From 5218de8a2a1c8797fea608e55fa0097fff0e1f34 Mon Sep 17 00:00:00 2001 From: Konrad Lipinski Date: Thu, 5 Dec 2019 12:00:54 +0100 Subject: [PATCH] Imported Upstream version 1.17 --- .gitignore | 587 + .travis-ci.sh | 11 + .travis.yml | 16 +- NOTICE | 257 +- README | 394 +- appveyor.yml | 21 +- doc/about.rst | 4 +- doc/admin/admin_commands/k5srvutil.rst | 9 +- doc/admin/admin_commands/kadmin_local.rst | 25 +- doc/admin/admin_commands/kadmind.rst | 39 +- doc/admin/admin_commands/kdb5_ldap_util.rst | 9 +- doc/admin/admin_commands/kdb5_util.rst | 46 +- doc/admin/admin_commands/kprop.rst | 16 +- doc/admin/admin_commands/kpropd.rst | 42 +- doc/admin/admin_commands/kproplog.rst | 25 +- doc/admin/admin_commands/krb5kdc.rst | 27 +- doc/admin/admin_commands/ktutil.rst | 18 +- doc/admin/admin_commands/sserver.rst | 9 +- doc/admin/advanced/retiring-des.rst | 12 +- doc/admin/appl_servers.rst | 20 +- doc/admin/backup_host.rst | 22 +- doc/admin/conf_files/kadm5_acl.rst | 13 + doc/admin/conf_files/kdc_conf.rst | 101 +- doc/admin/conf_files/krb5_conf.rst | 109 +- doc/admin/conf_ldap.rst | 4 +- doc/admin/database.rst | 103 +- doc/admin/dbtypes.rst | 147 + doc/admin/dictionary.rst | 88 + doc/admin/env_variables.rst | 44 +- doc/admin/index.rst | 3 + doc/admin/install_appl_srv.rst | 2 +- doc/admin/install_kdc.rst | 123 +- doc/admin/lockout.rst | 12 +- doc/admin/pkinit.rst | 45 + doc/admin/realm_config.rst | 40 +- doc/admin/spake.rst | 56 + doc/admin/troubleshoot.rst | 24 +- doc/appdev/gssapi.rst | 41 +- doc/appdev/index.rst | 1 + doc/appdev/refs/api/index.rst | 3 + doc/appdev/refs/macros/index.rst | 4 + doc/appdev/y2038.rst | 28 + doc/basic/ccache_def.rst | 2 +- doc/build/directory_org.rst | 2 +- doc/build/doing_build.rst | 4 +- doc/build/index.rst | 2 +- doc/build/options2configure.rst | 7 +- doc/build_this.rst | 4 +- doc/conf.py | 13 +- doc/copyright.rst | 2 +- doc/formats/cookie.rst | 37 + doc/formats/freshness_token.rst | 19 + doc/formats/index.rst | 1 + doc/html/.buildinfo | 4 - doc/html/_sources/about.txt | 35 - doc/html/_sources/admin/admin_commands/index.txt | 17 - .../_sources/admin/admin_commands/k5srvutil.txt | 62 - .../_sources/admin/admin_commands/kadmin_local.txt | 995 - doc/html/_sources/admin/admin_commands/kadmind.txt | 123 - .../admin/admin_commands/kdb5_ldap_util.txt | 462 - .../_sources/admin/admin_commands/kdb5_util.txt | 497 - doc/html/_sources/admin/admin_commands/kprop.txt | 60 - doc/html/_sources/admin/admin_commands/kpropd.txt | 130 - .../_sources/admin/admin_commands/kproplog.txt | 85 - doc/html/_sources/admin/admin_commands/krb5kdc.txt | 123 - doc/html/_sources/admin/admin_commands/ktutil.txt | 133 - doc/html/_sources/admin/admin_commands/sserver.txt | 105 - doc/html/_sources/admin/advanced/index.txt | 9 - doc/html/_sources/admin/advanced/ldapbackend.txt | 143 - doc/html/_sources/admin/advanced/retiring-des.txt | 417 - doc/html/_sources/admin/appl_servers.txt | 147 - doc/html/_sources/admin/auth_indicator.txt | 57 - doc/html/_sources/admin/backup_host.txt | 34 - doc/html/_sources/admin/conf_files/index.txt | 20 - doc/html/_sources/admin/conf_files/kadm5_acl.txt | 150 - doc/html/_sources/admin/conf_files/kdc_conf.txt | 937 - doc/html/_sources/admin/conf_files/krb5_conf.txt | 1172 - doc/html/_sources/admin/conf_ldap.txt | 161 - doc/html/_sources/admin/database.txt | 894 - doc/html/_sources/admin/enctypes.txt | 146 - doc/html/_sources/admin/env_variables.txt | 46 - doc/html/_sources/admin/host_config.txt | 231 - doc/html/_sources/admin/https.txt | 48 - doc/html/_sources/admin/index.txt | 31 - doc/html/_sources/admin/install.txt | 21 - doc/html/_sources/admin/install_appl_srv.txt | 83 - doc/html/_sources/admin/install_clients.txt | 58 - doc/html/_sources/admin/install_kdc.txt | 533 - doc/html/_sources/admin/lockout.txt | 150 - doc/html/_sources/admin/otp.txt | 100 - doc/html/_sources/admin/pkinit.txt | 309 - doc/html/_sources/admin/princ_dns.txt | 109 - doc/html/_sources/admin/realm_config.txt | 265 - doc/html/_sources/admin/troubleshoot.txt | 135 - doc/html/_sources/admin/various_envs.txt | 33 - doc/html/_sources/appdev/gssapi.txt | 618 - doc/html/_sources/appdev/h5l_mit_apidiff.txt | 31 - doc/html/_sources/appdev/index.txt | 15 - doc/html/_sources/appdev/init_creds.txt | 304 - doc/html/_sources/appdev/princ_handle.txt | 79 - doc/html/_sources/appdev/refs/api/index.txt | 411 - .../appdev/refs/api/krb5_425_conv_principal.txt | 59 - .../appdev/refs/api/krb5_524_conv_principal.txt | 60 - .../appdev/refs/api/krb5_524_convert_creds.txt | 55 - .../appdev/refs/api/krb5_address_compare.txt | 47 - .../appdev/refs/api/krb5_address_order.txt | 49 - .../appdev/refs/api/krb5_address_search.txt | 55 - .../appdev/refs/api/krb5_allow_weak_crypto.txt | 49 - .../appdev/refs/api/krb5_aname_to_localname.txt | 61 - .../appdev/refs/api/krb5_anonymous_principal.txt | 47 - .../appdev/refs/api/krb5_anonymous_realm.txt | 47 - .../appdev/refs/api/krb5_appdefault_boolean.txt | 57 - .../appdev/refs/api/krb5_appdefault_string.txt | 57 - .../appdev/refs/api/krb5_auth_con_free.txt | 49 - .../appdev/refs/api/krb5_auth_con_genaddrs.txt | 66 - .../refs/api/krb5_auth_con_get_checksum_func.txt | 49 - .../appdev/refs/api/krb5_auth_con_getaddrs.txt | 49 - .../refs/api/krb5_auth_con_getauthenticator.txt | 51 - .../appdev/refs/api/krb5_auth_con_getflags.txt | 60 - .../appdev/refs/api/krb5_auth_con_getkey.txt | 51 - .../appdev/refs/api/krb5_auth_con_getkey_k.txt | 51 - .../refs/api/krb5_auth_con_getlocalseqnumber.txt | 51 - .../refs/api/krb5_auth_con_getlocalsubkey.txt | 46 - .../appdev/refs/api/krb5_auth_con_getrcache.txt | 51 - .../refs/api/krb5_auth_con_getrecvsubkey.txt | 51 - .../refs/api/krb5_auth_con_getrecvsubkey_k.txt | 51 - .../refs/api/krb5_auth_con_getremoteseqnumber.txt | 51 - .../refs/api/krb5_auth_con_getremotesubkey.txt | 46 - .../refs/api/krb5_auth_con_getsendsubkey.txt | 51 - .../refs/api/krb5_auth_con_getsendsubkey_k.txt | 51 - .../appdev/refs/api/krb5_auth_con_init.txt | 57 - .../appdev/refs/api/krb5_auth_con_initivector.txt | 48 - .../refs/api/krb5_auth_con_set_checksum_func.txt | 53 - .../refs/api/krb5_auth_con_set_req_cksumtype.txt | 51 - .../appdev/refs/api/krb5_auth_con_setaddrs.txt | 56 - .../appdev/refs/api/krb5_auth_con_setflags.txt | 60 - .../appdev/refs/api/krb5_auth_con_setports.txt | 56 - .../appdev/refs/api/krb5_auth_con_setrcache.txt | 51 - .../refs/api/krb5_auth_con_setrecvsubkey.txt | 51 - .../refs/api/krb5_auth_con_setrecvsubkey_k.txt | 55 - .../refs/api/krb5_auth_con_setsendsubkey.txt | 51 - .../refs/api/krb5_auth_con_setsendsubkey_k.txt | 55 - .../refs/api/krb5_auth_con_setuseruserkey.txt | 47 - .../appdev/refs/api/krb5_build_principal.txt | 68 - .../refs/api/krb5_build_principal_alloc_va.txt | 66 - .../appdev/refs/api/krb5_build_principal_ext.txt | 60 - .../appdev/refs/api/krb5_build_principal_va.txt | 50 - .../_sources/appdev/refs/api/krb5_c_block_size.txt | 47 - .../appdev/refs/api/krb5_c_checksum_length.txt | 47 - .../appdev/refs/api/krb5_c_crypto_length.txt | 49 - .../appdev/refs/api/krb5_c_crypto_length_iov.txt | 53 - .../_sources/appdev/refs/api/krb5_c_decrypt.txt | 65 - .../appdev/refs/api/krb5_c_decrypt_iov.txt | 70 - .../appdev/refs/api/krb5_c_derive_prfplus.txt | 48 - .../_sources/appdev/refs/api/krb5_c_encrypt.txt | 65 - .../appdev/refs/api/krb5_c_encrypt_iov.txt | 70 - .../appdev/refs/api/krb5_c_encrypt_length.txt | 53 - .../appdev/refs/api/krb5_c_enctype_compare.txt | 53 - .../_sources/appdev/refs/api/krb5_c_free_state.txt | 47 - .../appdev/refs/api/krb5_c_fx_cf2_simple.txt | 57 - .../_sources/appdev/refs/api/krb5_c_init_state.txt | 49 - .../appdev/refs/api/krb5_c_is_coll_proof_cksum.txt | 43 - .../appdev/refs/api/krb5_c_is_keyed_cksum.txt | 43 - .../refs/api/krb5_c_keyed_checksum_types.txt | 53 - .../_sources/appdev/refs/api/krb5_c_keylengths.txt | 49 - .../appdev/refs/api/krb5_c_make_checksum.txt | 68 - .../appdev/refs/api/krb5_c_make_checksum_iov.txt | 68 - .../appdev/refs/api/krb5_c_make_random_key.txt | 51 - .../appdev/refs/api/krb5_c_padding_length.txt | 53 - doc/html/_sources/appdev/refs/api/krb5_c_prf.txt | 53 - .../_sources/appdev/refs/api/krb5_c_prf_length.txt | 47 - .../_sources/appdev/refs/api/krb5_c_prfplus.txt | 61 - .../appdev/refs/api/krb5_c_random_add_entropy.txt | 51 - .../appdev/refs/api/krb5_c_random_make_octets.txt | 49 - .../appdev/refs/api/krb5_c_random_os_entropy.txt | 51 - .../appdev/refs/api/krb5_c_random_seed.txt | 44 - .../appdev/refs/api/krb5_c_random_to_key.txt | 64 - .../appdev/refs/api/krb5_c_string_to_key.txt | 55 - .../refs/api/krb5_c_string_to_key_with_params.txt | 57 - .../appdev/refs/api/krb5_c_valid_cksumtype.txt | 43 - .../appdev/refs/api/krb5_c_valid_enctype.txt | 43 - .../appdev/refs/api/krb5_c_verify_checksum.txt | 65 - .../appdev/refs/api/krb5_c_verify_checksum_iov.txt | 70 - .../appdev/refs/api/krb5_calculate_checksum.txt | 54 - .../appdev/refs/api/krb5_cc_cache_match.txt | 56 - .../_sources/appdev/refs/api/krb5_cc_close.txt | 52 - .../appdev/refs/api/krb5_cc_copy_creds.txt | 47 - .../_sources/appdev/refs/api/krb5_cc_default.txt | 54 - .../appdev/refs/api/krb5_cc_default_name.txt | 51 - .../_sources/appdev/refs/api/krb5_cc_destroy.txt | 52 - doc/html/_sources/appdev/refs/api/krb5_cc_dup.txt | 44 - .../appdev/refs/api/krb5_cc_end_seq_get.txt | 54 - .../_sources/appdev/refs/api/krb5_cc_gen_new.txt | 39 - .../appdev/refs/api/krb5_cc_get_config.txt | 58 - .../_sources/appdev/refs/api/krb5_cc_get_flags.txt | 55 - .../appdev/refs/api/krb5_cc_get_full_name.txt | 52 - .../_sources/appdev/refs/api/krb5_cc_get_name.txt | 53 - .../appdev/refs/api/krb5_cc_get_principal.txt | 58 - .../_sources/appdev/refs/api/krb5_cc_get_type.txt | 45 - .../appdev/refs/api/krb5_cc_initialize.txt | 54 - .../appdev/refs/api/krb5_cc_last_change_time.txt | 44 - doc/html/_sources/appdev/refs/api/krb5_cc_lock.txt | 49 - doc/html/_sources/appdev/refs/api/krb5_cc_move.txt | 54 - .../appdev/refs/api/krb5_cc_new_unique.txt | 52 - .../_sources/appdev/refs/api/krb5_cc_next_cred.txt | 60 - .../appdev/refs/api/krb5_cc_remove_cred.txt | 64 - .../_sources/appdev/refs/api/krb5_cc_resolve.txt | 58 - .../appdev/refs/api/krb5_cc_retrieve_cred.txt | 94 - .../_sources/appdev/refs/api/krb5_cc_select.txt | 73 - .../appdev/refs/api/krb5_cc_set_config.txt | 66 - .../appdev/refs/api/krb5_cc_set_default_name.txt | 57 - .../_sources/appdev/refs/api/krb5_cc_set_flags.txt | 51 - .../appdev/refs/api/krb5_cc_start_seq_get.txt | 59 - .../appdev/refs/api/krb5_cc_store_cred.txt | 54 - .../appdev/refs/api/krb5_cc_support_switch.txt | 50 - .../_sources/appdev/refs/api/krb5_cc_switch.txt | 52 - .../_sources/appdev/refs/api/krb5_cc_unlock.txt | 49 - .../appdev/refs/api/krb5_cccol_cursor_free.txt | 48 - .../appdev/refs/api/krb5_cccol_cursor_new.txt | 56 - .../appdev/refs/api/krb5_cccol_cursor_next.txt | 62 - .../appdev/refs/api/krb5_cccol_have_content.txt | 48 - .../refs/api/krb5_cccol_last_change_time.txt | 53 - .../_sources/appdev/refs/api/krb5_cccol_lock.txt | 51 - .../_sources/appdev/refs/api/krb5_cccol_unlock.txt | 47 - .../appdev/refs/api/krb5_change_password.txt | 77 - .../appdev/refs/api/krb5_check_clockskew.txt | 54 - .../appdev/refs/api/krb5_checksum_size.txt | 44 - .../_sources/appdev/refs/api/krb5_chpw_message.txt | 62 - .../appdev/refs/api/krb5_cksumtype_to_string.txt | 47 - .../appdev/refs/api/krb5_clear_error_message.txt | 40 - .../appdev/refs/api/krb5_copy_addresses.txt | 51 - .../appdev/refs/api/krb5_copy_authdata.txt | 59 - .../appdev/refs/api/krb5_copy_authenticator.txt | 51 - .../appdev/refs/api/krb5_copy_checksum.txt | 51 - .../_sources/appdev/refs/api/krb5_copy_context.txt | 52 - .../_sources/appdev/refs/api/krb5_copy_creds.txt | 51 - .../_sources/appdev/refs/api/krb5_copy_data.txt | 51 - .../appdev/refs/api/krb5_copy_error_message.txt | 42 - .../appdev/refs/api/krb5_copy_keyblock.txt | 51 - .../refs/api/krb5_copy_keyblock_contents.txt | 51 - .../appdev/refs/api/krb5_copy_principal.txt | 51 - .../_sources/appdev/refs/api/krb5_copy_ticket.txt | 51 - .../refs/api/krb5_decode_authdata_container.txt | 52 - .../appdev/refs/api/krb5_decode_ticket.txt | 45 - doc/html/_sources/appdev/refs/api/krb5_decrypt.txt | 52 - .../appdev/refs/api/krb5_deltat_to_string.txt | 47 - .../appdev/refs/api/krb5_eblock_enctype.txt | 44 - .../refs/api/krb5_encode_authdata_container.txt | 56 - doc/html/_sources/appdev/refs/api/krb5_encrypt.txt | 52 - .../_sources/appdev/refs/api/krb5_encrypt_size.txt | 44 - .../appdev/refs/api/krb5_enctype_to_name.txt | 57 - .../appdev/refs/api/krb5_enctype_to_string.txt | 47 - .../appdev/refs/api/krb5_expand_hostname.txt | 52 - .../appdev/refs/api/krb5_find_authdata.txt | 56 - .../_sources/appdev/refs/api/krb5_finish_key.txt | 44 - .../appdev/refs/api/krb5_finish_random_key.txt | 46 - .../appdev/refs/api/krb5_free_addresses.txt | 54 - .../appdev/refs/api/krb5_free_ap_rep_enc_part.txt | 42 - .../appdev/refs/api/krb5_free_authdata.txt | 54 - .../appdev/refs/api/krb5_free_authenticator.txt | 42 - .../appdev/refs/api/krb5_free_checksum.txt | 42 - .../refs/api/krb5_free_checksum_contents.txt | 42 - .../appdev/refs/api/krb5_free_cksumtypes.txt | 42 - .../_sources/appdev/refs/api/krb5_free_context.txt | 40 - .../appdev/refs/api/krb5_free_cred_contents.txt | 42 - .../_sources/appdev/refs/api/krb5_free_creds.txt | 42 - .../_sources/appdev/refs/api/krb5_free_data.txt | 42 - .../appdev/refs/api/krb5_free_data_contents.txt | 42 - .../appdev/refs/api/krb5_free_default_realm.txt | 42 - .../appdev/refs/api/krb5_free_enctypes.txt | 46 - .../_sources/appdev/refs/api/krb5_free_error.txt | 42 - .../appdev/refs/api/krb5_free_error_message.txt | 42 - .../appdev/refs/api/krb5_free_host_realm.txt | 48 - .../appdev/refs/api/krb5_free_keyblock.txt | 42 - .../refs/api/krb5_free_keyblock_contents.txt | 42 - .../refs/api/krb5_free_keytab_entry_contents.txt | 53 - .../appdev/refs/api/krb5_free_principal.txt | 42 - .../_sources/appdev/refs/api/krb5_free_string.txt | 46 - .../appdev/refs/api/krb5_free_tgt_creds.txt | 50 - .../_sources/appdev/refs/api/krb5_free_ticket.txt | 42 - .../appdev/refs/api/krb5_free_unparsed_name.txt | 42 - .../appdev/refs/api/krb5_fwd_tgt_creds.txt | 68 - .../appdev/refs/api/krb5_get_credentials.txt | 81 - .../appdev/refs/api/krb5_get_credentials_renew.txt | 50 - .../refs/api/krb5_get_credentials_validate.txt | 50 - .../appdev/refs/api/krb5_get_default_realm.txt | 56 - .../appdev/refs/api/krb5_get_error_message.txt | 62 - .../refs/api/krb5_get_fallback_host_realm.txt | 52 - .../appdev/refs/api/krb5_get_host_realm.txt | 63 - .../refs/api/krb5_get_in_tkt_with_keytab.txt | 58 - .../refs/api/krb5_get_in_tkt_with_password.txt | 58 - .../appdev/refs/api/krb5_get_in_tkt_with_skey.txt | 58 - .../appdev/refs/api/krb5_get_init_creds_keytab.txt | 62 - .../refs/api/krb5_get_init_creds_opt_alloc.txt | 49 - .../refs/api/krb5_get_init_creds_opt_free.txt | 45 - .../api/krb5_get_init_creds_opt_get_fast_flags.txt | 47 - .../refs/api/krb5_get_init_creds_opt_init.txt | 42 - .../krb5_get_init_creds_opt_set_address_list.txt | 42 - .../api/krb5_get_init_creds_opt_set_anonymous.txt | 42 - .../krb5_get_init_creds_opt_set_canonicalize.txt | 42 - ...t_init_creds_opt_set_change_password_prompt.txt | 42 - .../api/krb5_get_init_creds_opt_set_etype_list.txt | 44 - ...krb5_get_init_creds_opt_set_expire_callback.txt | 78 - .../krb5_get_init_creds_opt_set_fast_ccache.txt | 52 - ...rb5_get_init_creds_opt_set_fast_ccache_name.txt | 48 - .../api/krb5_get_init_creds_opt_set_fast_flags.txt | 51 - .../krb5_get_init_creds_opt_set_forwardable.txt | 42 - .../api/krb5_get_init_creds_opt_set_in_ccache.txt | 52 - .../api/krb5_get_init_creds_opt_set_out_ccache.txt | 44 - .../refs/api/krb5_get_init_creds_opt_set_pa.txt | 46 - .../krb5_get_init_creds_opt_set_pac_request.txt | 52 - .../krb5_get_init_creds_opt_set_preauth_list.txt | 44 - .../api/krb5_get_init_creds_opt_set_proxiable.txt | 42 - .../api/krb5_get_init_creds_opt_set_renew_life.txt | 42 - .../api/krb5_get_init_creds_opt_set_responder.txt | 50 - .../refs/api/krb5_get_init_creds_opt_set_salt.txt | 42 - .../api/krb5_get_init_creds_opt_set_tkt_life.txt | 42 - .../refs/api/krb5_get_init_creds_password.txt | 75 - .../refs/api/krb5_get_permitted_enctypes.txt | 53 - .../_sources/appdev/refs/api/krb5_get_profile.txt | 56 - .../appdev/refs/api/krb5_get_prompt_types.txt | 43 - .../appdev/refs/api/krb5_get_renewed_creds.txt | 62 - .../appdev/refs/api/krb5_get_server_rcache.txt | 51 - .../appdev/refs/api/krb5_get_time_offsets.txt | 51 - .../appdev/refs/api/krb5_get_validated_creds.txt | 67 - .../_sources/appdev/refs/api/krb5_init_context.txt | 58 - .../appdev/refs/api/krb5_init_context_profile.txt | 55 - .../appdev/refs/api/krb5_init_creds_free.txt | 42 - .../appdev/refs/api/krb5_init_creds_get.txt | 49 - .../appdev/refs/api/krb5_init_creds_get_creds.txt | 51 - .../appdev/refs/api/krb5_init_creds_get_error.txt | 47 - .../appdev/refs/api/krb5_init_creds_get_times.txt | 51 - .../appdev/refs/api/krb5_init_creds_init.txt | 59 - .../appdev/refs/api/krb5_init_creds_set_keytab.txt | 51 - .../refs/api/krb5_init_creds_set_password.txt | 51 - .../refs/api/krb5_init_creds_set_service.txt | 51 - .../appdev/refs/api/krb5_init_creds_step.txt | 65 - .../appdev/refs/api/krb5_init_keyblock.txt | 61 - .../appdev/refs/api/krb5_init_random_key.txt | 48 - .../appdev/refs/api/krb5_init_secure_context.txt | 54 - .../appdev/refs/api/krb5_is_config_principal.txt | 45 - .../appdev/refs/api/krb5_is_referral_realm.txt | 43 - .../appdev/refs/api/krb5_is_thread_safe.txt | 43 - .../_sources/appdev/refs/api/krb5_k_create_key.txt | 51 - .../_sources/appdev/refs/api/krb5_k_decrypt.txt | 65 - .../appdev/refs/api/krb5_k_decrypt_iov.txt | 70 - .../_sources/appdev/refs/api/krb5_k_encrypt.txt | 65 - .../appdev/refs/api/krb5_k_encrypt_iov.txt | 70 - .../_sources/appdev/refs/api/krb5_k_free_key.txt | 39 - .../appdev/refs/api/krb5_k_key_enctype.txt | 39 - .../appdev/refs/api/krb5_k_key_keyblock.txt | 41 - .../appdev/refs/api/krb5_k_make_checksum.txt | 68 - .../appdev/refs/api/krb5_k_make_checksum_iov.txt | 68 - doc/html/_sources/appdev/refs/api/krb5_k_prf.txt | 61 - .../appdev/refs/api/krb5_k_reference_key.txt | 39 - .../appdev/refs/api/krb5_k_verify_checksum.txt | 65 - .../appdev/refs/api/krb5_k_verify_checksum_iov.txt | 70 - .../_sources/appdev/refs/api/krb5_kt_add_entry.txt | 52 - .../appdev/refs/api/krb5_kt_client_default.txt | 56 - .../_sources/appdev/refs/api/krb5_kt_close.txt | 45 - .../_sources/appdev/refs/api/krb5_kt_default.txt | 52 - .../appdev/refs/api/krb5_kt_default_name.txt | 55 - doc/html/_sources/appdev/refs/api/krb5_kt_dup.txt | 52 - .../appdev/refs/api/krb5_kt_end_seq_get.txt | 54 - .../appdev/refs/api/krb5_kt_free_entry.txt | 44 - .../_sources/appdev/refs/api/krb5_kt_get_entry.txt | 70 - .../_sources/appdev/refs/api/krb5_kt_get_name.txt | 57 - .../_sources/appdev/refs/api/krb5_kt_get_type.txt | 45 - .../appdev/refs/api/krb5_kt_have_content.txt | 50 - .../appdev/refs/api/krb5_kt_next_entry.txt | 57 - .../appdev/refs/api/krb5_kt_read_service_key.txt | 68 - .../appdev/refs/api/krb5_kt_remove_entry.txt | 51 - .../_sources/appdev/refs/api/krb5_kt_resolve.txt | 66 - .../appdev/refs/api/krb5_kt_start_seq_get.txt | 54 - doc/html/_sources/appdev/refs/api/krb5_kuserok.txt | 51 - .../refs/api/krb5_make_authdata_kdc_issued.txt | 48 - .../appdev/refs/api/krb5_merge_authdata.txt | 61 - .../_sources/appdev/refs/api/krb5_mk_1cred.txt | 60 - .../_sources/appdev/refs/api/krb5_mk_error.txt | 51 - .../_sources/appdev/refs/api/krb5_mk_ncred.txt | 72 - doc/html/_sources/appdev/refs/api/krb5_mk_priv.txt | 82 - doc/html/_sources/appdev/refs/api/krb5_mk_rep.txt | 59 - .../_sources/appdev/refs/api/krb5_mk_rep_dce.txt | 51 - doc/html/_sources/appdev/refs/api/krb5_mk_req.txt | 65 - .../appdev/refs/api/krb5_mk_req_extended.txt | 74 - doc/html/_sources/appdev/refs/api/krb5_mk_safe.txt | 83 - .../_sources/appdev/refs/api/krb5_os_localaddr.txt | 49 - .../appdev/refs/api/krb5_pac_add_buffer.txt | 75 - .../_sources/appdev/refs/api/krb5_pac_free.txt | 42 - .../appdev/refs/api/krb5_pac_get_buffer.txt | 53 - .../appdev/refs/api/krb5_pac_get_types.txt | 49 - .../_sources/appdev/refs/api/krb5_pac_init.txt | 49 - .../_sources/appdev/refs/api/krb5_pac_parse.txt | 53 - .../_sources/appdev/refs/api/krb5_pac_sign.txt | 60 - .../_sources/appdev/refs/api/krb5_pac_verify.txt | 69 - .../_sources/appdev/refs/api/krb5_parse_name.txt | 74 - .../appdev/refs/api/krb5_parse_name_flags.txt | 77 - .../appdev/refs/api/krb5_prepend_error_message.txt | 44 - .../appdev/refs/api/krb5_principal2salt.txt | 47 - .../appdev/refs/api/krb5_principal_compare.txt | 47 - .../refs/api/krb5_principal_compare_any_realm.txt | 51 - .../refs/api/krb5_principal_compare_flags.txt | 65 - .../_sources/appdev/refs/api/krb5_process_key.txt | 46 - .../appdev/refs/api/krb5_prompter_posix.txt | 64 - .../_sources/appdev/refs/api/krb5_random_key.txt | 48 - doc/html/_sources/appdev/refs/api/krb5_rd_cred.txt | 67 - .../_sources/appdev/refs/api/krb5_rd_error.txt | 51 - doc/html/_sources/appdev/refs/api/krb5_rd_priv.txt | 76 - doc/html/_sources/appdev/refs/api/krb5_rd_rep.txt | 57 - .../_sources/appdev/refs/api/krb5_rd_rep_dce.txt | 53 - doc/html/_sources/appdev/refs/api/krb5_rd_req.txt | 105 - doc/html/_sources/appdev/refs/api/krb5_rd_safe.txt | 80 - .../appdev/refs/api/krb5_read_password.txt | 70 - .../appdev/refs/api/krb5_realm_compare.txt | 47 - .../_sources/appdev/refs/api/krb5_recvauth.txt | 68 - .../appdev/refs/api/krb5_recvauth_version.txt | 61 - .../refs/api/krb5_responder_get_challenge.txt | 52 - .../refs/api/krb5_responder_list_questions.txt | 50 - .../refs/api/krb5_responder_otp_challenge_free.txt | 48 - .../refs/api/krb5_responder_otp_get_challenge.txt | 56 - .../refs/api/krb5_responder_otp_set_answer.txt | 52 - .../api/krb5_responder_pkinit_challenge_free.txt | 48 - .../api/krb5_responder_pkinit_get_challenge.txt | 56 - .../refs/api/krb5_responder_pkinit_set_answer.txt | 50 - .../appdev/refs/api/krb5_responder_set_answer.txt | 57 - .../appdev/refs/api/krb5_salttype_to_string.txt | 47 - .../_sources/appdev/refs/api/krb5_sendauth.txt | 98 - .../refs/api/krb5_server_decrypt_ticket_keytab.txt | 51 - .../appdev/refs/api/krb5_set_default_realm.txt | 52 - .../refs/api/krb5_set_default_tgs_enctypes.txt | 61 - .../appdev/refs/api/krb5_set_error_message.txt | 44 - .../appdev/refs/api/krb5_set_kdc_recv_hook.txt | 52 - .../appdev/refs/api/krb5_set_kdc_send_hook.txt | 52 - .../_sources/appdev/refs/api/krb5_set_password.txt | 74 - .../refs/api/krb5_set_password_using_ccache.txt | 74 - .../appdev/refs/api/krb5_set_principal_realm.txt | 54 - .../appdev/refs/api/krb5_set_real_time.txt | 51 - .../appdev/refs/api/krb5_set_trace_callback.txt | 63 - .../appdev/refs/api/krb5_set_trace_filename.txt | 61 - .../_sources/appdev/refs/api/krb5_sname_match.txt | 59 - .../appdev/refs/api/krb5_sname_to_principal.txt | 74 - .../appdev/refs/api/krb5_string_to_cksumtype.txt | 45 - .../appdev/refs/api/krb5_string_to_deltat.txt | 45 - .../appdev/refs/api/krb5_string_to_enctype.txt | 45 - .../appdev/refs/api/krb5_string_to_key.txt | 50 - .../appdev/refs/api/krb5_string_to_salttype.txt | 45 - .../appdev/refs/api/krb5_string_to_timestamp.txt | 45 - .../_sources/appdev/refs/api/krb5_timeofday.txt | 52 - .../appdev/refs/api/krb5_timestamp_to_sfstring.txt | 53 - .../appdev/refs/api/krb5_timestamp_to_string.txt | 51 - .../appdev/refs/api/krb5_tkt_creds_free.txt | 46 - .../appdev/refs/api/krb5_tkt_creds_get.txt | 53 - .../appdev/refs/api/krb5_tkt_creds_get_creds.txt | 55 - .../appdev/refs/api/krb5_tkt_creds_get_times.txt | 55 - .../appdev/refs/api/krb5_tkt_creds_init.txt | 67 - .../appdev/refs/api/krb5_tkt_creds_step.txt | 69 - .../_sources/appdev/refs/api/krb5_unparse_name.txt | 58 - .../appdev/refs/api/krb5_unparse_name_ext.txt | 60 - .../appdev/refs/api/krb5_unparse_name_flags.txt | 70 - .../refs/api/krb5_unparse_name_flags_ext.txt | 54 - .../_sources/appdev/refs/api/krb5_us_timeofday.txt | 54 - .../_sources/appdev/refs/api/krb5_use_enctype.txt | 46 - .../refs/api/krb5_verify_authdata_kdc_issued.txt | 48 - .../appdev/refs/api/krb5_verify_checksum.txt | 54 - .../appdev/refs/api/krb5_verify_init_creds.txt | 65 - .../refs/api/krb5_verify_init_creds_opt_init.txt | 40 - ...rb5_verify_init_creds_opt_set_ap_req_nofail.txt | 46 - .../refs/api/krb5_vprepend_error_message.txt | 46 - .../appdev/refs/api/krb5_vset_error_message.txt | 46 - .../appdev/refs/api/krb5_vwrap_error_message.txt | 48 - .../appdev/refs/api/krb5_wrap_error_message.txt | 46 - doc/html/_sources/appdev/refs/index.txt | 9 - .../appdev/refs/macros/ADDRTYPE_ADDRPORT.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_CHAOS.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_DDP.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_INET.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_INET6.txt | 17 - .../appdev/refs/macros/ADDRTYPE_IPPORT.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_ISO.txt | 17 - .../appdev/refs/macros/ADDRTYPE_IS_LOCAL.txt | 17 - .../appdev/refs/macros/ADDRTYPE_NETBIOS.txt | 17 - .../_sources/appdev/refs/macros/ADDRTYPE_XNS.txt | 17 - .../appdev/refs/macros/AD_TYPE_EXTERNAL.txt | 17 - .../appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.txt | 17 - .../appdev/refs/macros/AD_TYPE_REGISTERED.txt | 17 - .../appdev/refs/macros/AD_TYPE_RESERVED.txt | 17 - .../refs/macros/AP_OPTS_ETYPE_NEGOTIATION.txt | 17 - .../appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.txt | 18 - .../appdev/refs/macros/AP_OPTS_RESERVED.txt | 17 - .../appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.txt | 18 - .../appdev/refs/macros/AP_OPTS_USE_SUBKEY.txt | 18 - .../appdev/refs/macros/AP_OPTS_WIRE_MASK.txt | 17 - .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.txt | 18 - .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.txt | 18 - .../appdev/refs/macros/CKSUMTYPE_CRC32.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_DESCBC.txt | 17 - .../refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.txt | 18 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.txt | 18 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.txt | 18 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.txt | 17 - .../macros/CKSUMTYPE_HMAC_SHA256_128_AES128.txt | 18 - .../macros/CKSUMTYPE_HMAC_SHA384_192_AES256.txt | 18 - .../refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_NIST_SHA.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD4.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD5.txt | 17 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.txt | 17 - .../macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.txt | 18 - .../macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.txt | 18 - .../macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.txt | 18 - .../macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.txt | 18 - .../appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.txt | 18 - .../refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.txt | 18 - .../refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.txt | 18 - .../refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.txt | 18 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.txt | 18 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.txt | 17 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.txt | 17 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.txt | 17 - .../appdev/refs/macros/ENCTYPE_DES_CBC_CRC.txt | 18 - .../appdev/refs/macros/ENCTYPE_DES_CBC_MD4.txt | 18 - .../appdev/refs/macros/ENCTYPE_DES_CBC_MD5.txt | 18 - .../appdev/refs/macros/ENCTYPE_DES_CBC_RAW.txt | 17 - .../appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.txt | 17 - .../appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.txt | 18 - .../appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.txt | 18 - .../_sources/appdev/refs/macros/ENCTYPE_NULL.txt | 17 - .../appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.txt | 18 - .../appdev/refs/macros/ENCTYPE_RSA_ENV.txt | 18 - .../appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.txt | 18 - .../appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.txt | 18 - .../appdev/refs/macros/ENCTYPE_UNKNOWN.txt | 17 - .../appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.txt | 17 - .../appdev/refs/macros/KDC_OPT_CANONICALIZE.txt | 17 - .../refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.txt | 17 - .../macros/KDC_OPT_DISABLE_TRANSITED_CHECK.txt | 17 - .../appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.txt | 17 - .../appdev/refs/macros/KDC_OPT_FORWARDABLE.txt | 17 - .../appdev/refs/macros/KDC_OPT_FORWARDED.txt | 17 - .../appdev/refs/macros/KDC_OPT_POSTDATED.txt | 17 - .../appdev/refs/macros/KDC_OPT_PROXIABLE.txt | 17 - .../_sources/appdev/refs/macros/KDC_OPT_PROXY.txt | 17 - .../_sources/appdev/refs/macros/KDC_OPT_RENEW.txt | 17 - .../appdev/refs/macros/KDC_OPT_RENEWABLE.txt | 17 - .../appdev/refs/macros/KDC_OPT_RENEWABLE_OK.txt | 17 - .../refs/macros/KDC_OPT_REQUEST_ANONYMOUS.txt | 17 - .../appdev/refs/macros/KDC_OPT_VALIDATE.txt | 17 - .../appdev/refs/macros/KDC_TKT_COMMON_MASK.txt | 17 - .../macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.txt | 18 - .../appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.txt | 18 - .../appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.txt | 18 - .../_sources/appdev/refs/macros/KRB5_AP_REP.txt | 18 - .../_sources/appdev/refs/macros/KRB5_AP_REQ.txt | 18 - .../_sources/appdev/refs/macros/KRB5_AS_REP.txt | 18 - .../_sources/appdev/refs/macros/KRB5_AS_REQ.txt | 18 - .../appdev/refs/macros/KRB5_AUTHDATA_AND_OR.txt | 17 - .../refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.txt | 17 - .../appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.txt | 17 - .../macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.txt | 18 - .../appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.txt | 17 - .../refs/macros/KRB5_AUTHDATA_IF_RELEVANT.txt | 17 - .../macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.txt | 17 - .../refs/macros/KRB5_AUTHDATA_KDC_ISSUED.txt | 17 - .../macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.txt | 17 - .../appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.txt | 17 - .../appdev/refs/macros/KRB5_AUTHDATA_SESAME.txt | 17 - .../refs/macros/KRB5_AUTHDATA_SIGNTICKET.txt | 18 - .../appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.txt | 17 - .../refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.txt | 18 - .../refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.txt | 18 - .../KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.txt | 18 - .../KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.txt | 18 - .../KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.txt | 18 - ...KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.txt | 18 - .../refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.txt | 17 - .../refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.txt | 18 - .../refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.txt | 18 - .../refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.txt | 17 - doc/html/_sources/appdev/refs/macros/KRB5_CRED.txt | 18 - .../refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.txt | 18 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.txt | 18 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.txt | 18 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.txt | 18 - .../refs/macros/KRB5_CRYPTO_TYPE_PADDING.txt | 18 - .../refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.txt | 18 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.txt | 18 - .../refs/macros/KRB5_CRYPTO_TYPE_TRAILER.txt | 18 - .../appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.txt | 18 - .../refs/macros/KRB5_DOMAIN_X500_COMPRESS.txt | 18 - .../refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.txt | 18 - .../_sources/appdev/refs/macros/KRB5_ERROR.txt | 18 - .../appdev/refs/macros/KRB5_FAST_REQUIRED.txt | 18 - .../_sources/appdev/refs/macros/KRB5_GC_CACHED.txt | 18 - .../appdev/refs/macros/KRB5_GC_CANONICALIZE.txt | 18 - .../refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.txt | 18 - .../appdev/refs/macros/KRB5_GC_FORWARDABLE.txt | 18 - .../appdev/refs/macros/KRB5_GC_NO_STORE.txt | 18 - .../refs/macros/KRB5_GC_NO_TRANSIT_CHECK.txt | 18 - .../appdev/refs/macros/KRB5_GC_USER_USER.txt | 18 - .../KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.txt | 17 - .../KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.txt | 17 - .../KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.txt | 17 - .../KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.txt | 17 - .../refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.txt | 17 - .../macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.txt | 17 - .../appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.txt | 18 - .../refs/macros/KRB5_INIT_CONTEXT_SECURE.txt | 18 - .../macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.txt | 18 - .../_sources/appdev/refs/macros/KRB5_INT16_MAX.txt | 17 - .../_sources/appdev/refs/macros/KRB5_INT16_MIN.txt | 17 - .../_sources/appdev/refs/macros/KRB5_INT32_MAX.txt | 17 - .../_sources/appdev/refs/macros/KRB5_INT32_MIN.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.txt | 17 - .../macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.txt | 17 - .../macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.txt | 17 - .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.txt | 17 - .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.txt | 17 - .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.txt | 17 - .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.txt | 17 - .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.txt | 18 - .../refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.txt | 18 - .../refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.txt | 17 - .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.txt | 18 - .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.txt | 18 - .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.txt | 17 - .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.txt | 18 - .../refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.txt | 18 - .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.txt | 17 - .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.txt | 17 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.txt | 17 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.txt | 17 - .../refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.txt | 17 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.txt | 17 - .../refs/macros/KRB5_KPASSWD_ACCESSDENIED.txt | 18 - .../appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.txt | 18 - .../refs/macros/KRB5_KPASSWD_BAD_VERSION.txt | 18 - .../appdev/refs/macros/KRB5_KPASSWD_HARDERROR.txt | 18 - .../macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.txt | 18 - .../appdev/refs/macros/KRB5_KPASSWD_MALFORMED.txt | 18 - .../appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.txt | 18 - .../appdev/refs/macros/KRB5_KPASSWD_SUCCESS.txt | 18 - .../refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.txt | 17 - .../refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.txt | 17 - .../refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.txt | 17 - .../refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.txt | 17 - .../_sources/appdev/refs/macros/KRB5_LRQ_NONE.txt | 17 - .../refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.txt | 17 - .../refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.txt | 17 - .../refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.txt | 17 - .../refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.txt | 17 - .../appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.txt | 17 - .../refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.txt | 18 - .../refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.txt | 18 - .../appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.txt | 18 - .../refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.txt | 18 - .../appdev/refs/macros/KRB5_NT_PRINCIPAL.txt | 18 - .../appdev/refs/macros/KRB5_NT_SMTP_NAME.txt | 18 - .../appdev/refs/macros/KRB5_NT_SRV_HST.txt | 18 - .../appdev/refs/macros/KRB5_NT_SRV_INST.txt | 18 - .../appdev/refs/macros/KRB5_NT_SRV_XHST.txt | 18 - .../_sources/appdev/refs/macros/KRB5_NT_UID.txt | 18 - .../appdev/refs/macros/KRB5_NT_UNKNOWN.txt | 18 - .../appdev/refs/macros/KRB5_NT_WELLKNOWN.txt | 18 - .../appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.txt | 18 - .../appdev/refs/macros/KRB5_PAC_CLIENT_INFO.txt | 18 - .../refs/macros/KRB5_PAC_CREDENTIALS_INFO.txt | 18 - .../refs/macros/KRB5_PAC_DELEGATION_INFO.txt | 18 - .../appdev/refs/macros/KRB5_PAC_LOGON_INFO.txt | 18 - .../refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.txt | 18 - .../refs/macros/KRB5_PAC_SERVER_CHECKSUM.txt | 18 - .../appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_AFS3_SALT.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_AP_REQ.txt | 17 - .../appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.txt | 18 - .../macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.txt | 18 - .../refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.txt | 18 - .../refs/macros/KRB5_PADATA_ENC_TIMESTAMP.txt | 18 - .../refs/macros/KRB5_PADATA_ENC_UNIX_TIME.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_FOR_USER.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_FX_COOKIE.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_FX_ERROR.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_FX_FAST.txt | 18 - .../macros/KRB5_PADATA_GET_FROM_TYPED_DATA.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_NONE.txt | 17 - .../appdev/refs/macros/KRB5_PADATA_OSF_DCE.txt | 18 - .../refs/macros/KRB5_PADATA_OTP_CHALLENGE.txt | 18 - .../refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_PKINIT_KX.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_PK_AS_REP.txt | 18 - .../refs/macros/KRB5_PADATA_PK_AS_REP_OLD.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.txt | 18 - .../refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_PW_SALT.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_REFERRAL.txt | 18 - .../refs/macros/KRB5_PADATA_S4U_X509_USER.txt | 18 - .../refs/macros/KRB5_PADATA_SAM_CHALLENGE.txt | 18 - .../refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.txt | 18 - .../refs/macros/KRB5_PADATA_SAM_REDIRECT.txt | 18 - .../refs/macros/KRB5_PADATA_SAM_RESPONSE.txt | 18 - .../refs/macros/KRB5_PADATA_SAM_RESPONSE_2.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_SESAME.txt | 18 - .../refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.txt | 18 - .../appdev/refs/macros/KRB5_PADATA_TGS_REQ.txt | 17 - .../refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.txt | 18 - .../macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.txt | 18 - .../macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.txt | 18 - .../macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.txt | 18 - .../refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.txt | 18 - .../macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.txt | 18 - .../macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.txt | 18 - .../refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.txt | 18 - .../macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.txt | 18 - .../refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.txt | 18 - .../macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.txt | 18 - .../refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.txt | 18 - doc/html/_sources/appdev/refs/macros/KRB5_PRIV.txt | 18 - .../refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.txt | 18 - .../macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.txt | 18 - .../refs/macros/KRB5_PROMPT_TYPE_PASSWORD.txt | 18 - .../refs/macros/KRB5_PROMPT_TYPE_PREAUTH.txt | 18 - doc/html/_sources/appdev/refs/macros/KRB5_PVNO.txt | 18 - .../appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.txt | 17 - .../refs/macros/KRB5_RECVAUTH_BADAUTHVERS.txt | 17 - .../refs/macros/KRB5_RECVAUTH_SKIP_VERSION.txt | 17 - .../appdev/refs/macros/KRB5_REFERRAL_REALM.txt | 18 - .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.txt | 18 - .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.txt | 18 - .../macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.txt | 18 - .../KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.txt | 18 - .../KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.txt | 17 - .../macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.txt | 18 - .../KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.txt | 17 - ...ONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.txt | 18 - ...ONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.txt | 18 - ...ESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.txt | 18 - .../refs/macros/KRB5_RESPONDER_QUESTION_OTP.txt | 63 - .../macros/KRB5_RESPONDER_QUESTION_PASSWORD.txt | 19 - .../refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.txt | 38 - doc/html/_sources/appdev/refs/macros/KRB5_SAFE.txt | 18 - .../refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.txt | 18 - .../refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.txt | 17 - .../appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.txt | 17 - .../appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.txt | 18 - .../appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.txt | 18 - .../appdev/refs/macros/KRB5_TC_MATCH_FLAGS.txt | 18 - .../refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.txt | 18 - .../appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.txt | 18 - .../appdev/refs/macros/KRB5_TC_MATCH_KTYPE.txt | 18 - .../refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.txt | 18 - .../appdev/refs/macros/KRB5_TC_MATCH_TIMES.txt | 18 - .../refs/macros/KRB5_TC_MATCH_TIMES_EXACT.txt | 18 - .../appdev/refs/macros/KRB5_TC_NOTICKET.txt | 17 - .../appdev/refs/macros/KRB5_TC_OPENCLOSE.txt | 18 - .../refs/macros/KRB5_TC_SUPPORTED_KTYPES.txt | 18 - .../_sources/appdev/refs/macros/KRB5_TGS_NAME.txt | 17 - .../appdev/refs/macros/KRB5_TGS_NAME_SIZE.txt | 17 - .../_sources/appdev/refs/macros/KRB5_TGS_REP.txt | 18 - .../_sources/appdev/refs/macros/KRB5_TGS_REQ.txt | 18 - .../macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.txt | 18 - .../KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.txt | 17 - .../appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.txt | 18 - .../refs/macros/LR_TYPE_INTERPRETATION_MASK.txt | 17 - .../refs/macros/LR_TYPE_THIS_SERVER_ONLY.txt | 17 - .../appdev/refs/macros/MAX_KEYTAB_NAME_LEN.txt | 18 - .../_sources/appdev/refs/macros/MSEC_DIRBIT.txt | 17 - .../_sources/appdev/refs/macros/MSEC_VAL_MASK.txt | 17 - .../appdev/refs/macros/SALT_TYPE_AFS_LENGTH.txt | 17 - .../appdev/refs/macros/SALT_TYPE_NO_LENGTH.txt | 17 - .../_sources/appdev/refs/macros/THREEPARAMOPEN.txt | 17 - .../appdev/refs/macros/TKT_FLG_ANONYMOUS.txt | 17 - .../appdev/refs/macros/TKT_FLG_ENC_PA_REP.txt | 17 - .../appdev/refs/macros/TKT_FLG_FORWARDABLE.txt | 17 - .../appdev/refs/macros/TKT_FLG_FORWARDED.txt | 17 - .../appdev/refs/macros/TKT_FLG_HW_AUTH.txt | 17 - .../appdev/refs/macros/TKT_FLG_INITIAL.txt | 17 - .../appdev/refs/macros/TKT_FLG_INVALID.txt | 17 - .../appdev/refs/macros/TKT_FLG_MAY_POSTDATE.txt | 17 - .../appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.txt | 17 - .../appdev/refs/macros/TKT_FLG_POSTDATED.txt | 17 - .../appdev/refs/macros/TKT_FLG_PRE_AUTH.txt | 17 - .../appdev/refs/macros/TKT_FLG_PROXIABLE.txt | 17 - .../_sources/appdev/refs/macros/TKT_FLG_PROXY.txt | 17 - .../appdev/refs/macros/TKT_FLG_RENEWABLE.txt | 17 - .../refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.txt | 17 - .../_sources/appdev/refs/macros/VALID_INT_BITS.txt | 17 - .../appdev/refs/macros/VALID_UINT_BITS.txt | 17 - doc/html/_sources/appdev/refs/macros/index.txt | 380 - .../refs/macros/krb524_convert_creds_kdc.txt | 17 - .../appdev/refs/macros/krb524_init_ets.txt | 17 - .../_sources/appdev/refs/macros/krb5_const.txt | 17 - .../appdev/refs/macros/krb5_princ_component.txt | 17 - .../appdev/refs/macros/krb5_princ_name.txt | 17 - .../appdev/refs/macros/krb5_princ_realm.txt | 17 - .../appdev/refs/macros/krb5_princ_set_realm.txt | 17 - .../refs/macros/krb5_princ_set_realm_data.txt | 17 - .../refs/macros/krb5_princ_set_realm_length.txt | 17 - .../appdev/refs/macros/krb5_princ_size.txt | 17 - .../appdev/refs/macros/krb5_princ_type.txt | 17 - .../_sources/appdev/refs/macros/krb5_roundup.txt | 17 - doc/html/_sources/appdev/refs/macros/krb5_x.txt | 17 - doc/html/_sources/appdev/refs/macros/krb5_xc.txt | 17 - doc/html/_sources/appdev/refs/types/index.txt | 109 - .../_sources/appdev/refs/types/krb5_address.txt | 45 - .../_sources/appdev/refs/types/krb5_addrtype.txt | 20 - .../_sources/appdev/refs/types/krb5_ap_rep.txt | 35 - .../appdev/refs/types/krb5_ap_rep_enc_part.txt | 50 - .../_sources/appdev/refs/types/krb5_ap_req.txt | 45 - .../appdev/refs/types/krb5_auth_context.txt | 20 - .../_sources/appdev/refs/types/krb5_authdata.txt | 45 - .../appdev/refs/types/krb5_authdatatype.txt | 20 - .../appdev/refs/types/krb5_authenticator.txt | 65 - .../_sources/appdev/refs/types/krb5_boolean.txt | 20 - .../_sources/appdev/refs/types/krb5_cc_cursor.txt | 21 - .../_sources/appdev/refs/types/krb5_ccache.txt | 20 - .../appdev/refs/types/krb5_cccol_cursor.txt | 21 - .../_sources/appdev/refs/types/krb5_checksum.txt | 44 - .../_sources/appdev/refs/types/krb5_cksumtype.txt | 20 - .../appdev/refs/types/krb5_const_pointer.txt | 20 - .../appdev/refs/types/krb5_const_principal.txt | 50 - .../_sources/appdev/refs/types/krb5_context.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_cred.txt | 45 - .../appdev/refs/types/krb5_cred_enc_part.txt | 60 - .../_sources/appdev/refs/types/krb5_cred_info.txt | 60 - doc/html/_sources/appdev/refs/types/krb5_creds.txt | 80 - .../_sources/appdev/refs/types/krb5_crypto_iov.txt | 35 - .../_sources/appdev/refs/types/krb5_cryptotype.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_data.txt | 39 - .../_sources/appdev/refs/types/krb5_deltat.txt | 20 - .../_sources/appdev/refs/types/krb5_enc_data.txt | 44 - .../appdev/refs/types/krb5_enc_kdc_rep_part.txt | 80 - .../appdev/refs/types/krb5_enc_tkt_part.txt | 65 - .../appdev/refs/types/krb5_encrypt_block.txt | 39 - .../_sources/appdev/refs/types/krb5_enctype.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_error.txt | 75 - .../_sources/appdev/refs/types/krb5_error_code.txt | 21 - .../refs/types/krb5_expire_callback_func.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_flags.txt | 20 - .../appdev/refs/types/krb5_get_init_creds_opt.txt | 80 - .../appdev/refs/types/krb5_gic_opt_pa_data.txt | 35 - .../appdev/refs/types/krb5_init_creds_context.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_int16.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_int32.txt | 20 - .../_sources/appdev/refs/types/krb5_kdc_rep.txt | 60 - .../_sources/appdev/refs/types/krb5_kdc_req.txt | 105 - doc/html/_sources/appdev/refs/types/krb5_key.txt | 21 - .../_sources/appdev/refs/types/krb5_keyblock.txt | 45 - .../_sources/appdev/refs/types/krb5_keytab.txt | 20 - .../appdev/refs/types/krb5_keytab_entry.txt | 50 - .../_sources/appdev/refs/types/krb5_keyusage.txt | 20 - .../_sources/appdev/refs/types/krb5_kt_cursor.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_kvno.txt | 20 - .../appdev/refs/types/krb5_last_req_entry.txt | 40 - doc/html/_sources/appdev/refs/types/krb5_magic.txt | 20 - .../refs/types/krb5_mk_req_checksum_func.txt | 21 - .../_sources/appdev/refs/types/krb5_msgtype.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_octet.txt | 20 - .../_sources/appdev/refs/types/krb5_pa_data.txt | 45 - .../_sources/appdev/refs/types/krb5_pa_pac_req.txt | 29 - .../refs/types/krb5_pa_server_referral_data.txt | 49 - .../refs/types/krb5_pa_svr_referral_data.txt | 29 - doc/html/_sources/appdev/refs/types/krb5_pac.txt | 21 - .../_sources/appdev/refs/types/krb5_pointer.txt | 20 - .../appdev/refs/types/krb5_post_recv_fn.txt | 22 - .../appdev/refs/types/krb5_pre_send_fn.txt | 24 - .../appdev/refs/types/krb5_preauthtype.txt | 20 - .../_sources/appdev/refs/types/krb5_principal.txt | 49 - .../appdev/refs/types/krb5_principal_data.txt | 49 - .../_sources/appdev/refs/types/krb5_prompt.txt | 40 - .../appdev/refs/types/krb5_prompt_type.txt | 20 - .../appdev/refs/types/krb5_prompter_fct.txt | 21 - .../_sources/appdev/refs/types/krb5_pwd_data.txt | 39 - .../_sources/appdev/refs/types/krb5_rcache.txt | 20 - .../appdev/refs/types/krb5_replay_data.txt | 40 - .../appdev/refs/types/krb5_responder_context.txt | 22 - .../appdev/refs/types/krb5_responder_fn.txt | 21 - .../refs/types/krb5_responder_otp_challenge.txt | 34 - .../refs/types/krb5_responder_otp_tokeninfo.txt | 59 - .../refs/types/krb5_responder_pkinit_challenge.txt | 29 - .../refs/types/krb5_responder_pkinit_identity.txt | 34 - .../_sources/appdev/refs/types/krb5_response.txt | 49 - .../_sources/appdev/refs/types/krb5_ticket.txt | 45 - .../appdev/refs/types/krb5_ticket_times.txt | 45 - .../_sources/appdev/refs/types/krb5_timestamp.txt | 20 - .../appdev/refs/types/krb5_tkt_authent.txt | 45 - .../appdev/refs/types/krb5_tkt_creds_context.txt | 20 - .../appdev/refs/types/krb5_trace_callback.txt | 20 - .../_sources/appdev/refs/types/krb5_trace_info.txt | 30 - .../_sources/appdev/refs/types/krb5_transited.txt | 40 - .../_sources/appdev/refs/types/krb5_typed_data.txt | 44 - doc/html/_sources/appdev/refs/types/krb5_ui_2.txt | 20 - doc/html/_sources/appdev/refs/types/krb5_ui_4.txt | 20 - .../refs/types/krb5_verify_init_creds_opt.txt | 34 - .../appdev/refs/types/passwd_phrase_element.txt | 39 - doc/html/_sources/basic/ccache_def.txt | 153 - doc/html/_sources/basic/date_format.txt | 140 - doc/html/_sources/basic/index.txt | 14 - doc/html/_sources/basic/keytab_def.txt | 61 - doc/html/_sources/basic/rcache_def.txt | 97 - doc/html/_sources/basic/stash_file_def.txt | 25 - doc/html/_sources/build/directory_org.txt | 75 - doc/html/_sources/build/doing_build.txt | 158 - doc/html/_sources/build/index.txt | 63 - doc/html/_sources/build/options2configure.txt | 409 - doc/html/_sources/build/osconf.txt | 26 - doc/html/_sources/build_this.txt | 82 - doc/html/_sources/copyright.txt | 8 - doc/html/_sources/formats/ccache_file_format.txt | 176 - doc/html/_sources/formats/cookie.txt | 60 - doc/html/_sources/formats/index.txt | 9 - doc/html/_sources/formats/keytab_file_format.txt | 51 - doc/html/_sources/index.txt | 18 - doc/html/_sources/mitK5defaults.txt | 77 - doc/html/_sources/mitK5features.txt | 329 - doc/html/_sources/mitK5license.txt | 11 - doc/html/_sources/plugindev/ccselect.txt | 28 - doc/html/_sources/plugindev/clpreauth.txt | 54 - doc/html/_sources/plugindev/general.txt | 98 - doc/html/_sources/plugindev/gssapi.txt | 101 - doc/html/_sources/plugindev/hostrealm.txt | 39 - doc/html/_sources/plugindev/index.txt | 35 - doc/html/_sources/plugindev/internal.txt | 32 - doc/html/_sources/plugindev/kadm5_hook.txt | 27 - doc/html/_sources/plugindev/kdcpreauth.txt | 79 - doc/html/_sources/plugindev/localauth.txt | 43 - doc/html/_sources/plugindev/locate.txt | 32 - doc/html/_sources/plugindev/profile.txt | 96 - doc/html/_sources/plugindev/pwqual.txt | 25 - doc/html/_sources/resources.txt | 60 - doc/html/_sources/user/index.txt | 10 - doc/html/_sources/user/pwd_mgmt.txt | 106 - doc/html/_sources/user/tkt_mgmt.txt | 314 - doc/html/_sources/user/user_commands/index.txt | 17 - doc/html/_sources/user/user_commands/kdestroy.txt | 77 - doc/html/_sources/user/user_commands/kinit.txt | 228 - doc/html/_sources/user/user_commands/klist.txt | 132 - doc/html/_sources/user/user_commands/kpasswd.txt | 39 - .../_sources/user/user_commands/krb5-config.txt | 83 - doc/html/_sources/user/user_commands/ksu.txt | 387 - doc/html/_sources/user/user_commands/kswitch.txt | 56 - doc/html/_sources/user/user_commands/kvno.txt | 86 - doc/html/_sources/user/user_commands/sclient.txt | 24 - doc/html/_sources/user/user_config/index.txt | 12 - doc/html/_sources/user/user_config/k5identity.txt | 64 - doc/html/_sources/user/user_config/k5login.txt | 54 - doc/html/_static/agogo.css | 464 - doc/html/_static/ajax-loader.gif | Bin 673 -> 0 bytes doc/html/_static/basic.css | 537 - doc/html/_static/bgfooter.png | Bin 434 -> 0 bytes doc/html/_static/bgtop.png | Bin 430 -> 0 bytes doc/html/_static/comment-bright.png | Bin 3500 -> 0 bytes doc/html/_static/comment-close.png | Bin 3578 -> 0 bytes doc/html/_static/comment.png | Bin 3445 -> 0 bytes doc/html/_static/doctools.js | 238 - doc/html/_static/down-pressed.png | Bin 368 -> 0 bytes doc/html/_static/down.png | Bin 363 -> 0 bytes doc/html/_static/file.png | Bin 392 -> 0 bytes doc/html/_static/jquery.js | 9404 -------- doc/html/_static/kerb.css | 169 - doc/html/_static/minus.png | Bin 199 -> 0 bytes doc/html/_static/plus.png | Bin 199 -> 0 bytes doc/html/_static/pygments.css | 62 - doc/html/_static/searchtools.js | 622 - doc/html/_static/underscore.js | 1226 - doc/html/_static/up-pressed.png | Bin 372 -> 0 bytes doc/html/_static/up.png | Bin 363 -> 0 bytes doc/html/_static/websupport.js | 808 - doc/html/about.html | 166 - doc/html/admin/admin_commands/index.html | 185 - doc/html/admin/admin_commands/k5srvutil.html | 224 - doc/html/admin/admin_commands/kadmin_local.html | 982 - doc/html/admin/admin_commands/kadmind.html | 277 - doc/html/admin/admin_commands/kdb5_ldap_util.html | 560 - doc/html/admin/admin_commands/kdb5_util.html | 615 - doc/html/admin/admin_commands/kprop.html | 223 - doc/html/admin/admin_commands/kpropd.html | 286 - doc/html/admin/admin_commands/kproplog.html | 249 - doc/html/admin/admin_commands/krb5kdc.html | 277 - doc/html/admin/admin_commands/ktutil.html | 292 - doc/html/admin/admin_commands/sserver.html | 270 - doc/html/admin/advanced/index.html | 167 - doc/html/admin/advanced/ldapbackend.html | 304 - doc/html/admin/advanced/retiring-des.html | 550 - doc/html/admin/appl_servers.html | 356 - doc/html/admin/auth_indicator.html | 206 - doc/html/admin/backup_host.html | 191 - doc/html/admin/conf_files/index.html | 183 - doc/html/admin/conf_files/kadm5_acl.html | 334 - doc/html/admin/conf_files/kdc_conf.html | 1069 - doc/html/admin/conf_files/krb5_conf.html | 1300 -- doc/html/admin/conf_ldap.html | 328 - doc/html/admin/database.html | 1858 -- doc/html/admin/enctypes.html | 345 - doc/html/admin/env_variables.html | 192 - doc/html/admin/host_config.html | 366 - doc/html/admin/https.html | 200 - doc/html/admin/index.html | 187 - doc/html/admin/install.html | 202 - doc/html/admin/install_appl_srv.html | 235 - doc/html/admin/install_clients.html | 212 - doc/html/admin/install_kdc.html | 655 - doc/html/admin/lockout.html | 300 - doc/html/admin/otp.html | 248 - doc/html/admin/pkinit.html | 447 - doc/html/admin/princ_dns.html | 262 - doc/html/admin/realm_config.html | 399 - doc/html/admin/troubleshoot.html | 273 - doc/html/admin/various_envs.html | 189 - doc/html/appdev/gssapi.html | 705 - doc/html/appdev/h5l_mit_apidiff.html | 187 - doc/html/appdev/index.html | 155 - doc/html/appdev/init_creds.html | 442 - doc/html/appdev/princ_handle.html | 169 - doc/html/appdev/refs/api/index.html | 558 - .../appdev/refs/api/krb5_425_conv_principal.html | 177 - .../appdev/refs/api/krb5_524_conv_principal.html | 183 - .../appdev/refs/api/krb5_524_convert_creds.html | 177 - doc/html/appdev/refs/api/krb5_address_compare.html | 173 - doc/html/appdev/refs/api/krb5_address_order.html | 175 - doc/html/appdev/refs/api/krb5_address_search.html | 177 - .../appdev/refs/api/krb5_allow_weak_crypto.html | 173 - .../appdev/refs/api/krb5_aname_to_localname.html | 182 - .../appdev/refs/api/krb5_anonymous_principal.html | 164 - doc/html/appdev/refs/api/krb5_anonymous_realm.html | 164 - .../appdev/refs/api/krb5_appdefault_boolean.html | 170 - .../appdev/refs/api/krb5_appdefault_string.html | 170 - doc/html/appdev/refs/api/krb5_auth_con_free.html | 173 - .../appdev/refs/api/krb5_auth_con_genaddrs.html | 183 - .../refs/api/krb5_auth_con_get_checksum_func.html | 174 - .../appdev/refs/api/krb5_auth_con_getaddrs.html | 174 - .../refs/api/krb5_auth_con_getauthenticator.html | 174 - .../appdev/refs/api/krb5_auth_con_getflags.html | 182 - doc/html/appdev/refs/api/krb5_auth_con_getkey.html | 174 - .../appdev/refs/api/krb5_auth_con_getkey_k.html | 174 - .../refs/api/krb5_auth_con_getlocalseqnumber.html | 174 - .../refs/api/krb5_auth_con_getlocalsubkey.html | 163 - .../appdev/refs/api/krb5_auth_con_getrcache.html | 174 - .../refs/api/krb5_auth_con_getrecvsubkey.html | 174 - .../refs/api/krb5_auth_con_getrecvsubkey_k.html | 174 - .../refs/api/krb5_auth_con_getremoteseqnumber.html | 174 - .../refs/api/krb5_auth_con_getremotesubkey.html | 163 - .../refs/api/krb5_auth_con_getsendsubkey.html | 174 - .../refs/api/krb5_auth_con_getsendsubkey_k.html | 174 - doc/html/appdev/refs/api/krb5_auth_con_init.html | 175 - .../appdev/refs/api/krb5_auth_con_initivector.html | 163 - .../refs/api/krb5_auth_con_set_checksum_func.html | 175 - .../refs/api/krb5_auth_con_set_req_cksumtype.html | 174 - .../appdev/refs/api/krb5_auth_con_setaddrs.html | 179 - .../appdev/refs/api/krb5_auth_con_setflags.html | 182 - .../appdev/refs/api/krb5_auth_con_setports.html | 179 - .../appdev/refs/api/krb5_auth_con_setrcache.html | 174 - .../refs/api/krb5_auth_con_setrecvsubkey.html | 174 - .../refs/api/krb5_auth_con_setrecvsubkey_k.html | 178 - .../refs/api/krb5_auth_con_setsendsubkey.html | 174 - .../refs/api/krb5_auth_con_setsendsubkey_k.html | 178 - .../refs/api/krb5_auth_con_setuseruserkey.html | 173 - doc/html/appdev/refs/api/krb5_build_principal.html | 184 - .../refs/api/krb5_build_principal_alloc_va.html | 182 - .../appdev/refs/api/krb5_build_principal_ext.html | 180 - .../appdev/refs/api/krb5_build_principal_va.html | 165 - doc/html/appdev/refs/api/krb5_c_block_size.html | 173 - .../appdev/refs/api/krb5_c_checksum_length.html | 173 - doc/html/appdev/refs/api/krb5_c_crypto_length.html | 174 - .../appdev/refs/api/krb5_c_crypto_length_iov.html | 175 - doc/html/appdev/refs/api/krb5_c_decrypt.html | 181 - doc/html/appdev/refs/api/krb5_c_decrypt_iov.html | 186 - .../appdev/refs/api/krb5_c_derive_prfplus.html | 165 - doc/html/appdev/refs/api/krb5_c_encrypt.html | 181 - doc/html/appdev/refs/api/krb5_c_encrypt_iov.html | 186 - .../appdev/refs/api/krb5_c_encrypt_length.html | 175 - .../appdev/refs/api/krb5_c_enctype_compare.html | 175 - doc/html/appdev/refs/api/krb5_c_free_state.html | 173 - doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html | 177 - doc/html/appdev/refs/api/krb5_c_init_state.html | 174 - .../refs/api/krb5_c_is_coll_proof_cksum.html | 170 - .../appdev/refs/api/krb5_c_is_keyed_cksum.html | 170 - .../refs/api/krb5_c_keyed_checksum_types.html | 175 - doc/html/appdev/refs/api/krb5_c_keylengths.html | 174 - doc/html/appdev/refs/api/krb5_c_make_checksum.html | 185 - .../appdev/refs/api/krb5_c_make_checksum_iov.html | 185 - .../appdev/refs/api/krb5_c_make_random_key.html | 174 - .../appdev/refs/api/krb5_c_padding_length.html | 175 - doc/html/appdev/refs/api/krb5_c_prf.html | 175 - doc/html/appdev/refs/api/krb5_c_prf_length.html | 173 - doc/html/appdev/refs/api/krb5_c_prfplus.html | 179 - .../appdev/refs/api/krb5_c_random_add_entropy.html | 174 - .../appdev/refs/api/krb5_c_random_make_octets.html | 173 - .../appdev/refs/api/krb5_c_random_os_entropy.html | 174 - doc/html/appdev/refs/api/krb5_c_random_seed.html | 162 - doc/html/appdev/refs/api/krb5_c_random_to_key.html | 183 - doc/html/appdev/refs/api/krb5_c_string_to_key.html | 176 - .../refs/api/krb5_c_string_to_key_with_params.html | 177 - .../appdev/refs/api/krb5_c_valid_cksumtype.html | 170 - doc/html/appdev/refs/api/krb5_c_valid_enctype.html | 170 - .../appdev/refs/api/krb5_c_verify_checksum.html | 181 - .../refs/api/krb5_c_verify_checksum_iov.html | 186 - .../appdev/refs/api/krb5_calculate_checksum.html | 167 - doc/html/appdev/refs/api/krb5_cc_cache_match.html | 179 - doc/html/appdev/refs/api/krb5_cc_close.html | 178 - doc/html/appdev/refs/api/krb5_cc_copy_creds.html | 173 - doc/html/appdev/refs/api/krb5_cc_default.html | 180 - doc/html/appdev/refs/api/krb5_cc_default_name.html | 172 - doc/html/appdev/refs/api/krb5_cc_destroy.html | 178 - doc/html/appdev/refs/api/krb5_cc_dup.html | 163 - doc/html/appdev/refs/api/krb5_cc_end_seq_get.html | 178 - doc/html/appdev/refs/api/krb5_cc_gen_new.html | 161 - doc/html/appdev/refs/api/krb5_cc_get_config.html | 181 - doc/html/appdev/refs/api/krb5_cc_get_flags.html | 177 - .../appdev/refs/api/krb5_cc_get_full_name.html | 167 - doc/html/appdev/refs/api/krb5_cc_get_name.html | 176 - .../appdev/refs/api/krb5_cc_get_principal.html | 180 - doc/html/appdev/refs/api/krb5_cc_get_type.html | 172 - doc/html/appdev/refs/api/krb5_cc_initialize.html | 179 - .../appdev/refs/api/krb5_cc_last_change_time.html | 163 - doc/html/appdev/refs/api/krb5_cc_lock.html | 173 - doc/html/appdev/refs/api/krb5_cc_move.html | 179 - doc/html/appdev/refs/api/krb5_cc_new_unique.html | 179 - doc/html/appdev/refs/api/krb5_cc_next_cred.html | 180 - doc/html/appdev/refs/api/krb5_cc_remove_cred.html | 184 - doc/html/appdev/refs/api/krb5_cc_resolve.html | 179 - .../appdev/refs/api/krb5_cc_retrieve_cred.html | 194 - doc/html/appdev/refs/api/krb5_cc_select.html | 183 - doc/html/appdev/refs/api/krb5_cc_set_config.html | 188 - .../appdev/refs/api/krb5_cc_set_default_name.html | 180 - doc/html/appdev/refs/api/krb5_cc_set_flags.html | 174 - .../appdev/refs/api/krb5_cc_start_seq_get.html | 179 - doc/html/appdev/refs/api/krb5_cc_store_cred.html | 179 - .../appdev/refs/api/krb5_cc_support_switch.html | 177 - doc/html/appdev/refs/api/krb5_cc_switch.html | 178 - doc/html/appdev/refs/api/krb5_cc_unlock.html | 173 - .../appdev/refs/api/krb5_cccol_cursor_free.html | 176 - .../appdev/refs/api/krb5_cccol_cursor_new.html | 178 - .../appdev/refs/api/krb5_cccol_cursor_next.html | 182 - .../appdev/refs/api/krb5_cccol_have_content.html | 175 - .../refs/api/krb5_cccol_last_change_time.html | 174 - doc/html/appdev/refs/api/krb5_cccol_lock.html | 172 - doc/html/appdev/refs/api/krb5_cccol_unlock.html | 171 - doc/html/appdev/refs/api/krb5_change_password.html | 187 - doc/html/appdev/refs/api/krb5_check_clockskew.html | 178 - doc/html/appdev/refs/api/krb5_checksum_size.html | 162 - doc/html/appdev/refs/api/krb5_chpw_message.html | 184 - .../appdev/refs/api/krb5_cksumtype_to_string.html | 173 - .../appdev/refs/api/krb5_clear_error_message.html | 160 - doc/html/appdev/refs/api/krb5_copy_addresses.html | 174 - doc/html/appdev/refs/api/krb5_copy_authdata.html | 178 - .../appdev/refs/api/krb5_copy_authenticator.html | 174 - doc/html/appdev/refs/api/krb5_copy_checksum.html | 174 - doc/html/appdev/refs/api/krb5_copy_context.html | 178 - doc/html/appdev/refs/api/krb5_copy_creds.html | 174 - doc/html/appdev/refs/api/krb5_copy_data.html | 174 - .../appdev/refs/api/krb5_copy_error_message.html | 161 - doc/html/appdev/refs/api/krb5_copy_keyblock.html | 174 - .../refs/api/krb5_copy_keyblock_contents.html | 174 - doc/html/appdev/refs/api/krb5_copy_principal.html | 174 - doc/html/appdev/refs/api/krb5_copy_ticket.html | 174 - .../refs/api/krb5_decode_authdata_container.html | 178 - doc/html/appdev/refs/api/krb5_decode_ticket.html | 172 - doc/html/appdev/refs/api/krb5_decrypt.html | 166 - .../appdev/refs/api/krb5_deltat_to_string.html | 173 - doc/html/appdev/refs/api/krb5_eblock_enctype.html | 162 - .../refs/api/krb5_encode_authdata_container.html | 179 - doc/html/appdev/refs/api/krb5_encrypt.html | 166 - doc/html/appdev/refs/api/krb5_encrypt_size.html | 162 - doc/html/appdev/refs/api/krb5_enctype_to_name.html | 179 - .../appdev/refs/api/krb5_enctype_to_string.html | 173 - doc/html/appdev/refs/api/krb5_expand_hostname.html | 167 - doc/html/appdev/refs/api/krb5_find_authdata.html | 169 - doc/html/appdev/refs/api/krb5_finish_key.html | 162 - .../appdev/refs/api/krb5_finish_random_key.html | 163 - doc/html/appdev/refs/api/krb5_free_addresses.html | 166 - .../appdev/refs/api/krb5_free_ap_rep_enc_part.html | 162 - doc/html/appdev/refs/api/krb5_free_authdata.html | 166 - .../appdev/refs/api/krb5_free_authenticator.html | 162 - doc/html/appdev/refs/api/krb5_free_checksum.html | 162 - .../refs/api/krb5_free_checksum_contents.html | 162 - doc/html/appdev/refs/api/krb5_free_cksumtypes.html | 161 - doc/html/appdev/refs/api/krb5_free_context.html | 160 - .../appdev/refs/api/krb5_free_cred_contents.html | 162 - doc/html/appdev/refs/api/krb5_free_creds.html | 162 - doc/html/appdev/refs/api/krb5_free_data.html | 162 - .../appdev/refs/api/krb5_free_data_contents.html | 162 - .../appdev/refs/api/krb5_free_default_realm.html | 161 - doc/html/appdev/refs/api/krb5_free_enctypes.html | 165 - doc/html/appdev/refs/api/krb5_free_error.html | 162 - .../appdev/refs/api/krb5_free_error_message.html | 161 - doc/html/appdev/refs/api/krb5_free_host_realm.html | 177 - doc/html/appdev/refs/api/krb5_free_keyblock.html | 162 - .../refs/api/krb5_free_keyblock_contents.html | 162 - .../refs/api/krb5_free_keytab_entry_contents.html | 176 - doc/html/appdev/refs/api/krb5_free_principal.html | 161 - doc/html/appdev/refs/api/krb5_free_string.html | 165 - doc/html/appdev/refs/api/krb5_free_tgt_creds.html | 165 - doc/html/appdev/refs/api/krb5_free_ticket.html | 162 - .../appdev/refs/api/krb5_free_unparsed_name.html | 161 - doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html | 188 - doc/html/appdev/refs/api/krb5_get_credentials.html | 194 - .../refs/api/krb5_get_credentials_renew.html | 165 - .../refs/api/krb5_get_credentials_validate.html | 165 - .../appdev/refs/api/krb5_get_default_realm.html | 179 - .../appdev/refs/api/krb5_get_error_message.html | 168 - .../refs/api/krb5_get_fallback_host_realm.html | 165 - doc/html/appdev/refs/api/krb5_get_host_realm.html | 182 - .../refs/api/krb5_get_in_tkt_with_keytab.html | 169 - .../refs/api/krb5_get_in_tkt_with_password.html | 169 - .../appdev/refs/api/krb5_get_in_tkt_with_skey.html | 169 - .../refs/api/krb5_get_init_creds_keytab.html | 183 - .../refs/api/krb5_get_init_creds_opt_alloc.html | 173 - .../refs/api/krb5_get_init_creds_opt_free.html | 165 - .../krb5_get_init_creds_opt_get_fast_flags.html | 173 - .../refs/api/krb5_get_init_creds_opt_init.html | 160 - .../krb5_get_init_creds_opt_set_address_list.html | 161 - .../api/krb5_get_init_creds_opt_set_anonymous.html | 162 - .../krb5_get_init_creds_opt_set_canonicalize.html | 161 - ..._init_creds_opt_set_change_password_prompt.html | 162 - .../krb5_get_init_creds_opt_set_etype_list.html | 162 - ...rb5_get_init_creds_opt_set_expire_callback.html | 176 - .../krb5_get_init_creds_opt_set_fast_ccache.html | 167 - ...b5_get_init_creds_opt_set_fast_ccache_name.html | 164 - .../krb5_get_init_creds_opt_set_fast_flags.html | 179 - .../krb5_get_init_creds_opt_set_forwardable.html | 161 - .../api/krb5_get_init_creds_opt_set_in_ccache.html | 167 - .../krb5_get_init_creds_opt_set_out_ccache.html | 163 - .../refs/api/krb5_get_init_creds_opt_set_pa.html | 164 - .../krb5_get_init_creds_opt_set_pac_request.html | 167 - .../krb5_get_init_creds_opt_set_preauth_list.html | 163 - .../api/krb5_get_init_creds_opt_set_proxiable.html | 161 - .../krb5_get_init_creds_opt_set_renew_life.html | 161 - .../api/krb5_get_init_creds_opt_set_responder.html | 167 - .../refs/api/krb5_get_init_creds_opt_set_salt.html | 162 - .../api/krb5_get_init_creds_opt_set_tkt_life.html | 161 - .../refs/api/krb5_get_init_creds_password.html | 194 - .../refs/api/krb5_get_permitted_enctypes.html | 174 - doc/html/appdev/refs/api/krb5_get_profile.html | 179 - .../appdev/refs/api/krb5_get_prompt_types.html | 170 - .../appdev/refs/api/krb5_get_renewed_creds.html | 182 - .../appdev/refs/api/krb5_get_server_rcache.html | 174 - .../appdev/refs/api/krb5_get_time_offsets.html | 174 - .../appdev/refs/api/krb5_get_validated_creds.html | 187 - doc/html/appdev/refs/api/krb5_init_context.html | 180 - .../appdev/refs/api/krb5_init_context_profile.html | 169 - doc/html/appdev/refs/api/krb5_init_creds_free.html | 161 - doc/html/appdev/refs/api/krb5_init_creds_get.html | 173 - .../appdev/refs/api/krb5_init_creds_get_creds.html | 174 - .../appdev/refs/api/krb5_init_creds_get_error.html | 173 - .../appdev/refs/api/krb5_init_creds_get_times.html | 174 - doc/html/appdev/refs/api/krb5_init_creds_init.html | 178 - .../refs/api/krb5_init_creds_set_keytab.html | 174 - .../refs/api/krb5_init_creds_set_password.html | 174 - .../refs/api/krb5_init_creds_set_service.html | 174 - doc/html/appdev/refs/api/krb5_init_creds_step.html | 179 - doc/html/appdev/refs/api/krb5_init_keyblock.html | 179 - doc/html/appdev/refs/api/krb5_init_random_key.html | 164 - .../appdev/refs/api/krb5_init_secure_context.html | 177 - .../appdev/refs/api/krb5_is_config_principal.html | 172 - .../appdev/refs/api/krb5_is_referral_realm.html | 170 - doc/html/appdev/refs/api/krb5_is_thread_safe.html | 170 - doc/html/appdev/refs/api/krb5_k_create_key.html | 174 - doc/html/appdev/refs/api/krb5_k_decrypt.html | 181 - doc/html/appdev/refs/api/krb5_k_decrypt_iov.html | 186 - doc/html/appdev/refs/api/krb5_k_encrypt.html | 181 - doc/html/appdev/refs/api/krb5_k_encrypt_iov.html | 186 - doc/html/appdev/refs/api/krb5_k_free_key.html | 161 - doc/html/appdev/refs/api/krb5_k_key_enctype.html | 161 - doc/html/appdev/refs/api/krb5_k_key_keyblock.html | 162 - doc/html/appdev/refs/api/krb5_k_make_checksum.html | 185 - .../appdev/refs/api/krb5_k_make_checksum_iov.html | 185 - doc/html/appdev/refs/api/krb5_k_prf.html | 179 - doc/html/appdev/refs/api/krb5_k_reference_key.html | 161 - .../appdev/refs/api/krb5_k_verify_checksum.html | 181 - .../refs/api/krb5_k_verify_checksum_iov.html | 186 - doc/html/appdev/refs/api/krb5_kt_add_entry.html | 180 - .../appdev/refs/api/krb5_kt_client_default.html | 182 - doc/html/appdev/refs/api/krb5_kt_close.html | 172 - doc/html/appdev/refs/api/krb5_kt_default.html | 178 - doc/html/appdev/refs/api/krb5_kt_default_name.html | 180 - doc/html/appdev/refs/api/krb5_kt_dup.html | 167 - doc/html/appdev/refs/api/krb5_kt_end_seq_get.html | 179 - doc/html/appdev/refs/api/krb5_kt_free_entry.html | 162 - doc/html/appdev/refs/api/krb5_kt_get_entry.html | 183 - doc/html/appdev/refs/api/krb5_kt_get_name.html | 181 - doc/html/appdev/refs/api/krb5_kt_get_type.html | 172 - doc/html/appdev/refs/api/krb5_kt_have_content.html | 177 - doc/html/appdev/refs/api/krb5_kt_next_entry.html | 181 - .../appdev/refs/api/krb5_kt_read_service_key.html | 184 - doc/html/appdev/refs/api/krb5_kt_remove_entry.html | 179 - doc/html/appdev/refs/api/krb5_kt_resolve.html | 182 - .../appdev/refs/api/krb5_kt_start_seq_get.html | 179 - doc/html/appdev/refs/api/krb5_kuserok.html | 174 - .../refs/api/krb5_make_authdata_kdc_issued.html | 165 - doc/html/appdev/refs/api/krb5_merge_authdata.html | 179 - doc/html/appdev/refs/api/krb5_mk_1cred.html | 183 - doc/html/appdev/refs/api/krb5_mk_error.html | 174 - doc/html/appdev/refs/api/krb5_mk_ncred.html | 188 - doc/html/appdev/refs/api/krb5_mk_priv.html | 190 - doc/html/appdev/refs/api/krb5_mk_rep.html | 176 - doc/html/appdev/refs/api/krb5_mk_rep_dce.html | 174 - doc/html/appdev/refs/api/krb5_mk_req.html | 180 - doc/html/appdev/refs/api/krb5_mk_req_extended.html | 192 - doc/html/appdev/refs/api/krb5_mk_safe.html | 185 - doc/html/appdev/refs/api/krb5_os_localaddr.html | 173 - doc/html/appdev/refs/api/krb5_pac_add_buffer.html | 187 - doc/html/appdev/refs/api/krb5_pac_free.html | 162 - doc/html/appdev/refs/api/krb5_pac_get_buffer.html | 175 - doc/html/appdev/refs/api/krb5_pac_get_types.html | 174 - doc/html/appdev/refs/api/krb5_pac_init.html | 173 - doc/html/appdev/refs/api/krb5_pac_parse.html | 175 - doc/html/appdev/refs/api/krb5_pac_sign.html | 171 - doc/html/appdev/refs/api/krb5_pac_verify.html | 182 - doc/html/appdev/refs/api/krb5_parse_name.html | 186 - .../appdev/refs/api/krb5_parse_name_flags.html | 193 - .../refs/api/krb5_prepend_error_message.html | 163 - doc/html/appdev/refs/api/krb5_principal2salt.html | 173 - .../appdev/refs/api/krb5_principal_compare.html | 173 - .../refs/api/krb5_principal_compare_any_realm.html | 174 - .../refs/api/krb5_principal_compare_flags.html | 187 - doc/html/appdev/refs/api/krb5_process_key.html | 163 - doc/html/appdev/refs/api/krb5_prompter_posix.html | 183 - doc/html/appdev/refs/api/krb5_random_key.html | 164 - doc/html/appdev/refs/api/krb5_rd_cred.html | 182 - doc/html/appdev/refs/api/krb5_rd_error.html | 174 - doc/html/appdev/refs/api/krb5_rd_priv.html | 189 - doc/html/appdev/refs/api/krb5_rd_rep.html | 176 - doc/html/appdev/refs/api/krb5_rd_rep_dce.html | 175 - doc/html/appdev/refs/api/krb5_rd_req.html | 193 - doc/html/appdev/refs/api/krb5_rd_safe.html | 192 - doc/html/appdev/refs/api/krb5_read_password.html | 185 - doc/html/appdev/refs/api/krb5_realm_compare.html | 173 - doc/html/appdev/refs/api/krb5_recvauth.html | 184 - .../appdev/refs/api/krb5_recvauth_version.html | 179 - .../refs/api/krb5_responder_get_challenge.html | 167 - .../refs/api/krb5_responder_list_questions.html | 166 - .../api/krb5_responder_otp_challenge_free.html | 166 - .../refs/api/krb5_responder_otp_get_challenge.html | 168 - .../refs/api/krb5_responder_otp_set_answer.html | 168 - .../api/krb5_responder_pkinit_challenge_free.html | 166 - .../api/krb5_responder_pkinit_get_challenge.html | 168 - .../refs/api/krb5_responder_pkinit_set_answer.html | 167 - .../appdev/refs/api/krb5_responder_set_answer.html | 179 - .../appdev/refs/api/krb5_salttype_to_string.html | 173 - doc/html/appdev/refs/api/krb5_sendauth.html | 200 - .../api/krb5_server_decrypt_ticket_keytab.html | 174 - .../appdev/refs/api/krb5_set_default_realm.html | 178 - .../refs/api/krb5_set_default_tgs_enctypes.html | 183 - .../appdev/refs/api/krb5_set_error_message.html | 162 - .../appdev/refs/api/krb5_set_kdc_recv_hook.html | 168 - .../appdev/refs/api/krb5_set_kdc_send_hook.html | 168 - doc/html/appdev/refs/api/krb5_set_password.html | 188 - .../refs/api/krb5_set_password_using_ccache.html | 188 - .../appdev/refs/api/krb5_set_principal_realm.html | 179 - doc/html/appdev/refs/api/krb5_set_real_time.html | 174 - .../appdev/refs/api/krb5_set_trace_callback.html | 182 - .../appdev/refs/api/krb5_set_trace_filename.html | 181 - doc/html/appdev/refs/api/krb5_sname_match.html | 178 - .../appdev/refs/api/krb5_sname_to_principal.html | 191 - .../appdev/refs/api/krb5_string_to_cksumtype.html | 172 - .../appdev/refs/api/krb5_string_to_deltat.html | 172 - .../appdev/refs/api/krb5_string_to_enctype.html | 172 - doc/html/appdev/refs/api/krb5_string_to_key.html | 165 - .../appdev/refs/api/krb5_string_to_salttype.html | 172 - .../appdev/refs/api/krb5_string_to_timestamp.html | 172 - doc/html/appdev/refs/api/krb5_timeofday.html | 178 - .../refs/api/krb5_timestamp_to_sfstring.html | 175 - .../appdev/refs/api/krb5_timestamp_to_string.html | 174 - doc/html/appdev/refs/api/krb5_tkt_creds_free.html | 165 - doc/html/appdev/refs/api/krb5_tkt_creds_get.html | 177 - .../appdev/refs/api/krb5_tkt_creds_get_creds.html | 178 - .../appdev/refs/api/krb5_tkt_creds_get_times.html | 178 - doc/html/appdev/refs/api/krb5_tkt_creds_init.html | 182 - doc/html/appdev/refs/api/krb5_tkt_creds_step.html | 183 - doc/html/appdev/refs/api/krb5_unparse_name.html | 180 - .../appdev/refs/api/krb5_unparse_name_ext.html | 181 - .../appdev/refs/api/krb5_unparse_name_flags.html | 191 - .../refs/api/krb5_unparse_name_flags_ext.html | 180 - doc/html/appdev/refs/api/krb5_us_timeofday.html | 179 - doc/html/appdev/refs/api/krb5_use_enctype.html | 163 - .../refs/api/krb5_verify_authdata_kdc_issued.html | 165 - doc/html/appdev/refs/api/krb5_verify_checksum.html | 167 - .../appdev/refs/api/krb5_verify_init_creds.html | 179 - .../refs/api/krb5_verify_init_creds_opt_init.html | 159 - ...b5_verify_init_creds_opt_set_ap_req_nofail.html | 163 - .../refs/api/krb5_vprepend_error_message.html | 164 - .../appdev/refs/api/krb5_vset_error_message.html | 163 - .../appdev/refs/api/krb5_vwrap_error_message.html | 165 - .../appdev/refs/api/krb5_wrap_error_message.html | 164 - doc/html/appdev/refs/index.html | 153 - doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_DDP.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_INET.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_INET6.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_ISO.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html | 162 - doc/html/appdev/refs/macros/ADDRTYPE_XNS.html | 162 - doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html | 162 - .../refs/macros/AD_TYPE_FIELD_TYPE_MASK.html | 162 - .../appdev/refs/macros/AD_TYPE_REGISTERED.html | 162 - doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html | 162 - .../refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html | 162 - .../refs/macros/AP_OPTS_MUTUAL_REQUIRED.html | 163 - doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html | 162 - .../refs/macros/AP_OPTS_USE_SESSION_KEY.html | 163 - .../appdev/refs/macros/AP_OPTS_USE_SUBKEY.html | 163 - doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html | 162 - .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html | 163 - .../refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html | 163 - doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html | 162 - doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html | 162 - .../refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html | 163 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html | 164 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html | 164 - .../refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html | 162 - .../macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html | 163 - .../macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html | 163 - .../refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html | 162 - .../appdev/refs/macros/CKSUMTYPE_NIST_SHA.html | 162 - doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html | 162 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html | 162 - doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html | 162 - .../appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html | 162 - .../macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html | 163 - .../macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html | 163 - .../macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html | 163 - .../macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html | 163 - .../appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html | 163 - .../refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html | 163 - .../refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html | 163 - .../refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html | 163 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html | 163 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html | 162 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html | 162 - .../appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html | 162 - .../appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html | 163 - .../appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html | 163 - .../appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html | 163 - .../appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html | 162 - .../appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html | 162 - .../appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html | 163 - .../appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html | 163 - doc/html/appdev/refs/macros/ENCTYPE_NULL.html | 162 - .../appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html | 163 - doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html | 163 - .../refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html | 163 - .../appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html | 163 - doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html | 162 - .../appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html | 162 - .../appdev/refs/macros/KDC_OPT_CANONICALIZE.html | 162 - .../refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html | 162 - .../macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html | 162 - .../refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html | 162 - .../appdev/refs/macros/KDC_OPT_FORWARDABLE.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_PROXY.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_RENEW.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html | 162 - .../appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html | 162 - .../refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html | 162 - doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html | 162 - .../appdev/refs/macros/KDC_TKT_COMMON_MASK.html | 162 - .../KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html | 163 - .../refs/macros/KRB5_ANONYMOUS_PRINCSTR.html | 163 - .../refs/macros/KRB5_ANONYMOUS_REALMSTR.html | 163 - doc/html/appdev/refs/macros/KRB5_AP_REP.html | 163 - doc/html/appdev/refs/macros/KRB5_AP_REQ.html | 163 - doc/html/appdev/refs/macros/KRB5_AS_REP.html | 163 - doc/html/appdev/refs/macros/KRB5_AS_REQ.html | 163 - .../appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html | 162 - .../refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html | 162 - .../appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html | 162 - .../macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html | 163 - .../appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html | 162 - .../refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html | 162 - .../macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html | 162 - .../refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html | 162 - .../macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html | 162 - .../appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html | 162 - .../appdev/refs/macros/KRB5_AUTHDATA_SESAME.html | 162 - .../refs/macros/KRB5_AUTHDATA_SIGNTICKET.html | 163 - .../refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html | 162 - .../refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html | 163 - .../refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html | 163 - .../KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html | 163 - ...KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html | 163 - .../KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html | 163 - ...RB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html | 163 - .../refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html | 162 - .../macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html | 163 - .../refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html | 163 - .../refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html | 162 - doc/html/appdev/refs/macros/KRB5_CRED.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html | 163 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html | 163 - .../appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_HEADER.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_PADDING.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_STREAM.html | 163 - .../refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html | 163 - .../refs/macros/KRB5_CYBERSAFE_SECUREID.html | 164 - .../refs/macros/KRB5_DOMAIN_X500_COMPRESS.html | 163 - .../refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html | 163 - doc/html/appdev/refs/macros/KRB5_ERROR.html | 163 - .../appdev/refs/macros/KRB5_FAST_REQUIRED.html | 163 - doc/html/appdev/refs/macros/KRB5_GC_CACHED.html | 163 - .../appdev/refs/macros/KRB5_GC_CANONICALIZE.html | 163 - .../macros/KRB5_GC_CONSTRAINED_DELEGATION.html | 163 - .../appdev/refs/macros/KRB5_GC_FORWARDABLE.html | 163 - doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html | 163 - .../refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html | 163 - doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html | 163 - .../KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html | 162 - .../macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html | 162 - .../KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html | 162 - .../KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html | 162 - .../macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html | 162 - .../KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html | 162 - .../KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html | 162 - .../macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html | 162 - .../macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html | 162 - .../refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html | 162 - .../macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html | 162 - .../appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html | 163 - .../refs/macros/KRB5_INIT_CONTEXT_SECURE.html | 163 - .../macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html | 163 - doc/html/appdev/refs/macros/KRB5_INT16_MAX.html | 162 - doc/html/appdev/refs/macros/KRB5_INT16_MIN.html | 162 - doc/html/appdev/refs/macros/KRB5_INT32_MAX.html | 162 - doc/html/appdev/refs/macros/KRB5_INT32_MIN.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html | 162 - .../macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html | 162 - .../refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html | 162 - .../refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html | 162 - .../macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html | 162 - .../refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html | 162 - .../refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html | 162 - .../macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html | 162 - .../refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html | 162 - .../macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html | 162 - .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html | 162 - .../macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html | 162 - .../refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html | 162 - .../appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html | 162 - .../refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html | 162 - .../refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html | 162 - .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html | 162 - .../macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html | 162 - .../refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html | 162 - .../refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html | 162 - .../macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html | 162 - .../refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html | 162 - .../macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html | 162 - .../refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html | 162 - .../refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html | 163 - .../refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html | 163 - .../refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html | 162 - .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html | 163 - .../KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html | 163 - .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html | 162 - .../KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html | 163 - .../refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html | 163 - .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html | 162 - .../KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html | 162 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html | 162 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html | 162 - .../refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html | 162 - .../macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html | 162 - .../refs/macros/KRB5_KPASSWD_ACCESSDENIED.html | 163 - .../appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html | 163 - .../refs/macros/KRB5_KPASSWD_BAD_VERSION.html | 163 - .../appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html | 163 - .../macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html | 163 - .../appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html | 163 - .../appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html | 163 - .../appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html | 163 - .../refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html | 162 - .../refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html | 162 - .../refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html | 162 - .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html | 162 - .../appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html | 162 - .../refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html | 162 - .../refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html | 162 - doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html | 162 - .../refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html | 162 - .../refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html | 162 - .../refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html | 162 - .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html | 162 - .../appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html | 162 - .../refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html | 162 - .../refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html | 162 - .../refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html | 163 - .../refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html | 163 - .../appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html | 163 - .../refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_UID.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html | 163 - doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html | 163 - .../appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html | 163 - .../appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html | 163 - .../refs/macros/KRB5_PAC_CREDENTIALS_INFO.html | 163 - .../refs/macros/KRB5_PAC_DELEGATION_INFO.html | 163 - .../appdev/refs/macros/KRB5_PAC_LOGON_INFO.html | 163 - .../refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html | 163 - .../refs/macros/KRB5_PAC_SERVER_CHECKSUM.html | 163 - .../appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html | 163 - .../appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html | 164 - .../appdev/refs/macros/KRB5_PADATA_AP_REQ.html | 162 - .../refs/macros/KRB5_PADATA_AS_CHECKSUM.html | 163 - .../macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html | 163 - .../macros/KRB5_PADATA_ENC_SANDIA_SECURID.html | 164 - .../refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html | 163 - .../refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html | 164 - .../appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html | 164 - .../refs/macros/KRB5_PADATA_ETYPE_INFO2.html | 163 - .../appdev/refs/macros/KRB5_PADATA_FOR_USER.html | 163 - .../appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html | 163 - .../appdev/refs/macros/KRB5_PADATA_FX_ERROR.html | 163 - .../appdev/refs/macros/KRB5_PADATA_FX_FAST.html | 163 - .../macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html | 164 - doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html | 162 - .../appdev/refs/macros/KRB5_PADATA_OSF_DCE.html | 164 - .../refs/macros/KRB5_PADATA_OTP_CHALLENGE.html | 163 - .../refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html | 163 - .../refs/macros/KRB5_PADATA_OTP_REQUEST.html | 163 - .../refs/macros/KRB5_PADATA_PAC_REQUEST.html | 163 - .../appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html | 163 - .../appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html | 164 - .../refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html | 163 - .../appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html | 164 - .../refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html | 163 - .../appdev/refs/macros/KRB5_PADATA_PW_SALT.html | 163 - .../appdev/refs/macros/KRB5_PADATA_REFERRAL.html | 163 - .../refs/macros/KRB5_PADATA_S4U_X509_USER.html | 163 - .../refs/macros/KRB5_PADATA_SAM_CHALLENGE.html | 163 - .../refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html | 163 - .../refs/macros/KRB5_PADATA_SAM_REDIRECT.html | 164 - .../refs/macros/KRB5_PADATA_SAM_RESPONSE.html | 163 - .../refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html | 163 - .../appdev/refs/macros/KRB5_PADATA_SESAME.html | 164 - .../refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html | 164 - .../appdev/refs/macros/KRB5_PADATA_TGS_REQ.html | 162 - .../macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html | 163 - .../macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html | 163 - .../macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html | 163 - .../KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html | 163 - .../refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html | 163 - .../macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html | 163 - .../macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html | 163 - .../refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html | 163 - .../macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html | 163 - .../macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html | 163 - .../macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html | 163 - .../refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html | 163 - doc/html/appdev/refs/macros/KRB5_PRIV.html | 163 - .../refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html | 163 - .../KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html | 163 - .../refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html | 163 - .../refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html | 163 - doc/html/appdev/refs/macros/KRB5_PVNO.html | 163 - .../appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html | 162 - .../refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html | 162 - .../refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html | 162 - .../appdev/refs/macros/KRB5_REFERRAL_REALM.html | 163 - .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html | 163 - .../KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html | 163 - .../macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html | 164 - .../KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html | 164 - .../KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html | 162 - .../macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html | 163 - .../KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html | 162 - ...NDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html | 163 - ...NDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html | 163 - ...SPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html | 163 - .../refs/macros/KRB5_RESPONDER_QUESTION_OTP.html | 186 - .../macros/KRB5_RESPONDER_QUESTION_PASSWORD.html | 164 - .../macros/KRB5_RESPONDER_QUESTION_PKINIT.html | 173 - doc/html/appdev/refs/macros/KRB5_SAFE.html | 163 - .../refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html | 163 - .../refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html | 162 - .../refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html | 162 - .../appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html | 163 - .../appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html | 163 - .../appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html | 163 - .../refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html | 163 - .../appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html | 163 - .../appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html | 163 - .../refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html | 163 - .../appdev/refs/macros/KRB5_TC_MATCH_TIMES.html | 163 - .../refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html | 163 - doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html | 162 - doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html | 163 - .../refs/macros/KRB5_TC_SUPPORTED_KTYPES.html | 163 - doc/html/appdev/refs/macros/KRB5_TGS_NAME.html | 162 - .../appdev/refs/macros/KRB5_TGS_NAME_SIZE.html | 162 - doc/html/appdev/refs/macros/KRB5_TGS_REP.html | 163 - doc/html/appdev/refs/macros/KRB5_TGS_REQ.html | 163 - .../macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html | 163 - .../KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html | 162 - .../appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html | 163 - .../refs/macros/LR_TYPE_INTERPRETATION_MASK.html | 162 - .../refs/macros/LR_TYPE_THIS_SERVER_ONLY.html | 162 - .../appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html | 163 - doc/html/appdev/refs/macros/MSEC_DIRBIT.html | 162 - doc/html/appdev/refs/macros/MSEC_VAL_MASK.html | 162 - .../appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html | 162 - .../appdev/refs/macros/SALT_TYPE_NO_LENGTH.html | 162 - doc/html/appdev/refs/macros/THREEPARAMOPEN.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html | 162 - .../appdev/refs/macros/TKT_FLG_ENC_PA_REP.html | 162 - .../appdev/refs/macros/TKT_FLG_FORWARDABLE.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_INVALID.html | 162 - .../appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html | 162 - .../appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_PROXY.html | 162 - doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html | 162 - .../macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html | 162 - doc/html/appdev/refs/macros/VALID_INT_BITS.html | 162 - doc/html/appdev/refs/macros/VALID_UINT_BITS.html | 162 - doc/html/appdev/refs/macros/index.html | 528 - .../refs/macros/krb524_convert_creds_kdc.html | 162 - doc/html/appdev/refs/macros/krb524_init_ets.html | 162 - doc/html/appdev/refs/macros/krb5_const.html | 162 - .../appdev/refs/macros/krb5_princ_component.html | 162 - doc/html/appdev/refs/macros/krb5_princ_name.html | 162 - doc/html/appdev/refs/macros/krb5_princ_realm.html | 162 - .../appdev/refs/macros/krb5_princ_set_realm.html | 162 - .../refs/macros/krb5_princ_set_realm_data.html | 162 - .../refs/macros/krb5_princ_set_realm_length.html | 162 - doc/html/appdev/refs/macros/krb5_princ_size.html | 162 - doc/html/appdev/refs/macros/krb5_princ_type.html | 162 - doc/html/appdev/refs/macros/krb5_roundup.html | 162 - doc/html/appdev/refs/macros/krb5_x.html | 162 - doc/html/appdev/refs/macros/krb5_xc.html | 162 - doc/html/appdev/refs/types/index.html | 256 - doc/html/appdev/refs/types/krb5_address.html | 183 - doc/html/appdev/refs/types/krb5_addrtype.html | 158 - doc/html/appdev/refs/types/krb5_ap_rep.html | 175 - .../appdev/refs/types/krb5_ap_rep_enc_part.html | 192 - doc/html/appdev/refs/types/krb5_ap_req.html | 186 - doc/html/appdev/refs/types/krb5_auth_context.html | 158 - doc/html/appdev/refs/types/krb5_authdata.html | 186 - doc/html/appdev/refs/types/krb5_authdatatype.html | 158 - doc/html/appdev/refs/types/krb5_authenticator.html | 211 - doc/html/appdev/refs/types/krb5_boolean.html | 158 - doc/html/appdev/refs/types/krb5_cc_cursor.html | 159 - doc/html/appdev/refs/types/krb5_ccache.html | 158 - doc/html/appdev/refs/types/krb5_cccol_cursor.html | 159 - doc/html/appdev/refs/types/krb5_checksum.html | 182 - doc/html/appdev/refs/types/krb5_cksumtype.html | 158 - doc/html/appdev/refs/types/krb5_const_pointer.html | 158 - .../appdev/refs/types/krb5_const_principal.html | 189 - doc/html/appdev/refs/types/krb5_context.html | 158 - doc/html/appdev/refs/types/krb5_cred.html | 186 - doc/html/appdev/refs/types/krb5_cred_enc_part.html | 203 - doc/html/appdev/refs/types/krb5_cred_info.html | 204 - doc/html/appdev/refs/types/krb5_creds.html | 228 - doc/html/appdev/refs/types/krb5_crypto_iov.html | 175 - doc/html/appdev/refs/types/krb5_cryptotype.html | 158 - doc/html/appdev/refs/types/krb5_data.html | 177 - doc/html/appdev/refs/types/krb5_deltat.html | 158 - doc/html/appdev/refs/types/krb5_enc_data.html | 182 - .../appdev/refs/types/krb5_enc_kdc_rep_part.html | 229 - doc/html/appdev/refs/types/krb5_enc_tkt_part.html | 210 - doc/html/appdev/refs/types/krb5_encrypt_block.html | 177 - doc/html/appdev/refs/types/krb5_enctype.html | 158 - doc/html/appdev/refs/types/krb5_error.html | 222 - doc/html/appdev/refs/types/krb5_error_code.html | 160 - .../refs/types/krb5_expire_callback_func.html | 158 - doc/html/appdev/refs/types/krb5_flags.html | 158 - .../appdev/refs/types/krb5_get_init_creds_opt.html | 218 - .../appdev/refs/types/krb5_gic_opt_pa_data.html | 173 - .../appdev/refs/types/krb5_init_creds_context.html | 158 - doc/html/appdev/refs/types/krb5_int16.html | 158 - doc/html/appdev/refs/types/krb5_int32.html | 158 - doc/html/appdev/refs/types/krb5_kdc_rep.html | 204 - doc/html/appdev/refs/types/krb5_kdc_req.html | 258 - doc/html/appdev/refs/types/krb5_key.html | 160 - doc/html/appdev/refs/types/krb5_keyblock.html | 183 - doc/html/appdev/refs/types/krb5_keytab.html | 158 - doc/html/appdev/refs/types/krb5_keytab_entry.html | 192 - doc/html/appdev/refs/types/krb5_keyusage.html | 158 - doc/html/appdev/refs/types/krb5_kt_cursor.html | 158 - doc/html/appdev/refs/types/krb5_kvno.html | 158 - .../appdev/refs/types/krb5_last_req_entry.html | 180 - doc/html/appdev/refs/types/krb5_magic.html | 158 - .../refs/types/krb5_mk_req_checksum_func.html | 159 - doc/html/appdev/refs/types/krb5_msgtype.html | 158 - doc/html/appdev/refs/types/krb5_octet.html | 158 - doc/html/appdev/refs/types/krb5_pa_data.html | 186 - doc/html/appdev/refs/types/krb5_pa_pac_req.html | 168 - .../refs/types/krb5_pa_server_referral_data.html | 187 - .../refs/types/krb5_pa_svr_referral_data.html | 168 - doc/html/appdev/refs/types/krb5_pac.html | 159 - doc/html/appdev/refs/types/krb5_pointer.html | 158 - doc/html/appdev/refs/types/krb5_post_recv_fn.html | 161 - doc/html/appdev/refs/types/krb5_pre_send_fn.html | 163 - doc/html/appdev/refs/types/krb5_preauthtype.html | 158 - doc/html/appdev/refs/types/krb5_principal.html | 188 - .../appdev/refs/types/krb5_principal_data.html | 188 - doc/html/appdev/refs/types/krb5_prompt.html | 182 - doc/html/appdev/refs/types/krb5_prompt_type.html | 158 - doc/html/appdev/refs/types/krb5_prompter_fct.html | 159 - doc/html/appdev/refs/types/krb5_pwd_data.html | 177 - doc/html/appdev/refs/types/krb5_rcache.html | 158 - doc/html/appdev/refs/types/krb5_replay_data.html | 182 - .../appdev/refs/types/krb5_responder_context.html | 160 - doc/html/appdev/refs/types/krb5_responder_fn.html | 160 - .../refs/types/krb5_responder_otp_challenge.html | 172 - .../refs/types/krb5_responder_otp_tokeninfo.html | 197 - .../types/krb5_responder_pkinit_challenge.html | 167 - .../refs/types/krb5_responder_pkinit_identity.html | 172 - doc/html/appdev/refs/types/krb5_response.html | 187 - doc/html/appdev/refs/types/krb5_ticket.html | 187 - doc/html/appdev/refs/types/krb5_ticket_times.html | 187 - doc/html/appdev/refs/types/krb5_timestamp.html | 158 - doc/html/appdev/refs/types/krb5_tkt_authent.html | 183 - .../appdev/refs/types/krb5_tkt_creds_context.html | 158 - .../appdev/refs/types/krb5_trace_callback.html | 158 - doc/html/appdev/refs/types/krb5_trace_info.html | 169 - doc/html/appdev/refs/types/krb5_transited.html | 180 - doc/html/appdev/refs/types/krb5_typed_data.html | 182 - doc/html/appdev/refs/types/krb5_ui_2.html | 158 - doc/html/appdev/refs/types/krb5_ui_4.html | 158 - .../refs/types/krb5_verify_init_creds_opt.html | 173 - .../appdev/refs/types/passwd_phrase_element.html | 177 - doc/html/basic/ccache_def.html | 286 - doc/html/basic/date_format.html | 341 - doc/html/basic/index.html | 149 - doc/html/basic/keytab_def.html | 194 - doc/html/basic/rcache_def.html | 230 - doc/html/basic/stash_file_def.html | 158 - doc/html/build/directory_org.html | 255 - doc/html/build/doing_build.html | 291 - doc/html/build/index.html | 197 - doc/html/build/options2configure.html | 491 - doc/html/build/osconf.html | 164 - doc/html/build_this.html | 211 - doc/html/copyright.html | 138 - doc/html/formats/ccache_file_format.html | 298 - doc/html/formats/cookie.html | 197 - doc/html/formats/index.html | 145 - doc/html/formats/keytab_file_format.html | 187 - doc/html/genindex-A.html | 207 - doc/html/genindex-C.html | 191 - doc/html/genindex-E.html | 227 - doc/html/genindex-K.html | 3971 ---- doc/html/genindex-L.html | 135 - doc/html/genindex-M.html | 139 - doc/html/genindex-P.html | 143 - doc/html/genindex-R.html | 240 - doc/html/genindex-S.html | 135 - doc/html/genindex-T.html | 191 - doc/html/genindex-V.html | 135 - doc/html/genindex-all.html | 4540 ---- doc/html/genindex.html | 139 - doc/html/index.html | 143 - doc/html/mitK5defaults.html | 359 - doc/html/mitK5features.html | 459 - doc/html/mitK5license.html | 1287 -- doc/html/objects.inv | Bin 24130 -> 0 bytes doc/html/plugindev/ccselect.html | 165 - doc/html/plugindev/clpreauth.html | 192 - doc/html/plugindev/general.html | 225 - doc/html/plugindev/gssapi.html | 236 - doc/html/plugindev/hostrealm.html | 175 - doc/html/plugindev/index.html | 182 - doc/html/plugindev/internal.html | 178 - doc/html/plugindev/kadm5_hook.html | 167 - doc/html/plugindev/kdcpreauth.html | 212 - doc/html/plugindev/localauth.html | 181 - doc/html/plugindev/locate.html | 170 - doc/html/plugindev/profile.html | 234 - doc/html/plugindev/pwqual.html | 166 - doc/html/resources.html | 189 - doc/html/search.html | 147 - doc/html/searchindex.js | 1 - doc/html/user/index.html | 173 - doc/html/user/pwd_mgmt.html | 239 - doc/html/user/tkt_mgmt.html | 459 - doc/html/user/user_commands/index.html | 164 - doc/html/user/user_commands/kdestroy.html | 223 - doc/html/user/user_commands/kinit.html | 354 - doc/html/user/user_commands/klist.html | 268 - doc/html/user/user_commands/kpasswd.html | 186 - doc/html/user/user_commands/krb5-config.html | 238 - doc/html/user/user_commands/ksu.html | 507 - doc/html/user/user_commands/kswitch.html | 204 - doc/html/user/user_commands/kvno.html | 229 - doc/html/user/user_commands/sclient.html | 171 - doc/html/user/user_config/index.html | 153 - doc/html/user/user_config/k5identity.html | 202 - doc/html/user/user_config/k5login.html | 193 - doc/iprop-notes.txt | 48 +- doc/mitK5defaults.rst | 16 +- doc/mitK5features.rst | 209 +- doc/notice.rst | 57 +- doc/pdf/GMakefile | 66 - doc/pdf/admin.pdf | Bin 743212 -> 0 bytes doc/pdf/admin.tex | 11632 ---------- doc/pdf/appdev.pdf | Bin 1445588 -> 0 bytes doc/pdf/appdev.tex | 23032 ------------------- doc/pdf/basic.pdf | Bin 138196 -> 0 bytes doc/pdf/basic.tex | 751 - doc/pdf/build.pdf | Bin 153691 -> 0 bytes doc/pdf/build.tex | 993 - doc/pdf/fncychap.sty | 683 - doc/pdf/plugindev.pdf | Bin 140170 -> 0 bytes doc/pdf/plugindev.tex | 801 - doc/pdf/python.ist | 11 - doc/pdf/sphinx.sty | 522 - doc/pdf/sphinxhowto.cls | 104 - doc/pdf/sphinxmanual.cls | 148 - doc/pdf/tabulary.sty | 449 - doc/pdf/user.pdf | Bin 200362 -> 0 bytes doc/pdf/user.tex | 1923 -- doc/plugindev/certauth.rst | 27 + doc/plugindev/general.rst | 24 +- doc/plugindev/index.rst | 3 + doc/plugindev/kadm5_auth.rst | 35 + doc/plugindev/kdcpolicy.rst | 24 + doc/resources.rst | 20 +- doc/user/user_commands/kdestroy.rst | 21 +- doc/user/user_commands/kinit.rst | 15 +- doc/user/user_commands/klist.rst | 13 +- doc/user/user_commands/kpasswd.rst | 9 +- doc/user/user_commands/krb5-config.rst | 2 +- doc/user/user_commands/ksu.rst | 13 + doc/user/user_commands/kswitch.rst | 14 +- doc/user/user_commands/kvno.rst | 14 +- doc/user/user_commands/sclient.rst | 8 +- doc/user/user_config/index.rst | 1 + doc/user/user_config/kerberos.rst | 170 + src/Makefile.in | 63 +- src/aclocal.m4 | 42 +- src/appl/gss-sample/Makefile.in | 4 +- src/appl/gss-sample/gss-misc.c | 2 +- src/appl/gss-sample/gss-server.c | 1 + src/appl/gss-sample/t_gss_sample.py | 24 +- src/appl/simple/client/sim_client.c | 2 +- src/appl/simple/server/sim_server.c | 3 +- src/appl/user_user/client.c | 60 +- src/appl/user_user/t_user2user.py | 7 +- src/ccapi/common/win/OldCC/ccutils.c | 6 - src/ccapi/common/win/OldCC/ccutils.h | 3 - src/ccapi/common/win/OldCC/opts.cxx | 39 - src/ccapi/common/win/OldCC/secure.hxx | 6 - src/ccapi/common/win/OldCC/util.h | 3 - src/ccapi/lib/win/Makefile.in | 2 +- src/ccapi/lib/win/OldCC/client.cxx | 39 - src/ccapi/lib/win/ccapi_os_ipc.cxx | 15 - src/ccapi/lib/win/ccs_reply_proc.c | 8 +- src/ccapi/lib/win/dllmain.cxx | 12 +- src/ccapi/server/mac/ccs_os_pipe.c | 4 +- src/ccapi/server/win/ccs_os_server.cpp | 23 +- src/ccapi/server/win/ccs_request_proc.c | 12 +- src/ccapi/server/win/ccs_win_pipe.c | 4 +- src/ccapi/test/Makefile.in | 2 +- src/ccapi/test/pingtest.c | 6 - src/clients/kcpytkt/kcpytkt.c | 48 +- src/clients/kdeltkt/kdeltkt.c | 37 +- src/clients/kdestroy/kdestroy.c | 125 +- src/clients/kinit/kinit.c | 491 +- src/clients/kinit/kinit_kdb.c | 34 +- src/clients/klist/Makefile.in | 2 +- src/clients/klist/klist.c | 464 +- src/clients/kpasswd/Makefile.in | 12 +- src/clients/kpasswd/deps | 4 - src/clients/kpasswd/kpasswd.c | 110 +- src/clients/kpasswd/ksetpwd.c | 309 - src/clients/ksu/authorization.c | 17 - src/clients/ksu/ccache.c | 22 +- src/clients/ksu/heuristic.c | 1 - src/clients/ksu/ksu.h | 2 +- src/clients/ksu/main.c | 17 +- src/clients/ksu/setenv.c | 16 +- src/clients/kswitch/kswitch.c | 3 - src/clients/kvno/kvno.c | 377 +- src/config-files/services.append | 2 +- src/config/ac-archive/README | 52 +- src/config/ac-archive/acx_pthread.m4 | 239 - src/config/ac-archive/ax_pthread.m4 | 485 + src/config/ac-archive/ax_recursive_eval.m4 | 56 + src/config/ac-archive/relpaths.m4 | 155 - src/config/config.guess | 670 +- src/config/config.sub | 2525 +- src/config/pkg.m4 | 275 + src/config/post.in | 2 +- src/config/pre.in | 25 +- src/config/win-post.in | 8 - src/config/win-pre.in | 60 +- src/configure | 14580 ------------ src/configure.in | 210 +- src/include/Makefile.in | 3 + src/include/adm_proto.h | 1 + src/include/autoconf.h.in | 770 - src/include/fake-addrinfo.h | 2 +- src/include/gssrpc/auth.h | 15 - src/include/gssrpc/clnt.h | 2 +- src/include/gssrpc/rename.h | 26 +- src/include/gssrpc/rpc.h | 25 - src/include/gssrpc/types.hin | 7 - src/include/iprop_hdr.h | 2 +- src/include/k5-buf.h | 14 +- src/include/k5-cmocka.h | 16 + src/include/k5-hashtab.h | 79 + src/include/k5-hex.h | 53 + src/include/k5-input.h | 6 +- src/include/k5-int-pkinit.h | 1 + src/include/k5-int.h | 113 +- src/include/k5-platform.h | 128 +- src/include/k5-spake.h | 107 + src/include/k5-thread.h | 16 + src/include/k5-trace.h | 62 +- src/include/k5-utf8.h | 61 +- src/include/kdb.h | 30 +- src/include/kdb_log.h | 5 +- src/include/krb5/certauth_plugin.h | 128 + src/include/krb5/clpreauth_plugin.h | 21 +- src/include/krb5/kadm5_auth_plugin.h | 306 + src/include/krb5/kdcpolicy_plugin.h | 128 + src/include/krb5/kdcpreauth_plugin.h | 38 +- src/include/krb5/krb5.hin | 167 +- src/include/net-server.h | 2 +- src/include/osconf.hin | 15 +- src/include/port-sockets.h | 48 +- src/include/socket-utils.h | 11 + src/include/win-mac.h | 2 - src/kadmin/cli/deps | 13 +- src/kadmin/cli/getdate.y | 18 +- src/kadmin/cli/kadmin.c | 13 +- src/kadmin/cli/strftime.c | 465 - src/kadmin/dbutil/deps | 16 +- src/kadmin/dbutil/dump.c | 95 +- src/kadmin/dbutil/kadm5_create.c | 14 +- src/kadmin/dbutil/kdb5_create.c | 11 +- src/kadmin/dbutil/kdb5_mkey.c | 15 +- src/kadmin/dbutil/kdb5_util.c | 47 +- src/kadmin/dbutil/strtok.c | 8 +- src/kadmin/dbutil/t_tdumputil.py | 6 +- src/kadmin/dbutil/tabdump.c | 21 +- src/kadmin/ktutil/deps | 13 +- src/kadmin/ktutil/ktutil.c | 23 +- src/kadmin/ktutil/ktutil.h | 4 +- src/kadmin/ktutil/ktutil_funcs.c | 192 +- src/kadmin/server/Makefile.in | 8 +- src/kadmin/server/auth.c | 314 + src/kadmin/server/auth.h | 85 + src/kadmin/server/auth_acl.c | 755 + src/kadmin/server/auth_self.c | 77 + src/kadmin/server/deps | 112 +- src/kadmin/server/ipropd_svc.c | 79 +- src/kadmin/server/kadm_rpc_svc.c | 2 +- src/kadmin/server/misc.c | 129 +- src/kadmin/server/misc.h | 17 - src/kadmin/server/ovsec_kadmd.c | 38 +- src/kadmin/server/schpw.c | 54 +- src/kadmin/server/server_stubs.c | 340 +- src/kadmin/testing/util/tcl_kadm5.c | 12 +- src/kdc/Makefile.in | 1 + src/kdc/deps | 42 +- src/kdc/dispatch.c | 61 +- src/kdc/do_as_req.c | 88 +- src/kdc/do_tgs_req.c | 118 +- src/kdc/extern.c | 5 +- src/kdc/extern.h | 1 - src/kdc/fast_util.c | 32 +- src/kdc/kdc_audit.c | 21 +- src/kdc/kdc_log.c | 35 +- src/kdc/kdc_preauth.c | 759 +- src/kdc/kdc_preauth_ec.c | 41 +- src/kdc/kdc_preauth_encts.c | 9 +- src/kdc/kdc_util.c | 280 +- src/kdc/kdc_util.h | 38 +- src/kdc/main.c | 50 +- src/kdc/policy.c | 267 +- src/kdc/policy.h | 19 +- src/kdc/replay.c | 127 +- src/kdc/t_bigreply.py | 18 + src/kdc/t_emptytgt.py | 6 +- src/kdc/t_replay.c | 422 +- src/kdc/t_workers.py | 1 - src/kdc/tgs_policy.c | 18 +- src/kprop/Makefile.in | 35 + src/kprop/deps | 74 + src/kprop/kprop.c | 597 + src/kprop/kprop.h | 43 + src/kprop/kprop_util.c | 98 + src/kprop/kpropd.c | 1609 ++ src/{slave => kprop}/kpropd_rpc.c | 0 src/kprop/kproplog.c | 572 + src/kprop/replica_update | 30 + src/lib/Makefile.in | 16 +- src/lib/apputils/net-server.c | 283 +- src/lib/apputils/udppktinfo.c | 14 +- src/lib/apputils/udppktinfo.h | 2 +- src/lib/crypto/builtin/des/des_int.h | 2 +- src/lib/crypto/builtin/des/destest.c | 15 +- src/lib/crypto/builtin/des/doc/libdes.doc | 4 +- src/lib/crypto/builtin/des/f_cksum.c | 2 +- src/lib/crypto/builtin/des/f_sched.c | 12 +- src/lib/crypto/builtin/des/f_tables.h | 10 +- src/lib/crypto/builtin/des/t_verify.c | 24 - src/lib/crypto/builtin/enc_provider/rc4.c | 2 +- src/lib/crypto/builtin/md4/md4.c | 2 +- src/lib/crypto/builtin/md5/md5.c | 2 +- src/lib/crypto/builtin/pbkdf2.c | 38 +- src/lib/crypto/builtin/sha1/t_shs.c | 15 - src/lib/crypto/builtin/sha2/sha256.c | 10 +- src/lib/crypto/builtin/sha2/sha512.c | 4 +- src/lib/crypto/crypto_tests/deps | 39 +- src/lib/crypto/crypto_tests/t_cksum.c | 35 +- src/lib/crypto/crypto_tests/t_cksums.c | 4 - src/lib/crypto/crypto_tests/t_crc.c | 73 +- src/lib/crypto/crypto_tests/t_cts.c | 27 - src/lib/crypto/crypto_tests/t_decrypt.c | 4 - src/lib/crypto/crypto_tests/t_derive.c | 4 - src/lib/crypto/crypto_tests/t_hmac.c | 45 +- src/lib/crypto/crypto_tests/t_sha2.c | 2 +- src/lib/crypto/crypto_tests/t_str2key.c | 4 - src/lib/crypto/crypto_tests/vectors.c | 5 - src/lib/crypto/krb/Makefile.in | 2 +- src/lib/crypto/krb/crc32.c | 6 +- src/lib/crypto/krb/crypto_int.h | 1 + src/lib/crypto/krb/enctype_util.c | 16 + src/lib/crypto/krb/etypes.c | 33 +- src/lib/crypto/krb/keyblocks.c | 2 +- src/lib/crypto/krb/nfold.c | 10 - src/lib/crypto/krb/s2k_des.c | 4 +- src/lib/crypto/krb/s2k_pbkdf2.c | 4 +- src/lib/crypto/krb/s2k_rc4.c | 4 +- src/lib/crypto/krb/string_to_key.c | 7 +- src/lib/crypto/krb/t_fortuna.c | 2 +- src/lib/crypto/libk5crypto.exports | 1 + src/lib/crypto/openssl/sha256.c | 6 +- src/lib/gssapi/generic/gssapi.hin | 4 +- src/lib/gssapi/generic/gssapi_ext.h | 42 +- src/lib/gssapi/generic/gssapi_generic.c | 9 + src/lib/gssapi/generic/util_set.c | 15 - src/lib/gssapi/krb5/accept_sec_context.c | 19 +- src/lib/gssapi/krb5/acquire_cred.c | 13 +- src/lib/gssapi/krb5/context_time.c | 2 +- src/lib/gssapi/krb5/copy_ccache.c | 10 +- src/lib/gssapi/krb5/export_cred.c | 5 +- src/lib/gssapi/krb5/gssapiP_krb5.h | 12 + src/lib/gssapi/krb5/gssapi_krb5.c | 51 +- src/lib/gssapi/krb5/gssapi_krb5.h | 19 + src/lib/gssapi/krb5/iakerb.c | 4 +- src/lib/gssapi/krb5/import_name.c | 8 +- src/lib/gssapi/krb5/init_sec_context.c | 9 +- src/lib/gssapi/krb5/inq_context.c | 29 +- src/lib/gssapi/krb5/inq_cred.c | 53 +- src/lib/gssapi/krb5/k5sealv3.c | 10 +- src/lib/gssapi/krb5/k5unseal.c | 2 +- src/lib/gssapi/krb5/naming_exts.c | 31 +- src/lib/gssapi/krb5/s4u_gss_glue.c | 2 +- src/lib/gssapi/libgssapi_krb5.exports | 3 + src/lib/gssapi/mechglue/g_acquire_cred.c | 232 +- src/lib/gssapi/mechglue/g_dup_name.c | 2 +- src/lib/gssapi/mechglue/g_export_cred.c | 2 +- src/lib/gssapi/mechglue/g_glue.c | 20 +- src/lib/gssapi/mechglue/g_initialize.c | 25 - src/lib/gssapi/mechglue/g_inq_cred.c | 7 +- src/lib/gssapi/mechglue/mglueP.h | 5 - src/lib/gssapi32.def | 5 + src/lib/kadm5/alt_prof.c | 17 +- src/lib/kadm5/chpass_util.c | 12 +- src/lib/kadm5/clnt/client_init.c | 48 +- src/lib/kadm5/clnt/libkadm5clnt_mit.exports | 1 + src/lib/kadm5/deps | 14 +- src/lib/kadm5/kadm_err.et | 1 + src/lib/kadm5/logger.c | 212 +- src/lib/kadm5/srv/Makefile.in | 20 +- src/lib/kadm5/srv/deps | 21 - src/lib/kadm5/srv/libkadm5srv_mit.exports | 6 +- src/lib/kadm5/srv/server_acl.c | 823 - src/lib/kadm5/srv/server_acl.h | 100 - src/lib/kadm5/srv/server_init.c | 11 - src/lib/kadm5/srv/server_kdb.c | 2 +- src/lib/kadm5/srv/server_misc.c | 14 + src/lib/kadm5/srv/svr_principal.c | 95 +- src/lib/kadm5/unit-test/setkey-test.c | 12 +- src/lib/kdb/Makefile.in | 2 +- src/lib/kdb/deps | 3 +- src/lib/kdb/iprop.x | 4 +- src/lib/kdb/iprop_xdr.c | 40 +- src/lib/kdb/kdb5.c | 18 +- src/lib/kdb/kdb_convert.c | 16 +- src/lib/kdb/kdb_default.c | 2 +- src/lib/kdb/kdb_log.c | 163 +- src/lib/kdb/t_sort_key_data.c | 5 +- src/lib/kdb/t_stringattr.py | 1 - src/lib/krad/t_daemon.py | 4 +- src/lib/krb5/asn.1/Makefile.in | 3 - src/lib/krb5/asn.1/README.asn1 | 10 +- src/lib/krb5/asn.1/asn1_encode.c | 549 +- src/lib/krb5/asn.1/asn1_encode.h | 74 +- src/lib/krb5/asn.1/asn1_k_encode.c | 184 +- src/lib/krb5/asn.1/asn1buf.c | 209 - src/lib/krb5/asn.1/asn1buf.h | 147 - src/lib/krb5/asn.1/deps | 26 +- src/lib/krb5/asn.1/krbasn1.h | 1 - src/lib/krb5/asn.1/ldap_key_seq.c | 13 +- src/lib/krb5/ccache/Makefile.in | 3 + src/lib/krb5/ccache/cc-int.h | 4 + src/lib/krb5/ccache/cc_file.c | 4 +- src/lib/krb5/ccache/cc_kcm.c | 73 +- src/lib/krb5/ccache/cc_keyring.c | 16 +- src/lib/krb5/ccache/cc_memory.c | 254 +- src/lib/krb5/ccache/cc_mslsa.c | 44 +- src/lib/krb5/ccache/cc_retr.c | 113 +- src/lib/krb5/ccache/ccapi/stdcc.c | 58 - src/lib/krb5/ccache/ccapi/stdcc_util.c | 52 +- src/lib/krb5/ccache/ccapi/winccld.h | 36 - src/lib/krb5/ccache/cccursor.c | 49 +- src/lib/krb5/ccache/ccmarshal.c | 2 +- src/lib/krb5/ccache/ccselect.c | 52 +- src/lib/krb5/ccache/ccselect_hostname.c | 146 + src/lib/krb5/ccache/deps | 39 +- src/lib/krb5/ccache/t_cc.c | 51 + src/lib/krb5/ccache/t_cccol.py | 14 +- src/lib/krb5/keytab/kt_file.c | 10 +- src/lib/krb5/keytab/kt_memory.c | 2 +- src/lib/krb5/keytab/kt_srvtab.c | 2 +- src/lib/krb5/keytab/t_keytab.c | 13 - src/lib/krb5/krb/Makefile.in | 26 +- src/lib/krb5/krb/addr_order.c | 2 +- src/lib/krb5/krb/appdefault.c | 2 + src/lib/krb5/krb/authdata.c | 4 +- src/lib/krb5/krb/authdata.h | 3 +- src/lib/krb5/krb/conv_princ.c | 11 +- src/lib/krb5/krb/copy_addrs.c | 2 +- src/lib/krb5/krb/copy_auth.c | 2 +- src/lib/krb5/krb/copy_princ.c | 2 +- src/lib/krb5/krb/decrypt_tk.c | 3 +- src/lib/krb5/krb/deltat.c | 85 +- src/lib/krb5/krb/deps | 77 +- src/lib/krb5/krb/encrypt_tk.c | 5 +- src/lib/krb5/krb/fwd_tgt.c | 28 +- src/lib/krb5/krb/gc_via_tkt.c | 32 +- src/lib/krb5/krb/gen_save_subkey.c | 3 +- src/lib/krb5/krb/get_creds.c | 15 +- src/lib/krb5/krb/get_etype_info.c | 180 + src/lib/krb5/krb/get_in_tkt.c | 324 +- src/lib/krb5/krb/gic_keytab.c | 2 +- src/lib/krb5/krb/gic_opt.c | 2 +- src/lib/krb5/krb/gic_pwd.c | 6 +- src/lib/krb5/krb/init_creds_ctx.h | 13 +- src/lib/krb5/krb/init_ctx.c | 19 +- src/lib/krb5/krb/int-proto.h | 25 +- src/lib/krb5/krb/kfree.c | 82 +- src/lib/krb5/krb/mk_req.c | 5 +- src/lib/krb5/krb/pac.c | 43 +- src/lib/krb5/krb/pac_sign.c | 53 +- src/lib/krb5/krb/plugin.c | 13 +- src/lib/krb5/krb/pr_to_salt.c | 11 +- src/lib/krb5/krb/preauth2.c | 332 +- src/lib/krb5/krb/preauth_ec.c | 1 + src/lib/krb5/krb/preauth_encts.c | 16 +- src/lib/krb5/krb/preauth_otp.c | 4 + src/lib/krb5/krb/preauth_sam2.c | 1 + src/lib/krb5/krb/rd_req_dec.c | 31 +- src/lib/krb5/krb/s4u_creds.c | 29 +- src/lib/krb5/krb/send_tgs.c | 24 +- src/lib/krb5/krb/sendauth.c | 23 +- src/lib/krb5/krb/str_conv.c | 45 +- src/lib/krb5/krb/strftime.c | 416 - src/lib/krb5/krb/t_expire_warn.py | 15 +- src/lib/krb5/krb/t_get_etype_info.c | 110 + src/lib/krb5/krb/t_get_etype_info.py | 63 + src/lib/krb5/krb/t_in_ccache_patypes.py | 2 - src/lib/krb5/krb/t_kerb.c | 12 +- src/lib/krb5/krb/t_pac.c | 639 +- src/lib/krb5/krb/t_parse_host_string.c | 5 +- src/lib/krb5/krb/t_ser.c | 75 +- src/lib/krb5/krb/t_valid_times.c | 111 + src/lib/krb5/krb/t_vfy_increds.py | 11 +- src/lib/krb5/krb/unparse.c | 10 +- src/lib/krb5/krb/valid_times.c | 4 +- src/lib/krb5/krb/vfy_increds.c | 2 +- src/lib/krb5/krb/walk_rtree.c | 8 +- src/lib/krb5/krb/x-deltat.y | 1 - src/lib/krb5/libkrb5.exports | 9 + src/lib/krb5/os/Makefile.in | 4 +- src/lib/krb5/os/accessor.c | 15 +- src/lib/krb5/os/c_ustime.c | 15 +- src/lib/krb5/os/changepw.c | 104 +- src/lib/krb5/os/deps | 5 +- src/lib/krb5/os/dnsglue.c | 123 +- src/lib/krb5/os/dnsglue.h | 35 +- src/lib/krb5/os/dnssrv.c | 131 +- src/lib/krb5/os/expand_path.c | 2 +- src/lib/krb5/os/full_ipadr.c | 4 +- src/lib/krb5/os/genaddrs.c | 8 +- src/lib/krb5/os/hostaddr.c | 14 +- src/lib/krb5/os/hostrealm.c | 66 +- src/lib/krb5/os/hostrealm_dns.c | 6 +- src/lib/krb5/os/hostrealm_domain.c | 2 +- src/lib/krb5/os/localaddr.c | 46 +- src/lib/krb5/os/localauth_rule.c | 4 +- src/lib/krb5/os/locate_kdc.c | 54 +- src/lib/krb5/os/mk_faddr.c | 2 +- src/lib/krb5/os/net_read.c | 2 +- src/lib/krb5/os/net_write.c | 2 +- src/lib/krb5/os/os-proto.h | 22 +- src/lib/krb5/os/port2ip.c | 2 +- src/lib/krb5/os/read_pwd.c | 49 +- src/lib/krb5/os/sendto_kdc.c | 11 +- src/lib/krb5/os/t_discover_uri.py | 1 - src/lib/krb5/os/t_locate_kdc.c | 2 +- src/lib/krb5/os/t_trace.ref | 2 +- src/lib/krb5/os/timeofday.c | 4 +- src/lib/krb5/os/toffset.c | 5 +- src/lib/krb5/os/trace.c | 69 +- src/lib/krb5/os/ustime.c | 9 +- src/lib/krb5/rcache/rc_conv.c | 2 +- src/lib/krb5/rcache/rc_dfl.c | 15 +- src/lib/krb5/rcache/rc_io.c | 4 - src/lib/krb5/rcache/ser_rc.c | 2 +- src/lib/krb5/rcache/t_replay.c | 8 +- src/lib/krb5/unicode/ure/ure.c | 2 +- src/lib/krb5_32.def | 17 + src/lib/rpc/auth_gssapi.c | 8 - src/lib/rpc/auth_none.c | 6 +- src/lib/rpc/auth_unix.c | 34 +- src/lib/rpc/authunix_prot.c | 2 +- src/lib/rpc/clnt_raw.c | 8 +- src/lib/rpc/clnt_simple.c | 2 +- src/lib/rpc/clnt_tcp.c | 30 +- src/lib/rpc/clnt_udp.c | 30 +- src/lib/rpc/deps | 3 +- src/lib/rpc/getrpcent.c | 18 +- src/lib/rpc/pmap_clnt.c | 4 +- src/lib/rpc/pmap_getmaps.c | 2 +- src/lib/rpc/pmap_getport.c | 2 +- src/lib/rpc/pmap_prot2.c | 6 +- src/lib/rpc/pmap_rmt.c | 24 +- src/lib/rpc/rpc_callmsg.c | 6 +- src/lib/rpc/svc.c | 28 +- src/lib/rpc/svc_auth.c | 11 +- src/lib/rpc/svc_auth_gssapi.c | 8 +- src/lib/rpc/svc_auth_unix.c | 10 +- src/lib/rpc/svc_raw.c | 16 +- src/lib/rpc/svc_tcp.c | 50 +- src/lib/rpc/svc_udp.c | 43 +- src/lib/rpc/unit-test/rpc_test_svc.c | 2 +- src/lib/rpc/unit-test/server.c | 2 +- src/lib/rpc/xdr.c | 16 +- src/lib/rpc/xdr_alloc.c | 16 +- src/lib/rpc/xdr_array.c | 26 +- src/lib/rpc/xdr_float.c | 4 +- src/lib/rpc/xdr_mem.c | 4 +- src/lib/rpc/xdr_rec.c | 51 +- src/lib/rpc/xdr_reference.c | 4 +- src/lib/win_glue.c | 9 - src/man/Makefile.in | 14 +- src/man/README | 5 +- src/man/k5identity.man | 16 +- src/man/k5login.man | 6 +- src/man/k5srvutil.man | 20 +- src/man/kadm5.acl.man | 27 +- src/man/kadmin.man | 226 +- src/man/kadmind.man | 78 +- src/man/kdb5_ldap_util.man | 96 +- src/man/kdb5_util.man | 201 +- src/man/kdc.conf.man | 348 +- src/man/kdestroy.man | 33 +- src/man/kerberos.man | 202 + src/man/kinit.man | 80 +- src/man/klist.man | 47 +- src/man/kpasswd.man | 10 +- src/man/kprop.man | 38 +- src/man/kpropd.man | 79 +- src/man/kproplog.man | 41 +- src/man/krb5-config.man | 28 +- src/man/krb5.conf.man | 335 +- src/man/krb5kdc.man | 45 +- src/man/ksu.man | 49 +- src/man/kswitch.man | 24 +- src/man/ktutil.man | 19 +- src/man/kvno.man | 35 +- src/man/sclient.man | 12 +- src/man/sserver.man | 20 +- src/patchlevel.h | 8 +- src/plugins/audit/kdc_j_encode.c | 29 +- src/plugins/authdata/greet_server/greet_auth.c | 3 +- src/plugins/certauth/test/Makefile.in | 20 + src/plugins/certauth/test/certauth_test.exports | 2 + src/plugins/certauth/test/deps | 14 + src/plugins/certauth/test/main.c | 211 + src/plugins/kadm5_auth/test/Makefile.in | 20 + src/plugins/kadm5_auth/test/deps | 22 + .../kadm5_auth/test/kadm5_auth_test.exports | 2 + src/plugins/kadm5_auth/test/main.c | 305 + src/plugins/kdb/db2/db2_exp.c | 5 +- src/plugins/kdb/db2/kdb_db2.c | 23 +- src/plugins/kdb/db2/kdb_db2.h | 5 +- src/plugins/kdb/db2/libdb2/btree/bt_utils.c | 8 +- src/plugins/kdb/db2/libdb2/hash/hash.c | 19 +- src/plugins/kdb/db2/libdb2/recno/rec_search.c | 4 +- src/plugins/kdb/db2/libdb2/test/btree.tests/main.c | 2 +- src/plugins/kdb/db2/libdb2/test/dbtest.c | 4 +- src/plugins/kdb/db2/lockout.c | 12 +- src/plugins/kdb/ldap/deps | 41 +- src/plugins/kdb/ldap/ldap_util/deps | 23 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.c | 32 +- .../kdb/ldap/ldap_util/kdb5_ldap_services.h | 2 - src/plugins/kdb/ldap/libkdb_ldap/deps | 57 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c | 6 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h | 18 +- src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c | 1 - .../kdb/ldap/libkdb_ldap/kerberos.openldap.ldif | 68 + src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c | 68 - src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c | 98 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c | 216 +- src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c | 3 - .../kdb/ldap/libkdb_ldap/ldap_service_stash.c | 65 +- .../kdb/ldap/libkdb_ldap/ldap_service_stash.h | 3 - src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c | 2 +- .../kdb/ldap/libkdb_ldap/libkdb_ldap.exports | 1 - src/plugins/kdb/ldap/libkdb_ldap/lockout.c | 13 +- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c | 189 +- src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h | 51 +- src/plugins/kdb/lmdb/Makefile.in | 27 + src/plugins/kdb/lmdb/deps | 53 + src/plugins/kdb/lmdb/kdb_lmdb.c | 1143 + src/plugins/kdb/lmdb/klmdb-int.h | 78 + src/plugins/kdb/lmdb/klmdb.exports | 1 + src/plugins/kdb/lmdb/lockout.c | 180 + src/plugins/kdb/lmdb/marshal.c | 339 + src/plugins/kdb/test/kdb_test.c | 40 +- src/plugins/kdcpolicy/test/Makefile.in | 20 + src/plugins/kdcpolicy/test/deps | 14 + src/plugins/kdcpolicy/test/kdcpolicy_test.exports | 1 + src/plugins/kdcpolicy/test/main.c | 111 + src/plugins/preauth/otp/main.c | 3 +- src/plugins/preauth/otp/otp_state.c | 16 +- src/plugins/preauth/pkinit/Makefile.in | 8 +- src/plugins/preauth/pkinit/deps | 20 +- src/plugins/preauth/pkinit/pkinit.h | 15 +- src/plugins/preauth/pkinit/pkinit_clnt.c | 47 +- src/plugins/preauth/pkinit/pkinit_crypto.h | 122 +- src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 5800 ----- src/plugins/preauth/pkinit/pkinit_crypto_openssl.c | 1014 +- src/plugins/preauth/pkinit/pkinit_crypto_openssl.h | 23 +- src/plugins/preauth/pkinit/pkinit_identity.c | 56 +- src/plugins/preauth/pkinit/pkinit_lib.c | 3 + src/plugins/preauth/pkinit/pkinit_matching.c | 198 +- src/plugins/preauth/pkinit/pkinit_srv.c | 530 +- src/plugins/preauth/pkinit/pkinit_trace.h | 89 +- src/plugins/preauth/securid_sam2/grail.c | 3 +- src/plugins/preauth/securid_sam2/securid2.c | 3 +- src/plugins/preauth/spake/AUTHORS | 16 + src/plugins/preauth/spake/Makefile.in | 60 + src/plugins/preauth/spake/deps | 73 + src/plugins/preauth/spake/edwards25519.c | 2644 +++ src/plugins/preauth/spake/edwards25519_tables.h | 7881 +++++++ src/plugins/preauth/spake/groups.c | 442 + src/plugins/preauth/spake/groups.h | 148 + src/plugins/preauth/spake/iana.c | 108 + src/plugins/preauth/spake/iana.h | 65 + src/plugins/preauth/spake/openssl.c | 316 + src/plugins/preauth/spake/spake.def | 3 + src/plugins/preauth/spake/spake.exports | 2 + src/plugins/preauth/spake/spake_client.c | 388 + src/plugins/preauth/spake/spake_kdc.c | 591 + src/plugins/preauth/spake/t_krb5.conf | 2 + src/plugins/preauth/spake/t_vectors.c | 476 + src/plugins/preauth/spake/trace.h | 74 + src/plugins/preauth/spake/util.c | 212 + src/plugins/preauth/spake/util.h | 56 + src/plugins/preauth/test/Makefile.in | 4 +- src/plugins/preauth/test/cltest.c | 97 +- src/plugins/preauth/test/common.c | 61 + src/plugins/preauth/test/common.h | 41 + src/plugins/preauth/test/deps | 14 +- src/plugins/preauth/test/kdctest.c | 96 +- src/po/Makefile.in | 2 +- src/po/de.po | 9301 ++++++++ src/po/mit-krb5.pot | 4688 ++-- src/prototype/prototype.c | 2 +- src/prototype/prototype.h | 2 +- src/slave/Makefile.in | 35 - src/slave/deps | 73 - src/slave/kprop.c | 619 - src/slave/kprop.h | 43 - src/slave/kprop_util.c | 98 - src/slave/kpropd.c | 1614 -- src/slave/kproplog.c | 567 - src/slave/kslave_update | 30 - src/tests/Makefile.in | 29 +- src/tests/asn.1/Makefile.in | 4 +- src/tests/asn.1/deps | 70 +- src/tests/asn.1/krb5_decode_leak.c | 12 - src/tests/asn.1/krb5_decode_test.c | 37 + src/tests/asn.1/krb5_encode_test.c | 29 + src/tests/asn.1/ktest.c | 101 + src/tests/asn.1/ktest.h | 9 + src/tests/asn.1/ktest_equal.c | 49 + src/tests/asn.1/ktest_equal.h | 6 + src/tests/asn.1/make-vectors.c | 56 + src/tests/asn.1/pkinit_encode.out | 2 +- src/tests/asn.1/pkinit_trval.out | 1 + src/tests/asn.1/reference_encode.out | 6 + src/tests/asn.1/spake.asn1 | 44 + src/tests/asn.1/trval_reference.out | 50 + src/tests/asn.1/utility.c | 29 +- src/tests/asn.1/utility.h | 6 +- src/tests/create/kdb5_mkdums.c | 2 +- src/tests/dejagnu/config/default.exp | 116 +- src/tests/dejagnu/krb-standalone/kprop.exp | 33 +- src/tests/dejagnu/pkinit-certs/ca.pem | 54 +- src/tests/dejagnu/pkinit-certs/generic.p12 | Bin 0 -> 2477 bytes src/tests/dejagnu/pkinit-certs/generic.pem | 21 + src/tests/dejagnu/pkinit-certs/kdc.pem | 50 +- src/tests/dejagnu/pkinit-certs/make-certs.sh | 71 +- src/tests/dejagnu/pkinit-certs/privkey-enc.pem | 52 +- src/tests/dejagnu/pkinit-certs/privkey.pem | 50 +- src/tests/dejagnu/pkinit-certs/user-enc.p12 | Bin 3029 -> 2837 bytes src/tests/dejagnu/pkinit-certs/user-upn.p12 | Bin 0 -> 2829 bytes src/tests/dejagnu/pkinit-certs/user-upn.pem | 28 + src/tests/dejagnu/pkinit-certs/user-upn2.p12 | Bin 0 -> 2813 bytes src/tests/dejagnu/pkinit-certs/user-upn2.pem | 28 + src/tests/dejagnu/pkinit-certs/user-upn3.p12 | Bin 0 -> 2829 bytes src/tests/dejagnu/pkinit-certs/user-upn3.pem | 28 + src/tests/dejagnu/pkinit-certs/user.p12 | Bin 3104 -> 2837 bytes src/tests/dejagnu/pkinit-certs/user.pem | 56 +- src/tests/dejagnu/proxy-certs/make-certs.sh | 2 +- src/tests/deps | 16 +- src/tests/gssapi/Makefile.in | 58 +- src/tests/gssapi/common.c | 4 +- src/tests/gssapi/deps | 25 +- src/tests/gssapi/t_add_cred.c | 137 + src/tests/gssapi/t_authind.py | 21 +- src/tests/gssapi/t_ccselect.py | 82 +- src/tests/gssapi/t_client_keytab.py | 61 +- src/tests/gssapi/t_enctypes.c | 14 + src/tests/gssapi/t_enctypes.py | 5 +- src/tests/gssapi/t_export_cred.py | 5 +- src/tests/gssapi/t_gssapi.py | 137 +- src/tests/gssapi/t_imp_name.c | 44 +- src/tests/gssapi/t_invalid.c | 57 +- src/tests/gssapi/t_lifetime.c | 140 + src/tests/gssapi/t_oid.c | 3 + src/tests/gssapi/t_prf.c | 13 +- src/tests/gssapi/t_s4u.c | 20 + src/tests/gssapi/t_s4u.py | 101 +- src/tests/hammer/kdc5_hammer.c | 54 +- src/tests/icinterleave.c | 128 + src/tests/icred.c | 67 +- src/tests/jsonwalker.py | 28 +- src/tests/kdbtest.c | 5 +- src/tests/responder.c | 2 +- src/tests/shlib/t_loader.c | 12 - src/tests/t_audit.py | 12 +- src/tests/t_authdata.py | 91 +- src/tests/t_bogus_kdc_req.py | 2 - src/tests/t_ccache.py | 86 +- src/tests/t_certauth.py | 46 + src/tests/t_changepw.py | 1 - src/tests/t_crossrealm.py | 68 +- src/tests/t_cve-2012-1014.py | 4 +- src/tests/t_cve-2012-1015.py | 4 +- src/tests/t_cve-2013-1416.py | 2 - src/tests/t_cve-2013-1417.py | 2 - src/tests/t_dump.py | 178 +- src/tests/t_errmsg.py | 1 - src/tests/t_etype_info.py | 3 +- src/tests/t_general.py | 45 +- src/tests/t_hooks.py | 1 - src/tests/t_hostrealm.py | 22 +- src/tests/t_iprop.py | 722 +- src/tests/t_kadm5_auth.py | 80 + src/tests/t_kadm5_hook.py | 11 +- src/tests/t_kadmin_acl.py | 288 +- src/tests/t_kadmin_parsing.py | 31 +- src/tests/t_kdb.py | 265 +- src/tests/t_kdb_locking.py | 9 +- src/tests/t_kdc_log.py | 2 - src/tests/t_kdcpolicy.py | 61 + src/tests/t_keydata.py | 17 +- src/tests/t_keyrollover.py | 17 +- src/tests/t_keytab.py | 138 +- src/tests/t_kprop.py | 54 +- src/tests/t_localauth.py | 18 +- src/tests/t_mkey.py | 68 +- src/tests/t_otp.py | 52 +- src/tests/t_pkinit.py | 241 +- src/tests/t_policy.py | 148 +- src/tests/t_preauth.py | 264 +- src/tests/t_princflags.py | 1 - src/tests/t_proxy.py | 19 +- src/tests/t_pwqual.py | 30 +- src/tests/t_rdreq.py | 14 +- src/tests/t_referral.py | 37 +- src/tests/t_renew.py | 88 +- src/tests/t_renprinc.py | 2 - src/tests/t_salt.py | 13 +- src/tests/t_sesskeynego.py | 1 - src/tests/t_skew.py | 27 +- src/tests/t_sn2princ.py | 6 +- src/tests/t_spake.py | 149 + src/tests/t_stringattr.py | 6 +- src/tests/t_tabdump.py | 5 +- src/tests/t_u2u.py | 35 + src/tests/t_unlockiter.py | 5 +- src/tests/t_y2038.py | 79 + src/tests/threads/t_rcache.c | 6 - src/util/Makefile.in | 3 +- src/util/def-check.pl | 10 +- src/util/depfix.pl | 2 +- src/util/k5test.py | 164 +- src/util/paste-kdcproxy.py | 1 - src/util/princflags.py | 25 +- src/util/profile/prof_file.c | 52 +- src/util/profile/prof_int.h | 5 +- src/util/profile/prof_parse.c | 56 +- src/util/profile/prof_test1 | 23 + src/util/profile/prof_tree.c | 15 +- src/util/profile/profile_tcl.c | 27 +- src/util/profile/test.ini | 6 + src/util/ss/cmd_tbl.lex.l | 2 +- src/util/ss/data.c | 3 - src/util/ss/deps | 2 +- src/util/ss/error.c | 4 +- src/util/ss/execute_cmd.c | 18 +- src/util/ss/help.c | 12 +- src/util/ss/invocation.c | 8 +- src/util/ss/list_rqs.c | 10 +- src/util/ss/listen.c | 11 +- src/util/ss/options.c | 4 +- src/util/ss/pager.c | 2 +- src/util/ss/parse.c | 8 +- src/util/ss/request_tbl.c | 8 +- src/util/ss/requests.c | 2 +- src/util/ss/utils.c | 12 +- src/util/support/Makefile.in | 40 +- src/util/support/cache-addrinfo.h | 12 +- src/util/support/deps | 23 +- src/util/support/dir_filenames.c | 135 + src/util/support/fake-addrinfo.c | 22 +- src/util/support/getopt.c | 2 + src/util/support/gmt_mktime.c | 17 +- src/util/support/hashtab.c | 243 + src/util/support/hex.c | 116 + src/util/support/k5buf.c | 67 +- src/util/support/libkrb5support-fixed.exports | 16 +- src/util/support/mkstemp.c | 4 +- src/util/support/strerror_r.c | 1 + src/util/support/t_hashtab.c | 176 + src/util/support/t_hex.c | 169 + src/util/support/t_path.c | 15 +- src/util/support/t_utf16.c | 117 + src/util/support/threads.c | 6 - src/util/support/utf8.c | 24 +- src/util/support/utf8_conv.c | 477 +- src/util/support/zap.c | 4 +- src/util/testrealm.py | 2 +- src/util/verto/README | 2 +- src/util/verto/libverto.exports | 1 + src/util/verto/verto-k5ev.c | 24 +- src/util/verto/verto-libev.c | 5 + src/util/verto/verto.c | 131 +- src/util/verto/verto.h | 20 +- src/util/windows/Makefile.in | 2 +- src/util/wshelper/Makefile.in | 64 - src/util/wshelper/dllmain.c | 264 - src/util/wshelper/gethna.c | 477 - src/util/wshelper/hesiod.c | 359 - src/util/wshelper/hesmailh.c | 87 - src/util/wshelper/hespwnam.c | 196 - src/util/wshelper/hesservb.c | 137 - src/util/wshelper/inetaton.c | 153 - src/util/wshelper/pwd.h | 15 - src/util/wshelper/res_comp.c | 361 - src/util/wshelper/res_init.c | 814 - src/util/wshelper/res_quer.c | 561 - src/util/wshelper/resource.h | 29 - src/util/wshelper/resource.rc | 64 - src/util/wshelper/string.rc | 29 - src/util/wshelper/ver.rc.inc | 57 - src/util/wshelper/wsh-int.h | 5 - src/util/wshelper/wshelp32.def | 33 - src/util/wshelper/wshelp64.def | 33 - src/util/wshelper/wshelper.def | 42 - src/windows/Makefile.in | 2 +- src/windows/README | 159 +- src/windows/build/BKWconfig.xml | 172 - src/windows/build/Logger.pm | 87 - src/windows/build/bkw-automation.html | 367 - src/windows/build/bkw.pl | 700 - src/windows/build/bootstrap.xml | 19 - src/windows/build/commandandcontrol.pl | 170 - src/windows/build/copyfiles.pl | 137 - src/windows/build/copyfiles.xml | 156 - src/windows/build/corebinaryfiles.xml | 85 - src/windows/build/css/main-action(1).css | 54 - src/windows/build/css/main-action.css | 1032 - src/windows/build/makeZip.pl | 84 - src/windows/build/pruneFiles.pl | 36 - src/windows/build/repository1.pl | 90 - src/windows/build/sdkfiles.xml | 23 - src/windows/build/signFiles.pl | 27 - src/windows/build/site-local.sed | 2 - src/windows/build/tee.pl | 79 - src/windows/build/which.pl | 69 - src/windows/build/zipXML.pl | 21 - src/windows/cns/Makefile.in | 76 - src/windows/cns/clock00.ico | Bin 1086 -> 0 bytes src/windows/cns/clock05.ico | Bin 1086 -> 0 bytes src/windows/cns/clock10.ico | Bin 1086 -> 0 bytes src/windows/cns/clock15.ico | Bin 1086 -> 0 bytes src/windows/cns/clock20.ico | Bin 1086 -> 0 bytes src/windows/cns/clock25.ico | Bin 1086 -> 0 bytes src/windows/cns/clock30.ico | Bin 1086 -> 0 bytes src/windows/cns/clock35.ico | Bin 1086 -> 0 bytes src/windows/cns/clock40.ico | Bin 1086 -> 0 bytes src/windows/cns/clock45.ico | Bin 1086 -> 0 bytes src/windows/cns/clock50.ico | Bin 1086 -> 0 bytes src/windows/cns/clock55.ico | Bin 1086 -> 0 bytes src/windows/cns/clock60.ico | Bin 1086 -> 0 bytes src/windows/cns/clockexp.ico | Bin 1086 -> 0 bytes src/windows/cns/clocktkt.ico | Bin 1086 -> 0 bytes src/windows/cns/cns-help.doc | Bin 22528 -> 0 bytes src/windows/cns/cns-help.hlp | Bin 11944 -> 0 bytes src/windows/cns/cns-help.hpj | 133 - src/windows/cns/cns.c | 2196 -- src/windows/cns/cns.h | 249 - src/windows/cns/cns.ico | Bin 1086 -> 0 bytes src/windows/cns/cns_reg.c | 230 - src/windows/cns/cns_reg.h | 33 - src/windows/cns/cnsres4.rc | 108 - src/windows/cns/cnsres5.rc | 215 - src/windows/cns/debug.c | 90 - src/windows/cns/heap.c | 33 - src/windows/cns/kerbnet.doc | Bin 22528 -> 0 bytes src/windows/cns/kerbnet.hlp | Bin 16334 -> 0 bytes src/windows/cns/kerbnet.hpj | 133 - src/windows/cns/kpasswd.c | 90 - src/windows/cns/krb5.def | 9 - src/windows/cns/krbini.h | 37 - src/windows/cns/options.c | 232 - src/windows/cns/password.c | 323 - src/windows/cns/tktlist.c | 432 - src/windows/cns/tktlist.h | 26 - src/windows/include/arpa/nameser.h | 263 - src/windows/include/hesiod.h | 217 - src/windows/include/leashwin.h | 22 +- src/windows/include/loadfuncs-krb5.h | 23 - src/windows/include/loadfuncs-leash.h | 36 - src/windows/include/mitwhich.h | 84 - src/windows/include/resolv.h | 284 - src/windows/include/wshelper.h | 148 - src/windows/installer/nsis/KfWConfigPage.ini | 59 - src/windows/installer/nsis/KfWConfigPage2.ini | 20 - src/windows/installer/nsis/kfw-fixed.nsi | 1907 -- src/windows/installer/nsis/kfw.ico | Bin 25214 -> 0 bytes src/windows/installer/nsis/kfw.nsi | 16 - src/windows/installer/nsis/killer.cpp | 380 - src/windows/installer/nsis/licenses.rtf | 98 - src/windows/installer/nsis/nsi-includes-tagged.nsi | 8 - src/windows/installer/nsis/site-local-tagged.nsi | 13 - src/windows/installer/nsis/utils.nsi | 825 - src/windows/installer/wix/Makefile | 14 +- src/windows/installer/wix/config.wxi | 37 +- src/windows/installer/wix/custom/custom.cpp | 6 +- src/windows/installer/wix/custom/custom.h | 2 +- src/windows/installer/wix/features.wxi | 18 +- src/windows/installer/wix/files.wxi | 262 +- src/windows/installer/wix/kfw.wxs | 3 +- src/windows/installer/wix/lang/config_1033.wxi | 4 +- src/windows/installer/wix/lang/strings_1033.wxl | 4 +- src/windows/installer/wix/msi-deployment-guide.txt | 81 +- src/windows/installer/wix/platform.wxi | 14 +- src/windows/installer/wix/property.wxi | 7 - src/windows/installer/wix/runtime.wxi | 2 +- src/windows/installer/wix/site-local-tagged.wxi | 105 - src/windows/kfwlogon/Makefile.in | 5 +- src/windows/kfwlogon/kfwcommon.c | 2 - src/windows/kfwlogon/kfwlogon.c | 11 - src/windows/leash/AfsProperties.cpp | 123 - src/windows/leash/AfsProperties.h | 56 - src/windows/leash/CLeashDragListBox.cpp | 215 - src/windows/leash/CLeashDragListBox.h | 45 - src/windows/leash/Krb4AddToDomainRealmList.cpp | 107 - src/windows/leash/Krb4AddToDomainRealmList.h | 73 - src/windows/leash/Krb4AddToRealmHostList.cpp | 121 - src/windows/leash/Krb4AddToRealmHostList.h | 75 - src/windows/leash/Krb4DomainRealmMaintenance.cpp | 268 - src/windows/leash/Krb4DomainRealmMaintenance.h | 76 - src/windows/leash/Krb4EditDomainRealmList.cpp | 151 - src/windows/leash/Krb4EditDomainRealmList.h | 77 - src/windows/leash/Krb4EditRealmHostList.cpp | 193 - src/windows/leash/Krb4EditRealmHostList.h | 79 - src/windows/leash/Krb4Properties.cpp | 390 - src/windows/leash/Krb4Properties.h | 138 - src/windows/leash/Krb4RealmHostMaintenance.cpp | 373 - src/windows/leash/Krb4RealmHostMaintenance.h | 86 - src/windows/leash/Krb5Properties.cpp | 644 - src/windows/leash/Krb5Properties.h | 172 - src/windows/leash/KrbAddHostServer.cpp | 77 - src/windows/leash/KrbAddHostServer.h | 53 - src/windows/leash/KrbAddRealm.cpp | 88 - src/windows/leash/KrbAddRealm.h | 66 - src/windows/leash/KrbConfigOptions.cpp | 674 - src/windows/leash/KrbConfigOptions.h | 89 - src/windows/leash/KrbDomainRealmMaintenance.cpp | 440 - src/windows/leash/KrbDomainRealmMaintenance.h | 59 - src/windows/leash/KrbEditHostServer.cpp | 97 - src/windows/leash/KrbEditHostServer.h | 69 - src/windows/leash/KrbEditRealm.cpp | 99 - src/windows/leash/KrbEditRealm.h | 75 - src/windows/leash/KrbListTickets.cpp | 12 +- src/windows/leash/KrbMiscConfigOpt.cpp | 1020 - src/windows/leash/KrbMiscConfigOpt.h | 173 - src/windows/leash/KrbProperties.cpp | 106 - src/windows/leash/KrbProperties.h | 95 - src/windows/leash/KrbRealmHostMaintenance.cpp | 1044 - src/windows/leash/KrbRealmHostMaintenance.h | 102 - src/windows/leash/Leash.cpp | 353 - src/windows/leash/Leash.h | 9 - src/windows/leash/Leash.rc | 243 +- src/windows/leash/LeashAboutBox.cpp | 13 - src/windows/leash/LeashControlPanel.cpp | 43 - src/windows/leash/LeashControlPanel.h | 46 - src/windows/leash/LeashFileDialog.cpp | 75 - src/windows/leash/LeashFileDialog.h | 57 - src/windows/leash/LeashProperties.cpp | 202 - src/windows/leash/LeashProperties.h | 78 - src/windows/leash/LeashView.cpp | 470 +- src/windows/leash/LeashView.h | 37 +- src/windows/leash/Lglobals.cpp | 148 - src/windows/leash/Lglobals.h | 81 - src/windows/leash/MainFrm.cpp | 3 +- src/windows/leash/Makefile.in | 57 +- src/windows/leash/VSroutines.c | 64 - src/windows/leash/htmlhelp/Images/Bullet.gif | Bin 816 -> 0 bytes src/windows/leash/htmlhelp/Images/Capture.PNG | Bin 5304 -> 0 bytes .../leash/htmlhelp/Images/Get_Ticket_Icon.png | Bin 1588 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_10.jpg | Bin 11267 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_11.jpg | Bin 9638 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_12.jpg | Bin 18413 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_13.jpg | Bin 10175 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_5.jpg | Bin 13318 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_6.jpg | Bin 7854 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_7.jpg | Bin 7210 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_8.jpg | Bin 14820 -> 0 bytes .../htmlhelp/Images/Kerberos_auth_serv_fig_9.jpg | Bin 24615 -> 0 bytes .../leash/htmlhelp/Images/Leash_about_leash.jpg | Bin 42760 -> 0 bytes .../htmlhelp/Images/Leash_change_password.JPG | Bin 30300 -> 0 bytes .../leash/htmlhelp/Images/Leash_debug_window.jpg | Bin 15354 -> 0 bytes .../leash/htmlhelp/Images/Leash_display_window.jpg | Bin 79940 -> 0 bytes .../htmlhelp/Images/Leash_init_ticket_advanced.jpg | Bin 41549 -> 0 bytes .../htmlhelp/Images/Leash_init_ticket_basic.jpg | Bin 24631 -> 0 bytes .../leash/htmlhelp/Images/Leash_menu_action.jpg | Bin 16106 -> 0 bytes .../leash/htmlhelp/Images/Leash_menu_file.jpg | Bin 3447 -> 0 bytes .../leash/htmlhelp/Images/Leash_menu_help.jpg | Bin 7711 -> 0 bytes .../leash/htmlhelp/Images/Leash_menu_options.jpg | Bin 18430 -> 0 bytes .../leash/htmlhelp/Images/Leash_menu_view.jpg | Bin 6673 -> 0 bytes .../leash/htmlhelp/Images/Leash_properties_afs.jpg | Bin 10505 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb4.jpg | Bin 29475 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb5_1.jpg | Bin 27382 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb5_2.jpg | Bin 21146 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb_1.jpg | Bin 191736 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb_2.jpg | Bin 50291 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb_3.jpg | Bin 45661 -> 0 bytes .../htmlhelp/Images/Leash_properties_krb_4.jpg | Bin 45052 -> 0 bytes .../htmlhelp/Images/Leash_properties_leash.jpg | Bin 26797 -> 0 bytes .../leash/htmlhelp/Images/Leash_systray_icons.jpg | Bin 3740 -> 0 bytes .../leash/htmlhelp/Images/Leash_systray_menu.jpg | Bin 15892 -> 0 bytes .../leash/htmlhelp/Images/Leash_toolbar.jpg | Bin 5632 -> 0 bytes .../leash/htmlhelp/Images/Options_Button.PNG | Bin 4116 -> 0 bytes .../leash/htmlhelp/Images/Options_Button_Tiny.png | Bin 2243 -> 0 bytes src/windows/leash/htmlhelp/Images/Options_Menu.PNG | Bin 5614 -> 0 bytes .../leash/htmlhelp/Images/Options_Menu_Open.png | Bin 10690 -> 0 bytes .../leash/htmlhelp/Images/Options_Menu_Tiny.png | Bin 7332 -> 0 bytes .../leash/htmlhelp/Images/Ticket_Options.PNG | Bin 6267 -> 0 bytes src/windows/leash/htmlhelp/Images/View_Menu.GIF | Bin 9618 -> 0 bytes src/windows/leash/htmlhelp/Images/View_Menu.PNG | Bin 4838 -> 0 bytes .../leash/htmlhelp/Images/View_Menu_tiny.png | Bin 4664 -> 0 bytes src/windows/leash/htmlhelp/Images/View_Options.PNG | Bin 5512 -> 0 bytes .../Images/allowed_mix_case_realm_name.png | Bin 1986 -> 0 bytes .../htmlhelp/Images/automatic_ticket_renewal.png | Bin 1857 -> 0 bytes .../htmlhelp/Images/destroy_tickets_on_exit.png | Bin 1742 -> 0 bytes .../leash/htmlhelp/Images/encryption_type.png | Bin 1660 -> 0 bytes .../leash/htmlhelp/Images/expiration_alarm.png | Bin 1293 -> 0 bytes src/windows/leash/htmlhelp/Images/flags.png | Bin 1142 -> 0 bytes src/windows/leash/htmlhelp/Images/issued.png | Bin 1183 -> 0 bytes .../leash/htmlhelp/Images/renewable_until.png | Bin 1123 -> 0 bytes src/windows/leash/htmlhelp/Images/valid_until.png | Bin 1297 -> 0 bytes src/windows/leash/htmlhelp/LeashHelp.hhp | 184 - src/windows/leash/htmlhelp/MITKerberosHelp.hhp | 72 - src/windows/leash/htmlhelp/Table_of_Contents.hhc | 232 - src/windows/leash/htmlhelp/html/Button_Menu.htm | 97 - .../leash/htmlhelp/html/Distroy_Tickets.htm | 11 - src/windows/leash/htmlhelp/html/Export_Tickets.htm | 36 - .../leash/htmlhelp/html/How_Use_Kerberos.htm | 44 - src/windows/leash/htmlhelp/html/Import_Status.htm | 75 - src/windows/leash/htmlhelp/html/Import_Tickets.htm | 82 - src/windows/leash/htmlhelp/html/More_Menu.htm | 49 - src/windows/leash/htmlhelp/html/Options_Menu.htm | 62 - src/windows/leash/htmlhelp/html/Renew_Tickets2.htm | 87 - src/windows/leash/htmlhelp/html/View_Menu.htm | 99 - .../leash/htmlhelp/html/Windows_Logon_Tickets.htm | 45 - .../leash/htmlhelp/html/afx_hidw_status_bar.htm | 34 - .../leash/htmlhelp/html/afx_hidw_toolbar.htm | 23 - src/windows/leash/htmlhelp/html/hid_app_about.htm | 16 - src/windows/leash/htmlhelp/html/hid_app_exit.htm | 22 - .../leash/htmlhelp/html/hid_context_help.htm | 20 - src/windows/leash/htmlhelp/html/hid_help_index.htm | 18 - src/windows/leash/htmlhelp/html/hid_help_using.htm | 16 - src/windows/leash/htmlhelp/html/hid_sc_close.htm | 1 - .../leash/htmlhelp/html/hid_sc_maximize.htm | 17 - .../leash/htmlhelp/html/hid_sc_minimize.htm | 16 - src/windows/leash/htmlhelp/html/hid_sc_move.htm | 18 - src/windows/leash/htmlhelp/html/hid_sc_restore.htm | 17 - src/windows/leash/htmlhelp/html/hid_sc_size.htm | 26 - .../leash/htmlhelp/html/hid_view_status_bar.htm | 24 - .../leash/htmlhelp/html/hid_view_toolbar.htm | 23 - .../leash/htmlhelp/html/leash_acknowledgements.htm | 76 - .../leash/htmlhelp/html/leash_bug_reports.htm | 30 - .../html/leash_command_change_password.htm | 28 - .../html/leash_command_destroy_tickets.htm | 27 - .../htmlhelp/html/leash_command_get_tickets.htm | 43 - .../htmlhelp/html/leash_command_import_tickets.htm | 27 - .../htmlhelp/html/leash_command_renew_tickets.htm | 27 - .../htmlhelp/html/leash_command_reset_window.htm | 19 - .../htmlhelp/html/leash_command_sync_time.htm | 27 - .../htmlhelp/html/leash_command_update_display.htm | 30 - .../leash/htmlhelp/html/leash_copyright.htm | 45 - src/windows/leash/htmlhelp/html/leash_errors.htm | 18 - src/windows/leash/htmlhelp/html/leash_export.htm | 34 - .../leash/htmlhelp/html/leash_external_aklog.htm | 20 - .../htmlhelp/html/leash_external_kdestroy.htm | 19 - .../leash/htmlhelp/html/leash_external_kinit.htm | 19 - .../leash/htmlhelp/html/leash_external_klist.htm | 19 - .../leash/htmlhelp/html/leash_external_ms2mit.htm | 20 - .../leash/htmlhelp/html/leash_file_exit.htm | 24 - .../htmlhelp/html/leash_help_about_leash32.htm | 42 - .../htmlhelp/html/leash_kerberos_copyright.htm | 45 - .../leash/htmlhelp/html/leash_manpage_aklog.htm | 17 - .../leash/htmlhelp/html/leash_manpage_kdestroy.htm | 86 - .../leash/htmlhelp/html/leash_manpage_kinit.htm | 17 - .../leash/htmlhelp/html/leash_manpage_klist.htm | 106 - .../leash/htmlhelp/html/leash_manpage_ms2mit.htm | 16 - src/windows/leash/htmlhelp/html/leash_manpages.htm | 18 - .../leash/htmlhelp/html/leash_menu_commands.htm | 58 - .../htmlhelp/html/leash_menu_help_why_use.htm | 17 - .../htmlhelp/html/leash_option_afs_properties.htm | 27 - .../htmlhelp/html/leash_option_auto_renewal.htm | 22 - .../html/leash_option_destroy_tickets_on_exit.htm | 19 - .../html/leash_option_expiration_alarm.htm | 25 - .../html/leash_option_kerberos_properties.htm | 133 - .../htmlhelp/html/leash_option_krb4_properties.htm | 33 - .../htmlhelp/html/leash_option_krb5_properties.htm | 126 - .../html/leash_option_leash_properties.htm | 79 - .../html/leash_option_upper_case_realm.htm | 24 - .../htmlhelp/html/leash_topic_about_kerberos.htm | 52 - .../leash/htmlhelp/html/leash_topic_error_57.htm | 25 - .../leash/htmlhelp/html/leash_topic_error_62.htm | 20 - .../leash/htmlhelp/html/leash_topic_error_8.htm | 21 - .../html/leash_topic_error_invalid_principal.htm | 17 - .../html/leash_topic_kerberos_auth_service.htm | 988 - .../html/leash_topic_kerberos_command_prompt.htm | 29 - .../html/leash_topic_kerberos_help_topics.htm | 26 - .../htmlhelp/html/leash_topic_kerberos_names.htm | 29 - .../html/leash_topic_kerberos_principals.htm | 125 - .../htmlhelp/html/leash_topic_kerberos_tickets.htm | 23 - .../html/leash_topic_leash_help_topics.htm | 33 - .../htmlhelp/html/leash_topic_leash_systray.htm | 64 - .../htmlhelp/html/leash_topic_leash_window.htm | 81 - .../htmlhelp/html/leash_topic_online_help.htm | 25 - .../htmlhelp/html/leash_topic_password_choice.htm | 91 - .../htmlhelp/html/leash_topic_timing_issues.htm | 27 - .../leash/htmlhelp/html/leash_topic_why_use.htm | 77 - .../htmlhelp/html/leash_view_debug_window.htm | 32 - .../leash/htmlhelp/html/leash_view_large_icons.htm | 25 - .../leash/htmlhelp/html/leash_view_status_bar.htm | 21 - .../leash/htmlhelp/html/leash_view_toolbar.htm | 49 - src/windows/leash/htmlhelp/leash32.hhk | 364 - src/windows/leash/htmlhelp/leash32.hhp | 228 - src/windows/leash/out2con.cpp | 4 +- src/windows/leash/resource.h | 23 - src/windows/leashdll/AFSroutines.c | 833 - src/windows/leashdll/Makefile.in | 40 +- src/windows/leashdll/include/krb4/conf-pc.h | 108 - src/windows/leashdll/include/krb4/conf.h | 74 - src/windows/leashdll/include/krb4/osconf.h | 59 - src/windows/leashdll/krb5routines.c | 163 - src/windows/leashdll/leash-int.h | 88 +- src/windows/leashdll/leashdll.c | 19 - src/windows/leashdll/leashdll.h | 90 - src/windows/leashdll/leashids.h | 1 - src/windows/leashdll/leashw32.def | 33 - src/windows/leashdll/lsh_pwd.c | 98 +- src/windows/leashdll/lsh_pwd.rc | 1 - src/windows/leashdll/lshcallb.c | 14 - src/windows/leashdll/lshfunc.c | 360 +- src/windows/leashdll/lshutil.cpp | 11 - src/windows/leashdll/registry.c | 105 - src/windows/leashdll/timesync.c | 22 +- src/windows/leashdll/winerr.c | 47 - src/windows/lib/Makefile.in | 5 +- src/windows/lib/cacheapi.h | 15 - src/windows/lib/gic.c | 157 - src/windows/lib/gic.h | 28 - src/windows/lib/registry.c | 232 - src/windows/lib/registry.h | 40 - src/windows/lib/vardlg.c | 454 - src/windows/lib/vardlg.h | 32 - src/windows/ms2mit/ms2mit.c | 2 +- src/windows/version.rc | 67 +- src/windows/winlevel.h | 3 +- src/windows/wintel/Makefile.in | 46 - src/windows/wintel/auth.c | 867 - src/windows/wintel/auth.h | 28 - src/windows/wintel/dialog.h | 42 - src/windows/wintel/edit.c | 444 - src/windows/wintel/emul.c | 766 - src/windows/wintel/enc_des.c | 725 - src/windows/wintel/enc_des.h | 120 - src/windows/wintel/encrypt.c | 999 - src/windows/wintel/encrypt.h | 178 - src/windows/wintel/font.c | 100 - src/windows/wintel/genget.c | 101 - src/windows/wintel/ini.h | 16 - src/windows/wintel/intern.c | 815 - src/windows/wintel/k5stream.c | 118 - src/windows/wintel/k5stream.h | 57 - src/windows/wintel/ktelnet.doc | Bin 16384 -> 0 bytes src/windows/wintel/ktelnet.hlp | Bin 9204 -> 0 bytes src/windows/wintel/ktelnet.hpj | 92 - src/windows/wintel/ncsa.ico | Bin 766 -> 0 bytes src/windows/wintel/negotiat.c | 865 - src/windows/wintel/resource.h | 17 - src/windows/wintel/screen.c | 1147 - src/windows/wintel/screen.h | 325 - src/windows/wintel/struct.h | 29 - src/windows/wintel/telnet.c | 904 - src/windows/wintel/telnet.def | 39 - src/windows/wintel/telnet.h | 41 - src/windows/wintel/telnet.rc | 247 - src/windows/wintel/telnet_arpa.h | 327 - src/windows/wintel/telopts.h | 164 - src/windows/wintel/terminal.ico | Bin 766 -> 0 bytes src/windows/wintel/wt-proto.h | 63 - 3097 files changed, 55172 insertions(+), 370935 deletions(-) create mode 100644 .gitignore create mode 100644 .travis-ci.sh create mode 100644 doc/admin/dbtypes.rst create mode 100644 doc/admin/dictionary.rst create mode 100644 doc/admin/spake.rst create mode 100644 doc/appdev/y2038.rst create mode 100644 doc/formats/freshness_token.rst delete mode 100644 doc/html/.buildinfo delete mode 100644 doc/html/_sources/about.txt delete mode 100644 doc/html/_sources/admin/admin_commands/index.txt delete mode 100644 doc/html/_sources/admin/admin_commands/k5srvutil.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kadmin_local.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kadmind.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kdb5_util.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kprop.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kpropd.txt delete mode 100644 doc/html/_sources/admin/admin_commands/kproplog.txt delete mode 100644 doc/html/_sources/admin/admin_commands/krb5kdc.txt delete mode 100644 doc/html/_sources/admin/admin_commands/ktutil.txt delete mode 100644 doc/html/_sources/admin/admin_commands/sserver.txt delete mode 100644 doc/html/_sources/admin/advanced/index.txt delete mode 100644 doc/html/_sources/admin/advanced/ldapbackend.txt delete mode 100644 doc/html/_sources/admin/advanced/retiring-des.txt delete mode 100644 doc/html/_sources/admin/appl_servers.txt delete mode 100644 doc/html/_sources/admin/auth_indicator.txt delete mode 100644 doc/html/_sources/admin/backup_host.txt delete mode 100644 doc/html/_sources/admin/conf_files/index.txt delete mode 100644 doc/html/_sources/admin/conf_files/kadm5_acl.txt delete mode 100644 doc/html/_sources/admin/conf_files/kdc_conf.txt delete mode 100644 doc/html/_sources/admin/conf_files/krb5_conf.txt delete mode 100644 doc/html/_sources/admin/conf_ldap.txt delete mode 100644 doc/html/_sources/admin/database.txt delete mode 100644 doc/html/_sources/admin/enctypes.txt delete mode 100644 doc/html/_sources/admin/env_variables.txt delete mode 100644 doc/html/_sources/admin/host_config.txt delete mode 100644 doc/html/_sources/admin/https.txt delete mode 100644 doc/html/_sources/admin/index.txt delete mode 100644 doc/html/_sources/admin/install.txt delete mode 100644 doc/html/_sources/admin/install_appl_srv.txt delete mode 100644 doc/html/_sources/admin/install_clients.txt delete mode 100644 doc/html/_sources/admin/install_kdc.txt delete mode 100644 doc/html/_sources/admin/lockout.txt delete mode 100644 doc/html/_sources/admin/otp.txt delete mode 100644 doc/html/_sources/admin/pkinit.txt delete mode 100644 doc/html/_sources/admin/princ_dns.txt delete mode 100644 doc/html/_sources/admin/realm_config.txt delete mode 100644 doc/html/_sources/admin/troubleshoot.txt delete mode 100644 doc/html/_sources/admin/various_envs.txt delete mode 100644 doc/html/_sources/appdev/gssapi.txt delete mode 100644 doc/html/_sources/appdev/h5l_mit_apidiff.txt delete mode 100644 doc/html/_sources/appdev/index.txt delete mode 100644 doc/html/_sources/appdev/init_creds.txt delete mode 100644 doc/html/_sources/appdev/princ_handle.txt delete mode 100644 doc/html/_sources/appdev/refs/api/index.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_425_conv_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_524_conv_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_524_convert_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_address_compare.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_address_order.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_address_search.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_allow_weak_crypto.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_appdefault_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getrcache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey_k.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_set_req_cksumtype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setaddrs.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setrcache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_auth_con_setuseruserkey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_build_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_build_principal_ext.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_build_principal_va.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_block_size.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_decrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_encrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_free_state.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_init_state.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_is_coll_proof_cksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_is_keyed_cksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_keyed_checksum_types.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_keylengths.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_make_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_padding_length.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_prf.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_prf_length.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_prfplus.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_random_os_entropy.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_random_seed.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_valid_cksumtype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_calculate_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_close.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_default.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_default_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_destroy.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_dup.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_config.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_get_type.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_initialize.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_last_change_time.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_lock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_move.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_next_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_resolve.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_select.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_set_config.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_support_switch.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_switch.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cc_unlock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_last_change_time.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_lock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cccol_unlock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_change_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_check_clockskew.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_checksum_size.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_chpw_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_cksumtype_to_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_clear_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_addresses.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_authdata.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_context.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_data.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_copy_ticket.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_decode_authdata_container.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_decode_ticket.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_decrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_encrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_encrypt_size.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_enctype_to_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_expand_hostname.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_find_authdata.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_finish_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_finish_random_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_addresses.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_ap_rep_enc_part.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_authdata.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_authenticator.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_cksumtypes.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_context.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_data.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_data_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_default_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_enctypes.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_error.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_host_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_keyblock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_ticket.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_free_unparsed_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_credentials.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_credentials_renew.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_credentials_validate.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_default_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_fallback_host_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_host_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_keytab.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_keytab.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_init_creds_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_permitted_enctypes.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_profile.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_server_rcache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_get_validated_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_context.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_context_profile.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_get_error.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_get_times.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_keyblock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_random_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_init_secure_context.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_is_config_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_is_thread_safe.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_create_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_decrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_encrypt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_free_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_key_keyblock.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_prf.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_reference_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_add_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_client_default.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_close.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_default.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_default_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_dup.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_end_seq_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_free_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_get_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_get_type.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_have_content.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_resolve.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kt_start_seq_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_kuserok.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_merge_authdata.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_1cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_error.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_ncred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_priv.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_rep.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_rep_dce.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_req.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_mk_safe.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_os_localaddr.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_get_types.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_parse.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_sign.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_parse_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_principal2salt.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_principal_compare.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_process_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_prompter_posix.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_random_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_error.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_priv.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_rep.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_req.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_rd_safe.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_read_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_realm_compare.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_recvauth.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_recvauth_version.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_list_questions.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_otp_challenge_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_challenge_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_salttype_to_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_sendauth.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_default_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_kdc_recv_hook.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_password.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_password_using_ccache.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_principal_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_real_time.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_sname_match.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_deltat.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_key.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_salttype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_timeofday.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_timestamp_to_sfstring.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_unparse_name.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_us_timeofday.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_use_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_verify_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_init.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_vset_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.txt delete mode 100644 doc/html/_sources/appdev/refs/index.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_ADDRPORT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_IS_LOCAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AD_TYPE_RESERVED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SUBKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_NULL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_POSTDATED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KDC_TKT_COMMON_MASK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AP_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AP_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_ERROR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_STORE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INT16_MAX.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_NONE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_PRINCIPAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_SMTP_NAME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AP_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_ERROR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OSF_DCE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SESAME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_TGS_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PRIV.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_PVNO.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_SAFE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TGS_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_INVALID.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_PRE_AUTH.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXY.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/VALID_INT_BITS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/VALID_UINT_BITS.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/index.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb524_init_ets.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_const.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_component.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_name.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_length.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_size.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_princ_type.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_roundup.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_x.txt delete mode 100644 doc/html/_sources/appdev/refs/macros/krb5_xc.txt delete mode 100644 doc/html/_sources/appdev/refs/types/index.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_address.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_addrtype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ap_rep.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ap_req.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_auth_context.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_authdata.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_authdatatype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_authenticator.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_boolean.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cc_cursor.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ccache.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_checksum.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cksumtype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_const_pointer.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_const_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_context.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cred.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cred_info.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_creds.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_crypto_iov.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_cryptotype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_deltat.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_enc_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_encrypt_block.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_enctype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_error.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_error_code.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_flags.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_init_creds_context.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_int16.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_int32.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_kdc_rep.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_kdc_req.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_key.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_keyblock.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_keytab.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_keytab_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_keyusage.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_kt_cursor.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_kvno.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_last_req_entry.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_magic.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_msgtype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_octet.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pa_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pac.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pointer.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_preauthtype.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_principal.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_principal_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_prompt.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_prompt_type.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_prompter_fct.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_pwd_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_rcache.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_replay_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_context.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_fn.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_response.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ticket.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ticket_times.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_timestamp.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_tkt_authent.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_trace_callback.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_trace_info.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_transited.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_typed_data.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ui_2.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_ui_4.txt delete mode 100644 doc/html/_sources/appdev/refs/types/krb5_verify_init_creds_opt.txt delete mode 100644 doc/html/_sources/appdev/refs/types/passwd_phrase_element.txt delete mode 100644 doc/html/_sources/basic/ccache_def.txt delete mode 100644 doc/html/_sources/basic/date_format.txt delete mode 100644 doc/html/_sources/basic/index.txt delete mode 100644 doc/html/_sources/basic/keytab_def.txt delete mode 100644 doc/html/_sources/basic/rcache_def.txt delete mode 100644 doc/html/_sources/basic/stash_file_def.txt delete mode 100644 doc/html/_sources/build/directory_org.txt delete mode 100644 doc/html/_sources/build/doing_build.txt delete mode 100644 doc/html/_sources/build/index.txt delete mode 100644 doc/html/_sources/build/options2configure.txt delete mode 100644 doc/html/_sources/build/osconf.txt delete mode 100644 doc/html/_sources/build_this.txt delete mode 100644 doc/html/_sources/copyright.txt delete mode 100644 doc/html/_sources/formats/ccache_file_format.txt delete mode 100644 doc/html/_sources/formats/cookie.txt delete mode 100644 doc/html/_sources/formats/index.txt delete mode 100644 doc/html/_sources/formats/keytab_file_format.txt delete mode 100644 doc/html/_sources/index.txt delete mode 100644 doc/html/_sources/mitK5defaults.txt delete mode 100644 doc/html/_sources/mitK5features.txt delete mode 100644 doc/html/_sources/mitK5license.txt delete mode 100644 doc/html/_sources/plugindev/ccselect.txt delete mode 100644 doc/html/_sources/plugindev/clpreauth.txt delete mode 100644 doc/html/_sources/plugindev/general.txt delete mode 100644 doc/html/_sources/plugindev/gssapi.txt delete mode 100644 doc/html/_sources/plugindev/hostrealm.txt delete mode 100644 doc/html/_sources/plugindev/index.txt delete mode 100644 doc/html/_sources/plugindev/internal.txt delete mode 100644 doc/html/_sources/plugindev/kadm5_hook.txt delete mode 100644 doc/html/_sources/plugindev/kdcpreauth.txt delete mode 100644 doc/html/_sources/plugindev/localauth.txt delete mode 100644 doc/html/_sources/plugindev/locate.txt delete mode 100644 doc/html/_sources/plugindev/profile.txt delete mode 100644 doc/html/_sources/plugindev/pwqual.txt delete mode 100644 doc/html/_sources/resources.txt delete mode 100644 doc/html/_sources/user/index.txt delete mode 100644 doc/html/_sources/user/pwd_mgmt.txt delete mode 100644 doc/html/_sources/user/tkt_mgmt.txt delete mode 100644 doc/html/_sources/user/user_commands/index.txt delete mode 100644 doc/html/_sources/user/user_commands/kdestroy.txt delete mode 100644 doc/html/_sources/user/user_commands/kinit.txt delete mode 100644 doc/html/_sources/user/user_commands/klist.txt delete mode 100644 doc/html/_sources/user/user_commands/kpasswd.txt delete mode 100644 doc/html/_sources/user/user_commands/krb5-config.txt delete mode 100644 doc/html/_sources/user/user_commands/ksu.txt delete mode 100644 doc/html/_sources/user/user_commands/kswitch.txt delete mode 100644 doc/html/_sources/user/user_commands/kvno.txt delete mode 100644 doc/html/_sources/user/user_commands/sclient.txt delete mode 100644 doc/html/_sources/user/user_config/index.txt delete mode 100644 doc/html/_sources/user/user_config/k5identity.txt delete mode 100644 doc/html/_sources/user/user_config/k5login.txt delete mode 100644 doc/html/_static/agogo.css delete mode 100644 doc/html/_static/ajax-loader.gif delete mode 100644 doc/html/_static/basic.css delete mode 100644 doc/html/_static/bgfooter.png delete mode 100644 doc/html/_static/bgtop.png delete mode 100644 doc/html/_static/comment-bright.png delete mode 100644 doc/html/_static/comment-close.png delete mode 100644 doc/html/_static/comment.png delete mode 100644 doc/html/_static/doctools.js delete mode 100644 doc/html/_static/down-pressed.png delete mode 100644 doc/html/_static/down.png delete mode 100644 doc/html/_static/file.png delete mode 100644 doc/html/_static/jquery.js delete mode 100644 doc/html/_static/kerb.css delete mode 100644 doc/html/_static/minus.png delete mode 100644 doc/html/_static/plus.png delete mode 100644 doc/html/_static/pygments.css delete mode 100644 doc/html/_static/searchtools.js delete mode 100644 doc/html/_static/underscore.js delete mode 100644 doc/html/_static/up-pressed.png delete mode 100644 doc/html/_static/up.png delete mode 100644 doc/html/_static/websupport.js delete mode 100644 doc/html/about.html delete mode 100644 doc/html/admin/admin_commands/index.html delete mode 100644 doc/html/admin/admin_commands/k5srvutil.html delete mode 100644 doc/html/admin/admin_commands/kadmin_local.html delete mode 100644 doc/html/admin/admin_commands/kadmind.html delete mode 100644 doc/html/admin/admin_commands/kdb5_ldap_util.html delete mode 100644 doc/html/admin/admin_commands/kdb5_util.html delete mode 100644 doc/html/admin/admin_commands/kprop.html delete mode 100644 doc/html/admin/admin_commands/kpropd.html delete mode 100644 doc/html/admin/admin_commands/kproplog.html delete mode 100644 doc/html/admin/admin_commands/krb5kdc.html delete mode 100644 doc/html/admin/admin_commands/ktutil.html delete mode 100644 doc/html/admin/admin_commands/sserver.html delete mode 100644 doc/html/admin/advanced/index.html delete mode 100644 doc/html/admin/advanced/ldapbackend.html delete mode 100644 doc/html/admin/advanced/retiring-des.html delete mode 100644 doc/html/admin/appl_servers.html delete mode 100644 doc/html/admin/auth_indicator.html delete mode 100644 doc/html/admin/backup_host.html delete mode 100644 doc/html/admin/conf_files/index.html delete mode 100644 doc/html/admin/conf_files/kadm5_acl.html delete mode 100644 doc/html/admin/conf_files/kdc_conf.html delete mode 100644 doc/html/admin/conf_files/krb5_conf.html delete mode 100644 doc/html/admin/conf_ldap.html delete mode 100644 doc/html/admin/database.html delete mode 100644 doc/html/admin/enctypes.html delete mode 100644 doc/html/admin/env_variables.html delete mode 100644 doc/html/admin/host_config.html delete mode 100644 doc/html/admin/https.html delete mode 100644 doc/html/admin/index.html delete mode 100644 doc/html/admin/install.html delete mode 100644 doc/html/admin/install_appl_srv.html delete mode 100644 doc/html/admin/install_clients.html delete mode 100644 doc/html/admin/install_kdc.html delete mode 100644 doc/html/admin/lockout.html delete mode 100644 doc/html/admin/otp.html delete mode 100644 doc/html/admin/pkinit.html delete mode 100644 doc/html/admin/princ_dns.html delete mode 100644 doc/html/admin/realm_config.html delete mode 100644 doc/html/admin/troubleshoot.html delete mode 100644 doc/html/admin/various_envs.html delete mode 100644 doc/html/appdev/gssapi.html delete mode 100644 doc/html/appdev/h5l_mit_apidiff.html delete mode 100644 doc/html/appdev/index.html delete mode 100644 doc/html/appdev/init_creds.html delete mode 100644 doc/html/appdev/princ_handle.html delete mode 100644 doc/html/appdev/refs/api/index.html delete mode 100644 doc/html/appdev/refs/api/krb5_425_conv_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_524_conv_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_524_convert_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_address_compare.html delete mode 100644 doc/html/appdev/refs/api/krb5_address_order.html delete mode 100644 doc/html/appdev/refs/api/krb5_address_search.html delete mode 100644 doc/html/appdev/refs/api/krb5_allow_weak_crypto.html delete mode 100644 doc/html/appdev/refs/api/krb5_aname_to_localname.html delete mode 100644 doc/html/appdev/refs/api/krb5_anonymous_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_anonymous_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_appdefault_boolean.html delete mode 100644 doc/html/appdev/refs/api/krb5_appdefault_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getflags.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getrcache.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_initivector.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setflags.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setports.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setrcache.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html delete mode 100644 doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html delete mode 100644 doc/html/appdev/refs/api/krb5_build_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html delete mode 100644 doc/html/appdev/refs/api/krb5_build_principal_ext.html delete mode 100644 doc/html/appdev/refs/api/krb5_build_principal_va.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_block_size.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_checksum_length.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_crypto_length.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_decrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_decrypt_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_derive_prfplus.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_encrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_encrypt_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_encrypt_length.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_enctype_compare.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_free_state.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_init_state.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_keylengths.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_make_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_make_random_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_padding_length.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_prf.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_prf_length.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_prfplus.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_random_add_entropy.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_random_make_octets.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_random_os_entropy.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_random_seed.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_random_to_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_string_to_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_valid_enctype.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_verify_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_calculate_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_cache_match.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_close.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_copy_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_default.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_default_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_destroy.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_dup.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_end_seq_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_gen_new.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_config.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_full_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_get_type.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_initialize.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_last_change_time.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_lock.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_move.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_new_unique.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_next_cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_remove_cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_resolve.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_select.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_set_config.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_set_default_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_set_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_start_seq_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_store_cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_support_switch.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_switch.html delete mode 100644 doc/html/appdev/refs/api/krb5_cc_unlock.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_cursor_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_cursor_new.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_cursor_next.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_have_content.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_last_change_time.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_lock.html delete mode 100644 doc/html/appdev/refs/api/krb5_cccol_unlock.html delete mode 100644 doc/html/appdev/refs/api/krb5_change_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_check_clockskew.html delete mode 100644 doc/html/appdev/refs/api/krb5_checksum_size.html delete mode 100644 doc/html/appdev/refs/api/krb5_chpw_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_cksumtype_to_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_clear_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_addresses.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_authdata.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_authenticator.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_context.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_data.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_keyblock.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_copy_ticket.html delete mode 100644 doc/html/appdev/refs/api/krb5_decode_authdata_container.html delete mode 100644 doc/html/appdev/refs/api/krb5_decode_ticket.html delete mode 100644 doc/html/appdev/refs/api/krb5_decrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_deltat_to_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_eblock_enctype.html delete mode 100644 doc/html/appdev/refs/api/krb5_encode_authdata_container.html delete mode 100644 doc/html/appdev/refs/api/krb5_encrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_encrypt_size.html delete mode 100644 doc/html/appdev/refs/api/krb5_enctype_to_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_enctype_to_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_expand_hostname.html delete mode 100644 doc/html/appdev/refs/api/krb5_find_authdata.html delete mode 100644 doc/html/appdev/refs/api/krb5_finish_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_finish_random_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_addresses.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_authdata.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_authenticator.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_checksum_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_cksumtypes.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_context.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_cred_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_data.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_data_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_default_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_enctypes.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_error.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_host_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_keyblock.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_keyblock_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_tgt_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_ticket.html delete mode 100644 doc/html/appdev/refs/api/krb5_free_unparsed_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_credentials.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_credentials_renew.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_credentials_validate.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_default_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_host_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_init_creds_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_profile.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_prompt_types.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_renewed_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_server_rcache.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_time_offsets.html delete mode 100644 doc/html/appdev/refs/api/krb5_get_validated_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_context.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_context_profile.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_get_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_get_error.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_get_times.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_set_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_set_service.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_creds_step.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_keyblock.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_random_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_init_secure_context.html delete mode 100644 doc/html/appdev/refs/api/krb5_is_config_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_is_referral_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_is_thread_safe.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_create_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_decrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_decrypt_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_encrypt.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_encrypt_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_free_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_key_enctype.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_key_keyblock.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_make_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_prf.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_reference_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_verify_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_add_entry.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_client_default.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_close.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_default.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_default_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_dup.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_end_seq_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_free_entry.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_get_entry.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_get_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_get_type.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_have_content.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_next_entry.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_read_service_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_remove_entry.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_resolve.html delete mode 100644 doc/html/appdev/refs/api/krb5_kt_start_seq_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_kuserok.html delete mode 100644 doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html delete mode 100644 doc/html/appdev/refs/api/krb5_merge_authdata.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_1cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_error.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_ncred.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_priv.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_rep.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_rep_dce.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_req.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_req_extended.html delete mode 100644 doc/html/appdev/refs/api/krb5_mk_safe.html delete mode 100644 doc/html/appdev/refs/api/krb5_os_localaddr.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_add_buffer.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_get_buffer.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_get_types.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_parse.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_sign.html delete mode 100644 doc/html/appdev/refs/api/krb5_pac_verify.html delete mode 100644 doc/html/appdev/refs/api/krb5_parse_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_parse_name_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_prepend_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_principal2salt.html delete mode 100644 doc/html/appdev/refs/api/krb5_principal_compare.html delete mode 100644 doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_principal_compare_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_process_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_prompter_posix.html delete mode 100644 doc/html/appdev/refs/api/krb5_random_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_cred.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_error.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_priv.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_rep.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_rep_dce.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_req.html delete mode 100644 doc/html/appdev/refs/api/krb5_rd_safe.html delete mode 100644 doc/html/appdev/refs/api/krb5_read_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_realm_compare.html delete mode 100644 doc/html/appdev/refs/api/krb5_recvauth.html delete mode 100644 doc/html/appdev/refs/api/krb5_recvauth_version.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_get_challenge.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_list_questions.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html delete mode 100644 doc/html/appdev/refs/api/krb5_responder_set_answer.html delete mode 100644 doc/html/appdev/refs/api/krb5_salttype_to_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_sendauth.html delete mode 100644 doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_default_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_password.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_password_using_ccache.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_principal_realm.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_real_time.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_trace_callback.html delete mode 100644 doc/html/appdev/refs/api/krb5_set_trace_filename.html delete mode 100644 doc/html/appdev/refs/api/krb5_sname_match.html delete mode 100644 doc/html/appdev/refs/api/krb5_sname_to_principal.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_cksumtype.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_deltat.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_enctype.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_key.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_salttype.html delete mode 100644 doc/html/appdev/refs/api/krb5_string_to_timestamp.html delete mode 100644 doc/html/appdev/refs/api/krb5_timeofday.html delete mode 100644 doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html delete mode 100644 doc/html/appdev/refs/api/krb5_timestamp_to_string.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_free.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_get.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_tkt_creds_step.html delete mode 100644 doc/html/appdev/refs/api/krb5_unparse_name.html delete mode 100644 doc/html/appdev/refs/api/krb5_unparse_name_ext.html delete mode 100644 doc/html/appdev/refs/api/krb5_unparse_name_flags.html delete mode 100644 doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html delete mode 100644 doc/html/appdev/refs/api/krb5_us_timeofday.html delete mode 100644 doc/html/appdev/refs/api/krb5_use_enctype.html delete mode 100644 doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html delete mode 100644 doc/html/appdev/refs/api/krb5_verify_checksum.html delete mode 100644 doc/html/appdev/refs/api/krb5_verify_init_creds.html delete mode 100644 doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html delete mode 100644 doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html delete mode 100644 doc/html/appdev/refs/api/krb5_vprepend_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_vset_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_vwrap_error_message.html delete mode 100644 doc/html/appdev/refs/api/krb5_wrap_error_message.html delete mode 100644 doc/html/appdev/refs/index.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_DDP.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_INET.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_INET6.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_ISO.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html delete mode 100644 doc/html/appdev/refs/macros/ADDRTYPE_XNS.html delete mode 100644 doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html delete mode 100644 doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html delete mode 100644 doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html delete mode 100644 doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html delete mode 100644 doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html delete mode 100644 doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_NULL.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html delete mode 100644 doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_PROXY.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_RENEW.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html delete mode 100644 doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html delete mode 100644 doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AP_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AP_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AS_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AS_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_ERROR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_CACHED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INT16_MAX.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INT16_MIN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INT32_MAX.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_INT32_MIN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_UID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PRIV.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_PVNO.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_SAFE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TGS_NAME.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TGS_REP.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TGS_REQ.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html delete mode 100644 doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html delete mode 100644 doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html delete mode 100644 doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html delete mode 100644 doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html delete mode 100644 doc/html/appdev/refs/macros/MSEC_DIRBIT.html delete mode 100644 doc/html/appdev/refs/macros/MSEC_VAL_MASK.html delete mode 100644 doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html delete mode 100644 doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html delete mode 100644 doc/html/appdev/refs/macros/THREEPARAMOPEN.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_INVALID.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_PROXY.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html delete mode 100644 doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html delete mode 100644 doc/html/appdev/refs/macros/VALID_INT_BITS.html delete mode 100644 doc/html/appdev/refs/macros/VALID_UINT_BITS.html delete mode 100644 doc/html/appdev/refs/macros/index.html delete mode 100644 doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html delete mode 100644 doc/html/appdev/refs/macros/krb524_init_ets.html delete mode 100644 doc/html/appdev/refs/macros/krb5_const.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_component.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_name.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_realm.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_set_realm.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_size.html delete mode 100644 doc/html/appdev/refs/macros/krb5_princ_type.html delete mode 100644 doc/html/appdev/refs/macros/krb5_roundup.html delete mode 100644 doc/html/appdev/refs/macros/krb5_x.html delete mode 100644 doc/html/appdev/refs/macros/krb5_xc.html delete mode 100644 doc/html/appdev/refs/types/index.html delete mode 100644 doc/html/appdev/refs/types/krb5_address.html delete mode 100644 doc/html/appdev/refs/types/krb5_addrtype.html delete mode 100644 doc/html/appdev/refs/types/krb5_ap_rep.html delete mode 100644 doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html delete mode 100644 doc/html/appdev/refs/types/krb5_ap_req.html delete mode 100644 doc/html/appdev/refs/types/krb5_auth_context.html delete mode 100644 doc/html/appdev/refs/types/krb5_authdata.html delete mode 100644 doc/html/appdev/refs/types/krb5_authdatatype.html delete mode 100644 doc/html/appdev/refs/types/krb5_authenticator.html delete mode 100644 doc/html/appdev/refs/types/krb5_boolean.html delete mode 100644 doc/html/appdev/refs/types/krb5_cc_cursor.html delete mode 100644 doc/html/appdev/refs/types/krb5_ccache.html delete mode 100644 doc/html/appdev/refs/types/krb5_cccol_cursor.html delete mode 100644 doc/html/appdev/refs/types/krb5_checksum.html delete mode 100644 doc/html/appdev/refs/types/krb5_cksumtype.html delete mode 100644 doc/html/appdev/refs/types/krb5_const_pointer.html delete mode 100644 doc/html/appdev/refs/types/krb5_const_principal.html delete mode 100644 doc/html/appdev/refs/types/krb5_context.html delete mode 100644 doc/html/appdev/refs/types/krb5_cred.html delete mode 100644 doc/html/appdev/refs/types/krb5_cred_enc_part.html delete mode 100644 doc/html/appdev/refs/types/krb5_cred_info.html delete mode 100644 doc/html/appdev/refs/types/krb5_creds.html delete mode 100644 doc/html/appdev/refs/types/krb5_crypto_iov.html delete mode 100644 doc/html/appdev/refs/types/krb5_cryptotype.html delete mode 100644 doc/html/appdev/refs/types/krb5_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_deltat.html delete mode 100644 doc/html/appdev/refs/types/krb5_enc_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html delete mode 100644 doc/html/appdev/refs/types/krb5_enc_tkt_part.html delete mode 100644 doc/html/appdev/refs/types/krb5_encrypt_block.html delete mode 100644 doc/html/appdev/refs/types/krb5_enctype.html delete mode 100644 doc/html/appdev/refs/types/krb5_error.html delete mode 100644 doc/html/appdev/refs/types/krb5_error_code.html delete mode 100644 doc/html/appdev/refs/types/krb5_expire_callback_func.html delete mode 100644 doc/html/appdev/refs/types/krb5_flags.html delete mode 100644 doc/html/appdev/refs/types/krb5_get_init_creds_opt.html delete mode 100644 doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_init_creds_context.html delete mode 100644 doc/html/appdev/refs/types/krb5_int16.html delete mode 100644 doc/html/appdev/refs/types/krb5_int32.html delete mode 100644 doc/html/appdev/refs/types/krb5_kdc_rep.html delete mode 100644 doc/html/appdev/refs/types/krb5_kdc_req.html delete mode 100644 doc/html/appdev/refs/types/krb5_key.html delete mode 100644 doc/html/appdev/refs/types/krb5_keyblock.html delete mode 100644 doc/html/appdev/refs/types/krb5_keytab.html delete mode 100644 doc/html/appdev/refs/types/krb5_keytab_entry.html delete mode 100644 doc/html/appdev/refs/types/krb5_keyusage.html delete mode 100644 doc/html/appdev/refs/types/krb5_kt_cursor.html delete mode 100644 doc/html/appdev/refs/types/krb5_kvno.html delete mode 100644 doc/html/appdev/refs/types/krb5_last_req_entry.html delete mode 100644 doc/html/appdev/refs/types/krb5_magic.html delete mode 100644 doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html delete mode 100644 doc/html/appdev/refs/types/krb5_msgtype.html delete mode 100644 doc/html/appdev/refs/types/krb5_octet.html delete mode 100644 doc/html/appdev/refs/types/krb5_pa_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_pa_pac_req.html delete mode 100644 doc/html/appdev/refs/types/krb5_pa_server_referral_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_pac.html delete mode 100644 doc/html/appdev/refs/types/krb5_pointer.html delete mode 100644 doc/html/appdev/refs/types/krb5_post_recv_fn.html delete mode 100644 doc/html/appdev/refs/types/krb5_pre_send_fn.html delete mode 100644 doc/html/appdev/refs/types/krb5_preauthtype.html delete mode 100644 doc/html/appdev/refs/types/krb5_principal.html delete mode 100644 doc/html/appdev/refs/types/krb5_principal_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_prompt.html delete mode 100644 doc/html/appdev/refs/types/krb5_prompt_type.html delete mode 100644 doc/html/appdev/refs/types/krb5_prompter_fct.html delete mode 100644 doc/html/appdev/refs/types/krb5_pwd_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_rcache.html delete mode 100644 doc/html/appdev/refs/types/krb5_replay_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_context.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_fn.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_otp_challenge.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html delete mode 100644 doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html delete mode 100644 doc/html/appdev/refs/types/krb5_response.html delete mode 100644 doc/html/appdev/refs/types/krb5_ticket.html delete mode 100644 doc/html/appdev/refs/types/krb5_ticket_times.html delete mode 100644 doc/html/appdev/refs/types/krb5_timestamp.html delete mode 100644 doc/html/appdev/refs/types/krb5_tkt_authent.html delete mode 100644 doc/html/appdev/refs/types/krb5_tkt_creds_context.html delete mode 100644 doc/html/appdev/refs/types/krb5_trace_callback.html delete mode 100644 doc/html/appdev/refs/types/krb5_trace_info.html delete mode 100644 doc/html/appdev/refs/types/krb5_transited.html delete mode 100644 doc/html/appdev/refs/types/krb5_typed_data.html delete mode 100644 doc/html/appdev/refs/types/krb5_ui_2.html delete mode 100644 doc/html/appdev/refs/types/krb5_ui_4.html delete mode 100644 doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html delete mode 100644 doc/html/appdev/refs/types/passwd_phrase_element.html delete mode 100644 doc/html/basic/ccache_def.html delete mode 100644 doc/html/basic/date_format.html delete mode 100644 doc/html/basic/index.html delete mode 100644 doc/html/basic/keytab_def.html delete mode 100644 doc/html/basic/rcache_def.html delete mode 100644 doc/html/basic/stash_file_def.html delete mode 100644 doc/html/build/directory_org.html delete mode 100644 doc/html/build/doing_build.html delete mode 100644 doc/html/build/index.html delete mode 100644 doc/html/build/options2configure.html delete mode 100644 doc/html/build/osconf.html delete mode 100644 doc/html/build_this.html delete mode 100644 doc/html/copyright.html delete mode 100644 doc/html/formats/ccache_file_format.html delete mode 100644 doc/html/formats/cookie.html delete mode 100644 doc/html/formats/index.html delete mode 100644 doc/html/formats/keytab_file_format.html delete mode 100644 doc/html/genindex-A.html delete mode 100644 doc/html/genindex-C.html delete mode 100644 doc/html/genindex-E.html delete mode 100644 doc/html/genindex-K.html delete mode 100644 doc/html/genindex-L.html delete mode 100644 doc/html/genindex-M.html delete mode 100644 doc/html/genindex-P.html delete mode 100644 doc/html/genindex-R.html delete mode 100644 doc/html/genindex-S.html delete mode 100644 doc/html/genindex-T.html delete mode 100644 doc/html/genindex-V.html delete mode 100644 doc/html/genindex-all.html delete mode 100644 doc/html/genindex.html delete mode 100644 doc/html/index.html delete mode 100644 doc/html/mitK5defaults.html delete mode 100644 doc/html/mitK5features.html delete mode 100644 doc/html/mitK5license.html delete mode 100644 doc/html/objects.inv delete mode 100644 doc/html/plugindev/ccselect.html delete mode 100644 doc/html/plugindev/clpreauth.html delete mode 100644 doc/html/plugindev/general.html delete mode 100644 doc/html/plugindev/gssapi.html delete mode 100644 doc/html/plugindev/hostrealm.html delete mode 100644 doc/html/plugindev/index.html delete mode 100644 doc/html/plugindev/internal.html delete mode 100644 doc/html/plugindev/kadm5_hook.html delete mode 100644 doc/html/plugindev/kdcpreauth.html delete mode 100644 doc/html/plugindev/localauth.html delete mode 100644 doc/html/plugindev/locate.html delete mode 100644 doc/html/plugindev/profile.html delete mode 100644 doc/html/plugindev/pwqual.html delete mode 100644 doc/html/resources.html delete mode 100644 doc/html/search.html delete mode 100644 doc/html/searchindex.js delete mode 100644 doc/html/user/index.html delete mode 100644 doc/html/user/pwd_mgmt.html delete mode 100644 doc/html/user/tkt_mgmt.html delete mode 100644 doc/html/user/user_commands/index.html delete mode 100644 doc/html/user/user_commands/kdestroy.html delete mode 100644 doc/html/user/user_commands/kinit.html delete mode 100644 doc/html/user/user_commands/klist.html delete mode 100644 doc/html/user/user_commands/kpasswd.html delete mode 100644 doc/html/user/user_commands/krb5-config.html delete mode 100644 doc/html/user/user_commands/ksu.html delete mode 100644 doc/html/user/user_commands/kswitch.html delete mode 100644 doc/html/user/user_commands/kvno.html delete mode 100644 doc/html/user/user_commands/sclient.html delete mode 100644 doc/html/user/user_config/index.html delete mode 100644 doc/html/user/user_config/k5identity.html delete mode 100644 doc/html/user/user_config/k5login.html delete mode 100644 doc/pdf/GMakefile delete mode 100644 doc/pdf/admin.pdf delete mode 100644 doc/pdf/admin.tex delete mode 100644 doc/pdf/appdev.pdf delete mode 100644 doc/pdf/appdev.tex delete mode 100644 doc/pdf/basic.pdf delete mode 100644 doc/pdf/basic.tex delete mode 100644 doc/pdf/build.pdf delete mode 100644 doc/pdf/build.tex delete mode 100644 doc/pdf/fncychap.sty delete mode 100644 doc/pdf/plugindev.pdf delete mode 100644 doc/pdf/plugindev.tex delete mode 100644 doc/pdf/python.ist delete mode 100644 doc/pdf/sphinx.sty delete mode 100644 doc/pdf/sphinxhowto.cls delete mode 100644 doc/pdf/sphinxmanual.cls delete mode 100644 doc/pdf/tabulary.sty delete mode 100644 doc/pdf/user.pdf delete mode 100644 doc/pdf/user.tex create mode 100644 doc/plugindev/certauth.rst create mode 100644 doc/plugindev/kadm5_auth.rst create mode 100644 doc/plugindev/kdcpolicy.rst create mode 100644 doc/user/user_config/kerberos.rst delete mode 100644 src/clients/kpasswd/ksetpwd.c delete mode 100644 src/config/ac-archive/acx_pthread.m4 create mode 100644 src/config/ac-archive/ax_pthread.m4 create mode 100644 src/config/ac-archive/ax_recursive_eval.m4 delete mode 100644 src/config/ac-archive/relpaths.m4 create mode 100644 src/config/pkg.m4 delete mode 100755 src/configure delete mode 100644 src/include/autoconf.h.in create mode 100644 src/include/k5-cmocka.h create mode 100644 src/include/k5-hashtab.h create mode 100644 src/include/k5-hex.h create mode 100644 src/include/k5-spake.h create mode 100644 src/include/krb5/certauth_plugin.h create mode 100644 src/include/krb5/kadm5_auth_plugin.h create mode 100644 src/include/krb5/kdcpolicy_plugin.h delete mode 100644 src/kadmin/cli/strftime.c create mode 100644 src/kadmin/server/auth.c create mode 100644 src/kadmin/server/auth.h create mode 100644 src/kadmin/server/auth_acl.c create mode 100644 src/kadmin/server/auth_self.c create mode 100644 src/kdc/t_bigreply.py create mode 100644 src/kprop/Makefile.in create mode 100644 src/kprop/deps create mode 100644 src/kprop/kprop.c create mode 100644 src/kprop/kprop.h create mode 100644 src/kprop/kprop_util.c create mode 100644 src/kprop/kpropd.c rename src/{slave => kprop}/kpropd_rpc.c (100%) create mode 100644 src/kprop/kproplog.c create mode 100644 src/kprop/replica_update delete mode 100644 src/lib/kadm5/srv/server_acl.c delete mode 100644 src/lib/kadm5/srv/server_acl.h delete mode 100644 src/lib/krb5/asn.1/asn1buf.c delete mode 100644 src/lib/krb5/asn.1/asn1buf.h create mode 100644 src/lib/krb5/ccache/ccselect_hostname.c create mode 100644 src/lib/krb5/krb/get_etype_info.c delete mode 100644 src/lib/krb5/krb/strftime.c create mode 100644 src/lib/krb5/krb/t_get_etype_info.c create mode 100644 src/lib/krb5/krb/t_get_etype_info.py create mode 100644 src/lib/krb5/krb/t_valid_times.c create mode 100644 src/man/kerberos.man create mode 100644 src/plugins/certauth/test/Makefile.in create mode 100644 src/plugins/certauth/test/certauth_test.exports create mode 100644 src/plugins/certauth/test/deps create mode 100644 src/plugins/certauth/test/main.c create mode 100644 src/plugins/kadm5_auth/test/Makefile.in create mode 100644 src/plugins/kadm5_auth/test/deps create mode 100644 src/plugins/kadm5_auth/test/kadm5_auth_test.exports create mode 100644 src/plugins/kadm5_auth/test/main.c create mode 100644 src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif create mode 100644 src/plugins/kdb/lmdb/Makefile.in create mode 100644 src/plugins/kdb/lmdb/deps create mode 100644 src/plugins/kdb/lmdb/kdb_lmdb.c create mode 100644 src/plugins/kdb/lmdb/klmdb-int.h create mode 100644 src/plugins/kdb/lmdb/klmdb.exports create mode 100644 src/plugins/kdb/lmdb/lockout.c create mode 100644 src/plugins/kdb/lmdb/marshal.c create mode 100644 src/plugins/kdcpolicy/test/Makefile.in create mode 100644 src/plugins/kdcpolicy/test/deps create mode 100644 src/plugins/kdcpolicy/test/kdcpolicy_test.exports create mode 100644 src/plugins/kdcpolicy/test/main.c delete mode 100644 src/plugins/preauth/pkinit/pkinit_crypto_nss.c create mode 100644 src/plugins/preauth/spake/AUTHORS create mode 100644 src/plugins/preauth/spake/Makefile.in create mode 100644 src/plugins/preauth/spake/deps create mode 100644 src/plugins/preauth/spake/edwards25519.c create mode 100644 src/plugins/preauth/spake/edwards25519_tables.h create mode 100644 src/plugins/preauth/spake/groups.c create mode 100644 src/plugins/preauth/spake/groups.h create mode 100644 src/plugins/preauth/spake/iana.c create mode 100644 src/plugins/preauth/spake/iana.h create mode 100644 src/plugins/preauth/spake/openssl.c create mode 100644 src/plugins/preauth/spake/spake.def create mode 100644 src/plugins/preauth/spake/spake.exports create mode 100644 src/plugins/preauth/spake/spake_client.c create mode 100644 src/plugins/preauth/spake/spake_kdc.c create mode 100644 src/plugins/preauth/spake/t_krb5.conf create mode 100644 src/plugins/preauth/spake/t_vectors.c create mode 100644 src/plugins/preauth/spake/trace.h create mode 100644 src/plugins/preauth/spake/util.c create mode 100644 src/plugins/preauth/spake/util.h create mode 100644 src/plugins/preauth/test/common.c create mode 100644 src/plugins/preauth/test/common.h create mode 100644 src/po/de.po delete mode 100644 src/slave/Makefile.in delete mode 100644 src/slave/deps delete mode 100644 src/slave/kprop.c delete mode 100644 src/slave/kprop.h delete mode 100644 src/slave/kprop_util.c delete mode 100644 src/slave/kpropd.c delete mode 100644 src/slave/kproplog.c delete mode 100644 src/slave/kslave_update create mode 100644 src/tests/asn.1/spake.asn1 create mode 100644 src/tests/dejagnu/pkinit-certs/generic.p12 create mode 100644 src/tests/dejagnu/pkinit-certs/generic.pem create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.p12 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn.pem create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.p12 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn2.pem create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.p12 create mode 100644 src/tests/dejagnu/pkinit-certs/user-upn3.pem create mode 100644 src/tests/gssapi/t_add_cred.c create mode 100644 src/tests/gssapi/t_lifetime.c create mode 100644 src/tests/icinterleave.c create mode 100644 src/tests/t_certauth.py create mode 100644 src/tests/t_kadm5_auth.py create mode 100644 src/tests/t_kdcpolicy.py create mode 100644 src/tests/t_spake.py create mode 100644 src/tests/t_u2u.py create mode 100644 src/tests/t_y2038.py create mode 100644 src/util/support/dir_filenames.c create mode 100644 src/util/support/hashtab.c create mode 100644 src/util/support/hex.c create mode 100644 src/util/support/t_hashtab.c create mode 100644 src/util/support/t_hex.c create mode 100644 src/util/support/t_utf16.c delete mode 100644 src/util/wshelper/Makefile.in delete mode 100644 src/util/wshelper/dllmain.c delete mode 100644 src/util/wshelper/gethna.c delete mode 100644 src/util/wshelper/hesiod.c delete mode 100644 src/util/wshelper/hesmailh.c delete mode 100644 src/util/wshelper/hespwnam.c delete mode 100644 src/util/wshelper/hesservb.c delete mode 100644 src/util/wshelper/inetaton.c delete mode 100644 src/util/wshelper/pwd.h delete mode 100644 src/util/wshelper/res_comp.c delete mode 100644 src/util/wshelper/res_init.c delete mode 100644 src/util/wshelper/res_quer.c delete mode 100644 src/util/wshelper/resource.h delete mode 100644 src/util/wshelper/resource.rc delete mode 100644 src/util/wshelper/string.rc delete mode 100644 src/util/wshelper/ver.rc.inc delete mode 100644 src/util/wshelper/wsh-int.h delete mode 100644 src/util/wshelper/wshelp32.def delete mode 100644 src/util/wshelper/wshelp64.def delete mode 100644 src/util/wshelper/wshelper.def delete mode 100644 src/windows/build/BKWconfig.xml delete mode 100644 src/windows/build/Logger.pm delete mode 100644 src/windows/build/bkw-automation.html delete mode 100644 src/windows/build/bkw.pl delete mode 100644 src/windows/build/bootstrap.xml delete mode 100644 src/windows/build/commandandcontrol.pl delete mode 100644 src/windows/build/copyfiles.pl delete mode 100644 src/windows/build/copyfiles.xml delete mode 100644 src/windows/build/corebinaryfiles.xml delete mode 100644 src/windows/build/css/main-action(1).css delete mode 100644 src/windows/build/css/main-action.css delete mode 100644 src/windows/build/makeZip.pl delete mode 100644 src/windows/build/pruneFiles.pl delete mode 100644 src/windows/build/repository1.pl delete mode 100644 src/windows/build/sdkfiles.xml delete mode 100644 src/windows/build/signFiles.pl delete mode 100644 src/windows/build/site-local.sed delete mode 100644 src/windows/build/tee.pl delete mode 100644 src/windows/build/which.pl delete mode 100644 src/windows/build/zipXML.pl delete mode 100644 src/windows/cns/Makefile.in delete mode 100644 src/windows/cns/clock00.ico delete mode 100644 src/windows/cns/clock05.ico delete mode 100644 src/windows/cns/clock10.ico delete mode 100644 src/windows/cns/clock15.ico delete mode 100644 src/windows/cns/clock20.ico delete mode 100644 src/windows/cns/clock25.ico delete mode 100644 src/windows/cns/clock30.ico delete mode 100644 src/windows/cns/clock35.ico delete mode 100644 src/windows/cns/clock40.ico delete mode 100644 src/windows/cns/clock45.ico delete mode 100644 src/windows/cns/clock50.ico delete mode 100644 src/windows/cns/clock55.ico delete mode 100644 src/windows/cns/clock60.ico delete mode 100644 src/windows/cns/clockexp.ico delete mode 100644 src/windows/cns/clocktkt.ico delete mode 100644 src/windows/cns/cns-help.doc delete mode 100644 src/windows/cns/cns-help.hlp delete mode 100644 src/windows/cns/cns-help.hpj delete mode 100644 src/windows/cns/cns.c delete mode 100644 src/windows/cns/cns.h delete mode 100644 src/windows/cns/cns.ico delete mode 100644 src/windows/cns/cns_reg.c delete mode 100644 src/windows/cns/cns_reg.h delete mode 100644 src/windows/cns/cnsres4.rc delete mode 100644 src/windows/cns/cnsres5.rc delete mode 100644 src/windows/cns/debug.c delete mode 100644 src/windows/cns/heap.c delete mode 100644 src/windows/cns/kerbnet.doc delete mode 100644 src/windows/cns/kerbnet.hlp delete mode 100644 src/windows/cns/kerbnet.hpj delete mode 100644 src/windows/cns/kpasswd.c delete mode 100644 src/windows/cns/krb5.def delete mode 100644 src/windows/cns/krbini.h delete mode 100644 src/windows/cns/options.c delete mode 100644 src/windows/cns/password.c delete mode 100644 src/windows/cns/tktlist.c delete mode 100644 src/windows/cns/tktlist.h delete mode 100644 src/windows/include/arpa/nameser.h delete mode 100644 src/windows/include/hesiod.h delete mode 100644 src/windows/include/mitwhich.h delete mode 100644 src/windows/include/resolv.h delete mode 100644 src/windows/include/wshelper.h delete mode 100644 src/windows/installer/nsis/KfWConfigPage.ini delete mode 100644 src/windows/installer/nsis/KfWConfigPage2.ini delete mode 100644 src/windows/installer/nsis/kfw-fixed.nsi delete mode 100644 src/windows/installer/nsis/kfw.ico delete mode 100644 src/windows/installer/nsis/kfw.nsi delete mode 100644 src/windows/installer/nsis/killer.cpp delete mode 100644 src/windows/installer/nsis/licenses.rtf delete mode 100644 src/windows/installer/nsis/nsi-includes-tagged.nsi delete mode 100644 src/windows/installer/nsis/site-local-tagged.nsi delete mode 100644 src/windows/installer/nsis/utils.nsi delete mode 100644 src/windows/installer/wix/site-local-tagged.wxi delete mode 100644 src/windows/leash/AfsProperties.cpp delete mode 100644 src/windows/leash/AfsProperties.h delete mode 100644 src/windows/leash/CLeashDragListBox.cpp delete mode 100644 src/windows/leash/CLeashDragListBox.h delete mode 100644 src/windows/leash/Krb4AddToDomainRealmList.cpp delete mode 100644 src/windows/leash/Krb4AddToDomainRealmList.h delete mode 100644 src/windows/leash/Krb4AddToRealmHostList.cpp delete mode 100644 src/windows/leash/Krb4AddToRealmHostList.h delete mode 100644 src/windows/leash/Krb4DomainRealmMaintenance.cpp delete mode 100644 src/windows/leash/Krb4DomainRealmMaintenance.h delete mode 100644 src/windows/leash/Krb4EditDomainRealmList.cpp delete mode 100644 src/windows/leash/Krb4EditDomainRealmList.h delete mode 100644 src/windows/leash/Krb4EditRealmHostList.cpp delete mode 100644 src/windows/leash/Krb4EditRealmHostList.h delete mode 100644 src/windows/leash/Krb4Properties.cpp delete mode 100644 src/windows/leash/Krb4Properties.h delete mode 100644 src/windows/leash/Krb4RealmHostMaintenance.cpp delete mode 100644 src/windows/leash/Krb4RealmHostMaintenance.h delete mode 100644 src/windows/leash/Krb5Properties.cpp delete mode 100644 src/windows/leash/Krb5Properties.h delete mode 100644 src/windows/leash/KrbAddHostServer.cpp delete mode 100644 src/windows/leash/KrbAddHostServer.h delete mode 100644 src/windows/leash/KrbAddRealm.cpp delete mode 100644 src/windows/leash/KrbAddRealm.h delete mode 100644 src/windows/leash/KrbConfigOptions.cpp delete mode 100644 src/windows/leash/KrbConfigOptions.h delete mode 100644 src/windows/leash/KrbDomainRealmMaintenance.cpp delete mode 100644 src/windows/leash/KrbDomainRealmMaintenance.h delete mode 100644 src/windows/leash/KrbEditHostServer.cpp delete mode 100644 src/windows/leash/KrbEditHostServer.h delete mode 100644 src/windows/leash/KrbEditRealm.cpp delete mode 100644 src/windows/leash/KrbEditRealm.h delete mode 100644 src/windows/leash/KrbMiscConfigOpt.cpp delete mode 100644 src/windows/leash/KrbMiscConfigOpt.h delete mode 100644 src/windows/leash/KrbProperties.cpp delete mode 100644 src/windows/leash/KrbProperties.h delete mode 100644 src/windows/leash/KrbRealmHostMaintenance.cpp delete mode 100644 src/windows/leash/KrbRealmHostMaintenance.h delete mode 100644 src/windows/leash/LeashControlPanel.cpp delete mode 100644 src/windows/leash/LeashControlPanel.h delete mode 100644 src/windows/leash/LeashFileDialog.cpp delete mode 100644 src/windows/leash/LeashFileDialog.h delete mode 100644 src/windows/leash/LeashProperties.cpp delete mode 100644 src/windows/leash/LeashProperties.h delete mode 100644 src/windows/leash/Lglobals.cpp delete mode 100644 src/windows/leash/VSroutines.c delete mode 100644 src/windows/leash/htmlhelp/Images/Bullet.gif delete mode 100644 src/windows/leash/htmlhelp/Images/Capture.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/Get_Ticket_Icon.png delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_10.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_11.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_12.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_13.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_5.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_6.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_7.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_8.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_9.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_about_leash.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_change_password.JPG delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_debug_window.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_display_window.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_init_ticket_advanced.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_init_ticket_basic.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_menu_action.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_menu_file.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_menu_help.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_menu_options.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_menu_view.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_afs.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb4.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb5_1.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb5_2.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb_1.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb_2.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb_3.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_krb_4.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_properties_leash.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_systray_icons.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_systray_menu.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Leash_toolbar.jpg delete mode 100644 src/windows/leash/htmlhelp/Images/Options_Button.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/Options_Button_Tiny.png delete mode 100644 src/windows/leash/htmlhelp/Images/Options_Menu.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/Options_Menu_Open.png delete mode 100644 src/windows/leash/htmlhelp/Images/Options_Menu_Tiny.png delete mode 100644 src/windows/leash/htmlhelp/Images/Ticket_Options.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/View_Menu.GIF delete mode 100644 src/windows/leash/htmlhelp/Images/View_Menu.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/View_Menu_tiny.png delete mode 100644 src/windows/leash/htmlhelp/Images/View_Options.PNG delete mode 100644 src/windows/leash/htmlhelp/Images/allowed_mix_case_realm_name.png delete mode 100644 src/windows/leash/htmlhelp/Images/automatic_ticket_renewal.png delete mode 100644 src/windows/leash/htmlhelp/Images/destroy_tickets_on_exit.png delete mode 100644 src/windows/leash/htmlhelp/Images/encryption_type.png delete mode 100644 src/windows/leash/htmlhelp/Images/expiration_alarm.png delete mode 100644 src/windows/leash/htmlhelp/Images/flags.png delete mode 100644 src/windows/leash/htmlhelp/Images/issued.png delete mode 100644 src/windows/leash/htmlhelp/Images/renewable_until.png delete mode 100644 src/windows/leash/htmlhelp/Images/valid_until.png delete mode 100644 src/windows/leash/htmlhelp/LeashHelp.hhp delete mode 100644 src/windows/leash/htmlhelp/Table_of_Contents.hhc delete mode 100644 src/windows/leash/htmlhelp/html/Button_Menu.htm delete mode 100644 src/windows/leash/htmlhelp/html/Distroy_Tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/Export_Tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/How_Use_Kerberos.htm delete mode 100644 src/windows/leash/htmlhelp/html/Import_Status.htm delete mode 100644 src/windows/leash/htmlhelp/html/Import_Tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/More_Menu.htm delete mode 100644 src/windows/leash/htmlhelp/html/Options_Menu.htm delete mode 100644 src/windows/leash/htmlhelp/html/Renew_Tickets2.htm delete mode 100644 src/windows/leash/htmlhelp/html/View_Menu.htm delete mode 100644 src/windows/leash/htmlhelp/html/Windows_Logon_Tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/afx_hidw_status_bar.htm delete mode 100644 src/windows/leash/htmlhelp/html/afx_hidw_toolbar.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_app_about.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_app_exit.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_context_help.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_help_index.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_help_using.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_close.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_maximize.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_minimize.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_move.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_restore.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_sc_size.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_view_status_bar.htm delete mode 100644 src/windows/leash/htmlhelp/html/hid_view_toolbar.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_acknowledgements.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_bug_reports.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_change_password.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_destroy_tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_get_tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_import_tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_renew_tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_reset_window.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_sync_time.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_command_update_display.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_copyright.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_errors.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_export.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_external_aklog.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_external_kdestroy.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_external_kinit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_external_klist.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_external_ms2mit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_file_exit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_help_about_leash32.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_kerberos_copyright.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpage_aklog.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpage_kdestroy.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpage_kinit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpage_klist.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpage_ms2mit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_manpages.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_menu_commands.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_menu_help_why_use.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_afs_properties.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_auto_renewal.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_destroy_tickets_on_exit.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_expiration_alarm.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_kerberos_properties.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_krb4_properties.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_krb5_properties.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_leash_properties.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_option_upper_case_realm.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_about_kerberos.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_error_57.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_error_62.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_error_8.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_error_invalid_principal.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_auth_service.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_command_prompt.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_help_topics.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_names.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_principals.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_kerberos_tickets.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_leash_help_topics.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_leash_systray.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_leash_window.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_online_help.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_password_choice.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_timing_issues.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_topic_why_use.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_view_debug_window.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_view_large_icons.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_view_status_bar.htm delete mode 100644 src/windows/leash/htmlhelp/html/leash_view_toolbar.htm delete mode 100644 src/windows/leash/htmlhelp/leash32.hhk delete mode 100644 src/windows/leash/htmlhelp/leash32.hhp delete mode 100644 src/windows/leashdll/AFSroutines.c delete mode 100644 src/windows/leashdll/include/krb4/conf-pc.h delete mode 100644 src/windows/leashdll/include/krb4/conf.h delete mode 100644 src/windows/leashdll/include/krb4/osconf.h delete mode 100644 src/windows/leashdll/lshcallb.c delete mode 100644 src/windows/leashdll/registry.c delete mode 100644 src/windows/lib/gic.c delete mode 100644 src/windows/lib/gic.h delete mode 100644 src/windows/lib/registry.c delete mode 100644 src/windows/lib/registry.h delete mode 100644 src/windows/lib/vardlg.c delete mode 100644 src/windows/lib/vardlg.h delete mode 100644 src/windows/wintel/Makefile.in delete mode 100644 src/windows/wintel/auth.c delete mode 100644 src/windows/wintel/auth.h delete mode 100644 src/windows/wintel/dialog.h delete mode 100644 src/windows/wintel/edit.c delete mode 100644 src/windows/wintel/emul.c delete mode 100644 src/windows/wintel/enc_des.c delete mode 100644 src/windows/wintel/enc_des.h delete mode 100644 src/windows/wintel/encrypt.c delete mode 100644 src/windows/wintel/encrypt.h delete mode 100644 src/windows/wintel/font.c delete mode 100644 src/windows/wintel/genget.c delete mode 100644 src/windows/wintel/ini.h delete mode 100644 src/windows/wintel/intern.c delete mode 100644 src/windows/wintel/k5stream.c delete mode 100644 src/windows/wintel/k5stream.h delete mode 100644 src/windows/wintel/ktelnet.doc delete mode 100644 src/windows/wintel/ktelnet.hlp delete mode 100644 src/windows/wintel/ktelnet.hpj delete mode 100644 src/windows/wintel/ncsa.ico delete mode 100644 src/windows/wintel/negotiat.c delete mode 100644 src/windows/wintel/resource.h delete mode 100644 src/windows/wintel/screen.c delete mode 100644 src/windows/wintel/screen.h delete mode 100644 src/windows/wintel/struct.h delete mode 100644 src/windows/wintel/telnet.c delete mode 100644 src/windows/wintel/telnet.def delete mode 100644 src/windows/wintel/telnet.h delete mode 100644 src/windows/wintel/telnet.rc delete mode 100644 src/windows/wintel/telnet_arpa.h delete mode 100644 src/windows/wintel/telopts.h delete mode 100644 src/windows/wintel/terminal.ico delete mode 100644 src/windows/wintel/wt-proto.h diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..9e0546d --- /dev/null +++ b/.gitignore @@ -0,0 +1,587 @@ +*~ +*.a +*.dll +*.dylib +*.exe +*.exp +*.lib +*.map +*.o +*.obj +*.pc +*.pyc +*.so +binutils.versions +darwin.exports +hpux.exports +lib*.so.* +Makefile +OBJS.* +obj/ +skiptests +testdir/ +testlog +testtrace + +# Ignore the build directory +/build/ + +# The autom4te cache directory +autom4te.cache/ + +# Generated by Dolphin for individual settings for directories +.directory + +# Generated by Kate-Part +*.kate-swp +*.new + +# KDevelop files +.kdev4/ +*.kdev4 + +# Files generated by merges +*.orig + +# macOS files +.DS_Store +.AppleDouble +.LSOverride + +# macOS Resource Forks +._* + +# macOS Files that might appear in the root of a volume +.DocumentRevisions-V100 +.fseventsd +.Spotlight-V100 +.TemporaryItems +.Trashes +.VolumeIcon.icns + +# macOS Directories potentially created on remote AFP share +.AppleDB +.AppleDesktop +Network Trash Folder +Temporary Items +.apdisk + +# Windows image file caches +Thumbs.db +ehthumbs.db + +# Folder config file +Desktop.ini + +# Recycle Bin used on file shares +$RECYCLE.BIN/ + +# Windows Installer files +*.cab +*.msi +*.msm +*.msp + +# Windows shortcuts +*.lnk + +# Visual Studio +.vscode + +# TortoiseGit Project-level settings +/.tgitconfig + +# Eclipse generated files + +*.pydevproject +.autotools +.metadata +.gradle +bin/ +tmp/ +*.tmp +*.bak +*.swp +*~.nib +local.properties +.settings/ +.loadpath + +# Eclipse Core +.project + +# Eclipse External tool builders +.externalToolBuilders/ + +# Eclipse Locally stored "Eclipse launch configurations" +*.launch + +# Eclipse CDT-specific +.cproject + +# Eclipse PDT-specific +.buildpath + +# Eclipse sbteclipse plugin +.target + +# Eclipse TeXlipse plugin +.texlipse + +# Eclipse STS (Spring Tool Suite) +.springBeans + +/doc/version.py + +/doc/html/ +/doc/pdf/ + +# Emacs tags table +/src/TAGS + +/src/config.log +/src/config.status +/src/configure +/src/pyrunenv.vals +/src/runenv.py + +/src/appl/gss-sample/gss-client +/src/appl/gss-sample/gss-server + +/src/appl/sample/sclient/sclient + +/src/appl/sample/sserver/sserver + +/src/appl/simple/client/sim_client + +/src/appl/simple/server/sim_server + +/src/appl/user_user/uuclient +/src/appl/user_user/uuserver + +/src/build-tools/krb5-config + +/src/ccapi/lib/ccapi_err.c +/src/ccapi/lib/ccapi_err.h +/src/ccapi/lib/win/srctmp/ + +/src/ccapi/server/win/srctmp/ + +/src/ccapi/test/ccapi_ccache.c +/src/ccapi/test/ccapi_ccache_iterator.c +/src/ccapi/test/ccapi_context.c +/src/ccapi/test/ccapi_context_change_time.c +/src/ccapi/test/ccapi_credentials.c +/src/ccapi/test/ccapi_credentials_iterator.c +/src/ccapi/test/ccapi_err.c +/src/ccapi/test/ccapi_intermediates/ +/src/ccapi/test/ccapi_ipc.c +/src/ccapi/test/ccapi_string.c +/src/ccapi/test/ccapi_test/ +/src/ccapi/test/ccapi_v2.c +/src/ccapi/test/cci_cred_union.c +/src/ccapi/test/cci_debugging.h +/src/ccapi/test/cci_identifier.c +/src/ccapi/test/cci_message.c +/src/ccapi/test/cci_os_identifier.c +/src/ccapi/test/cci_types.h +/src/ccapi/test/ccs_reply.h +/src/ccapi/test/ccs_request.h +/src/ccapi/test/ccs_request_c.c +/src/ccapi/test/pingtest2.pdb +/src/ccapi/test/pingtest2.exe.manifest +/src/ccapi/test/testall1.exe +/src/ccapi/test/testall1.map +/src/ccapi/test/win-utils.h + +/src/clients/kdestroy/kdestroy + +/src/clients/kinit/kinit + +/src/clients/klist/klist + +/src/clients/kpasswd/kpasswd + +/src/clients/ksu/ksu + +/src/clients/kswitch/kswitch + +/src/clients/kvno/kvno + +/src/doc/Doxyfile +/src/doc/doxy/ +/src/doc/paths.py +/src/doc/rst_apiref/ +/src/doc/rst_composite/ +/src/doc/html_subst/ + +/src/include/autoconf.h +/src/include/autoconf.h.in +/src/include/autoconf.stamp +/src/include/autoconf.stmp +/src/include/com_err.h +/src/include/db-config.h +/src/include/db.h +/src/include/gssapi/ +/src/include/kadm5/ +/src/include/kdc_j_encode.h +/src/include/krb5.stamp +/src/include/osconf.h +/src/include/private-and-public-decls +/src/include/profile.h +/src/include/ss/ +/src/include/verto-k5ev.h +/src/include/verto.h +/src/include/*_err.h + +/src/include/gssrpc/types.h + +/src/include/krb5/krb5.h + +/src/kadmin/cli/getdate.c +/src/kadmin/cli/kadmin +/src/kadmin/cli/kadmin.local +/src/kadmin/cli/kadmin_ct.c + +/src/kadmin/dbutil/import_err.c +/src/kadmin/dbutil/import_err.h +/src/kadmin/dbutil/kdb5_util +/src/kadmin/dbutil/t_tdumputil + +/src/kadmin/ktutil/ktutil +/src/kadmin/ktutil/ktutil_ct.c + +/src/kadmin/server/kadmind + +/src/kadmin/testing/admin_* +/src/kadmin/testing/init-* +/src/kadmin/testing/kadmin_* +/src/kadmin/testing/krb5-test-root/ + +/src/kadmin/testing/scripts/compare_dump.pl +/src/kadmin/testing/scripts/env-setup.sh +/src/kadmin/testing/scripts/env-setup.stamp +/src/kadmin/testing/scripts/make-host-keytab.pl +/src/kadmin/testing/scripts/qualname.pl +/src/kadmin/testing/scripts/simple_dump.pl +/src/kadmin/testing/scripts/verify_xrunner_report.pl + +/src/kadmin/testing/util/kadm5_clnt_tcl +/src/kadmin/testing/util/kadm5_srv_tcl + +/src/kdc/kdc5_err.[ch] +/src/kdc/krb5kdc +/src/kdc/rtest +/src/kdc/t_replay + +/src/lib/k5sprt32.def + +/src/lib/crypto/builtin/aes/aes-gen +/src/lib/crypto/builtin/aes/kresults.out + +/src/lib/crypto/builtin/camellia/camellia-gen +/src/lib/crypto/builtin/camellia/kresults.out + +/src/lib/crypto/builtin/des/destest +/src/lib/crypto/builtin/des/verify + +/src/lib/crypto/builtin/sha1/t_shs +/src/lib/crypto/builtin/sha1/t_shs3 + +/src/lib/crypto/crypto_tests/aes-test +/src/lib/crypto/crypto_tests/camellia-test +/src/lib/crypto/crypto_tests/camellia-vt.txt +/src/lib/crypto/crypto_tests/t_cf2 +/src/lib/crypto/crypto_tests/t_cf2.output +/src/lib/crypto/crypto_tests/t_cksum4 +/src/lib/crypto/crypto_tests/t_cksum5 +/src/lib/crypto/crypto_tests/t_cksums +/src/lib/crypto/crypto_tests/t_cmac +/src/lib/crypto/crypto_tests/t_combine +/src/lib/crypto/crypto_tests/t_crc +/src/lib/crypto/crypto_tests/t_cts +/src/lib/crypto/crypto_tests/t_decrypt +/src/lib/crypto/crypto_tests/t_derive +/src/lib/crypto/crypto_tests/t_encrypt +/src/lib/crypto/crypto_tests/t_fork +/src/lib/crypto/crypto_tests/t_hmac +/src/lib/crypto/crypto_tests/t_mddriver +/src/lib/crypto/crypto_tests/t_mddriver4 +/src/lib/crypto/crypto_tests/t_nfold +/src/lib/crypto/crypto_tests/t_prf +/src/lib/crypto/crypto_tests/t_prf.output +/src/lib/crypto/crypto_tests/t_prng +/src/lib/crypto/crypto_tests/t_prng.output +/src/lib/crypto/crypto_tests/t_sha2 +/src/lib/crypto/crypto_tests/t_short +/src/lib/crypto/crypto_tests/t_str2key +/src/lib/crypto/crypto_tests/vk.txt +/src/lib/crypto/crypto_tests/vt.txt + +/src/lib/crypto/krb/t_fortuna +/src/lib/crypto/krb/t_fortuna.output + +/src/lib/gssapi/merged-gssapi-header.h + +/src/lib/gssapi/generic/errmap.h +/src/lib/gssapi/generic/gssapi.h +/src/lib/gssapi/generic/gssapi_err_generic.[ch] +/src/lib/gssapi/generic/t_seqstate + +/src/lib/gssapi/krb5/error_map.h +/src/lib/gssapi/krb5/gssapi_err_krb5.[ch] + +/src/lib/kadm5/chpass_util_strings.[ch] +/src/lib/kadm5/kadm_err.[ch] + +/src/lib/kadm5/unit-test/*.log +/src/lib/kadm5/unit-test/*.sum +/src/lib/kadm5/unit-test/*-test + +/src/lib/kdb/adb_err.[ch] + +/src/lib/kdb/t_sort_key_data +/src/lib/kdb/t_stringattr +/src/lib/kdb/t_ulog +/src/lib/kdb/test.ulog + +/src/lib/krad/t_attr +/src/lib/krad/t_attrset +/src/lib/krad/t_client +/src/lib/krad/t_code +/src/lib/krad/t_packet +/src/lib/krad/t_remote + +/src/lib/krb5/ccache/kcmrpc.c +/src/lib/krb5/ccache/kcmrpc.h +/src/lib/krb5/ccache/t_cc +/src/lib/krb5/ccache/t_cccol +/src/lib/krb5/ccache/t_cccursor +/src/lib/krb5/ccache/t_marshal +/src/lib/krb5/ccache/testcache + +/src/lib/krb5/error_tables/*_err.[ch] + +/src/lib/krb5/keytab/t_keytab + +/src/lib/krb5/krb/t_authdata +/src/lib/krb5/krb/t_cc_config +/src/lib/krb5/krb/t_copy_context +/src/lib/krb5/krb/t_deltat +/src/lib/krb5/krb/t_etypes +/src/lib/krb5/krb/t_expand +/src/lib/krb5/krb/t_expire_warn +/src/lib/krb5/krb/t_get_etype_info +/src/lib/krb5/krb/t_in_ccache +/src/lib/krb5/krb/t_kerb +/src/lib/krb5/krb/t_pac +/src/lib/krb5/krb/t_parse_host_string +/src/lib/krb5/krb/t_princ +/src/lib/krb5/krb/t_ser +/src/lib/krb5/krb/t_vfy_increds +/src/lib/krb5/krb/t_walk_rtree +/src/lib/krb5/krb/t_response_items +/src/lib/krb5/krb/t_sname_match +/src/lib/krb5/krb/t_valid_times + +/src/lib/krb5/os/t_expand_path +/src/lib/krb5/os/t_locate_kdc +/src/lib/krb5/os/t_std_conf +/src/lib/krb5/os/t_trace + +/src/lib/krb5/unicode/.links +/src/lib/krb5/unicode/ucdata.[ch] +/src/lib/krb5/unicode/ucgendat.c +/src/lib/krb5/unicode/uctable.h +/src/lib/krb5/unicode/ure.[ch] +/src/lib/krb5/unicode/urestubs.c + +/src/lib/rpc/types.stamp + +/src/lib/rpc/unit-test/*.log +/src/lib/rpc/unit-test/*.sum +/src/lib/rpc/unit-test/client +/src/lib/rpc/unit-test/dbg.log +/src/lib/rpc/unit-test/server + +/src/man/*.sub + +/src/plugins/kdb/db2/libdb2/test/__dbtest +/src/plugins/kdb/db2/libdb2/test/dbtest + +/src/plugins/kdb/ldap/ldap_util/getdate.c +/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util + +/src/plugins/preauth/pkinit/pkinit_kdf_test + +/src/po/*.mo + +/src/kprop/kprop +/src/kprop/kpropd +/src/kprop/kproplog + +/src/tests/adata +/src/tests/au.log +/src/tests/etinfo +/src/tests/forward +/src/tests/gcred +/src/tests/hist +/src/tests/hooks +/src/tests/hrealm +/src/tests/icinterleave +/src/tests/icred +/src/tests/kdbtest +/src/tests/kdc.conf +/src/tests/krb5.conf +/src/tests/localauth +/src/tests/plugorder +/src/tests/rdreq +/src/tests/responder +/src/tests/s2p +/src/tests/s4u2proxy +/src/tests/unlockiter + +/src/tests/asn.1/expected_encode.out +/src/tests/asn.1/expected_trval.out +/src/tests/asn.1/krb5_decode_leak +/src/tests/asn.1/krb5_decode_test +/src/tests/asn.1/krb5_encode_test +/src/tests/asn.1/t_trval +/src/tests/asn.1/test.out +/src/tests/asn.1/trval.out + +/src/tests/create/kdb5_mkdums + +/src/tests/dejagnu/dbg.log +/src/tests/dejagnu/krb.log +/src/tests/dejagnu/krb.sum +/src/tests/dejagnu/runenv.vals +/src/tests/dejagnu/site.exp +/src/tests/dejagnu/t_inetd +/src/tests/dejagnu/tmpdir/ + +/src/tests/gss-threads/gss-client +/src/tests/gss-threads/gss-server + +/src/tests/gssapi/ccinit +/src/tests/gssapi/ccrefresh +/src/tests/gssapi/t_accname +/src/tests/gssapi/t_add_cred +/src/tests/gssapi/t_ccselect +/src/tests/gssapi/t_ciflags +/src/tests/gssapi/t_credstore +/src/tests/gssapi/t_enctypes +/src/tests/gssapi/t_err +/src/tests/gssapi/t_export_cred +/src/tests/gssapi/t_export_name +/src/tests/gssapi/t_gssexts +/src/tests/gssapi/t_imp_cred +/src/tests/gssapi/t_imp_name +/src/tests/gssapi/t_invalid +/src/tests/gssapi/t_inq_cred +/src/tests/gssapi/t_inq_mechs_name +/src/tests/gssapi/t_iov +/src/tests/gssapi/t_lifetime +/src/tests/gssapi/t_namingexts +/src/tests/gssapi/t_oid +/src/tests/gssapi/t_pcontok +/src/tests/gssapi/t_prf +/src/tests/gssapi/t_s4u +/src/tests/gssapi/t_s4u2proxy_krb5 +/src/tests/gssapi/t_saslname +/src/tests/gssapi/t_spnego +/src/tests/gssapi/t_srcattrs +/src/tests/gssapi/t_inq_ctx + +/src/tests/hammer/kdc5_hammer + +/src/tests/misc/test_chpw_message +/src/tests/misc/test_cxx_gss +/src/tests/misc/test_cxx_k5int +/src/tests/misc/test_cxx_kadm5 +/src/tests/misc/test_cxx_krb5 +/src/tests/misc/test_cxx_rpc +/src/tests/misc/test_getpw + +/src/tests/ldap +/src/tests/mkeystash_compat/bigendian +/src/tests/mkeystash_compat/kdc.conf +/src/tests/mkeystash_compat/krb5.conf + +/src/tests/resolve/addrinfo-test +/src/tests/resolve/fake-addrinfo-test +/src/tests/resolve/resolve + +/src/tests/verify/kdb5_verify + +/src/util/et/compile_et +/src/util/et/et?.[ch] +/src/util/et/t_com_err +/src/util/et/test?.[ch] +/src/util/et/test_et + +/src/util/gss-kernel-lib/autoconf.h +/src/util/gss-kernel-lib/com_err.h +/src/util/gss-kernel-lib/gssapi/ +/src/util/gss-kernel-lib/gssapi*.h +/src/util/gss-kernel-lib/k5-*.h +/src/util/gss-kernel-lib/k5seal*.c +/src/util/gss-kernel-lib/k5unseal*.c +/src/util/gss-kernel-lib/krb5.h +/src/util/gss-kernel-lib/krb5/ +/src/util/gss-kernel-lib/osconf.h +/src/util/gss-kernel-lib/port-sockets.h +/src/util/gss-kernel-lib/profile.h +/src/util/gss-kernel-lib/socket-utils.h +/src/util/gss-kernel-lib/t_kgss_kernel +/src/util/gss-kernel-lib/t_kgss_user +/src/util/gss-kernel-lib/util_*.c + +/src/util/k5ev/rename.h + +/src/util/profile/*.bak +/src/util/profile/modtest.conf +/src/util/profile/prof_err.[ch] +/src/util/profile/profile.h +/src/util/profile/profile_tcl +/src/util/profile/test?.ini +/src/util/profile/test_include_dir/ +/src/util/profile/test_load +/src/util/profile/test_parse +/src/util/profile/test_profile +/src/util/profile/test_vtable +/src/util/profile/testinc.ini +/src/util/profile/testinc2.ini + +/src/util/ss/ct_c.awk +/src/util/ss/ct_c.sed +/src/util/ss/mk_cmds +/src/util/ss/ss_err.[ch] +/src/util/ss/std_rqs.c + +/src/util/support/libkrb5support.exports +/src/util/support/t_base64 +/src/util/support/t_hashtab +/src/util/support/t_hex +/src/util/support/t_json +/src/util/support/t_k5buf +/src/util/support/t_path +/src/util/support/t_path_win +/src/util/support/t_unal +/src/util/support/t_utf8 +/src/util/support/t_utf16 + +/src/util/verto/rename.h + +/src/plugins/kdb/db2/libdb2/test/t.be.db +/src/plugins/kdb/db2/libdb2/test/t.le.db + +/src/windows/installer/wix/custom/custom.exp +/src/windows/installer/wix/kfw.wixobj +/src/windows/installer/wix/kfw.wixpdb + +/src/windows/leash/htmlhelp/MITKerberosHelp.chm +/src/windows/leash/kfwribbon.bml +/src/windows/leash/kfwribbon.h +/src/windows/leash/kfwribbon.rc +/src/windows/leash/out2con.sav diff --git a/.travis-ci.sh b/.travis-ci.sh new file mode 100644 index 0000000..4e6e1b6 --- /dev/null +++ b/.travis-ci.sh @@ -0,0 +1,11 @@ +cd src +autoreconf +./configure --enable-maintainer-mode --with-ldap +make $MAKEVARS +make check +make distclean +# Check for files unexpectedly not removed by make distclean. +rm -rf autom4te.cache configure include/autoconf.h.in +if [ -n "$(git ls-files -o)" ]; then + exit 1 +fi diff --git a/.travis.yml b/.travis.yml index d71e37e..f093899 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,16 +1,16 @@ -language: c +language: c++ sudo: required -dist: trusty - -compiler: - - clang - - gcc +matrix: + include: + - compiler: clang + env: MAKEVARS=CPPFLAGS=-Werror + - compiler: gcc before_install: - sudo apt-get update -qq - - sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev libssl-dev python-cjson python-paste python-pyrad slapd tcl-dev tcsh + - sudo apt-get install -y bison dejagnu gettext keyutils ldap-utils libldap2-dev libkeyutils-dev libssl-dev python3-paste slapd tcl-dev tcsh - mkdir -p cmocka/build - cd cmocka - wget https://cmocka.org/files/1.1/cmocka-1.1.1.tar.xz @@ -21,4 +21,4 @@ before_install: - sudo make install - cd ../.. -script: cd src && autoreconf && ./configure --with-ldap && make && make check +script: sh -ex .travis-ci.sh diff --git a/NOTICE b/NOTICE index ff102ff..de8ab70 100644 --- a/NOTICE +++ b/NOTICE @@ -1,4 +1,4 @@ -Copyright (C) 1985-2017 by the Massachusetts Institute of Technology. +Copyright (C) 1985-2019 by the Massachusetts Institute of Technology. All rights reserved. @@ -40,7 +40,7 @@ nationals of those countries. Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. -(http://creativecommons.org/licenses/by-sa/3.0/) +(https://creativecommons.org/licenses/by-sa/3.0/) Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, @@ -137,8 +137,9 @@ Portions of "src/lib/crypto" have the following copyright: The implementation of the AES encryption algorithm in "src/lib/crypto/builtin/aes" has the following copyright: - Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net", Worcester, UK. - All rights reserved. + Copyright (C) 2001, Dr Brian Gladman "brg@gladman.uk.net", + Worcester, UK. + All rights reserved. LICENSE TERMS @@ -148,9 +149,9 @@ The implementation of the AES encryption algorithm in 1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer; - 2. distributions in binary form include the above copyright notice, - this list of conditions and the following disclaimer in the - documentation and/or other associated materials; + 2. distributions in binary form include the above copyright + notice, this list of conditions and the following disclaimer in + the documentation and/or other associated materials; 3. the copyright holder's name is not used to endorse products built using this software without specific written permission. @@ -167,9 +168,9 @@ Portions contributed by Red Hat, including the pre-authentication plug-in framework and the NSS crypto implementation, contain the following copyright: - Copyright (C) 2006 Red Hat, Inc. - Portions copyright (C) 2006 Massachusetts Institute of Technology - All Rights Reserved. + Copyright (C) 2006 Red Hat, Inc. + Portions copyright (C) 2006 Massachusetts Institute of Technology + All Rights Reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions @@ -178,10 +179,10 @@ following copyright: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in - the documentation and/or other materials provided with the - distribution. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. * Neither the name of Red Hat, Inc., nor the names of its contributors may be used to endorse or promote products derived @@ -311,8 +312,8 @@ the following new or changed files: lib/kdb/kdb_log.c lib/kdb/kdb_log.h lib/krb5/error_tables/kdb5_err.et - slave/kpropd_rpc.c - slave/kproplog.c + kprop/kpropd_rpc.c + kprop/kproplog.c are subject to the following license: @@ -344,15 +345,16 @@ Kerberos V5 includes documentation and software developed at the University of California at Berkeley, which includes this copyright notice: - Copyright (C) 1983 Regents of the University of California. - All rights reserved. + Copyright (C) 1983 Regents of the University of California. + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -381,8 +383,8 @@ notice: Portions contributed by Novell, Inc., including the LDAP database backend, are subject to the following license: - Copyright (C) 2004-2005, Novell, Inc. - All rights reserved. + Copyright (C) 2004-2005, Novell, Inc. + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions @@ -391,10 +393,10 @@ backend, are subject to the following license: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in - the documentation and/or other materials provided with the - distribution. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. * The copyright holder's name is not used to endorse or promote products derived from this software without specific prior @@ -420,9 +422,9 @@ University of Michigan's Center for Information Technology Integration, including the PKINIT implementation, are subject to the following license: - COPYRIGHT (C) 2006-2007 - THE REGENTS OF THE UNIVERSITY OF MICHIGAN - ALL RIGHTS RESERVED + COPYRIGHT (C) 2006-2007 + THE REGENTS OF THE UNIVERSITY OF MICHIGAN + ALL RIGHTS RESERVED Permission is granted to use, copy, create derivative works and redistribute this software and such derivative works for any @@ -450,8 +452,8 @@ following license: The pkcs11.h file included in the PKINIT code has the following license: - Copyright 2006 g10 Code GmbH - Copyright 2006 Andreas Jellinghaus + Copyright 2006 g10 Code GmbH + Copyright 2006 Andreas Jellinghaus This file is free software; as a special exception the author gives unlimited permission to copy and/or distribute it, with or without @@ -495,22 +497,23 @@ The implementations of UTF-8 string handling in src/util/support and src/lib/krb5/unicode are subject to the following copyright and permission notice: - The OpenLDAP Public License - Version 2.8, 17 August 2003 + The OpenLDAP Public License + Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions in source form must retain copyright statements - and notices, + 1. Redistributions in source form must retain copyright + statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and - 3. Redistributions must contain a verbatim copy of this document. + 3. Redistributions must contain a verbatim copy of this + document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use @@ -548,25 +551,26 @@ permission notice: Marked test programs in src/lib/krb5/krb have the following copyright: - Copyright (C) 2006 Kungliga Tekniska Högskola - (Royal Institute of Technology, Stockholm, Sweden). - All rights reserved. + Copyright (C) 2006 Kungliga Tekniska Högskola + (Royal Institute of Technology, Stockholm, Sweden). + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - 3. Neither the name of KTH nor the names of its contributors may be - used to endorse or promote products derived from this software - without specific prior written permission. + 3. Neither the name of KTH nor the names of its contributors may + be used to endorse or promote products derived from this + software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, @@ -583,7 +587,7 @@ Marked test programs in src/lib/krb5/krb have the following copyright: ====================================================================== -The KCM Mach RPC definition file used on OS X has the following +The KCM Mach RPC definition file used on macOS has the following copyright: Copyright (C) 2009 Kungliga Tekniska Högskola @@ -635,16 +639,17 @@ src/include/gssrpc have the following copyright and permission notice: modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. - 3. Neither the name of the "Oracle America, Inc." nor the names of - its contributors may be used to endorse or promote products + 3. Neither the name of the "Oracle America, Inc." nor the names + of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. @@ -670,9 +675,9 @@ src/include/gssrpc have the following copyright and permission notice: modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer as - the first lines of this file unmodified. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer as the first lines of this file unmodified. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -731,26 +736,6 @@ src/include/gssrpc have the following copyright and permission notice: ====================================================================== -Portions extracted from Internet RFCs have the following copyright -notice: - - Copyright (C) The Internet Society (2006). - - This document is subject to the rights, licenses and restrictions - contained in BCP 78, and except as set forth therein, the authors - retain all their rights. - - This document and the information contained herein are provided on - an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE - REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND - THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, - EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT - THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR - ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A - PARTICULAR PURPOSE. - -====================================================================== - Copyright (C) 1991, 1992, 1994 by Cygnus Support. Permission to use, copy, modify, and distribute this software and @@ -791,15 +776,16 @@ notice: Portions of the implementation of the Fortuna-like PRNG are subject to the following notice: - Copyright (C) 2005 Marko Kreen - All rights reserved. + Copyright (C) 2005 Marko Kreen + All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -844,8 +830,8 @@ the following notice: ====================================================================== - Copyright (C) 1995 - The President and Fellows of Harvard University + Copyright (C) 1995 + The President and Fellows of Harvard University This code is derived from software contributed to Harvard by Jeremy Rassen. @@ -854,8 +840,9 @@ the following notice: modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -887,9 +874,9 @@ the following notice: ====================================================================== - Copyright (C) 2008 by the Massachusetts Institute of Technology. - Copyright 1995 by Richard P. Basch. All Rights Reserved. - Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. + Copyright (C) 2008 by the Massachusetts Institute of Technology. + Copyright 1995 by Richard P. Basch. All Rights Reserved. + Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It @@ -913,8 +900,8 @@ the following notice: The following notice applies to "src/lib/krb5/krb/strptime.c" and "src/include/k5-queue.h". - Copyright (C) 1997, 1998 The NetBSD Foundation, Inc. - All rights reserved. + Copyright (C) 1997, 1998 The NetBSD Foundation, Inc. + All rights reserved. This code was contributed to The NetBSD Foundation by Klaus Klein. @@ -922,8 +909,9 @@ The following notice applies to "src/lib/krb5/krb/strptime.c" and modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -936,9 +924,10 @@ The following notice applies to "src/lib/krb5/krb/strptime.c" and This product includes software developed by the NetBSD Foundation, Inc. and its contributors. - 4. Neither the name of The NetBSD Foundation nor the names of its - contributors may be used to endorse or promote products derived - from this software without specific prior written permission. + 4. Neither the name of The NetBSD Foundation nor the names of + its contributors may be used to endorse or promote products + derived from this software without specific prior written + permission. THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, @@ -959,8 +948,8 @@ The following notice applies to "src/lib/krb5/krb/strptime.c" and The following notice applies to Unicode library files in "src/lib/krb5/unicode": - Copyright 1997, 1998, 1999 Computing Research Labs, - New Mexico State University + Copyright 1997, 1998, 1999 Computing Research Labs, + New Mexico State University Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation @@ -1048,8 +1037,9 @@ The following notice applies to portiions of "src/lib/rpc" and modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -1143,9 +1133,10 @@ The following notice applies to Portions of "src/lib/krb5" are subject to the following notice: - Copyright (C) 1994 CyberSAFE Corporation. - Copyright 1990,1991,2007,2008 by the Massachusetts Institute of Technology. - All Rights Reserved. + Copyright (C) 1994 CyberSAFE Corporation. + Copyright 1990,1991,2007,2008 by the Massachusetts + Institute of Technology. + All Rights Reserved. Export of this software from the United States of America may require a specific license from the United States Government. It @@ -1178,8 +1169,9 @@ license: modification, are permitted provided that the following conditions are met: - 1. Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + 1. Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -1217,10 +1209,10 @@ The bundled libev source code is subject to the following license: * Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright - notice, this list of conditions and the following disclaimer in - the documentation and/or other materials provided with the - distribution. + * Redistributions in binary form must reproduce the above + copyright notice, this list of conditions and the following + disclaimer in the documentation and/or other materials provided + with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT @@ -1252,15 +1244,15 @@ The bundled libev source code is subject to the following license: Files copied from the Intel AESNI Sample Library are subject to the following license: - Copyright (C) 2010, Intel Corporation - All rights reserved. + Copyright (C) 2010, Intel Corporation All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: - * Redistributions of source code must retain the above copyright - notice, this list of conditions and the following disclaimer. + * Redistributions of source code must retain the above + copyright notice, this list of conditions and the following + disclaimer. * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following @@ -1316,3 +1308,54 @@ The following notice applies to STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +====================================================================== + +The following notice applies to portions of +"src/plugins/preauth/spake/edwards25519.c" and +"src/plugins/preauth/spake/edwards25519_tables.h": + +The MIT License (MIT) + +Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS +file). + +Permission is hereby granted, free of charge, to any person obtaining +a copy of this software and associated documentation files (the +"Software"), to deal in the Software without restriction, including +without limitation the rights to use, copy, modify, merge, publish, +distribute, sublicense, and/or sell copies of the Software, and to +permit persons to whom the Software is furnished to do so, subject to +the following conditions: + +The above copyright notice and this permission notice shall be +included in all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, +EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. +IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY +CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, +TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE +SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + +====================================================================== + +The following notice applies to portions of +"src/plugins/preauth/spake/edwards25519.c": + +Copyright (c) 2015-2016, Google Inc. + +Permission to use, copy, modify, and/or distribute this software for +any purpose with or without fee is hereby granted, provided that the +above copyright notice and this permission notice appear in all +copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL +WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED +WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE +AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL +DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR +PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER +TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +PERFORMANCE OF THIS SOFTWARE. diff --git a/README b/README index 02b83bb..fd1eed6 100644 --- a/README +++ b/README @@ -1,4 +1,4 @@ - Kerberos Version 5, Release 1.15 + Kerberos Version 5, Release 1.17 Release Notes The MIT Kerberos Team @@ -6,7 +6,7 @@ Copyright and Other Notices --------------------------- -Copyright (C) 1985-2017 by the Massachusetts Institute of Technology +Copyright (C) 1985-2019 by the Massachusetts Institute of Technology and its contributors. All rights reserved. Please see the file named NOTICE for additional notices. @@ -73,238 +73,185 @@ from using single-DES cryptosystems. Among these is a configuration variable that enables "weak" enctypes, which defaults to "false" beginning with krb5-1.8. -Major changes in 1.15.2 (2017-09-25) ------------------------------------- - -This is a bug fix release. - -* Fix a KDC denial of service vulnerability caused by unset status - strings [CVE-2017-11368] - -* Preserve GSS contexts on init/accept failure [CVE-2017-11462] - -* Fix kadm5 setkey operation with LDAP KDB module - -* Use a ten-second timeout after successful connection for HTTPS KDC - requests, as we do for TCP requests - -* Fix client null dereference when KDC offers encrypted challenge - without FAST - -* Ignore dotfiles when processing profile includedir directive - -* Improve documentation - -krb5-1.15.2 changes by ticket ID --------------------------------- - -8557 Allow null outputs to gss_get_name_attribute() -8559 Fix leaks in gss_inquire_cred_by_oid() -8560 Force autoconf rebuild in maintainer rules -8563 Ignore dotfiles in profile includedir -8565 Fix krb5int_open_plugin_dirs() error handling -8567 Bug in mslsa ccahe -8573 Check for FAST in encrypted challenge client -8576 Make RC4 string-to-key more robust -8580 kinit fails for OTP users when using KdcProxy with both IPv4&6 DNS -8581 Allow clock skew in krb5 gss_context_time() -8584 Free GSS checksum data deterministically -8585 Add aes-sha2 enctypes to aes family documentation -8588 Fix kadm5.acl error reporting -8589 setkey kadm5 operation does not work with LDAP KDB -8593 Add aes-sha2 to default enctypes in docs -8594 Clarify "all privileges" in kadm5.acl docs -8598 Preserve GSS context on init/accept failure -8599 Prevent KDC unset status assertion failures -8600 Prevent null dereference with keyboard master key - - -Major changes in 1.15.1 (2017-03-01) ------------------------------------- - -This is a bug fix release. - -* Allow KDB modules to determine how the e_data field of principal - fields is freed - -* Fix udp_preference_limit when the KDC location is configured with - SRV records +Major changes in 1.17 (2019-01-08) +---------------------------------- -* Fix KDC and kadmind startup on some IPv4-only systems +Administrator experience: -* Fix the processing of PKINIT certificate matching rules which have - two components and no explicit relation +* A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module should + be more performant and more robust than the DB2 module, and may + become the default module for new databases in a future release. -* Improve documentation +* "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. -krb5-1.15.1 changes by ticket ID --------------------------------- +Developer experience: -7940 PKINIT docs only work for one-component client principals -8523 Add krbPwdPolicy attributes to kerberos.ldif -8524 Add caveats to krbtgt change documentation -8525 Fix error handling in PKINIT decode_data() -8530 KDC/kadmind explicit wildcard listener addresses do not use pktinfo -8531 KDC/kadmind may fail to start on IPv4-only systems -8532 Fix GSSAPI authind attribute name in docs -8538 Need a way to free KDB module e_data -8540 Document default realm and login authorization -8552 Add GSSAPI S4U documentation -8553 Fix PKINIT two-component matching rule parsing -8554 udp_preference_limit fails with SRV records +* The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. +* The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. -Major changes in 1.15 (2016-12-01) ----------------------------------- +* KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. -Administrator experience: +* Programs which use large numbers of memory credential caches should + perform better. -* Improve support for multihomed Kerberos servers by adding options - for specifying restricted listening addresses for the KDC and - kadmind. +Protocol evolution: -* Add support to kadmin for remote extraction of current keys without - changing them (requires a special kadmin permission that is excluded - from the wildcard permission), with the exception of highly - protected keys. +* The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. SPAKE + is enabled by default on clients, but must be manually enabled on + the KDC for this release. -* Add a lockdown_keys principal attribute to prevent retrieval of the - principal's keys (old or new) via the kadmin protocol. In newly - created databases, this attribute is set on the krbtgt and kadmin - principals. +* PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access to + a smart card to generate authentication requests for the future. -* Restore recursive dump capability for DB2 back end, so sites can - more easily recover from database corruption resulting from power - failure events. +* Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. -* Add DNS auto-discovery of KDC and kpasswd servers from URI records, - in addition to SRV records. URI records can convey TCP and UDP - servers and master KDC status in a single DNS lookup, and can also - point to HTTPS proxy servers. +* The KDC now supports cross-realm S4U2Self requests when used with a + third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. -* Add support for password history to the LDAP back end. +User experience: -* Add support for principal renaming to the LDAP back end. +* The new ktutil addent -f flag can be used to fetch salt information + from the KDC for password-based keys. -* Use the getrandom system call on supported Linux kernels to avoid - blocking problems when getting entropy from the operating system. +* The new kdestroy -p option can be used to destroy a credential cache + within a collection by client principal name. -* In the PKINIT client, use the correct DigestInfo encoding for PKCS - #1 signatures, so that some especially strict smart cards will work. +* The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. Code quality: -* Clean up numerous compilation warnings. - -* Remove various infrequently built modules, including some preauth - modules that were not built by default. +* Python test scripts now use Python 3. -Developer experience: - -* Add support for building with OpenSSL 1.1. +* Python test scripts now display markers in verbose output, making it + easier to find where a failure occurred within the scripts. -* Use SHA-256 instead of MD5 for (non-cryptographic) hashing of - authenticators in the replay cache. This helps sites that must - build with FIPS 140 conformant libraries that lack MD5. +* The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. -* Eliminate util/reconf and allow the use of autoreconf alone to - regenerate the configure script. - -Protocol evolution: - -* Add support for the AES-SHA2 enctypes, which allows sites to conform - to Suite B crypto requirements. - -krb5-1.15 changes by ticket ID +krb5-1.17 changes by ticket ID ------------------------------ -1093 KDC could use feature to limit listening interfaces -5889 password history doesn't work with LDAP KDB -6666 some non-default plugin directories don't build in 1.8 branch -7852 kadmin.local's ktadd -norandkey does not handle multiple kvnos - in the KDB -7985 Add krb5_get_init_creds_opt_set_pac_request -8065 Renaming principals with LDAP KDB deletes the principal -8277 iprop can choose wrong realm -8278 Add krb5_expand_hostname() API -8280 Fix impersonate_name to work with interposers -8295 kdb5_ldap_stash_service_password() stash file logic needs tweaking -8297 jsonwalker.py test fails -8298 Audit Test fails when system has IPV6 address -8299 Remove util/reconf -8329 Only run export-check.pl in maintainer mode -8344 Create KDC and kadmind log files with mode 0640 -8345 Remove nss libk5crypto implementation -8348 Remove workaround when binding to udp addresses and pktinfo - isn't supported by the system -8353 Replace MD5 use in rcache with SHA-256 -8354 Only store latest keys in key history entry -8355 Add kadm5_setkey_principal_4 RPC to kadmin -8364 Add get_principal_keys RPC to kadmin -8365 Add the ability to lock down principal keys -8366 Increase initial DNS buffer size -8368 Remove hdb KDB module -8371 Improve libkadm5 client RPC thread safety -8372 Use cached S4U2Proxy tickets in GSSAPI -8374 Interoperate with incomplete SPNEGO responses -8375 Allow zero cksumtype in krb5_k_verify_checksum() -8379 Add auth indicator handling to libkdb_ldap -8381 Don't fall back to master on password read error -8386 Add KDC pre-send and post-receive KDC hooks -8388 Remove port 750 from the KDC default ports -8389 Make profile includedir accept all *.conf files -8391 Add kinit long option support for all platforms -8393 Password Expiration "Never" Inconsistently Applied -8394 Add debug message filtering to krb5_klog_syslog -8396 Skip password prompt when running ksu as root -8398 Add libk5crypto support for OpenSSL 1.1.0 -8399 Unconstify some krb5 GSS OIDs -8403 kinit documentation page -8404 Remove non-DFSG documentation -8405 Work around python-ldap bug in kerberos.ldif -8412 Link correct VS2015 C libraries for debug builds -8414 Use library malloc for principal, policy entries -8418 Add libkdb function to specialize principal's salt -8419 Do not indicate deprecated GSS mechanisms -8423 Add SPNEGO special case for NTLMSSP+MechListMIC -8425 Add auth-indicator authdata module -8426 test_check_allowed_to_delegate() should free unparsed princ output -8428 Minimize timing leaks in PKINIT decryption -8429 Fix Makefile for paths containing '+' character -8434 Fix memory leak in old gssrpc authentication -8436 Update libev sources to 4.22 -8446 Fix leak in key change operations -8451 Add hints for -A flag to kdestroy -8456 Add the kprop-port option to kadmind -8462 Better handle failures to resolve client keytab -8464 Set prompt type for OTP preauth prompt -8465 Improve bad password inference in kinit -8466 Rename k5-queue.h macros -8471 Change KDC error for encrypted timestamp preauth -8476 Restore recursive dump functionality -8478 usability improvements for bttest -8488 Stop generating doc/CHANGES -8490 Add aes-sha2 enctype support -8494 Add krb5_db_register_keytab() -8496 Add KDC discovery from URI records -8498 Potential memory leak in prepare_error_as() -8499 Use getrandom system call on recent Linux kernels -8500 Document krb5_kt_next_entry() requirement -8502 ret_boolean in profile_get_boolean() should be krb5_boolean * - instead of int * -8504 Properly handle EOF condition on libkrad sockets -8506 PKINIT fails with PKCS#11 middlware that implements PKCS#1 V2.1 -8507 Suggest unlocked iteration for mkey rollover -8508 Clarify krb5_kt_resolve() API documentation -8509 Leak in krb5_cccol_have_content with truncated ccache -8510 Update features list for 1.15 -8512 Fix detection of libaceclnt for securid_sam2 -8513 Add doxygen comments for RFC 8009, RFC 4757 -8514 Make zap() more reliable -8516 Fix declaration without type in t_shs3.c -8520 Relicense ccapi/common/win/OldCC/autolock.hxx -8521 Allow slapd path configuration in t_kdb.py - +7905 Password changes can result in replay error +8202 memory ccache cursors are invalidated by initialize +8270 No logging when a non-root ksu with command fails authorization +8587 ktutil addent should be able to fetch etype-info2 for principal +8629 etype-info not included in hint list for REQUIRES_HW_AUTH principals +8630 Logging from KDC/kadmind plugin modules +8634 Trace log on k5tls load failure +8635 Fix a few German translation prepositions +8636 PKINIT certid option cannot handle leading zero +8641 Make public headers work with gcc -Wundef +8642 etype-info conflated for initial, final reply key enctype +8647 Add SPAKE preauth support +8648 Implement PKINIT freshness tokens +8650 Exit with status 0 from kadmind +8651 profile library may try to reread from special device files +8652 Report extended errors in kinit -k -t KDB: +8653 Include preauth name in trace output if possible +8654 Prevent fallback from SPAKE to encrypted timestamp +8655 Need per-realm client configuration to deny encrypted timestamp +8657 SPAKE support for Windows build +8659 SPAKE client asks for password before checking second-factor support +8661 ksu segfaults when argc == 0 +8662 Windows README does not document MFC requirement +8663 TLS is not free on library unload +8664 Avoid simultaneous KDB/ulog locks in ulog_replay +8665 Display more extended errors in kdb5_util +8673 Improve error for kadmind -proponly without iprop +8674 Add LMDB KDB module +8677 Escape curly braces in def-check.pl regexes +8678 Don't specify MFC library in Leash build +8679 Fix Leash build error with recent Visual Studio +8680 Update kfw installer for VS2017, WiX 3.11.1 +8682 Stop building CNS for Windows +8684 Fix option parsing on Windows +8685 Make plugin auto-registration work on Windows +8686 Process profile includedir in sorted order +8687 Repeated lookups of local computer name on Windows +8689 t_path.c build failure with NDEBUG +8690 Fix Windows strerror_r() implementation +8691 Use pkg.m4 macros +8692 Make docs build python3-compatible +8693 Resource leak in domain_fallback_realm() +8694 Add documentation on dictionary attacks +8695 Resource leak in krb5_524_conv_principal() +8696 Resource leak in krb5_425_conv_principal() +8697 Resource leak in krb5_gss_inquire_cred() +8698 Resource leak in aname_replacer() +8699 Resource leak in k5_os_hostaddr() +8700 Resource leak in krb5int_get_fq_local_hostname() +8702 Resource leak in kdb5_purge_mkeys() +8703 Resource leak in RPC UDP cache code +8704 Resource leak in read_secret_file() +8707 Resource leak in ulog_map() +8708 Incorrect error handling in OTP plugin +8709 Explicitly look for python2 in configure.in +8710 Convert Python tests to Python 3 +8711 Use SHA-256 instead of MD5 for audit ticket IDs +8713 Zap copy of secret in RC4 string-to-key +8715 Make krb5kdc -p affect TCP ports +8716 Remove outdated note in krb5kdc man page +8718 krb5_get_credentials incorrectly matches user to user ticket +8719 Extend gss-sample timeout from 10s to 300s +8720 Don't include all MEMORY ccaches in collection +8721 Don't tag S4U2Proxy result creds as user-to-user +8722 Use a hash table for MEMORY ccache resolution +8723 Use PTHREAD_CFLAGS when testing for getpwnam_r() +8724 Add kdestroy -p option +8725 Update many documentation links to https +8726 Null deref on some invalid PKINIT identities +8727 Check strdup return in kadm5_get_config_params() +8728 doc: kswitch manual "see also" subsection typo +8729 Memory leak in gss_add_cred() creation case +8730 Add kvno option for user-to-user +8731 Document that DESTDIR must be an absolute path +8732 Fix name of .pdb file in ccapi/test/Makefile.in +8733 Multiple pkinit_identities semantics are unclear and perhaps not useful +8734 gss_add_cred() aliases memory when creating extended cred +8736 Check mech cred in gss_inquire_cred_by_mech() +8737 gss_add_cred() ignores desired_name if creating a new credential +8738 Use the term "replica KDC" in source and docs +8741 S4U2Self client code fails with no default realm +8742 Use "replica" in iprop settings +8743 Fix incorrect TRACE usages to use {str} +8744 KDC/kadmind may not follow master key change before purge_mkeys +8745 libss without readline can interfere with reading passwords +8746 Fix 64-bit Windows socket write error handling +8747 Allow referrals for cross-realm S4U2Self requests +8748 Add more constraints to S4U2Self processing +8749 Add PAC APIs which can include a client realm +8750 Resource leak in ktutil_add() +8751 Fix up kdb5_util documentation +8752 Don't dump policies if principals are specified +8753 Prevent SIGPIPE from socket writes on UNIX-likes +8754 Correct kpasswd_server description in krb5.conf(5) +8755 Bring back general kerberos man page +8756 Add GSS_KRB5_NT_ENTERPRISE_NAME name type +8757 Start S4U2Self realm lookup at server realm +8759 Resource leak in kadm5_randkey_principal_3() +8760 Retry KCM writes once on remote hangup +8762 Fix spelling of auth_to_local example +8763 Ignore password attributes for S4U2Self requests +8767 Remove incorrect KDC assertion +8768 Fix double-close in ksu get_authorized_princ_names +8769 Fix build issues with Solaris native compiler Acknowledgements ---------------- @@ -395,7 +342,7 @@ Past and present members of the Kerberos Team at MIT: Zhanna Tsitkova Ted Ts'o Marshall Vale - Tom Yu + Taylor Yu The following external contributors have provided code, patches, bug reports, suggestions, and valuable resources: @@ -405,6 +352,7 @@ reports, suggestions, and valuable resources: Russell Allbery Brian Almeida Michael B Allen + Pooja Anil Heinz-Ado Arnolds Derek Atkins Mark Bannister @@ -424,6 +372,7 @@ reports, suggestions, and valuable resources: Michael Calmer Andrea Campi Julien Chaffraix + Puran Chand Ravi Channavajhala Srinivas Cheruku Leonardo Chiquitto @@ -444,7 +393,9 @@ reports, suggestions, and valuable resources: Mark Deneen Günther Deschner John Devitofranceschi + Marc Dionne Roland Dowdeswell + Dorian Ducournau Viktor Dukhovni Jason Edgecombe Mark Eichin @@ -458,17 +409,21 @@ reports, suggestions, and valuable resources: JC Ferguson Remi Ferrand Paul Fertser + Fabiano Fidêncio William Fiveash Jacques Florent Ákos Frohner Sebastian Galiano Marcus Granado + Dylan Gray Scott Grizzard Helmut Grohne Steve Grubb Philip Guenther + Timo Gurr Dominic Hargreaves Robbie Harwood + John Hascall Jakob Haufe Matthieu Hautreux Jochen Hein @@ -482,6 +437,7 @@ reports, suggestions, and valuable resources: Jakub Hrozek Shumon Huque Jeffrey Hutzelman + Sergey Ilinykh Wyllys Ingersoll Holger Isenberg Spencer Jackson @@ -491,22 +447,31 @@ reports, suggestions, and valuable resources: Joel Johnson Alexander Karaivanov Anders Kaseorg + Bar Katz + Zentaro Kavanagh + Mubashir Kazia W. Trevor King Patrik Kis + Martin Kittel + Matthew Krupcale Mikkel Kruse Reinhard Kugler Tomas Kuthan Pierre Labastie + Chris Leick Volker Lendecke Jan iankko Lieskovsky Todd Lipcon Oliver Loch + Chris Long Kevin Longfellow Frank Lonigro Jon Looney Nuno Lopes + Todd Lubin Ryan Lynch Roland Mainz + Sorin Manolache Andrei Maslennikov Michael Mattioli Nathaniel McCallum @@ -529,14 +494,18 @@ reports, suggestions, and valuable resources: Javier Palacios Tom Parker Ezra Peisach + Alejandro Perez Zoran Pericic W. Michael Petullo Mark Phalan + Sharwan Ram Brett Randall Jonathan Reams Jonathan Reed Robert Relyea + Tony Reix Martin Rex + Pat Riehecky Jason Rogers Matt Rogers Nate Rosenblum @@ -545,9 +514,12 @@ reports, suggestions, and valuable resources: Guillaume Rousse Joshua Schaeffer Andreas Schneider + Paul Seyfert Tom Shaw Jim Shi Peter Shoults + Richard Silverman + Cel Skeggs Simo Sorce Michael Spang Michael Ströder @@ -562,6 +534,7 @@ reports, suggestions, and valuable resources: John Washington Stef Walter Xi Wang + Nehal J Wani Kevin Wasserman Margaret Wasserman Marcus Watts @@ -576,6 +549,7 @@ reports, suggestions, and valuable resources: Neng Xue Zhaomo Yang Nickolai Zeldovich + Bean Zhang Hanz van Zijst Gertjan Zwartjes diff --git a/appveyor.yml b/appveyor.yml index be4f6f3..e54c7c4 100644 --- a/appveyor.yml +++ b/appveyor.yml @@ -1,16 +1,25 @@ +image: Visual Studio 2017 + build_script: - - call "C:\Program Files\Microsoft SDKs\Windows\v7.1\Bin\SetEnv.cmd" /x86 - mkdir C:\kfw - set KRB_INSTALL_DIR=C:\kfw - - set CPU=i386 - - set NO_LEASH=1 - - set - cd %APPVEYOR_BUILD_FOLDER%\src + - set PATH=%PATH%;%wix%bin + - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvars32.bat" + - set - nmake -f Makefile.in prep-windows - nmake - nmake install - - set CPU=AMD64 - - setenv /x64 + - cd windows\installer\wix + - nmake + - rename kfw.msi kfw32.msi + - cd ..\..\.. + - call "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Auxiliary\Build\vcvars64.bat" + - set - nmake clean - nmake - nmake install + - cd windows\installer\wix + - nmake clean + - nmake + - rename kfw.msi kfw64.msi diff --git a/doc/about.rst b/doc/about.rst index 904f612..dfdc31f 100644 --- a/doc/about.rst +++ b/doc/about.rst @@ -6,7 +6,7 @@ towards improving the MIT KC documentation content. If you are an experienced Kerberos developer and/or administrator, please consider sharing your knowledge and experience with the Kerberos Community. You can suggest your own topic or write about any of the topics listed -`here `__. +`here `__. If you have any questions, comments, or suggestions on the existing documents, please send your feedback via email to krb5-bugs@mit.edu. The HTML version of @@ -22,7 +22,7 @@ unified in a central form. Man pages, HTML documentation, and PDF documents are compiled from reStructuredText sources, and the application developer documentation incorporates Doxygen markup from the source tree. This project was undertaken along the outline described -`here `__. +`here `__. Previous versions of Kerberos 5 attempted to maintain separate documentation in the texinfo format, with separate groff manual pages. Having the API diff --git a/doc/admin/admin_commands/k5srvutil.rst b/doc/admin/admin_commands/k5srvutil.rst index b873d90..79502cf 100644 --- a/doc/admin/admin_commands/k5srvutil.rst +++ b/doc/admin/admin_commands/k5srvutil.rst @@ -56,7 +56,14 @@ k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in place. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)`, :ref:`ktutil(1)` +:ref:`kadmin(1)`, :ref:`ktutil(1)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kadmin_local.rst b/doc/admin/admin_commands/kadmin_local.rst index 50c3b99..150da1f 100644 --- a/doc/admin/admin_commands/kadmin_local.rst +++ b/doc/admin/admin_commands/kadmin_local.rst @@ -297,8 +297,9 @@ Options: {-\|+}\ **allow_dup_skey** **-allow_dup_skey** disables user-to-user authentication for this - principal by prohibiting this principal from obtaining a session - key for another user. **+allow_dup_skey** clears this flag. + principal by prohibiting others from obtaining a service ticket + encrypted in this principal's TGT session key. + **+allow_dup_skey** clears this flag. {-\|+}\ **requires_preauth** **+requires_preauth** requires this principal to preauthenticate @@ -325,7 +326,9 @@ Options: {-\|+}\ **allow_svr** **-allow_svr** prohibits the issuance of service tickets for this - principal. **+allow_svr** clears this flag. + principal. In release 1.17 and later, user-to-user service + tickets are still allowed unless the **-allow_dup_skey** flag is + also set. **+allow_svr** clears this flag. {-\|+}\ **allow_tgs_req** **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) @@ -661,6 +664,13 @@ KDC: *principal*. The *value* is a JSON string representing an array of objects, each having optional ``type`` and ``username`` fields. +**pkinit_cert_match** + Specifies a matching expression that defines the certificate + attributes required for the client certificate used by the + principal during PKINIT authentication. The matching expression + is in the same format as those used by the **pkinit_cert_match** + option in :ref:`krb5.conf(5)`. (New in release 1.16.) + This command requires the **modify** privilege. Alias: **setstr** @@ -989,7 +999,14 @@ The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kpasswd(1)`, :ref:`kadmind(8)` +:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kadmind.rst b/doc/admin/admin_commands/kadmind.rst index f5b7733..9e73ece 100644 --- a/doc/admin/admin_commands/kadmind.rst +++ b/doc/admin/admin_commands/kadmind.rst @@ -49,14 +49,14 @@ After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the :ref:`kdc.conf(5)` -file with the **iprop_enable** option. Incremental propagation -requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the -master KDC's canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase. +Incremental propagation allows replica KDC servers to receive +principal and policy updates incrementally instead of receiving full +dumps of the database. This facility can be enabled in the +:ref:`kdc.conf(5)` file with the **iprop_enable** option. Incremental +propagation requires the principal ``kiprop/MASTER\@REALM`` (where +MASTER is the master KDC's canonical host name, and REALM the realm +name). In release 1.13, this principal is automatically created and +registered into the datebase. OPTIONS @@ -78,10 +78,10 @@ OPTIONS the server to place itself in the background. **-proponly** - causes the server to only listen and respond to Kerberos slave + causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used - to set up a hierarchical propagation topology where a slave KDC - provides incremental updates to other Kerberos slaves. + to set up a hierarchical propagation topology where a replica KDC + provides incremental updates to other Kerberos replicas. **-port** *port-number* specifies the port on which the administration server listens for @@ -100,12 +100,12 @@ OPTIONS **-K** *kprop_path* specifies the path to the kprop command to use to send full dumps - to slaves in response to full resync requests. + to replicas in response to full resync requests. **-k** *kprop_port* - specifies the port by which the kprop process that is spawned by kadmind - connects to the slave kpropd, in order to transfer the dump file during - an iprop full resync request. + specifies the port by which the kprop process that is spawned by + kadmind connects to the replica kpropd, in order to transfer the + dump file during an iprop full resync request. **-F** *dump_file* specifies the file path to be used for dumping the KDB in response @@ -116,8 +116,15 @@ OPTIONS ` in :ref:`kadmin(1)` for supported arguments. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- :ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, -:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)` +:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kdb5_ldap_util.rst b/doc/admin/admin_commands/kdb5_ldap_util.rst index cbf313f..343df4d 100644 --- a/doc/admin/admin_commands/kdb5_ldap_util.rst +++ b/doc/admin/admin_commands/kdb5_ldap_util.rst @@ -456,7 +456,14 @@ Example:: .. _kdb5_ldap_util_list_policy_end: +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)` +:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kdb5_util.rst b/doc/admin/admin_commands/kdb5_util.rst index 258498f..fee6826 100644 --- a/doc/admin/admin_commands/kdb5_util.rst +++ b/doc/admin/admin_commands/kdb5_util.rst @@ -12,10 +12,12 @@ SYNOPSIS [**-r** *realm*] [**-d** *dbname*] [**-k** *mkeytype*] -[**-M** *mkeyname*] [**-kv** *mkeyVNO*] -[**-sf** *stashfilename*] +[**-M** *mkeyname*] [**-m**] +[**-sf** *stashfilename*] +[**-P** *password*] +[**-x** *db_args*] *command* [*command_options*] .. _kdb5_util_synopsis_end: @@ -79,6 +81,10 @@ COMMAND-LINE OPTIONS expose the password to other users on the system via the process list. +**-x** *db_args* + specifies database-specific options. See :ref:`kadmin(1)` for + supported options. + .. _kdb5_util_options_end: @@ -130,9 +136,10 @@ dump .. _kdb5_util_dump: - **dump** [**-b7**\|\ **-ov**\|\ **-r13**] [**-verbose**] - [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] - [**-recurse**] [*filename* [*principals*...]] + **dump** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] + [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** + *mkey_file*] [**-rev**] [**-recurse**] [*filename* + [*principals*...]] Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "kdb5_util @@ -197,8 +204,8 @@ load .. _kdb5_util_load: - **load** [**-b7**\|\ **-ov**\|\ **-r13**] [**-hash**] - [**-verbose**] [**-update**] *filename* [*dbname*] + **load** [**-b7**\|\ **-ov**\|\ **-r13**\|\ **-r18**] [**-hash**] + [**-verbose**] [**-update**] *filename* Loads a database dump from the named file into the named database. If no option is given to determine the format of the dump file, the @@ -230,10 +237,11 @@ Options: releases prior to 1.11. **-hash** - requires the database to be stored as a hash. If this option is - not specified, the database will be stored as a btree. This - option is not recommended, as databases stored in hash format are - known to corrupt data and lose principals. + stores the database in hash format, if using the DB2 database + type. If this option is not specified, the database will be + stored in btree format. This option is not recommended, as + databases stored in hash format are known to corrupt data and lose + principals. **-verbose** causes the name of each principal and policy to be printed as it @@ -245,9 +253,6 @@ Options: what is in the dump file and the old one destroyed upon successful completion. -If specified, *dbname* overrides the value specified on the command -line or the default. - .. _kdb5_util_load_end: ark @@ -272,9 +277,9 @@ specifies the encryption type of the new master key; see values. The **-s** option stashes the new master key in the stash file, which will be created if it doesn't already exist. -After a new master key is added, it should be propagated to slave +After a new master key is added, it should be propagated to replica servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, -the stash files on the slave servers should be updated with the +the stash files on the replica servers should be updated with the kdb5_util **stash** command. Once those steps are complete, the key is ready to be marked active with the kdb5_util **use_mkey** command. @@ -491,7 +496,14 @@ Examples:: bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)` +:ref:`kadmin(1)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kprop.rst b/doc/admin/admin_commands/kprop.rst index 726c8cc..c2b6c79 100644 --- a/doc/admin/admin_commands/kprop.rst +++ b/doc/admin/admin_commands/kprop.rst @@ -12,15 +12,15 @@ SYNOPSIS [**-d**] [**-P** *port*] [**-s** *keytab*] -*slave_host* +*replica_host* DESCRIPTION ----------- kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by *slave_host*. The dump file must be created by +from the master Kerberos server to a replica Kerberos server, which is +specified by *replica_host*. The dump file must be created by :ref:`kdb5_util(8)`. @@ -33,7 +33,7 @@ OPTIONS **-f** *file* Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally - |kdcdir|\ ``/slave_datatrans``. + |kdcdir|\ ``/replica_datatrans``. **-P** *port* Specifies the port to use to contact the :ref:`kpropd(8)` server @@ -49,12 +49,12 @@ OPTIONS ENVIRONMENT ----------- -*kprop* uses the following environment variable: - -* **KRB5_CONFIG** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- -:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` +:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, +:ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/kpropd.rst b/doc/admin/admin_commands/kpropd.rst index 5e01e2f..7f7faa2 100644 --- a/doc/admin/admin_commands/kpropd.rst +++ b/doc/admin/admin_commands/kpropd.rst @@ -10,28 +10,30 @@ SYNOPSIS [**-r** *realm*] [**-A** *admin_server*] [**-a** *acl_file*] -[**-f** *slave_dumpfile*] +[**-f** *replica_dumpfile*] [**-F** *principal_database*] [**-p** *kdb5_util_prog*] [**-P** *port*] +[**--pid-file**\ =\ *pid_file*] [**-d**] [**-t**] DESCRIPTION ----------- -The *kpropd* command runs on the slave KDC server. It listens for +The *kpropd* command runs on the replica KDC server. It listens for update requests made by the :ref:`kprop(8)` program. If incremental propagation is enabled, it periodically requests incremental updates from the master KDC. -When the slave receives a kprop request from the master, kpropd +When the replica receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs :ref:`kdb5_util(8)` to load the dumped database into the active database which is used by :ref:`krb5kdc(8)`. This allows the master Kerberos server to use :ref:`kprop(8)` to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database. +the replica servers. Upon a successful download of the KDC database +file, the replica Kerberos server will have an up-to-date KDC +database. Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to @@ -50,15 +52,15 @@ compatibility but does nothing. Incremental propagation may be enabled with the **iprop_enable** variable in :ref:`kdc.conf(5)`. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the **iprop_slave_poll** variable. If the -slave receives updates, kpropd updates its log file with any updates +enabled, the replica periodically polls the master KDC for updates, at +an interval determined by the **iprop_replica_poll** variable. If the +replica receives updates, kpropd updates its log file with any updates from the master. :ref:`kproplog(8)` can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal ``kiprop/slavehostname@REALM`` (where -*slavehostname* is the name of the slave KDC host, and *REALM* is the -name of the Kerberos realm) must be present in the slave's keytab -file. +the update entry log on the replica KDC. If incremental propagation +is enabled, the principal ``kiprop/replicahostname@REALM`` (where +*replicahostname* is the name of the replica KDC host, and *REALM* is +the name of the Kerberos realm) must be present in the replica's +keytab file. :ref:`kproplog(8)` can be used to force full replication when iprop is enabled. @@ -104,6 +106,10 @@ OPTIONS Allows the user to specify the path to the kpropd.acl file; by default the path used is |kdcdir|\ ``/kpropd.acl``. +**--pid-file**\ =\ *pid_file* + In standalone mode, write the process ID of the daemon into + *pid_file*. + ENVIRONMENT ----------- @@ -124,7 +130,15 @@ kpropd.acl will allow Kerberos database propagation via :ref:`kprop(8)`. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8) +:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, +:ref:`kerberos(7)`, inetd(8) diff --git a/doc/admin/admin_commands/kproplog.rst b/doc/admin/admin_commands/kproplog.rst index ed90639..44e706d 100644 --- a/doc/admin/admin_commands/kproplog.rst +++ b/doc/admin/admin_commands/kproplog.rst @@ -17,18 +17,18 @@ The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the update log maintained by the :ref:`kadmind(8)` process on the master -KDC server and the :ref:`kpropd(8)` process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned. +KDC server and the :ref:`kpropd(8)` process on the replica KDC +servers. When updates occur, they are logged to this file. +Subsequently any KDC replica configured for incremental updates will +request the current data from the master KDC and update their log file +with any updates returned. The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. If no options are specified, kproplog displays a summary of the update log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays +update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. @@ -37,9 +37,9 @@ OPTIONS ------- **-R** - Reset the update log. This forces full resynchronization. If used - on a slave then that slave will request a full resync. If used on - the master then all slaves will request full resyncs. + Reset the update log. This forces full resynchronization. If + used on a replica then that replica will request a full resync. + If used on the master then all replicas will request full resyncs. **-h** Display a summary of the update log. This information includes @@ -74,12 +74,11 @@ OPTIONS ENVIRONMENT ----------- -kproplog uses the following environment variables: - -* **KRB5_KDC_PROFILE** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- -:ref:`kpropd(8)` +:ref:`kpropd(8)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/krb5kdc.rst b/doc/admin/admin_commands/krb5kdc.rst index 7ec4ee4..0342d0d 100644 --- a/doc/admin/admin_commands/krb5kdc.rst +++ b/doc/admin/admin_commands/krb5kdc.rst @@ -57,12 +57,12 @@ The **-P** *pid_file* option tells the KDC to write its PID into the KDC is still running and to allow init scripts to stop the correct process. -The **-p** *portnum* option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88. +The **-p** *portnum* option specifies the default UDP and TCP port +numbers which the KDC should listen on for Kerberos version 5 +requests, as a comma-separated list. This value overrides the port +numbers specified in the :ref:`kdcdefaults` section of +:ref:`kdc.conf(5)`, but may be overridden by realm-specific values. +If no value is given from any source, the default port is 88. The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel. @@ -72,13 +72,6 @@ will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. -.. note:: - - On operating systems which do not have *pktinfo* support, - using worker processes will prevent the KDC from listening - for UDP packets on network interfaces created after the KDC - starts. - The **-x** *db_args* option specifies database-specific arguments. See :ref:`Database Options ` in :ref:`kadmin(1)` for supported arguments. @@ -110,14 +103,12 @@ description for further details. ENVIRONMENT ----------- -krb5kdc uses the following environment variables: - -* **KRB5_CONFIG** -* **KRB5_KDC_PROFILE** +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. SEE ALSO -------- :ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, -:ref:`kdb5_ldap_util(8)` +:ref:`kdb5_ldap_util(8)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/ktutil.rst b/doc/admin/admin_commands/ktutil.rst index d55ddc8..0dbc08f 100644 --- a/doc/admin/admin_commands/ktutil.rst +++ b/doc/admin/admin_commands/ktutil.rst @@ -87,9 +87,14 @@ add_entry ~~~~~~~~~ **add_entry** {**-key**\|\ **-password**} **-p** *principal* - **-k** *kvno* **-e** *enctype* + **-k** *kvno* [**-e** *enctype*] [**-f**\|\ **-s** *salt*] -Add *principal* to keylist using key or password. +Add *principal* to keylist using key or password. If the **-f** flag +is specified, salt information will be fetched from the KDC; in this +case the **-e** flag may be omitted, or it may be supplied to force a +particular enctype. If the **-f** flag is not specified, the **-e** +flag must be specified, and the default salt will be used unless +overridden with the **-s** option. Alias: **addent** @@ -127,7 +132,14 @@ EXAMPLE ktutil: +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)`, :ref:`kdb5_util(8)` +:ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`kerberos(7)` diff --git a/doc/admin/admin_commands/sserver.rst b/doc/admin/admin_commands/sserver.rst index b4e4644..a8dcf5d 100644 --- a/doc/admin/admin_commands/sserver.rst +++ b/doc/admin/admin_commands/sserver.rst @@ -99,7 +99,14 @@ COMMON ERROR MESSAGES probably not installed in the proper directory. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`sclient(1)`, services(5), inetd(8) +:ref:`sclient(1)`, :ref:`kerberos(7)`, services(5), inetd(8) diff --git a/doc/admin/advanced/retiring-des.rst b/doc/admin/advanced/retiring-des.rst index 8bcf83d..ebac95f 100644 --- a/doc/admin/advanced/retiring-des.rst +++ b/doc/admin/advanced/retiring-des.rst @@ -134,11 +134,11 @@ existing tickets will still function until their scheduled expiry .. note:: - The new ``krbtgt@REALM`` key should be propagated to slave KDCs + The new ``krbtgt@REALM`` key should be propagated to replica KDCs immediately so that TGTs issued by the master KDC can be used to - issue service tickets on slave KDCs. Slave KDCs will refuse requests - using the new TGT kvno until the new krbtgt entry has been propagated - to them. + issue service tickets on replica KDCs. Replica KDCs will refuse + requests using the new TGT kvno until the new krbtgt entry has + been propagated to them. It is necessary to explicitly specify the enctypes for the new database entry, since **supported_enctypes** has not been changed. Leaving @@ -321,8 +321,8 @@ The following KDC configuration will not generate DES keys by default: As before, the KDC process must be restarted for this change to take effect. It is best practice to update kdc.conf on all KDCs, not just the - master, to avoid unpleasant surprises should the master fail and a slave - need to be promoted. + master, to avoid unpleasant surprises should the master fail and a + replica need to be promoted. It is now appropriate to remove the legacy single-DES key from the ``krbtgt/REALM`` entry: diff --git a/doc/admin/appl_servers.rst b/doc/admin/appl_servers.rst index f6474cd..fee49f0 100644 --- a/doc/admin/appl_servers.rst +++ b/doc/admin/appl_servers.rst @@ -121,16 +121,16 @@ Configuring your firewall to work with Kerberos V5 If you need off-site users to be able to get Kerberos tickets in your realm, they must be able to get to your KDC. This requires either -that you have a slave KDC outside your firewall, or that you configure -your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other -ports may be specified in the KDC's :ref:`kdc.conf(5)` file.) -Similarly, if you need off-site users to be able to change their -passwords in your realm, they must be able to get to your Kerberos -admin server on the kpasswd port (which defaults to 464). If you need -off-site users to be able to administer your Kerberos realm, they must -be able to get to your Kerberos admin server on the administrative -port (which defaults to 749). +that you have a replica KDC outside your firewall, or that you +configure your firewall to allow UDP requests into at least one of +your KDCs, on whichever port the KDC is running. (The default is port +88; other ports may be specified in the KDC's :ref:`kdc.conf(5)` +file.) Similarly, if you need off-site users to be able to change +their passwords in your realm, they must be able to get to your +Kerberos admin server on the kpasswd port (which defaults to 464). If +you need off-site users to be able to administer your Kerberos realm, +they must be able to get to your Kerberos admin server on the +administrative port (which defaults to 749). If your on-site users inside your firewall will need to get to KDCs in other realms, you will also need to configure your firewall to allow diff --git a/doc/admin/backup_host.rst b/doc/admin/backup_host.rst index a0c2a28..982a2d1 100644 --- a/doc/admin/backup_host.rst +++ b/doc/admin/backup_host.rst @@ -18,17 +18,17 @@ Backing up the Kerberos database -------------------------------- As with any file, it is possible that your Kerberos database could -become corrupted. If this happens on one of the slave KDCs, you might -never notice, since the next automatic propagation of the database -would install a fresh copy. However, if it happens to the master KDC, -the corrupted database would be propagated to all of the slaves during -the next propagation. For this reason, MIT recommends that you back -up your Kerberos database regularly. Because the master KDC is -continuously dumping the database to a file in order to propagate it -to the slave KDCs, it is a simple matter to have a cron job -periodically copy the dump file to a secure machine elsewhere on your -network. (Of course, it is important to make the host where these -backups are stored as secure as your KDCs, and to encrypt its +become corrupted. If this happens on one of the replica KDCs, you +might never notice, since the next automatic propagation of the +database would install a fresh copy. However, if it happens to the +master KDC, the corrupted database would be propagated to all of the +replicas during the next propagation. For this reason, MIT recommends +that you back up your Kerberos database regularly. Because the master +KDC is continuously dumping the database to a file in order to +propagate it to the replica KDCs, it is a simple matter to have a cron +job periodically copy the dump file to a secure machine elsewhere on +your network. (Of course, it is important to make the host where +these backups are stored as secure as your KDCs, and to encrypt its transmission across your network.) Then if your database becomes corrupted, you can load the most recent dump onto the master KDC. (See :ref:`restore_from_dump`.) diff --git a/doc/admin/conf_files/kadm5_acl.rst b/doc/admin/conf_files/kadm5_acl.rst index 138a2d7..290bf0e 100644 --- a/doc/admin/conf_files/kadm5_acl.rst +++ b/doc/admin/conf_files/kadm5_acl.rst @@ -144,6 +144,19 @@ principals. any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. +MODULE BEHAVIOR +--------------- + +The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the :ref:`kadm5_auth` section of +:ref:`krb5.conf(5)`. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file. + +To operate without an ACL file, set the *acl_file* variable in +:ref:`kdc.conf(5)` to the empty string with ``acl_file = ""``. + SEE ALSO -------- diff --git a/doc/admin/conf_files/kdc_conf.rst b/doc/admin/conf_files/kdc_conf.rst index 4e54f7e..c73791c 100644 --- a/doc/admin/conf_files/kdc_conf.rst +++ b/doc/admin/conf_files/kdc_conf.rst @@ -43,10 +43,10 @@ The kdc.conf file may contain the following sections: [kdcdefaults] ~~~~~~~~~~~~~ -With two exceptions, relations in the [kdcdefaults] section specify -default values for realm variables, to be used if the [realms] -subsection does not contain a relation for the tag. See the -:ref:`kdc_realms` section for the definitions of these relations. +Some relations in the [kdcdefaults] section specify default values for +realm variables, to be used if the [realms] subsection does not +contain a relation for the tag. See the :ref:`kdc_realms` section for +the definitions of these relations. * **host_based_services** * **kdc_listen** @@ -56,6 +56,8 @@ subsection does not contain a relation for the tag. See the * **no_host_referral** * **restrict_anonymous_to_tgt** +The following [kdcdefaults] variables have no per-realm equivalent: + **kdc_max_dgram_reply_size** Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. @@ -65,6 +67,12 @@ subsection does not contain a relation for the tag. See the daemon. The value may be limited by OS settings. The default value is 5. +**spake_preauth_kdc_challenge** + (String.) Specifies the group for a SPAKE optimistic challenge. + See the **spake_preauth_groups** variable in :ref:`libdefaults` + for possible values. The default is not to issue an optimistic + challenge. (New in release 1.17.) + .. _kdc_realms: @@ -86,9 +94,10 @@ The following tags may be specified in a [realms] subsection: **acl_file** (String.) Location of the access control list file that :ref:`kadmind(8)` uses to determine which principals are allowed - which permissions on the Kerberos database. The default value is - |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL - file see :ref:`kadm5.acl(5)`. + which permissions on the Kerberos database. To operate without an + ACL file, set this relation to the empty string with ``acl_file = + ""``. The default value is |kdcdir|\ ``/kadm5.acl``. For more + information on Kerberos ACL file see :ref:`kadm5.acl(5)`. **database_module** (String.) This relation indicates the name of the configuration @@ -125,9 +134,8 @@ The following tags may be specified in a [realms] subsection: the principal within this realm. **dup-skey** - Enabling this flag allows the principal to obtain a session - key for another user, permitting user-to-user authentication - for this principal. + Enabling this flag allows the KDC to issue user-to-user + service tickets for this principal. **forwardable** Enabling this flag allows the principal to obtain forwardable @@ -184,7 +192,9 @@ The following tags may be specified in a [realms] subsection: **service** Enabling this flag allows the the KDC to issue service tickets - for this principal. + for this principal. In release 1.17 and later, user-to-user + service tickets are still allowed if the **dup-skey** flag is + set. **tgt-based** Enabling this flag allows a principal to obtain tickets based @@ -198,6 +208,11 @@ The following tags may be specified in a [realms] subsection: if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. +**encrypted_challenge_indicator** + (String.) Specifies the authentication indicator value that the KDC + asserts into tickets obtained using FAST encrypted challenge + pre-authentication. New in 1.16. + **host_based_services** (Whitespace- or comma-separated list.) Lists services which will get host-based referral processing even if the server principal is @@ -212,10 +227,15 @@ The following tags may be specified in a [realms] subsection: retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. +**iprop_replica_poll** + (Delta time string.) Specifies how often the replica KDC polls + for new updates from the master. The default value is ``2m`` + (that is, two minutes). New in release 1.17. + **iprop_slave_poll** - (Delta time string.) Specifies how often the slave KDC polls for - new updates from the master. The default value is ``2m`` (that - is, two minutes). + (Delta time string.) The name for **iprop_replica_poll** prior to + release 1.17. Its value is used as a fallback if + **iprop_replica_poll** is not specified. **iprop_listen** (Whitespace- or comma-separated list.) Specifies the iprop RPC @@ -232,8 +252,8 @@ The following tags may be specified in a [realms] subsection: **iprop_port** (Port number.) Specifies the port number to be used for incremental propagation. When **iprop_enable** is true, this - relation is required in the slave configuration file, and this - relation or **iprop_listen** is required in the master + relation is required in the replica KDC configuration file, and + this relation or **iprop_listen** is required in the master configuration file, as there is no default port number. Port numbers specified in **iprop_listen** entries will override this port number for the :ref:`kadmind(8)` daemon. @@ -241,7 +261,7 @@ The following tags may be specified in a [realms] subsection: **iprop_resync_timeout** (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration - files, and is used by slave KDCs only. The default value is 5 + files, and is used by replica KDCs only. The default value is 5 minutes (``5m``). New in release 1.11. **iprop_logfile** @@ -397,6 +417,12 @@ The following tags may be specified in a [realms] subsection: without allowing anonymous authentication to services. The default value is false. New in release 1.9. +**spake_preauth_indicator** + (String.) Specifies an authentication indicator value that the + KDC asserts into tickets obtained using SPAKE pre-authentication. + The default is not to add any indicators. This option may be + specified multiple times. New in release 1.17. + **supported_enctypes** (List of *key*:*salt* strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created @@ -455,8 +481,8 @@ The following tags may be specified in a [dbmodules] subsection: **db_library** This tag indicates the name of the loadable database module. The - value should be ``db2`` for the DB2 module and ``kldap`` for the - LDAP module. + value should be ``db2`` for the DB2 module, ``klmdb`` for the LMDB + module, or ``kldap`` for the LDAP module. **disable_last_success** If set to ``true``, suppresses KDC updates to the "Last successful @@ -531,6 +557,24 @@ The following tags may be specified in a [dbmodules] subsection: **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names for SASL authentication. This file must be kept secure. +**mapsize** + This LMDB-specific tag indicates the maximum size of the two + database environments in megabytes. The default value is 128. + Increase this value to address "Environment mapsize limit reached" + errors. New in release 1.17. + +**max_readers** + This LMDB-specific tag indicates the maximum number of concurrent + reading processes for the databases. The default value is 128. + New in release 1.17. + +**nosync** + This LMDB-specific tag can be set to improve the throughput of + kadmind and other administrative agents, at the expense of + durability (recent database changes may not survive a power outage + or other sudden reboot). It does not affect the throughput of the + KDC. The default value is false. New in release 1.17. + **unlockiter** If set to ``true``, this DB2-specific tag causes iteration operations to release the database lock while processing each @@ -593,19 +637,15 @@ Logging specifications may have the following forms: **SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]] This causes the daemon's logging messages to go to the system log. - The severity argument specifies the default severity of system log - messages. This may be any of the following severities supported - by the syslog(3) call, minus the ``LOG_`` prefix: **EMERG**, - **ALERT**, **CRIT**, **ERR**, **WARNING**, **NOTICE**, **INFO**, - and **DEBUG**. + For backward compatibility, a severity argument may be specified, + and must be specified in order to specify a facility. This + argument will be ignored. The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG\_ prefix: **KERN**, **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**, - **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. - - If no severity is specified, the default is **ERR**. If no + **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. If no facility is specified, the default is **AUTH**. In the following example, the logging messages from the KDC will go to @@ -765,9 +805,6 @@ For information about the syntax of some of these options, see pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) -**pkinit_kdc_ocsp** - Specifies the location of the KDC's OCSP. - **pkinit_pool** Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client's @@ -795,6 +832,10 @@ For information about the syntax of some of these options, see **pkinit_require_crl_checking** should be set to true if the policy is such that up-to-date CRLs must be present for every CA. +**pkinit_require_freshness** + Specifies whether to require clients to include a freshness token + in PKINIT requests. The default value is false. (New in release + 1.17.) .. _Encryption_types: diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst index 02a9359..7b4389f 100644 --- a/doc/admin/conf_files/krb5_conf.rst +++ b/doc/admin/conf_files/krb5_conf.rst @@ -21,8 +21,10 @@ Structure --------- The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form:: +Lines beginning with '#' or ';' (possibly after initial whitespace) +are ignored as comments. Sections are headed by the section name, in +square brackets. Each section may contain zero or more relations, of +the form:: foo = bar @@ -58,7 +60,9 @@ alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a -section header. +section header. Starting in release 1.17, files are read in +alphanumeric order; in previous releases, they may be read in any +order. The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the @@ -263,7 +267,7 @@ The libdefaults section may contain any of the following relations: the local user or by root. **kcm_mach_service** - On OS X only, determines the name of the bootstrap service used to + On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is ``-``, Mach RPC will not be used to contact the KCM daemon. The default value is ``org.h5l.kcm``. @@ -324,7 +328,8 @@ The libdefaults section may contain any of the following relations: **plugin_base_dir** If set, determines the base directory where krb5 plugins are located. The default value is the ``krb5/plugins`` subdirectory - of the krb5 library directory. + of the krb5 library directory. This relation is subject to + parameter expansion (see below) in release 1.17 and later. **preferred_preauth_types** This allows you to set the preferred preauthentication types which @@ -365,6 +370,21 @@ The libdefaults section may contain any of the following relations: with the session key type. See the **kdc_req_checksum_type** configuration option for the possible values and their meanings. +**spake_preauth_groups** + A whitespace or comma-separated list of words which specifies the + groups allowed for SPAKE preauthentication. The possible values + are: + + ============ ================================ + edwards25519 Edwards25519 curve (:rfc:`7748`) + P-256 NIST P-256 curve (:rfc:`5480`) + P-384 NIST P-384 curve (:rfc:`5480`) + P-521 NIST P-521 curve (:rfc:`5480`) + ============ ================================ + + The default value for the client is ``edwards25519``. The default + value for the KDC is empty. New in release 1.17. + **ticket_lifetime** (:ref:`duration` string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. @@ -434,7 +454,7 @@ following tags may be specified in the realm's subsection: auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auto_to_local = DEFAULT + auth_to_local = DEFAULT } would result in any principal without ``root`` or ``admin`` as the @@ -456,6 +476,16 @@ following tags may be specified in the realm's subsection: (for example, when converting ``rcmd.hostname`` to ``host/hostname.domain``). +**disable_encrypted_timestamp** + If this flag is true, the client will not perform encrypted + timestamp preauthentication if requested by the KDC. Setting this + flag can help to prevent dictionary attacks by active attackers, + if the realm's KDCs support SPAKE preauthentication or if initial + authentication always uses another mechanism or always uses FAST. + This flag persists across client referrals during initial + authentication. This flag does not prevent the KDC from offering + encrypted timestamp. New in release 1.17. + **http_anchors** When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be @@ -494,7 +524,8 @@ following tags may be specified in the realm's subsection: **kpasswd_server** Points to the server where all the password changes are performed. - If there is no such entry, the port 464 on the **admin_server** + If there is no such entry, DNS will be queried (unless forbidden + by **dns_lookup_kdc**). Finally, port 464 on the **admin_server** host will be tried. **master_kdc** @@ -502,8 +533,8 @@ following tags may be specified in the realm's subsection: one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user's password has just been changed, and - the updated database has not been propagated to the slave servers - yet. + the updated database has not been propagated to the replica + servers yet. **v4_instance_convert** This subsection allows the administrator to configure exceptions @@ -745,6 +776,10 @@ disabled with the disable tag): Uses the service realm to guess an appropriate cache from the collection +**hostname** + If the service principal is host-based, uses the service hostname + to guess an appropriate cache from the collection + .. _pwqual: pwqual interface @@ -778,6 +813,26 @@ interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. +.. _kadm5_auth: + +kadm5_auth interface +#################### + +The kadm5_auth section (introduced in release 1.16) controls modules +for the kadmin authorization interface, which determines whether a +client principal is allowed to perform a kadmin operation. The +following built-in modules exist for this interface: + +**acl** + This module reads the :ref:`kadm5.acl(5)` file, and authorizes + operations which are allowed according to the rules in the file. + +**self** + This module authorizes self-service operations including password + changes, creation of new random keys, fetching the client's + principal record or string attributes, and fetching the policy + record associated with the client principal. + .. _clpreauth: .. _kdcpreauth: @@ -859,6 +914,32 @@ built-in modules exist for this interface: This module authorizes a principal to a local account if the principal name maps to the local account name. +.. _certauth: + +certauth interface +################## + +The certauth section (introduced in release 1.16) controls modules for +the certificate authorization interface, which determines whether a +certificate is allowed to preauthenticate a user via PKINIT. The +following built-in modules exist for this interface: + +**pkinit_san** + This module authorizes the certificate if it contains a PKINIT + Subject Alternative Name for the requested client principal, or a + Microsoft UPN SAN matching the principal if **pkinit_allow_upn** + is set to true for the realm. + +**pkinit_eku** + This module rejects the certificate if it does not contain an + Extended Key Usage attribute consistent with the + **pkinit_eku_checking** value for the realm. + +**dbmatch** + This module authorizes or rejects the certificate according to + whether it matches the **pkinit_cert_match** string attribute on + the client principal, if that attribute is present. + PKINIT options -------------- @@ -1054,11 +1135,11 @@ PKINIT krb5.conf options **pkinit_identities** Specifies the location(s) to be used to find the user's X.509 - identity information. This option may be specified multiple - times. Each value is attempted in order until identity - information is found and authentication is attempted. Note that - these values are not used if the user specifies - **X509_user_identity** on the command line. + identity information. If this option is specified multiple times, + the first valid value is used; this can be used to specify an + environment variable (with **ENV:**\ *envvar*) followed by a + default value. Note that these values are not used if the user + specifies **X509_user_identity** on the command line. **pkinit_kdc_hostname** The presense of this option indicates that the client is willing diff --git a/doc/admin/conf_ldap.rst b/doc/admin/conf_ldap.rst index 6443f46..a49b578 100644 --- a/doc/admin/conf_ldap.rst +++ b/doc/admin/conf_ldap.rst @@ -1,3 +1,5 @@ +.. _conf_ldap: + Configuring Kerberos with OpenLDAP back-end =========================================== @@ -16,7 +18,7 @@ Configuring Kerberos with OpenLDAP back-end certificate location in *slapd.conf* file. Refer to the following link for more information: - http://www.openldap.org/doc/admin23/tls.html + https://www.openldap.org/doc/admin23/tls.html B. Setting up SSL on OpenLDAP client: diff --git a/doc/admin/database.rst b/doc/admin/database.rst index b693042..2b02af3 100644 --- a/doc/admin/database.rst +++ b/doc/admin/database.rst @@ -377,14 +377,14 @@ To restore a Kerberos database dump from a file, use the Examples ######## -To load a single principal, either replacing or updating the database: +To dump a single principal and later load it, updating the database: :: - shell% kdb5_util load dumpfile principal + shell% kdb5_util dump dumpfile principal@REALM shell% - shell% kdb5_util load -update dumpfile principal + shell% kdb5_util load -update dumpfile shell% @@ -510,13 +510,13 @@ availability. To roll over the master key, follow these steps: master key, the new key will have version 2. The new master key will not be used until you make it active. -#. Propagate the database to all slave KDCs, either manually or by +#. Propagate the database to all replica KDCs, either manually or by waiting until the next scheduled propagation. If you do not have - any slave KDCs, you can skip this and the next step. + any replica KDCs, you can skip this and the next step. -#. On each slave KDC, run ``kdb5_util list_mkeys`` to verify that the - new master key is present, and then ``kdb5_util stash`` to write - the new master key to the slave KDC's stash file. +#. On each replica KDC, run ``kdb5_util list_mkeys`` to verify that + the new master key is present, and then ``kdb5_util stash`` to + write the new master key to the replica KDC's stash file. #. On the master KDC, run ``kdb5_util use_mkey 2`` to begin using the new master key. Replace ``2`` with the version of the new master @@ -529,11 +529,15 @@ availability. To roll over the master key, follow these steps: command will iterate over the database and re-encrypt all keys in the new master key. If the database is large and uses DB2, the master KDC will become unavailable while this command runs, but - clients should fail over to slave KDCs (if any are present) during - this time period. In release 1.13 and later, you can instead run - ``kdb5_util -x unlockiter update_princ_encryption`` to use unlocked - iteration; this variant will take longer, but will keep the - database available to the KDC and kadmind while it runs. + clients should fail over to replica KDCs (if any are present) + during this time period. In release 1.13 and later, you can + instead run ``kdb5_util -x unlockiter update_princ_encryption`` to + use unlocked iteration; this variant will take longer, but will + keep the database available to the KDC and kadmind while it runs. + +#. Wait until the above changes have propagated to all replica KDCs + and until all running KDC and kadmind processes have serviced + requests using updated principal entries. #. On the master KDC, run ``kdb5_util purge_mkeys`` to clean up the old master key. @@ -794,22 +798,22 @@ Overview At some very large sites, dumping and transmitting the database can take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support +master KDC to the replica KDCs. The incremental propagation support added in the 1.7 release is intended to address this. With incremental propagation enabled, all programs on the master KDC that change the database also write information about the changes to an "update log" file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the :ref:`kadmind(8)` server) and +size. A process on each replica KDC connects to a service on the +master KDC (currently implemented in the :ref:`kadmind(8)` server) and periodically requests the changes that have been made since the last check. By default, this check is done every two minutes. If the database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time. +(currently the threshold is hard-coded at 10 seconds), the replica +will not retrieve updates, but instead will pause and try again soon +after. This reduces the likelihood that incremental update queries +will cause delays for an administrator trying to make a bunch of +changes to the database at the same time. Incremental propagation uses the following entries in the per-realm data in the KDC config file (See :ref:`kdc.conf(5)`): @@ -817,53 +821,54 @@ data in the KDC config file (See :ref:`kdc.conf(5)`): ====================== =============== =========================================== iprop_enable *boolean* If *true*, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is *false*. iprop_master_ulogsize *integer* Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. -iprop_slave_poll *time interval* Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes. -iprop_port *integer* Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. -iprop_resync_timeout *integer* Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes). +iprop_replica_poll *time interval* Indicates how often the replica should poll the master KDC for changes to the database. The default is two minutes. +iprop_port *integer* Specifies the port number to be used for incremental propagation. This is required in both master and replica configuration files. +iprop_resync_timeout *integer* Specifies the number of seconds to wait for a full propagation to complete. This is optional on replica configurations. Defaults to 300 seconds (5 minutes). iprop_logfile *file name* Specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the config file :ref:`kdc.conf(5)`, with *.ulog* appended. (NOTE: If database_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.) ====================== =============== =========================================== -Both master and slave sides must have a principal named +Both master and replica sides must have a principal named ``kiprop/hostname`` (where *hostname* is the lowercase, fully-qualified, canonical name for the host) registered in the Kerberos database, and have keys for that principal stored in the default keytab file (|keytab|). In release 1.13, the ``kiprop/hostname`` principal is created automatically for the master -KDC, but it must still be created for slave KDCs. +KDC, but it must still be created for replica KDCs. On the master KDC side, the ``kiprop/hostname`` principal must be listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the **p** privilege (see :ref:`privileges`). -On the slave KDC side, :ref:`kpropd(8)` should be run. When +On the replica KDC side, :ref:`kpropd(8)` should be run. When incremental propagation is enabled, it will connect to the kadmind on the master KDC and start requesting updates. The normal kprop mechanism is disabled by the incremental propagation -support. However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed. - -If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run ``kadmind -proponly`` on each -intermediate slave, and ``kpropd -A upstreamhostname`` on downstream -slaves to direct each one to the appropriate upstream slave. +support. However, if the replica has been unable to fetch changes +from the master KDC for too long (network problems, perhaps), the log +on the master may wrap around and overwrite some of the updates that +the replica has not yet retrieved. In this case, the replica will +instruct the master KDC to dump the current database out to a file and +invoke a one-time kprop propagation, with special options to also +convey the point in the update log at which the replica should resume +fetching incremental updates. Thus, all the keytab and ACL setup +previously described for kprop propagation is still needed. + +If an environment has a large number of replicas, it may be desirable +to arrange them in a hierarchy instead of having the master serve +updates to every replica. To do this, run ``kadmind -proponly`` on +each intermediate replica, and ``kpropd -A upstreamhostname`` on +downstream replicas to direct each one to the appropriate upstream +replica. There are several known restrictions in the current implementation: - The incremental update protocol does not transport changes to policy objects. Any policy changes on the master will result in full - resyncs to all slaves. -- The slave's KDB module must support locking; it cannot be using the + resyncs to all replicas. +- The replica's KDB module must support locking; it cannot be using the LDAP KDB module. -- The master and slave must be able to initiate TCP connections in +- The master and replica must be able to initiate TCP connections in both directions, without an intervening NAT. @@ -885,10 +890,10 @@ rpcbind (also known as portmapper) and the client looks up the port number to contact. In the MIT implementation, where interaction with some modern versions of rpcbind doesn't always work well, the port number must be specified in the config file on both the master and -slave sides. +replica sides. The Sun implementation hard-codes pathnames in ``/var/krb5`` for the -update log and the per-slave kprop dump files. In the MIT +update log and the per-replica kprop dump files. In the MIT implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -|kdcdir|\ ``/slave_datatrans_hostname``. +config file, and the per-replica dump files are stored in +|kdcdir|\ ``/replica_datatrans_hostname``. diff --git a/doc/admin/dbtypes.rst b/doc/admin/dbtypes.rst new file mode 100644 index 0000000..02f79ac --- /dev/null +++ b/doc/admin/dbtypes.rst @@ -0,0 +1,147 @@ +Database types +============== + +A Kerberos database can be implemented with one of three built-in +database providers, called KDB modules. Software which incorporates +the MIT krb5 KDC may also provide its own KDB module. The following +subsections describe the three built-in KDB modules and the +configuration specific to them. + +The database type can be configured with the **db_library** variable +in the :ref:`dbmodules` subsection for the realm. For example:: + + [dbmodules] + ATHENA.MIT.EDU = { + db_library = db2 + } + +If the ``ATHENA.MIT.EDU`` realm subsection contains a +**database_module** setting, then the subsection within +``[dbmodules]`` should use that name instead of ``ATHENA.MIT.EDU``. + +To transition from one database type to another, stop the +:ref:`kadmind(8)` service, use ``kdb5_util dump`` to create a dump +file, change the **db_library** value and set any appropriate +configuration for the new database type, and use ``kdb5_util load`` to +create and populate the new database. If the new database type is +LDAP, create the new database using ``kdb5_ldap_util`` and populate it +from the dump file using ``kdb5_util load -update``. Then restart the +:ref:`krb5kdc(8)` and :ref:`kadmind(8)` services. + + +Berkeley database module (db2) +------------------------------ + +The default KDB module is ``db2``, which uses a version of the +Berkeley DB library. It creates four files based on the database +pathname. If the pathname ends with ``principal`` then the four files +are: + +* ``principal``, containing principal entry data +* ``principal.ok``, a lock file for the principal database +* ``principal.kadm5``, containing policy object data +* ``principal.kadm5.lock``, a lock file for the policy database + +For large databases, the :ref:`kdb5_util(8)` **dump** command (perhaps +invoked by :ref:`kprop(8)` or by :ref:`kadmind(8)` for incremental +propagation) may cause :ref:`krb5kdc(8)` to stop for a noticeable +period of time while it iterates over the database. This delay can be +avoided by disabling account lockout features so that the KDC does not +perform database writes (see :ref:`disable_lockout`). Alternatively, +a slower form of iteration can be enabled by setting the +**unlockiter** variable to ``true``. For example:: + + [dbmodules] + ATHENA.MIT.EDU = { + db_library = db2 + unlockiter = true + } + +In rare cases, a power failure or other unclean system shutdown may +cause inconsistencies in the internal pointers within a database file, +such that ``kdb5_util dump`` cannot retrieve all principal entries in +the database. In this situation, it may be possible to retrieve all +of the principal data by running ``kdb5_util dump -recurse`` to +iterate over the database using the tree pointers instead of the +iteration pointers. Running ``kdb5_util dump -rev`` to iterate over +the database backwards may also retrieve some of the data which is not +retrieved by a normal dump operation. + + +Lightning Memory-Mapped Database module (klmdb) +----------------------------------------------- + +The klmdb module was added in release 1.17. It uses the LMDB library, +and may offer better performance and reliability than the db2 module. +It creates four files based on the database pathname. If the pathname +ends with ``principal``, then the four files are: + +* ``principal.mdb``, containing policy object data and most principal + entry data +* ``principal.mdb-lock``, a lock file for the primary database +* ``principal.lockout.mdb``, containing the account lockout attributes + (last successful authentication time, last failed authentication + time, and number of failed attempts) for each principal entry +* ``principal.lockout.mdb-lock``, a lock file for the lockout database + +Separating out the lockout attributes ensures that the KDC will never +block on an administrative operation such as a database dump or load. +It also allows the KDC to operate without write access to the primary +database. If both account lockout features are disabled (see +:ref:`disable_lockout`), the lockout database files will be created +but will not subsequently be opened, and the account lockout +attributes will always have zero values. + +Because LMDB creates a memory map to the database files, it requires a +configured memory map size which also determines the maximum size of +the database. This size is applied equally to the two databases, so +twice the configured size will be consumed in the process address +space; this is primarily a limitation on 32-bit platforms. The +default value of 128 megabytes should be sufficient for several +hundred thousand principal entries. If the limit is reached, kadmin +operations will fail and the error message "Environment mapsize limit +reached" will appear in the kadmind log file. In this case, the +**mapsize** variable can be used to increase the map size. The +following example sets the map size to 512 megabytes:: + + [dbmodules] + ATHENA.MIT.EDU = { + db_library = klmdb + mapsize = 512 + } + +LMDB has a configurable maximum number of readers. The default value +of 128 should be sufficient for most deployments. If you are going to +use a large number of KDC worker processes, it may be necessary to set +the **max_readers** variable to a larger number. + +By default, LMDB synchronizes database files to disk after each write +transaction to ensure durability in the case of an unclean system +shutdown. The klmdb module always turns synchronization off for the +lockout database to ensure reasonable KDC performance, but leaves it +on for the primary database. If high throughput for administrative +operations (including password changes) is required, the **nosync** +variable can be set to "true" to disable synchronization for the +primary database. + +The klmdb module does not support explicit locking with the +:ref:`kadmin(1)` **lock** command. + + +LDAP module (kldap) +------------------- + +The kldap module stores principal and policy data using an LDAP +server. To use it you must configure an LDAP server to use the +Kerberos schema. See :ref:`conf_ldap` for details. + +Because :ref:`krb5kdc(8)` is single-threaded, latency in LDAP database +accesses may limit KDC operation throughput. If the LDAP server is +located on the same server host as the KDC and accessed through an +``ldapi://`` URL, latency should be minimal. If this is not possible, +consider starting multiple KDC worker processes with the +:ref:`krb5kdc(8)` **-w** option to enable concurrent processing of KDC +requests. + +The kldap module does not support explicit locking with the +:ref:`kadmin(1)` **lock** command. diff --git a/doc/admin/dictionary.rst b/doc/admin/dictionary.rst new file mode 100644 index 0000000..a5c5786 --- /dev/null +++ b/doc/admin/dictionary.rst @@ -0,0 +1,88 @@ +.. _dictionary: + +Addressing dictionary attack risks +================================== + +Kerberos initial authentication is normally secured using the client +principal's long-term key, which for users is generally derived from a +password. Using a pasword-derived long-term key carries the risk of a +dictionary attack, where an attacker tries a sequence of possible +passwords, possibly requiring much less effort than would be required +to try all possible values of the key. Even if :ref:`password policy +objects ` are used to force users not to pick trivial +passwords, dictionary attacks can sometimes be successful against a +significant fraction of the users in a realm. Dictionary attacks are +not a concern for principals using random keys. + +A dictionary attack may be online or offline. An online dictionary +attack is performed by trying each password in a separate request to +the KDC, and is therefore visible to the KDC and also limited in speed +by the KDC's processing power and the network capacity between the +client and the KDC. Online dictionary attacks can be mitigated using +:ref:`account lockout `. This measure is not totally +satisfactory, as it makes it easy for an attacker to deny access to a +client principal. + +An offline dictionary attack is performed by obtaining a ciphertext +generated using the password-derived key, and trying each password +against the ciphertext. This category of attack is invisible to the +KDC and can be performed much faster than an online attack. The +attack will generally take much longer with more recent encryption +types (particularly the ones based on AES), because those encryption +types use a much more expensive string-to-key function. However, the +best defense is to deny the attacker access to a useful ciphertext. +The required defensive measures depend on the attacker's level of +network access. + +An off-path attacker has no access to packets sent between legitimate +users and the KDC. An off-path attacker could gain access to an +attackable ciphertext either by making an AS request for a client +principal which does not have the **+requires_preauth** flag, or by +making a TGS request (after authenticating as a different user) for a +server principal which does not have the **-allow_svr** flag. To +address off-path attackers, a KDC administrator should set those flags +on principals with password-derived keys:: + + kadmin: add_principal +requires_preauth -allow_svr princname + +An attacker with passive network access (one who can monitor packets +sent between legitimate users and the KDC, but cannot change them or +insert their own packets) can gain access to an attackable ciphertext +by observing an authentication by a user using the most common form of +preauthentication, encrypted timestamp. Any of the following methods +can prevent dictionary attacks by attackers with passive network +access: + +* Enabling :ref:`SPAKE preauthentication ` (added in release + 1.17) on the KDC, and ensuring that all clients are able to support + it. + +* Using an :ref:`HTTPS proxy ` for communication with the KDC, + if the attacker cannot monitor communication between the proxy + server and the KDC. + +* Using FAST, protecting the initial authentication with either a + random key (such as a host key) or with :ref:`anonymous PKINIT + `. + +An attacker with active network access (one who can inject or modify +packets sent between legitimate users and the KDC) can try to fool the +client software into sending an attackable ciphertext using an +encryption type and salt string of the attacker's choosing. Any of the +following methods can prevent dictionary attacks by active attackers: + +* Enabling SPAKE preauthentication and setting the + **disable_encrypted_timestamp** variable to ``true`` in the + :ref:`realms` subsection of the client configuration. + +* Using an HTTPS proxy as described above, configured in the client's + krb5.conf realm configuration. If :ref:`KDC discovery + ` is used to locate a proxy server, an active + attacker may be able to use DNS spoofing to cause the client to use + a different HTTPS server or to not use HTTPS. + +* Using FAST as described above. + +If :ref:`PKINIT ` or :ref:`OTP ` are used for +initial authentication, the principal's long-term keys are not used +and dictionary attacks are usually not a concern. diff --git a/doc/admin/env_variables.rst b/doc/admin/env_variables.rst index 0c146d3..a2d15be 100644 --- a/doc/admin/env_variables.rst +++ b/doc/admin/env_variables.rst @@ -1,46 +1,4 @@ Environment variables ===================== -The following environment variables can be used during runtime: - -**KRB5_CONFIG** - Main Kerberos configuration file. Multiple filenames can be - specified, separated by a colon; all files which are present will - be read. (See :ref:`mitK5defaults` for the default path.) - -**KRB5_KDC_PROFILE** - KDC configuration file. (See :ref:`mitK5defaults` for the default - name.) - -**KRB5_KTNAME** - Default keytab file name. (See :ref:`mitK5defaults` for the - default name.) - -**KRB5_CLIENT_KTNAME** - Default client keytab file name. (See :ref:`mitK5defaults` for - the default name.) - -**KRB5CCNAME** - Default name for the credentials cache file, in the form *type*\:\ - *residual*. The type of the default cache may determine the - availability of a cache collection. For instance, a default cache - of type ``DIR`` causes caches within the directory to be present - in the global cache collection. - -**KRB5RCACHETYPE** - Default replay cache type. Defaults to ``dfl``. A value of - ``none`` disables the replay cache. - -**KRB5RCACHEDIR** - Default replay cache directory. (See :ref:`mitK5defaults` for the - default location.) - -**KPROP_PORT** - :ref:`kprop(8)` port to use. Defaults to 754. - -**KRB5_TRACE** - Filename for trace-logging output (introduced in release 1.9). - For example, ``env KRB5_TRACE=/dev/stdout kinit`` would send - tracing information for kinit to ``/dev/stdout``. Some programs - may ignore this variable (particularly setuid or login system - programs). +This content has moved to :ref:`kerberos(7)`. diff --git a/doc/admin/index.rst b/doc/admin/index.rst index b702f40..d87b003 100644 --- a/doc/admin/index.rst +++ b/doc/admin/index.rst @@ -8,6 +8,7 @@ For administrators conf_files/index.rst realm_config.rst database.rst + dbtypes.rst lockout.rst conf_ldap.rst appl_servers.rst @@ -15,6 +16,8 @@ For administrators backup_host.rst pkinit.rst otp.rst + spake.rst + dictionary.rst princ_dns.rst enctypes.rst https.rst diff --git a/doc/admin/install_appl_srv.rst b/doc/admin/install_appl_srv.rst index 1490500..6bae724 100644 --- a/doc/admin/install_appl_srv.rst +++ b/doc/admin/install_appl_srv.rst @@ -34,7 +34,7 @@ the machine's root password. In order to generate a keytab for a host, the host must have a principal in the Kerberos database. The procedure for adding hosts to the database is described fully in :ref:`add_mod_del_princs`. (See -:ref:`slave_host_key` for a brief description.) The keytab is +:ref:`replica_host_key` for a brief description.) The keytab is generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd` command. diff --git a/doc/admin/install_kdc.rst b/doc/admin/install_kdc.rst index 5c97fee..5d1e70e 100644 --- a/doc/admin/install_kdc.rst +++ b/doc/admin/install_kdc.rst @@ -2,23 +2,23 @@ Installing KDCs =============== When setting up Kerberos in a production environment, it is best to -have multiple slave KDCs alongside with a master KDC to ensure the +have multiple replica KDCs alongside with a master KDC to ensure the continued availability of the Kerberized services. Each KDC contains a copy of the Kerberos database. The master KDC contains the writable -copy of the realm database, which it replicates to the slave KDCs at +copy of the realm database, which it replicates to the replica KDCs at regular intervals. All database changes (such as password changes) -are made on the master KDC. Slave KDCs provide Kerberos +are made on the master KDC. Replica KDCs provide Kerberos ticket-granting services, but not database administration, when the master KDC is unavailable. MIT recommends that you install all of your KDCs to be able to function as either the master or one of the -slaves. This will enable you to easily switch your master KDC with -one of the slaves if necessary (see :ref:`switch_master_slave`). This -installation procedure is based on that recommendation. +replicas. This will enable you to easily switch your master KDC with +one of the replicas if necessary (see :ref:`switch_master_replica`). +This installation procedure is based on that recommendation. .. warning:: - The Kerberos system relies on the availability of correct time - information. Ensure that the master and all slave KDCs have + information. Ensure that the master and all replica KDCs have properly synchronized clocks. - It is best to install and run KDCs on secured and dedicated @@ -41,7 +41,7 @@ source (See :ref:`do_build`). names:: kerberos.mit.edu - master KDC - kerberos-1.mit.edu - slave KDC + kerberos-1.mit.edu - replica KDC ATHENA.MIT.EDU - realm name .k5.ATHENA.MIT.EDU - stash file admin/admin - admin principal @@ -286,23 +286,23 @@ against the principals that you have created on the previous step shell% kinit admin/admin@ATHENA.MIT.EDU -Install the slave KDCs ----------------------- +Install the replica KDCs +------------------------ -You are now ready to start configuring the slave KDCs. +You are now ready to start configuring the replica KDCs. .. note:: Assuming you are setting the KDCs up so that you can easily - switch the master KDC with one of the slaves, you should + switch the master KDC with one of the replicas, you should perform each of these steps on the master KDC as well as the - slave KDCs, unless these instructions specify otherwise. + replica KDCs, unless these instructions specify otherwise. -.. _slave_host_key: +.. _replica_host_key: -Create host keytabs for slave KDCs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Create host keytabs for replica KDCs +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Each KDC needs a ``host`` key in the Kerberos database. These keys are used for mutual authentication when propagating the database dump @@ -311,7 +311,8 @@ file from the master KDC to the secondary KDC servers. On the master KDC, connect to administrative interface and create the host principal for each of the KDCs' ``host`` services. For example, if the master KDC were called ``kerberos.mit.edu``, and you had a -slave KDC named ``kerberos-1.mit.edu``, you would type the following:: +replica KDC named ``kerberos-1.mit.edu``, you would type the +following:: shell% kadmin kadmin: addprinc -randkey host/kerberos.mit.edu @@ -324,13 +325,13 @@ slave KDC named ``kerberos-1.mit.edu``, you would type the following:: It is not strictly necessary to have the master KDC server in the Kerberos database, but it can be handy if you want to be able to swap -the master KDC with one of the slaves. +the master KDC with one of the replicas. Next, extract ``host`` random keys for all participating KDCs and store them in each host's default keytab file. Ideally, you should extract each keytab locally on its own KDC. If this is not feasible, you should use an encrypted session to send them across the network. -To extract a keytab directly on a slave KDC called +To extract a keytab directly on a replica KDC called ``kerberos-1.mit.edu``, you would execute the following command:: kadmin: ktadd host/kerberos-1.mit.edu @@ -343,7 +344,7 @@ To extract a keytab directly on a slave KDC called Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. -If you are instead extracting a keytab for the slave KDC called +If you are instead extracting a keytab for the replica KDC called ``kerberos-1.mit.edu`` on the master KDC, you should use a dedicated temporary keytab file for that machine's keytab:: @@ -357,12 +358,12 @@ The file ``/tmp/kerberos-1.keytab`` can then be installed as ``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``. -Configure slave KDCs -~~~~~~~~~~~~~~~~~~~~ +Configure replica KDCs +~~~~~~~~~~~~~~~~~~~~~~ Database propagation copies the contents of the master's database, but does not propagate configuration files, stash files, or the kadm5 ACL -file. The following files must be copied by hand to each slave (see +file. The following files must be copied by hand to each replica (see :ref:`mitK5defaults` for the default locations for these files): * krb5.conf @@ -371,27 +372,27 @@ file. The following files must be copied by hand to each slave (see * master key stash file Move the copied files into their appropriate directories, exactly as -on the master KDC. kadm5.acl is only needed to allow a slave to swap -with the master KDC. +on the master KDC. kadm5.acl is only needed to allow a replica to +swap with the master KDC. -The database is propagated from the master KDC to the slave KDCs via +The database is propagated from the master KDC to the replica KDCs via the :ref:`kpropd(8)` daemon. You must explicitly specify the principals which are allowed to provide Kerberos dump updates on the -slave machine with a new database. Create a file named kpropd.acl in -the KDC state directory containing the ``host`` principals for each of -the KDCs:: +replica machine with a new database. Create a file named kpropd.acl +in the KDC state directory containing the ``host`` principals for each +of the KDCs:: host/kerberos.mit.edu@ATHENA.MIT.EDU host/kerberos-1.mit.edu@ATHENA.MIT.EDU .. note:: - If you expect that the master and slave KDCs will be + If you expect that the master and replica KDCs will be switched at some point of time, list the host principals from all participating KDC servers in kpropd.acl files on all of the KDCs. Otherwise, you only need to list the master KDC's host principal in the kpropd.acl files of the - slave KDCs. + replica KDCs. Then, add the following line to ``/etc/inetd.conf`` on each KDC (adjust the path to kpropd):: @@ -402,34 +403,34 @@ You also need to add the following line to ``/etc/services`` on each KDC, if it is not already present (assuming that the default port is used):: - krb5_prop 754/tcp # Kerberos slave propagation + krb5_prop 754/tcp # Kerberos replica propagation Restart inetd daemon. Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon. This is required when incremental propagation is enabled. -Now that the slave KDC is able to accept database propagation, you’ll -need to propagate the database from the master server. +Now that the replica KDC is able to accept database propagation, +you’ll need to propagate the database from the master server. -NOTE: Do not start the slave KDC yet; you still do not have a copy of -the master's database. +NOTE: Do not start the replica KDC yet; you still do not have a copy +of the master's database. -.. _kprop_to_slaves: +.. _kprop_to_replicas: -Propagate the database to each slave KDC -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Propagate the database to each replica KDC +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ First, create a dump file of the database on the master KDC, as follows:: - shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans + shell% kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans -Then, manually propagate the database to each slave KDC, as in the +Then, manually propagate the database to each replica KDC, as in the following example:: - shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu + shell% kprop -f /usr/local/var/krb5kdc/replica_datatrans kerberos-1.mit.edu Database propagation to kerberos-1.mit.edu: SUCCEEDED @@ -447,17 +448,17 @@ following is an example of a Bourne shell script that will do this. kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" - kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans + kdb5_util dump /usr/local/var/krb5kdc/replica_datatrans for kdc in $kdclist do - kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc + kprop -f /usr/local/var/krb5kdc/replica_datatrans $kdc done You will need to set up a cron job to run this script at the intervals you decided on earlier (see :ref:`db_prop`). -Now that the slave KDC has a copy of the Kerberos database, you can +Now that the replica KDC has a copy of the Kerberos database, you can start the krb5kdc daemon:: shell% krb5kdc @@ -487,24 +488,24 @@ Once your KDCs are set up and running, you are ready to use services into the Kerberos database. This procedure is described fully in :ref:`add_mod_del_princs`. -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. See the following section for the +You may occasionally want to use one of your replica KDCs as the +master. This might happen if you are upgrading the master KDC, or if +your master KDC has a disk crash. See the following section for the instructions. -.. _switch_master_slave: +.. _switch_master_replica: -Switching master and slave KDCs -------------------------------- +Switching master and replica KDCs +--------------------------------- -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. +You may occasionally want to use one of your replica KDCs as the +master. This might happen if you are upgrading the master KDC, or if +your master KDC has a disk crash. Assuming you have configured all of your KDCs to be able to function -as either the master KDC or a slave KDC (as this document recommends), -all you need to do to make the changeover is: +as either the master KDC or a replica KDC (as this document +recommends), all you need to do to make the changeover is: If the master KDC is still running, do the following on the *old* master KDC: @@ -512,14 +513,14 @@ master KDC: #. Kill the kadmind process. #. Disable the cron job that propagates the database. #. Run your database propagation script manually, to ensure that the - slaves all have the latest copy of the database (see - :ref:`kprop_to_slaves`). + replicas all have the latest copy of the database (see + :ref:`kprop_to_replicas`). On the *new* master KDC: #. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`). #. Set up the cron job to propagate the database (see - :ref:`kprop_to_slaves`). + :ref:`kprop_to_replicas`). #. Switch the CNAMEs of the old and new master KDCs. If you can't do this, you'll need to change the :ref:`krb5.conf(5)` file on every client machine in your Kerberos realm. @@ -529,5 +530,5 @@ Incremental database propagation -------------------------------- If you expect your Kerberos database to become large, you may wish to -set up incremental propagation to slave KDCs. See :ref:`incr_db_prop` -for details. +set up incremental propagation to replica KDCs. See +:ref:`incr_db_prop` for details. diff --git a/doc/admin/lockout.rst b/doc/admin/lockout.rst index d262663..97d9b1e 100644 --- a/doc/admin/lockout.rst +++ b/doc/admin/lockout.rst @@ -1,3 +1,5 @@ +.. _lockout: + Account lockout =============== @@ -100,13 +102,13 @@ traditional :ref:`kprop(8)` or incremental propagation. Because of this, the number of attempts an attacker can make within a time period is multiplied by the number of KDCs. For instance, if the **maxfailure** parameter on a policy is 10 and there are four KDCs in -the environment (a master and three slaves), an attacker could make as -many as 40 attempts before the principal is locked out on all four +the environment (a master and three replicas), an attacker could make +as many as 40 attempts before the principal is locked out on all four KDCs. -An administrative unlock is propagated from the master to the slave +An administrative unlock is propagated from the master to the replica KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each slave to +unlock will cause the counter of failed attempts on each replica to reset to 1 on the next failure. If a KDC environment uses a replication strategy other than kprop or @@ -115,6 +117,8 @@ LDAP replication, then account lockout state may be replicated between KDCs and the concerns of this section may not apply. +.. _disable_lockout: + KDC performance and account lockout ----------------------------------- diff --git a/doc/admin/pkinit.rst b/doc/admin/pkinit.rst index 460d75d..bec4fc8 100644 --- a/doc/admin/pkinit.rst +++ b/doc/admin/pkinit.rst @@ -223,6 +223,26 @@ time as follows:: kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' +By default, the KDC requires PKINIT client certificates to have the +standard Extended Key Usage and Subject Alternative Name attributes +for PKINIT. Starting in release 1.16, it is possible to authorize +client certificates based on the subject or other criteria instead of +the standard PKINIT Subject Alternative Name, by setting the +**pkinit_cert_match** string attribute on each client principal entry. +For example:: + + kadmin set_string user@REALM pkinit_cert_match "CN=user@REALM$" + +The **pkinit_cert_match** string attribute follows the syntax used by +the :ref:`krb5.conf(5)` **pkinit_cert_match** relation. To allow the +use of non-PKINIT client certificates, it will also be necessary to +disable key usage checking using the **pkinit_eku_checking** relation; +for example:: + + [kdcdefaults] + pkinit_eku_checking = none + + Configuring the clients ----------------------- @@ -307,3 +327,28 @@ appropriate :ref:`kdc_realms` subsection of the KDC's To obtain anonymous credentials on a client, run ``kinit -n``, or ``kinit -n @REALMNAME`` to specify a realm. The resulting tickets will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. + + +Freshness tokens +---------------- + +Freshness tokens can ensure that the client has recently had access to +its certificate private key. If freshness tokens are not required by +the KDC, a client program with temporary possession of the private key +can compose requests for future timestamps and use them later. + +In release 1.17 and later, freshness tokens are supported by the +client and are sent by the KDC when the client indicates support for +them. Because not all clients support freshness tokens yet, they are +not required by default. To check if freshness tokens are supported +by a realm's clients, look in the KDC logs for the lines:: + + PKINIT: freshness token received from + PKINIT: no freshness token received from + +To require freshness tokens for all clients in a realm (except for +clients authenticating anonymously), set the +**pkinit_require_freshness** variable to ``true`` in the appropriate +:ref:`kdc_realms` subsection of the KDC's :ref:`kdc.conf(5)` file. To +test that this option is in effect, run ``kinit -X disable_freshness`` +and verify that authentication is unsuccessful. diff --git a/doc/admin/realm_config.rst b/doc/admin/realm_config.rst index c016d72..23245ca 100644 --- a/doc/admin/realm_config.rst +++ b/doc/admin/realm_config.rst @@ -9,10 +9,10 @@ following issues: * How you will assign your hostnames to Kerberos realms. * Which ports your KDC and and kadmind services will use, if they will not be using the default ports. -* How many slave KDCs you need and where they should be located. -* The hostnames of your master and slave KDCs. +* How many replica KDCs you need and where they should be located. +* The hostnames of your master and replica KDCs. * How frequently you will propagate the database from the master KDC - to the slave KDCs. + to the replica KDCs. Realm name @@ -94,28 +94,28 @@ port numbers used by the Kerberos V5 programs, refer to the :ref:`conf_firewall`. -Slave KDCs ----------- +Replica KDCs +------------ -Slave KDCs provide an additional source of Kerberos ticket-granting +Replica KDCs provide an additional source of Kerberos ticket-granting services in the event of inaccessibility of the master KDC. The -number of slave KDCs you need and the decision of where to place them, +number of replica KDCs you need and the decision of where to place them, both physically and logically, depends on the specifics of your network. Kerberos authentication requires that each client be able to contact a KDC. Therefore, you need to anticipate any likely reason a KDC might -be unavailable and have a slave KDC to take up the slack. +be unavailable and have a replica KDC to take up the slack. Some considerations include: -* Have at least one slave KDC as a backup, for when the master KDC is - down, is being upgraded, or is otherwise unavailable. +* Have at least one replica KDC as a backup, for when the master KDC + is down, is being upgraded, or is otherwise unavailable. * If your network is split such that a network outage is likely to cause a network partition (some segment or segments of the network - to become cut off or isolated from other segments), have a slave KDC - accessible to each segment. -* If possible, have at least one slave KDC in a different building + to become cut off or isolated from other segments), have a replica + KDC accessible to each segment. +* If possible, have at least one replica KDC in a different building from the master, in case of power outages, fires, or other localized disasters. @@ -127,8 +127,8 @@ Hostnames for KDCs MIT recommends that your KDCs have a predefined set of CNAME records (DNS hostname aliases), such as ``kerberos`` for the master KDC and -``kerberos-1``, ``kerberos-2``, ... for the slave KDCs. This way, if -you need to swap a machine, you only need to change a DNS entry, +``kerberos-1``, ``kerberos-2``, ... for the replica KDCs. This way, +if you need to swap a machine, you only need to change a DNS entry, rather than having to change hostnames. As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS @@ -207,7 +207,7 @@ convey more information about a realm's KDCs with a single query. The client performs a query for the following URI records: -* ``_kerberos.REALM`` for fiding KDCs. +* ``_kerberos.REALM`` for finding KDCs. * ``_kerberos-adm.REALM`` for finding kadmin services. * ``_kpasswd.REALM`` for finding password services. @@ -248,7 +248,7 @@ Database propagation -------------------- The Kerberos database resides on the master KDC, and must be -propagated regularly (usually by a cron job) to the slave KDCs. In +propagated regularly (usually by a cron job) to the replica KDCs. In deciding how frequently the propagation should happen, you will need to balance the amount of time the propagation takes against the maximum reasonable amount of time a user should have to wait for a @@ -256,10 +256,10 @@ password change to take effect. If the propagation time is longer than this maximum reasonable time (e.g., you have a particularly large database, you have a lot of -slaves, or you experience frequent network delays), you may wish to +replicas, or you experience frequent network delays), you may wish to cut down on your propagation delay by performing the propagation in parallel. To do this, have the master KDC propagate the database to -one set of slaves, and then have each of these slaves propagate the -database to additional slaves. +one set of replicas, and then have each of these replicas propagate +the database to additional replicas. See also :ref:`incr_db_prop` diff --git a/doc/admin/spake.rst b/doc/admin/spake.rst new file mode 100644 index 0000000..8b9f471 --- /dev/null +++ b/doc/admin/spake.rst @@ -0,0 +1,56 @@ +.. _spake: + +SPAKE Preauthentication +======================= + +SPAKE preauthentication (added in release 1.17) uses public key +cryptography techniques to protect against :ref:`password dictionary +attacks `. Unlike :ref:`PKINIT `, it does not +require any additional infrastructure such as certificates; it simply +needs to be turned on. Using SPAKE preauthentication may modestly +increase the CPU and network load on the KDC. + +SPAKE preauthentication can use one of four elliptic curve groups for +its password-authenticated key exchange. The recommended group is +``edwards25519``; three NIST curves (``P-256``, ``P-384``, and +``P-521``) are also supported. + +By default, SPAKE with the ``edwards25519`` group is enabled on +clients, but the KDC does not offer SPAKE by default. To turn it on, +set the **spake_preauth_groups** variable in :ref:`libdefaults` to a +list of allowed groups. This variable affects both the client and the +KDC. Simply setting it to ``edwards25519`` is recommended:: + + [libdefaults] + spake_preauth_groups = edwards25519 + +Set the **+requires_preauth** and **-allow_svr** flags on client +principal entries, as you would for any preauthentication mechanism:: + + kadmin: modprinc +requires_preauth -allow_srv PRINCNAME + +Clients which do not implement SPAKE preauthentication will fall back +to encrypted timestamp. + +An active attacker can force a fallback to encrypted timestamp by +modifying the initial KDC response, defeating the protection against +dictionary attacks. To prevent this fallback on clients which do +implement SPAKE preauthentication, set the +**disable_encrypted_timestamp** variable to ``true`` in the +:ref:`realms` subsection for realms whose KDCs offer SPAKE +preauthentication. + +By default, SPAKE preauthentication requires an extra network round +trip to the KDC during initial authentication. If most of the clients +in a realm support SPAKE, this extra round trip can be eliminated +using an optimistic challenge, by setting the +**spake_preauth_kdc_challenge** variable in :ref:`kdcdefaults` to a +single group name:: + + [kdcdefaults] + spake_preauth_kdc_challenge = edwards25519 + +Using optimistic challenge will cause the KDC to do extra work for +initial authentication requests that do not result in SPAKE +preauthentication, but will save work when SPAKE preauthentication is +used. diff --git a/doc/admin/troubleshoot.rst b/doc/admin/troubleshoot.rst index 0c61493..6a0c7f8 100644 --- a/doc/admin/troubleshoot.rst +++ b/doc/admin/troubleshoot.rst @@ -106,20 +106,20 @@ properly on the client if the principal entry has no long-term keys. kprop: No route to host while connecting to server .................................................. -Make sure that the hostname of the slave (as given to kprop) is -correct, and that any firewalls between the master and the slave allow -a connection on port 754. +Make sure that the hostname of the replica KDC (as given to kprop) is +correct, and that any firewalls between the master and the replica +allow a connection on port 754. .. _kprop_con_refused: kprop: Connection refused while connecting to server .................................................... -If the slave is intended to run kpropd out of inetd, make sure that -inetd is configured to accept krb5_prop connections. inetd may need -to be restarted or sent a SIGHUP to recognize the new configuration. -If the slave is intended to run kpropd in standalone mode, make sure -that it is running. +If the replica KDC is intended to run kpropd out of inetd, make sure +that inetd is configured to accept krb5_prop connections. inetd may +need to be restarted or sent a SIGHUP to recognize the new +configuration. If the replica is intended to run kpropd in standalone +mode, make sure that it is running. .. _kprop_sendauth_exchange: @@ -128,8 +128,8 @@ kprop: Server rejected authentication (during sendauth exchange) while authentic Make sure that: -#. The time is synchronized between the master and slave KDCs. +#. The time is synchronized between the master and replica KDCs. #. The master stash file was copied from the master to the expected - location on the slave. -#. The slave has a keytab file in the default location containing a - ``host`` principal for the slave's hostname. + location on the replica. +#. The replica has a keytab file in the default location containing a + ``host`` principal for the replica's hostname. diff --git a/doc/appdev/gssapi.rst b/doc/appdev/gssapi.rst index 0258f79..d26ac08 100644 --- a/doc/appdev/gssapi.rst +++ b/doc/appdev/gssapi.rst @@ -55,6 +55,12 @@ name types are supported by the krb5 mechanism: * **GSS_C_NT_EXPORT_NAME**: The value must be the result of a gss_export_name_ call. +* **GSS_KRB5_NT_ENTERPRISE_NAME**: The value should be a krb5 + enterprise name string (see :rfc:`6806` section 5), in the form + ``user@suffix``. This name type is used to convey alias names, and + is defined in the ```` header. (New in + release 1.17.) + Initiator credentials --------------------- @@ -312,6 +318,25 @@ issue a ticket from the client to the target service. The GSSAPI library will then use this ticket to authenticate to the target service. +If an application needs to find out whether a credential it holds is a +proxy credential and the name of the intermediate service, it can +query the credential with the **GSS_KRB5_GET_CRED_IMPERSONATOR** OID +(new in release 1.16, declared in ````) using +the gss_inquire_cred_by_oid extension (declared in +````):: + + OM_uint32 gss_inquire_cred_by_oid(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + gss_OID desired_object, + gss_buffer_set_t *data_set); + +If the call succeeds and *cred_handle* is a proxy credential, +*data_set* will be set to a single-element buffer set containing the +unparsed principal name of the intermediate service. If *cred_handle* +is not a proxy credential, *data_set* will be set to an empty buffer +set. If the library does not support the query, +gss_inquire_cred_by_oid will return **GSS_S_UNAVAILABLE**. + AEAD message wrapping --------------------- @@ -608,11 +633,11 @@ gss_get_mic_iov_length and gss_get_mic_iov:: handle_error(major, minor); -.. _gss_accept_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.1 -.. _gss_acquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.2 -.. _gss_export_name: http://tools.ietf.org/html/rfc2744.html#section-5.13 -.. _gss_get_name_attribute: http://tools.ietf.org/html/6680.html#section-7.5 -.. _gss_import_name: http://tools.ietf.org/html/rfc2744.html#section-5.16 -.. _gss_init_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.19 -.. _gss_inquire_name: http://tools.ietf.org/html/rfc6680.txt#section-7.4 -.. _gss_inquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.21 +.. _gss_accept_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.1 +.. _gss_acquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.2 +.. _gss_export_name: https://tools.ietf.org/html/rfc2744.html#section-5.13 +.. _gss_get_name_attribute: https://tools.ietf.org/html/6680.html#section-7.5 +.. _gss_import_name: https://tools.ietf.org/html/rfc2744.html#section-5.16 +.. _gss_init_sec_context: https://tools.ietf.org/html/rfc2744.html#section-5.19 +.. _gss_inquire_name: https://tools.ietf.org/html/rfc6680.txt#section-7.4 +.. _gss_inquire_cred: https://tools.ietf.org/html/rfc2744.html#section-5.21 diff --git a/doc/appdev/index.rst b/doc/appdev/index.rst index 3d62045..961bb1e 100644 --- a/doc/appdev/index.rst +++ b/doc/appdev/index.rst @@ -5,6 +5,7 @@ For application developers :maxdepth: 1 gssapi.rst + y2038.rst h5l_mit_apidiff.rst init_creds.rst princ_handle.rst diff --git a/doc/appdev/refs/api/index.rst b/doc/appdev/refs/api/index.rst index f2f27fe..f8a5aa5 100644 --- a/doc/appdev/refs/api/index.rst +++ b/doc/appdev/refs/api/index.rst @@ -212,6 +212,7 @@ Rarely used public interfaces krb5_free_string.rst krb5_free_ticket.rst krb5_free_unparsed_name.rst + krb5_get_etype_info.rst krb5_get_permitted_enctypes.rst krb5_get_server_rcache.rst krb5_get_time_offsets.rst @@ -255,7 +256,9 @@ Rarely used public interfaces krb5_pac_init.rst krb5_pac_parse.rst krb5_pac_sign.rst + krb5_pac_sign_ext.rst krb5_pac_verify.rst + krb5_pac_verify_ext.rst krb5_prepend_error_message.rst krb5_principal2salt.rst krb5_rd_cred.rst diff --git a/doc/appdev/refs/macros/index.rst b/doc/appdev/refs/macros/index.rst index e767471..47c6d44 100644 --- a/doc/appdev/refs/macros/index.rst +++ b/doc/appdev/refs/macros/index.rst @@ -181,6 +181,7 @@ Public KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst + KRB5_KEYUSAGE_PA_AS_FRESHNESS.rst KRB5_KEYUSAGE_PA_FX_COOKIE.rst KRB5_KEYUSAGE_PA_OTP_REQUEST.rst KRB5_KEYUSAGE_PA_PKINIT_KX.rst @@ -189,6 +190,7 @@ Public KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst + KRB5_KEYUSAGE_SPAKE.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst @@ -241,6 +243,7 @@ Public KRB5_PADATA_AFS3_SALT.rst KRB5_PADATA_AP_REQ.rst KRB5_PADATA_AS_CHECKSUM.rst + KRB5_PADATA_AS_FRESHNESS.rst KRB5_PADATA_ENCRYPTED_CHALLENGE.rst KRB5_PADATA_ENC_SANDIA_SECURID.rst KRB5_PADATA_ENC_TIMESTAMP.rst @@ -272,6 +275,7 @@ Public KRB5_PADATA_SAM_RESPONSE.rst KRB5_PADATA_SAM_RESPONSE_2.rst KRB5_PADATA_SESAME.rst + KRB5_PADATA_SPAKE.rst KRB5_PADATA_SVR_REFERRAL_INFO.rst KRB5_PADATA_TGS_REQ.rst KRB5_PADATA_USE_SPECIFIED_KVNO.rst diff --git a/doc/appdev/y2038.rst b/doc/appdev/y2038.rst new file mode 100644 index 0000000..bc4122d --- /dev/null +++ b/doc/appdev/y2038.rst @@ -0,0 +1,28 @@ +Year 2038 considerations for uses of krb5_timestamp +=================================================== + +POSIX time values, which measure the number of seconds since January 1 +1970, will exceed the maximum value representable in a signed 32-bit +integer in January 2038. This documentation describes considerations +for consumers of the MIT krb5 libraries. + +Applications or libraries which use libkrb5 and consume the timestamps +included in credentials or other structures make use of the +:c:type:`krb5_timestamp` type. For historical reasons, krb5_timestamp +is a signed 32-bit integer, even on platforms where a larger type is +natively used to represent time values. To behave properly for time +values after January 2038, calling code should cast krb5_timestamp +values to uint32_t, and then to time_t:: + + (time_t)(uint32_t)timestamp + +Used in this way, krb5_timestamp values can represent time values up +until February 2106, provided that the platform uses a 64-bit or +larger time_t type. This usage will also remain safe if a later +version of MIT krb5 changes krb5_timestamp to an unsigned 32-bit +integer. + +The GSSAPI only uses representations of time intervals, not absolute +times. Callers of the GSSAPI should require no changes to behave +correctly after January 2038, provided that they use MIT krb5 release +1.16 or later. diff --git a/doc/basic/ccache_def.rst b/doc/basic/ccache_def.rst index ff857f4..d147f0d 100644 --- a/doc/basic/ccache_def.rst +++ b/doc/basic/ccache_def.rst @@ -64,7 +64,7 @@ library. KCM client support is new in release 1.13. A KCM daemon has not yet been implemented in MIT krb5, but the client will interoperate - with the KCM daemon implemented by Heimdal. OS X 10.7 and higher + with the KCM daemon implemented by Heimdal. macOS 10.7 and higher provides a KCM daemon as part of the operating system, and the **KCM** cache type is used as the default cache on that platform in a default build. diff --git a/doc/build/directory_org.rst b/doc/build/directory_org.rst index f3aeeb5..db0c6c0 100644 --- a/doc/build/directory_org.rst +++ b/doc/build/directory_org.rst @@ -17,7 +17,7 @@ lib_ Libraries for use with/by Kerberos V5 plugins Kerberos plugins directory po Localization infrastructure prototype Templates files containing the MIT copyright message and a placeholder for the title and description of the file. -slave Utilities for propagating the database to slave KDCs :ref:`kprop(8)` and :ref:`kpropd(8)` +kprop Utilities for propagating the database to replica KDCs :ref:`kprop(8)` and :ref:`kpropd(8)` tests Test suite util_ Various utilities for building/configuring the code, sending bug reports, etc. windows Source code for building Kerberos V5 on Windows (see windows/README) diff --git a/doc/build/doing_build.rst b/doc/build/doing_build.rst index 25daa52..4da1998 100644 --- a/doc/build/doing_build.rst +++ b/doc/build/doing_build.rst @@ -81,7 +81,7 @@ use:: This will install the binaries under *DESTDIR/PREFIX*, e.g., the user programs will install into *DESTDIR/PREFIX/bin*, the libraries into -*DESTDIR/PREFIX/lib*, etc. +*DESTDIR/PREFIX/lib*, etc. *DESTDIR* must be an absolute path. Some implementations of make allow multiple commands to be run in parallel, for faster builds. We test our Makefiles in parallel builds @@ -123,7 +123,7 @@ by ``make check``. These tests require manual setup and teardown of support infrastructure which is not easily automated, or require excessive resources for ordinary use. The procedure for running the manual tests is documented at -http://k5wiki.kerberos.org/wiki/Manual_Testing. +https://k5wiki.kerberos.org/wiki/Manual_Testing. Cleaning up the build diff --git a/doc/build/index.rst b/doc/build/index.rst index 3416817..f321d02 100644 --- a/doc/build/index.rst +++ b/doc/build/index.rst @@ -29,7 +29,7 @@ Obtaining the software ---------------------- The source code can be obtained from MIT Kerberos Distribution page, -at http://web.mit.edu/kerberos/dist/index.html. +at https://kerberos.org/dist/index.html. The MIT Kerberos distribution comes in an archive file, generally named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for the major and minor versions of MIT Kerberos. (For example, MIT diff --git a/doc/build/options2configure.rst b/doc/build/options2configure.rst index 0fd0307..ddbee20 100644 --- a/doc/build/options2configure.rst +++ b/doc/build/options2configure.rst @@ -329,6 +329,9 @@ Optional packages **-**\ **-with-ldap** Compile OpenLDAP database backend module. +**-**\ **-with-lmdb** + Compile LMDB database backend module. + **-**\ **-with-tcl=**\ *path* Specifies that *path* is the location of a Tcl installation. Tcl is needed for some of the tests run by 'make check'; such tests @@ -350,10 +353,6 @@ Optional packages prng specify ``--with-prng-alg=os``. The default is ``fortuna``. (See :ref:`mitK5features`) -**-**\ **-with-pkinit-crypto-impl=**\ *IMPL* - Use the specified pkinit crypto implementation *IMPL*. - Defaults to using OpenSSL. - **-**\ **-without-libedit** Do not compile and link against libedit. Some utilities will no longer offer command history or completion in interactive mode if diff --git a/doc/build_this.rst b/doc/build_this.rst index e515df9..08c330d 100644 --- a/doc/build_this.rst +++ b/doc/build_this.rst @@ -3,8 +3,8 @@ How to build this documentation from the source Pre-requisites for a simple build, or to update man pages: -* Sphinx 1.0.4 or higher (See http://sphinx.pocoo.org) with the autodoc - extension installed. +* Sphinx 1.0.4 or higher (See http://www.sphinx-doc.org) with the + autodoc extension installed. Additional prerequisites to include the API reference based on Doxygen markup: diff --git a/doc/conf.py b/doc/conf.py index 8b7fe7f..c32e330 100644 --- a/doc/conf.py +++ b/doc/conf.py @@ -45,12 +45,12 @@ else: # General information about the project. project = u'MIT Kerberos' -copyright = u'1985-2017, MIT' +copyright = u'1985-2019, MIT' # The version info for the project you're documenting, acts as replacement for # |version| and |release|, also used in various other places throughout the # built documents. -execfile("version.py") +exec(open("version.py").read()) # The short X.Y version. r_list = [r_major, r_minor] if r_patch: @@ -238,7 +238,7 @@ if 'mansubs' in tags: ckeytab = '``@CKTNAME@``' elif 'pathsubs' in tags: # Read configured paths from a file produced by the build system. - execfile('paths.py') + exec(open("paths.py").read()) else: bindir = ':ref:`BINDIR `' sbindir = ':ref:`SBINDIR `' @@ -272,7 +272,7 @@ else: rst_epilog += ''' .. |krb5conf| replace:: ``/etc/krb5.conf`` .. |defkeysalts| replace:: ``aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal`` -.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4`` +.. |defetypes| replace:: ``aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4`` .. |defmkey| replace:: ``aes256-cts-hmac-sha1-96`` .. |copy| unicode:: U+000A9 ''' @@ -292,11 +292,12 @@ man_pages = [ ('user/user_commands/krb5-config', 'krb5-config', u'tool for linking against MIT Kerberos libraries', [u'MIT'], 1), ('user/user_config/k5login', 'k5login', u'Kerberos V5 acl file for host access', [u'MIT'], 5), ('user/user_config/k5identity', 'k5identity', u'Kerberos V5 client principal selection rules', [u'MIT'], 5), + ('user/user_config/kerberos', 'kerberos', u'Overview of using Kerberos', [u'MIT'], 7), ('admin/admin_commands/krb5kdc', 'krb5kdc', u'Kerberos V5 KDC', [u'MIT'], 8), ('admin/admin_commands/kadmin_local', 'kadmin', u'Kerberos V5 database administration program', [u'MIT'], 1), - ('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a slave server', [u'MIT'], 8), + ('admin/admin_commands/kprop', 'kprop', u'propagate a Kerberos V5 principal database to a replica server', [u'MIT'], 8), ('admin/admin_commands/kproplog', 'kproplog', u'display the contents of the Kerberos principal update log', [u'MIT'], 8), - ('admin/admin_commands/kpropd', 'kpropd', u'Kerberos V5 slave KDC update server', [u'MIT'], 8), + ('admin/admin_commands/kpropd', 'kpropd', u'Kerberos V5 replica KDC update server', [u'MIT'], 8), ('admin/admin_commands/kdb5_util', 'kdb5_util', u'Kerberos database maintenance utility', [u'MIT'], 8), ('admin/admin_commands/ktutil', 'ktutil', u'Kerberos keytab file maintenance utility', [u'MIT'], 1), ('admin/admin_commands/k5srvutil', 'k5srvutil', u'host key table (keytab) manipulation utility', [u'MIT'], 1), diff --git a/doc/copyright.rst b/doc/copyright.rst index 40e5d23..3a59658 100644 --- a/doc/copyright.rst +++ b/doc/copyright.rst @@ -1,7 +1,7 @@ Copyright ========= -Copyright |copy| 1985-2017 by the Massachusetts Institute of +Copyright |copy| 1985-2019 by the Massachusetts Institute of Technology and its contributors. All rights reserved. See :ref:`mitK5license` for additional copyright and license diff --git a/doc/formats/cookie.rst b/doc/formats/cookie.rst index 640955c..e32365d 100644 --- a/doc/formats/cookie.rst +++ b/doc/formats/cookie.rst @@ -58,3 +58,40 @@ mechanisms which have separate request and reply types, the request type is used; this allows the KDC to determine whether a cookie is relevant to a request by comparing the request pa-data types to the cookie data types. + +SPAKE cookie format (version 1) +------------------------------- + +Inside the SecureCookie wrapper, a data value of type 151 contains +state for SPAKE pre-authentication. This data is the concatenation of +the following: + +* a two-byte big-endian version number with the value 1 +* a two-byte big-endian stage number +* a four-byte big-endian group number +* a four-byte big-endian length and data for the SPAKE value +* a four-byte big-endian length and data for the transcript hash +* zero or more second factor records, each consisting of: + - a four-byte big-endian second-factor type + - a four-byte big-endian length and data + +The stage value is 0 if the cookie was sent with a challenge message. +Otherwise it is 1 for the first encdata message sent by the KDC during +an exchange, 2 for the second, etc.. + +The group value indicates the group number used in the SPAKE challenge. + +For a stage-0 cookie, the SPAKE value is the KDC private key, +represented in the scalar marshalling form of the group. For other +cookies, the SPAKE value is the SPAKE result K, represented in the +group element marshalling form. + +For a stage-0 cookie, the transcript hash is the intermediate hash +after updating with the client support message (if one was sent) and +challenge. For other cookies it is the final hash. + +For a stage-0 cookie, there may be any number of second-factor +records, including none; a second-factor type need not create a state +field if it does not need one, and no record is created for SF-NONE. +For other cookies, there must be exactly one second-factor record +corresponding to the factor type chosen by the client. diff --git a/doc/formats/freshness_token.rst b/doc/formats/freshness_token.rst new file mode 100644 index 0000000..3127621 --- /dev/null +++ b/doc/formats/freshness_token.rst @@ -0,0 +1,19 @@ +PKINIT freshness tokens +======================= + +:rfc:`8070` specifies a pa-data type PA_AS_FRESHNESS, which clients +should reflect within signed PKINIT data to prove recent access to the +client certificate private key. The contents of a freshness token are +left to the KDC implementation. The MIT krb5 KDC uses the following +format for freshness tokens (starting in release 1.17): + +* a four-byte big-endian POSIX timestamp +* a four-byte big-endian key version number +* an :rfc:`3961` checksum, with no ASN.1 wrapper + +The checksum is computed using the first key in the local krbtgt +principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` +if the request is to the ``KRBTEST.COM`` realm) of the indicated key +version. The checksum type must be the mandatory checksum type for +the encryption type of the krbtgt key. The key usage value for the +checksum is 514. diff --git a/doc/formats/index.rst b/doc/formats/index.rst index 8b30626..4ad5344 100644 --- a/doc/formats/index.rst +++ b/doc/formats/index.rst @@ -7,3 +7,4 @@ Protocols and file formats ccache_file_format keytab_file_format cookie + freshness_token diff --git a/doc/html/.buildinfo b/doc/html/.buildinfo deleted file mode 100644 index 27fb025..0000000 --- a/doc/html/.buildinfo +++ /dev/null @@ -1,4 +0,0 @@ -# Sphinx build info version 1 -# This file hashes the configuration used when building these files. When it is not found, a full rebuild will be done. -config: fc62d372e8a29aeabe3fddbba35feb54 -tags: 645f666f9bcd5a90fca523b33c5a78b7 diff --git a/doc/html/_sources/about.txt b/doc/html/_sources/about.txt deleted file mode 100644 index 904f612..0000000 --- a/doc/html/_sources/about.txt +++ /dev/null @@ -1,35 +0,0 @@ -Contributing to the MIT Kerberos Documentation -============================================== - -We are looking for documentation writers and editors who could contribute -towards improving the MIT KC documentation content. If you are an experienced -Kerberos developer and/or administrator, please consider sharing your knowledge -and experience with the Kerberos Community. You can suggest your own topic or -write about any of the topics listed -`here `__. - -If you have any questions, comments, or suggestions on the existing documents, -please send your feedback via email to krb5-bugs@mit.edu. The HTML version of -this documentation has a "FEEDBACK" link to the krb5-bugs@mit.edu email -address with a pre-constructed subject line. - - -Background ----------- - -Starting with release 1.11, the Kerberos documentation set is -unified in a central form. Man pages, HTML documentation, and PDF -documents are compiled from reStructuredText sources, and the application -developer documentation incorporates Doxygen markup from the source -tree. This project was undertaken along the outline described -`here `__. - -Previous versions of Kerberos 5 attempted to maintain separate documentation -in the texinfo format, with separate groff manual pages. Having the API -documentation disjoint from the source code implementing that API -resulted in the documentation becoming stale, and over time the documentation -ceased to match reality. With a fresh start and a source format that is -easier to use and maintain, reStructuredText-based documents should provide -an improved experience for the user. Consolidating all the documentation -formats into a single source document makes the documentation set easier -to maintain. diff --git a/doc/html/_sources/admin/admin_commands/index.txt b/doc/html/_sources/admin/admin_commands/index.txt deleted file mode 100644 index e8dc765..0000000 --- a/doc/html/_sources/admin/admin_commands/index.txt +++ /dev/null @@ -1,17 +0,0 @@ -Administration programs -======================== - -.. toctree:: - :maxdepth: 1 - - kadmin_local.rst - kadmind.rst - kdb5_util.rst - kdb5_ldap_util.rst - krb5kdc.rst - kprop.rst - kpropd.rst - kproplog.rst - ktutil.rst - k5srvutil.rst - sserver.rst diff --git a/doc/html/_sources/admin/admin_commands/k5srvutil.txt b/doc/html/_sources/admin/admin_commands/k5srvutil.txt deleted file mode 100644 index b873d90..0000000 --- a/doc/html/_sources/admin/admin_commands/k5srvutil.txt +++ /dev/null @@ -1,62 +0,0 @@ -.. _k5srvutil(1): - -k5srvutil -========= - -SYNOPSIS --------- - -**k5srvutil** *operation* -[**-i**] -[**-f** *filename*] -[**-e** *keysalts*] - -DESCRIPTION ------------ - -k5srvutil allows an administrator to list keys currently in -a keytab, to obtain new keys for a principal currently in a keytab, -or to delete non-current keys from a keytab. - -*operation* must be one of the following: - -**list** - Lists the keys in a keytab, showing version number and principal - name. - -**change** - Uses the kadmin protocol to update the keys in the Kerberos - database to new randomly-generated keys, and updates the keys in - the keytab to match. If a key's version number doesn't match the - version number stored in the Kerberos server's database, then the - operation will fail. If the **-i** flag is given, k5srvutil will - prompt for confirmation before changing each key. If the **-k** - option is given, the old and new keys will be displayed. - Ordinarily, keys will be generated with the default encryption - types and key salts. This can be overridden with the **-e** - option. Old keys are retained in the keytab so that existing - tickets continue to work, but **delold** should be used after - such tickets expire, to prevent attacks against the old keys. - -**delold** - Deletes keys that are not the most recent version from the keytab. - This operation should be used some time after a change operation - to remove old keys, after existing tickets issued for the service - have expired. If the **-i** flag is given, then k5srvutil will - prompt for confirmation for each principal. - -**delete** - Deletes particular keys in the keytab, interactively prompting for - each key. - -In all cases, the default keytab is used unless this is overridden by -the **-f** option. - -k5srvutil uses the :ref:`kadmin(1)` program to edit the keytab in -place. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`ktutil(1)` diff --git a/doc/html/_sources/admin/admin_commands/kadmin_local.txt b/doc/html/_sources/admin/admin_commands/kadmin_local.txt deleted file mode 100644 index 50c3b99..0000000 --- a/doc/html/_sources/admin/admin_commands/kadmin_local.txt +++ /dev/null @@ -1,995 +0,0 @@ -.. _kadmin(1): - -kadmin -====== - -SYNOPSIS --------- - -.. _kadmin_synopsis: - -**kadmin** -[**-O**\|\ **-N**] -[**-r** *realm*] -[**-p** *principal*] -[**-q** *query*] -[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**] -[**-w** *password*] -[**-s** *admin_server*\ [:*port*]] -[command args...] - -**kadmin.local** -[**-r** *realm*] -[**-p** *principal*] -[**-q** *query*] -[**-d** *dbname*] -[**-e** *enc*:*salt* ...] -[**-m**] -[**-x** *db_args*] -[command args...] - -.. _kadmin_synopsis_end: - - -DESCRIPTION ------------ - -kadmin and kadmin.local are command-line interfaces to the Kerberos V5 -administration system. They provide nearly identical functionalities; -the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using :ref:`kadmind(8)`. -Except as explicitly noted otherwise, this man page will use "kadmin" -to refer to both versions. kadmin provides for the maintenance of -Kerberos principals, password policies, and service key tables -(keytabs). - -The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is -the fully-qualified hostname of the admin server) or ``kadmin/admin``. -If the credentials cache contains a ticket for one of these -principals, and the **-c** credentials_cache option is specified, that -ticket is used to authenticate to kadmind. Otherwise, the **-p** and -**-k** options are used to specify the client Kerberos principal name -used to authenticate. Once kadmin has determined the principal name, -it requests a service ticket from the KDC, and uses that service -ticket to authenticate to kadmind. - -Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the master KDC with sufficient permissions to read -the KDC database. If the KDC database uses the LDAP database module, -kadmin.local can be run on any host which can access the LDAP server. - - -OPTIONS -------- - -.. _kadmin_options: - -**-r** *realm* - Use *realm* as the default database realm. - -**-p** *principal* - Use *principal* to authenticate. Otherwise, kadmin will append - ``/admin`` to the primary principal name of the default ccache, - the value of the **USER** environment variable, or the username as - obtained with getpwuid, in order of preference. - -**-k** - Use a keytab to decrypt the KDC response instead of prompting for - a password. In this case, the default principal will be - ``host/hostname``. If there is no keytab specified with the - **-t** option, then the default keytab will be used. - -**-t** *keytab* - Use *keytab* to decrypt the KDC response. This can only be used - with the **-k** option. - -**-n** - Requests anonymous processing. Two types of anonymous principals - are supported. For fully anonymous Kerberos, configure PKINIT on - the KDC and configure **pkinit_anchors** in the client's - :ref:`krb5.conf(5)`. Then use the **-n** option with a principal - of the form ``@REALM`` (an empty principal name followed by the - at-sign and a realm name). If permitted by the KDC, an anonymous - ticket will be returned. A second form of anonymous tickets is - supported; these realm-exposed tickets hide the identity of the - client but not the client's realm. For this mode, use ``kinit - -n`` with a normal principal name. If supported by the KDC, the - principal (but not realm) will be replaced by the anonymous - principal. As of release 1.8, the MIT Kerberos KDC only supports - fully anonymous operation. - -**-c** *credentials_cache* - Use *credentials_cache* as the credentials cache. The - cache should contain a service ticket for the ``kadmin/ADMINHOST`` - (where *ADMINHOST* is the fully-qualified hostname of the admin - server) or ``kadmin/admin`` service; it can be acquired with the - :ref:`kinit(1)` program. If this option is not specified, kadmin - requests a new service ticket from the KDC, and stores it in its - own temporary ccache. - -**-w** *password* - Use *password* instead of prompting for one. Use this option with - care, as it may expose the password to other users on the system - via the process list. - -**-q** *query* - Perform the specified query and then exit. - -**-d** *dbname* - Specifies the name of the KDC database. This option does not - apply to the LDAP database module. - -**-s** *admin_server*\ [:*port*] - Specifies the admin server which kadmin should contact. - -**-m** - If using kadmin.local, prompt for the database master password - instead of reading it from a stash file. - -**-e** "*enc*:*salt* ..." - Sets the keysalt list to be used for any new keys created. See - :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible - values. - -**-O** - Force use of old AUTH_GSSAPI authentication flavor. - -**-N** - Prevent fallback to AUTH_GSSAPI authentication flavor. - -**-x** *db_args* - Specifies the database specific arguments. See the next section - for supported options. - -.. _kadmin_options_end: - -Starting with release 1.14, if any command-line arguments remain after -the options, they will be treated as a single query to be executed. -This mode of operation is intended for scripts and behaves differently -from the interactive mode in several respects: - -* Query arguments are split by the shell, not by kadmin. -* Informational and warning messages are suppressed. Error messages - and query output (e.g. for **get_principal**) will still be - displayed. -* Confirmation prompts are disabled (as if **-force** was given). - Password prompts will still be issued as required. -* The exit status will be non-zero if the query fails. - -The **-q** option does not carry these behavior differences; the query -will be processed as if it was entered interactively. The **-q** -option cannot be used in combination with a query in the remaining -arguments. - -.. _dboptions: - -DATABASE OPTIONS ----------------- - -Database options can be used to override database-specific defaults. -Supported options for the DB2 module are: - - **-x dbname=**\ \*filename* - Specifies the base filename of the DB2 database. - - **-x lockiter** - Make iteration operations hold the lock for the duration of - the entire operation, rather than temporarily releasing the - lock while handling each principal. This is the default - behavior, but this option exists to allow command line - override of a [dbmodules] setting. First introduced in - release 1.13. - - **-x unlockiter** - Make iteration operations unlock the database for each - principal, instead of holding the lock for the duration of the - entire operation. First introduced in release 1.13. - -Supported options for the LDAP module are: - - **-x host=**\ *ldapuri* - Specifies the LDAP server to connect to by a LDAP URI. - - **-x binddn=**\ *bind_dn* - Specifies the DN used to bind to the LDAP server. - - **-x bindpwd=**\ *password* - Specifies the password or SASL secret used to bind to the LDAP - server. Using this option may expose the password to other - users on the system via the process list; to avoid this, - instead stash the password using the **stashsrvpw** command of - :ref:`kdb5_ldap_util(8)`. - - **-x sasl_mech=**\ *mechanism* - Specifies the SASL mechanism used to bind to the LDAP server. - The bind DN is ignored if a SASL mechanism is used. New in - release 1.13. - - **-x sasl_authcid=**\ *name* - Specifies the authentication name used when binding to the - LDAP server with a SASL mechanism, if the mechanism requires - one. New in release 1.13. - - **-x sasl_authzid=**\ *name* - Specifies the authorization name used when binding to the LDAP - server with a SASL mechanism. New in release 1.13. - - **-x sasl_realm=**\ *realm* - Specifies the realm used when binding to the LDAP server with - a SASL mechanism, if the mechanism uses one. New in release - 1.13. - - **-x debug=**\ *level* - sets the OpenLDAP client library debug level. *level* is an - integer to be interpreted by the library. Debugging messages - are printed to standard error. New in release 1.12. - - -COMMANDS --------- - -When using the remote client, available commands may be restricted -according to the privileges specified in the :ref:`kadm5.acl(5)` file -on the admin server. - -.. _add_principal: - -add_principal -~~~~~~~~~~~~~ - - **add_principal** [*options*] *newprinc* - -Creates the principal *newprinc*, prompting twice for a password. If -no password policy is specified with the **-policy** option, and the -policy named ``default`` is assigned to the principal if it exists. -However, creating a policy named ``default`` will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the **-clearpolicy** option. - -This command requires the **add** privilege. - -Aliases: **addprinc**, **ank** - -Options: - -**-expire** *expdate* - (:ref:`getdate` string) The expiration date of the principal. - -**-pwexpire** *pwexpdate* - (:ref:`getdate` string) The password expiration date. - -**-maxlife** *maxlife* - (:ref:`duration` or :ref:`getdate` string) The maximum ticket life - for the principal. - -**-maxrenewlife** *maxrenewlife* - (:ref:`duration` or :ref:`getdate` string) The maximum renewable - life of tickets for the principal. - -**-kvno** *kvno* - The initial key version number. - -**-policy** *policy* - The password policy used by this principal. If not specified, the - policy ``default`` is used if it exists (unless **-clearpolicy** - is specified). - -**-clearpolicy** - Prevents any policy from being assigned when **-policy** is not - specified. - -{-\|+}\ **allow_postdated** - **-allow_postdated** prohibits this principal from obtaining - postdated tickets. **+allow_postdated** clears this flag. - -{-\|+}\ **allow_forwardable** - **-allow_forwardable** prohibits this principal from obtaining - forwardable tickets. **+allow_forwardable** clears this flag. - -{-\|+}\ **allow_renewable** - **-allow_renewable** prohibits this principal from obtaining - renewable tickets. **+allow_renewable** clears this flag. - -{-\|+}\ **allow_proxiable** - **-allow_proxiable** prohibits this principal from obtaining - proxiable tickets. **+allow_proxiable** clears this flag. - -{-\|+}\ **allow_dup_skey** - **-allow_dup_skey** disables user-to-user authentication for this - principal by prohibiting this principal from obtaining a session - key for another user. **+allow_dup_skey** clears this flag. - -{-\|+}\ **requires_preauth** - **+requires_preauth** requires this principal to preauthenticate - before being allowed to kinit. **-requires_preauth** clears this - flag. When **+requires_preauth** is set on a service principal, - the KDC will only issue service tickets for that service principal - if the client's initial authentication was performed using - preauthentication. - -{-\|+}\ **requires_hwauth** - **+requires_hwauth** requires this principal to preauthenticate - using a hardware device before being allowed to kinit. - **-requires_hwauth** clears this flag. When **+requires_hwauth** is - set on a service principal, the KDC will only issue service tickets - for that service principal if the client's initial authentication was - performed using a hardware device to preauthenticate. - -{-\|+}\ **ok_as_delegate** - **+ok_as_delegate** sets the **okay as delegate** flag on tickets - issued with this principal as the service. Clients may use this - flag as a hint that credentials should be delegated when - authenticating to the service. **-ok_as_delegate** clears this - flag. - -{-\|+}\ **allow_svr** - **-allow_svr** prohibits the issuance of service tickets for this - principal. **+allow_svr** clears this flag. - -{-\|+}\ **allow_tgs_req** - **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS) - request for a service ticket for this principal is not permitted. - **+allow_tgs_req** clears this flag. - -{-\|+}\ **allow_tix** - **-allow_tix** forbids the issuance of any tickets for this - principal. **+allow_tix** clears this flag. - -{-\|+}\ **needchange** - **+needchange** forces a password change on the next initial - authentication to this principal. **-needchange** clears this - flag. - -{-\|+}\ **password_changing_service** - **+password_changing_service** marks this principal as a password - change service principal. - -{-\|+}\ **ok_to_auth_as_delegate** - **+ok_to_auth_as_delegate** allows this principal to acquire - forwardable tickets to itself from arbitrary users, for use with - constrained delegation. - -{-\|+}\ **no_auth_data_required** - **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from - being added to service tickets for the principal. - -{-\|+}\ **lockdown_keys** - **+lockdown_keys** prevents keys for this principal from leaving - the KDC via kadmind. The chpass and extract operations are denied - for a principal with this attribute. The chrand operation is - allowed, but will not return the new keys. The delete and rename - operations are also denied if this attribute is set, in order to - prevent a malicious administrator from replacing principals like - krbtgt/* or kadmin/* with new principals without the attribute. - This attribute can be set via the network protocol, but can only - be removed using kadmin.local. - -**-randkey** - Sets the key of the principal to a random value. - -**-nokey** - Causes the principal to be created with no key. New in release - 1.12. - -**-pw** *password* - Sets the password of the principal to the specified string and - does not prompt for a password. Note: using this option in a - shell script may expose the password to other users on the system - via the process list. - -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-x** *db_princ_args* - Indicates database-specific options. The options for the LDAP - database module are: - - **-x dn=**\ *dn* - Specifies the LDAP object that will contain the Kerberos - principal being created. - - **-x linkdn=**\ *dn* - Specifies the LDAP object to which the newly created Kerberos - principal object will point. - - **-x containerdn=**\ *container_dn* - Specifies the container object under which the Kerberos - principal is to be created. - - **-x tktpolicy=**\ *policy* - Associates a ticket policy to the Kerberos principal. - - .. note:: - - - The **containerdn** and **linkdn** options cannot be - specified with the **dn** option. - - If the *dn* or *containerdn* options are not specified while - adding the principal, the principals are created under the - principal container configured in the realm or the realm - container. - - *dn* and *containerdn* should be within the subtrees or - principal container configured in the realm. - -Example:: - - kadmin: addprinc jennifer - WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: - Re-enter password for principal jennifer@ATHENA.MIT.EDU: - Principal "jennifer@ATHENA.MIT.EDU" created. - kadmin: - -.. _add_principal_end: - -.. _modify_principal: - -modify_principal -~~~~~~~~~~~~~~~~ - - **modify_principal** [*options*] *principal* - -Modifies the specified principal, changing the fields as specified. -The options to **add_principal** also apply to this command, except -for the **-randkey**, **-pw**, and **-e** options. In addition, the -option **-clearpolicy** will clear the current policy of a principal. - -This command requires the *modify* privilege. - -Alias: **modprinc** - -Options (in addition to the **addprinc** options): - -**-unlock** - Unlocks a locked principal (one which has received too many failed - authentication attempts without enough time between them according - to its password policy) so that it can successfully authenticate. - -.. _modify_principal_end: - -.. _rename_principal: - -rename_principal -~~~~~~~~~~~~~~~~ - - **rename_principal** [**-force**] *old_principal* *new_principal* - -Renames the specified *old_principal* to *new_principal*. This -command prompts for confirmation, unless the **-force** option is -given. - -This command requires the **add** and **delete** privileges. - -Alias: **renprinc** - -.. _rename_principal_end: - -.. _delete_principal: - -delete_principal -~~~~~~~~~~~~~~~~ - - **delete_principal** [**-force**] *principal* - -Deletes the specified *principal* from the database. This command -prompts for deletion, unless the **-force** option is given. - -This command requires the **delete** privilege. - -Alias: **delprinc** - -.. _delete_principal_end: - -.. _change_password: - -change_password -~~~~~~~~~~~~~~~ - - **change_password** [*options*] *principal* - -Changes the password of *principal*. Prompts for a new password if -neither **-randkey** or **-pw** is specified. - -This command requires the **changepw** privilege, or that the -principal running the program is the same as the principal being -changed. - -Alias: **cpw** - -The following options are available: - -**-randkey** - Sets the key of the principal to a random value. - -**-pw** *password* - Set the password to the specified string. Using this option in a - script may expose the password to other users on the system via - the process list. - -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-keepold** - Keeps the existing keys in the database. This flag is usually not - necessary except perhaps for ``krbtgt`` principals. - -Example:: - - kadmin: cpw systest - Enter password for principal systest@BLEEP.COM: - Re-enter password for principal systest@BLEEP.COM: - Password for systest@BLEEP.COM changed. - kadmin: - -.. _change_password_end: - -.. _purgekeys: - -purgekeys -~~~~~~~~~ - - **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal* - -Purges previously retained old keys (e.g., from **change_password --keepold**) from *principal*. If **-keepkvno** is specified, then -only purges keys with kvnos lower than *oldest_kvno_to_keep*. If -**-all** is specified, then all keys are purged. The **-all** option -is new in release 1.12. - -This command requires the **modify** privilege. - -.. _purgekeys_end: - -.. _get_principal: - -get_principal -~~~~~~~~~~~~~ - - **get_principal** [**-terse**] *principal* - -Gets the attributes of principal. With the **-terse** option, outputs -fields as quoted tab-separated strings. - -This command requires the **inquire** privilege, or that the principal -running the the program to be the same as the one being listed. - -Alias: **getprinc** - -Examples:: - - kadmin: getprinc tlyu/admin - Principal: tlyu/admin@BLEEP.COM - Expiration date: [never] - Last password change: Mon Aug 12 14:16:47 EDT 1996 - Password expiration date: [none] - Maximum ticket life: 0 days 10:00:00 - Maximum renewable life: 7 days 00:00:00 - Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) - Last successful authentication: [never] - Last failed authentication: [never] - Failed password attempts: 0 - Number of keys: 2 - Key: vno 1, des-cbc-crc - Key: vno 1, des-cbc-crc:v4 - Attributes: - Policy: [none] - - kadmin: getprinc -terse systest - systest@BLEEP.COM 3 86400 604800 1 - 785926535 753241234 785900000 - tlyu/admin@BLEEP.COM 786100034 0 0 - kadmin: - -.. _get_principal_end: - -.. _list_principals: - -list_principals -~~~~~~~~~~~~~~~ - - **list_principals** [*expression*] - -Retrieves all or some principal names. *expression* is a shell-style -glob expression that can contain the wild-card characters ``?``, -``*``, and ``[]``. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an ``@`` character, an -``@`` character followed by the local realm is appended to the -expression. - -This command requires the **list** privilege. - -Alias: **listprincs**, **get_principals**, **get_princs** - -Example:: - - kadmin: listprincs test* - test3@SECURE-TEST.OV.COM - test2@SECURE-TEST.OV.COM - test1@SECURE-TEST.OV.COM - testuser@SECURE-TEST.OV.COM - kadmin: - -.. _list_principals_end: - -.. _get_strings: - -get_strings -~~~~~~~~~~~ - - **get_strings** *principal* - -Displays string attributes on *principal*. - -This command requires the **inquire** privilege. - -Alias: **getstr** - -.. _get_strings_end: - -.. _set_string: - -set_string -~~~~~~~~~~ - - **set_string** *principal* *name* *value* - -Sets a string attribute on *principal*. String attributes are used to -supply per-principal configuration to the KDC and some KDC plugin -modules. The following string attribute names are recognized by the -KDC: - -**require_auth** - Specifies an authentication indicator which is required to - authenticate to the principal as a service. Multiple indicators - can be specified, separated by spaces; in this case any of the - specified indicators will be accepted. (New in release 1.14.) - -**session_enctypes** - Specifies the encryption types supported for session keys when the - principal is authenticated to as a server. See - :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the - accepted values. - -**otp** - Enables One Time Passwords (OTP) preauthentication for a client - *principal*. The *value* is a JSON string representing an array - of objects, each having optional ``type`` and ``username`` fields. - -This command requires the **modify** privilege. - -Alias: **setstr** - -Example:: - - set_string host/foo.mit.edu session_enctypes aes128-cts - set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]" - -.. _set_string_end: - -.. _del_string: - -del_string -~~~~~~~~~~ - - **del_string** *principal* *key* - -Deletes a string attribute from *principal*. - -This command requires the **delete** privilege. - -Alias: **delstr** - -.. _del_string_end: - -.. _add_policy: - -add_policy -~~~~~~~~~~ - - **add_policy** [*options*] *policy* - -Adds a password policy named *policy* to the database. - -This command requires the **add** privilege. - -Alias: **addpol** - -The following options are available: - -**-maxlife** *time* - (:ref:`duration` or :ref:`getdate` string) Sets the maximum - lifetime of a password. - -**-minlife** *time* - (:ref:`duration` or :ref:`getdate` string) Sets the minimum - lifetime of a password. - -**-minlength** *length* - Sets the minimum length of a password. - -**-minclasses** *number* - Sets the minimum number of character classes required in a - password. The five character classes are lower case, upper case, - numbers, punctuation, and whitespace/unprintable characters. - -**-history** *number* - Sets the number of past keys kept for a principal. This option is - not supported with the LDAP KDC database module. - -.. _policy_maxfailure: - -**-maxfailure** *maxnumber* - Sets the number of authentication failures before the principal is - locked. Authentication failures are only tracked for principals - which require preauthentication. The counter of failed attempts - resets to 0 after a successful attempt to authenticate. A - *maxnumber* value of 0 (the default) disables lockout. - -.. _policy_failurecountinterval: - -**-failurecountinterval** *failuretime* - (:ref:`duration` or :ref:`getdate` string) Sets the allowable time - between authentication failures. If an authentication failure - happens after *failuretime* has elapsed since the previous - failure, the number of authentication failures is reset to 1. A - *failuretime* value of 0 (the default) means forever. - -.. _policy_lockoutduration: - -**-lockoutduration** *lockouttime* - (:ref:`duration` or :ref:`getdate` string) Sets the duration for - which the principal is locked from authenticating if too many - authentication failures occur without the specified failure count - interval elapsing. A duration of 0 (the default) means the - principal remains locked out until it is administratively unlocked - with ``modprinc -unlock``. - -**-allowedkeysalts** - Specifies the key/salt tuples supported for long-term keys when - setting or changing a principal's password/keys. See - :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the - accepted values, but note that key/salt tuples must be separated - with commas (',') only. To clear the allowed key/salt policy use - a value of '-'. - -Example:: - - kadmin: add_policy -maxlife "2 days" -minlength 5 guests - kadmin: - -.. _add_policy_end: - -.. _modify_policy: - -modify_policy -~~~~~~~~~~~~~ - - **modify_policy** [*options*] *policy* - -Modifies the password policy named *policy*. Options are as described -for **add_policy**. - -This command requires the **modify** privilege. - -Alias: **modpol** - -.. _modify_policy_end: - -.. _delete_policy: - -delete_policy -~~~~~~~~~~~~~ - - **delete_policy** [**-force**] *policy* - -Deletes the password policy named *policy*. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals. - -This command requires the **delete** privilege. - -Alias: **delpol** - -Example:: - - kadmin: del_policy guests - Are you sure you want to delete the policy "guests"? - (yes/no): yes - kadmin: - -.. _delete_policy_end: - -.. _get_policy: - -get_policy -~~~~~~~~~~ - - **get_policy** [ **-terse** ] *policy* - -Displays the values of the password policy named *policy*. With the -**-terse** flag, outputs the fields as quoted strings separated by -tabs. - -This command requires the **inquire** privilege. - -Alias: getpol - -Examples:: - - kadmin: get_policy admin - Policy: admin - Maximum password life: 180 days 00:00:00 - Minimum password life: 00:00:00 - Minimum password length: 6 - Minimum number of password character classes: 2 - Number of old keys kept: 5 - Reference count: 17 - - kadmin: get_policy -terse admin - admin 15552000 0 6 2 5 17 - kadmin: - -The "Reference count" is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful. - -.. _get_policy_end: - -.. _list_policies: - -list_policies -~~~~~~~~~~~~~ - - **list_policies** [*expression*] - -Retrieves all or some policy names. *expression* is a shell-style -glob expression that can contain the wild-card characters ``?``, -``*``, and ``[]``. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed. - -This command requires the **list** privilege. - -Aliases: **listpols**, **get_policies**, **getpols**. - -Examples:: - - kadmin: listpols - test-pol - dict-only - once-a-min - test-pol-nopw - - kadmin: listpols t* - test-pol - test-pol-nopw - kadmin: - -.. _list_policies_end: - -.. _ktadd: - -ktadd -~~~~~ - - | **ktadd** [options] *principal* - | **ktadd** [options] **-glob** *princ-exp* - -Adds a *principal*, or all principals matching *princ-exp*, to a -keytab file. Each principal's keys are randomized in the process. -The rules for *princ-exp* are described in the **list_principals** -command. - -This command requires the **inquire** and **changepw** privileges. -With the **-glob** form, it also requires the **list** privilege. - -The options are: - -**-k[eytab]** *keytab* - Use *keytab* as the keytab file. Otherwise, the default keytab is - used. - -**-e** *enc*:*salt*,... - Uses the specified keysalt list for setting the new keys of the - principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a - list of possible values. - -**-q** - Display less verbose information. - -**-norandkey** - Do not randomize the keys. The keys and their version numbers stay - unchanged. This option cannot be specified in combination with the - **-e** option. - -An entry for each of the principal's unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types. - -Example:: - - kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu - Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256-cts-hmac-sha1-96 added to keytab - FILE:/tmp/foo-new-keytab - kadmin: - -.. _ktadd_end: - -.. _ktremove: - -ktremove -~~~~~~~~ - - **ktremove** [options] *principal* [*kvno* | *all* | *old*] - -Removes entries for the specified *principal* from a keytab. Requires -no permissions, since this does not require database access. - -If the string "all" is specified, all entries for that principal are -removed; if the string "old" is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed. - -The options are: - -**-k[eytab]** *keytab* - Use *keytab* as the keytab file. Otherwise, the default keytab is - used. - -**-q** - Display less verbose information. - -Example:: - - kadmin: ktremove kadmin/admin all - Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab - kadmin: - -.. _ktremove_end: - -lock -~~~~ - -Lock database exclusively. Use with extreme caution! This command -only works with the DB2 KDC database module. - -unlock -~~~~~~ - -Release the exclusive database lock. - -list_requests -~~~~~~~~~~~~~ - -Lists available for kadmin requests. - -Aliases: **lr**, **?** - -quit -~~~~ - -Exit program. If the database was locked, the lock is released. - -Aliases: **exit**, **q** - - -HISTORY -------- - -The kadmin program was originally written by Tom Yu at MIT, as an -interface to the OpenVision Kerberos administration program. - - -SEE ALSO --------- - -:ref:`kpasswd(1)`, :ref:`kadmind(8)` diff --git a/doc/html/_sources/admin/admin_commands/kadmind.txt b/doc/html/_sources/admin/admin_commands/kadmind.txt deleted file mode 100644 index f5b7733..0000000 --- a/doc/html/_sources/admin/admin_commands/kadmind.txt +++ /dev/null @@ -1,123 +0,0 @@ -.. _kadmind(8): - -kadmind -======= - -SYNOPSIS --------- - -**kadmind** -[**-x** *db_args*] -[**-r** *realm*] -[**-m**] -[**-nofork**] -[**-proponly**] -[**-port** *port-number*] -[**-P** *pid_file*] -[**-p** *kdb5_util_path*] -[**-K** *kprop_path*] -[**-k** *kprop_port*] -[**-F** *dump_file*] - -DESCRIPTION ------------ - -kadmind starts the Kerberos administration server. kadmind typically -runs on the master Kerberos server, which stores the KDC database. If -the KDC database uses the LDAP module, the administration server and -the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as :ref:`kadmin(1)` and -:ref:`kpasswd(1)` to administer the information in these database. - -kadmind requires a number of configuration files to be set up in order -for it to work: - -:ref:`kdc.conf(5)` - The KDC configuration file contains configuration information for - the KDC and admin servers. kadmind uses settings in this file to - locate the Kerberos database, and is also affected by the - **acl_file**, **dict_file**, **kadmind_port**, and iprop-related - settings. - -:ref:`kadm5.acl(5)` - kadmind's ACL (access control list) tells it which principals are - allowed to perform administration actions. The pathname to the - ACL file can be specified with the **acl_file** :ref:`kdc.conf(5)` - variable; by default, it is |kdcdir|\ ``/kadm5.acl``. - -After the server begins running, it puts itself in the background and -disassociates itself from its controlling terminal. - -kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the :ref:`kdc.conf(5)` -file with the **iprop_enable** option. Incremental propagation -requires the principal ``kiprop/MASTER\@REALM`` (where MASTER is the -master KDC's canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase. - - -OPTIONS -------- - -**-r** *realm* - specifies the realm that kadmind will serve; if it is not - specified, the default realm of the host is used. - -**-m** - causes the master database password to be fetched from the - keyboard (before the server puts itself in the background, if not - invoked with the **-nofork** option) rather than from a file on - disk. - -**-nofork** - causes the server to remain in the foreground and remain - associated to the terminal. In normal operation, you should allow - the server to place itself in the background. - -**-proponly** - causes the server to only listen and respond to Kerberos slave - incremental propagation polling requests. This option can be used - to set up a hierarchical propagation topology where a slave KDC - provides incremental updates to other Kerberos slaves. - -**-port** *port-number* - specifies the port on which the administration server listens for - connections. The default port is determined by the - **kadmind_port** configuration variable in :ref:`kdc.conf(5)`. - -**-P** *pid_file* - specifies the file to which the PID of kadmind process should be - written after it starts up. This file can be used to identify - whether kadmind is still running and to allow init scripts to stop - the correct process. - -**-p** *kdb5_util_path* - specifies the path to the kdb5_util command to use when dumping the - KDB in response to full resync requests when iprop is enabled. - -**-K** *kprop_path* - specifies the path to the kprop command to use to send full dumps - to slaves in response to full resync requests. - -**-k** *kprop_port* - specifies the port by which the kprop process that is spawned by kadmind - connects to the slave kpropd, in order to transfer the dump file during - an iprop full resync request. - -**-F** *dump_file* - specifies the file path to be used for dumping the KDB in response - to full resync requests when iprop is enabled. - -**-x** *db_args* - specifies database-specific arguments. See :ref:`Database Options - ` in :ref:`kadmin(1)` for supported arguments. - - -SEE ALSO --------- - -:ref:`kpasswd(1)`, :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, -:ref:`kdb5_ldap_util(8)`, :ref:`kadm5.acl(5)` diff --git a/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt deleted file mode 100644 index cbf313f..0000000 --- a/doc/html/_sources/admin/admin_commands/kdb5_ldap_util.txt +++ /dev/null @@ -1,462 +0,0 @@ -.. _kdb5_ldap_util(8): - -kdb5_ldap_util -=============== - -SYNOPSIS --------- - -.. _kdb5_ldap_util_synopsis: - -**kdb5_ldap_util** -[**-D** *user_dn* [**-w** *passwd*]] -[**-H** *ldapuri*] -**command** -[*command_options*] - -.. _kdb5_ldap_util_synopsis_end: - - -DESCRIPTION ------------ - -kdb5_ldap_util allows an administrator to manage realms, Kerberos -services and ticket policies. - - -COMMAND-LINE OPTIONS --------------------- - -.. _kdb5_ldap_util_options: - -**-D** *user_dn* - Specifies the Distinguished Name (DN) of the user who has - sufficient rights to perform the operation on the LDAP server. - -**-w** *passwd* - Specifies the password of *user_dn*. This option is not - recommended. - -**-H** *ldapuri* - Specifies the URI of the LDAP server. It is recommended to use - ``ldapi://`` or ``ldaps://`` to connect to the LDAP server. - -.. _kdb5_ldap_util_options_end: - - -COMMANDS --------- - -create -~~~~~~ - -.. _kdb5_ldap_util_create: - - **create** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-k** *mkeytype*] - [**-kv** *mkeyVNO*] - [**-m|-P** *password*\|\ **-sf** *stashfilename*] - [**-s**] - [**-r** *realm*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Creates realm in directory. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtree. The possible values are 1 or one (one level), 2 or sub - (subtrees). - -**-containerref** *container_reference_dn* - Specifies the DN of the container object in which the principals - of a realm will be created. If the container reference is not - configured for a realm, the principals will be created in the - realm container. - -**-k** *mkeytype* - Specifies the key type of the master key in the database. The - default is given by the **master_key_type** variable in - :ref:`kdc.conf(5)`. - -**-kv** *mkeyVNO* - Specifies the version number of the master key in the database; - the default is 1. Note that 0 is not allowed. - -**-m** - Specifies that the master database password should be read from - the TTY rather than fetched from a file on the disk. - -**-P** *password* - Specifies the master database password. This option is not - recommended. - -**-r** *realm* - Specifies the Kerberos realm of the database. - -**-sf** *stashfilename* - Specifies the stash file of the master database password. - -**-s** - Specifies that the stash file is to be created. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU - Password for "cn=admin,o=org": - Initializing database for realm 'ATHENA.MIT.EDU' - You will be prompted for the database Master Password. - It is important that you NOT FORGET this password. - Enter KDC database master key: - Re-enter KDC database master key to verify: - -.. _kdb5_ldap_util_create_end: - -modify -~~~~~~ - -.. _kdb5_ldap_util_modify: - - **modify** - [**-subtrees** *subtree_dn_list*] - [**-sscope** *search_scope*] - [**-containerref** *container_reference_dn*] - [**-r** *realm*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - -Modifies the attributes of a realm. Options: - -**-subtrees** *subtree_dn_list* - Specifies the list of subtrees containing the principals of a - realm. The list contains the DNs of the subtree objects separated - by colon (``:``). This list replaces the existing list. - -**-sscope** *search_scope* - Specifies the scope for searching the principals under the - subtrees. The possible values are 1 or one (one level), 2 or sub - (subtrees). - -**-containerref** *container_reference_dn* Specifies the DN of the - container object in which the principals of a realm will be - created. - -**-r** *realm* - Specifies the Kerberos realm of the database. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals in this realm. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals in this realm. - -*ticket_flags* - Specifies global ticket flags for the realm. Allowable flags are - documented in the description of the **add_principal** command in - :ref:`kadmin(1)`. - -Example:: - - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify +requires_preauth -r - ATHENA.MIT.EDU - Password for "cn=admin,o=org": - shell% - -.. _kdb5_ldap_util_modify_end: - -view -~~~~ - -.. _kdb5_ldap_util_view: - - **view** [**-r** *realm*] - -Displays the attributes of a realm. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view -r ATHENA.MIT.EDU - Password for "cn=admin,o=org": - Realm Name: ATHENA.MIT.EDU - Subtree: ou=users,o=org - Subtree: ou=servers,o=org - SearchScope: ONE - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_end: - -destroy -~~~~~~~ - -.. _kdb5_ldap_util_destroy: - - **destroy** [**-f**] [**-r** *realm*] - -Destroys an existing realm. Options: - -**-f** - If specified, will not prompt the user for confirmation. - -**-r** *realm* - Specifies the Kerberos realm of the database. - -Example:: - - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU - Password for "cn=admin,o=org": - Deleting KDC database of 'ATHENA.MIT.EDU', are you sure? - (type 'yes' to confirm)? yes - OK, deleting database of 'ATHENA.MIT.EDU'... - shell% - -.. _kdb5_ldap_util_destroy_end: - -list -~~~~ - -.. _kdb5_ldap_util_list: - - **list** - -Lists the name of realms. - -Example:: - - shell% kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu list - Password for "cn=admin,o=org": - ATHENA.MIT.EDU - OPENLDAP.MIT.EDU - MEDIA-LAB.MIT.EDU - shell% - -.. _kdb5_ldap_util_list_end: - -stashsrvpw -~~~~~~~~~~ - -.. _kdb5_ldap_util_stashsrvpw: - - **stashsrvpw** - [**-f** *filename*] - *name* - -Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options: - -**-f** *filename* - Specifies the complete path of the service password file. By - default, ``/usr/local/var/service_passwd`` is used. - -*name* - Specifies the name of the object whose password is to be stored. - If :ref:`krb5kdc(8)` or :ref:`kadmind(8)` are configured for - simple binding, this should be the distinguished name it will - use as given by the **ldap_kdc_dn** or **ldap_kadmind_dn** - variable in :ref:`kdc.conf(5)`. If the KDC or kadmind is - configured for SASL binding, this should be the authentication - name it will use as given by the **ldap_kdc_sasl_authcid** or - **ldap_kadmind_sasl_authcid** variable. - -Example:: - - kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile - cn=service-kdc,o=org - Password for "cn=service-kdc,o=org": - Re-enter password for "cn=service-kdc,o=org": - -.. _kdb5_ldap_util_stashsrvpw_end: - -create_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_create_policy: - - **create_policy** - [**-r** *realm*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Creates a ticket policy in the directory. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. - -**-maxtktlife** *max_ticket_life* - (:ref:`getdate` string) Specifies maximum ticket life for - principals. - -**-maxrenewlife** *max_renewable_ticket_life* - (:ref:`getdate` string) Specifies maximum renewable life of - tickets for principals. - -*ticket_flags* - Specifies the ticket flags. If this option is not specified, by - default, no restriction will be set by the policy. Allowable - flags are documented in the description of the **add_principal** - command in :ref:`kadmin(1)`. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" - -maxrenewlife "1 week" -allow_postdated +needchange - -allow_forwardable tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_create_policy_end: - -modify_policy -~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_modify_policy: - - **modify_policy** - [**-r** *realm*] - [**-maxtktlife** *max_ticket_life*] - [**-maxrenewlife** *max_renewable_ticket_life*] - [*ticket_flags*] - *policy_name* - -Modifies the attributes of a ticket policy. Options are same as for -**create_policy**. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H - ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU - -maxtktlife "60 minutes" -maxrenewlife "10 hours" - +allow_postdated -requires_preauth tktpolicy - Password for "cn=admin,o=org": - -.. _kdb5_ldap_util_modify_policy_end: - -view_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_view_policy: - - **view_policy** - [**-r** *realm*] - *policy_name* - -Displays the attributes of a ticket policy. Options: - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - view_policy -r ATHENA.MIT.EDU tktpolicy - Password for "cn=admin,o=org": - Ticket policy: tktpolicy - Maximum ticket life: 0 days 01:00:00 - Maximum renewable life: 0 days 10:00:00 - Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE - -.. _kdb5_ldap_util_view_policy_end: - -destroy_policy -~~~~~~~~~~~~~~ - -.. _kdb5_ldap_util_destroy_policy: - - **destroy_policy** - [**-r** *realm*] - [**-force**] - *policy_name* - -Destroys an existing ticket policy. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. - -**-force** - Forces the deletion of the policy object. If not specified, the - user will be prompted for confirmation before deleting the policy. - -*policy_name* - Specifies the name of the ticket policy. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - destroy_policy -r ATHENA.MIT.EDU tktpolicy - Password for "cn=admin,o=org": - This will delete the policy object 'tktpolicy', are you sure? - (type 'yes' to confirm)? yes - ** policy object 'tktpolicy' deleted. - -.. _kdb5_ldap_util_destroy_policy_end: - -list_policy -~~~~~~~~~~~ - -.. _kdb5_ldap_util_list_policy: - - **list_policy** - [**-r** *realm*] - -Lists the ticket policies in realm if specified or in the default -realm. Options: - -**-r** *realm* - Specifies the Kerberos realm of the database. - -Example:: - - kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu - list_policy -r ATHENA.MIT.EDU - Password for "cn=admin,o=org": - tktpolicy - tmppolicy - userpolicy - -.. _kdb5_ldap_util_list_policy_end: - - -SEE ALSO --------- - -:ref:`kadmin(1)` diff --git a/doc/html/_sources/admin/admin_commands/kdb5_util.txt b/doc/html/_sources/admin/admin_commands/kdb5_util.txt deleted file mode 100644 index 258498f..0000000 --- a/doc/html/_sources/admin/admin_commands/kdb5_util.txt +++ /dev/null @@ -1,497 +0,0 @@ -.. _kdb5_util(8): - -kdb5_util -========= - -SYNOPSIS --------- - -.. _kdb5_util_synopsis: - -**kdb5_util** -[**-r** *realm*] -[**-d** *dbname*] -[**-k** *mkeytype*] -[**-M** *mkeyname*] -[**-kv** *mkeyVNO*] -[**-sf** *stashfilename*] -[**-m**] -*command* [*command_options*] - -.. _kdb5_util_synopsis_end: - -DESCRIPTION ------------ - -kdb5_util allows an administrator to perform maintenance procedures on -the KDC database. Databases can be created, destroyed, and dumped to -or loaded from ASCII files. kdb5_util can create a Kerberos master -key stash file or perform live rollover of the master key. - -When kdb5_util is run, it attempts to acquire the master key and open -the database. However, execution continues regardless of whether or -not kdb5_util successfully opens the database, because the database -may not exist yet or the stash file may be corrupt. - -Note that some KDC database modules may not support all kdb5_util -commands. - - -COMMAND-LINE OPTIONS --------------------- - -.. _kdb5_util_options: - -**-r** *realm* - specifies the Kerberos realm of the database. - -**-d** *dbname* - specifies the name under which the principal database is stored; - by default the database is that listed in :ref:`kdc.conf(5)`. The - password policy database and lock files are also derived from this - value. - -**-k** *mkeytype* - specifies the key type of the master key in the database. The - default is given by the **master_key_type** variable in - :ref:`kdc.conf(5)`. - -**-kv** *mkeyVNO* - Specifies the version number of the master key in the database; - the default is 1. Note that 0 is not allowed. - -**-M** *mkeyname* - principal name for the master key in the database. If not - specified, the name is determined by the **master_key_name** - variable in :ref:`kdc.conf(5)`. - -**-m** - specifies that the master database password should be read from - the keyboard rather than fetched from a file on disk. - -**-sf** *stash_file* - specifies the stash filename of the master database password. If - not specified, the filename is determined by the - **key_stash_file** variable in :ref:`kdc.conf(5)`. - -**-P** *password* - specifies the master database password. Using this option may - expose the password to other users on the system via the process - list. - -.. _kdb5_util_options_end: - - -COMMANDS --------- - -create -~~~~~~ - -.. _kdb5_util_create: - - **create** [**-s**] - -Creates a new database. If the **-s** option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run. - -.. _kdb5_util_create_end: - -destroy -~~~~~~~ - -.. _kdb5_util_destroy: - - **destroy** [**-f**] - -Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the **-f** argument, does not prompt the user. - -.. _kdb5_util_destroy_end: - -stash -~~~~~ - -.. _kdb5_util_stash: - - **stash** [**-f** *keyfile*] - -Stores the master principal's keys in a stash file. The **-f** -argument can be used to override the *keyfile* specified in -:ref:`kdc.conf(5)`. - -.. _kdb5_util_stash_end: - -dump -~~~~ - -.. _kdb5_util_dump: - - **dump** [**-b7**\|\ **-ov**\|\ **-r13**] [**-verbose**] - [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] - [**-recurse**] [*filename* [*principals*...]] - -Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, "kdb5_util -load_dump version 7". If filename is not specified, or is the string -"-", the dump is sent to standard output. Options: - -**-b7** - causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util - load_dump version 4"). This was the dump format produced on - releases prior to 1.2.2. - -**-ov** - causes the dump to be in "ovsec_adm_export" format. - -**-r13** - causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on - releases prior to 1.8. - -**-r18** - causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util - load_dump version 6"). This was the dump format produced on - releases prior to 1.11. - -**-verbose** - causes the name of each principal and policy to be printed as it - is dumped. - -**-mkey_convert** - prompts for a new master key. This new master key will be used to - re-encrypt principal key data in the dumpfile. The principal keys - themselves will not be changed. - -**-new_mkey_file** *mkey_file* - the filename of a stash file. The master key in this stash file - will be used to re-encrypt the key data in the dumpfile. The key - data in the database will not be changed. - -**-rev** - dumps in reverse order. This may recover principals that do not - dump normally, in cases where database corruption has occurred. - -**-recurse** - causes the dump to walk the database recursively (btree only). - This may recover principals that do not dump normally, in cases - where database corruption has occurred. In cases of such - corruption, this option will probably retrieve more principals - than the **-rev** option will. - - .. versionchanged:: 1.15 - Release 1.15 restored the functionality of the **-recurse** - option. - - .. versionchanged:: 1.5 - The **-recurse** option ceased working until release 1.15, - doing a normal dump instead of a recursive traversal. - -.. _kdb5_util_dump_end: - -load -~~~~ - -.. _kdb5_util_load: - - **load** [**-b7**\|\ **-ov**\|\ **-r13**] [**-hash**] - [**-verbose**] [**-update**] *filename* [*dbname*] - -Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the **-update** option is given, **load** creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the **-update** flag is required. - -Options: - -**-b7** - requires the database to be in the Kerberos 5 Beta 7 format - ("kdb5_util load_dump version 4"). This was the dump format - produced on releases prior to 1.2.2. - -**-ov** - requires the database to be in "ovsec_adm_import" format. Must be - used with the **-update** option. - -**-r13** - requires the database to be in Kerberos 5 1.3 format ("kdb5_util - load_dump version 5"). This was the dump format produced on - releases prior to 1.8. - -**-r18** - requires the database to be in Kerberos 5 1.8 format ("kdb5_util - load_dump version 6"). This was the dump format produced on - releases prior to 1.11. - -**-hash** - requires the database to be stored as a hash. If this option is - not specified, the database will be stored as a btree. This - option is not recommended, as databases stored in hash format are - known to corrupt data and lose principals. - -**-verbose** - causes the name of each principal and policy to be printed as it - is dumped. - -**-update** - records from the dump file are added to or updated in the existing - database. Otherwise, a new database is created containing only - what is in the dump file and the old one destroyed upon successful - completion. - -If specified, *dbname* overrides the value specified on the command -line or the default. - -.. _kdb5_util_load_end: - -ark -~~~ - - **ark** [**-e** *enc*:*salt*,...] *principal* - -Adds new random keys to *principal* at the next available key version -number. Keys for the current highest key version number will be -preserved. The **-e** option specifies the list of encryption and -salt types to be used for the new keys. - -add_mkey -~~~~~~~~ - - **add_mkey** [**-e** *etype*] [**-s**] - -Adds a new master key to the master key principal, but does not mark -it as active. Existing master keys will remain. The **-e** option -specifies the encryption type of the new master key; see -:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible -values. The **-s** option stashes the new master key in the stash -file, which will be created if it doesn't already exist. - -After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of :ref:`kprop(8)`. Then, -the stash files on the slave servers should be updated with the -kdb5_util **stash** command. Once those steps are complete, the key -is ready to be marked active with the kdb5_util **use_mkey** command. - -use_mkey -~~~~~~~~ - - **use_mkey** *mkeyVNO* [*time*] - -Sets the activation time of the master key specified by *mkeyVNO*. -Once a master key becomes active, it will be used to encrypt newly -created principal keys. If no *time* argument is given, the current -time is used, causing the specified master key version to become -active immediately. The format for *time* is :ref:`getdate` string. - -After a new master key becomes active, the kdb5_util -**update_princ_encryption** command can be used to update all -principal keys to be encrypted in the new master key. - -list_mkeys -~~~~~~~~~~ - - **list_mkeys** - -List all master keys, from most recent to earliest, in the master key -principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A -``*`` following an mkey denotes the currently active master key. - -purge_mkeys -~~~~~~~~~~~ - - **purge_mkeys** [**-f**] [**-n**] [**-v**] - -Delete master keys from the master key principal that are not used to -protect any principals. This command can be used to remove old master -keys all principal keys are protected by a newer master key. - -**-f** - does not prompt for confirmation. - -**-n** - performs a dry run, showing master keys that would be purged, but - not actually purging any keys. - -**-v** - gives more verbose output. - -update_princ_encryption -~~~~~~~~~~~~~~~~~~~~~~~ - - **update_princ_encryption** [**-f**] [**-n**] [**-v**] - [*princ-pattern*] - -Update all principal records (or only those matching the -*princ-pattern* glob pattern) to re-encrypt the key data using the -active database master key, if they are encrypted using a different -version, and give a count at the end of the number of principals -updated. If the **-f** option is not given, ask for confirmation -before starting to make changes. The **-v** option causes each -principal processed to be listed, with an indication as to whether it -needed updating or not. The **-n** option performs a dry run, only -showing the actions which would have been taken. - -tabdump -~~~~~~~ - - **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*] - *dumptype* - -Dump selected fields of the database in a tabular format suitable for -reporting (e.g., using traditional Unix text processing tools) or -importing into relational databases. The data format is tab-separated -(default), or optionally comma-separated (CSV), with a fixed number of -columns. The output begins with a header line containing field names, -unless suppression is requested using the **-H** option. - -The *dumptype* parameter specifies the name of an output table (see -below). - -Options: - -**-H** - suppress writing the field names in a header line - -**-c** - use comma separated values (CSV) format, with minimal quoting, - instead of the default tab-separated (unquoted, unescaped) format - -**-e** - write empty hexadecimal string fields as empty fields instead of - as "-1". - -**-n** - produce numeric output for fields that normally have symbolic - output, such as enctypes and flag names. Also requests output of - time stamps as decimal POSIX time_t values. - -**-o** *outfile* - write the dump to the specified output file instead of to standard - output - -Dump types: - -**keydata** - principal encryption key information, including actual key data - (which is still encrypted in the master key) - - **name** - principal name - **keyindex** - index of this key in the principal's key list - **kvno** - key version number - **enctype** - encryption type - **key** - key data as a hexadecimal string - **salttype** - salt type - **salt** - salt data as a hexadecimal string - -**keyinfo** - principal encryption key information (as in **keydata** above), - excluding actual key data - -**princ_flags** - principal boolean attributes. Flag names print as hexadecimal - numbers if the **-n** option is specified, and all flag positions - are printed regardless of whether or not they are set. If **-n** - is not specified, print all known flag names for each principal, - but only print hexadecimal flag names if the corresponding flag is - set. - - **name** - principal name - **flag** - flag name - **value** - boolean value (0 for clear, or 1 for set) - -**princ_lockout** - state information used for tracking repeated password failures - - **name** - principal name - **last_success** - time stamp of most recent successful authentication - **last_failed** - time stamp of most recent failed authentication - **fail_count** - count of failed attempts - -**princ_meta** - principal metadata - - **name** - principal name - **modby** - name of last principal to modify this principal - **modtime** - timestamp of last modification - **lastpwd** - timestamp of last password change - **policy** - policy object name - **mkvno** - key version number of the master key that encrypts this - principal's key data - **hist_kvno** - key version number of the history key that encrypts the key - history data for this principal - -**princ_stringattrs** - string attributes (key/value pairs) - - **name** - principal name - **key** - attribute name - **value** - attribute value - -**princ_tktpolicy** - per-principal ticket policy data, including maximum ticket - lifetimes - - **name** - principal name - **expiration** - principal expiration date - **pw_expiration** - password expiration date - **max_life** - maximum ticket lifetime - **max_renew_life** - maximum renewable ticket lifetime - -Examples:: - - $ kdb5_util tabdump -o keyinfo.txt keyinfo - $ cat keyinfo.txt - name keyindex kvno enctype salttype salt - foo@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 0 1 aes128-cts-hmac-sha1-96 normal -1 - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 - $ sqlite3 - sqlite> .mode tabs - sqlite> .import keyinfo.txt keyinfo - sqlite> select * from keyinfo where enctype like 'des-cbc-%'; - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 - sqlite> .quit - $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt - bar@EXAMPLE.COM 1 1 des-cbc-crc normal -1 - - -SEE ALSO --------- - -:ref:`kadmin(1)` diff --git a/doc/html/_sources/admin/admin_commands/kprop.txt b/doc/html/_sources/admin/admin_commands/kprop.txt deleted file mode 100644 index 726c8cc..0000000 --- a/doc/html/_sources/admin/admin_commands/kprop.txt +++ /dev/null @@ -1,60 +0,0 @@ -.. _kprop(8): - -kprop -===== - -SYNOPSIS --------- - -**kprop** -[**-r** *realm*] -[**-f** *file*] -[**-d**] -[**-P** *port*] -[**-s** *keytab*] -*slave_host* - - -DESCRIPTION ------------ - -kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by *slave_host*. The dump file must be created by -:ref:`kdb5_util(8)`. - - -OPTIONS -------- - -**-r** *realm* - Specifies the realm of the master server. - -**-f** *file* - Specifies the filename where the dumped principal database file is - to be found; by default the dumped database file is normally - |kdcdir|\ ``/slave_datatrans``. - -**-P** *port* - Specifies the port to use to contact the :ref:`kpropd(8)` server - on the remote host. - -**-d** - Prints debugging information. - -**-s** *keytab* - Specifies the location of the keytab file. - - -ENVIRONMENT ------------ - -*kprop* uses the following environment variable: - -* **KRB5_CONFIG** - - -SEE ALSO --------- - -:ref:`kpropd(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` diff --git a/doc/html/_sources/admin/admin_commands/kpropd.txt b/doc/html/_sources/admin/admin_commands/kpropd.txt deleted file mode 100644 index 5e01e2f..0000000 --- a/doc/html/_sources/admin/admin_commands/kpropd.txt +++ /dev/null @@ -1,130 +0,0 @@ -.. _kpropd(8): - -kpropd -====== - -SYNOPSIS --------- - -**kpropd** -[**-r** *realm*] -[**-A** *admin_server*] -[**-a** *acl_file*] -[**-f** *slave_dumpfile*] -[**-F** *principal_database*] -[**-p** *kdb5_util_prog*] -[**-P** *port*] -[**-d**] -[**-t**] - -DESCRIPTION ------------ - -The *kpropd* command runs on the slave KDC server. It listens for -update requests made by the :ref:`kprop(8)` program. If incremental -propagation is enabled, it periodically requests incremental updates -from the master KDC. - -When the slave receives a kprop request from the master, kpropd -accepts the dumped KDC database and places it in a file, and then runs -:ref:`kdb5_util(8)` to load the dumped database into the active -database which is used by :ref:`krb5kdc(8)`. This allows the master -Kerberos server to use :ref:`kprop(8)` to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database. - -Where incremental propagation is not used, kpropd is commonly invoked -out of inetd(8) as a nowait service. This is done by adding a line to -the ``/etc/inetd.conf`` file which looks like this:: - - kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd - -kpropd can also run as a standalone daemon, backgrounding itself and -waiting for connections on port 754 (or the port specified with the -**-P** option if given). Standalone mode is required for incremental -propagation. Starting in release 1.11, kpropd automatically detects -whether it was run from inetd and runs in standalone mode if it is -not. Prior to release 1.11, the **-S** option is required to run -kpropd in standalone mode; this option is now accepted for backward -compatibility but does nothing. - -Incremental propagation may be enabled with the **iprop_enable** -variable in :ref:`kdc.conf(5)`. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the **iprop_slave_poll** variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. :ref:`kproplog(8)` can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal ``kiprop/slavehostname@REALM`` (where -*slavehostname* is the name of the slave KDC host, and *REALM* is the -name of the Kerberos realm) must be present in the slave's keytab -file. - -:ref:`kproplog(8)` can be used to force full replication when iprop is -enabled. - - -OPTIONS --------- - -**-r** *realm* - Specifies the realm of the master server. - -**-A** *admin_server* - Specifies the server to be contacted for incremental updates; by - default, the master admin server is contacted. - -**-f** *file* - Specifies the filename where the dumped principal database file is - to be stored; by default the dumped database file is |kdcdir|\ - ``/from_master``. - -**-p** - Allows the user to specify the pathname to the :ref:`kdb5_util(8)` - program; by default the pathname used is |sbindir|\ - ``/kdb5_util``. - -**-d** - Turn on debug mode. In this mode, kpropd will not detach - itself from the current job and run in the background. Instead, - it will run in the foreground and print out debugging messages - during the database propagation. - -**-t** - In standalone mode without incremental propagation, exit after one - dump file is received. In incremental propagation mode, exit as - soon as the database is up to date, or if the master returns an - error. - -**-P** - Allow for an alternate port number for kpropd to listen on. This - is only useful in combination with the **-S** option. - -**-a** *acl_file* - Allows the user to specify the path to the kpropd.acl file; by - default the path used is |kdcdir|\ ``/kpropd.acl``. - - -ENVIRONMENT ------------ - -kpropd uses the following environment variables: - -* **KRB5_CONFIG** -* **KRB5_KDC_PROFILE** - - -FILES ------ - -kpropd.acl - Access file for kpropd; the default location is - ``/usr/local/var/krb5kdc/kpropd.acl``. Each entry is a line - containing the principal of a host from which the local machine - will allow Kerberos database propagation via :ref:`kprop(8)`. - - -SEE ALSO --------- - -:ref:`kprop(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)`, inetd(8) diff --git a/doc/html/_sources/admin/admin_commands/kproplog.txt b/doc/html/_sources/admin/admin_commands/kproplog.txt deleted file mode 100644 index ed90639..0000000 --- a/doc/html/_sources/admin/admin_commands/kproplog.txt +++ /dev/null @@ -1,85 +0,0 @@ -.. _kproplog(8): - -kproplog -======== - -SYNOPSIS --------- - -**kproplog** [**-h**] [**-e** *num*] [-v] -**kproplog** [-R] - - -DESCRIPTION ------------ - -The kproplog command displays the contents of the KDC database update -log to standard output. It can be used to keep track of incremental -updates to the principal database. The update log file contains the -update log maintained by the :ref:`kadmind(8)` process on the master -KDC server and the :ref:`kpropd(8)` process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned. - -The kproplog command requires read access to the update log file. It -will display update entries only for the KDC it runs on. - -If no options are specified, kproplog displays a summary of the update -log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays -only a summary of the updates, which includes the serial number of the -last update received and the associated time stamp of the last update. - - -OPTIONS -------- - -**-R** - Reset the update log. This forces full resynchronization. If used - on a slave then that slave will request a full resync. If used on - the master then all slaves will request full resyncs. - -**-h** - Display a summary of the update log. This information includes - the database version number, state of the database, the number of - updates in the log, the time stamp of the first and last update, - and the version number of the first and last update entry. - -**-e** *num* - Display the last *num* update entries in the log. This is useful - when debugging synchronization between KDC servers. - -**-v** - Display individual attributes per update. An example of the - output generated for one entry:: - - Update Entry - Update serial # : 4 - Update operation : Add - Update principal : test@EXAMPLE.COM - Update size : 424 - Update committed : True - Update time stamp : Fri Feb 20 23:37:42 2004 - Attributes changed : 6 - Principal - Key data - Password last changed - Modifying principal - Modification time - TL data - - -ENVIRONMENT ------------ - -kproplog uses the following environment variables: - -* **KRB5_KDC_PROFILE** - - -SEE ALSO --------- - -:ref:`kpropd(8)` diff --git a/doc/html/_sources/admin/admin_commands/krb5kdc.txt b/doc/html/_sources/admin/admin_commands/krb5kdc.txt deleted file mode 100644 index 7ec4ee4..0000000 --- a/doc/html/_sources/admin/admin_commands/krb5kdc.txt +++ /dev/null @@ -1,123 +0,0 @@ -.. _krb5kdc(8): - -krb5kdc -======= - -SYNOPSIS --------- - -**krb5kdc** -[**-x** *db_args*] -[**-d** *dbname*] -[**-k** *keytype*] -[**-M** *mkeyname*] -[**-p** *portnum*] -[**-m**] -[**-r** *realm*] -[**-n**] -[**-w** *numworkers*] -[**-P** *pid_file*] -[**-T** *time_offset*] - - -DESCRIPTION ------------ - -krb5kdc is the Kerberos version 5 Authentication Service and Key -Distribution Center (AS/KDC). - - -OPTIONS -------- - -The **-r** *realm* option specifies the realm for which the server -should provide service. - -The **-d** *dbname* option specifies the name under which the -principal database can be found. This option does not apply to the -LDAP database. - -The **-k** *keytype* option specifies the key type of the master key -to be entered manually as a password when **-m** is given; the default -is ``des-cbc-crc``. - -The **-M** *mkeyname* option specifies the principal name for the -master key in the database (usually ``K/M`` in the KDC's realm). - -The **-m** option specifies that the master database password should -be fetched from the keyboard rather than from a stash file. - -The **-n** option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. In -normal operation, you should always allow the KDC to place itself in -the background. - -The **-P** *pid_file* option tells the KDC to write its PID into -*pid_file* after it starts up. This can be used to identify whether -the KDC is still running and to allow init scripts to stop the correct -process. - -The **-p** *portnum* option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the :ref:`kdcdefaults` section of :ref:`kdc.conf(5)`, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88. - -The **-w** *numworkers* option tells the KDC to fork *numworkers* -processes to listen to the KDC ports and process requests in parallel. -The top level KDC process (whose pid is recorded in the pid file if -the **-P** option is also given) acts as a supervisor. The supervisor -will relay SIGHUP signals to the worker subprocesses, and will -terminate the worker subprocess if the it is itself terminated or if -any other worker process exits. - -.. note:: - - On operating systems which do not have *pktinfo* support, - using worker processes will prevent the KDC from listening - for UDP packets on network interfaces created after the KDC - starts. - -The **-x** *db_args* option specifies database-specific arguments. -See :ref:`Database Options ` in :ref:`kadmin(1)` for -supported arguments. - -The **-T** *offset* option specifies a time offset, in seconds, which -the KDC will operate under. It is intended only for testing purposes. - -EXAMPLE -------- - -The KDC may service requests for multiple realms (maximum 32 realms). -The realms are listed on the command line. Per-realm options that can -be specified on the command line pertain for each realm that follows -it and are superseded by subsequent definitions of the same option. - -For example:: - - krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3 - -specifies that the KDC listen on port 2001 for REALM1 and on port 2002 -for REALM2 and REALM3. Additionally, per-realm parameters may be -specified in the :ref:`kdc.conf(5)` file. The location of this file -may be specified by the **KRB5_KDC_PROFILE** environment variable. -Per-realm parameters specified in this file take precedence over -options specified on the command line. See the :ref:`kdc.conf(5)` -description for further details. - - -ENVIRONMENT ------------ - -krb5kdc uses the following environment variables: - -* **KRB5_CONFIG** -* **KRB5_KDC_PROFILE** - - -SEE ALSO --------- - -:ref:`kdb5_util(8)`, :ref:`kdc.conf(5)`, :ref:`krb5.conf(5)`, -:ref:`kdb5_ldap_util(8)` diff --git a/doc/html/_sources/admin/admin_commands/ktutil.txt b/doc/html/_sources/admin/admin_commands/ktutil.txt deleted file mode 100644 index d55ddc8..0000000 --- a/doc/html/_sources/admin/admin_commands/ktutil.txt +++ /dev/null @@ -1,133 +0,0 @@ -.. _ktutil(1): - -ktutil -====== - -SYNOPSIS --------- - -**ktutil** - - -DESCRIPTION ------------ - -The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab or Kerberos -V4 srvtab file. - - -COMMANDS --------- - -list -~~~~ - - **list** - -Displays the current keylist. - -Alias: **l** - -read_kt -~~~~~~~ - - **read_kt** *keytab* - -Read the Kerberos V5 keytab file *keytab* into the current keylist. - -Alias: **rkt** - -read_st -~~~~~~~ - - **read_st** *srvtab* - -Read the Kerberos V4 srvtab file *srvtab* into the current keylist. - -Alias: **rst** - -write_kt -~~~~~~~~ - - **write_kt** *keytab* - -Write the current keylist into the Kerberos V5 keytab file *keytab*. - -Alias: **wkt** - -write_st -~~~~~~~~ - - **write_st** *srvtab* - -Write the current keylist into the Kerberos V4 srvtab file *srvtab*. - -Alias: **wst** - -clear_list -~~~~~~~~~~ - - **clear_list** - -Clear the current keylist. - -Alias: **clear** - -delete_entry -~~~~~~~~~~~~ - - **delete_entry** *slot* - -Delete the entry in slot number *slot* from the current keylist. - -Alias: **delent** - -add_entry -~~~~~~~~~ - - **add_entry** {**-key**\|\ **-password**} **-p** *principal* - **-k** *kvno* **-e** *enctype* - -Add *principal* to keylist using key or password. - -Alias: **addent** - -list_requests -~~~~~~~~~~~~~ - - **list_requests** - -Displays a listing of available commands. - -Aliases: **lr**, **?** - -quit -~~~~ - - **quit** - -Quits ktutil. - -Aliases: **exit**, **q** - - -EXAMPLE -------- - - :: - - ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes128-cts-hmac-sha1-96 - Password for alice@BLEEP.COM: - ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e - aes256-cts-hmac-sha1-96 - Password for alice@BLEEP.COM: - ktutil: write_kt keytab - ktutil: - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kdb5_util(8)` diff --git a/doc/html/_sources/admin/admin_commands/sserver.txt b/doc/html/_sources/admin/admin_commands/sserver.txt deleted file mode 100644 index b4e4644..0000000 --- a/doc/html/_sources/admin/admin_commands/sserver.txt +++ /dev/null @@ -1,105 +0,0 @@ -.. _sserver(8): - -sserver -======= - -SYNOPSIS --------- - -**sserver** -[ **-p** *port* ] -[ **-S** *keytab* ] -[ *server_port* ] - - -DESCRIPTION ------------ - -sserver and :ref:`sclient(1)` are a simple demonstration client/server -application. When sclient connects to sserver, it performs a Kerberos -authentication, and then sserver returns to sclient the Kerberos -principal which was used for the Kerberos authentication. It makes a -good test that Kerberos has been successfully installed on a machine. - -The service name used by sserver and sclient is sample. Hence, -sserver will require that there be a keytab entry for the service -``sample/hostname.domain.name@REALM.NAME``. This keytab is generated -using the :ref:`kadmin(1)` program. The keytab file is usually -installed as |keytab|. - -The **-S** option allows for a different keytab than the default. - -sserver is normally invoked out of inetd(8), using a line in -``/etc/inetd.conf`` that looks like this:: - - sample stream tcp nowait root /usr/local/sbin/sserver sserver - -Since ``sample`` is normally not a port defined in ``/etc/services``, -you will usually have to add a line to ``/etc/services`` which looks -like this:: - - sample 13135/tcp - -When using sclient, you will first have to have an entry in the -Kerberos database, by using :ref:`kadmin(1)`, and then you have to get -Kerberos tickets, by using :ref:`kinit(1)`. Also, if you are running -the sclient program on a different host than the sserver it will be -connecting to, be sure that both hosts have an entry in /etc/services -for the sample tcp port, and that the same port number is in both -files. - -When you run sclient you should see something like this:: - - sendauth succeeded, reply is: - reply len 32, contents: - You are nlgilman@JIMI.MIT.EDU - - -COMMON ERROR MESSAGES ---------------------- - -1) kinit returns the error:: - - kinit: Client not found in Kerberos database while getting - initial credentials - - This means that you didn't create an entry for your username in the - Kerberos database. - -2) sclient returns the error:: - - unknown service sample/tcp; check /etc/services - - This means that you don't have an entry in /etc/services for the - sample tcp port. - -3) sclient returns the error:: - - connect: Connection refused - - This probably means you didn't edit /etc/inetd.conf correctly, or - you didn't restart inetd after editing inetd.conf. - -4) sclient returns the error:: - - sclient: Server not found in Kerberos database while using - sendauth - - This means that the ``sample/hostname@LOCAL.REALM`` service was not - defined in the Kerberos database; it should be created using - :ref:`kadmin(1)`, and a keytab file needs to be generated to make - the key for that service principal available for sclient. - -5) sclient returns the error:: - - sendauth rejected, error reply is: - "No such file or directory" - - This probably means sserver couldn't find the keytab file. It was - probably not installed in the proper directory. - - -SEE ALSO --------- - -:ref:`sclient(1)`, services(5), inetd(8) diff --git a/doc/html/_sources/admin/advanced/index.txt b/doc/html/_sources/admin/advanced/index.txt deleted file mode 100644 index 54add53..0000000 --- a/doc/html/_sources/admin/advanced/index.txt +++ /dev/null @@ -1,9 +0,0 @@ -Advanced topics -=============== - - -.. toctree:: - :maxdepth: 1 - - ldapbackend.rst - retiring-des.rst diff --git a/doc/html/_sources/admin/advanced/ldapbackend.txt b/doc/html/_sources/admin/advanced/ldapbackend.txt deleted file mode 100644 index 59c9eaa..0000000 --- a/doc/html/_sources/admin/advanced/ldapbackend.txt +++ /dev/null @@ -1,143 +0,0 @@ -.. _ldap_be_ubuntu: - -LDAP backend on Ubuntu 10.4 (lucid) -=================================== - -Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx) - - -Prerequisites -------------- - -Install the following packages: *slapd, ldap-utils* and *libldap2-dev* - -You can install the necessary packages with these commands:: - - sudo apt-get install slapd - sudo apt-get install ldap-utils - sudo apt-get install libldap2-dev - -Extend the user schema using schemas from standart OpenLDAP -distribution: *cosine, mics, nis, inetcomperson* :: - - ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif - ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif - ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif - ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif - - -Building Kerberos from source ------------------------------ - -:: - - ./configure --with-ldap - make - sudo make install - - -Setting up Kerberos -------------------- - -Configuration -~~~~~~~~~~~~~ - -Update kdc.conf with the LDAP back-end information:: - - [realms] - EXAMPLE.COM = { - database_module = LDAP - } - - [dbmodules] - LDAP = { - db_library = kldap - ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com - ldap_kdc_dn = cn=admin,dc=example,dc=com - ldap_kadmind_dn = cn=admin,dc=example,dc=com - ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash - ldap_servers = ldapi:/// - } - - -Schema -~~~~~~ - -From the source tree copy -``src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema`` into -``/etc/ldap/schema`` - -Warning: this step should be done after slapd is installed to avoid -problems with slapd installation. - -To convert kerberos.schema to run-time configuration (``cn=config``) -do the following: - -#. Create a temporary file ``/tmp/schema_convert.conf`` with the - following content:: - - include /etc/ldap/schema/kerberos.schema - -#. Create a temporary directory ``/tmp/krb5_ldif``. - -#. Run:: - - slaptest -f /tmp/schema_convert.conf -F /tmp/krb5_ldif - - This should in a new file named - ``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif``. - -#. Edit ``/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif`` by - replacing the lines:: - - dn: cn={0}kerberos - cn: {0}kerberos - - with - - dn: cn=kerberos,cn=schema,cn=config - cn: kerberos - - Also, remove following attribute-value pairs:: - - structuralObjectClass: olcSchemaConfig - entryUUID: ... - creatorsName: cn=config - createTimestamp: ... - entryCSN: ... - modifiersName: cn=config - modifyTimestamp: ... - -#. Load the new schema with ldapadd (with the proper authentication):: - - ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif - - which should result the message ``adding new entry - "cn=kerberos,cn=schema,cn=config"``. - - -Create Kerberos database ------------------------- - -Using LDAP administrator credentials, create Kerberos database and -master key stash:: - - kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s - -Stash the LDAP administrative passwords:: - - kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com - -Start :ref:`krb5kdc(8)`:: - - krb5kdc - -To destroy database run:: - - kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f - - -Useful references ------------------ - -* `Kerberos and LDAP `_ diff --git a/doc/html/_sources/admin/advanced/retiring-des.txt b/doc/html/_sources/admin/advanced/retiring-des.txt deleted file mode 100644 index 8bcf83d..0000000 --- a/doc/html/_sources/admin/advanced/retiring-des.txt +++ /dev/null @@ -1,417 +0,0 @@ -.. _retiring-des: - -Retiring DES -======================= - -Version 5 of the Kerberos protocol was originally implemented using -the Data Encryption Standard (DES) as a block cipher for encryption. -While it was considered secure at the time, advancements in computational -ability have rendered DES vulnerable to brute force attacks on its 56-bit -keyspace. As such, it is now considered insecure and should not be -used (:rfc:`6649`). - -History -------- - -DES was used in the original Kerberos implementation, and was the -only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was -added in version 1.1, with full support following in version 1.2. -The Advanced Encryption Standard (AES), which supersedes DES, gained -partial support in version 1.3.0 of krb5 and full support in version 1.3.2. -However, deployments of krb5 using Kerberos databases created with older -versions of krb5 will not necessarily start using strong crypto for -ordinary operation without administrator intervention. - -Types of keys -------------- - -* The database master key: This key is not exposed to user requests, - but is used to encrypt other key material stored in the kerberos - database. The database master key is currently stored as ``K/M`` - by default. -* Password-derived keys: User principals frequently have keys - derived from a password. When a new password is set, the KDC - uses various string2key functions to generate keys in the database - for that principal. -* Keytab keys: Application server principals generally use random - keys which are not derived from a password. When the database - entry is created, the KDC generates random keys of various enctypes - to enter in the database, which are conveyed to the application server - and stored in a keytab. -* Session keys: These are short-term keys generated by the KDC while - processing client requests, with an enctype selected by the KDC. - -For details on the various enctypes and how enctypes are selected by the KDC -for session keys and client/server long-term keys, see :ref:`enctypes`. -When using the :ref:`kadmin(1)` interface to generate new long-term keys, -the **-e** argument can be used to force a particular set of enctypes, -overriding the KDC default values. - -.. note:: - - When the KDC is selecting a session key, it has no knowledge about the - kerberos installation on the server which will receive the service ticket, - only what keys are in the database for the service principal. - In order to allow uninterrupted operation to - clients while migrating away from DES, care must be taken to ensure that - kerberos installations on application server machines are configured to - support newer encryption types before keys of those new encryption types - are created in the Kerberos database for those server principals. - -Upgrade procedure ------------------ - -This procedure assumes that the KDC software has already been upgraded -to a modern version of krb5 that supports non-DES keys, so that the -only remaining task is to update the actual keys used to service requests. -The realm used for demonstrating this procedure, ZONE.MIT.EDU, -is an example of the worst-case scenario, where all keys in the realm -are DES. The realm was initially created with a very old version of krb5, -and **supported_enctypes** in :ref:`kdc.conf(5)` was set to a value -appropriate when the KDC was installed, but was not updated as the KDC -was upgraded: - -:: - - [realms] - ZONE.MIT.EDU = { - [...] - master_key_type = des-cbc-crc - supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 - } - -This resulted in the keys for all principals in the realm being forced -to DES-only, unless specifically requested using :ref:`kadmin(1)`. - -Before starting the upgrade, all KDCs were running krb5 1.11, -and the database entries for some "high-value" principals were: - -:: - - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' - [...] - Number of keys: 1 - Key: vno 1, des-cbc-crc:v4 - [...] - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin' - [...] - Number of keys: 1 - Key: vno 15, des-cbc-crc - [...] - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw' - [...] - Number of keys: 1 - Key: vno 14, des-cbc-crc - [...] - -The ``krbtgt/REALM`` key appears to have never been changed since creation -(its kvno is 1), and all three database entries have only a des-cbc-crc key. - -The krbtgt key and KDC keys -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Perhaps the biggest single-step improvement in the security of the cell -is gained by strengthening the key of the ticket-granting service principal, -``krbtgt/REALM``---if this principal's key is compromised, so is the -entire realm. Since the server that will handle service tickets -for this principal is the KDC itself, it is easy to guarantee that it -will be configured to support any encryption types which might be -selected. However, the default KDC behavior when creating new keys is to -remove the old keys, which would invalidate all existing tickets issued -against that principal, rendering the TGTs cached by clients useless. -Instead, a new key can be created with the old key retained, so that -existing tickets will still function until their scheduled expiry -(see :ref:`changing_krbtgt_key`). - -:: - - [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ - > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ - > -keepold krbtgt/ZONE.MIT.EDU" - Authenticating as principal root/admin@ZONE.MIT.EDU with password. - Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. - -.. note:: - - The new ``krbtgt@REALM`` key should be propagated to slave KDCs - immediately so that TGTs issued by the master KDC can be used to - issue service tickets on slave KDCs. Slave KDCs will refuse requests - using the new TGT kvno until the new krbtgt entry has been propagated - to them. - -It is necessary to explicitly specify the enctypes for the new database -entry, since **supported_enctypes** has not been changed. Leaving -**supported_enctypes** unchanged makes a potential rollback operation -easier, since all new keys of new enctypes are the result of explicit -administrator action and can be easily enumerated. -Upgrading the krbtgt key should have minimal user-visible disruption other -than that described in the note above, since only clients which list the -new enctypes as supported will use them, per the procedure -in :ref:`session_key_selection`. -Once the krbtgt key is updated, the session and ticket keys for user -TGTs will be strong keys, but subsequent requests -for service tickets will still get DES keys until the service principals -have new keys generated. Application service -remains uninterrupted due to the key-selection procedure on the KDC. - -After the change, the database entry is now: - -:: - - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU' - [...] - Number of keys: 5 - Key: vno 2, aes256-cts-hmac-sha1-96 - Key: vno 2, aes128-cts-hmac-sha1-96 - Key: vno 2, des3-cbc-sha1 - Key: vno 2, des-cbc-crc - Key: vno 1, des-cbc-crc:v4 - [...] - -Since the expected disruptions from rekeying the krbtgt principal are -minor, after a short testing period, it is -appropriate to rekey the other high-value principals, ``kadmin/admin@REALM`` -and ``kadmin/changepw@REALM``. These are the service principals used for -changing user passwords and updating application keytabs. The kadmin -and password-changing services are regular kerberized services, so the -session-key-selection algorithm described in :ref:`session_key_selection` -applies. It is particularly important to have strong session keys for -these services, since user passwords and new long-term keys are conveyed -over the encrypted channel. - -:: - - [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ - > aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ - > kadmin/admin" - Authenticating as principal root/admin@ZONE.MIT.EDU with password. - Key for "kadmin/admin@ZONE.MIT.EDU" randomized. - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \ - > kadmin/changepw" - Authenticating as principal root/admin@ZONE.MIT.EDU with password. - Key for "kadmin/changepw@ZONE.MIT.EDU" randomized. - -It is not necessary to retain a single-DES key for these services, since -password changes are not part of normal daily workflow, and disruption -from a client failure is likely to be minimal. Furthermore, if a kerberos -client experiences failure changing a user password or keytab key, -this indicates that that client will become inoperative once services -are rekeyed to non-DES enctypes. Such problems can be detected early -at this stage, giving more time for corrective action. - -Adding strong keys to application servers -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Before switching the default enctypes for new keys over to strong enctypes, -it may be desired to test upgrading a handful of services with the -new configuration before flipping the switch for the defaults. This -still requires using the **-e** argument in :ref:`kadmin(1)` to get non-default -enctypes: - -:: - - [root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\ - > aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal - [root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \ - > /etc/zephyr/krb5.keytab -q "ktadd -e ${enctypes} \ - > -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU" - Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. - Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. - Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. - Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. - Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. - -Be sure to remove the old keys from the application keytab, per best -practice. - -:: - - [root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold - Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. - Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. - -Adding strong keys by default -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -Once the high-visibility services have been rekeyed, it is probably -appropriate to change :ref:`kdc.conf(5)` to generate keys with the new -encryption types by default. This enables server administrators to generate -new enctypes with the **change** subcommand of :ref:`k5srvutil(1)`, -and causes user password -changes to add new encryption types for their entries. It will probably -be necessary to implement administrative controls to cause all user -principal keys to be updated in a reasonable period of time, whether -by forcing password changes or a password synchronization service that -has access to the current password and can add the new keys. - -:: - - [realms] - ZONE.MIT.EDU = { - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal - -.. note:: - - The krb5kdc process must be restarted for these changes to take effect. - -At this point, all service administrators can update their services and the -servers behind them to take advantage of strong cryptography. -If necessary, the server's krb5 installation should be configured and/or -upgraded to a version supporting non-DES keys. See :ref:`enctypes` for -krb5 version and configuration settings. -Only when the service is configured to accept non-DES keys should -the key version number be incremented and new keys generated -(``k5srvutil change && k5srvutil delold``). - -:: - - root@dr-willy:~# k5srvutil change - Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. - Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. - Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab. - Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. - Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab. - root@dr-willy:~# klist -e -k -t /etc/krb5.keytab - Keytab name: WRFILE:/etc/krb5.keytab - KVNO Timestamp Principal - ---- ----------------- -------------------------------------------------------- - 2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) - 3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32) - root@dr-willy:~# k5srvutil delold - Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. - Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. - -When a single service principal is shared by multiple backend servers in -a load-balanced environment, it may be necessary to schedule downtime -or adjust the population in the load-balanced pool in order to propagate -the updated keytab to all hosts in the pool with minimal service interruption. - -Removing DES keys from usage -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -This situation remains something of a testing or transitory state, -as new DES keys are still being generated, and will be used if requested -by a client. To make more progress removing DES from the realm, the KDC -should be configured to not generate such keys by default. - -.. note:: - - An attacker posing as a client can implement a brute force attack against - a DES key for any principal, if that key is in the current (highest-kvno) - key list. This attack is only possible if **allow_weak_crypto = true** - is enabled on the KDC. Setting the **+requires_preauth** flag on a - principal forces this attack to be an online attack, much slower than - the offline attack otherwise available to the attacker. However, setting - this flag on a service principal is not always advisable; see the entry in - :ref:`add_principal` for details. - -The following KDC configuration will not generate DES keys by default: - -:: - - [realms] - ZONE.MIT.EDU = { - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal - -.. note:: - - As before, the KDC process must be restarted for this change to take - effect. It is best practice to update kdc.conf on all KDCs, not just the - master, to avoid unpleasant surprises should the master fail and a slave - need to be promoted. - -It is now appropriate to remove the legacy single-DES key from the -``krbtgt/REALM`` entry: - -:: - - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \ - > krbtgt/ZONE.MIT.EDU" - Authenticating as principal host/admin@ATHENA.MIT.EDU with password. - Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized. - -After the maximum ticket lifetime has passed, the old database entry -should be removed. - -:: - - [root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU' - Authenticating as principal root/admin@ZONE.MIT.EDU with password. - Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged. - -After the KDC is restarted with the new **supported_enctypes**, -all user password changes and application keytab updates will not -generate DES keys by default. - -:: - - contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU - Password for zonetest@ZONE.MIT.EDU: [enter old password] - Enter new password: [enter new password] - Enter it again: [enter new password] - Password changed. - contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest' - [...] - Number of keys: 3 - Key: vno 9, aes256-cts-hmac-sha1-96 - Key: vno 9, aes128-cts-hmac-sha1-96 - Key: vno 9, des3-cbc-sha1 - [...] - - [kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \ - > -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU' - Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab. - Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. - Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab. - Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab. - -Once all principals have been re-keyed, DES support can be disabled on the -KDC (**allow_weak_crypto = false**), and client machines can remove -**allow_weak_crypto = true** from their :ref:`krb5.conf(5)` configuration -files, completing the migration. **allow_weak_crypto** takes precedence over -all places where DES enctypes could be explicitly configured. DES keys will -not be used, even if they are present, when **allow_weak_crypto = false**. - -Support for legacy services -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If there remain legacy services which do not support non-DES enctypes -(such as older versions of AFS), **allow_weak_crypto** must remain -enabled on the KDC. Client machines need not have this setting, -though---applications which require DES can use API calls to allow -weak crypto on a per-request basis, overriding the system krb5.conf. -However, having **allow_weak_crypto** set on the KDC means that any -principals which have a DES key in the database could still use those -keys. To minimize the use of DES in the realm and restrict it to just -legacy services which require DES, it is necessary to remove all other -DES keys. The realm has been configured such that at password and -keytab change, no DES keys will be generated by default. The task -then reduces to requiring user password changes and having server -administrators update their service keytabs. Administrative outreach -will be necessary, and if the desire to eliminate DES is sufficiently -strong, the KDC administrators may choose to randkey any principals -which have not been rekeyed after some timeout period, forcing the -user to contact the helpdesk for access. - -The Database Master Key ------------------------ - -This procedure does not alter ``K/M@REALM``, the key used to encrypt key -material in the Kerberos database. (This is the key stored in the stash file -on the KDC if stash files are used.) However, the security risk of -a single-DES key for ``K/M`` is minimal, given that access to material -encrypted in ``K/M`` (the Kerberos database) is generally tightly controlled. -If an attacker can gain access to the encrypted database, they likely -have access to the stash file as well, rendering the weak cryptography -broken by non-cryptographic means. As such, upgrading ``K/M`` to a stronger -encryption type is unlikely to be a high-priority task. - -Is is possible to upgrade the master key used for the database, if -desired. Using :ref:`kdb5_util(8)`'s **add_mkey**, **use_mkey**, and -**update_princ_encryption** commands, a new master key can be added -and activated for use on new key material, and the existing entries -converted to the new master key. diff --git a/doc/html/_sources/admin/appl_servers.txt b/doc/html/_sources/admin/appl_servers.txt deleted file mode 100644 index f6474cd..0000000 --- a/doc/html/_sources/admin/appl_servers.txt +++ /dev/null @@ -1,147 +0,0 @@ -Application servers -=================== - -If you need to install the Kerberos V5 programs on an application -server, please refer to the Kerberos V5 Installation Guide. Once you -have installed the software, you need to add that host to the Kerberos -database (see :ref:`add_mod_del_princs`), and generate a keytab for -that host, that contains the host's key. You also need to make sure -the host's clock is within your maximum clock skew of the KDCs. - - -Keytabs -------- - -A keytab is a host's copy of its own keylist, which is analogous to a -user's password. An application server that needs to authenticate -itself to the KDC has to have a keytab that contains its own principal -and key. Just as it is important for users to protect their -passwords, it is equally important for hosts to protect their keytabs. -You should always store keytab files on local disk, and make them -readable only by root, and you should never send a keytab file over a -network in the clear. Ideally, you should run the :ref:`kadmin(1)` -command to extract a keytab on the host on which the keytab is to -reside. - - -.. _add_princ_kt: - -Adding principals to keytabs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To generate a keytab, or to add a principal to an existing keytab, use -the **ktadd** command from kadmin. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _ktadd: - :end-before: _ktadd_end: - - -Examples -######## - -Here is a sample session, using configuration files that enable only -AES encryption:: - - kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU - Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab - Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab - kadmin: - - -Removing principals from keytabs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To remove a principal from an existing keytab, use the kadmin -**ktremove** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _ktremove: - :end-before: _ktremove_end: - - -Clock Skew ----------- - -A Kerberos application server host must keep its clock synchronized or -it will reject authentication requests from clients. Modern operating -systems typically provide a facility to maintain the correct time; -make sure it is enabled. This is especially important on virtual -machines, where clocks tend to drift more rapidly than normal machine -clocks. - -The default allowable clock skew is controlled by the **clockskew** -variable in :ref:`libdefaults`. - - -Getting DNS information correct -------------------------------- - -Several aspects of Kerberos rely on name service. When a hostname is -used to name a service, the Kerberos library canonicalizes the -hostname using forward and reverse name resolution. (The reverse name -resolution step can be turned off using the **rdns** variable in -:ref:`libdefaults`.) The result of this canonicalization must match -the principal entry in the host's keytab, or authentication will fail. - -Each host's canonical name must be the fully-qualified host name -(including the domain), and each host's IP address must -reverse-resolve to the canonical name. - -Configuration of hostnames varies by operating system. On the -application server itself, canonicalization will typically use the -``/etc/hosts`` file rather than the DNS. Ensure that the line for the -server's hostname is in the following form:: - - IP address fully-qualified hostname aliases - -Here is a sample ``/etc/hosts`` file:: - - # this is a comment - 127.0.0.1 localhost localhost.mit.edu - 10.0.0.6 daffodil.mit.edu daffodil trillium wake-robin - -The output of ``klist -k`` for this example host should look like:: - - viola# klist -k - Keytab name: /etc/krb5.keytab - KVNO Principal - ---- ------------------------------------------------------------ - 2 host/daffodil.mit.edu@ATHENA.MIT.EDU - -If you were to ssh to this host with a fresh credentials cache (ticket -file), and then :ref:`klist(1)`, the output should list a service -principal of ``host/daffodil.mit.edu@ATHENA.MIT.EDU``. - - -.. _conf_firewall: - -Configuring your firewall to work with Kerberos V5 --------------------------------------------------- - -If you need off-site users to be able to get Kerberos tickets in your -realm, they must be able to get to your KDC. This requires either -that you have a slave KDC outside your firewall, or that you configure -your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other -ports may be specified in the KDC's :ref:`kdc.conf(5)` file.) -Similarly, if you need off-site users to be able to change their -passwords in your realm, they must be able to get to your Kerberos -admin server on the kpasswd port (which defaults to 464). If you need -off-site users to be able to administer your Kerberos realm, they must -be able to get to your Kerberos admin server on the administrative -port (which defaults to 749). - -If your on-site users inside your firewall will need to get to KDCs in -other realms, you will also need to configure your firewall to allow -outgoing TCP and UDP requests to port 88, and to port 464 to allow -password changes. If your on-site users inside your firewall will -need to get to Kerberos admin servers in other realms, you will also -need to allow outgoing TCP and UDP requests to port 749. - -If any of your KDCs are outside your firewall, you will need to allow -kprop requests to get through to the remote KDC. :ref:`kprop(8)` uses -the ``krb5_prop`` service on port 754 (tcp). - -The book *UNIX System Security*, by David Curry, is a good starting -point for learning to configure firewalls. diff --git a/doc/html/_sources/admin/auth_indicator.txt b/doc/html/_sources/admin/auth_indicator.txt deleted file mode 100644 index b13905e..0000000 --- a/doc/html/_sources/admin/auth_indicator.txt +++ /dev/null @@ -1,57 +0,0 @@ -.. _auth_indicator: - -Authentication indicators -========================= - -As of release 1.14, the KDC can be configured to annotate tickets if -the client authenticated using a stronger preauthentication mechanism -such as :ref:`PKINIT ` or :ref:`OTP `. These -annotations are called "authentication indicators." Service -principals can be configured to require particular authentication -indicators in order to authenticate to that service. An -authentication indicator value can be any string chosen by the KDC -administrator; there are no pre-set values. - -To use authentication indicators with PKINIT or OTP, first configure -the KDC to include an indicator when that preauthentication mechanism -is used. For PKINIT, use the **pkinit_indicator** variable in -:ref:`kdc.conf(5)`. For OTP, use the **indicator** variable in the -token type definition, or specify the indicators in the **otp** user -string as described in :ref:`otp_preauth`. - -To require an indicator to be present in order to authenticate to a -service principal, set the **require_auth** string attribute on the -principal to the indicator value to be required. If you wish to allow -one of several indicators to be accepted, you can specify multiple -indicator values separated by spaces. - -For example, a realm could be configured to set the authentication -indicator value "strong" when PKINIT is used to authenticate, using a -setting in the :ref:`kdc_realms` subsection:: - - pkinit_indicator = strong - -A service principal could be configured to require the "strong" -authentication indicator value:: - - $ kadmin setstr host/high.value.server require_auth strong - Password for user/admin@KRBTEST.COM: - -A user who authenticates with PKINIT would be able to obtain a ticket -for the service principal:: - - $ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user - $ kvno host/high.value.server - host/high.value.server@KRBTEST.COM: kvno = 1 - -but a user who authenticates with a password would not:: - - $ kinit user - Password for user@KRBTEST.COM: - $ kvno host/high.value.server - kvno: KDC policy rejects request while getting credentials for - host/high.value.server@KRBTEST.COM - -GSSAPI server applications can inspect authentication indicators -through the :ref:`auth-indicators ` name -attribute. diff --git a/doc/html/_sources/admin/backup_host.txt b/doc/html/_sources/admin/backup_host.txt deleted file mode 100644 index a0c2a28..0000000 --- a/doc/html/_sources/admin/backup_host.txt +++ /dev/null @@ -1,34 +0,0 @@ -Backups of secure hosts -======================= - -When you back up a secure host, you should exclude the host's keytab -file from the backup. If someone obtained a copy of the keytab from a -backup, that person could make any host masquerade as the host whose -keytab was compromised. In many configurations, knowledge of the -host's keytab also allows root access to the host. This could be -particularly dangerous if the compromised keytab was from one of your -KDCs. If the machine has a disk crash and the keytab file is lost, it -is easy to generate another keytab file. (See :ref:`add_princ_kt`.) -If you are unable to exclude particular files from backups, you should -ensure that the backups are kept as secure as the host's root -password. - - -Backing up the Kerberos database --------------------------------- - -As with any file, it is possible that your Kerberos database could -become corrupted. If this happens on one of the slave KDCs, you might -never notice, since the next automatic propagation of the database -would install a fresh copy. However, if it happens to the master KDC, -the corrupted database would be propagated to all of the slaves during -the next propagation. For this reason, MIT recommends that you back -up your Kerberos database regularly. Because the master KDC is -continuously dumping the database to a file in order to propagate it -to the slave KDCs, it is a simple matter to have a cron job -periodically copy the dump file to a secure machine elsewhere on your -network. (Of course, it is important to make the host where these -backups are stored as secure as your KDCs, and to encrypt its -transmission across your network.) Then if your database becomes -corrupted, you can load the most recent dump onto the master KDC. -(See :ref:`restore_from_dump`.) diff --git a/doc/html/_sources/admin/conf_files/index.txt b/doc/html/_sources/admin/conf_files/index.txt deleted file mode 100644 index a04836a..0000000 --- a/doc/html/_sources/admin/conf_files/index.txt +++ /dev/null @@ -1,20 +0,0 @@ -Configuration Files -=================== - -Kerberos uses configuration files to allow administrators to specify -settings on a per-machine basis. :ref:`krb5.conf(5)` applies to all -applications using the Kerboros library, on clients and servers. -For KDC-specific applications, additional settings can be specified in -:ref:`kdc.conf(5)`; the two files are merged into a configuration profile -used by applications accessing the KDC database directly. :ref:`kadm5.acl(5)` -is also only used on the KDC, it controls permissions for modifying the -KDC database. - -Contents --------- -.. toctree:: - :maxdepth: 1 - - krb5_conf - kdc_conf - kadm5_acl diff --git a/doc/html/_sources/admin/conf_files/kadm5_acl.txt b/doc/html/_sources/admin/conf_files/kadm5_acl.txt deleted file mode 100644 index 138a2d7..0000000 --- a/doc/html/_sources/admin/conf_files/kadm5_acl.txt +++ /dev/null @@ -1,150 +0,0 @@ -.. _kadm5.acl(5): - -kadm5.acl -========= - -DESCRIPTION ------------ - -The Kerberos :ref:`kadmind(8)` daemon uses an Access Control List -(ACL) file to manage access rights to the Kerberos database. -For operations that affect principals, the ACL file also controls -which principals can operate on which other principals. - -The default location of the Kerberos ACL file is -|kdcdir|\ ``/kadm5.acl`` unless this is overridden by the *acl_file* -variable in :ref:`kdc.conf(5)`. - -SYNTAX ------- - -Empty lines and lines starting with the sharp sign (``#``) are -ignored. Lines containing ACL entries have the format:: - - principal permissions [target_principal [restrictions] ] - -.. note:: - - Line order in the ACL file is important. The first matching entry - will control access for an actor principal on a target principal. - -*principal* - (Partially or fully qualified Kerberos principal name.) Specifies - the principal whose permissions are to be set. - - Each component of the name may be wildcarded using the ``*`` - character. - -*permissions* - Specifies what operations may or may not be performed by a - *principal* matching a particular entry. This is a string of one or - more of the following list of characters or their upper-case - counterparts. If the character is *upper-case*, then the operation - is disallowed. If the character is *lower-case*, then the operation - is permitted. - - == ====================================================== - a [Dis]allows the addition of principals or policies - c [Dis]allows the changing of passwords for principals - d [Dis]allows the deletion of principals or policies - e [Dis]allows the extraction of principal keys - i [Dis]allows inquiries about principals or policies - l [Dis]allows the listing of all principals or policies - m [Dis]allows the modification of principals or policies - p [Dis]allows the propagation of the principal database (used in :ref:`incr_db_prop`) - s [Dis]allows the explicit setting of the key for a principal - x Short for admcilsp. All privileges (except ``e``) - \* Same as x. - == ====================================================== - -.. note:: - - The ``extract`` privilege is not included in the wildcard - privilege; it must be explicitly assigned. This privilege - allows the user to extract keys from the database, and must be - handled with great care to avoid disclosure of important keys - like those of the kadmin/* or krbtgt/* principals. The - **lockdown_keys** principal attribute can be used to prevent - key extraction from specific principals regardless of the - granted privilege. - -*target_principal* - (Optional. Partially or fully qualified Kerberos principal name.) - Specifies the principal on which *permissions* may be applied. - Each component of the name may be wildcarded using the ``*`` - character. - - *target_principal* can also include back-references to *principal*, - in which ``*number`` matches the corresponding wildcard in - *principal*. - -*restrictions* - (Optional) A string of flags. Allowed restrictions are: - - {+\|-}\ *flagname* - flag is forced to the indicated value. The permissible flags - are the same as those for the **default_principal_flags** - variable in :ref:`kdc.conf(5)`. - - *-clearpolicy* - policy is forced to be empty. - - *-policy pol* - policy is forced to be *pol*. - - -{*expire, pwexpire, maxlife, maxrenewlife*} *time* - (:ref:`getdate` string) associated value will be forced to - MIN(*time*, requested value). - - The above flags act as restrictions on any add or modify operation - which is allowed due to that ACL line. - -.. warning:: - - If the kadmind ACL file is modified, the kadmind daemon needs to be - restarted for changes to take effect. - -EXAMPLE -------- - -Here is an example of a kadm5.acl file:: - - */admin@ATHENA.MIT.EDU * # line 1 - joeadmin@ATHENA.MIT.EDU ADMCIL # line 2 - joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU # line 3 - */root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU # line 4 - */root@ATHENA.MIT.EDU l * # line 5 - sms@ATHENA.MIT.EDU x * -maxlife 9h -postdateable # line 6 - -(line 1) Any principal in the ``ATHENA.MIT.EDU`` realm with an -``admin`` instance has all administrative privileges except extracting -keys. - -(lines 1-3) The user ``joeadmin`` has all permissions except -extracting keys with his ``admin`` instance, -``joeadmin/admin@ATHENA.MIT.EDU`` (matches line 1). He has no -permissions at all with his null instance, ``joeadmin@ATHENA.MIT.EDU`` -(matches line 2). His ``root`` and other non-``admin``, non-null -instances (e.g., ``extra`` or ``dbadmin``) have inquire permissions -with any principal that has the instance ``root`` (matches line 3). - -(line 4) Any ``root`` principal in ``ATHENA.MIT.EDU`` can inquire -or change the password of their null instance, but not any other -null instance. (Here, ``*1`` denotes a back-reference to the -component matching the first wildcard in the actor principal.) - -(line 5) Any ``root`` principal in ``ATHENA.MIT.EDU`` can generate -the list of principals in the database, and the list of policies -in the database. This line is separate from line 4, because list -permission can only be granted globally, not to specific target -principals. - -(line 6) Finally, the Service Management System principal -``sms@ATHENA.MIT.EDU`` has all permissions except extracting keys, but -any principal that it creates or modifies will not be able to get -postdateable tickets or tickets with a life of longer than 9 hours. - -SEE ALSO --------- - -:ref:`kdc.conf(5)`, :ref:`kadmind(8)` diff --git a/doc/html/_sources/admin/conf_files/kdc_conf.txt b/doc/html/_sources/admin/conf_files/kdc_conf.txt deleted file mode 100644 index 4e54f7e..0000000 --- a/doc/html/_sources/admin/conf_files/kdc_conf.txt +++ /dev/null @@ -1,937 +0,0 @@ -.. _kdc.conf(5): - -kdc.conf -======== - -The kdc.conf file supplements :ref:`krb5.conf(5)` for programs which -are typically only used on a KDC, such as the :ref:`krb5kdc(8)` and -:ref:`kadmind(8)` daemons and the :ref:`kdb5_util(8)` program. -Relations documented here may also be specified in krb5.conf; for the -KDC programs mentioned, krb5.conf and kdc.conf will be merged into a -single configuration profile. - -Normally, the kdc.conf file is found in the KDC state directory, -|kdcdir|. You can override the default location by setting the -environment variable **KRB5_KDC_PROFILE**. - -Please note that you need to restart the KDC daemon for any configuration -changes to take effect. - -Structure ---------- - -The kdc.conf file is set up in the same format as the -:ref:`krb5.conf(5)` file. - - -Sections --------- - -The kdc.conf file may contain the following sections: - -==================== ================================================= -:ref:`kdcdefaults` Default values for KDC behavior -:ref:`kdc_realms` Realm-specific database configuration and settings -:ref:`dbdefaults` Default database settings -:ref:`dbmodules` Per-database settings -:ref:`logging` Controls how Kerberos daemons perform logging -==================== ================================================= - - -.. _kdcdefaults: - -[kdcdefaults] -~~~~~~~~~~~~~ - -With two exceptions, relations in the [kdcdefaults] section specify -default values for realm variables, to be used if the [realms] -subsection does not contain a relation for the tag. See the -:ref:`kdc_realms` section for the definitions of these relations. - -* **host_based_services** -* **kdc_listen** -* **kdc_ports** -* **kdc_tcp_listen** -* **kdc_tcp_ports** -* **no_host_referral** -* **restrict_anonymous_to_tgt** - -**kdc_max_dgram_reply_size** - Specifies the maximum packet size that can be sent over UDP. The - default value is 4096 bytes. - -**kdc_tcp_listen_backlog** - (Integer.) Set the size of the listen queue length for the KDC - daemon. The value may be limited by OS settings. The default - value is 5. - - -.. _kdc_realms: - -[realms] -~~~~~~~~ - -Each tag in the [realms] section is the name of a Kerberos realm. The -value of the tag is a subsection where the relations define KDC -parameters for that particular realm. The following example shows how -to define one parameter for the ATHENA.MIT.EDU realm:: - - [realms] - ATHENA.MIT.EDU = { - max_renewable_life = 7d 0h 0m 0s - } - -The following tags may be specified in a [realms] subsection: - -**acl_file** - (String.) Location of the access control list file that - :ref:`kadmind(8)` uses to determine which principals are allowed - which permissions on the Kerberos database. The default value is - |kdcdir|\ ``/kadm5.acl``. For more information on Kerberos ACL - file see :ref:`kadm5.acl(5)`. - -**database_module** - (String.) This relation indicates the name of the configuration - section under :ref:`dbmodules` for database-specific parameters - used by the loadable database library. The default value is the - realm name. If this configuration section does not exist, default - values will be used for all database parameters. - -**database_name** - (String, deprecated.) This relation specifies the location of the - Kerberos database for this realm, if the DB2 module is being used - and the :ref:`dbmodules` configuration section does not specify a - database name. The default value is |kdcdir|\ ``/principal``. - -**default_principal_expiration** - (:ref:`abstime` string.) Specifies the default expiration date of - principals created in this realm. The default value is 0, which - means no expiration date. - -**default_principal_flags** - (Flag string.) Specifies the default attributes of principals - created in this realm. The format for this string is a - comma-separated list of flags, with '+' before each flag that - should be enabled and '-' before each flag that should be - disabled. The **postdateable**, **forwardable**, **tgt-based**, - **renewable**, **proxiable**, **dup-skey**, **allow-tickets**, and - **service** flags default to enabled. - - There are a number of possible flags: - - **allow-tickets** - Enabling this flag means that the KDC will issue tickets for - this principal. Disabling this flag essentially deactivates - the principal within this realm. - - **dup-skey** - Enabling this flag allows the principal to obtain a session - key for another user, permitting user-to-user authentication - for this principal. - - **forwardable** - Enabling this flag allows the principal to obtain forwardable - tickets. - - **hwauth** - If this flag is enabled, then the principal is required to - preauthenticate using a hardware device before receiving any - tickets. - - **no-auth-data-required** - Enabling this flag prevents PAC or AD-SIGNEDPATH data from - being added to service tickets for the principal. - - **ok-as-delegate** - If this flag is enabled, it hints the client that credentials - can and should be delegated when authenticating to the - service. - - **ok-to-auth-as-delegate** - Enabling this flag allows the principal to use S4USelf tickets. - - **postdateable** - Enabling this flag allows the principal to obtain postdateable - tickets. - - **preauth** - If this flag is enabled on a client principal, then that - principal is required to preauthenticate to the KDC before - receiving any tickets. On a service principal, enabling this - flag means that service tickets for this principal will only - be issued to clients with a TGT that has the preauthenticated - bit set. - - **proxiable** - Enabling this flag allows the principal to obtain proxy - tickets. - - **pwchange** - Enabling this flag forces a password change for this - principal. - - **pwservice** - If this flag is enabled, it marks this principal as a password - change service. This should only be used in special cases, - for example, if a user's password has expired, then the user - has to get tickets for that principal without going through - the normal password authentication in order to be able to - change the password. - - **renewable** - Enabling this flag allows the principal to obtain renewable - tickets. - - **service** - Enabling this flag allows the the KDC to issue service tickets - for this principal. - - **tgt-based** - Enabling this flag allows a principal to obtain tickets based - on a ticket-granting-ticket, rather than repeating the - authentication process that was used to obtain the TGT. - -**dict_file** - (String.) Location of the dictionary file containing strings that - are not allowed as passwords. The file should contain one string - per line, with no additional whitespace. If none is specified or - if there is no policy assigned to the principal, no dictionary - checks of passwords will be performed. - -**host_based_services** - (Whitespace- or comma-separated list.) Lists services which will - get host-based referral processing even if the server principal is - not marked as host-based by the client. - -**iprop_enable** - (Boolean value.) Specifies whether incremental database - propagation is enabled. The default value is false. - -**iprop_master_ulogsize** - (Integer.) Specifies the maximum number of log entries to be - retained for incremental propagation. The default value is 1000. - Prior to release 1.11, the maximum value was 2500. - -**iprop_slave_poll** - (Delta time string.) Specifies how often the slave KDC polls for - new updates from the master. The default value is ``2m`` (that - is, two minutes). - -**iprop_listen** - (Whitespace- or comma-separated list.) Specifies the iprop RPC - listening addresses and/or ports for the :ref:`kadmind(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If kadmind fails to bind - to any of the specified addresses, it will fail to start. The - default (when **iprop_enable** is true) is to bind to the wildcard - address at the port specified in **iprop_port**. New in release - 1.15. - -**iprop_port** - (Port number.) Specifies the port number to be used for - incremental propagation. When **iprop_enable** is true, this - relation is required in the slave configuration file, and this - relation or **iprop_listen** is required in the master - configuration file, as there is no default port number. Port - numbers specified in **iprop_listen** entries will override this - port number for the :ref:`kadmind(8)` daemon. - -**iprop_resync_timeout** - (Delta time string.) Specifies the amount of time to wait for a - full propagation to complete. This is optional in configuration - files, and is used by slave KDCs only. The default value is 5 - minutes (``5m``). New in release 1.11. - -**iprop_logfile** - (File name.) Specifies where the update log file for the realm - database is to be stored. The default is to use the - **database_name** entry from the realms section of the krb5 config - file, with ``.ulog`` appended. (NOTE: If **database_name** isn't - specified in the realms section, perhaps because the LDAP database - back end is being used, or the file name is specified in the - [dbmodules] section, then the hard-coded default for - **database_name** is used. Determination of the **iprop_logfile** - default value will not use values from the [dbmodules] section.) - -**kadmind_listen** - (Whitespace- or comma-separated list.) Specifies the kadmin RPC - listening addresses and/or ports for the :ref:`kadmind(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If kadmind fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address at the port specified - in **kadmind_port**, or the standard kadmin port (749). New in - release 1.15. - -**kadmind_port** - (Port number.) Specifies the port on which the :ref:`kadmind(8)` - daemon is to listen for this realm. Port numbers specified in - **kadmind_listen** entries will override this port number. The - assigned port for kadmind is 749, which is used by default. - -**key_stash_file** - (String.) Specifies the location where the master key has been - stored (via kdb5_util stash). The default is |kdcdir|\ - ``/.k5.REALM``, where *REALM* is the Kerberos realm. - -**kdc_listen** - (Whitespace- or comma-separated list.) Specifies the UDP - listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. If the KDC daemon fails to bind - to any of the specified addresses, it will fail to start. The - default is to bind to the wildcard address on the standard port. - New in release 1.15. - -**kdc_ports** - (Whitespace- or comma-separated list, deprecated.) Prior to - release 1.15, this relation lists the ports for the - :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In - release 1.15 and later, it has the same meaning as **kdc_listen** - if that relation is not defined. - -**kdc_tcp_listen** - (Whitespace- or comma-separated list.) Specifies the TCP - listening addresses and/or ports for the :ref:`krb5kdc(8)` daemon. - Each entry may be an interface address, a port number, or an - address and port number separated by a colon. If the address - contains colons, enclose it in square brackets. If no address is - specified, the wildcard address is used. If no port is specified, - the standard port (88) is used. To disable listening on TCP, set - this relation to the empty string with ``kdc_tcp_listen = ""``. - If the KDC daemon fails to bind to any of the specified addresses, - it will fail to start. The default is to bind to the wildcard - address on the standard port. New in release 1.15. - -**kdc_tcp_ports** - (Whitespace- or comma-separated list, deprecated.) Prior to - release 1.15, this relation lists the ports for the - :ref:`krb5kdc(8)` daemon to listen on for UDP requests. In - release 1.15 and later, it has the same meaning as - **kdc_tcp_listen** if that relation is not defined. - -**kpasswd_listen** - (Comma-separated list.) Specifies the kpasswd listening addresses - and/or ports for the :ref:`kadmind(8)` daemon. Each entry may be - an interface address, a port number, or an address and port number - separated by a colon. If the address contains colons, enclose it - in square brackets. If no address is specified, the wildcard - address is used. If kadmind fails to bind to any of the specified - addresses, it will fail to start. The default is to bind to the - wildcard address at the port specified in **kpasswd_port**, or the - standard kpasswd port (464). New in release 1.15. - -**kpasswd_port** - (Port number.) Specifies the port on which the :ref:`kadmind(8)` - daemon is to listen for password change requests for this realm. - Port numbers specified in **kpasswd_listen** entries will override - this port number. The assigned port for password change requests - is 464, which is used by default. - -**master_key_name** - (String.) Specifies the name of the principal associated with the - master key. The default is ``K/M``. - -**master_key_type** - (Key type string.) Specifies the master key's key type. The - default value for this is |defmkey|. For a list of all possible - values, see :ref:`Encryption_types`. - -**max_life** - (:ref:`duration` string.) Specifies the maximum time period for - which a ticket may be valid in this realm. The default value is - 24 hours. - -**max_renewable_life** - (:ref:`duration` string.) Specifies the maximum time period - during which a valid ticket may be renewed in this realm. - The default value is 0. - -**no_host_referral** - (Whitespace- or comma-separated list.) Lists services to block - from getting host-based referral processing, even if the client - marks the server principal as host-based or the service is also - listed in **host_based_services**. ``no_host_referral = *`` will - disable referral processing altogether. - -**des_crc_session_supported** - (Boolean value). If set to true, the KDC will assume that service - principals support des-cbc-crc for session key enctype negotiation - purposes. If **allow_weak_crypto** in :ref:`libdefaults` is - false, or if des-cbc-crc is not a permitted enctype, then this - variable has no effect. Defaults to true. New in release 1.11. - -**reject_bad_transit** - (Boolean value.) If set to true, the KDC will check the list of - transited realms for cross-realm tickets against the transit path - computed from the realm names and the capaths section of its - :ref:`krb5.conf(5)` file; if the path in the ticket to be issued - contains any realms not in the computed path, the ticket will not - be issued, and an error will be returned to the client instead. - If this value is set to false, such tickets will be issued - anyways, and it will be left up to the application server to - validate the realm transit path. - - If the disable-transited-check flag is set in the incoming - request, this check is not performed at all. Having the - **reject_bad_transit** option will cause such ticket requests to - be rejected always. - - This transit path checking and config file option currently apply - only to TGS requests. - - The default value is true. - -**restrict_anonymous_to_tgt** - (Boolean value.) If set to true, the KDC will reject ticket - requests from anonymous principals to service principals other - than the realm's ticket-granting service. This option allows - anonymous PKINIT to be enabled for use as FAST armor tickets - without allowing anonymous authentication to services. The - default value is false. New in release 1.9. - -**supported_enctypes** - (List of *key*:*salt* strings.) Specifies the default key/salt - combinations of principals for this realm. Any principals created - through :ref:`kadmin(1)` will have keys of these types. The - default value for this tag is |defkeysalts|. For lists of - possible values, see :ref:`Keysalt_lists`. - - -.. _dbdefaults: - -[dbdefaults] -~~~~~~~~~~~~ - -The [dbdefaults] section specifies default values for some database -parameters, to be used if the [dbmodules] subsection does not contain -a relation for the tag. See the :ref:`dbmodules` section for the -definitions of these relations. - -* **ldap_kerberos_container_dn** -* **ldap_kdc_dn** -* **ldap_kdc_sasl_authcid** -* **ldap_kdc_sasl_authzid** -* **ldap_kdc_sasl_mech** -* **ldap_kdc_sasl_realm** -* **ldap_kadmind_dn** -* **ldap_kadmind_sasl_authcid** -* **ldap_kadmind_sasl_authzid** -* **ldap_kadmind_sasl_mech** -* **ldap_kadmind_sasl_realm** -* **ldap_service_password_file** -* **ldap_servers** -* **ldap_conns_per_server** - - -.. _dbmodules: - -[dbmodules] -~~~~~~~~~~~ - -The [dbmodules] section contains parameters used by the KDC database -library and database modules. Each tag in the [dbmodules] section is -the name of a Kerberos realm or a section name specified by a realm's -**database_module** parameter. The following example shows how to -define one database parameter for the ATHENA.MIT.EDU realm:: - - [dbmodules] - ATHENA.MIT.EDU = { - disable_last_success = true - } - -The following tags may be specified in a [dbmodules] subsection: - -**database_name** - This DB2-specific tag indicates the location of the database in - the filesystem. The default is |kdcdir|\ ``/principal``. - -**db_library** - This tag indicates the name of the loadable database module. The - value should be ``db2`` for the DB2 module and ``kldap`` for the - LDAP module. - -**disable_last_success** - If set to ``true``, suppresses KDC updates to the "Last successful - authentication" field of principal entries requiring - preauthentication. Setting this flag may improve performance. - (Principal entries which do not require preauthentication never - update the "Last successful authentication" field.). First - introduced in release 1.9. - -**disable_lockout** - If set to ``true``, suppresses KDC updates to the "Last failed - authentication" and "Failed password attempts" fields of principal - entries requiring preauthentication. Setting this flag may - improve performance, but also disables account lockout. First - introduced in release 1.9. - -**ldap_conns_per_server** - This LDAP-specific tag indicates the number of connections to be - maintained per LDAP server. - -**ldap_kdc_dn** and **ldap_kadmind_dn** - These LDAP-specific tags indicate the default DN for binding to - the LDAP server. The :ref:`krb5kdc(8)` daemon uses - **ldap_kdc_dn**, while the :ref:`kadmind(8)` daemon and other - administrative programs use **ldap_kadmind_dn**. The kadmind DN - must have the rights to read and write the Kerberos data in the - LDAP database. The KDC DN must have the same rights, unless - **disable_lockout** and **disable_last_success** are true, in - which case it only needs to have rights to read the Kerberos data. - These tags are ignored if a SASL mechanism is set with - **ldap_kdc_sasl_mech** or **ldap_kadmind_sasl_mech**. - -**ldap_kdc_sasl_mech** and **ldap_kadmind_sasl_mech** - These LDAP-specific tags specify the SASL mechanism (such as - ``EXTERNAL``) to use when binding to the LDAP server. New in - release 1.13. - -**ldap_kdc_sasl_authcid** and **ldap_kadmind_sasl_authcid** - These LDAP-specific tags specify the SASL authentication identity - to use when binding to the LDAP server. Not all SASL mechanisms - require an authentication identity. If the SASL mechanism - requires a secret (such as the password for ``DIGEST-MD5``), these - tags also determine the name within the - **ldap_service_password_file** where the secret is stashed. New - in release 1.13. - -**ldap_kdc_sasl_authzid** and **ldap_kadmind_sasl_authzid** - These LDAP-specific tags specify the SASL authorization identity - to use when binding to the LDAP server. In most circumstances - they do not need to be specified. New in release 1.13. - -**ldap_kdc_sasl_realm** and **ldap_kadmind_sasl_realm** - These LDAP-specific tags specify the SASL realm to use when - binding to the LDAP server. In most circumstances they do not - need to be set. New in release 1.13. - -**ldap_kerberos_container_dn** - This LDAP-specific tag indicates the DN of the container object - where the realm objects will be located. - -**ldap_servers** - This LDAP-specific tag indicates the list of LDAP servers that the - Kerberos servers can connect to. The list of LDAP servers is - whitespace-separated. The LDAP server is specified by a LDAP URI. - It is recommended to use ``ldapi:`` or ``ldaps:`` URLs to connect - to the LDAP server. - -**ldap_service_password_file** - This LDAP-specific tag indicates the file containing the stashed - passwords (created by ``kdb5_ldap_util stashsrvpw``) for the - **ldap_kdc_dn** and **ldap_kadmind_dn** objects, or for the - **ldap_kdc_sasl_authcid** or **ldap_kadmind_sasl_authcid** names - for SASL authentication. This file must be kept secure. - -**unlockiter** - If set to ``true``, this DB2-specific tag causes iteration - operations to release the database lock while processing each - principal. Setting this flag to ``true`` can prevent extended - blocking of KDC or kadmin operations when dumps of large databases - are in progress. First introduced in release 1.13. - -The following tag may be specified directly in the [dbmodules] -section to control where database modules are loaded from: - -**db_module_dir** - This tag controls where the plugin system looks for database - modules. The value should be an absolute path. - -.. _logging: - -[logging] -~~~~~~~~~ - -The [logging] section indicates how :ref:`krb5kdc(8)` and -:ref:`kadmind(8)` perform logging. It may contain the following -relations: - -**admin_server** - Specifies how :ref:`kadmind(8)` performs logging. - -**kdc** - Specifies how :ref:`krb5kdc(8)` performs logging. - -**default** - Specifies how either daemon performs logging in the absence of - relations specific to the daemon. - -**debug** - (Boolean value.) Specifies whether debugging messages are - included in log outputs other than SYSLOG. Debugging messages are - always included in the system log output because syslog performs - its own priority filtering. The default value is false. New in - release 1.15. - -Logging specifications may have the following forms: - -**FILE=**\ *filename* or **FILE:**\ *filename* - This value causes the daemon's logging messages to go to the - *filename*. If the ``=`` form is used, the file is overwritten. - If the ``:`` form is used, the file is appended to. - -**STDERR** - This value causes the daemon's logging messages to go to its - standard error stream. - -**CONSOLE** - This value causes the daemon's logging messages to go to the - console, if the system supports it. - -**DEVICE=**\ ** - This causes the daemon's logging messages to go to the specified - device. - -**SYSLOG**\ [\ **:**\ *severity*\ [\ **:**\ *facility*\ ]] - This causes the daemon's logging messages to go to the system log. - - The severity argument specifies the default severity of system log - messages. This may be any of the following severities supported - by the syslog(3) call, minus the ``LOG_`` prefix: **EMERG**, - **ALERT**, **CRIT**, **ERR**, **WARNING**, **NOTICE**, **INFO**, - and **DEBUG**. - - The facility argument specifies the facility under which the - messages are logged. This may be any of the following facilities - supported by the syslog(3) call minus the LOG\_ prefix: **KERN**, - **USER**, **MAIL**, **DAEMON**, **AUTH**, **LPR**, **NEWS**, - **UUCP**, **CRON**, and **LOCAL0** through **LOCAL7**. - - If no severity is specified, the default is **ERR**. If no - facility is specified, the default is **AUTH**. - -In the following example, the logging messages from the KDC will go to -the console and to the system log under the facility LOG_DAEMON with -default severity of LOG_INFO; and the logging messages from the -administrative server will be appended to the file -``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``. :: - - [logging] - kdc = CONSOLE - kdc = SYSLOG:INFO:DAEMON - admin_server = FILE:/var/adm/kadmin.log - admin_server = DEVICE=/dev/tty04 - - -.. _otp: - -[otp] -~~~~~ - -Each subsection of [otp] is the name of an OTP token type. The tags -within the subsection define the configuration required to forward a -One Time Password request to a RADIUS server. - -For each token type, the following tags may be specified: - -**server** - This is the server to send the RADIUS request to. It can be a - hostname with optional port, an ip address with optional port, or - a Unix domain socket address. The default is - |kdcdir|\ ``/.socket``. - -**secret** - This tag indicates a filename (which may be relative to |kdcdir|) - containing the secret used to encrypt the RADIUS packets. The - secret should appear in the first line of the file by itself; - leading and trailing whitespace on the line will be removed. If - the value of **server** is a Unix domain socket address, this tag - is optional, and an empty secret will be used if it is not - specified. Otherwise, this tag is required. - -**timeout** - An integer which specifies the time in seconds during which the - KDC should attempt to contact the RADIUS server. This tag is the - total time across all retries and should be less than the time - which an OTP value remains valid for. The default is 5 seconds. - -**retries** - This tag specifies the number of retries to make to the RADIUS - server. The default is 3 retries (4 tries). - -**strip_realm** - If this tag is ``true``, the principal without the realm will be - passed to the RADIUS server. Otherwise, the realm will be - included. The default value is ``true``. - -**indicator** - This tag specifies an authentication indicator to be included in - the ticket if this token type is used to authenticate. This - option may be specified multiple times. (New in release 1.14.) - -In the following example, requests are sent to a remote server via UDP:: - - [otp] - MyRemoteTokenType = { - server = radius.mydomain.com:1812 - secret = SEmfiajf42$ - timeout = 15 - retries = 5 - strip_realm = true - } - -An implicit default token type named ``DEFAULT`` is defined for when -the per-principal configuration does not specify a token type. Its -configuration is shown below. You may override this token type to -something applicable for your situation:: - - [otp] - DEFAULT = { - strip_realm = false - } - -PKINIT options --------------- - -.. note:: - - The following are pkinit-specific options. These values may - be specified in [kdcdefaults] as global defaults, or within - a realm-specific subsection of [realms]. Also note that a - realm-specific value over-rides, does not add to, a generic - [kdcdefaults] specification. The search order is: - -1. realm-specific subsection of [realms]:: - - [realms] - EXAMPLE.COM = { - pkinit_anchors = FILE:/usr/local/example.com.crt - } - -2. generic value in the [kdcdefaults] section:: - - [kdcdefaults] - pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ - -For information about the syntax of some of these options, see -:ref:`Specifying PKINIT identity information ` in -:ref:`krb5.conf(5)`. - -**pkinit_anchors** - Specifies the location of trusted anchor (root) certificates which - the KDC trusts to sign client certificates. This option is - required if pkinit is to be supported by the KDC. This option may - be specified multiple times. - -**pkinit_dh_min_bits** - Specifies the minimum number of bits the KDC is willing to accept - for a client's Diffie-Hellman key. The default is 2048. - -**pkinit_allow_upn** - Specifies that the KDC is willing to accept client certificates - with the Microsoft UserPrincipalName (UPN) Subject Alternative - Name (SAN). This means the KDC accepts the binding of the UPN in - the certificate to the Kerberos principal name. The default value - is false. - - Without this option, the KDC will only accept certificates with - the id-pkinit-san as defined in :rfc:`4556`. There is currently - no option to disable SAN checking in the KDC. - -**pkinit_eku_checking** - This option specifies what Extended Key Usage (EKU) values the KDC - is willing to accept in client certificates. The values - recognized in the kdc.conf file are: - - **kpClientAuth** - This is the default value and specifies that client - certificates must have the id-pkinit-KPClientAuth EKU as - defined in :rfc:`4556`. - - **scLogin** - If scLogin is specified, client certificates with the - Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be - accepted. - - **none** - If none is specified, then client certificates will not be - checked to verify they have an acceptable EKU. The use of - this option is not recommended. - -**pkinit_identity** - Specifies the location of the KDC's X.509 identity information. - This option is required if pkinit is to be supported by the KDC. - -**pkinit_indicator** - Specifies an authentication indicator to include in the ticket if - pkinit is used to authenticate. This option may be specified - multiple times. (New in release 1.14.) - -**pkinit_kdc_ocsp** - Specifies the location of the KDC's OCSP. - -**pkinit_pool** - Specifies the location of intermediate certificates which may be - used by the KDC to complete the trust chain between a client's - certificate and a trusted anchor. This option may be specified - multiple times. - -**pkinit_revoke** - Specifies the location of Certificate Revocation List (CRL) - information to be used by the KDC when verifying the validity of - client certificates. This option may be specified multiple times. - -**pkinit_require_crl_checking** - The default certificate verification process will always check the - available revocation information to see if a certificate has been - revoked. If a match is found for the certificate in a CRL, - verification fails. If the certificate being verified is not - listed in a CRL, or there is no CRL present for its issuing CA, - and **pkinit_require_crl_checking** is false, then verification - succeeds. - - However, if **pkinit_require_crl_checking** is true and there is - no CRL information available for the issuing CA, then verification - fails. - - **pkinit_require_crl_checking** should be set to true if the - policy is such that up-to-date CRLs must be present for every CA. - - -.. _Encryption_types: - -Encryption types ----------------- - -Any tag in the configuration files which requires a list of encryption -types can be set to some combination of the following strings. -Encryption types marked as "weak" are available for compatibility but -not recommended for use. - -==================================================== ========================================================= -des-cbc-crc DES cbc mode with CRC-32 (weak) -des-cbc-md4 DES cbc mode with RSA-MD4 (weak) -des-cbc-md5 DES cbc mode with RSA-MD5 (weak) -des-cbc-raw DES cbc mode raw (weak) -des3-cbc-raw Triple DES cbc mode raw (weak) -des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd Triple DES cbc mode with HMAC/sha1 -des-hmac-sha1 DES with HMAC/sha1 (weak) -aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 AES-256 CTS mode with 96-bit SHA-1 HMAC -aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 AES-128 CTS mode with 96-bit SHA-1 HMAC -aes256-cts-hmac-sha384-192 aes256-sha2 AES-256 CTS mode with 192-bit SHA-384 HMAC -aes128-cts-hmac-sha256-128 aes128-sha2 AES-128 CTS mode with 128-bit SHA-256 HMAC -arcfour-hmac rc4-hmac arcfour-hmac-md5 RC4 with HMAC/MD5 -arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp Exportable RC4 with HMAC/MD5 (weak) -camellia256-cts-cmac camellia256-cts Camellia-256 CTS mode with CMAC -camellia128-cts-cmac camellia128-cts Camellia-128 CTS mode with CMAC -des The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) -des3 The triple DES family: des3-cbc-sha1 -aes The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 -rc4 The RC4 family: arcfour-hmac -camellia The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac -==================================================== ========================================================= - -The string **DEFAULT** can be used to refer to the default set of -types for the variable in question. Types or families can be removed -from the current list by prefixing them with a minus sign ("-"). -Types or families can be prefixed with a plus sign ("+") for symmetry; -it has the same meaning as just listing the type or family. For -example, "``DEFAULT -des``" would be the default set of encryption -types with DES types removed, and "``des3 DEFAULT``" would be the -default set of encryption types with triple DES types moved to the -front. - -While **aes128-cts** and **aes256-cts** are supported for all Kerberos -operations, they are not supported by very old versions of our GSSAPI -implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given keys of these encryption -types in the KDC database. - -The **aes128-sha2** and **aes256-sha2** encryption types are new in -release 1.15. Services running versions of krb5 without support for -these newer encryption types must not be given keys of these -encryption types in the KDC database. - - -.. _Keysalt_lists: - -Keysalt lists -------------- - -Kerberos keys for users are usually derived from passwords. Kerberos -commands and configuration parameters that affect generation of keys -take lists of enctype-salttype ("keysalt") pairs, known as *keysalt -lists*. Each keysalt pair is an enctype name followed by a salttype -name, in the format *enc*:*salt*. Individual keysalt list members are -separated by comma (",") characters or space characters. For example:: - - kadmin -e aes256-cts:normal,aes128-cts:normal - -would start up kadmin so that by default it would generate -password-derived keys for the **aes256-cts** and **aes128-cts** -encryption types, using a **normal** salt. - -To ensure that people who happen to pick the same password do not have -the same key, Kerberos 5 incorporates more information into the key -using something called a salt. The supported salt types are as -follows: - -================= ============================================ -normal default for Kerberos Version 5 -v4 the only type used by Kerberos Version 4 (no salt) -norealm same as the default, without using realm information -onlyrealm uses only realm information as the salt -afs3 AFS version 3, only used for compatibility with Kerberos 4 in AFS -special generate a random salt -================= ============================================ - - -Sample kdc.conf File --------------------- - -Here's an example of a kdc.conf file:: - - [kdcdefaults] - kdc_listen = 88 - kdc_tcp_listen = 88 - [realms] - ATHENA.MIT.EDU = { - kadmind_port = 749 - max_life = 12h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts-hmac-sha1-96 - supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal - database_module = openldap_ldapconf - } - - [logging] - kdc = FILE:/usr/local/var/krb5kdc/kdc.log - admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log - - [dbdefaults] - ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu - - [dbmodules] - openldap_ldapconf = { - db_library = kldap - disable_last_success = true - ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu" - # this object needs to have read rights on - # the realm container and principal subtrees - ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu" - # this object needs to have read and write rights on - # the realm container and principal subtrees - ldap_service_password_file = /etc/kerberos/service.keyfile - ldap_servers = ldaps://kerberos.mit.edu - ldap_conns_per_server = 5 - } - - -FILES ------- - -|kdcdir|\ ``/kdc.conf`` - - -SEE ALSO ---------- - -:ref:`krb5.conf(5)`, :ref:`krb5kdc(8)`, :ref:`kadm5.acl(5)` diff --git a/doc/html/_sources/admin/conf_files/krb5_conf.txt b/doc/html/_sources/admin/conf_files/krb5_conf.txt deleted file mode 100644 index 02a9359..0000000 --- a/doc/html/_sources/admin/conf_files/krb5_conf.txt +++ /dev/null @@ -1,1172 +0,0 @@ -.. _krb5.conf(5): - -krb5.conf -========= - -The krb5.conf file contains Kerberos configuration information, -including the locations of KDCs and admin servers for the Kerberos -realms of interest, defaults for the current realm and for Kerberos -applications, and mappings of hostnames onto Kerberos realms. -Normally, you should install your krb5.conf file in the directory -``/etc``. You can override the default location by setting the -environment variable **KRB5_CONFIG**. Multiple colon-separated -filenames may be specified in **KRB5_CONFIG**; all files which are -present will be read. Starting in release 1.14, directory names can -also be specified in **KRB5_CONFIG**; all files within the directory -whose names consist solely of alphanumeric characters, dashes, or -underscores will be read. - - -Structure ---------- - -The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form:: - - foo = bar - -or:: - - fubar = { - foo = bar - baz = quux - } - -Placing a '\*' at the end of a line indicates that this is the *final* -value for the tag. This means that neither the remainder of this -configuration file nor any other configuration file will be checked -for any other values for this tag. - -For example, if you have the following lines:: - - foo = bar* - foo = baz - -then the second value of ``foo`` (``baz``) would never be read. - -The krb5.conf file can include other files using either of the -following directives at the beginning of a line:: - - include FILENAME - includedir DIRNAME - -*FILENAME* or *DIRNAME* should be an absolute path. The named file or -directory must exist and be readable. Including a directory includes -all files within the directory whose names consist solely of -alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ".conf" are also included, unless the -name begins with ".". Included profile files are syntactically -independent of their parents, so each included file must begin with a -section header. - -The krb5.conf file can specify that configuration should be obtained -from a loadable module, rather than the file itself, using the -following directive at the beginning of a line before any section -headers:: - - module MODULEPATH:RESIDUAL - -*MODULEPATH* may be relative to the library path of the krb5 -installation, or it may be an absolute path. *RESIDUAL* is provided -to the module at initialization time. If krb5.conf uses a module -directive, :ref:`kdc.conf(5)` should also use one if it exists. - - -Sections --------- - -The krb5.conf file may contain the following sections: - -=================== ======================================================= -:ref:`libdefaults` Settings used by the Kerberos V5 library -:ref:`realms` Realm-specific contact information and settings -:ref:`domain_realm` Maps server hostnames to Kerberos realms -:ref:`capaths` Authentication paths for non-hierarchical cross-realm -:ref:`appdefaults` Settings used by some Kerberos V5 applications -:ref:`plugins` Controls plugin module registration -=================== ======================================================= - -Additionally, krb5.conf may include any of the relations described in -:ref:`kdc.conf(5)`, but it is not a recommended practice. - -.. _libdefaults: - -[libdefaults] -~~~~~~~~~~~~~ - -The libdefaults section may contain any of the following relations: - -**allow_weak_crypto** - If this flag is set to false, then weak encryption types (as noted - in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered - out of the lists **default_tgs_enctypes**, - **default_tkt_enctypes**, and **permitted_enctypes**. The default - value for this tag is false, which may cause authentication - failures in existing Kerberos infrastructures that do not support - strong crypto. Users in affected environments should set this tag - to true until their infrastructure adopts stronger ciphers. - -**ap_req_checksum_type** - An integer which specifies the type of AP-REQ checksum to use in - authenticators. This variable should be unset so the appropriate - checksum for the encryption key in use will be used. This can be - set if backward compatibility requires a specific checksum type. - See the **kdc_req_checksum_type** configuration option for the - possible values and their meanings. - -**canonicalize** - If this flag is set to true, initial ticket requests to the KDC - will request canonicalization of the client principal name, and - answers with different client principals than the requested - principal will be accepted. The default value is false. - -**ccache_type** - This parameter determines the format of credential cache types - created by :ref:`kinit(1)` or other programs. The default value - is 4, which represents the most current format. Smaller values - can be used for compatibility with very old implementations of - Kerberos which interact with credential caches on the same host. - -**clockskew** - Sets the maximum allowable amount of clockskew in seconds that the - library will tolerate before assuming that a Kerberos message is - invalid. The default value is 300 seconds, or five minutes. - - The clockskew setting is also used when evaluating ticket start - and expiration times. For example, tickets that have reached - their expiration time can still be used (and renewed if they are - renewable tickets) if they have been expired for a shorter - duration than the **clockskew** setting. - -**default_ccache_name** - This relation specifies the name of the default credential cache. - The default is |ccache|. This relation is subject to parameter - expansion (see below). New in release 1.11. - -**default_client_keytab_name** - This relation specifies the name of the default keytab for - obtaining client credentials. The default is |ckeytab|. This - relation is subject to parameter expansion (see below). - New in release 1.11. - -**default_keytab_name** - This relation specifies the default keytab name to be used by - application servers such as sshd. The default is |keytab|. This - relation is subject to parameter expansion (see below). - -**default_realm** - Identifies the default Kerberos realm for the client. Set its - value to your Kerberos realm. If this value is not set, then a - realm must be specified with every Kerberos principal when - invoking programs such as :ref:`kinit(1)`. - -**default_tgs_enctypes** - Identifies the supported list of session key encryption types that - the client should request when making a TGS-REQ, in order of - preference from highest to lowest. The list may be delimited with - commas or whitespace. See :ref:`Encryption_types` in - :ref:`kdc.conf(5)` for a list of the accepted values for this tag. - The default value is |defetypes|, but single-DES encryption types - will be implicitly removed from this list if the value of - **allow_weak_crypto** is false. - - Do not set this unless required for specific backward - compatibility purposes; stale values of this setting can prevent - clients from taking advantage of new stronger enctypes when the - libraries are upgraded. - -**default_tkt_enctypes** - Identifies the supported list of session key encryption types that - the client should request when making an AS-REQ, in order of - preference from highest to lowest. The format is the same as for - default_tgs_enctypes. The default value for this tag is - |defetypes|, but single-DES encryption types will be implicitly - removed from this list if the value of **allow_weak_crypto** is - false. - - Do not set this unless required for specific backward - compatibility purposes; stale values of this setting can prevent - clients from taking advantage of new stronger enctypes when the - libraries are upgraded. - -**dns_canonicalize_hostname** - Indicate whether name lookups will be used to canonicalize - hostnames for use in service principal names. Setting this flag - to false can improve security by reducing reliance on DNS, but - means that short hostnames will not be canonicalized to - fully-qualified hostnames. The default value is true. - -**dns_lookup_kdc** - Indicate whether DNS SRV records should be used to locate the KDCs - and other servers for a realm, if they are not listed in the - krb5.conf information for the realm. (Note that the admin_server - entry must be in the krb5.conf realm information in order to - contact kadmind, because the DNS implementation for kadmin is - incomplete.) - - Enabling this option does open up a type of denial-of-service - attack, if someone spoofs the DNS records and redirects you to - another server. However, it's no worse than a denial of service, - because that fake KDC will be unable to decode anything you send - it (besides the initial ticket request, which has no encrypted - data), and anything the fake KDC sends will not be trusted without - verification using some secret that it won't know. - -**dns_uri_lookup** - Indicate whether DNS URI records should be used to locate the KDCs - and other servers for a realm, if they are not listed in the - krb5.conf information for the realm. SRV records are used as a - fallback if no URI records were found. The default value is true. - New in release 1.15. - -**err_fmt** - This relation allows for custom error message formatting. If a - value is set, error messages will be formatted by substituting a - normal error message for %M and an error code for %C in the value. - -**extra_addresses** - This allows a computer to use multiple local addresses, in order - to allow Kerberos to work in a network that uses NATs while still - using address-restricted tickets. The addresses should be in a - comma-separated list. This option has no effect if - **noaddresses** is true. - -**forwardable** - If this flag is true, initial tickets will be forwardable by - default, if allowed by the KDC. The default value is false. - -**ignore_acceptor_hostname** - When accepting GSSAPI or krb5 security contexts for host-based - service principals, ignore any hostname passed by the calling - application, and allow clients to authenticate to any service - principal in the keytab matching the service name and realm name - (if given). This option can improve the administrative - flexibility of server applications on multihomed hosts, but could - compromise the security of virtual hosting environments. The - default value is false. New in release 1.10. - -**k5login_authoritative** - If this flag is true, principals must be listed in a local user's - k5login file to be granted login access, if a :ref:`.k5login(5)` - file exists. If this flag is false, a principal may still be - granted login access through other mechanisms even if a k5login - file exists but does not list the principal. The default value is - true. - -**k5login_directory** - If set, the library will look for a local user's k5login file - within the named directory, with a filename corresponding to the - local username. If not set, the library will look for k5login - files in the user's home directory, with the filename .k5login. - For security reasons, .k5login files must be owned by - the local user or by root. - -**kcm_mach_service** - On OS X only, determines the name of the bootstrap service used to - contact the KCM daemon for the KCM credential cache type. If the - value is ``-``, Mach RPC will not be used to contact the KCM - daemon. The default value is ``org.h5l.kcm``. - -**kcm_socket** - Determines the path to the Unix domain socket used to access the - KCM daemon for the KCM credential cache type. If the value is - ``-``, Unix domain sockets will not be used to contact the KCM - daemon. The default value is - ``/var/run/.heim_org.h5l.kcm-socket``. - -**kdc_default_options** - Default KDC options (Xored for multiple values) when requesting - initial tickets. By default it is set to 0x00000010 - (KDC_OPT_RENEWABLE_OK). - -**kdc_timesync** - Accepted values for this relation are 1 or 0. If it is nonzero, - client machines will compute the difference between their time and - the time returned by the KDC in the timestamps in the tickets and - use this value to correct for an inaccurate system clock when - requesting service tickets or authenticating to services. This - corrective factor is only used by the Kerberos library; it is not - used to change the system clock. The default value is 1. - -**kdc_req_checksum_type** - An integer which specifies the type of checksum to use for the KDC - requests, for compatibility with very old KDC implementations. - This value is only used for DES keys; other keys use the preferred - checksum type for those keys. - - The possible values and their meanings are as follows. - - ======== =============================== - 1 CRC32 - 2 RSA MD4 - 3 RSA MD4 DES - 4 DES CBC - 7 RSA MD5 - 8 RSA MD5 DES - 9 NIST SHA - 12 HMAC SHA1 DES3 - -138 Microsoft MD5 HMAC checksum type - ======== =============================== - -**noaddresses** - If this flag is true, requests for initial tickets will not be - made with address restrictions set, allowing the tickets to be - used across NATs. The default value is true. - -**permitted_enctypes** - Identifies all encryption types that are permitted for use in - session key encryption. The default value for this tag is - |defetypes|, but single-DES encryption types will be implicitly - removed from this list if the value of **allow_weak_crypto** is - false. - -**plugin_base_dir** - If set, determines the base directory where krb5 plugins are - located. The default value is the ``krb5/plugins`` subdirectory - of the krb5 library directory. - -**preferred_preauth_types** - This allows you to set the preferred preauthentication types which - the client will attempt before others which may be advertised by a - KDC. The default value for this setting is "17, 16, 15, 14", - which forces libkrb5 to attempt to use PKINIT if it is supported. - -**proxiable** - If this flag is true, initial tickets will be proxiable by - default, if allowed by the KDC. The default value is false. - -**rdns** - If this flag is true, reverse name lookup will be used in addition - to forward name lookup to canonicalizing hostnames for use in - service principal names. If **dns_canonicalize_hostname** is set - to false, this flag has no effect. The default value is true. - -**realm_try_domains** - Indicate whether a host's domain components should be used to - determine the Kerberos realm of the host. The value of this - variable is an integer: -1 means not to search, 0 means to try the - host's domain itself, 1 means to also try the domain's immediate - parent, and so forth. The library's usual mechanism for locating - Kerberos realms is used to determine whether a domain is a valid - realm, which may involve consulting DNS if **dns_lookup_kdc** is - set. The default is not to search domain components. - -**renew_lifetime** - (:ref:`duration` string.) Sets the default renewable lifetime - for initial ticket requests. The default value is 0. - -**safe_checksum_type** - An integer which specifies the type of checksum to use for the - KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For - compatibility with applications linked against DCE version 1.1 or - earlier Kerberos libraries, use a value of 3 to use the RSA MD4 - DES instead. This field is ignored when its value is incompatible - with the session key type. See the **kdc_req_checksum_type** - configuration option for the possible values and their meanings. - -**ticket_lifetime** - (:ref:`duration` string.) Sets the default lifetime for initial - ticket requests. The default value is 1 day. - -**udp_preference_limit** - When sending a message to the KDC, the library will try using TCP - before UDP if the size of the message is above - **udp_preference_limit**. If the message is smaller than - **udp_preference_limit**, then UDP will be tried before TCP. - Regardless of the size, both protocols will be tried if the first - attempt fails. - -**verify_ap_req_nofail** - If this flag is true, then an attempt to verify initial - credentials will fail if the client machine does not have a - keytab. The default value is false. - -.. _realms: - -[realms] -~~~~~~~~ - -Each tag in the [realms] section of the file is the name of a Kerberos -realm. The value of the tag is a subsection with relations that -define the properties of that particular realm. For each realm, the -following tags may be specified in the realm's subsection: - -**admin_server** - Identifies the host where the administration server is running. - Typically, this is the master Kerberos server. This tag must be - given a value in order to communicate with the :ref:`kadmind(8)` - server for the realm. - -**auth_to_local** - This tag allows you to set a general rule for mapping principal - names to local user names. It will be used if there is not an - explicit mapping for the principal name that is being - translated. The possible values are: - - **RULE:**\ *exp* - The local name will be formulated from *exp*. - - The format for *exp* is **[**\ *n*\ **:**\ *string*\ **](**\ - *regexp*\ **)s/**\ *pattern*\ **/**\ *replacement*\ **/g**. - The integer *n* indicates how many components the target - principal should have. If this matches, then a string will be - formed from *string*, substituting the realm of the principal - for ``$0`` and the *n*'th component of the principal for - ``$n`` (e.g., if the principal was ``johndoe/admin`` then - ``[2:$2$1foo]`` would result in the string - ``adminjohndoefoo``). If this string matches *regexp*, then - the ``s//[g]`` substitution command will be run over the - string. The optional **g** will cause the substitution to be - global over the *string*, instead of replacing only the first - match in the *string*. - - **DEFAULT** - The principal name will be used as the local user name. If - the principal has more than one component or is not in the - default realm, this rule is not applicable and the conversion - will fail. - - For example:: - - [realms] - ATHENA.MIT.EDU = { - auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ - auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// - auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auto_to_local = DEFAULT - } - - would result in any principal without ``root`` or ``admin`` as the - second component to be translated with the default rule. A - principal with a second component of ``admin`` will become its - first component. ``root`` will be used as the local name for any - principal with a second component of ``root``. The exception to - these two rules are any principals ``johndoe/*``, which will - always get the local name ``guest``. - -**auth_to_local_names** - This subsection allows you to set explicit mappings from principal - names to local user names. The tag is the mapping name, and the - value is the corresponding local user name. - -**default_domain** - This tag specifies the domain used to expand hostnames when - translating Kerberos 4 service principals to Kerberos 5 principals - (for example, when converting ``rcmd.hostname`` to - ``host/hostname.domain``). - -**http_anchors** - When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag - can be used to specify the location of the CA certificate which should be - trusted to issue the certificate for a proxy server. If left unspecified, - the system-wide default set of CA certificates is used. - - The syntax for values is similar to that of values for the - **pkinit_anchors** tag: - - **FILE:** *filename* - - *filename* is assumed to be the name of an OpenSSL-style ca-bundle file. - - **DIR:** *dirname* - - *dirname* is assumed to be an directory which contains CA certificates. - All files in the directory will be examined; if they contain certificates - (in PEM format), they will be used. - - **ENV:** *envvar* - - *envvar* specifies the name of an environment variable which has been set - to a value conforming to one of the previous values. For example, - ``ENV:X509_PROXY_CA``, where environment variable ``X509_PROXY_CA`` has - been set to ``FILE:/tmp/my_proxy.pem``. - -**kdc** - The name or address of a host running a KDC for that realm. An - optional port number, separated from the hostname by a colon, may - be included. If the name or address contains colons (for example, - if it is an IPv6 address), enclose it in square brackets to - distinguish the colon from a port separator. For your computer to - be able to communicate with the KDC for each realm, this tag must - be given a value in each realm subsection in the configuration - file, or there must be DNS SRV records specifying the KDCs. - -**kpasswd_server** - Points to the server where all the password changes are performed. - If there is no such entry, the port 464 on the **admin_server** - host will be tried. - -**master_kdc** - Identifies the master KDC(s). Currently, this tag is used in only - one case: If an attempt to get credentials fails because of an - invalid password, the client software will attempt to contact the - master KDC, in case the user's password has just been changed, and - the updated database has not been propagated to the slave servers - yet. - -**v4_instance_convert** - This subsection allows the administrator to configure exceptions - to the **default_domain** mapping rule. It contains V4 instances - (the tag name) which should be translated to some specific - hostname (the tag value) as the second component in a Kerberos V5 - principal name. - -**v4_realm** - This relation is used by the krb524 library routines when - converting a V5 principal name to a V4 principal name. It is used - when the V4 realm name and the V5 realm name are not the same, but - still share the same principal names and passwords. The tag value - is the Kerberos V4 realm name. - - -.. _domain_realm: - -[domain_realm] -~~~~~~~~~~~~~~ - -The [domain_realm] section provides a translation from a domain name -or hostname to a Kerberos realm name. The tag name can be a host name -or domain name, where domain names are indicated by a prefix of a -period (``.``). The value of the relation is the Kerberos realm name -for that particular host or domain. A host name relation implicitly -provides the corresponding domain name relation, unless an explicit domain -name relation is provided. The Kerberos realm may be -identified either in the realms_ section or using DNS SRV records. -Host names and domain names should be in lower case. For example:: - - [domain_realm] - crash.mit.edu = TEST.ATHENA.MIT.EDU - .dev.mit.edu = TEST.ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU - -maps the host with the name ``crash.mit.edu`` into the -``TEST.ATHENA.MIT.EDU`` realm. The second entry maps all hosts under the -domain ``dev.mit.edu`` into the ``TEST.ATHENA.MIT.EDU`` realm, but not -the host with the name ``dev.mit.edu``. That host is matched -by the third entry, which maps the host ``mit.edu`` and all hosts -under the domain ``mit.edu`` that do not match a preceding rule -into the realm ``ATHENA.MIT.EDU``. - -If no translation entry applies to a hostname used for a service -principal for a service ticket request, the library will try to get a -referral to the appropriate realm from the client realm's KDC. If -that does not succeed, the host's realm is considered to be the -hostname's domain portion converted to uppercase, unless the -**realm_try_domains** setting in [libdefaults] causes a different -parent domain to be used. - - -.. _capaths: - -[capaths] -~~~~~~~~~ - -In order to perform direct (non-hierarchical) cross-realm -authentication, configuration is needed to determine the -authentication paths between realms. - -A client will use this section to find the authentication path between -its realm and the realm of the server. The server will use this -section to verify the authentication path used by the client, by -checking the transited field of the received ticket. - -There is a tag for each participating client realm, and each tag has -subtags for each of the server realms. The value of the subtags is an -intermediate realm which may participate in the cross-realm -authentication. The subtags may be repeated if there is more then one -intermediate realm. A value of "." means that the two realms share -keys directly, and no intermediate realms should be allowed to -participate. - -Only those entries which will be needed on the client or the server -need to be present. A client needs a tag for its local realm with -subtags for all the realms of servers it will need to authenticate to. -A server needs a tag for each realm of the clients it will serve, with -a subtag of the server realm. - -For example, ``ANL.GOV``, ``PNL.GOV``, and ``NERSC.GOV`` all wish to -use the ``ES.NET`` realm as an intermediate realm. ANL has a sub -realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV`` -but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems -would look like this:: - - [capaths] - ANL.GOV = { - TEST.ANL.GOV = . - PNL.GOV = ES.NET - NERSC.GOV = ES.NET - ES.NET = . - } - TEST.ANL.GOV = { - ANL.GOV = . - } - PNL.GOV = { - ANL.GOV = ES.NET - } - NERSC.GOV = { - ANL.GOV = ES.NET - } - ES.NET = { - ANL.GOV = . - } - -The [capaths] section of the configuration file used on ``NERSC.GOV`` -systems would look like this:: - - [capaths] - NERSC.GOV = { - ANL.GOV = ES.NET - TEST.ANL.GOV = ES.NET - TEST.ANL.GOV = ANL.GOV - PNL.GOV = ES.NET - ES.NET = . - } - ANL.GOV = { - NERSC.GOV = ES.NET - } - PNL.GOV = { - NERSC.GOV = ES.NET - } - ES.NET = { - NERSC.GOV = . - } - TEST.ANL.GOV = { - NERSC.GOV = ANL.GOV - NERSC.GOV = ES.NET - } - -When a subtag is used more than once within a tag, clients will use -the order of values to determine the path. The order of values is not -important to servers. - - -.. _appdefaults: - -[appdefaults] -~~~~~~~~~~~~~ - -Each tag in the [appdefaults] section names a Kerberos V5 application -or an option that is used by some Kerberos V5 application[s]. The -value of the tag defines the default behaviors for that application. - -For example:: - - [appdefaults] - telnet = { - ATHENA.MIT.EDU = { - option1 = false - } - } - telnet = { - option1 = true - option2 = true - } - ATHENA.MIT.EDU = { - option2 = false - } - option2 = true - -The above four ways of specifying the value of an option are shown in -order of decreasing precedence. In this example, if telnet is running -in the realm EXAMPLE.COM, it should, by default, have option1 and -option2 set to true. However, a telnet program in the realm -``ATHENA.MIT.EDU`` should have ``option1`` set to false and -``option2`` set to true. Any other programs in ATHENA.MIT.EDU should -have ``option2`` set to false by default. Any programs running in -other realms should have ``option2`` set to true. - -The list of specifiable options for each application may be found in -that application's man pages. The application defaults specified here -are overridden by those specified in the realms_ section. - - -.. _plugins: - -[plugins] -~~~~~~~~~ - - * pwqual_ interface - * kadm5_hook_ interface - * clpreauth_ and kdcpreauth_ interfaces - -Tags in the [plugins] section can be used to register dynamic plugin -modules and to turn modules on and off. Not every krb5 pluggable -interface uses the [plugins] section; the ones that do are documented -here. - -New in release 1.9. - -Each pluggable interface corresponds to a subsection of [plugins]. -All subsections support the same tags: - -**disable** - This tag may have multiple values. If there are values for this - tag, then the named modules will be disabled for the pluggable - interface. - -**enable_only** - This tag may have multiple values. If there are values for this - tag, then only the named modules will be enabled for the pluggable - interface. - -**module** - This tag may have multiple values. Each value is a string of the - form ``modulename:pathname``, which causes the shared object - located at *pathname* to be registered as a dynamic module named - *modulename* for the pluggable interface. If *pathname* is not an - absolute path, it will be treated as relative to the - **plugin_base_dir** value from :ref:`libdefaults`. - -For pluggable interfaces where module order matters, modules -registered with a **module** tag normally come first, in the order -they are registered, followed by built-in modules in the order they -are documented below. If **enable_only** tags are used, then the -order of those tags overrides the normal module order. - -The following subsections are currently supported within the [plugins] -section: - -.. _ccselect: - -ccselect interface -################## - -The ccselect subsection controls modules for credential cache -selection within a cache collection. In addition to any registered -dynamic modules, the following built-in modules exist (and may be -disabled with the disable tag): - -**k5identity** - Uses a .k5identity file in the user's home directory to select a - client principal - -**realm** - Uses the service realm to guess an appropriate cache from the - collection - -.. _pwqual: - -pwqual interface -################ - -The pwqual subsection controls modules for the password quality -interface, which is used to reject weak passwords when passwords are -changed. The following built-in modules exist for this interface: - -**dict** - Checks against the realm dictionary file - -**empty** - Rejects empty passwords - -**hesiod** - Checks against user information stored in Hesiod (only if Kerberos - was built with Hesiod support) - -**princ** - Checks against components of the principal name - -.. _kadm5_hook: - -kadm5_hook interface -#################### - -The kadm5_hook interface provides plugins with information on -principal creation, modification, password changes and deletion. This -interface can be used to write a plugin to synchronize MIT Kerberos -with another database such as Active Directory. No plugins are built -in for this interface. - -.. _clpreauth: - -.. _kdcpreauth: - -clpreauth and kdcpreauth interfaces -################################### - -The clpreauth and kdcpreauth interfaces allow plugin modules to -provide client and KDC preauthentication mechanisms. The following -built-in modules exist for these interfaces: - -**pkinit** - This module implements the PKINIT preauthentication mechanism. - -**encrypted_challenge** - This module implements the encrypted challenge FAST factor. - -**encrypted_timestamp** - This module implements the encrypted timestamp mechanism. - -.. _hostrealm: - -hostrealm interface -################### - -The hostrealm section (introduced in release 1.12) controls modules -for the host-to-realm interface, which affects the local mapping of -hostnames to realm names and the choice of default realm. The following -built-in modules exist for this interface: - -**profile** - This module consults the [domain_realm] section of the profile for - authoritative host-to-realm mappings, and the **default_realm** - variable for the default realm. - -**dns** - This module looks for DNS records for fallback host-to-realm - mappings and the default realm. It only operates if the - **dns_lookup_realm** variable is set to true. - -**domain** - This module applies heuristics for fallback host-to-realm - mappings. It implements the **realm_try_domains** variable, and - uses the uppercased parent domain of the hostname if that does not - produce a result. - -.. _localauth: - -localauth interface -################### - -The localauth section (introduced in release 1.12) controls modules -for the local authorization interface, which affects the relationship -between Kerberos principals and local system accounts. The following -built-in modules exist for this interface: - -**default** - This module implements the **DEFAULT** type for **auth_to_local** - values. - -**rule** - This module implements the **RULE** type for **auth_to_local** - values. - -**names** - This module looks for an **auth_to_local_names** mapping for the - principal name. - -**auth_to_local** - This module processes **auth_to_local** values in the default - realm's section, and applies the default method if no - **auth_to_local** values exist. - -**k5login** - This module authorizes a principal to a local account according to - the account's :ref:`.k5login(5)` file. - -**an2ln** - This module authorizes a principal to a local account if the - principal name maps to the local account name. - - -PKINIT options --------------- - -.. note:: - - The following are PKINIT-specific options. These values may - be specified in [libdefaults] as global defaults, or within - a realm-specific subsection of [libdefaults], or may be - specified as realm-specific values in the [realms] section. - A realm-specific value overrides, not adds to, a generic - [libdefaults] specification. The search order is: - -1. realm-specific subsection of [libdefaults]:: - - [libdefaults] - EXAMPLE.COM = { - pkinit_anchors = FILE:/usr/local/example.com.crt - } - -2. realm-specific value in the [realms] section:: - - [realms] - OTHERREALM.ORG = { - pkinit_anchors = FILE:/usr/local/otherrealm.org.crt - } - -3. generic value in the [libdefaults] section:: - - [libdefaults] - pkinit_anchors = DIR:/usr/local/generic_trusted_cas/ - - -.. _pkinit_identity: - -Specifying PKINIT identity information -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The syntax for specifying Public Key identity, trust, and revocation -information for PKINIT is as follows: - -**FILE:**\ *filename*\ [**,**\ *keyfilename*] - This option has context-specific behavior. - - In **pkinit_identity** or **pkinit_identities**, *filename* - specifies the name of a PEM-format file containing the user's - certificate. If *keyfilename* is not specified, the user's - private key is expected to be in *filename* as well. Otherwise, - *keyfilename* is the name of the file containing the private key. - - In **pkinit_anchors** or **pkinit_pool**, *filename* is assumed to - be the name of an OpenSSL-style ca-bundle file. - -**DIR:**\ *dirname* - This option has context-specific behavior. - - In **pkinit_identity** or **pkinit_identities**, *dirname* - specifies a directory with files named ``*.crt`` and ``*.key`` - where the first part of the file name is the same for matching - pairs of certificate and private key files. When a file with a - name ending with ``.crt`` is found, a matching file ending with - ``.key`` is assumed to contain the private key. If no such file - is found, then the certificate in the ``.crt`` is not used. - - In **pkinit_anchors** or **pkinit_pool**, *dirname* is assumed to - be an OpenSSL-style hashed CA directory where each CA cert is - stored in a file named ``hash-of-ca-cert.#``. This infrastructure - is encouraged, but all files in the directory will be examined and - if they contain certificates (in PEM format), they will be used. - - In **pkinit_revoke**, *dirname* is assumed to be an OpenSSL-style - hashed CA directory where each revocation list is stored in a file - named ``hash-of-ca-cert.r#``. This infrastructure is encouraged, - but all files in the directory will be examined and if they - contain a revocation list (in PEM format), they will be used. - -**PKCS12:**\ *filename* - *filename* is the name of a PKCS #12 format file, containing the - user's certificate and private key. - -**PKCS11:**\ [**module_name=**]\ *modname*\ [**:slotid=**\ *slot-id*][**:token=**\ *token-label*][**:certid=**\ *cert-id*][**:certlabel=**\ *cert-label*] - All keyword/values are optional. *modname* specifies the location - of a library implementing PKCS #11. If a value is encountered - with no keyword, it is assumed to be the *modname*. If no - module-name is specified, the default is ``opensc-pkcs11.so``. - ``slotid=`` and/or ``token=`` may be specified to force the use of - a particular smard card reader or token if there is more than one - available. ``certid=`` and/or ``certlabel=`` may be specified to - force the selection of a particular certificate on the device. - See the **pkinit_cert_match** configuration option for more ways - to select a particular certificate to use for PKINIT. - -**ENV:**\ *envvar* - *envvar* specifies the name of an environment variable which has - been set to a value conforming to one of the previous values. For - example, ``ENV:X509_PROXY``, where environment variable - ``X509_PROXY`` has been set to ``FILE:/tmp/my_proxy.pem``. - - -PKINIT krb5.conf options -~~~~~~~~~~~~~~~~~~~~~~~~ - -**pkinit_anchors** - Specifies the location of trusted anchor (root) certificates which - the client trusts to sign KDC certificates. This option may be - specified multiple times. These values from the config file are - not used if the user specifies X509_anchors on the command line. - -**pkinit_cert_match** - Specifies matching rules that the client certificate must match - before it is used to attempt PKINIT authentication. If a user has - multiple certificates available (on a smart card, or via other - media), there must be exactly one certificate chosen before - attempting PKINIT authentication. This option may be specified - multiple times. All the available certificates are checked - against each rule in order until there is a match of exactly one - certificate. - - The Subject and Issuer comparison strings are the :rfc:`2253` - string representations from the certificate Subject DN and Issuer - DN values. - - The syntax of the matching rules is: - - [*relation-operator*\ ]\ *component-rule* ... - - where: - - *relation-operator* - can be either ``&&``, meaning all component rules must match, - or ``||``, meaning only one component rule must match. The - default is ``&&``. - - *component-rule* - can be one of the following. Note that there is no - punctuation or whitespace between component rules. - - | ****\ *regular-expression* - | ****\ *regular-expression* - | ****\ *regular-expression* - | ****\ *extended-key-usage-list* - | ****\ *key-usage-list* - - *extended-key-usage-list* is a comma-separated list of - required Extended Key Usage values. All values in the list - must be present in the certificate. Extended Key Usage values - can be: - - * pkinit - * msScLogin - * clientAuth - * emailProtection - - *key-usage-list* is a comma-separated list of required Key - Usage values. All values in the list must be present in the - certificate. Key Usage values can be: - - * digitalSignature - * keyEncipherment - - Examples:: - - pkinit_cert_match = ||.*DoE.*.*@EXAMPLE.COM - pkinit_cert_match = &&msScLogin,clientAuth.*DoE.* - pkinit_cert_match = msScLogin,clientAuthdigitalSignature - -**pkinit_eku_checking** - This option specifies what Extended Key Usage value the KDC - certificate presented to the client must contain. (Note that if - the KDC certificate has the pkinit SubjectAlternativeName encoded - as the Kerberos TGS name, EKU checking is not necessary since the - issuing CA has certified this as a KDC certificate.) The values - recognized in the krb5.conf file are: - - **kpKDC** - This is the default value and specifies that the KDC must have - the id-pkinit-KPKdc EKU as defined in :rfc:`4556`. - - **kpServerAuth** - If **kpServerAuth** is specified, a KDC certificate with the - id-kp-serverAuth EKU will be accepted. This key usage value - is used in most commercially issued server certificates. - - **none** - If **none** is specified, then the KDC certificate will not be - checked to verify it has an acceptable EKU. The use of this - option is not recommended. - -**pkinit_dh_min_bits** - Specifies the size of the Diffie-Hellman key the client will - attempt to use. The acceptable values are 1024, 2048, and 4096. - The default is 2048. - -**pkinit_identities** - Specifies the location(s) to be used to find the user's X.509 - identity information. This option may be specified multiple - times. Each value is attempted in order until identity - information is found and authentication is attempted. Note that - these values are not used if the user specifies - **X509_user_identity** on the command line. - -**pkinit_kdc_hostname** - The presense of this option indicates that the client is willing - to accept a KDC certificate with a dNSName SAN (Subject - Alternative Name) rather than requiring the id-pkinit-san as - defined in :rfc:`4556`. This option may be specified multiple - times. Its value should contain the acceptable hostname for the - KDC (as contained in its certificate). - -**pkinit_pool** - Specifies the location of intermediate certificates which may be - used by the client to complete the trust chain between a KDC - certificate and a trusted anchor. This option may be specified - multiple times. - -**pkinit_require_crl_checking** - The default certificate verification process will always check the - available revocation information to see if a certificate has been - revoked. If a match is found for the certificate in a CRL, - verification fails. If the certificate being verified is not - listed in a CRL, or there is no CRL present for its issuing CA, - and **pkinit_require_crl_checking** is false, then verification - succeeds. - - However, if **pkinit_require_crl_checking** is true and there is - no CRL information available for the issuing CA, then verification - fails. - - **pkinit_require_crl_checking** should be set to true if the - policy is such that up-to-date CRLs must be present for every CA. - -**pkinit_revoke** - Specifies the location of Certificate Revocation List (CRL) - information to be used by the client when verifying the validity - of the KDC certificate presented. This option may be specified - multiple times. - - -.. _parameter_expansion: - -Parameter expansion -------------------- - -Starting with release 1.11, several variables, such as -**default_keytab_name**, allow parameters to be expanded. -Valid parameters are: - - ================= =================================================== - %{TEMP} Temporary directory - %{uid} Unix real UID or Windows SID - %{euid} Unix effective user ID or Windows SID - %{USERID} Same as %{uid} - %{null} Empty string - %{LIBDIR} Installation library directory - %{BINDIR} Installation binary directory - %{SBINDIR} Installation admin binary directory - %{username} (Unix) Username of effective user ID - %{APPDATA} (Windows) Roaming application data for current user - %{COMMON_APPDATA} (Windows) Application data for all users - %{LOCAL_APPDATA} (Windows) Local application data for current user - %{SYSTEM} (Windows) Windows system folder - %{WINDOWS} (Windows) Windows folder - %{USERCONFIG} (Windows) Per-user MIT krb5 config file directory - %{COMMONCONFIG} (Windows) Common MIT krb5 config file directory - ================= =================================================== - -Sample krb5.conf file ---------------------- - -Here is an example of a generic krb5.conf file:: - - [libdefaults] - default_realm = ATHENA.MIT.EDU - dns_lookup_kdc = true - dns_lookup_realm = false - - [realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu - kdc = kerberos-1.mit.edu - kdc = kerberos-2.mit.edu - admin_server = kerberos.mit.edu - master_kdc = kerberos.mit.edu - } - EXAMPLE.COM = { - kdc = kerberos.example.com - kdc = kerberos-1.example.com - admin_server = kerberos.example.com - } - - [domain_realm] - mit.edu = ATHENA.MIT.EDU - - [capaths] - ATHENA.MIT.EDU = { - EXAMPLE.COM = . - } - EXAMPLE.COM = { - ATHENA.MIT.EDU = . - } - -FILES ------ - -|krb5conf| - - -SEE ALSO --------- - -syslog(3) diff --git a/doc/html/_sources/admin/conf_ldap.txt b/doc/html/_sources/admin/conf_ldap.txt deleted file mode 100644 index 6443f46..0000000 --- a/doc/html/_sources/admin/conf_ldap.txt +++ /dev/null @@ -1,161 +0,0 @@ -Configuring Kerberos with OpenLDAP back-end -=========================================== - - - 1. Set up SSL on the OpenLDAP server and client to ensure secure - communication when the KDC service and LDAP server are on different - machines. ``ldapi://`` can be used if the LDAP server and KDC - service are running on the same machine. - - A. Setting up SSL on the OpenLDAP server: - - i) Get a CA certificate using OpenSSL tools - ii) Configure OpenLDAP server for using SSL/TLS - - For the latter, you need to specify the location of CA - certificate location in *slapd.conf* file. - - Refer to the following link for more information: - http://www.openldap.org/doc/admin23/tls.html - - B. Setting up SSL on OpenLDAP client: - - i) For the KDC and Admin Server, you need to do the client-side - configuration in ldap.conf. For example:: - - TLS_CACERT /etc/openldap/certs/cacert.pem - - 2. Include the Kerberos schema file (kerberos.schema) in the - configuration file (slapd.conf) on the LDAP Server, by providing - the location where it is stored:: - - include /etc/openldap/schema/kerberos.schema - - 3. Choose DNs for the :ref:`krb5kdc(8)` and :ref:`kadmind(8)` servers - to bind to the LDAP server, and create them if necessary. These DNs - will be specified with the **ldap_kdc_dn** and **ldap_kadmind_dn** - directives in :ref:`kdc.conf(5)`; their passwords can be stashed - with "``kdb5_ldap_util stashsrvpw``" and the resulting file - specified with the **ldap_service_password_file** directive. - - 4. Choose a DN for the global Kerberos container entry (but do not - create the entry at this time). This DN will be specified with the - **ldap_kerberos_container_dn** directive in :ref:`kdc.conf(5)`. - Realm container entries will be created underneath this DN. - Principal entries may exist either underneath the realm container - (the default) or in separate trees referenced from the realm - container. - - 5. Configure the LDAP server ACLs to enable the KDC and kadmin server - DNs to read and write the Kerberos data. If - **disable_last_success** and **disable_lockout** are both set to - true in the :ref:`dbmodules` subsection for the realm, then the - KDC DN only requires read access to the Kerberos data. - - Sample access control information:: - - access to dn.base="" - by * read - - access to dn.base="cn=Subschema" - by * read - - access to attrs=userPassword,userPKCS12 - by self write - by * auth - - access to attrs=shadowLastChange - by self write - by * read - - # Providing access to realm container - access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com" - by dn.exact="cn=kdc-service,dc=example,dc=com" write - by dn.exact="cn=adm-service,dc=example,dc=com" write - by * none - - # Providing access to principals, if not underneath realm container - access to dn.subtree= "ou=users,dc=example,dc=com" - by dn.exact="cn=kdc-service,dc=example,dc=com" write - by dn.exact="cn=adm-service,dc=example,dc=com" write - by * none - - access to * - by * read - - If the locations of the container and principals or the DNs of - the service objects for a realm are changed then this - information should be updated. - - 6. Start the LDAP server as follows:: - - slapd -h "ldapi:/// ldaps:///" - - 7. Modify the :ref:`kdc.conf(5)` file to include LDAP specific items - listed below:: - - realms - database_module - - dbmodules - db_library - db_module_dir - ldap_kdc_dn - ldap_kadmind_dn - ldap_service_password_file - ldap_servers - ldap_conns_per_server - - 8. Create the realm using :ref:`kdb5_ldap_util(8)` (see - :ref:`ldap_create_realm`):: - - kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s - - Use the **-subtrees** option if the principals are to exist in a - separate subtree from the realm container. Before executing the - command, make sure that the subtree mentioned above - ``(ou=users,dc=example,dc=com)`` exists. If the principals will - exist underneath the realm container, omit the **-subtrees** option - and do not worry about creating the principal subtree. - - For more information, refer to the section :ref:`ops_on_ldap`. - - The realm object is created under the - **ldap_kerberos_container_dn** specified in the configuration file. - This operation will also create the Kerberos container, if not - present already. This will be used to store information related to - all realms. - - 9. Stash the password of the service object used by the KDC and - Administration service to bind to the LDAP server using the - :ref:`kdb5_ldap_util(8)` **stashsrvpw** command (see - :ref:`stash_ldap`). The object DN should be the same as - **ldap_kdc_dn** and **ldap_kadmind_dn** values specified in the - :ref:`kdc.conf(5)` file:: - - kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com - - 10. Add ``krbPrincipalName`` to the indexes in slapd.conf to speed up - the access. - -With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no mechanism provided for creating -aliases, so it must be done by direct manipulation of the LDAP -entries. - -An entry with aliases contains multiple values of the -*krbPrincipalName* attribute. Since LDAP attribute values are not -ordered, it is necessary to specify which principal name is canonical, -by using the *krbCanonicalName* attribute. Therefore, to create -aliases for an entry, first set the *krbCanonicalName* attribute of -the entry to the canonical principal name (which should be identical -to the pre-existing *krbPrincipalName* value), and then add additional -*krbPrincipalName* attributes for the aliases. - -Principal aliases are only returned by the KDC when the client -requests canonicalization. Canonicalization is normally requested for -service principals; for client principals, an explicit flag is often -required (e.g., ``kinit -C``) and canonicalization is only performed -for initial ticket requests. - -.. seealso:: :ref:`ldap_be_ubuntu` diff --git a/doc/html/_sources/admin/database.txt b/doc/html/_sources/admin/database.txt deleted file mode 100644 index b693042..0000000 --- a/doc/html/_sources/admin/database.txt +++ /dev/null @@ -1,894 +0,0 @@ -Database administration -======================= - -A Kerberos database contains all of a realm's Kerberos principals, -their passwords, and other administrative information about each -principal. For the most part, you will use the :ref:`kdb5_util(8)` -program to manipulate the Kerberos database as a whole, and the -:ref:`kadmin(1)` program to make changes to the entries in the -database. (One notable exception is that users will use the -:ref:`kpasswd(1)` program to change their own passwords.) The kadmin -program has its own command-line interface, to which you type the -database administrating commands. - -:ref:`kdb5_util(8)` provides a means to create, delete, load, or dump -a Kerberos database. It also contains commands to roll over the -database master key, and to stash a copy of the key so that the -:ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons can use the database -without manual input. - -:ref:`kadmin(1)` provides for the maintenance of Kerberos principals, -password policies, and service key tables (keytabs). Normally it -operates as a network client using Kerberos authentication to -communicate with :ref:`kadmind(8)`, but there is also a variant, named -kadmin.local, which directly accesses the Kerberos database on the -local filesystem (or through LDAP). kadmin.local is necessary to set -up enough of the database to be able to use the remote version. - -kadmin can authenticate to the admin server using the service -principal ``kadmin/HOST`` (where *HOST* is the hostname of the admin -server) or ``kadmin/admin``. If the credentials cache contains a -ticket for either service principal and the **-c** ccache option is -specified, that ticket is used to authenticate to KADM5. Otherwise, -the **-p** and **-k** options are used to specify the client Kerberos -principal name used to authenticate. Once kadmin has determined the -principal name, it requests a ``kadmin/admin`` Kerberos service ticket -from the KDC, and uses that service ticket to authenticate to KADM5. - -See :ref:`kadmin(1)` for the available kadmin and kadmin.local -commands and options. - - -kadmin options --------------- - -You can invoke :ref:`kadmin(1)` or kadmin.local with any of the -following options: - -.. include:: admin_commands/kadmin_local.rst - :start-after: kadmin_synopsis: - :end-before: kadmin_synopsis_end: - -**OPTIONS** - -.. include:: admin_commands/kadmin_local.rst - :start-after: _kadmin_options: - :end-before: _kadmin_options_end: - - -Date Format ------------ - -For the supported date-time formats see :ref:`getdate` section -in :ref:`datetime`. - - -Principals ----------- - -Each entry in the Kerberos database contains a Kerberos principal and -the attributes and policies associated with that principal. - - -.. _add_mod_del_princs: - -Adding, modifying and deleting principals -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To add a principal to the database, use the :ref:`kadmin(1)` -**add_principal** command. - -To modify attributes of a principal, use the kadmin -**modify_principal** command. - -To delete a principal, use the kadmin **delete_principal** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _add_principal: - :end-before: _add_principal_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _modify_principal: - :end-before: _modify_principal_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _delete_principal: - :end-before: _delete_principal_end: - - -Examples -######## - -If you want to create a principal which is contained by a LDAP object, -all you need to do is:: - - kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer - WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. - Re-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. - Principal "jennifer@ATHENA.MIT.EDU" created. - kadmin: - -If you want to create a principal under a specific LDAP container and -link to an existing LDAP object, all you need to do is:: - - kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david - WARNING: no policy specified for "david@ATHENA.MIT.EDU"; - defaulting to no policy. - Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. - Re-enter password for principal david@ATHENA.MIT.EDU: <=Type it again. - Principal "david@ATHENA.MIT.EDU" created. - kadmin: - -If you want to associate a ticket policy to a principal, all you need -to do is:: - - kadmin: modprinc -x tktpolicy=userpolicy david - Principal "david@ATHENA.MIT.EDU" modified. - kadmin: - -If, on the other hand, you want to set up an account that expires on -January 1, 2000, that uses a policy called "stduser", with a temporary -password (which you want the user to change immediately), you would -type the following:: - - kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange - Enter password for principal david@ATHENA.MIT.EDU: <= Type the password. - Re-enter password for principal - david@ATHENA.MIT.EDU: <= Type it again. - Principal "david@ATHENA.MIT.EDU" created. - kadmin: - -If you want to delete a principal:: - - kadmin: delprinc jennifer - Are you sure you want to delete the principal - "jennifer@ATHENA.MIT.EDU"? (yes/no): yes - Principal "jennifer@ATHENA.MIT.EDU" deleted. - Make sure that you have removed this principal from - all ACLs before reusing. - kadmin: - - -Retrieving information about a principal -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To retrieve a listing of the attributes and/or policies associated -with a principal, use the :ref:`kadmin(1)` **get_principal** command. - -To generate a listing of principals, use the kadmin -**list_principals** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _get_principal: - :end-before: _get_principal_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _list_principals: - :end-before: _list_principals_end: - - -Changing passwords -~~~~~~~~~~~~~~~~~~ - -To change a principal's password use the :ref:`kadmin(1)` -**change_password** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _change_password: - :end-before: _change_password_end: - -.. note:: - - Password changes through kadmin are subject to the same - password policies as would apply to password changes through - :ref:`kpasswd(1)`. - - -.. _policies: - -Policies --------- - -A policy is a set of rules governing passwords. Policies can dictate -minimum and maximum password lifetimes, minimum number of characters -and character classes a password must contain, and the number of old -passwords kept in the database. - - -Adding, modifying and deleting policies -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To add a new policy, use the :ref:`kadmin(1)` **add_policy** command. - -To modify attributes of a principal, use the kadmin **modify_policy** -command. - -To delete a policy, use the kadmin **delete_policy** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _add_policy: - :end-before: _add_policy_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _modify_policy: - :end-before: _modify_policy_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _delete_policy: - :end-before: _delete_policy_end: - -.. note:: - - You must cancel the policy from *all* principals before - deleting it. The *delete_policy* command will fail if the policy - is in use by any principals. - - -Retrieving policies -~~~~~~~~~~~~~~~~~~~ - -To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command. - -You can retrieve the list of policies with the kadmin -**list_policies** command. - -.. include:: admin_commands/kadmin_local.rst - :start-after: _get_policy: - :end-before: _get_policy_end: - -.. include:: admin_commands/kadmin_local.rst - :start-after: _list_policies: - :end-before: _list_policies_end: - - -Policies and principals -~~~~~~~~~~~~~~~~~~~~~~~ - -Policies can be applied to principals as they are created by using -the **-policy** flag to :ref:`add_principal`. Existing principals can -be modified by using the **-policy** or **-clearpolicy** flag to -:ref:`modify_principal`. - - -Updating the history key -~~~~~~~~~~~~~~~~~~~~~~~~ - -If a policy specifies a number of old keys kept of two or more, the -stored old keys are encrypted in a history key, which is found in the -key data of the ``kadmin/history`` principal. - -Currently there is no support for proper rollover of the history key, -but you can change the history key (for example, to use a better -encryption type) at the cost of invalidating currently stored old -keys. To change the history key, run:: - - kadmin: change_password -randkey kadmin/history - -This command will fail if you specify the **-keepold** flag. Only one -new history key will be created, even if you specify multiple key/salt -combinations. - -In the future, we plan to migrate towards encrypting old keys in the -master key instead of the history key, and implementing proper -rollover support for stored old keys. - - -.. _privileges: - -Privileges ----------- - -Administrative privileges for the Kerberos database are stored in the -file :ref:`kadm5.acl(5)`. - -.. note:: - - A common use of an admin instance is so you can grant - separate permissions (such as administrator access to the - Kerberos database) to a separate Kerberos principal. For - example, the user ``joeadmin`` might have a principal for - his administrative use, called ``joeadmin/admin``. This - way, ``joeadmin`` would obtain ``joeadmin/admin`` tickets - only when he actually needs to use those permissions. - - -.. _db_operations: - -Operations on the Kerberos database ------------------------------------ - -The :ref:`kdb5_util(8)` command is the primary tool for administrating -the Kerberos database. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_synopsis: - :end-before: _kdb5_util_synopsis_end: - -**OPTIONS** - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_options: - :end-before: _kdb5_util_options_end: - -.. toctree:: - :maxdepth: 1 - - -Dumping a Kerberos database to a file -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To dump a Kerberos database into a file, use the :ref:`kdb5_util(8)` -**dump** command on one of the KDCs. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_dump: - :end-before: _kdb5_util_dump_end: - - -Examples -######## - -:: - - shell% kdb5_util dump dumpfile - shell% - - shell% kbd5_util dump -verbose dumpfile - kadmin/admin@ATHENA.MIT.EDU - krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - kadmin/history@ATHENA.MIT.EDU - K/M@ATHENA.MIT.EDU - kadmin/changepw@ATHENA.MIT.EDU - shell% - -If you specify which principals to dump, you must use the full -principal, as in the following example:: - - shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU - kadmin/admin@ATHENA.MIT.EDU - K/M@ATHENA.MIT.EDU - shell% - -Otherwise, the principals will not match those in the database and -will not be dumped:: - - shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin - shell% - -If you do not specify a dump file, kdb5_util will dump the database to -the standard output. - - -.. _restore_from_dump: - -Restoring a Kerberos database from a dump file -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -To restore a Kerberos database dump from a file, use the -:ref:`kdb5_util(8)` **load** command on one of the KDCs. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_load: - :end-before: _kdb5_util_load_end: - - -Examples -######## - -To load a single principal, either replacing or updating the database: - -:: - - shell% kdb5_util load dumpfile principal - shell% - - shell% kdb5_util load -update dumpfile principal - shell% - - -.. note:: - - If the database file exists, and the *-update* flag was not - given, *kdb5_util* will overwrite the existing database. - -Using kdb5_util to upgrade a master KDC from krb5 1.1.x: - -:: - - shell% kdb5_util dump old-kdb-dump - shell% kdb5_util dump -ov old-kdb-dump.ov - [Create a new KDC installation, using the old stash file/master password] - shell% kdb5_util load old-kdb-dump - shell% kdb5_util load -update old-kdb-dump.ov - -The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x. - -.. note:: - - Using kdb5_util to dump and reload the principal database is - only necessary when upgrading from versions of krb5 prior - to 1.2.0---newer versions will use the existing database as-is. - - -.. _create_stash: - -Creating a stash file -~~~~~~~~~~~~~~~~~~~~~ - -A stash file allows a KDC to authenticate itself to the database -utilities, such as :ref:`kadmind(8)`, :ref:`krb5kdc(8)`, and -:ref:`kdb5_util(8)`. - -To create a stash file, use the :ref:`kdb5_util(8)` **stash** command. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_stash: - :end-before: _kdb5_util_stash_end: - - -Example -####### - - shell% kdb5_util stash - kdb5_util: Cannot find/read stored master key while reading master key - kdb5_util: Warning: proceeding without master key - Enter KDC database master key: <= Type the KDC database master password. - shell% - -If you do not specify a stash file, kdb5_util will stash the key in -the file specified in your :ref:`kdc.conf(5)` file. - - -Creating and destroying a Kerberos database -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to create a new Kerberos database, use the -:ref:`kdb5_util(8)` **create** command. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_create: - :end-before: _kdb5_util_create_end: - -If you need to destroy the current Kerberos database, use the -:ref:`kdb5_util(8)` **destroy** command. - -.. include:: admin_commands/kdb5_util.rst - :start-after: _kdb5_util_destroy: - :end-before: _kdb5_util_destroy_end: - - -Examples -######## - -:: - - shell% kdb5_util -r ATHENA.MIT.EDU create -s - Loading random data - Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', - master key name 'K/M@ATHENA.MIT.EDU' - You will be prompted for the database Master Password. - It is important that you NOT FORGET this password. - Enter KDC database master key: <= Type the master password. - Re-enter KDC database master key to verify: <= Type it again. - shell% - - shell% kdb5_util -r ATHENA.MIT.EDU destroy - Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure? - (type 'yes' to confirm)? <= yes - OK, deleting database '/usr/local/var/krb5kdc/principal'... - ** Database '/usr/local/var/krb5kdc/principal' destroyed. - shell% - - -Updating the master key -~~~~~~~~~~~~~~~~~~~~~~~ - -Starting with release 1.7, :ref:`kdb5_util(8)` allows the master key -to be changed using a rollover process, with minimal loss of -availability. To roll over the master key, follow these steps: - -#. On the master KDC, run ``kdb5_util list_mkeys`` to view the current - master key version number (KVNO). If you have never rolled over - the master key before, this will likely be version 1:: - - $ kdb5_util list_mkeys - Master keys for Principal: K/M@KRBTEST.COM - KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 * - -#. On the master KDC, run ``kdb5_util use_mkey 1`` to ensure that a - master key activation list is present in the database. This step - is unnecessary in release 1.11.4 or later, or if the database was - initially created with release 1.7 or later. - -#. On the master KDC, run ``kdb5_util add_mkey -s`` to create a new - master key and write it to the stash file. Enter a secure password - when prompted. If this is the first time you are changing the - master key, the new key will have version 2. The new master key - will not be used until you make it active. - -#. Propagate the database to all slave KDCs, either manually or by - waiting until the next scheduled propagation. If you do not have - any slave KDCs, you can skip this and the next step. - -#. On each slave KDC, run ``kdb5_util list_mkeys`` to verify that the - new master key is present, and then ``kdb5_util stash`` to write - the new master key to the slave KDC's stash file. - -#. On the master KDC, run ``kdb5_util use_mkey 2`` to begin using the - new master key. Replace ``2`` with the version of the new master - key, as appropriate. You can optionally specify a date for the new - master key to become active; by default, it will become active - immediately. Prior to release 1.12, :ref:`kadmind(8)` must be - restarted for this change to take full effect. - -#. On the master KDC, run ``kdb5_util update_princ_encryption``. This - command will iterate over the database and re-encrypt all keys in - the new master key. If the database is large and uses DB2, the - master KDC will become unavailable while this command runs, but - clients should fail over to slave KDCs (if any are present) during - this time period. In release 1.13 and later, you can instead run - ``kdb5_util -x unlockiter update_princ_encryption`` to use unlocked - iteration; this variant will take longer, but will keep the - database available to the KDC and kadmind while it runs. - -#. On the master KDC, run ``kdb5_util purge_mkeys`` to clean up the - old master key. - - -.. _ops_on_ldap: - -Operations on the LDAP database -------------------------------- - -The :ref:`kdb5_ldap_util(8)` is the primary tool for administrating -the Kerberos LDAP database. It allows an administrator to manage -realms, Kerberos services (KDC and Admin Server) and ticket policies. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_synopsis: - :end-before: _kdb5_ldap_util_synopsis_end: - -**OPTIONS** - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_options: - :end-before: _kdb5_ldap_util_options_end: - - -.. _ldap_create_realm: - -Creating a Kerberos realm -~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to create a new realm, use the :ref:`kdb5_ldap_util(8)` -**create** command as follows. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_create: - :end-before: _kdb5_ldap_util_create_end: - - -.. _ldap_mod_realm: - -Modifying a Kerberos realm -~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to modify a realm, use the :ref:`kdb5_ldap_util(8)` -**modify** command as follows. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_modify: - :end-before: _kdb5_ldap_util_modify_end: - - -Destroying a Kerberos realm -~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to destroy a Kerberos realm, use the -:ref:`kdb5_ldap_util(8)` **destroy** command as follows. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_destroy: - :end-before: _kdb5_ldap_util_destroy_end: - - -Retrieving information about a Kerberos realm -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to display the attributes of a realm, use the -:ref:`kdb5_ldap_util(8)` **view** command as follows. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_view: - :end-before: _kdb5_ldap_util_view_end: - - -Listing available Kerberos realms -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -If you need to display the list of the realms, use the -:ref:`kdb5_ldap_util(8)` **list** command as follows. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_list: - :end-before: _kdb5_ldap_util_list_end: - - -.. _stash_ldap: - -Stashing service object's password -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The :ref:`kdb5_ldap_util(8)` **stashsrvpw** command allows an -administrator to store the password of service object in a file. The -KDC and Administration server uses this password to authenticate to -the LDAP server. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_stashsrvpw: - :end-before: _kdb5_ldap_util_stashsrvpw_end: - - -Ticket Policy operations -~~~~~~~~~~~~~~~~~~~~~~~~ - -Creating a Ticket Policy -######################## - -To create a new ticket policy in directory , use the -:ref:`kdb5_ldap_util(8)` **create_policy** command. Ticket policy -objects are created under the realm container. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_create_policy: - :end-before: _kdb5_ldap_util_create_policy_end: - - -Modifying a Ticket Policy -######################### - -To modify a ticket policy in directory, use the -:ref:`kdb5_ldap_util(8)` **modify_policy** command. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_modify_policy: - :end-before: _kdb5_ldap_util_modify_policy_end: - - -Retrieving Information About a Ticket Policy -############################################ - -To display the attributes of a ticket policy, use the -:ref:`kdb5_ldap_util(8)` **view_policy** command. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_view_policy: - :end-before: _kdb5_ldap_util_view_policy_end: - - -Destroying a Ticket Policy -########################## - -To destroy an existing ticket policy, use the :ref:`kdb5_ldap_util(8)` -**destroy_policy** command. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_destroy_policy: - :end-before: _kdb5_ldap_util_destroy_policy_end: - - -Listing available Ticket Policies -################################# - -To list the name of ticket policies in a realm, use the -:ref:`kdb5_ldap_util(8)` **list_policy** command. - -.. include:: admin_commands/kdb5_ldap_util.rst - :start-after: _kdb5_ldap_util_list_policy: - :end-before: _kdb5_ldap_util_list_policy_end: - - -.. _xrealm_authn: - -Cross-realm authentication --------------------------- - -In order for a KDC in one realm to authenticate Kerberos users in a -different realm, it must share a key with the KDC in the other realm. -In both databases, there must be krbtgt service principals for both realms. -For example, if you need to do cross-realm authentication between the realms -``ATHENA.MIT.EDU`` and ``EXAMPLE.COM``, you would need to add the -principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and -``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. -These principals must all have the same passwords, key version -numbers, and encryption types; this may require explicitly setting -the key version number with the **-kvno** option. - -In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators -would run the following commands on the KDCs in both realms:: - - shell%: kadmin.local -e "aes256-cts:normal" - kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM - Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: - Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: - kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU - Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: - Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: - kadmin: - -.. note:: - - Even if most principals in a realm are generally created - with the **requires_preauth** flag enabled, this flag is not - desirable on cross-realm authentication keys because doing - so makes it impossible to disable preauthentication on a - service-by-service basis. Disabling it as in the example - above is recommended. - -.. note:: - - It is very important that these principals have good - passwords. MIT recommends that TGT principal passwords be - at least 26 characters of random ASCII text. - - -.. _changing_krbtgt_key: - -Changing the krbtgt key ------------------------ - -A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the -principal ``krbtgt/REALM``. The key for this principal is created -when the Kerberos database is initialized and need not be changed. -However, it will only have the encryption types supported by the KDC -at the time of the initial database creation. To allow use of newer -encryption types for the TGT, this key has to be changed. - -Changing this key using the normal :ref:`kadmin(1)` -**change_password** command would invalidate any previously issued -TGTs. Therefore, when changing this key, normally one should use the -**-keepold** flag to change_password to retain the previous key in the -database as well as the new key. For example:: - - kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - -.. warning:: - - After issuing this command, the old key is still valid - and is still vulnerable to (for instance) brute force - attacks. To completely retire an old key or encryption - type, run the kadmin **purgekeys** command to delete keys - with older kvnos, ideally first making sure that all - tickets issued with the old keys have expired. - -Only the first krbtgt key of the newest key version is used to encrypt -ticket-granting tickets. However, the set of encryption types present -in the krbtgt keys is used by default to determine the session key -types supported by the krbtgt service (see -:ref:`session_key_selection`). Because non-MIT Kerberos clients -sometimes send a limited set of encryption types when making AS -requests, it can be important to for the krbtgt service to support -multiple encryption types. This can be accomplished by giving the -krbtgt principal multiple keys, which is usually as simple as not -specifying any **-e** option when changing the krbtgt key, or by -setting the **session_enctypes** string attribute on the krbtgt -principal (see :ref:`set_string`). - -Due to a bug in releases 1.8 through 1.13, renewed and forwarded -tickets may not work if the original ticket was obtained prior to a -krbtgt key change and the modified ticket is obtained afterwards. -Upgrading the KDC to release 1.14 or later will correct this bug. - - -.. _incr_db_prop: - -Incremental database propagation --------------------------------- - -Overview -~~~~~~~~ - -At some very large sites, dumping and transmitting the database can -take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support -added in the 1.7 release is intended to address this. - -With incremental propagation enabled, all programs on the master KDC -that change the database also write information about the changes to -an "update log" file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the :ref:`kadmind(8)` server) and -periodically requests the changes that have been made since the last -check. By default, this check is done every two minutes. If the -database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time. - -Incremental propagation uses the following entries in the per-realm -data in the KDC config file (See :ref:`kdc.conf(5)`): - -====================== =============== =========================================== -iprop_enable *boolean* If *true*, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is *false*. -iprop_master_ulogsize *integer* Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. -iprop_slave_poll *time interval* Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes. -iprop_port *integer* Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. -iprop_resync_timeout *integer* Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes). -iprop_logfile *file name* Specifies where the update log file for the realm database is to be stored. The default is to use the *database_name* entry from the realms section of the config file :ref:`kdc.conf(5)`, with *.ulog* appended. (NOTE: If database_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the *dbmodules* section, then the hard-coded default for *database_name* is used. Determination of the *iprop_logfile* default value will not use values from the *dbmodules* section.) -====================== =============== =========================================== - -Both master and slave sides must have a principal named -``kiprop/hostname`` (where *hostname* is the lowercase, -fully-qualified, canonical name for the host) registered in the -Kerberos database, and have keys for that principal stored in the -default keytab file (|keytab|). In release 1.13, the -``kiprop/hostname`` principal is created automatically for the master -KDC, but it must still be created for slave KDCs. - -On the master KDC side, the ``kiprop/hostname`` principal must be -listed in the kadmind ACL file :ref:`kadm5.acl(5)`, and given the -**p** privilege (see :ref:`privileges`). - -On the slave KDC side, :ref:`kpropd(8)` should be run. When -incremental propagation is enabled, it will connect to the kadmind on -the master KDC and start requesting updates. - -The normal kprop mechanism is disabled by the incremental propagation -support. However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed. - -If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run ``kadmind -proponly`` on each -intermediate slave, and ``kpropd -A upstreamhostname`` on downstream -slaves to direct each one to the appropriate upstream slave. - -There are several known restrictions in the current implementation: - -- The incremental update protocol does not transport changes to policy - objects. Any policy changes on the master will result in full - resyncs to all slaves. -- The slave's KDB module must support locking; it cannot be using the - LDAP KDB module. -- The master and slave must be able to initiate TCP connections in - both directions, without an intervening NAT. - - -Sun/MIT incremental propagation differences -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Sun donated the original code for supporting incremental database -propagation to MIT. Some changes have been made in the MIT source -tree that will be visible to administrators. (These notes are based -on Sun's patches. Changes to Sun's implementation since then may not -be reflected here.) - -The Sun config file support looks for ``sunw_dbprop_enable``, -``sunw_dbprop_master_ulogsize``, and ``sunw_dbprop_slave_poll``. - -The incremental propagation service is implemented as an ONC RPC -service. In the Sun implementation, the service is registered with -rpcbind (also known as portmapper) and the client looks up the port -number to contact. In the MIT implementation, where interaction with -some modern versions of rpcbind doesn't always work well, the port -number must be specified in the config file on both the master and -slave sides. - -The Sun implementation hard-codes pathnames in ``/var/krb5`` for the -update log and the per-slave kprop dump files. In the MIT -implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -|kdcdir|\ ``/slave_datatrans_hostname``. diff --git a/doc/html/_sources/admin/enctypes.txt b/doc/html/_sources/admin/enctypes.txt deleted file mode 100644 index 3cdfc92..0000000 --- a/doc/html/_sources/admin/enctypes.txt +++ /dev/null @@ -1,146 +0,0 @@ -.. _enctypes: - -Encryption types -================ - -Kerberos can use a variety of cipher algorithms to protect data. A -Kerberos **encryption type** (also known as an **enctype**) is a -specific combination of a cipher algorithm with an integrity algorithm -to provide both confidentiality and integrity to data. - - -Enctypes in requests --------------------- - -Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and -TGS-REQs. The client uses the AS-REQ to obtain initial tickets -(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to -obtain service tickets. - -The KDC uses three different keys when issuing a ticket to a client: - -* The long-term key of the service: the KDC uses this to encrypt the - actual service ticket. The KDC only uses the first long-term key in - the most recent kvno for this purpose. - -* The session key: the KDC randomly chooses this key and places one - copy inside the ticket and the other copy inside the encrypted part - of the reply. - -* The reply-encrypting key: the KDC uses this to encrypt the reply it - sends to the client. For AS replies, this is a long-term key of the - client principal. For TGS replies, this is either the session key of the - authenticating ticket, or a subsession key. - -Each of these keys is of a specific enctype. - -Each request type allows the client to submit a list of enctypes that -it is willing to accept. For the AS-REQ, this list affects both the -session key selection and the reply-encrypting key selection. For the -TGS-REQ, this list only affects the session key selection. - - -.. _session_key_selection: - -Session key selection ---------------------- - -The KDC chooses the session key enctype by taking the intersection of -its **permitted_enctypes** list, the list of long-term keys for the -most recent kvno of the service, and the client's requested list of -enctypes. If **allow_weak_crypto** is true, all services are assumed -to support des-cbc-crc. - -Starting in krb5-1.11, **des_crc_session_supported** in -:ref:`kdc.conf(5)` allows additional control over whether the KDC -issues des-cbc-crc session keys. - -Also starting in krb5-1.11, it is possible to set a string attribute -on a service principal to control what session key enctypes the KDC -may issue for service tickets for that principal. See -:ref:`set_string` in :ref:`kadmin(1)` for details. - - -Choosing enctypes for a service -------------------------------- - -Generally, a service should have a key of the strongest -enctype that both it and the KDC support. If the KDC is running a -release earlier than krb5-1.11, it is also useful to generate an -additional key for each enctype that the service can support. The KDC -will only use the first key in the list of long-term keys for encrypting -the service ticket, but the additional long-term keys indicate the -other enctypes that the service supports. - -As noted above, starting with release krb5-1.11, there are additional -configuration settings that control session key enctype selection -independently of the set of long-term keys that the KDC has stored for -a service principal. - - -Configuration variables ------------------------ - -The following ``[libdefaults]`` settings in :ref:`krb5.conf(5)` will -affect how enctypes are chosen. - -**allow_weak_crypto** - defaults to *false* starting with krb5-1.8. When *false*, removes - single-DES enctypes (and other weak enctypes) from - **permitted_enctypes**, **default_tkt_enctypes**, and - **default_tgs_enctypes**. Do not set this to *true* unless the - use of weak enctypes is an acceptable risk for your environment - and the weak enctypes are required for backward compatibility. - -**permitted_enctypes** - controls the set of enctypes that a service will accept as session - keys. - -**default_tkt_enctypes** - controls the default set of enctypes that the Kerberos client - library requests when making an AS-REQ. Do not set this unless - required for specific backward compatibility purposes; stale - values of this setting can prevent clients from taking advantage - of new stronger enctypes when the libraries are upgraded. - -**default_tgs_enctypes** - controls the default set of enctypes that the Kerberos client - library requests when making a TGS-REQ. Do not set this unless - required for specific backward compatibility purposes; stale - values of this setting can prevent clients from taking advantage - of new stronger enctypes when the libraries are upgraded. - -The following per-realm setting in :ref:`kdc.conf(5)` affects the -generation of long-term keys. - -**supported_enctypes** - controls the default set of enctype-salttype pairs that :ref:`kadmind(8)` - will use for generating long-term keys, either randomly or from - passwords - - -Enctype compatibility ---------------------- - -See :ref:`Encryption_types` for additional information about enctypes. - -========================== ===== ======== ======= -enctype weak? krb5 Windows -========================== ===== ======== ======= -des-cbc-crc weak all >=2000 -des-cbc-md4 weak all ? -des-cbc-md5 weak all >=2000 -des3-cbc-sha1 >=1.1 none -arcfour-hmac >=1.3 >=2000 -arcfour-hmac-exp weak >=1.3 >=2000 -aes128-cts-hmac-sha1-96 >=1.3 >=Vista -aes256-cts-hmac-sha1-96 >=1.3 >=Vista -aes128-cts-hmac-sha256-128 >=1.15 none -aes256-cts-hmac-sha384-192 >=1.15 none -camellia128-cts-cmac >=1.9 none -camellia256-cts-cmac >=1.9 none -========================== ===== ======== ======= - -krb5 releases 1.8 and later disable the single-DES enctypes by -default. Microsoft Windows releases Windows 7 and later disable -single-DES enctypes by default. diff --git a/doc/html/_sources/admin/env_variables.txt b/doc/html/_sources/admin/env_variables.txt deleted file mode 100644 index 0c146d3..0000000 --- a/doc/html/_sources/admin/env_variables.txt +++ /dev/null @@ -1,46 +0,0 @@ -Environment variables -===================== - -The following environment variables can be used during runtime: - -**KRB5_CONFIG** - Main Kerberos configuration file. Multiple filenames can be - specified, separated by a colon; all files which are present will - be read. (See :ref:`mitK5defaults` for the default path.) - -**KRB5_KDC_PROFILE** - KDC configuration file. (See :ref:`mitK5defaults` for the default - name.) - -**KRB5_KTNAME** - Default keytab file name. (See :ref:`mitK5defaults` for the - default name.) - -**KRB5_CLIENT_KTNAME** - Default client keytab file name. (See :ref:`mitK5defaults` for - the default name.) - -**KRB5CCNAME** - Default name for the credentials cache file, in the form *type*\:\ - *residual*. The type of the default cache may determine the - availability of a cache collection. For instance, a default cache - of type ``DIR`` causes caches within the directory to be present - in the global cache collection. - -**KRB5RCACHETYPE** - Default replay cache type. Defaults to ``dfl``. A value of - ``none`` disables the replay cache. - -**KRB5RCACHEDIR** - Default replay cache directory. (See :ref:`mitK5defaults` for the - default location.) - -**KPROP_PORT** - :ref:`kprop(8)` port to use. Defaults to 754. - -**KRB5_TRACE** - Filename for trace-logging output (introduced in release 1.9). - For example, ``env KRB5_TRACE=/dev/stdout kinit`` would send - tracing information for kinit to ``/dev/stdout``. Some programs - may ignore this variable (particularly setuid or login system - programs). diff --git a/doc/html/_sources/admin/host_config.txt b/doc/html/_sources/admin/host_config.txt deleted file mode 100644 index 6df2504..0000000 --- a/doc/html/_sources/admin/host_config.txt +++ /dev/null @@ -1,231 +0,0 @@ -Host configuration -================== - -All hosts running Kerberos software, whether they are clients, -application servers, or KDCs, can be configured using -:ref:`krb5.conf(5)`. Here we describe some of the behavior changes -you might want to make. - - -Default realm -------------- - -In the :ref:`libdefaults` section, the **default_realm** realm -relation sets the default Kerberos realm. For example:: - - [libdefaults] - default_realm = ATHENA.MIT.EDU - -The default realm affects Kerberos behavior in the following ways: - -* When a principal name is parsed from text, the default realm is used - if no ``@REALM`` component is specified. - -* The default realm affects login authorization as described below. - -* For programs which operate on a Kerberos database, the default realm - is used to determine which database to operate on, unless the **-r** - parameter is given to specify a realm. - -* A server program may use the default realm when looking up its key - in a :ref:`keytab file `, if its realm is not - determined by :ref:`domain_realm` configuration or by the server - program itself. - -* If :ref:`kinit(1)` is passed the **-n** flag, it requests anonymous - tickets from the default realm. - -In some situations, these uses of the default realm might conflict. -For example, it might be desirable for principal name parsing to use -one realm by default, but for login authorization to use a second -realm. In this situation, the first realm can be configured as the -default realm, and **auth_to_local** relations can be used as -described below to use the second realm for login authorization. - - -.. _login_authorization: - -Login authorization -------------------- - -If a host runs a Kerberos-enabled login service such as OpenSSH with -GSSAPIAuthentication enabled, login authorization rules determine -whether a Kerberos principal is allowed to access a local account. - -By default, a Kerberos principal is allowed access to an account if -its realm matches the default realm and its name matches the account -name. (For historical reasons, access is also granted by default if -the name has two components and the second component matches the -default realm; for instance, ``alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU`` -is granted access to the ``alice`` account if ``ATHENA.MIT.EDU`` is -the default realm.) - -The simplest way to control local access is using :ref:`.k5login(5)` -files. To use these, place a ``.k5login`` file in the home directory -of each account listing the principal names which should have login -access to that account. If it is not desirable to use ``.k5login`` -files located in account home directories, the **k5login_directory** -relation in the :ref:`libdefaults` section can specify a directory -containing one file per account uname. - -By default, if a ``.k5login`` file is present, it controls -authorization both positively and negatively--any principal name -contained in the file is granted access and any other principal name -is denied access, even if it would have had access if the ``.k5login`` -file didn't exist. The **k5login_authoritative** relation in the -:ref:`libdefaults` section can be set to false to make ``.k5login`` -files provide positive authorization only. - -The **auth_to_local** relation in the :ref:`realms` section for the -default realm can specify pattern-matching rules to control login -authorization. For example, the following configuration allows access -to principals from a different realm than the default realm:: - - [realms] - DEFAULT.REALM = { - # Allow access to principals from OTHER.REALM. - # - # [1:$1@$0] matches single-component principal names and creates - # a selection string containing the principal name and realm. - # - # (.*@OTHER\.REALM) matches against the selection string, so that - # only principals in OTHER.REALM are matched. - # - # s/@OTHER\.REALM$// removes the realm name, leaving behind the - # principal name as the acount name. - auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$// - - # Also allow principals from the default realm. Omit this line - # to only allow access to principals in OTHER.REALM. - auth_to_local = DEFAULT - } - -The **auth_to_local_names** subsection of the :ref:`realms` section -for the default realm can specify explicit mappings from principal -names to local accounts. The key used in this subsection is the -principal name without realm, so it is only safe to use in a Kerberos -environment with a single realm or a tightly controlled set of realms. -An example use of **auth_to_local_names** might be:: - - [realms] - ATHENA.MIT.EDU = { - auth_to_local_names = { - # Careful, these match principals in any realm! - host/example.com = hostaccount - fred = localfred - } - } - -Local authorization behavior can also be modified using plugin -modules; see :ref:`hostrealm_plugin` for details. - - -.. _plugin_config: - -Plugin module configuration ---------------------------- - -Many aspects of Kerberos behavior, such as client preauthentication -and KDC service location, can be modified through the use of plugin -modules. For most of these behaviors, you can use the :ref:`plugins` -section of krb5.conf to register third-party modules, and to switch -off registered or built-in modules. - -A plugin module takes the form of a Unix shared object -(``modname.so``) or Windows DLL (``modname.dll``). If you have -installed a third-party plugin module and want to register it, you do -so using the **module** relation in the appropriate subsection of the -[plugins] section. The value for **module** must give the module name -and the path to the module, separated by a colon. The module name -will often be the same as the shared object's name, but in unusual -cases (such as a shared object which implements multiple modules for -the same interface) it might not be. For example, to register a -client preauthentication module named ``mypreauth`` installed at -``/path/to/mypreauth.so``, you could write:: - - [plugins] - clpreauth = { - module = mypreauth:/path/to/mypreauth.so - } - -Many of the pluggable behaviors in MIT krb5 contain built-in modules -which can be switched off. You can disable a built-in module (or one -you have registered) using the **disable** directive in the -appropriate subsection of the [plugins] section. For example, to -disable the use of .k5identity files to select credential caches, you -could write:: - - [plugins] - ccselect = { - disable = k5identity - } - -If you want to disable multiple modules, specify the **disable** -directive multiple times, giving one module to disable each time. - -Alternatively, you can explicitly specify which modules you want to be -enabled for that behavior using the **enable_only** directive. For -example, to make :ref:`kadmind(8)` check password quality using only a -module you have registered, and no other mechanism, you could write:: - - [plugins] - pwqual = { - module = mymodule:/path/to/mymodule.so - enable_only = mymodule - } - -Again, if you want to specify multiple modules, specify the -**enable_only** directive multiple times, giving one module to enable -each time. - -Some Kerberos interfaces use different mechanisms to register plugin -modules. - - -KDC location modules -~~~~~~~~~~~~~~~~~~~~ - -For historical reasons, modules to control how KDC servers are located -are registered simply by placing the shared object or DLL into the -"libkrb5" subdirectory of the krb5 plugin directory, which defaults to -|libdir|\ ``/krb5/plugins``. For example, Samba's winbind krb5 -locator plugin would be registered by placing its shared object in -|libdir|\ ``/krb5/plugins/libkrb5/winbind_krb5_locator.so``. - - -.. _gssapi_plugin_config: - -GSSAPI mechanism modules -~~~~~~~~~~~~~~~~~~~~~~~~ - -GSSAPI mechanism modules are registered using the file -``/etc/gss/mech`` or configuration files in the ``/etc/gss/mech.d/`` -directory. Only files with a ``.conf`` suffix will be read from the -``/etc/gss/mech.d/`` directory. Each line in these files has the -form:: - - oid pathname [options] - -Only the oid and pathname are required. *oid* is the object -identifier of the GSSAPI mechanism to be registered. *pathname* is a -path to the module shared object or DLL. *options* (if present) are -options provided to the plugin module, surrounded in square brackets. -*type* (if present) can be used to indicate a special type of module. -Currently the only special module type is "interposer", for a module -designed to intercept calls to other mechanisms. - - -.. _profile_plugin_config: - -Configuration profile modules -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -A configuration profile module replaces the information source for -:ref:`krb5.conf(5)` itself. To use a profile module, begin krb5.conf -with the line:: - - module PATHNAME:STRING - -where *PATHNAME* is a path to the module shared object or DLL, and -*STRING* is a string to provide to the module. The module will then -take over, and the rest of krb5.conf will be ignored. diff --git a/doc/html/_sources/admin/https.txt b/doc/html/_sources/admin/https.txt deleted file mode 100644 index b4e68b2..0000000 --- a/doc/html/_sources/admin/https.txt +++ /dev/null @@ -1,48 +0,0 @@ -.. _https: - -HTTPS proxy configuration -========================= - -In addition to being able to use UDP or TCP to communicate directly -with a KDC as is outlined in RFC4120, and with kpasswd services in a -similar fashion, the client libraries can attempt to use an HTTPS -proxy server to communicate with a KDC or kpasswd service, using the -protocol outlined in [MS-KKDCP]. - -Communicating with a KDC through an HTTPS proxy allows clients to -contact servers when network firewalls might otherwise prevent them -from doing so. The use of TLS also encrypts all traffic between the -clients and the KDC, preventing observers from conducting password -dictionary attacks or from observing the client and server principals -being authenticated, at additional computational cost to both clients -and servers. - -An HTTPS proxy server is provided as a feature in some versions of -Microsoft Windows Server, and a WSGI implementation named `kdcproxy` -is available in the python package index. - - -Configuring the clients ------------------------ - -To use an HTTPS proxy, a client host must trust the CA which issued -that proxy's SSL certificate. If that CA's certificate is not in the -system-wide default set of trusted certificates, configure the -following relation in the client host's :ref:`krb5.conf(5)` file in -the appropriate :ref:`realms` subsection:: - - http_anchors = FILE:/etc/krb5/cacert.pem - -Adjust the pathname to match the path of the file which contains a -copy of the CA's certificate. The `http_anchors` option is documented -more fully in :ref:`krb5.conf(5)`. - -Configure the client to access the KDC and kpasswd service by -specifying their locations in its :ref:`krb5.conf(5)` file in the form -of HTTPS URLs for the proxy server:: - - kdc = https://server.fqdn/KdcProxy - kpasswd_server = https://server.fqdn/KdcProxy - -If the proxy and client are properly configured, client commands such -as ``kinit``, ``kvno``, and ``kpasswd`` should all function normally. diff --git a/doc/html/_sources/admin/index.txt b/doc/html/_sources/admin/index.txt deleted file mode 100644 index b702f40..0000000 --- a/doc/html/_sources/admin/index.txt +++ /dev/null @@ -1,31 +0,0 @@ -For administrators -================== - -.. toctree:: - :maxdepth: 1 - - install.rst - conf_files/index.rst - realm_config.rst - database.rst - lockout.rst - conf_ldap.rst - appl_servers.rst - host_config.rst - backup_host.rst - pkinit.rst - otp.rst - princ_dns.rst - enctypes.rst - https.rst - auth_indicator.rst - -.. toctree:: - :maxdepth: 1 - - admin_commands/index.rst - ../mitK5defaults.rst - env_variables.rst - troubleshoot.rst - advanced/index.rst - various_envs.rst diff --git a/doc/html/_sources/admin/install.txt b/doc/html/_sources/admin/install.txt deleted file mode 100644 index a79bda9..0000000 --- a/doc/html/_sources/admin/install.txt +++ /dev/null @@ -1,21 +0,0 @@ -Installation guide -================== - -Contents --------- - -.. toctree:: - :maxdepth: 2 - - install_kdc.rst - install_clients.rst - install_appl_srv.rst - - -Additional references ---------------------- - -#. Debian: `Setting up MIT Kerberos 5 - `_ -#. Solaris: `Configuring the Kerberos Service - `_ diff --git a/doc/html/_sources/admin/install_appl_srv.txt b/doc/html/_sources/admin/install_appl_srv.txt deleted file mode 100644 index 1490500..0000000 --- a/doc/html/_sources/admin/install_appl_srv.txt +++ /dev/null @@ -1,83 +0,0 @@ -UNIX Application Servers -======================== - -An application server is a host that provides one or more services -over the network. Application servers can be "secure" or "insecure." -A "secure" host is set up to require authentication from every client -connecting to it. An "insecure" host will still provide Kerberos -authentication, but will also allow unauthenticated clients to -connect. - -If you have Kerberos V5 installed on all of your client machines, MIT -recommends that you make your hosts secure, to take advantage of the -security that Kerberos authentication affords. However, if you have -some clients that do not have Kerberos V5 installed, you can run an -insecure server, and still take advantage of Kerberos V5's single -sign-on capability. - - -.. _keytab_file: - -The keytab file ---------------- - -All Kerberos server machines need a keytab file to authenticate to the -KDC. By default on UNIX-like systems this file is named |keytab|. -The keytab file is an local copy of the host's key. The keytab file -is a potential point of entry for a break-in, and if compromised, -would allow unrestricted access to its host. The keytab file should -be readable only by root, and should exist only on the machine's local -disk. The file should not be part of any backup of the machine, -unless access to the backup data is secured as tightly as access to -the machine's root password. - -In order to generate a keytab for a host, the host must have a -principal in the Kerberos database. The procedure for adding hosts to -the database is described fully in :ref:`add_mod_del_princs`. (See -:ref:`slave_host_key` for a brief description.) The keytab is -generated by running :ref:`kadmin(1)` and issuing the :ref:`ktadd` -command. - -For example, to generate a keytab file to allow the host -``trillium.mit.edu`` to authenticate for the services host, ftp, and -pop, the administrator ``joeadmin`` would issue the command (on -``trillium.mit.edu``):: - - trillium% kadmin - kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu - pop/trillium.mit.edu - kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES-CBC-CRC added to keytab - FILE:/etc/krb5.keytab. - kadmin5: quit - trillium% - -If you generate the keytab file on another host, you need to get a -copy of the keytab file onto the destination host (``trillium``, in -the above example) without sending it unencrypted over the network. - - -Some advice about secure hosts ------------------------------- - -Kerberos V5 can protect your host from certain types of break-ins, but -it is possible to install Kerberos V5 and still leave your host -vulnerable to attack. Obviously an installation guide is not the -place to try to include an exhaustive list of countermeasures for -every possible attack, but it is worth noting some of the larger holes -and how to close them. - -We recommend that backups of secure machines exclude the keytab file -(|keytab|). If this is not possible, the backups should at least be -done locally, rather than over a network, and the backup tapes should -be physically secured. - -The keytab file and any programs run by root, including the Kerberos -V5 binaries, should be kept on local disk. The keytab file should be -readable only by root. diff --git a/doc/html/_sources/admin/install_clients.txt b/doc/html/_sources/admin/install_clients.txt deleted file mode 100644 index f2c87d0..0000000 --- a/doc/html/_sources/admin/install_clients.txt +++ /dev/null @@ -1,58 +0,0 @@ -Installing and configuring UNIX client machines -=============================================== - -The Kerberized client programs include :ref:`kinit(1)`, -:ref:`klist(1)`, :ref:`kdestroy(1)`, and :ref:`kpasswd(1)`. All of -these programs are in the directory |bindir|. - -You can often integrate Kerberos with the login system on client -machines, typically through the use of PAM. The details vary by -operating system, and should be covered in your operating system's -documentation. If you do this, you will need to make sure your users -know to use their Kerberos passwords when they log in. - -You will also need to educate your users to use the ticket management -programs kinit, klist, and kdestroy. If you do not have Kerberos -password changing integrated into the native password program (again, -typically through PAM), you will need to educate users to use kpasswd -in place of its non-Kerberos counterparts passwd. - - -Client machine configuration files ----------------------------------- - -Each machine running Kerberos should have a :ref:`krb5.conf(5)` file. -At a minimum, it should define a **default_realm** setting in -:ref:`libdefaults`. If you are not using DNS SRV records -(:ref:`kdc_hostnames`) or URI records (:ref:`kdc_discovery`), it must -also contain a :ref:`realms` section containing information for your -realm's KDCs. - -Consider setting **rdns** to false in order to reduce your dependence -on precisely correct DNS information for service hostnames. Turning -this flag off means that service hostnames will be canonicalized -through forward name resolution (which adds your domain name to -unqualified hostnames, and resolves CNAME records in DNS), but not -through reverse address lookup. The default value of this flag is -true for historical reasons only. - -If you anticipate users frequently logging into remote hosts -(e.g., using ssh) using forwardable credentials, consider setting -**forwardable** to true so that users obtain forwardable tickets by -default. Otherwise users will need to use ``kinit -f`` to get -forwardable tickets. - -Consider adjusting the **ticket_lifetime** setting to match the likely -length of sessions for your users. For instance, if most of your -users will be logging in for an eight-hour workday, you could set the -default to ten hours so that tickets obtained in the morning expire -shortly after the end of the workday. Users can still manually -request longer tickets when necessary, up to the maximum allowed by -each user's principal record on the KDC. - -If a client host may access services in different realms, it may be -useful to define a :ref:`domain_realm` mapping so that clients know -which hosts belong to which realms. However, if your clients and KDC -are running release 1.7 or later, it is also reasonable to leave this -section out on client machines and just define it in the KDC's -krb5.conf. diff --git a/doc/html/_sources/admin/install_kdc.txt b/doc/html/_sources/admin/install_kdc.txt deleted file mode 100644 index 5c97fee..0000000 --- a/doc/html/_sources/admin/install_kdc.txt +++ /dev/null @@ -1,533 +0,0 @@ -Installing KDCs -=============== - -When setting up Kerberos in a production environment, it is best to -have multiple slave KDCs alongside with a master KDC to ensure the -continued availability of the Kerberized services. Each KDC contains -a copy of the Kerberos database. The master KDC contains the writable -copy of the realm database, which it replicates to the slave KDCs at -regular intervals. All database changes (such as password changes) -are made on the master KDC. Slave KDCs provide Kerberos -ticket-granting services, but not database administration, when the -master KDC is unavailable. MIT recommends that you install all of -your KDCs to be able to function as either the master or one of the -slaves. This will enable you to easily switch your master KDC with -one of the slaves if necessary (see :ref:`switch_master_slave`). This -installation procedure is based on that recommendation. - -.. warning:: - - - The Kerberos system relies on the availability of correct time - information. Ensure that the master and all slave KDCs have - properly synchronized clocks. - - - It is best to install and run KDCs on secured and dedicated - hardware with limited access. If your KDC is also a file - server, FTP server, Web server, or even just a client machine, - someone who obtained root access through a security hole in any - of those areas could potentially gain access to the Kerberos - database. - - -Install and configure the master KDC ------------------------------------- - -Install Kerberos either from the OS-provided packages or from the -source (See :ref:`do_build`). - -.. note:: - - For the purpose of this document we will use the following - names:: - - kerberos.mit.edu - master KDC - kerberos-1.mit.edu - slave KDC - ATHENA.MIT.EDU - realm name - .k5.ATHENA.MIT.EDU - stash file - admin/admin - admin principal - - See :ref:`mitK5defaults` for the default names and locations - of the relevant to this topic files. Adjust the names and - paths to your system environment. - - -Edit KDC configuration files ----------------------------- - -Modify the configuration files, :ref:`krb5.conf(5)` and -:ref:`kdc.conf(5)`, to reflect the correct information (such as -domain-realm mappings and Kerberos servers names) for your realm. -(See :ref:`mitK5defaults` for the recommended default locations for -these files). - -Most of the tags in the configuration have default values that will -work well for most sites. There are some tags in the -:ref:`krb5.conf(5)` file whose values must be specified, and this -section will explain those. - -If the locations for these configuration files differs from the -default ones, set **KRB5_CONFIG** and **KRB5_KDC_PROFILE** environment -variables to point to the krb5.conf and kdc.conf respectively. For -example:: - - export KRB5_CONFIG=/yourdir/krb5.conf - export KRB5_KDC_PROFILE=/yourdir/kdc.conf - - -krb5.conf -~~~~~~~~~ - -If you are not using DNS TXT records (see :ref:`mapping_hostnames`), -you must specify the **default_realm** in the :ref:`libdefaults` -section. If you are not using DNS URI or SRV records (see -:ref:`kdc_hostnames` and :ref:`kdc_discovery`), you must include the -**kdc** tag for each *realm* in the :ref:`realms` section. To -communicate with the kadmin server in each realm, the **admin_server** -tag must be set in the -:ref:`realms` section. - -An example krb5.conf file:: - - [libdefaults] - default_realm = ATHENA.MIT.EDU - - [realms] - ATHENA.MIT.EDU = { - kdc = kerberos.mit.edu - kdc = kerberos-1.mit.edu - admin_server = kerberos.mit.edu - } - - -kdc.conf -~~~~~~~~ - -The kdc.conf file can be used to control the listening ports of the -KDC and kadmind, as well as realm-specific defaults, the database type -and location, and logging. - -An example kdc.conf file:: - - [kdcdefaults] - kdc_listen = 88 - kdc_tcp_listen = 88 - - [realms] - ATHENA.MIT.EDU = { - kadmind_port = 749 - max_life = 12h 0m 0s - max_renewable_life = 7d 0h 0m 0s - master_key_type = aes256-cts - supported_enctypes = aes256-cts:normal aes128-cts:normal - # If the default location does not suit your setup, - # explicitly configure the following values: - # database_name = /var/krb5kdc/principal - # key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU - # acl_file = /var/krb5kdc/kadm5.acl - } - - [logging] - # By default, the KDC and kadmind will log output using - # syslog. You can instead send log output to files like this: - kdc = FILE:/var/log/krb5kdc.log - admin_server = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5lib.log - -Replace ``ATHENA.MIT.EDU`` and ``kerberos.mit.edu`` with the name of -your Kerberos realm and server respectively. - -.. note:: - - You have to have write permission on the target directories - (these directories must exist) used by **database_name**, - **key_stash_file**, and **acl_file**. - - -.. _create_db: - -Create the KDC database ------------------------ - -You will use the :ref:`kdb5_util(8)` command on the master KDC to -create the Kerberos database and the optional :ref:`stash_definition`. - -.. note:: - - If you choose not to install a stash file, the KDC will - prompt you for the master key each time it starts up. This - means that the KDC will not be able to start automatically, - such as after a system reboot. - -:ref:`kdb5_util(8)` will prompt you for the master password for the -Kerberos database. This password can be any string. A good password -is one you can remember, but that no one else can guess. Examples of -bad passwords are words that can be found in a dictionary, any common -or popular name, especially a famous person (or cartoon character), -your username in any form (e.g., forward, backward, repeated twice, -etc.), and any of the sample passwords that appear in this manual. -One example of a password which might be good if it did not appear in -this manual is "MITiys4K5!", which represents the sentence "MIT is -your source for Kerberos 5!" (It's the first letter of each word, -substituting the numeral "4" for the word "for", and includes the -punctuation mark at the end.) - -The following is an example of how to create a Kerberos database and -stash file on the master KDC, using the :ref:`kdb5_util(8)` command. -Replace ``ATHENA.MIT.EDU`` with the name of your Kerberos realm:: - - shell% kdb5_util create -r ATHENA.MIT.EDU -s - - Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU', - master key name 'K/M@ATHENA.MIT.EDU' - You will be prompted for the database Master Password. - It is important that you NOT FORGET this password. - Enter KDC database master key: <= Type the master password. - Re-enter KDC database master key to verify: <= Type it again. - shell% - -This will create five files in |kdcdir| (or at the locations specified -in :ref:`kdc.conf(5)`): - -* two Kerberos database files, ``principal``, and ``principal.ok`` -* the Kerberos administrative database file, ``principal.kadm5`` -* the administrative database lock file, ``principal.kadm5.lock`` -* the stash file, in this example ``.k5.ATHENA.MIT.EDU``. If you do - not want a stash file, run the above command without the **-s** - option. - -For more information on administrating Kerberos database see -:ref:`db_operations`. - - -.. _admin_acl: - -Add administrators to the ACL file ----------------------------------- - -Next, you need create an Access Control List (ACL) file and put the -Kerberos principal of at least one of the administrators into it. -This file is used by the :ref:`kadmind(8)` daemon to control which -principals may view and make privileged modifications to the Kerberos -database files. The ACL filename is determined by the **acl_file** -variable in :ref:`kdc.conf(5)`; the default is |kdcdir|\ -``/kadm5.acl``. - -For more information on Kerberos ACL file see :ref:`kadm5.acl(5)`. - -.. _addadmin_kdb: - -Add administrators to the Kerberos database -------------------------------------------- - -Next you need to add administrative principals (i.e., principals who -are allowed to administer Kerberos database) to the Kerberos database. -You *must* add at least one principal now to allow communication -between the Kerberos administration daemon kadmind and the kadmin -program over the network for further administration. To do this, use -the kadmin.local utility on the master KDC. kadmin.local is designed -to be run on the master KDC host without using Kerberos authentication -to an admin server; instead, it must have read and write access to the -Kerberos database on the local filesystem. - -The administrative principals you create should be the ones you added -to the ACL file (see :ref:`admin_acl`). - -In the following example, the administrative principal ``admin/admin`` -is created:: - - shell% kadmin.local - - kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU - - WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU"; - assigning "default". - Enter password for principal admin/admin@ATHENA.MIT.EDU: <= Enter a password. - Re-enter password for principal admin/admin@ATHENA.MIT.EDU: <= Type it again. - Principal "admin/admin@ATHENA.MIT.EDU" created. - kadmin.local: - -.. _start_kdc_daemons: - -Start the Kerberos daemons on the master KDC --------------------------------------------- - -At this point, you are ready to start the Kerberos KDC -(:ref:`krb5kdc(8)`) and administrative daemons on the Master KDC. To -do so, type:: - - shell% krb5kdc - shell% kadmind - -Each server daemon will fork and run in the background. - -.. note:: - - Assuming you want these daemons to start up automatically at - boot time, you can add them to the KDC's ``/etc/rc`` or - ``/etc/inittab`` file. You need to have a - :ref:`stash_definition` in order to do this. - -You can verify that they started properly by checking for their -startup messages in the logging locations you defined in -:ref:`krb5.conf(5)` (see :ref:`logging`). For example:: - - shell% tail /var/log/krb5kdc.log - Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation - shell% tail /var/log/kadmin.log - Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting - -Any errors the daemons encounter while starting will also be listed in -the logging output. - -As an additional verification, check if :ref:`kinit(1)` succeeds -against the principals that you have created on the previous step -(:ref:`addadmin_kdb`). Run:: - - shell% kinit admin/admin@ATHENA.MIT.EDU - - -Install the slave KDCs ----------------------- - -You are now ready to start configuring the slave KDCs. - -.. note:: - - Assuming you are setting the KDCs up so that you can easily - switch the master KDC with one of the slaves, you should - perform each of these steps on the master KDC as well as the - slave KDCs, unless these instructions specify otherwise. - - -.. _slave_host_key: - -Create host keytabs for slave KDCs -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -Each KDC needs a ``host`` key in the Kerberos database. These keys -are used for mutual authentication when propagating the database dump -file from the master KDC to the secondary KDC servers. - -On the master KDC, connect to administrative interface and create the -host principal for each of the KDCs' ``host`` services. For example, -if the master KDC were called ``kerberos.mit.edu``, and you had a -slave KDC named ``kerberos-1.mit.edu``, you would type the following:: - - shell% kadmin - kadmin: addprinc -randkey host/kerberos.mit.edu - NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default" - Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created. - - kadmin: addprinc -randkey host/kerberos-1.mit.edu - NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default" - Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created. - -It is not strictly necessary to have the master KDC server in the -Kerberos database, but it can be handy if you want to be able to swap -the master KDC with one of the slaves. - -Next, extract ``host`` random keys for all participating KDCs and -store them in each host's default keytab file. Ideally, you should -extract each keytab locally on its own KDC. If this is not feasible, -you should use an encrypted session to send them across the network. -To extract a keytab directly on a slave KDC called -``kerberos-1.mit.edu``, you would execute the following command:: - - kadmin: ktadd host/kerberos-1.mit.edu - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type arcfour-hmac added to keytab FILE:/etc/krb5.keytab. - -If you are instead extracting a keytab for the slave KDC called -``kerberos-1.mit.edu`` on the master KDC, you should use a dedicated -temporary keytab file for that machine's keytab:: - - kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. - Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption - type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab. - -The file ``/tmp/kerberos-1.keytab`` can then be installed as -``/etc/krb5.keytab`` on the host ``kerberos-1.mit.edu``. - - -Configure slave KDCs -~~~~~~~~~~~~~~~~~~~~ - -Database propagation copies the contents of the master's database, but -does not propagate configuration files, stash files, or the kadm5 ACL -file. The following files must be copied by hand to each slave (see -:ref:`mitK5defaults` for the default locations for these files): - -* krb5.conf -* kdc.conf -* kadm5.acl -* master key stash file - -Move the copied files into their appropriate directories, exactly as -on the master KDC. kadm5.acl is only needed to allow a slave to swap -with the master KDC. - -The database is propagated from the master KDC to the slave KDCs via -the :ref:`kpropd(8)` daemon. You must explicitly specify the -principals which are allowed to provide Kerberos dump updates on the -slave machine with a new database. Create a file named kpropd.acl in -the KDC state directory containing the ``host`` principals for each of -the KDCs:: - - host/kerberos.mit.edu@ATHENA.MIT.EDU - host/kerberos-1.mit.edu@ATHENA.MIT.EDU - -.. note:: - - If you expect that the master and slave KDCs will be - switched at some point of time, list the host principals - from all participating KDC servers in kpropd.acl files on - all of the KDCs. Otherwise, you only need to list the - master KDC's host principal in the kpropd.acl files of the - slave KDCs. - -Then, add the following line to ``/etc/inetd.conf`` on each KDC -(adjust the path to kpropd):: - - krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd - -You also need to add the following line to ``/etc/services`` on each -KDC, if it is not already present (assuming that the default port is -used):: - - krb5_prop 754/tcp # Kerberos slave propagation - -Restart inetd daemon. - -Alternatively, start :ref:`kpropd(8)` as a stand-alone daemon. This is -required when incremental propagation is enabled. - -Now that the slave KDC is able to accept database propagation, you’ll -need to propagate the database from the master server. - -NOTE: Do not start the slave KDC yet; you still do not have a copy of -the master's database. - - -.. _kprop_to_slaves: - -Propagate the database to each slave KDC -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -First, create a dump file of the database on the master KDC, as -follows:: - - shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans - -Then, manually propagate the database to each slave KDC, as in the -following example:: - - shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu - - Database propagation to kerberos-1.mit.edu: SUCCEEDED - -You will need a script to dump and propagate the database. The -following is an example of a Bourne shell script that will do this. - -.. note:: - - Remember that you need to replace ``/usr/local/var/krb5kdc`` - with the name of the KDC state directory. - -:: - - #!/bin/sh - - kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu" - - kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans - - for kdc in $kdclist - do - kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc - done - -You will need to set up a cron job to run this script at the intervals -you decided on earlier (see :ref:`db_prop`). - -Now that the slave KDC has a copy of the Kerberos database, you can -start the krb5kdc daemon:: - - shell% krb5kdc - -As with the master KDC, you will probably want to add this command to -the KDCs' ``/etc/rc`` or ``/etc/inittab`` files, so they will start -the krb5kdc daemon automatically at boot time. - - -Propagation failed? -################### - -You may encounter the following error messages. For a more detailed -discussion on possible causes and solutions click on the error link -to be redirected to :ref:`troubleshoot` section. - -.. include:: ./troubleshoot.rst - :start-after: _prop_failed_start: - :end-before: _prop_failed_end: - - -Add Kerberos principals to the database ---------------------------------------- - -Once your KDCs are set up and running, you are ready to use -:ref:`kadmin(1)` to load principals for your users, hosts, and other -services into the Kerberos database. This procedure is described -fully in :ref:`add_mod_del_princs`. - -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. See the following section for the -instructions. - - -.. _switch_master_slave: - -Switching master and slave KDCs -------------------------------- - -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. - -Assuming you have configured all of your KDCs to be able to function -as either the master KDC or a slave KDC (as this document recommends), -all you need to do to make the changeover is: - -If the master KDC is still running, do the following on the *old* -master KDC: - -#. Kill the kadmind process. -#. Disable the cron job that propagates the database. -#. Run your database propagation script manually, to ensure that the - slaves all have the latest copy of the database (see - :ref:`kprop_to_slaves`). - -On the *new* master KDC: - -#. Start the :ref:`kadmind(8)` daemon (see :ref:`start_kdc_daemons`). -#. Set up the cron job to propagate the database (see - :ref:`kprop_to_slaves`). -#. Switch the CNAMEs of the old and new master KDCs. If you can't do - this, you'll need to change the :ref:`krb5.conf(5)` file on every - client machine in your Kerberos realm. - - -Incremental database propagation --------------------------------- - -If you expect your Kerberos database to become large, you may wish to -set up incremental propagation to slave KDCs. See :ref:`incr_db_prop` -for details. diff --git a/doc/html/_sources/admin/lockout.txt b/doc/html/_sources/admin/lockout.txt deleted file mode 100644 index d262663..0000000 --- a/doc/html/_sources/admin/lockout.txt +++ /dev/null @@ -1,150 +0,0 @@ -Account lockout -=============== - -As of release 1.8, the KDC can be configured to lock out principals -after a number of failed authentication attempts within a period of -time. Account lockout can make it more difficult to attack a -principal's password by brute force, but also makes it easy for an -attacker to deny access to a principal. - - -Configuring account lockout ---------------------------- - -Account lockout only works for principals with the -**+requires_preauth** flag set. Without this flag, the KDC cannot -know whether or not a client successfully decrypted the ticket it -issued. It is also important to set the **-allow_svr** flag on a -principal to protect its password from an off-line dictionary attack -through a TGS request. You can set these flags on a principal with -:ref:`kadmin(1)` as follows:: - - kadmin: modprinc +requires_preauth -allow_svr PRINCNAME - -Account lockout parameters are configured via :ref:`policy objects -`. There may be an existing policy associated with user -principals (such as the "default" policy), or you may need to create a -new one and associate it with each user principal. - -The policy parameters related to account lockout are: - -* :ref:`maxfailure `: the number of failed attempts - before the principal is locked out -* :ref:`failurecountinterval `: the - allowable interval between failed attempts -* :ref:`lockoutduration `: the amount of time - a principal is locked out for - -Here is an example of setting these parameters on a new policy and -associating it with a principal:: - - kadmin: addpol -maxfailure 10 -failurecountinterval 180 - -lockoutduration 60 lockout_policy - kadmin: modprinc -policy lockout_policy PRINCNAME - - -Testing account lockout ------------------------ - -To test that account lockout is working, try authenticating as the -principal (hopefully not one that might be in use) multiple times with -the wrong password. For instance, if **maxfailure** is set to 2, you -might see:: - - $ kinit user - Password for user@KRBTEST.COM: - kinit: Password incorrect while getting initial credentials - $ kinit user - Password for user@KRBTEST.COM: - kinit: Password incorrect while getting initial credentials - $ kinit user - kinit: Client's credentials have been revoked while getting initial credentials - - -Account lockout principal state -------------------------------- - -A principal entry keeps three pieces of state related to account -lockout: - -* The time of last successful authentication -* The time of last failed authentication -* A counter of failed attempts - -The time of last successful authentication is not actually needed for -the account lockout system to function, but may be of administrative -interest. These fields can be observed with the **getprinc** kadmin -command. For example:: - - kadmin: getprinc user - Principal: user@KRBTEST.COM - ... - Last successful authentication: [never] - Last failed authentication: Mon Dec 03 12:30:33 EST 2012 - Failed password attempts: 2 - ... - -A principal which has been locked out can be administratively unlocked -with the **-unlock** option to the **modprinc** kadmin command:: - - kadmin: modprinc -unlock PRINCNAME - -This command will reset the number of failed attempts to 0. - - -KDC replication and account lockout ------------------------------------ - -The account lockout state of a principal is not replicated by either -traditional :ref:`kprop(8)` or incremental propagation. Because of -this, the number of attempts an attacker can make within a time period -is multiplied by the number of KDCs. For instance, if the -**maxfailure** parameter on a policy is 10 and there are four KDCs in -the environment (a master and three slaves), an attacker could make as -many as 40 attempts before the principal is locked out on all four -KDCs. - -An administrative unlock is propagated from the master to the slave -KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each slave to -reset to 1 on the next failure. - -If a KDC environment uses a replication strategy other than kprop or -incremental propagation, such as the LDAP KDB module with multi-master -LDAP replication, then account lockout state may be replicated between -KDCs and the concerns of this section may not apply. - - -KDC performance and account lockout ------------------------------------ - -In order to fully track account lockout state, the KDC must write to -the the database on each successful and failed authentication. -Writing to the database is generally more expensive than reading from -it, so these writes may have a significant impact on KDC performance. -As of release 1.9, it is possible to turn off account lockout state -tracking in order to improve performance, by setting the -**disable_last_success** and **disable_lockout** variables in the -database module subsection of :ref:`kdc.conf(5)`. For example:: - - [dbmodules] - DB = { - disable_last_success = true - disable_lockout = true - } - -Of the two variables, setting **disable_last_success** will usually -have the largest positive impact on performance, and will still allow -account lockout policies to operate. However, it will make it -impossible to observe the last successful authentication time with -kadmin. - - -KDC setup and account lockout ------------------------------ - -To update the account lockout state on principals, the KDC must be -able to write to the principal database. For the DB2 module, no -special setup is required. For the LDAP module, the KDC DN must be -granted write access to the principal objects. If the KDC DN has only -read access, account lockout will not function. diff --git a/doc/html/_sources/admin/otp.txt b/doc/html/_sources/admin/otp.txt deleted file mode 100644 index 29dc520..0000000 --- a/doc/html/_sources/admin/otp.txt +++ /dev/null @@ -1,100 +0,0 @@ -.. _otp_preauth: - -OTP Preauthentication -===================== - -OTP is a preauthentication mechanism for Kerberos 5 which uses One -Time Passwords (OTP) to authenticate the client to the KDC. The OTP -is passed to the KDC over an encrypted FAST channel in clear-text. -The KDC uses the password along with per-user configuration to proxy -the request to a third-party RADIUS system. This enables -out-of-the-box compatibility with a large number of already widely -deployed proprietary systems. - -Additionally, our implementation of the OTP system allows for the -passing of RADIUS requests over a UNIX domain stream socket. This -permits the use of a local companion daemon which can handle the -details of authentication. - - -Defining token types --------------------- - -Token types are defined in either :ref:`krb5.conf(5)` or -:ref:`kdc.conf(5)` according to the following format:: - - [otp] - = { - server = (default: see below) - secret = - timeout = (default: 5 [seconds]) - retries = (default: 3) - strip_realm = (default: true) - indicator = (default: none) - } - -If the server field begins with '/', it will be interpreted as a UNIX -socket. Otherwise, it is assumed to be in the format host:port. When -a UNIX domain socket is specified, the secret field is optional and an -empty secret is used by default. If the server field is not -specified, it defaults to |kdcrundir|\ ``/.socket``. - -When forwarding the request over RADIUS, by default the principal is -used in the User-Name attribute of the RADIUS packet. The strip_realm -parameter controls whether the principal is forwarded with or without -the realm portion. - -If an indicator field is present, tickets issued using this token type -will be annotated with the specified authentication indicator (see -:ref:`auth_indicator`). This key may be specified multiple times to -add multiple indicators. - - -The default token type ----------------------- - -A default token type is used internally when no token type is specified for a -given user. It is defined as follows:: - - [otp] - DEFAULT = { - strip_realm = false - } - -The administrator may override the internal ``DEFAULT`` token type -simply by defining a configuration with the same name. - - -Token instance configuration ----------------------------- - -To enable OTP for a client principal, the administrator must define -the **otp** string attribute for that principal. (See -:ref:`set_string`.) The **otp** user string is a JSON string of the -format: - -.. code-block:: xml - - [{ - "type": , - "username": , - "indicators": [, ...] - }, ...] - -This is an array of token objects. Both fields of token objects are -optional. The **type** field names the token type of this token; if -not specified, it defaults to ``DEFAULT``. The **username** field -specifies the value to be sent in the User-Name RADIUS attribute. If -not specified, the principal name is sent, with or without realm as -defined in the token type. The **indicators** field specifies a list -of authentication indicators to annotate tickets with, overriding any -indicators specified in the token type. - -For ease of configuration, an empty array (``[]``) is treated as -equivalent to one DEFAULT token (``[{}]``). - - -Other considerations --------------------- - -#. FAST is required for OTP to work. diff --git a/doc/html/_sources/admin/pkinit.txt b/doc/html/_sources/admin/pkinit.txt deleted file mode 100644 index 460d75d..0000000 --- a/doc/html/_sources/admin/pkinit.txt +++ /dev/null @@ -1,309 +0,0 @@ -.. _pkinit: - -PKINIT configuration -==================== - -PKINIT is a preauthentication mechanism for Kerberos 5 which uses -X.509 certificates to authenticate the KDC to clients and vice versa. -PKINIT can also be used to enable anonymity support, allowing clients -to communicate securely with the KDC or with application servers -without authenticating as a particular client principal. - - -Creating certificates ---------------------- - -PKINIT requires an X.509 certificate for the KDC and one for each -client principal which will authenticate using PKINIT. For anonymous -PKINIT, a KDC certificate is required, but client certificates are -not. A commercially issued server certificate can be used for the KDC -certificate, but generally cannot be used for client certificates. - -The instruction in this section describe how to establish a -certificate authority and create standard PKINIT certificates. Skip -this section if you are using a commercially issued server certificate -as the KDC certificate for anonymous PKINIT, or if you are configuring -a client to use an Active Directory KDC. - - -Generating a certificate authority certificate -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -You can establish a new certificate authority (CA) for use with a -PKINIT deployment with the commands:: - - openssl genrsa -out cakey.pem 2048 - openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650 - -The second command will ask for the values of several certificate -fields. These fields can be set to any values. You can adjust the -expiration time of the CA certificate by changing the number after -``-days``. Since the CA certificate must be deployed to client -machines each time it changes, it should normally have an expiration -time far in the future; however, expiration times after 2037 may cause -interoperability issues in rare circumstances. - -The result of these commands will be two files, cakey.pem and -cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which -must be carefully protected. cacert.pem will contain the CA -certificate, which must be placed in the filesytems of the KDC and -each client host. cakey.pem will be required to create KDC and client -certificates. - - -Generating a KDC certificate -~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -A KDC certificate for use with PKINIT is required to have some unusual -fields, which makes generating them with OpenSSL somewhat complicated. -First, you will need a file containing the following:: - - [kdc_cert] - basicConstraints=CA:FALSE - keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement - extendedKeyUsage=1.3.6.1.5.2.3.5 - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer - issuerAltName=issuer:copy - subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name - - [kdc_princ_name] - realm=EXP:0,GeneralString:${ENV::REALM} - principal_name=EXP:1,SEQUENCE:kdc_principal_seq - - [kdc_principal_seq] - name_type=EXP:0,INTEGER:1 - name_string=EXP:1,SEQUENCE:kdc_principals - - [kdc_principals] - princ1=GeneralString:krbtgt - princ2=GeneralString:${ENV::REALM} - -If the above contents are placed in extensions.kdc, you can generate -and sign a KDC certificate with the following commands:: - - openssl genrsa -out kdckey.pem 2048 - openssl req -new -out kdc.req -key kdckey.pem - env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \ - -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \ - -extfile extensions.kdc -extensions kdc_cert -CAcreateserial - rm kdc.req - -The second command will ask for the values of certificate fields, -which can be set to any values. In the third command, substitute your -KDC's realm name for YOUR_REALMNAME. You can adjust the certificate's -expiration date by changing the number after ``-days``. Remember to -create a new KDC certificate before the old one expires. - -The result of this operation will be in two files, kdckey.pem and -kdc.pem. Both files must be placed in the KDC's filesystem. -kdckey.pem, which contains the KDC's private key, must be carefully -protected. - -If you examine the KDC certificate with ``openssl x509 -in kdc.pem --text -noout``, OpenSSL will not know how to display the KDC principal -name in the Subject Alternative Name extension, so it will appear as -``othername:``. This is normal and does not mean -anything is wrong with the KDC certificate. - - -Generating client certificates -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -PKINIT client certificates also must have some unusual certificate -fields. To generate a client certificate with OpenSSL for a -single-component principal name, you will need an extensions file -(different from the KDC extensions file above) containing:: - - [client_cert] - basicConstraints=CA:FALSE - keyUsage=digitalSignature,keyEncipherment,keyAgreement - extendedKeyUsage=1.3.6.1.5.2.3.4 - subjectKeyIdentifier=hash - authorityKeyIdentifier=keyid,issuer - issuerAltName=issuer:copy - subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name - - [princ_name] - realm=EXP:0,GeneralString:${ENV::REALM} - principal_name=EXP:1,SEQUENCE:principal_seq - - [principal_seq] - name_type=EXP:0,INTEGER:1 - name_string=EXP:1,SEQUENCE:principals - - [principals] - princ1=GeneralString:${ENV::CLIENT} - -If the above contents are placed in extensions.client, you can -generate and sign a client certificate with the following commands:: - - openssl genrsa -out clientkey.pem 2048 - openssl req -new -key clientkey.pem -out client.req - env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \ - -CAkey cakey.pem -CA cacert.pem -req -in client.req \ - -extensions client_cert -extfile extensions.client \ - -days 365 -out client.pem - rm client.req - -Normally, the first two commands should be run on the client host, and -the resulting client.req file transferred to the certificate authority -host for the third command. As in the previous steps, the second -command will ask for the values of certificate fields, which can be -set to any values. In the third command, substitute your realm's name -for YOUR_REALMNAME and the client's principal name (without realm) for -YOUR_PRINCNAME. You can adjust the certificate's expiration date by -changing the number after ``-days``. - -The result of this operation will be two files, clientkey.pem and -client.pem. Both files must be present on the client's host; -clientkey.pem, which contains the client's private key, must be -protected from access by others. - -As in the KDC certificate, OpenSSL will display the client principal -name as ``othername:`` in the Subject Alternative Name -extension of a PKINIT client certificate. - -If the client principal name contains more than one component -(e.g. ``host/example.com@REALM``), the ``[principals]`` section of -``extensions.client`` must be altered to contain multiple entries. -(Simply setting ``CLIENT`` to ``host/example.com`` would generate a -certificate for ``host\/example.com@REALM`` which would not match the -multi-component principal name.) For a two-component principal, the -section should read:: - - [principals] - princ1=GeneralString:${ENV::CLIENT1} - princ2=GeneralString:${ENV::CLIENT2} - -The environment variables ``CLIENT1`` and ``CLIENT2`` must then be set -to the first and second components when running ``openssl x509``. - - -Configuring the KDC -------------------- - -The KDC must have filesystem access to the KDC certificate (kdc.pem) -and the KDC private key (kdckey.pem). Configure the following -relation in the KDC's :ref:`kdc.conf(5)` file, either in the -:ref:`kdcdefaults` section or in a :ref:`kdc_realms` subsection (with -appropriate pathnames):: - - pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem - -If any clients will authenticate using regular (as opposed to -anonymous) PKINIT, the KDC must also have filesystem access to the CA -certificate (cacert.pem), and the following configuration (with the -appropriate pathname):: - - pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem - -Because of the larger size of requests and responses using PKINIT, you -may also need to allow TCP access to the KDC:: - - kdc_tcp_listen = 88 - -Restart the :ref:`krb5kdc(8)` daemon to pick up the configuration -changes. - -The principal entry for each PKINIT-using client must be configured to -require preauthentication. Ensure this with the command:: - - kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME' - -Starting with release 1.12, it is possible to remove the long-term -keys of a principal entry, which can save some space in the database -and help to clarify some PKINIT-related error conditions by not asking -for a password:: - - kadmin -q 'purgekeys -all YOUR_PRINCNAME' - -These principal options can also be specified at principal creation -time as follows:: - - kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME' - - -Configuring the clients ------------------------ - -Client hosts must be configured to trust the issuing authority for the -KDC certificate. For a newly established certificate authority, the -client host must have filesystem access to the CA certificate -(cacert.pem) and the following relation in :ref:`krb5.conf(5)` in the -appropriate :ref:`realms` subsection (with appropriate pathnames):: - - pkinit_anchors = FILE:/etc/krb5/cacert.pem - -If the KDC certificate is a commercially issued server certificate, -the issuing certificate is most likely included in a system directory. -You can specify it by filename as above, or specify the whole -directory like so:: - - pkinit_anchors = DIR:/etc/ssl/certs - -A commercially issued server certificate will usually not have the -standard PKINIT principal name or Extended Key Usage extensions, so -the following additional configuration is required:: - - pkinit_eku_checking = kpServerAuth - pkinit_kdc_hostname = hostname.of.kdc.certificate - -Multiple **pkinit_kdc_hostname** relations can be configured to -recognize multiple KDC certificates. If the KDC is an Active -Directory domain controller, setting **pkinit_kdc_hostname** is -necessary, but it should not be necessary to set -**pkinit_eku_checking**. - -To perform regular (as opposed to anonymous) PKINIT authentication, a -client host must have filesystem access to a client certificate -(client.pem), and the corresponding private key (clientkey.pem). -Configure the following relations in the client host's -:ref:`krb5.conf(5)` file in the appropriate :ref:`realms` subsection -(with appropriate pathnames):: - - pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem - -If the KDC and client are properly configured, it should now be -possible to run ``kinit username`` without entering a password. - - -.. _anonymous_pkinit: - -Anonymous PKINIT ----------------- - -Anonymity support in Kerberos allows a client to obtain a ticket -without authenticating as any particular principal. Such a ticket can -be used as a FAST armor ticket, or to securely communicate with an -application server anonymously. - -To configure anonymity support, you must generate or otherwise procure -a KDC certificate and configure the KDC host, but you do not need to -generate any client certificates. On the KDC, you must set the -**pkinit_identity** variable to provide the KDC certificate, but do -not need to set the **pkinit_anchors** variable or store the issuing -certificate if you won't have any client certificates to verify. On -client hosts, you must set the **pkinit_anchors** variable (and -possibly **pkinit_kdc_hostname** and **pkinit_eku_checking**) in order -to trust the issuing authority for the KDC certificate, but do not -need to set the **pkinit_identities** variable. - -Anonymity support is not enabled by default. To enable it, you must -create the principal ``WELLKNOWN/ANONYMOUS`` using the command:: - - kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS' - -Some Kerberos deployments include application servers which lack -proper access control, and grant some level of access to any user who -can authenticate. In such an environment, enabling anonymity support -on the KDC would present a security issue. If you need to enable -anonymity support for TGTs (for use as FAST armor tickets) without -enabling anonymous authentication to application servers, you can set -the variable **restrict_anonymous_to_tgt** to ``true`` in the -appropriate :ref:`kdc_realms` subsection of the KDC's -:ref:`kdc.conf(5)` file. - -To obtain anonymous credentials on a client, run ``kinit -n``, or -``kinit -n @REALMNAME`` to specify a realm. The resulting tickets -will have the client name ``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. diff --git a/doc/html/_sources/admin/princ_dns.txt b/doc/html/_sources/admin/princ_dns.txt deleted file mode 100644 index e1d823f..0000000 --- a/doc/html/_sources/admin/princ_dns.txt +++ /dev/null @@ -1,109 +0,0 @@ -Principal names and DNS -======================= - -Kerberos clients can do DNS lookups to canonicalize service principal -names. This can cause difficulties when setting up Kerberos -application servers, especially when the client's name for the service -is different from what the service thinks its name is. - - -Service principal names ------------------------ - -A frequently used kind of principal name is the host-based service -principal name. This kind of principal name has two components: a -service name and a hostname. For example, ``imap/imap.example.com`` -is the principal name of the "imap" service on the host -"imap.example.com". Other possible service names for the first -component include "host" (remote login services such as ssh), "HTTP", -and "nfs" (Network File System). - -Service administrators often publish well-known hostname aliases that -they would prefer users to use instead of the canonical name of the -service host. This gives service administrators more flexibility in -deploying services. For example, a shell login server might be named -"long-vanity-hostname.example.com", but users will naturally prefer to -type something like "login.example.com". Hostname aliases also allow -for administrators to set up load balancing for some sorts of services -based on rotating ``CNAME`` records in DNS. - - -Service principal canonicalization ----------------------------------- - -MIT Kerberos clients currently always do forward resolution (looking -up the IPv4 and possibly IPv6 addresses using ``getaddrinfo()``) of -the hostname part of a host-based service principal to canonicalize -the hostname. They obtain the "canonical" name of the host when doing -so. By default, MIT Kerberos clients will also then do reverse DNS -resolution (looking up the hostname associated with the IPv4 or IPv6 -address using ``getnameinfo()``) of the hostname. Using the -:ref:`krb5.conf(5)` setting:: - - [libdefaults] - rdns = false - -will disable reverse DNS lookup on clients. The default setting is -"true". - -Operating system bugs may prevent a setting of ``rdns = false`` from -disabling reverse DNS lookup. Some versions of GNU libc have a bug in -``getaddrinfo()`` that cause them to look up ``PTR`` records even when -not required. MIT Kerberos releases krb5-1.10.2 and newer have a -workaround for this problem, as does the krb5-1.9.x series as of -release krb5-1.9.4. - - -Reverse DNS mismatches ----------------------- - -Sometimes, an enterprise will have control over its forward DNS but -not its reverse DNS. The reverse DNS is sometimes under the control -of the Internet service provider of the enterprise, and the enterprise -may not have much influence in setting up reverse DNS records for its -address space. If there are difficulties with getting forward and -reverse DNS to match, it is best to set ``rdns = false`` on client -machines. - - -Overriding application behavior -------------------------------- - -Applications can choose to use a default hostname component in their -service principal name when accepting authentication, which avoids -some sorts of hostname mismatches. Because not all relevant -applications do this yet, using the :ref:`krb5.conf(5)` setting:: - - [libdefaults] - ignore_acceptor_hostname = true - -will allow the Kerberos library to override the application's choice -of service principal hostname and will allow a server program to -accept incoming authentications using any key in its keytab that -matches the service name and realm name (if given). This setting -defaults to "false" and is available in releases krb5-1.10 and later. - - -Provisioning keytabs --------------------- - -One service principal entry that should be in the keytab is a -principal whose hostname component is the canonical hostname that -``getaddrinfo()`` reports for all known aliases for the host. If the -reverse DNS information does not match this canonical hostname, an -additional service principal entry should be in the keytab for this -different hostname. - - -Specific application advice ---------------------------- - -Secure shell (ssh) -~~~~~~~~~~~~~~~~~~ - -Setting ``GSSAPIStrictAcceptorCheck = no`` in the configuration file -of modern versions of the openssh daemon will allow the daemon to try -any key in its keytab when accepting a connection, rather than looking -for the keytab entry that matches the host's own idea of its name -(typically the name that ``gethostname()`` returns). This requires -krb5-1.10 or later. diff --git a/doc/html/_sources/admin/realm_config.txt b/doc/html/_sources/admin/realm_config.txt deleted file mode 100644 index c016d72..0000000 --- a/doc/html/_sources/admin/realm_config.txt +++ /dev/null @@ -1,265 +0,0 @@ -Realm configuration decisions -============================= - -Before installing Kerberos V5, it is necessary to consider the -following issues: - -* The name of your Kerberos realm (or the name of each realm, if you - need more than one). -* How you will assign your hostnames to Kerberos realms. -* Which ports your KDC and and kadmind services will use, if they will - not be using the default ports. -* How many slave KDCs you need and where they should be located. -* The hostnames of your master and slave KDCs. -* How frequently you will propagate the database from the master KDC - to the slave KDCs. - - -Realm name ----------- - -Although your Kerberos realm can be any ASCII string, convention is to -make it the same as your domain name, in upper-case letters. - -For example, hosts in the domain ``example.com`` would be in the -Kerberos realm:: - - EXAMPLE.COM - -If you need multiple Kerberos realms, MIT recommends that you use -descriptive names which end with your domain name, such as:: - - BOSTON.EXAMPLE.COM - HOUSTON.EXAMPLE.COM - - -.. _mapping_hostnames: - -Mapping hostnames onto Kerberos realms --------------------------------------- - -Mapping hostnames onto Kerberos realms is done in one of three ways. - -The first mechanism works through a set of rules in the -:ref:`domain_realm` section of :ref:`krb5.conf(5)`. You can specify -mappings for an entire domain or on a per-hostname basis. Typically -you would do this by specifying the mappings for a given domain or -subdomain and listing the exceptions. - -The second mechanism is to use KDC host-based service referrals. With -this method, the KDC's krb5.conf has a full [domain_realm] mapping for -hosts, but the clients do not, or have mappings for only a subset of -the hosts they might contact. When a client needs to contact a server -host for which it has no mapping, it will ask the client realm's KDC -for the service ticket, and will receive a referral to the appropriate -service realm. - -To use referrals, clients must be running MIT krb5 1.6 or later, and -the KDC must be running MIT krb5 1.7 or later. The -**host_based_services** and **no_host_referral** variables in the -:ref:`kdc_realms` section of :ref:`kdc.conf(5)` can be used to -fine-tune referral behavior on the KDC. - -It is also possible for clients to use DNS TXT records, if -**dns_lookup_realm** is enabled in :ref:`krb5.conf(5)`. Such lookups -are disabled by default because DNS is an insecure protocol and security -holes could result if DNS records are spoofed. If enabled, the client -will try to look up a TXT record formed by prepending the prefix -``_kerberos`` to the hostname in question. If that record is not -found, the client will attempt a lookup by prepending ``_kerberos`` to the -host's domain name, then its parent domain, up to the top-level domain. -For the hostname ``boston.engineering.example.com``, the names looked up -would be:: - - _kerberos.boston.engineering.example.com - _kerberos.engineering.example.com - _kerberos.example.com - _kerberos.com - -The value of the first TXT record found is taken as the realm name. - -Even if you do not choose to use this mechanism within your site, -you may wish to set it up anyway, for use when interacting with other sites. - - -Ports for the KDC and admin services ------------------------------------- - -The default ports used by Kerberos are port 88 for the KDC and port -749 for the admin server. You can, however, choose to run on other -ports, as long as they are specified in each host's -:ref:`krb5.conf(5)` files or in DNS SRV records, and the -:ref:`kdc.conf(5)` file on each KDC. For a more thorough treatment of -port numbers used by the Kerberos V5 programs, refer to the -:ref:`conf_firewall`. - - -Slave KDCs ----------- - -Slave KDCs provide an additional source of Kerberos ticket-granting -services in the event of inaccessibility of the master KDC. The -number of slave KDCs you need and the decision of where to place them, -both physically and logically, depends on the specifics of your -network. - -Kerberos authentication requires that each client be able to contact a -KDC. Therefore, you need to anticipate any likely reason a KDC might -be unavailable and have a slave KDC to take up the slack. - -Some considerations include: - -* Have at least one slave KDC as a backup, for when the master KDC is - down, is being upgraded, or is otherwise unavailable. -* If your network is split such that a network outage is likely to - cause a network partition (some segment or segments of the network - to become cut off or isolated from other segments), have a slave KDC - accessible to each segment. -* If possible, have at least one slave KDC in a different building - from the master, in case of power outages, fires, or other localized - disasters. - - -.. _kdc_hostnames: - -Hostnames for KDCs ------------------- - -MIT recommends that your KDCs have a predefined set of CNAME records -(DNS hostname aliases), such as ``kerberos`` for the master KDC and -``kerberos-1``, ``kerberos-2``, ... for the slave KDCs. This way, if -you need to swap a machine, you only need to change a DNS entry, -rather than having to change hostnames. - -As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS -using SRV records (:rfc:`2782`), assuming the Kerberos realm name is -also a DNS domain name. These records indicate the hostname and port -number to contact for that service, optionally with weighting and -prioritization. The domain name used in the SRV record name is the -realm name. Several different Kerberos-related service names are -used: - -_kerberos._udp - This is for contacting any KDC by UDP. This entry will be used - the most often. Normally you should list port 88 on each of your - KDCs. -_kerberos._tcp - This is for contacting any KDC by TCP. The MIT KDC by default - will not listen on any TCP ports, so unless you've changed the - configuration or you're running another KDC implementation, you - should leave this unspecified. If you do enable TCP support, - normally you should use port 88. -_kerberos-master._udp - This entry should refer to those KDCs, if any, that will - immediately see password changes to the Kerberos database. If a - user is logging in and the password appears to be incorrect, the - client will retry with the master KDC before failing with an - "incorrect password" error given. - - If you have only one KDC, or for whatever reason there is no - accessible KDC that would get database changes faster than the - others, you do not need to define this entry. -_kerberos-adm._tcp - This should list port 749 on your master KDC. Support for it is - not complete at this time, but it will eventually be used by the - :ref:`kadmin(1)` program and related utilities. For now, you will - also need the **admin_server** variable in :ref:`krb5.conf(5)`. -_kpasswd._udp - This should list port 464 on your master KDC. It is used when a - user changes her password. If this entry is not defined but a - _kerberos-adm._tcp entry is defined, the client will use the - _kerberos-adm._tcp entry with the port number changed to 749. - -The DNS SRV specification requires that the hostnames listed be the -canonical names, not aliases. So, for example, you might include the -following records in your (BIND-style) zone file:: - - $ORIGIN foobar.com. - _kerberos TXT "FOOBAR.COM" - kerberos CNAME daisy - kerberos-1 CNAME use-the-force-luke - kerberos-2 CNAME bunny-rabbit - _kerberos._udp SRV 0 0 88 daisy - SRV 0 0 88 use-the-force-luke - SRV 0 0 88 bunny-rabbit - _kerberos-master._udp SRV 0 0 88 daisy - _kerberos-adm._tcp SRV 0 0 749 daisy - _kpasswd._udp SRV 0 0 464 daisy - -Clients can also be configured with the explicit location of services -using the **kdc**, **master_kdc**, **admin_server**, and -**kpasswd_server** variables in the :ref:`realms` section of -:ref:`krb5.conf(5)`. Even if some clients will be configured with -explicit server locations, providing SRV records will still benefit -unconfigured clients, and be useful for other sites. - - -.. _kdc_discovery: - -KDC Discovery -------------- - -As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI -records (:rfc:`7553`). Limitations with the SRV record format may -result in extra DNS queries in situations where a client must failover -to other transport types, or find a master server. The URI record can -convey more information about a realm's KDCs with a single query. - -The client performs a query for the following URI records: - -* ``_kerberos.REALM`` for fiding KDCs. -* ``_kerberos-adm.REALM`` for finding kadmin services. -* ``_kpasswd.REALM`` for finding password services. - -The URI record includes a priority, weight, and a URI string that -consists of case-insensitive colon separated fields, in the form -``scheme:[flags]:transport:residual``. - -* *scheme* defines the registered URI type. It should always be - ``krb5srv``. -* *flags* contains zero or more flag characters. Currently the only - valid flag is ``m``, which indicates that the record is for a master - server. -* *transport* defines the transport type of the residual URL or - address. Accepted values are ``tcp``, ``udp``, or ``kkdcp`` for the - MS-KKDCP type. -* *residual* contains the hostname, IP address, or URL to be - contacted using the specified transport, with an optional port - extension. The MS-KKDCP transport type uses a HTTPS URL, and can - include a port and/or path extension. - -An example of URI records in a zone file:: - - _kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com - URI 20 1 krb5srv:m:udp:kdc2.example.com:89 - URI 40 1 krb5srv::udp:10.10.0.23 - URI 30 1 krb5srv::kkdcp:https://proxy:89/auth - -URI lookups are enabled by default, and can be disabled by setting -**dns_uri_lookup** in the :ref:`libdefaults` section of -:ref:`krb5.conf(5)` to False. When enabled, URI lookups take -precedence over SRV lookups, falling back to SRV lookups if no URI -records are found. - - -.. _db_prop: - -Database propagation --------------------- - -The Kerberos database resides on the master KDC, and must be -propagated regularly (usually by a cron job) to the slave KDCs. In -deciding how frequently the propagation should happen, you will need -to balance the amount of time the propagation takes against the -maximum reasonable amount of time a user should have to wait for a -password change to take effect. - -If the propagation time is longer than this maximum reasonable time -(e.g., you have a particularly large database, you have a lot of -slaves, or you experience frequent network delays), you may wish to -cut down on your propagation delay by performing the propagation in -parallel. To do this, have the master KDC propagate the database to -one set of slaves, and then have each of these slaves propagate the -database to additional slaves. - -See also :ref:`incr_db_prop` diff --git a/doc/html/_sources/admin/troubleshoot.txt b/doc/html/_sources/admin/troubleshoot.txt deleted file mode 100644 index 0c61493..0000000 --- a/doc/html/_sources/admin/troubleshoot.txt +++ /dev/null @@ -1,135 +0,0 @@ -.. _troubleshoot: - -Troubleshooting -=============== - -.. _trace_logging: - -Trace logging -------------- - -Most programs using MIT krb5 1.9 or later can be made to provide -information about internal krb5 library operations using trace -logging. To enable this, set the **KRB5_TRACE** environment variable -to a filename before running the program. On many operating systems, -the filename ``/dev/stdout`` can be used to send trace logging output -to standard output. - -Some programs do not honor **KRB5_TRACE**, either because they use -secure library contexts (this generally applies to setuid programs and -parts of the login system) or because they take direct control of the -trace logging system using the API. - -Here is a short example showing trace logging output for an invocation -of the :ref:`kvno(1)` command:: - - shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM - [9138] 1332348778.823276: Getting credentials user@KRBTEST.COM -> - krbtgt/KRBTEST.COM@KRBTEST.COM using ccache - FILE:/me/krb5/build/testdir/ccache - [9138] 1332348778.823381: Retrieving user@KRBTEST.COM -> - krbtgt/KRBTEST.COM@KRBTEST.COM from - FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 - krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 - - -List of errors --------------- - -Frequently seen errors -~~~~~~~~~~~~~~~~~~~~~~ - -#. :ref:`init_creds_ETYPE_NOSUPP` - -#. :ref:`cert_chain_ETYPE_NOSUPP` - -#. :ref:`err_cert_chain_cert_expired` - - -Errors seen by admins -~~~~~~~~~~~~~~~~~~~~~ - -.. _prop_failed_start: - -#. :ref:`kprop_no_route` - -#. :ref:`kprop_con_refused` - -#. :ref:`kprop_sendauth_exchange` - -.. _prop_failed_end: - ------ - -.. _init_creds_etype_nosupp: - -KDC has no support for encryption type while getting initial credentials -........................................................................ - -.. _cert_chain_etype_nosupp: - - -credential verification failed: KDC has no support for encryption type -...................................................................... - -This most commonly happens when trying to use a principal with only -DES keys, in a release (MIT krb5 1.7 or later) which disables DES by -default. DES encryption is considered weak due to its inadequate key -size. If you cannot migrate away from its use, you can re-enable DES -by adding ``allow_weak_crypto = true`` to the :ref:`libdefaults` -section of :ref:`krb5.conf(5)`. - - -.. _err_cert_chain_cert_expired: - -Cannot create cert chain: certificate has expired -................................................. - -This error message indicates that PKINIT authentication failed because -the client certificate, KDC certificate, or one of the certificates in -the signing chain above them has expired. - -If the KDC certificate has expired, this message appears in the KDC -log file, and the client will receive a "Preauthentication failed" -error. (Prior to release 1.11, the KDC log file message erroneously -appears as "Out of memory". Prior to release 1.12, the client will -receive a "Generic error".) - -If the client or a signing certificate has expired, this message may -appear in trace_logging_ output from :ref:`kinit(1)` or, starting in -release 1.12, as an error message from kinit or another program which -gets initial tickets. The error message is more likely to appear -properly on the client if the principal entry has no long-term keys. - -.. _kprop_no_route: - -kprop: No route to host while connecting to server -.................................................. - -Make sure that the hostname of the slave (as given to kprop) is -correct, and that any firewalls between the master and the slave allow -a connection on port 754. - -.. _kprop_con_refused: - -kprop: Connection refused while connecting to server -.................................................... - -If the slave is intended to run kpropd out of inetd, make sure that -inetd is configured to accept krb5_prop connections. inetd may need -to be restarted or sent a SIGHUP to recognize the new configuration. -If the slave is intended to run kpropd in standalone mode, make sure -that it is running. - -.. _kprop_sendauth_exchange: - -kprop: Server rejected authentication (during sendauth exchange) while authenticating to server -............................................................................................... - -Make sure that: - -#. The time is synchronized between the master and slave KDCs. -#. The master stash file was copied from the master to the expected - location on the slave. -#. The slave has a keytab file in the default location containing a - ``host`` principal for the slave's hostname. diff --git a/doc/html/_sources/admin/various_envs.txt b/doc/html/_sources/admin/various_envs.txt deleted file mode 100644 index c32ac05..0000000 --- a/doc/html/_sources/admin/various_envs.txt +++ /dev/null @@ -1,33 +0,0 @@ -Various links -============= - -Whitepapers ------------ - -#. http://kerberos.org/software/whitepapers.html - - -Tutorials ---------- - -#. Fulvio Ricciardi _ - - -Troubleshooting ---------------- - -#. http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html - -#. http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs_howto_v3.pdf - -#. http://sysdoc.doors.ch/HP/T1417-90005.pdf - -#. http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html - -#. http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html - -#. http://technet.microsoft.com/en-us/library/bb463167.aspx#EBAA - -#. https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528 - -#. http://h71000.www7.hp.com/doc/83final/ba548_90007/ch06s05.html diff --git a/doc/html/_sources/appdev/gssapi.txt b/doc/html/_sources/appdev/gssapi.txt deleted file mode 100644 index 0258f79..0000000 --- a/doc/html/_sources/appdev/gssapi.txt +++ /dev/null @@ -1,618 +0,0 @@ -Developing with GSSAPI -====================== - -The GSSAPI (Generic Security Services API) allows applications to -communicate securely using Kerberos 5 or other security mechanisms. -We recommend using the GSSAPI (or a higher-level framework which -encompasses GSSAPI, such as SASL) for secure network communication -over using the libkrb5 API directly. - -GSSAPIv2 is specified in :rfc:`2743` and :rfc:`2744`. Also see -:rfc:`7546` for a description of how to use the GSSAPI in a client or -server program. - -This documentation will describe how various ways of using the -GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, -as well as krb5-specific extensions to the GSSAPI. - - -Name types ----------- - -A GSSAPI application can name a local or remote entity by calling -gss_import_name_, specifying a name type and a value. The following -name types are supported by the krb5 mechanism: - -* **GSS_C_NT_HOSTBASED_SERVICE**: The value should be a string of the - form ``service`` or ``service@hostname``. This is the most common - way to name target services when initiating a security context, and - is the most likely name type to work across multiple mechanisms. - -* **GSS_KRB5_NT_PRINCIPAL_NAME**: The value should be a principal name - string. This name type only works with the krb5 mechanism, and is - defined in the ```` header. - -* **GSS_C_NT_USER_NAME** or **GSS_C_NULL_OID**: The value is treated - as an unparsed principal name string, as above. These name types - may work with mechanisms other than krb5, but will have different - interpretations in those mechanisms. **GSS_C_NT_USER_NAME** is - intended to be used with a local username, which will parse into a - single-component principal in the default realm. - -* **GSS_C_NT_ANONYMOUS**: The value is ignored. The anonymous - principal is used, allowing a client to authenticate to a server - without asserting a particular identity (which may or may not be - allowed by a particular server or Kerberos realm). - -* **GSS_C_NT_MACHINE_UID_NAME**: The value is uid_t object. On - Unix-like systems, the username of the uid is looked up in the - system user database and the resulting username is parsed as a - principal name. - -* **GSS_C_NT_STRING_UID_NAME**: As above, but the value is a decimal - string representation of the uid. - -* **GSS_C_NT_EXPORT_NAME**: The value must be the result of a - gss_export_name_ call. - - -Initiator credentials ---------------------- - -A GSSAPI client application uses gss_init_sec_context_ to establish a -security context. The *initiator_cred_handle* parameter determines -what tickets are used to establish the connection. An application can -either pass **GSS_C_NO_CREDENTIAL** to use the default client -credential, or it can use gss_acquire_cred_ beforehand to acquire an -initiator credential. The call to gss_acquire_cred_ may include a -*desired_name* parameter, or it may pass **GSS_C_NO_NAME** if it does -not have a specific name preference. - -If the desired name for a krb5 initiator credential is a host-based -name, it is converted to a principal name of the form -``service/hostname`` in the local realm, where *hostname* is the local -hostname if not specified. The hostname will be canonicalized using -forward name resolution, and possibly also using reverse name -resolution depending on the value of the **rdns** variable in -:ref:`libdefaults`. - -If a desired name is specified in the call to gss_acquire_cred_, the -krb5 mechanism will attempt to find existing tickets for that client -principal name in the default credential cache or collection. If the -default cache type does not support a collection, and the default -cache contains credentials for a different principal than the desired -name, a **GSS_S_CRED_UNAVAIL** error will be returned with a minor -code indicating a mismatch. - -If no existing tickets are available for the desired name, but the -name has an entry in the default client :ref:`keytab_definition`, the -krb5 mechanism will acquire initial tickets for the name using the -default client keytab. - -If no desired name is specified, credential acquisition will be -deferred until the credential is used in a call to -gss_init_sec_context_ or gss_inquire_cred_. If the call is to -gss_init_sec_context_, the target name will be used to choose a client -principal name using the credential cache selection facility. (This -facility might, for instance, try to choose existing tickets for a -client principal in the same realm as the target service). If there -are no existing tickets for the chosen principal, but it is present in -the default client keytab, the krb5 mechanism will acquire initial -tickets using the keytab. - -If the target name cannot be used to select a client principal -(because the credentials are used in a call to gss_inquire_cred_), or -if the credential cache selection facility cannot choose a principal -for it, the default credential cache will be selected if it exists and -contains tickets. - -If the default credential cache does not exist, but the default client -keytab does, the krb5 mechanism will try to acquire initial tickets -for the first principal in the default client keytab. - -If the krb5 mechanism acquires initial tickets using the default -client keytab, the resulting tickets will be stored in the default -cache or collection, and will be refreshed by future calls to -gss_acquire_cred_ as they approach their expire time. - - -Acceptor names --------------- - -A GSSAPI server application uses gss_accept_sec_context_ to establish -a security context based on tokens provided by the client. The -*acceptor_cred_handle* parameter determines what -:ref:`keytab_definition` entries may be authenticated to by the -client, if the krb5 mechanism is used. - -The simplest choice is to pass **GSS_C_NO_CREDENTIAL** as the acceptor -credential. In this case, clients may authenticate to any service -principal in the default keytab (typically |keytab|, or the value of -the **KRB5_KTNAME** environment variable). This is the recommended -approach if the server application has no specific requirements to the -contrary. - -A server may acquire an acceptor credential with gss_acquire_cred_ and -a *cred_usage* of **GSS_C_ACCEPT** or **GSS_C_BOTH**. If the -*desired_name* parameter is **GSS_C_NO_NAME**, then clients will be -allowed to authenticate to any service principal in the default -keytab, just as if no acceptor credential was supplied. - -If a server wishes to specify a *desired_name* to gss_acquire_cred_, -the most common choice is a host-based name. If the host-based -*desired_name* contains just a *service*, then clients will be allowed -to authenticate to any host-based service principal (that is, a -principal of the form ``service/hostname@REALM``) for the named -service, regardless of hostname or realm, as long as it is present in -the default keytab. If the input name contains both a *service* and a -*hostname*, clients will be allowed to authenticate to any host-based -principal for the named service and hostname, regardless of realm. - -.. note:: - - If a *hostname* is specified, it will be canonicalized - using forward name resolution, and possibly also using - reverse name resolution depending on the value of the - **rdns** variable in :ref:`libdefaults`. - -.. note:: - - If the **ignore_acceptor_hostname** variable in - :ref:`libdefaults` is enabled, then *hostname* will be - ignored even if one is specified in the input name. - -.. note:: - - In MIT krb5 versions prior to 1.10, and in Heimdal's - implementation of the krb5 mechanism, an input name with - just a *service* is treated like an input name of - ``service@localhostname``, where *localhostname* is the - string returned by gethostname(). - -If the *desired_name* is a krb5 principal name or a local system name -type which is mapped to a krb5 principal name, clients will only be -allowed to authenticate to that principal in the default keytab. - - -Name Attributes ---------------- - -In release 1.8 or later, the gss_inquire_name_ and -gss_get_name_attribute_ functions, specified in :rfc:`6680`, can be -used to retrieve name attributes from the *src_name* returned by -gss_accept_sec_context_. The following attributes are defined when -the krb5 mechanism is used: - -.. _gssapi_authind_attr: - -* "auth-indicators" attribute: - -This attribute will be included in the gss_inquire_name_ output if the -ticket contains :ref:`authentication indicators `. -One indicator is returned per invocation of gss_get_name_attribute_, -so multiple invocations may be necessary to retrieve all of the -indicators from the ticket. (New in release 1.15.) - - -Importing and exporting credentials ------------------------------------ - -The following GSSAPI extensions can be used to import and export -credentials (declared in ````):: - - OM_uint32 gss_export_cred(OM_uint32 *minor_status, - gss_cred_id_t cred_handle, - gss_buffer_t token); - - OM_uint32 gss_import_cred(OM_uint32 *minor_status, - gss_buffer_t token, - gss_cred_id_t *cred_handle); - -The first function serializes a GSSAPI credential handle into a -buffer; the second unseralizes a buffer into a GSSAPI credential -handle. Serializing a credential does not destroy it. If any of the -mechanisms used in *cred_handle* do not support serialization, -gss_export_cred will return **GSS_S_UNAVAILABLE**. As with other -GSSAPI serialization functions, these extensions are only intended to -work with a matching implementation on the other side; they do not -serialize credentials in a standardized format. - -A serialized credential may contain secret information such as ticket -session keys. The serialization format does not protect this -information from eavesdropping or tampering. The calling application -must take care to protect the serialized credential when communicating -it over an insecure channel or to an untrusted party. - -A krb5 GSSAPI credential may contain references to a credential cache, -a client keytab, an acceptor keytab, and a replay cache. These -resources are normally serialized as references to their external -locations (such as the filename of the credential cache). Because of -this, a serialized krb5 credential can only be imported by a process -with similar privileges to the exporter. A serialized credential -should not be trusted if it originates from a source with lower -privileges than the importer, as it may contain references to external -credential cache, keytab, or replay cache resources not accessible to -the originator. - -An exception to the above rule applies when a krb5 GSSAPI credential -refers to a memory credential cache, as is normally the case for -delegated credentials received by gss_accept_sec_context_. In this -case, the contents of the credential cache are serialized, so that the -resulting token may be imported even if the original memory credential -cache no longer exists. - - -Constrained delegation (S4U) ----------------------------- - -The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions -allow an intermediate service to acquire credentials from a client to -a target service without requiring the client to delegate a -ticket-granting ticket, if the KDC is configured to allow it. - -To perform a constrained delegation operation, the intermediate -service must submit to the KDC an "evidence ticket" from the client to -the intermediate service with the forwardable bit set. An evidence -ticket can be acquired when the client authenticates to the -intermediate service with Kerberos, or with an S4U2Self request if the -KDC allows it. The MIT krb5 GSSAPI library represents an evidence -ticket using a "proxy credential", which is a special kind of -gss_cred_id_t object whose underlying credential cache contains the -evidence ticket and a krbtgt ticket for the intermediate service. - -To acquire a proxy credential during client authentication, the -service should first create an acceptor credential using the -**GSS_C_BOTH** usage. The application should then pass this -credential as the *acceptor_cred_handle* to gss_accept_sec_context_, -and also pass a *delegated_cred_handle* output parameter to receive a -proxy credential containing the evidence ticket. The output value of -*delegated_cred_handle* may be a delegated ticket-granting ticket if -the client sent one, or a proxy credential if the client authenticated -with a forwardable service ticket, or **GSS_C_NO_CREDENTIAL** if -neither is the case. - -To acquire a proxy credential using an S4U2Self request, the service -can use the following GSSAPI extension:: - - OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status, - gss_cred_id_t icred, - gss_name_t desired_name, - OM_uint32 time_req, - gss_OID_set desired_mechs, - gss_cred_usage_t cred_usage, - gss_cred_id_t *output_cred, - gss_OID_set *actual_mechs, - OM_uint32 *time_rec); - -The parameters to this function are similar to those of -gss_acquire_cred_, except that *icred* is used to make an S4U2Self -request to the KDC for a ticket from *desired_name* to the -intermediate service. Both *icred* and *desired_name* are required -for this function; passing **GSS_C_NO_CREDENTIAL** or -**GSS_C_NO_NAME** will cause the call to fail. *icred* must contain a -krbtgt ticket for the intermediate service. If the KDC returns a -forwardable ticket, the result of this operation is a proxy -credential; if it is not forwardable, the result is a regular -credential for *desired_name*. - -A recent KDC will usually allow any service to acquire a ticket from a -client to itself with an S4U2Self request, but the ticket will only be -forwardable if the service has a specific privilege. In the MIT krb5 -KDC, this privilege is determined by the **ok_to_auth_as_delegate** -bit on the intermediate service's principal entry, which can be -configured with :ref:`kadmin(1)`. - -Once the intermediate service has a proxy credential, it can simply -pass it to gss_init_sec_context_ as the *initiator_cred_handle* -parameter, and the desired service as the *target_name* parameter. -The GSSAPI library will present the krbtgt ticket and evidence ticket -in the proxy credential to the KDC in an S4U2Proxy request; if the -intermediate service has the appropriate permissions, the KDC will -issue a ticket from the client to the target service. The GSSAPI -library will then use this ticket to authenticate to the target -service. - - -AEAD message wrapping ---------------------- - -The following GSSAPI extensions (declared in -````) can be used to wrap and unwrap messages -with additional "associated data" which is integrity-checked but is -not included in the output buffer:: - - OM_uint32 gss_wrap_aead(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, gss_qop_t qop_req, - gss_buffer_t input_assoc_buffer, - gss_buffer_t input_payload_buffer, - int *conf_state, - gss_buffer_t output_message_buffer); - - OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_buffer_t input_message_buffer, - gss_buffer_t input_assoc_buffer, - gss_buffer_t output_payload_buffer, - int *conf_state, - gss_qop_t *qop_state); - -Wrap tokens created with gss_wrap_aead will successfully unwrap only -if the same *input_assoc_buffer* contents are presented to -gss_unwrap_aead. - - -IOV message wrapping --------------------- - -The following extensions (declared in ````) can -be used for in-place encryption, fine-grained control over wrap token -layout, and for constructing wrap tokens compatible with Microsoft DCE -RPC:: - - typedef struct gss_iov_buffer_desc_struct { - OM_uint32 type; - gss_buffer_desc buffer; - } gss_iov_buffer_desc, *gss_iov_buffer_t; - - OM_uint32 gss_wrap_iov(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, gss_qop_t qop_req, - int *conf_state, - gss_iov_buffer_desc *iov, int iov_count); - - OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int *conf_state, gss_qop_t *qop_state, - gss_iov_buffer_desc *iov, int iov_count); - - OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - int conf_req_flag, - gss_qop_t qop_req, int *conf_state, - gss_iov_buffer_desc *iov, - int iov_count); - - OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status, - gss_iov_buffer_desc *iov, - int iov_count); - -The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc -structures, each containing a type and a gss_buffer_desc structure. -Valid types include: - -* **GSS_C_BUFFER_TYPE_DATA**: A data buffer to be included in the - token, and to be encrypted or decrypted in-place if the token is - confidentiality-protected. - -* **GSS_C_BUFFER_TYPE_HEADER**: The GSSAPI wrap token header and - underlying cryptographic header. - -* **GSS_C_BUFFER_TYPE_TRAILER**: The cryptographic trailer, if one is - required. - -* **GSS_C_BUFFER_TYPE_PADDING**: Padding to be combined with the data - during encryption and decryption. (The implementation may choose to - place padding in the trailer buffer, in which case it will set the - padding buffer length to 0.) - -* **GSS_C_BUFFER_TYPE_STREAM**: For unwrapping only, a buffer - containing a complete wrap token in standard format to be unwrapped. - -* **GSS_C_BUFFER_TYPE_SIGN_ONLY**: A buffer to be included in the - token's integrity protection checksum, but not to be encrypted or - included in the token itself. - -For gss_wrap_iov, the IOV list should contain one HEADER buffer, -followed by zero or more SIGN_ONLY buffers, followed by one or more -DATA buffers, followed by a TRAILER buffer. The memory pointed to by -the buffers is not required to be contiguous or in any particular -order. If *conf_req_flag* is true, DATA buffers will be encrypted -in-place, while SIGN_ONLY buffers will not be modified. - -The type of an output buffer may be combined with -**GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_wrap_iov allocate -the buffer contents. If gss_wrap_iov allocates a buffer, it sets the -**GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer type. -gss_release_iov_buffer can be used to release all allocated buffers -within an iov list and unset their allocated flags. Here is an -example of how gss_wrap_iov can be used with allocation requested -(*ctx* is assumed to be a previously established gss_ctx_id_t):: - - OM_uint32 major, minor; - gss_iov_buffer_desc iov[4]; - char str[] = "message"; - - iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE; - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer.value = str; - iov[1].buffer.length = strlen(str); - iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE; - iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE; - - major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, - iov, 4); - if (GSS_ERROR(major)) - handle_error(major, minor); - - /* Transmit or otherwise use resulting buffers. */ - - (void)gss_release_iov_buffer(&minor, iov, 4); - -If the caller does not choose to request buffer allocation by -gss_wrap_iov, it should first call gss_wrap_iov_length to query the -lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers -must be provided in the iov list so that padding length can be -computed correctly, but the output buffers need not be initialized. -Here is an example of using gss_wrap_iov_length and gss_wrap_iov:: - - OM_uint32 major, minor; - gss_iov_buffer_desc iov[4]; - char str[1024] = "message", *ptr; - - iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER; - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer.value = str; - iov[1].buffer.length = strlen(str); - - iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING; - iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER; - - major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, - NULL, iov, 4); - if (GSS_ERROR(major)) - handle_error(major, minor); - if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + - iov[3].buffer.length > sizeof(str)) - handle_out_of_space_error(); - ptr = str + strlen(str); - iov[0].buffer.value = ptr; - ptr += iov[0].buffer.length; - iov[2].buffer.value = ptr; - ptr += iov[2].buffer.length; - iov[3].buffer.value = ptr; - - major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, - iov, 4); - if (GSS_ERROR(major)) - handle_error(major, minor); - -If the context was established using the **GSS_C_DCE_STYLE** flag -(described in :rfc:`4757`), wrap tokens compatible with Microsoft DCE -RPC can be constructed. In this case, the IOV list must include a -SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a -HEADER buffer in that order (the order of the buffer contents remains -arbitrary). The application must pad the DATA buffer to a multiple of -16 bytes as no padding or trailer buffer is used. - -gss_unwrap_iov may be called with an IOV list just like one which -would be provided to gss_wrap_iov. DATA buffers will be decrypted -in-place if they were encrypted, and SIGN_ONLY buffers will not be -modified. - -Alternatively, gss_unwrap_iov may be called with a single STREAM -buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The -STREAM buffer is interpreted as a complete wrap token. The STREAM -buffer will be modified in-place to decrypt its contents. The DATA -buffer will be initialized to point to the decrypted data within the -STREAM buffer, unless it has the **GSS_C_BUFFER_FLAG_ALLOCATE** flag -set, in which case it will be initialized with a copy of the decrypted -data. Here is an example (*token* and *token_len* are assumed to be a -pre-existing pointer and length for a modifiable region of data):: - - OM_uint32 major, minor; - gss_iov_buffer_desc iov[2]; - - iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM; - iov[0].buffer.value = token; - iov[0].buffer.length = token_len; - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2); - if (GSS_ERROR(major)) - handle_error(major, minor); - - /* Decrypted data is in iov[1].buffer, pointing to a subregion of - * token. */ - -.. _gssapi_mic_token: - -IOV MIC tokens --------------- - -The following extensions (declared in ````) can -be used in release 1.12 or later to construct and verify MIC tokens -using an IOV list:: - - OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_qop_t qop_req, - gss_iov_buffer_desc *iov, - int iov_count); - - OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_qop_t qop_req, - gss_iov_buffer_desc *iov, - iov_count); - - OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status, - gss_ctx_id_t context_handle, - gss_qop_t *qop_state, - gss_iov_buffer_desc *iov, - int iov_count); - -The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc -structures, each containing a type and a gss_buffer_desc structure. -Valid types include: - -* **GSS_C_BUFFER_TYPE_DATA** and **GSS_C_BUFFER_TYPE_SIGN_ONLY**: The - corresponding buffer for each of these types will be signed for the - MIC token, in the order provided. - -* **GSS_C_BUFFER_TYPE_MIC_TOKEN**: The GSSAPI MIC token. - -The type of the MIC_TOKEN buffer may be combined with -**GSS_C_BUFFER_FLAG_ALLOCATE** to request that gss_get_mic_iov -allocate the buffer contents. If gss_get_mic_iov allocates the -buffer, it sets the **GSS_C_BUFFER_FLAG_ALLOCATED** flag on the buffer -type. gss_release_iov_buffer can be used to release all allocated -buffers within an iov list and unset their allocated flags. Here is -an example of how gss_get_mic_iov can be used with allocation -requested (*ctx* is assumed to be a previously established -gss_ctx_id_t):: - - OM_uint32 major, minor; - gss_iov_buffer_desc iov[3]; - - iov[0].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[0].buffer.value = "sign1"; - iov[0].buffer.length = 5; - iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY; - iov[1].buffer.value = "sign2"; - iov[1].buffer.length = 5; - iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE; - - major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3); - if (GSS_ERROR(major)) - handle_error(major, minor); - - /* Transmit or otherwise use iov[2].buffer. */ - - (void)gss_release_iov_buffer(&minor, iov, 3); - -If the caller does not choose to request buffer allocation by -gss_get_mic_iov, it should first call gss_get_mic_iov_length to query -the length of the MIC_TOKEN buffer. Here is an example of using -gss_get_mic_iov_length and gss_get_mic_iov:: - - OM_uint32 major, minor; - gss_iov_buffer_desc iov[2]; - char data[1024]; - - iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN; - iov[1].type = GSS_IOV_BUFFER_TYPE_DATA; - iov[1].buffer.value = "message"; - iov[1].buffer.length = 7; - - major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT, - NULL, iov, 2); - if (GSS_ERROR(major)) - handle_error(major, minor); - if (iov[0].buffer.length > sizeof(data)) - handle_out_of_space_error(); - iov[0].buffer.value = data; - - major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL, - iov, 2); - if (GSS_ERROR(major)) - handle_error(major, minor); - - -.. _gss_accept_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.1 -.. _gss_acquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.2 -.. _gss_export_name: http://tools.ietf.org/html/rfc2744.html#section-5.13 -.. _gss_get_name_attribute: http://tools.ietf.org/html/6680.html#section-7.5 -.. _gss_import_name: http://tools.ietf.org/html/rfc2744.html#section-5.16 -.. _gss_init_sec_context: http://tools.ietf.org/html/rfc2744.html#section-5.19 -.. _gss_inquire_name: http://tools.ietf.org/html/rfc6680.txt#section-7.4 -.. _gss_inquire_cred: http://tools.ietf.org/html/rfc2744.html#section-5.21 diff --git a/doc/html/_sources/appdev/h5l_mit_apidiff.txt b/doc/html/_sources/appdev/h5l_mit_apidiff.txt deleted file mode 100644 index 0ea5e32..0000000 --- a/doc/html/_sources/appdev/h5l_mit_apidiff.txt +++ /dev/null @@ -1,31 +0,0 @@ -Differences between Heimdal and MIT Kerberos API -================================================ - -.. tabularcolumns:: |l|l| - -.. table:: - - ======================================== ================================================= - :c:func:`krb5_auth_con_getaddrs()` H5l: If either of the pointers to local_addr - and remote_addr is not NULL, it is freed - first and then reallocated before being - populated with the content of corresponding - address from authentication context. - :c:func:`krb5_auth_con_setaddrs()` H5l: If either address is NULL, the previous - address remains in place - :c:func:`krb5_auth_con_setports()` H5l: Not implemented as of version 1.3.3 - :c:func:`krb5_auth_con_setrecvsubkey()` H5l: If either port is NULL, the previous - port remains in place - :c:func:`krb5_auth_con_setsendsubkey()` H5l: Not implemented as of version 1.3.3 - :c:func:`krb5_cc_set_config()` MIT: Before version 1.10 it was assumed that - the last argument *data* is ALWAYS non-zero. - :c:func:`krb5_cccol_last_change_time()` H5l takes 3 arguments: krb5_context context, - const char \*type, krb5_timestamp \*change_time - MIT takes two arguments: krb5_context context, - krb5_timestamp \*change_time - :c:func:`krb5_set_default_realm()` H5l: Caches the computed default realm context - field. If the second argument is NULL, - it tries to retrieve it from libdefaults or DNS. - MIT: Computes the default realm each time - if it wasn't explicitly set in the context - ======================================== ================================================= diff --git a/doc/html/_sources/appdev/index.txt b/doc/html/_sources/appdev/index.txt deleted file mode 100644 index 3d62045..0000000 --- a/doc/html/_sources/appdev/index.txt +++ /dev/null @@ -1,15 +0,0 @@ -For application developers -========================== - -.. toctree:: - :maxdepth: 1 - - gssapi.rst - h5l_mit_apidiff.rst - init_creds.rst - princ_handle.rst - -.. toctree:: - :maxdepth: 1 - - refs/index.rst diff --git a/doc/html/_sources/appdev/init_creds.txt b/doc/html/_sources/appdev/init_creds.txt deleted file mode 100644 index 5c3c0a8..0000000 --- a/doc/html/_sources/appdev/init_creds.txt +++ /dev/null @@ -1,304 +0,0 @@ -Initial credentials -=================== - -Software that performs tasks such as logging users into a computer -when they type their Kerberos password needs to get initial -credentials (usually ticket granting tickets) from Kerberos. Such -software shares some behavior with the :ref:`kinit(1)` program. - -Whenever a program grants access to a resource (such as a local login -session on a desktop computer) based on a user successfully getting -initial Kerberos credentials, it must verify those credentials against -a secure shared secret (e.g., a host keytab) to ensure that the user -credentials actually originate from a legitimate KDC. Failure to -perform this verification is a critical vulnerability, because a -malicious user can execute the "Zanarotti attack": the user constructs -a fake response that appears to come from the legitimate KDC, but -whose contents come from an attacker-controlled KDC. - -Some applications read a Kerberos password over the network (ideally -over a secure channel), which they then verify against the KDC. While -this technique may be the only practical way to integrate Kerberos -into some existing legacy systems, its use is contrary to the original -design goals of Kerberos. - -The function :c:func:`krb5_get_init_creds_password` will get initial -credentials for a client using a password. An application that needs -to verify the credentials can call :c:func:`krb5_verify_init_creds`. -Here is an example of code to obtain and verify TGT credentials, given -strings *princname* and *password* for the client principal name and -password:: - - krb5_error_code ret; - krb5_creds creds; - krb5_principal client_princ = NULL; - - memset(&creds, 0, sizeof(creds)); - ret = krb5_parse_name(context, princname, &client_princ); - if (ret) - goto cleanup; - ret = krb5_get_init_creds_password(context, &creds, client_princ, - password, NULL, NULL, 0, NULL, NULL); - if (ret) - goto cleanup; - ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL); - - cleanup: - krb5_free_principal(context, client_princ); - krb5_free_cred_contents(context, &creds); - return ret; - -Options for get_init_creds --------------------------- - -The function :c:func:`krb5_get_init_creds_password` takes an options -parameter (which can be a null pointer). Use the function -:c:func:`krb5_get_init_creds_opt_alloc` to allocate an options -structure, and :c:func:`krb5_get_init_creds_opt_free` to free it. For -example:: - - krb5_error_code ret; - krb5_get_init_creds_opt *opt = NULL; - krb5_creds creds; - - memset(&creds, 0, sizeof(creds)); - ret = krb5_get_init_creds_opt_alloc(context, &opt); - if (ret) - goto cleanup; - krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60); - ret = krb5_get_init_creds_password(context, &creds, client_princ, - password, NULL, NULL, 0, NULL, opt); - if (ret) - goto cleanup; - - cleanup: - krb5_get_init_creds_opt_free(context, opt); - krb5_free_cred_contents(context, &creds); - return ret; - -Getting anonymous credentials ------------------------------ - -As of release 1.8, it is possible to obtain fully anonymous or -partially anonymous (realm-exposed) credentials, if the KDC supports -it. The MIT KDC supports issuing fully anonymous credentials as of -release 1.8 if configured appropriately (see :ref:`anonymous_pkinit`), -but does not support issuing realm-exposed anonymous credentials at -this time. - -To obtain fully anonymous credentials, call -:c:func:`krb5_get_init_creds_opt_set_anonymous` on the options -structure to set the anonymous flag, and specify a client principal -with the KDC's realm and a single empty data component (the principal -obtained by parsing ``@``\ *realmname*). Authentication will take -place using anonymous PKINIT; if successful, the client principal of -the resulting tickets will be -``WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS``. Here is an example:: - - krb5_get_init_creds_opt_set_anonymous(opt, 1); - ret = krb5_build_principal(context, &client_princ, strlen(myrealm), - myrealm, "", (char *)NULL); - if (ret) - goto cleanup; - ret = krb5_get_init_creds_password(context, &creds, client_princ, - password, NULL, NULL, 0, NULL, opt); - if (ret) - goto cleanup; - -To obtain realm-exposed anonymous credentials, set the anonymous flag -on the options structure as above, but specify a normal client -principal in order to prove membership in the realm. Authentication -will take place as it normally does; if successful, the client -principal of the resulting tickets will be ``WELLKNOWN/ANONYMOUS@``\ -*realmname*. - -User interaction ----------------- - -Authenticating a user usually requires the entry of secret -information, such as a password. A password can be supplied directly -to :c:func:`krb5_get_init_creds_password` via the *password* -parameter, or the application can supply prompter and/or responder -callbacks instead. If callbacks are used, the user can also be -queried for other secret information such as a PIN, informed of -impending password expiration, or prompted to change a password which -has expired. - -Prompter callback -~~~~~~~~~~~~~~~~~ - -A prompter callback can be specified via the *prompter* and *data* -parameters to :c:func:`krb5_get_init_creds_password`. The prompter -will be invoked each time the krb5 library has a question to ask or -information to present. When the prompter callback is invoked, the -*banner* argument (if not null) is intended to be displayed to the -user, and the questions to be answered are specified in the *prompts* -array. Each prompt contains a text question in the *prompt* field, a -*hidden* bit to indicate whether the answer should be hidden from -display, and a storage area for the answer in the *reply* field. The -callback should fill in each question's ``reply->data`` with the -answer, up to a maximum number of ``reply->length`` bytes, and then -reset ``reply->length`` to the length of the answer. - -A prompter callback can call :c:func:`krb5_get_prompt_types` to get an -array of type constants corresponding to the prompts, to get -programmatic information about the semantic meaning of the questions. -:c:func:`krb5_get_prompt_types` may return a null pointer if no prompt -type information is available. - -Text-based applications can use a built-in text prompter -implementation by supplying :c:func:`krb5_prompter_posix` as the -*prompter* parameter and a null pointer as the *data* parameter. For -example:: - - ret = krb5_get_init_creds_password(context, &creds, client_princ, - NULL, krb5_prompter_posix, NULL, 0, - NULL, NULL); - -Responder callback -~~~~~~~~~~~~~~~~~~ - -A responder callback can be specified through the init_creds options -using the :c:func:`krb5_get_init_creds_opt_set_responder` function. -Responder callbacks can present a more sophisticated user interface -for authentication secrets. The responder callback is usually invoked -only once per authentication, with a list of questions produced by all -of the allowed preauthentication mechanisms. - -When the responder callback is invoked, the *rctx* argument can be -accessed to obtain the list of questions and to answer them. The -:c:func:`krb5_responder_list_questions` function retrieves an array of -question types. For each question type, the -:c:func:`krb5_responder_get_challenge` function retrieves additional -information about the question, if applicable, and the -:c:func:`krb5_responder_set_answer` function sets the answer. - -Responder question types, challenges, and answers are UTF-8 strings. -The question type is a well-known string; the meaning of the challenge -and answer depend on the question type. If an application does not -understand a question type, it cannot interpret the challenge or -provide an answer. Failing to answer a question typically results in -the prompter callback being used as a fallback. - -Password question -################# - -The :c:macro:`KRB5_RESPONDER_QUESTION_PASSWORD` (or ``"password"``) -question type requests the user's password. This question does not -have a challenge, and the response is simply the password string. - -One-time password question -########################## - -The :c:macro:`KRB5_RESPONDER_QUESTION_OTP` (or ``"otp"``) question -type requests a choice among one-time password tokens and the PIN and -value for the chosen token. The challenge and answer are JSON-encoded -strings, but an application can use convenience functions to avoid -doing any JSON processing itself. - -The :c:func:`krb5_responder_otp_get_challenge` function decodes the -challenge into a krb5_responder_otp_challenge structure. The -:c:func:`krb5_responder_otp_set_answer` function selects one of the -token information elements from the challenge and supplies the value -and pin for that token. - -PKINIT password or PIN question -############################### - -The :c:macro:`KRB5_RESPONDER_QUESTION_PKINIT` (or ``"pkinit"``) question -type requests PINs for hardware devices and/or passwords for encrypted -credentials which are stored on disk, potentially also supplying -information about the state of the hardware devices. The challenge and -answer are JSON-encoded strings, but an application can use convenience -functions to avoid doing any JSON processing itself. - -The :c:func:`krb5_responder_pkinit_get_challenge` function decodes the -challenges into a krb5_responder_pkinit_challenge structure. The -:c:func:`krb5_responder_pkinit_set_answer` function can be used to -supply the PIN or password for a particular client credential, and can -be called multiple times. - -Example -####### - -Here is an example of using a responder callback:: - - static krb5_error_code - my_responder(krb5_context context, void *data, - krb5_responder_context rctx) - { - krb5_error_code ret; - krb5_responder_otp_challenge *chl; - - if (krb5_responder_get_challenge(context, rctx, - KRB5_RESPONDER_QUESTION_PASSWORD)) { - ret = krb5_responder_set_answer(context, rctx, - KRB5_RESPONDER_QUESTION_PASSWORD, - "open sesame"); - if (ret) - return ret; - } - ret = krb5_responder_otp_get_challenge(context, rctx, &chl); - if (ret == 0 && chl != NULL) { - ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234", - NULL); - krb5_responder_otp_challenge_free(context, rctx, chl); - if (ret) - return ret; - } - return 0; - } - - static krb5_error_code - get_creds(krb5_context context, krb5_principal client_princ) - { - krb5_error_code ret; - krb5_get_init_creds_opt *opt = NULL; - krb5_creds creds; - - memset(&creds, 0, sizeof(creds)); - ret = krb5_get_init_creds_opt_alloc(context, &opt); - if (ret) - goto cleanup; - ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder, - NULL); - if (ret) - goto cleanup; - ret = krb5_get_init_creds_password(context, &creds, client_princ, - NULL, NULL, NULL, 0, NULL, opt); - - cleanup: - krb5_get_init_creds_opt_free(context, opt); - krb5_free_cred_contents(context, &creds); - return ret; - } - -Verifying initial credentials ------------------------------ - -Use the function :c:func:`krb5_verify_init_creds` to verify initial -credentials. It takes an options structure (which can be a null -pointer). Use :c:func:`krb5_verify_init_creds_opt_init` to initialize -the caller-allocated options structure, and -:c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail` to set the -"nofail" option. For example:: - - krb5_verify_init_creds_opt vopt; - - krb5_verify_init_creds_opt_init(&vopt); - krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1); - ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt); - -The confusingly named "nofail" option, when set, means that the -verification must actually succeed in order for -:c:func:`krb5_verify_init_creds` to indicate success. The default -state of this option (cleared) means that if there is no key material -available to verify the user credentials, the verification will -succeed anyway. (The default can be changed by a configuration file -setting.) - -This accommodates a use case where a large number of unkeyed shared -desktop workstations need to allow users to log in using Kerberos. -The security risks from this practice are mitigated by the absence of -valuable state on the shared workstations---any valuable resources -that the users would access reside on networked servers. diff --git a/doc/html/_sources/appdev/princ_handle.txt b/doc/html/_sources/appdev/princ_handle.txt deleted file mode 100644 index 455f00a..0000000 --- a/doc/html/_sources/appdev/princ_handle.txt +++ /dev/null @@ -1,79 +0,0 @@ -Principal manipulation and parsing -================================== - -Kerberos principal structure - -.. - -:c:type:`krb5_principal_data` - -:c:type:`krb5_principal` - -.. - -Create and free principal - -.. - -:c:func:`krb5_build_principal()` - -:c:func:`krb5_build_principal_alloc_va()` - -:c:func:`krb5_build_principal_ext()` - -:c:func:`krb5_copy_principal()` - -:c:func:`krb5_free_principal()` - -:c:func:`krb5_cc_get_principal()` - -.. - -Comparing - -.. - -:c:func:`krb5_principal_compare()` - -:c:func:`krb5_principal_compare_flags()` - -:c:func:`krb5_principal_compare_any_realm()` - -:c:func:`krb5_sname_match()` - -:c:func:`krb5_sname_to_principal()` - -.. - - -Parsing: - -.. - -:c:func:`krb5_parse_name()` - -:c:func:`krb5_parse_name_flags()` - -:c:func:`krb5_unparse_name()` - -:c:func:`krb5_unparse_name_flags()` - -.. - -Utilities: - -.. - -:c:func:`krb5_is_config_principal()` - -:c:func:`krb5_kuserok()` - -:c:func:`krb5_set_password()` - -:c:func:`krb5_set_password_using_ccache()` - -:c:func:`krb5_set_principal_realm()` - -:c:func:`krb5_realm_compare()` - -.. diff --git a/doc/html/_sources/appdev/refs/api/index.txt b/doc/html/_sources/appdev/refs/api/index.txt deleted file mode 100644 index f2f27fe..0000000 --- a/doc/html/_sources/appdev/refs/api/index.txt +++ /dev/null @@ -1,411 +0,0 @@ -krb5 API -======== - - -Frequently used public interfaces ----------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb5_build_principal.rst - krb5_build_principal_alloc_va.rst - krb5_build_principal_ext.rst - krb5_cc_close.rst - krb5_cc_default.rst - krb5_cc_default_name.rst - krb5_cc_destroy.rst - krb5_cc_dup.rst - krb5_cc_get_name.rst - krb5_cc_get_principal.rst - krb5_cc_get_type.rst - krb5_cc_initialize.rst - krb5_cc_new_unique.rst - krb5_cc_resolve.rst - krb5_change_password.rst - krb5_chpw_message.rst - krb5_expand_hostname.rst - krb5_free_context.rst - krb5_free_error_message.rst - krb5_free_principal.rst - krb5_fwd_tgt_creds.rst - krb5_get_default_realm.rst - krb5_get_error_message.rst - krb5_get_host_realm.rst - krb5_get_credentials.rst - krb5_get_fallback_host_realm.rst - krb5_get_init_creds_keytab.rst - krb5_get_init_creds_opt_alloc.rst - krb5_get_init_creds_opt_free.rst - krb5_get_init_creds_opt_get_fast_flags.rst - krb5_get_init_creds_opt_set_address_list.rst - krb5_get_init_creds_opt_set_anonymous.rst - krb5_get_init_creds_opt_set_canonicalize.rst - krb5_get_init_creds_opt_set_change_password_prompt.rst - krb5_get_init_creds_opt_set_etype_list.rst - krb5_get_init_creds_opt_set_expire_callback.rst - krb5_get_init_creds_opt_set_fast_ccache.rst - krb5_get_init_creds_opt_set_fast_ccache_name.rst - krb5_get_init_creds_opt_set_fast_flags.rst - krb5_get_init_creds_opt_set_forwardable.rst - krb5_get_init_creds_opt_set_in_ccache.rst - krb5_get_init_creds_opt_set_out_ccache.rst - krb5_get_init_creds_opt_set_pa.rst - krb5_get_init_creds_opt_set_pac_request.rst - krb5_get_init_creds_opt_set_preauth_list.rst - krb5_get_init_creds_opt_set_proxiable.rst - krb5_get_init_creds_opt_set_renew_life.rst - krb5_get_init_creds_opt_set_responder.rst - krb5_get_init_creds_opt_set_salt.rst - krb5_get_init_creds_opt_set_tkt_life.rst - krb5_get_init_creds_password.rst - krb5_get_profile.rst - krb5_get_prompt_types.rst - krb5_get_renewed_creds.rst - krb5_get_validated_creds.rst - krb5_init_context.rst - krb5_init_secure_context.rst - krb5_is_config_principal.rst - krb5_is_thread_safe.rst - krb5_kt_close.rst - krb5_kt_client_default.rst - krb5_kt_default.rst - krb5_kt_default_name.rst - krb5_kt_dup.rst - krb5_kt_get_name.rst - krb5_kt_get_type.rst - krb5_kt_resolve.rst - krb5_kuserok.rst - krb5_parse_name.rst - krb5_parse_name_flags.rst - krb5_principal_compare.rst - krb5_principal_compare_any_realm.rst - krb5_principal_compare_flags.rst - krb5_prompter_posix.rst - krb5_realm_compare.rst - krb5_responder_get_challenge.rst - krb5_responder_list_questions.rst - krb5_responder_set_answer.rst - krb5_responder_otp_get_challenge.rst - krb5_responder_otp_set_answer.rst - krb5_responder_otp_challenge_free.rst - krb5_responder_pkinit_get_challenge.rst - krb5_responder_pkinit_set_answer.rst - krb5_responder_pkinit_challenge_free.rst - krb5_set_default_realm.rst - krb5_set_password.rst - krb5_set_password_using_ccache.rst - krb5_set_principal_realm.rst - krb5_set_trace_callback.rst - krb5_set_trace_filename.rst - krb5_sname_match.rst - krb5_sname_to_principal.rst - krb5_unparse_name.rst - krb5_unparse_name_ext.rst - krb5_unparse_name_flags.rst - krb5_unparse_name_flags_ext.rst - krb5_us_timeofday.rst - krb5_verify_authdata_kdc_issued.rst - -Rarely used public interfaces --------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb5_425_conv_principal.rst - krb5_524_conv_principal.rst - krb5_address_compare.rst - krb5_address_order.rst - krb5_address_search.rst - krb5_allow_weak_crypto.rst - krb5_aname_to_localname.rst - krb5_anonymous_principal.rst - krb5_anonymous_realm.rst - krb5_appdefault_boolean.rst - krb5_appdefault_string.rst - krb5_auth_con_free.rst - krb5_auth_con_genaddrs.rst - krb5_auth_con_get_checksum_func.rst - krb5_auth_con_getaddrs.rst - krb5_auth_con_getauthenticator.rst - krb5_auth_con_getflags.rst - krb5_auth_con_getkey.rst - krb5_auth_con_getkey_k.rst - krb5_auth_con_getlocalseqnumber.rst - krb5_auth_con_getrcache.rst - krb5_auth_con_getrecvsubkey.rst - krb5_auth_con_getrecvsubkey_k.rst - krb5_auth_con_getremoteseqnumber.rst - krb5_auth_con_getsendsubkey.rst - krb5_auth_con_getsendsubkey_k.rst - krb5_auth_con_init.rst - krb5_auth_con_set_checksum_func.rst - krb5_auth_con_set_req_cksumtype.rst - krb5_auth_con_setaddrs.rst - krb5_auth_con_setflags.rst - krb5_auth_con_setports.rst - krb5_auth_con_setrcache.rst - krb5_auth_con_setrecvsubkey.rst - krb5_auth_con_setrecvsubkey_k.rst - krb5_auth_con_setsendsubkey.rst - krb5_auth_con_setsendsubkey_k.rst - krb5_auth_con_setuseruserkey.rst - krb5_cc_cache_match.rst - krb5_cc_copy_creds.rst - krb5_cc_end_seq_get.rst - krb5_cc_get_config.rst - krb5_cc_get_flags.rst - krb5_cc_get_full_name.rst - krb5_cc_last_change_time.rst - krb5_cc_lock.rst - krb5_cc_move.rst - krb5_cc_next_cred.rst - krb5_cc_remove_cred.rst - krb5_cc_retrieve_cred.rst - krb5_cc_select.rst - krb5_cc_set_config.rst - krb5_cc_set_default_name.rst - krb5_cc_set_flags.rst - krb5_cc_start_seq_get.rst - krb5_cc_store_cred.rst - krb5_cc_support_switch.rst - krb5_cc_switch.rst - krb5_cc_unlock.rst - krb5_cccol_cursor_free.rst - krb5_cccol_cursor_new.rst - krb5_cccol_cursor_next.rst - krb5_cccol_have_content.rst - krb5_cccol_last_change_time.rst - krb5_cccol_lock.rst - krb5_cccol_unlock.rst - krb5_clear_error_message.rst - krb5_check_clockskew.rst - krb5_copy_addresses.rst - krb5_copy_authdata.rst - krb5_copy_authenticator.rst - krb5_copy_checksum.rst - krb5_copy_context.rst - krb5_copy_creds.rst - krb5_copy_data.rst - krb5_copy_error_message.rst - krb5_copy_keyblock.rst - krb5_copy_keyblock_contents.rst - krb5_copy_principal.rst - krb5_copy_ticket.rst - krb5_find_authdata.rst - krb5_free_addresses.rst - krb5_free_ap_rep_enc_part.rst - krb5_free_authdata.rst - krb5_free_authenticator.rst - krb5_free_cred_contents.rst - krb5_free_creds.rst - krb5_free_data.rst - krb5_free_data_contents.rst - krb5_free_default_realm.rst - krb5_free_enctypes.rst - krb5_free_error.rst - krb5_free_host_realm.rst - krb5_free_keyblock.rst - krb5_free_keyblock_contents.rst - krb5_free_keytab_entry_contents.rst - krb5_free_string.rst - krb5_free_ticket.rst - krb5_free_unparsed_name.rst - krb5_get_permitted_enctypes.rst - krb5_get_server_rcache.rst - krb5_get_time_offsets.rst - krb5_init_context_profile.rst - krb5_init_creds_free.rst - krb5_init_creds_get.rst - krb5_init_creds_get_creds.rst - krb5_init_creds_get_error.rst - krb5_init_creds_get_times.rst - krb5_init_creds_init.rst - krb5_init_creds_set_keytab.rst - krb5_init_creds_set_password.rst - krb5_init_creds_set_service.rst - krb5_init_creds_step.rst - krb5_init_keyblock.rst - krb5_is_referral_realm.rst - krb5_kt_add_entry.rst - krb5_kt_end_seq_get.rst - krb5_kt_get_entry.rst - krb5_kt_have_content.rst - krb5_kt_next_entry.rst - krb5_kt_read_service_key.rst - krb5_kt_remove_entry.rst - krb5_kt_start_seq_get.rst - krb5_make_authdata_kdc_issued.rst - krb5_merge_authdata.rst - krb5_mk_1cred.rst - krb5_mk_error.rst - krb5_mk_ncred.rst - krb5_mk_priv.rst - krb5_mk_rep.rst - krb5_mk_rep_dce.rst - krb5_mk_req.rst - krb5_mk_req_extended.rst - krb5_mk_safe.rst - krb5_os_localaddr.rst - krb5_pac_add_buffer.rst - krb5_pac_free.rst - krb5_pac_get_buffer.rst - krb5_pac_get_types.rst - krb5_pac_init.rst - krb5_pac_parse.rst - krb5_pac_sign.rst - krb5_pac_verify.rst - krb5_prepend_error_message.rst - krb5_principal2salt.rst - krb5_rd_cred.rst - krb5_rd_error.rst - krb5_rd_priv.rst - krb5_rd_rep.rst - krb5_rd_rep_dce.rst - krb5_rd_req.rst - krb5_rd_safe.rst - krb5_read_password.rst - krb5_salttype_to_string.rst - krb5_server_decrypt_ticket_keytab.rst - krb5_set_default_tgs_enctypes.rst - krb5_set_error_message.rst - krb5_set_kdc_recv_hook.rst - krb5_set_kdc_send_hook.rst - krb5_set_real_time.rst - krb5_string_to_cksumtype.rst - krb5_string_to_deltat.rst - krb5_string_to_enctype.rst - krb5_string_to_salttype.rst - krb5_string_to_timestamp.rst - krb5_timeofday.rst - krb5_timestamp_to_sfstring.rst - krb5_timestamp_to_string.rst - krb5_tkt_creds_free.rst - krb5_tkt_creds_get.rst - krb5_tkt_creds_get_creds.rst - krb5_tkt_creds_get_times.rst - krb5_tkt_creds_init.rst - krb5_tkt_creds_step.rst - krb5_verify_init_creds.rst - krb5_verify_init_creds_opt_init.rst - krb5_verify_init_creds_opt_set_ap_req_nofail.rst - krb5_vprepend_error_message.rst - krb5_vset_error_message.rst - krb5_vwrap_error_message.rst - krb5_wrap_error_message.rst - - -Public interfaces that should not be called directly -------------------------------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb5_c_block_size.rst - krb5_c_checksum_length.rst - krb5_c_crypto_length.rst - krb5_c_crypto_length_iov.rst - krb5_c_decrypt.rst - krb5_c_decrypt_iov.rst - krb5_c_derive_prfplus.rst - krb5_c_encrypt.rst - krb5_c_encrypt_iov.rst - krb5_c_encrypt_length.rst - krb5_c_enctype_compare.rst - krb5_c_free_state.rst - krb5_c_fx_cf2_simple.rst - krb5_c_init_state.rst - krb5_c_is_coll_proof_cksum.rst - krb5_c_is_keyed_cksum.rst - krb5_c_keyed_checksum_types.rst - krb5_c_keylengths.rst - krb5_c_make_checksum.rst - krb5_c_make_checksum_iov.rst - krb5_c_make_random_key.rst - krb5_c_padding_length.rst - krb5_c_prf.rst - krb5_c_prfplus.rst - krb5_c_prf_length.rst - krb5_c_random_add_entropy.rst - krb5_c_random_make_octets.rst - krb5_c_random_os_entropy.rst - krb5_c_random_to_key.rst - krb5_c_string_to_key.rst - krb5_c_string_to_key_with_params.rst - krb5_c_valid_cksumtype.rst - krb5_c_valid_enctype.rst - krb5_c_verify_checksum.rst - krb5_c_verify_checksum_iov.rst - krb5_cksumtype_to_string.rst - krb5_decode_authdata_container.rst - krb5_decode_ticket.rst - krb5_deltat_to_string.rst - krb5_encode_authdata_container.rst - krb5_enctype_to_name.rst - krb5_enctype_to_string.rst - krb5_free_checksum.rst - krb5_free_checksum_contents.rst - krb5_free_cksumtypes.rst - krb5_free_tgt_creds.rst - krb5_k_create_key.rst - krb5_k_decrypt.rst - krb5_k_decrypt_iov.rst - krb5_k_encrypt.rst - krb5_k_encrypt_iov.rst - krb5_k_free_key.rst - krb5_k_key_enctype.rst - krb5_k_key_keyblock.rst - krb5_k_make_checksum.rst - krb5_k_make_checksum_iov.rst - krb5_k_prf.rst - krb5_k_reference_key.rst - krb5_k_verify_checksum.rst - krb5_k_verify_checksum_iov.rst - - -Legacy convenience interfaces ------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb5_recvauth.rst - krb5_recvauth_version.rst - krb5_sendauth.rst - - -Deprecated public interfaces ------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb5_524_convert_creds.rst - krb5_auth_con_getlocalsubkey.rst - krb5_auth_con_getremotesubkey.rst - krb5_auth_con_initivector.rst - krb5_build_principal_va.rst - krb5_c_random_seed.rst - krb5_calculate_checksum.rst - krb5_checksum_size.rst - krb5_encrypt.rst - krb5_decrypt.rst - krb5_eblock_enctype.rst - krb5_encrypt_size.rst - krb5_finish_key.rst - krb5_finish_random_key.rst - krb5_cc_gen_new.rst - krb5_get_credentials_renew.rst - krb5_get_credentials_validate.rst - krb5_get_in_tkt_with_password.rst - krb5_get_in_tkt_with_skey.rst - krb5_get_in_tkt_with_keytab.rst - krb5_get_init_creds_opt_init.rst - krb5_init_random_key.rst - krb5_kt_free_entry.rst - krb5_random_key.rst - krb5_process_key.rst - krb5_string_to_key.rst - krb5_use_enctype.rst - krb5_verify_checksum.rst diff --git a/doc/html/_sources/appdev/refs/api/krb5_425_conv_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_425_conv_principal.txt deleted file mode 100644 index c6b6827..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_425_conv_principal.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal. -======================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_425_conv_principal(krb5_context context, const char * name, const char * instance, const char * realm, krb5_principal * princ) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - V4 name - - **[in]** **instance** - V4 instance - - **[in]** **realm** - Realm - - **[out]** **princ** - V5 principal - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function builds a *princ* from V4 specification based on given input *name.instance@realm* . - - - -Use :c:func:`krb5_free_principal()` to free *princ* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_524_conv_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_524_conv_principal.txt deleted file mode 100644 index 14b2fc1..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_524_conv_principal.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal. -======================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, char * name, char * inst, char * realm) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **princ** - V5 Principal - - **[out]** **name** - V4 principal's name to be filled in - - **[out]** **inst** - V4 principal's instance name to be filled in - - **[out]** **realm** - Principal's realm name to be filled in - - -.. - - -:retval: - - 0 Success - - KRB5_INVALID_PRINCIPAL Invalid principal name - - KRB5_CONFIG_CANTOPEN Can't open or find Kerberos configuration file - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function separates a V5 principal *princ* into *name* , *instance* , and *realm* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_524_convert_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_524_convert_creds.txt deleted file mode 100644 index f8d96f0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_524_convert_creds.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials. -========================================================================================== - -.. - -.. c:function:: int krb5_524_convert_creds(krb5_context context, krb5_creds * v5creds, struct credentials * v4creds) - -.. - - -:param: - - **context** - - **v5creds** - - **v4creds** - - -.. - - -:retval: - - KRB524_KRB4_DISABLED (always) - - -.. - - - - - - - - - - - - - - -.. - - - - - - -.. note:: - - Not implemented - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_address_compare.txt b/doc/html/_sources/appdev/refs/api/krb5_address_compare.txt deleted file mode 100644 index 7665fc7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_address_compare.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_address_compare - Compare two Kerberos addresses. -======================================================== - -.. - -.. c:function:: krb5_boolean krb5_address_compare(krb5_context context, const krb5_address * addr1, const krb5_address * addr2) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **addr1** - First address to be compared - - **[in]** **addr2** - Second address to be compared - - -.. - - - -:return: - - TRUE if the addresses are the same, FALSE otherwise - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_address_order.txt b/doc/html/_sources/appdev/refs/api/krb5_address_order.txt deleted file mode 100644 index 6d344cc..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_address_order.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_address_order - Return an ordering of the specified addresses. -===================================================================== - -.. - -.. c:function:: int krb5_address_order(krb5_context context, const krb5_address * addr1, const krb5_address * addr2) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **addr1** - First address - - **[in]** **addr2** - Second address - - -.. - - -:retval: - - 0 The two addresses are the same - - \< 0 First address is less than second - - \> 0 First address is greater than second - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_address_search.txt b/doc/html/_sources/appdev/refs/api/krb5_address_search.txt deleted file mode 100644 index 2bc68c4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_address_search.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_address_search - Search a list of addresses for a specified address. -=========================================================================== - -.. - -.. c:function:: krb5_boolean krb5_address_search(krb5_context context, const krb5_address * addr, krb5_address *const * addrlist) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **addr** - Address to search for - - **[in]** **addrlist** - Address list to be searched (or NULL) - - -.. - - - -:return: - - TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise - -.. - - - - - - - - - - - - - - -.. - - - - - - -.. note:: - - If *addrlist* contains only a NetBIOS addresses, it will be treated as a null list. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_allow_weak_crypto.txt b/doc/html/_sources/appdev/refs/api/krb5_allow_weak_crypto.txt deleted file mode 100644 index f81d504..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_allow_weak_crypto.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_allow_weak_crypto - Allow the appplication to override the profile's allow_weak_crypto setting. -====================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enable** - Boolean flag - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -This function allows an application to override the allow_weak_crypto setting. It is primarily for use by aklog. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.txt b/doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.txt deleted file mode 100644 index c616294..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_aname_to_localname.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_aname_to_localname - Convert a principal name to a local name. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char * lname) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **aname** - Principal name - - **[in]** **lnsize_in** - Space available in *lname* - - **[out]** **lname** - Local name buffer to be filled in - - -.. - - -:retval: - - 0 Success - - System errors - - -:return: - - Kerberos error codes - -.. - - - - - - - -If *aname* does not correspond to any local account, KRB5_LNAME_NOTRANS is returned. If *lnsize_in* is too small for the local name, KRB5_CONFIG_NOTENUFSPACE is returned. - - - -Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name). - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.txt deleted file mode 100644 index 4de5547..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_anonymous_principal.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_anonymous_principal - Build an anonymous principal. -========================================================== - -.. - -.. c:function:: krb5_const_principal krb5_anonymous_principal(void None) - -.. - - -:param: - - **None** - - -.. - - - -.. - - - - - - - -This function returns constant storage that must not be freed. - - - - - - - - - - -.. - -.. seealso:: - :data:`KRB5_ANONYMOUS_PRINCSTR` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.txt deleted file mode 100644 index b8366ab..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_anonymous_realm.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_anonymous_realm - Return an anonymous realm data. -======================================================== - -.. - -.. c:function:: const krb5_data * krb5_anonymous_realm(void None) - -.. - - -:param: - - **None** - - -.. - - - -.. - - - - - - - -This function returns constant storage that must not be freed. - - - - - - - - - - -.. - -.. seealso:: - :data:`KRB5_ANONYMOUS_REALMSTR` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.txt b/doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.txt deleted file mode 100644 index e164341..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_appdefault_boolean.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf. -=============================================================================================== - -.. - -.. c:function:: void krb5_appdefault_boolean(krb5_context context, const char * appname, const krb5_data * realm, const char * option, int default_value, int * ret_value) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **appname** - Application name - - **[in]** **realm** - Realm name - - **[in]** **option** - Option to be checked - - **[in]** **default_value** - Default value to return if no match is found - - **[out]** **ret_value** - Boolean value of *option* - - -.. - - - -.. - - - - - - - -This function gets the application defaults for *option* based on the given *appname* and/or *realm* . - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_appdefault_string()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_appdefault_string.txt b/doc/html/_sources/appdev/refs/api/krb5_appdefault_string.txt deleted file mode 100644 index 1c7590b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_appdefault_string.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf. -============================================================================================= - -.. - -.. c:function:: void krb5_appdefault_string(krb5_context context, const char * appname, const krb5_data * realm, const char * option, const char * default_value, char ** ret_value) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **appname** - Application name - - **[in]** **realm** - Realm name - - **[in]** **option** - Option to be checked - - **[in]** **default_value** - Default value to return if no match is found - - **[out]** **ret_value** - String value of *option* - - -.. - - - -.. - - - - - - - -This function gets the application defaults for *option* based on the given *appname* and/or *realm* . - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_appdefault_boolean()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_free.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_free.txt deleted file mode 100644 index 2062de7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_free.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_auth_con_free - Free a krb5_auth_context structure. -========================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context to be freed - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -This function frees an auth context allocated by :c:func:`krb5_auth_con_init()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.txt deleted file mode 100644 index b8a3f40..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_genaddrs.txt +++ /dev/null @@ -1,66 +0,0 @@ -krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket. -=================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **infd** - Connected socket descriptor - - **[in]** **flags** - Flags - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the local and/or remote addresses in *auth_context* based on the local and remote endpoints of the socket *infd* . The following flags determine the operations performed: - - - - - - - :data:`KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR` Generate local address. - - - - :data:`KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR` Generate remote address. - - - - :data:`KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR` Generate local address and port. - - - - :data:`KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR` Generate remote address and port. - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.txt deleted file mode 100644 index e3a4274..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_get_checksum_func.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context. -=================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_get_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func * func, void ** data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **func** - Checksum callback - - **[out]** **data** - Callback argument - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.txt deleted file mode 100644 index 1225294..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getaddrs.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_auth_con_getaddrs - Retrieve address fields from an auth context. -======================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address ** local_addr, krb5_address ** remote_addr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **local_addr** - Local address (NULL if not needed) - - **[out]** **remote_addr** - Remote address (NULL if not needed) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.txt deleted file mode 100644 index a288338..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getauthenticator.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context. -=================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator ** authenticator) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **authenticator** - Authenticator - - -.. - - -:retval: - - 0 Success. Otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_authenticator()` to free *authenticator* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.txt deleted file mode 100644 index 1884f12..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getflags.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure. -============================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 * flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **flags** - Flags bit mask - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -Valid values for *flags* are: - - - :data:`KRB5_AUTH_CONTEXT_DO_TIME` Use timestamps - - - - :data:`KRB5_AUTH_CONTEXT_RET_TIME` Save timestamps - - - - :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` Use sequence numbers - - - - :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` Save sequence numbers - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.txt deleted file mode 100644 index cfe99ff..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock. -===================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **keyblock** - Session key - - -.. - - -:retval: - - 0 Success. Otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a keyblock containing the session key from *auth_context* . Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.txt deleted file mode 100644 index 0a320ae..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getkey_k.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getkey_k - Retrieve the session key from an auth context. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, krb5_key * key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **key** - Session key - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -This function sets *key* to the session key from *auth_context* . Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.txt deleted file mode 100644 index 977d0ef..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalseqnumber.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **seqnumber** - Local sequence number - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Retrieve the local sequence number from *auth_context* and return it in *seqnumber* . The :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag must be set in *auth_context* for this function to be useful. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.txt deleted file mode 100644 index 655b9d5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getlocalsubkey.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_auth_con_getlocalsubkey -============================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) - -.. - - -:param: - - **context** - - **auth_context** - - **keyblock** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_auth_con_getsendsubkey() . - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrcache.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrcache.txt deleted file mode 100644 index c506636..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrcache.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getrcache - Retrieve the replay cache from an auth context. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache * rcache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **rcache** - Replay cache handle - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -This function fetches the replay cache from *auth_context* . The caller should not close *rcache* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.txt deleted file mode 100644 index 1b7ddfa..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock. -================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[out]** **keyblock** - Receiving subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a keyblock containing the receiving subkey from *auth_context* . Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.txt deleted file mode 100644 index 44ce573..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock. -=================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[out]** **key** - Receiving subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets *key* to the receiving subkey from *auth_context* . Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.txt deleted file mode 100644 index 9dee0e6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremoteseqnumber.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **seqnumber** - Remote sequence number - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Retrieve the remote sequence number from *auth_context* and return it in *seqnumber* . The :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag must be set in *auth_context* for this function to be useful. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.txt deleted file mode 100644 index 3f1095c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getremotesubkey.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_auth_con_getremotesubkey -============================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock) - -.. - - -:param: - - **context** - - **auth_context** - - **keyblock** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_auth_con_getrecvsubkey() . - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.txt deleted file mode 100644 index 6a842b6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[out]** **keyblock** - Send subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a keyblock containing the send subkey from *auth_context* . Use :c:func:`krb5_free_keyblock()` to free *keyblock* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey_k.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey_k.txt deleted file mode 100644 index c63e6c9..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_getsendsubkey_k.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[out]** **key** - Send subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets *key* to the send subkey from *auth_context* . Use :c:func:`krb5_k_free_key()` to release *key* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.txt deleted file mode 100644 index 9c5ee8f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_init.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_auth_con_init - Create and initialize an authentication context. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_init(krb5_context context, krb5_auth_context * auth_context) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **auth_context** - Authentication context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred. - - - -By default, flags for the context are set to enable the use of the replay cache ( :data:`KRB5_AUTH_CONTEXT_DO_TIME` ), but not sequence numbers. Use :c:func:`krb5_auth_con_setflags()` to change the flags. - - - -The allocated *auth_context* must be freed with :c:func:`krb5_auth_con_free()` when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt deleted file mode 100644 index 7d5bf4c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_initivector.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_auth_con_initivector -========================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context) - -.. - - -:param: - - **context** - - **auth_context** - - -.. - - - -.. - - -DEPRECATED Not replaced. - - - - - - - - - - -RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.txt deleted file mode 100644 index a762d4e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_checksum_func.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context. -=============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_set_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func func, void * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **func** - Checksum callback - - **[in]** **data** - Callback argument - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -Set a callback to obtain checksum data in :c:func:`krb5_mk_req()` . The callback will be invoked after the subkey and local sequence number are stored in *auth_context* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_req_cksumtype.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_req_cksumtype.txt deleted file mode 100644 index 76c948e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_set_req_cksumtype.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **cksumtype** - Checksum type - - -.. - - -:retval: - - 0 Success. Otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the checksum type in *auth_context* to be used by :c:func:`krb5_mk_req()` for the authenticator checksum. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setaddrs.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setaddrs.txt deleted file mode 100644 index 4730219..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setaddrs.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context. -================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address * local_addr, krb5_address * remote_addr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **local_addr** - Local address - - **[in]** **remote_addr** - Remote address - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function releases the storage assigned to the contents of the local and remote addresses of *auth_context* and then sets them to *local_addr* and *remote_addr* respectively. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_auth_con_genaddrs()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.txt deleted file mode 100644 index a159e23..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setflags.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **flags** - Flags bit mask - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -Valid values for *flags* are: - - - :data:`KRB5_AUTH_CONTEXT_DO_TIME` Use timestamps - - - - :data:`KRB5_AUTH_CONTEXT_RET_TIME` Save timestamps - - - - :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` Use sequence numbers - - - - :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` Save sequence numbers - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.txt deleted file mode 100644 index 279c327..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setports.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_auth_con_setports - Set local and remote port fields in an auth context. -=============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address * local_port, krb5_address * remote_port) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **local_port** - Local port - - **[in]** **remote_port** - Remote port - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function releases the storage assigned to the contents of the local and remote ports of *auth_context* and then sets them to *local_port* and *remote_port* respectively. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_auth_con_genaddrs()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrcache.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrcache.txt deleted file mode 100644 index 9b197a3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrcache.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_setrcache - Set the replay cache in an auth context. -==================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **rcache** - Replay cache haddle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the replay cache in *auth_context* to *rcache* . *rcache* will be closed when *auth_context* is freed, so the caller should relinguish that responsibility. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.txt deleted file mode 100644 index 7e43d91..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[in]** **keyblock** - Receiving subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the receiving subkey in *ac* to a copy of *keyblock* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.txt deleted file mode 100644 index feafaab..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[in]** **key** - Receiving subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the receiving subkey in *ac* to *key* , incrementing its reference count. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.txt deleted file mode 100644 index 47f746b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock. -======================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[in]** **keyblock** - Send subkey - - -.. - - -:retval: - - 0 Success. Otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the send subkey in *ac* to a copy of *keyblock* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.txt deleted file mode 100644 index 59fd739..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setsendsubkey_k.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **ac** - Authentication context - - **[out]** **key** - Send subkey - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the send subkey in *ac* to *key* , incrementing its reference count. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setuseruserkey.txt b/doc/html/_sources/appdev/refs/api/krb5_auth_con_setuseruserkey.txt deleted file mode 100644 index 11d9249..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_auth_con_setuseruserkey.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_auth_con_setuseruserkey - Set the session key in an auth context. -======================================================================== - -.. - -.. c:function:: krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock * keyblock) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **keyblock** - User key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_build_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_build_principal.txt deleted file mode 100644 index 5a8cb0e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_build_principal.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_build_principal - Build a principal name using null-terminated strings. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_build_principal(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... ) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **princ** - Principal name - - **[in]** **rlen** - Realm name length - - **[in]** **realm** - Realm name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Call :c:func:`krb5_free_principal()` to free *princ* when it is no longer needed. - - - - - - - - - - - - - - -.. - - - - - - -.. note:: - - :c:func:`krb5_build_principal()` and :c:func:`krb5_build_principal_alloc_va()` perform the same task. :c:func:`krb5_build_principal()` takes variadic arguments. :c:func:`krb5_build_principal_alloc_va()` takes a pre-computed *varargs* pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.txt b/doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.txt deleted file mode 100644 index 6f8a57e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_build_principal_alloc_va.txt +++ /dev/null @@ -1,66 +0,0 @@ -krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list. -===================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_build_principal_alloc_va(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, va_list ap) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **princ** - Principal structure - - **[in]** **rlen** - Realm name length - - **[in]** **realm** - Realm name - - **[in]** **ap** - List of char * components, ending with NULL - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Similar to :c:func:`krb5_build_principal()` , this function builds a principal name, but its name components are specified as a va_list. - - - -Use :c:func:`krb5_free_principal()` to deallocate *princ* when it is no longer needed. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_build_principal_ext.txt b/doc/html/_sources/appdev/refs/api/krb5_build_principal_ext.txt deleted file mode 100644 index e1b6397..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_build_principal_ext.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_build_principal_ext - Build a principal name using length-counted strings. -================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_build_principal_ext(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ... ) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **princ** - Principal name - - **[in]** **rlen** - Realm name length - - **[in]** **realm** - Realm name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call :c:func:`krb5_free_principal()` to free allocated memory for principal when it is no longer needed. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_build_principal_va.txt b/doc/html/_sources/appdev/refs/api/krb5_build_principal_va.txt deleted file mode 100644 index 88f530e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_build_principal_va.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_build_principal_va -======================= - -.. - -.. c:function:: krb5_error_code krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char * realm, va_list ap) - -.. - - -:param: - - **context** - - **princ** - - **rlen** - - **realm** - - **ap** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_build_principal_alloc_va() . - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_block_size.txt b/doc/html/_sources/appdev/refs/api/krb5_c_block_size.txt deleted file mode 100644 index 4c4a13e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_block_size.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_c_block_size - Return cipher block size. -=============================================== - -.. - -.. c:function:: krb5_error_code krb5_c_block_size(krb5_context context, krb5_enctype enctype, size_t * blocksize) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[out]** **blocksize** - Block size for *enctype* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.txt b/doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.txt deleted file mode 100644 index 644e34b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_checksum_length.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_c_checksum_length - Return the length of checksums for a checksum type. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, size_t * length) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type - - **[out]** **length** - Checksum length - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.txt b/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.txt deleted file mode 100644 index 3879981..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_c_crypto_length - Return a length of a message field specific to the encryption type. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int * size) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **type** - Type field (See :data:`KRB5_CRYPTO_TYPE` types) - - **[out]** **size** - Length of the *type* specific to *enctype* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.txt deleted file mode 100644 index 1b4edaa..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_crypto_length_iov.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[inout]** **data** - IOV array - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Padding is set to the actual padding required based on the provided *data* buffers. Typically this API is used after setting up the data buffers and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` buffers, but before actually allocating header, trailer and padding. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_decrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_c_decrypt.txt deleted file mode 100644 index 31f011d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_decrypt.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_c_decrypt - Decrypt data using a key (operates on keyblock). -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_decrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **cipher_state** - Cipher state; specify NULL if not needed - - **[in]** **input** - Encrypted data - - **[out]** **output** - Decrypted data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function decrypts the data block *input* and stores the output into *output* . The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. - - - - - - - - - - -.. - - - - - - -.. note:: - - The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let :c:func:`krb5_c_decrypt()` trim *output->length* . For some enctypes, the resulting *output->length* may include padding bytes. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.txt deleted file mode 100644 index 2dc3f10..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_decrypt_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock). -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keyblock** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **cipher_state** - Cipher state; specify NULL if not needed - - **[inout]** **data** - IOV array. Modified in-place. - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_decrypt_iov()` - - - - - - -.. note:: - - On return from a :c:func:`krb5_c_decrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - - This function is similar to :c:func:`krb5_k_decrypt_iov()` , but operates on keyblock *keyblock* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.txt b/doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.txt deleted file mode 100644 index fdb62c5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_derive_prfplus.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+). -================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_enctype enctype, krb5_keyblock ** out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **k** - KDC contribution key - - **[in]** **input** - Input string - - **[in]** **enctype** - Output key enctype (or **ENCTYPE_NULL** ) - - **[out]** **out** - Derived keyblock - - -.. - - - -.. - - - - - - - -This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If *enctype* is **ENCTYPE_NULL** , the output key will have the same enctype as the input key. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.txt deleted file mode 100644 index 7b6cb03..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_c_encrypt - Encrypt data using a key (operates on keyblock). -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_encrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **cipher_state** - Cipher state; specify NULL if not needed - - **[in]** **input** - Data to be encrypted - - **[out]** **output** - Encrypted data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function encrypts the data block *input* and stores the output into *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. - - - - - - - - - - -.. - - - - - - -.. note:: - - The caller must initialize *output* and allocate at least enough space for the result (using :c:func:`krb5_c_encrypt_length()` to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.txt deleted file mode 100644 index dbfcb52..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock). -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keyblock** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **cipher_state** - Cipher state; specify NULL if not needed - - **[inout]** **data** - IOV array. Modified in-place. - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *keyblock* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_decrypt_iov()` - - - - - - -.. note:: - - On return from a :c:func:`krb5_c_encrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - - This function is similar to :c:func:`krb5_k_encrypt_iov()` , but operates on keyblock *keyblock* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.txt b/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.txt deleted file mode 100644 index a459c3a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_encrypt_length.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_encrypt_length - Compute encrypted data length. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t * length) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **inputlen** - Length of the data to be encrypted - - **[out]** **length** - Length of the encrypted data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function computes the length of the ciphertext produced by encrypting *inputlen* bytes including padding, confounder, and checksum. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.txt b/doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.txt deleted file mode 100644 index 156cdd2..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_enctype_compare.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_enctype_compare - Compare two encryption types. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean * similar) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **e1** - First encryption type - - **[in]** **e2** - Second encryption type - - **[out]** **similar** - **TRUE** if types are similar, **FALSE** if not - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function determines whether two encryption types use the same kind of keys. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_free_state.txt b/doc/html/_sources/appdev/refs/api/krb5_c_free_state.txt deleted file mode 100644 index f934e95..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_free_state.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state() . -======================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_c_free_state(krb5_context context, const krb5_keyblock * key, krb5_data * state) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Key - - **[in]** **state** - Cipher state to be freed - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.txt b/doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.txt deleted file mode 100644 index 0d9cf9d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_fx_cf2_simple.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings. -=========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_fx_cf2_simple(krb5_context context, const krb5_keyblock * k1, const char * pepper1, const krb5_keyblock * k2, const char * pepper2, krb5_keyblock ** out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **k1** - KDC contribution key - - **[in]** **pepper1** - String"PKINIT" - - **[in]** **k2** - Reply key - - **[in]** **pepper2** - String"KeyExchange" - - **[out]** **out** - Output key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that *pepper1* and *pepper2* are C strings with no internal nulls and that the enctype of the result will be the same as that of *k1* . *k1* and *k2* may be of different enctypes. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_init_state.txt b/doc/html/_sources/appdev/refs/api/krb5_c_init_state.txt deleted file mode 100644 index c28dca7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_init_state.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_c_init_state - Initialize a new cipher state. -==================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_init_state(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, krb5_data * new_state) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[out]** **new_state** - New cipher state - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_is_coll_proof_cksum.txt b/doc/html/_sources/appdev/refs/api/krb5_c_is_coll_proof_cksum.txt deleted file mode 100644 index 478f246..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_is_coll_proof_cksum.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof. -=============================================================================== - -.. - -.. c:function:: krb5_boolean krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype) - -.. - - -:param: - - **[in]** **ctype** - Checksum type - - -.. - - - -:return: - - TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type. - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_is_keyed_cksum.txt b/doc/html/_sources/appdev/refs/api/krb5_c_is_keyed_cksum.txt deleted file mode 100644 index ed6e6ab..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_is_keyed_cksum.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_c_is_keyed_cksum - Test whether a checksum type is keyed. -================================================================ - -.. - -.. c:function:: krb5_boolean krb5_c_is_keyed_cksum(krb5_cksumtype ctype) - -.. - - -:param: - - **[in]** **ctype** - Checksum type - - -.. - - - -:return: - - TRUE if ctype is a keyed checksum type, FALSE otherwise. - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_keyed_checksum_types.txt b/doc/html/_sources/appdev/refs/api/krb5_c_keyed_checksum_types.txt deleted file mode 100644 index 22f5092..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_keyed_checksum_types.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type. -===================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int * count, krb5_cksumtype ** cksumtypes) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[out]** **count** - Count of allowable checksum types - - **[out]** **cksumtypes** - Array of allowable checksum types - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_cksumtypes()` to free *cksumtypes* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_keylengths.txt b/doc/html/_sources/appdev/refs/api/krb5_c_keylengths.txt deleted file mode 100644 index 9b195c4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_keylengths.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_c_keylengths - Return length of the specified key in bytes. -================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_keylengths(krb5_context context, krb5_enctype enctype, size_t * keybytes, size_t * keylength) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[out]** **keybytes** - Number of bytes required to make a key - - **[out]** **keylength** - Length of final key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum.txt deleted file mode 100644 index f432c60..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_c_make_checksum - Compute a checksum (operates on keyblock). -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **input** - Input data - - **[out]** **cksum** - Generated checksum - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function computes a checksum of type *cksumtype* over *input* , using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling :c:func:`krb5_free_checksum_contents()` when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_verify_checksum()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_k_make_checksum()` , but operates on keyblock *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.txt deleted file mode 100644 index d313c2b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_make_checksum_iov.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock) -=========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **data** - IOV array - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Create a checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element over :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` chunks in *data* . Only the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` region is modified. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_verify_checksum_iov()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_k_make_checksum_iov()` , but operates on keyblock *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.txt b/doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.txt deleted file mode 100644 index d485c1c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_make_random_key.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_c_make_random_key - Generate an enctype-specific random encryption key. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, krb5_keyblock * k5_random_key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type of the generated key - - **[out]** **k5_random_key** - An allocated and initialized keyblock - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_keyblock_contents()` to free *k5_random_key* when no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_padding_length.txt b/doc/html/_sources/appdev/refs/api/krb5_c_padding_length.txt deleted file mode 100644 index 35471bf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_padding_length.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_padding_length - Return a number of padding octets. -============================================================ - -.. - -.. c:function:: krb5_error_code krb5_c_padding_length(krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int * size) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **data_length** - Length of the plaintext to pad - - **[out]** **size** - Number of padding octets - - -.. - - -:retval: - - 0 Success; otherwise - KRB5_BAD_ENCTYPE - - -.. - - - - - - - -This function returns the number of the padding octets required to pad *data_length* octets of plaintext. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_prf.txt b/doc/html/_sources/appdev/refs/api/krb5_c_prf.txt deleted file mode 100644 index b626f43..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_prf.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_c_prf - Generate enctype-specific pseudo-random bytes. -============================================================= - -.. - -.. c:function:: krb5_error_code krb5_c_prf(krb5_context context, const krb5_keyblock * keyblock, krb5_data * input, krb5_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keyblock** - Key - - **[in]** **input** - Input data - - **[out]** **output** - Output data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function selects a pseudo-random function based on *keyblock* and computes its value over *input* , placing the result into *output* . The caller must preinitialize *output* and allocate space for the result, using :c:func:`krb5_c_prf_length()` to determine the required length. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_prf_length.txt b/doc/html/_sources/appdev/refs/api/krb5_c_prf_length.txt deleted file mode 100644 index ff20e29..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_prf_length.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t * len) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[out]** **len** - Length of PRF output - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_prfplus.txt b/doc/html/_sources/appdev/refs/api/krb5_c_prfplus.txt deleted file mode 100644 index 682a8f4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_prfplus.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+. -==================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **k** - KDC contribution key - - **[in]** **input** - Input data - - **[out]** **output** - Pseudo-random output buffer - - -.. - - - -:return: - - 0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf() - -.. - - - - - - - -This function fills *output* with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize *output* and allocate the desired amount of space. The length of the pseudo-random output will match the length of *output* . - - - - - - - - - - -.. - - - - - - -.. note:: - - RFC 4402 defines a different PRF+ operation. This function does not implement that operation. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.txt b/doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.txt deleted file mode 100644 index d64693c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_random_add_entropy.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_c_random_add_entropy - Add entropy to the pseudo-random number generator. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, const krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **randsource** - Entropy source (see KRB5_RANDSOURCE types) - - **[in]** **data** - Data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Contribute entropy to the PRNG used by krb5 crypto operations. This may or may not affect the output of the next crypto operation requiring random data. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.txt b/doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.txt deleted file mode 100644 index 91a1159..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_random_make_octets.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_c_random_make_octets - Generate pseudo-random bytes. -=========================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_random_make_octets(krb5_context context, krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **data** - Random data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Fills in *data* with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize *data* and allocate the desired amount of space. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_random_os_entropy.txt b/doc/html/_sources/appdev/refs/api/krb5_c_random_os_entropy.txt deleted file mode 100644 index 65fc251..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_random_os_entropy.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_c_random_os_entropy - Collect entropy from the OS if possible. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_random_os_entropy(krb5_context context, int strong, int * success) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **strong** - Strongest available source of entropy - - **[out]** **success** - 1 if OS provides entropy, 0 otherwise - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -If *strong* is non-zero, this function attempts to use the strongest available source of entropy. Setting this flag may cause the function to block on some operating systems. Good uses include seeding the PRNG for kadmind and realm setup. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_random_seed.txt b/doc/html/_sources/appdev/refs/api/krb5_c_random_seed.txt deleted file mode 100644 index 9e1c816..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_random_seed.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_c_random_seed -================== - -.. - -.. c:function:: krb5_error_code krb5_c_random_seed(krb5_context context, krb5_data * data) - -.. - - -:param: - - **context** - - **data** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.txt b/doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.txt deleted file mode 100644 index 927c878..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_random_to_key.txt +++ /dev/null @@ -1,64 +0,0 @@ -krb5_c_random_to_key - Generate an enctype-specific key from random data. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, krb5_data * random_data, krb5_keyblock * k5_random_key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **random_data** - Random input data - - **[out]** **k5_random_key** - Resulting key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function takes random input data *random_data* and produces a valid key *k5_random_key* for a given *enctype* . - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_keylengths()` - - - - - - -.. note:: - - It is assumed that *k5_random_key* has already been initialized and *k5_random_key->contents* has been allocated with the correct length. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.txt b/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.txt deleted file mode 100644 index deacb14..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_c_string_to_key - Convert a string (such a password) to a key. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, krb5_keyblock * key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **string** - String to be converted - - **[in]** **salt** - Salt value - - **[out]** **key** - Generated key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function converts *string* to a *key* of encryption type *enctype* , using the specified *salt* . The newly created *key* must be released by calling :c:func:`krb5_free_keyblock_contents()` when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.txt b/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.txt deleted file mode 100644 index 8ec6e21..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_string_to_key_with_params.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters. -=============================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, const krb5_data * params, krb5_keyblock * key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **string** - String to be converted - - **[in]** **salt** - Salt value - - **[in]** **params** - Parameters - - **[out]** **key** - Generated key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function is similar to :c:func:`krb5_c_string_to_key()` , but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created *key* must be released by calling :c:func:`krb5_free_keyblock_contents()` when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_valid_cksumtype.txt b/doc/html/_sources/appdev/refs/api/krb5_c_valid_cksumtype.txt deleted file mode 100644 index 0cc7787..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_valid_cksumtype.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type. -================================================================================================= - -.. - -.. c:function:: krb5_boolean krb5_c_valid_cksumtype(krb5_cksumtype ctype) - -.. - - -:param: - - **[in]** **ctype** - Checksum type - - -.. - - - -:return: - - TRUE if ctype is valid, FALSE if not - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.txt b/doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.txt deleted file mode 100644 index f5adeee..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_valid_enctype.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type. -===================================================================================================== - -.. - -.. c:function:: krb5_boolean krb5_c_valid_enctype(krb5_enctype ktype) - -.. - - -:param: - - **[in]** **ktype** - Encryption type - - -.. - - - -:return: - - TRUE if ktype is valid, FALSE if not - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.txt deleted file mode 100644 index 49eb599..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_c_verify_checksum - Verify a checksum (operates on keyblock). -==================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_verify_checksum(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - *key* usage - - **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against - - **[in]** **cksum** - Checksum to be verified - - **[out]** **valid** - Non-zero for success, zero for failure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function verifies that *cksum* is a valid checksum for *data* . If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. - - - - - - - - - - -.. - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_k_verify_checksum()` , but operates on keyblock *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.txt deleted file mode 100644 index e8c37b3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_c_verify_checksum_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock). -=============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **data** - IOV array - - **[in]** **num_data** - Size of *data* - - **[out]** **valid** - Non-zero for success, zero for failure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Confirm that the checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element is a valid checksum of the :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` regions in the iov. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_make_checksum_iov()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_k_verify_checksum_iov()` , but operates on keyblock *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_calculate_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_calculate_checksum.txt deleted file mode 100644 index ef40b12..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_calculate_checksum.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_calculate_checksum -======================= - -.. - -.. c:function:: krb5_error_code krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length, krb5_checksum * outcksum) - -.. - - -:param: - - **context** - - **ctype** - - **in** - - **in_length** - - **seed** - - **seed_length** - - **outcksum** - - -.. - - - -.. - - -DEPRECATED See krb5_c_make_checksum() - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.txt deleted file mode 100644 index 3e01acc..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_cache_match.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_cc_cache_match - Find a credential cache with a specified client principal. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_ccache * cache_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **client** - Client principal - - **[out]** **cache_out** - Credential cache handle - - -.. - - -:retval: - - 0 Success - - KRB5_CC_NOTFOUND None - - -.. - - - - - - - -Find a cache within the collection whose default principal is *client* . Use *krb5_cc_close* to close *ccache* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_close.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_close.txt deleted file mode 100644 index 6a58c9a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_close.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_cc_close - Close a credential cache handle. -================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_close(krb5_context context, krb5_ccache cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function closes a credential cache handle *cache* without affecting the contents of the cache. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.txt deleted file mode 100644 index f3af7c1..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_copy_creds.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_cc_copy_creds - Copy a credential cache. -=============================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **incc** - Credential cache to be copied - - **[out]** **outcc** - Copy of credential cache to be filled in - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_default.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_default.txt deleted file mode 100644 index 3a85ba4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_default.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_cc_default - Resolve the default credential cache name. -============================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_default(krb5_context context, krb5_ccache * ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **ccache** - Pointer to credential cache name - - -.. - - -:retval: - - 0 Success - - KV5M_CONTEXT Bad magic number for _krb5_context structure - - KRB5_FCC_INTERNAL The name of the default credential cache cannot be obtained - - -:return: - - Kerberos error codes - -.. - - - - - - - -Create a handle to the default credential cache as given by :c:func:`krb5_cc_default_name()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_default_name.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_default_name.txt deleted file mode 100644 index f54c5e5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_default_name.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_cc_default_name - Return the name of the default credential cache. -========================================================================= - -.. - -.. c:function:: const char * krb5_cc_default_name(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - - -:return: - - Name of default credential cache for the current user. - -.. - - - - - - - -Return a pointer to the default credential cache name for *context* , as determined by a prior call to :c:func:`krb5_cc_set_default_name()` , by the KRB5CCNAME environment variable, by the default_ccache_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when *context* is destroyed :c:func:`krb5_free_context()` or if a subsequent call to :c:func:`krb5_cc_set_default_name()` is made on *context* . - - - -The default credential cache name is cached in *context* between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke :c:func:`krb5_cc_set_default_name()` with a NULL value of *name* to clear the cached value and force the default name to be recomputed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_destroy.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_destroy.txt deleted file mode 100644 index 1225471..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_destroy.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_cc_destroy - Destroy a credential cache. -=============================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_destroy(krb5_context context, krb5_ccache cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Permission errors - -.. - - - - - - - -This function destroys any existing contents of *cache* and closes the handle to it. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_dup.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_dup.txt deleted file mode 100644 index 00179a0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_dup.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_cc_dup - Duplicate ccache handle. -======================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache * out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **in** - Credential cache handle to be duplicated - - **[out]** **out** - Credential cache handle - - -.. - - - -.. - - - - - - - -Create a new handle referring to the same cache as *in* . The new handle and *in* can be closed independently. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.txt deleted file mode 100644 index b5b0900..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_end_seq_get.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries. -========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **cursor** - Cursor - - -.. - - -:retval: - - 0 (always) - - -.. - - - - - - - -This function finishes processing credential cache entries and invalidates *cursor* . - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_cc_start_seq_get()` , :c:func:`krb5_cc_next_cred()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.txt deleted file mode 100644 index 3672b36..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_gen_new.txt +++ /dev/null @@ -1,39 +0,0 @@ -krb5_cc_gen_new -=============== - -.. - -.. c:function:: krb5_error_code krb5_cc_gen_new(krb5_context context, krb5_ccache * cache) - -.. - - -:param: - - **context** - - **cache** - - -.. - - - -.. - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_config.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_config.txt deleted file mode 100644 index 4021ee6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_config.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_cc_get_config - Get a configuration value from a credential cache. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **id** - Credential cache handle - - **[in]** **principal** - Configuration for this principal; if NULL, global for the whole cache - - **[in]** **key** - Name of config variable - - **[out]** **data** - Data to be fetched - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.txt deleted file mode 100644 index ca764c8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_flags.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_cc_get_flags - Retrieve flags from a credential cache structure. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags * flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[out]** **flags** - Flag bit mask - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - -.. warning:: - - For memory credential cache always returns a flag mask of 0. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.txt deleted file mode 100644 index 7c57045..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_full_name.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_cc_get_full_name - Retrieve the full name of a credential cache. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, char ** fullname_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[out]** **fullname_out** - Full name of cache - - -.. - - - -.. - - - - - - - -Use :c:func:`krb5_free_string()` to free *fullname_out* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_name.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_name.txt deleted file mode 100644 index 34afeee..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_name.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_cc_get_name - Retrieve the name, but not type of a credential cache. -=========================================================================== - -.. - -.. c:function:: const char * krb5_cc_get_name(krb5_context context, krb5_ccache cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - -.. - - - -:return: - - On success - the name of the credential cache. - -.. - - - - - - - - - - - - - - -.. - - - - - -.. warning:: - - Returns the name of the credential cache. The result is an alias into *cache* and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to :c:func:`krb5_cc_resolve()` . - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.txt deleted file mode 100644 index 139817c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_principal.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_cc_get_principal - Get the default principal of a credential cache. -========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal * principal) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[out]** **principal** - Primary principal - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Returns the default client principal of a credential cache as set by :c:func:`krb5_cc_initialize()` . - - - -Use :c:func:`krb5_free_principal()` to free *principal* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_get_type.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_get_type.txt deleted file mode 100644 index a970bd6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_get_type.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_cc_get_type - Retrieve the type of a credential cache. -============================================================= - -.. - -.. c:function:: const char * krb5_cc_get_type(krb5_context context, krb5_ccache cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - -.. - - - -:return: - - The type of a credential cache as an alias that must not be modified or freed by the caller. - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_initialize.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_initialize.txt deleted file mode 100644 index d306a29..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_initialize.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_cc_initialize - Initialize a credential cache. -===================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_initialize(krb5_context context, krb5_ccache cache, krb5_principal principal) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **principal** - Default principal name - - -.. - - -:retval: - - 0 Success - - -:return: - - System errors; Permission errors; Kerberos error codes - -.. - - - - - - - -Destroy any existing contents of *cache* and initialize it for the default principal *principal* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_last_change_time.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_last_change_time.txt deleted file mode 100644 index c3c5701..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_last_change_time.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_cc_last_change_time - Return a timestamp of the last modification to a credential cache. -=============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_last_change_time(krb5_context context, krb5_ccache ccache, krb5_timestamp * change_time) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ccache** - Credential cache handle - - **[out]** **change_time** - The last change time of *ccache* - - -.. - - - -.. - - - - - - - -If an error occurs, *change_time* is set to 0. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_lock.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_lock.txt deleted file mode 100644 index 58dfe6f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_lock.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_cc_lock - Lock a credential cache. -========================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_lock(krb5_context context, krb5_ccache ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ccache** - Credential cache handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_cc_unlock()` to unlock the lock. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_move.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_move.txt deleted file mode 100644 index ba9f0fd..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_move.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_cc_move - Move a credential cache. -========================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **src** - The credential cache to move the content from - - **[in]** **dst** - The credential cache to move the content to - - -.. - - -:retval: - - 0 Success; src is closed. - - -:return: - - Kerberos error codes; src is still allocated. - -.. - - - - - - - -This function reinitializes *dst* and populates it with the credentials and default principal of *src* ; then, if successful, destroys *src* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.txt deleted file mode 100644 index e4313c0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_new_unique.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_new_unique(krb5_context context, const char * type, const char * hint, krb5_ccache * id) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **type** - Credential cache type name - - **[in]** **hint** - Unused - - **[out]** **id** - Credential cache handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_next_cred.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_next_cred.txt deleted file mode 100644 index 98d2586..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_next_cred.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_cc_next_cred - Retrieve the next entry from the credential cache. -======================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_next_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **cursor** - Cursor - - **[out]** **creds** - Next credential cache entry - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function fills in *creds* with the next entry in *cache* and advances *cursor* . - - - -Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_cc_start_seq_get()` , krb5_end_seq_get() - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.txt deleted file mode 100644 index 3843e74..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_remove_cred.txt +++ /dev/null @@ -1,64 +0,0 @@ -krb5_cc_remove_cred - Remove credentials from a credential cache. -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **flags** - Bitwise-ORed search flags - - **[in]** **creds** - Credentials to be matched - - -.. - - -:retval: - - KRB5_CC_NOSUPP Not implemented for this cache type - - -:return: - - No matches found; Data cannot be deleted; Kerberos error codes - -.. - - - - - - - -This function accepts the same flag values as :c:func:`krb5_cc_retrieve_cred()` . - - - - - - - - - - -.. - - - - - -.. warning:: - - This function is not implemented for some cache types. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_resolve.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_resolve.txt deleted file mode 100644 index 746ac6c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_resolve.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_cc_resolve - Resolve a credential cache name. -==================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_resolve(krb5_context context, const char * name, krb5_ccache * cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - Credential cache name to be resolved - - **[out]** **cache** - Credential cache handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Fills in *cache* with a *cache* handle that corresponds to the name in *name* . *name* should be of the form **type:residual** , and *type* must be a type known to the library. If the *name* does not contain a colon, interpret it as a file name. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.txt deleted file mode 100644 index b334e30..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_retrieve_cred.txt +++ /dev/null @@ -1,94 +0,0 @@ -krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache. -=================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * mcreds, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **flags** - Flags bit mask - - **[in]** **mcreds** - Credentials to match - - **[out]** **creds** - Credentials matching the requested value - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function searches a credential cache for credentials matching *mcreds* and returns it if found. - - - -Valid values for *flags* are: - - - - - - - :data:`KRB5_TC_MATCH_TIMES` The requested lifetime must be at least as great as in *mcreds* . - - - - :data:`KRB5_TC_MATCH_IS_SKEY` The *is_skey* field much match exactly. - - - - :data:`KRB5_TC_MATCH_FLAGS` Flags set in *mcreds* must be set. - - - - :data:`KRB5_TC_MATCH_TIMES_EXACT` The requested lifetime must match exactly. - - - - :data:`KRB5_TC_MATCH_FLAGS_EXACT` Flags must match exactly. - - - - :data:`KRB5_TC_MATCH_AUTHDATA` The authorization data must match. - - - - :data:`KRB5_TC_MATCH_SRV_NAMEONLY` Only the name portion of the principal name must match, not the realm. - - - - :data:`KRB5_TC_MATCH_2ND_TKT` The second tickets must match. - - - - :data:`KRB5_TC_MATCH_KTYPE` The encryption key types must match. - - - - :data:`KRB5_TC_SUPPORTED_KTYPES` Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest. - - Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_select.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_select.txt deleted file mode 100644 index 221eb28..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_select.txt +++ /dev/null @@ -1,73 +0,0 @@ -krb5_cc_select - Select a credential cache to use with a server principal. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache * cache_out, krb5_principal * princ_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **server** - Server principal - - **[out]** **cache_out** - Credential cache handle - - **[out]** **princ_out** - Client principal - - -.. - - - -:return: - - If an appropriate cache is found, 0 is returned, cache_out is set to the selected cache, and princ_out is set to the default principal of that cache. - -.. - - - - - - - -Select a cache within the collection containing credentials most appropriate for use with *server* , according to configured rules and heuristics. - - - -Use :c:func:`krb5_cc_close()` to release *cache_out* when it is no longer needed. Use :c:func:`krb5_free_principal()` to release *princ_out* when it is no longer needed. Note that *princ_out* is set in some error conditions. - - - -If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5_CC_NOTFOUND is returned, *cache_out* is set to NULL, and *princ_out* is set to the appropriate client principal. - - - -If no configured mechanism can determine the appropriate cache or principal, KRB5_CC_NOTFOUND is returned and *cache_out* and *princ_out* are set to NULL. - - - -Any other error code indicates a fatal error in the processing of a cache selection mechanism. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_set_config.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_set_config.txt deleted file mode 100644 index fdcc613..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_set_config.txt +++ /dev/null @@ -1,66 +0,0 @@ -krb5_cc_set_config - Store a configuration value in a credential cache. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **id** - Credential cache handle - - **[in]** **principal** - Configuration for a specific principal; if NULL, global for the whole cache - - **[in]** **key** - Name of config variable - - **[in]** **data** - Data to store, or NULL to remove - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - - - - - - - - -.. - - - - - -.. warning:: - - Before version 1.10 *data* was assumed to be always non-null. - - -.. note:: - - Existing configuration under the same key is over-written. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.txt deleted file mode 100644 index f1eb902..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_set_default_name.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_cc_set_default_name - Set the default credential cache name. -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_set_default_name(krb5_context context, const char * name) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - Default credential cache name or NULL - - -.. - - -:retval: - - 0 Success - - KV5M_CONTEXT Bad magic number for _krb5_context structure - - -:return: - - Kerberos error codes - -.. - - - - - - - -Set the default credential cache name to *name* for future operations using *context* . If *name* is NULL, clear any previous application-set default name and forget any cached value of the default name for *context* . - - - -Calls to this function invalidate the result of any previous calls to :c:func:`krb5_cc_default_name()` using *context* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.txt deleted file mode 100644 index d68d874..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_set_flags.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_cc_set_flags - Set options flags on a credential cache. -============================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **flags** - Flag bit mask - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function resets *cache* flags to *flags* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.txt deleted file mode 100644 index 75f4b09..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_start_seq_get.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[out]** **cursor** - Cursor - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - :c:func:`krb5_cc_end_seq_get()` must be called to complete the retrieve operation. - - - - - - - - - - -.. - - - - - - -.. note:: - - If *cache* is modified between the time of the call to this function and the time of the final :c:func:`krb5_cc_end_seq_get()` , the results are undefined. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.txt deleted file mode 100644 index 1cc27cc..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_store_cred.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_cc_store_cred - Store credentials in a credential cache. -=============================================================== - -.. - -.. c:function:: krb5_error_code krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - **[in]** **creds** - Credentials to be stored in cache - - -.. - - -:retval: - - 0 Success - - -:return: - - Permission errors; storage failure errors; Kerberos error codes - -.. - - - - - - - -This function stores *creds* into *cache* . If *creds->server* and the server in the decoded ticket *creds->ticket* differ, the credentials will be stored under both server principal names. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_support_switch.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_support_switch.txt deleted file mode 100644 index 394629b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_support_switch.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_cc_support_switch - Determine whether a credential cache type supports switching. -======================================================================================== - -.. - -.. c:function:: krb5_boolean krb5_cc_support_switch(krb5_context context, const char * type) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **type** - Credential cache type - - -.. - - -:retval: - - TRUE if type supports switching - - FALSE if it does not or is not a valid credential cache type. - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_switch.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_switch.txt deleted file mode 100644 index ef4c570..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_switch.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_cc_switch - Make a credential cache the primary cache for its collection. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_cc_switch(krb5_context context, krb5_ccache cache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cache** - Credential cache handle - - -.. - - -:retval: - - 0 Success, or the type of cache doesn't support switching - - -:return: - - Kerberos error codes - -.. - - - - - - - -If the type of *cache* supports it, set *cache* to be the primary credential cache for the collection it belongs to. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cc_unlock.txt b/doc/html/_sources/appdev/refs/api/krb5_cc_unlock.txt deleted file mode 100644 index 5e28046..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cc_unlock.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_cc_unlock - Unlock a credential cache. -============================================= - -.. - -.. c:function:: krb5_error_code krb5_cc_unlock(krb5_context context, krb5_ccache ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ccache** - Credential cache handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function unlocks the *ccache* locked by :c:func:`krb5_cc_lock()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.txt deleted file mode 100644 index 14bc730..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_free.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_cccol_cursor_free - Free a credential cache collection cursor. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cursor** - Cursor - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_cccol_cursor_new()` , :c:func:`krb5_cccol_cursor_next()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.txt deleted file mode 100644 index 8a447fc..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_new.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches. -============================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **cursor** - Cursor - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Get a new cache iteration *cursor* that will iterate over all known credential caches independent of type. - - - -Use :c:func:`krb5_cccol_cursor_free()` to release *cursor* when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_cccol_cursor_next()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.txt deleted file mode 100644 index 7b8c964..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_cursor_next.txt +++ /dev/null @@ -1,62 +0,0 @@ -krb5_cccol_cursor_next - Get the next credential cache in the collection. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache * ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cursor** - Cursor - - **[out]** **ccache** - Credential cache handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_cc_close()` to close *ccache* when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_cccol_cursor_new()` , :c:func:`krb5_cccol_cursor_free()` - - - - - - -.. note:: - - When all caches are iterated over and the end of the list is reached, *ccache* is set to NULL. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.txt deleted file mode 100644 index fbd6a85..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_have_content.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_cccol_have_content - Check if the credential cache collection contains any credentials. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cccol_have_content(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - -:retval: - - 0 Credentials are available in the collection - - KRB5_CC_NOTFOUND The collection contains no credentials - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_last_change_time.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_last_change_time.txt deleted file mode 100644 index b6868d0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_last_change_time.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_cccol_last_change_time - Return a timestamp of the last modification of any known credential cache. -========================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cccol_last_change_time(krb5_context context, krb5_timestamp * change_time) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **change_time** - Last modification timestamp - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function returns the most recent modification time of any known credential cache, ignoring any caches which cannot supply a last modification time. - - - -If there are no known credential caches, *change_time* is set to 0. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_lock.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_lock.txt deleted file mode 100644 index 7907129..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_lock.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_cccol_lock - Acquire a global lock for credential caches. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_cccol_lock(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function locks the global credential cache collection, ensuring that no ccaches are added to or removed from it until the collection lock is released. - - - -Use :c:func:`krb5_cccol_unlock()` to unlock the lock. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cccol_unlock.txt b/doc/html/_sources/appdev/refs/api/krb5_cccol_unlock.txt deleted file mode 100644 index 4c5a214..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cccol_unlock.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_cccol_unlock - Release a global lock for credential caches. -================================================================== - -.. - -.. c:function:: krb5_error_code krb5_cccol_unlock(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function unlocks the lock from :c:func:`krb5_cccol_lock()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_change_password.txt b/doc/html/_sources/appdev/refs/api/krb5_change_password.txt deleted file mode 100644 index 7c5db7f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_change_password.txt +++ /dev/null @@ -1,77 +0,0 @@ -krb5_change_password - Change a password for an existing Kerberos account. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_change_password(krb5_context context, krb5_creds * creds, const char * newpw, int * result_code, krb5_data * result_code_string, krb5_data * result_string) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **creds** - Credentials for kadmin/changepw service - - **[in]** **newpw** - New password - - **[out]** **result_code** - Numeric error code from server - - **[out]** **result_code_string** - String equivalent to *result_code* - - **[out]** **result_string** - Change password response from the KDC - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Change the password for the existing principal identified by *creds* . - - - -The possible values of the output *result_code* are: - - - - - - - :data:`KRB5_KPASSWD_SUCCESS` (0) - success - - - - :data:`KRB5_KPASSWD_MALFORMED` (1) - Malformed request error - - - - :data:`KRB5_KPASSWD_HARDERROR` (2) - Server error - - - - :data:`KRB5_KPASSWD_AUTHERROR` (3) - Authentication error - - - - :data:`KRB5_KPASSWD_SOFTERROR` (4) - Password change rejected - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_check_clockskew.txt b/doc/html/_sources/appdev/refs/api/krb5_check_clockskew.txt deleted file mode 100644 index 4999d48..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_check_clockskew.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time. -=================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_check_clockskew(krb5_context context, krb5_timestamp date) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **date** - Timestamp to check - - -.. - - -:retval: - - 0 Success - - KRB5KRB_AP_ERR_SKEW date is not within allowable clock skew - - -.. - - - - - - - -This function checks if *date* is close enough to the current time according to the configured allowable clock skew. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_checksum_size.txt b/doc/html/_sources/appdev/refs/api/krb5_checksum_size.txt deleted file mode 100644 index 5a67699..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_checksum_size.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_checksum_size -================== - -.. - -.. c:function:: size_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype) - -.. - - -:param: - - **context** - - **ctype** - - -.. - - - -.. - - -DEPRECATED See krb5_c_checksum_length() - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_chpw_message.txt b/doc/html/_sources/appdev/refs/api/krb5_chpw_message.txt deleted file mode 100644 index 372c95d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_chpw_message.txt +++ /dev/null @@ -1,62 +0,0 @@ -krb5_chpw_message - Get a result message for changing or setting a password. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_chpw_message(krb5_context context, const krb5_data * server_string, char ** message_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **server_string** - Data returned from the remote system - - **[out]** **message_out** - A message displayable to the user - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function processes the *server_string* returned in the *result_string* parameter of :c:func:`krb5_change_password()` , :c:func:`krb5_set_password()` , and related functions, and returns a displayable string. If *server_string* contains Active Directory structured policy information, it will be converted into human-readable text. - - - -Use :c:func:`krb5_free_string()` to free *message_out* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_cksumtype_to_string.txt b/doc/html/_sources/appdev/refs/api/krb5_cksumtype_to_string.txt deleted file mode 100644 index a297c8f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_cksumtype_to_string.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_cksumtype_to_string - Convert a checksum type to a string. -================================================================= - -.. - -.. c:function:: krb5_error_code krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **cksumtype** - Checksum type - - **[out]** **buffer** - Buffer to hold converted checksum type - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_clear_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_clear_error_message.txt deleted file mode 100644 index c988ca3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_clear_error_message.txt +++ /dev/null @@ -1,40 +0,0 @@ -krb5_clear_error_message - Clear the extended error message in a context. -=========================================================================== - -.. - -.. c:function:: void krb5_clear_error_message(krb5_context ctx) - -.. - - -:param: - - **[in]** **ctx** - Library context - - -.. - - - -.. - - - - - - - -This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_addresses.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_addresses.txt deleted file mode 100644 index a9c7c74..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_addresses.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_addresses - Copy an array of addresses. -=================================================== - -.. - -.. c:function:: krb5_error_code krb5_copy_addresses(krb5_context context, krb5_address *const * inaddr, krb5_address *** outaddr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **inaddr** - Array of addresses to be copied - - **[out]** **outaddr** - Copy of array of addresses - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new address array containing a copy of *inaddr* . Use :c:func:`krb5_free_addresses()` to free *outaddr* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_authdata.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_authdata.txt deleted file mode 100644 index 0ee9ba0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_authdata.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_copy_authdata - Copy an authorization data list. -======================================================= - -.. - -.. c:function:: krb5_error_code krb5_copy_authdata(krb5_context context, krb5_authdata *const * in_authdat, krb5_authdata *** out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **in_authdat** - List of *krb5_authdata* structures - - **[out]** **out** - New array of *krb5_authdata* structures - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new authorization data list containing a copy of *in_authdat* , which must be null-terminated. Use :c:func:`krb5_free_authdata()` to free *out* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The last array entry in *in_authdat* must be a NULL pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.txt deleted file mode 100644 index bc0c345..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_authenticator.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_authenticator - Copy a krb5_authenticator structure. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_copy_authenticator(krb5_context context, const krb5_authenticator * authfrom, krb5_authenticator ** authto) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **authfrom** - krb5_authenticator structure to be copied - - **[out]** **authto** - Copy of krb5_authenticator structure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new krb5_authenticator structure with the content of *authfrom* . Use :c:func:`krb5_free_authenticator()` to free *authto* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_checksum.txt deleted file mode 100644 index 1c93955..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_checksum.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_checksum - Copy a krb5_checksum structure. -====================================================== - -.. - -.. c:function:: krb5_error_code krb5_copy_checksum(krb5_context context, const krb5_checksum * ckfrom, krb5_checksum ** ckto) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ckfrom** - Checksum to be copied - - **[out]** **ckto** - Copy of krb5_checksum structure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new krb5_checksum structure with the contents of *ckfrom* . Use :c:func:`krb5_free_checksum()` to free *ckto* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_context.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_context.txt deleted file mode 100644 index 2b5d215..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_context.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_copy_context - Copy a krb5_context structure. -==================================================== - -.. - -.. c:function:: krb5_error_code krb5_copy_context(krb5_context ctx, krb5_context * nctx_out) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[out]** **nctx_out** - New context structure - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -The newly created context must be released by calling :c:func:`krb5_free_context()` when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_creds.txt deleted file mode 100644 index 862293b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_creds.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_creds - Copy a krb5_creds structure. -================================================ - -.. - -.. c:function:: krb5_error_code krb5_copy_creds(krb5_context context, const krb5_creds * incred, krb5_creds ** outcred) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **incred** - Credentials structure to be copied - - **[out]** **outcred** - Copy of *incred* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new credential with the contents of *incred* . Use :c:func:`krb5_free_creds()` to free *outcred* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_data.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_data.txt deleted file mode 100644 index 81ad0f2..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_data.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_data - Copy a krb5_data object. -=========================================== - -.. - -.. c:function:: krb5_error_code krb5_copy_data(krb5_context context, const krb5_data * indata, krb5_data ** outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **indata** - Data object to be copied - - **[out]** **outdata** - Copy of *indata* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new krb5_data object with the contents of *indata* . Use :c:func:`krb5_free_data()` to free *outdata* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_error_message.txt deleted file mode 100644 index 3904cab..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_error_message.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_copy_error_message - Copy the most recent extended error message from one context to another. -==================================================================================================== - -.. - -.. c:function:: void krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx) - -.. - - -:param: - - **[in]** **dest_ctx** - Library context to copy message to - - **[in]** **src_ctx** - Library context with current message - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.txt deleted file mode 100644 index 5bb2958..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_keyblock - Copy a keyblock. -======================================= - -.. - -.. c:function:: krb5_error_code krb5_copy_keyblock(krb5_context context, const krb5_keyblock * from, krb5_keyblock ** to) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **from** - Keyblock to be copied - - **[out]** **to** - Copy of keyblock *from* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new keyblock with the same contents as *from* . Use :c:func:`krb5_free_keyblock()` to free *to* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.txt deleted file mode 100644 index 9f85859..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_keyblock_contents.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_keyblock_contents - Copy the contents of a keyblock. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock * from, krb5_keyblock * to) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **from** - Key to be copied - - **[out]** **to** - Output key - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function copies the contents of *from* to *to* . Use :c:func:`krb5_free_keyblock_contents()` to free *to* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_principal.txt deleted file mode 100644 index 1ca9fea..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_principal.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_principal - Copy a principal. -========================================= - -.. - -.. c:function:: krb5_error_code krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal * outprinc) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **inprinc** - Principal to be copied - - **[out]** **outprinc** - Copy of *inprinc* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new principal structure with the contents of *inprinc* . Use :c:func:`krb5_free_principal()` to free *outprinc* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_copy_ticket.txt b/doc/html/_sources/appdev/refs/api/krb5_copy_ticket.txt deleted file mode 100644 index a643cc5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_copy_ticket.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_copy_ticket - Copy a krb5_ticket structure. -================================================== - -.. - -.. c:function:: krb5_error_code krb5_copy_ticket(krb5_context context, const krb5_ticket * from, krb5_ticket ** pto) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **from** - Ticket to be copied - - **[out]** **pto** - Copy of ticket - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new krb5_ticket structure containing the contents of *from* . Use :c:func:`krb5_free_ticket()` to free *pto* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_decode_authdata_container.txt b/doc/html/_sources/appdev/refs/api/krb5_decode_authdata_container.txt deleted file mode 100644 index 791b41b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_decode_authdata_container.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_decode_authdata_container - Unwrap authorization data. -============================================================= - -.. - -.. c:function:: krb5_error_code krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, const krb5_authdata * container, krb5_authdata *** authdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **type** - :data:`KRB5_AUTHDATA` type of *container* - - **[in]** **container** - Authorization data to be decoded - - **[out]** **authdata** - List of decoded authorization data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_encode_authdata_container()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_decode_ticket.txt b/doc/html/_sources/appdev/refs/api/krb5_decode_ticket.txt deleted file mode 100644 index 8f2cf82..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_decode_ticket.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_decode_ticket - Decode an ASN.1-formatted ticket. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_decode_ticket(const krb5_data * code, krb5_ticket ** rep) - -.. - - -:param: - - **[in]** **code** - ASN.1-formatted ticket - - **[out]** **rep** - Decoded ticket information - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_decrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_decrypt.txt deleted file mode 100644 index eb8123f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_decrypt.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_decrypt -============ - -.. - -.. c:function:: krb5_error_code krb5_decrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) - -.. - - -:param: - - **context** - - **inptr** - - **outptr** - - **size** - - **eblock** - - **ivec** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.txt b/doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.txt deleted file mode 100644 index 3b66ba3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_deltat_to_string.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_deltat_to_string - Convert a relative time value to a string. -==================================================================== - -.. - -.. c:function:: krb5_error_code krb5_deltat_to_string(krb5_deltat deltat, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **deltat** - Relative time value to convert - - **[out]** **buffer** - Buffer to hold time string - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.txt b/doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.txt deleted file mode 100644 index c621a6d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_eblock_enctype.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_eblock_enctype -=================== - -.. - -.. c:function:: krb5_enctype krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block * eblock) - -.. - - -:param: - - **context** - - **eblock** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.txt b/doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.txt deleted file mode 100644 index 4ca53b4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_encode_authdata_container.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_encode_authdata_container - Wrap authorization data in a container. -========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const * authdata, krb5_authdata *** container) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **type** - :data:`KRB5_AUTHDATA` type of *container* - - **[in]** **authdata** - List of authorization data to be encoded - - **[out]** **container** - List of encoded authorization data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -The result is returned in *container* as a single-element list. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_decode_authdata_container()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_encrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_encrypt.txt deleted file mode 100644 index 56e93be..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_encrypt.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_encrypt -============ - -.. - -.. c:function:: krb5_error_code krb5_encrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec) - -.. - - -:param: - - **context** - - **inptr** - - **outptr** - - **size** - - **eblock** - - **ivec** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_encrypt_size.txt b/doc/html/_sources/appdev/refs/api/krb5_encrypt_size.txt deleted file mode 100644 index f331490..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_encrypt_size.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_encrypt_size -================= - -.. - -.. c:function:: size_t krb5_encrypt_size(size_t length, krb5_enctype crypto) - -.. - - -:param: - - **length** - - **crypto** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_enctype_to_name.txt b/doc/html/_sources/appdev/refs/api/krb5_enctype_to_name.txt deleted file mode 100644 index d830697..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_enctype_to_name.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_enctype_to_name - Convert an encryption type to a name or alias. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **enctype** - Encryption type - - **[in]** **shortest** - Flag - - **[out]** **buffer** - Buffer to hold encryption type string - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -If *shortest* is FALSE, this function returns the enctype's canonical name (like"aes128-cts-hmac-sha1-96"). If *shortest* is TRUE, it return the enctype's shortest alias (like"aes128-cts"). - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.txt b/doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.txt deleted file mode 100644 index d46d83e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_enctype_to_string.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_enctype_to_string - Convert an encryption type to a string. -================================================================== - -.. - -.. c:function:: krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **enctype** - Encryption type - - **[out]** **buffer** - Buffer to hold encryption type string - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_expand_hostname.txt b/doc/html/_sources/appdev/refs/api/krb5_expand_hostname.txt deleted file mode 100644 index 60ff0b5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_expand_hostname.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_expand_hostname - Canonicalize a hostname, possibly using name service. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_expand_hostname(krb5_context context, const char * host, char ** canonhost_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **host** - Input hostname - - **[out]** **canonhost_out** - Canonicalized hostname - - -.. - - - -.. - - - - - - - -This function canonicalizes orig_hostname, possibly using name service lookups if configuration permits. Use :c:func:`krb5_free_string()` to free *canonhost_out* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.15 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_find_authdata.txt b/doc/html/_sources/appdev/refs/api/krb5_find_authdata.txt deleted file mode 100644 index 42aea2c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_find_authdata.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_find_authdata - Find authorization data elements. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_find_authdata(krb5_context context, krb5_authdata *const * ticket_authdata, krb5_authdata *const * ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata *** results) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ticket_authdata** - Authorization data list from ticket - - **[in]** **ap_req_authdata** - Authorization data list from AP request - - **[in]** **ad_type** - Authorization data type to find - - **[out]** **results** - List of matching entries - - -.. - - - -.. - - - - - - - -This function searches *ticket_authdata* and *ap_req_authdata* for elements of type *ad_type* . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use :c:func:`krb5_free_authdata()` to free *results* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_finish_key.txt b/doc/html/_sources/appdev/refs/api/krb5_finish_key.txt deleted file mode 100644 index a9f3da5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_finish_key.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_finish_key -=============== - -.. - -.. c:function:: krb5_error_code krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock) - -.. - - -:param: - - **context** - - **eblock** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_finish_random_key.txt b/doc/html/_sources/appdev/refs/api/krb5_finish_random_key.txt deleted file mode 100644 index 26c8b59..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_finish_random_key.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_finish_random_key -====================== - -.. - -.. c:function:: krb5_error_code krb5_finish_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer * ptr) - -.. - - -:param: - - **context** - - **eblock** - - **ptr** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_addresses.txt b/doc/html/_sources/appdev/refs/api/krb5_free_addresses.txt deleted file mode 100644 index 6717f52..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_addresses.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_free_addresses - Free the data stored in array of addresses. -=================================================================== - -.. - -.. c:function:: void krb5_free_addresses(krb5_context context, krb5_address ** val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Array of addresses to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the array itself. - - - - - - - - - - -.. - - - - - - -.. note:: - - The last entry in the array must be a NULL pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_ap_rep_enc_part.txt b/doc/html/_sources/appdev/refs/api/krb5_free_ap_rep_enc_part.txt deleted file mode 100644 index 33f24e8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_ap_rep_enc_part.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure. -==================================================================== - -.. - -.. c:function:: void krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - AP-REP enc part to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_authdata.txt b/doc/html/_sources/appdev/refs/api/krb5_free_authdata.txt deleted file mode 100644 index e2b3e90..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_authdata.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_free_authdata - Free the storage assigned to array of authentication data. -================================================================================= - -.. - -.. c:function:: void krb5_free_authdata(krb5_context context, krb5_authdata ** val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Array of authentication data to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the array itself. - - - - - - - - - - -.. - - - - - - -.. note:: - - The last entry in the array must be a NULL pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_authenticator.txt b/doc/html/_sources/appdev/refs/api/krb5_free_authenticator.txt deleted file mode 100644 index 505a508..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_authenticator.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_authenticator - Free a krb5_authenticator structure. -================================================================ - -.. - -.. c:function:: void krb5_free_authenticator(krb5_context context, krb5_authenticator * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Authenticator structure to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_free_checksum.txt deleted file mode 100644 index b1cd9bc..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_checksum.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_checksum - Free a krb5_checksum structure. -====================================================== - -.. - -.. c:function:: void krb5_free_checksum(krb5_context context, register krb5_checksum * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Checksum structure to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.txt deleted file mode 100644 index d265d49..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_checksum_contents.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_checksum_contents - Free the contents of a krb5_checksum structure. -=============================================================================== - -.. - -.. c:function:: void krb5_free_checksum_contents(krb5_context context, register krb5_checksum * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Checksum structure to free contents of - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* , but not the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_cksumtypes.txt b/doc/html/_sources/appdev/refs/api/krb5_free_cksumtypes.txt deleted file mode 100644 index d4d0d28..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_cksumtypes.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_cksumtypes - Free an array of checksum types. -========================================================= - -.. - -.. c:function:: void krb5_free_cksumtypes(krb5_context context, krb5_cksumtype * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Array of checksum types to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_context.txt b/doc/html/_sources/appdev/refs/api/krb5_free_context.txt deleted file mode 100644 index dc05228..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_context.txt +++ /dev/null @@ -1,40 +0,0 @@ -krb5_free_context - Free a krb5 library context. -================================================== - -.. - -.. c:function:: void krb5_free_context(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - - -.. - - - - - - - -This function frees a *context* that was created by :c:func:`krb5_init_context()` or :c:func:`krb5_init_secure_context()` . - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.txt deleted file mode 100644 index cc26788..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_cred_contents.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_cred_contents - Free the contents of a krb5_creds structure. -======================================================================== - -.. - -.. c:function:: void krb5_free_cred_contents(krb5_context context, krb5_creds * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Credential structure to free contents of - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* , but not the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_free_creds.txt deleted file mode 100644 index c78ecdf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_creds.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_creds - Free a krb5_creds structure. -================================================ - -.. - -.. c:function:: void krb5_free_creds(krb5_context context, krb5_creds * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Credential structure to be freed. - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_data.txt b/doc/html/_sources/appdev/refs/api/krb5_free_data.txt deleted file mode 100644 index 8cd23a5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_data.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_data - Free a krb5_data structure. -============================================== - -.. - -.. c:function:: void krb5_free_data(krb5_context context, krb5_data * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Data structure to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_data_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_free_data_contents.txt deleted file mode 100644 index 9feddc9..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_data_contents.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field. -=============================================================================================== - -.. - -.. c:function:: void krb5_free_data_contents(krb5_context context, krb5_data * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Data structure to free contents of - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* , but not the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_default_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_free_default_realm.txt deleted file mode 100644 index 79228bf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_default_realm.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm() . -============================================================================================== - -.. - -.. c:function:: void krb5_free_default_realm(krb5_context context, char * lrealm) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **lrealm** - Realm to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_enctypes.txt b/doc/html/_sources/appdev/refs/api/krb5_free_enctypes.txt deleted file mode 100644 index e1189cb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_enctypes.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_free_enctypes - Free an array of encryption types. -========================================================= - -.. - -.. c:function:: void krb5_free_enctypes(krb5_context context, krb5_enctype * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Array of enctypes to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.12 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_error.txt b/doc/html/_sources/appdev/refs/api/krb5_free_error.txt deleted file mode 100644 index 4339bda..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_error.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth() . -===================================================================================== - -.. - -.. c:function:: void krb5_free_error(krb5_context context, register krb5_error * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Error data structure to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_free_error_message.txt deleted file mode 100644 index b4b0061..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_error_message.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_error_message - Free an error message generated by krb5_get_error_message() . -========================================================================================= - -.. - -.. c:function:: void krb5_free_error_message(krb5_context ctx, const char * msg) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **msg** - Pointer to error message - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_host_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_free_host_realm.txt deleted file mode 100644 index a38e6ae..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_host_realm.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm() . -============================================================================= - -.. - -.. c:function:: krb5_error_code krb5_free_host_realm(krb5_context context, char *const * realmlist) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **realmlist** - List of realm names to be released - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_keyblock.txt b/doc/html/_sources/appdev/refs/api/krb5_free_keyblock.txt deleted file mode 100644 index d3b7dc6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_keyblock.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_keyblock - Free a krb5_keyblock structure. -====================================================== - -.. - -.. c:function:: void krb5_free_keyblock(krb5_context context, register krb5_keyblock * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Keyblock to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.txt deleted file mode 100644 index 5f5aa58..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_keyblock_contents.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure. -=============================================================================== - -.. - -.. c:function:: void krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock * key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Keyblock to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *key* , but not the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.txt b/doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.txt deleted file mode 100644 index adecfe2..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_keytab_entry_contents.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_free_keytab_entry_contents - Free the contents of a key table entry. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry * entry) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **entry** - Key table entry whose contents are to be freed - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - - -.. note:: - - The pointer is not freed. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_free_principal.txt deleted file mode 100644 index 218369a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_principal.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_principal - Free the storage assigned to a principal. -================================================================= - -.. - -.. c:function:: void krb5_free_principal(krb5_context context, krb5_principal val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Principal to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_string.txt b/doc/html/_sources/appdev/refs/api/krb5_free_string.txt deleted file mode 100644 index 4c7bcac..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_string.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_free_string - Free a string allocated by a krb5 function. -================================================================ - -.. - -.. c:function:: void krb5_free_string(krb5_context context, char * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - String to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.txt deleted file mode 100644 index f885fc0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_tgt_creds.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_free_tgt_creds - Free an array of credential structures. -=============================================================== - -.. - -.. c:function:: void krb5_free_tgt_creds(krb5_context context, krb5_creds ** tgts) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **tgts** - Null-terminated array of credentials to free - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - - -.. note:: - - The last entry in the array *tgts* must be a NULL pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_ticket.txt b/doc/html/_sources/appdev/refs/api/krb5_free_ticket.txt deleted file mode 100644 index f523917..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_ticket.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_ticket - Free a ticket. -=================================== - -.. - -.. c:function:: void krb5_free_ticket(krb5_context context, krb5_ticket * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Ticket to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *val* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_free_unparsed_name.txt b/doc/html/_sources/appdev/refs/api/krb5_free_unparsed_name.txt deleted file mode 100644 index b6f9e16..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_free_unparsed_name.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_free_unparsed_name - Free a string representation of a principal. -======================================================================== - -.. - -.. c:function:: void krb5_free_unparsed_name(krb5_context context, char * val) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **val** - Name string to be freed - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt deleted file mode 100644 index a6273bb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_fwd_tgt_creds.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **rhost** - Remote host - - **[in]** **client** - Client principal of TGT - - **[in]** **server** - Principal of server to receive TGT - - **[in]** **cc** - Credential cache handle (NULL to use default) - - **[in]** **forwardable** - Whether TGT should be forwardable - - **[out]** **outbuf** - KRB-CRED message - - -.. - - -:retval: - - 0 Success - - ENOMEM Insufficient memory - - KRB5_PRINC_NOMATCH Requested principal and ticket do not match - - KRB5_NO_TKT_SUPPLIED Request did not supply a ticket - - KRB5_CC_BADNAME Credential cache name or principal name malformed - - -:return: - - Kerberos error codes - -.. - - - - - - - -Get a TGT for use at the remote host *rhost* and format it into a KRB-CRED message. If *rhost* is NULL and *server* is of type :data:`KRB5_NT_SRV_HST` , the second component of *server* will be used. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_credentials.txt b/doc/html/_sources/appdev/refs/api/krb5_get_credentials.txt deleted file mode 100644 index 6cf56d0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_credentials.txt +++ /dev/null @@ -1,81 +0,0 @@ -krb5_get_credentials - Get an additional ticket. -================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **options** - Options - - **[in]** **ccache** - Credential cache handle - - **[in]** **in_creds** - Input credentials - - **[out]** **out_creds** - Output updated credentials - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Use *ccache* or a TGS exchange to get a service ticket matching *in_creds* . - - - -Valid values for *options* are: - - - :data:`KRB5_GC_CACHED` Search only credential cache for the ticket - - - - :data:`KRB5_GC_USER_USER` Return a user to user authentication ticket - - *in_creds* must be non-null. *in_creds->client* and *in_creds->server* must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in *in_creds->authdata* ; otherwise set *in_creds->authdata* to NULL. The session key type is specified in *in_creds->keyblock.enctype* , if it is nonzero. - - - -The expiration date is specified in *in_creds->times.endtime* . The KDC may return tickets with an earlier expiration date. If *in_creds->times.endtime* is set to 0, the latest possible expiration date will be requested. - - - -Any returned ticket and intermediate ticket-granting tickets are stored in *ccache* . - - - -Use :c:func:`krb5_free_creds()` to free *out_creds* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_credentials_renew.txt b/doc/html/_sources/appdev/refs/api/krb5_get_credentials_renew.txt deleted file mode 100644 index 75aac54..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_credentials_renew.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_get_credentials_renew -========================== - -.. - -.. c:function:: krb5_error_code krb5_get_credentials_renew(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) - -.. - - -:param: - - **context** - - **options** - - **ccache** - - **in_creds** - - **out_creds** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_get_renewed_creds. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_credentials_validate.txt b/doc/html/_sources/appdev/refs/api/krb5_get_credentials_validate.txt deleted file mode 100644 index 29033b9..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_credentials_validate.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_get_credentials_validate -============================= - -.. - -.. c:function:: krb5_error_code krb5_get_credentials_validate(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds) - -.. - - -:param: - - **context** - - **options** - - **ccache** - - **in_creds** - - **out_creds** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_get_validated_creds. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_default_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_get_default_realm.txt deleted file mode 100644 index 5b63648..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_default_realm.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_get_default_realm - Retrieve the default realm. -====================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_default_realm(krb5_context context, char ** lrealm) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **lrealm** - Default realm name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Retrieves the default realm to be used if no user-specified realm is available. - - - -Use :c:func:`krb5_free_default_realm()` to free *lrealm* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_get_error_message.txt deleted file mode 100644 index 81b7de3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_error_message.txt +++ /dev/null @@ -1,62 +0,0 @@ -krb5_get_error_message - Get the (possibly extended) error message for a code. -================================================================================ - -.. - -.. c:function:: const char * krb5_get_error_message(krb5_context ctx, krb5_error_code code) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **code** - Error code - - -.. - - - -.. - - - - - - - -The behavior of :c:func:`krb5_get_error_message()` is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. - - - -This function never returns NULL, so its result may be used unconditionally as a C string. - - - -The string returned by this function must be freed using :c:func:`krb5_free_error_message()` - - - - - - - - - - -.. - - - - - - -.. note:: - - Future versions may return the same string for the second and following calls. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_fallback_host_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_get_fallback_host_realm.txt deleted file mode 100644 index 6ab4330..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_fallback_host_realm.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_get_fallback_host_realm -============================ - -.. - -.. c:function:: krb5_error_code krb5_get_fallback_host_realm(krb5_context context, krb5_data * hdata, char *** realmsp) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **hdata** - Host name (or NULL) - - **[out]** **realmsp** - Null-terminated list of realm names - - -.. - - - -.. - - - - - - - -Fill in *realmsp* with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. - - - -If *host* is NULL, the local host's realms are determined. - - - -Use :c:func:`krb5_free_host_realm()` to release *realmsp* when it is no longer needed. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_host_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_get_host_realm.txt deleted file mode 100644 index 7cc8e94..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_host_realm.txt +++ /dev/null @@ -1,63 +0,0 @@ -krb5_get_host_realm - Get the Kerberos realm names for a host. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_get_host_realm(krb5_context context, const char * host, char *** realmsp) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **host** - Host name (or NULL) - - **[out]** **realmsp** - Null-terminated list of realm names - - -.. - - -:retval: - - 0 Success - - ENOMEM Insufficient memory - - -:return: - - Kerberos error codes - -.. - - - - - - - -Fill in *realmsp* with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. - - - -If *host* is NULL, the local host's realms are determined. - - - -Use :c:func:`krb5_free_host_realm()` to release *realmsp* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_keytab.txt b/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_keytab.txt deleted file mode 100644 index fd3985b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_keytab.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_get_in_tkt_with_keytab -=========================== - -.. - -.. c:function:: krb5_error_code krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, krb5_keytab arg_keytab, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) - -.. - - -:param: - - **context** - - **options** - - **addrs** - - **ktypes** - - **pre_auth_types** - - **arg_keytab** - - **ccache** - - **creds** - - **ret_as_reply** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_get_init_creds_keytab() . - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.txt b/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.txt deleted file mode 100644 index 556c6fe..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_password.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_get_in_tkt_with_password -============================= - -.. - -.. c:function:: krb5_error_code krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const char * password, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) - -.. - - -:param: - - **context** - - **options** - - **addrs** - - **ktypes** - - **pre_auth_types** - - **password** - - **ccache** - - **creds** - - **ret_as_reply** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_get_init_creds_password() . - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.txt b/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.txt deleted file mode 100644 index fed7f0b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_in_tkt_with_skey.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_get_in_tkt_with_skey -========================= - -.. - -.. c:function:: krb5_error_code krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const krb5_keyblock * key, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply) - -.. - - -:param: - - **context** - - **options** - - **addrs** - - **ktypes** - - **pre_auth_types** - - **key** - - **ccache** - - **creds** - - **ret_as_reply** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_get_init_creds(). - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_keytab.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_keytab.txt deleted file mode 100644 index 32ce5cb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_keytab.txt +++ /dev/null @@ -1,62 +0,0 @@ -krb5_get_init_creds_keytab - Get initial credentials using a key table. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_keytab(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **creds** - New credentials - - **[in]** **client** - Client principal - - **[in]** **arg_keytab** - Key table handle - - **[in]** **start_time** - Time when ticket becomes valid (0 for now) - - **[in]** **in_tkt_service** - Service name of initial credentials (or NULL) - - **[in]** **k5_gic_options** - Initial credential options - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function requests KDC for an initial credentials for *client* using a client key stored in *arg_keytab* . If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.txt deleted file mode 100644 index 45fa82d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_alloc.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure. -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt ** opt) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **opt** - New options structure - - -.. - - -:retval: - - 0 - Success; Kerberos errors otherwise. - - -.. - - - - - - - -This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use :c:func:`krb5_get_init_creds_opt_free()` to free *opt* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.txt deleted file mode 100644 index 0e75e15..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_free.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_get_init_creds_opt_free - Free initial credential options. -================================================================= - -.. - -.. c:function:: void krb5_get_init_creds_opt_free(krb5_context context, krb5_get_init_creds_opt * opt) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options structure to free - - -.. - - - -.. - - - - - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_get_init_creds_opt_alloc()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.txt deleted file mode 100644 index b38ddac..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options. -=============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_get_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags * out_flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[out]** **out_flags** - FAST flags - - -.. - - -:retval: - - 0 - Success; Kerberos errors otherwise. - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_init.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_init.txt deleted file mode 100644 index 1cbaa9a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_init.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_init -============================ - -.. - -.. c:function:: void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt * opt) - -.. - - -:param: - - **opt** - - -.. - - - -.. - - -DEPRECATED Use krb5_get_init_creds_opt_alloc() instead. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.txt deleted file mode 100644 index e460a46..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options. -==================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt * opt, krb5_address ** addresses) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **addresses** - Null-terminated array of addresses - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.txt deleted file mode 100644 index 6953b2c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options. -======================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt * opt, int anonymous) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **anonymous** - Whether to make an anonymous request - - -.. - - - -.. - - - - - - - -This function may be used to request anonymous credentials from the KDC by setting *anonymous* to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.txt deleted file mode 100644 index 099644f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options. -============================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt * opt, int canonicalize) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **canonicalize** - Whether to canonicalize client principal - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.txt deleted file mode 100644 index 633dd7d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options. -============================================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt * opt, int prompt) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **prompt** - Whether to prompt to change password - - -.. - - - -.. - - - - - - - -This flag is on by default. It controls whether :c:func:`krb5_get_init_creds_password()` will react to an expired-password error by prompting for a new password and attempting to change the old one. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.txt deleted file mode 100644 index ac6f8ab..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options. -======================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt * opt, krb5_enctype * etype_list, int etype_list_length) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **etype_list** - Array of encryption types - - **[in]** **etype_list_length** - Length of *etype_list* - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.txt deleted file mode 100644 index 2690cf1..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.txt +++ /dev/null @@ -1,78 +0,0 @@ -krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options. -========================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_expire_callback(krb5_context context, krb5_get_init_creds_opt * opt, krb5_expire_callback_func cb, void * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options structure - - **[in]** **cb** - Callback function - - **[in]** **data** - Callback argument - - -.. - - - -.. - - - - - - - -Set a callback to receive password and account expiration times. - - - -This option only applies to :c:func:`krb5_get_init_creds_password()` . *cb* will be invoked if and only if credentials are successfully acquired. The callback will receive the *context* from the :c:func:`krb5_get_init_creds_password()` call and the *data* argument supplied with this API. The remaining arguments should be interpreted as follows: - - - -If *is_last_req* is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero *password_expiration* should be taken as a suggestion from the KDC that a warning be displayed. - - - -If *is_last_req* is false, then *account_expiration* will be 0 and *password_expiration* will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning. - - - -Note that *cb* may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller's responsibility to avoid displaying a password expiry warning in this case. - - - - - - - - - - -.. - - - - - -.. warning:: - - Setting an expire callback with this API will cause :c:func:`krb5_get_init_creds_password()` not to send password expiry warnings to the prompter, as it ordinarily may. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.txt deleted file mode 100644 index 8a26b32..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options. -=============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[in]** **ccache** - Credential cache handle - - -.. - - - -.. - - - - - - - -This function is similar to :c:func:`krb5_get_init_creds_opt_set_fast_ccache_name()` , but uses a credential cache handle instead of a name. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.txt deleted file mode 100644 index da1c782..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options. -================================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt * opt, const char * fast_ccache_name) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[in]** **fast_ccache_name** - Credential cache name - - -.. - - - -.. - - - - - - - -Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. - - - -In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; :c:func:`krb5_get_init_creds_opt_set_fast_flags()` must be used to require that FAST be used. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.txt deleted file mode 100644 index 272cbac..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options. -======================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[in]** **flags** - FAST flags - - -.. - - -:retval: - - 0 - Success; Kerberos errors otherwise. - - -.. - - - - - - - -The following flag values are valid: - - - :data:`KRB5_FAST_REQUIRED` - Require FAST to be used - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.txt deleted file mode 100644 index 50d64b8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options. -============================================================================================================ - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt * opt, int forwardable) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **forwardable** - Whether credentials should be forwardable - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.txt deleted file mode 100644 index 41d5117..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options. -====================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_in_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[in]** **ccache** - Credential cache handle - - -.. - - - -.. - - - - - - - -If an input credential cache is set, then the krb5_get_init_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.txt deleted file mode 100644 index dcb1cf6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options. -======================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options - - **[in]** **ccache** - Credential cache handle - - -.. - - - -.. - - - - - - - -If an output credential cache is set, then the krb5_get_init_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5_get_init_creds APIs to write out configuration information about the realm to the ccache. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.txt deleted file mode 100644 index a610fa0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pa.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options. -====================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt * opt, const char * attr, const char * value) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options structure - - **[in]** **attr** - Preauthentication option name - - **[in]** **value** - Preauthentication option value - - -.. - - - -.. - - - - - - - -This function allows the caller to supply options for preauthentication. The values of *attr* and *value* are supplied to each preauthentication module available within *context* . - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.txt deleted file mode 100644 index ed46081..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket. -====================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_pac_request(krb5_context context, krb5_get_init_creds_opt * opt, krb5_boolean req_pac) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options structure - - **[in]** **req_pac** - Whether to request a PAC or not - - -.. - - - -.. - - - - - - - -If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.15 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.txt deleted file mode 100644 index 3bcbcb4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options. -======================================================================================================= - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt * opt, krb5_preauthtype * preauth_list, int preauth_list_length) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **preauth_list** - Array of preauthentication types - - **[in]** **preauth_list_length** - Length of *preauth_list* - - -.. - - - -.. - - - - - - - -This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with :c:func:`krb5_get_init_creds_opt_set_salt()` and :c:func:`krb5_get_init_creds_opt_set_pa()` . - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.txt deleted file mode 100644 index 7ced727..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options. -======================================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt * opt, int proxiable) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **proxiable** - Whether credentials should be proxiable - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.txt deleted file mode 100644 index 58e938d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options. -========================================================================================================= - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt * opt, krb5_deltat renew_life) - -.. - - -:param: - - **[in]** **opt** - Pointer to *options* field - - **[in]** **renew_life** - Ticket renewal lifetime - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.txt deleted file mode 100644 index 220ba40..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_responder.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options. -=================================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_opt_set_responder(krb5_context context, krb5_get_init_creds_opt * opt, krb5_responder_fn responder, void * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **opt** - Options structure - - **[in]** **responder** - Responder function - - **[in]** **data** - Responder data argument - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.txt deleted file mode 100644 index 22512f6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_salt.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options. -============================================================================================================= - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt * opt, krb5_data * salt) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **salt** - Salt data - - -.. - - - -.. - - - - - - - -When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.txt deleted file mode 100644 index a5c1f68..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options. -=============================================================================================== - -.. - -.. c:function:: void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt * opt, krb5_deltat tkt_life) - -.. - - -:param: - - **[in]** **opt** - Options structure - - **[in]** **tkt_life** - Ticket lifetime - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_password.txt b/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_password.txt deleted file mode 100644 index 1c6fd68..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_init_creds_password.txt +++ /dev/null @@ -1,75 +0,0 @@ -krb5_get_init_creds_password - Get initial credentials using a password. -========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_init_creds_password(krb5_context context, krb5_creds * creds, krb5_principal client, const char * password, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **creds** - New credentials - - **[in]** **client** - Client principal - - **[in]** **password** - Password (or NULL) - - **[in]** **prompter** - Prompter function - - **[in]** **data** - Prompter callback data - - **[in]** **start_time** - Time when ticket becomes valid (0 for now) - - **[in]** **in_tkt_service** - Service name of initial credentials (or NULL) - - **[in]** **k5_gic_options** - Initial credential options - - -.. - - -:retval: - - 0 Success - - EINVAL Invalid argument - - KRB5_KDC_UNREACH Cannot contact any KDC for requested realm - - KRB5_PREAUTH_FAILED Generic Pre-athentication failure - - KRB5_LIBOS_PWDINTR Password read interrupted - - KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm - - KRB5KDC_ERR_KEY_EXP Password has expired - - KRB5_LIBOS_BADPWDMATCH Password mismatch - - KRB5_CHPW_PWDNULL New password cannot be zero length - - KRB5_CHPW_FAIL Password change failed - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function requests KDC for an initial credentials for *client* using *password* . If *password* is NULL, a password will be prompted for using *prompter* if necessary. If *in_tkt_service* is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_permitted_enctypes.txt b/doc/html/_sources/appdev/refs/api/krb5_get_permitted_enctypes.txt deleted file mode 100644 index f55adc6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_permitted_enctypes.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys. -============================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype ** ktypes) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **ktypes** - Zero-terminated list of encryption types - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function returns the list of encryption types permitted for session keys within *context* , as determined by configuration or by a previous call to :c:func:`krb5_set_default_tgs_enctypes()` . - - - -Use :c:func:`krb5_free_enctypes()` to free *ktypes* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_profile.txt b/doc/html/_sources/appdev/refs/api/krb5_get_profile.txt deleted file mode 100644 index 4ef2949..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_profile.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_get_profile - Retrieve configuration profile from the context. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_profile(krb5_context context, struct _profile_t ** profile) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **profile** - Pointer to data read from a configuration file - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function creates a new *profile* object that reflects profile in the supplied *context* . - - - -The *profile* object may be freed with profile_release() function. See profile.h and profile API for more details. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.txt b/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.txt deleted file mode 100644 index 39156ca..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_prompt_types.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_get_prompt_types - Get prompt types array from a context. -================================================================ - -.. - -.. c:function:: krb5_prompt_type * krb5_get_prompt_types(krb5_context context) - -.. - - -:param: - - **[in]** **context** - Library context - - -.. - - - -:return: - - Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: KRB5_PROMPT_TYPE_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN KRB5_PROMPT_TYPE_PREAUTH - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.txt deleted file mode 100644 index 21458f8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_renewed_creds.txt +++ /dev/null @@ -1,62 +0,0 @@ -krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential. -======================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_renewed_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **creds** - Renewed credentials - - **[in]** **client** - Client principal name - - **[in]** **ccache** - Credential cache - - **[in]** **in_tkt_service** - Server principal string (or NULL) - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function gets a renewed credential using an existing one from *ccache* . If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. - - - -If successful, the renewed credential is placed in *creds* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_server_rcache.txt b/doc/html/_sources/appdev/refs/api/krb5_get_server_rcache.txt deleted file mode 100644 index 0e74747..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_server_rcache.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_get_server_rcache - Generate a replay cache object for server use and open it. -===================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_server_rcache(krb5_context context, const krb5_data * piece, krb5_rcache * rcptr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **piece** - Unique identifier for replay cache - - **[out]** **rcptr** - Handle to an open rcache - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function generates a replay cache name based on *piece* and opens a handle to it. Typically *piece* is the first component of the service principal name. Use krb5_rc_close() to close *rcptr* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.txt b/doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.txt deleted file mode 100644 index 9bdd8ec..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_time_offsets.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_get_time_offsets - Return the time offsets from the os context. -====================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_time_offsets(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **seconds** - Time offset, seconds portion - - **[out]** **microseconds** - Time offset, microseconds portion - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function returns the time offsets in *context* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_get_validated_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_get_validated_creds.txt deleted file mode 100644 index e1bf310..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_get_validated_creds.txt +++ /dev/null @@ -1,67 +0,0 @@ -krb5_get_validated_creds - Get validated credentials from the KDC. -==================================================================== - -.. - -.. c:function:: krb5_error_code krb5_get_validated_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **creds** - Validated credentials - - **[in]** **client** - Client principal name - - **[in]** **ccache** - Credential cache - - **[in]** **in_tkt_service** - Server principal string (or NULL) - - -.. - - -:retval: - - 0 Success - - KRB5_NO_2ND_TKT Request missing second ticket - - KRB5_NO_TKT_SUPPLIED Request did not supply a ticket - - KRB5_PRINC_NOMATCH Requested principal and ticket do not match - - KRB5_KDCREP_MODIFIED KDC reply did not match expectations - - KRB5_KDCREP_SKEW Clock skew too great in KDC reply - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function gets a validated credential using a postdated credential from *ccache* . If *in_tkt_service* is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. - - - -If successful, the validated credential is placed in *creds* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_context.txt b/doc/html/_sources/appdev/refs/api/krb5_init_context.txt deleted file mode 100644 index ec50809..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_context.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_init_context - Create a krb5 library context. -==================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_context(krb5_context * context) - -.. - - -:param: - - **[out]** **context** - Library context - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -The *context* must be released by calling :c:func:`krb5_free_context()` when it is no longer needed. - - - - - - - - - - -.. - - - - - -.. warning:: - - Any program or module that needs the Kerberos code to not trust the environment must use :c:func:`krb5_init_secure_context()` , or clean out the environment. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.txt b/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.txt deleted file mode 100644 index 2732309..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_context_profile.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_init_context_profile - Create a krb5 library context using a specified profile. -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_context_profile(struct _profile_t * profile, krb5_flags flags, krb5_context * context) - -.. - - -:param: - - **[in]** **profile** - Profile object (NULL to create default profile) - - **[in]** **flags** - Context initialization flags - - **[out]** **context** - Library context - - -.. - - - -.. - - - - - - - -Create a context structure, optionally using a specified profile and initialization flags. If *profile* is NULL, the default profile will be created from config files. If *profile* is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are: - - - - - - - :data:`KRB5_INIT_CONTEXT_SECURE` Ignore environment variables - - - - :data:`KRB5_INIT_CONTEXT_KDC` Use KDC configuration if creating profile - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt deleted file mode 100644 index 85efec0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_free.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_init_creds_free - Free an initial credentials context. -============================================================= - -.. - -.. c:function:: void krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt deleted file mode 100644 index 05c26f3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_init_creds_get - Acquire credentials using an initial credentials context. -================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function synchronously obtains credentials using a context created by :c:func:`krb5_init_creds_init()` . On successful return, the credentials can be retrieved with :c:func:`krb5_init_creds_get_creds()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.txt deleted file mode 100644 index 46ef1cf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_creds.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context. -================================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[out]** **creds** - Acquired credentials - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function copies the acquired initial credentials from *ctx* into *creds* , after the successful completion of :c:func:`krb5_init_creds_get()` or :c:func:`krb5_init_creds_step()` . Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_error.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_error.txt deleted file mode 100644 index 66aea0b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_error.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, krb5_error ** error) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[out]** **error** - Error from KDC, or NULL if none was received - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_times.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_times.txt deleted file mode 100644 index 7e9d516..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_get_times.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context. -======================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, krb5_ticket_times * times) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[out]** **times** - Ticket times for acquired credentials - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -The initial credentials context must have completed obtaining credentials via either :c:func:`krb5_init_creds_get()` or :c:func:`krb5_init_creds_step()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt deleted file mode 100644 index 6bbbeed..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_init.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_init_creds_init - Create a context for acquiring initial credentials. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_init_creds_init(krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, krb5_get_init_creds_opt * options, krb5_init_creds_context * ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **client** - Client principal to get initial creds for - - **[in]** **prompter** - Prompter callback - - **[in]** **data** - Prompter callback argument - - **[in]** **start_time** - Time when credentials become valid (0 for now) - - **[in]** **options** - Options structure (NULL for default) - - **[out]** **ctx** - New initial credentials context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a new context for acquiring initial credentials. Use :c:func:`krb5_init_creds_free()` to free *ctx* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.txt deleted file mode 100644 index 222755a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_keytab.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials. -========================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[in]** **keytab** - Key table handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function supplies a keytab containing the client key for an initial credentials request. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.txt deleted file mode 100644 index 10ad140..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_password.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_init_creds_set_password - Set a password for acquiring initial credentials. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, const char * password) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[in]** **password** - Password - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function supplies a password to be used to construct the client key for an initial credentials request. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt deleted file mode 100644 index d08ffc7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_set_service.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials. -============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, const char * service) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[in]** **service** - Service principal string - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. *service* is parsed as a principal name; any realm part is ignored. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt deleted file mode 100644 index c4e8a20..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_creds_step.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_init_creds_step - Get the next KDC request for acquiring initial credentials. -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - Initial credentials context - - **[in]** **in** - KDC response (empty on the first call) - - **[out]** **out** - Next KDC request - - **[out]** **realm** - Realm for next KDC request - - **[out]** **flags** - Output flags - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. - - - -If more requests are needed, *flags* will be set to :data:`KRB5_INIT_CREDS_STEP_FLAG_CONTINUE` and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain :data:`KRB5_INIT_CREDS_STEP_FLAG_CONTINUE` and *out* will be empty. - - - -If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_keyblock.txt b/doc/html/_sources/appdev/refs/api/krb5_init_keyblock.txt deleted file mode 100644 index b0258eb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_keyblock.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_init_keyblock - Initialize an empty krb5_keyblock . -========================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_keyblock(krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock ** out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enctype** - Encryption type - - **[in]** **length** - Length of keyblock (or 0) - - **[out]** **out** - New keyblock structure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use :c:func:`krb5_free_keyblock()` to free *out* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - If *length* is set to 0, contents are left unallocated. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_random_key.txt b/doc/html/_sources/appdev/refs/api/krb5_init_random_key.txt deleted file mode 100644 index 271d727..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_random_key.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_init_random_key -==================== - -.. - -.. c:function:: krb5_error_code krb5_init_random_key(krb5_context context, const krb5_encrypt_block * eblock, const krb5_keyblock * keyblock, krb5_pointer * ptr) - -.. - - -:param: - - **context** - - **eblock** - - **keyblock** - - **ptr** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_init_secure_context.txt b/doc/html/_sources/appdev/refs/api/krb5_init_secure_context.txt deleted file mode 100644 index 8d27396..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_init_secure_context.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_init_secure_context - Create a krb5 library context using only configuration files. -========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_init_secure_context(krb5_context * context) - -.. - - -:param: - - **[out]** **context** - Library context - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. - - - -The *context* must be released by calling :c:func:`krb5_free_context()` when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_is_config_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_is_config_principal.txt deleted file mode 100644 index 3b50605..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_is_config_principal.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_is_config_principal - Test whether a principal is a configuration principal. -=================================================================================== - -.. - -.. c:function:: krb5_boolean krb5_is_config_principal(krb5_context context, krb5_const_principal principal) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal to check - - -.. - - - -:return: - - TRUE if the principal is a configuration principal (generated part of krb5_cc_set_config() ); FALSE otherwise. - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.txt deleted file mode 100644 index 89916c3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_is_referral_realm.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM. -====================================================================== - -.. - -.. c:function:: krb5_boolean krb5_is_referral_realm(const krb5_data * r) - -.. - - -:param: - - **[in]** **r** - Realm to check - - -.. - - - -:return: - - TRUE if r is zero-length, FALSE otherwise - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_is_thread_safe.txt b/doc/html/_sources/appdev/refs/api/krb5_is_thread_safe.txt deleted file mode 100644 index 812a2c3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_is_thread_safe.txt +++ /dev/null @@ -1,43 +0,0 @@ -krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support. -============================================================================================= - -.. - -.. c:function:: krb5_boolean krb5_is_thread_safe(void None) - -.. - - -:param: - - **None** - - -.. - - -:retval: - - TRUE if the library is threadsafe; FALSE otherwise - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_create_key.txt b/doc/html/_sources/appdev/refs/api/krb5_k_create_key.txt deleted file mode 100644 index 5473382..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_create_key.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock. -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_create_key(krb5_context context, const krb5_keyblock * key_data, krb5_key * out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key_data** - Keyblock - - **[out]** **out** - Opaque key - - -.. - - -:retval: - - 0 Success; otherwise - KRB5_BAD_ENCTYPE - - -.. - - - - - - - -The reference count on a key *out* is set to 1. Use :c:func:`krb5_k_free_key()` to free *out* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_decrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_k_decrypt.txt deleted file mode 100644 index 81b5c63..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_decrypt.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_k_decrypt - Decrypt data using a key (operates on opaque key). -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **cipher_state** - Cipher state; specify NULL if not needed - - **[in]** **input** - Encrypted data - - **[out]** **output** - Decrypted data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function decrypts the data block *input* and stores the output into *output* . The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. - - - - - - - - - - -.. - - - - - - -.. note:: - - The caller must initialize *output* and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let :c:func:`krb5_c_decrypt()` trim *output->length* . For some enctypes, the resulting *output->length* may include padding bytes. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.txt deleted file mode 100644 index f6cf2f3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_decrypt_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key). -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **cipher_state** - Cipher state; specify NULL if not needed - - **[inout]** **data** - IOV array. Modified in-place. - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function decrypts the data block *data* and stores the output in-place. The actual decryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_k_encrypt_iov()` - - - - - - -.. note:: - - On return from a :c:func:`krb5_c_decrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - - This function is similar to :c:func:`krb5_c_decrypt_iov()` , but operates on opaque key *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_encrypt.txt b/doc/html/_sources/appdev/refs/api/krb5_k_encrypt.txt deleted file mode 100644 index 90f92c4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_encrypt.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_k_encrypt - Encrypt data using a key (operates on opaque key). -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **cipher_state** - Cipher state; specify NULL if not needed - - **[in]** **input** - Data to be encrypted - - **[out]** **output** - Encrypted data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function encrypts the data block *input* and stores the output into *output* . The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. - - - - - - - - - - -.. - - - - - - -.. note:: - - The caller must initialize *output* and allocate at least enough space for the result (using :c:func:`krb5_c_encrypt_length()` to determine the amount of space needed). *output->length* will be set to the actual length of the ciphertext. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.txt deleted file mode 100644 index c221529..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_encrypt_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key). -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **cipher_state** - Cipher state; specify NULL if not needed - - **[inout]** **data** - IOV array. Modified in-place. - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function encrypts the data block *data* and stores the output in-place. The actual encryption key will be derived from *key* and *usage* if key derivation is specified for the encryption type. If non-null, *cipher_state* specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_k_decrypt_iov()` - - - - - - -.. note:: - - On return from a :c:func:`krb5_c_encrypt_iov()` call, the *data->length* in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - - This function is similar to :c:func:`krb5_c_encrypt_iov()` , but operates on opaque key *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_free_key.txt b/doc/html/_sources/appdev/refs/api/krb5_k_free_key.txt deleted file mode 100644 index c1060f6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_free_key.txt +++ /dev/null @@ -1,39 +0,0 @@ -krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero. -======================================================================================= - -.. - -.. c:function:: void krb5_k_free_key(krb5_context context, krb5_key key) - -.. - - -:param: - - **context** - - **key** - - -.. - - - -.. - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.txt b/doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.txt deleted file mode 100644 index d77a541..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_key_enctype.txt +++ /dev/null @@ -1,39 +0,0 @@ -krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure. -==================================================================== - -.. - -.. c:function:: krb5_enctype krb5_k_key_enctype(krb5_context context, krb5_key key) - -.. - - -:param: - - **context** - - **key** - - -.. - - - -.. - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_key_keyblock.txt b/doc/html/_sources/appdev/refs/api/krb5_k_key_keyblock.txt deleted file mode 100644 index efd782c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_key_keyblock.txt +++ /dev/null @@ -1,41 +0,0 @@ -krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_key_keyblock(krb5_context context, krb5_key key, krb5_keyblock ** key_data) - -.. - - -:param: - - **context** - - **key** - - **key_data** - - -.. - - - -.. - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.txt deleted file mode 100644 index 2a11066..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_k_make_checksum - Compute a checksum (operates on opaque key). -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **input** - Input data - - **[out]** **cksum** - Generated checksum - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function computes a checksum of type *cksumtype* over *input* , using *key* if the checksum type is a keyed checksum. If *cksumtype* is 0 and *key* is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. The newly created *cksum* must be released by calling :c:func:`krb5_free_checksum_contents()` when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_c_verify_checksum()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_c_make_checksum()` , but operates on opaque *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.txt deleted file mode 100644 index 381f706..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_make_checksum_iov.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key) -============================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[inout]** **data** - IOV array - - **[in]** **num_data** - Size of *data* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Create a checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element over :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` chunks in *data* . Only the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` region is modified. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_k_verify_checksum_iov()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_c_make_checksum_iov()` , but operates on opaque *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_prf.txt b/doc/html/_sources/appdev/refs/api/krb5_k_prf.txt deleted file mode 100644 index f6d9527..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_prf.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key). -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_prf(krb5_context context, krb5_key key, krb5_data * input, krb5_data * output) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Key - - **[in]** **input** - Input data - - **[out]** **output** - Output data - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function selects a pseudo-random function based on *key* and computes its value over *input* , placing the result into *output* . The caller must preinitialize *output* and allocate space for the result. - - - - - - - - - - -.. - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_c_prf()` , but operates on opaque *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_reference_key.txt b/doc/html/_sources/appdev/refs/api/krb5_k_reference_key.txt deleted file mode 100644 index 06b4629..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_reference_key.txt +++ /dev/null @@ -1,39 +0,0 @@ -krb5_k_reference_key - Increment the reference count on a key. -================================================================ - -.. - -.. c:function:: void krb5_k_reference_key(krb5_context context, krb5_key key) - -.. - - -:param: - - **context** - - **key** - - -.. - - - -.. - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum.txt deleted file mode 100644 index 1a183f2..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_k_verify_checksum - Verify a checksum (operates on opaque key). -====================================================================== - -.. - -.. c:function:: krb5_error_code krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - *key* usage - - **[in]** **data** - Data to be used to compute a new checksum using *key* to compare *cksum* against - - **[in]** **cksum** - Checksum to be verified - - **[out]** **valid** - Non-zero for success, zero for failure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function verifies that *cksum* is a valid checksum for *data* . If the checksum type of *cksum* is a keyed checksum, *key* is used to verify the checksum. If the checksum type in *cksum* is 0 and *key* is not NULL, the mandatory checksum type for *key* will be used. The actual checksum key will be derived from *key* and *usage* if key derivation is specified for the checksum type. - - - - - - - - - - -.. - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_c_verify_checksum()` , but operates on opaque *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.txt b/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.txt deleted file mode 100644 index 1cfca03..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_k_verify_checksum_iov.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key). -================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **cksumtype** - Checksum type (0 for mandatory type) - - **[in]** **key** - Encryption key for a keyed checksum - - **[in]** **usage** - Key usage (see :data:`KRB5_KEYUSAGE` types) - - **[in]** **data** - IOV array - - **[in]** **num_data** - Size of *data* - - **[out]** **valid** - Non-zero for success, zero for failure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Confirm that the checksum in the :data:`KRB5_CRYPTO_TYPE_CHECKSUM` element is a valid checksum of the :data:`KRB5_CRYPTO_TYPE_DATA` and :data:`KRB5_CRYPTO_TYPE_SIGN_ONLY` regions in the iov. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_k_make_checksum_iov()` - - - - - - -.. note:: - - This function is similar to :c:func:`krb5_c_verify_checksum_iov()` , but operates on opaque *key* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_add_entry.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_add_entry.txt deleted file mode 100644 index f762d36..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_add_entry.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_kt_add_entry - Add a new entry to a key table. -===================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **id** - Key table handle - - **[in]** **entry** - Entry to be added - - -.. - - -:retval: - - 0 Success - - ENOMEM Insufficient memory - - KRB5_KT_NOWRITE Key table is not writeable - - -:return: - - Kerberos error codes - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_client_default.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_client_default.txt deleted file mode 100644 index 8f5663b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_client_default.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_kt_client_default - Resolve the default client key table. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_kt_client_default(krb5_context context, krb5_keytab * keytab_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **keytab_out** - Key table handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Fill *keytab_out* with a handle to the default client key table. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_close.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_close.txt deleted file mode 100644 index 4761ad6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_close.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_kt_close - Close a key table handle. -=========================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_close(krb5_context context, krb5_keytab keytab) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - -.. - - -:retval: - - 0 None - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_default.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_default.txt deleted file mode 100644 index 35f5a66..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_default.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_kt_default - Resolve the default key table. -================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_default(krb5_context context, krb5_keytab * id) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **id** - Key table handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Set *id* to a handle to the default key table. The key table is not opened. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_default_name.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_default_name.txt deleted file mode 100644 index 6f9e558..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_default_name.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_kt_default_name - Get the default key table name. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_default_name(krb5_context context, char * name, int name_size) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **name** - Default key table name - - **[in]** **name_size** - Space available in *name* - - -.. - - -:retval: - - 0 Success - - KRB5_CONFIG_NOTENUFSPACE Buffer is too short - - -:return: - - Kerberos error codes - -.. - - - - - - - -Fill *name* with the name of the default key table for *context* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_dup.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_dup.txt deleted file mode 100644 index 7454635..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_dup.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_kt_dup - Duplicate keytab handle. -======================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab * out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **in** - Key table handle to be duplicated - - **[out]** **out** - Key table handle - - -.. - - - -.. - - - - - - - -Create a new handle referring to the same key table as *in* . The new handle and *in* can be closed independently. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.12 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_end_seq_get.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_end_seq_get.txt deleted file mode 100644 index 9e42653..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_end_seq_get.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_kt_end_seq_get - Release a keytab cursor. -================================================ - -.. - -.. c:function:: krb5_error_code krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - **[out]** **cursor** - Cursor - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function should be called to release the cursor created by :c:func:`krb5_kt_start_seq_get()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_free_entry.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_free_entry.txt deleted file mode 100644 index 5eaa118..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_free_entry.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_kt_free_entry -================== - -.. - -.. c:function:: krb5_error_code krb5_kt_free_entry(krb5_context context, krb5_keytab_entry * entry) - -.. - - -:param: - - **context** - - **entry** - - -.. - - - -.. - - -DEPRECATED Use krb5_free_keytab_entry_contents instead. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.txt deleted file mode 100644 index cfbae19..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_get_entry.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_kt_get_entry - Get an entry from a key table. -==================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry * entry) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - **[in]** **principal** - Principal name - - **[in]** **vno** - Key version number (0 for highest available) - - **[in]** **enctype** - Encryption type (0 zero for any enctype) - - **[out]** **entry** - Returned entry from key table - - -.. - - -:retval: - - 0 Success - - Kerberos error codes on failure - - -.. - - - - - - - -Retrieve an entry from a key table which matches the *keytab* , *principal* , *vno* , and *enctype* . If *vno* is zero, retrieve the highest-numbered kvno matching the other fields. If *enctype* is 0, match any enctype. - - - -Use :c:func:`krb5_free_keytab_entry_contents()` to free *entry* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - If *vno* is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_get_name.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_get_name.txt deleted file mode 100644 index 5d36dbb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_get_name.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_kt_get_name - Get a key table name. -========================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char * name, unsigned int namelen) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - **[out]** **name** - Key table name - - **[in]** **namelen** - Maximum length to fill in name - - -.. - - -:retval: - - 0 Success - - KRB5_KT_NAME_TOOLONG Key table name does not fit in namelen bytes - - -:return: - - Kerberos error codes - -.. - - - - - - - -Fill *name* with the name of *keytab* including the type and delimiter. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_get_type.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_get_type.txt deleted file mode 100644 index c675af8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_get_type.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_kt_get_type - Return the type of a key table. -==================================================== - -.. - -.. c:function:: const char * krb5_kt_get_type(krb5_context context, krb5_keytab keytab) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - -.. - - - -:return: - - The type of a key table as an alias that must not be modified or freed by the caller. - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_have_content.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_have_content.txt deleted file mode 100644 index dffa94e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_have_content.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_kt_have_content - Check if a keytab exists and contains entries. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - -.. - - -:retval: - - 0 Keytab exists and contains entries - - KRB5_KT_NOTFOUND Keytab does not contain entries - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.txt deleted file mode 100644 index ae5a3ac..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_next_entry.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_kt_next_entry - Retrieve the next entryfrom the key table. -================================================================= - -.. - -.. c:function:: krb5_error_code krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, krb5_keytab_entry * entry, krb5_kt_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - **[out]** **entry** - Returned key table entry - - **[in]** **cursor** - Key table cursor - - -.. - - -:retval: - - 0 Success - - KRB5_KT_END - if the last entry was reached - - -:return: - - Kerberos error codes - -.. - - - - - - - -Return the next sequential entry in *keytab* and advance *cursor* . Callers must release the returned entry with :c:func:`krb5_kt_free_entry()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.txt deleted file mode 100644 index 38f00a0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_read_service_key.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_kt_read_service_key - Retrieve a service key from a key table. -===================================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock ** key) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keyprocarg** - Name of a key table (NULL to use default name) - - **[in]** **principal** - Service principal - - **[in]** **vno** - Key version number (0 for highest available) - - **[in]** **enctype** - Encryption type (0 for any type) - - **[out]** **key** - Service key from key table - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error code if not found or keyprocarg is invalid. - -.. - - - - - - - -Open and search the specified key table for the entry identified by *principal* , *enctype* , and *vno* . If no key is found, return an error code. - - - -The default key table is used, unless *keyprocarg* is non-null. *keyprocarg* designates aspecific key table. - - - -Use :c:func:`krb5_free_keyblock()` to free *key* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.txt deleted file mode 100644 index 10c1705..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_remove_entry.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_kt_remove_entry - Remove an entry from a key table. -========================================================== - -.. - -.. c:function:: krb5_error_code krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **id** - Key table handle - - **[in]** **entry** - Entry to remove from key table - - -.. - - -:retval: - - 0 Success - - KRB5_KT_NOWRITE Key table is not writable - - -:return: - - Kerberos error codes - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_resolve.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_resolve.txt deleted file mode 100644 index 49d5e25..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_resolve.txt +++ /dev/null @@ -1,66 +0,0 @@ -krb5_kt_resolve - Get a handle for a key table. -================================================= - -.. - -.. c:function:: krb5_error_code krb5_kt_resolve(krb5_context context, const char * name, krb5_keytab * ktid) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - Name of the key table - - **[out]** **ktid** - Key table handle - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Resolve the key table name *name* and set *ktid* to a handle identifying the key table. Use :c:func:`krb5_kt_close()` to free *ktid* when it is no longer needed. - - - - *name* must be of the form **type:residual** , where *type* must be a type known to the library and *residual* portion should be specific to the particular keytab type. If no *type* is given, the default is **FILE** . - - - -If *name* is of type **FILE** , the keytab file is not opened by this call. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kt_start_seq_get.txt b/doc/html/_sources/appdev/refs/api/krb5_kt_start_seq_get.txt deleted file mode 100644 index b00b263..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kt_start_seq_get.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_kt_start_seq_get - Start a sequential retrieval of key table entries. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **keytab** - Key table handle - - **[out]** **cursor** - Cursor - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Prepare to read sequentially every key in the specified key table. Use :c:func:`krb5_kt_end_seq_get()` to release the cursor when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_kuserok.txt b/doc/html/_sources/appdev/refs/api/krb5_kuserok.txt deleted file mode 100644 index 7dbd15f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_kuserok.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_kuserok - Determine if a principal is authorized to log in as a local user. -================================================================================== - -.. - -.. c:function:: krb5_boolean krb5_kuserok(krb5_context context, krb5_principal principal, const char * luser) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal name - - **[in]** **luser** - Local username - - -.. - - -:retval: - - TRUE Principal is authorized to log in as user; FALSE otherwise. - - -.. - - - - - - - -Determine whether *principal* is authorized to log in as a local user *luser* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.txt b/doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.txt deleted file mode 100644 index e671af5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_make_authdata_kdc_issued.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_make_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, krb5_const_principal issuer, krb5_authdata *const * authdata, krb5_authdata *** ad_kdcissued) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Session key - - **[in]** **issuer** - The name of the issuing principal - - **[in]** **authdata** - List of authorization data to be signed - - **[out]** **ad_kdcissued** - List containing AD-KDCIssued authdata - - -.. - - - -.. - - - - - - - -This function wraps a list of authorization data entries *authdata* in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with *key* . The result is returned in *ad_kdcissued* as a single-element list. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_merge_authdata.txt b/doc/html/_sources/appdev/refs/api/krb5_merge_authdata.txt deleted file mode 100644 index 86370ec..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_merge_authdata.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_merge_authdata - Merge two authorization data lists into a new list. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_merge_authdata(krb5_context context, krb5_authdata *const * inauthdat1, krb5_authdata *const * inauthdat2, krb5_authdata *** outauthdat) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **inauthdat1** - First list of *krb5_authdata* structures - - **[in]** **inauthdat2** - Second list of *krb5_authdata* structures - - **[out]** **outauthdat** - Merged list of *krb5_authdata* structures - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Merge two authdata arrays, such as the array from a ticket and authenticator. Use :c:func:`krb5_free_authdata()` to free *outauthdat* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The last array entry in *inauthdat1* and *inauthdat2* must be a NULL pointer. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_1cred.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_1cred.txt deleted file mode 100644 index c1ab909..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_1cred.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials. -============================================================================ - -.. - -.. c:function:: krb5_error_code krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds * pcreds, krb5_data ** ppdata, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **pcreds** - Pointer to credentials - - **[out]** **ppdata** - Encoded credentials - - **[out]** **outdata** - Replay cache data (NULL if not needed) - - -.. - - -:retval: - - 0 Success - - ENOMEM Insufficient memory - - KRB5_RC_REQUIRED Message replay detection requires rcache parameter - - -:return: - - Kerberos error codes - -.. - - - - - - - -This is a convenience function that calls :c:func:`krb5_mk_ncred()` with a single set of credentials. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_error.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_error.txt deleted file mode 100644 index e043210..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_error.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_mk_error - Format and encode a KRB_ERROR message. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_error(krb5_context context, const krb5_error * dec_err, krb5_data * enc_err) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **dec_err** - Error structure to be encoded - - **[out]** **enc_err** - Encoded error structure - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates a **KRB_ERROR** message in *enc_err* . Use :c:func:`krb5_free_data_contents()` to free *enc_err* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.txt deleted file mode 100644 index 7bf0577..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_ncred.txt +++ /dev/null @@ -1,72 +0,0 @@ -krb5_mk_ncred - Format a KRB-CRED message for an array of credentials. -======================================================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** ppcreds, krb5_data ** ppdata, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **ppcreds** - Null-terminated array of credentials - - **[out]** **ppdata** - Encoded credentials - - **[out]** **outdata** - Replay cache information (NULL if not needed) - - -.. - - -:retval: - - 0 Success - - ENOMEM Insufficient memory - - KRB5_RC_REQUIRED Message replay detection requires rcache parameter - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function takes an array of credentials *ppcreds* and formats a **KRB-CRED** message *ppdata* to pass to :c:func:`krb5_rd_cred()` . - - - -The message will be encrypted using the send subkey of *auth_context* if it is present, or the session key otherwise. - - - - - - - - - - -.. - - - - - - -.. note:: - - If the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* , *outdata* is required. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_priv.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_priv.txt deleted file mode 100644 index 2c3cefa..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_priv.txt +++ /dev/null @@ -1,82 +0,0 @@ -krb5_mk_priv - Format a KRB-PRIV message. -=========================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * outbuf, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **userdata** - User data for **KRB-PRIV** message - - **[out]** **outbuf** - Formatted **KRB-PRIV** message - - **[out]** **outdata** - Replay cache handle (NULL if not needed) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function is similar to :c:func:`krb5_mk_safe()` , but the message is encrypted and integrity-protected, not just integrity-protected. - - - -The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. - - - - - - - :data:`KRB5_AUTH_CONTEXT_DO_TIME` - Use timestamps in *outdata* - - - - :data:`KRB5_AUTH_CONTEXT_RET_TIME` - Copy timestamp to *outdata* . - - - - :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` - Use local sequence numbers from *auth_context* in replay cache. - - - - :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` - Use local sequence numbers from *auth_context* as a sequence number in the encrypted message *outbuf* . - - - - - - - - -.. - - - - - - -.. note:: - - If the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* , the *outdata* is required. - - The flags from *auth_context* specify whether sequence numbers or timestamps will be used to identify the message. Valid values are: - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_rep.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_rep.txt deleted file mode 100644 index ef712e6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_rep.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_mk_rep - Format and encrypt a KRB_AP_REP message. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **outbuf** - **AP-REP** message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function fills in *outbuf* with an AP-REP message using information from *auth_context* . - - - -If the flags in *auth_context* indicate that a sequence number should be used (either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` ) and the local sequence number in *auth_context* is 0, a new number will be generated with krb5_generate_seq_number(). - - - -Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_rep_dce.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_rep_dce.txt deleted file mode 100644 index ead597f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_rep_dce.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC. -======================================================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[out]** **outbuf** - **AP-REP** message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt deleted file mode 100644 index e3a5da4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_req.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_mk_req - Create a KRB_AP_REQ message. -============================================ - -.. - -.. c:function:: krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **ap_req_options** - :data:`AP_OPTS` options - - **[in]** **service** - Service name, or NULL to use **"host"** - - **[in]** **hostname** - Host name, or NULL to use local hostname - - **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL - - **[in]** **ccache** - Credential cache used to obtain credentials for the desired service. - - **[out]** **outbuf** - **AP-REQ** message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function is similar to :c:func:`krb5_mk_req_extended()` except that it uses a given *hostname* , *service* , and *ccache* to construct a service principal name and obtain credentials. - - - -Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.txt deleted file mode 100644 index e3ef4b9..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_req_extended.txt +++ /dev/null @@ -1,74 +0,0 @@ -krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_mk_req_extended(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_data * outbuf) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **ap_req_options** - :data:`AP_OPTS` options - - **[in]** **in_data** - Application data to be checksummed in the authenticator, or NULL - - **[in]** **in_creds** - Credentials for the service with valid ticket and key - - **[out]** **outbuf** - **AP-REQ** message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Valid *ap_req_options* are: - - - :data:`AP_OPTS_USE_SESSION_KEY` - Use the session key when creating the request used for user to user authentication. - - - - :data:`AP_OPTS_MUTUAL_REQUIRED` - Request a mutual authentication packet from the reciever. - - - - :data:`AP_OPTS_USE_SUBKEY` - Generate a subsession key from the current session key obtained from the credentials. - - This function creates a KRB_AP_REQ message using supplied credentials *in_creds* . *auth_context* may point to an existing auth context or to NULL, in which case a new one will be created. If *in_data* is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - -On successful return, the authenticator is stored in *auth_context* with the *client* and *checksum* fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.) - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_mk_req()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_mk_safe.txt b/doc/html/_sources/appdev/refs/api/krb5_mk_safe.txt deleted file mode 100644 index 3921890..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_mk_safe.txt +++ /dev/null @@ -1,83 +0,0 @@ -krb5_mk_safe - Format a KRB-SAFE message. -=========================================== - -.. - -.. c:function:: krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * outbuf, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **userdata** - User data in the message - - **[out]** **outbuf** - Formatted **KRB-SAFE** buffer - - **[out]** **outdata** - Replay data. Specify NULL if not needed - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function creates an integrity protected **KRB-SAFE** message using data supplied by the application. - - - -Fields in *auth_context* specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and :data:`KRB5_AUTH_CONTEXT` flags. - - - -The local address in *auth_context* must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. - - - -If :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in the *auth_context* , an entry describing the message is entered in the replay cache *auth_context->rcache* which enables the caller to detect if this message is reflected by an attacker. If :data:`KRB5_AUTH_CONTEXT_DO_TIME` is not set, the replay cache is not used. - - - -If either :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` is set, the *auth_context* local sequence number will be placed in *outdata* as its sequence number. - - - -Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The *outdata* argument is required if :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in the *auth_context* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_os_localaddr.txt b/doc/html/_sources/appdev/refs/api/krb5_os_localaddr.txt deleted file mode 100644 index 7af9e61..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_os_localaddr.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_os_localaddr - Return all interface addresses for this host. -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_os_localaddr(krb5_context context, krb5_address *** addr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **addr** - Array of krb5_address pointers, ending with NULL - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_addresses()` to free *addr* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.txt deleted file mode 100644 index 3f5fa7b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_add_buffer.txt +++ /dev/null @@ -1,75 +0,0 @@ -krb5_pac_add_buffer - Add a buffer to a PAC handle. -===================================================== - -.. - -.. c:function:: krb5_error_code krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC handle - - **[in]** **type** - Buffer type - - **[in]** **data** - contents - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function adds a buffer of type *type* and contents *data* to *pac* if there isn't already a buffer of this type present. - - - -The valid values of *type* is one of the following: - - - :data:`KRB5_PAC_LOGON_INFO` - Logon information - - - - :data:`KRB5_PAC_CREDENTIALS_INFO` - Credentials information - - - - :data:`KRB5_PAC_SERVER_CHECKSUM` - Server checksum - - - - :data:`KRB5_PAC_PRIVSVR_CHECKSUM` - KDC checksum - - - - :data:`KRB5_PAC_CLIENT_INFO` - Client name and ticket information - - - - :data:`KRB5_PAC_DELEGATION_INFO` - Constrained delegation information - - - - :data:`KRB5_PAC_UPN_DNS_INFO` - User principal name and DNS information - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_free.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_free.txt deleted file mode 100644 index 9b204be..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_free.txt +++ /dev/null @@ -1,42 +0,0 @@ -krb5_pac_free - Free a PAC handle. -==================================== - -.. - -.. c:function:: void krb5_pac_free(krb5_context context, krb5_pac pac) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC to be freed - - -.. - - - -.. - - - - - - - -This function frees the contents of *pac* and the structure itself. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.txt deleted file mode 100644 index ef31a5b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_get_buffer.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_pac_get_buffer - Retrieve a buffer value from a PAC. -=========================================================== - -.. - -.. c:function:: krb5_error_code krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC handle - - **[in]** **type** - Type of buffer to retrieve - - **[out]** **data** - Buffer value - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_get_types.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_get_types.txt deleted file mode 100644 index bce3b2c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_get_types.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_pac_get_types - Return an array of buffer types in a PAC handle. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t * len, krb5_ui_4 ** types) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC handle - - **[out]** **len** - Number of entries in *types* - - **[out]** **types** - Array of buffer types - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_init.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_init.txt deleted file mode 100644 index 4a0630d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_init.txt +++ /dev/null @@ -1,49 +0,0 @@ -krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle. -=============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_pac_init(krb5_context context, krb5_pac * pac) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **pac** - New PAC handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_pac_free()` to free *pac* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_parse.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_parse.txt deleted file mode 100644 index 1cae5be..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_parse.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_pac_parse - Unparse an encoded PAC into a new handle. -============================================================ - -.. - -.. c:function:: krb5_error_code krb5_pac_parse(krb5_context context, const void * ptr, size_t len, krb5_pac * pac) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ptr** - PAC buffer - - **[in]** **len** - Length of *ptr* - - **[out]** **pac** - PAC handle - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -Use :c:func:`krb5_pac_free()` to free *pac* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_sign.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_sign.txt deleted file mode 100644 index 3c6bc41..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_sign.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_pac_sign - Sign a PAC. -============================= - -.. - -.. c:function:: krb5_error_code krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_data * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC handle - - **[in]** **authtime** - Expected timestamp - - **[in]** **principal** - Expected principal name (or NULL) - - **[in]** **server_key** - Key for server checksum - - **[in]** **privsvr_key** - Key for KDC checksum - - **[out]** **data** - Signed PAC encoding - - -.. - - - -.. - - - - - - - -This function signs *pac* using the keys *server_key* and *privsvr_key* and returns the signed encoding in *data* . *pac* is modified to include the server and KDC checksum buffers. Use :c:func:`krb5_free_data_contents()` to free *data* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.10 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt b/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt deleted file mode 100644 index d9af52f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_pac_verify.txt +++ /dev/null @@ -1,69 +0,0 @@ -krb5_pac_verify - Verify a PAC. -================================= - -.. - -.. c:function:: krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pac** - PAC handle - - **[in]** **authtime** - Expected timestamp - - **[in]** **principal** - Expected principal name (or NULL) - - **[in]** **server** - Key to validate server checksum (or NULL) - - **[in]** **privsvr** - Key to validate KDC checksum (or NULL) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function validates *pac* against the supplied *server* , *privsvr* , *principal* and *authtime* . If *principal* is NULL, the principal and authtime are not verified. If *server* or *privsvr* is NULL, the corresponding checksum is not verified. - - - -If successful, *pac* is marked as verified. - - - - - - - - - - -.. - - - - - - -.. note:: - - A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_parse_name.txt b/doc/html/_sources/appdev/refs/api/krb5_parse_name.txt deleted file mode 100644 index bbd1a1a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_parse_name.txt +++ /dev/null @@ -1,74 +0,0 @@ -krb5_parse_name - Convert a string principal name to a krb5_principal structure. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_parse_name(krb5_context context, const char * name, krb5_principal * principal_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - String representation of a principal name - - **[out]** **principal_out** - New principal - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Convert a string representation of a principal name to a krb5_principal structure. - - - -A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used. - - - -To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using **n** , **t** , **b** or **0** , respectively. - - - -Use :c:func:`krb5_free_principal()` to free *principal_out* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The realm in a Kerberos *name* cannot contain slash, colon, or NULL characters. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.txt deleted file mode 100644 index 1190ec3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_parse_name_flags.txt +++ /dev/null @@ -1,77 +0,0 @@ -krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags. -========================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_parse_name_flags(krb5_context context, const char * name, int flags, krb5_principal * principal_out) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **name** - String representation of a principal name - - **[in]** **flags** - Flag - - **[out]** **principal_out** - New principal - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Similar to :c:func:`krb5_parse_name()` , this function converts a single-string representation of a principal name to a krb5_principal structure. - - - -The following flags are valid: - - - :data:`KRB5_PRINCIPAL_PARSE_NO_REALM` - no realm must be present in *name* - - - - :data:`KRB5_PRINCIPAL_PARSE_REQUIRE_REALM` - realm must be present in *name* - - - - :data:`KRB5_PRINCIPAL_PARSE_ENTERPRISE` - create single-component enterprise principal - - - - :data:`KRB5_PRINCIPAL_PARSE_IGNORE_REALM` - ignore realm if present in *name* - - If **KRB5_PRINCIPAL_PARSE_NO_REALM** or **KRB5_PRINCIPAL_PARSE_IGNORE_REALM** is specified in *flags* , the realm of the new principal will be empty. Otherwise, the default realm for *context* will be used if *name* does not specify a realm. - - - -Use :c:func:`krb5_free_principal()` to free *principal_out* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.txt deleted file mode 100644 index 6503ab1..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_prepend_error_message.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_prepend_error_message - Add a prefix to the message for an error code. -============================================================================= - -.. - -.. c:function:: void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... ) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **code** - Error code - - **[in]** **fmt** - Format string for error message prefix - - -.. - - - -.. - - - - - - - -Format a message and prepend it to the current message for *code* . The prefix will be separated from the old message with a colon and space. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_principal2salt.txt b/doc/html/_sources/appdev/refs/api/krb5_principal2salt.txt deleted file mode 100644 index c885291..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_principal2salt.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_principal2salt - Convert a principal name into the default salt for that principal. -========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data * ret) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **pr** - Principal name - - **[out]** **ret** - Default salt for *pr* to be filled in - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_principal_compare.txt b/doc/html/_sources/appdev/refs/api/krb5_principal_compare.txt deleted file mode 100644 index 269efe3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_principal_compare.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_principal_compare - Compare two principals. -================================================== - -.. - -.. c:function:: krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **princ1** - First principal - - **[in]** **princ2** - Second principal - - -.. - - -:retval: - - TRUE if the principals are the same; FALSE otherwise - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.txt deleted file mode 100644 index d2766bd..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_principal_compare_any_realm.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_principal_compare_any_realm - Compare two principals ignoring realm components. -====================================================================================== - -.. - -.. c:function:: krb5_boolean krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **princ1** - First principal - - **[in]** **princ2** - Second principal - - -.. - - -:retval: - - TRUE if the principals are the same; FALSE otherwise - - -.. - - - - - - - -Similar to :c:func:`krb5_principal_compare()` , but do not compare the realm components of the principals. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.txt deleted file mode 100644 index 3df09d3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_principal_compare_flags.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_principal_compare_flags - Compare two principals with additional flags. -============================================================================== - -.. - -.. c:function:: krb5_boolean krb5_principal_compare_flags(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2, int flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **princ1** - First principal - - **[in]** **princ2** - Second principal - - **[in]** **flags** - Flags - - -.. - - -:retval: - - TRUE if the principal names are the same; FALSE otherwise - - -.. - - - - - - - -Valid flags are: - - - :data:`KRB5_PRINCIPAL_COMPARE_IGNORE_REALM` - ignore realm component - - - - :data:`KRB5_PRINCIPAL_COMPARE_ENTERPRISE` - UPNs as real principals - - - - :data:`KRB5_PRINCIPAL_COMPARE_CASEFOLD` case-insensitive - - - - :data:`KRB5_PRINCIPAL_COMPARE_UTF8` - treat principals as UTF-8 - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_principal_compare()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_process_key.txt b/doc/html/_sources/appdev/refs/api/krb5_process_key.txt deleted file mode 100644 index 3d08b5d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_process_key.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_process_key -================ - -.. - -.. c:function:: krb5_error_code krb5_process_key(krb5_context context, krb5_encrypt_block * eblock, const krb5_keyblock * key) - -.. - - -:param: - - **context** - - **eblock** - - **key** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_prompter_posix.txt b/doc/html/_sources/appdev/refs/api/krb5_prompter_posix.txt deleted file mode 100644 index 5450996..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_prompter_posix.txt +++ /dev/null @@ -1,64 +0,0 @@ -krb5_prompter_posix - Prompt user for password. -================================================= - -.. - -.. c:function:: krb5_error_code krb5_prompter_posix(krb5_context context, void * data, const char * name, const char * banner, int num_prompts, krb5_prompt prompts) - -.. - - -:param: - - **[in]** **context** - Library context - - **data** - Unused (callback argument) - - **[in]** **name** - Name to output during prompt - - **[in]** **banner** - Banner to output during prompt - - **[in]** **num_prompts** - Number of prompts in *prompts* - - **[in]** **prompts** - Array of prompts and replies - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function is intended to be used as a prompter callback for :c:func:`krb5_get_init_creds_password()` or :c:func:`krb5_init_creds_init()` . - - - -Writes *name* and *banner* to stdout, each followed by a newline, then writes each prompt field in the *prompts* array, followed by":", and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_random_key.txt b/doc/html/_sources/appdev/refs/api/krb5_random_key.txt deleted file mode 100644 index d8e81ba..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_random_key.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_random_key -=============== - -.. - -.. c:function:: krb5_error_code krb5_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer ptr, krb5_keyblock ** keyblock) - -.. - - -:param: - - **context** - - **eblock** - - **ptr** - - **keyblock** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_cred.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_cred.txt deleted file mode 100644 index 2940564..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_cred.txt +++ /dev/null @@ -1,67 +0,0 @@ -krb5_rd_cred - Read and validate a KRB-CRED message. -====================================================== - -.. - -.. c:function:: krb5_error_code krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data * pcreddata, krb5_creds *** pppcreds, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **pcreddata** - **KRB-CRED** message - - **[out]** **pppcreds** - Null-terminated array of forwarded credentials - - **[out]** **outdata** - Replay data (NULL if not needed) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - *pcreddata* will be decrypted using the receiving subkey if it is present in *auth_context* , or the session key if the receiving subkey is not present or fails to decrypt the message. - - - -Use :c:func:`krb5_free_tgt_creds()` to free *pppcreds* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The *outdata* argument is required if :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in the *auth_context* .` - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_error.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_error.txt deleted file mode 100644 index dd34375..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_error.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_rd_error - Decode a KRB-ERROR message. -============================================= - -.. - -.. c:function:: krb5_error_code krb5_rd_error(krb5_context context, const krb5_data * enc_errbuf, krb5_error ** dec_error) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **enc_errbuf** - Encoded error message - - **[out]** **dec_error** - Decoded error message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function processes **KRB-ERROR** message *enc_errbuf* and returns an allocated structure *dec_error* containing the error message. Use :c:func:`krb5_free_error()` to free *dec_error* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_priv.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_priv.txt deleted file mode 100644 index af75e8f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_priv.txt +++ /dev/null @@ -1,76 +0,0 @@ -krb5_rd_priv - Process a KRB-PRIV message. -============================================ - -.. - -.. c:function:: krb5_error_code krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * outbuf, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication structure - - **[in]** **inbuf** - **KRB-PRIV** message to be parsed - - **[out]** **outbuf** - Data parsed from **KRB-PRIV** message - - **[out]** **outdata** - Replay data. Specify NULL if not needed - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function parses a **KRB-PRIV** message, verifies its integrity, and stores its unencrypted data into *outbuf* . - - - -If the :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used. - - - -If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context* , then two additional checks are performed: - - - The timestamp in the message must be within the permitted clock skew (which is usually five minutes). - - - - The message must not be a replayed message field in *auth_context* . - - - - - - - - -.. - - - - - - -.. note:: - - If the :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in *auth_context* , *outdata* is required. - - *auth_context* must have a remote address set. This address will be used to verify the sender address in the KRB-PRIV message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one. Both addresses must use type **ADDRTYPE_ADDRPORT** . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_rep.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_rep.txt deleted file mode 100644 index 67419a8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_rep.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_rd_rep - Parse and decrypt a KRB_AP_REP message. -======================================================= - -.. - -.. c:function:: krb5_error_code krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ap_rep_enc_part ** repl) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **inbuf** - AP-REP message - - **[out]** **repl** - Decrypted reply message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function parses, decrypts and verifies a message from *inbuf* and fills in *repl* with a pointer to allocated memory containing the fields from the encrypted response. - - - -Use :c:func:`krb5_free_ap_rep_enc_part()` to free *repl* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.txt deleted file mode 100644 index c82ef43..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_rep_dce.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ui_4 * nonce) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **inbuf** - AP-REP message - - **[out]** **nonce** - Sequence number from the decrypted reply - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function parses, decrypts and verifies a message from *inbuf* and fills in *nonce* with a decrypted reply sequence number. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_req.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_req.txt deleted file mode 100644 index 85516e3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_req.txt +++ /dev/null @@ -1,105 +0,0 @@ -krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. -======================================================= - -.. - -.. c:function:: krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **inbuf** - AP-REQ message to be parsed - - **[in]** **server** - Matching principal for server, or NULL to allow any principal in keytab - - **[in]** **keytab** - Key table, or NULL to use the default - - **[out]** **ap_req_options** - If non-null, the AP-REQ flags on output - - **[out]** **ticket** - If non-null, ticket from the AP-REQ message - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function parses, decrypts and verifies a AP-REQ message from *inbuf* and stores the authenticator in *auth_context* . - - - -If a keyblock was specified in *auth_context* using :c:func:`krb5_auth_con_setuseruserkey()` , that key is used to decrypt the ticket in AP-REQ message and *keytab* is ignored. In this case, *server* should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection. - - - -Otherwise, the decryption key is obtained from *keytab* , or from the default keytab if it is NULL. In this case, *server* may be a complete principal name, a matching principal (see :c:func:`krb5_sname_match()` ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows: - - - - - - - If *server* is a complete principal name, then its entry in *keytab* is tried. - - - - Otherwise, if *keytab* is iterable, then all entries in *keytab* which match *server* are tried. - - - - Otherwise, the server principal in the ticket must match *server* , and its entry in *keytab* is tried. - - - - - -The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. - - - -If the *remote_addr* field of *auth_context* is set, the request must come from that address. - - - -If a replay cache handle is provided in the *auth_context* , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of *auth_context* . - - - -Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times. - - - -On success the authenticator, subkey, and remote sequence number of the request are stored in *auth_context* . If the :data:`AP_OPTS_MUTUAL_REQUIRED` bit is set, the local sequence number is XORed with the remote sequence number in the request. - - - -Use :c:func:`krb5_free_ticket()` to free *ticket* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_rd_safe.txt b/doc/html/_sources/appdev/refs/api/krb5_rd_safe.txt deleted file mode 100644 index d6c096f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_rd_safe.txt +++ /dev/null @@ -1,80 +0,0 @@ -krb5_rd_safe - Process KRB-SAFE message. -========================================== - -.. - -.. c:function:: krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * outbuf, krb5_replay_data * outdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **auth_context** - Authentication context - - **[in]** **inbuf** - **KRB-SAFE** message to be parsed - - **[out]** **outbuf** - Data parsed from **KRB-SAFE** message - - **[out]** **outdata** - Replay data. Specify NULL if not needed - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function parses a **KRB-SAFE** message, verifies its integrity, and stores its data into *outbuf* . - - - -If the :data:`KRB5_AUTH_CONTEXT_DO_SEQUENCE` flag is set in *auth_context* , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of *auth_context* . Otherwise, the sequence number is not used. - - - -If the :data:`KRB5_AUTH_CONTEXT_DO_TIME` flag is set in *auth_context* , then two additional checks are performed: - - - The timestamp in the message must be within the permitted clock skew (which is usually five minutes). - - - - The message must not be a replayed message field in *auth_context* . - - Use :c:func:`krb5_free_data_contents()` to free *outbuf* when it is no longer needed. - - - - - - - - - - -.. - - - - - - -.. note:: - - The *outdata* argument is required if :data:`KRB5_AUTH_CONTEXT_RET_TIME` or :data:`KRB5_AUTH_CONTEXT_RET_SEQUENCE` flag is set in the *auth_context* . - - *auth_context* must have a remote address set. This address will be used to verify the sender address in the KRB-SAFE message. If *auth_context* has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. Both addresses must use type **ADDRTYPE_ADDRPORT** . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_read_password.txt b/doc/html/_sources/appdev/refs/api/krb5_read_password.txt deleted file mode 100644 index bc13db5..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_read_password.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_read_password - Read a password from keyboard input. -=========================================================== - -.. - -.. c:function:: krb5_error_code krb5_read_password(krb5_context context, const char * prompt, const char * prompt2, char * return_pwd, unsigned int * size_return) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **prompt** - First user prompt when reading password - - **[in]** **prompt2** - Second user prompt (NULL to prompt only once) - - **[out]** **return_pwd** - Returned password - - **[inout]** **size_return** - On input, maximum size of password; on output, size of password read - - -.. - - -:retval: - - 0 Success - - -:return: - - Error in reading or verifying the password Kerberos error codes - -.. - - - - - - - -This function reads a password from keyboard input and stores it in *return_pwd* . *size_return* should be set by the caller to the amount of storage space available in *return_pwd* ; on successful return, it will be set to the length of the password read. - - - - *prompt* is printed to the terminal, followed by":", and then a password is read from the keyboard. - - - -If *prompt2* is NULL, the password is read only once. Otherwise, *prompt2* is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned. - - - -Echoing is turned off when the password is read. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_realm_compare.txt b/doc/html/_sources/appdev/refs/api/krb5_realm_compare.txt deleted file mode 100644 index f9df1b0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_realm_compare.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_realm_compare - Compare the realms of two principals. -============================================================ - -.. - -.. c:function:: krb5_boolean krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **princ1** - First principal - - **[in]** **princ2** - Second principal - - -.. - - -:retval: - - TRUE if the realm names are the same; FALSE otherwise - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_recvauth.txt b/doc/html/_sources/appdev/refs/api/krb5_recvauth.txt deleted file mode 100644 index c9bcaa8..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_recvauth.txt +++ /dev/null @@ -1,68 +0,0 @@ -krb5_recvauth - Server function for sendauth protocol. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_recvauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **fd** - File descriptor - - **[in]** **appl_version** - Application protocol version to be matched against the client's application version - - **[in]** **server** - Server principal (NULL for any in *keytab* ) - - **[in]** **flags** - Additional specifications - - **[in]** **keytab** - Key table containing service keys - - **[out]** **ticket** - Ticket (NULL if not needed) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over *fd* . - - - -Use :c:func:`krb5_free_ticket()` to free *ticket* when it is no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_sendauth()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_recvauth_version.txt b/doc/html/_sources/appdev/refs/api/krb5_recvauth_version.txt deleted file mode 100644 index 6d3e446..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_recvauth_version.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_recvauth_version - Server function for sendauth protocol with version parameter. -======================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_recvauth_version(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket, krb5_data * version) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **fd** - File descriptor - - **[in]** **server** - Server principal (NULL for any in *keytab* ) - - **[in]** **flags** - Additional specifications - - **[in]** **keytab** - Decryption key - - **[out]** **ticket** - Ticket (NULL if not needed) - - **[out]** **version** - sendauth protocol version (NULL if not needed) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function is similar to :c:func:`krb5_recvauth()` with the additional output information place into *version* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.txt deleted file mode 100644 index ae1edc9..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_get_challenge.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context. -=========================================================================================================== - -.. - -.. c:function:: const char * krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, const char * question) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **question** - Question name - - -.. - - - -.. - - - - - - - -Return a pointer to a C string containing the challenge for *question* within *rctx* , or NULL if the question is not present in *rctx* . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of *rctx* , and should not be modified or freed by the caller. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_list_questions.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_list_questions.txt deleted file mode 100644 index d1efd01..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_list_questions.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_responder_list_questions - List the question names contained in the responder context. -============================================================================================= - -.. - -.. c:function:: const char *const * krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - -.. - - - -.. - - - - - - - -Return a pointer to a null-terminated list of question names which are present in *rctx* . The pointer is an alias, valid only as long as the lifetime of *rctx* , and should not be modified or freed by the caller. A question's challenge can be retrieved using :c:func:`krb5_responder_get_challenge()` and answered using :c:func:`krb5_responder_set_answer()` . - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_challenge_free.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_otp_challenge_free.txt deleted file mode 100644 index fb4863e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_challenge_free.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge() . -===================================================================================================== - -.. - -.. c:function:: void krb5_responder_otp_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge * chl) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **chl** - The challenge to free - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.txt deleted file mode 100644 index 4fd609e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_get_challenge.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. -========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_responder_otp_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge ** chl) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[out]** **chl** - Challenge structure - - -.. - - - -.. - - - - - - - -A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. - - - -The returned value must be passed to :c:func:`krb5_responder_otp_challenge_free()` to be freed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.txt deleted file mode 100644 index 0535a20..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_otp_set_answer.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question. -================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, size_t ti, const char * value, const char * pin) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **ti** - The index of the tokeninfo selected - - **[in]** **value** - The value to set, or NULL for none - - **[in]** **pin** - The pin to set, or NULL for none - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_challenge_free.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_challenge_free.txt deleted file mode 100644 index e7376aa..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_challenge_free.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge() . -=========================================================================================================== - -.. - -.. c:function:: void krb5_responder_pkinit_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge * chl) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **chl** - The challenge to free - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.12 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.txt deleted file mode 100644 index a145881..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_get_challenge.txt +++ /dev/null @@ -1,56 +0,0 @@ -krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. -================================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_responder_pkinit_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge ** chl_out) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[out]** **chl_out** - Challenge structure - - -.. - - - -.. - - - - - - - -A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. - - - -The returned value must be passed to :c:func:`krb5_responder_pkinit_challenge_free()` to be freed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.12 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.txt deleted file mode 100644 index dc8fa57..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_pkinit_set_answer.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. -========================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * identity, const char * pin) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **identity** - The identity for which a PIN is being supplied - - **[in]** **pin** - The provided PIN, or NULL for none - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.12 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.txt b/doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.txt deleted file mode 100644 index c5b588a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_responder_set_answer.txt +++ /dev/null @@ -1,57 +0,0 @@ -krb5_responder_set_answer - Answer a named question in the responder context. -=============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * question, const char * answer) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **rctx** - Responder context - - **[in]** **question** - Question name - - **[in]** **answer** - The string to set (MUST be printable UTF-8) - - -.. - - -:retval: - - EINVAL question is not present within rctx - - -.. - - - - - - - -This function supplies an answer to *question* within *rctx* . The appropriate form of the answer depends on the question name. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.11 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_salttype_to_string.txt b/doc/html/_sources/appdev/refs/api/krb5_salttype_to_string.txt deleted file mode 100644 index e0e44a6..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_salttype_to_string.txt +++ /dev/null @@ -1,47 +0,0 @@ -krb5_salttype_to_string - Convert a salt type to a string. -============================================================ - -.. - -.. c:function:: krb5_error_code krb5_salttype_to_string(krb5_int32 salttype, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **salttype** - Salttype to convert - - **[out]** **buffer** - Buffer to receive the converted string - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_sendauth.txt b/doc/html/_sources/appdev/refs/api/krb5_sendauth.txt deleted file mode 100644 index 29abeaf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_sendauth.txt +++ /dev/null @@ -1,98 +0,0 @@ -krb5_sendauth - Client function for sendauth protocol. -======================================================== - -.. - -.. c:function:: krb5_error_code krb5_sendauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_ccache ccache, krb5_error ** error, krb5_ap_rep_enc_part ** rep_result, krb5_creds ** out_creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[inout]** **auth_context** - Pre-existing or newly created auth context - - **[in]** **fd** - File descriptor that describes network socket - - **[in]** **appl_version** - Application protocol version to be matched with the receiver's application version - - **[in]** **client** - Client principal - - **[in]** **server** - Server principal - - **[in]** **ap_req_options** - :data:`AP_OPTS` options - - **[in]** **in_data** - Data to be sent to the server - - **[in]** **in_creds** - Input credentials, or NULL to use *ccache* - - **[in]** **ccache** - Credential cache - - **[out]** **error** - If non-null, contains KRB_ERROR message returned from server - - **[out]** **rep_result** - If non-null and *ap_req_options* is :data:`AP_OPTS_MUTUAL_REQUIRED` , contains the result of mutual authentication exchange - - **[out]** **out_creds** - If non-null, the retrieved credentials - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over *fd* . - - - -Credentials may be specified in three ways: - - - - - - - If *in_creds* is NULL, credentials are obtained with :c:func:`krb5_get_credentials()` using the principals *client* and *server* . *server* must be non-null; *client* may NULL to use the default principal of *ccache* . - - - - - If *in_creds* is non-null, but does not contain a ticket, credentials for the exchange are obtained with :c:func:`krb5_get_credentials()` using *in_creds* . In this case, the values of *client* and *server* are unused. - - - - - If *in_creds* is a complete credentials structure, it used directly. In this case, the values of *client* , *server* , and *ccache* are unused. - - If the server is using a different application protocol than that specified in *appl_version* , an error will be returned. - - - -Use :c:func:`krb5_free_creds()` to free *out_creds* , :c:func:`krb5_free_ap_rep_enc_part()` to free *rep_result* , and :c:func:`krb5_free_error()` to free *error* when they are no longer needed. - - - - - - - - - - -.. - -.. seealso:: - :c:func:`krb5_recvauth()` - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.txt b/doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.txt deleted file mode 100644 index 0ec0337..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_server_decrypt_ticket_keytab.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table. -===================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket * ticket) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **kt** - Key table - - **[in]** **ticket** - Ticket to be decrypted - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function takes a *ticket* as input and decrypts it using key data from *kt* . The result is placed into *ticket->enc_part2* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_default_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_set_default_realm.txt deleted file mode 100644 index d9ac43d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_default_realm.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_set_default_realm - Override the default realm for the specified context. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_set_default_realm(krb5_context context, const char * lrealm) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **lrealm** - Realm name for the default realm - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -If *lrealm* is NULL, clear the default realm setting. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.txt b/doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.txt deleted file mode 100644 index 870ca63..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_default_tgs_enctypes.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure. -=============================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype * etypes) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **etypes** - Encryption type(s) to set - - -.. - - -:retval: - - 0 Success - - KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function sets the default enctype list for TGS requests made using *context* to *etypes* . - - - - - - - - - - -.. - - - - - - -.. note:: - - This overrides the default list (from config file or built-in). - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_set_error_message.txt deleted file mode 100644 index 86bf9b7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_error_message.txt +++ /dev/null @@ -1,44 +0,0 @@ -krb5_set_error_message - Set an extended error message for an error code. -=========================================================================== - -.. - -.. c:function:: void krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ... ) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **code** - Error code - - **[in]** **fmt** - Error string for the error code - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_kdc_recv_hook.txt b/doc/html/_sources/appdev/refs/api/krb5_set_kdc_recv_hook.txt deleted file mode 100644 index 66a334a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_kdc_recv_hook.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_set_kdc_recv_hook - Set a KDC post-receive hook function. -================================================================ - -.. - -.. c:function:: void krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void * data) - -.. - - -:param: - - **[in]** **context** - The library context. - - **[in]** **recv_hook** - Hook function (or NULL to disable the hook) - - **[in]** **data** - Callback data to be passed to *recv_hook* - - -.. - - - -.. - - - - - - - - *recv_hook* will be called after a reply is received from a KDC during a call to a library function such as :c:func:`krb5_get_credentials()` . The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.15 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.txt b/doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.txt deleted file mode 100644 index 7bffffb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_kdc_send_hook.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_set_kdc_send_hook - Set a KDC pre-send hook function. -============================================================ - -.. - -.. c:function:: void krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, void * data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **send_hook** - Hook function (or NULL to disable the hook) - - **[in]** **data** - Callback data to be passed to *send_hook* - - -.. - - - -.. - - - - - - - - *send_hook* will be called before messages are sent to KDCs by library functions such as :c:func:`krb5_get_credentials()` . The hook function may inspect, override, or synthesize its own reply to the message. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.15 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_password.txt b/doc/html/_sources/appdev/refs/api/krb5_set_password.txt deleted file mode 100644 index 0fefb2c..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_password.txt +++ /dev/null @@ -1,74 +0,0 @@ -krb5_set_password - Set a password for a principal using specified credentials. -================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_set_password(krb5_context context, krb5_creds * creds, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **creds** - Credentials for kadmin/changepw service - - **[in]** **newpw** - New password - - **[in]** **change_password_for** - Change the password for this principal - - **[out]** **result_code** - Numeric error code from server - - **[out]** **result_code_string** - String equivalent to *result_code* - - **[out]** **result_string** - Data returned from the remote system - - -.. - - -:retval: - - 0 Success and result_code is set to KRB5_KPASSWD_SUCCESS . - - -:return: - - Kerberos error codes. - -.. - - - - - - - -This function uses the credentials *creds* to set the password *newpw* for the principal *change_password_for* . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. - - - -The error code and strings are returned in *result_code* , *result_code_string* and *result_string* . - - - - - - - - - - -.. - - - - - - -.. note:: - - If *change_password_for* is NULL, the change is performed on the current principal. If *change_password_for* is non-null, the change is performed on the principal name passed in *change_password_for* . - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_password_using_ccache.txt b/doc/html/_sources/appdev/refs/api/krb5_set_password_using_ccache.txt deleted file mode 100644 index 24bf4be..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_password_using_ccache.txt +++ /dev/null @@ -1,74 +0,0 @@ -krb5_set_password_using_ccache - Set a password for a principal using cached credentials. -=========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ccache** - Credential cache - - **[in]** **newpw** - New password - - **[in]** **change_password_for** - Change the password for this principal - - **[out]** **result_code** - Numeric error code from server - - **[out]** **result_code_string** - String equivalent to *result_code* - - **[out]** **result_string** - Data returned from the remote system - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function uses the cached credentials from *ccache* to set the password *newpw* for the principal *change_password_for* . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache. - - - -The error code and strings are returned in *result_code* , *result_code_string* and *result_string* . - - - - - - - - - - -.. - - - - - - -.. note:: - - If *change_password_for* is set to NULL, the change is performed on the default principal in *ccache* . If *change_password_for* is non null, the change is performed on the specified principal. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_principal_realm.txt b/doc/html/_sources/appdev/refs/api/krb5_set_principal_realm.txt deleted file mode 100644 index 0319b33..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_principal_realm.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_set_principal_realm - Set the realm field of a principal. -================================================================ - -.. - -.. c:function:: krb5_error_code krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char * realm) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal name - - **[in]** **realm** - Realm name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -Set the realm name part of *principal* to *realm* , overwriting the previous realm. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_real_time.txt b/doc/html/_sources/appdev/refs/api/krb5_set_real_time.txt deleted file mode 100644 index 18d7a6b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_real_time.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_set_real_time - Set time offset field in a krb5_context structure. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **seconds** - Real time, seconds portion - - **[in]** **microseconds** - Real time, microseconds portion - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function sets the time offset in *context* to the difference between the system time and the real time as determined by *seconds* and *microseconds* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.txt b/doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.txt deleted file mode 100644 index 4c31ddb..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_trace_callback.txt +++ /dev/null @@ -1,63 +0,0 @@ -krb5_set_trace_callback - Specify a callback function for trace events. -========================================================================= - -.. - -.. c:function:: krb5_error_code krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, void * cb_data) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **fn** - Callback function - - **[in]** **cb_data** - Callback data - - -.. - - - -:return: - - Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library (unless fn is NULL). - -.. - - - - - - - -Specify a callback for trace events occurring in krb5 operations performed within *context* . *fn* will be invoked with *context* as the first argument, *cb_data* as the last argument, and a pointer to a krb5_trace_info as the second argument. If the trace callback is reset via this function or *context* is destroyed, *fn* will be invoked with a NULL second argument so it can clean up *cb_data* . Supply a NULL value for *fn* to disable trace callbacks within *context* . - - - - - - - - - - -.. - - - - - - -.. note:: - - This function overrides the information passed through the *KRB5_TRACE* environment variable. - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.txt b/doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.txt deleted file mode 100644 index 6d75325..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_set_trace_filename.txt +++ /dev/null @@ -1,61 +0,0 @@ -krb5_set_trace_filename - Specify a file name for directing trace events. -=========================================================================== - -.. - -.. c:function:: krb5_error_code krb5_set_trace_filename(krb5_context context, const char * filename) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **filename** - File name - - -.. - - -:retval: - - KRB5_TRACE_NOSUPP Tracing is not supported in the library. - - -.. - - - - - - - -Open *filename* for appending (creating it, if necessary) and set up a callback to write trace events to it. - - - - - - - - - - -.. - - - - - - -.. note:: - - This function overrides the information passed through the *KRB5_TRACE* environment variable. - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_sname_match.txt b/doc/html/_sources/appdev/refs/api/krb5_sname_match.txt deleted file mode 100644 index c375000..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_sname_match.txt +++ /dev/null @@ -1,59 +0,0 @@ -krb5_sname_match - Test whether a principal matches a matching principal. -=========================================================================== - -.. - -.. c:function:: krb5_boolean krb5_sname_match(krb5_context context, krb5_const_principal matching, krb5_const_principal princ) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **matching** - Matching principal - - **[in]** **princ** - Principal to test - - -.. - - - -:return: - - TRUE if princ matches matching , FALSE otherwise. - -.. - - - - - - - -If *matching* is NULL, return TRUE. If *matching* is not a matching principal, return the value of krb5_principal_compare(context, matching, princ). - - - - - - - - - - -.. - - - - - - -.. note:: - - A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter. - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.txt b/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.txt deleted file mode 100644 index 07b4849..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_sname_to_principal.txt +++ /dev/null @@ -1,74 +0,0 @@ -krb5_sname_to_principal - Generate a full principal name from a service name. -=============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_sname_to_principal(krb5_context context, const char * hostname, const char * sname, krb5_int32 type, krb5_principal * ret_princ) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **hostname** - Host name, or NULL to use local host - - **[in]** **sname** - Service name, or NULL to use **"host"** - - **[in]** **type** - Principal type - - **[out]** **ret_princ** - Generated principal - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function converts a *hostname* and *sname* into *krb5_principal* structure *ret_princ* . The returned principal will be of the form *sname\/hostname@REALM* where REALM is determined by :c:func:`krb5_get_host_realm()` . In some cases this may be the referral (empty) realm. - - - -The *type* can be one of the following: - - - - - - - :data:`KRB5_NT_SRV_HST` canonicalizes the host name before looking up the realm and generating the principal. - - - - - :data:`KRB5_NT_UNKNOWN` accepts the hostname as given, and does not canonicalize it. - - Use krb5_free_principal to free *ret_princ* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.txt deleted file mode 100644 index 8ad07f7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_cksumtype.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_string_to_cksumtype - Convert a string to a checksum type. -================================================================= - -.. - -.. c:function:: krb5_error_code krb5_string_to_cksumtype(char * string, krb5_cksumtype * cksumtypep) - -.. - - -:param: - - **[in]** **string** - String to be converted - - **[out]** **cksumtypep** - Checksum type to be filled in - - -.. - - -:retval: - - 0 Success; otherwise - EINVAL - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_deltat.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_deltat.txt deleted file mode 100644 index 0f1b958..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_deltat.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_string_to_deltat - Convert a string to a delta time value. -================================================================= - -.. - -.. c:function:: krb5_error_code krb5_string_to_deltat(char * string, krb5_deltat * deltatp) - -.. - - -:param: - - **[in]** **string** - String to be converted - - **[out]** **deltatp** - Delta time to be filled in - - -.. - - -:retval: - - 0 Success; otherwise - KRB5_DELTAT_BADFORMAT - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_enctype.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_enctype.txt deleted file mode 100644 index 173251f..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_enctype.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_string_to_enctype - Convert a string to an encryption type. -================================================================== - -.. - -.. c:function:: krb5_error_code krb5_string_to_enctype(char * string, krb5_enctype * enctypep) - -.. - - -:param: - - **[in]** **string** - String to convert to an encryption type - - **[out]** **enctypep** - Encryption type - - -.. - - -:retval: - - 0 Success; otherwise - EINVAL - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_key.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_key.txt deleted file mode 100644 index 3f44b9d..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_key.txt +++ /dev/null @@ -1,50 +0,0 @@ -krb5_string_to_key -================== - -.. - -.. c:function:: krb5_error_code krb5_string_to_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_keyblock * keyblock, const krb5_data * data, const krb5_data * salt) - -.. - - -:param: - - **context** - - **eblock** - - **keyblock** - - **data** - - **salt** - - -.. - - - -.. - - -DEPRECATED See krb5_c_string_to_key() - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_salttype.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_salttype.txt deleted file mode 100644 index 36978f4..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_salttype.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_string_to_salttype - Convert a string to a salt type. -============================================================ - -.. - -.. c:function:: krb5_error_code krb5_string_to_salttype(char * string, krb5_int32 * salttypep) - -.. - - -:param: - - **[in]** **string** - String to convert to an encryption type - - **[out]** **salttypep** - Salt type to be filled in - - -.. - - -:retval: - - 0 Success; otherwise - EINVAL - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.txt b/doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.txt deleted file mode 100644 index 11b6d1e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_string_to_timestamp.txt +++ /dev/null @@ -1,45 +0,0 @@ -krb5_string_to_timestamp - Convert a string to a timestamp. -============================================================= - -.. - -.. c:function:: krb5_error_code krb5_string_to_timestamp(char * string, krb5_timestamp * timestampp) - -.. - - -:param: - - **[in]** **string** - String to be converted - - **[out]** **timestampp** - Pointer to timestamp - - -.. - - -:retval: - - 0 Success; otherwise - EINVAL - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_timeofday.txt b/doc/html/_sources/appdev/refs/api/krb5_timeofday.txt deleted file mode 100644 index 0c38a97..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_timeofday.txt +++ /dev/null @@ -1,52 +0,0 @@ -krb5_timeofday - Retrieve the current time with context specific time offset adjustment. -========================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_timeofday(krb5_context context, register krb5_timestamp * timeret) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **timeret** - Timestamp to fill in - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function retrieves the system time of day with the context specific time offset adjustment. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_sfstring.txt b/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_sfstring.txt deleted file mode 100644 index 3750c45..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_sfstring.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding. -============================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char * buffer, size_t buflen, char * pad) - -.. - - -:param: - - **[in]** **timestamp** - Timestamp to convert - - **[out]** **buffer** - Buffer to hold the converted timestamp - - **[in]** **buflen** - Length of buffer - - **[in]** **pad** - Optional value to pad *buffer* if converted timestamp does not fill it - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -If *pad* is not NULL, *buffer* is padded out to *buflen* - 1 characters with the value of * *pad* . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.txt b/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.txt deleted file mode 100644 index 1c4c71e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_timestamp_to_string.txt +++ /dev/null @@ -1,51 +0,0 @@ -krb5_timestamp_to_string - Convert a timestamp to a string. -============================================================= - -.. - -.. c:function:: krb5_error_code krb5_timestamp_to_string(krb5_timestamp timestamp, char * buffer, size_t buflen) - -.. - - -:param: - - **[in]** **timestamp** - Timestamp to convert - - **[out]** **buffer** - Buffer to hold converted timestamp - - **[in]** **buflen** - Storage available in *buffer* - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -The string is returned in the locale's appropriate date and time representation. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.txt deleted file mode 100644 index 623ed5b..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_free.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_tkt_creds_free - Free a TGS request context. -=================================================== - -.. - -.. c:function:: void krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - TGS request context - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.txt deleted file mode 100644 index 4ff37fd..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get.txt +++ /dev/null @@ -1,53 +0,0 @@ -krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context. -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - TGS request context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function synchronously obtains credentials using a context created by :c:func:`krb5_tkt_creds_init()` . On successful return, the credentials can be retrieved with :c:func:`krb5_tkt_creds_get_creds()` . - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.txt deleted file mode 100644 index 1f402ae..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_creds.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context. -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, krb5_creds * creds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - TGS request context - - **[out]** **creds** - Acquired credentials - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function copies the acquired initial credentials from *ctx* into *creds* , after the successful completion of :c:func:`krb5_tkt_creds_get()` or :c:func:`krb5_tkt_creds_step()` . Use :c:func:`krb5_free_cred_contents()` to free *creds* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.txt deleted file mode 100644 index 09701f0..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_get_times.txt +++ /dev/null @@ -1,55 +0,0 @@ -krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context. -============================================================================== - -.. - -.. c:function:: krb5_error_code krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_ticket_times * times) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - TGS request context - - **[out]** **times** - Ticket times for acquired credentials - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -The TGS request context must have completed obtaining credentials via either :c:func:`krb5_tkt_creds_get()` or :c:func:`krb5_tkt_creds_step()` . - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.txt deleted file mode 100644 index e61ee90..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_init.txt +++ /dev/null @@ -1,67 +0,0 @@ -krb5_tkt_creds_init - Create a context to get credentials from a KDC's Ticket Granting Service. -================================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds * creds, krb5_flags options, krb5_tkt_creds_context * ctx) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ccache** - Credential cache handle - - **[in]** **creds** - Input credentials - - **[in]** **options** - :data:`KRB5_GC` options for this request. - - **[out]** **ctx** - New TGS request context - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function prepares to obtain credentials matching *creds* , either by retrieving them from *ccache* or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal's realm. - - - -The resulting TGS acquisition context can be used asynchronously with :c:func:`krb5_tkt_creds_step()` or synchronously with :c:func:`krb5_tkt_creds_get()` . See also :c:func:`krb5_get_credentials()` for synchronous use. - - - -Use :c:func:`krb5_tkt_creds_free()` to free *ctx* when it is no longer needed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.txt b/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.txt deleted file mode 100644 index 6cab164..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_tkt_creds_step.txt +++ /dev/null @@ -1,69 +0,0 @@ -krb5_tkt_creds_step - Get the next KDC request in a TGS exchange. -=================================================================== - -.. - -.. c:function:: krb5_error_code krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **ctx** - TGS request context - - **[in]** **in** - KDC response (empty on the first call) - - **[out]** **out** - Next KDC request - - **[out]** **realm** - Realm for next KDC request - - **[out]** **flags** - Output flags - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, *in* should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. - - - -If more requests are needed, *flags* will be set to :data:`KRB5_TKT_CREDS_STEP_FLAG_CONTINUE` and the next request will be placed in *out* . If no more requests are needed, *flags* will not contain :data:`KRB5_TKT_CREDS_STEP_FLAG_CONTINUE` and *out* will be empty. - - - -If this function returns **KRB5KRB_ERR_RESPONSE_TOO_BIG** , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. - - - - - - - - - - -.. - - - - -.. note:: - - New in 1.9 - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_unparse_name.txt b/doc/html/_sources/appdev/refs/api/krb5_unparse_name.txt deleted file mode 100644 index 11a434a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_unparse_name.txt +++ /dev/null @@ -1,58 +0,0 @@ -krb5_unparse_name - Convert a krb5_principal structure to a string representation. -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char ** name) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal - - **[out]** **name** - String representation of principal name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -The resulting string representation uses the format and quoting conventions described for :c:func:`krb5_parse_name()` . - - - -Use :c:func:`krb5_free_unparsed_name()` to free *name* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.txt b/doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.txt deleted file mode 100644 index 61b13e1..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_ext.txt +++ /dev/null @@ -1,60 +0,0 @@ -krb5_unparse_name_ext - Convert krb5_principal structure to string and length. -================================================================================ - -.. - -.. c:function:: krb5_error_code krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char ** name, unsigned int * size) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal - - **[inout]** **name** - String representation of principal name - - **[inout]** **size** - Size of unparsed name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes. On failure name is set to NULL - -.. - - - - - - - -This function is similar to :c:func:`krb5_unparse_name()` , but allows the use of an existing buffer for the result. If size is not NULL, then *name* must point to either NULL or an existing buffer of at least the size pointed to by *size* . The buffer will be allocated or resized if necessary, with the new pointer stored into *name* . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into *size* . - - - -If size is NULL, this function behaves exactly as :c:func:`krb5_unparse_name()` . - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.txt b/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.txt deleted file mode 100644 index 0cf41cf..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags.txt +++ /dev/null @@ -1,70 +0,0 @@ -krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags. -==================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char ** name) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal - - **[in]** **flags** - Flags - - **[out]** **name** - String representation of principal name - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes. On failure name is set to NULL - -.. - - - - - - - -Similar to :c:func:`krb5_unparse_name()` , this function converts a krb5_principal structure to a string representation. - - - -The following flags are valid: - - - :data:`KRB5_PRINCIPAL_UNPARSE_SHORT` - omit realm if it is the local realm - - - - :data:`KRB5_PRINCIPAL_UNPARSE_NO_REALM` - omit realm - - - - :data:`KRB5_PRINCIPAL_UNPARSE_DISPLAY` - do not quote special characters - - Use :c:func:`krb5_free_unparsed_name()` to free *name* when it is no longer needed. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.txt b/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.txt deleted file mode 100644 index aa713bd..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_unparse_name_flags_ext.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags. -============================================================================================= - -.. - -.. c:function:: krb5_error_code krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, int flags, char ** name, unsigned int * size) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **principal** - Principal - - **[in]** **flags** - Flags - - **[out]** **name** - Single string format of principal name - - **[out]** **size** - Size of unparsed name buffer - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes. On failure name is set to NULL - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_us_timeofday.txt b/doc/html/_sources/appdev/refs/api/krb5_us_timeofday.txt deleted file mode 100644 index ba4ef80..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_us_timeofday.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch. -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_us_timeofday(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds) - -.. - - -:param: - - **[in]** **context** - Library context - - **[out]** **seconds** - System timeofday, seconds portion - - **[out]** **microseconds** - System timeofday, microseconds portion - - -.. - - -:retval: - - 0 Success - - -:return: - - Kerberos error codes - -.. - - - - - - - -This function retrieves the system time of day with the context specific time offset adjustment. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_use_enctype.txt b/doc/html/_sources/appdev/refs/api/krb5_use_enctype.txt deleted file mode 100644 index 10b3fa7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_use_enctype.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_use_enctype -================ - -.. - -.. c:function:: krb5_error_code krb5_use_enctype(krb5_context context, krb5_encrypt_block * eblock, krb5_enctype enctype) - -.. - - -:param: - - **context** - - **eblock** - - **enctype** - - -.. - - - -.. - - -DEPRECATED Replaced by krb5_c_* API family. - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.txt b/doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.txt deleted file mode 100644 index 3097139..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_verify_authdata_kdc_issued.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data. -====================================================================================== - -.. - -.. c:function:: krb5_error_code krb5_verify_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, const krb5_authdata * ad_kdcissued, krb5_principal * issuer, krb5_authdata *** authdata) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **key** - Session key - - **[in]** **ad_kdcissued** - AD-KDCIssued authorization data to be unwrapped - - **[out]** **issuer** - Name of issuing principal (or NULL) - - **[out]** **authdata** - Unwrapped list of authorization data - - -.. - - - -.. - - - - - - - -This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against *key* . The issuer field of the authdatum element is returned in *issuer* , and the unwrapped list of authdata is returned in *authdata* . - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_verify_checksum.txt b/doc/html/_sources/appdev/refs/api/krb5_verify_checksum.txt deleted file mode 100644 index 0ddf631..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_verify_checksum.txt +++ /dev/null @@ -1,54 +0,0 @@ -krb5_verify_checksum -==================== - -.. - -.. c:function:: krb5_error_code krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, const krb5_checksum * cksum, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length) - -.. - - -:param: - - **context** - - **ctype** - - **cksum** - - **in** - - **in_length** - - **seed** - - **seed_length** - - -.. - - - -.. - - -DEPRECATED See krb5_c_verify_checksum() - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.txt b/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.txt deleted file mode 100644 index 04185f3..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds.txt +++ /dev/null @@ -1,65 +0,0 @@ -krb5_verify_init_creds - Verify initial credentials against a keytab. -======================================================================= - -.. - -.. c:function:: krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds * creds, krb5_principal server, krb5_keytab keytab, krb5_ccache * ccache, krb5_verify_init_creds_opt * options) - -.. - - -:param: - - **[in]** **context** - Library context - - **[in]** **creds** - Initial credentials to be verified - - **[in]** **server** - Server principal (or NULL) - - **[in]** **keytab** - Key table (NULL to use default keytab) - - **[in]** **ccache** - Credential cache for fetched creds (or NULL) - - **[in]** **options** - Verification options (NULL for default options) - - -.. - - -:retval: - - 0 Success; otherwise - Kerberos error codes - - -.. - - - - - - - -This function attempts to verify that *creds* were obtained from a KDC with knowledge of a key in *keytab* , or the default keytab if *keytab* is NULL. If *server* is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique"host"service principals in the keytab are tried. - - - -If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for *server* , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see :c:func:`krb5_verify_init_creds_opt_init()` and :c:func:`krb5_verify_init_creds_opt_set_ap_req_nofail()` . - - - -If *ccache* is NULL, any additional credentials fetched during the verification process will be destroyed. If *ccache* points to NULL, a memory ccache will be created for the additional credentials and returned in *ccache* . If *ccache* points to a valid credential cache handle, the additional credentials will be stored in that cache. - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_init.txt b/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_init.txt deleted file mode 100644 index a55fd3a..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_init.txt +++ /dev/null @@ -1,40 +0,0 @@ -krb5_verify_init_creds_opt_init - Initialize a credential verification options structure. -=========================================================================================== - -.. - -.. c:function:: void krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt * k5_vic_options) - -.. - - -:param: - - **[in]** **k5_vic_options** - Verification options structure - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.txt b/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.txt deleted file mode 100644 index fc6ac02..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required. -================================================================================================= - -.. - -.. c:function:: void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, int ap_req_nofail) - -.. - - -:param: - - **[in]** **k5_vic_options** - Verification options structure - - **[in]** **ap_req_nofail** - Whether to require successful verification - - -.. - - - -.. - - - - - - - -This function determines how :c:func:`krb5_verify_init_creds()` behaves if no keytab information is available. If *ap_req_nofail* is **FALSE** , verification will be skipped in this case and :c:func:`krb5_verify_init_creds()` will return successfully. If *ap_req_nofail* is **TRUE** , :c:func:`krb5_verify_init_creds()` will not return successfully unless verification can be performed. - - - -If this function is not used, the behavior of :c:func:`krb5_verify_init_creds()` is determined through configuration. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.txt deleted file mode 100644 index 7c49359..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_vprepend_error_message.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list. -============================================================================================== - -.. - -.. c:function:: void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **code** - Error code - - **[in]** **fmt** - Format string for error message prefix - - **[in]** **args** - List of vprintf(3) style arguments - - -.. - - - -.. - - - - - - - -This function is similar to :c:func:`krb5_prepend_error_message()` , but uses a va_list instead of variadic arguments. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_vset_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_vset_error_message.txt deleted file mode 100644 index fcb4b69..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_vset_error_message.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_vset_error_message - Set an extended error message for an error code using a va_list. -============================================================================================ - -.. - -.. c:function:: void krb5_vset_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **code** - Error code - - **[in]** **fmt** - Error string for the error code - - **[in]** **args** - List of vprintf(3) style arguments - - -.. - - - -.. - - - - - - - - - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.txt deleted file mode 100644 index 1e2a27e..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_vwrap_error_message.txt +++ /dev/null @@ -1,48 +0,0 @@ -krb5_vwrap_error_message - Add a prefix to a different error code's message using a va_list. -============================================================================================== - -.. - -.. c:function:: void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, va_list args) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **old_code** - Previous error code - - **[in]** **code** - Error code - - **[in]** **fmt** - Format string for error message prefix - - **[in]** **args** - List of vprintf(3) style arguments - - -.. - - - -.. - - - - - - - -This function is similar to :c:func:`krb5_wrap_error_message()` , but uses a va_list instead of variadic arguments. - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.txt b/doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.txt deleted file mode 100644 index b599ae7..0000000 --- a/doc/html/_sources/appdev/refs/api/krb5_wrap_error_message.txt +++ /dev/null @@ -1,46 +0,0 @@ -krb5_wrap_error_message - Add a prefix to a different error code's message. -============================================================================= - -.. - -.. c:function:: void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, ... ) - -.. - - -:param: - - **[in]** **ctx** - Library context - - **[in]** **old_code** - Previous error code - - **[in]** **code** - Error code - - **[in]** **fmt** - Format string for error message prefix - - -.. - - - -.. - - - - - - - -Format a message and prepend it to the message for *old_code* . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for *code* . - - - - - - -.. - - - - - diff --git a/doc/html/_sources/appdev/refs/index.txt b/doc/html/_sources/appdev/refs/index.txt deleted file mode 100644 index 37a895f..0000000 --- a/doc/html/_sources/appdev/refs/index.txt +++ /dev/null @@ -1,9 +0,0 @@ -Complete reference - API and datatypes -====================================== - -.. toctree:: - :maxdepth: 1 - - api/index.rst - types/index.rst - macros/index.rst diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ADDRPORT.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ADDRPORT.txt deleted file mode 100644 index f2e3248..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ADDRPORT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-ADDRPORT-data: - -ADDRTYPE_ADDRPORT -================= - -.. -.. data:: ADDRTYPE_ADDRPORT -.. - - - - -======================== ====================== -``ADDRTYPE_ADDRPORT`` ``0x0100`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.txt deleted file mode 100644 index cbc6dae..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_CHAOS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-CHAOS-data: - -ADDRTYPE_CHAOS -============== - -.. -.. data:: ADDRTYPE_CHAOS -.. - - - - -===================== ====================== -``ADDRTYPE_CHAOS`` ``0x0005`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.txt deleted file mode 100644 index a62d91f..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_DDP.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-DDP-data: - -ADDRTYPE_DDP -============ - -.. -.. data:: ADDRTYPE_DDP -.. - - - - -=================== ====================== -``ADDRTYPE_DDP`` ``0x0010`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.txt deleted file mode 100644 index 10ed68a..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-INET-data: - -ADDRTYPE_INET -============= - -.. -.. data:: ADDRTYPE_INET -.. - - - - -==================== ====================== -``ADDRTYPE_INET`` ``0x0002`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.txt deleted file mode 100644 index c41a466..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_INET6.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-INET6-data: - -ADDRTYPE_INET6 -============== - -.. -.. data:: ADDRTYPE_INET6 -.. - - - - -===================== ====================== -``ADDRTYPE_INET6`` ``0x0018`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.txt deleted file mode 100644 index 0cd4a20..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IPPORT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-IPPORT-data: - -ADDRTYPE_IPPORT -=============== - -.. -.. data:: ADDRTYPE_IPPORT -.. - - - - -====================== ====================== -``ADDRTYPE_IPPORT`` ``0x0101`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.txt deleted file mode 100644 index 0b35244..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_ISO.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-ISO-data: - -ADDRTYPE_ISO -============ - -.. -.. data:: ADDRTYPE_ISO -.. - - - - -=================== ====================== -``ADDRTYPE_ISO`` ``0x0007`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IS_LOCAL.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IS_LOCAL.txt deleted file mode 100644 index de1bdc4..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_IS_LOCAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-IS-LOCAL-data: - -ADDRTYPE_IS_LOCAL -================= - -.. -.. data:: ADDRTYPE_IS_LOCAL -.. - - - - -================================== ====================== -``ADDRTYPE_IS_LOCAL (addrtype)`` ``(addrtype & 0x8000)`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.txt deleted file mode 100644 index b8e4762..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_NETBIOS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-NETBIOS-data: - -ADDRTYPE_NETBIOS -================ - -.. -.. data:: ADDRTYPE_NETBIOS -.. - - - - -======================= ====================== -``ADDRTYPE_NETBIOS`` ``0x0014`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.txt b/doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.txt deleted file mode 100644 index 8b86172..0000000 --- a/doc/html/_sources/appdev/refs/macros/ADDRTYPE_XNS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ADDRTYPE-XNS-data: - -ADDRTYPE_XNS -============ - -.. -.. data:: ADDRTYPE_XNS -.. - - - - -=================== ====================== -``ADDRTYPE_XNS`` ``0x0006`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.txt b/doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.txt deleted file mode 100644 index 69d9f08..0000000 --- a/doc/html/_sources/appdev/refs/macros/AD_TYPE_EXTERNAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AD-TYPE-EXTERNAL-data: - -AD_TYPE_EXTERNAL -================ - -.. -.. data:: AD_TYPE_EXTERNAL -.. - - - - -======================= ====================== -``AD_TYPE_EXTERNAL`` ``0x4000`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.txt b/doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.txt deleted file mode 100644 index a1fb268..0000000 --- a/doc/html/_sources/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AD-TYPE-FIELD-TYPE-MASK-data: - -AD_TYPE_FIELD_TYPE_MASK -======================= - -.. -.. data:: AD_TYPE_FIELD_TYPE_MASK -.. - - - - -============================== ====================== -``AD_TYPE_FIELD_TYPE_MASK`` ``0x1fff`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.txt b/doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.txt deleted file mode 100644 index 465c318..0000000 --- a/doc/html/_sources/appdev/refs/macros/AD_TYPE_REGISTERED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AD-TYPE-REGISTERED-data: - -AD_TYPE_REGISTERED -================== - -.. -.. data:: AD_TYPE_REGISTERED -.. - - - - -========================= ====================== -``AD_TYPE_REGISTERED`` ``0x2000`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AD_TYPE_RESERVED.txt b/doc/html/_sources/appdev/refs/macros/AD_TYPE_RESERVED.txt deleted file mode 100644 index ea1e699..0000000 --- a/doc/html/_sources/appdev/refs/macros/AD_TYPE_RESERVED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AD-TYPE-RESERVED-data: - -AD_TYPE_RESERVED -================ - -.. -.. data:: AD_TYPE_RESERVED -.. - - - - -======================= ====================== -``AD_TYPE_RESERVED`` ``0x8000`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.txt deleted file mode 100644 index 5258fc9..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-ETYPE-NEGOTIATION-data: - -AP_OPTS_ETYPE_NEGOTIATION -========================= - -.. -.. data:: AP_OPTS_ETYPE_NEGOTIATION -.. - - - - -================================ ====================== -``AP_OPTS_ETYPE_NEGOTIATION`` ``0x00000002`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.txt deleted file mode 100644 index fc51787..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-MUTUAL-REQUIRED-data: - -AP_OPTS_MUTUAL_REQUIRED -======================= - -.. -.. data:: AP_OPTS_MUTUAL_REQUIRED -.. - -Perform a mutual authentication exchange. - - - -============================== ====================== -``AP_OPTS_MUTUAL_REQUIRED`` ``0x20000000`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.txt deleted file mode 100644 index 101a5a8..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_RESERVED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-RESERVED-data: - -AP_OPTS_RESERVED -================ - -.. -.. data:: AP_OPTS_RESERVED -.. - - - - -======================= ====================== -``AP_OPTS_RESERVED`` ``0x80000000`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.txt deleted file mode 100644 index 76340ce..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-USE-SESSION-KEY-data: - -AP_OPTS_USE_SESSION_KEY -======================= - -.. -.. data:: AP_OPTS_USE_SESSION_KEY -.. - -Use session key. - - - -============================== ====================== -``AP_OPTS_USE_SESSION_KEY`` ``0x40000000`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SUBKEY.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SUBKEY.txt deleted file mode 100644 index 1e7e757..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_USE_SUBKEY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-USE-SUBKEY-data: - -AP_OPTS_USE_SUBKEY -================== - -.. -.. data:: AP_OPTS_USE_SUBKEY -.. - -Generate a subsession key from the current session key obtained from the credentials. - - - -========================= ====================== -``AP_OPTS_USE_SUBKEY`` ``0x00000001`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.txt b/doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.txt deleted file mode 100644 index c801afd..0000000 --- a/doc/html/_sources/appdev/refs/macros/AP_OPTS_WIRE_MASK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _AP-OPTS-WIRE-MASK-data: - -AP_OPTS_WIRE_MASK -================= - -.. -.. data:: AP_OPTS_WIRE_MASK -.. - - - - -======================== ====================== -``AP_OPTS_WIRE_MASK`` ``0xfffffff0`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.txt deleted file mode 100644 index 302962c..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-CMAC-CAMELLIA128-data: - -CKSUMTYPE_CMAC_CAMELLIA128 -========================== - -.. -.. data:: CKSUMTYPE_CMAC_CAMELLIA128 -.. - -RFC 6803. - - - -================================= ====================== -``CKSUMTYPE_CMAC_CAMELLIA128`` ``0x0011`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.txt deleted file mode 100644 index 979f06a..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-CMAC-CAMELLIA256-data: - -CKSUMTYPE_CMAC_CAMELLIA256 -========================== - -.. -.. data:: CKSUMTYPE_CMAC_CAMELLIA256 -.. - -RFC 6803. - - - -================================= ====================== -``CKSUMTYPE_CMAC_CAMELLIA256`` ``0x0012`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.txt deleted file mode 100644 index cf5c90c..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_CRC32.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-CRC32-data: - -CKSUMTYPE_CRC32 -=============== - -.. -.. data:: CKSUMTYPE_CRC32 -.. - - - - -====================== ====================== -``CKSUMTYPE_CRC32`` ``0x0001`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.txt deleted file mode 100644 index 2d42028..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_DESCBC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-DESCBC-data: - -CKSUMTYPE_DESCBC -================ - -.. -.. data:: CKSUMTYPE_DESCBC -.. - - - - -======================= ====================== -``CKSUMTYPE_DESCBC`` ``0x0004`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.txt deleted file mode 100644 index 89bf818..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-MD5-ARCFOUR-data: - -CKSUMTYPE_HMAC_MD5_ARCFOUR -========================== - -.. -.. data:: CKSUMTYPE_HMAC_MD5_ARCFOUR -.. - -RFC 4757. - - - -================================= ====================== -``CKSUMTYPE_HMAC_MD5_ARCFOUR`` ``-138`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.txt deleted file mode 100644 index 57ad067..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-SHA1-96-AES128-data: - -CKSUMTYPE_HMAC_SHA1_96_AES128 -============================= - -.. -.. data:: CKSUMTYPE_HMAC_SHA1_96_AES128 -.. - -RFC 3962. - -Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96 - -==================================== ====================== -``CKSUMTYPE_HMAC_SHA1_96_AES128`` ``0x000f`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.txt deleted file mode 100644 index f48d8f7..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-SHA1-96-AES256-data: - -CKSUMTYPE_HMAC_SHA1_96_AES256 -============================= - -.. -.. data:: CKSUMTYPE_HMAC_SHA1_96_AES256 -.. - -RFC 3962. - -Used with ENCTYPE_AES256_CTS_HMAC_SHA1_96 - -==================================== ====================== -``CKSUMTYPE_HMAC_SHA1_96_AES256`` ``0x0010`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.txt deleted file mode 100644 index 1063b67..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-SHA1-DES3-data: - -CKSUMTYPE_HMAC_SHA1_DES3 -======================== - -.. -.. data:: CKSUMTYPE_HMAC_SHA1_DES3 -.. - - - - -=============================== ====================== -``CKSUMTYPE_HMAC_SHA1_DES3`` ``0x000c`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.txt deleted file mode 100644 index 028e23d..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-SHA256-128-AES128-data: - -CKSUMTYPE_HMAC_SHA256_128_AES128 -================================ - -.. -.. data:: CKSUMTYPE_HMAC_SHA256_128_AES128 -.. - -RFC 8009. - - - -======================================= ====================== -``CKSUMTYPE_HMAC_SHA256_128_AES128`` ``0x0013`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.txt deleted file mode 100644 index 06307c7..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-HMAC-SHA384-192-AES256-data: - -CKSUMTYPE_HMAC_SHA384_192_AES256 -================================ - -.. -.. data:: CKSUMTYPE_HMAC_SHA384_192_AES256 -.. - -RFC 8009. - - - -======================================= ====================== -``CKSUMTYPE_HMAC_SHA384_192_AES256`` ``0x0014`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.txt deleted file mode 100644 index 1059086..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-MD5-HMAC-ARCFOUR-data: - -CKSUMTYPE_MD5_HMAC_ARCFOUR -========================== - -.. -.. data:: CKSUMTYPE_MD5_HMAC_ARCFOUR -.. - - - - -================================= ====================== -``CKSUMTYPE_MD5_HMAC_ARCFOUR`` ``-137 /* Microsoft netlogon */`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.txt deleted file mode 100644 index 5e21944..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_NIST_SHA.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-NIST-SHA-data: - -CKSUMTYPE_NIST_SHA -================== - -.. -.. data:: CKSUMTYPE_NIST_SHA -.. - - - - -========================= ====================== -``CKSUMTYPE_NIST_SHA`` ``0x0009`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4.txt deleted file mode 100644 index 7f5e2df..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-RSA-MD4-data: - -CKSUMTYPE_RSA_MD4 -================= - -.. -.. data:: CKSUMTYPE_RSA_MD4 -.. - - - - -======================== ====================== -``CKSUMTYPE_RSA_MD4`` ``0x0002`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.txt deleted file mode 100644 index 580624e..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-RSA-MD4-DES-data: - -CKSUMTYPE_RSA_MD4_DES -===================== - -.. -.. data:: CKSUMTYPE_RSA_MD4_DES -.. - - - - -============================ ====================== -``CKSUMTYPE_RSA_MD4_DES`` ``0x0003`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.txt deleted file mode 100644 index e1aadeb..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-RSA-MD5-data: - -CKSUMTYPE_RSA_MD5 -================= - -.. -.. data:: CKSUMTYPE_RSA_MD5 -.. - - - - -======================== ====================== -``CKSUMTYPE_RSA_MD5`` ``0x0007`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.txt b/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.txt deleted file mode 100644 index 251a1fc..0000000 --- a/doc/html/_sources/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _CKSUMTYPE-RSA-MD5-DES-data: - -CKSUMTYPE_RSA_MD5_DES -===================== - -.. -.. data:: CKSUMTYPE_RSA_MD5_DES -.. - - - - -============================ ====================== -``CKSUMTYPE_RSA_MD5_DES`` ``0x0008`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.txt deleted file mode 100644 index b41f106..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-AES128-CTS-HMAC-SHA1-96-data: - -ENCTYPE_AES128_CTS_HMAC_SHA1_96 -=============================== - -.. -.. data:: ENCTYPE_AES128_CTS_HMAC_SHA1_96 -.. - -RFC 3962. - - - -====================================== ====================== -``ENCTYPE_AES128_CTS_HMAC_SHA1_96`` ``0x0011`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.txt deleted file mode 100644 index b088122..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-AES128-CTS-HMAC-SHA256-128-data: - -ENCTYPE_AES128_CTS_HMAC_SHA256_128 -================================== - -.. -.. data:: ENCTYPE_AES128_CTS_HMAC_SHA256_128 -.. - -RFC 8009. - - - -========================================= ====================== -``ENCTYPE_AES128_CTS_HMAC_SHA256_128`` ``0x0013`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.txt deleted file mode 100644 index 52773eb..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-AES256-CTS-HMAC-SHA1-96-data: - -ENCTYPE_AES256_CTS_HMAC_SHA1_96 -=============================== - -.. -.. data:: ENCTYPE_AES256_CTS_HMAC_SHA1_96 -.. - -RFC 3962. - - - -====================================== ====================== -``ENCTYPE_AES256_CTS_HMAC_SHA1_96`` ``0x0012`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.txt deleted file mode 100644 index 1f7bbf7..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-AES256-CTS-HMAC-SHA384-192-data: - -ENCTYPE_AES256_CTS_HMAC_SHA384_192 -================================== - -.. -.. data:: ENCTYPE_AES256_CTS_HMAC_SHA384_192 -.. - -RFC 8009. - - - -========================================= ====================== -``ENCTYPE_AES256_CTS_HMAC_SHA384_192`` ``0x0014`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.txt deleted file mode 100644 index 2721265..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-ARCFOUR-HMAC-data: - -ENCTYPE_ARCFOUR_HMAC -==================== - -.. -.. data:: ENCTYPE_ARCFOUR_HMAC -.. - -RFC 4757. - - - -=========================== ====================== -``ENCTYPE_ARCFOUR_HMAC`` ``0x0017`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.txt deleted file mode 100644 index fa3b8c3..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-ARCFOUR-HMAC-EXP-data: - -ENCTYPE_ARCFOUR_HMAC_EXP -======================== - -.. -.. data:: ENCTYPE_ARCFOUR_HMAC_EXP -.. - -RFC 4757. - - - -=============================== ====================== -``ENCTYPE_ARCFOUR_HMAC_EXP`` ``0x0018`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.txt deleted file mode 100644 index 553578a..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-CAMELLIA128-CTS-CMAC-data: - -ENCTYPE_CAMELLIA128_CTS_CMAC -============================ - -.. -.. data:: ENCTYPE_CAMELLIA128_CTS_CMAC -.. - -RFC 6803. - - - -=================================== ====================== -``ENCTYPE_CAMELLIA128_CTS_CMAC`` ``0x0019`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.txt deleted file mode 100644 index 2ad90d3..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-CAMELLIA256-CTS-CMAC-data: - -ENCTYPE_CAMELLIA256_CTS_CMAC -============================ - -.. -.. data:: ENCTYPE_CAMELLIA256_CTS_CMAC -.. - -RFC 6803. - - - -=================================== ====================== -``ENCTYPE_CAMELLIA256_CTS_CMAC`` ``0x001a`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.txt deleted file mode 100644 index d75692e..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES3-CBC-ENV-data: - -ENCTYPE_DES3_CBC_ENV -==================== - -.. -.. data:: ENCTYPE_DES3_CBC_ENV -.. - -DES-3 cbc mode, CMS enveloped data. - - - -=========================== ====================== -``ENCTYPE_DES3_CBC_ENV`` ``0x000f`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.txt deleted file mode 100644 index 3070f17..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES3-CBC-RAW-data: - -ENCTYPE_DES3_CBC_RAW -==================== - -.. -.. data:: ENCTYPE_DES3_CBC_RAW -.. - - - - -=========================== ====================== -``ENCTYPE_DES3_CBC_RAW`` ``0x0006`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.txt deleted file mode 100644 index 62c8ca5..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES3-CBC-SHA-data: - -ENCTYPE_DES3_CBC_SHA -==================== - -.. -.. data:: ENCTYPE_DES3_CBC_SHA -.. - - - - -=========================== ====================== -``ENCTYPE_DES3_CBC_SHA`` ``0x0005`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.txt deleted file mode 100644 index 9ad6330..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES3-CBC-SHA1-data: - -ENCTYPE_DES3_CBC_SHA1 -===================== - -.. -.. data:: ENCTYPE_DES3_CBC_SHA1 -.. - - - - -============================ ====================== -``ENCTYPE_DES3_CBC_SHA1`` ``0x0010`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.txt deleted file mode 100644 index 63bb07e..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES-CBC-CRC-data: - -ENCTYPE_DES_CBC_CRC -=================== - -.. -.. data:: ENCTYPE_DES_CBC_CRC -.. - -DES cbc mode with CRC-32. - - - -========================== ====================== -``ENCTYPE_DES_CBC_CRC`` ``0x0001`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.txt deleted file mode 100644 index 1e477a9..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES-CBC-MD4-data: - -ENCTYPE_DES_CBC_MD4 -=================== - -.. -.. data:: ENCTYPE_DES_CBC_MD4 -.. - -DES cbc mode with RSA-MD4. - - - -========================== ====================== -``ENCTYPE_DES_CBC_MD4`` ``0x0002`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.txt deleted file mode 100644 index 87c1c60..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES-CBC-MD5-data: - -ENCTYPE_DES_CBC_MD5 -=================== - -.. -.. data:: ENCTYPE_DES_CBC_MD5 -.. - -DES cbc mode with RSA-MD5. - - - -========================== ====================== -``ENCTYPE_DES_CBC_MD5`` ``0x0003`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.txt deleted file mode 100644 index d03eac2..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES-CBC-RAW-data: - -ENCTYPE_DES_CBC_RAW -=================== - -.. -.. data:: ENCTYPE_DES_CBC_RAW -.. - - - - -========================== ====================== -``ENCTYPE_DES_CBC_RAW`` ``0x0004`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.txt deleted file mode 100644 index d2f325f..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DES-HMAC-SHA1-data: - -ENCTYPE_DES_HMAC_SHA1 -===================== - -.. -.. data:: ENCTYPE_DES_HMAC_SHA1 -.. - - - - -============================ ====================== -``ENCTYPE_DES_HMAC_SHA1`` ``0x0008`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.txt deleted file mode 100644 index 0f1ab60..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-DSA-SHA1-CMS-data: - -ENCTYPE_DSA_SHA1_CMS -==================== - -.. -.. data:: ENCTYPE_DSA_SHA1_CMS -.. - -DSA with SHA1, CMS signature. - - - -=========================== ====================== -``ENCTYPE_DSA_SHA1_CMS`` ``0x0009`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.txt deleted file mode 100644 index 94c3880..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-MD5-RSA-CMS-data: - -ENCTYPE_MD5_RSA_CMS -=================== - -.. -.. data:: ENCTYPE_MD5_RSA_CMS -.. - -MD5 with RSA, CMS signature. - - - -========================== ====================== -``ENCTYPE_MD5_RSA_CMS`` ``0x000a`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_NULL.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_NULL.txt deleted file mode 100644 index 241698f..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_NULL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-NULL-data: - -ENCTYPE_NULL -============ - -.. -.. data:: ENCTYPE_NULL -.. - - - - -=================== ====================== -``ENCTYPE_NULL`` ``0x0000`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.txt deleted file mode 100644 index 7da5260..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-RC2-CBC-ENV-data: - -ENCTYPE_RC2_CBC_ENV -=================== - -.. -.. data:: ENCTYPE_RC2_CBC_ENV -.. - -RC2 cbc mode, CMS enveloped data. - - - -========================== ====================== -``ENCTYPE_RC2_CBC_ENV`` ``0x000c`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.txt deleted file mode 100644 index 7b58fca..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ENV.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-RSA-ENV-data: - -ENCTYPE_RSA_ENV -=============== - -.. -.. data:: ENCTYPE_RSA_ENV -.. - -RSA encryption, CMS enveloped data. - - - -====================== ====================== -``ENCTYPE_RSA_ENV`` ``0x000d`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.txt deleted file mode 100644 index d51908a..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-RSA-ES-OAEP-ENV-data: - -ENCTYPE_RSA_ES_OAEP_ENV -======================= - -.. -.. data:: ENCTYPE_RSA_ES_OAEP_ENV -.. - -RSA w/OEAP encryption, CMS enveloped data. - - - -============================== ====================== -``ENCTYPE_RSA_ES_OAEP_ENV`` ``0x000e`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.txt deleted file mode 100644 index 6b5971b..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-SHA1-RSA-CMS-data: - -ENCTYPE_SHA1_RSA_CMS -==================== - -.. -.. data:: ENCTYPE_SHA1_RSA_CMS -.. - -SHA1 with RSA, CMS signature. - - - -=========================== ====================== -``ENCTYPE_SHA1_RSA_CMS`` ``0x000b`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.txt b/doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.txt deleted file mode 100644 index f0c034c..0000000 --- a/doc/html/_sources/appdev/refs/macros/ENCTYPE_UNKNOWN.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _ENCTYPE-UNKNOWN-data: - -ENCTYPE_UNKNOWN -=============== - -.. -.. data:: ENCTYPE_UNKNOWN -.. - - - - -====================== ====================== -``ENCTYPE_UNKNOWN`` ``0x01ff`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.txt deleted file mode 100644 index ea6e8bf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-ALLOW-POSTDATE-data: - -KDC_OPT_ALLOW_POSTDATE -====================== - -.. -.. data:: KDC_OPT_ALLOW_POSTDATE -.. - - - - -============================= ====================== -``KDC_OPT_ALLOW_POSTDATE`` ``0x04000000`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.txt deleted file mode 100644 index a23b4ef..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_CANONICALIZE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-CANONICALIZE-data: - -KDC_OPT_CANONICALIZE -==================== - -.. -.. data:: KDC_OPT_CANONICALIZE -.. - - - - -=========================== ====================== -``KDC_OPT_CANONICALIZE`` ``0x00010000`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.txt deleted file mode 100644 index 6e456a0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-CNAME-IN-ADDL-TKT-data: - -KDC_OPT_CNAME_IN_ADDL_TKT -========================= - -.. -.. data:: KDC_OPT_CNAME_IN_ADDL_TKT -.. - - - - -================================ ====================== -``KDC_OPT_CNAME_IN_ADDL_TKT`` ``0x00020000`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.txt deleted file mode 100644 index 55072ae..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-DISABLE-TRANSITED-CHECK-data: - -KDC_OPT_DISABLE_TRANSITED_CHECK -=============================== - -.. -.. data:: KDC_OPT_DISABLE_TRANSITED_CHECK -.. - - - - -====================================== ====================== -``KDC_OPT_DISABLE_TRANSITED_CHECK`` ``0x00000020`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.txt deleted file mode 100644 index 3baaab2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-ENC-TKT-IN-SKEY-data: - -KDC_OPT_ENC_TKT_IN_SKEY -======================= - -.. -.. data:: KDC_OPT_ENC_TKT_IN_SKEY -.. - - - - -============================== ====================== -``KDC_OPT_ENC_TKT_IN_SKEY`` ``0x00000008`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.txt deleted file mode 100644 index abe8f26..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-FORWARDABLE-data: - -KDC_OPT_FORWARDABLE -=================== - -.. -.. data:: KDC_OPT_FORWARDABLE -.. - - - - -========================== ====================== -``KDC_OPT_FORWARDABLE`` ``0x40000000`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.txt deleted file mode 100644 index ab4e0ef..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_FORWARDED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-FORWARDED-data: - -KDC_OPT_FORWARDED -================= - -.. -.. data:: KDC_OPT_FORWARDED -.. - - - - -======================== ====================== -``KDC_OPT_FORWARDED`` ``0x20000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_POSTDATED.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_POSTDATED.txt deleted file mode 100644 index f7858cf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_POSTDATED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-POSTDATED-data: - -KDC_OPT_POSTDATED -================= - -.. -.. data:: KDC_OPT_POSTDATED -.. - - - - -======================== ====================== -``KDC_OPT_POSTDATED`` ``0x02000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.txt deleted file mode 100644 index 82925cd..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXIABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-PROXIABLE-data: - -KDC_OPT_PROXIABLE -================= - -.. -.. data:: KDC_OPT_PROXIABLE -.. - - - - -======================== ====================== -``KDC_OPT_PROXIABLE`` ``0x10000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXY.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXY.txt deleted file mode 100644 index d1c99c8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_PROXY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-PROXY-data: - -KDC_OPT_PROXY -============= - -.. -.. data:: KDC_OPT_PROXY -.. - - - - -==================== ====================== -``KDC_OPT_PROXY`` ``0x08000000`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.txt deleted file mode 100644 index 8c68ee6..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEW.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-RENEW-data: - -KDC_OPT_RENEW -============= - -.. -.. data:: KDC_OPT_RENEW -.. - - - - -==================== ====================== -``KDC_OPT_RENEW`` ``0x00000002`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE.txt deleted file mode 100644 index b757c87..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-RENEWABLE-data: - -KDC_OPT_RENEWABLE -================= - -.. -.. data:: KDC_OPT_RENEWABLE -.. - - - - -======================== ====================== -``KDC_OPT_RENEWABLE`` ``0x00800000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.txt deleted file mode 100644 index 405bec0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-RENEWABLE-OK-data: - -KDC_OPT_RENEWABLE_OK -==================== - -.. -.. data:: KDC_OPT_RENEWABLE_OK -.. - - - - -=========================== ====================== -``KDC_OPT_RENEWABLE_OK`` ``0x00000010`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.txt deleted file mode 100644 index 29d22a4..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-REQUEST-ANONYMOUS-data: - -KDC_OPT_REQUEST_ANONYMOUS -========================= - -.. -.. data:: KDC_OPT_REQUEST_ANONYMOUS -.. - - - - -================================ ====================== -``KDC_OPT_REQUEST_ANONYMOUS`` ``0x00008000`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.txt b/doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.txt deleted file mode 100644 index c15e83c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_OPT_VALIDATE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-OPT-VALIDATE-data: - -KDC_OPT_VALIDATE -================ - -.. -.. data:: KDC_OPT_VALIDATE -.. - - - - -======================= ====================== -``KDC_OPT_VALIDATE`` ``0x00000001`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KDC_TKT_COMMON_MASK.txt b/doc/html/_sources/appdev/refs/macros/KDC_TKT_COMMON_MASK.txt deleted file mode 100644 index ccb5d30..0000000 --- a/doc/html/_sources/appdev/refs/macros/KDC_TKT_COMMON_MASK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KDC-TKT-COMMON-MASK-data: - -KDC_TKT_COMMON_MASK -=================== - -.. -.. data:: KDC_TKT_COMMON_MASK -.. - - - - -========================== ====================== -``KDC_TKT_COMMON_MASK`` ``0x54800000`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.txt deleted file mode 100644 index 894c4f8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-ALTAUTH-ATT-CHALLENGE-RESPONSE-data: - -KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE -=================================== - -.. -.. data:: KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE -.. - -alternate authentication types - - - -========================================== ====================== -``KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE`` ``64`` -========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.txt deleted file mode 100644 index 85682d1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-ANONYMOUS-PRINCSTR-data: - -KRB5_ANONYMOUS_PRINCSTR -======================= - -.. -.. data:: KRB5_ANONYMOUS_PRINCSTR -.. - -Anonymous principal name. - - - -============================== ====================== -``KRB5_ANONYMOUS_PRINCSTR`` ``"ANONYMOUS"`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.txt deleted file mode 100644 index 9d8015d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-ANONYMOUS-REALMSTR-data: - -KRB5_ANONYMOUS_REALMSTR -======================= - -.. -.. data:: KRB5_ANONYMOUS_REALMSTR -.. - -Anonymous realm. - - - -============================== ====================== -``KRB5_ANONYMOUS_REALMSTR`` ``"WELLKNOWN:ANONYMOUS"`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AP_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AP_REP.txt deleted file mode 100644 index 3d1099f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AP_REP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AP-REP-data: - -KRB5_AP_REP -=========== - -.. -.. data:: KRB5_AP_REP -.. - -Response to mutual AP request. - - - -================== ====================== -``KRB5_AP_REP`` ``((krb5_msgtype)15)`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AP_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AP_REQ.txt deleted file mode 100644 index 487a607..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AP_REQ.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AP-REQ-data: - -KRB5_AP_REQ -=========== - -.. -.. data:: KRB5_AP_REQ -.. - -Auth req to application server. - - - -================== ====================== -``KRB5_AP_REQ`` ``((krb5_msgtype)14)`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.txt deleted file mode 100644 index c9f7ea1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AS_REP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AS-REP-data: - -KRB5_AS_REP -=========== - -.. -.. data:: KRB5_AS_REP -.. - -Response to AS request. - - - -================== ====================== -``KRB5_AS_REP`` ``((krb5_msgtype)11)`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.txt deleted file mode 100644 index 9a5ca6f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AS_REQ.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AS-REQ-data: - -KRB5_AS_REQ -=========== - -.. -.. data:: KRB5_AS_REQ -.. - -Initial authentication request. - - - -================== ====================== -``KRB5_AS_REQ`` ``((krb5_msgtype)10)`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.txt deleted file mode 100644 index 805b8bd..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-AND-OR-data: - -KRB5_AUTHDATA_AND_OR -==================== - -.. -.. data:: KRB5_AUTHDATA_AND_OR -.. - - - - -=========================== ====================== -``KRB5_AUTHDATA_AND_OR`` ``5`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.txt deleted file mode 100644 index 304c2b2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-AUTH-INDICATOR-data: - -KRB5_AUTHDATA_AUTH_INDICATOR -============================ - -.. -.. data:: KRB5_AUTHDATA_AUTH_INDICATOR -.. - - - - -=================================== ====================== -``KRB5_AUTHDATA_AUTH_INDICATOR`` ``97`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.txt deleted file mode 100644 index 213947a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-CAMMAC-data: - -KRB5_AUTHDATA_CAMMAC -==================== - -.. -.. data:: KRB5_AUTHDATA_CAMMAC -.. - - - - -=========================== ====================== -``KRB5_AUTHDATA_CAMMAC`` ``96`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.txt deleted file mode 100644 index 0f45484..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-ETYPE-NEGOTIATION-data: - -KRB5_AUTHDATA_ETYPE_NEGOTIATION -=============================== - -.. -.. data:: KRB5_AUTHDATA_ETYPE_NEGOTIATION -.. - -RFC 4537. - - - -====================================== ====================== -``KRB5_AUTHDATA_ETYPE_NEGOTIATION`` ``129`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.txt deleted file mode 100644 index 3661af5..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-FX-ARMOR-data: - -KRB5_AUTHDATA_FX_ARMOR -====================== - -.. -.. data:: KRB5_AUTHDATA_FX_ARMOR -.. - - - - -============================= ====================== -``KRB5_AUTHDATA_FX_ARMOR`` ``71`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.txt deleted file mode 100644 index eb773f8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-IF-RELEVANT-data: - -KRB5_AUTHDATA_IF_RELEVANT -========================= - -.. -.. data:: KRB5_AUTHDATA_IF_RELEVANT -.. - - - - -================================ ====================== -``KRB5_AUTHDATA_IF_RELEVANT`` ``1`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.txt deleted file mode 100644 index 8ddb686..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-INITIAL-VERIFIED-CAS-data: - -KRB5_AUTHDATA_INITIAL_VERIFIED_CAS -================================== - -.. -.. data:: KRB5_AUTHDATA_INITIAL_VERIFIED_CAS -.. - - - - -========================================= ====================== -``KRB5_AUTHDATA_INITIAL_VERIFIED_CAS`` ``9`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.txt deleted file mode 100644 index b63e83d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-KDC-ISSUED-data: - -KRB5_AUTHDATA_KDC_ISSUED -======================== - -.. -.. data:: KRB5_AUTHDATA_KDC_ISSUED -.. - - - - -=============================== ====================== -``KRB5_AUTHDATA_KDC_ISSUED`` ``4`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.txt deleted file mode 100644 index 8112bf0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-MANDATORY-FOR-KDC-data: - -KRB5_AUTHDATA_MANDATORY_FOR_KDC -=============================== - -.. -.. data:: KRB5_AUTHDATA_MANDATORY_FOR_KDC -.. - - - - -====================================== ====================== -``KRB5_AUTHDATA_MANDATORY_FOR_KDC`` ``8`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.txt deleted file mode 100644 index ffd0448..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-OSF-DCE-data: - -KRB5_AUTHDATA_OSF_DCE -===================== - -.. -.. data:: KRB5_AUTHDATA_OSF_DCE -.. - - - - -============================ ====================== -``KRB5_AUTHDATA_OSF_DCE`` ``64`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.txt deleted file mode 100644 index 2857cfe..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SESAME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-SESAME-data: - -KRB5_AUTHDATA_SESAME -==================== - -.. -.. data:: KRB5_AUTHDATA_SESAME -.. - - - - -=========================== ====================== -``KRB5_AUTHDATA_SESAME`` ``65`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.txt deleted file mode 100644 index c74afcb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-SIGNTICKET-data: - -KRB5_AUTHDATA_SIGNTICKET -======================== - -.. -.. data:: KRB5_AUTHDATA_SIGNTICKET -.. - -formerly 142 in krb5 1.8 - - - -=============================== ====================== -``KRB5_AUTHDATA_SIGNTICKET`` ``512`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.txt deleted file mode 100644 index e6417b8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTHDATA-WIN2K-PAC-data: - -KRB5_AUTHDATA_WIN2K_PAC -======================= - -.. -.. data:: KRB5_AUTHDATA_WIN2K_PAC -.. - - - - -============================== ====================== -``KRB5_AUTHDATA_WIN2K_PAC`` ``128`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.txt deleted file mode 100644 index 700a704..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-DO-SEQUENCE-data: - -KRB5_AUTH_CONTEXT_DO_SEQUENCE -============================= - -.. -.. data:: KRB5_AUTH_CONTEXT_DO_SEQUENCE -.. - -Prevent replays with sequence numbers. - - - -==================================== ====================== -``KRB5_AUTH_CONTEXT_DO_SEQUENCE`` ``0x00000004`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.txt deleted file mode 100644 index 14e6e6d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-DO-TIME-data: - -KRB5_AUTH_CONTEXT_DO_TIME -========================= - -.. -.. data:: KRB5_AUTH_CONTEXT_DO_TIME -.. - -Prevent replays with timestamps and replay cache. - - - -================================ ====================== -``KRB5_AUTH_CONTEXT_DO_TIME`` ``0x00000001`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.txt deleted file mode 100644 index e500f7d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-ADDR-data: - -KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR -===================================== - -.. -.. data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR -.. - -Generate the local network address. - - - -============================================ ====================== -``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR`` ``0x00000001`` -============================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.txt deleted file mode 100644 index a7ae9ec..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-GENERATE-LOCAL-FULL-ADDR-data: - -KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR -========================================== - -.. -.. data:: KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR -.. - -Generate the local network address and the local port. - - - -================================================= ====================== -``KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR`` ``0x00000004`` -================================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.txt deleted file mode 100644 index 7887a5d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-ADDR-data: - -KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR -====================================== - -.. -.. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR -.. - -Generate the remote network address. - - - -============================================= ====================== -``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR`` ``0x00000002`` -============================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.txt deleted file mode 100644 index 9b90467..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-GENERATE-REMOTE-FULL-ADDR-data: - -KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR -=========================================== - -.. -.. data:: KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR -.. - -Generate the remote network address and the remote port. - - - -================================================== ====================== -``KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR`` ``0x00000008`` -================================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.txt deleted file mode 100644 index 09e1b68..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-PERMIT-ALL-data: - -KRB5_AUTH_CONTEXT_PERMIT_ALL -============================ - -.. -.. data:: KRB5_AUTH_CONTEXT_PERMIT_ALL -.. - - - - -=================================== ====================== -``KRB5_AUTH_CONTEXT_PERMIT_ALL`` ``0x00000010`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.txt deleted file mode 100644 index 6e7e9c4..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-RET-SEQUENCE-data: - -KRB5_AUTH_CONTEXT_RET_SEQUENCE -============================== - -.. -.. data:: KRB5_AUTH_CONTEXT_RET_SEQUENCE -.. - -Save sequence numbers for application. - - - -===================================== ====================== -``KRB5_AUTH_CONTEXT_RET_SEQUENCE`` ``0x00000008`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.txt deleted file mode 100644 index 0d94280..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-RET-TIME-data: - -KRB5_AUTH_CONTEXT_RET_TIME -========================== - -.. -.. data:: KRB5_AUTH_CONTEXT_RET_TIME -.. - -Save timestamps for application. - - - -================================= ====================== -``KRB5_AUTH_CONTEXT_RET_TIME`` ``0x00000002`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.txt deleted file mode 100644 index 63f6b09..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-AUTH-CONTEXT-USE-SUBKEY-data: - -KRB5_AUTH_CONTEXT_USE_SUBKEY -============================ - -.. -.. data:: KRB5_AUTH_CONTEXT_USE_SUBKEY -.. - - - - -=================================== ====================== -``KRB5_AUTH_CONTEXT_USE_SUBKEY`` ``0x00000020`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRED.txt deleted file mode 100644 index 948520a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRED-data: - -KRB5_CRED -========= - -.. -.. data:: KRB5_CRED -.. - -Cred forwarding message. - - - -================ ====================== -``KRB5_CRED`` ``((krb5_msgtype)22)`` -================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.txt deleted file mode 100644 index d6caedf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-CHECKSUM-data: - -KRB5_CRYPTO_TYPE_CHECKSUM -========================= - -.. -.. data:: KRB5_CRYPTO_TYPE_CHECKSUM -.. - -[out] checksum for MIC - - - -================================ ====================== -``KRB5_CRYPTO_TYPE_CHECKSUM`` ``6`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.txt deleted file mode 100644 index 7adb024..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-DATA-data: - -KRB5_CRYPTO_TYPE_DATA -===================== - -.. -.. data:: KRB5_CRYPTO_TYPE_DATA -.. - -[in, out] plaintext - - - -============================ ====================== -``KRB5_CRYPTO_TYPE_DATA`` ``2`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.txt deleted file mode 100644 index 3051533..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-EMPTY-data: - -KRB5_CRYPTO_TYPE_EMPTY -====================== - -.. -.. data:: KRB5_CRYPTO_TYPE_EMPTY -.. - -[in] ignored - - - -============================= ====================== -``KRB5_CRYPTO_TYPE_EMPTY`` ``0`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.txt deleted file mode 100644 index 4faac43..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-HEADER-data: - -KRB5_CRYPTO_TYPE_HEADER -======================= - -.. -.. data:: KRB5_CRYPTO_TYPE_HEADER -.. - -[out] header - - - -============================== ====================== -``KRB5_CRYPTO_TYPE_HEADER`` ``1`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.txt deleted file mode 100644 index 9fc17ab..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-PADDING-data: - -KRB5_CRYPTO_TYPE_PADDING -======================== - -.. -.. data:: KRB5_CRYPTO_TYPE_PADDING -.. - -[out] padding - - - -=============================== ====================== -``KRB5_CRYPTO_TYPE_PADDING`` ``4`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.txt deleted file mode 100644 index 52f206a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-SIGN-ONLY-data: - -KRB5_CRYPTO_TYPE_SIGN_ONLY -========================== - -.. -.. data:: KRB5_CRYPTO_TYPE_SIGN_ONLY -.. - -[in] associated data - - - -================================= ====================== -``KRB5_CRYPTO_TYPE_SIGN_ONLY`` ``3`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.txt deleted file mode 100644 index d2fdc66..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-STREAM-data: - -KRB5_CRYPTO_TYPE_STREAM -======================= - -.. -.. data:: KRB5_CRYPTO_TYPE_STREAM -.. - -[in] entire message without decomposing the structure into header, data and trailer buffers - - - -============================== ====================== -``KRB5_CRYPTO_TYPE_STREAM`` ``7`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.txt deleted file mode 100644 index dfb858f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CRYPTO-TYPE-TRAILER-data: - -KRB5_CRYPTO_TYPE_TRAILER -======================== - -.. -.. data:: KRB5_CRYPTO_TYPE_TRAILER -.. - -[out] checksum for encrypt - - - -=============================== ====================== -``KRB5_CRYPTO_TYPE_TRAILER`` ``5`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.txt deleted file mode 100644 index 312cf55..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-CYBERSAFE-SECUREID-data: - -KRB5_CYBERSAFE_SECUREID -======================= - -.. -.. data:: KRB5_CYBERSAFE_SECUREID -.. - -Cybersafe. - -RFC 4120 - -============================== ====================== -``KRB5_CYBERSAFE_SECUREID`` ``9`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.txt deleted file mode 100644 index 160a4eb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-DOMAIN-X500-COMPRESS-data: - -KRB5_DOMAIN_X500_COMPRESS -========================= - -.. -.. data:: KRB5_DOMAIN_X500_COMPRESS -.. - -Transited encoding types. - - - -================================ ====================== -``KRB5_DOMAIN_X500_COMPRESS`` ``1`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.txt deleted file mode 100644 index 78d5996..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-ENCPADATA-REQ-ENC-PA-REP-data: - -KRB5_ENCPADATA_REQ_ENC_PA_REP -============================= - -.. -.. data:: KRB5_ENCPADATA_REQ_ENC_PA_REP -.. - -RFC 6806. - - - -==================================== ====================== -``KRB5_ENCPADATA_REQ_ENC_PA_REP`` ``149`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_ERROR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_ERROR.txt deleted file mode 100644 index d4fe6d3..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_ERROR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-ERROR-data: - -KRB5_ERROR -========== - -.. -.. data:: KRB5_ERROR -.. - -Error response. - - - -================= ====================== -``KRB5_ERROR`` ``((krb5_msgtype)30)`` -================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.txt deleted file mode 100644 index 6f5cd09..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_FAST_REQUIRED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-FAST-REQUIRED-data: - -KRB5_FAST_REQUIRED -================== - -.. -.. data:: KRB5_FAST_REQUIRED -.. - -Require KDC to support FAST. - - - -========================= ====================== -``KRB5_FAST_REQUIRED`` ``0x0001`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.txt deleted file mode 100644 index 533a1af..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CACHED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-CACHED-data: - -KRB5_GC_CACHED -============== - -.. -.. data:: KRB5_GC_CACHED -.. - -Want cached ticket only. - - - -===================== ====================== -``KRB5_GC_CACHED`` ``2`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.txt deleted file mode 100644 index 13aac04..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CANONICALIZE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-CANONICALIZE-data: - -KRB5_GC_CANONICALIZE -==================== - -.. -.. data:: KRB5_GC_CANONICALIZE -.. - -Set canonicalize KDC option. - - - -=========================== ====================== -``KRB5_GC_CANONICALIZE`` ``4`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.txt deleted file mode 100644 index 6105e90..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-CONSTRAINED-DELEGATION-data: - -KRB5_GC_CONSTRAINED_DELEGATION -============================== - -.. -.. data:: KRB5_GC_CONSTRAINED_DELEGATION -.. - -Constrained delegation. - - - -===================================== ====================== -``KRB5_GC_CONSTRAINED_DELEGATION`` ``64`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.txt deleted file mode 100644 index ebb67ef..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_FORWARDABLE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-FORWARDABLE-data: - -KRB5_GC_FORWARDABLE -=================== - -.. -.. data:: KRB5_GC_FORWARDABLE -.. - -Acquire forwardable tickets. - - - -========================== ====================== -``KRB5_GC_FORWARDABLE`` ``16`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_STORE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_STORE.txt deleted file mode 100644 index 0f3f5f7..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_STORE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-NO-STORE-data: - -KRB5_GC_NO_STORE -================ - -.. -.. data:: KRB5_GC_NO_STORE -.. - -Do not store in credential cache. - - - -======================= ====================== -``KRB5_GC_NO_STORE`` ``8`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.txt deleted file mode 100644 index dadc90e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-NO-TRANSIT-CHECK-data: - -KRB5_GC_NO_TRANSIT_CHECK -======================== - -.. -.. data:: KRB5_GC_NO_TRANSIT_CHECK -.. - -Disable transited check. - - - -=============================== ====================== -``KRB5_GC_NO_TRANSIT_CHECK`` ``32`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.txt deleted file mode 100644 index 04cb962..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GC_USER_USER.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GC-USER-USER-data: - -KRB5_GC_USER_USER -================= - -.. -.. data:: KRB5_GC_USER_USER -.. - -Want user-user ticket. - - - -======================== ====================== -``KRB5_GC_USER_USER`` ``1`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.txt deleted file mode 100644 index 21968e2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-ADDRESS-LIST-data: - -KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST -==================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST -.. - - - - -=========================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST`` ``0x0020`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.txt deleted file mode 100644 index f8890b0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-ANONYMOUS-data: - -KRB5_GET_INIT_CREDS_OPT_ANONYMOUS -================================= - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_ANONYMOUS -.. - - - - -======================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_ANONYMOUS`` ``0x0400`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.txt deleted file mode 100644 index e00d52b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-CANONICALIZE-data: - -KRB5_GET_INIT_CREDS_OPT_CANONICALIZE -==================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_CANONICALIZE -.. - - - - -=========================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_CANONICALIZE`` ``0x0200`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.txt deleted file mode 100644 index 8469245..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-CHG-PWD-PRMPT-data: - -KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT -===================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT -.. - - - - -============================================ ====================== -``KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT`` ``0x0100`` -============================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.txt deleted file mode 100644 index f85ce2d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-ETYPE-LIST-data: - -KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST -================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST -.. - - - - -========================================= ====================== -``KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST`` ``0x0010`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.txt deleted file mode 100644 index c66c6f1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-FORWARDABLE-data: - -KRB5_GET_INIT_CREDS_OPT_FORWARDABLE -=================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_FORWARDABLE -.. - - - - -========================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_FORWARDABLE`` ``0x0004`` -========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.txt deleted file mode 100644 index 50d4b15..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-PREAUTH-LIST-data: - -KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST -==================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST -.. - - - - -=========================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST`` ``0x0040`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.txt deleted file mode 100644 index ee787a5..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-PROXIABLE-data: - -KRB5_GET_INIT_CREDS_OPT_PROXIABLE -================================= - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_PROXIABLE -.. - - - - -======================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_PROXIABLE`` ``0x0008`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.txt deleted file mode 100644 index 3d240fd..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-RENEW-LIFE-data: - -KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE -================================== - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE -.. - - - - -========================================= ====================== -``KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE`` ``0x0002`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.txt deleted file mode 100644 index 00f83f6..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-SALT-data: - -KRB5_GET_INIT_CREDS_OPT_SALT -============================ - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_SALT -.. - - - - -=================================== ====================== -``KRB5_GET_INIT_CREDS_OPT_SALT`` ``0x0080`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.txt deleted file mode 100644 index a8dc2cb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-GET-INIT-CREDS-OPT-TKT-LIFE-data: - -KRB5_GET_INIT_CREDS_OPT_TKT_LIFE -================================ - -.. -.. data:: KRB5_GET_INIT_CREDS_OPT_TKT_LIFE -.. - - - - -======================================= ====================== -``KRB5_GET_INIT_CREDS_OPT_TKT_LIFE`` ``0x0001`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.txt deleted file mode 100644 index b6790a3..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INIT-CONTEXT-KDC-data: - -KRB5_INIT_CONTEXT_KDC -===================== - -.. -.. data:: KRB5_INIT_CONTEXT_KDC -.. - -Use KDC configuration if available. - - - -============================ ====================== -``KRB5_INIT_CONTEXT_KDC`` ``0x2`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.txt deleted file mode 100644 index 328f193..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INIT-CONTEXT-SECURE-data: - -KRB5_INIT_CONTEXT_SECURE -======================== - -.. -.. data:: KRB5_INIT_CONTEXT_SECURE -.. - -Use secure context configuration. - - - -=============================== ====================== -``KRB5_INIT_CONTEXT_SECURE`` ``0x1`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.txt deleted file mode 100644 index 848ad86..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INIT-CREDS-STEP-FLAG-CONTINUE-data: - -KRB5_INIT_CREDS_STEP_FLAG_CONTINUE -================================== - -.. -.. data:: KRB5_INIT_CREDS_STEP_FLAG_CONTINUE -.. - -More responses needed. - - - -========================================= ====================== -``KRB5_INIT_CREDS_STEP_FLAG_CONTINUE`` ``0x1`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MAX.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MAX.txt deleted file mode 100644 index 7530fe5..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MAX.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INT16-MAX-data: - -KRB5_INT16_MAX -============== - -.. -.. data:: KRB5_INT16_MAX -.. - - - - -===================== ====================== -``KRB5_INT16_MAX`` ``65535`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.txt deleted file mode 100644 index 7a3502e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INT16_MIN.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INT16-MIN-data: - -KRB5_INT16_MIN -============== - -.. -.. data:: KRB5_INT16_MIN -.. - - - - -===================== ====================== -``KRB5_INT16_MIN`` ``(-KRB5_INT16_MAX-1)`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.txt deleted file mode 100644 index 8f06e65..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MAX.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INT32-MAX-data: - -KRB5_INT32_MAX -============== - -.. -.. data:: KRB5_INT32_MAX -.. - - - - -===================== ====================== -``KRB5_INT32_MAX`` ``2147483647`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.txt deleted file mode 100644 index c86de49..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_INT32_MIN.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-INT32-MIN-data: - -KRB5_INT32_MIN -============== - -.. -.. data:: KRB5_INT32_MIN -.. - - - - -===================== ====================== -``KRB5_INT32_MIN`` ``(-KRB5_INT32_MAX-1)`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.txt deleted file mode 100644 index 9691367..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AD-ITE-data: - -KRB5_KEYUSAGE_AD_ITE -==================== - -.. -.. data:: KRB5_KEYUSAGE_AD_ITE -.. - - - - -=========================== ====================== -``KRB5_KEYUSAGE_AD_ITE`` ``21`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.txt deleted file mode 100644 index 24a451a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AD-KDCISSUED-CKSUM-data: - -KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM -================================ - -.. -.. data:: KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM -.. - - - - -======================================= ====================== -``KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM`` ``19`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.txt deleted file mode 100644 index 2ae9c9a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AD-MTE-data: - -KRB5_KEYUSAGE_AD_MTE -==================== - -.. -.. data:: KRB5_KEYUSAGE_AD_MTE -.. - - - - -=========================== ====================== -``KRB5_KEYUSAGE_AD_MTE`` ``20`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.txt deleted file mode 100644 index 727007f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AD-SIGNEDPATH-data: - -KRB5_KEYUSAGE_AD_SIGNEDPATH -=========================== - -.. -.. data:: KRB5_KEYUSAGE_AD_SIGNEDPATH -.. - - - - -================================== ====================== -``KRB5_KEYUSAGE_AD_SIGNEDPATH`` ``-21`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.txt deleted file mode 100644 index 7632e56..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-APP-DATA-CKSUM-data: - -KRB5_KEYUSAGE_APP_DATA_CKSUM -============================ - -.. -.. data:: KRB5_KEYUSAGE_APP_DATA_CKSUM -.. - - - - -=================================== ====================== -``KRB5_KEYUSAGE_APP_DATA_CKSUM`` ``17`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.txt deleted file mode 100644 index c85ca03..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-APP-DATA-ENCRYPT-data: - -KRB5_KEYUSAGE_APP_DATA_ENCRYPT -============================== - -.. -.. data:: KRB5_KEYUSAGE_APP_DATA_ENCRYPT -.. - - - - -===================================== ====================== -``KRB5_KEYUSAGE_APP_DATA_ENCRYPT`` ``16`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.txt deleted file mode 100644 index ff605d6..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AP-REP-ENCPART-data: - -KRB5_KEYUSAGE_AP_REP_ENCPART -============================ - -.. -.. data:: KRB5_KEYUSAGE_AP_REP_ENCPART -.. - - - - -=================================== ====================== -``KRB5_KEYUSAGE_AP_REP_ENCPART`` ``12`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.txt deleted file mode 100644 index 9e5abc0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AP-REQ-AUTH-data: - -KRB5_KEYUSAGE_AP_REQ_AUTH -========================= - -.. -.. data:: KRB5_KEYUSAGE_AP_REQ_AUTH -.. - - - - -================================ ====================== -``KRB5_KEYUSAGE_AP_REQ_AUTH`` ``11`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.txt deleted file mode 100644 index c7524db..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AP-REQ-AUTH-CKSUM-data: - -KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM -=============================== - -.. -.. data:: KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM -.. - - - - -====================================== ====================== -``KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM`` ``10`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.txt deleted file mode 100644 index 9dc39de..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AS-REP-ENCPART-data: - -KRB5_KEYUSAGE_AS_REP_ENCPART -============================ - -.. -.. data:: KRB5_KEYUSAGE_AS_REP_ENCPART -.. - - - - -=================================== ====================== -``KRB5_KEYUSAGE_AS_REP_ENCPART`` ``3`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.txt deleted file mode 100644 index 937a656..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AS-REQ-data: - -KRB5_KEYUSAGE_AS_REQ -==================== - -.. -.. data:: KRB5_KEYUSAGE_AS_REQ -.. - - - - -=========================== ====================== -``KRB5_KEYUSAGE_AS_REQ`` ``56`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.txt deleted file mode 100644 index f13a2c7..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-AS-REQ-PA-ENC-TS-data: - -KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS -============================== - -.. -.. data:: KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS -.. - - - - -===================================== ====================== -``KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS`` ``1`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.txt deleted file mode 100644 index 2f04a3d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-CAMMAC-data: - -KRB5_KEYUSAGE_CAMMAC -==================== - -.. -.. data:: KRB5_KEYUSAGE_CAMMAC -.. - - - - -=========================== ====================== -``KRB5_KEYUSAGE_CAMMAC`` ``64`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.txt deleted file mode 100644 index 4ee4720..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-ENC-CHALLENGE-CLIENT-data: - -KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT -================================== - -.. -.. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT -.. - - - - -========================================= ====================== -``KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT`` ``54`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.txt deleted file mode 100644 index fdb81df..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-ENC-CHALLENGE-KDC-data: - -KRB5_KEYUSAGE_ENC_CHALLENGE_KDC -=============================== - -.. -.. data:: KRB5_KEYUSAGE_ENC_CHALLENGE_KDC -.. - - - - -====================================== ====================== -``KRB5_KEYUSAGE_ENC_CHALLENGE_KDC`` ``55`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.txt deleted file mode 100644 index a99f966..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-FAST-ENC-data: - -KRB5_KEYUSAGE_FAST_ENC -====================== - -.. -.. data:: KRB5_KEYUSAGE_FAST_ENC -.. - - - - -============================= ====================== -``KRB5_KEYUSAGE_FAST_ENC`` ``51`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.txt deleted file mode 100644 index a407c94..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-FAST-FINISHED-data: - -KRB5_KEYUSAGE_FAST_FINISHED -=========================== - -.. -.. data:: KRB5_KEYUSAGE_FAST_FINISHED -.. - - - - -================================== ====================== -``KRB5_KEYUSAGE_FAST_FINISHED`` ``53`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.txt deleted file mode 100644 index 4f79179..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-FAST-REP-data: - -KRB5_KEYUSAGE_FAST_REP -====================== - -.. -.. data:: KRB5_KEYUSAGE_FAST_REP -.. - - - - -============================= ====================== -``KRB5_KEYUSAGE_FAST_REP`` ``52`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.txt deleted file mode 100644 index dca0e2d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-FAST-REQ-CHKSUM-data: - -KRB5_KEYUSAGE_FAST_REQ_CHKSUM -============================= - -.. -.. data:: KRB5_KEYUSAGE_FAST_REQ_CHKSUM -.. - - - - -==================================== ====================== -``KRB5_KEYUSAGE_FAST_REQ_CHKSUM`` ``50`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.txt deleted file mode 100644 index 15d70a9..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-GSS-TOK-MIC-data: - -KRB5_KEYUSAGE_GSS_TOK_MIC -========================= - -.. -.. data:: KRB5_KEYUSAGE_GSS_TOK_MIC -.. - - - - -================================ ====================== -``KRB5_KEYUSAGE_GSS_TOK_MIC`` ``22`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.txt deleted file mode 100644 index 9ef4dd1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-GSS-TOK-WRAP-INTEG-data: - -KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG -================================ - -.. -.. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG -.. - - - - -======================================= ====================== -``KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG`` ``23`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.txt deleted file mode 100644 index 690f050..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-GSS-TOK-WRAP-PRIV-data: - -KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV -=============================== - -.. -.. data:: KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV -.. - - - - -====================================== ====================== -``KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV`` ``24`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.txt deleted file mode 100644 index 66285a2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-IAKERB-FINISHED-data: - -KRB5_KEYUSAGE_IAKERB_FINISHED -============================= - -.. -.. data:: KRB5_KEYUSAGE_IAKERB_FINISHED -.. - - - - -==================================== ====================== -``KRB5_KEYUSAGE_IAKERB_FINISHED`` ``42`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.txt deleted file mode 100644 index f07479b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-KDC-REP-TICKET-data: - -KRB5_KEYUSAGE_KDC_REP_TICKET -============================ - -.. -.. data:: KRB5_KEYUSAGE_KDC_REP_TICKET -.. - - - - -=================================== ====================== -``KRB5_KEYUSAGE_KDC_REP_TICKET`` ``2`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.txt deleted file mode 100644 index 1a4a822..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-KRB-CRED-ENCPART-data: - -KRB5_KEYUSAGE_KRB_CRED_ENCPART -============================== - -.. -.. data:: KRB5_KEYUSAGE_KRB_CRED_ENCPART -.. - - - - -===================================== ====================== -``KRB5_KEYUSAGE_KRB_CRED_ENCPART`` ``14`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.txt deleted file mode 100644 index 8d573ce..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-KRB-ERROR-CKSUM-data: - -KRB5_KEYUSAGE_KRB_ERROR_CKSUM -============================= - -.. -.. data:: KRB5_KEYUSAGE_KRB_ERROR_CKSUM -.. - - - - -==================================== ====================== -``KRB5_KEYUSAGE_KRB_ERROR_CKSUM`` ``18`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.txt deleted file mode 100644 index 1270ce8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-KRB-PRIV-ENCPART-data: - -KRB5_KEYUSAGE_KRB_PRIV_ENCPART -============================== - -.. -.. data:: KRB5_KEYUSAGE_KRB_PRIV_ENCPART -.. - - - - -===================================== ====================== -``KRB5_KEYUSAGE_KRB_PRIV_ENCPART`` ``13`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.txt deleted file mode 100644 index aaa1eca..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-KRB-SAFE-CKSUM-data: - -KRB5_KEYUSAGE_KRB_SAFE_CKSUM -============================ - -.. -.. data:: KRB5_KEYUSAGE_KRB_SAFE_CKSUM -.. - - - - -=================================== ====================== -``KRB5_KEYUSAGE_KRB_SAFE_CKSUM`` ``15`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.txt deleted file mode 100644 index 93e4f9c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-FX-COOKIE-data: - -KRB5_KEYUSAGE_PA_FX_COOKIE -========================== - -.. -.. data:: KRB5_KEYUSAGE_PA_FX_COOKIE -.. - -Used for encrypted FAST cookies. - - - -================================= ====================== -``KRB5_KEYUSAGE_PA_FX_COOKIE`` ``513`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.txt deleted file mode 100644 index 2c967c2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-OTP-REQUEST-data: - -KRB5_KEYUSAGE_PA_OTP_REQUEST -============================ - -.. -.. data:: KRB5_KEYUSAGE_PA_OTP_REQUEST -.. - -See RFC 6560 section 4.2. - - - -=================================== ====================== -``KRB5_KEYUSAGE_PA_OTP_REQUEST`` ``45`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.txt deleted file mode 100644 index dc31f8f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-PKINIT-KX-data: - -KRB5_KEYUSAGE_PA_PKINIT_KX -========================== - -.. -.. data:: KRB5_KEYUSAGE_PA_PKINIT_KX -.. - - - - -================================= ====================== -``KRB5_KEYUSAGE_PA_PKINIT_KX`` ``44`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.txt deleted file mode 100644 index 7debada..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REPLY-data: - -KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY -==================================== - -.. -.. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY -.. - -Note conflict with :c:data:`KRB5_KEYUSAGE_PA_SAM_RESPONSE` . - - - -=========================================== ====================== -``KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY`` ``27`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.txt deleted file mode 100644 index e8db461..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-S4U-X509-USER-REQUEST-data: - -KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST -====================================== - -.. -.. data:: KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST -.. - -Note conflict with :c:data:`KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID` . - - - -============================================= ====================== -``KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST`` ``26`` -============================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.txt deleted file mode 100644 index b19f78a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-CKSUM-data: - -KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM -==================================== - -.. -.. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM -.. - - - - -=========================================== ====================== -``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM`` ``25`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.txt deleted file mode 100644 index d4cccc0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-SAM-CHALLENGE-TRACKID-data: - -KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID -====================================== - -.. -.. data:: KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID -.. - -Note conflict with :c:data:`KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST` . - - - -============================================= ====================== -``KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID`` ``26`` -============================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.txt deleted file mode 100644 index af816e8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-PA-SAM-RESPONSE-data: - -KRB5_KEYUSAGE_PA_SAM_RESPONSE -============================= - -.. -.. data:: KRB5_KEYUSAGE_PA_SAM_RESPONSE -.. - -Note conflict with :c:data:`KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY` . - - - -==================================== ====================== -``KRB5_KEYUSAGE_PA_SAM_RESPONSE`` ``27`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.txt deleted file mode 100644 index 17a9812..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SESSKEY-data: - -KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY -===================================== - -.. -.. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY -.. - - - - -============================================ ====================== -``KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY`` ``8`` -============================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.txt deleted file mode 100644 index 4363758..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REP-ENCPART-SUBKEY-data: - -KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY -==================================== - -.. -.. data:: KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY -.. - - - - -=========================================== ====================== -``KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY`` ``9`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.txt deleted file mode 100644 index ed977eb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REQ-AD-SESSKEY-data: - -KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY -================================ - -.. -.. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY -.. - - - - -======================================= ====================== -``KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY`` ``4`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.txt deleted file mode 100644 index 323ca1a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REQ-AD-SUBKEY-data: - -KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY -=============================== - -.. -.. data:: KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY -.. - - - - -====================================== ====================== -``KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY`` ``5`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.txt deleted file mode 100644 index 06f082b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REQ-AUTH-data: - -KRB5_KEYUSAGE_TGS_REQ_AUTH -========================== - -.. -.. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH -.. - - - - -================================= ====================== -``KRB5_KEYUSAGE_TGS_REQ_AUTH`` ``7`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.txt deleted file mode 100644 index b57d4c1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KEYUSAGE-TGS-REQ-AUTH-CKSUM-data: - -KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM -================================ - -.. -.. data:: KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM -.. - - - - -======================================= ====================== -``KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM`` ``6`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.txt deleted file mode 100644 index d6f6c57..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-ACCESSDENIED-data: - -KRB5_KPASSWD_ACCESSDENIED -========================= - -.. -.. data:: KRB5_KPASSWD_ACCESSDENIED -.. - -Not authorized. - - - -================================ ====================== -``KRB5_KPASSWD_ACCESSDENIED`` ``5`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.txt deleted file mode 100644 index 7950d0d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-AUTHERROR-data: - -KRB5_KPASSWD_AUTHERROR -====================== - -.. -.. data:: KRB5_KPASSWD_AUTHERROR -.. - -Authentication error. - - - -============================= ====================== -``KRB5_KPASSWD_AUTHERROR`` ``3`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.txt deleted file mode 100644 index 9d934fa..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-BAD-VERSION-data: - -KRB5_KPASSWD_BAD_VERSION -======================== - -.. -.. data:: KRB5_KPASSWD_BAD_VERSION -.. - -Unknown RPC version. - - - -=============================== ====================== -``KRB5_KPASSWD_BAD_VERSION`` ``6`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.txt deleted file mode 100644 index 7b92336..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-HARDERROR-data: - -KRB5_KPASSWD_HARDERROR -====================== - -.. -.. data:: KRB5_KPASSWD_HARDERROR -.. - -Server error. - - - -============================= ====================== -``KRB5_KPASSWD_HARDERROR`` ``2`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.txt deleted file mode 100644 index c39cb73..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-INITIAL-FLAG-NEEDED-data: - -KRB5_KPASSWD_INITIAL_FLAG_NEEDED -================================ - -.. -.. data:: KRB5_KPASSWD_INITIAL_FLAG_NEEDED -.. - -The presented credentials were not obtained using a password directly. - - - -======================================= ====================== -``KRB5_KPASSWD_INITIAL_FLAG_NEEDED`` ``7`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.txt deleted file mode 100644 index c0ecafc..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-MALFORMED-data: - -KRB5_KPASSWD_MALFORMED -====================== - -.. -.. data:: KRB5_KPASSWD_MALFORMED -.. - -Malformed request. - - - -============================= ====================== -``KRB5_KPASSWD_MALFORMED`` ``1`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.txt deleted file mode 100644 index be8885a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-SOFTERROR-data: - -KRB5_KPASSWD_SOFTERROR -====================== - -.. -.. data:: KRB5_KPASSWD_SOFTERROR -.. - -Password change rejected. - - - -============================= ====================== -``KRB5_KPASSWD_SOFTERROR`` ``4`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.txt deleted file mode 100644 index 8e7022c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-KPASSWD-SUCCESS-data: - -KRB5_KPASSWD_SUCCESS -==================== - -.. -.. data:: KRB5_KPASSWD_SUCCESS -.. - -Success. - - - -=========================== ====================== -``KRB5_KPASSWD_SUCCESS`` ``0`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.txt deleted file mode 100644 index 7c13121..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-ACCT-EXPTIME-data: - -KRB5_LRQ_ALL_ACCT_EXPTIME -========================= - -.. -.. data:: KRB5_LRQ_ALL_ACCT_EXPTIME -.. - - - - -================================ ====================== -``KRB5_LRQ_ALL_ACCT_EXPTIME`` ``7`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.txt deleted file mode 100644 index ad376c9..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-LAST-INITIAL-data: - -KRB5_LRQ_ALL_LAST_INITIAL -========================= - -.. -.. data:: KRB5_LRQ_ALL_LAST_INITIAL -.. - - - - -================================ ====================== -``KRB5_LRQ_ALL_LAST_INITIAL`` ``2`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.txt deleted file mode 100644 index 2a59db2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-LAST-RENEWAL-data: - -KRB5_LRQ_ALL_LAST_RENEWAL -========================= - -.. -.. data:: KRB5_LRQ_ALL_LAST_RENEWAL -.. - - - - -================================ ====================== -``KRB5_LRQ_ALL_LAST_RENEWAL`` ``4`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.txt deleted file mode 100644 index bc67787..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-LAST-REQ-data: - -KRB5_LRQ_ALL_LAST_REQ -===================== - -.. -.. data:: KRB5_LRQ_ALL_LAST_REQ -.. - - - - -============================ ====================== -``KRB5_LRQ_ALL_LAST_REQ`` ``5`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.txt deleted file mode 100644 index cd583bd..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-LAST-TGT-data: - -KRB5_LRQ_ALL_LAST_TGT -===================== - -.. -.. data:: KRB5_LRQ_ALL_LAST_TGT -.. - - - - -============================ ====================== -``KRB5_LRQ_ALL_LAST_TGT`` ``1`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.txt deleted file mode 100644 index 477ef5b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-LAST-TGT-ISSUED-data: - -KRB5_LRQ_ALL_LAST_TGT_ISSUED -============================ - -.. -.. data:: KRB5_LRQ_ALL_LAST_TGT_ISSUED -.. - - - - -=================================== ====================== -``KRB5_LRQ_ALL_LAST_TGT_ISSUED`` ``3`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.txt deleted file mode 100644 index 2d2e5ed..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ALL-PW-EXPTIME-data: - -KRB5_LRQ_ALL_PW_EXPTIME -======================= - -.. -.. data:: KRB5_LRQ_ALL_PW_EXPTIME -.. - - - - -============================== ====================== -``KRB5_LRQ_ALL_PW_EXPTIME`` ``6`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_NONE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_NONE.txt deleted file mode 100644 index 82a38fe..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_NONE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-NONE-data: - -KRB5_LRQ_NONE -============= - -.. -.. data:: KRB5_LRQ_NONE -.. - - - - -==================== ====================== -``KRB5_LRQ_NONE`` ``0`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.txt deleted file mode 100644 index 54c4577..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-ACCT-EXPTIME-data: - -KRB5_LRQ_ONE_ACCT_EXPTIME -========================= - -.. -.. data:: KRB5_LRQ_ONE_ACCT_EXPTIME -.. - - - - -================================ ====================== -``KRB5_LRQ_ONE_ACCT_EXPTIME`` ``(-7)`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.txt deleted file mode 100644 index 30e6c5e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-LAST-INITIAL-data: - -KRB5_LRQ_ONE_LAST_INITIAL -========================= - -.. -.. data:: KRB5_LRQ_ONE_LAST_INITIAL -.. - - - - -================================ ====================== -``KRB5_LRQ_ONE_LAST_INITIAL`` ``(-2)`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.txt deleted file mode 100644 index 2561dca..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-LAST-RENEWAL-data: - -KRB5_LRQ_ONE_LAST_RENEWAL -========================= - -.. -.. data:: KRB5_LRQ_ONE_LAST_RENEWAL -.. - - - - -================================ ====================== -``KRB5_LRQ_ONE_LAST_RENEWAL`` ``(-4)`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.txt deleted file mode 100644 index 2e0261d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-LAST-REQ-data: - -KRB5_LRQ_ONE_LAST_REQ -===================== - -.. -.. data:: KRB5_LRQ_ONE_LAST_REQ -.. - - - - -============================ ====================== -``KRB5_LRQ_ONE_LAST_REQ`` ``(-5)`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.txt deleted file mode 100644 index a977cd3..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-LAST-TGT-data: - -KRB5_LRQ_ONE_LAST_TGT -===================== - -.. -.. data:: KRB5_LRQ_ONE_LAST_TGT -.. - - - - -============================ ====================== -``KRB5_LRQ_ONE_LAST_TGT`` ``(-1)`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.txt deleted file mode 100644 index 82e67af..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-LAST-TGT-ISSUED-data: - -KRB5_LRQ_ONE_LAST_TGT_ISSUED -============================ - -.. -.. data:: KRB5_LRQ_ONE_LAST_TGT_ISSUED -.. - - - - -=================================== ====================== -``KRB5_LRQ_ONE_LAST_TGT_ISSUED`` ``(-3)`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.txt deleted file mode 100644 index 4017357..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-LRQ-ONE-PW-EXPTIME-data: - -KRB5_LRQ_ONE_PW_EXPTIME -======================= - -.. -.. data:: KRB5_LRQ_ONE_PW_EXPTIME -.. - - - - -============================== ====================== -``KRB5_LRQ_ONE_PW_EXPTIME`` ``(-6)`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.txt deleted file mode 100644 index c6f5197..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-ENTERPRISE-PRINCIPAL-data: - -KRB5_NT_ENTERPRISE_PRINCIPAL -============================ - -.. -.. data:: KRB5_NT_ENTERPRISE_PRINCIPAL -.. - -Windows 2000 UPN. - - - -=================================== ====================== -``KRB5_NT_ENTERPRISE_PRINCIPAL`` ``10`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.txt deleted file mode 100644 index 561bd0f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-ENT-PRINCIPAL-AND-ID-data: - -KRB5_NT_ENT_PRINCIPAL_AND_ID -============================ - -.. -.. data:: KRB5_NT_ENT_PRINCIPAL_AND_ID -.. - -NT 4 style name and SID. - - - -=================================== ====================== -``KRB5_NT_ENT_PRINCIPAL_AND_ID`` ``-130`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.txt deleted file mode 100644 index 431dbfb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-MS-PRINCIPAL-data: - -KRB5_NT_MS_PRINCIPAL -==================== - -.. -.. data:: KRB5_NT_MS_PRINCIPAL -.. - -Windows 2000 UPN and SID. - - - -=========================== ====================== -``KRB5_NT_MS_PRINCIPAL`` ``-128`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.txt deleted file mode 100644 index 0f79545..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-MS-PRINCIPAL-AND-ID-data: - -KRB5_NT_MS_PRINCIPAL_AND_ID -=========================== - -.. -.. data:: KRB5_NT_MS_PRINCIPAL_AND_ID -.. - -NT 4 style name. - - - -================================== ====================== -``KRB5_NT_MS_PRINCIPAL_AND_ID`` ``-129`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_PRINCIPAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_PRINCIPAL.txt deleted file mode 100644 index cc4a6d2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_PRINCIPAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-PRINCIPAL-data: - -KRB5_NT_PRINCIPAL -================= - -.. -.. data:: KRB5_NT_PRINCIPAL -.. - -Just the name of the principal as in DCE, or for users. - - - -======================== ====================== -``KRB5_NT_PRINCIPAL`` ``1`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SMTP_NAME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_SMTP_NAME.txt deleted file mode 100644 index 000c7d0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SMTP_NAME.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-SMTP-NAME-data: - -KRB5_NT_SMTP_NAME -================= - -.. -.. data:: KRB5_NT_SMTP_NAME -.. - -Name in form of SMTP email name. - - - -======================== ====================== -``KRB5_NT_SMTP_NAME`` ``7`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.txt deleted file mode 100644 index 2304b24..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_HST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-SRV-HST-data: - -KRB5_NT_SRV_HST -=============== - -.. -.. data:: KRB5_NT_SRV_HST -.. - -Service with host name as instance (telnet, rcommands) - - - -====================== ====================== -``KRB5_NT_SRV_HST`` ``3`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.txt deleted file mode 100644 index 24fafca..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_INST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-SRV-INST-data: - -KRB5_NT_SRV_INST -================ - -.. -.. data:: KRB5_NT_SRV_INST -.. - -Service and other unique instance (krbtgt) - - - -======================= ====================== -``KRB5_NT_SRV_INST`` ``2`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.txt deleted file mode 100644 index 2a1a748..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_SRV_XHST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-SRV-XHST-data: - -KRB5_NT_SRV_XHST -================ - -.. -.. data:: KRB5_NT_SRV_XHST -.. - -Service with host as remaining components. - - - -======================= ====================== -``KRB5_NT_SRV_XHST`` ``4`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.txt deleted file mode 100644 index b7b0b36..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_UID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-UID-data: - -KRB5_NT_UID -=========== - -.. -.. data:: KRB5_NT_UID -.. - -Unique ID. - - - -================== ====================== -``KRB5_NT_UID`` ``5`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.txt deleted file mode 100644 index 8c1ed2c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_UNKNOWN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-UNKNOWN-data: - -KRB5_NT_UNKNOWN -=============== - -.. -.. data:: KRB5_NT_UNKNOWN -.. - -Name type not known. - - - -====================== ====================== -``KRB5_NT_UNKNOWN`` ``0`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.txt deleted file mode 100644 index 7853278..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_WELLKNOWN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-WELLKNOWN-data: - -KRB5_NT_WELLKNOWN -================= - -.. -.. data:: KRB5_NT_WELLKNOWN -.. - -Well-known (special) principal. - - - -======================== ====================== -``KRB5_NT_WELLKNOWN`` ``11`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.txt deleted file mode 100644 index 81ac0ea..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-NT-X500-PRINCIPAL-data: - -KRB5_NT_X500_PRINCIPAL -====================== - -.. -.. data:: KRB5_NT_X500_PRINCIPAL -.. - -PKINIT. - - - -============================= ====================== -``KRB5_NT_X500_PRINCIPAL`` ``6`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.txt deleted file mode 100644 index 14dea5b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-CLIENT-INFO-data: - -KRB5_PAC_CLIENT_INFO -==================== - -.. -.. data:: KRB5_PAC_CLIENT_INFO -.. - -Client name and ticket info. - - - -=========================== ====================== -``KRB5_PAC_CLIENT_INFO`` ``10`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.txt deleted file mode 100644 index 8243582..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-CREDENTIALS-INFO-data: - -KRB5_PAC_CREDENTIALS_INFO -========================= - -.. -.. data:: KRB5_PAC_CREDENTIALS_INFO -.. - -Credentials information. - - - -================================ ====================== -``KRB5_PAC_CREDENTIALS_INFO`` ``2`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.txt deleted file mode 100644 index 03f5eb0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-DELEGATION-INFO-data: - -KRB5_PAC_DELEGATION_INFO -======================== - -.. -.. data:: KRB5_PAC_DELEGATION_INFO -.. - -Constrained delegation info. - - - -=============================== ====================== -``KRB5_PAC_DELEGATION_INFO`` ``11`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.txt deleted file mode 100644 index fda4381..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_LOGON_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-LOGON-INFO-data: - -KRB5_PAC_LOGON_INFO -=================== - -.. -.. data:: KRB5_PAC_LOGON_INFO -.. - -Logon information. - - - -========================== ====================== -``KRB5_PAC_LOGON_INFO`` ``1`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.txt deleted file mode 100644 index 6113176..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-PRIVSVR-CHECKSUM-data: - -KRB5_PAC_PRIVSVR_CHECKSUM -========================= - -.. -.. data:: KRB5_PAC_PRIVSVR_CHECKSUM -.. - -KDC checksum. - - - -================================ ====================== -``KRB5_PAC_PRIVSVR_CHECKSUM`` ``7`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.txt deleted file mode 100644 index 610d63f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-SERVER-CHECKSUM-data: - -KRB5_PAC_SERVER_CHECKSUM -======================== - -.. -.. data:: KRB5_PAC_SERVER_CHECKSUM -.. - -Server checksum. - - - -=============================== ====================== -``KRB5_PAC_SERVER_CHECKSUM`` ``6`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.txt deleted file mode 100644 index 4f160ed..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PAC-UPN-DNS-INFO-data: - -KRB5_PAC_UPN_DNS_INFO -===================== - -.. -.. data:: KRB5_PAC_UPN_DNS_INFO -.. - -User principal name and DNS info. - - - -============================ ====================== -``KRB5_PAC_UPN_DNS_INFO`` ``12`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.txt deleted file mode 100644 index 63c6056..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-AFS3-SALT-data: - -KRB5_PADATA_AFS3_SALT -===================== - -.. -.. data:: KRB5_PADATA_AFS3_SALT -.. - -Cygnus. - -RFC 4120, 3961 - -============================ ====================== -``KRB5_PADATA_AFS3_SALT`` ``10`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AP_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AP_REQ.txt deleted file mode 100644 index f3546c5..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AP_REQ.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-AP-REQ-data: - -KRB5_PADATA_AP_REQ -================== - -.. -.. data:: KRB5_PADATA_AP_REQ -.. - - - - -========================= ====================== -``KRB5_PADATA_AP_REQ`` ``1`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.txt deleted file mode 100644 index d36ef36..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-AS-CHECKSUM-data: - -KRB5_PADATA_AS_CHECKSUM -======================= - -.. -.. data:: KRB5_PADATA_AS_CHECKSUM -.. - -AS checksum. - - - -============================== ====================== -``KRB5_PADATA_AS_CHECKSUM`` ``132`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.txt deleted file mode 100644 index 1d74dcf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ENCRYPTED-CHALLENGE-data: - -KRB5_PADATA_ENCRYPTED_CHALLENGE -=============================== - -.. -.. data:: KRB5_PADATA_ENCRYPTED_CHALLENGE -.. - -RFC 6113. - - - -====================================== ====================== -``KRB5_PADATA_ENCRYPTED_CHALLENGE`` ``138`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.txt deleted file mode 100644 index 30602bb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ENC-SANDIA-SECURID-data: - -KRB5_PADATA_ENC_SANDIA_SECURID -============================== - -.. -.. data:: KRB5_PADATA_ENC_SANDIA_SECURID -.. - -SecurId passcode. - -RFC 4120 - -===================================== ====================== -``KRB5_PADATA_ENC_SANDIA_SECURID`` ``6`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.txt deleted file mode 100644 index 495695d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ENC-TIMESTAMP-data: - -KRB5_PADATA_ENC_TIMESTAMP -========================= - -.. -.. data:: KRB5_PADATA_ENC_TIMESTAMP -.. - -RFC 4120. - - - -================================ ====================== -``KRB5_PADATA_ENC_TIMESTAMP`` ``2`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.txt deleted file mode 100644 index d7ae893..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ENC-UNIX-TIME-data: - -KRB5_PADATA_ENC_UNIX_TIME -========================= - -.. -.. data:: KRB5_PADATA_ENC_UNIX_TIME -.. - -timestamp encrypted in key. - -RFC 4120 - -================================ ====================== -``KRB5_PADATA_ENC_UNIX_TIME`` ``5`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.txt deleted file mode 100644 index 09591ad..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ETYPE-INFO-data: - -KRB5_PADATA_ETYPE_INFO -====================== - -.. -.. data:: KRB5_PADATA_ETYPE_INFO -.. - -Etype info for preauth. - -RFC 4120 - -============================= ====================== -``KRB5_PADATA_ETYPE_INFO`` ``11`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.txt deleted file mode 100644 index 533bb62..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-ETYPE-INFO2-data: - -KRB5_PADATA_ETYPE_INFO2 -======================= - -.. -.. data:: KRB5_PADATA_ETYPE_INFO2 -.. - -RFC 4120. - - - -============================== ====================== -``KRB5_PADATA_ETYPE_INFO2`` ``19`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.txt deleted file mode 100644 index cf65890..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FOR_USER.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-FOR-USER-data: - -KRB5_PADATA_FOR_USER -==================== - -.. -.. data:: KRB5_PADATA_FOR_USER -.. - -username protocol transition request - - - -=========================== ====================== -``KRB5_PADATA_FOR_USER`` ``129`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.txt deleted file mode 100644 index bf0c14b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-FX-COOKIE-data: - -KRB5_PADATA_FX_COOKIE -===================== - -.. -.. data:: KRB5_PADATA_FX_COOKIE -.. - -RFC 6113. - - - -============================ ====================== -``KRB5_PADATA_FX_COOKIE`` ``133`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_ERROR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_ERROR.txt deleted file mode 100644 index e68b7eb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_ERROR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-FX-ERROR-data: - -KRB5_PADATA_FX_ERROR -==================== - -.. -.. data:: KRB5_PADATA_FX_ERROR -.. - -RFC 6113. - - - -=========================== ====================== -``KRB5_PADATA_FX_ERROR`` ``137`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.txt deleted file mode 100644 index c60d2eb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_FX_FAST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-FX-FAST-data: - -KRB5_PADATA_FX_FAST -=================== - -.. -.. data:: KRB5_PADATA_FX_FAST -.. - -RFC 6113. - - - -========================== ====================== -``KRB5_PADATA_FX_FAST`` ``136`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.txt deleted file mode 100644 index ac2effe..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-GET-FROM-TYPED-DATA-data: - -KRB5_PADATA_GET_FROM_TYPED_DATA -=============================== - -.. -.. data:: KRB5_PADATA_GET_FROM_TYPED_DATA -.. - -Embedded in typed data. - -RFC 4120 - -====================================== ====================== -``KRB5_PADATA_GET_FROM_TYPED_DATA`` ``22`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.txt deleted file mode 100644 index c3b5842..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_NONE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-NONE-data: - -KRB5_PADATA_NONE -================ - -.. -.. data:: KRB5_PADATA_NONE -.. - - - - -======================= ====================== -``KRB5_PADATA_NONE`` ``0`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OSF_DCE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OSF_DCE.txt deleted file mode 100644 index 79c8362..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OSF_DCE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-OSF-DCE-data: - -KRB5_PADATA_OSF_DCE -=================== - -.. -.. data:: KRB5_PADATA_OSF_DCE -.. - -OSF DCE. - -RFC 4120 - -========================== ====================== -``KRB5_PADATA_OSF_DCE`` ``8`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.txt deleted file mode 100644 index 480ec9b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-OTP-CHALLENGE-data: - -KRB5_PADATA_OTP_CHALLENGE -========================= - -.. -.. data:: KRB5_PADATA_OTP_CHALLENGE -.. - -RFC 6560 section 4.1. - - - -================================ ====================== -``KRB5_PADATA_OTP_CHALLENGE`` ``141`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.txt deleted file mode 100644 index 677be03..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-OTP-PIN-CHANGE-data: - -KRB5_PADATA_OTP_PIN_CHANGE -========================== - -.. -.. data:: KRB5_PADATA_OTP_PIN_CHANGE -.. - -RFC 6560 section 4.3. - - - -================================= ====================== -``KRB5_PADATA_OTP_PIN_CHANGE`` ``144`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.txt deleted file mode 100644 index 498606e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-OTP-REQUEST-data: - -KRB5_PADATA_OTP_REQUEST -======================= - -.. -.. data:: KRB5_PADATA_OTP_REQUEST -.. - -RFC 6560 section 4.2. - - - -============================== ====================== -``KRB5_PADATA_OTP_REQUEST`` ``142`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.txt deleted file mode 100644 index d8b737f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PAC-REQUEST-data: - -KRB5_PADATA_PAC_REQUEST -======================= - -.. -.. data:: KRB5_PADATA_PAC_REQUEST -.. - -include Windows PAC - - - -============================== ====================== -``KRB5_PADATA_PAC_REQUEST`` ``128`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.txt deleted file mode 100644 index 29e6724..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PKINIT-KX-data: - -KRB5_PADATA_PKINIT_KX -===================== - -.. -.. data:: KRB5_PADATA_PKINIT_KX -.. - -RFC 6112. - - - -============================ ====================== -``KRB5_PADATA_PKINIT_KX`` ``147`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.txt deleted file mode 100644 index aff8309..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PK-AS-REP-data: - -KRB5_PADATA_PK_AS_REP -===================== - -.. -.. data:: KRB5_PADATA_PK_AS_REP -.. - -PKINIT. - -RFC 4556 - -============================ ====================== -``KRB5_PADATA_PK_AS_REP`` ``17`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.txt deleted file mode 100644 index 6ca1842..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PK-AS-REP-OLD-data: - -KRB5_PADATA_PK_AS_REP_OLD -========================= - -.. -.. data:: KRB5_PADATA_PK_AS_REP_OLD -.. - -PKINIT. - - - -================================ ====================== -``KRB5_PADATA_PK_AS_REP_OLD`` ``15`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.txt deleted file mode 100644 index 805bc50..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PK-AS-REQ-data: - -KRB5_PADATA_PK_AS_REQ -===================== - -.. -.. data:: KRB5_PADATA_PK_AS_REQ -.. - -PKINIT. - -RFC 4556 - -============================ ====================== -``KRB5_PADATA_PK_AS_REQ`` ``16`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.txt deleted file mode 100644 index 30e144d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PK-AS-REQ-OLD-data: - -KRB5_PADATA_PK_AS_REQ_OLD -========================= - -.. -.. data:: KRB5_PADATA_PK_AS_REQ_OLD -.. - -PKINIT. - - - -================================ ====================== -``KRB5_PADATA_PK_AS_REQ_OLD`` ``14`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.txt deleted file mode 100644 index 2548753..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_PW_SALT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-PW-SALT-data: - -KRB5_PADATA_PW_SALT -=================== - -.. -.. data:: KRB5_PADATA_PW_SALT -.. - -RFC 4120. - - - -========================== ====================== -``KRB5_PADATA_PW_SALT`` ``3`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.txt deleted file mode 100644 index 28c3a53..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_REFERRAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-REFERRAL-data: - -KRB5_PADATA_REFERRAL -==================== - -.. -.. data:: KRB5_PADATA_REFERRAL -.. - -draft referral system - - - -=========================== ====================== -``KRB5_PADATA_REFERRAL`` ``25`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.txt deleted file mode 100644 index e06330d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-S4U-X509-USER-data: - -KRB5_PADATA_S4U_X509_USER -========================= - -.. -.. data:: KRB5_PADATA_S4U_X509_USER -.. - -certificate protocol transition request - - - -================================ ====================== -``KRB5_PADATA_S4U_X509_USER`` ``130`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.txt deleted file mode 100644 index 016d36b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SAM-CHALLENGE-data: - -KRB5_PADATA_SAM_CHALLENGE -========================= - -.. -.. data:: KRB5_PADATA_SAM_CHALLENGE -.. - -SAM/OTP. - - - -================================ ====================== -``KRB5_PADATA_SAM_CHALLENGE`` ``12`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.txt deleted file mode 100644 index 533ea06..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SAM-CHALLENGE-2-data: - -KRB5_PADATA_SAM_CHALLENGE_2 -=========================== - -.. -.. data:: KRB5_PADATA_SAM_CHALLENGE_2 -.. - -draft challenge system, updated - - - -================================== ====================== -``KRB5_PADATA_SAM_CHALLENGE_2`` ``30`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.txt deleted file mode 100644 index e69387d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SAM-REDIRECT-data: - -KRB5_PADATA_SAM_REDIRECT -======================== - -.. -.. data:: KRB5_PADATA_SAM_REDIRECT -.. - -SAM/OTP. - -RFC 4120 - -=============================== ====================== -``KRB5_PADATA_SAM_REDIRECT`` ``21`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.txt deleted file mode 100644 index e94d047..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SAM-RESPONSE-data: - -KRB5_PADATA_SAM_RESPONSE -======================== - -.. -.. data:: KRB5_PADATA_SAM_RESPONSE -.. - -SAM/OTP. - - - -=============================== ====================== -``KRB5_PADATA_SAM_RESPONSE`` ``13`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.txt deleted file mode 100644 index 6621613..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SAM-RESPONSE-2-data: - -KRB5_PADATA_SAM_RESPONSE_2 -========================== - -.. -.. data:: KRB5_PADATA_SAM_RESPONSE_2 -.. - -draft challenge system, updated - - - -================================= ====================== -``KRB5_PADATA_SAM_RESPONSE_2`` ``31`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SESAME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SESAME.txt deleted file mode 100644 index 63019ee..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SESAME.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SESAME-data: - -KRB5_PADATA_SESAME -================== - -.. -.. data:: KRB5_PADATA_SESAME -.. - -Sesame project. - -RFC 4120 - -========================= ====================== -``KRB5_PADATA_SESAME`` ``7`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.txt deleted file mode 100644 index e58a172..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-SVR-REFERRAL-INFO-data: - -KRB5_PADATA_SVR_REFERRAL_INFO -============================= - -.. -.. data:: KRB5_PADATA_SVR_REFERRAL_INFO -.. - -Windows 2000 referrals. - -RFC 6820 - -==================================== ====================== -``KRB5_PADATA_SVR_REFERRAL_INFO`` ``20`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_TGS_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_TGS_REQ.txt deleted file mode 100644 index e888f5b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_TGS_REQ.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-TGS-REQ-data: - -KRB5_PADATA_TGS_REQ -=================== - -.. -.. data:: KRB5_PADATA_TGS_REQ -.. - - - - -========================== ====================== -``KRB5_PADATA_TGS_REQ`` ``KRB5_PADATA_AP_REQ`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.txt deleted file mode 100644 index 5ee21d2..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PADATA-USE-SPECIFIED-KVNO-data: - -KRB5_PADATA_USE_SPECIFIED_KVNO -============================== - -.. -.. data:: KRB5_PADATA_USE_SPECIFIED_KVNO -.. - -RFC 4120. - - - -===================================== ====================== -``KRB5_PADATA_USE_SPECIFIED_KVNO`` ``20`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.txt deleted file mode 100644 index bd42eeb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-COMPARE-CASEFOLD-data: - -KRB5_PRINCIPAL_COMPARE_CASEFOLD -=============================== - -.. -.. data:: KRB5_PRINCIPAL_COMPARE_CASEFOLD -.. - -case-insensitive - - - -====================================== ====================== -``KRB5_PRINCIPAL_COMPARE_CASEFOLD`` ``4`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.txt deleted file mode 100644 index 3341d43..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-COMPARE-ENTERPRISE-data: - -KRB5_PRINCIPAL_COMPARE_ENTERPRISE -================================= - -.. -.. data:: KRB5_PRINCIPAL_COMPARE_ENTERPRISE -.. - -UPNs as real principals. - - - -======================================== ====================== -``KRB5_PRINCIPAL_COMPARE_ENTERPRISE`` ``2`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.txt deleted file mode 100644 index 39b443f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-COMPARE-IGNORE-REALM-data: - -KRB5_PRINCIPAL_COMPARE_IGNORE_REALM -=================================== - -.. -.. data:: KRB5_PRINCIPAL_COMPARE_IGNORE_REALM -.. - -ignore realm component - - - -========================================== ====================== -``KRB5_PRINCIPAL_COMPARE_IGNORE_REALM`` ``1`` -========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.txt deleted file mode 100644 index 78bc4b0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-COMPARE-UTF8-data: - -KRB5_PRINCIPAL_COMPARE_UTF8 -=========================== - -.. -.. data:: KRB5_PRINCIPAL_COMPARE_UTF8 -.. - -treat principals as UTF-8 - - - -================================== ====================== -``KRB5_PRINCIPAL_COMPARE_UTF8`` ``8`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.txt deleted file mode 100644 index df6de6c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-PARSE-ENTERPRISE-data: - -KRB5_PRINCIPAL_PARSE_ENTERPRISE -=============================== - -.. -.. data:: KRB5_PRINCIPAL_PARSE_ENTERPRISE -.. - -Create single-component enterprise principle. - - - -====================================== ====================== -``KRB5_PRINCIPAL_PARSE_ENTERPRISE`` ``0x4`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.txt deleted file mode 100644 index d6a3995..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-PARSE-IGNORE-REALM-data: - -KRB5_PRINCIPAL_PARSE_IGNORE_REALM -================================= - -.. -.. data:: KRB5_PRINCIPAL_PARSE_IGNORE_REALM -.. - -Ignore realm if present. - - - -======================================== ====================== -``KRB5_PRINCIPAL_PARSE_IGNORE_REALM`` ``0x8`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.txt deleted file mode 100644 index ecd8226..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-PARSE-NO-REALM-data: - -KRB5_PRINCIPAL_PARSE_NO_REALM -============================= - -.. -.. data:: KRB5_PRINCIPAL_PARSE_NO_REALM -.. - -Error if realm is present. - - - -==================================== ====================== -``KRB5_PRINCIPAL_PARSE_NO_REALM`` ``0x1`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.txt deleted file mode 100644 index 022e161..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-PARSE-REQUIRE-REALM-data: - -KRB5_PRINCIPAL_PARSE_REQUIRE_REALM -================================== - -.. -.. data:: KRB5_PRINCIPAL_PARSE_REQUIRE_REALM -.. - -Error if realm is not present. - - - -========================================= ====================== -``KRB5_PRINCIPAL_PARSE_REQUIRE_REALM`` ``0x2`` -========================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.txt deleted file mode 100644 index d15af8b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-UNPARSE-DISPLAY-data: - -KRB5_PRINCIPAL_UNPARSE_DISPLAY -============================== - -.. -.. data:: KRB5_PRINCIPAL_UNPARSE_DISPLAY -.. - -Don't escape special characters. - - - -===================================== ====================== -``KRB5_PRINCIPAL_UNPARSE_DISPLAY`` ``0x4`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.txt deleted file mode 100644 index 1f8bb51..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-UNPARSE-NO-REALM-data: - -KRB5_PRINCIPAL_UNPARSE_NO_REALM -=============================== - -.. -.. data:: KRB5_PRINCIPAL_UNPARSE_NO_REALM -.. - -Omit realm always. - - - -====================================== ====================== -``KRB5_PRINCIPAL_UNPARSE_NO_REALM`` ``0x2`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.txt deleted file mode 100644 index c640401..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRINCIPAL-UNPARSE-SHORT-data: - -KRB5_PRINCIPAL_UNPARSE_SHORT -============================ - -.. -.. data:: KRB5_PRINCIPAL_UNPARSE_SHORT -.. - -Omit realm if it is the local realm. - - - -=================================== ====================== -``KRB5_PRINCIPAL_UNPARSE_SHORT`` ``0x1`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PRIV.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PRIV.txt deleted file mode 100644 index aaa2dbc..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PRIV.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PRIV-data: - -KRB5_PRIV -========= - -.. -.. data:: KRB5_PRIV -.. - -Private application message. - - - -================ ====================== -``KRB5_PRIV`` ``((krb5_msgtype)21)`` -================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.txt deleted file mode 100644 index 115bae1..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PROMPT-TYPE-NEW-PASSWORD-data: - -KRB5_PROMPT_TYPE_NEW_PASSWORD -============================= - -.. -.. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD -.. - -Prompt for new password (during password change) - - - -==================================== ====================== -``KRB5_PROMPT_TYPE_NEW_PASSWORD`` ``0x2`` -==================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.txt deleted file mode 100644 index 170fa58..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PROMPT-TYPE-NEW-PASSWORD-AGAIN-data: - -KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN -=================================== - -.. -.. data:: KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN -.. - -Prompt for new password again. - - - -========================================== ====================== -``KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN`` ``0x3`` -========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.txt deleted file mode 100644 index 37e3243..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PROMPT-TYPE-PASSWORD-data: - -KRB5_PROMPT_TYPE_PASSWORD -========================= - -.. -.. data:: KRB5_PROMPT_TYPE_PASSWORD -.. - -Prompt for password. - - - -================================ ====================== -``KRB5_PROMPT_TYPE_PASSWORD`` ``0x1`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.txt deleted file mode 100644 index 5d577cc..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PROMPT-TYPE-PREAUTH-data: - -KRB5_PROMPT_TYPE_PREAUTH -======================== - -.. -.. data:: KRB5_PROMPT_TYPE_PREAUTH -.. - -Prompt for preauthentication data (such as an OTP value) - - - -=============================== ====================== -``KRB5_PROMPT_TYPE_PREAUTH`` ``0x4`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_PVNO.txt b/doc/html/_sources/appdev/refs/macros/KRB5_PVNO.txt deleted file mode 100644 index fe2f903..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_PVNO.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-PVNO-data: - -KRB5_PVNO -========= - -.. -.. data:: KRB5_PVNO -.. - -Protocol version number. - - - -================ ====================== -``KRB5_PVNO`` ``5`` -================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.txt deleted file mode 100644 index 15478f0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-REALM-BRANCH-CHAR-data: - -KRB5_REALM_BRANCH_CHAR -====================== - -.. -.. data:: KRB5_REALM_BRANCH_CHAR -.. - - - - -============================= ====================== -``KRB5_REALM_BRANCH_CHAR`` ``'.'`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.txt deleted file mode 100644 index c3c2dfa..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RECVAUTH-BADAUTHVERS-data: - -KRB5_RECVAUTH_BADAUTHVERS -========================= - -.. -.. data:: KRB5_RECVAUTH_BADAUTHVERS -.. - - - - -================================ ====================== -``KRB5_RECVAUTH_BADAUTHVERS`` ``0x0002`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.txt deleted file mode 100644 index e833faa..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RECVAUTH-SKIP-VERSION-data: - -KRB5_RECVAUTH_SKIP_VERSION -========================== - -.. -.. data:: KRB5_RECVAUTH_SKIP_VERSION -.. - - - - -================================= ====================== -``KRB5_RECVAUTH_SKIP_VERSION`` ``0x0001`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.txt b/doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.txt deleted file mode 100644 index f862018..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_REFERRAL_REALM.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-REFERRAL-REALM-data: - -KRB5_REFERRAL_REALM -=================== - -.. -.. data:: KRB5_REFERRAL_REALM -.. - -Constant for realm referrals. - - - -========================== ====================== -``KRB5_REFERRAL_REALM`` ``""`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.txt deleted file mode 100644 index b9dc937..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-PIN-data: - -KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN -==================================== - -.. -.. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN -.. - -This flag indicates that the PIN value MUST be collected. - - - -=========================================== ====================== -``KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN`` ``0x0002`` -=========================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.txt deleted file mode 100644 index ced9443..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FLAGS-COLLECT-TOKEN-data: - -KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN -====================================== - -.. -.. data:: KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN -.. - -This flag indicates that the token value MUST be collected. - - - -============================================= ====================== -``KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN`` ``0x0001`` -============================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.txt deleted file mode 100644 index b3e9204..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FLAGS-NEXTOTP-data: - -KRB5_RESPONDER_OTP_FLAGS_NEXTOTP -================================ - -.. -.. data:: KRB5_RESPONDER_OTP_FLAGS_NEXTOTP -.. - -This flag indicates that the token is now in re-synchronization mode with the server. - -The user is expected to reply with the next code displayed on the token. - -======================================= ====================== -``KRB5_RESPONDER_OTP_FLAGS_NEXTOTP`` ``0x0004`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.txt deleted file mode 100644 index f43d49d..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FLAGS-SEPARATE-PIN-data: - -KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN -===================================== - -.. -.. data:: KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN -.. - -This flag indicates that the PIN MUST be returned as a separate item. - -This flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as "value" in the answer or it may return them separately. If they are returned separately, they will be concatenated internally. - -============================================ ====================== -``KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN`` ``0x0008`` -============================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.txt deleted file mode 100644 index 58a97cf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FORMAT-ALPHANUMERIC-data: - -KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC -====================================== - -.. -.. data:: KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC -.. - - - - -============================================= ====================== -``KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC`` ``2`` -============================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.txt deleted file mode 100644 index bfafd2f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FORMAT-DECIMAL-data: - -KRB5_RESPONDER_OTP_FORMAT_DECIMAL -================================= - -.. -.. data:: KRB5_RESPONDER_OTP_FORMAT_DECIMAL -.. - -These format constants identify the format of the token value. - - - -======================================== ====================== -``KRB5_RESPONDER_OTP_FORMAT_DECIMAL`` ``0`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.txt deleted file mode 100644 index eaf925b..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-OTP-FORMAT-HEXADECIMAL-data: - -KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL -===================================== - -.. -.. data:: KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL -.. - - - - -============================================ ====================== -``KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL`` ``1`` -============================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.txt deleted file mode 100644 index a034d3c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-COUNT-LOW-data: - -KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW -==================================================== - -.. -.. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW -.. - -This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. - - - -=========================================================== ====================== -``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW`` ``(1 << 0)`` -=========================================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.txt deleted file mode 100644 index 59d01bd..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-FINAL-TRY-data: - -KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY -==================================================== - -.. -.. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY -.. - -This flag indicates that supplying an incorrect PIN will cause the token to lock itself. - - - -=========================================================== ====================== -``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY`` ``(1 << 1)`` -=========================================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.txt deleted file mode 100644 index 00e3126..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-PKINIT-FLAGS-TOKEN-USER-PIN-LOCKED-data: - -KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED -================================================= - -.. -.. data:: KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED -.. - -This flag indicates that the user PIN is locked, and you can't log in to the token with it. - - - -======================================================== ====================== -``KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED`` ``(1 << 2)`` -======================================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.txt deleted file mode 100644 index cb63b5e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.txt +++ /dev/null @@ -1,63 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-QUESTION-OTP-data: - -KRB5_RESPONDER_QUESTION_OTP -=========================== - -.. -.. data:: KRB5_RESPONDER_QUESTION_OTP -.. - -OTP responder question. - -The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is: - -*{* - -*"service": ,* - -*"tokenInfo": [* - -*{* - -*"flags": ,* - -*"vendor": ,* - -*"challenge": ,* - -*"length": ,* - -*"format": ,* - -*"tokenID": ,* - -*"algID": ,* - -*},* - -*...* - -*]* - -*}* - -The answer to the question MUST be JSON formatted: - -*{* - -*"tokeninfo": ,* - -*"value": ,* - -*"pin": ,* - -*}* - -For more detail, please see RFC 6560. - - -================================== ====================== -``KRB5_RESPONDER_QUESTION_OTP`` ``"otp"`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.txt deleted file mode 100644 index 8606604..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.txt +++ /dev/null @@ -1,19 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-QUESTION-PASSWORD-data: - -KRB5_RESPONDER_QUESTION_PASSWORD -================================ - -.. -.. data:: KRB5_RESPONDER_QUESTION_PASSWORD -.. - -Long-term password responder question. - -This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string. - - -======================================= ====================== -``KRB5_RESPONDER_QUESTION_PASSWORD`` ``"password"`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.txt deleted file mode 100644 index 1602eb7..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.txt +++ /dev/null @@ -1,38 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-RESPONDER-QUESTION-PKINIT-data: - -KRB5_RESPONDER_QUESTION_PKINIT -============================== - -.. -.. data:: KRB5_RESPONDER_QUESTION_PKINIT -.. - -PKINIT responder question. - -The PKINIT responder question is asked when the client needs a password that's being used to protect key information, and is formatted as a JSON object. A specific identity's flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on. - -*{* - -*identity : flags ,* - -*...* - -*}* - -The answer to the question MUST be JSON formatted: - -*{* - -*identity : password ,* - -*...* - -*}* - - - -===================================== ====================== -``KRB5_RESPONDER_QUESTION_PKINIT`` ``"pkinit"`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_SAFE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_SAFE.txt deleted file mode 100644 index 519fd4a..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_SAFE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-SAFE-data: - -KRB5_SAFE -========= - -.. -.. data:: KRB5_SAFE -.. - -Safe application message. - - - -================ ====================== -``KRB5_SAFE`` ``((krb5_msgtype)20)`` -================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.txt deleted file mode 100644 index a8b453c..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-SAM-MUST-PK-ENCRYPT-SAD-data: - -KRB5_SAM_MUST_PK_ENCRYPT_SAD -============================ - -.. -.. data:: KRB5_SAM_MUST_PK_ENCRYPT_SAD -.. - -currently must be zero - - - -=================================== ====================== -``KRB5_SAM_MUST_PK_ENCRYPT_SAD`` ``0x20000000`` -=================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.txt b/doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.txt deleted file mode 100644 index 64d43a4..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-SAM-SEND-ENCRYPTED-SAD-data: - -KRB5_SAM_SEND_ENCRYPTED_SAD -=========================== - -.. -.. data:: KRB5_SAM_SEND_ENCRYPTED_SAD -.. - - - - -================================== ====================== -``KRB5_SAM_SEND_ENCRYPTED_SAD`` ``0x40000000`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.txt deleted file mode 100644 index 21ac066..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-SAM-USE-SAD-AS-KEY-data: - -KRB5_SAM_USE_SAD_AS_KEY -======================= - -.. -.. data:: KRB5_SAM_USE_SAD_AS_KEY -.. - - - - -============================== ====================== -``KRB5_SAM_USE_SAD_AS_KEY`` ``0x80000000`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.txt deleted file mode 100644 index eae8cf4..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-2ND-TKT-data: - -KRB5_TC_MATCH_2ND_TKT -===================== - -.. -.. data:: KRB5_TC_MATCH_2ND_TKT -.. - -The second ticket must match. - - - -============================ ====================== -``KRB5_TC_MATCH_2ND_TKT`` ``0x00000080`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.txt deleted file mode 100644 index 2229332..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-AUTHDATA-data: - -KRB5_TC_MATCH_AUTHDATA -====================== - -.. -.. data:: KRB5_TC_MATCH_AUTHDATA -.. - -The authorization data must match. - - - -============================= ====================== -``KRB5_TC_MATCH_AUTHDATA`` ``0x00000020`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.txt deleted file mode 100644 index ec95c5f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-FLAGS-data: - -KRB5_TC_MATCH_FLAGS -=================== - -.. -.. data:: KRB5_TC_MATCH_FLAGS -.. - -All the flags set in the match credentials must be set. - - - -========================== ====================== -``KRB5_TC_MATCH_FLAGS`` ``0x00000004`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.txt deleted file mode 100644 index 8cef13e..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-FLAGS-EXACT-data: - -KRB5_TC_MATCH_FLAGS_EXACT -========================= - -.. -.. data:: KRB5_TC_MATCH_FLAGS_EXACT -.. - -All the flags must match exactly. - - - -================================ ====================== -``KRB5_TC_MATCH_FLAGS_EXACT`` ``0x00000010`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.txt deleted file mode 100644 index 6685002..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-IS-SKEY-data: - -KRB5_TC_MATCH_IS_SKEY -===================== - -.. -.. data:: KRB5_TC_MATCH_IS_SKEY -.. - -The is_skey field must match exactly. - - - -============================ ====================== -``KRB5_TC_MATCH_IS_SKEY`` ``0x00000002`` -============================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.txt deleted file mode 100644 index 31325a8..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-KTYPE-data: - -KRB5_TC_MATCH_KTYPE -=================== - -.. -.. data:: KRB5_TC_MATCH_KTYPE -.. - -The encryption key type must match. - - - -========================== ====================== -``KRB5_TC_MATCH_KTYPE`` ``0x00000100`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.txt deleted file mode 100644 index 4c7695f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-SRV-NAMEONLY-data: - -KRB5_TC_MATCH_SRV_NAMEONLY -========================== - -.. -.. data:: KRB5_TC_MATCH_SRV_NAMEONLY -.. - -Only the name portion of the principal name must match. - - - -================================= ====================== -``KRB5_TC_MATCH_SRV_NAMEONLY`` ``0x00000040`` -================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.txt deleted file mode 100644 index 7a16524..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-TIMES-data: - -KRB5_TC_MATCH_TIMES -=================== - -.. -.. data:: KRB5_TC_MATCH_TIMES -.. - -The requested lifetime must be at least as great as the time specified. - - - -========================== ====================== -``KRB5_TC_MATCH_TIMES`` ``0x00000001`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.txt deleted file mode 100644 index 2453f93..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-MATCH-TIMES-EXACT-data: - -KRB5_TC_MATCH_TIMES_EXACT -========================= - -.. -.. data:: KRB5_TC_MATCH_TIMES_EXACT -.. - -All the time fields must match exactly. - - - -================================ ====================== -``KRB5_TC_MATCH_TIMES_EXACT`` ``0x00000008`` -================================ ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.txt deleted file mode 100644 index a9008cf..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_NOTICKET.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-NOTICKET-data: - -KRB5_TC_NOTICKET -================ - -.. -.. data:: KRB5_TC_NOTICKET -.. - - - - -======================= ====================== -``KRB5_TC_NOTICKET`` ``0x00000002`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.txt deleted file mode 100644 index a7fb943..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_OPENCLOSE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-OPENCLOSE-data: - -KRB5_TC_OPENCLOSE -================= - -.. -.. data:: KRB5_TC_OPENCLOSE -.. - -Open and close the file for each cache operation. - - - -======================== ====================== -``KRB5_TC_OPENCLOSE`` ``0x00000001`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.txt deleted file mode 100644 index e1edae9..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TC-SUPPORTED-KTYPES-data: - -KRB5_TC_SUPPORTED_KTYPES -======================== - -.. -.. data:: KRB5_TC_SUPPORTED_KTYPES -.. - -The supported key types must match. - - - -=============================== ====================== -``KRB5_TC_SUPPORTED_KTYPES`` ``0x00000200`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.txt deleted file mode 100644 index 602b5c3..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TGS-NAME-data: - -KRB5_TGS_NAME -============= - -.. -.. data:: KRB5_TGS_NAME -.. - - - - -==================== ====================== -``KRB5_TGS_NAME`` ``"krbtgt"`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.txt deleted file mode 100644 index 931ebdb..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_NAME_SIZE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TGS-NAME-SIZE-data: - -KRB5_TGS_NAME_SIZE -================== - -.. -.. data:: KRB5_TGS_NAME_SIZE -.. - - - - -========================= ====================== -``KRB5_TGS_NAME_SIZE`` ``6`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REP.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REP.txt deleted file mode 100644 index 18cadb3..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REP.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TGS-REP-data: - -KRB5_TGS_REP -============ - -.. -.. data:: KRB5_TGS_REP -.. - -Response to TGS request. - - - -=================== ====================== -``KRB5_TGS_REP`` ``((krb5_msgtype)13)`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.txt deleted file mode 100644 index 132d9f5..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TGS_REQ.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TGS-REQ-data: - -KRB5_TGS_REQ -============ - -.. -.. data:: KRB5_TGS_REQ -.. - -Ticket granting server request. - - - -=================== ====================== -``KRB5_TGS_REQ`` ``((krb5_msgtype)12)`` -=================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.txt b/doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.txt deleted file mode 100644 index 28d376f..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-TKT-CREDS-STEP-FLAG-CONTINUE-data: - -KRB5_TKT_CREDS_STEP_FLAG_CONTINUE -================================= - -.. -.. data:: KRB5_TKT_CREDS_STEP_FLAG_CONTINUE -.. - -More responses needed. - - - -======================================== ====================== -``KRB5_TKT_CREDS_STEP_FLAG_CONTINUE`` ``0x1`` -======================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.txt b/doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.txt deleted file mode 100644 index a6a60c9..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-VERIFY-INIT-CREDS-OPT-AP-REQ-NOFAIL-data: - -KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL -======================================== - -.. -.. data:: KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL -.. - - - - -=============================================== ====================== -``KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL`` ``0x0001`` -=============================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.txt b/doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.txt deleted file mode 100644 index 430a3f0..0000000 --- a/doc/html/_sources/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _KRB5-WELLKNOWN-NAMESTR-data: - -KRB5_WELLKNOWN_NAMESTR -====================== - -.. -.. data:: KRB5_WELLKNOWN_NAMESTR -.. - -First component of NT_WELLKNOWN principals. - - - -============================= ====================== -``KRB5_WELLKNOWN_NAMESTR`` ``"WELLKNOWN"`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.txt b/doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.txt deleted file mode 100644 index c44baf6..0000000 --- a/doc/html/_sources/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _LR-TYPE-INTERPRETATION-MASK-data: - -LR_TYPE_INTERPRETATION_MASK -=========================== - -.. -.. data:: LR_TYPE_INTERPRETATION_MASK -.. - - - - -================================== ====================== -``LR_TYPE_INTERPRETATION_MASK`` ``0x7fff`` -================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.txt b/doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.txt deleted file mode 100644 index 15e6dbf..0000000 --- a/doc/html/_sources/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _LR-TYPE-THIS-SERVER-ONLY-data: - -LR_TYPE_THIS_SERVER_ONLY -======================== - -.. -.. data:: LR_TYPE_THIS_SERVER_ONLY -.. - - - - -=============================== ====================== -``LR_TYPE_THIS_SERVER_ONLY`` ``0x8000`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.txt b/doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.txt deleted file mode 100644 index 94bde20..0000000 --- a/doc/html/_sources/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.txt +++ /dev/null @@ -1,18 +0,0 @@ -.. highlightlang:: c - -.. _MAX-KEYTAB-NAME-LEN-data: - -MAX_KEYTAB_NAME_LEN -=================== - -.. -.. data:: MAX_KEYTAB_NAME_LEN -.. - -Long enough for MAXPATHLEN + some extra. - - - -========================== ====================== -``MAX_KEYTAB_NAME_LEN`` ``1100`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.txt b/doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.txt deleted file mode 100644 index 9a4b07e..0000000 --- a/doc/html/_sources/appdev/refs/macros/MSEC_DIRBIT.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _MSEC-DIRBIT-data: - -MSEC_DIRBIT -=========== - -.. -.. data:: MSEC_DIRBIT -.. - - - - -================== ====================== -``MSEC_DIRBIT`` ``0x8000`` -================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.txt b/doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.txt deleted file mode 100644 index 7d60035..0000000 --- a/doc/html/_sources/appdev/refs/macros/MSEC_VAL_MASK.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _MSEC-VAL-MASK-data: - -MSEC_VAL_MASK -============= - -.. -.. data:: MSEC_VAL_MASK -.. - - - - -==================== ====================== -``MSEC_VAL_MASK`` ``0x7fff`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.txt b/doc/html/_sources/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.txt deleted file mode 100644 index c9db0ac..0000000 --- a/doc/html/_sources/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _SALT-TYPE-AFS-LENGTH-data: - -SALT_TYPE_AFS_LENGTH -==================== - -.. -.. data:: SALT_TYPE_AFS_LENGTH -.. - - - - -=========================== ====================== -``SALT_TYPE_AFS_LENGTH`` ``UINT_MAX`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.txt b/doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.txt deleted file mode 100644 index 4025269..0000000 --- a/doc/html/_sources/appdev/refs/macros/SALT_TYPE_NO_LENGTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _SALT-TYPE-NO-LENGTH-data: - -SALT_TYPE_NO_LENGTH -=================== - -.. -.. data:: SALT_TYPE_NO_LENGTH -.. - - - - -========================== ====================== -``SALT_TYPE_NO_LENGTH`` ``UINT_MAX`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.txt b/doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.txt deleted file mode 100644 index 2840552..0000000 --- a/doc/html/_sources/appdev/refs/macros/THREEPARAMOPEN.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _THREEPARAMOPEN-data: - -THREEPARAMOPEN -============== - -.. -.. data:: THREEPARAMOPEN -.. - - - - -============================== ====================== -``THREEPARAMOPEN (x, y, z)`` ``open(x,y,z)`` -============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.txt deleted file mode 100644 index 0bc4517..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_ANONYMOUS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-ANONYMOUS-data: - -TKT_FLG_ANONYMOUS -================= - -.. -.. data:: TKT_FLG_ANONYMOUS -.. - - - - -======================== ====================== -``TKT_FLG_ANONYMOUS`` ``0x00008000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.txt deleted file mode 100644 index 0acc605..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_ENC_PA_REP.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-ENC-PA-REP-data: - -TKT_FLG_ENC_PA_REP -================== - -.. -.. data:: TKT_FLG_ENC_PA_REP -.. - - - - -========================= ====================== -``TKT_FLG_ENC_PA_REP`` ``0x00010000`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDABLE.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDABLE.txt deleted file mode 100644 index 1566a8a..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-FORWARDABLE-data: - -TKT_FLG_FORWARDABLE -=================== - -.. -.. data:: TKT_FLG_FORWARDABLE -.. - - - - -========================== ====================== -``TKT_FLG_FORWARDABLE`` ``0x40000000`` -========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.txt deleted file mode 100644 index 35d6aa0..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_FORWARDED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-FORWARDED-data: - -TKT_FLG_FORWARDED -================= - -.. -.. data:: TKT_FLG_FORWARDED -.. - - - - -======================== ====================== -``TKT_FLG_FORWARDED`` ``0x20000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.txt deleted file mode 100644 index ed238e2..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_HW_AUTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-HW-AUTH-data: - -TKT_FLG_HW_AUTH -=============== - -.. -.. data:: TKT_FLG_HW_AUTH -.. - - - - -====================== ====================== -``TKT_FLG_HW_AUTH`` ``0x00100000`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.txt deleted file mode 100644 index b004176..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_INITIAL.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-INITIAL-data: - -TKT_FLG_INITIAL -=============== - -.. -.. data:: TKT_FLG_INITIAL -.. - - - - -====================== ====================== -``TKT_FLG_INITIAL`` ``0x00400000`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_INVALID.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_INVALID.txt deleted file mode 100644 index efb9d5a..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_INVALID.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-INVALID-data: - -TKT_FLG_INVALID -=============== - -.. -.. data:: TKT_FLG_INVALID -.. - - - - -====================== ====================== -``TKT_FLG_INVALID`` ``0x01000000`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.txt deleted file mode 100644 index bff936d..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-MAY-POSTDATE-data: - -TKT_FLG_MAY_POSTDATE -==================== - -.. -.. data:: TKT_FLG_MAY_POSTDATE -.. - - - - -=========================== ====================== -``TKT_FLG_MAY_POSTDATE`` ``0x04000000`` -=========================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.txt deleted file mode 100644 index 690f55a..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-OK-AS-DELEGATE-data: - -TKT_FLG_OK_AS_DELEGATE -====================== - -.. -.. data:: TKT_FLG_OK_AS_DELEGATE -.. - - - - -============================= ====================== -``TKT_FLG_OK_AS_DELEGATE`` ``0x00040000`` -============================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.txt deleted file mode 100644 index 8c4635b..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_POSTDATED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-POSTDATED-data: - -TKT_FLG_POSTDATED -================= - -.. -.. data:: TKT_FLG_POSTDATED -.. - - - - -======================== ====================== -``TKT_FLG_POSTDATED`` ``0x02000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PRE_AUTH.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_PRE_AUTH.txt deleted file mode 100644 index c64288a..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PRE_AUTH.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-PRE-AUTH-data: - -TKT_FLG_PRE_AUTH -================ - -.. -.. data:: TKT_FLG_PRE_AUTH -.. - - - - -======================= ====================== -``TKT_FLG_PRE_AUTH`` ``0x00200000`` -======================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.txt deleted file mode 100644 index 4df206b..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXIABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-PROXIABLE-data: - -TKT_FLG_PROXIABLE -================= - -.. -.. data:: TKT_FLG_PROXIABLE -.. - - - - -======================== ====================== -``TKT_FLG_PROXIABLE`` ``0x10000000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXY.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXY.txt deleted file mode 100644 index fb75dd9..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_PROXY.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-PROXY-data: - -TKT_FLG_PROXY -============= - -.. -.. data:: TKT_FLG_PROXY -.. - - - - -==================== ====================== -``TKT_FLG_PROXY`` ``0x08000000`` -==================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.txt deleted file mode 100644 index 8a1ad04..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_RENEWABLE.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-RENEWABLE-data: - -TKT_FLG_RENEWABLE -================= - -.. -.. data:: TKT_FLG_RENEWABLE -.. - - - - -======================== ====================== -``TKT_FLG_RENEWABLE`` ``0x00800000`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.txt b/doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.txt deleted file mode 100644 index 093975d..0000000 --- a/doc/html/_sources/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _TKT-FLG-TRANSIT-POLICY-CHECKED-data: - -TKT_FLG_TRANSIT_POLICY_CHECKED -============================== - -.. -.. data:: TKT_FLG_TRANSIT_POLICY_CHECKED -.. - - - - -===================================== ====================== -``TKT_FLG_TRANSIT_POLICY_CHECKED`` ``0x00080000`` -===================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/VALID_INT_BITS.txt b/doc/html/_sources/appdev/refs/macros/VALID_INT_BITS.txt deleted file mode 100644 index 280b58d..0000000 --- a/doc/html/_sources/appdev/refs/macros/VALID_INT_BITS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _VALID-INT-BITS-data: - -VALID_INT_BITS -============== - -.. -.. data:: VALID_INT_BITS -.. - - - - -===================== ====================== -``VALID_INT_BITS`` ``INT_MAX`` -===================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/VALID_UINT_BITS.txt b/doc/html/_sources/appdev/refs/macros/VALID_UINT_BITS.txt deleted file mode 100644 index 889aae9..0000000 --- a/doc/html/_sources/appdev/refs/macros/VALID_UINT_BITS.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _VALID-UINT-BITS-data: - -VALID_UINT_BITS -=============== - -.. -.. data:: VALID_UINT_BITS -.. - - - - -====================== ====================== -``VALID_UINT_BITS`` ``UINT_MAX`` -====================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/index.txt b/doc/html/_sources/appdev/refs/macros/index.txt deleted file mode 100644 index e767471..0000000 --- a/doc/html/_sources/appdev/refs/macros/index.txt +++ /dev/null @@ -1,380 +0,0 @@ -krb5 simple macros -========================= - -Public -------- - -.. toctree:: - :maxdepth: 1 - - ADDRTYPE_ADDRPORT.rst - ADDRTYPE_CHAOS.rst - ADDRTYPE_DDP.rst - ADDRTYPE_INET.rst - ADDRTYPE_INET6.rst - ADDRTYPE_IPPORT.rst - ADDRTYPE_ISO.rst - ADDRTYPE_IS_LOCAL.rst - ADDRTYPE_NETBIOS.rst - ADDRTYPE_XNS.rst - AD_TYPE_EXTERNAL.rst - AD_TYPE_FIELD_TYPE_MASK.rst - AD_TYPE_REGISTERED.rst - AD_TYPE_RESERVED.rst - AP_OPTS_ETYPE_NEGOTIATION.rst - AP_OPTS_MUTUAL_REQUIRED.rst - AP_OPTS_RESERVED.rst - AP_OPTS_USE_SESSION_KEY.rst - AP_OPTS_USE_SUBKEY.rst - AP_OPTS_WIRE_MASK.rst - CKSUMTYPE_CMAC_CAMELLIA128.rst - CKSUMTYPE_CMAC_CAMELLIA256.rst - CKSUMTYPE_CRC32.rst - CKSUMTYPE_DESCBC.rst - CKSUMTYPE_HMAC_MD5_ARCFOUR.rst - CKSUMTYPE_HMAC_SHA1_96_AES128.rst - CKSUMTYPE_HMAC_SHA1_96_AES256.rst - CKSUMTYPE_HMAC_SHA256_128_AES128.rst - CKSUMTYPE_HMAC_SHA384_192_AES256.rst - CKSUMTYPE_HMAC_SHA1_DES3.rst - CKSUMTYPE_MD5_HMAC_ARCFOUR.rst - CKSUMTYPE_NIST_SHA.rst - CKSUMTYPE_RSA_MD4.rst - CKSUMTYPE_RSA_MD4_DES.rst - CKSUMTYPE_RSA_MD5.rst - CKSUMTYPE_RSA_MD5_DES.rst - ENCTYPE_AES128_CTS_HMAC_SHA1_96.rst - ENCTYPE_AES128_CTS_HMAC_SHA256_128.rst - ENCTYPE_AES256_CTS_HMAC_SHA1_96.rst - ENCTYPE_AES256_CTS_HMAC_SHA384_192.rst - ENCTYPE_ARCFOUR_HMAC.rst - ENCTYPE_ARCFOUR_HMAC_EXP.rst - ENCTYPE_CAMELLIA128_CTS_CMAC.rst - ENCTYPE_CAMELLIA256_CTS_CMAC.rst - ENCTYPE_DES3_CBC_ENV.rst - ENCTYPE_DES3_CBC_RAW.rst - ENCTYPE_DES3_CBC_SHA.rst - ENCTYPE_DES3_CBC_SHA1.rst - ENCTYPE_DES_CBC_CRC.rst - ENCTYPE_DES_CBC_MD4.rst - ENCTYPE_DES_CBC_MD5.rst - ENCTYPE_DES_CBC_RAW.rst - ENCTYPE_DES_HMAC_SHA1.rst - ENCTYPE_DSA_SHA1_CMS.rst - ENCTYPE_MD5_RSA_CMS.rst - ENCTYPE_NULL.rst - ENCTYPE_RC2_CBC_ENV.rst - ENCTYPE_RSA_ENV.rst - ENCTYPE_RSA_ES_OAEP_ENV.rst - ENCTYPE_SHA1_RSA_CMS.rst - ENCTYPE_UNKNOWN.rst - KDC_OPT_ALLOW_POSTDATE.rst - KDC_OPT_CANONICALIZE.rst - KDC_OPT_CNAME_IN_ADDL_TKT.rst - KDC_OPT_DISABLE_TRANSITED_CHECK.rst - KDC_OPT_ENC_TKT_IN_SKEY.rst - KDC_OPT_FORWARDABLE.rst - KDC_OPT_FORWARDED.rst - KDC_OPT_POSTDATED.rst - KDC_OPT_PROXIABLE.rst - KDC_OPT_PROXY.rst - KDC_OPT_RENEW.rst - KDC_OPT_RENEWABLE.rst - KDC_OPT_RENEWABLE_OK.rst - KDC_OPT_REQUEST_ANONYMOUS.rst - KDC_OPT_VALIDATE.rst - KDC_TKT_COMMON_MASK.rst - KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.rst - KRB5_ANONYMOUS_PRINCSTR.rst - KRB5_ANONYMOUS_REALMSTR.rst - KRB5_AP_REP.rst - KRB5_AP_REQ.rst - KRB5_AS_REP.rst - KRB5_AS_REQ.rst - KRB5_AUTHDATA_AND_OR.rst - KRB5_AUTHDATA_AUTH_INDICATOR.rst - KRB5_AUTHDATA_CAMMAC.rst - KRB5_AUTHDATA_ETYPE_NEGOTIATION.rst - KRB5_AUTHDATA_FX_ARMOR.rst - KRB5_AUTHDATA_IF_RELEVANT.rst - KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.rst - KRB5_AUTHDATA_KDC_ISSUED.rst - KRB5_AUTHDATA_MANDATORY_FOR_KDC.rst - KRB5_AUTHDATA_OSF_DCE.rst - KRB5_AUTHDATA_SESAME.rst - KRB5_AUTHDATA_SIGNTICKET.rst - KRB5_AUTHDATA_WIN2K_PAC.rst - KRB5_AUTH_CONTEXT_DO_SEQUENCE.rst - KRB5_AUTH_CONTEXT_DO_TIME.rst - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.rst - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.rst - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.rst - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.rst - KRB5_AUTH_CONTEXT_PERMIT_ALL.rst - KRB5_AUTH_CONTEXT_RET_SEQUENCE.rst - KRB5_AUTH_CONTEXT_RET_TIME.rst - KRB5_AUTH_CONTEXT_USE_SUBKEY.rst - KRB5_CRED.rst - KRB5_CRYPTO_TYPE_CHECKSUM.rst - KRB5_CRYPTO_TYPE_DATA.rst - KRB5_CRYPTO_TYPE_EMPTY.rst - KRB5_CRYPTO_TYPE_HEADER.rst - KRB5_CRYPTO_TYPE_PADDING.rst - KRB5_CRYPTO_TYPE_SIGN_ONLY.rst - KRB5_CRYPTO_TYPE_STREAM.rst - KRB5_CRYPTO_TYPE_TRAILER.rst - KRB5_CYBERSAFE_SECUREID.rst - KRB5_DOMAIN_X500_COMPRESS.rst - KRB5_ENCPADATA_REQ_ENC_PA_REP.rst - KRB5_ERROR.rst - KRB5_FAST_REQUIRED.rst - KRB5_GC_CACHED.rst - KRB5_GC_CANONICALIZE.rst - KRB5_GC_CONSTRAINED_DELEGATION.rst - KRB5_GC_FORWARDABLE.rst - KRB5_GC_NO_STORE.rst - KRB5_GC_NO_TRANSIT_CHECK.rst - KRB5_GC_USER_USER.rst - KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.rst - KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.rst - KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.rst - KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.rst - KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.rst - KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.rst - KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.rst - KRB5_GET_INIT_CREDS_OPT_PROXIABLE.rst - KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.rst - KRB5_GET_INIT_CREDS_OPT_SALT.rst - KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.rst - KRB5_INIT_CONTEXT_SECURE.rst - KRB5_INIT_CONTEXT_KDC.rst - KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.rst - KRB5_INT16_MAX.rst - KRB5_INT16_MIN.rst - KRB5_INT32_MAX.rst - KRB5_INT32_MIN.rst - KRB5_KEYUSAGE_AD_ITE.rst - KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.rst - KRB5_KEYUSAGE_AD_MTE.rst - KRB5_KEYUSAGE_AD_SIGNEDPATH.rst - KRB5_KEYUSAGE_APP_DATA_CKSUM.rst - KRB5_KEYUSAGE_APP_DATA_ENCRYPT.rst - KRB5_KEYUSAGE_AP_REP_ENCPART.rst - KRB5_KEYUSAGE_AP_REQ_AUTH.rst - KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.rst - KRB5_KEYUSAGE_AS_REP_ENCPART.rst - KRB5_KEYUSAGE_AS_REQ.rst - KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.rst - KRB5_KEYUSAGE_CAMMAC.rst - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.rst - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.rst - KRB5_KEYUSAGE_FAST_ENC.rst - KRB5_KEYUSAGE_FAST_FINISHED.rst - KRB5_KEYUSAGE_FAST_REP.rst - KRB5_KEYUSAGE_FAST_REQ_CHKSUM.rst - KRB5_KEYUSAGE_GSS_TOK_MIC.rst - KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.rst - KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.rst - KRB5_KEYUSAGE_IAKERB_FINISHED.rst - KRB5_KEYUSAGE_KDC_REP_TICKET.rst - KRB5_KEYUSAGE_KRB_CRED_ENCPART.rst - KRB5_KEYUSAGE_KRB_ERROR_CKSUM.rst - KRB5_KEYUSAGE_KRB_PRIV_ENCPART.rst - KRB5_KEYUSAGE_KRB_SAFE_CKSUM.rst - KRB5_KEYUSAGE_PA_FX_COOKIE.rst - KRB5_KEYUSAGE_PA_OTP_REQUEST.rst - KRB5_KEYUSAGE_PA_PKINIT_KX.rst - KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.rst - KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.rst - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.rst - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.rst - KRB5_KEYUSAGE_PA_SAM_RESPONSE.rst - KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.rst - KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.rst - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.rst - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.rst - KRB5_KEYUSAGE_TGS_REQ_AUTH.rst - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.rst - KRB5_KPASSWD_ACCESSDENIED.rst - KRB5_KPASSWD_AUTHERROR.rst - KRB5_KPASSWD_BAD_VERSION.rst - KRB5_KPASSWD_HARDERROR.rst - KRB5_KPASSWD_INITIAL_FLAG_NEEDED.rst - KRB5_KPASSWD_MALFORMED.rst - KRB5_KPASSWD_SOFTERROR.rst - KRB5_KPASSWD_SUCCESS.rst - KRB5_LRQ_ALL_ACCT_EXPTIME.rst - KRB5_LRQ_ALL_LAST_INITIAL.rst - KRB5_LRQ_ALL_LAST_RENEWAL.rst - KRB5_LRQ_ALL_LAST_REQ.rst - KRB5_LRQ_ALL_LAST_TGT.rst - KRB5_LRQ_ALL_LAST_TGT_ISSUED.rst - KRB5_LRQ_ALL_PW_EXPTIME.rst - KRB5_LRQ_NONE.rst - KRB5_LRQ_ONE_ACCT_EXPTIME.rst - KRB5_LRQ_ONE_LAST_INITIAL.rst - KRB5_LRQ_ONE_LAST_RENEWAL.rst - KRB5_LRQ_ONE_LAST_REQ.rst - KRB5_LRQ_ONE_LAST_TGT.rst - KRB5_LRQ_ONE_LAST_TGT_ISSUED.rst - KRB5_LRQ_ONE_PW_EXPTIME.rst - KRB5_NT_ENTERPRISE_PRINCIPAL.rst - KRB5_NT_ENT_PRINCIPAL_AND_ID.rst - KRB5_NT_MS_PRINCIPAL.rst - KRB5_NT_MS_PRINCIPAL_AND_ID.rst - KRB5_NT_PRINCIPAL.rst - KRB5_NT_SMTP_NAME.rst - KRB5_NT_SRV_HST.rst - KRB5_NT_SRV_INST.rst - KRB5_NT_SRV_XHST.rst - KRB5_NT_UID.rst - KRB5_NT_UNKNOWN.rst - KRB5_NT_WELLKNOWN.rst - KRB5_NT_X500_PRINCIPAL.rst - KRB5_PAC_CLIENT_INFO.rst - KRB5_PAC_CREDENTIALS_INFO.rst - KRB5_PAC_DELEGATION_INFO.rst - KRB5_PAC_LOGON_INFO.rst - KRB5_PAC_PRIVSVR_CHECKSUM.rst - KRB5_PAC_SERVER_CHECKSUM.rst - KRB5_PAC_UPN_DNS_INFO.rst - KRB5_PADATA_AFS3_SALT.rst - KRB5_PADATA_AP_REQ.rst - KRB5_PADATA_AS_CHECKSUM.rst - KRB5_PADATA_ENCRYPTED_CHALLENGE.rst - KRB5_PADATA_ENC_SANDIA_SECURID.rst - KRB5_PADATA_ENC_TIMESTAMP.rst - KRB5_PADATA_ENC_UNIX_TIME.rst - KRB5_PADATA_ETYPE_INFO.rst - KRB5_PADATA_ETYPE_INFO2.rst - KRB5_PADATA_FOR_USER.rst - KRB5_PADATA_FX_COOKIE.rst - KRB5_PADATA_FX_ERROR.rst - KRB5_PADATA_FX_FAST.rst - KRB5_PADATA_GET_FROM_TYPED_DATA.rst - KRB5_PADATA_NONE.rst - KRB5_PADATA_OSF_DCE.rst - KRB5_PADATA_OTP_CHALLENGE.rst - KRB5_PADATA_OTP_PIN_CHANGE.rst - KRB5_PADATA_OTP_REQUEST.rst - KRB5_PADATA_PAC_REQUEST.rst - KRB5_PADATA_PKINIT_KX.rst - KRB5_PADATA_PK_AS_REP.rst - KRB5_PADATA_PK_AS_REP_OLD.rst - KRB5_PADATA_PK_AS_REQ.rst - KRB5_PADATA_PK_AS_REQ_OLD.rst - KRB5_PADATA_PW_SALT.rst - KRB5_PADATA_REFERRAL.rst - KRB5_PADATA_S4U_X509_USER.rst - KRB5_PADATA_SAM_CHALLENGE.rst - KRB5_PADATA_SAM_CHALLENGE_2.rst - KRB5_PADATA_SAM_REDIRECT.rst - KRB5_PADATA_SAM_RESPONSE.rst - KRB5_PADATA_SAM_RESPONSE_2.rst - KRB5_PADATA_SESAME.rst - KRB5_PADATA_SVR_REFERRAL_INFO.rst - KRB5_PADATA_TGS_REQ.rst - KRB5_PADATA_USE_SPECIFIED_KVNO.rst - KRB5_PRINCIPAL_COMPARE_CASEFOLD.rst - KRB5_PRINCIPAL_COMPARE_ENTERPRISE.rst - KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.rst - KRB5_PRINCIPAL_COMPARE_UTF8.rst - KRB5_PRINCIPAL_PARSE_ENTERPRISE.rst - KRB5_PRINCIPAL_PARSE_IGNORE_REALM.rst - KRB5_PRINCIPAL_PARSE_NO_REALM.rst - KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.rst - KRB5_PRINCIPAL_UNPARSE_DISPLAY.rst - KRB5_PRINCIPAL_UNPARSE_NO_REALM.rst - KRB5_PRINCIPAL_UNPARSE_SHORT.rst - KRB5_PRIV.rst - KRB5_PROMPT_TYPE_NEW_PASSWORD.rst - KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.rst - KRB5_PROMPT_TYPE_PASSWORD.rst - KRB5_PROMPT_TYPE_PREAUTH.rst - KRB5_PVNO.rst - KRB5_REALM_BRANCH_CHAR.rst - KRB5_RECVAUTH_BADAUTHVERS.rst - KRB5_RECVAUTH_SKIP_VERSION.rst - KRB5_REFERRAL_REALM.rst - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.rst - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.rst - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.rst - KRB5_RESPONDER_QUESTION_PKINIT.rst - KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.rst - KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.rst - KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.rst - KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.rst - KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.rst - KRB5_RESPONDER_OTP_FORMAT_DECIMAL.rst - KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.rst - KRB5_RESPONDER_QUESTION_OTP.rst - KRB5_RESPONDER_QUESTION_PASSWORD.rst - KRB5_SAFE.rst - KRB5_SAM_MUST_PK_ENCRYPT_SAD.rst - KRB5_SAM_SEND_ENCRYPTED_SAD.rst - KRB5_SAM_USE_SAD_AS_KEY.rst - KRB5_TC_MATCH_2ND_TKT.rst - KRB5_TC_MATCH_AUTHDATA.rst - KRB5_TC_MATCH_FLAGS.rst - KRB5_TC_MATCH_FLAGS_EXACT.rst - KRB5_TC_MATCH_IS_SKEY.rst - KRB5_TC_MATCH_KTYPE.rst - KRB5_TC_MATCH_SRV_NAMEONLY.rst - KRB5_TC_MATCH_TIMES.rst - KRB5_TC_MATCH_TIMES_EXACT.rst - KRB5_TC_NOTICKET.rst - KRB5_TC_OPENCLOSE.rst - KRB5_TC_SUPPORTED_KTYPES.rst - KRB5_TGS_NAME.rst - KRB5_TGS_NAME_SIZE.rst - KRB5_TGS_REP.rst - KRB5_TGS_REQ.rst - KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.rst - KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.rst - KRB5_WELLKNOWN_NAMESTR.rst - LR_TYPE_INTERPRETATION_MASK.rst - LR_TYPE_THIS_SERVER_ONLY.rst - MAX_KEYTAB_NAME_LEN.rst - MSEC_DIRBIT.rst - MSEC_VAL_MASK.rst - SALT_TYPE_AFS_LENGTH.rst - SALT_TYPE_NO_LENGTH.rst - THREEPARAMOPEN.rst - TKT_FLG_ANONYMOUS.rst - TKT_FLG_ENC_PA_REP.rst - TKT_FLG_FORWARDABLE.rst - TKT_FLG_FORWARDED.rst - TKT_FLG_HW_AUTH.rst - TKT_FLG_INITIAL.rst - TKT_FLG_INVALID.rst - TKT_FLG_MAY_POSTDATE.rst - TKT_FLG_OK_AS_DELEGATE.rst - TKT_FLG_POSTDATED.rst - TKT_FLG_PRE_AUTH.rst - TKT_FLG_PROXIABLE.rst - TKT_FLG_PROXY.rst - TKT_FLG_RENEWABLE.rst - TKT_FLG_TRANSIT_POLICY_CHECKED.rst - VALID_INT_BITS.rst - VALID_UINT_BITS.rst - krb5_const.rst - krb5_princ_component.rst - krb5_princ_name.rst - krb5_princ_realm.rst - krb5_princ_set_realm.rst - krb5_princ_set_realm_data.rst - krb5_princ_set_realm_length.rst - krb5_princ_size.rst - krb5_princ_type.rst - krb5_roundup.rst - krb5_x.rst - krb5_xc.rst - -Deprecated macros ------------------------------- - -.. toctree:: - :maxdepth: 1 - - krb524_convert_creds_kdc.rst - krb524_init_ets.rst diff --git a/doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.txt b/doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.txt deleted file mode 100644 index 6fe8894..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb524_convert_creds_kdc.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb524-convert-creds-kdc-data: - -krb524_convert_creds_kdc -======================== - -.. -.. data:: krb524_convert_creds_kdc -.. - - - - -=============================== ====================== -``krb524_convert_creds_kdc`` ``krb5_524_convert_creds`` -=============================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb524_init_ets.txt b/doc/html/_sources/appdev/refs/macros/krb524_init_ets.txt deleted file mode 100644 index fdde042..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb524_init_ets.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb524-init-ets-data: - -krb524_init_ets -=============== - -.. -.. data:: krb524_init_ets -.. - - - - -========================= ====================== -``krb524_init_ets (x)`` ``(0)`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_const.txt b/doc/html/_sources/appdev/refs/macros/krb5_const.txt deleted file mode 100644 index 6e9a508..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_const.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-const-data: - -krb5_const -========== - -.. -.. data:: krb5_const -.. - - - - -================= ====================== -``krb5_const`` ``const`` -================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_component.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_component.txt deleted file mode 100644 index 25178cd..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_component.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-component-data: - -krb5_princ_component -==================== - -.. -.. data:: krb5_princ_component -.. - - - - -============================================== ====================== -``krb5_princ_component (context, princ, i)`` ``(((i) < krb5_princ_size(context, princ)) ? (princ)->data + (i) : NULL)`` -============================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_name.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_name.txt deleted file mode 100644 index 13a9fac..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_name.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-name-data: - -krb5_princ_name -=============== - -.. -.. data:: krb5_princ_name -.. - - - - -====================================== ====================== -``krb5_princ_name (context, princ)`` ``(princ)->data`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_realm.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_realm.txt deleted file mode 100644 index f9bef3a..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_realm.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-realm-data: - -krb5_princ_realm -================ - -.. -.. data:: krb5_princ_realm -.. - - - - -======================================= ====================== -``krb5_princ_realm (context, princ)`` ``(&(princ)->realm)`` -======================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm.txt deleted file mode 100644 index 37040c9..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-set-realm-data: - -krb5_princ_set_realm -==================== - -.. -.. data:: krb5_princ_set_realm -.. - - - - -================================================== ====================== -``krb5_princ_set_realm (context, princ, value)`` ``((princ)->realm = *(value))`` -================================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.txt deleted file mode 100644 index 576e955..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_data.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-set-realm-data-data: - -krb5_princ_set_realm_data -========================= - -.. -.. data:: krb5_princ_set_realm_data -.. - - - - -======================================================= ====================== -``krb5_princ_set_realm_data (context, princ, value)`` ``(princ)->realm.data = (value)`` -======================================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_length.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_length.txt deleted file mode 100644 index c4cba13..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_set_realm_length.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-set-realm-length-data: - -krb5_princ_set_realm_length -=========================== - -.. -.. data:: krb5_princ_set_realm_length -.. - - - - -========================================================= ====================== -``krb5_princ_set_realm_length (context, princ, value)`` ``(princ)->realm.length = (value)`` -========================================================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_size.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_size.txt deleted file mode 100644 index 1108a91..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_size.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-size-data: - -krb5_princ_size -=============== - -.. -.. data:: krb5_princ_size -.. - - - - -====================================== ====================== -``krb5_princ_size (context, princ)`` ``(princ)->length`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_princ_type.txt b/doc/html/_sources/appdev/refs/macros/krb5_princ_type.txt deleted file mode 100644 index 394afd0..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_princ_type.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-princ-type-data: - -krb5_princ_type -=============== - -.. -.. data:: krb5_princ_type -.. - - - - -====================================== ====================== -``krb5_princ_type (context, princ)`` ``(princ)->type`` -====================================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_roundup.txt b/doc/html/_sources/appdev/refs/macros/krb5_roundup.txt deleted file mode 100644 index 660d7b9..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_roundup.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-roundup-data: - -krb5_roundup -============ - -.. -.. data:: krb5_roundup -.. - - - - -========================= ====================== -``krb5_roundup (x, y)`` ``((((x) + (y) - 1)/(y))*(y))`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_x.txt b/doc/html/_sources/appdev/refs/macros/krb5_x.txt deleted file mode 100644 index 083d406..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_x.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-x-data: - -krb5_x -====== - -.. -.. data:: krb5_x -.. - - - - -======================== ====================== -``krb5_x (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),1))`` -======================== ====================== diff --git a/doc/html/_sources/appdev/refs/macros/krb5_xc.txt b/doc/html/_sources/appdev/refs/macros/krb5_xc.txt deleted file mode 100644 index 5bfbfc9..0000000 --- a/doc/html/_sources/appdev/refs/macros/krb5_xc.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. highlightlang:: c - -.. _krb5-xc-data: - -krb5_xc -======= - -.. -.. data:: krb5_xc -.. - - - - -========================= ====================== -``krb5_xc (ptr, args)`` ``((ptr)?((*(ptr)) args):(abort(),(char*)0))`` -========================= ====================== diff --git a/doc/html/_sources/appdev/refs/types/index.txt b/doc/html/_sources/appdev/refs/types/index.txt deleted file mode 100644 index dc414cf..0000000 --- a/doc/html/_sources/appdev/refs/types/index.txt +++ /dev/null @@ -1,109 +0,0 @@ -krb5 types and structures -========================= - -Public -------- - -.. toctree:: - :maxdepth: 1 - - krb5_address.rst - krb5_addrtype.rst - krb5_ap_req.rst - krb5_ap_rep.rst - krb5_ap_rep_enc_part.rst - krb5_authdata.rst - krb5_authdatatype.rst - krb5_authenticator.rst - krb5_boolean.rst - krb5_checksum.rst - krb5_const_pointer.rst - krb5_const_principal.rst - krb5_cred.rst - krb5_cred_enc_part.rst - krb5_cred_info.rst - krb5_creds.rst - krb5_crypto_iov.rst - krb5_cryptotype.rst - krb5_data.rst - krb5_deltat.rst - krb5_enc_data.rst - krb5_enc_kdc_rep_part.rst - krb5_enc_tkt_part.rst - krb5_encrypt_block.rst - krb5_enctype.rst - krb5_error.rst - krb5_error_code.rst - krb5_expire_callback_func.rst - krb5_flags.rst - krb5_get_init_creds_opt.rst - krb5_gic_opt_pa_data.rst - krb5_int16.rst - krb5_int32.rst - krb5_kdc_rep.rst - krb5_kdc_req.rst - krb5_keyblock.rst - krb5_keytab_entry.rst - krb5_keyusage.rst - krb5_kt_cursor.rst - krb5_kvno.rst - krb5_last_req_entry.rst - krb5_magic.rst - krb5_mk_req_checksum_func.rst - krb5_msgtype.rst - krb5_octet.rst - krb5_pa_pac_req.rst - krb5_pa_server_referral_data.rst - krb5_pa_svr_referral_data.rst - krb5_pa_data.rst - krb5_pointer.rst - krb5_post_recv_fn.rst - krb5_pre_send_fn.rst - krb5_preauthtype.rst - krb5_principal.rst - krb5_principal_data.rst - krb5_const_principal.rst - krb5_prompt.rst - krb5_prompt_type.rst - krb5_prompter_fct.rst - krb5_pwd_data.rst - krb5_responder_context.rst - krb5_responder_fn.rst - krb5_responder_otp_challenge.rst - krb5_responder_otp_tokeninfo.rst - krb5_responder_pkinit_challenge.rst - krb5_responder_pkinit_identity.rst - krb5_response.rst - krb5_replay_data.rst - krb5_ticket.rst - krb5_ticket_times.rst - krb5_timestamp.rst - krb5_tkt_authent.rst - krb5_trace_callback.rst - krb5_trace_info.rst - krb5_transited.rst - krb5_typed_data.rst - krb5_ui_2.rst - krb5_ui_4.rst - krb5_verify_init_creds_opt.rst - passwd_phrase_element.rst - - -Internal ---------- - -.. toctree:: - :maxdepth: 1 - - krb5_auth_context.rst - krb5_cksumtype - krb5_context.rst - krb5_cc_cursor.rst - krb5_ccache.rst - krb5_cccol_cursor.rst - krb5_init_creds_context.rst - krb5_key.rst - krb5_keytab.rst - krb5_pac.rst - krb5_rcache.rst - krb5_tkt_creds_context.rst diff --git a/doc/html/_sources/appdev/refs/types/krb5_address.txt b/doc/html/_sources/appdev/refs/types/krb5_address.txt deleted file mode 100644 index 1d65d71..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_address.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-address-struct: - -krb5_address -============ - -.. -.. c:type:: krb5_address -.. - -Structure for address. - - - -Declaration ------------- - -typedef struct _krb5_address krb5_address - - -Members ---------- - - -.. c:member:: krb5_magic krb5_address.magic - - - - -.. c:member:: krb5_addrtype krb5_address.addrtype - - - - -.. c:member:: unsigned int krb5_address.length - - - - -.. c:member:: krb5_octet * krb5_address.contents - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_addrtype.txt b/doc/html/_sources/appdev/refs/types/krb5_addrtype.txt deleted file mode 100644 index d2dcbc8..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_addrtype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-addrtype-struct: - -krb5_addrtype -============= - -.. -.. c:type:: krb5_addrtype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_addrtype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ap_rep.txt b/doc/html/_sources/appdev/refs/types/krb5_ap_rep.txt deleted file mode 100644 index f05a113..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ap_rep.txt +++ /dev/null @@ -1,35 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ap-rep-struct: - -krb5_ap_rep -=========== - -.. -.. c:type:: krb5_ap_rep -.. - -C representaton of AP-REP message. - -The server's response to a client's request for mutual authentication. - -Declaration ------------- - -typedef struct _krb5_ap_rep krb5_ap_rep - - -Members ---------- - - -.. c:member:: krb5_magic krb5_ap_rep.magic - - - - -.. c:member:: krb5_enc_data krb5_ap_rep.enc_part - - Ciphertext of ApRepEncPart. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.txt b/doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.txt deleted file mode 100644 index 73b7b15..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ap_rep_enc_part.txt +++ /dev/null @@ -1,50 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ap-rep-enc-part-struct: - -krb5_ap_rep_enc_part -==================== - -.. -.. c:type:: krb5_ap_rep_enc_part -.. - -Cleartext that is encrypted and put into :c:type:`_krb5_ap_rep` . - - - -Declaration ------------- - -typedef struct _krb5_ap_rep_enc_part krb5_ap_rep_enc_part - - -Members ---------- - - -.. c:member:: krb5_magic krb5_ap_rep_enc_part.magic - - - - -.. c:member:: krb5_timestamp krb5_ap_rep_enc_part.ctime - - Client time, seconds portion. - - -.. c:member:: krb5_int32 krb5_ap_rep_enc_part.cusec - - Client time, microseconds portion. - - -.. c:member:: krb5_keyblock * krb5_ap_rep_enc_part.subkey - - Subkey (optional) - - -.. c:member:: krb5_ui_4 krb5_ap_rep_enc_part.seq_number - - Sequence number. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ap_req.txt b/doc/html/_sources/appdev/refs/types/krb5_ap_req.txt deleted file mode 100644 index 9806c17..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ap_req.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ap-req-struct: - -krb5_ap_req -=========== - -.. -.. c:type:: krb5_ap_req -.. - -Authentication header. - - - -Declaration ------------- - -typedef struct _krb5_ap_req krb5_ap_req - - -Members ---------- - - -.. c:member:: krb5_magic krb5_ap_req.magic - - - - -.. c:member:: krb5_flags krb5_ap_req.ap_options - - Requested options. - - -.. c:member:: krb5_ticket * krb5_ap_req.ticket - - Ticket. - - -.. c:member:: krb5_enc_data krb5_ap_req.authenticator - - Encrypted authenticator. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_auth_context.txt b/doc/html/_sources/appdev/refs/types/krb5_auth_context.txt deleted file mode 100644 index 8266b6c..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_auth_context.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-auth-context-struct: - -krb5_auth_context -================= - -.. -.. c:type:: krb5_auth_context -.. - - - - -Declaration ------------- - -typedef struct _krb5_auth_context\* krb5_auth_context - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_authdata.txt b/doc/html/_sources/appdev/refs/types/krb5_authdata.txt deleted file mode 100644 index ef4d4c1..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_authdata.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-authdata-struct: - -krb5_authdata -============= - -.. -.. c:type:: krb5_authdata -.. - -Structure for auth data. - - - -Declaration ------------- - -typedef struct _krb5_authdata krb5_authdata - - -Members ---------- - - -.. c:member:: krb5_magic krb5_authdata.magic - - - - -.. c:member:: krb5_authdatatype krb5_authdata.ad_type - - ADTYPE. - - -.. c:member:: unsigned int krb5_authdata.length - - Length of data. - - -.. c:member:: krb5_octet * krb5_authdata.contents - - Data. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_authdatatype.txt b/doc/html/_sources/appdev/refs/types/krb5_authdatatype.txt deleted file mode 100644 index 933b168..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_authdatatype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-authdatatype-struct: - -krb5_authdatatype -================= - -.. -.. c:type:: krb5_authdatatype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_authdatatype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_authenticator.txt b/doc/html/_sources/appdev/refs/types/krb5_authenticator.txt deleted file mode 100644 index a060140..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_authenticator.txt +++ /dev/null @@ -1,65 +0,0 @@ -.. highlightlang:: c - -.. _krb5-authenticator-struct: - -krb5_authenticator -================== - -.. -.. c:type:: krb5_authenticator -.. - -Ticket authenticator. - -The C representation of an unencrypted authenticator. - -Declaration ------------- - -typedef struct _krb5_authenticator krb5_authenticator - - -Members ---------- - - -.. c:member:: krb5_magic krb5_authenticator.magic - - - - -.. c:member:: krb5_principal krb5_authenticator.client - - client name/realm - - -.. c:member:: krb5_checksum * krb5_authenticator.checksum - - checksum, includes type, optional - - -.. c:member:: krb5_int32 krb5_authenticator.cusec - - client usec portion - - -.. c:member:: krb5_timestamp krb5_authenticator.ctime - - client sec portion - - -.. c:member:: krb5_keyblock * krb5_authenticator.subkey - - true session key, optional - - -.. c:member:: krb5_ui_4 krb5_authenticator.seq_number - - sequence #, optional - - -.. c:member:: krb5_authdata ** krb5_authenticator.authorization_data - - authoriazation data - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_boolean.txt b/doc/html/_sources/appdev/refs/types/krb5_boolean.txt deleted file mode 100644 index 6ee72b3..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_boolean.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-boolean-struct: - -krb5_boolean -============ - -.. -.. c:type:: krb5_boolean -.. - - - - -Declaration ------------- - -typedef unsigned int krb5_boolean - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cc_cursor.txt b/doc/html/_sources/appdev/refs/types/krb5_cc_cursor.txt deleted file mode 100644 index a570794..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cc_cursor.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cc-cursor-struct: - -krb5_cc_cursor -============== - -.. -.. c:type:: krb5_cc_cursor -.. - -Cursor for sequential lookup. - - - -Declaration ------------- - -typedef krb5_pointer krb5_cc_cursor - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ccache.txt b/doc/html/_sources/appdev/refs/types/krb5_ccache.txt deleted file mode 100644 index 4c96cc8..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ccache.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ccache-struct: - -krb5_ccache -=========== - -.. -.. c:type:: krb5_ccache -.. - - - - -Declaration ------------- - -typedef struct _krb5_ccache\* krb5_ccache - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.txt b/doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.txt deleted file mode 100644 index 20ee4e0..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cccol_cursor.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cccol-cursor-struct: - -krb5_cccol_cursor -================= - -.. -.. c:type:: krb5_cccol_cursor -.. - -Cursor for iterating over all ccaches. - - - -Declaration ------------- - -typedef struct _krb5_cccol_cursor\* krb5_cccol_cursor - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_checksum.txt b/doc/html/_sources/appdev/refs/types/krb5_checksum.txt deleted file mode 100644 index 0e970fd..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_checksum.txt +++ /dev/null @@ -1,44 +0,0 @@ -.. highlightlang:: c - -.. _krb5-checksum-struct: - -krb5_checksum -============= - -.. -.. c:type:: krb5_checksum -.. - - - - -Declaration ------------- - -typedef struct _krb5_checksum krb5_checksum - - -Members ---------- - - -.. c:member:: krb5_magic krb5_checksum.magic - - - - -.. c:member:: krb5_cksumtype krb5_checksum.checksum_type - - - - -.. c:member:: unsigned int krb5_checksum.length - - - - -.. c:member:: krb5_octet * krb5_checksum.contents - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cksumtype.txt b/doc/html/_sources/appdev/refs/types/krb5_cksumtype.txt deleted file mode 100644 index c901dfc..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cksumtype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cksumtype-struct: - -krb5_cksumtype -============== - -.. -.. c:type:: krb5_cksumtype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_cksumtype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_const_pointer.txt b/doc/html/_sources/appdev/refs/types/krb5_const_pointer.txt deleted file mode 100644 index 05da082..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_const_pointer.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-const-pointer-struct: - -krb5_const_pointer -================== - -.. -.. c:type:: krb5_const_pointer -.. - - - - -Declaration ------------- - -typedef void const\* krb5_const_pointer - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_const_principal.txt b/doc/html/_sources/appdev/refs/types/krb5_const_principal.txt deleted file mode 100644 index b30d3f7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_const_principal.txt +++ /dev/null @@ -1,50 +0,0 @@ -.. highlightlang:: c - -.. _krb5-const-principal-struct: - -krb5_const_principal -==================== - -.. -.. c:type:: krb5_const_principal -.. - -Constant version of :c:type:`krb5_principal_data` . - - - -Declaration ------------- - -typedef const krb5_principal_data\* krb5_const_principal - - -Members ---------- - - -.. c:member:: krb5_magic krb5_const_principal.magic - - - - -.. c:member:: krb5_data krb5_const_principal.realm - - - - -.. c:member:: krb5_data * krb5_const_principal.data - - An array of strings. - - -.. c:member:: krb5_int32 krb5_const_principal.length - - - - -.. c:member:: krb5_int32 krb5_const_principal.type - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_context.txt b/doc/html/_sources/appdev/refs/types/krb5_context.txt deleted file mode 100644 index 51bce12..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_context.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-context-struct: - -krb5_context -============ - -.. -.. c:type:: krb5_context -.. - - - - -Declaration ------------- - -typedef struct _krb5_context\* krb5_context - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cred.txt b/doc/html/_sources/appdev/refs/types/krb5_cred.txt deleted file mode 100644 index 61f1691..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cred.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cred-struct: - -krb5_cred -========= - -.. -.. c:type:: krb5_cred -.. - -Credentials data structure. - - - -Declaration ------------- - -typedef struct _krb5_cred krb5_cred - - -Members ---------- - - -.. c:member:: krb5_magic krb5_cred.magic - - - - -.. c:member:: krb5_ticket ** krb5_cred.tickets - - Tickets. - - -.. c:member:: krb5_enc_data krb5_cred.enc_part - - Encrypted part. - - -.. c:member:: krb5_cred_enc_part * krb5_cred.enc_part2 - - Unencrypted version, if available. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.txt b/doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.txt deleted file mode 100644 index eee6a8a..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cred_enc_part.txt +++ /dev/null @@ -1,60 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cred-enc-part-struct: - -krb5_cred_enc_part -================== - -.. -.. c:type:: krb5_cred_enc_part -.. - -Cleartext credentials information. - - - -Declaration ------------- - -typedef struct _krb5_cred_enc_part krb5_cred_enc_part - - -Members ---------- - - -.. c:member:: krb5_magic krb5_cred_enc_part.magic - - - - -.. c:member:: krb5_int32 krb5_cred_enc_part.nonce - - Nonce (optional) - - -.. c:member:: krb5_timestamp krb5_cred_enc_part.timestamp - - Generation time, seconds portion. - - -.. c:member:: krb5_int32 krb5_cred_enc_part.usec - - Generation time, microseconds portion. - - -.. c:member:: krb5_address * krb5_cred_enc_part.s_address - - Sender address (optional) - - -.. c:member:: krb5_address * krb5_cred_enc_part.r_address - - Recipient address (optional) - - -.. c:member:: krb5_cred_info ** krb5_cred_enc_part.ticket_info - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cred_info.txt b/doc/html/_sources/appdev/refs/types/krb5_cred_info.txt deleted file mode 100644 index 20cb799..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cred_info.txt +++ /dev/null @@ -1,60 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cred-info-struct: - -krb5_cred_info -============== - -.. -.. c:type:: krb5_cred_info -.. - -Credentials information inserted into *EncKrbCredPart* . - - - -Declaration ------------- - -typedef struct _krb5_cred_info krb5_cred_info - - -Members ---------- - - -.. c:member:: krb5_magic krb5_cred_info.magic - - - - -.. c:member:: krb5_keyblock * krb5_cred_info.session - - Session key used to encrypt ticket. - - -.. c:member:: krb5_principal krb5_cred_info.client - - Client principal and realm. - - -.. c:member:: krb5_principal krb5_cred_info.server - - Server principal and realm. - - -.. c:member:: krb5_flags krb5_cred_info.flags - - Ticket flags. - - -.. c:member:: krb5_ticket_times krb5_cred_info.times - - Auth, start, end, renew_till. - - -.. c:member:: krb5_address ** krb5_cred_info.caddrs - - Array of pointers to addrs (optional) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_creds.txt b/doc/html/_sources/appdev/refs/types/krb5_creds.txt deleted file mode 100644 index caa91fd..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_creds.txt +++ /dev/null @@ -1,80 +0,0 @@ -.. highlightlang:: c - -.. _krb5-creds-struct: - -krb5_creds -========== - -.. -.. c:type:: krb5_creds -.. - -Credentials structure including ticket, session key, and lifetime info. - - - -Declaration ------------- - -typedef struct _krb5_creds krb5_creds - - -Members ---------- - - -.. c:member:: krb5_magic krb5_creds.magic - - - - -.. c:member:: krb5_principal krb5_creds.client - - client's principal identifier - - -.. c:member:: krb5_principal krb5_creds.server - - server's principal identifier - - -.. c:member:: krb5_keyblock krb5_creds.keyblock - - session encryption key info - - -.. c:member:: krb5_ticket_times krb5_creds.times - - lifetime info - - -.. c:member:: krb5_boolean krb5_creds.is_skey - - true if ticket is encrypted in another ticket's skey - - -.. c:member:: krb5_flags krb5_creds.ticket_flags - - flags in ticket - - -.. c:member:: krb5_address ** krb5_creds.addresses - - addrs in ticket - - -.. c:member:: krb5_data krb5_creds.ticket - - ticket string itself - - -.. c:member:: krb5_data krb5_creds.second_ticket - - second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY) - - -.. c:member:: krb5_authdata ** krb5_creds.authdata - - authorization data - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_crypto_iov.txt b/doc/html/_sources/appdev/refs/types/krb5_crypto_iov.txt deleted file mode 100644 index 7ede192..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_crypto_iov.txt +++ /dev/null @@ -1,35 +0,0 @@ -.. highlightlang:: c - -.. _krb5-crypto-iov-struct: - -krb5_crypto_iov -=============== - -.. -.. c:type:: krb5_crypto_iov -.. - -Structure to describe a region of text to be encrypted or decrypted. - -The *flags* member describes the type of the iov. The *data* member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5_crypto_iov's along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5_crypto_iov structures before calling into an iov API. - -Declaration ------------- - -typedef struct _krb5_crypto_iov krb5_crypto_iov - - -Members ---------- - - -.. c:member:: krb5_cryptotype krb5_crypto_iov.flags - - :c:data:`KRB5_CRYPTO_TYPE` type of the iov - - -.. c:member:: krb5_data krb5_crypto_iov.data - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_cryptotype.txt b/doc/html/_sources/appdev/refs/types/krb5_cryptotype.txt deleted file mode 100644 index 8cc46bf..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_cryptotype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-cryptotype-struct: - -krb5_cryptotype -=============== - -.. -.. c:type:: krb5_cryptotype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_cryptotype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_data.txt b/doc/html/_sources/appdev/refs/types/krb5_data.txt deleted file mode 100644 index 7bc2c0e..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_data.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. highlightlang:: c - -.. _krb5-data-struct: - -krb5_data -========= - -.. -.. c:type:: krb5_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_data krb5_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_data.magic - - - - -.. c:member:: unsigned int krb5_data.length - - - - -.. c:member:: char * krb5_data.data - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_deltat.txt b/doc/html/_sources/appdev/refs/types/krb5_deltat.txt deleted file mode 100644 index acc6193..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_deltat.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-deltat-struct: - -krb5_deltat -=========== - -.. -.. c:type:: krb5_deltat -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_deltat - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_enc_data.txt b/doc/html/_sources/appdev/refs/types/krb5_enc_data.txt deleted file mode 100644 index b5109f7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_enc_data.txt +++ /dev/null @@ -1,44 +0,0 @@ -.. highlightlang:: c - -.. _krb5-enc-data-struct: - -krb5_enc_data -============= - -.. -.. c:type:: krb5_enc_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_enc_data krb5_enc_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_enc_data.magic - - - - -.. c:member:: krb5_enctype krb5_enc_data.enctype - - - - -.. c:member:: krb5_kvno krb5_enc_data.kvno - - - - -.. c:member:: krb5_data krb5_enc_data.ciphertext - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.txt b/doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.txt deleted file mode 100644 index 1c5f129..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_enc_kdc_rep_part.txt +++ /dev/null @@ -1,80 +0,0 @@ -.. highlightlang:: c - -.. _krb5-enc-kdc-rep-part-struct: - -krb5_enc_kdc_rep_part -===================== - -.. -.. c:type:: krb5_enc_kdc_rep_part -.. - -C representation of *EncKDCRepPart* protocol message. - -This is the cleartext message that is encrypted and inserted in *KDC-REP* . - -Declaration ------------- - -typedef struct _krb5_enc_kdc_rep_part krb5_enc_kdc_rep_part - - -Members ---------- - - -.. c:member:: krb5_magic krb5_enc_kdc_rep_part.magic - - - - -.. c:member:: krb5_msgtype krb5_enc_kdc_rep_part.msg_type - - krb5 message type - - -.. c:member:: krb5_keyblock * krb5_enc_kdc_rep_part.session - - Session key. - - -.. c:member:: krb5_last_req_entry ** krb5_enc_kdc_rep_part.last_req - - Array of pointers to entries. - - -.. c:member:: krb5_int32 krb5_enc_kdc_rep_part.nonce - - Nonce from request. - - -.. c:member:: krb5_timestamp krb5_enc_kdc_rep_part.key_exp - - Expiration date. - - -.. c:member:: krb5_flags krb5_enc_kdc_rep_part.flags - - Ticket flags. - - -.. c:member:: krb5_ticket_times krb5_enc_kdc_rep_part.times - - Lifetime info. - - -.. c:member:: krb5_principal krb5_enc_kdc_rep_part.server - - Server's principal identifier. - - -.. c:member:: krb5_address ** krb5_enc_kdc_rep_part.caddrs - - Array of ptrs to addrs, optional. - - -.. c:member:: krb5_pa_data ** krb5_enc_kdc_rep_part.enc_padata - - Encrypted preauthentication data. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.txt b/doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.txt deleted file mode 100644 index 8079fb4..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_enc_tkt_part.txt +++ /dev/null @@ -1,65 +0,0 @@ -.. highlightlang:: c - -.. _krb5-enc-tkt-part-struct: - -krb5_enc_tkt_part -================= - -.. -.. c:type:: krb5_enc_tkt_part -.. - -Encrypted part of ticket. - - - -Declaration ------------- - -typedef struct _krb5_enc_tkt_part krb5_enc_tkt_part - - -Members ---------- - - -.. c:member:: krb5_magic krb5_enc_tkt_part.magic - - - - -.. c:member:: krb5_flags krb5_enc_tkt_part.flags - - flags - - -.. c:member:: krb5_keyblock * krb5_enc_tkt_part.session - - session key: includes enctype - - -.. c:member:: krb5_principal krb5_enc_tkt_part.client - - client name/realm - - -.. c:member:: krb5_transited krb5_enc_tkt_part.transited - - list of transited realms - - -.. c:member:: krb5_ticket_times krb5_enc_tkt_part.times - - auth, start, end, renew_till - - -.. c:member:: krb5_address ** krb5_enc_tkt_part.caddrs - - array of ptrs to addresses - - -.. c:member:: krb5_authdata ** krb5_enc_tkt_part.authorization_data - - auth data - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_encrypt_block.txt b/doc/html/_sources/appdev/refs/types/krb5_encrypt_block.txt deleted file mode 100644 index 5b83893..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_encrypt_block.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. highlightlang:: c - -.. _krb5-encrypt-block-struct: - -krb5_encrypt_block -================== - -.. -.. c:type:: krb5_encrypt_block -.. - - - - -Declaration ------------- - -typedef struct _krb5_encrypt_block krb5_encrypt_block - - -Members ---------- - - -.. c:member:: krb5_magic krb5_encrypt_block.magic - - - - -.. c:member:: krb5_enctype krb5_encrypt_block.crypto_entry - - - - -.. c:member:: krb5_keyblock * krb5_encrypt_block.key - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_enctype.txt b/doc/html/_sources/appdev/refs/types/krb5_enctype.txt deleted file mode 100644 index bd15445..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_enctype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-enctype-struct: - -krb5_enctype -============ - -.. -.. c:type:: krb5_enctype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_enctype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_error.txt b/doc/html/_sources/appdev/refs/types/krb5_error.txt deleted file mode 100644 index a160da5..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_error.txt +++ /dev/null @@ -1,75 +0,0 @@ -.. highlightlang:: c - -.. _krb5-error-struct: - -krb5_error -========== - -.. -.. c:type:: krb5_error -.. - -Error message structure. - - - -Declaration ------------- - -typedef struct _krb5_error krb5_error - - -Members ---------- - - -.. c:member:: krb5_magic krb5_error.magic - - - - -.. c:member:: krb5_timestamp krb5_error.ctime - - Client sec portion; optional. - - -.. c:member:: krb5_int32 krb5_error.cusec - - Client usec portion; optional. - - -.. c:member:: krb5_int32 krb5_error.susec - - Server usec portion. - - -.. c:member:: krb5_timestamp krb5_error.stime - - Server sec portion. - - -.. c:member:: krb5_ui_4 krb5_error.error - - Error code (protocol error #'s) - - -.. c:member:: krb5_principal krb5_error.client - - Client principal and realm. - - -.. c:member:: krb5_principal krb5_error.server - - Server principal and realm. - - -.. c:member:: krb5_data krb5_error.text - - Descriptive text. - - -.. c:member:: krb5_data krb5_error.e_data - - Additional error-describing data. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_error_code.txt b/doc/html/_sources/appdev/refs/types/krb5_error_code.txt deleted file mode 100644 index 60a3b72..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_error_code.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-error-code-struct: - -krb5_error_code -=============== - -.. -.. c:type:: krb5_error_code -.. - -Used to convey an operation status. - -The value 0 indicates success; any other values are com_err codes. Use :c:func:`krb5_get_error_message()` to obtain a string describing the error. - -Declaration ------------- - -typedef krb5_int32 krb5_error_code - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.txt b/doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.txt deleted file mode 100644 index 81acfe2..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_expire_callback_func.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-expire-callback-func-struct: - -krb5_expire_callback_func -========================= - -.. -.. c:type:: krb5_expire_callback_func -.. - - - - -Declaration ------------- - -typedef void( \* krb5_expire_callback_func)(krb5_context context, void \*data, krb5_timestamp password_expiration, krb5_timestamp account_expiration, krb5_boolean is_last_req) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_flags.txt b/doc/html/_sources/appdev/refs/types/krb5_flags.txt deleted file mode 100644 index 0efb204..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_flags.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-flags-struct: - -krb5_flags -========== - -.. -.. c:type:: krb5_flags -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_flags - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.txt b/doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.txt deleted file mode 100644 index 52e8e36..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_get_init_creds_opt.txt +++ /dev/null @@ -1,80 +0,0 @@ -.. highlightlang:: c - -.. _krb5-get-init-creds-opt-struct: - -krb5_get_init_creds_opt -======================= - -.. -.. c:type:: krb5_get_init_creds_opt -.. - -Store options for *_krb5_get_init_creds* . - - - -Declaration ------------- - -typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt - - -Members ---------- - - -.. c:member:: krb5_flags krb5_get_init_creds_opt.flags - - - - -.. c:member:: krb5_deltat krb5_get_init_creds_opt.tkt_life - - - - -.. c:member:: krb5_deltat krb5_get_init_creds_opt.renew_life - - - - -.. c:member:: int krb5_get_init_creds_opt.forwardable - - - - -.. c:member:: int krb5_get_init_creds_opt.proxiable - - - - -.. c:member:: krb5_enctype * krb5_get_init_creds_opt.etype_list - - - - -.. c:member:: int krb5_get_init_creds_opt.etype_list_length - - - - -.. c:member:: krb5_address ** krb5_get_init_creds_opt.address_list - - - - -.. c:member:: krb5_preauthtype * krb5_get_init_creds_opt.preauth_list - - - - -.. c:member:: int krb5_get_init_creds_opt.preauth_list_length - - - - -.. c:member:: krb5_data * krb5_get_init_creds_opt.salt - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.txt b/doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.txt deleted file mode 100644 index 665e3cd..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_gic_opt_pa_data.txt +++ /dev/null @@ -1,35 +0,0 @@ -.. highlightlang:: c - -.. _krb5-gic-opt-pa-data-struct: - -krb5_gic_opt_pa_data -==================== - -.. -.. c:type:: krb5_gic_opt_pa_data -.. - -Generic preauth option attribute/value pairs. - - - -Declaration ------------- - -typedef struct _krb5_gic_opt_pa_data krb5_gic_opt_pa_data - - -Members ---------- - - -.. c:member:: char * krb5_gic_opt_pa_data.attr - - - - -.. c:member:: char * krb5_gic_opt_pa_data.value - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_init_creds_context.txt b/doc/html/_sources/appdev/refs/types/krb5_init_creds_context.txt deleted file mode 100644 index 73be70a..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_init_creds_context.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-init-creds-context-struct: - -krb5_init_creds_context -======================= - -.. -.. c:type:: krb5_init_creds_context -.. - - - - -Declaration ------------- - -typedef struct _krb5_init_creds_context\* krb5_init_creds_context - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_int16.txt b/doc/html/_sources/appdev/refs/types/krb5_int16.txt deleted file mode 100644 index 06ca8e6..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_int16.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-int16-struct: - -krb5_int16 -========== - -.. -.. c:type:: krb5_int16 -.. - - - - -Declaration ------------- - -typedef int16_t krb5_int16 - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_int32.txt b/doc/html/_sources/appdev/refs/types/krb5_int32.txt deleted file mode 100644 index b97596f..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_int32.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-int32-struct: - -krb5_int32 -========== - -.. -.. c:type:: krb5_int32 -.. - - - - -Declaration ------------- - -typedef int32_t krb5_int32 - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_kdc_rep.txt b/doc/html/_sources/appdev/refs/types/krb5_kdc_rep.txt deleted file mode 100644 index 5071a8f..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_kdc_rep.txt +++ /dev/null @@ -1,60 +0,0 @@ -.. highlightlang:: c - -.. _krb5-kdc-rep-struct: - -krb5_kdc_rep -============ - -.. -.. c:type:: krb5_kdc_rep -.. - -Representation of the *KDC-REP* protocol message. - - - -Declaration ------------- - -typedef struct _krb5_kdc_rep krb5_kdc_rep - - -Members ---------- - - -.. c:member:: krb5_magic krb5_kdc_rep.magic - - - - -.. c:member:: krb5_msgtype krb5_kdc_rep.msg_type - - KRB5_AS_REP or KRB5_KDC_REP. - - -.. c:member:: krb5_pa_data ** krb5_kdc_rep.padata - - Preauthentication data from KDC. - - -.. c:member:: krb5_principal krb5_kdc_rep.client - - Client principal and realm. - - -.. c:member:: krb5_ticket * krb5_kdc_rep.ticket - - Ticket. - - -.. c:member:: krb5_enc_data krb5_kdc_rep.enc_part - - Encrypted part of reply. - - -.. c:member:: krb5_enc_kdc_rep_part * krb5_kdc_rep.enc_part2 - - Unencrypted version, if available. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_kdc_req.txt b/doc/html/_sources/appdev/refs/types/krb5_kdc_req.txt deleted file mode 100644 index be8af13..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_kdc_req.txt +++ /dev/null @@ -1,105 +0,0 @@ -.. highlightlang:: c - -.. _krb5-kdc-req-struct: - -krb5_kdc_req -============ - -.. -.. c:type:: krb5_kdc_req -.. - -C representation of KDC-REQ protocol message, including KDC-REQ-BODY. - - - -Declaration ------------- - -typedef struct _krb5_kdc_req krb5_kdc_req - - -Members ---------- - - -.. c:member:: krb5_magic krb5_kdc_req.magic - - - - -.. c:member:: krb5_msgtype krb5_kdc_req.msg_type - - KRB5_AS_REQ or KRB5_TGS_REQ. - - -.. c:member:: krb5_pa_data ** krb5_kdc_req.padata - - Preauthentication data. - - -.. c:member:: krb5_flags krb5_kdc_req.kdc_options - - Requested options. - - -.. c:member:: krb5_principal krb5_kdc_req.client - - Client principal and realm. - - -.. c:member:: krb5_principal krb5_kdc_req.server - - Server principal and realm. - - -.. c:member:: krb5_timestamp krb5_kdc_req.from - - Requested start time. - - -.. c:member:: krb5_timestamp krb5_kdc_req.till - - Requested end time. - - -.. c:member:: krb5_timestamp krb5_kdc_req.rtime - - Requested renewable end time. - - -.. c:member:: krb5_int32 krb5_kdc_req.nonce - - Nonce to match request and response. - - -.. c:member:: int krb5_kdc_req.nktypes - - Number of enctypes. - - -.. c:member:: krb5_enctype * krb5_kdc_req.ktype - - Requested enctypes. - - -.. c:member:: krb5_address ** krb5_kdc_req.addresses - - Requested addresses (optional) - - -.. c:member:: krb5_enc_data krb5_kdc_req.authorization_data - - Encrypted authz data (optional) - - -.. c:member:: krb5_authdata ** krb5_kdc_req.unenc_authdata - - Unencrypted authz data. - - -.. c:member:: krb5_ticket ** krb5_kdc_req.second_ticket - - Second ticket array (optional) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_key.txt b/doc/html/_sources/appdev/refs/types/krb5_key.txt deleted file mode 100644 index d662446..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_key.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-key-struct: - -krb5_key -======== - -.. -.. c:type:: krb5_key -.. - -Opaque identifier for a key. - -Use with the krb5_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected. - -Declaration ------------- - -typedef struct krb5_key_st\* krb5_key - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_keyblock.txt b/doc/html/_sources/appdev/refs/types/krb5_keyblock.txt deleted file mode 100644 index ee3ec76..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_keyblock.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-keyblock-struct: - -krb5_keyblock -============= - -.. -.. c:type:: krb5_keyblock -.. - -Exposed contents of a key. - - - -Declaration ------------- - -typedef struct _krb5_keyblock krb5_keyblock - - -Members ---------- - - -.. c:member:: krb5_magic krb5_keyblock.magic - - - - -.. c:member:: krb5_enctype krb5_keyblock.enctype - - - - -.. c:member:: unsigned int krb5_keyblock.length - - - - -.. c:member:: krb5_octet * krb5_keyblock.contents - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_keytab.txt b/doc/html/_sources/appdev/refs/types/krb5_keytab.txt deleted file mode 100644 index c8b3e26..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_keytab.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-keytab-struct: - -krb5_keytab -=========== - -.. -.. c:type:: krb5_keytab -.. - - - - -Declaration ------------- - -typedef struct _krb5_kt\* krb5_keytab - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_keytab_entry.txt b/doc/html/_sources/appdev/refs/types/krb5_keytab_entry.txt deleted file mode 100644 index 81c2be7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_keytab_entry.txt +++ /dev/null @@ -1,50 +0,0 @@ -.. highlightlang:: c - -.. _krb5-keytab-entry-struct: - -krb5_keytab_entry -================= - -.. -.. c:type:: krb5_keytab_entry -.. - -A key table entry. - - - -Declaration ------------- - -typedef struct krb5_keytab_entry_st krb5_keytab_entry - - -Members ---------- - - -.. c:member:: krb5_magic krb5_keytab_entry.magic - - - - -.. c:member:: krb5_principal krb5_keytab_entry.principal - - Principal of this key. - - -.. c:member:: krb5_timestamp krb5_keytab_entry.timestamp - - Time entry written to keytable. - - -.. c:member:: krb5_kvno krb5_keytab_entry.vno - - Key version number. - - -.. c:member:: krb5_keyblock krb5_keytab_entry.key - - The secret key. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_keyusage.txt b/doc/html/_sources/appdev/refs/types/krb5_keyusage.txt deleted file mode 100644 index 56885f7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_keyusage.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-keyusage-struct: - -krb5_keyusage -============= - -.. -.. c:type:: krb5_keyusage -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_keyusage - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_kt_cursor.txt b/doc/html/_sources/appdev/refs/types/krb5_kt_cursor.txt deleted file mode 100644 index d08ea00..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_kt_cursor.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-kt-cursor-struct: - -krb5_kt_cursor -============== - -.. -.. c:type:: krb5_kt_cursor -.. - - - - -Declaration ------------- - -typedef krb5_pointer krb5_kt_cursor - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_kvno.txt b/doc/html/_sources/appdev/refs/types/krb5_kvno.txt deleted file mode 100644 index 324ce12..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_kvno.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-kvno-struct: - -krb5_kvno -========= - -.. -.. c:type:: krb5_kvno -.. - - - - -Declaration ------------- - -typedef unsigned int krb5_kvno - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_last_req_entry.txt b/doc/html/_sources/appdev/refs/types/krb5_last_req_entry.txt deleted file mode 100644 index d7e6378..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_last_req_entry.txt +++ /dev/null @@ -1,40 +0,0 @@ -.. highlightlang:: c - -.. _krb5-last-req-entry-struct: - -krb5_last_req_entry -=================== - -.. -.. c:type:: krb5_last_req_entry -.. - -Last request entry. - - - -Declaration ------------- - -typedef struct _krb5_last_req_entry krb5_last_req_entry - - -Members ---------- - - -.. c:member:: krb5_magic krb5_last_req_entry.magic - - - - -.. c:member:: krb5_int32 krb5_last_req_entry.lr_type - - LR type. - - -.. c:member:: krb5_timestamp krb5_last_req_entry.value - - Timestamp. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_magic.txt b/doc/html/_sources/appdev/refs/types/krb5_magic.txt deleted file mode 100644 index 3be2051..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_magic.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-magic-struct: - -krb5_magic -========== - -.. -.. c:type:: krb5_magic -.. - - - - -Declaration ------------- - -typedef krb5_error_code krb5_magic - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.txt b/doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.txt deleted file mode 100644 index a8f34c8..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_mk_req_checksum_func.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-mk-req-checksum-func-struct: - -krb5_mk_req_checksum_func -========================= - -.. -.. c:type:: krb5_mk_req_checksum_func -.. - -Type of function used as a callback to generate checksum data for mk_req. - - - -Declaration ------------- - -typedef krb5_error_code( \* krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context, void \*, krb5_data \*\*) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_msgtype.txt b/doc/html/_sources/appdev/refs/types/krb5_msgtype.txt deleted file mode 100644 index 5e93f24..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_msgtype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-msgtype-struct: - -krb5_msgtype -============ - -.. -.. c:type:: krb5_msgtype -.. - - - - -Declaration ------------- - -typedef unsigned int krb5_msgtype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_octet.txt b/doc/html/_sources/appdev/refs/types/krb5_octet.txt deleted file mode 100644 index 3ec5e33..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_octet.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-octet-struct: - -krb5_octet -========== - -.. -.. c:type:: krb5_octet -.. - - - - -Declaration ------------- - -typedef uint8_t krb5_octet - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pa_data.txt b/doc/html/_sources/appdev/refs/types/krb5_pa_data.txt deleted file mode 100644 index a594900..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pa_data.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pa-data-struct: - -krb5_pa_data -============ - -.. -.. c:type:: krb5_pa_data -.. - -Pre-authentication data. - - - -Declaration ------------- - -typedef struct _krb5_pa_data krb5_pa_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_pa_data.magic - - - - -.. c:member:: krb5_preauthtype krb5_pa_data.pa_type - - Preauthentication data type. - - -.. c:member:: unsigned int krb5_pa_data.length - - Length of data. - - -.. c:member:: krb5_octet * krb5_pa_data.contents - - Data. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.txt b/doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.txt deleted file mode 100644 index e62edad..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pa_pac_req.txt +++ /dev/null @@ -1,29 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pa-pac-req-struct: - -krb5_pa_pac_req -=============== - -.. -.. c:type:: krb5_pa_pac_req -.. - - - - -Declaration ------------- - -typedef struct _krb5_pa_pac_req krb5_pa_pac_req - - -Members ---------- - - -.. c:member:: krb5_boolean krb5_pa_pac_req.include_pac - - TRUE if a PAC should be included in TGS-REP. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.txt b/doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.txt deleted file mode 100644 index 59460d7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pa_server_referral_data.txt +++ /dev/null @@ -1,49 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pa-server-referral-data-struct: - -krb5_pa_server_referral_data -============================ - -.. -.. c:type:: krb5_pa_server_referral_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_pa_server_referral_data krb5_pa_server_referral_data - - -Members ---------- - - -.. c:member:: krb5_data * krb5_pa_server_referral_data.referred_realm - - - - -.. c:member:: krb5_principal krb5_pa_server_referral_data.true_principal_name - - - - -.. c:member:: krb5_principal krb5_pa_server_referral_data.requested_principal_name - - - - -.. c:member:: krb5_timestamp krb5_pa_server_referral_data.referral_valid_until - - - - -.. c:member:: krb5_checksum krb5_pa_server_referral_data.rep_cksum - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.txt b/doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.txt deleted file mode 100644 index ea31606..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pa_svr_referral_data.txt +++ /dev/null @@ -1,29 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pa-svr-referral-data-struct: - -krb5_pa_svr_referral_data -========================= - -.. -.. c:type:: krb5_pa_svr_referral_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_pa_svr_referral_data krb5_pa_svr_referral_data - - -Members ---------- - - -.. c:member:: krb5_principal krb5_pa_svr_referral_data.principal - - Referred name, only realm is required. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pac.txt b/doc/html/_sources/appdev/refs/types/krb5_pac.txt deleted file mode 100644 index 9903e8e..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pac.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pac-struct: - -krb5_pac -======== - -.. -.. c:type:: krb5_pac -.. - -PAC data structure to convey authorization information. - - - -Declaration ------------- - -typedef struct krb5_pac_data\* krb5_pac - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pointer.txt b/doc/html/_sources/appdev/refs/types/krb5_pointer.txt deleted file mode 100644 index ff1588a..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pointer.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pointer-struct: - -krb5_pointer -============ - -.. -.. c:type:: krb5_pointer -.. - - - - -Declaration ------------- - -typedef void\* krb5_pointer - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.txt b/doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.txt deleted file mode 100644 index ed37b01..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_post_recv_fn.txt +++ /dev/null @@ -1,22 +0,0 @@ -.. highlightlang:: c - -.. _krb5-post-recv-fn-struct: - -krb5_post_recv_fn -================= - -.. -.. c:type:: krb5_post_recv_fn -.. - -Hook function for inspecting or overriding KDC replies. - -If *code* is non-zero, KDC communication failed and *reply* should be ignored. The hook function may return *code* or a different error code, or may synthesize a reply by setting *new_reply_out* and return successfully. -The hook function should use :c:func:`krb5_copy_data()` to construct the value for *new_reply_out* , to ensure that it can be freed correctly by the library. - -Declaration ------------- - -typedef krb5_error_code( \* krb5_post_recv_fn)(krb5_context context, void \*data, krb5_error_code code, const krb5_data \*realm, const krb5_data \*message, const krb5_data \*reply, krb5_data \*\*new_reply_out) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.txt b/doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.txt deleted file mode 100644 index a0fa04f..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pre_send_fn.txt +++ /dev/null @@ -1,24 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pre-send-fn-struct: - -krb5_pre_send_fn -================ - -.. -.. c:type:: krb5_pre_send_fn -.. - -Hook function for inspecting or modifying messages sent to KDCs. - -If the hook function sets *reply_out* , *message* will not be sent to the KDC, and the given reply will used instead. -If the hook function sets *new_message_out* , the given message will be sent to the KDC in place of *message* . -If the hook function returns successfully without setting either output, *message* will be sent to the KDC normally. -The hook function should use :c:func:`krb5_copy_data()` to construct the value for *new_message_out* or *reply_out* , to ensure that it can be freed correctly by the library. - -Declaration ------------- - -typedef krb5_error_code( \* krb5_pre_send_fn)(krb5_context context, void \*data, const krb5_data \*realm, const krb5_data \*message, krb5_data \*\*new_message_out, krb5_data \*\*new_reply_out) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_preauthtype.txt b/doc/html/_sources/appdev/refs/types/krb5_preauthtype.txt deleted file mode 100644 index 601c6de..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_preauthtype.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-preauthtype-struct: - -krb5_preauthtype -================ - -.. -.. c:type:: krb5_preauthtype -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_preauthtype - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_principal.txt b/doc/html/_sources/appdev/refs/types/krb5_principal.txt deleted file mode 100644 index 38c2e9a..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_principal.txt +++ /dev/null @@ -1,49 +0,0 @@ -.. highlightlang:: c - -.. _krb5-principal-struct: - -krb5_principal -============== - -.. -.. c:type:: krb5_principal -.. - - - - -Declaration ------------- - -typedef krb5_principal_data\* krb5_principal - - -Members ---------- - - -.. c:member:: krb5_magic krb5_principal.magic - - - - -.. c:member:: krb5_data krb5_principal.realm - - - - -.. c:member:: krb5_data * krb5_principal.data - - An array of strings. - - -.. c:member:: krb5_int32 krb5_principal.length - - - - -.. c:member:: krb5_int32 krb5_principal.type - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_principal_data.txt b/doc/html/_sources/appdev/refs/types/krb5_principal_data.txt deleted file mode 100644 index f094f9c..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_principal_data.txt +++ /dev/null @@ -1,49 +0,0 @@ -.. highlightlang:: c - -.. _krb5-principal-data-struct: - -krb5_principal_data -=================== - -.. -.. c:type:: krb5_principal_data -.. - - - - -Declaration ------------- - -typedef struct krb5_principal_data krb5_principal_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_principal_data.magic - - - - -.. c:member:: krb5_data krb5_principal_data.realm - - - - -.. c:member:: krb5_data * krb5_principal_data.data - - An array of strings. - - -.. c:member:: krb5_int32 krb5_principal_data.length - - - - -.. c:member:: krb5_int32 krb5_principal_data.type - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_prompt.txt b/doc/html/_sources/appdev/refs/types/krb5_prompt.txt deleted file mode 100644 index cfc1698..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_prompt.txt +++ /dev/null @@ -1,40 +0,0 @@ -.. highlightlang:: c - -.. _krb5-prompt-struct: - -krb5_prompt -=========== - -.. -.. c:type:: krb5_prompt -.. - -Text for prompt used in prompter callback function. - - - -Declaration ------------- - -typedef struct _krb5_prompt krb5_prompt - - -Members ---------- - - -.. c:member:: char * krb5_prompt.prompt - - The prompt to show to the user. - - -.. c:member:: int krb5_prompt.hidden - - Boolean; informative prompt or hidden (e.g. - PIN) - -.. c:member:: krb5_data * krb5_prompt.reply - - Must be allocated before call to prompt routine. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_prompt_type.txt b/doc/html/_sources/appdev/refs/types/krb5_prompt_type.txt deleted file mode 100644 index 6495c65..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_prompt_type.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-prompt-type-struct: - -krb5_prompt_type -================ - -.. -.. c:type:: krb5_prompt_type -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_prompt_type - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_prompter_fct.txt b/doc/html/_sources/appdev/refs/types/krb5_prompter_fct.txt deleted file mode 100644 index 66b8f6d..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_prompter_fct.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-prompter-fct-struct: - -krb5_prompter_fct -================= - -.. -.. c:type:: krb5_prompter_fct -.. - -Pointer to a prompter callback function. - - - -Declaration ------------- - -typedef krb5_error_code( \* krb5_prompter_fct)(krb5_context context, void \*data, const char \*name, const char \*banner, int num_prompts, krb5_prompt prompts[]) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_pwd_data.txt b/doc/html/_sources/appdev/refs/types/krb5_pwd_data.txt deleted file mode 100644 index 67c03f7..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_pwd_data.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. highlightlang:: c - -.. _krb5-pwd-data-struct: - -krb5_pwd_data -============= - -.. -.. c:type:: krb5_pwd_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_pwd_data krb5_pwd_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_pwd_data.magic - - - - -.. c:member:: int krb5_pwd_data.sequence_count - - - - -.. c:member:: passwd_phrase_element ** krb5_pwd_data.element - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_rcache.txt b/doc/html/_sources/appdev/refs/types/krb5_rcache.txt deleted file mode 100644 index 43f17fe..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_rcache.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-rcache-struct: - -krb5_rcache -=========== - -.. -.. c:type:: krb5_rcache -.. - - - - -Declaration ------------- - -typedef struct krb5_rc_st\* krb5_rcache - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_replay_data.txt b/doc/html/_sources/appdev/refs/types/krb5_replay_data.txt deleted file mode 100644 index 0008fa6..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_replay_data.txt +++ /dev/null @@ -1,40 +0,0 @@ -.. highlightlang:: c - -.. _krb5-replay-data-struct: - -krb5_replay_data -================ - -.. -.. c:type:: krb5_replay_data -.. - -Replay data. - -Sequence number and timestamp information output by :c:func:`krb5_rd_priv()` and :c:func:`krb5_rd_safe()` . - -Declaration ------------- - -typedef struct krb5_replay_data krb5_replay_data - - -Members ---------- - - -.. c:member:: krb5_timestamp krb5_replay_data.timestamp - - Timestamp, seconds portion. - - -.. c:member:: krb5_int32 krb5_replay_data.usec - - Timestamp, microseconds portion. - - -.. c:member:: krb5_ui_4 krb5_replay_data.seq - - Sequence number. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_context.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_context.txt deleted file mode 100644 index 3a7eb21..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_context.txt +++ /dev/null @@ -1,22 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-context-struct: - -krb5_responder_context -====================== - -.. -.. c:type:: krb5_responder_context -.. - -A container for a set of preauthentication questions and answers. - -A responder context is supplied by the krb5 authentication system to a :c:type:`krb5_responder_fn` callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using :c:func:`krb5_responder_list_questions()` , retrieved using :c:func:`krb5_responder_get_challenge()` , or answered using :c:func:`krb5_responder_set_answer()` . The form of a question's challenge and answer depend on the question name. - - -Declaration ------------- - -typedef struct krb5_responder_context_st\* krb5_responder_context - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_fn.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_fn.txt deleted file mode 100644 index 8fcd2e2..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_fn.txt +++ /dev/null @@ -1,21 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-fn-struct: - -krb5_responder_fn -================= - -.. -.. c:type:: krb5_responder_fn -.. - -Responder function for an initial credential exchange. - -If a required question is unanswered, the prompter may be called. - -Declaration ------------- - -typedef krb5_error_code( \* krb5_responder_fn)(krb5_context ctx, void \*data, krb5_responder_context rctx) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.txt deleted file mode 100644 index e46c7ed..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_otp_challenge.txt +++ /dev/null @@ -1,34 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-otp-challenge-struct: - -krb5_responder_otp_challenge -============================ - -.. -.. c:type:: krb5_responder_otp_challenge -.. - - - - -Declaration ------------- - -typedef struct _krb5_responder_otp_challenge krb5_responder_otp_challenge - - -Members ---------- - - -.. c:member:: char * krb5_responder_otp_challenge.service - - - - -.. c:member:: krb5_responder_otp_tokeninfo ** krb5_responder_otp_challenge.tokeninfo - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.txt deleted file mode 100644 index 8c5c4b8..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_otp_tokeninfo.txt +++ /dev/null @@ -1,59 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-otp-tokeninfo-struct: - -krb5_responder_otp_tokeninfo -============================ - -.. -.. c:type:: krb5_responder_otp_tokeninfo -.. - - - - -Declaration ------------- - -typedef struct _krb5_responder_otp_tokeninfo krb5_responder_otp_tokeninfo - - -Members ---------- - - -.. c:member:: krb5_flags krb5_responder_otp_tokeninfo.flags - - - - -.. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.format - - - - -.. c:member:: krb5_int32 krb5_responder_otp_tokeninfo.length - - - - -.. c:member:: char * krb5_responder_otp_tokeninfo.vendor - - - - -.. c:member:: char * krb5_responder_otp_tokeninfo.challenge - - - - -.. c:member:: char * krb5_responder_otp_tokeninfo.token_id - - - - -.. c:member:: char * krb5_responder_otp_tokeninfo.alg_id - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.txt deleted file mode 100644 index f309cfc..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_challenge.txt +++ /dev/null @@ -1,29 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-pkinit-challenge-struct: - -krb5_responder_pkinit_challenge -=============================== - -.. -.. c:type:: krb5_responder_pkinit_challenge -.. - - - - -Declaration ------------- - -typedef struct _krb5_responder_pkinit_challenge krb5_responder_pkinit_challenge - - -Members ---------- - - -.. c:member:: krb5_responder_pkinit_identity ** krb5_responder_pkinit_challenge.identities - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.txt b/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.txt deleted file mode 100644 index 56f3722..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_responder_pkinit_identity.txt +++ /dev/null @@ -1,34 +0,0 @@ -.. highlightlang:: c - -.. _krb5-responder-pkinit-identity-struct: - -krb5_responder_pkinit_identity -============================== - -.. -.. c:type:: krb5_responder_pkinit_identity -.. - - - - -Declaration ------------- - -typedef struct _krb5_responder_pkinit_identity krb5_responder_pkinit_identity - - -Members ---------- - - -.. c:member:: char * krb5_responder_pkinit_identity.identity - - - - -.. c:member:: krb5_int32 krb5_responder_pkinit_identity.token_flags - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_response.txt b/doc/html/_sources/appdev/refs/types/krb5_response.txt deleted file mode 100644 index 4876233..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_response.txt +++ /dev/null @@ -1,49 +0,0 @@ -.. highlightlang:: c - -.. _krb5-response-struct: - -krb5_response -============= - -.. -.. c:type:: krb5_response -.. - - - - -Declaration ------------- - -typedef struct _krb5_response krb5_response - - -Members ---------- - - -.. c:member:: krb5_magic krb5_response.magic - - - - -.. c:member:: krb5_octet krb5_response.message_type - - - - -.. c:member:: krb5_data krb5_response.response - - - - -.. c:member:: krb5_int32 krb5_response.expected_nonce - - - - -.. c:member:: krb5_timestamp krb5_response.request_time - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ticket.txt b/doc/html/_sources/appdev/refs/types/krb5_ticket.txt deleted file mode 100644 index 2a809d4..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ticket.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ticket-struct: - -krb5_ticket -=========== - -.. -.. c:type:: krb5_ticket -.. - -Ticket structure. - -The C representation of the ticket message, with a pointer to the C representation of the encrypted part. - -Declaration ------------- - -typedef struct _krb5_ticket krb5_ticket - - -Members ---------- - - -.. c:member:: krb5_magic krb5_ticket.magic - - - - -.. c:member:: krb5_principal krb5_ticket.server - - server name/realm - - -.. c:member:: krb5_enc_data krb5_ticket.enc_part - - encryption type, kvno, encrypted encoding - - -.. c:member:: krb5_enc_tkt_part * krb5_ticket.enc_part2 - - ptr to decrypted version, if available - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ticket_times.txt b/doc/html/_sources/appdev/refs/types/krb5_ticket_times.txt deleted file mode 100644 index 57dab5d..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ticket_times.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ticket-times-struct: - -krb5_ticket_times -================= - -.. -.. c:type:: krb5_ticket_times -.. - -Ticket start time, end time, and renewal duration. - - - -Declaration ------------- - -typedef struct _krb5_ticket_times krb5_ticket_times - - -Members ---------- - - -.. c:member:: krb5_timestamp krb5_ticket_times.authtime - - Time at which KDC issued the initial ticket that corresponds to this ticket. - - -.. c:member:: krb5_timestamp krb5_ticket_times.starttime - - optional in ticket, if not present, use *authtime* - - -.. c:member:: krb5_timestamp krb5_ticket_times.endtime - - Ticket expiration time. - - -.. c:member:: krb5_timestamp krb5_ticket_times.renew_till - - Latest time at which renewal of ticket can be valid. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt b/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt deleted file mode 100644 index e9263e4..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_timestamp.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-timestamp-struct: - -krb5_timestamp -============== - -.. -.. c:type:: krb5_timestamp -.. - - - - -Declaration ------------- - -typedef krb5_int32 krb5_timestamp - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_tkt_authent.txt b/doc/html/_sources/appdev/refs/types/krb5_tkt_authent.txt deleted file mode 100644 index 307c63f..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_tkt_authent.txt +++ /dev/null @@ -1,45 +0,0 @@ -.. highlightlang:: c - -.. _krb5-tkt-authent-struct: - -krb5_tkt_authent -================ - -.. -.. c:type:: krb5_tkt_authent -.. - -Ticket authentication data. - - - -Declaration ------------- - -typedef struct _krb5_tkt_authent krb5_tkt_authent - - -Members ---------- - - -.. c:member:: krb5_magic krb5_tkt_authent.magic - - - - -.. c:member:: krb5_ticket * krb5_tkt_authent.ticket - - - - -.. c:member:: krb5_authenticator * krb5_tkt_authent.authenticator - - - - -.. c:member:: krb5_flags krb5_tkt_authent.ap_options - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.txt b/doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.txt deleted file mode 100644 index 398d42f..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_tkt_creds_context.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-tkt-creds-context-struct: - -krb5_tkt_creds_context -====================== - -.. -.. c:type:: krb5_tkt_creds_context -.. - - - - -Declaration ------------- - -typedef struct _krb5_tkt_creds_context\* krb5_tkt_creds_context - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_trace_callback.txt b/doc/html/_sources/appdev/refs/types/krb5_trace_callback.txt deleted file mode 100644 index b3bff56..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_trace_callback.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-trace-callback-struct: - -krb5_trace_callback -=================== - -.. -.. c:type:: krb5_trace_callback -.. - - - - -Declaration ------------- - -typedef void( \* krb5_trace_callback)(krb5_context context, const krb5_trace_info \*info, void \*cb_data) - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_trace_info.txt b/doc/html/_sources/appdev/refs/types/krb5_trace_info.txt deleted file mode 100644 index 7f303b6..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_trace_info.txt +++ /dev/null @@ -1,30 +0,0 @@ -.. highlightlang:: c - -.. _krb5-trace-info-struct: - -krb5_trace_info -=============== - -.. -.. c:type:: krb5_trace_info -.. - -A wrapper for passing information to a *krb5_trace_callback* . - -Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future. - -Declaration ------------- - -typedef struct _krb5_trace_info krb5_trace_info - - -Members ---------- - - -.. c:member:: const char * krb5_trace_info.message - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_transited.txt b/doc/html/_sources/appdev/refs/types/krb5_transited.txt deleted file mode 100644 index 5966479..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_transited.txt +++ /dev/null @@ -1,40 +0,0 @@ -.. highlightlang:: c - -.. _krb5-transited-struct: - -krb5_transited -============== - -.. -.. c:type:: krb5_transited -.. - -Structure for transited encoding. - - - -Declaration ------------- - -typedef struct _krb5_transited krb5_transited - - -Members ---------- - - -.. c:member:: krb5_magic krb5_transited.magic - - - - -.. c:member:: krb5_octet krb5_transited.tr_type - - Transited encoding type. - - -.. c:member:: krb5_data krb5_transited.tr_contents - - Contents. - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_typed_data.txt b/doc/html/_sources/appdev/refs/types/krb5_typed_data.txt deleted file mode 100644 index e3555eb..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_typed_data.txt +++ /dev/null @@ -1,44 +0,0 @@ -.. highlightlang:: c - -.. _krb5-typed-data-struct: - -krb5_typed_data -=============== - -.. -.. c:type:: krb5_typed_data -.. - - - - -Declaration ------------- - -typedef struct _krb5_typed_data krb5_typed_data - - -Members ---------- - - -.. c:member:: krb5_magic krb5_typed_data.magic - - - - -.. c:member:: krb5_int32 krb5_typed_data.type - - - - -.. c:member:: unsigned int krb5_typed_data.length - - - - -.. c:member:: krb5_octet * krb5_typed_data.data - - - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ui_2.txt b/doc/html/_sources/appdev/refs/types/krb5_ui_2.txt deleted file mode 100644 index ce9c205..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ui_2.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ui-2-struct: - -krb5_ui_2 -========= - -.. -.. c:type:: krb5_ui_2 -.. - - - - -Declaration ------------- - -typedef uint16_t krb5_ui_2 - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_ui_4.txt b/doc/html/_sources/appdev/refs/types/krb5_ui_4.txt deleted file mode 100644 index b41ecb4..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_ui_4.txt +++ /dev/null @@ -1,20 +0,0 @@ -.. highlightlang:: c - -.. _krb5-ui-4-struct: - -krb5_ui_4 -========= - -.. -.. c:type:: krb5_ui_4 -.. - - - - -Declaration ------------- - -typedef uint32_t krb5_ui_4 - - diff --git a/doc/html/_sources/appdev/refs/types/krb5_verify_init_creds_opt.txt b/doc/html/_sources/appdev/refs/types/krb5_verify_init_creds_opt.txt deleted file mode 100644 index eaefb19..0000000 --- a/doc/html/_sources/appdev/refs/types/krb5_verify_init_creds_opt.txt +++ /dev/null @@ -1,34 +0,0 @@ -.. highlightlang:: c - -.. _krb5-verify-init-creds-opt-struct: - -krb5_verify_init_creds_opt -========================== - -.. -.. c:type:: krb5_verify_init_creds_opt -.. - - - - -Declaration ------------- - -typedef struct _krb5_verify_init_creds_opt krb5_verify_init_creds_opt - - -Members ---------- - - -.. c:member:: krb5_flags krb5_verify_init_creds_opt.flags - - - - -.. c:member:: int krb5_verify_init_creds_opt.ap_req_nofail - - boolean - - diff --git a/doc/html/_sources/appdev/refs/types/passwd_phrase_element.txt b/doc/html/_sources/appdev/refs/types/passwd_phrase_element.txt deleted file mode 100644 index c4738c5..0000000 --- a/doc/html/_sources/appdev/refs/types/passwd_phrase_element.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. highlightlang:: c - -.. _passwd-phrase-element-struct: - -passwd_phrase_element -===================== - -.. -.. c:type:: passwd_phrase_element -.. - - - - -Declaration ------------- - -typedef struct _passwd_phrase_element passwd_phrase_element - - -Members ---------- - - -.. c:member:: krb5_magic passwd_phrase_element.magic - - - - -.. c:member:: krb5_data * passwd_phrase_element.passwd - - - - -.. c:member:: krb5_data * passwd_phrase_element.phrase - - - - diff --git a/doc/html/_sources/basic/ccache_def.txt b/doc/html/_sources/basic/ccache_def.txt deleted file mode 100644 index ff857f4..0000000 --- a/doc/html/_sources/basic/ccache_def.txt +++ /dev/null @@ -1,153 +0,0 @@ -.. _ccache_definition: - -Credential cache -================ - -A credential cache (or "ccache") holds Kerberos credentials while they -remain valid and, generally, while the user's session lasts, so that -authenticating to a service multiple times (e.g., connecting to a web -or mail server more than once) doesn't require contacting the KDC -every time. - -A credential cache usually contains one initial ticket which is -obtained using a password or another form of identity verification. -If this ticket is a ticket-granting ticket, it can be used to obtain -additional credentials without the password. Because the credential -cache does not store the password, less long-term damage can be done -to the user's account if the machine is compromised. - -A credentials cache stores a default client principal name, set when -the cache is created. This is the name shown at the top of the -:ref:`klist(1)` *-A* output. - -Each normal cache entry includes a service principal name, a client -principal name (which, in some ccache types, need not be the same as -the default), lifetime information, and flags, along with the -credential itself. There are also other entries, indicated by special -names, that store additional information. - - -ccache types ------------- - -The credential cache interface, like the :ref:`keytab_definition` and -:ref:`rcache_definition` interfaces, uses `TYPE:value` strings to -indicate the type of credential cache and any associated cache naming -data to use. - -There are several kinds of credentials cache supported in the MIT -Kerberos library. Not all are supported on every platform. In most -cases, it should be correct to use the default type built into the -library. - -#. **API** is only implemented on Windows. It communicates with a - server process that holds the credentials in memory for the user, - rather than writing them to disk. - -#. **DIR** points to the storage location of the collection of the - credential caches in *FILE:* format. It is most useful when dealing - with multiple Kerberos realms and KDCs. For release 1.10 the - directory must already exist. In post-1.10 releases the - requirement is for parent directory to exist and the current - process must have permissions to create the directory if it does - not exist. See :ref:`col_ccache` for details. New in release 1.10. - -#. **FILE** caches are the simplest and most portable. A simple flat - file format is used to store one credential after another. This is - the default ccache type if no type is specified in a ccache name. - -#. **KCM** caches work by contacting a daemon process called ``kcm`` - to perform cache operations. If the cache name is just ``KCM:``, - the default cache as determined by the KCM daemon will be used. - Newly created caches must generally be named ``KCM:uid:name``, - where *uid* is the effective user ID of the running process. - - KCM client support is new in release 1.13. A KCM daemon has not - yet been implemented in MIT krb5, but the client will interoperate - with the KCM daemon implemented by Heimdal. OS X 10.7 and higher - provides a KCM daemon as part of the operating system, and the - **KCM** cache type is used as the default cache on that platform in - a default build. - -#. **KEYRING** is Linux-specific, and uses the kernel keyring support - to store credential data in unswappable kernel memory where only - the current user should be able to access it. The following - residual forms are supported: - - * KEYRING:name - * KEYRING:process:name - process keyring - * KEYRING:thread:name - thread keyring - - Starting with release 1.12 the *KEYRING* type supports collections. - The following new residual forms were added: - - * KEYRING:session:name - session keyring - * KEYRING:user:name - user keyring - * KEYRING:persistent:uidnumber - persistent per-UID collection. - Unlike the user keyring, this collection survives after the user - logs out, until the cache credentials expire. This type of - ccache requires support from the kernel; otherwise, it will fall - back to the user keyring. - - See :ref:`col_ccache` for details. - -#. **MEMORY** caches are for storage of credentials that don't need to - be made available outside of the current process. For example, a - memory ccache is used by :ref:`kadmin(1)` to store the - administrative ticket used to contact the admin server. Memory - ccaches are faster than file ccaches and are automatically - destroyed when the process exits. - -#. **MSLSA** is a Windows-specific cache type that accesses the - Windows credential store. - - -.. _col_ccache: - -Collections of caches ---------------------- - -Some credential cache types can support collections of multiple -caches. One of the caches in the collection is designated as the -*primary* and will be used when the collection is resolved as a cache. -When a collection-enabled cache type is the default cache for a -process, applications can search the specified collection for a -specific client principal, and GSSAPI applications will automatically -select between the caches in the collection based on criteria such as -the target service realm. - -Credential cache collections are new in release 1.10, with support -from the **DIR** and **API** ccache types. Starting in release 1.12, -collections are also supported by the **KEYRING** ccache type. -Collections are supported by the **KCM** ccache type in release 1.13. - - -Tool alterations to use cache collection -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -* :ref:`kdestroy(1)` *-A* will destroy all caches in the collection. -* If the default cache type supports switching, :ref:`kinit(1)` - *princname* will search the collection for a matching cache and - store credentials there, or will store credentials in a new unique - cache of the default type if no existing cache for the principal - exists. Either way, kinit will switch to the selected cache. -* :ref:`klist(1)` *-l* will list the caches in the collection. -* :ref:`klist(1)` *-A* will show the content of all caches in the - collection. -* :ref:`kswitch(1)` *-p princname* will search the collection for a - matching cache and switch to it. -* :ref:`kswitch(1)` *-c cachename* will switch to a specified cache. - - -Default ccache name -------------------- - -The default credential cache name is determined by the following, in -descending order of priority: - -#. The **KRB5CCNAME** environment variable. For example, - ``KRB5CCNAME=DIR:/mydir/``. - -#. The **default_ccache_name** profile variable in :ref:`libdefaults`. - -#. The hardcoded default, |ccache|. diff --git a/doc/html/_sources/basic/date_format.txt b/doc/html/_sources/basic/date_format.txt deleted file mode 100644 index 6ee82ce..0000000 --- a/doc/html/_sources/basic/date_format.txt +++ /dev/null @@ -1,140 +0,0 @@ -.. _datetime: - -Supported date and time formats -=============================== - -.. _duration: - -Time duration -------------- - -This format is used to express a time duration in the Kerberos -configuration files and user commands. The allowed formats are: - - ====================== ============== ============ - Format Example Value - ---------------------- -------------- ------------ - h:m[:s] 36:00 36 hours - NdNhNmNs 8h30s 8 hours 30 seconds - N (number of seconds) 3600 1 hour - ====================== ============== ============ - -Here *N* denotes a number, *d* - days, *h* - hours, *m* - minutes, -*s* - seconds. - -.. note:: - - The time interval should not exceed 2147483647 seconds. - -Examples:: - - Request a ticket valid for one hour, five hours, 30 minutes - and 10 days respectively: - - kinit -l 3600 - kinit -l 5:00 - kinit -l 30m - kinit -l "10d 0h 0m 0s" - - -.. _getdate: - -getdate time ------------- - -Some of the kadmin and kdb5_util commands take a date-time in a -human-readable format. Some of the acceptable date-time -strings are: - - +-----------+------------------+-----------------+ - | | Format | Example | - +===========+==================+=================+ - | Date | mm/dd/yy | 07/27/12 | - | +------------------+-----------------+ - | | month dd, yyyy | Jul 27, 2012 | - | +------------------+-----------------+ - | | yyyy-mm-dd | 2012-07-27 | - +-----------+------------------+-----------------+ - | Absolute | HH:mm[:ss]pp | 08:30 PM | - | time +------------------+-----------------+ - | | hh:mm[:ss] | 20:30 | - +-----------+------------------+-----------------+ - | Relative | N tt | 30 sec | - | time | | | - +-----------+------------------+-----------------+ - | Time zone | Z | EST | - | +------------------+-----------------+ - | | z | -0400 | - +-----------+------------------+-----------------+ - -(See :ref:`abbreviation`.) - -Examples:: - - Create a principal that expires on the date indicated: - addprinc test1 -expire "3/27/12 10:00:07 EST" - addprinc test2 -expire "January 23, 2015 10:05pm" - addprinc test3 -expire "22:00 GMT" - Add a principal that will expire in 30 minutes: - addprinc test4 -expire "30 minutes" - - -.. _abstime: - -Absolute time -------------- - -This rarely used date-time format can be noted in one of the -following ways: - - - +------------------------+----------------------+--------------+ - | Format | Example | Value | - +========================+======================+==============+ - | yyyymmddhhmmss | 20141231235900 | One minute | - +------------------------+----------------------+ before 2015 | - | yyyy.mm.dd.hh.mm.ss | 2014.12.31.23.59.00 | | - +------------------------+----------------------+ | - | yymmddhhmmss | 141231235900 | | - +------------------------+----------------------+ | - | yy.mm.dd.hh.mm.ss | 14.12.31.23.59.00 | | - +------------------------+----------------------+ | - | dd-month-yyyy:hh:mm:ss | 31-Dec-2014:23:59:00 | | - +------------------------+----------------------+--------------+ - | hh:mm:ss | 20:00:00 | 8 o'clock in | - +------------------------+----------------------+ the evening | - | hhmmss | 200000 | | - +------------------------+----------------------+--------------+ - -(See :ref:`abbreviation`.) - -Example:: - - Set the default expiration date to July 27, 2012 at 20:30 - default_principal_expiration = 20120727203000 - - -.. _abbreviation: - -Abbreviations used in this document -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -| *month* : locale’s month name or its abbreviation; -| *dd* : day of month (01-31); -| *HH* : hours (00-12); -| *hh* : hours (00-23); -| *mm* : in time - minutes (00-59); in date - month (01-12); -| *N* : number; -| *pp* : AM or PM; -| *ss* : seconds (00-60); -| *tt* : time units (hours, minutes, min, seconds, sec); -| *yyyy* : year; -| *yy* : last two digits of the year; -| *Z* : alphabetic time zone abbreviation; -| *z* : numeric time zone; - -.. note:: - - - If the date specification contains spaces, you may need to - enclose it in double quotes; - - All keywords are case-insensitive. diff --git a/doc/html/_sources/basic/index.txt b/doc/html/_sources/basic/index.txt deleted file mode 100644 index 87a9b54..0000000 --- a/doc/html/_sources/basic/index.txt +++ /dev/null @@ -1,14 +0,0 @@ -.. _basic_concepts: - -Kerberos V5 concepts -==================== - - -.. toctree:: - :maxdepth: 1 - - ccache_def - keytab_def - rcache_def - stash_file_def - date_format diff --git a/doc/html/_sources/basic/keytab_def.txt b/doc/html/_sources/basic/keytab_def.txt deleted file mode 100644 index 33ae67c..0000000 --- a/doc/html/_sources/basic/keytab_def.txt +++ /dev/null @@ -1,61 +0,0 @@ -.. _keytab_definition: - -keytab -====== - -A keytab (short for "key table") stores long-term keys for one or more -principals. Keytabs are normally represented by files in a standard -format, although in rare cases they can be represented in other ways. -Keytabs are used most often to allow server applications to accept -authentications from clients, but can also be used to obtain initial -credentials for client applications. - -Keytabs are named using the format *type*\ ``:``\ *value*. Usually -*type* is ``FILE`` and *value* is the absolute pathname of the file. -Other possible values for *type* are ``SRVTAB``, which indicates a -file in the deprecated Kerberos 4 srvtab format, and ``MEMORY``, which -indicates a temporary keytab stored in the memory of the current -process. - -A keytab contains one or more entries, where each entry consists of a -timestamp (indicating when the entry was written to the keytab), a -principal name, a key version number, an encryption type, and the -encryption key itself. - -A keytab can be displayed using the :ref:`klist(1)` command with the -``-k`` option. Keytabs can be created or appended to by extracting -keys from the KDC database using the :ref:`kadmin(1)` :ref:`ktadd` -command. Keytabs can be manipulated using the :ref:`ktutil(1)` and -:ref:`k5srvutil(1)` commands. - - -Default keytab --------------- - -The default keytab is used by server applications if the application -does not request a specific keytab. The name of the default keytab is -determined by the following, in decreasing order of preference: - -#. The **KRB5_KTNAME** environment variable. - -#. The **default_keytab_name** profile variable in :ref:`libdefaults`. - -#. The hardcoded default, |keytab|. - - -Default client keytab ---------------------- - -The default client keytab is used, if it is present and readable, to -automatically obtain initial credentials for GSSAPI client -applications. The principal name of the first entry in the client -keytab is used by default when obtaining initial credentials. The -name of the default client keytab is determined by the following, in -decreasing order of preference: - -#. The **KRB5_CLIENT_KTNAME** environment variable. - -#. The **default_client_keytab_name** profile variable in - :ref:`libdefaults`. - -#. The hardcoded default, |ckeytab|. diff --git a/doc/html/_sources/basic/rcache_def.txt b/doc/html/_sources/basic/rcache_def.txt deleted file mode 100644 index 2de9533..0000000 --- a/doc/html/_sources/basic/rcache_def.txt +++ /dev/null @@ -1,97 +0,0 @@ -.. _rcache_definition: - -replay cache -============ - -A replay cache (or "rcache") keeps track of all authenticators -recently presented to a service. If a duplicate authentication -request is detected in the replay cache, an error message is sent to -the application program. - -The replay cache interface, like the credential cache and -:ref:`keytab_definition` interfaces, uses `type:value` strings to -indicate the type of replay cache and any associated cache naming -data to use. - -Background information ----------------------- - -Some Kerberos or GSSAPI services use a simple authentication mechanism -where a message is sent containing an authenticator, which establishes -the encryption key that the client will use for talking to the -service. But nothing about that prevents an eavesdropper from -recording the messages sent by the client, establishing a new -connection, and re-sending or "replaying" the same messages; the -replayed authenticator will establish the same encryption key for the -new session, and the following messages will be decrypted and -processed. The attacker may not know what the messages say, and can't -generate new messages under the same encryption key, but in some -instances it may be harmful to the user (or helpful to the attacker) -to cause the server to see the same messages again a second time. For -example, if the legitimate client sends "delete first message in -mailbox", a replay from an attacker may delete another, different -"first" message. (Protocol design to guard against such problems has -been discussed in :rfc:`4120#section-10`.) - -Even if one protocol uses further protection to verify that the client -side of the connection actually knows the encryption keys (and thus is -presumably a legitimate user), if another service uses the same -service principal name, it may be possible to record an authenticator -used with the first protocol and "replay" it against the second. - -The replay cache mitigates these attacks somewhat, by keeping track of -authenticators that have been seen until their five-minute window -expires. Different authenticators generated by multiple connections -from the same legitimate client will generally have different -timestamps, and thus will not be considered the same. - -This mechanism isn't perfect. If a message is sent to one application -server but a man-in-the-middle attacker can prevent it from actually -arriving at that server, the attacker could then use the authenticator -(once!) against a different service on the same host. This could be a -problem if the message from the client included something more than -authentication in the first message that could be useful to the -attacker (which is uncommon; in most protocols the server has to -indicate a successful authentication before the client sends -additional messages), or if the simple act of presenting the -authenticator triggers some interesting action in the service being -attacked. - -Default rcache type -------------------- - -There is currently only one implemented kind of replay cache, called -**dfl**. It stores replay data in one file, occasionally rewriting it -to purge old, expired entries. - -The default type can be overridden by the **KRB5RCACHETYPE** -environment variable. - -The placement of the replay cache file is determined by the following: - -#. The **KRB5RCACHEDIR** environment variable; - -#. If KRB5RCACHEDIR is unspecified, on UNIX, the library - will fall back to the environment variable **TMPDIR**, and then to - a temporary directory determined at configuration time such as - */tmp* or */var/tmp*; on Windows, it will check the environment - variables *TEMP* and *TMP*, and fall back to the directory C:\\. - -Performance issues ------------------- - -Several known minor performance issues that may occur when replay -cache is enabled on the Kerberos system include: delays due to writing -the authenticator data to disk slowing down response time for very -heavily loaded servers, and delays during the rewrite that may be -unacceptable to high-performance services. - -For use cases where replays are adequately defended against for all -protocols using a given service principal name, or where performance -or other considerations outweigh the risk of replays, the special -replay cache type "none" can be specified:: - - KRB5RCACHETYPE=none - -It doesn't record any information about authenticators, and reports -that any authenticator seen is not a replay. diff --git a/doc/html/_sources/basic/stash_file_def.txt b/doc/html/_sources/basic/stash_file_def.txt deleted file mode 100644 index 256e2c2..0000000 --- a/doc/html/_sources/basic/stash_file_def.txt +++ /dev/null @@ -1,25 +0,0 @@ -.. _stash_definition: - - -stash file -============ - -The stash file is a local copy of the master key that resides in -encrypted form on the KDC's local disk. The stash file is used to -authenticate the KDC to itself automatically before starting the -:ref:`kadmind(8)` and :ref:`krb5kdc(8)` daemons (e.g., as part of the -machine's boot sequence). The stash file, like the keytab file (see -:ref:`keytab_file`) is a potential point-of-entry for a break-in, and -if compromised, would allow unrestricted access to the Kerberos -database. If you choose to install a stash file, it should be -readable only by root, and should exist only on the KDC's local disk. -The file should not be part of any backup of the machine, unless -access to the backup data is secured as tightly as access to the -master password itself. - -.. note:: - - If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. - This means that the KDC will not be able to start automatically, such as after a system reboot. - - diff --git a/doc/html/_sources/build/directory_org.txt b/doc/html/_sources/build/directory_org.txt deleted file mode 100644 index f3aeeb5..0000000 --- a/doc/html/_sources/build/directory_org.txt +++ /dev/null @@ -1,75 +0,0 @@ -Organization of the source directory -==================================== - -Below is a brief overview of the organization of the complete source -directory. More detailed descriptions follow. - -=============== ============================================== -appl Kerberos application client and server programs -ccapi Credential cache services -clients Kerberos V5 user programs (See :ref:`user_commands`) -config Configure scripts -config-files Sample Kerberos configuration files -include include files needed to build the Kerberos system -kadmin Administrative interface to the Kerberos master database: :ref:`kadmin(1)`, :ref:`kdb5_util(8)`, :ref:`ktutil(1)`. -kdc Kerberos V5 Authentication Service and Key Distribution Center -lib_ Libraries for use with/by Kerberos V5 -plugins Kerberos plugins directory -po Localization infrastructure -prototype Templates files containing the MIT copyright message and a placeholder for the title and description of the file. -slave Utilities for propagating the database to slave KDCs :ref:`kprop(8)` and :ref:`kpropd(8)` -tests Test suite -util_ Various utilities for building/configuring the code, sending bug reports, etc. -windows Source code for building Kerberos V5 on Windows (see windows/README) -=============== ============================================== - - -.. _lib: - -lib ---- - -The lib directory contain several subdirectories as well as some -definition and glue files. - - - The apputils directory contains the code for the generic network - servicing. - - The crypto subdirectory contains the Kerberos V5 encryption - library. - - The gssapi library contains the Generic Security Services API, - which is a library of commands to be used in secure client-server - communication. - - The kadm5 directory contains the libraries for the KADM5 - administration utilities. - - The Kerberos 5 database libraries are contained in kdb. - - The krb5 directory contains Kerberos 5 API. - - The rpc directory contains the API for the Kerberos Remote - Procedure Call protocol. - - -.. _util: - -util ----- - -The util directory contains several utility programs and libraries. - - the programs used to configure and build the code, such as - autoconf, lndir, kbuild, reconf, and makedepend, are in this - directory. - - the profile directory contains most of the functions which parse - the Kerberos configuration files (krb5.conf and kdc.conf). - - the Kerberos error table library and utilities (et); - - the Sub-system library and utilities (ss); - - database utilities (db2); - - pseudo-terminal utilities (pty); - - bug-reporting program send-pr; - - a generic support library support used by several of our other - libraries; - - the build infrastructure for building lightweight Kerberos client - (collected-client-lib) - - the tool for validating Kerberos configuration files - (confvalidator); - - the toolkit for kernel integrators for building krb5 code subsets - (gss-kernel-lib); - - source code for building Kerberos V5 on MacOS (mac) - - Windows getopt operations (windows) diff --git a/doc/html/_sources/build/doing_build.txt b/doc/html/_sources/build/doing_build.txt deleted file mode 100644 index 25daa52..0000000 --- a/doc/html/_sources/build/doing_build.txt +++ /dev/null @@ -1,158 +0,0 @@ -Doing the build -=============== - -.. _do_build: - -Building within a single tree ------------------------------ - -If you only need to build Kerberos for one platform, using a single -directory tree which contains both the source files and the object -files is the simplest. However, if you need to maintain Kerberos for -a large number of platforms, you will probably want to use separate -build trees for each platform. We recommend that you look at OS -Incompatibilities, for notes that we have on particular operating -systems. - -If you don't want separate build trees for each architecture, then use -the following abbreviated procedure:: - - cd /u1/krb5-VERSION/src - ./configure - make - -That's it! - -Building with separate build directories ----------------------------------------- - -If you wish to keep separate build directories for each platform, you -can do so using the following procedure. (Note, this requires that -your make program support VPATH. GNU's make will provide this -functionality, for example.) If your make program does not support -this, see the next section. - -For example, if you wish to store the binaries in ``tmpbuild`` build -directory you might use the following procedure:: - - mkdir /u1/tmpbuild - cd /u1/tmpbuild - /u1/krb5-VERSION/src/configure - make - - -Building using lndir --------------------- - -If you wish to keep separate build directories for each platform, and -you do not have access to a make program which supports VPATH, all is -not lost. You can use the lndir program to create symbolic link trees -in your build directory. - -For example, if you wish to create a build directory for solaris -binaries you might use the following procedure:: - - mkdir /u1/krb5-VERSION/solaris - cd /u1/krb5-VERSION/solaris - /u1/krb5-VERSION/src/util/lndir `pwd`/../src - ./configure - make - -You must give an absolute pathname to lndir because it has a bug that -makes it fail for relative pathnames. Note that this version differs -from the latest version as distributed and installed by the -XConsortium with X11R6. Either version should be acceptable. - - -Installing the binaries ------------------------ - -Once you have built Kerberos, you should install the binaries. You can -do this by running:: - - make install - -If you want to install the binaries into a destination directory that -is not their final destination, which may be convenient if you want to -build a binary distribution to be deployed on multiple hosts, you may -use:: - - make install DESTDIR=/path/to/destdir - -This will install the binaries under *DESTDIR/PREFIX*, e.g., the user -programs will install into *DESTDIR/PREFIX/bin*, the libraries into -*DESTDIR/PREFIX/lib*, etc. - -Some implementations of make allow multiple commands to be run in -parallel, for faster builds. We test our Makefiles in parallel builds -with GNU make only; they may not be compatible with other parallel -build implementations. - - -Testing the build ------------------ - -The Kerberos V5 distribution comes with built-in regression tests. To -run them, simply type the following command while in the top-level -build directory (i.e., the directory where you sent typed make to -start building Kerberos; see :ref:`do_build`):: - - make check - -However, there are several prerequisites that must be satisfied first: - -* Configure and build Kerberos with Tcl support. Tcl is used to drive - the test suite. This often means passing **-**\ **-with-tcl** to - configure to tell it the location of the Tcl configuration - script. (See :ref:`options2configure`.) -* In addition to Tcl, DejaGnu must be available on the system for some - of the tests to run. The test suite will still run the other tests - if DejaGnu is not present, but the test coverage will be reduced - accordingly. -* On some operating systems, you have to run ``make install`` before - running ``make check``, or the test suite will pick up installed - versions of Kerberos libraries rather than the newly built ones. - You can install into a prefix that isn't in the system library - search path, though. Alternatively, you can configure with - **-**\ **-disable-rpath**, which renders the build tree less suitable for - installation, but allows testing without interference from - previously installed libraries. - -There are additional regression tests available, which are not run -by ``make check``. These tests require manual setup and teardown of -support infrastructure which is not easily automated, or require -excessive resources for ordinary use. The procedure for running -the manual tests is documented at -http://k5wiki.kerberos.org/wiki/Manual_Testing. - - -Cleaning up the build ---------------------- - -* Use ``make clean`` to remove all files generated by running make - command. -* Use ``make distclean`` to remove all files generated by running - ./configure script. After running ``make distclean`` your source - tree (ideally) should look like the raw (just un-tarred) source - tree. - -Using autoconf --------------- - -(If you are not a developer, you can ignore this section.) - -In the Kerberos V5 source directory, there is a configure script which -automatically determines the compilation environment and creates the -proper Makefiles for a particular platform. This configure script is -generated using autoconf, which you should already have installed if -you will be making changes to ``src/configure.in``. - -Normal users will not need to worry about running autoconf; the -distribution comes with the configure script already prebuilt. - -The autoconf package comes with a script called ``autoreconf`` that -will automatically run ``autoconf`` and ``autoheader`` as needed. You -should run ``autoreconf`` from the top source directory, e.g.:: - - cd /u1/krb5-VERSION/src - autoreconf --verbose diff --git a/doc/html/_sources/build/index.txt b/doc/html/_sources/build/index.txt deleted file mode 100644 index 3416817..0000000 --- a/doc/html/_sources/build/index.txt +++ /dev/null @@ -1,63 +0,0 @@ -.. _build_V5: - -Building Kerberos V5 -==================== - -This section details how to build and install MIT Kerberos software -from the source. - -Prerequisites -------------- - -In order to build Kerberos V5, you will need approximately 60-70 -megabytes of disk space. The exact amount will vary depending on the -platform and whether the distribution is compiled with debugging -symbol tables or not. - -Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, "c89"). -Some operating systems do not have an ANSI C compiler, or their -default compiler requires extra command-line options to enable ANSI C -conformance. - -If you wish to keep a separate build tree, which contains the compiled -\*.o file and executables, separate from your source tree, you will -need a make program which supports **VPATH**, or you will need to use -a tool such as lndir to produce a symbolic link tree for your build -tree. - -Obtaining the software ----------------------- - -The source code can be obtained from MIT Kerberos Distribution page, -at http://web.mit.edu/kerberos/dist/index.html. -The MIT Kerberos distribution comes in an archive file, generally -named krb5-VERSION-signed.tar, where *VERSION* is a placeholder for -the major and minor versions of MIT Kerberos. (For example, MIT -Kerberos 1.9 has major version "1" and minor version "9".) - -The krb5-VERSION-signed.tar contains a compressed tar file consisting -of the sources for all of Kerberos (generally named -krb5-VERSION.tar.gz) and a PGP signature file for this source tree -(generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that -you verify the integrity of the source code using this signature, -e.g., by running:: - - tar xf krb5-VERSION-signed.tar - gpg --verify krb5-VERSION.tar.gz.asc - -Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume -that you have chosen the top directory of the distribution the directory -``/u1/krb5-VERSION``. - -Review the README file for the license, copyright and other sprecific to the -distribution information. - -Contents --------- -.. toctree:: - :maxdepth: 1 - - directory_org.rst - doing_build.rst - options2configure.rst - osconf.rst diff --git a/doc/html/_sources/build/options2configure.txt b/doc/html/_sources/build/options2configure.txt deleted file mode 100644 index 0fd0307..0000000 --- a/doc/html/_sources/build/options2configure.txt +++ /dev/null @@ -1,409 +0,0 @@ -.. _options2configure: - -Options to *configure* -====================== - -There are a number of options to configure which you can use to -control how the Kerberos distribution is built. - -Most commonly used options --------------------------- - -**-**\ **-help** - Provides help to configure. This will list the set of commonly - used options for building Kerberos. - -**-**\ **-prefix=**\ *PREFIX* - By default, Kerberos will install the package's files rooted at - ``/usr/local``. If you desire to place the binaries into the - directory *PREFIX*, use this option. - -**-**\ **-exec-prefix=**\ *EXECPREFIX* - This option allows one to separate the architecture independent - programs from the host-dependent files (configuration files, - manual pages). Use this option to install architecture-dependent - programs in *EXECPREFIX*. The default location is the value of - specified by **-**\ **-prefix** option. - -**-**\ **-localstatedir=**\ *LOCALSTATEDIR* - This option sets the directory for locally modifiable - single-machine data. In Kerberos, this mostly is useful for - setting a location for the KDC data files, as they will be - installed in ``LOCALSTATEDIR/krb5kdc``, which is by default - ``PREFIX/var/krb5kdc``. - -**-**\ **-with-netlib**\ [=\ *libs*] - Allows for suppression of or replacement of network libraries. By - default, Kerberos V5 configuration will look for ``-lnsl`` and - ``-lsocket``. If your operating system has a broken resolver - library or fails to pass the tests in ``src/tests/resolv``, you - will need to use this option. - -**-**\ **-with-tcl=**\ *TCLPATH* - Some of the unit-tests in the build tree rely upon using a program - in Tcl. The directory specified by *TCLPATH* specifies where the - Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl - library (TCLPATH/lib) should be found. - -**-**\ **-enable-dns-for-realm** - Enable the use of DNS to look up a host's Kerberos realm, - if the information is not provided in - :ref:`krb5.conf(5)`. See :ref:`mapping_hostnames` - for information about using DNS to determine the default realm. - DNS lookups for realm names are disabled by default. - -**-**\ **-with-system-et** - Use an installed version of the error-table (et) support software, - the compile_et program, the com_err.h header file and the com_err - library. If these are not in the default locations, you may wish - to specify ``CPPFLAGS=-I/some/dir`` and - ``LDFLAGS=-L/some/other/dir`` options at configuration time as - well. - - If this option is not given, a version supplied with the Kerberos - sources will be built and installed along with the rest of the - Kerberos tree, for Kerberos applications to link against. - -**-**\ **-with-system-ss** - Use an installed version of the subsystem command-line interface - software, the mk_cmds program, the ``ss/ss.h`` header file and the - ss library. If these are not in the default locations, you may - wish to specify ``CPPFLAGS=-I/some/dir`` and - ``LDFLAGS=-L/some/other/dir`` options at configuration time as - well. See also the **SS_LIB** option. - - If this option is not given, the ss library supplied with the - Kerberos sources will be compiled and linked into those programs - that need it; it will not be installed separately. - -**-**\ **-with-system-db** - Use an installed version of the Berkeley DB package, which must - provide an API compatible with version 1.85. This option is - unsupported and untested. In particular, we do not know if the - database-rename code used in the dumpfile load operation will - behave properly. - - If this option is not given, a version supplied with the Kerberos - sources will be built and installed. (We are not updating this - version at this time because of licensing issues with newer - versions that we haven't investigated sufficiently yet.) - - -Environment variables ---------------------- - -**CC=**\ *COMPILER* - Use *COMPILER* as the C compiler. - -**CFLAGS=**\ *FLAGS* - Use *FLAGS* as the default set of C compiler flags. - -**CPP=**\ *CPP* - C preprocessor to use. (e.g., ``CPP='gcc -E'``) - -**CPPFLAGS=**\ *CPPOPTS* - Use *CPPOPTS* as the default set of C preprocessor flags. The - most common use of this option is to select certain #define's for - use with the operating system's include files. - - -**DB_HEADER=**\ *headername* - If db.h is not the correct header file to include to compile - against the Berkeley DB 1.85 API, specify the correct header file - name with this option. For example, ``DB_HEADER=db3/db_185.h``. - -**DB_LIB=**\ *libs*... - If ``-ldb`` is not the correct library specification for the - Berkeley DB library version to be used, override it with this - option. For example, ``DB_LIB=-ldb-3.3``. - -**DEFCCNAME=**\ *ccachename* - Override the built-in default credential cache name. - For example, ``DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache`` - See :ref:`parameter_expansion` for information about supported - parameter expansions. - -**DEFCKTNAME=**\ *keytabname* - Override the built-in default client keytab name. - The format is the same as for *DEFCCNAME*. - -**DEFKTNAME=**\ *keytabname* - Override the built-in default keytab name. - The format is the same as for *DEFCCNAME*. - -**LD=**\ *LINKER* - Use *LINKER* as the default loader if it should be different from - C compiler as specified above. - -**LDFLAGS=**\ *LDOPTS* - This option informs the linker where to get additional libraries - (e.g., ``-L``). - -**LIBS=**\ *LDNAME* - This option allows one to specify libraries to be passed to the - linker (e.g., ``-l``) - -**SS_LIB=**\ *libs*... - If ``-lss`` is not the correct way to link in your installed ss - library, for example if additional support libraries are needed, - specify the correct link options here. Some variants of this - library are around which allow for Emacs-like line editing, but - different versions require different support libraries to be - explicitly specified. - - This option is ignored if **-**\ **-with-system-ss** is not specified. - -**YACC** - The 'Yet Another C Compiler' implementation to use. Defaults to - the first program found out of: '`bison -y`', '`byacc`', - '`yacc`'. - -**YFLAGS** - The list of arguments that will be passed by default to $YACC. - This script will default YFLAGS to the empty string to avoid a - default value of ``-d`` given by some make applications. - - -Fine tuning of the installation directories -------------------------------------------- - -**-**\ **-bindir=**\ *DIR* - User executables. Defaults to ``EXECPREFIX/bin``, where - *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** - configuration option. - -**-**\ **-sbindir=**\ *DIR* - System admin executables. Defaults to ``EXECPREFIX/sbin``, where - *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** - configuration option. - -**-**\ **-sysconfdir=**\ *DIR* - Read-only single-machine data such as krb5.conf. - Defaults to ``PREFIX/etc``, where - *PREFIX* is the path specified by **-**\ **-prefix** configuration - option. - -**-**\ **-libdir=**\ *DIR* - Object code libraries. Defaults to ``EXECPREFIX/lib``, where - *EXECPREFIX* is the path specified by **-**\ **-exec-prefix** - configuration option. - -**-**\ **-includedir=**\ *DIR* - C header files. Defaults to ``PREFIX/include``, where *PREFIX* is - the path specified by **-**\ **-prefix** configuration option. - -**-**\ **-datarootdir=**\ *DATAROOTDIR* - Read-only architecture-independent data root. Defaults to - ``PREFIX/share``, where *PREFIX* is the path specified by - **-**\ **-prefix** configuration option. - -**-**\ **-datadir=**\ *DIR* - Read-only architecture-independent data. Defaults to path - specified by **-**\ **-datarootdir** configuration option. - -**-**\ **-localedir=**\ *DIR* - Locale-dependent data. Defaults to ``DATAROOTDIR/locale``, where - *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** - configuration option. - -**-**\ **-mandir=**\ *DIR* - Man documentation. Defaults to ``DATAROOTDIR/man``, where - *DATAROOTDIR* is the path specified by **-**\ **-datarootdir** - configuration option. - - -Program names -------------- - -**-**\ **-program-prefix=**\ *PREFIX* - Prepend *PREFIX* to the names of the programs when installing - them. For example, specifying ``--program-prefix=mit-`` at the - configure time will cause the program named ``abc`` to be - installed as ``mit-abc``. - -**-**\ **-program-suffix=**\ *SUFFIX* - Append *SUFFIX* to the names of the programs when installing them. - For example, specifying ``--program-suffix=-mit`` at the configure - time will cause the program named ``abc`` to be installed as - ``abc-mit``. - -**-**\ **-program-transform-name=**\ *PROGRAM* - Run ``sed -e PROGRAM`` on installed program names. (*PROGRAM* is a - sed script). - - -System types ------------- - -**-**\ **-build=**\ *BUILD* - Configure for building on *BUILD* - (e.g., ``--build=x86_64-linux-gnu``). - -**-**\ **-host=**\ *HOST* - Cross-compile to build programs to run on *HOST* - (e.g., ``--host=x86_64-linux-gnu``). By default, Kerberos V5 - configuration will look for "build" option. - - -Optional features ------------------ - -**-**\ **-disable-option-checking** - Ignore unrecognized --enable/--with options. - -**-**\ **-disable-**\ *FEATURE* - Do not include *FEATURE* (same as --enable-FEATURE=no). - -**-**\ **-enable-**\ *FEATURE*\ [=\ *ARG*] - Include *FEATURE* [ARG=yes]. - -**-**\ **-enable-maintainer-mode** - Enable rebuilding of source files, Makefiles, etc. - -**-**\ **-disable-delayed-initialization** - Initialize library code when loaded. Defaults to delay until - first use. - -**-**\ **-disable-thread-support** - Don't enable thread support. Defaults to enabled. - -**-**\ **-disable-rpath** - Suppress run path flags in link lines. - -**-**\ **-enable-athena** - Build with MIT Project Athena configuration. - -**-**\ **-disable-kdc-lookaside-cache** - Disable the cache which detects client retransmits. - -**-**\ **-disable-pkinit** - Disable PKINIT plugin support. - -**-**\ **-disable-aesni** - Disable support for using AES instructions on x86 platforms. - -**-**\ **-enable-asan**\ [=\ *ARG*] - Enable building with asan memory error checking. If *ARG* is - given, it controls the -fsanitize compilation flag value (the - default is "address"). - - -Optional packages ------------------ - -**-**\ **-with-**\ *PACKAGE*\ [=ARG\] - Use *PACKAGE* (e.g., ``--with-imap``). The default value of *ARG* - is ``yes``. - -**-**\ **-without-**\ *PACKAGE* - Do not use *PACKAGE* (same as ``--with-PACKAGE=no``) - (e.g., ``--without-libedit``). - -**-**\ **-with-size-optimizations** - Enable a few optimizations to reduce code size possibly at some - run-time cost. - -**-**\ **-with-system-et** - Use the com_err library and compile_et utility that are already - installed on the system, instead of building and installing - local versions. - -**-**\ **-with-system-ss** - Use the ss library and mk_cmds utility that are already installed - on the system, instead of building and using private versions. - -**-**\ **-with-system-db** - Use the berkeley db utility already installed on the system, - instead of using a private version. This option is not - recommended; enabling it may result in incompatibility with key - databases originating on other systems. - -**-**\ **-with-netlib=**\ *LIBS* - Use the resolver library specified in *LIBS*. Use this variable - if the C library resolver is insufficient or broken. - -**-**\ **-with-hesiod=**\ *path* - Compile with Hesiod support. The *path* points to the Hesiod - directory. By default Hesiod is unsupported. - -**-**\ **-with-ldap** - Compile OpenLDAP database backend module. - -**-**\ **-with-tcl=**\ *path* - Specifies that *path* is the location of a Tcl installation. - Tcl is needed for some of the tests run by 'make check'; such tests - will be skipped if this option is not set. - -**-**\ **-with-vague-errors** - Do not send helpful errors to client. For example, if the KDC - should return only vague error codes to clients. - -**-**\ **-with-crypto-impl=**\ *IMPL* - Use specified crypto implementation (e.g., **-**\ - **-with-crypto-impl=**\ *openssl*). The default is the native MIT - Kerberos implementation ``builtin``. The other currently - implemented crypto backend is ``openssl``. (See - :ref:`mitK5features`) - -**-**\ **-with-prng-alg=**\ *ALG* - Use specified PRNG algorithm. For example, to use the OS native - prng specify ``--with-prng-alg=os``. The default is ``fortuna``. - (See :ref:`mitK5features`) - -**-**\ **-with-pkinit-crypto-impl=**\ *IMPL* - Use the specified pkinit crypto implementation *IMPL*. - Defaults to using OpenSSL. - -**-**\ **-without-libedit** - Do not compile and link against libedit. Some utilities will no - longer offer command history or completion in interactive mode if - libedit is disabled. - -**-**\ **-with-readline** - Compile and link against GNU readline, as an alternative to libedit. - Building with readline breaks the dejagnu test suite, which is a - subset of the tests run by 'make check'. - -**-**\ **-with-system-verto** - Use an installed version of libverto. If the libverto header and - library are not in default locations, you may wish to specify - ``CPPFLAGS=-I/some/dir`` and ``LDFLAGS=-L/some/other/dir`` options - at configuration time as well. - - If this option is not given, the build system will try to detect - an installed version of libverto and use it if it is found. - Otherwise, a version supplied with the Kerberos sources will be - built and installed. The built-in version does not contain the - full set of back-end modules and is not a suitable general - replacement for the upstream version, but will work for the - purposes of Kerberos. - - Specifying **-**\ **-without-system-verto** will cause the built-in - version of libverto to be used unconditionally. - -**-**\ **-with-krb5-config=**\ *PATH* - Use the krb5-config program at *PATH* to obtain the build-time - default credential cache, keytab, and client keytab names. The - default is to use ``krb5-config`` from the program path. Specify - ``--without-krb5-config`` to disable the use of krb5-config and - use the usual built-in defaults. - - -Examples --------- - -For example, in order to configure Kerberos on a Solaris machine using -the suncc compiler with the optimizer turned on, run the configure -script with the following options:: - - % ./configure CC=suncc CFLAGS=-O - -For a slightly more complicated example, consider a system where -several packages to be used by Kerberos are installed in -``/usr/foobar``, including Berkeley DB 3.3, and an ss library that -needs to link against the curses library. The configuration of -Kerberos might be done thus:: - - ./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \ - --with-system-et --with-system-ss --with-system-db \ - SS_LIB='-lss -lcurses' DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3 diff --git a/doc/html/_sources/build/osconf.txt b/doc/html/_sources/build/osconf.txt deleted file mode 100644 index 22ee680..0000000 --- a/doc/html/_sources/build/osconf.txt +++ /dev/null @@ -1,26 +0,0 @@ -osconf.hin -========== - -There is one configuration file which you may wish to edit to control -various compile-time parameters in the Kerberos distribution:: - - include/osconf.hin - -The list that follows is by no means complete, just some of the more -interesting variables. - -**DEFAULT_PROFILE_PATH** - The pathname to the file which contains the profiles for the known - realms, their KDCs, etc. The default value is |krb5conf|. -**DEFAULT_KEYTAB_NAME** - The type and pathname to the default server keytab file. The - default is |keytab|. -**DEFAULT_KDC_ENCTYPE** - The default encryption type for the KDC database master key. The - default value is |defmkey|. -**RCTMPDIR** - The directory which stores replay caches. The default is - ``/var/tmp``. -**DEFAULT_KDB_FILE** - The location of the default database. The default value is - |kdcdir|\ ``/principal``. diff --git a/doc/html/_sources/build_this.txt b/doc/html/_sources/build_this.txt deleted file mode 100644 index e515df9..0000000 --- a/doc/html/_sources/build_this.txt +++ /dev/null @@ -1,82 +0,0 @@ -How to build this documentation from the source -=============================================== - -Pre-requisites for a simple build, or to update man pages: - -* Sphinx 1.0.4 or higher (See http://sphinx.pocoo.org) with the autodoc - extension installed. - -Additional prerequisites to include the API reference based on Doxygen -markup: - -* Python 2.5 with the Cheetah, lxml, and xml modules -* Doxygen - - -Simple build without API reference ----------------------------------- - -To test simple changes to the RST sources, you can build the -documentation without the Doxygen reference by running, from the doc -directory:: - - sphinx-build . test_html - -You will see a number of warnings about missing files. This is -expected. If there is not already a ``doc/version.py`` file, you will -need to create one by first running ``make version.py`` in the -``src/doc`` directory of a configured build tree. - - -Updating man pages ------------------- - -Man pages are generated from the RST sources and checked into the -``src/man`` directory of the repository. This allows man pages to be -installed without requiring Sphinx when using a source checkout. To -regenerate these files, run ``make man`` from the man subdirectory -of a configured build tree. You can also do this from an unconfigured -source tree with:: - - cd src/man - make -f Makefile.in top_srcdir=.. srcdir=. man - make clean - -As with the simple build, it is normal to see warnings about missing -files when rebuilding the man pages. - - -Building for a release tarball or web site ------------------------------------------- - -To generate documentation in HTML format, run ``make html`` in the -``doc`` subdirectory of a configured build tree (the build directory -corresponding to ``src/doc``, not the top-level ``doc`` directory). -The output will be placed in the top-level ``doc/html`` directory. -This build will include the API reference generated from Doxygen -markup in the source tree. - -Documentation generated this way will use symbolic names for paths -(like ``BINDIR`` for the directory containing user programs), with the -symbolic names being links to a table showing typical values for those -paths. - -You can also do this from an unconfigured source tree with:: - - cd src/doc - make -f Makefile.in SPHINX_ARGS= htmlsrc - - -Building for an OS package or site documentation ------------------------------------------------- - -To generate documentation specific to a build of MIT krb5 as you have -configured it, run ``make substhtml`` in the ``doc`` subdirectory of a -configured build tree (the build directory corresponding to -``src/doc``, not the top-level ``doc`` directory). The output will be -placed in the ``html_subst`` subdirectory of that build directory. -This build will include the API reference. - -Documentation generated this way will use concrete paths (like -``/usr/local/bin`` for the directory containing user programs, for a -default custom build). diff --git a/doc/html/_sources/copyright.txt b/doc/html/_sources/copyright.txt deleted file mode 100644 index 40e5d23..0000000 --- a/doc/html/_sources/copyright.txt +++ /dev/null @@ -1,8 +0,0 @@ -Copyright -========= - -Copyright |copy| 1985-2017 by the Massachusetts Institute of -Technology and its contributors. All rights reserved. - -See :ref:`mitK5license` for additional copyright and license -information. diff --git a/doc/html/_sources/formats/ccache_file_format.txt b/doc/html/_sources/formats/ccache_file_format.txt deleted file mode 100644 index 6349e0d..0000000 --- a/doc/html/_sources/formats/ccache_file_format.txt +++ /dev/null @@ -1,176 +0,0 @@ -.. _ccache_file_format: - -Credential cache file format -============================ - -There are four versions of the file format used by the FILE credential -cache type. The first byte of the file always has the value 5, and -the value of the second byte contains the version number (1 through -4). Versions 1 and 2 of the file format use native byte order for integer -representations. Versions 3 and 4 always use big-endian byte order. - -After the two-byte version indicator, the file has three parts: the -header (in version 4 only), the default principal name, and a sequence -of credentials. - - -Header format -------------- - -The header appears only in format version 4. It begins with a 16-bit -integer giving the length of the entire header, followed by a sequence -of fields. Each field consists of a 16-bit tag, a 16-bit length, and -a value of the given length. A file format implementation should -ignore fields with unknown tags. - -At this time there is only one defined header field. Its tag value is -1, its length is always 8, and its contents are two 32-bit integers -giving the seconds and microseconds of the time offset of the KDC -relative to the client. Adding this offset to the current time on the -client should give the current time on the KDC, if that offset has not -changed since the initial authentication. - - -.. _cache_principal_format: - -Principal format ----------------- - -The default principal is marshalled using the following informal -grammar:: - - principal ::= - name type (32 bits) [omitted in version 1] - count of components (32 bits) [includes realm in version 1] - realm (data) - component1 (data) - component2 (data) - ... - - data ::= - length (32 bits) - value (length bytes) - -There is no external framing on the default principal, so it must be -parsed according to the above grammar in order to find the sequence of -credentials which follows. - - -.. _ccache_credential_format: - -Credential format ------------------ - -The credential format uses the following informal grammar (referencing -the ``principal`` and ``data`` types from the previous section):: - - credential ::= - client (principal) - server (principal) - keyblock (keyblock) - authtime (32 bits) - starttime (32 bits) - endtime (32 bits) - renew_till (32 bits) - is_skey (1 byte, 0 or 1) - ticket_flags (32 bits) - addresses (addresses) - authdata (authdata) - ticket (data) - second_ticket (data) - - keyblock ::= - enctype (16 bits) [repeated twice in version 3] - data - - addresses ::= - count (32 bits) - address1 - address2 - ... - - address ::= - addrtype (16 bits) - data - - authdata ::= - count (32 bits) - authdata1 - authdata2 - ... - - authdata ::= - ad_type (16 bits) - data - -There is no external framing on a marshalled credential, so it must be -parsed according to the above grammar in order to find the next -credential. There is also no count of credentials or marker at the -end of the sequence of credentials; the sequence ends when the file -ends. - - -Credential cache configuration entries --------------------------------------- - -Configuration entries are encoded as credential entries. The client -principal of the entry is the default principal of the cache. The -server principal has the realm ``X-CACHECONF:`` and two or three -components, the first of which is ``krb5_ccache_conf_data``. The -server principal's second component is the configuration key. The -third component, if it exists, is a principal to which the -configuration key is associated. The configuration value is stored in -the ticket field of the entry. All other entry fields are zeroed. - -Programs using credential caches must be aware of configuration -entries for several reasons: - -* A program which displays the contents of a cache should not - generally display configuration entries. - -* The ticket field of a configuration entry is not (usually) a valid - encoding of a Kerberos ticket. An implementation must not treat the - cache file as malformed if it cannot decode the ticket field. - -* Configuration entries have an endtime field of 0 and might therefore - always be considered expired, but they should not be treated as - unimportant as a result. For instance, a program which copies - credentials from one cache to another should not omit configuration - entries because of the endtime. - -The following configuration keys are currently used in MIT krb5: - -fast_avail - The presence of this key with a non-empty value indicates that the - KDC asserted support for FAST (see :rfc:`6113`) during the initial - authentication, using the negotiation method described in - :rfc:`6806` section 11. This key is not associated with any - principal. - -pa_config_data - The value of this key contains a JSON object representation of - parameters remembered by the preauthentication mechanism used - during the initial authentication. These parameters may be used - when refreshing credentials. This key is associated with the - server principal of the initial authentication (usually the local - krbtgt principal of the client realm). - -pa_type - The value of this key is the ASCII decimal representation of the - preauth type number used during the initial authentication. This - key is associated with the server principal of the initial - authentication. - -proxy_impersonator - The presence of this key indicates that the cache is a synthetic - delegated credential for use with S4U2Proxy. The value is the - name of the intermediate service whose TGT can be used to make - S4U2Proxy requests for target services. This key is not - associated with any principal. - -refresh_time - The presence of this key indicates that the cache was acquired by - the GSS mechanism using a client keytab. The value is the ASCII - decimal representation of a timestamp at which the GSS mechanism - should attempt to refresh the credential cache from the client - keytab. diff --git a/doc/html/_sources/formats/cookie.txt b/doc/html/_sources/formats/cookie.txt deleted file mode 100644 index 640955c..0000000 --- a/doc/html/_sources/formats/cookie.txt +++ /dev/null @@ -1,60 +0,0 @@ -KDC cookie format -================= - -:rfc:`6113` section 5.2 specifies a pa-data type PA-FX-COOKIE, which -clients are required to reflect back to the KDC during -pre-authentication. The MIT krb5 KDC uses the following formats for -cookies. - - -Trivial cookie (version 0) --------------------------- - -If there is no pre-authentication mechanism state information to save, -a trivial cookie containing the value "MIT" is used. A trivial cookie -is needed to indicate that the conversation can continue. - - -Secure cookie (version 1) -------------------------- - -In release 1.14 and later, a secure cookie can be sent if there is any -mechanism state to save for the next request. A secure cookie -contains the concatenation of the following: - -* the four bytes "MIT1" -* a four-byte big-endian kvno value -* an :rfc:`3961` ciphertext - -The ciphertext is encrypted in the cookie key with key usage -number 513. The cookie key is derived from a key in the local krbtgt -principal entry for the realm (e.g. ``krbtgt/KRBTEST.COM@KRBTEST.COM`` -if the request is to the ``KRBTEST.COM`` realm). The first krbtgt key -for the indicated kvno value is combined with the client principal as -follows:: - - cookie-key <- random-to-key(PRF+(tgt-key, "COOKIE" | client-princ)) - -where **random-to-key** is the :rfc:`3961` random-to-key operation for -the krbtgt key's encryption type, **PRF+** is defined in :rfc:`6113`, -and ``|`` denotes concatenation. *client-princ* is the request client -principal name with realm, marshalled according to :rfc:`1964` section -2.1.1. - -The plain text of the encrypted part of a cookie is the DER encoding -of the following ASN.1 type:: - - SecureCookie ::= SEQUENCE { - time INTEGER, - data SEQUENCE OF PA-DATA, - ... - } - -The time field represents the cookie creation time; for brevity, it is -encoded as an integer giving the POSIX timestamp rather than as an -ASN.1 GeneralizedTime value. The data field contains one element for -each pre-authentication type which requires saved state. For -mechanisms which have separate request and reply types, the request -type is used; this allows the KDC to determine whether a cookie is -relevant to a request by comparing the request pa-data types to the -cookie data types. diff --git a/doc/html/_sources/formats/index.txt b/doc/html/_sources/formats/index.txt deleted file mode 100644 index 8b30626..0000000 --- a/doc/html/_sources/formats/index.txt +++ /dev/null @@ -1,9 +0,0 @@ -Protocols and file formats -========================== - -.. toctree:: - :maxdepth: 1 - - ccache_file_format - keytab_file_format - cookie diff --git a/doc/html/_sources/formats/keytab_file_format.txt b/doc/html/_sources/formats/keytab_file_format.txt deleted file mode 100644 index 8424d05..0000000 --- a/doc/html/_sources/formats/keytab_file_format.txt +++ /dev/null @@ -1,51 +0,0 @@ -.. _keytab_file_format: - -Keytab file format -================== - -There are two versions of the file format used by the FILE keytab -type. The first byte of the file always has the value 5, and the -value of the second byte contains the version number (1 or 2). -Version 1 of the file format uses native byte order for integer -representations. Version 2 always uses big-endian byte order. - -After the two-byte version indicator, the file contains a sequence of -signed 32-bit record lengths followed by key records or holes. A -positive record length indicates a valid key entry whose size is equal -to or less than the record length. A negative length indicates a -zero-filled hole whose size is the inverse of the length. A length of -0 indicates the end of the file. - - -Key entry format ----------------- - -A key entry may be smaller in size than the record length which -precedes it, because it may have replaced a hole which is larger than -the key entry. Key entries use the following informal grammar:: - - entry ::= - principal - timestamp (32 bits) - key version (8 bits) - enctype (16 bits) - key length (16 bits) - key contents - key version (32 bits) [in release 1.14 and later] - - principal ::= - count of components (16 bits) [includes realm in version 1] - realm (data) - component1 (data) - component2 (data) - ... - name type (32 bits) [omitted in version 1] - - data ::= - length (16 bits) - value (length bytes) - -The 32-bit key version overrides the 8-bit key version. To determine -if it is present, the implementation must check that at least 4 bytes -remain in the record after the other fields are read, and that the -value of the 32-bit integer contained in those bytes is non-zero. diff --git a/doc/html/_sources/index.txt b/doc/html/_sources/index.txt deleted file mode 100644 index 543a9d1..0000000 --- a/doc/html/_sources/index.txt +++ /dev/null @@ -1,18 +0,0 @@ -MIT Kerberos Documentation (|release|) -====================================== - - -.. toctree:: - :maxdepth: 1 - - user/index.rst - admin/index.rst - appdev/index.rst - plugindev/index.rst - build/index.rst - basic/index.rst - formats/index.rst - mitK5features.rst - build_this.rst - about.rst - resources diff --git a/doc/html/_sources/mitK5defaults.txt b/doc/html/_sources/mitK5defaults.txt deleted file mode 100644 index 443bcc5..0000000 --- a/doc/html/_sources/mitK5defaults.txt +++ /dev/null @@ -1,77 +0,0 @@ -.. _mitK5defaults: - -MIT Kerberos defaults -===================== - -General defaults ----------------- - -========================================== ============================= ==================== -Description Default Environment -========================================== ============================= ==================== -:ref:`keytab_definition` file |keytab| **KRB5_KTNAME** -Client :ref:`keytab_definition` file |ckeytab| **KRB5_CLIENT_KTNAME** -Kerberos config file :ref:`krb5.conf(5)` |krb5conf|\ ``:``\ **KRB5_CONFIG** - |sysconfdir|\ ``/krb5.conf`` -KDC config file :ref:`kdc.conf(5)` |kdcdir|\ ``/kdc.conf`` **KRB5_KDC_PROFILE** -KDC database path (DB2) |kdcdir|\ ``/principal`` -Master key :ref:`stash_definition` |kdcdir|\ ``/.k5.``\ *realm* -Admin server ACL file :ref:`kadm5.acl(5)` |kdcdir|\ ``/kadm5.acl`` -OTP socket directory |kdcrundir| -Plugin base directory |libdir|\ ``/krb5/plugins`` -:ref:`rcache_definition` directory ``/var/tmp`` **KRB5RCACHEDIR** -Master key default enctype |defmkey| -Default :ref:`keysalt list` |defkeysalts| -Permitted enctypes |defetypes| -KDC default port 88 -Admin server port 749 -Password change port 464 -========================================== ============================= ==================== - - -Slave KDC propagation defaults ------------------------------- - -This table shows defaults used by the :ref:`kprop(8)` and -:ref:`kpropd(8)` programs. - -========================== ============================== =========== -Description Default Environment -========================== ============================== =========== -kprop database dump file |kdcdir|\ ``/slave_datatrans`` -kpropd temporary dump file |kdcdir|\ ``/from_master`` -kdb5_util location |sbindir|\ ``/kdb5_util`` -kprop location |sbindir|\ ``/kprop`` -kpropd ACL file |kdcdir|\ ``/kpropd.acl`` -kprop port 754 KPROP_PORT -========================== ============================== =========== - - -.. _paths: - -Default paths for Unix-like systems ------------------------------------ - -On Unix-like systems, some paths used by MIT krb5 depend on parameters -chosen at build time. For a custom build, these paths default to -subdirectories of ``/usr/local``. When MIT krb5 is integrated into an -operating system, the paths are generally chosen to match the -operating system's filesystem layout. - -========================== ============= =========================== =========================== -Description Symbolic name Custom build path Typical OS path -========================== ============= =========================== =========================== -User programs BINDIR ``/usr/local/bin`` ``/usr/bin`` -Libraries and plugins LIBDIR ``/usr/local/lib`` ``/usr/lib`` -Parent of KDC state dir LOCALSTATEDIR ``/usr/local/var`` ``/var`` -Parent of KDC runtime dir RUNSTATEDIR ``/usr/local/var/run`` ``/run`` -Administrative programs SBINDIR ``/usr/local/sbin`` ``/usr/sbin`` -Alternate krb5.conf dir SYSCONFDIR ``/usr/local/etc`` ``/etc`` -Default ccache name DEFCCNAME ``FILE:/tmp/krb5cc_%{uid}`` ``FILE:/tmp/krb5cc_%{uid}`` -Default keytab name DEFKTNAME ``FILE:/etc/krb5.keytab`` ``FILE:/etc/krb5.keytab`` -========================== ============= =========================== =========================== - -The default client keytab name (DEFCKTNAME) typically defaults to -``FILE:/usr/local/var/krb5/user/%{euid}/client.keytab`` for a custom -build. A native build will typically use a path which will vary -according to the operating system's layout of ``/var``. diff --git a/doc/html/_sources/mitK5features.txt b/doc/html/_sources/mitK5features.txt deleted file mode 100644 index b4e4b8b..0000000 --- a/doc/html/_sources/mitK5features.txt +++ /dev/null @@ -1,329 +0,0 @@ -.. highlight:: rst - -.. toctree:: - :hidden: - - mitK5license.rst - -.. _mitK5features: - -MIT Kerberos features -===================== - -http://web.mit.edu/kerberos - - -Quick facts ------------ - -License - :ref:`mitK5license` - -Releases: - - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/ - - Supported: http://web.mit.edu/kerberos/krb5-1.14/ - - Release cycle: 9 -- 12 months - -Supported platforms \/ OS distributions: - - Windows (KfW 4.0): Windows 7, Vista, XP - - Solaris: SPARC, x86_64/x86 - - GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86 - - BSD: NetBSD x86_64/x86 - -Crypto backends: - - builtin - MIT Kerberos native crypto library - - OpenSSL (1.0\+) - http://www.openssl.org - -Database backends: LDAP, DB2 - -krb4 support: Kerberos 5 release < 1.8 - -DES support: configurable (See :ref:`retiring-des`) - -Interoperability ----------------- - -`Microsoft` - -Starting from release 1.7: - -* Follow client principal referrals in the client library when - obtaining initial tickets. - -* KDC can issue realm referrals for service principals based on domain names. - -* Extensions supporting DCE RPC, including three-leg GSS context setup - and unencapsulated GSS tokens inside SPNEGO. - -* Microsoft GSS_WrapEX, implemented using the gss_iov API, which is - similar to the equivalent SSPI functionality. This is needed to - support some instances of DCE RPC. - -* NTLM recognition support in GSS-API, to facilitate dropping in an - NTLM implementation for improved compatibility with older releases - of Microsoft Windows. - -* KDC support for principal aliases, if the back end supports them. - Currently, only the LDAP back end supports aliases. - -* Support Microsoft set/change password (:rfc:`3244`) protocol in - kadmind. - -* Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which - allows a GSS application to request credential delegation only if - permitted by KDC policy. - - -Starting from release 1.8: - -* Microsoft Services for User (S4U) compatibility - - -`Heimdal` - -* Support for KCM credential cache starting from release 1.13 - -Feature list ------------- - -For more information on the specific project see http://k5wiki.kerberos.org/wiki/Projects - -Release 1.7 - - Credentials delegation :rfc:`5896` - - Cross-realm authentication and referrals :rfc:`6806` - - Master key migration - - PKINIT :rfc:`4556` :ref:`pkinit` - -Release 1.8 - - Anonymous PKINIT :rfc:`6112` :ref:`anonymous_pkinit` - - Constrained delegation - - IAKERB http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 - - Heimdal bridge plugin for KDC backend - - GSS-API S4U extensions http://msdn.microsoft.com/en-us/library/cc246071 - - GSS-API naming extensions :rfc:`6680` - - GSS-API extensions for storing delegated credentials :rfc:`5588` - -Release 1.9 - - Advance warning on password expiry - - Camellia encryption (CTS-CMAC mode) :rfc:`6803` - - KDC support for SecurID preauthentication - - kadmin over IPv6 - - Trace logging :ref:`trace_logging` - - GSSAPI/KRB5 multi-realm support - - Plugin to test password quality :ref:`pwqual_plugin` - - Plugin to synchronize password changes :ref:`kadm5_hook_plugin` - - Parallel KDC - - GSS-API extentions for SASL GS2 bridge :rfc:`5801` :rfc:`5587` - - Purging old keys - - Naming extensions for delegation chain - - Password expiration API - - Windows client support (build-only) - - IPv6 support in iprop - -Release 1.10 - - Plugin interface for configuration :ref:`profile_plugin` - - Credentials for multiple identities :ref:`ccselect_plugin` - -Release 1.11 - - Client support for FAST OTP :rfc:`6560` - - GSS-API extensions for credential locations - - Responder mechanism - -Release 1.12 - - Plugin to control krb5_aname_to_localname and krb5_kuserok behavior :ref:`localauth_plugin` - - Plugin to control hostname-to-realm mappings and the default realm :ref:`hostrealm_plugin` - - GSSAPI extensions for constructing MIC tokens using IOV lists :ref:`gssapi_mic_token` - - Principal may refer to nonexistent policies `Policy Refcount project `_ - - Support for having no long-term keys for a principal `Principals Without Keys project `_ - - Collection support to the KEYRING credential cache type on Linux :ref:`ccache_definition` - - FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values :ref:`otp_preauth` - - Experimental Audit plugin for KDC processing `Audit project `_ - -Release 1.13 - - - Add support for accessing KDCs via an HTTPS proxy server using - the `MS-KKDCP - `_ - protocol. - - Add support for `hierarchical incremental propagation - `_, - where slaves can act as intermediates between an upstream master - and other downstream slaves. - - Add support for configuring GSS mechanisms using - ``/etc/gss/mech.d/*.conf`` files in addition to - ``/etc/gss/mech``. - - Add support to the LDAP KDB module for `binding to the LDAP - server using SASL - `_. - - The KDC listens for TCP connections by default. - - Fix a minor key disclosure vulnerability where using the - "keepold" option to the kadmin randkey operation could return the - old keys. `[CVE-2014-5351] - `_ - - Add client support for the Kerberos Cache Manager protocol. If - the host is running a Heimdal kcm daemon, caches served by the - daemon can be accessed with the KCM: cache type. - - When built on OS X 10.7 and higher, use "KCM:" as the default - cachetype, unless overridden by command-line options or - krb5-config values. - - Add support for doing unlocked database dumps for the DB2 KDC - back end, which would allow the KDC and kadmind to continue - accessing the database during lengthy database dumps. - -Release 1.14 - - * Administrator experience - - - Add a new kdb5_util tabdump command to provide reporting-friendly - tabular dump formats (tab-separated or CSV) for the KDC database. - Unlike the normal dump format, each output table has a fixed number - of fields. Some tables include human-readable forms of data that - are opaque in ordinary dump files. This format is also suitable for - importing into relational databases for complex queries. - - Add support to kadmin and kadmin.local for specifying a single - command line following any global options, where the command - arguments are split by the shell--for example, "kadmin getprinc - principalname". Commands issued this way do not prompt for - confirmation or display warning messages, and exit with non-zero - status if the operation fails. - - Accept the same principal flag names in kadmin as we do for the - default_principal_flags kdc.conf variable, and vice versa. Also - accept flag specifiers in the form that kadmin prints, as well as - hexadecimal numbers. - - Remove the triple-DES and RC4 encryption types from the default - value of supported_enctypes, which determines the default key and - salt types for new password-derived keys. By default, keys will - only created only for AES128 and AES256. This mitigates some types - of password guessing attacks. - - Add support for directory names in the KRB5_CONFIG and - KRB5_KDC_PROFILE environment variables. - - Add support for authentication indicators, which are ticket - annotations to indicate the strength of the initial authentication. - Add support for the "require_auth" string attribute, which can be - set on server principal entries to require an indicator when - authenticating to the server. - - Add support for key version numbers larger than 255 in keytab files, - and for version numbers up to 65535 in KDC databases. - - Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC - during pre-authentication, corresponding to the client's most - preferred encryption type. - - Add support for server name identification (SNI) when proxying KDC - requests over HTTPS. - - Add support for the err_fmt profile parameter, which can be used to - generate custom-formatted error messages. - - * Developer experience: - - - Change gss_acquire_cred_with_password() to acquire credentials into - a private memory credential cache. Applications can use - gss_store_cred() to make the resulting credentials visible to other - processes. - - Change gss_acquire_cred() and SPNEGO not to acquire credentials for - IAKERB or for non-standard variants of the krb5 mechanism OID unless - explicitly requested. (SPNEGO will still accept the Microsoft - variant of the krb5 mechanism OID during negotiation.) - - Change gss_accept_sec_context() not to accept tokens for IAKERB or - for non-standard variants of the krb5 mechanism OID unless an - acceptor credential is acquired for those mechanisms. - - Change gss_acquire_cred() to immediately resolve credentials if the - time_rec parameter is not NULL, so that a correct expiration time - can be returned. Normally credential resolution is delayed until - the target name is known. - - Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, - which can be used by plugin modules or applications to add prefixes - to existing detailed error messages. - - Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which - implement the RFC 6113 PRF+ operation and key derivation using PRF+. - - Add support for pre-authentication mechanisms which use multiple - round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error - code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth - interface; these callbacks can be used to save marshalled state - information in an encrypted cookie for the next request. - - Add a client_key() callback to the kdcpreauth interface to retrieve - the chosen client key, corresponding to the ETYPE-INFO2 entry sent - by the KDC. - - Add an add_auth_indicator() callback to the kdcpreauth interface, - allowing pre-authentication modules to assert authentication - indicators. - - Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to - suppress sending the confidentiality and integrity flags in GSS - initiator tokens unless they are requested by the caller. These - flags control the negotiated SASL security layer for the Microsoft - GSS-SPNEGO SASL mechanism. - - Make the FILE credential cache implementation less prone to - corruption issues in multi-threaded programs, especially on - platforms with support for open file description locks. - - * Performance: - - - On slave KDCs, poll the master KDC immediately after processing a - full resync, and do not require two full resyncs after the master - KDC's log file is reset. - -Release 1.15 - -* Administrator experience: - - - Add support to kadmin for remote extraction of current keys - without changing them (requires a special kadmin permission that - is excluded from the wildcard permission), with the exception of - highly protected keys. - - - Add a lockdown_keys principal attribute to prevent retrieval of - the principal's keys (old or new) via the kadmin protocol. In - newly created databases, this attribute is set on the krbtgt and - kadmin principals. - - - Restore recursive dump capability for DB2 back end, so sites can - more easily recover from database corruption resulting from power - failure events. - - - Add DNS auto-discovery of KDC and kpasswd servers from URI - records, in addition to SRV records. URI records can convey TCP - and UDP servers and master KDC status in a single DNS lookup, and - can also point to HTTPS proxy servers. - - - Add support for password history to the LDAP back end. - - - Add support for principal renaming to the LDAP back end. - - - Use the getrandom system call on supported Linux kernels to avoid - blocking problems when getting entropy from the operating system. - -* Code quality: - - - Clean up numerous compilation warnings. - - - Remove various infrequently built modules, including some preauth - modules that were not built by default. - -* Developer experience: - - - Add support for building with OpenSSL 1.1. - - - Use SHA-256 instead of MD5 for (non-cryptographic) hashing of - authenticators in the replay cache. This helps sites that must - build with FIPS 140 conformant libraries that lack MD5. - -* Protocol evolution: - - - Add support for the AES-SHA2 enctypes, which allows sites to - conform to Suite B crypto requirements. - -`Pre-authentication mechanisms` - -- PW-SALT :rfc:`4120#section-5.2.7.3` -- ENC-TIMESTAMP :rfc:`4120#section-5.2.7.2` -- SAM-2 -- FAST negotiation framework (release 1.8) :rfc:`6113` -- PKINIT with FAST on client (release 1.10) :rfc:`6113` -- PKINIT :rfc:`4556` -- FX-COOKIE :rfc:`6113#section-5.2` -- S4U-X509-USER (release 1.8) http://msdn.microsoft.com/en-us/library/cc246091 -- OTP (release 1.12) :ref:`otp_preauth` - -`PRNG` - -- modularity (release 1.9) -- Yarrow PRNG (release < 1.10) -- Fortuna PRNG (release 1.9) http://www.schneier.com/book-practical.html -- OS PRNG (release 1.10) OS's native PRNG diff --git a/doc/html/_sources/mitK5license.txt b/doc/html/_sources/mitK5license.txt deleted file mode 100644 index e23edbf..0000000 --- a/doc/html/_sources/mitK5license.txt +++ /dev/null @@ -1,11 +0,0 @@ -.. _mitK5license: - -MIT Kerberos License information -================================ - -.. toctree:: - :hidden: - - copyright.rst - -.. include:: notice.rst diff --git a/doc/html/_sources/plugindev/ccselect.txt b/doc/html/_sources/plugindev/ccselect.txt deleted file mode 100644 index 1253fe6..0000000 --- a/doc/html/_sources/plugindev/ccselect.txt +++ /dev/null @@ -1,28 +0,0 @@ -.. _ccselect_plugin: - -Credential cache selection interface (ccselect) -=============================================== - -The ccselect interface allows modules to control how credential caches -are chosen when a GSSAPI client contacts a service. For a detailed -description of the ccselect interface, see the header file -````. - -The primary ccselect method is **choose**, which accepts a server -principal as input and returns a ccache and/or principal name as -output. A module can use the krb5_cccol APIs to iterate over the -cache collection in order to find an appropriate ccache to use. - -.. TODO: add reference to the admin guide for ccaches and cache - collections when we have appropriate sections. - -A module can create and destroy per-library-context state objects by -implementing the **init** and **fini** methods. State objects have -the type krb5_ccselect_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. - -A module can have one of two priorities, "authoritative" or -"heuristic". Results from authoritative modules, if any are -available, will take priority over results from heuristic modules. A -module communicates its priority as a result of the **init** method. diff --git a/doc/html/_sources/plugindev/clpreauth.txt b/doc/html/_sources/plugindev/clpreauth.txt deleted file mode 100644 index 38aa52e..0000000 --- a/doc/html/_sources/plugindev/clpreauth.txt +++ /dev/null @@ -1,54 +0,0 @@ -Client preauthentication interface (clpreauth) -============================================== - -During an initial ticket request, a KDC may ask a client to prove its -knowledge of the password before issuing an encrypted ticket, or to -use credentials other than a password. This process is called -preauthentication, and is described in :rfc:`4120` and :rfc:`6113`. -The clpreauth interface allows the addition of client support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the clpreauth -interface, see the header file ```` (or -```` before release 1.12). - -A clpreauth module is generally responsible for: - -* Supplying a list of preauth type numbers used by the module in the - **pa_type_list** field of the vtable structure. - -* Indicating what kind of preauthentication mechanism it implements, - with the **flags** method. In the most common case, this method - just returns ``PA_REAL``, indicating that it implements a normal - preauthentication type. - -* Examining the padata information included in a PREAUTH_REQUIRED or - MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the - next AS request. This is done with the **process** method. - -* Examining the padata information included in a successful ticket - reply, possibly verifying the KDC identity and computing a reply - key. This is also done with the **process** method. - -* For preauthentication types which support it, recovering from errors - by examining the error data from the KDC and producing a padata - value for another AS request. This is done with the **tryagain** - method. - -* Receiving option information (supplied by ``kinit -X`` or by an - application), with the **gic_opts** method. - -A clpreauth module can create and destroy per-library-context and -per-request state objects by implementing the **init**, **fini**, -**request_init**, and **request_fini** methods. Per-context state -objects have the type krb5_clpreauth_moddata, and per-request state -objects have the type krb5_clpreauth_modreq. These are abstract -pointer types; a module should typically cast these to internal -types for the state objects. - -The **process** and **tryagain** methods have access to a callback -function and handle (called a "rock") which can be used to get -additional information about the current request, including the -expected enctype of the AS reply, the FAST armor key, and the client -long-term key (prompting for the user password if necessary). A -callback can also be used to replace the AS reply key if the -preauthentication mechanism computes one. diff --git a/doc/html/_sources/plugindev/general.txt b/doc/html/_sources/plugindev/general.txt deleted file mode 100644 index dff6807..0000000 --- a/doc/html/_sources/plugindev/general.txt +++ /dev/null @@ -1,98 +0,0 @@ -General plugin concepts -======================= - -A krb5 dynamic plugin module is a Unix shared object or Windows DLL. -Typically, the source code for a dynamic plugin module should live in -its own project with a build system using automake_ and libtool_, or -tools with similar functionality. - -A plugin module must define a specific symbol name, which depends on -the pluggable interface and module name. For most pluggable -interfaces, the exported symbol is a function named -``INTERFACE_MODULE_initvt``, where *INTERFACE* is the name of the -pluggable interface and *MODULE* is the name of the module. For these -interfaces, it is possible for one shared object or DLL to implement -multiple plugin modules, either for the same pluggable interface or -for different ones. For example, a shared object could implement both -KDC and client preauthentication mechanisms, by exporting functions -named ``kdcpreauth_mymech_initvt`` and ``clpreauth_mymech_initvt``. - -.. note: The profile, locate, and GSSAPI mechglue pluggable interfaces - follow different conventions. See the documentation for - those interfaces for details. The remainder of this section - applies to pluggable interfaces which use the standard - conventions. - -A plugin module implementation should include the header file -````, where *INTERFACE* is the name of the -pluggable interface. For instance, a ccselect plugin module -implementation should use ``#include ``. - -.. note: clpreauth and kdcpreauth module implementations should - include . - -initvt functions have the following prototype:: - - krb5_error_code interface_modname_initvt(krb5_context context, - int maj_ver, int min_ver, - krb5_plugin_vtable vtable); - -and should do the following: - -1. Check that the supplied maj_ver argument is supported by the - module. If it is not supported, the function should return - KRB5_PLUGIN_VER_NOTSUPP. - -2. Cast the supplied vtable pointer to the structure type - corresponding to the major version, as documented in the pluggable - interface header file. - -3. Fill in the structure fields with pointers to method functions and - static data, stopping at the field indicated by the supplied minor - version. Fields for unimplemented optional methods can be left - alone; it is not necessary to initialize them to NULL. - -In most cases, the context argument will not be used. The initvt -function should not allocate memory; think of it as a glorified -structure initializer. Each pluggable interface defines methods for -allocating and freeing module state if doing so is necessary for the -interface. - -Pluggable interfaces typically include a **name** field in the vtable -structure, which should be filled in with a pointer to a string -literal containing the module name. - -Here is an example of what an initvt function might look like for a -fictional pluggable interface named fences, for a module named -"wicker":: - - krb5_error_code - fences_wicker_initvt(krb5_context context, int maj_ver, - int min_ver, krb5_plugin_vtable vtable) - { - krb5_ccselect_vtable vt; - - if (maj_ver == 1) { - krb5_fences_vtable vt = (krb5_fences_vtable)vtable; - vt->name = "wicker"; - vt->slats = wicker_slats; - vt->braces = wicker_braces; - } else if (maj_ver == 2) { - krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable; - vt->name = "wicker"; - vt->material = wicker_material; - vt->construction = wicker_construction; - if (min_ver < 2) - return 0; - vt->footing = wicker_footing; - if (min_ver < 3) - return 0; - vt->appearance = wicker_appearance; - } else { - return KRB5_PLUGIN_VER_NOTSUPP; - } - return 0; - } - -.. _automake: http://www.gnu.org/software/automake/ -.. _libtool: http://www.gnu.org/software/libtool/ diff --git a/doc/html/_sources/plugindev/gssapi.txt b/doc/html/_sources/plugindev/gssapi.txt deleted file mode 100644 index 34fc9e4..0000000 --- a/doc/html/_sources/plugindev/gssapi.txt +++ /dev/null @@ -1,101 +0,0 @@ -GSSAPI mechanism interface -========================== - -The GSSAPI library in MIT krb5 can load mechanism modules to augment -the set of built-in mechanisms. - -.. note: The GSSAPI loadable mechanism interface does not follow the - normal conventions for MIT krb5 pluggable interfaces. - -A mechanism module is a Unix shared object or Windows DLL, built -separately from the krb5 tree. Modules are loaded according to the -``/etc/gss/mech`` or ``/etc/gss/mech.d/*.conf`` config files, as -described in :ref:`gssapi_plugin_config`. - -For the most part, a GSSAPI mechanism module exports the same -functions as would a GSSAPI implementation itself, with the same -function signatures. The mechanism selection layer within the GSSAPI -library (called the "mechglue") will dispatch calls from the -application to the module if the module's mechanism is requested. If -a module does not wish to implement a GSSAPI extension, it can simply -refrain from exporting it, and the mechglue will fail gracefully if -the application calls that function. - -The mechglue does not invoke a module's **gss_add_cred**, -**gss_add_cred_from**, **gss_add_cred_impersonate_name**, or -**gss_add_cred_with_password** function. A mechanism only needs to -implement the "acquire" variants of those functions. - -A module does not need to coordinate its minor status codes with those -of other mechanisms. If the mechglue detects conflicts, it will map -the mechanism's status codes onto unique values, and then map them -back again when **gss_display_status** is called. - - -Interposer modules ------------------- - -The mechglue also supports a kind of loadable module, called an -interposer module, which intercepts calls to existing mechanisms -rather than implementing a new mechanism. - -An interposer module must export the symbol **gss_mech_interposer** -with the following signature:: - - gss_OID_set gss_mech_interposer(gss_OID mech_type); - -This function is invoked with the OID of the interposer mechanism as -specified in ``/etc/gss/mech`` or in a ``/etc/gss/mech.d/*.conf`` -file, and returns a set of mechanism OIDs to be interposed. The -returned OID set must have been created using the mechglue's -gss_create_empty_oid_set and gss_add_oid_set_member functions. - -An interposer module must use the prefix ``gssi_`` for the GSSAPI -functions it exports, instead of the prefix ``gss_``. - -An interposer module can link against the GSSAPI library in order to -make calls to the original mechanism. To do so, it must specify a -special mechanism OID which is the concatention of the interposer's -own OID byte string and the original mechanism's OID byte string. - -Since **gss_accept_sec_context** does not accept a mechanism argument, -an interposer mechanism must, in order to invoke the original -mechanism's function, acquire a credential for the concatenated OID -and pass that as the *verifier_cred_handle* parameter. - -Since **gss_import_name**, **gss_import_cred**, and -**gss_import_sec_context** do not accept mechanism parameters, the SPI -has been extended to include variants which do. This allows the -interposer module to know which mechanism should be used to interpret -the token. These functions have the following signatures:: - - OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status, - gss_OID desired_mech, gss_buffer_t interprocess_token, - gss_ctx_id_t *context_handle); - - OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status, - gss_OID mech_type, gss_buffer_t input_name_buffer, - gss_OID input_name_type, gss_name_t output_name); - - OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status, - gss_OID mech_type, gss_buffer_t token, - gss_cred_id_t *cred_handle); - -To re-enter the original mechanism when importing tokens for the above -functions, the interposer module must wrap the mechanism token in the -mechglue's format, using the concatenated OID. The mechglue token -formats are: - -* For **gss_import_sec_context**, a four-byte OID length in big-endian - order, followed by the mechanism OID, followed by the mechanism - token. - -* For **gss_import_name**, the bytes 04 01, followed by a two-byte OID - length in big-endian order, followed by the mechanism OID, followed - by the bytes 06, followed by the OID length as a single byte, - followed by the mechanism OID, followed by the mechanism token. - -* For **gss_import_cred**, a four-byte OID length in big-endian order, - followed by the mechanism OID, followed by a four-byte token length - in big-endian order, followed by the mechanism token. This sequence - may be repeated multiple times. diff --git a/doc/html/_sources/plugindev/hostrealm.txt b/doc/html/_sources/plugindev/hostrealm.txt deleted file mode 100644 index 4d488ef..0000000 --- a/doc/html/_sources/plugindev/hostrealm.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. _hostrealm_plugin: - -Host-to-realm interface (hostrealm) -=================================== - -The host-to-realm interface was first introduced in release 1.12. It -allows modules to control the local mapping of hostnames to realm -names as well as the default realm. For a detailed description of the -hostrealm interface, see the header file -````. - -Although the mapping methods in the hostrealm interface return a list -of one or more realms, only the first realm in the list is currently -used by callers. Callers may begin using later responses in the -future. - -Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer -processing to a later module. - -A module can create and destroy per-library-context state objects -using the **init** and **fini** methods. If the module does not need -any state, it does not need to implement these methods. - -The optional **host_realm** method allows a module to determine -authoritative realm mappings for a hostname. The first authoritative -mapping is used in preference to KDC referrals when getting service -credentials. - -The optional **fallback_realm** method allows a module to determine -fallback mappings for a hostname. The first fallback mapping is tried -if there is no authoritative mapping for a realm, and KDC referrals -failed to produce a successful result. - -The optional **default_realm** method allows a module to determine the -local default realm. - -If a module implements any of the above methods, it must also -implement **free_list** to ensure that memory is allocated and -deallocated consistently. diff --git a/doc/html/_sources/plugindev/index.txt b/doc/html/_sources/plugindev/index.txt deleted file mode 100644 index 3fb9217..0000000 --- a/doc/html/_sources/plugindev/index.txt +++ /dev/null @@ -1,35 +0,0 @@ -For plugin module developers -============================ - -Kerberos plugin modules allow increased control over MIT krb5 library -and server behavior. This guide describes how to create dynamic -plugin modules and the currently available pluggable interfaces. - -See :ref:`plugin_config` for information on how to register dynamic -plugin modules and how to enable and disable modules via -:ref:`krb5.conf(5)`. - -.. TODO: update the above reference when we have a free-form section - in the admin guide about plugin configuration - - -Contents --------- - -.. toctree:: - :maxdepth: 2 - - general.rst - clpreauth.rst - kdcpreauth.rst - ccselect.rst - pwqual.rst - kadm5_hook.rst - hostrealm.rst - localauth.rst - locate.rst - profile.rst - gssapi.rst - internal.rst - -.. TODO: GSSAPI mechanism plugins diff --git a/doc/html/_sources/plugindev/internal.txt b/doc/html/_sources/plugindev/internal.txt deleted file mode 100644 index 99e30bb..0000000 --- a/doc/html/_sources/plugindev/internal.txt +++ /dev/null @@ -1,32 +0,0 @@ -Internal pluggable interfaces -============================= - -Following are brief discussions of pluggable interfaces which have not -yet been made public. These interfaces are functional, but the -interfaces are likely to change in incompatible ways from release to -release. In some cases, it may be necessary to copy header files from -the krb5 source tree to use an internal interface. Use these with -care, and expect to need to update your modules for each new release -of MIT krb5. - - -Kerberos database interface (KDB) ---------------------------------- - -A KDB module implements a database back end for KDC principal and -policy information, and can also control many aspects of KDC behavior. -For a full description of the interface, see the header file -````. - -The KDB pluggable interface is often referred to as the DAL (Database -Access Layer). - - -Authorization data interface (authdata) ---------------------------------------- - -The authdata interface allows a module to provide (from the KDC) or -consume (in application servers) authorization data of types beyond -those handled by the core MIT krb5 code base. The interface is -defined in the header file ````, which is not -installed by the build. diff --git a/doc/html/_sources/plugindev/kadm5_hook.txt b/doc/html/_sources/plugindev/kadm5_hook.txt deleted file mode 100644 index ece3eac..0000000 --- a/doc/html/_sources/plugindev/kadm5_hook.txt +++ /dev/null @@ -1,27 +0,0 @@ -.. _kadm5_hook_plugin: - -KADM5 hook interface (kadm5_hook) -================================= - -The kadm5_hook interface allows modules to perform actions when -changes are made to the Kerberos database through :ref:`kadmin(1)`. -For a detailed description of the kadm5_hook interface, see the header -file ````. - -The kadm5_hook interface has five primary methods: **chpass**, -**create**, **modify**, **remove**, and **rename**. (The **rename** -method was introduced in release 1.14.) Each of these methods is -called twice when the corresponding administrative action takes place, -once before the action is committed and once afterwards. A module can -prevent the action from taking place by returning an error code during -the pre-commit stage. - -A module can create and destroy per-process state objects by -implementing the **init** and **fini** methods. State objects have -the type kadm5_hook_modinfo, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. - -Because the kadm5_hook interface is tied closely to the kadmin -interface (which is explicitly unstable), it may not remain as stable -across versions as other public pluggable interfaces. diff --git a/doc/html/_sources/plugindev/kdcpreauth.txt b/doc/html/_sources/plugindev/kdcpreauth.txt deleted file mode 100644 index ab7f3a9..0000000 --- a/doc/html/_sources/plugindev/kdcpreauth.txt +++ /dev/null @@ -1,79 +0,0 @@ -KDC preauthentication interface (kdcpreauth) -============================================ - -The kdcpreauth interface allows the addition of KDC support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the kdcpreauth -interface, see the header file ```` (or -```` before release 1.12). - -A kdcpreauth module is generally responsible for: - -* Supplying a list of preauth type numbers used by the module in the - **pa_type_list** field of the vtable structure. - -* Indicating what kind of preauthentication mechanism it implements, - with the **flags** method. If the mechanism computes a new reply - key, it must specify the ``PA_REPLACES_KEY`` flag. If the mechanism - is generally only used with hardware tokens, the ``PA_HARDWARE`` - flag allows the mechanism to work with principals which have the - **requires_hwauth** flag set. - -* Producing a padata value to be sent with a preauth_required error, - with the **edata** method. - -* Examining a padata value sent by a client and verifying that it - proves knowledge of the appropriate client credential information. - This is done with the **verify** method. - -* Producing a padata response value for the client, and possibly - computing a reply key. This is done with the **return_padata** - method. - -A module can create and destroy per-KDC state objects by implementing -the **init** and **fini** methods. Per-KDC state objects have the -type krb5_kdcpreauth_moddata, which is an abstract pointer types. A -module should typically cast this to an internal type for the state -object. - -A module can create a per-request state object by returning one in the -**verify** method, receiving it in the **return_padata** method, and -destroying it in the **free_modreq** method. Note that these state -objects only apply to the processing of a single AS request packet, -not to an entire authentication exchange (since an authentication -exchange may remain unfinished by the client or may involve multiple -different KDC hosts). Per-request state objects have the type -krb5_kdcpreauth_modreq, which is an abstract pointer type. - -The **edata**, **verify**, and **return_padata** methods have access -to a callback function and handle (called a "rock") which can be used -to get additional information about the current request, including the -maximum allowable clock skew, the client's long-term keys, the -DER-encoded request body, the FAST armor key, string attributes on the -client's database entry, and the client's database entry itself. The -**verify** method can assert one or more authentication indicators to -be included in the issued ticket using the ``add_auth_indicator`` -callback (new in release 1.14). - -A module can generate state information to be included with the next -client request using the ``set_cookie`` callback (new in release -1.14). On the next request, the module can read this state -information using the ``get_cookie`` callback. Cookie information is -encrypted, timestamped, and transmitted to the client in a -``PA-FX-COOKIE`` pa-data item. Older clients may not support cookies -and therefore may not transmit the cookie in the next request; in this -case, ``get_cookie`` will not yield the saved information. - -If a module implements a mechanism which requires multiple round -trips, its **verify** method can respond with the code -``KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED`` and a list of pa-data in -the *e_data* parameter to be processed by the client. - -The **edata** and **verify** methods can be implemented -asynchronously. Because of this, they do not return values directly -to the caller, but must instead invoke responder functions with their -results. A synchronous implementation can invoke the responder -function immediately. An asynchronous implementation can use the -callback to get an event context for use with the libverto_ API. - -.. _libverto: https://fedorahosted.org/libverto/ diff --git a/doc/html/_sources/plugindev/localauth.txt b/doc/html/_sources/plugindev/localauth.txt deleted file mode 100644 index 6f396a9..0000000 --- a/doc/html/_sources/plugindev/localauth.txt +++ /dev/null @@ -1,43 +0,0 @@ -.. _localauth_plugin: - -Local authorization interface (localauth) -========================================= - -The localauth interface was first introduced in release 1.12. It -allows modules to control the relationship between Kerberos principals -and local system accounts. When an application calls -:c:func:`krb5_kuserok` or :c:func:`krb5_aname_to_localname`, localauth -modules are consulted to determine the result. For a detailed -description of the localauth interface, see the header file -````. - -A module can create and destroy per-library-context state objects -using the **init** and **fini** methods. If the module does not need -any state, it does not need to implement these methods. - -The optional **userok** method allows a module to control the behavior -of :c:func:`krb5_kuserok`. The module receives the authenticated name -and the local account name as inputs, and can return either 0 to -authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other -modules, or another error (canonically EPERM) to authoritatively deny -access. Access is granted if at least one module grants access and no -module authoritatively denies access. - -The optional **an2ln** method can work in two different ways. If the -module sets an array of uppercase type names in **an2ln_types**, then -the module's **an2ln** method will only be invoked by -:c:func:`krb5_aname_to_localname` if an **auth_to_local** value in -:ref:`krb5.conf(5)` refers to one of the module's types. In this -case, the *type* and *residual* arguments will give the type name and -residual string of the **auth_to_local** value. - -If the module does not set **an2ln_types** but does implement -**an2ln**, the module's **an2ln** method will be invoked for all -:c:func:`krb5_aname_to_localname` operations unless an earlier module -determines a mapping, with *type* and *residual* set to NULL. The -module can return KRB5_LNAME_NO_TRANS to defer mapping to later -modules. - -If a module implements **an2ln**, it must also implement -**free_string** to ensure that memory is allocated and deallocated -consistently. diff --git a/doc/html/_sources/plugindev/locate.txt b/doc/html/_sources/plugindev/locate.txt deleted file mode 100644 index fca6a4d..0000000 --- a/doc/html/_sources/plugindev/locate.txt +++ /dev/null @@ -1,32 +0,0 @@ -Server location interface (locate) -================================== - -The locate interface allows modules to control how KDCs and similar -services are located by clients. For a detailed description of the -ccselect interface, see the header file ````. - -.. note: The locate interface does not follow the normal conventions - for MIT krb5 pluggable interfaces, because it was made public - before those conventions were established. - -A locate module exports a structure object of type -krb5plugin_service_locate_ftable, with the name ``service_locator``. -The structure contains a minor version and pointers to the module's -methods. - -The primary locate method is **lookup**, which accepts a service type, -realm name, desired socket type, and desired address family (which -will be AF_UNSPEC if no specific address family is desired). The -method should invoke the callback function once for each server -address it wants to return, passing a socket type (SOCK_STREAM for TCP -or SOCK_DGRAM for UDP) and socket address. The **lookup** method -should return 0 if it has authoritatively determined the server -addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let -other location mechanisms determine the server addresses, or another -code if it experienced a failure which should abort the location -process. - -A module can create and destroy per-library-context state objects by -implementing the **init** and **fini** methods. State objects have -the type void \*, and should be cast to an internal type for the state -object. diff --git a/doc/html/_sources/plugindev/profile.txt b/doc/html/_sources/plugindev/profile.txt deleted file mode 100644 index 209c064..0000000 --- a/doc/html/_sources/plugindev/profile.txt +++ /dev/null @@ -1,96 +0,0 @@ -.. _profile_plugin: - -Configuration interface (profile) -================================= - -The profile interface allows a module to control how krb5 -configuration information is obtained by the Kerberos library and -applications. For a detailed description of the profile interface, -see the header file ````. - -.. note:: - - The profile interface does not follow the normal conventions - for MIT krb5 pluggable interfaces, because it is part of a - lower-level component of the krb5 library. - -As with other types of plugin modules, a profile module is a Unix -shared object or Windows DLL, built separately from the krb5 tree. -The krb5 library will dynamically load and use a profile plugin module -if it reads a ``module`` directive at the beginning of krb5.conf, as -described in :ref:`profile_plugin_config`. - -A profile module exports a function named ``profile_module_init`` -matching the signature of the profile_module_init_fn type. This -function accepts a residual string, which may be used to help locate -the configuration source. The function fills in a vtable and may also -create a per-profile state object. If the module uses state objects, -it should implement the **copy** and **cleanup** methods to manage -them. - -A basic read-only profile module need only implement the -**get_values** and **free_values** methods. The **get_values** method -accepts a null-terminated list of C string names (e.g., an array -containing "libdefaults", "clockskew", and NULL for the **clockskew** -variable in the :ref:`libdefaults` section) and returns a -null-terminated list of values, which will be cleaned up with the -**free_values** method when the caller is done with them. - -Iterable profile modules must also define the **iterator_create**, -**iterator**, **iterator_free**, and **free_string** methods. The -core krb5 code does not require profiles to be iterable, but some -applications may iterate over the krb5 profile object in order to -present configuration interfaces. - -Writable profile modules must also define the **writable**, -**modified**, **update_relation**, **rename_section**, -**add_relation**, and **flush** methods. The core krb5 code does not -require profiles to be writable, but some applications may write to -the krb5 profile in order to present configuration interfaces. - -The following is an example of a very basic read-only profile module -which returns a hardcoded value for the **default_realm** variable in -:ref:`libdefaults`, and provides no other configuration information. -(For conciseness, the example omits code for checking the return -values of malloc and strdup.) :: - - #include - #include - #include - - static long - get_values(void *cbdata, const char *const *names, char ***values) - { - if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 && - names[1] != NULL && strcmp(names[1], "default_realm") == 0) { - *values = malloc(2 * sizeof(char *)); - (*values)[0] = strdup("ATHENA.MIT.EDU"); - (*values)[1] = NULL; - return 0; - } - return PROF_NO_RELATION; - } - - static void - free_values(void *cbdata, char **values) - { - char **v; - - for (v = values; *v; v++) - free(*v); - free(values); - } - - long - profile_module_init(const char *residual, struct profile_vtable *vtable, - void **cb_ret); - - long - profile_module_init(const char *residual, struct profile_vtable *vtable, - void **cb_ret) - { - *cb_ret = NULL; - vtable->get_values = get_values; - vtable->free_values = free_values; - return 0; - } diff --git a/doc/html/_sources/plugindev/pwqual.txt b/doc/html/_sources/plugindev/pwqual.txt deleted file mode 100644 index 523b95c..0000000 --- a/doc/html/_sources/plugindev/pwqual.txt +++ /dev/null @@ -1,25 +0,0 @@ -.. _pwqual_plugin: - -Password quality interface (pwqual) -=================================== - -The pwqual interface allows modules to control what passwords are -allowed when a user changes passwords. For a detailed description of -the pwqual interface, see the header file ````. - -The primary pwqual method is **check**, which receives a password as -input and returns success (0) or a ``KADM5_PASS_Q_`` failure code -depending on whether the password is allowed. The **check** method -also receives the principal name and the name of the principal's -password policy as input; although there is no stable interface for -the module to obtain the fields of the password policy, it can define -its own configuration or data store based on the policy name. - -A module can create and destroy per-process state objects by -implementing the **open** and **close** methods. State objects have -the type krb5_pwqual_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. The **open** method also receives the name of the realm's -dictionary file (as configured by the **dict_file** variable in the -:ref:`kdc_realms` section of :ref:`kdc.conf(5)`) if it wishes to use -it. diff --git a/doc/html/_sources/resources.txt b/doc/html/_sources/resources.txt deleted file mode 100644 index 5bead12..0000000 --- a/doc/html/_sources/resources.txt +++ /dev/null @@ -1,60 +0,0 @@ -Resources -========= - -Mailing lists -------------- - -* kerberos@mit.edu is a community resource for discussion and - questions about MIT krb5 and other Kerberos implementations. To - subscribe to the list, please follow the instructions at - http://mailman.mit.edu/mailman/listinfo/kerberos. -* krbdev@mit.edu is the primary list for developers of MIT Kerberos. - To subscribe to the list, please follow the instructions at - http://mailman.mit.edu/mailman/listinfo/krbdev. -* krb5-bugs@mit.edu is notified when a ticket is created or updated. - This list helps track bugs and feature requests. - In addition, this list is used to track documentation criticism - and recommendations for improvements. -* krbcore@mit.edu is a private list for the MIT krb5 core team. Send - mail to this list if you need to contact the core team. -* krbcore-security@mit.edu is the point of contact for security problems - with MIT Kerberos. Please use PGP-encrypted mail to report possible - vulnerabilities to this list. - - -IRC channels ------------- - -The IRC channel `#kerberos` on irc.freenode.net is a community -resource for general Kerberos discussion and support. - -The main IRC channel for MIT Kerberos development is `#krbdev` on -freenode. - -For more information about freenode, see http://freenode.net/. - - -Archives --------- - -* The archive http://mailman.mit.edu/pipermail/kerberos/ contains past - postings from the `kerberos@mit.edu` list. - -* The http://mailman.mit.edu/pipermail/krbdev/ contains past - postings from the `krbdev@mit.edu` list. - - -Wiki ----- - -The wiki at http://k5wiki.kerberos.org/ contains useful information -for developers working on the MIT Kerberos source code. Some of the -information on the wiki may be useful for advanced users or system -administrators. - -Web pages ---------- - -* http://web.mit.edu/kerberos/ is the MIT Kerberos software web page. - -* http://kerberos.org/ is the MIT Kerberos Consortium web page. diff --git a/doc/html/_sources/user/index.txt b/doc/html/_sources/user/index.txt deleted file mode 100644 index 233c3ef..0000000 --- a/doc/html/_sources/user/index.txt +++ /dev/null @@ -1,10 +0,0 @@ -For users -========= - -.. toctree:: - :maxdepth: 2 - - pwd_mgmt.rst - tkt_mgmt.rst - user_config/index.rst - user_commands/index.rst diff --git a/doc/html/_sources/user/pwd_mgmt.txt b/doc/html/_sources/user/pwd_mgmt.txt deleted file mode 100644 index ed7d459..0000000 --- a/doc/html/_sources/user/pwd_mgmt.txt +++ /dev/null @@ -1,106 +0,0 @@ -Password management -=================== - -Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you---send email that comes from you, read, edit, or delete your files, -or log into other hosts as you---and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -:ref:`grant_access`). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is. - - -Changing your password ----------------------- - -To change your Kerberos password, use the :ref:`kpasswd(1)` command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you're not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) -For example, user ``david`` would do the following:: - - shell% kpasswd - Password for david: <- Type your old password. - Enter new password: <- Type your new password. - Enter it again: <- Type the new password again. - Password changed. - shell% - -If ``david`` typed the incorrect old password, he would get the -following message:: - - shell% kpasswd - Password for david: <- Type the incorrect old password. - kpasswd: Password incorrect while getting initial ticket - shell% - -If you make a mistake and don't type the new password the same way -twice, kpasswd will ask you to try again:: - - shell% kpasswd - Password for david: <- Type the old password. - Enter new password: <- Type the new password. - Enter it again: <- Type a different new password. - kpasswd: Password mismatch while reading password - shell% - -Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn't work, try again -using the old one. - - -.. _grant_access: - -Granting access to your account -------------------------------- - -If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called :ref:`.k5login(5)` in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file:: - - jennifer@ATHENA.MIT.EDU - david@EXAMPLE.COM - -This file would allow the users ``jennifer`` and ``david`` to use your -user ID, provided that they had Kerberos tickets in their respective -realms. If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts. - -Using a .k5login file is much safer than giving out your password, -because: - -* You can take access away any time simply by removing the principal - from your .k5login file. - -* Although the user has full access to your account on one particular - host (or set of hosts if your .k5login file is shared, e.g., over - NFS), that user does not inherit your network privileges. - -* Kerberos keeps a log of who obtains tickets, so a system - administrator could find out, if necessary, who was capable of using - your user ID at a particular time. - -One common application is to have a .k5login file in root's home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network. - - -Password quality verification ------------------------------ - -TODO diff --git a/doc/html/_sources/user/tkt_mgmt.txt b/doc/html/_sources/user/tkt_mgmt.txt deleted file mode 100644 index 9ec7f1e..0000000 --- a/doc/html/_sources/user/tkt_mgmt.txt +++ /dev/null @@ -1,314 +0,0 @@ -Ticket management -================= - -On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the :ref:`kdestroy(1)` command -to your .logout file. Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen. - - -Kerberos ticket properties --------------------------- - -There are various properties that Kerberos tickets can have: - -If a ticket is **forwardable**, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally. - -When the KDC creates a new ticket based on a forwardable ticket, it -sets the **forwarded** flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set. - -A **proxiable** ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket-granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable. - -A **proxy** ticket is one that was issued based on a proxiable ticket. - -A **postdated** ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets. - -Ticket-granting tickets with the **postdateable** flag set can be used -to obtain postdated service tickets. - -**Renewable** tickets can be used to obtain new session keys without -the user entering their password again. A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket. - -A ticket with the **initial flag** set was issued based on the -authentication protocol, and not on a ticket-granting ticket. -Application servers that wish to ensure that the user's key has been -recently presented for verification could specify that this flag must -be set to accept the ticket. - -An **invalid** ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used. - -A **preauthenticated** ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC. - -The **hardware authentication** flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets. - -If a ticket has the **transit policy** checked flag set, then the KDC -that issued this ticket implements the transited-realm check policy -and checked the transited-realms list on the ticket. The -transited-realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket. - -The **okay as delegate** flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it. - -An **anonymous** ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key. - - -.. _obtain_tkt: - -Obtaining tickets with kinit ----------------------------- - -If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -:ref:`kinit(1)` program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones. - -To use the kinit program, simply type ``kinit`` and then type your -password at the prompt. For example, Jennifer (whose username is -``jennifer``) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would -type:: - - shell% kinit - Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.] - shell% - -If you type your password incorrectly, kinit will give you the -following error message:: - - shell% kinit - Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.] - kinit: Password incorrect - shell% - -and you won't get Kerberos tickets. - -By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer's friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. He would type:: - - shell% kinit david@EXAMPLE.COM - Password for david@EXAMPLE.COM: <-- [Type david's password here.] - shell% - -David would then have tickets which he could use to log onto his own -machine. Note that he typed his password locally on Jennifer's -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm. - -If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the -**-f** option:: - - shell% kinit -f - Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.] - shell% - -Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the :ref:`klist(1)` command (see -:ref:`view_tkt`). - -Normally, your tickets are good for your system's default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the **-l** option. Add the letter -**s** to the value for seconds, **m** for minutes, **h** for hours, or -**d** for days. For example, to obtain forwardable tickets for -``david@EXAMPLE.COM`` that would be good for three hours, you would -type:: - - shell% kinit -f -l 3h david@EXAMPLE.COM - Password for david@EXAMPLE.COM: <-- [Type david's password here.] - shell% - -.. note:: - - You cannot mix units; specifying a lifetime of 3h30m would - result in an error. Note also that most systems specify a - maximum ticket lifetime. If you request a longer ticket - lifetime, it will be automatically truncated to the maximum - lifetime. - - -.. _view_tkt: - -Viewing tickets with klist --------------------------- - -The :ref:`klist(1)` command shows your tickets. When you first obtain -tickets, you will have only the ticket-granting ticket. The listing -would look like this:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - shell% - -The ticket cache is the location of your ticket file. In the above -example, this file is named ``/tmp/krb5cc_ttypa``. The default -principal is your Kerberos principal. - -The "valid starting" and "expires" fields describe the period of time -during which the ticket is valid. The "service principal" describes -each ticket. The ticket-granting ticket has a first component -``krbtgt``, and a second component which is the realm name. - -Now, if ``jennifer`` connected to the machine ``daffodil.mit.edu``, -and then typed "klist" again, she would have gotten the following -result:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU - shell% - -Here's what happened: when ``jennifer`` used ssh to connect to the -host ``daffodil.mit.edu``, the ssh program presented her -ticket-granting ticket to the KDC and requested a host ticket for the -host ``daffodil.mit.edu``. The KDC sent the host ticket, which ssh -then presented to the host ``daffodil.mit.edu``, and she was allowed -to log in without typing her password. - -Suppose your Kerberos tickets allow you to log into a host in another -domain, such as ``trillium.example.com``, which is also in another -Kerberos realm, ``EXAMPLE.COM``. If you ssh to this host, you will -receive a ticket-granting ticket for the realm ``EXAMPLE.COM``, plus -the new host ticket for ``trillium.example.com``. klist will now -show:: - - shell% klist - Ticket cache: /tmp/krb5cc_ttypa - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - 06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU - 06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU - 06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM - shell% - -Depending on your host's and realm's configuration, you may also see a -ticket with the service principal ``host/trillium.example.com@``. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the ``ATHENA.MIT.EDU`` KDC for -a referral. The next time you connect to ``trillium.example.com``, -the odd-looking entry will be used to avoid needing to ask for a -referral again. - -You can use the **-f** option to view the flags that apply to your -tickets. The flags are: - -===== ========================= - F Forwardable - f forwarded - P Proxiable - p proxy - D postDateable - d postdated - R Renewable - I Initial - i invalid - H Hardware authenticated - A preAuthenticated - T Transit policy checked - O Okay as delegate - a anonymous -===== ========================= - -Here is a sample listing. In this example, the user *jennifer* -obtained her initial tickets (**I**), which are forwardable (**F**) -and postdated (**d**) but not yet validated (**i**):: - - shell% klist -f - Ticket cache: /tmp/krb5cc_320 - Default principal: jennifer@ATHENA.MIT.EDU - - Valid starting Expires Service principal - 31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - Flags: FdiI - shell% - -In the following example, the user *david*'s tickets were forwarded -(**f**) to this host from another host. The tickets are reforwardable -(**F**):: - - shell% klist -f - Ticket cache: /tmp/krb5cc_p11795 - Default principal: david@EXAMPLE.COM - - Valid starting Expires Service principal - 07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM - Flags: Ff - 07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM - Flags: Ff - shell% - - -Destroying tickets with kdestroy --------------------------------- - -Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. For this reason, you should -destroy your Kerberos tickets when you are away from your computer. - -Destroying your tickets is easy. Simply type kdestroy:: - - shell% kdestroy - shell% - -If :ref:`kdestroy(1)` fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can't find any -tickets to destroy, it will give the following message:: - - shell% kdestroy - kdestroy: No credentials cache file found while destroying cache - shell% diff --git a/doc/html/_sources/user/user_commands/index.txt b/doc/html/_sources/user/user_commands/index.txt deleted file mode 100644 index 7ce86a1..0000000 --- a/doc/html/_sources/user/user_commands/index.txt +++ /dev/null @@ -1,17 +0,0 @@ -.. _user_commands: - -User commands -============= - -.. toctree:: - :maxdepth: 1 - - kdestroy.rst - kinit.rst - klist.rst - kpasswd.rst - krb5-config.rst - ksu.rst - kswitch.rst - kvno.rst - sclient.rst diff --git a/doc/html/_sources/user/user_commands/kdestroy.txt b/doc/html/_sources/user/user_commands/kdestroy.txt deleted file mode 100644 index b8c67ab..0000000 --- a/doc/html/_sources/user/user_commands/kdestroy.txt +++ /dev/null @@ -1,77 +0,0 @@ -.. _kdestroy(1): - -kdestroy -======== - -SYNOPSIS --------- - -**kdestroy** -[**-A**] -[**-q**] -[**-c** *cache_name*] - - -DESCRIPTION ------------ - -The kdestroy utility destroys the user's active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -OPTIONS -------- - -**-A** - Destroys all caches in the collection, if a cache collection is - available. - -**-q** - Run quietly. Normally kdestroy beeps if it fails to destroy the - user's tickets. The **-q** flag suppresses this behavior. - -**-c** *cache_name* - Use *cache_name* as the credentials (ticket) cache name and - location; if this option is not used, the default cache name and - location are used. - - The default credentials cache may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - name the default ticket cache. - - -NOTE ----- - -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -ENVIRONMENT ------------ - -kdestroy uses the following environment variable: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`klist(1)` diff --git a/doc/html/_sources/user/user_commands/kinit.txt b/doc/html/_sources/user/user_commands/kinit.txt deleted file mode 100644 index 3f9d534..0000000 --- a/doc/html/_sources/user/user_commands/kinit.txt +++ /dev/null @@ -1,228 +0,0 @@ -.. _kinit(1): - -kinit -===== - -SYNOPSIS --------- - -**kinit** -[**-V**] -[**-l** *lifetime*] -[**-s** *start_time*] -[**-r** *renewable_life*] -[**-p** | -**P**] -[**-f** | -**F**] -[**-a**] -[**-A**] -[**-C**] -[**-E**] -[**-v**] -[**-R**] -[**-k** [-**t** *keytab_file*]] -[**-c** *cache_name*] -[**-n**] -[**-S** *service_name*] -[**-I** *input_ccache*] -[**-T** *armor_ccache*] -[**-X** *attribute*\ [=\ *value*]] -[*principal*] - - -DESCRIPTION ------------ - -kinit obtains and caches an initial ticket-granting ticket for -*principal*. If *principal* is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -OPTIONS -------- - -**-V** - display verbose output. - -**-l** *lifetime* - (:ref:`duration` string.) Requests a ticket with the lifetime - *lifetime*. - - For example, ``kinit -l 5:30`` or ``kinit -l 5h30m``. - - If the **-l** option is not specified, the default ticket lifetime - (configured by each site) is used. Specifying a ticket lifetime - longer than the maximum ticket lifetime (configured by each site) - will not override the configured maximum ticket lifetime. - -**-s** *start_time* - (:ref:`duration` string.) Requests a postdated ticket. Postdated - tickets are issued with the **invalid** flag set, and need to be - resubmitted to the KDC for validation before use. - - *start_time* specifies the duration of the delay before the ticket - can become valid. - -**-r** *renewable_life* - (:ref:`duration` string.) Requests renewable tickets, with a total - lifetime of *renewable_life*. - -**-f** - requests forwardable tickets. - -**-F** - requests non-forwardable tickets. - -**-p** - requests proxiable tickets. - -**-P** - requests non-proxiable tickets. - -**-a** - requests tickets restricted to the host's local address[es]. - -**-A** - requests tickets not restricted by address. - -**-C** - requests canonicalization of the principal name, and allows the - KDC to reply with a different client principal from the one - requested. - -**-E** - treats the principal name as an enterprise name (implies the - **-C** option). - -**-v** - requests that the ticket-granting ticket in the cache (with the - **invalid** flag set) be passed to the KDC for validation. If the - ticket is within its requested time range, the cache is replaced - with the validated ticket. - -**-R** - requests renewal of the ticket-granting ticket. Note that an - expired ticket cannot be renewed, even if the ticket is still - within its renewable life. - - Note that renewable tickets that have expired as reported by - :ref:`klist(1)` may sometimes be renewed using this option, - because the KDC applies a grace period to account for client-KDC - clock skew. See :ref:`krb5.conf(5)` **clockskew** setting. - -**-k** [**-i** | **-t** *keytab_file*] - requests a ticket, obtained from a key in the local host's keytab. - The location of the keytab may be specified with the **-t** - *keytab_file* option, or with the **-i** option to specify the use - of the default client keytab; otherwise the default keytab will be - used. By default, a host ticket for the local host is requested, - but any principal may be specified. On a KDC, the special keytab - location ``KDB:`` can be used to indicate that kinit should open - the KDC database and look up the key directly. This permits an - administrator to obtain tickets as any principal that supports - authentication based on the key. - -**-n** - Requests anonymous processing. Two types of anonymous principals - are supported. - - For fully anonymous Kerberos, configure pkinit on the KDC and - configure **pkinit_anchors** in the client's :ref:`krb5.conf(5)`. - Then use the **-n** option with a principal of the form ``@REALM`` - (an empty principal name followed by the at-sign and a realm - name). If permitted by the KDC, an anonymous ticket will be - returned. - - A second form of anonymous tickets is supported; these - realm-exposed tickets hide the identity of the client but not the - client's realm. For this mode, use ``kinit -n`` with a normal - principal name. If supported by the KDC, the principal (but not - realm) will be replaced by the anonymous principal. - - As of release 1.8, the MIT Kerberos KDC only supports fully - anonymous operation. - -**-I** *input_ccache* - - Specifies the name of a credentials cache that already contains a - ticket. When obtaining that ticket, if information about how that - ticket was obtained was also stored to the cache, that information - will be used to affect how new credentials are obtained, including - preselecting the same methods of authenticating to the KDC. - -**-T** *armor_ccache* - Specifies the name of a credentials cache that already contains a - ticket. If supported by the KDC, this cache will be used to armor - the request, preventing offline dictionary attacks and allowing - the use of additional preauthentication mechanisms. Armoring also - makes sure that the response from the KDC is not modified in - transit. - -**-c** *cache_name* - use *cache_name* as the Kerberos 5 credentials (ticket) cache - location. If this option is not used, the default cache location - is used. - - The default cache location may vary between systems. If the - **KRB5CCNAME** environment variable is set, its value is used to - locate the default cache. If a principal name is specified and - the type of the default cache supports a collection (such as the - DIR type), an existing cache containing credentials for the - principal is selected or a new one is created and becomes the new - primary cache. Otherwise, any existing contents of the default - cache are destroyed by kinit. - -**-S** *service_name* - specify an alternate service name to use when getting initial - tickets. - -**-X** *attribute*\ [=\ *value*] - specify a pre-authentication *attribute* and *value* to be - interpreted by pre-authentication modules. The acceptable - attribute and value values vary from module to module. This - option may be specified multiple times to specify multiple - attributes. If no value is specified, it is assumed to be "yes". - - The following attributes are recognized by the PKINIT - pre-authentication mechanism: - - **X509_user_identity**\ =\ *value* - specify where to find user's X509 identity information - - **X509_anchors**\ =\ *value* - specify where to find trusted X509 anchor information - - **flag_RSA_PROTOCOL**\ [**=yes**] - specify use of RSA, rather than the default Diffie-Hellman - protocol - - -ENVIRONMENT ------------ - -kinit uses the following environment variables: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials cache, in the form - *type*:*residual*. If no *type* prefix is present, the **FILE** - type is assumed. The type of the default cache may determine the - availability of a cache collection; for instance, a default cache - of type **DIR** causes caches within the directory to be present - in the collection. - - -FILES ------ - -|ccache| - default location of Kerberos 5 credentials cache - -|keytab| - default location for the local host's keytab. - - -SEE ALSO --------- - -:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1) diff --git a/doc/html/_sources/user/user_commands/klist.txt b/doc/html/_sources/user/user_commands/klist.txt deleted file mode 100644 index c24c741..0000000 --- a/doc/html/_sources/user/user_commands/klist.txt +++ /dev/null @@ -1,132 +0,0 @@ -.. _klist(1): - -klist -===== - -SYNOPSIS --------- - -**klist** -[**-e**] -[[**-c**] [**-l**] [**-A**] [**-f**] [**-s**] [**-a** [**-n**]]] -[**-C**] -[**-k** [**-t**] [**-K**]] -[**-V**] -[*cache_name*\|\ *keytab_name*] - - -DESCRIPTION ------------ - -klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -OPTIONS -------- - -**-e** - Displays the encryption types of the session key and the ticket - for each credential in the credential cache, or each key in the - keytab file. - -**-l** - If a cache collection is available, displays a table summarizing - the caches present in the collection. - -**-A** - If a cache collection is available, displays the contents of all - of the caches in the collection. - -**-c** - List tickets held in a credentials cache. This is the default if - neither **-c** nor **-k** is specified. - -**-f** - Shows the flags present in the credentials, using the following - abbreviations:: - - F Forwardable - f forwarded - P Proxiable - p proxy - D postDateable - d postdated - R Renewable - I Initial - i invalid - H Hardware authenticated - A preAuthenticated - T Transit policy checked - O Okay as delegate - a anonymous - -**-s** - Causes klist to run silently (produce no output). klist will exit - with status 1 if the credentials cache cannot be read or is - expired, and with status 0 otherwise. - -**-a** - Display list of addresses in credentials. - -**-n** - Show numeric addresses instead of reverse-resolving addresses. - -**-C** - List configuration data that has been stored in the credentials - cache when klist encounters it. By default, configuration data - is not listed. - -**-k** - List keys held in a keytab file. - -**-i** - In combination with **-k**, defaults to using the default client - keytab instead of the default acceptor keytab, if no name is - given. - -**-t** - Display the time entry timestamps for each keytab entry in the - keytab file. - -**-K** - Display the value of the encryption key in each keytab entry in - the keytab file. - -**-V** - Display the Kerberos version number and exit. - -If *cache_name* or *keytab_name* is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the **KRB5CCNAME** environment variable is set, its -value is used to locate the default ticket cache. - - -ENVIRONMENT ------------ - -klist uses the following environment variable: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - -|keytab| - Default location for the local host's keytab file. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)` diff --git a/doc/html/_sources/user/user_commands/kpasswd.txt b/doc/html/_sources/user/user_commands/kpasswd.txt deleted file mode 100644 index 1b64632..0000000 --- a/doc/html/_sources/user/user_commands/kpasswd.txt +++ /dev/null @@ -1,39 +0,0 @@ -.. _kpasswd(1): - -kpasswd -======= - -SYNOPSIS --------- - -**kpasswd** [*principal*] - - -DESCRIPTION ------------ - -The kpasswd command is used to change a Kerberos principal's password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) - - -OPTIONS -------- - -*principal* - Change the password for the Kerberos principal principal. - Otherwise, kpasswd uses the principal name from an existing ccache - if there is one; if not, the principal is derived from the - identity of the user invoking the kpasswd command. - - -SEE ALSO --------- - -:ref:`kadmin(1)`, :ref:`kadmind(8)` diff --git a/doc/html/_sources/user/user_commands/krb5-config.txt b/doc/html/_sources/user/user_commands/krb5-config.txt deleted file mode 100644 index ee0fcea..0000000 --- a/doc/html/_sources/user/user_commands/krb5-config.txt +++ /dev/null @@ -1,83 +0,0 @@ -.. _krb5-config(1): - -krb5-config -=========== - -SYNOPSIS --------- - -**krb5-config** -[**-**\ **-help** | **-**\ **-all** | **-**\ **-version** | **-**\ **-vendor** | **-**\ **-prefix** | **-**\ **-exec-prefix** | **-**\ **-defccname** | **-**\ **-defktname** | **-**\ **-defcktname** | **-**\ **-cflags** | **-**\ **-libs** [*libraries*]] - - -DESCRIPTION ------------ - -krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -OPTIONS -------- - -**-**\ **-help** - prints a usage message. This is the default behavior when no options - are specified. - -**-**\ **-all** - prints the version, vendor, prefix, and exec-prefix. - -**-**\ **-version** - prints the version number of the Kerberos installation. - -**-**\ **-vendor** - prints the name of the vendor of the Kerberos installation. - -**-**\ **-prefix** - prints the prefix for which the Kerberos installation was built. - -**-**\ **-exec-prefix** - prints the prefix for executables for which the Kerberos installation - was built. - -**-**\ **-defccname** - prints the built-in default credentials cache location. - -**-**\ **-defktname** - prints the built-in default keytab location. - -**-**\ **-defcktname** - prints the built-in default client (initiator) keytab location. - -**-**\ **-cflags** - prints the compilation flags used to build the Kerberos installation. - -**-**\ **-libs** [*library*] - prints the compiler options needed to link against *library*. - Allowed values for *library* are: - - ============ =============================================== - krb5 Kerberos 5 applications (default) - gssapi GSSAPI applications with Kerberos 5 bindings - kadm-client Kadmin client - kadm-server Kadmin server - kdb Applications that access the Kerberos database - ============ =============================================== - -EXAMPLES --------- - -krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in ``/opt/krb5/`` but uses -libraries in ``/usr/local/lib/`` for text localization would produce -the following output:: - - shell% krb5-config --libs krb5 - -L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err - - -SEE ALSO --------- - -kerberos(1), cc(1) diff --git a/doc/html/_sources/user/user_commands/ksu.txt b/doc/html/_sources/user/user_commands/ksu.txt deleted file mode 100644 index b2f9121..0000000 --- a/doc/html/_sources/user/user_commands/ksu.txt +++ /dev/null @@ -1,387 +0,0 @@ -.. _ksu(1): - -ksu -=== - -SYNOPSIS --------- - -**ksu** -[ *target_user* ] -[ **-n** *target_principal_name* ] -[ **-c** *source_cache_name* ] -[ **-k** ] -[ **-r** time ] -[ **-pf** ] -[ **-l** *lifetime* ] -[ **-z | Z** ] -[ **-q** ] -[ **-e** *command* [ args ... ] ] [ **-a** [ args ... ] ] - - -REQUIREMENTS ------------- - -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -DESCRIPTION ------------ - -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. - -.. note:: - - For the sake of clarity, all references to and attributes of - the user invoking the program will start with "source" - (e.g., "source user", "source cache", etc.). - - Likewise, all references to and attributes of the target - account will start with "target". - -AUTHENTICATION --------------- - -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the **-n** option (e.g., ``-n jqpublic@USC.EDU``) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see **-n** option). The target user -name must be the first argument to ksu; if not specified root is the -default. If ``.`` is specified then the target user will be the -source user (e.g., ``ksu .``). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal's realm. If the ticket for the -end-server is already in the cache, it's decrypted and verified. If -it's not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -**GET_TGT_VIA_PASSWD** define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -**GET_TGT_VIA_PASSWD** is not defined, authentication fails. - - -AUTHORIZATION -------------- - -This section describes authorization of the source user when ksu is -invoked without the **-e** option. For a description of the **-e** -option, see the OPTIONS section. - -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user's home directory, ksu attempts to access two authorization files: -:ref:`.k5login(5)` and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -For example:: - - jqpublic@USC.EDU - jqpublic/secure@USC.EDU - jqpublic/admin@USC.EDU - -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the **-e** option in the OPTIONS section for details). - -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by ``*`` then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname->lname mapping -rules. Otherwise, authorization fails. - - -EXECUTION OF THE TARGET SHELL ------------------------------ - -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login's -default values. In addition, the environment variable **KRB5CCNAME** -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user's shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the **-k** option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -CREATING A NEW SECURITY CONTEXT -------------------------------- - -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the **-e** -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using **-z** or **-Z** option. **-z** restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The **-Z** option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, **-z** option is the default mode of -operation. - -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If **-n** is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless **-Z** specified or **GET_TGT_VIA_PASSWD** -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. - -.. note:: - - During authentication, only the tickets that could be - obtained without providing a password are cached in in the - source cache. - - -OPTIONS -------- - -**-n** *target_principal_name* - Specify a Kerberos target principal name. Used in authentication - and authorization phases of ksu. - - If ksu is invoked without **-n**, a default principal name is - assigned via the following heuristic: - - * Case 1: source user is non-root. - - If the target user is the source user the default principal name - is set to the default principal of the source cache. If the - cache does not exist then the default principal name is set to - ``target_user@local_realm``. If the source and target users are - different and neither ``~target_user/.k5users`` nor - ``~target_user/.k5login`` exist then the default principal name - is ``target_user_login_name@local_realm``. Otherwise, starting - with the first principal listed below, ksu checks if the - principal is authorized to access the target account and whether - there is a legitimate ticket for that principal in the source - cache. If both conditions are met that principal becomes the - default target principal, otherwise go to the next principal. - - a) default principal of the source cache - b) target_user\@local_realm - c) source_user\@local_realm - - If a-c fails try any principal for which there is a ticket in - the source cache and that is authorized to access the target - account. If that fails select the first principal that is - authorized to access the target account from the above list. If - none are authorized and ksu is configured with - **PRINC_LOOK_AHEAD** turned on, select the default principal as - follows: - - For each candidate in the above list, select an authorized - principal that has the same realm name and first part of the - principal name equal to the prefix of the candidate. For - example if candidate a) is ``jqpublic@ISI.EDU`` and - ``jqpublic/secure@ISI.EDU`` is authorized to access the target - account then the default principal is set to - ``jqpublic/secure@ISI.EDU``. - - * Case 2: source user is root. - - If the target user is non-root then the default principal name - is ``target_user@local_realm``. Else, if the source cache - exists the default principal name is set to the default - principal of the source cache. If the source cache does not - exist, default principal name is set to ``root\@local_realm``. - -**-c** *source_cache_name* - - Specify source cache name (e.g., ``-c FILE:/tmp/my_cache``). If - **-c** option is not used then the name is obtained from - **KRB5CCNAME** environment variable. If **KRB5CCNAME** is not - defined the source cache name is set to ``krb5cc_``. - The target cache name is automatically set to ``krb5cc_.(gen_sym())``, where gen_sym generates a new number such that - the resulting cache does not already exist. For example:: - - krb5cc_1984.2 - -**-k** - Do not delete the target cache upon termination of the target - shell or a command (**-e** command). Without **-k**, ksu deletes - the target cache. - -**-z** - Restrict the copy of tickets from the source cache to the target - cache to only the tickets where client == the target principal - name. Use the **-n** option if you want the tickets for other then - the default principal. Note that the **-z** option is mutually - exclusive with the **-Z** option. - -**-Z** - Don't copy any tickets from the source cache to the target cache. - Just create a fresh target cache, where the default principal name - of the cache is initialized to the target principal name. Note - that the **-Z** option is mutually exclusive with the **-z** - option. - -**-q** - Suppress the printing of status messages. - -Ticket granting ticket options: - -**-l** *lifetime* **-r** *time* **-pf** - The ticket granting ticket options only apply to the case where - there are no appropriate tickets in the cache to authenticate the - source user. In this case if ksu is configured to prompt users - for a Kerberos password (**GET_TGT_VIA_PASSWD** is defined), the - ticket granting ticket options that are specified will be used - when getting a ticket granting ticket from the Kerberos server. - -**-l** *lifetime* - (:ref:`duration` string.) Specifies the lifetime to be requested - for the ticket; if this option is not specified, the default ticket - lifetime (12 hours) is used instead. - -**-r** *time* - (:ref:`duration` string.) Specifies that the **renewable** option - should be requested for the ticket, and specifies the desired - total lifetime of the ticket. - -**-p** - specifies that the **proxiable** option should be requested for - the ticket. - -**-f** - option specifies that the **forwardable** option should be - requested for the ticket. - -**-e** *command* [*args* ...] - ksu proceeds exactly the same as if it was invoked without the - **-e** option, except instead of executing the target shell, ksu - executes the specified command. Example of usage:: - - ksu bob -e ls -lag - - The authorization algorithm for **-e** is as follows: - - If the source user is root or source user == target user, no - authorization takes place and the command is executed. If source - user id != 0, and ``~target_user/.k5users`` file does not exist, - authorization fails. Otherwise, ``~target_user/.k5users`` file - must have an appropriate entry for target principal to get - authorized. - - The .k5users file format: - - A single principal entry on each line that may be followed by a - list of commands that the principal is authorized to execute. A - principal name followed by a ``*`` means that the user is - authorized to execute any command. Thus, in the following - example:: - - jqpublic@USC.EDU ls mail /local/kerberos/klist - jqpublic/secure@USC.EDU * - jqpublic/admin@USC.EDU - - ``jqpublic@USC.EDU`` is only authorized to execute ``ls``, - ``mail`` and ``klist`` commands. ``jqpublic/secure@USC.EDU`` is - authorized to execute any command. ``jqpublic/admin@USC.EDU`` is - not authorized to execute any command. Note, that - ``jqpublic/admin@USC.EDU`` is authorized to execute the target - shell (regular ksu, without the **-e** option) but - ``jqpublic@USC.EDU`` is not. - - The commands listed after the principal name must be either a full - path names or just the program name. In the second case, - **CMD_PATH** specifying the location of authorized programs must - be defined at the compilation time of ksu. Which command gets - executed? - - If the source user is root or the target user is the source user - or the user is authorized to execute any command (``*`` entry) - then command can be either a full or a relative path leading to - the target program. Otherwise, the user must specify either a - full path or just the program name. - -**-a** *args* - Specify arguments to be passed to the target shell. Note that all - flags and parameters following -a will be passed to the shell, - thus all options intended for ksu must precede **-a**. - - The **-a** option can be used to simulate the **-e** option if - used as follows:: - - -a -c [command [arguments]]. - - **-c** is interpreted by the c-shell to execute the command. - - -INSTALLATION INSTRUCTIONS -------------------------- - -ksu can be compiled with the following four flags: - -**GET_TGT_VIA_PASSWD** - In case no appropriate tickets are found in the source cache, the - user will be prompted for a Kerberos password. The password is - then used to get a ticket granting ticket from the Kerberos - server. The danger of configuring ksu with this macro is if the - source user is logged in remotely and does not have a secure - channel, the password may get exposed. - -**PRINC_LOOK_AHEAD** - During the resolution of the default principal name, - **PRINC_LOOK_AHEAD** enables ksu to find principal names in - the .k5users file as described in the OPTIONS section - (see **-n** option). - -**CMD_PATH** - Specifies a list of directories containing programs that users are - authorized to execute (via .k5users file). - -**HAVE_GETUSERSHELL** - If the source user is non-root, ksu insists that the target user's - shell to be invoked is a "legal shell". *getusershell(3)* is - called to obtain the names of "legal shells". Note that the - target user's shell is obtained from the passwd file. - -Sample configuration:: - - KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin" - -ksu should be owned by root and have the set user id bit turned on. - -ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., ``host/nii.isi.edu@ISI.EDU``). The keytab -file must be in an appropriate location. - - -SIDE EFFECTS ------------- - -ksu deletes all expired tickets from the source cache. - - -AUTHOR OF KSU -------------- - -GENNADY (ARI) MEDVINSKY diff --git a/doc/html/_sources/user/user_commands/kswitch.txt b/doc/html/_sources/user/user_commands/kswitch.txt deleted file mode 100644 index 56e5915..0000000 --- a/doc/html/_sources/user/user_commands/kswitch.txt +++ /dev/null @@ -1,56 +0,0 @@ -.. _kswitch(1): - -kswitch -======= - -SYNOPSIS --------- - -**kswitch** -{**-c** *cachename*\|\ **-p** *principal*} - - -DESCRIPTION ------------ - -kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available. - - -OPTIONS -------- - -**-c** *cachename* - Directly specifies the credential cache to be made primary. - -**-p** *principal* - Causes the cache collection to be searched for a cache containing - credentials for *principal*. If one is found, that collection is - made primary. - - -ENVIRONMENT ------------ - -kswitch uses the following environment variables: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. - - -FILES ------ - -|ccache| - Default location of Kerberos 5 credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`), kerberos(1) diff --git a/doc/html/_sources/user/user_commands/kvno.txt b/doc/html/_sources/user/user_commands/kvno.txt deleted file mode 100644 index 31ca244..0000000 --- a/doc/html/_sources/user/user_commands/kvno.txt +++ /dev/null @@ -1,86 +0,0 @@ -.. _kvno(1): - -kvno -==== - -SYNOPSIS --------- - -**kvno** -[**-c** *ccache*] -[**-e** *etype*] -[**-q**] -[**-h**] -[**-P**] -[**-S** *sname*] -[**-U** *for_user*] -*service1 service2* ... - - -DESCRIPTION ------------ - -kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each. - - -OPTIONS -------- - -**-c** *ccache* - Specifies the name of a credentials cache to use (if not the - default) - -**-e** *etype* - Specifies the enctype which will be requested for the session key - of all the services named on the command line. This is useful in - certain backward compatibility situations. - -**-q** - Suppress printing output when successful. If a service ticket - cannot be obtained, an error message will still be printed and - kvno will exit with nonzero status. - -**-h** - Prints a usage statement and exits. - -**-P** - Specifies that the *service1 service2* ... arguments are to be - treated as services for which credentials should be acquired using - constrained delegation. This option is only valid when used in - conjunction with protocol transition. - -**-S** *sname* - Specifies that the *service1 service2* ... arguments are - interpreted as hostnames, and the service principals are to be - constructed from those hostnames and the service name *sname*. - The service hostnames will be canonicalized according to the usual - rules for constructing service principals. - -**-U** *for_user* - Specifies that protocol transition (S4U2Self) is to be used to - acquire a ticket on behalf of *for_user*. If constrained - delegation is not requested, the service name must match the - credentials cache client principal. - - -ENVIRONMENT ------------ - -kvno uses the following environment variable: - -**KRB5CCNAME** - Location of the credentials (ticket) cache. - - -FILES ------ - -|ccache| - Default location of the credentials cache - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`kdestroy(1)` diff --git a/doc/html/_sources/user/user_commands/sclient.txt b/doc/html/_sources/user/user_commands/sclient.txt deleted file mode 100644 index ebf7972..0000000 --- a/doc/html/_sources/user/user_commands/sclient.txt +++ /dev/null @@ -1,24 +0,0 @@ -.. _sclient(1): - -sclient -======= - -SYNOPSIS --------- - -**sclient** *remotehost* - - -DESCRIPTION ------------ - -sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server :ref:`sserver(8)` and -authenticates to it using Kerberos version 5 tickets, then displays -the server's response. - - -SEE ALSO --------- - -:ref:`kinit(1)`, :ref:`sserver(8)` diff --git a/doc/html/_sources/user/user_config/index.txt b/doc/html/_sources/user/user_config/index.txt deleted file mode 100644 index 6b3d439..0000000 --- a/doc/html/_sources/user/user_config/index.txt +++ /dev/null @@ -1,12 +0,0 @@ -User config files -================= - -The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host's configuration): - -.. toctree:: - :maxdepth: 1 - - k5login.rst - k5identity.rst diff --git a/doc/html/_sources/user/user_config/k5identity.txt b/doc/html/_sources/user/user_config/k5identity.txt deleted file mode 100644 index cf5d95e..0000000 --- a/doc/html/_sources/user/user_config/k5identity.txt +++ /dev/null @@ -1,64 +0,0 @@ -.. _.k5identity(5): - -.k5identity -=========== - -DESCRIPTION ------------ - -The .k5identity file, which resides in a user's home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible. - -Blank lines and lines beginning with ``#`` are ignored. Each line has -the form: - - *principal* *field*\=\ *value* ... - -If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized: - -**realm** - If the realm of the server principal is known, it is matched - against *value*, which may be a pattern using shell wildcards. - For host-based server principals, the realm will generally only be - known if there is a :ref:`domain_realm` section in - :ref:`krb5.conf(5)` with a mapping for the hostname. - -**service** - If the server principal is a host-based principal, its service - component is matched against *value*, which may be a pattern using - shell wildcards. - -**host** - If the server principal is a host-based principal, its hostname - component is converted to lower case and matched against *value*, - which may be a pattern using shell wildcards. - - If the server principal matches the constraints of multiple lines - in the .k5identity file, the principal from the first matching - line is used. If no line matches, credentials will be selected - some other way, such as the realm heuristic or the current primary - cache. - - -EXAMPLE -------- - -The following example .k5identity file selects the client principal -``alice@KRBTEST.COM`` if the server principal is within that realm, -the principal ``alice/root@EXAMPLE.COM`` if the server host is within -a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when -accessing the IMAP service on ``mail.example.com``:: - - alice@KRBTEST.COM realm=KRBTEST.COM - alice/root@EXAMPLE.COM host=*.servers.example.com - alice/mail@EXAMPLE.COM host=mail.example.com service=imap - - -SEE ALSO --------- - -kerberos(1), :ref:`krb5.conf(5)` diff --git a/doc/html/_sources/user/user_config/k5login.txt b/doc/html/_sources/user/user_config/k5login.txt deleted file mode 100644 index 8a9753d..0000000 --- a/doc/html/_sources/user/user_config/k5login.txt +++ /dev/null @@ -1,54 +0,0 @@ -.. _.k5login(5): - -.k5login -======== - -DESCRIPTION ------------ - -The .k5login file, which resides in a user's home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root's home directory, thereby granting system -administrators remote root access to the host via Kerberos. - - -EXAMPLES --------- - -Suppose the user ``alice`` had a .k5login file in her home directory -containing just the following line:: - - bob@FOOBAR.ORG - -This would allow ``bob`` to use Kerberos network applications, such as -ssh(1), to access ``alice``'s account, using ``bob``'s Kerberos -tickets. In a default configuration (with **k5login_authoritative** set -to true in :ref:`krb5.conf(5)`), this .k5login file would not let -``alice`` use those network applications to access her account, since -she is not listed! With no .k5login file, or with **k5login_authoritative** -set to false, a default rule would permit the principal ``alice`` in the -machine's default realm to access the ``alice`` account. - -Let us further suppose that ``alice`` is a system administrator. -Alice and the other system administrators would have their principals -in root's .k5login file on each host:: - - alice@BLEEP.COM - - joeadmin/root@BLEEP.COM - -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because ``bob`` retains the Kerberos tickets for -his own principal, ``bob@FOOBAR.ORG``, he would not have any of the -privileges that require ``alice``'s tickets, such as root access to -any of the site's hosts, or the ability to change ``alice``'s -password. - - -SEE ALSO --------- - -kerberos(1) diff --git a/doc/html/_static/agogo.css b/doc/html/_static/agogo.css deleted file mode 100644 index e726d44..0000000 --- a/doc/html/_static/agogo.css +++ /dev/null @@ -1,464 +0,0 @@ -/* - * agogo.css_t - * ~~~~~~~~~~~ - * - * Sphinx stylesheet -- agogo theme. - * - * :copyright: Copyright 2007-2014 by the Sphinx team, see AUTHORS. - * :license: BSD, see LICENSE for details. - * - */ - -* { - margin: 0px; - padding: 0px; -} - -body { - font-family: "Verdana", Arial, sans-serif; - line-height: 1.4em; - color: black; - background-color: #5d1509; -} - - -/* Page layout */ - -div.header, div.content, div.footer { - width: auto; - margin-left: auto; - margin-right: auto; -} - -div.header-wrapper { - background: #555573 url(bgtop.png) top left repeat-x; - border-bottom: 3px solid #2e3436; -} - - -/* Default body styles */ -a { - color: #881f0d; -} - -div.bodywrapper a, div.footer a { - text-decoration: underline; -} - -.clearer { - clear: both; -} - -.left { - float: left; -} - -.right { - float: right; -} - -.line-block { - display: block; - margin-top: 1em; - margin-bottom: 1em; -} - -.line-block .line-block { - margin-top: 0; - margin-bottom: 0; - margin-left: 1.5em; -} - -h1, h2, h3, h4 { - font-family: "Georgia", "Times New Roman", serif; - font-weight: normal; - color: #3465a4; - margin-bottom: .8em; -} - -h1 { - color: #204a87; -} - -h2 { - padding-bottom: .5em; - border-bottom: 1px solid #3465a4; -} - -a.headerlink { - visibility: hidden; - color: #dddddd; - padding-left: .3em; -} - -h1:hover > a.headerlink, -h2:hover > a.headerlink, -h3:hover > a.headerlink, -h4:hover > a.headerlink, -h5:hover > a.headerlink, -h6:hover > a.headerlink, -dt:hover > a.headerlink { - visibility: visible; -} - -img { - border: 0; -} - -div.admonition { - margin-top: 10px; - margin-bottom: 10px; - padding: 2px 7px 1px 7px; - border-left: 0.2em solid black; -} - -p.admonition-title { - margin: 0px 10px 5px 0px; - font-weight: bold; -} - -dt:target, .highlighted { - background-color: #fbe54e; -} - -/* Header */ - -div.header { - padding-top: 10px; - padding-bottom: 10px; -} - -div.header .headertitle { - font-family: "Georgia", "Times New Roman", serif; - font-weight: normal; - font-size: 180%; - letter-spacing: .08em; - margin-bottom: .8em; -} - -div.header .headertitle a { - color: white; -} - -div.header div.rel { - margin-top: 1em; -} - -div.header div.rel a { - color: #fcaf3e; - letter-spacing: .1em; - text-transform: uppercase; -} - -p.logo { - float: right; -} - -img.logo { - border: 0; -} - - -/* Content */ -div.content-wrapper { - background-color: white; - padding-top: 20px; - padding-bottom: 20px; -} - -div.document { - width: 80%; - float: left; -} - -div.body { - padding-right: 2em; - text-align: justify; -} - -div.document h1 { - line-height: 120%; -} - -div.document ul { - margin: 1.5em; - list-style-type: square; -} - -div.document dd { - margin-left: 1.2em; - margin-top: .4em; - margin-bottom: 1em; -} - -div.document .section { - margin-top: 1.7em; -} -div.document .section:first-child { - margin-top: 0px; -} - -div.document div.highlight { - padding: 3px; - background-color: #eeeeec; - border-top: 2px solid #dddddd; - border-bottom: 2px solid #dddddd; - margin-top: .8em; - margin-bottom: .8em; -} - -div.document h2 { - margin-top: .7em; -} - -div.document p { - margin-bottom: .5em; -} - -div.document li.toctree-l1 { - margin-bottom: 1em; -} - -div.document .descname { - font-weight: bold; -} - -div.document .docutils.literal { - background-color: #eeeeec; - padding: 1px; -} - -div.document .docutils.xref.literal { - background-color: transparent; - padding: 0px; -} - -div.document blockquote { - margin: 1em; -} - -div.document ol { - margin: 1.5em; -} - - -/* Sidebar */ - -div.sidebar { - width: 20%; - float: right; - font-size: .9em; -} - -div.sidebar a, div.header a { - text-decoration: none; -} - -div.sidebar a:hover, div.header a:hover { - text-decoration: underline; -} - -div.sidebar h3 { - color: #2e3436; - text-transform: uppercase; - font-size: 130%; - letter-spacing: .1em; -} - -div.sidebar ul { - list-style-type: none; -} - -div.sidebar li.toctree-l1 a { - display: block; - padding: 1px; - border: 1px solid #dddddd; - background-color: #eeeeec; - margin-bottom: .4em; - padding-left: 3px; - color: #2e3436; -} - -div.sidebar li.toctree-l2 a { - background-color: transparent; - border: none; - margin-left: 1em; - border-bottom: 1px solid #dddddd; -} - -div.sidebar li.toctree-l3 a { - background-color: transparent; - border: none; - margin-left: 2em; - border-bottom: 1px solid #dddddd; -} - -div.sidebar li.toctree-l2:last-child a { - border-bottom: none; -} - -div.sidebar li.toctree-l1.current a { - border-right: 5px solid #fcaf3e; -} - -div.sidebar li.toctree-l1.current li.toctree-l2 a { - border-right: none; -} - -div.sidebar input[type="text"] { - width: 170px; -} - -div.sidebar input[type="submit"] { - width: 30px; -} - - -/* Footer */ - -div.footer-wrapper { - background: #5d1509; - border-top: 4px solid #babdb6; - padding-top: 10px; - padding-bottom: 10px; - min-height: 80px; -} - -div.footer, div.footer a { - color: #888a85; -} - -div.footer .right { - text-align: right; -} - -div.footer .left { - text-transform: uppercase; -} - - -/* Styles copied from basic theme */ - -img.align-left, .figure.align-left, object.align-left { - clear: left; - float: left; - margin-right: 1em; -} - -img.align-right, .figure.align-right, object.align-right { - clear: right; - float: right; - margin-left: 1em; -} - -img.align-center, .figure.align-center, object.align-center { - display: block; - margin-left: auto; - margin-right: auto; -} - -.align-left { - text-align: left; -} - -.align-center { - text-align: center; -} - -.align-right { - text-align: right; -} - -/* -- search page ----------------------------------------------------------- */ - -ul.search { - margin: 10px 0 0 20px; - padding: 0; -} - -ul.search li { - padding: 5px 0 5px 20px; - background-image: url(file.png); - background-repeat: no-repeat; - background-position: 0 7px; -} - -ul.search li a { - font-weight: bold; -} - -ul.search li div.context { - color: #888; - margin: 2px 0 0 30px; - text-align: left; -} - -ul.keywordmatches li.goodmatch a { - font-weight: bold; -} - -/* -- index page ------------------------------------------------------------ */ - -table.contentstable { - width: 90%; -} - -table.contentstable p.biglink { - line-height: 150%; -} - -a.biglink { - font-size: 1.3em; -} - -span.linkdescr { - font-style: italic; - padding-top: 5px; - font-size: 90%; -} - -/* -- general index --------------------------------------------------------- */ - -table.indextable td { - text-align: left; - vertical-align: top; -} - -table.indextable dl, table.indextable dd { - margin-top: 0; - margin-bottom: 0; -} - -table.indextable tr.pcap { - height: 10px; -} - -table.indextable tr.cap { - margin-top: 10px; - background-color: #f2f2f2; -} - -img.toggler { - margin-right: 3px; - margin-top: 3px; - cursor: pointer; -} - -/* -- viewcode extension ---------------------------------------------------- */ - -.viewcode-link { - float: right; -} - -.viewcode-back { - float: right; - font-family:: "Verdana", Arial, sans-serif; -} - -div.viewcode-block:target { - margin: -1px -3px; - padding: 0 3px; - background-color: #f4debf; - border-top: 1px solid #ac9; - border-bottom: 1px solid #ac9; -} \ No newline at end of file diff --git a/doc/html/_static/ajax-loader.gif b/doc/html/_static/ajax-loader.gif deleted file mode 100644 index 61faf8cab23993bd3e1560bff0668bd628642330..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 673 zcmZ?wbhEHb6krfw_{6~Q|Nno%(3)e{?)x>&1u}A`t?OF7Z|1gRivOgXi&7IyQd1Pl zGfOfQ60;I3a`F>X^fL3(@);C=vM_KlFfb_o=k{|A33hf2a5d61U}gjg=>Rd%XaNQW zW@Cw{|b%Y*pl8F?4B9 zlo4Fz*0kZGJabY|>}Okf0}CCg{u4`zEPY^pV?j2@h+|igy0+Kz6p;@SpM4s6)XEMg z#3Y4GX>Hjlml5ftdH$4x0JGdn8~MX(U~_^d!Hi)=HU{V%g+mi8#UGbE-*ao8f#h+S z2a0-5+vc7MU$e-NhmBjLIC1v|)9+Im8x1yacJ7{^tLX(ZhYi^rpmXm0`@ku9b53aN zEXH@Y3JaztblgpxbJt{AtE1ad1Ca>{v$rwwvK(>{m~Gf_=-Ro7Fk{#;i~+{{>QtvI yb2P8Zac~?~=sRA>$6{!(^3;ZP0TPFR(G_-UDU(8Jl0?(IXu$~#4A!880|o%~Al1tN diff --git a/doc/html/_static/basic.css b/doc/html/_static/basic.css deleted file mode 100644 index 77e6ce3..0000000 --- a/doc/html/_static/basic.css +++ /dev/null @@ -1,537 +0,0 @@ -/* - * basic.css - * ~~~~~~~~~ - * - * Sphinx stylesheet -- basic theme. - * - * :copyright: Copyright 2007-2014 by the Sphinx team, see AUTHORS. - * :license: BSD, see LICENSE for details. - * - */ - -/* -- main layout ----------------------------------------------------------- */ - -div.clearer { - clear: both; -} - -/* -- relbar ---------------------------------------------------------------- */ - -div.related { - width: 100%; - font-size: 90%; -} - -div.related h3 { - display: none; -} - -div.related ul { - margin: 0; - padding: 0 0 0 10px; - list-style: none; -} - -div.related li { - display: inline; -} - -div.related li.right { - float: right; - margin-right: 5px; -} - -/* -- sidebar --------------------------------------------------------------- */ - -div.sphinxsidebarwrapper { - padding: 10px 5px 0 10px; -} - -div.sphinxsidebar { - float: left; - width: 0px; - margin-left: -100%; - font-size: 90%; -} - -div.sphinxsidebar ul { - list-style: none; -} - -div.sphinxsidebar ul ul, -div.sphinxsidebar ul.want-points { - margin-left: 20px; - list-style: square; -} - -div.sphinxsidebar ul ul { - margin-top: 0; - margin-bottom: 0; -} - -div.sphinxsidebar form { - margin-top: 10px; -} - -div.sphinxsidebar input { - border: 1px solid #98dbcc; - font-family: sans-serif; - font-size: 1em; -} - -div.sphinxsidebar #searchbox input[type="text"] { - width: 170px; -} - -div.sphinxsidebar #searchbox input[type="submit"] { - width: 30px; -} - -img { - border: 0; - max-width: 100%; -} - -/* -- search page ----------------------------------------------------------- */ - -ul.search { - margin: 10px 0 0 20px; - padding: 0; -} - -ul.search li { - padding: 5px 0 5px 20px; - background-image: url(file.png); - background-repeat: no-repeat; - background-position: 0 7px; -} - -ul.search li a { - font-weight: bold; -} - -ul.search li div.context { - color: #888; - margin: 2px 0 0 30px; - text-align: left; -} - -ul.keywordmatches li.goodmatch a { - font-weight: bold; -} - -/* -- index page ------------------------------------------------------------ */ - -table.contentstable { - width: 90%; -} - -table.contentstable p.biglink { - line-height: 150%; -} - -a.biglink { - font-size: 1.3em; -} - -span.linkdescr { - font-style: italic; - padding-top: 5px; - font-size: 90%; -} - -/* -- general index --------------------------------------------------------- */ - -table.indextable { - width: 100%; -} - -table.indextable td { - text-align: left; - vertical-align: top; -} - -table.indextable dl, table.indextable dd { - margin-top: 0; - margin-bottom: 0; -} - -table.indextable tr.pcap { - height: 10px; -} - -table.indextable tr.cap { - margin-top: 10px; - background-color: #f2f2f2; -} - -img.toggler { - margin-right: 3px; - margin-top: 3px; - cursor: pointer; -} - -div.modindex-jumpbox { - border-top: 1px solid #ddd; - border-bottom: 1px solid #ddd; - margin: 1em 0 1em 0; - padding: 0.4em; -} - -div.genindex-jumpbox { - border-top: 1px solid #ddd; - border-bottom: 1px solid #ddd; - margin: 1em 0 1em 0; - padding: 0.4em; -} - -/* -- general body styles --------------------------------------------------- */ - -a.headerlink { - visibility: hidden; -} - -h1:hover > a.headerlink, -h2:hover > a.headerlink, -h3:hover > a.headerlink, -h4:hover > a.headerlink, -h5:hover > a.headerlink, -h6:hover > a.headerlink, -dt:hover > a.headerlink { - visibility: visible; -} - -div.body p.caption { - text-align: inherit; -} - -div.body td { - text-align: left; -} - -.field-list ul { - padding-left: 1em; -} - -.first { - margin-top: 0 !important; -} - -p.rubric { - margin-top: 30px; - font-weight: bold; -} - -img.align-left, .figure.align-left, object.align-left { - clear: left; - float: left; - margin-right: 1em; -} - -img.align-right, .figure.align-right, object.align-right { - clear: right; - float: right; - margin-left: 1em; -} - -img.align-center, .figure.align-center, object.align-center { - display: block; - margin-left: auto; - margin-right: auto; -} - -.align-left { - text-align: left; -} - -.align-center { - text-align: center; -} - -.align-right { - text-align: right; -} - -/* -- sidebars -------------------------------------------------------------- */ - -div.sidebar { - margin: 0 0 0.5em 1em; - border: 1px solid #ddb; - padding: 7px 7px 0 7px; - background-color: #ffe; - width: 40%; - float: right; -} - -p.sidebar-title { - font-weight: bold; -} - -/* -- topics ---------------------------------------------------------------- */ - -div.topic { - border: 1px solid #ccc; - padding: 7px 7px 0 7px; - margin: 10px 0 10px 0; -} - -p.topic-title { - font-size: 1.1em; - font-weight: bold; - margin-top: 10px; -} - -/* -- admonitions ----------------------------------------------------------- */ - -div.admonition { - margin-top: 10px; - margin-bottom: 10px; - padding: 7px; -} - -div.admonition dt { - font-weight: bold; -} - -div.admonition dl { - margin-bottom: 0; -} - -p.admonition-title { - margin: 0px 10px 5px 0px; - font-weight: bold; -} - -div.body p.centered { - text-align: center; - margin-top: 25px; -} - -/* -- tables ---------------------------------------------------------------- */ - -table.docutils { - border: 0; - border-collapse: collapse; -} - -table.docutils td, table.docutils th { - padding: 1px 8px 1px 5px; - border-top: 0; - border-left: 0; - border-right: 0; - border-bottom: 1px solid #aaa; -} - -table.field-list td, table.field-list th { - border: 0 !important; -} - -table.footnote td, table.footnote th { - border: 0 !important; -} - -th { - text-align: left; - padding-right: 5px; -} - -table.citation { - border-left: solid 1px gray; - margin-left: 1px; -} - -table.citation td { - border-bottom: none; -} - -/* -- other body styles ----------------------------------------------------- */ - -ol.arabic { - list-style: decimal; -} - -ol.loweralpha { - list-style: lower-alpha; -} - -ol.upperalpha { - list-style: upper-alpha; -} - -ol.lowerroman { - list-style: lower-roman; -} - -ol.upperroman { - list-style: upper-roman; -} - -dl { - margin-bottom: 15px; -} - -dd p { - margin-top: 0px; -} - -dd ul, dd table { - margin-bottom: 10px; -} - -dd { - margin-top: 3px; - margin-bottom: 10px; - margin-left: 30px; -} - -dt:target, .highlighted { - background-color: #fbe54e; -} - -dl.glossary dt { - font-weight: bold; - font-size: 1.1em; -} - -.field-list ul { - margin: 0; - padding-left: 1em; -} - -.field-list p { - margin: 0; -} - -.optional { - font-size: 1.3em; -} - -.versionmodified { - font-style: italic; -} - -.system-message { - background-color: #fda; - padding: 5px; - border: 3px solid red; -} - -.footnote:target { - background-color: #ffa; -} - -.line-block { - display: block; - margin-top: 1em; - margin-bottom: 1em; -} - -.line-block .line-block { - margin-top: 0; - margin-bottom: 0; - margin-left: 1.5em; -} - -.guilabel, .menuselection { - font-family: sans-serif; -} - -.accelerator { - text-decoration: underline; -} - -.classifier { - font-style: oblique; -} - -abbr, acronym { - border-bottom: dotted 1px; - cursor: help; -} - -/* -- code displays --------------------------------------------------------- */ - -pre { - overflow: auto; - overflow-y: hidden; /* fixes display issues on Chrome browsers */ -} - -td.linenos pre { - padding: 5px 0px; - border: 0; - background-color: transparent; - color: #aaa; -} - -table.highlighttable { - margin-left: 0.5em; -} - -table.highlighttable td { - padding: 0 0.5em 0 0.5em; -} - -tt.descname { - background-color: transparent; - font-weight: bold; - font-size: 1.2em; -} - -tt.descclassname { - background-color: transparent; -} - -tt.xref, a tt { - background-color: transparent; - font-weight: bold; -} - -h1 tt, h2 tt, h3 tt, h4 tt, h5 tt, h6 tt { - background-color: transparent; -} - -.viewcode-link { - float: right; -} - -.viewcode-back { - float: right; - font-family: sans-serif; -} - -div.viewcode-block:target { - margin: -1px -10px; - padding: 0 10px; -} - -/* -- math display ---------------------------------------------------------- */ - -img.math { - vertical-align: middle; -} - -div.body div.math p { - text-align: center; -} - -span.eqno { - float: right; -} - -/* -- printout stylesheet --------------------------------------------------- */ - -@media print { - div.document, - div.documentwrapper, - div.bodywrapper { - margin: 0 !important; - width: 100%; - } - - div.sphinxsidebar, - div.related, - div.footer, - #top-link { - display: none; - } -} \ No newline at end of file diff --git a/doc/html/_static/bgfooter.png b/doc/html/_static/bgfooter.png deleted file mode 100644 index 9ce5bdd902943fdf8b0c0ca6a545297e1e2cc665..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 434 zcmV;j0ZsmiP)Px#24YJ`L;%wO*8tD73qoQ5000SaNLh0L01FcU01FcV0GgZ_00007bV*G`2iXD> z2Q(2CT#42I000?uMObu0Z*6U5Zgc=ca%Ew3Wn>_CX>@2HM@dakSAh-}0003ENklR?sq9~H`=l5UI-{JW_f9!)=Hwush3JC}Y z1gFM&r>$lJNPt^*1k!w;l|obx>lr$2IOaI$n=(gBBaj^I0=y%@K5N&GIU&-%OE_~V zX=m=_j7d`hvubQRuF+xT63vIfWnC3%kKN*T3l7ob3nEC2R->wU1Y)4)(7_t^thiqb zj$CO7xBn9gg`*!MY$}SI|_*)!a*&V0w7h>cUb&$Grh37iJ=C%Yn c>}w1E0Z4f>1OEiDlmGw#07*qoM6N<$g4BwtIsgCw diff --git a/doc/html/_static/bgtop.png b/doc/html/_static/bgtop.png deleted file mode 100644 index a0d4709bac8f79943a817195c086461c8c4d5419..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 430 zcmV;f0a5;mP)Px#24YJ`L;zI)R{&FzA;Z4_000SaNLh0L01FcU01FcV0GgZ_00007bV*G`2iXD> z2Q3AZhV-)l000?uMObu0Z*6U5Zgc=ca%Ew3Wn>_CX>@2HM@dakSAh-}0003ANklMo8vqN`cM=KwSQV|n zk}naE+VzlN;kK@Ej${PSkI$-R6-Yfp`zA;^O$`)7`gRi{-0i?owGIbX{p>Nc##93U z;sA|ayOYkG%F9M0iEMUM*s3NDYSS=KN2ht8Rv|7nv77i{NTO47R)}V_+2H~mL-nTR z_8j}*%6Qm8?#7NU2kM$#gcP&kO?iw|n}ynz+r-~FA9nKcZnfixWvZ&d28Cc_6&_Pe zMpbjI>9r+<=}NIDz4mCd3U++H?rrHcYxH&eeB|)>mnv*N#44ILM2zL6yU!VVWSrgp Y0Yu&#qm)=by8r+H07*qoM6N<$f@HC)j{pDw diff --git a/doc/html/_static/comment-bright.png b/doc/html/_static/comment-bright.png deleted file mode 100644 index 551517b8c83b76f734ff791f847829a760ad1903..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3500 zcmV;d4O8-oP)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz- zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8 z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc- z5#WRK{dmp}uFlRjj{U%*%WZ25jX z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3 zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}* z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{| zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2 zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0 z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ? z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P` z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60 z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2niQ93PPz|JOBU!-bqA3 zR5;6pl1pe^WfX zkSdl!omi0~*ntl;2q{jA^;J@WT8O!=A(Gck8fa>hn{#u{`Tyg)!KXI6l>4dj==iVKK6+%4zaRizy(5eryC3d2 z+5Y_D$4}k5v2=Siw{=O)SWY2HJwR3xX1*M*9G^XQ*TCNXF$Vj(kbMJXK0DaS_Sa^1 z?CEa!cFWDhcwxy%a?i@DN|G6-M#uuWU>lss@I>;$xmQ|`u3f;MQ|pYuHxxvMeq4TW;>|7Z2*AsqT=`-1O~nTm6O&pNEK?^cf9CX= zkq5|qAoE7un3V z^yy=@%6zqN^x`#qW+;e7j>th{6GV}sf*}g7{(R#T)yg-AZh0C&U;WA`AL$qz8()5^ zGFi2`g&L7!c?x+A2oOaG0c*Bg&YZt8cJ{jq_W{uTdA-<;`@iP$$=$H?gYIYc_q^*$ z#k(Key`d40R3?+GmgK8hHJcwiQ~r4By@w9*PuzR>x3#(F?YW_W5pPc(t(@-Y{psOt zz2!UE_5S)bLF)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz- zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8 z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc- z5#WRK{dmp}uFlRjj{U%*%WZ25jX z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3 zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}* z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{| zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2 zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0 z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ? z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P` z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60 z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2oe()A>y0J-2easEJ;K` zR5;6Jl3z%jbr{D#&+mQTbB>-f&3W<<%ayjKi&ZjBc2N<@)`~{dMXWB0(ajbV85_gJ zf(EU`iek}4Bt%55ix|sVMm1u8KvB#hnmU~_r<Ogd(A5vg_omvd-#L!=(BMVklxVqhdT zofSj`QA^|)G*lu58>#vhvA)%0Or&dIsb%b)st*LV8`ANnOipDbh%_*c7`d6# z21*z~Xd?ovgf>zq(o0?Et~9ti+pljZC~#_KvJhA>u91WRaq|uqBBKP6V0?p-NL59w zrK0w($_m#SDPQ!Z$nhd^JO|f+7k5xca94d2OLJ&sSxlB7F%NtrF@@O7WWlkHSDtor zzD?u;b&KN$*MnHx;JDy9P~G<{4}9__s&MATBV4R+MuA8TjlZ3ye&qZMCUe8ihBnHI zhMSu zSERHwrmBb$SWVr+)Yk2k^FgTMR6mP;@FY2{}BeV|SUo=mNk<-XSOHNErw>s{^rR-bu$@aN7= zj~-qXcS2!BA*(Q**BOOl{FggkyHdCJi_Fy>?_K+G+DYwIn8`29DYPg&s4$}7D`fv? zuyJ2sMfJX(I^yrf6u!(~9anf(AqAk&ke}uL0SIb-H!SaDQvd(}07*qoM6N<$g1Ha7 A2LJ#7 diff --git a/doc/html/_static/comment.png b/doc/html/_static/comment.png deleted file mode 100644 index 92feb52b8824c6b0f59b658b1196c61de9162a95..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 3445 zcmV-*4T|!KP)Oz@Z0f2-7z;ux~O9+4z06=<WDR*FRcSTFz- zW=q650N5=6FiBTtNC2?60Km==3$g$R3;-}uh=nNt1bYBr$Ri_o0EC$U6h`t_Jn<{8 z5a%iY0C<_QJh>z}MS)ugEpZ1|S1ukX&Pf+56gFW3VVXcL!g-k)GJ!M?;PcD?0HBc- z5#WRK{dmp}uFlRjj{U%*%WZ25jX z{P*?XzTzZ-GF^d31o+^>%=Ap99M6&ogks$0k4OBs3;+Bb(;~!4V!2o<6ys46agIcq zjPo+3B8fthDa9qy|77CdEc*jK-!%ZRYCZvbku9iQV*~a}ClFY4z~c7+0P?$U!PF=S z1Au6Q;m>#f??3%Vpd|o+W=WE9003S@Bra6Svp>fO002awfhw>;8}z{#EWidF!3EsG z3;bXU&9EIRU@z1_9W=mEXoiz;4lcq~xDGvV5BgyU zp1~-*fe8db$Osc*A=-!mVv1NJjtCc-h4>-CNCXm#Bp}I%6j35eku^v$Qi@a{RY)E3 zJ#qp$hg?Rwkvqr$GJ^buyhkyVfwECO)C{#lxu`c9ghrwZ&}4KmnvWKso6vH!8a<3Q zq36)6Xb;+tK10Vaz~~qUGsJ8#F2=(`u{bOVlVi)VBCHIn#u~6ztOL7=^<&SmcLWlF zMZgI*1b0FpVIDz9SWH+>*hr`#93(Um+6gxa1B6k+CnA%mOSC4s5&6UzVlpv@SV$}* z))J2sFA#f(L&P^E5{W}HC%KRUNwK6<(h|}}(r!{C=`5+6G)NjFlgZj-YqAG9lq?`C z$c5yc>d>VnA`E_*3F2Qp##d8RZb=H01_mm@+|Cqnc9PsG(F5HIG_C zt)aG3uTh7n6Et<2In9F>NlT@zqLtGcXcuVrX|L#Xx)I%#9!{6gSJKPrN9dR61N3(c z4Tcqi$B1Vr8Jidf7-t!G7_XR2rWwr)$3XQ?}=hpK0&Z&W{| zep&sA23f;Q!%st`QJ}G3cbou<7-yIK2z4nfCCCtN2-XOGSWo##{8Q{ATurxr~;I`ytDs%xbip}RzP zziy}Qn4Z2~fSycmr`~zJ=lUFdFa1>gZThG6M+{g7vkW8#+YHVaJjFF}Z#*3@$J_By zLtVo_L#1JrVVB{Ak-5=4qt!-@Mh}c>#$4kh<88)m#-k<%CLtzEP3leVno>={htGUuD;o7bD)w_sX$S}eAxwzy?UvgBH(S?;#HZiQMoS*2K2 zT3xe7t(~nU*1N5{rxB;QPLocnp4Ml>u<^FZwyC!nu;thW+pe~4wtZn|Vi#w(#jeBd zlf9FDx_yoPJqHbk*$%56S{;6Kv~mM9!g3B(KJ}#RZ#@)!hR|78Dq|Iq-afF%KE1Brn_fm;Im z_u$xr8UFki1L{Ox>G0o)(&RAZ;=|I=wN2l97;cLaHH6leTB-XXa*h%dBOEvi`+x zi?=Txl?TadvyiL>SuF~-LZ;|cS}4~l2eM~nS7yJ>iOM;atDY;(?aZ^v+mJV$@1Ote z62cPUlD4IWOIIx&SmwQ~YB{nzae3Pc;}r!fhE@iwJh+OsDs9zItL;~pu715HdQEGA zUct(O!LkCy1<%NCg+}G`0PgpNm-?d@-hMgNe6^V+j6x$b<6@S<$+<4_1hi}Ti zncS4LsjI}fWY1>OX6feMEuLErma3QLmkw?X+1j)X-&VBk_4Y;EFPF_I+q;9dL%E~B zJh;4Nr^(LEJ3myURP{Rblsw%57T)g973R8o)DE9*xN#~;4_o$q%o z4K@u`jhx2fBXC4{U8Qn{*%*B$Ge=nny$HAYq{=vy|sI0 z_vss+H_qMky?OB#|JK!>IX&II^LlUh#rO5!7TtbwC;iULyV-Xq?ybB}ykGP{?LpZ? z-G|jbTmIbG@7#ZCz;~eY(cDM(28Dyq{*m>M4?_iynUBkc4TkHUI6gT!;y-fz>HMcd z&t%Ugo)`Y2{>!cx7B7DI)$7;J(U{Spm-3gBzioV_{p!H$8L!*M!p0uH$#^p{Ui4P` z?ZJ24cOCDe-w#jZd?0@)|7iKK^;6KN`;!@ylm7$*nDhK&GcDTy000JJOGiWi{{a60 z|De66lK=n!32;bRa{vGf6951U69E94oEQKA00(qQO+^RV2nzr)JMUJvzW@LNr%6OX zR5;6Zk;`k`RTRfR-*ac2G}PGmXsUu>6ce?Lsn$m^3Q`48f|TwQ+_-Qh=t8Ra7nE)y zf@08(pjZ@22^EVjG*%30TJRMkBUC$WqZ73uoiv&J=APqX;!v%AH}`Vx`999MVjXwy z{f1-vh8P<=plv&cZ>p5jjX~Vt&W0e)wpw1RFRuRdDkwlKb01tp5 zP=trFN0gH^|L4jJkB{6sCV;Q!ewpg-D&4cza%GQ*b>R*=34#dW;ek`FEiB(vnw+U# zpOX5UMJBhIN&;D1!yQoIAySC!9zqJmmfoJqmQp}p&h*HTfMh~u9rKic2oz3sNM^#F zBIq*MRLbsMt%y{EHj8}LeqUUvoxf0=kqji62>ne+U`d#%J)abyK&Y`=eD%oA!36<)baZyK zXJh5im6umkS|_CSGXips$nI)oBHXojzBzyY_M5K*uvb0_9viuBVyV%5VtJ*Am1ag# zczbv4B?u8j68iOz<+)nDu^oWnL+$_G{PZOCcOGQ?!1VCefves~rfpaEZs-PdVYMiV z98ElaJ2}7f;htSXFY#Zv?__sQeckE^HV{ItO=)2hMQs=(_ Xn!ZpXD%P(H00000NkvXXu0mjf= 0 && !jQuery(node.parentNode).hasClass(className)) { - var span = document.createElement("span"); - span.className = className; - span.appendChild(document.createTextNode(val.substr(pos, text.length))); - node.parentNode.insertBefore(span, node.parentNode.insertBefore( - document.createTextNode(val.substr(pos + text.length)), - node.nextSibling)); - node.nodeValue = val.substr(0, pos); - } - } - else if (!jQuery(node).is("button, select, textarea")) { - jQuery.each(node.childNodes, function() { - highlight(this); - }); - } - } - return this.each(function() { - highlight(this); - }); -}; - -/** - * Small JavaScript module for the documentation. - */ -var Documentation = { - - init : function() { - this.fixFirefoxAnchorBug(); - this.highlightSearchWords(); - this.initIndexTable(); - }, - - /** - * i18n support - */ - TRANSLATIONS : {}, - PLURAL_EXPR : function(n) { return n == 1 ? 0 : 1; }, - LOCALE : 'unknown', - - // gettext and ngettext don't access this so that the functions - // can safely bound to a different name (_ = Documentation.gettext) - gettext : function(string) { - var translated = Documentation.TRANSLATIONS[string]; - if (typeof translated == 'undefined') - return string; - return (typeof translated == 'string') ? translated : translated[0]; - }, - - ngettext : function(singular, plural, n) { - var translated = Documentation.TRANSLATIONS[singular]; - if (typeof translated == 'undefined') - return (n == 1) ? singular : plural; - return translated[Documentation.PLURALEXPR(n)]; - }, - - addTranslations : function(catalog) { - for (var key in catalog.messages) - this.TRANSLATIONS[key] = catalog.messages[key]; - this.PLURAL_EXPR = new Function('n', 'return +(' + catalog.plural_expr + ')'); - this.LOCALE = catalog.locale; - }, - - /** - * add context elements like header anchor links - */ - addContextElements : function() { - $('div[id] > :header:first').each(function() { - $('\u00B6'). - attr('href', '#' + this.id). - attr('title', _('Permalink to this headline')). - appendTo(this); - }); - $('dt[id]').each(function() { - $('\u00B6'). - attr('href', '#' + this.id). - attr('title', _('Permalink to this definition')). - appendTo(this); - }); - }, - - /** - * workaround a firefox stupidity - */ - fixFirefoxAnchorBug : function() { - if (document.location.hash && $.browser.mozilla) - window.setTimeout(function() { - document.location.href += ''; - }, 10); - }, - - /** - * highlight the search words provided in the url in the text - */ - highlightSearchWords : function() { - var params = $.getQueryParameters(); - var terms = (params.highlight) ? params.highlight[0].split(/\s+/) : []; - if (terms.length) { - var body = $('div.body'); - if (!body.length) { - body = $('body'); - } - window.setTimeout(function() { - $.each(terms, function() { - body.highlightText(this.toLowerCase(), 'highlighted'); - }); - }, 10); - $('

' + _('Hide Search Matches') + '

') - .appendTo($('#searchbox')); - } - }, - - /** - * init the domain index toggle buttons - */ - initIndexTable : function() { - var togglers = $('img.toggler').click(function() { - var src = $(this).attr('src'); - var idnum = $(this).attr('id').substr(7); - $('tr.cg-' + idnum).toggle(); - if (src.substr(-9) == 'minus.png') - $(this).attr('src', src.substr(0, src.length-9) + 'plus.png'); - else - $(this).attr('src', src.substr(0, src.length-8) + 'minus.png'); - }).css('display', ''); - if (DOCUMENTATION_OPTIONS.COLLAPSE_INDEX) { - togglers.click(); - } - }, - - /** - * helper function to hide the search marks again - */ - hideSearchWords : function() { - $('#searchbox .highlight-link').fadeOut(300); - $('span.highlighted').removeClass('highlighted'); - }, - - /** - * make the url absolute - */ - makeURL : function(relativeURL) { - return DOCUMENTATION_OPTIONS.URL_ROOT + '/' + relativeURL; - }, - - /** - * get the current relative url - */ - getCurrentURL : function() { - var path = document.location.pathname; - var parts = path.split(/\//); - $.each(DOCUMENTATION_OPTIONS.URL_ROOT.split(/\//), function() { - if (this == '..') - parts.pop(); - }); - var url = parts.join('/'); - return path.substring(url.lastIndexOf('/') + 1, path.length - 1); - } -}; - -// quick alias for translations -_ = Documentation.gettext; - -$(document).ready(function() { - Documentation.init(); -}); diff --git a/doc/html/_static/down-pressed.png b/doc/html/_static/down-pressed.png deleted file mode 100644 index 6f7ad782782e4f8e39b0c6e15c7344700cdd2527..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 368 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|*pj^6U4S$Y z{B+)352QE?JR*yM+OLB!qm#z$3ZNi+iKnkC`z>}Z23@f-Ava~9&<9T!#}JFtXD=!G zGdl{fK6ro2OGiOl+hKvH6i=D3%%Y^j`yIkRn!8O>@bG)IQR0{Kf+mxNd=_WScA8u_ z3;8(7x2){m9`nt+U(Nab&1G)!{`SPVpDX$w8McLTzAJ39wprG3p4XLq$06M`%}2Yk zRPPsbES*dnYm1wkGL;iioAUB*Or2kz6(-M_r_#Me-`{mj$Z%( diff --git a/doc/html/_static/down.png b/doc/html/_static/down.png deleted file mode 100644 index 3003a88770de3977d47a2ba69893436a2860f9e7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 363 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`jKx9jP7LeL$-D$|*pj^6U4S$Y z{B+)352QE?JR*yM+OLB!qm#z$3ZNi+iKnkC`z>}xaV3tUZ$qnrLa#kt978NlpS`ru z&)HFc^}^>{UOEce+71h5nn>6&w6A!ieNbu1wh)UGh{8~et^#oZ1# z>T7oM=FZ~xXWnTo{qnXm$ZLOlqGswI_m2{XwVK)IJmBjW{J3-B3x@C=M{ShWt#fYS9M?R;8K$~YwlIqwf>VA7q=YKcwf2DS4Zj5inDKXXB1zl=(YO3ST6~rDq)&z z*o>z)=hxrfG-cDBW0G$!?6{M<$@{_4{m1o%Ub!naEtn|@^frU1tDnm{r-UW|!^@B8 diff --git a/doc/html/_static/file.png b/doc/html/_static/file.png deleted file mode 100644 index d18082e397e7e54f20721af768c4c2983258f1b4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 392 zcmeAS@N?(olHy`uVBq!ia0vp^0wB!61|;P_|4#%`Y)RhkE)4%caKYZ?lYt_f1s;*b z3=G`DAk4@xYmNj^kiEpy*OmP$HyOL$D9)yc9|lc|nKf<9@eUiWd>3GuTC!a5vdfWYEazjncPj5ZQX%+1 zt8B*4=d)!cdDz4wr^#OMYfqGz$1LDFF>|#>*O?AGil(WEs?wLLy{Gj2J_@opDm%`dlax3yA*@*N$G&*ukFv>P8+2CBWO(qz zD0k1@kN>hhb1_6`&wrCswzINE(evt-5C1B^STi2@PmdKI;Vst0PQB6!2kdN diff --git a/doc/html/_static/jquery.js b/doc/html/_static/jquery.js deleted file mode 100644 index e2efc33..0000000 --- a/doc/html/_static/jquery.js +++ /dev/null @@ -1,9404 +0,0 @@ -/*! - * jQuery JavaScript Library v1.7.2 - * http://jquery.com/ - * - * Copyright 2011, John Resig - * Dual licensed under the MIT or GPL Version 2 licenses. - * http://jquery.org/license - * - * Includes Sizzle.js - * http://sizzlejs.com/ - * Copyright 2011, The Dojo Foundation - * Released under the MIT, BSD, and GPL Licenses. - * - * Date: Fri Jul 5 14:07:58 UTC 2013 - */ -(function( window, undefined ) { - -// Use the correct document accordingly with window argument (sandbox) -var document = window.document, - navigator = window.navigator, - location = window.location; -var jQuery = (function() { - -// Define a local copy of jQuery -var jQuery = function( selector, context ) { - // The jQuery object is actually just the init constructor 'enhanced' - return new jQuery.fn.init( selector, context, rootjQuery ); - }, - - // Map over jQuery in case of overwrite - _jQuery = window.jQuery, - - // Map over the $ in case of overwrite - _$ = window.$, - - // A central reference to the root jQuery(document) - rootjQuery, - - // A simple way to check for HTML strings or ID strings - // Prioritize #id over to avoid XSS via location.hash (#9521) - quickExpr = /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/, - - // Check if a string has a non-whitespace character in it - rnotwhite = /\S/, - - // Used for trimming whitespace - trimLeft = /^\s+/, - trimRight = /\s+$/, - - // Match a standalone tag - rsingleTag = /^<(\w+)\s*\/?>(?:<\/\1>)?$/, - - // JSON RegExp - rvalidchars = /^[\],:{}\s]*$/, - rvalidescape = /\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g, - rvalidtokens = /"[^"\\\n\r]*"|true|false|null|-?\d+(?:\.\d*)?(?:[eE][+\-]?\d+)?/g, - rvalidbraces = /(?:^|:|,)(?:\s*\[)+/g, - - // Useragent RegExp - rwebkit = /(webkit)[ \/]([\w.]+)/, - ropera = /(opera)(?:.*version)?[ \/]([\w.]+)/, - rmsie = /(msie) ([\w.]+)/, - rmozilla = /(mozilla)(?:.*? rv:([\w.]+))?/, - - // Matches dashed string for camelizing - rdashAlpha = /-([a-z]|[0-9])/ig, - rmsPrefix = /^-ms-/, - - // Used by jQuery.camelCase as callback to replace() - fcamelCase = function( all, letter ) { - return ( letter + "" ).toUpperCase(); - }, - - // Keep a UserAgent string for use with jQuery.browser - userAgent = navigator.userAgent, - - // For matching the engine and version of the browser - browserMatch, - - // The deferred used on DOM ready - readyList, - - // The ready event handler - DOMContentLoaded, - - // Save a reference to some core methods - toString = Object.prototype.toString, - hasOwn = Object.prototype.hasOwnProperty, - push = Array.prototype.push, - slice = Array.prototype.slice, - trim = String.prototype.trim, - indexOf = Array.prototype.indexOf, - - // [[Class]] -> type pairs - class2type = {}; - -jQuery.fn = jQuery.prototype = { - constructor: jQuery, - init: function( selector, context, rootjQuery ) { - var match, elem, ret, doc; - - // Handle $(""), $(null), or $(undefined) - if ( !selector ) { - return this; - } - - // Handle $(DOMElement) - if ( selector.nodeType ) { - this.context = this[0] = selector; - this.length = 1; - return this; - } - - // The body element only exists once, optimize finding it - if ( selector === "body" && !context && document.body ) { - this.context = document; - this[0] = document.body; - this.selector = selector; - this.length = 1; - return this; - } - - // Handle HTML strings - if ( typeof selector === "string" ) { - // Are we dealing with HTML string or an ID? - if ( selector.charAt(0) === "<" && selector.charAt( selector.length - 1 ) === ">" && selector.length >= 3 ) { - // Assume that strings that start and end with <> are HTML and skip the regex check - match = [ null, selector, null ]; - - } else { - match = quickExpr.exec( selector ); - } - - // Verify a match, and that no context was specified for #id - if ( match && (match[1] || !context) ) { - - // HANDLE: $(html) -> $(array) - if ( match[1] ) { - context = context instanceof jQuery ? context[0] : context; - doc = ( context ? context.ownerDocument || context : document ); - - // If a single string is passed in and it's a single tag - // just do a createElement and skip the rest - ret = rsingleTag.exec( selector ); - - if ( ret ) { - if ( jQuery.isPlainObject( context ) ) { - selector = [ document.createElement( ret[1] ) ]; - jQuery.fn.attr.call( selector, context, true ); - - } else { - selector = [ doc.createElement( ret[1] ) ]; - } - - } else { - ret = jQuery.buildFragment( [ match[1] ], [ doc ] ); - selector = ( ret.cacheable ? jQuery.clone(ret.fragment) : ret.fragment ).childNodes; - } - - return jQuery.merge( this, selector ); - - // HANDLE: $("#id") - } else { - elem = document.getElementById( match[2] ); - - // Check parentNode to catch when Blackberry 4.6 returns - // nodes that are no longer in the document #6963 - if ( elem && elem.parentNode ) { - // Handle the case where IE and Opera return items - // by name instead of ID - if ( elem.id !== match[2] ) { - return rootjQuery.find( selector ); - } - - // Otherwise, we inject the element directly into the jQuery object - this.length = 1; - this[0] = elem; - } - - this.context = document; - this.selector = selector; - return this; - } - - // HANDLE: $(expr, $(...)) - } else if ( !context || context.jquery ) { - return ( context || rootjQuery ).find( selector ); - - // HANDLE: $(expr, context) - // (which is just equivalent to: $(context).find(expr) - } else { - return this.constructor( context ).find( selector ); - } - - // HANDLE: $(function) - // Shortcut for document ready - } else if ( jQuery.isFunction( selector ) ) { - return rootjQuery.ready( selector ); - } - - if ( selector.selector !== undefined ) { - this.selector = selector.selector; - this.context = selector.context; - } - - return jQuery.makeArray( selector, this ); - }, - - // Start with an empty selector - selector: "", - - // The current version of jQuery being used - jquery: "1.7.2", - - // The default length of a jQuery object is 0 - length: 0, - - // The number of elements contained in the matched element set - size: function() { - return this.length; - }, - - toArray: function() { - return slice.call( this, 0 ); - }, - - // Get the Nth element in the matched element set OR - // Get the whole matched element set as a clean array - get: function( num ) { - return num == null ? - - // Return a 'clean' array - this.toArray() : - - // Return just the object - ( num < 0 ? this[ this.length + num ] : this[ num ] ); - }, - - // Take an array of elements and push it onto the stack - // (returning the new matched element set) - pushStack: function( elems, name, selector ) { - // Build a new jQuery matched element set - var ret = this.constructor(); - - if ( jQuery.isArray( elems ) ) { - push.apply( ret, elems ); - - } else { - jQuery.merge( ret, elems ); - } - - // Add the old object onto the stack (as a reference) - ret.prevObject = this; - - ret.context = this.context; - - if ( name === "find" ) { - ret.selector = this.selector + ( this.selector ? " " : "" ) + selector; - } else if ( name ) { - ret.selector = this.selector + "." + name + "(" + selector + ")"; - } - - // Return the newly-formed element set - return ret; - }, - - // Execute a callback for every element in the matched set. - // (You can seed the arguments with an array of args, but this is - // only used internally.) - each: function( callback, args ) { - return jQuery.each( this, callback, args ); - }, - - ready: function( fn ) { - // Attach the listeners - jQuery.bindReady(); - - // Add the callback - readyList.add( fn ); - - return this; - }, - - eq: function( i ) { - i = +i; - return i === -1 ? - this.slice( i ) : - this.slice( i, i + 1 ); - }, - - first: function() { - return this.eq( 0 ); - }, - - last: function() { - return this.eq( -1 ); - }, - - slice: function() { - return this.pushStack( slice.apply( this, arguments ), - "slice", slice.call(arguments).join(",") ); - }, - - map: function( callback ) { - return this.pushStack( jQuery.map(this, function( elem, i ) { - return callback.call( elem, i, elem ); - })); - }, - - end: function() { - return this.prevObject || this.constructor(null); - }, - - // For internal use only. - // Behaves like an Array's method, not like a jQuery method. - push: push, - sort: [].sort, - splice: [].splice -}; - -// Give the init function the jQuery prototype for later instantiation -jQuery.fn.init.prototype = jQuery.fn; - -jQuery.extend = jQuery.fn.extend = function() { - var options, name, src, copy, copyIsArray, clone, - target = arguments[0] || {}, - i = 1, - length = arguments.length, - deep = false; - - // Handle a deep copy situation - if ( typeof target === "boolean" ) { - deep = target; - target = arguments[1] || {}; - // skip the boolean and the target - i = 2; - } - - // Handle case when target is a string or something (possible in deep copy) - if ( typeof target !== "object" && !jQuery.isFunction(target) ) { - target = {}; - } - - // extend jQuery itself if only one argument is passed - if ( length === i ) { - target = this; - --i; - } - - for ( ; i < length; i++ ) { - // Only deal with non-null/undefined values - if ( (options = arguments[ i ]) != null ) { - // Extend the base object - for ( name in options ) { - src = target[ name ]; - copy = options[ name ]; - - // Prevent never-ending loop - if ( target === copy ) { - continue; - } - - // Recurse if we're merging plain objects or arrays - if ( deep && copy && ( jQuery.isPlainObject(copy) || (copyIsArray = jQuery.isArray(copy)) ) ) { - if ( copyIsArray ) { - copyIsArray = false; - clone = src && jQuery.isArray(src) ? src : []; - - } else { - clone = src && jQuery.isPlainObject(src) ? src : {}; - } - - // Never move original objects, clone them - target[ name ] = jQuery.extend( deep, clone, copy ); - - // Don't bring in undefined values - } else if ( copy !== undefined ) { - target[ name ] = copy; - } - } - } - } - - // Return the modified object - return target; -}; - -jQuery.extend({ - noConflict: function( deep ) { - if ( window.$ === jQuery ) { - window.$ = _$; - } - - if ( deep && window.jQuery === jQuery ) { - window.jQuery = _jQuery; - } - - return jQuery; - }, - - // Is the DOM ready to be used? Set to true once it occurs. - isReady: false, - - // A counter to track how many items to wait for before - // the ready event fires. See #6781 - readyWait: 1, - - // Hold (or release) the ready event - holdReady: function( hold ) { - if ( hold ) { - jQuery.readyWait++; - } else { - jQuery.ready( true ); - } - }, - - // Handle when the DOM is ready - ready: function( wait ) { - // Either a released hold or an DOMready/load event and not yet ready - if ( (wait === true && !--jQuery.readyWait) || (wait !== true && !jQuery.isReady) ) { - // Make sure body exists, at least, in case IE gets a little overzealous (ticket #5443). - if ( !document.body ) { - return setTimeout( jQuery.ready, 1 ); - } - - // Remember that the DOM is ready - jQuery.isReady = true; - - // If a normal DOM Ready event fired, decrement, and wait if need be - if ( wait !== true && --jQuery.readyWait > 0 ) { - return; - } - - // If there are functions bound, to execute - readyList.fireWith( document, [ jQuery ] ); - - // Trigger any bound ready events - if ( jQuery.fn.trigger ) { - jQuery( document ).trigger( "ready" ).off( "ready" ); - } - } - }, - - bindReady: function() { - if ( readyList ) { - return; - } - - readyList = jQuery.Callbacks( "once memory" ); - - // Catch cases where $(document).ready() is called after the - // browser event has already occurred. - if ( document.readyState === "complete" ) { - // Handle it asynchronously to allow scripts the opportunity to delay ready - return setTimeout( jQuery.ready, 1 ); - } - - // Mozilla, Opera and webkit nightlies currently support this event - if ( document.addEventListener ) { - // Use the handy event callback - document.addEventListener( "DOMContentLoaded", DOMContentLoaded, false ); - - // A fallback to window.onload, that will always work - window.addEventListener( "load", jQuery.ready, false ); - - // If IE event model is used - } else if ( document.attachEvent ) { - // ensure firing before onload, - // maybe late but safe also for iframes - document.attachEvent( "onreadystatechange", DOMContentLoaded ); - - // A fallback to window.onload, that will always work - window.attachEvent( "onload", jQuery.ready ); - - // If IE and not a frame - // continually check to see if the document is ready - var toplevel = false; - - try { - toplevel = window.frameElement == null; - } catch(e) {} - - if ( document.documentElement.doScroll && toplevel ) { - doScrollCheck(); - } - } - }, - - // See test/unit/core.js for details concerning isFunction. - // Since version 1.3, DOM methods and functions like alert - // aren't supported. They return false on IE (#2968). - isFunction: function( obj ) { - return jQuery.type(obj) === "function"; - }, - - isArray: Array.isArray || function( obj ) { - return jQuery.type(obj) === "array"; - }, - - isWindow: function( obj ) { - return obj != null && obj == obj.window; - }, - - isNumeric: function( obj ) { - return !isNaN( parseFloat(obj) ) && isFinite( obj ); - }, - - type: function( obj ) { - return obj == null ? - String( obj ) : - class2type[ toString.call(obj) ] || "object"; - }, - - isPlainObject: function( obj ) { - // Must be an Object. - // Because of IE, we also have to check the presence of the constructor property. - // Make sure that DOM nodes and window objects don't pass through, as well - if ( !obj || jQuery.type(obj) !== "object" || obj.nodeType || jQuery.isWindow( obj ) ) { - return false; - } - - try { - // Not own constructor property must be Object - if ( obj.constructor && - !hasOwn.call(obj, "constructor") && - !hasOwn.call(obj.constructor.prototype, "isPrototypeOf") ) { - return false; - } - } catch ( e ) { - // IE8,9 Will throw exceptions on certain host objects #9897 - return false; - } - - // Own properties are enumerated firstly, so to speed up, - // if last one is own, then all properties are own. - - var key; - for ( key in obj ) {} - - return key === undefined || hasOwn.call( obj, key ); - }, - - isEmptyObject: function( obj ) { - for ( var name in obj ) { - return false; - } - return true; - }, - - error: function( msg ) { - throw new Error( msg ); - }, - - parseJSON: function( data ) { - if ( typeof data !== "string" || !data ) { - return null; - } - - // Make sure leading/trailing whitespace is removed (IE can't handle it) - data = jQuery.trim( data ); - - // Attempt to parse using the native JSON parser first - if ( window.JSON && window.JSON.parse ) { - return window.JSON.parse( data ); - } - - // Make sure the incoming data is actual JSON - // Logic borrowed from http://json.org/json2.js - if ( rvalidchars.test( data.replace( rvalidescape, "@" ) - .replace( rvalidtokens, "]" ) - .replace( rvalidbraces, "")) ) { - - return ( new Function( "return " + data ) )(); - - } - jQuery.error( "Invalid JSON: " + data ); - }, - - // Cross-browser xml parsing - parseXML: function( data ) { - if ( typeof data !== "string" || !data ) { - return null; - } - var xml, tmp; - try { - if ( window.DOMParser ) { // Standard - tmp = new DOMParser(); - xml = tmp.parseFromString( data , "text/xml" ); - } else { // IE - xml = new ActiveXObject( "Microsoft.XMLDOM" ); - xml.async = "false"; - xml.loadXML( data ); - } - } catch( e ) { - xml = undefined; - } - if ( !xml || !xml.documentElement || xml.getElementsByTagName( "parsererror" ).length ) { - jQuery.error( "Invalid XML: " + data ); - } - return xml; - }, - - noop: function() {}, - - // Evaluates a script in a global context - // Workarounds based on findings by Jim Driscoll - // http://weblogs.java.net/blog/driscoll/archive/2009/09/08/eval-javascript-global-context - globalEval: function( data ) { - if ( data && rnotwhite.test( data ) ) { - // We use execScript on Internet Explorer - // We use an anonymous function so that context is window - // rather than jQuery in Firefox - ( window.execScript || function( data ) { - window[ "eval" ].call( window, data ); - } )( data ); - } - }, - - // Convert dashed to camelCase; used by the css and data modules - // Microsoft forgot to hump their vendor prefix (#9572) - camelCase: function( string ) { - return string.replace( rmsPrefix, "ms-" ).replace( rdashAlpha, fcamelCase ); - }, - - nodeName: function( elem, name ) { - return elem.nodeName && elem.nodeName.toUpperCase() === name.toUpperCase(); - }, - - // args is for internal usage only - each: function( object, callback, args ) { - var name, i = 0, - length = object.length, - isObj = length === undefined || jQuery.isFunction( object ); - - if ( args ) { - if ( isObj ) { - for ( name in object ) { - if ( callback.apply( object[ name ], args ) === false ) { - break; - } - } - } else { - for ( ; i < length; ) { - if ( callback.apply( object[ i++ ], args ) === false ) { - break; - } - } - } - - // A special, fast, case for the most common use of each - } else { - if ( isObj ) { - for ( name in object ) { - if ( callback.call( object[ name ], name, object[ name ] ) === false ) { - break; - } - } - } else { - for ( ; i < length; ) { - if ( callback.call( object[ i ], i, object[ i++ ] ) === false ) { - break; - } - } - } - } - - return object; - }, - - // Use native String.trim function wherever possible - trim: trim ? - function( text ) { - return text == null ? - "" : - trim.call( text ); - } : - - // Otherwise use our own trimming functionality - function( text ) { - return text == null ? - "" : - text.toString().replace( trimLeft, "" ).replace( trimRight, "" ); - }, - - // results is for internal usage only - makeArray: function( array, results ) { - var ret = results || []; - - if ( array != null ) { - // The window, strings (and functions) also have 'length' - // Tweaked logic slightly to handle Blackberry 4.7 RegExp issues #6930 - var type = jQuery.type( array ); - - if ( array.length == null || type === "string" || type === "function" || type === "regexp" || jQuery.isWindow( array ) ) { - push.call( ret, array ); - } else { - jQuery.merge( ret, array ); - } - } - - return ret; - }, - - inArray: function( elem, array, i ) { - var len; - - if ( array ) { - if ( indexOf ) { - return indexOf.call( array, elem, i ); - } - - len = array.length; - i = i ? i < 0 ? Math.max( 0, len + i ) : i : 0; - - for ( ; i < len; i++ ) { - // Skip accessing in sparse arrays - if ( i in array && array[ i ] === elem ) { - return i; - } - } - } - - return -1; - }, - - merge: function( first, second ) { - var i = first.length, - j = 0; - - if ( typeof second.length === "number" ) { - for ( var l = second.length; j < l; j++ ) { - first[ i++ ] = second[ j ]; - } - - } else { - while ( second[j] !== undefined ) { - first[ i++ ] = second[ j++ ]; - } - } - - first.length = i; - - return first; - }, - - grep: function( elems, callback, inv ) { - var ret = [], retVal; - inv = !!inv; - - // Go through the array, only saving the items - // that pass the validator function - for ( var i = 0, length = elems.length; i < length; i++ ) { - retVal = !!callback( elems[ i ], i ); - if ( inv !== retVal ) { - ret.push( elems[ i ] ); - } - } - - return ret; - }, - - // arg is for internal usage only - map: function( elems, callback, arg ) { - var value, key, ret = [], - i = 0, - length = elems.length, - // jquery objects are treated as arrays - isArray = elems instanceof jQuery || length !== undefined && typeof length === "number" && ( ( length > 0 && elems[ 0 ] && elems[ length -1 ] ) || length === 0 || jQuery.isArray( elems ) ) ; - - // Go through the array, translating each of the items to their - if ( isArray ) { - for ( ; i < length; i++ ) { - value = callback( elems[ i ], i, arg ); - - if ( value != null ) { - ret[ ret.length ] = value; - } - } - - // Go through every key on the object, - } else { - for ( key in elems ) { - value = callback( elems[ key ], key, arg ); - - if ( value != null ) { - ret[ ret.length ] = value; - } - } - } - - // Flatten any nested arrays - return ret.concat.apply( [], ret ); - }, - - // A global GUID counter for objects - guid: 1, - - // Bind a function to a context, optionally partially applying any - // arguments. - proxy: function( fn, context ) { - if ( typeof context === "string" ) { - var tmp = fn[ context ]; - context = fn; - fn = tmp; - } - - // Quick check to determine if target is callable, in the spec - // this throws a TypeError, but we will just return undefined. - if ( !jQuery.isFunction( fn ) ) { - return undefined; - } - - // Simulated bind - var args = slice.call( arguments, 2 ), - proxy = function() { - return fn.apply( context, args.concat( slice.call( arguments ) ) ); - }; - - // Set the guid of unique handler to the same of original handler, so it can be removed - proxy.guid = fn.guid = fn.guid || proxy.guid || jQuery.guid++; - - return proxy; - }, - - // Mutifunctional method to get and set values to a collection - // The value/s can optionally be executed if it's a function - access: function( elems, fn, key, value, chainable, emptyGet, pass ) { - var exec, - bulk = key == null, - i = 0, - length = elems.length; - - // Sets many values - if ( key && typeof key === "object" ) { - for ( i in key ) { - jQuery.access( elems, fn, i, key[i], 1, emptyGet, value ); - } - chainable = 1; - - // Sets one value - } else if ( value !== undefined ) { - // Optionally, function values get executed if exec is true - exec = pass === undefined && jQuery.isFunction( value ); - - if ( bulk ) { - // Bulk operations only iterate when executing function values - if ( exec ) { - exec = fn; - fn = function( elem, key, value ) { - return exec.call( jQuery( elem ), value ); - }; - - // Otherwise they run against the entire set - } else { - fn.call( elems, value ); - fn = null; - } - } - - if ( fn ) { - for (; i < length; i++ ) { - fn( elems[i], key, exec ? value.call( elems[i], i, fn( elems[i], key ) ) : value, pass ); - } - } - - chainable = 1; - } - - return chainable ? - elems : - - // Gets - bulk ? - fn.call( elems ) : - length ? fn( elems[0], key ) : emptyGet; - }, - - now: function() { - return ( new Date() ).getTime(); - }, - - // Use of jQuery.browser is frowned upon. - // More details: http://docs.jquery.com/Utilities/jQuery.browser - uaMatch: function( ua ) { - ua = ua.toLowerCase(); - - var match = rwebkit.exec( ua ) || - ropera.exec( ua ) || - rmsie.exec( ua ) || - ua.indexOf("compatible") < 0 && rmozilla.exec( ua ) || - []; - - return { browser: match[1] || "", version: match[2] || "0" }; - }, - - sub: function() { - function jQuerySub( selector, context ) { - return new jQuerySub.fn.init( selector, context ); - } - jQuery.extend( true, jQuerySub, this ); - jQuerySub.superclass = this; - jQuerySub.fn = jQuerySub.prototype = this(); - jQuerySub.fn.constructor = jQuerySub; - jQuerySub.sub = this.sub; - jQuerySub.fn.init = function init( selector, context ) { - if ( context && context instanceof jQuery && !(context instanceof jQuerySub) ) { - context = jQuerySub( context ); - } - - return jQuery.fn.init.call( this, selector, context, rootjQuerySub ); - }; - jQuerySub.fn.init.prototype = jQuerySub.fn; - var rootjQuerySub = jQuerySub(document); - return jQuerySub; - }, - - browser: {} -}); - -// Populate the class2type map -jQuery.each("Boolean Number String Function Array Date RegExp Object".split(" "), function(i, name) { - class2type[ "[object " + name + "]" ] = name.toLowerCase(); -}); - -browserMatch = jQuery.uaMatch( userAgent ); -if ( browserMatch.browser ) { - jQuery.browser[ browserMatch.browser ] = true; - jQuery.browser.version = browserMatch.version; -} - -// Deprecated, use jQuery.browser.webkit instead -if ( jQuery.browser.webkit ) { - jQuery.browser.safari = true; -} - -// IE doesn't match non-breaking spaces with \s -if ( rnotwhite.test( "\xA0" ) ) { - trimLeft = /^[\s\xA0]+/; - trimRight = /[\s\xA0]+$/; -} - -// All jQuery objects should point back to these -rootjQuery = jQuery(document); - -// Cleanup functions for the document ready method -if ( document.addEventListener ) { - DOMContentLoaded = function() { - document.removeEventListener( "DOMContentLoaded", DOMContentLoaded, false ); - jQuery.ready(); - }; - -} else if ( document.attachEvent ) { - DOMContentLoaded = function() { - // Make sure body exists, at least, in case IE gets a little overzealous (ticket #5443). - if ( document.readyState === "complete" ) { - document.detachEvent( "onreadystatechange", DOMContentLoaded ); - jQuery.ready(); - } - }; -} - -// The DOM ready check for Internet Explorer -function doScrollCheck() { - if ( jQuery.isReady ) { - return; - } - - try { - // If IE is used, use the trick by Diego Perini - // http://javascript.nwbox.com/IEContentLoaded/ - document.documentElement.doScroll("left"); - } catch(e) { - setTimeout( doScrollCheck, 1 ); - return; - } - - // and execute any waiting functions - jQuery.ready(); -} - -return jQuery; - -})(); - - -// String to Object flags format cache -var flagsCache = {}; - -// Convert String-formatted flags into Object-formatted ones and store in cache -function createFlags( flags ) { - var object = flagsCache[ flags ] = {}, - i, length; - flags = flags.split( /\s+/ ); - for ( i = 0, length = flags.length; i < length; i++ ) { - object[ flags[i] ] = true; - } - return object; -} - -/* - * Create a callback list using the following parameters: - * - * flags: an optional list of space-separated flags that will change how - * the callback list behaves - * - * By default a callback list will act like an event callback list and can be - * "fired" multiple times. - * - * Possible flags: - * - * once: will ensure the callback list can only be fired once (like a Deferred) - * - * memory: will keep track of previous values and will call any callback added - * after the list has been fired right away with the latest "memorized" - * values (like a Deferred) - * - * unique: will ensure a callback can only be added once (no duplicate in the list) - * - * stopOnFalse: interrupt callings when a callback returns false - * - */ -jQuery.Callbacks = function( flags ) { - - // Convert flags from String-formatted to Object-formatted - // (we check in cache first) - flags = flags ? ( flagsCache[ flags ] || createFlags( flags ) ) : {}; - - var // Actual callback list - list = [], - // Stack of fire calls for repeatable lists - stack = [], - // Last fire value (for non-forgettable lists) - memory, - // Flag to know if list was already fired - fired, - // Flag to know if list is currently firing - firing, - // First callback to fire (used internally by add and fireWith) - firingStart, - // End of the loop when firing - firingLength, - // Index of currently firing callback (modified by remove if needed) - firingIndex, - // Add one or several callbacks to the list - add = function( args ) { - var i, - length, - elem, - type, - actual; - for ( i = 0, length = args.length; i < length; i++ ) { - elem = args[ i ]; - type = jQuery.type( elem ); - if ( type === "array" ) { - // Inspect recursively - add( elem ); - } else if ( type === "function" ) { - // Add if not in unique mode and callback is not in - if ( !flags.unique || !self.has( elem ) ) { - list.push( elem ); - } - } - } - }, - // Fire callbacks - fire = function( context, args ) { - args = args || []; - memory = !flags.memory || [ context, args ]; - fired = true; - firing = true; - firingIndex = firingStart || 0; - firingStart = 0; - firingLength = list.length; - for ( ; list && firingIndex < firingLength; firingIndex++ ) { - if ( list[ firingIndex ].apply( context, args ) === false && flags.stopOnFalse ) { - memory = true; // Mark as halted - break; - } - } - firing = false; - if ( list ) { - if ( !flags.once ) { - if ( stack && stack.length ) { - memory = stack.shift(); - self.fireWith( memory[ 0 ], memory[ 1 ] ); - } - } else if ( memory === true ) { - self.disable(); - } else { - list = []; - } - } - }, - // Actual Callbacks object - self = { - // Add a callback or a collection of callbacks to the list - add: function() { - if ( list ) { - var length = list.length; - add( arguments ); - // Do we need to add the callbacks to the - // current firing batch? - if ( firing ) { - firingLength = list.length; - // With memory, if we're not firing then - // we should call right away, unless previous - // firing was halted (stopOnFalse) - } else if ( memory && memory !== true ) { - firingStart = length; - fire( memory[ 0 ], memory[ 1 ] ); - } - } - return this; - }, - // Remove a callback from the list - remove: function() { - if ( list ) { - var args = arguments, - argIndex = 0, - argLength = args.length; - for ( ; argIndex < argLength ; argIndex++ ) { - for ( var i = 0; i < list.length; i++ ) { - if ( args[ argIndex ] === list[ i ] ) { - // Handle firingIndex and firingLength - if ( firing ) { - if ( i <= firingLength ) { - firingLength--; - if ( i <= firingIndex ) { - firingIndex--; - } - } - } - // Remove the element - list.splice( i--, 1 ); - // If we have some unicity property then - // we only need to do this once - if ( flags.unique ) { - break; - } - } - } - } - } - return this; - }, - // Control if a given callback is in the list - has: function( fn ) { - if ( list ) { - var i = 0, - length = list.length; - for ( ; i < length; i++ ) { - if ( fn === list[ i ] ) { - return true; - } - } - } - return false; - }, - // Remove all callbacks from the list - empty: function() { - list = []; - return this; - }, - // Have the list do nothing anymore - disable: function() { - list = stack = memory = undefined; - return this; - }, - // Is it disabled? - disabled: function() { - return !list; - }, - // Lock the list in its current state - lock: function() { - stack = undefined; - if ( !memory || memory === true ) { - self.disable(); - } - return this; - }, - // Is it locked? - locked: function() { - return !stack; - }, - // Call all callbacks with the given context and arguments - fireWith: function( context, args ) { - if ( stack ) { - if ( firing ) { - if ( !flags.once ) { - stack.push( [ context, args ] ); - } - } else if ( !( flags.once && memory ) ) { - fire( context, args ); - } - } - return this; - }, - // Call all the callbacks with the given arguments - fire: function() { - self.fireWith( this, arguments ); - return this; - }, - // To know if the callbacks have already been called at least once - fired: function() { - return !!fired; - } - }; - - return self; -}; - - - - -var // Static reference to slice - sliceDeferred = [].slice; - -jQuery.extend({ - - Deferred: function( func ) { - var doneList = jQuery.Callbacks( "once memory" ), - failList = jQuery.Callbacks( "once memory" ), - progressList = jQuery.Callbacks( "memory" ), - state = "pending", - lists = { - resolve: doneList, - reject: failList, - notify: progressList - }, - promise = { - done: doneList.add, - fail: failList.add, - progress: progressList.add, - - state: function() { - return state; - }, - - // Deprecated - isResolved: doneList.fired, - isRejected: failList.fired, - - then: function( doneCallbacks, failCallbacks, progressCallbacks ) { - deferred.done( doneCallbacks ).fail( failCallbacks ).progress( progressCallbacks ); - return this; - }, - always: function() { - deferred.done.apply( deferred, arguments ).fail.apply( deferred, arguments ); - return this; - }, - pipe: function( fnDone, fnFail, fnProgress ) { - return jQuery.Deferred(function( newDefer ) { - jQuery.each( { - done: [ fnDone, "resolve" ], - fail: [ fnFail, "reject" ], - progress: [ fnProgress, "notify" ] - }, function( handler, data ) { - var fn = data[ 0 ], - action = data[ 1 ], - returned; - if ( jQuery.isFunction( fn ) ) { - deferred[ handler ](function() { - returned = fn.apply( this, arguments ); - if ( returned && jQuery.isFunction( returned.promise ) ) { - returned.promise().then( newDefer.resolve, newDefer.reject, newDefer.notify ); - } else { - newDefer[ action + "With" ]( this === deferred ? newDefer : this, [ returned ] ); - } - }); - } else { - deferred[ handler ]( newDefer[ action ] ); - } - }); - }).promise(); - }, - // Get a promise for this deferred - // If obj is provided, the promise aspect is added to the object - promise: function( obj ) { - if ( obj == null ) { - obj = promise; - } else { - for ( var key in promise ) { - obj[ key ] = promise[ key ]; - } - } - return obj; - } - }, - deferred = promise.promise({}), - key; - - for ( key in lists ) { - deferred[ key ] = lists[ key ].fire; - deferred[ key + "With" ] = lists[ key ].fireWith; - } - - // Handle state - deferred.done( function() { - state = "resolved"; - }, failList.disable, progressList.lock ).fail( function() { - state = "rejected"; - }, doneList.disable, progressList.lock ); - - // Call given func if any - if ( func ) { - func.call( deferred, deferred ); - } - - // All done! - return deferred; - }, - - // Deferred helper - when: function( firstParam ) { - var args = sliceDeferred.call( arguments, 0 ), - i = 0, - length = args.length, - pValues = new Array( length ), - count = length, - pCount = length, - deferred = length <= 1 && firstParam && jQuery.isFunction( firstParam.promise ) ? - firstParam : - jQuery.Deferred(), - promise = deferred.promise(); - function resolveFunc( i ) { - return function( value ) { - args[ i ] = arguments.length > 1 ? sliceDeferred.call( arguments, 0 ) : value; - if ( !( --count ) ) { - deferred.resolveWith( deferred, args ); - } - }; - } - function progressFunc( i ) { - return function( value ) { - pValues[ i ] = arguments.length > 1 ? sliceDeferred.call( arguments, 0 ) : value; - deferred.notifyWith( promise, pValues ); - }; - } - if ( length > 1 ) { - for ( ; i < length; i++ ) { - if ( args[ i ] && args[ i ].promise && jQuery.isFunction( args[ i ].promise ) ) { - args[ i ].promise().then( resolveFunc(i), deferred.reject, progressFunc(i) ); - } else { - --count; - } - } - if ( !count ) { - deferred.resolveWith( deferred, args ); - } - } else if ( deferred !== firstParam ) { - deferred.resolveWith( deferred, length ? [ firstParam ] : [] ); - } - return promise; - } -}); - - - - -jQuery.support = (function() { - - var support, - all, - a, - select, - opt, - input, - fragment, - tds, - events, - eventName, - i, - isSupported, - div = document.createElement( "div" ), - documentElement = document.documentElement; - - // Preliminary tests - div.setAttribute("className", "t"); - div.innerHTML = "
a"; - - all = div.getElementsByTagName( "*" ); - a = div.getElementsByTagName( "a" )[ 0 ]; - - // Can't get basic test support - if ( !all || !all.length || !a ) { - return {}; - } - - // First batch of supports tests - select = document.createElement( "select" ); - opt = select.appendChild( document.createElement("option") ); - input = div.getElementsByTagName( "input" )[ 0 ]; - - support = { - // IE strips leading whitespace when .innerHTML is used - leadingWhitespace: ( div.firstChild.nodeType === 3 ), - - // Make sure that tbody elements aren't automatically inserted - // IE will insert them into empty tables - tbody: !div.getElementsByTagName("tbody").length, - - // Make sure that link elements get serialized correctly by innerHTML - // This requires a wrapper element in IE - htmlSerialize: !!div.getElementsByTagName("link").length, - - // Get the style information from getAttribute - // (IE uses .cssText instead) - style: /top/.test( a.getAttribute("style") ), - - // Make sure that URLs aren't manipulated - // (IE normalizes it by default) - hrefNormalized: ( a.getAttribute("href") === "/a" ), - - // Make sure that element opacity exists - // (IE uses filter instead) - // Use a regex to work around a WebKit issue. See #5145 - opacity: /^0.55/.test( a.style.opacity ), - - // Verify style float existence - // (IE uses styleFloat instead of cssFloat) - cssFloat: !!a.style.cssFloat, - - // Make sure that if no value is specified for a checkbox - // that it defaults to "on". - // (WebKit defaults to "" instead) - checkOn: ( input.value === "on" ), - - // Make sure that a selected-by-default option has a working selected property. - // (WebKit defaults to false instead of true, IE too, if it's in an optgroup) - optSelected: opt.selected, - - // Test setAttribute on camelCase class. If it works, we need attrFixes when doing get/setAttribute (ie6/7) - getSetAttribute: div.className !== "t", - - // Tests for enctype support on a form(#6743) - enctype: !!document.createElement("form").enctype, - - // Makes sure cloning an html5 element does not cause problems - // Where outerHTML is undefined, this still works - html5Clone: document.createElement("nav").cloneNode( true ).outerHTML !== "<:nav>", - - // Will be defined later - submitBubbles: true, - changeBubbles: true, - focusinBubbles: false, - deleteExpando: true, - noCloneEvent: true, - inlineBlockNeedsLayout: false, - shrinkWrapBlocks: false, - reliableMarginRight: true, - pixelMargin: true - }; - - // jQuery.boxModel DEPRECATED in 1.3, use jQuery.support.boxModel instead - jQuery.boxModel = support.boxModel = (document.compatMode === "CSS1Compat"); - - // Make sure checked status is properly cloned - input.checked = true; - support.noCloneChecked = input.cloneNode( true ).checked; - - // Make sure that the options inside disabled selects aren't marked as disabled - // (WebKit marks them as disabled) - select.disabled = true; - support.optDisabled = !opt.disabled; - - // Test to see if it's possible to delete an expando from an element - // Fails in Internet Explorer - try { - delete div.test; - } catch( e ) { - support.deleteExpando = false; - } - - if ( !div.addEventListener && div.attachEvent && div.fireEvent ) { - div.attachEvent( "onclick", function() { - // Cloning a node shouldn't copy over any - // bound event handlers (IE does this) - support.noCloneEvent = false; - }); - div.cloneNode( true ).fireEvent( "onclick" ); - } - - // Check if a radio maintains its value - // after being appended to the DOM - input = document.createElement("input"); - input.value = "t"; - input.setAttribute("type", "radio"); - support.radioValue = input.value === "t"; - - input.setAttribute("checked", "checked"); - - // #11217 - WebKit loses check when the name is after the checked attribute - input.setAttribute( "name", "t" ); - - div.appendChild( input ); - fragment = document.createDocumentFragment(); - fragment.appendChild( div.lastChild ); - - // WebKit doesn't clone checked state correctly in fragments - support.checkClone = fragment.cloneNode( true ).cloneNode( true ).lastChild.checked; - - // Check if a disconnected checkbox will retain its checked - // value of true after appended to the DOM (IE6/7) - support.appendChecked = input.checked; - - fragment.removeChild( input ); - fragment.appendChild( div ); - - // Technique from Juriy Zaytsev - // http://perfectionkills.com/detecting-event-support-without-browser-sniffing/ - // We only care about the case where non-standard event systems - // are used, namely in IE. Short-circuiting here helps us to - // avoid an eval call (in setAttribute) which can cause CSP - // to go haywire. See: https://developer.mozilla.org/en/Security/CSP - if ( div.attachEvent ) { - for ( i in { - submit: 1, - change: 1, - focusin: 1 - }) { - eventName = "on" + i; - isSupported = ( eventName in div ); - if ( !isSupported ) { - div.setAttribute( eventName, "return;" ); - isSupported = ( typeof div[ eventName ] === "function" ); - } - support[ i + "Bubbles" ] = isSupported; - } - } - - fragment.removeChild( div ); - - // Null elements to avoid leaks in IE - fragment = select = opt = div = input = null; - - // Run tests that need a body at doc ready - jQuery(function() { - var container, outer, inner, table, td, offsetSupport, - marginDiv, conMarginTop, style, html, positionTopLeftWidthHeight, - paddingMarginBorderVisibility, paddingMarginBorder, - body = document.getElementsByTagName("body")[0]; - - if ( !body ) { - // Return for frameset docs that don't have a body - return; - } - - conMarginTop = 1; - paddingMarginBorder = "padding:0;margin:0;border:"; - positionTopLeftWidthHeight = "position:absolute;top:0;left:0;width:1px;height:1px;"; - paddingMarginBorderVisibility = paddingMarginBorder + "0;visibility:hidden;"; - style = "style='" + positionTopLeftWidthHeight + paddingMarginBorder + "5px solid #000;"; - html = "
" + - "" + - "
"; - - container = document.createElement("div"); - container.style.cssText = paddingMarginBorderVisibility + "width:0;height:0;position:static;top:0;margin-top:" + conMarginTop + "px"; - body.insertBefore( container, body.firstChild ); - - // Construct the test element - div = document.createElement("div"); - container.appendChild( div ); - - // Check if table cells still have offsetWidth/Height when they are set - // to display:none and there are still other visible table cells in a - // table row; if so, offsetWidth/Height are not reliable for use when - // determining if an element has been hidden directly using - // display:none (it is still safe to use offsets if a parent element is - // hidden; don safety goggles and see bug #4512 for more information). - // (only IE 8 fails this test) - div.innerHTML = "
t
"; - tds = div.getElementsByTagName( "td" ); - isSupported = ( tds[ 0 ].offsetHeight === 0 ); - - tds[ 0 ].style.display = ""; - tds[ 1 ].style.display = "none"; - - // Check if empty table cells still have offsetWidth/Height - // (IE <= 8 fail this test) - support.reliableHiddenOffsets = isSupported && ( tds[ 0 ].offsetHeight === 0 ); - - // Check if div with explicit width and no margin-right incorrectly - // gets computed margin-right based on width of container. For more - // info see bug #3333 - // Fails in WebKit before Feb 2011 nightlies - // WebKit Bug 13343 - getComputedStyle returns wrong value for margin-right - if ( window.getComputedStyle ) { - div.innerHTML = ""; - marginDiv = document.createElement( "div" ); - marginDiv.style.width = "0"; - marginDiv.style.marginRight = "0"; - div.style.width = "2px"; - div.appendChild( marginDiv ); - support.reliableMarginRight = - ( parseInt( ( window.getComputedStyle( marginDiv, null ) || { marginRight: 0 } ).marginRight, 10 ) || 0 ) === 0; - } - - if ( typeof div.style.zoom !== "undefined" ) { - // Check if natively block-level elements act like inline-block - // elements when setting their display to 'inline' and giving - // them layout - // (IE < 8 does this) - div.innerHTML = ""; - div.style.width = div.style.padding = "1px"; - div.style.border = 0; - div.style.overflow = "hidden"; - div.style.display = "inline"; - div.style.zoom = 1; - support.inlineBlockNeedsLayout = ( div.offsetWidth === 3 ); - - // Check if elements with layout shrink-wrap their children - // (IE 6 does this) - div.style.display = "block"; - div.style.overflow = "visible"; - div.innerHTML = "
"; - support.shrinkWrapBlocks = ( div.offsetWidth !== 3 ); - } - - div.style.cssText = positionTopLeftWidthHeight + paddingMarginBorderVisibility; - div.innerHTML = html; - - outer = div.firstChild; - inner = outer.firstChild; - td = outer.nextSibling.firstChild.firstChild; - - offsetSupport = { - doesNotAddBorder: ( inner.offsetTop !== 5 ), - doesAddBorderForTableAndCells: ( td.offsetTop === 5 ) - }; - - inner.style.position = "fixed"; - inner.style.top = "20px"; - - // safari subtracts parent border width here which is 5px - offsetSupport.fixedPosition = ( inner.offsetTop === 20 || inner.offsetTop === 15 ); - inner.style.position = inner.style.top = ""; - - outer.style.overflow = "hidden"; - outer.style.position = "relative"; - - offsetSupport.subtractsBorderForOverflowNotVisible = ( inner.offsetTop === -5 ); - offsetSupport.doesNotIncludeMarginInBodyOffset = ( body.offsetTop !== conMarginTop ); - - if ( window.getComputedStyle ) { - div.style.marginTop = "1%"; - support.pixelMargin = ( window.getComputedStyle( div, null ) || { marginTop: 0 } ).marginTop !== "1%"; - } - - if ( typeof container.style.zoom !== "undefined" ) { - container.style.zoom = 1; - } - - body.removeChild( container ); - marginDiv = div = container = null; - - jQuery.extend( support, offsetSupport ); - }); - - return support; -})(); - - - - -var rbrace = /^(?:\{.*\}|\[.*\])$/, - rmultiDash = /([A-Z])/g; - -jQuery.extend({ - cache: {}, - - // Please use with caution - uuid: 0, - - // Unique for each copy of jQuery on the page - // Non-digits removed to match rinlinejQuery - expando: "jQuery" + ( jQuery.fn.jquery + Math.random() ).replace( /\D/g, "" ), - - // The following elements throw uncatchable exceptions if you - // attempt to add expando properties to them. - noData: { - "embed": true, - // Ban all objects except for Flash (which handle expandos) - "object": "clsid:D27CDB6E-AE6D-11cf-96B8-444553540000", - "applet": true - }, - - hasData: function( elem ) { - elem = elem.nodeType ? jQuery.cache[ elem[jQuery.expando] ] : elem[ jQuery.expando ]; - return !!elem && !isEmptyDataObject( elem ); - }, - - data: function( elem, name, data, pvt /* Internal Use Only */ ) { - if ( !jQuery.acceptData( elem ) ) { - return; - } - - var privateCache, thisCache, ret, - internalKey = jQuery.expando, - getByName = typeof name === "string", - - // We have to handle DOM nodes and JS objects differently because IE6-7 - // can't GC object references properly across the DOM-JS boundary - isNode = elem.nodeType, - - // Only DOM nodes need the global jQuery cache; JS object data is - // attached directly to the object so GC can occur automatically - cache = isNode ? jQuery.cache : elem, - - // Only defining an ID for JS objects if its cache already exists allows - // the code to shortcut on the same path as a DOM node with no cache - id = isNode ? elem[ internalKey ] : elem[ internalKey ] && internalKey, - isEvents = name === "events"; - - // Avoid doing any more work than we need to when trying to get data on an - // object that has no data at all - if ( (!id || !cache[id] || (!isEvents && !pvt && !cache[id].data)) && getByName && data === undefined ) { - return; - } - - if ( !id ) { - // Only DOM nodes need a new unique ID for each element since their data - // ends up in the global cache - if ( isNode ) { - elem[ internalKey ] = id = ++jQuery.uuid; - } else { - id = internalKey; - } - } - - if ( !cache[ id ] ) { - cache[ id ] = {}; - - // Avoids exposing jQuery metadata on plain JS objects when the object - // is serialized using JSON.stringify - if ( !isNode ) { - cache[ id ].toJSON = jQuery.noop; - } - } - - // An object can be passed to jQuery.data instead of a key/value pair; this gets - // shallow copied over onto the existing cache - if ( typeof name === "object" || typeof name === "function" ) { - if ( pvt ) { - cache[ id ] = jQuery.extend( cache[ id ], name ); - } else { - cache[ id ].data = jQuery.extend( cache[ id ].data, name ); - } - } - - privateCache = thisCache = cache[ id ]; - - // jQuery data() is stored in a separate object inside the object's internal data - // cache in order to avoid key collisions between internal data and user-defined - // data. - if ( !pvt ) { - if ( !thisCache.data ) { - thisCache.data = {}; - } - - thisCache = thisCache.data; - } - - if ( data !== undefined ) { - thisCache[ jQuery.camelCase( name ) ] = data; - } - - // Users should not attempt to inspect the internal events object using jQuery.data, - // it is undocumented and subject to change. But does anyone listen? No. - if ( isEvents && !thisCache[ name ] ) { - return privateCache.events; - } - - // Check for both converted-to-camel and non-converted data property names - // If a data property was specified - if ( getByName ) { - - // First Try to find as-is property data - ret = thisCache[ name ]; - - // Test for null|undefined property data - if ( ret == null ) { - - // Try to find the camelCased property - ret = thisCache[ jQuery.camelCase( name ) ]; - } - } else { - ret = thisCache; - } - - return ret; - }, - - removeData: function( elem, name, pvt /* Internal Use Only */ ) { - if ( !jQuery.acceptData( elem ) ) { - return; - } - - var thisCache, i, l, - - // Reference to internal data cache key - internalKey = jQuery.expando, - - isNode = elem.nodeType, - - // See jQuery.data for more information - cache = isNode ? jQuery.cache : elem, - - // See jQuery.data for more information - id = isNode ? elem[ internalKey ] : internalKey; - - // If there is already no cache entry for this object, there is no - // purpose in continuing - if ( !cache[ id ] ) { - return; - } - - if ( name ) { - - thisCache = pvt ? cache[ id ] : cache[ id ].data; - - if ( thisCache ) { - - // Support array or space separated string names for data keys - if ( !jQuery.isArray( name ) ) { - - // try the string as a key before any manipulation - if ( name in thisCache ) { - name = [ name ]; - } else { - - // split the camel cased version by spaces unless a key with the spaces exists - name = jQuery.camelCase( name ); - if ( name in thisCache ) { - name = [ name ]; - } else { - name = name.split( " " ); - } - } - } - - for ( i = 0, l = name.length; i < l; i++ ) { - delete thisCache[ name[i] ]; - } - - // If there is no data left in the cache, we want to continue - // and let the cache object itself get destroyed - if ( !( pvt ? isEmptyDataObject : jQuery.isEmptyObject )( thisCache ) ) { - return; - } - } - } - - // See jQuery.data for more information - if ( !pvt ) { - delete cache[ id ].data; - - // Don't destroy the parent cache unless the internal data object - // had been the only thing left in it - if ( !isEmptyDataObject(cache[ id ]) ) { - return; - } - } - - // Browsers that fail expando deletion also refuse to delete expandos on - // the window, but it will allow it on all other JS objects; other browsers - // don't care - // Ensure that `cache` is not a window object #10080 - if ( jQuery.support.deleteExpando || !cache.setInterval ) { - delete cache[ id ]; - } else { - cache[ id ] = null; - } - - // We destroyed the cache and need to eliminate the expando on the node to avoid - // false lookups in the cache for entries that no longer exist - if ( isNode ) { - // IE does not allow us to delete expando properties from nodes, - // nor does it have a removeAttribute function on Document nodes; - // we must handle all of these cases - if ( jQuery.support.deleteExpando ) { - delete elem[ internalKey ]; - } else if ( elem.removeAttribute ) { - elem.removeAttribute( internalKey ); - } else { - elem[ internalKey ] = null; - } - } - }, - - // For internal use only. - _data: function( elem, name, data ) { - return jQuery.data( elem, name, data, true ); - }, - - // A method for determining if a DOM node can handle the data expando - acceptData: function( elem ) { - if ( elem.nodeName ) { - var match = jQuery.noData[ elem.nodeName.toLowerCase() ]; - - if ( match ) { - return !(match === true || elem.getAttribute("classid") !== match); - } - } - - return true; - } -}); - -jQuery.fn.extend({ - data: function( key, value ) { - var parts, part, attr, name, l, - elem = this[0], - i = 0, - data = null; - - // Gets all values - if ( key === undefined ) { - if ( this.length ) { - data = jQuery.data( elem ); - - if ( elem.nodeType === 1 && !jQuery._data( elem, "parsedAttrs" ) ) { - attr = elem.attributes; - for ( l = attr.length; i < l; i++ ) { - name = attr[i].name; - - if ( name.indexOf( "data-" ) === 0 ) { - name = jQuery.camelCase( name.substring(5) ); - - dataAttr( elem, name, data[ name ] ); - } - } - jQuery._data( elem, "parsedAttrs", true ); - } - } - - return data; - } - - // Sets multiple values - if ( typeof key === "object" ) { - return this.each(function() { - jQuery.data( this, key ); - }); - } - - parts = key.split( ".", 2 ); - parts[1] = parts[1] ? "." + parts[1] : ""; - part = parts[1] + "!"; - - return jQuery.access( this, function( value ) { - - if ( value === undefined ) { - data = this.triggerHandler( "getData" + part, [ parts[0] ] ); - - // Try to fetch any internally stored data first - if ( data === undefined && elem ) { - data = jQuery.data( elem, key ); - data = dataAttr( elem, key, data ); - } - - return data === undefined && parts[1] ? - this.data( parts[0] ) : - data; - } - - parts[1] = value; - this.each(function() { - var self = jQuery( this ); - - self.triggerHandler( "setData" + part, parts ); - jQuery.data( this, key, value ); - self.triggerHandler( "changeData" + part, parts ); - }); - }, null, value, arguments.length > 1, null, false ); - }, - - removeData: function( key ) { - return this.each(function() { - jQuery.removeData( this, key ); - }); - } -}); - -function dataAttr( elem, key, data ) { - // If nothing was found internally, try to fetch any - // data from the HTML5 data-* attribute - if ( data === undefined && elem.nodeType === 1 ) { - - var name = "data-" + key.replace( rmultiDash, "-$1" ).toLowerCase(); - - data = elem.getAttribute( name ); - - if ( typeof data === "string" ) { - try { - data = data === "true" ? true : - data === "false" ? false : - data === "null" ? null : - jQuery.isNumeric( data ) ? +data : - rbrace.test( data ) ? jQuery.parseJSON( data ) : - data; - } catch( e ) {} - - // Make sure we set the data so it isn't changed later - jQuery.data( elem, key, data ); - - } else { - data = undefined; - } - } - - return data; -} - -// checks a cache object for emptiness -function isEmptyDataObject( obj ) { - for ( var name in obj ) { - - // if the public data object is empty, the private is still empty - if ( name === "data" && jQuery.isEmptyObject( obj[name] ) ) { - continue; - } - if ( name !== "toJSON" ) { - return false; - } - } - - return true; -} - - - - -function handleQueueMarkDefer( elem, type, src ) { - var deferDataKey = type + "defer", - queueDataKey = type + "queue", - markDataKey = type + "mark", - defer = jQuery._data( elem, deferDataKey ); - if ( defer && - ( src === "queue" || !jQuery._data(elem, queueDataKey) ) && - ( src === "mark" || !jQuery._data(elem, markDataKey) ) ) { - // Give room for hard-coded callbacks to fire first - // and eventually mark/queue something else on the element - setTimeout( function() { - if ( !jQuery._data( elem, queueDataKey ) && - !jQuery._data( elem, markDataKey ) ) { - jQuery.removeData( elem, deferDataKey, true ); - defer.fire(); - } - }, 0 ); - } -} - -jQuery.extend({ - - _mark: function( elem, type ) { - if ( elem ) { - type = ( type || "fx" ) + "mark"; - jQuery._data( elem, type, (jQuery._data( elem, type ) || 0) + 1 ); - } - }, - - _unmark: function( force, elem, type ) { - if ( force !== true ) { - type = elem; - elem = force; - force = false; - } - if ( elem ) { - type = type || "fx"; - var key = type + "mark", - count = force ? 0 : ( (jQuery._data( elem, key ) || 1) - 1 ); - if ( count ) { - jQuery._data( elem, key, count ); - } else { - jQuery.removeData( elem, key, true ); - handleQueueMarkDefer( elem, type, "mark" ); - } - } - }, - - queue: function( elem, type, data ) { - var q; - if ( elem ) { - type = ( type || "fx" ) + "queue"; - q = jQuery._data( elem, type ); - - // Speed up dequeue by getting out quickly if this is just a lookup - if ( data ) { - if ( !q || jQuery.isArray(data) ) { - q = jQuery._data( elem, type, jQuery.makeArray(data) ); - } else { - q.push( data ); - } - } - return q || []; - } - }, - - dequeue: function( elem, type ) { - type = type || "fx"; - - var queue = jQuery.queue( elem, type ), - fn = queue.shift(), - hooks = {}; - - // If the fx queue is dequeued, always remove the progress sentinel - if ( fn === "inprogress" ) { - fn = queue.shift(); - } - - if ( fn ) { - // Add a progress sentinel to prevent the fx queue from being - // automatically dequeued - if ( type === "fx" ) { - queue.unshift( "inprogress" ); - } - - jQuery._data( elem, type + ".run", hooks ); - fn.call( elem, function() { - jQuery.dequeue( elem, type ); - }, hooks ); - } - - if ( !queue.length ) { - jQuery.removeData( elem, type + "queue " + type + ".run", true ); - handleQueueMarkDefer( elem, type, "queue" ); - } - } -}); - -jQuery.fn.extend({ - queue: function( type, data ) { - var setter = 2; - - if ( typeof type !== "string" ) { - data = type; - type = "fx"; - setter--; - } - - if ( arguments.length < setter ) { - return jQuery.queue( this[0], type ); - } - - return data === undefined ? - this : - this.each(function() { - var queue = jQuery.queue( this, type, data ); - - if ( type === "fx" && queue[0] !== "inprogress" ) { - jQuery.dequeue( this, type ); - } - }); - }, - dequeue: function( type ) { - return this.each(function() { - jQuery.dequeue( this, type ); - }); - }, - // Based off of the plugin by Clint Helfers, with permission. - // http://blindsignals.com/index.php/2009/07/jquery-delay/ - delay: function( time, type ) { - time = jQuery.fx ? jQuery.fx.speeds[ time ] || time : time; - type = type || "fx"; - - return this.queue( type, function( next, hooks ) { - var timeout = setTimeout( next, time ); - hooks.stop = function() { - clearTimeout( timeout ); - }; - }); - }, - clearQueue: function( type ) { - return this.queue( type || "fx", [] ); - }, - // Get a promise resolved when queues of a certain type - // are emptied (fx is the type by default) - promise: function( type, object ) { - if ( typeof type !== "string" ) { - object = type; - type = undefined; - } - type = type || "fx"; - var defer = jQuery.Deferred(), - elements = this, - i = elements.length, - count = 1, - deferDataKey = type + "defer", - queueDataKey = type + "queue", - markDataKey = type + "mark", - tmp; - function resolve() { - if ( !( --count ) ) { - defer.resolveWith( elements, [ elements ] ); - } - } - while( i-- ) { - if (( tmp = jQuery.data( elements[ i ], deferDataKey, undefined, true ) || - ( jQuery.data( elements[ i ], queueDataKey, undefined, true ) || - jQuery.data( elements[ i ], markDataKey, undefined, true ) ) && - jQuery.data( elements[ i ], deferDataKey, jQuery.Callbacks( "once memory" ), true ) )) { - count++; - tmp.add( resolve ); - } - } - resolve(); - return defer.promise( object ); - } -}); - - - - -var rclass = /[\n\t\r]/g, - rspace = /\s+/, - rreturn = /\r/g, - rtype = /^(?:button|input)$/i, - rfocusable = /^(?:button|input|object|select|textarea)$/i, - rclickable = /^a(?:rea)?$/i, - rboolean = /^(?:autofocus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped|selected)$/i, - getSetAttribute = jQuery.support.getSetAttribute, - nodeHook, boolHook, fixSpecified; - -jQuery.fn.extend({ - attr: function( name, value ) { - return jQuery.access( this, jQuery.attr, name, value, arguments.length > 1 ); - }, - - removeAttr: function( name ) { - return this.each(function() { - jQuery.removeAttr( this, name ); - }); - }, - - prop: function( name, value ) { - return jQuery.access( this, jQuery.prop, name, value, arguments.length > 1 ); - }, - - removeProp: function( name ) { - name = jQuery.propFix[ name ] || name; - return this.each(function() { - // try/catch handles cases where IE balks (such as removing a property on window) - try { - this[ name ] = undefined; - delete this[ name ]; - } catch( e ) {} - }); - }, - - addClass: function( value ) { - var classNames, i, l, elem, - setClass, c, cl; - - if ( jQuery.isFunction( value ) ) { - return this.each(function( j ) { - jQuery( this ).addClass( value.call(this, j, this.className) ); - }); - } - - if ( value && typeof value === "string" ) { - classNames = value.split( rspace ); - - for ( i = 0, l = this.length; i < l; i++ ) { - elem = this[ i ]; - - if ( elem.nodeType === 1 ) { - if ( !elem.className && classNames.length === 1 ) { - elem.className = value; - - } else { - setClass = " " + elem.className + " "; - - for ( c = 0, cl = classNames.length; c < cl; c++ ) { - if ( !~setClass.indexOf( " " + classNames[ c ] + " " ) ) { - setClass += classNames[ c ] + " "; - } - } - elem.className = jQuery.trim( setClass ); - } - } - } - } - - return this; - }, - - removeClass: function( value ) { - var classNames, i, l, elem, className, c, cl; - - if ( jQuery.isFunction( value ) ) { - return this.each(function( j ) { - jQuery( this ).removeClass( value.call(this, j, this.className) ); - }); - } - - if ( (value && typeof value === "string") || value === undefined ) { - classNames = ( value || "" ).split( rspace ); - - for ( i = 0, l = this.length; i < l; i++ ) { - elem = this[ i ]; - - if ( elem.nodeType === 1 && elem.className ) { - if ( value ) { - className = (" " + elem.className + " ").replace( rclass, " " ); - for ( c = 0, cl = classNames.length; c < cl; c++ ) { - className = className.replace(" " + classNames[ c ] + " ", " "); - } - elem.className = jQuery.trim( className ); - - } else { - elem.className = ""; - } - } - } - } - - return this; - }, - - toggleClass: function( value, stateVal ) { - var type = typeof value, - isBool = typeof stateVal === "boolean"; - - if ( jQuery.isFunction( value ) ) { - return this.each(function( i ) { - jQuery( this ).toggleClass( value.call(this, i, this.className, stateVal), stateVal ); - }); - } - - return this.each(function() { - if ( type === "string" ) { - // toggle individual class names - var className, - i = 0, - self = jQuery( this ), - state = stateVal, - classNames = value.split( rspace ); - - while ( (className = classNames[ i++ ]) ) { - // check each className given, space seperated list - state = isBool ? state : !self.hasClass( className ); - self[ state ? "addClass" : "removeClass" ]( className ); - } - - } else if ( type === "undefined" || type === "boolean" ) { - if ( this.className ) { - // store className if set - jQuery._data( this, "__className__", this.className ); - } - - // toggle whole className - this.className = this.className || value === false ? "" : jQuery._data( this, "__className__" ) || ""; - } - }); - }, - - hasClass: function( selector ) { - var className = " " + selector + " ", - i = 0, - l = this.length; - for ( ; i < l; i++ ) { - if ( this[i].nodeType === 1 && (" " + this[i].className + " ").replace(rclass, " ").indexOf( className ) > -1 ) { - return true; - } - } - - return false; - }, - - val: function( value ) { - var hooks, ret, isFunction, - elem = this[0]; - - if ( !arguments.length ) { - if ( elem ) { - hooks = jQuery.valHooks[ elem.type ] || jQuery.valHooks[ elem.nodeName.toLowerCase() ]; - - if ( hooks && "get" in hooks && (ret = hooks.get( elem, "value" )) !== undefined ) { - return ret; - } - - ret = elem.value; - - return typeof ret === "string" ? - // handle most common string cases - ret.replace(rreturn, "") : - // handle cases where value is null/undef or number - ret == null ? "" : ret; - } - - return; - } - - isFunction = jQuery.isFunction( value ); - - return this.each(function( i ) { - var self = jQuery(this), val; - - if ( this.nodeType !== 1 ) { - return; - } - - if ( isFunction ) { - val = value.call( this, i, self.val() ); - } else { - val = value; - } - - // Treat null/undefined as ""; convert numbers to string - if ( val == null ) { - val = ""; - } else if ( typeof val === "number" ) { - val += ""; - } else if ( jQuery.isArray( val ) ) { - val = jQuery.map(val, function ( value ) { - return value == null ? "" : value + ""; - }); - } - - hooks = jQuery.valHooks[ this.type ] || jQuery.valHooks[ this.nodeName.toLowerCase() ]; - - // If set returns undefined, fall back to normal setting - if ( !hooks || !("set" in hooks) || hooks.set( this, val, "value" ) === undefined ) { - this.value = val; - } - }); - } -}); - -jQuery.extend({ - valHooks: { - option: { - get: function( elem ) { - // attributes.value is undefined in Blackberry 4.7 but - // uses .value. See #6932 - var val = elem.attributes.value; - return !val || val.specified ? elem.value : elem.text; - } - }, - select: { - get: function( elem ) { - var value, i, max, option, - index = elem.selectedIndex, - values = [], - options = elem.options, - one = elem.type === "select-one"; - - // Nothing was selected - if ( index < 0 ) { - return null; - } - - // Loop through all the selected options - i = one ? index : 0; - max = one ? index + 1 : options.length; - for ( ; i < max; i++ ) { - option = options[ i ]; - - // Don't return options that are disabled or in a disabled optgroup - if ( option.selected && (jQuery.support.optDisabled ? !option.disabled : option.getAttribute("disabled") === null) && - (!option.parentNode.disabled || !jQuery.nodeName( option.parentNode, "optgroup" )) ) { - - // Get the specific value for the option - value = jQuery( option ).val(); - - // We don't need an array for one selects - if ( one ) { - return value; - } - - // Multi-Selects return an array - values.push( value ); - } - } - - // Fixes Bug #2551 -- select.val() broken in IE after form.reset() - if ( one && !values.length && options.length ) { - return jQuery( options[ index ] ).val(); - } - - return values; - }, - - set: function( elem, value ) { - var values = jQuery.makeArray( value ); - - jQuery(elem).find("option").each(function() { - this.selected = jQuery.inArray( jQuery(this).val(), values ) >= 0; - }); - - if ( !values.length ) { - elem.selectedIndex = -1; - } - return values; - } - } - }, - - attrFn: { - val: true, - css: true, - html: true, - text: true, - data: true, - width: true, - height: true, - offset: true - }, - - attr: function( elem, name, value, pass ) { - var ret, hooks, notxml, - nType = elem.nodeType; - - // don't get/set attributes on text, comment and attribute nodes - if ( !elem || nType === 3 || nType === 8 || nType === 2 ) { - return; - } - - if ( pass && name in jQuery.attrFn ) { - return jQuery( elem )[ name ]( value ); - } - - // Fallback to prop when attributes are not supported - if ( typeof elem.getAttribute === "undefined" ) { - return jQuery.prop( elem, name, value ); - } - - notxml = nType !== 1 || !jQuery.isXMLDoc( elem ); - - // All attributes are lowercase - // Grab necessary hook if one is defined - if ( notxml ) { - name = name.toLowerCase(); - hooks = jQuery.attrHooks[ name ] || ( rboolean.test( name ) ? boolHook : nodeHook ); - } - - if ( value !== undefined ) { - - if ( value === null ) { - jQuery.removeAttr( elem, name ); - return; - - } else if ( hooks && "set" in hooks && notxml && (ret = hooks.set( elem, value, name )) !== undefined ) { - return ret; - - } else { - elem.setAttribute( name, "" + value ); - return value; - } - - } else if ( hooks && "get" in hooks && notxml && (ret = hooks.get( elem, name )) !== null ) { - return ret; - - } else { - - ret = elem.getAttribute( name ); - - // Non-existent attributes return null, we normalize to undefined - return ret === null ? - undefined : - ret; - } - }, - - removeAttr: function( elem, value ) { - var propName, attrNames, name, l, isBool, - i = 0; - - if ( value && elem.nodeType === 1 ) { - attrNames = value.toLowerCase().split( rspace ); - l = attrNames.length; - - for ( ; i < l; i++ ) { - name = attrNames[ i ]; - - if ( name ) { - propName = jQuery.propFix[ name ] || name; - isBool = rboolean.test( name ); - - // See #9699 for explanation of this approach (setting first, then removal) - // Do not do this for boolean attributes (see #10870) - if ( !isBool ) { - jQuery.attr( elem, name, "" ); - } - elem.removeAttribute( getSetAttribute ? name : propName ); - - // Set corresponding property to false for boolean attributes - if ( isBool && propName in elem ) { - elem[ propName ] = false; - } - } - } - } - }, - - attrHooks: { - type: { - set: function( elem, value ) { - // We can't allow the type property to be changed (since it causes problems in IE) - if ( rtype.test( elem.nodeName ) && elem.parentNode ) { - jQuery.error( "type property can't be changed" ); - } else if ( !jQuery.support.radioValue && value === "radio" && jQuery.nodeName(elem, "input") ) { - // Setting the type on a radio button after the value resets the value in IE6-9 - // Reset value to it's default in case type is set after value - // This is for element creation - var val = elem.value; - elem.setAttribute( "type", value ); - if ( val ) { - elem.value = val; - } - return value; - } - } - }, - // Use the value property for back compat - // Use the nodeHook for button elements in IE6/7 (#1954) - value: { - get: function( elem, name ) { - if ( nodeHook && jQuery.nodeName( elem, "button" ) ) { - return nodeHook.get( elem, name ); - } - return name in elem ? - elem.value : - null; - }, - set: function( elem, value, name ) { - if ( nodeHook && jQuery.nodeName( elem, "button" ) ) { - return nodeHook.set( elem, value, name ); - } - // Does not return so that setAttribute is also used - elem.value = value; - } - } - }, - - propFix: { - tabindex: "tabIndex", - readonly: "readOnly", - "for": "htmlFor", - "class": "className", - maxlength: "maxLength", - cellspacing: "cellSpacing", - cellpadding: "cellPadding", - rowspan: "rowSpan", - colspan: "colSpan", - usemap: "useMap", - frameborder: "frameBorder", - contenteditable: "contentEditable" - }, - - prop: function( elem, name, value ) { - var ret, hooks, notxml, - nType = elem.nodeType; - - // don't get/set properties on text, comment and attribute nodes - if ( !elem || nType === 3 || nType === 8 || nType === 2 ) { - return; - } - - notxml = nType !== 1 || !jQuery.isXMLDoc( elem ); - - if ( notxml ) { - // Fix name and attach hooks - name = jQuery.propFix[ name ] || name; - hooks = jQuery.propHooks[ name ]; - } - - if ( value !== undefined ) { - if ( hooks && "set" in hooks && (ret = hooks.set( elem, value, name )) !== undefined ) { - return ret; - - } else { - return ( elem[ name ] = value ); - } - - } else { - if ( hooks && "get" in hooks && (ret = hooks.get( elem, name )) !== null ) { - return ret; - - } else { - return elem[ name ]; - } - } - }, - - propHooks: { - tabIndex: { - get: function( elem ) { - // elem.tabIndex doesn't always return the correct value when it hasn't been explicitly set - // http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ - var attributeNode = elem.getAttributeNode("tabindex"); - - return attributeNode && attributeNode.specified ? - parseInt( attributeNode.value, 10 ) : - rfocusable.test( elem.nodeName ) || rclickable.test( elem.nodeName ) && elem.href ? - 0 : - undefined; - } - } - } -}); - -// Add the tabIndex propHook to attrHooks for back-compat (different case is intentional) -jQuery.attrHooks.tabindex = jQuery.propHooks.tabIndex; - -// Hook for boolean attributes -boolHook = { - get: function( elem, name ) { - // Align boolean attributes with corresponding properties - // Fall back to attribute presence where some booleans are not supported - var attrNode, - property = jQuery.prop( elem, name ); - return property === true || typeof property !== "boolean" && ( attrNode = elem.getAttributeNode(name) ) && attrNode.nodeValue !== false ? - name.toLowerCase() : - undefined; - }, - set: function( elem, value, name ) { - var propName; - if ( value === false ) { - // Remove boolean attributes when set to false - jQuery.removeAttr( elem, name ); - } else { - // value is true since we know at this point it's type boolean and not false - // Set boolean attributes to the same name and set the DOM property - propName = jQuery.propFix[ name ] || name; - if ( propName in elem ) { - // Only set the IDL specifically if it already exists on the element - elem[ propName ] = true; - } - - elem.setAttribute( name, name.toLowerCase() ); - } - return name; - } -}; - -// IE6/7 do not support getting/setting some attributes with get/setAttribute -if ( !getSetAttribute ) { - - fixSpecified = { - name: true, - id: true, - coords: true - }; - - // Use this for any attribute in IE6/7 - // This fixes almost every IE6/7 issue - nodeHook = jQuery.valHooks.button = { - get: function( elem, name ) { - var ret; - ret = elem.getAttributeNode( name ); - return ret && ( fixSpecified[ name ] ? ret.nodeValue !== "" : ret.specified ) ? - ret.nodeValue : - undefined; - }, - set: function( elem, value, name ) { - // Set the existing or create a new attribute node - var ret = elem.getAttributeNode( name ); - if ( !ret ) { - ret = document.createAttribute( name ); - elem.setAttributeNode( ret ); - } - return ( ret.nodeValue = value + "" ); - } - }; - - // Apply the nodeHook to tabindex - jQuery.attrHooks.tabindex.set = nodeHook.set; - - // Set width and height to auto instead of 0 on empty string( Bug #8150 ) - // This is for removals - jQuery.each([ "width", "height" ], function( i, name ) { - jQuery.attrHooks[ name ] = jQuery.extend( jQuery.attrHooks[ name ], { - set: function( elem, value ) { - if ( value === "" ) { - elem.setAttribute( name, "auto" ); - return value; - } - } - }); - }); - - // Set contenteditable to false on removals(#10429) - // Setting to empty string throws an error as an invalid value - jQuery.attrHooks.contenteditable = { - get: nodeHook.get, - set: function( elem, value, name ) { - if ( value === "" ) { - value = "false"; - } - nodeHook.set( elem, value, name ); - } - }; -} - - -// Some attributes require a special call on IE -if ( !jQuery.support.hrefNormalized ) { - jQuery.each([ "href", "src", "width", "height" ], function( i, name ) { - jQuery.attrHooks[ name ] = jQuery.extend( jQuery.attrHooks[ name ], { - get: function( elem ) { - var ret = elem.getAttribute( name, 2 ); - return ret === null ? undefined : ret; - } - }); - }); -} - -if ( !jQuery.support.style ) { - jQuery.attrHooks.style = { - get: function( elem ) { - // Return undefined in the case of empty string - // Normalize to lowercase since IE uppercases css property names - return elem.style.cssText.toLowerCase() || undefined; - }, - set: function( elem, value ) { - return ( elem.style.cssText = "" + value ); - } - }; -} - -// Safari mis-reports the default selected property of an option -// Accessing the parent's selectedIndex property fixes it -if ( !jQuery.support.optSelected ) { - jQuery.propHooks.selected = jQuery.extend( jQuery.propHooks.selected, { - get: function( elem ) { - var parent = elem.parentNode; - - if ( parent ) { - parent.selectedIndex; - - // Make sure that it also works with optgroups, see #5701 - if ( parent.parentNode ) { - parent.parentNode.selectedIndex; - } - } - return null; - } - }); -} - -// IE6/7 call enctype encoding -if ( !jQuery.support.enctype ) { - jQuery.propFix.enctype = "encoding"; -} - -// Radios and checkboxes getter/setter -if ( !jQuery.support.checkOn ) { - jQuery.each([ "radio", "checkbox" ], function() { - jQuery.valHooks[ this ] = { - get: function( elem ) { - // Handle the case where in Webkit "" is returned instead of "on" if a value isn't specified - return elem.getAttribute("value") === null ? "on" : elem.value; - } - }; - }); -} -jQuery.each([ "radio", "checkbox" ], function() { - jQuery.valHooks[ this ] = jQuery.extend( jQuery.valHooks[ this ], { - set: function( elem, value ) { - if ( jQuery.isArray( value ) ) { - return ( elem.checked = jQuery.inArray( jQuery(elem).val(), value ) >= 0 ); - } - } - }); -}); - - - - -var rformElems = /^(?:textarea|input|select)$/i, - rtypenamespace = /^([^\.]*)?(?:\.(.+))?$/, - rhoverHack = /(?:^|\s)hover(\.\S+)?\b/, - rkeyEvent = /^key/, - rmouseEvent = /^(?:mouse|contextmenu)|click/, - rfocusMorph = /^(?:focusinfocus|focusoutblur)$/, - rquickIs = /^(\w*)(?:#([\w\-]+))?(?:\.([\w\-]+))?$/, - quickParse = function( selector ) { - var quick = rquickIs.exec( selector ); - if ( quick ) { - // 0 1 2 3 - // [ _, tag, id, class ] - quick[1] = ( quick[1] || "" ).toLowerCase(); - quick[3] = quick[3] && new RegExp( "(?:^|\\s)" + quick[3] + "(?:\\s|$)" ); - } - return quick; - }, - quickIs = function( elem, m ) { - var attrs = elem.attributes || {}; - return ( - (!m[1] || elem.nodeName.toLowerCase() === m[1]) && - (!m[2] || (attrs.id || {}).value === m[2]) && - (!m[3] || m[3].test( (attrs[ "class" ] || {}).value )) - ); - }, - hoverHack = function( events ) { - return jQuery.event.special.hover ? events : events.replace( rhoverHack, "mouseenter$1 mouseleave$1" ); - }; - -/* - * Helper functions for managing events -- not part of the public interface. - * Props to Dean Edwards' addEvent library for many of the ideas. - */ -jQuery.event = { - - add: function( elem, types, handler, data, selector ) { - - var elemData, eventHandle, events, - t, tns, type, namespaces, handleObj, - handleObjIn, quick, handlers, special; - - // Don't attach events to noData or text/comment nodes (allow plain objects tho) - if ( elem.nodeType === 3 || elem.nodeType === 8 || !types || !handler || !(elemData = jQuery._data( elem )) ) { - return; - } - - // Caller can pass in an object of custom data in lieu of the handler - if ( handler.handler ) { - handleObjIn = handler; - handler = handleObjIn.handler; - selector = handleObjIn.selector; - } - - // Make sure that the handler has a unique ID, used to find/remove it later - if ( !handler.guid ) { - handler.guid = jQuery.guid++; - } - - // Init the element's event structure and main handler, if this is the first - events = elemData.events; - if ( !events ) { - elemData.events = events = {}; - } - eventHandle = elemData.handle; - if ( !eventHandle ) { - elemData.handle = eventHandle = function( e ) { - // Discard the second event of a jQuery.event.trigger() and - // when an event is called after a page has unloaded - return typeof jQuery !== "undefined" && (!e || jQuery.event.triggered !== e.type) ? - jQuery.event.dispatch.apply( eventHandle.elem, arguments ) : - undefined; - }; - // Add elem as a property of the handle fn to prevent a memory leak with IE non-native events - eventHandle.elem = elem; - } - - // Handle multiple events separated by a space - // jQuery(...).bind("mouseover mouseout", fn); - types = jQuery.trim( hoverHack(types) ).split( " " ); - for ( t = 0; t < types.length; t++ ) { - - tns = rtypenamespace.exec( types[t] ) || []; - type = tns[1]; - namespaces = ( tns[2] || "" ).split( "." ).sort(); - - // If event changes its type, use the special event handlers for the changed type - special = jQuery.event.special[ type ] || {}; - - // If selector defined, determine special event api type, otherwise given type - type = ( selector ? special.delegateType : special.bindType ) || type; - - // Update special based on newly reset type - special = jQuery.event.special[ type ] || {}; - - // handleObj is passed to all event handlers - handleObj = jQuery.extend({ - type: type, - origType: tns[1], - data: data, - handler: handler, - guid: handler.guid, - selector: selector, - quick: selector && quickParse( selector ), - namespace: namespaces.join(".") - }, handleObjIn ); - - // Init the event handler queue if we're the first - handlers = events[ type ]; - if ( !handlers ) { - handlers = events[ type ] = []; - handlers.delegateCount = 0; - - // Only use addEventListener/attachEvent if the special events handler returns false - if ( !special.setup || special.setup.call( elem, data, namespaces, eventHandle ) === false ) { - // Bind the global event handler to the element - if ( elem.addEventListener ) { - elem.addEventListener( type, eventHandle, false ); - - } else if ( elem.attachEvent ) { - elem.attachEvent( "on" + type, eventHandle ); - } - } - } - - if ( special.add ) { - special.add.call( elem, handleObj ); - - if ( !handleObj.handler.guid ) { - handleObj.handler.guid = handler.guid; - } - } - - // Add to the element's handler list, delegates in front - if ( selector ) { - handlers.splice( handlers.delegateCount++, 0, handleObj ); - } else { - handlers.push( handleObj ); - } - - // Keep track of which events have ever been used, for event optimization - jQuery.event.global[ type ] = true; - } - - // Nullify elem to prevent memory leaks in IE - elem = null; - }, - - global: {}, - - // Detach an event or set of events from an element - remove: function( elem, types, handler, selector, mappedTypes ) { - - var elemData = jQuery.hasData( elem ) && jQuery._data( elem ), - t, tns, type, origType, namespaces, origCount, - j, events, special, handle, eventType, handleObj; - - if ( !elemData || !(events = elemData.events) ) { - return; - } - - // Once for each type.namespace in types; type may be omitted - types = jQuery.trim( hoverHack( types || "" ) ).split(" "); - for ( t = 0; t < types.length; t++ ) { - tns = rtypenamespace.exec( types[t] ) || []; - type = origType = tns[1]; - namespaces = tns[2]; - - // Unbind all events (on this namespace, if provided) for the element - if ( !type ) { - for ( type in events ) { - jQuery.event.remove( elem, type + types[ t ], handler, selector, true ); - } - continue; - } - - special = jQuery.event.special[ type ] || {}; - type = ( selector? special.delegateType : special.bindType ) || type; - eventType = events[ type ] || []; - origCount = eventType.length; - namespaces = namespaces ? new RegExp("(^|\\.)" + namespaces.split(".").sort().join("\\.(?:.*\\.)?") + "(\\.|$)") : null; - - // Remove matching events - for ( j = 0; j < eventType.length; j++ ) { - handleObj = eventType[ j ]; - - if ( ( mappedTypes || origType === handleObj.origType ) && - ( !handler || handler.guid === handleObj.guid ) && - ( !namespaces || namespaces.test( handleObj.namespace ) ) && - ( !selector || selector === handleObj.selector || selector === "**" && handleObj.selector ) ) { - eventType.splice( j--, 1 ); - - if ( handleObj.selector ) { - eventType.delegateCount--; - } - if ( special.remove ) { - special.remove.call( elem, handleObj ); - } - } - } - - // Remove generic event handler if we removed something and no more handlers exist - // (avoids potential for endless recursion during removal of special event handlers) - if ( eventType.length === 0 && origCount !== eventType.length ) { - if ( !special.teardown || special.teardown.call( elem, namespaces ) === false ) { - jQuery.removeEvent( elem, type, elemData.handle ); - } - - delete events[ type ]; - } - } - - // Remove the expando if it's no longer used - if ( jQuery.isEmptyObject( events ) ) { - handle = elemData.handle; - if ( handle ) { - handle.elem = null; - } - - // removeData also checks for emptiness and clears the expando if empty - // so use it instead of delete - jQuery.removeData( elem, [ "events", "handle" ], true ); - } - }, - - // Events that are safe to short-circuit if no handlers are attached. - // Native DOM events should not be added, they may have inline handlers. - customEvent: { - "getData": true, - "setData": true, - "changeData": true - }, - - trigger: function( event, data, elem, onlyHandlers ) { - // Don't do events on text and comment nodes - if ( elem && (elem.nodeType === 3 || elem.nodeType === 8) ) { - return; - } - - // Event object or event type - var type = event.type || event, - namespaces = [], - cache, exclusive, i, cur, old, ontype, special, handle, eventPath, bubbleType; - - // focus/blur morphs to focusin/out; ensure we're not firing them right now - if ( rfocusMorph.test( type + jQuery.event.triggered ) ) { - return; - } - - if ( type.indexOf( "!" ) >= 0 ) { - // Exclusive events trigger only for the exact event (no namespaces) - type = type.slice(0, -1); - exclusive = true; - } - - if ( type.indexOf( "." ) >= 0 ) { - // Namespaced trigger; create a regexp to match event type in handle() - namespaces = type.split("."); - type = namespaces.shift(); - namespaces.sort(); - } - - if ( (!elem || jQuery.event.customEvent[ type ]) && !jQuery.event.global[ type ] ) { - // No jQuery handlers for this event type, and it can't have inline handlers - return; - } - - // Caller can pass in an Event, Object, or just an event type string - event = typeof event === "object" ? - // jQuery.Event object - event[ jQuery.expando ] ? event : - // Object literal - new jQuery.Event( type, event ) : - // Just the event type (string) - new jQuery.Event( type ); - - event.type = type; - event.isTrigger = true; - event.exclusive = exclusive; - event.namespace = namespaces.join( "." ); - event.namespace_re = event.namespace? new RegExp("(^|\\.)" + namespaces.join("\\.(?:.*\\.)?") + "(\\.|$)") : null; - ontype = type.indexOf( ":" ) < 0 ? "on" + type : ""; - - // Handle a global trigger - if ( !elem ) { - - // TODO: Stop taunting the data cache; remove global events and always attach to document - cache = jQuery.cache; - for ( i in cache ) { - if ( cache[ i ].events && cache[ i ].events[ type ] ) { - jQuery.event.trigger( event, data, cache[ i ].handle.elem, true ); - } - } - return; - } - - // Clean up the event in case it is being reused - event.result = undefined; - if ( !event.target ) { - event.target = elem; - } - - // Clone any incoming data and prepend the event, creating the handler arg list - data = data != null ? jQuery.makeArray( data ) : []; - data.unshift( event ); - - // Allow special events to draw outside the lines - special = jQuery.event.special[ type ] || {}; - if ( special.trigger && special.trigger.apply( elem, data ) === false ) { - return; - } - - // Determine event propagation path in advance, per W3C events spec (#9951) - // Bubble up to document, then to window; watch for a global ownerDocument var (#9724) - eventPath = [[ elem, special.bindType || type ]]; - if ( !onlyHandlers && !special.noBubble && !jQuery.isWindow( elem ) ) { - - bubbleType = special.delegateType || type; - cur = rfocusMorph.test( bubbleType + type ) ? elem : elem.parentNode; - old = null; - for ( ; cur; cur = cur.parentNode ) { - eventPath.push([ cur, bubbleType ]); - old = cur; - } - - // Only add window if we got to document (e.g., not plain obj or detached DOM) - if ( old && old === elem.ownerDocument ) { - eventPath.push([ old.defaultView || old.parentWindow || window, bubbleType ]); - } - } - - // Fire handlers on the event path - for ( i = 0; i < eventPath.length && !event.isPropagationStopped(); i++ ) { - - cur = eventPath[i][0]; - event.type = eventPath[i][1]; - - handle = ( jQuery._data( cur, "events" ) || {} )[ event.type ] && jQuery._data( cur, "handle" ); - if ( handle ) { - handle.apply( cur, data ); - } - // Note that this is a bare JS function and not a jQuery handler - handle = ontype && cur[ ontype ]; - if ( handle && jQuery.acceptData( cur ) && handle.apply( cur, data ) === false ) { - event.preventDefault(); - } - } - event.type = type; - - // If nobody prevented the default action, do it now - if ( !onlyHandlers && !event.isDefaultPrevented() ) { - - if ( (!special._default || special._default.apply( elem.ownerDocument, data ) === false) && - !(type === "click" && jQuery.nodeName( elem, "a" )) && jQuery.acceptData( elem ) ) { - - // Call a native DOM method on the target with the same name name as the event. - // Can't use an .isFunction() check here because IE6/7 fails that test. - // Don't do default actions on window, that's where global variables be (#6170) - // IE<9 dies on focus/blur to hidden element (#1486) - if ( ontype && elem[ type ] && ((type !== "focus" && type !== "blur") || event.target.offsetWidth !== 0) && !jQuery.isWindow( elem ) ) { - - // Don't re-trigger an onFOO event when we call its FOO() method - old = elem[ ontype ]; - - if ( old ) { - elem[ ontype ] = null; - } - - // Prevent re-triggering of the same event, since we already bubbled it above - jQuery.event.triggered = type; - elem[ type ](); - jQuery.event.triggered = undefined; - - if ( old ) { - elem[ ontype ] = old; - } - } - } - } - - return event.result; - }, - - dispatch: function( event ) { - - // Make a writable jQuery.Event from the native event object - event = jQuery.event.fix( event || window.event ); - - var handlers = ( (jQuery._data( this, "events" ) || {} )[ event.type ] || []), - delegateCount = handlers.delegateCount, - args = [].slice.call( arguments, 0 ), - run_all = !event.exclusive && !event.namespace, - special = jQuery.event.special[ event.type ] || {}, - handlerQueue = [], - i, j, cur, jqcur, ret, selMatch, matched, matches, handleObj, sel, related; - - // Use the fix-ed jQuery.Event rather than the (read-only) native event - args[0] = event; - event.delegateTarget = this; - - // Call the preDispatch hook for the mapped type, and let it bail if desired - if ( special.preDispatch && special.preDispatch.call( this, event ) === false ) { - return; - } - - // Determine handlers that should run if there are delegated events - // Avoid non-left-click bubbling in Firefox (#3861) - if ( delegateCount && !(event.button && event.type === "click") ) { - - // Pregenerate a single jQuery object for reuse with .is() - jqcur = jQuery(this); - jqcur.context = this.ownerDocument || this; - - for ( cur = event.target; cur != this; cur = cur.parentNode || this ) { - - // Don't process events on disabled elements (#6911, #8165) - if ( cur.disabled !== true ) { - selMatch = {}; - matches = []; - jqcur[0] = cur; - for ( i = 0; i < delegateCount; i++ ) { - handleObj = handlers[ i ]; - sel = handleObj.selector; - - if ( selMatch[ sel ] === undefined ) { - selMatch[ sel ] = ( - handleObj.quick ? quickIs( cur, handleObj.quick ) : jqcur.is( sel ) - ); - } - if ( selMatch[ sel ] ) { - matches.push( handleObj ); - } - } - if ( matches.length ) { - handlerQueue.push({ elem: cur, matches: matches }); - } - } - } - } - - // Add the remaining (directly-bound) handlers - if ( handlers.length > delegateCount ) { - handlerQueue.push({ elem: this, matches: handlers.slice( delegateCount ) }); - } - - // Run delegates first; they may want to stop propagation beneath us - for ( i = 0; i < handlerQueue.length && !event.isPropagationStopped(); i++ ) { - matched = handlerQueue[ i ]; - event.currentTarget = matched.elem; - - for ( j = 0; j < matched.matches.length && !event.isImmediatePropagationStopped(); j++ ) { - handleObj = matched.matches[ j ]; - - // Triggered event must either 1) be non-exclusive and have no namespace, or - // 2) have namespace(s) a subset or equal to those in the bound event (both can have no namespace). - if ( run_all || (!event.namespace && !handleObj.namespace) || event.namespace_re && event.namespace_re.test( handleObj.namespace ) ) { - - event.data = handleObj.data; - event.handleObj = handleObj; - - ret = ( (jQuery.event.special[ handleObj.origType ] || {}).handle || handleObj.handler ) - .apply( matched.elem, args ); - - if ( ret !== undefined ) { - event.result = ret; - if ( ret === false ) { - event.preventDefault(); - event.stopPropagation(); - } - } - } - } - } - - // Call the postDispatch hook for the mapped type - if ( special.postDispatch ) { - special.postDispatch.call( this, event ); - } - - return event.result; - }, - - // Includes some event props shared by KeyEvent and MouseEvent - // *** attrChange attrName relatedNode srcElement are not normalized, non-W3C, deprecated, will be removed in 1.8 *** - props: "attrChange attrName relatedNode srcElement altKey bubbles cancelable ctrlKey currentTarget eventPhase metaKey relatedTarget shiftKey target timeStamp view which".split(" "), - - fixHooks: {}, - - keyHooks: { - props: "char charCode key keyCode".split(" "), - filter: function( event, original ) { - - // Add which for key events - if ( event.which == null ) { - event.which = original.charCode != null ? original.charCode : original.keyCode; - } - - return event; - } - }, - - mouseHooks: { - props: "button buttons clientX clientY fromElement offsetX offsetY pageX pageY screenX screenY toElement".split(" "), - filter: function( event, original ) { - var eventDoc, doc, body, - button = original.button, - fromElement = original.fromElement; - - // Calculate pageX/Y if missing and clientX/Y available - if ( event.pageX == null && original.clientX != null ) { - eventDoc = event.target.ownerDocument || document; - doc = eventDoc.documentElement; - body = eventDoc.body; - - event.pageX = original.clientX + ( doc && doc.scrollLeft || body && body.scrollLeft || 0 ) - ( doc && doc.clientLeft || body && body.clientLeft || 0 ); - event.pageY = original.clientY + ( doc && doc.scrollTop || body && body.scrollTop || 0 ) - ( doc && doc.clientTop || body && body.clientTop || 0 ); - } - - // Add relatedTarget, if necessary - if ( !event.relatedTarget && fromElement ) { - event.relatedTarget = fromElement === event.target ? original.toElement : fromElement; - } - - // Add which for click: 1 === left; 2 === middle; 3 === right - // Note: button is not normalized, so don't use it - if ( !event.which && button !== undefined ) { - event.which = ( button & 1 ? 1 : ( button & 2 ? 3 : ( button & 4 ? 2 : 0 ) ) ); - } - - return event; - } - }, - - fix: function( event ) { - if ( event[ jQuery.expando ] ) { - return event; - } - - // Create a writable copy of the event object and normalize some properties - var i, prop, - originalEvent = event, - fixHook = jQuery.event.fixHooks[ event.type ] || {}, - copy = fixHook.props ? this.props.concat( fixHook.props ) : this.props; - - event = jQuery.Event( originalEvent ); - - for ( i = copy.length; i; ) { - prop = copy[ --i ]; - event[ prop ] = originalEvent[ prop ]; - } - - // Fix target property, if necessary (#1925, IE 6/7/8 & Safari2) - if ( !event.target ) { - event.target = originalEvent.srcElement || document; - } - - // Target should not be a text node (#504, Safari) - if ( event.target.nodeType === 3 ) { - event.target = event.target.parentNode; - } - - // For mouse/key events; add metaKey if it's not there (#3368, IE6/7/8) - if ( event.metaKey === undefined ) { - event.metaKey = event.ctrlKey; - } - - return fixHook.filter? fixHook.filter( event, originalEvent ) : event; - }, - - special: { - ready: { - // Make sure the ready event is setup - setup: jQuery.bindReady - }, - - load: { - // Prevent triggered image.load events from bubbling to window.load - noBubble: true - }, - - focus: { - delegateType: "focusin" - }, - blur: { - delegateType: "focusout" - }, - - beforeunload: { - setup: function( data, namespaces, eventHandle ) { - // We only want to do this special case on windows - if ( jQuery.isWindow( this ) ) { - this.onbeforeunload = eventHandle; - } - }, - - teardown: function( namespaces, eventHandle ) { - if ( this.onbeforeunload === eventHandle ) { - this.onbeforeunload = null; - } - } - } - }, - - simulate: function( type, elem, event, bubble ) { - // Piggyback on a donor event to simulate a different one. - // Fake originalEvent to avoid donor's stopPropagation, but if the - // simulated event prevents default then we do the same on the donor. - var e = jQuery.extend( - new jQuery.Event(), - event, - { type: type, - isSimulated: true, - originalEvent: {} - } - ); - if ( bubble ) { - jQuery.event.trigger( e, null, elem ); - } else { - jQuery.event.dispatch.call( elem, e ); - } - if ( e.isDefaultPrevented() ) { - event.preventDefault(); - } - } -}; - -// Some plugins are using, but it's undocumented/deprecated and will be removed. -// The 1.7 special event interface should provide all the hooks needed now. -jQuery.event.handle = jQuery.event.dispatch; - -jQuery.removeEvent = document.removeEventListener ? - function( elem, type, handle ) { - if ( elem.removeEventListener ) { - elem.removeEventListener( type, handle, false ); - } - } : - function( elem, type, handle ) { - if ( elem.detachEvent ) { - elem.detachEvent( "on" + type, handle ); - } - }; - -jQuery.Event = function( src, props ) { - // Allow instantiation without the 'new' keyword - if ( !(this instanceof jQuery.Event) ) { - return new jQuery.Event( src, props ); - } - - // Event object - if ( src && src.type ) { - this.originalEvent = src; - this.type = src.type; - - // Events bubbling up the document may have been marked as prevented - // by a handler lower down the tree; reflect the correct value. - this.isDefaultPrevented = ( src.defaultPrevented || src.returnValue === false || - src.getPreventDefault && src.getPreventDefault() ) ? returnTrue : returnFalse; - - // Event type - } else { - this.type = src; - } - - // Put explicitly provided properties onto the event object - if ( props ) { - jQuery.extend( this, props ); - } - - // Create a timestamp if incoming event doesn't have one - this.timeStamp = src && src.timeStamp || jQuery.now(); - - // Mark it as fixed - this[ jQuery.expando ] = true; -}; - -function returnFalse() { - return false; -} -function returnTrue() { - return true; -} - -// jQuery.Event is based on DOM3 Events as specified by the ECMAScript Language Binding -// http://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html -jQuery.Event.prototype = { - preventDefault: function() { - this.isDefaultPrevented = returnTrue; - - var e = this.originalEvent; - if ( !e ) { - return; - } - - // if preventDefault exists run it on the original event - if ( e.preventDefault ) { - e.preventDefault(); - - // otherwise set the returnValue property of the original event to false (IE) - } else { - e.returnValue = false; - } - }, - stopPropagation: function() { - this.isPropagationStopped = returnTrue; - - var e = this.originalEvent; - if ( !e ) { - return; - } - // if stopPropagation exists run it on the original event - if ( e.stopPropagation ) { - e.stopPropagation(); - } - // otherwise set the cancelBubble property of the original event to true (IE) - e.cancelBubble = true; - }, - stopImmediatePropagation: function() { - this.isImmediatePropagationStopped = returnTrue; - this.stopPropagation(); - }, - isDefaultPrevented: returnFalse, - isPropagationStopped: returnFalse, - isImmediatePropagationStopped: returnFalse -}; - -// Create mouseenter/leave events using mouseover/out and event-time checks -jQuery.each({ - mouseenter: "mouseover", - mouseleave: "mouseout" -}, function( orig, fix ) { - jQuery.event.special[ orig ] = { - delegateType: fix, - bindType: fix, - - handle: function( event ) { - var target = this, - related = event.relatedTarget, - handleObj = event.handleObj, - selector = handleObj.selector, - ret; - - // For mousenter/leave call the handler if related is outside the target. - // NB: No relatedTarget if the mouse left/entered the browser window - if ( !related || (related !== target && !jQuery.contains( target, related )) ) { - event.type = handleObj.origType; - ret = handleObj.handler.apply( this, arguments ); - event.type = fix; - } - return ret; - } - }; -}); - -// IE submit delegation -if ( !jQuery.support.submitBubbles ) { - - jQuery.event.special.submit = { - setup: function() { - // Only need this for delegated form submit events - if ( jQuery.nodeName( this, "form" ) ) { - return false; - } - - // Lazy-add a submit handler when a descendant form may potentially be submitted - jQuery.event.add( this, "click._submit keypress._submit", function( e ) { - // Node name check avoids a VML-related crash in IE (#9807) - var elem = e.target, - form = jQuery.nodeName( elem, "input" ) || jQuery.nodeName( elem, "button" ) ? elem.form : undefined; - if ( form && !form._submit_attached ) { - jQuery.event.add( form, "submit._submit", function( event ) { - event._submit_bubble = true; - }); - form._submit_attached = true; - } - }); - // return undefined since we don't need an event listener - }, - - postDispatch: function( event ) { - // If form was submitted by the user, bubble the event up the tree - if ( event._submit_bubble ) { - delete event._submit_bubble; - if ( this.parentNode && !event.isTrigger ) { - jQuery.event.simulate( "submit", this.parentNode, event, true ); - } - } - }, - - teardown: function() { - // Only need this for delegated form submit events - if ( jQuery.nodeName( this, "form" ) ) { - return false; - } - - // Remove delegated handlers; cleanData eventually reaps submit handlers attached above - jQuery.event.remove( this, "._submit" ); - } - }; -} - -// IE change delegation and checkbox/radio fix -if ( !jQuery.support.changeBubbles ) { - - jQuery.event.special.change = { - - setup: function() { - - if ( rformElems.test( this.nodeName ) ) { - // IE doesn't fire change on a check/radio until blur; trigger it on click - // after a propertychange. Eat the blur-change in special.change.handle. - // This still fires onchange a second time for check/radio after blur. - if ( this.type === "checkbox" || this.type === "radio" ) { - jQuery.event.add( this, "propertychange._change", function( event ) { - if ( event.originalEvent.propertyName === "checked" ) { - this._just_changed = true; - } - }); - jQuery.event.add( this, "click._change", function( event ) { - if ( this._just_changed && !event.isTrigger ) { - this._just_changed = false; - jQuery.event.simulate( "change", this, event, true ); - } - }); - } - return false; - } - // Delegated event; lazy-add a change handler on descendant inputs - jQuery.event.add( this, "beforeactivate._change", function( e ) { - var elem = e.target; - - if ( rformElems.test( elem.nodeName ) && !elem._change_attached ) { - jQuery.event.add( elem, "change._change", function( event ) { - if ( this.parentNode && !event.isSimulated && !event.isTrigger ) { - jQuery.event.simulate( "change", this.parentNode, event, true ); - } - }); - elem._change_attached = true; - } - }); - }, - - handle: function( event ) { - var elem = event.target; - - // Swallow native change events from checkbox/radio, we already triggered them above - if ( this !== elem || event.isSimulated || event.isTrigger || (elem.type !== "radio" && elem.type !== "checkbox") ) { - return event.handleObj.handler.apply( this, arguments ); - } - }, - - teardown: function() { - jQuery.event.remove( this, "._change" ); - - return rformElems.test( this.nodeName ); - } - }; -} - -// Create "bubbling" focus and blur events -if ( !jQuery.support.focusinBubbles ) { - jQuery.each({ focus: "focusin", blur: "focusout" }, function( orig, fix ) { - - // Attach a single capturing handler while someone wants focusin/focusout - var attaches = 0, - handler = function( event ) { - jQuery.event.simulate( fix, event.target, jQuery.event.fix( event ), true ); - }; - - jQuery.event.special[ fix ] = { - setup: function() { - if ( attaches++ === 0 ) { - document.addEventListener( orig, handler, true ); - } - }, - teardown: function() { - if ( --attaches === 0 ) { - document.removeEventListener( orig, handler, true ); - } - } - }; - }); -} - -jQuery.fn.extend({ - - on: function( types, selector, data, fn, /*INTERNAL*/ one ) { - var origFn, type; - - // Types can be a map of types/handlers - if ( typeof types === "object" ) { - // ( types-Object, selector, data ) - if ( typeof selector !== "string" ) { // && selector != null - // ( types-Object, data ) - data = data || selector; - selector = undefined; - } - for ( type in types ) { - this.on( type, selector, data, types[ type ], one ); - } - return this; - } - - if ( data == null && fn == null ) { - // ( types, fn ) - fn = selector; - data = selector = undefined; - } else if ( fn == null ) { - if ( typeof selector === "string" ) { - // ( types, selector, fn ) - fn = data; - data = undefined; - } else { - // ( types, data, fn ) - fn = data; - data = selector; - selector = undefined; - } - } - if ( fn === false ) { - fn = returnFalse; - } else if ( !fn ) { - return this; - } - - if ( one === 1 ) { - origFn = fn; - fn = function( event ) { - // Can use an empty set, since event contains the info - jQuery().off( event ); - return origFn.apply( this, arguments ); - }; - // Use same guid so caller can remove using origFn - fn.guid = origFn.guid || ( origFn.guid = jQuery.guid++ ); - } - return this.each( function() { - jQuery.event.add( this, types, fn, data, selector ); - }); - }, - one: function( types, selector, data, fn ) { - return this.on( types, selector, data, fn, 1 ); - }, - off: function( types, selector, fn ) { - if ( types && types.preventDefault && types.handleObj ) { - // ( event ) dispatched jQuery.Event - var handleObj = types.handleObj; - jQuery( types.delegateTarget ).off( - handleObj.namespace ? handleObj.origType + "." + handleObj.namespace : handleObj.origType, - handleObj.selector, - handleObj.handler - ); - return this; - } - if ( typeof types === "object" ) { - // ( types-object [, selector] ) - for ( var type in types ) { - this.off( type, selector, types[ type ] ); - } - return this; - } - if ( selector === false || typeof selector === "function" ) { - // ( types [, fn] ) - fn = selector; - selector = undefined; - } - if ( fn === false ) { - fn = returnFalse; - } - return this.each(function() { - jQuery.event.remove( this, types, fn, selector ); - }); - }, - - bind: function( types, data, fn ) { - return this.on( types, null, data, fn ); - }, - unbind: function( types, fn ) { - return this.off( types, null, fn ); - }, - - live: function( types, data, fn ) { - jQuery( this.context ).on( types, this.selector, data, fn ); - return this; - }, - die: function( types, fn ) { - jQuery( this.context ).off( types, this.selector || "**", fn ); - return this; - }, - - delegate: function( selector, types, data, fn ) { - return this.on( types, selector, data, fn ); - }, - undelegate: function( selector, types, fn ) { - // ( namespace ) or ( selector, types [, fn] ) - return arguments.length == 1? this.off( selector, "**" ) : this.off( types, selector, fn ); - }, - - trigger: function( type, data ) { - return this.each(function() { - jQuery.event.trigger( type, data, this ); - }); - }, - triggerHandler: function( type, data ) { - if ( this[0] ) { - return jQuery.event.trigger( type, data, this[0], true ); - } - }, - - toggle: function( fn ) { - // Save reference to arguments for access in closure - var args = arguments, - guid = fn.guid || jQuery.guid++, - i = 0, - toggler = function( event ) { - // Figure out which function to execute - var lastToggle = ( jQuery._data( this, "lastToggle" + fn.guid ) || 0 ) % i; - jQuery._data( this, "lastToggle" + fn.guid, lastToggle + 1 ); - - // Make sure that clicks stop - event.preventDefault(); - - // and execute the function - return args[ lastToggle ].apply( this, arguments ) || false; - }; - - // link all the functions, so any of them can unbind this click handler - toggler.guid = guid; - while ( i < args.length ) { - args[ i++ ].guid = guid; - } - - return this.click( toggler ); - }, - - hover: function( fnOver, fnOut ) { - return this.mouseenter( fnOver ).mouseleave( fnOut || fnOver ); - } -}); - -jQuery.each( ("blur focus focusin focusout load resize scroll unload click dblclick " + - "mousedown mouseup mousemove mouseover mouseout mouseenter mouseleave " + - "change select submit keydown keypress keyup error contextmenu").split(" "), function( i, name ) { - - // Handle event binding - jQuery.fn[ name ] = function( data, fn ) { - if ( fn == null ) { - fn = data; - data = null; - } - - return arguments.length > 0 ? - this.on( name, null, data, fn ) : - this.trigger( name ); - }; - - if ( jQuery.attrFn ) { - jQuery.attrFn[ name ] = true; - } - - if ( rkeyEvent.test( name ) ) { - jQuery.event.fixHooks[ name ] = jQuery.event.keyHooks; - } - - if ( rmouseEvent.test( name ) ) { - jQuery.event.fixHooks[ name ] = jQuery.event.mouseHooks; - } -}); - - - -/*! - * Sizzle CSS Selector Engine - * Copyright 2011, The Dojo Foundation - * Released under the MIT, BSD, and GPL Licenses. - * More information: http://sizzlejs.com/ - */ -(function(){ - -var chunker = /((?:\((?:\([^()]+\)|[^()]+)+\)|\[(?:\[[^\[\]]*\]|['"][^'"]*['"]|[^\[\]'"]+)+\]|\\.|[^ >+~,(\[\\]+)+|[>+~])(\s*,\s*)?((?:.|\r|\n)*)/g, - expando = "sizcache" + (Math.random() + '').replace('.', ''), - done = 0, - toString = Object.prototype.toString, - hasDuplicate = false, - baseHasDuplicate = true, - rBackslash = /\\/g, - rReturn = /\r\n/g, - rNonWord = /\W/; - -// Here we check if the JavaScript engine is using some sort of -// optimization where it does not always call our comparision -// function. If that is the case, discard the hasDuplicate value. -// Thus far that includes Google Chrome. -[0, 0].sort(function() { - baseHasDuplicate = false; - return 0; -}); - -var Sizzle = function( selector, context, results, seed ) { - results = results || []; - context = context || document; - - var origContext = context; - - if ( context.nodeType !== 1 && context.nodeType !== 9 ) { - return []; - } - - if ( !selector || typeof selector !== "string" ) { - return results; - } - - var m, set, checkSet, extra, ret, cur, pop, i, - prune = true, - contextXML = Sizzle.isXML( context ), - parts = [], - soFar = selector; - - // Reset the position of the chunker regexp (start from head) - do { - chunker.exec( "" ); - m = chunker.exec( soFar ); - - if ( m ) { - soFar = m[3]; - - parts.push( m[1] ); - - if ( m[2] ) { - extra = m[3]; - break; - } - } - } while ( m ); - - if ( parts.length > 1 && origPOS.exec( selector ) ) { - - if ( parts.length === 2 && Expr.relative[ parts[0] ] ) { - set = posProcess( parts[0] + parts[1], context, seed ); - - } else { - set = Expr.relative[ parts[0] ] ? - [ context ] : - Sizzle( parts.shift(), context ); - - while ( parts.length ) { - selector = parts.shift(); - - if ( Expr.relative[ selector ] ) { - selector += parts.shift(); - } - - set = posProcess( selector, set, seed ); - } - } - - } else { - // Take a shortcut and set the context if the root selector is an ID - // (but not if it'll be faster if the inner selector is an ID) - if ( !seed && parts.length > 1 && context.nodeType === 9 && !contextXML && - Expr.match.ID.test(parts[0]) && !Expr.match.ID.test(parts[parts.length - 1]) ) { - - ret = Sizzle.find( parts.shift(), context, contextXML ); - context = ret.expr ? - Sizzle.filter( ret.expr, ret.set )[0] : - ret.set[0]; - } - - if ( context ) { - ret = seed ? - { expr: parts.pop(), set: makeArray(seed) } : - Sizzle.find( parts.pop(), parts.length === 1 && (parts[0] === "~" || parts[0] === "+") && context.parentNode ? context.parentNode : context, contextXML ); - - set = ret.expr ? - Sizzle.filter( ret.expr, ret.set ) : - ret.set; - - if ( parts.length > 0 ) { - checkSet = makeArray( set ); - - } else { - prune = false; - } - - while ( parts.length ) { - cur = parts.pop(); - pop = cur; - - if ( !Expr.relative[ cur ] ) { - cur = ""; - } else { - pop = parts.pop(); - } - - if ( pop == null ) { - pop = context; - } - - Expr.relative[ cur ]( checkSet, pop, contextXML ); - } - - } else { - checkSet = parts = []; - } - } - - if ( !checkSet ) { - checkSet = set; - } - - if ( !checkSet ) { - Sizzle.error( cur || selector ); - } - - if ( toString.call(checkSet) === "[object Array]" ) { - if ( !prune ) { - results.push.apply( results, checkSet ); - - } else if ( context && context.nodeType === 1 ) { - for ( i = 0; checkSet[i] != null; i++ ) { - if ( checkSet[i] && (checkSet[i] === true || checkSet[i].nodeType === 1 && Sizzle.contains(context, checkSet[i])) ) { - results.push( set[i] ); - } - } - - } else { - for ( i = 0; checkSet[i] != null; i++ ) { - if ( checkSet[i] && checkSet[i].nodeType === 1 ) { - results.push( set[i] ); - } - } - } - - } else { - makeArray( checkSet, results ); - } - - if ( extra ) { - Sizzle( extra, origContext, results, seed ); - Sizzle.uniqueSort( results ); - } - - return results; -}; - -Sizzle.uniqueSort = function( results ) { - if ( sortOrder ) { - hasDuplicate = baseHasDuplicate; - results.sort( sortOrder ); - - if ( hasDuplicate ) { - for ( var i = 1; i < results.length; i++ ) { - if ( results[i] === results[ i - 1 ] ) { - results.splice( i--, 1 ); - } - } - } - } - - return results; -}; - -Sizzle.matches = function( expr, set ) { - return Sizzle( expr, null, null, set ); -}; - -Sizzle.matchesSelector = function( node, expr ) { - return Sizzle( expr, null, null, [node] ).length > 0; -}; - -Sizzle.find = function( expr, context, isXML ) { - var set, i, len, match, type, left; - - if ( !expr ) { - return []; - } - - for ( i = 0, len = Expr.order.length; i < len; i++ ) { - type = Expr.order[i]; - - if ( (match = Expr.leftMatch[ type ].exec( expr )) ) { - left = match[1]; - match.splice( 1, 1 ); - - if ( left.substr( left.length - 1 ) !== "\\" ) { - match[1] = (match[1] || "").replace( rBackslash, "" ); - set = Expr.find[ type ]( match, context, isXML ); - - if ( set != null ) { - expr = expr.replace( Expr.match[ type ], "" ); - break; - } - } - } - } - - if ( !set ) { - set = typeof context.getElementsByTagName !== "undefined" ? - context.getElementsByTagName( "*" ) : - []; - } - - return { set: set, expr: expr }; -}; - -Sizzle.filter = function( expr, set, inplace, not ) { - var match, anyFound, - type, found, item, filter, left, - i, pass, - old = expr, - result = [], - curLoop = set, - isXMLFilter = set && set[0] && Sizzle.isXML( set[0] ); - - while ( expr && set.length ) { - for ( type in Expr.filter ) { - if ( (match = Expr.leftMatch[ type ].exec( expr )) != null && match[2] ) { - filter = Expr.filter[ type ]; - left = match[1]; - - anyFound = false; - - match.splice(1,1); - - if ( left.substr( left.length - 1 ) === "\\" ) { - continue; - } - - if ( curLoop === result ) { - result = []; - } - - if ( Expr.preFilter[ type ] ) { - match = Expr.preFilter[ type ]( match, curLoop, inplace, result, not, isXMLFilter ); - - if ( !match ) { - anyFound = found = true; - - } else if ( match === true ) { - continue; - } - } - - if ( match ) { - for ( i = 0; (item = curLoop[i]) != null; i++ ) { - if ( item ) { - found = filter( item, match, i, curLoop ); - pass = not ^ found; - - if ( inplace && found != null ) { - if ( pass ) { - anyFound = true; - - } else { - curLoop[i] = false; - } - - } else if ( pass ) { - result.push( item ); - anyFound = true; - } - } - } - } - - if ( found !== undefined ) { - if ( !inplace ) { - curLoop = result; - } - - expr = expr.replace( Expr.match[ type ], "" ); - - if ( !anyFound ) { - return []; - } - - break; - } - } - } - - // Improper expression - if ( expr === old ) { - if ( anyFound == null ) { - Sizzle.error( expr ); - - } else { - break; - } - } - - old = expr; - } - - return curLoop; -}; - -Sizzle.error = function( msg ) { - throw new Error( "Syntax error, unrecognized expression: " + msg ); -}; - -/** - * Utility function for retreiving the text value of an array of DOM nodes - * @param {Array|Element} elem - */ -var getText = Sizzle.getText = function( elem ) { - var i, node, - nodeType = elem.nodeType, - ret = ""; - - if ( nodeType ) { - if ( nodeType === 1 || nodeType === 9 || nodeType === 11 ) { - // Use textContent || innerText for elements - if ( typeof elem.textContent === 'string' ) { - return elem.textContent; - } else if ( typeof elem.innerText === 'string' ) { - // Replace IE's carriage returns - return elem.innerText.replace( rReturn, '' ); - } else { - // Traverse it's children - for ( elem = elem.firstChild; elem; elem = elem.nextSibling) { - ret += getText( elem ); - } - } - } else if ( nodeType === 3 || nodeType === 4 ) { - return elem.nodeValue; - } - } else { - - // If no nodeType, this is expected to be an array - for ( i = 0; (node = elem[i]); i++ ) { - // Do not traverse comment nodes - if ( node.nodeType !== 8 ) { - ret += getText( node ); - } - } - } - return ret; -}; - -var Expr = Sizzle.selectors = { - order: [ "ID", "NAME", "TAG" ], - - match: { - ID: /#((?:[\w\u00c0-\uFFFF\-]|\\.)+)/, - CLASS: /\.((?:[\w\u00c0-\uFFFF\-]|\\.)+)/, - NAME: /\[name=['"]*((?:[\w\u00c0-\uFFFF\-]|\\.)+)['"]*\]/, - ATTR: /\[\s*((?:[\w\u00c0-\uFFFF\-]|\\.)+)\s*(?:(\S?=)\s*(?:(['"])(.*?)\3|(#?(?:[\w\u00c0-\uFFFF\-]|\\.)*)|)|)\s*\]/, - TAG: /^((?:[\w\u00c0-\uFFFF\*\-]|\\.)+)/, - CHILD: /:(only|nth|last|first)-child(?:\(\s*(even|odd|(?:[+\-]?\d+|(?:[+\-]?\d*)?n\s*(?:[+\-]\s*\d+)?))\s*\))?/, - POS: /:(nth|eq|gt|lt|first|last|even|odd)(?:\((\d*)\))?(?=[^\-]|$)/, - PSEUDO: /:((?:[\w\u00c0-\uFFFF\-]|\\.)+)(?:\((['"]?)((?:\([^\)]+\)|[^\(\)]*)+)\2\))?/ - }, - - leftMatch: {}, - - attrMap: { - "class": "className", - "for": "htmlFor" - }, - - attrHandle: { - href: function( elem ) { - return elem.getAttribute( "href" ); - }, - type: function( elem ) { - return elem.getAttribute( "type" ); - } - }, - - relative: { - "+": function(checkSet, part){ - var isPartStr = typeof part === "string", - isTag = isPartStr && !rNonWord.test( part ), - isPartStrNotTag = isPartStr && !isTag; - - if ( isTag ) { - part = part.toLowerCase(); - } - - for ( var i = 0, l = checkSet.length, elem; i < l; i++ ) { - if ( (elem = checkSet[i]) ) { - while ( (elem = elem.previousSibling) && elem.nodeType !== 1 ) {} - - checkSet[i] = isPartStrNotTag || elem && elem.nodeName.toLowerCase() === part ? - elem || false : - elem === part; - } - } - - if ( isPartStrNotTag ) { - Sizzle.filter( part, checkSet, true ); - } - }, - - ">": function( checkSet, part ) { - var elem, - isPartStr = typeof part === "string", - i = 0, - l = checkSet.length; - - if ( isPartStr && !rNonWord.test( part ) ) { - part = part.toLowerCase(); - - for ( ; i < l; i++ ) { - elem = checkSet[i]; - - if ( elem ) { - var parent = elem.parentNode; - checkSet[i] = parent.nodeName.toLowerCase() === part ? parent : false; - } - } - - } else { - for ( ; i < l; i++ ) { - elem = checkSet[i]; - - if ( elem ) { - checkSet[i] = isPartStr ? - elem.parentNode : - elem.parentNode === part; - } - } - - if ( isPartStr ) { - Sizzle.filter( part, checkSet, true ); - } - } - }, - - "": function(checkSet, part, isXML){ - var nodeCheck, - doneName = done++, - checkFn = dirCheck; - - if ( typeof part === "string" && !rNonWord.test( part ) ) { - part = part.toLowerCase(); - nodeCheck = part; - checkFn = dirNodeCheck; - } - - checkFn( "parentNode", part, doneName, checkSet, nodeCheck, isXML ); - }, - - "~": function( checkSet, part, isXML ) { - var nodeCheck, - doneName = done++, - checkFn = dirCheck; - - if ( typeof part === "string" && !rNonWord.test( part ) ) { - part = part.toLowerCase(); - nodeCheck = part; - checkFn = dirNodeCheck; - } - - checkFn( "previousSibling", part, doneName, checkSet, nodeCheck, isXML ); - } - }, - - find: { - ID: function( match, context, isXML ) { - if ( typeof context.getElementById !== "undefined" && !isXML ) { - var m = context.getElementById(match[1]); - // Check parentNode to catch when Blackberry 4.6 returns - // nodes that are no longer in the document #6963 - return m && m.parentNode ? [m] : []; - } - }, - - NAME: function( match, context ) { - if ( typeof context.getElementsByName !== "undefined" ) { - var ret = [], - results = context.getElementsByName( match[1] ); - - for ( var i = 0, l = results.length; i < l; i++ ) { - if ( results[i].getAttribute("name") === match[1] ) { - ret.push( results[i] ); - } - } - - return ret.length === 0 ? null : ret; - } - }, - - TAG: function( match, context ) { - if ( typeof context.getElementsByTagName !== "undefined" ) { - return context.getElementsByTagName( match[1] ); - } - } - }, - preFilter: { - CLASS: function( match, curLoop, inplace, result, not, isXML ) { - match = " " + match[1].replace( rBackslash, "" ) + " "; - - if ( isXML ) { - return match; - } - - for ( var i = 0, elem; (elem = curLoop[i]) != null; i++ ) { - if ( elem ) { - if ( not ^ (elem.className && (" " + elem.className + " ").replace(/[\t\n\r]/g, " ").indexOf(match) >= 0) ) { - if ( !inplace ) { - result.push( elem ); - } - - } else if ( inplace ) { - curLoop[i] = false; - } - } - } - - return false; - }, - - ID: function( match ) { - return match[1].replace( rBackslash, "" ); - }, - - TAG: function( match, curLoop ) { - return match[1].replace( rBackslash, "" ).toLowerCase(); - }, - - CHILD: function( match ) { - if ( match[1] === "nth" ) { - if ( !match[2] ) { - Sizzle.error( match[0] ); - } - - match[2] = match[2].replace(/^\+|\s*/g, ''); - - // parse equations like 'even', 'odd', '5', '2n', '3n+2', '4n-1', '-n+6' - var test = /(-?)(\d*)(?:n([+\-]?\d*))?/.exec( - match[2] === "even" && "2n" || match[2] === "odd" && "2n+1" || - !/\D/.test( match[2] ) && "0n+" + match[2] || match[2]); - - // calculate the numbers (first)n+(last) including if they are negative - match[2] = (test[1] + (test[2] || 1)) - 0; - match[3] = test[3] - 0; - } - else if ( match[2] ) { - Sizzle.error( match[0] ); - } - - // TODO: Move to normal caching system - match[0] = done++; - - return match; - }, - - ATTR: function( match, curLoop, inplace, result, not, isXML ) { - var name = match[1] = match[1].replace( rBackslash, "" ); - - if ( !isXML && Expr.attrMap[name] ) { - match[1] = Expr.attrMap[name]; - } - - // Handle if an un-quoted value was used - match[4] = ( match[4] || match[5] || "" ).replace( rBackslash, "" ); - - if ( match[2] === "~=" ) { - match[4] = " " + match[4] + " "; - } - - return match; - }, - - PSEUDO: function( match, curLoop, inplace, result, not ) { - if ( match[1] === "not" ) { - // If we're dealing with a complex expression, or a simple one - if ( ( chunker.exec(match[3]) || "" ).length > 1 || /^\w/.test(match[3]) ) { - match[3] = Sizzle(match[3], null, null, curLoop); - - } else { - var ret = Sizzle.filter(match[3], curLoop, inplace, true ^ not); - - if ( !inplace ) { - result.push.apply( result, ret ); - } - - return false; - } - - } else if ( Expr.match.POS.test( match[0] ) || Expr.match.CHILD.test( match[0] ) ) { - return true; - } - - return match; - }, - - POS: function( match ) { - match.unshift( true ); - - return match; - } - }, - - filters: { - enabled: function( elem ) { - return elem.disabled === false && elem.type !== "hidden"; - }, - - disabled: function( elem ) { - return elem.disabled === true; - }, - - checked: function( elem ) { - return elem.checked === true; - }, - - selected: function( elem ) { - // Accessing this property makes selected-by-default - // options in Safari work properly - if ( elem.parentNode ) { - elem.parentNode.selectedIndex; - } - - return elem.selected === true; - }, - - parent: function( elem ) { - return !!elem.firstChild; - }, - - empty: function( elem ) { - return !elem.firstChild; - }, - - has: function( elem, i, match ) { - return !!Sizzle( match[3], elem ).length; - }, - - header: function( elem ) { - return (/h\d/i).test( elem.nodeName ); - }, - - text: function( elem ) { - var attr = elem.getAttribute( "type" ), type = elem.type; - // IE6 and 7 will map elem.type to 'text' for new HTML5 types (search, etc) - // use getAttribute instead to test this case - return elem.nodeName.toLowerCase() === "input" && "text" === type && ( attr === type || attr === null ); - }, - - radio: function( elem ) { - return elem.nodeName.toLowerCase() === "input" && "radio" === elem.type; - }, - - checkbox: function( elem ) { - return elem.nodeName.toLowerCase() === "input" && "checkbox" === elem.type; - }, - - file: function( elem ) { - return elem.nodeName.toLowerCase() === "input" && "file" === elem.type; - }, - - password: function( elem ) { - return elem.nodeName.toLowerCase() === "input" && "password" === elem.type; - }, - - submit: function( elem ) { - var name = elem.nodeName.toLowerCase(); - return (name === "input" || name === "button") && "submit" === elem.type; - }, - - image: function( elem ) { - return elem.nodeName.toLowerCase() === "input" && "image" === elem.type; - }, - - reset: function( elem ) { - var name = elem.nodeName.toLowerCase(); - return (name === "input" || name === "button") && "reset" === elem.type; - }, - - button: function( elem ) { - var name = elem.nodeName.toLowerCase(); - return name === "input" && "button" === elem.type || name === "button"; - }, - - input: function( elem ) { - return (/input|select|textarea|button/i).test( elem.nodeName ); - }, - - focus: function( elem ) { - return elem === elem.ownerDocument.activeElement; - } - }, - setFilters: { - first: function( elem, i ) { - return i === 0; - }, - - last: function( elem, i, match, array ) { - return i === array.length - 1; - }, - - even: function( elem, i ) { - return i % 2 === 0; - }, - - odd: function( elem, i ) { - return i % 2 === 1; - }, - - lt: function( elem, i, match ) { - return i < match[3] - 0; - }, - - gt: function( elem, i, match ) { - return i > match[3] - 0; - }, - - nth: function( elem, i, match ) { - return match[3] - 0 === i; - }, - - eq: function( elem, i, match ) { - return match[3] - 0 === i; - } - }, - filter: { - PSEUDO: function( elem, match, i, array ) { - var name = match[1], - filter = Expr.filters[ name ]; - - if ( filter ) { - return filter( elem, i, match, array ); - - } else if ( name === "contains" ) { - return (elem.textContent || elem.innerText || getText([ elem ]) || "").indexOf(match[3]) >= 0; - - } else if ( name === "not" ) { - var not = match[3]; - - for ( var j = 0, l = not.length; j < l; j++ ) { - if ( not[j] === elem ) { - return false; - } - } - - return true; - - } else { - Sizzle.error( name ); - } - }, - - CHILD: function( elem, match ) { - var first, last, - doneName, parent, cache, - count, diff, - type = match[1], - node = elem; - - switch ( type ) { - case "only": - case "first": - while ( (node = node.previousSibling) ) { - if ( node.nodeType === 1 ) { - return false; - } - } - - if ( type === "first" ) { - return true; - } - - node = elem; - - /* falls through */ - case "last": - while ( (node = node.nextSibling) ) { - if ( node.nodeType === 1 ) { - return false; - } - } - - return true; - - case "nth": - first = match[2]; - last = match[3]; - - if ( first === 1 && last === 0 ) { - return true; - } - - doneName = match[0]; - parent = elem.parentNode; - - if ( parent && (parent[ expando ] !== doneName || !elem.nodeIndex) ) { - count = 0; - - for ( node = parent.firstChild; node; node = node.nextSibling ) { - if ( node.nodeType === 1 ) { - node.nodeIndex = ++count; - } - } - - parent[ expando ] = doneName; - } - - diff = elem.nodeIndex - last; - - if ( first === 0 ) { - return diff === 0; - - } else { - return ( diff % first === 0 && diff / first >= 0 ); - } - } - }, - - ID: function( elem, match ) { - return elem.nodeType === 1 && elem.getAttribute("id") === match; - }, - - TAG: function( elem, match ) { - return (match === "*" && elem.nodeType === 1) || !!elem.nodeName && elem.nodeName.toLowerCase() === match; - }, - - CLASS: function( elem, match ) { - return (" " + (elem.className || elem.getAttribute("class")) + " ") - .indexOf( match ) > -1; - }, - - ATTR: function( elem, match ) { - var name = match[1], - result = Sizzle.attr ? - Sizzle.attr( elem, name ) : - Expr.attrHandle[ name ] ? - Expr.attrHandle[ name ]( elem ) : - elem[ name ] != null ? - elem[ name ] : - elem.getAttribute( name ), - value = result + "", - type = match[2], - check = match[4]; - - return result == null ? - type === "!=" : - !type && Sizzle.attr ? - result != null : - type === "=" ? - value === check : - type === "*=" ? - value.indexOf(check) >= 0 : - type === "~=" ? - (" " + value + " ").indexOf(check) >= 0 : - !check ? - value && result !== false : - type === "!=" ? - value !== check : - type === "^=" ? - value.indexOf(check) === 0 : - type === "$=" ? - value.substr(value.length - check.length) === check : - type === "|=" ? - value === check || value.substr(0, check.length + 1) === check + "-" : - false; - }, - - POS: function( elem, match, i, array ) { - var name = match[2], - filter = Expr.setFilters[ name ]; - - if ( filter ) { - return filter( elem, i, match, array ); - } - } - } -}; - -var origPOS = Expr.match.POS, - fescape = function(all, num){ - return "\\" + (num - 0 + 1); - }; - -for ( var type in Expr.match ) { - Expr.match[ type ] = new RegExp( Expr.match[ type ].source + (/(?![^\[]*\])(?![^\(]*\))/.source) ); - Expr.leftMatch[ type ] = new RegExp( /(^(?:.|\r|\n)*?)/.source + Expr.match[ type ].source.replace(/\\(\d+)/g, fescape) ); -} -// Expose origPOS -// "global" as in regardless of relation to brackets/parens -Expr.match.globalPOS = origPOS; - -var makeArray = function( array, results ) { - array = Array.prototype.slice.call( array, 0 ); - - if ( results ) { - results.push.apply( results, array ); - return results; - } - - return array; -}; - -// Perform a simple check to determine if the browser is capable of -// converting a NodeList to an array using builtin methods. -// Also verifies that the returned array holds DOM nodes -// (which is not the case in the Blackberry browser) -try { - Array.prototype.slice.call( document.documentElement.childNodes, 0 )[0].nodeType; - -// Provide a fallback method if it does not work -} catch( e ) { - makeArray = function( array, results ) { - var i = 0, - ret = results || []; - - if ( toString.call(array) === "[object Array]" ) { - Array.prototype.push.apply( ret, array ); - - } else { - if ( typeof array.length === "number" ) { - for ( var l = array.length; i < l; i++ ) { - ret.push( array[i] ); - } - - } else { - for ( ; array[i]; i++ ) { - ret.push( array[i] ); - } - } - } - - return ret; - }; -} - -var sortOrder, siblingCheck; - -if ( document.documentElement.compareDocumentPosition ) { - sortOrder = function( a, b ) { - if ( a === b ) { - hasDuplicate = true; - return 0; - } - - if ( !a.compareDocumentPosition || !b.compareDocumentPosition ) { - return a.compareDocumentPosition ? -1 : 1; - } - - return a.compareDocumentPosition(b) & 4 ? -1 : 1; - }; - -} else { - sortOrder = function( a, b ) { - // The nodes are identical, we can exit early - if ( a === b ) { - hasDuplicate = true; - return 0; - - // Fallback to using sourceIndex (in IE) if it's available on both nodes - } else if ( a.sourceIndex && b.sourceIndex ) { - return a.sourceIndex - b.sourceIndex; - } - - var al, bl, - ap = [], - bp = [], - aup = a.parentNode, - bup = b.parentNode, - cur = aup; - - // If the nodes are siblings (or identical) we can do a quick check - if ( aup === bup ) { - return siblingCheck( a, b ); - - // If no parents were found then the nodes are disconnected - } else if ( !aup ) { - return -1; - - } else if ( !bup ) { - return 1; - } - - // Otherwise they're somewhere else in the tree so we need - // to build up a full list of the parentNodes for comparison - while ( cur ) { - ap.unshift( cur ); - cur = cur.parentNode; - } - - cur = bup; - - while ( cur ) { - bp.unshift( cur ); - cur = cur.parentNode; - } - - al = ap.length; - bl = bp.length; - - // Start walking down the tree looking for a discrepancy - for ( var i = 0; i < al && i < bl; i++ ) { - if ( ap[i] !== bp[i] ) { - return siblingCheck( ap[i], bp[i] ); - } - } - - // We ended someplace up the tree so do a sibling check - return i === al ? - siblingCheck( a, bp[i], -1 ) : - siblingCheck( ap[i], b, 1 ); - }; - - siblingCheck = function( a, b, ret ) { - if ( a === b ) { - return ret; - } - - var cur = a.nextSibling; - - while ( cur ) { - if ( cur === b ) { - return -1; - } - - cur = cur.nextSibling; - } - - return 1; - }; -} - -// Check to see if the browser returns elements by name when -// querying by getElementById (and provide a workaround) -(function(){ - // We're going to inject a fake input element with a specified name - var form = document.createElement("div"), - id = "script" + (new Date()).getTime(), - root = document.documentElement; - - form.innerHTML = ""; - - // Inject it into the root element, check its status, and remove it quickly - root.insertBefore( form, root.firstChild ); - - // The workaround has to do additional checks after a getElementById - // Which slows things down for other browsers (hence the branching) - if ( document.getElementById( id ) ) { - Expr.find.ID = function( match, context, isXML ) { - if ( typeof context.getElementById !== "undefined" && !isXML ) { - var m = context.getElementById(match[1]); - - return m ? - m.id === match[1] || typeof m.getAttributeNode !== "undefined" && m.getAttributeNode("id").nodeValue === match[1] ? - [m] : - undefined : - []; - } - }; - - Expr.filter.ID = function( elem, match ) { - var node = typeof elem.getAttributeNode !== "undefined" && elem.getAttributeNode("id"); - - return elem.nodeType === 1 && node && node.nodeValue === match; - }; - } - - root.removeChild( form ); - - // release memory in IE - root = form = null; -})(); - -(function(){ - // Check to see if the browser returns only elements - // when doing getElementsByTagName("*") - - // Create a fake element - var div = document.createElement("div"); - div.appendChild( document.createComment("") ); - - // Make sure no comments are found - if ( div.getElementsByTagName("*").length > 0 ) { - Expr.find.TAG = function( match, context ) { - var results = context.getElementsByTagName( match[1] ); - - // Filter out possible comments - if ( match[1] === "*" ) { - var tmp = []; - - for ( var i = 0; results[i]; i++ ) { - if ( results[i].nodeType === 1 ) { - tmp.push( results[i] ); - } - } - - results = tmp; - } - - return results; - }; - } - - // Check to see if an attribute returns normalized href attributes - div.innerHTML = ""; - - if ( div.firstChild && typeof div.firstChild.getAttribute !== "undefined" && - div.firstChild.getAttribute("href") !== "#" ) { - - Expr.attrHandle.href = function( elem ) { - return elem.getAttribute( "href", 2 ); - }; - } - - // release memory in IE - div = null; -})(); - -if ( document.querySelectorAll ) { - (function(){ - var oldSizzle = Sizzle, - div = document.createElement("div"), - id = "__sizzle__"; - - div.innerHTML = "

"; - - // Safari can't handle uppercase or unicode characters when - // in quirks mode. - if ( div.querySelectorAll && div.querySelectorAll(".TEST").length === 0 ) { - return; - } - - Sizzle = function( query, context, extra, seed ) { - context = context || document; - - // Only use querySelectorAll on non-XML documents - // (ID selectors don't work in non-HTML documents) - if ( !seed && !Sizzle.isXML(context) ) { - // See if we find a selector to speed up - var match = /^(\w+$)|^\.([\w\-]+$)|^#([\w\-]+$)/.exec( query ); - - if ( match && (context.nodeType === 1 || context.nodeType === 9) ) { - // Speed-up: Sizzle("TAG") - if ( match[1] ) { - return makeArray( context.getElementsByTagName( query ), extra ); - - // Speed-up: Sizzle(".CLASS") - } else if ( match[2] && Expr.find.CLASS && context.getElementsByClassName ) { - return makeArray( context.getElementsByClassName( match[2] ), extra ); - } - } - - if ( context.nodeType === 9 ) { - // Speed-up: Sizzle("body") - // The body element only exists once, optimize finding it - if ( query === "body" && context.body ) { - return makeArray( [ context.body ], extra ); - - // Speed-up: Sizzle("#ID") - } else if ( match && match[3] ) { - var elem = context.getElementById( match[3] ); - - // Check parentNode to catch when Blackberry 4.6 returns - // nodes that are no longer in the document #6963 - if ( elem && elem.parentNode ) { - // Handle the case where IE and Opera return items - // by name instead of ID - if ( elem.id === match[3] ) { - return makeArray( [ elem ], extra ); - } - - } else { - return makeArray( [], extra ); - } - } - - try { - return makeArray( context.querySelectorAll(query), extra ); - } catch(qsaError) {} - - // qSA works strangely on Element-rooted queries - // We can work around this by specifying an extra ID on the root - // and working up from there (Thanks to Andrew Dupont for the technique) - // IE 8 doesn't work on object elements - } else if ( context.nodeType === 1 && context.nodeName.toLowerCase() !== "object" ) { - var oldContext = context, - old = context.getAttribute( "id" ), - nid = old || id, - hasParent = context.parentNode, - relativeHierarchySelector = /^\s*[+~]/.test( query ); - - if ( !old ) { - context.setAttribute( "id", nid ); - } else { - nid = nid.replace( /'/g, "\\$&" ); - } - if ( relativeHierarchySelector && hasParent ) { - context = context.parentNode; - } - - try { - if ( !relativeHierarchySelector || hasParent ) { - return makeArray( context.querySelectorAll( "[id='" + nid + "'] " + query ), extra ); - } - - } catch(pseudoError) { - } finally { - if ( !old ) { - oldContext.removeAttribute( "id" ); - } - } - } - } - - return oldSizzle(query, context, extra, seed); - }; - - for ( var prop in oldSizzle ) { - Sizzle[ prop ] = oldSizzle[ prop ]; - } - - // release memory in IE - div = null; - })(); -} - -(function(){ - var html = document.documentElement, - matches = html.matchesSelector || html.mozMatchesSelector || html.webkitMatchesSelector || html.msMatchesSelector; - - if ( matches ) { - // Check to see if it's possible to do matchesSelector - // on a disconnected node (IE 9 fails this) - var disconnectedMatch = !matches.call( document.createElement( "div" ), "div" ), - pseudoWorks = false; - - try { - // This should fail with an exception - // Gecko does not error, returns false instead - matches.call( document.documentElement, "[test!='']:sizzle" ); - - } catch( pseudoError ) { - pseudoWorks = true; - } - - Sizzle.matchesSelector = function( node, expr ) { - // Make sure that attribute selectors are quoted - expr = expr.replace(/\=\s*([^'"\]]*)\s*\]/g, "='$1']"); - - if ( !Sizzle.isXML( node ) ) { - try { - if ( pseudoWorks || !Expr.match.PSEUDO.test( expr ) && !/!=/.test( expr ) ) { - var ret = matches.call( node, expr ); - - // IE 9's matchesSelector returns false on disconnected nodes - if ( ret || !disconnectedMatch || - // As well, disconnected nodes are said to be in a document - // fragment in IE 9, so check for that - node.document && node.document.nodeType !== 11 ) { - return ret; - } - } - } catch(e) {} - } - - return Sizzle(expr, null, null, [node]).length > 0; - }; - } -})(); - -(function(){ - var div = document.createElement("div"); - - div.innerHTML = "
"; - - // Opera can't find a second classname (in 9.6) - // Also, make sure that getElementsByClassName actually exists - if ( !div.getElementsByClassName || div.getElementsByClassName("e").length === 0 ) { - return; - } - - // Safari caches class attributes, doesn't catch changes (in 3.2) - div.lastChild.className = "e"; - - if ( div.getElementsByClassName("e").length === 1 ) { - return; - } - - Expr.order.splice(1, 0, "CLASS"); - Expr.find.CLASS = function( match, context, isXML ) { - if ( typeof context.getElementsByClassName !== "undefined" && !isXML ) { - return context.getElementsByClassName(match[1]); - } - }; - - // release memory in IE - div = null; -})(); - -function dirNodeCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) { - for ( var i = 0, l = checkSet.length; i < l; i++ ) { - var elem = checkSet[i]; - - if ( elem ) { - var match = false; - - elem = elem[dir]; - - while ( elem ) { - if ( elem[ expando ] === doneName ) { - match = checkSet[elem.sizset]; - break; - } - - if ( elem.nodeType === 1 && !isXML ){ - elem[ expando ] = doneName; - elem.sizset = i; - } - - if ( elem.nodeName.toLowerCase() === cur ) { - match = elem; - break; - } - - elem = elem[dir]; - } - - checkSet[i] = match; - } - } -} - -function dirCheck( dir, cur, doneName, checkSet, nodeCheck, isXML ) { - for ( var i = 0, l = checkSet.length; i < l; i++ ) { - var elem = checkSet[i]; - - if ( elem ) { - var match = false; - - elem = elem[dir]; - - while ( elem ) { - if ( elem[ expando ] === doneName ) { - match = checkSet[elem.sizset]; - break; - } - - if ( elem.nodeType === 1 ) { - if ( !isXML ) { - elem[ expando ] = doneName; - elem.sizset = i; - } - - if ( typeof cur !== "string" ) { - if ( elem === cur ) { - match = true; - break; - } - - } else if ( Sizzle.filter( cur, [elem] ).length > 0 ) { - match = elem; - break; - } - } - - elem = elem[dir]; - } - - checkSet[i] = match; - } - } -} - -if ( document.documentElement.contains ) { - Sizzle.contains = function( a, b ) { - return a !== b && (a.contains ? a.contains(b) : true); - }; - -} else if ( document.documentElement.compareDocumentPosition ) { - Sizzle.contains = function( a, b ) { - return !!(a.compareDocumentPosition(b) & 16); - }; - -} else { - Sizzle.contains = function() { - return false; - }; -} - -Sizzle.isXML = function( elem ) { - // documentElement is verified for cases where it doesn't yet exist - // (such as loading iframes in IE - #4833) - var documentElement = (elem ? elem.ownerDocument || elem : 0).documentElement; - - return documentElement ? documentElement.nodeName !== "HTML" : false; -}; - -var posProcess = function( selector, context, seed ) { - var match, - tmpSet = [], - later = "", - root = context.nodeType ? [context] : context; - - // Position selectors must be done after the filter - // And so must :not(positional) so we move all PSEUDOs to the end - while ( (match = Expr.match.PSEUDO.exec( selector )) ) { - later += match[0]; - selector = selector.replace( Expr.match.PSEUDO, "" ); - } - - selector = Expr.relative[selector] ? selector + "*" : selector; - - for ( var i = 0, l = root.length; i < l; i++ ) { - Sizzle( selector, root[i], tmpSet, seed ); - } - - return Sizzle.filter( later, tmpSet ); -}; - -// EXPOSE -// Override sizzle attribute retrieval -Sizzle.attr = jQuery.attr; -Sizzle.selectors.attrMap = {}; -jQuery.find = Sizzle; -jQuery.expr = Sizzle.selectors; -jQuery.expr[":"] = jQuery.expr.filters; -jQuery.unique = Sizzle.uniqueSort; -jQuery.text = Sizzle.getText; -jQuery.isXMLDoc = Sizzle.isXML; -jQuery.contains = Sizzle.contains; - - -})(); - - -var runtil = /Until$/, - rparentsprev = /^(?:parents|prevUntil|prevAll)/, - // Note: This RegExp should be improved, or likely pulled from Sizzle - rmultiselector = /,/, - isSimple = /^.[^:#\[\.,]*$/, - slice = Array.prototype.slice, - POS = jQuery.expr.match.globalPOS, - // methods guaranteed to produce a unique set when starting from a unique set - guaranteedUnique = { - children: true, - contents: true, - next: true, - prev: true - }; - -jQuery.fn.extend({ - find: function( selector ) { - var self = this, - i, l; - - if ( typeof selector !== "string" ) { - return jQuery( selector ).filter(function() { - for ( i = 0, l = self.length; i < l; i++ ) { - if ( jQuery.contains( self[ i ], this ) ) { - return true; - } - } - }); - } - - var ret = this.pushStack( "", "find", selector ), - length, n, r; - - for ( i = 0, l = this.length; i < l; i++ ) { - length = ret.length; - jQuery.find( selector, this[i], ret ); - - if ( i > 0 ) { - // Make sure that the results are unique - for ( n = length; n < ret.length; n++ ) { - for ( r = 0; r < length; r++ ) { - if ( ret[r] === ret[n] ) { - ret.splice(n--, 1); - break; - } - } - } - } - } - - return ret; - }, - - has: function( target ) { - var targets = jQuery( target ); - return this.filter(function() { - for ( var i = 0, l = targets.length; i < l; i++ ) { - if ( jQuery.contains( this, targets[i] ) ) { - return true; - } - } - }); - }, - - not: function( selector ) { - return this.pushStack( winnow(this, selector, false), "not", selector); - }, - - filter: function( selector ) { - return this.pushStack( winnow(this, selector, true), "filter", selector ); - }, - - is: function( selector ) { - return !!selector && ( - typeof selector === "string" ? - // If this is a positional selector, check membership in the returned set - // so $("p:first").is("p:last") won't return true for a doc with two "p". - POS.test( selector ) ? - jQuery( selector, this.context ).index( this[0] ) >= 0 : - jQuery.filter( selector, this ).length > 0 : - this.filter( selector ).length > 0 ); - }, - - closest: function( selectors, context ) { - var ret = [], i, l, cur = this[0]; - - // Array (deprecated as of jQuery 1.7) - if ( jQuery.isArray( selectors ) ) { - var level = 1; - - while ( cur && cur.ownerDocument && cur !== context ) { - for ( i = 0; i < selectors.length; i++ ) { - - if ( jQuery( cur ).is( selectors[ i ] ) ) { - ret.push({ selector: selectors[ i ], elem: cur, level: level }); - } - } - - cur = cur.parentNode; - level++; - } - - return ret; - } - - // String - var pos = POS.test( selectors ) || typeof selectors !== "string" ? - jQuery( selectors, context || this.context ) : - 0; - - for ( i = 0, l = this.length; i < l; i++ ) { - cur = this[i]; - - while ( cur ) { - if ( pos ? pos.index(cur) > -1 : jQuery.find.matchesSelector(cur, selectors) ) { - ret.push( cur ); - break; - - } else { - cur = cur.parentNode; - if ( !cur || !cur.ownerDocument || cur === context || cur.nodeType === 11 ) { - break; - } - } - } - } - - ret = ret.length > 1 ? jQuery.unique( ret ) : ret; - - return this.pushStack( ret, "closest", selectors ); - }, - - // Determine the position of an element within - // the matched set of elements - index: function( elem ) { - - // No argument, return index in parent - if ( !elem ) { - return ( this[0] && this[0].parentNode ) ? this.prevAll().length : -1; - } - - // index in selector - if ( typeof elem === "string" ) { - return jQuery.inArray( this[0], jQuery( elem ) ); - } - - // Locate the position of the desired element - return jQuery.inArray( - // If it receives a jQuery object, the first element is used - elem.jquery ? elem[0] : elem, this ); - }, - - add: function( selector, context ) { - var set = typeof selector === "string" ? - jQuery( selector, context ) : - jQuery.makeArray( selector && selector.nodeType ? [ selector ] : selector ), - all = jQuery.merge( this.get(), set ); - - return this.pushStack( isDisconnected( set[0] ) || isDisconnected( all[0] ) ? - all : - jQuery.unique( all ) ); - }, - - andSelf: function() { - return this.add( this.prevObject ); - } -}); - -// A painfully simple check to see if an element is disconnected -// from a document (should be improved, where feasible). -function isDisconnected( node ) { - return !node || !node.parentNode || node.parentNode.nodeType === 11; -} - -jQuery.each({ - parent: function( elem ) { - var parent = elem.parentNode; - return parent && parent.nodeType !== 11 ? parent : null; - }, - parents: function( elem ) { - return jQuery.dir( elem, "parentNode" ); - }, - parentsUntil: function( elem, i, until ) { - return jQuery.dir( elem, "parentNode", until ); - }, - next: function( elem ) { - return jQuery.nth( elem, 2, "nextSibling" ); - }, - prev: function( elem ) { - return jQuery.nth( elem, 2, "previousSibling" ); - }, - nextAll: function( elem ) { - return jQuery.dir( elem, "nextSibling" ); - }, - prevAll: function( elem ) { - return jQuery.dir( elem, "previousSibling" ); - }, - nextUntil: function( elem, i, until ) { - return jQuery.dir( elem, "nextSibling", until ); - }, - prevUntil: function( elem, i, until ) { - return jQuery.dir( elem, "previousSibling", until ); - }, - siblings: function( elem ) { - return jQuery.sibling( ( elem.parentNode || {} ).firstChild, elem ); - }, - children: function( elem ) { - return jQuery.sibling( elem.firstChild ); - }, - contents: function( elem ) { - return jQuery.nodeName( elem, "iframe" ) ? - elem.contentDocument || elem.contentWindow.document : - jQuery.makeArray( elem.childNodes ); - } -}, function( name, fn ) { - jQuery.fn[ name ] = function( until, selector ) { - var ret = jQuery.map( this, fn, until ); - - if ( !runtil.test( name ) ) { - selector = until; - } - - if ( selector && typeof selector === "string" ) { - ret = jQuery.filter( selector, ret ); - } - - ret = this.length > 1 && !guaranteedUnique[ name ] ? jQuery.unique( ret ) : ret; - - if ( (this.length > 1 || rmultiselector.test( selector )) && rparentsprev.test( name ) ) { - ret = ret.reverse(); - } - - return this.pushStack( ret, name, slice.call( arguments ).join(",") ); - }; -}); - -jQuery.extend({ - filter: function( expr, elems, not ) { - if ( not ) { - expr = ":not(" + expr + ")"; - } - - return elems.length === 1 ? - jQuery.find.matchesSelector(elems[0], expr) ? [ elems[0] ] : [] : - jQuery.find.matches(expr, elems); - }, - - dir: function( elem, dir, until ) { - var matched = [], - cur = elem[ dir ]; - - while ( cur && cur.nodeType !== 9 && (until === undefined || cur.nodeType !== 1 || !jQuery( cur ).is( until )) ) { - if ( cur.nodeType === 1 ) { - matched.push( cur ); - } - cur = cur[dir]; - } - return matched; - }, - - nth: function( cur, result, dir, elem ) { - result = result || 1; - var num = 0; - - for ( ; cur; cur = cur[dir] ) { - if ( cur.nodeType === 1 && ++num === result ) { - break; - } - } - - return cur; - }, - - sibling: function( n, elem ) { - var r = []; - - for ( ; n; n = n.nextSibling ) { - if ( n.nodeType === 1 && n !== elem ) { - r.push( n ); - } - } - - return r; - } -}); - -// Implement the identical functionality for filter and not -function winnow( elements, qualifier, keep ) { - - // Can't pass null or undefined to indexOf in Firefox 4 - // Set to 0 to skip string check - qualifier = qualifier || 0; - - if ( jQuery.isFunction( qualifier ) ) { - return jQuery.grep(elements, function( elem, i ) { - var retVal = !!qualifier.call( elem, i, elem ); - return retVal === keep; - }); - - } else if ( qualifier.nodeType ) { - return jQuery.grep(elements, function( elem, i ) { - return ( elem === qualifier ) === keep; - }); - - } else if ( typeof qualifier === "string" ) { - var filtered = jQuery.grep(elements, function( elem ) { - return elem.nodeType === 1; - }); - - if ( isSimple.test( qualifier ) ) { - return jQuery.filter(qualifier, filtered, !keep); - } else { - qualifier = jQuery.filter( qualifier, filtered ); - } - } - - return jQuery.grep(elements, function( elem, i ) { - return ( jQuery.inArray( elem, qualifier ) >= 0 ) === keep; - }); -} - - - - -function createSafeFragment( document ) { - var list = nodeNames.split( "|" ), - safeFrag = document.createDocumentFragment(); - - if ( safeFrag.createElement ) { - while ( list.length ) { - safeFrag.createElement( - list.pop() - ); - } - } - return safeFrag; -} - -var nodeNames = "abbr|article|aside|audio|bdi|canvas|data|datalist|details|figcaption|figure|footer|" + - "header|hgroup|mark|meter|nav|output|progress|section|summary|time|video", - rinlinejQuery = / jQuery\d+="(?:\d+|null)"/g, - rleadingWhitespace = /^\s+/, - rxhtmlTag = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:]+)[^>]*)\/>/ig, - rtagName = /<([\w:]+)/, - rtbody = /]", "i"), - // checked="checked" or checked - rchecked = /checked\s*(?:[^=]|=\s*.checked.)/i, - rscriptType = /\/(java|ecma)script/i, - rcleanScript = /^\s*", "" ], - legend: [ 1, "
", "
" ], - thead: [ 1, "", "
" ], - tr: [ 2, "", "
" ], - td: [ 3, "", "
" ], - col: [ 2, "", "
" ], - area: [ 1, "", "" ], - _default: [ 0, "", "" ] - }, - safeFragment = createSafeFragment( document ); - -wrapMap.optgroup = wrapMap.option; -wrapMap.tbody = wrapMap.tfoot = wrapMap.colgroup = wrapMap.caption = wrapMap.thead; -wrapMap.th = wrapMap.td; - -// IE can't serialize and - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Contributing to the MIT Kerberos Documentation¶

-

We are looking for documentation writers and editors who could contribute -towards improving the MIT KC documentation content. If you are an experienced -Kerberos developer and/or administrator, please consider sharing your knowledge -and experience with the Kerberos Community. You can suggest your own topic or -write about any of the topics listed -here.

-

If you have any questions, comments, or suggestions on the existing documents, -please send your feedback via email to krb5-bugs@mit.edu. The HTML version of -this documentation has a “FEEDBACK” link to the krb5-bugs@mit.edu email -address with a pre-constructed subject line.

-
-

Background¶

-

Starting with release 1.11, the Kerberos documentation set is -unified in a central form. Man pages, HTML documentation, and PDF -documents are compiled from reStructuredText sources, and the application -developer documentation incorporates Doxygen markup from the source -tree. This project was undertaken along the outline described -here.

-

Previous versions of Kerberos 5 attempted to maintain separate documentation -in the texinfo format, with separate groff manual pages. Having the API -documentation disjoint from the source code implementing that API -resulted in the documentation becoming stale, and over time the documentation -ceased to match reality. With a fresh start and a source format that is -easier to use and maintain, reStructuredText-based documents should provide -an improved experience for the user. Consolidating all the documentation -formats into a single source document makes the documentation set easier -to maintain.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/index.html b/doc/html/admin/admin_commands/index.html deleted file mode 100644 index 133a747..0000000 --- a/doc/html/admin/admin_commands/index.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - Administration programs — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/k5srvutil.html b/doc/html/admin/admin_commands/k5srvutil.html deleted file mode 100644 index 8086fc8..0000000 --- a/doc/html/admin/admin_commands/k5srvutil.html +++ /dev/null @@ -1,224 +0,0 @@ - - - - - - - - k5srvutil — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

k5srvutil¶

-
-

SYNOPSIS¶

-

k5srvutil operation -[-i] -[-f filename] -[-e keysalts]

-
-
-

DESCRIPTION¶

-

k5srvutil allows an administrator to list keys currently in -a keytab, to obtain new keys for a principal currently in a keytab, -or to delete non-current keys from a keytab.

-

operation must be one of the following:

-
-
list
-
Lists the keys in a keytab, showing version number and principal -name.
-
change
-
Uses the kadmin protocol to update the keys in the Kerberos -database to new randomly-generated keys, and updates the keys in -the keytab to match. If a key’s version number doesn’t match the -version number stored in the Kerberos server’s database, then the -operation will fail. If the -i flag is given, k5srvutil will -prompt for confirmation before changing each key. If the -k -option is given, the old and new keys will be displayed. -Ordinarily, keys will be generated with the default encryption -types and key salts. This can be overridden with the -e -option. Old keys are retained in the keytab so that existing -tickets continue to work, but delold should be used after -such tickets expire, to prevent attacks against the old keys.
-
delold
-
Deletes keys that are not the most recent version from the keytab. -This operation should be used some time after a change operation -to remove old keys, after existing tickets issued for the service -have expired. If the -i flag is given, then k5srvutil will -prompt for confirmation for each principal.
-
delete
-
Deletes particular keys in the keytab, interactively prompting for -each key.
-
-

In all cases, the default keytab is used unless this is overridden by -the -f option.

-

k5srvutil uses the kadmin program to edit the keytab in -place.

-
-
-

SEE ALSO¶

-

kadmin, ktutil

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kadmin_local.html b/doc/html/admin/admin_commands/kadmin_local.html deleted file mode 100644 index 5e210ef..0000000 --- a/doc/html/admin/admin_commands/kadmin_local.html +++ /dev/null @@ -1,982 +0,0 @@ - - - - - - - - kadmin — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kadmin¶

-
-

SYNOPSIS¶

-

kadmin -[-O|-N] -[-r realm] -[-p principal] -[-q query] -[[-c cache_name]|[-k [-t keytab]]|-n] -[-w password] -[-s admin_server[:port]] -[command args...]

-

kadmin.local -[-r realm] -[-p principal] -[-q query] -[-d dbname] -[-e enc:salt ...] -[-m] -[-x db_args] -[command args...]

-
-
-

DESCRIPTION¶

-

kadmin and kadmin.local are command-line interfaces to the Kerberos V5 -administration system. They provide nearly identical functionalities; -the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using kadmind. -Except as explicitly noted otherwise, this man page will use “kadmin” -to refer to both versions. kadmin provides for the maintenance of -Kerberos principals, password policies, and service key tables -(keytabs).

-

The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal kadmin/ADMINHOST (where ADMINHOST is -the fully-qualified hostname of the admin server) or kadmin/admin. -If the credentials cache contains a ticket for one of these -principals, and the -c credentials_cache option is specified, that -ticket is used to authenticate to kadmind. Otherwise, the -p and --k options are used to specify the client Kerberos principal name -used to authenticate. Once kadmin has determined the principal name, -it requests a service ticket from the KDC, and uses that service -ticket to authenticate to kadmind.

-

Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the master KDC with sufficient permissions to read -the KDC database. If the KDC database uses the LDAP database module, -kadmin.local can be run on any host which can access the LDAP server.

-
-
-

OPTIONS¶

-
-
-r realm
-
Use realm as the default database realm.
-
-p principal
-
Use principal to authenticate. Otherwise, kadmin will append -/admin to the primary principal name of the default ccache, -the value of the USER environment variable, or the username as -obtained with getpwuid, in order of preference.
-
-k
-
Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -host/hostname. If there is no keytab specified with the --t option, then the default keytab will be used.
-
-t keytab
-
Use keytab to decrypt the KDC response. This can only be used -with the -k option.
-
-n
-
Requests anonymous processing. Two types of anonymous principals -are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure pkinit_anchors in the client’s -krb5.conf. Then use the -n option with a principal -of the form @REALM (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use kinit --n with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation.
-
-c credentials_cache
-
Use credentials_cache as the credentials cache. The -cache should contain a service ticket for the kadmin/ADMINHOST -(where ADMINHOST is the fully-qualified hostname of the admin -server) or kadmin/admin service; it can be acquired with the -kinit program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache.
-
-w password
-
Use password instead of prompting for one. Use this option with -care, as it may expose the password to other users on the system -via the process list.
-
-q query
-
Perform the specified query and then exit.
-
-d dbname
-
Specifies the name of the KDC database. This option does not -apply to the LDAP database module.
-
-s admin_server[:port]
-
Specifies the admin server which kadmin should contact.
-
-m
-
If using kadmin.local, prompt for the database master password -instead of reading it from a stash file.
-
-eenc:salt ...”
-
Sets the keysalt list to be used for any new keys created. See -Keysalt lists in kdc.conf for a list of possible -values.
-
-O
-
Force use of old AUTH_GSSAPI authentication flavor.
-
-N
-
Prevent fallback to AUTH_GSSAPI authentication flavor.
-
-x db_args
-
Specifies the database specific arguments. See the next section -for supported options.
-
-

Starting with release 1.14, if any command-line arguments remain after -the options, they will be treated as a single query to be executed. -This mode of operation is intended for scripts and behaves differently -from the interactive mode in several respects:

-
    -
  • Query arguments are split by the shell, not by kadmin.
    • -
  • Informational and warning messages are suppressed. Error messages -and query output (e.g. for get_principal) will still be -displayed.
    • -
  • Confirmation prompts are disabled (as if -force was given). -Password prompts will still be issued as required.
    • -
  • The exit status will be non-zero if the query fails.
    • -
-

The -q option does not carry these behavior differences; the query -will be processed as if it was entered interactively. The -q -option cannot be used in combination with a query in the remaining -arguments.

-
-
-

DATABASE OPTIONS¶

-

Database options can be used to override database-specific defaults. -Supported options for the DB2 module are:

-
-
-
-x dbname=*filename*
-
Specifies the base filename of the DB2 database.
-
-x lockiter
-
Make iteration operations hold the lock for the duration of -the entire operation, rather than temporarily releasing the -lock while handling each principal. This is the default -behavior, but this option exists to allow command line -override of a [dbmodules] setting. First introduced in -release 1.13.
-
-x unlockiter
-
Make iteration operations unlock the database for each -principal, instead of holding the lock for the duration of the -entire operation. First introduced in release 1.13.
-
-
-

Supported options for the LDAP module are:

-
-
-
-x host=ldapuri
-
Specifies the LDAP server to connect to by a LDAP URI.
-
-x binddn=bind_dn
-
Specifies the DN used to bind to the LDAP server.
-
-x bindpwd=password
-
Specifies the password or SASL secret used to bind to the LDAP -server. Using this option may expose the password to other -users on the system via the process list; to avoid this, -instead stash the password using the stashsrvpw command of -kdb5_ldap_util.
-
-x sasl_mech=mechanism
-
Specifies the SASL mechanism used to bind to the LDAP server. -The bind DN is ignored if a SASL mechanism is used. New in -release 1.13.
-
-x sasl_authcid=name
-
Specifies the authentication name used when binding to the -LDAP server with a SASL mechanism, if the mechanism requires -one. New in release 1.13.
-
-x sasl_authzid=name
-
Specifies the authorization name used when binding to the LDAP -server with a SASL mechanism. New in release 1.13.
-
-x sasl_realm=realm
-
Specifies the realm used when binding to the LDAP server with -a SASL mechanism, if the mechanism uses one. New in release -1.13.
-
-x debug=level
-
sets the OpenLDAP client library debug level. level is an -integer to be interpreted by the library. Debugging messages -are printed to standard error. New in release 1.12.
-
-
-
-
-

COMMANDS¶

-

When using the remote client, available commands may be restricted -according to the privileges specified in the kadm5.acl file -on the admin server.

-
-

add_principal¶

-
-
add_principal [options] newprinc
-

Creates the principal newprinc, prompting twice for a password. If -no password policy is specified with the -policy option, and the -policy named default is assigned to the principal if it exists. -However, creating a policy named default will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the -clearpolicy option.

-

This command requires the add privilege.

-

Aliases: addprinc, ank

-

Options:

-
-
-expire expdate
-
(getdate time string) The expiration date of the principal.
-
-pwexpire pwexpdate
-
(getdate time string) The password expiration date.
-
-maxlife maxlife
-
(Time duration or getdate time string) The maximum ticket life -for the principal.
-
-maxrenewlife maxrenewlife
-
(Time duration or getdate time string) The maximum renewable -life of tickets for the principal.
-
-kvno kvno
-
The initial key version number.
-
-policy policy
-
The password policy used by this principal. If not specified, the -policy default is used if it exists (unless -clearpolicy -is specified).
-
-clearpolicy
-
Prevents any policy from being assigned when -policy is not -specified.
-
{-|+}allow_postdated
-
-allow_postdated prohibits this principal from obtaining -postdated tickets. +allow_postdated clears this flag.
-
{-|+}allow_forwardable
-
-allow_forwardable prohibits this principal from obtaining -forwardable tickets. +allow_forwardable clears this flag.
-
{-|+}allow_renewable
-
-allow_renewable prohibits this principal from obtaining -renewable tickets. +allow_renewable clears this flag.
-
{-|+}allow_proxiable
-
-allow_proxiable prohibits this principal from obtaining -proxiable tickets. +allow_proxiable clears this flag.
-
{-|+}allow_dup_skey
-
-allow_dup_skey disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. +allow_dup_skey clears this flag.
-
{-|+}requires_preauth
-
+requires_preauth requires this principal to preauthenticate -before being allowed to kinit. -requires_preauth clears this -flag. When +requires_preauth is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client’s initial authentication was performed using -preauthentication.
-
{-|+}requires_hwauth
-
+requires_hwauth requires this principal to preauthenticate -using a hardware device before being allowed to kinit. --requires_hwauth clears this flag. When +requires_hwauth is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client’s initial authentication was -performed using a hardware device to preauthenticate.
-
{-|+}ok_as_delegate
-
+ok_as_delegate sets the okay as delegate flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. -ok_as_delegate clears this -flag.
-
{-|+}allow_svr
-
-allow_svr prohibits the issuance of service tickets for this -principal. +allow_svr clears this flag.
-
{-|+}allow_tgs_req
-
-allow_tgs_req specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -+allow_tgs_req clears this flag.
-
{-|+}allow_tix
-
-allow_tix forbids the issuance of any tickets for this -principal. +allow_tix clears this flag.
-
{-|+}needchange
-
+needchange forces a password change on the next initial -authentication to this principal. -needchange clears this -flag.
-
{-|+}password_changing_service
-
+password_changing_service marks this principal as a password -change service principal.
-
{-|+}ok_to_auth_as_delegate
-
+ok_to_auth_as_delegate allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation.
-
{-|+}no_auth_data_required
-
+no_auth_data_required prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.
-
{-|+}lockdown_keys
-
+lockdown_keys prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local.
-
-randkey
-
Sets the key of the principal to a random value.
-
-nokey
-
Causes the principal to be created with no key. New in release -1.12.
-
-pw password
-
Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-x db_princ_args
-

Indicates database-specific options. The options for the LDAP -database module are:

-
-
-x dn=dn
-
Specifies the LDAP object that will contain the Kerberos -principal being created.
-
-x linkdn=dn
-
Specifies the LDAP object to which the newly created Kerberos -principal object will point.
-
-x containerdn=container_dn
-
Specifies the container object under which the Kerberos -principal is to be created.
-
-x tktpolicy=policy
-
Associates a ticket policy to the Kerberos principal.
-
-
-

Note

-
    -
  • The containerdn and linkdn options cannot be -specified with the dn option.
    • -
  • If the dn or containerdn options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container.
    • -
  • dn and containerdn should be within the subtrees or -principal container configured in the realm.
    • -
-
-
-
-

Example:

-
kadmin: addprinc jennifer
-WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
-defaulting to no policy.
-Enter password for principal jennifer@ATHENA.MIT.EDU:
-Re-enter password for principal jennifer@ATHENA.MIT.EDU:
-Principal "jennifer@ATHENA.MIT.EDU" created.
-kadmin:
-
-
-
-
-

modify_principal¶

-
-
modify_principal [options] principal
-

Modifies the specified principal, changing the fields as specified. -The options to add_principal also apply to this command, except -for the -randkey, -pw, and -e options. In addition, the -option -clearpolicy will clear the current policy of a principal.

-

This command requires the modify privilege.

-

Alias: modprinc

-

Options (in addition to the addprinc options):

-
-
-unlock
-
Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate.
-
-
-
-

rename_principal¶

-
-
rename_principal [-force] old_principal new_principal
-

Renames the specified old_principal to new_principal. This -command prompts for confirmation, unless the -force option is -given.

-

This command requires the add and delete privileges.

-

Alias: renprinc

-
-
-

delete_principal¶

-
-
delete_principal [-force] principal
-

Deletes the specified principal from the database. This command -prompts for deletion, unless the -force option is given.

-

This command requires the delete privilege.

-

Alias: delprinc

-
-
-

change_password¶

-
-
change_password [options] principal
-

Changes the password of principal. Prompts for a new password if -neither -randkey or -pw is specified.

-

This command requires the changepw privilege, or that the -principal running the program is the same as the principal being -changed.

-

Alias: cpw

-

The following options are available:

-
-
-randkey
-
Sets the key of the principal to a random value.
-
-pw password
-
Set the password to the specified string. Using this option in a -script may expose the password to other users on the system via -the process list.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-keepold
-
Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for krbtgt principals.
-
-

Example:

-
kadmin: cpw systest
-Enter password for principal systest@BLEEP.COM:
-Re-enter password for principal systest@BLEEP.COM:
-Password for systest@BLEEP.COM changed.
-kadmin:
-
-
-
-
-

purgekeys¶

-
-
purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal
-

Purges previously retained old keys (e.g., from change_password --keepold) from principal. If -keepkvno is specified, then -only purges keys with kvnos lower than oldest_kvno_to_keep. If --all is specified, then all keys are purged. The -all option -is new in release 1.12.

-

This command requires the modify privilege.

-
-
-

get_principal¶

-
-
get_principal [-terse] principal
-

Gets the attributes of principal. With the -terse option, outputs -fields as quoted tab-separated strings.

-

This command requires the inquire privilege, or that the principal -running the the program to be the same as the one being listed.

-

Alias: getprinc

-

Examples:

-
kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des-cbc-crc
-Key: vno 1, des-cbc-crc:v4
-Attributes:
-Policy: [none]
-
-kadmin: getprinc -terse systest
-systest@BLEEP.COM   3    86400     604800    1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM     786100034 0    0
-kadmin:
-
-
-
-
-

list_principals¶

-
-
list_principals [expression]
-

Retrieves all or some principal names. expression is a shell-style -glob expression that can contain the wild-card characters ?, -*, and []. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an @ character, an -@ character followed by the local realm is appended to the -expression.

-

This command requires the list privilege.

-

Alias: listprincs, get_principals, get_princs

-

Example:

-
kadmin:  listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
-
-
-
-
-

get_strings¶

-
-
get_strings principal
-

Displays string attributes on principal.

-

This command requires the inquire privilege.

-

Alias: getstr

-
-
-

set_string¶

-
-
set_string principal name value
-

Sets a string attribute on principal. String attributes are used to -supply per-principal configuration to the KDC and some KDC plugin -modules. The following string attribute names are recognized by the -KDC:

-
-
require_auth
-
Specifies an authentication indicator which is required to -authenticate to the principal as a service. Multiple indicators -can be specified, separated by spaces; in this case any of the -specified indicators will be accepted. (New in release 1.14.)
-
session_enctypes
-
Specifies the encryption types supported for session keys when the -principal is authenticated to as a server. See -Encryption types in kdc.conf for a list of the -accepted values.
-
otp
-
Enables One Time Passwords (OTP) preauthentication for a client -principal. The value is a JSON string representing an array -of objects, each having optional type and username fields.
-
-

This command requires the modify privilege.

-

Alias: setstr

-

Example:

-
set_string host/foo.mit.edu session_enctypes aes128-cts
-set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
-
-
-
-
-

del_string¶

-
-
del_string principal key
-

Deletes a string attribute from principal.

-

This command requires the delete privilege.

-

Alias: delstr

-
-
-

add_policy¶

-
-
add_policy [options] policy
-

Adds a password policy named policy to the database.

-

This command requires the add privilege.

-

Alias: addpol

-

The following options are available:

-
-
-maxlife time
-
(Time duration or getdate time string) Sets the maximum -lifetime of a password.
-
-minlife time
-
(Time duration or getdate time string) Sets the minimum -lifetime of a password.
-
-minlength length
-
Sets the minimum length of a password.
-
-minclasses number
-
Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters.
-
-history number
-
Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module.
-
-
-
-maxfailure maxnumber
-
Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -maxnumber value of 0 (the default) disables lockout.
-
-
-
-failurecountinterval failuretime
-
(Time duration or getdate time string) Sets the allowable time -between authentication failures. If an authentication failure -happens after failuretime has elapsed since the previous -failure, the number of authentication failures is reset to 1. A -failuretime value of 0 (the default) means forever.
-
-
-
-lockoutduration lockouttime
-
(Time duration or getdate time string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with modprinc -unlock.
-
-allowedkeysalts
-
Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal’s password/keys. See -Keysalt lists in kdc.conf for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.
-
-

Example:

-
kadmin: add_policy -maxlife "2 days" -minlength 5 guests
-kadmin:
-
-
-
-
-

modify_policy¶

-
-
modify_policy [options] policy
-

Modifies the password policy named policy. Options are as described -for add_policy.

-

This command requires the modify privilege.

-

Alias: modpol

-
-
-

delete_policy¶

-
-
delete_policy [-force] policy
-

Deletes the password policy named policy. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals.

-

This command requires the delete privilege.

-

Alias: delpol

-

Example:

-
kadmin: del_policy guests
-Are you sure you want to delete the policy "guests"?
-(yes/no): yes
-kadmin:
-
-
-
-
-

get_policy¶

-
-
get_policy [ -terse ] policy
-

Displays the values of the password policy named policy. With the --terse flag, outputs the fields as quoted strings separated by -tabs.

-

This command requires the inquire privilege.

-

Alias: getpol

-

Examples:

-
kadmin: get_policy admin
-Policy: admin
-Maximum password life: 180 days 00:00:00
-Minimum password life: 00:00:00
-Minimum password length: 6
-Minimum number of password character classes: 2
-Number of old keys kept: 5
-Reference count: 17
-
-kadmin: get_policy -terse admin
-admin     15552000  0    6    2    5    17
-kadmin:
-
-
-

The “Reference count” is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful.

-
-
-

list_policies¶

-
-
list_policies [expression]
-

Retrieves all or some policy names. expression is a shell-style -glob expression that can contain the wild-card characters ?, -*, and []. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed.

-

This command requires the list privilege.

-

Aliases: listpols, get_policies, getpols.

-

Examples:

-
kadmin:  listpols
-test-pol
-dict-only
-once-a-min
-test-pol-nopw
-
-kadmin:  listpols t*
-test-pol
-test-pol-nopw
-kadmin:
-
-
-
-
-

ktadd¶

-
-
-
ktadd [options] principal
-
ktadd [options] -glob princ-exp
-
-
-

Adds a principal, or all principals matching princ-exp, to a -keytab file. Each principal’s keys are randomized in the process. -The rules for princ-exp are described in the list_principals -command.

-

This command requires the inquire and changepw privileges. -With the -glob form, it also requires the list privilege.

-

The options are:

-
-
-k[eytab] keytab
-
Use keytab as the keytab file. Otherwise, the default keytab is -used.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the new keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-q
-
Display less verbose information.
-
-norandkey
-
Do not randomize the keys. The keys and their version numbers stay -unchanged. This option cannot be specified in combination with the --e option.
-
-

An entry for each of the principal’s unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types.

-

Example:

-
kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
-Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
-     encryption type aes256-cts-hmac-sha1-96 added to keytab
-     FILE:/tmp/foo-new-keytab
-kadmin:
-
-
-
-
-

ktremove¶

-
-
ktremove [options] principal [kvno | all | old]
-

Removes entries for the specified principal from a keytab. Requires -no permissions, since this does not require database access.

-

If the string “all” is specified, all entries for that principal are -removed; if the string “old” is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed.

-

The options are:

-
-
-k[eytab] keytab
-
Use keytab as the keytab file. Otherwise, the default keytab is -used.
-
-q
-
Display less verbose information.
-
-

Example:

-
kadmin: ktremove kadmin/admin all
-Entry for principal kadmin/admin with kvno 3 removed from keytab
-     FILE:/etc/krb5.keytab
-kadmin:
-
-
-
-
-

lock¶

-

Lock database exclusively. Use with extreme caution! This command -only works with the DB2 KDC database module.

-
-
-

unlock¶

-

Release the exclusive database lock.

-
-
-

list_requests¶

-

Lists available for kadmin requests.

-

Aliases: lr, ?

-
-
-

quit¶

-

Exit program. If the database was locked, the lock is released.

-

Aliases: exit, q

-
-
-
-

HISTORY¶

-

The kadmin program was originally written by Tom Yu at MIT, as an -interface to the OpenVision Kerberos administration program.

-
-
-

SEE ALSO¶

-

kpasswd, kadmind

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kadmind.html b/doc/html/admin/admin_commands/kadmind.html deleted file mode 100644 index 3cce17c..0000000 --- a/doc/html/admin/admin_commands/kadmind.html +++ /dev/null @@ -1,277 +0,0 @@ - - - - - - - - kadmind — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kadmind¶

-
-

SYNOPSIS¶

-

kadmind -[-x db_args] -[-r realm] -[-m] -[-nofork] -[-proponly] -[-port port-number] -[-P pid_file] -[-p kdb5_util_path] -[-K kprop_path] -[-k kprop_port] -[-F dump_file]

-
-
-

DESCRIPTION¶

-

kadmind starts the Kerberos administration server. kadmind typically -runs on the master Kerberos server, which stores the KDC database. If -the KDC database uses the LDAP module, the administration server and -the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as kadmin and -kpasswd to administer the information in these database.

-

kadmind requires a number of configuration files to be set up in order -for it to work:

-
-
kdc.conf
-
The KDC configuration file contains configuration information for -the KDC and admin servers. kadmind uses settings in this file to -locate the Kerberos database, and is also affected by the -acl_file, dict_file, kadmind_port, and iprop-related -settings.
-
kadm5.acl
-
kadmind’s ACL (access control list) tells it which principals are -allowed to perform administration actions. The pathname to the -ACL file can be specified with the acl_file kdc.conf -variable; by default, it is LOCALSTATEDIR/krb5kdc/kadm5.acl.
-
-

After the server begins running, it puts itself in the background and -disassociates itself from its controlling terminal.

-

kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the kdc.conf -file with the iprop_enable option. Incremental propagation -requires the principal kiprop/MASTER\@REALM (where MASTER is the -master KDC’s canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase.

-
-
-

OPTIONS¶

-
-
-r realm
-
specifies the realm that kadmind will serve; if it is not -specified, the default realm of the host is used.
-
-m
-
causes the master database password to be fetched from the -keyboard (before the server puts itself in the background, if not -invoked with the -nofork option) rather than from a file on -disk.
-
-nofork
-
causes the server to remain in the foreground and remain -associated to the terminal. In normal operation, you should allow -the server to place itself in the background.
-
-proponly
-
causes the server to only listen and respond to Kerberos slave -incremental propagation polling requests. This option can be used -to set up a hierarchical propagation topology where a slave KDC -provides incremental updates to other Kerberos slaves.
-
-port port-number
-
specifies the port on which the administration server listens for -connections. The default port is determined by the -kadmind_port configuration variable in kdc.conf.
-
-P pid_file
-
specifies the file to which the PID of kadmind process should be -written after it starts up. This file can be used to identify -whether kadmind is still running and to allow init scripts to stop -the correct process.
-
-p kdb5_util_path
-
specifies the path to the kdb5_util command to use when dumping the -KDB in response to full resync requests when iprop is enabled.
-
-K kprop_path
-
specifies the path to the kprop command to use to send full dumps -to slaves in response to full resync requests.
-
-k kprop_port
-
specifies the port by which the kprop process that is spawned by kadmind -connects to the slave kpropd, in order to transfer the dump file during -an iprop full resync request.
-
-F dump_file
-
specifies the file path to be used for dumping the KDB in response -to full resync requests when iprop is enabled.
-
-x db_args
-
specifies database-specific arguments. See Database Options in kadmin for supported arguments.
-
-
- -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kdb5_ldap_util.html b/doc/html/admin/admin_commands/kdb5_ldap_util.html deleted file mode 100644 index a8811f4..0000000 --- a/doc/html/admin/admin_commands/kdb5_ldap_util.html +++ /dev/null @@ -1,560 +0,0 @@ - - - - - - - - kdb5_ldap_util — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kdb5_ldap_util¶

-
-

SYNOPSIS¶

-

kdb5_ldap_util -[-D user_dn [-w passwd]] -[-H ldapuri] -command -[command_options]

-
-
-

DESCRIPTION¶

-

kdb5_ldap_util allows an administrator to manage realms, Kerberos -services and ticket policies.

-
-
-

COMMAND-LINE OPTIONS¶

-
-
-D user_dn
-
Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server.
-
-w passwd
-
Specifies the password of user_dn. This option is not -recommended.
-
-H ldapuri
-
Specifies the URI of the LDAP server. It is recommended to use -ldapi:// or ldaps:// to connect to the LDAP server.
-
-
-
-

COMMANDS¶

-
-

create¶

-
-
create -[-subtrees subtree_dn_list] -[-sscope search_scope] -[-containerref container_reference_dn] -[-k mkeytype] -[-kv mkeyVNO] -[-m|-P password|-sf stashfilename] -[-s] -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags]
-

Creates realm in directory. Options:

-
-
-subtrees subtree_dn_list
-
Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (:).
-
-sscope search_scope
-
Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees).
-
-containerref container_reference_dn
-
Specifies the DN of the container object in which the principals -of a realm will be created. If the container reference is not -configured for a realm, the principals will be created in the -realm container.
-
-k mkeytype
-
Specifies the key type of the master key in the database. The -default is given by the master_key_type variable in -kdc.conf.
-
-kv mkeyVNO
-
Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.
-
-m
-
Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk.
-
-P password
-
Specifies the master database password. This option is not -recommended.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-sf stashfilename
-
Specifies the stash file of the master database password.
-
-s
-
Specifies that the stash file is to be created.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals in this realm.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals in this realm.
-
ticket_flags
-
Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the add_principal command in -kadmin.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Initializing database for realm 'ATHENA.MIT.EDU'
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:
-Re-enter KDC database master key to verify:
-
-
-
-
-

modify¶

-
-
modify -[-subtrees subtree_dn_list] -[-sscope search_scope] -[-containerref container_reference_dn] -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags]
-

Modifies the attributes of a realm. Options:

-
-
-subtrees subtree_dn_list
-
Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (:). This list replaces the existing list.
-
-sscope search_scope
-
Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees).
-
-containerref container_reference_dn Specifies the DN of the
-
container object in which the principals of a realm will be -created.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals in this realm.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals in this realm.
-
ticket_flags
-
Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the add_principal command in -kadmin.
-
-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu modify +requires_preauth -r
-    ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-shell%
-
-
-
-
-

view¶

-
-
view [-r realm]
-

Displays the attributes of a realm. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    view -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Realm Name: ATHENA.MIT.EDU
-Subtree: ou=users,o=org
-Subtree: ou=servers,o=org
-SearchScope: ONE
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-
-
-
-
-

destroy¶

-
-
destroy [-f] [-r realm]
-

Destroys an existing realm. Options:

-
-
-f
-
If specified, will not prompt the user for confirmation.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
-(type 'yes' to confirm)? yes
-OK, deleting database of 'ATHENA.MIT.EDU'...
-shell%
-
-
-
-
-

list¶

-
-
list
-

Lists the name of realms.

-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu list
-Password for "cn=admin,o=org":
-ATHENA.MIT.EDU
-OPENLDAP.MIT.EDU
-MEDIA-LAB.MIT.EDU
-shell%
-
-
-
-
-

stashsrvpw¶

-
-
stashsrvpw -[-f filename] -name
-

Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options:

-
-
-f filename
-
Specifies the complete path of the service password file. By -default, /usr/local/var/service_passwd is used.
-
name
-
Specifies the name of the object whose password is to be stored. -If krb5kdc or kadmind are configured for -simple binding, this should be the distinguished name it will -use as given by the ldap_kdc_dn or ldap_kadmind_dn -variable in kdc.conf. If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the ldap_kdc_sasl_authcid or -ldap_kadmind_sasl_authcid variable.
-
-

Example:

-
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
-    cn=service-kdc,o=org
-Password for "cn=service-kdc,o=org":
-Re-enter password for "cn=service-kdc,o=org":
-
-
-
-
-

create_policy¶

-
-
create_policy -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags] -policy_name
-

Creates a ticket policy in the directory. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals.
-
ticket_flags
-
Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the add_principal -command in kadmin.
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
-    -maxrenewlife "1 week" -allow_postdated +needchange
-    -allow_forwardable tktpolicy
-Password for "cn=admin,o=org":
-
-
-
-
-

modify_policy¶

-
-
modify_policy -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags] -policy_name
-

Modifies the attributes of a ticket policy. Options are same as for -create_policy.

-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
-    -maxtktlife "60 minutes" -maxrenewlife "10 hours"
-    +allow_postdated -requires_preauth tktpolicy
-Password for "cn=admin,o=org":
-
-
-
-
-

view_policy¶

-
-
view_policy -[-r realm] -policy_name
-

Displays the attributes of a ticket policy. Options:

-
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    view_policy -r ATHENA.MIT.EDU tktpolicy
-Password for "cn=admin,o=org":
-Ticket policy: tktpolicy
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-
-
-
-
-

destroy_policy¶

-
-
destroy_policy -[-r realm] -[-force] -policy_name
-

Destroys an existing ticket policy. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-force
-
Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy.
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    destroy_policy -r ATHENA.MIT.EDU tktpolicy
-Password for "cn=admin,o=org":
-This will delete the policy object 'tktpolicy', are you sure?
-(type 'yes' to confirm)? yes
-** policy object 'tktpolicy' deleted.
-
-
-
-
-

list_policy¶

-
-
list_policy -[-r realm]
-

Lists the ticket policies in realm if specified or in the default -realm. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    list_policy -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-tktpolicy
-tmppolicy
-userpolicy
-
-
-
-
-
-

SEE ALSO¶

-

kadmin

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kdb5_util.html b/doc/html/admin/admin_commands/kdb5_util.html deleted file mode 100644 index bd1fb5a..0000000 --- a/doc/html/admin/admin_commands/kdb5_util.html +++ /dev/null @@ -1,615 +0,0 @@ - - - - - - - - kdb5_util — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kdb5_util¶

-
-

SYNOPSIS¶

-

kdb5_util -[-r realm] -[-d dbname] -[-k mkeytype] -[-M mkeyname] -[-kv mkeyVNO] -[-sf stashfilename] -[-m] -command [command_options]

-
-
-

DESCRIPTION¶

-

kdb5_util allows an administrator to perform maintenance procedures on -the KDC database. Databases can be created, destroyed, and dumped to -or loaded from ASCII files. kdb5_util can create a Kerberos master -key stash file or perform live rollover of the master key.

-

When kdb5_util is run, it attempts to acquire the master key and open -the database. However, execution continues regardless of whether or -not kdb5_util successfully opens the database, because the database -may not exist yet or the stash file may be corrupt.

-

Note that some KDC database modules may not support all kdb5_util -commands.

-
-
-

COMMAND-LINE OPTIONS¶

-
-
-r realm
-
specifies the Kerberos realm of the database.
-
-d dbname
-
specifies the name under which the principal database is stored; -by default the database is that listed in kdc.conf. The -password policy database and lock files are also derived from this -value.
-
-k mkeytype
-
specifies the key type of the master key in the database. The -default is given by the master_key_type variable in -kdc.conf.
-
-kv mkeyVNO
-
Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.
-
-M mkeyname
-
principal name for the master key in the database. If not -specified, the name is determined by the master_key_name -variable in kdc.conf.
-
-m
-
specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk.
-
-sf stash_file
-
specifies the stash filename of the master database password. If -not specified, the filename is determined by the -key_stash_file variable in kdc.conf.
-
-P password
-
specifies the master database password. Using this option may -expose the password to other users on the system via the process -list.
-
-
-
-

COMMANDS¶

-
-

create¶

-
-
create [-s]
-

Creates a new database. If the -s option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run.

-
-
-

destroy¶

-
-
destroy [-f]
-

Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the -f argument, does not prompt the user.

-
-
-

stash¶

-
-
stash [-f keyfile]
-

Stores the master principal’s keys in a stash file. The -f -argument can be used to override the keyfile specified in -kdc.conf.

-
-
-

dump¶

-
-
dump [-b7|-ov|-r13] [-verbose] -[-mkey_convert] [-new_mkey_file mkey_file] [-rev] -[-recurse] [filename [principals...]]
-

Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, “kdb5_util -load_dump version 7”. If filename is not specified, or is the string -“-”, the dump is sent to standard output. Options:

-
-
-b7
-
causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util -load_dump version 4”). This was the dump format produced on -releases prior to 1.2.2.
-
-ov
-
causes the dump to be in “ovsec_adm_export” format.
-
-r13
-
causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.
-
-r18
-
causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.
-
-verbose
-
causes the name of each principal and policy to be printed as it -is dumped.
-
-mkey_convert
-
prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed.
-
-new_mkey_file mkey_file
-
the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed.
-
-rev
-
dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred.
-
-recurse
-

causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. In cases of such -corruption, this option will probably retrieve more principals -than the -rev option will.

-
-

Changed in version 1.15: Release 1.15 restored the functionality of the -recurse -option.

-
-
-

Changed in version 1.5: The -recurse option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal.

-
-
-
-
-
-

load¶

-
-
load [-b7|-ov|-r13] [-hash] -[-verbose] [-update] filename [dbname]
-

Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the -update option is given, load creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the -update flag is required.

-

Options:

-
-
-b7
-
requires the database to be in the Kerberos 5 Beta 7 format -(“kdb5_util load_dump version 4”). This was the dump format -produced on releases prior to 1.2.2.
-
-ov
-
requires the database to be in “ovsec_adm_import” format. Must be -used with the -update option.
-
-r13
-
requires the database to be in Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.
-
-r18
-
requires the database to be in Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.
-
-hash
-
requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals.
-
-verbose
-
causes the name of each principal and policy to be printed as it -is dumped.
-
-update
-
records from the dump file are added to or updated in the existing -database. Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion.
-
-

If specified, dbname overrides the value specified on the command -line or the default.

-
-
-

ark¶

-
-
ark [-e enc:salt,...] principal
-

Adds new random keys to principal at the next available key version -number. Keys for the current highest key version number will be -preserved. The -e option specifies the list of encryption and -salt types to be used for the new keys.

-
-
-

add_mkey¶

-
-
add_mkey [-e etype] [-s]
-

Adds a new master key to the master key principal, but does not mark -it as active. Existing master keys will remain. The -e option -specifies the encryption type of the new master key; see -Encryption types in kdc.conf for a list of possible -values. The -s option stashes the new master key in the stash -file, which will be created if it doesn’t already exist.

-

After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of kprop. Then, -the stash files on the slave servers should be updated with the -kdb5_util stash command. Once those steps are complete, the key -is ready to be marked active with the kdb5_util use_mkey command.

-
-
-

use_mkey¶

-
-
use_mkey mkeyVNO [time]
-

Sets the activation time of the master key specified by mkeyVNO. -Once a master key becomes active, it will be used to encrypt newly -created principal keys. If no time argument is given, the current -time is used, causing the specified master key version to become -active immediately. The format for time is getdate time string.

-

After a new master key becomes active, the kdb5_util -update_princ_encryption command can be used to update all -principal keys to be encrypted in the new master key.

-
-
-

list_mkeys¶

-
-
list_mkeys
-

List all master keys, from most recent to earliest, in the master key -principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of kadmin getprinc. A -* following an mkey denotes the currently active master key.

-
-
-

purge_mkeys¶

-
-
purge_mkeys [-f] [-n] [-v]
-

Delete master keys from the master key principal that are not used to -protect any principals. This command can be used to remove old master -keys all principal keys are protected by a newer master key.

-
-
-f
-
does not prompt for confirmation.
-
-n
-
performs a dry run, showing master keys that would be purged, but -not actually purging any keys.
-
-v
-
gives more verbose output.
-
-
-
-

update_princ_encryption¶

-
-
update_princ_encryption [-f] [-n] [-v] -[princ-pattern]
-

Update all principal records (or only those matching the -princ-pattern glob pattern) to re-encrypt the key data using the -active database master key, if they are encrypted using a different -version, and give a count at the end of the number of principals -updated. If the -f option is not given, ask for confirmation -before starting to make changes. The -v option causes each -principal processed to be listed, with an indication as to whether it -needed updating or not. The -n option performs a dry run, only -showing the actions which would have been taken.

-
-
-

tabdump¶

-
-
tabdump [-H] [-c] [-e] [-n] [-o outfile] -dumptype
-

Dump selected fields of the database in a tabular format suitable for -reporting (e.g., using traditional Unix text processing tools) or -importing into relational databases. The data format is tab-separated -(default), or optionally comma-separated (CSV), with a fixed number of -columns. The output begins with a header line containing field names, -unless suppression is requested using the -H option.

-

The dumptype parameter specifies the name of an output table (see -below).

-

Options:

-
-
-H
-
suppress writing the field names in a header line
-
-c
-
use comma separated values (CSV) format, with minimal quoting, -instead of the default tab-separated (unquoted, unescaped) format
-
-e
-
write empty hexadecimal string fields as empty fields instead of -as “-1”.
-
-n
-
produce numeric output for fields that normally have symbolic -output, such as enctypes and flag names. Also requests output of -time stamps as decimal POSIX time_t values.
-
-o outfile
-
write the dump to the specified output file instead of to standard -output
-
-

Dump types:

-
-
keydata
-

principal encryption key information, including actual key data -(which is still encrypted in the master key)

-
-
name
-
principal name
-
keyindex
-
index of this key in the principal’s key list
-
kvno
-
key version number
-
enctype
-
encryption type
-
key
-
key data as a hexadecimal string
-
salttype
-
salt type
-
salt
-
salt data as a hexadecimal string
-
-
-
keyinfo
-
principal encryption key information (as in keydata above), -excluding actual key data
-
princ_flags
-

principal boolean attributes. Flag names print as hexadecimal -numbers if the -n option is specified, and all flag positions -are printed regardless of whether or not they are set. If -n -is not specified, print all known flag names for each principal, -but only print hexadecimal flag names if the corresponding flag is -set.

-
-
name
-
principal name
-
flag
-
flag name
-
value
-
boolean value (0 for clear, or 1 for set)
-
-
-
princ_lockout
-

state information used for tracking repeated password failures

-
-
name
-
principal name
-
last_success
-
time stamp of most recent successful authentication
-
last_failed
-
time stamp of most recent failed authentication
-
fail_count
-
count of failed attempts
-
-
-
princ_meta
-

principal metadata

-
-
name
-
principal name
-
modby
-
name of last principal to modify this principal
-
modtime
-
timestamp of last modification
-
lastpwd
-
timestamp of last password change
-
policy
-
policy object name
-
mkvno
-
key version number of the master key that encrypts this -principal’s key data
-
hist_kvno
-
key version number of the history key that encrypts the key -history data for this principal
-
-
-
princ_stringattrs
-

string attributes (key/value pairs)

-
-
name
-
principal name
-
key
-
attribute name
-
value
-
attribute value
-
-
-
princ_tktpolicy
-

per-principal ticket policy data, including maximum ticket -lifetimes

-
-
name
-
principal name
-
expiration
-
principal expiration date
-
pw_expiration
-
password expiration date
-
max_life
-
maximum ticket lifetime
-
max_renew_life
-
maximum renewable ticket lifetime
-
-
-
-

Examples:

-
$ kdb5_util tabdump -o keyinfo.txt keyinfo
-$ cat keyinfo.txt
-name        keyindex        kvno    enctype salttype        salt
-foo@EXAMPLE.COM     0       1       aes128-cts-hmac-sha1-96 normal  -1
-bar@EXAMPLE.COM     0       1       aes128-cts-hmac-sha1-96 normal  -1
-bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
-$ sqlite3
-sqlite> .mode tabs
-sqlite> .import keyinfo.txt keyinfo
-sqlite> select * from keyinfo where enctype like 'des-cbc-%';
-bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
-sqlite> .quit
-$ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
-bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
-
-
-
-
-
-

SEE ALSO¶

-

kadmin

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kprop.html b/doc/html/admin/admin_commands/kprop.html deleted file mode 100644 index 04e789e..0000000 --- a/doc/html/admin/admin_commands/kprop.html +++ /dev/null @@ -1,223 +0,0 @@ - - - - - - - - kprop — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kprop¶

-
-

SYNOPSIS¶

-

kprop -[-r realm] -[-f file] -[-d] -[-P port] -[-s keytab] -slave_host

-
-
-

DESCRIPTION¶

-

kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by slave_host. The dump file must be created by -kdb5_util.

-
-
-

OPTIONS¶

-
-
-r realm
-
Specifies the realm of the master server.
-
-f file
-
Specifies the filename where the dumped principal database file is -to be found; by default the dumped database file is normally -LOCALSTATEDIR/krb5kdc/slave_datatrans.
-
-P port
-
Specifies the port to use to contact the kpropd server -on the remote host.
-
-d
-
Prints debugging information.
-
-s keytab
-
Specifies the location of the keytab file.
-
-
-
-

ENVIRONMENT¶

-

kprop uses the following environment variable:

-
    -
  • KRB5_CONFIG
    • -
-
-
-

SEE ALSO¶

-

kpropd, kdb5_util, krb5kdc

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kpropd.html b/doc/html/admin/admin_commands/kpropd.html deleted file mode 100644 index d116118..0000000 --- a/doc/html/admin/admin_commands/kpropd.html +++ /dev/null @@ -1,286 +0,0 @@ - - - - - - - - kpropd — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kpropd¶

-
-

SYNOPSIS¶

-

kpropd -[-r realm] -[-A admin_server] -[-a acl_file] -[-f slave_dumpfile] -[-F principal_database] -[-p kdb5_util_prog] -[-P port] -[-d] -[-t]

-
-
-

DESCRIPTION¶

-

The kpropd command runs on the slave KDC server. It listens for -update requests made by the kprop program. If incremental -propagation is enabled, it periodically requests incremental updates -from the master KDC.

-

When the slave receives a kprop request from the master, kpropd -accepts the dumped KDC database and places it in a file, and then runs -kdb5_util to load the dumped database into the active -database which is used by krb5kdc. This allows the master -Kerberos server to use kprop to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database.

-

Where incremental propagation is not used, kpropd is commonly invoked -out of inetd(8) as a nowait service. This is done by adding a line to -the /etc/inetd.conf file which looks like this:

-
kprop  stream  tcp  nowait  root  /usr/local/sbin/kpropd  kpropd
-
-
-

kpropd can also run as a standalone daemon, backgrounding itself and -waiting for connections on port 754 (or the port specified with the --P option if given). Standalone mode is required for incremental -propagation. Starting in release 1.11, kpropd automatically detects -whether it was run from inetd and runs in standalone mode if it is -not. Prior to release 1.11, the -S option is required to run -kpropd in standalone mode; this option is now accepted for backward -compatibility but does nothing.

-

Incremental propagation may be enabled with the iprop_enable -variable in kdc.conf. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the iprop_slave_poll variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. kproplog can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal kiprop/slavehostname@REALM (where -slavehostname is the name of the slave KDC host, and REALM is the -name of the Kerberos realm) must be present in the slave’s keytab -file.

-

kproplog can be used to force full replication when iprop is -enabled.

-
-
-

OPTIONS¶

-
-
-r realm
-
Specifies the realm of the master server.
-
-A admin_server
-
Specifies the server to be contacted for incremental updates; by -default, the master admin server is contacted.
-
-f file
-
Specifies the filename where the dumped principal database file is -to be stored; by default the dumped database file is LOCALSTATEDIR/krb5kdc/from_master.
-
-p
-
Allows the user to specify the pathname to the kdb5_util -program; by default the pathname used is SBINDIR/kdb5_util.
-
-d
-
Turn on debug mode. In this mode, kpropd will not detach -itself from the current job and run in the background. Instead, -it will run in the foreground and print out debugging messages -during the database propagation.
-
-t
-
In standalone mode without incremental propagation, exit after one -dump file is received. In incremental propagation mode, exit as -soon as the database is up to date, or if the master returns an -error.
-
-P
-
Allow for an alternate port number for kpropd to listen on. This -is only useful in combination with the -S option.
-
-a acl_file
-
Allows the user to specify the path to the kpropd.acl file; by -default the path used is LOCALSTATEDIR/krb5kdc/kpropd.acl.
-
-
-
-

ENVIRONMENT¶

-

kpropd uses the following environment variables:

-
    -
  • KRB5_CONFIG
    • -
  • KRB5_KDC_PROFILE
    • -
-
-
-

FILES¶

-
-
kpropd.acl
-
Access file for kpropd; the default location is -/usr/local/var/krb5kdc/kpropd.acl. Each entry is a line -containing the principal of a host from which the local machine -will allow Kerberos database propagation via kprop.
-
-
-
-

SEE ALSO¶

-

kprop, kdb5_util, krb5kdc, inetd(8)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/kproplog.html b/doc/html/admin/admin_commands/kproplog.html deleted file mode 100644 index 28b5e6f..0000000 --- a/doc/html/admin/admin_commands/kproplog.html +++ /dev/null @@ -1,249 +0,0 @@ - - - - - - - - kproplog — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kproplog¶

-
-

SYNOPSIS¶

-

kproplog [-h] [-e num] [-v] -kproplog [-R]

-
-
-

DESCRIPTION¶

-

The kproplog command displays the contents of the KDC database update -log to standard output. It can be used to keep track of incremental -updates to the principal database. The update log file contains the -update log maintained by the kadmind process on the master -KDC server and the kpropd process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned.

-

The kproplog command requires read access to the update log file. It -will display update entries only for the KDC it runs on.

-

If no options are specified, kproplog displays a summary of the update -log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays -only a summary of the updates, which includes the serial number of the -last update received and the associated time stamp of the last update.

-
-
-

OPTIONS¶

-
-
-R
-
Reset the update log. This forces full resynchronization. If used -on a slave then that slave will request a full resync. If used on -the master then all slaves will request full resyncs.
-
-h
-
Display a summary of the update log. This information includes -the database version number, state of the database, the number of -updates in the log, the time stamp of the first and last update, -and the version number of the first and last update entry.
-
-e num
-
Display the last num update entries in the log. This is useful -when debugging synchronization between KDC servers.
-
-v
-

Display individual attributes per update. An example of the -output generated for one entry:

-
Update Entry
-   Update serial # : 4
-   Update operation : Add
-   Update principal : test@EXAMPLE.COM
-   Update size : 424
-   Update committed : True
-   Update time stamp : Fri Feb 20 23:37:42 2004
-   Attributes changed : 6
-         Principal
-         Key data
-         Password last changed
-         Modifying principal
-         Modification time
-         TL data
-
-
-
-
-
-
-

ENVIRONMENT¶

-

kproplog uses the following environment variables:

-
    -
  • KRB5_KDC_PROFILE
    • -
-
-
-

SEE ALSO¶

-

kpropd

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/krb5kdc.html b/doc/html/admin/admin_commands/krb5kdc.html deleted file mode 100644 index 0365bf6..0000000 --- a/doc/html/admin/admin_commands/krb5kdc.html +++ /dev/null @@ -1,277 +0,0 @@ - - - - - - - - krb5kdc — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5kdc¶

-
-

SYNOPSIS¶

-

krb5kdc -[-x db_args] -[-d dbname] -[-k keytype] -[-M mkeyname] -[-p portnum] -[-m] -[-r realm] -[-n] -[-w numworkers] -[-P pid_file] -[-T time_offset]

-
-
-

DESCRIPTION¶

-

krb5kdc is the Kerberos version 5 Authentication Service and Key -Distribution Center (AS/KDC).

-
-
-

OPTIONS¶

-

The -r realm option specifies the realm for which the server -should provide service.

-

The -d dbname option specifies the name under which the -principal database can be found. This option does not apply to the -LDAP database.

-

The -k keytype option specifies the key type of the master key -to be entered manually as a password when -m is given; the default -is des-cbc-crc.

-

The -M mkeyname option specifies the principal name for the -master key in the database (usually K/M in the KDC’s realm).

-

The -m option specifies that the master database password should -be fetched from the keyboard rather than from a stash file.

-

The -n option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. In -normal operation, you should always allow the KDC to place itself in -the background.

-

The -P pid_file option tells the KDC to write its PID into -pid_file after it starts up. This can be used to identify whether -the KDC is still running and to allow init scripts to stop the correct -process.

-

The -p portnum option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the [kdcdefaults] section of kdc.conf, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88.

-

The -w numworkers option tells the KDC to fork numworkers -processes to listen to the KDC ports and process requests in parallel. -The top level KDC process (whose pid is recorded in the pid file if -the -P option is also given) acts as a supervisor. The supervisor -will relay SIGHUP signals to the worker subprocesses, and will -terminate the worker subprocess if the it is itself terminated or if -any other worker process exits.

-
-

Note

-

On operating systems which do not have pktinfo support, -using worker processes will prevent the KDC from listening -for UDP packets on network interfaces created after the KDC -starts.

-
-

The -x db_args option specifies database-specific arguments. -See Database Options in kadmin for -supported arguments.

-

The -T offset option specifies a time offset, in seconds, which -the KDC will operate under. It is intended only for testing purposes.

-
-
-

EXAMPLE¶

-

The KDC may service requests for multiple realms (maximum 32 realms). -The realms are listed on the command line. Per-realm options that can -be specified on the command line pertain for each realm that follows -it and are superseded by subsequent definitions of the same option.

-

For example:

-
krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
-
-
-

specifies that the KDC listen on port 2001 for REALM1 and on port 2002 -for REALM2 and REALM3. Additionally, per-realm parameters may be -specified in the kdc.conf file. The location of this file -may be specified by the KRB5_KDC_PROFILE environment variable. -Per-realm parameters specified in this file take precedence over -options specified on the command line. See the kdc.conf -description for further details.

-
-
-

ENVIRONMENT¶

-

krb5kdc uses the following environment variables:

-
    -
  • KRB5_CONFIG
    • -
  • KRB5_KDC_PROFILE
    • -
-
- -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/ktutil.html b/doc/html/admin/admin_commands/ktutil.html deleted file mode 100644 index f72c3aa..0000000 --- a/doc/html/admin/admin_commands/ktutil.html +++ /dev/null @@ -1,292 +0,0 @@ - - - - - - - - ktutil — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ktutil¶

-
-

SYNOPSIS¶

-

ktutil

-
-
-

DESCRIPTION¶

-

The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab or Kerberos -V4 srvtab file.

-
-
-

COMMANDS¶

-
-

list¶

-
-
list
-

Displays the current keylist.

-

Alias: l

-
-
-

read_kt¶

-
-
read_kt keytab
-

Read the Kerberos V5 keytab file keytab into the current keylist.

-

Alias: rkt

-
-
-

read_st¶

-
-
read_st srvtab
-

Read the Kerberos V4 srvtab file srvtab into the current keylist.

-

Alias: rst

-
-
-

write_kt¶

-
-
write_kt keytab
-

Write the current keylist into the Kerberos V5 keytab file keytab.

-

Alias: wkt

-
-
-

write_st¶

-
-
write_st srvtab
-

Write the current keylist into the Kerberos V4 srvtab file srvtab.

-

Alias: wst

-
-
-

clear_list¶

-
-
clear_list
-

Clear the current keylist.

-

Alias: clear

-
-
-

delete_entry¶

-
-
delete_entry slot
-

Delete the entry in slot number slot from the current keylist.

-

Alias: delent

-
-
-

add_entry¶

-
-
add_entry {-key|-password} -p principal --k kvno -e enctype
-

Add principal to keylist using key or password.

-

Alias: addent

-
-
-

list_requests¶

-
-
list_requests
-

Displays a listing of available commands.

-

Aliases: lr, ?

-
-
-

quit¶

-
-
quit
-

Quits ktutil.

-

Aliases: exit, q

-
-
-
-

EXAMPLE¶

-
-
ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e
-    aes128-cts-hmac-sha1-96
-Password for alice@BLEEP.COM:
-ktutil:  add_entry -password -p alice@BLEEP.COM -k 1 -e
-    aes256-cts-hmac-sha1-96
-Password for alice@BLEEP.COM:
-ktutil:  write_kt keytab
-ktutil:
-
-
-
-
-
-

SEE ALSO¶

-

kadmin, kdb5_util

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/admin_commands/sserver.html b/doc/html/admin/admin_commands/sserver.html deleted file mode 100644 index e48a516..0000000 --- a/doc/html/admin/admin_commands/sserver.html +++ /dev/null @@ -1,270 +0,0 @@ - - - - - - - - sserver — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

sserver¶

-
-

SYNOPSIS¶

-

sserver -[ -p port ] -[ -S keytab ] -[ server_port ]

-
-
-

DESCRIPTION¶

-

sserver and sclient are a simple demonstration client/server -application. When sclient connects to sserver, it performs a Kerberos -authentication, and then sserver returns to sclient the Kerberos -principal which was used for the Kerberos authentication. It makes a -good test that Kerberos has been successfully installed on a machine.

-

The service name used by sserver and sclient is sample. Hence, -sserver will require that there be a keytab entry for the service -sample/hostname.domain.name@REALM.NAME. This keytab is generated -using the kadmin program. The keytab file is usually -installed as DEFKTNAME.

-

The -S option allows for a different keytab than the default.

-

sserver is normally invoked out of inetd(8), using a line in -/etc/inetd.conf that looks like this:

-
sample stream tcp nowait root /usr/local/sbin/sserver sserver
-
-
-

Since sample is normally not a port defined in /etc/services, -you will usually have to add a line to /etc/services which looks -like this:

-
sample          13135/tcp
-
-
-

When using sclient, you will first have to have an entry in the -Kerberos database, by using kadmin, and then you have to get -Kerberos tickets, by using kinit. Also, if you are running -the sclient program on a different host than the sserver it will be -connecting to, be sure that both hosts have an entry in /etc/services -for the sample tcp port, and that the same port number is in both -files.

-

When you run sclient you should see something like this:

-
sendauth succeeded, reply is:
-reply len 32, contents:
-You are nlgilman@JIMI.MIT.EDU
-
-
-
-
-

COMMON ERROR MESSAGES¶

-
    -

  1. kinit returns the error:

    -
    kinit: Client not found in Kerberos database while getting
-       initial credentials
-
    -
    -

    This means that you didn’t create an entry for your username in the -Kerberos database.

    -
    2. -

  2. sclient returns the error:

    -
    unknown service sample/tcp; check /etc/services
-
    -
    -

    This means that you don’t have an entry in /etc/services for the -sample tcp port.

    -
    3. -

  3. sclient returns the error:

    -
    connect: Connection refused
-
    -
    -

    This probably means you didn’t edit /etc/inetd.conf correctly, or -you didn’t restart inetd after editing inetd.conf.

    -
    4. -

  4. sclient returns the error:

    -
    sclient: Server not found in Kerberos database while using
-         sendauth
-
    -
    -

    This means that the sample/hostname@LOCAL.REALM service was not -defined in the Kerberos database; it should be created using -kadmin, and a keytab file needs to be generated to make -the key for that service principal available for sclient.

    -
    5. -

  5. sclient returns the error:

    -
    sendauth rejected, error reply is:
-    "No such file or directory"
-
    -
    -

    This probably means sserver couldn’t find the keytab file. It was -probably not installed in the proper directory.

    -
    6. -
-
-
-

SEE ALSO¶

-

sclient, services(5), inetd(8)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/advanced/index.html b/doc/html/admin/advanced/index.html deleted file mode 100644 index d44572f..0000000 --- a/doc/html/admin/advanced/index.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - Advanced topics — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/advanced/ldapbackend.html b/doc/html/admin/advanced/ldapbackend.html deleted file mode 100644 index 9ca9d77..0000000 --- a/doc/html/admin/advanced/ldapbackend.html +++ /dev/null @@ -1,304 +0,0 @@ - - - - - - - - LDAP backend on Ubuntu 10.4 (lucid) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

LDAP backend on Ubuntu 10.4 (lucid)¶

-

Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx)

-
-

Prerequisites¶

-

Install the following packages: slapd, ldap-utils and libldap2-dev

-

You can install the necessary packages with these commands:

-
sudo apt-get install slapd
-sudo apt-get install ldap-utils
-sudo apt-get install libldap2-dev
-
-
-

Extend the user schema using schemas from standart OpenLDAP -distribution: cosine, mics, nis, inetcomperson

-
ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
-ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/mics.ldif
-ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
-ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetcomperson.ldif
-
-
-
-
-

Building Kerberos from source¶

-
./configure --with-ldap
-make
-sudo make install
-
-
-
-
-

Setting up Kerberos¶

-
-

Configuration¶

-

Update kdc.conf with the LDAP back-end information:

-
[realms]
-    EXAMPLE.COM = {
-        database_module = LDAP
-    }
-
-[dbmodules]
-    LDAP = {
-        db_library = kldap
-        ldap_kerberos_container_dn = cn=krbContainer,dc=example,dc=com
-        ldap_kdc_dn = cn=admin,dc=example,dc=com
-        ldap_kadmind_dn = cn=admin,dc=example,dc=com
-        ldap_service_password_file = /usr/local/var/krb5kdc/admin.stash
-        ldap_servers = ldapi:///
-    }
-
-
-
-
-

Schema¶

-

From the source tree copy -src/plugins/kdb/ldap/libkdb_ldap/kerberos.schema into -/etc/ldap/schema

-

Warning: this step should be done after slapd is installed to avoid -problems with slapd installation.

-

To convert kerberos.schema to run-time configuration (cn=config) -do the following:

-
    -

  1. Create a temporary file /tmp/schema_convert.conf with the -following content:

    -
    include /etc/ldap/schema/kerberos.schema
-
    -
    -
    2. -

  2. Create a temporary directory /tmp/krb5_ldif.

    -
    3. -

  3. Run:

    -
    slaptest -f /tmp/schema_convert.conf -F /tmp/krb5_ldif
-
    -
    -

    This should in a new file named -/tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif.

    -
    4. -

  4. Edit /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif by -replacing the lines:

    -
    dn: cn={0}kerberos
-cn: {0}kerberos
-
    -
    -

    with

    -
    -

    dn: cn=kerberos,cn=schema,cn=config -cn: kerberos

    -
    -

    Also, remove following attribute-value pairs:

    -
    structuralObjectClass: olcSchemaConfig
-entryUUID: ...
-creatorsName: cn=config
-createTimestamp: ...
-entryCSN: ...
-modifiersName: cn=config
-modifyTimestamp: ...
-
    -
    -
    5. -

  5. Load the new schema with ldapadd (with the proper authentication):

    -
    ldapadd -Y EXTERNAL -H ldapi:/// -f  /tmp/krb5_ldif/cn=config/cn=schema/cn={0}kerberos.ldif
-
    -
    -

    which should result the message adding new entry -"cn=kerberos,cn=schema,cn=config".

    -
    6. -
-
-
-
-

Create Kerberos database¶

-

Using LDAP administrator credentials, create Kerberos database and -master key stash:

-
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// create -s
-
-
-

Stash the LDAP administrative passwords:

-
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com
-
-
-

Start krb5kdc:

-
krb5kdc
-
-
-

To destroy database run:

-
kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldapi:/// destroy -f
-
-
-
-
-

Useful references¶

- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/advanced/retiring-des.html b/doc/html/admin/advanced/retiring-des.html deleted file mode 100644 index 8854733..0000000 --- a/doc/html/admin/advanced/retiring-des.html +++ /dev/null @@ -1,550 +0,0 @@ - - - - - - - - Retiring DES — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Retiring DES¶

-

Version 5 of the Kerberos protocol was originally implemented using -the Data Encryption Standard (DES) as a block cipher for encryption. -While it was considered secure at the time, advancements in computational -ability have rendered DES vulnerable to brute force attacks on its 56-bit -keyspace. As such, it is now considered insecure and should not be -used (RFC 6649).

-
-

History¶

-

DES was used in the original Kerberos implementation, and was the -only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was -added in version 1.1, with full support following in version 1.2. -The Advanced Encryption Standard (AES), which supersedes DES, gained -partial support in version 1.3.0 of krb5 and full support in version 1.3.2. -However, deployments of krb5 using Kerberos databases created with older -versions of krb5 will not necessarily start using strong crypto for -ordinary operation without administrator intervention.

-
-
-

Types of keys¶

-
    -
  • The database master key: This key is not exposed to user requests, -but is used to encrypt other key material stored in the kerberos -database. The database master key is currently stored as K/M -by default.
    • -
  • Password-derived keys: User principals frequently have keys -derived from a password. When a new password is set, the KDC -uses various string2key functions to generate keys in the database -for that principal.
    • -
  • Keytab keys: Application server principals generally use random -keys which are not derived from a password. When the database -entry is created, the KDC generates random keys of various enctypes -to enter in the database, which are conveyed to the application server -and stored in a keytab.
    • -
  • Session keys: These are short-term keys generated by the KDC while -processing client requests, with an enctype selected by the KDC.
    • -
-

For details on the various enctypes and how enctypes are selected by the KDC -for session keys and client/server long-term keys, see Encryption types. -When using the kadmin interface to generate new long-term keys, -the -e argument can be used to force a particular set of enctypes, -overriding the KDC default values.

-
-

Note

-

When the KDC is selecting a session key, it has no knowledge about the -kerberos installation on the server which will receive the service ticket, -only what keys are in the database for the service principal. -In order to allow uninterrupted operation to -clients while migrating away from DES, care must be taken to ensure that -kerberos installations on application server machines are configured to -support newer encryption types before keys of those new encryption types -are created in the Kerberos database for those server principals.

-
-
-
-

Upgrade procedure¶

-

This procedure assumes that the KDC software has already been upgraded -to a modern version of krb5 that supports non-DES keys, so that the -only remaining task is to update the actual keys used to service requests. -The realm used for demonstrating this procedure, ZONE.MIT.EDU, -is an example of the worst-case scenario, where all keys in the realm -are DES. The realm was initially created with a very old version of krb5, -and supported_enctypes in kdc.conf was set to a value -appropriate when the KDC was installed, but was not updated as the KDC -was upgraded:

-
[realms]
-        ZONE.MIT.EDU = {
-                [...]
-                master_key_type = des-cbc-crc
-                supported_enctypes = des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
-        }
-
-
-

This resulted in the keys for all principals in the realm being forced -to DES-only, unless specifically requested using kadmin.

-

Before starting the upgrade, all KDCs were running krb5 1.11, -and the database entries for some “high-value” principals were:

-
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
-[...]
-Number of keys: 1
-Key: vno 1, des-cbc-crc:v4
-[...]
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/admin'
-[...]
-Number of keys: 1
-Key: vno 15, des-cbc-crc
-[...]
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc kadmin/changepw'
-[...]
-Number of keys: 1
-Key: vno 14, des-cbc-crc
-[...]
-
-
-

The krbtgt/REALM key appears to have never been changed since creation -(its kvno is 1), and all three database entries have only a des-cbc-crc key.

-
-

The krbtgt key and KDC keys¶

-

Perhaps the biggest single-step improvement in the security of the cell -is gained by strengthening the key of the ticket-granting service principal, -krbtgt/REALM—if this principal’s key is compromised, so is the -entire realm. Since the server that will handle service tickets -for this principal is the KDC itself, it is easy to guarantee that it -will be configured to support any encryption types which might be -selected. However, the default KDC behavior when creating new keys is to -remove the old keys, which would invalidate all existing tickets issued -against that principal, rendering the TGTs cached by clients useless. -Instead, a new key can be created with the old key retained, so that -existing tickets will still function until their scheduled expiry -(see Changing the krbtgt key).

-
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
-> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal,des-cbc-crc:normal
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
-> -keepold krbtgt/ZONE.MIT.EDU"
-Authenticating as principal root/admin@ZONE.MIT.EDU with password.
-Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.
-
-
-
-

Note

-

The new krbtgt@REALM key should be propagated to slave KDCs -immediately so that TGTs issued by the master KDC can be used to -issue service tickets on slave KDCs. Slave KDCs will refuse requests -using the new TGT kvno until the new krbtgt entry has been propagated -to them.

-
-

It is necessary to explicitly specify the enctypes for the new database -entry, since supported_enctypes has not been changed. Leaving -supported_enctypes unchanged makes a potential rollback operation -easier, since all new keys of new enctypes are the result of explicit -administrator action and can be easily enumerated. -Upgrading the krbtgt key should have minimal user-visible disruption other -than that described in the note above, since only clients which list the -new enctypes as supported will use them, per the procedure -in Session key selection. -Once the krbtgt key is updated, the session and ticket keys for user -TGTs will be strong keys, but subsequent requests -for service tickets will still get DES keys until the service principals -have new keys generated. Application service -remains uninterrupted due to the key-selection procedure on the KDC.

-

After the change, the database entry is now:

-
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'getprinc krbtgt/ZONE.MIT.EDU'
-[...]
-Number of keys: 5
-Key: vno 2, aes256-cts-hmac-sha1-96
-Key: vno 2, aes128-cts-hmac-sha1-96
-Key: vno 2, des3-cbc-sha1
-Key: vno 2, des-cbc-crc
-Key: vno 1, des-cbc-crc:v4
-[...]
-
-
-

Since the expected disruptions from rekeying the krbtgt principal are -minor, after a short testing period, it is -appropriate to rekey the other high-value principals, kadmin/admin@REALM -and kadmin/changepw@REALM. These are the service principals used for -changing user passwords and updating application keytabs. The kadmin -and password-changing services are regular kerberized services, so the -session-key-selection algorithm described in Session key selection -applies. It is particularly important to have strong session keys for -these services, since user passwords and new long-term keys are conveyed -over the encrypted channel.

-
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
-> aes128-cts-hmac-sha1-96:normal,des3-hmac-sha1:normal
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
-> kadmin/admin"
-Authenticating as principal root/admin@ZONE.MIT.EDU with password.
-Key for "kadmin/admin@ZONE.MIT.EDU" randomized.
-[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -e ${enctypes} -randkey \
-> kadmin/changepw"
-Authenticating as principal root/admin@ZONE.MIT.EDU with password.
-Key for "kadmin/changepw@ZONE.MIT.EDU" randomized.
-
-
-

It is not necessary to retain a single-DES key for these services, since -password changes are not part of normal daily workflow, and disruption -from a client failure is likely to be minimal. Furthermore, if a kerberos -client experiences failure changing a user password or keytab key, -this indicates that that client will become inoperative once services -are rekeyed to non-DES enctypes. Such problems can be detected early -at this stage, giving more time for corrective action.

-
-
-

Adding strong keys to application servers¶

-

Before switching the default enctypes for new keys over to strong enctypes, -it may be desired to test upgrading a handful of services with the -new configuration before flipping the switch for the defaults. This -still requires using the -e argument in kadmin to get non-default -enctypes:

-
[root@casio krb5kdc]# enctypes=aes256-cts-hmac-sha1-96:normal,\
-> aes128-cts-hmac-sha1-96:normal,des3-cbc-sha1:normal,des-cbc-crc:normal
-[root@casio krb5kdc]# kadmin -r ZONE.MIT.EDU -p zephyr/zephyr@ZONE.MIT.EDU -k -t \
-> /etc/zephyr/krb5.keytab  -q "ktadd -e ${enctypes} \
-> -k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU"
-Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
-Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
-Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
-Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3-cbc-sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab.
-Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des-cbc-crc added to keytab WRFILE:/etc/zephyr/krb5.keytab.
-
-
-

Be sure to remove the old keys from the application keytab, per best -practice.

-
[root@casio krb5kdc]# k5srvutil -f /etc/zephyr/krb5.keytab delold
-Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab.
-Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab.
-
-
-
-
-

Adding strong keys by default¶

-

Once the high-visibility services have been rekeyed, it is probably -appropriate to change kdc.conf to generate keys with the new -encryption types by default. This enables server administrators to generate -new enctypes with the change subcommand of k5srvutil, -and causes user password -changes to add new encryption types for their entries. It will probably -be necessary to implement administrative controls to cause all user -principal keys to be updated in a reasonable period of time, whether -by forcing password changes or a password synchronization service that -has access to the current password and can add the new keys.

-
[realms]
-        ZONE.MIT.EDU = {
-                supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal des-cbc-crc:normal
-
-
-
-

Note

-

The krb5kdc process must be restarted for these changes to take effect.

-
-

At this point, all service administrators can update their services and the -servers behind them to take advantage of strong cryptography. -If necessary, the server’s krb5 installation should be configured and/or -upgraded to a version supporting non-DES keys. See Encryption types for -krb5 version and configuration settings. -Only when the service is configured to accept non-DES keys should -the key version number be incremented and new keys generated -(k5srvutil change && k5srvutil delold).

-
root@dr-willy:~# k5srvutil change
-Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
-Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
-Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5.keytab.
-Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab.
-Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
-root@dr-willy:~# klist -e -k -t /etc/krb5.keytab
-Keytab name: WRFILE:/etc/krb5.keytab
-KVNO Timestamp         Principal
----- ----------------- --------------------------------------------------------
-   2 10/10/12 17:03:59 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
-   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-256 CTS mode with 96-bit SHA-1 HMAC)
-   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (AES-128 CTS mode with 96-bit SHA-1 HMAC)
-   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1)
-   3 12/12/12 15:31:19 host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC-32)
-root@dr-willy:~# k5srvutil delold
-Authenticating as principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab.
-Entry for principal host/dr-willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab.
-
-
-

When a single service principal is shared by multiple backend servers in -a load-balanced environment, it may be necessary to schedule downtime -or adjust the population in the load-balanced pool in order to propagate -the updated keytab to all hosts in the pool with minimal service interruption.

-
-
-

Removing DES keys from usage¶

-

This situation remains something of a testing or transitory state, -as new DES keys are still being generated, and will be used if requested -by a client. To make more progress removing DES from the realm, the KDC -should be configured to not generate such keys by default.

-
-

Note

-

An attacker posing as a client can implement a brute force attack against -a DES key for any principal, if that key is in the current (highest-kvno) -key list. This attack is only possible if allow_weak_crypto = true -is enabled on the KDC. Setting the +requires_preauth flag on a -principal forces this attack to be an online attack, much slower than -the offline attack otherwise available to the attacker. However, setting -this flag on a service principal is not always advisable; see the entry in -add_principal for details.

-
-

The following KDC configuration will not generate DES keys by default:

-
[realms]
-        ZONE.MIT.EDU = {
-                supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal des3-hmac-sha1:normal
-
-
-
-

Note

-

As before, the KDC process must be restarted for this change to take -effect. It is best practice to update kdc.conf on all KDCs, not just the -master, to avoid unpleasant surprises should the master fail and a slave -need to be promoted.

-
-

It is now appropriate to remove the legacy single-DES key from the -krbtgt/REALM entry:

-
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q "cpw -randkey -keepold \
-> krbtgt/ZONE.MIT.EDU"
-Authenticating as principal host/admin@ATHENA.MIT.EDU with password.
-Key for "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" randomized.
-
-
-

After the maximum ticket lifetime has passed, the old database entry -should be removed.

-
[root@casio krb5kdc]# kadmin.local -r ZONE.MIT.EDU -q 'purgekeys krbtgt/ZONE.MIT.EDU'
-Authenticating as principal root/admin@ZONE.MIT.EDU with password.
-Old keys for principal "krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU" purged.
-
-
-

After the KDC is restarted with the new supported_enctypes, -all user password changes and application keytab updates will not -generate DES keys by default.

-
contents-vnder-pressvre:~> kpasswd zonetest@ZONE.MIT.EDU
-Password for zonetest@ZONE.MIT.EDU:  [enter old password]
-Enter new password:                  [enter new password]
-Enter it again:                      [enter new password]
-Password changed.
-contents-vnder-pressvre:~> kadmin -r ZONE.MIT.EDU -q 'getprinc zonetest'
-[...]
-Number of keys: 3
-Key: vno 9, aes256-cts-hmac-sha1-96
-Key: vno 9, aes128-cts-hmac-sha1-96
-Key: vno 9, des3-cbc-sha1
-[...]
-
-[kaduk@glossolalia ~]$ kadmin -p kaduk@ZONE.MIT.EDU -r ZONE.MIT.EDU -k \
-> -t kaduk-zone.keytab -q 'ktadd -k kaduk-zone.keytab kaduk@ZONE.MIT.EDU'
-Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128-cts-hmac-sha1-96 added to keytab WRFILE:kaduk-zone.keytab.
-Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3-cbc-sha1 added to keytab WRFILE:kaduk-zone.keytab.
-
-
-

Once all principals have been re-keyed, DES support can be disabled on the -KDC (allow_weak_crypto = false), and client machines can remove -allow_weak_crypto = true from their krb5.conf configuration -files, completing the migration. allow_weak_crypto takes precedence over -all places where DES enctypes could be explicitly configured. DES keys will -not be used, even if they are present, when allow_weak_crypto = false.

-
-
-

Support for legacy services¶

-

If there remain legacy services which do not support non-DES enctypes -(such as older versions of AFS), allow_weak_crypto must remain -enabled on the KDC. Client machines need not have this setting, -though—applications which require DES can use API calls to allow -weak crypto on a per-request basis, overriding the system krb5.conf. -However, having allow_weak_crypto set on the KDC means that any -principals which have a DES key in the database could still use those -keys. To minimize the use of DES in the realm and restrict it to just -legacy services which require DES, it is necessary to remove all other -DES keys. The realm has been configured such that at password and -keytab change, no DES keys will be generated by default. The task -then reduces to requiring user password changes and having server -administrators update their service keytabs. Administrative outreach -will be necessary, and if the desire to eliminate DES is sufficiently -strong, the KDC administrators may choose to randkey any principals -which have not been rekeyed after some timeout period, forcing the -user to contact the helpdesk for access.

-
-
-
-

The Database Master Key¶

-

This procedure does not alter K/M@REALM, the key used to encrypt key -material in the Kerberos database. (This is the key stored in the stash file -on the KDC if stash files are used.) However, the security risk of -a single-DES key for K/M is minimal, given that access to material -encrypted in K/M (the Kerberos database) is generally tightly controlled. -If an attacker can gain access to the encrypted database, they likely -have access to the stash file as well, rendering the weak cryptography -broken by non-cryptographic means. As such, upgrading K/M to a stronger -encryption type is unlikely to be a high-priority task.

-

Is is possible to upgrade the master key used for the database, if -desired. Using kdb5_util‘s add_mkey, use_mkey, and -update_princ_encryption commands, a new master key can be added -and activated for use on new key material, and the existing entries -converted to the new master key.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/appl_servers.html b/doc/html/admin/appl_servers.html deleted file mode 100644 index 7db6143..0000000 --- a/doc/html/admin/appl_servers.html +++ /dev/null @@ -1,356 +0,0 @@ - - - - - - - - Application servers — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Application servers¶

-

If you need to install the Kerberos V5 programs on an application -server, please refer to the Kerberos V5 Installation Guide. Once you -have installed the software, you need to add that host to the Kerberos -database (see Adding, modifying and deleting principals), and generate a keytab for -that host, that contains the host’s key. You also need to make sure -the host’s clock is within your maximum clock skew of the KDCs.

-
-

Keytabs¶

-

A keytab is a host’s copy of its own keylist, which is analogous to a -user’s password. An application server that needs to authenticate -itself to the KDC has to have a keytab that contains its own principal -and key. Just as it is important for users to protect their -passwords, it is equally important for hosts to protect their keytabs. -You should always store keytab files on local disk, and make them -readable only by root, and you should never send a keytab file over a -network in the clear. Ideally, you should run the kadmin -command to extract a keytab on the host on which the keytab is to -reside.

-
-

Adding principals to keytabs¶

-

To generate a keytab, or to add a principal to an existing keytab, use -the ktadd command from kadmin.

-
-
-

ktadd¶

-
-
-
ktadd [options] principal
-
ktadd [options] -glob princ-exp
-
-
-

Adds a principal, or all principals matching princ-exp, to a -keytab file. Each principal’s keys are randomized in the process. -The rules for princ-exp are described in the list_principals -command.

-

This command requires the inquire and changepw privileges. -With the -glob form, it also requires the list privilege.

-

The options are:

-
-
-k[eytab] keytab
-
Use keytab as the keytab file. Otherwise, the default keytab is -used.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the new keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-q
-
Display less verbose information.
-
-norandkey
-
Do not randomize the keys. The keys and their version numbers stay -unchanged. This option cannot be specified in combination with the --e option.
-
-

An entry for each of the principal’s unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types.

-

Example:

-
kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
-Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
-     encryption type aes256-cts-hmac-sha1-96 added to keytab
-     FILE:/tmp/foo-new-keytab
-kadmin:
-
-
-
-

Examples¶

-

Here is a sample session, using configuration files that enable only -AES encryption:

-
kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU
-Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
-Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab
-kadmin:
-
-
-
-
-
-

Removing principals from keytabs¶

-

To remove a principal from an existing keytab, use the kadmin -ktremove command.

-
-
-

ktremove¶

-
-
ktremove [options] principal [kvno | all | old]
-

Removes entries for the specified principal from a keytab. Requires -no permissions, since this does not require database access.

-

If the string “all” is specified, all entries for that principal are -removed; if the string “old” is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed.

-

The options are:

-
-
-k[eytab] keytab
-
Use keytab as the keytab file. Otherwise, the default keytab is -used.
-
-q
-
Display less verbose information.
-
-

Example:

-
kadmin: ktremove kadmin/admin all
-Entry for principal kadmin/admin with kvno 3 removed from keytab
-     FILE:/etc/krb5.keytab
-kadmin:
-
-
-
-
-
-

Clock Skew¶

-

A Kerberos application server host must keep its clock synchronized or -it will reject authentication requests from clients. Modern operating -systems typically provide a facility to maintain the correct time; -make sure it is enabled. This is especially important on virtual -machines, where clocks tend to drift more rapidly than normal machine -clocks.

-

The default allowable clock skew is controlled by the clockskew -variable in [libdefaults].

-
-
-

Getting DNS information correct¶

-

Several aspects of Kerberos rely on name service. When a hostname is -used to name a service, the Kerberos library canonicalizes the -hostname using forward and reverse name resolution. (The reverse name -resolution step can be turned off using the rdns variable in -[libdefaults].) The result of this canonicalization must match -the principal entry in the host’s keytab, or authentication will fail.

-

Each host’s canonical name must be the fully-qualified host name -(including the domain), and each host’s IP address must -reverse-resolve to the canonical name.

-

Configuration of hostnames varies by operating system. On the -application server itself, canonicalization will typically use the -/etc/hosts file rather than the DNS. Ensure that the line for the -server’s hostname is in the following form:

-
IP address      fully-qualified hostname        aliases
-
-
-

Here is a sample /etc/hosts file:

-
# this is a comment
-127.0.0.1      localhost localhost.mit.edu
-10.0.0.6       daffodil.mit.edu daffodil trillium wake-robin
-
-
-

The output of klist -k for this example host should look like:

-
viola# klist -k
-Keytab name: /etc/krb5.keytab
-KVNO Principal
----- ------------------------------------------------------------
-   2 host/daffodil.mit.edu@ATHENA.MIT.EDU
-
-
-

If you were to ssh to this host with a fresh credentials cache (ticket -file), and then klist, the output should list a service -principal of host/daffodil.mit.edu@ATHENA.MIT.EDU.

-
-
-

Configuring your firewall to work with Kerberos V5¶

-

If you need off-site users to be able to get Kerberos tickets in your -realm, they must be able to get to your KDC. This requires either -that you have a slave KDC outside your firewall, or that you configure -your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other -ports may be specified in the KDC’s kdc.conf file.) -Similarly, if you need off-site users to be able to change their -passwords in your realm, they must be able to get to your Kerberos -admin server on the kpasswd port (which defaults to 464). If you need -off-site users to be able to administer your Kerberos realm, they must -be able to get to your Kerberos admin server on the administrative -port (which defaults to 749).

-

If your on-site users inside your firewall will need to get to KDCs in -other realms, you will also need to configure your firewall to allow -outgoing TCP and UDP requests to port 88, and to port 464 to allow -password changes. If your on-site users inside your firewall will -need to get to Kerberos admin servers in other realms, you will also -need to allow outgoing TCP and UDP requests to port 749.

-

If any of your KDCs are outside your firewall, you will need to allow -kprop requests to get through to the remote KDC. kprop uses -the krb5_prop service on port 754 (tcp).

-

The book UNIX System Security, by David Curry, is a good starting -point for learning to configure firewalls.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/auth_indicator.html b/doc/html/admin/auth_indicator.html deleted file mode 100644 index 4f62229..0000000 --- a/doc/html/admin/auth_indicator.html +++ /dev/null @@ -1,206 +0,0 @@ - - - - - - - - Authentication indicators — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Authentication indicators¶

-

As of release 1.14, the KDC can be configured to annotate tickets if -the client authenticated using a stronger preauthentication mechanism -such as PKINIT or OTP. These -annotations are called “authentication indicators.” Service -principals can be configured to require particular authentication -indicators in order to authenticate to that service. An -authentication indicator value can be any string chosen by the KDC -administrator; there are no pre-set values.

-

To use authentication indicators with PKINIT or OTP, first configure -the KDC to include an indicator when that preauthentication mechanism -is used. For PKINIT, use the pkinit_indicator variable in -kdc.conf. For OTP, use the indicator variable in the -token type definition, or specify the indicators in the otp user -string as described in OTP Preauthentication.

-

To require an indicator to be present in order to authenticate to a -service principal, set the require_auth string attribute on the -principal to the indicator value to be required. If you wish to allow -one of several indicators to be accepted, you can specify multiple -indicator values separated by spaces.

-

For example, a realm could be configured to set the authentication -indicator value “strong” when PKINIT is used to authenticate, using a -setting in the [realms] subsection:

-
pkinit_indicator = strong
-
-
-

A service principal could be configured to require the “strong” -authentication indicator value:

-
$ kadmin setstr host/high.value.server require_auth strong
-Password for user/admin@KRBTEST.COM:
-
-
-

A user who authenticates with PKINIT would be able to obtain a ticket -for the service principal:

-
$ kinit -X X509_user_identity=FILE:/my/cert.pem,/my/key.pem user
-$ kvno host/high.value.server
-host/high.value.server@KRBTEST.COM: kvno = 1
-
-
-

but a user who authenticates with a password would not:

-
$ kinit user
-Password for user@KRBTEST.COM:
-$ kvno host/high.value.server
-kvno: KDC policy rejects request while getting credentials for
-  host/high.value.server@KRBTEST.COM
-
-
-

GSSAPI server applications can inspect authentication indicators -through the auth-indicators name -attribute.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/backup_host.html b/doc/html/admin/backup_host.html deleted file mode 100644 index cf3b857..0000000 --- a/doc/html/admin/backup_host.html +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - Backups of secure hosts — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Backups of secure hosts¶

-

When you back up a secure host, you should exclude the host’s keytab -file from the backup. If someone obtained a copy of the keytab from a -backup, that person could make any host masquerade as the host whose -keytab was compromised. In many configurations, knowledge of the -host’s keytab also allows root access to the host. This could be -particularly dangerous if the compromised keytab was from one of your -KDCs. If the machine has a disk crash and the keytab file is lost, it -is easy to generate another keytab file. (See Adding principals to keytabs.) -If you are unable to exclude particular files from backups, you should -ensure that the backups are kept as secure as the host’s root -password.

-
-

Backing up the Kerberos database¶

-

As with any file, it is possible that your Kerberos database could -become corrupted. If this happens on one of the slave KDCs, you might -never notice, since the next automatic propagation of the database -would install a fresh copy. However, if it happens to the master KDC, -the corrupted database would be propagated to all of the slaves during -the next propagation. For this reason, MIT recommends that you back -up your Kerberos database regularly. Because the master KDC is -continuously dumping the database to a file in order to propagate it -to the slave KDCs, it is a simple matter to have a cron job -periodically copy the dump file to a secure machine elsewhere on your -network. (Of course, it is important to make the host where these -backups are stored as secure as your KDCs, and to encrypt its -transmission across your network.) Then if your database becomes -corrupted, you can load the most recent dump onto the master KDC. -(See Restoring a Kerberos database from a dump file.)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/conf_files/index.html b/doc/html/admin/conf_files/index.html deleted file mode 100644 index 7813dd2..0000000 --- a/doc/html/admin/conf_files/index.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - Configuration Files — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Configuration Files¶

-

Kerberos uses configuration files to allow administrators to specify -settings on a per-machine basis. krb5.conf applies to all -applications using the Kerboros library, on clients and servers. -For KDC-specific applications, additional settings can be specified in -kdc.conf; the two files are merged into a configuration profile -used by applications accessing the KDC database directly. kadm5.acl -is also only used on the KDC, it controls permissions for modifying the -KDC database.

-
-

Contents¶

-
- -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/conf_files/kadm5_acl.html b/doc/html/admin/conf_files/kadm5_acl.html deleted file mode 100644 index c08c00b..0000000 --- a/doc/html/admin/conf_files/kadm5_acl.html +++ /dev/null @@ -1,334 +0,0 @@ - - - - - - - - kadm5.acl — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kadm5.acl¶

-
-

DESCRIPTION¶

-

The Kerberos kadmind daemon uses an Access Control List -(ACL) file to manage access rights to the Kerberos database. -For operations that affect principals, the ACL file also controls -which principals can operate on which other principals.

-

The default location of the Kerberos ACL file is -LOCALSTATEDIR/krb5kdc/kadm5.acl unless this is overridden by the acl_file -variable in kdc.conf.

-
-
-

SYNTAX¶

-

Empty lines and lines starting with the sharp sign (#) are -ignored. Lines containing ACL entries have the format:

-
principal  permissions  [target_principal  [restrictions] ]
-
-
-
-

Note

-

Line order in the ACL file is important. The first matching entry -will control access for an actor principal on a target principal.

-
-
-
principal
-

(Partially or fully qualified Kerberos principal name.) Specifies -the principal whose permissions are to be set.

-

Each component of the name may be wildcarded using the * -character.

-
-
permissions
-

Specifies what operations may or may not be performed by a -principal matching a particular entry. This is a string of one or -more of the following list of characters or their upper-case -counterparts. If the character is upper-case, then the operation -is disallowed. If the character is lower-case, then the operation -is permitted.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
a[Dis]allows the addition of principals or policies
c[Dis]allows the changing of passwords for principals
d[Dis]allows the deletion of principals or policies
e[Dis]allows the extraction of principal keys
i[Dis]allows inquiries about principals or policies
l[Dis]allows the listing of all principals or policies
m[Dis]allows the modification of principals or policies
p[Dis]allows the propagation of the principal database (used in Incremental database propagation)
s[Dis]allows the explicit setting of the key for a principal
xShort for admcilsp. All privileges (except e)
*Same as x.
-
-
-
-

Note

-

The extract privilege is not included in the wildcard -privilege; it must be explicitly assigned. This privilege -allows the user to extract keys from the database, and must be -handled with great care to avoid disclosure of important keys -like those of the kadmin/* or krbtgt/* principals. The -lockdown_keys principal attribute can be used to prevent -key extraction from specific principals regardless of the -granted privilege.

-
-
-
target_principal
-

(Optional. Partially or fully qualified Kerberos principal name.) -Specifies the principal on which permissions may be applied. -Each component of the name may be wildcarded using the * -character.

-

target_principal can also include back-references to principal, -in which *number matches the corresponding wildcard in -principal.

-
-
restrictions
-

(Optional) A string of flags. Allowed restrictions are:

-
-
-
{+|-}flagname
-
flag is forced to the indicated value. The permissible flags -are the same as those for the default_principal_flags -variable in kdc.conf.
-
-clearpolicy
-
policy is forced to be empty.
-
-policy pol
-
policy is forced to be pol.
-
-{expire, pwexpire, maxlife, maxrenewlife} time
-
(getdate time string) associated value will be forced to -MIN(time, requested value).
-
-
-

The above flags act as restrictions on any add or modify operation -which is allowed due to that ACL line.

-
-
-
-

Warning

-

If the kadmind ACL file is modified, the kadmind daemon needs to be -restarted for changes to take effect.

-
-
-
-

EXAMPLE¶

-

Here is an example of a kadm5.acl file:

-
*/admin@ATHENA.MIT.EDU    *                               # line 1
-joeadmin@ATHENA.MIT.EDU   ADMCIL                          # line 2
-joeadmin/*@ATHENA.MIT.EDU i   */root@ATHENA.MIT.EDU       # line 3
-*/root@ATHENA.MIT.EDU     ci  *1@ATHENA.MIT.EDU           # line 4
-*/root@ATHENA.MIT.EDU     l   *                           # line 5
-sms@ATHENA.MIT.EDU        x   * -maxlife 9h -postdateable # line 6
-
-
-

(line 1) Any principal in the ATHENA.MIT.EDU realm with an -admin instance has all administrative privileges except extracting -keys.

-

(lines 1-3) The user joeadmin has all permissions except -extracting keys with his admin instance, -joeadmin/admin@ATHENA.MIT.EDU (matches line 1). He has no -permissions at all with his null instance, joeadmin@ATHENA.MIT.EDU -(matches line 2). His root and other non-admin, non-null -instances (e.g., extra or dbadmin) have inquire permissions -with any principal that has the instance root (matches line 3).

-

(line 4) Any root principal in ATHENA.MIT.EDU can inquire -or change the password of their null instance, but not any other -null instance. (Here, *1 denotes a back-reference to the -component matching the first wildcard in the actor principal.)

-

(line 5) Any root principal in ATHENA.MIT.EDU can generate -the list of principals in the database, and the list of policies -in the database. This line is separate from line 4, because list -permission can only be granted globally, not to specific target -principals.

-

(line 6) Finally, the Service Management System principal -sms@ATHENA.MIT.EDU has all permissions except extracting keys, but -any principal that it creates or modifies will not be able to get -postdateable tickets or tickets with a life of longer than 9 hours.

-
-
-

SEE ALSO¶

-

kdc.conf, kadmind

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/conf_files/kdc_conf.html b/doc/html/admin/conf_files/kdc_conf.html deleted file mode 100644 index e0fd44a..0000000 --- a/doc/html/admin/conf_files/kdc_conf.html +++ /dev/null @@ -1,1069 +0,0 @@ - - - - - - - - kdc.conf — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kdc.conf¶

-

The kdc.conf file supplements krb5.conf for programs which -are typically only used on a KDC, such as the krb5kdc and -kadmind daemons and the kdb5_util program. -Relations documented here may also be specified in krb5.conf; for the -KDC programs mentioned, krb5.conf and kdc.conf will be merged into a -single configuration profile.

-

Normally, the kdc.conf file is found in the KDC state directory, -LOCALSTATEDIR/krb5kdc. You can override the default location by setting the -environment variable KRB5_KDC_PROFILE.

-

Please note that you need to restart the KDC daemon for any configuration -changes to take effect.

-
-

Structure¶

-

The kdc.conf file is set up in the same format as the -krb5.conf file.

-
-
-

Sections¶

-

The kdc.conf file may contain the following sections:

- ---- - - - - - - - - - - - - - - - - - -
[kdcdefaults]Default values for KDC behavior
[realms]Realm-specific database configuration and settings
[dbdefaults]Default database settings
[dbmodules]Per-database settings
[logging]Controls how Kerberos daemons perform logging
-
-

[kdcdefaults]¶

-

With two exceptions, relations in the [kdcdefaults] section specify -default values for realm variables, to be used if the [realms] -subsection does not contain a relation for the tag. See the -[realms] section for the definitions of these relations.

-
    -
  • host_based_services
    • -
  • kdc_listen
    • -
  • kdc_ports
    • -
  • kdc_tcp_listen
    • -
  • kdc_tcp_ports
    • -
  • no_host_referral
    • -
  • restrict_anonymous_to_tgt
    • -
-
-
kdc_max_dgram_reply_size
-
Specifies the maximum packet size that can be sent over UDP. The -default value is 4096 bytes.
-
kdc_tcp_listen_backlog
-
(Integer.) Set the size of the listen queue length for the KDC -daemon. The value may be limited by OS settings. The default -value is 5.
-
-
-
-

[realms]¶

-

Each tag in the [realms] section is the name of a Kerberos realm. The -value of the tag is a subsection where the relations define KDC -parameters for that particular realm. The following example shows how -to define one parameter for the ATHENA.MIT.EDU realm:

-
[realms]
-    ATHENA.MIT.EDU = {
-        max_renewable_life = 7d 0h 0m 0s
-    }
-
-
-

The following tags may be specified in a [realms] subsection:

-
-
acl_file
-
(String.) Location of the access control list file that -kadmind uses to determine which principals are allowed -which permissions on the Kerberos database. The default value is -LOCALSTATEDIR/krb5kdc/kadm5.acl. For more information on Kerberos ACL -file see kadm5.acl.
-
database_module
-
(String.) This relation indicates the name of the configuration -section under [dbmodules] for database-specific parameters -used by the loadable database library. The default value is the -realm name. If this configuration section does not exist, default -values will be used for all database parameters.
-
database_name
-
(String, deprecated.) This relation specifies the location of the -Kerberos database for this realm, if the DB2 module is being used -and the [dbmodules] configuration section does not specify a -database name. The default value is LOCALSTATEDIR/krb5kdc/principal.
-
default_principal_expiration
-
(Absolute time string.) Specifies the default expiration date of -principals created in this realm. The default value is 0, which -means no expiration date.
-
default_principal_flags
-

(Flag string.) Specifies the default attributes of principals -created in this realm. The format for this string is a -comma-separated list of flags, with ‘+’ before each flag that -should be enabled and ‘-‘ before each flag that should be -disabled. The postdateable, forwardable, tgt-based, -renewable, proxiable, dup-skey, allow-tickets, and -service flags default to enabled.

-

There are a number of possible flags:

-
-
allow-tickets
-
Enabling this flag means that the KDC will issue tickets for -this principal. Disabling this flag essentially deactivates -the principal within this realm.
-
dup-skey
-
Enabling this flag allows the principal to obtain a session -key for another user, permitting user-to-user authentication -for this principal.
-
forwardable
-
Enabling this flag allows the principal to obtain forwardable -tickets.
-
hwauth
-
If this flag is enabled, then the principal is required to -preauthenticate using a hardware device before receiving any -tickets.
-
no-auth-data-required
-
Enabling this flag prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.
-
ok-as-delegate
-
If this flag is enabled, it hints the client that credentials -can and should be delegated when authenticating to the -service.
-
ok-to-auth-as-delegate
-
Enabling this flag allows the principal to use S4USelf tickets.
-
postdateable
-
Enabling this flag allows the principal to obtain postdateable -tickets.
-
preauth
-
If this flag is enabled on a client principal, then that -principal is required to preauthenticate to the KDC before -receiving any tickets. On a service principal, enabling this -flag means that service tickets for this principal will only -be issued to clients with a TGT that has the preauthenticated -bit set.
-
proxiable
-
Enabling this flag allows the principal to obtain proxy -tickets.
-
pwchange
-
Enabling this flag forces a password change for this -principal.
-
pwservice
-
If this flag is enabled, it marks this principal as a password -change service. This should only be used in special cases, -for example, if a user’s password has expired, then the user -has to get tickets for that principal without going through -the normal password authentication in order to be able to -change the password.
-
renewable
-
Enabling this flag allows the principal to obtain renewable -tickets.
-
service
-
Enabling this flag allows the the KDC to issue service tickets -for this principal.
-
tgt-based
-
Enabling this flag allows a principal to obtain tickets based -on a ticket-granting-ticket, rather than repeating the -authentication process that was used to obtain the TGT.
-
-
-
dict_file
-
(String.) Location of the dictionary file containing strings that -are not allowed as passwords. The file should contain one string -per line, with no additional whitespace. If none is specified or -if there is no policy assigned to the principal, no dictionary -checks of passwords will be performed.
-
host_based_services
-
(Whitespace- or comma-separated list.) Lists services which will -get host-based referral processing even if the server principal is -not marked as host-based by the client.
-
iprop_enable
-
(Boolean value.) Specifies whether incremental database -propagation is enabled. The default value is false.
-
iprop_master_ulogsize
-
(Integer.) Specifies the maximum number of log entries to be -retained for incremental propagation. The default value is 1000. -Prior to release 1.11, the maximum value was 2500.
-
iprop_slave_poll
-
(Delta time string.) Specifies how often the slave KDC polls for -new updates from the master. The default value is 2m (that -is, two minutes).
-
iprop_listen
-
(Whitespace- or comma-separated list.) Specifies the iprop RPC -listening addresses and/or ports for the kadmind daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default (when iprop_enable is true) is to bind to the wildcard -address at the port specified in iprop_port. New in release -1.15.
-
iprop_port
-
(Port number.) Specifies the port number to be used for -incremental propagation. When iprop_enable is true, this -relation is required in the slave configuration file, and this -relation or iprop_listen is required in the master -configuration file, as there is no default port number. Port -numbers specified in iprop_listen entries will override this -port number for the kadmind daemon.
-
iprop_resync_timeout
-
(Delta time string.) Specifies the amount of time to wait for a -full propagation to complete. This is optional in configuration -files, and is used by slave KDCs only. The default value is 5 -minutes (5m). New in release 1.11.
-
iprop_logfile
-
(File name.) Specifies where the update log file for the realm -database is to be stored. The default is to use the -database_name entry from the realms section of the krb5 config -file, with .ulog appended. (NOTE: If database_name isn’t -specified in the realms section, perhaps because the LDAP database -back end is being used, or the file name is specified in the -[dbmodules] section, then the hard-coded default for -database_name is used. Determination of the iprop_logfile -default value will not use values from the [dbmodules] section.)
-
kadmind_listen
-
(Whitespace- or comma-separated list.) Specifies the kadmin RPC -listening addresses and/or ports for the kadmind daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address at the port specified -in kadmind_port, or the standard kadmin port (749). New in -release 1.15.
-
kadmind_port
-
(Port number.) Specifies the port on which the kadmind -daemon is to listen for this realm. Port numbers specified in -kadmind_listen entries will override this port number. The -assigned port for kadmind is 749, which is used by default.
-
key_stash_file
-
(String.) Specifies the location where the master key has been -stored (via kdb5_util stash). The default is LOCALSTATEDIR/krb5kdc/.k5.REALM, where REALM is the Kerberos realm.
-
kdc_listen
-
(Whitespace- or comma-separated list.) Specifies the UDP -listening addresses and/or ports for the krb5kdc daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. If the KDC daemon fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address on the standard port. -New in release 1.15.
-
kdc_ports
-
(Whitespace- or comma-separated list, deprecated.) Prior to -release 1.15, this relation lists the ports for the -krb5kdc daemon to listen on for UDP requests. In -release 1.15 and later, it has the same meaning as kdc_listen -if that relation is not defined.
-
kdc_tcp_listen
-
(Whitespace- or comma-separated list.) Specifies the TCP -listening addresses and/or ports for the krb5kdc daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. To disable listening on TCP, set -this relation to the empty string with kdc_tcp_listen = "". -If the KDC daemon fails to bind to any of the specified addresses, -it will fail to start. The default is to bind to the wildcard -address on the standard port. New in release 1.15.
-
kdc_tcp_ports
-
(Whitespace- or comma-separated list, deprecated.) Prior to -release 1.15, this relation lists the ports for the -krb5kdc daemon to listen on for UDP requests. In -release 1.15 and later, it has the same meaning as -kdc_tcp_listen if that relation is not defined.
-
kpasswd_listen
-
(Comma-separated list.) Specifies the kpasswd listening addresses -and/or ports for the kadmind daemon. Each entry may be -an interface address, a port number, or an address and port number -separated by a colon. If the address contains colons, enclose it -in square brackets. If no address is specified, the wildcard -address is used. If kadmind fails to bind to any of the specified -addresses, it will fail to start. The default is to bind to the -wildcard address at the port specified in kpasswd_port, or the -standard kpasswd port (464). New in release 1.15.
-
kpasswd_port
-
(Port number.) Specifies the port on which the kadmind -daemon is to listen for password change requests for this realm. -Port numbers specified in kpasswd_listen entries will override -this port number. The assigned port for password change requests -is 464, which is used by default.
-
master_key_name
-
(String.) Specifies the name of the principal associated with the -master key. The default is K/M.
-
master_key_type
-
(Key type string.) Specifies the master key’s key type. The -default value for this is aes256-cts-hmac-sha1-96. For a list of all possible -values, see Encryption types.
-
max_life
-
(Time duration string.) Specifies the maximum time period for -which a ticket may be valid in this realm. The default value is -24 hours.
-
max_renewable_life
-
(Time duration string.) Specifies the maximum time period -during which a valid ticket may be renewed in this realm. -The default value is 0.
-
no_host_referral
-
(Whitespace- or comma-separated list.) Lists services to block -from getting host-based referral processing, even if the client -marks the server principal as host-based or the service is also -listed in host_based_services. no_host_referral = * will -disable referral processing altogether.
-
des_crc_session_supported
-
(Boolean value). If set to true, the KDC will assume that service -principals support des-cbc-crc for session key enctype negotiation -purposes. If allow_weak_crypto in [libdefaults] is -false, or if des-cbc-crc is not a permitted enctype, then this -variable has no effect. Defaults to true. New in release 1.11.
-
reject_bad_transit
-

(Boolean value.) If set to true, the KDC will check the list of -transited realms for cross-realm tickets against the transit path -computed from the realm names and the capaths section of its -krb5.conf file; if the path in the ticket to be issued -contains any realms not in the computed path, the ticket will not -be issued, and an error will be returned to the client instead. -If this value is set to false, such tickets will be issued -anyways, and it will be left up to the application server to -validate the realm transit path.

-

If the disable-transited-check flag is set in the incoming -request, this check is not performed at all. Having the -reject_bad_transit option will cause such ticket requests to -be rejected always.

-

This transit path checking and config file option currently apply -only to TGS requests.

-

The default value is true.

-
-
restrict_anonymous_to_tgt
-
(Boolean value.) If set to true, the KDC will reject ticket -requests from anonymous principals to service principals other -than the realm’s ticket-granting service. This option allows -anonymous PKINIT to be enabled for use as FAST armor tickets -without allowing anonymous authentication to services. The -default value is false. New in release 1.9.
-
supported_enctypes
-
(List of key:salt strings.) Specifies the default key/salt -combinations of principals for this realm. Any principals created -through kadmin will have keys of these types. The -default value for this tag is aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal. For lists of -possible values, see Keysalt lists.
-
-
-
-

[dbdefaults]¶

-

The [dbdefaults] section specifies default values for some database -parameters, to be used if the [dbmodules] subsection does not contain -a relation for the tag. See the [dbmodules] section for the -definitions of these relations.

-
    -
  • ldap_kerberos_container_dn
    • -
  • ldap_kdc_dn
    • -
  • ldap_kdc_sasl_authcid
    • -
  • ldap_kdc_sasl_authzid
    • -
  • ldap_kdc_sasl_mech
    • -
  • ldap_kdc_sasl_realm
    • -
  • ldap_kadmind_dn
    • -
  • ldap_kadmind_sasl_authcid
    • -
  • ldap_kadmind_sasl_authzid
    • -
  • ldap_kadmind_sasl_mech
    • -
  • ldap_kadmind_sasl_realm
    • -
  • ldap_service_password_file
    • -
  • ldap_servers
    • -
  • ldap_conns_per_server
    • -
-
-
-

[dbmodules]¶

-

The [dbmodules] section contains parameters used by the KDC database -library and database modules. Each tag in the [dbmodules] section is -the name of a Kerberos realm or a section name specified by a realm’s -database_module parameter. The following example shows how to -define one database parameter for the ATHENA.MIT.EDU realm:

-
[dbmodules]
-    ATHENA.MIT.EDU = {
-        disable_last_success = true
-    }
-
-
-

The following tags may be specified in a [dbmodules] subsection:

-
-
database_name
-
This DB2-specific tag indicates the location of the database in -the filesystem. The default is LOCALSTATEDIR/krb5kdc/principal.
-
db_library
-
This tag indicates the name of the loadable database module. The -value should be db2 for the DB2 module and kldap for the -LDAP module.
-
disable_last_success
-
If set to true, suppresses KDC updates to the “Last successful -authentication” field of principal entries requiring -preauthentication. Setting this flag may improve performance. -(Principal entries which do not require preauthentication never -update the “Last successful authentication” field.). First -introduced in release 1.9.
-
disable_lockout
-
If set to true, suppresses KDC updates to the “Last failed -authentication” and “Failed password attempts” fields of principal -entries requiring preauthentication. Setting this flag may -improve performance, but also disables account lockout. First -introduced in release 1.9.
-
ldap_conns_per_server
-
This LDAP-specific tag indicates the number of connections to be -maintained per LDAP server.
-
ldap_kdc_dn and ldap_kadmind_dn
-
These LDAP-specific tags indicate the default DN for binding to -the LDAP server. The krb5kdc daemon uses -ldap_kdc_dn, while the kadmind daemon and other -administrative programs use ldap_kadmind_dn. The kadmind DN -must have the rights to read and write the Kerberos data in the -LDAP database. The KDC DN must have the same rights, unless -disable_lockout and disable_last_success are true, in -which case it only needs to have rights to read the Kerberos data. -These tags are ignored if a SASL mechanism is set with -ldap_kdc_sasl_mech or ldap_kadmind_sasl_mech.
-
ldap_kdc_sasl_mech and ldap_kadmind_sasl_mech
-
These LDAP-specific tags specify the SASL mechanism (such as -EXTERNAL) to use when binding to the LDAP server. New in -release 1.13.
-
ldap_kdc_sasl_authcid and ldap_kadmind_sasl_authcid
-
These LDAP-specific tags specify the SASL authentication identity -to use when binding to the LDAP server. Not all SASL mechanisms -require an authentication identity. If the SASL mechanism -requires a secret (such as the password for DIGEST-MD5), these -tags also determine the name within the -ldap_service_password_file where the secret is stashed. New -in release 1.13.
-
ldap_kdc_sasl_authzid and ldap_kadmind_sasl_authzid
-
These LDAP-specific tags specify the SASL authorization identity -to use when binding to the LDAP server. In most circumstances -they do not need to be specified. New in release 1.13.
-
ldap_kdc_sasl_realm and ldap_kadmind_sasl_realm
-
These LDAP-specific tags specify the SASL realm to use when -binding to the LDAP server. In most circumstances they do not -need to be set. New in release 1.13.
-
ldap_kerberos_container_dn
-
This LDAP-specific tag indicates the DN of the container object -where the realm objects will be located.
-
ldap_servers
-
This LDAP-specific tag indicates the list of LDAP servers that the -Kerberos servers can connect to. The list of LDAP servers is -whitespace-separated. The LDAP server is specified by a LDAP URI. -It is recommended to use ldapi: or ldaps: URLs to connect -to the LDAP server.
-
ldap_service_password_file
-
This LDAP-specific tag indicates the file containing the stashed -passwords (created by kdb5_ldap_util stashsrvpw) for the -ldap_kdc_dn and ldap_kadmind_dn objects, or for the -ldap_kdc_sasl_authcid or ldap_kadmind_sasl_authcid names -for SASL authentication. This file must be kept secure.
-
unlockiter
-
If set to true, this DB2-specific tag causes iteration -operations to release the database lock while processing each -principal. Setting this flag to true can prevent extended -blocking of KDC or kadmin operations when dumps of large databases -are in progress. First introduced in release 1.13.
-
-

The following tag may be specified directly in the [dbmodules] -section to control where database modules are loaded from:

-
-
db_module_dir
-
This tag controls where the plugin system looks for database -modules. The value should be an absolute path.
-
-
-
-

[logging]¶

-

The [logging] section indicates how krb5kdc and -kadmind perform logging. It may contain the following -relations:

-
-
admin_server
-
Specifies how kadmind performs logging.
-
kdc
-
Specifies how krb5kdc performs logging.
-
default
-
Specifies how either daemon performs logging in the absence of -relations specific to the daemon.
-
debug
-
(Boolean value.) Specifies whether debugging messages are -included in log outputs other than SYSLOG. Debugging messages are -always included in the system log output because syslog performs -its own priority filtering. The default value is false. New in -release 1.15.
-
-

Logging specifications may have the following forms:

-
-
FILE=filename or FILE:filename
-
This value causes the daemon’s logging messages to go to the -filename. If the = form is used, the file is overwritten. -If the : form is used, the file is appended to.
-
STDERR
-
This value causes the daemon’s logging messages to go to its -standard error stream.
-
CONSOLE
-
This value causes the daemon’s logging messages to go to the -console, if the system supports it.
-
DEVICE=<devicename>
-
This causes the daemon’s logging messages to go to the specified -device.
-
SYSLOG[:severity[:facility]]
-

This causes the daemon’s logging messages to go to the system log.

-

The severity argument specifies the default severity of system log -messages. This may be any of the following severities supported -by the syslog(3) call, minus the LOG_ prefix: EMERG, -ALERT, CRIT, ERR, WARNING, NOTICE, INFO, -and DEBUG.

-

The facility argument specifies the facility under which the -messages are logged. This may be any of the following facilities -supported by the syslog(3) call minus the LOG_ prefix: KERN, -USER, MAIL, DAEMON, AUTH, LPR, NEWS, -UUCP, CRON, and LOCAL0 through LOCAL7.

-

If no severity is specified, the default is ERR. If no -facility is specified, the default is AUTH.

-
-
-

In the following example, the logging messages from the KDC will go to -the console and to the system log under the facility LOG_DAEMON with -default severity of LOG_INFO; and the logging messages from the -administrative server will be appended to the file -/var/adm/kadmin.log and sent to the device /dev/tty04.

-
[logging]
-    kdc = CONSOLE
-    kdc = SYSLOG:INFO:DAEMON
-    admin_server = FILE:/var/adm/kadmin.log
-    admin_server = DEVICE=/dev/tty04
-
-
-
-
-

[otp]¶

-

Each subsection of [otp] is the name of an OTP token type. The tags -within the subsection define the configuration required to forward a -One Time Password request to a RADIUS server.

-

For each token type, the following tags may be specified:

-
-
server
-
This is the server to send the RADIUS request to. It can be a -hostname with optional port, an ip address with optional port, or -a Unix domain socket address. The default is -LOCALSTATEDIR/krb5kdc/<name>.socket.
-
secret
-
This tag indicates a filename (which may be relative to LOCALSTATEDIR/krb5kdc) -containing the secret used to encrypt the RADIUS packets. The -secret should appear in the first line of the file by itself; -leading and trailing whitespace on the line will be removed. If -the value of server is a Unix domain socket address, this tag -is optional, and an empty secret will be used if it is not -specified. Otherwise, this tag is required.
-
timeout
-
An integer which specifies the time in seconds during which the -KDC should attempt to contact the RADIUS server. This tag is the -total time across all retries and should be less than the time -which an OTP value remains valid for. The default is 5 seconds.
-
retries
-
This tag specifies the number of retries to make to the RADIUS -server. The default is 3 retries (4 tries).
-
strip_realm
-
If this tag is true, the principal without the realm will be -passed to the RADIUS server. Otherwise, the realm will be -included. The default value is true.
-
indicator
-
This tag specifies an authentication indicator to be included in -the ticket if this token type is used to authenticate. This -option may be specified multiple times. (New in release 1.14.)
-
-

In the following example, requests are sent to a remote server via UDP:

-
[otp]
-    MyRemoteTokenType = {
-        server = radius.mydomain.com:1812
-        secret = SEmfiajf42$
-        timeout = 15
-        retries = 5
-        strip_realm = true
-    }
-
-
-

An implicit default token type named DEFAULT is defined for when -the per-principal configuration does not specify a token type. Its -configuration is shown below. You may override this token type to -something applicable for your situation:

-
[otp]
-    DEFAULT = {
-        strip_realm = false
-    }
-
-
-
-
-
-

PKINIT options¶

-
-

Note

-

The following are pkinit-specific options. These values may -be specified in [kdcdefaults] as global defaults, or within -a realm-specific subsection of [realms]. Also note that a -realm-specific value over-rides, does not add to, a generic -[kdcdefaults] specification. The search order is:

-
-
    -

  1. realm-specific subsection of [realms]:

    -
    [realms]
-    EXAMPLE.COM = {
-        pkinit_anchors = FILE:/usr/local/example.com.crt
-    }
-
    -
    -
    2. -

  2. generic value in the [kdcdefaults] section:

    -
    [kdcdefaults]
-    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
-
    -
    -
    3. -
-

For information about the syntax of some of these options, see -Specifying PKINIT identity information in -krb5.conf.

-
-
pkinit_anchors
-
Specifies the location of trusted anchor (root) certificates which -the KDC trusts to sign client certificates. This option is -required if pkinit is to be supported by the KDC. This option may -be specified multiple times.
-
pkinit_dh_min_bits
-
Specifies the minimum number of bits the KDC is willing to accept -for a client’s Diffie-Hellman key. The default is 2048.
-
pkinit_allow_upn
-

Specifies that the KDC is willing to accept client certificates -with the Microsoft UserPrincipalName (UPN) Subject Alternative -Name (SAN). This means the KDC accepts the binding of the UPN in -the certificate to the Kerberos principal name. The default value -is false.

-

Without this option, the KDC will only accept certificates with -the id-pkinit-san as defined in RFC 4556. There is currently -no option to disable SAN checking in the KDC.

-
-
pkinit_eku_checking
-

This option specifies what Extended Key Usage (EKU) values the KDC -is willing to accept in client certificates. The values -recognized in the kdc.conf file are:

-
-
kpClientAuth
-
This is the default value and specifies that client -certificates must have the id-pkinit-KPClientAuth EKU as -defined in RFC 4556.
-
scLogin
-
If scLogin is specified, client certificates with the -Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be -accepted.
-
none
-
If none is specified, then client certificates will not be -checked to verify they have an acceptable EKU. The use of -this option is not recommended.
-
-
-
pkinit_identity
-
Specifies the location of the KDC’s X.509 identity information. -This option is required if pkinit is to be supported by the KDC.
-
pkinit_indicator
-
Specifies an authentication indicator to include in the ticket if -pkinit is used to authenticate. This option may be specified -multiple times. (New in release 1.14.)
-
pkinit_kdc_ocsp
-
Specifies the location of the KDC’s OCSP.
-
pkinit_pool
-
Specifies the location of intermediate certificates which may be -used by the KDC to complete the trust chain between a client’s -certificate and a trusted anchor. This option may be specified -multiple times.
-
pkinit_revoke
-
Specifies the location of Certificate Revocation List (CRL) -information to be used by the KDC when verifying the validity of -client certificates. This option may be specified multiple times.
-
pkinit_require_crl_checking
-

The default certificate verification process will always check the -available revocation information to see if a certificate has been -revoked. If a match is found for the certificate in a CRL, -verification fails. If the certificate being verified is not -listed in a CRL, or there is no CRL present for its issuing CA, -and pkinit_require_crl_checking is false, then verification -succeeds.

-

However, if pkinit_require_crl_checking is true and there is -no CRL information available for the issuing CA, then verification -fails.

-

pkinit_require_crl_checking should be set to true if the -policy is such that up-to-date CRLs must be present for every CA.

-
-
-
-
-

Encryption types¶

-

Any tag in the configuration files which requires a list of encryption -types can be set to some combination of the following strings. -Encryption types marked as “weak” are available for compatibility but -not recommended for use.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
des-cbc-crcDES cbc mode with CRC-32 (weak)
des-cbc-md4DES cbc mode with RSA-MD4 (weak)
des-cbc-md5DES cbc mode with RSA-MD5 (weak)
des-cbc-rawDES cbc mode raw (weak)
des3-cbc-rawTriple DES cbc mode raw (weak)
des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kdTriple DES cbc mode with HMAC/sha1
des-hmac-sha1DES with HMAC/sha1 (weak)
aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1AES-256 CTS mode with 96-bit SHA-1 HMAC
aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1AES-128 CTS mode with 96-bit SHA-1 HMAC
aes256-cts-hmac-sha384-192 aes256-sha2AES-256 CTS mode with 192-bit SHA-384 HMAC
aes128-cts-hmac-sha256-128 aes128-sha2AES-128 CTS mode with 128-bit SHA-256 HMAC
arcfour-hmac rc4-hmac arcfour-hmac-md5RC4 with HMAC/MD5
arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-expExportable RC4 with HMAC/MD5 (weak)
camellia256-cts-cmac camellia256-ctsCamellia-256 CTS mode with CMAC
camellia128-cts-cmac camellia128-ctsCamellia-128 CTS mode with CMAC
desThe DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak)
des3The triple DES family: des3-cbc-sha1
aesThe AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128
rc4The RC4 family: arcfour-hmac
camelliaThe Camellia family: camellia256-cts-cmac and camellia128-cts-cmac
-

The string DEFAULT can be used to refer to the default set of -types for the variable in question. Types or families can be removed -from the current list by prefixing them with a minus sign (“-”). -Types or families can be prefixed with a plus sign (“+”) for symmetry; -it has the same meaning as just listing the type or family. For -example, “DEFAULT -des” would be the default set of encryption -types with DES types removed, and “des3 DEFAULT” would be the -default set of encryption types with triple DES types moved to the -front.

-

While aes128-cts and aes256-cts are supported for all Kerberos -operations, they are not supported by very old versions of our GSSAPI -implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given keys of these encryption -types in the KDC database.

-

The aes128-sha2 and aes256-sha2 encryption types are new in -release 1.15. Services running versions of krb5 without support for -these newer encryption types must not be given keys of these -encryption types in the KDC database.

-
-
-

Keysalt lists¶

-

Kerberos keys for users are usually derived from passwords. Kerberos -commands and configuration parameters that affect generation of keys -take lists of enctype-salttype (“keysalt”) pairs, known as keysalt -lists. Each keysalt pair is an enctype name followed by a salttype -name, in the format enc:salt. Individual keysalt list members are -separated by comma (”,”) characters or space characters. For example:

-
kadmin -e aes256-cts:normal,aes128-cts:normal
-
-
-

would start up kadmin so that by default it would generate -password-derived keys for the aes256-cts and aes128-cts -encryption types, using a normal salt.

-

To ensure that people who happen to pick the same password do not have -the same key, Kerberos 5 incorporates more information into the key -using something called a salt. The supported salt types are as -follows:

- ---- - - - - - - - - - - - - - - - - - - - - -
normaldefault for Kerberos Version 5
v4the only type used by Kerberos Version 4 (no salt)
norealmsame as the default, without using realm information
onlyrealmuses only realm information as the salt
afs3AFS version 3, only used for compatibility with Kerberos 4 in AFS
specialgenerate a random salt
-
-
-

Sample kdc.conf File¶

-

Here’s an example of a kdc.conf file:

-
[kdcdefaults]
-    kdc_listen = 88
-    kdc_tcp_listen = 88
-[realms]
-    ATHENA.MIT.EDU = {
-        kadmind_port = 749
-        max_life = 12h 0m 0s
-        max_renewable_life = 7d 0h 0m 0s
-        master_key_type = aes256-cts-hmac-sha1-96
-        supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal
-        database_module = openldap_ldapconf
-    }
-
-[logging]
-    kdc = FILE:/usr/local/var/krb5kdc/kdc.log
-    admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
-
-[dbdefaults]
-    ldap_kerberos_container_dn = cn=krbcontainer,dc=mit,dc=edu
-
-[dbmodules]
-    openldap_ldapconf = {
-        db_library = kldap
-        disable_last_success = true
-        ldap_kdc_dn = "cn=krbadmin,dc=mit,dc=edu"
-            # this object needs to have read rights on
-            # the realm container and principal subtrees
-        ldap_kadmind_dn = "cn=krbadmin,dc=mit,dc=edu"
-            # this object needs to have read and write rights on
-            # the realm container and principal subtrees
-        ldap_service_password_file = /etc/kerberos/service.keyfile
-        ldap_servers = ldaps://kerberos.mit.edu
-        ldap_conns_per_server = 5
-    }
-
-
-
-
-

FILES¶

-

LOCALSTATEDIR/krb5kdc/kdc.conf

-
- -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/conf_files/krb5_conf.html b/doc/html/admin/conf_files/krb5_conf.html deleted file mode 100644 index 1c1933d..0000000 --- a/doc/html/admin/conf_files/krb5_conf.html +++ /dev/null @@ -1,1300 +0,0 @@ - - - - - - - - krb5.conf — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5.conf¶

-

The krb5.conf file contains Kerberos configuration information, -including the locations of KDCs and admin servers for the Kerberos -realms of interest, defaults for the current realm and for Kerberos -applications, and mappings of hostnames onto Kerberos realms. -Normally, you should install your krb5.conf file in the directory -/etc. You can override the default location by setting the -environment variable KRB5_CONFIG. Multiple colon-separated -filenames may be specified in KRB5_CONFIG; all files which are -present will be read. Starting in release 1.14, directory names can -also be specified in KRB5_CONFIG; all files within the directory -whose names consist solely of alphanumeric characters, dashes, or -underscores will be read.

-
-

Structure¶

-

The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form:

-
foo = bar
-
-
-

or:

-
fubar = {
-    foo = bar
-    baz = quux
-}
-
-
-

Placing a ‘*’ at the end of a line indicates that this is the final -value for the tag. This means that neither the remainder of this -configuration file nor any other configuration file will be checked -for any other values for this tag.

-

For example, if you have the following lines:

-
foo = bar*
-foo = baz
-
-
-

then the second value of foo (baz) would never be read.

-

The krb5.conf file can include other files using either of the -following directives at the beginning of a line:

-
include FILENAME
-includedir DIRNAME
-
-
-

FILENAME or DIRNAME should be an absolute path. The named file or -directory must exist and be readable. Including a directory includes -all files within the directory whose names consist solely of -alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ”.conf” are also included, unless the -name begins with ”.”. Included profile files are syntactically -independent of their parents, so each included file must begin with a -section header.

-

The krb5.conf file can specify that configuration should be obtained -from a loadable module, rather than the file itself, using the -following directive at the beginning of a line before any section -headers:

-
module MODULEPATH:RESIDUAL
-
-
-

MODULEPATH may be relative to the library path of the krb5 -installation, or it may be an absolute path. RESIDUAL is provided -to the module at initialization time. If krb5.conf uses a module -directive, kdc.conf should also use one if it exists.

-
-
-

Sections¶

-

The krb5.conf file may contain the following sections:

- ---- - - - - - - - - - - - - - - - - - - - - -
[libdefaults]Settings used by the Kerberos V5 library
[realms]Realm-specific contact information and settings
[domain_realm]Maps server hostnames to Kerberos realms
[capaths]Authentication paths for non-hierarchical cross-realm
[appdefaults]Settings used by some Kerberos V5 applications
[plugins]Controls plugin module registration
-

Additionally, krb5.conf may include any of the relations described in -kdc.conf, but it is not a recommended practice.

-
-

[libdefaults]¶

-

The libdefaults section may contain any of the following relations:

-
-
allow_weak_crypto
-
If this flag is set to false, then weak encryption types (as noted -in Encryption types in kdc.conf) will be filtered -out of the lists default_tgs_enctypes, -default_tkt_enctypes, and permitted_enctypes. The default -value for this tag is false, which may cause authentication -failures in existing Kerberos infrastructures that do not support -strong crypto. Users in affected environments should set this tag -to true until their infrastructure adopts stronger ciphers.
-
ap_req_checksum_type
-
An integer which specifies the type of AP-REQ checksum to use in -authenticators. This variable should be unset so the appropriate -checksum for the encryption key in use will be used. This can be -set if backward compatibility requires a specific checksum type. -See the kdc_req_checksum_type configuration option for the -possible values and their meanings.
-
canonicalize
-
If this flag is set to true, initial ticket requests to the KDC -will request canonicalization of the client principal name, and -answers with different client principals than the requested -principal will be accepted. The default value is false.
-
ccache_type
-
This parameter determines the format of credential cache types -created by kinit or other programs. The default value -is 4, which represents the most current format. Smaller values -can be used for compatibility with very old implementations of -Kerberos which interact with credential caches on the same host.
-
clockskew
-

Sets the maximum allowable amount of clockskew in seconds that the -library will tolerate before assuming that a Kerberos message is -invalid. The default value is 300 seconds, or five minutes.

-

The clockskew setting is also used when evaluating ticket start -and expiration times. For example, tickets that have reached -their expiration time can still be used (and renewed if they are -renewable tickets) if they have been expired for a shorter -duration than the clockskew setting.

-
-
default_ccache_name
-
This relation specifies the name of the default credential cache. -The default is DEFCCNAME. This relation is subject to parameter -expansion (see below). New in release 1.11.
-
default_client_keytab_name
-
This relation specifies the name of the default keytab for -obtaining client credentials. The default is DEFCKTNAME. This -relation is subject to parameter expansion (see below). -New in release 1.11.
-
default_keytab_name
-
This relation specifies the default keytab name to be used by -application servers such as sshd. The default is DEFKTNAME. This -relation is subject to parameter expansion (see below).
-
default_realm
-
Identifies the default Kerberos realm for the client. Set its -value to your Kerberos realm. If this value is not set, then a -realm must be specified with every Kerberos principal when -invoking programs such as kinit.
-
default_tgs_enctypes
-

Identifies the supported list of session key encryption types that -the client should request when making a TGS-REQ, in order of -preference from highest to lowest. The list may be delimited with -commas or whitespace. See Encryption types in -kdc.conf for a list of the accepted values for this tag. -The default value is aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but single-DES encryption types -will be implicitly removed from this list if the value of -allow_weak_crypto is false.

-

Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded.

-
-
default_tkt_enctypes
-

Identifies the supported list of session key encryption types that -the client should request when making an AS-REQ, in order of -preference from highest to lowest. The format is the same as for -default_tgs_enctypes. The default value for this tag is -aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly -removed from this list if the value of allow_weak_crypto is -false.

-

Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded.

-
-
dns_canonicalize_hostname
-
Indicate whether name lookups will be used to canonicalize -hostnames for use in service principal names. Setting this flag -to false can improve security by reducing reliance on DNS, but -means that short hostnames will not be canonicalized to -fully-qualified hostnames. The default value is true.
-
dns_lookup_kdc
-

Indicate whether DNS SRV records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. (Note that the admin_server -entry must be in the krb5.conf realm information in order to -contact kadmind, because the DNS implementation for kadmin is -incomplete.)

-

Enabling this option does open up a type of denial-of-service -attack, if someone spoofs the DNS records and redirects you to -another server. However, it’s no worse than a denial of service, -because that fake KDC will be unable to decode anything you send -it (besides the initial ticket request, which has no encrypted -data), and anything the fake KDC sends will not be trusted without -verification using some secret that it won’t know.

-
-
dns_uri_lookup
-
Indicate whether DNS URI records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. SRV records are used as a -fallback if no URI records were found. The default value is true. -New in release 1.15.
-
err_fmt
-
This relation allows for custom error message formatting. If a -value is set, error messages will be formatted by substituting a -normal error message for %M and an error code for %C in the value.
-
extra_addresses
-
This allows a computer to use multiple local addresses, in order -to allow Kerberos to work in a network that uses NATs while still -using address-restricted tickets. The addresses should be in a -comma-separated list. This option has no effect if -noaddresses is true.
-
forwardable
-
If this flag is true, initial tickets will be forwardable by -default, if allowed by the KDC. The default value is false.
-
ignore_acceptor_hostname
-
When accepting GSSAPI or krb5 security contexts for host-based -service principals, ignore any hostname passed by the calling -application, and allow clients to authenticate to any service -principal in the keytab matching the service name and realm name -(if given). This option can improve the administrative -flexibility of server applications on multihomed hosts, but could -compromise the security of virtual hosting environments. The -default value is false. New in release 1.10.
-
k5login_authoritative
-
If this flag is true, principals must be listed in a local user’s -k5login file to be granted login access, if a .k5login -file exists. If this flag is false, a principal may still be -granted login access through other mechanisms even if a k5login -file exists but does not list the principal. The default value is -true.
-
k5login_directory
-
If set, the library will look for a local user’s k5login file -within the named directory, with a filename corresponding to the -local username. If not set, the library will look for k5login -files in the user’s home directory, with the filename .k5login. -For security reasons, .k5login files must be owned by -the local user or by root.
-
kcm_mach_service
-
On OS X only, determines the name of the bootstrap service used to -contact the KCM daemon for the KCM credential cache type. If the -value is -, Mach RPC will not be used to contact the KCM -daemon. The default value is org.h5l.kcm.
-
kcm_socket
-
Determines the path to the Unix domain socket used to access the -KCM daemon for the KCM credential cache type. If the value is --, Unix domain sockets will not be used to contact the KCM -daemon. The default value is -/var/run/.heim_org.h5l.kcm-socket.
-
kdc_default_options
-
Default KDC options (Xored for multiple values) when requesting -initial tickets. By default it is set to 0x00000010 -(KDC_OPT_RENEWABLE_OK).
-
kdc_timesync
-
Accepted values for this relation are 1 or 0. If it is nonzero, -client machines will compute the difference between their time and -the time returned by the KDC in the timestamps in the tickets and -use this value to correct for an inaccurate system clock when -requesting service tickets or authenticating to services. This -corrective factor is only used by the Kerberos library; it is not -used to change the system clock. The default value is 1.
-
kdc_req_checksum_type
-

An integer which specifies the type of checksum to use for the KDC -requests, for compatibility with very old KDC implementations. -This value is only used for DES keys; other keys use the preferred -checksum type for those keys.

-

The possible values and their meanings are as follows.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1CRC32
2RSA MD4
3RSA MD4 DES
4DES CBC
7RSA MD5
8RSA MD5 DES
9NIST SHA
12HMAC SHA1 DES3
-138Microsoft MD5 HMAC checksum type
-
-
noaddresses
-
If this flag is true, requests for initial tickets will not be -made with address restrictions set, allowing the tickets to be -used across NATs. The default value is true.
-
permitted_enctypes
-
Identifies all encryption types that are permitted for use in -session key encryption. The default value for this tag is -aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4, but single-DES encryption types will be implicitly -removed from this list if the value of allow_weak_crypto is -false.
-
plugin_base_dir
-
If set, determines the base directory where krb5 plugins are -located. The default value is the krb5/plugins subdirectory -of the krb5 library directory.
-
preferred_preauth_types
-
This allows you to set the preferred preauthentication types which -the client will attempt before others which may be advertised by a -KDC. The default value for this setting is “17, 16, 15, 14”, -which forces libkrb5 to attempt to use PKINIT if it is supported.
-
proxiable
-
If this flag is true, initial tickets will be proxiable by -default, if allowed by the KDC. The default value is false.
-
rdns
-
If this flag is true, reverse name lookup will be used in addition -to forward name lookup to canonicalizing hostnames for use in -service principal names. If dns_canonicalize_hostname is set -to false, this flag has no effect. The default value is true.
-
realm_try_domains
-
Indicate whether a host’s domain components should be used to -determine the Kerberos realm of the host. The value of this -variable is an integer: -1 means not to search, 0 means to try the -host’s domain itself, 1 means to also try the domain’s immediate -parent, and so forth. The library’s usual mechanism for locating -Kerberos realms is used to determine whether a domain is a valid -realm, which may involve consulting DNS if dns_lookup_kdc is -set. The default is not to search domain components.
-
renew_lifetime
-
(Time duration string.) Sets the default renewable lifetime -for initial ticket requests. The default value is 0.
-
safe_checksum_type
-
An integer which specifies the type of checksum to use for the -KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For -compatibility with applications linked against DCE version 1.1 or -earlier Kerberos libraries, use a value of 3 to use the RSA MD4 -DES instead. This field is ignored when its value is incompatible -with the session key type. See the kdc_req_checksum_type -configuration option for the possible values and their meanings.
-
ticket_lifetime
-
(Time duration string.) Sets the default lifetime for initial -ticket requests. The default value is 1 day.
-
udp_preference_limit
-
When sending a message to the KDC, the library will try using TCP -before UDP if the size of the message is above -udp_preference_limit. If the message is smaller than -udp_preference_limit, then UDP will be tried before TCP. -Regardless of the size, both protocols will be tried if the first -attempt fails.
-
verify_ap_req_nofail
-
If this flag is true, then an attempt to verify initial -credentials will fail if the client machine does not have a -keytab. The default value is false.
-
-
-
-

[realms]¶

-

Each tag in the [realms] section of the file is the name of a Kerberos -realm. The value of the tag is a subsection with relations that -define the properties of that particular realm. For each realm, the -following tags may be specified in the realm’s subsection:

-
-
admin_server
-
Identifies the host where the administration server is running. -Typically, this is the master Kerberos server. This tag must be -given a value in order to communicate with the kadmind -server for the realm.
-
auth_to_local
-

This tag allows you to set a general rule for mapping principal -names to local user names. It will be used if there is not an -explicit mapping for the principal name that is being -translated. The possible values are:

-
-
RULE:exp
-

The local name will be formulated from exp.

-

The format for exp is [n:string](regexp)s/pattern/replacement/g. -The integer n indicates how many components the target -principal should have. If this matches, then a string will be -formed from string, substituting the realm of the principal -for $0 and the n‘th component of the principal for -$n (e.g., if the principal was johndoe/admin then -[2:$2$1foo] would result in the string -adminjohndoefoo). If this string matches regexp, then -the s//[g] substitution command will be run over the -string. The optional g will cause the substitution to be -global over the string, instead of replacing only the first -match in the string.

-
-
DEFAULT
-
The principal name will be used as the local user name. If -the principal has more than one component or is not in the -default realm, this rule is not applicable and the conversion -will fail.
-
-

For example:

-
[realms]
-    ATHENA.MIT.EDU = {
-        auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/
-        auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$//
-        auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/
-        auto_to_local = DEFAULT
-    }
-
-
-

would result in any principal without root or admin as the -second component to be translated with the default rule. A -principal with a second component of admin will become its -first component. root will be used as the local name for any -principal with a second component of root. The exception to -these two rules are any principals johndoe/*, which will -always get the local name guest.

-
-
auth_to_local_names
-
This subsection allows you to set explicit mappings from principal -names to local user names. The tag is the mapping name, and the -value is the corresponding local user name.
-
default_domain
-
This tag specifies the domain used to expand hostnames when -translating Kerberos 4 service principals to Kerberos 5 principals -(for example, when converting rcmd.hostname to -host/hostname.domain).
-
http_anchors
-

When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag -can be used to specify the location of the CA certificate which should be -trusted to issue the certificate for a proxy server. If left unspecified, -the system-wide default set of CA certificates is used.

-

The syntax for values is similar to that of values for the -pkinit_anchors tag:

-

FILE: filename

-

filename is assumed to be the name of an OpenSSL-style ca-bundle file.

-

DIR: dirname

-

dirname is assumed to be an directory which contains CA certificates. -All files in the directory will be examined; if they contain certificates -(in PEM format), they will be used.

-

ENV: envvar

-

envvar specifies the name of an environment variable which has been set -to a value conforming to one of the previous values. For example, -ENV:X509_PROXY_CA, where environment variable X509_PROXY_CA has -been set to FILE:/tmp/my_proxy.pem.

-
-
kdc
-
The name or address of a host running a KDC for that realm. An -optional port number, separated from the hostname by a colon, may -be included. If the name or address contains colons (for example, -if it is an IPv6 address), enclose it in square brackets to -distinguish the colon from a port separator. For your computer to -be able to communicate with the KDC for each realm, this tag must -be given a value in each realm subsection in the configuration -file, or there must be DNS SRV records specifying the KDCs.
-
kpasswd_server
-
Points to the server where all the password changes are performed. -If there is no such entry, the port 464 on the admin_server -host will be tried.
-
master_kdc
-
Identifies the master KDC(s). Currently, this tag is used in only -one case: If an attempt to get credentials fails because of an -invalid password, the client software will attempt to contact the -master KDC, in case the user’s password has just been changed, and -the updated database has not been propagated to the slave servers -yet.
-
v4_instance_convert
-
This subsection allows the administrator to configure exceptions -to the default_domain mapping rule. It contains V4 instances -(the tag name) which should be translated to some specific -hostname (the tag value) as the second component in a Kerberos V5 -principal name.
-
v4_realm
-
This relation is used by the krb524 library routines when -converting a V5 principal name to a V4 principal name. It is used -when the V4 realm name and the V5 realm name are not the same, but -still share the same principal names and passwords. The tag value -is the Kerberos V4 realm name.
-
-
-
-

[domain_realm]¶

-

The [domain_realm] section provides a translation from a domain name -or hostname to a Kerberos realm name. The tag name can be a host name -or domain name, where domain names are indicated by a prefix of a -period (.). The value of the relation is the Kerberos realm name -for that particular host or domain. A host name relation implicitly -provides the corresponding domain name relation, unless an explicit domain -name relation is provided. The Kerberos realm may be -identified either in the realms section or using DNS SRV records. -Host names and domain names should be in lower case. For example:

-
[domain_realm]
-    crash.mit.edu = TEST.ATHENA.MIT.EDU
-    .dev.mit.edu = TEST.ATHENA.MIT.EDU
-    mit.edu = ATHENA.MIT.EDU
-
-
-

maps the host with the name crash.mit.edu into the -TEST.ATHENA.MIT.EDU realm. The second entry maps all hosts under the -domain dev.mit.edu into the TEST.ATHENA.MIT.EDU realm, but not -the host with the name dev.mit.edu. That host is matched -by the third entry, which maps the host mit.edu and all hosts -under the domain mit.edu that do not match a preceding rule -into the realm ATHENA.MIT.EDU.

-

If no translation entry applies to a hostname used for a service -principal for a service ticket request, the library will try to get a -referral to the appropriate realm from the client realm’s KDC. If -that does not succeed, the host’s realm is considered to be the -hostname’s domain portion converted to uppercase, unless the -realm_try_domains setting in [libdefaults] causes a different -parent domain to be used.

-
-
-

[capaths]¶

-

In order to perform direct (non-hierarchical) cross-realm -authentication, configuration is needed to determine the -authentication paths between realms.

-

A client will use this section to find the authentication path between -its realm and the realm of the server. The server will use this -section to verify the authentication path used by the client, by -checking the transited field of the received ticket.

-

There is a tag for each participating client realm, and each tag has -subtags for each of the server realms. The value of the subtags is an -intermediate realm which may participate in the cross-realm -authentication. The subtags may be repeated if there is more then one -intermediate realm. A value of ”.” means that the two realms share -keys directly, and no intermediate realms should be allowed to -participate.

-

Only those entries which will be needed on the client or the server -need to be present. A client needs a tag for its local realm with -subtags for all the realms of servers it will need to authenticate to. -A server needs a tag for each realm of the clients it will serve, with -a subtag of the server realm.

-

For example, ANL.GOV, PNL.GOV, and NERSC.GOV all wish to -use the ES.NET realm as an intermediate realm. ANL has a sub -realm of TEST.ANL.GOV which will authenticate with NERSC.GOV -but not PNL.GOV. The [capaths] section for ANL.GOV systems -would look like this:

-
[capaths]
-    ANL.GOV = {
-        TEST.ANL.GOV = .
-        PNL.GOV = ES.NET
-        NERSC.GOV = ES.NET
-        ES.NET = .
-    }
-    TEST.ANL.GOV = {
-        ANL.GOV = .
-    }
-    PNL.GOV = {
-        ANL.GOV = ES.NET
-    }
-    NERSC.GOV = {
-        ANL.GOV = ES.NET
-    }
-    ES.NET = {
-        ANL.GOV = .
-    }
-
-
-

The [capaths] section of the configuration file used on NERSC.GOV -systems would look like this:

-
[capaths]
-    NERSC.GOV = {
-        ANL.GOV = ES.NET
-        TEST.ANL.GOV = ES.NET
-        TEST.ANL.GOV = ANL.GOV
-        PNL.GOV = ES.NET
-        ES.NET = .
-    }
-    ANL.GOV = {
-        NERSC.GOV = ES.NET
-    }
-    PNL.GOV = {
-        NERSC.GOV = ES.NET
-    }
-    ES.NET = {
-        NERSC.GOV = .
-    }
-    TEST.ANL.GOV = {
-        NERSC.GOV = ANL.GOV
-        NERSC.GOV = ES.NET
-    }
-
-
-

When a subtag is used more than once within a tag, clients will use -the order of values to determine the path. The order of values is not -important to servers.

-
-
-

[appdefaults]¶

-

Each tag in the [appdefaults] section names a Kerberos V5 application -or an option that is used by some Kerberos V5 application[s]. The -value of the tag defines the default behaviors for that application.

-

For example:

-
[appdefaults]
-    telnet = {
-        ATHENA.MIT.EDU = {
-            option1 = false
-        }
-    }
-    telnet = {
-        option1 = true
-        option2 = true
-    }
-    ATHENA.MIT.EDU = {
-        option2 = false
-    }
-    option2 = true
-
-
-

The above four ways of specifying the value of an option are shown in -order of decreasing precedence. In this example, if telnet is running -in the realm EXAMPLE.COM, it should, by default, have option1 and -option2 set to true. However, a telnet program in the realm -ATHENA.MIT.EDU should have option1 set to false and -option2 set to true. Any other programs in ATHENA.MIT.EDU should -have option2 set to false by default. Any programs running in -other realms should have option2 set to true.

-

The list of specifiable options for each application may be found in -that application’s man pages. The application defaults specified here -are overridden by those specified in the realms section.

-
-
-

[plugins]¶

-
-
-
-

Tags in the [plugins] section can be used to register dynamic plugin -modules and to turn modules on and off. Not every krb5 pluggable -interface uses the [plugins] section; the ones that do are documented -here.

-

New in release 1.9.

-

Each pluggable interface corresponds to a subsection of [plugins]. -All subsections support the same tags:

-
-
disable
-
This tag may have multiple values. If there are values for this -tag, then the named modules will be disabled for the pluggable -interface.
-
enable_only
-
This tag may have multiple values. If there are values for this -tag, then only the named modules will be enabled for the pluggable -interface.
-
module
-
This tag may have multiple values. Each value is a string of the -form modulename:pathname, which causes the shared object -located at pathname to be registered as a dynamic module named -modulename for the pluggable interface. If pathname is not an -absolute path, it will be treated as relative to the -plugin_base_dir value from [libdefaults].
-
-

For pluggable interfaces where module order matters, modules -registered with a module tag normally come first, in the order -they are registered, followed by built-in modules in the order they -are documented below. If enable_only tags are used, then the -order of those tags overrides the normal module order.

-

The following subsections are currently supported within the [plugins] -section:

-
-

ccselect interface¶

-

The ccselect subsection controls modules for credential cache -selection within a cache collection. In addition to any registered -dynamic modules, the following built-in modules exist (and may be -disabled with the disable tag):

-
-
k5identity
-
Uses a .k5identity file in the user’s home directory to select a -client principal
-
realm
-
Uses the service realm to guess an appropriate cache from the -collection
-
-
-
-

pwqual interface¶

-

The pwqual subsection controls modules for the password quality -interface, which is used to reject weak passwords when passwords are -changed. The following built-in modules exist for this interface:

-
-
dict
-
Checks against the realm dictionary file
-
empty
-
Rejects empty passwords
-
hesiod
-
Checks against user information stored in Hesiod (only if Kerberos -was built with Hesiod support)
-
princ
-
Checks against components of the principal name
-
-
-
-

kadm5_hook interface¶

-

The kadm5_hook interface provides plugins with information on -principal creation, modification, password changes and deletion. This -interface can be used to write a plugin to synchronize MIT Kerberos -with another database such as Active Directory. No plugins are built -in for this interface.

-
-
-

clpreauth and kdcpreauth interfaces¶

-

The clpreauth and kdcpreauth interfaces allow plugin modules to -provide client and KDC preauthentication mechanisms. The following -built-in modules exist for these interfaces:

-
-
pkinit
-
This module implements the PKINIT preauthentication mechanism.
-
encrypted_challenge
-
This module implements the encrypted challenge FAST factor.
-
encrypted_timestamp
-
This module implements the encrypted timestamp mechanism.
-
-
-
-

hostrealm interface¶

-

The hostrealm section (introduced in release 1.12) controls modules -for the host-to-realm interface, which affects the local mapping of -hostnames to realm names and the choice of default realm. The following -built-in modules exist for this interface:

-
-
profile
-
This module consults the [domain_realm] section of the profile for -authoritative host-to-realm mappings, and the default_realm -variable for the default realm.
-
dns
-
This module looks for DNS records for fallback host-to-realm -mappings and the default realm. It only operates if the -dns_lookup_realm variable is set to true.
-
domain
-
This module applies heuristics for fallback host-to-realm -mappings. It implements the realm_try_domains variable, and -uses the uppercased parent domain of the hostname if that does not -produce a result.
-
-
-
-

localauth interface¶

-

The localauth section (introduced in release 1.12) controls modules -for the local authorization interface, which affects the relationship -between Kerberos principals and local system accounts. The following -built-in modules exist for this interface:

-
-
default
-
This module implements the DEFAULT type for auth_to_local -values.
-
rule
-
This module implements the RULE type for auth_to_local -values.
-
names
-
This module looks for an auth_to_local_names mapping for the -principal name.
-
auth_to_local
-
This module processes auth_to_local values in the default -realm’s section, and applies the default method if no -auth_to_local values exist.
-
k5login
-
This module authorizes a principal to a local account according to -the account’s .k5login file.
-
an2ln
-
This module authorizes a principal to a local account if the -principal name maps to the local account name.
-
-
-
-
-
-

PKINIT options¶

-
-

Note

-

The following are PKINIT-specific options. These values may -be specified in [libdefaults] as global defaults, or within -a realm-specific subsection of [libdefaults], or may be -specified as realm-specific values in the [realms] section. -A realm-specific value overrides, not adds to, a generic -[libdefaults] specification. The search order is:

-
-
    -

  1. realm-specific subsection of [libdefaults]:

    -
    [libdefaults]
-    EXAMPLE.COM = {
-        pkinit_anchors = FILE:/usr/local/example.com.crt
-    }
-
    -
    -
    2. -

  2. realm-specific value in the [realms] section:

    -
    [realms]
-    OTHERREALM.ORG = {
-        pkinit_anchors = FILE:/usr/local/otherrealm.org.crt
-    }
-
    -
    -
    3. -

  3. generic value in the [libdefaults] section:

    -
    [libdefaults]
-    pkinit_anchors = DIR:/usr/local/generic_trusted_cas/
-
    -
    -
    4. -
-
-

Specifying PKINIT identity information¶

-

The syntax for specifying Public Key identity, trust, and revocation -information for PKINIT is as follows:

-
-
FILE:filename[,keyfilename]
-

This option has context-specific behavior.

-

In pkinit_identity or pkinit_identities, filename -specifies the name of a PEM-format file containing the user’s -certificate. If keyfilename is not specified, the user’s -private key is expected to be in filename as well. Otherwise, -keyfilename is the name of the file containing the private key.

-

In pkinit_anchors or pkinit_pool, filename is assumed to -be the name of an OpenSSL-style ca-bundle file.

-
-
DIR:dirname
-

This option has context-specific behavior.

-

In pkinit_identity or pkinit_identities, dirname -specifies a directory with files named *.crt and *.key -where the first part of the file name is the same for matching -pairs of certificate and private key files. When a file with a -name ending with .crt is found, a matching file ending with -.key is assumed to contain the private key. If no such file -is found, then the certificate in the .crt is not used.

-

In pkinit_anchors or pkinit_pool, dirname is assumed to -be an OpenSSL-style hashed CA directory where each CA cert is -stored in a file named hash-of-ca-cert.#. This infrastructure -is encouraged, but all files in the directory will be examined and -if they contain certificates (in PEM format), they will be used.

-

In pkinit_revoke, dirname is assumed to be an OpenSSL-style -hashed CA directory where each revocation list is stored in a file -named hash-of-ca-cert.r#. This infrastructure is encouraged, -but all files in the directory will be examined and if they -contain a revocation list (in PEM format), they will be used.

-
-
PKCS12:filename
-
filename is the name of a PKCS #12 format file, containing the -user’s certificate and private key.
-
PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
-
All keyword/values are optional. modname specifies the location -of a library implementing PKCS #11. If a value is encountered -with no keyword, it is assumed to be the modname. If no -module-name is specified, the default is opensc-pkcs11.so. -slotid= and/or token= may be specified to force the use of -a particular smard card reader or token if there is more than one -available. certid= and/or certlabel= may be specified to -force the selection of a particular certificate on the device. -See the pkinit_cert_match configuration option for more ways -to select a particular certificate to use for PKINIT.
-
ENV:envvar
-
envvar specifies the name of an environment variable which has -been set to a value conforming to one of the previous values. For -example, ENV:X509_PROXY, where environment variable -X509_PROXY has been set to FILE:/tmp/my_proxy.pem.
-
-
-
-

PKINIT krb5.conf options¶

-
-
pkinit_anchors
-
Specifies the location of trusted anchor (root) certificates which -the client trusts to sign KDC certificates. This option may be -specified multiple times. These values from the config file are -not used if the user specifies X509_anchors on the command line.
-
pkinit_cert_match
-

Specifies matching rules that the client certificate must match -before it is used to attempt PKINIT authentication. If a user has -multiple certificates available (on a smart card, or via other -media), there must be exactly one certificate chosen before -attempting PKINIT authentication. This option may be specified -multiple times. All the available certificates are checked -against each rule in order until there is a match of exactly one -certificate.

-

The Subject and Issuer comparison strings are the RFC 2253 -string representations from the certificate Subject DN and Issuer -DN values.

-

The syntax of the matching rules is:

-
-
[relation-operator]component-rule ...
-

where:

-
-
relation-operator
-
can be either &&, meaning all component rules must match, -or ||, meaning only one component rule must match. The -default is &&.
-
component-rule
-

can be one of the following. Note that there is no -punctuation or whitespace between component rules.

-
-
-
<SUBJECT>regular-expression
-
<ISSUER>regular-expression
-
<SAN>regular-expression
-
<EKU>extended-key-usage-list
-
<KU>key-usage-list
-
-
-

extended-key-usage-list is a comma-separated list of -required Extended Key Usage values. All values in the list -must be present in the certificate. Extended Key Usage values -can be:

-
    -
  • pkinit
    • -
  • msScLogin
    • -
  • clientAuth
    • -
  • emailProtection
    • -
-

key-usage-list is a comma-separated list of required Key -Usage values. All values in the list must be present in the -certificate. Key Usage values can be:

-
    -
  • digitalSignature
    • -
  • keyEncipherment
    • -
-
-
-

Examples:

-
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
-pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
-pkinit_cert_match = <EKU>msScLogin,clientAuth<KU>digitalSignature
-
-
-
-
pkinit_eku_checking
-

This option specifies what Extended Key Usage value the KDC -certificate presented to the client must contain. (Note that if -the KDC certificate has the pkinit SubjectAlternativeName encoded -as the Kerberos TGS name, EKU checking is not necessary since the -issuing CA has certified this as a KDC certificate.) The values -recognized in the krb5.conf file are:

-
-
kpKDC
-
This is the default value and specifies that the KDC must have -the id-pkinit-KPKdc EKU as defined in RFC 4556.
-
kpServerAuth
-
If kpServerAuth is specified, a KDC certificate with the -id-kp-serverAuth EKU will be accepted. This key usage value -is used in most commercially issued server certificates.
-
none
-
If none is specified, then the KDC certificate will not be -checked to verify it has an acceptable EKU. The use of this -option is not recommended.
-
-
-
pkinit_dh_min_bits
-
Specifies the size of the Diffie-Hellman key the client will -attempt to use. The acceptable values are 1024, 2048, and 4096. -The default is 2048.
-
pkinit_identities
-
Specifies the location(s) to be used to find the user’s X.509 -identity information. This option may be specified multiple -times. Each value is attempted in order until identity -information is found and authentication is attempted. Note that -these values are not used if the user specifies -X509_user_identity on the command line.
-
pkinit_kdc_hostname
-
The presense of this option indicates that the client is willing -to accept a KDC certificate with a dNSName SAN (Subject -Alternative Name) rather than requiring the id-pkinit-san as -defined in RFC 4556. This option may be specified multiple -times. Its value should contain the acceptable hostname for the -KDC (as contained in its certificate).
-
pkinit_pool
-
Specifies the location of intermediate certificates which may be -used by the client to complete the trust chain between a KDC -certificate and a trusted anchor. This option may be specified -multiple times.
-
pkinit_require_crl_checking
-

The default certificate verification process will always check the -available revocation information to see if a certificate has been -revoked. If a match is found for the certificate in a CRL, -verification fails. If the certificate being verified is not -listed in a CRL, or there is no CRL present for its issuing CA, -and pkinit_require_crl_checking is false, then verification -succeeds.

-

However, if pkinit_require_crl_checking is true and there is -no CRL information available for the issuing CA, then verification -fails.

-

pkinit_require_crl_checking should be set to true if the -policy is such that up-to-date CRLs must be present for every CA.

-
-
pkinit_revoke
-
Specifies the location of Certificate Revocation List (CRL) -information to be used by the client when verifying the validity -of the KDC certificate presented. This option may be specified -multiple times.
-
-
-
-
-

Parameter expansion¶

-

Starting with release 1.11, several variables, such as -default_keytab_name, allow parameters to be expanded. -Valid parameters are:

-
-
---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%{TEMP}Temporary directory
%{uid}Unix real UID or Windows SID
%{euid}Unix effective user ID or Windows SID
%{USERID}Same as %{uid}
%{null}Empty string
%{LIBDIR}Installation library directory
%{BINDIR}Installation binary directory
%{SBINDIR}Installation admin binary directory
%{username}(Unix) Username of effective user ID
%{APPDATA}(Windows) Roaming application data for current user
%{COMMON_APPDATA}(Windows) Application data for all users
%{LOCAL_APPDATA}(Windows) Local application data for current user
%{SYSTEM}(Windows) Windows system folder
%{WINDOWS}(Windows) Windows folder
%{USERCONFIG}(Windows) Per-user MIT krb5 config file directory
%{COMMONCONFIG}(Windows) Common MIT krb5 config file directory
-
-
-
-

Sample krb5.conf file¶

-

Here is an example of a generic krb5.conf file:

-
[libdefaults]
-    default_realm = ATHENA.MIT.EDU
-    dns_lookup_kdc = true
-    dns_lookup_realm = false
-
-[realms]
-    ATHENA.MIT.EDU = {
-        kdc = kerberos.mit.edu
-        kdc = kerberos-1.mit.edu
-        kdc = kerberos-2.mit.edu
-        admin_server = kerberos.mit.edu
-        master_kdc = kerberos.mit.edu
-    }
-    EXAMPLE.COM = {
-        kdc = kerberos.example.com
-        kdc = kerberos-1.example.com
-        admin_server = kerberos.example.com
-    }
-
-[domain_realm]
-    mit.edu = ATHENA.MIT.EDU
-
-[capaths]
-    ATHENA.MIT.EDU = {
-           EXAMPLE.COM = .
-    }
-    EXAMPLE.COM = {
-           ATHENA.MIT.EDU = .
-    }
-
-
-
-
-

FILES¶

-

/etc/krb5.conf

-
-
-

SEE ALSO¶

-

syslog(3)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/conf_ldap.html b/doc/html/admin/conf_ldap.html deleted file mode 100644 index 46934e8..0000000 --- a/doc/html/admin/conf_ldap.html +++ /dev/null @@ -1,328 +0,0 @@ - - - - - - - - Configuring Kerberos with OpenLDAP back-end — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Configuring Kerberos with OpenLDAP back-end¶

-
-
    -

  1. Set up SSL on the OpenLDAP server and client to ensure secure -communication when the KDC service and LDAP server are on different -machines. ldapi:// can be used if the LDAP server and KDC -service are running on the same machine.

    -
      -
    1. Setting up SSL on the OpenLDAP server:
      2. -
    -
    -
      -

    1. Get a CA certificate using OpenSSL tools

      -
      2. -

    2. Configure OpenLDAP server for using SSL/TLS

      -

      For the latter, you need to specify the location of CA -certificate location in slapd.conf file.

      -

      Refer to the following link for more information: -http://www.openldap.org/doc/admin23/tls.html

      -
      3. -
    -
    -
      -

    1. Setting up SSL on OpenLDAP client:

      -
        -

      1. For the KDC and Admin Server, you need to do the client-side -configuration in ldap.conf. For example:

        -
        TLS_CACERT /etc/openldap/certs/cacert.pem
-
        -
        -
        2. -
      -
      2. -
    -
    2. -

  2. Include the Kerberos schema file (kerberos.schema) in the -configuration file (slapd.conf) on the LDAP Server, by providing -the location where it is stored:

    -
    include /etc/openldap/schema/kerberos.schema
-
    -
    -
    3. -

  3. Choose DNs for the krb5kdc and kadmind servers -to bind to the LDAP server, and create them if necessary. These DNs -will be specified with the ldap_kdc_dn and ldap_kadmind_dn -directives in kdc.conf; their passwords can be stashed -with “kdb5_ldap_util stashsrvpw” and the resulting file -specified with the ldap_service_password_file directive.

    -
    4. -

  4. Choose a DN for the global Kerberos container entry (but do not -create the entry at this time). This DN will be specified with the -ldap_kerberos_container_dn directive in kdc.conf. -Realm container entries will be created underneath this DN. -Principal entries may exist either underneath the realm container -(the default) or in separate trees referenced from the realm -container.

    -
    5. -

  5. Configure the LDAP server ACLs to enable the KDC and kadmin server -DNs to read and write the Kerberos data. If -disable_last_success and disable_lockout are both set to -true in the [dbmodules] subsection for the realm, then the -KDC DN only requires read access to the Kerberos data.

    -

    Sample access control information:

    -
    access to dn.base=""
-    by * read
-
-access to dn.base="cn=Subschema"
-    by * read
-
-access to attrs=userPassword,userPKCS12
-    by self write
-    by * auth
-
-access to attrs=shadowLastChange
-    by self write
-    by * read
-
-# Providing access to realm container
-access to dn.subtree= "cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com"
-    by dn.exact="cn=kdc-service,dc=example,dc=com" write
-    by dn.exact="cn=adm-service,dc=example,dc=com" write
-    by * none
-
-# Providing access to principals, if not underneath realm container
-access to dn.subtree= "ou=users,dc=example,dc=com"
-    by dn.exact="cn=kdc-service,dc=example,dc=com" write
-    by dn.exact="cn=adm-service,dc=example,dc=com" write
-    by * none
-
-access to *
-    by * read
-
    -
    -

    If the locations of the container and principals or the DNs of -the service objects for a realm are changed then this -information should be updated.

    -
    6. -

  6. Start the LDAP server as follows:

    -
    slapd -h "ldapi:/// ldaps:///"
-
    -
    -
    7. -

  7. Modify the kdc.conf file to include LDAP specific items -listed below:

    -
    realms
-    database_module
-
-dbmodules
-    db_library
-    db_module_dir
-    ldap_kdc_dn
-    ldap_kadmind_dn
-    ldap_service_password_file
-    ldap_servers
-    ldap_conns_per_server
-
    -
    -
    8. -

  8. Create the realm using kdb5_ldap_util (see -Creating a Kerberos realm):

    -
    kdb5_ldap_util -D cn=admin,dc=example,dc=com create -subtrees ou=users,dc=example,dc=com -r EXAMPLE.COM -s
-
    -
    -

    Use the -subtrees option if the principals are to exist in a -separate subtree from the realm container. Before executing the -command, make sure that the subtree mentioned above -(ou=users,dc=example,dc=com) exists. If the principals will -exist underneath the realm container, omit the -subtrees option -and do not worry about creating the principal subtree.

    -

    For more information, refer to the section Operations on the LDAP database.

    -

    The realm object is created under the -ldap_kerberos_container_dn specified in the configuration file. -This operation will also create the Kerberos container, if not -present already. This will be used to store information related to -all realms.

    -
    9. -

  9. Stash the password of the service object used by the KDC and -Administration service to bind to the LDAP server using the -kdb5_ldap_util stashsrvpw command (see -Stashing service object’s password). The object DN should be the same as -ldap_kdc_dn and ldap_kadmind_dn values specified in the -kdc.conf file:

    -
    kdb5_ldap_util -D cn=admin,dc=example,dc=com stashsrvpw -f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com
-
    -
    -
    10. -

  10. Add krbPrincipalName to the indexes in slapd.conf to speed up -the access.

    -
    11. -
-
-

With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no mechanism provided for creating -aliases, so it must be done by direct manipulation of the LDAP -entries.

-

An entry with aliases contains multiple values of the -krbPrincipalName attribute. Since LDAP attribute values are not -ordered, it is necessary to specify which principal name is canonical, -by using the krbCanonicalName attribute. Therefore, to create -aliases for an entry, first set the krbCanonicalName attribute of -the entry to the canonical principal name (which should be identical -to the pre-existing krbPrincipalName value), and then add additional -krbPrincipalName attributes for the aliases.

-

Principal aliases are only returned by the KDC when the client -requests canonicalization. Canonicalization is normally requested for -service principals; for client principals, an explicit flag is often -required (e.g., kinit -C) and canonicalization is only performed -for initial ticket requests.

-
-

See also

-

LDAP backend on Ubuntu 10.4 (lucid)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/database.html b/doc/html/admin/database.html deleted file mode 100644 index e7539d4..0000000 --- a/doc/html/admin/database.html +++ /dev/null @@ -1,1858 +0,0 @@ - - - - - - - - Database administration — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Database administration¶

-

A Kerberos database contains all of a realm’s Kerberos principals, -their passwords, and other administrative information about each -principal. For the most part, you will use the kdb5_util -program to manipulate the Kerberos database as a whole, and the -kadmin program to make changes to the entries in the -database. (One notable exception is that users will use the -kpasswd program to change their own passwords.) The kadmin -program has its own command-line interface, to which you type the -database administrating commands.

-

kdb5_util provides a means to create, delete, load, or dump -a Kerberos database. It also contains commands to roll over the -database master key, and to stash a copy of the key so that the -kadmind and krb5kdc daemons can use the database -without manual input.

-

kadmin provides for the maintenance of Kerberos principals, -password policies, and service key tables (keytabs). Normally it -operates as a network client using Kerberos authentication to -communicate with kadmind, but there is also a variant, named -kadmin.local, which directly accesses the Kerberos database on the -local filesystem (or through LDAP). kadmin.local is necessary to set -up enough of the database to be able to use the remote version.

-

kadmin can authenticate to the admin server using the service -principal kadmin/HOST (where HOST is the hostname of the admin -server) or kadmin/admin. If the credentials cache contains a -ticket for either service principal and the -c ccache option is -specified, that ticket is used to authenticate to KADM5. Otherwise, -the -p and -k options are used to specify the client Kerberos -principal name used to authenticate. Once kadmin has determined the -principal name, it requests a kadmin/admin Kerberos service ticket -from the KDC, and uses that service ticket to authenticate to KADM5.

-

See kadmin for the available kadmin and kadmin.local -commands and options.

-
-

kadmin options¶

-

You can invoke kadmin or kadmin.local with any of the -following options:

-

kadmin -[-O|-N] -[-r realm] -[-p principal] -[-q query] -[[-c cache_name]|[-k [-t keytab]]|-n] -[-w password] -[-s admin_server[:port]] -[command args...]

-

kadmin.local -[-r realm] -[-p principal] -[-q query] -[-d dbname] -[-e enc:salt ...] -[-m] -[-x db_args] -[command args...]

-

OPTIONS

-
-
-r realm
-
Use realm as the default database realm.
-
-p principal
-
Use principal to authenticate. Otherwise, kadmin will append -/admin to the primary principal name of the default ccache, -the value of the USER environment variable, or the username as -obtained with getpwuid, in order of preference.
-
-k
-
Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -host/hostname. If there is no keytab specified with the --t option, then the default keytab will be used.
-
-t keytab
-
Use keytab to decrypt the KDC response. This can only be used -with the -k option.
-
-n
-
Requests anonymous processing. Two types of anonymous principals -are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure pkinit_anchors in the client’s -krb5.conf. Then use the -n option with a principal -of the form @REALM (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client’s realm. For this mode, use kinit --n with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation.
-
-c credentials_cache
-
Use credentials_cache as the credentials cache. The -cache should contain a service ticket for the kadmin/ADMINHOST -(where ADMINHOST is the fully-qualified hostname of the admin -server) or kadmin/admin service; it can be acquired with the -kinit program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache.
-
-w password
-
Use password instead of prompting for one. Use this option with -care, as it may expose the password to other users on the system -via the process list.
-
-q query
-
Perform the specified query and then exit.
-
-d dbname
-
Specifies the name of the KDC database. This option does not -apply to the LDAP database module.
-
-s admin_server[:port]
-
Specifies the admin server which kadmin should contact.
-
-m
-
If using kadmin.local, prompt for the database master password -instead of reading it from a stash file.
-
-eenc:salt ...”
-
Sets the keysalt list to be used for any new keys created. See -Keysalt lists in kdc.conf for a list of possible -values.
-
-O
-
Force use of old AUTH_GSSAPI authentication flavor.
-
-N
-
Prevent fallback to AUTH_GSSAPI authentication flavor.
-
-x db_args
-
Specifies the database specific arguments. See the next section -for supported options.
-
-
-
-

Date Format¶

-

For the supported date-time formats see getdate time section -in Supported date and time formats.

-
-
-

Principals¶

-

Each entry in the Kerberos database contains a Kerberos principal and -the attributes and policies associated with that principal.

-
-

Adding, modifying and deleting principals¶

-

To add a principal to the database, use the kadmin -add_principal command.

-

To modify attributes of a principal, use the kadmin -modify_principal command.

-

To delete a principal, use the kadmin delete_principal command.

-
-
-

add_principal¶

-
-
add_principal [options] newprinc
-

Creates the principal newprinc, prompting twice for a password. If -no password policy is specified with the -policy option, and the -policy named default is assigned to the principal if it exists. -However, creating a policy named default will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the -clearpolicy option.

-

This command requires the add privilege.

-

Aliases: addprinc, ank

-

Options:

-
-
-expire expdate
-
(getdate time string) The expiration date of the principal.
-
-pwexpire pwexpdate
-
(getdate time string) The password expiration date.
-
-maxlife maxlife
-
(Time duration or getdate time string) The maximum ticket life -for the principal.
-
-maxrenewlife maxrenewlife
-
(Time duration or getdate time string) The maximum renewable -life of tickets for the principal.
-
-kvno kvno
-
The initial key version number.
-
-policy policy
-
The password policy used by this principal. If not specified, the -policy default is used if it exists (unless -clearpolicy -is specified).
-
-clearpolicy
-
Prevents any policy from being assigned when -policy is not -specified.
-
{-|+}allow_postdated
-
-allow_postdated prohibits this principal from obtaining -postdated tickets. +allow_postdated clears this flag.
-
{-|+}allow_forwardable
-
-allow_forwardable prohibits this principal from obtaining -forwardable tickets. +allow_forwardable clears this flag.
-
{-|+}allow_renewable
-
-allow_renewable prohibits this principal from obtaining -renewable tickets. +allow_renewable clears this flag.
-
{-|+}allow_proxiable
-
-allow_proxiable prohibits this principal from obtaining -proxiable tickets. +allow_proxiable clears this flag.
-
{-|+}allow_dup_skey
-
-allow_dup_skey disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. +allow_dup_skey clears this flag.
-
{-|+}requires_preauth
-
+requires_preauth requires this principal to preauthenticate -before being allowed to kinit. -requires_preauth clears this -flag. When +requires_preauth is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client’s initial authentication was performed using -preauthentication.
-
{-|+}requires_hwauth
-
+requires_hwauth requires this principal to preauthenticate -using a hardware device before being allowed to kinit. --requires_hwauth clears this flag. When +requires_hwauth is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client’s initial authentication was -performed using a hardware device to preauthenticate.
-
{-|+}ok_as_delegate
-
+ok_as_delegate sets the okay as delegate flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. -ok_as_delegate clears this -flag.
-
{-|+}allow_svr
-
-allow_svr prohibits the issuance of service tickets for this -principal. +allow_svr clears this flag.
-
{-|+}allow_tgs_req
-
-allow_tgs_req specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -+allow_tgs_req clears this flag.
-
{-|+}allow_tix
-
-allow_tix forbids the issuance of any tickets for this -principal. +allow_tix clears this flag.
-
{-|+}needchange
-
+needchange forces a password change on the next initial -authentication to this principal. -needchange clears this -flag.
-
{-|+}password_changing_service
-
+password_changing_service marks this principal as a password -change service principal.
-
{-|+}ok_to_auth_as_delegate
-
+ok_to_auth_as_delegate allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation.
-
{-|+}no_auth_data_required
-
+no_auth_data_required prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal.
-
{-|+}lockdown_keys
-
+lockdown_keys prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local.
-
-randkey
-
Sets the key of the principal to a random value.
-
-nokey
-
Causes the principal to be created with no key. New in release -1.12.
-
-pw password
-
Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-x db_princ_args
-

Indicates database-specific options. The options for the LDAP -database module are:

-
-
-x dn=dn
-
Specifies the LDAP object that will contain the Kerberos -principal being created.
-
-x linkdn=dn
-
Specifies the LDAP object to which the newly created Kerberos -principal object will point.
-
-x containerdn=container_dn
-
Specifies the container object under which the Kerberos -principal is to be created.
-
-x tktpolicy=policy
-
Associates a ticket policy to the Kerberos principal.
-
-
-

Note

-
    -
  • The containerdn and linkdn options cannot be -specified with the dn option.
    • -
  • If the dn or containerdn options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container.
    • -
  • dn and containerdn should be within the subtrees or -principal container configured in the realm.
    • -
-
-
-
-

Example:

-
kadmin: addprinc jennifer
-WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
-defaulting to no policy.
-Enter password for principal jennifer@ATHENA.MIT.EDU:
-Re-enter password for principal jennifer@ATHENA.MIT.EDU:
-Principal "jennifer@ATHENA.MIT.EDU" created.
-kadmin:
-
-
-
-
-

modify_principal¶

-
-
modify_principal [options] principal
-

Modifies the specified principal, changing the fields as specified. -The options to add_principal also apply to this command, except -for the -randkey, -pw, and -e options. In addition, the -option -clearpolicy will clear the current policy of a principal.

-

This command requires the modify privilege.

-

Alias: modprinc

-

Options (in addition to the addprinc options):

-
-
-unlock
-
Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate.
-
-
-
-

delete_principal¶

-
-
delete_principal [-force] principal
-

Deletes the specified principal from the database. This command -prompts for deletion, unless the -force option is given.

-

This command requires the delete privilege.

-

Alias: delprinc

-
-

Examples¶

-

If you want to create a principal which is contained by a LDAP object, -all you need to do is:

-
kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
-WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
-defaulting to no policy.
-Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
-Re-enter password for principal jennifer@ATHENA.MIT.EDU:  <=Type it again.
-Principal "jennifer@ATHENA.MIT.EDU" created.
-kadmin:
-
-
-

If you want to create a principal under a specific LDAP container and -link to an existing LDAP object, all you need to do is:

-
kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
-WARNING: no policy specified for "david@ATHENA.MIT.EDU";
-defaulting to no policy.
-Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
-Re-enter password for principal david@ATHENA.MIT.EDU:  <=Type it again.
-Principal "david@ATHENA.MIT.EDU" created.
-kadmin:
-
-
-

If you want to associate a ticket policy to a principal, all you need -to do is:

-
kadmin: modprinc -x tktpolicy=userpolicy david
-Principal "david@ATHENA.MIT.EDU" modified.
-kadmin:
-
-
-

If, on the other hand, you want to set up an account that expires on -January 1, 2000, that uses a policy called “stduser”, with a temporary -password (which you want the user to change immediately), you would -type the following:

-
kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange
-Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
-Re-enter password for principal
-david@ATHENA.MIT.EDU:  <= Type it again.
-Principal "david@ATHENA.MIT.EDU" created.
-kadmin:
-
-
-

If you want to delete a principal:

-
kadmin: delprinc jennifer
-Are you sure you want to delete the principal
-"jennifer@ATHENA.MIT.EDU"? (yes/no): yes
-Principal "jennifer@ATHENA.MIT.EDU" deleted.
-Make sure that you have removed this principal from
-all ACLs before reusing.
-kadmin:
-
-
-
-
-
-

Retrieving information about a principal¶

-

To retrieve a listing of the attributes and/or policies associated -with a principal, use the kadmin get_principal command.

-

To generate a listing of principals, use the kadmin -list_principals command.

-
-
-

get_principal¶

-
-
get_principal [-terse] principal
-

Gets the attributes of principal. With the -terse option, outputs -fields as quoted tab-separated strings.

-

This command requires the inquire privilege, or that the principal -running the the program to be the same as the one being listed.

-

Alias: getprinc

-

Examples:

-
kadmin: getprinc tlyu/admin
-Principal: tlyu/admin@BLEEP.COM
-Expiration date: [never]
-Last password change: Mon Aug 12 14:16:47 EDT 1996
-Password expiration date: [none]
-Maximum ticket life: 0 days 10:00:00
-Maximum renewable life: 7 days 00:00:00
-Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
-Last successful authentication: [never]
-Last failed authentication: [never]
-Failed password attempts: 0
-Number of keys: 2
-Key: vno 1, des-cbc-crc
-Key: vno 1, des-cbc-crc:v4
-Attributes:
-Policy: [none]
-
-kadmin: getprinc -terse systest
-systest@BLEEP.COM   3    86400     604800    1
-785926535 753241234 785900000
-tlyu/admin@BLEEP.COM     786100034 0    0
-kadmin:
-
-
-
-
-

list_principals¶

-
-
list_principals [expression]
-

Retrieves all or some principal names. expression is a shell-style -glob expression that can contain the wild-card characters ?, -*, and []. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an @ character, an -@ character followed by the local realm is appended to the -expression.

-

This command requires the list privilege.

-

Alias: listprincs, get_principals, get_princs

-

Example:

-
kadmin:  listprincs test*
-test3@SECURE-TEST.OV.COM
-test2@SECURE-TEST.OV.COM
-test1@SECURE-TEST.OV.COM
-testuser@SECURE-TEST.OV.COM
-kadmin:
-
-
-
-
-

Changing passwords¶

-

To change a principal’s password use the kadmin -change_password command.

-
-
-

change_password¶

-
-
change_password [options] principal
-

Changes the password of principal. Prompts for a new password if -neither -randkey or -pw is specified.

-

This command requires the changepw privilege, or that the -principal running the program is the same as the principal being -changed.

-

Alias: cpw

-

The following options are available:

-
-
-randkey
-
Sets the key of the principal to a random value.
-
-pw password
-
Set the password to the specified string. Using this option in a -script may expose the password to other users on the system via -the process list.
-
-e enc:salt,...
-
Uses the specified keysalt list for setting the keys of the -principal. See Keysalt lists in kdc.conf for a -list of possible values.
-
-keepold
-
Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for krbtgt principals.
-
-

Example:

-
kadmin: cpw systest
-Enter password for principal systest@BLEEP.COM:
-Re-enter password for principal systest@BLEEP.COM:
-Password for systest@BLEEP.COM changed.
-kadmin:
-
-
-
-

Note

-

Password changes through kadmin are subject to the same -password policies as would apply to password changes through -kpasswd.

-
-
-
-
-

Policies¶

-

A policy is a set of rules governing passwords. Policies can dictate -minimum and maximum password lifetimes, minimum number of characters -and character classes a password must contain, and the number of old -passwords kept in the database.

-
-

Adding, modifying and deleting policies¶

-

To add a new policy, use the kadmin add_policy command.

-

To modify attributes of a principal, use the kadmin modify_policy -command.

-

To delete a policy, use the kadmin delete_policy command.

-
-
-

add_policy¶

-
-
add_policy [options] policy
-

Adds a password policy named policy to the database.

-

This command requires the add privilege.

-

Alias: addpol

-

The following options are available:

-
-
-maxlife time
-
(Time duration or getdate time string) Sets the maximum -lifetime of a password.
-
-minlife time
-
(Time duration or getdate time string) Sets the minimum -lifetime of a password.
-
-minlength length
-
Sets the minimum length of a password.
-
-minclasses number
-
Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters.
-
-history number
-
Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module.
-
-
-
-maxfailure maxnumber
-
Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -maxnumber value of 0 (the default) disables lockout.
-
-
-
-failurecountinterval failuretime
-
(Time duration or getdate time string) Sets the allowable time -between authentication failures. If an authentication failure -happens after failuretime has elapsed since the previous -failure, the number of authentication failures is reset to 1. A -failuretime value of 0 (the default) means forever.
-
-
-
-lockoutduration lockouttime
-
(Time duration or getdate time string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with modprinc -unlock.
-
-allowedkeysalts
-
Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal’s password/keys. See -Keysalt lists in kdc.conf for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (‘,’) only. To clear the allowed key/salt policy use -a value of ‘-‘.
-
-

Example:

-
kadmin: add_policy -maxlife "2 days" -minlength 5 guests
-kadmin:
-
-
-
-
-

modify_policy¶

-
-
modify_policy [options] policy
-

Modifies the password policy named policy. Options are as described -for add_policy.

-

This command requires the modify privilege.

-

Alias: modpol

-
-
-

delete_policy¶

-
-
delete_policy [-force] policy
-

Deletes the password policy named policy. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals.

-

This command requires the delete privilege.

-

Alias: delpol

-

Example:

-
kadmin: del_policy guests
-Are you sure you want to delete the policy "guests"?
-(yes/no): yes
-kadmin:
-
-
-
-

Note

-

You must cancel the policy from all principals before -deleting it. The delete_policy command will fail if the policy -is in use by any principals.

-
-
-
-

Retrieving policies¶

-

To retrieve a policy, use the kadmin get_policy command.

-

You can retrieve the list of policies with the kadmin -list_policies command.

-
-
-

get_policy¶

-
-
get_policy [ -terse ] policy
-

Displays the values of the password policy named policy. With the --terse flag, outputs the fields as quoted strings separated by -tabs.

-

This command requires the inquire privilege.

-

Alias: getpol

-

Examples:

-
kadmin: get_policy admin
-Policy: admin
-Maximum password life: 180 days 00:00:00
-Minimum password life: 00:00:00
-Minimum password length: 6
-Minimum number of password character classes: 2
-Number of old keys kept: 5
-Reference count: 17
-
-kadmin: get_policy -terse admin
-admin     15552000  0    6    2    5    17
-kadmin:
-
-
-

The “Reference count” is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful.

-
-
-

list_policies¶

-
-
list_policies [expression]
-

Retrieves all or some policy names. expression is a shell-style -glob expression that can contain the wild-card characters ?, -*, and []. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed.

-

This command requires the list privilege.

-

Aliases: listpols, get_policies, getpols.

-

Examples:

-
kadmin:  listpols
-test-pol
-dict-only
-once-a-min
-test-pol-nopw
-
-kadmin:  listpols t*
-test-pol
-test-pol-nopw
-kadmin:
-
-
-
-
-

Policies and principals¶

-

Policies can be applied to principals as they are created by using -the -policy flag to add_principal. Existing principals can -be modified by using the -policy or -clearpolicy flag to -modify_principal.

-
-
-

Updating the history key¶

-

If a policy specifies a number of old keys kept of two or more, the -stored old keys are encrypted in a history key, which is found in the -key data of the kadmin/history principal.

-

Currently there is no support for proper rollover of the history key, -but you can change the history key (for example, to use a better -encryption type) at the cost of invalidating currently stored old -keys. To change the history key, run:

-
kadmin: change_password -randkey kadmin/history
-
-
-

This command will fail if you specify the -keepold flag. Only one -new history key will be created, even if you specify multiple key/salt -combinations.

-

In the future, we plan to migrate towards encrypting old keys in the -master key instead of the history key, and implementing proper -rollover support for stored old keys.

-
-
-
-

Privileges¶

-

Administrative privileges for the Kerberos database are stored in the -file kadm5.acl.

-
-

Note

-

A common use of an admin instance is so you can grant -separate permissions (such as administrator access to the -Kerberos database) to a separate Kerberos principal. For -example, the user joeadmin might have a principal for -his administrative use, called joeadmin/admin. This -way, joeadmin would obtain joeadmin/admin tickets -only when he actually needs to use those permissions.

-
-
-
-

Operations on the Kerberos database¶

-

The kdb5_util command is the primary tool for administrating -the Kerberos database.

-

kdb5_util -[-r realm] -[-d dbname] -[-k mkeytype] -[-M mkeyname] -[-kv mkeyVNO] -[-sf stashfilename] -[-m] -command [command_options]

-

OPTIONS

-
-
-r realm
-
specifies the Kerberos realm of the database.
-
-d dbname
-
specifies the name under which the principal database is stored; -by default the database is that listed in kdc.conf. The -password policy database and lock files are also derived from this -value.
-
-k mkeytype
-
specifies the key type of the master key in the database. The -default is given by the master_key_type variable in -kdc.conf.
-
-kv mkeyVNO
-
Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.
-
-M mkeyname
-
principal name for the master key in the database. If not -specified, the name is determined by the master_key_name -variable in kdc.conf.
-
-m
-
specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk.
-
-sf stash_file
-
specifies the stash filename of the master database password. If -not specified, the filename is determined by the -key_stash_file variable in kdc.conf.
-
-P password
-
specifies the master database password. Using this option may -expose the password to other users on the system via the process -list.
-
-
-
    -
-
-
-

Dumping a Kerberos database to a file¶

-

To dump a Kerberos database into a file, use the kdb5_util -dump command on one of the KDCs.

-
-
dump [-b7|-ov|-r13] [-verbose] -[-mkey_convert] [-new_mkey_file mkey_file] [-rev] -[-recurse] [filename [principals...]]
-

Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, “kdb5_util -load_dump version 7”. If filename is not specified, or is the string -“-”, the dump is sent to standard output. Options:

-
-
-b7
-
causes the dump to be in the Kerberos 5 Beta 7 format (“kdb5_util -load_dump version 4”). This was the dump format produced on -releases prior to 1.2.2.
-
-ov
-
causes the dump to be in “ovsec_adm_export” format.
-
-r13
-
causes the dump to be in the Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.
-
-r18
-
causes the dump to be in the Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.
-
-verbose
-
causes the name of each principal and policy to be printed as it -is dumped.
-
-mkey_convert
-
prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed.
-
-new_mkey_file mkey_file
-
the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed.
-
-rev
-
dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred.
-
-recurse
-

causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. In cases of such -corruption, this option will probably retrieve more principals -than the -rev option will.

-
-

Changed in version 1.15: Release 1.15 restored the functionality of the -recurse -option.

-
-
-

Changed in version 1.5: The -recurse option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal.

-
-
-
-
-

Examples¶

-
shell% kdb5_util dump dumpfile
-shell%
-
-shell% kbd5_util dump -verbose dumpfile
-kadmin/admin@ATHENA.MIT.EDU
-krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-kadmin/history@ATHENA.MIT.EDU
-K/M@ATHENA.MIT.EDU
-kadmin/changepw@ATHENA.MIT.EDU
-shell%
-
-
-

If you specify which principals to dump, you must use the full -principal, as in the following example:

-
shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
-kadmin/admin@ATHENA.MIT.EDU
-K/M@ATHENA.MIT.EDU
-shell%
-
-
-

Otherwise, the principals will not match those in the database and -will not be dumped:

-
shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin
-shell%
-
-
-

If you do not specify a dump file, kdb5_util will dump the database to -the standard output.

-
-
-
-

Restoring a Kerberos database from a dump file¶

-

To restore a Kerberos database dump from a file, use the -kdb5_util load command on one of the KDCs.

-
-
load [-b7|-ov|-r13] [-hash] -[-verbose] [-update] filename [dbname]
-

Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the -update option is given, load creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the -update flag is required.

-

Options:

-
-
-b7
-
requires the database to be in the Kerberos 5 Beta 7 format -(“kdb5_util load_dump version 4”). This was the dump format -produced on releases prior to 1.2.2.
-
-ov
-
requires the database to be in “ovsec_adm_import” format. Must be -used with the -update option.
-
-r13
-
requires the database to be in Kerberos 5 1.3 format (“kdb5_util -load_dump version 5”). This was the dump format produced on -releases prior to 1.8.
-
-r18
-
requires the database to be in Kerberos 5 1.8 format (“kdb5_util -load_dump version 6”). This was the dump format produced on -releases prior to 1.11.
-
-hash
-
requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals.
-
-verbose
-
causes the name of each principal and policy to be printed as it -is dumped.
-
-update
-
records from the dump file are added to or updated in the existing -database. Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion.
-
-

If specified, dbname overrides the value specified on the command -line or the default.

-
-

Examples¶

-

To load a single principal, either replacing or updating the database:

-
shell% kdb5_util load dumpfile principal
-shell%
-
-shell% kdb5_util load -update dumpfile principal
-shell%
-
-
-
-

Note

-

If the database file exists, and the -update flag was not -given, kdb5_util will overwrite the existing database.

-
-

Using kdb5_util to upgrade a master KDC from krb5 1.1.x:

-
shell% kdb5_util dump old-kdb-dump
-shell% kdb5_util dump -ov old-kdb-dump.ov
-  [Create a new KDC installation, using the old stash file/master password]
-shell% kdb5_util load old-kdb-dump
-shell% kdb5_util load -update old-kdb-dump.ov
-
-
-

The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x.

-
-

Note

-

Using kdb5_util to dump and reload the principal database is -only necessary when upgrading from versions of krb5 prior -to 1.2.0—newer versions will use the existing database as-is.

-
-
-
-
-

Creating a stash file¶

-

A stash file allows a KDC to authenticate itself to the database -utilities, such as kadmind, krb5kdc, and -kdb5_util.

-

To create a stash file, use the kdb5_util stash command.

-
-
stash [-f keyfile]
-

Stores the master principal’s keys in a stash file. The -f -argument can be used to override the keyfile specified in -kdc.conf.

-
-

Example¶

-
-
shell% kdb5_util stash -kdb5_util: Cannot find/read stored master key while reading master key -kdb5_util: Warning: proceeding without master key -Enter KDC database master key: <= Type the KDC database master password. -shell%
-

If you do not specify a stash file, kdb5_util will stash the key in -the file specified in your kdc.conf file.

-
-
-
-

Creating and destroying a Kerberos database¶

-

If you need to create a new Kerberos database, use the -kdb5_util create command.

-
-
create [-s]
-

Creates a new database. If the -s option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run.

-

If you need to destroy the current Kerberos database, use the -kdb5_util destroy command.

-
-
destroy [-f]
-

Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the -f argument, does not prompt the user.

-
-

Examples¶

-
shell% kdb5_util -r ATHENA.MIT.EDU create -s
-Loading random data
-Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
-master key name 'K/M@ATHENA.MIT.EDU'
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:  <= Type the master password.
-Re-enter KDC database master key to verify:  <= Type it again.
-shell%
-
-shell% kdb5_util -r ATHENA.MIT.EDU destroy
-Deleting KDC database stored in '/usr/local/var/krb5kdc/principal', are you sure?
-(type 'yes' to confirm)?  <= yes
-OK, deleting database '/usr/local/var/krb5kdc/principal'...
-** Database '/usr/local/var/krb5kdc/principal' destroyed.
-shell%
-
-
-
-
-
-

Updating the master key¶

-

Starting with release 1.7, kdb5_util allows the master key -to be changed using a rollover process, with minimal loss of -availability. To roll over the master key, follow these steps:

-
    -

  1. On the master KDC, run kdb5_util list_mkeys to view the current -master key version number (KVNO). If you have never rolled over -the master key before, this will likely be version 1:

    -
    $ kdb5_util list_mkeys
-Master keys for Principal: K/M@KRBTEST.COM
-KVNO: 1, Enctype: des-cbc-crc, Active on: Wed Dec 31 19:00:00 EST 1969 *
-
    -
    -
    2. -

  2. On the master KDC, run kdb5_util use_mkey 1 to ensure that a -master key activation list is present in the database. This step -is unnecessary in release 1.11.4 or later, or if the database was -initially created with release 1.7 or later.

    -
    3. -

  3. On the master KDC, run kdb5_util add_mkey -s to create a new -master key and write it to the stash file. Enter a secure password -when prompted. If this is the first time you are changing the -master key, the new key will have version 2. The new master key -will not be used until you make it active.

    -
    4. -

  4. Propagate the database to all slave KDCs, either manually or by -waiting until the next scheduled propagation. If you do not have -any slave KDCs, you can skip this and the next step.

    -
    5. -

  5. On each slave KDC, run kdb5_util list_mkeys to verify that the -new master key is present, and then kdb5_util stash to write -the new master key to the slave KDC’s stash file.

    -
    6. -

  6. On the master KDC, run kdb5_util use_mkey 2 to begin using the -new master key. Replace 2 with the version of the new master -key, as appropriate. You can optionally specify a date for the new -master key to become active; by default, it will become active -immediately. Prior to release 1.12, kadmind must be -restarted for this change to take full effect.

    -
    7. -

  7. On the master KDC, run kdb5_util update_princ_encryption. This -command will iterate over the database and re-encrypt all keys in -the new master key. If the database is large and uses DB2, the -master KDC will become unavailable while this command runs, but -clients should fail over to slave KDCs (if any are present) during -this time period. In release 1.13 and later, you can instead run -kdb5_util -x unlockiter update_princ_encryption to use unlocked -iteration; this variant will take longer, but will keep the -database available to the KDC and kadmind while it runs.

    -
    8. -

  8. On the master KDC, run kdb5_util purge_mkeys to clean up the -old master key.

    -
    9. -
-
-
-
-

Operations on the LDAP database¶

-

The kdb5_ldap_util is the primary tool for administrating -the Kerberos LDAP database. It allows an administrator to manage -realms, Kerberos services (KDC and Admin Server) and ticket policies.

-

kdb5_ldap_util -[-D user_dn [-w passwd]] -[-H ldapuri] -command -[command_options]

-

OPTIONS

-
-
-D user_dn
-
Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server.
-
-w passwd
-
Specifies the password of user_dn. This option is not -recommended.
-
-H ldapuri
-
Specifies the URI of the LDAP server. It is recommended to use -ldapi:// or ldaps:// to connect to the LDAP server.
-
-
-

Creating a Kerberos realm¶

-

If you need to create a new realm, use the kdb5_ldap_util -create command as follows.

-
-
create -[-subtrees subtree_dn_list] -[-sscope search_scope] -[-containerref container_reference_dn] -[-k mkeytype] -[-kv mkeyVNO] -[-m|-P password|-sf stashfilename] -[-s] -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags]
-

Creates realm in directory. Options:

-
-
-subtrees subtree_dn_list
-
Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (:).
-
-sscope search_scope
-
Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees).
-
-containerref container_reference_dn
-
Specifies the DN of the container object in which the principals -of a realm will be created. If the container reference is not -configured for a realm, the principals will be created in the -realm container.
-
-k mkeytype
-
Specifies the key type of the master key in the database. The -default is given by the master_key_type variable in -kdc.conf.
-
-kv mkeyVNO
-
Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed.
-
-m
-
Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk.
-
-P password
-
Specifies the master database password. This option is not -recommended.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-sf stashfilename
-
Specifies the stash file of the master database password.
-
-s
-
Specifies that the stash file is to be created.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals in this realm.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals in this realm.
-
ticket_flags
-
Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the add_principal command in -kadmin.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Initializing database for realm 'ATHENA.MIT.EDU'
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:
-Re-enter KDC database master key to verify:
-
-
-
-
-

Modifying a Kerberos realm¶

-

If you need to modify a realm, use the kdb5_ldap_util -modify command as follows.

-
-
modify -[-subtrees subtree_dn_list] -[-sscope search_scope] -[-containerref container_reference_dn] -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags]
-

Modifies the attributes of a realm. Options:

-
-
-subtrees subtree_dn_list
-
Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (:). This list replaces the existing list.
-
-sscope search_scope
-
Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees).
-
-containerref container_reference_dn Specifies the DN of the
-
container object in which the principals of a realm will be -created.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals in this realm.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals in this realm.
-
ticket_flags
-
Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the add_principal command in -kadmin.
-
-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu modify +requires_preauth -r
-    ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-shell%
-
-
-
-
-

Destroying a Kerberos realm¶

-

If you need to destroy a Kerberos realm, use the -kdb5_ldap_util destroy command as follows.

-
-
destroy [-f] [-r realm]
-

Destroys an existing realm. Options:

-
-
-f
-
If specified, will not prompt the user for confirmation.
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Deleting KDC database of 'ATHENA.MIT.EDU', are you sure?
-(type 'yes' to confirm)? yes
-OK, deleting database of 'ATHENA.MIT.EDU'...
-shell%
-
-
-
-
-

Retrieving information about a Kerberos realm¶

-

If you need to display the attributes of a realm, use the -kdb5_ldap_util view command as follows.

-
-
view [-r realm]
-

Displays the attributes of a realm. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    view -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-Realm Name: ATHENA.MIT.EDU
-Subtree: ou=users,o=org
-Subtree: ou=servers,o=org
-SearchScope: ONE
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-
-
-
-
-

Listing available Kerberos realms¶

-

If you need to display the list of the realms, use the -kdb5_ldap_util list command as follows.

-
-
list
-

Lists the name of realms.

-

Example:

-
shell% kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu list
-Password for "cn=admin,o=org":
-ATHENA.MIT.EDU
-OPENLDAP.MIT.EDU
-MEDIA-LAB.MIT.EDU
-shell%
-
-
-
-
-

Stashing service object’s password¶

-

The kdb5_ldap_util stashsrvpw command allows an -administrator to store the password of service object in a file. The -KDC and Administration server uses this password to authenticate to -the LDAP server.

-
-
stashsrvpw -[-f filename] -name
-

Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options:

-
-
-f filename
-
Specifies the complete path of the service password file. By -default, /usr/local/var/service_passwd is used.
-
name
-
Specifies the name of the object whose password is to be stored. -If krb5kdc or kadmind are configured for -simple binding, this should be the distinguished name it will -use as given by the ldap_kdc_dn or ldap_kadmind_dn -variable in kdc.conf. If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the ldap_kdc_sasl_authcid or -ldap_kadmind_sasl_authcid variable.
-
-

Example:

-
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile
-    cn=service-kdc,o=org
-Password for "cn=service-kdc,o=org":
-Re-enter password for "cn=service-kdc,o=org":
-
-
-
-
-

Ticket Policy operations¶

-
-

Creating a Ticket Policy¶

-

To create a new ticket policy in directory , use the -kdb5_ldap_util create_policy command. Ticket policy -objects are created under the realm container.

-
-
create_policy -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags] -policy_name
-

Creates a ticket policy in the directory. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-maxtktlife max_ticket_life
-
(getdate time string) Specifies maximum ticket life for -principals.
-
-maxrenewlife max_renewable_ticket_life
-
(getdate time string) Specifies maximum renewable life of -tickets for principals.
-
ticket_flags
-
Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the add_principal -command in kadmin.
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day"
-    -maxrenewlife "1 week" -allow_postdated +needchange
-    -allow_forwardable tktpolicy
-Password for "cn=admin,o=org":
-
-
-
-
-

Modifying a Ticket Policy¶

-

To modify a ticket policy in directory, use the -kdb5_ldap_util modify_policy command.

-
-
modify_policy -[-r realm] -[-maxtktlife max_ticket_life] -[-maxrenewlife max_renewable_ticket_life] -[ticket_flags] -policy_name
-

Modifies the attributes of a ticket policy. Options are same as for -create_policy.

-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H
-    ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU
-    -maxtktlife "60 minutes" -maxrenewlife "10 hours"
-    +allow_postdated -requires_preauth tktpolicy
-Password for "cn=admin,o=org":
-
-
-
-
-

Retrieving Information About a Ticket Policy¶

-

To display the attributes of a ticket policy, use the -kdb5_ldap_util view_policy command.

-
-
view_policy -[-r realm] -policy_name
-

Displays the attributes of a ticket policy. Options:

-
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    view_policy -r ATHENA.MIT.EDU tktpolicy
-Password for "cn=admin,o=org":
-Ticket policy: tktpolicy
-Maximum ticket life: 0 days 01:00:00
-Maximum renewable life: 0 days 10:00:00
-Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE
-
-
-
-
-

Destroying a Ticket Policy¶

-

To destroy an existing ticket policy, use the kdb5_ldap_util -destroy_policy command.

-
-
destroy_policy -[-r realm] -[-force] -policy_name
-

Destroys an existing ticket policy. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-force
-
Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy.
-
policy_name
-
Specifies the name of the ticket policy.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    destroy_policy -r ATHENA.MIT.EDU tktpolicy
-Password for "cn=admin,o=org":
-This will delete the policy object 'tktpolicy', are you sure?
-(type 'yes' to confirm)? yes
-** policy object 'tktpolicy' deleted.
-
-
-
-
-

Listing available Ticket Policies¶

-

To list the name of ticket policies in a realm, use the -kdb5_ldap_util list_policy command.

-
-
list_policy -[-r realm]
-

Lists the ticket policies in realm if specified or in the default -realm. Options:

-
-
-r realm
-
Specifies the Kerberos realm of the database.
-
-

Example:

-
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu
-    list_policy -r ATHENA.MIT.EDU
-Password for "cn=admin,o=org":
-tktpolicy
-tmppolicy
-userpolicy
-
-
-
-
-
-
-

Cross-realm authentication¶

-

In order for a KDC in one realm to authenticate Kerberos users in a -different realm, it must share a key with the KDC in the other realm. -In both databases, there must be krbtgt service principals for both realms. -For example, if you need to do cross-realm authentication between the realms -ATHENA.MIT.EDU and EXAMPLE.COM, you would need to add the -principals krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU and -krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM to both databases. -These principals must all have the same passwords, key version -numbers, and encryption types; this may require explicitly setting -the key version number with the -kvno option.

-

In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators -would run the following commands on the KDCs in both realms:

-
shell%: kadmin.local -e "aes256-cts:normal"
-kadmin: addprinc -requires_preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM
-Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
-Re-enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM:
-kadmin: addprinc -requires_preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
-Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
-Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU:
-kadmin:
-
-
-
-

Note

-

Even if most principals in a realm are generally created -with the requires_preauth flag enabled, this flag is not -desirable on cross-realm authentication keys because doing -so makes it impossible to disable preauthentication on a -service-by-service basis. Disabling it as in the example -above is recommended.

-
-
-

Note

-

It is very important that these principals have good -passwords. MIT recommends that TGT principal passwords be -at least 26 characters of random ASCII text.

-
-
-
-

Changing the krbtgt key¶

-

A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the -principal krbtgt/REALM. The key for this principal is created -when the Kerberos database is initialized and need not be changed. -However, it will only have the encryption types supported by the KDC -at the time of the initial database creation. To allow use of newer -encryption types for the TGT, this key has to be changed.

-

Changing this key using the normal kadmin -change_password command would invalidate any previously issued -TGTs. Therefore, when changing this key, normally one should use the --keepold flag to change_password to retain the previous key in the -database as well as the new key. For example:

-
kadmin: change_password -randkey -keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-
-
-
-

Warning

-

After issuing this command, the old key is still valid -and is still vulnerable to (for instance) brute force -attacks. To completely retire an old key or encryption -type, run the kadmin purgekeys command to delete keys -with older kvnos, ideally first making sure that all -tickets issued with the old keys have expired.

-
-

Only the first krbtgt key of the newest key version is used to encrypt -ticket-granting tickets. However, the set of encryption types present -in the krbtgt keys is used by default to determine the session key -types supported by the krbtgt service (see -Session key selection). Because non-MIT Kerberos clients -sometimes send a limited set of encryption types when making AS -requests, it can be important to for the krbtgt service to support -multiple encryption types. This can be accomplished by giving the -krbtgt principal multiple keys, which is usually as simple as not -specifying any -e option when changing the krbtgt key, or by -setting the session_enctypes string attribute on the krbtgt -principal (see set_string).

-

Due to a bug in releases 1.8 through 1.13, renewed and forwarded -tickets may not work if the original ticket was obtained prior to a -krbtgt key change and the modified ticket is obtained afterwards. -Upgrading the KDC to release 1.14 or later will correct this bug.

-
-
-

Incremental database propagation¶

-
-

Overview¶

-

At some very large sites, dumping and transmitting the database can -take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support -added in the 1.7 release is intended to address this.

-

With incremental propagation enabled, all programs on the master KDC -that change the database also write information about the changes to -an “update log” file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the kadmind server) and -periodically requests the changes that have been made since the last -check. By default, this check is done every two minutes. If the -database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time.

-

Incremental propagation uses the following entries in the per-realm -data in the KDC config file (See kdc.conf):

- ----- - - - - - - - - - - - - - - - - - - - - - - - - - - -
iprop_enablebooleanIf true, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is false.
iprop_master_ulogsizeintegerIndicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500.
iprop_slave_polltime intervalIndicates how often the slave should poll the master KDC for changes to the database. The default is two minutes.
iprop_portintegerSpecifies the port number to be used for incremental propagation. This is required in both master and slave configuration files.
iprop_resync_timeoutintegerSpecifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes).
iprop_logfilefile nameSpecifies where the update log file for the realm database is to be stored. The default is to use the database_name entry from the realms section of the config file kdc.conf, with .ulog appended. (NOTE: If database_name isn’t specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the dbmodules section, then the hard-coded default for database_name is used. Determination of the iprop_logfile default value will not use values from the dbmodules section.)
-

Both master and slave sides must have a principal named -kiprop/hostname (where hostname is the lowercase, -fully-qualified, canonical name for the host) registered in the -Kerberos database, and have keys for that principal stored in the -default keytab file (DEFKTNAME). In release 1.13, the -kiprop/hostname principal is created automatically for the master -KDC, but it must still be created for slave KDCs.

-

On the master KDC side, the kiprop/hostname principal must be -listed in the kadmind ACL file kadm5.acl, and given the -p privilege (see Privileges).

-

On the slave KDC side, kpropd should be run. When -incremental propagation is enabled, it will connect to the kadmind on -the master KDC and start requesting updates.

-

The normal kprop mechanism is disabled by the incremental propagation -support. However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed.

-

If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run kadmind -proponly on each -intermediate slave, and kpropd -A upstreamhostname on downstream -slaves to direct each one to the appropriate upstream slave.

-

There are several known restrictions in the current implementation:

-
    -
  • The incremental update protocol does not transport changes to policy -objects. Any policy changes on the master will result in full -resyncs to all slaves.
    • -
  • The slave’s KDB module must support locking; it cannot be using the -LDAP KDB module.
    • -
  • The master and slave must be able to initiate TCP connections in -both directions, without an intervening NAT.
    • -
-
-
-

Sun/MIT incremental propagation differences¶

-

Sun donated the original code for supporting incremental database -propagation to MIT. Some changes have been made in the MIT source -tree that will be visible to administrators. (These notes are based -on Sun’s patches. Changes to Sun’s implementation since then may not -be reflected here.)

-

The Sun config file support looks for sunw_dbprop_enable, -sunw_dbprop_master_ulogsize, and sunw_dbprop_slave_poll.

-

The incremental propagation service is implemented as an ONC RPC -service. In the Sun implementation, the service is registered with -rpcbind (also known as portmapper) and the client looks up the port -number to contact. In the MIT implementation, where interaction with -some modern versions of rpcbind doesn’t always work well, the port -number must be specified in the config file on both the master and -slave sides.

-

The Sun implementation hard-codes pathnames in /var/krb5 for the -update log and the per-slave kprop dump files. In the MIT -implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -LOCALSTATEDIR/krb5kdc/slave_datatrans_hostname.

-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/enctypes.html b/doc/html/admin/enctypes.html deleted file mode 100644 index bfc71da..0000000 --- a/doc/html/admin/enctypes.html +++ /dev/null @@ -1,345 +0,0 @@ - - - - - - - - Encryption types — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Encryption types¶

-

Kerberos can use a variety of cipher algorithms to protect data. A -Kerberos encryption type (also known as an enctype) is a -specific combination of a cipher algorithm with an integrity algorithm -to provide both confidentiality and integrity to data.

-
-

Enctypes in requests¶

-

Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and -TGS-REQs. The client uses the AS-REQ to obtain initial tickets -(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to -obtain service tickets.

-

The KDC uses three different keys when issuing a ticket to a client:

-
    -
  • The long-term key of the service: the KDC uses this to encrypt the -actual service ticket. The KDC only uses the first long-term key in -the most recent kvno for this purpose.
    • -
  • The session key: the KDC randomly chooses this key and places one -copy inside the ticket and the other copy inside the encrypted part -of the reply.
    • -
  • The reply-encrypting key: the KDC uses this to encrypt the reply it -sends to the client. For AS replies, this is a long-term key of the -client principal. For TGS replies, this is either the session key of the -authenticating ticket, or a subsession key.
    • -
-

Each of these keys is of a specific enctype.

-

Each request type allows the client to submit a list of enctypes that -it is willing to accept. For the AS-REQ, this list affects both the -session key selection and the reply-encrypting key selection. For the -TGS-REQ, this list only affects the session key selection.

-
-
-

Session key selection¶

-

The KDC chooses the session key enctype by taking the intersection of -its permitted_enctypes list, the list of long-term keys for the -most recent kvno of the service, and the client’s requested list of -enctypes. If allow_weak_crypto is true, all services are assumed -to support des-cbc-crc.

-

Starting in krb5-1.11, des_crc_session_supported in -kdc.conf allows additional control over whether the KDC -issues des-cbc-crc session keys.

-

Also starting in krb5-1.11, it is possible to set a string attribute -on a service principal to control what session key enctypes the KDC -may issue for service tickets for that principal. See -set_string in kadmin for details.

-
-
-

Choosing enctypes for a service¶

-

Generally, a service should have a key of the strongest -enctype that both it and the KDC support. If the KDC is running a -release earlier than krb5-1.11, it is also useful to generate an -additional key for each enctype that the service can support. The KDC -will only use the first key in the list of long-term keys for encrypting -the service ticket, but the additional long-term keys indicate the -other enctypes that the service supports.

-

As noted above, starting with release krb5-1.11, there are additional -configuration settings that control session key enctype selection -independently of the set of long-term keys that the KDC has stored for -a service principal.

-
-
-

Configuration variables¶

-

The following [libdefaults] settings in krb5.conf will -affect how enctypes are chosen.

-
-
allow_weak_crypto
-
defaults to false starting with krb5-1.8. When false, removes -single-DES enctypes (and other weak enctypes) from -permitted_enctypes, default_tkt_enctypes, and -default_tgs_enctypes. Do not set this to true unless the -use of weak enctypes is an acceptable risk for your environment -and the weak enctypes are required for backward compatibility.
-
permitted_enctypes
-
controls the set of enctypes that a service will accept as session -keys.
-
default_tkt_enctypes
-
controls the default set of enctypes that the Kerberos client -library requests when making an AS-REQ. Do not set this unless -required for specific backward compatibility purposes; stale -values of this setting can prevent clients from taking advantage -of new stronger enctypes when the libraries are upgraded.
-
default_tgs_enctypes
-
controls the default set of enctypes that the Kerberos client -library requests when making a TGS-REQ. Do not set this unless -required for specific backward compatibility purposes; stale -values of this setting can prevent clients from taking advantage -of new stronger enctypes when the libraries are upgraded.
-
-

The following per-realm setting in kdc.conf affects the -generation of long-term keys.

-
-
supported_enctypes
-
controls the default set of enctype-salttype pairs that kadmind -will use for generating long-term keys, either randomly or from -passwords
-
-
-
-

Enctype compatibility¶

-

See Encryption types for additional information about enctypes.

- ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
enctypeweak?krb5Windows
des-cbc-crcweakall>=2000
des-cbc-md4weakall?
des-cbc-md5weakall>=2000
des3-cbc-sha1 >=1.1none
arcfour-hmac >=1.3>=2000
arcfour-hmac-expweak>=1.3>=2000
aes128-cts-hmac-sha1-96 >=1.3>=Vista
aes256-cts-hmac-sha1-96 >=1.3>=Vista
aes128-cts-hmac-sha256-128 >=1.15none
aes256-cts-hmac-sha384-192 >=1.15none
camellia128-cts-cmac >=1.9none
camellia256-cts-cmac >=1.9none
-

krb5 releases 1.8 and later disable the single-DES enctypes by -default. Microsoft Windows releases Windows 7 and later disable -single-DES enctypes by default.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/env_variables.html b/doc/html/admin/env_variables.html deleted file mode 100644 index 9b49c82..0000000 --- a/doc/html/admin/env_variables.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - Environment variables — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Environment variables¶

-

The following environment variables can be used during runtime:

-
-
KRB5_CONFIG
-
Main Kerberos configuration file. Multiple filenames can be -specified, separated by a colon; all files which are present will -be read. (See MIT Kerberos defaults for the default path.)
-
KRB5_KDC_PROFILE
-
KDC configuration file. (See MIT Kerberos defaults for the default -name.)
-
KRB5_KTNAME
-
Default keytab file name. (See MIT Kerberos defaults for the -default name.)
-
KRB5_CLIENT_KTNAME
-
Default client keytab file name. (See MIT Kerberos defaults for -the default name.)
-
KRB5CCNAME
-
Default name for the credentials cache file, in the form type:residual. The type of the default cache may determine the -availability of a cache collection. For instance, a default cache -of type DIR causes caches within the directory to be present -in the global cache collection.
-
KRB5RCACHETYPE
-
Default replay cache type. Defaults to dfl. A value of -none disables the replay cache.
-
KRB5RCACHEDIR
-
Default replay cache directory. (See MIT Kerberos defaults for the -default location.)
-
KPROP_PORT
-
kprop port to use. Defaults to 754.
-
KRB5_TRACE
-
Filename for trace-logging output (introduced in release 1.9). -For example, env KRB5_TRACE=/dev/stdout kinit would send -tracing information for kinit to /dev/stdout. Some programs -may ignore this variable (particularly setuid or login system -programs).
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/host_config.html b/doc/html/admin/host_config.html deleted file mode 100644 index 3d32a19..0000000 --- a/doc/html/admin/host_config.html +++ /dev/null @@ -1,366 +0,0 @@ - - - - - - - - Host configuration — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Host configuration¶

-

All hosts running Kerberos software, whether they are clients, -application servers, or KDCs, can be configured using -krb5.conf. Here we describe some of the behavior changes -you might want to make.

-
-

Default realm¶

-

In the [libdefaults] section, the default_realm realm -relation sets the default Kerberos realm. For example:

-
[libdefaults]
-    default_realm = ATHENA.MIT.EDU
-
-
-

The default realm affects Kerberos behavior in the following ways:

-
    -
  • When a principal name is parsed from text, the default realm is used -if no @REALM component is specified.
    • -
  • The default realm affects login authorization as described below.
    • -
  • For programs which operate on a Kerberos database, the default realm -is used to determine which database to operate on, unless the -r -parameter is given to specify a realm.
    • -
  • A server program may use the default realm when looking up its key -in a keytab file, if its realm is not -determined by [domain_realm] configuration or by the server -program itself.
    • -
  • If kinit is passed the -n flag, it requests anonymous -tickets from the default realm.
    • -
-

In some situations, these uses of the default realm might conflict. -For example, it might be desirable for principal name parsing to use -one realm by default, but for login authorization to use a second -realm. In this situation, the first realm can be configured as the -default realm, and auth_to_local relations can be used as -described below to use the second realm for login authorization.

-
-
-

Login authorization¶

-

If a host runs a Kerberos-enabled login service such as OpenSSH with -GSSAPIAuthentication enabled, login authorization rules determine -whether a Kerberos principal is allowed to access a local account.

-

By default, a Kerberos principal is allowed access to an account if -its realm matches the default realm and its name matches the account -name. (For historical reasons, access is also granted by default if -the name has two components and the second component matches the -default realm; for instance, alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU -is granted access to the alice account if ATHENA.MIT.EDU is -the default realm.)

-

The simplest way to control local access is using .k5login -files. To use these, place a .k5login file in the home directory -of each account listing the principal names which should have login -access to that account. If it is not desirable to use .k5login -files located in account home directories, the k5login_directory -relation in the [libdefaults] section can specify a directory -containing one file per account uname.

-

By default, if a .k5login file is present, it controls -authorization both positively and negatively–any principal name -contained in the file is granted access and any other principal name -is denied access, even if it would have had access if the .k5login -file didn’t exist. The k5login_authoritative relation in the -[libdefaults] section can be set to false to make .k5login -files provide positive authorization only.

-

The auth_to_local relation in the [realms] section for the -default realm can specify pattern-matching rules to control login -authorization. For example, the following configuration allows access -to principals from a different realm than the default realm:

-
[realms]
-    DEFAULT.REALM = {
-        # Allow access to principals from OTHER.REALM.
-        #
-        # [1:$1@$0] matches single-component principal names and creates
-        # a selection string containing the principal name and realm.
-        #
-        # (.*@OTHER\.REALM) matches against the selection string, so that
-        # only principals in OTHER.REALM are matched.
-        #
-        # s/@OTHER\.REALM$// removes the realm name, leaving behind the
-        # principal name as the acount name.
-        auth_to_local = RULE:[1:$1@$0](.*@OTHER\.REALM)s/@OTHER\.REALM$//
-
-        # Also allow principals from the default realm.  Omit this line
-        # to only allow access to principals in OTHER.REALM.
-        auth_to_local = DEFAULT
-    }
-
-
-

The auth_to_local_names subsection of the [realms] section -for the default realm can specify explicit mappings from principal -names to local accounts. The key used in this subsection is the -principal name without realm, so it is only safe to use in a Kerberos -environment with a single realm or a tightly controlled set of realms. -An example use of auth_to_local_names might be:

-
[realms]
-    ATHENA.MIT.EDU = {
-        auth_to_local_names = {
-            # Careful, these match principals in any realm!
-            host/example.com = hostaccount
-            fred = localfred
-        }
-    }
-
-
-

Local authorization behavior can also be modified using plugin -modules; see Host-to-realm interface (hostrealm) for details.

-
-
-

Plugin module configuration¶

-

Many aspects of Kerberos behavior, such as client preauthentication -and KDC service location, can be modified through the use of plugin -modules. For most of these behaviors, you can use the [plugins] -section of krb5.conf to register third-party modules, and to switch -off registered or built-in modules.

-

A plugin module takes the form of a Unix shared object -(modname.so) or Windows DLL (modname.dll). If you have -installed a third-party plugin module and want to register it, you do -so using the module relation in the appropriate subsection of the -[plugins] section. The value for module must give the module name -and the path to the module, separated by a colon. The module name -will often be the same as the shared object’s name, but in unusual -cases (such as a shared object which implements multiple modules for -the same interface) it might not be. For example, to register a -client preauthentication module named mypreauth installed at -/path/to/mypreauth.so, you could write:

-
[plugins]
-    clpreauth = {
-        module = mypreauth:/path/to/mypreauth.so
-    }
-
-
-

Many of the pluggable behaviors in MIT krb5 contain built-in modules -which can be switched off. You can disable a built-in module (or one -you have registered) using the disable directive in the -appropriate subsection of the [plugins] section. For example, to -disable the use of .k5identity files to select credential caches, you -could write:

-
[plugins]
-    ccselect = {
-        disable = k5identity
-    }
-
-
-

If you want to disable multiple modules, specify the disable -directive multiple times, giving one module to disable each time.

-

Alternatively, you can explicitly specify which modules you want to be -enabled for that behavior using the enable_only directive. For -example, to make kadmind check password quality using only a -module you have registered, and no other mechanism, you could write:

-
[plugins]
-    pwqual = {
-        module = mymodule:/path/to/mymodule.so
-        enable_only = mymodule
-    }
-
-
-

Again, if you want to specify multiple modules, specify the -enable_only directive multiple times, giving one module to enable -each time.

-

Some Kerberos interfaces use different mechanisms to register plugin -modules.

-
-

KDC location modules¶

-

For historical reasons, modules to control how KDC servers are located -are registered simply by placing the shared object or DLL into the -“libkrb5” subdirectory of the krb5 plugin directory, which defaults to -LIBDIR/krb5/plugins. For example, Samba’s winbind krb5 -locator plugin would be registered by placing its shared object in -LIBDIR/krb5/plugins/libkrb5/winbind_krb5_locator.so.

-
-
-

GSSAPI mechanism modules¶

-

GSSAPI mechanism modules are registered using the file -/etc/gss/mech or configuration files in the /etc/gss/mech.d/ -directory. Only files with a .conf suffix will be read from the -/etc/gss/mech.d/ directory. Each line in these files has the -form:

-
oid  pathname  [options]  <type>
-
-
-

Only the oid and pathname are required. oid is the object -identifier of the GSSAPI mechanism to be registered. pathname is a -path to the module shared object or DLL. options (if present) are -options provided to the plugin module, surrounded in square brackets. -type (if present) can be used to indicate a special type of module. -Currently the only special module type is “interposer”, for a module -designed to intercept calls to other mechanisms.

-
-
-

Configuration profile modules¶

-

A configuration profile module replaces the information source for -krb5.conf itself. To use a profile module, begin krb5.conf -with the line:

-
module PATHNAME:STRING
-
-
-

where PATHNAME is a path to the module shared object or DLL, and -STRING is a string to provide to the module. The module will then -take over, and the rest of krb5.conf will be ignored.

-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/https.html b/doc/html/admin/https.html deleted file mode 100644 index 5b8b90d..0000000 --- a/doc/html/admin/https.html +++ /dev/null @@ -1,200 +0,0 @@ - - - - - - - - HTTPS proxy configuration — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

HTTPS proxy configuration¶

-

In addition to being able to use UDP or TCP to communicate directly -with a KDC as is outlined in RFC4120, and with kpasswd services in a -similar fashion, the client libraries can attempt to use an HTTPS -proxy server to communicate with a KDC or kpasswd service, using the -protocol outlined in [MS-KKDCP].

-

Communicating with a KDC through an HTTPS proxy allows clients to -contact servers when network firewalls might otherwise prevent them -from doing so. The use of TLS also encrypts all traffic between the -clients and the KDC, preventing observers from conducting password -dictionary attacks or from observing the client and server principals -being authenticated, at additional computational cost to both clients -and servers.

-

An HTTPS proxy server is provided as a feature in some versions of -Microsoft Windows Server, and a WSGI implementation named kdcproxy -is available in the python package index.

-
-

Configuring the clients¶

-

To use an HTTPS proxy, a client host must trust the CA which issued -that proxy’s SSL certificate. If that CA’s certificate is not in the -system-wide default set of trusted certificates, configure the -following relation in the client host’s krb5.conf file in -the appropriate [realms] subsection:

-
http_anchors = FILE:/etc/krb5/cacert.pem
-
-
-

Adjust the pathname to match the path of the file which contains a -copy of the CA’s certificate. The http_anchors option is documented -more fully in krb5.conf.

-

Configure the client to access the KDC and kpasswd service by -specifying their locations in its krb5.conf file in the form -of HTTPS URLs for the proxy server:

-
kdc = https://server.fqdn/KdcProxy
-kpasswd_server = https://server.fqdn/KdcProxy
-
-
-

If the proxy and client are properly configured, client commands such -as kinit, kvno, and kpasswd should all function normally.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/index.html b/doc/html/admin/index.html deleted file mode 100644 index 5592c9e..0000000 --- a/doc/html/admin/index.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - For administrators — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/install.html b/doc/html/admin/install.html deleted file mode 100644 index 0da1ea1..0000000 --- a/doc/html/admin/install.html +++ /dev/null @@ -1,202 +0,0 @@ - - - - - - - - Installation guide — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/install_appl_srv.html b/doc/html/admin/install_appl_srv.html deleted file mode 100644 index 810a0b1..0000000 --- a/doc/html/admin/install_appl_srv.html +++ /dev/null @@ -1,235 +0,0 @@ - - - - - - - - UNIX Application Servers — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

UNIX Application Servers¶

-

An application server is a host that provides one or more services -over the network. Application servers can be “secure” or “insecure.” -A “secure” host is set up to require authentication from every client -connecting to it. An “insecure” host will still provide Kerberos -authentication, but will also allow unauthenticated clients to -connect.

-

If you have Kerberos V5 installed on all of your client machines, MIT -recommends that you make your hosts secure, to take advantage of the -security that Kerberos authentication affords. However, if you have -some clients that do not have Kerberos V5 installed, you can run an -insecure server, and still take advantage of Kerberos V5’s single -sign-on capability.

-
-

The keytab file¶

-

All Kerberos server machines need a keytab file to authenticate to the -KDC. By default on UNIX-like systems this file is named DEFKTNAME. -The keytab file is an local copy of the host’s key. The keytab file -is a potential point of entry for a break-in, and if compromised, -would allow unrestricted access to its host. The keytab file should -be readable only by root, and should exist only on the machine’s local -disk. The file should not be part of any backup of the machine, -unless access to the backup data is secured as tightly as access to -the machine’s root password.

-

In order to generate a keytab for a host, the host must have a -principal in the Kerberos database. The procedure for adding hosts to -the database is described fully in Adding, modifying and deleting principals. (See -Create host keytabs for slave KDCs for a brief description.) The keytab is -generated by running kadmin and issuing the ktadd -command.

-

For example, to generate a keytab file to allow the host -trillium.mit.edu to authenticate for the services host, ftp, and -pop, the administrator joeadmin would issue the command (on -trillium.mit.edu):

-
trillium% kadmin
-kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu
-    pop/trillium.mit.edu
-kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with
-    kvno 3, encryption type DES-CBC-CRC added to keytab
-    FILE:/etc/krb5.keytab.
-kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with
-    kvno 3, encryption type DES-CBC-CRC added to keytab
-    FILE:/etc/krb5.keytab.
-kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with
-    kvno 3, encryption type DES-CBC-CRC added to keytab
-    FILE:/etc/krb5.keytab.
-kadmin5: quit
-trillium%
-
-
-

If you generate the keytab file on another host, you need to get a -copy of the keytab file onto the destination host (trillium, in -the above example) without sending it unencrypted over the network.

-
-
-

Some advice about secure hosts¶

-

Kerberos V5 can protect your host from certain types of break-ins, but -it is possible to install Kerberos V5 and still leave your host -vulnerable to attack. Obviously an installation guide is not the -place to try to include an exhaustive list of countermeasures for -every possible attack, but it is worth noting some of the larger holes -and how to close them.

-

We recommend that backups of secure machines exclude the keytab file -(DEFKTNAME). If this is not possible, the backups should at least be -done locally, rather than over a network, and the backup tapes should -be physically secured.

-

The keytab file and any programs run by root, including the Kerberos -V5 binaries, should be kept on local disk. The keytab file should be -readable only by root.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/install_clients.html b/doc/html/admin/install_clients.html deleted file mode 100644 index 07997a3..0000000 --- a/doc/html/admin/install_clients.html +++ /dev/null @@ -1,212 +0,0 @@ - - - - - - - - Installing and configuring UNIX client machines — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Installing and configuring UNIX client machines¶

-

The Kerberized client programs include kinit, -klist, kdestroy, and kpasswd. All of -these programs are in the directory BINDIR.

-

You can often integrate Kerberos with the login system on client -machines, typically through the use of PAM. The details vary by -operating system, and should be covered in your operating system’s -documentation. If you do this, you will need to make sure your users -know to use their Kerberos passwords when they log in.

-

You will also need to educate your users to use the ticket management -programs kinit, klist, and kdestroy. If you do not have Kerberos -password changing integrated into the native password program (again, -typically through PAM), you will need to educate users to use kpasswd -in place of its non-Kerberos counterparts passwd.

-
-

Client machine configuration files¶

-

Each machine running Kerberos should have a krb5.conf file. -At a minimum, it should define a default_realm setting in -[libdefaults]. If you are not using DNS SRV records -(Hostnames for KDCs) or URI records (KDC Discovery), it must -also contain a [realms] section containing information for your -realm’s KDCs.

-

Consider setting rdns to false in order to reduce your dependence -on precisely correct DNS information for service hostnames. Turning -this flag off means that service hostnames will be canonicalized -through forward name resolution (which adds your domain name to -unqualified hostnames, and resolves CNAME records in DNS), but not -through reverse address lookup. The default value of this flag is -true for historical reasons only.

-

If you anticipate users frequently logging into remote hosts -(e.g., using ssh) using forwardable credentials, consider setting -forwardable to true so that users obtain forwardable tickets by -default. Otherwise users will need to use kinit -f to get -forwardable tickets.

-

Consider adjusting the ticket_lifetime setting to match the likely -length of sessions for your users. For instance, if most of your -users will be logging in for an eight-hour workday, you could set the -default to ten hours so that tickets obtained in the morning expire -shortly after the end of the workday. Users can still manually -request longer tickets when necessary, up to the maximum allowed by -each user’s principal record on the KDC.

-

If a client host may access services in different realms, it may be -useful to define a [domain_realm] mapping so that clients know -which hosts belong to which realms. However, if your clients and KDC -are running release 1.7 or later, it is also reasonable to leave this -section out on client machines and just define it in the KDC’s -krb5.conf.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/install_kdc.html b/doc/html/admin/install_kdc.html deleted file mode 100644 index 350df29..0000000 --- a/doc/html/admin/install_kdc.html +++ /dev/null @@ -1,655 +0,0 @@ - - - - - - - - Installing KDCs — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Installing KDCs¶

-

When setting up Kerberos in a production environment, it is best to -have multiple slave KDCs alongside with a master KDC to ensure the -continued availability of the Kerberized services. Each KDC contains -a copy of the Kerberos database. The master KDC contains the writable -copy of the realm database, which it replicates to the slave KDCs at -regular intervals. All database changes (such as password changes) -are made on the master KDC. Slave KDCs provide Kerberos -ticket-granting services, but not database administration, when the -master KDC is unavailable. MIT recommends that you install all of -your KDCs to be able to function as either the master or one of the -slaves. This will enable you to easily switch your master KDC with -one of the slaves if necessary (see Switching master and slave KDCs). This -installation procedure is based on that recommendation.

-
-

Warning

-
    -
  • The Kerberos system relies on the availability of correct time -information. Ensure that the master and all slave KDCs have -properly synchronized clocks.
    • -
  • It is best to install and run KDCs on secured and dedicated -hardware with limited access. If your KDC is also a file -server, FTP server, Web server, or even just a client machine, -someone who obtained root access through a security hole in any -of those areas could potentially gain access to the Kerberos -database.
    • -
-
-
-

Install and configure the master KDC¶

-

Install Kerberos either from the OS-provided packages or from the -source (See Building within a single tree).

-
-

Note

-

For the purpose of this document we will use the following -names:

-
kerberos.mit.edu    - master KDC
-kerberos-1.mit.edu  - slave KDC
-ATHENA.MIT.EDU      - realm name
-.k5.ATHENA.MIT.EDU  - stash file
-admin/admin         - admin principal
-
-
-

See MIT Kerberos defaults for the default names and locations -of the relevant to this topic files. Adjust the names and -paths to your system environment.

-
-
-
-

Edit KDC configuration files¶

-

Modify the configuration files, krb5.conf and -kdc.conf, to reflect the correct information (such as -domain-realm mappings and Kerberos servers names) for your realm. -(See MIT Kerberos defaults for the recommended default locations for -these files).

-

Most of the tags in the configuration have default values that will -work well for most sites. There are some tags in the -krb5.conf file whose values must be specified, and this -section will explain those.

-

If the locations for these configuration files differs from the -default ones, set KRB5_CONFIG and KRB5_KDC_PROFILE environment -variables to point to the krb5.conf and kdc.conf respectively. For -example:

-
export KRB5_CONFIG=/yourdir/krb5.conf
-export KRB5_KDC_PROFILE=/yourdir/kdc.conf
-
-
-
-

krb5.conf¶

-

If you are not using DNS TXT records (see Mapping hostnames onto Kerberos realms), -you must specify the default_realm in the [libdefaults] -section. If you are not using DNS URI or SRV records (see -Hostnames for KDCs and KDC Discovery), you must include the -kdc tag for each realm in the [realms] section. To -communicate with the kadmin server in each realm, the admin_server -tag must be set in the -[realms] section.

-

An example krb5.conf file:

-
[libdefaults]
-    default_realm = ATHENA.MIT.EDU
-
-[realms]
-    ATHENA.MIT.EDU = {
-        kdc = kerberos.mit.edu
-        kdc = kerberos-1.mit.edu
-        admin_server = kerberos.mit.edu
-    }
-
-
-
-
-

kdc.conf¶

-

The kdc.conf file can be used to control the listening ports of the -KDC and kadmind, as well as realm-specific defaults, the database type -and location, and logging.

-

An example kdc.conf file:

-
[kdcdefaults]
-    kdc_listen = 88
-    kdc_tcp_listen = 88
-
-[realms]
-    ATHENA.MIT.EDU = {
-        kadmind_port = 749
-        max_life = 12h 0m 0s
-        max_renewable_life = 7d 0h 0m 0s
-        master_key_type = aes256-cts
-        supported_enctypes = aes256-cts:normal aes128-cts:normal
-        # If the default location does not suit your setup,
-        # explicitly configure the following values:
-        #    database_name = /var/krb5kdc/principal
-        #    key_stash_file = /var/krb5kdc/.k5.ATHENA.MIT.EDU
-        #    acl_file = /var/krb5kdc/kadm5.acl
-    }
-
-[logging]
-    # By default, the KDC and kadmind will log output using
-    # syslog.  You can instead send log output to files like this:
-    kdc = FILE:/var/log/krb5kdc.log
-    admin_server = FILE:/var/log/kadmin.log
-    default = FILE:/var/log/krb5lib.log
-
-
-

Replace ATHENA.MIT.EDU and kerberos.mit.edu with the name of -your Kerberos realm and server respectively.

-
-

Note

-

You have to have write permission on the target directories -(these directories must exist) used by database_name, -key_stash_file, and acl_file.

-
-
-
-
-

Create the KDC database¶

-

You will use the kdb5_util command on the master KDC to -create the Kerberos database and the optional stash file.

-
-

Note

-

If you choose not to install a stash file, the KDC will -prompt you for the master key each time it starts up. This -means that the KDC will not be able to start automatically, -such as after a system reboot.

-
-

kdb5_util will prompt you for the master password for the -Kerberos database. This password can be any string. A good password -is one you can remember, but that no one else can guess. Examples of -bad passwords are words that can be found in a dictionary, any common -or popular name, especially a famous person (or cartoon character), -your username in any form (e.g., forward, backward, repeated twice, -etc.), and any of the sample passwords that appear in this manual. -One example of a password which might be good if it did not appear in -this manual is “MITiys4K5!”, which represents the sentence “MIT is -your source for Kerberos 5!” (It’s the first letter of each word, -substituting the numeral “4” for the word “for”, and includes the -punctuation mark at the end.)

-

The following is an example of how to create a Kerberos database and -stash file on the master KDC, using the kdb5_util command. -Replace ATHENA.MIT.EDU with the name of your Kerberos realm:

-
shell% kdb5_util create -r ATHENA.MIT.EDU -s
-
-Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
-master key name 'K/M@ATHENA.MIT.EDU'
-You will be prompted for the database Master Password.
-It is important that you NOT FORGET this password.
-Enter KDC database master key:  <= Type the master password.
-Re-enter KDC database master key to verify:  <= Type it again.
-shell%
-
-
-

This will create five files in LOCALSTATEDIR/krb5kdc (or at the locations specified -in kdc.conf):

-
    -
  • two Kerberos database files, principal, and principal.ok
    • -
  • the Kerberos administrative database file, principal.kadm5
    • -
  • the administrative database lock file, principal.kadm5.lock
    • -
  • the stash file, in this example .k5.ATHENA.MIT.EDU. If you do -not want a stash file, run the above command without the -s -option.
    • -
-

For more information on administrating Kerberos database see -Operations on the Kerberos database.

-
-
-

Add administrators to the ACL file¶

-

Next, you need create an Access Control List (ACL) file and put the -Kerberos principal of at least one of the administrators into it. -This file is used by the kadmind daemon to control which -principals may view and make privileged modifications to the Kerberos -database files. The ACL filename is determined by the acl_file -variable in kdc.conf; the default is LOCALSTATEDIR/krb5kdc/kadm5.acl.

-

For more information on Kerberos ACL file see kadm5.acl.

-
-
-

Add administrators to the Kerberos database¶

-

Next you need to add administrative principals (i.e., principals who -are allowed to administer Kerberos database) to the Kerberos database. -You must add at least one principal now to allow communication -between the Kerberos administration daemon kadmind and the kadmin -program over the network for further administration. To do this, use -the kadmin.local utility on the master KDC. kadmin.local is designed -to be run on the master KDC host without using Kerberos authentication -to an admin server; instead, it must have read and write access to the -Kerberos database on the local filesystem.

-

The administrative principals you create should be the ones you added -to the ACL file (see Add administrators to the ACL file).

-

In the following example, the administrative principal admin/admin -is created:

-
shell% kadmin.local
-
-kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU
-
-WARNING: no policy specified for "admin/admin@ATHENA.MIT.EDU";
-assigning "default".
-Enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Enter a password.
-Re-enter password for principal admin/admin@ATHENA.MIT.EDU:  <= Type it again.
-Principal "admin/admin@ATHENA.MIT.EDU" created.
-kadmin.local:
-
-
-
-
-

Start the Kerberos daemons on the master KDC¶

-

At this point, you are ready to start the Kerberos KDC -(krb5kdc) and administrative daemons on the Master KDC. To -do so, type:

-
shell% krb5kdc
-shell% kadmind
-
-
-

Each server daemon will fork and run in the background.

-
-

Note

-

Assuming you want these daemons to start up automatically at -boot time, you can add them to the KDC’s /etc/rc or -/etc/inittab file. You need to have a -stash file in order to do this.

-
-

You can verify that they started properly by checking for their -startup messages in the logging locations you defined in -krb5.conf (see [logging]). For example:

-
shell% tail /var/log/krb5kdc.log
-Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation
-shell% tail /var/log/kadmin.log
-Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting
-
-
-

Any errors the daemons encounter while starting will also be listed in -the logging output.

-

As an additional verification, check if kinit succeeds -against the principals that you have created on the previous step -(Add administrators to the Kerberos database). Run:

-
shell% kinit admin/admin@ATHENA.MIT.EDU
-
-
-
-
-

Install the slave KDCs¶

-

You are now ready to start configuring the slave KDCs.

-
-

Note

-

Assuming you are setting the KDCs up so that you can easily -switch the master KDC with one of the slaves, you should -perform each of these steps on the master KDC as well as the -slave KDCs, unless these instructions specify otherwise.

-
-
-

Create host keytabs for slave KDCs¶

-

Each KDC needs a host key in the Kerberos database. These keys -are used for mutual authentication when propagating the database dump -file from the master KDC to the secondary KDC servers.

-

On the master KDC, connect to administrative interface and create the -host principal for each of the KDCs’ host services. For example, -if the master KDC were called kerberos.mit.edu, and you had a -slave KDC named kerberos-1.mit.edu, you would type the following:

-
shell% kadmin
-kadmin: addprinc -randkey host/kerberos.mit.edu
-NOTICE: no policy specified for "host/kerberos.mit.edu@ATHENA.MIT.EDU"; assigning "default"
-Principal "host/kerberos.mit.edu@ATHENA.MIT.EDU" created.
-
-kadmin: addprinc -randkey host/kerberos-1.mit.edu
-NOTICE: no policy specified for "host/kerberos-1.mit.edu@ATHENA.MIT.EDU"; assigning "default"
-Principal "host/kerberos-1.mit.edu@ATHENA.MIT.EDU" created.
-
-
-

It is not strictly necessary to have the master KDC server in the -Kerberos database, but it can be handy if you want to be able to swap -the master KDC with one of the slaves.

-

Next, extract host random keys for all participating KDCs and -store them in each host’s default keytab file. Ideally, you should -extract each keytab locally on its own KDC. If this is not feasible, -you should use an encrypted session to send them across the network. -To extract a keytab directly on a slave KDC called -kerberos-1.mit.edu, you would execute the following command:

-
kadmin: ktadd host/kerberos-1.mit.edu
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type des3-cbc-sha1 added to keytab FILE:/etc/krb5.keytab.
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type arcfour-hmac added to keytab FILE:/etc/krb5.keytab.
-
-
-

If you are instead extracting a keytab for the slave KDC called -kerberos-1.mit.edu on the master KDC, you should use a dedicated -temporary keytab file for that machine’s keytab:

-
kadmin: ktadd -k /tmp/kerberos-1.keytab host/kerberos-1.mit.edu
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type aes256-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
-Entry for principal host/kerberos-1.mit.edu with kvno 2, encryption
-    type aes128-cts-hmac-sha1-96 added to keytab FILE:/etc/krb5.keytab.
-
-
-

The file /tmp/kerberos-1.keytab can then be installed as -/etc/krb5.keytab on the host kerberos-1.mit.edu.

-
-
-

Configure slave KDCs¶

-

Database propagation copies the contents of the master’s database, but -does not propagate configuration files, stash files, or the kadm5 ACL -file. The following files must be copied by hand to each slave (see -MIT Kerberos defaults for the default locations for these files):

-
    -
  • krb5.conf
    • -
  • kdc.conf
    • -
  • kadm5.acl
    • -
  • master key stash file
    • -
-

Move the copied files into their appropriate directories, exactly as -on the master KDC. kadm5.acl is only needed to allow a slave to swap -with the master KDC.

-

The database is propagated from the master KDC to the slave KDCs via -the kpropd daemon. You must explicitly specify the -principals which are allowed to provide Kerberos dump updates on the -slave machine with a new database. Create a file named kpropd.acl in -the KDC state directory containing the host principals for each of -the KDCs:

-
host/kerberos.mit.edu@ATHENA.MIT.EDU
-host/kerberos-1.mit.edu@ATHENA.MIT.EDU
-
-
-
-

Note

-

If you expect that the master and slave KDCs will be -switched at some point of time, list the host principals -from all participating KDC servers in kpropd.acl files on -all of the KDCs. Otherwise, you only need to list the -master KDC’s host principal in the kpropd.acl files of the -slave KDCs.

-
-

Then, add the following line to /etc/inetd.conf on each KDC -(adjust the path to kpropd):

-
krb5_prop stream tcp nowait root /usr/local/sbin/kpropd kpropd
-
-
-

You also need to add the following line to /etc/services on each -KDC, if it is not already present (assuming that the default port is -used):

-
krb5_prop       754/tcp               # Kerberos slave propagation
-
-
-

Restart inetd daemon.

-

Alternatively, start kpropd as a stand-alone daemon. This is -required when incremental propagation is enabled.

-

Now that the slave KDC is able to accept database propagation, you’ll -need to propagate the database from the master server.

-

NOTE: Do not start the slave KDC yet; you still do not have a copy of -the master’s database.

-
-
-

Propagate the database to each slave KDC¶

-

First, create a dump file of the database on the master KDC, as -follows:

-
shell% kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
-
-
-

Then, manually propagate the database to each slave KDC, as in the -following example:

-
shell% kprop -f /usr/local/var/krb5kdc/slave_datatrans kerberos-1.mit.edu
-
-Database propagation to kerberos-1.mit.edu: SUCCEEDED
-
-
-

You will need a script to dump and propagate the database. The -following is an example of a Bourne shell script that will do this.

-
-

Note

-

Remember that you need to replace /usr/local/var/krb5kdc -with the name of the KDC state directory.

-
-
#!/bin/sh
-
-kdclist = "kerberos-1.mit.edu kerberos-2.mit.edu"
-
-kdb5_util dump /usr/local/var/krb5kdc/slave_datatrans
-
-for kdc in $kdclist
-do
-    kprop -f /usr/local/var/krb5kdc/slave_datatrans $kdc
-done
-
-
-

You will need to set up a cron job to run this script at the intervals -you decided on earlier (see Database propagation).

-

Now that the slave KDC has a copy of the Kerberos database, you can -start the krb5kdc daemon:

-
shell% krb5kdc
-
-
-

As with the master KDC, you will probably want to add this command to -the KDCs’ /etc/rc or /etc/inittab files, so they will start -the krb5kdc daemon automatically at boot time.

-
-

Propagation failed?¶

-

You may encounter the following error messages. For a more detailed -discussion on possible causes and solutions click on the error link -to be redirected to Troubleshooting section.

-
    -
  1. kprop: No route to host while connecting to server
    2. -
  2. kprop: Connection refused while connecting to server
    3. -
  3. kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
    4. -
-
-
-
-
-

Add Kerberos principals to the database¶

-

Once your KDCs are set up and running, you are ready to use -kadmin to load principals for your users, hosts, and other -services into the Kerberos database. This procedure is described -fully in Adding, modifying and deleting principals.

-

You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. See the following section for the -instructions.

-
-
-

Switching master and slave KDCs¶

-

You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash.

-

Assuming you have configured all of your KDCs to be able to function -as either the master KDC or a slave KDC (as this document recommends), -all you need to do to make the changeover is:

-

If the master KDC is still running, do the following on the old -master KDC:

-
    -
  1. Kill the kadmind process.
    2. -
  2. Disable the cron job that propagates the database.
    3. -
  3. Run your database propagation script manually, to ensure that the -slaves all have the latest copy of the database (see -Propagate the database to each slave KDC).
    4. -
-

On the new master KDC:

-
    -
  1. Start the kadmind daemon (see Start the Kerberos daemons on the master KDC).
    2. -
  2. Set up the cron job to propagate the database (see -Propagate the database to each slave KDC).
    3. -
  3. Switch the CNAMEs of the old and new master KDCs. If you can’t do -this, you’ll need to change the krb5.conf file on every -client machine in your Kerberos realm.
    4. -
-
-
-

Incremental database propagation¶

-

If you expect your Kerberos database to become large, you may wish to -set up incremental propagation to slave KDCs. See Incremental database propagation -for details.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/lockout.html b/doc/html/admin/lockout.html deleted file mode 100644 index 63e46c2..0000000 --- a/doc/html/admin/lockout.html +++ /dev/null @@ -1,300 +0,0 @@ - - - - - - - - Account lockout — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Account lockout¶

-

As of release 1.8, the KDC can be configured to lock out principals -after a number of failed authentication attempts within a period of -time. Account lockout can make it more difficult to attack a -principal’s password by brute force, but also makes it easy for an -attacker to deny access to a principal.

-
-

Configuring account lockout¶

-

Account lockout only works for principals with the -+requires_preauth flag set. Without this flag, the KDC cannot -know whether or not a client successfully decrypted the ticket it -issued. It is also important to set the -allow_svr flag on a -principal to protect its password from an off-line dictionary attack -through a TGS request. You can set these flags on a principal with -kadmin as follows:

-
kadmin: modprinc +requires_preauth -allow_svr PRINCNAME
-
-
-

Account lockout parameters are configured via policy objects. There may be an existing policy associated with user -principals (such as the “default” policy), or you may need to create a -new one and associate it with each user principal.

-

The policy parameters related to account lockout are:

- -

Here is an example of setting these parameters on a new policy and -associating it with a principal:

-
kadmin: addpol -maxfailure 10 -failurecountinterval 180
-    -lockoutduration 60 lockout_policy
-kadmin: modprinc -policy lockout_policy PRINCNAME
-
-
-
-
-

Testing account lockout¶

-

To test that account lockout is working, try authenticating as the -principal (hopefully not one that might be in use) multiple times with -the wrong password. For instance, if maxfailure is set to 2, you -might see:

-
$ kinit user
-Password for user@KRBTEST.COM:
-kinit: Password incorrect while getting initial credentials
-$ kinit user
-Password for user@KRBTEST.COM:
-kinit: Password incorrect while getting initial credentials
-$ kinit user
-kinit: Client's credentials have been revoked while getting initial credentials
-
-
-
-
-

Account lockout principal state¶

-

A principal entry keeps three pieces of state related to account -lockout:

-
    -
  • The time of last successful authentication
    • -
  • The time of last failed authentication
    • -
  • A counter of failed attempts
    • -
-

The time of last successful authentication is not actually needed for -the account lockout system to function, but may be of administrative -interest. These fields can be observed with the getprinc kadmin -command. For example:

-
kadmin: getprinc user
-Principal: user@KRBTEST.COM
-...
-Last successful authentication: [never]
-Last failed authentication: Mon Dec 03 12:30:33 EST 2012
-Failed password attempts: 2
-...
-
-
-

A principal which has been locked out can be administratively unlocked -with the -unlock option to the modprinc kadmin command:

-
kadmin: modprinc -unlock PRINCNAME
-
-
-

This command will reset the number of failed attempts to 0.

-
-
-

KDC replication and account lockout¶

-

The account lockout state of a principal is not replicated by either -traditional kprop or incremental propagation. Because of -this, the number of attempts an attacker can make within a time period -is multiplied by the number of KDCs. For instance, if the -maxfailure parameter on a policy is 10 and there are four KDCs in -the environment (a master and three slaves), an attacker could make as -many as 40 attempts before the principal is locked out on all four -KDCs.

-

An administrative unlock is propagated from the master to the slave -KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each slave to -reset to 1 on the next failure.

-

If a KDC environment uses a replication strategy other than kprop or -incremental propagation, such as the LDAP KDB module with multi-master -LDAP replication, then account lockout state may be replicated between -KDCs and the concerns of this section may not apply.

-
-
-

KDC performance and account lockout¶

-

In order to fully track account lockout state, the KDC must write to -the the database on each successful and failed authentication. -Writing to the database is generally more expensive than reading from -it, so these writes may have a significant impact on KDC performance. -As of release 1.9, it is possible to turn off account lockout state -tracking in order to improve performance, by setting the -disable_last_success and disable_lockout variables in the -database module subsection of kdc.conf. For example:

-
[dbmodules]
-    DB = {
-        disable_last_success = true
-        disable_lockout = true
-    }
-
-
-

Of the two variables, setting disable_last_success will usually -have the largest positive impact on performance, and will still allow -account lockout policies to operate. However, it will make it -impossible to observe the last successful authentication time with -kadmin.

-
-
-

KDC setup and account lockout¶

-

To update the account lockout state on principals, the KDC must be -able to write to the principal database. For the DB2 module, no -special setup is required. For the LDAP module, the KDC DN must be -granted write access to the principal objects. If the KDC DN has only -read access, account lockout will not function.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/otp.html b/doc/html/admin/otp.html deleted file mode 100644 index c1ce2d7..0000000 --- a/doc/html/admin/otp.html +++ /dev/null @@ -1,248 +0,0 @@ - - - - - - - - OTP Preauthentication — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

OTP Preauthentication¶

-

OTP is a preauthentication mechanism for Kerberos 5 which uses One -Time Passwords (OTP) to authenticate the client to the KDC. The OTP -is passed to the KDC over an encrypted FAST channel in clear-text. -The KDC uses the password along with per-user configuration to proxy -the request to a third-party RADIUS system. This enables -out-of-the-box compatibility with a large number of already widely -deployed proprietary systems.

-

Additionally, our implementation of the OTP system allows for the -passing of RADIUS requests over a UNIX domain stream socket. This -permits the use of a local companion daemon which can handle the -details of authentication.

-
-

Defining token types¶

-

Token types are defined in either krb5.conf or -kdc.conf according to the following format:

-
[otp]
-    <name> = {
-        server = <host:port or filename> (default: see below)
-        secret = <filename>
-        timeout = <integer> (default: 5 [seconds])
-        retries = <integer> (default: 3)
-        strip_realm = <boolean> (default: true)
-        indicator = <string> (default: none)
-    }
-
-
-

If the server field begins with ‘/’, it will be interpreted as a UNIX -socket. Otherwise, it is assumed to be in the format host:port. When -a UNIX domain socket is specified, the secret field is optional and an -empty secret is used by default. If the server field is not -specified, it defaults to RUNSTATEDIR/krb5kdc/<name>.socket.

-

When forwarding the request over RADIUS, by default the principal is -used in the User-Name attribute of the RADIUS packet. The strip_realm -parameter controls whether the principal is forwarded with or without -the realm portion.

-

If an indicator field is present, tickets issued using this token type -will be annotated with the specified authentication indicator (see -Authentication indicators). This key may be specified multiple times to -add multiple indicators.

-
-
-

The default token type¶

-

A default token type is used internally when no token type is specified for a -given user. It is defined as follows:

-
[otp]
-    DEFAULT = {
-        strip_realm = false
-    }
-
-
-

The administrator may override the internal DEFAULT token type -simply by defining a configuration with the same name.

-
-
-

Token instance configuration¶

-

To enable OTP for a client principal, the administrator must define -the otp string attribute for that principal. (See -set_string.) The otp user string is a JSON string of the -format:

-
[{
-    "type": <string>,
-    "username": <string>,
-    "indicators": [<string>, ...]
- }, ...]
-
-
-

This is an array of token objects. Both fields of token objects are -optional. The type field names the token type of this token; if -not specified, it defaults to DEFAULT. The username field -specifies the value to be sent in the User-Name RADIUS attribute. If -not specified, the principal name is sent, with or without realm as -defined in the token type. The indicators field specifies a list -of authentication indicators to annotate tickets with, overriding any -indicators specified in the token type.

-

For ease of configuration, an empty array ([]) is treated as -equivalent to one DEFAULT token ([{}]).

-
-
-

Other considerations¶

-
    -
  1. FAST is required for OTP to work.
    2. -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/pkinit.html b/doc/html/admin/pkinit.html deleted file mode 100644 index 8c7c183..0000000 --- a/doc/html/admin/pkinit.html +++ /dev/null @@ -1,447 +0,0 @@ - - - - - - - - PKINIT configuration — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

PKINIT configuration¶

-

PKINIT is a preauthentication mechanism for Kerberos 5 which uses -X.509 certificates to authenticate the KDC to clients and vice versa. -PKINIT can also be used to enable anonymity support, allowing clients -to communicate securely with the KDC or with application servers -without authenticating as a particular client principal.

-
-

Creating certificates¶

-

PKINIT requires an X.509 certificate for the KDC and one for each -client principal which will authenticate using PKINIT. For anonymous -PKINIT, a KDC certificate is required, but client certificates are -not. A commercially issued server certificate can be used for the KDC -certificate, but generally cannot be used for client certificates.

-

The instruction in this section describe how to establish a -certificate authority and create standard PKINIT certificates. Skip -this section if you are using a commercially issued server certificate -as the KDC certificate for anonymous PKINIT, or if you are configuring -a client to use an Active Directory KDC.

-
-

Generating a certificate authority certificate¶

-

You can establish a new certificate authority (CA) for use with a -PKINIT deployment with the commands:

-
openssl genrsa -out cakey.pem 2048
-openssl req -key cakey.pem -new -x509 -out cacert.pem -days 3650
-
-
-

The second command will ask for the values of several certificate -fields. These fields can be set to any values. You can adjust the -expiration time of the CA certificate by changing the number after --days. Since the CA certificate must be deployed to client -machines each time it changes, it should normally have an expiration -time far in the future; however, expiration times after 2037 may cause -interoperability issues in rare circumstances.

-

The result of these commands will be two files, cakey.pem and -cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which -must be carefully protected. cacert.pem will contain the CA -certificate, which must be placed in the filesytems of the KDC and -each client host. cakey.pem will be required to create KDC and client -certificates.

-
-
-

Generating a KDC certificate¶

-

A KDC certificate for use with PKINIT is required to have some unusual -fields, which makes generating them with OpenSSL somewhat complicated. -First, you will need a file containing the following:

-
[kdc_cert]
-basicConstraints=CA:FALSE
-keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.5
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name
-
-[kdc_princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:kdc_principal_seq
-
-[kdc_principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:kdc_principals
-
-[kdc_principals]
-princ1=GeneralString:krbtgt
-princ2=GeneralString:${ENV::REALM}
-
-
-

If the above contents are placed in extensions.kdc, you can generate -and sign a KDC certificate with the following commands:

-
openssl genrsa -out kdckey.pem 2048
-openssl req -new -out kdc.req -key kdckey.pem
-env REALM=YOUR_REALMNAME openssl x509 -req -in kdc.req \
-    -CAkey cakey.pem -CA cacert.pem -out kdc.pem -days 365 \
-    -extfile extensions.kdc -extensions kdc_cert -CAcreateserial
-rm kdc.req
-
-
-

The second command will ask for the values of certificate fields, -which can be set to any values. In the third command, substitute your -KDC’s realm name for YOUR_REALMNAME. You can adjust the certificate’s -expiration date by changing the number after -days. Remember to -create a new KDC certificate before the old one expires.

-

The result of this operation will be in two files, kdckey.pem and -kdc.pem. Both files must be placed in the KDC’s filesystem. -kdckey.pem, which contains the KDC’s private key, must be carefully -protected.

-

If you examine the KDC certificate with openssl x509 -in kdc.pem --text -noout, OpenSSL will not know how to display the KDC principal -name in the Subject Alternative Name extension, so it will appear as -othername:<unsupported>. This is normal and does not mean -anything is wrong with the KDC certificate.

-
-
-

Generating client certificates¶

-

PKINIT client certificates also must have some unusual certificate -fields. To generate a client certificate with OpenSSL for a -single-component principal name, you will need an extensions file -(different from the KDC extensions file above) containing:

-
[client_cert]
-basicConstraints=CA:FALSE
-keyUsage=digitalSignature,keyEncipherment,keyAgreement
-extendedKeyUsage=1.3.6.1.5.2.3.4
-subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer
-issuerAltName=issuer:copy
-subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ_name
-
-[princ_name]
-realm=EXP:0,GeneralString:${ENV::REALM}
-principal_name=EXP:1,SEQUENCE:principal_seq
-
-[principal_seq]
-name_type=EXP:0,INTEGER:1
-name_string=EXP:1,SEQUENCE:principals
-
-[principals]
-princ1=GeneralString:${ENV::CLIENT}
-
-
-

If the above contents are placed in extensions.client, you can -generate and sign a client certificate with the following commands:

-
openssl genrsa -out clientkey.pem 2048
-openssl req -new -key clientkey.pem -out client.req
-env REALM=YOUR_REALMNAME CLIENT=YOUR_PRINCNAME openssl x509 \
-    -CAkey cakey.pem -CA cacert.pem -req -in client.req \
-    -extensions client_cert -extfile extensions.client \
-    -days 365 -out client.pem
-rm client.req
-
-
-

Normally, the first two commands should be run on the client host, and -the resulting client.req file transferred to the certificate authority -host for the third command. As in the previous steps, the second -command will ask for the values of certificate fields, which can be -set to any values. In the third command, substitute your realm’s name -for YOUR_REALMNAME and the client’s principal name (without realm) for -YOUR_PRINCNAME. You can adjust the certificate’s expiration date by -changing the number after -days.

-

The result of this operation will be two files, clientkey.pem and -client.pem. Both files must be present on the client’s host; -clientkey.pem, which contains the client’s private key, must be -protected from access by others.

-

As in the KDC certificate, OpenSSL will display the client principal -name as othername:<unsupported> in the Subject Alternative Name -extension of a PKINIT client certificate.

-

If the client principal name contains more than one component -(e.g. host/example.com@REALM), the [principals] section of -extensions.client must be altered to contain multiple entries. -(Simply setting CLIENT to host/example.com would generate a -certificate for host\/example.com@REALM which would not match the -multi-component principal name.) For a two-component principal, the -section should read:

-
[principals]
-princ1=GeneralString:${ENV::CLIENT1}
-princ2=GeneralString:${ENV::CLIENT2}
-
-
-

The environment variables CLIENT1 and CLIENT2 must then be set -to the first and second components when running openssl x509.

-
-
-
-

Configuring the KDC¶

-

The KDC must have filesystem access to the KDC certificate (kdc.pem) -and the KDC private key (kdckey.pem). Configure the following -relation in the KDC’s kdc.conf file, either in the -[kdcdefaults] section or in a [realms] subsection (with -appropriate pathnames):

-
pkinit_identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem
-
-
-

If any clients will authenticate using regular (as opposed to -anonymous) PKINIT, the KDC must also have filesystem access to the CA -certificate (cacert.pem), and the following configuration (with the -appropriate pathname):

-
pkinit_anchors = FILE:/var/lib/krb5kdc/cacert.pem
-
-
-

Because of the larger size of requests and responses using PKINIT, you -may also need to allow TCP access to the KDC:

-
kdc_tcp_listen = 88
-
-
-

Restart the krb5kdc daemon to pick up the configuration -changes.

-

The principal entry for each PKINIT-using client must be configured to -require preauthentication. Ensure this with the command:

-
kadmin -q 'modprinc +requires_preauth YOUR_PRINCNAME'
-
-
-

Starting with release 1.12, it is possible to remove the long-term -keys of a principal entry, which can save some space in the database -and help to clarify some PKINIT-related error conditions by not asking -for a password:

-
kadmin -q 'purgekeys -all YOUR_PRINCNAME'
-
-
-

These principal options can also be specified at principal creation -time as follows:

-
kadmin -q 'add_principal +requires_preauth -nokey YOUR_PRINCNAME'
-
-
-
-
-

Configuring the clients¶

-

Client hosts must be configured to trust the issuing authority for the -KDC certificate. For a newly established certificate authority, the -client host must have filesystem access to the CA certificate -(cacert.pem) and the following relation in krb5.conf in the -appropriate [realms] subsection (with appropriate pathnames):

-
pkinit_anchors = FILE:/etc/krb5/cacert.pem
-
-
-

If the KDC certificate is a commercially issued server certificate, -the issuing certificate is most likely included in a system directory. -You can specify it by filename as above, or specify the whole -directory like so:

-
pkinit_anchors = DIR:/etc/ssl/certs
-
-
-

A commercially issued server certificate will usually not have the -standard PKINIT principal name or Extended Key Usage extensions, so -the following additional configuration is required:

-
pkinit_eku_checking = kpServerAuth
-pkinit_kdc_hostname = hostname.of.kdc.certificate
-
-
-

Multiple pkinit_kdc_hostname relations can be configured to -recognize multiple KDC certificates. If the KDC is an Active -Directory domain controller, setting pkinit_kdc_hostname is -necessary, but it should not be necessary to set -pkinit_eku_checking.

-

To perform regular (as opposed to anonymous) PKINIT authentication, a -client host must have filesystem access to a client certificate -(client.pem), and the corresponding private key (clientkey.pem). -Configure the following relations in the client host’s -krb5.conf file in the appropriate [realms] subsection -(with appropriate pathnames):

-
pkinit_identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem
-
-
-

If the KDC and client are properly configured, it should now be -possible to run kinit username without entering a password.

-
-
-

Anonymous PKINIT¶

-

Anonymity support in Kerberos allows a client to obtain a ticket -without authenticating as any particular principal. Such a ticket can -be used as a FAST armor ticket, or to securely communicate with an -application server anonymously.

-

To configure anonymity support, you must generate or otherwise procure -a KDC certificate and configure the KDC host, but you do not need to -generate any client certificates. On the KDC, you must set the -pkinit_identity variable to provide the KDC certificate, but do -not need to set the pkinit_anchors variable or store the issuing -certificate if you won’t have any client certificates to verify. On -client hosts, you must set the pkinit_anchors variable (and -possibly pkinit_kdc_hostname and pkinit_eku_checking) in order -to trust the issuing authority for the KDC certificate, but do not -need to set the pkinit_identities variable.

-

Anonymity support is not enabled by default. To enable it, you must -create the principal WELLKNOWN/ANONYMOUS using the command:

-
kadmin -q 'addprinc -randkey WELLKNOWN/ANONYMOUS'
-
-
-

Some Kerberos deployments include application servers which lack -proper access control, and grant some level of access to any user who -can authenticate. In such an environment, enabling anonymity support -on the KDC would present a security issue. If you need to enable -anonymity support for TGTs (for use as FAST armor tickets) without -enabling anonymous authentication to application servers, you can set -the variable restrict_anonymous_to_tgt to true in the -appropriate [realms] subsection of the KDC’s -kdc.conf file.

-

To obtain anonymous credentials on a client, run kinit -n, or -kinit -n @REALMNAME to specify a realm. The resulting tickets -will have the client name WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/princ_dns.html b/doc/html/admin/princ_dns.html deleted file mode 100644 index d18a74c..0000000 --- a/doc/html/admin/princ_dns.html +++ /dev/null @@ -1,262 +0,0 @@ - - - - - - - - Principal names and DNS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Principal names and DNS¶

-

Kerberos clients can do DNS lookups to canonicalize service principal -names. This can cause difficulties when setting up Kerberos -application servers, especially when the client’s name for the service -is different from what the service thinks its name is.

-
-

Service principal names¶

-

A frequently used kind of principal name is the host-based service -principal name. This kind of principal name has two components: a -service name and a hostname. For example, imap/imap.example.com -is the principal name of the “imap” service on the host -“imap.example.com”. Other possible service names for the first -component include “host” (remote login services such as ssh), “HTTP”, -and “nfs” (Network File System).

-

Service administrators often publish well-known hostname aliases that -they would prefer users to use instead of the canonical name of the -service host. This gives service administrators more flexibility in -deploying services. For example, a shell login server might be named -“long-vanity-hostname.example.com”, but users will naturally prefer to -type something like “login.example.com”. Hostname aliases also allow -for administrators to set up load balancing for some sorts of services -based on rotating CNAME records in DNS.

-
-
-

Service principal canonicalization¶

-

MIT Kerberos clients currently always do forward resolution (looking -up the IPv4 and possibly IPv6 addresses using getaddrinfo()) of -the hostname part of a host-based service principal to canonicalize -the hostname. They obtain the “canonical” name of the host when doing -so. By default, MIT Kerberos clients will also then do reverse DNS -resolution (looking up the hostname associated with the IPv4 or IPv6 -address using getnameinfo()) of the hostname. Using the -krb5.conf setting:

-
[libdefaults]
-    rdns = false
-
-
-

will disable reverse DNS lookup on clients. The default setting is -“true”.

-

Operating system bugs may prevent a setting of rdns = false from -disabling reverse DNS lookup. Some versions of GNU libc have a bug in -getaddrinfo() that cause them to look up PTR records even when -not required. MIT Kerberos releases krb5-1.10.2 and newer have a -workaround for this problem, as does the krb5-1.9.x series as of -release krb5-1.9.4.

-
-
-

Reverse DNS mismatches¶

-

Sometimes, an enterprise will have control over its forward DNS but -not its reverse DNS. The reverse DNS is sometimes under the control -of the Internet service provider of the enterprise, and the enterprise -may not have much influence in setting up reverse DNS records for its -address space. If there are difficulties with getting forward and -reverse DNS to match, it is best to set rdns = false on client -machines.

-
-
-

Overriding application behavior¶

-

Applications can choose to use a default hostname component in their -service principal name when accepting authentication, which avoids -some sorts of hostname mismatches. Because not all relevant -applications do this yet, using the krb5.conf setting:

-
[libdefaults]
-    ignore_acceptor_hostname = true
-
-
-

will allow the Kerberos library to override the application’s choice -of service principal hostname and will allow a server program to -accept incoming authentications using any key in its keytab that -matches the service name and realm name (if given). This setting -defaults to “false” and is available in releases krb5-1.10 and later.

-
-
-

Provisioning keytabs¶

-

One service principal entry that should be in the keytab is a -principal whose hostname component is the canonical hostname that -getaddrinfo() reports for all known aliases for the host. If the -reverse DNS information does not match this canonical hostname, an -additional service principal entry should be in the keytab for this -different hostname.

-
-
-

Specific application advice¶

-
-

Secure shell (ssh)¶

-

Setting GSSAPIStrictAcceptorCheck = no in the configuration file -of modern versions of the openssh daemon will allow the daemon to try -any key in its keytab when accepting a connection, rather than looking -for the keytab entry that matches the host’s own idea of its name -(typically the name that gethostname() returns). This requires -krb5-1.10 or later.

-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/realm_config.html b/doc/html/admin/realm_config.html deleted file mode 100644 index c054b98..0000000 --- a/doc/html/admin/realm_config.html +++ /dev/null @@ -1,399 +0,0 @@ - - - - - - - - Realm configuration decisions — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Realm configuration decisions¶

-

Before installing Kerberos V5, it is necessary to consider the -following issues:

-
    -
  • The name of your Kerberos realm (or the name of each realm, if you -need more than one).
    • -
  • How you will assign your hostnames to Kerberos realms.
    • -
  • Which ports your KDC and and kadmind services will use, if they will -not be using the default ports.
    • -
  • How many slave KDCs you need and where they should be located.
    • -
  • The hostnames of your master and slave KDCs.
    • -
  • How frequently you will propagate the database from the master KDC -to the slave KDCs.
    • -
-
-

Realm name¶

-

Although your Kerberos realm can be any ASCII string, convention is to -make it the same as your domain name, in upper-case letters.

-

For example, hosts in the domain example.com would be in the -Kerberos realm:

-
EXAMPLE.COM
-
-
-

If you need multiple Kerberos realms, MIT recommends that you use -descriptive names which end with your domain name, such as:

-
BOSTON.EXAMPLE.COM
-HOUSTON.EXAMPLE.COM
-
-
-
-
-

Mapping hostnames onto Kerberos realms¶

-

Mapping hostnames onto Kerberos realms is done in one of three ways.

-

The first mechanism works through a set of rules in the -[domain_realm] section of krb5.conf. You can specify -mappings for an entire domain or on a per-hostname basis. Typically -you would do this by specifying the mappings for a given domain or -subdomain and listing the exceptions.

-

The second mechanism is to use KDC host-based service referrals. With -this method, the KDC’s krb5.conf has a full [domain_realm] mapping for -hosts, but the clients do not, or have mappings for only a subset of -the hosts they might contact. When a client needs to contact a server -host for which it has no mapping, it will ask the client realm’s KDC -for the service ticket, and will receive a referral to the appropriate -service realm.

-

To use referrals, clients must be running MIT krb5 1.6 or later, and -the KDC must be running MIT krb5 1.7 or later. The -host_based_services and no_host_referral variables in the -[realms] section of kdc.conf can be used to -fine-tune referral behavior on the KDC.

-

It is also possible for clients to use DNS TXT records, if -dns_lookup_realm is enabled in krb5.conf. Such lookups -are disabled by default because DNS is an insecure protocol and security -holes could result if DNS records are spoofed. If enabled, the client -will try to look up a TXT record formed by prepending the prefix -_kerberos to the hostname in question. If that record is not -found, the client will attempt a lookup by prepending _kerberos to the -host’s domain name, then its parent domain, up to the top-level domain. -For the hostname boston.engineering.example.com, the names looked up -would be:

-
_kerberos.boston.engineering.example.com
-_kerberos.engineering.example.com
-_kerberos.example.com
-_kerberos.com
-
-
-

The value of the first TXT record found is taken as the realm name.

-

Even if you do not choose to use this mechanism within your site, -you may wish to set it up anyway, for use when interacting with other sites.

-
-
-

Ports for the KDC and admin services¶

-

The default ports used by Kerberos are port 88 for the KDC and port -749 for the admin server. You can, however, choose to run on other -ports, as long as they are specified in each host’s -krb5.conf files or in DNS SRV records, and the -kdc.conf file on each KDC. For a more thorough treatment of -port numbers used by the Kerberos V5 programs, refer to the -Configuring your firewall to work with Kerberos V5.

-
-
-

Slave KDCs¶

-

Slave KDCs provide an additional source of Kerberos ticket-granting -services in the event of inaccessibility of the master KDC. The -number of slave KDCs you need and the decision of where to place them, -both physically and logically, depends on the specifics of your -network.

-

Kerberos authentication requires that each client be able to contact a -KDC. Therefore, you need to anticipate any likely reason a KDC might -be unavailable and have a slave KDC to take up the slack.

-

Some considerations include:

-
    -
  • Have at least one slave KDC as a backup, for when the master KDC is -down, is being upgraded, or is otherwise unavailable.
    • -
  • If your network is split such that a network outage is likely to -cause a network partition (some segment or segments of the network -to become cut off or isolated from other segments), have a slave KDC -accessible to each segment.
    • -
  • If possible, have at least one slave KDC in a different building -from the master, in case of power outages, fires, or other localized -disasters.
    • -
-
-
-

Hostnames for KDCs¶

-

MIT recommends that your KDCs have a predefined set of CNAME records -(DNS hostname aliases), such as kerberos for the master KDC and -kerberos-1, kerberos-2, ... for the slave KDCs. This way, if -you need to swap a machine, you only need to change a DNS entry, -rather than having to change hostnames.

-

As of MIT krb5 1.4, clients can locate a realm’s KDCs through DNS -using SRV records (RFC 2782), assuming the Kerberos realm name is -also a DNS domain name. These records indicate the hostname and port -number to contact for that service, optionally with weighting and -prioritization. The domain name used in the SRV record name is the -realm name. Several different Kerberos-related service names are -used:

-
-
_kerberos._udp
-
This is for contacting any KDC by UDP. This entry will be used -the most often. Normally you should list port 88 on each of your -KDCs.
-
_kerberos._tcp
-
This is for contacting any KDC by TCP. The MIT KDC by default -will not listen on any TCP ports, so unless you’ve changed the -configuration or you’re running another KDC implementation, you -should leave this unspecified. If you do enable TCP support, -normally you should use port 88.
-
_kerberos-master._udp
-

This entry should refer to those KDCs, if any, that will -immediately see password changes to the Kerberos database. If a -user is logging in and the password appears to be incorrect, the -client will retry with the master KDC before failing with an -“incorrect password” error given.

-

If you have only one KDC, or for whatever reason there is no -accessible KDC that would get database changes faster than the -others, you do not need to define this entry.

-
-
_kerberos-adm._tcp
-
This should list port 749 on your master KDC. Support for it is -not complete at this time, but it will eventually be used by the -kadmin program and related utilities. For now, you will -also need the admin_server variable in krb5.conf.
-
_kpasswd._udp
-
This should list port 464 on your master KDC. It is used when a -user changes her password. If this entry is not defined but a -_kerberos-adm._tcp entry is defined, the client will use the -_kerberos-adm._tcp entry with the port number changed to 749.
-
-

The DNS SRV specification requires that the hostnames listed be the -canonical names, not aliases. So, for example, you might include the -following records in your (BIND-style) zone file:

-
$ORIGIN foobar.com.
-_kerberos               TXT       "FOOBAR.COM"
-kerberos                CNAME     daisy
-kerberos-1              CNAME     use-the-force-luke
-kerberos-2              CNAME     bunny-rabbit
-_kerberos._udp          SRV       0 0 88 daisy
-                        SRV       0 0 88 use-the-force-luke
-                        SRV       0 0 88 bunny-rabbit
-_kerberos-master._udp   SRV       0 0 88 daisy
-_kerberos-adm._tcp      SRV       0 0 749 daisy
-_kpasswd._udp           SRV       0 0 464 daisy
-
-
-

Clients can also be configured with the explicit location of services -using the kdc, master_kdc, admin_server, and -kpasswd_server variables in the [realms] section of -krb5.conf. Even if some clients will be configured with -explicit server locations, providing SRV records will still benefit -unconfigured clients, and be useful for other sites.

-
-
-

KDC Discovery¶

-

As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI -records (RFC 7553). Limitations with the SRV record format may -result in extra DNS queries in situations where a client must failover -to other transport types, or find a master server. The URI record can -convey more information about a realm’s KDCs with a single query.

-

The client performs a query for the following URI records:

-
    -
  • _kerberos.REALM for fiding KDCs.
    • -
  • _kerberos-adm.REALM for finding kadmin services.
    • -
  • _kpasswd.REALM for finding password services.
    • -
-

The URI record includes a priority, weight, and a URI string that -consists of case-insensitive colon separated fields, in the form -scheme:[flags]:transport:residual.

-
    -
  • scheme defines the registered URI type. It should always be -krb5srv.
    • -
  • flags contains zero or more flag characters. Currently the only -valid flag is m, which indicates that the record is for a master -server.
    • -
  • transport defines the transport type of the residual URL or -address. Accepted values are tcp, udp, or kkdcp for the -MS-KKDCP type.
    • -
  • residual contains the hostname, IP address, or URL to be -contacted using the specified transport, with an optional port -extension. The MS-KKDCP transport type uses a HTTPS URL, and can -include a port and/or path extension.
    • -
-

An example of URI records in a zone file:

-
_kerberos.EXAMPLE.COM  URI  10 1 krb5srv:m:tcp:kdc1.example.com
-                       URI  20 1 krb5srv:m:udp:kdc2.example.com:89
-                       URI  40 1 krb5srv::udp:10.10.0.23
-                       URI  30 1 krb5srv::kkdcp:https://proxy:89/auth
-
-
-

URI lookups are enabled by default, and can be disabled by setting -dns_uri_lookup in the [libdefaults] section of -krb5.conf to False. When enabled, URI lookups take -precedence over SRV lookups, falling back to SRV lookups if no URI -records are found.

-
-
-

Database propagation¶

-

The Kerberos database resides on the master KDC, and must be -propagated regularly (usually by a cron job) to the slave KDCs. In -deciding how frequently the propagation should happen, you will need -to balance the amount of time the propagation takes against the -maximum reasonable amount of time a user should have to wait for a -password change to take effect.

-

If the propagation time is longer than this maximum reasonable time -(e.g., you have a particularly large database, you have a lot of -slaves, or you experience frequent network delays), you may wish to -cut down on your propagation delay by performing the propagation in -parallel. To do this, have the master KDC propagate the database to -one set of slaves, and then have each of these slaves propagate the -database to additional slaves.

-

See also Incremental database propagation

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/troubleshoot.html b/doc/html/admin/troubleshoot.html deleted file mode 100644 index 4c8bd5b..0000000 --- a/doc/html/admin/troubleshoot.html +++ /dev/null @@ -1,273 +0,0 @@ - - - - - - - - Troubleshooting — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Troubleshooting¶

-
-

Trace logging¶

-

Most programs using MIT krb5 1.9 or later can be made to provide -information about internal krb5 library operations using trace -logging. To enable this, set the KRB5_TRACE environment variable -to a filename before running the program. On many operating systems, -the filename /dev/stdout can be used to send trace logging output -to standard output.

-

Some programs do not honor KRB5_TRACE, either because they use -secure library contexts (this generally applies to setuid programs and -parts of the login system) or because they take direct control of the -trace logging system using the API.

-

Here is a short example showing trace logging output for an invocation -of the kvno command:

-
shell% env KRB5_TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM
-[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM ->
-    krbtgt/KRBTEST.COM@KRBTEST.COM using ccache
-    FILE:/me/krb5/build/testdir/ccache
-[9138] 1332348778.823381: Retrieving user@KRBTEST.COM ->
-    krbtgt/KRBTEST.COM@KRBTEST.COM from
-    FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0
-krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1
-
-
-
-
-

List of errors¶

- -
-

Errors seen by admins¶

-
    -
  1. kprop: No route to host while connecting to server
    2. -
  2. kprop: Connection refused while connecting to server
    3. -
  3. kprop: Server rejected authentication (during sendauth exchange) while authenticating to server
    4. -
-
-
-

KDC has no support for encryption type while getting initial credentials¶

-
-
-

credential verification failed: KDC has no support for encryption type¶

-

This most commonly happens when trying to use a principal with only -DES keys, in a release (MIT krb5 1.7 or later) which disables DES by -default. DES encryption is considered weak due to its inadequate key -size. If you cannot migrate away from its use, you can re-enable DES -by adding allow_weak_crypto = true to the [libdefaults] -section of krb5.conf.

-
-
-

Cannot create cert chain: certificate has expired¶

-

This error message indicates that PKINIT authentication failed because -the client certificate, KDC certificate, or one of the certificates in -the signing chain above them has expired.

-

If the KDC certificate has expired, this message appears in the KDC -log file, and the client will receive a “Preauthentication failed” -error. (Prior to release 1.11, the KDC log file message erroneously -appears as “Out of memory”. Prior to release 1.12, the client will -receive a “Generic error”.)

-

If the client or a signing certificate has expired, this message may -appear in trace_logging output from kinit or, starting in -release 1.12, as an error message from kinit or another program which -gets initial tickets. The error message is more likely to appear -properly on the client if the principal entry has no long-term keys.

-
-
-

kprop: No route to host while connecting to server¶

-

Make sure that the hostname of the slave (as given to kprop) is -correct, and that any firewalls between the master and the slave allow -a connection on port 754.

-
-
-

kprop: Connection refused while connecting to server¶

-

If the slave is intended to run kpropd out of inetd, make sure that -inetd is configured to accept krb5_prop connections. inetd may need -to be restarted or sent a SIGHUP to recognize the new configuration. -If the slave is intended to run kpropd in standalone mode, make sure -that it is running.

-
-
-

kprop: Server rejected authentication (during sendauth exchange) while authenticating to server¶

-

Make sure that:

-
    -
  1. The time is synchronized between the master and slave KDCs.
    2. -
  2. The master stash file was copied from the master to the expected -location on the slave.
    3. -
  3. The slave has a keytab file in the default location containing a -host principal for the slave’s hostname.
    4. -
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/admin/various_envs.html b/doc/html/admin/various_envs.html deleted file mode 100644 index 0d1a895..0000000 --- a/doc/html/admin/various_envs.html +++ /dev/null @@ -1,189 +0,0 @@ - - - - - - - - Various links — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/gssapi.html b/doc/html/appdev/gssapi.html deleted file mode 100644 index 9850302..0000000 --- a/doc/html/appdev/gssapi.html +++ /dev/null @@ -1,705 +0,0 @@ - - - - - - - - Developing with GSSAPI — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Developing with GSSAPI¶

-

The GSSAPI (Generic Security Services API) allows applications to -communicate securely using Kerberos 5 or other security mechanisms. -We recommend using the GSSAPI (or a higher-level framework which -encompasses GSSAPI, such as SASL) for secure network communication -over using the libkrb5 API directly.

-

GSSAPIv2 is specified in RFC 2743 and RFC 2744. Also see -RFC 7546 for a description of how to use the GSSAPI in a client or -server program.

-

This documentation will describe how various ways of using the -GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, -as well as krb5-specific extensions to the GSSAPI.

-
-

Name types¶

-

A GSSAPI application can name a local or remote entity by calling -gss_import_name, specifying a name type and a value. The following -name types are supported by the krb5 mechanism:

-
    -
  • GSS_C_NT_HOSTBASED_SERVICE: The value should be a string of the -form service or service@hostname. This is the most common -way to name target services when initiating a security context, and -is the most likely name type to work across multiple mechanisms.
    • -
  • GSS_KRB5_NT_PRINCIPAL_NAME: The value should be a principal name -string. This name type only works with the krb5 mechanism, and is -defined in the <gssapi/gssapi_krb5.h> header.
    • -
  • GSS_C_NT_USER_NAME or GSS_C_NULL_OID: The value is treated -as an unparsed principal name string, as above. These name types -may work with mechanisms other than krb5, but will have different -interpretations in those mechanisms. GSS_C_NT_USER_NAME is -intended to be used with a local username, which will parse into a -single-component principal in the default realm.
    • -
  • GSS_C_NT_ANONYMOUS: The value is ignored. The anonymous -principal is used, allowing a client to authenticate to a server -without asserting a particular identity (which may or may not be -allowed by a particular server or Kerberos realm).
    • -
  • GSS_C_NT_MACHINE_UID_NAME: The value is uid_t object. On -Unix-like systems, the username of the uid is looked up in the -system user database and the resulting username is parsed as a -principal name.
    • -
  • GSS_C_NT_STRING_UID_NAME: As above, but the value is a decimal -string representation of the uid.
    • -
  • GSS_C_NT_EXPORT_NAME: The value must be the result of a -gss_export_name call.
    • -
-
-
-

Initiator credentials¶

-

A GSSAPI client application uses gss_init_sec_context to establish a -security context. The initiator_cred_handle parameter determines -what tickets are used to establish the connection. An application can -either pass GSS_C_NO_CREDENTIAL to use the default client -credential, or it can use gss_acquire_cred beforehand to acquire an -initiator credential. The call to gss_acquire_cred may include a -desired_name parameter, or it may pass GSS_C_NO_NAME if it does -not have a specific name preference.

-

If the desired name for a krb5 initiator credential is a host-based -name, it is converted to a principal name of the form -service/hostname in the local realm, where hostname is the local -hostname if not specified. The hostname will be canonicalized using -forward name resolution, and possibly also using reverse name -resolution depending on the value of the rdns variable in -[libdefaults].

-

If a desired name is specified in the call to gss_acquire_cred, the -krb5 mechanism will attempt to find existing tickets for that client -principal name in the default credential cache or collection. If the -default cache type does not support a collection, and the default -cache contains credentials for a different principal than the desired -name, a GSS_S_CRED_UNAVAIL error will be returned with a minor -code indicating a mismatch.

-

If no existing tickets are available for the desired name, but the -name has an entry in the default client keytab, the -krb5 mechanism will acquire initial tickets for the name using the -default client keytab.

-

If no desired name is specified, credential acquisition will be -deferred until the credential is used in a call to -gss_init_sec_context or gss_inquire_cred. If the call is to -gss_init_sec_context, the target name will be used to choose a client -principal name using the credential cache selection facility. (This -facility might, for instance, try to choose existing tickets for a -client principal in the same realm as the target service). If there -are no existing tickets for the chosen principal, but it is present in -the default client keytab, the krb5 mechanism will acquire initial -tickets using the keytab.

-

If the target name cannot be used to select a client principal -(because the credentials are used in a call to gss_inquire_cred), or -if the credential cache selection facility cannot choose a principal -for it, the default credential cache will be selected if it exists and -contains tickets.

-

If the default credential cache does not exist, but the default client -keytab does, the krb5 mechanism will try to acquire initial tickets -for the first principal in the default client keytab.

-

If the krb5 mechanism acquires initial tickets using the default -client keytab, the resulting tickets will be stored in the default -cache or collection, and will be refreshed by future calls to -gss_acquire_cred as they approach their expire time.

-
-
-

Acceptor names¶

-

A GSSAPI server application uses gss_accept_sec_context to establish -a security context based on tokens provided by the client. The -acceptor_cred_handle parameter determines what -keytab entries may be authenticated to by the -client, if the krb5 mechanism is used.

-

The simplest choice is to pass GSS_C_NO_CREDENTIAL as the acceptor -credential. In this case, clients may authenticate to any service -principal in the default keytab (typically DEFKTNAME, or the value of -the KRB5_KTNAME environment variable). This is the recommended -approach if the server application has no specific requirements to the -contrary.

-

A server may acquire an acceptor credential with gss_acquire_cred and -a cred_usage of GSS_C_ACCEPT or GSS_C_BOTH. If the -desired_name parameter is GSS_C_NO_NAME, then clients will be -allowed to authenticate to any service principal in the default -keytab, just as if no acceptor credential was supplied.

-

If a server wishes to specify a desired_name to gss_acquire_cred, -the most common choice is a host-based name. If the host-based -desired_name contains just a service, then clients will be allowed -to authenticate to any host-based service principal (that is, a -principal of the form service/hostname@REALM) for the named -service, regardless of hostname or realm, as long as it is present in -the default keytab. If the input name contains both a service and a -hostname, clients will be allowed to authenticate to any host-based -principal for the named service and hostname, regardless of realm.

-
-

Note

-

If a hostname is specified, it will be canonicalized -using forward name resolution, and possibly also using -reverse name resolution depending on the value of the -rdns variable in [libdefaults].

-
-
-

Note

-

If the ignore_acceptor_hostname variable in -[libdefaults] is enabled, then hostname will be -ignored even if one is specified in the input name.

-
-
-

Note

-

In MIT krb5 versions prior to 1.10, and in Heimdal’s -implementation of the krb5 mechanism, an input name with -just a service is treated like an input name of -service@localhostname, where localhostname is the -string returned by gethostname().

-
-

If the desired_name is a krb5 principal name or a local system name -type which is mapped to a krb5 principal name, clients will only be -allowed to authenticate to that principal in the default keytab.

-
-
-

Name Attributes¶

-

In release 1.8 or later, the gss_inquire_name and -gss_get_name_attribute functions, specified in RFC 6680, can be -used to retrieve name attributes from the src_name returned by -gss_accept_sec_context. The following attributes are defined when -the krb5 mechanism is used:

-
    -
  • “auth-indicators” attribute:
    • -
-

This attribute will be included in the gss_inquire_name output if the -ticket contains authentication indicators. -One indicator is returned per invocation of gss_get_name_attribute, -so multiple invocations may be necessary to retrieve all of the -indicators from the ticket. (New in release 1.15.)

-
-
-

Importing and exporting credentials¶

-

The following GSSAPI extensions can be used to import and export -credentials (declared in <gssapi/gssapi_ext.h>):

-
OM_uint32 gss_export_cred(OM_uint32 *minor_status,
-                          gss_cred_id_t cred_handle,
-                          gss_buffer_t token);
-
-OM_uint32 gss_import_cred(OM_uint32 *minor_status,
-                          gss_buffer_t token,
-                          gss_cred_id_t *cred_handle);
-
-
-

The first function serializes a GSSAPI credential handle into a -buffer; the second unseralizes a buffer into a GSSAPI credential -handle. Serializing a credential does not destroy it. If any of the -mechanisms used in cred_handle do not support serialization, -gss_export_cred will return GSS_S_UNAVAILABLE. As with other -GSSAPI serialization functions, these extensions are only intended to -work with a matching implementation on the other side; they do not -serialize credentials in a standardized format.

-

A serialized credential may contain secret information such as ticket -session keys. The serialization format does not protect this -information from eavesdropping or tampering. The calling application -must take care to protect the serialized credential when communicating -it over an insecure channel or to an untrusted party.

-

A krb5 GSSAPI credential may contain references to a credential cache, -a client keytab, an acceptor keytab, and a replay cache. These -resources are normally serialized as references to their external -locations (such as the filename of the credential cache). Because of -this, a serialized krb5 credential can only be imported by a process -with similar privileges to the exporter. A serialized credential -should not be trusted if it originates from a source with lower -privileges than the importer, as it may contain references to external -credential cache, keytab, or replay cache resources not accessible to -the originator.

-

An exception to the above rule applies when a krb5 GSSAPI credential -refers to a memory credential cache, as is normally the case for -delegated credentials received by gss_accept_sec_context. In this -case, the contents of the credential cache are serialized, so that the -resulting token may be imported even if the original memory credential -cache no longer exists.

-
-
-

Constrained delegation (S4U)¶

-

The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions -allow an intermediate service to acquire credentials from a client to -a target service without requiring the client to delegate a -ticket-granting ticket, if the KDC is configured to allow it.

-

To perform a constrained delegation operation, the intermediate -service must submit to the KDC an “evidence ticket” from the client to -the intermediate service with the forwardable bit set. An evidence -ticket can be acquired when the client authenticates to the -intermediate service with Kerberos, or with an S4U2Self request if the -KDC allows it. The MIT krb5 GSSAPI library represents an evidence -ticket using a “proxy credential”, which is a special kind of -gss_cred_id_t object whose underlying credential cache contains the -evidence ticket and a krbtgt ticket for the intermediate service.

-

To acquire a proxy credential during client authentication, the -service should first create an acceptor credential using the -GSS_C_BOTH usage. The application should then pass this -credential as the acceptor_cred_handle to gss_accept_sec_context, -and also pass a delegated_cred_handle output parameter to receive a -proxy credential containing the evidence ticket. The output value of -delegated_cred_handle may be a delegated ticket-granting ticket if -the client sent one, or a proxy credential if the client authenticated -with a forwardable service ticket, or GSS_C_NO_CREDENTIAL if -neither is the case.

-

To acquire a proxy credential using an S4U2Self request, the service -can use the following GSSAPI extension:

-
OM_uint32 gss_acquire_cred_impersonate_name(OM_uint32 *minor_status,
-                                            gss_cred_id_t icred,
-                                            gss_name_t desired_name,
-                                            OM_uint32 time_req,
-                                            gss_OID_set desired_mechs,
-                                            gss_cred_usage_t cred_usage,
-                                            gss_cred_id_t *output_cred,
-                                            gss_OID_set *actual_mechs,
-                                            OM_uint32 *time_rec);
-
-
-

The parameters to this function are similar to those of -gss_acquire_cred, except that icred is used to make an S4U2Self -request to the KDC for a ticket from desired_name to the -intermediate service. Both icred and desired_name are required -for this function; passing GSS_C_NO_CREDENTIAL or -GSS_C_NO_NAME will cause the call to fail. icred must contain a -krbtgt ticket for the intermediate service. If the KDC returns a -forwardable ticket, the result of this operation is a proxy -credential; if it is not forwardable, the result is a regular -credential for desired_name.

-

A recent KDC will usually allow any service to acquire a ticket from a -client to itself with an S4U2Self request, but the ticket will only be -forwardable if the service has a specific privilege. In the MIT krb5 -KDC, this privilege is determined by the ok_to_auth_as_delegate -bit on the intermediate service’s principal entry, which can be -configured with kadmin.

-

Once the intermediate service has a proxy credential, it can simply -pass it to gss_init_sec_context as the initiator_cred_handle -parameter, and the desired service as the target_name parameter. -The GSSAPI library will present the krbtgt ticket and evidence ticket -in the proxy credential to the KDC in an S4U2Proxy request; if the -intermediate service has the appropriate permissions, the KDC will -issue a ticket from the client to the target service. The GSSAPI -library will then use this ticket to authenticate to the target -service.

-
-
-

AEAD message wrapping¶

-

The following GSSAPI extensions (declared in -<gssapi/gssapi_ext.h>) can be used to wrap and unwrap messages -with additional “associated data” which is integrity-checked but is -not included in the output buffer:

-
OM_uint32 gss_wrap_aead(OM_uint32 *minor_status,
-                        gss_ctx_id_t context_handle,
-                        int conf_req_flag, gss_qop_t qop_req,
-                        gss_buffer_t input_assoc_buffer,
-                        gss_buffer_t input_payload_buffer,
-                        int *conf_state,
-                        gss_buffer_t output_message_buffer);
-
-OM_uint32 gss_unwrap_aead(OM_uint32 *minor_status,
-                          gss_ctx_id_t context_handle,
-                          gss_buffer_t input_message_buffer,
-                          gss_buffer_t input_assoc_buffer,
-                          gss_buffer_t output_payload_buffer,
-                          int *conf_state,
-                          gss_qop_t *qop_state);
-
-
-

Wrap tokens created with gss_wrap_aead will successfully unwrap only -if the same input_assoc_buffer contents are presented to -gss_unwrap_aead.

-
-
-

IOV message wrapping¶

-

The following extensions (declared in <gssapi/gssapi_ext.h>) can -be used for in-place encryption, fine-grained control over wrap token -layout, and for constructing wrap tokens compatible with Microsoft DCE -RPC:

-
typedef struct gss_iov_buffer_desc_struct {
-    OM_uint32 type;
-    gss_buffer_desc buffer;
-} gss_iov_buffer_desc, *gss_iov_buffer_t;
-
-OM_uint32 gss_wrap_iov(OM_uint32 *minor_status,
-                       gss_ctx_id_t context_handle,
-                       int conf_req_flag, gss_qop_t qop_req,
-                       int *conf_state,
-                       gss_iov_buffer_desc *iov, int iov_count);
-
-OM_uint32 gss_unwrap_iov(OM_uint32 *minor_status,
-                         gss_ctx_id_t context_handle,
-                         int *conf_state, gss_qop_t *qop_state,
-                         gss_iov_buffer_desc *iov, int iov_count);
-
-OM_uint32 gss_wrap_iov_length(OM_uint32 *minor_status,
-                              gss_ctx_id_t context_handle,
-                              int conf_req_flag,
-                              gss_qop_t qop_req, int *conf_state,
-                              gss_iov_buffer_desc *iov,
-                              int iov_count);
-
-OM_uint32 gss_release_iov_buffer(OM_uint32 *minor_status,
-                                 gss_iov_buffer_desc *iov,
-                                 int iov_count);
-
-
-

The caller of gss_wrap_iov provides an array of gss_iov_buffer_desc -structures, each containing a type and a gss_buffer_desc structure. -Valid types include:

-
    -
  • GSS_C_BUFFER_TYPE_DATA: A data buffer to be included in the -token, and to be encrypted or decrypted in-place if the token is -confidentiality-protected.
    • -
  • GSS_C_BUFFER_TYPE_HEADER: The GSSAPI wrap token header and -underlying cryptographic header.
    • -
  • GSS_C_BUFFER_TYPE_TRAILER: The cryptographic trailer, if one is -required.
    • -
  • GSS_C_BUFFER_TYPE_PADDING: Padding to be combined with the data -during encryption and decryption. (The implementation may choose to -place padding in the trailer buffer, in which case it will set the -padding buffer length to 0.)
    • -
  • GSS_C_BUFFER_TYPE_STREAM: For unwrapping only, a buffer -containing a complete wrap token in standard format to be unwrapped.
    • -
  • GSS_C_BUFFER_TYPE_SIGN_ONLY: A buffer to be included in the -token’s integrity protection checksum, but not to be encrypted or -included in the token itself.
    • -
-

For gss_wrap_iov, the IOV list should contain one HEADER buffer, -followed by zero or more SIGN_ONLY buffers, followed by one or more -DATA buffers, followed by a TRAILER buffer. The memory pointed to by -the buffers is not required to be contiguous or in any particular -order. If conf_req_flag is true, DATA buffers will be encrypted -in-place, while SIGN_ONLY buffers will not be modified.

-

The type of an output buffer may be combined with -GSS_C_BUFFER_FLAG_ALLOCATE to request that gss_wrap_iov allocate -the buffer contents. If gss_wrap_iov allocates a buffer, it sets the -GSS_C_BUFFER_FLAG_ALLOCATED flag on the buffer type. -gss_release_iov_buffer can be used to release all allocated buffers -within an iov list and unset their allocated flags. Here is an -example of how gss_wrap_iov can be used with allocation requested -(ctx is assumed to be a previously established gss_ctx_id_t):

-
OM_uint32 major, minor;
-gss_iov_buffer_desc iov[4];
-char str[] = "message";
-
-iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
-iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
-iov[1].buffer.value = str;
-iov[1].buffer.length = strlen(str);
-iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING | GSS_IOV_BUFFER_FLAG_ALLOCATE;
-iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER | GSS_IOV_BUFFER_FLAG_ALLOCATE;
-
-major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
-                     iov, 4);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-
-/* Transmit or otherwise use resulting buffers. */
-
-(void)gss_release_iov_buffer(&minor, iov, 4);
-
-
-

If the caller does not choose to request buffer allocation by -gss_wrap_iov, it should first call gss_wrap_iov_length to query the -lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers -must be provided in the iov list so that padding length can be -computed correctly, but the output buffers need not be initialized. -Here is an example of using gss_wrap_iov_length and gss_wrap_iov:

-
OM_uint32 major, minor;
-gss_iov_buffer_desc iov[4];
-char str[1024] = "message", *ptr;
-
-iov[0].type = GSS_IOV_BUFFER_TYPE_HEADER;
-iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
-iov[1].buffer.value = str;
-iov[1].buffer.length = strlen(str);
-
-iov[2].type = GSS_IOV_BUFFER_TYPE_PADDING;
-iov[3].type = GSS_IOV_BUFFER_TYPE_TRAILER;
-
-major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT,
-                            NULL, iov, 4);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length +
-    iov[3].buffer.length > sizeof(str))
-    handle_out_of_space_error();
-ptr = str + strlen(str);
-iov[0].buffer.value = ptr;
-ptr += iov[0].buffer.length;
-iov[2].buffer.value = ptr;
-ptr += iov[2].buffer.length;
-iov[3].buffer.value = ptr;
-
-major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
-                     iov, 4);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-
-
-

If the context was established using the GSS_C_DCE_STYLE flag -(described in RFC 4757), wrap tokens compatible with Microsoft DCE -RPC can be constructed. In this case, the IOV list must include a -SIGN_ONLY buffer, a DATA buffer, a second SIGN_ONLY buffer, and a -HEADER buffer in that order (the order of the buffer contents remains -arbitrary). The application must pad the DATA buffer to a multiple of -16 bytes as no padding or trailer buffer is used.

-

gss_unwrap_iov may be called with an IOV list just like one which -would be provided to gss_wrap_iov. DATA buffers will be decrypted -in-place if they were encrypted, and SIGN_ONLY buffers will not be -modified.

-

Alternatively, gss_unwrap_iov may be called with a single STREAM -buffer, zero or more SIGN_ONLY buffers, and a single DATA buffer. The -STREAM buffer is interpreted as a complete wrap token. The STREAM -buffer will be modified in-place to decrypt its contents. The DATA -buffer will be initialized to point to the decrypted data within the -STREAM buffer, unless it has the GSS_C_BUFFER_FLAG_ALLOCATE flag -set, in which case it will be initialized with a copy of the decrypted -data. Here is an example (token and token_len are assumed to be a -pre-existing pointer and length for a modifiable region of data):

-
OM_uint32 major, minor;
-gss_iov_buffer_desc iov[2];
-
-iov[0].type = GSS_IOV_BUFFER_TYPE_STREAM;
-iov[0].buffer.value = token;
-iov[0].buffer.length = token_len;
-iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
-major = gss_unwrap_iov(&minor, ctx, NULL, NULL, iov, 2);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-
-/* Decrypted data is in iov[1].buffer, pointing to a subregion of
- * token. */
-
-
-
-
-

IOV MIC tokens¶

-

The following extensions (declared in <gssapi/gssapi_ext.h>) can -be used in release 1.12 or later to construct and verify MIC tokens -using an IOV list:

-
OM_uint32 gss_get_mic_iov(OM_uint32 *minor_status,
-                          gss_ctx_id_t context_handle,
-                          gss_qop_t qop_req,
-                          gss_iov_buffer_desc *iov,
-                          int iov_count);
-
-OM_uint32 gss_get_mic_iov_length(OM_uint32 *minor_status,
-                                 gss_ctx_id_t context_handle,
-                                 gss_qop_t qop_req,
-                                 gss_iov_buffer_desc *iov,
-                                 iov_count);
-
-OM_uint32 gss_verify_mic_iov(OM_uint32 *minor_status,
-                             gss_ctx_id_t context_handle,
-                             gss_qop_t *qop_state,
-                             gss_iov_buffer_desc *iov,
-                             int iov_count);
-
-
-

The caller of gss_get_mic_iov provides an array of gss_iov_buffer_desc -structures, each containing a type and a gss_buffer_desc structure. -Valid types include:

-
    -
  • GSS_C_BUFFER_TYPE_DATA and GSS_C_BUFFER_TYPE_SIGN_ONLY: The -corresponding buffer for each of these types will be signed for the -MIC token, in the order provided.
    • -
  • GSS_C_BUFFER_TYPE_MIC_TOKEN: The GSSAPI MIC token.
    • -
-

The type of the MIC_TOKEN buffer may be combined with -GSS_C_BUFFER_FLAG_ALLOCATE to request that gss_get_mic_iov -allocate the buffer contents. If gss_get_mic_iov allocates the -buffer, it sets the GSS_C_BUFFER_FLAG_ALLOCATED flag on the buffer -type. gss_release_iov_buffer can be used to release all allocated -buffers within an iov list and unset their allocated flags. Here is -an example of how gss_get_mic_iov can be used with allocation -requested (ctx is assumed to be a previously established -gss_ctx_id_t):

-
OM_uint32 major, minor;
-gss_iov_buffer_desc iov[3];
-
-iov[0].type = GSS_IOV_BUFFER_TYPE_DATA;
-iov[0].buffer.value = "sign1";
-iov[0].buffer.length = 5;
-iov[1].type = GSS_IOV_BUFFER_TYPE_SIGN_ONLY;
-iov[1].buffer.value = "sign2";
-iov[1].buffer.length = 5;
-iov[2].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN | GSS_IOV_BUFFER_FLAG_ALLOCATE;
-
-major = gss_get_mic_iov(&minor, ctx, GSS_C_QOP_DEFAULT, iov, 3);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-
-/* Transmit or otherwise use iov[2].buffer. */
-
-(void)gss_release_iov_buffer(&minor, iov, 3);
-
-
-

If the caller does not choose to request buffer allocation by -gss_get_mic_iov, it should first call gss_get_mic_iov_length to query -the length of the MIC_TOKEN buffer. Here is an example of using -gss_get_mic_iov_length and gss_get_mic_iov:

-
OM_uint32 major, minor;
-gss_iov_buffer_desc iov[2];
-char data[1024];
-
-iov[0].type = GSS_IOV_BUFFER_TYPE_MIC_TOKEN;
-iov[1].type = GSS_IOV_BUFFER_TYPE_DATA;
-iov[1].buffer.value = "message";
-iov[1].buffer.length = 7;
-
-major = gss_wrap_iov_length(&minor, ctx, 1, GSS_C_QOP_DEFAULT,
-                            NULL, iov, 2);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-if (iov[0].buffer.length > sizeof(data))
-    handle_out_of_space_error();
-iov[0].buffer.value = data;
-
-major = gss_wrap_iov(&minor, ctx, 1, GSS_C_QOP_DEFAULT, NULL,
-                     iov, 2);
-if (GSS_ERROR(major))
-    handle_error(major, minor);
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/h5l_mit_apidiff.html b/doc/html/appdev/h5l_mit_apidiff.html deleted file mode 100644 index 49eda59..0000000 --- a/doc/html/appdev/h5l_mit_apidiff.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - Differences between Heimdal and MIT Kerberos API — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Differences between Heimdal and MIT Kerberos API¶

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - -
krb5_auth_con_getaddrs()H5l: If either of the pointers to local_addr -and remote_addr is not NULL, it is freed -first and then reallocated before being -populated with the content of corresponding -address from authentication context.
krb5_auth_con_setaddrs()H5l: If either address is NULL, the previous -address remains in place
krb5_auth_con_setports()H5l: Not implemented as of version 1.3.3
krb5_auth_con_setrecvsubkey()H5l: If either port is NULL, the previous -port remains in place
krb5_auth_con_setsendsubkey()H5l: Not implemented as of version 1.3.3
krb5_cc_set_config()MIT: Before version 1.10 it was assumed that -the last argument data is ALWAYS non-zero.
krb5_cccol_last_change_time()H5l takes 3 arguments: krb5_context context, -const char *type, krb5_timestamp *change_time -MIT takes two arguments: krb5_context context, -krb5_timestamp *change_time
krb5_set_default_realm()H5l: Caches the computed default realm context -field. If the second argument is NULL, -it tries to retrieve it from libdefaults or DNS. -MIT: Computes the default realm each time -if it wasn’t explicitly set in the context
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/index.html b/doc/html/appdev/index.html deleted file mode 100644 index a49c3bc..0000000 --- a/doc/html/appdev/index.html +++ /dev/null @@ -1,155 +0,0 @@ - - - - - - - - For application developers — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/init_creds.html b/doc/html/appdev/init_creds.html deleted file mode 100644 index d1e8839..0000000 --- a/doc/html/appdev/init_creds.html +++ /dev/null @@ -1,442 +0,0 @@ - - - - - - - - Initial credentials — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Initial credentials¶

-

Software that performs tasks such as logging users into a computer -when they type their Kerberos password needs to get initial -credentials (usually ticket granting tickets) from Kerberos. Such -software shares some behavior with the kinit program.

-

Whenever a program grants access to a resource (such as a local login -session on a desktop computer) based on a user successfully getting -initial Kerberos credentials, it must verify those credentials against -a secure shared secret (e.g., a host keytab) to ensure that the user -credentials actually originate from a legitimate KDC. Failure to -perform this verification is a critical vulnerability, because a -malicious user can execute the “Zanarotti attack”: the user constructs -a fake response that appears to come from the legitimate KDC, but -whose contents come from an attacker-controlled KDC.

-

Some applications read a Kerberos password over the network (ideally -over a secure channel), which they then verify against the KDC. While -this technique may be the only practical way to integrate Kerberos -into some existing legacy systems, its use is contrary to the original -design goals of Kerberos.

-

The function krb5_get_init_creds_password() will get initial -credentials for a client using a password. An application that needs -to verify the credentials can call krb5_verify_init_creds(). -Here is an example of code to obtain and verify TGT credentials, given -strings princname and password for the client principal name and -password:

-
krb5_error_code ret;
-krb5_creds creds;
-krb5_principal client_princ = NULL;
-
-memset(&creds, 0, sizeof(creds));
-ret = krb5_parse_name(context, princname, &client_princ);
-if (ret)
-    goto cleanup;
-ret = krb5_get_init_creds_password(context, &creds, client_princ,
-                                   password, NULL, NULL, 0, NULL, NULL);
-if (ret)
-    goto cleanup;
-ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, NULL);
-
-cleanup:
-krb5_free_principal(context, client_princ);
-krb5_free_cred_contents(context, &creds);
-return ret;
-
-
-
-

Options for get_init_creds¶

-

The function krb5_get_init_creds_password() takes an options -parameter (which can be a null pointer). Use the function -krb5_get_init_creds_opt_alloc() to allocate an options -structure, and krb5_get_init_creds_opt_free() to free it. For -example:

-
krb5_error_code ret;
-krb5_get_init_creds_opt *opt = NULL;
-krb5_creds creds;
-
-memset(&creds, 0, sizeof(creds));
-ret = krb5_get_init_creds_opt_alloc(context, &opt);
-if (ret)
-    goto cleanup;
-krb5_get_init_creds_opt_set_tkt_life(opt, 24 * 60 * 60);
-ret = krb5_get_init_creds_password(context, &creds, client_princ,
-                                   password, NULL, NULL, 0, NULL, opt);
-if (ret)
-    goto cleanup;
-
-cleanup:
-krb5_get_init_creds_opt_free(context, opt);
-krb5_free_cred_contents(context, &creds);
-return ret;
-
-
-
-
-

Getting anonymous credentials¶

-

As of release 1.8, it is possible to obtain fully anonymous or -partially anonymous (realm-exposed) credentials, if the KDC supports -it. The MIT KDC supports issuing fully anonymous credentials as of -release 1.8 if configured appropriately (see Anonymous PKINIT), -but does not support issuing realm-exposed anonymous credentials at -this time.

-

To obtain fully anonymous credentials, call -krb5_get_init_creds_opt_set_anonymous() on the options -structure to set the anonymous flag, and specify a client principal -with the KDC’s realm and a single empty data component (the principal -obtained by parsing @realmname). Authentication will take -place using anonymous PKINIT; if successful, the client principal of -the resulting tickets will be -WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS. Here is an example:

-
krb5_get_init_creds_opt_set_anonymous(opt, 1);
-ret = krb5_build_principal(context, &client_princ, strlen(myrealm),
-                           myrealm, "", (char *)NULL);
-if (ret)
-    goto cleanup;
-ret = krb5_get_init_creds_password(context, &creds, client_princ,
-                                   password, NULL, NULL, 0, NULL, opt);
-if (ret)
-    goto cleanup;
-
-
-

To obtain realm-exposed anonymous credentials, set the anonymous flag -on the options structure as above, but specify a normal client -principal in order to prove membership in the realm. Authentication -will take place as it normally does; if successful, the client -principal of the resulting tickets will be WELLKNOWN/ANONYMOUS@realmname.

-
-
-

User interaction¶

-

Authenticating a user usually requires the entry of secret -information, such as a password. A password can be supplied directly -to krb5_get_init_creds_password() via the password -parameter, or the application can supply prompter and/or responder -callbacks instead. If callbacks are used, the user can also be -queried for other secret information such as a PIN, informed of -impending password expiration, or prompted to change a password which -has expired.

-
-

Prompter callback¶

-

A prompter callback can be specified via the prompter and data -parameters to krb5_get_init_creds_password(). The prompter -will be invoked each time the krb5 library has a question to ask or -information to present. When the prompter callback is invoked, the -banner argument (if not null) is intended to be displayed to the -user, and the questions to be answered are specified in the prompts -array. Each prompt contains a text question in the prompt field, a -hidden bit to indicate whether the answer should be hidden from -display, and a storage area for the answer in the reply field. The -callback should fill in each question’s reply->data with the -answer, up to a maximum number of reply->length bytes, and then -reset reply->length to the length of the answer.

-

A prompter callback can call krb5_get_prompt_types() to get an -array of type constants corresponding to the prompts, to get -programmatic information about the semantic meaning of the questions. -krb5_get_prompt_types() may return a null pointer if no prompt -type information is available.

-

Text-based applications can use a built-in text prompter -implementation by supplying krb5_prompter_posix() as the -prompter parameter and a null pointer as the data parameter. For -example:

-
ret = krb5_get_init_creds_password(context, &creds, client_princ,
-                                   NULL, krb5_prompter_posix, NULL, 0,
-                                   NULL, NULL);
-
-
-
-
-

Responder callback¶

-

A responder callback can be specified through the init_creds options -using the krb5_get_init_creds_opt_set_responder() function. -Responder callbacks can present a more sophisticated user interface -for authentication secrets. The responder callback is usually invoked -only once per authentication, with a list of questions produced by all -of the allowed preauthentication mechanisms.

-

When the responder callback is invoked, the rctx argument can be -accessed to obtain the list of questions and to answer them. The -krb5_responder_list_questions() function retrieves an array of -question types. For each question type, the -krb5_responder_get_challenge() function retrieves additional -information about the question, if applicable, and the -krb5_responder_set_answer() function sets the answer.

-

Responder question types, challenges, and answers are UTF-8 strings. -The question type is a well-known string; the meaning of the challenge -and answer depend on the question type. If an application does not -understand a question type, it cannot interpret the challenge or -provide an answer. Failing to answer a question typically results in -the prompter callback being used as a fallback.

-
-

Password question¶

-

The KRB5_RESPONDER_QUESTION_PASSWORD (or "password") -question type requests the user’s password. This question does not -have a challenge, and the response is simply the password string.

-
-
-

One-time password question¶

-

The KRB5_RESPONDER_QUESTION_OTP (or "otp") question -type requests a choice among one-time password tokens and the PIN and -value for the chosen token. The challenge and answer are JSON-encoded -strings, but an application can use convenience functions to avoid -doing any JSON processing itself.

-

The krb5_responder_otp_get_challenge() function decodes the -challenge into a krb5_responder_otp_challenge structure. The -krb5_responder_otp_set_answer() function selects one of the -token information elements from the challenge and supplies the value -and pin for that token.

-
-
-

PKINIT password or PIN question¶

-

The KRB5_RESPONDER_QUESTION_PKINIT (or "pkinit") question -type requests PINs for hardware devices and/or passwords for encrypted -credentials which are stored on disk, potentially also supplying -information about the state of the hardware devices. The challenge and -answer are JSON-encoded strings, but an application can use convenience -functions to avoid doing any JSON processing itself.

-

The krb5_responder_pkinit_get_challenge() function decodes the -challenges into a krb5_responder_pkinit_challenge structure. The -krb5_responder_pkinit_set_answer() function can be used to -supply the PIN or password for a particular client credential, and can -be called multiple times.

-
-
-

Example¶

-

Here is an example of using a responder callback:

-
static krb5_error_code
-my_responder(krb5_context context, void *data,
-             krb5_responder_context rctx)
-{
-    krb5_error_code ret;
-    krb5_responder_otp_challenge *chl;
-
-    if (krb5_responder_get_challenge(context, rctx,
-                                     KRB5_RESPONDER_QUESTION_PASSWORD)) {
-        ret = krb5_responder_set_answer(context, rctx,
-                                        KRB5_RESPONDER_QUESTION_PASSWORD,
-                                        "open sesame");
-        if (ret)
-            return ret;
-    }
-    ret = krb5_responder_otp_get_challenge(context, rctx, &chl);
-    if (ret == 0 && chl != NULL) {
-        ret = krb5_responder_otp_set_answer(context, rctx, 0, "1234",
-                                            NULL);
-        krb5_responder_otp_challenge_free(context, rctx, chl);
-        if (ret)
-            return ret;
-    }
-    return 0;
-}
-
-static krb5_error_code
-get_creds(krb5_context context, krb5_principal client_princ)
-{
-    krb5_error_code ret;
-    krb5_get_init_creds_opt *opt = NULL;
-    krb5_creds creds;
-
-    memset(&creds, 0, sizeof(creds));
-    ret = krb5_get_init_creds_opt_alloc(context, &opt);
-    if (ret)
-        goto cleanup;
-    ret = krb5_get_init_creds_opt_set_responder(context, opt, my_responder,
-                                                NULL);
-    if (ret)
-        goto cleanup;
-    ret = krb5_get_init_creds_password(context, &creds, client_princ,
-                                       NULL, NULL, NULL, 0, NULL, opt);
-
-cleanup:
-    krb5_get_init_creds_opt_free(context, opt);
-    krb5_free_cred_contents(context, &creds);
-    return ret;
-}
-
-
-
-
-
-
-

Verifying initial credentials¶

-

Use the function krb5_verify_init_creds() to verify initial -credentials. It takes an options structure (which can be a null -pointer). Use krb5_verify_init_creds_opt_init() to initialize -the caller-allocated options structure, and -krb5_verify_init_creds_opt_set_ap_req_nofail() to set the -“nofail” option. For example:

-
krb5_verify_init_creds_opt vopt;
-
-krb5_verify_init_creds_opt_init(&vopt);
-krb5_verify_init_creds_opt_set_ap_req_nofail(&vopt, 1);
-ret = krb5_verify_init_creds(context, &creds, NULL, NULL, NULL, &vopt);
-
-
-

The confusingly named “nofail” option, when set, means that the -verification must actually succeed in order for -krb5_verify_init_creds() to indicate success. The default -state of this option (cleared) means that if there is no key material -available to verify the user credentials, the verification will -succeed anyway. (The default can be changed by a configuration file -setting.)

-

This accommodates a use case where a large number of unkeyed shared -desktop workstations need to allow users to log in using Kerberos. -The security risks from this practice are mitigated by the absence of -valuable state on the shared workstations—any valuable resources -that the users would access reside on networked servers.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/princ_handle.html b/doc/html/appdev/princ_handle.html deleted file mode 100644 index 8eaa028..0000000 --- a/doc/html/appdev/princ_handle.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - Principal manipulation and parsing — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/index.html b/doc/html/appdev/refs/api/index.html deleted file mode 100644 index bd355e2..0000000 --- a/doc/html/appdev/refs/api/index.html +++ /dev/null @@ -1,558 +0,0 @@ - - - - - - - - krb5 API — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5 API¶

-
-

Frequently used public interfaces¶

-
- -
-
-
-

Rarely used public interfaces¶

-
- -
-
-
-

Public interfaces that should not be called directly¶

-
- -
-
- - -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_425_conv_principal.html b/doc/html/appdev/refs/api/krb5_425_conv_principal.html deleted file mode 100644 index f64e14f..0000000 --- a/doc/html/appdev/refs/api/krb5_425_conv_principal.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.¶

-
-
-krb5_error_code krb5_425_conv_principal(krb5_context context, const char * name, const char * instance, const char * realm, krb5_principal * princ)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - V4 name

-

[in] instance - V4 instance

-

[in] realm - Realm

-

[out] princ - V5 principal

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function builds a princ from V4 specification based on given input name.instance@realm .

-

Use krb5_free_principal() to free princ when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_524_conv_principal.html b/doc/html/appdev/refs/api/krb5_524_conv_principal.html deleted file mode 100644 index d437412..0000000 --- a/doc/html/appdev/refs/api/krb5_524_conv_principal.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.¶

-
-
-krb5_error_code krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, char * name, char * inst, char * realm)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] princ - V5 Principal

-

[out] name - V4 principal’s name to be filled in

-

[out] inst - V4 principal’s instance name to be filled in

-

[out] realm - Principal’s realm name to be filled in

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_INVALID_PRINCIPAL Invalid principal name
    • -
  • KRB5_CONFIG_CANTOPEN Can’t open or find Kerberos configuration file
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function separates a V5 principal princ into name , instance , and realm .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_524_convert_creds.html b/doc/html/appdev/refs/api/krb5_524_convert_creds.html deleted file mode 100644 index f208b36..0000000 --- a/doc/html/appdev/refs/api/krb5_524_convert_creds.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.¶

-
-
-int krb5_524_convert_creds(krb5_context context, krb5_creds * v5creds, struct credentials * v4creds)¶
-
- - --- - - - -
param:

context

-

v5creds

-

v4creds

-
- --- - - - -
retval:
    -
  • KRB524_KRB4_DISABLED (always)
    • -
-
-
-

Note

-

Not implemented

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_address_compare.html b/doc/html/appdev/refs/api/krb5_address_compare.html deleted file mode 100644 index fc09df6..0000000 --- a/doc/html/appdev/refs/api/krb5_address_compare.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_address_compare - Compare two Kerberos addresses. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_address_compare - Compare two Kerberos addresses.¶

-
-
-krb5_boolean krb5_address_compare(krb5_context context, const krb5_address * addr1, const krb5_address * addr2)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] addr1 - First address to be compared

-

[in] addr2 - Second address to be compared

-
- --- - - - -
return:
    -
  • TRUE if the addresses are the same, FALSE otherwise
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_address_order.html b/doc/html/appdev/refs/api/krb5_address_order.html deleted file mode 100644 index 8c51e39..0000000 --- a/doc/html/appdev/refs/api/krb5_address_order.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_address_order - Return an ordering of the specified addresses. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_address_order - Return an ordering of the specified addresses.¶

-
-
-int krb5_address_order(krb5_context context, const krb5_address * addr1, const krb5_address * addr2)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] addr1 - First address

-

[in] addr2 - Second address

-
- --- - - - -
retval:
    -
  • 0 The two addresses are the same
    • -
  • < 0 First address is less than second
    • -
  • > 0 First address is greater than second
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_address_search.html b/doc/html/appdev/refs/api/krb5_address_search.html deleted file mode 100644 index 0efba5e..0000000 --- a/doc/html/appdev/refs/api/krb5_address_search.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_address_search - Search a list of addresses for a specified address. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_address_search - Search a list of addresses for a specified address.¶

-
- -
- - --- - - - -
param:

[in] context - Library context

-

[in] addr - Address to search for

-

[in] addrlist - Address list to be searched (or NULL)

-
- --- - - - -
return:
    -
  • TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise
    • -
-
-
-

Note

-

If addrlist contains only a NetBIOS addresses, it will be treated as a null list.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html b/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html deleted file mode 100644 index e98d054..0000000 --- a/doc/html/appdev/refs/api/krb5_allow_weak_crypto.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_allow_weak_crypto - Allow the appplication to override the profile’s allow_weak_crypto setting. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_allow_weak_crypto - Allow the appplication to override the profile’s allow_weak_crypto setting.¶

-
-
-krb5_error_code krb5_allow_weak_crypto(krb5_context context, krb5_boolean enable)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enable - Boolean flag

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

This function allows an application to override the allow_weak_crypto setting. It is primarily for use by aklog.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_aname_to_localname.html b/doc/html/appdev/refs/api/krb5_aname_to_localname.html deleted file mode 100644 index 0dc2b89..0000000 --- a/doc/html/appdev/refs/api/krb5_aname_to_localname.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_aname_to_localname - Convert a principal name to a local name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_aname_to_localname - Convert a principal name to a local name.¶

-
-
-krb5_error_code krb5_aname_to_localname(krb5_context context, krb5_const_principal aname, int lnsize_in, char * lname)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] aname - Principal name

-

[in] lnsize_in - Space available in lname

-

[out] lname - Local name buffer to be filled in

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • System errors
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

If aname does not correspond to any local account, KRB5_LNAME_NOTRANS is returned. If lnsize_in is too small for the local name, KRB5_CONFIG_NOTENUFSPACE is returned.

-

Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name).

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_anonymous_principal.html b/doc/html/appdev/refs/api/krb5_anonymous_principal.html deleted file mode 100644 index e2d1a18..0000000 --- a/doc/html/appdev/refs/api/krb5_anonymous_principal.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_anonymous_principal - Build an anonymous principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_anonymous_principal - Build an anonymous principal.¶

-
-
-krb5_const_principal krb5_anonymous_principal(void None)¶
-
- - --- - - - -
param:None
-

This function returns constant storage that must not be freed.

-
-

See also

-

KRB5_ANONYMOUS_PRINCSTR

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_anonymous_realm.html b/doc/html/appdev/refs/api/krb5_anonymous_realm.html deleted file mode 100644 index b31e3f0..0000000 --- a/doc/html/appdev/refs/api/krb5_anonymous_realm.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_anonymous_realm - Return an anonymous realm data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_anonymous_realm - Return an anonymous realm data.¶

-
-
-const krb5_data * krb5_anonymous_realm(void None)¶
-
- - --- - - - -
param:None
-

This function returns constant storage that must not be freed.

-
-

See also

-

KRB5_ANONYMOUS_REALMSTR

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html b/doc/html/appdev/refs/api/krb5_appdefault_boolean.html deleted file mode 100644 index 96a67be..0000000 --- a/doc/html/appdev/refs/api/krb5_appdefault_boolean.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.¶

-
-
-void krb5_appdefault_boolean(krb5_context context, const char * appname, const krb5_data * realm, const char * option, int default_value, int * ret_value)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] appname - Application name

-

[in] realm - Realm name

-

[in] option - Option to be checked

-

[in] default_value - Default value to return if no match is found

-

[out] ret_value - Boolean value of option

-
-

This function gets the application defaults for option based on the given appname and/or realm .

-
-

See also

-

krb5_appdefault_string()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_appdefault_string.html b/doc/html/appdev/refs/api/krb5_appdefault_string.html deleted file mode 100644 index da666d2..0000000 --- a/doc/html/appdev/refs/api/krb5_appdefault_string.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf.¶

-
-
-void krb5_appdefault_string(krb5_context context, const char * appname, const krb5_data * realm, const char * option, const char * default_value, char ** ret_value)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] appname - Application name

-

[in] realm - Realm name

-

[in] option - Option to be checked

-

[in] default_value - Default value to return if no match is found

-

[out] ret_value - String value of option

-
-

This function gets the application defaults for option based on the given appname and/or realm .

-
-

See also

-

krb5_appdefault_boolean()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_free.html b/doc/html/appdev/refs/api/krb5_auth_con_free.html deleted file mode 100644 index fbcd27c..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_free.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_auth_con_free - Free a krb5_auth_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_free - Free a krb5_auth_context structure.¶

-
-
-krb5_error_code krb5_auth_con_free(krb5_context context, krb5_auth_context auth_context)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context to be freed

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

This function frees an auth context allocated by krb5_auth_con_init() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html deleted file mode 100644 index 8a6d4ba..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_genaddrs.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket.¶

-
-
-krb5_error_code krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int infd, int flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] infd - Connected socket descriptor

-

[in] flags - Flags

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the local and/or remote addresses in auth_context based on the local and remote endpoints of the socket infd . The following flags determine the operations performed:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html deleted file mode 100644 index 6655229..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_get_checksum_func.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_get_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func * func, void ** data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] func - Checksum callback

-

[out] data - Callback argument

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html deleted file mode 100644 index fdc1164..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getaddrs.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getaddrs - Retrieve address fields from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getaddrs - Retrieve address fields from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address ** local_addr, krb5_address ** remote_addr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] local_addr - Local address (NULL if not needed)

-

[out] remote_addr - Remote address (NULL if not needed)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html b/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html deleted file mode 100644 index cecc196..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getauthenticator.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getauthenticator(krb5_context context, krb5_auth_context auth_context, krb5_authenticator ** authenticator)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] authenticator - Authenticator

-
- --- - - - -
retval:
    -
  • 0 Success. Otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_authenticator() to free authenticator when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html b/doc/html/appdev/refs/api/krb5_auth_con_getflags.html deleted file mode 100644 index 471af72..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getflags.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.¶

-
-
-krb5_error_code krb5_auth_con_getflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 * flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] flags - Flags bit mask

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

Valid values for flags are:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey.html deleted file mode 100644 index 0475a08..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getkey.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_getkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] keyblock - Session key

-
- --- - - - -
retval:
    -
  • 0 Success. Otherwise - Kerberos error codes
    • -
-
-

This function creates a keyblock containing the session key from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html deleted file mode 100644 index fdae854..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getkey_k.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getkey_k - Retrieve the session key from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getkey_k - Retrieve the session key from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getkey_k(krb5_context context, krb5_auth_context auth_context, krb5_key * key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] key - Session key

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

This function sets key to the session key from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html deleted file mode 100644 index 4e81c85..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalseqnumber.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getlocalseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] seqnumber - Local sequence number

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Retrieve the local sequence number from auth_context and return it in seqnumber . The KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in auth_context for this function to be useful.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html deleted file mode 100644 index a68a6c2..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getlocalsubkey.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_auth_con_getlocalsubkey — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getlocalsubkey¶

-
-
-krb5_error_code krb5_auth_con_getlocalsubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

context

-

auth_context

-

keyblock

-
-

DEPRECATED Replaced by krb5_auth_con_getsendsubkey() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html deleted file mode 100644 index 60dfe54..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getrcache.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getrcache - Retrieve the replay cache from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getrcache - Retrieve the replay cache from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache * rcache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] rcache - Replay cache handle

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

This function fetches the replay cache from auth_context . The caller should not close rcache .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html deleted file mode 100644 index 81197e3..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_getrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[out] keyblock - Receiving subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a keyblock containing the receiving subkey from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html deleted file mode 100644 index 39b5fe5..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getrecvsubkey_k.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_getrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[out] key - Receiving subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets key to the receiving subkey from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html b/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html deleted file mode 100644 index 117536c..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getremoteseqnumber.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 * seqnumber)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] seqnumber - Remote sequence number

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Retrieve the remote sequence number from auth_context and return it in seqnumber . The KRB5_AUTH_CONTEXT_DO_SEQUENCE flag must be set in auth_context for this function to be useful.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html deleted file mode 100644 index e837301..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getremotesubkey.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_auth_con_getremotesubkey — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getremotesubkey¶

-
-
-krb5_error_code krb5_auth_con_getremotesubkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

context

-

auth_context

-

keyblock

-
-

DEPRECATED Replaced by krb5_auth_con_getrecvsubkey() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html deleted file mode 100644 index 4ceee83..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_getsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[out] keyblock - Send subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a keyblock containing the send subkey from auth_context . Use krb5_free_keyblock() to free keyblock when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html deleted file mode 100644 index e84765c..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_getsendsubkey_k.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context.¶

-
-
-krb5_error_code krb5_auth_con_getsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key * key)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[out] key - Send subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets key to the send subkey from auth_context . Use krb5_k_free_key() to release key when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_init.html b/doc/html/appdev/refs/api/krb5_auth_con_init.html deleted file mode 100644 index f4693b7..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_init.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_auth_con_init - Create and initialize an authentication context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_init - Create and initialize an authentication context.¶

-
-
-krb5_error_code krb5_auth_con_init(krb5_context context, krb5_auth_context * auth_context)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] auth_context - Authentication context

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred.

-

By default, flags for the context are set to enable the use of the replay cache ( KRB5_AUTH_CONTEXT_DO_TIME ), but not sequence numbers. Use krb5_auth_con_setflags() to change the flags.

-

The allocated auth_context must be freed with krb5_auth_con_free() when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html b/doc/html/appdev/refs/api/krb5_auth_con_initivector.html deleted file mode 100644 index 70d80eb..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_initivector.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_auth_con_initivector — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_initivector¶

-
-
-krb5_error_code krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context)¶
-
- - --- - - - -
param:

context

-

auth_context

-
-

DEPRECATED Not replaced.

-

RFC 4120 doesn’t have anything like the initvector concept; only really old protocols may need this API.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html b/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html deleted file mode 100644 index 2eb9ceb..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_set_checksum_func.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_set_checksum_func(krb5_context context, krb5_auth_context auth_context, krb5_mk_req_checksum_func func, void * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] func - Checksum callback

-

[in] data - Callback argument

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

Set a callback to obtain checksum data in krb5_mk_req() . The callback will be invoked after the subkey and local sequence number are stored in auth_context .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html b/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html deleted file mode 100644 index 84128b1..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_set_req_cksumtype.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context.¶

-
-
-krb5_error_code krb5_auth_con_set_req_cksumtype(krb5_context context, krb5_auth_context auth_context, krb5_cksumtype cksumtype)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] cksumtype - Checksum type

-
- --- - - - -
retval:
    -
  • 0 Success. Otherwise - Kerberos error codes
    • -
-
-

This function sets the checksum type in auth_context to be used by krb5_mk_req() for the authenticator checksum.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html b/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html deleted file mode 100644 index 9d72f1d..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setaddrs.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setaddrs(krb5_context context, krb5_auth_context auth_context, krb5_address * local_addr, krb5_address * remote_addr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] local_addr - Local address

-

[in] remote_addr - Remote address

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function releases the storage assigned to the contents of the local and remote addresses of auth_context and then sets them to local_addr and remote_addr respectively.

-
-

See also

-

krb5_auth_con_genaddrs()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html b/doc/html/appdev/refs/api/krb5_auth_con_setflags.html deleted file mode 100644 index e72cc42..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setflags.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.¶

-
-
-krb5_error_code krb5_auth_con_setflags(krb5_context context, krb5_auth_context auth_context, krb5_int32 flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] flags - Flags bit mask

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

Valid values for flags are:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setports.html b/doc/html/appdev/refs/api/krb5_auth_con_setports.html deleted file mode 100644 index d40941c..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setports.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_auth_con_setports - Set local and remote port fields in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setports - Set local and remote port fields in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setports(krb5_context context, krb5_auth_context auth_context, krb5_address * local_port, krb5_address * remote_port)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] local_port - Local port

-

[in] remote_port - Remote port

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function releases the storage assigned to the contents of the local and remote ports of auth_context and then sets them to local_port and remote_port respectively.

-
-

See also

-

krb5_auth_con_genaddrs()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html b/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html deleted file mode 100644 index 8c11dc7..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setrcache.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_setrcache - Set the replay cache in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setrcache - Set the replay cache in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setrcache(krb5_context context, krb5_auth_context auth_context, krb5_rcache rcache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] rcache - Replay cache haddle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the replay cache in auth_context to rcache . rcache will be closed when auth_context is freed, so the caller should relinguish that responsibility.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html deleted file mode 100644 index 64872c5..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_setrecvsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[in] keyblock - Receiving subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the receiving subkey in ac to a copy of keyblock .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html deleted file mode 100644 index 29213d8..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setrecvsubkey_k.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setrecvsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[in] key - Receiving subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the receiving subkey in ac to key , incrementing its reference count.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html deleted file mode 100644 index 140eb9d..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock.¶

-
-
-krb5_error_code krb5_auth_con_setsendsubkey(krb5_context ctx, krb5_auth_context ac, krb5_keyblock * keyblock)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[in] keyblock - Send subkey

-
- --- - - - -
retval:
    -
  • 0 Success. Otherwise - Kerberos error codes
    • -
-
-

This function sets the send subkey in ac to a copy of keyblock .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html b/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html deleted file mode 100644 index 4993421..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setsendsubkey_k.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setsendsubkey_k(krb5_context ctx, krb5_auth_context ac, krb5_key key)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] ac - Authentication context

-

[out] key - Send subkey

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the send subkey in ac to key , incrementing its reference count.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html b/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html deleted file mode 100644 index e25a19d..0000000 --- a/doc/html/appdev/refs/api/krb5_auth_con_setuseruserkey.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_auth_con_setuseruserkey - Set the session key in an auth context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_con_setuseruserkey - Set the session key in an auth context.¶

-
-
-krb5_error_code krb5_auth_con_setuseruserkey(krb5_context context, krb5_auth_context auth_context, krb5_keyblock * keyblock)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] keyblock - User key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_build_principal.html b/doc/html/appdev/refs/api/krb5_build_principal.html deleted file mode 100644 index 23a2b64..0000000 --- a/doc/html/appdev/refs/api/krb5_build_principal.html +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - krb5_build_principal - Build a principal name using null-terminated strings. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_build_principal - Build a principal name using null-terminated strings.¶

-
-
-krb5_error_code krb5_build_principal(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ...)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] princ - Principal name

-

[in] rlen - Realm name length

-

[in] realm - Realm name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Call krb5_free_principal() to free princ when it is no longer needed.

-
-

Note

-

krb5_build_principal() and krb5_build_principal_alloc_va() perform the same task. krb5_build_principal() takes variadic arguments. krb5_build_principal_alloc_va() takes a pre-computed varargs pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html b/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html deleted file mode 100644 index 4894564..0000000 --- a/doc/html/appdev/refs/api/krb5_build_principal_alloc_va.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list.¶

-
-
-krb5_error_code krb5_build_principal_alloc_va(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, va_list ap)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] princ - Principal structure

-

[in] rlen - Realm name length

-

[in] realm - Realm name

-

[in] ap - List of char * components, ending with NULL

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Similar to krb5_build_principal() , this function builds a principal name, but its name components are specified as a va_list.

-

Use krb5_free_principal() to deallocate princ when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_build_principal_ext.html b/doc/html/appdev/refs/api/krb5_build_principal_ext.html deleted file mode 100644 index 5c8f071..0000000 --- a/doc/html/appdev/refs/api/krb5_build_principal_ext.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_build_principal_ext - Build a principal name using length-counted strings. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_build_principal_ext - Build a principal name using length-counted strings.¶

-
-
-krb5_error_code krb5_build_principal_ext(krb5_context context, krb5_principal * princ, unsigned int rlen, const char * realm, ...)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] princ - Principal name

-

[in] rlen - Realm name length

-

[in] realm - Realm name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call krb5_free_principal() to free allocated memory for principal when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_build_principal_va.html b/doc/html/appdev/refs/api/krb5_build_principal_va.html deleted file mode 100644 index 5c46973..0000000 --- a/doc/html/appdev/refs/api/krb5_build_principal_va.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_build_principal_va — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_build_principal_va¶

-
-
-krb5_error_code krb5_build_principal_va(krb5_context context, krb5_principal princ, unsigned int rlen, const char * realm, va_list ap)¶
-
- - --- - - - -
param:

context

-

princ

-

rlen

-

realm

-

ap

-
-

DEPRECATED Replaced by krb5_build_principal_alloc_va() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_block_size.html b/doc/html/appdev/refs/api/krb5_c_block_size.html deleted file mode 100644 index fe7e0cd..0000000 --- a/doc/html/appdev/refs/api/krb5_c_block_size.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_c_block_size - Return cipher block size. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_block_size - Return cipher block size.¶

-
-
-krb5_error_code krb5_c_block_size(krb5_context context, krb5_enctype enctype, size_t * blocksize)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[out] blocksize - Block size for enctype

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_checksum_length.html b/doc/html/appdev/refs/api/krb5_c_checksum_length.html deleted file mode 100644 index 20e4782..0000000 --- a/doc/html/appdev/refs/api/krb5_c_checksum_length.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_c_checksum_length - Return the length of checksums for a checksum type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_checksum_length - Return the length of checksums for a checksum type.¶

-
-
-krb5_error_code krb5_c_checksum_length(krb5_context context, krb5_cksumtype cksumtype, size_t * length)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type

-

[out] length - Checksum length

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length.html b/doc/html/appdev/refs/api/krb5_c_crypto_length.html deleted file mode 100644 index 6320844..0000000 --- a/doc/html/appdev/refs/api/krb5_c_crypto_length.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_crypto_length - Return a length of a message field specific to the encryption type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_crypto_length - Return a length of a message field specific to the encryption type.¶

-
-
-krb5_error_code krb5_c_crypto_length(krb5_context context, krb5_enctype enctype, krb5_cryptotype type, unsigned int * size)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] type - Type field (See KRB5_CRYPTO_TYPE types)

-

[out] size - Length of the type specific to enctype

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html b/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html deleted file mode 100644 index 1965446..0000000 --- a/doc/html/appdev/refs/api/krb5_c_crypto_length_iov.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array.¶

-
-
-krb5_error_code krb5_c_crypto_length_iov(krb5_context context, krb5_enctype enctype, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[inout] data - IOV array

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Padding is set to the actual padding required based on the provided data buffers. Typically this API is used after setting up the data buffers and KRB5_CRYPTO_TYPE_SIGN_ONLY buffers, but before actually allocating header, trailer and padding.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt.html b/doc/html/appdev/refs/api/krb5_c_decrypt.html deleted file mode 100644 index ebaf841..0000000 --- a/doc/html/appdev/refs/api/krb5_c_decrypt.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_c_decrypt - Decrypt data using a key (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_decrypt - Decrypt data using a key (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_decrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] cipher_state - Cipher state; specify NULL if not needed

-

[in] input - Encrypted data

-

[out] output - Decrypted data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function decrypts the data block input and stores the output into output . The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation.

-
-

Note

-

The caller must initialize output and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim output->length . For some enctypes, the resulting output->length may include padding bytes.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html deleted file mode 100644 index 86e1dcd..0000000 --- a/doc/html/appdev/refs/api/krb5_c_decrypt_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_decrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keyblock - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] cipher_state - Cipher state; specify NULL if not needed

-

[inout] data - IOV array. Modified in-place.

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function decrypts the data block data and stores the output in-place. The actual decryption key will be derived from keyblock and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

-
-

See also

-

krb5_c_decrypt_iov()

-
-
-

Note

-

On return from a krb5_c_decrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

-

This function is similar to krb5_k_decrypt_iov() , but operates on keyblock keyblock .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html b/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html deleted file mode 100644 index 477010a..0000000 --- a/doc/html/appdev/refs/api/krb5_c_derive_prfplus.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+).¶

-
-
-krb5_error_code krb5_c_derive_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_enctype enctype, krb5_keyblock ** out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] k - KDC contribution key

-

[in] input - Input string

-

[in] enctype - Output key enctype (or ENCTYPE_NULL )

-

[out] out - Derived keyblock

-
-

This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If enctype is ENCTYPE_NULL , the output key will have the same enctype as the input key.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt.html b/doc/html/appdev/refs/api/krb5_c_encrypt.html deleted file mode 100644 index 8b0b029..0000000 --- a/doc/html/appdev/refs/api/krb5_c_encrypt.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_c_encrypt - Encrypt data using a key (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_encrypt - Encrypt data using a key (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_encrypt(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] cipher_state - Cipher state; specify NULL if not needed

-

[in] input - Data to be encrypted

-

[out] output - Encrypted data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function encrypts the data block input and stores the output into output . The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.

-
-

Note

-

The caller must initialize output and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). output->length will be set to the actual length of the ciphertext.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html b/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html deleted file mode 100644 index 6284086..0000000 --- a/doc/html/appdev/refs/api/krb5_c_encrypt_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_encrypt_iov(krb5_context context, const krb5_keyblock * keyblock, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keyblock - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] cipher_state - Cipher state; specify NULL if not needed

-

[inout] data - IOV array. Modified in-place.

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function encrypts the data block data and stores the output in-place. The actual encryption key will be derived from keyblock and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

-
-

See also

-

krb5_c_decrypt_iov()

-
-
-

Note

-

On return from a krb5_c_encrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

-

This function is similar to krb5_k_encrypt_iov() , but operates on keyblock keyblock .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html b/doc/html/appdev/refs/api/krb5_c_encrypt_length.html deleted file mode 100644 index 4962428..0000000 --- a/doc/html/appdev/refs/api/krb5_c_encrypt_length.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_encrypt_length - Compute encrypted data length. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_encrypt_length - Compute encrypted data length.¶

-
-
-krb5_error_code krb5_c_encrypt_length(krb5_context context, krb5_enctype enctype, size_t inputlen, size_t * length)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] inputlen - Length of the data to be encrypted

-

[out] length - Length of the encrypted data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function computes the length of the ciphertext produced by encrypting inputlen bytes including padding, confounder, and checksum.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html b/doc/html/appdev/refs/api/krb5_c_enctype_compare.html deleted file mode 100644 index 16f2aab..0000000 --- a/doc/html/appdev/refs/api/krb5_c_enctype_compare.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_enctype_compare - Compare two encryption types. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_enctype_compare - Compare two encryption types.¶

-
-
-krb5_error_code krb5_c_enctype_compare(krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean * similar)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] e1 - First encryption type

-

[in] e2 - Second encryption type

-

[out] similar - TRUE if types are similar, FALSE if not

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function determines whether two encryption types use the same kind of keys.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_free_state.html b/doc/html/appdev/refs/api/krb5_c_free_state.html deleted file mode 100644 index d935634..0000000 --- a/doc/html/appdev/refs/api/krb5_c_free_state.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state() .¶

-
-
-krb5_error_code krb5_c_free_state(krb5_context context, const krb5_keyblock * key, krb5_data * state)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Key

-

[in] state - Cipher state to be freed

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html b/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html deleted file mode 100644 index d3b1389..0000000 --- a/doc/html/appdev/refs/api/krb5_c_fx_cf2_simple.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.¶

-
-
-krb5_error_code krb5_c_fx_cf2_simple(krb5_context context, const krb5_keyblock * k1, const char * pepper1, const krb5_keyblock * k2, const char * pepper2, krb5_keyblock ** out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] k1 - KDC contribution key

-

[in] pepper1 - String”PKINIT”

-

[in] k2 - Reply key

-

[in] pepper2 - String”KeyExchange”

-

[out] out - Output key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that pepper1 and pepper2 are C strings with no internal nulls and that the enctype of the result will be the same as that of k1 . k1 and k2 may be of different enctypes.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_init_state.html b/doc/html/appdev/refs/api/krb5_c_init_state.html deleted file mode 100644 index e74486d..0000000 --- a/doc/html/appdev/refs/api/krb5_c_init_state.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_init_state - Initialize a new cipher state. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_init_state - Initialize a new cipher state.¶

-
-
-krb5_error_code krb5_c_init_state(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, krb5_data * new_state)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[out] new_state - New cipher state

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html b/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html deleted file mode 100644 index 57fee9c..0000000 --- a/doc/html/appdev/refs/api/krb5_c_is_coll_proof_cksum.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof.¶

-
-
-krb5_boolean krb5_c_is_coll_proof_cksum(krb5_cksumtype ctype)¶
-
- - --- - - - -
param:[in] ctype - Checksum type
- --- - - - -
return:
    -
  • TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html b/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html deleted file mode 100644 index 9be49a8..0000000 --- a/doc/html/appdev/refs/api/krb5_c_is_keyed_cksum.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_c_is_keyed_cksum - Test whether a checksum type is keyed. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_is_keyed_cksum - Test whether a checksum type is keyed.¶

-
-
-krb5_boolean krb5_c_is_keyed_cksum(krb5_cksumtype ctype)¶
-
- - --- - - - -
param:[in] ctype - Checksum type
- --- - - - -
return:
    -
  • TRUE if ctype is a keyed checksum type, FALSE otherwise.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html b/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html deleted file mode 100644 index 017e3de..0000000 --- a/doc/html/appdev/refs/api/krb5_c_keyed_checksum_types.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type.¶

-
-
-krb5_error_code krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, unsigned int * count, krb5_cksumtype ** cksumtypes)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[out] count - Count of allowable checksum types

-

[out] cksumtypes - Array of allowable checksum types

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_cksumtypes() to free cksumtypes when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_keylengths.html b/doc/html/appdev/refs/api/krb5_c_keylengths.html deleted file mode 100644 index 7bedd6c..0000000 --- a/doc/html/appdev/refs/api/krb5_c_keylengths.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_keylengths - Return length of the specified key in bytes. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_keylengths - Return length of the specified key in bytes.¶

-
-
-krb5_error_code krb5_c_keylengths(krb5_context context, krb5_enctype enctype, size_t * keybytes, size_t * keylength)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[out] keybytes - Number of bytes required to make a key

-

[out] keylength - Length of final key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_make_checksum.html b/doc/html/appdev/refs/api/krb5_c_make_checksum.html deleted file mode 100644 index 651c760..0000000 --- a/doc/html/appdev/refs/api/krb5_c_make_checksum.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_c_make_checksum - Compute a checksum (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_make_checksum - Compute a checksum (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_make_checksum(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] input - Input data

-

[out] cksum - Generated checksum

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function computes a checksum of type cksumtype over input , using key if the checksum type is a keyed checksum. If cksumtype is 0 and key is non-null, the checksum type will be the mandatory-to-implement checksum type for the key’s encryption type. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type. The newly created cksum must be released by calling krb5_free_checksum_contents() when it is no longer needed.

-
-

See also

-

krb5_c_verify_checksum()

-
-
-

Note

-

This function is similar to krb5_k_make_checksum() , but operates on keyblock key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html b/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html deleted file mode 100644 index 89203d8..0000000 --- a/doc/html/appdev/refs/api/krb5_c_make_checksum_iov.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock)¶

-
-
-krb5_error_code krb5_c_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] data - IOV array

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Create a checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element over KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in data . Only the KRB5_CRYPTO_TYPE_CHECKSUM region is modified.

-
-

See also

-

krb5_c_verify_checksum_iov()

-
-
-

Note

-

This function is similar to krb5_k_make_checksum_iov() , but operates on keyblock key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_make_random_key.html b/doc/html/appdev/refs/api/krb5_c_make_random_key.html deleted file mode 100644 index 77620c0..0000000 --- a/doc/html/appdev/refs/api/krb5_c_make_random_key.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_make_random_key - Generate an enctype-specific random encryption key. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_make_random_key - Generate an enctype-specific random encryption key.¶

-
-
-krb5_error_code krb5_c_make_random_key(krb5_context context, krb5_enctype enctype, krb5_keyblock * k5_random_key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type of the generated key

-

[out] k5_random_key - An allocated and initialized keyblock

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_keyblock_contents() to free k5_random_key when no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_padding_length.html b/doc/html/appdev/refs/api/krb5_c_padding_length.html deleted file mode 100644 index 59b0af1..0000000 --- a/doc/html/appdev/refs/api/krb5_c_padding_length.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_padding_length - Return a number of padding octets. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_padding_length - Return a number of padding octets.¶

-
-
-krb5_error_code krb5_c_padding_length(krb5_context context, krb5_enctype enctype, size_t data_length, unsigned int * size)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] data_length - Length of the plaintext to pad

-

[out] size - Number of padding octets

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - KRB5_BAD_ENCTYPE
    • -
-
-

This function returns the number of the padding octets required to pad data_length octets of plaintext.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_prf.html b/doc/html/appdev/refs/api/krb5_c_prf.html deleted file mode 100644 index 6e64b4d..0000000 --- a/doc/html/appdev/refs/api/krb5_c_prf.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_c_prf - Generate enctype-specific pseudo-random bytes. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_prf - Generate enctype-specific pseudo-random bytes.¶

-
-
-krb5_error_code krb5_c_prf(krb5_context context, const krb5_keyblock * keyblock, krb5_data * input, krb5_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keyblock - Key

-

[in] input - Input data

-

[out] output - Output data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function selects a pseudo-random function based on keyblock and computes its value over input , placing the result into output . The caller must preinitialize output and allocate space for the result, using krb5_c_prf_length() to determine the required length.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_prf_length.html b/doc/html/appdev/refs/api/krb5_c_prf_length.html deleted file mode 100644 index 5a4a6e6..0000000 --- a/doc/html/appdev/refs/api/krb5_c_prf_length.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type.¶

-
-
-krb5_error_code krb5_c_prf_length(krb5_context context, krb5_enctype enctype, size_t * len)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[out] len - Length of PRF output

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_prfplus.html b/doc/html/appdev/refs/api/krb5_c_prfplus.html deleted file mode 100644 index 5961c78..0000000 --- a/doc/html/appdev/refs/api/krb5_c_prfplus.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.¶

-
-
-krb5_error_code krb5_c_prfplus(krb5_context context, const krb5_keyblock * k, const krb5_data * input, krb5_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] k - KDC contribution key

-

[in] input - Input data

-

[out] output - Pseudo-random output buffer

-
- --- - - - -
return:
    -
  • 0 on success, E2BIG if output->length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5_c_prf()
    • -
-
-

This function fills output with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize output and allocate the desired amount of space. The length of the pseudo-random output will match the length of output .

-
-

Note

-

RFC 4402 defines a different PRF+ operation. This function does not implement that operation.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html b/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html deleted file mode 100644 index ee2e673..0000000 --- a/doc/html/appdev/refs/api/krb5_c_random_add_entropy.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_random_add_entropy - Add entropy to the pseudo-random number generator. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_random_add_entropy - Add entropy to the pseudo-random number generator.¶

-
-
-krb5_error_code krb5_c_random_add_entropy(krb5_context context, unsigned int randsource, const krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] randsource - Entropy source (see KRB5_RANDSOURCE types)

-

[in] data - Data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Contribute entropy to the PRNG used by krb5 crypto operations. This may or may not affect the output of the next crypto operation requiring random data.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_random_make_octets.html b/doc/html/appdev/refs/api/krb5_c_random_make_octets.html deleted file mode 100644 index 390f23d..0000000 --- a/doc/html/appdev/refs/api/krb5_c_random_make_octets.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_c_random_make_octets - Generate pseudo-random bytes. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_random_make_octets - Generate pseudo-random bytes.¶

-
-
-krb5_error_code krb5_c_random_make_octets(krb5_context context, krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] data - Random data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Fills in data with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize data and allocate the desired amount of space.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html b/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html deleted file mode 100644 index 374d60e..0000000 --- a/doc/html/appdev/refs/api/krb5_c_random_os_entropy.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_c_random_os_entropy - Collect entropy from the OS if possible. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_random_os_entropy - Collect entropy from the OS if possible.¶

-
-
-krb5_error_code krb5_c_random_os_entropy(krb5_context context, int strong, int * success)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] strong - Strongest available source of entropy

-

[out] success - 1 if OS provides entropy, 0 otherwise

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

If strong is non-zero, this function attempts to use the strongest available source of entropy. Setting this flag may cause the function to block on some operating systems. Good uses include seeding the PRNG for kadmind and realm setup.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_random_seed.html b/doc/html/appdev/refs/api/krb5_c_random_seed.html deleted file mode 100644 index a685462..0000000 --- a/doc/html/appdev/refs/api/krb5_c_random_seed.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_c_random_seed — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_random_seed¶

-
-
-krb5_error_code krb5_c_random_seed(krb5_context context, krb5_data * data)¶
-
- - --- - - - -
param:

context

-

data

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_random_to_key.html b/doc/html/appdev/refs/api/krb5_c_random_to_key.html deleted file mode 100644 index 4ffd778..0000000 --- a/doc/html/appdev/refs/api/krb5_c_random_to_key.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_c_random_to_key - Generate an enctype-specific key from random data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_random_to_key - Generate an enctype-specific key from random data.¶

-
-
-krb5_error_code krb5_c_random_to_key(krb5_context context, krb5_enctype enctype, krb5_data * random_data, krb5_keyblock * k5_random_key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] random_data - Random input data

-

[out] k5_random_key - Resulting key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function takes random input data random_data and produces a valid key k5_random_key for a given enctype .

-
-

See also

-

krb5_c_keylengths()

-
-
-

Note

-

It is assumed that k5_random_key has already been initialized and k5_random_key->contents has been allocated with the correct length.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_string_to_key.html b/doc/html/appdev/refs/api/krb5_c_string_to_key.html deleted file mode 100644 index e13a07f..0000000 --- a/doc/html/appdev/refs/api/krb5_c_string_to_key.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_c_string_to_key - Convert a string (such a password) to a key. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_string_to_key - Convert a string (such a password) to a key.¶

-
-
-krb5_error_code krb5_c_string_to_key(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, krb5_keyblock * key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] string - String to be converted

-

[in] salt - Salt value

-

[out] key - Generated key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function converts string to a key of encryption type enctype , using the specified salt . The newly created key must be released by calling krb5_free_keyblock_contents() when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html b/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html deleted file mode 100644 index ef53a79..0000000 --- a/doc/html/appdev/refs/api/krb5_c_string_to_key_with_params.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters.¶

-
-
-krb5_error_code krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data * string, const krb5_data * salt, const krb5_data * params, krb5_keyblock * key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] string - String to be converted

-

[in] salt - Salt value

-

[in] params - Parameters

-

[out] key - Generated key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function is similar to krb5_c_string_to_key() , but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created key must be released by calling krb5_free_keyblock_contents() when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html b/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html deleted file mode 100644 index 76f132a..0000000 --- a/doc/html/appdev/refs/api/krb5_c_valid_cksumtype.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.¶

-
-
-krb5_boolean krb5_c_valid_cksumtype(krb5_cksumtype ctype)¶
-
- - --- - - - -
param:[in] ctype - Checksum type
- --- - - - -
return:
    -
  • TRUE if ctype is valid, FALSE if not
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_valid_enctype.html b/doc/html/appdev/refs/api/krb5_c_valid_enctype.html deleted file mode 100644 index 969bd4a..0000000 --- a/doc/html/appdev/refs/api/krb5_c_valid_enctype.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.¶

-
-
-krb5_boolean krb5_c_valid_enctype(krb5_enctype ktype)¶
-
- - --- - - - -
param:[in] ktype - Encryption type
- --- - - - -
return:
    -
  • TRUE if ktype is valid, FALSE if not
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_verify_checksum.html b/doc/html/appdev/refs/api/krb5_c_verify_checksum.html deleted file mode 100644 index d34fd89..0000000 --- a/doc/html/appdev/refs/api/krb5_c_verify_checksum.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_c_verify_checksum - Verify a checksum (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_verify_checksum - Verify a checksum (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_verify_checksum(krb5_context context, const krb5_keyblock * key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - key usage

-

[in] data - Data to be used to compute a new checksum using key to compare cksum against

-

[in] cksum - Checksum to be verified

-

[out] valid - Non-zero for success, zero for failure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function verifies that cksum is a valid checksum for data . If the checksum type of cksum is a keyed checksum, key is used to verify the checksum. If the checksum type in cksum is 0 and key is not NULL, the mandatory checksum type for key will be used. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type.

-
-

Note

-

This function is similar to krb5_k_verify_checksum() , but operates on keyblock key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html b/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html deleted file mode 100644 index 00e0f89..0000000 --- a/doc/html/appdev/refs/api/krb5_c_verify_checksum_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock).¶

-
-
-krb5_error_code krb5_c_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock * key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] data - IOV array

-

[in] num_data - Size of data

-

[out] valid - Non-zero for success, zero for failure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Confirm that the checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.

-
-

See also

-

krb5_c_make_checksum_iov()

-
-
-

Note

-

This function is similar to krb5_k_verify_checksum_iov() , but operates on keyblock key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_calculate_checksum.html b/doc/html/appdev/refs/api/krb5_calculate_checksum.html deleted file mode 100644 index 8ce2a8f..0000000 --- a/doc/html/appdev/refs/api/krb5_calculate_checksum.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_calculate_checksum — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_calculate_checksum¶

-
-
-krb5_error_code krb5_calculate_checksum(krb5_context context, krb5_cksumtype ctype, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length, krb5_checksum * outcksum)¶
-
- - --- - - - -
param:

context

-

ctype

-

in

-

in_length

-

seed

-

seed_length

-

outcksum

-
-

DEPRECATED See krb5_c_make_checksum()

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_cache_match.html b/doc/html/appdev/refs/api/krb5_cc_cache_match.html deleted file mode 100644 index 2a5c1a0..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_cache_match.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_cache_match - Find a credential cache with a specified client principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_cache_match - Find a credential cache with a specified client principal.¶

-
-
-krb5_error_code krb5_cc_cache_match(krb5_context context, krb5_principal client, krb5_ccache * cache_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] client - Client principal

-

[out] cache_out - Credential cache handle

-
- --- - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_CC_NOTFOUND None
    • -
-
-

Find a cache within the collection whose default principal is client . Use krb5_cc_close to close ccache when it is no longer needed.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_close.html b/doc/html/appdev/refs/api/krb5_cc_close.html deleted file mode 100644 index 380e0b9..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_close.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_cc_close - Close a credential cache handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_close - Close a credential cache handle.¶

-
-
-krb5_error_code krb5_cc_close(krb5_context context, krb5_ccache cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function closes a credential cache handle cache without affecting the contents of the cache.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_copy_creds.html b/doc/html/appdev/refs/api/krb5_cc_copy_creds.html deleted file mode 100644 index 0e09b64..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_copy_creds.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_cc_copy_creds - Copy a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_copy_creds - Copy a credential cache.¶

-
-
-krb5_error_code krb5_cc_copy_creds(krb5_context context, krb5_ccache incc, krb5_ccache outcc)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] incc - Credential cache to be copied

-

[out] outcc - Copy of credential cache to be filled in

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_default.html b/doc/html/appdev/refs/api/krb5_cc_default.html deleted file mode 100644 index 37bac6e..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_default.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_cc_default - Resolve the default credential cache name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_default - Resolve the default credential cache name.¶

-
-
-krb5_error_code krb5_cc_default(krb5_context context, krb5_ccache * ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] ccache - Pointer to credential cache name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KV5M_CONTEXT Bad magic number for _krb5_context structure
    • -
  • KRB5_FCC_INTERNAL The name of the default credential cache cannot be obtained
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Create a handle to the default credential cache as given by krb5_cc_default_name() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_default_name.html b/doc/html/appdev/refs/api/krb5_cc_default_name.html deleted file mode 100644 index a2b0e8f..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_default_name.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_cc_default_name - Return the name of the default credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_default_name - Return the name of the default credential cache.¶

-
-
-const char * krb5_cc_default_name(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
- --- - - - -
return:
    -
  • Name of default credential cache for the current user.
    • -
-
-

Return a pointer to the default credential cache name for context , as determined by a prior call to krb5_cc_set_default_name() , by the KRB5CCNAME environment variable, by the default_ccache_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when context is destroyed krb5_free_context() or if a subsequent call to krb5_cc_set_default_name() is made on context .

-

The default credential cache name is cached in context between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke krb5_cc_set_default_name() with a NULL value of name to clear the cached value and force the default name to be recomputed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_destroy.html b/doc/html/appdev/refs/api/krb5_cc_destroy.html deleted file mode 100644 index eca3256..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_destroy.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_cc_destroy - Destroy a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_destroy - Destroy a credential cache.¶

-
-
-krb5_error_code krb5_cc_destroy(krb5_context context, krb5_ccache cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Permission errors
    • -
-
-

This function destroys any existing contents of cache and closes the handle to it.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_dup.html b/doc/html/appdev/refs/api/krb5_cc_dup.html deleted file mode 100644 index 42401f0..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_dup.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_cc_dup - Duplicate ccache handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_dup - Duplicate ccache handle.¶

-
-
-krb5_error_code krb5_cc_dup(krb5_context context, krb5_ccache in, krb5_ccache * out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] in - Credential cache handle to be duplicated

-

[out] out - Credential cache handle

-
-

Create a new handle referring to the same cache as in . The new handle and in can be closed independently.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html b/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html deleted file mode 100644 index 7c8c181..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_end_seq_get.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries.¶

-
-
-krb5_error_code krb5_cc_end_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] cursor - Cursor

-
- --- - - - -
retval:
    -
  • 0 (always)
    • -
-
-

This function finishes processing credential cache entries and invalidates cursor .

-
-

See also

-

krb5_cc_start_seq_get() , krb5_cc_next_cred()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_gen_new.html b/doc/html/appdev/refs/api/krb5_cc_gen_new.html deleted file mode 100644 index f557751..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_gen_new.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_cc_gen_new — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_gen_new¶

-
-
-krb5_error_code krb5_cc_gen_new(krb5_context context, krb5_ccache * cache)¶
-
- - --- - - - -
param:

context

-

cache

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_config.html b/doc/html/appdev/refs/api/krb5_cc_get_config.html deleted file mode 100644 index 6c4357a..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_config.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_cc_get_config - Get a configuration value from a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_config - Get a configuration value from a credential cache.¶

-
-
-krb5_error_code krb5_cc_get_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] id - Credential cache handle

-

[in] principal - Configuration for this principal; if NULL, global for the whole cache

-

[in] key - Name of config variable

-

[out] data - Data to be fetched

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Use krb5_free_data_contents() to free data when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_flags.html b/doc/html/appdev/refs/api/krb5_cc_get_flags.html deleted file mode 100644 index 9907e48..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_flags.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_cc_get_flags - Retrieve flags from a credential cache structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_flags - Retrieve flags from a credential cache structure.¶

-
-
-krb5_error_code krb5_cc_get_flags(krb5_context context, krb5_ccache cache, krb5_flags * flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[out] flags - Flag bit mask

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-

Warning

-

For memory credential cache always returns a flag mask of 0.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_full_name.html b/doc/html/appdev/refs/api/krb5_cc_get_full_name.html deleted file mode 100644 index cf3cc85..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_full_name.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_cc_get_full_name - Retrieve the full name of a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_full_name - Retrieve the full name of a credential cache.¶

-
-
-krb5_error_code krb5_cc_get_full_name(krb5_context context, krb5_ccache cache, char ** fullname_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[out] fullname_out - Full name of cache

-
-

Use krb5_free_string() to free fullname_out when it is no longer needed.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_name.html b/doc/html/appdev/refs/api/krb5_cc_get_name.html deleted file mode 100644 index c6822f1..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_name.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_cc_get_name - Retrieve the name, but not type of a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_name - Retrieve the name, but not type of a credential cache.¶

-
-
-const char * krb5_cc_get_name(krb5_context context, krb5_ccache cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-
- --- - - - -
return:
    -
  • On success - the name of the credential cache.
    • -
-
-
-

Warning

-

Returns the name of the credential cache. The result is an alias into cache and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to krb5_cc_resolve() .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_principal.html b/doc/html/appdev/refs/api/krb5_cc_get_principal.html deleted file mode 100644 index ea4ed34..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_principal.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_cc_get_principal - Get the default principal of a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_principal - Get the default principal of a credential cache.¶

-
-
-krb5_error_code krb5_cc_get_principal(krb5_context context, krb5_ccache cache, krb5_principal * principal)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[out] principal - Primary principal

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Returns the default client principal of a credential cache as set by krb5_cc_initialize() .

-

Use krb5_free_principal() to free principal when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_get_type.html b/doc/html/appdev/refs/api/krb5_cc_get_type.html deleted file mode 100644 index f0091a0..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_get_type.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_cc_get_type - Retrieve the type of a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_get_type - Retrieve the type of a credential cache.¶

-
-
-const char * krb5_cc_get_type(krb5_context context, krb5_ccache cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-
- --- - - - -
return:
    -
  • The type of a credential cache as an alias that must not be modified or freed by the caller.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_initialize.html b/doc/html/appdev/refs/api/krb5_cc_initialize.html deleted file mode 100644 index 4ea4d69..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_initialize.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_initialize - Initialize a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_initialize - Initialize a credential cache.¶

-
-
-krb5_error_code krb5_cc_initialize(krb5_context context, krb5_ccache cache, krb5_principal principal)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] principal - Default principal name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • System errors; Permission errors; Kerberos error codes
    • -
-
-

Destroy any existing contents of cache and initialize it for the default principal principal .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_last_change_time.html b/doc/html/appdev/refs/api/krb5_cc_last_change_time.html deleted file mode 100644 index 500c13c..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_last_change_time.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_cc_last_change_time - Return a timestamp of the last modification to a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_last_change_time - Return a timestamp of the last modification to a credential cache.¶

-
-
-krb5_error_code krb5_cc_last_change_time(krb5_context context, krb5_ccache ccache, krb5_timestamp * change_time)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ccache - Credential cache handle

-

[out] change_time - The last change time of ccache

-
-

If an error occurs, change_time is set to 0.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_lock.html b/doc/html/appdev/refs/api/krb5_cc_lock.html deleted file mode 100644 index 617adb1..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_lock.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_cc_lock - Lock a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_lock - Lock a credential cache.¶

-
-
-krb5_error_code krb5_cc_lock(krb5_context context, krb5_ccache ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ccache - Credential cache handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_cc_unlock() to unlock the lock.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_move.html b/doc/html/appdev/refs/api/krb5_cc_move.html deleted file mode 100644 index 830e781..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_move.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_move - Move a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_move - Move a credential cache.¶

-
-
-krb5_error_code krb5_cc_move(krb5_context context, krb5_ccache src, krb5_ccache dst)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] src - The credential cache to move the content from

-

[in] dst - The credential cache to move the content to

-
- --- - - - - - -
retval:
    -
  • 0 Success; src is closed.
    • -
-
return:
    -
  • Kerberos error codes; src is still allocated.
    • -
-
-

This function reinitializes dst and populates it with the credentials and default principal of src ; then, if successful, destroys src .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_new_unique.html b/doc/html/appdev/refs/api/krb5_cc_new_unique.html deleted file mode 100644 index 25c17c2..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_new_unique.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name.¶

-
-
-krb5_error_code krb5_cc_new_unique(krb5_context context, const char * type, const char * hint, krb5_ccache * id)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] type - Credential cache type name

-

[in] hint - Unused

-

[out] id - Credential cache handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_next_cred.html b/doc/html/appdev/refs/api/krb5_cc_next_cred.html deleted file mode 100644 index 101847f..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_next_cred.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_cc_next_cred - Retrieve the next entry from the credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_next_cred - Retrieve the next entry from the credential cache.¶

-
-
-krb5_error_code krb5_cc_next_cred(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] cursor - Cursor

-

[out] creds - Next credential cache entry

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function fills in creds with the next entry in cache and advances cursor .

-

Use krb5_free_cred_contents() to free creds when it is no longer needed.

-
-

See also

-

krb5_cc_start_seq_get() , krb5_end_seq_get()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_remove_cred.html b/doc/html/appdev/refs/api/krb5_cc_remove_cred.html deleted file mode 100644 index 9dd9629..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_remove_cred.html +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - krb5_cc_remove_cred - Remove credentials from a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_remove_cred - Remove credentials from a credential cache.¶

-
-
-krb5_error_code krb5_cc_remove_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] flags - Bitwise-ORed search flags

-

[in] creds - Credentials to be matched

-
- --- - - - - - -
retval:
    -
  • KRB5_CC_NOSUPP Not implemented for this cache type
    • -
-
return:
    -
  • No matches found; Data cannot be deleted; Kerberos error codes
    • -
-
-

This function accepts the same flag values as krb5_cc_retrieve_cred() .

-
-

Warning

-

This function is not implemented for some cache types.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_resolve.html b/doc/html/appdev/refs/api/krb5_cc_resolve.html deleted file mode 100644 index aff52bf..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_resolve.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_resolve - Resolve a credential cache name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_resolve - Resolve a credential cache name.¶

-
-
-krb5_error_code krb5_cc_resolve(krb5_context context, const char * name, krb5_ccache * cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - Credential cache name to be resolved

-

[out] cache - Credential cache handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Fills in cache with a cache handle that corresponds to the name in name . name should be of the form type:residual , and type must be a type known to the library. If the name does not contain a colon, interpret it as a file name.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html b/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html deleted file mode 100644 index a44ec7b..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_retrieve_cred.html +++ /dev/null @@ -1,194 +0,0 @@ - - - - - - - - krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache.¶

-
-
-krb5_error_code krb5_cc_retrieve_cred(krb5_context context, krb5_ccache cache, krb5_flags flags, krb5_creds * mcreds, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] flags - Flags bit mask

-

[in] mcreds - Credentials to match

-

[out] creds - Credentials matching the requested value

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function searches a credential cache for credentials matching mcreds and returns it if found.

-

Valid values for flags are:

-
-
-
-
-

Use krb5_free_cred_contents() to free creds when it is no longer needed.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_select.html b/doc/html/appdev/refs/api/krb5_cc_select.html deleted file mode 100644 index 2568180..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_select.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_cc_select - Select a credential cache to use with a server principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_select - Select a credential cache to use with a server principal.¶

-
-
-krb5_error_code krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache * cache_out, krb5_principal * princ_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] server - Server principal

-

[out] cache_out - Credential cache handle

-

[out] princ_out - Client principal

-
- --- - - - -
return:
    -
  • If an appropriate cache is found, 0 is returned, cache_out is set to the selected cache, and princ_out is set to the default principal of that cache.
    • -
-
-

Select a cache within the collection containing credentials most appropriate for use with server , according to configured rules and heuristics.

-

Use krb5_cc_close() to release cache_out when it is no longer needed. Use krb5_free_principal() to release princ_out when it is no longer needed. Note that princ_out is set in some error conditions.

-

If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5_CC_NOTFOUND is returned, cache_out is set to NULL, and princ_out is set to the appropriate client principal.

-

If no configured mechanism can determine the appropriate cache or principal, KRB5_CC_NOTFOUND is returned and cache_out and princ_out are set to NULL.

-

Any other error code indicates a fatal error in the processing of a cache selection mechanism.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_set_config.html b/doc/html/appdev/refs/api/krb5_cc_set_config.html deleted file mode 100644 index be95de3..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_set_config.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_cc_set_config - Store a configuration value in a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_set_config - Store a configuration value in a credential cache.¶

-
-
-krb5_error_code krb5_cc_set_config(krb5_context context, krb5_ccache id, krb5_const_principal principal, const char * key, krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] id - Credential cache handle

-

[in] principal - Configuration for a specific principal; if NULL, global for the whole cache

-

[in] key - Name of config variable

-

[in] data - Data to store, or NULL to remove

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-
-

Warning

-

Before version 1.10 data was assumed to be always non-null.

-
-
-

Note

-

Existing configuration under the same key is over-written.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_set_default_name.html b/doc/html/appdev/refs/api/krb5_cc_set_default_name.html deleted file mode 100644 index 45870ed..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_set_default_name.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_cc_set_default_name - Set the default credential cache name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_set_default_name - Set the default credential cache name.¶

-
-
-krb5_error_code krb5_cc_set_default_name(krb5_context context, const char * name)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - Default credential cache name or NULL

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KV5M_CONTEXT Bad magic number for _krb5_context structure
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Set the default credential cache name to name for future operations using context . If name is NULL, clear any previous application-set default name and forget any cached value of the default name for context .

-

Calls to this function invalidate the result of any previous calls to krb5_cc_default_name() using context .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_set_flags.html b/doc/html/appdev/refs/api/krb5_cc_set_flags.html deleted file mode 100644 index 86aeda2..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_set_flags.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_cc_set_flags - Set options flags on a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_set_flags - Set options flags on a credential cache.¶

-
-
-krb5_error_code krb5_cc_set_flags(krb5_context context, krb5_ccache cache, krb5_flags flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] flags - Flag bit mask

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function resets cache flags to flags .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html b/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html deleted file mode 100644 index ba79148..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_start_seq_get.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache.¶

-
-
-krb5_error_code krb5_cc_start_seq_get(krb5_context context, krb5_ccache cache, krb5_cc_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[out] cursor - Cursor

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-
krb5_cc_end_seq_get() must be called to complete the retrieve operation.
-
-

Note

-

If cache is modified between the time of the call to this function and the time of the final krb5_cc_end_seq_get() , the results are undefined.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_store_cred.html b/doc/html/appdev/refs/api/krb5_cc_store_cred.html deleted file mode 100644 index 2713be7..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_store_cred.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_cc_store_cred - Store credentials in a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_store_cred - Store credentials in a credential cache.¶

-
-
-krb5_error_code krb5_cc_store_cred(krb5_context context, krb5_ccache cache, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-

[in] creds - Credentials to be stored in cache

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Permission errors; storage failure errors; Kerberos error codes
    • -
-
-

This function stores creds into cache . If creds->server and the server in the decoded ticket creds->ticket differ, the credentials will be stored under both server principal names.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_support_switch.html b/doc/html/appdev/refs/api/krb5_cc_support_switch.html deleted file mode 100644 index cf0b7f5..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_support_switch.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_cc_support_switch - Determine whether a credential cache type supports switching. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_support_switch - Determine whether a credential cache type supports switching.¶

-
-
-krb5_boolean krb5_cc_support_switch(krb5_context context, const char * type)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] type - Credential cache type

-
- --- - - - -
retval:
    -
  • TRUE if type supports switching
    • -
  • FALSE if it does not or is not a valid credential cache type.
    • -
-
-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_switch.html b/doc/html/appdev/refs/api/krb5_cc_switch.html deleted file mode 100644 index f6d5bd0..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_switch.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_cc_switch - Make a credential cache the primary cache for its collection. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_switch - Make a credential cache the primary cache for its collection.¶

-
-
-krb5_error_code krb5_cc_switch(krb5_context context, krb5_ccache cache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cache - Credential cache handle

-
- --- - - - - - -
retval:
    -
  • 0 Success, or the type of cache doesn’t support switching
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

If the type of cache supports it, set cache to be the primary credential cache for the collection it belongs to.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cc_unlock.html b/doc/html/appdev/refs/api/krb5_cc_unlock.html deleted file mode 100644 index 5688a59..0000000 --- a/doc/html/appdev/refs/api/krb5_cc_unlock.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_cc_unlock - Unlock a credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_unlock - Unlock a credential cache.¶

-
-
-krb5_error_code krb5_cc_unlock(krb5_context context, krb5_ccache ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ccache - Credential cache handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function unlocks the ccache locked by krb5_cc_lock() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html deleted file mode 100644 index 480f763..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_cursor_free.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_cccol_cursor_free - Free a credential cache collection cursor. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_cursor_free - Free a credential cache collection cursor.¶

-
-
-krb5_error_code krb5_cccol_cursor_free(krb5_context context, krb5_cccol_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cursor - Cursor

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-

See also

-

krb5_cccol_cursor_new() , krb5_cccol_cursor_next()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html deleted file mode 100644 index 986414a..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_cursor_new.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches.¶

-
-
-krb5_error_code krb5_cccol_cursor_new(krb5_context context, krb5_cccol_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] cursor - Cursor

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Get a new cache iteration cursor that will iterate over all known credential caches independent of type.

-

Use krb5_cccol_cursor_free() to release cursor when it is no longer needed.

-
-

See also

-

krb5_cccol_cursor_next()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html b/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html deleted file mode 100644 index 5214a04..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_cursor_next.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_cccol_cursor_next - Get the next credential cache in the collection. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_cursor_next - Get the next credential cache in the collection.¶

-
-
-krb5_error_code krb5_cccol_cursor_next(krb5_context context, krb5_cccol_cursor cursor, krb5_ccache * ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cursor - Cursor

-

[out] ccache - Credential cache handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_cc_close() to close ccache when it is no longer needed.

-
-

See also

-

krb5_cccol_cursor_new() , krb5_cccol_cursor_free()

-
-
-

Note

-

When all caches are iterated over and the end of the list is reached, ccache is set to NULL.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_have_content.html b/doc/html/appdev/refs/api/krb5_cccol_have_content.html deleted file mode 100644 index be9a9dc..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_have_content.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_cccol_have_content - Check if the credential cache collection contains any credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_have_content - Check if the credential cache collection contains any credentials.¶

-
-
-krb5_error_code krb5_cccol_have_content(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
- --- - - - -
retval:
    -
  • 0 Credentials are available in the collection
    • -
  • KRB5_CC_NOTFOUND The collection contains no credentials
    • -
-
-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html b/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html deleted file mode 100644 index 2bf8b74..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_last_change_time.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_cccol_last_change_time - Return a timestamp of the last modification of any known credential cache. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_last_change_time - Return a timestamp of the last modification of any known credential cache.¶

-
-
-krb5_error_code krb5_cccol_last_change_time(krb5_context context, krb5_timestamp * change_time)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] change_time - Last modification timestamp

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function returns the most recent modification time of any known credential cache, ignoring any caches which cannot supply a last modification time.

-

If there are no known credential caches, change_time is set to 0.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_lock.html b/doc/html/appdev/refs/api/krb5_cccol_lock.html deleted file mode 100644 index 2a2a651..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_lock.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_cccol_lock - Acquire a global lock for credential caches. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_lock - Acquire a global lock for credential caches.¶

-
-
-krb5_error_code krb5_cccol_lock(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function locks the global credential cache collection, ensuring that no ccaches are added to or removed from it until the collection lock is released.

-

Use krb5_cccol_unlock() to unlock the lock.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cccol_unlock.html b/doc/html/appdev/refs/api/krb5_cccol_unlock.html deleted file mode 100644 index 812636b..0000000 --- a/doc/html/appdev/refs/api/krb5_cccol_unlock.html +++ /dev/null @@ -1,171 +0,0 @@ - - - - - - - - krb5_cccol_unlock - Release a global lock for credential caches. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_unlock - Release a global lock for credential caches.¶

-
-
-krb5_error_code krb5_cccol_unlock(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function unlocks the lock from krb5_cccol_lock() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_change_password.html b/doc/html/appdev/refs/api/krb5_change_password.html deleted file mode 100644 index f653a7b..0000000 --- a/doc/html/appdev/refs/api/krb5_change_password.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_change_password - Change a password for an existing Kerberos account. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_change_password - Change a password for an existing Kerberos account.¶

-
-
-krb5_error_code krb5_change_password(krb5_context context, krb5_creds * creds, const char * newpw, int * result_code, krb5_data * result_code_string, krb5_data * result_string)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] creds - Credentials for kadmin/changepw service

-

[in] newpw - New password

-

[out] result_code - Numeric error code from server

-

[out] result_code_string - String equivalent to result_code

-

[out] result_string - Change password response from the KDC

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Change the password for the existing principal identified by creds .

-

The possible values of the output result_code are:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_check_clockskew.html b/doc/html/appdev/refs/api/krb5_check_clockskew.html deleted file mode 100644 index c97c1aa..0000000 --- a/doc/html/appdev/refs/api/krb5_check_clockskew.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time.¶

-
-
-krb5_error_code krb5_check_clockskew(krb5_context context, krb5_timestamp date)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] date - Timestamp to check

-
- --- - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5KRB_AP_ERR_SKEW date is not within allowable clock skew
    • -
-
-

This function checks if date is close enough to the current time according to the configured allowable clock skew.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_checksum_size.html b/doc/html/appdev/refs/api/krb5_checksum_size.html deleted file mode 100644 index 7ae9e8e..0000000 --- a/doc/html/appdev/refs/api/krb5_checksum_size.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_checksum_size — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_checksum_size¶

-
-
-size_t krb5_checksum_size(krb5_context context, krb5_cksumtype ctype)¶
-
- - --- - - - -
param:

context

-

ctype

-
-

DEPRECATED See krb5_c_checksum_length()

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_chpw_message.html b/doc/html/appdev/refs/api/krb5_chpw_message.html deleted file mode 100644 index be47d41..0000000 --- a/doc/html/appdev/refs/api/krb5_chpw_message.html +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - krb5_chpw_message - Get a result message for changing or setting a password. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_chpw_message - Get a result message for changing or setting a password.¶

-
-
-krb5_error_code krb5_chpw_message(krb5_context context, const krb5_data * server_string, char ** message_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] server_string - Data returned from the remote system

-

[out] message_out - A message displayable to the user

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function processes the server_string returned in the result_string parameter of krb5_change_password() , krb5_set_password() , and related functions, and returns a displayable string. If server_string contains Active Directory structured policy information, it will be converted into human-readable text.

-

Use krb5_free_string() to free message_out when it is no longer needed.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html b/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html deleted file mode 100644 index 3ee095f..0000000 --- a/doc/html/appdev/refs/api/krb5_cksumtype_to_string.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_cksumtype_to_string - Convert a checksum type to a string. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cksumtype_to_string - Convert a checksum type to a string.¶

-
-
-krb5_error_code krb5_cksumtype_to_string(krb5_cksumtype cksumtype, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] cksumtype - Checksum type

-

[out] buffer - Buffer to hold converted checksum type

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_clear_error_message.html b/doc/html/appdev/refs/api/krb5_clear_error_message.html deleted file mode 100644 index 414b4cc..0000000 --- a/doc/html/appdev/refs/api/krb5_clear_error_message.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_clear_error_message - Clear the extended error message in a context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_clear_error_message - Clear the extended error message in a context.¶

-
-
-void krb5_clear_error_message(krb5_context ctx)¶
-
- - --- - - - -
param:[in] ctx - Library context
-

This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_addresses.html b/doc/html/appdev/refs/api/krb5_copy_addresses.html deleted file mode 100644 index 252a095..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_addresses.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_addresses - Copy an array of addresses. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_addresses - Copy an array of addresses.¶

-
-
-krb5_error_code krb5_copy_addresses(krb5_context context, krb5_address *const * inaddr, krb5_address *** outaddr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] inaddr - Array of addresses to be copied

-

[out] outaddr - Copy of array of addresses

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new address array containing a copy of inaddr . Use krb5_free_addresses() to free outaddr when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_authdata.html b/doc/html/appdev/refs/api/krb5_copy_authdata.html deleted file mode 100644 index 5dd06b2..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_authdata.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_copy_authdata - Copy an authorization data list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_authdata - Copy an authorization data list.¶

-
-
-krb5_error_code krb5_copy_authdata(krb5_context context, krb5_authdata *const * in_authdat, krb5_authdata *** out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] in_authdat - List of krb5_authdata structures

-

[out] out - New array of krb5_authdata structures

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new authorization data list containing a copy of in_authdat , which must be null-terminated. Use krb5_free_authdata() to free out when it is no longer needed.

-
-

Note

-

The last array entry in in_authdat must be a NULL pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_authenticator.html b/doc/html/appdev/refs/api/krb5_copy_authenticator.html deleted file mode 100644 index cab8545..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_authenticator.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_authenticator - Copy a krb5_authenticator structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_authenticator - Copy a krb5_authenticator structure.¶

-
-
-krb5_error_code krb5_copy_authenticator(krb5_context context, const krb5_authenticator * authfrom, krb5_authenticator ** authto)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] authfrom - krb5_authenticator structure to be copied

-

[out] authto - Copy of krb5_authenticator structure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new krb5_authenticator structure with the content of authfrom . Use krb5_free_authenticator() to free authto when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_checksum.html b/doc/html/appdev/refs/api/krb5_copy_checksum.html deleted file mode 100644 index ecc9cb0..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_checksum.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_checksum - Copy a krb5_checksum structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_checksum - Copy a krb5_checksum structure.¶

-
-
-krb5_error_code krb5_copy_checksum(krb5_context context, const krb5_checksum * ckfrom, krb5_checksum ** ckto)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ckfrom - Checksum to be copied

-

[out] ckto - Copy of krb5_checksum structure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new krb5_checksum structure with the contents of ckfrom . Use krb5_free_checksum() to free ckto when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_context.html b/doc/html/appdev/refs/api/krb5_copy_context.html deleted file mode 100644 index 952c63d..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_context.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_copy_context - Copy a krb5_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_context - Copy a krb5_context structure.¶

-
-
-krb5_error_code krb5_copy_context(krb5_context ctx, krb5_context * nctx_out)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[out] nctx_out - New context structure

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

The newly created context must be released by calling krb5_free_context() when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_creds.html b/doc/html/appdev/refs/api/krb5_copy_creds.html deleted file mode 100644 index 386e5a5..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_creds.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_creds - Copy a krb5_creds structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_creds - Copy a krb5_creds structure.¶

-
-
-krb5_error_code krb5_copy_creds(krb5_context context, const krb5_creds * incred, krb5_creds ** outcred)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] incred - Credentials structure to be copied

-

[out] outcred - Copy of incred

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new credential with the contents of incred . Use krb5_free_creds() to free outcred when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_data.html b/doc/html/appdev/refs/api/krb5_copy_data.html deleted file mode 100644 index daaff63..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_data.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_data - Copy a krb5_data object. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_data - Copy a krb5_data object.¶

-
-
-krb5_error_code krb5_copy_data(krb5_context context, const krb5_data * indata, krb5_data ** outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] indata - Data object to be copied

-

[out] outdata - Copy of indata

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new krb5_data object with the contents of indata . Use krb5_free_data() to free outdata when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_error_message.html b/doc/html/appdev/refs/api/krb5_copy_error_message.html deleted file mode 100644 index ffcd711..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_error_message.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_copy_error_message - Copy the most recent extended error message from one context to another. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_error_message - Copy the most recent extended error message from one context to another.¶

-
-
-void krb5_copy_error_message(krb5_context dest_ctx, krb5_context src_ctx)¶
-
- - --- - - - -
param:

[in] dest_ctx - Library context to copy message to

-

[in] src_ctx - Library context with current message

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_keyblock.html b/doc/html/appdev/refs/api/krb5_copy_keyblock.html deleted file mode 100644 index e55ddf1..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_keyblock.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_keyblock - Copy a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_keyblock - Copy a keyblock.¶

-
-
-krb5_error_code krb5_copy_keyblock(krb5_context context, const krb5_keyblock * from, krb5_keyblock ** to)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] from - Keyblock to be copied

-

[out] to - Copy of keyblock from

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new keyblock with the same contents as from . Use krb5_free_keyblock() to free to when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html b/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html deleted file mode 100644 index d0afb50..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_keyblock_contents.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_keyblock_contents - Copy the contents of a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_keyblock_contents - Copy the contents of a keyblock.¶

-
-
-krb5_error_code krb5_copy_keyblock_contents(krb5_context context, const krb5_keyblock * from, krb5_keyblock * to)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] from - Key to be copied

-

[out] to - Output key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function copies the contents of from to to . Use krb5_free_keyblock_contents() to free to when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_principal.html b/doc/html/appdev/refs/api/krb5_copy_principal.html deleted file mode 100644 index 6378300..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_principal.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_principal - Copy a principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_principal - Copy a principal.¶

-
-
-krb5_error_code krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal * outprinc)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] inprinc - Principal to be copied

-

[out] outprinc - Copy of inprinc

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new principal structure with the contents of inprinc . Use krb5_free_principal() to free outprinc when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_copy_ticket.html b/doc/html/appdev/refs/api/krb5_copy_ticket.html deleted file mode 100644 index 3f8dfb0..0000000 --- a/doc/html/appdev/refs/api/krb5_copy_ticket.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_copy_ticket - Copy a krb5_ticket structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_copy_ticket - Copy a krb5_ticket structure.¶

-
-
-krb5_error_code krb5_copy_ticket(krb5_context context, const krb5_ticket * from, krb5_ticket ** pto)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] from - Ticket to be copied

-

[out] pto - Copy of ticket

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new krb5_ticket structure containing the contents of from . Use krb5_free_ticket() to free pto when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_decode_authdata_container.html b/doc/html/appdev/refs/api/krb5_decode_authdata_container.html deleted file mode 100644 index 3c1fa5d..0000000 --- a/doc/html/appdev/refs/api/krb5_decode_authdata_container.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_decode_authdata_container - Unwrap authorization data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_decode_authdata_container - Unwrap authorization data.¶

-
-
-krb5_error_code krb5_decode_authdata_container(krb5_context context, krb5_authdatatype type, const krb5_authdata * container, krb5_authdata *** authdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] type - KRB5_AUTHDATA type of container

-

[in] container - Authorization data to be decoded

-

[out] authdata - List of decoded authorization data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-

See also

-

krb5_encode_authdata_container()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_decode_ticket.html b/doc/html/appdev/refs/api/krb5_decode_ticket.html deleted file mode 100644 index a330381..0000000 --- a/doc/html/appdev/refs/api/krb5_decode_ticket.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_decode_ticket - Decode an ASN.1-formatted ticket. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_decode_ticket - Decode an ASN.1-formatted ticket.¶

-
-
-krb5_error_code krb5_decode_ticket(const krb5_data * code, krb5_ticket ** rep)¶
-
- - --- - - - -
param:

[in] code - ASN.1-formatted ticket

-

[out] rep - Decoded ticket information

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_decrypt.html b/doc/html/appdev/refs/api/krb5_decrypt.html deleted file mode 100644 index 8db9875..0000000 --- a/doc/html/appdev/refs/api/krb5_decrypt.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_decrypt — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_decrypt¶

-
-
-krb5_error_code krb5_decrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec)¶
-
- - --- - - - -
param:

context

-

inptr

-

outptr

-

size

-

eblock

-

ivec

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_deltat_to_string.html b/doc/html/appdev/refs/api/krb5_deltat_to_string.html deleted file mode 100644 index efd1dfb..0000000 --- a/doc/html/appdev/refs/api/krb5_deltat_to_string.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_deltat_to_string - Convert a relative time value to a string. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_deltat_to_string - Convert a relative time value to a string.¶

-
-
-krb5_error_code krb5_deltat_to_string(krb5_deltat deltat, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] deltat - Relative time value to convert

-

[out] buffer - Buffer to hold time string

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_eblock_enctype.html b/doc/html/appdev/refs/api/krb5_eblock_enctype.html deleted file mode 100644 index bb6d22e..0000000 --- a/doc/html/appdev/refs/api/krb5_eblock_enctype.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_eblock_enctype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_eblock_enctype¶

-
-
-krb5_enctype krb5_eblock_enctype(krb5_context context, const krb5_encrypt_block * eblock)¶
-
- - --- - - - -
param:

context

-

eblock

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_encode_authdata_container.html b/doc/html/appdev/refs/api/krb5_encode_authdata_container.html deleted file mode 100644 index 9c1951f..0000000 --- a/doc/html/appdev/refs/api/krb5_encode_authdata_container.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_encode_authdata_container - Wrap authorization data in a container. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_encode_authdata_container - Wrap authorization data in a container.¶

-
-
-krb5_error_code krb5_encode_authdata_container(krb5_context context, krb5_authdatatype type, krb5_authdata *const * authdata, krb5_authdata *** container)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] type - KRB5_AUTHDATA type of container

-

[in] authdata - List of authorization data to be encoded

-

[out] container - List of encoded authorization data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

The result is returned in container as a single-element list.

-
-

See also

-

krb5_decode_authdata_container()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_encrypt.html b/doc/html/appdev/refs/api/krb5_encrypt.html deleted file mode 100644 index 887b0b9..0000000 --- a/doc/html/appdev/refs/api/krb5_encrypt.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_encrypt — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_encrypt¶

-
-
-krb5_error_code krb5_encrypt(krb5_context context, krb5_const_pointer inptr, krb5_pointer outptr, size_t size, krb5_encrypt_block * eblock, krb5_pointer ivec)¶
-
- - --- - - - -
param:

context

-

inptr

-

outptr

-

size

-

eblock

-

ivec

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_encrypt_size.html b/doc/html/appdev/refs/api/krb5_encrypt_size.html deleted file mode 100644 index 6a927c5..0000000 --- a/doc/html/appdev/refs/api/krb5_encrypt_size.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_encrypt_size — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_encrypt_size¶

-
-
-size_t krb5_encrypt_size(size_t length, krb5_enctype crypto)¶
-
- - --- - - - -
param:

length

-

crypto

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_enctype_to_name.html b/doc/html/appdev/refs/api/krb5_enctype_to_name.html deleted file mode 100644 index e3f4c22..0000000 --- a/doc/html/appdev/refs/api/krb5_enctype_to_name.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_enctype_to_name - Convert an encryption type to a name or alias. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enctype_to_name - Convert an encryption type to a name or alias.¶

-
-
-krb5_error_code krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] enctype - Encryption type

-

[in] shortest - Flag

-

[out] buffer - Buffer to hold encryption type string

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

If shortest is FALSE, this function returns the enctype’s canonical name (like”aes128-cts-hmac-sha1-96”). If shortest is TRUE, it return the enctype’s shortest alias (like”aes128-cts”).

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_enctype_to_string.html b/doc/html/appdev/refs/api/krb5_enctype_to_string.html deleted file mode 100644 index 045ff99..0000000 --- a/doc/html/appdev/refs/api/krb5_enctype_to_string.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_enctype_to_string - Convert an encryption type to a string. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enctype_to_string - Convert an encryption type to a string.¶

-
-
-krb5_error_code krb5_enctype_to_string(krb5_enctype enctype, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] enctype - Encryption type

-

[out] buffer - Buffer to hold encryption type string

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_expand_hostname.html b/doc/html/appdev/refs/api/krb5_expand_hostname.html deleted file mode 100644 index de9b523..0000000 --- a/doc/html/appdev/refs/api/krb5_expand_hostname.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_expand_hostname - Canonicalize a hostname, possibly using name service. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_expand_hostname - Canonicalize a hostname, possibly using name service.¶

-
-
-krb5_error_code krb5_expand_hostname(krb5_context context, const char * host, char ** canonhost_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] host - Input hostname

-

[out] canonhost_out - Canonicalized hostname

-
-

This function canonicalizes orig_hostname, possibly using name service lookups if configuration permits. Use krb5_free_string() to free canonhost_out when it is no longer needed.

-
-

Note

-

New in 1.15

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_find_authdata.html b/doc/html/appdev/refs/api/krb5_find_authdata.html deleted file mode 100644 index 80e1257..0000000 --- a/doc/html/appdev/refs/api/krb5_find_authdata.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_find_authdata - Find authorization data elements. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_find_authdata - Find authorization data elements.¶

-
-
-krb5_error_code krb5_find_authdata(krb5_context context, krb5_authdata *const * ticket_authdata, krb5_authdata *const * ap_req_authdata, krb5_authdatatype ad_type, krb5_authdata *** results)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ticket_authdata - Authorization data list from ticket

-

[in] ap_req_authdata - Authorization data list from AP request

-

[in] ad_type - Authorization data type to find

-

[out] results - List of matching entries

-
-

This function searches ticket_authdata and ap_req_authdata for elements of type ad_type . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use krb5_free_authdata() to free results when it is no longer needed.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_finish_key.html b/doc/html/appdev/refs/api/krb5_finish_key.html deleted file mode 100644 index 83db2d9..0000000 --- a/doc/html/appdev/refs/api/krb5_finish_key.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_finish_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_finish_key¶

-
-
-krb5_error_code krb5_finish_key(krb5_context context, krb5_encrypt_block * eblock)¶
-
- - --- - - - -
param:

context

-

eblock

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_finish_random_key.html b/doc/html/appdev/refs/api/krb5_finish_random_key.html deleted file mode 100644 index 8f128f9..0000000 --- a/doc/html/appdev/refs/api/krb5_finish_random_key.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_finish_random_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_finish_random_key¶

-
-
-krb5_error_code krb5_finish_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer * ptr)¶
-
- - --- - - - -
param:

context

-

eblock

-

ptr

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_addresses.html b/doc/html/appdev/refs/api/krb5_free_addresses.html deleted file mode 100644 index ec686fd..0000000 --- a/doc/html/appdev/refs/api/krb5_free_addresses.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_free_addresses - Free the data stored in array of addresses. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_addresses - Free the data stored in array of addresses.¶

-
-
-void krb5_free_addresses(krb5_context context, krb5_address ** val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Array of addresses to be freed

-
-

This function frees the contents of val and the array itself.

-
-

Note

-

The last entry in the array must be a NULL pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html b/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html deleted file mode 100644 index 87f6fcc..0000000 --- a/doc/html/appdev/refs/api/krb5_free_ap_rep_enc_part.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure.¶

-
-
-void krb5_free_ap_rep_enc_part(krb5_context context, krb5_ap_rep_enc_part * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - AP-REP enc part to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_authdata.html b/doc/html/appdev/refs/api/krb5_free_authdata.html deleted file mode 100644 index b6d3996..0000000 --- a/doc/html/appdev/refs/api/krb5_free_authdata.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_free_authdata - Free the storage assigned to array of authentication data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_authdata - Free the storage assigned to array of authentication data.¶

-
-
-void krb5_free_authdata(krb5_context context, krb5_authdata ** val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Array of authentication data to be freed

-
-

This function frees the contents of val and the array itself.

-
-

Note

-

The last entry in the array must be a NULL pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_authenticator.html b/doc/html/appdev/refs/api/krb5_free_authenticator.html deleted file mode 100644 index 8b9f8ce..0000000 --- a/doc/html/appdev/refs/api/krb5_free_authenticator.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_authenticator - Free a krb5_authenticator structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_authenticator - Free a krb5_authenticator structure.¶

-
-
-void krb5_free_authenticator(krb5_context context, krb5_authenticator * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Authenticator structure to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_checksum.html b/doc/html/appdev/refs/api/krb5_free_checksum.html deleted file mode 100644 index dd7b6e2..0000000 --- a/doc/html/appdev/refs/api/krb5_free_checksum.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_checksum - Free a krb5_checksum structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_checksum - Free a krb5_checksum structure.¶

-
-
-void krb5_free_checksum(krb5_context context, register krb5_checksum * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Checksum structure to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_checksum_contents.html b/doc/html/appdev/refs/api/krb5_free_checksum_contents.html deleted file mode 100644 index 05c8a6e..0000000 --- a/doc/html/appdev/refs/api/krb5_free_checksum_contents.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_checksum_contents - Free the contents of a krb5_checksum structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_checksum_contents - Free the contents of a krb5_checksum structure.¶

-
-
-void krb5_free_checksum_contents(krb5_context context, register krb5_checksum * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Checksum structure to free contents of

-
-

This function frees the contents of val , but not the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_cksumtypes.html b/doc/html/appdev/refs/api/krb5_free_cksumtypes.html deleted file mode 100644 index a81b72f..0000000 --- a/doc/html/appdev/refs/api/krb5_free_cksumtypes.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_free_cksumtypes - Free an array of checksum types. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_cksumtypes - Free an array of checksum types.¶

-
-
-void krb5_free_cksumtypes(krb5_context context, krb5_cksumtype * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Array of checksum types to be freed

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_context.html b/doc/html/appdev/refs/api/krb5_free_context.html deleted file mode 100644 index 0b75121..0000000 --- a/doc/html/appdev/refs/api/krb5_free_context.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_free_context - Free a krb5 library context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_context - Free a krb5 library context.¶

-
-
-void krb5_free_context(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
-

This function frees a context that was created by krb5_init_context() or krb5_init_secure_context() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_cred_contents.html b/doc/html/appdev/refs/api/krb5_free_cred_contents.html deleted file mode 100644 index 71cec7d..0000000 --- a/doc/html/appdev/refs/api/krb5_free_cred_contents.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_cred_contents - Free the contents of a krb5_creds structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_cred_contents - Free the contents of a krb5_creds structure.¶

-
-
-void krb5_free_cred_contents(krb5_context context, krb5_creds * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Credential structure to free contents of

-
-

This function frees the contents of val , but not the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_creds.html b/doc/html/appdev/refs/api/krb5_free_creds.html deleted file mode 100644 index 86741aa..0000000 --- a/doc/html/appdev/refs/api/krb5_free_creds.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_creds - Free a krb5_creds structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_creds - Free a krb5_creds structure.¶

-
-
-void krb5_free_creds(krb5_context context, krb5_creds * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Credential structure to be freed.

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_data.html b/doc/html/appdev/refs/api/krb5_free_data.html deleted file mode 100644 index 4a3a439..0000000 --- a/doc/html/appdev/refs/api/krb5_free_data.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_data - Free a krb5_data structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_data - Free a krb5_data structure.¶

-
-
-void krb5_free_data(krb5_context context, krb5_data * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Data structure to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_data_contents.html b/doc/html/appdev/refs/api/krb5_free_data_contents.html deleted file mode 100644 index aefab62..0000000 --- a/doc/html/appdev/refs/api/krb5_free_data_contents.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field.¶

-
-
-void krb5_free_data_contents(krb5_context context, krb5_data * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Data structure to free contents of

-
-

This function frees the contents of val , but not the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_default_realm.html b/doc/html/appdev/refs/api/krb5_free_default_realm.html deleted file mode 100644 index b8bd674..0000000 --- a/doc/html/appdev/refs/api/krb5_free_default_realm.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm() .¶

-
-
-void krb5_free_default_realm(krb5_context context, char * lrealm)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] lrealm - Realm to be freed

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_enctypes.html b/doc/html/appdev/refs/api/krb5_free_enctypes.html deleted file mode 100644 index 169c6dc..0000000 --- a/doc/html/appdev/refs/api/krb5_free_enctypes.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_free_enctypes - Free an array of encryption types. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_enctypes - Free an array of encryption types.¶

-
-
-void krb5_free_enctypes(krb5_context context, krb5_enctype * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Array of enctypes to be freed

-
-
-

Note

-

New in 1.12

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_error.html b/doc/html/appdev/refs/api/krb5_free_error.html deleted file mode 100644 index ae3523e..0000000 --- a/doc/html/appdev/refs/api/krb5_free_error.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth() .¶

-
-
-void krb5_free_error(krb5_context context, register krb5_error * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Error data structure to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_error_message.html b/doc/html/appdev/refs/api/krb5_free_error_message.html deleted file mode 100644 index c1cc870..0000000 --- a/doc/html/appdev/refs/api/krb5_free_error_message.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_free_error_message - Free an error message generated by krb5_get_error_message() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_error_message - Free an error message generated by krb5_get_error_message() .¶

-
-
-void krb5_free_error_message(krb5_context ctx, const char * msg)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] msg - Pointer to error message

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_host_realm.html b/doc/html/appdev/refs/api/krb5_free_host_realm.html deleted file mode 100644 index 96a3a5a..0000000 --- a/doc/html/appdev/refs/api/krb5_free_host_realm.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm() .¶

-
-
-krb5_error_code krb5_free_host_realm(krb5_context context, char *const * realmlist)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] realmlist - List of realm names to be released

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_keyblock.html b/doc/html/appdev/refs/api/krb5_free_keyblock.html deleted file mode 100644 index 2028ec2..0000000 --- a/doc/html/appdev/refs/api/krb5_free_keyblock.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_keyblock - Free a krb5_keyblock structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_keyblock - Free a krb5_keyblock structure.¶

-
-
-void krb5_free_keyblock(krb5_context context, register krb5_keyblock * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Keyblock to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html b/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html deleted file mode 100644 index 9163d43..0000000 --- a/doc/html/appdev/refs/api/krb5_free_keyblock_contents.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure.¶

-
-
-void krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock * key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Keyblock to be freed

-
-

This function frees the contents of key , but not the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html b/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html deleted file mode 100644 index 354f9d0..0000000 --- a/doc/html/appdev/refs/api/krb5_free_keytab_entry_contents.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_free_keytab_entry_contents - Free the contents of a key table entry. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_keytab_entry_contents - Free the contents of a key table entry.¶

-
-
-krb5_error_code krb5_free_keytab_entry_contents(krb5_context context, krb5_keytab_entry * entry)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] entry - Key table entry whose contents are to be freed

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-

Note

-

The pointer is not freed.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_principal.html b/doc/html/appdev/refs/api/krb5_free_principal.html deleted file mode 100644 index dcfff13..0000000 --- a/doc/html/appdev/refs/api/krb5_free_principal.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_free_principal - Free the storage assigned to a principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_principal - Free the storage assigned to a principal.¶

-
-
-void krb5_free_principal(krb5_context context, krb5_principal val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Principal to be freed

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_string.html b/doc/html/appdev/refs/api/krb5_free_string.html deleted file mode 100644 index 3fde376..0000000 --- a/doc/html/appdev/refs/api/krb5_free_string.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_free_string - Free a string allocated by a krb5 function. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_string - Free a string allocated by a krb5 function.¶

-
-
-void krb5_free_string(krb5_context context, char * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - String to be freed

-
-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_tgt_creds.html b/doc/html/appdev/refs/api/krb5_free_tgt_creds.html deleted file mode 100644 index c79e99d..0000000 --- a/doc/html/appdev/refs/api/krb5_free_tgt_creds.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_free_tgt_creds - Free an array of credential structures. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_tgt_creds - Free an array of credential structures.¶

-
-
-void krb5_free_tgt_creds(krb5_context context, krb5_creds ** tgts)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] tgts - Null-terminated array of credentials to free

-
-
-

Note

-

The last entry in the array tgts must be a NULL pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_ticket.html b/doc/html/appdev/refs/api/krb5_free_ticket.html deleted file mode 100644 index 3f129f3..0000000 --- a/doc/html/appdev/refs/api/krb5_free_ticket.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_free_ticket - Free a ticket. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_ticket - Free a ticket.¶

-
-
-void krb5_free_ticket(krb5_context context, krb5_ticket * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Ticket to be freed

-
-

This function frees the contents of val and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_free_unparsed_name.html b/doc/html/appdev/refs/api/krb5_free_unparsed_name.html deleted file mode 100644 index 9718c3f..0000000 --- a/doc/html/appdev/refs/api/krb5_free_unparsed_name.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_free_unparsed_name - Free a string representation of a principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_free_unparsed_name - Free a string representation of a principal.¶

-
-
-void krb5_free_unparsed_name(krb5_context context, char * val)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] val - Name string to be freed

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html b/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html deleted file mode 100644 index 38b196c..0000000 --- a/doc/html/appdev/refs/api/krb5_fwd_tgt_creds.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.¶

-
-
-krb5_error_code krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, char * rhost, krb5_principal client, krb5_principal server, krb5_ccache cc, int forwardable, krb5_data * outbuf)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] rhost - Remote host

-

[in] client - Client principal of TGT

-

[in] server - Principal of server to receive TGT

-

[in] cc - Credential cache handle (NULL to use default)

-

[in] forwardable - Whether TGT should be forwardable

-

[out] outbuf - KRB-CRED message

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • ENOMEM Insufficient memory
    • -
  • KRB5_PRINC_NOMATCH Requested principal and ticket do not match
    • -
  • KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
    • -
  • KRB5_CC_BADNAME Credential cache name or principal name malformed
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Get a TGT for use at the remote host rhost and format it into a KRB-CRED message. If rhost is NULL and server is of type KRB5_NT_SRV_HST , the second component of server will be used.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_credentials.html b/doc/html/appdev/refs/api/krb5_get_credentials.html deleted file mode 100644 index d488ea0..0000000 --- a/doc/html/appdev/refs/api/krb5_get_credentials.html +++ /dev/null @@ -1,194 +0,0 @@ - - - - - - - - krb5_get_credentials - Get an additional ticket. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_credentials - Get an additional ticket.¶

-
-
-krb5_error_code krb5_get_credentials(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] options - Options

-

[in] ccache - Credential cache handle

-

[in] in_creds - Input credentials

-

[out] out_creds - Output updated credentials

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Use ccache or a TGS exchange to get a service ticket matching in_creds .

-

Valid values for options are:

-
-
-
-
-

in_creds must be non-null. in_creds->client and in_creds->server must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in in_creds->authdata ; otherwise set in_creds->authdata to NULL. The session key type is specified in in_creds->keyblock.enctype , if it is nonzero.

-
-

The expiration date is specified in in_creds->times.endtime . The KDC may return tickets with an earlier expiration date. If in_creds->times.endtime is set to 0, the latest possible expiration date will be requested.

-

Any returned ticket and intermediate ticket-granting tickets are stored in ccache .

-

Use krb5_free_creds() to free out_creds when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_credentials_renew.html b/doc/html/appdev/refs/api/krb5_get_credentials_renew.html deleted file mode 100644 index 3be1212..0000000 --- a/doc/html/appdev/refs/api/krb5_get_credentials_renew.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_get_credentials_renew — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_credentials_renew¶

-
-
-krb5_error_code krb5_get_credentials_renew(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)¶
-
- - --- - - - -
param:

context

-

options

-

ccache

-

in_creds

-

out_creds

-
-

DEPRECATED Replaced by krb5_get_renewed_creds.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_credentials_validate.html b/doc/html/appdev/refs/api/krb5_get_credentials_validate.html deleted file mode 100644 index 22f9c48..0000000 --- a/doc/html/appdev/refs/api/krb5_get_credentials_validate.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_get_credentials_validate — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_credentials_validate¶

-
-
-krb5_error_code krb5_get_credentials_validate(krb5_context context, krb5_flags options, krb5_ccache ccache, krb5_creds * in_creds, krb5_creds ** out_creds)¶
-
- - --- - - - -
param:

context

-

options

-

ccache

-

in_creds

-

out_creds

-
-

DEPRECATED Replaced by krb5_get_validated_creds.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_default_realm.html b/doc/html/appdev/refs/api/krb5_get_default_realm.html deleted file mode 100644 index 8e85d0a..0000000 --- a/doc/html/appdev/refs/api/krb5_get_default_realm.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_get_default_realm - Retrieve the default realm. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_default_realm - Retrieve the default realm.¶

-
-
-krb5_error_code krb5_get_default_realm(krb5_context context, char ** lrealm)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] lrealm - Default realm name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Retrieves the default realm to be used if no user-specified realm is available.

-

Use krb5_free_default_realm() to free lrealm when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_error_message.html b/doc/html/appdev/refs/api/krb5_get_error_message.html deleted file mode 100644 index 63cea26..0000000 --- a/doc/html/appdev/refs/api/krb5_get_error_message.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_get_error_message - Get the (possibly extended) error message for a code. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_error_message - Get the (possibly extended) error message for a code.¶

-
-
-const char * krb5_get_error_message(krb5_context ctx, krb5_error_code code)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] code - Error code

-
-

The behavior of krb5_get_error_message() is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function.

-

This function never returns NULL, so its result may be used unconditionally as a C string.

-

The string returned by this function must be freed using krb5_free_error_message()

-
-

Note

-

Future versions may return the same string for the second and following calls.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html b/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html deleted file mode 100644 index 9bc8a73..0000000 --- a/doc/html/appdev/refs/api/krb5_get_fallback_host_realm.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_get_fallback_host_realm — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_fallback_host_realm¶

-
-
-krb5_error_code krb5_get_fallback_host_realm(krb5_context context, krb5_data * hdata, char *** realmsp)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] hdata - Host name (or NULL)

-

[out] realmsp - Null-terminated list of realm names

-
-

Fill in realmsp with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals.

-

If host is NULL, the local host’s realms are determined.

-

Use krb5_free_host_realm() to release realmsp when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_host_realm.html b/doc/html/appdev/refs/api/krb5_get_host_realm.html deleted file mode 100644 index 47ab872..0000000 --- a/doc/html/appdev/refs/api/krb5_get_host_realm.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_get_host_realm - Get the Kerberos realm names for a host. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_host_realm - Get the Kerberos realm names for a host.¶

-
-
-krb5_error_code krb5_get_host_realm(krb5_context context, const char * host, char *** realmsp)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] host - Host name (or NULL)

-

[out] realmsp - Null-terminated list of realm names

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • ENOMEM Insufficient memory
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Fill in realmsp with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned.

-

If host is NULL, the local host’s realms are determined.

-

Use krb5_free_host_realm() to release realmsp when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html deleted file mode 100644 index 63f29e9..0000000 --- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_keytab.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_get_in_tkt_with_keytab — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_in_tkt_with_keytab¶

-
-
-krb5_error_code krb5_get_in_tkt_with_keytab(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, krb5_keytab arg_keytab, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply)¶
-
- - --- - - - -
param:

context

-

options

-

addrs

-

ktypes

-

pre_auth_types

-

arg_keytab

-

ccache

-

creds

-

ret_as_reply

-
-

DEPRECATED Replaced by krb5_get_init_creds_keytab() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html deleted file mode 100644 index 813d845..0000000 --- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_password.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_get_in_tkt_with_password — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_in_tkt_with_password¶

-
-
-krb5_error_code krb5_get_in_tkt_with_password(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const char * password, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply)¶
-
- - --- - - - -
param:

context

-

options

-

addrs

-

ktypes

-

pre_auth_types

-

password

-

ccache

-

creds

-

ret_as_reply

-
-

DEPRECATED Replaced by krb5_get_init_creds_password() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html b/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html deleted file mode 100644 index b417c89..0000000 --- a/doc/html/appdev/refs/api/krb5_get_in_tkt_with_skey.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_get_in_tkt_with_skey — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_in_tkt_with_skey¶

-
-
-krb5_error_code krb5_get_in_tkt_with_skey(krb5_context context, krb5_flags options, krb5_address *const * addrs, krb5_enctype * ktypes, krb5_preauthtype * pre_auth_types, const krb5_keyblock * key, krb5_ccache ccache, krb5_creds * creds, krb5_kdc_rep ** ret_as_reply)¶
-
- - --- - - - -
param:

context

-

options

-

addrs

-

ktypes

-

pre_auth_types

-

key

-

ccache

-

creds

-

ret_as_reply

-
-

DEPRECATED Replaced by krb5_get_init_creds().

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html b/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html deleted file mode 100644 index 546a7af..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_keytab.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_get_init_creds_keytab - Get initial credentials using a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_keytab - Get initial credentials using a key table.¶

-
-
-krb5_error_code krb5_get_init_creds_keytab(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] creds - New credentials

-

[in] client - Client principal

-

[in] arg_keytab - Key table handle

-

[in] start_time - Time when ticket becomes valid (0 for now)

-

[in] in_tkt_service - Service name of initial credentials (or NULL)

-

[in] k5_gic_options - Initial credential options

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function requests KDC for an initial credentials for client using a client key stored in arg_keytab . If in_tkt_service is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html deleted file mode 100644 index 45224b2..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_alloc.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_alloc(krb5_context context, krb5_get_init_creds_opt ** opt)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] opt - New options structure

-
- --- - - - -
retval:
    -
  • 0 - Success; Kerberos errors otherwise.
    • -
-
-

This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use krb5_get_init_creds_opt_free() to free opt when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html deleted file mode 100644 index 2704c69..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_free.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_free - Free initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_free - Free initial credential options.¶

-
-
-void krb5_get_init_creds_opt_free(krb5_context context, krb5_get_init_creds_opt * opt)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options structure to free

-
-
-

See also

-

krb5_get_init_creds_opt_alloc()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html deleted file mode 100644 index 1a7a760..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_get_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags * out_flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[out] out_flags - FAST flags

-
- --- - - - -
retval:
    -
  • 0 - Success; Kerberos errors otherwise.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html deleted file mode 100644 index b669c65..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_init.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_init — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_init¶

-
-
-void krb5_get_init_creds_opt_init(krb5_get_init_creds_opt * opt)¶
-
- - --- - - - -
param:opt
-

DEPRECATED Use krb5_get_init_creds_opt_alloc() instead.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html deleted file mode 100644 index 003287b..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_address_list.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_address_list(krb5_get_init_creds_opt * opt, krb5_address ** addresses)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] addresses - Null-terminated array of addresses

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html deleted file mode 100644 index b0ef53c..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_anonymous.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_anonymous(krb5_get_init_creds_opt * opt, int anonymous)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] anonymous - Whether to make an anonymous request

-
-

This function may be used to request anonymous credentials from the KDC by setting anonymous to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html deleted file mode 100644 index 308bdc3..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_canonicalize(krb5_get_init_creds_opt * opt, int canonicalize)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] canonicalize - Whether to canonicalize client principal

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html deleted file mode 100644 index 3632040..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_change_password_prompt(krb5_get_init_creds_opt * opt, int prompt)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] prompt - Whether to prompt to change password

-
-

This flag is on by default. It controls whether krb5_get_init_creds_password() will react to an expired-password error by prompting for a new password and attempting to change the old one.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html deleted file mode 100644 index 5806ca6..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_etype_list.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_etype_list(krb5_get_init_creds_opt * opt, krb5_enctype * etype_list, int etype_list_length)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] etype_list - Array of encryption types

-

[in] etype_list_length - Length of etype_list

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html deleted file mode 100644 index 42c8c47..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_expire_callback(krb5_context context, krb5_get_init_creds_opt * opt, krb5_expire_callback_func cb, void * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options structure

-

[in] cb - Callback function

-

[in] data - Callback argument

-
-

Set a callback to receive password and account expiration times.

-

This option only applies to krb5_get_init_creds_password() . cb will be invoked if and only if credentials are successfully acquired. The callback will receive the context from the krb5_get_init_creds_password() call and the data argument supplied with this API. The remaining arguments should be interpreted as follows:

-

If is_last_req is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero password_expiration should be taken as a suggestion from the KDC that a warning be displayed.

-

If is_last_req is false, then account_expiration will be 0 and password_expiration will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning.

-

Note that cb may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller’s responsibility to avoid displaying a password expiry warning in this case.

-
-

Warning

-

Setting an expire callback with this API will cause krb5_get_init_creds_password() not to send password expiry warnings to the prompter, as it ordinarily may.

-
-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html deleted file mode 100644 index 4648312..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_fast_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[in] ccache - Credential cache handle

-
-

This function is similar to krb5_get_init_creds_opt_set_fast_ccache_name() , but uses a credential cache handle instead of a name.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html deleted file mode 100644 index b2bbd13..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_fast_ccache_name(krb5_context context, krb5_get_init_creds_opt * opt, const char * fast_ccache_name)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[in] fast_ccache_name - Credential cache name

-
-

Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension.

-

In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; krb5_get_init_creds_opt_set_fast_flags() must be used to require that FAST be used.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html deleted file mode 100644 index be547df..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_fast_flags(krb5_context context, krb5_get_init_creds_opt * opt, krb5_flags flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[in] flags - FAST flags

-
- --- - - - -
retval:
    -
  • 0 - Success; Kerberos errors otherwise.
    • -
-
-

The following flag values are valid:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html deleted file mode 100644 index 8af14c7..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_forwardable.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_forwardable(krb5_get_init_creds_opt * opt, int forwardable)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] forwardable - Whether credentials should be forwardable

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html deleted file mode 100644 index b44cd69..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_in_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[in] ccache - Credential cache handle

-
-

If an input credential cache is set, then the krb5_get_init_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html deleted file mode 100644 index 6be0ca8..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_out_ccache(krb5_context context, krb5_get_init_creds_opt * opt, krb5_ccache ccache)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options

-

[in] ccache - Credential cache handle

-
-

If an output credential cache is set, then the krb5_get_init_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5_get_init_creds APIs to write out configuration information about the realm to the ccache.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html deleted file mode 100644 index f5afee0..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pa.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_pa(krb5_context context, krb5_get_init_creds_opt * opt, const char * attr, const char * value)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options structure

-

[in] attr - Preauthentication option name

-

[in] value - Preauthentication option value

-
-

This function allows the caller to supply options for preauthentication. The values of attr and value are supplied to each preauthentication module available within context .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html deleted file mode 100644 index f344272..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_pac_request.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_pac_request(krb5_context context, krb5_get_init_creds_opt * opt, krb5_boolean req_pac)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options structure

-

[in] req_pac - Whether to request a PAC or not

-
-

If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them.

-
-

Note

-

New in 1.15

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html deleted file mode 100644 index b405716..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_preauth_list(krb5_get_init_creds_opt * opt, krb5_preauthtype * preauth_list, int preauth_list_length)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] preauth_list - Array of preauthentication types

-

[in] preauth_list_length - Length of preauth_list

-
-

This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with krb5_get_init_creds_opt_set_salt() and krb5_get_init_creds_opt_set_pa() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html deleted file mode 100644 index 304186a..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_proxiable.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_proxiable(krb5_get_init_creds_opt * opt, int proxiable)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] proxiable - Whether credentials should be proxiable

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html deleted file mode 100644 index cca6556..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_renew_life.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_renew_life(krb5_get_init_creds_opt * opt, krb5_deltat renew_life)¶
-
- - --- - - - -
param:

[in] opt - Pointer to options field

-

[in] renew_life - Ticket renewal lifetime

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html deleted file mode 100644 index 0a6a382..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_responder.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options.¶

-
-
-krb5_error_code krb5_get_init_creds_opt_set_responder(krb5_context context, krb5_get_init_creds_opt * opt, krb5_responder_fn responder, void * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] opt - Options structure

-

[in] responder - Responder function

-

[in] data - Responder data argument

-
-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html deleted file mode 100644 index b00d2b2..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_salt.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_salt(krb5_get_init_creds_opt * opt, krb5_data * salt)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] salt - Salt data

-
-

When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html b/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html deleted file mode 100644 index 3f473c2..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options.¶

-
-
-void krb5_get_init_creds_opt_set_tkt_life(krb5_get_init_creds_opt * opt, krb5_deltat tkt_life)¶
-
- - --- - - - -
param:

[in] opt - Options structure

-

[in] tkt_life - Ticket lifetime

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_init_creds_password.html b/doc/html/appdev/refs/api/krb5_get_init_creds_password.html deleted file mode 100644 index 7a534f6..0000000 --- a/doc/html/appdev/refs/api/krb5_get_init_creds_password.html +++ /dev/null @@ -1,194 +0,0 @@ - - - - - - - - krb5_get_init_creds_password - Get initial credentials using a password. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_password - Get initial credentials using a password.¶

-
-
-krb5_error_code krb5_get_init_creds_password(krb5_context context, krb5_creds * creds, krb5_principal client, const char * password, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, const char * in_tkt_service, krb5_get_init_creds_opt * k5_gic_options)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] creds - New credentials

-

[in] client - Client principal

-

[in] password - Password (or NULL)

-

[in] prompter - Prompter function

-

[in] data - Prompter callback data

-

[in] start_time - Time when ticket becomes valid (0 for now)

-

[in] in_tkt_service - Service name of initial credentials (or NULL)

-

[in] k5_gic_options - Initial credential options

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • EINVAL Invalid argument
    • -
  • KRB5_KDC_UNREACH Cannot contact any KDC for requested realm
    • -
  • KRB5_PREAUTH_FAILED Generic Pre-athentication failure
    • -
  • KRB5_LIBOS_PWDINTR Password read interrupted
    • -
  • KRB5_REALM_CANT_RESOLVE Cannot resolve network address for KDC in requested realm
    • -
  • KRB5KDC_ERR_KEY_EXP Password has expired
    • -
  • KRB5_LIBOS_BADPWDMATCH Password mismatch
    • -
  • KRB5_CHPW_PWDNULL New password cannot be zero length
    • -
  • KRB5_CHPW_FAIL Password change failed
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function requests KDC for an initial credentials for client using password . If password is NULL, a password will be prompted for using prompter if necessary. If in_tkt_service is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html b/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html deleted file mode 100644 index 7981958..0000000 --- a/doc/html/appdev/refs/api/krb5_get_permitted_enctypes.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys.¶

-
-
-krb5_error_code krb5_get_permitted_enctypes(krb5_context context, krb5_enctype ** ktypes)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] ktypes - Zero-terminated list of encryption types

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function returns the list of encryption types permitted for session keys within context , as determined by configuration or by a previous call to krb5_set_default_tgs_enctypes() .

-

Use krb5_free_enctypes() to free ktypes when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_profile.html b/doc/html/appdev/refs/api/krb5_get_profile.html deleted file mode 100644 index cfbf30c..0000000 --- a/doc/html/appdev/refs/api/krb5_get_profile.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_get_profile - Retrieve configuration profile from the context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_profile - Retrieve configuration profile from the context.¶

-
-
-krb5_error_code krb5_get_profile(krb5_context context, struct _profile_t ** profile)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] profile - Pointer to data read from a configuration file

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function creates a new profile object that reflects profile in the supplied context .

-

The profile object may be freed with profile_release() function. See profile.h and profile API for more details.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_prompt_types.html b/doc/html/appdev/refs/api/krb5_get_prompt_types.html deleted file mode 100644 index 319862e..0000000 --- a/doc/html/appdev/refs/api/krb5_get_prompt_types.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_get_prompt_types - Get prompt types array from a context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_prompt_types - Get prompt types array from a context.¶

-
-
-krb5_prompt_type * krb5_get_prompt_types(krb5_context context)¶
-
- - --- - - - -
param:[in] context - Library context
- --- - - - -
return:
    -
  • Pointer to an array of prompt types corresponding to the prompter’s prompts arguments. Each type has one of the following values: KRB5_PROMPT_TYPE_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN KRB5_PROMPT_TYPE_PREAUTH
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_renewed_creds.html b/doc/html/appdev/refs/api/krb5_get_renewed_creds.html deleted file mode 100644 index 31ab2ca..0000000 --- a/doc/html/appdev/refs/api/krb5_get_renewed_creds.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential.¶

-
-
-krb5_error_code krb5_get_renewed_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] creds - Renewed credentials

-

[in] client - Client principal name

-

[in] ccache - Credential cache

-

[in] in_tkt_service - Server principal string (or NULL)

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function gets a renewed credential using an existing one from ccache . If in_tkt_service is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used.

-

If successful, the renewed credential is placed in creds .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_server_rcache.html b/doc/html/appdev/refs/api/krb5_get_server_rcache.html deleted file mode 100644 index 2570004..0000000 --- a/doc/html/appdev/refs/api/krb5_get_server_rcache.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_get_server_rcache - Generate a replay cache object for server use and open it. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_server_rcache - Generate a replay cache object for server use and open it.¶

-
-
-krb5_error_code krb5_get_server_rcache(krb5_context context, const krb5_data * piece, krb5_rcache * rcptr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] piece - Unique identifier for replay cache

-

[out] rcptr - Handle to an open rcache

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function generates a replay cache name based on piece and opens a handle to it. Typically piece is the first component of the service principal name. Use krb5_rc_close() to close rcptr when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_time_offsets.html b/doc/html/appdev/refs/api/krb5_get_time_offsets.html deleted file mode 100644 index 24c29b0..0000000 --- a/doc/html/appdev/refs/api/krb5_get_time_offsets.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_get_time_offsets - Return the time offsets from the os context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_time_offsets - Return the time offsets from the os context.¶

-
-
-krb5_error_code krb5_get_time_offsets(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] seconds - Time offset, seconds portion

-

[out] microseconds - Time offset, microseconds portion

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function returns the time offsets in context .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_get_validated_creds.html b/doc/html/appdev/refs/api/krb5_get_validated_creds.html deleted file mode 100644 index 724bce0..0000000 --- a/doc/html/appdev/refs/api/krb5_get_validated_creds.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_get_validated_creds - Get validated credentials from the KDC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_validated_creds - Get validated credentials from the KDC.¶

-
-
-krb5_error_code krb5_get_validated_creds(krb5_context context, krb5_creds * creds, krb5_principal client, krb5_ccache ccache, const char * in_tkt_service)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] creds - Validated credentials

-

[in] client - Client principal name

-

[in] ccache - Credential cache

-

[in] in_tkt_service - Server principal string (or NULL)

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_NO_2ND_TKT Request missing second ticket
    • -
  • KRB5_NO_TKT_SUPPLIED Request did not supply a ticket
    • -
  • KRB5_PRINC_NOMATCH Requested principal and ticket do not match
    • -
  • KRB5_KDCREP_MODIFIED KDC reply did not match expectations
    • -
  • KRB5_KDCREP_SKEW Clock skew too great in KDC reply
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function gets a validated credential using a postdated credential from ccache . If in_tkt_service is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used.

-

If successful, the validated credential is placed in creds .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_context.html b/doc/html/appdev/refs/api/krb5_init_context.html deleted file mode 100644 index 747b727..0000000 --- a/doc/html/appdev/refs/api/krb5_init_context.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_init_context - Create a krb5 library context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_context - Create a krb5 library context.¶

-
-
-krb5_error_code krb5_init_context(krb5_context * context)¶
-
- - --- - - - -
param:[out] context - Library context
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

The context must be released by calling krb5_free_context() when it is no longer needed.

-
-

Warning

-

Any program or module that needs the Kerberos code to not trust the environment must use krb5_init_secure_context() , or clean out the environment.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_context_profile.html b/doc/html/appdev/refs/api/krb5_init_context_profile.html deleted file mode 100644 index aa6e33b..0000000 --- a/doc/html/appdev/refs/api/krb5_init_context_profile.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_init_context_profile - Create a krb5 library context using a specified profile. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_context_profile - Create a krb5 library context using a specified profile.¶

-
-
-krb5_error_code krb5_init_context_profile(struct _profile_t * profile, krb5_flags flags, krb5_context * context)¶
-
- - --- - - - -
param:

[in] profile - Profile object (NULL to create default profile)

-

[in] flags - Context initialization flags

-

[out] context - Library context

-
-

Create a context structure, optionally using a specified profile and initialization flags. If profile is NULL, the default profile will be created from config files. If profile is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_free.html b/doc/html/appdev/refs/api/krb5_init_creds_free.html deleted file mode 100644 index e593857..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_free.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_init_creds_free - Free an initial credentials context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_free - Free an initial credentials context.¶

-
-
-void krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get.html b/doc/html/appdev/refs/api/krb5_init_creds_get.html deleted file mode 100644 index 896f3e5..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_get.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_init_creds_get - Acquire credentials using an initial credentials context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_get - Acquire credentials using an initial credentials context.¶

-
-
-krb5_error_code krb5_init_creds_get(krb5_context context, krb5_init_creds_context ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function synchronously obtains credentials using a context created by krb5_init_creds_init() . On successful return, the credentials can be retrieved with krb5_init_creds_get_creds() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html b/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html deleted file mode 100644 index e2c8b83..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_get_creds.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context.¶

-
-
-krb5_error_code krb5_init_creds_get_creds(krb5_context context, krb5_init_creds_context ctx, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[out] creds - Acquired credentials

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function copies the acquired initial credentials from ctx into creds , after the successful completion of krb5_init_creds_get() or krb5_init_creds_step() . Use krb5_free_cred_contents() to free creds when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_error.html b/doc/html/appdev/refs/api/krb5_init_creds_get_error.html deleted file mode 100644 index e388343..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_get_error.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context.¶

-
-
-krb5_error_code krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, krb5_error ** error)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[out] error - Error from KDC, or NULL if none was received

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_get_times.html b/doc/html/appdev/refs/api/krb5_init_creds_get_times.html deleted file mode 100644 index 4a51ed8..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_get_times.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context.¶

-
-
-krb5_error_code krb5_init_creds_get_times(krb5_context context, krb5_init_creds_context ctx, krb5_ticket_times * times)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[out] times - Ticket times for acquired credentials

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

The initial credentials context must have completed obtaining credentials via either krb5_init_creds_get() or krb5_init_creds_step() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_init.html b/doc/html/appdev/refs/api/krb5_init_creds_init.html deleted file mode 100644 index 353cf7a..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_init.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_init_creds_init - Create a context for acquiring initial credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_init - Create a context for acquiring initial credentials.¶

-
-
-krb5_error_code krb5_init_creds_init(krb5_context context, krb5_principal client, krb5_prompter_fct prompter, void * data, krb5_deltat start_time, krb5_get_init_creds_opt * options, krb5_init_creds_context * ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] client - Client principal to get initial creds for

-

[in] prompter - Prompter callback

-

[in] data - Prompter callback argument

-

[in] start_time - Time when credentials become valid (0 for now)

-

[in] options - Options structure (NULL for default)

-

[out] ctx - New initial credentials context

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a new context for acquiring initial credentials. Use krb5_init_creds_free() to free ctx when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html b/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html deleted file mode 100644 index 6d780b1..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_set_keytab.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials.¶

-
-
-krb5_error_code krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, krb5_keytab keytab)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[in] keytab - Key table handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function supplies a keytab containing the client key for an initial credentials request.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_password.html b/doc/html/appdev/refs/api/krb5_init_creds_set_password.html deleted file mode 100644 index e118ff2..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_set_password.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_init_creds_set_password - Set a password for acquiring initial credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_set_password - Set a password for acquiring initial credentials.¶

-
-
-krb5_error_code krb5_init_creds_set_password(krb5_context context, krb5_init_creds_context ctx, const char * password)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[in] password - Password

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function supplies a password to be used to construct the client key for an initial credentials request.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_set_service.html b/doc/html/appdev/refs/api/krb5_init_creds_set_service.html deleted file mode 100644 index 1a5cd4e..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_set_service.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials.¶

-
-
-krb5_error_code krb5_init_creds_set_service(krb5_context context, krb5_init_creds_context ctx, const char * service)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[in] service - Service principal string

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. service is parsed as a principal name; any realm part is ignored.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_creds_step.html b/doc/html/appdev/refs/api/krb5_init_creds_step.html deleted file mode 100644 index 56b497f..0000000 --- a/doc/html/appdev/refs/api/krb5_init_creds_step.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_init_creds_step - Get the next KDC request for acquiring initial credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_step - Get the next KDC request for acquiring initial credentials.¶

-
-
-krb5_error_code krb5_init_creds_step(krb5_context context, krb5_init_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - Initial credentials context

-

[in] in - KDC response (empty on the first call)

-

[out] out - Next KDC request

-

[out] realm - Realm for next KDC request

-

[out] flags - Output flags

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, in should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request.

-

If more requests are needed, flags will be set to KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in out . If no more requests are needed, flags will not contain KRB5_INIT_CREDS_STEP_FLAG_CONTINUE and out will be empty.

-

If this function returns KRB5KRB_ERR_RESPONSE_TOO_BIG , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_keyblock.html b/doc/html/appdev/refs/api/krb5_init_keyblock.html deleted file mode 100644 index 4c4537d..0000000 --- a/doc/html/appdev/refs/api/krb5_init_keyblock.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_init_keyblock - Initialize an empty krb5_keyblock . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_keyblock - Initialize an empty krb5_keyblock .¶

-
-
-krb5_error_code krb5_init_keyblock(krb5_context context, krb5_enctype enctype, size_t length, krb5_keyblock ** out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enctype - Encryption type

-

[in] length - Length of keyblock (or 0)

-

[out] out - New keyblock structure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use krb5_free_keyblock() to free out when it is no longer needed.

-
-

Note

-

If length is set to 0, contents are left unallocated.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_random_key.html b/doc/html/appdev/refs/api/krb5_init_random_key.html deleted file mode 100644 index 62986fa..0000000 --- a/doc/html/appdev/refs/api/krb5_init_random_key.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_init_random_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_random_key¶

-
-
-krb5_error_code krb5_init_random_key(krb5_context context, const krb5_encrypt_block * eblock, const krb5_keyblock * keyblock, krb5_pointer * ptr)¶
-
- - --- - - - -
param:

context

-

eblock

-

keyblock

-

ptr

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_init_secure_context.html b/doc/html/appdev/refs/api/krb5_init_secure_context.html deleted file mode 100644 index 3d8c63e..0000000 --- a/doc/html/appdev/refs/api/krb5_init_secure_context.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_init_secure_context - Create a krb5 library context using only configuration files. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_secure_context - Create a krb5 library context using only configuration files.¶

-
-
-krb5_error_code krb5_init_secure_context(krb5_context * context)¶
-
- - --- - - - -
param:[out] context - Library context
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Create a context structure, using only system configuration files. All information passed through the environment variables is ignored.

-

The context must be released by calling krb5_free_context() when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_is_config_principal.html b/doc/html/appdev/refs/api/krb5_is_config_principal.html deleted file mode 100644 index b18ecfa..0000000 --- a/doc/html/appdev/refs/api/krb5_is_config_principal.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_is_config_principal - Test whether a principal is a configuration principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_is_config_principal - Test whether a principal is a configuration principal.¶

-
-
-krb5_boolean krb5_is_config_principal(krb5_context context, krb5_const_principal principal)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal to check

-
- --- - - - -
return:
    -
  • TRUE if the principal is a configuration principal (generated part of krb5_cc_set_config() ); FALSE otherwise.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_is_referral_realm.html b/doc/html/appdev/refs/api/krb5_is_referral_realm.html deleted file mode 100644 index e617fa3..0000000 --- a/doc/html/appdev/refs/api/krb5_is_referral_realm.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM.¶

-
-
-krb5_boolean krb5_is_referral_realm(const krb5_data * r)¶
-
- - --- - - - -
param:[in] r - Realm to check
- --- - - - -
return:
    -
  • TRUE if r is zero-length, FALSE otherwise
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_is_thread_safe.html b/doc/html/appdev/refs/api/krb5_is_thread_safe.html deleted file mode 100644 index b5c5fa9..0000000 --- a/doc/html/appdev/refs/api/krb5_is_thread_safe.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support.¶

-
-
-krb5_boolean krb5_is_thread_safe(void None)¶
-
- - --- - - - -
param:None
- --- - - - -
retval:
    -
  • TRUE if the library is threadsafe; FALSE otherwise
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_create_key.html b/doc/html/appdev/refs/api/krb5_k_create_key.html deleted file mode 100644 index 57b022a..0000000 --- a/doc/html/appdev/refs/api/krb5_k_create_key.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock.¶

-
-
-krb5_error_code krb5_k_create_key(krb5_context context, const krb5_keyblock * key_data, krb5_key * out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key_data - Keyblock

-

[out] out - Opaque key

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - KRB5_BAD_ENCTYPE
    • -
-
-

The reference count on a key out is set to 1. Use krb5_k_free_key() to free out when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_decrypt.html b/doc/html/appdev/refs/api/krb5_k_decrypt.html deleted file mode 100644 index a4bfad1..0000000 --- a/doc/html/appdev/refs/api/krb5_k_decrypt.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_k_decrypt - Decrypt data using a key (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_decrypt - Decrypt data using a key (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_decrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_enc_data * input, krb5_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] cipher_state - Cipher state; specify NULL if not needed

-

[in] input - Encrypted data

-

[out] output - Decrypted data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function decrypts the data block input and stores the output into output . The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation.

-
-

Note

-

The caller must initialize output and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let krb5_c_decrypt() trim output->length . For some enctypes, the resulting output->length may include padding bytes.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html b/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html deleted file mode 100644 index 1e82560..0000000 --- a/doc/html/appdev/refs/api/krb5_k_decrypt_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_decrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] cipher_state - Cipher state; specify NULL if not needed

-

[inout] data - IOV array. Modified in-place.

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function decrypts the data block data and stores the output in-place. The actual decryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

-
-

See also

-

krb5_k_encrypt_iov()

-
-
-

Note

-

On return from a krb5_c_decrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

-

This function is similar to krb5_c_decrypt_iov() , but operates on opaque key key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_encrypt.html b/doc/html/appdev/refs/api/krb5_k_encrypt.html deleted file mode 100644 index 8753e0e..0000000 --- a/doc/html/appdev/refs/api/krb5_k_encrypt.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_k_encrypt - Encrypt data using a key (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_encrypt - Encrypt data using a key (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_encrypt(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, const krb5_data * input, krb5_enc_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] cipher_state - Cipher state; specify NULL if not needed

-

[in] input - Data to be encrypted

-

[out] output - Encrypted data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function encrypts the data block input and stores the output into output . The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation.

-
-

Note

-

The caller must initialize output and allocate at least enough space for the result (using krb5_c_encrypt_length() to determine the amount of space needed). output->length will be set to the actual length of the ciphertext.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html b/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html deleted file mode 100644 index a96d590..0000000 --- a/doc/html/appdev/refs/api/krb5_k_encrypt_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_encrypt_iov(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * cipher_state, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] cipher_state - Cipher state; specify NULL if not needed

-

[inout] data - IOV array. Modified in-place.

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function encrypts the data block data and stores the output in-place. The actual encryption key will be derived from key and usage if key derivation is specified for the encryption type. If non-null, cipher_state specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5_crypto_iov structures before calling into this API.

-
-

See also

-

krb5_k_decrypt_iov()

-
-
-

Note

-

On return from a krb5_c_encrypt_iov() call, the data->length in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased.

-

This function is similar to krb5_c_encrypt_iov() , but operates on opaque key key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_free_key.html b/doc/html/appdev/refs/api/krb5_k_free_key.html deleted file mode 100644 index 5fe87ee..0000000 --- a/doc/html/appdev/refs/api/krb5_k_free_key.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero.¶

-
-
-void krb5_k_free_key(krb5_context context, krb5_key key)¶
-
- - --- - - - -
param:

context

-

key

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_key_enctype.html b/doc/html/appdev/refs/api/krb5_k_key_enctype.html deleted file mode 100644 index 283f9d8..0000000 --- a/doc/html/appdev/refs/api/krb5_k_key_enctype.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure.¶

-
-
-krb5_enctype krb5_k_key_enctype(krb5_context context, krb5_key key)¶
-
- - --- - - - -
param:

context

-

key

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_key_keyblock.html b/doc/html/appdev/refs/api/krb5_k_key_keyblock.html deleted file mode 100644 index 95eef71..0000000 --- a/doc/html/appdev/refs/api/krb5_k_key_keyblock.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure.¶

-
-
-krb5_error_code krb5_k_key_keyblock(krb5_context context, krb5_key key, krb5_keyblock ** key_data)¶
-
- - --- - - - -
param:

context

-

key

-

key_data

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_make_checksum.html b/doc/html/appdev/refs/api/krb5_k_make_checksum.html deleted file mode 100644 index 30106e3..0000000 --- a/doc/html/appdev/refs/api/krb5_k_make_checksum.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_k_make_checksum - Compute a checksum (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_make_checksum - Compute a checksum (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_make_checksum(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_data * input, krb5_checksum * cksum)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] input - Input data

-

[out] cksum - Generated checksum

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function computes a checksum of type cksumtype over input , using key if the checksum type is a keyed checksum. If cksumtype is 0 and key is non-null, the checksum type will be the mandatory-to-implement checksum type for the key’s encryption type. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type. The newly created cksum must be released by calling krb5_free_checksum_contents() when it is no longer needed.

-
-

See also

-

krb5_c_verify_checksum()

-
-
-

Note

-

This function is similar to krb5_c_make_checksum() , but operates on opaque key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html b/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html deleted file mode 100644 index 61549bd..0000000 --- a/doc/html/appdev/refs/api/krb5_k_make_checksum_iov.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key)¶

-
-
-krb5_error_code krb5_k_make_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, krb5_crypto_iov * data, size_t num_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[inout] data - IOV array

-

[in] num_data - Size of data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Create a checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element over KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY chunks in data . Only the KRB5_CRYPTO_TYPE_CHECKSUM region is modified.

-
-

See also

-

krb5_k_verify_checksum_iov()

-
-
-

Note

-

This function is similar to krb5_c_make_checksum_iov() , but operates on opaque key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_prf.html b/doc/html/appdev/refs/api/krb5_k_prf.html deleted file mode 100644 index c74c5cf..0000000 --- a/doc/html/appdev/refs/api/krb5_k_prf.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_prf(krb5_context context, krb5_key key, krb5_data * input, krb5_data * output)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Key

-

[in] input - Input data

-

[out] output - Output data

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function selects a pseudo-random function based on key and computes its value over input , placing the result into output . The caller must preinitialize output and allocate space for the result.

-
-

Note

-

This function is similar to krb5_c_prf() , but operates on opaque key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_reference_key.html b/doc/html/appdev/refs/api/krb5_k_reference_key.html deleted file mode 100644 index a00618e..0000000 --- a/doc/html/appdev/refs/api/krb5_k_reference_key.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_k_reference_key - Increment the reference count on a key. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_reference_key - Increment the reference count on a key.¶

-
-
-void krb5_k_reference_key(krb5_context context, krb5_key key)¶
-
- - --- - - - -
param:

context

-

key

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_verify_checksum.html b/doc/html/appdev/refs/api/krb5_k_verify_checksum.html deleted file mode 100644 index 0762ead..0000000 --- a/doc/html/appdev/refs/api/krb5_k_verify_checksum.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_k_verify_checksum - Verify a checksum (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_verify_checksum - Verify a checksum (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_verify_checksum(krb5_context context, krb5_key key, krb5_keyusage usage, const krb5_data * data, const krb5_checksum * cksum, krb5_boolean * valid)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - key usage

-

[in] data - Data to be used to compute a new checksum using key to compare cksum against

-

[in] cksum - Checksum to be verified

-

[out] valid - Non-zero for success, zero for failure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function verifies that cksum is a valid checksum for data . If the checksum type of cksum is a keyed checksum, key is used to verify the checksum. If the checksum type in cksum is 0 and key is not NULL, the mandatory checksum type for key will be used. The actual checksum key will be derived from key and usage if key derivation is specified for the checksum type.

-
-

Note

-

This function is similar to krb5_c_verify_checksum() , but operates on opaque key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html b/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html deleted file mode 100644 index e2574a0..0000000 --- a/doc/html/appdev/refs/api/krb5_k_verify_checksum_iov.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key). — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key).¶

-
-
-krb5_error_code krb5_k_verify_checksum_iov(krb5_context context, krb5_cksumtype cksumtype, krb5_key key, krb5_keyusage usage, const krb5_crypto_iov * data, size_t num_data, krb5_boolean * valid)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] cksumtype - Checksum type (0 for mandatory type)

-

[in] key - Encryption key for a keyed checksum

-

[in] usage - Key usage (see KRB5_KEYUSAGE types)

-

[in] data - IOV array

-

[in] num_data - Size of data

-

[out] valid - Non-zero for success, zero for failure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Confirm that the checksum in the KRB5_CRYPTO_TYPE_CHECKSUM element is a valid checksum of the KRB5_CRYPTO_TYPE_DATA and KRB5_CRYPTO_TYPE_SIGN_ONLY regions in the iov.

-
-

See also

-

krb5_k_make_checksum_iov()

-
-
-

Note

-

This function is similar to krb5_c_verify_checksum_iov() , but operates on opaque key .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_add_entry.html b/doc/html/appdev/refs/api/krb5_kt_add_entry.html deleted file mode 100644 index 01ed63b..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_add_entry.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_kt_add_entry - Add a new entry to a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_add_entry - Add a new entry to a key table.¶

-
-
-krb5_error_code krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] id - Key table handle

-

[in] entry - Entry to be added

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • ENOMEM Insufficient memory
    • -
  • KRB5_KT_NOWRITE Key table is not writeable
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_client_default.html b/doc/html/appdev/refs/api/krb5_kt_client_default.html deleted file mode 100644 index bb43bf9..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_client_default.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_kt_client_default - Resolve the default client key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_client_default - Resolve the default client key table.¶

-
-
-krb5_error_code krb5_kt_client_default(krb5_context context, krb5_keytab * keytab_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] keytab_out - Key table handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Fill keytab_out with a handle to the default client key table.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_close.html b/doc/html/appdev/refs/api/krb5_kt_close.html deleted file mode 100644 index 5db6e12..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_close.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_kt_close - Close a key table handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_close - Close a key table handle.¶

-
-
-krb5_error_code krb5_kt_close(krb5_context context, krb5_keytab keytab)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-
- --- - - - -
retval:
    -
  • 0 None
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_default.html b/doc/html/appdev/refs/api/krb5_kt_default.html deleted file mode 100644 index 6ff36c1..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_default.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_kt_default - Resolve the default key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_default - Resolve the default key table.¶

-
-
-krb5_error_code krb5_kt_default(krb5_context context, krb5_keytab * id)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] id - Key table handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Set id to a handle to the default key table. The key table is not opened.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_default_name.html b/doc/html/appdev/refs/api/krb5_kt_default_name.html deleted file mode 100644 index 995b26c..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_default_name.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_kt_default_name - Get the default key table name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_default_name - Get the default key table name.¶

-
-
-krb5_error_code krb5_kt_default_name(krb5_context context, char * name, int name_size)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] name - Default key table name

-

[in] name_size - Space available in name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_CONFIG_NOTENUFSPACE Buffer is too short
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Fill name with the name of the default key table for context .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_dup.html b/doc/html/appdev/refs/api/krb5_kt_dup.html deleted file mode 100644 index 3404fe3..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_dup.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_kt_dup - Duplicate keytab handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_dup - Duplicate keytab handle.¶

-
-
-krb5_error_code krb5_kt_dup(krb5_context context, krb5_keytab in, krb5_keytab * out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] in - Key table handle to be duplicated

-

[out] out - Key table handle

-
-

Create a new handle referring to the same key table as in . The new handle and in can be closed independently.

-
-

Note

-

New in 1.12

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html b/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html deleted file mode 100644 index a38fe44..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_end_seq_get.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_kt_end_seq_get - Release a keytab cursor. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_end_seq_get - Release a keytab cursor.¶

-
-
-krb5_error_code krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-

[out] cursor - Cursor

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function should be called to release the cursor created by krb5_kt_start_seq_get() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_free_entry.html b/doc/html/appdev/refs/api/krb5_kt_free_entry.html deleted file mode 100644 index da31c33..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_free_entry.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_kt_free_entry — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_free_entry¶

-
-
-krb5_error_code krb5_kt_free_entry(krb5_context context, krb5_keytab_entry * entry)¶
-
- - --- - - - -
param:

context

-

entry

-
-

DEPRECATED Use krb5_free_keytab_entry_contents instead.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_get_entry.html b/doc/html/appdev/refs/api/krb5_kt_get_entry.html deleted file mode 100644 index 22324c0..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_get_entry.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_kt_get_entry - Get an entry from a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_get_entry - Get an entry from a key table.¶

-
-
-krb5_error_code krb5_kt_get_entry(krb5_context context, krb5_keytab keytab, krb5_const_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keytab_entry * entry)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-

[in] principal - Principal name

-

[in] vno - Key version number (0 for highest available)

-

[in] enctype - Encryption type (0 zero for any enctype)

-

[out] entry - Returned entry from key table

-
- --- - - - -
retval:
    -
  • 0 Success
    • -
  • Kerberos error codes on failure
    • -
-
-

Retrieve an entry from a key table which matches the keytab , principal , vno , and enctype . If vno is zero, retrieve the highest-numbered kvno matching the other fields. If enctype is 0, match any enctype.

-

Use krb5_free_keytab_entry_contents() to free entry when it is no longer needed.

-
-

Note

-

If vno is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_get_name.html b/doc/html/appdev/refs/api/krb5_kt_get_name.html deleted file mode 100644 index 0135225..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_get_name.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_kt_get_name - Get a key table name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_get_name - Get a key table name.¶

-
-
-krb5_error_code krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char * name, unsigned int namelen)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-

[out] name - Key table name

-

[in] namelen - Maximum length to fill in name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_KT_NAME_TOOLONG Key table name does not fit in namelen bytes
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Fill name with the name of keytab including the type and delimiter.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_get_type.html b/doc/html/appdev/refs/api/krb5_kt_get_type.html deleted file mode 100644 index 1a4dd77..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_get_type.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_kt_get_type - Return the type of a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_get_type - Return the type of a key table.¶

-
-
-const char * krb5_kt_get_type(krb5_context context, krb5_keytab keytab)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-
- --- - - - -
return:
    -
  • The type of a key table as an alias that must not be modified or freed by the caller.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_have_content.html b/doc/html/appdev/refs/api/krb5_kt_have_content.html deleted file mode 100644 index 455f6ae..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_have_content.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_kt_have_content - Check if a keytab exists and contains entries. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_have_content - Check if a keytab exists and contains entries.¶

-
-
-krb5_error_code krb5_kt_have_content(krb5_context context, krb5_keytab keytab)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-
- --- - - - -
retval:
    -
  • 0 Keytab exists and contains entries
    • -
  • KRB5_KT_NOTFOUND Keytab does not contain entries
    • -
-
-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_next_entry.html b/doc/html/appdev/refs/api/krb5_kt_next_entry.html deleted file mode 100644 index 1eaaaed..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_next_entry.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_kt_next_entry - Retrieve the next entryfrom the key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_next_entry - Retrieve the next entryfrom the key table.¶

-
-
-krb5_error_code krb5_kt_next_entry(krb5_context context, krb5_keytab keytab, krb5_keytab_entry * entry, krb5_kt_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-

[out] entry - Returned key table entry

-

[in] cursor - Key table cursor

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_KT_END - if the last entry was reached
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Return the next sequential entry in keytab and advance cursor . Callers must release the returned entry with krb5_kt_free_entry() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_read_service_key.html b/doc/html/appdev/refs/api/krb5_kt_read_service_key.html deleted file mode 100644 index b913479..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_read_service_key.html +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - krb5_kt_read_service_key - Retrieve a service key from a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_read_service_key - Retrieve a service key from a key table.¶

-
-
-krb5_error_code krb5_kt_read_service_key(krb5_context context, krb5_pointer keyprocarg, krb5_principal principal, krb5_kvno vno, krb5_enctype enctype, krb5_keyblock ** key)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keyprocarg - Name of a key table (NULL to use default name)

-

[in] principal - Service principal

-

[in] vno - Key version number (0 for highest available)

-

[in] enctype - Encryption type (0 for any type)

-

[out] key - Service key from key table

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error code if not found or keyprocarg is invalid.
    • -
-
-

Open and search the specified key table for the entry identified by principal , enctype , and vno . If no key is found, return an error code.

-

The default key table is used, unless keyprocarg is non-null. keyprocarg designates aspecific key table.

-

Use krb5_free_keyblock() to free key when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_remove_entry.html b/doc/html/appdev/refs/api/krb5_kt_remove_entry.html deleted file mode 100644 index e0ed76b..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_remove_entry.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_kt_remove_entry - Remove an entry from a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_remove_entry - Remove an entry from a key table.¶

-
-
-krb5_error_code krb5_kt_remove_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry * entry)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] id - Key table handle

-

[in] entry - Entry to remove from key table

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_KT_NOWRITE Key table is not writable
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_resolve.html b/doc/html/appdev/refs/api/krb5_kt_resolve.html deleted file mode 100644 index c44e352..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_resolve.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_kt_resolve - Get a handle for a key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_resolve - Get a handle for a key table.¶

-
-
-krb5_error_code krb5_kt_resolve(krb5_context context, const char * name, krb5_keytab * ktid)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - Name of the key table

-

[out] ktid - Key table handle

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Resolve the key table name name and set ktid to a handle identifying the key table. Use krb5_kt_close() to free ktid when it is no longer needed.

-
-
name must be of the form type:residual , where type must be a type known to the library and residual portion should be specific to the particular keytab type. If no type is given, the default is FILE .
-

If name is of type FILE , the keytab file is not opened by this call.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html b/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html deleted file mode 100644 index f52f2f8..0000000 --- a/doc/html/appdev/refs/api/krb5_kt_start_seq_get.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_kt_start_seq_get - Start a sequential retrieval of key table entries. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_start_seq_get - Start a sequential retrieval of key table entries.¶

-
-
-krb5_error_code krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab, krb5_kt_cursor * cursor)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] keytab - Key table handle

-

[out] cursor - Cursor

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Prepare to read sequentially every key in the specified key table. Use krb5_kt_end_seq_get() to release the cursor when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_kuserok.html b/doc/html/appdev/refs/api/krb5_kuserok.html deleted file mode 100644 index 54f24a9..0000000 --- a/doc/html/appdev/refs/api/krb5_kuserok.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_kuserok - Determine if a principal is authorized to log in as a local user. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kuserok - Determine if a principal is authorized to log in as a local user.¶

-
-
-krb5_boolean krb5_kuserok(krb5_context context, krb5_principal principal, const char * luser)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal name

-

[in] luser - Local username

-
- --- - - - -
retval:
    -
  • TRUE Principal is authorized to log in as user; FALSE otherwise.
    • -
-
-

Determine whether principal is authorized to log in as a local user luser .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html b/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html deleted file mode 100644 index 53ecc10..0000000 --- a/doc/html/appdev/refs/api/krb5_make_authdata_kdc_issued.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data.¶

-
-
-krb5_error_code krb5_make_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, krb5_const_principal issuer, krb5_authdata *const * authdata, krb5_authdata *** ad_kdcissued)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Session key

-

[in] issuer - The name of the issuing principal

-

[in] authdata - List of authorization data to be signed

-

[out] ad_kdcissued - List containing AD-KDCIssued authdata

-
-

This function wraps a list of authorization data entries authdata in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with key . The result is returned in ad_kdcissued as a single-element list.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_merge_authdata.html b/doc/html/appdev/refs/api/krb5_merge_authdata.html deleted file mode 100644 index 7dc2a6a..0000000 --- a/doc/html/appdev/refs/api/krb5_merge_authdata.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_merge_authdata - Merge two authorization data lists into a new list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_merge_authdata - Merge two authorization data lists into a new list.¶

-
-
-krb5_error_code krb5_merge_authdata(krb5_context context, krb5_authdata *const * inauthdat1, krb5_authdata *const * inauthdat2, krb5_authdata *** outauthdat)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] inauthdat1 - First list of krb5_authdata structures

-

[in] inauthdat2 - Second list of krb5_authdata structures

-

[out] outauthdat - Merged list of krb5_authdata structures

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Merge two authdata arrays, such as the array from a ticket and authenticator. Use krb5_free_authdata() to free outauthdat when it is no longer needed.

-
-

Note

-

The last array entry in inauthdat1 and inauthdat2 must be a NULL pointer.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_1cred.html b/doc/html/appdev/refs/api/krb5_mk_1cred.html deleted file mode 100644 index 396a00b..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_1cred.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials.¶

-
-
-krb5_error_code krb5_mk_1cred(krb5_context context, krb5_auth_context auth_context, krb5_creds * pcreds, krb5_data ** ppdata, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] pcreds - Pointer to credentials

-

[out] ppdata - Encoded credentials

-

[out] outdata - Replay cache data (NULL if not needed)

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • ENOMEM Insufficient memory
    • -
  • KRB5_RC_REQUIRED Message replay detection requires rcache parameter
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This is a convenience function that calls krb5_mk_ncred() with a single set of credentials.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_error.html b/doc/html/appdev/refs/api/krb5_mk_error.html deleted file mode 100644 index 58bcff2..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_error.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_mk_error - Format and encode a KRB_ERROR message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_error - Format and encode a KRB_ERROR message.¶

-
-
-krb5_error_code krb5_mk_error(krb5_context context, const krb5_error * dec_err, krb5_data * enc_err)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] dec_err - Error structure to be encoded

-

[out] enc_err - Encoded error structure

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates a KRB_ERROR message in enc_err . Use krb5_free_data_contents() to free enc_err when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_ncred.html b/doc/html/appdev/refs/api/krb5_mk_ncred.html deleted file mode 100644 index 0025945..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_ncred.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_mk_ncred - Format a KRB-CRED message for an array of credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.¶

-
-
-krb5_error_code krb5_mk_ncred(krb5_context context, krb5_auth_context auth_context, krb5_creds ** ppcreds, krb5_data ** ppdata, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] ppcreds - Null-terminated array of credentials

-

[out] ppdata - Encoded credentials

-

[out] outdata - Replay cache information (NULL if not needed)

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • ENOMEM Insufficient memory
    • -
  • KRB5_RC_REQUIRED Message replay detection requires rcache parameter
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function takes an array of credentials ppcreds and formats a KRB-CRED message ppdata to pass to krb5_rd_cred() .

-

The message will be encrypted using the send subkey of auth_context if it is present, or the session key otherwise.

-
-

Note

-

If the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context , outdata is required.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_priv.html b/doc/html/appdev/refs/api/krb5_mk_priv.html deleted file mode 100644 index 741af2a..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_priv.html +++ /dev/null @@ -1,190 +0,0 @@ - - - - - - - - krb5_mk_priv - Format a KRB-PRIV message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_priv - Format a KRB-PRIV message.¶

-
-
-krb5_error_code krb5_mk_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * outbuf, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] userdata - User data for KRB-PRIV message

-

[out] outbuf - Formatted KRB-PRIV message

-

[out] outdata - Replay cache handle (NULL if not needed)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function is similar to krb5_mk_safe() , but the message is encrypted and integrity-protected, not just integrity-protected.

-

The local address in auth_context must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

-
-
-
-
-

Note

-

If the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context , the outdata is required.

-

The flags from auth_context specify whether sequence numbers or timestamps will be used to identify the message. Valid values are:

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_rep.html b/doc/html/appdev/refs/api/krb5_mk_rep.html deleted file mode 100644 index 6340a89..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_rep.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_mk_rep - Format and encrypt a KRB_AP_REP message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_rep - Format and encrypt a KRB_AP_REP message.¶

-
-
-krb5_error_code krb5_mk_rep(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] outbuf - AP-REP message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function fills in outbuf with an AP-REP message using information from auth_context .

-

If the flags in auth_context indicate that a sequence number should be used (either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE ) and the local sequence number in auth_context is 0, a new number will be generated with krb5_generate_seq_number().

-

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_rep_dce.html b/doc/html/appdev/refs/api/krb5_mk_rep_dce.html deleted file mode 100644 index 874acf8..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_rep_dce.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC.¶

-
-
-krb5_error_code krb5_mk_rep_dce(krb5_context context, krb5_auth_context auth_context, krb5_data * outbuf)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[out] outbuf - AP-REP message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_req.html b/doc/html/appdev/refs/api/krb5_mk_req.html deleted file mode 100644 index 726970d..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_req.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_mk_req - Create a KRB_AP_REQ message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_req - Create a KRB_AP_REQ message.¶

-
-
-krb5_error_code krb5_mk_req(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, char * service, char * hostname, krb5_data * in_data, krb5_ccache ccache, krb5_data * outbuf)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] ap_req_options - AP_OPTS options

-

[in] service - Service name, or NULL to use “host”

-

[in] hostname - Host name, or NULL to use local hostname

-

[in] in_data - Application data to be checksummed in the authenticator, or NULL

-

[in] ccache - Credential cache used to obtain credentials for the desired service.

-

[out] outbuf - AP-REQ message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function is similar to krb5_mk_req_extended() except that it uses a given hostname , service , and ccache to construct a service principal name and obtain credentials.

-

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_req_extended.html b/doc/html/appdev/refs/api/krb5_mk_req_extended.html deleted file mode 100644 index d6c91b9..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_req_extended.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.¶

-
-
-krb5_error_code krb5_mk_req_extended(krb5_context context, krb5_auth_context * auth_context, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_data * outbuf)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] ap_req_options - AP_OPTS options

-

[in] in_data - Application data to be checksummed in the authenticator, or NULL

-

[in] in_creds - Credentials for the service with valid ticket and key

-

[out] outbuf - AP-REQ message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Valid ap_req_options are:

-
-
-
-
-

This function creates a KRB_AP_REQ message using supplied credentials in_creds . auth_context may point to an existing auth context or to NULL, in which case a new one will be created. If in_data is non-null, a checksum of it will be included in the authenticator contained in the KRB_AP_REQ message. Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
-

On successful return, the authenticator is stored in auth_context with the client and checksum fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.)

-
-

See also

-

krb5_mk_req()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_mk_safe.html b/doc/html/appdev/refs/api/krb5_mk_safe.html deleted file mode 100644 index 19a2695..0000000 --- a/doc/html/appdev/refs/api/krb5_mk_safe.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_mk_safe - Format a KRB-SAFE message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_safe - Format a KRB-SAFE message.¶

-
-
-krb5_error_code krb5_mk_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * userdata, krb5_data * outbuf, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] userdata - User data in the message

-

[out] outbuf - Formatted KRB-SAFE buffer

-

[out] outdata - Replay data. Specify NULL if not needed

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function creates an integrity protected KRB-SAFE message using data supplied by the application.

-

Fields in auth_context specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and KRB5_AUTH_CONTEXT flags.

-

The local address in auth_context must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message.

-

If KRB5_AUTH_CONTEXT_DO_TIME flag is set in the auth_context , an entry describing the message is entered in the replay cache auth_context->rcache which enables the caller to detect if this message is reflected by an attacker. If KRB5_AUTH_CONTEXT_DO_TIME is not set, the replay cache is not used.

-

If either KRB5_AUTH_CONTEXT_DO_SEQUENCE or KRB5_AUTH_CONTEXT_RET_SEQUENCE is set, the auth_context local sequence number will be placed in outdata as its sequence number.

-

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
-

Note

-

The outdata argument is required if KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the auth_context .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_os_localaddr.html b/doc/html/appdev/refs/api/krb5_os_localaddr.html deleted file mode 100644 index 6c12442..0000000 --- a/doc/html/appdev/refs/api/krb5_os_localaddr.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_os_localaddr - Return all interface addresses for this host. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_os_localaddr - Return all interface addresses for this host.¶

-
-
-krb5_error_code krb5_os_localaddr(krb5_context context, krb5_address *** addr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] addr - Array of krb5_address pointers, ending with NULL

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_addresses() to free addr when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_add_buffer.html b/doc/html/appdev/refs/api/krb5_pac_add_buffer.html deleted file mode 100644 index 01492fd..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_add_buffer.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_pac_add_buffer - Add a buffer to a PAC handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_add_buffer - Add a buffer to a PAC handle.¶

-
-
-krb5_error_code krb5_pac_add_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, const krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC handle

-

[in] type - Buffer type

-

[in] data - contents

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function adds a buffer of type type and contents data to pac if there isn’t already a buffer of this type present.

-

The valid values of type is one of the following:

-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_free.html b/doc/html/appdev/refs/api/krb5_pac_free.html deleted file mode 100644 index 9ee9ce1..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_free.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_pac_free - Free a PAC handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_free - Free a PAC handle.¶

-
-
-void krb5_pac_free(krb5_context context, krb5_pac pac)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC to be freed

-
-

This function frees the contents of pac and the structure itself.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_get_buffer.html b/doc/html/appdev/refs/api/krb5_pac_get_buffer.html deleted file mode 100644 index c05b811..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_get_buffer.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_pac_get_buffer - Retrieve a buffer value from a PAC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_get_buffer - Retrieve a buffer value from a PAC.¶

-
-
-krb5_error_code krb5_pac_get_buffer(krb5_context context, krb5_pac pac, krb5_ui_4 type, krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC handle

-

[in] type - Type of buffer to retrieve

-

[out] data - Buffer value

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_free_data_contents() to free data when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_get_types.html b/doc/html/appdev/refs/api/krb5_pac_get_types.html deleted file mode 100644 index ad39243..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_get_types.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_pac_get_types - Return an array of buffer types in a PAC handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_get_types - Return an array of buffer types in a PAC handle.¶

-
-
-krb5_error_code krb5_pac_get_types(krb5_context context, krb5_pac pac, size_t * len, krb5_ui_4 ** types)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC handle

-

[out] len - Number of entries in types

-

[out] types - Array of buffer types

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_init.html b/doc/html/appdev/refs/api/krb5_pac_init.html deleted file mode 100644 index ba3a4b0..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_init.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle.¶

-
-
-krb5_error_code krb5_pac_init(krb5_context context, krb5_pac * pac)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] pac - New PAC handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_pac_free() to free pac when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_parse.html b/doc/html/appdev/refs/api/krb5_pac_parse.html deleted file mode 100644 index 3fb3d97..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_parse.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_pac_parse - Unparse an encoded PAC into a new handle. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_parse - Unparse an encoded PAC into a new handle.¶

-
-
-krb5_error_code krb5_pac_parse(krb5_context context, const void * ptr, size_t len, krb5_pac * pac)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ptr - PAC buffer

-

[in] len - Length of ptr

-

[out] pac - PAC handle

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

Use krb5_pac_free() to free pac when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_sign.html b/doc/html/appdev/refs/api/krb5_pac_sign.html deleted file mode 100644 index 4c9fbb4..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_sign.html +++ /dev/null @@ -1,171 +0,0 @@ - - - - - - - - krb5_pac_sign - Sign a PAC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_sign - Sign a PAC.¶

-
-
-krb5_error_code krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server_key, const krb5_keyblock * privsvr_key, krb5_data * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC handle

-

[in] authtime - Expected timestamp

-

[in] principal - Expected principal name (or NULL)

-

[in] server_key - Key for server checksum

-

[in] privsvr_key - Key for KDC checksum

-

[out] data - Signed PAC encoding

-
-

This function signs pac using the keys server_key and privsvr_key and returns the signed encoding in data . pac is modified to include the server and KDC checksum buffers. Use krb5_free_data_contents() to free data when it is no longer needed.

-
-

Note

-

New in 1.10

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_pac_verify.html b/doc/html/appdev/refs/api/krb5_pac_verify.html deleted file mode 100644 index e9db4b5..0000000 --- a/doc/html/appdev/refs/api/krb5_pac_verify.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_pac_verify - Verify a PAC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac_verify - Verify a PAC.¶

-
-
-krb5_error_code krb5_pac_verify(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock * server, const krb5_keyblock * privsvr)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pac - PAC handle

-

[in] authtime - Expected timestamp

-

[in] principal - Expected principal name (or NULL)

-

[in] server - Key to validate server checksum (or NULL)

-

[in] privsvr - Key to validate KDC checksum (or NULL)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function validates pac against the supplied server , privsvr , principal and authtime . If principal is NULL, the principal and authtime are not verified. If server or privsvr is NULL, the corresponding checksum is not verified.

-

If successful, pac is marked as verified.

-
-

Note

-

A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_parse_name.html b/doc/html/appdev/refs/api/krb5_parse_name.html deleted file mode 100644 index 4e38478..0000000 --- a/doc/html/appdev/refs/api/krb5_parse_name.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_parse_name - Convert a string principal name to a krb5_principal structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_parse_name - Convert a string principal name to a krb5_principal structure.¶

-
-
-krb5_error_code krb5_parse_name(krb5_context context, const char * name, krb5_principal * principal_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - String representation of a principal name

-

[out] principal_out - New principal

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Convert a string representation of a principal name to a krb5_principal structure.

-

A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used.

-

To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using n , t , b or 0 , respectively.

-

Use krb5_free_principal() to free principal_out when it is no longer needed.

-
-

Note

-

The realm in a Kerberos name cannot contain slash, colon, or NULL characters.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_parse_name_flags.html b/doc/html/appdev/refs/api/krb5_parse_name_flags.html deleted file mode 100644 index fbff4c5..0000000 --- a/doc/html/appdev/refs/api/krb5_parse_name_flags.html +++ /dev/null @@ -1,193 +0,0 @@ - - - - - - - - krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags.¶

-
-
-krb5_error_code krb5_parse_name_flags(krb5_context context, const char * name, int flags, krb5_principal * principal_out)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] name - String representation of a principal name

-

[in] flags - Flag

-

[out] principal_out - New principal

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Similar to krb5_parse_name() , this function converts a single-string representation of a principal name to a krb5_principal structure.

-

The following flags are valid:

-
-
-
-
-

If KRB5_PRINCIPAL_PARSE_NO_REALM or KRB5_PRINCIPAL_PARSE_IGNORE_REALM is specified in flags , the realm of the new principal will be empty. Otherwise, the default realm for context will be used if name does not specify a realm.

-
-

Use krb5_free_principal() to free principal_out when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_prepend_error_message.html b/doc/html/appdev/refs/api/krb5_prepend_error_message.html deleted file mode 100644 index 7714a19..0000000 --- a/doc/html/appdev/refs/api/krb5_prepend_error_message.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_prepend_error_message - Add a prefix to the message for an error code. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_prepend_error_message - Add a prefix to the message for an error code.¶

-
-
-void krb5_prepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ...)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] code - Error code

-

[in] fmt - Format string for error message prefix

-
-

Format a message and prepend it to the current message for code . The prefix will be separated from the old message with a colon and space.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_principal2salt.html b/doc/html/appdev/refs/api/krb5_principal2salt.html deleted file mode 100644 index 2fca54e..0000000 --- a/doc/html/appdev/refs/api/krb5_principal2salt.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_principal2salt - Convert a principal name into the default salt for that principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal2salt - Convert a principal name into the default salt for that principal.¶

-
-
-krb5_error_code krb5_principal2salt(krb5_context context, register krb5_const_principal pr, krb5_data * ret)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] pr - Principal name

-

[out] ret - Default salt for pr to be filled in

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_principal_compare.html b/doc/html/appdev/refs/api/krb5_principal_compare.html deleted file mode 100644 index b675f8d..0000000 --- a/doc/html/appdev/refs/api/krb5_principal_compare.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_principal_compare - Compare two principals. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal_compare - Compare two principals.¶

-
-
-krb5_boolean krb5_principal_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] princ1 - First principal

-

[in] princ2 - Second principal

-
- --- - - - -
retval:
    -
  • TRUE if the principals are the same; FALSE otherwise
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html b/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html deleted file mode 100644 index 2511496..0000000 --- a/doc/html/appdev/refs/api/krb5_principal_compare_any_realm.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_principal_compare_any_realm - Compare two principals ignoring realm components. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal_compare_any_realm - Compare two principals ignoring realm components.¶

-
-
-krb5_boolean krb5_principal_compare_any_realm(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] princ1 - First principal

-

[in] princ2 - Second principal

-
- --- - - - -
retval:
    -
  • TRUE if the principals are the same; FALSE otherwise
    • -
-
-

Similar to krb5_principal_compare() , but do not compare the realm components of the principals.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_principal_compare_flags.html b/doc/html/appdev/refs/api/krb5_principal_compare_flags.html deleted file mode 100644 index fb995a1..0000000 --- a/doc/html/appdev/refs/api/krb5_principal_compare_flags.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_principal_compare_flags - Compare two principals with additional flags. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal_compare_flags - Compare two principals with additional flags.¶

-
-
-krb5_boolean krb5_principal_compare_flags(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2, int flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] princ1 - First principal

-

[in] princ2 - Second principal

-

[in] flags - Flags

-
- --- - - - -
retval:
    -
  • TRUE if the principal names are the same; FALSE otherwise
    • -
-
-

Valid flags are:

-
-
-
-
-

See also

-

krb5_principal_compare()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_process_key.html b/doc/html/appdev/refs/api/krb5_process_key.html deleted file mode 100644 index 659d84b..0000000 --- a/doc/html/appdev/refs/api/krb5_process_key.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_process_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_process_key¶

-
-
-krb5_error_code krb5_process_key(krb5_context context, krb5_encrypt_block * eblock, const krb5_keyblock * key)¶
-
- - --- - - - -
param:

context

-

eblock

-

key

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_prompter_posix.html b/doc/html/appdev/refs/api/krb5_prompter_posix.html deleted file mode 100644 index 9d03dc0..0000000 --- a/doc/html/appdev/refs/api/krb5_prompter_posix.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_prompter_posix - Prompt user for password. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_prompter_posix - Prompt user for password.¶

-
-
-krb5_error_code krb5_prompter_posix(krb5_context context, void * data, const char * name, const char * banner, int num_prompts, krb5_prompt prompts)¶
-
- - --- - - - -
param:

[in] context - Library context

-

data - Unused (callback argument)

-

[in] name - Name to output during prompt

-

[in] banner - Banner to output during prompt

-

[in] num_prompts - Number of prompts in prompts

-

[in] prompts - Array of prompts and replies

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function is intended to be used as a prompter callback for krb5_get_init_creds_password() or krb5_init_creds_init() .

-

Writes name and banner to stdout, each followed by a newline, then writes each prompt field in the prompts array, followed by”:”, and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_random_key.html b/doc/html/appdev/refs/api/krb5_random_key.html deleted file mode 100644 index 88f9c7d..0000000 --- a/doc/html/appdev/refs/api/krb5_random_key.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_random_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_random_key¶

-
-
-krb5_error_code krb5_random_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_pointer ptr, krb5_keyblock ** keyblock)¶
-
- - --- - - - -
param:

context

-

eblock

-

ptr

-

keyblock

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_cred.html b/doc/html/appdev/refs/api/krb5_rd_cred.html deleted file mode 100644 index dafe7d7..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_cred.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_rd_cred - Read and validate a KRB-CRED message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_cred - Read and validate a KRB-CRED message.¶

-
-
-krb5_error_code krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, krb5_data * pcreddata, krb5_creds *** pppcreds, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] pcreddata - KRB-CRED message

-

[out] pppcreds - Null-terminated array of forwarded credentials

-

[out] outdata - Replay data (NULL if not needed)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
-
pcreddata will be decrypted using the receiving subkey if it is present in auth_context , or the session key if the receiving subkey is not present or fails to decrypt the message.
-

Use krb5_free_tgt_creds() to free pppcreds when it is no longer needed.

-
-

Note

-

The outdata argument is required if KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the auth_context .`

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_error.html b/doc/html/appdev/refs/api/krb5_rd_error.html deleted file mode 100644 index 02e005f..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_error.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_rd_error - Decode a KRB-ERROR message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_error - Decode a KRB-ERROR message.¶

-
-
-krb5_error_code krb5_rd_error(krb5_context context, const krb5_data * enc_errbuf, krb5_error ** dec_error)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] enc_errbuf - Encoded error message

-

[out] dec_error - Decoded error message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function processes KRB-ERROR message enc_errbuf and returns an allocated structure dec_error containing the error message. Use krb5_free_error() to free dec_error when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_priv.html b/doc/html/appdev/refs/api/krb5_rd_priv.html deleted file mode 100644 index be85589..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_priv.html +++ /dev/null @@ -1,189 +0,0 @@ - - - - - - - - krb5_rd_priv - Process a KRB-PRIV message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_priv - Process a KRB-PRIV message.¶

-
-
-krb5_error_code krb5_rd_priv(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * outbuf, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication structure

-

[in] inbuf - KRB-PRIV message to be parsed

-

[out] outbuf - Data parsed from KRB-PRIV message

-

[out] outdata - Replay data. Specify NULL if not needed

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function parses a KRB-PRIV message, verifies its integrity, and stores its unencrypted data into outbuf .

-

If the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in auth_context , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of auth_context . Otherwise, the sequence number is not used.

-

If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , then two additional checks are performed:

-
-
    -
  • The timestamp in the message must be within the permitted clock skew (which is usually five minutes).
    • -
  • The message must not be a replayed message field in auth_context .
    • -
-
-
-

Note

-

If the KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in auth_context , outdata is required.

-

auth_context must have a remote address set. This address will be used to verify the sender address in the KRB-PRIV message. If auth_context has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one. Both addresses must use type ADDRTYPE_ADDRPORT .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_rep.html b/doc/html/appdev/refs/api/krb5_rd_rep.html deleted file mode 100644 index 0c3e6ea..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_rep.html +++ /dev/null @@ -1,176 +0,0 @@ - - - - - - - - krb5_rd_rep - Parse and decrypt a KRB_AP_REP message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_rep - Parse and decrypt a KRB_AP_REP message.¶

-
-
-krb5_error_code krb5_rd_rep(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ap_rep_enc_part ** repl)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] inbuf - AP-REP message

-

[out] repl - Decrypted reply message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function parses, decrypts and verifies a message from inbuf and fills in repl with a pointer to allocated memory containing the fields from the encrypted response.

-

Use krb5_free_ap_rep_enc_part() to free repl when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_rep_dce.html b/doc/html/appdev/refs/api/krb5_rd_rep_dce.html deleted file mode 100644 index 77432c5..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_rep_dce.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC.¶

-
-
-krb5_error_code krb5_rd_rep_dce(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_ui_4 * nonce)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] inbuf - AP-REP message

-

[out] nonce - Sequence number from the decrypted reply

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function parses, decrypts and verifies a message from inbuf and fills in nonce with a decrypted reply sequence number.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_req.html b/doc/html/appdev/refs/api/krb5_rd_req.html deleted file mode 100644 index 28a3e6b..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_req.html +++ /dev/null @@ -1,193 +0,0 @@ - - - - - - - - krb5_rd_req - Parse and decrypt a KRB_AP_REQ message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.¶

-
-
-krb5_error_code krb5_rd_req(krb5_context context, krb5_auth_context * auth_context, const krb5_data * inbuf, krb5_const_principal server, krb5_keytab keytab, krb5_flags * ap_req_options, krb5_ticket ** ticket)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] inbuf - AP-REQ message to be parsed

-

[in] server - Matching principal for server, or NULL to allow any principal in keytab

-

[in] keytab - Key table, or NULL to use the default

-

[out] ap_req_options - If non-null, the AP-REQ flags on output

-

[out] ticket - If non-null, ticket from the AP-REQ message

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function parses, decrypts and verifies a AP-REQ message from inbuf and stores the authenticator in auth_context .

-

If a keyblock was specified in auth_context using krb5_auth_con_setuseruserkey() , that key is used to decrypt the ticket in AP-REQ message and keytab is ignored. In this case, server should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection.

-

Otherwise, the decryption key is obtained from keytab , or from the default keytab if it is NULL. In this case, server may be a complete principal name, a matching principal (see krb5_sname_match() ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows:

-
-
    -
  • If server is a complete principal name, then its entry in keytab is tried.
    • -
  • Otherwise, if keytab is iterable, then all entries in keytab which match server are tried.
    • -
  • Otherwise, the server principal in the ticket must match server , and its entry in keytab is tried.
    • -
-
-

The client specified in the decrypted authenticator must match the client specified in the decrypted ticket.

-

If the remote_addr field of auth_context is set, the request must come from that address.

-

If a replay cache handle is provided in the auth_context , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of auth_context .

-

Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times.

-

On success the authenticator, subkey, and remote sequence number of the request are stored in auth_context . If the AP_OPTS_MUTUAL_REQUIRED bit is set, the local sequence number is XORed with the remote sequence number in the request.

-

Use krb5_free_ticket() to free ticket when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_rd_safe.html b/doc/html/appdev/refs/api/krb5_rd_safe.html deleted file mode 100644 index b41b7f3..0000000 --- a/doc/html/appdev/refs/api/krb5_rd_safe.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - krb5_rd_safe - Process KRB-SAFE message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rd_safe - Process KRB-SAFE message.¶

-
-
-krb5_error_code krb5_rd_safe(krb5_context context, krb5_auth_context auth_context, const krb5_data * inbuf, krb5_data * outbuf, krb5_replay_data * outdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] auth_context - Authentication context

-

[in] inbuf - KRB-SAFE message to be parsed

-

[out] outbuf - Data parsed from KRB-SAFE message

-

[out] outdata - Replay data. Specify NULL if not needed

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function parses a KRB-SAFE message, verifies its integrity, and stores its data into outbuf .

-

If the KRB5_AUTH_CONTEXT_DO_SEQUENCE flag is set in auth_context , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of auth_context . Otherwise, the sequence number is not used.

-

If the KRB5_AUTH_CONTEXT_DO_TIME flag is set in auth_context , then two additional checks are performed:

-
-
-
    -
  • The timestamp in the message must be within the permitted clock skew (which is usually five minutes).
    • -
  • The message must not be a replayed message field in auth_context .
    • -
-
-

Use krb5_free_data_contents() to free outbuf when it is no longer needed.

-
-
-

Note

-

The outdata argument is required if KRB5_AUTH_CONTEXT_RET_TIME or KRB5_AUTH_CONTEXT_RET_SEQUENCE flag is set in the auth_context .

-

auth_context must have a remote address set. This address will be used to verify the sender address in the KRB-SAFE message. If auth_context has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. Both addresses must use type ADDRTYPE_ADDRPORT .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_read_password.html b/doc/html/appdev/refs/api/krb5_read_password.html deleted file mode 100644 index 3490614..0000000 --- a/doc/html/appdev/refs/api/krb5_read_password.html +++ /dev/null @@ -1,185 +0,0 @@ - - - - - - - - krb5_read_password - Read a password from keyboard input. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_read_password - Read a password from keyboard input.¶

-
-
-krb5_error_code krb5_read_password(krb5_context context, const char * prompt, const char * prompt2, char * return_pwd, unsigned int * size_return)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] prompt - First user prompt when reading password

-

[in] prompt2 - Second user prompt (NULL to prompt only once)

-

[out] return_pwd - Returned password

-

[inout] size_return - On input, maximum size of password; on output, size of password read

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Error in reading or verifying the password Kerberos error codes
    • -
-
-

This function reads a password from keyboard input and stores it in return_pwd . size_return should be set by the caller to the amount of storage space available in return_pwd ; on successful return, it will be set to the length of the password read.

-
-
prompt is printed to the terminal, followed by”:”, and then a password is read from the keyboard.
-

If prompt2 is NULL, the password is read only once. Otherwise, prompt2 is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5_LIBOS_BADPWDMATCH is returned.

-

Echoing is turned off when the password is read.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_realm_compare.html b/doc/html/appdev/refs/api/krb5_realm_compare.html deleted file mode 100644 index eacc829..0000000 --- a/doc/html/appdev/refs/api/krb5_realm_compare.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_realm_compare - Compare the realms of two principals. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_realm_compare - Compare the realms of two principals.¶

-
-
-krb5_boolean krb5_realm_compare(krb5_context context, krb5_const_principal princ1, krb5_const_principal princ2)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] princ1 - First principal

-

[in] princ2 - Second principal

-
- --- - - - -
retval:
    -
  • TRUE if the realm names are the same; FALSE otherwise
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_recvauth.html b/doc/html/appdev/refs/api/krb5_recvauth.html deleted file mode 100644 index e2237b1..0000000 --- a/doc/html/appdev/refs/api/krb5_recvauth.html +++ /dev/null @@ -1,184 +0,0 @@ - - - - - - - - krb5_recvauth - Server function for sendauth protocol. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_recvauth - Server function for sendauth protocol.¶

-
-
-krb5_error_code krb5_recvauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] fd - File descriptor

-

[in] appl_version - Application protocol version to be matched against the client’s application version

-

[in] server - Server principal (NULL for any in keytab )

-

[in] flags - Additional specifications

-

[in] keytab - Key table containing service keys

-

[out] ticket - Ticket (NULL if not needed)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over fd .

-

Use krb5_free_ticket() to free ticket when it is no longer needed.

-
-

See also

-

krb5_sendauth()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_recvauth_version.html b/doc/html/appdev/refs/api/krb5_recvauth_version.html deleted file mode 100644 index c2e18fc..0000000 --- a/doc/html/appdev/refs/api/krb5_recvauth_version.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_recvauth_version - Server function for sendauth protocol with version parameter. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_recvauth_version - Server function for sendauth protocol with version parameter.¶

-
-
-krb5_error_code krb5_recvauth_version(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, krb5_principal server, krb5_int32 flags, krb5_keytab keytab, krb5_ticket ** ticket, krb5_data * version)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] fd - File descriptor

-

[in] server - Server principal (NULL for any in keytab )

-

[in] flags - Additional specifications

-

[in] keytab - Decryption key

-

[out] ticket - Ticket (NULL if not needed)

-

[out] version - sendauth protocol version (NULL if not needed)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function is similar to krb5_recvauth() with the additional output information place into version .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_get_challenge.html deleted file mode 100644 index 8b5d9af..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_get_challenge.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context.¶

-
-
-const char * krb5_responder_get_challenge(krb5_context ctx, krb5_responder_context rctx, const char * question)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] question - Question name

-
-

Return a pointer to a C string containing the challenge for question within rctx , or NULL if the question is not present in rctx . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of rctx , and should not be modified or freed by the caller.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_list_questions.html b/doc/html/appdev/refs/api/krb5_responder_list_questions.html deleted file mode 100644 index 172f3e4..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_list_questions.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_responder_list_questions - List the question names contained in the responder context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_list_questions - List the question names contained in the responder context.¶

-
-
-const char *const * krb5_responder_list_questions(krb5_context ctx, krb5_responder_context rctx)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-
-

Return a pointer to a null-terminated list of question names which are present in rctx . The pointer is an alias, valid only as long as the lifetime of rctx , and should not be modified or freed by the caller. A question’s challenge can be retrieved using krb5_responder_get_challenge() and answered using krb5_responder_set_answer() .

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html b/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html deleted file mode 100644 index 02bc354..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_otp_challenge_free.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge() .¶

-
-
-void krb5_responder_otp_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge * chl)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] chl - The challenge to free

-
-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html deleted file mode 100644 index 71a34b9..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_otp_get_challenge.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.¶

-
-
-krb5_error_code krb5_responder_otp_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_otp_challenge ** chl)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[out] chl - Challenge structure

-
-

A convenience function which parses the KRB5_RESPONDER_QUESTION_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON.

-

The returned value must be passed to krb5_responder_otp_challenge_free() to be freed.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html deleted file mode 100644 index df649d3..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_otp_set_answer.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question.¶

-
-
-krb5_error_code krb5_responder_otp_set_answer(krb5_context ctx, krb5_responder_context rctx, size_t ti, const char * value, const char * pin)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] ti - The index of the tokeninfo selected

-

[in] value - The value to set, or NULL for none

-

[in] pin - The pin to set, or NULL for none

-
-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html deleted file mode 100644 index 87d525e..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_pkinit_challenge_free.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge() . — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge() .¶

-
-
-void krb5_responder_pkinit_challenge_free(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge * chl)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] chl - The challenge to free

-
-
-

Note

-

New in 1.12

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html deleted file mode 100644 index b5cc9a8..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_pkinit_get_challenge.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.¶

-
-
-krb5_error_code krb5_responder_pkinit_get_challenge(krb5_context ctx, krb5_responder_context rctx, krb5_responder_pkinit_challenge ** chl_out)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[out] chl_out - Challenge structure

-
-

A convenience function which parses the KRB5_RESPONDER_QUESTION_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON.

-

The returned value must be passed to krb5_responder_pkinit_challenge_free() to be freed.

-
-

Note

-

New in 1.12

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html deleted file mode 100644 index ba6d636..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_pkinit_set_answer.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.¶

-
-
-krb5_error_code krb5_responder_pkinit_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * identity, const char * pin)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] identity - The identity for which a PIN is being supplied

-

[in] pin - The provided PIN, or NULL for none

-
-
-

Note

-

New in 1.12

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_responder_set_answer.html b/doc/html/appdev/refs/api/krb5_responder_set_answer.html deleted file mode 100644 index 0bf4204..0000000 --- a/doc/html/appdev/refs/api/krb5_responder_set_answer.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_responder_set_answer - Answer a named question in the responder context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_set_answer - Answer a named question in the responder context.¶

-
-
-krb5_error_code krb5_responder_set_answer(krb5_context ctx, krb5_responder_context rctx, const char * question, const char * answer)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] rctx - Responder context

-

[in] question - Question name

-

[in] answer - The string to set (MUST be printable UTF-8)

-
- --- - - - -
retval:
    -
  • EINVAL question is not present within rctx
    • -
-
-

This function supplies an answer to question within rctx . The appropriate form of the answer depends on the question name.

-
-

Note

-

New in 1.11

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_salttype_to_string.html b/doc/html/appdev/refs/api/krb5_salttype_to_string.html deleted file mode 100644 index b223bc4..0000000 --- a/doc/html/appdev/refs/api/krb5_salttype_to_string.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_salttype_to_string - Convert a salt type to a string. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_salttype_to_string - Convert a salt type to a string.¶

-
-
-krb5_error_code krb5_salttype_to_string(krb5_int32 salttype, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] salttype - Salttype to convert

-

[out] buffer - Buffer to receive the converted string

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_sendauth.html b/doc/html/appdev/refs/api/krb5_sendauth.html deleted file mode 100644 index 383108f..0000000 --- a/doc/html/appdev/refs/api/krb5_sendauth.html +++ /dev/null @@ -1,200 +0,0 @@ - - - - - - - - krb5_sendauth - Client function for sendauth protocol. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_sendauth - Client function for sendauth protocol.¶

-
-
-krb5_error_code krb5_sendauth(krb5_context context, krb5_auth_context * auth_context, krb5_pointer fd, char * appl_version, krb5_principal client, krb5_principal server, krb5_flags ap_req_options, krb5_data * in_data, krb5_creds * in_creds, krb5_ccache ccache, krb5_error ** error, krb5_ap_rep_enc_part ** rep_result, krb5_creds ** out_creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[inout] auth_context - Pre-existing or newly created auth context

-

[in] fd - File descriptor that describes network socket

-

[in] appl_version - Application protocol version to be matched with the receiver’s application version

-

[in] client - Client principal

-

[in] server - Server principal

-

[in] ap_req_options - AP_OPTS options

-

[in] in_data - Data to be sent to the server

-

[in] in_creds - Input credentials, or NULL to use ccache

-

[in] ccache - Credential cache

-

[out] error - If non-null, contains KRB_ERROR message returned from server

-

[out] rep_result - If non-null and ap_req_options is AP_OPTS_MUTUAL_REQUIRED , contains the result of mutual authentication exchange

-

[out] out_creds - If non-null, the retrieved credentials

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over fd .

-

Credentials may be specified in three ways:

-
-
-
    -
  • If in_creds is NULL, credentials are obtained with krb5_get_credentials() using the principals client and server . server must be non-null; client may NULL to use the default principal of ccache .
    • -
  • If in_creds is non-null, but does not contain a ticket, credentials for the exchange are obtained with krb5_get_credentials() using in_creds . In this case, the values of client and server are unused.
    • -
  • If in_creds is a complete credentials structure, it used directly. In this case, the values of client , server , and ccache are unused.
    • -
-
-

If the server is using a different application protocol than that specified in appl_version , an error will be returned.

-
-

Use krb5_free_creds() to free out_creds , krb5_free_ap_rep_enc_part() to free rep_result , and krb5_free_error() to free error when they are no longer needed.

-
-

See also

-

krb5_recvauth()

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html b/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html deleted file mode 100644 index a98a443..0000000 --- a/doc/html/appdev/refs/api/krb5_server_decrypt_ticket_keytab.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table.¶

-
-
-krb5_error_code krb5_server_decrypt_ticket_keytab(krb5_context context, const krb5_keytab kt, krb5_ticket * ticket)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] kt - Key table

-

[in] ticket - Ticket to be decrypted

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function takes a ticket as input and decrypts it using key data from kt . The result is placed into ticket->enc_part2 .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_default_realm.html b/doc/html/appdev/refs/api/krb5_set_default_realm.html deleted file mode 100644 index 99b049e..0000000 --- a/doc/html/appdev/refs/api/krb5_set_default_realm.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_set_default_realm - Override the default realm for the specified context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_default_realm - Override the default realm for the specified context.¶

-
-
-krb5_error_code krb5_set_default_realm(krb5_context context, const char * lrealm)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] lrealm - Realm name for the default realm

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

If lrealm is NULL, clear the default realm setting.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html b/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html deleted file mode 100644 index f85f42d..0000000 --- a/doc/html/appdev/refs/api/krb5_set_default_tgs_enctypes.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure.¶

-
-
-krb5_error_code krb5_set_default_tgs_enctypes(krb5_context context, const krb5_enctype * etypes)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] etypes - Encryption type(s) to set

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
  • KRB5_PROG_ETYPE_NOSUPP Program lacks support for encryption type
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function sets the default enctype list for TGS requests made using context to etypes .

-
-

Note

-

This overrides the default list (from config file or built-in).

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_error_message.html b/doc/html/appdev/refs/api/krb5_set_error_message.html deleted file mode 100644 index 3fe5c04..0000000 --- a/doc/html/appdev/refs/api/krb5_set_error_message.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_set_error_message - Set an extended error message for an error code. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_error_message - Set an extended error message for an error code.¶

-
-
-void krb5_set_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, ...)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] code - Error code

-

[in] fmt - Error string for the error code

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html b/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html deleted file mode 100644 index a246568..0000000 --- a/doc/html/appdev/refs/api/krb5_set_kdc_recv_hook.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_set_kdc_recv_hook - Set a KDC post-receive hook function. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_kdc_recv_hook - Set a KDC post-receive hook function.¶

-
-
-void krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void * data)¶
-
- - --- - - - -
param:

[in] context - The library context.

-

[in] recv_hook - Hook function (or NULL to disable the hook)

-

[in] data - Callback data to be passed to recv_hook

-
-
-
recv_hook will be called after a reply is received from a KDC during a call to a library function such as krb5_get_credentials() . The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply.
-
-

Note

-

New in 1.15

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html b/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html deleted file mode 100644 index 31005a8..0000000 --- a/doc/html/appdev/refs/api/krb5_set_kdc_send_hook.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_set_kdc_send_hook - Set a KDC pre-send hook function. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_kdc_send_hook - Set a KDC pre-send hook function.¶

-
-
-void krb5_set_kdc_send_hook(krb5_context context, krb5_pre_send_fn send_hook, void * data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] send_hook - Hook function (or NULL to disable the hook)

-

[in] data - Callback data to be passed to send_hook

-
-
-
send_hook will be called before messages are sent to KDCs by library functions such as krb5_get_credentials() . The hook function may inspect, override, or synthesize its own reply to the message.
-
-

Note

-

New in 1.15

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_password.html b/doc/html/appdev/refs/api/krb5_set_password.html deleted file mode 100644 index 97e28f2..0000000 --- a/doc/html/appdev/refs/api/krb5_set_password.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_set_password - Set a password for a principal using specified credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_password - Set a password for a principal using specified credentials.¶

-
-
-krb5_error_code krb5_set_password(krb5_context context, krb5_creds * creds, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] creds - Credentials for kadmin/changepw service

-

[in] newpw - New password

-

[in] change_password_for - Change the password for this principal

-

[out] result_code - Numeric error code from server

-

[out] result_code_string - String equivalent to result_code

-

[out] result_string - Data returned from the remote system

-
- --- - - - - - -
retval:
    -
  • 0 Success and result_code is set to KRB5_KPASSWD_SUCCESS .
    • -
-
return:
    -
  • Kerberos error codes.
    • -
-
-

This function uses the credentials creds to set the password newpw for the principal change_password_for . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations.

-

The error code and strings are returned in result_code , result_code_string and result_string .

-
-

Note

-

If change_password_for is NULL, the change is performed on the current principal. If change_password_for is non-null, the change is performed on the principal name passed in change_password_for .

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html b/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html deleted file mode 100644 index c2fb184..0000000 --- a/doc/html/appdev/refs/api/krb5_set_password_using_ccache.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_set_password_using_ccache - Set a password for a principal using cached credentials. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_password_using_ccache - Set a password for a principal using cached credentials.¶

-
-
-krb5_error_code krb5_set_password_using_ccache(krb5_context context, krb5_ccache ccache, const char * newpw, krb5_principal change_password_for, int * result_code, krb5_data * result_code_string, krb5_data * result_string)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ccache - Credential cache

-

[in] newpw - New password

-

[in] change_password_for - Change the password for this principal

-

[out] result_code - Numeric error code from server

-

[out] result_code_string - String equivalent to result_code

-

[out] result_string - Data returned from the remote system

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function uses the cached credentials from ccache to set the password newpw for the principal change_password_for . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache.

-

The error code and strings are returned in result_code , result_code_string and result_string .

-
-

Note

-

If change_password_for is set to NULL, the change is performed on the default principal in ccache . If change_password_for is non null, the change is performed on the specified principal.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_principal_realm.html b/doc/html/appdev/refs/api/krb5_set_principal_realm.html deleted file mode 100644 index cbf0f42..0000000 --- a/doc/html/appdev/refs/api/krb5_set_principal_realm.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_set_principal_realm - Set the realm field of a principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_principal_realm - Set the realm field of a principal.¶

-
-
-krb5_error_code krb5_set_principal_realm(krb5_context context, krb5_principal principal, const char * realm)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal name

-

[in] realm - Realm name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

Set the realm name part of principal to realm , overwriting the previous realm.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_real_time.html b/doc/html/appdev/refs/api/krb5_set_real_time.html deleted file mode 100644 index 66cb5fc..0000000 --- a/doc/html/appdev/refs/api/krb5_set_real_time.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_set_real_time - Set time offset field in a krb5_context structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_real_time - Set time offset field in a krb5_context structure.¶

-
-
-krb5_error_code krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] seconds - Real time, seconds portion

-

[in] microseconds - Real time, microseconds portion

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function sets the time offset in context to the difference between the system time and the real time as determined by seconds and microseconds .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_trace_callback.html b/doc/html/appdev/refs/api/krb5_set_trace_callback.html deleted file mode 100644 index 79e4a72..0000000 --- a/doc/html/appdev/refs/api/krb5_set_trace_callback.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_set_trace_callback - Specify a callback function for trace events. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_trace_callback - Specify a callback function for trace events.¶

-
-
-krb5_error_code krb5_set_trace_callback(krb5_context context, krb5_trace_callback fn, void * cb_data)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] fn - Callback function

-

[in] cb_data - Callback data

-
- --- - - - -
return:
    -
  • Returns KRB5_TRACE_NOSUPP if tracing is not supported in the library (unless fn is NULL).
    • -
-
-

Specify a callback for trace events occurring in krb5 operations performed within context . fn will be invoked with context as the first argument, cb_data as the last argument, and a pointer to a krb5_trace_info as the second argument. If the trace callback is reset via this function or context is destroyed, fn will be invoked with a NULL second argument so it can clean up cb_data . Supply a NULL value for fn to disable trace callbacks within context .

-
-

Note

-

This function overrides the information passed through the KRB5_TRACE environment variable.

-
-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_set_trace_filename.html b/doc/html/appdev/refs/api/krb5_set_trace_filename.html deleted file mode 100644 index f74bfae..0000000 --- a/doc/html/appdev/refs/api/krb5_set_trace_filename.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_set_trace_filename - Specify a file name for directing trace events. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_set_trace_filename - Specify a file name for directing trace events.¶

-
-
-krb5_error_code krb5_set_trace_filename(krb5_context context, const char * filename)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] filename - File name

-
- --- - - - -
retval:
    -
  • KRB5_TRACE_NOSUPP Tracing is not supported in the library.
    • -
-
-

Open filename for appending (creating it, if necessary) and set up a callback to write trace events to it.

-
-

Note

-

This function overrides the information passed through the KRB5_TRACE environment variable.

-
-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_sname_match.html b/doc/html/appdev/refs/api/krb5_sname_match.html deleted file mode 100644 index e02c425..0000000 --- a/doc/html/appdev/refs/api/krb5_sname_match.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_sname_match - Test whether a principal matches a matching principal. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_sname_match - Test whether a principal matches a matching principal.¶

-
-
-krb5_boolean krb5_sname_match(krb5_context context, krb5_const_principal matching, krb5_const_principal princ)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] matching - Matching principal

-

[in] princ - Principal to test

-
- --- - - - -
return:
    -
  • TRUE if princ matches matching , FALSE otherwise.
    • -
-
-

If matching is NULL, return TRUE. If matching is not a matching principal, return the value of krb5_principal_compare(context, matching, princ).

-
-

Note

-

A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_sname_to_principal.html b/doc/html/appdev/refs/api/krb5_sname_to_principal.html deleted file mode 100644 index cbcc971..0000000 --- a/doc/html/appdev/refs/api/krb5_sname_to_principal.html +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - krb5_sname_to_principal - Generate a full principal name from a service name. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_sname_to_principal - Generate a full principal name from a service name.¶

-
-
-krb5_error_code krb5_sname_to_principal(krb5_context context, const char * hostname, const char * sname, krb5_int32 type, krb5_principal * ret_princ)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] hostname - Host name, or NULL to use local host

-

[in] sname - Service name, or NULL to use “host”

-

[in] type - Principal type

-

[out] ret_princ - Generated principal

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function converts a hostname and sname into krb5_principal structure ret_princ . The returned principal will be of the form sname/hostname@REALM where REALM is determined by krb5_get_host_realm() . In some cases this may be the referral (empty) realm.

-

The type can be one of the following:

-
-
-
    -
  • KRB5_NT_SRV_HST canonicalizes the host name before looking up the realm and generating the principal.
    • -
  • KRB5_NT_UNKNOWN accepts the hostname as given, and does not canonicalize it.
    • -
-
-

Use krb5_free_principal to free ret_princ when it is no longer needed.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html b/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html deleted file mode 100644 index a263378..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_cksumtype.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_string_to_cksumtype - Convert a string to a checksum type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_cksumtype - Convert a string to a checksum type.¶

-
-
-krb5_error_code krb5_string_to_cksumtype(char * string, krb5_cksumtype * cksumtypep)¶
-
- - --- - - - -
param:

[in] string - String to be converted

-

[out] cksumtypep - Checksum type to be filled in

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - EINVAL
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_deltat.html b/doc/html/appdev/refs/api/krb5_string_to_deltat.html deleted file mode 100644 index 95de0ef..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_deltat.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_string_to_deltat - Convert a string to a delta time value. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_deltat - Convert a string to a delta time value.¶

-
-
-krb5_error_code krb5_string_to_deltat(char * string, krb5_deltat * deltatp)¶
-
- - --- - - - -
param:

[in] string - String to be converted

-

[out] deltatp - Delta time to be filled in

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - KRB5_DELTAT_BADFORMAT
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_enctype.html b/doc/html/appdev/refs/api/krb5_string_to_enctype.html deleted file mode 100644 index 6e0853c..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_enctype.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_string_to_enctype - Convert a string to an encryption type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_enctype - Convert a string to an encryption type.¶

-
-
-krb5_error_code krb5_string_to_enctype(char * string, krb5_enctype * enctypep)¶
-
- - --- - - - -
param:

[in] string - String to convert to an encryption type

-

[out] enctypep - Encryption type

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - EINVAL
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_key.html b/doc/html/appdev/refs/api/krb5_string_to_key.html deleted file mode 100644 index 083f30b..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_key.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_string_to_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_key¶

-
-
-krb5_error_code krb5_string_to_key(krb5_context context, const krb5_encrypt_block * eblock, krb5_keyblock * keyblock, const krb5_data * data, const krb5_data * salt)¶
-
- - --- - - - -
param:

context

-

eblock

-

keyblock

-

data

-

salt

-
-

DEPRECATED See krb5_c_string_to_key()

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_salttype.html b/doc/html/appdev/refs/api/krb5_string_to_salttype.html deleted file mode 100644 index 6f730f2..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_salttype.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_string_to_salttype - Convert a string to a salt type. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_salttype - Convert a string to a salt type.¶

-
-
-krb5_error_code krb5_string_to_salttype(char * string, krb5_int32 * salttypep)¶
-
- - --- - - - -
param:

[in] string - String to convert to an encryption type

-

[out] salttypep - Salt type to be filled in

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - EINVAL
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_string_to_timestamp.html b/doc/html/appdev/refs/api/krb5_string_to_timestamp.html deleted file mode 100644 index bb82935..0000000 --- a/doc/html/appdev/refs/api/krb5_string_to_timestamp.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_string_to_timestamp - Convert a string to a timestamp. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_string_to_timestamp - Convert a string to a timestamp.¶

-
-
-krb5_error_code krb5_string_to_timestamp(char * string, krb5_timestamp * timestampp)¶
-
- - --- - - - -
param:

[in] string - String to be converted

-

[out] timestampp - Pointer to timestamp

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - EINVAL
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_timeofday.html b/doc/html/appdev/refs/api/krb5_timeofday.html deleted file mode 100644 index 017b4e3..0000000 --- a/doc/html/appdev/refs/api/krb5_timeofday.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_timeofday - Retrieve the current time with context specific time offset adjustment. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_timeofday - Retrieve the current time with context specific time offset adjustment.¶

-
-
-krb5_error_code krb5_timeofday(krb5_context context, register krb5_timestamp * timeret)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] timeret - Timestamp to fill in

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function retrieves the system time of day with the context specific time offset adjustment.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html b/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html deleted file mode 100644 index 385001b..0000000 --- a/doc/html/appdev/refs/api/krb5_timestamp_to_sfstring.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding.¶

-
-
-krb5_error_code krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char * buffer, size_t buflen, char * pad)¶
-
- - --- - - - -
param:

[in] timestamp - Timestamp to convert

-

[out] buffer - Buffer to hold the converted timestamp

-

[in] buflen - Length of buffer

-

[in] pad - Optional value to pad buffer if converted timestamp does not fill it

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

If pad is not NULL, buffer is padded out to buflen - 1 characters with the value of * pad .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_timestamp_to_string.html b/doc/html/appdev/refs/api/krb5_timestamp_to_string.html deleted file mode 100644 index 1d6404c..0000000 --- a/doc/html/appdev/refs/api/krb5_timestamp_to_string.html +++ /dev/null @@ -1,174 +0,0 @@ - - - - - - - - krb5_timestamp_to_string - Convert a timestamp to a string. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_timestamp_to_string - Convert a timestamp to a string.¶

-
-
-krb5_error_code krb5_timestamp_to_string(krb5_timestamp timestamp, char * buffer, size_t buflen)¶
-
- - --- - - - -
param:

[in] timestamp - Timestamp to convert

-

[out] buffer - Buffer to hold converted timestamp

-

[in] buflen - Storage available in buffer

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

The string is returned in the locale’s appropriate date and time representation.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_free.html b/doc/html/appdev/refs/api/krb5_tkt_creds_free.html deleted file mode 100644 index b7c26f6..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_free.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_tkt_creds_free - Free a TGS request context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_free - Free a TGS request context.¶

-
-
-void krb5_tkt_creds_free(krb5_context context, krb5_tkt_creds_context ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - TGS request context

-
-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get.html deleted file mode 100644 index 50bf630..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_get.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context.¶

-
-
-krb5_error_code krb5_tkt_creds_get(krb5_context context, krb5_tkt_creds_context ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - TGS request context

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function synchronously obtains credentials using a context created by krb5_tkt_creds_init() . On successful return, the credentials can be retrieved with krb5_tkt_creds_get_creds() .

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html deleted file mode 100644 index 4bc177a..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_get_creds.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context.¶

-
-
-krb5_error_code krb5_tkt_creds_get_creds(krb5_context context, krb5_tkt_creds_context ctx, krb5_creds * creds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - TGS request context

-

[out] creds - Acquired credentials

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function copies the acquired initial credentials from ctx into creds , after the successful completion of krb5_tkt_creds_get() or krb5_tkt_creds_step() . Use krb5_free_cred_contents() to free creds when it is no longer needed.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html b/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html deleted file mode 100644 index fd0e2f2..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_get_times.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context.¶

-
-
-krb5_error_code krb5_tkt_creds_get_times(krb5_context context, krb5_tkt_creds_context ctx, krb5_ticket_times * times)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - TGS request context

-

[out] times - Ticket times for acquired credentials

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

The TGS request context must have completed obtaining credentials via either krb5_tkt_creds_get() or krb5_tkt_creds_step() .

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_init.html b/doc/html/appdev/refs/api/krb5_tkt_creds_init.html deleted file mode 100644 index cb82fb1..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_init.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_tkt_creds_init - Create a context to get credentials from a KDC’s Ticket Granting Service. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_init - Create a context to get credentials from a KDC’s Ticket Granting Service.¶

-
-
-krb5_error_code krb5_tkt_creds_init(krb5_context context, krb5_ccache ccache, krb5_creds * creds, krb5_flags options, krb5_tkt_creds_context * ctx)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ccache - Credential cache handle

-

[in] creds - Input credentials

-

[in] options - KRB5_GC options for this request.

-

[out] ctx - New TGS request context

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function prepares to obtain credentials matching creds , either by retrieving them from ccache or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal’s realm.

-

The resulting TGS acquisition context can be used asynchronously with krb5_tkt_creds_step() or synchronously with krb5_tkt_creds_get() . See also krb5_get_credentials() for synchronous use.

-

Use krb5_tkt_creds_free() to free ctx when it is no longer needed.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_tkt_creds_step.html b/doc/html/appdev/refs/api/krb5_tkt_creds_step.html deleted file mode 100644 index 549c1f1..0000000 --- a/doc/html/appdev/refs/api/krb5_tkt_creds_step.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_tkt_creds_step - Get the next KDC request in a TGS exchange. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_step - Get the next KDC request in a TGS exchange.¶

-
-
-krb5_error_code krb5_tkt_creds_step(krb5_context context, krb5_tkt_creds_context ctx, krb5_data * in, krb5_data * out, krb5_data * realm, unsigned int * flags)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] ctx - TGS request context

-

[in] in - KDC response (empty on the first call)

-

[out] out - Next KDC request

-

[out] realm - Realm for next KDC request

-

[out] flags - Output flags

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, in should be set to an empty buffer; on subsequent calls, it should be set to the KDC’s reply to the previous request.

-

If more requests are needed, flags will be set to KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and the next request will be placed in out . If no more requests are needed, flags will not contain KRB5_TKT_CREDS_STEP_FLAG_CONTINUE and out will be empty.

-

If this function returns KRB5KRB_ERR_RESPONSE_TOO_BIG , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed.

-
-

Note

-

New in 1.9

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_unparse_name.html b/doc/html/appdev/refs/api/krb5_unparse_name.html deleted file mode 100644 index a55ebdb..0000000 --- a/doc/html/appdev/refs/api/krb5_unparse_name.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_unparse_name - Convert a krb5_principal structure to a string representation. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_unparse_name - Convert a krb5_principal structure to a string representation.¶

-
-
-krb5_error_code krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char ** name)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal

-

[out] name - String representation of principal name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

The resulting string representation uses the format and quoting conventions described for krb5_parse_name() .

-

Use krb5_free_unparsed_name() to free name when it is no longer needed.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_ext.html b/doc/html/appdev/refs/api/krb5_unparse_name_ext.html deleted file mode 100644 index 98398c4..0000000 --- a/doc/html/appdev/refs/api/krb5_unparse_name_ext.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - krb5_unparse_name_ext - Convert krb5_principal structure to string and length. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_unparse_name_ext - Convert krb5_principal structure to string and length.¶

-
-
-krb5_error_code krb5_unparse_name_ext(krb5_context context, krb5_const_principal principal, char ** name, unsigned int * size)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal

-

[inout] name - String representation of principal name

-

[inout] size - Size of unparsed name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes. On failure name is set to NULL
    • -
-
-

This function is similar to krb5_unparse_name() , but allows the use of an existing buffer for the result. If size is not NULL, then name must point to either NULL or an existing buffer of at least the size pointed to by size . The buffer will be allocated or resized if necessary, with the new pointer stored into name . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into size .

-

If size is NULL, this function behaves exactly as krb5_unparse_name() .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_flags.html b/doc/html/appdev/refs/api/krb5_unparse_name_flags.html deleted file mode 100644 index af44d13..0000000 --- a/doc/html/appdev/refs/api/krb5_unparse_name_flags.html +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags.¶

-
-
-krb5_error_code krb5_unparse_name_flags(krb5_context context, krb5_const_principal principal, int flags, char ** name)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal

-

[in] flags - Flags

-

[out] name - String representation of principal name

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes. On failure name is set to NULL
    • -
-
-

Similar to krb5_unparse_name() , this function converts a krb5_principal structure to a string representation.

-

The following flags are valid:

-
-
-
-
-

Use krb5_free_unparsed_name() to free name when it is no longer needed.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html b/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html deleted file mode 100644 index 8286b8f..0000000 --- a/doc/html/appdev/refs/api/krb5_unparse_name_flags_ext.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags.¶

-
-
-krb5_error_code krb5_unparse_name_flags_ext(krb5_context context, krb5_const_principal principal, int flags, char ** name, unsigned int * size)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] principal - Principal

-

[in] flags - Flags

-

[out] name - Single string format of principal name

-

[out] size - Size of unparsed name buffer

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes. On failure name is set to NULL
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_us_timeofday.html b/doc/html/appdev/refs/api/krb5_us_timeofday.html deleted file mode 100644 index 7b10ebb..0000000 --- a/doc/html/appdev/refs/api/krb5_us_timeofday.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.¶

-
-
-krb5_error_code krb5_us_timeofday(krb5_context context, krb5_timestamp * seconds, krb5_int32 * microseconds)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[out] seconds - System timeofday, seconds portion

-

[out] microseconds - System timeofday, microseconds portion

-
- --- - - - - - -
retval:
    -
  • 0 Success
    • -
-
return:
    -
  • Kerberos error codes
    • -
-
-

This function retrieves the system time of day with the context specific time offset adjustment.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_use_enctype.html b/doc/html/appdev/refs/api/krb5_use_enctype.html deleted file mode 100644 index 24d4e75..0000000 --- a/doc/html/appdev/refs/api/krb5_use_enctype.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_use_enctype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_use_enctype¶

-
-
-krb5_error_code krb5_use_enctype(krb5_context context, krb5_encrypt_block * eblock, krb5_enctype enctype)¶
-
- - --- - - - -
param:

context

-

eblock

-

enctype

-
-

DEPRECATED Replaced by krb5_c_* API family.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html b/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html deleted file mode 100644 index ff91ae1..0000000 --- a/doc/html/appdev/refs/api/krb5_verify_authdata_kdc_issued.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data.¶

-
-
-krb5_error_code krb5_verify_authdata_kdc_issued(krb5_context context, const krb5_keyblock * key, const krb5_authdata * ad_kdcissued, krb5_principal * issuer, krb5_authdata *** authdata)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] key - Session key

-

[in] ad_kdcissued - AD-KDCIssued authorization data to be unwrapped

-

[out] issuer - Name of issuing principal (or NULL)

-

[out] authdata - Unwrapped list of authorization data

-
-

This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against key . The issuer field of the authdatum element is returned in issuer , and the unwrapped list of authdata is returned in authdata .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_verify_checksum.html b/doc/html/appdev/refs/api/krb5_verify_checksum.html deleted file mode 100644 index f4053af..0000000 --- a/doc/html/appdev/refs/api/krb5_verify_checksum.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_verify_checksum — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_checksum¶

-
-
-krb5_error_code krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, const krb5_checksum * cksum, krb5_const_pointer in, size_t in_length, krb5_const_pointer seed, size_t seed_length)¶
-
- - --- - - - -
param:

context

-

ctype

-

cksum

-

in

-

in_length

-

seed

-

seed_length

-
-

DEPRECATED See krb5_c_verify_checksum()

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds.html b/doc/html/appdev/refs/api/krb5_verify_init_creds.html deleted file mode 100644 index 502a1c3..0000000 --- a/doc/html/appdev/refs/api/krb5_verify_init_creds.html +++ /dev/null @@ -1,179 +0,0 @@ - - - - - - - - krb5_verify_init_creds - Verify initial credentials against a keytab. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_init_creds - Verify initial credentials against a keytab.¶

-
-
-krb5_error_code krb5_verify_init_creds(krb5_context context, krb5_creds * creds, krb5_principal server, krb5_keytab keytab, krb5_ccache * ccache, krb5_verify_init_creds_opt * options)¶
-
- - --- - - - -
param:

[in] context - Library context

-

[in] creds - Initial credentials to be verified

-

[in] server - Server principal (or NULL)

-

[in] keytab - Key table (NULL to use default keytab)

-

[in] ccache - Credential cache for fetched creds (or NULL)

-

[in] options - Verification options (NULL for default options)

-
- --- - - - -
retval:
    -
  • 0 Success; otherwise - Kerberos error codes
    • -
-
-

This function attempts to verify that creds were obtained from a KDC with knowledge of a key in keytab , or the default keytab if keytab is NULL. If server is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique”host”service principals in the keytab are tried.

-

If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for server , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see krb5_verify_init_creds_opt_init() and krb5_verify_init_creds_opt_set_ap_req_nofail() .

-

If ccache is NULL, any additional credentials fetched during the verification process will be destroyed. If ccache points to NULL, a memory ccache will be created for the additional credentials and returned in ccache . If ccache points to a valid credential cache handle, the additional credentials will be stored in that cache.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html deleted file mode 100644 index cfae5bf..0000000 --- a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_init.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_verify_init_creds_opt_init - Initialize a credential verification options structure. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_init_creds_opt_init - Initialize a credential verification options structure.¶

-
-
-void krb5_verify_init_creds_opt_init(krb5_verify_init_creds_opt * k5_vic_options)¶
-
- - --- - - - -
param:[in] k5_vic_options - Verification options structure
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html b/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html deleted file mode 100644 index a6e967d..0000000 --- a/doc/html/appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required.¶

-
-
-void krb5_verify_init_creds_opt_set_ap_req_nofail(krb5_verify_init_creds_opt * k5_vic_options, int ap_req_nofail)¶
-
- - --- - - - -
param:

[in] k5_vic_options - Verification options structure

-

[in] ap_req_nofail - Whether to require successful verification

-
-

This function determines how krb5_verify_init_creds() behaves if no keytab information is available. If ap_req_nofail is FALSE , verification will be skipped in this case and krb5_verify_init_creds() will return successfully. If ap_req_nofail is TRUE , krb5_verify_init_creds() will not return successfully unless verification can be performed.

-

If this function is not used, the behavior of krb5_verify_init_creds() is determined through configuration.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_vprepend_error_message.html b/doc/html/appdev/refs/api/krb5_vprepend_error_message.html deleted file mode 100644 index 26bd2dc..0000000 --- a/doc/html/appdev/refs/api/krb5_vprepend_error_message.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.¶

-
-
-void krb5_vprepend_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] code - Error code

-

[in] fmt - Format string for error message prefix

-

[in] args - List of vprintf(3) style arguments

-
-

This function is similar to krb5_prepend_error_message() , but uses a va_list instead of variadic arguments.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_vset_error_message.html b/doc/html/appdev/refs/api/krb5_vset_error_message.html deleted file mode 100644 index f5c65f5..0000000 --- a/doc/html/appdev/refs/api/krb5_vset_error_message.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_vset_error_message - Set an extended error message for an error code using a va_list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_vset_error_message - Set an extended error message for an error code using a va_list.¶

-
-
-void krb5_vset_error_message(krb5_context ctx, krb5_error_code code, const char * fmt, va_list args)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] code - Error code

-

[in] fmt - Error string for the error code

-

[in] args - List of vprintf(3) style arguments

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_vwrap_error_message.html b/doc/html/appdev/refs/api/krb5_vwrap_error_message.html deleted file mode 100644 index dda25ff..0000000 --- a/doc/html/appdev/refs/api/krb5_vwrap_error_message.html +++ /dev/null @@ -1,165 +0,0 @@ - - - - - - - - krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list.¶

-
-
-void krb5_vwrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, va_list args)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] old_code - Previous error code

-

[in] code - Error code

-

[in] fmt - Format string for error message prefix

-

[in] args - List of vprintf(3) style arguments

-
-

This function is similar to krb5_wrap_error_message() , but uses a va_list instead of variadic arguments.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/api/krb5_wrap_error_message.html b/doc/html/appdev/refs/api/krb5_wrap_error_message.html deleted file mode 100644 index 6a967b2..0000000 --- a/doc/html/appdev/refs/api/krb5_wrap_error_message.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - krb5_wrap_error_message - Add a prefix to a different error code’s message. — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_wrap_error_message - Add a prefix to a different error code’s message.¶

-
-
-void krb5_wrap_error_message(krb5_context ctx, krb5_error_code old_code, krb5_error_code code, const char * fmt, ...)¶
-
- - --- - - - -
param:

[in] ctx - Library context

-

[in] old_code - Previous error code

-

[in] code - Error code

-

[in] fmt - Format string for error message prefix

-
-

Format a message and prepend it to the message for old_code . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for code .

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/index.html b/doc/html/appdev/refs/index.html deleted file mode 100644 index d457b4b..0000000 --- a/doc/html/appdev/refs/index.html +++ /dev/null @@ -1,153 +0,0 @@ - - - - - - - - Complete reference - API and datatypes — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Complete reference - API and datatypes¶

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html b/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html deleted file mode 100644 index 1d1ace7..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_ADDRPORT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_ADDRPORT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_ADDRPORT¶

-
-
-ADDRTYPE_ADDRPORT¶
-
- - ---- - - - - - -
ADDRTYPE_ADDRPORT0x0100
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html b/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html deleted file mode 100644 index eac7091..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_CHAOS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_CHAOS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_CHAOS¶

-
-
-ADDRTYPE_CHAOS¶
-
- - ---- - - - - - -
ADDRTYPE_CHAOS0x0005
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html b/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html deleted file mode 100644 index 606372d..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_DDP.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_DDP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_DDP¶

-
-
-ADDRTYPE_DDP¶
-
- - ---- - - - - - -
ADDRTYPE_DDP0x0010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_INET.html b/doc/html/appdev/refs/macros/ADDRTYPE_INET.html deleted file mode 100644 index 197c5ca..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_INET.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_INET — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_INET¶

-
-
-ADDRTYPE_INET¶
-
- - ---- - - - - - -
ADDRTYPE_INET0x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html b/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html deleted file mode 100644 index a590c95..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_INET6.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_INET6 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_INET6¶

-
-
-ADDRTYPE_INET6¶
-
- - ---- - - - - - -
ADDRTYPE_INET60x0018
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html b/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html deleted file mode 100644 index 5d3cd96..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_IPPORT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_IPPORT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_IPPORT¶

-
-
-ADDRTYPE_IPPORT¶
-
- - ---- - - - - - -
ADDRTYPE_IPPORT0x0101
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html b/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html deleted file mode 100644 index c716d2b..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_ISO.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_ISO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_ISO¶

-
-
-ADDRTYPE_ISO¶
-
- - ---- - - - - - -
ADDRTYPE_ISO0x0007
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html b/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html deleted file mode 100644 index dc26d28..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_IS_LOCAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_IS_LOCAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_IS_LOCAL¶

-
-
-ADDRTYPE_IS_LOCAL¶
-
- - ---- - - - - - -
ADDRTYPE_IS_LOCAL (addrtype)(addrtype & 0x8000)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html b/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html deleted file mode 100644 index d2db3ad..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_NETBIOS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_NETBIOS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_NETBIOS¶

-
-
-ADDRTYPE_NETBIOS¶
-
- - ---- - - - - - -
ADDRTYPE_NETBIOS0x0014
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html b/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html deleted file mode 100644 index 61b2d16..0000000 --- a/doc/html/appdev/refs/macros/ADDRTYPE_XNS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ADDRTYPE_XNS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ADDRTYPE_XNS¶

-
-
-ADDRTYPE_XNS¶
-
- - ---- - - - - - -
ADDRTYPE_XNS0x0006
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html b/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html deleted file mode 100644 index 979ff82..0000000 --- a/doc/html/appdev/refs/macros/AD_TYPE_EXTERNAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AD_TYPE_EXTERNAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AD_TYPE_EXTERNAL¶

-
-
-AD_TYPE_EXTERNAL¶
-
- - ---- - - - - - -
AD_TYPE_EXTERNAL0x4000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html b/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html deleted file mode 100644 index cb75e1a..0000000 --- a/doc/html/appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AD_TYPE_FIELD_TYPE_MASK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AD_TYPE_FIELD_TYPE_MASK¶

-
-
-AD_TYPE_FIELD_TYPE_MASK¶
-
- - ---- - - - - - -
AD_TYPE_FIELD_TYPE_MASK0x1fff
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html b/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html deleted file mode 100644 index 1917df2..0000000 --- a/doc/html/appdev/refs/macros/AD_TYPE_REGISTERED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AD_TYPE_REGISTERED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AD_TYPE_REGISTERED¶

-
-
-AD_TYPE_REGISTERED¶
-
- - ---- - - - - - -
AD_TYPE_REGISTERED0x2000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html b/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html deleted file mode 100644 index d7483c6..0000000 --- a/doc/html/appdev/refs/macros/AD_TYPE_RESERVED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AD_TYPE_RESERVED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AD_TYPE_RESERVED¶

-
-
-AD_TYPE_RESERVED¶
-
- - ---- - - - - - -
AD_TYPE_RESERVED0x8000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html b/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html deleted file mode 100644 index bba81a6..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AP_OPTS_ETYPE_NEGOTIATION — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_ETYPE_NEGOTIATION¶

-
-
-AP_OPTS_ETYPE_NEGOTIATION¶
-
- - ---- - - - - - -
AP_OPTS_ETYPE_NEGOTIATION0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html b/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html deleted file mode 100644 index 5648a57..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - AP_OPTS_MUTUAL_REQUIRED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_MUTUAL_REQUIRED¶

-
-
-AP_OPTS_MUTUAL_REQUIRED¶
-
- -

Perform a mutual authentication exchange.

- ---- - - - - - -
AP_OPTS_MUTUAL_REQUIRED0x20000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html b/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html deleted file mode 100644 index bbc07aa..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_RESERVED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AP_OPTS_RESERVED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_RESERVED¶

-
-
-AP_OPTS_RESERVED¶
-
- - ---- - - - - - -
AP_OPTS_RESERVED0x80000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html b/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html deleted file mode 100644 index 873e4b1..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_USE_SESSION_KEY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - AP_OPTS_USE_SESSION_KEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_USE_SESSION_KEY¶

-
-
-AP_OPTS_USE_SESSION_KEY¶
-
- -

Use session key.

- ---- - - - - - -
AP_OPTS_USE_SESSION_KEY0x40000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html b/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html deleted file mode 100644 index 406f732..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_USE_SUBKEY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - AP_OPTS_USE_SUBKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_USE_SUBKEY¶

-
-
-AP_OPTS_USE_SUBKEY¶
-
- -

Generate a subsession key from the current session key obtained from the credentials.

- ---- - - - - - -
AP_OPTS_USE_SUBKEY0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html b/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html deleted file mode 100644 index 08b2ceb..0000000 --- a/doc/html/appdev/refs/macros/AP_OPTS_WIRE_MASK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - AP_OPTS_WIRE_MASK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

AP_OPTS_WIRE_MASK¶

-
-
-AP_OPTS_WIRE_MASK¶
-
- - ---- - - - - - -
AP_OPTS_WIRE_MASK0xfffffff0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html deleted file mode 100644 index 20b1e25..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - CKSUMTYPE_CMAC_CAMELLIA128 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_CMAC_CAMELLIA128¶

-
-
-CKSUMTYPE_CMAC_CAMELLIA128¶
-
- -

RFC 6803.

- ---- - - - - - -
CKSUMTYPE_CMAC_CAMELLIA1280x0011
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html deleted file mode 100644 index 37632c6..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - CKSUMTYPE_CMAC_CAMELLIA256 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_CMAC_CAMELLIA256¶

-
-
-CKSUMTYPE_CMAC_CAMELLIA256¶
-
- -

RFC 6803.

- ---- - - - - - -
CKSUMTYPE_CMAC_CAMELLIA2560x0012
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html b/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html deleted file mode 100644 index 54d6f1b..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_CRC32.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_CRC32 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_CRC32¶

-
-
-CKSUMTYPE_CRC32¶
-
- - ---- - - - - - -
CKSUMTYPE_CRC320x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html b/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html deleted file mode 100644 index f45f9ed..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_DESCBC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_DESCBC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_DESCBC¶

-
-
-CKSUMTYPE_DESCBC¶
-
- - ---- - - - - - -
CKSUMTYPE_DESCBC0x0004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html deleted file mode 100644 index 9acdb89..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_MD5_ARCFOUR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_MD5_ARCFOUR¶

-
-
-CKSUMTYPE_HMAC_MD5_ARCFOUR¶
-
- -

RFC 4757.

- ---- - - - - - -
CKSUMTYPE_HMAC_MD5_ARCFOUR-138
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html deleted file mode 100644 index 4005147..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_SHA1_96_AES128 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_SHA1_96_AES128¶

-
-
-CKSUMTYPE_HMAC_SHA1_96_AES128¶
-
- -

RFC 3962.

-

Used with ENCTYPE_AES128_CTS_HMAC_SHA1_96

- ---- - - - - - -
CKSUMTYPE_HMAC_SHA1_96_AES1280x000f
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html deleted file mode 100644 index fdfdef9..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_SHA1_96_AES256 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_SHA1_96_AES256¶

-
-
-CKSUMTYPE_HMAC_SHA1_96_AES256¶
-
- -

RFC 3962.

-

Used with ENCTYPE_AES256_CTS_HMAC_SHA1_96

- ---- - - - - - -
CKSUMTYPE_HMAC_SHA1_96_AES2560x0010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html deleted file mode 100644 index 0c6d5c7..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_SHA1_DES3 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_SHA1_DES3¶

-
-
-CKSUMTYPE_HMAC_SHA1_DES3¶
-
- - ---- - - - - - -
CKSUMTYPE_HMAC_SHA1_DES30x000c
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html deleted file mode 100644 index 6b336bd..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_SHA256_128_AES128 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_SHA256_128_AES128¶

-
-
-CKSUMTYPE_HMAC_SHA256_128_AES128¶
-
- -

RFC 8009.

- ---- - - - - - -
CKSUMTYPE_HMAC_SHA256_128_AES1280x0013
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html b/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html deleted file mode 100644 index f3681bc..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - CKSUMTYPE_HMAC_SHA384_192_AES256 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_HMAC_SHA384_192_AES256¶

-
-
-CKSUMTYPE_HMAC_SHA384_192_AES256¶
-
- -

RFC 8009.

- ---- - - - - - -
CKSUMTYPE_HMAC_SHA384_192_AES2560x0014
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html b/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html deleted file mode 100644 index d4731aa..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_MD5_HMAC_ARCFOUR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_MD5_HMAC_ARCFOUR¶

-
-
-CKSUMTYPE_MD5_HMAC_ARCFOUR¶
-
- - ---- - - - - - -
CKSUMTYPE_MD5_HMAC_ARCFOUR-137 /* Microsoft netlogon */
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html b/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html deleted file mode 100644 index bcd9e85..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_NIST_SHA.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_NIST_SHA — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_NIST_SHA¶

-
-
-CKSUMTYPE_NIST_SHA¶
-
- - ---- - - - - - -
CKSUMTYPE_NIST_SHA0x0009
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html deleted file mode 100644 index b9b50f2..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_RSA_MD4 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_RSA_MD4¶

-
-
-CKSUMTYPE_RSA_MD4¶
-
- - ---- - - - - - -
CKSUMTYPE_RSA_MD40x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html deleted file mode 100644 index 6dc8f4e..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_RSA_MD4_DES — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_RSA_MD4_DES¶

-
-
-CKSUMTYPE_RSA_MD4_DES¶
-
- - ---- - - - - - -
CKSUMTYPE_RSA_MD4_DES0x0003
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html deleted file mode 100644 index f1fc089..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_RSA_MD5 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_RSA_MD5¶

-
-
-CKSUMTYPE_RSA_MD5¶
-
- - ---- - - - - - -
CKSUMTYPE_RSA_MD50x0007
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html b/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html deleted file mode 100644 index dc5236f..0000000 --- a/doc/html/appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - CKSUMTYPE_RSA_MD5_DES — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

CKSUMTYPE_RSA_MD5_DES¶

-
-
-CKSUMTYPE_RSA_MD5_DES¶
-
- - ---- - - - - - -
CKSUMTYPE_RSA_MD5_DES0x0008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html deleted file mode 100644 index bd0b09a..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_AES128_CTS_HMAC_SHA1_96 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_AES128_CTS_HMAC_SHA1_96¶

-
-
-ENCTYPE_AES128_CTS_HMAC_SHA1_96¶
-
- -

RFC 3962.

- ---- - - - - - -
ENCTYPE_AES128_CTS_HMAC_SHA1_960x0011
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html b/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html deleted file mode 100644 index 77179c1..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_AES128_CTS_HMAC_SHA256_128 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_AES128_CTS_HMAC_SHA256_128¶

-
-
-ENCTYPE_AES128_CTS_HMAC_SHA256_128¶
-
- -

RFC 8009.

- ---- - - - - - -
ENCTYPE_AES128_CTS_HMAC_SHA256_1280x0013
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html deleted file mode 100644 index 986a3ee..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_AES256_CTS_HMAC_SHA1_96 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_AES256_CTS_HMAC_SHA1_96¶

-
-
-ENCTYPE_AES256_CTS_HMAC_SHA1_96¶
-
- -

RFC 3962.

- ---- - - - - - -
ENCTYPE_AES256_CTS_HMAC_SHA1_960x0012
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html b/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html deleted file mode 100644 index fafe225..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_AES256_CTS_HMAC_SHA384_192 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_AES256_CTS_HMAC_SHA384_192¶

-
-
-ENCTYPE_AES256_CTS_HMAC_SHA384_192¶
-
- -

RFC 8009.

- ---- - - - - - -
ENCTYPE_AES256_CTS_HMAC_SHA384_1920x0014
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html deleted file mode 100644 index 061a49a..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_ARCFOUR_HMAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_ARCFOUR_HMAC¶

-
-
-ENCTYPE_ARCFOUR_HMAC¶
-
- -

RFC 4757.

- ---- - - - - - -
ENCTYPE_ARCFOUR_HMAC0x0017
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html b/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html deleted file mode 100644 index 859828d..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_ARCFOUR_HMAC_EXP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_ARCFOUR_HMAC_EXP¶

-
-
-ENCTYPE_ARCFOUR_HMAC_EXP¶
-
- -

RFC 4757.

- ---- - - - - - -
ENCTYPE_ARCFOUR_HMAC_EXP0x0018
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html deleted file mode 100644 index 5524a49..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_CAMELLIA128_CTS_CMAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_CAMELLIA128_CTS_CMAC¶

-
-
-ENCTYPE_CAMELLIA128_CTS_CMAC¶
-
- -

RFC 6803.

- ---- - - - - - -
ENCTYPE_CAMELLIA128_CTS_CMAC0x0019
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html b/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html deleted file mode 100644 index ffdc607..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_CAMELLIA256_CTS_CMAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_CAMELLIA256_CTS_CMAC¶

-
-
-ENCTYPE_CAMELLIA256_CTS_CMAC¶
-
- -

RFC 6803.

- ---- - - - - - -
ENCTYPE_CAMELLIA256_CTS_CMAC0x001a
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html deleted file mode 100644 index 7d2f3b9..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_ENV.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_DES3_CBC_ENV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES3_CBC_ENV¶

-
-
-ENCTYPE_DES3_CBC_ENV¶
-
- -

DES-3 cbc mode, CMS enveloped data.

- ---- - - - - - -
ENCTYPE_DES3_CBC_ENV0x000f
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html deleted file mode 100644 index de378c1..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_RAW.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_DES3_CBC_RAW — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES3_CBC_RAW¶

-
-
-ENCTYPE_DES3_CBC_RAW¶
-
- - ---- - - - - - -
ENCTYPE_DES3_CBC_RAW0x0006
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html deleted file mode 100644 index 02d756f..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_DES3_CBC_SHA — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES3_CBC_SHA¶

-
-
-ENCTYPE_DES3_CBC_SHA¶
-
- - ---- - - - - - -
ENCTYPE_DES3_CBC_SHA0x0005
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html b/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html deleted file mode 100644 index 9951fd1..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_DES3_CBC_SHA1 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES3_CBC_SHA1¶

-
-
-ENCTYPE_DES3_CBC_SHA1¶
-
- - ---- - - - - - -
ENCTYPE_DES3_CBC_SHA10x0010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html deleted file mode 100644 index 5df6118..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_CRC.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_DES_CBC_CRC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES_CBC_CRC¶

-
-
-ENCTYPE_DES_CBC_CRC¶
-
- -

DES cbc mode with CRC-32.

- ---- - - - - - -
ENCTYPE_DES_CBC_CRC0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html deleted file mode 100644 index 53a26a1..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD4.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_DES_CBC_MD4 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES_CBC_MD4¶

-
-
-ENCTYPE_DES_CBC_MD4¶
-
- -

DES cbc mode with RSA-MD4.

- ---- - - - - - -
ENCTYPE_DES_CBC_MD40x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html deleted file mode 100644 index e43d667..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_MD5.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_DES_CBC_MD5 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES_CBC_MD5¶

-
-
-ENCTYPE_DES_CBC_MD5¶
-
- -

DES cbc mode with RSA-MD5.

- ---- - - - - - -
ENCTYPE_DES_CBC_MD50x0003
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html deleted file mode 100644 index 1762f7e..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES_CBC_RAW.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_DES_CBC_RAW — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES_CBC_RAW¶

-
-
-ENCTYPE_DES_CBC_RAW¶
-
- - ---- - - - - - -
ENCTYPE_DES_CBC_RAW0x0004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html b/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html deleted file mode 100644 index 9b7d540..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_DES_HMAC_SHA1 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DES_HMAC_SHA1¶

-
-
-ENCTYPE_DES_HMAC_SHA1¶
-
- - ---- - - - - - -
ENCTYPE_DES_HMAC_SHA10x0008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html deleted file mode 100644 index bc8906b..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_DSA_SHA1_CMS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_DSA_SHA1_CMS¶

-
-
-ENCTYPE_DSA_SHA1_CMS¶
-
- -

DSA with SHA1, CMS signature.

- ---- - - - - - -
ENCTYPE_DSA_SHA1_CMS0x0009
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html deleted file mode 100644 index 1e49ec7..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_MD5_RSA_CMS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_MD5_RSA_CMS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_MD5_RSA_CMS¶

-
-
-ENCTYPE_MD5_RSA_CMS¶
-
- -

MD5 with RSA, CMS signature.

- ---- - - - - - -
ENCTYPE_MD5_RSA_CMS0x000a
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_NULL.html b/doc/html/appdev/refs/macros/ENCTYPE_NULL.html deleted file mode 100644 index 26cd09b..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_NULL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_NULL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_NULL¶

-
-
-ENCTYPE_NULL¶
-
- - ---- - - - - - -
ENCTYPE_NULL0x0000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html deleted file mode 100644 index 3ee1012..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_RC2_CBC_ENV.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_RC2_CBC_ENV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_RC2_CBC_ENV¶

-
-
-ENCTYPE_RC2_CBC_ENV¶
-
- -

RC2 cbc mode, CMS enveloped data.

- ---- - - - - - -
ENCTYPE_RC2_CBC_ENV0x000c
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html deleted file mode 100644 index 164c7f7..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ENV.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_RSA_ENV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_RSA_ENV¶

-
-
-ENCTYPE_RSA_ENV¶
-
- -

RSA encryption, CMS enveloped data.

- ---- - - - - - -
ENCTYPE_RSA_ENV0x000d
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html b/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html deleted file mode 100644 index f2d1deb..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_RSA_ES_OAEP_ENV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_RSA_ES_OAEP_ENV¶

-
-
-ENCTYPE_RSA_ES_OAEP_ENV¶
-
- -

RSA w/OEAP encryption, CMS enveloped data.

- ---- - - - - - -
ENCTYPE_RSA_ES_OAEP_ENV0x000e
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html b/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html deleted file mode 100644 index b29f673..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - ENCTYPE_SHA1_RSA_CMS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_SHA1_RSA_CMS¶

-
-
-ENCTYPE_SHA1_RSA_CMS¶
-
- -

SHA1 with RSA, CMS signature.

- ---- - - - - - -
ENCTYPE_SHA1_RSA_CMS0x000b
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html b/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html deleted file mode 100644 index 65dc9ca..0000000 --- a/doc/html/appdev/refs/macros/ENCTYPE_UNKNOWN.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - ENCTYPE_UNKNOWN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ENCTYPE_UNKNOWN¶

-
-
-ENCTYPE_UNKNOWN¶
-
- - ---- - - - - - -
ENCTYPE_UNKNOWN0x01ff
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html b/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html deleted file mode 100644 index 66c4152..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_ALLOW_POSTDATE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_ALLOW_POSTDATE¶

-
-
-KDC_OPT_ALLOW_POSTDATE¶
-
- - ---- - - - - - -
KDC_OPT_ALLOW_POSTDATE0x04000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html b/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html deleted file mode 100644 index ba4b375..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_CANONICALIZE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_CANONICALIZE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_CANONICALIZE¶

-
-
-KDC_OPT_CANONICALIZE¶
-
- - ---- - - - - - -
KDC_OPT_CANONICALIZE0x00010000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html b/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html deleted file mode 100644 index 73a2f92..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_CNAME_IN_ADDL_TKT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_CNAME_IN_ADDL_TKT¶

-
-
-KDC_OPT_CNAME_IN_ADDL_TKT¶
-
- - ---- - - - - - -
KDC_OPT_CNAME_IN_ADDL_TKT0x00020000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html b/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html deleted file mode 100644 index 34405d6..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_DISABLE_TRANSITED_CHECK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_DISABLE_TRANSITED_CHECK¶

-
-
-KDC_OPT_DISABLE_TRANSITED_CHECK¶
-
- - ---- - - - - - -
KDC_OPT_DISABLE_TRANSITED_CHECK0x00000020
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html b/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html deleted file mode 100644 index ab6f4da..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_ENC_TKT_IN_SKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_ENC_TKT_IN_SKEY¶

-
-
-KDC_OPT_ENC_TKT_IN_SKEY¶
-
- - ---- - - - - - -
KDC_OPT_ENC_TKT_IN_SKEY0x00000008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html deleted file mode 100644 index 8c4e3ea..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_FORWARDABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_FORWARDABLE¶

-
-
-KDC_OPT_FORWARDABLE¶
-
- - ---- - - - - - -
KDC_OPT_FORWARDABLE0x40000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html b/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html deleted file mode 100644 index f3caeaf..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_FORWARDED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_FORWARDED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_FORWARDED¶

-
-
-KDC_OPT_FORWARDED¶
-
- - ---- - - - - - -
KDC_OPT_FORWARDED0x20000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html b/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html deleted file mode 100644 index 03c53b8..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_POSTDATED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_POSTDATED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_POSTDATED¶

-
-
-KDC_OPT_POSTDATED¶
-
- - ---- - - - - - -
KDC_OPT_POSTDATED0x02000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html deleted file mode 100644 index 5b53722..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_PROXIABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_PROXIABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_PROXIABLE¶

-
-
-KDC_OPT_PROXIABLE¶
-
- - ---- - - - - - -
KDC_OPT_PROXIABLE0x10000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html b/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html deleted file mode 100644 index 20ff7c9..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_PROXY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_PROXY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_PROXY¶

-
-
-KDC_OPT_PROXY¶
-
- - ---- - - - - - -
KDC_OPT_PROXY0x08000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html deleted file mode 100644 index 37b65ff..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_RENEW.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_RENEW — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_RENEW¶

-
-
-KDC_OPT_RENEW¶
-
- - ---- - - - - - -
KDC_OPT_RENEW0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html deleted file mode 100644 index 3de5865..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_RENEWABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_RENEWABLE¶

-
-
-KDC_OPT_RENEWABLE¶
-
- - ---- - - - - - -
KDC_OPT_RENEWABLE0x00800000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html b/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html deleted file mode 100644 index f28b5d4..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_RENEWABLE_OK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_RENEWABLE_OK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_RENEWABLE_OK¶

-
-
-KDC_OPT_RENEWABLE_OK¶
-
- - ---- - - - - - -
KDC_OPT_RENEWABLE_OK0x00000010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html b/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html deleted file mode 100644 index 4673ff3..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_REQUEST_ANONYMOUS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_REQUEST_ANONYMOUS¶

-
-
-KDC_OPT_REQUEST_ANONYMOUS¶
-
- - ---- - - - - - -
KDC_OPT_REQUEST_ANONYMOUS0x00008000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html b/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html deleted file mode 100644 index ab882c4..0000000 --- a/doc/html/appdev/refs/macros/KDC_OPT_VALIDATE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_OPT_VALIDATE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_OPT_VALIDATE¶

-
-
-KDC_OPT_VALIDATE¶
-
- - ---- - - - - - -
KDC_OPT_VALIDATE0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html b/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html deleted file mode 100644 index 36208e6..0000000 --- a/doc/html/appdev/refs/macros/KDC_TKT_COMMON_MASK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KDC_TKT_COMMON_MASK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC_TKT_COMMON_MASK¶

-
-
-KDC_TKT_COMMON_MASK¶
-
- - ---- - - - - - -
KDC_TKT_COMMON_MASK0x54800000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html deleted file mode 100644 index 6c14cc1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE¶

-
-
-KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE¶
-
- -

alternate authentication types

- ---- - - - - - -
KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE64
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html deleted file mode 100644 index 4a70540..0000000 --- a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_ANONYMOUS_PRINCSTR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_ANONYMOUS_PRINCSTR¶

-
-
-KRB5_ANONYMOUS_PRINCSTR¶
-
- -

Anonymous principal name.

- ---- - - - - - -
KRB5_ANONYMOUS_PRINCSTR"ANONYMOUS"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html b/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html deleted file mode 100644 index 343aa59..0000000 --- a/doc/html/appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_ANONYMOUS_REALMSTR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_ANONYMOUS_REALMSTR¶

-
-
-KRB5_ANONYMOUS_REALMSTR¶
-
- -

Anonymous realm.

- ---- - - - - - -
KRB5_ANONYMOUS_REALMSTR"WELLKNOWN:ANONYMOUS"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AP_REP.html b/doc/html/appdev/refs/macros/KRB5_AP_REP.html deleted file mode 100644 index 5586e93..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AP_REP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AP_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AP_REP¶

-
-
-KRB5_AP_REP¶
-
- -

Response to mutual AP request.

- ---- - - - - - -
KRB5_AP_REP((krb5_msgtype)15)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AP_REQ.html b/doc/html/appdev/refs/macros/KRB5_AP_REQ.html deleted file mode 100644 index c254d40..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AP_REQ.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AP_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AP_REQ¶

-
-
-KRB5_AP_REQ¶
-
- -

Auth req to application server.

- ---- - - - - - -
KRB5_AP_REQ((krb5_msgtype)14)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AS_REP.html b/doc/html/appdev/refs/macros/KRB5_AS_REP.html deleted file mode 100644 index 620aabb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AS_REP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AS_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AS_REP¶

-
-
-KRB5_AS_REP¶
-
- -

Response to AS request.

- ---- - - - - - -
KRB5_AS_REP((krb5_msgtype)11)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_AS_REQ.html deleted file mode 100644 index 3a009b3..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AS_REQ.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AS_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AS_REQ¶

-
-
-KRB5_AS_REQ¶
-
- -

Initial authentication request.

- ---- - - - - - -
KRB5_AS_REQ((krb5_msgtype)10)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html deleted file mode 100644 index 3749594..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AND_OR.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_AND_OR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_AND_OR¶

-
-
-KRB5_AUTHDATA_AND_OR¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_AND_OR5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html deleted file mode 100644 index 8280202..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_AUTH_INDICATOR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_AUTH_INDICATOR¶

-
-
-KRB5_AUTHDATA_AUTH_INDICATOR¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_AUTH_INDICATOR97
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html deleted file mode 100644 index 3ad58c2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_CAMMAC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_CAMMAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_CAMMAC¶

-
-
-KRB5_AUTHDATA_CAMMAC¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_CAMMAC96
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html deleted file mode 100644 index 0884feb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_ETYPE_NEGOTIATION — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_ETYPE_NEGOTIATION¶

-
-
-KRB5_AUTHDATA_ETYPE_NEGOTIATION¶
-
- -

RFC 4537.

- ---- - - - - - -
KRB5_AUTHDATA_ETYPE_NEGOTIATION129
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html deleted file mode 100644 index ce2d347..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_FX_ARMOR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_FX_ARMOR¶

-
-
-KRB5_AUTHDATA_FX_ARMOR¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_FX_ARMOR71
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html deleted file mode 100644 index 50ecc84..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_IF_RELEVANT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_IF_RELEVANT¶

-
-
-KRB5_AUTHDATA_IF_RELEVANT¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_IF_RELEVANT1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html deleted file mode 100644 index 7b13ed2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_INITIAL_VERIFIED_CAS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_INITIAL_VERIFIED_CAS¶

-
-
-KRB5_AUTHDATA_INITIAL_VERIFIED_CAS¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_INITIAL_VERIFIED_CAS9
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html deleted file mode 100644 index 527ef21..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_KDC_ISSUED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_KDC_ISSUED¶

-
-
-KRB5_AUTHDATA_KDC_ISSUED¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_KDC_ISSUED4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html deleted file mode 100644 index a5cd880..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_MANDATORY_FOR_KDC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_MANDATORY_FOR_KDC¶

-
-
-KRB5_AUTHDATA_MANDATORY_FOR_KDC¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_MANDATORY_FOR_KDC8
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html deleted file mode 100644 index 6e8351f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_OSF_DCE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_OSF_DCE¶

-
-
-KRB5_AUTHDATA_OSF_DCE¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_OSF_DCE64
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html deleted file mode 100644 index 314fe46..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SESAME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_SESAME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_SESAME¶

-
-
-KRB5_AUTHDATA_SESAME¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_SESAME65
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html deleted file mode 100644 index 20a3f33..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_SIGNTICKET — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_SIGNTICKET¶

-
-
-KRB5_AUTHDATA_SIGNTICKET¶
-
- -

formerly 142 in krb5 1.8

- ---- - - - - - -
KRB5_AUTHDATA_SIGNTICKET512
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html b/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html deleted file mode 100644 index f3406ef..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTHDATA_WIN2K_PAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTHDATA_WIN2K_PAC¶

-
-
-KRB5_AUTHDATA_WIN2K_PAC¶
-
- - ---- - - - - - -
KRB5_AUTHDATA_WIN2K_PAC128
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html deleted file mode 100644 index 3491ba8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_DO_SEQUENCE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_DO_SEQUENCE¶

-
-
-KRB5_AUTH_CONTEXT_DO_SEQUENCE¶
-
- -

Prevent replays with sequence numbers.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_DO_SEQUENCE0x00000004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html deleted file mode 100644 index c4c0ff2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_DO_TIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_DO_TIME¶

-
-
-KRB5_AUTH_CONTEXT_DO_TIME¶
-
- -

Prevent replays with timestamps and replay cache.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_DO_TIME0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html deleted file mode 100644 index 3c8455a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR¶

-
-
-KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR¶
-
- -

Generate the local network address.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html deleted file mode 100644 index 94a88b8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR¶

-
-
-KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR¶
-
- -

Generate the local network address and the local port.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR0x00000004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html deleted file mode 100644 index 9863624..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR¶

-
-
-KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR¶
-
- -

Generate the remote network address.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html deleted file mode 100644 index 07ec955..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR¶

-
-
-KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR¶
-
- -

Generate the remote network address and the remote port.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR0x00000008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html deleted file mode 100644 index 2c8f224..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_PERMIT_ALL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_PERMIT_ALL¶

-
-
-KRB5_AUTH_CONTEXT_PERMIT_ALL¶
-
- - ---- - - - - - -
KRB5_AUTH_CONTEXT_PERMIT_ALL0x00000010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html deleted file mode 100644 index 81a7a81..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_RET_SEQUENCE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_RET_SEQUENCE¶

-
-
-KRB5_AUTH_CONTEXT_RET_SEQUENCE¶
-
- -

Save sequence numbers for application.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_RET_SEQUENCE0x00000008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html deleted file mode 100644 index 19f6641..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_RET_TIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_RET_TIME¶

-
-
-KRB5_AUTH_CONTEXT_RET_TIME¶
-
- -

Save timestamps for application.

- ---- - - - - - -
KRB5_AUTH_CONTEXT_RET_TIME0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html deleted file mode 100644 index af7160d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_AUTH_CONTEXT_USE_SUBKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_AUTH_CONTEXT_USE_SUBKEY¶

-
-
-KRB5_AUTH_CONTEXT_USE_SUBKEY¶
-
- - ---- - - - - - -
KRB5_AUTH_CONTEXT_USE_SUBKEY0x00000020
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRED.html b/doc/html/appdev/refs/macros/KRB5_CRED.html deleted file mode 100644 index f933da5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRED¶

-
-
-KRB5_CRED¶
-
- -

Cred forwarding message.

- ---- - - - - - -
KRB5_CRED((krb5_msgtype)22)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html deleted file mode 100644 index 6947c8c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_CHECKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_CHECKSUM¶

-
-
-KRB5_CRYPTO_TYPE_CHECKSUM¶
-
- -

[out] checksum for MIC

- ---- - - - - - -
KRB5_CRYPTO_TYPE_CHECKSUM6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html deleted file mode 100644 index c5f8553..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_DATA — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_DATA¶

-
-
-KRB5_CRYPTO_TYPE_DATA¶
-
- -

[in, out] plaintext

- ---- - - - - - -
KRB5_CRYPTO_TYPE_DATA2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html deleted file mode 100644 index 12c4838..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_EMPTY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_EMPTY¶

-
-
-KRB5_CRYPTO_TYPE_EMPTY¶
-
- -

[in] ignored

- ---- - - - - - -
KRB5_CRYPTO_TYPE_EMPTY0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html deleted file mode 100644 index 769548d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_HEADER — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_HEADER¶

-
-
-KRB5_CRYPTO_TYPE_HEADER¶
-
- -

[out] header

- ---- - - - - - -
KRB5_CRYPTO_TYPE_HEADER1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html deleted file mode 100644 index 6cd99c1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_PADDING — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_PADDING¶

-
-
-KRB5_CRYPTO_TYPE_PADDING¶
-
- -

[out] padding

- ---- - - - - - -
KRB5_CRYPTO_TYPE_PADDING4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html deleted file mode 100644 index 7a8929c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_SIGN_ONLY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_SIGN_ONLY¶

-
-
-KRB5_CRYPTO_TYPE_SIGN_ONLY¶
-
- -

[in] associated data

- ---- - - - - - -
KRB5_CRYPTO_TYPE_SIGN_ONLY3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html deleted file mode 100644 index d89f2eb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_STREAM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_STREAM¶

-
-
-KRB5_CRYPTO_TYPE_STREAM¶
-
- -

[in] entire message without decomposing the structure into header, data and trailer buffers

- ---- - - - - - -
KRB5_CRYPTO_TYPE_STREAM7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html b/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html deleted file mode 100644 index f4ffa17..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_CRYPTO_TYPE_TRAILER — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CRYPTO_TYPE_TRAILER¶

-
-
-KRB5_CRYPTO_TYPE_TRAILER¶
-
- -

[out] checksum for encrypt

- ---- - - - - - -
KRB5_CRYPTO_TYPE_TRAILER5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html b/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html deleted file mode 100644 index f0e5850..0000000 --- a/doc/html/appdev/refs/macros/KRB5_CYBERSAFE_SECUREID.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_CYBERSAFE_SECUREID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_CYBERSAFE_SECUREID¶

-
-
-KRB5_CYBERSAFE_SECUREID¶
-
- -

Cybersafe.

-

RFC 4120

- ---- - - - - - -
KRB5_CYBERSAFE_SECUREID9
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html b/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html deleted file mode 100644 index 3458298..0000000 --- a/doc/html/appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_DOMAIN_X500_COMPRESS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_DOMAIN_X500_COMPRESS¶

-
-
-KRB5_DOMAIN_X500_COMPRESS¶
-
- -

Transited encoding types.

- ---- - - - - - -
KRB5_DOMAIN_X500_COMPRESS1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html b/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html deleted file mode 100644 index 33edc54..0000000 --- a/doc/html/appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_ENCPADATA_REQ_ENC_PA_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_ENCPADATA_REQ_ENC_PA_REP¶

-
-
-KRB5_ENCPADATA_REQ_ENC_PA_REP¶
-
- -

RFC 6806.

- ---- - - - - - -
KRB5_ENCPADATA_REQ_ENC_PA_REP149
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_ERROR.html b/doc/html/appdev/refs/macros/KRB5_ERROR.html deleted file mode 100644 index ef59c40..0000000 --- a/doc/html/appdev/refs/macros/KRB5_ERROR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_ERROR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_ERROR¶

-
-
-KRB5_ERROR¶
-
- -

Error response.

- ---- - - - - - -
KRB5_ERROR((krb5_msgtype)30)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html b/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html deleted file mode 100644 index 76311c7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_FAST_REQUIRED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_FAST_REQUIRED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_FAST_REQUIRED¶

-
-
-KRB5_FAST_REQUIRED¶
-
- -

Require KDC to support FAST.

- ---- - - - - - -
KRB5_FAST_REQUIRED0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html b/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html deleted file mode 100644 index d6ab7c4..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_CACHED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_CACHED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_CACHED¶

-
-
-KRB5_GC_CACHED¶
-
- -

Want cached ticket only.

- ---- - - - - - -
KRB5_GC_CACHED2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html b/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html deleted file mode 100644 index 5225879..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_CANONICALIZE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_CANONICALIZE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_CANONICALIZE¶

-
-
-KRB5_GC_CANONICALIZE¶
-
- -

Set canonicalize KDC option.

- ---- - - - - - -
KRB5_GC_CANONICALIZE4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html b/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html deleted file mode 100644 index 6f09550..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_CONSTRAINED_DELEGATION — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_CONSTRAINED_DELEGATION¶

-
-
-KRB5_GC_CONSTRAINED_DELEGATION¶
-
- -

Constrained delegation.

- ---- - - - - - -
KRB5_GC_CONSTRAINED_DELEGATION64
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html b/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html deleted file mode 100644 index 0c277af..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_FORWARDABLE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_FORWARDABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_FORWARDABLE¶

-
-
-KRB5_GC_FORWARDABLE¶
-
- -

Acquire forwardable tickets.

- ---- - - - - - -
KRB5_GC_FORWARDABLE16
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html b/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html deleted file mode 100644 index ff80bde..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_NO_STORE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_NO_STORE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_NO_STORE¶

-
-
-KRB5_GC_NO_STORE¶
-
- -

Do not store in credential cache.

- ---- - - - - - -
KRB5_GC_NO_STORE8
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html b/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html deleted file mode 100644 index d18c099..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_NO_TRANSIT_CHECK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_NO_TRANSIT_CHECK¶

-
-
-KRB5_GC_NO_TRANSIT_CHECK¶
-
- -

Disable transited check.

- ---- - - - - - -
KRB5_GC_NO_TRANSIT_CHECK32
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html b/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html deleted file mode 100644 index 457c834..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GC_USER_USER.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_GC_USER_USER — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GC_USER_USER¶

-
-
-KRB5_GC_USER_USER¶
-
- -

Want user-user ticket.

- ---- - - - - - -
KRB5_GC_USER_USER1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html deleted file mode 100644 index ea6138b..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST¶

-
-
-KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST0x0020
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html deleted file mode 100644 index a9747a8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_ANONYMOUS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_ANONYMOUS¶

-
-
-KRB5_GET_INIT_CREDS_OPT_ANONYMOUS¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_ANONYMOUS0x0400
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html deleted file mode 100644 index a339ab9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_CANONICALIZE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_CANONICALIZE¶

-
-
-KRB5_GET_INIT_CREDS_OPT_CANONICALIZE¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_CANONICALIZE0x0200
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html deleted file mode 100644 index f208679..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT¶

-
-
-KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT0x0100
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html deleted file mode 100644 index 0a29484..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST¶

-
-
-KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST0x0010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html deleted file mode 100644 index 82181b6..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_FORWARDABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_FORWARDABLE¶

-
-
-KRB5_GET_INIT_CREDS_OPT_FORWARDABLE¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_FORWARDABLE0x0004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html deleted file mode 100644 index 5a56917..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST¶

-
-
-KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST0x0040
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html deleted file mode 100644 index 0e6a002..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_PROXIABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_PROXIABLE¶

-
-
-KRB5_GET_INIT_CREDS_OPT_PROXIABLE¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_PROXIABLE0x0008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html deleted file mode 100644 index 3f7c69c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE¶

-
-
-KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE0x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html deleted file mode 100644 index c6ca878..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_SALT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_SALT¶

-
-
-KRB5_GET_INIT_CREDS_OPT_SALT¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_SALT0x0080
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html b/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html deleted file mode 100644 index ea0f60d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_GET_INIT_CREDS_OPT_TKT_LIFE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_GET_INIT_CREDS_OPT_TKT_LIFE¶

-
-
-KRB5_GET_INIT_CREDS_OPT_TKT_LIFE¶
-
- - ---- - - - - - -
KRB5_GET_INIT_CREDS_OPT_TKT_LIFE0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html deleted file mode 100644 index 617c704..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_KDC.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_INIT_CONTEXT_KDC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INIT_CONTEXT_KDC¶

-
-
-KRB5_INIT_CONTEXT_KDC¶
-
- -

Use KDC configuration if available.

- ---- - - - - - -
KRB5_INIT_CONTEXT_KDC0x2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html b/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html deleted file mode 100644 index 5806f39..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_INIT_CONTEXT_SECURE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INIT_CONTEXT_SECURE¶

-
-
-KRB5_INIT_CONTEXT_SECURE¶
-
- -

Use secure context configuration.

- ---- - - - - - -
KRB5_INIT_CONTEXT_SECURE0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html b/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html deleted file mode 100644 index 29eb8c1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_INIT_CREDS_STEP_FLAG_CONTINUE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INIT_CREDS_STEP_FLAG_CONTINUE¶

-
-
-KRB5_INIT_CREDS_STEP_FLAG_CONTINUE¶
-
- -

More responses needed.

- ---- - - - - - -
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html b/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html deleted file mode 100644 index dce11f9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INT16_MAX.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_INT16_MAX — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INT16_MAX¶

-
-
-KRB5_INT16_MAX¶
-
- - ---- - - - - - -
KRB5_INT16_MAX65535
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html b/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html deleted file mode 100644 index 5c4dab7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INT16_MIN.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_INT16_MIN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INT16_MIN¶

-
-
-KRB5_INT16_MIN¶
-
- - ---- - - - - - -
KRB5_INT16_MIN(-KRB5_INT16_MAX-1)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html b/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html deleted file mode 100644 index 4c9fc4d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INT32_MAX.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_INT32_MAX — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INT32_MAX¶

-
-
-KRB5_INT32_MAX¶
-
- - ---- - - - - - -
KRB5_INT32_MAX2147483647
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html b/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html deleted file mode 100644 index d27e4f4..0000000 --- a/doc/html/appdev/refs/macros/KRB5_INT32_MIN.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_INT32_MIN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_INT32_MIN¶

-
-
-KRB5_INT32_MIN¶
-
- - ---- - - - - - -
KRB5_INT32_MIN(-KRB5_INT32_MAX-1)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html deleted file mode 100644 index efb3411..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AD_ITE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AD_ITE¶

-
-
-KRB5_KEYUSAGE_AD_ITE¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AD_ITE21
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html deleted file mode 100644 index b37c5b5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM¶

-
-
-KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM19
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html deleted file mode 100644 index e2f62f8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AD_MTE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AD_MTE¶

-
-
-KRB5_KEYUSAGE_AD_MTE¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AD_MTE20
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html deleted file mode 100644 index f4764fc..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AD_SIGNEDPATH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AD_SIGNEDPATH¶

-
-
-KRB5_KEYUSAGE_AD_SIGNEDPATH¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AD_SIGNEDPATH-21
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html deleted file mode 100644 index 4659570..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_APP_DATA_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_APP_DATA_CKSUM¶

-
-
-KRB5_KEYUSAGE_APP_DATA_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_APP_DATA_CKSUM17
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html deleted file mode 100644 index d23c352..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_APP_DATA_ENCRYPT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_APP_DATA_ENCRYPT¶

-
-
-KRB5_KEYUSAGE_APP_DATA_ENCRYPT¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_APP_DATA_ENCRYPT16
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html deleted file mode 100644 index 6d582e6..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AP_REP_ENCPART — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AP_REP_ENCPART¶

-
-
-KRB5_KEYUSAGE_AP_REP_ENCPART¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AP_REP_ENCPART12
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html deleted file mode 100644 index 8dfcc54..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AP_REQ_AUTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AP_REQ_AUTH¶

-
-
-KRB5_KEYUSAGE_AP_REQ_AUTH¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AP_REQ_AUTH11
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html deleted file mode 100644 index d5b1108..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM¶

-
-
-KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM10
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html deleted file mode 100644 index d52631f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AS_REP_ENCPART — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AS_REP_ENCPART¶

-
-
-KRB5_KEYUSAGE_AS_REP_ENCPART¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AS_REP_ENCPART3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html deleted file mode 100644 index d00610d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AS_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AS_REQ¶

-
-
-KRB5_KEYUSAGE_AS_REQ¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AS_REQ56
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html deleted file mode 100644 index 225041c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS¶

-
-
-KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html deleted file mode 100644 index a520513..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_CAMMAC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_CAMMAC¶

-
-
-KRB5_KEYUSAGE_CAMMAC¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_CAMMAC64
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html deleted file mode 100644 index 496e377..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT¶

-
-
-KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT54
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html deleted file mode 100644 index e26418a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_ENC_CHALLENGE_KDC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_ENC_CHALLENGE_KDC¶

-
-
-KRB5_KEYUSAGE_ENC_CHALLENGE_KDC¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC55
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html deleted file mode 100644 index e74cf52..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_FAST_ENC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_FAST_ENC¶

-
-
-KRB5_KEYUSAGE_FAST_ENC¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_FAST_ENC51
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html deleted file mode 100644 index c0259af..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_FAST_FINISHED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_FAST_FINISHED¶

-
-
-KRB5_KEYUSAGE_FAST_FINISHED¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_FAST_FINISHED53
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html deleted file mode 100644 index c8d2421..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_FAST_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_FAST_REP¶

-
-
-KRB5_KEYUSAGE_FAST_REP¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_FAST_REP52
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html deleted file mode 100644 index 0b00f18..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_FAST_REQ_CHKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_FAST_REQ_CHKSUM¶

-
-
-KRB5_KEYUSAGE_FAST_REQ_CHKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_FAST_REQ_CHKSUM50
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html deleted file mode 100644 index 7c374ec..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_GSS_TOK_MIC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_GSS_TOK_MIC¶

-
-
-KRB5_KEYUSAGE_GSS_TOK_MIC¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_GSS_TOK_MIC22
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html deleted file mode 100644 index 996627a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG¶

-
-
-KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG23
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html deleted file mode 100644 index 2e41ced..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV¶

-
-
-KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV24
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html deleted file mode 100644 index 4534645..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_IAKERB_FINISHED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_IAKERB_FINISHED¶

-
-
-KRB5_KEYUSAGE_IAKERB_FINISHED¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_IAKERB_FINISHED42
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html deleted file mode 100644 index b8720de..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_KDC_REP_TICKET — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_KDC_REP_TICKET¶

-
-
-KRB5_KEYUSAGE_KDC_REP_TICKET¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_KDC_REP_TICKET2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html deleted file mode 100644 index 0fd0908..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_KRB_CRED_ENCPART — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_KRB_CRED_ENCPART¶

-
-
-KRB5_KEYUSAGE_KRB_CRED_ENCPART¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_KRB_CRED_ENCPART14
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html deleted file mode 100644 index f343dc5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_KRB_ERROR_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_KRB_ERROR_CKSUM¶

-
-
-KRB5_KEYUSAGE_KRB_ERROR_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_KRB_ERROR_CKSUM18
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html deleted file mode 100644 index ab32c29..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_KRB_PRIV_ENCPART — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_KRB_PRIV_ENCPART¶

-
-
-KRB5_KEYUSAGE_KRB_PRIV_ENCPART¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_KRB_PRIV_ENCPART13
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html deleted file mode 100644 index f3e096e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_KRB_SAFE_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_KRB_SAFE_CKSUM¶

-
-
-KRB5_KEYUSAGE_KRB_SAFE_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_KRB_SAFE_CKSUM15
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html deleted file mode 100644 index db959e4..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_FX_COOKIE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html deleted file mode 100644 index c5c035c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_OTP_REQUEST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_OTP_REQUEST¶

-
-
-KRB5_KEYUSAGE_PA_OTP_REQUEST¶
-
- -

See RFC 6560 section 4.2.

- ---- - - - - - -
KRB5_KEYUSAGE_PA_OTP_REQUEST45
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html deleted file mode 100644 index 073824d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_PKINIT_KX — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_PKINIT_KX¶

-
-
-KRB5_KEYUSAGE_PA_PKINIT_KX¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_PA_PKINIT_KX44
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html deleted file mode 100644 index 67e4474..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY¶

-
-
-KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY¶
-
- -

Note conflict with KRB5_KEYUSAGE_PA_SAM_RESPONSE .

- ---- - - - - - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY27
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html deleted file mode 100644 index 80a9625..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST¶

-
-
-KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST¶
-
- -

Note conflict with KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID .

- ---- - - - - - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST26
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html deleted file mode 100644 index e04ea8e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM¶

-
-
-KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM25
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html deleted file mode 100644 index 0c26fb9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID¶

-
-
-KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID¶
-
- -

Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST .

- ---- - - - - - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID26
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html deleted file mode 100644 index e0c8ead..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_PA_SAM_RESPONSE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_PA_SAM_RESPONSE¶

-
-
-KRB5_KEYUSAGE_PA_SAM_RESPONSE¶
-
- -

Note conflict with KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY .

- ---- - - - - - -
KRB5_KEYUSAGE_PA_SAM_RESPONSE27
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html deleted file mode 100644 index 4827bd3..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY¶

-
-
-KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY8
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html deleted file mode 100644 index c9eafae..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY¶

-
-
-KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY9
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html deleted file mode 100644 index 9b88ec7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY¶

-
-
-KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html deleted file mode 100644 index 528d0f4..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY¶

-
-
-KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html deleted file mode 100644 index 3065ecf..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REQ_AUTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REQ_AUTH¶

-
-
-KRB5_KEYUSAGE_TGS_REQ_AUTH¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REQ_AUTH7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html b/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html deleted file mode 100644 index b54610e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM¶

-
-
-KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM¶
-
- - ---- - - - - - -
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html deleted file mode 100644 index d40b440..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_ACCESSDENIED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_ACCESSDENIED¶

-
-
-KRB5_KPASSWD_ACCESSDENIED¶
-
- -

Not authorized.

- ---- - - - - - -
KRB5_KPASSWD_ACCESSDENIED5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html deleted file mode 100644 index 5e805f7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_AUTHERROR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_AUTHERROR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_AUTHERROR¶

-
-
-KRB5_KPASSWD_AUTHERROR¶
-
- -

Authentication error.

- ---- - - - - - -
KRB5_KPASSWD_AUTHERROR3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html deleted file mode 100644 index 0a876c2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_BAD_VERSION — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_BAD_VERSION¶

-
-
-KRB5_KPASSWD_BAD_VERSION¶
-
- -

Unknown RPC version.

- ---- - - - - - -
KRB5_KPASSWD_BAD_VERSION6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html deleted file mode 100644 index 3f0489d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_HARDERROR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_HARDERROR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_HARDERROR¶

-
-
-KRB5_KPASSWD_HARDERROR¶
-
- -

Server error.

- ---- - - - - - -
KRB5_KPASSWD_HARDERROR2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html deleted file mode 100644 index 5a4b49f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_INITIAL_FLAG_NEEDED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_INITIAL_FLAG_NEEDED¶

-
-
-KRB5_KPASSWD_INITIAL_FLAG_NEEDED¶
-
- -

The presented credentials were not obtained using a password directly.

- ---- - - - - - -
KRB5_KPASSWD_INITIAL_FLAG_NEEDED7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html deleted file mode 100644 index ab40d20..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_MALFORMED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_MALFORMED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_MALFORMED¶

-
-
-KRB5_KPASSWD_MALFORMED¶
-
- -

Malformed request.

- ---- - - - - - -
KRB5_KPASSWD_MALFORMED1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html deleted file mode 100644 index 9855634..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SOFTERROR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_SOFTERROR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_SOFTERROR¶

-
-
-KRB5_KPASSWD_SOFTERROR¶
-
- -

Password change rejected.

- ---- - - - - - -
KRB5_KPASSWD_SOFTERROR4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html b/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html deleted file mode 100644 index 246ae6c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_KPASSWD_SUCCESS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_KPASSWD_SUCCESS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_KPASSWD_SUCCESS¶

-
-
-KRB5_KPASSWD_SUCCESS¶
-
- -

Success.

- ---- - - - - - -
KRB5_KPASSWD_SUCCESS0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html deleted file mode 100644 index 41ee245..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_ACCT_EXPTIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_ACCT_EXPTIME¶

-
-
-KRB5_LRQ_ALL_ACCT_EXPTIME¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_ACCT_EXPTIME7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html deleted file mode 100644 index 22d3d6b..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_LAST_INITIAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_LAST_INITIAL¶

-
-
-KRB5_LRQ_ALL_LAST_INITIAL¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_LAST_INITIAL2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html deleted file mode 100644 index 4c014fe..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_LAST_RENEWAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_LAST_RENEWAL¶

-
-
-KRB5_LRQ_ALL_LAST_RENEWAL¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_LAST_RENEWAL4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html deleted file mode 100644 index 246feee..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_LAST_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_LAST_REQ¶

-
-
-KRB5_LRQ_ALL_LAST_REQ¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_LAST_REQ5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html deleted file mode 100644 index 2fa007b..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_LAST_TGT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_LAST_TGT¶

-
-
-KRB5_LRQ_ALL_LAST_TGT¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_LAST_TGT1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html deleted file mode 100644 index d617125..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_LAST_TGT_ISSUED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_LAST_TGT_ISSUED¶

-
-
-KRB5_LRQ_ALL_LAST_TGT_ISSUED¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_LAST_TGT_ISSUED3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html deleted file mode 100644 index 9543777..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ALL_PW_EXPTIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ALL_PW_EXPTIME¶

-
-
-KRB5_LRQ_ALL_PW_EXPTIME¶
-
- - ---- - - - - - -
KRB5_LRQ_ALL_PW_EXPTIME6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html b/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html deleted file mode 100644 index 720deeb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_NONE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_NONE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_NONE¶

-
-
-KRB5_LRQ_NONE¶
-
- - ---- - - - - - -
KRB5_LRQ_NONE0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html deleted file mode 100644 index 31506fd..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_ACCT_EXPTIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_ACCT_EXPTIME¶

-
-
-KRB5_LRQ_ONE_ACCT_EXPTIME¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_ACCT_EXPTIME(-7)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html deleted file mode 100644 index 03e8828..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_LAST_INITIAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_LAST_INITIAL¶

-
-
-KRB5_LRQ_ONE_LAST_INITIAL¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_LAST_INITIAL(-2)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html deleted file mode 100644 index a256598..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_LAST_RENEWAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_LAST_RENEWAL¶

-
-
-KRB5_LRQ_ONE_LAST_RENEWAL¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_LAST_RENEWAL(-4)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html deleted file mode 100644 index adfeec2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_LAST_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_LAST_REQ¶

-
-
-KRB5_LRQ_ONE_LAST_REQ¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_LAST_REQ(-5)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html deleted file mode 100644 index 9b0fa0c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_LAST_TGT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_LAST_TGT¶

-
-
-KRB5_LRQ_ONE_LAST_TGT¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_LAST_TGT(-1)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html deleted file mode 100644 index 49aad31..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_LAST_TGT_ISSUED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_LAST_TGT_ISSUED¶

-
-
-KRB5_LRQ_ONE_LAST_TGT_ISSUED¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_LAST_TGT_ISSUED(-3)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html b/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html deleted file mode 100644 index e7c35f7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_LRQ_ONE_PW_EXPTIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_LRQ_ONE_PW_EXPTIME¶

-
-
-KRB5_LRQ_ONE_PW_EXPTIME¶
-
- - ---- - - - - - -
KRB5_LRQ_ONE_PW_EXPTIME(-6)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html deleted file mode 100644 index 7d34a87..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_ENTERPRISE_PRINCIPAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_ENTERPRISE_PRINCIPAL¶

-
-
-KRB5_NT_ENTERPRISE_PRINCIPAL¶
-
- -

Windows 2000 UPN.

- ---- - - - - - -
KRB5_NT_ENTERPRISE_PRINCIPAL10
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html b/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html deleted file mode 100644 index 9bd3bdd..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_ENT_PRINCIPAL_AND_ID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_ENT_PRINCIPAL_AND_ID¶

-
-
-KRB5_NT_ENT_PRINCIPAL_AND_ID¶
-
- -

NT 4 style name and SID.

- ---- - - - - - -
KRB5_NT_ENT_PRINCIPAL_AND_ID-130
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html deleted file mode 100644 index 1701d8f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_MS_PRINCIPAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_MS_PRINCIPAL¶

-
-
-KRB5_NT_MS_PRINCIPAL¶
-
- -

Windows 2000 UPN and SID.

- ---- - - - - - -
KRB5_NT_MS_PRINCIPAL-128
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html b/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html deleted file mode 100644 index 15f1eec..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_MS_PRINCIPAL_AND_ID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_MS_PRINCIPAL_AND_ID¶

-
-
-KRB5_NT_MS_PRINCIPAL_AND_ID¶
-
- -

NT 4 style name.

- ---- - - - - - -
KRB5_NT_MS_PRINCIPAL_AND_ID-129
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html deleted file mode 100644 index 8806167..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_PRINCIPAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_PRINCIPAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_PRINCIPAL¶

-
-
-KRB5_NT_PRINCIPAL¶
-
- -

Just the name of the principal as in DCE, or for users.

- ---- - - - - - -
KRB5_NT_PRINCIPAL1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html b/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html deleted file mode 100644 index 73ae2a9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_SMTP_NAME.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_SMTP_NAME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_SMTP_NAME¶

-
-
-KRB5_NT_SMTP_NAME¶
-
- -

Name in form of SMTP email name.

- ---- - - - - - -
KRB5_NT_SMTP_NAME7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html deleted file mode 100644 index 01a18d8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_HST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_SRV_HST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_SRV_HST¶

-
-
-KRB5_NT_SRV_HST¶
-
- -

Service with host name as instance (telnet, rcommands)

- ---- - - - - - -
KRB5_NT_SRV_HST3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html deleted file mode 100644 index 93659f8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_INST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_SRV_INST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_SRV_INST¶

-
-
-KRB5_NT_SRV_INST¶
-
- -

Service and other unique instance (krbtgt)

- ---- - - - - - -
KRB5_NT_SRV_INST2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html b/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html deleted file mode 100644 index ecdcb57..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_SRV_XHST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_SRV_XHST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_SRV_XHST¶

-
-
-KRB5_NT_SRV_XHST¶
-
- -

Service with host as remaining components.

- ---- - - - - - -
KRB5_NT_SRV_XHST4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_UID.html b/doc/html/appdev/refs/macros/KRB5_NT_UID.html deleted file mode 100644 index 0df792c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_UID.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_UID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_UID¶

-
-
-KRB5_NT_UID¶
-
- -

Unique ID.

- ---- - - - - - -
KRB5_NT_UID5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html b/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html deleted file mode 100644 index e336394..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_UNKNOWN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_UNKNOWN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_UNKNOWN¶

-
-
-KRB5_NT_UNKNOWN¶
-
- -

Name type not known.

- ---- - - - - - -
KRB5_NT_UNKNOWN0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html b/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html deleted file mode 100644 index 38a9075..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_WELLKNOWN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_WELLKNOWN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_WELLKNOWN¶

-
-
-KRB5_NT_WELLKNOWN¶
-
- -

Well-known (special) principal.

- ---- - - - - - -
KRB5_NT_WELLKNOWN11
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html b/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html deleted file mode 100644 index ee5d277..0000000 --- a/doc/html/appdev/refs/macros/KRB5_NT_X500_PRINCIPAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_NT_X500_PRINCIPAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_NT_X500_PRINCIPAL¶

-
-
-KRB5_NT_X500_PRINCIPAL¶
-
- -

PKINIT.

- ---- - - - - - -
KRB5_NT_X500_PRINCIPAL6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html deleted file mode 100644 index 02a7f23..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_CLIENT_INFO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_CLIENT_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_CLIENT_INFO¶

-
-
-KRB5_PAC_CLIENT_INFO¶
-
- -

Client name and ticket info.

- ---- - - - - - -
KRB5_PAC_CLIENT_INFO10
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html deleted file mode 100644 index 0cd982e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_CREDENTIALS_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_CREDENTIALS_INFO¶

-
-
-KRB5_PAC_CREDENTIALS_INFO¶
-
- -

Credentials information.

- ---- - - - - - -
KRB5_PAC_CREDENTIALS_INFO2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html deleted file mode 100644 index 3480eea..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_DELEGATION_INFO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_DELEGATION_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_DELEGATION_INFO¶

-
-
-KRB5_PAC_DELEGATION_INFO¶
-
- -

Constrained delegation info.

- ---- - - - - - -
KRB5_PAC_DELEGATION_INFO11
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html deleted file mode 100644 index e0db3dc..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_LOGON_INFO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_LOGON_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_LOGON_INFO¶

-
-
-KRB5_PAC_LOGON_INFO¶
-
- -

Logon information.

- ---- - - - - - -
KRB5_PAC_LOGON_INFO1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html deleted file mode 100644 index 92a3e7b..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_PRIVSVR_CHECKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_PRIVSVR_CHECKSUM¶

-
-
-KRB5_PAC_PRIVSVR_CHECKSUM¶
-
- -

KDC checksum.

- ---- - - - - - -
KRB5_PAC_PRIVSVR_CHECKSUM7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html deleted file mode 100644 index 565dde8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_SERVER_CHECKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_SERVER_CHECKSUM¶

-
-
-KRB5_PAC_SERVER_CHECKSUM¶
-
- -

Server checksum.

- ---- - - - - - -
KRB5_PAC_SERVER_CHECKSUM6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html b/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html deleted file mode 100644 index b915f38..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PAC_UPN_DNS_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PAC_UPN_DNS_INFO¶

-
-
-KRB5_PAC_UPN_DNS_INFO¶
-
- -

User principal name and DNS info.

- ---- - - - - - -
KRB5_PAC_UPN_DNS_INFO12
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html deleted file mode 100644 index eea54ad..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_AFS3_SALT.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_AFS3_SALT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_AFS3_SALT¶

-
-
-KRB5_PADATA_AFS3_SALT¶
-
- -

Cygnus.

-

RFC 4120, 3961

- ---- - - - - - -
KRB5_PADATA_AFS3_SALT10
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html deleted file mode 100644 index 98d1462..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_AP_REQ.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_PADATA_AP_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_AP_REQ¶

-
-
-KRB5_PADATA_AP_REQ¶
-
- - ---- - - - - - -
KRB5_PADATA_AP_REQ1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html b/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html deleted file mode 100644 index 35ae3cf..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_AS_CHECKSUM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_AS_CHECKSUM¶

-
-
-KRB5_PADATA_AS_CHECKSUM¶
-
- -

AS checksum.

- ---- - - - - - -
KRB5_PADATA_AS_CHECKSUM132
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html deleted file mode 100644 index d656bd6..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_ENCRYPTED_CHALLENGE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ENCRYPTED_CHALLENGE¶

-
-
-KRB5_PADATA_ENCRYPTED_CHALLENGE¶
-
- -

RFC 6113.

- ---- - - - - - -
KRB5_PADATA_ENCRYPTED_CHALLENGE138
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html deleted file mode 100644 index 99a47e5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_ENC_SANDIA_SECURID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ENC_SANDIA_SECURID¶

-
-
-KRB5_PADATA_ENC_SANDIA_SECURID¶
-
- -

SecurId passcode.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_ENC_SANDIA_SECURID6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html deleted file mode 100644 index 85831e3..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_ENC_TIMESTAMP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ENC_TIMESTAMP¶

-
-
-KRB5_PADATA_ENC_TIMESTAMP¶
-
- -

RFC 4120.

- ---- - - - - - -
KRB5_PADATA_ENC_TIMESTAMP2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html deleted file mode 100644 index 6e1b9c9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_ENC_UNIX_TIME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ENC_UNIX_TIME¶

-
-
-KRB5_PADATA_ENC_UNIX_TIME¶
-
- -

timestamp encrypted in key.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_ENC_UNIX_TIME5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html deleted file mode 100644 index bbd4665..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_ETYPE_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ETYPE_INFO¶

-
-
-KRB5_PADATA_ETYPE_INFO¶
-
- -

Etype info for preauth.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_ETYPE_INFO11
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html deleted file mode 100644 index d2d9cc6..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_ETYPE_INFO2 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_ETYPE_INFO2¶

-
-
-KRB5_PADATA_ETYPE_INFO2¶
-
- -

RFC 4120.

- ---- - - - - - -
KRB5_PADATA_ETYPE_INFO219
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html deleted file mode 100644 index 23038ee..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_FOR_USER.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_FOR_USER — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_FOR_USER¶

-
-
-KRB5_PADATA_FOR_USER¶
-
- -

username protocol transition request

- ---- - - - - - -
KRB5_PADATA_FOR_USER129
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html deleted file mode 100644 index 9709ea1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_COOKIE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_FX_COOKIE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html deleted file mode 100644 index 5d8cc07..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_ERROR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_FX_ERROR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_FX_ERROR¶

-
-
-KRB5_PADATA_FX_ERROR¶
-
- -

RFC 6113.

- ---- - - - - - -
KRB5_PADATA_FX_ERROR137
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html deleted file mode 100644 index 0cc2b5c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_FX_FAST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_FX_FAST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_FX_FAST¶

-
-
-KRB5_PADATA_FX_FAST¶
-
- -

RFC 6113.

- ---- - - - - - -
KRB5_PADATA_FX_FAST136
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html b/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html deleted file mode 100644 index 014c10d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_GET_FROM_TYPED_DATA — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_GET_FROM_TYPED_DATA¶

-
-
-KRB5_PADATA_GET_FROM_TYPED_DATA¶
-
- -

Embedded in typed data.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_GET_FROM_TYPED_DATA22
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html deleted file mode 100644 index bb687ef..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_NONE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_PADATA_NONE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_NONE¶

-
-
-KRB5_PADATA_NONE¶
-
- - ---- - - - - - -
KRB5_PADATA_NONE0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html deleted file mode 100644 index 7b9ee79..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_OSF_DCE.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_OSF_DCE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_OSF_DCE¶

-
-
-KRB5_PADATA_OSF_DCE¶
-
- -

OSF DCE.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_OSF_DCE8
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html deleted file mode 100644 index 7ef4749..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_OTP_CHALLENGE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_OTP_CHALLENGE¶

-
-
-KRB5_PADATA_OTP_CHALLENGE¶
-
- -

RFC 6560 section 4.1.

- ---- - - - - - -
KRB5_PADATA_OTP_CHALLENGE141
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html deleted file mode 100644 index 54c0b67..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_OTP_PIN_CHANGE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_OTP_PIN_CHANGE¶

-
-
-KRB5_PADATA_OTP_PIN_CHANGE¶
-
- -

RFC 6560 section 4.3.

- ---- - - - - - -
KRB5_PADATA_OTP_PIN_CHANGE144
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html deleted file mode 100644 index 0b620da..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_OTP_REQUEST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_OTP_REQUEST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_OTP_REQUEST¶

-
-
-KRB5_PADATA_OTP_REQUEST¶
-
- -

RFC 6560 section 4.2.

- ---- - - - - - -
KRB5_PADATA_OTP_REQUEST142
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html deleted file mode 100644 index 175ea81..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PAC_REQUEST.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_PAC_REQUEST — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PAC_REQUEST¶

-
-
-KRB5_PADATA_PAC_REQUEST¶
-
- -

include Windows PAC

- ---- - - - - - -
KRB5_PADATA_PAC_REQUEST128
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html deleted file mode 100644 index 2c29ae8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PKINIT_KX.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_PKINIT_KX — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PKINIT_KX¶

-
-
-KRB5_PADATA_PKINIT_KX¶
-
- -

RFC 6112.

- ---- - - - - - -
KRB5_PADATA_PKINIT_KX147
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html deleted file mode 100644 index 97a4ab7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_PK_AS_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PK_AS_REP¶

-
-
-KRB5_PADATA_PK_AS_REP¶
-
- -

PKINIT.

-

RFC 4556

- ---- - - - - - -
KRB5_PADATA_PK_AS_REP17
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html deleted file mode 100644 index b2d6c2e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_PK_AS_REP_OLD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PK_AS_REP_OLD¶

-
-
-KRB5_PADATA_PK_AS_REP_OLD¶
-
- -

PKINIT.

- ---- - - - - - -
KRB5_PADATA_PK_AS_REP_OLD15
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html deleted file mode 100644 index 844136e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_PK_AS_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PK_AS_REQ¶

-
-
-KRB5_PADATA_PK_AS_REQ¶
-
- -

PKINIT.

-

RFC 4556

- ---- - - - - - -
KRB5_PADATA_PK_AS_REQ16
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html deleted file mode 100644 index 943324e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_PK_AS_REQ_OLD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PK_AS_REQ_OLD¶

-
-
-KRB5_PADATA_PK_AS_REQ_OLD¶
-
- -

PKINIT.

- ---- - - - - - -
KRB5_PADATA_PK_AS_REQ_OLD14
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html deleted file mode 100644 index 72a6677..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_PW_SALT.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_PW_SALT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_PW_SALT¶

-
-
-KRB5_PADATA_PW_SALT¶
-
- -

RFC 4120.

- ---- - - - - - -
KRB5_PADATA_PW_SALT3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html b/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html deleted file mode 100644 index f1ecce0..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_REFERRAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_REFERRAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_REFERRAL¶

-
-
-KRB5_PADATA_REFERRAL¶
-
- -

draft referral system

- ---- - - - - - -
KRB5_PADATA_REFERRAL25
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html b/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html deleted file mode 100644 index 8a4dc67..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_S4U_X509_USER.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_S4U_X509_USER — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_S4U_X509_USER¶

-
-
-KRB5_PADATA_S4U_X509_USER¶
-
- -

certificate protocol transition request

- ---- - - - - - -
KRB5_PADATA_S4U_X509_USER130
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html deleted file mode 100644 index 44ccebb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_SAM_CHALLENGE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SAM_CHALLENGE¶

-
-
-KRB5_PADATA_SAM_CHALLENGE¶
-
- -

SAM/OTP.

- ---- - - - - - -
KRB5_PADATA_SAM_CHALLENGE12
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html deleted file mode 100644 index 308a098..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_SAM_CHALLENGE_2 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SAM_CHALLENGE_2¶

-
-
-KRB5_PADATA_SAM_CHALLENGE_2¶
-
- -

draft challenge system, updated

- ---- - - - - - -
KRB5_PADATA_SAM_CHALLENGE_230
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html deleted file mode 100644 index 9458830..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_SAM_REDIRECT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SAM_REDIRECT¶

-
-
-KRB5_PADATA_SAM_REDIRECT¶
-
- -

SAM/OTP.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_SAM_REDIRECT21
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html deleted file mode 100644 index 08aaff3..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_SAM_RESPONSE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SAM_RESPONSE¶

-
-
-KRB5_PADATA_SAM_RESPONSE¶
-
- -

SAM/OTP.

- ---- - - - - - -
KRB5_PADATA_SAM_RESPONSE13
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html deleted file mode 100644 index bd99452..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_SAM_RESPONSE_2 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SAM_RESPONSE_2¶

-
-
-KRB5_PADATA_SAM_RESPONSE_2¶
-
- -

draft challenge system, updated

- ---- - - - - - -
KRB5_PADATA_SAM_RESPONSE_231
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html deleted file mode 100644 index fff5986..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SESAME.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_SESAME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SESAME¶

-
-
-KRB5_PADATA_SESAME¶
-
- -

Sesame project.

-

RFC 4120

- ---- - - - - - -
KRB5_PADATA_SESAME7
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html deleted file mode 100644 index a2fe801..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_PADATA_SVR_REFERRAL_INFO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_SVR_REFERRAL_INFO¶

-
-
-KRB5_PADATA_SVR_REFERRAL_INFO¶
-
- -

Windows 2000 referrals.

-

RFC 6820

- ---- - - - - - -
KRB5_PADATA_SVR_REFERRAL_INFO20
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html b/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html deleted file mode 100644 index 486fd6f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_TGS_REQ.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_PADATA_TGS_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_TGS_REQ¶

-
-
-KRB5_PADATA_TGS_REQ¶
-
- - ---- - - - - - -
KRB5_PADATA_TGS_REQKRB5_PADATA_AP_REQ
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html b/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html deleted file mode 100644 index 9145faa..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PADATA_USE_SPECIFIED_KVNO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PADATA_USE_SPECIFIED_KVNO¶

-
-
-KRB5_PADATA_USE_SPECIFIED_KVNO¶
-
- -

RFC 4120.

- ---- - - - - - -
KRB5_PADATA_USE_SPECIFIED_KVNO20
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html deleted file mode 100644 index c960eee..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_COMPARE_CASEFOLD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_COMPARE_CASEFOLD¶

-
-
-KRB5_PRINCIPAL_COMPARE_CASEFOLD¶
-
- -

case-insensitive

- ---- - - - - - -
KRB5_PRINCIPAL_COMPARE_CASEFOLD4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html deleted file mode 100644 index 9706fa6..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_COMPARE_ENTERPRISE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_COMPARE_ENTERPRISE¶

-
-
-KRB5_PRINCIPAL_COMPARE_ENTERPRISE¶
-
- -

UPNs as real principals.

- ---- - - - - - -
KRB5_PRINCIPAL_COMPARE_ENTERPRISE2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html deleted file mode 100644 index 08fc860..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_COMPARE_IGNORE_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_COMPARE_IGNORE_REALM¶

-
-
-KRB5_PRINCIPAL_COMPARE_IGNORE_REALM¶
-
- -

ignore realm component

- ---- - - - - - -
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html deleted file mode 100644 index a454183..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_COMPARE_UTF8 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_COMPARE_UTF8¶

-
-
-KRB5_PRINCIPAL_COMPARE_UTF8¶
-
- -

treat principals as UTF-8

- ---- - - - - - -
KRB5_PRINCIPAL_COMPARE_UTF88
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html deleted file mode 100644 index 923df84..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_PARSE_ENTERPRISE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_PARSE_ENTERPRISE¶

-
-
-KRB5_PRINCIPAL_PARSE_ENTERPRISE¶
-
- -

Create single-component enterprise principle.

- ---- - - - - - -
KRB5_PRINCIPAL_PARSE_ENTERPRISE0x4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html deleted file mode 100644 index ad86198..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_PARSE_IGNORE_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_PARSE_IGNORE_REALM¶

-
-
-KRB5_PRINCIPAL_PARSE_IGNORE_REALM¶
-
- -

Ignore realm if present.

- ---- - - - - - -
KRB5_PRINCIPAL_PARSE_IGNORE_REALM0x8
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html deleted file mode 100644 index d8f9510..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_PARSE_NO_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_PARSE_NO_REALM¶

-
-
-KRB5_PRINCIPAL_PARSE_NO_REALM¶
-
- -

Error if realm is present.

- ---- - - - - - -
KRB5_PRINCIPAL_PARSE_NO_REALM0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html deleted file mode 100644 index 26d5d4e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_PARSE_REQUIRE_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_PARSE_REQUIRE_REALM¶

-
-
-KRB5_PRINCIPAL_PARSE_REQUIRE_REALM¶
-
- -

Error if realm is not present.

- ---- - - - - - -
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM0x2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html deleted file mode 100644 index 50880af..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_UNPARSE_DISPLAY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_UNPARSE_DISPLAY¶

-
-
-KRB5_PRINCIPAL_UNPARSE_DISPLAY¶
-
- -

Don’t escape special characters.

- ---- - - - - - -
KRB5_PRINCIPAL_UNPARSE_DISPLAY0x4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html deleted file mode 100644 index 81195de..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_UNPARSE_NO_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_UNPARSE_NO_REALM¶

-
-
-KRB5_PRINCIPAL_UNPARSE_NO_REALM¶
-
- -

Omit realm always.

- ---- - - - - - -
KRB5_PRINCIPAL_UNPARSE_NO_REALM0x2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html b/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html deleted file mode 100644 index fb02b05..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRINCIPAL_UNPARSE_SHORT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRINCIPAL_UNPARSE_SHORT¶

-
-
-KRB5_PRINCIPAL_UNPARSE_SHORT¶
-
- -

Omit realm if it is the local realm.

- ---- - - - - - -
KRB5_PRINCIPAL_UNPARSE_SHORT0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PRIV.html b/doc/html/appdev/refs/macros/KRB5_PRIV.html deleted file mode 100644 index 4ba8972..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PRIV.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PRIV — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PRIV¶

-
-
-KRB5_PRIV¶
-
- -

Private application message.

- ---- - - - - - -
KRB5_PRIV((krb5_msgtype)21)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html deleted file mode 100644 index c6b173c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PROMPT_TYPE_NEW_PASSWORD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PROMPT_TYPE_NEW_PASSWORD¶

-
-
-KRB5_PROMPT_TYPE_NEW_PASSWORD¶
-
- -

Prompt for new password (during password change)

- ---- - - - - - -
KRB5_PROMPT_TYPE_NEW_PASSWORD0x2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html deleted file mode 100644 index 4bb4ae1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN¶

-
-
-KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN¶
-
- -

Prompt for new password again.

- ---- - - - - - -
KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN0x3
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html deleted file mode 100644 index e69cf2d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PROMPT_TYPE_PASSWORD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PROMPT_TYPE_PASSWORD¶

-
-
-KRB5_PROMPT_TYPE_PASSWORD¶
-
- -

Prompt for password.

- ---- - - - - - -
KRB5_PROMPT_TYPE_PASSWORD0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html b/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html deleted file mode 100644 index bbdc1e7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PROMPT_TYPE_PREAUTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PROMPT_TYPE_PREAUTH¶

-
-
-KRB5_PROMPT_TYPE_PREAUTH¶
-
- -

Prompt for preauthentication data (such as an OTP value)

- ---- - - - - - -
KRB5_PROMPT_TYPE_PREAUTH0x4
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_PVNO.html b/doc/html/appdev/refs/macros/KRB5_PVNO.html deleted file mode 100644 index f74789d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_PVNO.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_PVNO — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_PVNO¶

-
-
-KRB5_PVNO¶
-
- -

Protocol version number.

- ---- - - - - - -
KRB5_PVNO5
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html b/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html deleted file mode 100644 index 831ac4e..0000000 --- a/doc/html/appdev/refs/macros/KRB5_REALM_BRANCH_CHAR.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_REALM_BRANCH_CHAR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_REALM_BRANCH_CHAR¶

-
-
-KRB5_REALM_BRANCH_CHAR¶
-
- - ---- - - - - - -
KRB5_REALM_BRANCH_CHAR'.'
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html deleted file mode 100644 index 6e170a5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_RECVAUTH_BADAUTHVERS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RECVAUTH_BADAUTHVERS¶

-
-
-KRB5_RECVAUTH_BADAUTHVERS¶
-
- - ---- - - - - - -
KRB5_RECVAUTH_BADAUTHVERS0x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html b/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html deleted file mode 100644 index 7540101..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_RECVAUTH_SKIP_VERSION — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RECVAUTH_SKIP_VERSION¶

-
-
-KRB5_RECVAUTH_SKIP_VERSION¶
-
- - ---- - - - - - -
KRB5_RECVAUTH_SKIP_VERSION0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html b/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html deleted file mode 100644 index b5d84f0..0000000 --- a/doc/html/appdev/refs/macros/KRB5_REFERRAL_REALM.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_REFERRAL_REALM — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_REFERRAL_REALM¶

-
-
-KRB5_REFERRAL_REALM¶
-
- -

Constant for realm referrals.

- ---- - - - - - -
KRB5_REFERRAL_REALM""
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html deleted file mode 100644 index fba1cfa..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN¶

-
-
-KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN¶
-
- -

This flag indicates that the PIN value MUST be collected.

- ---- - - - - - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN0x0002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html deleted file mode 100644 index 8770434..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN¶

-
-
-KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN¶
-
- -

This flag indicates that the token value MUST be collected.

- ---- - - - - - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html deleted file mode 100644 index 210690a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FLAGS_NEXTOTP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FLAGS_NEXTOTP¶

-
-
-KRB5_RESPONDER_OTP_FLAGS_NEXTOTP¶
-
- -

This flag indicates that the token is now in re-synchronization mode with the server.

-

The user is expected to reply with the next code displayed on the token.

- ---- - - - - - -
KRB5_RESPONDER_OTP_FLAGS_NEXTOTP0x0004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html deleted file mode 100644 index d12e513..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN¶

-
-
-KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN¶
-
- -

This flag indicates that the PIN MUST be returned as a separate item.

-

This flag only takes effect if KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as “value” in the answer or it may return them separately. If they are returned separately, they will be concatenated internally.

- ---- - - - - - -
KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN0x0008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html deleted file mode 100644 index 9255e37..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC¶

-
-
-KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC¶
-
- - ---- - - - - - -
KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC2
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html deleted file mode 100644 index 1503c7c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FORMAT_DECIMAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FORMAT_DECIMAL¶

-
-
-KRB5_RESPONDER_OTP_FORMAT_DECIMAL¶
-
- -

These format constants identify the format of the token value.

- ---- - - - - - -
KRB5_RESPONDER_OTP_FORMAT_DECIMAL0
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html deleted file mode 100644 index 6174c0f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL¶

-
-
-KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL¶
-
- - ---- - - - - - -
KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html deleted file mode 100644 index f5faab0..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW¶

-
-
-KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW¶
-
- -

This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied.

- ---- - - - - - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW(1 << 0)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html deleted file mode 100644 index 55eba5c..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY¶

-
-
-KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY¶
-
- -

This flag indicates that supplying an incorrect PIN will cause the token to lock itself.

- ---- - - - - - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY(1 << 1)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html deleted file mode 100644 index 85a80a1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED¶

-
-
-KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED¶
-
- -

This flag indicates that the user PIN is locked, and you can’t log in to the token with it.

- ---- - - - - - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED(1 << 2)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html deleted file mode 100644 index b0a695d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - KRB5_RESPONDER_QUESTION_OTP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_QUESTION_OTP¶

-
-
-KRB5_RESPONDER_QUESTION_OTP¶
-
- -

OTP responder question.

-

The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is:

-

{

-

“service”: <string (optional)>,

-

“tokenInfo”: [

-

{

-

“flags”: <number>,

-

“vendor”: <string (optional)>,

-

“challenge”: <string (optional)>,

-

“length”: <number (optional)>,

-

“format”: <number (optional)>,

-

“tokenID”: <string (optional)>,

-

“algID”: <string (optional)>,

-

},

-

...

-

]

-

}

-

The answer to the question MUST be JSON formatted:

-

{

-

“tokeninfo”: <number>,

-

“value”: <string (optional)>,

-

“pin”: <string (optional)>,

-

}

-

For more detail, please see RFC 6560.

- ---- - - - - - -
KRB5_RESPONDER_QUESTION_OTP"otp"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html deleted file mode 100644 index cdb2b9d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - KRB5_RESPONDER_QUESTION_PASSWORD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_QUESTION_PASSWORD¶

-
-
-KRB5_RESPONDER_QUESTION_PASSWORD¶
-
- -

Long-term password responder question.

-

This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string.

- ---- - - - - - -
KRB5_RESPONDER_QUESTION_PASSWORD"password"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html b/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html deleted file mode 100644 index 3fc30ee..0000000 --- a/doc/html/appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - KRB5_RESPONDER_QUESTION_PKINIT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_RESPONDER_QUESTION_PKINIT¶

-
-
-KRB5_RESPONDER_QUESTION_PKINIT¶
-
- -

PKINIT responder question.

-

The PKINIT responder question is asked when the client needs a password that’s being used to protect key information, and is formatted as a JSON object. A specific identity’s flags value, if not zero, is the bitwise-OR of one or more of the KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF_* values in the PKCS#11 API should not be depended on.

-

{

-

identity <string> : flags <number>,

-

...

-

}

-

The answer to the question MUST be JSON formatted:

-

{

-

identity <string> : password <string>,

-

...

-

}

- ---- - - - - - -
KRB5_RESPONDER_QUESTION_PKINIT"pkinit"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_SAFE.html b/doc/html/appdev/refs/macros/KRB5_SAFE.html deleted file mode 100644 index c2d751b..0000000 --- a/doc/html/appdev/refs/macros/KRB5_SAFE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_SAFE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_SAFE¶

-
-
-KRB5_SAFE¶
-
- -

Safe application message.

- ---- - - - - - -
KRB5_SAFE((krb5_msgtype)20)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html b/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html deleted file mode 100644 index 0e1cbc1..0000000 --- a/doc/html/appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_SAM_MUST_PK_ENCRYPT_SAD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_SAM_MUST_PK_ENCRYPT_SAD¶

-
-
-KRB5_SAM_MUST_PK_ENCRYPT_SAD¶
-
- -

currently must be zero

- ---- - - - - - -
KRB5_SAM_MUST_PK_ENCRYPT_SAD0x20000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html b/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html deleted file mode 100644 index 03a404a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_SAM_SEND_ENCRYPTED_SAD — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_SAM_SEND_ENCRYPTED_SAD¶

-
-
-KRB5_SAM_SEND_ENCRYPTED_SAD¶
-
- - ---- - - - - - -
KRB5_SAM_SEND_ENCRYPTED_SAD0x40000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html b/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html deleted file mode 100644 index 7f0f183..0000000 --- a/doc/html/appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_SAM_USE_SAD_AS_KEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_SAM_USE_SAD_AS_KEY¶

-
-
-KRB5_SAM_USE_SAD_AS_KEY¶
-
- - ---- - - - - - -
KRB5_SAM_USE_SAD_AS_KEY0x80000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html deleted file mode 100644 index 81c3554..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_2ND_TKT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_2ND_TKT¶

-
-
-KRB5_TC_MATCH_2ND_TKT¶
-
- -

The second ticket must match.

- ---- - - - - - -
KRB5_TC_MATCH_2ND_TKT0x00000080
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html deleted file mode 100644 index b9fc234..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_AUTHDATA — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_AUTHDATA¶

-
-
-KRB5_TC_MATCH_AUTHDATA¶
-
- -

The authorization data must match.

- ---- - - - - - -
KRB5_TC_MATCH_AUTHDATA0x00000020
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html deleted file mode 100644 index 4afffe9..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_FLAGS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_FLAGS¶

-
-
-KRB5_TC_MATCH_FLAGS¶
-
- -

All the flags set in the match credentials must be set.

- ---- - - - - - -
KRB5_TC_MATCH_FLAGS0x00000004
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html deleted file mode 100644 index e8ba97d..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_FLAGS_EXACT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_FLAGS_EXACT¶

-
-
-KRB5_TC_MATCH_FLAGS_EXACT¶
-
- -

All the flags must match exactly.

- ---- - - - - - -
KRB5_TC_MATCH_FLAGS_EXACT0x00000010
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html deleted file mode 100644 index 19d0cb7..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_IS_SKEY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_IS_SKEY¶

-
-
-KRB5_TC_MATCH_IS_SKEY¶
-
- -

The is_skey field must match exactly.

- ---- - - - - - -
KRB5_TC_MATCH_IS_SKEY0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html deleted file mode 100644 index 14dc43f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_KTYPE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_KTYPE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_KTYPE¶

-
-
-KRB5_TC_MATCH_KTYPE¶
-
- -

The encryption key type must match.

- ---- - - - - - -
KRB5_TC_MATCH_KTYPE0x00000100
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html deleted file mode 100644 index 19f2cd5..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_SRV_NAMEONLY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_SRV_NAMEONLY¶

-
-
-KRB5_TC_MATCH_SRV_NAMEONLY¶
-
- -

Only the name portion of the principal name must match.

- ---- - - - - - -
KRB5_TC_MATCH_SRV_NAMEONLY0x00000040
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html deleted file mode 100644 index 9fba6be..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_TIMES — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_TIMES¶

-
-
-KRB5_TC_MATCH_TIMES¶
-
- -

The requested lifetime must be at least as great as the time specified.

- ---- - - - - - -
KRB5_TC_MATCH_TIMES0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html b/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html deleted file mode 100644 index 8786ded..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_MATCH_TIMES_EXACT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_MATCH_TIMES_EXACT¶

-
-
-KRB5_TC_MATCH_TIMES_EXACT¶
-
- -

All the time fields must match exactly.

- ---- - - - - - -
KRB5_TC_MATCH_TIMES_EXACT0x00000008
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html b/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html deleted file mode 100644 index 1012154..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_NOTICKET.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_TC_NOTICKET — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_NOTICKET¶

-
-
-KRB5_TC_NOTICKET¶
-
- - ---- - - - - - -
KRB5_TC_NOTICKET0x00000002
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html b/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html deleted file mode 100644 index 7a79cb8..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_OPENCLOSE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_OPENCLOSE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_OPENCLOSE¶

-
-
-KRB5_TC_OPENCLOSE¶
-
- -

Open and close the file for each cache operation.

- ---- - - - - - -
KRB5_TC_OPENCLOSE0x00000001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html b/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html deleted file mode 100644 index 30d3cba..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TC_SUPPORTED_KTYPES — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TC_SUPPORTED_KTYPES¶

-
-
-KRB5_TC_SUPPORTED_KTYPES¶
-
- -

The supported key types must match.

- ---- - - - - - -
KRB5_TC_SUPPORTED_KTYPES0x00000200
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html b/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html deleted file mode 100644 index f7192a2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TGS_NAME.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_TGS_NAME — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TGS_NAME¶

-
-
-KRB5_TGS_NAME¶
-
- - ---- - - - - - -
KRB5_TGS_NAME"krbtgt"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html b/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html deleted file mode 100644 index 1a9aebb..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TGS_NAME_SIZE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_TGS_NAME_SIZE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TGS_NAME_SIZE¶

-
-
-KRB5_TGS_NAME_SIZE¶
-
- - ---- - - - - - -
KRB5_TGS_NAME_SIZE6
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_REP.html b/doc/html/appdev/refs/macros/KRB5_TGS_REP.html deleted file mode 100644 index 1fe1411..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TGS_REP.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TGS_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TGS_REP¶

-
-
-KRB5_TGS_REP¶
-
- -

Response to TGS request.

- ---- - - - - - -
KRB5_TGS_REP((krb5_msgtype)13)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html b/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html deleted file mode 100644 index 5e6119a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TGS_REQ.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TGS_REQ — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TGS_REQ¶

-
-
-KRB5_TGS_REQ¶
-
- -

Ticket granting server request.

- ---- - - - - - -
KRB5_TGS_REQ((krb5_msgtype)12)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html b/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html deleted file mode 100644 index aed7c1f..0000000 --- a/doc/html/appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_TKT_CREDS_STEP_FLAG_CONTINUE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_TKT_CREDS_STEP_FLAG_CONTINUE¶

-
-
-KRB5_TKT_CREDS_STEP_FLAG_CONTINUE¶
-
- -

More responses needed.

- ---- - - - - - -
KRB5_TKT_CREDS_STEP_FLAG_CONTINUE0x1
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html b/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html deleted file mode 100644 index 152312a..0000000 --- a/doc/html/appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL¶

-
-
-KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL¶
-
- - ---- - - - - - -
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL0x0001
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html b/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html deleted file mode 100644 index b7deab2..0000000 --- a/doc/html/appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - KRB5_WELLKNOWN_NAMESTR — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KRB5_WELLKNOWN_NAMESTR¶

-
-
-KRB5_WELLKNOWN_NAMESTR¶
-
- -

First component of NT_WELLKNOWN principals.

- ---- - - - - - -
KRB5_WELLKNOWN_NAMESTR"WELLKNOWN"
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html b/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html deleted file mode 100644 index c7cf198..0000000 --- a/doc/html/appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - LR_TYPE_INTERPRETATION_MASK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

LR_TYPE_INTERPRETATION_MASK¶

-
-
-LR_TYPE_INTERPRETATION_MASK¶
-
- - ---- - - - - - -
LR_TYPE_INTERPRETATION_MASK0x7fff
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html b/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html deleted file mode 100644 index 4602710..0000000 --- a/doc/html/appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - LR_TYPE_THIS_SERVER_ONLY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

LR_TYPE_THIS_SERVER_ONLY¶

-
-
-LR_TYPE_THIS_SERVER_ONLY¶
-
- - ---- - - - - - -
LR_TYPE_THIS_SERVER_ONLY0x8000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html b/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html deleted file mode 100644 index 7e77f16..0000000 --- a/doc/html/appdev/refs/macros/MAX_KEYTAB_NAME_LEN.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - MAX_KEYTAB_NAME_LEN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

MAX_KEYTAB_NAME_LEN¶

-
-
-MAX_KEYTAB_NAME_LEN¶
-
- -

Long enough for MAXPATHLEN + some extra.

- ---- - - - - - -
MAX_KEYTAB_NAME_LEN1100
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/MSEC_DIRBIT.html b/doc/html/appdev/refs/macros/MSEC_DIRBIT.html deleted file mode 100644 index a09abcc..0000000 --- a/doc/html/appdev/refs/macros/MSEC_DIRBIT.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - MSEC_DIRBIT — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

MSEC_DIRBIT¶

-
-
-MSEC_DIRBIT¶
-
- - ---- - - - - - -
MSEC_DIRBIT0x8000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html b/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html deleted file mode 100644 index be2abff..0000000 --- a/doc/html/appdev/refs/macros/MSEC_VAL_MASK.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - MSEC_VAL_MASK — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

MSEC_VAL_MASK¶

-
-
-MSEC_VAL_MASK¶
-
- - ---- - - - - - -
MSEC_VAL_MASK0x7fff
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html b/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html deleted file mode 100644 index a3765df..0000000 --- a/doc/html/appdev/refs/macros/SALT_TYPE_AFS_LENGTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - SALT_TYPE_AFS_LENGTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

SALT_TYPE_AFS_LENGTH¶

-
-
-SALT_TYPE_AFS_LENGTH¶
-
- - ---- - - - - - -
SALT_TYPE_AFS_LENGTHUINT_MAX
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html b/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html deleted file mode 100644 index d0d5b5b..0000000 --- a/doc/html/appdev/refs/macros/SALT_TYPE_NO_LENGTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - SALT_TYPE_NO_LENGTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

SALT_TYPE_NO_LENGTH¶

-
-
-SALT_TYPE_NO_LENGTH¶
-
- - ---- - - - - - -
SALT_TYPE_NO_LENGTHUINT_MAX
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/THREEPARAMOPEN.html b/doc/html/appdev/refs/macros/THREEPARAMOPEN.html deleted file mode 100644 index c6a39f1..0000000 --- a/doc/html/appdev/refs/macros/THREEPARAMOPEN.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - THREEPARAMOPEN — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

THREEPARAMOPEN¶

-
-
-THREEPARAMOPEN¶
-
- - ---- - - - - - -
THREEPARAMOPEN (x, y, z)open(x,y,z)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html b/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html deleted file mode 100644 index 81cb045..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_ANONYMOUS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_ANONYMOUS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_ANONYMOUS¶

-
-
-TKT_FLG_ANONYMOUS¶
-
- - ---- - - - - - -
TKT_FLG_ANONYMOUS0x00008000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html b/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html deleted file mode 100644 index 8c96597..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_ENC_PA_REP.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_ENC_PA_REP — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_ENC_PA_REP¶

-
-
-TKT_FLG_ENC_PA_REP¶
-
- - ---- - - - - - -
TKT_FLG_ENC_PA_REP0x00010000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html deleted file mode 100644 index 5c51927..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_FORWARDABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_FORWARDABLE¶

-
-
-TKT_FLG_FORWARDABLE¶
-
- - ---- - - - - - -
TKT_FLG_FORWARDABLE0x40000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html b/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html deleted file mode 100644 index 40fac65..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_FORWARDED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_FORWARDED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_FORWARDED¶

-
-
-TKT_FLG_FORWARDED¶
-
- - ---- - - - - - -
TKT_FLG_FORWARDED0x20000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html b/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html deleted file mode 100644 index 9bb4608..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_HW_AUTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_HW_AUTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_HW_AUTH¶

-
-
-TKT_FLG_HW_AUTH¶
-
- - ---- - - - - - -
TKT_FLG_HW_AUTH0x00100000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html b/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html deleted file mode 100644 index de96ae7..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_INITIAL.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_INITIAL — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_INITIAL¶

-
-
-TKT_FLG_INITIAL¶
-
- - ---- - - - - - -
TKT_FLG_INITIAL0x00400000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html b/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html deleted file mode 100644 index 2e89b58..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_INVALID.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_INVALID — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_INVALID¶

-
-
-TKT_FLG_INVALID¶
-
- - ---- - - - - - -
TKT_FLG_INVALID0x01000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html b/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html deleted file mode 100644 index 0fe9299..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_MAY_POSTDATE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_MAY_POSTDATE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_MAY_POSTDATE¶

-
-
-TKT_FLG_MAY_POSTDATE¶
-
- - ---- - - - - - -
TKT_FLG_MAY_POSTDATE0x04000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html b/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html deleted file mode 100644 index e4477a1..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_OK_AS_DELEGATE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_OK_AS_DELEGATE¶

-
-
-TKT_FLG_OK_AS_DELEGATE¶
-
- - ---- - - - - - -
TKT_FLG_OK_AS_DELEGATE0x00040000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html b/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html deleted file mode 100644 index 51e8fe7..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_POSTDATED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_POSTDATED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_POSTDATED¶

-
-
-TKT_FLG_POSTDATED¶
-
- - ---- - - - - - -
TKT_FLG_POSTDATED0x02000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html b/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html deleted file mode 100644 index a51ab1c..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_PRE_AUTH.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_PRE_AUTH — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_PRE_AUTH¶

-
-
-TKT_FLG_PRE_AUTH¶
-
- - ---- - - - - - -
TKT_FLG_PRE_AUTH0x00200000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html deleted file mode 100644 index 75c88bf..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_PROXIABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_PROXIABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_PROXIABLE¶

-
-
-TKT_FLG_PROXIABLE¶
-
- - ---- - - - - - -
TKT_FLG_PROXIABLE0x10000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html b/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html deleted file mode 100644 index 990243d..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_PROXY.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_PROXY — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_PROXY¶

-
-
-TKT_FLG_PROXY¶
-
- - ---- - - - - - -
TKT_FLG_PROXY0x08000000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html b/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html deleted file mode 100644 index 2aa7408..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_RENEWABLE.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_RENEWABLE — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_RENEWABLE¶

-
-
-TKT_FLG_RENEWABLE¶
-
- - ---- - - - - - -
TKT_FLG_RENEWABLE0x00800000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html b/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html deleted file mode 100644 index 7335b84..0000000 --- a/doc/html/appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - TKT_FLG_TRANSIT_POLICY_CHECKED — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

TKT_FLG_TRANSIT_POLICY_CHECKED¶

-
-
-TKT_FLG_TRANSIT_POLICY_CHECKED¶
-
- - ---- - - - - - -
TKT_FLG_TRANSIT_POLICY_CHECKED0x00080000
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/VALID_INT_BITS.html b/doc/html/appdev/refs/macros/VALID_INT_BITS.html deleted file mode 100644 index ed8f43e..0000000 --- a/doc/html/appdev/refs/macros/VALID_INT_BITS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - VALID_INT_BITS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

VALID_INT_BITS¶

-
-
-VALID_INT_BITS¶
-
- - ---- - - - - - -
VALID_INT_BITSINT_MAX
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/VALID_UINT_BITS.html b/doc/html/appdev/refs/macros/VALID_UINT_BITS.html deleted file mode 100644 index 5f9402a..0000000 --- a/doc/html/appdev/refs/macros/VALID_UINT_BITS.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - VALID_UINT_BITS — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

VALID_UINT_BITS¶

-
-
-VALID_UINT_BITS¶
-
- - ---- - - - - - -
VALID_UINT_BITSUINT_MAX
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/index.html b/doc/html/appdev/refs/macros/index.html deleted file mode 100644 index 7c576bf..0000000 --- a/doc/html/appdev/refs/macros/index.html +++ /dev/null @@ -1,528 +0,0 @@ - - - - - - - - krb5 simple macros — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5 simple macros¶

-
-

Public¶

-
- -
-
-
-

Deprecated macros¶

-
- -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html b/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html deleted file mode 100644 index a4ba145..0000000 --- a/doc/html/appdev/refs/macros/krb524_convert_creds_kdc.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb524_convert_creds_kdc — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb524_convert_creds_kdc¶

-
-
-krb524_convert_creds_kdc¶
-
- - ---- - - - - - -
krb524_convert_creds_kdckrb5_524_convert_creds
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb524_init_ets.html b/doc/html/appdev/refs/macros/krb524_init_ets.html deleted file mode 100644 index cd7198c..0000000 --- a/doc/html/appdev/refs/macros/krb524_init_ets.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb524_init_ets — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb524_init_ets¶

-
-
-krb524_init_ets¶
-
- - ---- - - - - - -
krb524_init_ets (x)(0)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_const.html b/doc/html/appdev/refs/macros/krb5_const.html deleted file mode 100644 index 9008524..0000000 --- a/doc/html/appdev/refs/macros/krb5_const.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_const — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_const¶

-
-
-krb5_const¶
-
- - ---- - - - - - -
krb5_constconst
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_component.html b/doc/html/appdev/refs/macros/krb5_princ_component.html deleted file mode 100644 index 4a63fa4..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_component.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_component — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_component¶

-
-
-krb5_princ_component¶
-
- - ---- - - - - - -
krb5_princ_component (context, princ, i)(((i) < krb5_princ_size(context, princ)) ? (princ)->data + (i) : NULL)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_name.html b/doc/html/appdev/refs/macros/krb5_princ_name.html deleted file mode 100644 index 5e9df5c..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_name.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_name — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_name¶

-
-
-krb5_princ_name¶
-
- - ---- - - - - - -
krb5_princ_name (context, princ)(princ)->data
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_realm.html b/doc/html/appdev/refs/macros/krb5_princ_realm.html deleted file mode 100644 index fa66710..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_realm.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_realm — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_realm¶

-
-
-krb5_princ_realm¶
-
- - ---- - - - - - -
krb5_princ_realm (context, princ)(&(princ)->realm)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm.html deleted file mode 100644 index 5a264c2..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_set_realm.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_set_realm — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_set_realm¶

-
-
-krb5_princ_set_realm¶
-
- - ---- - - - - - -
krb5_princ_set_realm (context, princ, value)((princ)->realm = *(value))
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html deleted file mode 100644 index 6874ea3..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_set_realm_data.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_set_realm_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_set_realm_data¶

-
-
-krb5_princ_set_realm_data¶
-
- - ---- - - - - - -
krb5_princ_set_realm_data (context, princ, value)(princ)->realm.data = (value)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html b/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html deleted file mode 100644 index 24743dc..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_set_realm_length.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_set_realm_length — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_set_realm_length¶

-
-
-krb5_princ_set_realm_length¶
-
- - ---- - - - - - -
krb5_princ_set_realm_length (context, princ, value)(princ)->realm.length = (value)
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_size.html b/doc/html/appdev/refs/macros/krb5_princ_size.html deleted file mode 100644 index 05a128c..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_size.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_size — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_size¶

-
-
-krb5_princ_size¶
-
- - ---- - - - - - -
krb5_princ_size (context, princ)(princ)->length
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_princ_type.html b/doc/html/appdev/refs/macros/krb5_princ_type.html deleted file mode 100644 index 336ff1e..0000000 --- a/doc/html/appdev/refs/macros/krb5_princ_type.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_princ_type — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_princ_type¶

-
-
-krb5_princ_type¶
-
- - ---- - - - - - -
krb5_princ_type (context, princ)(princ)->type
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_roundup.html b/doc/html/appdev/refs/macros/krb5_roundup.html deleted file mode 100644 index cbad559..0000000 --- a/doc/html/appdev/refs/macros/krb5_roundup.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_roundup — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_roundup¶

-
-
-krb5_roundup¶
-
- - ---- - - - - - -
krb5_roundup (x, y)((((x) + (y) - 1)/(y))*(y))
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_x.html b/doc/html/appdev/refs/macros/krb5_x.html deleted file mode 100644 index 8f59cd2..0000000 --- a/doc/html/appdev/refs/macros/krb5_x.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_x — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_x¶

-
-
-krb5_x¶
-
- - ---- - - - - - -
krb5_x (ptr, args)((ptr)?((*(ptr)) args):(abort(),1))
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/macros/krb5_xc.html b/doc/html/appdev/refs/macros/krb5_xc.html deleted file mode 100644 index 231215a..0000000 --- a/doc/html/appdev/refs/macros/krb5_xc.html +++ /dev/null @@ -1,162 +0,0 @@ - - - - - - - - krb5_xc — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_xc¶

-
-
-krb5_xc¶
-
- - ---- - - - - - -
krb5_xc (ptr, args)((ptr)?((*(ptr)) args):(abort(),(char*)0))
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/index.html b/doc/html/appdev/refs/types/index.html deleted file mode 100644 index d2eedab..0000000 --- a/doc/html/appdev/refs/types/index.html +++ /dev/null @@ -1,256 +0,0 @@ - - - - - - - - krb5 types and structures — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5 types and structures¶

- - -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_address.html b/doc/html/appdev/refs/types/krb5_address.html deleted file mode 100644 index 01b1c0b..0000000 --- a/doc/html/appdev/refs/types/krb5_address.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_address — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_address¶

-
-
-krb5_address¶
-
- -

Structure for address.

-
-

Declaration¶

-

typedef struct _krb5_address krb5_address

-
-
-

Members¶

-
-
-krb5_magic krb5_address.magic¶
-
- -
-
-krb5_addrtype krb5_address.addrtype¶
-
- -
-
-unsigned int krb5_address.length¶
-
- -
-
-krb5_octet * krb5_address.contents¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_addrtype.html b/doc/html/appdev/refs/types/krb5_addrtype.html deleted file mode 100644 index 1dc7f23..0000000 --- a/doc/html/appdev/refs/types/krb5_addrtype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_addrtype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_addrtype¶

-
-
-krb5_addrtype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_addrtype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ap_rep.html b/doc/html/appdev/refs/types/krb5_ap_rep.html deleted file mode 100644 index f800de0..0000000 --- a/doc/html/appdev/refs/types/krb5_ap_rep.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_ap_rep — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ap_rep¶

-
-
-krb5_ap_rep¶
-
- -

C representaton of AP-REP message.

-

The server’s response to a client’s request for mutual authentication.

-
-

Declaration¶

-

typedef struct _krb5_ap_rep krb5_ap_rep

-
-
-

Members¶

-
-
-krb5_magic krb5_ap_rep.magic¶
-
- -
-
-krb5_enc_data krb5_ap_rep.enc_part¶
-

Ciphertext of ApRepEncPart.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html b/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html deleted file mode 100644 index dfdf34b..0000000 --- a/doc/html/appdev/refs/types/krb5_ap_rep_enc_part.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - krb5_ap_rep_enc_part — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ap_rep_enc_part¶

-
-
-krb5_ap_rep_enc_part¶
-
- -

Cleartext that is encrypted and put into _krb5_ap_rep .

-
-

Declaration¶

-

typedef struct _krb5_ap_rep_enc_part krb5_ap_rep_enc_part

-
-
-

Members¶

-
-
-krb5_magic krb5_ap_rep_enc_part.magic¶
-
- -
-
-krb5_timestamp krb5_ap_rep_enc_part.ctime¶
-

Client time, seconds portion.

-
- -
-
-krb5_int32 krb5_ap_rep_enc_part.cusec¶
-

Client time, microseconds portion.

-
- -
-
-krb5_keyblock * krb5_ap_rep_enc_part.subkey¶
-

Subkey (optional)

-
- -
-
-krb5_ui_4 krb5_ap_rep_enc_part.seq_number¶
-

Sequence number.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ap_req.html b/doc/html/appdev/refs/types/krb5_ap_req.html deleted file mode 100644 index 5ca690a..0000000 --- a/doc/html/appdev/refs/types/krb5_ap_req.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_ap_req — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ap_req¶

-
-
-krb5_ap_req¶
-
- -

Authentication header.

-
-

Declaration¶

-

typedef struct _krb5_ap_req krb5_ap_req

-
-
-

Members¶

-
-
-krb5_magic krb5_ap_req.magic¶
-
- -
-
-krb5_flags krb5_ap_req.ap_options¶
-

Requested options.

-
- -
-
-krb5_ticket * krb5_ap_req.ticket¶
-

Ticket.

-
- -
-
-krb5_enc_data krb5_ap_req.authenticator¶
-

Encrypted authenticator.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_auth_context.html b/doc/html/appdev/refs/types/krb5_auth_context.html deleted file mode 100644 index 8022c59..0000000 --- a/doc/html/appdev/refs/types/krb5_auth_context.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_auth_context — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_auth_context¶

-
-
-krb5_auth_context¶
-
- -
-

Declaration¶

-

typedef struct _krb5_auth_context* krb5_auth_context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_authdata.html b/doc/html/appdev/refs/types/krb5_authdata.html deleted file mode 100644 index 11d2fef..0000000 --- a/doc/html/appdev/refs/types/krb5_authdata.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_authdata — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_authdata¶

-
-
-krb5_authdata¶
-
- -

Structure for auth data.

-
-

Declaration¶

-

typedef struct _krb5_authdata krb5_authdata

-
-
-

Members¶

-
-
-krb5_magic krb5_authdata.magic¶
-
- -
-
-krb5_authdatatype krb5_authdata.ad_type¶
-

ADTYPE.

-
- -
-
-unsigned int krb5_authdata.length¶
-

Length of data.

-
- -
-
-krb5_octet * krb5_authdata.contents¶
-

Data.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_authdatatype.html b/doc/html/appdev/refs/types/krb5_authdatatype.html deleted file mode 100644 index 3c005a4..0000000 --- a/doc/html/appdev/refs/types/krb5_authdatatype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_authdatatype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_authdatatype¶

-
-
-krb5_authdatatype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_authdatatype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_authenticator.html b/doc/html/appdev/refs/types/krb5_authenticator.html deleted file mode 100644 index 0421338..0000000 --- a/doc/html/appdev/refs/types/krb5_authenticator.html +++ /dev/null @@ -1,211 +0,0 @@ - - - - - - - - krb5_authenticator — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_authenticator¶

-
-
-krb5_authenticator¶
-
- -

Ticket authenticator.

-

The C representation of an unencrypted authenticator.

-
-

Declaration¶

-

typedef struct _krb5_authenticator krb5_authenticator

-
-
-

Members¶

-
-
-krb5_magic krb5_authenticator.magic¶
-
- -
-
-krb5_principal krb5_authenticator.client¶
-

client name/realm

-
- -
-
-krb5_checksum * krb5_authenticator.checksum¶
-

checksum, includes type, optional

-
- -
-
-krb5_int32 krb5_authenticator.cusec¶
-

client usec portion

-
- -
-
-krb5_timestamp krb5_authenticator.ctime¶
-

client sec portion

-
- -
-
-krb5_keyblock * krb5_authenticator.subkey¶
-

true session key, optional

-
- -
-
-krb5_ui_4 krb5_authenticator.seq_number¶
-

sequence #, optional

-
- -
-
-krb5_authdata ** krb5_authenticator.authorization_data¶
-

authoriazation data

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_boolean.html b/doc/html/appdev/refs/types/krb5_boolean.html deleted file mode 100644 index b277836..0000000 --- a/doc/html/appdev/refs/types/krb5_boolean.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_boolean — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_boolean¶

-
-
-krb5_boolean¶
-
- -
-

Declaration¶

-

typedef unsigned int krb5_boolean

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cc_cursor.html b/doc/html/appdev/refs/types/krb5_cc_cursor.html deleted file mode 100644 index 10a24c6..0000000 --- a/doc/html/appdev/refs/types/krb5_cc_cursor.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_cc_cursor — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cc_cursor¶

-
-
-krb5_cc_cursor¶
-
- -

Cursor for sequential lookup.

-
-

Declaration¶

-

typedef krb5_pointer krb5_cc_cursor

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ccache.html b/doc/html/appdev/refs/types/krb5_ccache.html deleted file mode 100644 index 45e9348..0000000 --- a/doc/html/appdev/refs/types/krb5_ccache.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_ccache — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ccache¶

-
-
-krb5_ccache¶
-
- -
-

Declaration¶

-

typedef struct _krb5_ccache* krb5_ccache

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cccol_cursor.html b/doc/html/appdev/refs/types/krb5_cccol_cursor.html deleted file mode 100644 index e31ef2e..0000000 --- a/doc/html/appdev/refs/types/krb5_cccol_cursor.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_cccol_cursor — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cccol_cursor¶

-
-
-krb5_cccol_cursor¶
-
- -

Cursor for iterating over all ccaches.

-
-

Declaration¶

-

typedef struct _krb5_cccol_cursor* krb5_cccol_cursor

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_checksum.html b/doc/html/appdev/refs/types/krb5_checksum.html deleted file mode 100644 index 2cb935e..0000000 --- a/doc/html/appdev/refs/types/krb5_checksum.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_checksum — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_checksum¶

-
-
-krb5_checksum¶
-
- -
-

Declaration¶

-

typedef struct _krb5_checksum krb5_checksum

-
-
-

Members¶

-
-
-krb5_magic krb5_checksum.magic¶
-
- -
-
-krb5_cksumtype krb5_checksum.checksum_type¶
-
- -
-
-unsigned int krb5_checksum.length¶
-
- -
-
-krb5_octet * krb5_checksum.contents¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cksumtype.html b/doc/html/appdev/refs/types/krb5_cksumtype.html deleted file mode 100644 index 2bd3cbe..0000000 --- a/doc/html/appdev/refs/types/krb5_cksumtype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_cksumtype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cksumtype¶

-
-
-krb5_cksumtype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_cksumtype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_const_pointer.html b/doc/html/appdev/refs/types/krb5_const_pointer.html deleted file mode 100644 index 442775c..0000000 --- a/doc/html/appdev/refs/types/krb5_const_pointer.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_const_pointer — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_const_pointer¶

-
-
-krb5_const_pointer¶
-
- -
-

Declaration¶

-

typedef void const* krb5_const_pointer

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_const_principal.html b/doc/html/appdev/refs/types/krb5_const_principal.html deleted file mode 100644 index b15dee8..0000000 --- a/doc/html/appdev/refs/types/krb5_const_principal.html +++ /dev/null @@ -1,189 +0,0 @@ - - - - - - - - krb5_const_principal — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_const_principal¶

-
-
-krb5_const_principal¶
-
- -

Constant version of krb5_principal_data .

-
-

Declaration¶

-

typedef const krb5_principal_data* krb5_const_principal

-
-
-

Members¶

-
-
-krb5_magic krb5_const_principal.magic¶
-
- -
-
-krb5_data krb5_const_principal.realm¶
-
- -
-
-krb5_data * krb5_const_principal.data¶
-

An array of strings.

-
- -
-
-krb5_int32 krb5_const_principal.length¶
-
- -
-
-krb5_int32 krb5_const_principal.type¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_context.html b/doc/html/appdev/refs/types/krb5_context.html deleted file mode 100644 index 4b185cf..0000000 --- a/doc/html/appdev/refs/types/krb5_context.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_context — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_context¶

-
-
-krb5_context¶
-
- -
-

Declaration¶

-

typedef struct _krb5_context* krb5_context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cred.html b/doc/html/appdev/refs/types/krb5_cred.html deleted file mode 100644 index 7ea231c..0000000 --- a/doc/html/appdev/refs/types/krb5_cred.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_cred — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cred¶

-
-
-krb5_cred¶
-
- -

Credentials data structure.

-
-

Declaration¶

-

typedef struct _krb5_cred krb5_cred

-
-
-

Members¶

-
-
-krb5_magic krb5_cred.magic¶
-
- -
-
-krb5_ticket ** krb5_cred.tickets¶
-

Tickets.

-
- -
-
-krb5_enc_data krb5_cred.enc_part¶
-

Encrypted part.

-
- -
-
-krb5_cred_enc_part * krb5_cred.enc_part2¶
-

Unencrypted version, if available.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cred_enc_part.html b/doc/html/appdev/refs/types/krb5_cred_enc_part.html deleted file mode 100644 index c1a42a2..0000000 --- a/doc/html/appdev/refs/types/krb5_cred_enc_part.html +++ /dev/null @@ -1,203 +0,0 @@ - - - - - - - - krb5_cred_enc_part — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cred_enc_part¶

-
-
-krb5_cred_enc_part¶
-
- -

Cleartext credentials information.

-
-

Declaration¶

-

typedef struct _krb5_cred_enc_part krb5_cred_enc_part

-
-
-

Members¶

-
-
-krb5_magic krb5_cred_enc_part.magic¶
-
- -
-
-krb5_int32 krb5_cred_enc_part.nonce¶
-

Nonce (optional)

-
- -
-
-krb5_timestamp krb5_cred_enc_part.timestamp¶
-

Generation time, seconds portion.

-
- -
-
-krb5_int32 krb5_cred_enc_part.usec¶
-

Generation time, microseconds portion.

-
- -
-
-krb5_address * krb5_cred_enc_part.s_address¶
-

Sender address (optional)

-
- -
-
-krb5_address * krb5_cred_enc_part.r_address¶
-

Recipient address (optional)

-
- -
-
-krb5_cred_info ** krb5_cred_enc_part.ticket_info¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cred_info.html b/doc/html/appdev/refs/types/krb5_cred_info.html deleted file mode 100644 index db54f63..0000000 --- a/doc/html/appdev/refs/types/krb5_cred_info.html +++ /dev/null @@ -1,204 +0,0 @@ - - - - - - - - krb5_cred_info — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cred_info¶

-
-
-krb5_cred_info¶
-
- -

Credentials information inserted into EncKrbCredPart .

-
-

Declaration¶

-

typedef struct _krb5_cred_info krb5_cred_info

-
-
-

Members¶

-
-
-krb5_magic krb5_cred_info.magic¶
-
- -
-
-krb5_keyblock * krb5_cred_info.session¶
-

Session key used to encrypt ticket.

-
- -
-
-krb5_principal krb5_cred_info.client¶
-

Client principal and realm.

-
- -
-
-krb5_principal krb5_cred_info.server¶
-

Server principal and realm.

-
- -
-
-krb5_flags krb5_cred_info.flags¶
-

Ticket flags.

-
- -
-
-krb5_ticket_times krb5_cred_info.times¶
-

Auth, start, end, renew_till.

-
- -
-
-krb5_address ** krb5_cred_info.caddrs¶
-

Array of pointers to addrs (optional)

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_creds.html b/doc/html/appdev/refs/types/krb5_creds.html deleted file mode 100644 index 8432a91..0000000 --- a/doc/html/appdev/refs/types/krb5_creds.html +++ /dev/null @@ -1,228 +0,0 @@ - - - - - - - - krb5_creds — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_creds¶

-
-
-krb5_creds¶
-
- -

Credentials structure including ticket, session key, and lifetime info.

-
-

Declaration¶

-

typedef struct _krb5_creds krb5_creds

-
-
-

Members¶

-
-
-krb5_magic krb5_creds.magic¶
-
- -
-
-krb5_principal krb5_creds.client¶
-

client’s principal identifier

-
- -
-
-krb5_principal krb5_creds.server¶
-

server’s principal identifier

-
- -
-
-krb5_keyblock krb5_creds.keyblock¶
-

session encryption key info

-
- -
-
-krb5_ticket_times krb5_creds.times¶
-

lifetime info

-
- -
-
-krb5_boolean krb5_creds.is_skey¶
-

true if ticket is encrypted in another ticket’s skey

-
- -
-
-krb5_flags krb5_creds.ticket_flags¶
-

flags in ticket

-
- -
-
-krb5_address ** krb5_creds.addresses¶
-

addrs in ticket

-
- -
-
-krb5_data krb5_creds.ticket¶
-

ticket string itself

-
- -
-
-krb5_data krb5_creds.second_ticket¶
-

second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY)

-
- -
-
-krb5_authdata ** krb5_creds.authdata¶
-

authorization data

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_crypto_iov.html b/doc/html/appdev/refs/types/krb5_crypto_iov.html deleted file mode 100644 index 19ef944..0000000 --- a/doc/html/appdev/refs/types/krb5_crypto_iov.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - krb5_crypto_iov — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_crypto_iov¶

-
-
-krb5_crypto_iov¶
-
- -

Structure to describe a region of text to be encrypted or decrypted.

-

The flags member describes the type of the iov. The data member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5_crypto_iov’s along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5_crypto_iov structures before calling into an iov API.

-
-

Declaration¶

-

typedef struct _krb5_crypto_iov krb5_crypto_iov

-
-
-

Members¶

-
-
-krb5_cryptotype krb5_crypto_iov.flags¶
-

KRB5_CRYPTO_TYPE type of the iov

-
- -
-
-krb5_data krb5_crypto_iov.data¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_cryptotype.html b/doc/html/appdev/refs/types/krb5_cryptotype.html deleted file mode 100644 index 182cfc9..0000000 --- a/doc/html/appdev/refs/types/krb5_cryptotype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_cryptotype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_cryptotype¶

-
-
-krb5_cryptotype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_cryptotype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_data.html b/doc/html/appdev/refs/types/krb5_data.html deleted file mode 100644 index 6e1b3e5..0000000 --- a/doc/html/appdev/refs/types/krb5_data.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_data¶

-
-
-krb5_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_data krb5_data

-
-
-

Members¶

-
-
-krb5_magic krb5_data.magic¶
-
- -
-
-unsigned int krb5_data.length¶
-
- -
-
-char * krb5_data.data¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_deltat.html b/doc/html/appdev/refs/types/krb5_deltat.html deleted file mode 100644 index 3113b51..0000000 --- a/doc/html/appdev/refs/types/krb5_deltat.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_deltat — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_deltat¶

-
-
-krb5_deltat¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_deltat

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_enc_data.html b/doc/html/appdev/refs/types/krb5_enc_data.html deleted file mode 100644 index d5f26f5..0000000 --- a/doc/html/appdev/refs/types/krb5_enc_data.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_enc_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enc_data¶

-
-
-krb5_enc_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_enc_data krb5_enc_data

-
-
-

Members¶

-
-
-krb5_magic krb5_enc_data.magic¶
-
- -
-
-krb5_enctype krb5_enc_data.enctype¶
-
- -
-
-krb5_kvno krb5_enc_data.kvno¶
-
- -
-
-krb5_data krb5_enc_data.ciphertext¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html b/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html deleted file mode 100644 index d8a80b2..0000000 --- a/doc/html/appdev/refs/types/krb5_enc_kdc_rep_part.html +++ /dev/null @@ -1,229 +0,0 @@ - - - - - - - - krb5_enc_kdc_rep_part — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enc_kdc_rep_part¶

-
-
-krb5_enc_kdc_rep_part¶
-
- -

C representation of EncKDCRepPart protocol message.

-

This is the cleartext message that is encrypted and inserted in KDC-REP .

-
-

Declaration¶

-

typedef struct _krb5_enc_kdc_rep_part krb5_enc_kdc_rep_part

-
-
-

Members¶

-
-
-krb5_magic krb5_enc_kdc_rep_part.magic¶
-
- -
-
-krb5_msgtype krb5_enc_kdc_rep_part.msg_type¶
-

krb5 message type

-
- -
-
-krb5_keyblock * krb5_enc_kdc_rep_part.session¶
-

Session key.

-
- -
-
-krb5_last_req_entry ** krb5_enc_kdc_rep_part.last_req¶
-

Array of pointers to entries.

-
- -
-
-krb5_int32 krb5_enc_kdc_rep_part.nonce¶
-

Nonce from request.

-
- -
-
-krb5_timestamp krb5_enc_kdc_rep_part.key_exp¶
-

Expiration date.

-
- -
-
-krb5_flags krb5_enc_kdc_rep_part.flags¶
-

Ticket flags.

-
- -
-
-krb5_ticket_times krb5_enc_kdc_rep_part.times¶
-

Lifetime info.

-
- -
-
-krb5_principal krb5_enc_kdc_rep_part.server¶
-

Server’s principal identifier.

-
- -
-
-krb5_address ** krb5_enc_kdc_rep_part.caddrs¶
-

Array of ptrs to addrs, optional.

-
- -
-
-krb5_pa_data ** krb5_enc_kdc_rep_part.enc_padata¶
-

Encrypted preauthentication data.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_enc_tkt_part.html b/doc/html/appdev/refs/types/krb5_enc_tkt_part.html deleted file mode 100644 index b77856b..0000000 --- a/doc/html/appdev/refs/types/krb5_enc_tkt_part.html +++ /dev/null @@ -1,210 +0,0 @@ - - - - - - - - krb5_enc_tkt_part — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enc_tkt_part¶

-
-
-krb5_enc_tkt_part¶
-
- -

Encrypted part of ticket.

-
-

Declaration¶

-

typedef struct _krb5_enc_tkt_part krb5_enc_tkt_part

-
-
-

Members¶

-
-
-krb5_magic krb5_enc_tkt_part.magic¶
-
- -
-
-krb5_flags krb5_enc_tkt_part.flags¶
-

flags

-
- -
-
-krb5_keyblock * krb5_enc_tkt_part.session¶
-

session key: includes enctype

-
- -
-
-krb5_principal krb5_enc_tkt_part.client¶
-

client name/realm

-
- -
-
-krb5_transited krb5_enc_tkt_part.transited¶
-

list of transited realms

-
- -
-
-krb5_ticket_times krb5_enc_tkt_part.times¶
-

auth, start, end, renew_till

-
- -
-
-krb5_address ** krb5_enc_tkt_part.caddrs¶
-

array of ptrs to addresses

-
- -
-
-krb5_authdata ** krb5_enc_tkt_part.authorization_data¶
-

auth data

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_encrypt_block.html b/doc/html/appdev/refs/types/krb5_encrypt_block.html deleted file mode 100644 index ed2dc67..0000000 --- a/doc/html/appdev/refs/types/krb5_encrypt_block.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_encrypt_block — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_encrypt_block¶

-
-
-krb5_encrypt_block¶
-
- -
-

Declaration¶

-

typedef struct _krb5_encrypt_block krb5_encrypt_block

-
-
-

Members¶

-
-
-krb5_magic krb5_encrypt_block.magic¶
-
- -
-
-krb5_enctype krb5_encrypt_block.crypto_entry¶
-
- -
-
-krb5_keyblock * krb5_encrypt_block.key¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_enctype.html b/doc/html/appdev/refs/types/krb5_enctype.html deleted file mode 100644 index 82417fb..0000000 --- a/doc/html/appdev/refs/types/krb5_enctype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_enctype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_enctype¶

-
-
-krb5_enctype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_enctype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_error.html b/doc/html/appdev/refs/types/krb5_error.html deleted file mode 100644 index 5bfc5de..0000000 --- a/doc/html/appdev/refs/types/krb5_error.html +++ /dev/null @@ -1,222 +0,0 @@ - - - - - - - - krb5_error — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_error¶

-
-
-krb5_error¶
-
- -

Error message structure.

-
-

Declaration¶

-

typedef struct _krb5_error krb5_error

-
-
-

Members¶

-
-
-krb5_magic krb5_error.magic¶
-
- -
-
-krb5_timestamp krb5_error.ctime¶
-

Client sec portion; optional.

-
- -
-
-krb5_int32 krb5_error.cusec¶
-

Client usec portion; optional.

-
- -
-
-krb5_int32 krb5_error.susec¶
-

Server usec portion.

-
- -
-
-krb5_timestamp krb5_error.stime¶
-

Server sec portion.

-
- -
-
-krb5_ui_4 krb5_error.error¶
-

Error code (protocol error #’s)

-
- -
-
-krb5_principal krb5_error.client¶
-

Client principal and realm.

-
- -
-
-krb5_principal krb5_error.server¶
-

Server principal and realm.

-
- -
-
-krb5_data krb5_error.text¶
-

Descriptive text.

-
- -
-
-krb5_data krb5_error.e_data¶
-

Additional error-describing data.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_error_code.html b/doc/html/appdev/refs/types/krb5_error_code.html deleted file mode 100644 index 4550fa1..0000000 --- a/doc/html/appdev/refs/types/krb5_error_code.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_error_code — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_error_code¶

-
-
-krb5_error_code¶
-
- -

Used to convey an operation status.

-

The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.

-
-

Declaration¶

-

typedef krb5_int32 krb5_error_code

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_expire_callback_func.html b/doc/html/appdev/refs/types/krb5_expire_callback_func.html deleted file mode 100644 index 6cacb44..0000000 --- a/doc/html/appdev/refs/types/krb5_expire_callback_func.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_expire_callback_func — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_expire_callback_func¶

-
-
-krb5_expire_callback_func¶
-
- -
-

Declaration¶

-

typedef void( * krb5_expire_callback_func)(krb5_context context, void *data, krb5_timestamp password_expiration, krb5_timestamp account_expiration, krb5_boolean is_last_req)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_flags.html b/doc/html/appdev/refs/types/krb5_flags.html deleted file mode 100644 index 3e2d0eb..0000000 --- a/doc/html/appdev/refs/types/krb5_flags.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_flags — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_flags¶

-
-
-krb5_flags¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_flags

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html b/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html deleted file mode 100644 index 282bed3..0000000 --- a/doc/html/appdev/refs/types/krb5_get_init_creds_opt.html +++ /dev/null @@ -1,218 +0,0 @@ - - - - - - - - krb5_get_init_creds_opt — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_get_init_creds_opt¶

-
-
-krb5_get_init_creds_opt¶
-
- -

Store options for _krb5_get_init_creds .

-
-

Declaration¶

-

typedef struct _krb5_get_init_creds_opt krb5_get_init_creds_opt

-
-
-

Members¶

-
-
-krb5_flags krb5_get_init_creds_opt.flags¶
-
- -
-
-krb5_deltat krb5_get_init_creds_opt.tkt_life¶
-
- -
-
-krb5_deltat krb5_get_init_creds_opt.renew_life¶
-
- -
-
-int krb5_get_init_creds_opt.forwardable¶
-
- -
-
-int krb5_get_init_creds_opt.proxiable¶
-
- -
-
-krb5_enctype * krb5_get_init_creds_opt.etype_list¶
-
- -
-
-int krb5_get_init_creds_opt.etype_list_length¶
-
- -
-
-krb5_address ** krb5_get_init_creds_opt.address_list¶
-
- -
-
-krb5_preauthtype * krb5_get_init_creds_opt.preauth_list¶
-
- -
-
-int krb5_get_init_creds_opt.preauth_list_length¶
-
- -
-
-krb5_data * krb5_get_init_creds_opt.salt¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html b/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html deleted file mode 100644 index 2e8ea56..0000000 --- a/doc/html/appdev/refs/types/krb5_gic_opt_pa_data.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_gic_opt_pa_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_gic_opt_pa_data¶

-
-
-krb5_gic_opt_pa_data¶
-
- -

Generic preauth option attribute/value pairs.

-
-

Declaration¶

-

typedef struct _krb5_gic_opt_pa_data krb5_gic_opt_pa_data

-
-
-

Members¶

-
-
-char * krb5_gic_opt_pa_data.attr¶
-
- -
-
-char * krb5_gic_opt_pa_data.value¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_init_creds_context.html b/doc/html/appdev/refs/types/krb5_init_creds_context.html deleted file mode 100644 index 0b8e727..0000000 --- a/doc/html/appdev/refs/types/krb5_init_creds_context.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_init_creds_context — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_init_creds_context¶

-
-
-krb5_init_creds_context¶
-
- -
-

Declaration¶

-

typedef struct _krb5_init_creds_context* krb5_init_creds_context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_int16.html b/doc/html/appdev/refs/types/krb5_int16.html deleted file mode 100644 index d7cba5b..0000000 --- a/doc/html/appdev/refs/types/krb5_int16.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_int16 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_int16¶

-
-
-krb5_int16¶
-
- -
-

Declaration¶

-

typedef int16_t krb5_int16

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_int32.html b/doc/html/appdev/refs/types/krb5_int32.html deleted file mode 100644 index 2264fac..0000000 --- a/doc/html/appdev/refs/types/krb5_int32.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_int32 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_int32¶

-
-
-krb5_int32¶
-
- -
-

Declaration¶

-

typedef int32_t krb5_int32

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_kdc_rep.html b/doc/html/appdev/refs/types/krb5_kdc_rep.html deleted file mode 100644 index 5aa3d03..0000000 --- a/doc/html/appdev/refs/types/krb5_kdc_rep.html +++ /dev/null @@ -1,204 +0,0 @@ - - - - - - - - krb5_kdc_rep — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kdc_rep¶

-
-
-krb5_kdc_rep¶
-
- -

Representation of the KDC-REP protocol message.

-
-

Declaration¶

-

typedef struct _krb5_kdc_rep krb5_kdc_rep

-
-
-

Members¶

-
-
-krb5_magic krb5_kdc_rep.magic¶
-
- -
-
-krb5_msgtype krb5_kdc_rep.msg_type¶
-

KRB5_AS_REP or KRB5_KDC_REP.

-
- -
-
-krb5_pa_data ** krb5_kdc_rep.padata¶
-

Preauthentication data from KDC.

-
- -
-
-krb5_principal krb5_kdc_rep.client¶
-

Client principal and realm.

-
- -
-
-krb5_ticket * krb5_kdc_rep.ticket¶
-

Ticket.

-
- -
-
-krb5_enc_data krb5_kdc_rep.enc_part¶
-

Encrypted part of reply.

-
- -
-
-krb5_enc_kdc_rep_part * krb5_kdc_rep.enc_part2¶
-

Unencrypted version, if available.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_kdc_req.html b/doc/html/appdev/refs/types/krb5_kdc_req.html deleted file mode 100644 index 7f40991..0000000 --- a/doc/html/appdev/refs/types/krb5_kdc_req.html +++ /dev/null @@ -1,258 +0,0 @@ - - - - - - - - krb5_kdc_req — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kdc_req¶

-
-
-krb5_kdc_req¶
-
- -

C representation of KDC-REQ protocol message, including KDC-REQ-BODY.

-
-

Declaration¶

-

typedef struct _krb5_kdc_req krb5_kdc_req

-
-
-

Members¶

-
-
-krb5_magic krb5_kdc_req.magic¶
-
- -
-
-krb5_msgtype krb5_kdc_req.msg_type¶
-

KRB5_AS_REQ or KRB5_TGS_REQ.

-
- -
-
-krb5_pa_data ** krb5_kdc_req.padata¶
-

Preauthentication data.

-
- -
-
-krb5_flags krb5_kdc_req.kdc_options¶
-

Requested options.

-
- -
-
-krb5_principal krb5_kdc_req.client¶
-

Client principal and realm.

-
- -
-
-krb5_principal krb5_kdc_req.server¶
-

Server principal and realm.

-
- -
-
-krb5_timestamp krb5_kdc_req.from¶
-

Requested start time.

-
- -
-
-krb5_timestamp krb5_kdc_req.till¶
-

Requested end time.

-
- -
-
-krb5_timestamp krb5_kdc_req.rtime¶
-

Requested renewable end time.

-
- -
-
-krb5_int32 krb5_kdc_req.nonce¶
-

Nonce to match request and response.

-
- -
-
-int krb5_kdc_req.nktypes¶
-

Number of enctypes.

-
- -
-
-krb5_enctype * krb5_kdc_req.ktype¶
-

Requested enctypes.

-
- -
-
-krb5_address ** krb5_kdc_req.addresses¶
-

Requested addresses (optional)

-
- -
-
-krb5_enc_data krb5_kdc_req.authorization_data¶
-

Encrypted authz data (optional)

-
- -
-
-krb5_authdata ** krb5_kdc_req.unenc_authdata¶
-

Unencrypted authz data.

-
- -
-
-krb5_ticket ** krb5_kdc_req.second_ticket¶
-

Second ticket array (optional)

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_key.html b/doc/html/appdev/refs/types/krb5_key.html deleted file mode 100644 index c780f36..0000000 --- a/doc/html/appdev/refs/types/krb5_key.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_key — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_key¶

-
-
-krb5_key¶
-
- -

Opaque identifier for a key.

-

Use with the krb5_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected.

-
-

Declaration¶

-

typedef struct krb5_key_st* krb5_key

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_keyblock.html b/doc/html/appdev/refs/types/krb5_keyblock.html deleted file mode 100644 index ba5cdd2..0000000 --- a/doc/html/appdev/refs/types/krb5_keyblock.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_keyblock — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_keyblock¶

-
-
-krb5_keyblock¶
-
- -

Exposed contents of a key.

-
-

Declaration¶

-

typedef struct _krb5_keyblock krb5_keyblock

-
-
-

Members¶

-
-
-krb5_magic krb5_keyblock.magic¶
-
- -
-
-krb5_enctype krb5_keyblock.enctype¶
-
- -
-
-unsigned int krb5_keyblock.length¶
-
- -
-
-krb5_octet * krb5_keyblock.contents¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_keytab.html b/doc/html/appdev/refs/types/krb5_keytab.html deleted file mode 100644 index b20c832..0000000 --- a/doc/html/appdev/refs/types/krb5_keytab.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_keytab — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_keytab¶

-
-
-krb5_keytab¶
-
- -
-

Declaration¶

-

typedef struct _krb5_kt* krb5_keytab

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_keytab_entry.html b/doc/html/appdev/refs/types/krb5_keytab_entry.html deleted file mode 100644 index da5e71c..0000000 --- a/doc/html/appdev/refs/types/krb5_keytab_entry.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - krb5_keytab_entry — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_keytab_entry¶

-
-
-krb5_keytab_entry¶
-
- -

A key table entry.

-
-

Declaration¶

-

typedef struct krb5_keytab_entry_st krb5_keytab_entry

-
-
-

Members¶

-
-
-krb5_magic krb5_keytab_entry.magic¶
-
- -
-
-krb5_principal krb5_keytab_entry.principal¶
-

Principal of this key.

-
- -
-
-krb5_timestamp krb5_keytab_entry.timestamp¶
-

Time entry written to keytable.

-
- -
-
-krb5_kvno krb5_keytab_entry.vno¶
-

Key version number.

-
- -
-
-krb5_keyblock krb5_keytab_entry.key¶
-

The secret key.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_keyusage.html b/doc/html/appdev/refs/types/krb5_keyusage.html deleted file mode 100644 index 273e656..0000000 --- a/doc/html/appdev/refs/types/krb5_keyusage.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_keyusage — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_keyusage¶

-
-
-krb5_keyusage¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_keyusage

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_kt_cursor.html b/doc/html/appdev/refs/types/krb5_kt_cursor.html deleted file mode 100644 index 0231756..0000000 --- a/doc/html/appdev/refs/types/krb5_kt_cursor.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_kt_cursor — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kt_cursor¶

-
-
-krb5_kt_cursor¶
-
- -
-

Declaration¶

-

typedef krb5_pointer krb5_kt_cursor

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_kvno.html b/doc/html/appdev/refs/types/krb5_kvno.html deleted file mode 100644 index 851f269..0000000 --- a/doc/html/appdev/refs/types/krb5_kvno.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_kvno — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_kvno¶

-
-
-krb5_kvno¶
-
- -
-

Declaration¶

-

typedef unsigned int krb5_kvno

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_last_req_entry.html b/doc/html/appdev/refs/types/krb5_last_req_entry.html deleted file mode 100644 index 8332f41..0000000 --- a/doc/html/appdev/refs/types/krb5_last_req_entry.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_last_req_entry — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_last_req_entry¶

-
-
-krb5_last_req_entry¶
-
- -

Last request entry.

-
-

Declaration¶

-

typedef struct _krb5_last_req_entry krb5_last_req_entry

-
-
-

Members¶

-
-
-krb5_magic krb5_last_req_entry.magic¶
-
- -
-
-krb5_int32 krb5_last_req_entry.lr_type¶
-

LR type.

-
- -
-
-krb5_timestamp krb5_last_req_entry.value¶
-

Timestamp.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_magic.html b/doc/html/appdev/refs/types/krb5_magic.html deleted file mode 100644 index 37ba655..0000000 --- a/doc/html/appdev/refs/types/krb5_magic.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_magic — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_magic¶

-
-
-krb5_magic¶
-
- -
-

Declaration¶

-

typedef krb5_error_code krb5_magic

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html b/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html deleted file mode 100644 index 0bb57bf..0000000 --- a/doc/html/appdev/refs/types/krb5_mk_req_checksum_func.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_mk_req_checksum_func — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_mk_req_checksum_func¶

-
-
-krb5_mk_req_checksum_func¶
-
- -

Type of function used as a callback to generate checksum data for mk_req.

-
-

Declaration¶

-

typedef krb5_error_code( * krb5_mk_req_checksum_func)(krb5_context, krb5_auth_context, void *, krb5_data **)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_msgtype.html b/doc/html/appdev/refs/types/krb5_msgtype.html deleted file mode 100644 index 0e4ce21..0000000 --- a/doc/html/appdev/refs/types/krb5_msgtype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_msgtype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_msgtype¶

-
-
-krb5_msgtype¶
-
- -
-

Declaration¶

-

typedef unsigned int krb5_msgtype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_octet.html b/doc/html/appdev/refs/types/krb5_octet.html deleted file mode 100644 index 99d5c09..0000000 --- a/doc/html/appdev/refs/types/krb5_octet.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_octet — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_octet¶

-
-
-krb5_octet¶
-
- -
-

Declaration¶

-

typedef uint8_t krb5_octet

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pa_data.html b/doc/html/appdev/refs/types/krb5_pa_data.html deleted file mode 100644 index 90202f0..0000000 --- a/doc/html/appdev/refs/types/krb5_pa_data.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - krb5_pa_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pa_data¶

-
-
-krb5_pa_data¶
-
- -

Pre-authentication data.

-
-

Declaration¶

-

typedef struct _krb5_pa_data krb5_pa_data

-
-
-

Members¶

-
-
-krb5_magic krb5_pa_data.magic¶
-
- -
-
-krb5_preauthtype krb5_pa_data.pa_type¶
-

Preauthentication data type.

-
- -
-
-unsigned int krb5_pa_data.length¶
-

Length of data.

-
- -
-
-krb5_octet * krb5_pa_data.contents¶
-

Data.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pa_pac_req.html b/doc/html/appdev/refs/types/krb5_pa_pac_req.html deleted file mode 100644 index fa4ab51..0000000 --- a/doc/html/appdev/refs/types/krb5_pa_pac_req.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_pa_pac_req — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pa_pac_req¶

-
-
-krb5_pa_pac_req¶
-
- -
-

Declaration¶

-

typedef struct _krb5_pa_pac_req krb5_pa_pac_req

-
-
-

Members¶

-
-
-krb5_boolean krb5_pa_pac_req.include_pac¶
-

TRUE if a PAC should be included in TGS-REP.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html b/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html deleted file mode 100644 index 06f9546..0000000 --- a/doc/html/appdev/refs/types/krb5_pa_server_referral_data.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_pa_server_referral_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pa_server_referral_data¶

-
-
-krb5_pa_server_referral_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_pa_server_referral_data krb5_pa_server_referral_data

-
-
-

Members¶

-
-
-krb5_data * krb5_pa_server_referral_data.referred_realm¶
-
- -
-
-krb5_principal krb5_pa_server_referral_data.true_principal_name¶
-
- -
-
-krb5_principal krb5_pa_server_referral_data.requested_principal_name¶
-
- -
-
-krb5_timestamp krb5_pa_server_referral_data.referral_valid_until¶
-
- -
-
-krb5_checksum krb5_pa_server_referral_data.rep_cksum¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html b/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html deleted file mode 100644 index bd5ae6e..0000000 --- a/doc/html/appdev/refs/types/krb5_pa_svr_referral_data.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - - - krb5_pa_svr_referral_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pa_svr_referral_data¶

-
-
-krb5_pa_svr_referral_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_pa_svr_referral_data krb5_pa_svr_referral_data

-
-
-

Members¶

-
-
-krb5_principal krb5_pa_svr_referral_data.principal¶
-

Referred name, only realm is required.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pac.html b/doc/html/appdev/refs/types/krb5_pac.html deleted file mode 100644 index d7ab9a1..0000000 --- a/doc/html/appdev/refs/types/krb5_pac.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_pac — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pac¶

-
-
-krb5_pac¶
-
- -

PAC data structure to convey authorization information.

-
-

Declaration¶

-

typedef struct krb5_pac_data* krb5_pac

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pointer.html b/doc/html/appdev/refs/types/krb5_pointer.html deleted file mode 100644 index ece786c..0000000 --- a/doc/html/appdev/refs/types/krb5_pointer.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_pointer — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pointer¶

-
-
-krb5_pointer¶
-
- -
-

Declaration¶

-

typedef void* krb5_pointer

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_post_recv_fn.html b/doc/html/appdev/refs/types/krb5_post_recv_fn.html deleted file mode 100644 index 2199e69..0000000 --- a/doc/html/appdev/refs/types/krb5_post_recv_fn.html +++ /dev/null @@ -1,161 +0,0 @@ - - - - - - - - krb5_post_recv_fn — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_post_recv_fn¶

-
-
-krb5_post_recv_fn¶
-
- -

Hook function for inspecting or overriding KDC replies.

-

If code is non-zero, KDC communication failed and reply should be ignored. The hook function may return code or a different error code, or may synthesize a reply by setting new_reply_out and return successfully. -The hook function should use krb5_copy_data() to construct the value for new_reply_out , to ensure that it can be freed correctly by the library.

-
-

Declaration¶

-

typedef krb5_error_code( * krb5_post_recv_fn)(krb5_context context, void *data, krb5_error_code code, const krb5_data *realm, const krb5_data *message, const krb5_data *reply, krb5_data **new_reply_out)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pre_send_fn.html b/doc/html/appdev/refs/types/krb5_pre_send_fn.html deleted file mode 100644 index ffa0792..0000000 --- a/doc/html/appdev/refs/types/krb5_pre_send_fn.html +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - krb5_pre_send_fn — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pre_send_fn¶

-
-
-krb5_pre_send_fn¶
-
- -

Hook function for inspecting or modifying messages sent to KDCs.

-

If the hook function sets reply_out , message will not be sent to the KDC, and the given reply will used instead. -If the hook function sets new_message_out , the given message will be sent to the KDC in place of message . -If the hook function returns successfully without setting either output, message will be sent to the KDC normally. -The hook function should use krb5_copy_data() to construct the value for new_message_out or reply_out , to ensure that it can be freed correctly by the library.

-
-

Declaration¶

-

typedef krb5_error_code( * krb5_pre_send_fn)(krb5_context context, void *data, const krb5_data *realm, const krb5_data *message, krb5_data **new_message_out, krb5_data **new_reply_out)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_preauthtype.html b/doc/html/appdev/refs/types/krb5_preauthtype.html deleted file mode 100644 index 7dfc740..0000000 --- a/doc/html/appdev/refs/types/krb5_preauthtype.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_preauthtype — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_preauthtype¶

-
-
-krb5_preauthtype¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_preauthtype

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_principal.html b/doc/html/appdev/refs/types/krb5_principal.html deleted file mode 100644 index ba7b9ca..0000000 --- a/doc/html/appdev/refs/types/krb5_principal.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_principal — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal¶

-
-
-krb5_principal¶
-
- -
-

Declaration¶

-

typedef krb5_principal_data* krb5_principal

-
-
-

Members¶

-
-
-krb5_magic krb5_principal.magic¶
-
- -
-
-krb5_data krb5_principal.realm¶
-
- -
-
-krb5_data * krb5_principal.data¶
-

An array of strings.

-
- -
-
-krb5_int32 krb5_principal.length¶
-
- -
-
-krb5_int32 krb5_principal.type¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_principal_data.html b/doc/html/appdev/refs/types/krb5_principal_data.html deleted file mode 100644 index a844f4b..0000000 --- a/doc/html/appdev/refs/types/krb5_principal_data.html +++ /dev/null @@ -1,188 +0,0 @@ - - - - - - - - krb5_principal_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_principal_data¶

-
-
-krb5_principal_data¶
-
- -
-

Declaration¶

-

typedef struct krb5_principal_data krb5_principal_data

-
-
-

Members¶

-
-
-krb5_magic krb5_principal_data.magic¶
-
- -
-
-krb5_data krb5_principal_data.realm¶
-
- -
-
-krb5_data * krb5_principal_data.data¶
-

An array of strings.

-
- -
-
-krb5_int32 krb5_principal_data.length¶
-
- -
-
-krb5_int32 krb5_principal_data.type¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_prompt.html b/doc/html/appdev/refs/types/krb5_prompt.html deleted file mode 100644 index 23a36ef..0000000 --- a/doc/html/appdev/refs/types/krb5_prompt.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_prompt — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_prompt¶

-
-
-krb5_prompt¶
-
- -

Text for prompt used in prompter callback function.

-
-

Declaration¶

-

typedef struct _krb5_prompt krb5_prompt

-
-
-

Members¶

-
-
-char * krb5_prompt.prompt¶
-

The prompt to show to the user.

-
- -
-
-int krb5_prompt.hidden¶
-

Boolean; informative prompt or hidden (e.g. -PIN)

-
- -
-
-krb5_data * krb5_prompt.reply¶
-

Must be allocated before call to prompt routine.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_prompt_type.html b/doc/html/appdev/refs/types/krb5_prompt_type.html deleted file mode 100644 index 6119b26..0000000 --- a/doc/html/appdev/refs/types/krb5_prompt_type.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_prompt_type — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_prompt_type¶

-
-
-krb5_prompt_type¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_prompt_type

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_prompter_fct.html b/doc/html/appdev/refs/types/krb5_prompter_fct.html deleted file mode 100644 index a09c302..0000000 --- a/doc/html/appdev/refs/types/krb5_prompter_fct.html +++ /dev/null @@ -1,159 +0,0 @@ - - - - - - - - krb5_prompter_fct — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_prompter_fct¶

-
-
-krb5_prompter_fct¶
-
- -

Pointer to a prompter callback function.

-
-

Declaration¶

-

typedef krb5_error_code( * krb5_prompter_fct)(krb5_context context, void *data, const char *name, const char *banner, int num_prompts, krb5_prompt prompts[])

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_pwd_data.html b/doc/html/appdev/refs/types/krb5_pwd_data.html deleted file mode 100644 index 4d2690e..0000000 --- a/doc/html/appdev/refs/types/krb5_pwd_data.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - krb5_pwd_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_pwd_data¶

-
-
-krb5_pwd_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_pwd_data krb5_pwd_data

-
-
-

Members¶

-
-
-krb5_magic krb5_pwd_data.magic¶
-
- -
-
-int krb5_pwd_data.sequence_count¶
-
- -
-
-passwd_phrase_element ** krb5_pwd_data.element¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_rcache.html b/doc/html/appdev/refs/types/krb5_rcache.html deleted file mode 100644 index 718aa9e..0000000 --- a/doc/html/appdev/refs/types/krb5_rcache.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_rcache — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_rcache¶

-
-
-krb5_rcache¶
-
- -
-

Declaration¶

-

typedef struct krb5_rc_st* krb5_rcache

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_replay_data.html b/doc/html/appdev/refs/types/krb5_replay_data.html deleted file mode 100644 index 9a26835..0000000 --- a/doc/html/appdev/refs/types/krb5_replay_data.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_replay_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_replay_data¶

-
-
-krb5_replay_data¶
-
- -

Replay data.

-

Sequence number and timestamp information output by krb5_rd_priv() and krb5_rd_safe() .

-
-

Declaration¶

-

typedef struct krb5_replay_data krb5_replay_data

-
-
-

Members¶

-
-
-krb5_timestamp krb5_replay_data.timestamp¶
-

Timestamp, seconds portion.

-
- -
-
-krb5_int32 krb5_replay_data.usec¶
-

Timestamp, microseconds portion.

-
- -
-
-krb5_ui_4 krb5_replay_data.seq¶
-

Sequence number.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_context.html b/doc/html/appdev/refs/types/krb5_responder_context.html deleted file mode 100644 index ca4fdfc..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_context.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_responder_context — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_context¶

-
-
-krb5_responder_context¶
-
- -

A container for a set of preauthentication questions and answers.

-

A responder context is supplied by the krb5 authentication system to a krb5_responder_fn callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using krb5_responder_list_questions() , retrieved using krb5_responder_get_challenge() , or answered using krb5_responder_set_answer() . The form of a question’s challenge and answer depend on the question name.

-
-

Declaration¶

-

typedef struct krb5_responder_context_st* krb5_responder_context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_fn.html b/doc/html/appdev/refs/types/krb5_responder_fn.html deleted file mode 100644 index 1bf7da3..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_fn.html +++ /dev/null @@ -1,160 +0,0 @@ - - - - - - - - krb5_responder_fn — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_fn¶

-
-
-krb5_responder_fn¶
-
- -

Responder function for an initial credential exchange.

-

If a required question is unanswered, the prompter may be called.

-
-

Declaration¶

-

typedef krb5_error_code( * krb5_responder_fn)(krb5_context ctx, void *data, krb5_responder_context rctx)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html b/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html deleted file mode 100644 index 3729407..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_otp_challenge.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_responder_otp_challenge — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_otp_challenge¶

-
-
-krb5_responder_otp_challenge¶
-
- -
-

Declaration¶

-

typedef struct _krb5_responder_otp_challenge krb5_responder_otp_challenge

-
-
-

Members¶

-
-
-char * krb5_responder_otp_challenge.service¶
-
- -
-
-krb5_responder_otp_tokeninfo ** krb5_responder_otp_challenge.tokeninfo¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html b/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html deleted file mode 100644 index 8387c26..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_otp_tokeninfo.html +++ /dev/null @@ -1,197 +0,0 @@ - - - - - - - - krb5_responder_otp_tokeninfo — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_otp_tokeninfo¶

-
-
-krb5_responder_otp_tokeninfo¶
-
- -
-

Declaration¶

-

typedef struct _krb5_responder_otp_tokeninfo krb5_responder_otp_tokeninfo

-
-
-

Members¶

-
-
-krb5_flags krb5_responder_otp_tokeninfo.flags¶
-
- -
-
-krb5_int32 krb5_responder_otp_tokeninfo.format¶
-
- -
-
-krb5_int32 krb5_responder_otp_tokeninfo.length¶
-
- -
-
-char * krb5_responder_otp_tokeninfo.vendor¶
-
- -
-
-char * krb5_responder_otp_tokeninfo.challenge¶
-
- -
-
-char * krb5_responder_otp_tokeninfo.token_id¶
-
- -
-
-char * krb5_responder_otp_tokeninfo.alg_id¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html b/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html deleted file mode 100644 index 4dbd2f2..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_pkinit_challenge.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - krb5_responder_pkinit_challenge — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_pkinit_challenge¶

-
-
-krb5_responder_pkinit_challenge¶
-
- -
-

Declaration¶

-

typedef struct _krb5_responder_pkinit_challenge krb5_responder_pkinit_challenge

-
-
-

Members¶

-
-
-krb5_responder_pkinit_identity ** krb5_responder_pkinit_challenge.identities¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html b/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html deleted file mode 100644 index a2decc3..0000000 --- a/doc/html/appdev/refs/types/krb5_responder_pkinit_identity.html +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - krb5_responder_pkinit_identity — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_responder_pkinit_identity¶

-
-
-krb5_responder_pkinit_identity¶
-
- -
-

Declaration¶

-

typedef struct _krb5_responder_pkinit_identity krb5_responder_pkinit_identity

-
-
-

Members¶

-
-
-char * krb5_responder_pkinit_identity.identity¶
-
- -
-
-krb5_int32 krb5_responder_pkinit_identity.token_flags¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_response.html b/doc/html/appdev/refs/types/krb5_response.html deleted file mode 100644 index a33cf1d..0000000 --- a/doc/html/appdev/refs/types/krb5_response.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_response — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_response¶

-
-
-krb5_response¶
-
- -
-

Declaration¶

-

typedef struct _krb5_response krb5_response

-
-
-

Members¶

-
-
-krb5_magic krb5_response.magic¶
-
- -
-
-krb5_octet krb5_response.message_type¶
-
- -
-
-krb5_data krb5_response.response¶
-
- -
-
-krb5_int32 krb5_response.expected_nonce¶
-
- -
-
-krb5_timestamp krb5_response.request_time¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ticket.html b/doc/html/appdev/refs/types/krb5_ticket.html deleted file mode 100644 index 0fafd2b..0000000 --- a/doc/html/appdev/refs/types/krb5_ticket.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_ticket — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ticket¶

-
-
-krb5_ticket¶
-
- -

Ticket structure.

-

The C representation of the ticket message, with a pointer to the C representation of the encrypted part.

-
-

Declaration¶

-

typedef struct _krb5_ticket krb5_ticket

-
-
-

Members¶

-
-
-krb5_magic krb5_ticket.magic¶
-
- -
-
-krb5_principal krb5_ticket.server¶
-

server name/realm

-
- -
-
-krb5_enc_data krb5_ticket.enc_part¶
-

encryption type, kvno, encrypted encoding

-
- -
-
-krb5_enc_tkt_part * krb5_ticket.enc_part2¶
-

ptr to decrypted version, if available

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ticket_times.html b/doc/html/appdev/refs/types/krb5_ticket_times.html deleted file mode 100644 index 2f3865e..0000000 --- a/doc/html/appdev/refs/types/krb5_ticket_times.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - krb5_ticket_times — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ticket_times¶

-
-
-krb5_ticket_times¶
-
- -

Ticket start time, end time, and renewal duration.

-
-

Declaration¶

-

typedef struct _krb5_ticket_times krb5_ticket_times

-
-
-

Members¶

-
-
-krb5_timestamp krb5_ticket_times.authtime¶
-

Time at which KDC issued the initial ticket that corresponds to this ticket.

-
- -
-
-krb5_timestamp krb5_ticket_times.starttime¶
-

optional in ticket, if not present, use authtime

-
- -
-
-krb5_timestamp krb5_ticket_times.endtime¶
-

Ticket expiration time.

-
- -
-
-krb5_timestamp krb5_ticket_times.renew_till¶
-

Latest time at which renewal of ticket can be valid.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_timestamp.html b/doc/html/appdev/refs/types/krb5_timestamp.html deleted file mode 100644 index 800e06d..0000000 --- a/doc/html/appdev/refs/types/krb5_timestamp.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_timestamp — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_timestamp¶

-
-
-krb5_timestamp¶
-
- -
-

Declaration¶

-

typedef krb5_int32 krb5_timestamp

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_tkt_authent.html b/doc/html/appdev/refs/types/krb5_tkt_authent.html deleted file mode 100644 index 36e8944..0000000 --- a/doc/html/appdev/refs/types/krb5_tkt_authent.html +++ /dev/null @@ -1,183 +0,0 @@ - - - - - - - - krb5_tkt_authent — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_authent¶

-
-
-krb5_tkt_authent¶
-
- -

Ticket authentication data.

-
-

Declaration¶

-

typedef struct _krb5_tkt_authent krb5_tkt_authent

-
-
-

Members¶

-
-
-krb5_magic krb5_tkt_authent.magic¶
-
- -
-
-krb5_ticket * krb5_tkt_authent.ticket¶
-
- -
-
-krb5_authenticator * krb5_tkt_authent.authenticator¶
-
- -
-
-krb5_flags krb5_tkt_authent.ap_options¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_tkt_creds_context.html b/doc/html/appdev/refs/types/krb5_tkt_creds_context.html deleted file mode 100644 index f47e61c..0000000 --- a/doc/html/appdev/refs/types/krb5_tkt_creds_context.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_tkt_creds_context — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_tkt_creds_context¶

-
-
-krb5_tkt_creds_context¶
-
- -
-

Declaration¶

-

typedef struct _krb5_tkt_creds_context* krb5_tkt_creds_context

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_trace_callback.html b/doc/html/appdev/refs/types/krb5_trace_callback.html deleted file mode 100644 index 69a52bb..0000000 --- a/doc/html/appdev/refs/types/krb5_trace_callback.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_trace_callback — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_trace_callback¶

-
-
-krb5_trace_callback¶
-
- -
-

Declaration¶

-

typedef void( * krb5_trace_callback)(krb5_context context, const krb5_trace_info *info, void *cb_data)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_trace_info.html b/doc/html/appdev/refs/types/krb5_trace_info.html deleted file mode 100644 index 5981cc9..0000000 --- a/doc/html/appdev/refs/types/krb5_trace_info.html +++ /dev/null @@ -1,169 +0,0 @@ - - - - - - - - krb5_trace_info — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_trace_info¶

-
-
-krb5_trace_info¶
-
- -

A wrapper for passing information to a krb5_trace_callback .

-

Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future.

-
-

Declaration¶

-

typedef struct _krb5_trace_info krb5_trace_info

-
-
-

Members¶

-
-
-const char * krb5_trace_info.message¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_transited.html b/doc/html/appdev/refs/types/krb5_transited.html deleted file mode 100644 index 60b4183..0000000 --- a/doc/html/appdev/refs/types/krb5_transited.html +++ /dev/null @@ -1,180 +0,0 @@ - - - - - - - - krb5_transited — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_transited¶

-
-
-krb5_transited¶
-
- -

Structure for transited encoding.

-
-

Declaration¶

-

typedef struct _krb5_transited krb5_transited

-
-
-

Members¶

-
-
-krb5_magic krb5_transited.magic¶
-
- -
-
-krb5_octet krb5_transited.tr_type¶
-

Transited encoding type.

-
- -
-
-krb5_data krb5_transited.tr_contents¶
-

Contents.

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_typed_data.html b/doc/html/appdev/refs/types/krb5_typed_data.html deleted file mode 100644 index ff5ecb2..0000000 --- a/doc/html/appdev/refs/types/krb5_typed_data.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - krb5_typed_data — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_typed_data¶

-
-
-krb5_typed_data¶
-
- -
-

Declaration¶

-

typedef struct _krb5_typed_data krb5_typed_data

-
-
-

Members¶

-
-
-krb5_magic krb5_typed_data.magic¶
-
- -
-
-krb5_int32 krb5_typed_data.type¶
-
- -
-
-unsigned int krb5_typed_data.length¶
-
- -
-
-krb5_octet * krb5_typed_data.data¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ui_2.html b/doc/html/appdev/refs/types/krb5_ui_2.html deleted file mode 100644 index 6361ad6..0000000 --- a/doc/html/appdev/refs/types/krb5_ui_2.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_ui_2 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ui_2¶

-
-
-krb5_ui_2¶
-
- -
-

Declaration¶

-

typedef uint16_t krb5_ui_2

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_ui_4.html b/doc/html/appdev/refs/types/krb5_ui_4.html deleted file mode 100644 index f78a428..0000000 --- a/doc/html/appdev/refs/types/krb5_ui_4.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - krb5_ui_4 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_ui_4¶

-
-
-krb5_ui_4¶
-
- -
-

Declaration¶

-

typedef uint32_t krb5_ui_4

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html b/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html deleted file mode 100644 index 989ed8e..0000000 --- a/doc/html/appdev/refs/types/krb5_verify_init_creds_opt.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - krb5_verify_init_creds_opt — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5_verify_init_creds_opt¶

-
-
-krb5_verify_init_creds_opt¶
-
- -
-

Declaration¶

-

typedef struct _krb5_verify_init_creds_opt krb5_verify_init_creds_opt

-
-
-

Members¶

-
-
-krb5_flags krb5_verify_init_creds_opt.flags¶
-
- -
-
-int krb5_verify_init_creds_opt.ap_req_nofail¶
-

boolean

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/appdev/refs/types/passwd_phrase_element.html b/doc/html/appdev/refs/types/passwd_phrase_element.html deleted file mode 100644 index 8c5895d..0000000 --- a/doc/html/appdev/refs/types/passwd_phrase_element.html +++ /dev/null @@ -1,177 +0,0 @@ - - - - - - - - passwd_phrase_element — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

passwd_phrase_element¶

-
-
-passwd_phrase_element¶
-
- -
-

Declaration¶

-

typedef struct _passwd_phrase_element passwd_phrase_element

-
-
-

Members¶

-
-
-krb5_magic passwd_phrase_element.magic¶
-
- -
-
-krb5_data * passwd_phrase_element.passwd¶
-
- -
-
-krb5_data * passwd_phrase_element.phrase¶
-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/ccache_def.html b/doc/html/basic/ccache_def.html deleted file mode 100644 index ab1e865..0000000 --- a/doc/html/basic/ccache_def.html +++ /dev/null @@ -1,286 +0,0 @@ - - - - - - - - Credential cache — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Credential cache¶

-

A credential cache (or “ccache”) holds Kerberos credentials while they -remain valid and, generally, while the user’s session lasts, so that -authenticating to a service multiple times (e.g., connecting to a web -or mail server more than once) doesn’t require contacting the KDC -every time.

-

A credential cache usually contains one initial ticket which is -obtained using a password or another form of identity verification. -If this ticket is a ticket-granting ticket, it can be used to obtain -additional credentials without the password. Because the credential -cache does not store the password, less long-term damage can be done -to the user’s account if the machine is compromised.

-

A credentials cache stores a default client principal name, set when -the cache is created. This is the name shown at the top of the -klist -A output.

-

Each normal cache entry includes a service principal name, a client -principal name (which, in some ccache types, need not be the same as -the default), lifetime information, and flags, along with the -credential itself. There are also other entries, indicated by special -names, that store additional information.

-
-

ccache types¶

-

The credential cache interface, like the keytab and -replay cache interfaces, uses TYPE:value strings to -indicate the type of credential cache and any associated cache naming -data to use.

-

There are several kinds of credentials cache supported in the MIT -Kerberos library. Not all are supported on every platform. In most -cases, it should be correct to use the default type built into the -library.

-
    -

  1. API is only implemented on Windows. It communicates with a -server process that holds the credentials in memory for the user, -rather than writing them to disk.

    -
    2. -

  2. DIR points to the storage location of the collection of the -credential caches in FILE: format. It is most useful when dealing -with multiple Kerberos realms and KDCs. For release 1.10 the -directory must already exist. In post-1.10 releases the -requirement is for parent directory to exist and the current -process must have permissions to create the directory if it does -not exist. See Collections of caches for details. New in release 1.10.

    -
    3. -

  3. FILE caches are the simplest and most portable. A simple flat -file format is used to store one credential after another. This is -the default ccache type if no type is specified in a ccache name.

    -
    4. -

  4. KCM caches work by contacting a daemon process called kcm -to perform cache operations. If the cache name is just KCM:, -the default cache as determined by the KCM daemon will be used. -Newly created caches must generally be named KCM:uid:name, -where uid is the effective user ID of the running process.

    -

    KCM client support is new in release 1.13. A KCM daemon has not -yet been implemented in MIT krb5, but the client will interoperate -with the KCM daemon implemented by Heimdal. OS X 10.7 and higher -provides a KCM daemon as part of the operating system, and the -KCM cache type is used as the default cache on that platform in -a default build.

    -
    5. -

  5. KEYRING is Linux-specific, and uses the kernel keyring support -to store credential data in unswappable kernel memory where only -the current user should be able to access it. The following -residual forms are supported:

    -
      -
    • KEYRING:name
      • -
    • KEYRING:process:name - process keyring
      • -
    • KEYRING:thread:name - thread keyring
      • -
    -

    Starting with release 1.12 the KEYRING type supports collections. -The following new residual forms were added:

    -
      -
    • KEYRING:session:name - session keyring
      • -
    • KEYRING:user:name - user keyring
      • -
    • KEYRING:persistent:uidnumber - persistent per-UID collection. -Unlike the user keyring, this collection survives after the user -logs out, until the cache credentials expire. This type of -ccache requires support from the kernel; otherwise, it will fall -back to the user keyring.
      • -
    -

    See Collections of caches for details.

    -
    6. -

  6. MEMORY caches are for storage of credentials that don’t need to -be made available outside of the current process. For example, a -memory ccache is used by kadmin to store the -administrative ticket used to contact the admin server. Memory -ccaches are faster than file ccaches and are automatically -destroyed when the process exits.

    -
    7. -

  7. MSLSA is a Windows-specific cache type that accesses the -Windows credential store.

    -
    8. -
-
-
-

Collections of caches¶

-

Some credential cache types can support collections of multiple -caches. One of the caches in the collection is designated as the -primary and will be used when the collection is resolved as a cache. -When a collection-enabled cache type is the default cache for a -process, applications can search the specified collection for a -specific client principal, and GSSAPI applications will automatically -select between the caches in the collection based on criteria such as -the target service realm.

-

Credential cache collections are new in release 1.10, with support -from the DIR and API ccache types. Starting in release 1.12, -collections are also supported by the KEYRING ccache type. -Collections are supported by the KCM ccache type in release 1.13.

-
-

Tool alterations to use cache collection¶

-
    -
  • kdestroy -A will destroy all caches in the collection.
    • -
  • If the default cache type supports switching, kinit -princname will search the collection for a matching cache and -store credentials there, or will store credentials in a new unique -cache of the default type if no existing cache for the principal -exists. Either way, kinit will switch to the selected cache.
    • -
  • klist -l will list the caches in the collection.
    • -
  • klist -A will show the content of all caches in the -collection.
    • -
  • kswitch -p princname will search the collection for a -matching cache and switch to it.
    • -
  • kswitch -c cachename will switch to a specified cache.
    • -
-
-
-
-

Default ccache name¶

-

The default credential cache name is determined by the following, in -descending order of priority:

-
    -
  1. The KRB5CCNAME environment variable. For example, -KRB5CCNAME=DIR:/mydir/.
    2. -
  2. The default_ccache_name profile variable in [libdefaults].
    3. -
  3. The hardcoded default, DEFCCNAME.
    4. -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/date_format.html b/doc/html/basic/date_format.html deleted file mode 100644 index 74caba7..0000000 --- a/doc/html/basic/date_format.html +++ /dev/null @@ -1,341 +0,0 @@ - - - - - - - - Supported date and time formats — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Supported date and time formats¶

-
-

Time duration¶

-

This format is used to express a time duration in the Kerberos -configuration files and user commands. The allowed formats are:

-
-
----- - - - - - - - - - - - - - - - - - - -
FormatExampleValue
h:m[:s]36:0036 hours
NdNhNmNs8h30s8 hours 30 seconds
N (number of seconds)36001 hour
-
-

Here N denotes a number, d - days, h - hours, m - minutes, -s - seconds.

-
-

Note

-

The time interval should not exceed 2147483647 seconds.

-
-

Examples:

-
Request a ticket valid for one hour, five hours, 30 minutes
-and 10 days respectively:
-
-  kinit -l 3600
-  kinit -l 5:00
-  kinit -l 30m
-  kinit -l "10d 0h 0m 0s"
-
-
-
-
-

getdate time¶

-

Some of the kadmin and kdb5_util commands take a date-time in a -human-readable format. Some of the acceptable date-time -strings are:

-
-
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 FormatExample
Datemm/dd/yy07/27/12
month dd, yyyyJul 27, 2012
yyyy-mm-dd2012-07-27
Absolute -timeHH:mm[:ss]pp08:30 PM
hh:mm[:ss]20:30
Relative -timeN tt30 sec
Time zoneZEST
z-0400
-
-

(See Abbreviations used in this document.)

-

Examples:

-
Create a principal that expires on the date indicated:
-    addprinc test1 -expire "3/27/12 10:00:07 EST"
-    addprinc test2 -expire "January 23, 2015 10:05pm"
-    addprinc test3 -expire "22:00 GMT"
-Add a principal that will expire in 30 minutes:
-    addprinc test4 -expire "30 minutes"
-
-
-
-
-

Absolute time¶

-

This rarely used date-time format can be noted in one of the -following ways:

-
-
----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FormatExampleValue
yyyymmddhhmmss20141231235900One minute -before 2015
yyyy.mm.dd.hh.mm.ss2014.12.31.23.59.00
yymmddhhmmss141231235900
yy.mm.dd.hh.mm.ss14.12.31.23.59.00
dd-month-yyyy:hh:mm:ss31-Dec-2014:23:59:00
hh:mm:ss20:00:008 o’clock in -the evening
hhmmss200000
-
-

(See Abbreviations used in this document.)

-

Example:

-
Set the default expiration date to July 27, 2012 at 20:30
-default_principal_expiration = 20120727203000
-
-
-
-

Abbreviations used in this document¶

-
-
month : locale’s month name or its abbreviation;
-
dd : day of month (01-31);
-
HH : hours (00-12);
-
hh : hours (00-23);
-
mm : in time - minutes (00-59); in date - month (01-12);
-
N : number;
-
pp : AM or PM;
-
ss : seconds (00-60);
-
tt : time units (hours, minutes, min, seconds, sec);
-
yyyy : year;
-
yy : last two digits of the year;
-
Z : alphabetic time zone abbreviation;
-
z : numeric time zone;
-
-
-

Note

-
    -
  • If the date specification contains spaces, you may need to -enclose it in double quotes;
    • -
  • All keywords are case-insensitive.
    • -
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/index.html b/doc/html/basic/index.html deleted file mode 100644 index 57c146b..0000000 --- a/doc/html/basic/index.html +++ /dev/null @@ -1,149 +0,0 @@ - - - - - - - - Kerberos V5 concepts — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/keytab_def.html b/doc/html/basic/keytab_def.html deleted file mode 100644 index 4c034b5..0000000 --- a/doc/html/basic/keytab_def.html +++ /dev/null @@ -1,194 +0,0 @@ - - - - - - - - keytab — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

keytab¶

-

A keytab (short for “key table”) stores long-term keys for one or more -principals. Keytabs are normally represented by files in a standard -format, although in rare cases they can be represented in other ways. -Keytabs are used most often to allow server applications to accept -authentications from clients, but can also be used to obtain initial -credentials for client applications.

-

Keytabs are named using the format type:value. Usually -type is FILE and value is the absolute pathname of the file. -Other possible values for type are SRVTAB, which indicates a -file in the deprecated Kerberos 4 srvtab format, and MEMORY, which -indicates a temporary keytab stored in the memory of the current -process.

-

A keytab contains one or more entries, where each entry consists of a -timestamp (indicating when the entry was written to the keytab), a -principal name, a key version number, an encryption type, and the -encryption key itself.

-

A keytab can be displayed using the klist command with the --k option. Keytabs can be created or appended to by extracting -keys from the KDC database using the kadmin ktadd -command. Keytabs can be manipulated using the ktutil and -k5srvutil commands.

-
-

Default keytab¶

-

The default keytab is used by server applications if the application -does not request a specific keytab. The name of the default keytab is -determined by the following, in decreasing order of preference:

-
    -
  1. The KRB5_KTNAME environment variable.
    2. -
  2. The default_keytab_name profile variable in [libdefaults].
    3. -
  3. The hardcoded default, DEFKTNAME.
    4. -
-
-
-

Default client keytab¶

-

The default client keytab is used, if it is present and readable, to -automatically obtain initial credentials for GSSAPI client -applications. The principal name of the first entry in the client -keytab is used by default when obtaining initial credentials. The -name of the default client keytab is determined by the following, in -decreasing order of preference:

-
    -
  1. The KRB5_CLIENT_KTNAME environment variable.
    2. -
  2. The default_client_keytab_name profile variable in -[libdefaults].
    3. -
  3. The hardcoded default, DEFCKTNAME.
    4. -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/rcache_def.html b/doc/html/basic/rcache_def.html deleted file mode 100644 index 76aa47e..0000000 --- a/doc/html/basic/rcache_def.html +++ /dev/null @@ -1,230 +0,0 @@ - - - - - - - - replay cache — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

replay cache¶

-

A replay cache (or “rcache”) keeps track of all authenticators -recently presented to a service. If a duplicate authentication -request is detected in the replay cache, an error message is sent to -the application program.

-

The replay cache interface, like the credential cache and -keytab interfaces, uses type:value strings to -indicate the type of replay cache and any associated cache naming -data to use.

-
-

Background information¶

-

Some Kerberos or GSSAPI services use a simple authentication mechanism -where a message is sent containing an authenticator, which establishes -the encryption key that the client will use for talking to the -service. But nothing about that prevents an eavesdropper from -recording the messages sent by the client, establishing a new -connection, and re-sending or “replaying” the same messages; the -replayed authenticator will establish the same encryption key for the -new session, and the following messages will be decrypted and -processed. The attacker may not know what the messages say, and can’t -generate new messages under the same encryption key, but in some -instances it may be harmful to the user (or helpful to the attacker) -to cause the server to see the same messages again a second time. For -example, if the legitimate client sends “delete first message in -mailbox”, a replay from an attacker may delete another, different -“first” message. (Protocol design to guard against such problems has -been discussed in RFC 4120.)

-

Even if one protocol uses further protection to verify that the client -side of the connection actually knows the encryption keys (and thus is -presumably a legitimate user), if another service uses the same -service principal name, it may be possible to record an authenticator -used with the first protocol and “replay” it against the second.

-

The replay cache mitigates these attacks somewhat, by keeping track of -authenticators that have been seen until their five-minute window -expires. Different authenticators generated by multiple connections -from the same legitimate client will generally have different -timestamps, and thus will not be considered the same.

-

This mechanism isn’t perfect. If a message is sent to one application -server but a man-in-the-middle attacker can prevent it from actually -arriving at that server, the attacker could then use the authenticator -(once!) against a different service on the same host. This could be a -problem if the message from the client included something more than -authentication in the first message that could be useful to the -attacker (which is uncommon; in most protocols the server has to -indicate a successful authentication before the client sends -additional messages), or if the simple act of presenting the -authenticator triggers some interesting action in the service being -attacked.

-
-
-

Default rcache type¶

-

There is currently only one implemented kind of replay cache, called -dfl. It stores replay data in one file, occasionally rewriting it -to purge old, expired entries.

-

The default type can be overridden by the KRB5RCACHETYPE -environment variable.

-

The placement of the replay cache file is determined by the following:

-
    -
  1. The KRB5RCACHEDIR environment variable;
    2. -
  2. If KRB5RCACHEDIR is unspecified, on UNIX, the library -will fall back to the environment variable TMPDIR, and then to -a temporary directory determined at configuration time such as -/tmp or /var/tmp; on Windows, it will check the environment -variables TEMP and TMP, and fall back to the directory C:\.
    3. -
-
-
-

Performance issues¶

-

Several known minor performance issues that may occur when replay -cache is enabled on the Kerberos system include: delays due to writing -the authenticator data to disk slowing down response time for very -heavily loaded servers, and delays during the rewrite that may be -unacceptable to high-performance services.

-

For use cases where replays are adequately defended against for all -protocols using a given service principal name, or where performance -or other considerations outweigh the risk of replays, the special -replay cache type “none” can be specified:

-
KRB5RCACHETYPE=none
-
-
-

It doesn’t record any information about authenticators, and reports -that any authenticator seen is not a replay.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/basic/stash_file_def.html b/doc/html/basic/stash_file_def.html deleted file mode 100644 index 70aec6e..0000000 --- a/doc/html/basic/stash_file_def.html +++ /dev/null @@ -1,158 +0,0 @@ - - - - - - - - stash file — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

stash file¶

-

The stash file is a local copy of the master key that resides in -encrypted form on the KDC’s local disk. The stash file is used to -authenticate the KDC to itself automatically before starting the -kadmind and krb5kdc daemons (e.g., as part of the -machine’s boot sequence). The stash file, like the keytab file (see -The keytab file) is a potential point-of-entry for a break-in, and -if compromised, would allow unrestricted access to the Kerberos -database. If you choose to install a stash file, it should be -readable only by root, and should exist only on the KDC’s local disk. -The file should not be part of any backup of the machine, unless -access to the backup data is secured as tightly as access to the -master password itself.

-
-

Note

-

If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. -This means that the KDC will not be able to start automatically, such as after a system reboot.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build/directory_org.html b/doc/html/build/directory_org.html deleted file mode 100644 index e5e5902..0000000 --- a/doc/html/build/directory_org.html +++ /dev/null @@ -1,255 +0,0 @@ - - - - - - - - Organization of the source directory — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Organization of the source directory¶

-

Below is a brief overview of the organization of the complete source -directory. More detailed descriptions follow.

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
applKerberos application client and server programs
ccapiCredential cache services
clientsKerberos V5 user programs (See User commands)
configConfigure scripts
config-filesSample Kerberos configuration files
includeinclude files needed to build the Kerberos system
kadminAdministrative interface to the Kerberos master database: kadmin, kdb5_util, ktutil.
kdcKerberos V5 Authentication Service and Key Distribution Center
libLibraries for use with/by Kerberos V5
pluginsKerberos plugins directory
poLocalization infrastructure
prototypeTemplates files containing the MIT copyright message and a placeholder for the title and description of the file.
slaveUtilities for propagating the database to slave KDCs kprop and kpropd
testsTest suite
utilVarious utilities for building/configuring the code, sending bug reports, etc.
windowsSource code for building Kerberos V5 on Windows (see windows/README)
-
-

lib¶

-

The lib directory contain several subdirectories as well as some -definition and glue files.

-
-
    -
  • The apputils directory contains the code for the generic network -servicing.
    • -
  • The crypto subdirectory contains the Kerberos V5 encryption -library.
    • -
  • The gssapi library contains the Generic Security Services API, -which is a library of commands to be used in secure client-server -communication.
    • -
  • The kadm5 directory contains the libraries for the KADM5 -administration utilities.
    • -
  • The Kerberos 5 database libraries are contained in kdb.
    • -
  • The krb5 directory contains Kerberos 5 API.
    • -
  • The rpc directory contains the API for the Kerberos Remote -Procedure Call protocol.
    • -
-
-
-
-

util¶

-
-
The util directory contains several utility programs and libraries.
-
    -
  • the programs used to configure and build the code, such as -autoconf, lndir, kbuild, reconf, and makedepend, are in this -directory.
    • -
  • the profile directory contains most of the functions which parse -the Kerberos configuration files (krb5.conf and kdc.conf).
    • -
  • the Kerberos error table library and utilities (et);
    • -
  • the Sub-system library and utilities (ss);
    • -
  • database utilities (db2);
    • -
  • pseudo-terminal utilities (pty);
    • -
  • bug-reporting program send-pr;
    • -
  • a generic support library support used by several of our other -libraries;
    • -
  • the build infrastructure for building lightweight Kerberos client -(collected-client-lib)
    • -
  • the tool for validating Kerberos configuration files -(confvalidator);
    • -
  • the toolkit for kernel integrators for building krb5 code subsets -(gss-kernel-lib);
    • -
  • source code for building Kerberos V5 on MacOS (mac)
    • -
  • Windows getopt operations (windows)
    • -
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build/doing_build.html b/doc/html/build/doing_build.html deleted file mode 100644 index a7f97d6..0000000 --- a/doc/html/build/doing_build.html +++ /dev/null @@ -1,291 +0,0 @@ - - - - - - - - Doing the build — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Doing the build¶

-
-

Building within a single tree¶

-

If you only need to build Kerberos for one platform, using a single -directory tree which contains both the source files and the object -files is the simplest. However, if you need to maintain Kerberos for -a large number of platforms, you will probably want to use separate -build trees for each platform. We recommend that you look at OS -Incompatibilities, for notes that we have on particular operating -systems.

-

If you don’t want separate build trees for each architecture, then use -the following abbreviated procedure:

-
cd /u1/krb5-VERSION/src
-./configure
-make
-
-
-

That’s it!

-
-
-

Building with separate build directories¶

-

If you wish to keep separate build directories for each platform, you -can do so using the following procedure. (Note, this requires that -your make program support VPATH. GNU’s make will provide this -functionality, for example.) If your make program does not support -this, see the next section.

-

For example, if you wish to store the binaries in tmpbuild build -directory you might use the following procedure:

-
mkdir /u1/tmpbuild
-cd /u1/tmpbuild
-/u1/krb5-VERSION/src/configure
-make
-
-
-
-
-

Building using lndir¶

-

If you wish to keep separate build directories for each platform, and -you do not have access to a make program which supports VPATH, all is -not lost. You can use the lndir program to create symbolic link trees -in your build directory.

-

For example, if you wish to create a build directory for solaris -binaries you might use the following procedure:

-
mkdir /u1/krb5-VERSION/solaris
-cd /u1/krb5-VERSION/solaris
-/u1/krb5-VERSION/src/util/lndir `pwd`/../src
-./configure
-make
-
-
-

You must give an absolute pathname to lndir because it has a bug that -makes it fail for relative pathnames. Note that this version differs -from the latest version as distributed and installed by the -XConsortium with X11R6. Either version should be acceptable.

-
-
-

Installing the binaries¶

-

Once you have built Kerberos, you should install the binaries. You can -do this by running:

-
make install
-
-
-

If you want to install the binaries into a destination directory that -is not their final destination, which may be convenient if you want to -build a binary distribution to be deployed on multiple hosts, you may -use:

-
make install DESTDIR=/path/to/destdir
-
-
-

This will install the binaries under DESTDIR/PREFIX, e.g., the user -programs will install into DESTDIR/PREFIX/bin, the libraries into -DESTDIR/PREFIX/lib, etc.

-

Some implementations of make allow multiple commands to be run in -parallel, for faster builds. We test our Makefiles in parallel builds -with GNU make only; they may not be compatible with other parallel -build implementations.

-
-
-

Testing the build¶

-

The Kerberos V5 distribution comes with built-in regression tests. To -run them, simply type the following command while in the top-level -build directory (i.e., the directory where you sent typed make to -start building Kerberos; see Building within a single tree):

-
make check
-
-
-

However, there are several prerequisites that must be satisfied first:

-
    -
  • Configure and build Kerberos with Tcl support. Tcl is used to drive -the test suite. This often means passing --with-tcl to -configure to tell it the location of the Tcl configuration -script. (See Options to configure.)
    • -
  • In addition to Tcl, DejaGnu must be available on the system for some -of the tests to run. The test suite will still run the other tests -if DejaGnu is not present, but the test coverage will be reduced -accordingly.
    • -
  • On some operating systems, you have to run make install before -running make check, or the test suite will pick up installed -versions of Kerberos libraries rather than the newly built ones. -You can install into a prefix that isn’t in the system library -search path, though. Alternatively, you can configure with ---disable-rpath, which renders the build tree less suitable for -installation, but allows testing without interference from -previously installed libraries.
    • -
-

There are additional regression tests available, which are not run -by make check. These tests require manual setup and teardown of -support infrastructure which is not easily automated, or require -excessive resources for ordinary use. The procedure for running -the manual tests is documented at -http://k5wiki.kerberos.org/wiki/Manual_Testing.

-
-
-

Cleaning up the build¶

-
    -
  • Use make clean to remove all files generated by running make -command.
    • -
  • Use make distclean to remove all files generated by running -./configure script. After running make distclean your source -tree (ideally) should look like the raw (just un-tarred) source -tree.
    • -
-
-
-

Using autoconf¶

-

(If you are not a developer, you can ignore this section.)

-

In the Kerberos V5 source directory, there is a configure script which -automatically determines the compilation environment and creates the -proper Makefiles for a particular platform. This configure script is -generated using autoconf, which you should already have installed if -you will be making changes to src/configure.in.

-

Normal users will not need to worry about running autoconf; the -distribution comes with the configure script already prebuilt.

-

The autoconf package comes with a script called autoreconf that -will automatically run autoconf and autoheader as needed. You -should run autoreconf from the top source directory, e.g.:

-
cd /u1/krb5-VERSION/src
-autoreconf --verbose
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build/index.html b/doc/html/build/index.html deleted file mode 100644 index 5327817..0000000 --- a/doc/html/build/index.html +++ /dev/null @@ -1,197 +0,0 @@ - - - - - - - - Building Kerberos V5 — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Building Kerberos V5¶

-

This section details how to build and install MIT Kerberos software -from the source.

-
-

Prerequisites¶

-

In order to build Kerberos V5, you will need approximately 60-70 -megabytes of disk space. The exact amount will vary depending on the -platform and whether the distribution is compiled with debugging -symbol tables or not.

-

Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, “c89”). -Some operating systems do not have an ANSI C compiler, or their -default compiler requires extra command-line options to enable ANSI C -conformance.

-

If you wish to keep a separate build tree, which contains the compiled -*.o file and executables, separate from your source tree, you will -need a make program which supports VPATH, or you will need to use -a tool such as lndir to produce a symbolic link tree for your build -tree.

-
-
-

Obtaining the software¶

-

The source code can be obtained from MIT Kerberos Distribution page, -at http://web.mit.edu/kerberos/dist/index.html. -The MIT Kerberos distribution comes in an archive file, generally -named krb5-VERSION-signed.tar, where VERSION is a placeholder for -the major and minor versions of MIT Kerberos. (For example, MIT -Kerberos 1.9 has major version “1” and minor version “9”.)

-

The krb5-VERSION-signed.tar contains a compressed tar file consisting -of the sources for all of Kerberos (generally named -krb5-VERSION.tar.gz) and a PGP signature file for this source tree -(generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that -you verify the integrity of the source code using this signature, -e.g., by running:

-
tar xf krb5-VERSION-signed.tar
-gpg --verify krb5-VERSION.tar.gz.asc
-
-
-

Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume -that you have chosen the top directory of the distribution the directory -/u1/krb5-VERSION.

-

Review the README file for the license, copyright and other sprecific to the -distribution information.

-
- -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build/options2configure.html b/doc/html/build/options2configure.html deleted file mode 100644 index 4e294cb..0000000 --- a/doc/html/build/options2configure.html +++ /dev/null @@ -1,491 +0,0 @@ - - - - - - - - Options to configure — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Options to configure¶

-

There are a number of options to configure which you can use to -control how the Kerberos distribution is built.

-
-

Most commonly used options¶

-
-
--help
-
Provides help to configure. This will list the set of commonly -used options for building Kerberos.
-
--prefix=PREFIX
-
By default, Kerberos will install the package’s files rooted at -/usr/local. If you desire to place the binaries into the -directory PREFIX, use this option.
-
--exec-prefix=EXECPREFIX
-
This option allows one to separate the architecture independent -programs from the host-dependent files (configuration files, -manual pages). Use this option to install architecture-dependent -programs in EXECPREFIX. The default location is the value of -specified by --prefix option.
-
--localstatedir=LOCALSTATEDIR
-
This option sets the directory for locally modifiable -single-machine data. In Kerberos, this mostly is useful for -setting a location for the KDC data files, as they will be -installed in LOCALSTATEDIR/krb5kdc, which is by default -PREFIX/var/krb5kdc.
-
--with-netlib[=libs]
-
Allows for suppression of or replacement of network libraries. By -default, Kerberos V5 configuration will look for -lnsl and --lsocket. If your operating system has a broken resolver -library or fails to pass the tests in src/tests/resolv, you -will need to use this option.
-
--with-tcl=TCLPATH
-
Some of the unit-tests in the build tree rely upon using a program -in Tcl. The directory specified by TCLPATH specifies where the -Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl -library (TCLPATH/lib) should be found.
-
--enable-dns-for-realm
-
Enable the use of DNS to look up a host’s Kerberos realm, -if the information is not provided in -krb5.conf. See Mapping hostnames onto Kerberos realms -for information about using DNS to determine the default realm. -DNS lookups for realm names are disabled by default.
-
--with-system-et
-

Use an installed version of the error-table (et) support software, -the compile_et program, the com_err.h header file and the com_err -library. If these are not in the default locations, you may wish -to specify CPPFLAGS=-I/some/dir and -LDFLAGS=-L/some/other/dir options at configuration time as -well.

-

If this option is not given, a version supplied with the Kerberos -sources will be built and installed along with the rest of the -Kerberos tree, for Kerberos applications to link against.

-
-
--with-system-ss
-

Use an installed version of the subsystem command-line interface -software, the mk_cmds program, the ss/ss.h header file and the -ss library. If these are not in the default locations, you may -wish to specify CPPFLAGS=-I/some/dir and -LDFLAGS=-L/some/other/dir options at configuration time as -well. See also the SS_LIB option.

-

If this option is not given, the ss library supplied with the -Kerberos sources will be compiled and linked into those programs -that need it; it will not be installed separately.

-
-
--with-system-db
-

Use an installed version of the Berkeley DB package, which must -provide an API compatible with version 1.85. This option is -unsupported and untested. In particular, we do not know if the -database-rename code used in the dumpfile load operation will -behave properly.

-

If this option is not given, a version supplied with the Kerberos -sources will be built and installed. (We are not updating this -version at this time because of licensing issues with newer -versions that we haven’t investigated sufficiently yet.)

-
-
-
-
-

Environment variables¶

-
-
CC=COMPILER
-
Use COMPILER as the C compiler.
-
CFLAGS=FLAGS
-
Use FLAGS as the default set of C compiler flags.
-
CPP=CPP
-
C preprocessor to use. (e.g., CPP='gcc -E')
-
CPPFLAGS=CPPOPTS
-
Use CPPOPTS as the default set of C preprocessor flags. The -most common use of this option is to select certain #define’s for -use with the operating system’s include files.
-
DB_HEADER=headername
-
If db.h is not the correct header file to include to compile -against the Berkeley DB 1.85 API, specify the correct header file -name with this option. For example, DB_HEADER=db3/db_185.h.
-
DB_LIB=libs...
-
If -ldb is not the correct library specification for the -Berkeley DB library version to be used, override it with this -option. For example, DB_LIB=-ldb-3.3.
-
DEFCCNAME=ccachename
-
Override the built-in default credential cache name. -For example, DEFCCNAME=DIR:/var/run/user/%{USERID}/ccache -See Parameter expansion for information about supported -parameter expansions.
-
DEFCKTNAME=keytabname
-
Override the built-in default client keytab name. -The format is the same as for DEFCCNAME.
-
DEFKTNAME=keytabname
-
Override the built-in default keytab name. -The format is the same as for DEFCCNAME.
-
LD=LINKER
-
Use LINKER as the default loader if it should be different from -C compiler as specified above.
-
LDFLAGS=LDOPTS
-
This option informs the linker where to get additional libraries -(e.g., -L<lib dir>).
-
LIBS=LDNAME
-
This option allows one to specify libraries to be passed to the -linker (e.g., -l<library>)
-
SS_LIB=libs...
-

If -lss is not the correct way to link in your installed ss -library, for example if additional support libraries are needed, -specify the correct link options here. Some variants of this -library are around which allow for Emacs-like line editing, but -different versions require different support libraries to be -explicitly specified.

-

This option is ignored if --with-system-ss is not specified.

-
-
YACC
-
The ‘Yet Another C Compiler’ implementation to use. Defaults to -the first program found out of: ‘bison -y‘, ‘byacc‘, -‘yacc‘.
-
YFLAGS
-
The list of arguments that will be passed by default to $YACC. -This script will default YFLAGS to the empty string to avoid a -default value of -d given by some make applications.
-
-
-
-

Fine tuning of the installation directories¶

-
-
--bindir=DIR
-
User executables. Defaults to EXECPREFIX/bin, where -EXECPREFIX is the path specified by --exec-prefix -configuration option.
-
--sbindir=DIR
-
System admin executables. Defaults to EXECPREFIX/sbin, where -EXECPREFIX is the path specified by --exec-prefix -configuration option.
-
--sysconfdir=DIR
-
Read-only single-machine data such as krb5.conf. -Defaults to PREFIX/etc, where -PREFIX is the path specified by --prefix configuration -option.
-
--libdir=DIR
-
Object code libraries. Defaults to EXECPREFIX/lib, where -EXECPREFIX is the path specified by --exec-prefix -configuration option.
-
--includedir=DIR
-
C header files. Defaults to PREFIX/include, where PREFIX is -the path specified by --prefix configuration option.
-
--datarootdir=DATAROOTDIR
-
Read-only architecture-independent data root. Defaults to -PREFIX/share, where PREFIX is the path specified by ---prefix configuration option.
-
--datadir=DIR
-
Read-only architecture-independent data. Defaults to path -specified by --datarootdir configuration option.
-
--localedir=DIR
-
Locale-dependent data. Defaults to DATAROOTDIR/locale, where -DATAROOTDIR is the path specified by --datarootdir -configuration option.
-
--mandir=DIR
-
Man documentation. Defaults to DATAROOTDIR/man, where -DATAROOTDIR is the path specified by --datarootdir -configuration option.
-
-
-
-

Program names¶

-
-
--program-prefix=PREFIX
-
Prepend PREFIX to the names of the programs when installing -them. For example, specifying --program-prefix=mit- at the -configure time will cause the program named abc to be -installed as mit-abc.
-
--program-suffix=SUFFIX
-
Append SUFFIX to the names of the programs when installing them. -For example, specifying --program-suffix=-mit at the configure -time will cause the program named abc to be installed as -abc-mit.
-
--program-transform-name=PROGRAM
-
Run sed -e PROGRAM on installed program names. (PROGRAM is a -sed script).
-
-
-
-

System types¶

-
-
--build=BUILD
-
Configure for building on BUILD -(e.g., --build=x86_64-linux-gnu).
-
--host=HOST
-
Cross-compile to build programs to run on HOST -(e.g., --host=x86_64-linux-gnu). By default, Kerberos V5 -configuration will look for “build” option.
-
-
-
-

Optional features¶

-
-
--disable-option-checking
-
Ignore unrecognized –enable/–with options.
-
--disable-FEATURE
-
Do not include FEATURE (same as –enable-FEATURE=no).
-
--enable-FEATURE[=ARG]
-
Include FEATURE [ARG=yes].
-
--enable-maintainer-mode
-
Enable rebuilding of source files, Makefiles, etc.
-
--disable-delayed-initialization
-
Initialize library code when loaded. Defaults to delay until -first use.
-
--disable-thread-support
-
Don’t enable thread support. Defaults to enabled.
-
--disable-rpath
-
Suppress run path flags in link lines.
-
--enable-athena
-
Build with MIT Project Athena configuration.
-
--disable-kdc-lookaside-cache
-
Disable the cache which detects client retransmits.
-
--disable-pkinit
-
Disable PKINIT plugin support.
-
--disable-aesni
-
Disable support for using AES instructions on x86 platforms.
-
--enable-asan[=ARG]
-
Enable building with asan memory error checking. If ARG is -given, it controls the -fsanitize compilation flag value (the -default is “address”).
-
-
-
-

Optional packages¶

-
-
--with-PACKAGE[=ARG]
-
Use PACKAGE (e.g., --with-imap). The default value of ARG -is yes.
-
--without-PACKAGE
-
Do not use PACKAGE (same as --with-PACKAGE=no) -(e.g., --without-libedit).
-
--with-size-optimizations
-
Enable a few optimizations to reduce code size possibly at some -run-time cost.
-
--with-system-et
-
Use the com_err library and compile_et utility that are already -installed on the system, instead of building and installing -local versions.
-
--with-system-ss
-
Use the ss library and mk_cmds utility that are already installed -on the system, instead of building and using private versions.
-
--with-system-db
-
Use the berkeley db utility already installed on the system, -instead of using a private version. This option is not -recommended; enabling it may result in incompatibility with key -databases originating on other systems.
-
--with-netlib=LIBS
-
Use the resolver library specified in LIBS. Use this variable -if the C library resolver is insufficient or broken.
-
--with-hesiod=path
-
Compile with Hesiod support. The path points to the Hesiod -directory. By default Hesiod is unsupported.
-
--with-ldap
-
Compile OpenLDAP database backend module.
-
--with-tcl=path
-
Specifies that path is the location of a Tcl installation. -Tcl is needed for some of the tests run by ‘make check’; such tests -will be skipped if this option is not set.
-
--with-vague-errors
-
Do not send helpful errors to client. For example, if the KDC -should return only vague error codes to clients.
-
--with-crypto-impl=IMPL
-
Use specified crypto implementation (e.g., --with-crypto-impl=openssl). The default is the native MIT -Kerberos implementation builtin. The other currently -implemented crypto backend is openssl. (See -MIT Kerberos features)
-
--with-prng-alg=ALG
-
Use specified PRNG algorithm. For example, to use the OS native -prng specify --with-prng-alg=os. The default is fortuna. -(See MIT Kerberos features)
-
--with-pkinit-crypto-impl=IMPL
-
Use the specified pkinit crypto implementation IMPL. -Defaults to using OpenSSL.
-
--without-libedit
-
Do not compile and link against libedit. Some utilities will no -longer offer command history or completion in interactive mode if -libedit is disabled.
-
--with-readline
-
Compile and link against GNU readline, as an alternative to libedit. -Building with readline breaks the dejagnu test suite, which is a -subset of the tests run by ‘make check’.
-
--with-system-verto
-

Use an installed version of libverto. If the libverto header and -library are not in default locations, you may wish to specify -CPPFLAGS=-I/some/dir and LDFLAGS=-L/some/other/dir options -at configuration time as well.

-

If this option is not given, the build system will try to detect -an installed version of libverto and use it if it is found. -Otherwise, a version supplied with the Kerberos sources will be -built and installed. The built-in version does not contain the -full set of back-end modules and is not a suitable general -replacement for the upstream version, but will work for the -purposes of Kerberos.

-

Specifying --without-system-verto will cause the built-in -version of libverto to be used unconditionally.

-
-
--with-krb5-config=PATH
-
Use the krb5-config program at PATH to obtain the build-time -default credential cache, keytab, and client keytab names. The -default is to use krb5-config from the program path. Specify ---without-krb5-config to disable the use of krb5-config and -use the usual built-in defaults.
-
-
-
-

Examples¶

-

For example, in order to configure Kerberos on a Solaris machine using -the suncc compiler with the optimizer turned on, run the configure -script with the following options:

-
% ./configure CC=suncc CFLAGS=-O
-
-
-

For a slightly more complicated example, consider a system where -several packages to be used by Kerberos are installed in -/usr/foobar, including Berkeley DB 3.3, and an ss library that -needs to link against the curses library. The configuration of -Kerberos might be done thus:

-
./configure CPPFLAGS=-I/usr/foobar/include LDFLAGS=-L/usr/foobar/lib \
---with-system-et --with-system-ss --with-system-db  \
-SS_LIB='-lss -lcurses'  DB_HEADER=db3/db_185.h DB_LIB=-ldb-3.3
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build/osconf.html b/doc/html/build/osconf.html deleted file mode 100644 index e612817..0000000 --- a/doc/html/build/osconf.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - osconf.hin — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

osconf.hin¶

-

There is one configuration file which you may wish to edit to control -various compile-time parameters in the Kerberos distribution:

-
include/osconf.hin
-
-
-

The list that follows is by no means complete, just some of the more -interesting variables.

-
-
DEFAULT_PROFILE_PATH
-
The pathname to the file which contains the profiles for the known -realms, their KDCs, etc. The default value is /etc/krb5.conf.
-
DEFAULT_KEYTAB_NAME
-
The type and pathname to the default server keytab file. The -default is DEFKTNAME.
-
DEFAULT_KDC_ENCTYPE
-
The default encryption type for the KDC database master key. The -default value is aes256-cts-hmac-sha1-96.
-
RCTMPDIR
-
The directory which stores replay caches. The default is -/var/tmp.
-
DEFAULT_KDB_FILE
-
The location of the default database. The default value is -LOCALSTATEDIR/krb5kdc/principal.
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/build_this.html b/doc/html/build_this.html deleted file mode 100644 index 3696515..0000000 --- a/doc/html/build_this.html +++ /dev/null @@ -1,211 +0,0 @@ - - - - - - - - How to build this documentation from the source — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

How to build this documentation from the source¶

-

Pre-requisites for a simple build, or to update man pages:

- -

Additional prerequisites to include the API reference based on Doxygen -markup:

-
    -
  • Python 2.5 with the Cheetah, lxml, and xml modules
    • -
  • Doxygen
    • -
-
-

Simple build without API reference¶

-

To test simple changes to the RST sources, you can build the -documentation without the Doxygen reference by running, from the doc -directory:

-
sphinx-build . test_html
-
-
-

You will see a number of warnings about missing files. This is -expected. If there is not already a doc/version.py file, you will -need to create one by first running make version.py in the -src/doc directory of a configured build tree.

-
-
-

Updating man pages¶

-

Man pages are generated from the RST sources and checked into the -src/man directory of the repository. This allows man pages to be -installed without requiring Sphinx when using a source checkout. To -regenerate these files, run make man from the man subdirectory -of a configured build tree. You can also do this from an unconfigured -source tree with:

-
cd src/man
-make -f Makefile.in top_srcdir=.. srcdir=. man
-make clean
-
-
-

As with the simple build, it is normal to see warnings about missing -files when rebuilding the man pages.

-
-
-

Building for a release tarball or web site¶

-

To generate documentation in HTML format, run make html in the -doc subdirectory of a configured build tree (the build directory -corresponding to src/doc, not the top-level doc directory). -The output will be placed in the top-level doc/html directory. -This build will include the API reference generated from Doxygen -markup in the source tree.

-

Documentation generated this way will use symbolic names for paths -(like BINDIR for the directory containing user programs), with the -symbolic names being links to a table showing typical values for those -paths.

-

You can also do this from an unconfigured source tree with:

-
cd src/doc
-make -f Makefile.in SPHINX_ARGS= htmlsrc
-
-
-
-
-

Building for an OS package or site documentation¶

-

To generate documentation specific to a build of MIT krb5 as you have -configured it, run make substhtml in the doc subdirectory of a -configured build tree (the build directory corresponding to -src/doc, not the top-level doc directory). The output will be -placed in the html_subst subdirectory of that build directory. -This build will include the API reference.

-

Documentation generated this way will use concrete paths (like -/usr/local/bin for the directory containing user programs, for a -default custom build).

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/copyright.html b/doc/html/copyright.html deleted file mode 100644 index f76d612..0000000 --- a/doc/html/copyright.html +++ /dev/null @@ -1,138 +0,0 @@ - - - - - - - - Copyright — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/formats/ccache_file_format.html b/doc/html/formats/ccache_file_format.html deleted file mode 100644 index aa03dec..0000000 --- a/doc/html/formats/ccache_file_format.html +++ /dev/null @@ -1,298 +0,0 @@ - - - - - - - - Credential cache file format — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Credential cache file format¶

-

There are four versions of the file format used by the FILE credential -cache type. The first byte of the file always has the value 5, and -the value of the second byte contains the version number (1 through -4). Versions 1 and 2 of the file format use native byte order for integer -representations. Versions 3 and 4 always use big-endian byte order.

-

After the two-byte version indicator, the file has three parts: the -header (in version 4 only), the default principal name, and a sequence -of credentials.

-
-

Header format¶

-

The header appears only in format version 4. It begins with a 16-bit -integer giving the length of the entire header, followed by a sequence -of fields. Each field consists of a 16-bit tag, a 16-bit length, and -a value of the given length. A file format implementation should -ignore fields with unknown tags.

-

At this time there is only one defined header field. Its tag value is -1, its length is always 8, and its contents are two 32-bit integers -giving the seconds and microseconds of the time offset of the KDC -relative to the client. Adding this offset to the current time on the -client should give the current time on the KDC, if that offset has not -changed since the initial authentication.

-
-
-

Principal format¶

-

The default principal is marshalled using the following informal -grammar:

-
principal ::=
-    name type (32 bits) [omitted in version 1]
-    count of components (32 bits) [includes realm in version 1]
-    realm (data)
-    component1 (data)
-    component2 (data)
-    ...
-
-data ::=
-    length (32 bits)
-    value (length bytes)
-
-
-

There is no external framing on the default principal, so it must be -parsed according to the above grammar in order to find the sequence of -credentials which follows.

-
-
-

Credential format¶

-

The credential format uses the following informal grammar (referencing -the principal and data types from the previous section):

-
credential ::=
-    client (principal)
-    server (principal)
-    keyblock (keyblock)
-    authtime (32 bits)
-    starttime (32 bits)
-    endtime (32 bits)
-    renew_till (32 bits)
-    is_skey (1 byte, 0 or 1)
-    ticket_flags (32 bits)
-    addresses (addresses)
-    authdata (authdata)
-    ticket (data)
-    second_ticket (data)
-
-keyblock ::=
-    enctype (16 bits) [repeated twice in version 3]
-    data
-
-addresses ::=
-    count (32 bits)
-    address1
-    address2
-    ...
-
-address ::=
-    addrtype (16 bits)
-    data
-
-authdata ::=
-    count (32 bits)
-    authdata1
-    authdata2
-    ...
-
-authdata ::=
-    ad_type (16 bits)
-    data
-
-
-

There is no external framing on a marshalled credential, so it must be -parsed according to the above grammar in order to find the next -credential. There is also no count of credentials or marker at the -end of the sequence of credentials; the sequence ends when the file -ends.

-
-
-

Credential cache configuration entries¶

-

Configuration entries are encoded as credential entries. The client -principal of the entry is the default principal of the cache. The -server principal has the realm X-CACHECONF: and two or three -components, the first of which is krb5_ccache_conf_data. The -server principal’s second component is the configuration key. The -third component, if it exists, is a principal to which the -configuration key is associated. The configuration value is stored in -the ticket field of the entry. All other entry fields are zeroed.

-

Programs using credential caches must be aware of configuration -entries for several reasons:

-
    -
  • A program which displays the contents of a cache should not -generally display configuration entries.
    • -
  • The ticket field of a configuration entry is not (usually) a valid -encoding of a Kerberos ticket. An implementation must not treat the -cache file as malformed if it cannot decode the ticket field.
    • -
  • Configuration entries have an endtime field of 0 and might therefore -always be considered expired, but they should not be treated as -unimportant as a result. For instance, a program which copies -credentials from one cache to another should not omit configuration -entries because of the endtime.
    • -
-

The following configuration keys are currently used in MIT krb5:

-
-
fast_avail
-
The presence of this key with a non-empty value indicates that the -KDC asserted support for FAST (see RFC 6113) during the initial -authentication, using the negotiation method described in -RFC 6806 section 11. This key is not associated with any -principal.
-
pa_config_data
-
The value of this key contains a JSON object representation of -parameters remembered by the preauthentication mechanism used -during the initial authentication. These parameters may be used -when refreshing credentials. This key is associated with the -server principal of the initial authentication (usually the local -krbtgt principal of the client realm).
-
pa_type
-
The value of this key is the ASCII decimal representation of the -preauth type number used during the initial authentication. This -key is associated with the server principal of the initial -authentication.
-
proxy_impersonator
-
The presence of this key indicates that the cache is a synthetic -delegated credential for use with S4U2Proxy. The value is the -name of the intermediate service whose TGT can be used to make -S4U2Proxy requests for target services. This key is not -associated with any principal.
-
refresh_time
-
The presence of this key indicates that the cache was acquired by -the GSS mechanism using a client keytab. The value is the ASCII -decimal representation of a timestamp at which the GSS mechanism -should attempt to refresh the credential cache from the client -keytab.
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/formats/cookie.html b/doc/html/formats/cookie.html deleted file mode 100644 index cbf170c..0000000 --- a/doc/html/formats/cookie.html +++ /dev/null @@ -1,197 +0,0 @@ - - - - - - - - KDC cookie format — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/formats/index.html b/doc/html/formats/index.html deleted file mode 100644 index 4f0d9ba..0000000 --- a/doc/html/formats/index.html +++ /dev/null @@ -1,145 +0,0 @@ - - - - - - - - Protocols and file formats — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/formats/keytab_file_format.html b/doc/html/formats/keytab_file_format.html deleted file mode 100644 index 0eff27c..0000000 --- a/doc/html/formats/keytab_file_format.html +++ /dev/null @@ -1,187 +0,0 @@ - - - - - - - - Keytab file format — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Keytab file format¶

-

There are two versions of the file format used by the FILE keytab -type. The first byte of the file always has the value 5, and the -value of the second byte contains the version number (1 or 2). -Version 1 of the file format uses native byte order for integer -representations. Version 2 always uses big-endian byte order.

-

After the two-byte version indicator, the file contains a sequence of -signed 32-bit record lengths followed by key records or holes. A -positive record length indicates a valid key entry whose size is equal -to or less than the record length. A negative length indicates a -zero-filled hole whose size is the inverse of the length. A length of -0 indicates the end of the file.

-
-

Key entry format¶

-

A key entry may be smaller in size than the record length which -precedes it, because it may have replaced a hole which is larger than -the key entry. Key entries use the following informal grammar:

-
entry ::=
-    principal
-    timestamp (32 bits)
-    key version (8 bits)
-    enctype (16 bits)
-    key length (16 bits)
-    key contents
-    key version (32 bits) [in release 1.14 and later]
-
-principal ::=
-    count of components (16 bits) [includes realm in version 1]
-    realm (data)
-    component1 (data)
-    component2 (data)
-    ...
-    name type (32 bits) [omitted in version 1]
-
-data ::=
-    length (16 bits)
-    value (length bytes)
-
-
-

The 32-bit key version overrides the 8-bit key version. To determine -if it is present, the implementation must check that at least 4 bytes -remain in the record after the other fields are read, and that the -value of the 32-bit integer contained in those bytes is non-zero.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-A.html b/doc/html/genindex-A.html deleted file mode 100644 index 25763f1..0000000 --- a/doc/html/genindex-A.html +++ /dev/null @@ -1,207 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – A

- - - - -
- -
AD_TYPE_EXTERNAL (built-in variable) -
- - -
AD_TYPE_FIELD_TYPE_MASK (built-in variable) -
- - -
AD_TYPE_REGISTERED (built-in variable) -
- - -
AD_TYPE_RESERVED (built-in variable) -
- - -
ADDRTYPE_ADDRPORT (built-in variable) -
- - -
ADDRTYPE_CHAOS (built-in variable) -
- - -
ADDRTYPE_DDP (built-in variable) -
- - -
ADDRTYPE_INET (built-in variable) -
- - -
ADDRTYPE_INET6 (built-in variable) -
- - -
ADDRTYPE_IPPORT (built-in variable) -
- -
- -
ADDRTYPE_IS_LOCAL (built-in variable) -
- - -
ADDRTYPE_ISO (built-in variable) -
- - -
ADDRTYPE_NETBIOS (built-in variable) -
- - -
ADDRTYPE_XNS (built-in variable) -
- - -
AP_OPTS_ETYPE_NEGOTIATION (built-in variable) -
- - -
AP_OPTS_MUTUAL_REQUIRED (built-in variable) -
- - -
AP_OPTS_RESERVED (built-in variable) -
- - -
AP_OPTS_USE_SESSION_KEY (built-in variable) -
- - -
AP_OPTS_USE_SUBKEY (built-in variable) -
- - -
AP_OPTS_WIRE_MASK (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-C.html b/doc/html/genindex-C.html deleted file mode 100644 index 4db9c5b..0000000 --- a/doc/html/genindex-C.html +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – C

- - - - -
- -
CKSUMTYPE_CMAC_CAMELLIA128 (built-in variable) -
- - -
CKSUMTYPE_CMAC_CAMELLIA256 (built-in variable) -
- - -
CKSUMTYPE_CRC32 (built-in variable) -
- - -
CKSUMTYPE_DESCBC (built-in variable) -
- - -
CKSUMTYPE_HMAC_MD5_ARCFOUR (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_96_AES128 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_96_AES256 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_DES3 (built-in variable) -
- -
- -
CKSUMTYPE_HMAC_SHA256_128_AES128 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA384_192_AES256 (built-in variable) -
- - -
CKSUMTYPE_MD5_HMAC_ARCFOUR (built-in variable) -
- - -
CKSUMTYPE_NIST_SHA (built-in variable) -
- - -
CKSUMTYPE_RSA_MD4 (built-in variable) -
- - -
CKSUMTYPE_RSA_MD4_DES (built-in variable) -
- - -
CKSUMTYPE_RSA_MD5 (built-in variable) -
- - -
CKSUMTYPE_RSA_MD5_DES (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-E.html b/doc/html/genindex-E.html deleted file mode 100644 index a09b909..0000000 --- a/doc/html/genindex-E.html +++ /dev/null @@ -1,227 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – E

- - - - -
- -
ENCTYPE_AES128_CTS_HMAC_SHA1_96 (built-in variable) -
- - -
ENCTYPE_AES128_CTS_HMAC_SHA256_128 (built-in variable) -
- - -
ENCTYPE_AES256_CTS_HMAC_SHA1_96 (built-in variable) -
- - -
ENCTYPE_AES256_CTS_HMAC_SHA384_192 (built-in variable) -
- - -
ENCTYPE_ARCFOUR_HMAC (built-in variable) -
- - -
ENCTYPE_ARCFOUR_HMAC_EXP (built-in variable) -
- - -
ENCTYPE_CAMELLIA128_CTS_CMAC (built-in variable) -
- - -
ENCTYPE_CAMELLIA256_CTS_CMAC (built-in variable) -
- - -
ENCTYPE_DES3_CBC_ENV (built-in variable) -
- - -
ENCTYPE_DES3_CBC_RAW (built-in variable) -
- - -
ENCTYPE_DES3_CBC_SHA (built-in variable) -
- - -
ENCTYPE_DES3_CBC_SHA1 (built-in variable) -
- - -
ENCTYPE_DES_CBC_CRC (built-in variable) -
- -
- -
ENCTYPE_DES_CBC_MD4 (built-in variable) -
- - -
ENCTYPE_DES_CBC_MD5 (built-in variable) -
- - -
ENCTYPE_DES_CBC_RAW (built-in variable) -
- - -
ENCTYPE_DES_HMAC_SHA1 (built-in variable) -
- - -
ENCTYPE_DSA_SHA1_CMS (built-in variable) -
- - -
ENCTYPE_MD5_RSA_CMS (built-in variable) -
- - -
ENCTYPE_NULL (built-in variable) -
- - -
ENCTYPE_RC2_CBC_ENV (built-in variable) -
- - -
ENCTYPE_RSA_ENV (built-in variable) -
- - -
ENCTYPE_RSA_ES_OAEP_ENV (built-in variable) -
- - -
ENCTYPE_SHA1_RSA_CMS (built-in variable) -
- - -
ENCTYPE_UNKNOWN (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-K.html b/doc/html/genindex-K.html deleted file mode 100644 index fad15eb..0000000 --- a/doc/html/genindex-K.html +++ /dev/null @@ -1,3971 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – K

- - - - -
- -
KDC_OPT_ALLOW_POSTDATE (built-in variable) -
- - -
KDC_OPT_CANONICALIZE (built-in variable) -
- - -
KDC_OPT_CNAME_IN_ADDL_TKT (built-in variable) -
- - -
KDC_OPT_DISABLE_TRANSITED_CHECK (built-in variable) -
- - -
KDC_OPT_ENC_TKT_IN_SKEY (built-in variable) -
- - -
KDC_OPT_FORWARDABLE (built-in variable) -
- - -
KDC_OPT_FORWARDED (built-in variable) -
- - -
KDC_OPT_POSTDATED (built-in variable) -
- - -
KDC_OPT_PROXIABLE (built-in variable) -
- - -
KDC_OPT_PROXY (built-in variable) -
- - -
KDC_OPT_RENEW (built-in variable) -
- - -
KDC_OPT_RENEWABLE (built-in variable) -
- - -
KDC_OPT_RENEWABLE_OK (built-in variable) -
- - -
KDC_OPT_REQUEST_ANONYMOUS (built-in variable) -
- - -
KDC_OPT_VALIDATE (built-in variable) -
- - -
KDC_TKT_COMMON_MASK (built-in variable) -
- - -
krb524_convert_creds_kdc (built-in variable) -
- - -
krb524_init_ets (built-in variable) -
- - -
krb5_425_conv_principal (C function) -
- - -
krb5_524_conv_principal (C function) -
- - -
krb5_524_convert_creds (C function) -
- - -
krb5_address (C type) -
- - -
krb5_address.addrtype (C member) -
- - -
krb5_address.contents (C member) -
- - -
krb5_address.length (C member) -
- - -
krb5_address.magic (C member) -
- - -
krb5_address_compare (C function) -
- - -
krb5_address_order (C function) -
- - -
krb5_address_search (C function) -
- - -
krb5_addrtype (C type) -
- - -
krb5_allow_weak_crypto (C function) -
- - -
KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE (built-in variable) -
- - -
krb5_aname_to_localname (C function) -
- - -
krb5_anonymous_principal (C function) -
- - -
KRB5_ANONYMOUS_PRINCSTR (built-in variable) -
- - -
krb5_anonymous_realm (C function) -
- - -
KRB5_ANONYMOUS_REALMSTR (built-in variable) -
- - -
KRB5_AP_REP (built-in variable) -
- - -
krb5_ap_rep (C type) -
- - -
krb5_ap_rep.enc_part (C member) -
- - -
krb5_ap_rep.magic (C member) -
- - -
krb5_ap_rep_enc_part (C type) -
- - -
krb5_ap_rep_enc_part.ctime (C member) -
- - -
krb5_ap_rep_enc_part.cusec (C member) -
- - -
krb5_ap_rep_enc_part.magic (C member) -
- - -
krb5_ap_rep_enc_part.seq_number (C member) -
- - -
krb5_ap_rep_enc_part.subkey (C member) -
- - -
KRB5_AP_REQ (built-in variable) -
- - -
krb5_ap_req (C type) -
- - -
krb5_ap_req.ap_options (C member) -
- - -
krb5_ap_req.authenticator (C member) -
- - -
krb5_ap_req.magic (C member) -
- - -
krb5_ap_req.ticket (C member) -
- - -
krb5_appdefault_boolean (C function) -
- - -
krb5_appdefault_string (C function) -
- - -
KRB5_AS_REP (built-in variable) -
- - -
KRB5_AS_REQ (built-in variable) -
- - -
krb5_auth_con_free (C function) -
- - -
krb5_auth_con_genaddrs (C function) -
- - -
krb5_auth_con_get_checksum_func (C function) -
- - -
krb5_auth_con_getaddrs (C function) -
- - -
krb5_auth_con_getauthenticator (C function) -
- - -
krb5_auth_con_getflags (C function) -
- - -
krb5_auth_con_getkey (C function) -
- - -
krb5_auth_con_getkey_k (C function) -
- - -
krb5_auth_con_getlocalseqnumber (C function) -
- - -
krb5_auth_con_getlocalsubkey (C function) -
- - -
krb5_auth_con_getrcache (C function) -
- - -
krb5_auth_con_getrecvsubkey (C function) -
- - -
krb5_auth_con_getrecvsubkey_k (C function) -
- - -
krb5_auth_con_getremoteseqnumber (C function) -
- - -
krb5_auth_con_getremotesubkey (C function) -
- - -
krb5_auth_con_getsendsubkey (C function) -
- - -
krb5_auth_con_getsendsubkey_k (C function) -
- - -
krb5_auth_con_init (C function) -
- - -
krb5_auth_con_initivector (C function) -
- - -
krb5_auth_con_set_checksum_func (C function) -
- - -
krb5_auth_con_set_req_cksumtype (C function) -
- - -
krb5_auth_con_setaddrs (C function) -
- - -
krb5_auth_con_setflags (C function) -
- - -
krb5_auth_con_setports (C function) -
- - -
krb5_auth_con_setrcache (C function) -
- - -
krb5_auth_con_setrecvsubkey (C function) -
- - -
krb5_auth_con_setrecvsubkey_k (C function) -
- - -
krb5_auth_con_setsendsubkey (C function) -
- - -
krb5_auth_con_setsendsubkey_k (C function) -
- - -
krb5_auth_con_setuseruserkey (C function) -
- - -
krb5_auth_context (C type) -
- - -
KRB5_AUTH_CONTEXT_DO_SEQUENCE (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_DO_TIME (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_PERMIT_ALL (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_RET_SEQUENCE (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_RET_TIME (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_USE_SUBKEY (built-in variable) -
- - -
krb5_authdata (C type) -
- - -
krb5_authdata.ad_type (C member) -
- - -
krb5_authdata.contents (C member) -
- - -
krb5_authdata.length (C member) -
- - -
krb5_authdata.magic (C member) -
- - -
KRB5_AUTHDATA_AND_OR (built-in variable) -
- - -
KRB5_AUTHDATA_AUTH_INDICATOR (built-in variable) -
- - -
KRB5_AUTHDATA_CAMMAC (built-in variable) -
- - -
KRB5_AUTHDATA_ETYPE_NEGOTIATION (built-in variable) -
- - -
KRB5_AUTHDATA_FX_ARMOR (built-in variable) -
- - -
KRB5_AUTHDATA_IF_RELEVANT (built-in variable) -
- - -
KRB5_AUTHDATA_INITIAL_VERIFIED_CAS (built-in variable) -
- - -
KRB5_AUTHDATA_KDC_ISSUED (built-in variable) -
- - -
KRB5_AUTHDATA_MANDATORY_FOR_KDC (built-in variable) -
- - -
KRB5_AUTHDATA_OSF_DCE (built-in variable) -
- - -
KRB5_AUTHDATA_SESAME (built-in variable) -
- - -
KRB5_AUTHDATA_SIGNTICKET (built-in variable) -
- - -
KRB5_AUTHDATA_WIN2K_PAC (built-in variable) -
- - -
krb5_authdatatype (C type) -
- - -
krb5_authenticator (C type) -
- - -
krb5_authenticator.authorization_data (C member) -
- - -
krb5_authenticator.checksum (C member) -
- - -
krb5_authenticator.client (C member) -
- - -
krb5_authenticator.ctime (C member) -
- - -
krb5_authenticator.cusec (C member) -
- - -
krb5_authenticator.magic (C member) -
- - -
krb5_authenticator.seq_number (C member) -
- - -
krb5_authenticator.subkey (C member) -
- - -
krb5_boolean (C type) -
- - -
krb5_build_principal (C function) -
- - -
krb5_build_principal_alloc_va (C function) -
- - -
krb5_build_principal_ext (C function) -
- - -
krb5_build_principal_va (C function) -
- - -
krb5_c_block_size (C function) -
- - -
krb5_c_checksum_length (C function) -
- - -
krb5_c_crypto_length (C function) -
- - -
krb5_c_crypto_length_iov (C function) -
- - -
krb5_c_decrypt (C function) -
- - -
krb5_c_decrypt_iov (C function) -
- - -
krb5_c_derive_prfplus (C function) -
- - -
krb5_c_encrypt (C function) -
- - -
krb5_c_encrypt_iov (C function) -
- - -
krb5_c_encrypt_length (C function) -
- - -
krb5_c_enctype_compare (C function) -
- - -
krb5_c_free_state (C function) -
- - -
krb5_c_fx_cf2_simple (C function) -
- - -
krb5_c_init_state (C function) -
- - -
krb5_c_is_coll_proof_cksum (C function) -
- - -
krb5_c_is_keyed_cksum (C function) -
- - -
krb5_c_keyed_checksum_types (C function) -
- - -
krb5_c_keylengths (C function) -
- - -
krb5_c_make_checksum (C function) -
- - -
krb5_c_make_checksum_iov (C function) -
- - -
krb5_c_make_random_key (C function) -
- - -
krb5_c_padding_length (C function) -
- - -
krb5_c_prf (C function) -
- - -
krb5_c_prf_length (C function) -
- - -
krb5_c_prfplus (C function) -
- - -
krb5_c_random_add_entropy (C function) -
- - -
krb5_c_random_make_octets (C function) -
- - -
krb5_c_random_os_entropy (C function) -
- - -
krb5_c_random_seed (C function) -
- - -
krb5_c_random_to_key (C function) -
- - -
krb5_c_string_to_key (C function) -
- - -
krb5_c_string_to_key_with_params (C function) -
- - -
krb5_c_valid_cksumtype (C function) -
- - -
krb5_c_valid_enctype (C function) -
- - -
krb5_c_verify_checksum (C function) -
- - -
krb5_c_verify_checksum_iov (C function) -
- - -
krb5_calculate_checksum (C function) -
- - -
krb5_cc_cache_match (C function) -
- - -
krb5_cc_close (C function) -
- - -
krb5_cc_copy_creds (C function) -
- - -
krb5_cc_cursor (C type) -
- - -
krb5_cc_default (C function) -
- - -
krb5_cc_default_name (C function) -
- - -
krb5_cc_destroy (C function) -
- - -
krb5_cc_dup (C function) -
- - -
krb5_cc_end_seq_get (C function) -
- - -
krb5_cc_gen_new (C function) -
- - -
krb5_cc_get_config (C function) -
- - -
krb5_cc_get_flags (C function) -
- - -
krb5_cc_get_full_name (C function) -
- - -
krb5_cc_get_name (C function) -
- - -
krb5_cc_get_principal (C function) -
- - -
krb5_cc_get_type (C function) -
- - -
krb5_cc_initialize (C function) -
- - -
krb5_cc_last_change_time (C function) -
- - -
krb5_cc_lock (C function) -
- - -
krb5_cc_move (C function) -
- - -
krb5_cc_new_unique (C function) -
- - -
krb5_cc_next_cred (C function) -
- - -
krb5_cc_remove_cred (C function) -
- - -
krb5_cc_resolve (C function) -
- - -
krb5_cc_retrieve_cred (C function) -
- - -
krb5_cc_select (C function) -
- - -
krb5_cc_set_config (C function) -
- - -
krb5_cc_set_default_name (C function) -
- - -
krb5_cc_set_flags (C function) -
- - -
krb5_cc_start_seq_get (C function) -
- - -
krb5_cc_store_cred (C function) -
- - -
krb5_cc_support_switch (C function) -
- - -
krb5_cc_switch (C function) -
- - -
krb5_cc_unlock (C function) -
- - -
krb5_ccache (C type) -
- - -
krb5_cccol_cursor (C type) -
- - -
krb5_cccol_cursor_free (C function) -
- - -
krb5_cccol_cursor_new (C function) -
- - -
krb5_cccol_cursor_next (C function) -
- - -
krb5_cccol_have_content (C function) -
- - -
krb5_cccol_last_change_time (C function) -
- - -
krb5_cccol_lock (C function) -
- - -
krb5_cccol_unlock (C function) -
- - -
krb5_change_password (C function) -
- - -
krb5_check_clockskew (C function) -
- - -
krb5_checksum (C type) -
- - -
krb5_checksum.checksum_type (C member) -
- - -
krb5_checksum.contents (C member) -
- - -
krb5_checksum.length (C member) -
- - -
krb5_checksum.magic (C member) -
- - -
krb5_checksum_size (C function) -
- - -
krb5_chpw_message (C function) -
- - -
krb5_cksumtype (C type) -
- - -
krb5_cksumtype_to_string (C function) -
- - -
krb5_clear_error_message (C function) -
- - -
krb5_const (built-in variable) -
- - -
krb5_const_pointer (C type) -
- - -
krb5_const_principal (C type) -
- - -
krb5_const_principal.data (C member) -
- - -
krb5_const_principal.length (C member) -
- - -
krb5_const_principal.magic (C member) -
- - -
krb5_const_principal.realm (C member) -
- - -
krb5_const_principal.type (C member) -
- - -
krb5_context (C type) -
- - -
krb5_copy_addresses (C function) -
- - -
krb5_copy_authdata (C function) -
- - -
krb5_copy_authenticator (C function) -
- - -
krb5_copy_checksum (C function) -
- - -
krb5_copy_context (C function) -
- - -
krb5_copy_creds (C function) -
- - -
krb5_copy_data (C function) -
- - -
krb5_copy_error_message (C function) -
- - -
krb5_copy_keyblock (C function) -
- - -
krb5_copy_keyblock_contents (C function) -
- - -
krb5_copy_principal (C function) -
- - -
krb5_copy_ticket (C function) -
- - -
KRB5_CRED (built-in variable) -
- - -
krb5_cred (C type) -
- - -
krb5_cred.enc_part (C member) -
- - -
krb5_cred.enc_part2 (C member) -
- - -
krb5_cred.magic (C member) -
- - -
krb5_cred.tickets (C member) -
- - -
krb5_cred_enc_part (C type) -
- - -
krb5_cred_enc_part.magic (C member) -
- - -
krb5_cred_enc_part.nonce (C member) -
- - -
krb5_cred_enc_part.r_address (C member) -
- - -
krb5_cred_enc_part.s_address (C member) -
- - -
krb5_cred_enc_part.ticket_info (C member) -
- - -
krb5_cred_enc_part.timestamp (C member) -
- - -
krb5_cred_enc_part.usec (C member) -
- - -
krb5_cred_info (C type) -
- - -
krb5_cred_info.caddrs (C member) -
- - -
krb5_cred_info.client (C member) -
- - -
krb5_cred_info.flags (C member) -
- - -
krb5_cred_info.magic (C member) -
- - -
krb5_cred_info.server (C member) -
- - -
krb5_cred_info.session (C member) -
- - -
krb5_cred_info.times (C member) -
- - -
krb5_creds (C type) -
- - -
krb5_creds.addresses (C member) -
- - -
krb5_creds.authdata (C member) -
- - -
krb5_creds.client (C member) -
- - -
krb5_creds.is_skey (C member) -
- - -
krb5_creds.keyblock (C member) -
- - -
krb5_creds.magic (C member) -
- - -
krb5_creds.second_ticket (C member) -
- - -
krb5_creds.server (C member) -
- - -
krb5_creds.ticket (C member) -
- - -
krb5_creds.ticket_flags (C member) -
- - -
krb5_creds.times (C member) -
- - -
krb5_crypto_iov (C type) -
- - -
krb5_crypto_iov.data (C member) -
- - -
krb5_crypto_iov.flags (C member) -
- - -
KRB5_CRYPTO_TYPE_CHECKSUM (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_DATA (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_EMPTY (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_HEADER (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_PADDING (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_SIGN_ONLY (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_STREAM (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_TRAILER (built-in variable) -
- - -
krb5_cryptotype (C type) -
- - -
KRB5_CYBERSAFE_SECUREID (built-in variable) -
- - -
krb5_data (C type) -
- - -
krb5_data.data (C member) -
- - -
krb5_data.length (C member) -
- - -
krb5_data.magic (C member) -
- - -
krb5_decode_authdata_container (C function) -
- - -
krb5_decode_ticket (C function) -
- - -
krb5_decrypt (C function) -
- - -
krb5_deltat (C type) -
- - -
krb5_deltat_to_string (C function) -
- - -
KRB5_DOMAIN_X500_COMPRESS (built-in variable) -
- - -
krb5_eblock_enctype (C function) -
- - -
krb5_enc_data (C type) -
- - -
krb5_enc_data.ciphertext (C member) -
- - -
krb5_enc_data.enctype (C member) -
- - -
krb5_enc_data.kvno (C member) -
- - -
krb5_enc_data.magic (C member) -
- - -
krb5_enc_kdc_rep_part (C type) -
- - -
krb5_enc_kdc_rep_part.caddrs (C member) -
- - -
krb5_enc_kdc_rep_part.enc_padata (C member) -
- - -
krb5_enc_kdc_rep_part.flags (C member) -
- - -
krb5_enc_kdc_rep_part.key_exp (C member) -
- - -
krb5_enc_kdc_rep_part.last_req (C member) -
- - -
krb5_enc_kdc_rep_part.magic (C member) -
- - -
krb5_enc_kdc_rep_part.msg_type (C member) -
- - -
krb5_enc_kdc_rep_part.nonce (C member) -
- - -
krb5_enc_kdc_rep_part.server (C member) -
- - -
krb5_enc_kdc_rep_part.session (C member) -
- - -
krb5_enc_kdc_rep_part.times (C member) -
- - -
krb5_enc_tkt_part (C type) -
- - -
krb5_enc_tkt_part.authorization_data (C member) -
- - -
krb5_enc_tkt_part.caddrs (C member) -
- - -
krb5_enc_tkt_part.client (C member) -
- - -
krb5_enc_tkt_part.flags (C member) -
- - -
krb5_enc_tkt_part.magic (C member) -
- - -
krb5_enc_tkt_part.session (C member) -
- - -
krb5_enc_tkt_part.times (C member) -
- - -
krb5_enc_tkt_part.transited (C member) -
- - -
krb5_encode_authdata_container (C function) -
- - -
KRB5_ENCPADATA_REQ_ENC_PA_REP (built-in variable) -
- - -
krb5_encrypt (C function) -
- - -
krb5_encrypt_block (C type) -
- - -
krb5_encrypt_block.crypto_entry (C member) -
- - -
krb5_encrypt_block.key (C member) -
- - -
krb5_encrypt_block.magic (C member) -
- - -
krb5_encrypt_size (C function) -
- - -
krb5_enctype (C type) -
- - -
krb5_enctype_to_name (C function) -
- - -
krb5_enctype_to_string (C function) -
- - -
KRB5_ERROR (built-in variable) -
- - -
krb5_error (C type) -
- - -
krb5_error.client (C member) -
- - -
krb5_error.ctime (C member) -
- - -
krb5_error.cusec (C member) -
- - -
krb5_error.e_data (C member) -
- - -
krb5_error.error (C member) -
- - -
krb5_error.magic (C member) -
- - -
krb5_error.server (C member) -
- - -
krb5_error.stime (C member) -
- - -
krb5_error.susec (C member) -
- - -
krb5_error.text (C member) -
- - -
krb5_error_code (C type) -
- - -
krb5_expand_hostname (C function) -
- - -
krb5_expire_callback_func (C type) -
- - -
KRB5_FAST_REQUIRED (built-in variable) -
- - -
krb5_find_authdata (C function) -
- - -
krb5_finish_key (C function) -
- - -
krb5_finish_random_key (C function) -
- - -
krb5_flags (C type) -
- - -
krb5_free_addresses (C function) -
- - -
krb5_free_ap_rep_enc_part (C function) -
- - -
krb5_free_authdata (C function) -
- - -
krb5_free_authenticator (C function) -
- - -
krb5_free_checksum (C function) -
- - -
krb5_free_checksum_contents (C function) -
- - -
krb5_free_cksumtypes (C function) -
- - -
krb5_free_context (C function) -
- - -
krb5_free_cred_contents (C function) -
- - -
krb5_free_creds (C function) -
- - -
krb5_free_data (C function) -
- - -
krb5_free_data_contents (C function) -
- - -
krb5_free_default_realm (C function) -
- - -
krb5_free_enctypes (C function) -
- - -
krb5_free_error (C function) -
- - -
krb5_free_error_message (C function) -
- - -
krb5_free_host_realm (C function) -
- - -
krb5_free_keyblock (C function) -
- - -
krb5_free_keyblock_contents (C function) -
- - -
krb5_free_keytab_entry_contents (C function) -
- - -
krb5_free_principal (C function) -
- - -
krb5_free_string (C function) -
- - -
krb5_free_tgt_creds (C function) -
- - -
krb5_free_ticket (C function) -
- - -
krb5_free_unparsed_name (C function) -
- - -
krb5_fwd_tgt_creds (C function) -
- - -
KRB5_GC_CACHED (built-in variable) -
- - -
KRB5_GC_CANONICALIZE (built-in variable) -
- - -
KRB5_GC_CONSTRAINED_DELEGATION (built-in variable) -
- - -
KRB5_GC_FORWARDABLE (built-in variable) -
- - -
KRB5_GC_NO_STORE (built-in variable) -
- - -
KRB5_GC_NO_TRANSIT_CHECK (built-in variable) -
- - -
KRB5_GC_USER_USER (built-in variable) -
- - -
krb5_get_credentials (C function) -
- - -
krb5_get_credentials_renew (C function) -
- - -
krb5_get_credentials_validate (C function) -
- - -
krb5_get_default_realm (C function) -
- - -
krb5_get_error_message (C function) -
- - -
krb5_get_fallback_host_realm (C function) -
- - -
krb5_get_host_realm (C function) -
- - -
krb5_get_in_tkt_with_keytab (C function) -
- - -
krb5_get_in_tkt_with_password (C function) -
- - -
krb5_get_in_tkt_with_skey (C function) -
- - -
krb5_get_init_creds_keytab (C function) -
- - -
krb5_get_init_creds_opt (C type) -
- - -
krb5_get_init_creds_opt.address_list (C member) -
- - -
krb5_get_init_creds_opt.etype_list (C member) -
- - -
krb5_get_init_creds_opt.etype_list_length (C member) -
- - -
krb5_get_init_creds_opt.flags (C member) -
- - -
krb5_get_init_creds_opt.forwardable (C member) -
- - -
krb5_get_init_creds_opt.preauth_list (C member) -
- - -
krb5_get_init_creds_opt.preauth_list_length (C member) -
- - -
krb5_get_init_creds_opt.proxiable (C member) -
- - -
krb5_get_init_creds_opt.renew_life (C member) -
- - -
krb5_get_init_creds_opt.salt (C member) -
- - -
krb5_get_init_creds_opt.tkt_life (C member) -
- - -
KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST (built-in variable) -
- - -
krb5_get_init_creds_opt_alloc (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_ANONYMOUS (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_CANONICALIZE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_FORWARDABLE (built-in variable) -
- - -
krb5_get_init_creds_opt_free (C function) -
- - -
krb5_get_init_creds_opt_get_fast_flags (C function) -
- - -
krb5_get_init_creds_opt_init (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_PROXIABLE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_SALT (built-in variable) -
- - -
krb5_get_init_creds_opt_set_address_list (C function) -
- - -
krb5_get_init_creds_opt_set_anonymous (C function) -
- - -
krb5_get_init_creds_opt_set_canonicalize (C function) -
- - -
krb5_get_init_creds_opt_set_change_password_prompt (C function) -
- - -
krb5_get_init_creds_opt_set_etype_list (C function) -
- - -
krb5_get_init_creds_opt_set_expire_callback (C function) -
- - -
krb5_get_init_creds_opt_set_fast_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_fast_ccache_name (C function) -
- - -
krb5_get_init_creds_opt_set_fast_flags (C function) -
- - -
krb5_get_init_creds_opt_set_forwardable (C function) -
- - -
krb5_get_init_creds_opt_set_in_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_out_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_pa (C function) -
- - -
krb5_get_init_creds_opt_set_pac_request (C function) -
- - -
krb5_get_init_creds_opt_set_preauth_list (C function) -
- - -
krb5_get_init_creds_opt_set_proxiable (C function) -
- - -
krb5_get_init_creds_opt_set_renew_life (C function) -
- - -
krb5_get_init_creds_opt_set_responder (C function) -
- - -
krb5_get_init_creds_opt_set_salt (C function) -
- - -
krb5_get_init_creds_opt_set_tkt_life (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_TKT_LIFE (built-in variable) -
- - -
krb5_get_init_creds_password (C function) -
- - -
krb5_get_permitted_enctypes (C function) -
- - -
krb5_get_profile (C function) -
- - -
krb5_get_prompt_types (C function) -
- - -
krb5_get_renewed_creds (C function) -
- - -
krb5_get_server_rcache (C function) -
- - -
krb5_get_time_offsets (C function) -
- - -
krb5_get_validated_creds (C function) -
- - -
krb5_gic_opt_pa_data (C type) -
- - -
krb5_gic_opt_pa_data.attr (C member) -
- - -
krb5_gic_opt_pa_data.value (C member) -
- - -
krb5_init_context (C function) -
- - -
KRB5_INIT_CONTEXT_KDC (built-in variable) -
- - -
krb5_init_context_profile (C function) -
- - -
KRB5_INIT_CONTEXT_SECURE (built-in variable) -
- - -
krb5_init_creds_context (C type) -
- - -
krb5_init_creds_free (C function) -
- - -
krb5_init_creds_get (C function) -
- - -
krb5_init_creds_get_creds (C function) -
- - -
krb5_init_creds_get_error (C function) -
- - -
krb5_init_creds_get_times (C function) -
- - -
krb5_init_creds_init (C function) -
- - -
krb5_init_creds_set_keytab (C function) -
- - -
krb5_init_creds_set_password (C function) -
- - -
krb5_init_creds_set_service (C function) -
- - -
krb5_init_creds_step (C function) -
- - -
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE (built-in variable) -
- - -
krb5_init_keyblock (C function) -
- - -
krb5_init_random_key (C function) -
- - -
krb5_init_secure_context (C function) -
- - -
krb5_int16 (C type) -
- -
- -
KRB5_INT16_MAX (built-in variable) -
- - -
KRB5_INT16_MIN (built-in variable) -
- - -
krb5_int32 (C type) -
- - -
KRB5_INT32_MAX (built-in variable) -
- - -
KRB5_INT32_MIN (built-in variable) -
- - -
krb5_is_config_principal (C function) -
- - -
krb5_is_referral_realm (C function) -
- - -
krb5_is_thread_safe (C function) -
- - -
krb5_k_create_key (C function) -
- - -
krb5_k_decrypt (C function) -
- - -
krb5_k_decrypt_iov (C function) -
- - -
krb5_k_encrypt (C function) -
- - -
krb5_k_encrypt_iov (C function) -
- - -
krb5_k_free_key (C function) -
- - -
krb5_k_key_enctype (C function) -
- - -
krb5_k_key_keyblock (C function) -
- - -
krb5_k_make_checksum (C function) -
- - -
krb5_k_make_checksum_iov (C function) -
- - -
krb5_k_prf (C function) -
- - -
krb5_k_reference_key (C function) -
- - -
krb5_k_verify_checksum (C function) -
- - -
krb5_k_verify_checksum_iov (C function) -
- - -
krb5_kdc_rep (C type) -
- - -
krb5_kdc_rep.client (C member) -
- - -
krb5_kdc_rep.enc_part (C member) -
- - -
krb5_kdc_rep.enc_part2 (C member) -
- - -
krb5_kdc_rep.magic (C member) -
- - -
krb5_kdc_rep.msg_type (C member) -
- - -
krb5_kdc_rep.padata (C member) -
- - -
krb5_kdc_rep.ticket (C member) -
- - -
krb5_kdc_req (C type) -
- - -
krb5_kdc_req.addresses (C member) -
- - -
krb5_kdc_req.authorization_data (C member) -
- - -
krb5_kdc_req.client (C member) -
- - -
krb5_kdc_req.from (C member) -
- - -
krb5_kdc_req.kdc_options (C member) -
- - -
krb5_kdc_req.ktype (C member) -
- - -
krb5_kdc_req.magic (C member) -
- - -
krb5_kdc_req.msg_type (C member) -
- - -
krb5_kdc_req.nktypes (C member) -
- - -
krb5_kdc_req.nonce (C member) -
- - -
krb5_kdc_req.padata (C member) -
- - -
krb5_kdc_req.rtime (C member) -
- - -
krb5_kdc_req.second_ticket (C member) -
- - -
krb5_kdc_req.server (C member) -
- - -
krb5_kdc_req.till (C member) -
- - -
krb5_kdc_req.unenc_authdata (C member) -
- - -
krb5_key (C type) -
- - -
krb5_keyblock (C type) -
- - -
krb5_keyblock.contents (C member) -
- - -
krb5_keyblock.enctype (C member) -
- - -
krb5_keyblock.length (C member) -
- - -
krb5_keyblock.magic (C member) -
- - -
krb5_keytab (C type) -
- - -
krb5_keytab_entry (C type) -
- - -
krb5_keytab_entry.key (C member) -
- - -
krb5_keytab_entry.magic (C member) -
- - -
krb5_keytab_entry.principal (C member) -
- - -
krb5_keytab_entry.timestamp (C member) -
- - -
krb5_keytab_entry.vno (C member) -
- - -
krb5_keyusage (C type) -
- - -
KRB5_KEYUSAGE_AD_ITE (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_MTE (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_SIGNEDPATH (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REP_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REQ_AUTH (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_APP_DATA_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_APP_DATA_ENCRYPT (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REP_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REQ (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS (built-in variable) -
- - -
KRB5_KEYUSAGE_CAMMAC (built-in variable) -
- - -
KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT (built-in variable) -
- - -
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_ENC (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_FINISHED (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_REP (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_REQ_CHKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_MIC (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV (built-in variable) -
- - -
KRB5_KEYUSAGE_IAKERB_FINISHED (built-in variable) -
- - -
KRB5_KEYUSAGE_KDC_REP_TICKET (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_CRED_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_ERROR_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_PRIV_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_SAFE_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_FX_COOKIE (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_OTP_REQUEST (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_PKINIT_KX (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_RESPONSE (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AUTH (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM (built-in variable) -
- - -
KRB5_KPASSWD_ACCESSDENIED (built-in variable) -
- - -
KRB5_KPASSWD_AUTHERROR (built-in variable) -
- - -
KRB5_KPASSWD_BAD_VERSION (built-in variable) -
- - -
KRB5_KPASSWD_HARDERROR (built-in variable) -
- - -
KRB5_KPASSWD_INITIAL_FLAG_NEEDED (built-in variable) -
- - -
KRB5_KPASSWD_MALFORMED (built-in variable) -
- - -
KRB5_KPASSWD_SOFTERROR (built-in variable) -
- - -
KRB5_KPASSWD_SUCCESS (built-in variable) -
- - -
krb5_kt_add_entry (C function) -
- - -
krb5_kt_client_default (C function) -
- - -
krb5_kt_close (C function) -
- - -
krb5_kt_cursor (C type) -
- - -
krb5_kt_default (C function) -
- - -
krb5_kt_default_name (C function) -
- - -
krb5_kt_dup (C function) -
- - -
krb5_kt_end_seq_get (C function) -
- - -
krb5_kt_free_entry (C function) -
- - -
krb5_kt_get_entry (C function) -
- - -
krb5_kt_get_name (C function) -
- - -
krb5_kt_get_type (C function) -
- - -
krb5_kt_have_content (C function) -
- - -
krb5_kt_next_entry (C function) -
- - -
krb5_kt_read_service_key (C function) -
- - -
krb5_kt_remove_entry (C function) -
- - -
krb5_kt_resolve (C function) -
- - -
krb5_kt_start_seq_get (C function) -
- - -
krb5_kuserok (C function) -
- - -
krb5_kvno (C type) -
- - -
krb5_last_req_entry (C type) -
- - -
krb5_last_req_entry.lr_type (C member) -
- - -
krb5_last_req_entry.magic (C member) -
- - -
krb5_last_req_entry.value (C member) -
- - -
KRB5_LRQ_ALL_ACCT_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_INITIAL (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_RENEWAL (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_REQ (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_TGT (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_TGT_ISSUED (built-in variable) -
- - -
KRB5_LRQ_ALL_PW_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_NONE (built-in variable) -
- - -
KRB5_LRQ_ONE_ACCT_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_INITIAL (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_RENEWAL (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_REQ (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_TGT (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_TGT_ISSUED (built-in variable) -
- - -
KRB5_LRQ_ONE_PW_EXPTIME (built-in variable) -
- - -
krb5_magic (C type) -
- - -
krb5_make_authdata_kdc_issued (C function) -
- - -
krb5_merge_authdata (C function) -
- - -
krb5_mk_1cred (C function) -
- - -
krb5_mk_error (C function) -
- - -
krb5_mk_ncred (C function) -
- - -
krb5_mk_priv (C function) -
- - -
krb5_mk_rep (C function) -
- - -
krb5_mk_rep_dce (C function) -
- - -
krb5_mk_req (C function) -
- - -
krb5_mk_req_checksum_func (C type) -
- - -
krb5_mk_req_extended (C function) -
- - -
krb5_mk_safe (C function) -
- - -
krb5_msgtype (C type) -
- - -
KRB5_NT_ENT_PRINCIPAL_AND_ID (built-in variable) -
- - -
KRB5_NT_ENTERPRISE_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_MS_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_MS_PRINCIPAL_AND_ID (built-in variable) -
- - -
KRB5_NT_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_SMTP_NAME (built-in variable) -
- - -
KRB5_NT_SRV_HST (built-in variable) -
- - -
KRB5_NT_SRV_INST (built-in variable) -
- - -
KRB5_NT_SRV_XHST (built-in variable) -
- - -
KRB5_NT_UID (built-in variable) -
- - -
KRB5_NT_UNKNOWN (built-in variable) -
- - -
KRB5_NT_WELLKNOWN (built-in variable) -
- - -
KRB5_NT_X500_PRINCIPAL (built-in variable) -
- - -
krb5_octet (C type) -
- - -
krb5_os_localaddr (C function) -
- - -
krb5_pa_data (C type) -
- - -
krb5_pa_data.contents (C member) -
- - -
krb5_pa_data.length (C member) -
- - -
krb5_pa_data.magic (C member) -
- - -
krb5_pa_data.pa_type (C member) -
- - -
krb5_pa_pac_req (C type) -
- - -
krb5_pa_pac_req.include_pac (C member) -
- - -
krb5_pa_server_referral_data (C type) -
- - -
krb5_pa_server_referral_data.referral_valid_until (C member) -
- - -
krb5_pa_server_referral_data.referred_realm (C member) -
- - -
krb5_pa_server_referral_data.rep_cksum (C member) -
- - -
krb5_pa_server_referral_data.requested_principal_name (C member) -
- - -
krb5_pa_server_referral_data.true_principal_name (C member) -
- - -
krb5_pa_svr_referral_data (C type) -
- - -
krb5_pa_svr_referral_data.principal (C member) -
- - -
krb5_pac (C type) -
- - -
krb5_pac_add_buffer (C function) -
- - -
KRB5_PAC_CLIENT_INFO (built-in variable) -
- - -
KRB5_PAC_CREDENTIALS_INFO (built-in variable) -
- - -
KRB5_PAC_DELEGATION_INFO (built-in variable) -
- - -
krb5_pac_free (C function) -
- - -
krb5_pac_get_buffer (C function) -
- - -
krb5_pac_get_types (C function) -
- - -
krb5_pac_init (C function) -
- - -
KRB5_PAC_LOGON_INFO (built-in variable) -
- - -
krb5_pac_parse (C function) -
- - -
KRB5_PAC_PRIVSVR_CHECKSUM (built-in variable) -
- - -
KRB5_PAC_SERVER_CHECKSUM (built-in variable) -
- - -
krb5_pac_sign (C function) -
- - -
KRB5_PAC_UPN_DNS_INFO (built-in variable) -
- - -
krb5_pac_verify (C function) -
- - -
KRB5_PADATA_AFS3_SALT (built-in variable) -
- - -
KRB5_PADATA_AP_REQ (built-in variable) -
- - -
KRB5_PADATA_AS_CHECKSUM (built-in variable) -
- - -
KRB5_PADATA_ENC_SANDIA_SECURID (built-in variable) -
- - -
KRB5_PADATA_ENC_TIMESTAMP (built-in variable) -
- - -
KRB5_PADATA_ENC_UNIX_TIME (built-in variable) -
- - -
KRB5_PADATA_ENCRYPTED_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_ETYPE_INFO (built-in variable) -
- - -
KRB5_PADATA_ETYPE_INFO2 (built-in variable) -
- - -
KRB5_PADATA_FOR_USER (built-in variable) -
- - -
KRB5_PADATA_FX_COOKIE (built-in variable) -
- - -
KRB5_PADATA_FX_ERROR (built-in variable) -
- - -
KRB5_PADATA_FX_FAST (built-in variable) -
- - -
KRB5_PADATA_GET_FROM_TYPED_DATA (built-in variable) -
- - -
KRB5_PADATA_NONE (built-in variable) -
- - -
KRB5_PADATA_OSF_DCE (built-in variable) -
- - -
KRB5_PADATA_OTP_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_OTP_PIN_CHANGE (built-in variable) -
- - -
KRB5_PADATA_OTP_REQUEST (built-in variable) -
- - -
KRB5_PADATA_PAC_REQUEST (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REP (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REP_OLD (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REQ (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REQ_OLD (built-in variable) -
- - -
KRB5_PADATA_PKINIT_KX (built-in variable) -
- - -
KRB5_PADATA_PW_SALT (built-in variable) -
- - -
KRB5_PADATA_REFERRAL (built-in variable) -
- - -
KRB5_PADATA_S4U_X509_USER (built-in variable) -
- - -
KRB5_PADATA_SAM_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_SAM_CHALLENGE_2 (built-in variable) -
- - -
KRB5_PADATA_SAM_REDIRECT (built-in variable) -
- - -
KRB5_PADATA_SAM_RESPONSE (built-in variable) -
- - -
KRB5_PADATA_SAM_RESPONSE_2 (built-in variable) -
- - -
KRB5_PADATA_SESAME (built-in variable) -
- - -
KRB5_PADATA_SVR_REFERRAL_INFO (built-in variable) -
- - -
KRB5_PADATA_TGS_REQ (built-in variable) -
- - -
KRB5_PADATA_USE_SPECIFIED_KVNO (built-in variable) -
- - -
krb5_parse_name (C function) -
- - -
krb5_parse_name_flags (C function) -
- - -
krb5_pointer (C type) -
- - -
krb5_post_recv_fn (C type) -
- - -
krb5_pre_send_fn (C type) -
- - -
krb5_preauthtype (C type) -
- - -
krb5_prepend_error_message (C function) -
- - -
krb5_princ_component (built-in variable) -
- - -
krb5_princ_name (built-in variable) -
- - -
krb5_princ_realm (built-in variable) -
- - -
krb5_princ_set_realm (built-in variable) -
- - -
krb5_princ_set_realm_data (built-in variable) -
- - -
krb5_princ_set_realm_length (built-in variable) -
- - -
krb5_princ_size (built-in variable) -
- - -
krb5_princ_type (built-in variable) -
- - -
krb5_principal (C type) -
- - -
krb5_principal.data (C member) -
- - -
krb5_principal.length (C member) -
- - -
krb5_principal.magic (C member) -
- - -
krb5_principal.realm (C member) -
- - -
krb5_principal.type (C member) -
- - -
krb5_principal2salt (C function) -
- - -
krb5_principal_compare (C function) -
- - -
krb5_principal_compare_any_realm (C function) -
- - -
KRB5_PRINCIPAL_COMPARE_CASEFOLD (built-in variable) -
- - -
KRB5_PRINCIPAL_COMPARE_ENTERPRISE (built-in variable) -
- - -
krb5_principal_compare_flags (C function) -
- - -
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_COMPARE_UTF8 (built-in variable) -
- - -
krb5_principal_data (C type) -
- - -
krb5_principal_data.data (C member) -
- - -
krb5_principal_data.length (C member) -
- - -
krb5_principal_data.magic (C member) -
- - -
krb5_principal_data.realm (C member) -
- - -
krb5_principal_data.type (C member) -
- - -
KRB5_PRINCIPAL_PARSE_ENTERPRISE (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_IGNORE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_NO_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_DISPLAY (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_NO_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_SHORT (built-in variable) -
- - -
KRB5_PRIV (built-in variable) -
- - -
krb5_process_key (C function) -
- - -
krb5_prompt (C type) -
- - -
krb5_prompt.hidden (C member) -
- - -
krb5_prompt.prompt (C member) -
- - -
krb5_prompt.reply (C member) -
- - -
krb5_prompt_type (C type) -
- - -
KRB5_PROMPT_TYPE_NEW_PASSWORD (built-in variable) -
- - -
KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN (built-in variable) -
- - -
KRB5_PROMPT_TYPE_PASSWORD (built-in variable) -
- - -
KRB5_PROMPT_TYPE_PREAUTH (built-in variable) -
- - -
krb5_prompter_fct (C type) -
- - -
krb5_prompter_posix (C function) -
- - -
KRB5_PVNO (built-in variable) -
- - -
krb5_pwd_data (C type) -
- - -
krb5_pwd_data.element (C member) -
- - -
krb5_pwd_data.magic (C member) -
- - -
krb5_pwd_data.sequence_count (C member) -
- - -
krb5_random_key (C function) -
- - -
krb5_rcache (C type) -
- - -
krb5_rd_cred (C function) -
- - -
krb5_rd_error (C function) -
- - -
krb5_rd_priv (C function) -
- - -
krb5_rd_rep (C function) -
- - -
krb5_rd_rep_dce (C function) -
- - -
krb5_rd_req (C function) -
- - -
krb5_rd_safe (C function) -
- - -
krb5_read_password (C function) -
- - -
KRB5_REALM_BRANCH_CHAR (built-in variable) -
- - -
krb5_realm_compare (C function) -
- - -
krb5_recvauth (C function) -
- - -
KRB5_RECVAUTH_BADAUTHVERS (built-in variable) -
- - -
KRB5_RECVAUTH_SKIP_VERSION (built-in variable) -
- - -
krb5_recvauth_version (C function) -
- - -
KRB5_REFERRAL_REALM (built-in variable) -
- - -
krb5_replay_data (C type) -
- - -
krb5_replay_data.seq (C member) -
- - -
krb5_replay_data.timestamp (C member) -
- - -
krb5_replay_data.usec (C member) -
- - -
krb5_responder_context (C type) -
- - -
krb5_responder_fn (C type) -
- - -
krb5_responder_get_challenge (C function) -
- - -
krb5_responder_list_questions (C function) -
- - -
krb5_responder_otp_challenge (C type) -
- - -
krb5_responder_otp_challenge.service (C member) -
- - -
krb5_responder_otp_challenge.tokeninfo (C member) -
- - -
krb5_responder_otp_challenge_free (C function) -
- - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_NEXTOTP (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_DECIMAL (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL (built-in variable) -
- - -
krb5_responder_otp_get_challenge (C function) -
- - -
krb5_responder_otp_set_answer (C function) -
- - -
krb5_responder_otp_tokeninfo (C type) -
- - -
krb5_responder_otp_tokeninfo.alg_id (C member) -
- - -
krb5_responder_otp_tokeninfo.challenge (C member) -
- - -
krb5_responder_otp_tokeninfo.flags (C member) -
- - -
krb5_responder_otp_tokeninfo.format (C member) -
- - -
krb5_responder_otp_tokeninfo.length (C member) -
- - -
krb5_responder_otp_tokeninfo.token_id (C member) -
- - -
krb5_responder_otp_tokeninfo.vendor (C member) -
- - -
krb5_responder_pkinit_challenge (C type) -
- - -
krb5_responder_pkinit_challenge.identities (C member) -
- - -
krb5_responder_pkinit_challenge_free (C function) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (built-in variable) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (built-in variable) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (built-in variable) -
- - -
krb5_responder_pkinit_get_challenge (C function) -
- - -
krb5_responder_pkinit_identity (C type) -
- - -
krb5_responder_pkinit_identity.identity (C member) -
- - -
krb5_responder_pkinit_identity.token_flags (C member) -
- - -
krb5_responder_pkinit_set_answer (C function) -
- - -
KRB5_RESPONDER_QUESTION_OTP (built-in variable) -
- - -
KRB5_RESPONDER_QUESTION_PASSWORD (built-in variable) -
- - -
KRB5_RESPONDER_QUESTION_PKINIT (built-in variable) -
- - -
krb5_responder_set_answer (C function) -
- - -
krb5_response (C type) -
- - -
krb5_response.expected_nonce (C member) -
- - -
krb5_response.magic (C member) -
- - -
krb5_response.message_type (C member) -
- - -
krb5_response.request_time (C member) -
- - -
krb5_response.response (C member) -
- - -
krb5_roundup (built-in variable) -
- - -
KRB5_SAFE (built-in variable) -
- - -
krb5_salttype_to_string (C function) -
- - -
KRB5_SAM_MUST_PK_ENCRYPT_SAD (built-in variable) -
- - -
KRB5_SAM_SEND_ENCRYPTED_SAD (built-in variable) -
- - -
KRB5_SAM_USE_SAD_AS_KEY (built-in variable) -
- - -
krb5_sendauth (C function) -
- - -
krb5_server_decrypt_ticket_keytab (C function) -
- - -
krb5_set_default_realm (C function) -
- - -
krb5_set_default_tgs_enctypes (C function) -
- - -
krb5_set_error_message (C function) -
- - -
krb5_set_kdc_recv_hook (C function) -
- - -
krb5_set_kdc_send_hook (C function) -
- - -
krb5_set_password (C function) -
- - -
krb5_set_password_using_ccache (C function) -
- - -
krb5_set_principal_realm (C function) -
- - -
krb5_set_real_time (C function) -
- - -
krb5_set_trace_callback (C function) -
- - -
krb5_set_trace_filename (C function) -
- - -
krb5_sname_match (C function) -
- - -
krb5_sname_to_principal (C function) -
- - -
krb5_string_to_cksumtype (C function) -
- - -
krb5_string_to_deltat (C function) -
- - -
krb5_string_to_enctype (C function) -
- - -
krb5_string_to_key (C function) -
- - -
krb5_string_to_salttype (C function) -
- - -
krb5_string_to_timestamp (C function) -
- - -
KRB5_TC_MATCH_2ND_TKT (built-in variable) -
- - -
KRB5_TC_MATCH_AUTHDATA (built-in variable) -
- - -
KRB5_TC_MATCH_FLAGS (built-in variable) -
- - -
KRB5_TC_MATCH_FLAGS_EXACT (built-in variable) -
- - -
KRB5_TC_MATCH_IS_SKEY (built-in variable) -
- - -
KRB5_TC_MATCH_KTYPE (built-in variable) -
- - -
KRB5_TC_MATCH_SRV_NAMEONLY (built-in variable) -
- - -
KRB5_TC_MATCH_TIMES (built-in variable) -
- - -
KRB5_TC_MATCH_TIMES_EXACT (built-in variable) -
- - -
KRB5_TC_NOTICKET (built-in variable) -
- - -
KRB5_TC_OPENCLOSE (built-in variable) -
- - -
KRB5_TC_SUPPORTED_KTYPES (built-in variable) -
- - -
KRB5_TGS_NAME (built-in variable) -
- - -
KRB5_TGS_NAME_SIZE (built-in variable) -
- - -
KRB5_TGS_REP (built-in variable) -
- - -
KRB5_TGS_REQ (built-in variable) -
- - -
krb5_ticket (C type) -
- - -
krb5_ticket.enc_part (C member) -
- - -
krb5_ticket.enc_part2 (C member) -
- - -
krb5_ticket.magic (C member) -
- - -
krb5_ticket.server (C member) -
- - -
krb5_ticket_times (C type) -
- - -
krb5_ticket_times.authtime (C member) -
- - -
krb5_ticket_times.endtime (C member) -
- - -
krb5_ticket_times.renew_till (C member) -
- - -
krb5_ticket_times.starttime (C member) -
- - -
krb5_timeofday (C function) -
- - -
krb5_timestamp (C type) -
- - -
krb5_timestamp_to_sfstring (C function) -
- - -
krb5_timestamp_to_string (C function) -
- - -
krb5_tkt_authent (C type) -
- - -
krb5_tkt_authent.ap_options (C member) -
- - -
krb5_tkt_authent.authenticator (C member) -
- - -
krb5_tkt_authent.magic (C member) -
- - -
krb5_tkt_authent.ticket (C member) -
- - -
krb5_tkt_creds_context (C type) -
- - -
krb5_tkt_creds_free (C function) -
- - -
krb5_tkt_creds_get (C function) -
- - -
krb5_tkt_creds_get_creds (C function) -
- - -
krb5_tkt_creds_get_times (C function) -
- - -
krb5_tkt_creds_init (C function) -
- - -
krb5_tkt_creds_step (C function) -
- - -
KRB5_TKT_CREDS_STEP_FLAG_CONTINUE (built-in variable) -
- - -
krb5_trace_callback (C type) -
- - -
krb5_trace_info (C type) -
- - -
krb5_trace_info.message (C member) -
- - -
krb5_transited (C type) -
- - -
krb5_transited.magic (C member) -
- - -
krb5_transited.tr_contents (C member) -
- - -
krb5_transited.tr_type (C member) -
- - -
krb5_typed_data (C type) -
- - -
krb5_typed_data.data (C member) -
- - -
krb5_typed_data.length (C member) -
- - -
krb5_typed_data.magic (C member) -
- - -
krb5_typed_data.type (C member) -
- - -
krb5_ui_2 (C type) -
- - -
krb5_ui_4 (C type) -
- - -
krb5_unparse_name (C function) -
- - -
krb5_unparse_name_ext (C function) -
- - -
krb5_unparse_name_flags (C function) -
- - -
krb5_unparse_name_flags_ext (C function) -
- - -
krb5_us_timeofday (C function) -
- - -
krb5_use_enctype (C function) -
- - -
krb5_verify_authdata_kdc_issued (C function) -
- - -
krb5_verify_checksum (C function) -
- - -
krb5_verify_init_creds (C function) -
- - -
krb5_verify_init_creds_opt (C type) -
- - -
krb5_verify_init_creds_opt.ap_req_nofail (C member) -
- - -
krb5_verify_init_creds_opt.flags (C member) -
- - -
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL (built-in variable) -
- - -
krb5_verify_init_creds_opt_init (C function) -
- - -
krb5_verify_init_creds_opt_set_ap_req_nofail (C function) -
- - -
krb5_vprepend_error_message (C function) -
- - -
krb5_vset_error_message (C function) -
- - -
krb5_vwrap_error_message (C function) -
- - -
KRB5_WELLKNOWN_NAMESTR (built-in variable) -
- - -
krb5_wrap_error_message (C function) -
- - -
krb5_x (built-in variable) -
- - -
krb5_xc (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-L.html b/doc/html/genindex-L.html deleted file mode 100644 index 18426cd..0000000 --- a/doc/html/genindex-L.html +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – L

- - - - -
- -
LR_TYPE_INTERPRETATION_MASK (built-in variable) -
- -
- -
LR_TYPE_THIS_SERVER_ONLY (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-M.html b/doc/html/genindex-M.html deleted file mode 100644 index f4ec55f..0000000 --- a/doc/html/genindex-M.html +++ /dev/null @@ -1,139 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – M

- - - - -
- -
MAX_KEYTAB_NAME_LEN (built-in variable) -
- - -
MSEC_DIRBIT (built-in variable) -
- -
- -
MSEC_VAL_MASK (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-P.html b/doc/html/genindex-P.html deleted file mode 100644 index b9c1853..0000000 --- a/doc/html/genindex-P.html +++ /dev/null @@ -1,143 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – P

- - - - -
- -
passwd_phrase_element (C type) -
- - -
passwd_phrase_element.magic (C member) -
- -
- -
passwd_phrase_element.passwd (C member) -
- - -
passwd_phrase_element.phrase (C member) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-R.html b/doc/html/genindex-R.html deleted file mode 100644 index b879805..0000000 --- a/doc/html/genindex-R.html +++ /dev/null @@ -1,240 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – R

- - - -
- -
- RFC -
- -
- -
RFC 1964 -
- - -
RFC 2253 -
- - -
RFC 2743 -
- - -
RFC 2744 -
- - -
RFC 2782 -
- - -
RFC 3244 -
- - -
RFC 3961, [1] -
- - -
RFC 4120 -
- - -
RFC 4120#section-10 -
- - -
RFC 4120#section-5.2.7.2 -
- - -
RFC 4120#section-5.2.7.3 -
- - -
RFC 4556, [1], [2], [3], [4], [5] -
- - -
RFC 4757 -
- - -
RFC 5587 -
- - -
RFC 5588 -
- - -
RFC 5801 -
- - -
RFC 5896 -
- - -
RFC 6112 -
- - -
RFC 6113, [1], [2], [3], [4], [5] -
- - -
RFC 6113#section-5.2 -
- - -
RFC 6560 -
- - -
RFC 6649 -
- - -
RFC 6680, [1] -
- - -
RFC 6803 -
- - -
RFC 6806, [1] -
- - -
RFC 7546 -
- - -
RFC 7553 -
- -
-
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-S.html b/doc/html/genindex-S.html deleted file mode 100644 index a00d08f..0000000 --- a/doc/html/genindex-S.html +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – S

- - - - -
- -
SALT_TYPE_AFS_LENGTH (built-in variable) -
- -
- -
SALT_TYPE_NO_LENGTH (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-T.html b/doc/html/genindex-T.html deleted file mode 100644 index 14484e6..0000000 --- a/doc/html/genindex-T.html +++ /dev/null @@ -1,191 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – T

- - - - -
- -
THREEPARAMOPEN (built-in variable) -
- - -
TKT_FLG_ANONYMOUS (built-in variable) -
- - -
TKT_FLG_ENC_PA_REP (built-in variable) -
- - -
TKT_FLG_FORWARDABLE (built-in variable) -
- - -
TKT_FLG_FORWARDED (built-in variable) -
- - -
TKT_FLG_HW_AUTH (built-in variable) -
- - -
TKT_FLG_INITIAL (built-in variable) -
- - -
TKT_FLG_INVALID (built-in variable) -
- -
- -
TKT_FLG_MAY_POSTDATE (built-in variable) -
- - -
TKT_FLG_OK_AS_DELEGATE (built-in variable) -
- - -
TKT_FLG_POSTDATED (built-in variable) -
- - -
TKT_FLG_PRE_AUTH (built-in variable) -
- - -
TKT_FLG_PROXIABLE (built-in variable) -
- - -
TKT_FLG_PROXY (built-in variable) -
- - -
TKT_FLG_RENEWABLE (built-in variable) -
- - -
TKT_FLG_TRANSIT_POLICY_CHECKED (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-V.html b/doc/html/genindex-V.html deleted file mode 100644 index 7d1809b..0000000 --- a/doc/html/genindex-V.html +++ /dev/null @@ -1,135 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index – V

- - - - -
- -
VALID_INT_BITS (built-in variable) -
- -
- -
VALID_UINT_BITS (built-in variable) -
- -
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex-all.html b/doc/html/genindex-all.html deleted file mode 100644 index b104738..0000000 --- a/doc/html/genindex-all.html +++ /dev/null @@ -1,4540 +0,0 @@ - - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index

- -
- A - | C - | E - | K - | L - | M - | P - | R - | S - | T - | V - -
-

A

- - - -
- -
AD_TYPE_EXTERNAL (built-in variable) -
- - -
AD_TYPE_FIELD_TYPE_MASK (built-in variable) -
- - -
AD_TYPE_REGISTERED (built-in variable) -
- - -
AD_TYPE_RESERVED (built-in variable) -
- - -
ADDRTYPE_ADDRPORT (built-in variable) -
- - -
ADDRTYPE_CHAOS (built-in variable) -
- - -
ADDRTYPE_DDP (built-in variable) -
- - -
ADDRTYPE_INET (built-in variable) -
- - -
ADDRTYPE_INET6 (built-in variable) -
- - -
ADDRTYPE_IPPORT (built-in variable) -
- -
- -
ADDRTYPE_IS_LOCAL (built-in variable) -
- - -
ADDRTYPE_ISO (built-in variable) -
- - -
ADDRTYPE_NETBIOS (built-in variable) -
- - -
ADDRTYPE_XNS (built-in variable) -
- - -
AP_OPTS_ETYPE_NEGOTIATION (built-in variable) -
- - -
AP_OPTS_MUTUAL_REQUIRED (built-in variable) -
- - -
AP_OPTS_RESERVED (built-in variable) -
- - -
AP_OPTS_USE_SESSION_KEY (built-in variable) -
- - -
AP_OPTS_USE_SUBKEY (built-in variable) -
- - -
AP_OPTS_WIRE_MASK (built-in variable) -
- -
- -

C

- - - -
- -
CKSUMTYPE_CMAC_CAMELLIA128 (built-in variable) -
- - -
CKSUMTYPE_CMAC_CAMELLIA256 (built-in variable) -
- - -
CKSUMTYPE_CRC32 (built-in variable) -
- - -
CKSUMTYPE_DESCBC (built-in variable) -
- - -
CKSUMTYPE_HMAC_MD5_ARCFOUR (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_96_AES128 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_96_AES256 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA1_DES3 (built-in variable) -
- -
- -
CKSUMTYPE_HMAC_SHA256_128_AES128 (built-in variable) -
- - -
CKSUMTYPE_HMAC_SHA384_192_AES256 (built-in variable) -
- - -
CKSUMTYPE_MD5_HMAC_ARCFOUR (built-in variable) -
- - -
CKSUMTYPE_NIST_SHA (built-in variable) -
- - -
CKSUMTYPE_RSA_MD4 (built-in variable) -
- - -
CKSUMTYPE_RSA_MD4_DES (built-in variable) -
- - -
CKSUMTYPE_RSA_MD5 (built-in variable) -
- - -
CKSUMTYPE_RSA_MD5_DES (built-in variable) -
- -
- -

E

- - - -
- -
ENCTYPE_AES128_CTS_HMAC_SHA1_96 (built-in variable) -
- - -
ENCTYPE_AES128_CTS_HMAC_SHA256_128 (built-in variable) -
- - -
ENCTYPE_AES256_CTS_HMAC_SHA1_96 (built-in variable) -
- - -
ENCTYPE_AES256_CTS_HMAC_SHA384_192 (built-in variable) -
- - -
ENCTYPE_ARCFOUR_HMAC (built-in variable) -
- - -
ENCTYPE_ARCFOUR_HMAC_EXP (built-in variable) -
- - -
ENCTYPE_CAMELLIA128_CTS_CMAC (built-in variable) -
- - -
ENCTYPE_CAMELLIA256_CTS_CMAC (built-in variable) -
- - -
ENCTYPE_DES3_CBC_ENV (built-in variable) -
- - -
ENCTYPE_DES3_CBC_RAW (built-in variable) -
- - -
ENCTYPE_DES3_CBC_SHA (built-in variable) -
- - -
ENCTYPE_DES3_CBC_SHA1 (built-in variable) -
- - -
ENCTYPE_DES_CBC_CRC (built-in variable) -
- -
- -
ENCTYPE_DES_CBC_MD4 (built-in variable) -
- - -
ENCTYPE_DES_CBC_MD5 (built-in variable) -
- - -
ENCTYPE_DES_CBC_RAW (built-in variable) -
- - -
ENCTYPE_DES_HMAC_SHA1 (built-in variable) -
- - -
ENCTYPE_DSA_SHA1_CMS (built-in variable) -
- - -
ENCTYPE_MD5_RSA_CMS (built-in variable) -
- - -
ENCTYPE_NULL (built-in variable) -
- - -
ENCTYPE_RC2_CBC_ENV (built-in variable) -
- - -
ENCTYPE_RSA_ENV (built-in variable) -
- - -
ENCTYPE_RSA_ES_OAEP_ENV (built-in variable) -
- - -
ENCTYPE_SHA1_RSA_CMS (built-in variable) -
- - -
ENCTYPE_UNKNOWN (built-in variable) -
- -
- -

K

- - - -
- -
KDC_OPT_ALLOW_POSTDATE (built-in variable) -
- - -
KDC_OPT_CANONICALIZE (built-in variable) -
- - -
KDC_OPT_CNAME_IN_ADDL_TKT (built-in variable) -
- - -
KDC_OPT_DISABLE_TRANSITED_CHECK (built-in variable) -
- - -
KDC_OPT_ENC_TKT_IN_SKEY (built-in variable) -
- - -
KDC_OPT_FORWARDABLE (built-in variable) -
- - -
KDC_OPT_FORWARDED (built-in variable) -
- - -
KDC_OPT_POSTDATED (built-in variable) -
- - -
KDC_OPT_PROXIABLE (built-in variable) -
- - -
KDC_OPT_PROXY (built-in variable) -
- - -
KDC_OPT_RENEW (built-in variable) -
- - -
KDC_OPT_RENEWABLE (built-in variable) -
- - -
KDC_OPT_RENEWABLE_OK (built-in variable) -
- - -
KDC_OPT_REQUEST_ANONYMOUS (built-in variable) -
- - -
KDC_OPT_VALIDATE (built-in variable) -
- - -
KDC_TKT_COMMON_MASK (built-in variable) -
- - -
krb524_convert_creds_kdc (built-in variable) -
- - -
krb524_init_ets (built-in variable) -
- - -
krb5_425_conv_principal (C function) -
- - -
krb5_524_conv_principal (C function) -
- - -
krb5_524_convert_creds (C function) -
- - -
krb5_address (C type) -
- - -
krb5_address.addrtype (C member) -
- - -
krb5_address.contents (C member) -
- - -
krb5_address.length (C member) -
- - -
krb5_address.magic (C member) -
- - -
krb5_address_compare (C function) -
- - -
krb5_address_order (C function) -
- - -
krb5_address_search (C function) -
- - -
krb5_addrtype (C type) -
- - -
krb5_allow_weak_crypto (C function) -
- - -
KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE (built-in variable) -
- - -
krb5_aname_to_localname (C function) -
- - -
krb5_anonymous_principal (C function) -
- - -
KRB5_ANONYMOUS_PRINCSTR (built-in variable) -
- - -
krb5_anonymous_realm (C function) -
- - -
KRB5_ANONYMOUS_REALMSTR (built-in variable) -
- - -
KRB5_AP_REP (built-in variable) -
- - -
krb5_ap_rep (C type) -
- - -
krb5_ap_rep.enc_part (C member) -
- - -
krb5_ap_rep.magic (C member) -
- - -
krb5_ap_rep_enc_part (C type) -
- - -
krb5_ap_rep_enc_part.ctime (C member) -
- - -
krb5_ap_rep_enc_part.cusec (C member) -
- - -
krb5_ap_rep_enc_part.magic (C member) -
- - -
krb5_ap_rep_enc_part.seq_number (C member) -
- - -
krb5_ap_rep_enc_part.subkey (C member) -
- - -
KRB5_AP_REQ (built-in variable) -
- - -
krb5_ap_req (C type) -
- - -
krb5_ap_req.ap_options (C member) -
- - -
krb5_ap_req.authenticator (C member) -
- - -
krb5_ap_req.magic (C member) -
- - -
krb5_ap_req.ticket (C member) -
- - -
krb5_appdefault_boolean (C function) -
- - -
krb5_appdefault_string (C function) -
- - -
KRB5_AS_REP (built-in variable) -
- - -
KRB5_AS_REQ (built-in variable) -
- - -
krb5_auth_con_free (C function) -
- - -
krb5_auth_con_genaddrs (C function) -
- - -
krb5_auth_con_get_checksum_func (C function) -
- - -
krb5_auth_con_getaddrs (C function) -
- - -
krb5_auth_con_getauthenticator (C function) -
- - -
krb5_auth_con_getflags (C function) -
- - -
krb5_auth_con_getkey (C function) -
- - -
krb5_auth_con_getkey_k (C function) -
- - -
krb5_auth_con_getlocalseqnumber (C function) -
- - -
krb5_auth_con_getlocalsubkey (C function) -
- - -
krb5_auth_con_getrcache (C function) -
- - -
krb5_auth_con_getrecvsubkey (C function) -
- - -
krb5_auth_con_getrecvsubkey_k (C function) -
- - -
krb5_auth_con_getremoteseqnumber (C function) -
- - -
krb5_auth_con_getremotesubkey (C function) -
- - -
krb5_auth_con_getsendsubkey (C function) -
- - -
krb5_auth_con_getsendsubkey_k (C function) -
- - -
krb5_auth_con_init (C function) -
- - -
krb5_auth_con_initivector (C function) -
- - -
krb5_auth_con_set_checksum_func (C function) -
- - -
krb5_auth_con_set_req_cksumtype (C function) -
- - -
krb5_auth_con_setaddrs (C function) -
- - -
krb5_auth_con_setflags (C function) -
- - -
krb5_auth_con_setports (C function) -
- - -
krb5_auth_con_setrcache (C function) -
- - -
krb5_auth_con_setrecvsubkey (C function) -
- - -
krb5_auth_con_setrecvsubkey_k (C function) -
- - -
krb5_auth_con_setsendsubkey (C function) -
- - -
krb5_auth_con_setsendsubkey_k (C function) -
- - -
krb5_auth_con_setuseruserkey (C function) -
- - -
krb5_auth_context (C type) -
- - -
KRB5_AUTH_CONTEXT_DO_SEQUENCE (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_DO_TIME (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_PERMIT_ALL (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_RET_SEQUENCE (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_RET_TIME (built-in variable) -
- - -
KRB5_AUTH_CONTEXT_USE_SUBKEY (built-in variable) -
- - -
krb5_authdata (C type) -
- - -
krb5_authdata.ad_type (C member) -
- - -
krb5_authdata.contents (C member) -
- - -
krb5_authdata.length (C member) -
- - -
krb5_authdata.magic (C member) -
- - -
KRB5_AUTHDATA_AND_OR (built-in variable) -
- - -
KRB5_AUTHDATA_AUTH_INDICATOR (built-in variable) -
- - -
KRB5_AUTHDATA_CAMMAC (built-in variable) -
- - -
KRB5_AUTHDATA_ETYPE_NEGOTIATION (built-in variable) -
- - -
KRB5_AUTHDATA_FX_ARMOR (built-in variable) -
- - -
KRB5_AUTHDATA_IF_RELEVANT (built-in variable) -
- - -
KRB5_AUTHDATA_INITIAL_VERIFIED_CAS (built-in variable) -
- - -
KRB5_AUTHDATA_KDC_ISSUED (built-in variable) -
- - -
KRB5_AUTHDATA_MANDATORY_FOR_KDC (built-in variable) -
- - -
KRB5_AUTHDATA_OSF_DCE (built-in variable) -
- - -
KRB5_AUTHDATA_SESAME (built-in variable) -
- - -
KRB5_AUTHDATA_SIGNTICKET (built-in variable) -
- - -
KRB5_AUTHDATA_WIN2K_PAC (built-in variable) -
- - -
krb5_authdatatype (C type) -
- - -
krb5_authenticator (C type) -
- - -
krb5_authenticator.authorization_data (C member) -
- - -
krb5_authenticator.checksum (C member) -
- - -
krb5_authenticator.client (C member) -
- - -
krb5_authenticator.ctime (C member) -
- - -
krb5_authenticator.cusec (C member) -
- - -
krb5_authenticator.magic (C member) -
- - -
krb5_authenticator.seq_number (C member) -
- - -
krb5_authenticator.subkey (C member) -
- - -
krb5_boolean (C type) -
- - -
krb5_build_principal (C function) -
- - -
krb5_build_principal_alloc_va (C function) -
- - -
krb5_build_principal_ext (C function) -
- - -
krb5_build_principal_va (C function) -
- - -
krb5_c_block_size (C function) -
- - -
krb5_c_checksum_length (C function) -
- - -
krb5_c_crypto_length (C function) -
- - -
krb5_c_crypto_length_iov (C function) -
- - -
krb5_c_decrypt (C function) -
- - -
krb5_c_decrypt_iov (C function) -
- - -
krb5_c_derive_prfplus (C function) -
- - -
krb5_c_encrypt (C function) -
- - -
krb5_c_encrypt_iov (C function) -
- - -
krb5_c_encrypt_length (C function) -
- - -
krb5_c_enctype_compare (C function) -
- - -
krb5_c_free_state (C function) -
- - -
krb5_c_fx_cf2_simple (C function) -
- - -
krb5_c_init_state (C function) -
- - -
krb5_c_is_coll_proof_cksum (C function) -
- - -
krb5_c_is_keyed_cksum (C function) -
- - -
krb5_c_keyed_checksum_types (C function) -
- - -
krb5_c_keylengths (C function) -
- - -
krb5_c_make_checksum (C function) -
- - -
krb5_c_make_checksum_iov (C function) -
- - -
krb5_c_make_random_key (C function) -
- - -
krb5_c_padding_length (C function) -
- - -
krb5_c_prf (C function) -
- - -
krb5_c_prf_length (C function) -
- - -
krb5_c_prfplus (C function) -
- - -
krb5_c_random_add_entropy (C function) -
- - -
krb5_c_random_make_octets (C function) -
- - -
krb5_c_random_os_entropy (C function) -
- - -
krb5_c_random_seed (C function) -
- - -
krb5_c_random_to_key (C function) -
- - -
krb5_c_string_to_key (C function) -
- - -
krb5_c_string_to_key_with_params (C function) -
- - -
krb5_c_valid_cksumtype (C function) -
- - -
krb5_c_valid_enctype (C function) -
- - -
krb5_c_verify_checksum (C function) -
- - -
krb5_c_verify_checksum_iov (C function) -
- - -
krb5_calculate_checksum (C function) -
- - -
krb5_cc_cache_match (C function) -
- - -
krb5_cc_close (C function) -
- - -
krb5_cc_copy_creds (C function) -
- - -
krb5_cc_cursor (C type) -
- - -
krb5_cc_default (C function) -
- - -
krb5_cc_default_name (C function) -
- - -
krb5_cc_destroy (C function) -
- - -
krb5_cc_dup (C function) -
- - -
krb5_cc_end_seq_get (C function) -
- - -
krb5_cc_gen_new (C function) -
- - -
krb5_cc_get_config (C function) -
- - -
krb5_cc_get_flags (C function) -
- - -
krb5_cc_get_full_name (C function) -
- - -
krb5_cc_get_name (C function) -
- - -
krb5_cc_get_principal (C function) -
- - -
krb5_cc_get_type (C function) -
- - -
krb5_cc_initialize (C function) -
- - -
krb5_cc_last_change_time (C function) -
- - -
krb5_cc_lock (C function) -
- - -
krb5_cc_move (C function) -
- - -
krb5_cc_new_unique (C function) -
- - -
krb5_cc_next_cred (C function) -
- - -
krb5_cc_remove_cred (C function) -
- - -
krb5_cc_resolve (C function) -
- - -
krb5_cc_retrieve_cred (C function) -
- - -
krb5_cc_select (C function) -
- - -
krb5_cc_set_config (C function) -
- - -
krb5_cc_set_default_name (C function) -
- - -
krb5_cc_set_flags (C function) -
- - -
krb5_cc_start_seq_get (C function) -
- - -
krb5_cc_store_cred (C function) -
- - -
krb5_cc_support_switch (C function) -
- - -
krb5_cc_switch (C function) -
- - -
krb5_cc_unlock (C function) -
- - -
krb5_ccache (C type) -
- - -
krb5_cccol_cursor (C type) -
- - -
krb5_cccol_cursor_free (C function) -
- - -
krb5_cccol_cursor_new (C function) -
- - -
krb5_cccol_cursor_next (C function) -
- - -
krb5_cccol_have_content (C function) -
- - -
krb5_cccol_last_change_time (C function) -
- - -
krb5_cccol_lock (C function) -
- - -
krb5_cccol_unlock (C function) -
- - -
krb5_change_password (C function) -
- - -
krb5_check_clockskew (C function) -
- - -
krb5_checksum (C type) -
- - -
krb5_checksum.checksum_type (C member) -
- - -
krb5_checksum.contents (C member) -
- - -
krb5_checksum.length (C member) -
- - -
krb5_checksum.magic (C member) -
- - -
krb5_checksum_size (C function) -
- - -
krb5_chpw_message (C function) -
- - -
krb5_cksumtype (C type) -
- - -
krb5_cksumtype_to_string (C function) -
- - -
krb5_clear_error_message (C function) -
- - -
krb5_const (built-in variable) -
- - -
krb5_const_pointer (C type) -
- - -
krb5_const_principal (C type) -
- - -
krb5_const_principal.data (C member) -
- - -
krb5_const_principal.length (C member) -
- - -
krb5_const_principal.magic (C member) -
- - -
krb5_const_principal.realm (C member) -
- - -
krb5_const_principal.type (C member) -
- - -
krb5_context (C type) -
- - -
krb5_copy_addresses (C function) -
- - -
krb5_copy_authdata (C function) -
- - -
krb5_copy_authenticator (C function) -
- - -
krb5_copy_checksum (C function) -
- - -
krb5_copy_context (C function) -
- - -
krb5_copy_creds (C function) -
- - -
krb5_copy_data (C function) -
- - -
krb5_copy_error_message (C function) -
- - -
krb5_copy_keyblock (C function) -
- - -
krb5_copy_keyblock_contents (C function) -
- - -
krb5_copy_principal (C function) -
- - -
krb5_copy_ticket (C function) -
- - -
KRB5_CRED (built-in variable) -
- - -
krb5_cred (C type) -
- - -
krb5_cred.enc_part (C member) -
- - -
krb5_cred.enc_part2 (C member) -
- - -
krb5_cred.magic (C member) -
- - -
krb5_cred.tickets (C member) -
- - -
krb5_cred_enc_part (C type) -
- - -
krb5_cred_enc_part.magic (C member) -
- - -
krb5_cred_enc_part.nonce (C member) -
- - -
krb5_cred_enc_part.r_address (C member) -
- - -
krb5_cred_enc_part.s_address (C member) -
- - -
krb5_cred_enc_part.ticket_info (C member) -
- - -
krb5_cred_enc_part.timestamp (C member) -
- - -
krb5_cred_enc_part.usec (C member) -
- - -
krb5_cred_info (C type) -
- - -
krb5_cred_info.caddrs (C member) -
- - -
krb5_cred_info.client (C member) -
- - -
krb5_cred_info.flags (C member) -
- - -
krb5_cred_info.magic (C member) -
- - -
krb5_cred_info.server (C member) -
- - -
krb5_cred_info.session (C member) -
- - -
krb5_cred_info.times (C member) -
- - -
krb5_creds (C type) -
- - -
krb5_creds.addresses (C member) -
- - -
krb5_creds.authdata (C member) -
- - -
krb5_creds.client (C member) -
- - -
krb5_creds.is_skey (C member) -
- - -
krb5_creds.keyblock (C member) -
- - -
krb5_creds.magic (C member) -
- - -
krb5_creds.second_ticket (C member) -
- - -
krb5_creds.server (C member) -
- - -
krb5_creds.ticket (C member) -
- - -
krb5_creds.ticket_flags (C member) -
- - -
krb5_creds.times (C member) -
- - -
krb5_crypto_iov (C type) -
- - -
krb5_crypto_iov.data (C member) -
- - -
krb5_crypto_iov.flags (C member) -
- - -
KRB5_CRYPTO_TYPE_CHECKSUM (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_DATA (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_EMPTY (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_HEADER (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_PADDING (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_SIGN_ONLY (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_STREAM (built-in variable) -
- - -
KRB5_CRYPTO_TYPE_TRAILER (built-in variable) -
- - -
krb5_cryptotype (C type) -
- - -
KRB5_CYBERSAFE_SECUREID (built-in variable) -
- - -
krb5_data (C type) -
- - -
krb5_data.data (C member) -
- - -
krb5_data.length (C member) -
- - -
krb5_data.magic (C member) -
- - -
krb5_decode_authdata_container (C function) -
- - -
krb5_decode_ticket (C function) -
- - -
krb5_decrypt (C function) -
- - -
krb5_deltat (C type) -
- - -
krb5_deltat_to_string (C function) -
- - -
KRB5_DOMAIN_X500_COMPRESS (built-in variable) -
- - -
krb5_eblock_enctype (C function) -
- - -
krb5_enc_data (C type) -
- - -
krb5_enc_data.ciphertext (C member) -
- - -
krb5_enc_data.enctype (C member) -
- - -
krb5_enc_data.kvno (C member) -
- - -
krb5_enc_data.magic (C member) -
- - -
krb5_enc_kdc_rep_part (C type) -
- - -
krb5_enc_kdc_rep_part.caddrs (C member) -
- - -
krb5_enc_kdc_rep_part.enc_padata (C member) -
- - -
krb5_enc_kdc_rep_part.flags (C member) -
- - -
krb5_enc_kdc_rep_part.key_exp (C member) -
- - -
krb5_enc_kdc_rep_part.last_req (C member) -
- - -
krb5_enc_kdc_rep_part.magic (C member) -
- - -
krb5_enc_kdc_rep_part.msg_type (C member) -
- - -
krb5_enc_kdc_rep_part.nonce (C member) -
- - -
krb5_enc_kdc_rep_part.server (C member) -
- - -
krb5_enc_kdc_rep_part.session (C member) -
- - -
krb5_enc_kdc_rep_part.times (C member) -
- - -
krb5_enc_tkt_part (C type) -
- - -
krb5_enc_tkt_part.authorization_data (C member) -
- - -
krb5_enc_tkt_part.caddrs (C member) -
- - -
krb5_enc_tkt_part.client (C member) -
- - -
krb5_enc_tkt_part.flags (C member) -
- - -
krb5_enc_tkt_part.magic (C member) -
- - -
krb5_enc_tkt_part.session (C member) -
- - -
krb5_enc_tkt_part.times (C member) -
- - -
krb5_enc_tkt_part.transited (C member) -
- - -
krb5_encode_authdata_container (C function) -
- - -
KRB5_ENCPADATA_REQ_ENC_PA_REP (built-in variable) -
- - -
krb5_encrypt (C function) -
- - -
krb5_encrypt_block (C type) -
- - -
krb5_encrypt_block.crypto_entry (C member) -
- - -
krb5_encrypt_block.key (C member) -
- - -
krb5_encrypt_block.magic (C member) -
- - -
krb5_encrypt_size (C function) -
- - -
krb5_enctype (C type) -
- - -
krb5_enctype_to_name (C function) -
- - -
krb5_enctype_to_string (C function) -
- - -
KRB5_ERROR (built-in variable) -
- - -
krb5_error (C type) -
- - -
krb5_error.client (C member) -
- - -
krb5_error.ctime (C member) -
- - -
krb5_error.cusec (C member) -
- - -
krb5_error.e_data (C member) -
- - -
krb5_error.error (C member) -
- - -
krb5_error.magic (C member) -
- - -
krb5_error.server (C member) -
- - -
krb5_error.stime (C member) -
- - -
krb5_error.susec (C member) -
- - -
krb5_error.text (C member) -
- - -
krb5_error_code (C type) -
- - -
krb5_expand_hostname (C function) -
- - -
krb5_expire_callback_func (C type) -
- - -
KRB5_FAST_REQUIRED (built-in variable) -
- - -
krb5_find_authdata (C function) -
- - -
krb5_finish_key (C function) -
- - -
krb5_finish_random_key (C function) -
- - -
krb5_flags (C type) -
- - -
krb5_free_addresses (C function) -
- - -
krb5_free_ap_rep_enc_part (C function) -
- - -
krb5_free_authdata (C function) -
- - -
krb5_free_authenticator (C function) -
- - -
krb5_free_checksum (C function) -
- - -
krb5_free_checksum_contents (C function) -
- - -
krb5_free_cksumtypes (C function) -
- - -
krb5_free_context (C function) -
- - -
krb5_free_cred_contents (C function) -
- - -
krb5_free_creds (C function) -
- - -
krb5_free_data (C function) -
- - -
krb5_free_data_contents (C function) -
- - -
krb5_free_default_realm (C function) -
- - -
krb5_free_enctypes (C function) -
- - -
krb5_free_error (C function) -
- - -
krb5_free_error_message (C function) -
- - -
krb5_free_host_realm (C function) -
- - -
krb5_free_keyblock (C function) -
- - -
krb5_free_keyblock_contents (C function) -
- - -
krb5_free_keytab_entry_contents (C function) -
- - -
krb5_free_principal (C function) -
- - -
krb5_free_string (C function) -
- - -
krb5_free_tgt_creds (C function) -
- - -
krb5_free_ticket (C function) -
- - -
krb5_free_unparsed_name (C function) -
- - -
krb5_fwd_tgt_creds (C function) -
- - -
KRB5_GC_CACHED (built-in variable) -
- - -
KRB5_GC_CANONICALIZE (built-in variable) -
- - -
KRB5_GC_CONSTRAINED_DELEGATION (built-in variable) -
- - -
KRB5_GC_FORWARDABLE (built-in variable) -
- - -
KRB5_GC_NO_STORE (built-in variable) -
- - -
KRB5_GC_NO_TRANSIT_CHECK (built-in variable) -
- - -
KRB5_GC_USER_USER (built-in variable) -
- - -
krb5_get_credentials (C function) -
- - -
krb5_get_credentials_renew (C function) -
- - -
krb5_get_credentials_validate (C function) -
- - -
krb5_get_default_realm (C function) -
- - -
krb5_get_error_message (C function) -
- - -
krb5_get_fallback_host_realm (C function) -
- - -
krb5_get_host_realm (C function) -
- - -
krb5_get_in_tkt_with_keytab (C function) -
- - -
krb5_get_in_tkt_with_password (C function) -
- - -
krb5_get_in_tkt_with_skey (C function) -
- - -
krb5_get_init_creds_keytab (C function) -
- - -
krb5_get_init_creds_opt (C type) -
- - -
krb5_get_init_creds_opt.address_list (C member) -
- - -
krb5_get_init_creds_opt.etype_list (C member) -
- - -
krb5_get_init_creds_opt.etype_list_length (C member) -
- - -
krb5_get_init_creds_opt.flags (C member) -
- - -
krb5_get_init_creds_opt.forwardable (C member) -
- - -
krb5_get_init_creds_opt.preauth_list (C member) -
- - -
krb5_get_init_creds_opt.preauth_list_length (C member) -
- - -
krb5_get_init_creds_opt.proxiable (C member) -
- - -
krb5_get_init_creds_opt.renew_life (C member) -
- - -
krb5_get_init_creds_opt.salt (C member) -
- - -
krb5_get_init_creds_opt.tkt_life (C member) -
- - -
KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST (built-in variable) -
- - -
krb5_get_init_creds_opt_alloc (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_ANONYMOUS (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_CANONICALIZE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_FORWARDABLE (built-in variable) -
- - -
krb5_get_init_creds_opt_free (C function) -
- - -
krb5_get_init_creds_opt_get_fast_flags (C function) -
- - -
krb5_get_init_creds_opt_init (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_PROXIABLE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE (built-in variable) -
- - -
KRB5_GET_INIT_CREDS_OPT_SALT (built-in variable) -
- - -
krb5_get_init_creds_opt_set_address_list (C function) -
- - -
krb5_get_init_creds_opt_set_anonymous (C function) -
- - -
krb5_get_init_creds_opt_set_canonicalize (C function) -
- - -
krb5_get_init_creds_opt_set_change_password_prompt (C function) -
- - -
krb5_get_init_creds_opt_set_etype_list (C function) -
- - -
krb5_get_init_creds_opt_set_expire_callback (C function) -
- - -
krb5_get_init_creds_opt_set_fast_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_fast_ccache_name (C function) -
- - -
krb5_get_init_creds_opt_set_fast_flags (C function) -
- - -
krb5_get_init_creds_opt_set_forwardable (C function) -
- - -
krb5_get_init_creds_opt_set_in_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_out_ccache (C function) -
- - -
krb5_get_init_creds_opt_set_pa (C function) -
- - -
krb5_get_init_creds_opt_set_pac_request (C function) -
- - -
krb5_get_init_creds_opt_set_preauth_list (C function) -
- - -
krb5_get_init_creds_opt_set_proxiable (C function) -
- - -
krb5_get_init_creds_opt_set_renew_life (C function) -
- - -
krb5_get_init_creds_opt_set_responder (C function) -
- - -
krb5_get_init_creds_opt_set_salt (C function) -
- - -
krb5_get_init_creds_opt_set_tkt_life (C function) -
- - -
KRB5_GET_INIT_CREDS_OPT_TKT_LIFE (built-in variable) -
- - -
krb5_get_init_creds_password (C function) -
- - -
krb5_get_permitted_enctypes (C function) -
- - -
krb5_get_profile (C function) -
- - -
krb5_get_prompt_types (C function) -
- - -
krb5_get_renewed_creds (C function) -
- - -
krb5_get_server_rcache (C function) -
- - -
krb5_get_time_offsets (C function) -
- - -
krb5_get_validated_creds (C function) -
- - -
krb5_gic_opt_pa_data (C type) -
- - -
krb5_gic_opt_pa_data.attr (C member) -
- - -
krb5_gic_opt_pa_data.value (C member) -
- - -
krb5_init_context (C function) -
- - -
KRB5_INIT_CONTEXT_KDC (built-in variable) -
- - -
krb5_init_context_profile (C function) -
- - -
KRB5_INIT_CONTEXT_SECURE (built-in variable) -
- - -
krb5_init_creds_context (C type) -
- - -
krb5_init_creds_free (C function) -
- - -
krb5_init_creds_get (C function) -
- - -
krb5_init_creds_get_creds (C function) -
- - -
krb5_init_creds_get_error (C function) -
- - -
krb5_init_creds_get_times (C function) -
- - -
krb5_init_creds_init (C function) -
- - -
krb5_init_creds_set_keytab (C function) -
- - -
krb5_init_creds_set_password (C function) -
- - -
krb5_init_creds_set_service (C function) -
- - -
krb5_init_creds_step (C function) -
- - -
KRB5_INIT_CREDS_STEP_FLAG_CONTINUE (built-in variable) -
- - -
krb5_init_keyblock (C function) -
- - -
krb5_init_random_key (C function) -
- - -
krb5_init_secure_context (C function) -
- - -
krb5_int16 (C type) -
- -
- -
KRB5_INT16_MAX (built-in variable) -
- - -
KRB5_INT16_MIN (built-in variable) -
- - -
krb5_int32 (C type) -
- - -
KRB5_INT32_MAX (built-in variable) -
- - -
KRB5_INT32_MIN (built-in variable) -
- - -
krb5_is_config_principal (C function) -
- - -
krb5_is_referral_realm (C function) -
- - -
krb5_is_thread_safe (C function) -
- - -
krb5_k_create_key (C function) -
- - -
krb5_k_decrypt (C function) -
- - -
krb5_k_decrypt_iov (C function) -
- - -
krb5_k_encrypt (C function) -
- - -
krb5_k_encrypt_iov (C function) -
- - -
krb5_k_free_key (C function) -
- - -
krb5_k_key_enctype (C function) -
- - -
krb5_k_key_keyblock (C function) -
- - -
krb5_k_make_checksum (C function) -
- - -
krb5_k_make_checksum_iov (C function) -
- - -
krb5_k_prf (C function) -
- - -
krb5_k_reference_key (C function) -
- - -
krb5_k_verify_checksum (C function) -
- - -
krb5_k_verify_checksum_iov (C function) -
- - -
krb5_kdc_rep (C type) -
- - -
krb5_kdc_rep.client (C member) -
- - -
krb5_kdc_rep.enc_part (C member) -
- - -
krb5_kdc_rep.enc_part2 (C member) -
- - -
krb5_kdc_rep.magic (C member) -
- - -
krb5_kdc_rep.msg_type (C member) -
- - -
krb5_kdc_rep.padata (C member) -
- - -
krb5_kdc_rep.ticket (C member) -
- - -
krb5_kdc_req (C type) -
- - -
krb5_kdc_req.addresses (C member) -
- - -
krb5_kdc_req.authorization_data (C member) -
- - -
krb5_kdc_req.client (C member) -
- - -
krb5_kdc_req.from (C member) -
- - -
krb5_kdc_req.kdc_options (C member) -
- - -
krb5_kdc_req.ktype (C member) -
- - -
krb5_kdc_req.magic (C member) -
- - -
krb5_kdc_req.msg_type (C member) -
- - -
krb5_kdc_req.nktypes (C member) -
- - -
krb5_kdc_req.nonce (C member) -
- - -
krb5_kdc_req.padata (C member) -
- - -
krb5_kdc_req.rtime (C member) -
- - -
krb5_kdc_req.second_ticket (C member) -
- - -
krb5_kdc_req.server (C member) -
- - -
krb5_kdc_req.till (C member) -
- - -
krb5_kdc_req.unenc_authdata (C member) -
- - -
krb5_key (C type) -
- - -
krb5_keyblock (C type) -
- - -
krb5_keyblock.contents (C member) -
- - -
krb5_keyblock.enctype (C member) -
- - -
krb5_keyblock.length (C member) -
- - -
krb5_keyblock.magic (C member) -
- - -
krb5_keytab (C type) -
- - -
krb5_keytab_entry (C type) -
- - -
krb5_keytab_entry.key (C member) -
- - -
krb5_keytab_entry.magic (C member) -
- - -
krb5_keytab_entry.principal (C member) -
- - -
krb5_keytab_entry.timestamp (C member) -
- - -
krb5_keytab_entry.vno (C member) -
- - -
krb5_keyusage (C type) -
- - -
KRB5_KEYUSAGE_AD_ITE (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_MTE (built-in variable) -
- - -
KRB5_KEYUSAGE_AD_SIGNEDPATH (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REP_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REQ_AUTH (built-in variable) -
- - -
KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_APP_DATA_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_APP_DATA_ENCRYPT (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REP_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REQ (built-in variable) -
- - -
KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS (built-in variable) -
- - -
KRB5_KEYUSAGE_CAMMAC (built-in variable) -
- - -
KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT (built-in variable) -
- - -
KRB5_KEYUSAGE_ENC_CHALLENGE_KDC (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_ENC (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_FINISHED (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_REP (built-in variable) -
- - -
KRB5_KEYUSAGE_FAST_REQ_CHKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_MIC (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG (built-in variable) -
- - -
KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV (built-in variable) -
- - -
KRB5_KEYUSAGE_IAKERB_FINISHED (built-in variable) -
- - -
KRB5_KEYUSAGE_KDC_REP_TICKET (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_CRED_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_ERROR_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_PRIV_ENCPART (built-in variable) -
- - -
KRB5_KEYUSAGE_KRB_SAFE_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_FX_COOKIE (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_OTP_REQUEST (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_PKINIT_KX (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID (built-in variable) -
- - -
KRB5_KEYUSAGE_PA_SAM_RESPONSE (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AUTH (built-in variable) -
- - -
KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM (built-in variable) -
- - -
KRB5_KPASSWD_ACCESSDENIED (built-in variable) -
- - -
KRB5_KPASSWD_AUTHERROR (built-in variable) -
- - -
KRB5_KPASSWD_BAD_VERSION (built-in variable) -
- - -
KRB5_KPASSWD_HARDERROR (built-in variable) -
- - -
KRB5_KPASSWD_INITIAL_FLAG_NEEDED (built-in variable) -
- - -
KRB5_KPASSWD_MALFORMED (built-in variable) -
- - -
KRB5_KPASSWD_SOFTERROR (built-in variable) -
- - -
KRB5_KPASSWD_SUCCESS (built-in variable) -
- - -
krb5_kt_add_entry (C function) -
- - -
krb5_kt_client_default (C function) -
- - -
krb5_kt_close (C function) -
- - -
krb5_kt_cursor (C type) -
- - -
krb5_kt_default (C function) -
- - -
krb5_kt_default_name (C function) -
- - -
krb5_kt_dup (C function) -
- - -
krb5_kt_end_seq_get (C function) -
- - -
krb5_kt_free_entry (C function) -
- - -
krb5_kt_get_entry (C function) -
- - -
krb5_kt_get_name (C function) -
- - -
krb5_kt_get_type (C function) -
- - -
krb5_kt_have_content (C function) -
- - -
krb5_kt_next_entry (C function) -
- - -
krb5_kt_read_service_key (C function) -
- - -
krb5_kt_remove_entry (C function) -
- - -
krb5_kt_resolve (C function) -
- - -
krb5_kt_start_seq_get (C function) -
- - -
krb5_kuserok (C function) -
- - -
krb5_kvno (C type) -
- - -
krb5_last_req_entry (C type) -
- - -
krb5_last_req_entry.lr_type (C member) -
- - -
krb5_last_req_entry.magic (C member) -
- - -
krb5_last_req_entry.value (C member) -
- - -
KRB5_LRQ_ALL_ACCT_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_INITIAL (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_RENEWAL (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_REQ (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_TGT (built-in variable) -
- - -
KRB5_LRQ_ALL_LAST_TGT_ISSUED (built-in variable) -
- - -
KRB5_LRQ_ALL_PW_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_NONE (built-in variable) -
- - -
KRB5_LRQ_ONE_ACCT_EXPTIME (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_INITIAL (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_RENEWAL (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_REQ (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_TGT (built-in variable) -
- - -
KRB5_LRQ_ONE_LAST_TGT_ISSUED (built-in variable) -
- - -
KRB5_LRQ_ONE_PW_EXPTIME (built-in variable) -
- - -
krb5_magic (C type) -
- - -
krb5_make_authdata_kdc_issued (C function) -
- - -
krb5_merge_authdata (C function) -
- - -
krb5_mk_1cred (C function) -
- - -
krb5_mk_error (C function) -
- - -
krb5_mk_ncred (C function) -
- - -
krb5_mk_priv (C function) -
- - -
krb5_mk_rep (C function) -
- - -
krb5_mk_rep_dce (C function) -
- - -
krb5_mk_req (C function) -
- - -
krb5_mk_req_checksum_func (C type) -
- - -
krb5_mk_req_extended (C function) -
- - -
krb5_mk_safe (C function) -
- - -
krb5_msgtype (C type) -
- - -
KRB5_NT_ENT_PRINCIPAL_AND_ID (built-in variable) -
- - -
KRB5_NT_ENTERPRISE_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_MS_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_MS_PRINCIPAL_AND_ID (built-in variable) -
- - -
KRB5_NT_PRINCIPAL (built-in variable) -
- - -
KRB5_NT_SMTP_NAME (built-in variable) -
- - -
KRB5_NT_SRV_HST (built-in variable) -
- - -
KRB5_NT_SRV_INST (built-in variable) -
- - -
KRB5_NT_SRV_XHST (built-in variable) -
- - -
KRB5_NT_UID (built-in variable) -
- - -
KRB5_NT_UNKNOWN (built-in variable) -
- - -
KRB5_NT_WELLKNOWN (built-in variable) -
- - -
KRB5_NT_X500_PRINCIPAL (built-in variable) -
- - -
krb5_octet (C type) -
- - -
krb5_os_localaddr (C function) -
- - -
krb5_pa_data (C type) -
- - -
krb5_pa_data.contents (C member) -
- - -
krb5_pa_data.length (C member) -
- - -
krb5_pa_data.magic (C member) -
- - -
krb5_pa_data.pa_type (C member) -
- - -
krb5_pa_pac_req (C type) -
- - -
krb5_pa_pac_req.include_pac (C member) -
- - -
krb5_pa_server_referral_data (C type) -
- - -
krb5_pa_server_referral_data.referral_valid_until (C member) -
- - -
krb5_pa_server_referral_data.referred_realm (C member) -
- - -
krb5_pa_server_referral_data.rep_cksum (C member) -
- - -
krb5_pa_server_referral_data.requested_principal_name (C member) -
- - -
krb5_pa_server_referral_data.true_principal_name (C member) -
- - -
krb5_pa_svr_referral_data (C type) -
- - -
krb5_pa_svr_referral_data.principal (C member) -
- - -
krb5_pac (C type) -
- - -
krb5_pac_add_buffer (C function) -
- - -
KRB5_PAC_CLIENT_INFO (built-in variable) -
- - -
KRB5_PAC_CREDENTIALS_INFO (built-in variable) -
- - -
KRB5_PAC_DELEGATION_INFO (built-in variable) -
- - -
krb5_pac_free (C function) -
- - -
krb5_pac_get_buffer (C function) -
- - -
krb5_pac_get_types (C function) -
- - -
krb5_pac_init (C function) -
- - -
KRB5_PAC_LOGON_INFO (built-in variable) -
- - -
krb5_pac_parse (C function) -
- - -
KRB5_PAC_PRIVSVR_CHECKSUM (built-in variable) -
- - -
KRB5_PAC_SERVER_CHECKSUM (built-in variable) -
- - -
krb5_pac_sign (C function) -
- - -
KRB5_PAC_UPN_DNS_INFO (built-in variable) -
- - -
krb5_pac_verify (C function) -
- - -
KRB5_PADATA_AFS3_SALT (built-in variable) -
- - -
KRB5_PADATA_AP_REQ (built-in variable) -
- - -
KRB5_PADATA_AS_CHECKSUM (built-in variable) -
- - -
KRB5_PADATA_ENC_SANDIA_SECURID (built-in variable) -
- - -
KRB5_PADATA_ENC_TIMESTAMP (built-in variable) -
- - -
KRB5_PADATA_ENC_UNIX_TIME (built-in variable) -
- - -
KRB5_PADATA_ENCRYPTED_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_ETYPE_INFO (built-in variable) -
- - -
KRB5_PADATA_ETYPE_INFO2 (built-in variable) -
- - -
KRB5_PADATA_FOR_USER (built-in variable) -
- - -
KRB5_PADATA_FX_COOKIE (built-in variable) -
- - -
KRB5_PADATA_FX_ERROR (built-in variable) -
- - -
KRB5_PADATA_FX_FAST (built-in variable) -
- - -
KRB5_PADATA_GET_FROM_TYPED_DATA (built-in variable) -
- - -
KRB5_PADATA_NONE (built-in variable) -
- - -
KRB5_PADATA_OSF_DCE (built-in variable) -
- - -
KRB5_PADATA_OTP_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_OTP_PIN_CHANGE (built-in variable) -
- - -
KRB5_PADATA_OTP_REQUEST (built-in variable) -
- - -
KRB5_PADATA_PAC_REQUEST (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REP (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REP_OLD (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REQ (built-in variable) -
- - -
KRB5_PADATA_PK_AS_REQ_OLD (built-in variable) -
- - -
KRB5_PADATA_PKINIT_KX (built-in variable) -
- - -
KRB5_PADATA_PW_SALT (built-in variable) -
- - -
KRB5_PADATA_REFERRAL (built-in variable) -
- - -
KRB5_PADATA_S4U_X509_USER (built-in variable) -
- - -
KRB5_PADATA_SAM_CHALLENGE (built-in variable) -
- - -
KRB5_PADATA_SAM_CHALLENGE_2 (built-in variable) -
- - -
KRB5_PADATA_SAM_REDIRECT (built-in variable) -
- - -
KRB5_PADATA_SAM_RESPONSE (built-in variable) -
- - -
KRB5_PADATA_SAM_RESPONSE_2 (built-in variable) -
- - -
KRB5_PADATA_SESAME (built-in variable) -
- - -
KRB5_PADATA_SVR_REFERRAL_INFO (built-in variable) -
- - -
KRB5_PADATA_TGS_REQ (built-in variable) -
- - -
KRB5_PADATA_USE_SPECIFIED_KVNO (built-in variable) -
- - -
krb5_parse_name (C function) -
- - -
krb5_parse_name_flags (C function) -
- - -
krb5_pointer (C type) -
- - -
krb5_post_recv_fn (C type) -
- - -
krb5_pre_send_fn (C type) -
- - -
krb5_preauthtype (C type) -
- - -
krb5_prepend_error_message (C function) -
- - -
krb5_princ_component (built-in variable) -
- - -
krb5_princ_name (built-in variable) -
- - -
krb5_princ_realm (built-in variable) -
- - -
krb5_princ_set_realm (built-in variable) -
- - -
krb5_princ_set_realm_data (built-in variable) -
- - -
krb5_princ_set_realm_length (built-in variable) -
- - -
krb5_princ_size (built-in variable) -
- - -
krb5_princ_type (built-in variable) -
- - -
krb5_principal (C type) -
- - -
krb5_principal.data (C member) -
- - -
krb5_principal.length (C member) -
- - -
krb5_principal.magic (C member) -
- - -
krb5_principal.realm (C member) -
- - -
krb5_principal.type (C member) -
- - -
krb5_principal2salt (C function) -
- - -
krb5_principal_compare (C function) -
- - -
krb5_principal_compare_any_realm (C function) -
- - -
KRB5_PRINCIPAL_COMPARE_CASEFOLD (built-in variable) -
- - -
KRB5_PRINCIPAL_COMPARE_ENTERPRISE (built-in variable) -
- - -
krb5_principal_compare_flags (C function) -
- - -
KRB5_PRINCIPAL_COMPARE_IGNORE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_COMPARE_UTF8 (built-in variable) -
- - -
krb5_principal_data (C type) -
- - -
krb5_principal_data.data (C member) -
- - -
krb5_principal_data.length (C member) -
- - -
krb5_principal_data.magic (C member) -
- - -
krb5_principal_data.realm (C member) -
- - -
krb5_principal_data.type (C member) -
- - -
KRB5_PRINCIPAL_PARSE_ENTERPRISE (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_IGNORE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_NO_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_PARSE_REQUIRE_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_DISPLAY (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_NO_REALM (built-in variable) -
- - -
KRB5_PRINCIPAL_UNPARSE_SHORT (built-in variable) -
- - -
KRB5_PRIV (built-in variable) -
- - -
krb5_process_key (C function) -
- - -
krb5_prompt (C type) -
- - -
krb5_prompt.hidden (C member) -
- - -
krb5_prompt.prompt (C member) -
- - -
krb5_prompt.reply (C member) -
- - -
krb5_prompt_type (C type) -
- - -
KRB5_PROMPT_TYPE_NEW_PASSWORD (built-in variable) -
- - -
KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN (built-in variable) -
- - -
KRB5_PROMPT_TYPE_PASSWORD (built-in variable) -
- - -
KRB5_PROMPT_TYPE_PREAUTH (built-in variable) -
- - -
krb5_prompter_fct (C type) -
- - -
krb5_prompter_posix (C function) -
- - -
KRB5_PVNO (built-in variable) -
- - -
krb5_pwd_data (C type) -
- - -
krb5_pwd_data.element (C member) -
- - -
krb5_pwd_data.magic (C member) -
- - -
krb5_pwd_data.sequence_count (C member) -
- - -
krb5_random_key (C function) -
- - -
krb5_rcache (C type) -
- - -
krb5_rd_cred (C function) -
- - -
krb5_rd_error (C function) -
- - -
krb5_rd_priv (C function) -
- - -
krb5_rd_rep (C function) -
- - -
krb5_rd_rep_dce (C function) -
- - -
krb5_rd_req (C function) -
- - -
krb5_rd_safe (C function) -
- - -
krb5_read_password (C function) -
- - -
KRB5_REALM_BRANCH_CHAR (built-in variable) -
- - -
krb5_realm_compare (C function) -
- - -
krb5_recvauth (C function) -
- - -
KRB5_RECVAUTH_BADAUTHVERS (built-in variable) -
- - -
KRB5_RECVAUTH_SKIP_VERSION (built-in variable) -
- - -
krb5_recvauth_version (C function) -
- - -
KRB5_REFERRAL_REALM (built-in variable) -
- - -
krb5_replay_data (C type) -
- - -
krb5_replay_data.seq (C member) -
- - -
krb5_replay_data.timestamp (C member) -
- - -
krb5_replay_data.usec (C member) -
- - -
krb5_responder_context (C type) -
- - -
krb5_responder_fn (C type) -
- - -
krb5_responder_get_challenge (C function) -
- - -
krb5_responder_list_questions (C function) -
- - -
krb5_responder_otp_challenge (C type) -
- - -
krb5_responder_otp_challenge.service (C member) -
- - -
krb5_responder_otp_challenge.tokeninfo (C member) -
- - -
krb5_responder_otp_challenge_free (C function) -
- - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_NEXTOTP (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_DECIMAL (built-in variable) -
- - -
KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL (built-in variable) -
- - -
krb5_responder_otp_get_challenge (C function) -
- - -
krb5_responder_otp_set_answer (C function) -
- - -
krb5_responder_otp_tokeninfo (C type) -
- - -
krb5_responder_otp_tokeninfo.alg_id (C member) -
- - -
krb5_responder_otp_tokeninfo.challenge (C member) -
- - -
krb5_responder_otp_tokeninfo.flags (C member) -
- - -
krb5_responder_otp_tokeninfo.format (C member) -
- - -
krb5_responder_otp_tokeninfo.length (C member) -
- - -
krb5_responder_otp_tokeninfo.token_id (C member) -
- - -
krb5_responder_otp_tokeninfo.vendor (C member) -
- - -
krb5_responder_pkinit_challenge (C type) -
- - -
krb5_responder_pkinit_challenge.identities (C member) -
- - -
krb5_responder_pkinit_challenge_free (C function) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW (built-in variable) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY (built-in variable) -
- - -
KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED (built-in variable) -
- - -
krb5_responder_pkinit_get_challenge (C function) -
- - -
krb5_responder_pkinit_identity (C type) -
- - -
krb5_responder_pkinit_identity.identity (C member) -
- - -
krb5_responder_pkinit_identity.token_flags (C member) -
- - -
krb5_responder_pkinit_set_answer (C function) -
- - -
KRB5_RESPONDER_QUESTION_OTP (built-in variable) -
- - -
KRB5_RESPONDER_QUESTION_PASSWORD (built-in variable) -
- - -
KRB5_RESPONDER_QUESTION_PKINIT (built-in variable) -
- - -
krb5_responder_set_answer (C function) -
- - -
krb5_response (C type) -
- - -
krb5_response.expected_nonce (C member) -
- - -
krb5_response.magic (C member) -
- - -
krb5_response.message_type (C member) -
- - -
krb5_response.request_time (C member) -
- - -
krb5_response.response (C member) -
- - -
krb5_roundup (built-in variable) -
- - -
KRB5_SAFE (built-in variable) -
- - -
krb5_salttype_to_string (C function) -
- - -
KRB5_SAM_MUST_PK_ENCRYPT_SAD (built-in variable) -
- - -
KRB5_SAM_SEND_ENCRYPTED_SAD (built-in variable) -
- - -
KRB5_SAM_USE_SAD_AS_KEY (built-in variable) -
- - -
krb5_sendauth (C function) -
- - -
krb5_server_decrypt_ticket_keytab (C function) -
- - -
krb5_set_default_realm (C function) -
- - -
krb5_set_default_tgs_enctypes (C function) -
- - -
krb5_set_error_message (C function) -
- - -
krb5_set_kdc_recv_hook (C function) -
- - -
krb5_set_kdc_send_hook (C function) -
- - -
krb5_set_password (C function) -
- - -
krb5_set_password_using_ccache (C function) -
- - -
krb5_set_principal_realm (C function) -
- - -
krb5_set_real_time (C function) -
- - -
krb5_set_trace_callback (C function) -
- - -
krb5_set_trace_filename (C function) -
- - -
krb5_sname_match (C function) -
- - -
krb5_sname_to_principal (C function) -
- - -
krb5_string_to_cksumtype (C function) -
- - -
krb5_string_to_deltat (C function) -
- - -
krb5_string_to_enctype (C function) -
- - -
krb5_string_to_key (C function) -
- - -
krb5_string_to_salttype (C function) -
- - -
krb5_string_to_timestamp (C function) -
- - -
KRB5_TC_MATCH_2ND_TKT (built-in variable) -
- - -
KRB5_TC_MATCH_AUTHDATA (built-in variable) -
- - -
KRB5_TC_MATCH_FLAGS (built-in variable) -
- - -
KRB5_TC_MATCH_FLAGS_EXACT (built-in variable) -
- - -
KRB5_TC_MATCH_IS_SKEY (built-in variable) -
- - -
KRB5_TC_MATCH_KTYPE (built-in variable) -
- - -
KRB5_TC_MATCH_SRV_NAMEONLY (built-in variable) -
- - -
KRB5_TC_MATCH_TIMES (built-in variable) -
- - -
KRB5_TC_MATCH_TIMES_EXACT (built-in variable) -
- - -
KRB5_TC_NOTICKET (built-in variable) -
- - -
KRB5_TC_OPENCLOSE (built-in variable) -
- - -
KRB5_TC_SUPPORTED_KTYPES (built-in variable) -
- - -
KRB5_TGS_NAME (built-in variable) -
- - -
KRB5_TGS_NAME_SIZE (built-in variable) -
- - -
KRB5_TGS_REP (built-in variable) -
- - -
KRB5_TGS_REQ (built-in variable) -
- - -
krb5_ticket (C type) -
- - -
krb5_ticket.enc_part (C member) -
- - -
krb5_ticket.enc_part2 (C member) -
- - -
krb5_ticket.magic (C member) -
- - -
krb5_ticket.server (C member) -
- - -
krb5_ticket_times (C type) -
- - -
krb5_ticket_times.authtime (C member) -
- - -
krb5_ticket_times.endtime (C member) -
- - -
krb5_ticket_times.renew_till (C member) -
- - -
krb5_ticket_times.starttime (C member) -
- - -
krb5_timeofday (C function) -
- - -
krb5_timestamp (C type) -
- - -
krb5_timestamp_to_sfstring (C function) -
- - -
krb5_timestamp_to_string (C function) -
- - -
krb5_tkt_authent (C type) -
- - -
krb5_tkt_authent.ap_options (C member) -
- - -
krb5_tkt_authent.authenticator (C member) -
- - -
krb5_tkt_authent.magic (C member) -
- - -
krb5_tkt_authent.ticket (C member) -
- - -
krb5_tkt_creds_context (C type) -
- - -
krb5_tkt_creds_free (C function) -
- - -
krb5_tkt_creds_get (C function) -
- - -
krb5_tkt_creds_get_creds (C function) -
- - -
krb5_tkt_creds_get_times (C function) -
- - -
krb5_tkt_creds_init (C function) -
- - -
krb5_tkt_creds_step (C function) -
- - -
KRB5_TKT_CREDS_STEP_FLAG_CONTINUE (built-in variable) -
- - -
krb5_trace_callback (C type) -
- - -
krb5_trace_info (C type) -
- - -
krb5_trace_info.message (C member) -
- - -
krb5_transited (C type) -
- - -
krb5_transited.magic (C member) -
- - -
krb5_transited.tr_contents (C member) -
- - -
krb5_transited.tr_type (C member) -
- - -
krb5_typed_data (C type) -
- - -
krb5_typed_data.data (C member) -
- - -
krb5_typed_data.length (C member) -
- - -
krb5_typed_data.magic (C member) -
- - -
krb5_typed_data.type (C member) -
- - -
krb5_ui_2 (C type) -
- - -
krb5_ui_4 (C type) -
- - -
krb5_unparse_name (C function) -
- - -
krb5_unparse_name_ext (C function) -
- - -
krb5_unparse_name_flags (C function) -
- - -
krb5_unparse_name_flags_ext (C function) -
- - -
krb5_us_timeofday (C function) -
- - -
krb5_use_enctype (C function) -
- - -
krb5_verify_authdata_kdc_issued (C function) -
- - -
krb5_verify_checksum (C function) -
- - -
krb5_verify_init_creds (C function) -
- - -
krb5_verify_init_creds_opt (C type) -
- - -
krb5_verify_init_creds_opt.ap_req_nofail (C member) -
- - -
krb5_verify_init_creds_opt.flags (C member) -
- - -
KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL (built-in variable) -
- - -
krb5_verify_init_creds_opt_init (C function) -
- - -
krb5_verify_init_creds_opt_set_ap_req_nofail (C function) -
- - -
krb5_vprepend_error_message (C function) -
- - -
krb5_vset_error_message (C function) -
- - -
krb5_vwrap_error_message (C function) -
- - -
KRB5_WELLKNOWN_NAMESTR (built-in variable) -
- - -
krb5_wrap_error_message (C function) -
- - -
krb5_x (built-in variable) -
- - -
krb5_xc (built-in variable) -
- -
- -

L

- - - -
- -
LR_TYPE_INTERPRETATION_MASK (built-in variable) -
- -
- -
LR_TYPE_THIS_SERVER_ONLY (built-in variable) -
- -
- -

M

- - - -
- -
MAX_KEYTAB_NAME_LEN (built-in variable) -
- - -
MSEC_DIRBIT (built-in variable) -
- -
- -
MSEC_VAL_MASK (built-in variable) -
- -
- -

P

- - - -
- -
passwd_phrase_element (C type) -
- - -
passwd_phrase_element.magic (C member) -
- -
- -
passwd_phrase_element.passwd (C member) -
- - -
passwd_phrase_element.phrase (C member) -
- -
- -

R

- - -
- -
- RFC -
- -
- -
RFC 1964 -
- - -
RFC 2253 -
- - -
RFC 2743 -
- - -
RFC 2744 -
- - -
RFC 2782 -
- - -
RFC 3244 -
- - -
RFC 3961, [1] -
- - -
RFC 4120 -
- - -
RFC 4120#section-10 -
- - -
RFC 4120#section-5.2.7.2 -
- - -
RFC 4120#section-5.2.7.3 -
- - -
RFC 4556, [1], [2], [3], [4], [5] -
- - -
RFC 4757 -
- - -
RFC 5587 -
- - -
RFC 5588 -
- - -
RFC 5801 -
- - -
RFC 5896 -
- - -
RFC 6112 -
- - -
RFC 6113, [1], [2], [3], [4], [5] -
- - -
RFC 6113#section-5.2 -
- - -
RFC 6560 -
- - -
RFC 6649 -
- - -
RFC 6680, [1] -
- - -
RFC 6803 -
- - -
RFC 6806, [1] -
- - -
RFC 7546 -
- - -
RFC 7553 -
- -
-
- -

S

- - - -
- -
SALT_TYPE_AFS_LENGTH (built-in variable) -
- -
- -
SALT_TYPE_NO_LENGTH (built-in variable) -
- -
- -

T

- - - -
- -
THREEPARAMOPEN (built-in variable) -
- - -
TKT_FLG_ANONYMOUS (built-in variable) -
- - -
TKT_FLG_ENC_PA_REP (built-in variable) -
- - -
TKT_FLG_FORWARDABLE (built-in variable) -
- - -
TKT_FLG_FORWARDED (built-in variable) -
- - -
TKT_FLG_HW_AUTH (built-in variable) -
- - -
TKT_FLG_INITIAL (built-in variable) -
- - -
TKT_FLG_INVALID (built-in variable) -
- -
- -
TKT_FLG_MAY_POSTDATE (built-in variable) -
- - -
TKT_FLG_OK_AS_DELEGATE (built-in variable) -
- - -
TKT_FLG_POSTDATED (built-in variable) -
- - -
TKT_FLG_PRE_AUTH (built-in variable) -
- - -
TKT_FLG_PROXIABLE (built-in variable) -
- - -
TKT_FLG_PROXY (built-in variable) -
- - -
TKT_FLG_RENEWABLE (built-in variable) -
- - -
TKT_FLG_TRANSIT_POLICY_CHECKED (built-in variable) -
- -
- -

V

- - - -
- -
VALID_INT_BITS (built-in variable) -
- -
- -
VALID_UINT_BITS (built-in variable) -
- -
- - - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/genindex.html b/doc/html/genindex.html deleted file mode 100644 index 4fe3e6d..0000000 --- a/doc/html/genindex.html +++ /dev/null @@ -1,139 +0,0 @@ - - - - - - - - Index — MIT Kerberos Documentation - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - -

Index

- -

Index pages by letter:

- -
-

A - | C - | E - | K - | L - | M - | P - | R - | S - | T - | V -

- -

Full index on one page - (can be huge)

-
- - -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/index.html b/doc/html/index.html deleted file mode 100644 index 3dff19a..0000000 --- a/doc/html/index.html +++ /dev/null @@ -1,143 +0,0 @@ - - - - - - - - MIT Kerberos Documentation (1.15.2) — MIT Kerberos Documentation - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/mitK5defaults.html b/doc/html/mitK5defaults.html deleted file mode 100644 index 44ae63a..0000000 --- a/doc/html/mitK5defaults.html +++ /dev/null @@ -1,359 +0,0 @@ - - - - - - - - MIT Kerberos defaults — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

MIT Kerberos defaults¶

-
-

General defaults¶

- ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DescriptionDefaultEnvironment
keytab fileDEFKTNAMEKRB5_KTNAME
Client keytab fileDEFCKTNAMEKRB5_CLIENT_KTNAME
Kerberos config file krb5.conf/etc/krb5.conf:SYSCONFDIR/krb5.confKRB5_CONFIG
KDC config file kdc.confLOCALSTATEDIR/krb5kdc/kdc.confKRB5_KDC_PROFILE
KDC database path (DB2)LOCALSTATEDIR/krb5kdc/principal 
Master key stash fileLOCALSTATEDIR/krb5kdc/.k5.realm 
Admin server ACL file kadm5.aclLOCALSTATEDIR/krb5kdc/kadm5.acl 
OTP socket directoryRUNSTATEDIR/krb5kdc 
Plugin base directoryLIBDIR/krb5/plugins 
replay cache directory/var/tmpKRB5RCACHEDIR
Master key default enctypeaes256-cts-hmac-sha1-96 
Default keysalt listaes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal 
Permitted enctypesaes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4 
KDC default port88 
Admin server port749 
Password change port464 
-
-
-

Slave KDC propagation defaults¶

-

This table shows defaults used by the kprop and -kpropd programs.

- ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DescriptionDefaultEnvironment
kprop database dump fileLOCALSTATEDIR/krb5kdc/slave_datatrans 
kpropd temporary dump fileLOCALSTATEDIR/krb5kdc/from_master 
kdb5_util locationSBINDIR/kdb5_util 
kprop locationSBINDIR/kprop 
kpropd ACL fileLOCALSTATEDIR/krb5kdc/kpropd.acl 
kprop port754KPROP_PORT
-
-
-

Default paths for Unix-like systems¶

-

On Unix-like systems, some paths used by MIT krb5 depend on parameters -chosen at build time. For a custom build, these paths default to -subdirectories of /usr/local. When MIT krb5 is integrated into an -operating system, the paths are generally chosen to match the -operating system’s filesystem layout.

- ------ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
DescriptionSymbolic nameCustom build pathTypical OS path
User programsBINDIR/usr/local/bin/usr/bin
Libraries and pluginsLIBDIR/usr/local/lib/usr/lib
Parent of KDC state dirLOCALSTATEDIR/usr/local/var/var
Parent of KDC runtime dirRUNSTATEDIR/usr/local/var/run/run
Administrative programsSBINDIR/usr/local/sbin/usr/sbin
Alternate krb5.conf dirSYSCONFDIR/usr/local/etc/etc
Default ccache nameDEFCCNAMEFILE:/tmp/krb5cc_%{uid}FILE:/tmp/krb5cc_%{uid}
Default keytab nameDEFKTNAMEFILE:/etc/krb5.keytabFILE:/etc/krb5.keytab
-

The default client keytab name (DEFCKTNAME) typically defaults to -FILE:/usr/local/var/krb5/user/%{euid}/client.keytab for a custom -build. A native build will typically use a path which will vary -according to the operating system’s layout of /var.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/mitK5features.html b/doc/html/mitK5features.html deleted file mode 100644 index 9ac3c57..0000000 --- a/doc/html/mitK5features.html +++ /dev/null @@ -1,459 +0,0 @@ - - - - - - - - MIT Kerberos features — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-
-
-

MIT Kerberos features¶

-

http://web.mit.edu/kerberos

-
-

Quick facts¶

-

License - MIT Kerberos License information

-
-
Releases:
-
-
-
Supported platforms / OS distributions:
-
    -
  • Windows (KfW 4.0): Windows 7, Vista, XP
    • -
  • Solaris: SPARC, x86_64/x86
    • -
  • GNU/Linux: Debian x86_64/x86, Ubuntu x86_64/x86, RedHat x86_64/x86
    • -
  • BSD: NetBSD x86_64/x86
    • -
-
-
Crypto backends:
-
-
-
-

Database backends: LDAP, DB2

-

krb4 support: Kerberos 5 release < 1.8

-

DES support: configurable (See Retiring DES)

-
-
-

Interoperability¶

-

Microsoft

-

Starting from release 1.7:

-
    -
  • Follow client principal referrals in the client library when -obtaining initial tickets.
    • -
  • KDC can issue realm referrals for service principals based on domain names.
    • -
  • Extensions supporting DCE RPC, including three-leg GSS context setup -and unencapsulated GSS tokens inside SPNEGO.
    • -
  • Microsoft GSS_WrapEX, implemented using the gss_iov API, which is -similar to the equivalent SSPI functionality. This is needed to -support some instances of DCE RPC.
    • -
  • NTLM recognition support in GSS-API, to facilitate dropping in an -NTLM implementation for improved compatibility with older releases -of Microsoft Windows.
    • -
  • KDC support for principal aliases, if the back end supports them. -Currently, only the LDAP back end supports aliases.
    • -
  • Support Microsoft set/change password (RFC 3244) protocol in -kadmind.
    • -
  • Implement client and KDC support for GSS_C_DELEG_POLICY_FLAG, which -allows a GSS application to request credential delegation only if -permitted by KDC policy.
    • -
-

Starting from release 1.8:

-
    -
  • Microsoft Services for User (S4U) compatibility
    • -
-

Heimdal

-
    -
  • Support for KCM credential cache starting from release 1.13
    • -
-
-
-

Feature list¶

-

For more information on the specific project see http://k5wiki.kerberos.org/wiki/Projects

-
-
Release 1.7
-
-
-
Release 1.8
-
-
-
Release 1.9
-
    -
  • Advance warning on password expiry
    • -
  • Camellia encryption (CTS-CMAC mode) RFC 6803
    • -
  • KDC support for SecurID preauthentication
    • -
  • kadmin over IPv6
    • -
  • Trace logging Trace logging
    • -
  • GSSAPI/KRB5 multi-realm support
    • -
  • Plugin to test password quality Password quality interface (pwqual)
    • -
  • Plugin to synchronize password changes KADM5 hook interface (kadm5_hook)
    • -
  • Parallel KDC
    • -
  • GSS-API extentions for SASL GS2 bridge RFC 5801 RFC 5587
    • -
  • Purging old keys
    • -
  • Naming extensions for delegation chain
    • -
  • Password expiration API
    • -
  • Windows client support (build-only)
    • -
  • IPv6 support in iprop
    • -
-
-
Release 1.10
-
-
-
Release 1.11
-
    -
  • Client support for FAST OTP RFC 6560
    • -
  • GSS-API extensions for credential locations
    • -
  • Responder mechanism
    • -
-
-
Release 1.12
-
-
-
-

Release 1.13

-
-
    -
  • Add support for accessing KDCs via an HTTPS proxy server using -the MS-KKDCP -protocol.
    • -
  • Add support for hierarchical incremental propagation, -where slaves can act as intermediates between an upstream master -and other downstream slaves.
    • -
  • Add support for configuring GSS mechanisms using -/etc/gss/mech.d/*.conf files in addition to -/etc/gss/mech.
    • -
  • Add support to the LDAP KDB module for binding to the LDAP -server using SASL.
    • -
  • The KDC listens for TCP connections by default.
    • -
  • Fix a minor key disclosure vulnerability where using the -“keepold” option to the kadmin randkey operation could return the -old keys. [CVE-2014-5351]
    • -
  • Add client support for the Kerberos Cache Manager protocol. If -the host is running a Heimdal kcm daemon, caches served by the -daemon can be accessed with the KCM: cache type.
    • -
  • When built on OS X 10.7 and higher, use “KCM:” as the default -cachetype, unless overridden by command-line options or -krb5-config values.
    • -
  • Add support for doing unlocked database dumps for the DB2 KDC -back end, which would allow the KDC and kadmind to continue -accessing the database during lengthy database dumps.
    • -
-
-

Release 1.14

-
-
    -
  • Administrator experience
      -
    • Add a new kdb5_util tabdump command to provide reporting-friendly -tabular dump formats (tab-separated or CSV) for the KDC database. -Unlike the normal dump format, each output table has a fixed number -of fields. Some tables include human-readable forms of data that -are opaque in ordinary dump files. This format is also suitable for -importing into relational databases for complex queries.
      • -
    • Add support to kadmin and kadmin.local for specifying a single -command line following any global options, where the command -arguments are split by the shell–for example, “kadmin getprinc -principalname”. Commands issued this way do not prompt for -confirmation or display warning messages, and exit with non-zero -status if the operation fails.
      • -
    • Accept the same principal flag names in kadmin as we do for the -default_principal_flags kdc.conf variable, and vice versa. Also -accept flag specifiers in the form that kadmin prints, as well as -hexadecimal numbers.
      • -
    • Remove the triple-DES and RC4 encryption types from the default -value of supported_enctypes, which determines the default key and -salt types for new password-derived keys. By default, keys will -only created only for AES128 and AES256. This mitigates some types -of password guessing attacks.
      • -
    • Add support for directory names in the KRB5_CONFIG and -KRB5_KDC_PROFILE environment variables.
      • -
    • Add support for authentication indicators, which are ticket -annotations to indicate the strength of the initial authentication. -Add support for the “require_auth” string attribute, which can be -set on server principal entries to require an indicator when -authenticating to the server.
      • -
    • Add support for key version numbers larger than 255 in keytab files, -and for version numbers up to 65535 in KDC databases.
      • -
    • Transmit only one ETYPE-INFO and/or ETYPE-INFO2 entry from the KDC -during pre-authentication, corresponding to the client’s most -preferred encryption type.
      • -
    • Add support for server name identification (SNI) when proxying KDC -requests over HTTPS.
      • -
    • Add support for the err_fmt profile parameter, which can be used to -generate custom-formatted error messages.
      • -
    -
    • -
  • Developer experience:
      -
    • Change gss_acquire_cred_with_password() to acquire credentials into -a private memory credential cache. Applications can use -gss_store_cred() to make the resulting credentials visible to other -processes.
      • -
    • Change gss_acquire_cred() and SPNEGO not to acquire credentials for -IAKERB or for non-standard variants of the krb5 mechanism OID unless -explicitly requested. (SPNEGO will still accept the Microsoft -variant of the krb5 mechanism OID during negotiation.)
      • -
    • Change gss_accept_sec_context() not to accept tokens for IAKERB or -for non-standard variants of the krb5 mechanism OID unless an -acceptor credential is acquired for those mechanisms.
      • -
    • Change gss_acquire_cred() to immediately resolve credentials if the -time_rec parameter is not NULL, so that a correct expiration time -can be returned. Normally credential resolution is delayed until -the target name is known.
      • -
    • Add krb5_prepend_error_message() and krb5_wrap_error_message() APIs, -which can be used by plugin modules or applications to add prefixes -to existing detailed error messages.
      • -
    • Add krb5_c_prfplus() and krb5_c_derive_prfplus() APIs, which -implement the RFC 6113 PRF+ operation and key derivation using PRF+.
      • -
    • Add support for pre-authentication mechanisms which use multiple -round trips, using the the KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error -code. Add get_cookie() and set_cookie() callbacks to the kdcpreauth -interface; these callbacks can be used to save marshalled state -information in an encrypted cookie for the next request.
      • -
    • Add a client_key() callback to the kdcpreauth interface to retrieve -the chosen client key, corresponding to the ETYPE-INFO2 entry sent -by the KDC.
      • -
    • Add an add_auth_indicator() callback to the kdcpreauth interface, -allowing pre-authentication modules to assert authentication -indicators.
      • -
    • Add support for the GSS_KRB5_CRED_NO_CI_FLAGS_X cred option to -suppress sending the confidentiality and integrity flags in GSS -initiator tokens unless they are requested by the caller. These -flags control the negotiated SASL security layer for the Microsoft -GSS-SPNEGO SASL mechanism.
      • -
    • Make the FILE credential cache implementation less prone to -corruption issues in multi-threaded programs, especially on -platforms with support for open file description locks.
      • -
    -
    • -
  • Performance:
      -
    • On slave KDCs, poll the master KDC immediately after processing a -full resync, and do not require two full resyncs after the master -KDC’s log file is reset.
      • -
    -
    • -
-
-

Release 1.15

-
    -
  • Administrator experience:
      -
    • Add support to kadmin for remote extraction of current keys -without changing them (requires a special kadmin permission that -is excluded from the wildcard permission), with the exception of -highly protected keys.
      • -
    • Add a lockdown_keys principal attribute to prevent retrieval of -the principal’s keys (old or new) via the kadmin protocol. In -newly created databases, this attribute is set on the krbtgt and -kadmin principals.
      • -
    • Restore recursive dump capability for DB2 back end, so sites can -more easily recover from database corruption resulting from power -failure events.
      • -
    • Add DNS auto-discovery of KDC and kpasswd servers from URI -records, in addition to SRV records. URI records can convey TCP -and UDP servers and master KDC status in a single DNS lookup, and -can also point to HTTPS proxy servers.
      • -
    • Add support for password history to the LDAP back end.
      • -
    • Add support for principal renaming to the LDAP back end.
      • -
    • Use the getrandom system call on supported Linux kernels to avoid -blocking problems when getting entropy from the operating system.
      • -
    -
    • -
  • Code quality:
      -
    • Clean up numerous compilation warnings.
      • -
    • Remove various infrequently built modules, including some preauth -modules that were not built by default.
      • -
    -
    • -
  • Developer experience:
      -
    • Add support for building with OpenSSL 1.1.
      • -
    • Use SHA-256 instead of MD5 for (non-cryptographic) hashing of -authenticators in the replay cache. This helps sites that must -build with FIPS 140 conformant libraries that lack MD5.
      • -
    -
    • -
  • Protocol evolution:
      -
    • Add support for the AES-SHA2 enctypes, which allows sites to -conform to Suite B crypto requirements.
      • -
    -
    • -
-

Pre-authentication mechanisms

- -

PRNG

- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/mitK5license.html b/doc/html/mitK5license.html deleted file mode 100644 index eff8567..0000000 --- a/doc/html/mitK5license.html +++ /dev/null @@ -1,1287 +0,0 @@ - - - - - - - - MIT Kerberos License information — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

MIT Kerberos License information¶

-
-
-

Copyright © 1985-2017 by the Massachusetts Institute of Technology.

-

All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met:

-
    -
  • Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer.
    • -
  • Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    • -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-

Downloading of this software may constitute an export of cryptographic -software from the United States of America that is subject to the -United States Export Administration Regulations (EAR), 15 CFR 730-774. -Additional laws or regulations may apply. It is the responsibility of -the person or entity contemplating export to comply with all -applicable export laws and regulations, including obtaining any -required license from the U.S. government.

-

The U.S. government prohibits export of encryption source code to -certain countries and individuals, including, but not limited to, the -countries of Cuba, Iran, North Korea, Sudan, Syria, and residents and -nationals of those countries.

-

Documentation components of this software distribution are licensed -under a Creative Commons Attribution-ShareAlike 3.0 Unported License. -(http://creativecommons.org/licenses/by-sa/3.0/)

-

Individual source code files are copyright MIT, Cygnus Support, -Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, -FundsXpress, and others.

-

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, -and Zephyr are trademarks of the Massachusetts Institute of Technology -(MIT). No commercial use of these trademarks may be made without -prior written permission of MIT.

-

“Commercial use” means use of a name in a product or other for-profit -manner. It does NOT prevent a commercial firm from referring to the -MIT trademarks in order to convey information (although in doing so, -recognition of their trademark status should be given).

-
-

The following copyright and permission notice applies to the -OpenVision Kerberos Administration system located in -kadmin/create, kadmin/dbutil, kadmin/passwd, -kadmin/server, lib/kadm5, and portions of -lib/rpc:

-
-

Copyright, OpenVision Technologies, Inc., 1993-1996, All Rights Reserved

-

WARNING: Retrieving the OpenVision Kerberos Administration system source -code, as described below, indicates your acceptance of the following -terms. If you do not agree to the following terms, do not retrieve the -OpenVision Kerberos administration system.

-

You may freely use and distribute the Source Code and Object Code -compiled from it, with or without modification, but this Source Code is -provided to you “AS IS” EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT -LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A -PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. -IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, -LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR -FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS -AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE -OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR -ANY OTHER REASON.

-

OpenVision retains all copyrights in the donated Source Code. OpenVision -also retains copyright to derivative works of the Source Code, whether -created by OpenVision or by a third party. The OpenVision copyright -notice must be preserved if derivative works are made based on the -donated Source Code.

-

OpenVision Technologies, Inc. has donated this Kerberos Administration -system to MIT for inclusion in the standard Kerberos 5 distribution. -This donation underscores our commitment to continuing Kerberos -technology development and our gratitude for the valuable work which has -been performed by MIT and the Kerberos community.

-
-
-
-
Portions contributed by Matt Crawford crawdad@fnal.gov were work -performed at Fermi National Accelerator Laboratory, which is operated -by Universities Research Association, Inc., under contract -DE-AC02-76CHO3000 with the U.S. Department of Energy.
-
-

Portions of src/lib/crypto have the following copyright:

-
-

Copyright © 1998 by the FundsXpress, INC.

-

All rights reserved.

-
-
Export of this software from the United States of America may require -a specific license from the United States Government. It is the -responsibility of any person or organization contemplating export to -obtain such a license before exporting.
-

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of FundsXpress. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. FundsXpress makes no representations about the suitability of -this software for any purpose. It is provided “as is” without express -or implied warranty.

-

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

-
-
-

The implementation of the AES encryption algorithm in -src/lib/crypto/builtin/aes has the following copyright:

-
-
-
Copyright © 2001, Dr Brian Gladman brg@gladman.uk.net, -Worcester, UK.
-
All rights reserved.
-
-

LICENSE TERMS

-

The free distribution and use of this software in both source and binary -form is allowed (with or without changes) provided that:

-
    -
  1. distributions of this source code include the above copyright -notice, this list of conditions and the following disclaimer;
    2. -
  2. distributions in binary form include the above copyright -notice, this list of conditions and the following disclaimer -in the documentation and/or other associated materials;
    3. -
  3. the copyright holder’s name is not used to endorse products -built using this software without specific written permission.
    4. -
-

DISCLAIMER

-

This software is provided ‘as is’ with no explcit or implied warranties -in respect of any properties, including, but not limited to, correctness -and fitness for purpose.

-
-
-

Portions contributed by Red Hat, including the pre-authentication -plug-in framework and the NSS crypto implementation, contain the -following copyright:

-
-
-
Copyright © 2006 Red Hat, Inc.
-
Portions copyright © 2006 Massachusetts Institute of Technology
-
All Rights Reserved.
-
-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met:

-
    -
  • Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    • -
  • Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    • -
  • Neither the name of Red Hat, Inc., nor the names of its contributors -may be used to endorse or promote products derived from this software -without specific prior written permission.
    • -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS -IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-

The bundled verto source code is subject to the following license:

-
-

Copyright 2011 Red Hat, Inc.

-

Permission is hereby granted, free of charge, to any person -obtaining a copy of this software and associated documentation files -(the “Software”), to deal in the Software without restriction, -including without limitation the rights to use, copy, modify, merge, -publish, distribute, sublicense, and/or sell copies of the Software, -and to permit persons to whom the Software is furnished to do so, -subject to the following conditions:

-

The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software.

-

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS -BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN -ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE.

-
-
-

The MS-KKDCP client implementation has the following copyright:

-
-

Copyright 2013,2014 Red Hat, Inc.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met:

-
-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in -the documentation and/or other materials provided with the -distribution.
    3. -
-
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS -IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER -OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, -PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-

The implementations of GSSAPI mechglue in GSSAPI-SPNEGO in -src/lib/gssapi, including the following files:

-
lib/gssapi/generic/gssapi_err_generic.et
-lib/gssapi/mechglue/g_accept_sec_context.c
-lib/gssapi/mechglue/g_acquire_cred.c
-lib/gssapi/mechglue/g_canon_name.c
-lib/gssapi/mechglue/g_compare_name.c
-lib/gssapi/mechglue/g_context_time.c
-lib/gssapi/mechglue/g_delete_sec_context.c
-lib/gssapi/mechglue/g_dsp_name.c
-lib/gssapi/mechglue/g_dsp_status.c
-lib/gssapi/mechglue/g_dup_name.c
-lib/gssapi/mechglue/g_exp_sec_context.c
-lib/gssapi/mechglue/g_export_name.c
-lib/gssapi/mechglue/g_glue.c
-lib/gssapi/mechglue/g_imp_name.c
-lib/gssapi/mechglue/g_imp_sec_context.c
-lib/gssapi/mechglue/g_init_sec_context.c
-lib/gssapi/mechglue/g_initialize.c
-lib/gssapi/mechglue/g_inquire_context.c
-lib/gssapi/mechglue/g_inquire_cred.c
-lib/gssapi/mechglue/g_inquire_names.c
-lib/gssapi/mechglue/g_process_context.c
-lib/gssapi/mechglue/g_rel_buffer.c
-lib/gssapi/mechglue/g_rel_cred.c
-lib/gssapi/mechglue/g_rel_name.c
-lib/gssapi/mechglue/g_rel_oid_set.c
-lib/gssapi/mechglue/g_seal.c
-lib/gssapi/mechglue/g_sign.c
-lib/gssapi/mechglue/g_store_cred.c
-lib/gssapi/mechglue/g_unseal.c
-lib/gssapi/mechglue/g_userok.c
-lib/gssapi/mechglue/g_utils.c
-lib/gssapi/mechglue/g_verify.c
-lib/gssapi/mechglue/gssd_pname_to_uid.c
-lib/gssapi/mechglue/mglueP.h
-lib/gssapi/mechglue/oid_ops.c
-lib/gssapi/spnego/gssapiP_spnego.h
-lib/gssapi/spnego/spnego_mech.c
-
-
-

and the initial implementation of incremental propagation, including -the following new or changed files:

-
include/iprop_hdr.h
-kadmin/server/ipropd_svc.c
-lib/kdb/iprop.x
-lib/kdb/kdb_convert.c
-lib/kdb/kdb_log.c
-lib/kdb/kdb_log.h
-lib/krb5/error_tables/kdb5_err.et
-slave/kpropd_rpc.c
-slave/kproplog.c
-
-
-

are subject to the following license:

-
-

Copyright © 2004 Sun Microsystems, Inc.

-

Permission is hereby granted, free of charge, to any person obtaining a -copy of this software and associated documentation files (the -“Software”), to deal in the Software without restriction, including -without limitation the rights to use, copy, modify, merge, publish, -distribute, sublicense, and/or sell copies of the Software, and to -permit persons to whom the Software is furnished to do so, subject to -the following conditions:

-

The above copyright notice and this permission notice shall be included -in all copies or substantial portions of the Software.

-

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS -OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, -TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE -SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

-
-
-

Kerberos V5 includes documentation and software developed at the -University of California at Berkeley, which includes this copyright -notice:

-
-
-
Copyright © 1983 Regents of the University of California.
-
All rights reserved.
-
-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
  3. Neither the name of the University nor the names of its contributors -may be used to endorse or promote products derived from this software -without specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-

Portions contributed by Novell, Inc., including the LDAP database -backend, are subject to the following license:

-
-
-
Copyright © 2004-2005, Novell, Inc.
-
All rights reserved.
-
-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met:

-
    -
  • Redistributions of source code must retain the above copyright notice, -this list of conditions and the following disclaimer.
    • -
  • Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    • -
  • The copyright holder’s name is not used to endorse or promote products -derived from this software without specific prior written permission.
    • -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE -LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE.

-
-
-

Portions funded by Sandia National Laboratory -and developed by the University of Michigan’s -Center for Information Technology Integration, -including the PKINIT implementation, are subject -to the following license:

-
-
-
COPYRIGHT © 2006-2007
-
THE REGENTS OF THE UNIVERSITY OF MICHIGAN
-
ALL RIGHTS RESERVED
-
-

Permission is granted to use, copy, create derivative works -and redistribute this software and such derivative works -for any purpose, so long as the name of The University of -Michigan is not used in any advertising or publicity -pertaining to the use of distribution of this software -without specific, written prior authorization. If the -above copyright notice or any other identification of the -University of Michigan is included in any copy of any -portion of this software, then the disclaimer below must -also be included.

-

THIS SOFTWARE IS PROVIDED AS IS, WITHOUT REPRESENTATION -FROM THE UNIVERSITY OF MICHIGAN AS TO ITS FITNESS FOR ANY -PURPOSE, AND WITHOUT WARRANTY BY THE UNIVERSITY OF -MICHIGAN OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING -WITHOUT LIMITATION THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE -REGENTS OF THE UNIVERSITY OF MICHIGAN SHALL NOT BE LIABLE -FOR ANY DAMAGES, INCLUDING SPECIAL, INDIRECT, INCIDENTAL, OR -CONSEQUENTIAL DAMAGES, WITH RESPECT TO ANY CLAIM ARISING -OUT OF OR IN CONNECTION WITH THE USE OF THE SOFTWARE, EVEN -IF IT HAS BEEN OR IS HEREAFTER ADVISED OF THE POSSIBILITY OF -SUCH DAMAGES.

-
-
-

The pkcs11.h file included in the PKINIT code has the -following license:

-
-
-
Copyright 2006 g10 Code GmbH
-
Copyright 2006 Andreas Jellinghaus
-
-

This file is free software; as a special exception the author gives -unlimited permission to copy and/or distribute it, with or without -modifications, as long as this notice is preserved.

-

This file is distributed in the hope that it will be useful, but -WITHOUT ANY WARRANTY, to the extent permitted by law; without even -the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -PURPOSE.

-
-
-

Portions contributed by Apple Inc. are subject to the following license:

-
-

Copyright 2004-2008 Apple Inc. All Rights Reserved.

-
-
Export of this software from the United States of America may require -a specific license from the United States Government. It is the -responsibility of any person or organization contemplating export to -obtain such a license before exporting.
-

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of Apple Inc. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. Apple Inc. makes no representations about the suitability of -this software for any purpose. It is provided “as is” without express -or implied warranty.

-

THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED -WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.

-
-
-

The implementations of UTF-8 string handling in src/util/support and -src/lib/krb5/unicode are subject to the following copyright and -permission notice:

-
-
-
The OpenLDAP Public License
-
Version 2.8, 17 August 2003
-
-

Redistribution and use of this software and associated documentation -(“Software”), with or without modification, are permitted provided -that the following conditions are met:

-
    -
  1. Redistributions in source form must retain copyright statements -and notices,
    2. -
  2. Redistributions in binary form must reproduce applicable copyright -statements and notices, this list of conditions, and the following -disclaimer in the documentation and/or other materials provided -with the distribution, and
    3. -
  3. Redistributions must contain a verbatim copy of this document.
    4. -
-

The OpenLDAP Foundation may revise this license from time to time. -Each revision is distinguished by a version number. You may use -this Software under terms of this license revision or under the -terms of any subsequent revision of the license.

-

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS -CONTRIBUTORS “AS IS” AND ANY EXPRESSED OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY -AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT -SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) -OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, -BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN -ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE.

-

The names of the authors and copyright holders must not be used in -advertising or otherwise to promote the sale, use or other dealing -in this Software without specific, written prior permission. Title -to copyright in this Software shall at all times remain with copyright -holders.

-

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

-

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, -California, USA. All Rights Reserved. Permission to copy and -distribute verbatim copies of this document is granted.

-
-
-

Marked test programs in src/lib/krb5/krb have the following copyright:

-
-
-
Copyright © 2006 Kungliga Tekniska Högskola
-
(Royal Institute of Technology, Stockholm, Sweden).
-
All rights reserved.
-
-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
  3. Neither the name of KTH nor the names of its contributors may be -used to endorse or promote products derived from this software without -specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS “AS IS” AND ANY -EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE -LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, -WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR -OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF -ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-

The KCM Mach RPC definition file used on OS X has the following copyright:

-
-
-
Copyright © 2009 Kungliga Tekniska Högskola
-
(Royal Institute of Technology, Stockholm, Sweden).
-
All rights reserved.
-
-

Portions Copyright © 2009 Apple Inc. All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
  3. Neither the name of the Institute nor the names of its contributors -may be used to endorse or promote products derived from this software -without specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS “AS IS” AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-

Portions of the RPC implementation in src/lib/rpc and src/include/gssrpc -have the following copyright and permission notice:

-
-

Copyright © 2010, Oracle America, Inc.

-

All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in -the documentation and/or other materials provided with the -distribution.
    3. -
  3. Neither the name of the “Oracle America, Inc.” nor the names of -its contributors may be used to endorse or promote products -derived from this software without specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS -IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR -PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-
-

Copyright © 2006,2007,2009 -NTT (Nippon Telegraph and Telephone Corporation). All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer as -the first lines of this file unmodified.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
-

THIS SOFTWARE IS PROVIDED BY NTT “AS IS” AND ANY EXPRESS OR -IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES -OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. -IN NO EVENT SHALL NTT BE LIABLE FOR ANY DIRECT, INDIRECT, -INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF -THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-
-

Copyright 2000 by Carnegie Mellon University

-

All Rights Reserved

-

Permission to use, copy, modify, and distribute this software and its -documentation for any purpose and without fee is hereby granted, -provided that the above copyright notice appear in all copies and that -both that copyright notice and this permission notice appear in -supporting documentation, and that the name of Carnegie Mellon -University not be used in advertising or publicity pertaining to -distribution of the software without specific, written prior -permission.

-

CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO -THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND -FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR -ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT -OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-
-
-
-

Copyright © 2002 Naval Research Laboratory (NRL/CCS)

-

Permission to use, copy, modify and distribute this software and its -documentation is hereby granted, provided that both the copyright -notice and this permission notice appear in all copies of the software, -derivative works or modified versions, and any portions thereof.

-

NRL ALLOWS FREE USE OF THIS SOFTWARE IN ITS “AS IS” CONDITION AND -DISCLAIMS ANY LIABILITY OF ANY KIND FOR ANY DAMAGES WHATSOEVER -RESULTING FROM THE USE OF THIS SOFTWARE.

-
-
-
-

Copyright © 1991, 1992, 1994 by Cygnus Support.

-

Permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation. -Cygnus Support makes no representations about the suitability of -this software for any purpose. It is provided “as is” without express -or implied warranty.

-
-
-
-

Copyright © 2006 Secure Endpoints Inc.

-

Permission is hereby granted, free of charge, to any person -obtaining a copy of this software and associated documentation -files (the “Software”), to deal in the Software without -restriction, including without limitation the rights to use, copy, -modify, merge, publish, distribute, sublicense, and/or sell copies -of the Software, and to permit persons to whom the Software is -furnished to do so, subject to the following conditions:

-

The above copyright notice and this permission notice shall be -included in all copies or substantial portions of the Software.

-

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, -EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND -NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS -BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN -ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -SOFTWARE.

-
-
-

Portions of the implementation of the Fortuna-like PRNG are subject to -the following notice:

-
-
-
Copyright © 2005 Marko Kreen
-
All rights reserved.
-
-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
-

THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS “AS IS” AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-

Copyright © 1994 by the University of Southern California

-
-
EXPORT OF THIS SOFTWARE from the United States of America may -require a specific license from the United States Government. -It is the responsibility of any person or organization contemplating -export to obtain such a license before exporting.
-

WITHIN THAT CONSTRAINT, permission to copy, modify, and distribute -this software and its documentation in source and binary forms is -hereby granted, provided that any documentation or other materials -related to such distribution or use acknowledge that the software -was developed by the University of Southern California.

-

DISCLAIMER OF WARRANTY. THIS SOFTWARE IS PROVIDED “AS IS”. The -University of Southern California MAKES NO REPRESENTATIONS OR -WARRANTIES, EXPRESS OR IMPLIED. By way of example, but not -limitation, the University of Southern California MAKES NO -REPRESENTATIONS OR WARRANTIES OF MERCHANTABILITY OR FITNESS FOR ANY -PARTICULAR PURPOSE. The University of Southern -California shall not be held liable for any liability nor for any -direct, indirect, or consequential damages with respect to any -claim by the user or distributor of the ksu software.

-
-
-
-
-
Copyright © 1995
-
The President and Fellows of Harvard University
-
-

This code is derived from software contributed to Harvard by -Jeremy Rassen.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -

  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.

    -
    2. -

  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.

    -
    3. -

  3. All advertising materials mentioning features or use of this software -must display the following acknowledgement:

    -
    -

    This product includes software developed by the University of -California, Berkeley and its contributors.

    -
    -
    4. -

  4. Neither the name of the University nor the names of its contributors -may be used to endorse or promote products derived from this software -without specific prior written permission.

    -
    5. -
-

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS “AS IS” AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-
-
-
Copyright © 2008 by the Massachusetts Institute of Technology.
-
Copyright 1995 by Richard P. Basch. All Rights Reserved.
-
Copyright 1995 by Lehman Brothers, Inc. All Rights Reserved.
-
-
-
Export of this software from the United States of America may -require a specific license from the United States Government. -It is the responsibility of any person or organization contemplating -export to obtain such a license before exporting.
-

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of Richard P. Basch, Lehman Brothers and M.I.T. not be used -in advertising or publicity pertaining to distribution of the software -without specific, written prior permission. Richard P. Basch, -Lehman Brothers and M.I.T. make no representations about the suitability -of this software for any purpose. It is provided “as is” without -express or implied warranty.

-
-
-

The following notice applies to src/lib/krb5/krb/strptime.c and -src/include/k5-queue.h.

-
-
-
Copyright © 1997, 1998 The NetBSD Foundation, Inc.
-
All rights reserved.
-
-

This code was contributed to The NetBSD Foundation by Klaus Klein.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -

  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.

    -
    2. -

  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.

    -
    3. -

  3. All advertising materials mentioning features or use of this software -must display the following acknowledgement:

    -
    -

    This product includes software developed by the NetBSD -Foundation, Inc. and its contributors.

    -
    -
    4. -

  4. Neither the name of The NetBSD Foundation nor the names of its -contributors may be used to endorse or promote products derived -from this software without specific prior written permission.

    -
    5. -
-

THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS -“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS -BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS -INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN -CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE -POSSIBILITY OF SUCH DAMAGE.

-
-
-

The following notice applies to Unicode library files in -src/lib/krb5/unicode:

-
-
-
Copyright 1997, 1998, 1999 Computing Research Labs,
-
New Mexico State University
-
-

Permission is hereby granted, free of charge, to any person obtaining a -copy of this software and associated documentation files (the “Software”), -to deal in the Software without restriction, including without limitation -the rights to use, copy, modify, merge, publish, distribute, sublicense, -and/or sell copies of the Software, and to permit persons to whom the -Software is furnished to do so, subject to the following conditions:

-

The above copyright notice and this permission notice shall be included in -all copies or substantial portions of the Software.

-

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -THE COMPUTING RESEARCH LAB OR NEW MEXICO STATE UNIVERSITY BE LIABLE FOR ANY -CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT -OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR -THE USE OR OTHER DEALINGS IN THE SOFTWARE.

-
-
-

The following notice applies to src/util/support/strlcpy.c:

-
-

Copyright © 1998 Todd C. Miller Todd.Miller@courtesan.com

-

Permission to use, copy, modify, and distribute this software for any -purpose with or without fee is hereby granted, provided that the above -copyright notice and this permission notice appear in all copies.

-

THE SOFTWARE IS PROVIDED “AS IS” AND THE AUTHOR DISCLAIMS ALL WARRANTIES -WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

-
-
-

The following notice applies to src/util/profile/argv_parse.c and -src/util/profile/argv_parse.h:

-
-

Copyright 1999 by Theodore Ts’o.

-

Permission to use, copy, modify, and distribute this software for -any purpose with or without fee is hereby granted, provided that -the above copyright notice and this permission notice appear in all -copies. THE SOFTWARE IS PROVIDED “AS IS” AND THEODORE TS’O (THE -AUTHOR) DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, -INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. -IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, -INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER -RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION -OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR -IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. (Isn’t -it sick that the U.S. culture of lawsuit-happy lawyers requires -this kind of disclaimer?)

-
-
-

The following notice applies to SWIG-generated code in -src/util/profile/profile_tcl.c:

-
-

Copyright © 1999-2000, The University of Chicago

-

This file may be freely redistributed without license or fee provided -this copyright message remains intact.

-
-
-

The following notice applies to portiions of src/lib/rpc and -src/include/gssrpc:

-
-

Copyright © 2000 The Regents of the University of Michigan. -All rights reserved.

-

Copyright © 2000 Dug Song dugsong@UMICH.EDU. -All rights reserved, all wrongs reversed.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
  3. Neither the name of the University nor the names of its -contributors may be used to endorse or promote products derived -from this software without specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED -WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR -CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF -SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR -BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF -LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING -NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS -SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
-

Implementations of the MD4 algorithm are subject to the following -notice:

-
-

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

-

License to copy and use this software is granted provided that -it is identified as the “RSA Data Security, Inc. MD4 Message -Digest Algorithm” in all material mentioning or referencing this -software or this function.

-

License is also granted to make and use derivative works -provided that such works are identified as “derived from the RSA -Data Security, Inc. MD4 Message Digest Algorithm” in all -material mentioning or referencing the derived work.

-

RSA Data Security, Inc. makes no representations concerning -either the merchantability of this software or the suitability -of this software for any particular purpose. It is provided “as -is” without express or implied warranty of any kind.

-

These notices must be retained in any copies of any part of this -documentation and/or software.

-
-
-

Implementations of the MD5 algorithm are subject to the following -notice:

-
-

Copyright © 1990, RSA Data Security, Inc. All rights reserved.

-

License to copy and use this software is granted provided that -it is identified as the “RSA Data Security, Inc. MD5 Message- -Digest Algorithm” in all material mentioning or referencing this -software or this function.

-

License is also granted to make and use derivative works -provided that such works are identified as “derived from the RSA -Data Security, Inc. MD5 Message-Digest Algorithm” in all -material mentioning or referencing the derived work.

-

RSA Data Security, Inc. makes no representations concerning -either the merchantability of this software or the suitability -of this software for any particular purpose. It is provided “as -is” without express or implied warranty of any kind.

-

These notices must be retained in any copies of any part of this -documentation and/or software.

-
-
-

The following notice applies to src/lib/crypto/crypto_tests/t_mddriver.c:

-
-

Copyright © 1990-2, RSA Data Security, Inc. Created 1990. All -rights reserved.

-

RSA Data Security, Inc. makes no representations concerning either -the merchantability of this software or the suitability of this -software for any particular purpose. It is provided “as is” -without express or implied warranty of any kind.

-

These notices must be retained in any copies of any part of this -documentation and/or software.

-
-
-

Portions of src/lib/krb5 are subject to the following notice:

-
-
-
Copyright © 1994 CyberSAFE Corporation.
-
Copyright 1990,1991,2007,2008 by the Massachusetts -Institute of Technology.
-
All Rights Reserved.
-
-
-
Export of this software from the United States of America may -require a specific license from the United States Government. -It is the responsibility of any person or organization contemplating -export to obtain such a license before exporting.
-

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright -notice appear in all copies and that both that copyright notice and -this permission notice appear in supporting documentation, and that -the name of M.I.T. not be used in advertising or publicity pertaining -to distribution of the software without specific, written prior -permission. Furthermore if you modify this software you must label -your software as modified software and not distribute it in such a -fashion that it might be confused with the original M.I.T. software. -Neither M.I.T., the Open Computing Security Group, nor -CyberSAFE Corporation make any representations about the suitability of -this software for any purpose. It is provided “as is” without express -or implied warranty.

-
-
-

Portions contributed by PADL Software are subject to the following -license:

-
-

Copyright (c) 2011, PADL Software Pty Ltd. -All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  1. Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    2. -
  2. Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in the -documentation and/or other materials provided with the distribution.
    3. -
  3. Neither the name of PADL Software nor the names of its contributors -may be used to endorse or promote products derived from this software -without specific prior written permission.
    4. -
-

THIS SOFTWARE IS PROVIDED BY PADL SOFTWARE AND CONTRIBUTORS “AS IS” AND -ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE -ARE DISCLAIMED. IN NO EVENT SHALL PADL SOFTWARE OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS -OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT -LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY -OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-

The bundled libev source code is subject to the following license:

-
-

All files in libev are Copyright (C)2007,2008,2009 Marc Alexander Lehmann.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are -met:

-
    -
  • Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    • -
  • Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following -disclaimer in the documentation and/or other materials provided -with the distribution.
    • -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR -A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-

Alternatively, the contents of this package may be used under the terms -of the GNU General Public License (“GPL”) version 2 or any later version, -in which case the provisions of the GPL are applicable instead of the -above. If you wish to allow the use of your version of this package only -under the terms of the GPL and not to allow others to use your version of -this file under the BSD license, indicate your decision by deleting the -provisions above and replace them with the notice and other provisions -required by the GPL in this and the other files of this package. If you do -not delete the provisions above, a recipient may use your version of this -file under either the BSD or the GPL.

-
-
-

Files copied from the Intel AESNI Sample Library are subject to the -following license:

-
-

Copyright © 2010, Intel Corporation -All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
-
    -
  • Redistributions of source code must retain the above -copyright notice, this list of conditions and the following -disclaimer.
    • -
  • Redistributions in binary form must reproduce the above -copyright notice, this list of conditions and the following -disclaimer in the documentation and/or other materials -provided with the distribution.
    • -
  • Neither the name of Intel Corporation nor the names of its -contributors may be used to endorse or promote products -derived from this software without specific prior written -permission.
    • -
-
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND -CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, -INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF -MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS -BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, -EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED -TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON -ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR -TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF -THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF -SUCH DAMAGE.

-
-
-

The following notice applies to -src/ccapi/common/win/OldCC/autolock.hxx:

-
-

Copyright (C) 1998 by Danilo Almeida. All rights reserved.

-

Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions -are met:

-
    -
  • Redistributions of source code must retain the above copyright -notice, this list of conditions and the following disclaimer.
    • -
  • Redistributions in binary form must reproduce the above copyright -notice, this list of conditions and the following disclaimer in -the documentation and/or other materials provided with the -distribution.
    • -
-

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS -“AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT -LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS -FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE -COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, -INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES -(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -OF THE POSSIBILITY OF SUCH DAMAGE.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/objects.inv b/doc/html/objects.inv deleted file mode 100644 index 11b6a9f7997b851fdb70f2e0d82509ac609b6abe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24130 zcmV(|K+(S=AX9K?X>NERX>N99Zgg*Qc_4OWa&u{KZXhxWBOp+6Z)#;@bUGkSNmL+9 zWpZL=a&L1ABOq2~a&u{KZaN?_E-^JOG72LgRA^-&a%F8{X>Md?av*PJAarPHb0B7E zY-J#6b0A}HZE$jBb8}^6Aa!$TZf78RY-wUH3V7PJeOq(l$g=J`zk-OfBhFe8hndyx z?unW8rUuz2%xw_v%RVuoph31d2E-t+yVtKjnRSusDrE`phnY62%tA<2S$X*~^O!BS zyP{j1*8kovzh~QS?_GDf-fi~3uJZju`mot%#jnrD?;lhA{L9m6xBXxL)&0Lm#`afd zxn3VnKMz@NQ{=t%^0YK&Ivm#7%df}mq4;&TTpjb`*Jv=9FTTy&`a&;*D7wd_FC|7u|>a*kxqhyFtI` z;4kXo&1Xf?D^ADr>g2z3{DI;j2o`zc>NP&+;kenaHizZ5cUT?^crK6o{FwFF^P)YV zyZNV&>1;ln^oO%(l+L1g0uSb9GM&fiJdQ?V`Q?p-{EqggUIzbFH@4ibdz*E@%}f?) z4F6SM6-@@|aG>3XhXxi%kFAe~O|}((?v}+fb*-dqSzHg}k@#~QC3n@baSoT?dCVR+ z#VI>x>#(nz$2Y@d5zpg+`AyYGXZ2j1cl>LLWpB6s&|7B(?R)xn$^Dqmmqh7!@F5+< ziTo<(pjcZ=oW55qckt7SL%xUgbrrIxqCvEX(j*$g4@qXz39OeZeKol#I?F>ZKb(r* z?tD7K`Z;EQpEvY}I!mXsMUsy17x%C%=JB8RL-onJhda+}*jd~4@{pcSn{B#<7nvUN z?Pm2e&Gu`TRAB!HDYe_d0*CFYO~Ahnul4X+53lub(jK3*hm$68+>J&cg4ol>$9#q- zT)=W#7ARN(9yLC}dw6&WtehxG@8WOTbGC=!2e0rcv!|QEeJ%I-{^u?~6W0_-HGGil z0mjJ!w%>H}Z9Kg%*Oixm|62U|V|ECUg}{;mizW-jwaz+Ezn?c-<3+JczpnGm{*e!J z-gVyN#Gmm0FxY+FoSruOF8plxw9UGwW0vvzTpfQNPC4J-+3s)(c`5z*x7lLKcXB+Q zE%bL{jq)$#J8hjEd->_mJLS*WezSkbLmpH)MG8}-;OyVpVQ$aS(t~G zyzYA058LHq(c5P~PWXxbbzF1~;(0n<%+l*obd#i$`0D~bX7Ic&fNx z{mXK{%GSTCgmU(|xYn(X4m|yPMRpRJ$Tr(Qo}OsGiLFmIK?)P3Y=V?epe6DDH|Q=#0H1IaC^f)LZ>~So|u+^T3&t( zcr?-d;+CEMsJTt&+9NT>`030JW)K<0Q^=8QoW|@RW|OcZczxa-I(W@_aDdja0^##B z&5w`r{(9p4%6^`U^9TRd~2^Reh`L#~AU-6#|y6)=x3iRHOw4WbO`s`!{ ziIny~^+B=yD8Ill)Ir;gOOeC&{0ORmHb1|HUs2NW$;yvC!FG!_A?OS2Vwe4fhvh2k z{-dP)r?Gwx%iiG`4mvO;f3#UcvnZY24JX4zdiT}6j#LW%i;O+H?V?&bG5sKxB@+-iC`8=8G z1`AxM1YZv}#0ie;9%z&W>d|mQ21>xRKLy$U6>f8yCa5Y;`mrSnT|`V%`^KjjX>9J@< z!F5n2A2#^)r{m97i%o1At|u*~cku*mD7ZeHq}M~Zm2@%x=2?FvUd5YrIONAus6%Tu zo6Z-uPm5hPq|6B(4p@48)wYl_3-}pe$+6YwmNF`Z%URLNQQ>t`@Spbx`Xzh&t7En< zn6h+wK7pP65V8$#;zi2dR(~E35~d<8?iT52c&+cm8ajSE>wLF_RrllLzy1Z1VRvB8 zKKgwOrsD{f$5&v74L_d2YD%;la1nI2N50!OTv5$V%&rM=dX46MgAKV38ZV;7a5~W( zUo|A1UB2Et{7g&bn5vsuwj-ZN(Xw%(W42%JvTAnRGD3ZMJ~_YUZ~!GSJHBMcLRyt; zp*#Tx7?x~_*i2&>>oCdzY0Qe?C=l0 zk6k$dSZeUj&)ckpp(YsrGQ^zpDxEf~=j_x*(4mn8I(NDl_V40_Th!?^o!#aHzi6|{ z_C=TpkR_SrvY?sDl0nyz?;&&BHo3<8offRl=K#Xq1+fdAEb1~X@uzhte>fYQ9)9zj>xZhKp_u1}94 zTX{4GC1f;8M`%7TZuC8D4qAbZ)f0Sewts9L>FD3W{PEH@Y5zgN)zH z?wM(+tEY@Tm)^q}y@>SXy?ai9Kb8C`@@uQzMIax8Jn~`E?06J*OOPXDDKw8%PLbji zx?{slBlOu-8_B_R)4p4BIL129Ab<~W7yC6@18MdHUO2pM*M@~d;rtzBG?<7dvEh-q zCz*RCGrRupZo+;WsBQl*TftiDB2l)7*aiE*Sr9W_)6;~gB>#a^j z?+N8*@w9x``{TDT-(VCcFiF~9B+O zGA_p3=;8BEY?-C(`10uC8jW!a@C`lnU~6*|(QKBg2bTLbOsdZJWwBuv%PKpV;);#^ ziq2%=He(lhC2?sQeE!n#gL#|BD`Aln|r6Z$Cn)A87_=^aC0kbz|M#Zw8&8$N|k zQ4)7SBo3#Oq(pKsTtikA=$Rk`8zfYN0T<#VL6?I9Z14;l9&WVc!=MzUBOA?h6G&kW zRxZ3B`y$YP_jQt3&O5kf;=0h2v^-{DxIO&d3eknGqG%qc_lxV_JyJNxl^LjHp>PAYuTA zz{nrFKRw*XFLju`4i+&F#x>&^m@Nl%q6irK3AIy|7hVM$3L7taycNZXdc21L7A~vCjzuOz|0;gu>>sv z1YXpD0u?A%HjwrpkU6%k7Cl0|SHQoU_L{@A#)K z`_y3rY>n^pAe2lJjTYRYJej6wLRWzq$B>k}E7)LjL#bTDAXYt3+?n?DGmfpqpS3N|Rg}Buh@2}GFaANq= z#nsLuBIZDi(`S=cg$XdkzqLaTBjFNr8GQ0#SX%%pUB{m?+*#$@bhTQpo-&sL%12T# zi}^f2-4oRPe7gnXorB{Zy6j@%0=+ySJntz;V(QqI>)~XW+!~_OP2!FB9kYG*`UVld zc|3`~kYaunrHW2@&)_M{3=PGnyk{sBv??74m1@wkZ6I6-!=qY8!-XtB#sB>!uQjauRaJao&D6I(%DbTXH%Rq4m)Mu zo6Y{51;-uP<4YDX2b8i<<8X2xJA#lNN)=}vs-IR|+E1-6m+rpxreKTdbX@L>4R>>A ztLHH9-(Z;F>PQ#!Xp#)M|2pp9na)5DS%*Va(#;w@oTr~*eoTRLDVdW)wh}5o2b*-u zAvKy<#TP0+85385(S^$Mg+j@WE$HKh5q`B_Gyg>kBm8PIKsSZk2p5A4#0W2VmA_<1 z=VRs2K2`T)A@-65-duMeKXvd{AGVKZGz9==(3x^Qx&f^`)?hN`b@pt2!F#bH=#9`V zwo~9^?_;-|rBdy1Pva6;Zi_Yw9&XThg0d%Zt9d2?`{t_;T%cs9f{q!x`oNvLz@%t)$&EK<7l6Jri~%1T47CSI8p}g3dspfFAeR>9W-#1s!42z|Q$JT$Ija z4}NOBK1HRc#&- z$5efCK#`ccA;^KNA&!{uz;NWc2rN|Xn;>d^xl0JRX&a}No^CL4{DE47NLc+Fk>0ip zR)Byt1y+nJS-OxhriUQU-`hnW??3qhk8H$vtd9j#E_$y=_;OVH9@{+Gn}n$Z>6bZt zAtJAD+z;2L^Jnj0l)K-Qxi3ZL>V+9i#q;LSLl`y&eM97A|1-;ZN$!TT^m9DNz^)-2 z9TXj&v0vf3+iVz~pkK|=E4ABQ(KdQBPW%BJb*uySO}fgCr*!qS#M{I_vmXbHNztHL zFhLKwdTavzr<|a_-0$;Kcf~7};82%Q{hR&0c|gEb)_qzQUBOWS(qQ47jzEgKF<32+ zJij0eng+{bF^@n^8>EAH6yLD?0Slz&q%y-X+xE?&-Y;WuU72ooi@8H zP})x?VCeVzi!}Z^TMWmsCGAZDae}Rw6aIWG!jN8!FXeo?7fcyYqO=n0ePN(hOw;4j zEQ=>a&xA4bh6iewgE;Ab>f1Uczb;%#&u`+oWWX1S=dzB_NPw1JVi0+-pU}a$EZU?) zOaCtjw&C>6?3!C6860NjRVRCLyV%f>!P`vAsYc6@Myj$^6I9 zP@m-V>o?mW2^UMZS178s-z0Ek7eB%`Gm8^5E8w4pGngZ|$lB%_-@sQfQ*s`Ur|{49J=h=U zP4QU5Vxbf4Yw}_e!Uy@8c&cw^8iEFGL3%`!3d7#;SZw>ucc>n6~43%`Z z#3EfOug*p)_r`NvIA4$RCF~mBEx+7d;yG9qd{fmkn)(JCQ@I8+cOJ9TB|vfvt5zs- z-O6Vtc5!?;yuO{KU(Lys0dalUNLK+ni%g!+^b4eYV}5f1i< zzPi93(brP;ZuZ<$7bJa$6XudL<*&G`RN_Jb6I|zo%MC}JmvX>RR6>q7!J{8<;$r2= zU9S&;e%!%eW_fYpn!B_@pbl`}|OBii@ifiFugxM5AXu zWH9>9<8iq^rC^a}g-fkEysp#T<4(v$M%)v`H~4{}g8AoD-u;=MkN7b^?@t<9kAn~~ zFBoI4`7!8C&!^*=#2m(7QWjjD&W*S2A@T(2sx-t_rSAmTqMXH3{mvu{i5RkH*xTl> zZyq%4Pwyv-bTs|aB5qjn3X!%wF?qT?sgJaUM-Zd}6P(dvp=7W+orCqHofRddX(1G? zkfs@Hx2leOY*%&Uqp#}7M+4S^=MwDJAInuMXbT=YNg98R`W|?TLcog*xYb}*Wk3!& z%M8dt8zWF`9`^w?E-Vy4GQ62+RWAG#hLarCz-m3Nwi_%O+`>(cxoFiI>yL)<#DisY zQL4oUg5kmMesjTt`PGh4f0m zWtOVh!;jwbxNBEx@cL^S&BwlCgL0IA;cK?tKJW9_eUHWMPa$9UB_56LCetsIbP~ZH zUg%$Fjh5y`Fzi*@5)PQFW2m#uA0IvVh`M?!g6%I&D@4VZ9fiRPA*#7}T)A{XIabz@ zXkAZ8PQcVD1ozmbLE2&Q)zTk6K)#2jb9nvx?2hKvxiJKnQKJpcp?w})=>|@h$<$HZ zM!C*iI$*jBMX=T5=W~?GB)TAqGp)YJS=JUgv$`T@-9m0*9Xl;!hpicC89S5K)qxIs z9<0zo;2WX zmW2CoU+L)x+dZv0t8M*`vGgR%0zY-dCr2nlhALZzGDO_bAIcB}TEuD-uGCl+tgV5v z+{#5bDOqvF#7TJ_Bg@BSkgeeJe5BD$WEc?jq-rT>tP22dlxj68g`Z1KM^Wfo@SwdRxxIgYv^GDy%itqrS!pfj^RvCX8?RofpN8W*nFeq~rUr((;8I!918^JA7i zz~V}={CKl*C|G*P(qk-hcEw2dmrPxxg8@d#Ovh5w5v7&F045rvrR$U<u!2}E9Ip)_ET0QjqC$(1-NxwkXcb-oOMZ1s*WWS2neg_Jy0`w`W7I?VknP}^ zgOn=YH;ybhF3Unp9G9={5EJw0iw`jYL!Fx2w_)+}?gtHb{J!-qzpuIHa*PmKf6J(P zSU{b{(ra#z$<(*GztOZGk>mXpv8np4nfEYTAC~QEN=F0c9E=CE$X8TaBXK;PLw4M4 zPRw{|`A}x@d^}vBiQ<126-|dlk}`x3fTe_)q^9$_F^yAB(5ohx$!p#6nj|rMkeI5}M9edsv42 zFhMSO@o+YK{V3OMzoTAgwzb_nGt0@=7|(9nn)0`o6~ApPed|#CMZKX*Dh9Gl-lmd) z3Q_4u6~Pa%JXlMVBFv$h+_RnwU`?>*CyD7;HOKkaGNABJ3*$jwdwc@5OlEG>&~Z|9 zgxl!wbOg!O1L1=TCGm?nZ_0U7!CU&NU4xEn6y8{=Z8pkaIFI`ae>MsqcUC_5<2S4v z+M>9!TKE$Sf;#IfJBZYRrTDcM7c7NIC1`9=om25Pckd*amSY1f7gkux2?prO+%(>dat(x33x2e;kD#l!hg|p*&tF*7R?I*WS$63qj?L zfbt4V?r5L&wtcgdhFP7}620Hyd1-?0ujYM!d6gNtk10iF6k2C>)Aq$p>uQ^Jun`L` zP8Sdy$5LL7-IFK1$tr zgco#;T-BgU`hRK&?oIv@UMw>OE=RFUysWg8ZTLMEq1jVb{-V2RF#g!pTg!I;QStrL z77@YaqFs%x%j>>23M)9C9s={2tUd|-D2cDFY$h+6cxyl5z++uecm{J&!My&rPw|{J zJK+h+M)5p*SbV4Kq!qGG1dqN-#6>%Wp!|w<83e2}s_CzF5pN%1jt7FNpW&2$!4)Tpe|!t%3S zTE~Uyb}&U_uAN3xYQw@*l@Ku|PO`uZYf))AolQr>{x>c%Vk_a=O{Hnc7#C$QEBuin zlpL%pW03P2bWb1?$m$qyp78;ACeFE*opcN zo_N@l1L36RwHmkiV?eb=pjPTN!Y5g=5&p#1#IguBr8}{tl?{sJXWpY&elmBb-YfU* z_NlD+qCh2iO)~{3iQzNsov3u{ESBq_R(@m95GDhq1!ocsjOKnWk`D8;r!OB}-gmW~ z8D8iC*(dx1O?{=KnVxQNL5VHQD5x#5WfGLe48~bNiswsqfCbhq!eC0Aq|=C4{mC3}Sx8D0{#{^UpuplssS{m%Fd-atC72 z#2g2=sji^KjtGbTzMPDMlsNw!W?P;@Pw&|@Szz;2>%cAtoDt){83ggt zVDX;}WY`=hR_V&yIW4~jw&VZ~vnvN&DyuEBgE=s(@}|#ERV$@Z9q8Dbqtzy25kGtT z@M8C@t-HFD>~5SFBngQwo3$B2Dve%gyhWjLXPt4SQ}ZgU`4Q{G+&B9jl~)xUrs%?X zDHKyo!&C`u^BGMBiJ58~x>rRuvAtKz0lfusYdc$OgUo(HRSwHhn7Lg_Q(1S}m(pYs zbk_L}tFw9|Abzhe=M;gE|EtdPmsy}`^SBSr>n+2@2$*){_d3S0z!-C&(!8#c8uc|V ziWK)8;$@iCc@c;dcO8h^bTmvFF{CQ3115fi`@E!x)EvICzKWEjP?`|5Uinoc0+}x* zX4IRf7HvFlvQKK__Pg1`x<3s|0+7&DzkYD-{yguA^jsDgoEEaaB;Ftlc|A!&dItBL@>q=^Vt zW}met!({a5mwk&~AFQzcEbjB7#&@45&YmAOm2hk3=l%M82=IRk4&7_XubEY+TU3fT zJxlDht6YRN%7d5ftA4VmWm)wTJ!3dCyr&0vHN;Btj17NlPqMKq|3-}8UchDK2rmt^ z5(8MhHD@_5nSjShTP?tEeq+}^5ZB7Is1=i6h-_T1w*kH7ME+AB3-5qTMa5yH^_TMz z)Is*eUfSmm%T0&|%IbE1vve6==3p|tj)uBIN}z|;!=rMbgyBnAQ_UV8YXc=Jo`0^C zd-Hmwc<-^8K$x;UnNDm+9bQyJSH?qpzcM$E{9Yb66GI8}V zk-ba8TUzVAtYF7Ov1?k=dEYyHnOO<#@b^y}8C?12Y#W7(i4w|?yKxP?)?R3vMzu#x8chbN-L}y|qTo40U?GNY3@>;+4ZNz; z<$eZU!HME!s3^sPMC~@j{R{NE^A|3-Q>3#WhxTdG81$-3mBw)s9>pQ=@OvuZ7YdHz zc=pMZC)RqPQ96;Q`P^HFR_!7*3>GS#i9)9g=&K>sM6IuecG2OY#6AbX2``!xa&fb8 zCB1lPT+QClQf=Gi4VF?(dp8&r=mi8CKc9kY{9_S+w1%t_|LQ>H)8A*O@0+{`bn8#z z#i!vku{`_Yy6k8Ss?rPVq{XBSx%|86VJx_XU01e|D0>`RLa4V7Z4NM9kqhnG@TNs4c5j*15wdqBlfHB1)lw~C zNrtU7RhF~sQB~D3E7g$I*5@$WR=I|(3jS?WlWbT~lzPxhn9lRr)NejlC9rq!8|V<+ zvfA|+ZVU}Js|>arXeuOvMIfJp^m~7Kki|Ue-x;cYBem-BI|O_DW)6?vtizPFjXRr5 z58C`!cP3~{rw{0}5?;!JWnrEl&{8F2l!e1g_m4S_r%!0da6GUomfP|#tisM3N%8fW zvj$|Vm)^rZNF_l35b~uDdtDV!2J`|Qno}mcLWk;IahB*%3G^D1m)Dns{t8LR+c*6hk zx1H5T%|a>YnP}M`o*9?uh4A)=Hz^#!`p`zrb}-&<*<43sNYyYn7vnJjUF@QXu@Bq0 z6=>erxavS@Z;8E&+Ei#LlEcL@$AWE7RFdqdWG#_`TN3HP7s8fA#;}@ZiRUwHrbps2 zP*N+ww9C=}eWjY^8wgEc6D+2kTP3csn9`wDvpg1+J-FND8Dr(z|Bek30@ps{G1or3 zsB|uD{n)GSg$5M9Jl`c;_&aFf;eEzs8Hi7yRlB;3JH|^ucW4OM75FW~z2A#~%-869 zk#El$2&;mPWyNyWs{BY2C(+nbeT0v79BIzZzC#24xy$KMi@C>w6Wh%*{KTKdDccpE z-g52x%GLIivr2?tj7Zc#Ge%lrX*Qkrymw5H#dJSmZDCAfNnGwQr{(GSE{S?j>pWWIUfFP^~;>DY98wWp&;3FSqH~?rzqO6*-S5 z*1=-E%yx*&A~kVEF5$}KTnS!bfG(wkHXjl|FVWhyYRSkf3SNvm)RIUR(|PQ$AlUWN zZxtS;77i*`l-eHhB}Heb<-+BlhH!Sia}2uG94;H};OYoF6}<71ji~}At25sn5=vIR_4+LB+{u!ACW@m>3vwH#a+^eQO~vWwPCDs?#l2X zgHwjK3PvWoO)y^d_g1BU1!^}nMK|r?=DOZ**V3EU>kjGYZE%#R#@+H~=|>O4HIAci zrN`VvHmYOp{fP);%%8tB5{YQy;XEdUBQ;8XQ$GSiKIsn~^ZH|D?j#18M*Xx!8Jwz2 z3j;@E9cO1XoEo|c$$LJ4O0qB7fRyiNlXNgi+$d#rke3npWx3i~Nw~IigcSqzSc)zKJ#J7x*nqx}ug+DC z+h9f3p}q>Gb;aU?PnaSS-t2M3LYK&_H+!rSAiE66h11*&Ml4CDsl~PCOB^0zl|JGYj(9% zEP_l9sXrJdhjH1kFu|6%dgdkT!;Q=@!^zbh3JbTLSq}Sj)Xn2Qzvxtu%IENAGHo~( zT%?^J+wpc&=?rt<+EtX_4E zgmtCiuRi|PBUh=fDf+m2pLSvH$oz75{R?FS4otD&(#$%s~#K$_! ze@iN^f`np;Fr4%|>HA%;q~AUi1f{TYFce%M8fKhW+zGEp(shd9Vq+0A_h z#YsNTefiBcfet?kuHi0GMUD#Y`jF!3ywJ;uC_g?N+5yo{4`o*x`W}AI^KG^aiVz4E zO;Cty4D^8oqYQM$&z>CMT-`BGTN>gef4zaQW|Q6m0%r5cMnYAhhWaSE$h4f4)nx;d zuvtE5$L~E<_KUEZBPC>O7~RG5Pw6%MoWv|a;v=fOutlf`wy?afMR_vp&(wB(QtnUg ztM+{AwVGzsm$jj8Y(U*v%SIP8AJPItylXA@PS$aFDBkyq<+epdh3GnYpC-}BSx=!H ztU!5zm_$V2S$ITwu~Tk5;k$Qr6jkX?P9Mn&U0x8YsVmTh7-6N)Pa{y+q?JZ` zWAP-LPP5n5;z@Vxl2$UQ;1wh&N4p>up-oYF;$2t#WxD}j`)13wC3=$u7;pXpy?nSM zz(4Enq;RYN`2aQR36SwP?4WPd)j-o5^#oiAZ4ydQe?h>DGpR%!w_H<1*G8OL*Vc-6BCB+{xx8mo|2c`n5qvohC1 zEsdt7#DqCMw5%7?@nH^jggJO6)4wxU1y74e&N<}+_-e|rDgw~D8u#8PQ z2T3kVwTh2u(a67r&@0Wt5RFAL=~|1tDqUl%7p7W#hiwS|BIGQ{JJ$cq;;)}zm%+b? zDKi{oHi1?`G-p`k76n8(qpN%W`yQ<)uO#lBYZ^w#%1{21w(FBq(TtX9gda zk5UzqY7h$E49=A>?O_0^DpKuzqtXzhtPcoF|{PNlqQAy7ntB~B9#{jtlO ziUGr^xp{zhvdvzW`&M-+hu82rM)Bup;wen25EwRV5tg$mZPYX|GgP$^{w2HR<0h!W z9b?cAQ+CDK$%*NEy{GKQa-FR(VSh8B#~Fsx&s`8vUG}LcZEaRRF*p}QFs61wh&JLc zv(&1>QeAPS4s)pSK;}b%Rh1s8K0$Pu@zW@}POx^;P2~=BjTvhS9TrtaF1d1qzJw4I zP$k#Gsq9{97FlPt6`L%yAzj6Y&D7ww<;ODrvG8LWIZXI6L?d$nHsTrmjzZz~ZJmQ( zRtR7aS$__`O=p~v>^3(0HR5~nW1EALO+B0phW%(Uox9IUou;F_u>Xk{4=OA25a66z zxDZ!AenK#(m_imTV8yL@L#3da1<1#X6c}X-ssUqpz$c#Ge?hw{_{747^$n{`D%ERT zXA!{HZ`0!VV!4XD3orzpD?hQVh@XxK-E0f*TFj&2s0QC9#&!3ATA?NwMa=yHpXa5r z;6f9-iE8w#<@WHj+@E*ZF-WO*>P*pSb{kFZ$MM|I@EfT+Vjmo{S9q&VWuLuh=HL{| zm+g*{MRrg}SLo0DeC(DZU|3aYlI&R3s*Z<77=vt3c=paOem(3cpIE=>qxUzFeitzHB&9#^zrV5(DC}~F9l9hGNEL(Q2lYDC58Z!k&#TS)pH}hmHz{1+?R7Ae(4rl~e|0Oy z@~o3WM##5NtZ^x@Y;3VU)Y)xL&mSMM<>`FPTxqp(sI2KZTvYpB4(d^%*OpP_*%xmN zSqzzo?DL){>Z~`#VY~d<3XFX};i)%+VKN&<-#j>MgQ~+?7&c&~ISmWWlz3@&t*7z9 z1?5mx+Wm#-BgkdfS*tEPP-^dbfBYuVl`SD^@6tbh6L3jCK20GqK*gAVh`T7?2Nm2c zLBp7Gh)$I0#3-}tr0|*zD333)89<0P84N(8A7_^zWwOMYbe+S#YuCdLJ>syzd>!oc z;WEkNHQR1mq$}=rxs-ns&r0Q!2@fwV|dXoR5i+Z%A_LUH#H2jmU#ra z{pHOjXdrWx1r3k=mbE@zv0rttgj}s)yKlFfrG#{^$mmoFx9Y=o9*u^PglP8_lxiJ~ z(nN$QzHMQhEG|}q>NLg;BQO|`TN-r^JgzZ@et5nlpNZHP$mZ;kr2l#6N_O9iB% zsJII4Py(_omvDr_MObJEczOu*6+EywK!W`r0a8J`a48%0;0GlFNdw{im%!Q? zy#P!xA=6RXiwT)tQYR)<8u{|_-9h+mWwapVtxd->;hz;=f8%voJ`J?T7dH43pbHK%4b((LALIUtVO@>m0! zV^G-$+MG?lJ@FGWA_#H8pDRI$fvW2PiGsLJ$k< zM;yJscg0^FQJV`Bzrm1Pt!U6(20G$wJc zO5ngqm#5Q_8n+faJ;tLx(`~-IsMI9mw;ll7%Ej^J@cK5-K$*|_uF5;{Mk}v!R_M!* zL!K|M%W40Fu$d{q>`K({mOsQfLzeOii+LKo!Aay;ErI*GVXag<+_6&LZi)C_jLy5mMJEyRJCC8aJAb@7!ka1wc8=&<()w{d;_rrP5+e_-YG#moIx;R7>^%qPj;GTx`@N@);kb;Sfg_(ZgA7SQQw)>tP zyDpo+&8bYSlyzghO)v~wmi#2#wU5>M4kaK7rk8Y;)!)5?(VVs{)+-Es!i0K#Uu7se5?kxFm>M&83c6_u9=^BElWvwsy~G6t0;Jg$<#oJs2vC3-t# zYr>3ndnxnz2@eqU@o6y*b*>d#k)j1BVKSB8nyp|#a~8NG%%xC!R@g6c1zr)JnP;^f zmTZGyH)z<*+w&UhACul{#b}8rcmn5RkslkkKuPJEgSWWm4jjVsGC1s~&)g+&Kyw(Y zfSHjcQysf~_iO%Sa9ifb&3~AWA{86DQCzRxkCm-d=6FwcutArP8FhJUOwQM}%}KIU zl3H^pHBuil%C^%Ptoc|bqnhqR+RF|u`zaoovLi&dc#Q~tqa1r0uWROCWWFzLGJB5n z;h1G;wVp_CS0T6NVne0lvmi`oa9A^zja{=JhinD1I^E~{6-5QnTf*As6ZtTa^!3^n zFEDViu4S&Lmt~7Z_+lS?JT`)TKUU3Zf=X=fU6ep+r3yA~V3poJkeQkoFrCieQ3KWL z$qd$y-75v+FU3QStQR)UyPYo*A6_YN>G1Fvc&A{xZ9jg{Krt$ z4L74hCj!%Oo$tUFdd|`u^o~%Lqi!?0hZ(7DqH$Y*^M4nmvJl1HocK@`RQf3 z-KATqwx@7wlE3hOC_jPITOt(=#9uP1h04k6 zrC=e2=H+%3I#u@Mbtj44@{b*)%-yp;kxe3viJ;~FA^=Z3&eQz+eN9M=Lr*J!#aANH zS!S2cGT$3pT`PQLs3Z`(FkI)Mt(Y;)ryV6f$>%fIWBa)v^^={b8?o-*S&odN1r!@+U(u)g-+p(vMmfx zfQ>UW9YN7F*qly1?8u2il@`b`S=`c~42hG(fG1YzP?LE>t+!LNnR7BEtm^b;W<(LEAWP+NElg^RQj*sD z!b82_e*Xo?328Qw9T$>^deBS%qgd!I&w6zh$LS;7%?eVf`3N$2$coGI0*z%^`!29x z0{%xkL_M4ys8Hh`R?9~;KZX1(gIDdJMm2~1M)Akwl%q~idi;mXpWWJbXt^Ik48mH! zg?x7c=+p3K6k^K3a?JMGE9{hq>}?Jfaio!TF%LG3JG13>OE>uoNw`{EzCe|+!dM<6 zIZ)+bwtvBLyE<=CZ4Hn!HdFn<-5Px%H)DhS?b&Y#j=_@sspzUh1=OfKetVK03by7j zQt@7v+cRZZyE6E6^eAcT`F0(=t$dwT;Z3AlZuS`^Eal~OE)0@Kg}5cyL3&`1WuGGq zy7m6BX0q>Hu68;w*S9|m2LrE_bFp8-j3zeA;2K~vgQh3|3L2Kh52SD#ht1oFXjFop z$u`L9X}N#QQV~ETXs0Gu1DGzA=WiIKPOYq0r{)pQ5GS8UVNl*-JDuUV)iL)>IOcHA zaiwDQl0M}*)e)faxJ_JDP?M}&zr5Br3K<$#yS?;?B9lG);*}(9eXJBc3XQ0@)1pd5 z2Ryf@>?n>OiYDns=e!<40Ec=i9bAo>6;yfKlvrV%ByCO~=dQpzqzW;O-V62Nip>Q; zp9hv(O3#GQ=IUwIWb?S8oNB>bZl0bt z+b!9c^eP0hus8LTRp@IyF-NLv!)9s@PL>c{Dq5;x1`o1^h|YFv1X2$Q#+z7-6ps?o zR`+l^zk#i?Y)w9CES~x;N`{-%?op+AVSona;PU1skgYFYazZ^0EnBB#bBt)4=m@!8 ze#**>h%j(n#p<$uL_dVhe~6Y(Mela7{!Q0)4{jKyK=hS4ETm)9;IY-Cz{F;6TC*kX z4*BsE8aQA)j?Zb6vsS-V8i3g)D>zY>XB;=WZ@4_-Y0 zJ6e&uO#qtq@7zdOnY=vTDGF4@;Mp!@*+SL(X_+jPZqQw}#bUX6{*cla zj)Tu-O0h)&|5BA5Kh{laDM~Nz;kOulX*=pGd#ltRaWhmar=o7SYxQ2KxNnWG-WMtT zazWlmcm6|V!&A>!gTpUch)yMqzOlX#y(&RtfgxeSu{O02+}b%F5Mgdn{%9;%oL+^~MpVnmXq z3LF@KcAsa~rU**kXxJF6jdJ>$EfE}#t<@-d*yQoUFvuxwKIO;v0(kSYH#{8lm`mfr zXb90Tr*x1ZV{mvZw5R1uCVkvwJ56P()eS>a-MzduX-srLpFf@Hz#r4m0;t7Jt1{vZKGTvQjwu(d&tWm%6T!n_3#oWdb~P zOZrphgEAXyk{V?gy6m9QCWdV@yJ6cQl>$hTEkC|4k86<_`)2YD4;#V>trEMF?GMx( z`-3N0pPZxbs~7ULS+BEw`+6aI`d3h;2Y=GoHd`LU>s#7f_4)op1;8&=;mPiaHP0le zHAgGlApv&i(~8J3JE~fxAu}!y>*1!^<_9GNtugp47NQeQqjo7zXCYl0v((Q{iBjzfdR0)1$MLe^`C~i0 z3Qf@brgawA<_h#D7##G9D58=VRb8XkN8$Ock-JVdMRre zc1aO<)#xGy%4+R25WOUfgCuNnep0cIE;but65=vyLa_%f77wQb(VhkDb%omfYssod zL*)+a?@e@S*-Snp3_I!l=%Hx!zt~bt54z%*j8nxTc%3JdgU960_ZZi|n+XjbUiz+f& zRc4i*`i{dP_cptI=L%%E;U#;4y3R_BRf(*(NaL^E_(c7&#_?Z09|o*su2bQrqd!`m z)fS+_mI;z{Hj~>}Ym?yMW^`$;Ra;jTqd{>08U0{Q{i+1NQeE~AF85XrNM6?H{d!ha zXR@_|W%Qw^BMBvVdmqRL=!cux;vFh(V}w>_=OgeUf| z*XF0@hC8@I>)5_2@LRMkA<83#+S4veDRE8fmn9i|Z<_v+DW!Tt{A2aCdRJ-jx}i0Y zDrsv|P}(CXi$(;cPs39YD{rMGYPW?@hL9W}KXc>TC3PWatYcJ3+Ey*2>V@?>W5rU) zu2qfRJ;N=fe2s{G?64uaPvm7WY=S#BTSwr!Hyor-X5Rm4rD>cY#^`OoI(mwkT8!OYU> zun~1oj+=waBR*1+w_c(3=7I)PSn(~L?8jlra)^r))#ayixPIgct7X%$lnQmNsHpPR z1LZ}<=rMA`YNz<1g_b+0{_VP${02=>sgA#c+R0KyaN`^eSVtm6p&shU`z*_67K*I3 z7@g`tSRRPM;n)n!5lr0iB`rMxDi}&rFW{XOcN_2A$yHm|B_xET@p#q*E}P)>pfdTB z*UDu>O@Z;2682WJVqwT^{Xf^pWrc#_blhYwA$^B67JuM5C`9Vua@TXjccVUea%D%0 z(fJ}?%tsayD|Jrb)A9ovrPZX|bLSip8KcqrD_w+CxoFHsr6wIUd5Ser9V*&APIul{ zvGfBGFzk}ao3SNkqY4FY#uf&f&Ihbb78an=c-&q_IC0O%OmUc#T#PywxzUO&5O6`4 z6*)z-S=PoFb2+2f?>#L~v~qV9xv!65P!^HJ<5EYkz7M^pl+IA2M6@r5(o_ni#F5c+ zvi#69-d$H@(YHfOs40YP>Seh-;GQMC!Zo~EQ7bzVW+9zjq|*G2=T+$z330;fEH#PM zK{?fKL@d$$?EZ10BM-x9holP@brBpQp3mTDihhs_P+45{Sa#NK?k&*l>L8(PX3b1S zx;Qm!!|Pzli#r7>#9X8Y}FVIJFdy4fF!BAXZfi`nG%!B@y=E+#Nwoqv`Nbf*Rg7= zPLk^c)K#1;+a(Z@99~onJ9KG)`;wIAXCv#(G=JOf8JGJDE#Dd`{c(l>ABI2DU_xU; zI!!cWl4_fp9#*Xv266=uyG3}hL~K777ZtM%uEXP3k))(-h)*CD)$GBvhxX<@Xb zG{kDT(BusE1Lpzb29ydA)t5~RZD#!FYi2A?Z5~dhpYojE5y&{ah7<--$bCjYNO|yv zl0w0Xo9mdPYFCofn&ZP2vn^kOBK|g$r;-#6J^i=0k4nht>#3koMYHI0dG%Sl#B7^R zStVm#YCEB7kUyv0sLr@07qMw-;98cE3Mwh@jwmpzDg*`OR<5{`aZ%wn^=DBNZ~VV& zvp>DRB6Nxas>b4jd3AX*PJI4l9co&2 z>}u<;cFxy?d@r&7fxveU_nOD}QhF}%`H>f%m)Bt#fDjGHs?q4Z2he$suOgswzJ6P`t5&G_-^L%5&9W~#4B6IzVM z*;o*t|M&C511a#QGXyj-mZ9!V)~cSMAIMa>Xo*^b&fr#!s5+4wzPrl+OspG1~xKRePZ5?VZUZr^+8XUeunyf&0PG`B*9zYsgurno=0E5}W*+_*SNEUA{xYVq#E=UIFh2+yUsW?ML z+#L1}NK~g3>{9d(fd`aX*Ow_Tpp)|UqLk)36>ZJoO|9HwaoFgIqD6HFo5`!VP!C0o zo>+>bbs-L4`l4cew#;B`^E8_uW_5;#HT&=h47pJQCp!3=!s3r>XuPc9sPNZ&#X;pzI`D^!vt|1 zZj4lQ&WjT((+Y{j|J)gfYhouPPUz)=1!WRYfwS(imbTOCwf}V2KBu@31=nj*ljyWU%h%}2Nb_PL2sm@IV#Cy3aMntBt@QhE}Xl1AUGgdlJx`*C=?D$@LL4ya-7Vrx#ECa52@yy=yK ztip%!x&iS6zi+vt6?gJ-d&~3?V-1eFJOx{H@Kqr;hRx*hxskOnmE6<9!@%6o+IZC3 zEfuJr>X7rN0idQ%bgxQMsvf|i$`|H@RdaYM4-+$sD&odMSz+ZS{YL=*Ma*VoTcMzN z^IUAi^kg0oPWSo4a?L3bA->tX^oi9jGN zpzhnYRh={9YV{X5la6C9wnJhUoWm(nip}GmC{mELM#Pa_nEr<)BbMZ;ydh2^O6=K< z62q&9?YW@h%#hYDp|d(=&E6_TMW~-mR`lGQWN7G*!{(?p*J+Cn)hF_%WGd})+oohb zmnIVFjZ0#`A1)xZ(`%Q(selOzA+6RcdcQ&)qD(hA+`|2AzQ#^v_X~V-%gvr-GkbY` zY1{!};KCmUUh(Hl$A6aO{#|-SEZm?oxZ`Z-L*p%Js4Lp$3IP5FfQTBgzF2ndxOvHf z#HY^UdL}aRPJ9?8xjI)g7|a*nW^p>4#Eb6X=f9b9q))P2u8w)}t47M_z!~o5pFYB+ z#rvytJe<@|q0<_3+{NGSljtT+qd}SsZzl0z7A3>&zwf*52K{uHB=_+kWbg~#u?qkxLsNt`^E1vY(3LL~qdOME#X>uFA ztDoMR~b)Mc*h7#>ZQI$2f`m>1UuAN6B6Nlp3k?cfU{j zp8|h(#bWNbS(GGS25Hpq$4N4XCqvQ#bFo!3FYXrb`fk$e>HJGHA2iKqkykVI?~?m5 z`w``fOaJ&SjpF3$<8Sq|*0Ne}e>$EmQbs+AzohKfP3Q3YZX%LEtDnI5wwrjNuJ$P~ z#*A|`OcsPMtL1Ol=jn7bXtCFk%`2;Ci~?m&${u=&nD?$lE9m~o)T|aW$``j#SMQUc+lN{g3BRK+hR7pWdbV+ z{;LF9G#R8r%7XE5+VbmuayOZNnb0JcAoe|rS(GLp?$fUy|Mf?D5APd)+kH&hLydFP zeCPF7IG3h(!#MDJN0){ZN?AYTXDMvk@+msuK{eI|jV{yL04jbhrFRFb>zk^Jg3`ue>+gPqg|Jz~*%gPSwd zp9!<@^FUceAWGO)jlVA9`6L=O84x5nN24H*oF8OQ3Fh1%fPGbgJ>Zg#0@hv zpTzxJcQw>ylrDSYqxI!YEy7WZ#M&rE~WYn@yJ(J1~LO%_2$NyX-y8D;x) z9x^HCFy`yezs(j?z94Sn2woatN}H)hN1jJt0##(-aGr_r90V0;_T>RbJ`*iYj|M)D zMxX$XgVgVm$9z-NeQoaM>f)bN?mykq1^2}@XvOSJ4N|;DmopCLnzaK=gW=>RaPbJP z8V>{*&)jxyq1Ia5s>Bpd6gZ`(3DM!gXdPN6N*!2a!)O$wX_{=_osN3>a55P7qebA3 z*Eo&&@tB%K<2X%*|4ljCHF{;PL7xlUXfmC^7mb={b8ysKnJuRBsV-0gW>$sa6#}(aKgGL_Wt(|>AOF!TAJuOx4CNi zAn+Fb+w=~3D9c7;PI#QlJzzE!puj^iX`l`#gtEkid>Z6;eMN#>u^ueYS>6l&jZm0~;O=SrTM zlNnv{Ai+l80?+1>&wjh0v88C7!Lm=9jUzXc*Z0f4xA5iDc?^#}8jXY8zczcby)gqi zJSyA!{?r+K=Quvl#So-KkSS1c8QwF7iy=767@b4&8O~XAc)!606!5tB zDqAeLl^4-Cz&6&{T)#O%Io)g^8|1bJ!qete1s-_xvx(`lwZUlcR_>39svU2|m9!QgntEan@3UBFQ{iRWOfa5=~p zKJlT~O;I0F4G*XqzaWXODN6&%oDnIOtU`@KRk-TI8m#(&us)|3^_w6ms9r z`7)eb-J$;>Wb>3vO_7T)b1>0}Q3pSBjW)ZON5fIDlTvWioh3AHo5@n|JD<)$OHXg( zuhAgx562{jWz!VaS|5X?nG8_u;17-maA`nV{Vqn5ESSgRDg1K{I>}`c!JMcO4>Fmy zun0_MkH#r5RYdol!Q-A&gnH={3I=Qall&A&W=q!b0M=9zrTuY26RZk@Z@0rIwom0* z7qZz+UY8#WWIIT9s^5xJd)E$}bnrbFSd^{_s&D%ojfMjR)1{w=i-t$6(>7SZ=ye!g zU;=CWM6AsPC>y6W@b2pO_SS%l*}c!m+Mq^npV~w%)grI+zAWJRk3(HAjH$u$p(7DJ zoQ_BaZp`F!FwDnfbDUAkV;c=HTt(BXZKj6((&}ueJsDu1eu+mT0#?Q%uRBNQ@q#%i zLXSN&P+VA$Ab@e8d48Vg~jKS<{lu>KKqLhx3t3M@S2a|B~54oTP3&U zHLk2#)NDoD^u}FDGzT7-6p5lVkz90?lNT)ULPM$Fr{wKYlbCMgg%rlTWvE z&AQi^r`Bxny13k!a5T$7jie*O1w-9zA3|sQP`C4E@q9d7;Hen8-z!dsAMxviiX{L_ z8^1M=Z-&VtZd`*leH}Uz4$?~ef+gI)BcVwf=cv&sTk4a3T~fZ*{=6Ty4uHX-=M3Ue zd=s&FXaHct;BrSjhjcHe57!7{G`VL17ck0M*qj&wHM#t;mHWx?D^&?`u^E1|V}9PR z&j*6jOi+6C_|FLay^iN|P|d zD5&8g4#Z6XN1gO!dN~yr>)~{scJu!GEAkPC#6G9-RnOZ&2`o zs2^|;s9bdzSnk3ch2mfZo1K0B?l*e&Ij61hof5%tCW~#42Vj#O9L^kTq0i7(smVfE zn+d~%F5(MPZqzB<*u@~|qJ~^7clo@3J-wgvEgpZJ5oLqHC^rM@T1Hw*KKHw;-`nPM1FJ_n z_yqRE=Xj1-?Ew8i;i`*+i0TcYK@h=a>&WBiTM5RX>B%aG=Ly_mLVciqRPxk%W`ljQ ztuTcB={?AR(e%rkVF=3^?Kd!G>5anGLVO20k1Y-0y-&Xo->aLa&Ke#}LDYh6GwBD1 zbQD&vzhcm5u75Ie*u!beKbVdqcoAPe{_9^Xzzy$>vYK3M)yycX_&E%s3ljrwnv`u9 zhg*Kac^u%ZLTaC$IZdw9K|csQC|D@<0NMfvRqi@XkPQEHaMj>4VGjjDGl8Qi%Gq{X zsJxB1j((KH*Tjk%US`i36ZQKGR8WYXQWqN~`+(*(Zep*|q~q~y5t{$Ocx6Z~%;{N?S z4mEQ)S3|`YHeqhJnuGGL(!SMxxeJHgeHq=zkmA_&l%o`n^L5W zY%?{klKaK=@2%DcGJ3EpUjic?f}t`0E4iJL>|770*PDS#f1sUU@-_MfTa{+DxlM~z zqG`Amnk+~Fc8kgV9vNC|7Wa8!?7PpC06?D2+fa)sET6@}XqcpL?( zs+_~tP41}$UhjQpvhFy#3Ud%EjJD>75E0PjrV&d(_)OFO3?_$vZ#2CLgWpyRZrnli zm5w`zzBXEzEy^gXoL&o?jt};qnR;HxpTU_VcHVOTGZQh%-EbBVt#$H|a>Nm@cGEgZ zoN+hggSFItOlEh71?pPkv|gFbzBW{5OC|>@U1cS}Qa7#m9eI-DdpOf(chW}{kj(GktceH( zWO%yRJZE`}c$vxOiY8B{fx+aGp-$%r!;YA26n(F)rsrAHvQ-J|$}x%KK~SAq2RA8a zTLkJ_r)>-V=6w}tQ`SxpP}An}G8V=>zO(fcNJ97*Psxy@Rbi_^4u|J`estu0R(>E+ z5~M}#cL#IxyGLhCdxM5 zK&HA_8hQz|>n}5N^p}w?swueymBB%2)-ud<$WgfKDb&C~;*EII~4=zI9^QNsBP?N_+Pq zW%=$sb@@zmZU6+|$Li6F)h!#K6{~EH9xt@`fV=XfsA){*pVifb;U)4zOTut2Pw$$5 zwl(z;6nsOhczhBbOR0FxyS%%o8E+lCjRU - - - - - - - Credential cache selection interface (ccselect) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Credential cache selection interface (ccselect)¶

-

The ccselect interface allows modules to control how credential caches -are chosen when a GSSAPI client contacts a service. For a detailed -description of the ccselect interface, see the header file -<krb5/ccselect_plugin.h>.

-

The primary ccselect method is choose, which accepts a server -principal as input and returns a ccache and/or principal name as -output. A module can use the krb5_cccol APIs to iterate over the -cache collection in order to find an appropriate ccache to use.

-

A module can create and destroy per-library-context state objects by -implementing the init and fini methods. State objects have -the type krb5_ccselect_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object.

-

A module can have one of two priorities, “authoritative” or -“heuristic”. Results from authoritative modules, if any are -available, will take priority over results from heuristic modules. A -module communicates its priority as a result of the init method.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/clpreauth.html b/doc/html/plugindev/clpreauth.html deleted file mode 100644 index a868132..0000000 --- a/doc/html/plugindev/clpreauth.html +++ /dev/null @@ -1,192 +0,0 @@ - - - - - - - - Client preauthentication interface (clpreauth) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Client preauthentication interface (clpreauth)¶

-

During an initial ticket request, a KDC may ask a client to prove its -knowledge of the password before issuing an encrypted ticket, or to -use credentials other than a password. This process is called -preauthentication, and is described in RFC 4120 and RFC 6113. -The clpreauth interface allows the addition of client support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the clpreauth -interface, see the header file <krb5/clpreauth_plugin.h> (or -<krb5/preauth_plugin.h> before release 1.12).

-

A clpreauth module is generally responsible for:

-
    -
  • Supplying a list of preauth type numbers used by the module in the -pa_type_list field of the vtable structure.
    • -
  • Indicating what kind of preauthentication mechanism it implements, -with the flags method. In the most common case, this method -just returns PA_REAL, indicating that it implements a normal -preauthentication type.
    • -
  • Examining the padata information included in a PREAUTH_REQUIRED or -MORE_PREAUTH_DATA_REQUIRED error and producing padata values for the -next AS request. This is done with the process method.
    • -
  • Examining the padata information included in a successful ticket -reply, possibly verifying the KDC identity and computing a reply -key. This is also done with the process method.
    • -
  • For preauthentication types which support it, recovering from errors -by examining the error data from the KDC and producing a padata -value for another AS request. This is done with the tryagain -method.
    • -
  • Receiving option information (supplied by kinit -X or by an -application), with the gic_opts method.
    • -
-

A clpreauth module can create and destroy per-library-context and -per-request state objects by implementing the init, fini, -request_init, and request_fini methods. Per-context state -objects have the type krb5_clpreauth_moddata, and per-request state -objects have the type krb5_clpreauth_modreq. These are abstract -pointer types; a module should typically cast these to internal -types for the state objects.

-

The process and tryagain methods have access to a callback -function and handle (called a “rock”) which can be used to get -additional information about the current request, including the -expected enctype of the AS reply, the FAST armor key, and the client -long-term key (prompting for the user password if necessary). A -callback can also be used to replace the AS reply key if the -preauthentication mechanism computes one.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/general.html b/doc/html/plugindev/general.html deleted file mode 100644 index 7ceb64a..0000000 --- a/doc/html/plugindev/general.html +++ /dev/null @@ -1,225 +0,0 @@ - - - - - - - - General plugin concepts — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

General plugin concepts¶

-

A krb5 dynamic plugin module is a Unix shared object or Windows DLL. -Typically, the source code for a dynamic plugin module should live in -its own project with a build system using automake and libtool, or -tools with similar functionality.

-

A plugin module must define a specific symbol name, which depends on -the pluggable interface and module name. For most pluggable -interfaces, the exported symbol is a function named -INTERFACE_MODULE_initvt, where INTERFACE is the name of the -pluggable interface and MODULE is the name of the module. For these -interfaces, it is possible for one shared object or DLL to implement -multiple plugin modules, either for the same pluggable interface or -for different ones. For example, a shared object could implement both -KDC and client preauthentication mechanisms, by exporting functions -named kdcpreauth_mymech_initvt and clpreauth_mymech_initvt.

-

A plugin module implementation should include the header file -<krb5/INTERFACE_plugin.h>, where INTERFACE is the name of the -pluggable interface. For instance, a ccselect plugin module -implementation should use #include <krb5/ccselect_plugin.h>.

-

initvt functions have the following prototype:

-
krb5_error_code interface_modname_initvt(krb5_context context,
-                                         int maj_ver, int min_ver,
-                                         krb5_plugin_vtable vtable);
-
-
-

and should do the following:

-
    -
  1. Check that the supplied maj_ver argument is supported by the -module. If it is not supported, the function should return -KRB5_PLUGIN_VER_NOTSUPP.
    2. -
  2. Cast the supplied vtable pointer to the structure type -corresponding to the major version, as documented in the pluggable -interface header file.
    3. -
  3. Fill in the structure fields with pointers to method functions and -static data, stopping at the field indicated by the supplied minor -version. Fields for unimplemented optional methods can be left -alone; it is not necessary to initialize them to NULL.
    4. -
-

In most cases, the context argument will not be used. The initvt -function should not allocate memory; think of it as a glorified -structure initializer. Each pluggable interface defines methods for -allocating and freeing module state if doing so is necessary for the -interface.

-

Pluggable interfaces typically include a name field in the vtable -structure, which should be filled in with a pointer to a string -literal containing the module name.

-

Here is an example of what an initvt function might look like for a -fictional pluggable interface named fences, for a module named -“wicker”:

-
krb5_error_code
-fences_wicker_initvt(krb5_context context, int maj_ver,
-                     int min_ver, krb5_plugin_vtable vtable)
-{
-    krb5_ccselect_vtable vt;
-
-    if (maj_ver == 1) {
-        krb5_fences_vtable vt = (krb5_fences_vtable)vtable;
-        vt->name = "wicker";
-        vt->slats = wicker_slats;
-        vt->braces = wicker_braces;
-    } else if (maj_ver == 2) {
-        krb5_fences_vtable_v2 vt = (krb5_fences_vtable_v2)vtable;
-        vt->name = "wicker";
-        vt->material = wicker_material;
-        vt->construction = wicker_construction;
-        if (min_ver < 2)
-            return 0;
-        vt->footing = wicker_footing;
-        if (min_ver < 3)
-            return 0;
-        vt->appearance = wicker_appearance;
-    } else {
-        return KRB5_PLUGIN_VER_NOTSUPP;
-    }
-    return 0;
-}
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/gssapi.html b/doc/html/plugindev/gssapi.html deleted file mode 100644 index c77c760..0000000 --- a/doc/html/plugindev/gssapi.html +++ /dev/null @@ -1,236 +0,0 @@ - - - - - - - - GSSAPI mechanism interface — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

GSSAPI mechanism interface¶

-

The GSSAPI library in MIT krb5 can load mechanism modules to augment -the set of built-in mechanisms.

-

A mechanism module is a Unix shared object or Windows DLL, built -separately from the krb5 tree. Modules are loaded according to the -/etc/gss/mech or /etc/gss/mech.d/*.conf config files, as -described in GSSAPI mechanism modules.

-

For the most part, a GSSAPI mechanism module exports the same -functions as would a GSSAPI implementation itself, with the same -function signatures. The mechanism selection layer within the GSSAPI -library (called the “mechglue”) will dispatch calls from the -application to the module if the module’s mechanism is requested. If -a module does not wish to implement a GSSAPI extension, it can simply -refrain from exporting it, and the mechglue will fail gracefully if -the application calls that function.

-

The mechglue does not invoke a module’s gss_add_cred, -gss_add_cred_from, gss_add_cred_impersonate_name, or -gss_add_cred_with_password function. A mechanism only needs to -implement the “acquire” variants of those functions.

-

A module does not need to coordinate its minor status codes with those -of other mechanisms. If the mechglue detects conflicts, it will map -the mechanism’s status codes onto unique values, and then map them -back again when gss_display_status is called.

-
-

Interposer modules¶

-

The mechglue also supports a kind of loadable module, called an -interposer module, which intercepts calls to existing mechanisms -rather than implementing a new mechanism.

-

An interposer module must export the symbol gss_mech_interposer -with the following signature:

-
gss_OID_set gss_mech_interposer(gss_OID mech_type);
-
-
-

This function is invoked with the OID of the interposer mechanism as -specified in /etc/gss/mech or in a /etc/gss/mech.d/*.conf -file, and returns a set of mechanism OIDs to be interposed. The -returned OID set must have been created using the mechglue’s -gss_create_empty_oid_set and gss_add_oid_set_member functions.

-

An interposer module must use the prefix gssi_ for the GSSAPI -functions it exports, instead of the prefix gss_.

-

An interposer module can link against the GSSAPI library in order to -make calls to the original mechanism. To do so, it must specify a -special mechanism OID which is the concatention of the interposer’s -own OID byte string and the original mechanism’s OID byte string.

-

Since gss_accept_sec_context does not accept a mechanism argument, -an interposer mechanism must, in order to invoke the original -mechanism’s function, acquire a credential for the concatenated OID -and pass that as the verifier_cred_handle parameter.

-

Since gss_import_name, gss_import_cred, and -gss_import_sec_context do not accept mechanism parameters, the SPI -has been extended to include variants which do. This allows the -interposer module to know which mechanism should be used to interpret -the token. These functions have the following signatures:

-
OM_uint32 gssi_import_sec_context_by_mech(OM_uint32 *minor_status,
-    gss_OID desired_mech, gss_buffer_t interprocess_token,
-    gss_ctx_id_t *context_handle);
-
-OM_uint32 gssi_import_name_by_mech(OM_uint32 *minor_status,
-    gss_OID mech_type, gss_buffer_t input_name_buffer,
-    gss_OID input_name_type, gss_name_t output_name);
-
-OM_uint32 gssi_import_cred_by_mech(OM_uint32 *minor_status,
-    gss_OID mech_type, gss_buffer_t token,
-    gss_cred_id_t *cred_handle);
-
-
-

To re-enter the original mechanism when importing tokens for the above -functions, the interposer module must wrap the mechanism token in the -mechglue’s format, using the concatenated OID. The mechglue token -formats are:

-
    -
  • For gss_import_sec_context, a four-byte OID length in big-endian -order, followed by the mechanism OID, followed by the mechanism -token.
    • -
  • For gss_import_name, the bytes 04 01, followed by a two-byte OID -length in big-endian order, followed by the mechanism OID, followed -by the bytes 06, followed by the OID length as a single byte, -followed by the mechanism OID, followed by the mechanism token.
    • -
  • For gss_import_cred, a four-byte OID length in big-endian order, -followed by the mechanism OID, followed by a four-byte token length -in big-endian order, followed by the mechanism token. This sequence -may be repeated multiple times.
    • -
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/hostrealm.html b/doc/html/plugindev/hostrealm.html deleted file mode 100644 index 26750e9..0000000 --- a/doc/html/plugindev/hostrealm.html +++ /dev/null @@ -1,175 +0,0 @@ - - - - - - - - Host-to-realm interface (hostrealm) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Host-to-realm interface (hostrealm)¶

-

The host-to-realm interface was first introduced in release 1.12. It -allows modules to control the local mapping of hostnames to realm -names as well as the default realm. For a detailed description of the -hostrealm interface, see the header file -<krb5/hostrealm_plugin.h>.

-

Although the mapping methods in the hostrealm interface return a list -of one or more realms, only the first realm in the list is currently -used by callers. Callers may begin using later responses in the -future.

-

Any mapping method may return KRB5_PLUGIN_NO_HANDLE to defer -processing to a later module.

-

A module can create and destroy per-library-context state objects -using the init and fini methods. If the module does not need -any state, it does not need to implement these methods.

-

The optional host_realm method allows a module to determine -authoritative realm mappings for a hostname. The first authoritative -mapping is used in preference to KDC referrals when getting service -credentials.

-

The optional fallback_realm method allows a module to determine -fallback mappings for a hostname. The first fallback mapping is tried -if there is no authoritative mapping for a realm, and KDC referrals -failed to produce a successful result.

-

The optional default_realm method allows a module to determine the -local default realm.

-

If a module implements any of the above methods, it must also -implement free_list to ensure that memory is allocated and -deallocated consistently.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/index.html b/doc/html/plugindev/index.html deleted file mode 100644 index 2c204a3..0000000 --- a/doc/html/plugindev/index.html +++ /dev/null @@ -1,182 +0,0 @@ - - - - - - - - For plugin module developers — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

For plugin module developers¶

-

Kerberos plugin modules allow increased control over MIT krb5 library -and server behavior. This guide describes how to create dynamic -plugin modules and the currently available pluggable interfaces.

-

See Plugin module configuration for information on how to register dynamic -plugin modules and how to enable and disable modules via -krb5.conf.

- -
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/internal.html b/doc/html/plugindev/internal.html deleted file mode 100644 index e5361f4..0000000 --- a/doc/html/plugindev/internal.html +++ /dev/null @@ -1,178 +0,0 @@ - - - - - - - - Internal pluggable interfaces — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Internal pluggable interfaces¶

-

Following are brief discussions of pluggable interfaces which have not -yet been made public. These interfaces are functional, but the -interfaces are likely to change in incompatible ways from release to -release. In some cases, it may be necessary to copy header files from -the krb5 source tree to use an internal interface. Use these with -care, and expect to need to update your modules for each new release -of MIT krb5.

-
-

Kerberos database interface (KDB)¶

-

A KDB module implements a database back end for KDC principal and -policy information, and can also control many aspects of KDC behavior. -For a full description of the interface, see the header file -<kdb.h>.

-

The KDB pluggable interface is often referred to as the DAL (Database -Access Layer).

-
-
-

Authorization data interface (authdata)¶

-

The authdata interface allows a module to provide (from the KDC) or -consume (in application servers) authorization data of types beyond -those handled by the core MIT krb5 code base. The interface is -defined in the header file <krb5/authdata_plugin.h>, which is not -installed by the build.

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/kadm5_hook.html b/doc/html/plugindev/kadm5_hook.html deleted file mode 100644 index f638f64..0000000 --- a/doc/html/plugindev/kadm5_hook.html +++ /dev/null @@ -1,167 +0,0 @@ - - - - - - - - KADM5 hook interface (kadm5_hook) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KADM5 hook interface (kadm5_hook)¶

-

The kadm5_hook interface allows modules to perform actions when -changes are made to the Kerberos database through kadmin. -For a detailed description of the kadm5_hook interface, see the header -file <krb5/kadm5_hook_plugin.h>.

-

The kadm5_hook interface has five primary methods: chpass, -create, modify, remove, and rename. (The rename -method was introduced in release 1.14.) Each of these methods is -called twice when the corresponding administrative action takes place, -once before the action is committed and once afterwards. A module can -prevent the action from taking place by returning an error code during -the pre-commit stage.

-

A module can create and destroy per-process state objects by -implementing the init and fini methods. State objects have -the type kadm5_hook_modinfo, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object.

-

Because the kadm5_hook interface is tied closely to the kadmin -interface (which is explicitly unstable), it may not remain as stable -across versions as other public pluggable interfaces.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/kdcpreauth.html b/doc/html/plugindev/kdcpreauth.html deleted file mode 100644 index 98117ee..0000000 --- a/doc/html/plugindev/kdcpreauth.html +++ /dev/null @@ -1,212 +0,0 @@ - - - - - - - - KDC preauthentication interface (kdcpreauth) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

KDC preauthentication interface (kdcpreauth)¶

-

The kdcpreauth interface allows the addition of KDC support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the kdcpreauth -interface, see the header file <krb5/kdcpreauth_plugin.h> (or -<krb5/preauth_plugin.h> before release 1.12).

-

A kdcpreauth module is generally responsible for:

-
    -
  • Supplying a list of preauth type numbers used by the module in the -pa_type_list field of the vtable structure.
    • -
  • Indicating what kind of preauthentication mechanism it implements, -with the flags method. If the mechanism computes a new reply -key, it must specify the PA_REPLACES_KEY flag. If the mechanism -is generally only used with hardware tokens, the PA_HARDWARE -flag allows the mechanism to work with principals which have the -requires_hwauth flag set.
    • -
  • Producing a padata value to be sent with a preauth_required error, -with the edata method.
    • -
  • Examining a padata value sent by a client and verifying that it -proves knowledge of the appropriate client credential information. -This is done with the verify method.
    • -
  • Producing a padata response value for the client, and possibly -computing a reply key. This is done with the return_padata -method.
    • -
-

A module can create and destroy per-KDC state objects by implementing -the init and fini methods. Per-KDC state objects have the -type krb5_kdcpreauth_moddata, which is an abstract pointer types. A -module should typically cast this to an internal type for the state -object.

-

A module can create a per-request state object by returning one in the -verify method, receiving it in the return_padata method, and -destroying it in the free_modreq method. Note that these state -objects only apply to the processing of a single AS request packet, -not to an entire authentication exchange (since an authentication -exchange may remain unfinished by the client or may involve multiple -different KDC hosts). Per-request state objects have the type -krb5_kdcpreauth_modreq, which is an abstract pointer type.

-

The edata, verify, and return_padata methods have access -to a callback function and handle (called a “rock”) which can be used -to get additional information about the current request, including the -maximum allowable clock skew, the client’s long-term keys, the -DER-encoded request body, the FAST armor key, string attributes on the -client’s database entry, and the client’s database entry itself. The -verify method can assert one or more authentication indicators to -be included in the issued ticket using the add_auth_indicator -callback (new in release 1.14).

-

A module can generate state information to be included with the next -client request using the set_cookie callback (new in release -1.14). On the next request, the module can read this state -information using the get_cookie callback. Cookie information is -encrypted, timestamped, and transmitted to the client in a -PA-FX-COOKIE pa-data item. Older clients may not support cookies -and therefore may not transmit the cookie in the next request; in this -case, get_cookie will not yield the saved information.

-

If a module implements a mechanism which requires multiple round -trips, its verify method can respond with the code -KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and a list of pa-data in -the e_data parameter to be processed by the client.

-

The edata and verify methods can be implemented -asynchronously. Because of this, they do not return values directly -to the caller, but must instead invoke responder functions with their -results. A synchronous implementation can invoke the responder -function immediately. An asynchronous implementation can use the -callback to get an event context for use with the libverto API.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/localauth.html b/doc/html/plugindev/localauth.html deleted file mode 100644 index d64e13e..0000000 --- a/doc/html/plugindev/localauth.html +++ /dev/null @@ -1,181 +0,0 @@ - - - - - - - - Local authorization interface (localauth) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Local authorization interface (localauth)¶

-

The localauth interface was first introduced in release 1.12. It -allows modules to control the relationship between Kerberos principals -and local system accounts. When an application calls -krb5_kuserok() or krb5_aname_to_localname(), localauth -modules are consulted to determine the result. For a detailed -description of the localauth interface, see the header file -<krb5/localauth_plugin.h>.

-

A module can create and destroy per-library-context state objects -using the init and fini methods. If the module does not need -any state, it does not need to implement these methods.

-

The optional userok method allows a module to control the behavior -of krb5_kuserok(). The module receives the authenticated name -and the local account name as inputs, and can return either 0 to -authorize access, KRB5_PLUGIN_NO_HANDLE to defer the decision to other -modules, or another error (canonically EPERM) to authoritatively deny -access. Access is granted if at least one module grants access and no -module authoritatively denies access.

-

The optional an2ln method can work in two different ways. If the -module sets an array of uppercase type names in an2ln_types, then -the module’s an2ln method will only be invoked by -krb5_aname_to_localname() if an auth_to_local value in -krb5.conf refers to one of the module’s types. In this -case, the type and residual arguments will give the type name and -residual string of the auth_to_local value.

-

If the module does not set an2ln_types but does implement -an2ln, the module’s an2ln method will be invoked for all -krb5_aname_to_localname() operations unless an earlier module -determines a mapping, with type and residual set to NULL. The -module can return KRB5_LNAME_NO_TRANS to defer mapping to later -modules.

-

If a module implements an2ln, it must also implement -free_string to ensure that memory is allocated and deallocated -consistently.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/locate.html b/doc/html/plugindev/locate.html deleted file mode 100644 index 2d9b7a5..0000000 --- a/doc/html/plugindev/locate.html +++ /dev/null @@ -1,170 +0,0 @@ - - - - - - - - Server location interface (locate) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Server location interface (locate)¶

-

The locate interface allows modules to control how KDCs and similar -services are located by clients. For a detailed description of the -ccselect interface, see the header file <krb5/locate_plugin.h>.

-

A locate module exports a structure object of type -krb5plugin_service_locate_ftable, with the name service_locator. -The structure contains a minor version and pointers to the module’s -methods.

-

The primary locate method is lookup, which accepts a service type, -realm name, desired socket type, and desired address family (which -will be AF_UNSPEC if no specific address family is desired). The -method should invoke the callback function once for each server -address it wants to return, passing a socket type (SOCK_STREAM for TCP -or SOCK_DGRAM for UDP) and socket address. The lookup method -should return 0 if it has authoritatively determined the server -addresses for the realm, KRB5_PLUGIN_NO_HANDLE if it wants to let -other location mechanisms determine the server addresses, or another -code if it experienced a failure which should abort the location -process.

-

A module can create and destroy per-library-context state objects by -implementing the init and fini methods. State objects have -the type void *, and should be cast to an internal type for the state -object.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/profile.html b/doc/html/plugindev/profile.html deleted file mode 100644 index 91d0423..0000000 --- a/doc/html/plugindev/profile.html +++ /dev/null @@ -1,234 +0,0 @@ - - - - - - - - Configuration interface (profile) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Configuration interface (profile)¶

-

The profile interface allows a module to control how krb5 -configuration information is obtained by the Kerberos library and -applications. For a detailed description of the profile interface, -see the header file <profile.h>.

-
-

Note

-

The profile interface does not follow the normal conventions -for MIT krb5 pluggable interfaces, because it is part of a -lower-level component of the krb5 library.

-
-

As with other types of plugin modules, a profile module is a Unix -shared object or Windows DLL, built separately from the krb5 tree. -The krb5 library will dynamically load and use a profile plugin module -if it reads a module directive at the beginning of krb5.conf, as -described in Configuration profile modules.

-

A profile module exports a function named profile_module_init -matching the signature of the profile_module_init_fn type. This -function accepts a residual string, which may be used to help locate -the configuration source. The function fills in a vtable and may also -create a per-profile state object. If the module uses state objects, -it should implement the copy and cleanup methods to manage -them.

-

A basic read-only profile module need only implement the -get_values and free_values methods. The get_values method -accepts a null-terminated list of C string names (e.g., an array -containing “libdefaults”, “clockskew”, and NULL for the clockskew -variable in the [libdefaults] section) and returns a -null-terminated list of values, which will be cleaned up with the -free_values method when the caller is done with them.

-

Iterable profile modules must also define the iterator_create, -iterator, iterator_free, and free_string methods. The -core krb5 code does not require profiles to be iterable, but some -applications may iterate over the krb5 profile object in order to -present configuration interfaces.

-

Writable profile modules must also define the writable, -modified, update_relation, rename_section, -add_relation, and flush methods. The core krb5 code does not -require profiles to be writable, but some applications may write to -the krb5 profile in order to present configuration interfaces.

-

The following is an example of a very basic read-only profile module -which returns a hardcoded value for the default_realm variable in -[libdefaults], and provides no other configuration information. -(For conciseness, the example omits code for checking the return -values of malloc and strdup.)

-
#include <stdlib.h>
-#include <string.h>
-#include <profile.h>
-
-static long
-get_values(void *cbdata, const char *const *names, char ***values)
-{
-    if (names[0] != NULL && strcmp(names[0], "libdefaults") == 0 &&
-        names[1] != NULL && strcmp(names[1], "default_realm") == 0) {
-        *values = malloc(2 * sizeof(char *));
-        (*values)[0] = strdup("ATHENA.MIT.EDU");
-        (*values)[1] = NULL;
-        return 0;
-    }
-    return PROF_NO_RELATION;
-}
-
-static void
-free_values(void *cbdata, char **values)
-{
-    char **v;
-
-    for (v = values; *v; v++)
-        free(*v);
-    free(values);
-}
-
-long
-profile_module_init(const char *residual, struct profile_vtable *vtable,
-                    void **cb_ret);
-
-long
-profile_module_init(const char *residual, struct profile_vtable *vtable,
-                    void **cb_ret)
-{
-    *cb_ret = NULL;
-    vtable->get_values = get_values;
-    vtable->free_values = free_values;
-    return 0;
-}
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/plugindev/pwqual.html b/doc/html/plugindev/pwqual.html deleted file mode 100644 index 598b133..0000000 --- a/doc/html/plugindev/pwqual.html +++ /dev/null @@ -1,166 +0,0 @@ - - - - - - - - Password quality interface (pwqual) — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Password quality interface (pwqual)¶

-

The pwqual interface allows modules to control what passwords are -allowed when a user changes passwords. For a detailed description of -the pwqual interface, see the header file <krb5/pwqual_plugin.h>.

-

The primary pwqual method is check, which receives a password as -input and returns success (0) or a KADM5_PASS_Q_ failure code -depending on whether the password is allowed. The check method -also receives the principal name and the name of the principal’s -password policy as input; although there is no stable interface for -the module to obtain the fields of the password policy, it can define -its own configuration or data store based on the policy name.

-

A module can create and destroy per-process state objects by -implementing the open and close methods. State objects have -the type krb5_pwqual_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. The open method also receives the name of the realm’s -dictionary file (as configured by the dict_file variable in the -[realms] section of kdc.conf) if it wishes to use -it.

-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/resources.html b/doc/html/resources.html deleted file mode 100644 index 9af9b67..0000000 --- a/doc/html/resources.html +++ /dev/null @@ -1,189 +0,0 @@ - - - - - - - - Resources — MIT Kerberos Documentation - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Resources¶

-
-

Mailing lists¶

-
    -
  • kerberos@mit.edu is a community resource for discussion and -questions about MIT krb5 and other Kerberos implementations. To -subscribe to the list, please follow the instructions at -http://mailman.mit.edu/mailman/listinfo/kerberos.
    • -
  • krbdev@mit.edu is the primary list for developers of MIT Kerberos. -To subscribe to the list, please follow the instructions at -http://mailman.mit.edu/mailman/listinfo/krbdev.
    • -
  • krb5-bugs@mit.edu is notified when a ticket is created or updated. -This list helps track bugs and feature requests. -In addition, this list is used to track documentation criticism -and recommendations for improvements.
    • -
  • krbcore@mit.edu is a private list for the MIT krb5 core team. Send -mail to this list if you need to contact the core team.
    • -
  • krbcore-security@mit.edu is the point of contact for security problems -with MIT Kerberos. Please use PGP-encrypted mail to report possible -vulnerabilities to this list.
    • -
-
-
-

IRC channels¶

-

The IRC channel #kerberos on irc.freenode.net is a community -resource for general Kerberos discussion and support.

-

The main IRC channel for MIT Kerberos development is #krbdev on -freenode.

-

For more information about freenode, see http://freenode.net/.

-
-
-

Archives¶

- -
-
-

Wiki¶

-

The wiki at http://k5wiki.kerberos.org/ contains useful information -for developers working on the MIT Kerberos source code. Some of the -information on the wiki may be useful for advanced users or system -administrators.

-
-
-

Web pages¶

- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/search.html b/doc/html/search.html deleted file mode 100644 index 97ae537..0000000 --- a/doc/html/search.html +++ /dev/null @@ -1,147 +0,0 @@ - - - - - - - - Search — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -

Search

-
- -

- Please activate JavaScript to enable the search - functionality. -

-
-

- From here you can search these documents. Enter your search - words into the box below and click "search". Note that the search - function will automatically search for all of the words. Pages - containing fewer words won't appear in the result list. -

-
- - - -
- -
- -
- -
-
-
-
-
-

On this page

- -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/searchindex.js b/doc/html/searchindex.js deleted file mode 100644 index 0d83902..0000000 --- a/doc/html/searchindex.js +++ /dev/null @@ -1 +0,0 @@ -Search.setIndex({envversion:42,terms:{libdefault:[794,10],req:[504,34,907,363,1,568,248,812,57],entropi:181,preauth_list_length:[829,644],"0x0011":[728,516],untrust:17,both:[504,821,907,812,515,70,463,208,17,248,4,532,275,493,330,814,215,662,44,203,437],localstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_auth_con_setflag:[745,181],principalnam:576,reboot:[613,895],four:[563,434,437,764,812,323],prefix:[812,10,672,493,181],dirnam:812,forget:[44,895,818,484],krb5_free_str:[509,188,181,110],whose:[521,895,484,276,302,17,794,812,70,184,473,56,323,44,32,45,88,104],string2kei:73,krb5_cc_get_config:181,"const":[449,3,453,876,671,230,672,494,485,12,224,247,249,881,586,631,480,235,701,31,703,708,274,277,719,49,723,815,286,287,51,507,291,292,734,59,744,300,72,752,77,38,310,759,81,526,765,242,535,811,331,102,791,663,914,110,111,341,282,344,346,69,565,349,568,569,124,910,827,818,577,821,819,131,620,136,137,831,832,140,835,240,595,658,377,378,840,841,39,603,385,606,609,853,389,114,856,394,863,397,399,400,403,524,258,632,877,362,251,887,188,417,267,890,190,191,628,421,422,197,901,903,848,789,428,820,657,373,627,436,857,211,917,215,444,505,669],krb5_sname_match:[731,568,181],aug:[70,44],sysadv6:713,cybersaf:[250,330],g_process_context:330,heimdal:[17,713],allow_renew:[70,44],salttyp:[423,10,248,690],ndnhnmn:176,concret:126,context_handl:[17,764],swap:[895,493],container_reference_dn:[44,484],under:[812,515,70,463,484,27,423,330,473,44,10,77,45,203],krb5_get_init_creds_opt_set_pa:181,keylist:[794,138],sha256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],worth:100,krb5_build_principal_ext:[731,181],merchant:330,digit:176,joeadmin:[44,32,100,184],everi:[895,181,812,100,44,10],risk:[521,248,27,73],downstream:[44,576],localhostnam:17,kvno:[794,423,361,563,895,70,762,147,248,275,711,138,321,73,100,44,309,519,370],userpkcs12:515,gssapi_ext:17,krb5_kt_cursor:[803,621,40,36],upstream:[44,576,452],slave_host:132,affect:[377,603,248,662,812,689,10,32,738,640],g_rel_buff:330,gss_store_cr:576,trailer:[17,181],look:[794,473,776,63,452,493,437,17,4,812,662,640,44,10,701,203,104,814],upn:[10,381,851,714,511],krb5_responder_context:[521,242,36,286,649,341,831,235,47,157,269],krb5_get_init_creds_opt_set_canonic:181,sclient:[762,361,814],supported_enctyp:[10,576,895,73,248],verif:[812,10,895],sequence_count:443,modtim:423,x86_64:[576,452],repres:[895,563,159,70,17,812],abil:[649,184,73,47],krb5_principal_compare_enterpris:511,miller:330,direct:[515,147,662,812,181,44],"10d":176,histor:[792,662],yacc:452,second:[449,422,287,394,51,793,372,10,493,511,461,411,302,17,18,686,29,640,504,852,628,130,70,27,318,812,368,914,323,265,904,34,208,327,662,176,189,279,44,45,437,104],krb5_auth_con_setrcach:181,"_passwd_phrase_el":889,krb5_enc_data:[336,114,840,39,259,636,36,669],krb5_address_search:181,even:[895,907,812,17,18,27,662,176,330,73,44,10,493,640,473],subsequ:[615,566,330,73,191,45,185],hide:[70,44,640],neg:[302,662],linkdn:[70,44],requisit:126,ptr:[741,856,826,17,526,598,473,901,309,324,910],krb5_auth_con_setrecvsubkey_k:181,ticket_flag:[44,484,793,323],krb5_get_init_creds_opt_set_renew_lif:181,conduct:275,"new":[774,504,855,724,434,895,70,17,147,248,181,423,73,699,44,10,812,794],dumptyp:423,topolog:689,metadata:423,krb5_kt_remove_entri:181,elimin:73,subtre:[70,10,515,484,44],algid:433,abov:[521,504,515,812,452,895,687,437,17,147,248,764,423,330,73,100,323,44,32,104],displai:[521,504,794,907,724,330,70,576,159,83,566,562,138,323,44,484,518,640],never:[794,820,759,434,131,51,812,70,119,73,56,44,10,791,104],etyp:[33,423,137,646,576],authorit:[393,687,226,812,698,608],here:[521,812,776,434,452,17,147,4,176,662,794,119,44,10,32,104],renew_til:[660,826,544,323],met:[437,330],krb5_cc_gen_new:181,cksum:[282,444,505,744,631],pepper2:72,path:[895,812,63,452,273,493,689,568,662,275,44,10,484,203,126],service_loc:226,interpret:[521,907,70,620,208,17,646,764,437,640],dry:423,hdata:656,alg_id:897,clientauth:812,krb5_verify_authdata_kdc_issu:181,krb5_set_default_tgs_enctyp:[105,181],precis:792,krb5_get_init_creds_opt_set_fast_ccach:181,permit:[70,208,181,812,44,10,32,188,532],krb5_pac_credentials_info:595,krb5_chpw_messag:181,ovsec_adm_import:[423,44],portabl:614,krb5_enctype_to_nam:181,service_nam:640,gssrpc:330,inittab:895,get_cooki:[576,850],realm_try_domain:812,unix:[794,812,228,662,423,10],krb5_string_to_enctyp:181,brg:330,mic_token:17,txt:[423,895,493],unit:[176,330,104,452],highli:[26,576],subjectaltnam:504,describ:[794,815,457,832,895,17,413,73,504,642,70,764,812,100,321,323,773,776,437,662,328,330,924,44,549,104],would:[613,576,56,10,493,119,895,17,184,73,473,521,504,764,812,100,321,423,273,540,662,44,104],ldap_kadmind_sasl_authcid:[10,484,44],init:[608,223,226,413,850,698,687,45,689],"0x02000000":[808,410],suit:[836,895,576,203,452],datadir:452,call:[521,895,17,662,812,321,73,44,10],clockskew:[812,794,568,640,815],recommend:[895,812,452,493,26,17,423,100,104,56,44,10,484,203,23,386],krb5_free_ticket:[102,181],difficulti:473,type:[70,423,45,724,484],until:[812,614,452,70,576,17,27,423,112,73,44,104],gss_inquire_nam:17,krb5_expire_callback_func:[907,36],unescap:423,maxtktlif:[44,484],krb5_auth_con_setport:[449,181],krb5_c_derive_prfplu:181,relat:[423,515,812,434,504,576,662,110,275,330,689,10,493,793],notic:[10,330,56,895],toolkit:836,warn:[895,907,855,70,576,330,44,10,126],exce:176,"0x00400000":351,free_str:[815,608],loss:[44,330],hole:[895,302,100,493],"0x00000100":587,unpack:26,must:[812,3,876,227,4,30,10,587,452,683,17,249,686,687,25,26,479,482,235,275,44,47,49,724,725,815,840,51,850,493,895,744,433,302,73,32,78,521,504,312,759,63,761,70,763,764,100,85,323,649,539,327,330,191,791,792,104,794,802,555,346,118,119,69,121,320,568,827,820,580,131,132,133,139,141,835,13,375,39,603,608,437,614,114,648,576,620,821,862,173,177,409,632,870,887,267,641,642,628,646,423,902,803,203,905,515,745,434,436,208,662,505,215,832,924,669],inputlen:182,g_compare_nam:330,word:[895,104],err:10,restor:[423,56],neglig:330,setup:[44,895],work:[70,423,724,689],krb5_verify_init_creds_opt_init:[521,519,181],server_kei:765,krb5_get_server_rcach:181,krb5_random_kei:181,rctmpdir:746,root:[794,613,63,452,895,437,812,100,184,73,56,10,32,783,119,814],"_krb5_cred_info":544,overrid:[812,70,208,423,73,44,10,45],defer:[17,608,687],renew_lifetim:812,give:[563,608,662,423,104,330,73,323,44,203,119,473],synchron:[794,895,566,147,181,812,73,753],kpasswd:[794,812,361,70,576,689,792,275,73,44,10,762,119],smtp:816,min_ver:4,indic:[70,423,73],fqdn:275,g_inquire_context:330,"0x0019":246,caution:70,unavail:[44,493,895],want:[895,70,437,226,588,662,104,44,442,203,119],pa_config_data:323,unsign:[615,453,454,551,877,635,185,577,360,525,647,479,914,108,374,651,596,377,535,843,101,154,91,499],krb5_keyblock:[876,840,111,734,736,11,346,69,298,179,300,247,181,143,349,72,310,369,131,322,197,483,653,603,210,669,791,505,444],crypto_test:330,enc:[794,70,576,423,882,44,10,793],end:[423,10,812,855],manipul:[44,155,515],quot:[176,70,423,672,44,549,489],ordinari:[576,203,73],keylength:604,how:[504,452,895,26,17,248,662,30,812,100,73,44,572,10,493],cname:[895,493,792,473],env:[273,504,812,147],answer:[521,812,341,181],verifi:[504,895,17,812,44,484,10],negoti:[10,576,323],krb5_mk_rep_dc:181,config:[361,855,524,452,737,576,764,812,28,137,44,836,10,77,762],client_cert:504,bindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],updat:[812,855,63,724,515,566,423,73,689,10],krb5_tc_match_flag:686,krb5_const:2,recogn:[504,70,147,812,10,783,640],outsid:[794,614],"_krb5_kt":582,x509:[504,576,640],rassen:330,after:[613,614,855,724,576,860,51,167,119,895,302,73,689,814,504,63,70,245,423,323,203,434,437,149,784,191,44,45,792,104],modprinc:[70,44,434,504],befor:[449,223,724,613,850,10,623,493,70,413,73,689,77,640,504,759,515,131,27,423,139,484,701,203,820,812,434,147,149,176,330,924,44,791,104],wrong:[504,437,330,434,104],krb5_cryptotyp:[551,924,36],retain:[724,70,330,184,73,44,10],core:[885,815,413,850,23],law:330,iprop_port:[10,44],sserver:427,demonstr:[73,814],krb5_principal_unparse_no_realm:489,renew_lif:[798,829],attempt:[423,776,743,434,70,519,437,17,812,275,44,556,323,10,493,639],third:[504,208,662,812,330,323],krb5_cc_last_change_tim:181,fallback_realm:687,opaqu:[251,181],bootstrap:812,credenti:[794,504,855,434,273,662,812,70,321,814,44,10,792],exclud:[423,576,100,56],alias:[794,515,70,576,138,473,44,493],maintain:[794,776,452,566,44,10,203],environ:70,incorpor:[10,776],enter:[504,895,70,764,104,914,832,73,484,44,45,119],exclus:[70,437,330],mechan:[515,70,812,321,44,10],order:[521,504,515,812,434,895,70,17,181,792,423,100,321,73,56,44,10,32,689],g10:330,origin:[521,452,70,17,764,330,73,44,493],belong:[352,792],feedback:776,softwar:[521,794,713,662,812,73],krb5_octet:[525,154,360,499,36],krb5_c_valid_enctyp:181,over:[794,10,493,895,17,876,248,181,72,73,77,310,473,521,812,100,776,208,662,44,45,505],govern:[44,330,25],becaus:[614,223,452,815,850,56,10,493,119,302,17,184,473,32,640,521,504,258,423,323,203,532,812,434,147,44],addit:[476,812,515,70,248,275,44,10,32],krb5_config:[895,63,273,132,576,812,28,45],privileg:[70,794,32],gss_c_nt_user_nam:17,keyboard:[423,44,45,181,689],enckrbcredpart:544,flexibl:[812,473],vari:[794,26,28,386,792,640],"_krb5_cccol_cursor":221,digest:[10,330],fip:576,directli:[521,476,812,895,70,17,275,44,10],clearpolici:[70,44,32],krb5_responder_set_answ:[521,341,181],fix:[423,576],krb5_cccol_lock:181,arg_keytab:[657,841],better:[44,78],krb5_deltat:[164,798,841,36,712,606,357,520],iprop:[10,576,330,63,689],krb5_responder_question_pkinit:[521,181],hidden:[521,848,139],solaris9ab:713,cred:[521,65,362,463,181,686,610],easier:[776,73],descend:614,krb5_get_init_creds_opt_set_tkt_lif:[521,181],them:[794,614,452,815,576,4,672,10,739,493,895,625,1,693,73,473,521,504,70,764,482,203,515,37,147,275,330,386,100,44,104],thei:[794,614,452,576,850,10,493,119,895,17,748,73,566,78,473,521,642,70,423,482,323,203,812,159,147,662,44,792,104],"0x0017":337,proce:437,safe:[812,267,662,181],slave_dumpfil:63,"break":[613,100,452],krb5_c_checksum_length:181,glorifi:4,uid_t:17,interrupt:[330,73,606],krb5_cc_lock:181,ccache_typ:812,gss_import_nam:[17,764],choic:[521,17,812,556,473,640],hhmmss:176,pkinit_dh_min_bit:[812,10],wrfile:73,newpw:[362,890,400],cb_data:[136,372],dumpfil:[423,44,452],accommod:521,lockout:[70,10,162,44],timeout:[10,208,73],each:[794,812,63,724,70,248,662,423,44,10,32,45,792],debug:[63,70,132,26,10,566],went:104,higher:[126,576,17,614],preferred_preauth_typ:812,side:[515,17,642,695,27,44],mean:[521,504,613,70,437,746,812,330,73,44,10,895,203,792,104,814],prohibit:[70,44,330],xconsortium:203,symmetri:10,autohead:203,resum:44,tlyu:[70,44],kcm_socket:812,appdata:812,lnsl:452,krb5_trace_nosupp:[853,372],nii:437,kdc_opt_renewable_ok:812,cusec:[904,727,457],service_passwd:[44,484],eku:[812,10],extract:[794,895,70,576,159,44,32],krb5_responder_pkinit_challeng:[521,649,269,36],otherrealm:812,krb5_init_creds_get_error:181,network:[794,452,56,493,174,119,895,17,184,306,473,521,642,70,768,812,100,836,275,664,606,44,45,104],log_:10,newli:[504,614,695,141,744,70,363,603,568,1,423,72,234,44,69,203,576,505,642],krb5_decode_authdata_contain:181,kdc_principal_seq:504,krb5plugin_service_locate_ft:226,content:[776,855,566,423,73,814],rewrit:27,kdb5_util_prog:63,reader:812,gov:[812,330],forth:812,wst:138,onlin:73,krb5_free_host_realm:181,inop:73,ignore_acceptor_hostnam:[812,17,473],krb5_address:[378,536,723,224,36,693,875,287,394,555,657,371,399,625],getrandom:576,situat:[10,493,646,73,662],ntt:330,free:[521,731,12,181],standard:[504,566,159,70,540,17,147,423,330,73,44,10,576],jennif:[70,44,119,104],"_krb5_pa_pac_req":767,"_krb5_responder_otp_tokeninfo":897,md4:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],md5:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],orig_hostnam:188,semfiajf42:10,workaround:473,libedit:452,argument:[521,449,535,70,689,181,423,784,73,151,44,10,45],openssh:[473,662],default_kdc_enctyp:746,openssl:[812,504,576,452,515],filter:[812,10],shrubberi:713,renew:[812,70,181,423,44,484,10],iso:26,unabl:[812,44,56],unknown:[97,147,814,323],regress:203,"_krb5_crypto_iov":924,onto:[812,895,100,56],licens:[26,462,452,576],user:[794,855,10,493,895,17,73,32,473,504,63,515,70,423,321,484,812,776,434,208,147,44,792],gss_ctx_id_t:[17,764],kfw:576,rang:640,entrycsn:855,render:[203,73],krb5_mk_rep:181,krb5_mk_req:[784,272,181],independ:[907,452,684,248,812,293,629],lockdown_kei:[70,44,32,576],thereof:330,restrict:[70,181,30,812,73,484,44,32],hook:181,unlik:[614,576,73,104],alreadi:[298,614,515,452,895,208,423,73,126,44,595,203,437,640],messag:[70,63],wasn:449,name_str:504,needchang:[70,44,484],agre:330,primari:[70,44,181,491],permitted_enctyp:[812,248],krb5_get_fallback_host_realm:181,krb5_auth_con_initivector:181,gss_mech_interpos:764,top:[614,203,26,126,45,493],krb5_rd_priv:181,kern:10,evolut:576,noout:504,fiction:4,travers:[423,44],krb5_kt_get_entri:181,master:[855,63,70,132,566,484,423,689,45],too:[820,759,207,131,791,422,70,129,44,346],krb5_realm_compar:[731,181],similarli:[794,672,118,104],krb5_cc_copy_cr:181,recent:[257,724,17,248,181,423,56],dict_fil:[10,689,455],outag:493,listen:[895,63,576,689,10,45,493],consol:10,randkei:[895,504,70,576,73,44],krb5_ldif:855,gss_c_buffer_flag_alloc:17,tool:[423,44,515],keytab_fil:640,noninfring:330,an2ln:[812,608],task:[521,535,73],somewhat:[504,27],nokei:[70,44,504],clpreauth_mymech_initvt:4,keyid:504,target:[895,614,576,17,812,323,32],keyword:[176,812],generalstr:504,provid:[794,614,452,815,286,493,119,895,17,568,248,473,689,885,519,576,521,504,70,639,812,100,203,515,776,437,147,662,149,275,330,44,45],verto:[330,452],gic_opt:413,krb5_address_compar:181,tree:[44,776,515,855,895],krb5_pac_server_checksum:595,cppflag:452,project:[776,452,576,4,330,303],matter:[812,56],nctx_out:141,getprinc:[434,70,576,423,73,44],krb5_checksum:[401,505,181,444],conf_keyfil:[44,484],minut:[812,821,484,27,176,104,215,44,10,119],krb5_encrypt_block:[222,419,36,719,261,526,896,856,910,609,819],userprincipalnam:10,lawyer:330,close:[458,100,88,543,181],boston:493,pass:[853,114,452,226,51,167,732,556,400,10,623,203,17,73,640,641,840,759,131,764,649,372,31,820,812,39,208,662,316,47,791,437,669],eventu:493,keyinfo:423,compon:[521,504,453,17,632,181,318,812,877,672,662,586,32,473],raw:[10,203],seed:[401,639,282,832],manner:330,increment:[63,566,73,689,10,32],"_krb5_pa_server_referral_data":220,slaptest:855,incompat:[885,812,203,452],minu:10,krb5_replay_data:[267,522,821,36,732,832,215,254],strength:576,realm:[794,855,63,70,132,484,423,321,73,689,32,45,814],pkinit_anchor:[504,70,812,44,10,640],delegated_cred_handl:17,new_mkey_fil:[423,44],latter:[515,18],thorough:493,kpasswd_serv:[275,812,493],contact:[812,614,63,606,70,132,518,275,698,44,10,493,23,73],krb5_set_principal_realm:[731,181],krb5_copy_address:181,output_cr:17,get_cr:521,expens:434,safe_checksum_typ:812,sock_dgram:226,though:[203,73,104],usernam:[504,863,895,70,208,17,812,104,573,44,640,814],kdb_log:330,glob:[70,44,423,794],object:[515,423,70,812,484,10],what:[812,540,17,27,4,455,423,413,850,73,44,10,32,119,248,104,473],last_success:423,regular:[504,895,437,17,812,73],letter:[895,493,104],eavesdropp:27,phase:437,choos:[515,73],authdatum:373,tradit:[423,434],cksumtyp:[600,272,247,385,744,674,91,310,505,756],ad_typ:[436,360,323],don:[614,452,437,814,116,203,119],krb5_auth_con_set_checksum_func:181,"0x00000004":[788,177,768],unpleas:73,"0x00000008":[202,664,763,16],lose:[423,44],lpr:10,doe:[794,614,452,815,620,494,10,346,701,119,895,17,632,73,129,687,519,473,521,504,642,63,70,135,764,423,874,374,203,812,708,437,159,330,608,44,45,104],declar:17,probabl:[895,423,73,44,203,814],wildcard:[783,10,32,576],krb5_auth_con_setaddr:[449,181],left:[812,10,4,316],sunwaadm:713,profile_vt:815,gss_get_mic_iov:17,random:[794,895,70,181,423,73,44,10],radiu:[10,208,576],pkc:[812,118],kerber:[895,437,73,792],krb5_anonymous_princip:181,kdc_err_more_preauth_data_requir:576,addr1:[287,394],protocol:[812,724,70,17,181,275,73,827,44,493,869],priv:181,involv:[812,850],consolid:776,arcfour:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],layout:[28,17],acquir:[70,44,17,423,181],rcach:[522,732,832,586,458,543],delet:[794,812,724,70,423,138,484,32],tty04:10,maxfailur:[70,44,434],configur:[70,566,484,689],bind_dn:70,krb5_checksum_s:181,auth_gssapi:[70,44],busi:330,ldap:[70,689,423,95,484,45],krb5_c_is_keyed_cksum:181,folder:812,pwservic:10,serv:[812,44,576,689],incorrect:[434,685,104,925,493,119],klein:330,likewis:437,stop:[45,4,689],compli:330,pcred:522,krb5_copy_data:181,db_module_dir:[10,515],cryptographi:73,report:[576,27,423,473,640,836,23],pa_hardwar:850,net:[812,330,713,23],qop_stat:17,bar:[423,812],g_export_nam:330,relianc:812,krb5_principal_compare_any_realm:[731,181],baz:812,"_krb5_responder_pkinit_ident":771,twice:[895,25,223,70,323,44,119],bad:[895,818,125],pkinit_kdc_hostnam:[812,504],max_renew_lif:423,krb5_k_make_checksum:[505,181],gss_c_both:17,testdir:147,krb5_build_princip:[521,731,181],respond:689,policy_nam:[44,484],human:[176,576,110],krb524:812,output_nam:764,padl:330,securid:[576,592],krb5_is_thread_saf:181,datatyp:155,num:566,mandatori:[600,744,631,247,385,310,505,444],result:[521,298,776,17,855,504,708,133,147,840,181,812,515,72,73,44,876,493,818,794,669],krb5_process_kei:181,respons:[615,390,850,343,238,559,634,68,569,362,413,185,689,75,640,521,504,583,70,636,518,27,34,907,687,330,44,543],corrupt:[423,44,576,56],themselv:[423,44],db_librari:[10,855,515],best:[895,73,473],subject:[504,776,812,330,44,10],awar:323,iterator_fre:815,stashfilenam:[423,44,484],authto:507,krb5_crypto_type_data:[385,247,310,600],remote_port:625,databas:724,krb5_verify_init_creds_opt:[521,572,519,204,36],krb5_set_default_realm:[449,181],discoveri:[895,792],gss_c_nt_machine_uid_nam:17,fail_count:423,xvm:73,simplest:[614,17,203,662],allow_tgs_req:[70,44],awai:[119,147,73,104],krb5_kdcpreauth_modreq:850,approach:17,include_pac:767,attribut:[515,855,70,208,484,248,423,321,44,10,32,566],accord:[563,502,70,208,393,646,764,812,28,323,44,437],extend:[812,10,855,181,504],krb5_pac_fre:181,change_tim:[449,237,257],ccach:[70,147,181,125,44,88],weak:[812,10,147,73,248],sysdoc:713,extens:[504,576,17,764,827,126,493],harvard:330,preprocessor:452,extent:[576,330],entryuuid:855,toler:812,pkinit_ident:[812,10,504],k5login:[762,748,662,812,437,119],krb5_init_secure_context:[624,181,862],protect:[794,504,267,745,434,576,17,248,27,423,100,832,827,118,78],g_imp_sec_context:330,expos:[521,70,437,423,525,73,44,640],ss_lib:452,howev:[100,504,812,434,70,493,423,330,73,56,44,10,203,792,104],krb5_responder_pkinit_get_challeng:[521,181],against:[521,895,821,695,373,724,258,631,568,181,812,73,215,662,10,493,444],krb5_tc_match_srv_nameonli:686,krb5_auth_con_getkey_k:181,logic:493,countri:330,mkeyvno:[423,44,484],com:[855,147,566,10,493,119,563,184,473,576,504,515,70,812,138,321,423,434,713,662,783,330,44,104],compromis:[613,614,812,100,73,56],fullname_out:509,rcommand:260,default_realm:[895,815,662,812,687,792],data_length:651,foobar:[493,184,452],int32_t:546,iterator_cr:815,loader:452,krb5_cc_store_cr:181,written:[330,70,159,847,689,77],exemplari:330,guid:[794,162],assum:[562,298,449,918,26,17,248,812,72,73,640,10,77,895,493,208,104,386],summar:562,sclogin:10,duplic:181,reciev:1,krb5_string_to_timestamp:181,byacc:452,failuretim:[70,44],krb5_enctyp:[450,224,105,551,730,55,171,604,868,69,298,530,871,349,143,182,22,755,819,657,896,365,137,370,411,597,378,36,711,603,149,316,651,91,825],fri:566,three:[642,434,576,248,73,323,493,104],been:[562,298,614,812,434,748,764,27,423,330,73,44,885,10,104,814],beep:[386,104],anl:812,keyspac:73,interest:[812,27,434,746],realmnam:[521,504],token_id:897,gss_krb5_nt_principal_nam:17,allow_dup_skei:[70,44],nofail:521,krb5_cccol_have_cont:181,life:[70,44,32,640,484],rather:[100,812,614,615,794,70,493,689,764,423,563,185,129,44,10,484,45,203,640,473],krb5_princ_nomatch:[422,318],krb5_auth_con_getkei:181,encourag:812,suppress:[452,70,437,646,423,386,44,10,576],s4uself:10,worker:45,search:[812,10,484,181,44],telnet:[812,260,437],anywher:119,pkinit_require_crl_check:[812,10],krb5_prompt_type_preauth:591,ldif:855,krb5_unparse_name_flag:[731,181],krb5_const_point:[401,261,222,282,36],sender:[267,821,832,215,189],krb5_425_conv_princip:181,ident:[70,10],appl_vers:[695,642],gnu:[576,330,203,473,452],servic:[724,63,70,814,484,45],properti:[812,762,330],commerci:[812,504,330],session_enctyp:[70,44],krb5_no_2nd_tkt:422,vagu:452,anchor:[812,10,640],keytyp:45,spawn:689,ulog:[10,44],kadmind_port:[10,895,689],printabl:[235,242],mexico:330,kdcproxi:275,tabl:[70,44,423,181],userpolici:[44,484],iov_count:17,disjoint:776,gssapistrictacceptorcheck:473,krb5_cc_select:181,conf:[794,476,776,855,63,724,70,132,566,484,95,423,138,321,73,56,689,427,32,45,814],module_nam:812,sever:[794,504,614,452,70,493,27,812,44,321,323,836,10,203],krb5_kt_start_seq_get:[621,181],disabl:[328,812,452,895,273,493,372,147,748,662,248,167,70,241,73,44,10,623,203,473],intact:330,target_princip:32,incorrectli:104,perform:[895,812,515,70,689,423,814,484,44,10,32],suggest:[776,907],make:[794,855,56,10,493,895,17,248,181,73,814,504,515,70,423,100,812,776,434,147,662,604,44,792],camellia:[10,576],bunni:493,default_tkt_enctyp:[812,248],krb5_principal2salt:181,disable_lockout:[10,434,515],krb5_princ_set_realm:2,complex:576,split:[70,576,493],big:[302,563,764,323],gss_unwrap_iov:17,return_pwd:914,complet:[121,17,812,642,761,860,133,568,245,423,73,44,10,484,155,493],uninterrupt:73,unlockit:[70,10,44],evid:17,rfc4120:275,krb5_k_reference_kei:181,keydata:423,pick:[10,203,504],hand:[44,73,895],idea:473,"0x0101":749,"0x0100":[778,262],tune:493,squar:[812,10,662],gss_verify_mic_iov:17,g_glue:330,kept:[70,10,100,56,44],krb5_init_creds_set_keytab:181,scenario:73,kprop:[423,427,689],thu:[44,437,27,452],default_profile_path:746,inherit:[437,119],krb5_boolean:[18,584,863,494,399,171,510,511,411,871,631,247,71,358,130,394,368,265,36,37,912,385,920,789,444],client:[794,476,515,273,248,662,812,70,321,73,44,10,814],shortli:[792,119],rekei:73,thi:[812,453,227,230,877,9,458,12,411,243,726,463,17,247,248,249,686,586,566,256,257,631,693,639,483,699,484,703,486,555,708,272,37,273,279,44,45,49,502,724,504,840,51,507,842,732,734,56,10,736,895,738,493,298,743,745,65,1,70,72,73,689,32,69,310,521,522,312,759,63,81,348,100,85,245,774,89,776,94,191,651,102,791,792,794,796,105,107,340,110,111,112,716,648,346,723,565,349,334,725,124,814,357,859,575,818,473,369,131,363,364,921,144,658,377,600,841,39,603,147,149,385,606,610,543,611,114,855,412,194,166,887,168,171,621,403,625,869,406,624,178,524,409,876,181,182,882,185,753,188,417,267,133,744,644,421,422,322,423,920,653,428,820,515,907,627,434,436,208,801,662,915,916,666,217,832,444,505,669],gss_inquire_cr:17,programm:540,preauthent:[162,70,662,812,321,44,10],krb5_is_referral_realm:181,gss_c_buffer_type_mic_token:17,"0x00080000":459,unchang:[70,794,437,73],lr_type:503,identifi:[267,812,45,362,586,661,662,249,730,330,793,689,324,78],just:[794,895,614,812,643,746,437,17,423,413,184,73,44,10,267,203,792,104],krb5_bad_enctyp:[651,251],"_kerbero":493,via:[521,895,776,812,63,434,70,181,423,44,10],addent:138,krb5_auth_con_setsendsubkey_k:181,yet:[895,614,812,452,423,473,885,44,104],previous:[70,44,17,423,181],"0x00000010":[812,683,858,861],easi:[104,434,73,56],krb5_principal_parse_require_realm:632,interfer:203,krb5kdc_err_key_exp:606,had:[895,662,423,184,104,44,119],admcil:32,"0x00010000":[297,7],newest:44,els:[437,119,104,4,895],save:[504,563,667,16,576,850,115,266],hat:330,opt:[796,798,725,107,229,556,55,743,407,827,817,575,520,521,644,81,371,142,532,706,907,537,37,540,787,280],applic:[776,814],rev:[423,44],preserv:[423,44,330],donat:[44,330],vaniti:473,filesytem:504,euid:[812,28],database_nam:[10,895,44],krb5_tkt_creds_init:[735,181],krb5_get_init_creds_opt_set_etype_list:181,daemon:[228,63,812,44,10,32],herebi:330,ctime:[904,727,457],specif:[476,515,895,70,689,248,812,73,44,10,32,45],arbitrari:[70,44,17],uint16_t:810,moira:330,manual:[895,776,452,423,44,45,203,792],unstabl:223,krb5_ccselect_moddata:698,krb5_c_keylength:181,v4_instance_convert:812,unnecessari:44,krb5_mk_1cred:181,kdc_max_dgram_reply_s:10,underli:17,www:[515,576,713],right:[820,759,462,131,484,330,44,10,32,791,924],old:[794,504,743,724,895,70,576,812,211,27,423,73,44,10,38,869,119],deal:[614,330],interv:[895,434,63,70,176,44],krb5_principal_compare_flag:[731,181],intern:[482,208,72,147],kadm5:[70,423,689,476],indirect:330,successfulli:[521,907,434,70,17,857,423,814,572,44,59],"0x80000000":[670,290],krb5_no_tkt_suppli:[422,318],transmiss:56,insensit:[176,424,493,511],wicker_foot:4,normal:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_auth_con_setrecvsubkei:[449,181],dbname:[70,44,45,423],buffer:[164,129,207,17,181,149,39,832,185,171,44,756,346,597,669],krb5_k_encrypt:181,equal:[794,302,437],krb5_prompt_type_new_password_again:591,icr:17,timestampp:781,foo:[70,423,812,794],localhost:794,gss_iov_buffer_type_data:17,krb5_princ_siz:[439,2],gss_s_unavail:17,insecur:[100,17,493,73,656],pose:73,delold:[73,724],key_exp:324,krb5_cc_cache_match:181,promot:[330,73],repositori:126,krb5_typed_data:36,post:181,timeret:740,plug:330,krb5_kt_get_nam:181,sshd:812,sasl_authzid:70,alexand:330,unpars:[17,181],seqnumb:[312,85],slightli:452,appplic:181,simul:437,gss_accept_sec_context:[576,17,764],canonic:[812,794,792,515],cipher:[812,73,181,248],keyprocarg:730,g_imp_nam:330,krb5_auth_con_getremotesubkei:181,krbprincipalnam:515,free_valu:815,krb5_c_block_siz:181,telephon:330,almeida:330,authfrom:507,preauth:[33,576,878,413,850,323,10],krb5_tkt_creds_get_cr:[735,181],init_cr:521,deploi:[504,208,203,473],encod:[521,274,812,181],default_principal_expir:[176,10],libev:330,down:[493,27],creativ:330,ad_kdcissu:[403,373],formerli:285,wrap:44,initvector:869,info2:576,storag:[521,49,693,463,164,227,181,171,625,597,756],compile_et:452,accordingli:203,allowedkeysalt:[70,44],wai:[614,603,452,107,556,493,119,176,17,885,126,576,521,642,812,159,662,783,330,608,44,104],support:[70,423,45,689],transform:452,disable_last_success:[10,434,515],avail:[812,70,423,138,73,10,814],reli:[794,895,452],krb5_pac_init:181,editor:776,krb5_c_random_add_entropi:181,telegraph:330,fork:[895,437,45],head:812,iprop_resync_timeout:[10,44],disallow_forward:[44,484],form:[794,613,614,576,620,10,493,562,895,17,249,816,640,267,70,527,812,832,235,701,783,776,273,662,275,330,386,44,918],offer:452,forc:[63,434,70,566,484,812,73,191,44,10,32,493],x509_anchor:[812,640],refcount:576,back:855,krb5_k_create_kei:181,k5login_directori:[812,662],admin_serv:[895,63,70,812,44,10,493],krb5_init_context:[624,181],"true":[566,394,863,494,399,171,10,510,511,411,871,17,18,248,71,184,73,572,358,473,504,130,727,812,368,584,767,265,515,907,434,208,147,912,44,789,792,793],freenod:23,reset:[521,434,70,576,916,372,44,566],absent:640,attr:[81,515,878],ldap_kdc_sasl_authcid:[10,484,44],wicker_slat:4,inquir:[70,44,32,794],passwd_phrase_el:[443,36],maximum:[521,812,794,70,484,423,104,914,850,73,44,10,374,45,493,792,640],tell:[540,104,689,45,203,119],inaccur:812,gss_export_cr:17,fermi:330,absenc:[521,10],mitiys4k5:895,distclean:203,autoconf:836,retir:95,"30m":176,trim:[39,669],later:[827,563,302,17,147,248,608,44,330,473,191,687,10,493,118,792],alongsid:895,hardcod:[815,614,159],chrand:[70,44],decrypt:[70,44,17,434,181],krb5_auth_con_fre:181,outcr:627,ipropd_svc:330,exist:[521,895,776,812,724,434,515,70,17,181,423,662,100,73,484,44,10,77,859,794,823],krb5_cc_get_nam:181,request:[794,812,63,515,70,566,689,423,321,73,44,10,32,45],getusershel:437,check:[895,662,17,181,812,124,814,44,10,428,686],maxpathlen:109,courtesan:330,vista:[576,248],gss_c_no_credenti:17,encrypt:[794,724,70,423,73,56],kadm5_pass_q_:455,inauthdat1:628,krb5_get_in_tkt_with_skei:181,when:[223,452,453,455,230,672,10,12,726,17,248,249,686,687,254,23,73,695,27,28,698,701,30,711,491,40,745,275,308,316,718,44,45,723,815,51,507,292,734,56,509,739,493,895,744,433,606,1,559,143,517,689,489,521,504,63,70,764,321,323,88,812,535,540,159,543,783,191,102,549,104,794,796,105,107,110,111,556,118,119,69,562,565,566,568,569,814,357,473,821,369,363,586,914,921,141,126,658,730,841,603,147,384,848,386,608,91,610,208,614,576,393,860,862,736,915,406,524,875,632,877,251,887,188,640,641,364,642,628,644,420,646,765,245,423,901,903,653,656,515,627,872,436,437,684,662,792,832,505],actor:32,database_modul:[10,855,515],krb5_free_error:181,test:[70,566,812,73,44,45,814],krb5_c_crypto_length_iov:181,roll:44,"0x40000000":[541,335,720,770],realiti:776,krb5_get_default_realm:181,bullopensourc:713,intend:[521,70,437,17,147,848,44,45],krb5_plugin_vt:4,kdcpreauth_plugin:850,g_dup_nam:330,center:[836,45,330],outreach:73,krb5_pac_sign:181,muse:330,consid:[776,452,258,147,27,812,73,323,493,792],easili:[895,576,203,73],krb5_c_random_to_kei:181,"_krb5_respons":583,camellia128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],lsocket:452,lastpwd:423,modpol:[70,44],longer:[452,453,30,230,672,12,726,17,249,686,586,254,695,872,701,711,491,40,308,316,718,44,723,730,292,734,509,739,493,744,745,684,1,143,517,32,489,88,535,102,792,104,105,107,110,111,69,565,568,569,357,821,369,363,364,832,141,507,627,603,384,91,610,393,860,862,736,915,406,524,875,632,877,251,887,188,640,641,642,628,420,765,245,901,903,653,656,658,436,549,921,505],furthermor:[330,73,907],libldap2:855,krb5_k_decrypt:181,pseudo:181,flag:[521,812,256,724,434,515,70,17,181,423,662,73,484,44,920,10,32,493,792],krb5_c_fx_cf2_simpl:181,krb5ccname:[562,614,273,918,437,646,386,191,640],pathnam:[504,812,63,746,159,662,275,689,44,203],srvtab:[138,159],time:[794,449,855,724,566,10,493,895,17,73,32,504,515,70,423,484,812,776,434,208,147,662,44,45],g_delete_sec_context:330,backward:[812,895,646,248,63],daili:73,krb5_string_to_cksumtyp:181,iprop_slave_pol:[10,63,44],mydomain:10,concept:869,relai:45,chain:[812,10],krb5_get_credenti:181,skip:[572,44,519,452,504],krb5_kpasswd_autherror:362,global:[515,524,273,484,181,812,44,10,77,32],newprinc:[70,44],gss_c_deleg_policy_flag:576,signific:434,supplement:10,netbsd:[576,330],extendedkeyusag:504,hierarch:[812,576,689],decid:[895,907,493,104],hold:[614,745,70,164,879,874,171,597,756],depend:[521,603,242,452,26,17,4,455,28,119,235,527,493,118,104,792],zone:[176,493,73],pem:[275,504,812,321,515],decim:[423,17,323],readabl:[794,613,812,576,159,110,176,100],lkrb5:540,krb5_wrap_error_messag:[140,181],decis:162,umich:330,"0x000f":[150,578],downtim:73,"0x000d":416,"0x000e":775,aspx:713,"0x000c":[899,199],keyindex:423,iakerb:576,sourc:[776,45],string:[521,895,812,70,208,17,248,181,423,321,662,484,44,10,32,493,794],impend:521,krb5_kdc_rep:[378,657,224,36],auth_to_loc:[812,662,608],krb5_salttype_to_str:181,netlib:452,feasibl:895,implicitli:812,condit:[504,437,330,393],ok_as_deleg:[70,44],exact:[515,26],local_realm:437,krb5_responder_pkinit_ident:[319,36],"0x00000020":[830,13,700],hour:[437,484,176,104,44,10,32,792,119],"0x0008":[305,482,619,84],"0x0009":[655,326],did:[895,318,422,104,258],mkeynam:[423,44,45],"0x0004":[414,804,83,834],"0x0005":[786,244],"0x0002":[92,383,355,867,902,127],"0x0003":[766,356],"0x0000":585,"0x0001":[913,301,696,456,233,426,539],item:[37,515,482,850],unsupport:[504,452],representaton:636,team:23,cooki:475,round:[576,850],dir:[562,504,614,452,273,918,812,28,386,10,640],in_data:[363,1,642],prevent:[5,812,223,724,788,70,576,1,27,248,275,330,640,44,10,32,45,119,473],slower:73,yyyi:176,pkinit_kdc_ocsp:10,desir:[580,226,452,363,17,662,532,556,73,44,346,437],krb5_cc_move:181,"_krb5_get_init_cr":829,plu:[10,437,104],sign:[504,70,17,147,181,812,100,44,10,32],"_krb5_last_req_entri":503,no_host_referr:[10,493],containerref:[44,484],btree:[423,44],port:[794,895,63,273,132,208,689,812,70,814,44,10,45],master_key_typ:[895,423,44,73,484,10],pw_expir:423,portnum:45,appear:[521,504,895,147,4,330,73,323,10,493],often:[515,203,159,662,473,44,885,10,493,792],krb5_cc_dup:181,repli:[615,248,167,796,850,623,59,563,569,413,72,185,917,640,814,521,422,83,907,139,35,857,848],krb5_get_init_creds_opt_set_proxi:181,systest:[70,44],remain:[449,614,907,223,70,302,17,192,423,330,850,73,44,689,10,437],krb5_get_init_creds_opt_alloc:[521,181],current:[812,724,662,515,70,566,181,423,191,138,73,63,44,10,493,473],sinc:[794,504,515,70,1,181,812,814,56,44,73],wors:812,subdomain:[783,493],krb5_appdefault_str:[124,181],an2ln_typ:608,va_list:[577,181,877],myrealm:521,deriv:[181,423,73,44,10,791,669],pkinit_allow_upn:10,gener:[794,724,434,566,248,812,100,73,56,44,10,32,814],krb5_responder_context_st:527,satisfi:203,explicitli:[449,223,452,895,37,576,662,70,73,44,32,104],modif:[895,812,566,181,423,32],address:[794,449,776,181,812,473,44,10,493,792],k5srvutil:427,along:[776,208,924,614,452],krb5_responder_otp_set_answ:[521,181],wait:[10,493,63,44],box:208,krb5_kt_free_entri:181,susec:457,rlogin:437,checksum:[812,17,181],sscope:[44,484],master_key_nam:[423,10,44],queue:[10,330],kcm_mach_servic:812,behav:[70,572,17,479,452],krb5_chpw_fail:606,extrem:70,bob:[437,184],output_payload_buff:17,commonli:[147,63],semant:521,regardless:[423,812,32,17],stduser:44,extra:[44,26,493,109,32],modul:[812,70,423,44,689,10],prefer:[159,70,107,17,812,473,687,44,576],expdat:[70,44],leav:[70,662,100,73,44,493,792],krb5_responder_question_password:521,fake:[521,812],marker:323,instal:[794,855,162,662,812,814,56,44,73],krb5_copy_authent:181,random_data:298,password_changing_servic:[70,44],old_cod:[38,140],memori:[17,147,447,181,453],sake:437,wicker:4,athent:606,univers:330,visit:104,live:[423,4],book:[794,576],criteria:614,msg:397,scope:[44,484],strdup:815,kbd5_util:44,challeng:[521,812,181],tightli:[613,100,73,662],athena:[794,895,452,70,815,484,662,812,330,104,100,44,10,32,119,73],krb5_mk_req_extend:[363,181],gssi_:764,log_daemon:10,afford:100,peopl:10,rlen:[535,877,577,453],ctype:[721,282,584,401,510,358],src_ctx:508,krb5_pac_get_buff:181,prototyp:[836,4],examin:[812,504,413,850],"_krb5_pwd_data":443,krb_ap_rep:181,ap_opts_use_session_kei:1,libpam:713,allow_tix:[70,44],subschema:515,default_kdb_fil:746,"_krb5_pa_svr_referral_data":304,runstatedir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],prepar:181,ldap_kerberos_container_dn:[10,855,515],uniqu:[70,794,181],cat:423,descriptor:[256,695,642,234],krb5_responder_pkinit_flags_token_:118,preauth_plugin:[413,850],old_princip:70,can:[223,452,226,4,455,232,10,17,248,129,687,258,26,27,698,484,701,30,32,273,672,275,44,45,724,293,56,739,59,895,748,73,689,753,519,521,504,63,70,764,527,100,321,323,423,776,159,176,191,792,104,794,566,341,119,563,473,572,126,629,138,832,372,476,147,608,850,437,614,855,576,393,493,413,885,640,644,812,203,515,434,660,735,208,857,662,217],inadequ:147,purpos:[895,452,248,812,330,518,10,45],logon:[10,595,538],krbdev:23,sighup:[45,147],cred_usag:17,stream:[895,63,208,17,814,10],krb5_kt_client_default:181,curri:794,krb5_authent:[872,181],backslash:672,topic:776,spi:764,keyusag:504,kdclist:895,host_realm:687,surround:662,sharp:32,krb5_kei:[774,406,181,915,921,699],k5_random_kei:[143,298],krb5_respons:36,krb5_get_error_messag:181,alwai:[794,449,166,115,10,458,345,493,242,243,302,473,151,77,73,812,323,266,915,212,784,920,44,45,447],lxml:126,multipl:[794,614,576,4,850,10,493,895,17,73,640,521,504,70,27,764,812,321,203,515,434,273,208,662,783,78,44,45],strlen:[521,17],krb5_pa_server_referral_data:36,ch06s05:713,modulenam:812,sharealik:330,write:[895,614,515,812,434,853,815,27,662,423,138,848,776,44,10,45,532],till:34,purg:[70,423,576,27,73],krb5_keyusage_pa_sam_challenge_trackid:547,aklog:920,krb5_verify_checksum:181,krb5_is_config_princip:[731,181],map:[812,895,792,662],product:[895,330],krb5_kt_end:803,prof_no_rel:815,krb5_us_timeofdai:181,southern:330,usabl:181,sni:576,appnam:[124,428],membership:521,keyfilenam:812,xore:[812,568],commit:[566,330,223],mai:[794,1,918,223,452,725,568,576,51,30,167,437,796,850,473,10,623,493,869,119,562,895,746,31,302,17,18,248,857,413,72,73,687,885,32,519,78,386,521,504,642,63,515,70,639,27,764,423,482,323,701,203,783,377,812,907,434,39,273,815,208,603,147,662,792,176,436,330,23,640,44,45,919,334,104,669],underscor:[812,330],mcred:686,krb5_unparse_name_ext:181,man:[70,812,776,27,452],for_us:646,regularli:[493,56],gethostnam:[17,473],practic:[521,39,576,812,73,669],rep_cksum:220,failurecountinterv:[70,44,434],stdin:848,explicit:[515,662,812,73,32,493],kldap:[10,855],krb5_expand_hostnam:181,inform:[855,70,132,566,423,689],"switch":[228,73,662],preced:[437,812,73,45,493,302],combin:[794,63,70,17,248,181,44,10],block:[10,73,181],anoth:[349,70,147,181,812,100,56,44,9,10,493],outaddr:723,untest:452,ordinarili:[907,724],talk:27,ssh:[794,792],krb5_get_init_cr:[378,556,532],denot:[176,423,32,563],"_krb5_typed_data":647,anticip:[493,792],krb5_auth_con_getrecvsubkei:181,changeov:895,acl_fil:[10,32,895,63,689],pkinit_revok:[812,10],krb5_timestamp:[449,237,502,503,727,457,257,461,879,278,583,258,765,874,29,904,324,34,36,660,781,740,847,189,279,220,852],opensc:812,lss:452,key_stash_fil:[423,10,895,44],size_t:[721,222,164,282,674,171,401,149,530,247,879,182,310,690,759,131,261,365,831,874,901,597,820,600,825,148,604,385,316,651,756,791],still:[737,895,812,434,70,493,437,646,611,792,423,100,73,689,44,45,203,576,640],pointer:[449,1,223,226,4,455,555,292,850,798,320,242,409,334,17,569,413,125,752,309,521,522,191,628,479,591,698,372,324,887,656,535,276,781,397,544,341,875,924],keysalt:[70,794,724],dynam:[328,812,4,815],entiti:[17,330],fsanit:452,conjunct:646,unswapp:614,group:330,krb5_auth_con_getlocalsubkei:181,cygnu:[594,330],polici:[812,70,484,423,321,689,10,32],default_tgs_enctyp:[812,248],othernam:504,slotid:812,kadmin:[427,724],handle_out_of_space_error:17,platform:[614,26,203,576,452],window:[764,812,614,890,815,576,248,4,27,275,400,836,662,24,851,714,104,218],krb5_rd_safe:181,mail:[10,614],krb5_init_context_profil:181,main:[273,649,23,47],gss_c_null_oid:17,krb5_cccol_unlock:[112,181],krb5_error:[903,168,642,565,74],krb5_ticket:181,non:[449,114,1,724,725,247,576,840,30,730,556,400,737,302,631,568,18,70,73,77,640,890,759,642,744,258,131,639,812,323,32,820,907,39,437,857,792,385,44,444,791,540,505,669],within:[794,895,393,434,273,493,17,181,812,70,44,10,88],g_acquire_cr:330,krb5_set_kdc_send_hook:181,krb5_tkt_authent:36,supersed:[45,73],initi:[895,434,515,70,248,812,814,484,44,73],nation:330,underneath:515,therebi:184,krb5_auth_con_get_checksum_func:181,nlgilman:814,now:[504,841,63,895,83,73,357,493,104,606],discuss:[885,895,330,27,23],nor:[562,812,437,330],possess:104,outweigh:27,sequenti:181,term:[504,614,70,576,159,147,248,413,330,850,73,44,559],subkei:181,x509_user_ident:[812,321,640],krb5_cc_notfound:[163,393,88],simpl:[98,72,814,56,484,44],didn:[814,662],krb5_authdatatyp:[291,274,360,436,36],crypto:[377,580,530,452,576,812,330,73,836],separ:[812,776,515,273,38,484,211,662,423,70,672,482,321,44,217,10,32,45,493],krb5_auth_con_getflag:181,rock:[413,850],januari:[176,44],princ_tktpolici:423,ters:[70,44],compil:[776,452,746,540,576,437,330,203,26],failov:493,domain:[794,504,895,208,792,812,814,10,493,576,104],replai:[273,17,181],minclass:[70,44],regener:126,replac:[222,855,452,856,896,869,895,530,224,179,302,413,307,577,819,419,657,70,261,526,812,697,484,910,378,922,210,662,330,640,44,719],individu:[10,566,330,104],krb5_nt_srv_hst:[701,318],continu:[895,563,724,437,423,330,56,576],lookasid:452,ensur:[521,504,515,608,895,687,857,112,73,56,44,9,10,794,59,104],"0x4000":581,krb5_c_encrypt_iov:181,year:176,distributor:330,happen:[895,70,147,56,44,10,493,104],in_length:[401,282],g_seal:330,shown:[812,10,614],accomplish:44,gss_release_iov_buff:17,"0x0018":[295,156],space:[504,580,114,840,207,70,38,26,39,876,211,479,176,914,321,473,129,10,648,346,669],profit:330,precomput:181,krb5_prompter_fct:[357,606,36],bindpwd:70,krb5_last_req_entri:[324,36],"0x0010":[96,677,487,839],"0x0013":[529,873],"0x0012":[52,180],profil:[812,10,476],setstr:[70,321],"void":[722,49,557,798,688,815,372,227,801,167,842,168,796,508,55,9,623,62,59,120,60,555,624,743,178,407,409,17,486,124,882,428,151,278,22,752,376,38,520,397,572,521,226,331,644,194,725,480,136,320,371,140,264,357,348,240,142,144,204,269,706,89,901,907,537,435,911,912,94,857,211,845,784,811,848,606,787,666,919,103,157,280],internet:473,libkrb5:[812,17,662],krb5_parse_nam:[521,731,181],correct:[45,73,689],krb5_const_princip:[568,227,403,511,524,726,258,18,71,129,77,489,130,479,765,368,108,265,429,36,711,217,549],integr:[521,267,821,26,17,248,792,28,330,832,215,836,576,104],earlier:[895,248,30,812,608,10],krb5_kdcpreauth_moddata:850,"goto":521,pwexpir:[70,44,32],migrat:[44,576,147,73],chl_out:649,krb5cc_ttypa:104,envelop:[150,775,416,899],krb5_cc_resolv:[708,181],request_tim:583,return_padata:850,california:330,lab:[44,330,484],gss_c_no_nam:17,org:[515,576,713,812,330,184,484,44,203,126,23],"byte":[521,17,181,182,10,669],sunw_dbprop_master_ulogs:44,card:[70,10,812,44],care:[70,17,662,73,885,44,32],from_mast:[28,63],suffici:[70,44,73,452,484],g_inquire_nam:330,rule:[794,783,393,70,437,17,646,662,812,184,44,493],sysconfdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],refus:[895,73,814],recov:[423,44,413,576],turn:[794,434,63,437,812,914,848,452,792],gssi_import_sec_context_by_mech:764,place:[521,449,63,724,504,17,248,181,812,100,73,689,662,45,493,792],reject_bad_transit:10,principl:469,"0x001a":404,imposs:[44,434],frequent:[473,493,73,792],first:[449,615,452,453,566,287,394,51,372,796,473,10,493,511,895,563,411,302,17,248,185,687,126,32,814,504,25,628,130,70,586,27,86,423,368,914,321,323,265,203,812,515,437,159,662,783,330,924,191,608,44,104],oper:[794,515,724,70,566,484,812,73,689,10,32,45],redhat:576,carri:70,onc:[521,895,614,226,812,223,745,70,17,27,423,914,73,44,794,203,119,925],arrai:[70,521,208,17,181],tokeninfo:[514,831,433],yourself:104,acquisit:[17,739],rpcbind:44,"long":[614,815,576,109,341,850,493,559,242,17,248,413,73,473,504,70,39,159,147,330,44,669],yarrow:576,oppos:504,custom:[812,28,576,126],open:[521,423,181,812,217,44],predefin:493,size:[504,566,147,181,812,44,10],ret_as_repli:[378,224,657],given:[724,10,493,298,12,181,249,124,73,125,473,521,63,70,363,423,484,428,812,208,147,662,44,45],"_krb5_ccach":339,breviti:563,silent:562,convent:[815,493,549],local_port:625,teardown:203,fmt:[811,211,140,331,240,38],parallel:[493,576,45,203],krb5_tkt_creds_fre:181,citi:330,necessarili:73,draft:[391,576,552,542],userinfo:713,krb5_auth_context_generate_local_addr:256,conveni:521,friend:104,includ:[794,855,566,10,493,895,17,181,182,473,32,504,639,423,100,321,515,708,812,44,792,669],krb5_c_padding_length:181,allow_svr:[70,44,434],grant:[521,504,841,434,895,70,17,248,181,422,812,662,73,44,10,32,30,493,703,606],especi:[794,895,576,473],copi:[794,504,855,895,17,147,248,322,275,100,483,181,56,44],specifi:[794,476,63,70,132,566,484,423,321,73,689,10,32,45],test2:[70,44,176],kdc_default_opt:812,enclos:[176,10,812],pnl:812,mostli:452,gss_iov_buffer_desc_struct:17,krb5_tkt_creds_context:[121,615,739,36,735,860,62],e19253:713,holder:330,than:[794,614,615,473,185,576,287,10,493,119,563,302,17,248,413,814,129,689,32,640,73,504,642,70,27,764,423,100,484,203,656,812,434,662,44,45],royal:330,ckfrom:658,wide:[275,812,208],ciphertext:[820,563,759,39,131,636,840,114,182,370,791,669],sasl_realm:70,sasl_mech:70,gss_get_name_attribut:17,exampl:[70,423,566,484],kinit:[521,176,614,515,812,434,504,273,762,147,662,275,70,413,321,814,44,895,792],temporarili:70,posix:[423,563],balanc:[493,73,473],were:[794,895,614,576,17,812,330,73,519,239,104],posit:[423,302,662,434],new_message_out:59,worcest:330,kdc_princip:504,seri:[473,181],pre:[515,695,535,642,363,17,568,1,181,167,321,606,234,776],lowest:812,sai:27,prf:181,san:[812,10],sam:[576,564,601,602],keyblock:181,"_krb5_prompt":139,slat:4,krb5_init_creds_init:[753,181],ani:[794,473,566,393,56,10,493,895,17,181,73,129,32,818,686,521,504,823,63,70,423,100,321,859,812,776,208,147,662,44,45],ank:[70,44],dash:812,userconfig:812,properli:[275,504,147,452,895],krb5_cc_destroi:181,result_str:[362,890,400,110],bitwis:[118,65],engin:493,techniqu:521,advic:228,krb5_tc_match_ktyp:686,shadowlastchang:515,consortium:23,x509_proxy_ca:812,note:[15,325,423,725,70,393,248,176,213,100,850,73,484,44,10,547,895,203,812,104,907],krb5_ccache_conf_data:323,ideal:[521,44,203,794,895],includedir:[812,452],take:[449,389,223,732,10,493,119,298,17,248,73,32,521,812,482,698,535,437,603,147,662,176,100,924,44,45,104],advis:[330,73],"_krb5_error":457,hwauth:10,outptr:[261,222],noth:[27,63],channel:[521,208,17,73],begin:[820,812,114,759,39,131,815,208,323,840,662,423,687,783,44,739,791,689,669],sure:[794,515,70,484,147,104,73,640,44,792,119,814],eblock:[222,419,856,719,261,526,896,910,609,819],trace:273,stashsrvpw:70,multipli:434,g_accept_sec_context:330,compress:26,statu:[562,70,437,646,764,330,773,576],default_domain:812,krb5_kt_resolv:181,beta:[423,44],mk_req:376,krb5_get_init_creds_opt_set_anonym:[521,181],sublicens:330,pair:[812,855,248,878,423,10],time_rec:[576,17],america:330,krb5_encrypt:181,unalloc:316,renam:[70,44,576,223,452],ccachenam:452,adopt:812,drive:203,krb5_copy_checksum:181,aes128:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_rc_requir:[522,732],sbindir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],runtim:[273,28],subtag:812,krb5_decode_ticket:181,ckf_:118,salt:[794,724,70,603,181,423,44,10,69],hmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],gracefulli:764,recipi:[330,189],krb5_gc_cach:30,krb5_pa_data:[34,35,324,36],krb5_prop:[794,895,147],show:[562,614,724,147,423,28,139,126,10,104],"0x54800000":824,pkinit_ind:[10,321],ldapuri:[70,44,484],krb5_524_convert_cr:181,bin:[895,452,437,28,126,203],subprocess:45,"3h30m":104,tkt:793,"0x1fff":618,krb5_get_init_creds_opt:[796,798,725,107,229,556,55,743,407,827,357,817,575,520,521,644,81,371,142,532,706,907,537,841,36,37,606,787,280],permiss:[794,476,614,823,895,70,463,576,17,330,44,10,32,859,104],krb5_kdcrep_skew:422,threshold:44,kerberosnf:713,etype_list:[55,829],tend:794,unfinish:850,gss_wrapex:576,help:[504,452,815,540,27,23,576,104],xml:126,userdata:[267,832],onli:[794,812,725,566,51,30,399,10,493,869,895,17,248,181,73,689,32,310,686,521,63,515,70,423,100,476,907,434,147,662,44,45,792],slow:27,fenc:4,input_payload_buff:17,krb5_c_crypto_length:181,g_dsp_statu:330,activ:[504,812,63,110,423,386,44,73],state:[423,10,566,73,895],dict:[70,44,812],overwritten:[10,924],inaddr:723,krb5_free_checksum_cont:[505,181],nearli:70,variou:[73,162],get:[70,855,73,814],wicker_brac:4,secondari:895,ssl:[275,504,515],cannot:[70,44,794,434,504],om_uint32:[17,764],"import":[794,895,812,434,423,73,56,484,44,32],krb5_build_principal_alloc_va:[731,535,181],pipermail:23,requir:[794,267,504,107,725,229,732,473,832,10,604,493,895,566,17,876,248,181,814,689,254,73,521,522,821,63,515,70,827,423,100,321,651,377,812,434,208,662,149,215,44],krb5_use_enctyp:181,input_message_buff:17,ldopt:452,requires_hwauth:[70,44,850],krb5_prompt_typ:[591,36],delprinc:[70,44],krb5_sname_to_princip:[731,181],borrow:104,yield:850,across:[895,223,17,812,56,10,119],"_krb5_responder_otp_challeng":514,bison:452,krb5_key_st:78,krb5_cccol_cursor:[684,342,517,36],kpclientauth:10,where:[794,614,452,576,4,56,10,493,563,17,249,73,689,640,521,63,515,70,132,26,27,423,701,203,812,437,159,662,44,104],summari:[566,63],wiki:[576,203],kernel:[836,576,614],caller:[615,648,1,3,815,576,840,341,114,850,458,737,346,242,17,876,131,185,687,519,521,580,759,81,914,907,832,835,803,820,708,39,191,791,543,924,669],kiprop:[44,63,689],tekniska:330,nfsv4:713,ap_req_authdata:436,placehold:[836,26],keepold:[70,44,576,73],change_password_for:[890,400],krb5_transit:[826,36],krb5_auth_con_setsendsubkei:[449,181],krb5_responder_otp_challeng:[521,47,157,36],minlif:[70,44],request_init:413,krb5_c_random_make_octet:181,ocsp:10,detect:[522,63,452,27,764,423,732,832,73,44],review:26,enumer:73,label:[812,330],enough:[114,502,39,70,840,109,44,669],listinfo:23,between:[895,812,434,70,566,147,275,44,10],kdc_cert:504,pwchang:10,qop_req:17,krb5_cksumtyp:[721,282,600,272,36,584,435,247,674,590,385,505,401,744,154,91,510,310,358,756],krb5_principal_unparse_displai:489,oeap:775,kdb5_err:330,sname:[701,646],august:330,parent:[812,28,614,493],screen:104,krb5_free_checksum:[658,181],style:[691,811,70,812,846,140,331,44,493],tktpolici:[70,44,484],no_auth_data_requir:[70,44],cycl:576,sparc:576,kdb5_util_path:689,in_tkt_servic:[841,422,703,606],uncondition:[51,452],substhtml:126,come:[521,26,568,812,203,119],valid:[298,17,584,181,812,44,115,266,10,493],"0x00000040":870,krb524_krb4_disabl:345,fit:[374,330],"0x0020":675,pertain:[45,330],contract:330,enable_onli:[812,662],jqpublic:437,present:[632,341,10,239,562,895,242,918,302,17,18,838,73,815,254,640,521,504,63,27,812,321,833,235,595,203,515,907,660,273,208,159,732,662,386,216,44,104],krb5_finish_random_kei:181,mani:[434,70,147,662,812,56,885,44,493,104],krb5_princ_set_realm_data:2,stime:457,unrecogn:452,among:521,krb5_c_encrypt_length:[840,181],gss_c_buffer_type_data:17,krb5_cc_default:181,locate_plugin:226,output_message_buff:17,period:[812,63,434,423,104,56,44,10,640,73],dispatch:764,pol:[70,44,32],featur:[275,649,47],colon:[672,273,38,620,211,662,812,44,484,10,493],libdir:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],allow_forward:[70,44,484],supervisor:45,poll:[10,576,689,63,44],einval:[450,432,781,590,606,235],krb5_lname_notran:129,resynchron:566,krb5_k_key_enctyp:181,input_name_typ:764,marc:330,krb5_tc_match_is_skei:686,rebuild:[126,452],invers:302,mark:[895,258,70,423,330,44,10],krb5_invalid_princip:217,skei:[10,793],krb5cc_320:104,krb5_c_valid_cksumtyp:181,certifi:812,crawford:330,"abstract":[413,850,223,698,455],procedur:423,cipher_st:[820,114,759,39,131,840,791,669],manual_test:203,keyexchang:72,resolut:[794,437,17,792,473,576,656],gss_c_nt_string_uid_nam:17,krb5_c_verify_checksum:[505,181],optimist:[181,644],wake:794,rememb:[504,895,323],preauth_requir:[413,850],andrea:330,krb5_sendauth:181,those:[794,452,576,850,493,895,302,17,413,184,73,885,126,32,521,70,646,764,812,423,330,44],outcksum:401,"case":[614,1,724,4,850,10,493,511,783,17,568,413,73,885,32,572,521,25,642,70,316,27,423,424,701,812,907,436,437,159,662,176,330,608,44],ivec:[261,222],interoper:[504,614,400,890],principal_seq:504,enc_errbuf:903,gss_s_cred_unavail:17,cast:[223,226,4,455,413,850,698],invok:[521,566,608,25,63,437,226,764,812,784,138,850,814,191,372,44,689,640,907],db_lib:452,testus:[70,44],del_polici:[70,44],region:[600,17,247,385,310,924],setuid:[273,147],advantag:[812,100,73,248],stdout:[273,848,147],krb5_error_cod:[744,450,222,224,453,876,695,229,230,672,674,234,235,458,11,12,595,240,461,411,243,681,463,896,247,114,249,881,686,415,586,254,690,256,257,277,258,693,887,639,74,135,479,872,483,699,266,701,30,703,261,359,272,36,37,274,364,712,40,740,276,716,308,491,279,719,47,282,502,684,286,840,51,507,291,292,293,509,737,730,604,642,298,628,745,65,91,1,732,143,72,517,307,848,77,69,519,310,489,521,522,312,759,524,81,316,526,318,718,85,245,108,88,532,907,774,649,535,536,811,146,825,726,781,922,329,784,852,787,671,651,102,791,549,874,237,853,105,107,827,551,340,110,111,112,556,342,115,344,346,723,121,627,565,349,334,352,568,569,711,910,125,357,859,817,575,818,577,580,393,129,369,131,620,363,133,365,590,137,38,921,140,141,372,373,374,862,756,597,658,377,378,600,841,39,765,603,148,149,735,384,385,606,734,609,610,543,611,158,389,615,648,412,856,163,164,860,821,166,395,736,697,400,171,621,401,403,625,738,823,406,739,179,629,875,631,632,877,869,879,182,251,185,151,914,753,188,417,267,890,641,190,331,419,420,421,422,322,197,362,920,803,200,901,903,653,761,656,429,820,657,432,205,206,207,436,300,210,211,915,916,831,917,505,215,217,832,444,447,669],henc:814,krb5_deltat_badformat:712,worri:[515,203],ktutil:[427,724],gss_add_cr:764,authtim:[660,258,765,323],texinfo:776,krb5_pac_data:54,time_t:423,inquiri:32,krb5_randsourc:377,author:[70,10,812],media:[812,44,484],same:[794,614,452,576,287,394,51,4,111,556,293,9,10,493,119,411,65,17,18,511,72,814,689,77,640,130,70,629,27,764,812,368,484,265,32,515,535,208,349,662,78,191,44,45,437],trip:[576,850],binari:[812,100],epoch:181,pac:[70,10,181,44],pad:[17,181],timestamp:[812,181,423,73,266,115],autolock:330,grain:17,hxx:330,pam:792,week:[44,484],exhaust:100,default_ccache_nam:[812,614,191],finish:181,krb5_unparse_name_flags_ext:181,bb463167:713,"_krb5_verify_init_creds_opt":6,confidenti:[576,17,248],someon:[812,895,119,104,56],companion:208,krbcanonicalnam:515,capabl:[576,100,119],openldap:[70,855,484],common_appdata:812,preiniti:[648,580,876,346],improv:[776,434,576,812,73,10,23],extern:[10,17,855,323],kreen:330,cartoon:895,krb5_eblock_enctyp:181,krb5_c_decrypt_iov:181,krb5_string_to_deltat:181,macro:98,markup:[126,776],krb5_clear_error_messag:181,without:[504,614,812,434,452,895,70,203,208,17,478,662,649,100,73,63,44,10,738,59,47],krb5_auth_context_do_tim:[267,821,745,832,115,215,266],pktinfo:45,gain:[895,73,104],disassoci:[45,689],krb5_responder_list_quest:[521,181],inauthdat2:628,comment:[794,776],trust:[812,504,17,862,275,10,640],requires_pwchang:[44,484],authorization_data:[727,34,826],execut:[521,423,515,452,895,70,26,167,540],addrlist:399,extfil:504,krb5_free_princip:[521,535,453,491,393,181,731,877,12,726],acceler:330,rest:[662,452],krb5_free_ap_rep_enc_part:181,host_based_servic:[10,493],krb5_plugin_no_handl:[226,608,687],helpdesk:73,kill:895,invalid:[562,812,243,730,73,191,640,217,44,818,104,606],aspect:[885,794,662],flavor:[70,44],getstr:70,speed:515,subtree_dn_list:[44,484],samba:662,gss_buffer_desc:17,stai:[70,794],hint:[70,10,671,44],krb5_tc_match_tim:686,html_subst:126,regent:330,except:[794,70,363,17,576,812,330,44,10,32,493,437],param:[3,9,62,12,18,22,37,40,47,49,51,55,11,65,71,72,74,77,81,85,88,89,609,94,102,103,105,107,110,111,112,615,115,69,121,124,125,130,131,133,137,921,140,141,142,144,148,149,157,158,163,164,166,167,168,171,178,524,182,251,185,188,190,787,322,197,874,204,373,179,207,362,210,211,215,217,222,224,227,229,230,234,242,243,247,249,254,256,257,258,261,264,265,266,269,272,274,740,276,279,280,282,286,287,291,292,293,298,300,307,310,489,312,318,108,146,329,331,200,340,341,342,344,345,346,349,334,352,357,358,412,363,364,365,368,371,372,205,374,206,377,378,384,385,543,389,393,394,397,399,400,401,403,406,407,409,681,415,417,419,420,421,422,428,429,432,435,735,669,447,450,453,30,458,461,463,129,135,479,872,483,235,486,359,491,308,316,502,507,509,510,511,517,519,520,522,526,411,532,535,536,537,651,549,551,555,716,557,565,856,568,569,827,572,575,577,580,860,629,590,591,240,595,597,600,39,603,604,606,91,610,611,114,620,623,624,625,627,631,632,641,642,628,644,649,653,656,657,658,395,666,444,671,672,494,674,530,726,686,586,688,690,693,639,695,697,699,701,703,706,708,711,712,556,718,719,721,722,723,725,730,842,732,734,736,737,738,739,743,745,1,143,753,120,38,756,759,761,348,765,774,781,784,191,789,791,796,237,798,801,803,277,320,811,910,859,817,818,819,821,840,823,369,831,832,835,841,845,436,848,825,852,853,648,508,194,584,862,863,621,868,869,871,875,876,877,879,881,882,151,887,267,890,744,896,245,901,903,820,907,911,912,684,914,915,916,917,920,922,505],desktop:521,identif:[576,330],gss:[836,576,764,662,323],princ_look_ahead:437,ricciardi:713,treatment:493,versa:[504,576],db_arg:[70,44,45,689],vulner:[521,576,100,73,44,23],disrupt:73,princ_meta:423,microsystem:330,earli:73,"_krb5_context":[630,818,125],around:[44,452],krb5_c_is_coll_proof_cksum:181,read:[521,504,515,812,434,895,273,566,484,181,423,70,138,662,44,10],address1:323,address2:323,zephyr:[330,73],ap_req_opt:[363,1,568,642],inetd:[895,147,814,63],traffic:275,insist:437,grammar:[302,323],yyyymmddhhmmss:176,presum:27,fortuna:[576,330,452],gss_c_nt_hostbased_servic:17,intel:330,whitespac:[70,10,812,44],unimpl:4,apputil:836,integ:[794,504,563,70,208,812,44,323,10,302],server:[63,724,70,132,566,484,423,814,689,45],benefit:493,"0x20000000":[905,822,605,175],either:[794,449,614,4,10,739,59,121,17,248,184,504,895,364,479,812,482,832,203,515,907,434,37,761,208,147,436,330,608,44,437,104],rcmd:812,krb5_principal_compare_utf8:511,output:[794,895,70,840,349,131,876,566,17,147,181,423,273,72,44,10,791,669],iran:330,rollov:[423,44],manag:[815,762,576,484,44,32,792],iprop_listen:10,sbin:[63,28,814,452,895],my_cach:437,maj_ver:4,default_client_keytab_nam:[812,159],sha384:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],legitim:[521,437,27],ldap_conns_per_serv:[10,515],krb5_kpasswd_softerror:362,adequ:27,krb5_free_data_cont:[524,181],authent:[794,855,70,423,73,484,45,814],respect:[895,70,30,176,693,672,330,625,119],load_dump:[423,44],krb5_set_password_using_ccach:[731,181],krb5_aname_to_localnam:181,constitut:330,err_fmt:[812,576],af_unspec:226,nonzero:[812,646,30],basic:815,krb5_pre_send_fn:[623,36],keytab:[63,724,70,132,138,73,814],confirm:[724,70,576,247,423,385,484,44],sudan:330,krb5_copy_keyblock_cont:181,highest:[794,730,812,70,423,711,73,519],definit:[836,10,45,321,330],token:[812,10,321],legal:[437,316],randsourc:377,"0x00100000":866,exit:[562,614,63,70,576,646,138,44,45,104],g_rel_oid_set:330,keyfil:[423,10,515,44],damag:[614,330],notabl:44,refer:[70,484],kdc_tcp_port:10,power:[576,493],krb5_realm_cant_resolv:606,inspect:[167,321,623,59,857],gratitud:330,openvis:[70,330],broken:[73,452],pressvr:73,fulli:[521,895,794,812,434,70,275,100,44,32,640],regexp:812,referr:[576,552,812,292,656,687,10,678,493,701,104,218],krb5_auth_context_ret_tim:[267,821,732,832,115,215,266,254],appli:[476,907,812,434,70,437,17,147,748,640,330,850,73,44,9,10,32,45,104],unicod:330,basch:330,src:[855,452,330,126,203,611],central:776,krb5_data:[49,840,110,669,346,69,298,524,300,876,181,362,124,77,580,131,197,428,377,922,349,603,791,505,444],krb5_timestamp_to_sfstr:181,acl:[70,476,63,689],addition:[812,208,45,104],krb5_get_credentials_valid:181,srv:[812,895,576,493,792],stand:895,act:[32,45,27,576],"_tcp":493,tape:100,routin:[812,139],cflag:[540,452],krb5_c_:[222,530,419,856,261,526,922,896,910,719,819],gss_import_cr:[17,764],multihom:812,surviv:614,krb5_kt_notfound:135,quietli:386,trademark:330,"01am":44,your:[776,814],willi:73,zanarotti:521,log:[566,63],her:[493,184,104],area:[521,895],heim_org:812,dec_error:903,brute:[44,73,434],overwrit:[423,44,881,386],krb5_copy_ticket:181,start:[794,812,776,855,63,515,70,689,228,248,423,73,44,10,32,45],interfac:[70,10,138,45,73],ipv4:473,lot:493,ipv6:[812,576,473],besid:812,strictli:895,restrict_anonymous_to_tgt:[10,504],unam:662,krb5_principal_compare_ignore_realm:511,krb5_encrypt_s:181,tupl:[70,44],bundl:[812,330],regard:330,jul:176,krb5_auth_con_getaddr:[449,181],krb5_cc_get_full_nam:181,preselect:640,krb_ap_req:181,krb5_responder_otp_get_challeng:[521,181],src_name:17,cryptograph:[576,17,73,330],padata:[34,35,850,413],faster:[493,614,203],tripl:[10,576,73],immedi:[812,576,423,850,73,44,493],krb5_rd_cred:[732,181],possibl:[521,504,515,812,434,453,70,17,248,181,423,100,73,56,44,10,484,895,493,794,473],ovsec_adm_export:[423,44],spnego_mech:330,krb5_get_init_creds_keytab:[657,181],unusu:[504,662],mkey_convert:[423,44],krb5_init_creds_step:[245,181,761],sasl_authcid:70,krb5_init_creds_get_tim:181,connect:[895,63,70,689,44,100,814,484,10,473],cbc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],proxy_imperson:323,uid:[614,437,17,812,28,184],creat:[70,689],certain:[452,107,646,100,330,44],todd:330,gssapi:[812,10,321],fellow:330,krb5_cksumtype_to_str:181,decreas:[812,159],file:[70,132,484,423,689],krb5_pa_pac_req:36,yymmddhhmmss:176,encompass:17,fill:[217,521,129,181],workdai:792,again:[764,895,27,662,104,44,772,792,119,73],gss_import_sec_context:764,adminjohndoefoo:812,osconf:26,dbmodul:[70,855],reforward:104,krb5_cc_default_nam:[181,125],prepend:[38,493,211,452],field:[521,449,812,434,504,70,208,181,423,44,10,493],cleanup:[521,815],collis:181,gss_c_dce_styl:17,writabl:[815,158,895],ignor:[737,794,641,257,841,258,273,421,17,632,422,181,812,70,606,662,10,32,703],you:[794,613,855,452,232,56,10,493,119,895,746,814,689,126,23,504,70,26,812,100,321,484,203,515,776,434,437,147,662,176,330,386,44,45,792,104],intermedi:[576,17,30,812,44,323,10,104],krb524_init_et:2,adminhost:[70,44],kdcdefault:45,symbol:[26,4,423,28,672,764,126,203],krb5_tc_match_flags_exact:686,drift:794,mkei:423,andrew:[44,484],ansi:26,track:[434,70,566,27,423,44,23],krb5_k_prf:181,krb5_kt_next_entri:181,pool:73,reduc:[820,759,452,131,791,812,73,44,203,792],gss_iov_buffer_type_sign_onli:17,pkinit:[70,321],mkey_fil:[423,44],directori:[504,614,855,258,273,484,27,662,110,812,814,44,10,895,792],noaddress:812,mask:[266,916,115,447,686],out_flag:817,password:[794,812,855,515,70,566,484,423,138,321,73,56,689,10,32,45],potenti:[521,613,100,73,895],cpp:452,escap:116,enctype_nul:349,kprop_path:689,dst:611,unset:[9,812,17,181],cpw:[70,44,73],pto:102,represent:[812,17,181],all:[794,812,724,473,566,56,10,895,684,17,248,181,73,32,686,521,504,641,515,70,423,100,476,776,434,273,662,792,275,44,517],dist:26,krb5_get_in_tkt_with_password:181,gss_c_buffer_type_head:17,alg:452,lack:[504,137,576],concern:[330,434,104],pluggabl:[328,812,662,4],month:[176,576],krb5krb_err_response_too_big:[615,185],krb5_get_in_tkt_with_keytab:181,krb5_init_creds_set_servic:181,ldap_kdc_dn:[10,515,484,855,44],pty:[836,330],krb5_copy_authdata:181,follow:[794,614,855,452,540,632,576,51,4,229,672,386,10,783,493,701,119,562,176,563,724,746,918,302,17,568,748,184,73,815,885,32,566,23,489,504,256,63,895,70,132,646,27,764,423,591,907,323,836,595,203,248,812,515,434,273,208,159,914,662,275,330,848,640,44,45,437,104],disk:[521,613,614,895,26,484,27,423,100,56,689,44,794],krb5_tc_match_authdata:686,unansw:919,krb5_kt_dup:181,seed_length:[401,282],uint8_t:923,laboratori:330,strptime:330,nt_wellknown:86,former:18,krb5_server_decrypt_ticket_keytab:181,tail:895,ap_req_nofail:[572,6],dest_ctx:508,gss_iov_buffer_type_pad:17,hist_kvno:423,introduc:[223,273,687,812,70,608,10],requires_preauth:[504,434,70,73,484,44],cachenam:[614,918],liter:4,masquerad:[119,104,56],r13:[423,44],song:330,fals:[394,863,494,399,171,10,493,511,411,871,510,18,248,71,184,73,572,358,473,504,130,584,812,368,265,907,208,662,912,44,789,792],subcommand:73,krb5_kpasswd_malform:362,offlin:[73,640],util:[44,493,895,855,731],krb5_make_authdata_kdc_issu:181,candid:437,worst:73,gss_add_cred_from:764,failur:[576,226,455,346,463,247,73,489,521,631,70,479,812,108,423,434,711,330,385,606,44,444],veri:[815,27,812,73,44,10],ticket:[794,812,724,515,70,423,321,73,484,10,32,814],hostrealm_plugin:687,krb5_cc_next_cr:[243,181],krb5_cc_retrieve_cr:[181,65],k5login_authorit:[812,184,662],quux:812,list:[70,776,724,689],krb5_c_string_to_kei:181,kpasswd_listen:10,krb5_free_context:[191,181,141],adjust:[820,895,759,504,131,181,275,73,791,792],"_krb5_encrypt_block":755,cosin:855,stderr:10,small:129,getdat:[70,44,32,423,484],anam:[437,129],krb5_pac_delegation_info:595,pid_fil:[45,689],enterpris:[469,632,473,640],krb5_auth_con_getrcach:181,gss_c_nt_anonym:17,ten:[792,104],krb5_prompter_posix:[521,181],handi:895,edu:[794,815,576,10,119,895,73,32,23,814,70,26,812,100,484,776,437,713,662,330,44,104],past:[70,44,23],syslog:[812,10,895],zero:[449,70,639,17,247,181,812,493,444],design:[521,895,614,27,662,730],v4_realm:812,changepw:[794,907,70,362,73,44,400],further:[895,45,184,27],tls_cacert:515,max_renewable_lif:[10,895],kdb:[855,434,576,328,330,689,836,44],krb5_init_context_kdc:737,subjectalternativenam:812,last_req:324,get_princ:[70,44],abc:452,sub:[812,44,836,484],richard:330,defin:[812,10,792,814,895],gss_get_mic_iov_length:17,section:[70,45],abl:[794,613,614,812,434,895,437,275,321,104,44,10,32,493,119],brief:[885,836,100],pppcred:254,credentials_cach:[70,44],"public":812,version:[794,449,724,566,51,730,10,17,181,73,827,77,473,70,695,423,484,812,776,711,275,44,45],intersect:248,krb5_cccol_cursor_new:[342,181],osf:43,option2:812,krb5_auth_con_getrecvsubkey_k:181,option1:812,g_context_tim:330,full:[63,566,181,44,73,689,10,493],hash:[423,44,576,812,504],berkelei:[330,452],vtabl:[815,413,850,4],keepkvno:70,unmodifi:[437,330],sophist:521,modular:576,tkt_life:[520,829],middl:27,solari:[228,576,203,452],excess:203,variad:[535,140,811],method:[226,223,815,323,4,455,812,413,608,698,687,656,850,493,640],fred:662,modifi:70,invoc:[423,17,147],valu:[794,855,10,493,895,17,248,181,73,32,521,504,515,70,423,321,484,812,273,208,662,44,45,792],krb5_cc_unlock:[205,181],getpwuid:[70,44],krb5_cred_enc_part:[336,36],naval:330,krb5_finish_kei:181,krb5_fences_vt:4,principal_out:[672,632],observ:[275,434],prior:[63,17,147,423,330,191,44,10],out_cr:[697,30,642,307],krb5_clpreauth_moddata:413,krb5_pac_upn_dns_info:595,action:[223,27,423,330,73,689],diffi:[812,10,640],krb5_gc:739,rkt:138,mkvno:423,marko:330,depart:330,sprecif:26,reiniti:611,transit:[562,826,805,568,573,646,828,812,241,104,496,10,640],krb5_recvauth_vers:181,deprec:10,acceptor_cred_handl:17,famili:[261,530,419,856,556,226,526,922,896,222,910,10,719,532,819],heurist:[783,437,393,812,698,656],decrement:181,krb5_prepend_error_messag:181,handle_error:17,select:[423,44,812,73],yflag:452,hexadecim:[423,576],paus:44,proceed:44,gss_iov_buffer_desc:17,krb5_deltat_to_str:181,generalizedtim:563,regist:[328,812,89,94,662,740,168,330,348,689,44,493,549,486,429],pa_typ:[635,323],coverag:203,ldap_kadmind_sasl_authzid:10,krb5_set_trace_callback:181,krb5_init_random_kei:181,command_opt:[423,44,484],formul:812,morn:792,ldap_serv:[10,855,515],krb5_cc_start_seq_get:[610,243,181],standart:855,upstreamhostnam:44,krb5_get_init_creds_opt_set_salt:[181,644],minor:[764,17,26,226,27,4,73,576],more:[794,614,615,452,473,576,672,850,343,10,493,118,119,895,433,746,334,17,68,73,687,32,23,185,521,504,515,27,423,100,836,31,812,434,159,147,275,44],flat:614,mellon:330,door:713,flagnam:32,canon:[794,515,689,473,171,608,44,493],krb5_auth_con_setuseruserkei:181,gss_oid:764,krb5_tkt_creds_get:181,update_rel:815,"0x0040":252,krb5_copy_error_messag:181,krb5_get_init_creds_opt_set_address_list:181,krb5_init_creds_get:181,cacert:[275,504,515],compani:104,destin:[100,203],new_princip:70,cach:[794,449,273,17,181,812,70,73,662,44],interface_module_initvt:4,dictat:44,none:[515,49,206,273,208,912,227,27,248,812,70,44,831,437,74,10,88,286],endpoint:[256,330],nonc:[34,324,917,189],krb5_trace_info:[136,372,36],valuabl:[521,330],"0x000b":560,der:[563,850],outlin:[275,776],krb5_auth_context:181,dev:[273,10,855,812,147],krb5_c_make_checksum_iov:181,actual_mech:17,krb5_calculate_checksum:181,kdcpreauth_mymech_initvt:4,learn:794,dec:[176,44,434,895],gss_iov_buffer_type_mic_token:17,krb5:[794,855,724,566,56,10,95,73,689,32,814,63,70,132,423,138,321,484,427,476,776,45],krb4:576,ap_opts_use_subkei:1,prompt:[521,895,724,70,181,423,484,44],ap_opt:[259,363,1,837,642],tr_type:496,registr:812,share:[521,776,452,815,1,4,812,764,73,662,44,119],krb5_kdcrep_modifi:422,krb5_get_init_creds_opt_set_fast_ccache_nam:[575,181],krb5_free_cr:[627,181],tabular:[423,576],minimum:[70,10,792,44],resync:[44,576,566,689],gss_oid_set:[17,764],incom:[10,473],phrase:889,krb5_get_init_creds_opt_get_fast_flag:181,krb5_cred:[521,65,362,463,181,686,345,610],tr_content:496,cours:56,newlin:[672,848],secur:[70,132,73,794],programmat:521,ascii:[423,44,493,323],isi:437,altogeth:10,krb5_k_verify_checksum_iov:[247,600,181],subsess:[1,46,248],krb5_k_make_checksum_iov:[310,181],csv:[423,576],input_assoc_buff:17,sign_onli:17,isn:[27,330,44,10,595,203],trace_log:147,"_krb5_get_init_creds_opt":829,resourc:[521,61,17,203,713],redwood:330,referenc:[515,330,323],flip:73,variant:[44,576,764,452],reflect:[820,895,563,759,131,334,832,191,44,791],okai:[70,44,104,562],des_crc_session_support:[10,248],offset:[45,181],krb524_convert_creds_kdc:2,unlink:[423,44],associ:[614,474,434,70,566,17,27,44,330,473,323,10,32,689],maxlif:[70,44,32],kdc_port:10,circumst:[10,504],"short":[207,159,147,812,73,32],krb5_set_real_tim:181,confus:330,krb5_k_encrypt_iov:[131,759,181],stash:[70,484],krb5_encode_authdata_contain:[291,181],caus:[452,685,10,493,562,895,17,18,73,827,640,473,504,70,639,689,27,423,812,907,434,273,330,386,44,918],suncc:452,stash_fil:[423,44],is_last_req:[907,278],alphabet:176,"0x00000080":327,seq:29,g_canon_nam:330,sunw_dbprop_slave_pol:44,iprop_master_ulogs:[10,44],ldap_kadmind_sasl_mech:10,sendauth:[895,814],rotat:473,concatent:764,soon:[44,63],held:[562,330],cache_nam:[70,44,386,640,562],createtimestamp:855,through:[521,895,641,812,223,434,853,656,372,662,275,44,321,104,323,572,10,794,493,792,119],delstr:70,gss_acquire_cred_impersonate_nam:17,krb5_ktname:[273,28,17,159],krb5_keytab_entri:[158,329,276,36,395,711,803],krb5_string_to_kei:181,paramet:[423,10,45],member:10,typedef:[221,454,6,457,676,17,466,259,636,480,29,485,31,34,35,490,717,826,189,496,790,336,501,503,727,54,59,60,513,425,514,304,481,752,309,755,78,525,317,531,319,767,771,324,773,544,101,546,499,793,339,807,809,810,376,360,582,583,897,829,909,370,139,837,596,843,660,847,153,154,865,172,630,878,635,278,889,299,647,898,650,900,904,136,387,857,527,919,443,923,220,924],get_valu:815,sale:330,extra_address:812,relev:[436,895,563,473,745],html:[515,776,26,713,126,576],rapidli:794,famou:895,component1:[302,323],"0x00800000":[512,333],krb5_auth_con_getsendsubkey_k:181,might:[895,434,452,493,17,4,275,662,330,73,56,323,44,203,119,473],alter:[504,73],"0x00020000":198,kpkdc:812,good:[794,895,639,330,104,44,119,814],"return":[521,515,63,70,566,17,394,181,812,814,44,217,10,473],lowercas:44,sentenc:895,component2:[302,323],message_out:110,framework:[576,17,330],casio:73,krb5_authdata:[373,628,36,436,409,291,274,887,403],sign1:17,sign2:17,foot:4,krb5_prompt_type_password:591,detach:63,krb5_free_authent:[507,872,181],getpol:[70,44],krb5_fwd_tgt_cred:181,administr:776,troubleshoot:[895,162],level:[504,70,493,17,484,44,815,45,203,126],userid:[812,452],instruct:[44,895,23,452,504],refresh:[17,323],"0x0006":[270,673],slave_datatrans_hostnam:44,val:[722,194,557,178,435,409,94,801,348,555,842,168,882,264,666,22,144,486],principal_nam:504,"0x0007":[106,93],ceas:[423,44,776],found:[895,918,452,65,428,132,437,393,568,686,730,436,124,119,44,10,45,493,812,104,814],intervent:73,krb_error:181,truncat:104,krb5_mk_ncred:[522,181],subsystem:452,krb5_anonymous_realm:181,cost:[275,44,330,452],weight:493,tryagain:413,unkei:521,referred_realm:220,krb5_pointer:[501,222,642,36,261,526,695,730,856,234,910,790],realli:869,krb5_c_random_os_entropi:181,krb5_princ_nam:2,iter:[70,10,181,44],gennadi:437,http:[812,515],energi:330,beyond:[885,413,850],todo:119,event:[493,181],http_anchor:[275,812],ftp:[895,100],authdata:[373,628,274,30,328,291,323,403,793],krb5_anonymous_princstr:227,krb5cc_p11795:104,usec:[457,727,189,29],krb5_allow_weak_crypto:181,publish:[330,473],research:330,krb5_auth_context_ret_sequ:[267,821,364,732,832,115,215,266,254],enomem:[522,395,318,292,732,346],print:[63,70,132,437,646,576,423,914,44,540],occurr:9,wicker_construct:4,clpreauth_plugin:413,qualifi:[70,44,32,812,794],oid:[576,764,662],add_auth_ind:[576,850],proxi:[812,10],danilo:330,ldapadd:855,differ:[794,812,515,70,423,814],effect:[614,812,482,73,44,10,32,493],asc:26,krb5_generate_seq_numb:364,reason:[258,437,662,812,330,119,56,323,493,792,104,73],base:[614,648,876,576,455,850,10,493,895,12,17,18,413,124,473,586,885,126,640,521,256,70,812,28,428,515,776,149,783,330,44,104],krb5_init_context_secur:737,ask:[423,521,493,181,504],earliest:[423,686],workstat:521,lag:437,basi:[44,493,73,476],db_185:452,thread:[614,576,78,452],daisi:493,krb5_get_init_creds_opt_set_in_ccach:181,omit:[515,128,815,302,662,212,323,489],krb5_string_to_salttyp:181,krb5_cccol:698,gss_cred_id_t:[17,764],perhap:[70,10,73,44],iprop_hdr:330,krb5_free_enctyp:181,syria:330,lifetim:[812,70,181,423,73,44,686],assign:[895,70,625,181,693,44,10,32,493],major:[26,17,4],gpg:26,get_tgt_via_passwd:437,notifi:23,kdb_convert:330,binddn:70,exchang:895,more_preauth_data_requir:413,number:[794,724,566,10,493,181,73,689,32,814,521,504,63,70,812,138,484,266,423,434,208,44,45],sometim:[44,473,640],"3de":73,pop:100,smaller:[812,302],done:[895,614,855,63,452,515,815,437,413,100,850,44,493],krb5_524_conv_princip:181,stdlib:815,blank:783,krb5_pac_verifi:181,stabl:[576,223,455],verify_ap_req_nofail:812,miss:[126,422],gpl:330,guess:[812,895,576],guest:[70,44,812],vararg:535,interact:[70,44,812,493,724],size_return:914,least:[794,895,114,925,39,302,840,479,100,686,608,44,375,493,669],dfl:[273,27],writeabl:395,accept:[815,576,226,10,493,895,65,248,73,689,640,473,63,70,764,812,321,698,701,203,159,147,176,330,44,104],natur:473,krb5_roundup:2,scheme:493,kadm5_hook_modinfo:223,store:[794,724,840,56,10,895,17,248,181,70,73,689,521,504,63,515,131,812,484,423,784,44,791,669],krb5_lname_no_tran:608,memset:521,your_realmnam:504,relationship:[812,608],behind:[73,662],iprop_logfil:[10,44],krbnfs_howto_v3:713,appropri:[521,423,393,812,504,437,17,662,562,275,879,850,73,235,44,895,493,640,698],pars:[794,521,70,17,662,155],modbi:423,fall:[614,493,27],crypto_entri:755,gss_error:17,grace:640,krb5_get_init_creds_opt_set_fast_flag:[181,827],test_html:126,kind:[614,411,17,27,764,413,330,850,473],pwexpdat:[70,44],contrari:[521,17],prebuilt:203,krb5_get_init_creds_opt_init:181,whenev:521,remot:[794,256,536,70,132,17,181,792,473,44,10,689],gotten:104,remov:[70,423,855,724],sunw_dbprop_en:44,kkdcp:[275,576,330,493],"_krb5_address":499,unconfigur:[126,493],admcilsp:32,str:17,arrang:44,"_krb5_cred_enc_part":189,toward:[44,776],master_kdc:[812,493],randomli:[248,724],ktid:249,comput:[521,449,535,812,17,181,275,73,10],deleg:[70,10,44],strengthen:73,well:[521,895,452,473,576,17,812,311,687,836,44,73],clientkei:504,beforehand:17,krb5_config_cantopen:217,packag:[275,855,203,895],local0:10,allow_weak_crypto:[147,248,181,812,73,10],expir:[504,812,724,70,423,44,10,32,792],service2:646,service1:646,"null":[521,449,536,17,181,812,399,32],option:724,principal_databas:63,krb5_auth_context_generate_remote_addr:256,dec_err:565,onlyrealm:[10,73],equival:[362,890,208,400,576],remote_addr:[693,449,536,568],krb5_free_keyblock_cont:[143,603,734,181,69],cfr:330,self:515,s_address:189,nktype:34,luser:863,add_rel:815,schema_convert:855,brace:4,krb5_auth_context_do_sequ:[267,312,364,821,85,115,215,832,266],krb5_ticket_tim:[121,761,36,826,544,324,793],krb5_responder_otp_tokeninfo:[514,36],distribut:[855,452,746,26,330,836,45,203,576,104],exec:[437,540,452],vno:[70,730,711,847,73,44],previou:[449,776,615,504,105,812,70,556,881,185,323,44,895,38,818,140],reach:[812,803,517],krb5_auth_context_generate_remote_full_addr:256,react:743,most:[504,393,812,257,724,895,17,147,248,181,423,662,56,44,10,493,792],spnego:[576,330],plan:44,profile_releas:334,krb5_cc_set_default_nam:[191,181],kdc_listen:[10,895],dump_fil:689,ppcred:732,addr:[378,224,657,875,399,544,324,793],allow_proxi:[70,44],hereaft:330,x11r6:203,krb5_prompt:[848,36],clear:[521,794,70,208,181,423,138,191,44,818],lehman:330,cover:792,krb5_enc_kdc_rep_part:36,enctypep:450,auth_to_local_nam:[812,662],part:[336,613,614,826,672,563,568,248,71,881,882,73,815,309,473,421,422,764,812,100,323,703,35,437,147,330,44],exp:[794,504,70,248,812,10],add:[794,812,228,515,70,566,423,138,73,44,10,32,792,814],kswitch:[614,361,762],enctyp:[812,423,138,73,44,10],krb5_unparse_nam:[731,181],usual:[521,504,614,159,434,452,39,70,17,646,821,323,812,814,215,44,10,45,493,104,669],microsoft:[812,576,17,713,248,275,400,236,10],sector:[423,44],wsgi:275,afs3:[10,73],"0x8000":[431,780,892,145],your_princnam:504,carefulli:504,hostnam:[794,504,895,70,812,814,44,10,792,473],consult:[812,608],krb5_magic:[336,503,727,485,457,525,755,189,360,259,636,370,904,324,596,34,35,36,826,847,544,154,793,499],gss_name_t:[17,764],python:[275,126],fini:[223,687,226,413,850,698,608],modifiersnam:855,session:[794,70,812,73,44,10],passwd:[889,437,330,484,44,792],tmpbuild:203,krb5_cccol_cursor_next:[342,181,684],fine:[17,493],find:[17,181,812,814,217,44,493],privsvr:258,impact:434,krb5_c_prfplu:181,kprop_port:[273,28,689],kadm:540,copyright:[836,26],"0x0200":468,ticket_lifetim:[812,792],solut:895,local_addr:[693,449,536],krb5_cc_cursor:[133,610,243,36],gssapi_err_gener:330,couldn:814,templat:836,krb5_gic_opt_pa_data:36,log_info:10,iec:26,ckto:658,krb5_libos_badpwdmatch:[914,606],krb5_change_password:181,hit:181,unus:[848,642,671],krb5_x:2,luke:493,lehmann:330,express:[70,44,330,812,176],last_fail:423,nativ:[452,302,792,649,28,323,576,47],mainten:[70,44,423],r_address:189,authoriaz:727,liabl:330,krb5_responder_question_otp:[521,181],krb5_verify_init_cr:[521,181],hin:26,think:[119,4,473],establish:[504,17,27],krb5_init_creds_set_password:181,crt:[812,10],synthet:[167,323],synthes:[623,857],krb5_auth_con_set_req_cksumtyp:181,rfc:[17,181,812,73,10,493,869],crc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],salttypep:432,encrypted_timestamp:812,crl:[812,10],reply_out:59,certif:[275,10,812,515],set:[70,423,776,484,689],dump:689,tokenid:433,slavehostnam:63,pid:[45,689],startup:895,krb5_get_permitted_enctyp:181,decompos:478,mutabl:78,emac:452,sed:452,sec:181,arg:[741,811,452,70,437,598,140,331,44],reserv:[330,462],delpol:[70,44],unqualifi:792,whatsoev:330,analog:794,encrypted_challeng:812,gss_iov_buffer_flag_alloc:17,simultan:78,gladman:330,"_krb5_responder_pkinit_challeng":319,someth:[10,814,27,473,73],particip:[812,895],nopw:[70,44],reus:44,mutex:78,recv_hook:167,kth:330,netlogon:236,experi:[776,576,493,73],krb5_merge_authdata:181,altern:[504,63,452,895,715,17,662,812,28,330,10,203,640],krb5_set_kdc_recv_hook:181,bourn:895,plugin_base_dir:812,syntact:812,numer:[562,423,890,895,362,576,176,400],norandkei:[70,794],ebaa:713,isol:493,disallow:32,krb5_anonymous_realmstr:49,krb5_flag:[224,229,737,739,324,65,1,568,686,307,817,642,657,259,363,697,30,378,36,826,916,447,544,793],fundsxpress:330,succeed:[895,814],outfil:423,oid_op:330,local7:10,enc_err:565,stale:[812,776,248],struct:[345,737,334,17,181],disclaim:330,fail:[794,812,724,70,423,73,44,10],last:[449,434,70,566,181,423,44,10],delimit:[812,374],mandir:452,db_header:452,alon:[895,4],dns_lookup_kdc:812,unspecifi:[812,493,27],vopt:521,context:[521,449,287,394,17,147,181,812,920,124,399,166,129,217,345,12,428],pdf:[776,713],prng:[377,580,452,576,330,639],whole:[44,77,504,524,258],require_auth:[70,576,321],krb5_kt_have_cont:181,simpli:[521,504,208,17,662,764,104,203,559,119],reject:[794,895,812,321,814,10],tgt:[521,504,320,248,181,73,44,10],point:[794,613,614,1,452,895,70,924,576,17,479,812,100,73,44,519,23],schedul:[44,73],ret_valu:[124,428],cryptosystem:73,krb5_crypto_typ:[551,924],residu:[562,614,273,918,620,249,812,386,608,815,493,640],header:[423,812,17,181],fashion:[275,437,330],realm1:45,smard:812,realm3:45,linux:[576,614,452],cakei:504,krb5_os_localaddr:181,bridg:576,mission:437,krb5rcachetyp:[273,27],etype_list_length:[55,829],backend:95,authz:34,krb5_cc_get_princip:[731,181],outbuf:[267,821,364,363,1,318,384,832,215],krb5_get_init_creds_opt_set_forward:181,stamp:[423,566],krb5_fcc_intern:125,devic:[70,10,812,521,44],due:[44,32,147,27,73],empti:[521,812,453,70,208,181,423,292,185,44,10,32],implicit:10,have_getusershel:437,whom:[330,119],secret:[521,70,208,17,812,847,10,119],libverto:[850,452],krb5_c_init_st:181,dup:10,name_s:207,krb5_get_renewed_cr:[181,307],krb5_plugin_ver_notsupp:4,nonexist:576,address_list:829,kdc_tcp_listen:[10,895,504],"_krb5_checksum":154,modern:[794,44,73,473],brother:330,nrl:330,fire:493,clariti:437,buflen:[164,879,874,171,690,597,756],consequenti:330,coordin:764,nonrepudi:504,understand:521,krb5_copy_princip:[731,181],func:[784,151],demand:519,input_ccach:640,educ:792,enc_part:[336,636,309,35],imap:[783,473,452],"_krb5_init_creds_context":650,acount:662,krb5_pac_privsvr_checksum:595,creativecommon:330,stolen:104,datarootdir:452,nofork:689,kdc_tcp_listen_backlog:10,krb5_mk_priv:181,erron:147,rep_result:642,durat:[70,10,660,812,44],camellia256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],norealm:[10,73],"while":[895,434,70,812,321,814,44,10,73],gss_init_sec_context:17,match:[794,724,30,10,346,65,17,181,124,686,32,473,504,70,422,318,423,428,812,776,436,662,275,44,792],behavior:[70,10,812,73,662],error:[70,63],krb5rcachedir:[273,28,27],input_name_buff:764,pepper1:72,robin:794,subsect:[504,812,434,515,662,275,321,10],propag:[812,63,132,423,73,56,689,10,32],malloc:815,ldname:452,readi:[423,895],g_userok:330,krb5_timestamp_to_str:181,influenc:473,readm:[836,26],confound:182,revers:[423,44,812,792,794],itself:[794,613,614,94,685,194,555,842,168,850,10,178,409,17,882,73,689,688,521,63,70,764,812,348,144,486,89,159,801,662,793,666,44,45,104],cred_handl:[17,764],dget_tgt_via_passwd:437,limit:[895,437,330,44,10,493],yourdir:895,illinoi:713,rcptr:586,dedic:895,"_krb5_ticket":309,ccselect_plugin:[698,4],gs2:576,my_respond:521,minim:[423,44,73],error_t:330,mistakenli:9,new_reply_out:[857,59],krb5_kvno:[711,730,370,847,36],serverauth:812,krb5_cc_set_config:[449,181],shorter:812,libc:473,lengthi:576,decod:[521,291,812,181,463],krb5_mk_error:181,viola:794,sqlite3:423,wicker_materi:4,swig:330,conflict:[15,325,568,662,213,764,547],krb5_principal_unparse_short:489,sell:330,k5user:437,"0x00200000":313,x86:[576,452],g_inquire_cr:330,optim:452,nersc:812,cppopt:452,alert:10,krb5_int32:[266,727,115,234,457,676,865,461,773,481,189,690,312,299,695,531,85,904,701,324,485,432,36,717,387,279,852],temporari:[895,855,70,159,27,812,28,44],glossolalia:73,enctype_aes128_cts_hmac_sha1_96:578,enctype_aes256_cts_hmac_sha1_96:96,transitori:73,built:[521,812,662,181],sha2:[10,576],lower:[783,25,70,815,17,812,44,32,656],sha1:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],is_skei:[173,686,793,323],ktype:[378,34,871,224,657,105],older:[44,576,850,73],entri:[794,855,566,10,493,895,814,17,181,73,32,473,521,504,63,70,812,138,515,434,147,100,44],krb5_princ_typ:2,keytab_nam:562,harm:27,honor:[147,104],www7:713,person:[895,119,330,104,56],medvinski:437,krb5_cc_end_seq_get:181,uint32_t:809,"0x10000000":[757,398],ppdata:[522,732],mon:[70,44,434],ldb:452,construct:[521,776,615,857,363,17,646,4,185,59,576,417],krb5_kdc_req:36,dejagnu:[203,452],gss_c_accept:17,anonym:[70,10,662,44],ba548_90007:713,mslsa:614,outprinc:726,envvar:812,emailprotect:812,krb5_get_validated_cr:[697,181],"76cho3000":330,administ:[794,895,689],question:[10,776,493],g_verifi:330,myremotetokentyp:10,priorit:493,confvalid:836,cut:493,restructuredtext:776,lockouttim:[70,44],forbid:[70,44],ldap_kdc_sasl_realm:10,hostaccount:662,win:330,input:[791,17,181,44,12,669],gss_buffer_t:[17,764],slave:[794,812,228,63,132,566,689,423,100,73,56,44,10],approxim:26,useless:73,passcod:592,vendor:[540,897,433],authdata2:323,authdata1:323,format:[423,10,32,812,776],princ1:[265,368,504,511,130],princ2:[265,368,504,511,130],allow_postd:[70,44,484],transmit:[615,576,17,850,185,44],apt:855,step:[794,504,855,895,437,423,73,44],resid:[521,613,783,330,184,493,794],gss_iov_buffer_t:17,inetcomperson:855,account_expir:[907,278],krb5_c_prf:181,redirect:[812,895],g_exp_sec_context:330,success:[450,453,876,455,230,672,674,234,10,11,12,595,461,411,726,463,247,249,881,686,129,687,599,254,690,256,257,277,258,693,887,586,695,27,872,483,699,701,229,703,708,272,276,274,712,40,740,711,716,308,491,279,44,756,502,840,507,291,292,734,736,133,604,298,744,745,300,1,732,143,72,517,74,848,77,69,519,310,489,521,522,312,759,63,761,70,316,318,718,85,245,108,88,774,423,535,536,146,825,781,852,671,651,102,791,549,874,105,107,551,340,110,111,112,114,342,344,346,723,121,565,30,773,334,352,568,569,479,125,572,357,859,817,818,580,823,369,131,620,363,364,365,590,137,921,141,374,597,658,377,730,600,841,39,603,148,149,384,385,606,91,610,543,611,158,389,615,648,412,164,860,821,862,400,171,621,625,738,406,739,524,875,631,632,877,879,182,413,251,185,914,753,415,639,417,267,890,641,190,642,628,420,421,646,422,322,197,362,803,200,901,903,653,429,820,432,205,627,434,207,735,437,684,395,916,917,505,215,217,832,444,447,669],authdata_plugin:885,lnsize_in:129,signal:45,threadsaf:912,krb5_vwrap_error_messag:181,resolv:[794,792,181],elaps:[70,44],collect:[273,812,17,181],princip:[63,724,70,132,566,484,423,138,73,689,45,814],"boolean":[208,181,423,44,920,10],wicker_appear:4,"0x0080":607,fnal:330,popular:895,krb5_get_credentials_renew:181,"1foo":812,two:[449,434,476,70,504,248,181,812,662,44,10,895,473],signedpath:[70,10,44],krb5_get_init_creds_password:[521,907,743,224,181],encount:[562,895,812],krb5_pac:[258,420,36,148,765,718,901,688,595],simplifi:532,acknowledg:330,creation:[812,44,563,73,504],some:[423,228,724,273,812,662,275,70,73,44,10],gen_sym:437,listpol:[70,44],kdc1:493,strongest:[639,248],krb5_read_error:181,sampl:[794,814],referral_valid_until:220,cacheconf:323,structuralobjectclass:855,sizeof:[521,815,17],surpris:73,modulepath:812,certlabel:812,krb5_c_random_se:181,"0x2000":396,charg:330,issueraltnam:504,"0x01000000":354,per:[614,423,223,815,566,226,455,850,10,493,17,248,413,73,687,521,70,812,698,476,208,662,608,44,45],gss_qop_t:17,recognit:[576,330],substitut:[812,504,330,895],retri:[10,208,493],larg:[521,895,759,791,131,346,208,493,820,44,10,203],slash:672,numwork:45,necessari:[853,504,515,855,895,70,17,479,4,812,413,73,885,44,119,493,792,104,606],reproduc:330,datebas:689,machin:[794,476,228,63,515,812,100,73,56,689,814],krb5_c_enctype_compar:181,run:[794,614,855,452,576,10,493,562,895,248,73,689,126,566,814,504,63,515,70,26,423,28,100,203,812,437,147,662,386,44,45,792],refresh_tim:323,winbind:662,pa_type_list:[413,850],agreement:330,unport:330,fulvio:713,"0x00000001":[5,268,214,174,375,46],kdc2:493,ap_req_checksum_typ:812,from:[776,63,724,70,132,566,484,423,138,689,45],krb5_auth_con_getsendsubkei:[210,181],resiz:479,cmac:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],krb5_get_profil:181,usa:330,constraint:[783,330],mechglu:[330,764],materi:[521,330,73,4],prove:[521,413,850],gss_krb5_cred_no_ci_flags_x:576,dns_uri_lookup:[812,493],strcmp:815,disclosur:[32,576],argv_pars:330,gss_create_empty_oid_set:764,userok:608,loadabl:[812,10,764],"5h30m":640,fulfil:437,hesiod:[812,330,452],timeofdai:852,real:[812,461,437,381,511],primarili:[920,518],krb5_referral_realm:181,krb5_keyusage_pa_sam_respons:325,canonhost_out:188,"_krb5_data":596,target_user_login_nam:437,bsd:[576,330],krb5_rd_rep:181,krb5_rd_req:181,mydir:614,contributor:[330,462],chang:[794,812,724,515,70,566,423,73,10,32],nss:330,inclus:330,institut:[330,462],fictiti:104,carnegi:330,megabyt:26,krb5_pwd_data:36,fast:[812,10,208,181,504],krb5_get_init_creds_opt_set_pac_request:181,krb5_get_init_creds_opt_set_respond:[521,181],prompt2:914,krb5_tc_supported_ktyp:686,pocoo:126,krb5_chpw_pwdnull:606,forward:[794,895,70,208,17,181,812,473,44,10,792],crit:10,mach:[812,330],usr:[126,895,855,63,452,437,484,812,28,814,44,10,540],"0x00000002":[779,667,800,315,306,173],krb5_enc_tkt_part:36,gss_iov_buffer_type_stream:17,vprintf:[811,140,331],krb5_mk_safe:[267,181],server1:[44,484],krb5_cc_nosupp:65,pwd:203,screensav:104,link:[895,776,515,162,812,44],translat:[812,129],newer:[452,423,473,44,10,73],krb5_free_unparsed_nam:181,line:[70,776],mitig:[521,576,27],krb5_crypto_type_sign_onli:[385,600,247,310,149],info:[33,895,891,161,576,136,665,10,324,793],concaten:[482,563,764],gss_wrap_iov:17,utf:[521,242,330,593,235,511],consist:[608,26,159,323,812,672,687,493],princ_stringattr:423,confusingli:521,checkout:126,dns_lookup_realm:[812,493],infd:256,fdii:104,redistribut:330,doc:[126,713,515],readlin:452,gssapiv2:17,similar:[648,632,576,226,4,234,411,811,17,247,877,575,310,489,267,759,744,631,131,363,479,423,368,140,820,812,600,437,603,275,385,505,791,104,444],impl:452,krb5krb_ap_err_skew:502,kaduk:73,gss_c_buffer_type_trail:17,constant:[521,49,227,661,485,678],curs:452,user_dn:[44,484],flush:815,doesn:[614,724,352,27,423,44,869,119],unauthent:100,"char":[449,450,224,453,671,672,494,12,3,17,249,129,690,695,479,264,235,701,31,703,708,712,308,489,815,286,51,292,509,741,514,72,752,77,38,756,521,81,318,108,771,242,535,781,331,191,549,110,341,277,344,120,811,124,428,827,818,577,362,363,590,914,831,139,140,835,240,374,596,597,841,848,606,853,557,164,620,863,397,400,171,524,632,877,878,879,881,188,417,890,642,421,897,422,874,656,432,207,211,217],container_dn:[70,44],incomplet:812,int_max:380,openldap_ldapconf:10,home:[783,437,748,662,812,184,484,44,119],krb5_free_address:[723,181],enc_padata:324,kdcissu:181,unifi:776,krb5_get_init_creds_opt_set_change_password_prompt:181,krb5_principal_parse_enterpris:632,"0x0400":66,pre_auth_typ:[378,224,657],ticket_authdata:436,bracket:[812,10,662],krb5_ccselect_vt:4,nat:[812,44],krb5_cc_close:[88,181],addpol:[70,44,434],"0xfffffff0":21,krb5_kt_nowrit:[158,395],particular:[521,504,724,452,17,249,812,119,330,321,73,56,10,32,203,104],interface_modname_initvt:4,krb5_pwqual_moddata:455,krb5_cred_info:[189,36],clean:[737,44,862,372],lucid:95,meaning:[70,44],search_scop:[44,484],libtool:4,refrain:764,mymodul:662,gss_acquire_cr:[576,17],true_principal_nam:220,infrequ:576,algorithm:[452,437,603,248,330,73],vice:[504,576],krb5_kt_read_service_kei:181,krb5_free_keyblock:[111,736,653,181,369],ldap_kdc_sasl_mech:10,namelen:374,delta:[10,181],krb5_k_free_kei:[406,251,921,181,915],inout:[820,114,759,600,642,39,131,363,695,568,479,149,840,1,914,234,791,310,669],"_krb5_auth_context":513,far:504,fresh:[794,437,776,56],creatorsnam:855,krb5_context:[449,3,453,671,494,674,877,9,458,11,12,411,243,681,463,247,686,129,629,256,257,693,639,872,483,699,266,708,272,491,721,502,287,507,509,738,604,298,745,65,143,72,517,77,69,310,521,312,85,88,774,535,536,146,825,163,784,191,651,791,237,551,340,110,112,716,342,115,345,346,723,349,352,124,125,859,818,577,580,840,823,369,131,620,133,365,921,658,377,603,149,91,610,543,611,393,394,166,736,399,401,625,869,406,179,876,181,182,151,887,322,197,362,920,653,428,922,205,524,300,210,684,915,916,505,217,444,447,669],endtim:[660,30,323],realmlist:277,getaddrinfo:473,code:[453,30,230,674,877,9,10,11,12,411,726,463,17,247,686,129,256,257,693,639,872,483,699,671,272,276,491,277,308,274,44,723,840,507,291,734,736,738,604,298,745,65,143,72,517,77,310,756,521,312,318,85,774,812,776,535,536,146,825,102,791,551,340,110,111,112,716,342,346,69,352,125,818,580,393,823,369,131,133,365,921,141,597,658,377,603,147,149,91,610,543,611,164,620,171,625,406,627,876,181,182,887,190,322,197,362,653,205,524,300,684,916,505,217,669,447,444],partial:[521,32,73],autodoc:126,queri:[521,70,576,17,44,493],makedepend:836,keytabl:847,recomput:191,jimi:814,edt:[70,44],krb5_princ_realm:2,oldcc:330,cmd_path:437,krb5_copy_context:181,issuer:[812,504,403,373],proponli:[44,689],privat:[504,709,452,576,812,23],procur:[504,330],krb5_rd_rep_dc:181,ac02:330,slot:[812,138],sensit:556,elsewher:56,friendli:576,send:[794,895,776,273,689,147,248,181,812,100,44,10],cachetyp:576,nippon:330,behalf:646,krb5_kt_close:181,aris:330,fatal:393,sent:[563,642,203,208,17,147,27,423,850,44,10,623,59,576,104],deactiv:10,lndir:836,alphanumer:812,rollback:73,whichev:794,kcm:[812,576,330,614],rout:895,hierarchi:44,krbtest:[563,434,147,783,321,44],disast:493,max_renewable_ticket_lif:[44,484],spoof:[812,493],korea:330,krb5_build_principal_va:181,tri:[449,568,812,687,10,519],portmapp:44,magic:[336,503,727,900,457,425,525,904,635,125,309,755,818,189,889,360,583,259,636,647,370,443,485,837,324,596,34,35,826,847,544,496,154,793,499],complic:[504,452],"try":[452,434,437,17,147,812,100,473,44,493,119],ctx:[615,699,286,860,51,736,341,240,9,62,121,406,739,242,811,245,919,17,185,74,357,753,38,397,417,761,412,421,322,649,831,921,140,141,235,653,269,774,735,911,211,331,483,157,47],krb5_princ_set_realm_length:2,addr2:[287,394],freed:[449,722,49,557,3,194,227,51,166,555,168,59,120,178,745,300,409,334,882,22,348,649,688,264,835,144,242,89,708,435,276,94,857,341,191,666,543,47],modifytimestamp:855,proof:181,pleas:[794,10,776,433,23],malici:[70,44,521],impli:[330,640],"0x8":838,"0x3":772,"0x2":[212,448,679,833],"0x1":[128,68,382,343,216,886],kadm5_hook_plugin:223,pkcs11:[812,330],pkcs12:812,"0x4":[469,116,296],cron:[10,493,56,895],krb5_prog_etype_nosupp:137,gmbh:330,name_typ:504,download:[330,713,63],aprepencpart:636,odd:104,click:895,append:[853,452,70,159,44,10],krb5_vprepend_error_messag:181,compat:[812,10,63],index:[423,515,26,713,275,831],compar:[731,181],chicago:330,tmppolici:[44,484],resembl:118,"_krb5_ticket_tim":660,access:[794,613,614,576,850,56,10,493,895,17,413,73,689,885,32,566,521,504,63,515,70,762,812,100,203,476,434,662,275,608,44,792],gss_c_buffer_type_sign_onli:17,rhost:318,princ_nam:504,udp_preference_limit:812,addprinc:[70,44,895,176,504],trillium:[794,100,104],whatev:493,krb5_auth_context_generate_local_full_addr:256,ldap_service_password_fil:[10,855,515],krb5_kdc_unreach:606,krb5_auth_con_genaddr:181,leg:576,g_init_sec_context:330,len:[825,148,901,814],target_principal_nam:437,bodi:[34,850],intercept:[764,662],logout:[386,104],ubuntu:95,safer:119,becom:[423,776,812,191,841,895,437,640,73,56,357,44,493,119,606],cf2:181,krb5_cc_get_typ:181,rtime:34,great:[32,375,422,686],produc:[521,298,812,26,562,423,182,413,850,687,44,540],convers:[812,563],krbadmin:[10,515],larger:[504,302,100,576],technolog:[330,462],autoreconf:203,dsa:326,cert:[812,504,321,515],typic:[521,794,792,223,37,586,17,248,4,455,812,28,413,850,698,689,10,149,493,126,473],rdn:[812,794,17,792,473],inptr:[261,222],explain:895,revoc:[812,10],writer:776,starttim:[660,323],danger:[437,56],revok:[812,10,434],realloc:449,g_initi:330,dprinc_look_ahead:437,foundat:330,princ_out:393,"8h30":176,expect:[895,258,765,147,83,422,812,413,73,885,126,104],auth_context:[312,166,732,115,234,736,458,11,625,869,832,784,406,179,1,568,569,151,821,254,267,522,256,695,642,369,693,363,364,318,872,921,266,653,536,745,272,210,915,384,917,215,85,543],krb5_ui_2:36,krb5_c_encrypt:181,asan:452,getnameinfo:473,gss_wrap_aead:17,oldest_kvno_to_keep:70,fee:330,feb:566,tar:[26,203],eperm:608,commun:[504,614,515,812,895,17,857,776,275,330,698,836,44,23],client1:504,client2:504,doubl:176,chl:[521,269,157,47],kpasswd_port:10,g_dsp_name:330,next:[377,895,434,131,840,181,423,70,56,44,791,669],krb5_trace:[273,853,147,372],few:[119,452],gss_add_oid_set_memb:764,gss_c_qop_default:17,krb5_decrypt:181,db_princ_arg:[70,44],gssi_import_cred_by_mech:764,stage:[73,223],remaind:812,sort:473,armor_ccach:640,addrtyp:[431,499,323],comparison:812,factor:812,gss_export_nam:17,trail:[10,437],keytab_out:200,rabbit:493,actual:[521,820,114,759,744,434,39,131,505,631,27,149,423,73,840,44,444,791,248,104,669],krb5srv:493,socket:[812,10,208,181],high:[321,27,73],account:[812,10,162,662,44],schneier:576,retriev:[70,423],krb5_kuserok:[731,181],augment:764,alia:[708,3,70,181,138,44],ride:10,alic:[783,138,184,662],critic:[521,23],inprinc:726,subregion:17,obvious:100,endian:[302,563,764,323],meet:783,adtyp:360,"0x08000000":[445,844],fetch:[524,689,423,458,484,44,45,519],client_kei:576,control:[794,615,452,473,815,576,226,455,10,895,743,746,17,748,73,687,885,32,519,185,521,504,515,689,812,698,248,476,208,147,662,328,608],sqlite:423,malform:[362,58,318,323],contempl:330,process:[521,895,812,70,566,17,181,423,73,191,44,10,45,689,794],pcreddata:254,sudo:855,mech_typ:764,krbcontain:[10,855,515],"_krb5_ap_req":259,"_krb5_ap_rep":[636,904],tag:[812,10,895,323],proprietari:208,"_profile_t":[737,334],tab:[70,44,576,423,672],krb5_kdc_profil:[895,63,273,576,28,10,45,566],addrtype_addrport:[821,215],serial:[566,17],krb5_clpreauth_modreq:413,krb5_principal_parse_ignore_realm:632,repl:569,"function":[483,49,453,840,227,312,166,877,736,458,12,895,406,411,745,349,625,17,876,181,182,124,72,73,310,521,256,369,131,70,322,423,920,921,699,44,653,651,428,774,434,272,693,915,275,217,85,791,543,505,669],delai:[452,576,27,44,493,640],pkinit_pool:[812,10],aes256:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],deltatp:712,unrestrict:[613,100],krb5_k_key_keyblock:181,occur:[237,745,258,70,566,27,423,372,44],local_appdata:812,brian:330,kbuild:836,"05pm":176,commonconfig:812,krb5_set_trace_filenam:181,subdirectori:[812,28,836,662,126],pwqual_plugin:455,instead:[452,576,672,850,10,59,562,895,811,184,73,689,575,473,521,63,258,70,421,764,423,140,142,812,437,329,330,44],kdb5_util:[427,689],unenc_authdata:34,keyencipher:[812,504],circular:44,msdn:576,klau:330,overridden:[724,576,27,812,32,45],"0x7fff":[888,705],roam:812,gcc:452,"_krb5_enc_data":370,conf_stat:17,inst:217,request_fini:413,krb5_init_creds_context:[36,412,911,421,761,245,185,74,357,753,417],dbutil:330,krb5_cc_new_uniqu:181,krb5_pac_client_info:595,alloc:[521,840,745,453,131,17,181,149,166,791,669],drop:576,essenti:10,pkinit_eku_check:[812,10,504],amount:[580,114,434,493,26,840,812,914,10,346],counter:[70,44,434],interprocess_token:764,element:[521,181],issu:[521,504,373,724,434,660,70,208,17,248,275,100,73,44,10,403,493,812],winbind_krb5_loc:662,unaccept:27,allow:[794,812,724,473,56,10,895,17,248,181,73,689,32,814,521,504,63,70,423,100,321,484,476,434,208,147,662,275,44,45,792],minlength:[70,44],delent:138,krb5_k:78,fallback:[70,44,812,521,687],default_keytab_nam:[812,159,746],retval:[450,453,876,229,230,672,494,674,234,235,458,11,12,595,461,411,243,726,463,247,249,881,686,129,586,254,690,256,257,277,258,693,887,639,695,135,479,872,483,699,265,266,701,30,703,272,276,274,712,40,740,711,716,308,491,279,756,502,684,287,507,291,292,734,736,133,604,511,298,744,745,65,1,732,143,72,517,74,848,77,69,519,310,489,522,312,759,761,316,318,718,85,245,108,88,774,535,536,146,825,781,784,852,671,651,102,791,549,874,853,105,107,551,340,110,111,112,114,342,115,344,345,723,121,369,627,565,334,352,568,569,125,357,859,817,818,580,840,823,130,131,620,363,364,365,590,368,137,921,141,374,597,658,377,730,600,841,39,603,148,149,384,385,606,91,610,543,611,158,389,615,648,412,163,164,860,821,166,862,863,400,171,621,625,738,406,739,524,875,631,632,877,879,182,251,185,151,914,753,415,417,267,890,641,190,642,628,420,421,422,322,197,362,920,803,200,901,903,653,429,820,432,205,206,207,735,912,300,395,915,916,917,505,215,217,832,444,447,669],krb5lib:895,houston:493,krb5_cc_get_flag:181,h5l:[812,449],"h\u00f6gskola":330,move:[10,181,895],mkeytyp:[423,44,484],krb5_cc_set_flag:181,tcl:[203,452],comma:[812,70,423,44,10,45],defktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],cbdata:815,bunch:44,gss_c_nt_export_nam:17,key_data:[251,359],krb5_kt_default_nam:181,gss_acquire_cred_with_password:576,krb5_pac_pars:181,mypreauth:662,krb5_tkt_creds_step_flag_continu:615,chosen:[521,783,26,17,248,812,28,321,698,576],banner:[521,752,848],"_krb5_ap_rep_enc_part":904,whether:[521,812,411,63,434,208,248,181,423,662,73,689,10,45],restart:[504,895,147,73,44,10,32,814],krb5_preauth_fail:606,total:[10,437,640],anyon:[184,119],lockout_polici:434,therefor:[44,850,515,493,323],wellknown:[521,504,883,86],minor_statu:[17,764],"_krb5_enc_kdc_rep_part":324,krb5_get_host_realm:181,crash:[812,895,56],krb5_appdefault_boolean:181,dal:885,auto:576,sid:[812,846,851],dai:[504,812,70,181,740,484,44],auth:[515,17,181,321,166,10,493],krb5_free_cksumtyp:[91,181],mention:[10,330,515],krb5_end_seq_get:610,facilit:576,front:[10,672],krb5_pac_logon_info:595,krb5_timeofdai:181,gss_unwrap_aead:17,anyth:[812,504,869],edit:[228,138,855,814,724],unlimit:330,new_stat:197,uidnumb:614,dugsong:330,ietf:576,capath:10,mode:[423,63,452,913,70,437,147,83,150,899,355,73,44,10,576,640,356],ldap_kadmind_sasl_realm:10,tmpdir:27,verifier_cred_handl:764,subset:[836,493,452],usc:437,chunk:[310,600],relinguish:543,consum:885,localfr:662,keyagr:504,"static":[521,815,4],krb5_c_prf_length:[876,181],awk:423,our:[836,10,208,330,203],patch:44,iprop_en:[10,689,63,44],token_flag:771,special:[764,614,434,576,17,27,662,330,311,44,10,116,640,489],out:[450,452,453,876,30,230,672,674,234,458,12,411,726,247,249,686,129,586,656,253,254,690,257,631,639,695,872,266,701,671,703,711,274,364,712,40,740,308,491,279,44,756,47,723,504,840,507,291,292,293,509,737,739,298,744,745,606,1,732,143,72,517,74,489,522,312,63,761,70,316,318,718,85,108,88,532,774,812,535,536,146,825,781,330,651,102,549,200,237,105,107,551,110,111,803,114,346,119,69,121,565,349,334,568,569,124,814,125,357,817,580,393,369,362,620,363,133,365,590,914,921,141,374,597,658,730,841,39,915,765,603,147,148,604,384,385,386,734,91,610,852,614,615,648,164,860,821,862,736,400,171,621,402,403,406,524,408,629,875,632,877,879,182,251,185,151,887,188,267,890,641,190,642,628,420,645,646,422,245,197,649,874,901,903,652,653,428,429,432,373,627,434,207,436,208,415,684,792,917,505,215,217,832,444,447,669],variabl:[794,812,63,70,132,566,689,423,321,484,44,10,32,45],krb5_free_authdata:[436,887,181],matt:330,krb5_init_creds_get_cr:[753,181],intrud:104,contigu:17,reload:44,krb5_responder_pkinit_set_answ:[521,181],defend:27,develop:776,kdestroi:[614,762,792],send_hook:623,ret:[521,429],kdc_princ_nam:504,guarante:73,suitabl:[452,576,423,330,203,104],rel:[812,10,181],inaccess:493,hardwar:[521,562,895,70,850,44,10,104],krb5_cc_remove_cr:181,result_cod:[362,890,400],red:330,clarifi:504,krb5_set_error_messag:181,experiment:576,insid:[436,794,576,248],workflow:73,bleep:[70,44,138,184,104],krb5_post_recv_fn:[167,36],cleartext:[904,324,189],receiv:[63,70,566,17,147,181,812,73,44,10,493,689],standalon:[147,63],"_krb5_authdata":360,dictionari:[895,812,434,455,275,10,640],releas:[393,112,10,625,69,406,684,17,248,181,693,473,689,521,504,63,70,423,921,44,812,776,434,273,603,147,915,321,792,505],likelihood:44,afterward:[44,223],shortest:171,maxrenewlif:[70,44,32,484],postdat:[562,70,422,104,44,10,32,640],gssapiauthent:662,krb5_get_init_creds_opt_set_preauth_list:181,proxiabl:[70,10,812,181,44],backspac:672,unquot:423,could:[895,776,434,437,27,4,792,812,104,321,73,56,662,493,576,119],put:[904,672,45,895,689],mac:[836,258],keep:[794,434,70,26,27,44,203,566,119],counterpart:[32,792],conf_req_flag:17,length:[521,535,70,17,181,877,44,10,792],krb5_gc_user_us:30,ksu_opt:437,ltd:330,"_krb5_trace_info":31,ret_princ:701,distinguish:[812,44,330,484],krb5_princ_compon:2,krb5_find_authdata:181,endors:330,suffix:[662,452],krb5_responder_fn:[527,787,36],krb5_tc_match_times_exact:686,qualiti:[328,812,576,662],lcurs:452,echo:[914,848],date:[70,10,812,423,63],gssapip_spnego:330,certid:812,submit:[17,248],pgp:[26,23],lib:504,owner:330,"_krb5_tkt_authent":837,facil:[794,10,17,689],princ:[794,906,702,563,160,453,70,439,812,18,877,423,231,535,799,217,294,574,12,577],g_rel_cr:330,prioriti:[614,73,10,493,656,698],renewable_lif:640,strict:330,data:[521,449,812,515,70,566,17,248,181,423,100,73,44,10],annot:[208,321,576],enckdcreppart:324,mkdir:203,system:[794,890,110,400,10,740,461,17,181,73,129,32,473,521,504,641,823,895,70,639,423,100,812,434,273,208,147,275,191,44,45,792],wrapper:31,basicconstraint:504,hotp:70,attack:[521,812,724,434,576,27,275,100,832,73,44,640],uint_max:[612,392,283],physic:[100,493],lockit:70,termin:[45,181,689],"final":[812,32,133,203,604],rpath:[540,203,452],prone:576,kpserverauth:[812,504],udp:[794,812,615,576,226,275,185,10,45,493],shell:[70,44,895,484],krb5_ui_4:[36,420,29,727,148,917,457,904,595],eavesdrop:17,krb5_mk_req_checksum_func:[784,151,36],juli:176,rsa:[504,195,812,560,775,330,355,356,10,416,640],v5cred:345,biggest:73,krb5_set_password:[731,181,110],shall:330,krb5_address_ord:181,rst:[126,138],exactli:[895,437,479,763,812,686,173,683],krb5_auth_con_getlocalseqnumb:181,haven:452,securecooki:563,cacreateseri:504,krb5_free_cred_cont:[521,610,686,181],slack:493,particularli:[273,540,73,56,493,119],charact:[895,25,70,812,672,874,44,10,116,493,32,489],claim:330,sweden:330,crawdad:330,bind:[515,70,540,44,484,10,493,576],lrealm:[344,308,120],krb5_crypto_iov:[820,759,600,36,131,247,149,385,791,310],start_tim:[841,357,606,640],unencrypt:[336,34,35,727,100,215],asn:181,dbadmin:32,krb5_tkt_creds_get_tim:181,plaintext:[651,652],linker:452,initvt:4,correspond:[521,449,907,812,223,258,504,17,620,4,423,591,129,660,126,32,576],tom:70,mk_cmd:452,have:[794,614,223,724,473,576,226,4,455,850,56,10,493,869,119,121,563,349,302,17,748,413,184,73,885,126,32,640,814,521,504,821,63,895,70,26,27,764,423,100,698,323,203,248,656,812,776,686,434,761,437,662,330,215,44,45,792,104],ari:437,need:[452,453,30,230,672,234,10,12,726,17,249,686,687,254,23,73,26,695,872,701,711,491,40,308,316,718,44,723,504,815,840,507,292,734,509,739,493,895,744,745,684,1,68,118,143,517,689,32,489,521,522,759,764,100,88,812,535,536,540,176,102,791,549,104,794,796,105,107,110,111,114,343,559,119,69,563,565,568,569,814,357,821,369,131,363,586,921,141,126,836,658,730,39,603,147,732,384,608,91,610,614,615,576,393,860,862,736,915,869,406,524,875,632,877,251,185,885,887,188,640,267,641,364,642,628,420,765,245,423,901,903,653,203,656,820,515,627,434,436,792,215,832,505,669],chpass:[70,44,223],k5_gic_opt:[606,841],krb5_c_string_to_key_with_param:181,verbatim:330,min:[70,44,32,176],mic:855,cksumtypep:590,r18:[423,44],mix:104,localedir:452,initiator_cred_handl:17,which:[794,887,614,603,855,223,452,540,815,286,226,1,4,455,341,556,850,473,783,10,484,493,895,563,746,302,17,568,413,184,73,689,885,32,576,814,521,504,821,257,63,515,70,132,26,646,27,764,423,28,138,832,698,323,836,203,812,656,649,566,907,434,660,273,711,208,159,147,662,792,275,436,330,215,316,44,45,437,104,47],gss_:764,htmlsrc:126,ncsa:713,singl:[521,504,776,662,895,70,274,17,248,181,812,100,73,44,10,403,493],uppercas:[812,608],happi:330,unless:[613,724,576,248,730,10,493,895,17,748,73,572,32,519,70,423,100,372,812,437,662,608,44],deploy:[504,73],gss_c_buffer_type_pad:17,lk5crypto:540,who:[504,776,895,44,321,104,484,10,119],oracl:[330,713],presid:330,ldap_kadmind_dn:[10,515,484,855,44],kungliga:330,krb5_cccol_last_change_tim:[449,181],ap_opts_mutual_requir:[1,568,642],eight:792,"_krb5_transit":496,pa_real:413,segment:493,kerboro:476,gss_add_cred_with_password:764,pa_replaces_kei:850,krb5_cc_switch:181,marshal:[576,563,323],placement:27,won:[812,504,104],url:[275,10,493],hopefulli:434,stronger:[812,321,73,248],uri:[895,70,576,812,44,484,10,493,792],issuanc:[70,44],inde:104,deni:[434,70,437,662,608,44],furnish:330,determin:[895,256,393,411,63,273,876,17,812,840,181,423,70,662,191,44,10,689],occasion:[895,27],constrain:[70,44],krb5_trace_callback:[372,36],"_krb5_enc_tkt_part":826,gss_cred_usage_t:17,krb5_ap_rep_enc_part:181,maco:836,source_us:437,krb5_keytab_entry_st:847,"12h":[10,895],text:[521,504,563,242,208,662,110,423,139,457,44,540,924],verbos:[794,70,423,44,203,640],tty:[44,484],lcom_err:540,localauth_plugin:608,visibl:[44,576,73],anywai:[521,10,1,493],krb5_keytab:[158,389,293,234,621,568,249,519,412,695,135,200,835,803,374,657,206,841,36,711,415,40,395],subjectkeyidentifi:504,ksu:[361,330,762],kadmin5:100,krb5_kt_default:181,locat:[515,63,273,132,812,689,10,32,45],launchpad:713,much:[473,73,119,686],klist:[794,614,762,159,73,792],forev:[70,44],incident:330,should:[794,855,724,473,56,10,493,895,17,248,73,689,814,521,504,515,70,423,100,484,812,776,662,275,44,45,792],resubmit:640,suppos:[184,104],execprefix:452,libkdb_ldap:855,local:[521,895,855,63,662,70,208,17,181,812,100,73,44,10,484,493,794,814],hope:330,meant:104,count:[774,70,181,423,699,44],keyr:[576,614],aesni:[330,452],krb5_verify_init_creds_opt_set_ap_req_nofail:[521,519,181],armor:[10,181,504],cuba:330,password_expir:[907,278],convert:[812,17,855,73,181],michigan:330,kdckei:504,krb5_pac_get_typ:181,autom:203,krb5_kpasswd_success:[362,400],g_store_cr:330,theori:330,increas:[131,328,820,759,791],krb5_enctype_to_str:181,db3:452,db2:[434,70,576,28,44,836,10],krb5_kpasswd_harderror:362,result_code_str:[362,890,400],k5_vic_opt:[572,204],krb5_rcach:[458,586,543,36],source_cache_nam:437,my_proxi:812,princnam:[521,614,434],enabl:[794,614,452,10,493,895,745,17,73,689,504,63,70,26,27,812,832,515,437,147,662,328,920,44,208],"0x00040000":170,upper:[70,44,32,25,493],krb5_xc:2,s4u2proxi:[17,323],admin23:515,sha:[812,10,576,73],kadmind:[70,427],des3:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],she:[184,104],partit:493,contain:[794,566,393,620,399,736,10,493,895,17,181,689,32,521,504,63,369,70,423,484,653,812,515,147,662,275,44,792],nist:812,dnsname:812,conform:[812,26,25,576],listprinc:[70,44],krb5_rc_st:807,unimport:323,signatur:[195,373,326,815,26,764,560],persist:614,frame:323,knowledg:[776,413,850,73,56,519],abort:[598,741,226],packet:[10,208,45,850,1],dcmd_path:437,krb5_prompt_type_new_password:591,p27:713,krb5_free_tgt_cr:181,int16_t:153,troubl:713,krb5_copy_cr:181,krb5_principal_data:[731,485,900,36],krb5_principal_compare_casefold:511,correctli:[857,17,59,814,119],pattern:[423,812,783,662],dll:[764,815,662,4],cache_out:[393,88],slapd:[515,855],time_req:17,krbcore:23,progress:[10,73],neither:[562,70,437,17,812,330,44],num_prompt:[752,848],email:[816,776,119],auto_to_loc:812,perfect:27,krb5_c_decrypt:181,sole:812,nowait:[895,814,63],k5ident:[812,762,748,662],kei:[855,724,70,566,423,138,814,484,45],enc_part2:[336,309,35,389],krbtgt:70,top_srcdir:126,job:[895,493,63,56],entir:[70,478,850,73,323,493],crc32:812,mailbox:27,lawsuit:330,embed:523,convei:[773,576,54,73,330,44,493],david:[794,44,119,104],doxygen:[126,776],plugin:[70,10,855],admin:[794,895,855,63,515,70,484,812,321,73,689,44,32],goal:521,modnam:[812,662],g_sign:330,krb5_cc_support_switch:181,etc:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],aspecif:730,instanc:[434,273,662,812,44,32,792],sesam:[521,303],kv5m_context:[818,125],ccapi:[836,330],gssd_pname_to_uid:330,freeli:330,krb5_responder_otp_challenge_fre:[521,181],krb5cc_1984:437,krb5_pa_svr_referral_data:36,krb5kdc:[776,63,724,70,132,566,689,423,484,427],gss_display_statu:764,krb5_cccol_cursor_fre:181,cc246091:576,kpropd_rpc:330,arriv:27,walk:[423,44,119],vnder:73,rpc:[812,10,17,181,44],ucb:437,commenc:895,hellman:[812,10,640],advertis:[812,330],msg_type:[34,35,324],krb5_vset_error_messag:181,mailman:23,gssi_import_name_by_mech:764,tort:330,target_nam:17,"_krb5_kdc_req":34,"_krb5_kdc_rep":35,krb5_init_creds_fre:181,e_data:[850,457],insuffici:[522,452,732,395,292,318],g_unseal:330,json:[521,433,70,208,649,323,118,47],krb5kdc_err_more_preauth_data_requir:850,treat:[258,70,208,17,646,812,399,511,323,640,593],krb5_fences_vtable_v2:4,foreground:[63,689],popul:[449,73,611],infrastructur:[812,836,203],bit:[521,504,302,17,568,686,323,916,115,266,10,437,447,73],searchscop:[44,484],caddr:[324,826,544],presenc:323,sock_stream:226,assert:[576,17,850,323],krb5_principal_parse_no_realm:632,krb5_recvauth:181,srcdir:126,otp:[70,321],presens:812,profile_module_init_fn:815,kdc_timesync:812,gss_wrap_iov_length:17,replic:[895,63],multi:[504,576,434],novel:330,requested_principal_nam:220,virtual:[812,794],plain:563,krb5_libos_pwdintr:606,cursor:[133,610,243,181],pkinit_cert_match:812,realmsp:[292,656],in_cr:[697,30,642,1,307],wild:[70,44],kdc_option:34,cve:576,krb5_kt_end_seq_get:181,layer:[885,576,764],c89:26,blocksiz:365,cell:73,cultur:330,kdc:[855,63,70,566,689,423,484,45],site:[794,44,493,895],archiv:26,default_valu:[124,428],substanti:330,lightweight:836,krb5_auth_con_getremoteseqnumb:181,headernam:452,revis:330,wkt:138,greater:287,tamper:17,incr:627,denial:812,let:[226,184,39,669],portiion:330,parti:[208,17,662,330],cc246071:576,num_data:[820,759,600,131,247,149,385,791,310],cross:[812,10],bjaspan:[70,44],himself:104,handl:[70,208,17,181,423,73,458,44,32,88],incc:146,krb5_fast_requir:229,largest:434,fubar:812,com_err:[773,452],fide:493,difficult:434,v4cred:345,massachusett:[330,462],krb5_keyusag:[820,114,759,600,744,36,131,631,39,247,840,197,385,444,791,310,505,669],digitalsignatur:[812,504],api:[776,17,147,73],upon:[423,44,437,63,452],entryfrom:181,krb5_free_data:[230,181],krb5_int16:36,uucp:10,tortiou:330,"83final":713,dealloc:[608,877,687],login:[273,10,812],expand:812,audit:576,krb5_preauthtyp:[378,224,644,36,829,635,657],johndo:812,mech:[576,764,662],off:[794,434,662,812,914,848,493,792],"0x04000000":[209,464],client_princ:521,krb5_k_verify_checksum:[181,444],interpos:662,authoritykeyidentifi:504,concis:815,theodor:330,set_cooki:[576,850],krb5_c_make_checksum:181,krb5_pac_add_buff:181,filesystem:[10,44,504,895,28],undefin:[437,133],undertaken:776,sandia:330,gss_iov_buffer_type_head:17,piec:[434,586],latest:[895,660,576,30,203,104],test1:[70,44,176],test3:[70,44,176],krb5_auth_con_init:[181,166],deltat:164,test4:176,librari:[3,453,671,230,494,674,877,9,458,11,12,411,243,726,463,17,247,248,686,129,629,256,257,693,639,872,483,699,266,486,555,708,272,491,713,275,274,502,287,507,291,734,10,509,738,604,298,745,65,143,72,517,77,69,310,521,312,70,348,85,88,774,812,535,536,146,825,163,784,191,651,102,791,794,237,551,340,110,111,112,716,342,115,346,723,349,352,124,473,125,859,818,580,840,823,369,131,620,133,365,921,141,658,377,476,603,147,149,91,610,543,611,508,393,394,166,736,399,625,406,178,524,409,876,181,182,882,151,887,188,322,197,362,920,653,428,205,627,435,436,300,684,915,916,505,217,444,447,669],less:[794,614,70,302,287,10,203,576],cheetah:126,boot:[613,895],obtain:[796,724,56,10,895,1,568,248,181,473,125,753,521,504,642,761,70,363,812,321,656,784,44,792],tcp:[794,504,615,812,63,895,576,226,275,814,44,10,493,185],ok_to_auth_as_deleg:[70,44,17],token_len:17,server_str:110,est:[176,44,434],heavili:27,glue:836,taken:[423,907,493,73],tclpath:452,web:[895,26,614],krb5_init_creds_step_flag_continu:185,krb5_read_password:181,in_authdat:887,makefil:[126,203,452],technet:713,krb5_nt_unknown:701,script:[895,452,70,689,836,44,45,203],kproplog:[427,63],jellinghau:330,edata:850,adm:[10,493,515],rctx:[521,242,919,286,649,341,831,235,47,157,269],smart:[812,10],gmt:176,e2big:346,fences_wicker_initvt:4,renprinc:70,krb5_rc_close:586,rename_sect:815,hard:[10,44],containerdn:[70,44],krb5_copy_keyblock:181,punctuat:[70,44,812,25,895],five:[895,821,25,223,70,812,27,176,215,44],know:[504,452,434,27,764,812,792,104],dns_canonicalize_hostnam:812,kdc_req_checksum_typ:812,recurs:[423,44,576],gssapi_krb5:17,krb5_c_keyed_checksum_typ:181,name:[794,855,724,162,10,895,73,689,32,814,504,63,515,70,423,100,321,484,812,273,208,662,275,44,45,792],insert:[324,544],s4u2self:[17,646],outcc:146,like:[794,613,614,452,473,171,493,869,895,17,73,126,32,814,504,63,70,27,812,100,203,423,147,44,792],lost:[330,203,56],safest:104,corpor:330,outauthdat:628,princ_lockout:423,slave_datatran:[28,895,132],ldflag:452,krb5_principal_compar:[731,181],krb5_free_default_realm:181,princ_flag:423,"_krb5_pa_data":635,desired_nam:17,expected_nonc:583,architectur:[203,452],page:[70,812,26,776,452],krb5_addrtyp:[499,36],titl:[836,330],retransmit:452,krb5_msgtype:[534,34,35,709,36,633,634,742,390,57,75,76,238,324],fast_avail:323,t1417:713,suppli:[521,907,257,70,17,181,318],krb5_check_clockskew:181,krb5_auth_con_getauthent:181,destdir:203,mit1:563,k5wiki:[576,203,23],"export":[10,895],ldap_kdc_sasl_authzid:10,unencapsul:576,mistak:119,proper:[504,855,568,814,44,203],krb5_k_decrypt_iov:[791,181],transport:[44,615,493,185],tmp:[794,895,855,746,70,437,27,812,28,104],krb5_get_init_creds_opt_fre:[521,107,181],desired_mech:[17,764],"_krb5_gic_opt_pa_data":878,lead:[10,437],sphinx_arg:126,ticket_info:189,avoid:[521,907,855,452,70,576,73,32,104,473],octet:181,interface_plugin:4,outgo:794,jeremi:330,krb5_tc_match_2nd_tkt:686,server_port:814,sequenc:[266,181,504],krb5_get_time_offset:181,preauth_list:[829,644],lockoutdur:[70,44,434],stockholm:330,pepper:181,investig:452,liabil:330,krb5_responder_get_challeng:[521,181],mssclogin:812,krb5_get_prompt_typ:[521,181],"0x00000200":802,host:[794,63,70,132,321,73,689,814],although:[159,455,330,104,687,493,119],krb5_kt_name_toolong:374,gss_iov:576,"0x00008000":[470,8],keytabnam:452,flag_rsa_protocol:640,microsecond:[461,323,852,29,279,904,189],expiri:[576,907,73],"_kpasswd":493,unprint:[70,44],about:[776,10,32,73,515],ntlm:576,rare:504,interven:44,krb5_ccach:[237,224,890,393,620,30,556,509,738,739,823,3,243,65,463,352,703,681,517,307,77,519,686,125,642,657,363,133,422,318,697,671,88,532,378,708,205,524,146,36,491,575,859,916,716,611,629,610,447],column:423,krb5_cc_badnam:318,eytab:[70,794],krb5_tkt_creds_step:[121,739,860,181],"_krb5_authent":727,statement:[330,646],krb5_crypto_type_checksum:[385,247,310,600],krb:[812,181],fast_ccache_nam:827,krb5_client_ktnam:[273,28,159],zonetest:73,kadmind_listen:10,profile_tcl:330,own:[764,895,776,70,437,4,455,812,794,184,104,44,10,623,119,473],generic_trusted_ca:[812,10],absolut:[812,10],builtin:[576,330,452],automat:[613,614,63,895,70,437,159,423,386,56,689,44,203,104],warranti:330,automak:4,guard:27,outdata:[267,522,821,230,732,832,215,254],req_pac:37,sspi:576,checksum_typ:154,inbuf:[917,821,568,569,215],dug:330,gss_iov_buffer_type_trail:17,merg:[10,181,476],"_udp":493,krb5_c_make_random_kei:181,defccnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],explcit:330,haddl:543,transfer:[504,689],profile_module_init:815,trigger:27,mgluep:330,ldapi:[10,515,484,855,44],"0x01ff":622,"var":[504,855,63,452,895,746,484,27,812,28,44,10],groff:776,userpassword:515,cancel:44,target_us:437,krb5_parse_name_flag:[731,181],krb5_get_init_creds_opt_set_expire_callback:181,north:330,unwrap:[17,181],seq_numb:[904,727],subscrib:23,message_typ:583,wed:44,unambigu:907,krb5_config_notenufspac:[129,207],eas:208,ear:330,bug:[776,713,473,836,44,203,23],g_rel_nam:330,realm2:45,succe:[521,10,812,519,895],made:[895,614,223,63,37,147,812,137,330,191,737,885,44,918],defcktnam:[0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160,161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176,177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192,193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208,209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224,225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260,261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,277,278,279,280,281,282,283,284,285,286,287,288,289,290,291,292,293,294,295,296,297,298,299,300,301,302,303,304,305,306,307,308,309,310,311,312,313,314,315,316,317,318,319,320,321,322,323,324,325,326,327,328,329,330,331,332,333,334,335,336,337,338,339,340,341,342,343,344,345,346,347,348,349,350,351,352,353,354,355,356,357,358,359,360,361,362,363,364,365,366,367,368,369,370,371,372,373,374,375,376,377,378,379,380,381,382,383,384,385,386,387,388,389,390,391,392,393,394,395,396,397,398,399,400,401,402,403,404,405,406,407,408,409,410,411,412,413,414,415,416,417,418,419,420,421,422,423,424,425,426,427,428,429,430,431,432,433,434,435,436,437,438,439,440,441,442,443,444,445,446,447,448,449,450,451,452,453,454,455,456,457,458,459,460,461,462,463,464,465,466,467,468,469,470,471,472,473,474,475,476,477,478,479,480,481,482,483,484,485,486,487,488,489,490,491,492,493,494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514,515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,533,534,535,536,537,538,539,540,541,542,543,544,545,546,547,548,549,550,551,552,553,554,555,556,557,558,559,560,561,562,563,564,565,566,567,568,569,570,571,572,573,574,575,576,577,578,579,580,581,582,583,584,585,586,587,588,589,590,591,592,593,594,595,596,597,598,599,600,601,602,603,604,605,606,607,608,609,610,611,612,613,614,615,616,617,618,619,620,621,622,623,624,625,626,627,628,629,630,631,632,633,634,635,636,637,638,639,640,641,642,643,644,645,646,647,648,649,650,651,652,653,654,655,656,657,658,659,660,661,662,663,664,665,666,667,668,669,670,671,672,673,674,675,676,677,678,679,680,681,682,683,684,685,686,687,688,689,690,691,692,693,694,695,696,697,698,699,700,701,702,703,704,705,706,707,708,709,710,711,712,713,714,715,716,717,718,719,720,721,722,723,724,725,726,727,728,729,730,731,732,733,734,735,736,737,738,739,740,741,742,743,744,745,746,747,748,749,750,751,752,753,754,755,756,757,758,759,760,761,762,763,764,765,766,767,768,769,770,771,772,773,774,775,776,777,778,779,780,781,782,783,784,785,786,787,788,789,790,791,792,793,794,795,796,797,798,799,800,801,802,803,804,805,806,807,808,809,810,811,812,813,814,815,816,817,818,819,820,821,822,823,824,825,826,827,828,829,830,831,832,833,834,835,836,837,838,839,840,841,842,843,844,845,846,847,848,849,850,851,852,853,854,855,856,857,858,859,860,861,862,863,864,865,866,867,868,869,870,871,872,873,874,875,876,877,878,879,880,881,882,883,884,885,886,887,888,889,890,891,892,893,894,895,896,897,898,899,900,901,902,903,904,905,906,907,908,909,910,911,912,913,914,915,916,917,918,919,920,921,922,923,924,925],temp:[812,27],rc4:[10,576],wish:[895,452,746,556,493,26,17,764,455,812,330,321,104,203,119],daffodil:[794,104],"_krb5_cred":[336,793],krb5_c_verify_checksum_iov:[310,181],rc2:899,krb5_free_error_messag:181,asynchron:[739,850],record:[895,812,302,27,792,423,473,44,45,493,576],below:[812,515,208,662,423,437,330,44,836,10,118],devicenam:10,genrsa:504,vpath:[26,203],dce:[812,17,181],lynx:855,krb5_c_free_stat:181,otherwis:[450,452,876,229,230,674,234,10,11,12,461,411,726,17,247,686,586,254,517,256,25,257,258,693,639,695,872,483,699,265,30,703,272,276,274,712,275,716,316,279,44,723,840,507,291,732,734,736,133,604,493,511,298,744,745,300,1,143,71,72,73,74,753,519,310,756,504,312,759,761,70,718,85,245,774,812,536,146,825,781,912,330,651,102,791,792,104,794,105,18,107,551,614,340,111,112,114,342,69,562,121,369,565,568,569,357,817,358,580,130,131,860,363,364,365,590,368,914,921,690,595,597,377,600,841,39,603,148,149,735,384,385,606,91,610,543,389,615,648,412,164,394,821,863,437,399,171,625,406,739,627,875,631,632,879,182,251,185,887,640,417,267,190,642,628,895,420,421,422,322,197,423,874,901,903,653,789,429,820,432,205,658,436,208,362,684,916,917,505,215,832,444,447,669],problem:[855,576,1,27,73,44,23,473],strategi:434,time_offset:45,display:110,krb5_cc_initi:[491,181],netbio:399,firm:330,default_principal_flag:[10,32,576],krb5_get_init_creds_opt_set_out_ccach:181,cb_ret:815,evalu:812,x509_proxi:812,"int":[615,453,287,551,360,4,6,400,345,511,743,877,17,632,479,525,124,635,890,185,129,572,752,577,489,55,706,256,454,644,362,639,647,318,914,139,829,108,91,374,651,596,377,34,535,537,207,843,848,443,101,154,280,725,499],dure:[895,63,434,273,44,56,689,10],indata:230,filenam:[853,504,812,63,724,895,273,132,208,17,147,423,70,44,10,484],max_lif:[423,10,895],gss_add_cred_impersonate_nam:764,strip_realm:[10,208],max_ticket_lif:[44,484],implement:[449,614,223,452,815,576,226,4,455,850,400,10,345,346,65,493,302,17,413,73,687,885,23,521,890,744,27,764,812,698,323,203,776,208,662,275,330,505,608,44,437,104],ini:812,remotehost:518,regul:330,kpropd:[132,689,427],inc:[330,104],mutual:[895,822,642,636,437,1,390],"0x000a":195,"_krb5_tkt_creds_context":172,countermeasur:100,t_mddriver:330,privsvr_kei:765,krb5_princip:[722,453,393,863,731,877,12,726,181,357,577,521,823,422,318,88,703,730,535,841,491,606],detail:[614,223,815,576,226,455,850,895,433,334,248,413,73,687,208,26,698,836,437,662,608,45,792],free_modreq:850,lname:[437,129],"default":[63,724,70,132,484,423,814,689,45],other:[794,895,812,434,70,689,248,662,423,73,44,10,32,45],lookup:[501,452,188,576,226,812,473,493,792],futur:[504,17,51,687,44,31,818],sick:330,varieti:248,getopt:836,krb5cc_:[28,437],gss_c_buffer_type_stream:17,known:[521,620,248,181,423,473,44,10],repeat:[895,812,764,423,323,10,78],second_ticket:[34,793,323],"class":[70,44,25],reconf:836,h71000:713,krb5_kt_get_typ:181,unser:17,beeblebrox:895,uncommon:27,sasl:[70,576,17,44,484,10],strlcpy:330,olcschemaconfig:855,krb5_rd_error:181,debian:[576,228],krb5_free_keytab_entry_cont:181,kdb5_ldap_util:[70,427,689],free_list:687,multithread:181,experienc:[776,226],maxnumb:[70,44],sphinx:126,fund:330,appl:[836,330,258],krb5_kt_add_entri:181,krb5_init_keyblock:181,g_util:330,portion:[461,852,208,29,727,249,812,870,330,686,457,279,904,189],emerg:10,krb5_responder_pkinit_challenge_fre:181,"0x0014":[50,894,405],keybyt:604,"_krb5_keyblock":525,recvauth:[695,642],rep:[190,636,364,569,384,35,882,767,917,324]},objtypes:{"0":"c:function","1":"c:member","2":"c:type","3":"py:data"},objnames:{"0":["c","function","C function"],"1":["c","member","C member"],"2":["c","type","C type"],"3":["py","data","Python data"]},filenames:["appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","appdev/refs/api/krb5_mk_req_extended","appdev/refs/macros/index","appdev/refs/api/krb5_cc_get_type","plugindev/general","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME","appdev/refs/types/krb5_verify_init_creds_opt","appdev/refs/macros/TKT_FLG_ENC_PA_REP","appdev/refs/macros/TKT_FLG_ANONYMOUS","appdev/refs/api/krb5_clear_error_message","admin/conf_files/kdc_conf","appdev/refs/api/krb5_auth_con_setuseruserkey","appdev/refs/api/krb5_425_conv_principal","appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA","appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE","appdev/gssapi","appdev/refs/api/krb5_sname_match","appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC","appdev/refs/macros/AP_OPTS_WIRE_MASK","appdev/refs/api/krb5_free_enctypes","resources","appdev/refs/macros/KRB5_PADATA_PAC_REQUEST","user/user_commands/kpasswd","build/index","basic/rcache_def","mitK5defaults","appdev/refs/types/krb5_replay_data","appdev/refs/api/krb5_get_credentials","appdev/refs/types/krb5_trace_info","admin/conf_files/kadm5_acl","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO","appdev/refs/types/krb5_kdc_req","appdev/refs/types/krb5_kdc_rep","appdev/refs/types/index","appdev/refs/api/krb5_get_init_creds_opt_set_pac_request","appdev/refs/api/krb5_wrap_error_message","appdev/refs/api/krb5_k_decrypt","appdev/refs/api/krb5_kt_start_seq_get","appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED","appdev/refs/macros/KRB5_AUTHDATA_CAMMAC","appdev/refs/macros/KRB5_PADATA_OSF_DCE","admin/database","admin/admin_commands/krb5kdc","appdev/refs/macros/AP_OPTS_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_get_challenge","appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME","appdev/refs/api/krb5_anonymous_realm","appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256","appdev/refs/api/krb5_get_error_message","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_PADATA_PK_AS_REP","appdev/refs/types/krb5_pac","appdev/refs/api/krb5_get_init_creds_opt_set_etype_list","admin/backup_host","appdev/refs/macros/KRB5_AP_REQ","appdev/refs/macros/KRB5_KPASSWD_MALFORMED","appdev/refs/types/krb5_pre_send_fn","appdev/refs/types/krb5_pointer","index","appdev/refs/api/krb5_tkt_creds_free","admin/admin_commands/kpropd","appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR","appdev/refs/api/krb5_cc_remove_cred","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","appdev/refs/macros/KRB5_NT_UID","appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_c_string_to_key","admin/admin_commands/kadmin_local","appdev/refs/api/krb5_is_config_principal","appdev/refs/api/krb5_c_fx_cf2_simple","admin/advanced/retiring-des","appdev/refs/api/krb5_init_creds_get_error","appdev/refs/macros/KRB5_TGS_REP","appdev/refs/macros/KRB5_TGS_REQ","appdev/refs/api/krb5_cc_set_config","appdev/refs/types/krb5_key","appdev/refs/macros/KRB5_REALM_BRANCH_CHAR","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","appdev/refs/api/krb5_get_init_creds_opt_set_pa","appdev/refs/macros/KRB5_KPASSWD_HARDERROR","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1","appdev/refs/api/krb5_auth_con_getlocalseqnumber","appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR","appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR","appdev/refs/api/krb5_cc_cache_match","appdev/refs/api/krb5_free_keyblock_contents","appdev/refs/macros/krb524_convert_creds_kdc","appdev/refs/api/krb5_c_keyed_checksum_types","appdev/refs/macros/CKSUMTYPE_RSA_MD4","appdev/refs/macros/CKSUMTYPE_RSA_MD5","appdev/refs/api/krb5_free_keyblock","admin/advanced/index","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256","appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION","appdev/refs/index","appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE","admin/install_appl_srv","appdev/refs/types/krb5_msgtype","appdev/refs/api/krb5_copy_ticket","appdev/refs/api/krb5_k_reference_key","user/tkt_mgmt","appdev/refs/api/krb5_get_permitted_enctypes","appdev/refs/macros/ADDRTYPE_ISO","appdev/refs/api/krb5_get_init_creds_opt_alloc","appdev/refs/api/krb5_unparse_name_flags_ext","appdev/refs/macros/MAX_KEYTAB_NAME_LEN","appdev/refs/api/krb5_chpw_message","appdev/refs/api/krb5_copy_keyblock","appdev/refs/api/krb5_cccol_lock","appdev/refs/macros/KRB5_PADATA_AP_REQ","appdev/refs/api/krb5_k_encrypt","appdev/refs/api/krb5_auth_con_setflags","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY","appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT","user/pwd_mgmt","appdev/refs/api/krb5_free_default_realm","appdev/refs/api/krb5_tkt_creds_get_times","appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE","appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP","appdev/refs/api/krb5_appdefault_boolean","appdev/refs/api/krb5_cc_default","build_this","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT","appdev/refs/api/krb5_aname_to_localname","appdev/refs/api/krb5_realm_compare","appdev/refs/api/krb5_c_encrypt_iov","admin/admin_commands/kprop","appdev/refs/api/krb5_cc_start_seq_get","appdev/refs/macros/KRB5_INT32_MIN","appdev/refs/api/krb5_kt_have_content","appdev/refs/types/krb5_trace_callback","appdev/refs/api/krb5_set_default_tgs_enctypes","admin/admin_commands/ktutil","appdev/refs/types/krb5_prompt","appdev/refs/api/krb5_vwrap_error_message","appdev/refs/api/krb5_copy_context","appdev/refs/api/krb5_get_init_creds_opt_init","appdev/refs/api/krb5_c_make_random_key","appdev/refs/api/krb5_free_ticket","appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY","appdev/refs/api/krb5_cc_copy_creds","admin/troubleshoot","appdev/refs/api/krb5_pac_get_types","appdev/refs/api/krb5_c_crypto_length_iov","appdev/refs/macros/ENCTYPE_DES3_CBC_ENV","appdev/refs/api/krb5_auth_con_get_checksum_func","appdev/refs/macros/KRB5_KPASSWD_SOFTERROR","appdev/refs/types/krb5_int16","appdev/refs/types/krb5_checksum","appdev/index","appdev/refs/macros/ADDRTYPE_INET6","appdev/refs/api/krb5_responder_otp_challenge_free","appdev/refs/api/krb5_kt_remove_entry","basic/keytab_def","appdev/refs/macros/krb5_princ_type","appdev/refs/macros/KRB5_PAC_DELEGATION_INFO","admin/index","appdev/refs/api/krb5_cccol_have_content","appdev/refs/api/krb5_deltat_to_string","formats/index","appdev/refs/api/krb5_auth_con_free","appdev/refs/api/krb5_set_kdc_recv_hook","appdev/refs/api/krb5_free_error","appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL","appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE","appdev/refs/api/krb5_enctype_to_name","appdev/refs/types/krb5_tkt_creds_context","appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","appdev/refs/macros/KDC_OPT_FORWARDED","basic/date_format","appdev/refs/macros/KRB5_TC_MATCH_FLAGS","appdev/refs/api/krb5_free_authenticator","appdev/refs/api/krb5_auth_con_getremotesubkey","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256","appdev/refs/api/index","appdev/refs/api/krb5_c_encrypt_length","appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO","user/user_config/k5login","appdev/refs/api/krb5_init_creds_step","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC","appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ","appdev/refs/api/krb5_expand_hostname","appdev/refs/types/krb5_cred_enc_part","appdev/refs/api/krb5_decode_ticket","appdev/refs/api/krb5_cc_default_name","appdev/refs/macros/KRB5_NT_SRV_XHST","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM","appdev/refs/api/krb5_free_data","appdev/refs/macros/ENCTYPE_MD5_RSA_CMS","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ","appdev/refs/api/krb5_c_init_state","appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3","appdev/refs/api/krb5_kt_client_default","appdev/refs/macros/KRB5_INT16_MIN","appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY","build/doing_build","appdev/refs/api/krb5_verify_init_creds_opt_init","appdev/refs/api/krb5_cc_lock","appdev/refs/api/krb5_kt_close","appdev/refs/api/krb5_kt_default_name","admin/otp","appdev/refs/macros/TKT_FLG_MAY_POSTDATE","appdev/refs/api/krb5_auth_con_getlocalsubkey","appdev/refs/api/krb5_prepend_error_message","appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE","appdev/refs/macros/KDC_OPT_VALIDATE","appdev/refs/api/krb5_rd_priv","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM","appdev/refs/api/krb5_524_conv_principal","appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO","appdev/refs/macros/KRB5_PADATA_FX_COOKIE","appdev/refs/types/krb5_pa_server_referral_data","appdev/refs/types/krb5_cccol_cursor","appdev/refs/api/krb5_decrypt","plugindev/kadm5_hook","appdev/refs/api/krb5_get_in_tkt_with_password","appdev/refs/macros/KRB5_PADATA_FX_ERROR","plugindev/locate","appdev/refs/api/krb5_anonymous_principal","admin/install","appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags","appdev/refs/api/krb5_copy_data","appdev/refs/macros/krb5_princ_set_realm_data","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","appdev/refs/api/krb5_recvauth_version","appdev/refs/api/krb5_responder_set_answer","appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR","appdev/refs/api/krb5_cc_last_change_time","appdev/refs/macros/KRB5_ERROR","appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED","appdev/refs/api/krb5_set_error_message","appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK","appdev/refs/api/krb5_responder_get_challenge","appdev/refs/api/krb5_cc_end_seq_get","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA","appdev/refs/api/krb5_init_creds_get_creds","appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC","appdev/refs/api/krb5_c_verify_checksum_iov","admin/enctypes","appdev/refs/api/krb5_kt_resolve","appdev/refs/macros/KRB5_CYBERSAFE_SECUREID","appdev/refs/api/krb5_k_create_key","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM","appdev/refs/api/krb5_rd_cred","appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED","appdev/refs/api/krb5_auth_con_genaddrs","appdev/refs/api/krb5_cccol_last_change_time","appdev/refs/api/krb5_pac_verify","appdev/refs/types/krb5_ap_req","appdev/refs/macros/KRB5_NT_SRV_HST","appdev/refs/api/krb5_encrypt","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","appdev/refs/macros/KRB5_PADATA_PKINIT_KX","appdev/refs/api/krb5_free_string","appdev/refs/api/krb5_principal_compare","appdev/refs/api/krb5_auth_con_getflags","appdev/refs/api/krb5_mk_priv","appdev/refs/macros/KRB5_TC_OPENCLOSE","appdev/refs/api/krb5_responder_pkinit_challenge_free","appdev/refs/macros/ADDRTYPE_XNS","appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE","appdev/refs/api/krb5_auth_con_set_req_cksumtype","admin/env_variables","appdev/refs/api/krb5_encode_authdata_container","admin/https","appdev/refs/api/krb5_free_keytab_entry_contents","appdev/refs/api/krb5_free_host_realm","appdev/refs/types/krb5_expire_callback_func","appdev/refs/api/krb5_get_time_offsets","appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize","appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED","appdev/refs/api/krb5_verify_checksum","appdev/refs/macros/SALT_TYPE_AFS_LENGTH","appdev/refs/macros/KRB5_KPASSWD_AUTHERROR","appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET","appdev/refs/api/krb5_responder_pkinit_set_answer","appdev/refs/api/krb5_address_order","appdev/refs/macros/KRB5_PADATA_NONE","appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC","appdev/refs/macros/AP_OPTS_RESERVED","appdev/refs/api/krb5_decode_authdata_container","appdev/refs/api/krb5_get_host_realm","appdev/refs/api/krb5_kt_dup","appdev/refs/macros/krb5_princ_set_realm","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP","appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH","appdev/refs/macros/KDC_OPT_CANONICALIZE","appdev/refs/api/krb5_c_random_to_key","appdev/refs/types/krb5_authdatatype","appdev/refs/api/krb5_c_free_state","appdev/refs/macros/CKSUMTYPE_CRC32","formats/keytab_file_format","appdev/refs/macros/KRB5_PADATA_SESAME","appdev/refs/types/krb5_pa_svr_referral_data","appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","appdev/refs/api/krb5_get_credentials_renew","appdev/refs/api/krb5_get_default_realm","appdev/refs/types/krb5_ticket","appdev/refs/api/krb5_c_make_checksum_iov","appdev/refs/macros/KRB5_NT_WELLKNOWN","appdev/refs/api/krb5_auth_con_getremoteseqnumber","appdev/refs/macros/TKT_FLG_PRE_AUTH","appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX","appdev/refs/macros/KDC_OPT_RENEW","appdev/refs/api/krb5_init_keyblock","appdev/refs/types/krb5_keyusage","appdev/refs/api/krb5_fwd_tgt_creds","appdev/refs/types/krb5_responder_pkinit_challenge","appdev/refs/api/krb5_free_tgt_creds","admin/auth_indicator","appdev/refs/api/krb5_auth_con_setrecvsubkey","formats/ccache_file_format","appdev/refs/types/krb5_enc_kdc_rep_part","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS","appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT","plugindev/index","appdev/refs/api/krb5_kt_free_entry","mitK5license","appdev/refs/api/krb5_vset_error_message","appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD","appdev/refs/macros/TKT_FLG_RENEWABLE","appdev/refs/api/krb5_get_profile","appdev/refs/macros/TKT_FLG_FORWARDABLE","appdev/refs/types/krb5_cred","appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC","appdev/refs/macros/krb524_init_ets","appdev/refs/types/krb5_ccache","appdev/refs/api/krb5_cccol_unlock","appdev/refs/api/krb5_responder_list_questions","appdev/refs/api/krb5_cccol_cursor_free","appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","appdev/refs/api/krb5_set_default_realm","appdev/refs/api/krb5_524_convert_creds","appdev/refs/api/krb5_c_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART","appdev/refs/api/krb5_free_checksum","appdev/refs/api/krb5_c_derive_prfplus","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","appdev/refs/macros/TKT_FLG_INITIAL","appdev/refs/api/krb5_cc_switch","appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM","appdev/refs/macros/TKT_FLG_INVALID","appdev/refs/macros/ENCTYPE_DES_CBC_MD4","appdev/refs/macros/ENCTYPE_DES_CBC_MD5","appdev/refs/api/krb5_init_creds_init","appdev/refs/api/krb5_c_is_keyed_cksum","appdev/refs/api/krb5_k_key_keyblock","appdev/refs/types/krb5_authdata","user/user_commands/index","appdev/refs/api/krb5_change_password","appdev/refs/api/krb5_mk_req","appdev/refs/api/krb5_mk_rep","appdev/refs/api/krb5_c_block_size","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","appdev/refs/api/krb5_principal_compare_any_realm","appdev/refs/api/krb5_auth_con_getkey","appdev/refs/types/krb5_enc_data","appdev/refs/api/krb5_get_init_creds_opt_set_address_list","appdev/refs/api/krb5_set_trace_callback","appdev/refs/api/krb5_verify_authdata_kdc_issued","appdev/refs/api/krb5_kt_get_name","appdev/refs/macros/KRB5_TC_MATCH_TIMES","appdev/refs/types/krb5_mk_req_checksum_func","appdev/refs/api/krb5_c_random_add_entropy","appdev/refs/api/krb5_get_in_tkt_with_skey","appdev/refs/macros/KRB5_PADATA_PW_SALT","appdev/refs/macros/VALID_INT_BITS","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE","appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE","appdev/refs/macros/ADDRTYPE_INET","appdev/refs/api/krb5_mk_rep_dce","appdev/refs/api/krb5_k_verify_checksum_iov","user/user_commands/kdestroy","appdev/refs/types/krb5_cksumtype","appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ","appdev/refs/api/krb5_server_decrypt_ticket_keytab","appdev/refs/macros/KRB5_AP_REP","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2","appdev/refs/macros/VALID_UINT_BITS","appdev/refs/api/krb5_cc_select","appdev/refs/api/krb5_address_compare","appdev/refs/api/krb5_kt_add_entry","appdev/refs/macros/AD_TYPE_REGISTERED","appdev/refs/api/krb5_free_error_message","appdev/refs/macros/KDC_OPT_PROXIABLE","appdev/refs/api/krb5_address_search","appdev/refs/api/krb5_set_password","appdev/refs/api/krb5_calculate_checksum","appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING","appdev/refs/api/krb5_make_authdata_kdc_issued","appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC","appdev/refs/macros/ADDRTYPE_NETBIOS","appdev/refs/api/krb5_auth_con_getrecvsubkey_k","appdev/refs/api/krb5_get_init_creds_opt_free","appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER","appdev/refs/api/krb5_free_authdata","appdev/refs/macros/TKT_FLG_POSTDATED","appdev/refs/api/krb5_c_enctype_compare","appdev/refs/api/krb5_init_creds_set_keytab","plugindev/clpreauth","appdev/refs/macros/CKSUMTYPE_DESCBC","appdev/refs/api/krb5_kt_default","appdev/refs/macros/ENCTYPE_RSA_ENV","appdev/refs/api/krb5_init_creds_set_password","appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH","appdev/refs/api/krb5_finish_key","appdev/refs/api/krb5_pac_get_buffer","appdev/refs/api/krb5_init_creds_set_service","appdev/refs/api/krb5_get_validated_creds","admin/admin_commands/kdb5_util","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD","appdev/refs/types/krb5_principal_data","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","admin/admin_commands/index","appdev/refs/api/krb5_appdefault_string","appdev/refs/api/krb5_principal2salt","appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION","appdev/refs/macros/ADDRTYPE_IS_LOCAL","appdev/refs/api/krb5_string_to_salttype","appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP","admin/lockout","appdev/refs/api/krb5_free_cksumtypes","appdev/refs/api/krb5_find_authdata","user/user_commands/ksu","appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE","appdev/refs/macros/krb5_princ_component","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT","appdev/refs/macros/krb5_roundup","appdev/refs/macros/KRB5_GC_CACHED","appdev/refs/types/krb5_pwd_data","appdev/refs/api/krb5_c_verify_checksum","appdev/refs/macros/TKT_FLG_PROXY","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","appdev/refs/api/krb5_cc_get_flags","appdev/refs/macros/KRB5_INIT_CONTEXT_KDC","appdev/h5l_mit_apidiff","appdev/refs/api/krb5_string_to_enctype","appdev/refs/macros/KRB5_GC_NO_STORE","build/options2configure","appdev/refs/api/krb5_build_principal_ext","appdev/refs/types/krb5_boolean","plugindev/pwqual","appdev/refs/macros/KRB5_FAST_REQUIRED","appdev/refs/types/krb5_error","appdev/refs/api/krb5_auth_con_getrcache","appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED","appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE","appdev/refs/api/krb5_set_real_time","copyright","appdev/refs/api/krb5_cc_store_cred","appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","appdev/refs/types/krb5_preauthtype","appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE","appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS","appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","admin/princ_dns","appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY","appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE","admin/conf_files/index","appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED","appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM","appdev/refs/api/krb5_unparse_name_ext","appdev/refs/types/krb5_const_pointer","appdev/refs/types/krb5_flags","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","appdev/refs/api/krb5_auth_con_setsendsubkey","admin/admin_commands/kdb5_ldap_util","appdev/refs/types/krb5_const_principal","appdev/refs/api/krb5_free_checksum_contents","appdev/refs/macros/ADDRTYPE_DDP","appdev/refs/macros/KRB5_NT_SRV_INST","appdev/refs/api/krb5_unparse_name_flags","appdev/refs/types/krb5_magic","appdev/refs/api/krb5_cc_get_principal","appdev/refs/macros/KRB5_NT_X500_PRINCIPAL","admin/realm_config","appdev/refs/api/krb5_cc_support_switch","appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME","appdev/refs/types/krb5_transited","appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO","appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC","appdev/refs/types/krb5_address","appdev/refs/macros/KRB5_PVNO","appdev/refs/types/krb5_cc_cursor","appdev/refs/api/krb5_check_clockskew","appdev/refs/types/krb5_last_req_entry","admin/pkinit","appdev/refs/api/krb5_c_make_checksum","appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL","appdev/refs/api/krb5_copy_authenticator","appdev/refs/api/krb5_copy_error_message","appdev/refs/api/krb5_cc_get_full_name","appdev/refs/api/krb5_c_valid_cksumtype","appdev/refs/api/krb5_principal_compare_flags","appdev/refs/macros/KDC_OPT_RENEWABLE","appdev/refs/types/krb5_auth_context","appdev/refs/types/krb5_responder_otp_challenge","admin/conf_ldap","appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128","appdev/refs/api/krb5_cccol_cursor_next","user/user_commands/sclient","appdev/refs/api/krb5_verify_init_creds","appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life","appdev/init_creds","appdev/refs/api/krb5_mk_1cred","appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA","appdev/refs/api/krb5_cc_get_config","appdev/refs/types/krb5_keyblock","appdev/refs/api/krb5_init_random_key","appdev/refs/types/krb5_responder_context","appdev/refs/macros/KRB5_PADATA_OTP_REQUEST","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128","appdev/refs/api/krb5_encrypt_size","appdev/refs/types/krb5_enctype","appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache","appdev/refs/macros/KRB5_GC_CANONICALIZE","appdev/refs/macros/KRB5_SAFE","appdev/refs/api/krb5_build_principal","appdev/refs/api/krb5_auth_con_getaddrs","appdev/refs/api/krb5_get_init_creds_opt_set_forwardable","appdev/refs/macros/KRB5_PAC_LOGON_INFO","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","user/user_commands/krb5-config","appdev/refs/macros/AP_OPTS_USE_SESSION_KEY","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2","appdev/refs/api/krb5_auth_con_setrcache","appdev/refs/types/krb5_cred_info","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM","appdev/refs/types/krb5_int32","appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY","appdev/refs/api/krb5_unparse_name","appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2","appdev/refs/api/krb5_c_crypto_length","appdev/refs/macros/KRB5_PADATA_REFERRAL","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT","appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE","appdev/refs/api/krb5_free_addresses","appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache","appdev/refs/api/krb5_free_unparsed_name","appdev/refs/macros/KRB5_LRQ_NONE","appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD","appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS","appdev/refs/macros/KRB5_GC_FORWARDABLE","user/user_commands/klist","formats/cookie","appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE","appdev/refs/api/krb5_mk_error","admin/admin_commands/kproplog","appdev/refs/macros/KRB5_TGS_NAME","appdev/refs/api/krb5_rd_req","appdev/refs/api/krb5_rd_rep","appdev/refs/macros/THREEPARAMOPEN","appdev/refs/macros/KRB5_INT32_MAX","appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail","appdev/refs/macros/KRB5_PADATA_FOR_USER","appdev/refs/macros/krb5_princ_set_realm_length","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache","mitK5features","appdev/refs/api/krb5_build_principal_va","appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128","basic/index","appdev/refs/api/krb5_c_random_make_octets","appdev/refs/macros/AD_TYPE_EXTERNAL","appdev/refs/types/krb5_keytab","appdev/refs/types/krb5_response","appdev/refs/api/krb5_c_is_coll_proof_cksum","appdev/refs/macros/ENCTYPE_NULL","appdev/refs/api/krb5_get_server_rcache","appdev/refs/macros/KRB5_TC_MATCH_KTYPE","appdev/refs/macros/KRB5_GC_USER_USER","appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART","appdev/refs/api/krb5_string_to_cksumtype","appdev/refs/api/krb5_get_prompt_types","appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8","appdev/refs/macros/KRB5_PADATA_AFS3_SALT","appdev/refs/api/krb5_pac_add_buffer","appdev/refs/types/krb5_data","appdev/refs/api/krb5_enctype_to_string","appdev/refs/macros/krb5_x","appdev/refs/macros/KRB5_KPASSWD_SUCCESS","appdev/refs/api/krb5_k_make_checksum_iov","appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT","appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE","appdev/refs/api/krb5_c_string_to_key_with_params","appdev/refs/api/krb5_c_keylengths","appdev/refs/macros/TKT_FLG_FORWARDED","appdev/refs/api/krb5_get_init_creds_password","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT","plugindev/localauth","appdev/refs/api/krb5_string_to_key","appdev/refs/api/krb5_cc_next_cred","appdev/refs/api/krb5_cc_move","appdev/refs/macros/SALT_TYPE_NO_LENGTH","basic/stash_file_def","basic/ccache_def","appdev/refs/api/krb5_tkt_creds_step","appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME","appdev/refs/macros/KRB5_AUTHDATA_AND_OR","appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE","appdev/refs/api/krb5_cc_resolve","appdev/refs/api/krb5_kt_end_seq_get","appdev/refs/macros/ENCTYPE_UNKNOWN","appdev/refs/api/krb5_set_kdc_send_hook","appdev/refs/api/krb5_free_context","appdev/refs/api/krb5_auth_con_setports","appdev/refs/macros/KRB5_PADATA_FX_FAST","appdev/refs/api/krb5_copy_creds","appdev/refs/api/krb5_merge_authdata","appdev/refs/api/krb5_cc_dup","appdev/refs/types/krb5_context","appdev/refs/api/krb5_k_verify_checksum","appdev/refs/api/krb5_parse_name_flags","appdev/refs/macros/KRB5_AS_REQ","appdev/refs/macros/KRB5_AS_REP","appdev/refs/types/krb5_pa_data","appdev/refs/types/krb5_ap_rep","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ","appdev/refs/macros/KRB5_AUTHDATA_SESAME","appdev/refs/api/krb5_c_random_os_entropy","user/user_commands/kinit","appdev/refs/api/krb5_init_secure_context","appdev/refs/api/krb5_sendauth","appdev/refs/macros/KRB5_NT_PRINCIPAL","appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list","appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER","user/user_commands/kvno","appdev/refs/types/krb5_typed_data","appdev/refs/api/krb5_k_prf","appdev/refs/api/krb5_responder_pkinit_get_challenge","appdev/refs/types/krb5_init_creds_context","appdev/refs/api/krb5_c_padding_length","appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA","appdev/refs/api/krb5_auth_con_getrecvsubkey","appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT","appdev/refs/macros/CKSUMTYPE_NIST_SHA","appdev/refs/api/krb5_get_fallback_host_realm","appdev/refs/api/krb5_get_in_tkt_with_keytab","appdev/refs/api/krb5_copy_checksum","appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART","appdev/refs/types/krb5_ticket_times","appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL","admin/host_config","appdev/refs/macros/krb5_const","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","appdev/refs/macros/KRB5_PAC_CLIENT_INFO","appdev/refs/api/krb5_free_creds","appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME","appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED","appdev/refs/api/krb5_c_decrypt","appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY","appdev/refs/api/krb5_cc_new_unique","appdev/refs/api/krb5_parse_name","appdev/refs/macros/ENCTYPE_DES3_CBC_RAW","appdev/refs/api/krb5_c_checksum_length","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","appdev/refs/types/krb5_deltat","appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1","appdev/refs/macros/KRB5_REFERRAL_REALM","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD","appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM","appdev/refs/api/krb5_cc_gen_new","appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT","appdev/refs/api/krb5_cccol_cursor_new","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","appdev/refs/api/krb5_cc_retrieve_cred","plugindev/hostrealm","appdev/refs/api/krb5_pac_free","admin/admin_commands/kadmind","appdev/refs/api/krb5_salttype_to_string","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","appdev/refs/api/krb5_auth_con_setaddrs","appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","appdev/refs/api/krb5_recvauth","appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION","appdev/refs/api/krb5_get_credentials_validate","plugindev/ccselect","appdev/refs/api/krb5_auth_con_setrecvsubkey_k","appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK","appdev/refs/api/krb5_sname_to_principal","appdev/refs/macros/krb5_princ_size","appdev/refs/api/krb5_get_renewed_creds","appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM","appdev/refs/macros/MSEC_VAL_MASK","appdev/refs/api/krb5_get_init_creds_opt_set_proxiable","appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED","appdev/refs/api/krb5_cc_get_name","appdev/refs/macros/KRB5_PRIV","appdev/refs/macros/KRB5_PADATA_TGS_REQ","appdev/refs/api/krb5_kt_get_entry","appdev/refs/api/krb5_string_to_deltat","admin/various_envs","appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL","appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","appdev/refs/api/krb5_cc_unlock","appdev/refs/types/krb5_cryptotype","appdev/refs/api/krb5_pac_init","appdev/refs/api/krb5_process_key","appdev/refs/macros/KDC_OPT_FORWARDABLE","appdev/refs/api/krb5_checksum_size","appdev/refs/api/krb5_free_principal","appdev/refs/api/krb5_copy_addresses","admin/admin_commands/k5srvutil","appdev/refs/api/krb5_get_init_creds_opt_set_anonymous","appdev/refs/api/krb5_copy_principal","appdev/refs/types/krb5_authenticator","appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","appdev/refs/api/krb5_kt_read_service_key","appdev/princ_handle","appdev/refs/api/krb5_mk_ncred","appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL","appdev/refs/api/krb5_copy_keyblock_contents","appdev/refs/api/krb5_tkt_creds_get","appdev/refs/api/krb5_auth_con_getsendsubkey","appdev/refs/api/krb5_init_context_profile","appdev/refs/api/krb5_cc_close","appdev/refs/api/krb5_tkt_creds_init","appdev/refs/api/krb5_timeofday","appdev/refs/macros/krb5_xc","appdev/refs/macros/KRB5_CRED","appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt","appdev/refs/api/krb5_k_make_checksum","appdev/refs/api/krb5_auth_con_init","build/osconf","appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP","user/user_config/index","appdev/refs/macros/ADDRTYPE_IPPORT","appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST","appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","appdev/refs/types/krb5_prompter_fct","appdev/refs/api/krb5_init_creds_get","appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME","appdev/refs/types/krb5_encrypt_block","appdev/refs/api/krb5_cksumtype_to_string","appdev/refs/macros/TKT_FLG_PROXIABLE","appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","appdev/refs/api/krb5_k_decrypt_iov","appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","appdev/refs/api/krb5_init_creds_get_times","user/index","appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT","plugindev/gssapi","appdev/refs/api/krb5_pac_sign","appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES","appdev/refs/types/krb5_pa_pac_req","appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP","appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD","appdev/refs/types/krb5_responder_pkinit_identity","appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","appdev/refs/types/krb5_error_code","appdev/refs/api/krb5_auth_con_setsendsubkey_k","appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV","about","appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM","appdev/refs/macros/ADDRTYPE_ADDRPORT","appdev/refs/macros/KRB5_TC_NOTICKET","appdev/refs/macros/AD_TYPE_RESERVED","appdev/refs/api/krb5_string_to_timestamp","appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH","user/user_config/k5identity","appdev/refs/api/krb5_auth_con_set_checksum_func","appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME","appdev/refs/macros/ADDRTYPE_CHAOS","appdev/refs/api/krb5_get_init_creds_opt_set_responder","appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE","appdev/refs/api/krb5_is_referral_realm","appdev/refs/types/krb5_kt_cursor","appdev/refs/api/krb5_c_decrypt_iov","admin/install_clients","appdev/refs/types/krb5_creds","admin/appl_servers","appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL","appdev/refs/api/krb5_get_init_creds_opt_set_salt","appdev/refs/macros/KRB5_TGS_NAME_SIZE","appdev/refs/api/krb5_get_init_creds_opt_set_renew_life","appdev/refs/macros/krb5_princ_realm","appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION","appdev/refs/api/krb5_free_cred_contents","appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES","appdev/refs/api/krb5_kt_next_entry","appdev/refs/macros/ENCTYPE_DES_CBC_RAW","appdev/refs/macros/KRB5_PADATA_S4U_X509_USER","appdev/refs/macros/KRB5_INT16_MAX","appdev/refs/types/krb5_rcache","appdev/refs/macros/KDC_OPT_POSTDATED","appdev/refs/types/krb5_ui_4","appdev/refs/types/krb5_ui_2","appdev/refs/api/krb5_vprepend_error_message","admin/conf_files/krb5_conf","appdev/refs/macros/KRB5_NT_UNKNOWN","admin/admin_commands/sserver","plugindev/profile","appdev/refs/macros/KRB5_NT_SMTP_NAME","appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags","appdev/refs/api/krb5_cc_set_default_name","appdev/refs/api/krb5_eblock_enctype","appdev/refs/api/krb5_k_encrypt_iov","appdev/refs/api/krb5_rd_safe","appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED","appdev/refs/api/krb5_cc_initialize","appdev/refs/macros/KDC_TKT_COMMON_MASK","appdev/refs/api/krb5_c_prf_length","appdev/refs/types/krb5_enc_tkt_part","appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name","appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS","appdev/refs/types/krb5_get_init_creds_opt","appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY","appdev/refs/api/krb5_responder_otp_set_answer","appdev/refs/api/krb5_mk_safe","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","appdev/refs/api/krb5_kt_get_type","build/directory_org","appdev/refs/types/krb5_tkt_authent","appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM","appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","appdev/refs/api/krb5_c_encrypt","appdev/refs/api/krb5_get_init_creds_keytab","appdev/refs/api/krb5_free_data_contents","appdev/refs/types/krb5_kvno","appdev/refs/macros/KDC_OPT_PROXY","appdev/refs/api/krb5_k_free_key","appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID","appdev/refs/types/krb5_keytab_entry","appdev/refs/api/krb5_prompter_posix","appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD","plugindev/kdcpreauth","appdev/refs/macros/KRB5_NT_MS_PRINCIPAL","appdev/refs/api/krb5_us_timeofday","appdev/refs/api/krb5_set_trace_filename","appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART","admin/advanced/ldapbackend","appdev/refs/api/krb5_finish_random_key","appdev/refs/types/krb5_post_recv_fn","appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL","appdev/refs/api/krb5_cc_destroy","appdev/refs/api/krb5_tkt_creds_get_creds","appdev/refs/macros/KDC_OPT_RENEWABLE_OK","appdev/refs/api/krb5_init_context","appdev/refs/api/krb5_kuserok","appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","appdev/refs/types/krb5_addrtype","appdev/refs/macros/TKT_FLG_HW_AUTH","appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS","appdev/refs/api/krb5_k_key_enctype","appdev/refs/api/krb5_auth_con_initivector","appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY","appdev/refs/api/krb5_c_valid_enctype","appdev/refs/api/krb5_auth_con_getauthenticator","appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128","appdev/refs/api/krb5_timestamp_to_sfstring","appdev/refs/api/krb5_os_localaddr","appdev/refs/api/krb5_c_prf","appdev/refs/api/krb5_build_principal_alloc_va","appdev/refs/types/krb5_gic_opt_pa_data","appdev/refs/api/krb5_timestamp_to_string","appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC","appdev/refs/api/krb5_set_principal_realm","appdev/refs/api/krb5_free_ap_rep_enc_part","appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR","appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM","plugindev/internal","appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD","appdev/refs/api/krb5_copy_authdata","appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK","appdev/refs/types/passwd_phrase_element","appdev/refs/api/krb5_set_password_using_ccache","appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO","appdev/refs/macros/MSEC_DIRBIT","appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET","appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192","admin/install_kdc","appdev/refs/api/krb5_use_enctype","appdev/refs/types/krb5_responder_otp_tokeninfo","appdev/refs/types/krb5_prompt_type","appdev/refs/macros/ENCTYPE_RC2_CBC_ENV","appdev/refs/types/krb5_principal","appdev/refs/api/krb5_pac_parse","appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","appdev/refs/api/krb5_rd_error","appdev/refs/types/krb5_ap_rep_enc_part","appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD","appdev/refs/macros/krb5_princ_name","appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback","appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR","appdev/refs/types/krb5_timestamp","appdev/refs/api/krb5_random_key","appdev/refs/api/krb5_init_creds_free","appdev/refs/api/krb5_is_thread_safe","appdev/refs/macros/ENCTYPE_DES_CBC_CRC","appdev/refs/api/krb5_read_password","appdev/refs/api/krb5_auth_con_getkey_k","appdev/refs/api/krb5_cc_set_flags","appdev/refs/api/krb5_rd_rep_dce","user/user_commands/kswitch","appdev/refs/types/krb5_responder_fn","appdev/refs/api/krb5_allow_weak_crypto","appdev/refs/api/krb5_auth_con_getsendsubkey_k","appdev/refs/api/krb5_c_random_seed","appdev/refs/types/krb5_octet","appdev/refs/types/krb5_crypto_iov","appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW"],titles:["KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT","krb5_mk_req_extended - Create a KRB_AP_REQ message using supplied credentials.","krb5 simple macros","krb5_cc_get_type - Retrieve the type of a credential cache.","General plugin concepts","KRB5_AUTH_CONTEXT_DO_TIME","krb5_verify_init_creds_opt","TKT_FLG_ENC_PA_REP","TKT_FLG_ANONYMOUS","krb5_clear_error_message - Clear the extended error message in a context.","kdc.conf","krb5_auth_con_setuseruserkey - Set the session key in an auth context.","krb5_425_conv_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.","KRB5_TC_MATCH_AUTHDATA","KRB5_ANONYMOUS_PRINCSTR","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID","KRB5_AUTH_CONTEXT_RET_SEQUENCE","Developing with GSSAPI","krb5_sname_match - Test whether a principal matches a matching principal.","KRB5_KEYUSAGE_ENC_CHALLENGE_KDC","KRB5_AUTHDATA_MANDATORY_FOR_KDC","AP_OPTS_WIRE_MASK","krb5_free_enctypes - Free an array of encryption types.","Resources","KRB5_PADATA_PAC_REQUEST","kpasswd","Building Kerberos V5","replay cache","MIT Kerberos defaults","krb5_replay_data","krb5_get_credentials - Get an additional ticket.","krb5_trace_info","kadm5.acl","KRB5_PADATA_ETYPE_INFO","krb5_kdc_req","krb5_kdc_rep","krb5 types and structures","krb5_get_init_creds_opt_set_pac_request - Ask the KDC to include or not include a PAC in the ticket.","krb5_wrap_error_message - Add a prefix to a different error code’s message.","krb5_k_decrypt - Decrypt data using a key (operates on opaque key).","krb5_kt_start_seq_get - Start a sequential retrieval of key table entries.","KRB5_AUTHDATA_KDC_ISSUED","KRB5_AUTHDATA_CAMMAC","KRB5_PADATA_OSF_DCE","Database administration","krb5kdc","AP_OPTS_USE_SUBKEY","krb5_responder_otp_get_challenge - Decode the KRB5_RESPONDER_QUESTION_OTP to a C struct.","KRB5_LRQ_ONE_PW_EXPTIME","krb5_anonymous_realm - Return an anonymous realm data.","CKSUMTYPE_HMAC_SHA384_192_AES256","krb5_get_error_message - Get the (possibly extended) error message for a code.","ENCTYPE_AES256_CTS_HMAC_SHA1_96","KRB5_PADATA_PK_AS_REP","krb5_pac","krb5_get_init_creds_opt_set_etype_list - Set allowable encryption types in initial credential options.","Backups of secure hosts","KRB5_AP_REQ","KRB5_KPASSWD_MALFORMED","krb5_pre_send_fn","krb5_pointer","MIT Kerberos Documentation (1.15.2)","krb5_tkt_creds_free - Free a TGS request context.","kpropd","CKSUMTYPE_HMAC_MD5_ARCFOUR","krb5_cc_remove_cred - Remove credentials from a credential cache.","KRB5_GET_INIT_CREDS_OPT_ANONYMOUS","KRB5_NT_UID","KRB5_TKT_CREDS_STEP_FLAG_CONTINUE","krb5_c_string_to_key - Convert a string (such a password) to a key.","kadmin","krb5_is_config_principal - Test whether a principal is a configuration principal.","krb5_c_fx_cf2_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.","Retiring DES","krb5_init_creds_get_error - Get the last error from KDC from an initial credentials context.","KRB5_TGS_REP","KRB5_TGS_REQ","krb5_cc_set_config - Store a configuration value in a credential cache.","krb5_key","KRB5_REALM_BRANCH_CHAR","KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY","krb5_get_init_creds_opt_set_pa - Supply options for preauthentication in initial credential options.","KRB5_KPASSWD_HARDERROR","KRB5_RESPONDER_OTP_FLAGS_NEXTOTP","ENCTYPE_DES_HMAC_SHA1","krb5_auth_con_getlocalseqnumber - Retrieve the local sequence number from an auth context.","KRB5_WELLKNOWN_NAMESTR","KRB5_AUTHDATA_FX_ARMOR","krb5_cc_cache_match - Find a credential cache with a specified client principal.","krb5_free_keyblock_contents - Free the contents of a krb5_keyblock structure.","krb524_convert_creds_kdc","krb5_c_keyed_checksum_types - Return a list of keyed checksum types usable with an encryption type.","CKSUMTYPE_RSA_MD4","CKSUMTYPE_RSA_MD5","krb5_free_keyblock - Free a krb5_keyblock structure.","Advanced topics","CKSUMTYPE_HMAC_SHA1_96_AES256","KRB5_KPASSWD_BAD_VERSION","Complete reference - API and datatypes","KRB5_KEYUSAGE_AD_MTE","UNIX Application Servers","krb5_msgtype","krb5_copy_ticket - Copy a krb5_ticket structure.","krb5_k_reference_key - Increment the reference count on a key.","Ticket management","krb5_get_permitted_enctypes - Return a list of encryption types permitted for session keys.","ADDRTYPE_ISO","krb5_get_init_creds_opt_alloc - Allocate a new initial credential options structure.","krb5_unparse_name_flags_ext - Convert krb5_principal structure to string format with flags.","MAX_KEYTAB_NAME_LEN","krb5_chpw_message - Get a result message for changing or setting a password.","krb5_copy_keyblock - Copy a keyblock.","krb5_cccol_lock - Acquire a global lock for credential caches.","KRB5_PADATA_AP_REQ","krb5_k_encrypt - Encrypt data using a key (operates on opaque key).","krb5_auth_con_setflags - Set a flags field in a krb5_auth_context structure.","KRB5_PRINCIPAL_UNPARSE_DISPLAY","KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM","KRB5_RESPONDER_QUESTION_PKINIT","Password management","krb5_free_default_realm - Free a default realm string returned by krb5_get_default_realm() .","krb5_tkt_creds_get_times - Retrieve ticket times from a TGS request context.","KRB5_PADATA_OTP_PIN_CHANGE","KRB5_ENCPADATA_REQ_ENC_PA_REP","krb5_appdefault_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.","krb5_cc_default - Resolve the default credential cache name.","How to build this documentation from the source","KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE","KRB5_PRINCIPAL_UNPARSE_SHORT","krb5_aname_to_localname - Convert a principal name to a local name.","krb5_realm_compare - Compare the realms of two principals.","krb5_c_encrypt_iov - Encrypt data in place supporting AEAD (operates on keyblock).","kprop","krb5_cc_start_seq_get - Prepare to sequentially read every credential in a credential cache.","KRB5_INT32_MIN","krb5_kt_have_content - Check if a keytab exists and contains entries.","krb5_trace_callback","krb5_set_default_tgs_enctypes - Set default TGS encryption types in a krb5_context structure.","ktutil","krb5_prompt","krb5_vwrap_error_message - Add a prefix to a different error code’s message using a va_list.","krb5_copy_context - Copy a krb5_context structure.","krb5_get_init_creds_opt_init","krb5_c_make_random_key - Generate an enctype-specific random encryption key.","krb5_free_ticket - Free a ticket.","LR_TYPE_THIS_SERVER_ONLY","krb5_cc_copy_creds - Copy a credential cache.","Troubleshooting","krb5_pac_get_types - Return an array of buffer types in a PAC handle.","krb5_c_crypto_length_iov - Fill in lengths for header, trailer and padding in a IOV array.","ENCTYPE_DES3_CBC_ENV","krb5_auth_con_get_checksum_func - Get the checksum callback from an auth context.","KRB5_KPASSWD_SOFTERROR","krb5_int16","krb5_checksum","For application developers","ADDRTYPE_INET6","krb5_responder_otp_challenge_free - Free the value returned by krb5_responder_otp_get_challenge() .","krb5_kt_remove_entry - Remove an entry from a key table.","keytab","krb5_princ_type","KRB5_PAC_DELEGATION_INFO","For administrators","krb5_cccol_have_content - Check if the credential cache collection contains any credentials.","krb5_deltat_to_string - Convert a relative time value to a string.","Protocols and file formats","krb5_auth_con_free - Free a krb5_auth_context structure.","krb5_set_kdc_recv_hook - Set a KDC post-receive hook function.","krb5_free_error - Free an error allocated by krb5_read_error() or krb5_sendauth() .","KRB5_LRQ_ONE_LAST_INITIAL","TKT_FLG_OK_AS_DELEGATE","krb5_enctype_to_name - Convert an encryption type to a name or alias.","krb5_tkt_creds_context","KRB5_TC_MATCH_IS_SKEY","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR","KDC_OPT_FORWARDED","Supported date and time formats","KRB5_TC_MATCH_FLAGS","krb5_free_authenticator - Free a krb5_authenticator structure.","krb5_auth_con_getremotesubkey","CKSUMTYPE_CMAC_CAMELLIA256","krb5 API","krb5_c_encrypt_length - Compute encrypted data length.","KRB5_PADATA_USE_SPECIFIED_KVNO",".k5login","krb5_init_creds_step - Get the next KDC request for acquiring initial credentials.","KRB5_KEYUSAGE_GSS_TOK_MIC","KRB5_LRQ_ONE_LAST_REQ","krb5_expand_hostname - Canonicalize a hostname, possibly using name service.","krb5_cred_enc_part","krb5_decode_ticket - Decode an ASN.1-formatted ticket.","krb5_cc_default_name - Return the name of the default credential cache.","KRB5_NT_SRV_XHST","KRB5_KEYUSAGE_FAST_REQ_CHKSUM","krb5_free_data - Free a krb5_data structure.","ENCTYPE_MD5_RSA_CMS","KRB5_KEYUSAGE_AS_REQ","krb5_c_init_state - Initialize a new cipher state.","KDC_OPT_CNAME_IN_ADDL_TKT","CKSUMTYPE_HMAC_SHA1_DES3","krb5_kt_client_default - Resolve the default client key table.","KRB5_INT16_MIN","KDC_OPT_ENC_TKT_IN_SKEY","Doing the build","krb5_verify_init_creds_opt_init - Initialize a credential verification options structure.","krb5_cc_lock - Lock a credential cache.","krb5_kt_close - Close a key table handle.","krb5_kt_default_name - Get the default key table name.","OTP Preauthentication","TKT_FLG_MAY_POSTDATE","krb5_auth_con_getlocalsubkey","krb5_prepend_error_message - Add a prefix to the message for an error code.","KRB5_PRINCIPAL_UNPARSE_NO_REALM","KRB5_KEYUSAGE_PA_SAM_RESPONSE","KDC_OPT_VALIDATE","krb5_rd_priv - Process a KRB-PRIV message.","KRB5_PRINCIPAL_PARSE_NO_REALM","krb5_524_conv_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.","KRB5_PADATA_SVR_REFERRAL_INFO","KRB5_PADATA_FX_COOKIE","krb5_pa_server_referral_data","krb5_cccol_cursor","krb5_decrypt","KADM5 hook interface (kadm5_hook)","krb5_get_in_tkt_with_password","KRB5_PADATA_FX_ERROR","Server location interface (locate)","krb5_anonymous_principal - Build an anonymous principal.","Installation guide","krb5_get_init_creds_opt_set_fast_flags - Set FAST flags in initial credential options.","krb5_copy_data - Copy a krb5_data object.","krb5_princ_set_realm_data","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED","KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL","krb5_recvauth_version - Server function for sendauth protocol with version parameter.","krb5_responder_set_answer - Answer a named question in the responder context.","CKSUMTYPE_MD5_HMAC_ARCFOUR","krb5_cc_last_change_time - Return a timestamp of the last modification to a credential cache.","KRB5_ERROR","KRB5_KPASSWD_INITIAL_FLAG_NEEDED","krb5_set_error_message - Set an extended error message for an error code.","KRB5_GC_NO_TRANSIT_CHECK","krb5_responder_get_challenge - Retrieve the challenge data for a given question in the responder context.","krb5_cc_end_seq_get - Finish a series of sequential processing credential cache entries.","ENCTYPE_DES3_CBC_SHA","krb5_init_creds_get_creds - Retrieve acquired credentials from an initial credentials context.","ENCTYPE_CAMELLIA128_CTS_CMAC","krb5_c_verify_checksum_iov - Validate a checksum element in IOV array (operates on keyblock).","Encryption types","krb5_kt_resolve - Get a handle for a key table.","KRB5_CYBERSAFE_SECUREID","krb5_k_create_key - Create a krb5_key from the enctype and key data in a keyblock.","KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST","KRB5_CRYPTO_TYPE_CHECKSUM","krb5_rd_cred - Read and validate a KRB-CRED message.","KRB5_KEYUSAGE_FAST_FINISHED","krb5_auth_con_genaddrs - Generate auth context addresses from a connected socket.","krb5_cccol_last_change_time - Return a timestamp of the last modification of any known credential cache.","krb5_pac_verify - Verify a PAC.","krb5_ap_req","KRB5_NT_SRV_HST","krb5_encrypt","KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT","KRB5_PADATA_PKINIT_KX","krb5_free_string - Free a string allocated by a krb5 function.","krb5_principal_compare - Compare two principals.","krb5_auth_con_getflags - Retrieve flags from a krb5_auth_context structure.","krb5_mk_priv - Format a KRB-PRIV message.","KRB5_TC_OPENCLOSE","krb5_responder_pkinit_challenge_free - Free the value returned by krb5_responder_pkinit_get_challenge() .","ADDRTYPE_XNS","KRB5_PADATA_OTP_CHALLENGE","krb5_auth_con_set_req_cksumtype - Set checksum type in an an auth context.","Environment variables","krb5_encode_authdata_container - Wrap authorization data in a container.","HTTPS proxy configuration","krb5_free_keytab_entry_contents - Free the contents of a key table entry.","krb5_free_host_realm - Free the memory allocated by krb5_get_host_realm() .","krb5_expire_callback_func","krb5_get_time_offsets - Return the time offsets from the os context.","krb5_get_init_creds_opt_set_canonicalize - Set or unset the canonicalize flag in initial credential options.","KRB5_KPASSWD_ACCESSDENIED","krb5_verify_checksum","SALT_TYPE_AFS_LENGTH","KRB5_KPASSWD_AUTHERROR","KRB5_AUTHDATA_SIGNTICKET","krb5_responder_pkinit_set_answer - Answer the KRB5_RESPONDER_QUESTION_PKINIT question for one identity.","krb5_address_order - Return an ordering of the specified addresses.","KRB5_PADATA_NONE","KRB5_KEYUSAGE_FAST_ENC","AP_OPTS_RESERVED","krb5_decode_authdata_container - Unwrap authorization data.","krb5_get_host_realm - Get the Kerberos realm names for a host.","krb5_kt_dup - Duplicate keytab handle.","krb5_princ_set_realm","ENCTYPE_ARCFOUR_HMAC_EXP","KRB5_PROMPT_TYPE_PREAUTH","KDC_OPT_CANONICALIZE","krb5_c_random_to_key - Generate an enctype-specific key from random data.","krb5_authdatatype","krb5_c_free_state - Free a cipher state previously allocated by krb5_c_init_state() .","CKSUMTYPE_CRC32","Keytab file format","KRB5_PADATA_SESAME","krb5_pa_svr_referral_data","CKSUMTYPE_RSA_MD5_DES","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR","krb5_get_credentials_renew","krb5_get_default_realm - Retrieve the default realm.","krb5_ticket","krb5_c_make_checksum_iov - Fill in a checksum element in IOV array (operates on keyblock)","KRB5_NT_WELLKNOWN","krb5_auth_con_getremoteseqnumber - Retrieve the remote sequence number from an auth context.","TKT_FLG_PRE_AUTH","KRB5_KEYUSAGE_PA_PKINIT_KX","KDC_OPT_RENEW","krb5_init_keyblock - Initialize an empty krb5_keyblock .","krb5_keyusage","krb5_fwd_tgt_creds - Get a forwarded TGT and format a KRB-CRED message.","krb5_responder_pkinit_challenge","krb5_free_tgt_creds - Free an array of credential structures.","Authentication indicators","krb5_auth_con_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.","Credential cache file format","krb5_enc_kdc_rep_part","KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY","ENCTYPE_DSA_SHA1_CMS","KRB5_TC_MATCH_2ND_TKT","For plugin module developers","krb5_kt_free_entry","MIT Kerberos License information","krb5_vset_error_message - Set an extended error message for an error code using a va_list.","KRB5_PADATA_PK_AS_REP_OLD","TKT_FLG_RENEWABLE","krb5_get_profile - Retrieve configuration profile from the context.","TKT_FLG_FORWARDABLE","krb5_cred","ENCTYPE_ARCFOUR_HMAC","krb524_init_ets","krb5_ccache","krb5_cccol_unlock - Release a global lock for credential caches.","krb5_responder_list_questions - List the question names contained in the responder context.","krb5_cccol_cursor_free - Free a credential cache collection cursor.","KRB5_INIT_CREDS_STEP_FLAG_CONTINUE","krb5_set_default_realm - Override the default realm for the specified context.","krb5_524_convert_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.","krb5_c_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.","KRB5_KEYUSAGE_AS_REP_ENCPART","krb5_free_checksum - Free a krb5_checksum structure.","krb5_c_derive_prfplus - Derive a key using some input data (via RFC 6113 PRF+).","KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV","TKT_FLG_INITIAL","krb5_cc_switch - Make a credential cache the primary cache for its collection.","KRB5_PAC_PRIVSVR_CHECKSUM","TKT_FLG_INVALID","ENCTYPE_DES_CBC_MD4","ENCTYPE_DES_CBC_MD5","krb5_init_creds_init - Create a context for acquiring initial credentials.","krb5_c_is_keyed_cksum - Test whether a checksum type is keyed.","krb5_k_key_keyblock - Retrieve a copy of the keyblock from a krb5_key structure.","krb5_authdata","User commands","krb5_change_password - Change a password for an existing Kerberos account.","krb5_mk_req - Create a KRB_AP_REQ message.","krb5_mk_rep - Format and encrypt a KRB_AP_REP message.","krb5_c_block_size - Return cipher block size.","KRB5_KEYUSAGE_AP_REQ_AUTH","KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC","krb5_principal_compare_any_realm - Compare two principals ignoring realm components.","krb5_auth_con_getkey - Retrieve the session key from an auth context as a keyblock.","krb5_enc_data","krb5_get_init_creds_opt_set_address_list - Set address restrictions in initial credential options.","krb5_set_trace_callback - Specify a callback function for trace events.","krb5_verify_authdata_kdc_issued - Unwrap and verify AD-KDCIssued authorization data.","krb5_kt_get_name - Get a key table name.","KRB5_TC_MATCH_TIMES","krb5_mk_req_checksum_func","krb5_c_random_add_entropy - Add entropy to the pseudo-random number generator.","krb5_get_in_tkt_with_skey","KRB5_PADATA_PW_SALT","VALID_INT_BITS","KRB5_PRINCIPAL_COMPARE_ENTERPRISE","KRB5_INIT_CONTEXT_SECURE","ADDRTYPE_INET","krb5_mk_rep_dce - Format and encrypt a KRB_AP_REP message for DCE RPC.","krb5_k_verify_checksum_iov - Validate a checksum element in IOV array (operates on opaque key).","kdestroy","krb5_cksumtype","KRB5_LRQ_ALL_LAST_REQ","krb5_server_decrypt_ticket_keytab - Decrypt a ticket using the specified key table.","KRB5_AP_REP","KRB5_PADATA_SAM_CHALLENGE_2","VALID_UINT_BITS","krb5_cc_select - Select a credential cache to use with a server principal.","krb5_address_compare - Compare two Kerberos addresses.","krb5_kt_add_entry - Add a new entry to a key table.","AD_TYPE_REGISTERED","krb5_free_error_message - Free an error message generated by krb5_get_error_message() .","KDC_OPT_PROXIABLE","krb5_address_search - Search a list of addresses for a specified address.","krb5_set_password - Set a password for a principal using specified credentials.","krb5_calculate_checksum","KRB5_CRYPTO_TYPE_PADDING","krb5_make_authdata_kdc_issued - Encode and sign AD-KDCIssued authorization data.","ENCTYPE_CAMELLIA256_CTS_CMAC","ADDRTYPE_NETBIOS","krb5_auth_con_getrecvsubkey_k - Retrieve the receiving subkey from an auth context as a keyblock.","krb5_get_init_creds_opt_free - Free initial credential options.","KRB5_CRYPTO_TYPE_TRAILER","krb5_free_authdata - Free the storage assigned to array of authentication data.","TKT_FLG_POSTDATED","krb5_c_enctype_compare - Compare two encryption types.","krb5_init_creds_set_keytab - Specify a keytab to use for acquiring initial credentials.","Client preauthentication interface (clpreauth)","CKSUMTYPE_DESCBC","krb5_kt_default - Resolve the default key table.","ENCTYPE_RSA_ENV","krb5_init_creds_set_password - Set a password for acquiring initial credentials.","KRB5_KEYUSAGE_AD_SIGNEDPATH","krb5_finish_key","krb5_pac_get_buffer - Retrieve a buffer value from a PAC.","krb5_init_creds_set_service - Specify a service principal for acquiring initial credentials.","krb5_get_validated_creds - Get validated credentials from the KDC.","kdb5_util","KRB5_PRINCIPAL_COMPARE_CASEFOLD","krb5_principal_data","KRB5_GET_INIT_CREDS_OPT_TKT_LIFE","Administration programs","krb5_appdefault_string - Retrieve a string value from the appdefaults section of krb5.conf.","krb5_principal2salt - Convert a principal name into the default salt for that principal.","KRB5_GC_CONSTRAINED_DELEGATION","ADDRTYPE_IS_LOCAL","krb5_string_to_salttype - Convert a string to a salt type.","KRB5_RESPONDER_QUESTION_OTP","Account lockout","krb5_free_cksumtypes - Free an array of checksum types.","krb5_find_authdata - Find authorization data elements.","ksu","KRB5_PADATA_ENCRYPTED_CHALLENGE","krb5_princ_component","KRB5_LRQ_ALL_LAST_TGT","krb5_roundup","KRB5_GC_CACHED","krb5_pwd_data","krb5_c_verify_checksum - Verify a checksum (operates on keyblock).","TKT_FLG_PROXY","KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL","krb5_cc_get_flags - Retrieve flags from a credential cache structure.","KRB5_INIT_CONTEXT_KDC","Differences between Heimdal and MIT Kerberos API","krb5_string_to_enctype - Convert a string to an encryption type.","KRB5_GC_NO_STORE","Options to configure","krb5_build_principal_ext - Build a principal name using length-counted strings.","krb5_boolean","Password quality interface (pwqual)","KRB5_FAST_REQUIRED","krb5_error","krb5_auth_con_getrcache - Retrieve the replay cache from an auth context.","TKT_FLG_TRANSIT_POLICY_CHECKED","KRB5_KEYUSAGE_AD_ITE","krb5_set_real_time - Set time offset field in a krb5_context structure.","Copyright","krb5_cc_store_cred - Store credentials in a credential cache.","KDC_OPT_ALLOW_POSTDATE","KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY","krb5_preauthtype","KRB5_AUTHDATA_ETYPE_NEGOTIATION","KRB5_GET_INIT_CREDS_OPT_CANONICALIZE","KRB5_PRINCIPAL_PARSE_ENTERPRISE","KDC_OPT_REQUEST_ANONYMOUS","KRB5_AUTHDATA_IF_RELEVANT","KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY","Principal names and DNS","KRB5_CRYPTO_TYPE_SIGN_ONLY","KRB5_KEYUSAGE_PA_FX_COOKIE","Configuration Files","KRB5_KEYUSAGE_IAKERB_FINISHED","KRB5_CRYPTO_TYPE_STREAM","krb5_unparse_name_ext - Convert krb5_principal structure to string and length.","krb5_const_pointer","krb5_flags","KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN","krb5_auth_con_setsendsubkey - Set the send subkey in an auth context with a keyblock.","kdb5_ldap_util","krb5_const_principal","krb5_free_checksum_contents - Free the contents of a krb5_checksum structure.","ADDRTYPE_DDP","KRB5_NT_SRV_INST","krb5_unparse_name_flags - Convert krb5_principal structure to a string with flags.","krb5_magic","krb5_cc_get_principal - Get the default principal of a credential cache.","KRB5_NT_X500_PRINCIPAL","Realm configuration decisions","krb5_cc_support_switch - Determine whether a credential cache type supports switching.","KRB5_PADATA_ENC_UNIX_TIME","krb5_transited","KRB5_PAC_CREDENTIALS_INFO","KRB5_AUTHDATA_WIN2K_PAC","krb5_address","KRB5_PVNO","krb5_cc_cursor","krb5_check_clockskew - Check if a timestamp is within the allowed clock skew of the current time.","krb5_last_req_entry","PKINIT configuration","krb5_c_make_checksum - Compute a checksum (operates on keyblock).","KRB5_LRQ_ALL_LAST_RENEWAL","krb5_copy_authenticator - Copy a krb5_authenticator structure.","krb5_copy_error_message - Copy the most recent extended error message from one context to another.","krb5_cc_get_full_name - Retrieve the full name of a credential cache.","krb5_c_valid_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.","krb5_principal_compare_flags - Compare two principals with additional flags.","KDC_OPT_RENEWABLE","krb5_auth_context","krb5_responder_otp_challenge","Configuring Kerberos with OpenLDAP back-end","CKSUMTYPE_CMAC_CAMELLIA128","krb5_cccol_cursor_next - Get the next credential cache in the collection.","sclient","krb5_verify_init_creds - Verify initial credentials against a keytab.","krb5_get_init_creds_opt_set_tkt_life - Set the ticket lifetime in initial credential options.","Initial credentials","krb5_mk_1cred - Format a KRB-CRED message for a single set of credentials.","KRB5_PADATA_GET_FROM_TYPED_DATA","krb5_cc_get_config - Get a configuration value from a credential cache.","krb5_keyblock","krb5_init_random_key","krb5_responder_context","KRB5_PADATA_OTP_REQUEST","ENCTYPE_AES128_CTS_HMAC_SHA256_128","krb5_encrypt_size","krb5_enctype","krb5_get_init_creds_opt_set_out_ccache - Set an output credential cache in initial credential options.","KRB5_GC_CANONICALIZE","KRB5_SAFE","krb5_build_principal - Build a principal name using null-terminated strings.","krb5_auth_con_getaddrs - Retrieve address fields from an auth context.","krb5_get_init_creds_opt_set_forwardable - Set or unset the forwardable flag in initial credential options.","KRB5_PAC_LOGON_INFO","KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN","krb5-config","AP_OPTS_USE_SESSION_KEY","KRB5_PADATA_SAM_RESPONSE_2","krb5_auth_con_setrcache - Set the replay cache in an auth context.","krb5_cred_info","KRB5_KEYUSAGE_APP_DATA_CKSUM","krb5_int32","KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST","KRB5_CRYPTO_TYPE_EMPTY","krb5_unparse_name - Convert a krb5_principal structure to a string representation.","KRB5_PADATA_ETYPE_INFO2","krb5_c_crypto_length - Return a length of a message field specific to the encryption type.","KRB5_PADATA_REFERRAL","KRB5_LRQ_ONE_LAST_TGT","KRB5_AUTHDATA_OSF_DCE","krb5_free_addresses - Free the data stored in array of addresses.","krb5_get_init_creds_opt_set_in_ccache - Set an input credential cache in initial credential options.","krb5_free_unparsed_name - Free a string representation of a principal.","KRB5_LRQ_NONE","KRB5_RESPONDER_QUESTION_PASSWORD","ENCTYPE_SHA1_RSA_CMS","KRB5_GC_FORWARDABLE","klist","KDC cookie format","KRB5_PADATA_SAM_CHALLENGE","krb5_mk_error - Format and encode a KRB_ERROR message.","kproplog","KRB5_TGS_NAME","krb5_rd_req - Parse and decrypt a KRB_AP_REQ message.","krb5_rd_rep - Parse and decrypt a KRB_AP_REP message.","THREEPARAMOPEN","KRB5_INT32_MAX","krb5_verify_init_creds_opt_set_ap_req_nofail - Set whether credential verification is required.","KRB5_PADATA_FOR_USER","krb5_princ_set_realm_length","krb5_get_init_creds_opt_set_fast_ccache - Set FAST armor cache in initial credential options.","MIT Kerberos features","krb5_build_principal_va","CKSUMTYPE_HMAC_SHA1_96_AES128","Kerberos V5 concepts","krb5_c_random_make_octets - Generate pseudo-random bytes.","AD_TYPE_EXTERNAL","krb5_keytab","krb5_response","krb5_c_is_coll_proof_cksum - Test whether a checksum type is collision-proof.","ENCTYPE_NULL","krb5_get_server_rcache - Generate a replay cache object for server use and open it.","KRB5_TC_MATCH_KTYPE","KRB5_GC_USER_USER","KRB5_KEYUSAGE_AP_REP_ENCPART","krb5_string_to_cksumtype - Convert a string to a checksum type.","krb5_get_prompt_types - Get prompt types array from a context.","KRB5_PADATA_ENC_SANDIA_SECURID","KRB5_PRINCIPAL_COMPARE_UTF8","KRB5_PADATA_AFS3_SALT","krb5_pac_add_buffer - Add a buffer to a PAC handle.","krb5_data","krb5_enctype_to_string - Convert an encryption type to a string.","krb5_x","KRB5_KPASSWD_SUCCESS","krb5_k_make_checksum_iov - Fill in a checksum element in IOV array (operates on opaque key)","KRB5_PADATA_SAM_REDIRECT","KRB5_PADATA_SAM_RESPONSE","krb5_c_string_to_key_with_params - Convert a string (such as a password) to a key with additional parameters.","krb5_c_keylengths - Return length of the specified key in bytes.","TKT_FLG_FORWARDED","krb5_get_init_creds_password - Get initial credentials using a password.","KRB5_GET_INIT_CREDS_OPT_SALT","Local authorization interface (localauth)","krb5_string_to_key","krb5_cc_next_cred - Retrieve the next entry from the credential cache.","krb5_cc_move - Move a credential cache.","SALT_TYPE_NO_LENGTH","stash file","Credential cache","krb5_tkt_creds_step - Get the next KDC request in a TGS exchange.","KRB5_LRQ_ONE_ACCT_EXPTIME","KRB5_AUTHDATA_AND_OR","AD_TYPE_FIELD_TYPE_MASK","KRB5_GET_INIT_CREDS_OPT_PROXIABLE","krb5_cc_resolve - Resolve a credential cache name.","krb5_kt_end_seq_get - Release a keytab cursor.","ENCTYPE_UNKNOWN","krb5_set_kdc_send_hook - Set a KDC pre-send hook function.","krb5_free_context - Free a krb5 library context.","krb5_auth_con_setports - Set local and remote port fields in an auth context.","KRB5_PADATA_FX_FAST","krb5_copy_creds - Copy a krb5_creds structure.","krb5_merge_authdata - Merge two authorization data lists into a new list.","krb5_cc_dup - Duplicate ccache handle.","krb5_context","krb5_k_verify_checksum - Verify a checksum (operates on opaque key).","krb5_parse_name_flags - Convert a string principal name to a krb5_principal with flags.","KRB5_AS_REQ","KRB5_AS_REP","krb5_pa_data","krb5_ap_rep","KRB5_PADATA_PK_AS_REQ","KRB5_AUTHDATA_SESAME","krb5_c_random_os_entropy - Collect entropy from the OS if possible.","kinit","krb5_init_secure_context - Create a krb5 library context using only configuration files.","krb5_sendauth - Client function for sendauth protocol.","KRB5_NT_PRINCIPAL","krb5_get_init_creds_opt_set_preauth_list - Set preauthentication types in initial credential options.","KRB5_CRYPTO_TYPE_HEADER","kvno","krb5_typed_data","krb5_k_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).","krb5_responder_pkinit_get_challenge - Decode the KRB5_RESPONDER_QUESTION_PKINIT to a C struct.","krb5_init_creds_context","krb5_c_padding_length - Return a number of padding octets.","KRB5_CRYPTO_TYPE_DATA","krb5_auth_con_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.","KRB5_KEYUSAGE_APP_DATA_ENCRYPT","CKSUMTYPE_NIST_SHA","krb5_get_fallback_host_realm","krb5_get_in_tkt_with_keytab","krb5_copy_checksum - Copy a krb5_checksum structure.","KRB5_KEYUSAGE_KRB_PRIV_ENCPART","krb5_ticket_times","KRB5_RESPONDER_OTP_FORMAT_DECIMAL","Host configuration","krb5_const","KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR","KRB5_PAC_CLIENT_INFO","krb5_free_creds - Free a krb5_creds structure.","KRB5_AUTH_CONTEXT_RET_TIME","KRB5_LRQ_ONE_LAST_TGT_ISSUED","krb5_c_decrypt - Decrypt data using a key (operates on keyblock).","KRB5_SAM_USE_SAD_AS_KEY","krb5_cc_new_unique - Create a new credential cache of the specified type with a unique name.","krb5_parse_name - Convert a string principal name to a krb5_principal structure.","ENCTYPE_DES3_CBC_RAW","krb5_c_checksum_length - Return the length of checksums for a checksum type.","KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST","krb5_deltat","ENCTYPE_DES3_CBC_SHA1","KRB5_REFERRAL_REALM","KRB5_PROMPT_TYPE_NEW_PASSWORD","KRB5_KEYUSAGE_KRB_SAFE_CKSUM","krb5_cc_gen_new","KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS","KRB5_TC_MATCH_FLAGS_EXACT","krb5_cccol_cursor_new - Prepare to iterate over the collection of known credential caches.","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY","krb5_cc_retrieve_cred - Retrieve a specified credentials from a credential cache.","Host-to-realm interface (hostrealm)","krb5_pac_free - Free a PAC handle.","kadmind","krb5_salttype_to_string - Convert a salt type to a string.","KRB5_NT_MS_PRINCIPAL_AND_ID","KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM","krb5_auth_con_setaddrs - Set the local and remote addresses in an auth context.","KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM","krb5_recvauth - Server function for sendauth protocol.","KRB5_RECVAUTH_SKIP_VERSION","krb5_get_credentials_validate","Credential cache selection interface (ccselect)","krb5_auth_con_setrecvsubkey_k - Set the receiving subkey in an auth context.","KDC_OPT_DISABLE_TRANSITED_CHECK","krb5_sname_to_principal - Generate a full principal name from a service name.","krb5_princ_size","krb5_get_renewed_creds - Get renewed credential from KDC using an existing credential.","KRB5_KEYUSAGE_KRB_ERROR_CKSUM","MSEC_VAL_MASK","krb5_get_init_creds_opt_set_proxiable - Set or unset the proxiable flag in initial credential options.","KRB5_LRQ_ALL_LAST_TGT_ISSUED","krb5_cc_get_name - Retrieve the name, but not type of a credential cache.","KRB5_PRIV","KRB5_PADATA_TGS_REQ","krb5_kt_get_entry - Get an entry from a key table.","krb5_string_to_deltat - Convert a string to a delta time value.","Various links","KRB5_NT_ENTERPRISE_PRINCIPAL","KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE","krb5_cc_unlock - Unlock a credential cache.","krb5_cryptotype","krb5_pac_init - Create an empty Privilege Attribute Certificate (PAC) handle.","krb5_process_key","KDC_OPT_FORWARDABLE","krb5_checksum_size","krb5_free_principal - Free the storage assigned to a principal.","krb5_copy_addresses - Copy an array of addresses.","k5srvutil","krb5_get_init_creds_opt_set_anonymous - Set or unset the anonymous flag in initial credential options.","krb5_copy_principal - Copy a principal.","krb5_authenticator","ENCTYPE_AES128_CTS_HMAC_SHA1_96","KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY","krb5_kt_read_service_key - Retrieve a service key from a key table.","Principal manipulation and parsing","krb5_mk_ncred - Format a KRB-CRED message for an array of credentials.","KRB5_LRQ_ONE_LAST_RENEWAL","krb5_copy_keyblock_contents - Copy the contents of a keyblock.","krb5_tkt_creds_get - Synchronously obtain credentials using a TGS request context.","krb5_auth_con_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.","krb5_init_context_profile - Create a krb5 library context using a specified profile.","krb5_cc_close - Close a credential cache handle.","krb5_tkt_creds_init - Create a context to get credentials from a KDC’s Ticket Granting Service.","krb5_timeofday - Retrieve the current time with context specific time offset adjustment.","krb5_xc","KRB5_CRED","krb5_get_init_creds_opt_set_change_password_prompt - Set or unset change-password-prompt flag in initial credential options.","krb5_k_make_checksum - Compute a checksum (operates on opaque key).","krb5_auth_con_init - Create and initialize an authentication context.","osconf.hin","KRB5_KEYUSAGE_FAST_REP","User config files","ADDRTYPE_IPPORT","KRB5_KEYUSAGE_PA_OTP_REQUEST","KRB5_AUTHDATA_INITIAL_VERIFIED_CAS","krb5_prompter_fct","krb5_init_creds_get - Acquire credentials using an initial credentials context.","KRB5_LRQ_ALL_ACCT_EXPTIME","krb5_encrypt_block","krb5_cksumtype_to_string - Convert a checksum type to a string.","TKT_FLG_PROXIABLE","KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM","krb5_k_decrypt_iov - Decrypt data in place supporting AEAD (operates on opaque key).","KRB5_PRINCIPAL_COMPARE_IGNORE_REALM","krb5_init_creds_get_times - Retrieve ticket times from an initial credentials context.","For users","KRB5_TC_MATCH_TIMES_EXACT","GSSAPI mechanism interface","krb5_pac_sign - Sign a PAC.","CKSUMTYPE_RSA_MD4_DES","krb5_pa_pac_req","KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR","KRB5_PADATA_ENC_TIMESTAMP","KRB5_SAM_SEND_ENCRYPTED_SAD","krb5_responder_pkinit_identity","KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN","krb5_error_code","krb5_auth_con_setsendsubkey_k - Set the send subkey in an auth context.","ENCTYPE_RSA_ES_OAEP_ENV","Contributing to the MIT Kerberos Documentation","KRB5_PADATA_AS_CHECKSUM","ADDRTYPE_ADDRPORT","KRB5_TC_NOTICKET","AD_TYPE_RESERVED","krb5_string_to_timestamp - Convert a string to a timestamp.","KRB5_KEYUSAGE_TGS_REQ_AUTH",".k5identity","krb5_auth_con_set_checksum_func - Set a checksum callback in an auth context.","KRB5_LRQ_ALL_PW_EXPTIME","ADDRTYPE_CHAOS","krb5_get_init_creds_opt_set_responder - Set the responder function in initial credential options.","KRB5_AUTH_CONTEXT_DO_SEQUENCE","krb5_is_referral_realm - Check for a match with KRB5_REFERRAL_REALM.","krb5_kt_cursor","krb5_c_decrypt_iov - Decrypt data in place supporting AEAD (operates on keyblock).","Installing and configuring UNIX client machines","krb5_creds","Application servers","KRB5_LRQ_ALL_LAST_INITIAL","krb5_get_init_creds_opt_set_salt - Set salt for optimistic preauthentication in initial credential options.","KRB5_TGS_NAME_SIZE","krb5_get_init_creds_opt_set_renew_life - Set the ticket renewal lifetime in initial credential options.","krb5_princ_realm","AP_OPTS_ETYPE_NEGOTIATION","krb5_free_cred_contents - Free the contents of a krb5_creds structure.","KRB5_TC_SUPPORTED_KTYPES","krb5_kt_next_entry - Retrieve the next entryfrom the key table.","ENCTYPE_DES_CBC_RAW","KRB5_PADATA_S4U_X509_USER","KRB5_INT16_MAX","krb5_rcache","KDC_OPT_POSTDATED","krb5_ui_4","krb5_ui_2","krb5_vprepend_error_message - Add a prefix to the message for an error code using a va_list.","krb5.conf","KRB5_NT_UNKNOWN","sserver","Configuration interface (profile)","KRB5_NT_SMTP_NAME","krb5_get_init_creds_opt_get_fast_flags - Retrieve FAST flags from initial credential options.","krb5_cc_set_default_name - Set the default credential cache name.","krb5_eblock_enctype","krb5_k_encrypt_iov - Encrypt data in place supporting AEAD (operates on opaque key).","krb5_rd_safe - Process KRB-SAFE message.","AP_OPTS_MUTUAL_REQUIRED","krb5_cc_initialize - Initialize a credential cache.","KDC_TKT_COMMON_MASK","krb5_c_prf_length - Get the output length of pseudo-random functions for an encryption type.","krb5_enc_tkt_part","krb5_get_init_creds_opt_set_fast_ccache_name - Set location of FAST armor ccache in initial credential options.","KRB5_DOMAIN_X500_COMPRESS","krb5_get_init_creds_opt","KRB5_AUTH_CONTEXT_USE_SUBKEY","krb5_responder_otp_set_answer - Answer the KRB5_RESPONDER_QUESTION_OTP question.","krb5_mk_safe - Format a KRB-SAFE message.","KRB5_PRINCIPAL_PARSE_REQUIRE_REALM","KRB5_GET_INIT_CREDS_OPT_FORWARDABLE","krb5_kt_get_type - Return the type of a key table.","Organization of the source directory","krb5_tkt_authent","KRB5_PRINCIPAL_PARSE_IGNORE_REALM","KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST","krb5_c_encrypt - Encrypt data using a key (operates on keyblock).","krb5_get_init_creds_keytab - Get initial credentials using a key table.","krb5_free_data_contents - Free the contents of a krb5_data structure and zero the data field.","krb5_kvno","KDC_OPT_PROXY","krb5_k_free_key - Decrement the reference count on a key and free it if it hits zero.","KRB5_NT_ENT_PRINCIPAL_AND_ID","krb5_keytab_entry","krb5_prompter_posix - Prompt user for password.","KRB5_PADATA_PK_AS_REQ_OLD","KDC preauthentication interface (kdcpreauth)","KRB5_NT_MS_PRINCIPAL","krb5_us_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.","krb5_set_trace_filename - Specify a file name for directing trace events.","KRB5_KEYUSAGE_KRB_CRED_ENCPART","LDAP backend on Ubuntu 10.4 (lucid)","krb5_finish_random_key","krb5_post_recv_fn","KRB5_AUTH_CONTEXT_PERMIT_ALL","krb5_cc_destroy - Destroy a credential cache.","krb5_tkt_creds_get_creds - Retrieve acquired credentials from a TGS request context.","KDC_OPT_RENEWABLE_OK","krb5_init_context - Create a krb5 library context.","krb5_kuserok - Determine if a principal is authorized to log in as a local user.","KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG","krb5_addrtype","TKT_FLG_HW_AUTH","KRB5_RECVAUTH_BADAUTHVERS","krb5_k_key_enctype - Retrieve the enctype of a krb5_key structure.","krb5_auth_con_initivector","KRB5_TC_MATCH_SRV_NAMEONLY","krb5_c_valid_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.","krb5_auth_con_getauthenticator - Retrieve the authenticator from an auth context.","CKSUMTYPE_HMAC_SHA256_128_AES128","krb5_timestamp_to_sfstring - Convert a timestamp to a string, with optional output padding.","krb5_os_localaddr - Return all interface addresses for this host.","krb5_c_prf - Generate enctype-specific pseudo-random bytes.","krb5_build_principal_alloc_va - Build a principal name, using a precomputed variable argument list.","krb5_gic_opt_pa_data","krb5_timestamp_to_string - Convert a timestamp to a string.","KRB5_KEYUSAGE_CAMMAC","krb5_set_principal_realm - Set the realm field of a principal.","krb5_free_ap_rep_enc_part - Free a krb5_ap_rep_enc_part structure.","KRB5_ANONYMOUS_REALMSTR","KRB5_PAC_SERVER_CHECKSUM","Internal pluggable interfaces","KRB5_PROMPT_TYPE_PASSWORD","krb5_copy_authdata - Copy an authorization data list.","LR_TYPE_INTERPRETATION_MASK","passwd_phrase_element","krb5_set_password_using_ccache - Set a password for a principal using cached credentials.","KRB5_PAC_UPN_DNS_INFO","MSEC_DIRBIT","KRB5_KEYUSAGE_KDC_REP_TICKET","ENCTYPE_AES256_CTS_HMAC_SHA384_192","Installing KDCs","krb5_use_enctype","krb5_responder_otp_tokeninfo","krb5_prompt_type","ENCTYPE_RC2_CBC_ENV","krb5_principal","krb5_pac_parse - Unparse an encoded PAC into a new handle.","KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN","krb5_rd_error - Decode a KRB-ERROR message.","krb5_ap_rep_enc_part","KRB5_SAM_MUST_PK_ENCRYPT_SAD","krb5_princ_name","krb5_get_init_creds_opt_set_expire_callback - Set an expiration callback in initial credential options.","KRB5_AUTHDATA_AUTH_INDICATOR","krb5_timestamp","krb5_random_key","krb5_init_creds_free - Free an initial credentials context.","krb5_is_thread_safe - Test whether the Kerberos library was built with multithread support.","ENCTYPE_DES_CBC_CRC","krb5_read_password - Read a password from keyboard input.","krb5_auth_con_getkey_k - Retrieve the session key from an auth context.","krb5_cc_set_flags - Set options flags on a credential cache.","krb5_rd_rep_dce - Parse and decrypt a KRB_AP_REP message for DCE RPC.","kswitch","krb5_responder_fn","krb5_allow_weak_crypto - Allow the appplication to override the profile’s allow_weak_crypto setting.","krb5_auth_con_getsendsubkey_k - Retrieve the send subkey from an auth context.","krb5_c_random_seed","krb5_octet","krb5_crypto_iov","KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW"],objects:{"":{krb5_c_string_to_key:[69,0,1,"c.krb5_c_string_to_key"],KRB5_LRQ_ALL_LAST_TGT_ISSUED:[707,3,1,""],krb5_get_in_tkt_with_password:[224,0,1,"c.krb5_get_in_tkt_with_password"],KRB5_TGS_NAME:[567,3,1,""],KRB5_INT32_MIN:[134,3,1,""],KRB5_KEYUSAGE_AD_SIGNEDPATH:[418,3,1,""],krb5_get_in_tkt_with_keytab:[657,0,1,"c.krb5_get_in_tkt_with_keytab"],krb5_pac_parse:[901,0,1,"c.krb5_pac_parse"],krb5_copy_authdata:[887,0,1,"c.krb5_copy_authdata"],krb5_address_compare:[394,0,1,"c.krb5_address_compare"],krb5_copy_context:[141,0,1,"c.krb5_copy_context"],krb5_cc_get_config:[524,0,1,"c.krb5_cc_get_config"],KRB5_AUTHDATA_KDC_ISSUED:[41,3,1,""],krb5_sname_match:[18,0,1,"c.krb5_sname_match"],KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:[343,3,1,""],ENCTYPE_DES_HMAC_SHA1:[84,3,1,""],krb5_transited:[496,2,1,"c.krb5_transited"],krb5_kt_remove_entry:[158,0,1,"c.krb5_kt_remove_entry"],krb5_server_decrypt_ticket_keytab:[389,0,1,"c.krb5_server_decrypt_ticket_keytab"],krb5_free_ticket:[144,0,1,"c.krb5_free_ticket"],krb5_kt_close:[206,0,1,"c.krb5_kt_close"],krb5_get_init_creds_opt_set_pa:[81,0,1,"c.krb5_get_init_creds_opt_set_pa"],MSEC_VAL_MASK:[705,3,1,""],ENCTYPE_DES3_CBC_SHA1:[677,3,1,""],KRB5_KPASSWD_ACCESSDENIED:[281,3,1,""],krb5_build_principal_ext:[453,0,1,"c.krb5_build_principal_ext"],TKT_FLG_FORWARDED:[605,3,1,""],krb5_c_free_state:[300,0,1,"c.krb5_c_free_state"],krb5_free_cksumtypes:[435,0,1,"c.krb5_free_cksumtypes"],KRB5_PADATA_SAM_REDIRECT:[601,3,1,""],CKSUMTYPE_HMAC_SHA1_96_AES256:[96,3,1,""],KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:[772,3,1,""],krb5_build_principal_va:[577,0,1,"c.krb5_build_principal_va"],krb5_prompter_fct:[752,2,1,"c.krb5_prompter_fct"],krb5_k_key_enctype:[868,0,1,"c.krb5_k_key_enctype"],KRB5_PADATA_PK_AS_REQ_OLD:[849,3,1,""],krb5_eblock_enctype:[819,0,1,"c.krb5_eblock_enctype"],krb5_get_init_creds_opt_set_fast_ccache_name:[827,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache_name"],krb5_responder_pkinit_get_challenge:[649,0,1,"c.krb5_responder_pkinit_get_challenge"],KRB5_PAC_SERVER_CHECKSUM:[884,3,1,""],KRB5_CRYPTO_TYPE_DATA:[652,3,1,""],krb5_keyblock:[525,2,1,"c.krb5_keyblock"],KRB5_PAC_UPN_DNS_INFO:[891,3,1,""],krb5_princ_realm:[799,3,1,""],krb5_principal_data:[425,2,1,"c.krb5_principal_data"],krb5_c_derive_prfplus:[349,0,1,"c.krb5_c_derive_prfplus"],ENCTYPE_UNKNOWN:[622,3,1,""],krb5_tkt_creds_get_creds:[860,0,1,"c.krb5_tkt_creds_get_creds"],krb5_cc_store_cred:[463,0,1,"c.krb5_cc_store_cred"],krb5_rd_priv:[215,0,1,"c.krb5_rd_priv"],KRB5_KEYUSAGE_PA_FX_COOKIE:[475,3,1,""],krb5_cc_move:[611,0,1,"c.krb5_cc_move"],krb5_verify_authdata_kdc_issued:[373,0,1,"c.krb5_verify_authdata_kdc_issued"],krb5_aname_to_localname:[129,0,1,"c.krb5_aname_to_localname"],KRB5_AP_REQ:[57,3,1,""],KRB5_AP_REP:[390,3,1,""],krb5_enc_data:[370,2,1,"c.krb5_enc_data"],krb5_address_search:[399,0,1,"c.krb5_address_search"],krb5_free_authenticator:[178,0,1,"c.krb5_free_authenticator"],krb5_get_permitted_enctypes:[105,0,1,"c.krb5_get_permitted_enctypes"],krb5_c_random_make_octets:[580,0,1,"c.krb5_c_random_make_octets"],KRB5_KEYUSAGE_GSS_TOK_MIC:[186,3,1,""],krb5_cc_dup:[629,0,1,"c.krb5_cc_dup"],KRB5_PRIV:[709,3,1,""],KRB5_PADATA_OTP_CHALLENGE:[271,3,1,""],TKT_FLG_PROXIABLE:[757,3,1,""],krb5_auth_con_setrecvsubkey_k:[699,0,1,"c.krb5_auth_con_setrecvsubkey_k"],krb5_cccol_cursor_new:[684,0,1,"c.krb5_cccol_cursor_new"],krb5_auth_con_getrecvsubkey_k:[406,0,1,"c.krb5_auth_con_getrecvsubkey_k"],krb5_verify_init_creds_opt:[6,2,1,"c.krb5_verify_init_creds_opt"],KRB5_PADATA_AP_REQ:[113,3,1,""],KRB5_KEYUSAGE_AS_REQ:[196,3,1,""],krb5_cc_gen_new:[681,0,1,"c.krb5_cc_gen_new"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:[729,3,1,""],krb5_auth_con_getrcache:[458,0,1,"c.krb5_auth_con_getrcache"],KRB5_PADATA_PK_AS_REP:[53,3,1,""],KRB5_PADATA_PK_AS_REQ:[637,3,1,""],AD_TYPE_EXTERNAL:[581,3,1,""],krb5_cc_unlock:[716,0,1,"c.krb5_cc_unlock"],krb5_cred_enc_part:[189,2,1,"c.krb5_cred_enc_part"],passwd_phrase_element:[889,2,1,"c.passwd_phrase_element"],KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:[262,3,1,""],krb5_flags:[481,2,1,"c.krb5_flags"],krb5_cc_select:[393,0,1,"c.krb5_cc_select"],krb5_mk_req_extended:[1,0,1,"c.krb5_mk_req_extended"],krb5_kt_free_entry:[329,0,1,"c.krb5_kt_free_entry"],KRB5_AUTHDATA_IF_RELEVANT:[471,3,1,""],krb5_finish_key:[419,0,1,"c.krb5_finish_key"],krb5_creds:[793,2,1,"c.krb5_creds"],krb5_boolean:[454,2,1,"c.krb5_boolean"],krb5_responder_pkinit_identity:[771,2,1,"c.krb5_responder_pkinit_identity"],krb524_convert_creds_kdc:[90,3,1,""],KRB5_NT_SRV_HST:[260,3,1,""],krb5_get_init_creds_opt_free:[407,0,1,"c.krb5_get_init_creds_opt_free"],KRB5_AUTHDATA_AND_OR:[617,3,1,""],KRB5_CRYPTO_TYPE_HEADER:[645,3,1,""],KRB5_PRINCIPAL_UNPARSE_DISPLAY:[116,3,1,""],KRB5_NT_WELLKNOWN:[311,3,1,""],krb5_get_init_creds_opt_set_proxiable:[706,0,1,"c.krb5_get_init_creds_opt_set_proxiable"],krb5_ui_4:[809,2,1,"c.krb5_ui_4"],KRB5_NT_ENTERPRISE_PRINCIPAL:[714,3,1,""],krb5_cc_get_flags:[447,0,1,"c.krb5_cc_get_flags"],KRB5_KPASSWD_MALFORMED:[58,3,1,""],KRB5_AS_REP:[634,3,1,""],KRB5_AS_REQ:[633,3,1,""],krb5_init_random_key:[526,0,1,"c.krb5_init_random_key"],KRB5_CRYPTO_TYPE_PADDING:[402,3,1,""],krb5_k_create_key:[251,0,1,"c.krb5_k_create_key"],ENCTYPE_RC2_CBC_ENV:[899,3,1,""],krb5_rd_rep_dce:[917,0,1,"c.krb5_rd_rep_dce"],KRB5_PADATA_ETYPE_INFO2:[550,3,1,""],krb5_set_trace_callback:[372,0,1,"c.krb5_set_trace_callback"],krb5_key:[78,2,1,"c.krb5_key"],krb5_pwd_data:[443,2,1,"c.krb5_pwd_data"],KRB5_PAC_CREDENTIALS_INFO:[497,3,1,""],KRB5_PADATA_OTP_REQUEST:[528,3,1,""],krb5_cc_start_seq_get:[133,0,1,"c.krb5_cc_start_seq_get"],krb5_copy_error_message:[508,0,1,"c.krb5_copy_error_message"],KRB5_TGS_NAME_SIZE:[797,3,1,""],krb5_expire_callback_func:[278,2,1,"c.krb5_expire_callback_func"],krb5_realm_compare:[130,0,1,"c.krb5_realm_compare"],KDC_OPT_CANONICALIZE:[297,3,1,""],krb5_c_fx_cf2_simple:[72,0,1,"c.krb5_c_fx_cf2_simple"],krb5_cc_close:[738,0,1,"c.krb5_cc_close"],krb5_tkt_creds_get:[735,0,1,"c.krb5_tkt_creds_get"],CKSUMTYPE_HMAC_SHA1_DES3:[199,3,1,""],krb5_auth_con_setaddrs:[693,0,1,"c.krb5_auth_con_setaddrs"],krb5_get_init_creds_opt_set_address_list:[371,0,1,"c.krb5_get_init_creds_opt_set_address_list"],krb5_k_verify_checksum:[631,0,1,"c.krb5_k_verify_checksum"],krb5_init_creds_get:[753,0,1,"c.krb5_init_creds_get"],krb5_ap_req:[259,2,1,"c.krb5_ap_req"],krb5_ap_rep:[636,2,1,"c.krb5_ap_rep"],KDC_OPT_POSTDATED:[808,3,1,""],CKSUMTYPE_RSA_MD5_DES:[305,3,1,""],MSEC_DIRBIT:[892,3,1,""],krb5_get_init_creds_opt_set_out_ccache:[532,0,1,"c.krb5_get_init_creds_opt_set_out_ccache"],CKSUMTYPE_HMAC_SHA384_192_AES256:[50,3,1,""],krb5_kuserok:[863,0,1,"c.krb5_kuserok"],KRB5_TC_MATCH_KTYPE:[587,3,1,""],TKT_FLG_MAY_POSTDATE:[209,3,1,""],krb5_auth_context:[513,2,1,"c.krb5_auth_context"],AP_OPTS_USE_SESSION_KEY:[541,3,1,""],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:[232,3,1,""],krb5_c_make_checksum_iov:[310,0,1,"c.krb5_c_make_checksum_iov"],krb5_verify_init_creds_opt_init:[204,0,1,"c.krb5_verify_init_creds_opt_init"],krb5_calculate_checksum:[401,0,1,"c.krb5_calculate_checksum"],KRB5_WELLKNOWN_NAMESTR:[86,3,1,""],THREEPARAMOPEN:[570,3,1,""],KRB5_RESPONDER_QUESTION_PKINIT:[118,3,1,""],krb5_kt_get_name:[374,0,1,"c.krb5_kt_get_name"],MAX_KEYTAB_NAME_LEN:[109,3,1,""],KDC_OPT_PROXY:[844,3,1,""],KRB5_KEYUSAGE_KRB_ERROR_CKSUM:[704,3,1,""],KRB5_TC_MATCH_TIMES:[375,3,1,""],krb5_kt_client_default:[200,0,1,"c.krb5_kt_client_default"],krb5_principal:[900,2,1,"c.krb5_principal"],KRB5_NT_SRV_XHST:[192,3,1,""],krb5_encode_authdata_container:[274,0,1,"c.krb5_encode_authdata_container"],KRB5_TC_MATCH_AUTHDATA:[13,3,1,""],krb5_cred:[336,2,1,"c.krb5_cred"],krb5_authenticator:[727,2,1,"c.krb5_authenticator"],krb5_k_key_keyblock:[359,0,1,"c.krb5_k_key_keyblock"],krb5_pa_server_referral_data:[220,2,1,"c.krb5_pa_server_referral_data"],KRB5_CRYPTO_TYPE_SIGN_ONLY:[474,3,1,""],krb5_cc_last_change_time:[237,0,1,"c.krb5_cc_last_change_time"],KRB5_PRINCIPAL_PARSE_IGNORE_REALM:[838,3,1,""],krb5_init_creds_get_times:[761,0,1,"c.krb5_init_creds_get_times"],KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:[252,3,1,""],krb5_cccol_unlock:[340,0,1,"c.krb5_cccol_unlock"],KRB5_AUTHDATA_SIGNTICKET:[285,3,1,""],krb5_c_init_state:[197,0,1,"c.krb5_c_init_state"],krb5_auth_con_get_checksum_func:[151,0,1,"c.krb5_auth_con_get_checksum_func"],krb5_free_principal:[722,0,1,"c.krb5_free_principal"],KRB5_GC_CANONICALIZE:[533,3,1,""],krb5_responder_otp_set_answer:[831,0,1,"c.krb5_responder_otp_set_answer"],krb5_const:[663,3,1,""],ADDRTYPE_IPPORT:[749,3,1,""],krb5_vwrap_error_message:[140,0,1,"c.krb5_vwrap_error_message"],KRB5_PADATA_ENC_TIMESTAMP:[769,3,1,""],ADDRTYPE_IS_LOCAL:[431,3,1,""],TKT_FLG_HW_AUTH:[866,3,1,""],ENCTYPE_NULL:[585,3,1,""],krb5_verify_init_creds:[519,0,1,"c.krb5_verify_init_creds"],krb5_set_real_time:[461,0,1,"c.krb5_set_real_time"],krb5_find_authdata:[436,0,1,"c.krb5_find_authdata"],krb5_init_creds_context:[650,2,1,"c.krb5_init_creds_context"],krb5_us_timeofday:[852,0,1,"c.krb5_us_timeofday"],krb5_c_keylengths:[604,0,1,"c.krb5_c_keylengths"],krb5_unparse_name_ext:[479,0,1,"c.krb5_unparse_name_ext"],KRB5_PADATA_FX_FAST:[626,3,1,""],KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:[715,3,1,""],krb5_error_code:[773,2,1,"c.krb5_error_code"],krb5_free_enctypes:[22,0,1,"c.krb5_free_enctypes"],krb5_k_encrypt_iov:[820,0,1,"c.krb5_k_encrypt_iov"],krb5_auth_con_setrcache:[543,0,1,"c.krb5_auth_con_setrcache"],krb5_fwd_tgt_creds:[318,0,1,"c.krb5_fwd_tgt_creds"],krb5_prompt:[139,2,1,"c.krb5_prompt"],KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:[465,3,1,""],krb5_copy_addresses:[723,0,1,"c.krb5_copy_addresses"],krb5_get_init_creds_opt_init:[142,0,1,"c.krb5_get_init_creds_opt_init"],krb5_get_renewed_creds:[703,0,1,"c.krb5_get_renewed_creds"],krb5_anonymous_principal:[227,0,1,"c.krb5_anonymous_principal"],krb5_c_make_random_key:[143,0,1,"c.krb5_c_make_random_key"],krb5_cc_initialize:[823,0,1,"c.krb5_cc_initialize"],KDC_TKT_COMMON_MASK:[824,3,1,""],krb5_c_valid_cksumtype:[510,0,1,"c.krb5_c_valid_cksumtype"],krb5_string_to_key:[609,0,1,"c.krb5_string_to_key"],krb5_get_in_tkt_with_skey:[378,0,1,"c.krb5_get_in_tkt_with_skey"],krb5_auth_con_setports:[625,0,1,"c.krb5_auth_con_setports"],krb5_timestamp:[909,2,1,"c.krb5_timestamp"],krb5_ticket_times:[660,2,1,"c.krb5_ticket_times"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:[174,3,1,""],krb5_auth_con_getrecvsubkey:[653,0,1,"c.krb5_auth_con_getrecvsubkey"],KDC_OPT_VALIDATE:[214,3,1,""],ENCTYPE_DES3_CBC_SHA:[244,3,1,""],KRB5_SAFE:[534,3,1,""],krb5_copy_creds:[627,0,1,"c.krb5_copy_creds"],krb5_k_make_checksum_iov:[600,0,1,"c.krb5_k_make_checksum_iov"],krb5_princ_name:[906,3,1,""],KRB5_AUTH_CONTEXT_DO_SEQUENCE:[788,3,1,""],TKT_FLG_POSTDATED:[410,3,1,""],AP_OPTS_ETYPE_NEGOTIATION:[800,3,1,""],KRB5_NT_SMTP_NAME:[816,3,1,""],krb5_princ_set_realm:[294,3,1,""],KRB5_GC_USER_USER:[588,3,1,""],krb5_pac_verify:[258,0,1,"c.krb5_pac_verify"],krb5_deltat:[676,2,1,"c.krb5_deltat"],krb5_rd_safe:[821,0,1,"c.krb5_rd_safe"],krb5_auth_con_getlocalsubkey:[210,0,1,"c.krb5_auth_con_getlocalsubkey"],krb5_enctype:[531,2,1,"c.krb5_enctype"],krb5_sendauth:[642,0,1,"c.krb5_sendauth"],krb5_auth_con_getsendsubkey_k:[921,0,1,"c.krb5_auth_con_getsendsubkey_k"],KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:[350,3,1,""],krb5_k_verify_checksum_iov:[385,0,1,"c.krb5_k_verify_checksum_iov"],krb5_get_host_realm:[292,0,1,"c.krb5_get_host_realm"],KRB5_CRYPTO_TYPE_TRAILER:[408,3,1,""],krb5_appdefault_boolean:[124,0,1,"c.krb5_appdefault_boolean"],krb5_set_kdc_send_hook:[623,0,1,"c.krb5_set_kdc_send_hook"],KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:[446,3,1,""],krb5_unparse_name:[549,0,1,"c.krb5_unparse_name"],krb5_timeofday:[740,0,1,"c.krb5_timeofday"],krb5_c_checksum_length:[674,0,1,"c.krb5_c_checksum_length"],krb5_c_make_checksum:[505,0,1,"c.krb5_c_make_checksum"],krb5_authdata:[360,2,1,"c.krb5_authdata"],KRB5_SAM_SEND_ENCRYPTED_SAD:[770,3,1,""],krb5_set_kdc_recv_hook:[167,0,1,"c.krb5_set_kdc_recv_hook"],krb5_cc_lock:[205,0,1,"c.krb5_cc_lock"],KRB5_GC_NO_STORE:[451,3,1,""],krb5_responder_otp_get_challenge:[47,0,1,"c.krb5_responder_otp_get_challenge"],krb5_responder_context:[527,2,1,"c.krb5_responder_context"],krb5_c_is_coll_proof_cksum:[584,0,1,"c.krb5_c_is_coll_proof_cksum"],KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:[758,3,1,""],KRB5_PADATA_ETYPE_INFO:[33,3,1,""],krb5_cc_get_principal:[491,0,1,"c.krb5_cc_get_principal"],KRB5_PADATA_TGS_REQ:[710,3,1,""],CKSUMTYPE_CMAC_CAMELLIA128:[516,3,1,""],krb5_rd_req:[568,0,1,"c.krb5_rd_req"],KRB5_CRED:[742,3,1,""],krb5_responder_otp_challenge:[514,2,1,"c.krb5_responder_otp_challenge"],krb5_unparse_name_flags:[489,0,1,"c.krb5_unparse_name_flags"],krb5_anonymous_realm:[49,0,1,"c.krb5_anonymous_realm"],krb5_auth_con_free:[166,0,1,"c.krb5_auth_con_free"],KRB5_KEYUSAGE_KRB_PRIV_ENCPART:[659,3,1,""],CKSUMTYPE_DESCBC:[414,3,1,""],KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:[760,3,1,""],krb5_timestamp_to_sfstring:[874,0,1,"c.krb5_timestamp_to_sfstring"],krb5_pointer:[60,2,1,"c.krb5_pointer"],VALID_INT_BITS:[380,3,1,""],KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:[833,3,1,""],krb5_init_creds_step:[185,0,1,"c.krb5_init_creds_step"],krb5_get_init_creds_opt_set_responder:[787,0,1,"c.krb5_get_init_creds_opt_set_responder"],KRB5_PROMPT_TYPE_NEW_PASSWORD:[679,3,1,""],krb5_pa_pac_req:[767,2,1,"c.krb5_pa_pac_req"],krb5_get_server_rcache:[586,0,1,"c.krb5_get_server_rcache"],krb5_responder_otp_tokeninfo:[897,2,1,"c.krb5_responder_otp_tokeninfo"],krb5_init_creds_get_error:[74,0,1,"c.krb5_init_creds_get_error"],KRB5_PADATA_SESAME:[303,3,1,""],KDC_OPT_ENC_TKT_IN_SKEY:[202,3,1,""],KRB5_CRYPTO_TYPE_STREAM:[478,3,1,""],ADDRTYPE_INET:[383,3,1,""],krb5_allow_weak_crypto:[920,0,1,"c.krb5_allow_weak_crypto"],KRB5_KEYUSAGE_FAST_ENC:[289,3,1,""],krb5_last_req_entry:[503,2,1,"c.krb5_last_req_entry"],KRB5_PAC_PRIVSVR_CHECKSUM:[353,3,1,""],krb5_free_host_realm:[277,0,1,"c.krb5_free_host_realm"],krb5_cccol_have_content:[163,0,1,"c.krb5_cccol_have_content"],krb5_auth_con_getauthenticator:[872,0,1,"c.krb5_auth_con_getauthenticator"],krb5_princ_set_realm_length:[574,3,1,""],KRB5_SAM_USE_SAD_AS_KEY:[670,3,1,""],krb5_post_recv_fn:[857,2,1,"c.krb5_post_recv_fn"],krb5_cc_default_name:[191,0,1,"c.krb5_cc_default_name"],KRB5_PVNO:[500,3,1,""],KRB5_PRINCIPAL_PARSE_NO_REALM:[216,3,1,""],krb5_get_fallback_host_realm:[656,0,1,"c.krb5_get_fallback_host_realm"],krb5_checksum_size:[721,0,1,"c.krb5_checksum_size"],ENCTYPE_DES3_CBC_RAW:[673,3,1,""],KRB5_AUTH_CONTEXT_RET_TIME:[667,3,1,""],LR_TYPE_THIS_SERVER_ONLY:[145,3,1,""],KRB5_NT_ENT_PRINCIPAL_AND_ID:[846,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:[0,3,1,""],krb5_auth_con_getlocalseqnumber:[85,0,1,"c.krb5_auth_con_getlocalseqnumber"],KRB5_RESPONDER_OTP_FORMAT_DECIMAL:[661,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:[306,3,1,""],krb5_get_init_creds_opt_set_preauth_list:[644,0,1,"c.krb5_get_init_creds_opt_set_preauth_list"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:[685,3,1,""],KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:[547,3,1,""],KRB5_ENCPADATA_REQ_ENC_PA_REP:[123,3,1,""],CKSUMTYPE_RSA_MD4_DES:[766,3,1,""],KRB5_TC_MATCH_FLAGS_EXACT:[683,3,1,""],krb5_random_key:[910,0,1,"c.krb5_random_key"],krb5_free_keytab_entry_contents:[276,0,1,"c.krb5_free_keytab_entry_contents"],ENCTYPE_AES256_CTS_HMAC_SHA1_96:[52,3,1,""],krb5_responder_fn:[919,2,1,"c.krb5_responder_fn"],krb5_mk_rep:[364,0,1,"c.krb5_mk_rep"],krb5_mk_req:[363,0,1,"c.krb5_mk_req"],KRB5_FAST_REQUIRED:[456,3,1,""],KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:[664,3,1,""],krb5_clear_error_message:[9,0,1,"c.krb5_clear_error_message"],CKSUMTYPE_CMAC_CAMELLIA256:[180,3,1,""],krb5_mk_ncred:[732,0,1,"c.krb5_mk_ncred"],krb5_wrap_error_message:[38,0,1,"c.krb5_wrap_error_message"],ENCTYPE_DES_CBC_MD5:[356,3,1,""],ENCTYPE_DES_CBC_MD4:[355,3,1,""],krb5_get_init_creds_opt_set_pac_request:[37,0,1,"c.krb5_get_init_creds_opt_set_pac_request"],krb5_string_to_salttype:[432,0,1,"c.krb5_string_to_salttype"],krb5_address:[499,2,1,"c.krb5_address"],KRB5_PRINCIPAL_UNPARSE_SHORT:[128,3,1,""],krb5_kt_get_entry:[711,0,1,"c.krb5_kt_get_entry"],krb5_get_init_creds_opt_set_in_ccache:[556,0,1,"c.krb5_get_init_creds_opt_set_in_ccache"],krb5_auth_con_initivector:[869,0,1,"c.krb5_auth_con_initivector"],krb5_c_random_os_entropy:[639,0,1,"c.krb5_c_random_os_entropy"],ADDRTYPE_XNS:[270,3,1,""],KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:[839,3,1,""],krb5_prompter_posix:[848,0,1,"c.krb5_prompter_posix"],krb5_const_pointer:[480,2,1,"c.krb5_const_pointer"],AD_TYPE_REGISTERED:[396,3,1,""],krb5_keyusage:[317,2,1,"c.krb5_keyusage"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:[15,3,1,""],KRB5_PROMPT_TYPE_PASSWORD:[886,3,1,""],ENCTYPE_DES_CBC_CRC:[913,3,1,""],KRB5_PAC_DELEGATION_INFO:[161,3,1,""],KDC_OPT_PROXIABLE:[398,3,1,""],krb5_c_random_seed:[922,0,1,"c.krb5_c_random_seed"],KRB5_TC_SUPPORTED_KTYPES:[802,3,1,""],KRB5_NT_SRV_INST:[488,3,1,""],krb5_kt_have_content:[135,0,1,"c.krb5_kt_have_content"],KRB5_LRQ_NONE:[558,3,1,""],krb5_set_password:[400,0,1,"c.krb5_set_password"],KRB5_PADATA_ENC_UNIX_TIME:[495,3,1,""],krb5_tkt_creds_context:[172,2,1,"c.krb5_tkt_creds_context"],krb5_addrtype:[865,2,1,"c.krb5_addrtype"],krb5_init_creds_get_creds:[245,0,1,"c.krb5_init_creds_get_creds"],KRB5_AUTHDATA_AUTH_INDICATOR:[908,3,1,""],krb5_c_encrypt:[840,0,1,"c.krb5_c_encrypt"],krb5_use_enctype:[896,0,1,"c.krb5_use_enctype"],KRB5_PADATA_SVR_REFERRAL_INFO:[218,3,1,""],KRB5_KEYUSAGE_PA_PKINIT_KX:[314,3,1,""],krb5_get_init_creds_opt_set_fast_flags:[229,0,1,"c.krb5_get_init_creds_opt_set_fast_flags"],krb5_enctype_to_string:[597,0,1,"c.krb5_enctype_to_string"],krb5_get_validated_creds:[422,0,1,"c.krb5_get_validated_creds"],krb5_merge_authdata:[628,0,1,"c.krb5_merge_authdata"],krb5_checksum:[154,2,1,"c.krb5_checksum"],krb5_crypto_iov:[924,2,1,"c.krb5_crypto_iov"],krb5_encrypt_block:[755,2,1,"c.krb5_encrypt_block"],krb5_cc_destroy:[859,0,1,"c.krb5_cc_destroy"],KRB5_KEYUSAGE_AD_ITE:[460,3,1,""],KRB5_AUTH_CONTEXT_USE_SUBKEY:[830,3,1,""],krb5_init_creds_init:[357,0,1,"c.krb5_init_creds_init"],krb5_c_padding_length:[651,0,1,"c.krb5_c_padding_length"],TKT_FLG_ENC_PA_REP:[7,3,1,""],KDC_OPT_RENEWABLE:[512,3,1,""],KRB5_RESPONDER_QUESTION_PASSWORD:[559,3,1,""],krb5_responder_otp_challenge_free:[157,0,1,"c.krb5_responder_otp_challenge_free"],KRB5_PADATA_PAC_REQUEST:[24,3,1,""],TKT_FLG_PRE_AUTH:[313,3,1,""],krb5_cksumtype:[387,2,1,"c.krb5_cksumtype"],krb5_replay_data:[29,2,1,"c.krb5_replay_data"],krb5_responder_list_questions:[341,0,1,"c.krb5_responder_list_questions"],KDC_OPT_REQUEST_ANONYMOUS:[470,3,1,""],krb5_salttype_to_string:[690,0,1,"c.krb5_salttype_to_string"],KDC_OPT_DISABLE_TRANSITED_CHECK:[700,3,1,""],krb5_copy_keyblock_contents:[734,0,1,"c.krb5_copy_keyblock_contents"],ENCTYPE_SHA1_RSA_CMS:[560,3,1,""],CKSUMTYPE_NIST_SHA:[655,3,1,""],krb5_set_principal_realm:[881,0,1,"c.krb5_set_principal_realm"],KRB5_TC_MATCH_IS_SKEY:[173,3,1,""],krb5_init_keyblock:[316,0,1,"c.krb5_init_keyblock"],KRB5_KPASSWD_AUTHERROR:[284,3,1,""],ADDRTYPE_ADDRPORT:[778,3,1,""],CKSUMTYPE_HMAC_MD5_ARCFOUR:[64,3,1,""],KRB5_AUTHDATA_SESAME:[638,3,1,""],krb5_enctype_to_name:[171,0,1,"c.krb5_enctype_to_name"],krb5_encrypt_size:[530,0,1,"c.krb5_encrypt_size"],krb5_rcache:[807,2,1,"c.krb5_rcache"],KRB5_PRINCIPAL_COMPARE_UTF8:[593,3,1,""],krb5_tkt_creds_get_times:[121,0,1,"c.krb5_tkt_creds_get_times"],krb5_free_string:[264,0,1,"c.krb5_free_string"],krb5_free_keyblock_contents:[89,0,1,"c.krb5_free_keyblock_contents"],krb5_encrypt:[261,0,1,"c.krb5_encrypt"],krb5_cc_switch:[352,0,1,"c.krb5_cc_switch"],ADDRTYPE_NETBIOS:[405,3,1,""],krb5_auth_con_set_checksum_func:[784,0,1,"c.krb5_auth_con_set_checksum_func"],krb5_princ_type:[160,3,1,""],krb5_k_decrypt_iov:[759,0,1,"c.krb5_k_decrypt_iov"],krb5_auth_con_set_req_cksumtype:[272,0,1,"c.krb5_auth_con_set_req_cksumtype"],KRB5_PADATA_NONE:[288,3,1,""],krb5_roundup:[441,3,1,""],krb5_enc_kdc_rep_part:[324,2,1,"c.krb5_enc_kdc_rep_part"],ENCTYPE_AES256_CTS_HMAC_SHA384_192:[894,3,1,""],krb5_decode_ticket:[190,0,1,"c.krb5_decode_ticket"],krb5_trace_callback:[136,2,1,"c.krb5_trace_callback"],krb5_ap_rep_enc_part:[904,2,1,"c.krb5_ap_rep_enc_part"],krb5_pa_data:[635,2,1,"c.krb5_pa_data"],KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:[83,3,1,""],AP_OPTS_WIRE_MASK:[21,3,1,""],krb5_cc_copy_creds:[146,0,1,"c.krb5_cc_copy_creds"],KRB5_LRQ_ONE_LAST_RENEWAL:[733,3,1,""],KRB5_INT16_MIN:[201,3,1,""],krb5_get_profile:[334,0,1,"c.krb5_get_profile"],KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:[80,3,1,""],krb5_get_init_creds_opt:[829,2,1,"c.krb5_get_init_creds_opt"],krb5_cccol_cursor_next:[517,0,1,"c.krb5_cccol_cursor_next"],krb5_copy_checksum:[658,0,1,"c.krb5_copy_checksum"],krb5_get_init_creds_opt_alloc:[107,0,1,"c.krb5_get_init_creds_opt_alloc"],krb5_keytab:[582,2,1,"c.krb5_keytab"],krb5_init_creds_set_service:[421,0,1,"c.krb5_init_creds_set_service"],KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:[482,3,1,""],krb5_cccol_cursor_free:[342,0,1,"c.krb5_cccol_cursor_free"],krb5_c_crypto_length:[551,0,1,"c.krb5_c_crypto_length"],krb5_get_error_message:[51,0,1,"c.krb5_get_error_message"],krb5_cc_cursor:[501,2,1,"c.krb5_cc_cursor"],krb5_make_authdata_kdc_issued:[403,0,1,"c.krb5_make_authdata_kdc_issued"],ADDRTYPE_ISO:[106,3,1,""],krb5_c_is_keyed_cksum:[358,0,1,"c.krb5_c_is_keyed_cksum"],KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:[692,3,1,""],KDC_OPT_CNAME_IN_ADDL_TKT:[198,3,1,""],krb5_ccache:[339,2,1,"c.krb5_ccache"],krb5_change_password:[362,0,1,"c.krb5_change_password"],krb5_verify_init_creds_opt_set_ap_req_nofail:[572,0,1,"c.krb5_verify_init_creds_opt_set_ap_req_nofail"],krb5_x:[598,3,1,""],KRB5_PADATA_AFS3_SALT:[594,3,1,""],krb5_verify_checksum:[282,0,1,"c.krb5_verify_checksum"],KRB5_GC_CACHED:[442,3,1,""],krb5_keytab_entry:[847,2,1,"c.krb5_keytab_entry"],krb5_copy_data:[230,0,1,"c.krb5_copy_data"],krb5_kt_dup:[293,0,1,"c.krb5_kt_dup"],CKSUMTYPE_HMAC_SHA1_96_AES128:[578,3,1,""],krb5_free_addresses:[555,0,1,"c.krb5_free_addresses"],krb5_build_principal_alloc_va:[877,0,1,"c.krb5_build_principal_alloc_va"],KRB5_INT32_MAX:[571,3,1,""],KRB5_LRQ_ALL_LAST_INITIAL:[795,3,1,""],krb5_ticket:[309,2,1,"c.krb5_ticket"],KRB5_ANONYMOUS_REALMSTR:[883,3,1,""],krb5_init_creds_set_password:[417,0,1,"c.krb5_init_creds_set_password"],krb5_principal_compare_any_realm:[368,0,1,"c.krb5_principal_compare_any_realm"],KRB5_PADATA_SAM_RESPONSE:[602,3,1,""],krb5_free_authdata:[409,0,1,"c.krb5_free_authdata"],krb5_cccol_cursor:[221,2,1,"c.krb5_cccol_cursor"],KRB5_TC_MATCH_FLAGS:[177,3,1,""],krb5_k_make_checksum:[744,0,1,"c.krb5_k_make_checksum"],KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:[925,3,1,""],krb5_is_config_principal:[71,0,1,"c.krb5_is_config_principal"],krb5_prompt_type:[898,2,1,"c.krb5_prompt_type"],TKT_FLG_OK_AS_DELEGATE:[170,3,1,""],krb5_expand_hostname:[188,0,1,"c.krb5_expand_hostname"],krb5_process_key:[719,0,1,"c.krb5_process_key"],krb5_auth_con_setsendsubkey:[483,0,1,"c.krb5_auth_con_setsendsubkey"],KDC_OPT_ALLOW_POSTDATE:[464,3,1,""],krb5_mk_req_checksum_func:[376,2,1,"c.krb5_mk_req_checksum_func"],KRB5_KEYUSAGE_KDC_REP_TICKET:[893,3,1,""],KRB5_PADATA_FX_COOKIE:[219,3,1,""],krb5_set_trace_filename:[853,0,1,"c.krb5_set_trace_filename"],KRB5_DOMAIN_X500_COMPRESS:[828,3,1,""],krb5_sname_to_principal:[701,0,1,"c.krb5_sname_to_principal"],KRB5_KEYUSAGE_KRB_SAFE_CKSUM:[680,3,1,""],SALT_TYPE_AFS_LENGTH:[283,3,1,""],krb5_free_checksum_contents:[486,0,1,"c.krb5_free_checksum_contents"],krb5_kt_default_name:[207,0,1,"c.krb5_kt_default_name"],KRB5_KPASSWD_SOFTERROR:[152,3,1,""],krb5_preauthtype:[466,2,1,"c.krb5_preauthtype"],krb5_set_default_realm:[344,0,1,"c.krb5_set_default_realm"],krb5_free_cred_contents:[801,0,1,"c.krb5_free_cred_contents"],KRB5_AUTHDATA_OSF_DCE:[554,3,1,""],krb5_cc_retrieve_cred:[686,0,1,"c.krb5_cc_retrieve_cred"],KRB5_AUTHDATA_MANDATORY_FOR_KDC:[20,3,1,""],krb5_responder_set_answer:[235,0,1,"c.krb5_responder_set_answer"],krb5_c_keyed_checksum_types:[91,0,1,"c.krb5_c_keyed_checksum_types"],KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:[472,3,1,""],KRB5_KPASSWD_HARDERROR:[82,3,1,""],KRB5_LRQ_ONE_LAST_TGT:[553,3,1,""],krb5_cksumtype_to_string:[756,0,1,"c.krb5_cksumtype_to_string"],KRB5_AUTH_CONTEXT_RET_SEQUENCE:[16,3,1,""],krb5_c_decrypt:[669,0,1,"c.krb5_c_decrypt"],KRB5_PRINCIPAL_COMPARE_CASEFOLD:[424,3,1,""],KRB5_LRQ_ALL_ACCT_EXPTIME:[754,3,1,""],KRB5_NT_UID:[67,3,1,""],krb5_free_checksum:[348,0,1,"c.krb5_free_checksum"],TKT_FLG_ANONYMOUS:[8,3,1,""],krb5_cc_support_switch:[494,0,1,"c.krb5_cc_support_switch"],KRB5_KPASSWD_BAD_VERSION:[97,3,1,""],KRB5_CRYPTO_TYPE_EMPTY:[548,3,1,""],CKSUMTYPE_HMAC_SHA256_128_AES128:[873,3,1,""],KRB5_KEYUSAGE_FAST_REP:[747,3,1,""],krb5_init_secure_context:[641,0,1,"c.krb5_init_secure_context"],krb5_get_init_creds_opt_set_anonymous:[725,0,1,"c.krb5_get_init_creds_opt_set_anonymous"],krb5_principal_compare:[265,0,1,"c.krb5_principal_compare"],krb5_finish_random_key:[856,0,1,"c.krb5_finish_random_key"],KRB5_PAC_CLIENT_INFO:[665,3,1,""],krb5_auth_con_setflags:[115,0,1,"c.krb5_auth_con_setflags"],krb5_kt_end_seq_get:[621,0,1,"c.krb5_kt_end_seq_get"],krb5_responder_get_challenge:[242,0,1,"c.krb5_responder_get_challenge"],KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:[694,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:[539,3,1,""],krb5_auth_con_getkey_k:[915,0,1,"c.krb5_auth_con_getkey_k"],KRB5_INIT_CONTEXT_SECURE:[382,3,1,""],KRB5_LRQ_ALL_LAST_TGT:[440,3,1,""],krb5_get_init_creds_opt_set_canonicalize:[280,0,1,"c.krb5_get_init_creds_opt_set_canonicalize"],krb5_princ_set_realm_data:[231,3,1,""],KRB5_AUTH_CONTEXT_PERMIT_ALL:[858,3,1,""],krb5_pa_svr_referral_data:[304,2,1,"c.krb5_pa_svr_referral_data"],TKT_FLG_INITIAL:[351,3,1,""],KRB5_AUTHDATA_ETYPE_NEGOTIATION:[467,3,1,""],KRB5_AUTH_CONTEXT_DO_TIME:[5,3,1,""],krb5_c_encrypt_length:[182,0,1,"c.krb5_c_encrypt_length"],KRB5_GET_INIT_CREDS_OPT_PROXIABLE:[619,3,1,""],AP_OPTS_RESERVED:[290,3,1,""],krb5_cc_default:[125,0,1,"c.krb5_cc_default"],TKT_FLG_TRANSIT_POLICY_CHECKED:[459,3,1,""],krb5_init_creds_free:[911,0,1,"c.krb5_init_creds_free"],KRB5_GET_INIT_CREDS_OPT_SALT:[607,3,1,""],KRB5_REALM_BRANCH_CHAR:[79,3,1,""],krb5_const_principal:[485,2,1,"c.krb5_const_principal"],krb5_os_localaddr:[875,0,1,"c.krb5_os_localaddr"],krb5_k_encrypt:[114,0,1,"c.krb5_k_encrypt"],krb5_string_to_timestamp:[781,0,1,"c.krb5_string_to_timestamp"],ENCTYPE_ARCFOUR_HMAC_EXP:[295,3,1,""],krb5_cccol_last_change_time:[257,0,1,"c.krb5_cccol_last_change_time"],CKSUMTYPE_MD5_HMAC_ARCFOUR:[236,3,1,""],krb5_tkt_creds_step:[615,0,1,"c.krb5_tkt_creds_step"],KRB5_TC_NOTICKET:[779,3,1,""],krb524_init_ets:[338,3,1,""],AD_TYPE_RESERVED:[780,3,1,""],KDC_OPT_FORWARDED:[175,3,1,""],KRB5_LRQ_ALL_PW_EXPTIME:[785,3,1,""],KRB5_KEYUSAGE_APP_DATA_ENCRYPT:[654,3,1,""],krb5_get_init_creds_opt_get_fast_flags:[817,0,1,"c.krb5_get_init_creds_opt_get_fast_flags"],krb5_error:[457,2,1,"c.krb5_error"],KRB5_KEYUSAGE_PA_SAM_RESPONSE:[213,3,1,""],krb5_responder_pkinit_set_answer:[286,0,1,"c.krb5_responder_pkinit_set_answer"],CKSUMTYPE_CRC32:[301,3,1,""],ADDRTYPE_INET6:[156,3,1,""],KRB5_LRQ_ONE_PW_EXPTIME:[48,3,1,""],KRB5_GC_NO_TRANSIT_CHECK:[241,3,1,""],KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:[902,3,1,""],krb5_c_verify_checksum:[444,0,1,"c.krb5_c_verify_checksum"],krb5_rd_error:[903,0,1,"c.krb5_rd_error"],krb5_cc_set_default_name:[818,0,1,"c.krb5_cc_set_default_name"],krb5_recvauth:[695,0,1,"c.krb5_recvauth"],KRB5_TC_MATCH_SRV_NAMEONLY:[870,3,1,""],krb5_auth_con_getkey:[369,0,1,"c.krb5_auth_con_getkey"],KRB5_AUTHDATA_WIN2K_PAC:[498,3,1,""],KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:[19,3,1,""],krb5_kt_cursor:[790,2,1,"c.krb5_kt_cursor"],krb5_cryptotype:[717,2,1,"c.krb5_cryptotype"],krb5_mk_priv:[267,0,1,"c.krb5_mk_priv"],ENCTYPE_DSA_SHA1_CMS:[326,3,1,""],CKSUMTYPE_RSA_MD4:[92,3,1,""],KRB5_PADATA_OTP_PIN_CHANGE:[122,3,1,""],TKT_FLG_FORWARDABLE:[335,3,1,""],TKT_FLG_INVALID:[354,3,1,""],KRB5_RESPONDER_QUESTION_OTP:[433,3,1,""],krb5_magic:[490,2,1,"c.krb5_magic"],krb5_get_init_creds_opt_set_salt:[796,0,1,"c.krb5_get_init_creds_opt_set_salt"],ENCTYPE_DES_CBC_RAW:[804,3,1,""],krb5_tkt_creds_free:[62,0,1,"c.krb5_tkt_creds_free"],KRB5_KEYUSAGE_FAST_REQ_CHKSUM:[193,3,1,""],ENCTYPE_CAMELLIA256_CTS_CMAC:[404,3,1,""],krb5_kt_start_seq_get:[40,0,1,"c.krb5_kt_start_seq_get"],krb5_auth_con_getflags:[266,0,1,"c.krb5_auth_con_getflags"],KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:[367,3,1,""],krb5_get_init_creds_opt_set_tkt_life:[520,0,1,"c.krb5_get_init_creds_opt_set_tkt_life"],KRB5_NT_PRINCIPAL:[643,3,1,""],krb5_kvno:[843,2,1,"c.krb5_kvno"],krb5_auth_con_getaddrs:[536,0,1,"c.krb5_auth_con_getaddrs"],ENCTYPE_CAMELLIA128_CTS_CMAC:[246,3,1,""],krb5_cc_set_config:[77,0,1,"c.krb5_cc_set_config"],krb5_chpw_message:[110,0,1,"c.krb5_chpw_message"],krb5_cccol_lock:[112,0,1,"c.krb5_cccol_lock"],KRB5_PADATA_ENC_SANDIA_SECURID:[592,3,1,""],krb5_mk_error:[565,0,1,"c.krb5_mk_error"],krb5_princ_component:[439,3,1,""],krb5_425_conv_principal:[12,0,1,"c.krb5_425_conv_principal"],krb5_unparse_name_flags_ext:[108,0,1,"c.krb5_unparse_name_flags_ext"],KRB5_KEYUSAGE_KRB_CRED_ENCPART:[854,3,1,""],KRB5_PADATA_REFERRAL:[552,3,1,""],TKT_FLG_PROXY:[445,3,1,""],KRB5_LRQ_ONE_LAST_REQ:[187,3,1,""],krb5_free_data:[194,0,1,"c.krb5_free_data"],krb5_int16:[153,2,1,"c.krb5_int16"],krb5_int32:[546,2,1,"c.krb5_int32"],KRB5_PRINCIPAL_COMPARE_ENTERPRISE:[381,3,1,""],krb5_k_reference_key:[103,0,1,"c.krb5_k_reference_key"],KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:[675,3,1,""],KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:[468,3,1,""],krb5_string_to_enctype:[450,0,1,"c.krb5_string_to_enctype"],krb5_init_creds_set_keytab:[412,0,1,"c.krb5_init_creds_set_keytab"],krb5_c_decrypt_iov:[791,0,1,"c.krb5_c_decrypt_iov"],krb5_string_to_deltat:[712,0,1,"c.krb5_string_to_deltat"],krb5_timestamp_to_string:[879,0,1,"c.krb5_timestamp_to_string"],krb5_kt_get_type:[835,0,1,"c.krb5_kt_get_type"],krb5_cc_end_seq_get:[243,0,1,"c.krb5_cc_end_seq_get"],KRB5_CYBERSAFE_SECUREID:[250,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA1_96:[728,3,1,""],krb5_is_referral_realm:[789,0,1,"c.krb5_is_referral_realm"],KRB5_PADATA_PW_SALT:[379,3,1,""],krb5_c_prf_length:[825,0,1,"c.krb5_c_prf_length"],krb5_authdatatype:[299,2,1,"c.krb5_authdatatype"],ENCTYPE_DES3_CBC_ENV:[150,3,1,""],krb5_kdc_req:[34,2,1,"c.krb5_kdc_req"],krb5_kdc_rep:[35,2,1,"c.krb5_kdc_rep"],krb5_get_init_creds_opt_set_fast_ccache:[575,0,1,"c.krb5_get_init_creds_opt_set_fast_ccache"],krb5_gic_opt_pa_data:[878,2,1,"c.krb5_gic_opt_pa_data"],krb5_string_to_cksumtype:[590,0,1,"c.krb5_string_to_cksumtype"],krb5_free_ap_rep_enc_part:[882,0,1,"c.krb5_free_ap_rep_enc_part"],KRB5_ERROR:[238,3,1,""],KRB5_PADATA_USE_SPECIFIED_KVNO:[183,3,1,""],KRB5_LRQ_ONE_LAST_TGT_ISSUED:[668,3,1,""],krb5_auth_con_setsendsubkey_k:[774,0,1,"c.krb5_auth_con_setsendsubkey_k"],KRB5_KEYUSAGE_CAMMAC:[880,3,1,""],krb5_get_init_creds_opt_set_renew_life:[798,0,1,"c.krb5_get_init_creds_opt_set_renew_life"],KRB5_PADATA_ENCRYPTED_CHALLENGE:[438,3,1,""],KRB5_PADATA_SAM_CHALLENGE_2:[391,3,1,""],ENCTYPE_RSA_ES_OAEP_ENV:[775,3,1,""],krb5_read_password:[914,0,1,"c.krb5_read_password"],KRB5_PRINCIPAL_PARSE_ENTERPRISE:[469,3,1,""],krb5_prepend_error_message:[211,0,1,"c.krb5_prepend_error_message"],krb5_appdefault_string:[428,0,1,"c.krb5_appdefault_string"],KRB5_PAC_LOGON_INFO:[538,3,1,""],KRB5_INT16_MAX:[806,3,1,""],KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:[66,3,1,""],krb5_cc_remove_cred:[65,0,1,"c.krb5_cc_remove_cred"],KRB5_KEYUSAGE_APP_DATA_CKSUM:[545,3,1,""],KDC_OPT_FORWARDABLE:[720,3,1,""],LR_TYPE_INTERPRETATION_MASK:[888,3,1,""],krb5_build_principal:[535,0,1,"c.krb5_build_principal"],krb5_524_conv_principal:[217,0,1,"c.krb5_524_conv_principal"],krb5_copy_keyblock:[111,0,1,"c.krb5_copy_keyblock"],krb5_pac_get_buffer:[420,0,1,"c.krb5_pac_get_buffer"],KRB5_RECVAUTH_SKIP_VERSION:[696,3,1,""],KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:[864,3,1,""],krb5_tkt_creds_init:[739,0,1,"c.krb5_tkt_creds_init"],krb5_c_prf:[876,0,1,"c.krb5_c_prf"],KRB5_PRINCIPAL_UNPARSE_NO_REALM:[212,3,1,""],krb5_get_init_creds_opt_set_etype_list:[55,0,1,"c.krb5_get_init_creds_opt_set_etype_list"],krb5_get_prompt_types:[591,0,1,"c.krb5_get_prompt_types"],KRB5_ANONYMOUS_PRINCSTR:[14,3,1,""],KRB5_GC_CONSTRAINED_DELEGATION:[430,3,1,""],KRB5_PADATA_PKINIT_KX:[263,3,1,""],krb5_524_convert_creds:[345,0,1,"c.krb5_524_convert_creds"],krb5_auth_con_genaddrs:[256,0,1,"c.krb5_auth_con_genaddrs"],KRB5_KPASSWD_SUCCESS:[599,3,1,""],krb5_ui_2:[810,2,1,"c.krb5_ui_2"],krb5_free_default_realm:[120,0,1,"c.krb5_free_default_realm"],krb5_get_credentials_renew:[307,0,1,"c.krb5_get_credentials_renew"],KRB5_SAM_MUST_PK_ENCRYPT_SAD:[905,3,1,""],KRB5_CRYPTO_TYPE_CHECKSUM:[253,3,1,""],krb5_mk_1cred:[522,0,1,"c.krb5_mk_1cred"],krb5_get_init_creds_password:[606,0,1,"c.krb5_get_init_creds_password"],KRB5_GC_FORWARDABLE:[561,3,1,""],krb5_pac:[54,2,1,"c.krb5_pac"],krb5_msgtype:[101,2,1,"c.krb5_msgtype"],KRB5_LRQ_ONE_ACCT_EXPTIME:[616,3,1,""],krb5_c_valid_enctype:[871,0,1,"c.krb5_c_valid_enctype"],SALT_TYPE_NO_LENGTH:[612,3,1,""],KRB5_LRQ_ONE_LAST_INITIAL:[169,3,1,""],KRB5_KEYUSAGE_TGS_REQ_AUTH:[782,3,1,""],krb5_recvauth_version:[234,0,1,"c.krb5_recvauth_version"],krb5_mk_rep_dce:[384,0,1,"c.krb5_mk_rep_dce"],KRB5_REFERRAL_REALM:[678,3,1,""],krb5_pre_send_fn:[59,2,1,"c.krb5_pre_send_fn"],KRB5_KPASSWD_INITIAL_FLAG_NEEDED:[239,3,1,""],ENCTYPE_AES128_CTS_HMAC_SHA256_128:[529,3,1,""],krb5_vset_error_message:[331,0,1,"c.krb5_vset_error_message"],KRB5_LRQ_ALL_LAST_REQ:[388,3,1,""],KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:[127,3,1,""],krb5_pac_get_types:[148,0,1,"c.krb5_pac_get_types"],KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:[834,3,1,""],krb5_auth_con_setrecvsubkey:[322,0,1,"c.krb5_auth_con_setrecvsubkey"],krb5_set_error_message:[240,0,1,"c.krb5_set_error_message"],KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:[768,3,1,""],KRB5_RECVAUTH_BADAUTHVERS:[867,3,1,""],KRB5_PADATA_GET_FROM_TYPED_DATA:[523,3,1,""],krb5_auth_con_getsendsubkey:[736,0,1,"c.krb5_auth_con_getsendsubkey"],krb5_free_data_contents:[842,0,1,"c.krb5_free_data_contents"],KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:[426,3,1,""],KRB5_KEYUSAGE_AS_REP_ENCPART:[347,3,1,""],krb5_cc_cache_match:[88,0,1,"c.krb5_cc_cache_match"],krb5_typed_data:[647,2,1,"c.krb5_typed_data"],krb5_free_error_message:[397,0,1,"c.krb5_free_error_message"],krb5_c_random_add_entropy:[377,0,1,"c.krb5_c_random_add_entropy"],krb5_free_creds:[666,0,1,"c.krb5_free_creds"],KRB5_NT_UNKNOWN:[813,3,1,""],AP_OPTS_MUTUAL_REQUIRED:[822,3,1,""],ENCTYPE_RSA_ENV:[416,3,1,""],krb5_auth_con_setuseruserkey:[11,0,1,"c.krb5_auth_con_setuseruserkey"],krb5_data:[596,2,1,"c.krb5_data"],KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:[117,3,1,""],KRB5_AUTHDATA_FX_ARMOR:[87,3,1,""],KRB5_PADATA_SAM_RESPONSE_2:[542,3,1,""],KRB5_TC_MATCH_2ND_TKT:[327,3,1,""],krb5_c_block_size:[365,0,1,"c.krb5_c_block_size"],KRB5_PADATA_PK_AS_REP_OLD:[332,3,1,""],ENCTYPE_MD5_RSA_CMS:[195,3,1,""],KRB5_PADATA_FOR_USER:[573,3,1,""],krb5_responder_pkinit_challenge_free:[269,0,1,"c.krb5_responder_pkinit_challenge_free"],krb5_auth_con_getremotesubkey:[179,0,1,"c.krb5_auth_con_getremotesubkey"],krb5_address_order:[287,0,1,"c.krb5_address_order"],krb5_set_default_tgs_enctypes:[137,0,1,"c.krb5_set_default_tgs_enctypes"],krb5_kt_resolve:[249,0,1,"c.krb5_kt_resolve"],KRB5_PADATA_SAM_CHALLENGE:[564,3,1,""],krb5_tkt_authent:[837,2,1,"c.krb5_tkt_authent"],krb5_princ_size:[702,3,1,""],krb5_trace_info:[31,2,1,"c.krb5_trace_info"],krb5_rd_rep:[569,0,1,"c.krb5_rd_rep"],krb5_cc_get_type:[3,0,1,"c.krb5_cc_get_type"],KRB5_PADATA_OSF_DCE:[43,3,1,""],KRB5_NT_MS_PRINCIPAL_AND_ID:[691,3,1,""],KDC_OPT_RENEW:[315,3,1,""],KRB5_PADATA_FX_ERROR:[225,3,1,""],KRB5_LRQ_ALL_LAST_RENEWAL:[506,3,1,""],ADDRTYPE_CHAOS:[786,3,1,""],krb5_copy_ticket:[102,0,1,"c.krb5_copy_ticket"],krb5_pac_init:[718,0,1,"c.krb5_pac_init"],krb5_parse_name:[672,0,1,"c.krb5_parse_name"],krb5_copy_principal:[726,0,1,"c.krb5_copy_principal"],KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:[751,3,1,""],KRB5_TC_MATCH_TIMES_EXACT:[763,3,1,""],krb5_enc_tkt_part:[826,2,1,"c.krb5_enc_tkt_part"],krb5_mk_safe:[832,0,1,"c.krb5_mk_safe"],KRB5_KEYUSAGE_FAST_FINISHED:[255,3,1,""],krb5_check_clockskew:[502,0,1,"c.krb5_check_clockskew"],KRB5_AUTHDATA_CAMMAC:[42,3,1,""],KRB5_KEYUSAGE_AP_REQ_AUTH:[366,3,1,""],KRB5_TC_OPENCLOSE:[268,3,1,""],krb5_pac_add_buffer:[595,0,1,"c.krb5_pac_add_buffer"],krb5_get_credentials_validate:[697,0,1,"c.krb5_get_credentials_validate"],krb5_init_context:[862,0,1,"c.krb5_init_context"],krb5_cc_new_unique:[671,0,1,"c.krb5_cc_new_unique"],krb5_kt_default:[415,0,1,"c.krb5_kt_default"],krb5_is_thread_safe:[912,0,1,"c.krb5_is_thread_safe"],krb5_cc_resolve:[620,0,1,"c.krb5_cc_resolve"],krb5_rd_cred:[254,0,1,"c.krb5_rd_cred"],krb5_decrypt:[222,0,1,"c.krb5_decrypt"],krb5_xc:[741,3,1,""],ADDRTYPE_DDP:[487,3,1,""],krb5_c_enctype_compare:[411,0,1,"c.krb5_c_enctype_compare"],krb5_c_verify_checksum_iov:[247,0,1,"c.krb5_c_verify_checksum_iov"],krb5_get_init_creds_opt_set_forwardable:[537,0,1,"c.krb5_get_init_creds_opt_set_forwardable"],krb5_get_init_creds_keytab:[841,0,1,"c.krb5_get_init_creds_keytab"],CKSUMTYPE_RSA_MD5:[93,3,1,""],KRB5_NT_X500_PRINCIPAL:[492,3,1,""],KDC_OPT_RENEWABLE_OK:[861,3,1,""],krb5_auth_con_getremoteseqnumber:[312,0,1,"c.krb5_auth_con_getremoteseqnumber"],KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:[233,3,1,""],krb5_free_unparsed_name:[557,0,1,"c.krb5_free_unparsed_name"],krb5_k_decrypt:[39,0,1,"c.krb5_k_decrypt"],krb5_cc_get_name:[708,0,1,"c.krb5_cc_get_name"],krb5_c_encrypt_iov:[131,0,1,"c.krb5_c_encrypt_iov"],krb5_deltat_to_string:[164,0,1,"c.krb5_deltat_to_string"],krb5_copy_authenticator:[507,0,1,"c.krb5_copy_authenticator"],krb5_vprepend_error_message:[811,0,1,"c.krb5_vprepend_error_message"],krb5_get_time_offsets:[279,0,1,"c.krb5_get_time_offsets"],KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:[325,3,1,""],krb5_parse_name_flags:[632,0,1,"c.krb5_parse_name_flags"],KRB5_KEYUSAGE_IAKERB_FINISHED:[477,3,1,""],krb5_cc_get_full_name:[509,0,1,"c.krb5_cc_get_full_name"],krb5_init_context_profile:[737,0,1,"c.krb5_init_context_profile"],KRB5_KEYUSAGE_AD_MTE:[99,3,1,""],krb5_c_string_to_key_with_params:[603,0,1,"c.krb5_c_string_to_key_with_params"],krb5_response:[583,2,1,"c.krb5_response"],krb5_get_init_creds_opt_set_change_password_prompt:[743,0,1,"c.krb5_get_init_creds_opt_set_change_password_prompt"],KRB5_PADATA_AS_CHECKSUM:[777,3,1,""],krb5_free_context:[624,0,1,"c.krb5_free_context"],krb5_auth_con_init:[745,0,1,"c.krb5_auth_con_init"],ENCTYPE_ARCFOUR_HMAC:[337,3,1,""],krb5_pac_free:[688,0,1,"c.krb5_pac_free"],krb5_set_password_using_ccache:[890,0,1,"c.krb5_set_password_using_ccache"],AP_OPTS_USE_SUBKEY:[46,3,1,""],krb5_free_error:[168,0,1,"c.krb5_free_error"],krb5_c_crypto_length_iov:[149,0,1,"c.krb5_c_crypto_length_iov"],KRB5_INIT_CONTEXT_KDC:[448,3,1,""],VALID_UINT_BITS:[392,3,1,""],krb5_free_tgt_creds:[320,0,1,"c.krb5_free_tgt_creds"],krb5_get_default_realm:[308,0,1,"c.krb5_get_default_realm"],krb5_cred_info:[544,2,1,"c.krb5_cred_info"],krb5_c_random_to_key:[298,0,1,"c.krb5_c_random_to_key"],KRB5_NT_MS_PRINCIPAL:[851,3,1,""],TKT_FLG_RENEWABLE:[333,3,1,""],krb5_pac_sign:[765,0,1,"c.krb5_pac_sign"],KRB5_PADATA_S4U_X509_USER:[805,3,1,""],KRB5_TGS_REQ:[76,3,1,""],KRB5_TGS_REP:[75,3,1,""],KRB5_PROMPT_TYPE_PREAUTH:[296,3,1,""],krb5_k_prf:[648,0,1,"c.krb5_k_prf"],krb5_kt_read_service_key:[730,0,1,"c.krb5_kt_read_service_key"],krb5_octet:[923,2,1,"c.krb5_octet"],krb5_principal_compare_flags:[511,0,1,"c.krb5_principal_compare_flags"],krb5_get_init_creds_opt_set_expire_callback:[907,0,1,"c.krb5_get_init_creds_opt_set_expire_callback"],krb5_k_free_key:[845,0,1,"c.krb5_k_free_key"],krb5_kt_next_entry:[803,0,1,"c.krb5_kt_next_entry"],krb5_free_keyblock:[94,0,1,"c.krb5_free_keyblock"],KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:[682,3,1,""],krb5_get_credentials:[30,0,1,"c.krb5_get_credentials"],krb5_decode_authdata_container:[291,0,1,"c.krb5_decode_authdata_container"],KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:[68,3,1,""],AD_TYPE_FIELD_TYPE_MASK:[618,3,1,""],krb5_cc_set_flags:[916,0,1,"c.krb5_cc_set_flags"],krb5_cc_next_cred:[610,0,1,"c.krb5_cc_next_cred"],krb5_principal2salt:[429,0,1,"c.krb5_principal2salt"],krb5_c_prfplus:[346,0,1,"c.krb5_c_prfplus"],krb5_responder_pkinit_challenge:[319,2,1,"c.krb5_responder_pkinit_challenge"],krb5_context:[630,2,1,"c.krb5_context"],KRB5_KEYUSAGE_PA_OTP_REQUEST:[750,3,1,""],krb5_kt_add_entry:[395,0,1,"c.krb5_kt_add_entry"],KRB5_KEYUSAGE_AP_REP_ENCPART:[589,3,1,""]},krb5_responder_pkinit_identity:{token_flags:[771,1,1,"c.krb5_responder_pkinit_identity.token_flags"],identity:[771,1,1,"c.krb5_responder_pkinit_identity.identity"]},krb5_kdc_req:{rtime:[34,1,1,"c.krb5_kdc_req.rtime"],nonce:[34,1,1,"c.krb5_kdc_req.nonce"],authorization_data:[34,1,1,"c.krb5_kdc_req.authorization_data"],addresses:[34,1,1,"c.krb5_kdc_req.addresses"],msg_type:[34,1,1,"c.krb5_kdc_req.msg_type"],from:[34,1,1,"c.krb5_kdc_req.from"],kdc_options:[34,1,1,"c.krb5_kdc_req.kdc_options"],unenc_authdata:[34,1,1,"c.krb5_kdc_req.unenc_authdata"],server:[34,1,1,"c.krb5_kdc_req.server"],nktypes:[34,1,1,"c.krb5_kdc_req.nktypes"],till:[34,1,1,"c.krb5_kdc_req.till"],client:[34,1,1,"c.krb5_kdc_req.client"],second_ticket:[34,1,1,"c.krb5_kdc_req.second_ticket"],ktype:[34,1,1,"c.krb5_kdc_req.ktype"],magic:[34,1,1,"c.krb5_kdc_req.magic"],padata:[34,1,1,"c.krb5_kdc_req.padata"]},krb5_kdc_rep:{magic:[35,1,1,"c.krb5_kdc_rep.magic"],msg_type:[35,1,1,"c.krb5_kdc_rep.msg_type"],enc_part2:[35,1,1,"c.krb5_kdc_rep.enc_part2"],padata:[35,1,1,"c.krb5_kdc_rep.padata"],client:[35,1,1,"c.krb5_kdc_rep.client"],ticket:[35,1,1,"c.krb5_kdc_rep.ticket"],enc_part:[35,1,1,"c.krb5_kdc_rep.enc_part"]},krb5_gic_opt_pa_data:{attr:[878,1,1,"c.krb5_gic_opt_pa_data.attr"],value:[878,1,1,"c.krb5_gic_opt_pa_data.value"]},krb5_tkt_authent:{authenticator:[837,1,1,"c.krb5_tkt_authent.authenticator"],ticket:[837,1,1,"c.krb5_tkt_authent.ticket"],magic:[837,1,1,"c.krb5_tkt_authent.magic"],ap_options:[837,1,1,"c.krb5_tkt_authent.ap_options"]},krb5_keytab_entry:{vno:[847,1,1,"c.krb5_keytab_entry.vno"],timestamp:[847,1,1,"c.krb5_keytab_entry.timestamp"],magic:[847,1,1,"c.krb5_keytab_entry.magic"],key:[847,1,1,"c.krb5_keytab_entry.key"],principal:[847,1,1,"c.krb5_keytab_entry.principal"]},krb5_get_init_creds_opt:{proxiable:[829,1,1,"c.krb5_get_init_creds_opt.proxiable"],forwardable:[829,1,1,"c.krb5_get_init_creds_opt.forwardable"],preauth_list_length:[829,1,1,"c.krb5_get_init_creds_opt.preauth_list_length"],renew_life:[829,1,1,"c.krb5_get_init_creds_opt.renew_life"],tkt_life:[829,1,1,"c.krb5_get_init_creds_opt.tkt_life"],flags:[829,1,1,"c.krb5_get_init_creds_opt.flags"],preauth_list:[829,1,1,"c.krb5_get_init_creds_opt.preauth_list"],etype_list:[829,1,1,"c.krb5_get_init_creds_opt.etype_list"],salt:[829,1,1,"c.krb5_get_init_creds_opt.salt"],etype_list_length:[829,1,1,"c.krb5_get_init_creds_opt.etype_list_length"],address_list:[829,1,1,"c.krb5_get_init_creds_opt.address_list"]},krb5_const_principal:{type:[485,1,1,"c.krb5_const_principal.type"],length:[485,1,1,"c.krb5_const_principal.length"],magic:[485,1,1,"c.krb5_const_principal.magic"],realm:[485,1,1,"c.krb5_const_principal.realm"],data:[485,1,1,"c.krb5_const_principal.data"]},krb5_pa_pac_req:{include_pac:[767,1,1,"c.krb5_pa_pac_req.include_pac"]},krb5_responder_otp_tokeninfo:{vendor:[897,1,1,"c.krb5_responder_otp_tokeninfo.vendor"],format:[897,1,1,"c.krb5_responder_otp_tokeninfo.format"],challenge:[897,1,1,"c.krb5_responder_otp_tokeninfo.challenge"],length:[897,1,1,"c.krb5_responder_otp_tokeninfo.length"],flags:[897,1,1,"c.krb5_responder_otp_tokeninfo.flags"],token_id:[897,1,1,"c.krb5_responder_otp_tokeninfo.token_id"],alg_id:[897,1,1,"c.krb5_responder_otp_tokeninfo.alg_id"]},krb5_enc_data:{ciphertext:[370,1,1,"c.krb5_enc_data.ciphertext"],magic:[370,1,1,"c.krb5_enc_data.magic"],kvno:[370,1,1,"c.krb5_enc_data.kvno"],enctype:[370,1,1,"c.krb5_enc_data.enctype"]},krb5_cred:{tickets:[336,1,1,"c.krb5_cred.tickets"],magic:[336,1,1,"c.krb5_cred.magic"],enc_part:[336,1,1,"c.krb5_cred.enc_part"],enc_part2:[336,1,1,"c.krb5_cred.enc_part2"]},krb5_pa_data:{length:[635,1,1,"c.krb5_pa_data.length"],pa_type:[635,1,1,"c.krb5_pa_data.pa_type"],magic:[635,1,1,"c.krb5_pa_data.magic"],contents:[635,1,1,"c.krb5_pa_data.contents"]},krb5_address:{addrtype:[499,1,1,"c.krb5_address.addrtype"],length:[499,1,1,"c.krb5_address.length"],magic:[499,1,1,"c.krb5_address.magic"],contents:[499,1,1,"c.krb5_address.contents"]},krb5_response:{magic:[583,1,1,"c.krb5_response.magic"],message_type:[583,1,1,"c.krb5_response.message_type"],response:[583,1,1,"c.krb5_response.response"],expected_nonce:[583,1,1,"c.krb5_response.expected_nonce"],request_time:[583,1,1,"c.krb5_response.request_time"]},krb5_authenticator:{magic:[727,1,1,"c.krb5_authenticator.magic"],ctime:[727,1,1,"c.krb5_authenticator.ctime"],checksum:[727,1,1,"c.krb5_authenticator.checksum"],seq_number:[727,1,1,"c.krb5_authenticator.seq_number"],client:[727,1,1,"c.krb5_authenticator.client"],subkey:[727,1,1,"c.krb5_authenticator.subkey"],cusec:[727,1,1,"c.krb5_authenticator.cusec"],authorization_data:[727,1,1,"c.krb5_authenticator.authorization_data"]},krb5_pa_server_referral_data:{true_principal_name:[220,1,1,"c.krb5_pa_server_referral_data.true_principal_name"],requested_principal_name:[220,1,1,"c.krb5_pa_server_referral_data.requested_principal_name"],referral_valid_until:[220,1,1,"c.krb5_pa_server_referral_data.referral_valid_until"],rep_cksum:[220,1,1,"c.krb5_pa_server_referral_data.rep_cksum"],referred_realm:[220,1,1,"c.krb5_pa_server_referral_data.referred_realm"]},krb5_transited:{tr_contents:[496,1,1,"c.krb5_transited.tr_contents"],tr_type:[496,1,1,"c.krb5_transited.tr_type"],magic:[496,1,1,"c.krb5_transited.magic"]},krb5_pwd_data:{sequence_count:[443,1,1,"c.krb5_pwd_data.sequence_count"],magic:[443,1,1,"c.krb5_pwd_data.magic"],element:[443,1,1,"c.krb5_pwd_data.element"]},krb5_error:{magic:[457,1,1,"c.krb5_error.magic"],ctime:[457,1,1,"c.krb5_error.ctime"],susec:[457,1,1,"c.krb5_error.susec"],text:[457,1,1,"c.krb5_error.text"],e_data:[457,1,1,"c.krb5_error.e_data"],server:[457,1,1,"c.krb5_error.server"],client:[457,1,1,"c.krb5_error.client"],stime:[457,1,1,"c.krb5_error.stime"],cusec:[457,1,1,"c.krb5_error.cusec"],error:[457,1,1,"c.krb5_error.error"]},krb5_principal:{data:[900,1,1,"c.krb5_principal.data"],length:[900,1,1,"c.krb5_principal.length"],magic:[900,1,1,"c.krb5_principal.magic"],realm:[900,1,1,"c.krb5_principal.realm"],type:[900,1,1,"c.krb5_principal.type"]},krb5_last_req_entry:{lr_type:[503,1,1,"c.krb5_last_req_entry.lr_type"],magic:[503,1,1,"c.krb5_last_req_entry.magic"],value:[503,1,1,"c.krb5_last_req_entry.value"]},krb5_enc_tkt_part:{caddrs:[826,1,1,"c.krb5_enc_tkt_part.caddrs"],magic:[826,1,1,"c.krb5_enc_tkt_part.magic"],transited:[826,1,1,"c.krb5_enc_tkt_part.transited"],times:[826,1,1,"c.krb5_enc_tkt_part.times"],session:[826,1,1,"c.krb5_enc_tkt_part.session"],flags:[826,1,1,"c.krb5_enc_tkt_part.flags"],client:[826,1,1,"c.krb5_enc_tkt_part.client"],authorization_data:[826,1,1,"c.krb5_enc_tkt_part.authorization_data"]},krb5_cred_info:{caddrs:[544,1,1,"c.krb5_cred_info.caddrs"],magic:[544,1,1,"c.krb5_cred_info.magic"],times:[544,1,1,"c.krb5_cred_info.times"],session:[544,1,1,"c.krb5_cred_info.session"],flags:[544,1,1,"c.krb5_cred_info.flags"],client:[544,1,1,"c.krb5_cred_info.client"],server:[544,1,1,"c.krb5_cred_info.server"]},krb5_keyblock:{length:[525,1,1,"c.krb5_keyblock.length"],magic:[525,1,1,"c.krb5_keyblock.magic"],contents:[525,1,1,"c.krb5_keyblock.contents"],enctype:[525,1,1,"c.krb5_keyblock.enctype"]},krb5_replay_data:{timestamp:[29,1,1,"c.krb5_replay_data.timestamp"],usec:[29,1,1,"c.krb5_replay_data.usec"],seq:[29,1,1,"c.krb5_replay_data.seq"]},krb5_authdata:{length:[360,1,1,"c.krb5_authdata.length"],magic:[360,1,1,"c.krb5_authdata.magic"],ad_type:[360,1,1,"c.krb5_authdata.ad_type"],contents:[360,1,1,"c.krb5_authdata.contents"]},krb5_typed_data:{data:[647,1,1,"c.krb5_typed_data.data"],length:[647,1,1,"c.krb5_typed_data.length"],magic:[647,1,1,"c.krb5_typed_data.magic"],type:[647,1,1,"c.krb5_typed_data.type"]},krb5_ticket_times:{endtime:[660,1,1,"c.krb5_ticket_times.endtime"],renew_till:[660,1,1,"c.krb5_ticket_times.renew_till"],starttime:[660,1,1,"c.krb5_ticket_times.starttime"],authtime:[660,1,1,"c.krb5_ticket_times.authtime"]},krb5_ap_req:{authenticator:[259,1,1,"c.krb5_ap_req.authenticator"],ticket:[259,1,1,"c.krb5_ap_req.ticket"],magic:[259,1,1,"c.krb5_ap_req.magic"],ap_options:[259,1,1,"c.krb5_ap_req.ap_options"]},krb5_ap_rep:{enc_part:[636,1,1,"c.krb5_ap_rep.enc_part"],magic:[636,1,1,"c.krb5_ap_rep.magic"]},krb5_verify_init_creds_opt:{flags:[6,1,1,"c.krb5_verify_init_creds_opt.flags"],ap_req_nofail:[6,1,1,"c.krb5_verify_init_creds_opt.ap_req_nofail"]},krb5_ticket:{enc_part:[309,1,1,"c.krb5_ticket.enc_part"],server:[309,1,1,"c.krb5_ticket.server"],magic:[309,1,1,"c.krb5_ticket.magic"],enc_part2:[309,1,1,"c.krb5_ticket.enc_part2"]},krb5_cred_enc_part:{nonce:[189,1,1,"c.krb5_cred_enc_part.nonce"],magic:[189,1,1,"c.krb5_cred_enc_part.magic"],s_address:[189,1,1,"c.krb5_cred_enc_part.s_address"],ticket_info:[189,1,1,"c.krb5_cred_enc_part.ticket_info"],timestamp:[189,1,1,"c.krb5_cred_enc_part.timestamp"],usec:[189,1,1,"c.krb5_cred_enc_part.usec"],r_address:[189,1,1,"c.krb5_cred_enc_part.r_address"]},krb5_trace_info:{message:[31,1,1,"c.krb5_trace_info.message"]},passwd_phrase_element:{passwd:[889,1,1,"c.passwd_phrase_element.passwd"],phrase:[889,1,1,"c.passwd_phrase_element.phrase"],magic:[889,1,1,"c.passwd_phrase_element.magic"]},krb5_crypto_iov:{data:[924,1,1,"c.krb5_crypto_iov.data"],flags:[924,1,1,"c.krb5_crypto_iov.flags"]},krb5_data:{data:[596,1,1,"c.krb5_data.data"],length:[596,1,1,"c.krb5_data.length"],magic:[596,1,1,"c.krb5_data.magic"]},krb5_enc_kdc_rep_part:{nonce:[324,1,1,"c.krb5_enc_kdc_rep_part.nonce"],caddrs:[324,1,1,"c.krb5_enc_kdc_rep_part.caddrs"],magic:[324,1,1,"c.krb5_enc_kdc_rep_part.magic"],msg_type:[324,1,1,"c.krb5_enc_kdc_rep_part.msg_type"],last_req:[324,1,1,"c.krb5_enc_kdc_rep_part.last_req"],times:[324,1,1,"c.krb5_enc_kdc_rep_part.times"],key_exp:[324,1,1,"c.krb5_enc_kdc_rep_part.key_exp"],session:[324,1,1,"c.krb5_enc_kdc_rep_part.session"],flags:[324,1,1,"c.krb5_enc_kdc_rep_part.flags"],server:[324,1,1,"c.krb5_enc_kdc_rep_part.server"],enc_padata:[324,1,1,"c.krb5_enc_kdc_rep_part.enc_padata"]},krb5_encrypt_block:{crypto_entry:[755,1,1,"c.krb5_encrypt_block.crypto_entry"],magic:[755,1,1,"c.krb5_encrypt_block.magic"],key:[755,1,1,"c.krb5_encrypt_block.key"]},krb5_prompt:{reply:[139,1,1,"c.krb5_prompt.reply"],hidden:[139,1,1,"c.krb5_prompt.hidden"],prompt:[139,1,1,"c.krb5_prompt.prompt"]},krb5_checksum:{checksum_type:[154,1,1,"c.krb5_checksum.checksum_type"],length:[154,1,1,"c.krb5_checksum.length"],magic:[154,1,1,"c.krb5_checksum.magic"],contents:[154,1,1,"c.krb5_checksum.contents"]},krb5_principal_data:{realm:[425,1,1,"c.krb5_principal_data.realm"],length:[425,1,1,"c.krb5_principal_data.length"],magic:[425,1,1,"c.krb5_principal_data.magic"],data:[425,1,1,"c.krb5_principal_data.data"],type:[425,1,1,"c.krb5_principal_data.type"]},krb5_responder_pkinit_challenge:{identities:[319,1,1,"c.krb5_responder_pkinit_challenge.identities"]},krb5_responder_otp_challenge:{tokeninfo:[514,1,1,"c.krb5_responder_otp_challenge.tokeninfo"],service:[514,1,1,"c.krb5_responder_otp_challenge.service"]},krb5_creds:{authdata:[793,1,1,"c.krb5_creds.authdata"],magic:[793,1,1,"c.krb5_creds.magic"],addresses:[793,1,1,"c.krb5_creds.addresses"],keyblock:[793,1,1,"c.krb5_creds.keyblock"],server:[793,1,1,"c.krb5_creds.server"],client:[793,1,1,"c.krb5_creds.client"],ticket_flags:[793,1,1,"c.krb5_creds.ticket_flags"],second_ticket:[793,1,1,"c.krb5_creds.second_ticket"],is_skey:[793,1,1,"c.krb5_creds.is_skey"],ticket:[793,1,1,"c.krb5_creds.ticket"],times:[793,1,1,"c.krb5_creds.times"]},krb5_pa_svr_referral_data:{principal:[304,1,1,"c.krb5_pa_svr_referral_data.principal"]},krb5_ap_rep_enc_part:{seq_number:[904,1,1,"c.krb5_ap_rep_enc_part.seq_number"],magic:[904,1,1,"c.krb5_ap_rep_enc_part.magic"],subkey:[904,1,1,"c.krb5_ap_rep_enc_part.subkey"],cusec:[904,1,1,"c.krb5_ap_rep_enc_part.cusec"],ctime:[904,1,1,"c.krb5_ap_rep_enc_part.ctime"]}},titleterms:{libdefault:812,entropi:[377,639],kdc_tkt_common_mask:824,krb5_auth_con_setflag:115,prefix:[38,140,811,211],consider:208,krb5_free_str:264,krb5_cc_get_config:524,krb5_sname_match:18,heimdal:449,krb5_free_ticket:144,krb5_get_init_creds_opt_set_pa:81,krb5_build_principal_ext:453,everi:133,kadmin:[70,44],kvno:646,krb5_responder_context:527,krb5_get_init_creds_opt_set_canonic:280,sclient:518,verif:[572,147,204,119],krb5_principal_compare_enterpris:381,direct:853,krb5_auth_con_setrcach:543,krb5_enc_data:370,krb5_nt_ms_princip:851,krb5_address_search:399,krb5_auth_con_setaddr:693,krb5_auth_con_setrecvsubkey_k:699,krb5_get_init_creds_opt_set_renew_lif:798,"new":[628,107,395,671,901,197,437],krb5_kt_remove_entri:158,manipul:731,krb5_auth_context_do_tim:5,krb5_cc_gen_new:681,path:28,krb5_tgs_name:567,acceptor:17,krb5_keyusage_app_data_cksum:545,krb5_verify_authdata_kdc_issu:373,krb5_set_default_tgs_enctyp:137,krb5_get_init_creds_opt_set_fast_ccach:575,cksumtype_hmac_sha1_96_aes128:578,permit:105,krb5_chpw_messag:110,krb5_boolean:454,kdc_opt_cname_in_addl_tkt:198,krb5_enctype_to_nam:171,unix:[28,100,792],subkei:[774,406,322,483,699,736,921,653],krb5_responder_otp_flags_nextotp:83,call:181,krb5_sam_must_pk_encrypt_sad:905,type:[450,3,105,551,614,671,494,674,55,171,10,510,591,411,452,17,248,73,22,358,690,644,584,27,590,137,708,835,756,597,871,432,272,36,208,435,147,148,91,825],krb5_expire_callback_func:278,krb5_c_derive_prfplu:349,restor:44,setup:434,work:794,krb5_verify_init_creds_opt_init:204,krb5_get_server_rcach:586,overrid:[344,920,473],krb5_responder_pkinit_flags_token_user_pin_lock:232,kpasswd:25,krb5_lrq_one_pw_exptim:48,indic:321,end:515,krb5_padata_pk_as_req:637,cksumtype_rsa_md5:93,cksumtype_rsa_md4:92,krb5_string_to_cksumtyp:590,how:126,answer:[235,286,831],verifi:[521,373,871,631,519,258,510,444],enctype_des3_cbc_sha1:677,krb5_auth_con_getflag:266,updat:[44,126],krb5_tc_match_flag:177,krb5_const:663,krb5_gc_forward:561,krb5_cryptotyp:717,sserver:814,krb5_cc_last_change_tim:237,opaqu:[820,114,759,600,744,631,39,385,648],credenti:[3,229,494,77,243,463,17,686,257,698,671,703,706,708,491,716,280,725,732,55,509,738,739,743,65,1,517,74,753,519,520,521,522,761,81,323,88,532,537,146,163,191,796,237,798,107,340,112,556,342,345,827,320,352,125,572,357,859,817,575,818,823,412,620,133,371,841,147,606,610,611,614,393,860,400,524,185,417,890,787,644,421,422,245,204,907,205,407,735,911,684,916,447],receiv:[167,406,699,653,322],environ:[562,918,63,452,273,132,566,646,386,45,640],krb5_prompt:139,krb5_kt_resolv:249,order:287,over:684,krb5_free_checksum_cont:486,privileg:[718,44],keyboard:914,krb5_parse_name_flag:632,krb5_responder_set_answ:235,tkt_flg_initi:351,krb5_keyusage_tgs_req_ad_sesskei:472,s4u:17,krb5_deltat:676,create_polici:484,krb5_sendauth:[168,642],krb5_auth_con_genaddr:256,cred:[522,732,254,318],krb5_get_init_creds_opt_set_tkt_lif:520,ccselect:[812,698],safe:[821,832],krb5_c_checksum_length:674,krb5_cc_lock:205,krb5_tc_match_tim:375,krb5_c_is_coll_proof_cksum:584,lockout:434,each:895,krb5_safe:534,cksumtype_hmac_md5_arcfour:64,krb5_principal_compare_ignore_realm:760,kdc_opt_renewable_ok:861,krb5_pa_pac_req:767,krb5_responder_pkinit_challeng:319,krb5_init_creds_get_error:74,content:[89,228,476,276,26,801,328,842,734,486],krb5_free_host_realm:277,krb5_init_context_kdc:448,krb5_wellknown_namestr:86,free:[722,557,194,166,801,555,842,397,277,342,62,120,624,178,407,300,409,882,22,348,688,320,264,144,486,269,89,435,276,911,94,168,845,666,157],krb5_trace_info:31,krb5_pac_delegation_info:161,renew:[703,798],krb5_padata_for_us:573,onto:493,krb5_mk_rep:364,krb5_mk_req:363,krb5_authdata_cammac:42,restrict:371,hook:[167,623,223],instruct:437,klist:[562,104],primari:352,krb5_get_fallback_host_realm:656,krb5_auth_con_initivector:869,krb5_prompter_posix:848,krb5_524_conv_princip:217,krb5_kt_get_entri:711,master:[44,73,895],krb5_realm_compar:130,krb5_c_random_os_entropi:639,krb5_keyusage_pa_s4u_x509_user_repli:325,krb5_cc_copy_cr:146,tool:614,krb5_tc_supported_ktyp:802,target:437,krb5_c_encrypt:840,krb5_get_init_creds_opt_proxi:619,krb5_address_compar:394,tree:203,krb5_pac_server_checksum:884,cksumtype_hmac_sha1_96_aes256:96,krb5_checksum:[348,154,658,486],krb5_flag:481,krb5_encrypt_block:755,provis:473,krb5_padata_otp_pin_chang:122,increment:[44,103,895],seen:147,krb5_replay_data:29,krb5_responder_otp_flags_collect_pin:902,realm:[49,130,292,662,812,368,44,881,308,687,344,10,493,120],cksumtype_descbc:414,krb5_set_principal_realm:881,krb5_copy_address:723,krb5_init_keyblock:316,krb5_cc_end_seq_get:243,object:[230,44,586],krb5_auth_con_set_checksum_func:784,declar:[221,454,6,457,676,466,259,636,480,29,485,31,34,35,490,717,826,189,496,790,336,501,503,727,54,59,60,513,425,514,304,481,752,309,755,78,525,317,531,319,767,771,324,773,544,101,546,499,793,339,807,809,810,376,360,582,583,897,829,909,370,139,837,596,843,660,847,153,154,865,172,630,878,635,278,889,299,647,898,650,900,904,136,387,857,527,919,443,923,220,924],random:[377,298,580,648,825,876,143,346],syntax:32,krb5_anonymous_princip:227,tkt_flg_may_postd:209,priv:[267,215],absolut:176,acquir:[412,421,860,245,112,185,357,753,417],rcach:27,kdestroi:[386,104],krb5_checksum_s:721,ldap:[44,855],krb5_c_is_keyed_cksum:358,krb5_copy_data:230,krb5_principal_compare_any_realm:368,"public":[2,181,36],krb5_k_make_checksum:744,krb5_build_princip:535,respond:[521,235,341,242,787],krb5_is_thread_saf:912,datatyp:98,result:110,krb5_process_kei:719,krb5_nt_srv_xhst:192,fail:[895,147],databas:[895,855,70,73,56,885,44,493],krb5_set_default_realm:344,discoveri:493,cksumtype_cmac_camellia128:516,krb5_kpasswd_bad_vers:97,irc:23,attribut:[718,17],tkt_flg_proxiabl:757,extend:[9,240,51,331,508],ccach:[614,629,827],tkt_flg_postdat:410,krb5_get_init_creds_opt_preauth_list:252,k5login:184,krb5_init_secure_context:641,krb5_kt_end_seq_get:621,cksumtype_rsa_md5_d:305,krb5_responder_pkinit_get_challeng:[649,269],against:519,tabdump:423,cksumtype_nist_sha:655,krb5_auth_con_getkey_k:915,login:662,addrtype_ipport:749,krb5_cc_store_cr:463,guid:228,krb5_k_encrypt:114,duplic:[293,629],krb5_wrap_error_messag:38,krb5_tkt_creds_get_tim:121,list_request:[70,138],clear_list:138,keyblock:[406,359,369,131,840,247,322,111,251,483,736,734,653,444,791,310,505,669],krb5_encpadata_req_enc_pa_rep:123,add_mkei:423,krb5_cccol_have_cont:163,krb5_auth_con_getkei:369,krb5_cc_unlock:716,argument:877,multithread:912,krb5_prompt_type_preauth:296,krb5_unparse_name_flag:489,krb5_const_point:480,krb5_425_conv_princip:12,ident:[812,286],ad_type_reserv:780,servic:[188,421,248,730,73,44,701,739,493,473],properti:104,conf:[812,10,124,428,895],krb5_cc_get_full_nam:509,krb5_kt_start_seq_get:40,krb5_principal_unparse_no_realm:212,perform:[27,434],make:352,format:[267,522,563,565,302,108,165,732,318,176,384,190,832,323,44,364],krb5_c_valid_enctyp:871,krb5_princ_set_realm:294,complet:98,krb5_k_reference_kei:103,krb5_get_init_creds_opt_tkt_lif:426,tune:452,krb5_init_creds_set_keytab:412,client:[504,642,159,275,413,200,88,792],thi:[176,126,875],krb5_tc_match_ktyp:587,preauthent:[796,644,81,208,413,850],krb5_is_referral_realm:789,rout:147,update_princ_encrypt:423,protocol:[695,165,642,234],cksumtype_crc32:301,krb5_auth_con_setsendsubkey_k:774,krb5_principal_parse_ignore_realm:838,previous:300,krb5_pac_fre:688,krb5_c_prf:876,krb5_keyusage_iakerb_finish:477,krb5_padata_etype_info2:550,applic:[794,155,73,100,473],krb5_authdata_etype_negoti:467,background:[776,27],krb5_tkt_creds_init:739,krb5_get_init_creds_opt_set_etype_list:55,add_entri:138,daemon:895,specif:[298,648,876,551,740,473,143],krb5_authdata_fx_armor:87,krb5_int32_min:134,threeparamopen:570,krb5_c_keylength:604,kdc_opt_postd:808,write_kt:138,krb5_mk_1cred:522,krb5_keyusage_ad_kdcissued_cksum:117,krb5_principal_compare_flag:511,krb5_nt_srv_inst:488,intern:[885,36],kadm5:[32,223],krb5_keyusage_pa_otp_request:750,enctype_sha1_rsa_cm:560,krb5_keyusage_krb_error_cksum:704,krb5_auth_con_setrecvsubkei:322,krb5_prompt_type_new_password_again:772,krb5_princ_siz:702,krb5_cc_cache_match:88,krb5_typed_data:647,post:167,delete_polici:[70,44],krb5_kt_get_nam:374,appplic:920,canonic:[188,473,280],krb5_c_block_siz:365,krb5_gc_constrained_deleg:430,krb5_tkt_creds_get_cr:860,encod:[403,901,565],wrap:[274,17],precomput:877,support:[820,759,131,912,147,176,494,73,791],krb5_gc_no_transit_check:241,avail:44,cksumtype_cmac_camellia256:180,krb5_pac_init:718,krb5_keyusage_fast_finish:255,kdcpreauth:[812,850],krb5_padata_pkinit_kx:263,krb5_cc_start_seq_get:133,krb5_init_context:862,hostrealm:[812,687],enctype_aes128_cts_hmac_sha256_128:529,autoconf:203,retir:73,krb5_altauth_att_challenge_respons:715,decrypt:[389,759,39,568,569,917,791,669],ad_type_field_type_mask:618,exist:[362,135,703],krb5_cc_get_nam:708,check:[163,789,135,502],encrypt:[450,114,105,840,551,55,171,10,411,871,248,143,182,22,131,364,137,597,820,147,384,91,825],krb5_get_in_tkt_with_skei:378,krb5_free_princip:722,krb5_keyusage_ad_signedpath:418,krb5_free_error:168,test:[434,18,912,584,71,203,358],krb5_c_crypto_length_iov:149,krb5_auth_context_use_subkei:830,krb5_nt_princip:643,krb5_get_default_realm:[308,120],krb5_set_password_using_ccach:890,krb5_pac_sign:765,krb5_c_random_to_kei:298,salt:[796,690,432,429],krb5_k_decrypt:39,pseudo:[377,580,648,346,876,825],krb5_c_fx_cf2_simpl:72,ignor:368,time:[521,121,461,502,761,164,712,740,279,176,852],krb5_kt_next_entri:803,concept:[579,4],chain:147,krb5_get_credenti:30,global:[112,340],krb5_c_string_to_kei:69,krb5_pa_data:635,krb5_gc_canonic:533,ap_opts_reserv:290,decis:493,krb5_init_creds_get:753,krb5_padata_get_from_typed_data:523,sourc:[836,126,855],string:[450,712,557,453,164,672,120,632,879,72,428,69,690,479,590,535,874,264,108,756,597,432,603,781,489,549],krb5_cybersafe_secureid:250,krb5_domain_x500_compress:828,krb5_responder_pkinit_ident:771,administr:[44,427,895,162],iter:684,cooki:563,enctype_aes256_cts_hmac_sha1_96:52,krb5_cc_move:611,sign:[403,765],krb5_keyusage_gss_tok_wrap_integ:864,ktremov:[70,794],port:[625,493],krb5_cc_dup:629,krb5_get_init_creds_opt_set_proxi:706,current:[740,502],krb5_appdefault_str:428,va_list:[811,140,331],deriv:349,gener:[377,298,256,648,504,876,580,4,143,28,397,586,701,346],modif:[237,257],address:[256,536,723,693,875,287,394,555,399,371],krb5_responder_otp_set_answ:831,krb5_tc_openclos:268,krb5_kt_free_entri:329,krb5_padata_otp_request:528,krb5_authdata_win2k_pac:498,commonli:452,modul:[328,764,662],krb5_responder_question_password:559,krb5kdc:45,instal:[895,228,452,437,203,792],krb5_copy_authent:507,memori:277,krb5_pwd_data:443,krb5_free_unparsed_nam:557,krb5_get_init_creds_opt_renew_lif:127,krb5_mk_req_extend:1,krb5_cc_close:738,krb5_pac_get_buff:420,krb5_k_verify_checksum:631,ap_opts_use_session_kei:541,prepar:[133,684],uniqu:671,krb5_kt_client_default:200,krb5_keyusage_fast_enc:289,krb5_authent:[507,727,178],topic:95,krb5_kei:[251,868,359,78],krb5_respons:583,krb5_verify_init_creds_opt_set_ap_req_nofail:572,krb5_get_error_messag:[397,51],krb5_keyusage_krb_priv_encpart:659,krb5_cc_retrieve_cr:686,krb5_pa_server_referral_data:220,krb5_keyusage_pa_sam_challenge_trackid:15,krb5_is_config_princip:71,map:493,krb5_us_timeofdai:852,usabl:91,date:[176,44],krb5_padata_pk_as_rep:53,data:[49,840,555,291,114,403,298,242,349,409,182,251,885,887,759,628,131,820,373,39,436,274,842,791,669],krb5_unparse_name_ext:479,man:126,krb5_expand_hostnam:188,inform:[812,44,330,27,794],"switch":[895,494],cannot:147,combin:72,krb5_get_init_creds_opt_init:142,krb5_keyusage_ap_req_auth_cksum:758,krb5_auth_con_getrecvsubkei:653,krb5_timestamp:909,krb5_prompt_type_new_password:679,krb5_padata_pw_salt:379,krb5_auth_con_getlocalsubkei:210,polici:44,krb5_responder_get_challeng:242,krb5_rd_safe:821,mail:23,krb5_init_context_profil:737,krb5_cccol_unlock:340,krb5_rcach:807,synopsi:[562,566,25,63,724,70,132,437,484,646,918,423,138,814,689,540,45,518,640,386],krb5_set_kdc_send_hook:623,krb5_tkt_authent:837,initi:[796,798,725,107,761,229,556,55,743,407,17,412,185,74,357,753,817,519,520,417,521,823,644,81,421,827,245,197,371,532,204,706,907,537,841,575,147,745,606,787,316,911,280],krb5_auth_con_get_checksum_func:151,krb5_init_creds_step_flag_continu:343,krb5_padata_fx_error:225,krb5_nt_unknown:813,name:[853,614,452,453,620,671,672,171,509,493,701,17,632,877,473,129,125,188,818,191,708,235,374,429,535,207,341,292],config:[540,748],revers:473,krb5_authdatatyp:299,separ:203,krb5_responder_otp_format_alphanumer:367,get_polici:[70,44],krb5_padata_sam_respons:602,list_princip:[70,44],replai:[458,586,27,543],krb5_nt_srv_hst:260,unlock:[70,716],prompter:521,krb5_c_encrypt_iov:131,krb5_k_create_kei:251,storag:[409,722],krb5_padata_referr:552,krb5_last_req_entri:503,profil:[920,737,334,662,815],lr_type_interpretation_mask:888,krb5_parse_nam:672,correct:794,krb5_const_princip:485,krb5_cc_resolv:620,krb5_pac_credentials_info:497,"byte":[648,580,876,346,604],synchron:735,refus:147,place:[131,791,759,820],change_password:[70,44],view:[104,484],frequent:[147,181],oper:[820,114,759,600,744,39,131,631,247,840,385,44,648,444,791,310,505,669],directli:181,arrai:[320,600,435,409,247,148,149,555,591,385,732,22,310,723],open:586,size:365,krb5_address:499,given:242,krb5_tkt_creds_fre:62,krb5_auth_context_generate_local_addr:174,conveni:181,read_kt:138,krb5_c_padding_length:651,krb5_keyusage_as_req:196,tkt_flg_enc_pa_rep:7,copi:[230,359,146,627,507,726,111,734,141,508,102,723,887,658],specifi:[853,389,871,412,510,421,287,604,812,399,400,372,344,737,671,88,686],krb5_tkt_creds_context:172,krb5_as_rep:634,krb5_as_req:633,kinit:[640,104],optimist:796,krb5_verify_init_creds_opt_ap_req_nofail:233,seri:243,pre:623,prf:[346,349],enctype_rsa_env:416,krb5_init_creds_init:357,ani:[163,257],krb5_cc_destroi:859,dbdefault:10,krb5_responder_otp_format_decim:661,advic:[100,473],destroi:[423,44,859,104,484],note:386,kdc_opt_renew:[512,315],channel:23,enctype_rsa_es_oaep_env:775,trace:[853,147,372],stashsrvpw:484,buffer:[420,595,148],krb5_lrq_one_last_renew:733,krb5_get_init_creds_opt_set_anonym:725,krb5_encrypt:261,whitepap:713,krb5_auth_con_fre:166,krb5_decode_ticket:190,enctype_unknown:622,krb5_gc_cach:442,krb5_keyusage_enc_challenge_cli:0,destroy_polici:484,krb5_524_convert_cr:345,krb5_get_init_creds_opt:829,addrtype_iso:106,krb5_get_init_creds_opt_alloc:107,onli:641,krb5_c_crypto_length:551,cksumtype_hmac_sha256_128_aes128:873,variou:713,get:[794,615,51,30,292,739,524,249,185,151,74,517,521,422,318,591,374,110,703,841,207,711,491,147,606,825],krb5_crypto_type_stream:478,krb5_kt_dup:293,ssh:473,"import":17,krb5_build_principal_alloc_va:877,requir:[572,437],krb5_authdata_auth_ind:908,krb5_prompt_typ:898,krb5_sname_to_princip:701,krb5_int16_min:201,krb5_cccol_cursor:221,passwd_phrase_el:889,wiki:23,ap_opts_wire_mask:21,krb5_c_decrypt:669,krb5_transit:496,krb5_auth_con_setsendsubkei:483,krb5_responder_otp_challeng:514,krb5_c_random_make_octet:580,between:449,enctype_aes256_cts_hmac_sha384_192:894,krb5_principal_unparse_displai:116,add_polici:[70,44],krb5_free_checksum:348,krb5_keyusage_krb_safe_cksum:680,tutori:713,krb5_finish_random_kei:856,krb5_princ_set_realm_data:231,krb5_c_encrypt_length:182,krb5_cc_default:125,overview:44,featur:[576,452],krb5_kpasswd_accessdeni:281,krb5_k_key_enctyp:868,krb5_tc_match_is_skei:173,skew:[794,502],procedur:73,krb5_c_verify_checksum:444,enctype_arcfour_hmac_exp:295,krb5_kt_cursor:790,interoper:576,krb5_padata_sam_challenge_2:391,krb5_lrq_all_last_tgt_issu:707,krb5_keyusage_tgs_rep_encpart_sesskei:465,krb5_error_cod:773,ktutil:138,modify_polici:[70,44,484],develop:[155,328,17],author:[504,373,628,436,274,437,662,863,291,608,885,887,403],binari:203,epoch:852,pac:[258,37,420,148,765,718,901,688,595],pad:[651,874,149],document:[176,61,776,126],finish:243,krb5_unparse_name_flags_ext:108,openldap:515,krb5_eblock_enctyp:819,krb5_c_decrypt_iov:791,krb5_string_to_deltat:712,macro:2,krb5_c_enctype_compar:411,without:126,krb5_responder_list_quest:341,execut:437,krb5_gic_opt_pa_data:878,krb5_free_ap_rep_enc_part:882,struct:[649,47],enctype_arcfour_hmac:337,krb5_get_init_creds_opt_set_fast_flag:229,krb5_padata_s4u_x509_us:805,kdc_opt_forward:[720,175],krb5_cc_get_flag:447,read:[914,133,254],get_str:70,enctype_des_cbc_raw:804,krb5_lrq_one_last_tgt:553,server:[794,695,393,226,147,100,73,234,586],krb5_nt_ms_principal_and_id:691,output:[825,874,532],manag:[119,104],krb5_padata_fx_fast:626,krb5_tc_noticket:779,krb5_kpasswd_softerror:152,krb5_free_data_cont:842,krb5_aname_to_localnam:129,krb5_principal_parse_enterpris:469,krb5_pre_send_fn:59,keytab:[794,895,412,302,159,135,100,293,473,621,519],krb5_copy_keyblock_cont:734,refer:[228,845,98,126,855,103],enctype_camellia128_cts_cmac:246,krb5_keyusage_tgs_rep_encpart_subkei:729,krb5_auth_context_ret_tim:667,krb5_keyusage_app_data_encrypt:654,krb5_data:[230,842,194,596],krb5_timestamp_to_sfstr:874,acl:[895,32],krb5_get_credentials_valid:697,aead:[131,791,17,759,820],backup:56,krb5_padata_pk_as_req_old:849,list_mkei:423,krb5_authdata_if_relev:471,your:[794,119],log:[863,10,147],clpreauth:[812,413],krb5_copy_ticket:102,start:[895,40],interfac:[764,608,223,815,875,226,181,455,812,413,850,698,687,885],krb5_encrypt_s:530,addrtype_ddp:487,krb5_auth_con_getaddr:536,krb5_crypto_type_trail:408,krb_ap_req:[363,1,568],krb5_responder_otp_get_challeng:[157,47],krb5_pac_get_typ:148,krb5_enctype_to_str:597,possibl:[639,188,51],"default":[614,207,491,200,159,27,662,818,28,137,308,73,191,125,344,429,415,208,120],krb5_get_init_creds_keytab:841,krb5_sam_use_sad_as_kei:670,krb5_init_creds_step:185,krb5_init_creds_get_tim:761,creat:[504,641,1,855,745,895,737,363,484,147,671,423,251,862,357,718,44,739,437],ad_type_extern:581,gssapi:[17,764,662],krb5_cksumtype_to_str:756,file:[562,476,641,918,63,613,853,646,302,165,748,812,44,100,386,323,10,895,792,640],fill:[600,310,149],osconf:746,krb5_padata_non:288,dbmodul:10,krb5_auth_con_init:745,krb5_cc_default_nam:191,field:[461,536,551,842,881,115,625],valid:[871,247,422,385,510,254],collis:584,krb5_free_keytab_entry_cont:276,krb5_keyusage_cammac:880,salt_type_afs_length:283,krb524_init_et:338,krb5_auth_con_getauthent:872,kdcdefault:10,krb5_tc_match_flags_exact:683,krb5_authdata_and_or:617,krb5_k_prf:648,krb5_get_init_creds_opt_set_expire_callback:907,pkinit:[521,10,812,504],directori:[836,203,452],descript:[724,566,562,184,814,689,32,640,25,63,70,132,518,646,423,138,484,437,783,386,45,540,918],enctype_nul:585,unset:[706,725,743,537,280],purge_mkei:423,represent:[557,549],all:875,krb5_get_in_tkt_with_password:224,krb5_allow_weak_crypto:920,krb5_get_in_tkt_with_keytab:657,krb5_init_creds_set_servic:421,krb5_copy_authdata:887,krb5_tc_match_authdata:13,krb5_server_decrypt_ticket_keytab:389,program:[427,452],krb5_tc_match_times_exact:763,krb5_kpasswd_malform:58,util:836,krb5_make_authdata_kdc_issu:403,mechan:[764,662],enctype_des3_cbc_raw:673,ticket:[121,389,190,798,761,37,30,520,44,739,144,104],krb5_cc_next_cr:610,krb5_prompter_fct:752,list:[628,105,576,484,147,877,341,138,399,44,10,887,91,23],adjust:740,getdat:176,enctype_dsa_sha1_cm:326,krb5_auth_con_getrcach:458,krb5_rd_priv:215,zero:[842,845],proxi:275,deleg:17,clock:[794,502],sun:44,section:[812,10,124,428],delet:44,abbrevi:176,version:[563,234],krb5_cccol_cursor_new:684,krb5_auth_con_getrecvsubkey_k:406,full:[509,701],krb5_keyusage_gss_tok_m:186,krb5_verify_init_creds_opt:6,enctype_des_hmac_sha1:84,krb5_authdata_kdc_issu:41,strong:73,modifi:[44,484],valu:[712,524,420,164,124,428,77,157,269],search:399,krb5_cred_enc_part:189,cksumtype_md5_hmac_arcfour:236,krb5_finish_kei:419,krb5_cc_select:393,cksumtype_hmac_sha1_des3:199,krb5_pac_upn_dns_info:891,via:349,deprec:[2,181],krb5_sam_send_encrypted_sad:770,decrement:845,krb5_prepend_error_messag:211,krb5_nt_x500_princip:492,select:[393,248,698],krb5_deltat_to_str:164,two:[411,628,130,394,368,72,265,511],krb5_set_trace_callback:372,krb5_init_random_kei:526,krb5_lrq_all_last_renew:506,krb5_get_init_creds_opt_set_salt:796,krb5_padata_as_checksum:777,krb5_auth_con_setuseruserkei:11,krb5_tkt_creds_get:735,flag:[706,817,743,537,725,632,511,229,916,115,108,266,489,447,280],krb5_copy_error_messag:508,krb5_get_init_creds_opt_set_address_list:371,known:[257,684],cach:[614,237,3,393,620,340,671,112,556,342,509,458,738,823,243,65,716,463,352,517,125,77,575,818,686,890,257,586,133,27,698,323,88,532,708,205,524,146,491,684,163,859,916,494,611,191,610,543,447],krb5_auth_context_permit_al:858,krb5_auth_context:[266,513,115,166],histori:[70,44,73],krb5_c_make_checksum_iov:310,krb5_calculate_checksum:401,archiv:23,get_init_cr:521,krb5_keyusage_as_req_pa_enc_t:682,krb5:[895,641,2,36,540,181,862,812,124,264,737,624,428],ap_opts_use_subkei:46,get_princip:[70,44],prompt:[848,591,743],challeng:242,krb5_get_init_creds_opt_set_fast_ccache_nam:827,krb5_free_cr:666,krb5_get_init_creds_opt_set_forward:537,krb5_get_init_creds_opt_get_fast_flag:817,krb5_cred:[336,742,627,801,666,793],secur:[100,437,563,473,56],anoth:508,krb5_k_verify_checksum_iov:385,reject:147,krb5_k_make_checksum_iov:600,simpl:[126,2],resourc:23,krb5_keyusage_pa_pkinit_kx:314,kdc_opt_disable_transited_check:700,krb5_get_init_creds_opt_canonic:468,krb524_convert_creds_kdc:90,krb5_set_real_tim:461,krb5_k_encrypt_iov:820,stash:[423,44,613],krb5_encode_authdata_contain:274,callback:[521,784,907,151,372],sendauth:[695,147,642,234],purgekei:70,krb5_keytab_entri:847,krb5_string_to_kei:609,paramet:[812,603,234],krb5_keyusage_fast_req_chksum:193,krb5_auth_con_getsendsubkey_k:921,alter:614,"return":[91,49,237,257,105,875,287,551,148,365,604,674,191,835,279,651,269,157,120],timestamp:[237,502,781,879,874,257],krb5_get_init_creds_opt_salt:607,krb5_authdata:360,krb5_prompt_type_password:886,krb5_free_authent:178,krb5_fwd_tgt_cred:318,troubleshoot:[713,147],authent:[745,409,437,147,872,321,44],token:[208,17],krb5_keyusage_ad_mt:99,krb5_keyusage_fast_rep:747,krb_error:565,trailer:149,krb5_anonymous_realm:49,krb5_padata_sam_redirect:601,krb5_pointer:60,krb_ap_rep:[384,364,917,569],krb5_princ_nam:906,connect:[256,147],krb5_keyusag:317,krb5_responder_otp_tokeninfo:897,event:[853,372],authdata:885,krb5_anonymous_princstr:14,krb5_get_profil:334,krb5_auth_context_ret_sequ:16,iov:[600,17,247,149,385,310],tkt_flg_proxi:445,krb5_authdata_mandatory_for_kdc:20,krb5_keyblock:[525,89,94,316],advanc:95,krb5_lrq_one_last_req:187,effect:437,quick:576,krb5_tgs_name_s:797,krb5_principal_data:425,ask:37,krb5_keyusage_gss_tok_wrap_priv:350,asn:190,krb5_get_init_creds_opt_set_in_ccach:556,krb5_string_to_salttyp:432,krb5_free_enctyp:22,lifetim:[520,798],assign:[409,722],localauth:[812,608],exchang:[615,147],number:[377,651,312,85],krb5_mk_ncred:732,krb5_pac_verifi:258,differ:[44,38,140,449],addrtype_chao:786,interact:521,krb5_roundup:441,store:[555,463,77],schema:855,option:[796,798,452,725,107,229,556,55,10,562,743,407,566,70,689,817,575,520,640,521,25,63,644,81,132,827,646,423,371,874,484,532,204,706,812,907,537,437,916,386,787,44,45,540,918,280],krb5_ticket_tim:660,pars:[731,917,568,569],remot:[693,312,625],remov:[794,158,73,65],krb5_merge_authdata:628,krb5_int32_max:571,krb5_padata_encrypted_challeng:438,comput:[182,72,505,744],packag:[126,452],allow_weak_crypto:920,expir:[907,147],"null":535,del_str:70,krb5_auth_context_generate_remote_addr:306,built:912,lib:836,krb5_princ_typ:160,krb5_recvauth_vers:234,also:[724,566,10,562,184,814,689,32,640,25,63,70,132,518,646,812,138,484,423,540,783,386,45,918],build:[535,855,453,26,227,877,126,203],enctype_des_cbc_md5:356,enctype_des_cbc_md4:355,krb5_lrq_all_pw_exptim:785,tkt_flg_pre_auth:313,krb5_auth_context_do_sequ:788,krb5_lrq_one_acct_exptim:616,krb5_lrq_none:558,krb5_auth_context_generate_remote_full_addr:664,most:[452,508],krb5_realm_branch_char:79,krb5_cc_set_default_nam:818,krb5_nt_uid:67,clear:9,krb5_enc_kdc_rep_part:324,clean:203,kswitch:918,enctyp:[298,648,876,248,143,251,868],krb5_unparse_nam:549,msec_dirbit:892,session:[105,11,915,248,369],krb5_copy_checksum:658,find:[436,88],tkt_flg_renew:333,krb5_c_prfplu:346,firewal:794,copyright:462,krb5_lrq_one_last_tgt_issu:668,krb5_cc_cursor:501,ktadd:[70,794],krb5_change_password:362,hit:845,krb5_x:598,krb5_padata_osf_dc:43,krb5_responder_question_otp:[831,433,47],krb5_verify_init_cr:519,hin:746,krb5_init_creds_set_password:417,krb5_auth_con_set_req_cksumtyp:272,krb5_free_authdata:409,kdc_opt_allow_postd:464,common:814,krb5_nt_ent_principal_and_id:846,certif:[718,504,147],set:[796,855,798,725,110,167,556,400,623,11,625,774,461,743,916,881,827,572,575,520,417,55,522,115,787,644,693,322,137,483,699,240,229,532,706,890,907,537,272,818,784,331,920,371,543,280],dump:[423,44],krb5_mk_req_checksum_func:376,krb5_get_permitted_enctyp:105,see:[724,566,10,562,184,814,689,32,640,25,63,70,132,518,646,812,138,484,423,540,783,386,45,918],sec:852,close:[738,206],ark:423,ap_opts_mutual_requir:822,krb5_crypto_type_data:652,krb5_keyusage_tgs_req_auth_cksum:692,max_keytab_name_len:109,krb5_set_kdc_recv_hook:167,krb5_copy_cr:627,salt_type_no_length:612,krb5_anonymous_realmstr:883,krb5_cc_support_switch:494,last:[237,257,74],context:[483,508,736,860,312,862,9,341,737,344,458,62,624,121,406,11,739,242,745,625,334,369,151,74,357,753,256,761,693,322,872,591,85,245,699,235,653,774,536,272,735,911,437,915,740,784,641,279,921,543],krb5_kt_have_cont:135,load:423,tgt:318,header:[149,323],krb5_principal_compar:265,suppli:[81,1],krb5_os_localaddr:875,backend:855,krb5_cc_get_princip:491,krb5_tkt_creds_step:615,kproplog:566,empti:[718,316],krb5_cc_get_typ:3,krb5_c_init_st:[300,197],add_princip:[70,44],krb5_get_renewed_cr:703,krb5_padata_enc_unix_tim:495,krb5_copy_princip:726,krb5_pac_privsvr_checksum:353,krb5_pac_client_info:665,krb5_mk_priv:267,durat:176,"while":147,krb5_free_cred_cont:801,read_st:138,behavior:473,error:[811,508,147,51,211,903,168,140,331,74,9,240,38,397,814],anonym:[521,504,49,227,725],propag:[28,895,493,44],krb5_magic:490,krb5_timestamp_to_str:879,krb5_recvauth_skip_vers:696,krb5_keyusage_enc_challenge_kdc:19,krb5_mk_rep_dc:384,grant:[739,119],krb5_kvno:843,krb5_cc_set_config:77,krb5_cccol_lock:112,decod:[649,903,190,47],krb5_mk_error:565,krb5_principal_unparse_short:128,krb5_princip:[900,632,479,672,108,549,489],krb5_decode_authdata_contain:291,krb5_int32:546,user:[521,361,762,748,863,848],enctype_aes128_cts_hmac_sha1_96:728,recent:508,kdc_opt_valid:214,entri:[158,243,276,135,302,40,395,711,323,610],krb5_free_keyblock_cont:89,pwqual:[812,455],krb5_c_prf_length:825,krb5_kdc_req:34,krb5_kdc_rep:35,addrtype_inet6:156,krb5_get_validated_cr:422,krb5_c_keyed_checksum_typ:91,input:[914,556,349],kdc_opt_enc_tkt_in_skei:202,krb5_auth_context_generate_local_full_addr:768,checksum:[600,272,435,756,584,631,247,590,784,385,505,151,744,674,91,510,310,358,444],krb5_crypto_type_empti:548,kprop:[132,147],cksumtype_rsa_md4_d:766,ad_type_regist:396,msec_val_mask:705,krb5_keyusage_pa_s4u_x509_user_request:547,enctype_camellia256_cts_cmac:404,krb5_vwrap_error_messag:140,resolv:[620,415,200,125],collect:[614,684,639,352,163,342,517],princip:[794,722,557,453,632,393,227,863,731,672,400,12,511,895,726,18,877,71,881,473,129,890,130,421,368,323,265,701,88,429,535,434,491,217,44],api:[449,98,181,126],krb5_get_credentials_renew:307,krb5_get_init_creds_password:606,krb5_pac:54,some:[100,349],back:[515,56],krb5_read_error:168,sampl:[812,10],krb5_c_random_se:922,machin:792,krb5_padata_sesam:303,krb5_principal_compare_utf8:593,prerequisit:[26,855],krb5_auth_con_getsendsubkei:736,valid_int_bit:380,block:365,krb5_referral_realm:[678,789],krb5_keyusage_pa_sam_respons:213,within:[203,502],krb5_padata_ap_req:113,krb5_c_make_random_kei:143,krb5_rd_rep:569,krb5_rd_req:568,tkt_flg_forward:[605,335],krb5_responder_pkinit_flags_token_user_pin_count_low:925,krb5_nt_smtp_name:816,question:[521,242,286,341,831,235],fast:[817,827,575,229],krb5_get_init_creds_opt_set_pac_request:37,krb5_get_init_creds_opt_set_respond:787,includ:37,forward:[537,318],krb5_enc_tkt_part:826,krb5_mk_safe:832,link:713,delta:712,line:[423,484],krb5_crypto_type_sign_onli:474,krb5_responder_pkinit_flags_token_user_pin_final_tri:685,krb5_crypto_type_pad:402,krb5_kt_get_typ:835,addrtype_is_loc:431,krb5_free_address:555,tkt_flg_ok_as_deleg:170,kdcissu:[403,373],krb5_nt_enterprise_princip:714,krb5_get_init_creds_opt_set_change_password_prompt:743,sequenti:[133,40,243],krb5_keyusage_pa_fx_cooki:475,delete_entri:138,krb5_vprepend_error_messag:811,krb5_cred_info:544,lucid:855,krb5_kpasswd_initial_flag_need:239,krb5_padata_etype_info:33,krb5_kt_read_service_kei:730,krb5_free_keyblock:94,krb5_k_free_kei:845,krb5_context:[137,461,630,141],cksumtype_hmac_sha384_192_aes256:50,pluggabl:885,code:[811,211,51,140,331,240,38],krb5_princ_realm:799,krb5_copy_context:141,krb5_rd_rep_dc:917,send:[736,483,623,921,774],valid_uint_bit:392,krb5_kt_close:206,lndir:203,krb5_build_principal_va:577,write_st:138,krb5_lrq_all_acct_exptim:754,kadm5_hook:[812,223],krb5_tgs_req:76,krb5_tgs_rep:75,krb5_princ_set_realm_length:574,krb5_init_context_secur:382,krb5_padata_fx_cooki:219,compat:248,compar:[411,130,394,368,265,511],fine:452,krb5_keyusage_kdc_rep_ticket:893,access:119,krb5_get_prompt_typ:591,enctype_md5_rsa_cm:195,krb5_priv:709,ubuntu:855,cf2:72,sinc:852,convert:[450,603,164,672,171,345,12,69,632,879,129,690,479,590,874,108,756,597,429,432,712,781,217,489,549],cert:147,chang:[362,44,743,119,110],configur:[794,476,641,515,855,434,452,504,815,208,248,662,792,275,71,323,895,77,493,334,524],krb5_padata_afs3_salt:594,krb5_ui_2:810,krb5_ui_4:809,from:[794,158,855,508,860,312,369,730,736,458,739,701,121,406,524,65,334,761,124,251,73,151,74,126,817,686,256,298,420,639,422,245,872,591,921,44,266,653,703,428,536,359,711,914,915,279,85,610,447],upgrad:73,next:[803,615,610,185,517],kdc_opt_proxi:[398,844],krb5_padata_use_specified_kvno:183,krb5_decrypt:222,krb5_padata_tgs_req:710,mismatch:473,krb5_ap_req:[259,57],krb5_ap_rep:[636,390],account:[362,434,119],retriev:[3,860,730,736,509,458,868,121,406,242,334,369,124,686,817,312,761,420,245,872,921,44,803,266,653,428,708,536,359,40,915,740,308,852,85,610,447],krb5_kuserok:863,alia:171,use_mkei:423,proof:584,krb5_keyusage_as_rep_encpart:347,process:[821,243,215],lock:[70,112,205,340],tarbal:126,addrtype_addrport:778,krb5_pvno:500,rename_princip:70,krb5_k_key_keyblock:359,krb5_keyusage_tgs_req_auth:782,krb5_set_trace_filenam:853,kdb5_util:423,krb5_find_authdata:436,krb5_init_creds_context:650,krb5_cc_new_uniqu:671,alloc:[107,277,168,264,300],enctype_rc2_cbc_env:899,element:[436,385,247,310,600],issu:27,allow:[920,55,502],krb5_get_init_creds_opt_chg_pwd_prmpt:262,move:611,krb5_cc_set_flag:916,krb5_kt_default_nam:207,krb5_pac_pars:901,krb5_tkt_creds_step_flag_continu:68,krb5_keyusage_pa_sam_challenge_cksum:694,krb5_error:[238,457],krb5_get_host_realm:[292,277],krb5_appdefault_boolean:124,handl:[206,148,249,718,293,901,629,688,595,738],dai:852,auth:[312,736,458,11,625,406,85,151,256,369,693,322,872,483,699,653,774,536,272,915,784,921,543],krb5_free_cksumtyp:435,krb5_c_make_checksum:505,krb5_pac_logon_info:538,krb5_timeofdai:740,edit:895,krb5_recvauth_badauthv:867,enctype_des3_cbc_sha:244,variabl:[273,248,452,877],rfc:[346,349],krb5_init_creds_get_cr:245,armor:[575,827],rel:164,krb5_cc_remove_cr:65,krb5_keyusage_ap_rep_encpart:589,krb5_set_error_messag:240,krb5_post_recv_fn:857,unpars:901,releas:[126,340,621],krb5_get_init_creds_opt_set_preauth_list:644,proxiabl:706,krb5_random_kei:910,addrtype_inet:383,length:[453,551,479,604,182,674,149,825],krb5_gc_user_us:588,krb5_princ_compon:439,softwar:26,krb5_responder_fn:919,qualiti:[119,455],kerbero:[794,449,855,576,394,12,292,56,345,510,61,871,493,885,895,362,26,28,579,515,776,912,330,217,44,104],licens:330,system:[28,852,452],messag:[1,508,551,51,110,397,732,9,565,17,568,569,814,38,254,267,522,821,215,363,364,318,832,140,903,240,811,211,384,917,331],termin:535,tkt_flg_transit_policy_check:459,shell:[437,473],view_polici:484,krb5_set_password:400,tkt_flg_hw_auth:866,krb5_auth_con_getlocalseqnumb:85,structur:[107,194,166,507,842,672,115,10,868,461,178,627,882,204,489,479,348,812,137,320,141,108,266,486,658,89,359,36,94,801,666,102,549,447],krb5_rd_error:903,krb5_authdata_osf_dc:554,krb5_keyusage_ad_it:460,krb5_crypto_iov:924,krb5_tc_match_srv_nameonli:870,krb5_responder_otp_flags_separate_pin:482,set_str:70,tabl:[158,389,206,841,207,276,40,395,249,730,711,200,835,803,374,415],tkt_flg_invalid:354,modify_princip:[70,44],krb5_c_string_to_key_with_param:603,mic:17,krb5_principal_parse_require_realm:833,mit:[61,776,449,576,28,330,44],singl:[522,203],krb5_cccol_last_change_tim:257,cipher:[300,365,197],krb5_cksumtyp:387,krb5_c_random_add_entropi:377,krb5_cc_switch:352,krb5_responder_question_pkinit:[649,286,118],request:[121,615,735,860,248,185,62],determin:[863,494],delete_princip:[70,44],constrain:17,krb5_trace_callback:136,fact:576,krb5_ap_rep_enc_part:[904,882],krb5_salttype_to_str:690,trivial:563,krb5_keytab:582,ksu:437,locat:[226,662,827],should:181,local:[693,863,85,129,608,625],contribut:776,krb5_verify_checksum:282,krb5_responder_otp_format_hexadecim:446,krb5_kpasswd_success:599,krb5_rd_cred:254,keysalt:10,krb5_kpasswd_harderror:82,krb5_kpasswd_autherror:284,krb5_ticket:[309,102],organ:836,krb5_xc:741,kadmind:689,contain:[274,341,135,163],krb5_get_init_creds_opt_etype_list:839,legaci:[73,181],krb5_free_tgt_cr:320,krb5_padata_enc_sandia_securid:592,krb5_nt_wellknown:311,domain_realm:812,krb5_principal_compare_casefold:424,enctype_des3_cbc_env:150,state:[300,434,197],krb5_use_enctyp:896,addrtype_netbio:405,k5ident:783,kei:[158,389,603,648,915,105,840,730,114,11,69,298,349,302,369,248,249,143,251,73,415,358,845,759,72,744,631,200,835,803,374,600,820,206,841,207,276,39,40,395,604,711,385,44,91,103,669],krbtgt:[44,73],krb5_get_init_creds_opt_forward:834,addit:[603,228,511,30],krb5_padata_otp_challeng:271,plugin:[328,812,662,4],admin:[493,147],instanc:208,enctype_des_cbc_crc:913,krb5_pa_svr_referral_data:304,krb5_cccol_cursor_fre:342,rpc:[384,917],quit:[70,138],krb5_vset_error_messag:331,krb5_keyusage_tgs_req_ad_subkei:80,krb5_padata_sam_response_2:542,krb5_init_creds_fre:911,compon:368,krb5_principal_parse_no_realm:216,krb5_recvauth:695,otp:[10,208],replic:434,krb5_authdata_initial_verified_ca:751,cursor:[621,342],defin:208,krb5_crypto_type_head:645,side:437,site:126,krb5_get_init_creds_opt_anonym:66,krb5_auth_con_getremoteseqnumb:312,addrtype_xn:270,krb5_keyusage_ap_req_auth:366,krb5_lrq_all_last_initi:795,cross:44,member:[336,503,727,6,457,900,425,514,878,304,525,904,635,309,755,189,889,360,583,259,636,897,647,829,319,370,139,29,771,485,837,324,31,34,35,596,660,826,767,924,544,496,443,154,847,220,793,499],krb5_fast_requir:456,slave:[28,493,895],hostnam:[493,188],expans:812,entryfrom:803,krb5_free_data:194,ap_opts_etype_negoti:800,krb5_preauthtyp:466,interpos:764,krb5_padata_svr_referral_info:218,exampl:[521,794,452,540,783,138,184,44,32,45],command:[70,423,361,138,484],krb5_pac_add_buff:595,choos:248,krb5_padata_enc_timestamp:769,krb5_cccol_cursor_next:517,"boolean":124,obtain:[735,26,104],kdc_opt_canonic:297,krb5_authdata_signticket:285,krb5_padata_sam_challeng:564,web:[126,23],krb5_read_password:914,list_polici:[70,44,484],add:[377,895,811,395,211,140,595,38],krb5_clear_error_messag:9,match:[789,18],krb5_copy_keyblock:111,krb5_keyusage_krb_cred_encpart:854,password:[521,890,743,606,362,603,110,69,914,848,400,44,455,119,417],krb5_int16_max:806,lr_type_this_server_onli:145,krb5_address_ord:287,like:28,krb5_auth_con_setport:625,krb5_free_default_realm:120,krb5_padata_pac_request:24,page:[126,23],krb5_responder_otp_flags_collect_token:539,krb5_addrtyp:865,krb5_msgtype:101,krb5_check_clockskew:502,kdb:885,kdc:[504,615,434,895,37,147,422,662,167,28,563,850,73,74,10,623,739,493,703,185],"export":17,krb5_k_decrypt_iov:759,librari:[737,641,624,912,862],krb5_get_init_creds_opt_fre:407,krb5_gc_no_stor:451,octet:651,krb5_tc_match_2nd_tkt:327,sequenc:[312,85],krb5_get_time_offset:279,krb5_c_valid_cksumtyp:510,pepper:72,krb5_string_to_timestamp:781,dce:[384,917],usag:73,host:[895,875,147,662,292,100,56,687],offset:[740,279,461],krb5_lrq_all_last_tgt:440,krb5_padata_pk_as_rep_old:332,krb5_int16:153,about:[44,100],rare:181,socket:256,http:275,kdc_opt_request_anonym:470,krb5_string_to_enctyp:450,krb5_crypto_type_checksum:253,krb:[267,522,821,318,732,72,832,215,903,254],krb5_auth_con_getremotesubkei:179,capath:812,krb5_authdata_sesam:638,merg:628,krb5_get_init_creds_opt_address_list:675,"function":[234,695,167,787,264,372,623,825,642],krb5_lrq_all_last_req:388,unwrap:[291,373],krb5_kt_default:415,tkt_flg_anonym:8,count:[845,103,453],whether:[18,912,584,71,494,572,358],krb5_c_verify_checksum_iov:247,krb5_free_error_messag:397,krb5_c_free_stat:300,krb5_enctyp:531,krb5_cc_initi:823,krb5_responder_otp_challenge_fre:157,krb5_get_init_creds_opt_set_out_ccach:532,pin:521,dure:147,krb5_kt_add_entri:395,kpropd:63,krb5_free_context:624,other:208,krb5_responder_pkinit_challenge_fre:269,krb5_ccach:339,krb5_lrq_one_last_initi:169,krb5_octet:923,kdb5_ldap_util:484,appdefault:[812,124,428],krb5_responder_pkinit_set_answ:286,k5srvutil:724,krb5_principal2salt:429}}) \ No newline at end of file diff --git a/doc/html/user/index.html b/doc/html/user/index.html deleted file mode 100644 index fa7208e..0000000 --- a/doc/html/user/index.html +++ /dev/null @@ -1,173 +0,0 @@ - - - - - - - - For users — MIT Kerberos Documentation - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- - - - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/pwd_mgmt.html b/doc/html/user/pwd_mgmt.html deleted file mode 100644 index dce13fc..0000000 --- a/doc/html/user/pwd_mgmt.html +++ /dev/null @@ -1,239 +0,0 @@ - - - - - - - - Password management — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Password management¶

-

Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you—send email that comes from you, read, edit, or delete your files, -or log into other hosts as you—and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -Granting access to your account). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is.

-
-

Changing your password¶

-

To change your Kerberos password, use the kpasswd command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you’re not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) -For example, user david would do the following:

-
shell% kpasswd
-Password for david:    <- Type your old password.
-Enter new password:    <- Type your new password.
-Enter it again:  <- Type the new password again.
-Password changed.
-shell%
-
-
-

If david typed the incorrect old password, he would get the -following message:

-
shell% kpasswd
-Password for david:  <- Type the incorrect old password.
-kpasswd: Password incorrect while getting initial ticket
-shell%
-
-
-

If you make a mistake and don’t type the new password the same way -twice, kpasswd will ask you to try again:

-
shell% kpasswd
-Password for david:  <- Type the old password.
-Enter new password:  <- Type the new password.
-Enter it again: <- Type a different new password.
-kpasswd: Password mismatch while reading password
-shell%
-
-
-

Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn’t work, try again -using the old one.

-
-
-

Granting access to your account¶

-

If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called .k5login in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file:

-
jennifer@ATHENA.MIT.EDU
-david@EXAMPLE.COM
-
-
-

This file would allow the users jennifer and david to use your -user ID, provided that they had Kerberos tickets in their respective -realms. If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts.

-

Using a .k5login file is much safer than giving out your password, -because:

-
    -
  • You can take access away any time simply by removing the principal -from your .k5login file.
    • -
  • Although the user has full access to your account on one particular -host (or set of hosts if your .k5login file is shared, e.g., over -NFS), that user does not inherit your network privileges.
    • -
  • Kerberos keeps a log of who obtains tickets, so a system -administrator could find out, if necessary, who was capable of using -your user ID at a particular time.
    • -
-

One common application is to have a .k5login file in root’s home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network.

-
-
-

Password quality verification¶

-

TODO

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/tkt_mgmt.html b/doc/html/user/tkt_mgmt.html deleted file mode 100644 index 328a358..0000000 --- a/doc/html/user/tkt_mgmt.html +++ /dev/null @@ -1,459 +0,0 @@ - - - - - - - - Ticket management — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

Ticket management¶

-

On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the kdestroy command -to your .logout file. Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen.

-
-

Kerberos ticket properties¶

-

There are various properties that Kerberos tickets can have:

-

If a ticket is forwardable, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally.

-

When the KDC creates a new ticket based on a forwardable ticket, it -sets the forwarded flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set.

-

A proxiable ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket-granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable.

-

A proxy ticket is one that was issued based on a proxiable ticket.

-

A postdated ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets.

-

Ticket-granting tickets with the postdateable flag set can be used -to obtain postdated service tickets.

-

Renewable tickets can be used to obtain new session keys without -the user entering their password again. A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket.

-

A ticket with the initial flag set was issued based on the -authentication protocol, and not on a ticket-granting ticket. -Application servers that wish to ensure that the user’s key has been -recently presented for verification could specify that this flag must -be set to accept the ticket.

-

An invalid ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used.

-

A preauthenticated ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC.

-

The hardware authentication flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets.

-

If a ticket has the transit policy checked flag set, then the KDC -that issued this ticket implements the transited-realm check policy -and checked the transited-realms list on the ticket. The -transited-realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket.

-

The okay as delegate flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it.

-

An anonymous ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key.

-
-
-

Obtaining tickets with kinit¶

-

If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -kinit program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones.

-

To use the kinit program, simply type kinit and then type your -password at the prompt. For example, Jennifer (whose username is -jennifer) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would -type:

-
shell% kinit
-Password for jennifer@ATHENA.MIT.EDU: <-- [Type jennifer's password here.]
-shell%
-
-
-

If you type your password incorrectly, kinit will give you the -following error message:

-
shell% kinit
-Password for jennifer@ATHENA.MIT.EDU: <-- [Type the wrong password here.]
-kinit: Password incorrect
-shell%
-
-
-

and you won’t get Kerberos tickets.

-

By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer’s friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. He would type:

-
shell% kinit david@EXAMPLE.COM
-Password for david@EXAMPLE.COM: <-- [Type david's password here.]
-shell%
-
-
-

David would then have tickets which he could use to log onto his own -machine. Note that he typed his password locally on Jennifer’s -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm.

-

If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the --f option:

-
shell% kinit -f
-Password for jennifer@ATHENA.MIT.EDU: <-- [Type your password here.]
-shell%
-
-
-

Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the klist command (see -Viewing tickets with klist).

-

Normally, your tickets are good for your system’s default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the -l option. Add the letter -s to the value for seconds, m for minutes, h for hours, or -d for days. For example, to obtain forwardable tickets for -david@EXAMPLE.COM that would be good for three hours, you would -type:

-
shell% kinit -f -l 3h david@EXAMPLE.COM
-Password for david@EXAMPLE.COM: <-- [Type david's password here.]
-shell%
-
-
-
-

Note

-

You cannot mix units; specifying a lifetime of 3h30m would -result in an error. Note also that most systems specify a -maximum ticket lifetime. If you request a longer ticket -lifetime, it will be automatically truncated to the maximum -lifetime.

-
-
-
-

Viewing tickets with klist¶

-

The klist command shows your tickets. When you first obtain -tickets, you will have only the ticket-granting ticket. The listing -would look like this:

-
shell% klist
-Ticket cache: /tmp/krb5cc_ttypa
-Default principal: jennifer@ATHENA.MIT.EDU
-
-Valid starting     Expires            Service principal
-06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-shell%
-
-
-

The ticket cache is the location of your ticket file. In the above -example, this file is named /tmp/krb5cc_ttypa. The default -principal is your Kerberos principal.

-

The “valid starting” and “expires” fields describe the period of time -during which the ticket is valid. The “service principal” describes -each ticket. The ticket-granting ticket has a first component -krbtgt, and a second component which is the realm name.

-

Now, if jennifer connected to the machine daffodil.mit.edu, -and then typed “klist” again, she would have gotten the following -result:

-
shell% klist
-Ticket cache: /tmp/krb5cc_ttypa
-Default principal: jennifer@ATHENA.MIT.EDU
-
-Valid starting     Expires            Service principal
-06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
-shell%
-
-
-

Here’s what happened: when jennifer used ssh to connect to the -host daffodil.mit.edu, the ssh program presented her -ticket-granting ticket to the KDC and requested a host ticket for the -host daffodil.mit.edu. The KDC sent the host ticket, which ssh -then presented to the host daffodil.mit.edu, and she was allowed -to log in without typing her password.

-

Suppose your Kerberos tickets allow you to log into a host in another -domain, such as trillium.example.com, which is also in another -Kerberos realm, EXAMPLE.COM. If you ssh to this host, you will -receive a ticket-granting ticket for the realm EXAMPLE.COM, plus -the new host ticket for trillium.example.com. klist will now -show:

-
shell% klist
-Ticket cache: /tmp/krb5cc_ttypa
-Default principal: jennifer@ATHENA.MIT.EDU
-
-Valid starting     Expires            Service principal
-06/07/04 19:49:21  06/08/04 05:49:19  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-06/07/04 20:22:30  06/08/04 05:49:19  host/daffodil.mit.edu@ATHENA.MIT.EDU
-06/07/04 20:24:18  06/08/04 05:49:19  krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU
-06/07/04 20:24:18  06/08/04 05:49:19  host/trillium.example.com@EXAMPLE.COM
-shell%
-
-
-

Depending on your host’s and realm’s configuration, you may also see a -ticket with the service principal host/trillium.example.com@. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the ATHENA.MIT.EDU KDC for -a referral. The next time you connect to trillium.example.com, -the odd-looking entry will be used to avoid needing to ask for a -referral again.

-

You can use the -f option to view the flags that apply to your -tickets. The flags are:

- ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
FForwardable
fforwarded
PProxiable
pproxy
DpostDateable
dpostdated
RRenewable
IInitial
iinvalid
HHardware authenticated
ApreAuthenticated
TTransit policy checked
OOkay as delegate
aanonymous
-

Here is a sample listing. In this example, the user jennifer -obtained her initial tickets (I), which are forwardable (F) -and postdated (d) but not yet validated (i):

-
shell% klist -f
-Ticket cache: /tmp/krb5cc_320
-Default principal: jennifer@ATHENA.MIT.EDU
-
-Valid starting      Expires             Service principal
-31/07/05 19:06:25  31/07/05 19:16:25  krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
-        Flags: FdiI
-shell%
-
-
-

In the following example, the user david‘s tickets were forwarded -(f) to this host from another host. The tickets are reforwardable -(F):

-
shell% klist -f
-Ticket cache: /tmp/krb5cc_p11795
-Default principal: david@EXAMPLE.COM
-
-Valid starting     Expires            Service principal
-07/31/05 11:52:29  07/31/05 21:11:23  krbtgt/EXAMPLE.COM@EXAMPLE.COM
-        Flags: Ff
-07/31/05 12:03:48  07/31/05 21:11:23  host/trillium.example.com@EXAMPLE.COM
-        Flags: Ff
-shell%
-
-
-
-
-

Destroying tickets with kdestroy¶

-

Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. For this reason, you should -destroy your Kerberos tickets when you are away from your computer.

-

Destroying your tickets is easy. Simply type kdestroy:

-
shell% kdestroy
-shell%
-
-
-

If kdestroy fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can’t find any -tickets to destroy, it will give the following message:

-
shell% kdestroy
-kdestroy: No credentials cache file found while destroying cache
-shell%
-
-
-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/index.html b/doc/html/user/user_commands/index.html deleted file mode 100644 index 48738c5..0000000 --- a/doc/html/user/user_commands/index.html +++ /dev/null @@ -1,164 +0,0 @@ - - - - - - - - User commands — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

User commands¶

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/kdestroy.html b/doc/html/user/user_commands/kdestroy.html deleted file mode 100644 index 6102f75..0000000 --- a/doc/html/user/user_commands/kdestroy.html +++ /dev/null @@ -1,223 +0,0 @@ - - - - - - - - kdestroy — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kdestroy¶

-
-

SYNOPSIS¶

-

kdestroy -[-A] -[-q] -[-c cache_name]

-
-
-

DESCRIPTION¶

-

The kdestroy utility destroys the user’s active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed.

-
-
-

OPTIONS¶

-
-
-A
-
Destroys all caches in the collection, if a cache collection is -available.
-
-q
-
Run quietly. Normally kdestroy beeps if it fails to destroy the -user’s tickets. The -q flag suppresses this behavior.
-
-c cache_name
-

Use cache_name as the credentials (ticket) cache name and -location; if this option is not used, the default cache name and -location are used.

-

The default credentials cache may vary between systems. If the -KRB5CCNAME environment variable is set, its value is used to -name the default ticket cache.

-
-
-
-
-

NOTE¶

-

Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out.

-
-
-

ENVIRONMENT¶

-

kdestroy uses the following environment variable:

-
-
KRB5CCNAME
-
Location of the default Kerberos 5 credentials (ticket) cache, in -the form type:residual. If no type prefix is present, the -FILE type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type DIR causes caches within the directory -to be present in the collection.
-
-
-
-

FILES¶

-
-
DEFCCNAME
-
Default location of Kerberos 5 credentials cache
-
-
-
-

SEE ALSO¶

-

kinit, klist

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/kinit.html b/doc/html/user/user_commands/kinit.html deleted file mode 100644 index f43e00b..0000000 --- a/doc/html/user/user_commands/kinit.html +++ /dev/null @@ -1,354 +0,0 @@ - - - - - - - - kinit — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kinit¶

-
-

SYNOPSIS¶

-

kinit -[-V] -[-l lifetime] -[-s start_time] -[-r renewable_life] -[-p | -P] -[-f | -F] -[-a] -[-A] -[-C] -[-E] -[-v] -[-R] -[-k [-t keytab_file]] -[-c cache_name] -[-n] -[-S service_name] -[-I input_ccache] -[-T armor_ccache] -[-X attribute[=value]] -[principal]

-
-
-

DESCRIPTION¶

-

kinit obtains and caches an initial ticket-granting ticket for -principal. If principal is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name.

-
-
-

OPTIONS¶

-
-
-V
-
display verbose output.
-
-l lifetime
-

(Time duration string.) Requests a ticket with the lifetime -lifetime.

-

For example, kinit -l 5:30 or kinit -l 5h30m.

-

If the -l option is not specified, the default ticket lifetime -(configured by each site) is used. Specifying a ticket lifetime -longer than the maximum ticket lifetime (configured by each site) -will not override the configured maximum ticket lifetime.

-
-
-s start_time
-

(Time duration string.) Requests a postdated ticket. Postdated -tickets are issued with the invalid flag set, and need to be -resubmitted to the KDC for validation before use.

-

start_time specifies the duration of the delay before the ticket -can become valid.

-
-
-r renewable_life
-
(Time duration string.) Requests renewable tickets, with a total -lifetime of renewable_life.
-
-f
-
requests forwardable tickets.
-
-F
-
requests non-forwardable tickets.
-
-p
-
requests proxiable tickets.
-
-P
-
requests non-proxiable tickets.
-
-a
-
requests tickets restricted to the host’s local address[es].
-
-A
-
requests tickets not restricted by address.
-
-C
-
requests canonicalization of the principal name, and allows the -KDC to reply with a different client principal from the one -requested.
-
-E
-
treats the principal name as an enterprise name (implies the --C option).
-
-v
-
requests that the ticket-granting ticket in the cache (with the -invalid flag set) be passed to the KDC for validation. If the -ticket is within its requested time range, the cache is replaced -with the validated ticket.
-
-R
-

requests renewal of the ticket-granting ticket. Note that an -expired ticket cannot be renewed, even if the ticket is still -within its renewable life.

-

Note that renewable tickets that have expired as reported by -klist may sometimes be renewed using this option, -because the KDC applies a grace period to account for client-KDC -clock skew. See krb5.conf clockskew setting.

-
-
-k [-i | -t keytab_file]
-
requests a ticket, obtained from a key in the local host’s keytab. -The location of the keytab may be specified with the -t -keytab_file option, or with the -i option to specify the use -of the default client keytab; otherwise the default keytab will be -used. By default, a host ticket for the local host is requested, -but any principal may be specified. On a KDC, the special keytab -location KDB: can be used to indicate that kinit should open -the KDC database and look up the key directly. This permits an -administrator to obtain tickets as any principal that supports -authentication based on the key.
-
-n
-

Requests anonymous processing. Two types of anonymous principals -are supported.

-

For fully anonymous Kerberos, configure pkinit on the KDC and -configure pkinit_anchors in the client’s krb5.conf. -Then use the -n option with a principal of the form @REALM -(an empty principal name followed by the at-sign and a realm -name). If permitted by the KDC, an anonymous ticket will be -returned.

-

A second form of anonymous tickets is supported; these -realm-exposed tickets hide the identity of the client but not the -client’s realm. For this mode, use kinit -n with a normal -principal name. If supported by the KDC, the principal (but not -realm) will be replaced by the anonymous principal.

-

As of release 1.8, the MIT Kerberos KDC only supports fully -anonymous operation.

-
-
-

-I input_ccache

-
-
Specifies the name of a credentials cache that already contains a -ticket. When obtaining that ticket, if information about how that -ticket was obtained was also stored to the cache, that information -will be used to affect how new credentials are obtained, including -preselecting the same methods of authenticating to the KDC.
-
-
-T armor_ccache
-
Specifies the name of a credentials cache that already contains a -ticket. If supported by the KDC, this cache will be used to armor -the request, preventing offline dictionary attacks and allowing -the use of additional preauthentication mechanisms. Armoring also -makes sure that the response from the KDC is not modified in -transit.
-
-c cache_name
-

use cache_name as the Kerberos 5 credentials (ticket) cache -location. If this option is not used, the default cache location -is used.

-

The default cache location may vary between systems. If the -KRB5CCNAME environment variable is set, its value is used to -locate the default cache. If a principal name is specified and -the type of the default cache supports a collection (such as the -DIR type), an existing cache containing credentials for the -principal is selected or a new one is created and becomes the new -primary cache. Otherwise, any existing contents of the default -cache are destroyed by kinit.

-
-
-S service_name
-
specify an alternate service name to use when getting initial -tickets.
-
-X attribute[=value]
-

specify a pre-authentication attribute and value to be -interpreted by pre-authentication modules. The acceptable -attribute and value values vary from module to module. This -option may be specified multiple times to specify multiple -attributes. If no value is specified, it is assumed to be “yes”.

-

The following attributes are recognized by the PKINIT -pre-authentication mechanism:

-
-
X509_user_identity=value
-
specify where to find user’s X509 identity information
-
X509_anchors=value
-
specify where to find trusted X509 anchor information
-
flag_RSA_PROTOCOL[=yes]
-
specify use of RSA, rather than the default Diffie-Hellman -protocol
-
-
-
-
-
-

ENVIRONMENT¶

-

kinit uses the following environment variables:

-
-
KRB5CCNAME
-
Location of the default Kerberos 5 credentials cache, in the form -type:residual. If no type prefix is present, the FILE -type is assumed. The type of the default cache may determine the -availability of a cache collection; for instance, a default cache -of type DIR causes caches within the directory to be present -in the collection.
-
-
-
-

FILES¶

-
-
DEFCCNAME
-
default location of Kerberos 5 credentials cache
-
DEFKTNAME
-
default location for the local host’s keytab.
-
-
-
-

SEE ALSO¶

-

klist, kdestroy, kerberos(1)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/klist.html b/doc/html/user/user_commands/klist.html deleted file mode 100644 index 4e9dd8c..0000000 --- a/doc/html/user/user_commands/klist.html +++ /dev/null @@ -1,268 +0,0 @@ - - - - - - - - klist — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

klist¶

-
-

SYNOPSIS¶

-

klist -[-e] -[[-c] [-l] [-A] [-f] [-s] [-a [-n]]] -[-C] -[-k [-t] [-K]] -[-V] -[cache_name|keytab_name]

-
-
-

DESCRIPTION¶

-

klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file.

-
-
-

OPTIONS¶

-
-
-e
-
Displays the encryption types of the session key and the ticket -for each credential in the credential cache, or each key in the -keytab file.
-
-l
-
If a cache collection is available, displays a table summarizing -the caches present in the collection.
-
-A
-
If a cache collection is available, displays the contents of all -of the caches in the collection.
-
-c
-
List tickets held in a credentials cache. This is the default if -neither -c nor -k is specified.
-
-f
-

Shows the flags present in the credentials, using the following -abbreviations:

-
F    Forwardable
-f    forwarded
-P    Proxiable
-p    proxy
-D    postDateable
-d    postdated
-R    Renewable
-I    Initial
-i    invalid
-H    Hardware authenticated
-A    preAuthenticated
-T    Transit policy checked
-O    Okay as delegate
-a    anonymous
-
-
-
-
-s
-
Causes klist to run silently (produce no output). klist will exit -with status 1 if the credentials cache cannot be read or is -expired, and with status 0 otherwise.
-
-a
-
Display list of addresses in credentials.
-
-n
-
Show numeric addresses instead of reverse-resolving addresses.
-
-C
-
List configuration data that has been stored in the credentials -cache when klist encounters it. By default, configuration data -is not listed.
-
-k
-
List keys held in a keytab file.
-
-i
-
In combination with -k, defaults to using the default client -keytab instead of the default acceptor keytab, if no name is -given.
-
-t
-
Display the time entry timestamps for each keytab entry in the -keytab file.
-
-K
-
Display the value of the encryption key in each keytab entry in -the keytab file.
-
-V
-
Display the Kerberos version number and exit.
-
-

If cache_name or keytab_name is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the KRB5CCNAME environment variable is set, its -value is used to locate the default ticket cache.

-
-
-

ENVIRONMENT¶

-

klist uses the following environment variable:

-
-
KRB5CCNAME
-
Location of the default Kerberos 5 credentials (ticket) cache, in -the form type:residual. If no type prefix is present, the -FILE type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type DIR causes caches within the directory -to be present in the collection.
-
-
-
-

FILES¶

-
-
DEFCCNAME
-
Default location of Kerberos 5 credentials cache
-
DEFKTNAME
-
Default location for the local host’s keytab file.
-
-
-
-

SEE ALSO¶

-

kinit, kdestroy

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/kpasswd.html b/doc/html/user/user_commands/kpasswd.html deleted file mode 100644 index d6c0d01..0000000 --- a/doc/html/user/user_commands/kpasswd.html +++ /dev/null @@ -1,186 +0,0 @@ - - - - - - - - kpasswd — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kpasswd¶

-
-

SYNOPSIS¶

-

kpasswd [principal]

-
-
-

DESCRIPTION¶

-

The kpasswd command is used to change a Kerberos principal’s password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed.

-

If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.)

-
-
-

OPTIONS¶

-
-
principal
-
Change the password for the Kerberos principal principal. -Otherwise, kpasswd uses the principal name from an existing ccache -if there is one; if not, the principal is derived from the -identity of the user invoking the kpasswd command.
-
-
-
-

SEE ALSO¶

-

kadmin, kadmind

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/krb5-config.html b/doc/html/user/user_commands/krb5-config.html deleted file mode 100644 index 90e87f1..0000000 --- a/doc/html/user/user_commands/krb5-config.html +++ /dev/null @@ -1,238 +0,0 @@ - - - - - - - - krb5-config — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

krb5-config¶

-
-

SYNOPSIS¶

-

krb5-config -[--help | --all | --version | --vendor | --prefix | --exec-prefix | --defccname | --defktname | --defcktname | --cflags | --libs [libraries]]

-
-
-

DESCRIPTION¶

-

krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries.

-
-
-

OPTIONS¶

-
-
--help
-
prints a usage message. This is the default behavior when no options -are specified.
-
--all
-
prints the version, vendor, prefix, and exec-prefix.
-
--version
-
prints the version number of the Kerberos installation.
-
--vendor
-
prints the name of the vendor of the Kerberos installation.
-
--prefix
-
prints the prefix for which the Kerberos installation was built.
-
--exec-prefix
-
prints the prefix for executables for which the Kerberos installation -was built.
-
--defccname
-
prints the built-in default credentials cache location.
-
--defktname
-
prints the built-in default keytab location.
-
--defcktname
-
prints the built-in default client (initiator) keytab location.
-
--cflags
-
prints the compilation flags used to build the Kerberos installation.
-
--libs [library]
-

prints the compiler options needed to link against library. -Allowed values for library are:

- ---- - - - - - - - - - - - - - - - - - -
krb5Kerberos 5 applications (default)
gssapiGSSAPI applications with Kerberos 5 bindings
kadm-clientKadmin client
kadm-serverKadmin server
kdbApplications that access the Kerberos database
-
-
-
-
-

EXAMPLES¶

-

krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in /opt/krb5/ but uses -libraries in /usr/local/lib/ for text localization would produce -the following output:

-
shell% krb5-config --libs krb5
--L/opt/krb5/lib -Wl,-rpath -Wl,/opt/krb5/lib -L/usr/local/lib -lkrb5 -lk5crypto -lcom_err
-
-
-
-
-

SEE ALSO¶

-

kerberos(1), cc(1)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/ksu.html b/doc/html/user/user_commands/ksu.html deleted file mode 100644 index b7dd194..0000000 --- a/doc/html/user/user_commands/ksu.html +++ /dev/null @@ -1,507 +0,0 @@ - - - - - - - - ksu — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

ksu¶

-
-

SYNOPSIS¶

-

ksu -[ target_user ] -[ -n target_principal_name ] -[ -c source_cache_name ] -[ -k ] -[ -r time ] -[ -pf ] -[ -l lifetime ] -[ -z | Z ] -[ -q ] -[ -e command [ args ... ] ] [ -a [ args ... ] ]

-
-
-

REQUIREMENTS¶

-

Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu.

-
-
-

DESCRIPTION¶

-

ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context.

-
-

Note

-

For the sake of clarity, all references to and attributes of -the user invoking the program will start with “source” -(e.g., “source user”, “source cache”, etc.).

-

Likewise, all references to and attributes of the target -account will start with “target”.

-
-
-
-

AUTHENTICATION¶

-

To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the -n option (e.g., -n jqpublic@USC.EDU) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see -n option). The target user -name must be the first argument to ksu; if not specified root is the -default. If . is specified then the target user will be the -source user (e.g., ksu .). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache.

-

The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal’s realm. If the ticket for the -end-server is already in the cache, it’s decrypted and verified. If -it’s not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -GET_TGT_VIA_PASSWD define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -GET_TGT_VIA_PASSWD is not defined, authentication fails.

-
-
-

AUTHORIZATION¶

-

This section describes authorization of the source user when ksu is -invoked without the -e option. For a description of the -e -option, see the OPTIONS section.

-

Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user’s home directory, ksu attempts to access two authorization files: -.k5login and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account.

-

For example:

-
jqpublic@USC.EDU
-jqpublic/secure@USC.EDU
-jqpublic/admin@USC.EDU
-
-
-

The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the -e option in the OPTIONS section for details).

-

Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by * then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname->lname mapping -rules. Otherwise, authorization fails.

-
-
-

EXECUTION OF THE TARGET SHELL¶

-

Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login’s -default values. In addition, the environment variable KRB5CCNAME -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user’s shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the -k option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su.

-
-
-

CREATING A NEW SECURITY CONTEXT¶

-

ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the -e -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using -z or -Z option. -z restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The -Z option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, -z option is the default mode of -operation.

-

While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If -n is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless -Z specified or GET_TGT_VIA_PASSWD -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails.

-
-

Note

-

During authentication, only the tickets that could be -obtained without providing a password are cached in in the -source cache.

-
-
-
-

OPTIONS¶

-
-
-n target_principal_name
-

Specify a Kerberos target principal name. Used in authentication -and authorization phases of ksu.

-

If ksu is invoked without -n, a default principal name is -assigned via the following heuristic:

-
    -

  • Case 1: source user is non-root.

    -

    If the target user is the source user the default principal name -is set to the default principal of the source cache. If the -cache does not exist then the default principal name is set to -target_user@local_realm. If the source and target users are -different and neither ~target_user/.k5users nor -~target_user/.k5login exist then the default principal name -is target_user_login_name@local_realm. Otherwise, starting -with the first principal listed below, ksu checks if the -principal is authorized to access the target account and whether -there is a legitimate ticket for that principal in the source -cache. If both conditions are met that principal becomes the -default target principal, otherwise go to the next principal.

    -
      -
    1. default principal of the source cache
      2. -
    2. target_user@local_realm
      3. -
    3. source_user@local_realm
      4. -
    -

    If a-c fails try any principal for which there is a ticket in -the source cache and that is authorized to access the target -account. If that fails select the first principal that is -authorized to access the target account from the above list. If -none are authorized and ksu is configured with -PRINC_LOOK_AHEAD turned on, select the default principal as -follows:

    -

    For each candidate in the above list, select an authorized -principal that has the same realm name and first part of the -principal name equal to the prefix of the candidate. For -example if candidate a) is jqpublic@ISI.EDU and -jqpublic/secure@ISI.EDU is authorized to access the target -account then the default principal is set to -jqpublic/secure@ISI.EDU.

    -
    • -

  • Case 2: source user is root.

    -

    If the target user is non-root then the default principal name -is target_user@local_realm. Else, if the source cache -exists the default principal name is set to the default -principal of the source cache. If the source cache does not -exist, default principal name is set to root\@local_realm.

    -
    • -
-
-
-

-c source_cache_name

-
-

Specify source cache name (e.g., -c FILE:/tmp/my_cache). If --c option is not used then the name is obtained from -KRB5CCNAME environment variable. If KRB5CCNAME is not -defined the source cache name is set to krb5cc_<source uid>. -The target cache name is automatically set to krb5cc_<target -uid>.(gen_sym()), where gen_sym generates a new number such that -the resulting cache does not already exist. For example:

-
krb5cc_1984.2
-
-
-
-
-
-k
-
Do not delete the target cache upon termination of the target -shell or a command (-e command). Without -k, ksu deletes -the target cache.
-
-z
-
Restrict the copy of tickets from the source cache to the target -cache to only the tickets where client == the target principal -name. Use the -n option if you want the tickets for other then -the default principal. Note that the -z option is mutually -exclusive with the -Z option.
-
-Z
-
Don’t copy any tickets from the source cache to the target cache. -Just create a fresh target cache, where the default principal name -of the cache is initialized to the target principal name. Note -that the -Z option is mutually exclusive with the -z -option.
-
-q
-
Suppress the printing of status messages.
-
-

Ticket granting ticket options:

-
-
-l lifetime -r time -pf
-
The ticket granting ticket options only apply to the case where -there are no appropriate tickets in the cache to authenticate the -source user. In this case if ksu is configured to prompt users -for a Kerberos password (GET_TGT_VIA_PASSWD is defined), the -ticket granting ticket options that are specified will be used -when getting a ticket granting ticket from the Kerberos server.
-
-l lifetime
-
(Time duration string.) Specifies the lifetime to be requested -for the ticket; if this option is not specified, the default ticket -lifetime (12 hours) is used instead.
-
-r time
-
(Time duration string.) Specifies that the renewable option -should be requested for the ticket, and specifies the desired -total lifetime of the ticket.
-
-p
-
specifies that the proxiable option should be requested for -the ticket.
-
-f
-
option specifies that the forwardable option should be -requested for the ticket.
-
-e command [args ...]
-

ksu proceeds exactly the same as if it was invoked without the --e option, except instead of executing the target shell, ksu -executes the specified command. Example of usage:

-
ksu bob -e ls -lag
-
-
-

The authorization algorithm for -e is as follows:

-

If the source user is root or source user == target user, no -authorization takes place and the command is executed. If source -user id != 0, and ~target_user/.k5users file does not exist, -authorization fails. Otherwise, ~target_user/.k5users file -must have an appropriate entry for target principal to get -authorized.

-

The .k5users file format:

-

A single principal entry on each line that may be followed by a -list of commands that the principal is authorized to execute. A -principal name followed by a * means that the user is -authorized to execute any command. Thus, in the following -example:

-
jqpublic@USC.EDU ls mail /local/kerberos/klist
-jqpublic/secure@USC.EDU *
-jqpublic/admin@USC.EDU
-
-
-

jqpublic@USC.EDU is only authorized to execute ls, -mail and klist commands. jqpublic/secure@USC.EDU is -authorized to execute any command. jqpublic/admin@USC.EDU is -not authorized to execute any command. Note, that -jqpublic/admin@USC.EDU is authorized to execute the target -shell (regular ksu, without the -e option) but -jqpublic@USC.EDU is not.

-

The commands listed after the principal name must be either a full -path names or just the program name. In the second case, -CMD_PATH specifying the location of authorized programs must -be defined at the compilation time of ksu. Which command gets -executed?

-

If the source user is root or the target user is the source user -or the user is authorized to execute any command (* entry) -then command can be either a full or a relative path leading to -the target program. Otherwise, the user must specify either a -full path or just the program name.

-
-
-a args
-

Specify arguments to be passed to the target shell. Note that all -flags and parameters following -a will be passed to the shell, -thus all options intended for ksu must precede -a.

-

The -a option can be used to simulate the -e option if -used as follows:

-
-a -c [command [arguments]].
-
-
-

-c is interpreted by the c-shell to execute the command.

-
-
-
-
-

INSTALLATION INSTRUCTIONS¶

-

ksu can be compiled with the following four flags:

-
-
GET_TGT_VIA_PASSWD
-
In case no appropriate tickets are found in the source cache, the -user will be prompted for a Kerberos password. The password is -then used to get a ticket granting ticket from the Kerberos -server. The danger of configuring ksu with this macro is if the -source user is logged in remotely and does not have a secure -channel, the password may get exposed.
-
PRINC_LOOK_AHEAD
-
During the resolution of the default principal name, -PRINC_LOOK_AHEAD enables ksu to find principal names in -the .k5users file as described in the OPTIONS section -(see -n option).
-
CMD_PATH
-
Specifies a list of directories containing programs that users are -authorized to execute (via .k5users file).
-
HAVE_GETUSERSHELL
-
If the source user is non-root, ksu insists that the target user’s -shell to be invoked is a “legal shell”. getusershell(3) is -called to obtain the names of “legal shells”. Note that the -target user’s shell is obtained from the passwd file.
-
-

Sample configuration:

-
KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"
-
-
-

ksu should be owned by root and have the set user id bit turned on.

-

ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., host/nii.isi.edu@ISI.EDU). The keytab -file must be in an appropriate location.

-
-
-

SIDE EFFECTS¶

-

ksu deletes all expired tickets from the source cache.

-
-
-

AUTHOR OF KSU¶

-

GENNADY (ARI) MEDVINSKY

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/kswitch.html b/doc/html/user/user_commands/kswitch.html deleted file mode 100644 index 4905bae..0000000 --- a/doc/html/user/user_commands/kswitch.html +++ /dev/null @@ -1,204 +0,0 @@ - - - - - - - - kswitch — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kswitch¶

-
-

SYNOPSIS¶

-

kswitch -{-c cachename|-p principal}

-
-
-

DESCRIPTION¶

-

kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available.

-
-
-

OPTIONS¶

-
-
-c cachename
-
Directly specifies the credential cache to be made primary.
-
-p principal
-
Causes the cache collection to be searched for a cache containing -credentials for principal. If one is found, that collection is -made primary.
-
-
-
-

ENVIRONMENT¶

-

kswitch uses the following environment variables:

-
-
KRB5CCNAME
-
Location of the default Kerberos 5 credentials (ticket) cache, in -the form type:residual. If no type prefix is present, the -FILE type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type DIR causes caches within the directory -to be present in the collection.
-
-
-
-

FILES¶

-
-
DEFCCNAME
-
Default location of Kerberos 5 credentials cache
-
-
-
-

SEE ALSO¶

-

kinit, kdestroy, klist), kerberos(1)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/kvno.html b/doc/html/user/user_commands/kvno.html deleted file mode 100644 index 73f23f3..0000000 --- a/doc/html/user/user_commands/kvno.html +++ /dev/null @@ -1,229 +0,0 @@ - - - - - - - - kvno — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

kvno¶

-
-

SYNOPSIS¶

-

kvno -[-c ccache] -[-e etype] -[-q] -[-h] -[-P] -[-S sname] -[-U for_user] -service1 service2 ...

-
-
-

DESCRIPTION¶

-

kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each.

-
-
-

OPTIONS¶

-
-
-c ccache
-
Specifies the name of a credentials cache to use (if not the -default)
-
-e etype
-
Specifies the enctype which will be requested for the session key -of all the services named on the command line. This is useful in -certain backward compatibility situations.
-
-q
-
Suppress printing output when successful. If a service ticket -cannot be obtained, an error message will still be printed and -kvno will exit with nonzero status.
-
-h
-
Prints a usage statement and exits.
-
-P
-
Specifies that the service1 service2 ... arguments are to be -treated as services for which credentials should be acquired using -constrained delegation. This option is only valid when used in -conjunction with protocol transition.
-
-S sname
-
Specifies that the service1 service2 ... arguments are -interpreted as hostnames, and the service principals are to be -constructed from those hostnames and the service name sname. -The service hostnames will be canonicalized according to the usual -rules for constructing service principals.
-
-U for_user
-
Specifies that protocol transition (S4U2Self) is to be used to -acquire a ticket on behalf of for_user. If constrained -delegation is not requested, the service name must match the -credentials cache client principal.
-
-
-
-

ENVIRONMENT¶

-

kvno uses the following environment variable:

-
-
KRB5CCNAME
-
Location of the credentials (ticket) cache.
-
-
-
-

FILES¶

-
-
DEFCCNAME
-
Default location of the credentials cache
-
-
-
-

SEE ALSO¶

-

kinit, kdestroy

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_commands/sclient.html b/doc/html/user/user_commands/sclient.html deleted file mode 100644 index 9b7a65c..0000000 --- a/doc/html/user/user_commands/sclient.html +++ /dev/null @@ -1,171 +0,0 @@ - - - - - - - - sclient — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

sclient¶

-
-

SYNOPSIS¶

-

sclient remotehost

-
-
-

DESCRIPTION¶

-

sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server sserver and -authenticates to it using Kerberos version 5 tickets, then displays -the server’s response.

-
-
-

SEE ALSO¶

-

kinit, sserver

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_config/index.html b/doc/html/user/user_config/index.html deleted file mode 100644 index 252d55d..0000000 --- a/doc/html/user/user_config/index.html +++ /dev/null @@ -1,153 +0,0 @@ - - - - - - - - User config files — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

User config files¶

-

The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host’s configuration):

-
- -
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_config/k5identity.html b/doc/html/user/user_config/k5identity.html deleted file mode 100644 index b8ceaa3..0000000 --- a/doc/html/user/user_config/k5identity.html +++ /dev/null @@ -1,202 +0,0 @@ - - - - - - - - .k5identity — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

.k5identity¶

-
-

DESCRIPTION¶

-

The .k5identity file, which resides in a user’s home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible.

-

Blank lines and lines beginning with # are ignored. Each line has -the form:

-
-
principal field=value ...
-

If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized:

-
-
realm
-
If the realm of the server principal is known, it is matched -against value, which may be a pattern using shell wildcards. -For host-based server principals, the realm will generally only be -known if there is a [domain_realm] section in -krb5.conf with a mapping for the hostname.
-
service
-
If the server principal is a host-based principal, its service -component is matched against value, which may be a pattern using -shell wildcards.
-
host
-

If the server principal is a host-based principal, its hostname -component is converted to lower case and matched against value, -which may be a pattern using shell wildcards.

-

If the server principal matches the constraints of multiple lines -in the .k5identity file, the principal from the first matching -line is used. If no line matches, credentials will be selected -some other way, such as the realm heuristic or the current primary -cache.

-
-
-
-
-

EXAMPLE¶

-

The following example .k5identity file selects the client principal -alice@KRBTEST.COM if the server principal is within that realm, -the principal alice/root@EXAMPLE.COM if the server host is within -a servers subdomain, and the principal alice/mail@EXAMPLE.COM when -accessing the IMAP service on mail.example.com:

-
alice@KRBTEST.COM       realm=KRBTEST.COM
-alice/root@EXAMPLE.COM  host=*.servers.example.com
-alice/mail@EXAMPLE.COM  host=mail.example.com service=imap
-
-
-
-
-

SEE ALSO¶

-

kerberos(1), krb5.conf

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/html/user/user_config/k5login.html b/doc/html/user/user_config/k5login.html deleted file mode 100644 index c8a7541..0000000 --- a/doc/html/user/user_config/k5login.html +++ /dev/null @@ -1,193 +0,0 @@ - - - - - - - - .k5login — MIT Kerberos Documentation - - - - - - - - - - - - - - - - - -
-
- - -

MIT Kerberos Documentation

- -
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- -
-
-
- -
-
-
- -
-

.k5login¶

-
-

DESCRIPTION¶

-

The .k5login file, which resides in a user’s home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root’s home directory, thereby granting system -administrators remote root access to the host via Kerberos.

-
-
-

EXAMPLES¶

-

Suppose the user alice had a .k5login file in her home directory -containing just the following line:

-
bob@FOOBAR.ORG
-
-
-

This would allow bob to use Kerberos network applications, such as -ssh(1), to access alice‘s account, using bob‘s Kerberos -tickets. In a default configuration (with k5login_authoritative set -to true in krb5.conf), this .k5login file would not let -alice use those network applications to access her account, since -she is not listed! With no .k5login file, or with k5login_authoritative -set to false, a default rule would permit the principal alice in the -machine’s default realm to access the alice account.

-

Let us further suppose that alice is a system administrator. -Alice and the other system administrators would have their principals -in root’s .k5login file on each host:

-
alice@BLEEP.COM
-
-joeadmin/root@BLEEP.COM
-
-
-

This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because bob retains the Kerberos tickets for -his own principal, bob@FOOBAR.ORG, he would not have any of the -privileges that require alice‘s tickets, such as root access to -any of the site’s hosts, or the ability to change alice‘s -password.

-
-
-

SEE ALSO¶

-

kerberos(1)

-
-
- - -
-
-
-
-
-

On this page

- - -
-

Table of contents

- - -
-

Full Table of Contents

-

Search

-
- - - - -
-
-
-
-
- -
-
-
Release: 1.15.2
- © Copyright 1985-2017, MIT. -
-
- - Contents | - previous | - next | - index | - Search | - feedback -
-
-
- - - \ No newline at end of file diff --git a/doc/iprop-notes.txt b/doc/iprop-notes.txt index 8efee36..722b039 100644 --- a/doc/iprop-notes.txt +++ b/doc/iprop-notes.txt @@ -5,15 +5,15 @@ Bugs or issues: The "full resync" part of the protocol involves the master side firing off a normal kprop (and going back to servicing requests), and the -slave side stopping all the incremental propagation stuff and waiting -for the kprop. If the connection from the master never comes in for -some reason, the slave side just blocks forever, and never resumes -incremental propagation. +replica side stopping all the incremental propagation stuff and +waiting for the kprop. If the connection from the master never comes +in for some reason, the replica side just blocks forever, and never +resumes incremental propagation. The protocol does not currently pass policy database changes; this was an intentional decision on Sun's part. The policy database is only relevant to the master KDC, and is usually fairly static (aside from -refcount updates), but not propagating it does mean that a slave +refcount updates), but not propagating it does mean that a replica maintained via iprop can't simply be promoted to a master in disaster recovery or other cases without doing a full propagation or restoring a database from backups. @@ -29,17 +29,17 @@ the update log as well; etc. At least initially, we wouldn't treat it as a differently-named database; the installation of the hooks would be done by explicitly checking if iprop is enabled, etc. -The "iprop role" is assumed to be either master or slave. The master -writes a log, and the slave fetches it. But what about a cascade -propagation model where A sends to B which sends to C, perhaps because -A's bandwidth is highly limited, or B and C are co-located? In such a -case, B would want to operate in both modes. Granted, with iprop the -bandwidth issues should be less important, but there may still be -reasons one may wish to run in such a configuration. +The "iprop role" is assumed to be either master or replica. The +master writes a log, and the replica fetches it. But what about a +cascade propagation model where A sends to B which sends to C, perhaps +because A's bandwidth is highly limited, or B and C are co-located? +In such a case, B would want to operate in both modes. Granted, with +iprop the bandwidth issues should be less important, but there may +still be reasons one may wish to run in such a configuration. The propagation of changes does not happen in real time. It's not a -"push" protocol; the slaves poll periodically for changes. Perhaps a -future revision of the protocol could address that. +"push" protocol; the replicas poll periodically for changes. Perhaps +a future revision of the protocol could address that. kadmin/cli/kadmin.c call to kadm5_init_iprop - is this needed in client-side program? Should it be done in libkadm5srv instead as part @@ -67,18 +67,18 @@ db changes, which locking protocols should deal with anyways, (b) existing acl code, (c) existing server process? The incremental propagation protocol requires an ACL entry on the -master, listing the slave. Since the full-resync part uses normal -kprop, the slave also has to have an ACL entry for the master. If +master, listing the replica. Since the full-resync part uses normal +kprop, the replica also has to have an ACL entry for the master. If this is missing, I suspect the behavior will be that every two -minutes, the master side will (at the prompting of the slave) dump out -the database and attempt a full propagation. +minutes, the master side will (at the prompting of the replica) dump +out the database and attempt a full propagation. Possible optimizations: If an existing dump file has a recent enough serial number, just send it, without dumping again? Use just one dump -file instead of one per slave? +file instead of one per replica? -Requiring normal kprop means the slave still can't be behind a NAT or -firewall without special configuration. The incremental parts can +Requiring normal kprop means the replica still can't be behind a NAT +or firewall without special configuration. The incremental parts can work in such a configuration, so long as outgoing TCP connections are allowed. @@ -100,13 +100,13 @@ Would it be overkill to come up with a way to configure host+port for kpropd on the master? Preferably in a way that'd support cascading propagations. -The kadmind process, when it needs to run kprop, extracts the slave +The kadmind process, when it needs to run kprop, extracts the replica host name from the client principal name. It assumes that the principal name will be of the form foo/hostname@REALM, and looks specifically for the "/" and "@" to chop up the string form of the name. If looking up that name won't give a working IPv4 address for -the slave, kprop will fail (and kpropd will keep waiting, incremental -updates will stop, etc). +the replica, kprop will fail (and kpropd will keep waiting, +incremental updates will stop, etc). Mapping between file offsets and structure addresses, we should be careful about alignment. We're probably okay on current platforms, diff --git a/doc/mitK5defaults.rst b/doc/mitK5defaults.rst index 443bcc5..65d904e 100644 --- a/doc/mitK5defaults.rst +++ b/doc/mitK5defaults.rst @@ -29,22 +29,22 @@ Password change port 464 ========================================== ============================= ==================== -Slave KDC propagation defaults ------------------------------- +Replica KDC propagation defaults +-------------------------------- This table shows defaults used by the :ref:`kprop(8)` and :ref:`kpropd(8)` programs. -========================== ============================== =========== -Description Default Environment -========================== ============================== =========== -kprop database dump file |kdcdir|\ ``/slave_datatrans`` +========================== ================================ =========== +Description Default Environment +========================== ================================ =========== +kprop database dump file |kdcdir|\ ``/replica_datatrans`` kpropd temporary dump file |kdcdir|\ ``/from_master`` kdb5_util location |sbindir|\ ``/kdb5_util`` kprop location |sbindir|\ ``/kprop`` kpropd ACL file |kdcdir|\ ``/kpropd.acl`` -kprop port 754 KPROP_PORT -========================== ============================== =========== +kprop port 754 KPROP_PORT +========================== ================================ =========== .. _paths: diff --git a/doc/mitK5features.rst b/doc/mitK5features.rst index b4e4b8b..584f7b8 100644 --- a/doc/mitK5features.rst +++ b/doc/mitK5features.rst @@ -10,7 +10,7 @@ MIT Kerberos features ===================== -http://web.mit.edu/kerberos +https://web.mit.edu/kerberos Quick facts @@ -19,8 +19,8 @@ Quick facts License - :ref:`mitK5license` Releases: - - Latest stable: http://web.mit.edu/kerberos/krb5-1.15/ - - Supported: http://web.mit.edu/kerberos/krb5-1.14/ + - Latest stable: https://web.mit.edu/kerberos/krb5-1.17/ + - Supported: https://web.mit.edu/kerberos/krb5-1.16/ - Release cycle: 9 -- 12 months Supported platforms \/ OS distributions: @@ -31,9 +31,9 @@ Supported platforms \/ OS distributions: Crypto backends: - builtin - MIT Kerberos native crypto library - - OpenSSL (1.0\+) - http://www.openssl.org + - OpenSSL (1.0\+) - https://www.openssl.org -Database backends: LDAP, DB2 +Database backends: LDAP, DB2, LMDB krb4 support: Kerberos 5 release < 1.8 @@ -85,7 +85,7 @@ Starting from release 1.8: Feature list ------------ -For more information on the specific project see http://k5wiki.kerberos.org/wiki/Projects +For more information on the specific project see https://k5wiki.kerberos.org/wiki/Projects Release 1.7 - Credentials delegation :rfc:`5896` @@ -96,9 +96,9 @@ Release 1.7 Release 1.8 - Anonymous PKINIT :rfc:`6112` :ref:`anonymous_pkinit` - Constrained delegation - - IAKERB http://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 + - IAKERB https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02 - Heimdal bridge plugin for KDC backend - - GSS-API S4U extensions http://msdn.microsoft.com/en-us/library/cc246071 + - GSS-API S4U extensions https://msdn.microsoft.com/en-us/library/cc246071 - GSS-API naming extensions :rfc:`6680` - GSS-API extensions for storing delegated credentials :rfc:`5588` @@ -132,37 +132,37 @@ Release 1.12 - Plugin to control krb5_aname_to_localname and krb5_kuserok behavior :ref:`localauth_plugin` - Plugin to control hostname-to-realm mappings and the default realm :ref:`hostrealm_plugin` - GSSAPI extensions for constructing MIC tokens using IOV lists :ref:`gssapi_mic_token` - - Principal may refer to nonexistent policies `Policy Refcount project `_ - - Support for having no long-term keys for a principal `Principals Without Keys project `_ + - Principal may refer to nonexistent policies `Policy Refcount project `_ + - Support for having no long-term keys for a principal `Principals Without Keys project `_ - Collection support to the KEYRING credential cache type on Linux :ref:`ccache_definition` - FAST OTP preauthentication module for the KDC which uses RADIUS to validate OTP token values :ref:`otp_preauth` - - Experimental Audit plugin for KDC processing `Audit project `_ + - Experimental Audit plugin for KDC processing `Audit project `_ Release 1.13 - Add support for accessing KDCs via an HTTPS proxy server using the `MS-KKDCP - `_ + `_ protocol. - Add support for `hierarchical incremental propagation - `_, - where slaves can act as intermediates between an upstream master - and other downstream slaves. + `_, + where replicas can act as intermediates between an upstream master + and other downstream replicas. - Add support for configuring GSS mechanisms using ``/etc/gss/mech.d/*.conf`` files in addition to ``/etc/gss/mech``. - Add support to the LDAP KDB module for `binding to the LDAP server using SASL - `_. + `_. - The KDC listens for TCP connections by default. - Fix a minor key disclosure vulnerability where using the "keepold" option to the kadmin randkey operation could return the old keys. `[CVE-2014-5351] - `_ + `_ - Add client support for the Kerberos Cache Manager protocol. If the host is running a Heimdal kcm daemon, caches served by the daemon can be accessed with the KCM: cache type. - - When built on OS X 10.7 and higher, use "KCM:" as the default + - When built on macOS 10.7 and higher, use "KCM:" as the default cachetype, unless overridden by command-line options or krb5-config values. - Add support for doing unlocked database dumps for the DB2 KDC @@ -255,9 +255,9 @@ Release 1.14 * Performance: - - On slave KDCs, poll the master KDC immediately after processing a - full resync, and do not require two full resyncs after the master - KDC's log file is reset. + - On replica KDCs, poll the master KDC immediately after processing + a full resync, and do not require two full resyncs after the + master KDC's log file is reset. Release 1.15 @@ -309,6 +309,168 @@ Release 1.15 - Add support for the AES-SHA2 enctypes, which allows sites to conform to Suite B crypto requirements. +Release 1.16 + +* Administrator experience: + + - The KDC can match PKINIT client certificates against the + "pkinit_cert_match" string attribute on the client principal + entry, using the same syntax as the existing "pkinit_cert_match" + profile option. + + - The ktutil addent command supports the "-k 0" option to ignore the + key version, and the "-s" option to use a non-default salt string. + + - kpropd supports a --pid-file option to write a pid file at + startup, when it is run in standalone mode. + + - The "encrypted_challenge_indicator" realm option can be used to + attach an authentication indicator to tickets obtained using FAST + encrypted challenge pre-authentication. + + - Localization support can be disabled at build time with the + --disable-nls configure option. + +* Developer experience: + + - The kdcpolicy pluggable interface allows modules control whether + tickets are issued by the KDC. + + - The kadm5_auth pluggable interface allows modules to control + whether kadmind grants access to a kadmin request. + + - The certauth pluggable interface allows modules to control which + PKINIT client certificates can authenticate to which client + principals. + + - KDB modules can use the client and KDC interface IP addresses to + determine whether to allow an AS request. + + - GSS applications can query the bit strength of a krb5 GSS context + using the GSS_C_SEC_CONTEXT_SASL_SSF OID with + gss_inquire_sec_context_by_oid(). + + - GSS applications can query the impersonator name of a krb5 GSS + credential using the GSS_KRB5_GET_CRED_IMPERSONATOR OID with + gss_inquire_cred_by_oid(). + + - kdcpreauth modules can query the KDC for the canonicalized + requested client principal name, or match a principal name against + the requested client principal name with canonicalization. + +* Protocol evolution: + + - The client library will continue to try pre-authentication + mechanisms after most failure conditions. + + - The KDC will issue trivially renewable tickets (where the + renewable lifetime is equal to or less than the ticket lifetime) + if requested by the client, to be friendlier to scripts. + + - The client library will use a random nonce for TGS requests + instead of the current system time. + + - For the RC4 string-to-key or PAC operations, UTF-16 is supported + (previously only UCS-2 was supported). + + - When matching PKINIT client certificates, UPN SANs will be matched + correctly as UPNs, with canonicalization. + +* User experience: + + - Dates after the year 2038 are accepted (provided that the platform + time facilities support them), through the year 2106. + + - Automatic credential cache selection based on the client realm + will take into account the fallback realm and the service + hostname. + + - Referral and alternate cross-realm TGTs will not be cached, + avoiding some scenarios where they can be added to the credential + cache multiple times. + + - A German translation has been added. + +* Code quality: + + - The build is warning-clean under clang with the configured warning + options. + + - The automated test suite runs cleanly under AddressSanitizer. + +Release 1.17 + +* Administrator experience: + + - A new Kerberos database module using the Lightning Memory-Mapped + Database library (LMDB) has been added. The LMDB KDB module + should be more performant and more robust than the DB2 module, and + may become the default module for new databases in a future + release. + + - "kdb5_util dump" will no longer dump policy entries when specific + principal names are requested. + +* Developer experience: + + - The new krb5_get_etype_info() API can be used to retrieve enctype, + salt, and string-to-key parameters from the KDC for a client + principal. + + - The new GSS_KRB5_NT_ENTERPRISE_NAME name type allows enterprise + principal names to be used with GSS-API functions. + + - KDC and kadmind modules which call com_err() will now write to the + log file in a format more consistent with other log messages. + + - Programs which use large numbers of memory credential caches + should perform better. + +* Protocol evolution: + + - The SPAKE pre-authentication mechanism is now supported. This + mechanism protects against password dictionary attacks without + requiring any additional infrastructure such as certificates. + SPAKE is enabled by default on clients, but must be manually + enabled on the KDC for this release. + + - PKINIT freshness tokens are now supported. Freshness tokens can + protect against scenarios where an attacker uses temporary access + to a smart card to generate authentication requests for the + future. + + - Password change operations now prefer TCP over UDP, to avoid + spurious error messages about replays when a response packet is + dropped. + + - The KDC now supports cross-realm S4U2Self requests when used with + a third-party KDB module such as Samba's. The client code for + cross-realm S4U2Self requests is also now more robust. + +* User experience: + + - The new ktutil addent -f flag can be used to fetch salt + information from the KDC for password-based keys. + + - The new kdestroy -p option can be used to destroy a credential + cache within a collection by client principal name. + + - The Kerberos man page has been restored, and documents the + environment variables that affect programs using the Kerberos + library. + +* Code quality: + + - Python test scripts now use Python 3. + + - Python test scripts now display markers in verbose output, making + it easier to find where a failure occurred within the scripts. + + - The Windows build system has been simplified and updated to work + with more recent versions of Visual Studio. A large volume of + unused Windows-specific code has been removed. Visual Studio 2013 + or later is now required. + `Pre-authentication mechanisms` - PW-SALT :rfc:`4120#section-5.2.7.3` @@ -318,12 +480,13 @@ Release 1.15 - PKINIT with FAST on client (release 1.10) :rfc:`6113` - PKINIT :rfc:`4556` - FX-COOKIE :rfc:`6113#section-5.2` -- S4U-X509-USER (release 1.8) http://msdn.microsoft.com/en-us/library/cc246091 +- S4U-X509-USER (release 1.8) https://msdn.microsoft.com/en-us/library/cc246091 - OTP (release 1.12) :ref:`otp_preauth` +- SPAKE (release 1.17) :ref:`spake` `PRNG` - modularity (release 1.9) - Yarrow PRNG (release < 1.10) -- Fortuna PRNG (release 1.9) http://www.schneier.com/book-practical.html +- Fortuna PRNG (release 1.9) https://www.schneier.com/book-practical.html - OS PRNG (release 1.10) OS's native PRNG diff --git a/doc/notice.rst b/doc/notice.rst index e8cb4b4..9f9ff2c 100644 --- a/doc/notice.rst +++ b/doc/notice.rst @@ -1,4 +1,4 @@ -Copyright |copy| 1985-2017 by the Massachusetts Institute of Technology. +Copyright |copy| 1985-2019 by the Massachusetts Institute of Technology. All rights reserved. @@ -39,7 +39,7 @@ nationals of those countries. Documentation components of this software distribution are licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License. -(http://creativecommons.org/licenses/by-sa/3.0/) +(https://creativecommons.org/licenses/by-sa/3.0/) Individual source code files are copyright MIT, Cygnus Support, Novell, OpenVision Technologies, Oracle, Red Hat, Sun Microsystems, @@ -304,8 +304,8 @@ the following new or changed files: lib/kdb/kdb_log.c lib/kdb/kdb_log.h lib/krb5/error_tables/kdb5_err.et - slave/kpropd_rpc.c - slave/kproplog.c + kprop/kpropd_rpc.c + kprop/kproplog.c are subject to the following license: @@ -561,7 +561,7 @@ Marked test programs in src/lib/krb5/krb have the following copyright: ------------------- -The KCM Mach RPC definition file used on OS X has the following copyright: +The KCM Mach RPC definition file used on macOS has the following copyright: | Copyright |copy| 2009 Kungliga Tekniska Högskola | (Royal Institute of Technology, Stockholm, Sweden). @@ -1237,3 +1237,50 @@ The following notice applies to STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +------------------- + +The following notice applies to portions of +``src/plugins/preauth/spake/edwards25519.c`` and +``src/plugins/preauth/spake/edwards25519_tables.h``: + +The MIT License (MIT) + +Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file). + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to +deal in the Software without restriction, including without limitation the +rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +sell copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +IN THE SOFTWARE. + +------------------- + +The following notice applies to portions of +``src/plugins/preauth/spake/edwards25519.c``: + +Copyright (c) 2015-2016, Google Inc. + +Permission to use, copy, modify, and/or distribute this software for any +purpose with or without fee is hereby granted, provided that the above +copyright notice and this permission notice appear in all copies. + +THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY +SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION +OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN +CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. diff --git a/doc/pdf/GMakefile b/doc/pdf/GMakefile deleted file mode 100644 index 6b87ad8..0000000 --- a/doc/pdf/GMakefile +++ /dev/null @@ -1,66 +0,0 @@ -# Makefile for Sphinx LaTeX output - -ALLDOCS = $(basename $(wildcard *.tex)) -ALLPDF = $(addsuffix .pdf,$(ALLDOCS)) -ALLDVI = $(addsuffix .dvi,$(ALLDOCS)) - -# Prefix for archive names -ARCHIVEPRREFIX = -# Additional LaTeX options -LATEXOPTS = - -all: $(ALLPDF) -all-pdf: $(ALLPDF) -all-dvi: $(ALLDVI) -all-ps: all-dvi - for f in *.dvi; do dvips $$f; done - -all-pdf-ja: - for f in *.pdf *.png *.gif *.jpg *.jpeg; do extractbb $$f; done - for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done - for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done - for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done - -for f in *.idx; do mendex -U -f -d "`basename $$f .idx`.dic" -s python.ist $$f; done - for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done - for f in *.tex; do platex -kanji=utf8 $(LATEXOPTS) $$f; done - for f in *.dvi; do dvipdfmx $$f; done - -zip: all-$(FMT) - mkdir $(ARCHIVEPREFIX)docs-$(FMT) - cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) - zip -q -r -9 $(ARCHIVEPREFIX)docs-$(FMT).zip $(ARCHIVEPREFIX)docs-$(FMT) - rm -r $(ARCHIVEPREFIX)docs-$(FMT) - -tar: all-$(FMT) - mkdir $(ARCHIVEPREFIX)docs-$(FMT) - cp $(ALLPDF) $(ARCHIVEPREFIX)docs-$(FMT) - tar cf $(ARCHIVEPREFIX)docs-$(FMT).tar $(ARCHIVEPREFIX)docs-$(FMT) - rm -r $(ARCHIVEPREFIX)docs-$(FMT) - -bz2: tar - bzip2 -9 -k $(ARCHIVEPREFIX)docs-$(FMT).tar - -# The number of LaTeX runs is quite conservative, but I don't expect it -# to get run often, so the little extra time won't hurt. -%.dvi: %.tex - latex $(LATEXOPTS) '$<' - latex $(LATEXOPTS) '$<' - latex $(LATEXOPTS) '$<' - -makeindex -s python.ist '$(basename $<).idx' - latex $(LATEXOPTS) '$<' - latex $(LATEXOPTS) '$<' - -%.pdf: %.tex - pdflatex $(LATEXOPTS) '$<' - pdflatex $(LATEXOPTS) '$<' - pdflatex $(LATEXOPTS) '$<' - -makeindex -s python.ist '$(basename $<).idx' - pdflatex $(LATEXOPTS) '$<' - pdflatex $(LATEXOPTS) '$<' - -clean: - rm -f *.dvi *.log *.ind *.aux *.toc *.syn *.idx *.out *.ilg *.pla - -.PHONY: all all-pdf all-dvi all-ps clean -.PHONY: all-pdf-ja - diff --git a/doc/pdf/admin.pdf b/doc/pdf/admin.pdf deleted file mode 100644 index a17fe9cf01d16dee67e61f1c7d9172b77e016a7c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 743212 zcmce<2|SeT_dni3WGN{{q-kFWv(H$Ptq3J+vSb@e_C18MMxw=%NR%a6qol|ZSrUqh z$Wn^RmL#J1UH6zVV|(WLe4qLMpV#wxO*3Y$``qW8>s;@%-aAxe5AK5tp;&gjeEqDM z1r8H|*&3aKiHoxcD-mqWoXlZ36cRT5AB*ro3o9pr15Eg!m7xpEY07keSs zwq*WV;?7?j?KT{X!%D_At!@34Wy9HKIr8zyUxNAj#6OQDR$#Fj9lEPB#Uw?W9=p7k zkhs&6VEc9;-KIw4!M9&MVn_9zYbTPNxAjgXK7G<(aFk{IPV2=9iFen6Rv6|=7EfHX zRC0^Q9DLO+jE()}IU4`s$=epDNIjijO!DH4Y8JPXjl0^4ESbJ0>A%8@B%B(p)zJuVw67OB#BT(yZgAM3bTi;B`@}$P*2R;V!j)YGGL}ic&!ivN z^rVfs@jqlrN!I$?G}hhqMP1&q>~Bnwb4pj9eOaD|W2tVh|MjMkt#*17^>MFae>~=W zq*(vv!4#`=xUkP7shpL23=T6GF>tPu-OsVnfZ_hHW+p^f*Y)MmtG62@s%!5u2;Y6e zKDe^9Q2Ow*5SBfP4KG4=aHF}=Nbw56+h2C`1)5J0dYzxz zM{|dmZ!yf7JeixNd_RmU_-uarx#xOl#<;H9jn5k)u~pLS2uH? zuPNWoDZ4Y8hpmRCf_tX`Pg!BQkQfcmu%1$*pS5n;+<#)3ZU+j0cVDWt zy`>-h;kY~*JCagv_IKrww)f!?ZSP=hhqpJ4BEg5JcRRe@T>2$;;kke2e3axj5tzK4#Wj^s8$4CMW(t0rYYH9(-ZlnLeJ>B5y4Dmt zrGD~HpqId;jMfG>A^5?pblApnkHcSNxPp*~hO7qJe3)5y9+MEmi zpdTXrC-5d?v2Nt49~U%KHVti#4fc5UJ>lbNz7K%~O23$g^)#?*+6 z9bM*W{N-(>XYt_s5u{UJSkGSpXD^8-FDYYd<3zA=a-3NRE<$r91T}GRBzY+*6B7&QT836I2ZAZV zfnZ}ypjsET$hzcPp1mrTyec5j)WXc!Vfvs08^Beff?GEzzj{SEo@+p1P2!jYRy2>k|I(FMa_KFj1<+Z3|)xJQ)osl zCPxa*=vj-+NK$@=DG=R&W~xPLiw`qv(HZeUw=QepXl(03aB!R1V`$nE#8R(^o{^xe zp_8GJp(6oi=U{7RXhz%=lw}u_7kP`#Vk3G+S~H6h1!Ms%)tq%{2?#Y?doeQtvYZyV ztsP_+DE!3G5)x{*24iM~1V|;o4%#|c8#>M0HinjTP_xw(Gb0@p2MZfx3p+zA3Taqc zqCw48M(m7eRBWv*j4i0F6Lv9ikW~>SG)on+GXep0xd20FM!gtq8O%~a+>8v4+7YJZ z3GMdj{Yc*LCM0c|VI_{XU}h;MZbmTkuc9O?r2?CO1=_;GQL8>~Mp!byLOJdunkbl| zGq5W*P8Ph{@Y`mbSn}W+W_SY;5an;{>y^HMX>Mrfdwj2rY41Hm}JS806p6hz$rilx(?XD;7GDI z1bAxt99`@>i-H)+b!Hg}I0eT**Ks5`Ior{=!eSC9>*$>IXXH(-PcwMK)dF~=z;f6S zZH1AcvE@Dhc`1Bb6zPz!Hp>{nDL_Zcjv^TdZx9?P79LI$)?nxC3JR`KB)Ea|mwGK) zlEu#10Tl2e18rBBnkB)Na>F#y3wDmuqh>bjA%YWeL&+XdgIU-R^@Zpr7~48H03U$r z8jFdLtR&buN{?Dlh;Fvd4lq*-2ZAf`NMHa(y4pHe!iW-`k*_A2a@j>O4_TJ8%s!j~ zc_3Ui8(>o{N^1k-=7^FC^bkx9ovoavF)!7Mv;>NqBTx$1QL+Um2=QpLb+B-seKNsm zLLS^4$x<+nij_08u(hp;vlU@6PAm$7$n2eU@WCksyB(V4_HvvuoNm4epHg49o&Wgk(RQ zW)`1e2SS9V1mUwKh@b*S#PuwoNDp-0&x$Niu0RtV0qSRo5kY}RM}fvUKnpv9020YH zpjvq`lR6{H*<7JOq8V=rHXU1lAQ3o?sFtR=8Ry1pC^$%MI%+_L<%k!dEKU>qz!7ug zNdZ6e7dJKpx(;@{)m%f4pc%>m*O|3D5r~=dQ&n6-r?aAJ+ksdaKuyfdTi zh&fWFK%S#uX$K1vBBrK7KSl&|Ll+BM2MVKT!XI!0vpfw11^=ix*t!ryThL{Ie>4jW zA!r72z{<1mA%cR2)a*de4A@v02vJc$wFwj{qL98QJetwX*_@}KBRSxNxe=ofbL{|% z=3bo}o1@?%uqx520Kf%sguOHHX($ILVo}61Bh5L1Is^sus1Y2Y2qMH|a4cI*2XQHk zKrgmQsg|D23JUO%F}JmKgyaX}v(wZ=@h(GhT#o7@G`H)Vz#M{tg~$iov~%QQ=wM-J zL>;+B(8NP<Il(Xl1rCv!LOhee5i<91M$kq1)KybyD%I!fc3Wa7i&+NTP z0YXwx+;%1`2=T|v!H_CWjGzsLFtbq>f&zu6LxdEqqm6zrbL=<;{YwxQ9&wzG zSy1kDQP457cV|n00y&g{Z#3hNlQ1jgj6%{z9CLypNDAUOM6dzy5d<}-kudeDG>@k_ zVG$$+V$9@pAUi`&aV&HVn%iYgtOQ8`8^ALl`u^bbFrQ9SY1mkt-e+ZDNq{-JIXV%j zj2n_R=$Ngs)S$z~!ok)Civ7aoAA!h4k;jZsXDcrScc?qqIzz`PILRRgm7*uKA;%nN z9Z7*4>JEm$-vAp7ii1-vNmG{i+4dMoff`ES(0~F90GU!BMM(5wvLoL)Vpc32Nx>CT zCN7X$WC8+Cb{57|Dn}DfAm%vwND7{qi9UkhBa|c2FaptZXBgxO!*q9BIU8G;=8lRPK~nSqM%}iAG0k51yX1NWCc0oRu(pvRNPn; zNX(Ep$8APZpoEsWg%iQf5Com67hFtYR140&X9|2!cLqSjf;!2DqzM=ha~xzO1u!hC z{Irn6ULg=Dq0Z4DDab*=#)NR1B9O&!gANi8WnEN3&6I_c9#x435>HCCP}f?a0Y(41 z)=Ir56x3Q3_6QU*ZSOAWWZEtgdO}}>;i=F6xQyTgrZQaehj7(+IL$B&R``K66N9YOX^|fczTDNEA*?zp8nv>CA zE^?x>H|L9f>}fsI9!ndKH&b!~9($jsFu0Z5nR$m{#L!n%`ho}gG~*KOU+oyYOd-|}`KgY0ik91nMMJi2R@{J@@lKeqM`tntjfkb9xFRj2h` z&0}#*eeU3)6dkLA?t^a%Pj@L_ZB5>N)ac7M`=MVan#?Y|mv+D4U)BF=Qm3v{gglaJdoYDcu@wVUO=i`v!euPP+Voyb}r`CHNw*=~>Xia6{a79Hcit-C~V zYb5fJc~|x?DS3APIJ}jn(g8!&z!W81pMN8_th8U5{+Df12LcZVJ`p)9dfqNaJ%FWO z@p@HJd0%~zJ)?!ts^~<+!ewzHN6x0`W-#TlS;{tS+SlAtr4^2c<%a>3w5crRql@q>B`%R-hPWa9 zhL>{H*HG_U81&b6mZ7le5Xl?tHF{~xA{p1E5X7&71BP1EpQmZBwn4EvDni@4Ww?)>q z4RgiGCDm=cc+YLS#=2@ueD$r>=r`thdvKc)S8Tl^I6m5C%%rQ8yQIyrLs$sZ06s*% z`f2N4F}U09RmvpdwROW~(2P-$ld2jrz ztmUn{QR39!lM3HP^M?1Hm$5lHa`Ro8=`U86tp49+%sctv3~tRF0)H|B)mmLgw-?YdrHryZi9o$#2|Jn(|!oT7-MhqMKC(Ivg z9p11F6agNMsi`-gM4{Zx3tSy0vf*|fcz#Kg^i|Y}EQQ;n6&F%_>|I})?Efq|lvQ2u zUSeWo_)bvSJ;k&EUQf}1QxbiTT{mUy*1M{qk+H1}-C>fk*0}YA zq_?m32Kb(aBLp`3K4MTioy@SdTkzM51`+%V{Odhvr~8NFFC9q^-W3piF51I%nOZe_ zBqAhTwev+G8yC;Yc*S=m4VtVLLC3igxe^1UnJQEr_ebhawXrt|J-Vg%Nya#AO#mV+ zs^q;fDrhIaR!OSu)|}+%%D3JF_A3g%cLYcn7b)(JwHFSQj65B3 z?A~kRG2`fm!e@ zda1>1HmefL;A1}-J;GbrX_mRcrC``XO!3^K?&rqkFIde2+g@bYo``RMKc2jDJa6pE zu0O2bzWFJYf6!-HKakYd^3}^6%++3(8fAr+ zo3NMXY-tVrGx4VIUfHc?--~NT#@Y+F;9s|$l*Fzsk}ND|n$RE=fBb64Q!u9D-NA3> z>ROvn(AQ-*xyE?&L~Co~!@i!=Uobb#y}@*m6NRb~EW zGFm@$GcaW^hROeYPup)#_p2*%R}$7f|1{EJFW$eZ?4gpk#$n~ty8YFFIn89Oq><3Xe%yzyGA}*Q=fzy(V!LFRF5P z-WzyX*=XPT%wDYU**n!#jXbN?H-fAFZXRSaD=gHPag^|1?=^0@R|hq6OTRWUDLU@+ z(G^YBm((9Bhzi?iKlXmu^&k%3qU6ZMxtHs(!M6N0R*bx>V_9tog(dHAt?$EWEsuI( zaZaH0!m`s+eP<=^yk-%~$aUmnJmcV<-=hui-UhTHfR z>&HjFDzCC&gS*2cxqmAkVVg{b9XwgF#y2Km@=-afcbohqQnn9v^ZtFcX>uw2A$+k6n7R%2wFRN*jSHmBEqr1 z*>>BQ`;i?1e;mK4>3gmaSNt$&?J=BY(f`u6+S8~c;}br@Q~yWo^GV@N@VB=qYX(U-b~mCwDgf)IcZ~gLj??<&N!*KYPL7l#_YX5w-DGEmmArLN=RR-*PmWC)nhA z>5fJ=0-{z0yj%e9b~UnXi8j4+)goYLwCQp1&KgmBVn<`TGorR-dth12W!AqB(22Rhq0B#U`M1Gkx0AKj0!*(`k8{gm0%QbuQ3%tDrf zl(3&|Ie>rvZ!JfpqHU`PTjk*7y7q(vu2n{gIb5sdmR7Hh50uDWUzVAg;j(n2nB5hb z;=f7_hzz4ZhCk8nm%_gm+wA{)=KVFB(=NQfcLaGq8n)Y{^Kegb|It^q%INz|w|j*< zZuIK*Jn6|As<$`a+_s}=-{!l4lXkzw*}cBBKD6xlb7yLG&cMjaVUFfqMV=1cn2v9f zF$@RAHwoEZ4cuIDmFuWx$UujU_~w8~%UCZ3PPoLKiA=swj?eg(IN@nR>67@$3fGWs$NPWbE;iynvxfTD z)t84gHGZuvZMWxa>!`fp5gi%rFkU42_;k%4!BG5};JD3_Pj2ce#i|6 zqxkU`A%%gig5*bGx*eY1lOEl|*9-S|{KbXcc-w&;xgn0x!Bj%=$E(Uu z*PV|V!Vl#X?bLtU@xk4l=Ol-4FE4jiFQI6Mes@%f!j6*6mzj>)mf06fqnkJ;+`jG| zTz5JGn`0oEe&g`3Z33CB4i(N)b&rIquJ`&Bc0Gn|(A{8C<}8(`yWx{VCTsH>-L=_T zZe95r?IlJL4;l17Un~^0{q)9dTUH&fn{#_r+VDaB8`vM;3NLH*T(rUo8{&nJIq2gu zKNeonax42C6wvN(Wg2b3=g%m%qhN(jytQ4(cAay|ZX1v5sD`d+7f|@kb0;bBz0wNI zjg(ggjoKUE*IZ)9%PYDtx+q{i?GeaP%(l#7Z)ShTk#fB&@KNwb?00^F;Nr93U&0%+ zxtfjtlS<60i$BC$XDaf9glcz_D&9p`s-3CS)ulQvMONoP+p;= zL-oWqE$~u1u?<@&X}7;;u&YMR^rx}+^CYiFCI^d+0$fq`=RG}t#PU>Hn(`HQO&;MsexOsp~(|<3~}R9*h+-zcuoYJa7-~xvt4=EQ3jZG!dV*^8$>1;{i}g3mQHt`m~J?gwMV)iz4NucntzMsHx&=%vKGs=nW@S$ z{SUUj))xRTdtd9vfWHl^cx0@4&@>?3|3L1}lec~?mezNkkH^hYvrqZhR2vf*XlZ z^AJ~h^4qL6(P7hu^xoqk=n#JAh*ekE!ZeS#=bd@0m+aZXW^s#iN-^Tmuj{=L67C;sRl zxFhfn5W+xW0BI1#P&@-fU{S<`f+`f&5LR)pHC7`y!E^v4WDmlG)d{DaVAPbL$O!}D zqNMIJIDYyZgTZKHV5Ew?mWYa7528eB`4Z#Zj34HU1tmg_vlkT0G#RtRf)atsdjBtC zL6HkL$lRSK0I-LKSf(#YZnc}kyIEW#M~7!|4FU2J|ML9rk5Trxjp2aKf6?o{sqKuF zsCKJ@Hk&-&js^)16}~uw__J42I=mQ}jkaB{fLrCEqhNoUjXrj~IEmcGXp9`MmvlG)P}byIV2e@13{R@!Q$x$&1J=4++i zocv~YDYZIeLvf*Sim8~I@NT0w?^zix*Itg})BeW)^mmrM{^?_%xC}XUSYLFWdBVP2 zTT-o+b@wie`c1!Dv(6_0ECSw+DmQuVIOhA-_=(5=d^8nw>X$A#BfTb72u z+2xv$Dc11%hA_`c!Hp#sTZ_2wyL$xgd8<_K0~6GHapBainok)oO!^dk5#3H(e;;pm%Of}iIuHp{0t}RjTWSXy9 zsW?b4eSIkCX{mI;sl!^A%?xqg*_VQYA}{i=p5c6Y&(H3_T_v@@gp(63W4$sL+E#X~ z_6f5*lOZZp_WtPem+4)|iPrOq-A69t_zt7E4<{TGdh)bj$YEcGMPy=oi_x&?lmyr1 zO$EWpr^`hHzKNRNG>ORcbGtlpsqgix@Q`DN8uJ1kbtv4pa{r4!(r)9cN^AqpCa?$b z)=O`nQJQFy+cTz+H^g##r*rHcE?(9>o9?jPI!aJkU*UDl{W4E@N^_@sjC_)>++ORn z*4;nL;x@k7vWs;@xfy}u*7>zAhj8J`mJpNFr@j2oot{qI_`d3473R$w!rtEWjD9wk z7`21GBIXW~xBqaav|ZlF5q5e{T$rMwf5*F?o>w9-QaCM`!nxVP8~Zv^zgKN|*SIS9 zp+?BZtv@}|bfkZ8KPT+_Y{?VA#0zhCl=y}h5$uuOS7rYF4Bev9$fj8u6XyMbxgp6+%KZPnPsx#eor$V-Pxc{Tq!)Wxn+>wuxx zOLN07q4lyWv-8sqMWu#F3hjH^f_ZVVr$adLR=b3r^c{ijk1ubRCq3*>etkIpf`iKcx=yTF~ND_VEbSGY)m|BJYPFfF1q7Ox)kC+x!opZKRL(1uM zm&iaCVKrwXsAvc#tOPPnEW*;Z4xomR2zx~Igyn@5gk^Lf`a}TwQ3X{?FdZyhNCX_? zXcSTi14svj&>*XZMuXlbI2?RQiU>s(Z-J#?rfGqZ&)EM)6b>zfN8w;-Bq%b%<6&?V z$YEjujes^3W7;<_5~b|7s6rjfKHH##4pS)3SravH!8x& z)fPmo@!tp|NfCtyuoS>6I2L46f#RS=a6%Xy1a%je<9xE_W9|Q|a*^bS!eNE505y~3 zh{A*77C3G}s>tjjSDI3@i#mlzA9i7oLLmEsfTM-5K+RBC6yP3yLAuD9-s!46YN{Y} zL07Fup^<=FIItA~b-?h_TS`4)-MEJ2#>?T5E#%929ock7_FG^}Rj6Q_HaY7>C zAb>Mybaf*&VWhGH zI#@6gVIWa2Bmzo5;8?&paKr=OTnLY$#j)wiNNU39Zu5~iU{c{Qga~Nv0ICKG4FG+# z7&cw?MMW18bkN6IkW4-j1FBg727v>{;Q&Sf#VkUg6=FdZBO9@K3PvuKqoW*ApbQj1 z8#os9PJ;R%P;~^INDGohwiV>cTxx#N&*qaA3<*j~0mg#1Bo>Q?AyJ^o7Pm0JD1^;3 zVnmckA3>4{LjbD^1PEH|gfQS#0+oD#gESa6&xR3ED}Ct#T>&UyyWoIPNKjr2>M8*k zqs6fKDn@s!kHF)EAe0X=41oud6u|=q(qPy;6GnvfbY&O<2TF{A$|Hz76Tk}q%0M+6 z4Z`M`FruG9U%~*sL4yz)0>EiBI3_`rH(($Qy5^fOy4!pN1|@_6?j8bY7773#P?9f% zLjSXE1xSrpDn@N9=x*~tiwN*P&;TF;+Yj(7XrKT%|DO*daE{I;j9kP^KkEuwd4K}~ z1PQubfuBSaD2f)tNafK~93#4_^ieU=X@mfP2McXUP(Td$h5)!9xv;}VK8xmUNTT0N zAEHQ>6(NEGL}91NK||t13t_PTtoY=~3)I}AJJKhf*#P7qfSZPefVBuXli&;Ui+mQ5 zM>bFsMt7tS2Ve&W>VzRZLxaEt9H1R6h8D->9Y(}Z2VF%8$KZtUAYB9clYq$pgkgb8 zB0`H}^A00o?1jFBp+PSL3UCZ~-birYa18Lo|Jmk~he}XOlI}nsjsgY=6vcv8KHz}> zy3lAL9G(_o^A00&>mVIW7|Bw=5#ZE@j6Mhk;GtLw5+x*p!!CFlk!{6%vgl{>$z+KD zbOX>K5F-K#hXL>dn(_aUs(B|QF>*&&?ZQEr9*Um;uMJc(gHkro?DEe-B=?0-X&1S{ zf(}9?Syr(7kWjb@oQrr6KgEG@4yc8hMK)jL#u93>sNHUmYef+w&i^8*2eum}^fK>< z3+Gx<#K1IJIFwu~xF!mmq)VrL_=vYBPfz)B0_gt+NtvYjVeK{|Mgu=Od9 zm6~I1l~e5kEa^dv>7x?yS(s(7m*sUC4hbh`K6}QR@yvG6!}idV4zJ4QAJ!dmndrxP zcPuB2N_|UKgqmI4+Ix5KU7Z2*re))U+S(OgO+;irR{xGt{0%#jh1|dTIZpAj^fmjs zrw-pef2OvFJEMOt{nqNcWof6jZuX$-FVl-hmu>wtB4KOk=6&j8Wgth({w>#6Yo4jg z`Dwf4rAevfVeC7fnnP~{V%a&qPVpUhx%!H1W>j=xrY3T~TKz|dy_-EVz5IvZUD{i; zCb!l~R&A^2IF_Q~xA`)=F#3~W*1smB-Szk9azSWK6oe0S~9>Vz>oeyEX^(Us?B$1&M> zjH=31)y{jt&r5H`nu<@_1||hH|53fSU(!kRo&NR<*W1J|tY6u>%~Y2iz9rzT#Qohk zqwrCUaBp6}T)9kDQs(FN3%V9QdkXgb zJ|x8x;_HK!JihFeB|87c&ThU}<*-W+i^l#8)l|MJOJdkjnZ4&2lKJ+nh*ew-hI+gG zLZa*+JQUfj{p!#CJAoHnaOE%M4@Dp9lwmnp5OSQ!Z#Xy4#f~laq;!vSVBMq5de_PY z_vx%U&t7!0{Lt!WJ#WXd%SU%|UFN+qSu3t{=S-T>nYAZIy+79Yy0E#pCY!wx@l|Ob z?_J_M`9<13JSXe!Q@;%rAO32$1l};Uu(nb$`|7CaAMCVgcaHX(B?fo9ciaAO$=exc z*6?$wOG-39|Br;ax7#*#+%{cq#`Ll~SvQ2es&YlD!>IWIxrBUw!6O$C@@0SbdNV~o zpVGIwBWAVN%$sZJji$4~I3v!ZVlLyEK{vumZL+RxOuce~xksdKIhs$w7q2EQD1UpT zv$w9$Gdz@CR@C++qA0{!smitgA^yft!oB>!=qC+-7CL}#K;d1WVhjPbS8xI;ZIS%^yi^Z&ui=L3+y5b&y zs?E7o_sXgUo`rn#jTxm?B+y<^pTp(+^W}g`(%DTJXX`iaE9D9&Xw)!>uc}ZeFp?@) z3gr)KZ)vR3Y-p@4a}$Dvc5N53J>k3){rZTawJ_fQbB1Kd!3|N5bJZ^X&hfVWW%bT@ z^N8o5h;`D#Jc3F7{t)9(hS<86P`5LDoNm2X-*1WSZ@IODy6?Eh4S9tBk*UAT+Mn5O z=<&S&Zolj>?&1Xpj7?w*$E|>of|hYJsRvIY_iyPO zxnbm;IJ`dY`-P3e9~vs(Fa~bteNap=xfU0&r_U<#+qVYe^%tupFCdPb$T-l1RzE89 z=4FSs2WBiUoYOyUi-&5Cjcc4Dwrc0QPoGCG#0jcriQOskIWf?nz@M~}Uvh;( z%cjn67d+lX37I8!*63Z@Q?a5~AzL(FCSAp7-(CA_;#XcT>*bCC=+(zXydz#e z<4-dSn!8nPZ9bT3=0Dv2#??U1=(if<`;@o!Z&ugt>tk7)&DonXn(}A0BcJQ-som|% zZfh)eAh6jNI&0ZKoLV|$yQyY@Y%00inCc9kQ^QuGaGs(tw(IV1Mi6~cF-${J}hZHVk;f=IcYr*u_OK-IGNM0r1gm1 z^U(K5^x;VK5!>9r=fsXS=#@ktIF5NJ!0SaoGdN5GnGo#|1krD1z~#}ARPf>aX1hl!oq=rjr-?J8oAAu3UQI!Q0Ye) z1`p*A@E|w{h3`RqoCqKg`Oncy@*Fd2!swTJB;k1sh$R8oO!UW)K&db|;AS8ehR$R+ zV_sy5xLL@UkuHfL4Des^KxZI-77KPa2uFZ4$AWGK899?jrBSns?hy$L2n|A$E1}2) z7F1$jKnzoahNnTExJFGFw7clbFeH>e03i|(Qo@1!5C(+4Xwo$=AVIWl^r4HaUm%u* z1jY{zd><&qjR6@x1Zv?ZG+Dpq1qg}8mOf;W95W1vBter+pvWK=M3^wp*c0r+-Zfdl z$gStpa-{aK{+r^H_=U!S5Gv^F1>@O3CKL%n14RQVs|7Wm%&+-@OLBuc{R|iyq|Kl> z7ZQY%5HK`|e<4NwIiL!~gy%+jiKio71&IccR21+>p}ZqBM-B}P29k!44JezJuOgn; z^rZ}(L69UtvJt2jC>a8IHT*wYd_dT|ElC6r^d$_c8X^WQvEUW341~ZyMZkh8M%H~m z*}Nbjd1L_{l#HzWU}zEsAT2n^5Me=G8ycLJn1xw3qx6t7>ie?!RK2s2$j=UkWlFmNalkHkHnlP3I#GB z2pSw)pg4^@LWB;+f-FgZ?eV}(f{t($7_$U&@ZiK;7+K8d7d{r0pgaM9LXd<3$qpo_gaGX!fQ2;d1$ks6HOuH< zbpqfHH0~Wze^A;1V1@{dtQFwcywoVs8Ky7Ch=rn1Y7`XCf)Yq1fM+6TnjD*#h#?QO zp@Wi<&PpTz_(*V~z<~#Xh3cBnAP0h?aahjRF}hoRB&Z*P1_8qHz|aC7j`9}g+4RshGfJuYe>yY3y1l0aB!XS^;q_!CJOGJ`*h5!yFs00R- z0m}jE^AG@}fg(Cul+Cjl#6TE*^o+DK!2nNCK0#y|5)^A7umEN+;*rdt*m>ZZJbsFP zN``=X7Qk^i?T!#jfpIiExCIIh$&;_>Ko^-^Ah8V<+5)oyQl-Fz0p=|n>6ziyd?C^= z&_kvQV0@@`0XmRCoCmW1SoFd>a)zvVR-YI|rH^irwI1w89LVd!0h_QO{|>=25L^6b zttSsJrP`0=ab$E5BZ)F7zykm)pbP|hNI(`#%c}%3pBo||2Ab*0GpNKC2SP}20I8vp z7(g%VPRjFA^N85HCMFbq6B034BkKoE8NV^60n$ zK;%^f1i0XkCkO05L?M2W=mnKD=T*lLGbr@k03Zenhssa@uW+Ev4-R6mA|f=7O7b9E zsvR(EMj&0haZsc)Ek$q!KzSSRL?ggM8t{TV6qlMZ`q_Wd-UJ>9R1F3=2GU5tGXZr) zG#NHO4ojZ4Og}9H{s&ac4O#_2ogWT{2T{*OqUlsRMjF&h%`obX36%y-PlupAD1ex0 zC2QyZ7v(`{Vm~VR3Z(KN=s@|`lx!; z?-IQc<=JE1SLjxc<0xX5U-EG!^Gas;k2UO4u|5eGWWLz@y$>^k|71Qiz$Bk9P;*&u zOXzzeLw7a2!ngDjCB0*3l9r1c@ho5NX)qv{iZ9OHzb{mRvj@KMH}~33!#>tJouK^z z`iUAp2|_j7brgKKAJtcFbYHV3)0V%_yB&USv{KjO@|Klo&0mQgu7%@2oUfE$;xk#f zz3PeY@uL{AA@@NgWBv8RCM=I))bCb3EHm}ngfB2l82T%9d&P;t4GfBVQ*F|vl!6;j znGVi_gl~C|8m{Px3+~1D+Ocwri5ht9cwpMkZ(8)y>)RUT)rTVWO#=4UZfWd@L1f0& zo7nKQ@4FnimxtgG^CYm?VzA|9|Gv0WoCnp|WV$y>IU~oFkE!pyX|ra_Dpg}y9b+T; zM>;!=#awfZMElJ*x`#I!?-mJ6L&g*_-4pKNw0`tRg;lKWLeRUK9Kq+AJN!R#^%e&> zZ;07e#pZcsqhw7b0v(@blv$w@a`A)AX%?xB6y2X2hb4ZSth;#SUTWy0h~|LUv}0F; zz7^iBy;t}3#r>i!p*im9s%<4VvUxkVu_v<)R_{UW?Ohj@1G;y|YDU||HaRtz{`~fb zsY_wC#hPZezl9#{+`kxD0WXPK)Bw{7@gf4XXdtd z5F0ajqCxcHjlorKl^N`EL!L(;_2CFHtNXt3oVx2xth6kHm!RUr2;to!r*HL z;mlLSE% z7663{b8P1DnP1O3tv~do43a5`>>!}xZ4hb3fKw6#t^XOW&aeBJ)@b@rM$$428bowJ zaX1{5Rp3E(9jX@q5uODpo6)kl^%c`QjJ|XMunIjh0BS@*g1Qt8Xk-Ac?myEtH!nZE zFgIqH}>_GuTApS+kz|2T|D#GYLo&pVAMl=-DhoU>sJP+{1l!aqEWLtrl zXZMMxDt!eBqR~*Q6b{-D;lQH-wF96Hap4dh+3rK>k~xu`>2sdGltB+!g6ai;n+83k z0IC5{vQKJI+~w#;(hfpePU+{QSyY-8OApjHH%KS& zrSH}%Eq}30zGpXsBclV}-|lMxPt2a<-?XpuMDOuSJQpGYZ$P3@s>}+<&cCe^Yz$!^ z^3nOc@hRgH#tz;K3jqBEh9JxZ`ox=@1N4dT`dyk7?0Xp#*Xc0*PS1RnvEMfZR@RqX)#r2% zVv|k3AJwFF(`$9%vM(JT=c*9>{d`*ea-#lbpW9CU?fusJ=1t6KNnDUpV2e)1ligRh zUQ9~KRjGpg()1s#_MT`PIhq!8b3<`fk!v4w*Wwc<=e+-Rg*A=ows{rm2$pRhk^JK@5&H9* zAQ$t>KsMPsTz>>q3Vef*AL}<~7A9SR58Qu!c>DGG9saR36Yh_0M%r_X*|wVQj!Bq` zX{ZuaHL>qYUmM@DRdMyV$>McI*5jq>5!U?Gd6I=5Vp@~66T3yF*O+tqG@-hBnv~y_ zNOO&Q;@P&#?eTukITR?zJwX^%aj`y%jC{xb#HJvRd$=@DX@$kHPVYRu*4GA=-Y|^` zm(FJr_7dR|Y5|eEd2^W!+oYempwz+*PNeDt-~W{2F1aLbO^6lamF zmwVshbE(&_VjKMV{+fZ@+8TYq$c^9$H$T{sN1u0knQke4`}h8~#)qstW8OvDttUmT z3|9;rjB{c_bDB>+az^~LYz`Luq_4ovjYG>b?Q!FU4T`cl+;uQ&>19wlvMU~u`?H`y z9sMe~f9cx2N`Kla9{ZNDJ@vizFrv0r<(FWR#Jh0@#`OMYWgEkJ2(Y!$n=7Ap4&7Q8 z!m?|}phg|jxnEgn!8>9$2}zbA@LVS?v$UuxOHkNmY?a$oBQIpYfK$V$670X$(V^ux_t=cJY3Fw;8o*? z*b~e`eEI52>hIxKrmzg9`n;a%>Hl`cxBy{mS+&o9`O2r8WeD+6JuZpolJ1|sQnK6z zhBrC8#A?&A-9fO6CF>8^e3WCeuVX);9mZ}Znz&J4OFC~)fx-s;!qF6&6_UJhi7@=f zxYCVqo+KW>lqbx6H=Z^6o%PSzvdO-0Rp|04m8D`yU#&-!?(-wIE{oz3+qmid6=j=h z5mz5{bdyEj3d{9HhEH{kZ)uyJI(+t+?PD|5@@LB0s>+;(myA{_ZXF9#ResYS{)NRn zc9X_Fu9U6HM%n(kr4sziqwOMIJt=TyDG%T4H{0q|ytJQMjC(&gZj=<#XraYsA(iP^ zryVfFZyulsQ-Q4;&au-dhl^~hP?jnSS{pC+(tP!)U59l0Ua7AL-tjf+mwBb7TzFF4 zl~nnsT1`y)8_zSGh`fyv4i00xk{B<|P#d@YMACa{L6o0O;DC9_rj9~Wl~g%~UehCE z``EhPZ5*)5-=DNARY~D&2NGA1{4O)ys@f^Ic2Cx_5B{p`g6sS)Wwx#gk>r>#uxxL{ z^ya0#?Oe%N+@b#ok^ zp+u)CuQ2k3Q>qKwlIuhEGMC^XJAPhaWeqIMyZ&SSu04(M4dVSQ=W2AV>(6vz%d%@* z?-_~P=oB8*E@90&qieu+1fd|q`R2&h6p?GLLI?1uOfxsQX7qXA@50+3y4m=DP8e@^ zJ^nfB{;-a?)%xVi@+qv%{p&PNyWM^oVW4@6BRWi7j&dt-GyZ-*TQyE)m^<*IsxG}r&%Tk_HHi?yb2h$sxOc?aj zZujIs*O=bt%+LreE>w14sHi-XXoP}~jH*{wOX{&8} zaCYKSzT4=9g5E)`;lCRLzx-0Hd8Q_KMDE2pZl&Uc4=tJ-1K|OF>9{SzTdQ~_j$LrDt~hmiZ^j-G>~K%fRVtspcg0y(dc zM+Q{^Ktlo+p^ohCFTgZvZ-xlo+9!395TgSFFpVO;8i^ERe z1ZH~rsw`J?piPWZZktQJ!V@N@FY5!0UIlSz|2XW>U~q5B(@g$w3)v{nG>c zN3KQeQjpzdn}_@T$KQR=OYdL1*WCNT|03OgmkeY5`w6EXH`ji1O7T1QJp8*#XWu0^ zu0Ppwg)I*i53c08-1gb+I$E=S)V8C!G+oduCA=ej+(Y(ore*F$&9Ge7Js#<)*ly14 zOp(KZh}!P3>=OZAj%ob{F<6dGgK9Ogc6aTVF8fWX`nx#BlnboeTrM%h=7)SP#lCGa z^YJR?^D&!MwGp?jSw(G^b5CU1a?GGv)7R-&;xg$g*V0@V1HwZ7B;R*QMIAr*MLU;J ze)roQZMbmSvy$seGqiGbCL&+|ijKUnU7#Z3$PfP{!7HD+HI`@HJMS0lW?Ui9ha26O z`*B4R%c(x26@!P~C&_;Gy6fz0J6ygd*d)PH<=i{1m+VY0yalx)cJOdjnG4<#dF<6N zj!SbCV)jjUKKREDZ}EW3dRa}0E&9laxc2ATQu)v=f=}xNY*xR#+^b&Wn0~E`5HKB++>#=dq*h z7f8}s9moT7VP?)m$4 zqS!+i1}{Xs6AsC23vo|1ycH8rU@1d&<)K4&AMWqiduo#ChQx4nymhPMl}aKYYH zR5X9Zp1-7c{=)8$Z+{;vcTX_?QXy<3-JfjrjA^o6^9*wNVZ4o_&5!rlsn4GU#7m8J z3KP!BdGe{PDzH=`WZS;X^18g;a-yhs9Dc3n_ej^X&tlkzgBN!1RJV@&#_naz!^|ly zwK>1#yZ->@@8}z5)#0WKH7Dy_nGH}dwr2dw$J`2bHkuKPChm=+&JjDB+zvL0q{EqcSkrat`=atUw3vI1t|^Nb&cqzab`1>K4-<6FKy*j|{qbj=SA)^Ad~0+w~-tSs}CzbY&p z2pLI)X&>|{zkKSqW=qVV$@`^=7gNqjZ5dgI6ANFpf{~>(*r9#$v7mt6NqGy&Ro=L= zq6pJB@8b2Z8A)$>`cWdy`hK*0@4YWw=X#D4I!g~oN2z`L{HtTtvY&}(6gbX^edjx& zyZdS9??1~zE+Mw=9e9IT`h-vL6jQP@^Ae=oyW`LAu6S=0Xe;TJ<6Awo)8(vZ!C}jS z^3Fu#drWF7c2D!m_^Tb>RR>D9apO!*)-3B?cDQ}T&V!FGpFdN6kSSqha~Q*w3=h?k z`0`*8ecopn*gBJqtBvfo7p!`G3}Gzi6RLA})7J2%3`;uB3LI}vd2@cx?a!es8|};w z8P>4zMs}7C-G~X~h`kYdbGYyEGrNgGw?2Z|s}%gt zFEjhiQr|4!zP9RYHsQUPNB^mzg=#Xvs*$<Y^So3WJC9>7@w~C@W>dsRgJtKLT?8JkU2^2hBtuu;{ep_z7k8_c>=0cpX;RyN z!0|k+RGy*D?0mx7LN<#JmL44U2lusIdtJ)=a?I&sNS3;pAUZPWD*U#j~UK)N_{J?czCr_Qy4`*(!i#*+*oO#O8@mZTTS6nvOFtv4@rk zw|x~=zWzznBFp%CWl}rN^dT0OqVqF`x4HHEt&5Txj!b61qM~$#jBl0nSBC52mY>IY zZEfEs&+3T~(-#Xr;U+VWQkUIRwzpvIb ziCNt^qIXVbP4(&c0yU${XBeOKxQj#$>4?Q=HobIjDzdjuV*Ps-tI?`^>-9dbok$UV z^pnOgwHQ5#BSD#N9HC~lbrB<{f(qVzRo{Tr)fv?ObGIan+wG94?nt%R@u`}+XIJ_5 zE2B%!vBD-AOp7K`tv<)7@vr)((S7jOa{q*{rVqp=U~1la-R}e~e;k?!{R}J6)^L}J zaEtEw?3)@l=58w#bh6)&Eht-vpeEkUuH@`;vsrQX`7gNyMy6XYXF0cp*-K*M@43ccaXG;pZu8-GPzSm4;TrU_}oSIb7(`ji9ONf!2Fz&BA zn#GAS$}F=JFAO|9ZfkRuU|gr%Z3({??l_gRq~o*OAZy>n-_PGyG8#NAUfTG;Ct?Ag zi8x-0jKCJIZWToR!dOsUJwqNSNyLC@BmV<=^Ad7INzB%S|7*1m0<^q=!Uixv z0_xcX(|JL58Vk)wfcoqgX|Y+{+oI#-I&y&s=vu@=bp=oh5NOZ9fcj?4BJ(#W?(@P@ zrQ`fMs96Mz1_4D~ptJ~R3*^{?9w3m&1a%_Fg~t()bHDRjrlz+LeFO>zGiMQ?vlsN4krPl)5L{^4rGq3fV| zXx01rom+wsu zj=3*rKA;?9Gve^9?b#k>-ET^j50Y2cE6C9%5eAv~t_}$Iox&*Eb*2+}7=|f4lE6;`{M+ew#iX7Aw$x zG4LJZX~1C97sZ={~2wd;9yfpX`U3J(z2*omDkzR0UOC zP*RtcjIHg3&5j+e(1s}sbA4;lzAb6I*?r&hd8ylKDrHQ~;WPBx`#n-%yK>SMGSS!N z1hwXI$Y2*x6!Rv_tYEb)W%}&4rXkZVEGe(`jX_#GUuh-DuK9Xb<>TOKX;vTQ4~@N% z#C9>ywP>Vk9!=#oe{_Ezm24%*^-Z*MKg?x&c(|o|5(|l=v49oEnVy8*Va9CD;&YMB zimX^!f(If|dFT@YhDO6K5_cb=m~27zm$#VT5awIAeS<;1kk_qz&CS6Trht0Uft|)i=YzA-%`snnGM zcG>&QM{m%FGO!eEa|0x&-BOE-!`wcR5x_xe{3C=`a zt1_oC_QbO$wj3#8C)#zG_TDNtLn(DCOpW3d4E&&gZh}^Pxfn z%>zWaSrqMUru7O5IkDB}+A32A(@p$6Q)6&F5tm3(p&KS#^!CY0N?Sdhb)p6hRFKz++4XgxH}P@x{qYqA^E;L#J{}kpgAfbO z*m$&kjnN;2#kVk`J%K*z0^9R`*8;73O-{GHhn-EP-z?=s*Pe{6759M;ME~ps$f5{l zNuxY7G7@pc2mX=tN^MEIDL8~F(-DT%z^`uz6{beWDRZOa#gRH5`Tak`1%!A_014@2RWTgs*BZB)ds7IozlZCpDWQ?0Lo;*7tIB8}g@@8)UtJYh1)Afst41_PVe0O9Q({AGcyx;mM z+<~s}<0~C~?Q7!jeK3+~WAi=(@30C1LT1e#=wfX{X55Ehb9!vT5AN`I%Jvpj^ira* z>R-2P-{{5Owj|0g#i9d0_8#?|(s#qanYdKtuXla48e6~@Pfp7#EP%GYmJfMX(yA_0 zZFG)MppQ8Vh>m3uiQD3|<`hTeC(bWn6b^O-ZRm}Gx*~B_tNcg8k2T0AY&?OhSG|7-OP$145qLGNIkxmY;Endq(z7Z_r2a`K> z`bwV0t&Ec|f%wtL6b`?($2+Q3g{rr{S#n-ib_Z5Wz{dKZdu+xvyoPBpVEZnsJD+{EiI83fx#vISn)L24n`w z9J|u4_V!I~?1g5;jiH|kcniGkA~qGj2!|k9hGQYo{62I?k?J%{*{ek}yKh=4$Aifo zxC^6oA*Pr$ZfkvO$pbj74diY7uEaPJXGoYX#!|)^{`|gKjARJu^UMr(wR`TJ4wC|# zb)ZT@=BJ75!0RmwwHn&UWX0kK0!oItJ>vtsQbs|RU*645UDcKBA&^cf;mv_H)zG~1 z>vhuZhQ>@QNM=9XQo`bnnI+Q@&y9VRuDY5j znY|uM23#N2P1-SEbVS)9OhhO1&~uRl?zSpj* z0yk@$Q$NboEy$v>SA@k>BLusJRNyn|%Eu5RrTcF1EI#$RTt8;>Grn;7Xy3j3P%#o_ zY1&aIND<1>xiLpI_4X8xt_1U!CG$G8Kna)(GiooMisJLY6w>=}?^fq@UCTQrU6=%w2or@trHDz;{z)U)V zif&%;OkR}IGe3-)y$KkMZ>cwwIM@FsiuTBRpe)P+*{e2;3-8#)DTDh$JF>o`C91?J z?y>ty!>uzTE#IStsHtMHr&ncMbFsd}9CE(m97IpsF7Dg(Og*1H>4U5D)YOcnf8l%; zp4IxfCE}*m$D{RwM5~gxxT-__#LCyKX{kd_9F0j6;<;ACiEx7}Z{4oG9iwtPnBBcN z%{Xl;r^siYnupHvAa|oVxd-NZ>e7ZejU7~IDodT6xQZEf*He|zcGNMAK1XiYSHC~8 zvudm(pj%EUMT9r&-)4BTEi$aK{EmQ$S7F0pp6jXT5V!RB%9Z%$q)TBf-Zdv((rdx( zDYwYc#XoOikE$hf+%OJuADC}q%hT1i4kHUGfVzudYHKU%OGmy`mN}2dOP3`p6z=RY zA=7L6c&Ct5s=np)40a0c7?1eP#V_%6OOF-0AX^wxbn3;!dOF&&6_f1C;z0K;;uzFh zb5S!n`%DH;_J9Ce`U`y@LlNd<6f{knC&I)4!x93#3j28EhpVKhZ0#d!(zvc=-3#1&!@|s^VC<-d&)>5CkgMef0288*lyMD+FpWhk$Q@ zSL^4NUEIW>S!?@XK=M%)bd3vpCt3J9I}(zQU(U))mZ>rn8ZCO%1Nmf|%}E=E^R~|7 z!2d0Gzy3Viva#;%0Bkqt0+ZibKGf9%s?kaXU5d}SkeH&a>-)}ZkIVKU10Fup=#LVk zPZyomX!q7weTzWSwSa(S^ry zF2zvDco}G4JvzQ|g^8rxlv(;LPac0rXgT;`h)TbFxNl38*i_JZ$RN3Kd$o zn7g}IX;dez(Ux&eqk3>^RJ&UVP7s;-5>sR_bM?3O>-X}?Ls}WUM;V+zH9@0I>o!P0 zO-HTr*_sQl4}vospkwQCpZG_tny-^%j5@q7o-zi$jgYLW*1=n(*wHKM1$XzO+@r#) z%#C44-#u2lDaCz5Bv)Nw`V;EzyIbuK*zo7n-S>y|pB1aWdENeRsJq|Yc3FOR+hzIP zZTC4y>-#9#cWXKTmG`^b?oZU*Kj@A4U3U(c*9N%Veh)|l7!ZDsvjYqg0c_d+f|~ms zSp$aBf029tgZ79&6cB(J6qaW<9)JLy_1U)nIf?VX&20TiW&fZ(B7l1ME1obQ}`6E;E z4;mygGXaHQ)y3sNbe$YJ^@H+s*nS*rwXVxZWdbH~*n+?>LGV{M^(9Ee4)ut~6%Ja1&-9?auS=k}5!Xth7ul4LTYZ1UK=Zx*U&a`5;h zF_w6Yw)QPcz+7Z?qnw*C^Q|I9?3kHKLAC<3EX-YMscNC9FEM)qO;X{2`PwUa=`6ka zjX-8h7}$voENx1n8G?Zqor-XK&Jhg~lcz>{#@$r&4ZaMN6oX=DW8-bWW3j3**W)6^s;T57bJgK|x1ssm~8qJSYzO6t=_ zjz9P0P4>QD|m_%E$SR0oLy%Z#?H)YEXnKMu4H-uv=QdI(S zpD`(V)vmRQ?d%+~x~7yXkBV3oj+VQ9JSwl!h=bwLXKy8mlT!c&`~~@KB(9{ZS}vBP zZH~^1;d6M878_=8@2GFUAIW4YNZ0}cvi-0f*H57wU)MOLt!VL}_YNKO(vVH&!x$B? zKrCy%-m?9K<4<)jcuD-CF)H>=MW5Hcwq-F;{JTt*Hu4Rkf(oNVoU@8G&S-BS@NEr0 zaW%M$`W7=}-VywHJU(J{pUv^a+mB4a(%ETk>Jge*CecFgmq<7y52=!x6GDbUm%pvw zJ{;b6qah9F>9T7yxu0%XcL}uJBcrfGX(Cu37v+HU*o@+kfEuTa_^zx#+UZ}@8%{Za z!x}>^1kzk-C%FY&!L+M5G*D9;zonfruCC+&2fA`Gic5mEusazQg}|KN(|n3-Pa3Rk}5 z41^P#NFr%YK#h2ZB1a;l-gBnYW3={={42m*&zfgjj3({vd=ez=Z{{-bFvjg6BgBXX+T5NzukA>f$6iLw=3@@_ya7 z-N{o3#s4*Z_gbk$Ir{|V3&`f;@N^OLih$e&+YizPHcROmv5kuvUsZcLk*bsj{S>=N z((cj;{B7YfKxxCr+x^PuZW`($Dd%rb?wi2Mp5+`N@OVen)W zADJIEFiTAZ!KkW$;VB00!k`Qq!iY$if2Db~R@?(a^FduIg&9iHe&Iv^nSD+ekvDD< z&2W;~-H7yklUA$LR|LC<^RVp$+!uY3D+`4~tYlpF(McQ>!Jb7zqkLj1JV6liit)zu zu3wX^-q8~TaZcAj1u|2QNhX)=s8~iTH}z9 z%ifs+sjwB|s>0ZTp9kwy#KF=>pjw((lY_pHH;!PWS9)-E#I$>BOPyEg^a-kQGfQ2!PB4ZT^vE9Ug4B<>t|DNqX<=aZ|X z+_`2X+$x`y3j4B!;~Zh{8cKyo(pJt_g3BGg`S8Z)%y=O{8hP$rtmL}+NOrfZVhMno-$2;p0iH_*sZ0 ze^}~o4;Y%WLaA_a>=M1HNd->?3}IiIGm*Cln_Z&4J>?Y6hF6K=(fFyuv(kiFtFp$^ z9;bgGO53sTo97bUD|gI!*@bM-Q&ln<>#3G3Pz7dfk}! z+0&L!nNM$Ne84I1l@qjhmPaD`9k1-%Jv(K=ZX56vnfiXOHwupTo0aTt!?*~y$u>0O zk0_^38Z!a98SymITHg{Kd)GZ{n6-D`XzNlKc%R6gDJJPQec7Q?J?kQVnNL|!a2-!* zJxrjQ)Ns}#+FUjJqUoH{d#W}HHdagS z79D$}#51j3G_u>c`fft711NJQJr{FIF6M%%bBD$xgFf%ujl zinng_2-x|xtvN7=AW0QxM$5#B;f*cby0fYUEDlmW5jP2Da#}^fAi?oVH(4-%Yz^pgsxpFKY#Zd=UTVIP@Kmj{Il)RFMMd7_tsaI3^CJq~K()*@J^?E`G zB*r>}Su|FKhs3O{PCsvtb9ToQKer;2O9k}IzLMc524S7# zBkbckbVu77P|;->OE4~tLG4cqH8#mg$-_vri%kAXgMR*B@}QdeGvl8;4aWC5^hL^jQS!>6Hw}`jhuu{*vxupBEuyXB zt_(5K{l=J#l`&ixobZw!GYtHYn1+-`M(f%!p7dg)o6C+Fi3T3COX>QEP`Q`M?rS2u z>(J|tHe`S;x85D|&01b~RbV0C@DV%Aru+$S0Kf=;Y;yl`Oyakonx7;;zh&9{Z+HVh z7yLJV;CJcI@2NY_)9v5i|85`*;0?YTHv(P($oaSTfB*Ntr|SH~Cw%{%Kd{69O+Wxh zRD2Gf{Fhke**f7l3FtqGRenea0ND6fg!j+2>c2a<0~)`q08GsK-I^aD4R}^10e~p$ zUqQV820;J0Zv8XA@r;kZ$DRO&VHg1YdVseHpj?2X!hfD`2dGGXh3?-E#6NUV0YU0a z0BH^@fO-K~hyr4`0j>_u7xnKeeSTpUzMs>7raWeVoQxIVH}tHzVEb-5@!Kd5z}yA! z{+|jR{xHe&i(Sn>XnXpD#(K6M0_@?lUmz=B=mHQc1yD`>xsA?$tM2o&#q{i|18_Wfwj%zkDX9OU|9(-ge9!LsXDWNP2?Wp*&z7fb&$q*KkOpAF z2yoB-m3RNo_v$a^9si&m_p^5)>$AttkKzEuKC6KKQ+fZUtzn`6BVY8BSMoFM^Zn1t z-!P;2$;|kdg@2)~`JRyW<0}2hB38in$#a6kFC^1Xp1Xgt@L5{}xDkI@_x;b^j}QC{ za_axD$)ulbQh$(B&*HJaNlqPVF4`>AA$wix5rI+2!Wx+?qFhF`Fb{GR&{>tpEC#I| z;Twe{qc>4oky^XoFS`UXeIz}c3pvEK<%b0&W5FJT3pzi2X|?NdmVJG6Fsx>}ZPPi^ zFZ=?s+@<uiRvkiOua&k|MaQXT&}wo* z*sZoyvQnLDx0R$rtdilK>5c$&j!42a5Fj!{NVo{V<1v zY{E~{7Db+Mj1&u!ZD;i24~ABuIBNx}X6LtBsS#+Dc%AmP(6YnuHyz(-s+CWqke|BB z=#h}?l4ct{6fl*pdOS4E_)7PNK1MlP?R1xX-picZ#4)MbUl=8CS3_C=(gCz|*JrL`nV`!PjC z^9$$I;G5IM*#Q+FlmglNoK{*Xl$2{=|C;R@AB8)-=1TZTGgjFpx(;55mof}c6O6UD zEIsj+k$#3-Z)1%F3);`?ctCWB9wYDXV(%5--GCNlKo{$yq}x#$qIY}|<+i60~*stI`{1*1qQ`>i5sIVtO|m)#vD zUPvLT5_~}>*MQR5E&KYcjK_cFMU?@TQxX2iHXOMf6LT$)(Wjl}ms6gi9*zD5sETSd#Z`Eb&Fimgq%B z`PO8?994j`RyS$uyiM-~NtR#;s=Ww|1^pC4>FhpM{p{cs*OrCr3z`O04e%P&4WBJl zD+J*KYig}xQ^Q&g<*~Q~0dQoWsN1BZ+a&bU8St2krIGT=#(3q=?>_fSlY}k`noySM zFCMU|>!|D)rznM8$ZTtWu=^>^({YAy51v{}+k(D6$o!I*4S?}s( z$|ydWNI{XPNMuZYlB4~I-6P)Jo0kVZhb?Wq19Xk4l!cS+uXODr*W_(hI26j)z z?MT*EEV7PI-|-X#al#2O`@Lr?0adyyNgf(I==nsAFj9^w@EJGdO?t{@h`3v@vj9%Y zr2s^9(uv52jwSgaet3dSRWd`YOOEwoZrNhO7ZR+FM>v)vRZxlwlgwjjS@txHB~om~ z4aXxR_F3|GYE6@ETpy>91DMbl%Y<%xvtu0)rEA<8#Rj%+u0EC3sEodp`?LrWVA5DK zyD1gO%J?D*E_bBI=arlGJOsUf-2EYtw^5nFUZGV@ku2>B9X9m4ldHJd7iQH37E0<{R%QcYP>TjF_#_>Tg%Fg~3%*VI zin{SM;hip-@oSi-pcFY`wIb{p#C}XPjM0${Nv&MS{>aXq2e1NlMkSQI;H@eFzCczf#!`qlvp(IiEFZB#EJl+Buf!V+%=<*QhjC^#^RInw2NG5U*1-}ynOPwO0sCcz*ssCAmvh z+DTAVDzi!KzUkCN%#wX z{BjAp+j+#!w5OesYVkI->cl`|Y)45lDrF>lz34B@-5t?^$mwJY6AYd(yo{6@OYW2# z84p@s4N@)J9E2&oczi6`aBs$6+Z;cU*IuO$4XQJ(vrZCkjXFPyd6+tC)Eh4cP4_f$ zbAOMo0)vJe(5r-CMSdL8fmB4Q)+^<5)BDi3NRwUWAnkpnfj(v6PJ*+;fmeGPKJU)j z=r15j8~ze(QO(xfZTeEfV(@J0;TBGOmy0kUheP!n3)O zkN8?rnu5%*1y`|Ac-buVwD#ipK0Xlqw#c3PHH&_5Bo}?wI)bb!A|8#LPzK_}^yfxR zqn#US@8piOodE1mhd2+cr8hjxJOgioj@I5H$i5yFN7Ehk!6V~hXHZK}4JY*pL5%tu zfQK)UYK2=2j!hHS-S`+7?@kK}qj|F^Xp!C;G-Nw}ao^c@;)&eFCN-UTa2 zEtZYiqh{0SOjlV_EHRB8;} z!hV$@7^yD`YWzmygZ!?tu)s|KwIHPk$jClcf^D{`{dnKUR(J|9zEG(2_w@Y{gZ*ct zNSm28hX#SX&Pu_y>CD$3_v*)=>c!aGrLZ~h?$N-ia#UDVd&N$dv2-)Hz}OzQnbTXOZ`a8r*?Hx)-KWw~lvbA);ir(a3aOD;@R;Eu0mXUuW6 zqAqvRb3P}xwf4~}Or_Fhaf{a>M=oeyF5gSc3DX!%;9~Hk#y5_%()*OP1Gv|gIR;wi z8xeS^cSIw+Pmn^i)2nW~v7*;TAJ24RjBX+Z&fU;@uV>inpW?(o50ppOlc4FZ@GA^jrgHGZB~R;VzN*JW#S%0rkv8dOeQ zA(hY5JQAeOQ*OcMf>)1WVrY;+gh5hfJhz=FH@mHl4G1BBLfZgR4gVW$^Zmi`XSv63 zk-`5P+6DkipJ|w%XqWHr{dg+=ztJuL^#=R*fvVp!dI7nhfbR8wHr@rGrGEh?D%xL+ zQGfFAe}2^ezGHs_k^E$_|I0!^PU*8r1VC5t3rP5$v;1Q_{$wEwU~GmNfK7i{`2DK< zSor@LUHse>|DQhi-)nsX0=53<9Q_Mj0N~u;L>JZA77p`ur;T3VrkttKCd8PCzL6JF zO53B_NA^~Go;w@X)@CR*>Pp$~vk&f;U3_%pNl3YzQ^NVo>VcfwJ&wn?>tNoV9BtTa zljqr}pk>oU7@?);L6pO-(Hj^P`koWtG~JY;xf;yDj??Gdy=lfzO$H0YaG+#&^459CZTw=OL33b z8T-i%0^%)gdP>`ei&Kdp6zm^PsEFa)(9{c+jFy+J;H`(G$&D)d?yakrjBX3HObug2 ztJKkQ`OC=3rngFlX^}kdzvZ#f$;qUr>(*iSAQy#g)`${R--NZU*VBJ^9PTr%g@JX2Absh2@vdx#jknlX3@sEAWP4O|*o51KZ`J0pcnSd4-!gI|bSJKl%$-_FcOVPLnc94v`* z6|kFLJ2TNrLNFlbB1Pe!YA$dSWQ&j9d|TezuvEoIQ>{A^=X>KVMlIhF5OLL*Hia$M zYVDfM*ARRkH{{s? z$=&14E;lMeb5&7LXhO*%TzvPYsa&Wc880DLNN)t1yxrH<<)(4yO~(wok(W$dDRKoi z_~}C3#14nq5|$7I={v*E5YoPt^dTdkw!}^4k?^kz)sP`P7>CoB(_fwi3Kv-=nk&`$W@ju2d_`Ey zRJ?-_;?&+ggI}0N8M-V~qws6KSFEC(i-)c`&Yo2hkWfPk?U`5_?U^ZV4Qo$D6Q`#p zuRHc5w1}NmfN8PS0ujidCkdHy2SfYALY=%oV9r}X+Wu?NH>>Sw=#fP1TCh3I#$oz3 z)%bI9J89k&eN!7A<8eC?ifiak@tYn_Vy2uAPD5NKhs#6ueka{XjqwR?G(qEOx>nMw zHgIa(YuAa_$}zH{XG!((J(_K=7CHMD)==X}j6$Ho(N|0M>fiex5C_0aBAp*ZcVPe> zuvei6H&`aa3sRuY@O%aP&=#zkJX(yl@ZcKeW2nWAh7+To zfnVVjl_;a+_r~cX&9_Q4!Yz}a=}vERBIZOZm93m=Y||c?2JoCsoX^fanRXV!7zUUbwcWD?XPcU7{YihA{^?YIHHHS>V{a4nk^H`oK-(P&1_es zC00~Yg%YG?UmJ$fu=bmd1lMzmnIgiHnHMSHxyl^(7lv?%Ly5UlERz*te{t{g1)9w? z^jtmKNKFclSh`}DyxhX!P*+4-M)}vTLe=B#Fa%98-*q2)Ra!dq^lfXM8X^GL?fh=p?=fPo*iEzUC3$O$fosD6q6#93Ft(RWCo>ja zK3d0Xsx8M3H&MtL%U$!zoHhSb646@^OV{(WU>E)}G)cGPw>C0-Dq&nW#KzcnZBQ*C zu#cQLgnn%w67{*J;=EJDGAFhn8~1C9sk(GVG$ErX^>8@DX+9NOvsSfOeZu4)c}Grj zwb?Uy!L6-q%+?wc25!Clb(Nub9kx{Q1#Dk(0(g!ptGE`Btg)5e+-sh0!p+VX+EZ0G zx>iBS3>^g;8%kMwxU4Lf;oyN-UZzGPvnXI2SFnWh^J7l0P+YMlAP?G!y98^X1O(NE zDCh!tdPnw6aED)Fdo}Z(>wJW_BcbELO2v&>IzQoc?R}YXF5c@``p!}}w*!h6lXq~( z6cvIL^@NrKP52VFPeX*Eajq$~;t|M1vbg`f3Eo2YfccpM*WiIT8)?lmEn0>jx3NMh?Si(~+W8^fa6LU$q z7nth?#YauVqq7zi3W*}<-Uyv0{b}{&<9z(MVmHz(r$rXkSvj;VkHN^J@`1(VP1~bB zYCQoy*P5ro0C5i4k?Cu@#N?ykbJCPkiX?Udd9rO#>lJr8BsE>)9;z80mz(`S!J{km z1Yx_N87m7;rSVXQg_3!z9a6)A547W7k&cpcBk@EnljA;p%-k(ul5=*%68M5vV9LRn zjgDH%Ypao?VM4zogWdK*-Z!j=liLYD&Hn8j>fK>b#<_j_r#|cOr(FH{?Ex>i z8`o0LhPQ~-#a8H4t*L6%gCrc6d1JPfGg51En1BA4}+ z1N$2bf?;=T)X$<6JUV_YkuKdQn=JYE)GkV{R@6ZTvjZx?kQ}|P1C2S3(Nc$RQ`bth z7(Z3RnmU&hKTPMW==p7nRPur)Rs^#MQp-&mJ+v)#_el`x#cUiHE5#JW*2Xks3?pB~ zjAqE&veGZ*V8dfj$H~2CJV46sr>{L` z-gUU7)*8=WZd~84js%NpRGyCd)QL_{xaX%FCkNhPwu4PrZG^MhD{hGmLi{visH1uXQx!6fhycCvV#1iCjv9QvnvcXMv z%e}%8(Gd>qX1p+~zKRU52w_z)@*8Ai)>90MU?he3NYvrC3_6XJ&y}yR>+TUzKa|CU zUEh?uUZhj19q}pkv_Ko)^Vx=bY5WOV0l0nr&r{}~i_^b9i2jULehWnU-=LN6p-+J3 z@sIozKwI(`^zsh|Looxa&^Q2{3>HAk6A&!Mz{_AnzL zZ;au)2Or>Pz%^lH1muzZg$LiiHQN7J8teCnoFAnEmSgX1_WFN53(NUy%&b zd3cTnZZ`32;z++D#<#U^n>Ts|T`U$~W!a7}`ey zg|&WMi72UNO!BntL4EPctNCtqt$VWDi84Zbp}@8}Fkwx^pja$4rTTvs48?#OOZ z62t6*hOHmBeKS{J#3+SebGA!Efnh#y#_ZtAg=aZLbv4So2Scz*)WV@J?`>_^RXK1xTmq3Ki~ zOBnSd7;To#Hwwr|WM++Zx7U2Nt%8NpDp?aYyo`RRyID!?dt1$Hq!@njX>kNpgs;^m zsKjp1GBfH%zY>f|`FPy_wPr(;qm-zbIS-X`V5*29R=0E-P{s`u(#P}Ym)o5Sf|5!1 zUuwv0IbamQ&|zGNB3!dvT!VlRckxC!SKiZETTSq97=jbyV196P)hiN=ev{wl_lA~T z%IL@`ovx9I>=ZL@2=!?xsBpP~(h74Frh1&DqP;w~LCm}DqU$2&1tE12LS_TST}`8o zU@`C7seGAu*R|7aYMIz%%!aSA!WD)0i$r~GBbRCB33SxiEJ9btVYJNVEjrLKiMTRu zN37dzKAn=Htuf1CA}S+M_-x;mQya(IEjY|!JC?IEo1uMe@>X~cm2oY93d9+tTq?ZJ zGgSZ~KI80?GQxT5CG`nA5(vV^#S3LVNdbk9^V=*jYqjNu&{a7*q2 zm?(iaArE1P3?Ns<1CT})U!abF)xzsYajkv2cGAE)(@H`&L`*ekpge7+Nix-LGI17A z{jKu4J9(*g7Hz{s2=kM4U5@P<6{?AlfhpmroPcowECG{f+pETgiXGSvy$%xQB#;*s z6aym?1^nWDB!PR%PzH_e(4%Qcx6FoENVg{m`73bu)|C2Q^F^dL1IRD9k{zz2N-I;k zSE07`@l9ha1VzKQkx8`r&e*ST-Y=Ry@|vbHZMJXEGA&y2xT!i)ej;lV7Mp#wC8yHd zlZXp3P|)~teZxsP8y7EVF@vk->#?}3-%|CU&`w=&hUr?Q@Vz*QUq7FU9*q=!z-5re zmU^UXE8H0D3c5Khx%Z=Q+vJOc=L;z#=( zbd$CZc&SwyRR{D2BXP^iDtQoTq;R1;ybPCF|Z<;$&-^d|=|G$;%$a3Ot|2$It-3#G~HQ{45p{J>@e>#n4E zn*^|jXQn|jZFU*+(xxBotAraRJF?Fq=iJow6%IoxUfS0%fej*TceunjnVCjD?)J;c z7z`8JFO-jNM;SK;8uewGqcx;~k<^ffa3lBvX+}b%1aN6>)IOfdxR3LQA_?uHM0P8$yO_#&ar?tgzhDNK?8FM@&)rx-(R#LR>S_%y-dAA%Mv_ zy_O3-5I^LCEd8l)WPR6dd8tuDUl~K~J?gCAf}l`GBU^Lb#LVSqj~vUuDCD=-?loUB zx+TB(mF5|1DB#`FVOVKcS$|2wV(V3$zLS?krCUa(MsQT^TJKrsswV+WN*S_q5u~R< zcABVo1ru=JL@wMLZrK-QiO>`EbqYV3>_|9v#zM@6eDKr7CU9qLR{j@l_V(x|72KTH zUsn{Inw`#VCOu1W8cJES_ohmHVIV)x>$wy<4rOr+r7YmjTwmZs=HX15STb=vMVPaG zb60~^?k$hWR5I!3rrDSCVqhG{d$WFsxtxzZ?&62H_CB5uM|eB@@|7bQxad2nT=fof z(T@^X&}^7;P@8T+39NC~{QVnG(B!Qq9k(Im3+n|8okQT$1S#41Z?;M%>N`#8#bc8V9=z$!y9915 zhuh7!hs~C4sO}az=sM<+Ga0oXd5B!kDyw|A5^s1{ew}&}GP|80DKu2IT=970z8wm_ ze)^VuW@@t@kqa92-NqN(#5*Ghq%Q=fD8Lj>$E~pJkA4ttB;D+h?#Ez@X6Z;yUIAuQJ4av=XJ!eafNG6PupFSm2n z-;*a7@ZXF?``Hys8amxQ2vwU0dk<9MX=x9 z(*V|YzX^-~0#^UAxhrN@1HgSofKHbg;DpBlIDZTPJtrezE|`hoFP!lH)#s%JSkC`q zrOEnJcpL!w|Mq40H=zIbnA;ya{>wtZJ<1N)FTl6R9}zt3_e9_Sv=Fe-00X#R*ZsTP z{?9%TFk=oNk^W@iA58pz{x1S51+XZrfNlNt6aSrg`;$*(1jxGC04Mj43t0e^!2eKo zf3gs8+ySNjs+IliZ_1Co`3rXAC#~$yRLB1`u<8Dt>iB!?#!p56&TcS0pZves%^uX0 za#-&{ZrN8mF)4c!pnoE2y{|JLrK8J5%@I4%v+3(i1Pu#T_qMqB;m%R+8V-U`xb!7~ zJ<)bR;!&EX`=WR4tWDD(o0{H|&g14j;gXT{i+jL?ZLP$E3`(wb0(f$x{dxPXH8ruA z^L54iUE287yak^`>hxy$n?lc>vy3-5*!L#IlJ(6m(#}I6mijffnzP^Aifr7?rysX8 z-|Zdkt;c$wH%ELr7i2sAC}Y=jcT!nPY49)~u??Zo@J_kteKNi5YU|R1?&D+M>p7m} zAo{Ae;zDfUzB0tz)37LOLUntVk0V>1P8;urTvT*GJ)*YZASEJ#aNkiEIPA>{UOld9 z*f_jGVS{y_o6}povzpw#uGT)#b(GW|xvOrTcDU7-<=VWr+Su?rz(9<<{jluEoK6&A zL#j)}B6rkuB%nbHFv!Oe4 zrIcVSInK$~mVjzCz_#H;nw(v^x8cvr92ldFYWSpxe|Yn{7XBrqQJ~|Y&&0NPropSi zCVo{!QO5MQ?JhRU10_}&L&T>#QHh;Cc#2zt)rhR7@3+q?rVQ30j0Mr8^%K4-*V>KSfqb>?A40osOVWJF`?=v5H7Ih z8nRk2u&GdVm!3%&bu3z5TB~O(nK=(J7n^x?p{e!(>8NUOEiqt+u25pD-tKJ)*_F&K z<=Z)1PnG?neO1QW^<5@yb+@B7+N7>@VmpFxovtTSQFAGrHF>1&bN%w83>$)?41R3i z1ZW7AcjpM`TbI{*m&_U51mPzjnE6s~HmG#l(bTIVUwjsgIO4~t^PzCYdmH7@InPi3 zsh-%TWhQh2D_^VTE}>A&l)$L&0yd`5eqj%@mzyGLZ+2-e90!~1qd5-7bD2q7KCoicd^+NSB`SUvreQqsAr)@| zcrJ{kk?!>+KySQ7lx5k1!R?xGm2rpLFu>T^KuH|&pxD6ma)MjULuK)O%9_Y1j42r} zWWff)=UxM~5)#Vcp>)w;<-ide7z2^Y6Rp-p(?Bqdjt=-5CsaZST$-C-=)O3N`m)y~ zG&m=vOu{$ug@ka4T=P`@5)wOeTPZKzz3PmcUVab^2-VcKo6`e=J;65T9+SSgUUQ)Z z6RpcuCPY=fDc|Y?JL+ds-R-Iqg;oa*VsB@pJy7RY7J8IHO@$a`7l?20pgYvwkQ3_* zdyj(oB=?Z{!$KTLbv@pam%BBZyCR9}u(*wBoT-ffIf%|LM5ZR*?=BAVy+ff>OeVRA z+$jWR@zuEU;_p5l(Sb<&+&1Yo;svg2D2=}@@cBx|^Pm7yQ!R26JJ2^_-Neur{{u8U z<_H*s4>~I^OdF^bzl3Q{6IF~)y#Mcj3}3ns><*gON8M% zgf`awN(rT$wz{uwF5=rcR>nTn)7dOFH^1{j*1q#@9t#l@F@wP<2kUv7gBdY!^z$Lm z-^mee#35lTGLe_X6!yj>1FGe4X|97h>G07EwX>W!Y*~ACM;`njwv_lKJXa{$4=3=N z@FI0}R~gXXTgPj3UZATba4V1?&GcL_;r)afFM3QdN2f#MMkNfk6XO%1Ei%u~el5p5 zmqrqY9P`*oKU(4~mhS@}jz1SQ@*Wa6uqX6IcNdZNSvJfheXreq{bTElXjG?BtQ7-Q ze8iEuPxc3ak9h(g^_4ed@`HgUVEQ9-bKB^91(Ux#0P7^kzL(kJ28Km)_!7L9Va}3N zS%Y~GJ)=6DiEJGER(U>_`{L~fRcBzq*At+wSqejFq-rcva<2#Rs?Hj03cB5M;UHJ_ z;$90t;c^b(RxvwFNg9$*mSNzi2nb^5dkrMJml{%Ck{^5XYZ&IA|LIYcx z?Ncx+drt59XAQUsforMY{5K={e)S4Pi`5E3K{6PRmql3940bYt0;%<%00{@flULFT z9Kr(`7X?GG5nt;wmEfC%##yJgsdTDdel6t^Ftnn6cPlt>$S_AXv|PL%L8@8amlmV- zfXsiUB3qzqMv67E+mmZRSAB8A&iJm)R)bwg>~?HVmAjKLJ^D=m2!1(=J{o9VLMfyS zdO0+!D{gO|5GKJ878NP)^2|V+d6W#%#{oCozEy(Y z!03rWguHNDxwbQj)J7o3=L6fkgfPpS-AcKAl z&gSH-pwLOMf*QQbGGk59gQ`m}eloOC{E_*EFF3q>u5u)-e;3Rrn4MxEvn=elPOi-i zit303^t!nWlS{6%@=U}v3axzT5TL_(Q2u?%Y(N7=sGHgJ?ZJq7&Z!UVAeO|9Ck$Eo zBSix~mV-f^k%w($A=gvm^o0SA*R(J?{+uPN(#r%C{41zabvZs4q3GMN^v0huKq|dN z*c(QyO*V7WTsVPm7Q5<{jkRo3c=r~7MauVyzE*L|ubu0FL1Q-KD{KY7)U>CcSyG~C zyW&tQbCwLefgVUYT~@>z$z_L5B_QiB|g6{IcS+Z9?fxrNt;x z0nx>fj5^?#e{$*DmN!)1OOzik-EzkEt9tQxJJ=#pBQ zJRqp1-j(p$v!Eyyw{U&V%Fui`EG|JIwcwoD_OLG?L_E*3TuH5p%~&f+so#XpwjyVb zlzz$&H9zKbl>!{xASHd}0F##K%y8S{g2*b*q093t5vHAq+97+5Xu*ESTOW4K0CxFW z=Zj$)S8{C9Nj|O$T39mTFJt!Q`?f5edsHHLBPEphQ z@A{BPShjQ{ofIFXc;Sb4Lz;Al6_h*UjIpUl1Es_Enka?5V{G8Czr=x3JKyApO`eiu zli|5l4)nT!CW(vjRQgy-HhP;|HGc@9dK)+-H>a1Yec9;{C>bv>Nd96EZByQ@L~7cq zGH-o+`L%1|DKpCdW9_P=vRd{w-O?=x(w#3|(jg$7(jna-DcvC@-3ZbtA>C2}(h}0$ zAYI=^&$;&)=bZc9d;Va(OJvsj+cUFg?|J44fv2td_jN+AX=?b~`mXL%n5-Tl74U5M z-QM&x(C|rrYPxqOt2L%;!6ct6XB0BVF$IRK+9yr3()t|oEM8`BQFpzCJN3|<^ru_O`lz|;D1}_75CmH7plNXN z+9)Q|A=oy)X56b6XiboGCri#3oJ$TYj8D3ySSrw^9`AdY)JZ&+sHH07tn3RLGVoe` zpC9p&)0I&kKED`BztpgmW)lB>BwqB1nw-h~Lvg)_+>BLRZaJLE7{W$8CUOA*q%=qV zl(`o{-1459FoX*fqb4qouUvyrw3wsK5|(nQ*+`uY{V5&2 zTEVa4X?Rj7iB3 zgjiSr3=&Wu|6UsCH%iD~mi7aj_7m3kb;|rRU3Z7_0fc`5dWi0P*s_tQ_x{M=Y!yzs9})4W|K)hCjn;UvI8| zrswYHM*s~9NH75`7rtVCtjs`A2mpyQas3HQ`Wq;JHz|Kam%q!X|KIwJ8NiW&AHa;0 z0{}|zl0bnBn7e=ufb7G?^e6rHyKlhHW)^FU$+3l}?JyZY-P{lmTR zQ})ZZmHMCQI99+T6d<_$t29=?3iD3&^H;U~j(P(Z@zZSk=gxpY0O)<^YWjPp-SGq2 z0H@6Vtg;`?Iln#4{+T|zi}GOxTtn{!SIj^~%$$G~3Gmcs0nlBhKRE{a<9PnuYyaG1 z0d(ima_5`@th*clJru+N)C5?3FazuEpIQ6PO_A{ku4%Uo>O~<~0{U2mHC=A7|{Z8iIgD4_M@W zZum!&qF*%xR?9oToSz&1akPKc5Ew$1Uufk3PUT;B4jXWe3)tfP;v4_??EJ+y-g)Q% znMS{8_~UuTcY_a{paAB_tboPJPuKYMZT9!O?LRrs_%nhgqu3u#I{vfs44}ck=g{wL z%{%eoe|Vm;g5PI1Q+rTSI!}%z`zny6wdP5=k;}x^Wd7t7net~oT~6G4q{v(p%ywT+ zH^ey3@HNVdpDIu*!-vD(4}X!(++@FXHt+<8(VBrlConk1&4mPg&3MgEa5YDL{k8n6 zsLT3{Me38?X=T*C@Jk}Z< zjWpGJ?tCzTn2s`3qYd`uGEGA0iUvLfn_>V)07)Dfg7Kw+_p`1Y$ho8T*a$>J*UZer z_cgZs#RhZFJw0w$iTaC|%4tH;3i%;8qU2A9Al&ME0^&=vO~|n3)I;Iq-iyp5K0;d# zrhU(8o1wVF*AsGK6ll3AwYi%ti}Ct2I@4f!9_N&}CPFMpgSkZwS*8#UWsx!TMdrCp zL;B~VH&w$rDmJybjYspf?-J5HrD(Hh4Q1*raC@wU{8DLTiy^3lZiq=GY&zgx%LPpq z(V1&(6)ViK5fup&oe-*o*(5US!wPj%TJUs2z9Fru%dA#Te?o2t&T|O0R&-1(gF9XI z0X(xqnf9aoiZ?}Qf!{F_hhs5<)_Bbbq0|m@>+yM_F^JJ-@v*vc8Oh14?CHEjHE18( zlr_L23|B1onTwe3eb7-%?tquNik3lUfuNF3o?C&q$!HwR#!y4}D$4m6ZBM_^KH(D< zYo{^__}Rc!krr(d!VW3?#E&SXo}u~BvZfim7RXwpaU#T-yugfv-}Hyr7sS4-P$5hc zkeqpLZDrD+ENai0=h{~v^+`I2x0^@Ffld6S&tj=Wz+ha5@mch0$%8V(md`tU50u6= zKGSIEuD|zp(>92VyJ$te-&Vnj);^P1w>XI$zmw!NojJ9Vc*zRyP}Eo$G~*msM{fP( zeSoELg?D}l7n7;)GHfr{6gxjb&Qe&J6est@FaSzzYF%H{c)uvh8NyM!`| zlY~^>7MVnx9YD(9Vg;&b_PYfQCcway>>l55!nc%2LOh_m1$WKkV#n{al;md5IT$B( z)x{^FLoiOIjI0XDcXp!S@!BC{OIGQrcQo}$LABUnvU1n-iaG}aKaz7=R?&seVR{pS z6OsME;fZ4*@g+SXf=g|N*GwMiBo(Fp1g{r(>#|TBIg?Wtx|eI5u0k!5)7(C8iasre zlc=I9%41nW0|;N6>D-SgAtT;;Meh;HK3(bLNcv@%4>60-!xMtBFKN#+8M48&SboyW z#mNnJWYOpBv3P<61~a+8EMM((OIVc=BNlFwNVh93#IC_aY0g}iwi&YQO&$8`1J(V9 zWC{C|gkYbg=;3KxxS)|`&0lxQf8MRq8#meiD6@*>_b?XujakJOr@?22XX0!*flMzW zumoqor!|!e$DKvDCCyd~{0+KD#LVT$1-XQjCK}Iq=U?MKL!m^J5k7)zEvMhg;>|+W ztue&MOH6=iqqp@d%6oK#7Fni^7JBW`7A^l zqg5BlDQ!ZlXCis^-YAMHfR+V%f?-{@b6oab>Y$dp6}y23uERjG6iEv++NbSjAs^DLe5+kEL8{|%a=}!I|c@U7kLi@Y3`qQd^(3fa}`X` zu)F<~r#-UTL$cmA&)oIy-d19g882_2q4u24$0g9S=q9 zMTW=uq85@A5w_!`QdAOG`=dGi9x}DB=aNx;g>`Sc0V` z0wtx|+Qp^(Pd|c{Ni&at4BjbrxzO)l9w!Uv2sA6z)i#)Ol#3%a-aZhHGd#NOe@T9P ziTuLw_Wo7b$>q7yCV7!BkD622ZR<)G8dN;pC7P$pY7JVTm&GE_)k(*Wj1XKcADoo7 zm+a7ZM0-$Q1zgy!hW3ZKPl!kS%^_56>Gd8@kcEvQMsY(O7#?vpqNZm%#0J~(`>58N zYFFU#-3|>=Eo6(Nq@jSGURO0rPE7MB(^q-$=_XgWoPE(Ut=L-D+K}}B=t%JBbF55n zHc`G`cvUnI>V#R{oXH9{86O3n%d^g*B!h7o$=!%Daw)nlu2kCvUJGZgY_d6I4>2%p z?$XUD1BX>G7QH(Ybs!uzvX1|@dVVaC=LI+K*1TcM-vNq z1}5I7ZB#K5GTA?79EMX6ofuDV8^Vt8cPlb%4c(5QXbF?_T31M=qp2s#ztT>dpKtGj zFV62Z+OlwBZ{#1-sDdTuk)vvgKEatiXU%#?sD_3I38GVXEw2nPDt%|cjJnz#fImA; zEHIVvamP4UrN;@&aDF@?!$VP>EBK~FrP1M@y z1a6$)(meLLMOjxZhUR@RPi)FG)CHwASCu4HE6q@>VA^wae9xTL`GE9yHLHPOwLzN= z-kOPZ`~^>OYf-gi{6H@!-FiyLS?B22T^T8w;h5lxu;JbO-=|vQVUL@eUVV!F>|ML` z0(y9Ro?CW>Cu)*qC#%U;#&w~Jny`^Qr<^{TatYz>c~plb?T2a9FYA_QUiY3%leke# zK92OrIWa}pA4oUCaP1QzLmi%u{+w26o5{OyQA>W2moNV6+&Qm_(&Lyfdo3OMO{Egd z)?j#quD~b+J1@Jd=_6SAX|v}#l)eUT7&~dV1+XkaQSL`CT?ahF{c1E9pluBHJQE<# zOHg;QUW>1W#J|Rk0{{N%p?mlH-yn0g-ym}!SNiVnz9a5_7l``5!AZK!W01z4a0kRgD>v9bI*z}|Dw7-AS28_x)gsK z{C}p~ez%JS097u4l+FwsFMxpKm#?5X^RLm%zbx(ReEerhV+BAi&{s9=x7q-yE?^T1 z084j({-4zLugL~r{XZgvUvH6rrZf;cFyDa_BhYW%2I2xth5&HrFH8I32;}GEqp$bw zKT{wpa9qR&^c^#BpK<}lPhZo>fxf$w@d7B;uMZmj0x9bSm*2($xcUO8em^(-xH8AeV5nt z8&CxL-6NJ5fl>cck^ehpar&443WZRigMNiK| z)Vt7`m&%Xy-)nlQ4H>Jdy$;u;%c16^zT%f9%y<-unk;QcXgspFdybbs|y-0Y}<-BDu4PSb#9p&Y$dE;@5Y4J(^b5N-5U*GDHa^_ z1eoXG$lF9wh=CC)=%41Kpwyo43#YiN&|=2ZWS-hFuSn%IJ!NLP5rFT{!u{wN^iEbO zckhY%p+@DJcI04xv+z;ZyW$qaa~ z18X`v2OA(s08Y06*p(TO>I44gK-N1u@MnsS`VKBOMvT&?R_2U?yu6HeU%)76;9zQP z#i+=rtRQ*!LuKONV8hMG=wM`EVgoFM4E8prRu~?d{B*SQt&M41qMJUtHXeX>0%y;p^Mn-<^1TrzX2wFTZQ|CyVTNhW)>2 z#15GJu>fbSKOyYjS?T|(AqOB|0iHEKHT*iee;>QQUu6F?%>BDSjNdVLX5gLlKg8UN z)wf> zwKl$)f?}7-DE3V*^wjofth-o*j(kHB?tode3z19{#fc@7k1bWFs|;n`{><}ovwrM| zBa}#G&e_h$zdTCJbv;)eldcLaUqPhl;zg#>8GcV`TIni;7z1{Bc{~E=r;i=7oQY6T zENvC;r8|FTs-3cyh9#EN>Esjq65Z>E80hM! zE6m;0thH*l9`CML9uZL=*K5V!Q=T3o8yF?+98yRga|{jJby2ebRMD_%6HeltP?nw#%{YB^b_-WE*QbnS5NK=$lYh9A35@S8d!Eixcu?S4fy_^Gp^Igq`F}bU#85 z+ZYZem&OkTvFln{`w-P@Qa+mCS?mSlsYrwN>b{P)s4u2vf}n$o8-Gm_0e(*^c$C?> zp{_T>sMhzfoppDbu@hgO?5v)a!ZQc)$GcvMb#*%xyLxEv_U#ishV(<}*r8_PCD558 zY<@91)ys^8PcY3N;dJ+IuU@)$b78Te<@KWfiRcnvMOL0o${4At6Q&v6TEQwFLhR-~ z_A3dQ+BF^QFPUa(t7V*M!(DEkSm)MteJ$W)8?}plox|J3ND#=Uh~({Yemr3KFzTub z&miX&CC?(1m@?X0zTmOF352Am(R#dXf<{1I-LeD8n3fIp?66@Q51zVbT|OrkCh|ch zLIZ3;Ehk;YL*HzuY^^H9XB0Nzm$Jyc?A)K>}`L5CQ zg_qcF@blOrNA`v|+nEdd$M43RHeBx?5t7{JNv`&) zUA*VgA4PALD)D6|Bb%^Onwc6i56US7X^L9GuzE?-y4ocnAX^XJ>w#^cAf3 zup}No`cBO7Pd9vG1RzQJ0OgqrS<~XE|SfxNa zed=uJ6;WS{QLdLuTj{!V8Nu#Ibu8y(B#_Y^3?F)k?5k2;2&>%@HtTKMw8ib!<45Tz zx!E3VPeMQr9<$zFanJoVC_MXQHzjGSnkdP_*L(Dg%>Mx0OQ}FUdQ<&813c%he_1-Avr(Ps9 zg*m@Qqd>FZ!W+TYMj}Y|f3*-;V4fTf3oiTO(b6-mSF_{fTT8hYob>wd28-sJ&Zn;9 zdwW@X-%F|GQ%)_x+=8hWT7E!Swwz_}Ynm~(xnb%eg+KQzTaYoBAEiyKFeO>6>0uJ} zF>=Ss+?K}zC&~-q90rquOid8TYKiZ7g$UxwhtxfJp|xU8v96XupCV?h_C)Suoo|EJ zW}E6$Q)gDg*_O`KV@{E_lA_1y6}Dhe<95Z4UOBfc%&`^uLFmt`XQETo9Sdsrqu=|- zb6Zz{AW$iB5~O8hRyj(7uU|Vv>qhDAD9engnf4@FF?piM`!w4WwJ;FqP;J7JY)sb` z5v@Z82&MFG?r@ts$;BvhX;Mh}$!|m%jf2$_WaXCX6KdAFDT0Z9c6#AP zDXuCsIE|)ZM~)?jvofx3THN7vBXM@(7PgpoE+}g0h-3&vpZi!DJwDow8G@;9&GbBi4FzRlg zAq?rj4dY^df_}319Pg7+x;!UIOC#ki+L9iZZUxhjTiUrIJi}CFCwM0^<@-Y~7@~(u z{aVeY^^JjB?H=!$hcn3MgLy zRFMWX%`1b>WKzN)m9lyH2k3nqL2w-lN^eIJdl>Q~BO@v5=NrNwzUhQN+UcF&rCW*# ziPXGR0#5|B!lG>n!_esakC+vCYVb>`zyx~U5PUGsa}CRIz3SUe*aw!=>kxq#?ZN~2 znbFI3M`_%6oR5;~J9=1oJ_yrJ_TWAwZK8WSE9&g4Kqi?@xgaBWsH7oag<1=GcP8nT zY{3dmzst=259D;8%iiM`1kRpukUTrz1i%-yCqn(IBOof=~(jCh1$-k z%l$}^PTNKU!96OON#Awh6WJku+o}iTldZc|QSm|6~>r2Mdr8%?0!tK(_*RVl04moCQFR*Z_q#+n*7Gzc246 z81}nB<-0ffuQTxP(Vd@k)!()I^}ge)H^uLpfS}`K)_?=<;-|ttx6F`5*9{T?qzj1u$kM}QWG(aQ!54Saq z_*(YU?1!_>LN7<9JJ6xPqdkt;B$HpvR0X>+noTv*irU?s%!dRj>Ym-&Np)|Dkjx z=mRfOLtQFk8|OiZ>U0*(R7p==R*A{(rAIl-kw096D(K*IEQR?!J~$mJfs|X9qouLr zsBNNts2!YhThzhBow4@ocYE`9*a(mC&oh)qD6zT@KVanLx zcoTIe*zB>x*eZfYm<%N~l&FAicu`)(zjAw_T#8n2{drRtj78>}xT}%A#ZhY{>0`Ct zym+RA`3;HelkY`lt5urj3kvJH5o8(?L_A$z3b)J=} zNl1H=E8oIp9YY`fLDSwuX-LA;LL=Kt?&}4QH&kPAS-n8X?b)l4p3py!refg*_qR~$WMhto&{M14olkw;yM{*oea-%m% zB^vj=bis9#UhjB;bp~FXdOd!R9#0So*(_%UefiVUJjuPZqUW?b0eoIzJu^8cMLBKu z)fQWJa|hcDTYzKGL&y&&$o9(BY*)6{TTEIUAn{x^4ir%1Yz<*!S=?!}&jZ_bG?;Qn z&QBE}CxMm5N~v;P6wHqKBT`&Ax%(@lF!Y=c`(%7R4%lwKEm&bQlJxcM^A2>|XB8FQ z>JgWopHGsRJ-koWm@_uNuaO14>TQ&}yfU6TdGC30(Ui4};xZ`4x`LvQXXLHD-jYVN zb79eJ!ilmq7UUtFu;cblA(ngeM7U`b8}}D}2lWxOW9|dG8~pP%Au?XwptqT<1gJ=% zdx(?u(?hK!$IPQf^i0-Cn8Py)Q}{QIm=JvO0ZVAmqcOewS* zw^`sqdF!n<>BCtdbjA(ef!-CXUJesalXR1?ATPhQT@edtBGA`#D5jn$m1Q=L#CsYG z-9QCzV?N=y1g3m8E1Z5U<3FYy%|Qj7Nvg!ydtV9jf?H+Hmw<^yp0VdXOg$0?tk31( z@;w>_)Zlm0#L!tv^YOP0H`i+%&DwKU`#YB$M4uaPt}oW&bD(i5x7BRG9)=tX#9>qI zTcT%G<)m(;zVUv}7ntFE)E;bt90d39DQM1Eg_Qi+?n4+K3p429Ei>0X6=K2n@iOE4 zHMr{=eCj^DMZ&Pcr7e2T=Y@+aokbZfBYozwvUS8L3=PRvu+H4NY3J!zu-6t9Vo=F;`D>VziB!iM*({xJS9~9uwsPRa zXyS%z@ia)oTUqjT6WHw1O^DpoL`FL#9e)CH?(mxidhKhQS8GoYH8a57jnol?KA}yl5Zw=>qoA!BL_f({Pm4N64LuEN zX*13>Njq<$IvQ{cCqA7r4g}HK?^KWH_b&M~VeXWtESP6@hAtz8UK5{9`5>3QpYL~7 zwr*|r*j%|rvek(=#&bc5Iwzm5l6C%&w*+_WxF#hJI=Wz{wJsXqXE^G!C4$$=WhNs! z=<`dX(xE+f^k;|}4XphjG|1Xtl4dX!PkLEfB+mJCuUsnv>$KI0UV)*jV!5zR!vX=4 zfoD$FWq=N7)8*=M|fWhpebOCyED!(?+b#DdCMU3Cp;>%A~&jn|i2o_im zA1odyEn98v#AM!=pjOu#NIdH#3+qHqZyqY#0@F{p=oOmqdbM@sKJ&_LJC#p-9*5LT zY+jh4$(Lz%lsq&Nb@9v87~i;#VtS6iwA<4n98zv>ewX&DIV!Pl0r2Njbghkto|jCI=MOLkX=eCb$fcdxbWa zJdu#xb1n%TqTy3#Y%{%-_4QN+jKRKRk)6rVi)rd4v#{Kq9hM|KAMlx7f!XBkUB%D5 z+jSQNiSSCN@^dIV^rA%R1W!n0R>$2b=|lkcWN0tV|WP?ro-3b5Npjw&ULu{+J%!h&KDzZ@{uY&g?n$)YAgO;Zm;ff1_N2z$RqjZNDrpDVJWLwKUA+j z${!GlZ{j8hx;XNW3ubfCua&rRcJ<@5fjIJ)5I^PI|7cvmNvv5x3L+z@4UU?H%6yKJ zza5~hPU+*zTls;Fz&K{+3@nT4G+ZwOx_Kknd^~%;pVK$1YKy`bw|=l563ngFev!(^ zs91{&wxq$Sd3r3|%_~o~Xs9-Xx?}?hvgTsiNBqHD_4 z-{1Gfg~d~|4II~dI`0n+-JB7?CLK9P@DPeEXlL@hNVs+=a5i)e2y>*@(Z`(sAYuAh=fAFjjm4;H7 zmitgqkukyV1*({@*HJD015+J~J@SJ$BbC~lYm~Jwh6hWZ2h!!0j$RTxgROEYcffnG z$1pAFTT-KH<3rJIKhDU+9jU6Nr;~AZS(KSSS?vL{@iI0^3n}911*y^YJFdb~C-o1_ z^G-}8`8RMuYoRHakrUYs_X4I`C*1qMDPOo=6W-&DBWlVB1eYNIvl*ZIf-0?z?abl* z8j3qowjX^vAL5y@CPi@BbK33j=vYxOd-bu;F(a#?44_7uNox-GbHUmV+qJMW!>mM8 zlmq;FEngDGmJwYIHKiweQKNV{>IbF_FuVClV4n#c1k=7MIb3hw!C6;K^B&{fsL7lU zH`KWob?Lyd_H4bxc9q*?lKzy)`g*btQ%*tP65&ga`7|1) zmX8}BiHJ;VAMc!Hg_gL!L<1_uHdBYn&@wt&gS%#IOa)Tpm4JVwz0yU*wep%cf2unXJ z8o$fy{onfSx5|KCV+H7W%zzgnCx9E>RSJyQ-&XdMHt*}K_#G+vCn{sTlc)lR`**{6 z$B?@#6!h!y{9~8>B+UCRa_t`}43ICf0~i)FpfqL%29*_%r*i$RQk&%`AJFe2-Tsln z0I-b}5cl56X72*GS?>yEy`wz{67%vBGb$1@id!pL6ElhsQ~j~aehhg3b|?R%V+nW` zaDl$5EAK#5R-jTAPS(Gz>?aS*A+npZq*W>x` zP(X%XBB%dggars#zSsbR+dHNx*WLUFgqfTG?#u$*w_F^5Uf#dJQyM@z{UfRHyKspA zZOXAR-Fa>PyFNC6!O9NM8~(1oKPbt61fDs5Ov_;ZmfP~T8d{DY(=xtq2&`%V0SH)6 zegaL|z9TW-!L;9fBQQAtLJxHs;ess9m) zgyTDB(SM<>0O$HYL|b<>9>+|xqc;tf4$&vkg!Y|gpTt(BS}cYX>JRRcOUek6ffkWP zd!Z70woB(;fctRvPL`XSqa=sIf$-O1_A~203f0zW`WIT4-Zms>XhL zeM<(jM2Bf1b@wex60JO{k)Zo^--lDxQtJ}_r=l4mwIM2^NQc82aG}Z`wHF)lHe+Dd zm&&+g%I{o>OWJ8ZJU(+OJXICY_Gj@PN|#7-!Dwa9W`c|HS(AG%>|woID#&*Ih-R{B zi20bit)u;|5BBDX_7l$8vZqhnKKT1y6!Z1N7Gau?Ikr2d6cgF#R_*wS69&9XujSo7 z+cIy_3Yt0LjsAE%#37rIgsori#8Yq(l}I#I5_6I{QU=-fcC23SEjKP}JM!#;p=vTG zd=^OCGK(s&B8-w!fn_K~z*>%R%4EtggWxUmrmTGq7D--8z?M#wx}zn=Q)~2u(GS{_ z_>I|P2|RdOoNJv-lDKw)xi>!M?cHr-Mi{y!U6BcJxZ!7);{^r)a0|V>cGNoCTlvzZRn|XwrKSZg%Tr zF?-w@e+Kk%ps&m^sUpNwpP~Z#IhfVy`R` z*{Xoay+e3kZbLtB#gJ7FjeV=FqP8d63M@6X^A!+k9%wr(WNutTCFh&tL>}(TXz@6f zTo9jPT#T2Q{&8qDwE8MtNDGtN6tPYVMZl8A>KIqc!qbJsx?=O0xoK^}FZKaNy^t;8 zSZOhEqPLltjiWe zl|4w={}GG^l#Cn+DARu_SKk}a1Z^bz{R1Tfd?KCgrc}%hLc?J zd5{lFF+=Nt!pxUW8#1%Z4s1R*J#mP z$z?SXfRx5;Mjc^pFpUXt7$kht5Qs0ev z@bNvUav85C7sQT_2Tw3sBr4ZkT|zS$3nguL?qs}Bi{*ev^fHF2 zrS^3~klct+!too>?u!JTDDKUBOVr|9sPGwfDmU##l5d#e`8tLL4+iwq57t(vPm`aQ zdb+n(so(~d3nB`35_-PO{%l&yFq*VgZ_8<8I`?@em5G<`4673S3s?+_Xpb11Z*oNu z_Qp}Se=*WjcPutXU|oBp=oVs?X0rJZu1~0VnU!OweOn z$waFxn$;7rWJ5)3^-*%9!t&4FkPDv!DVD6*IG0MyUlG;^j2~eaj^#s(M7?$`8iZOI zU$?D{u_bwp6J`;M3C4!Aq0se4!}{aEASMr{Iiy(jNV00_oc%0^jvCI9zi5w-U@!r? z`!r<0vz<{sJC9KSKzYcM6%cG8y;$^CmbKE@Ct$LtE4UyuEU_tJ7~ctJ7|L`-{5X~x zihzHH-^9`LaST2KoqQsU5q3QW-2#?yE$fuFMKmaA@oEOL5ub@7Z?cq3*)N{Is45wSN!~F*Sj)6?Sn2Y*MpK!)3P6jP6@K-)V z5^1SP&aL?-knjb0+LO)InNU%heRQo*wy>|x*2k4kRhSAU|Z-a1Tn%7`Cqaw zvY;^vOWU|3_nx$ji1ATOSgprNiWtdyyk6$YuLQHBrsTJOhV%9W38OYtNJKZ-5)5Z7 zHTK5gMf%cJ#VzAn{O!io4dTEcC)@28cNuFdy%+KSb{rlKDep>d@w@jTxd!N(WBHQ^&H3 zh7R7w_cgxr*}(qTrdG2a6F-GKkA9WqkO4M3?X$|;TAN(IYkQ;@z#boP`2J?5Irok2czU2d%q0EHtMta) zH-fgVhVu_O!uXbjpyTindoHf)w^*Lu#^h(0JRD$tS}uqgSHlu8k9+Y^${)8bg{(W- z$N747>~XurRXRgtK+N{hsFR6(a<}D}-0Xt?m4^y+j++kgrR?p3%Bxc%D|8Ke`QV%` zhzlZ?j?Al1ZDJQ6&x8qUvkd8eA4u4UPUlYG+KU(ZeJ4foTkeM!XPH+;wU zAr7y#T450#m+SyOr`SnDI|$Z9T12DH5rr@zdUENIL4(C1^c#`e?Yo z9G6zK4tS(;4=z9QY6rXU?9BPvP-###j*8bTal%V&?Pp5*kJdlSql6DV61{-6Wb|zB zYEYXr1gWDFS79jbUs+a}-akngzj}n2yL{dQrf|){HbgZcXa|Bf)}Wq733I#9xyR}H zQQF7wWTvN1K1OI#YH;q;b|>c5{;K=Jx)vq_L9@~#rN$r+-TniMp#*CP$eo#c-ae4h zdpd7Fak8O~?y8UGQJ#`@-cVENbjjRe-As_bzSRDlwesnL^)rmusgKtq-pR_(h~wq8 z%Z-a|N7{0Fd(i%#4VMv!l!MS%Ywz^mb+oAR;%FyLtGPJsW(bG5Cse&|l=_X|VtEO*e3{`ezsAS~GDI?eB^~ zhXnkDF!dI%Jf1)+-7n5HcO#1p>$lYnjK`6;T1!uiWna#Me`|-THwANIle(MC7@EU> zt^U{vd3NRTN4k59S208({2mJk!mn*nMbRq-(PI0SoUhSm=(X}}w1(+W3MOYovJLY` zJi*v~J@$S^TsgkWe)zUs{(;)|Z7=p6;>z(g1rhkw-^gb<0JAz^&-aJi8;;*{Z8(0* zwc!B#sP1-!9N&_3fX{Ep>mTK^-`f1X5&hq`^dLYA!2!^S01q%g018mufY=N+z*>(T zNcdp>GpgI4%kaKk#y?XUGr+!M0=kEd3t-&=AP6&n^#Uw9AR&kW$oTvvj`S~aC4j*G zfP;MN*ng@rR=`OQfS&WEvj`crN8VfL>V>0G)p$H2_KOPjgfM0QLNbfX>~0{`+_T4(Qy8<^MxK zr%`j(dYTj6b5Ca>zMc9}@u6@Q*^FY6lR(LYQ)!PL&ZHJ@MNx+keGhGqjJ@ae2OEi` zXu=xP@GW7P0|U;Kb6aCh!^v%{E@J_HH);$)2srr91XZoJ(HCgv zET$0AU{7<8t9QyGVLD5Qrjls%*b4@H>b5VhN*q$R+;Iz585$BECqfC#;TMQ3VJHl6 z@Qlpb4aGzDDjtyf$;4lpRb~#`@v6RSV;fw38c^2HwWf#t{%yw!m*{I(={hQT=q<;|sj~n@+m~ z3>cC~`IK&8(ONrB>Z>q`Ye&zyXRBFRcpW@ zb13!Gw5N+_2k6w+8awL*x9FwLtLb1!`!!$l2omB*<{2749C-_?mi&k=PA@vQy4lEZ zy(!2lSBN^Bxq&Uv@_G96LU(vqPVgO0c=FJlhN&qVc#Uy_eX28G=EOPq;$qT>E(z@|xG_Gs&YcD4z;+wCejowDFptZiY!c&yd!LBdCf3RL?lAI~B zc7>sH6T|f^v&(%W{+6EWLABV+&X+$V$(yNE9 zBt-^UqcQvTgBu@wwMmsAVg5Y?-Ai^uj10CpD-PvME$U5yknqAs7ipQkX`Q(=_rqDp z#*-F!h^LVxGQVh2%)IkATiq6V`3a_i0^3lI*uh*wxal>wO=jm*0$b_U3+ywdHm~Rd z4|M$icf}`~x4O(Dk%5O={#)0tNef}{IW?#=i!q%c?u~S_DiO!bU>3MeS8+zbJi+a2 z%(D<^FJD<2r`%WSGZRiwkR19v%vch+$bWJ2b|N_qPB*7}p?F$D_}(TO(fX2Mt`E6b zSiLtsLdCjLhw>;Ex6IY})yP}q`3J1&1y+-pgcV=pNyW#Z+-USC>n+VhB3ZAy?!UAQ zATq=?@H8O;c|Xrt3n-r3eQJS7ggRaE=6=k}gWSf#BxwD5f1~VSPP-g$=e8t68l_7$ zterZ;#PTh*3Maz8x(HVDiJbit{|#;7Z7K4%%V(hxinN&UpfAZ7gc!rR_n_cs=NK0` znH>6E2~hM6x))R&m%Y2R;yEJt!#@U4E$FcXD}3ZX!DPjInJLV?WAHHHQy*D~U>QRg zViZm+=}=cV&JqRBVj`(c8D32`-5_WDCxS+AG>%s8nq7=Zn_Ud`t&Iu2wRbpduIv*c z!RL@;^=H9}Oo4m;zC>afNzrkBE1BlcpPOS0wVZ5(k;9f!MwdfvRj94$Vw$x(ZX`ay zSw2H6QOs7)F8jExO%`BK-*~)g_88}JB8|vLvZCj9XXB0MSb`(LsnrGDE;#cwM6x?& zvHntFPPl_4Zs-Qg^g++i$7{FkGIFM=$%e-)FQYc!KIsy&()@DMitl+l&tU^U-rU%Z z0e;~fP*99u0^_A49E*e!b;3+b(+2TjQHcOoTMr3U)9tBR61!RAhb2xw)+0C$(P=@E zCd*_ju16F-D=b?JiJC~*w#*VJkZcK$_OREbbajV&2mBrTV+da)*hH&;TF~XD5E^?B zEsg)#ZBw6?P+lkREW9MRPS()A!#l%)((4#1r&+i?q;(IamV8^!X|J(caGB4!Z*9qz zf9&%Eyd8G+xD)B1n_TJ-@>6M}go>Zb(c{fw9G5<8O(V~hDTcVpuXVb5JAA~`OR+c0 z?wAjm`MAng!f4QXX?`YCInQxnnj8-O+OT$F;R?w+1p84^qGKx)sWE}=W42K!tjB8i zy4W-e=EQaLPlRbl8guZG!tFf*j!YZgxjtqqY$(!Pvd4r>Z-388JoBkVBySX{b0~*a z6*tiAe2JsG_Y2;GYHocwpP^==^spj4hvI%}dFCgvKJY>9sdQ`ak)!qEYLU5nD12&K zz-0~>;%R9T8lf;gp7<8z=yh}>d;-*QDMb+s35HnFWl)dXyUC+tWfI*R?+H9*Q=6i* ze>PfOk2rBa0fqZOy$OOAOMKvcIuu8su25%hhUWIi*_sn#x5IS;e;P-N#zQn(e>4ot z>UY(+!;@mo8v-)NiBg5t1IGh_R(u-H@4ZS`Xj;ny0_>07T!&4ddeB@Q6C+*UCI>1F zYhhFLEQ?rtL@cipWCV*GO73*hDTsQoaFq9e>ydE9I`#T1x^e}G0$C}!&s%wK5PVIj z(6SC}^lHoNb)wF^tgTNAuSxoMRgpis7IRd8f@RE+cEJo$3M;>13yKpu<=ApRpx)DV zs9zPWWhiuA0C$flB*T=ggjV<2m?~|12R8A+KV{xsnNC-*HUXND^hxd`)(29F+pW9S z229}A+NSkc5RauM^wq94r=z$ePuNHLyl7Ck8zWkJcsI6TO_&p(tv3#GX42z7 zL&QSV=EqG2t(38FE7F85s~ND{Z1?Gsd?qT+Q#qjyouJUaEVs=Z1k<+gx zp7HkB_2A}S>c{4(L{~H1g1T*@q{Y~)S4ip<#aE1uQWAYwi}8(M8`B*kQG9_+8#?kW zs-F`jf<|73XR1lm`;xE*vt;WC=a?qn#%Y=RfTY^w5W66|PQoGBVi3|h{0e)Qy_GOmE%g;7L||>BjM3Dk4CpprddSf zIy3RWmgN)W82%ozi4A)pmlv}&ES61@x?RN;er;>|oY=++Nf8RF7d2)ri+kLuQ*C=U z;1P3duR`xl32D9d@Fn-0TL))o#*tyEQd`KKUK^T`@BqyzwxnV|YkS>yeDyYh@pX)e zfW8ACf5}GoAWXqa|H?p)`>TfgD8d%F7>@tP+gnEEk*(XpxCVE3g1dWgcXzko?(XjH zPH=Y%ZoxgcyAve9_jb&-LKDcCkTFu$t-|-}E zAsiXzua{hUaR_c?Pnx_y!05*C^$JqvpDKD#Of zj^8-5Ut2rNOcGi_zhp>B*Sj@AOqU7j!|(##1*@xge1!Nk&-kP_6=7_v+qU8V>(t2>TPt600v*2 z0?jvfYkLpJ(Fecp%%h}RjL-!}6@VVj$vw>^YMm#s62F^Co~x;3U5Bt z&Z!kNOPi@)INbp!Hrl6T8~h&59fbVvkup zgkIjgpK1p^sl6b(DKbHTJrtV&-ft`Xp3^_X*vgBTUX@W`iGd8)1Ko2&;Dpm7o{{P< zqDLXl&eQTdsvK#Kl3>ukgm8h}c!VU9&K1F>G<+MEr%Cxrv+m4imoZi1tFusM7O9!6L&4M5Pp@eS*6 z*7_^@>yLKW|Azkhm(I@LWNyD`t-ncs{lhJVo#~H;)BrICJ3zzq8~^p63`PFylE35U z|DUn@pAuev$L<^eH~7Da-K(%y5&*4l-ra%-)tWNN;3zv=8hdhQjMw%r{a?hm4&6~d(XFlw$Z$tiVV zhFuXq)gQxk*Y_)8PhDG>)H6-ZGPL%qP9Izf3*26b`O#HoTx3?!oJDFcUx?XTaE_~T zk+-@iWmd6I#EC%jZTQz;?QWkh4wi7B#oegeB2cpqBS#`tSFR6sKiVdP{tQk2=!9H@ ze^$9WhG6uVQh~t!-g#Yu0o64Mo*++JD@V$^eH?ZrCqu2$Ioj^x$WgLV!dpZI#SYZ5 z9+VThyPO+yy1Y3eJmY4g*){6oB0&6X_aG`64+cyyZT!-1Yktp&V6KsZFQb88zQ!Fm z^Ay%^iR)i@CZUl?i?$iq58t-zx*Wb}t+1YI zdV6vYd6G%>8DDNf;m9@ic3P?4AuWC@ z0_kV>&zCCn@{|uExD+j4%#Zze>14(ip{Q$RcfQGfA0Y((G&db4T%chfYvQY?yoM+K z#zvoU3s({Ab zBlT|6N@fW5QwovACSG$9jG7ze_Rtss>G6fW3FRV1IN>9!;Pxj6MzL4JBmwt~-bEoz5DX~?ML%TJ8iQD(uCtO#Iz8_d5w|XSD@?zJ zkSK|S(rtZ0;U+ipD>~`5QYh7*@KKN)hmz6WsWCCf@t_4=x-tlu>UW9+e}M@#DZvB# zoWwLv_Q>^h($9Nb@oBE3g}=M2(4~)9>&nae(ty&_Vk`h*y?Vx9NIJ?O zdfPQPSSpE=hACUVMjjsD<&gIEwU@A`aQRuNIEiR7b&l|n_(~rJMFop9ZYs#)NrL$l zg`*6$M`NLUPE)`TmmDGsJmTh5kd>Wp%Q|YyqUa1uHU(D*ES*|@wr=(cKakPYS#Vb` z40MzHj0Z0L*@{!sXss`8u^S^`ctERmBM)=i4SXB8X{`P2dv2Lb(C}i6m}iBl%V9*f zMGl5B_8BLu_opueG~gLOSAlIjQdFJ6*-B{MA~j7Hgu#56N{{nxxW7YQlA$ zkC9{nO=ldm5HrtnvWg_5eN3V|TZQwR10K0wBa5x((f>GLFRiCPv_howJyQjPW$pu-Sjp^vq}u#AP0`^^iG39DZ=cNZ3|*- zZBsExS@y!Pl8%4scHM*g4-;AIL!9S6lDMAR;ocz)SDQ|u_GRP3gIDZMOeEgn|QD&W3IUxSyb0GbMaxPf`_J@yW+BTYAo z1-ZR6n}+eye0XH=1H>BJGbrQ6lG9g8Zv~+YM5zp$6{*O|w-8bIx&kGH`jc=1aWder z!+nDBsCcS$yDVBy#Q{HQ!#C~Ro)0`T=59UsY z6muDGJgJ8z_^6#N|KW-vM^zAZ_AH`%T8$PN`_kAo%McOgfl7?}G=B0swR=JY(TnSK zb4Eth7?0Jsp>6w)8|xQn5+pJIjs<$%t(k>DV@XP2g)M=y?oSZ%jb0Mucrd=pHRrvo z>#)nJ3FJO`abjdvnaWVIQ za@9c{=wxv^jdX`mY`aX)ggxEadaQZ%N}!KK+;U%a|zBG7Mil3xXR zQH3vU^3E1f-j4(ZM8hc-%!8sGv}qOvU9QsVrp-hlUVN_+V*tO`;%YByvm&*oe0xVE z;tq%~xCkP}+>!bV?`TRpLzS}vw%@Mpx!mu3qFmtGIG4;QNn8Y8>8E~v;%LWr99%QRon_ey`Z0`J8Dd#>QbeB+Q_J&ox~*H0Wqtq( z6Lzu`TeJ@qmFWUX<`1^6Gd>Lt&U=xaBwD#lCm_496C_hF<0GG0daImqz$Z z^j@es3BD&D;W#JTK*IWohqynW*NL4{jlRqtH-ZD->H70sms6@gd#lu^wkFykVOcHU zWN6)p>x9#Xw3OoeQWr~2+H_1D`CwmYhljc$rm6zw_>-jlfTybfeH+PjA-`b+;It-m za#uoA{Koh~MafPcmrbQSKiR5Lsn$n~h>nq!(oU^)`)PN}lj?6L2^czq`5c=_*5-3A zu&g|@lLbFXTx2<^BUU$2Uxuwcu+KbIE)6;=o=Zf|L>dy}UG_Pv?$uqUaT9=|q(r%< zC&+Lc)64NI+8X6#^m@OEo!RVryo=vL+y?JrxhYqYm68$k-IHNDuxzV<285_NNMJ$6 zTDbHML>N}6lR8R_es;`}$5oV$4jF)Y>LYudS$8>xPb}mAEHO3iEeNvBn=cqG7m=^c z+M5cy^>TU4h)RbP@)mU(=QD`p*%F)N=+i!A0L6<+N`3Kq=WGeO1I47M0cV z0?cdkxvy&Ud*K(kXQVa?a3G3FvKo@a?btx&wSFQ^F|w>9V$Yb?+5q7gG8E2?RF%;F zk6|}xKevrHy3bviE3KWH5JOo@oEU3h6h!7?G~4<-S4epQv#Dkm|8`=)HaL3z%2y?r zehs}6xcku0PYxf3?RyakzN4}*=3~pPE>+XX&_N?eTt2CfT?$DYKmZxpB%<`zCo$?l zb)3fwK~M65aRl)8n0j=&+a>Q*yfllTTynxXv9`~CCCDw>&`fs4N`FAcsQlQxAx!Hd zkQH5G7W)d-|CNr6c%I&EyrhP~VPKgrX34dsuEmGPps%?xep2aMRqMnF+-XRE3?(UK z=drZqDA^z}hi`R89x_{Fw70Hbk3PC+G@a)T*4(xp&P+?o&52s3whQOE|jb4TC(gX4!6;8R&`@ zBq4k3Dwj6ewew@`Y6=b?4+e4y`kvv$F*ElO5_gv!Hc~)_`3M4iz9mH-$Vm=`4=m00 z$qk-M-)Wc*Aq?-t&1Sn5h%;6Q`!*OvYs|rfck}X&9~}17E>fgh<}w(kgigm`oP*QK zEW}$Nu%dZS?LFNU?`Ej&t^>7>anra&onvFu()RUsQ;+|U0Ia~Bky$#Vhh^fjv;rW= zyURBeSgf;hxgJkLEOR+Kw{DAlFVHqkWg3`W%wvWiK@~jR3B^YGVjOk+G>G)R4Rzp> z!H_&wp#KDH&!E;eC5w=k?lrz0cYA#7xhVLRxZqkYC01{w5Ym#a7!C1y0F-X3Cna3T zq3h13G#DnN=xq+8{&{+K(s59KnkCSFlUF1_iEH8kKA63oMfz;b3^sEuCDZvUW}8NP z?N@@05O*mYN+c0SQaO{1bP|ZZ$ag}6uX_(2dQ?-Ose7c1$`UMNNRb3cz*I;Qu(Aa{qZPuvh#zop<{iWWY zrkV&Mjym^x1p3?Vn7A-&oJE!p=s9rk3J&O0anGjg9<3}gleR^7mnU4r3U$(6#mV|| zgm-%k!IYNKfGrKq?vo|KK0mu+Gk=bcq@7zvu!t` znh$hsZK6lk;7ZvtoX-+iJgO2r&wQ78FXdB?%jIi8T9~!wqo3hx$iLpo`)em%jBz3D#o-1jD&$2fl9Te*%@Uz~pQZe&G=X&@OdVO7i5dI;*U z2Z;L#1i|>SKH>2#+|qa8*{`J~f5AEcLfQVY8UEL-!!OJYP|hftINCZp7@0T{vICSC z{}a}M{#QSrBcT@H%)b!T{QB&7Lg9ZWssVVm{_2xq1bEVN0P-q->+AW=KkBzIJa*3i zaWpFXuk_mAOZ$x^`88hunIr+2y8dBY|K&u0a0O5xD?q#S&#f;1HMGB9@!zm3e~>)< zlQQBD-7Wvr_X05gW&iIC-oGc4_)~W1?^FvbpyBOrQZ3n<8jjyZ;eD2B(n6KbCsGzH z*)mg=Uh?kaIqZ>ZXw4e--BfVliw!1-KJw61G(YsvPYbXkDAaecB3M26i-MYOfpR!F zcO_I@%D(y7J3M?xPzx6qM60H&R*lyb;X>!SR>SC6=(vx?p;tegWV2BtIDt`}Ys%6fMB(CEUv>q|A3s9*{kO+i$^}EeCK` zDA9rycLTELmK(z{KjdRTX&{mG}a`82<@bLY;8rtCsmQvT8w_^hNcaYQ>F+C5*`0w z9#1@N+}O5X`g7^(kDx^)D1PMdsnnM8c#v9;7p;VSwA;h`6B#j=rxm-src z?PsVnlfn2qq^gR$UQny}>6U%`>H8Q>3n`N9V#P%)1%`$UfAr;&nuPmEYV1Am8K*V7 zt`<}T=ft&g3z4e!9T7XDn0v~V!iZpkiHW)~>P6MbA?3!q%9D%g3u&WNz5Gb=m-+^m z_>@pFmlU$;I};y-(K|PqNSgIkXs6O)Ph&fjUW~f*mJ365q;b}3`J?~@$j}?p6Q7uh z^EL;srzHFslecAxb*=51HeH3?dsn4l+#%w-pDJa%M2T0Q4sre8V?Yk`KC&3fRRzfV z(?TH3#8p5A$Zj!)cXY0wV_7Fc9lP&Z*XoINix(^-+uSTH5Sx7dd0QGzzcpyoijY6_ z66g0Zhy(3e(rs%gDrysJzhx-1MgZDB)eo6eU0o368-2I$!)@E+@nEpq!`=A-OOnGY zyT{MN4H1jYbNY_w1o~0)$9t1&Nz6;=`|UWE zA1-an|FC_n9pKw(BDilMYvkf%Et_e1`z1tRg`tNw% zM$qqFht)m@4-l&uy14HIYL_vP0?3lS$&jrC1=naWKsWCAdigka#?E>L2+Blmb1u78 zqitU+?0c@jmf+z(fYJe_+SABmy0v?+yTbO4gVIzGhw92JjHi8rHROioIRGJQ#aW$U zENKVZ>SccHuS{7cse!j@;e2%FD+!mz_0b<8#6Q}&QTAI@(JImD#)%mr5vI)=AZpHq zDmsxP!3`k_@qo83RDce*5$R6gmT_xak0ML#RqnD{lcddye4nkOTB) zW+;$m>h=^aNJ4P>80fmjj+#E{uBp!)G5y7p7Df zx1Y@y7QN~~08c@G_U&%>(lpaT~{)yXt0SQq_y>BB(i z0@{01bl-y)q*8U|@*C$c9a)afX1wE`NpiSpUw-0CYOD(!`NOt4-iaRQJED$qjtRl2 ztb(-{B40BBn|F`gh1NcLD%**%4FhVe-ne# zN1&dEg4q1wyjE9mbw8BEFaZM3EBb-sjzsd?yq{%GC1-zZ&Pw-d9KB84BH@;mTC#GmRndDt>r!}9$_2lt!!tPs;1L>2D-=yr62vS>}ym`n8 zZR%-vdI(J#Dfv>}pw|>%uH0chA4>|6FiUjoFrhoy(WoK?60Ef%NemtCy&kx_i3s~t)D1`WC`6EcQ&U2i)qr?^tlljil1KoOU&3?QO zZ#E(hIHve6hPbUb=TmzoVXruz=xP$5oo>1wQhnmw+{3~as7vg@V58R7t(}KaL|x>5 z#9|1q){I*z6v{wW(ooNyuQC&H&o7y+)B|5L-u=MCg$GFTHI%m)iz zP4f#=%LO<^dLMN5aT2F7JkhO#!ul9Iotf{5>v*!F8DujJI~4Oi_ALEyr^oHVzQx-5 zDu{AQj!oUpx>|>W@)(U{9Vwz|bue0uGj}WeGPm77~N$X%<=+P3dpeZ zly0!dT!^`6`!EGePSPugs>)9nS`TIi#)+`H+Hhlg$^n)EI+hjjQm$x$#dyB=XCGZn z;LFRccr=N*2#r5~x+s~N=j-?}<@1IHI}#}gXmFS z{*2(FAr&qi0q{ES8*SX^e#KJH&xabR+MnP~#JnRFi8HQ9dmumiZY|tzms@zT4+;gd4sRIJ7Tz z^m#>8m< zc>&$Ya%3a>(MMXd!gLh-eb1FF1w8;k) z9BqNX+Y)j?q12c96jC;4aVu7!5Cq<2C{DLeQ_cq84?=z>9!pvbalD4=B0pw#m2sA5 zkRG6HJ+^MQ;)?rYfzCQ#zQJ!_%@rOG55{~irPRKA;I4z~l=Jlwie|52uhV|F)GH7BlIOKdwo4`CB7Mk~G4b0qFd3>?;8|EnWEW1-N z5BE9Y3a^WF7rCPH(qOQR&9|>;=81lTGnFIe{6&RAp@VB#?*%(A8N@VB*z}h;>{Z#+ zlrAhB%{q72z%NGHamnBYBxy^FYRby&i&2F|rVakQkS;hQM=z+AOuFad36kX~s8=KQ zqMsGVJK%blYl4F(dh#}HkH?444#=Xs>#iX?mX-^se-av37ju@HRaAz*`Xc#=b6z|a zqIC)|ug~iB4mlnBB9hcU%6#Dqu=Z0YQgr+LhAw1aEZjw_B&{@BW4Bbs*Myj8b8F-A z`QV)obWLp=wUD5J&Pqxgj?@)xZ;sP}B z9rVeOaqO>{f&Z*W_yrOFi5d96)*~?gvmSxzZ|V`4{s^`I4PyRV?F0W8R=fZQlYh`B zzk_5ZfJO1&1j$tZE8g$T*E&5r8FFJ+QT!5H z8e)$(_Vgo~n|R$NA_~lZYK2lI1&Tyv%l7mlVy^q8whBQ+gYoT=LxN5*6Z}rdUK^0& zWSxW@u35FKzPC7gR#(aQbz@a{(&BPpUsDRF>j(<0)3p|ysoeT*5s^i_wRlReIGGgc z@hBoTNE;0jl9|z;z-8Z5tlvc~_d!dr9j+py!19O4Ve?O&IWH{&%tGFFnQ({i(?6;K z8^AkJ;HMhByJN?nE*0zt-%wlYnW!|Mi;Ee6OqLc>hBBY+Dyh|+?=)09Lwt0JS$#Du z$!`{CFY72PWZY>U?!u)b+RmesJ5)vY>^?5qQ#n+5a@)}D(l`vhT_tUQ^_Gmvz^axg z96Im!4z2;>ZPM*!Xn&RNadN=)vb3pUV%bP-k(qIeBDFkGQd5ngdR#B9rBQ*FQ&DNmwocpTt=;gc*?7u? zOJCOVR)l`}aDg?!^!UPL^B~TL{!IN@C!#9cv)prcn-^Gg>!VaMh6YolKxoN)=_dSzvv8mYa1L zFpa{h4WT1Ti}t+mEiX*wn2U^O0VQzYvUxUV(~nGF9qykUqvJ)#fIkjQTIgMU z_zdZ;4<&&sYrur1Gg$|*!;FqF?A=D$@p@=t##m>M6MBjl*kgmeBq+R=P|(w|G`XfCVvyg{Mt&--l|Gm ziDU14yL(?jeLaQ2zVrO@euqtfgsA2EPJ5b~l2h|coG&LmfK9tY^Mdls%gjs)Tz;#j zzS3yNGWT^xoi-2gB9gRI8QRR43K|&g6T+4l)KH@G1`Sv}X2Rq0GGb|oCNF{|R;{gb zFCBF*4+FyCKvO{eapJ2<*Eg52ZA&T!HqM(|w_EG4vKa6SYP_|~t@61~{nL>Hp{mx% z@y6HlgQ#hfRN{6Dvb1n=3n@RXN2m=LsufG?6QD<^@V>0Rd?Za4uxA-bCL3I%k(7i7 zze<%Hi*Q1$NkttJ7@2(G!FRpGdfyAOqF^u-I{vu(lTpY&i@+FbYBrfa4w!*MJ+hZO zBM{wt%-|-D$Id3UC$wPg%xer{j?V;OH4f6Qvtk7;stK8GWSI7_&o#r*+z{+jcuVqW zmR@-yb9MKSLDhWWqo=aF0q^cONy(IF{U@Z3tRvt+#JmOz!>h7nf65~wd#?aW!Y`iZ zO2nZ=_F9hnO3b~m&a<$7XRf<~nq=MtWWt-(IVu`5Wk-jpL~^|?g9h*Xjf>L#(OKjZ z)SU~&%$zOAsFPh+ob-EetZx|>ZGk9W`}XR%MCG?_{9aC-d3jU$6Mgj6jRpgwwy{g? z2i@NpR?9p@P=^*GTjS_`Z@SuJ;&6VfjW(?_f5GMWxFqBXVvk>2qWdKiifCJC`G`cJ zxIowtW$PO&+%>EIH90g)LAk$snHvb-;VX1%D9Rn2c-4t$nr~Yp+m7YV{*TSz=2e|C zdKl4-#hALXc%ZxoKm&Knpb;d0fIjMbnx(DyEh^_7U0-QS95Oo}7Jd_^?Rupv7Aj5| ziB*}~?U6dW5Tw)MLplmSUjAzT88WX~3j9KUVV6uaquvkQs!I=VAT)>22Az7}Fgyv{ z_o~xYQ1F*H9KQfWoDc4NtWmD|d|IxdE+M@058mQoeR*r6RU0X;Y0QD?cf0}=C(qaN z*CQ0)Z{nPH_aBGo!n5wh*aqv4T+WvoMRm7cztzco;$w*&{RRvs8BpOyxYZ2yzAyu} zc&MUN_Ev@+n zZkwTvAMjG!fxK!=-*{ErvF;}#!bHNCi@r9?Jrk{&L@a03nrU%kUn7--M3n1klrDp< zrrRYbaxq>~RhFMSPZUNcm+?Gi3}g_{)>{a@#d2x0`ArZ|%4fw6gv+iGMYh_~Y(i5K zu86j@ ycleME~0i;izs<-Y{@P|#NPP!E<`|F2(-%h_J8-7i?o`J^h&P=PwrQm$Z>#&z z13oOf853v=Z(RFn8-)y0VHna7&z%@7I~bf`oJrQ5yux#=qoBBJb&eKjP3%XZZVDdp zfcP;k|1okU+z$-i#c3oh#Hdu$3~=Ug2=Xfu;go<}V4^O6PuTR>*aWC!TDDU?FMaWB zY|IbD4*p+B(M^;P0{zPU^Ro~0by!U337Xq=Vkjj>&ePkt;({f{U3=4%Q%|Uya4LM%wQ=u2Rl;rT=uko9F6GkW$Ps+Cx7jpR) z?uPQ8?m+t^x=;f|OTqY3z3j`P#J^fOl9_1`DMt&gHZaV|R4^dpMN?8qlh>=jmppwDj*DgCspu`{Y+Ai4+RGel8pF5G) z6WL#mf8i)-#dtXiSd+;{{uY(gyeJwWJelA*4OE7)_)Hi9+6bo(-TY~@57$8afP-7u zCRlpMV)sbFx=6FAL=4^sR=ivdP8#q?MJI^e1jEXCiyBkC1#mMT4>#tneGB#zR;Y`Wcxitd zC`>3M(tE3a%}|R{$2M?!lc~W>M`fFnV{c1F4}UEYi!w;P#(|i7eeX2r6{)pvm-nLU z)&*mYAwYP0vAzV?qa9`THgv@Ma3{xu5wtn_UabLm9bvqmu0Fkg-;NAKwx6)(#59Cd zD?jSM=D`!?OR5HT&8px-9XKx9f|Phg$j%Yz{tGY($X@vePWtO@=3h|i&tQ`I|9YDl zu;u%kmi1u>Efv_y4eQ{r5JZ0dBtkDD%JZH6tS+IQnnm>n3$6$6dA$-7jia6jSpw1jv-m zC7~?Nvlq=4nXPL=8G(j#b*3hx$$LfI**|{-5L=8lSKgCg5ts`S0s(J93V`tv1ypFe$tOlWnkv*i|T^rH)xqlmMH)hR%d;*v-F`ihbh$G=FqkM~WPM*!2P#KrZm^ z2X&wjrfXTvc_RY#IpV^@_b#j{oA{MFC+^A7b3KkqkcL7G*(pTXNiro*8-n^6he>cu zzLzwH^gIFhd;Y*z4Ar4(lk8^EH2Kx}!sG6}S~#@?*x-_?0tx1%fILJ&N-sP~7+X2F zpx&0W;Qa7Ib2s*{80-PeGsCKoK-U&Qj{&5O7*1f3W*A6C$C1FFuea(G%!=vF{A4(0I~s zF2>fH2$JDr{k)$x?Eb(`bY{^es7h!lX^E9moUz=H{-E!DxTMMeTR%?DK^swxW+P0hLda#)|CVzk@Fh*faFPGf+*Mb>O!`^&(kFQ8#+#LnD zszmKTXJtEA3m^}CtUKrP_@GPYnz5C^VyIiSQr2QaSr>rrrg3PBhCmlhi1QSCWoO`l zL1FP*AKyt-R7lxkj8hS}{hPXo+z*tLaFg>eGU z_Za#T2qYOrmrI95F~G`jX`RgS*-R;X1nLG)hP0RtrA*r4XuIu52fRLYDSM6!)k&X=X^E`U?DY8bv!RXGd8-OKN)76( ziQ|;oWyZA8D>1P*n1aMuBkyTmvi5>aat?yI(X^^VR8B{sG-Yi9or{%*@svDnZF%&H zPSSkBp5xSzxGM+}K1AB2AtRT#yU5b-IkDgnQQuoX6T*m(?dPn`t-`2KO)5L<6R1uU5vhD^+zyw zyE@ERl#}M`Pg?Cx4S618&UH&|a8p>gq7#Y*Mur;d9M2Ai!q+7O(C*}o0lROIxUI@$ ze>Elkk+%FdQ{pcM^iRqwfaUuCM0xdxelI|(^*>&vzowX9RPBH6_X6ZR{~t~SNST-b zZb5+Nv44>={i^jp%oTr_5&k4)`g_v@AoJ`WrTzExz{CnL-}#%5g?OyXWAPLQO z9o$M4RU|@k29n*GF7>Y3`UD8vD>P7b)?;B#5=R1OiQ;*ayPt?mp<|_Cu7E*bVcxEr zzs=wZGpH}Kg8#eT>jO@HKvFT4V&5wpqIQFDBw;vfq!QA1jK2Pp7uM8@`n9BWE*LfI zp6+nuu6EjoUrsK+MJaD&8mT0m;^0?TTkM9`(=~J#VSH;fo_XGVbyaf(cl1%) zixU>0H_D>*nJJ^%~*=rC}xJ9VmT)G?adW9Em|HAp-eT+Q!2OOm!R8%r19D&_jPyM4MW`oRzpD3l??)~)q_fM z=p_!dItrTPxETc#+~QOuD?(}qCJJosqxvMt6)n-brS-U}6bt+fulaN}Vr!1IUBtA? zVb}uNc3Z1i!Dg;j*ad_BRjhifjieSxc@rnRw3lx_FBkN_?M8apaZVtP_vfDq<`+D&J3v`+%i3i|2&RO$H=Fen8@rppdvI@S$GB`U{#>VYQq@In>vT zm!bl-#Ciy1!AcvPq?2?96XR zH2W*po0T&%Q2MzVBSH`A5BlWgD8sF;N80e|Sj$*_qbgidN#uw9RF07v$H(no{ETH^ z_So_kb=FdQ{HiT+KO~>T`6C#4OZQ64AEBZj&&g0M_XTpA^A2S-InVhVkK^teqtioT z00|$FOH;_YrDpmq-OVduKwu*i&4pX{;=|ux*I7Qt;*0#yZpBffLC4nS^@soVJRM4r z@V2rfPLp57$@A(oapH)qHYx97+}C*rEV!BY?n%dIHmK{f+H`)XH!5-0vqM^wA374# ze}PNV4Bxp?!-w$%-k9UnC4;rNsyn3q8OVKLIZ6@6&@JNt6eE$nufhdiYV&4-jt%{B z*=RcLmX?=$4vSZi=__&|X2c=+ni{7!`Cj8j%U~THEkOxVItg~nI%SqFr>dyih|6@i z6=TJ~=!rLXmK5==&7i5@)Vk;_jJt=n5WVs2UU@|tZCqpSY=FiD3v1;0CT-rTDOcLc zo^E5LlS<>0y&lMdhNw{?A@gn*djii>_!k^ALpR{^shmz`iMPR<1M8*a*L>@U4SMnP z(SpHn z_Zt*OG$U;USTu5XZGy4%W+ZOa>TG3UFCD0Ot zk}G5e``&m^tK}w9u*t9pbVU9k#<))yu&wXPSo>csjVLwnP*GnA-RjL>!|t@V^{yaX zMnTvWCT1C~8_ZS+zsOlD@$1zGC(-P~Dvc~>fS?=0m=mLy^vWetZcQ==`^68ZfpCj0 zVGPhs8*ZXr+1w*>DhitCMTK8BQ^hLNR`)67Jz93&XYw zsahbiY#eBk>{?RXVb}x|>)Qn)9G6y(IY&pjH0hy|7i`FnO&+T%Pv2r>ctG%|Hcj14 zBmEK<6{$kPfxIg6CS7h3M(i4^wahKnL#+tOjk(N-L#U>P{SQGp7#SEfhxQD5Ed+HX zYPOJh?OexAL}Tkfb|de>K*jjHLRh2E$@o=HunzQ%1HPULj3!qFR8pZSF-Un@jQp_e z+b#CZq=Nx@N@_tpAbTRN5@BG7_1m)~bck$#!8o{pVy_2u`VHq7=?s{CCt|^%g%SXc zCSXrl0?uGC(h3|V4k7-)JTY&kKAnb=R+|wDa{0uUaM<-;`uv%=FJ63KZY$VE|k3Bgz zhZa&urMognD)a&y0?lKVN-TZ?8yB=49A+-B`fk#-{)I64f+Z;}EJ;r#I8p}m!p9Dv zo6;)%!SowVQfbcCmnSeFYs-!}6Pv?d@NJ~2`P5Qs*^6VA$sqOydOLktQ6;53;L3rx zi-com&dRZflY&Q&m?Jj~j$h$dmlD%WI$f}b6He=j*v4bNw@*}l&enmHK0APp{oaH##qr`_66ZPe8?bWy~ z7>JF|O|80Ecx`A69k`_E?>s?uuKP|y}_V0H41k71g%E?*93*mHi<<&W8I%>KCYA#$Zxnv=B$b~6O%@;h8%da4#XtKd2q zXp7C5tJ3L_AIe~7wO`J8OaAplMgI=W=M{A=B%bXK*1Nik!w9_uUdeRH`|`87c`X-y zHJdvZ{`ZMx-yqY~ZrpbC$8Qj+#Fd#H@V%uB?%l&jH)f7l4dPvoYPWN_FTmh; zI$3LVpeb>$Xdg@f)=h!!$GTK05yeWSy>n!8@4)OqBDR0AW@q`&YxZAD(m&H!EPr#& z4hWY1wYL99w*YY&;Kg~iX9;P|Lyosbl0zQe_wt7 z@8~XOKui%6JAm$DVgp3oa0197Ksw5AAy9x65>}@F94zzC@kRgjeg5Cn#tBH^W+Y@` zW2fT)WO6V9lCGHm6c`IT2cQq+ufuo%j+=kT<6&m}XS>p0gZ%%rI93Ka4nSDVZ|UKj z096YM8{qig4BI~y_b;I>zwZ41)8d#J={Ny`6-EG+$qBf}EG$fbV*lFX_0I#x@-GAT zN1*t>d*Xg`pamGH0;0SAyE;w|I)MG`|Ejt_Qmp^W>R1>7bT1%%2T&zDAccn!;FHS& zU{sj^7OMbf+P@sUKRj~(5;VsCE0E^*yZRe8|MjBz&-5=l!ymuYznlmNrU&@rvH_CU z{{@@>3vc|VD+2zJ*ni8A`iuUgUoW%YOZ_(l@V^7~e-c>zsXyuO!TmoqRs9b40g+9A z7w%7LXeAc5qWJ)vTU)liG!cVAjjWw%vo$12lW~8WGaeHOY?r}Cgmuf>(90#k3(vGT zTVIvRnbtY<=_WZkuoq(AT=(widAa3|wKYU`9AbY7l^J2nCqUwVV0*E;U3sc?1{GuZ zQLw^vGUC!--#ZIKT(}PU5KMVm zljP}z@lS4JON)TG%(wPbK4yfHqGh0ZLf~%2!iV{-j)Y=$dHbTax_Zfaw%dwWwubsp zRaD0ZCm`(0QZ^_NX=ZuE!LhZ!7N zlVEicTQfRgVk}+iG3>i8!Q#V&UbB=jf=0`#v%3v&ohl@QZ<*pJ6sy{%70L`dvybQ+ z{+w*8_IZ=DArP46+$-i<3yF`f)VkKfnDQEEA;mv|dkB(vkEcnh!Yz%=%^pk+ZZ6#1 z9X!8$UU9PX@1Vmqb|lVfAFXg&h!OlMxNI{ce&-H~$7uK{ z@c*OjEr9CUvaMmbYM(l**4%6Fwf7iP#_VHu^rd>lV}7-Qnju50gfw=gT0fX*d%}>VDMbNHi^q2E zrgD=4tw!q{HymLalRV9a)>DGOvuD}|9&ab4WU#dgmy!cZi|4fAVRJbuLw+a78KLeb z_o!VsAf|RNZ+fz}c2>j4?D#GZInyvr?vpGvG=xzGjdb%i{#1G6)wD*(yJ&U9!s#Ks zcOU~b>~5ffB0}4nenvuf;ubX3>Z=^fV;Lh{XAS1El_E#63q_(URx5)@Ly}k#d*UTj zGp@sv3&uPt?^-P9ct{OUWscuume{nkQuU{cp`h5jshcn2IDSK0e&S`Sj3Tw;-nCBH zANWeKM8)QQjED}iMxETs%k^rpA6yo-VsJ`Pfc8DpNh|Hr8WR%iTODPK<%BTVr1ESa zib`^$Xk>m&s^LYHN%K?sBcTN0yW^f+e!kY1lBazL#n>A#Ut<|$-;&AQPp2Zzz9eBn z0yLUiq^7-Q#~2QiYcoAGj=87pOF`{dhw&TJ<{-FkIF$UlTb~hcK=gEU!y2WB-4m-2 zt3SRRowI7+IVKoUVg^U%2Ofe72SAwGyJ~fVy7g|*taa&nE!#~4ooq?u$7|<49w%7x zUF+OgKVU<0`F>0l!**XPA@=>$wUZOT2k{COg+}exR>y2^NJl;>Oo;p*tBhhnUya1B zstW1j5h(&S1P|sQ6sRi-3ry-^AnX^W(zg-F%L2%lDhZT#2Dg&m-jwAmj4k@I^6~Kw z^RQZb7?a10$IFo{=UAY9@*FDxQj;Z_6MA^uf`O3{a=9b-66^d$S1)TAccw`5^2haw);D19N#LL3Ajve>`?l! zM^dluOh?fY?g--Q;4JW03BW8xOd(>rV1C-Z@-+tm%3}lysn8TehDN*C%B5)F9p?WMHb@)Q3yZ*TYr=J zNoxK*Uo-D6Yt(Z1Db4j!w#UWsX4Ik6l(@8i5E*vbiQ`h}@6)SyG=#-uWj)i!J`{Y*E&p4@QJ;+mPzLeE;al=Rf zj9@d%E#mH7>f9>E53`Uqm_Em!MO*Y-5av?XSAY|;scWoPsDfseI}|>!(V~Ql7(F&A zOhp)OJk_c_1U?EHeb)o~B8z@TU&9wVu0EcDfkdAnwqBeQ6RkduyKkP+oXpcnE-$TE zYaWU2NHx+T{|cq{QJ@@Z1ikJCnfF7jt+|kn_jc zmyz(7elIA$${G!^nWfiPrB@Fr)0y5W2qeM4#~TrxRVIZhx31VPq&~?Qb(9Dq&j?S= zdi%d&s()y;`1|P64>a{hrpo$*NB-w#8h>Z1KSh@Sy(#}0iTMshe;Du=5G;VS{hNVI zfTDGV-=Nn&XD|F=HbB+`BLf{1;QW4ty?+jZ{XFn{Z)0|5K-&urK*t6^t^BW}exi zoOZb(`&1C+hi(_(n^cklCE84imaTa0b2c&>r>&Gg%W8IKFtoCBd_3}P_cM&Co>|v% za(st&X2uiE7aG$VBva>xEJ^$thPXNfQJFpm=Y}+$v9&A*UitF$dM>oC)(UwH;)vZU z_4JCt!y>7)3L5j%Wa~yLc?_PEj-1fXEb{SOg@9E`v-OclkRI>ig$MyCkFR-Hnp zTiAO+4lNtGN`A;Xw2>Ds*p!I;g|?N3R4SCNlrg@{Z%?Fl7*Lpy?V#ily(>Xu)Ee`t ztr^YKS;L^{gE2Pu7bktT80x(iZow{P07#^1lq5T%i8^4EG=rZ+3o3BR5Yk(l+1#q7vGx=&lbUtbVfS+Nr! z*)%K?{xY3U>Yq9Z*T@OeQgJfsS`1XlaVytlfhL6>tSH?iWp*Ulotcdnsm4p5BASDr zufSVlz<6id1CCNdc*8NlwIx&zX>WlaZ~&?QAQ!s#;`#Kv)#CVdx94%{J@8Xo-Uh!% z$HzwqzvBBi)Xz(`Wsn3xx6KaDhIZ-X7iyQQO=dXMnFX&pJnEkV z@yyAvqVu*AKN?9%2vT}SP{~@Fz_7dtj(|KZ+JqX9;E~_0o~j@1bhMjg)$qgvCHx?S z{`%es2nKA6+}j!KW`O5)V13{fm5`v+o3z6}^iV0{ttl0kI`L-uL=c#X7C|E;jJ@m+jnJ5Bt<@c`V5>&Dq4 zPz<8bvtE*q)2o?qoC>)M%waC%O$s=IBS>nAoQO+lY6+Ea^0)ZQS~ZOg#tpfL6XH`) zJ~33`h}5(P7y=;)!FiJ2#e45G-G<(N25$9PUfrf8ULz(}9!V#_CD%%d$ZFwPplg38N{shD5z7eX;vX;mB&+&G{;>f4|@{Fz%{0z zA?B@#)oXNWiG%yb#EDuO?DEpJ^vsNH@-|rov^D0K##zU*VxSTIy7gj6p%zMVSFw3W zJPP=`OxokwwS8$3bzkK+cd#Lv55*zu-#WK|@JKosE1SOw9_#rA>Ca{>UzqAvkZ?g$z!*~xmuO$D(v|JV8&j6u#KC+?y>C;>j2pZ@YWGdHB`-))Z@MU;eruah zBzOYT+nO@FGt0mrde+MqegN!jm?^ulTOnnjx83Y%Li-V~a(G?!2LrHY@eUYXLXtmrVscLpcx_hIb;q3<_902J#Y01XzTw1oXutFd#nilksPjvVBT2 z{g7DHa3CC=x9elWhkm*>w^H)P=r+vwH4e@2-;OL2sDu*V4~KpoQ#)KFzguL44HEM;F55o*81XY%4syqxbJ&P;LwFs}cXkYd^ z27;=ab$GIF(2AoI4Wxo<`mE&;{WYY*fnWm55|hUwlu1cr>0MqmSA;sAY z8?8BC>Y;!Odl!dM!`aQs%8WiSty-^Bi?xufwxI07fkSrpE7V6*+}1fVS5ll0q8^PD zlpJfdZo_-x)%il?d0CkjQz@p!x2<++INLhrj`7w~jB3!Ia1r0fSu!Esc8#*l)6ZIC zbeyO+={WOOnCc*HY>Oc2FKc5ijg|n{ye0*X=+AY1V@AEcbw2&H23%W~c-0_ePu>$y zYdsBxWk!*MjKoOjcmnJ$~-b65f=CtjW1mqpqy`4a_bOMq|Nsu=-}`# z9%34AbHP(}6OO>Q(Opp=EreuvfOgL5DsoTKOCoOuHESy4u*=R(>OL%AoVMNUmES}|;K>SeCVvM~|biFfX>Ce)&lv5IHniE9^I*x=_wd?H- znHl59Vx`kpVgy3t}~Q~Zg4=C%DIW$K1O+$I;~o$zvD98 zEe#YIz9TFNoahXf!1GY>!+=G@q*bx2$+3q+OF7KR8=ADg&IPHW>)ayA1<58);{qe6 zJL%YlM2|O1ft83!FiE~0uW0Ql zW~+|7Gb*8ZAj$;yq|B@>Up$`95GVz#v0Gf<-Sn6=x@ld4aSW*Bi7ciTZx?uxuifh^ zG`y4;$}&wtKG}N}y2p|c$P6D(m#&ON>ZZV2zWrWAp5J~$dRU%Amq&3B!JTr7Q@nUT zApE(_P`q#_ZTCl@>lVyT6EzP&1wGv?{$GZ%fj)s3Z8O`64& z0n#mP?F^V`E|G|{Ti4!Ea^zKYU%7>2td~IFhk1WmbT^0iUFC0^9h}6`&8pp`J$9@s zENdUcqXV+61u&Bsphs`2y~g2;d2-ZPHYol5!GcU&Z8 zCFB1I&L^q5>w&=U{bw*K?MG-EuVyIFowUM~4auTzMHjRo>YbN-Md|}3c~SfhbEPn) zveyS2rIZ#KF(hJ;D5G^j&WMZ$do{y5-~Y<0D1%nyKo2^JYQbBeJQfU9!asco@>GM~ zfW0*5GYcT6pV9U+?b1+F6PAMW_6tJ6g+2)~8+`YmQXB}#tD!q>r+rJPnT+BR0=!dJ zl~n}d-6=%p=`+#gWNr}zF6H4BQ`gv!HT#y4`RPTcQ_<qMS(n z_15T4ySc_O`Z^5DKhv2?dr6f~}!A_!2?Yj~oOuh-u`zW`R z;2B;7eE7;RbITNSk6+sONoK;J9nTT;D17>1R-w_>y;lO-dwktj^@HopOAwV7t2Lay zQrx8gbm!1KubY3vPuYHEaKGoLKRCr7`6(dr`$vTIKdIgS%1_z;94Pr=z+d2}fatfNUHCAR7ED!~8R`{qsNuMnI_Q zHv`%KOilkZkcAmg>cH_EGW_FO{I412A3{VwY192LxF`E>xF-{U82{C%P=ltm?J^tk z^Qm60{Co5e%(y(tAr9P_BDwVf3CBjqeIjTOP3g14yyOoB4MsWq&q26KuPt`wsVeno z+Tnwl$9R~vm2I~a&u)gs)G5aF-cL$PQh&Oxv}sN8sF4Vf5I(a!@w#5C)YvZn`ljKv z+*6SjIFH;njH9xW@Jiddc5_Qyk2d;QOEiW<{vJPA)v^lZd4oXFz$!kyHcrkKuKTUP zuKQ^t*DOND$hKCl`@2;4x0pU#ipWKwE@o<~SuxO_(r1_3dK69-Er=v5%92VkD9lpk znEB7D&K)q_lwYgRyjwDd!{rkk8fHN!&u}t6S}ZPC9yHl7Y7-5-KD2QRSc7vpt!<>g z^h#~u$auZ~cEW8|3)p6l5J{$&Z-X=i8=;FNhy`fsIHbiI-E^8`P}p2t3jK_+5h8mI-iFr>Lz~K6Iupcm?xX zQ$C62>vQ*v%_BGS*Y&#Iwky|Nt#Q;UNjtT$69uX3eOOW!7l)}qbbe4=Pq(Y;&j@_cot!AbsSs;1uwcG^~+0gg)?M8(= zMycNmWAi?w&u|#^VOT4xmz~;Qs`Ze(4L@$K2RUs7|F|Gy!~FW`4b|%cW#{~ws-&nb z%Hrjvx~@lkTd2iXaxF8mUJCH1``}2+F%-)Cgsv9bXF!Q%eePQ=s+IvDb>fse= zJL9WZtj!^VRqmu*+D&FERmLjv_Xp!-6heFsWT5GIpYYZncb@ueJ6_DXE+r+5nP_~1 zu$Qe>%a83HTku)xopr|j0^oy;BgW6N=s6`*v@EpqKfUa z?aM+X<5UBN&H#KYD2WV5&R8tYm(Xy^dzbWdM@1mfas2J7dlFJ_O1W&}<~tVAA>$lT{a|%bA*X!(IxmTyucP*vQk{ zm>TL2+Z8!Kk-`b zKG&{3GfG!yA0Cl~i1j7R&kBKSHl|i~-MnCYo_{VjK9D?s6xYifg5jid9N47U1(nT| zUL`c7F0Y;wF6l6ZIf^&rjJgD?BBw&sC++;s@iMVIx6{Y0>bpss}UW2oBbV794 zJKo9;HR+FaSd?edP^5J4zj$2E(=tHnAIrEWZmxrJYG8UHID&EtJr3p=pf2jO4SeE~ z7Q-B&#Oa9FXM3HIiebYP$Oij_VNyze0+bwLawQI%g^W37>QH`J)jZBTaFqH*>a1#_ zK;g*@A{IIiPfIk?QMN_w7Rm=lu`8^)I$^5%>IT}R@!(AL+MR{8~TG=Ri!5}oQ z5zfkw4kBKkI-aX&6*smQ$^EV>mvBrB5GBAZXY+&`feEf@?;7g3-@KDxOi|^Wf>sGE zmCKRz*L=t4YTqlC!PG50K!#CerRIzHszY3mm{v2sw3BV@?7d8Bw2^1Tt}+?Lx@Q3o&;)| zs7tekqATvT@z8Zev<8~&YggpjTyjfwgX8kad1`ZKJG7#nkD6tBxwDADlP_0Bd91!b zCGQAQax`KvVkz-gAp>(7K*)*OdMB=li(Gj#i3~4OQi|!%f~?*G`<-*NVx)ijq3$(&vCz3n(yKhUfjf zRw^2VWE|HeRG3AoFbE&?bTt+{9oAl~ri{}lS^5Qx0Sso5n0C9_P_FoznbH>ctzSeK zw*(4JY!IPFInGregpkXfZnF|;?zVok7FQbD<7W+MjWSJ186roxdB_Wpkt8wYR*7(o z12}SP6={qarH=j2wG-ENkj}G3zGm|+Md~)GrO|f6Zy^~45A%>aTD&rEJ=8~!gx`D< z;)O4Lo4hk@F}1cqqVdM+6AU+z0j|6k`;E3ZI@NBhI9vb|bw=7XK{A22x8v8#!)#b% zU^){ECNknDnw1m+NkVBzsh6k5p3=%GcJFR2>S}*b^f=5r7&Oj~)^B#sH3h*Tl9YFA zIl*WV?xdrH^sBT~!1Ssmlg|)j73-zQX14q^)LoL)5S87a9;#I{T%DI@Xi6`9^De0X zG_Rn5uJghotMD*Q`#H=`(sw0;I6B)}H_~FTh;s{)-tL=nDHNpZW_o<;8Y@)~hWa>F zNlY#Nn(GL=e@xPsx6#7L4@P?RHqRr6{%uWZ5Hcn%(Vzs)R{7POPc;&YTx!x8d zI1!tjK7z5XJIxFb`qR9ZpE($zx#zEMIHbGMOP5uoKl9$!_bhMsbs5oHtfY3eZ?*M1 zxwySFnunA&y)#%BdtiTdg433}Fxw|vKjaKYutY(p;RaHVmh+N9;L8#QG(#H_HCq)g zNwWu=+n>+&`Z!u(hCC)07}n*>?^t3!As}f;>F*-)Eo~G;*@AwV_w0 zS5=by{!eM{@)$I|~}vHn%e=jT4!e+U5mD-cdE z_7hhBYk69LuHyeZ^?&4PaRPM2|6*BI!y9XWDi+dnrCygjRn?XebUO$hyRxVn?m*Ph z;kKMD?Ss3ZHbS>>) z9%@TNzdER+yVsz$KSn^QH&1F7my+-xd30?SAK8x4RgHP`q1ZvKA<1EPddDU|l*ZeR zdfyGXz~uNG-RYJTT9g-ZS zvdZcQy@f`g0-=yhOz!?l;d&yo0(3?(k|mU%vo%a9egN^7vB-gpnfYq86d}9U!!%dwy`-Ur7(w zg0JSmrd7|y7ziOYy|`%xqlAs`v~C15FhFizQQO;zZYMCu_tY@seWmlfc+@-&KA}es zA|M*rFOKcKW^$X>@7+~Xv1oyPFel^lwCRssVpu1gb;Dz^bO?`Xxp4c%`$G*z!dsfo zIIt8}Zu$iv8Mwrjg?IB|p6s@Vd|FUV6>WV?5bIA9(N9g03s6BG&4@HqXZzB70YqE` z3cGutlUzrpb&?Mv+9x(IWRq0h$6Rlul8oFK-!r}`C1bqDx5tlqIJ0|T^*+Tc0AaphHU8O~@HiU)A z+zA8(#-0d^3){C3Jm+`yqc%dy1?h@&A&8GCNbWfxjGxS`A`t_Oj?ZL^^1aKicH8NE zdS2D&&0e3J_#>QHAN!S^m4tJv@+34ooH_DiwjgB@-KY#+JoTU>cy-$f2~a1>Jdr~g z&3PZlj8k5(fcX0~mb(*2-~zX3>L?g(nh0XnD9WW^Ng4*w;AkDeF(cNNFC5ou#PQPU zb$IA(i?Dn(U^_hqwx4=)#VAm+yQm9<<&W?&4>1o22$%>VR2|Y^J1lT(TB1;0PcH^L zk3&u_6b&R%MXhX=>OF1zV7&LRC2Yl_T1+f72?BxVjwi5(5C=zt39|4==t)-9sokj+ zJybd|w!q~yx#MbXa>+Cu%RF}UMLkgQE9EUp4gn1m0z;w*-h}D^EYfOV_`nBjjUtO3sgGbBs}QS6o>ftc_?2SZe5t)oPD47QSSP>X$pG zvq#7Rs?UJn(*^=J>ap{C;{{n%NhsL*9w5Rh(wAz_@ho;ld?b8%Dpl*OB=O4YnjBwe?$l3c?cHd?WVVbw*R@s9S(JV%Y$tb)wUDki| zm@Ep{mGrO{VEx+ivWDQ3`Wov=|8WGo-zW6ckMqU-^Q*?uJ%SNo#NZS3X@};4z!8Cj z7Y=WgWG$jT$ZBbPT<&6}#$Q<*8o@hdQN7ivt21Sqmu?i! zIFyciu5p?+%?{nSq3sDK*v-$_1k_(lMlSVE=5c;1j$sNu&!|dTz|) zdvTkygQM-iEU}H)L55o45yQ@eZ5uh*_vy{Hn#l)wZV5_Ic_=s3Za&oeFWCM>rY96{ znFYF>5{%N~B`U+XPO;{h$e^f1PESx4O>`2-t(4|0MHW1Ucn#lAHsB(DlG(I1WfLK_ z+hp_Nz~e2641qKe8AW!=jnfngfm7K;w^dhxH86YkoP@o9q|Jl0AptE4`Y}Zi*xeeU z$+Gkn`-jvrpVdTK9dXT)png8?(_hGvqfNws$PEco`+_}U=z9x{p_nh1B*j)J#0+4B`T z5Yk;vKc-of)h9l!%9mcmhg7LxL%C)MGMO!M+j5GwOz09^;}kjIH}C6Or9>f>lpawt zOPw6w%j>>s|Ev(qEU_M=I(X4l?X|5a^&%TD_-c2;2&mag(+|NP?;I*n6Ey42v5&HZ z{{5MUFxuc^wh2r|oj<+H8qfUeg;r)itc_|oahW(za#VjHehreBj<19Z`lm# zgrkUQ0}IfFCVNiEjKCaaR>I5K$IRD5)}smGsj4dw;qw*7ffK9!`B*$LTV`;LzYUS2 zih`|(ELcK8sSbJPVov%dDJDn5f;p<2tbTmM3wU9t$bfm%ksW60NK#tNUN~kgY-F$t zxbVv4m~Oh}<>TH#LR1?oAsaPY7;C+ISUC4oU&^=*QO>zNBP`m_+d?$Im-D<&hlo59 zJW~#IMw*DWK^z@6QsqVEv_PES@_NP-<#OAE?nV@pR}OdVw;Ly9IiblHyo-ad*WYyg z=)OBP;+uf;W`LdMgF`F!H4Mdeu9B<62o}ndPAIAm_+35t?>HO zQiD#&4pQa5{d^iA0iz`q6PqLZk$JA&8fFf|BGVC@CY`TeYW15~$2;rp72i2Q94Q7Y zY@`+oOxP{3vhl#{V(j@akrJ_A4G!A5U1FiELGURlP_W5LY}%WG7{{jq-GHpa`QT#_ zVJlR@8wF|J6tVbA8OGQ70dYdg=cR&g^}qVULM$5u2SF7bpD+3d2LVAaE^z=1)9R$F zct-GXaCd+o#IE}dy6{GePvK;?oLOb4a!DGvDA^WXz@Udv$mQ6LFQOGBmgl+Lbn#)IOQ$Qg zzSNfG2?%i8e6Zp=#Ca?8iP-;{u)-g;66BU2mIw?R@lLpld_P!W{Y%y`MMd;eH_JXEgM9APR-xx~_m57`b$zGAc#ZqId&gM)rZvCwDN`-_Sme zp92EFr+q*0{hw&x_xJ-<0$__`p3u!CFLh|`|tFWkqyAt{~|s8kfvq3D1kb#c8}_<30+{q%6ixujmW#fUb4dX-J$o$I;ZQy0LG29P{pt)i;$l&eQIW zT?K`)Nh)vhOHGtN@50!BshH?>H-DKS$~zI0x0%lUh)2f-Xe{7ti|op5TN9B1$VQBN zd#1M9d*TFb^OB|g(a~#8^WzYLe~3W+mD_dh3_-*5Tcq=7+PJ%|!Tv^8_%{gIHLQL| z1T+yTYO_r@I(~hH{`t1Aw0xTEupdwDjg+Mey0TpR_gJ2RC`CoQ9APGfX6Q6$ikL?=bKg(L1SoV_7WYNIg(_*Uw1VnFL>{M;UCa2pV7Mb%9mph3`NU zNHFvORut{PE%TX&5Rn5OKW7U;1_gyd0xrKZhmA*_*^o>GNyuV(K}G74DVeZhM|r)?330f!8=c=bh!E6m(`J^yYHK^pxO9VL_zm zOR?n>p{h7p1_hByASF(ueDLfDdk>f>Ja5mNL9gft2@2Nst2S`1Gn@&OK8Sic2fQC_ z$<{C&SS3<2aey7Cs|Vl5@^1Z3m#Ex*4+bq7ytT1Fyz%q4;x|gU-sUD;`a+A%Sa|(8 z=8nuxnDeBh`B%<%UV%{nb29VJm@+AB)nMgL28ZoB!SeI4aA9yj(o_6|4PFS3;YQCn z@IXf$xkUF&xa3+D-SJ8m1(O67BkEVIKuHkk+nlt-x_2YSzTt;DhhAeX|pRQ;uw-&kp z0hqRr5LsspG|6p7oG z!8+uSTaQ`Va`&13}9u-FR%O9ax&tjU~ktNoxHI{TogfwSKW#?XfK zPt0a1Vx4etHau8kB1u3%Sd46Plhx#zl>>4_JI!P&sp8^xB3D0Udxu5D`x6pOZJVWq zyIw97_u^sBA9mAao8Z;n+9VW>O25vI-(87p3SMJYe{XF}t(divisQERDxD?*cZlGK zBLwXwV1b;1p@)`+X%&Gfyyro*Oe5 z#+#*^Fdx=?^Jp2u!m51PVf)QgTM>fSu?|Y|yb=(!vmBMZtFQSYr3c{l4&{EQ_Uv%M zDOV;cSd3)-4mxO$Wrp$qFZ!aG9TC4e*Xkt|*FFFC=?LGS9r|YMY!2dlbbeuT0-+~) z=G%n{(<*jrgxYB=kx8`jfF5anvu26iw5G>5175>5?MWPGV!E{FRD`@G;1h`F+UH3E zI)!!GSZ>Xe^xj-Xoy#)Cddul%udh(jvvaO9Wmx9xz8Mkt@@Ymc@($i7%!@C@F7G@R z#H-O+WNOk;VJLwGzpxNsm&(a5R{HhSt-Vmnb$0?|98p}Je@@)F9emrc);FKZ{h1!E z>U3ftb3p>e3!67Vq}Fz@%8RPf8|G_jDb#JsRXp|SEC>;Yut@2g%IzdI$`auWo3naq zs|LGPCv+6QXTgV?@GcXdk988lPy8PxI_#6T*we`xIqYuFqQQdo<({wdpWcA>zLGTI z*vX_LK{Z}nz%Xmq{%jqCg$isfC0I-*WTpCTsT6k11*1jq83DDNn`^n1X^rKyK z5pEe#0p$J`gFU+@x$BMqUyLQHRjbYNtcKA4rMsp5?hL#UOkV_uUCdix=Fr!bRc0Bh zwK-bl-Rmx>sc{82FE|4-Ze_No4cf4aH@bZ%2ZM{4L!3Va!^LPoNa`x=<)QX90RX!mm|gU z*rKz@Y~mD>F-+i@chPUlD1jbxhmyQk3v-1LC!Wcp2oZ#1x=SLV(9DRzJOs*gC5Q&; zu}no~L&eAs!h_GnmouXeUbS(zTy3|n#L$;0Fe+P(VBAx%E86evWY*`+k+OQ#!`C#+ znd4F*%#YjVl2mEKGL2b*(J08H>;2H=kxDJE09>C}F4whNUeZH#IDh zEv{8C++i>X(H3B*__5xfzCqt=cN02eqlcM#6MmZEE|<5UHh<$r_1Yuw{_UlM)_k8` zOrF&e7o@EnR=Ic@?l}sn2xEip;aJ(~+qWfZ8v-U99(u{eK3s3L@+*%P>^a>O1@O0HVd&7^wc``8sI zIOUd;%=?*lZV*wlotd^UOpxXAB|~7a;*GF+T0+piRNqP!`Q0p6wKLB|nMeL_Wj@bbNBk}KuXarlw zIC1lUxa&M!ZgBMc>eUFUc2URpTHPL>FY(zBkMn)&Pzc~edjl){l)R3apgNV*l$=sf z!p}BJwu-Rylm~wk!9&5g+Oo!{)-0z6R zlhD!5kOgjCDT7AS7jSZ3+P zd(kD$jw|fZ;)*^x#j1j;Poa0hy$O#{Hm)F>xd{f`1Z&UL3HA|~+gAMQ!@c5mO-K$O zh|49yp7M=(uucJvZOTei-}j%lCh3?4jZgAM+Y~#=bl4KuNG7u)yeO^bPmP{wET%X_ zw#2^y85jZ0v{l;H-hhQ?!MTXcd!f3(xl`^3i*jPk3&gR&6KcfnNirEyhV*2=mckZ= z()}ox@JRg@_JUGUF6hxq5njQQWu~Oh7+Ma31(nFkY-@=Co#>mgm`^Q~aFk)kRa=az zFP_y6!ub)Se+HbpNQ@Uv72#EBdAHbfrlgCNimJ7aYeky(unjk)VmV8_$DS1$8Hs$yXNGON^~>O~~e z!h2fO@LbuRxmkH|Su&N>d9x)EDz++ERPXa?qDI3((0Og^l$I1HoE%v)y8={RT{}|F z%yA}IPE(`a&ZV%M1n@HdDoT_ z>pm5RdVc8r(Vd|?1T)Jr8Ph_yQPv|74{EQ)soPj?3Ly;honPRA4I>>7?;vFFYF{RF z;$ngug(G3d;zw3lb<1<3z^%HnL}fGrt@3M$jYrj>1|%M;b$ zbh=S-6z3!_gy~r@SZha>KS>Rj@tl@7Y7SYFH93@A9xf1U*-)Sfw4u1Tu=s97Qp@lh@t`X3IJ9Dmh$%( z^k>UBezELlO8j53jDwl(yObP2eF5;q{9z~a?;jjL+r{~dUH`pJ@b?vCX9UQ}0W1T= zgqYa?0)_xP+5Y2#u`>K(*w2xJ|J#Bw1Hw^&ml87r1Hhv1YX#V>fXK^tK?f$b-@l}O zUbA2BGRB|7b^u4r-_XK;j@obl3T6KJ#QA05?+ct*{~#~%n?Y=BoOGfAAjtAzt;DLR1`o=xO>-J&nH{qG|*565Bu$!Ee5PFK^z)))~Yc%kYAr+2R|Y6S-;WhQ8)nx z#`lV*&;Bwn2eh-g#I2-K0hF+9q8nc4Yoo5m<))=+srue4qr1eCPZ)iT%Zb)=+d7(O z<|j9~G}Bh2sV@=etL0KVAMz0J&p8n5qQkT4D$y}~wCz4-yJeh)`v;P(T6$b;kX*rN zybKu$rWCGz2wHTHl`*JjJqq{HV-V(s<%k&pArcNuT7Ij)Wq#o`W&)!tZ7TtJhcmy{bHOLabe25GGokbS7BeO^0v5D`M)c;de26u4@yI1`y@gGD>IB#DlSsO4 z*vk~3G!da3M%`li80}X}q{{KEiIBZ>z0G8fQN7yQJSF43R)NGbE#c;yZOkXFFGu~H zb`BMGOb0H}Y6I``9930GY@2pYgOX4ex92=ts^DZ=h@c!3@0sRiiU%uBdSl(fl=C=E zNkubSQ|w2d`uMB7Q{UIT5Z~Q@F-#KiwtIJv18k1(J?`Ag`wdb|5{02RcIPuo49~T3 z0yx~rW5x}|I-%q-kA5J@PIo*FoCtb$Pgg4?yrF;)Wt0WCE|xYZsRLgt#9TfpTrFus z2+qz2c|&J-Zmb3^DK=+mEI(LrK;;Q%7 zV<*#epQq`P%;qo2i4Q7?Z&|sLQCVsuv6@V+SiA3`BVO9XSJoJOIbcAuiq>-5j7UIG zk9opMks|9EV4QN^b40FBi8Q}weJ*{SXSB^u`=#+7Pc{jnd8J%6l&=`(P3L)tk(@9A zE^9rkFuzQI9S?jr4|J^pqQ!mLL!i3Kq4qX>K4Bu(@ji1$U5bv&t7^o~1mXTL(d~|M zb@JpPj@bzm@snGQA@$cYjVyXIEtRFOzlD5*sU@Vv0Ti=@*r(+QRHL%Sik$l-NJ%M8 z_1#J^rzp!a50d(}T7*8w8THeS+G7cZnZ)winI{rqfD%T5i*X9%g`6+RhC;)+d?k!f z<)nCo$3hSikntPm*yO7M(#r6=WZ>+zfGF*s2PwmFffHI@+7h*v<^;J_sQj3_6AHUk z5cFDfbw`>KgYfxEp}_c^yYL4y1(ogKvV8FP1Jh-G%$QoQG(d?IBvSZ?M2CsQ#7I9Jve3`$XB3uxDYILdEU>3n*DlVGma|exV}%D3!&tk(m`en zB>q6U2D5e07Fz7X?r6rPA3pRL#<4~jAt_&mrMz6?d1*M#j22H%fekX-Nznz*9;R>` zRS`#ckdL|YLh-!{gl_@eYeK)W(8375LLwZ>`383u2_y-}>6H(gPh)@c%FAyq5fM9K zp}-x6yh!)6OeyQKKak&K8z&3AywnWAe8m&rF$^_VmVToUm_oN^BOj`CT<<*>TabAQ z$0wuEd~0r)uEu!d<6E^}M~o45eMSeRl`i%`oQO-N>tvUDAu<%1GA??CnaSiniB8o| zR+qar84`9(6^9Ho}62Z#MA`!oC^I_@Fj0 zJ=c|Urzrr##J;2gV@+V!WvMw{Hdd6`JF|dHY0lg^*%&}D`B&*q?|F#`44a19$J%WY zFTNS$go2%<fl$_XwLWeOu{0$I zi2z3m{76dWmDholU=u(a49CW)phZJtt2Vv{t@BhL zue1oxLL@UnIzO*Dg%QoOOXFlyit&zVelO%wmAJ5FuzVYFJfN1ztS053>USn@qx zKoDL-j5%IwA;r(Vh$*_TeSd$`#<)75ehEHGhv4cm=n&1tD7f( z%{fbXs$k~`x6fLQF3K$BJn1rm?fLq=7hVT~|5`ZYM%h{hcaaMk%k?rw|G{hYfqV-X zy-3{Du!@TNonpadChSa)#0s-fclkqD1?kDSUQ}Epfd@@G#UmBG~kg-KcAG%DX zbt2g1Cw&EF?GEjGMUBi!LrC5fvP!OG1$H*9>|UW$DyNKxU}_XULz|^}Vn%8-xT6ea ztOUjQJU^~M>6gwHJtVddOWuFQ^h={4_gq<=4lb+S8%foHH>SxQJFf|?PEg1Q9@@L# zn-HZagJ@0?#xkqwI1c8hVt;Cvx zAqtwVDz%XwDtSNbQDP}b?`&3b*vGC5Vsnq9zk%y~F#E)n%Iq2gcZKl2Zc6cE9q>D| zh?H(FQh9V);vIk87}iJ|!|qFi@D5Ui>}Iwb>y^fx$;P~(Fi2jI_iHhmZDju+YiAu7 zSCYMbAh^4`LvU@}-GjTkOMu`SG`JHqxCIFwEO^l11P{U80|a<4nVH?0o$PPt-JQSg zr$cx8bls}%I^TNEbJX$0N0X}J$cXAcuyEBNTF%rsJD?+g=f;NR(djzN2)$SjDf4-q zZ12s|Dwc5`6qC8$s;3w@2PU{?xT~D^=G&__J5iiAsR7a$Y8mzV%FoZKU^hm~*!o8? z^m5p&Ei=)tN|sWkinIe4+_C#MbrUH@ixfzMl_ocPTn~Mb0+g|{l_OU_pm)6>`D#2Z zAY6|vi#8rdJoM$7k>8g}Syr@L{i1V~=BKK%DR5l(Nw$*S#cK=Dji!E> zyN#GFRzy^1I@!2;oCYx@S-Qz=Ew>QU3m8MdgSLsb@d?ZeG>)(9fklAGSixLPnsH^y3?RP-}s{>k3GS~S!;G5I`8Ff0Yr zE2j*RMe036Pz_<>BIy&j%C7^VdPlF#rCva!-0*{wP+X5uSoQfY;j!RHmw)PyTR?>; zw7*?X*1Xl6+znFJBWw@suHrdv$*q=I)KjOncdEtIa7webq!%jZ6Z>LOVL~ z1#{Fag6({>bu`y?O-<~S8Ix8@7LxMPdhn!*khdcd5lqm-icdpnhhReqDTGw-!o7R_ zpa=KXwQR1hAEv1h-P48Lub0J14b%1NOSqM3Q6$e{s4pggzMxdfEe&B{Aa53OM0qo zY-tY9EavFoX71qTO8QG;@kc-m82JM@_rCzdAfOe%BM1fo7LC7Le|!8Z2xj{g1Ovr) zzx@3dVEp?w1;6|szhznfV@eH3FI;z7 ze+8Joe5}7GG{6-SF#O;G93lZfdtg|8gT9;q1pu-An?41EKUj)efwDM zj(g%t_wk1%dU*BhO5%}}f_E8R+ zH?M&QHhb}zAQa-yF&0Ty zaQ;~Rs`?pZMh}6K@LruoOO}l~FamAf!@^@-)d(=-2E}C*d0njCd1kV?oCi{qFNmV+ z&lgjlc&II)c#88JBU0kb$7~{^gh6Nwh&RD^&i31Y?WD8f?Jtzgt3Ehwe?Gf6GL*I9 zu=glPo-jp`ieh&Gr<~UX_r(%2Mt2EDh=<$%d|YJ3=Yt%pRhT&+c8V@`xRd8Nc4)38 zr$zNlD+|Ayt9*?*cRD3@bKka+41tqjbKw~I;I()G1(%K8JYV2Je$|3*X>kAYD1GS~ zJn^lrS3_nVi)fHL3}t%#0B#giv7&7ID7`A5=|$+QL2q7k&&r4Gxo`Ienyv=r?Lud` zD;rS3Q^rh7-?vqKW+gg(;$SHW9{jW%;oqOmav&k7)?)@hVB@u$@#m48w?MEQar8=n z^cE&2ckzln8#Q3WiAL6WpqNRDtFH9HQ_JVy77IQhrU&D8BdrkDiFz5R^io!LRc`Kh zNL3p##zOl^RJkqXvcr(yR24X?RlKtcH~5b0CBK9J)yNW~@TF7*Hyk_On0jM*L$?5| zzClM3JU_Qv^{HQ!+xZ!o&0N?xCTS`yf}fStvI*Whly7SCWE{t&xQs0{UR&%6-V0m< z7&1u9-gO>Id^JY7t=pb{lb?xg$t0!cK22hL+S7oUF>e-oE zU@#dcsIJ_3{UD`+`Qr#PH~zrX+!rZR9Ja4bmF)HHKM@JC;`tgL5VVvdFwY2vl{#*> zt--O|f4IF=b`Yu_#GhW*=?^|0H&tinb=(IxhtYCl5ZW{~!EhdtzZ$>nZfl;qLWaJY z9R|gUl7-mzbwtZ*1*3G=f{v1o}&f24j(f%YBjt-vdm#mjfN zYOMm}U^UTB642vu4q7kndFX@hHIh!kPL~@2nxLphI@M zR7oc!&@Lrtth;g?FgaL?IL7-+Oq~Y`=eLgr`K)v`103JZnmlK#5%q2M8NSa0f zm*Q%y(Fz?}spr#}k7B$L)ll5DB#1#ddtGmA^&Fa&8t$J9JmS=B(UOG|s+sgtOTGIH}#&ZRXYKY-yqZ!+JtmA9+ zea(pEk>m!q?d5&arS+@@BfQS^tAhkb)Sxd~gsf)=$594(mK%G`ZxNuun%-UooLz9L z7so;FElyu7)Dpu}LcPg-lgDD*VR6BPVR!^53?4deVSLMidTI3(Yz|^45;x5%nqnHV zO=U@y#1;f+C-2}jM$;5Lxj@MYDP{7Q&%h`vzWn8qeh-;ARqIG*cEA#b3 zbWn(UwAw~|(eRN1VP7u2RGR8{jf)xbf!i8&wGq5;qRj@g&EcdK^5?FyQaEZ{vzV37 zLA~>GBw@09+s)_Byzahwq&y$yYS59oc>-9Se)U!k$c8WA^b!j1|4`8NB5kC zIwgB%&&6XlaH2+6iD>>qN3Wn?XN*;p?|i7NlJ zfQ=4zSWIP{CD_tVRu9xIJv5&%yD+-MPJnA|1Gh@HIq|xez2@YLtg?l>vs8`gbQw=iSFHb2`JOl!{?*X zrMS?+iY(tPuzRQzdjsAi<9Z!5gwkaf*nCC^qxUoM3I!z;Vfu=t)}z*iztf!NU-|~- z>EIc3pi)ALT%)S!_sp73#o#+K#d`1RGYigW%Gs$}nn~y$;zTfcdga?tPbV345E_sNFj=By=+t7Cr$=@B8>RjB8v5<0tQjdj!-|H{%2E zF}ECKe6TkpXwRlXudf)0j8!@#RzlA2zTsAft5ke|Tef@OtuF4Vm<;Q__yJ{voPg2P zSpw1&mO9vwX(1bex_0(+_AucBMPUi#d*{t-B$fegH(t$D@;78L>n9^xbYGYBulw(A50Fj{ zmpNmZ3|+B;qsGo=WfXwpt#vahy?j!-4egTk<~SV=2*nbj3}9rsef7$A>v7%< z#2V!^f_n93E;}>ubKlse>19HlcOcD%c3=4>*JNk!xhIH#8G$0|e0ly!{<^9@a#EyN zRRq_1diRo6W5d{`nVe5is_jVBZBL;?lafGc8eN*Jdu`4*NH(|_MSS9``lZo#rqncq z!sLPioLkFARKC}U0|JVZFJBjF!9RB+6N)TEE@n=58D>lN>uxatlExz@J2utFX15Dch?k*+EV3P^TfJJPgcom+^5ut zWFHSzXmQkX%vL|Vi>g$5$4YZ%?XdnO8h6u1$Izh|oj_uIbQonxQgvvVDuacmP+oP! z*ZM8`w~_TvGB34oTZKWwwh7U8*u|>z`%NvyuLQn-QyLyVT)qn~Ors2dHRuAb4KF-) z>2$lszg8fDFK@p_w4eJ5^I3_KV=0BBA!s5-x*n@EKBn{8Z64@kyl4@-!o~6g#WB8{ zd3iEZ7p_;yDy}kJLuOD3u-tcei6@jtsn?-4g25)vRzQYxzC>O}V=)?rYef*4hV6TG zd{z_aWketNII|OxIkoI`hEd|2qjgFeO12wJ9fpv z_ZLO0KGW+1Ta2D*$jY;D?>>iVzgtBkCxwcb{3iNt-Q+cjy$r5|X~=m^+1z=$#djvB z25El9dc%Zf@hwc@EnZdwEk+=QCPU`Q+gH2!KV75=t4kv6qHTeEYpr7T$Yg0_M>p=2_ty?T<)*SJIV=7Wmv%?C1i-*~>M&5Ysbknces1qF1HR>!Fm zePycC!0=2|Zl1+6`pR&ov=>~%pmRryedxgBJU^E;w6J3EmFY|i;^i^Wn16pB%3guF zpQ38r>2{bs-|5E_#eVItb~EwNUC1o>t^PUl@OK#p@iO$Fh#aqi>6)jkKCT7K@*!4~k zDyf%5YT|pXuLbY$)Cc~Y%50;M46~tK87@g=r}0o(87>W3qt}6aXHg=}3T8&5-!!rA zDWbIFPYoq&hQKR)7+~Ou!U9TMO9OgcHzFB7+^u>We6Q>hNoZcWePDc9XLkCf1Dp8) z14*|BJwf+A97SQOHmOT<)k64Pk1FDcE>l0IXpx}812`kxcI{6n9+0p9Gtc`u#ru&8 z{*mGVb;AE8#bf`K-m(8m?bv^%c0e1=M{4&6TKD6*e-EQz1(YtVK-(A&KwrfJ2sc70c?obxPac6fXbEqQ3&~O zbVL7VXulV|{BKa~hb9x~%gFl3G#^_}0#J+vknRHLgozvU^VXC9XK25d)%WkDWyU)gI*e!#C){^)B=KuWGnK_j*3~HxcOTYPgx>bI}Y@o0I-G$8P&Xdea04sft;p1IztWbXx z=Xi%G+=+QSal+n-aXdl24@G6Sdw#Sx2Nz1t zulMO&F}R_kHM=}3$a2Sl!mZxxdM>u0ZcD#zAvgntVz5#$+n=}G z?B~S4Xd>?Y-UXqm9EnMl(BlcQcTK{Jq@F<&D)FRZI-{-z-IM@FGhTT!L9KMaTSNyo2BomUvbdLAj1pk zQQILhaz9tES&(uyhfj7+He-8M1MQGWn`)=w)U-#0i#qTvnmmXs(k(yyVR=Sunk2GT zC(ka?+!jlQX~?~US;O}^ZOfNu3^31dn|mbQFK09_Q!75*I5lKmK@V+!+Etu3X*(=y zFTQut=Ge1*XHm=lZmDz9ju2_yH6@+MM-lF-Xn9s82HZwDW^9GFtFINQ}uOja_wtm$V&xF@{C4hev@o% zIC3JbsCcrW?;7C_vrzO-xdh|F=p!`{_}yB@-t%WLZ#*BsdmTrICK9A}L=w$qH?<_A z_%1Ceo42RB9t`q^+DuhAMt69Pz_Ab*M){1KcEOm5zZtq1ZY{ozaAO#4T1i@Zo6%%= z*;aZ{K$}Pj-ay<^)Bh_OOlP)bc!-< z>`mfu9yy1rBKx~JkcS$gL1~uWled%a7T;Hme zS5|E6$#jOq**l(^8DZgb5E|< zEP9cb&(NKT6a%QT1F9h0k|JDQI>?*D3a`$tN>=ZZhDE!^gfKxGksO`dE5Yzo4~iip zW)Zs>MRCe*JKph45q+(WQX-RTq7A*92PW4jxzN#xcnDljiaQ7?ZAG{Ow+Q)BMS6GK;XX3-WQ8 z19{kT8TSnv5E2uEVpL)$j4=|?ySsV|gisrQ+{4nj1q9XGn?|d$%OZT$kRBU{{3ct?h>>6=W!uB%m3dLq%Uj|3pzuD1-Z41GSZLj{Y zjnIsR2YcrqP`yGBk|+C}8a3D{bEp4_YJ!T9ESoDtxcTQNHT=G?JxK!ssKF;aN<@Sx z^vK~GpTSvo*C4odv=rROsp--@(77@1;ba_H1eSG3%w6t59$8w?KdWeGAeu_hO z!}e@s9OoT|(pgU>UyKVZVi_64P$F8ONTQgL@*?Q-mMs(Lvl-+B)MoPRR-%COC2HMW z{QmWW!sYghS{e+(BlIv|H3m3$@WGw%1Ds8*T-i~+leJGO;&G;fc1gvOE>q--Y!_+b zXAE0bOgEyc_qXcE&F(9die5nH9g-=A7hb)5hOiHYOtw>lT3g24S;&B;Oc@tYF=Xf&+Uj z^?r>zDh|;kWlGh+7Y>z;Z#!Lz?2W>9=t_c!t>d_Liy2IXs(@?fXMO*A4=Ux_c%UbUSkd!$)UO54;~mH zzS$f|R#4?xYmghaOF{9GP|mF`!X17 z>(TIDb_a^k<`Ju2S1#eFMh5pUhUq`^*Nl|zc!ycP@4j*K&YvBzz1sXt8o>9)TN`3r zo&RPga_4dX-6X^IUeODTFWudBNQC6dCIdm zki5rxvE4HihGSH^J^-fs%}$7)?>bVZ;;eDebzehAyaqIOw07^5veGC1Oeq_4M(3#EPnUaWO6?C^iV3rw5X8SrY;kY zuL|07)o&{6jdv(-HLcO<1iUwx$^>OD$_Q_!-3^n<{dB|CtCZj*@tvxT@4?kq7vxgU zr3&*&&M8$H8Ql3SJB&t?3Ij8Qq{n9FG;{X$us~0Dd>6`#_773k?V+x{?@jFU#VwR3 z1>s^Ax816IJA!DIUaRxS*Y?q?HLD&0I!kMkpctal^h13bgB^vr7x@L&{9}A!xOncm zN3q^TGnY1SdxZ2&4{sx6Rgh}v!^}dO9Rj+$IijmD!;@Zkr8u@_2ic6i?SjRbL6y5@ ziOWaayh?8lhO;9*Uy8_IvG?A;dFa)A@Irb$O8QaVBTeDEg7&5}Ce0v*nYExu%IQ1W z(6p!tkV=MfQeV^rWIjg|+mh{p2Z%vIY=T48I6d9z6-Jfu8h+eTTBqUQATudw_@WuL}gYjsqQr3LqBD!SiRKbmN?SbKF0iphCc*e zg%H6yDMv}{Qi!?wwknj$I}LF~8tkR^HL6i}BaS?;eMz}G9c5B0{x~t(mBdvZ4O^q- zC27dF60!i?IX$O`!FH^U(U3hBv2dNU5|i0R@tRJz5pRAdE6Xd1r+^nW=Wz6m_`aW& ztu}rH>oitYc)Al5M|-d)S+U^jI;lfdcj90XGfeM9p&T8y4@y@-iimkC*LP1|a-uXs z2XfO0;3$P*yP57eookzd#pX}i?QYMg`|Ind(gw<~xGv~j^*{Nrx4Sw44LCM z+2FJzzTyB8ys=k4b1n#lJ0#dRr+9f8(y>%?laakW5Q}&328qyvO9-QN(X?gpQOsoU zqq|IG@bkC60*#Z-16(dpJ~{rV>KEmwMS98l5j!v*g)B`fLumPm9nz4Z(@8)P@5Efn zf_vu`O3wYuB|^SV-elkWAw~p6y`Ch9>My>C0R`BzEv@b4ktnm+&F^BZDo@u690V~~ zdsTSJvq?NIkU++6op)nf=U~+Z#6oa|kTJJCmb03MsvmNQ(M;SJzh_Yik5lr|gsJkF z_a&naU0$rdWnc(9;VXh+eVJ5KE>-tsjPM%<-D|U8UoLeXCk8K`m$~y{vL%&^J2EK3 zUnWmrpo$+l9XbOm--cCL-Q3t=Q$MjY9=3LspR$TU7L%4GlqF5%p^nS}C2>n_uqBO0 z45Q)C6XvNoJdIYH`?!QD=EqRa&v&%6>5L(<)?UmeBD<~X?nI2I!N}JKcS#lL?YKjs zg@A58gVS<$i9mS7K9SD80!;YDae5BYdL=om>^FC;WcxZE?>y;z@!~h=t5=KuA_@xc zH|XLeT<)9Ev*h|>bQ6-b`%G2CpJ4c*bgvLB#56D5TcsnsTfK$G^XsEAW%g%C)X&jj zh{HO9uhcE;Z|q)keXV{xYO;){q&&>#cjkDg3dP`aN^?c?pa51t3i)P)vTk4VSHdHUvpwlE7g24oPsd&Bw|gZs6ZR?EitC{6u>4LZ1Ji!uoSfFzCk(_;JV5d7Z?o*N#}^Ohf1GB25=j17$A8Z>V+Sg_S%4~Ac0jqt z2B;g^xmkcU3LsZb9zgW>A4l!aq5WQ{^}nr6b`T2_CqS3kfVIiN0|09do*yO4Y`~h} zVEH#C-hdAAA5uhm;N|~XN&4d}@9!Bp4nRQ%w1{Bkc!boC?Jl?<4Ngf}ft3IlX#JF< z|E`jhjpI+D{a$DGzYQG+fPh(muSr(Gbd~i{x(Tp;_D3WPs7zV@U3L6F#_gw844@yq z{eBy{N8R3!U%S76g@63M{r1BDZ!G*f68wka&cCMJ1Iq6Id8YFZYcN0t`4_Qp8=gYq z>xR?zjv(E%vRp6-@OFFjerGOcs`(c*3!H`EBgo8%sF3cLcQ><@DY$7%cD>HEsVZ{s zbnYrOl(v^%KK8W_bqaf5!{Y`-eM}$^Vt>>BFZTIxh!Ss

q`cAE?7)Z(g~qpp+->S zgZXix{1o?8E}FTpV%(_TY8>!`E+hLyUQLddMOv6z_P@E)kz0XaLPDRa>@ZV*?tQ2Ruv;al*H?=vs)tq}}Ml}??w;=*Ca*7)`d z8<1P~;2gwEp@0k*5(t*ro#(XV0|ccE10$cJ#iNegB;u$5#n$k_4nfw|hxR1O}R? zllC&9vFV>{UuIBElj?63n9l|gnYKn7nc`{7YAJSusmw3tWK9O??~&3BTuvY8jMkU; z#u$3b7t-<;Tj=qen|0*$W+dftY!x81LOYwVO~^8u=?`Ra&S^I2d;9NFw-K~1d2$;( z)79aNgzuXiNWaxjduixF^i^vd7Uw!$4mu}affSN^EqFy9l{A2!mEt(2w7B{tz?OT( zPYmn@il~`aNL}*eIQJF@h!1fof;4IHD`isD;u~o#h}w$x?@37ScZpp{?bcs|g3;<^ z^~vS znTX9O5lY%4ckpk2akqJaefC0RqBEQ|}v{A+MW3P^c3a#GG$EB3WL9qsjQ zU!7di%A*3qtcp(N6y8XL1xZu{UD2oOT~qN7!$JZ z3kJ!Y)Do!EEDrC5LYs8cp*ytvK0&p!^{1;hon1b+B@~{NL|yXHh9(&OB&G08^1YF9 zc4b?ZgESc%JYThINR69rn3P=S+leg8*!LJ3tvK)7U8DWxjEc->gHqU>eb+0 z!%qdaSuf$%J2Tkhdp@4ik*v}^jU!%DEfRBxaZ}CodZ~fE%f65BhW3k|b(EP;j9DzL zEUL3L{F^QiIIH+O23;K@X~g-E?UB+AYsAU^cRkXCcE*#}%Ha@TuXYyl$-& z$tg0GU02CdEukh!%5pHA0#?HeeDYPz`?YPCPfn1r)r8>@J!Z|~1q?_CDCbYEDarC3 z%LSS+TN3>qFrUWNuSah{8CuxK&)q#LthA?{>Qx0o6U_~}LZ26f>3pg16D9TUty~(+ zeuCAps45wz%?$J6*&F=mHWn@3o9aebrz>^HX&C%|sQ%)r417*@zJtJ()f(?BJxq

`bN3dm}-16=&*5o)d-*?+>|jmNK60>=wZS zAKeSb{p{^kTT4Sx*kd$o*Dh`v3JIxtB+wq1VkV0n%!jer{S~Ngi3$}aSp!5HC;4o_ zIrqzG*j!}mtCrE`poZorR}@`_mb z$C}y^AXN)zp@WS=p^RpD2@R}eQy1l2p!U}WBbj-cv?a|YbU#sy8_`rL?uoV8>n9i|6sYC;dyaS%nq&1&1R> zx%+T;5e+kFXnnrsb&5OX5`|KD=YdvZ{OjpsLf!h2rAV>H-N@C17vpziN^Q3EyX%V^ zU8Px-1mO*}F80ze3?KC;=iFX@m+^IPiy-%;^m{l(YG<#SS9;qxw`a`UaW|IFcW<(> zmFk~T0M|2ac>nh6S`NQ3d4x9R{2UCb8}*mD2WS(K`tymC1hs1N>`Xjo=fTMba1H2> zgFngSIsda3JtUDZo$Zr}6!6 z*Z=40BS4As&mHRHw))4^`wQD@*57Y!|MWs&1OayjVqh zfU%6ROK?AmK}Z0@=NbvT>Wob(<27#(+{o7*NA8uJ_pLnFcjBGbK4jbcy@=dVZmy?8 zjz00=-*2HTMF<&*_bWz3L(#scL@Cic@UJ0z)O7k^+y&v!l0dh}5ZxUV1<;^(n#Z^%n~Vcsj0cTVuEO`-ccF z55H_p*2SG|tZZ*}ERpjVBw{Jl(w{A`S$|%z$SHa;8LiQ9A=nr-W})#gCOaTU3rZlb zgrLsfR$|!`wh%RvE(n?(7!Kc-eN|646@+J0-L^b}KP_^$p|74YT{<-sX5y`s%hl{y zQZGYXTH{iesh^GA;lgwl4c43DhjD{PZA+FLP*kshb|fMllJ#^DWazOOZ0fWJ*Yjfu*$KUA&M6 z>un+|x85*$W-7UNy>IVNF2Ckr=S?}(Iil?R#R4^Q14k{j zV6jzZq~&ueUcDxdilz8C*!f}z(dT*D(YQGIxJ(z#X$%ID+=w<2!s>v2(@XShMU2LI zL}Yr4XC9}g&BF;xi0FZkrBRYvTEVNYdZ&BoP``Yqu_PjV9>Ye!(58W5Fow5Dp%*Jc z!8@S`@gQE2qOfd2q17-=I0%&}LKC|@t|WsT#1xVfQUft-RPEl1k1C4x;lRJiQx4|P z0}n2RZwi9Z9QC+7sS9hdpUjf^Iep5=Qahz`ZCLX{11ZLn$zj5 z&rf6Z=^5IsN_6TQ1gqI4*k`md`fp@BOy$`&;u>F8Gfi-E)})I3-KzOXwH?*;zi&ckHMUJ4+69Yx|0CXm*e)5J0>VS1WG}P zSt;L}N_{sTS1K!FO_WkCMDVTmUTQm*@2%<`V_Sq#FPsX9!F&2O1R&6a@`y8>@5wK4 zt)#$4O-qP8qoyZxVlaJ*kPt?95qqY!)v$%Pqy&P3;HX5vOab{O$(ppc7 z8l~6>;-bUZcP`Nj7kjH`6|GjSXIxfCVk@`Jq``%iZcM|>WF|N9?z5xrZXB#LCYd<8 zj$$^Q+up_t+>g`x4Uk#0GS!re<>l+{5u2=_1}6txVVo#X;1N3tG% zmY9=JvON87&j(JPI>P4GEIDe-Jfp3xf)yL4rM{?pdZWL=;hYF&zdH62ztiKLSS$?O z>%iC0U(Vv+cj>o1pYXc&+Gs2YcG}}wxIBFAX)T35?7>bbASp@2ZZ59WzX;92<`)#l zBFrk(z)wZwbAbN_6&oCfWGB@G%c{bO>SKq#rov3D3=KrDTS?3$G9=eKm03ghB@Zf z^~SbQok5w1O;Imqd4`2}YNA4DBvjKk^^T`_ zH*nIy(;)#AJUL$P!<{iM2cfkLcU%~)Tlf}`;py%jE@yT{Y_oC|4vwLv_cUjE?^^5$ zQD2q!bkaNPQu&RAwOAF)`3sxOeNo%s>J$&snW;jiiB$*xa;+?Gs&K3gyF3Ex!M(m% z2^rpo1Gd9P^rGY8vch8Q zy`66Gp&Z~EvsddJBqOyFRm0segOs#Rxnv89tIy<$hrtz1`CJ=tc{#_F`wXEXH;T;U zYN4z_5HGiv2pnVAkN3e%B0wR#3S+!yL~l;JNvjh&aL$wV^97<%l9>u2kyaJ8^+#QP zqZoqm{j;gE>~%Iv>PXA!>$y>gnFtmiZ6uK(Bo5-B#;$rTN9j)57Aub!AOa`t_c}yLGP=q%$%L4^QQNJ2d1zsuIdJ z98t#QH=e3Nb|p+*Y6ZC*nYP1(+w0GdwVtoNrzrzxU(RF}`s{PCW)(mev?UAs(%Q*g z%JbEUr;gcJ?ZOyepR+PNmJ~+JQ23ZDA zXXOs1skQ1JW0t|0t%`&Wc`K!9BW>S?&s33z$^*cvsD5%NpK3%cIH<6L1&4jIpR7cgNzTEybELH?L-m6s75|gK z4pxlRoW>VO2^mUB(e$ay;oev-&R?cZ^Xnt02F`E3mP?;4kfAx08VJ~iQxutReH0nk zrF)irtWn-pXPsz~Wof8#Vs4d&I!1p_!mRdP=sx<3P^xbWVy)_Tk<-%m98b$Y>d#O5 z5zY-H168rYbw5i%Xe}Ugn7yIcvF8ZzB0w?{8k;BPdG`rSP}#Tl&BjJbkpn$}+=qAX zN+$21aa$DZwaM~(AhCJf?5I$3wFc|JqO)G6$$GJVpt!}M;IhPOkIW^MD`0#Ofyp<| zPRg{TD$IGo!N7v*R}xV{%d}+<1tYD2iQ=VQ^Ef4HgDNwQdrGC{A)DXBIea8DTgR9@ z!MeNHm`T0#O}3&(a1f(G(DHNXk7F>RxWb}}6}j?CYc!nX=O27d&tbd-vvPvZATjTv zc&E1{Zc@PdLIE+SBx4m!fbOOKCrA!158LovvT2#)Sq=QKCqx=^Q2d$?qmwBw-;WR} zdYBkD>SSFf6r1Ixn+Y~4tm{i^$7ma^fU@Y@vuoF7mp@4nyfVa)x2EgGcozbmUr5-t zrVT0_G110O>P8?hB!uG-_6|JMpgyod@rx@StB_5sv{g=z!){2fWQR43gMT`54UYV!NoY&Ah-hv?S-VX)Qe${C_Q zYpKRh^g163xd}FgSL`)GN5m%TRi0hTg!%wvPEwUdtgD`y{8>A6X61P$)kHg^>X=FP57w6qFH|csyyW#$B_z;?K1FiJXBF`#6sAtscsW|i$)uX$o5fDIhB`Es^(w$jYZ4pO~Ky!YvntS(^&CmG2=p~UKN-;H!l zE9W?WC4L1J92E%ec5H=B|H-$Tj2EqbMSrfAT2xc;7>;97CuV5y>$Zn|YSRAR_lvjc zw~QKGUH8Pk8PDSHIGnx>(--(#U@7s}(OZb#eSV7yq5HJKEbvvaA=_H%`7YJC=D`jf zc7SK#VIiT<*U{%oENz3LZV{}JQFRQ!?^ZCgp;0sArB0J~mhfs-mEJ0NLZv(iTc%>= z*|9aE_;`bbdH%gQ)}1y3%veF+3P$mB;4+M%irW>mWrZgSnra3={aU?JMeM_6v?94C zOwfH_Ood`uTv7dxN#agbi+^RJME>f$|j8TJ;^q^@WM}E2vCXf&lL3+@bIs) zh9BwKA7Kd4e+57o|Bby3Pzmq@h5%=|zg&NnGXR9*Pf+B?bN`;y{_&KS3n+-;0&H}- z0K#AA{QVE06cd7 z{{#E`!~m=uzyTwmn|QR3W(Ot#E8w>S_+JBOwH!?B-2Y+Bej*3>af|<+F?(cMkA5e= zM#c{KoIEfc7G(XnCZy)L3P?JB@zWkvX5^xj`oO}P6 z_so*NLnwdk_!H=@_|Kq!JN|r>{rp90(yL<+bVfqI&o<0+q@WwF0WN!ldd9buG@1VX-P~>I&Wn2{IN&DMAi`0^urWj#W5+||quuS|us4ZA zq^Iaf;vA>M76!s5J?ow8#?c=rkBN(xEg!lASPU^uRS;<}&s?13U+m{7XwLIKEhn$6 z^{KShT(F~u?uWcR;xML6A!iKrBMWB{hcP7f6T}xJymJ>9hTBJrRmEi%CvS#wpg(YSFg$qeLwrVvkjKL{bfCv8hdz{Ai~jWP{qUJ%p+)*eXc4DD zoMRsXDkh<-KvcqaN=p`fhgaWS;vG{}mpHf>c66k~21w^H)}I!=lI}NeU(}#>?lnSk{TEAX^%CMNg$1QU~5@FiloipZJenfUL zo=8UeG_79QfWry{-7ZR;E{@ECWPL>hqRBq^NYhe!+8`BNsn3yuD%xEMDa4RIy`DzJ zH@d7AD@BRE88BofH5*E^lO%*f5L?snmyF3E&=McNR2s&DF$H{hezFM30dFw%EVS$} z{48sx4ryscw@0T)V06%$%h6}vqE$E(?6h>r!uwhDY9dU}gomEx=h#rRh^3sH?Ju*1 zTwdaZXp8$#b(@d%-V%ywA>!9m*)E6E(@&$^t0@uU?h1W{6IFp2BT|y@WmsY==Z21X z^HssI1SejE0f%cXGFbwlxMj&shZzD)swO+!f$eQ-U?6#UZ;#ukx9IumEs+W0o&^gC*JZ0X)#{X&{v^9cN`BaW(x#+DLarvNs+puNX;X9d%4EIbIO6myd9)xtLN_B~<|Qwx2V|s8>J2@^1#is9 z`u27@#7;@UbJ74>LA-JO{U}b9+UUo`ve^|y{EzA|SfOm7`u9#K6En)fV7!%|5K zXGp`)L_Tjp�$Bi{mAG&NPYyE8SI$+y%ZbO1_Ex{c|k>xSaDMBP5*??-|rv`XDn^ zyR06JU>JV_md#89B-k!Fj4x%HRi&WY^N8zbrcMq%cl&1eBC zjCamGQHjXzE_xQeL1Q;#Ysn+j86J=Vz@8x2>6L zf(zOK`IPqvuih4lWFhKO83&PPUS!yds*Ej+P%~G|*4lKKMn@2h=^;M2`X2Ulv51pZ z&K?LAeWA-N;k+Mf!{R*ug3Nsn=eL(dIKV)&rC4?+nH&y&%DQ7gug~G*4*mib$}89k z5Gw=wd?6{Y6sYHGUz2e1XiLsMFl3p@HPQ~qze|s2_P%Nai$YuTAK`xof%!GfhEzs* zz{?w5KlT{ar^KS{ zARj;_7!Fot=$^O)$$3qX%|z+Lo6FUjx$mObE#4Hp(JexhMQ_blhwa|`Ch=g?RjZE` zUVD%1R;WOhsW`E5nkBC}6*jWbFa?+&0DeY?@-I$*3!INiLpZvny&QLb*;iwKzrmdJ{&(toDrj8DYSOF7z( z8swx(-%ee?b(;zv7<6gp=4}@<$Wj6KnUAKm{rPol4=wdzdwgfMMY)f6@q3toLzi6f z)?*{>*~V0lw>)v&&)nkkmAG!2B$O8kwe=DG6Nb(|;Zeu6&^g*jY*3?9hr1pI#E|A$ zM47Ots(bW3-+g;OKpkZeHq)n!WIlk-+^a^M4jnJ>HhHl$zD!X% zF;@ghCaJ_Yl#evOV=&KHSN|36_-9E(Bb9IwM$Av+fw;m+;d$2#Mqr=ZjPWrstyez6 zL|eb@LFxWf`Bd>M5#l_F{rmK@{@b;IS5na=3}4shFJ8%oFS7N($Tj0a4hs?Zy?0HA zlAuPujNnB!KEgKsoHbboUXjor=HE;tvA$YquHAaOnK+~bNleE_Nb|B|u~kh**$E`f zFPQD`;>{QNt?SvSR4~}BqG2#EQJMg*jl<#Sm_xPgC2eFPzGAsVyyF&vrVD~HZWxjC zB2`tLTw^~89HMAzi8*)T-l75Xz8Y;MqhWdO!4awlvQzF@)y*j>$mYX&9OcV*P3`&m zufLlnN3)oWAYWHvpQ)vM@M21p=z=-gC{YUUZ$2yV|`1&pssO}nJwhG>#}O2AO~c=AW8^KRytvX zC?Egk1%rr+9W{J7`Y^K@Pi`Kf6`GX}qnoWqOzt3BLT3@Yo>lS(Gm&Et1r2OzuS(H6 zXE2-F@Cbt0=S`C{_1^3it^bdFg58wfMbB;mJI)c ze9#A^vc!^lF3=8zD|y6(6Soce2ozhS%X*^EfqLpy1d|JG%3-Ju2v&JeqiBoPxv%Ho zkqAUtH4$qjXt_vpp6GUSe6e+1x}?KFprkf>c3+9}tvu?2A;&mB+lWX?$WfQS8Tz!j zW`|cjNIE1^^Qxw7nejb4f&o9tu^~DCSEZ}VML5P_PA8eh%*~gohk7vlwG~1qxNhi1 zmM=Q^3#kLBXgKj9+@UaX8SwSnFh<`yUM#X{J{qj{l}@56?DTSXe4vZ;t$Mh)kcRRo zYvWP!rC>zHe2e7Sn(s38)mbDW1eCOz_34Fc5mu6h6lVJrcF^VgT`BArM3CHW&cy$0t>bem^Y=oWh>w^^p;#d6Iw@^oPTx$JKTKk|@98xj~0_z!7x%h6< zA$K;J7(VvdJ0YF$byN)>Us|;B#=PE9I5)D`<&yiCn0$Qr+8BqQaCM4m;W>3Ph-D_sC!{N{mc0eS2AV?5m z`8g0#Oz5LbcnvZk2^^`+^QE`0aH;Y&`Zw`{8wq-1pX?WC8~T3mzX8ge{~jp++>!qg zC<8g9{}E6I!m6LI`>6owM66Bx0|Wj7kpIE|=lln729`zt3Y33e_5HuG2UvdCVQ~V< z^1xa>E3n6a1y~E`0M@bDxqonm|L5d%pfSvEDCPec8c=u>0OZU68XD^lOb-Bt`k#gN z7u5H2Mt=ow|F_VXfvUKyKwl$vAj6ss$Qbw`b^$cwW#?l4p?UGILHysSH2l2A|E0)) z#OfbJd3JUn#{zg=nSqurY(V1m4?SPDf2$wyXJa%j;5+6Kwt;!Eqop8Q9PAs|2dV z@9_M82GoBVLH~L+e+BBC!1MYKfqH`$(88Dp^@oLVpTLk%#XIzmvbSKynODRm2PUdm zi{g#c#@ewB@f1YT0v6Sa-#c0HRZ@)mZ4|U1s;M2h$irCIbK8{XNPGHiPza=gE$+g$eXV+d!(USx|yMOoVE~`_@)c3MJ zKEc>5FZl)sW0W3NH-Vg|?cnr|x)Yot+^hiBxOA653_D+2`tT@X)>18S0e8z zDq~NuofRofBsnp?iJY+IhHuh?U>bS$11BQ7JG% z8QEfnCg^O2wU@dOw2Z8wZb!~W#`}C#nNilZvvtKp{n+K@pRH(jB?G*&*FJTI8*~p?ZnIEUD6$5pk4ei<%FFjWGwG9}qg`r)r!s zHPD0_Zq>{`6NZj?ddhS#y0sYQST|XyD0ej$G1|3%D&?Tt)ii7!orBS}#mo@IHkHrb zEfXX|dSn#3P#Fc0L&UfhtHIKVb7_S=Vp|hoDH$t#y5@6U&=`(t~jrO#_o6kf@9^j@T z5R)9w35^Xlv>ayOC@+kq@zLoC1vn=jqf zv@_cZ@3WFW;+ zzY>n#O5Kik=Yk{Jy|KI`4~feGw$q8##7Gbzr*#Vs^ou=?vMytQ)?;oLr)O!CvOr4~ z2q76l1nwMd6Elc0&5}CO-}=cX#Oa_#!5C6utD_Cce569-1FRdJ6X#TW;XrzE$#!Zt zo;^1sUFlHbVKE{nV~y_9%shwo2MmV<93Dl&@{Sg!Ctrb52L<#*44Ff-JwQPd;D(*G zfIDC!G77g)ULB{BQ&R9Zpj-oBr#o><8*rfXyaeMQ=wzo(O3A_a(el00929WxRh~K{U3%L7_&EwO4{06$Q`*4@4 z@gToc1idd=nvGMSxJRUC`F;!OMYvQLQHse^Jec?b>;ybT=-uXMVF<(!S+7z=;*_zm;Ieg9FNqIz8o0wFkD zS8B@vA~6ysF3hIO`x+wL+ap(atGXZt;Idd90%;{F5W{S0^O-|kO!=tkpFnMHKBdc# zO)e=13q^=eN7qgT_6$b~0(gT@=gEFeP=0VJL<9>>qPI|OxjU%}UY95YjWx8dj~1)e zM4+rx0fn2L)mrMjgmItn-P732)nDq!F%hhVF;vK{w!ckbw}oVOrhh=RrEH+!iO0(I zK}@m7Ods+LAva`l{Qs?ihez8G|u1) z?eI}9l%--vl*iujLRBhZFq{Zb=(cg&}*<#;-&n&(+*zj;_(sA|{dtUlh zRP52@!M(tR;GwmluE59JA^0E+R>u0!k@%jPR2|F|N z>bM2Q2wHZtz`6mXc(>8p<6X!kbi~Ad9(h{biJqqdtuM_yW%{wc{%9yKbzCoch`xMD z;YC!*r)Svqv6*ppL0dsitZLZQgmBoms~x=x9{qZos#%C(X_T*@G$%r3gP+gLcrzzh z1P7Ns1t?s)LtryRr&hE0eBRS}y8Lz=RtA4M_t+G7m%WJ~lF1}pqmim6c<1Zm;c|ZA ztgc?-(IRy*o0K3ahte)S_pM{*-5%@e%&gs+Qhc>D=)$?=$_yt1WLM;{e=My8!+U7x zzJf`BnjZq=(1#pj0lqWiE56GJNUnzM0xVR=K(qHV$E3Qm%+`K+2SNkytv?tSS(AGk zAWm~uY(8DIS|RL4b_vaBavofal73XoExA!le(Jdf2j9IUN-^kd5UZ)#U)X1sJxYL+ zV&@npyh!B6uxr!O6-1Z6XgEa$1RUJ5QAS%>Szg1JJs+@k>C&Az%wsYMs`xHq_I>ex zHCgvb<^6Nz0{?3K7i#sIH+Y%nn3Kzl)cNmhvcmO8Kux3OrYA|5KMlTZhvJLIObQNv zX#1{h#*JDEFL`oAuZSFY@f{p+1f}>l z7#moi{S96Gg2?_{jQ+Wq{v*Z)GRps#7#r9d`x9dWx#&NCa{U8ibNvm*{`uNpck%x> zw8#o9LIZ&8Z4RIVGdHj=m+gmpH8=PFx@Z1p`2VHQSb$vuz@!DoKYHfbfK8^rHezCq zA2!zi8pr-kmHg*?{+q$y;#iIA;<^Au3#r6~U z|G0ENs{s)x)yE^&* zqG$LI{^`GBaSq@^qq~|=XB1!XK zv7&$6=}R15u;Xm)Ni|+d@Ayid2g-)~d{VqJ*Egd3Y=6DbRwn3I)vHFDFa@vf)|Q-5 z6aKa#@=4<^LTh!WOh1d$3Wuw8>Cp7JMPap)QxBbY;XeOEWTVwgqn5(yPgg!9sR%8JBG+? z%_T0mXxtkjbnP789PZJj5^X3DZ9yl75i1AaR%Oml86fvb`#G}6 z1w-3A9o~GX+e$q0#3drQQ)pUXqdpqz{eEN4606M5P7g;Mm^S z#t?QX6n-PYtxL7QyYem&0mfiISbq`{`a)%(#6*+qOUdJlhVEORq;RF- zx^i_|FplC6Ikd(;;O`8nMc~$00iW?dSWL5^8_rjwbk=K%OdTJ)WHdf^3}v)dxJ7Ro zm1W+_E1UE)Gc1vV+q>lm?p?QCb;C?)dwYM6&4L88eLU`R8Mvz)Rp7*MCqmyg+s?FD z!0$P35GLM7$;2uraMo&IZ46Ffc-7_I(#}xoZGc*OWQ{>>lJka)Y(ir@+N+52>!8lj zu?`G7VOT~6`++&PmX(U*;=Avwip*fO@G zuOP`$oIYyrn)%H7liu00cq!RgU6i~IVhR6M8R1W0I~+T0&} z@fGq50F6Ku1_1o!M&Q4GedUOn=YBryPJ-X@qF7RvH3L3es!%xxBG7mcR7~>a^oWzl zrjb}O#~bu9+#u1X=ip9UPO`xVtBE zaOY>}*cAnVvss~><*)J)a@q`#rsSU$7&C6w`hK9ZdZ~;70KRAyGGkU;R-K_Mjf6~= z9m?o$m0-aLUYR`ww=ZY0kYye=IVpIC3T8DT^Yx!6lz6 z3bPU%3jT_%EU%giTTYam`fjQlIrj+tj(|=Ae8s>`$Lkg) zFgZI@%CH^p%Z>YfuIW)Rc!$Md{2@UK?En>+h8N3@D3o1sd!~nj@N@wl^Ij$}UkUKu5AO$8VRt7p1 z4kpZ+wlR*|k7`jBCpq=I(j&0@?JhM4lkH6-W?_^BTnnxnfzsPsS!jOw1zpvP=JPDY z?cZ5(UB?+xMm4SPAWyf&3G48n(B#9(Ex?5AFy+9fpyeyTzwO3K^6l9K;Ls9EJa*il zrLdxCWI%v)HWaTjY#X~oXy_I@$G3KGz@kCGbucF-M7<1RZ-miSX(!={E4;FJo42l1 z`_wgrFIs@JVkUnt4_OjyO#fzDqZ_+VB`Q{OD_28;Wmgu#1UWy;NY$*>#-cZZ!az!P z){)gb*CW}HnbkNm)F;U-pDPl`1Ax%}L`5q;%wT*yx^}6P8W=wMdC{VQ(q9^TgOlPe zVpa0pX#?A0?Q*yoxjmFchJKFpTdMsHOUpXRtS<41%9G*vMI=iU&7CNPsyOZ}=7Awl zRS$7^vu59742c;!na|4l(xia+!Z7}Lss|I6s889tZ?m0y7_(WFqv0WWdxHy^x>Yh* zT0j7H6sfEG6r>q_reOGZs|g=Loy`|j_7VlTGJ&KS8Y|GR2 zUnFqE>o{pcloe*fw{lg2Ad+!iabSCyq*1U;L&HiYv0444n@6-dge^j%?u43wJp4#5 z&7?~Gy<4%z$+Cg(Cqk3e3@IbE6{|qAWI2+pD@ri^*=c{rw4n<&!_!0!XpkTyUCi|3 z&lDt?Qo)gRP1>pw3q+i{9m7l3F;*L^pTDQi7%*5W@fLZUP!Hi41_EdaB`Y(nVkJd9 z7rW0zLJ+f*RMgF2*>tm)2G>a5(x8y}QTgba#N7KodgBWoxlT&@oa3cg*?)Xj7JfAH zX7`SQwI3N8)Q_+_m&4(mVN~BWq30tkj+?Ss^?QP>+^u(XBPp)$A?W3M3+~|Q8O`(7 z6Kok-i)LMD^lNq=W8l){*%|7u4T+Dd8A_c$8J+uWE)P@=*uB{&30--AjElWY|MfbU zaXUGjQARu?f0Oxm)8~Tkx@cDN?mA52qr9u)F(%@uCH(HT&{HFIn72ig`?sxwPmw|Fd|4X0+hVx0G4-I zS$;5}RbAdXd)S*W$ywN1F$weWG5vUdCSfCI3p-mTRVFnR=^tOz=FZOcJWNc^c6QcI zj20%&ri^xuW=!VJHr7mzrba;JFb>8azt8}yb^-##Cbq`FaN)Rqp3MI;a2EC-5=_A2 zD$v7#1K6_-Y`X^nd*CSm8`^QcgbYbkUqj zp8a~fK08B{2U@GZTEPmQreXQJz$qv(q|)c!S0$DsYLqZ<@6S5Jn*7lT_+$3>x5otu zZGG>Ex8f;zcF*?>1!V51<7wixq6tk4*9#SmiVNDk$3~e;rdx3p-4i65>P%{AOKs9^ zqOM2geO55)y!i~-JdNlC_M-U89KHHrRDO+v=ejW;o0@2dD)tME&()f#_>Vd_d^x!NJKMjx6`I2y(9m zE?NjXiP0g15xCqMV0UsYjCn4qW-VNFAkT}mii|#A?7byQFRClG6dl@uO` zkZ4BS2D$}%sle;&0UQ;`RdHPX!DN}9ZikmGq$J;{`f;3%I1Y~Rs^m-BOC z1H6J8K#T3nFZb-sc?P6&`IqpFrO=$Q7D7^GsDcMYzex>@Cqzfrwr|nq$TbnFp%Fko zDm7$k^|U&7TkRd3+%Rd}7pgZx-x?cj5D(Z*27bzI_}V5^0}x-Z=!`S;HDr zB@2R~)9@A?P^rQc0`&!3k;!C*-3EK`ku_Q$xviM5J0_{`+jrHGM-gQ1u(gQRiBsBi z5nSHjbv0(O)Q^0vqvEtwa+hd$1i0sDZ2EEa`AcD*_Y+W8B$L%eQRyd90>-#;MPFT7 zO12VUNWu(o7m_|nx^X&2;FXX8`-JyZ<$z-hzW~RCN<;${d;)d4o%OFsW~VY?T?l5A zP)Fua@1waNSe{GodvBEnq z{)tc>qWx@e`~1XCUaLGWa73DrwXEU=H;vFLk)=KDB=24AEVY3WN+OVP&%;iJhysrO`n$Dmyy04)0A1dsZh9v3YHOy5N_ zMD-snpNjzwyJo#+@yq6_h;`%}Ga87lJ@se(d`POMbcgAlnRccE5PRv=#HiNdFJRw7 zr!|nw=QfhKF1s`?ir2ciduEla*^A~-k36)}zwv)(F#-+vAOeqi>4WK&^&WJ$TpEtj zMyi!xW-Okyp0g)^cyl&U()yUMqa#9b&to-XT3amOZ8$lJg{STe-CLOTJ7TJF(s?le z6=!(7qWJ(wB1h@wv93JP{fB)n6)=SM5WN?>BV;mhc>1EqjoZsBPV zR!;PLRZjFd<%w50JbkD3g9K4~u~SQ4;w0Hq*%Te^CeT;_q;A9BTh7494`5++o+4*c zq8|L@Q=l?pN4Hc&1Got5*l)fsGZ~E+LN5&Fii2%O&-oNDjZB>H?|xCcN04RtQfVWf zK6yEVc~n{v@vVY1@sMHgM^J!hLlX9`cSndgoWc*sPaLp&xO^5W^B{=fvK)5vHBUXHg6&qSoABIcV0|8 zl|?H8xIFYKQ*UZOBSH=;=`ZKz*XScHt+WL?zhua#`{gJ3NroQA+QMLkh|<*gr1V>= zFJ+XvJGuk19(!BTx&+3RZ= zR#!cl;Y;bVx=TUP@*Fk-!Px=EQEa^i2yoI@=Pxfexq?e0U`^Mk){f85fY13g4_X4H zuw)yNHbiAdXMjl=K!h1 zr?2)t1wSLhZg^T2LQBYp!9OzvGY@X^7_9`-xe8Jt2DA~AWXUT=$m^}EzEnX_W~v#t zt`<{-&x;@1ekdxGoN}*Gz&Yc-^gSC-`O{O)vn;3*e~(ngT^CxlJ?jyiDjMP_FW?&_DC2^8_GdM7VdFF{B4$YD^D3OuF*OH_JFz<>!_?^IqSk|Xc#uYM9qXi zhr0{_7Jz+(((T-#)64jQN^AV^5Ch6wv27O%#os(J8HLIQPh)wneAeICDa$lRQJ%Q8 zu*5r=bNjQH=yN`tHLJQ=j`n#*!Jd{fH04l0RO?p(p=;=1D81J(x}2KIxN!ljRr3;M z1bJiJ^zWa!f~elfaG3VTFqjvDAoePlrJk(P*U)S}T0eLeOVw&tjm zg2*r3@yjAFuhU4s!;rnaervd3T1S3#awcucav z>{y)#0jfVS!%mE@_cA-2bVlC1RK5{Pn&e;(wn;%@?i<#!n|=h2pb$@DrSkf8l$4bF zi)r(Uc+vFbkT=}4SD3ZzimxR$_}*-sEg#^VBt74A&@N;;h!iS~7Ec0pKOeu^Ngzc) zO3<8+9unS@8bz62vG~LM&imYy2)-?YtXEJpECFRjSZGQ=Ei6d|A>D*X z0X)Ax&Q`@cYB#p#X^g7>GIQ(`h|-G9w}zAqkM>4&qci#8Pg5VwDMXc&o2{(C_P`vy z_S%Yv^YLVnpWYr$n9_$=VxxF-Ma=bo3}0K$A!8=S_QTarq87$vl%_>KzBJt5LRxi8 zj@g>Jb{>zhle9RZtJ|5DfjmZts$tA0NaSV;pG zQ`vxs{4WE4#`^DI)jt*A`W+$lf8IvQ4fuV*@gIPTnFEL<|I>(I@o?Wrp zYAsf9i_ZV_4M4Q! z!rU($VkYQ|ljPKwC-Z++42=li!$rnWvsPLTF*DYQ^TkU)23PvR@%muR;M_D_e{j-3r~CRbZpVFul*z z21`heux|v~O1%7e0w7 z?8jJ?AJGe=>l?a0Q?@rjP#&~MP&%Vt13!6%&biUZek8M2YKjQd%Hdb$MK)|v;M{pr zp*C_4yt51%8U8(yGDIJYtK+6{`z0 zTVJ^P!m90Oq{g-=+-kI~P9*lx0Qg{hNcOh{Jg|4A#9n7SfiqB5Df4wvRy(e9ZyQF) zxDWd7UYllW&nRvqbnApFYX}JJ>{XJ=9T6)je)Q&?fzEA?sy88d~#l&RKHkiWFTRVxO94bTdYHI2kvL4C! zC?cxpm?H_DK}U8_@3MxWc1@R+6%{RZf?^EVxerDW?R*(p-3~l!O}fTLZvh_b-;UQl zf}`cLqE8U__NN38K&Qtx5eb2*z%;SToT?HqcdEsEOqCbpe)GEIR3O!o2w9EJLE%~y5&2(u&voO8OI#=#ud)-UHzsjOF*JNVgM-#f@|b3=y@mwI=YpnF6V zLI{w;JVhG^pYRqtPzkiGE9QEmuj>~3GexuAH%6tbWgWoApF|8d+Pxj92(e1F?WDH~ zs?+$dN8h%_wg@uJ<16xeNy)LIFo|s)k=%Jmmw1+zTU76y6yYf0o+U7OkYGCCS{GCv zTTmuYZ=evIm5dxx5_?WPFC${Odp09|q3-Aixp8qT7ea9Ttf%A4EtqW+>5chbAkOrb zFL!lE7Rs4bQ(tIfO1gAk6P>gR>wa`cO($k(6AfZ?udec9Hro~)bE7;V%pQ>;&{pMs zSX*h;TLAW{$w6Zz42Hu?Ug_>zjR9T-mWgh4@R|NDpWnBsb!nO)P&76lrT^>C!ZpaiU?2pSFVWvm}f zh4#L8;zhPwFd5H5AZVDr_=I;LGDZC1l5tw3j!*6hPa8+l=ocD zDI<)JzTa(+A$=>K33KkW)Pj)yjbWAjxESomibRLvgIAyTl1~C38aW*e+4iLph$3e- z$q+!HJ}AtQkl24N(lCB^4}5YQGvzTIit^~9C9-}zddbZ(E4%KEjnTP%H(z#OptsQT z77mefo}iq5ej!@|LoBTleN*X9R##j4)J|_W1#_ikb>^^UW3=jYqEly*%8@h^#f(qT z&(CAdDkA^cGF`%u=6jP;jay~j1BAml%Ey_vYA0IK3DlwC!-D^8yCNW~_e<5nZ{pYmsFVpq!H$L1z zzn9;p6_`){<3M0@4^Wbp4QNsD=Zz0HkdO2)2QqW80C`n^-7)=gNq(Kgf0l^;{f_DX zwn<|C{TB4stTZ#QX7L|xlKQo^4BS-5{F1ZufF-@ARnUt{^26=QYtc za^A8%>OZ8!g0CZeT|XDF zgkVss0g;>BZSw?fDz>NGvp47S6tp7`@Ln9zxS|76`>put^k5R?i4!6)sP1p{xedj1 zhK4+Jnv)tYCHjfRp4+)^lY1dSMOc^A-ENr#+wYGy#~IJ9bp)!2~P1!v!s)hKJ?0YF(p1{xwn)SI;hW4_EjUuZfyr8JIK2=;VRoql>EfAVn z@q0d_4|A&X%>@HrZK#w-N*eQF?^GkLx)ojLVYGJfk-YBp<9x~dux2pmCaFE9R%W|I zxE4c?{;Rw2(7FXDN;7d-TVbfWx2f3bVK0hcQ8A_RQCgcDW#pyuqm^=()TW6k&`REzW3%c>$%tEHwT9xrzmJ~;&v^c=}{ z_xLe&ql0Ldu@?R1+vdq!CNem|jX5Wbf9i~bxSy|;?pK>hUBu5h)9;!CtUH(X(&vSe zir0$XYXr>N+vDESCWEAmephJ*}OI1{H6mKvE2!2L^QFF&Xfa|@n%Z3l3g;Y#+OyK?2wewk?_<`z8SSnjH9)( zfh#H=aP0&`+hjd2zk(nUx;ys7ar;p6h6APYvOwny?F zN;)$KFGP5Je^)3?P1#oMIa5!1cSF#BfDZ(}V`Uut(Wo~bH1ey$uAPBZ=V>Fij$O3B zgWQ=E_Q*%(ye5BykY$nqCp=XiYY`Egqgvrs2-!~!jo_&fbv!&5)XDqBlORk8haNMO zDO?}SXX59_17(HQK~6j~-y}znXI#L1X;3&+?8}KW0lRm>J@|0x(0S&6a}Gf(*gc#a z=wJ5~B2H+8*!6OSB3ho=f4K8Bb1em83c!}k8M?m~k!{NDkv$XFGZ??uRi^49V5THQ z^{~G%r~j~vKNH(jsjQx-$h{cInttmc>K5}My#pMlU3^AOxD(}wjJ;yI zdc7Z_ma<72ShpYx+Evy;QL~iVF`^Po93j6tqPVTi!fuuJB!@O~jXk|RbH+GJGNYphJ6 zx%CBC9H6Levc1G&A)4<~m<(;z&#@n7A3{l)Utfsbbw8%}k#p3#b6-oHx5#ya^nN@Gy%&psjZ+Kvf ziSKtp*cablBc3r!^q4NCH0JW8qy-?uncz)$9rCZO%yKw=dw{}U!ltlvub)iHE^@#j ztfX$nL9(T6c*Jri^PN(sIL`7eg}!9Aq8YyvV3h%{7x5BY$3=d!jjGKrms2lP7uW^W ze3SRgw`2&QnyIXqZR_tijDs&Mx^d`QPOmEzH%1OpD!JwM4!(FpjTe1oI_GQgSWo+& z8)taXjD8gZyBb#%#6Ve*aDoe0bqJbct~5@**?JzmB-s-4{dm_J0%9$%!{zy_hWs>^ zde-5{5+XSrlvIx{J_j2;ml!8PkH;x85_iuYeyR2naNe+nd0IX>B$34&CFDjzmCPGw zUqg_if$J9}cn-+`{~GUVmo|3wZ3|XwXg&4KVMvX{g}wVb+6sY2d-b4@Hx5~Z^DPb| z9X732I9D%JqSQ!LAQ>_@EV!2e zPVT@tEgwTHf6gq|fOLw^EXpL7Q7|!5&&Os2;q@?Ul4hhpP>P&tW|nlJA4h=z9_5uB zpy~S?qcOgiLXYR@;*XDhxq)Za+yf{N)%?kuCMcfO{D`YZLNLp=gn-O_c_DYi9K>MV z97z&6pzP6={fDBI{?5+Dmx&Yu1VRK7(NmT)9i;eRU1+|AIjTI$xlE8#;DOFs`AUwF z>mHPeUu(KDCzwUCN}z@sBG=N@^3Aj<%4qIef?c&Glm23jxn%R$7*qL8; z@~^6^GPa{+=>&8h$YH){oo4dU*0iTsC$~}q;6MKS{XcyJ|hCW#D%%&dFms%ZO}X!Pwc<4ff**4Lo0 z9!baY6;MO1)HE4KqGwa+PI8y#Q(fCWM9i}axL=wcN07>*aD@(d9CZOf9BP|BkWNYR z{Hpp>h}+zmR;tl3N*`?vYp}S2&3Ea}2{kOFL-L(D9*XmuvKMsUnA8wN&lX|2?;~1- zwd8>k;KGI^D@|}rrBF03>CJ*%w8|wN_agfX|~j6wMc zw1eS+uuXv-rGKxwqL$5F)IqKX1y}Akm@^s4uxfdA0;d^59-xLEo62$I;`2Dx?qX-n z5PV9MR9|vdEtNNXl3$PF6APa;tokxMw(sR4X2!2?cO&USKdv?BlFsOmeAAF!-x2_2 zBTJVe&!t@5>%7zhcd-kVq{}hI+Aj1pTc=~zOymtG0Neu3Z~DAL-XaN8b)RLzTK-w8 zvX&8aoKl|f=%o@A3GpVO7vC`Wke#Oxy1u16 zJ;varv(2iC)NP|Gz1U#i4xO{=GML4DRVFvXaZe15Z?=^>a6C^6`bZd`*W~aQ`Y>n6 zKI579=TY;GkyGb~$$}MrY5EdSW)VP;s*TEBE=2(rG<(cD0=Y&>2d>^I=}q<$N!msV&^{~;9uV3SMc^lRRdh83ug z19VMgW99t&gwP)^>Yr6|xPLC-|IW<)^dAN4p0EI$41cUvc4h#urwn=A*J&l=FKX!R-INFU->QQ_oR0!RUku!BPV#2 zW(?J!@md(Ud`Txy%y;J^up;!J{5X_T|J}>2hB&T0NWt~XG}?I zl^ltkldZvAk9w#F&R1qElLgRCmRK~2J$12bdQZoJUXXV>uM#KFg>wQ~8C7TU>xeDX z3O;ls8a!Ry!@oCOx0twq;B?e~{>1*>H;xE{JsNU9-@{uR*?4hfx_Nc#l4`=lVWDm` z8G=k_&c!Qz|E{Of!jmMV5Iy_(Ey?6L+Sggu`!|uWl?BOCnv7@(7fpiCUe`p%j>h2e zK`-~hSm+frt~XgPGA!|?qjo|wa{X$Glk&^S3Pjk*6@IoA`k%|oYO&4r2D=Jw#C_~~ zh-Jvn$D3{K+H~h`=WLE)*X*yrB)GSh3m4fI(2fk3Z(I{#)WDXdidn%2UePavz81oq zV1s9c>yK70%&=;sIXT))<;OSIJdS!uRmOjCv?cE0R`qB6PGhmC25A9CrNwTnpK^vk zlGV#07ob6a{S?MUa3Ra2P(j4u@~Hg5K?H53n@P668gog_27yS{&p)?g{-$bgVG-wkCCk#A7Aj7Fd%R*IWeFc&-|bKU%4jwi6vtXCj@v6 z)lzT`*}ZLUws|$&)f(Oo!|mIN|CHxPztyY}Lzl6XO+BwiYX2T0+f~=*$rygk6XD|Q zp}Jz^_<|N=Fu>NwE)~lP*zb?cj}h19EzjgKr-3;J(;Z(YSGpZdJSh(#OY?(Im<G zNM{*tIrSjt9__|JgHIKsXOzsS!7uJ10GEx6^vk=Y<*C;N*LWhezn~4vrsBM}3>x;2 zGeH&bQa9MGr#v)9%nB%!vy??M*Ye&HCSI)s6;X+dkIT56K5wn&llei>1 znD+~^r{)P0%o-Rv*xzY1KlwH-DSB?}h=-yhT_$edfX8Tz0t~7Gqinl z$8WEpD-q6y#87FZurKMk2ZJOjO*B(HF-vN*RZN$K1ZY2b;}y|0>v9)mF$Hk!Qowcnh4zfwvHx)}n=Uo{-x_P9$6Z^e;<n<_)H=(dPKHoxS~cE&N(_l{dH;@G`vb!};d2 zH!^ljz;Yg5XJmQilEv31NefWKXEPiU)cAb}Ww6m;3-Cd(HY!G6_J~k&M7+L8DtV1q z1SNmau!{Lk?3Ru3@C&l{D0DG^OyxQ(g8FuV6T@FvvyAO}lHY$|b;_r)CQD<1sYBT(sI-6xu5OdPeGE9F9B zSE8e<1`SRO6Mzu2BhNz+@py;iz% zE4AlxEXfKaMja1K+F(+w?n&wYG$FJe!Ak=&B#%D*KlR9;faQI(JUv0{YyuS``|q_ z7%lj$F0L7oD$=j0~QXa@eI2p(>k=)6`$Z^Na}Nz zph0$4;)^78H{7-Zq;Rr&tTi*-ZP5f{WCH_YA66B0>Kj7bUdS!@PtBJDoRjj$moB3E zDU@OO5D)oiqAsO#S7{Tc360y$R>iuIJTxpBBYeUB$5H#w#C_Xtx%*IY%JZY5Bw}XSnEYqxd2I zR`#;Y+`NeIqNm0I?_xid_%ysK``fDqMs3}q6J)|?FYyQmY`z=~(xfRm=o5)$Ks6CH z<-JKFMcwR*tl28s^(=ZUvptU~XKUiTmtWf*aiix9a&CT3izu7vnXE@Z3key5NL!3@ zV~$f{qmZCn`(WJ`)x;Q&p#vusGTxEaPcWyFO%B_Pacgk3C4Kq&3!4!=PTZ3>=Ov-p zJ%Tc{E-55!06Zy$b5AjovTe*RAHq`RRvyOZh@HF&SGZcSrD<7v}y zljqgV(ZuS)Rl%3Z&9U^0azjrkrn_ogag8*&JQCi8%!PghPf10+T7}zBzIqDkR7~2A z&)QH4Gkxgyd$F$-R#-DDz>VH5yf>_id|-IV9H}9M{|izEXfX2o#r@Z$%zx}8|EO5x zVf$yK3=jJ~#R4Svt*opazIny+0M&B$qzl_`WDL+6KJtGjy6>V04nQ0MXf0S-08s?6Agn+W zS8ndVXsGgc(f#a8^xsN0SOLt-1K=~(@8JQO4G;h=|IhG#r-Xij=WKtLUfl1!e}IA6 z{)~Zt7znhOWd|D2u>S&F0{qqQoBJDh{?kBKz|{!or27jv`$zH3U!c-IAWUY7A5iHJ zK=cRj`UkxF&rm7AjQsuyzN1p$WBpT9`YN(tzKsRdf8R5de;S>2yV8JHGSBp_9faKr zH@H{N$X8*bRXz%+$x=mf+u-k-a?~%7rhx0W?a4URf5t}8P%l$VYewTm`1C z+M@C?B4dP~g6I*qlZCTTUUn07Y~8^@t%ajrVZ?MRqTBQHn=4f>qg9FM8|Sg~^S~VC z*o{h@BsIgx5A*qFJn<#Xk(fzT%LSPW6eAZ$EhOLBDvY0ej*1 zS^M=v?S5i^WSRl)4tNy(Ez|t{q4v8Bn+I^6`u+XB?X&v;{=v?^f6MRBl3(t#f3{6P ze+~_hu zxM58cK?(1?cTzk8?}}uwq(yvfdtm2uu>E2(EzFPvHyb_z^G_OLS)}fTPW-l@ zT>rB6B~Kv{OlMp7^F0f;w@N$2sZCxUmuo8>OO%JRQ=1oVlueHW9yR!nQ|XW*xt*md zmn1H8tJZY{uFI6>5rDr-T3?H^7|rS`AkexK$n3-FuQW9ei4~keEU)CqzQ{yRie$6g zvz_|PZR|*OTx*KtXa>c&m6eBeTraQ2w5r*)P{CT%M3f%G5}f*;B#JU4@4)2ol+DC= ztg9YW@5je7>;*X7^Ap>~6R+^2u&Lw)0X4vpxGHf*al(cCy7RS?Arz=hR## zNrKDjP2bTqiR$g3;&n6vh? zRjI$vi9U@Y3ZmV5OJcG2_2Uw3xJ#@rEu#pjWVA4nb<-XnHOSCuKb397DPS_XA^UuV zeTR38L<~osGz*3nmJ))~)^~_Tr@d2(Mr!%NNQel!c%djSByp)isy8)d&Xszzak_sv z0rE_~<&&4n=*!@SGg3-lSRhDoI^wMAot$2xhhb#*U zRyHD!T=RK84U~pCE>-0n?>+cp1#fMKeE7P+Hp9+O*}=18Z)&qonT-FjQhz^_kk+nL zyC!~`Jy|)mZe{Iq1KsZIZkix6N=XYlVNdk%4wH2P(O~DnR&dGE{h%AIsW`Umoeh_qc&80=e5?E0;)mCQlNn+gO%FfN^DhQ_QxzYhZ=;|RQn zLh2qTNWFC<&Cte8+m~4gi6U5)7erx`5khRo9r_eI;CVV8AKnq1?%11(1l43vjA`4C z!-y4l6 zNY>~1mNJbUH(rrhZ9Z58>zY+k@>K}Fm8gi7>|=1FCkrBPA2Q6{fnrGQ;^G>2>|tYT zS!8!K=-B-8C01$PV+9UD`p18@wC@MoQVsK%hJtT@4vX4th|juk<pq} zO9@3x@h?MoliP;|ijEi<9qe&tB=M;|z!3S?IihEbtj6j&Y5FQzXikuQBes5fjOuSJ!Rx(c3sr*oW;ygm`ysKUD%U#OJU{29 zp9Iuydh3auLtK?SgAOe_P~oVx@0Io9Z4sxy&N3Sj!Q%%j5_r#v2p;}C^mI%)b0Ya+ zMr#q8QYSM;r&e|wHLa43`3BvdPGKg67Z`*iUEtr0>4jU;NXj-8*A_Uoq^ug zZr~bSPW#zzP^uxrkzfihCfYBqFrYssRDOMhx&Nd8rz^~TYWp8wVg7*2*zar5NO^!1 z+)sGy{%7BBDgPTDWB-;E{e~$3JjMg0?AZbHPA;I+!?zw3zivKZqi?5gVyACoN)KdJ z|D0C4kM`e*49LL)APk7*x5z-8Ai(JbNay|^vHguhCJ)e*#*Jnx+xBVA%2i*%6dYJDFJcM=2d`b7$qES zbQ#=nrcL+xtnPv{m9Y!O43!|+sJpyc+xj2~-SaqA<)UYL zr*N`*nZ>phRKgkXb-=Uyh`fHM+NkMByMDBwl7!|IMf^!+9Py<^UR}KHht7Q3r!NL8 zKj0l!752&|TrctHd^s;bN!Bgau__kOb}eaq;rdZ$qut74wST-GrC1g07N^(I7gV}u zreY94?^9J}ReWo^I^c@ZhB41SVe6OZx=@I&hxa+im{J0LaIaT;>P(|3s+Y3#xQ>2C z_&Cpa3=(A~K78|2Rnhb_iQCJUZIkt$1gt&wnAvq{XpWrTg(C3~Lxa=4ut;u8i~SMI zw^!rKGC()2-3(JT1lZFHn3F<(I;-uG zVLV=2mV2%kHrChXp`B5bf~%ImYIzpb1v%A@U8_q<2rG}NfaIZb5taH?wW>&lFP^lt zAb!T@%zpJzV{%4lJJ~e~hSApy43nY7EffQp*7DEbUA#)S%Bp>p-aJu=W2boYXMq;P=jT&2rM$wbiDK3M?^>QR(F71-ku<|brZYk1p4t51D!o@In}?)R6rwq+?GK&kz(^(HgZ zYtc$sNGJmd4E#) z!jOKX9rmG{?lF$t(R2NUFll)&Vc5`Q=ov)^If)TpfmjktuJ%LULYV$$@RJBmWR}6` z(h5mt9^Drk$S+vD7UuyCRaWx9tR6 zjI(hG`ZIn*i+n1l!4vr5H1ehHR^9M*-LelN`|G)w>H1eguaGdme36X=3wB>{#1$Zy zB}SdL71^Q71Iwd3_V}z;w={T#P&XaoG$`iC5ea$Pw&E*ys+YTQV~3}WfD%{nB_uN- z59{#9TUDNVPdchL*YWVO`$%q7gRSwhsoLs{f?OdArMTccGM9*o?^3cg)^N zWp?wzZyXYgNu@nE&e0upPeIf>K@G8asT7 z?tW)&iI}hH-N^ipT@<4eg(|sxio!FCh6<~=i#zkUWt%{9r(vW!3D&-`&uFi%Cwj8; zg5C+UF%2I!iaPC^l%~b{uf3rveN)S#La~)2#Zjfa&RVpg-a5n4Q6Rge=4cWs0ps^f zD0Q7V8Vll5aSdx49bo}|0I4Lq?}%TtJosFrwmALe>qipv3O!Du3x`>B!V&_tFrWe# zyg)h*@x?X9_>0>}h-noSyqeA590`j) zTn9tNQg5cN{geVWjK?K6(c7oL@O94RVL436rl@ELeAJxn!)fI9=~5q=96ZMHtk`n3 zTx!Dv9As86F_D6OtE^v#e`} zi`qoGl0SCVLv2DvXRrQtZ!EM)13GtzNJ47^hGFL-YUN}O4k`JOnn`2CQc&Cyu~1$~ z#of|b=^dA2pz?(~=xE`2qb(;kOm|*pX;>135CVsv)Tk(!lYVXRbXH!;p7&RA!n~zC zJ3K%7$AU?bbN8z2xD*{rAqUb_h74!%}@xV#Z6viQF=O) zpIbJT0;x3o1ai(0KWt~4^bONnyN(F(P-aYu5cI{9kl5H4IhaY4@QRTJnBmVqV0M3P zYlPUT$Yo>C3SrVCd$eh!f$$Q{F|Yh%3N_b;cS-0(rVhnXiLMX9kScQZqR%_r@{P3k z2i8WIuu^$<&~YXwIOfeUT-{&UEckUgst9Y?h8DDum=*evx*iggPC}Si&&Pj6-RXW; zx+R0xvP$pYuGtFrBv6E5ycIk_sWi#hVb<4!m^3)Xs`D_4yh3r$E`ukTE@_TlCNx$?$hap@H2I@0{mCzs@_8d~ z)3mtHW3F8+jroOBRJK%0rHfVAnv!P4-zT-&y_AE;%m4|1P${XNi#ytgrN}CfA`q9& z*h%LXtEKU4!-$m5g<85Axr8s1Z3l(E0y}MTrg$3j8STZF8Ec-g%&%9>(srD&=GCFQ z?@hE|zj;@}+ zqJGBKe@u$~kJy?GkZj-g>fm5v0pJolCkGQ?;ljlNynuc!F#iL%266oau794!|2CBf z0y3K%K$}obK)U@cG!UTr1p#T;|0}jXf$N{riTAVo9T5I+GxyEal@kPn2h11?K&x;7 zECmZtO8>332n)wwNVtDY#IpW*_JEAw@7Vu;3y&QrE$8H9Ck6U*GO++@M-X5)%K|8h zL4bGbUy70cF1(-f{{QXbasw%LKwJ*Gmq-Jp{ojZbpqU1U4ajP<{zYm3kJ0_Swtp;Q z|KBE$l@*ZVld=PLw`@R1P-%IsVAX-IFE%Ir4w! zxAX&p_R}~vph*lshXHjeeLPBtC7?<((8pQg}%i zy4z@eLUmJT9RV^;zD$#N^_l8bV0_w)$MEbHUV_Pog%KexQRk+|&(raI#ZE~dYNBkL zRxm5ROfOhF-A*~P6a;k$pMgJye_exZ7TFsN2)U`!+XS3X+#MbLAeX#$I9a2_GW0Om zpsF09ua>c%mBZtX?N;G}is*yKHnRk-?Xf-yG+nQhzvII{)pq+hH;VFzsgU>70VboN zLB}ZbF3hOHvOYSY5oKk_^brzylsA1`pHimAnqx*iZ2NXXUbl;RXb2KHOGqTL*Ud7W zEsP8~L77BJ2^e&*T|Gh-nL4TX0tt%MdIlNAawP&r$q6PUqc5L)VTYu}Vdu2Hv~p|a zk&>`jp-WlbRs0$Pc}Zc8ZdFj0d8cEGd6CM-!j9tyMgtlSy~)@()kroskl_pL>&o1m zi~1^p;4wlJ0s~tXVwZ(sBODy-Nz}v5%Myys>&^4jTJPq-e0j|LY2M<*M`sL|PV_YoJaB4hufmiut9|q3 zLkb(tr;10SLDW++&A!$6aaTz!MR{h8g-%j)o5(4FQcnofo$FvKS*S}2B?kCcL_UG| z#+wp2A5~gzPa>6&2#`ymwT2?0a-Q2T><{3%BD^M+_}pWCN(+y--spkv(w&dm-scjTdW(!dcr~-uE^tt8>@Bj-tf7kj+@(%24m_nxkh5|RuS@70 zRawM|{mna}rz0pqmZV{4`nYq%+Qi`HmRu&ItYLeTpm2V)ovKxCMC)iIZ%v{-a}O{# zjvb^lY2-te?LLHfA>-%dY?g;mo=7>u4jZ{mqcaFx`7)hR1#{#cw9k@}F_Yg!dHV+^ z+I|$}u?rmHmQ1uw#J?$>K(V~FE?NGX3D(hu0v8g|8V+ZKN?*&e*|#JdYqXN$?f=n?Q|zNrpf=cx^68`NB4ZZ#C(GbP_Z^p=yvH(?hVuY0oF@y}ZF&)NR=t zV3=iPX?-015a1WPS_O=6SuK2){PdWw%Wy*<r@S;V2k_2Vfn{sGcg7y=s!woar7U;v<$(a*lRFiE2A2+7n0BRt2o5oX3O-yW?Gt zYz3lbDyEjD*m5^fpW#!t;4!(DWz%(PPM#AVzh_;>z*6>06A6OXBswPZ8f+2VbS|BP z$Wi?=5E7$mRfKtwd|WoOc3WgzS4nosQQ2d}W-P|PW$=-e+Yv8io4LuC3u=?bn(?hf zmwCmi$zk7|`Yo~$T~AwfCTmc*AZD1m5d<-t3{M|L94U&~`<@X09uWv}#~gJ63Hl8x z(yeE$8stx~p~gbtPs=3?r6#LznOK%2>{`ZJcCGV}--zl$I8SKxJ5~$N@Ga+4W<^kr zP)i9VO=`0f@*Mkc$u2`3r*M<4rqQN!FBj4E9hk?`f21~oUwDHpX8$7enC|%}^tGZ4 zL2MUk!FRZL(6x4~))H)jyNtD=36~C^x;hr@b?%`8FP(@ zGV1!AUtl=IYyR~c*2O9vcwL@r^JPGQx1|TeSCQiSs$%#~tt0l&rq2iV zjn8BX9X-6hUQX4K?7etJMU!%B-2S zb95#2ht*LP$C#mBu)#$EIaTeX0AXx9suL3H;tx7H4S{f&S*_D@!{C?1o#E)Eg4G$D zc2|7<6V|uReiBgG`#K+8k8fhO7dMliE~IMmXap~~US4(=tmnoDPic=Yq(3W%A?O-= zj^*8gzhm)0t$uv_@?0t12rX5w)Q8~UrtTqUvN^Y#W+)mh>B+k8c^6qoIElKLwDCJM zC1SX!K39RN>zUVIaT8!^o~6%*^OEWsUZjv;iLPJ28KZV#h+!v`)47D}H7nGiS+7Yd z;axeEd(GYU3Ri|575~nER1l2hOO%kvA#C%yg(S7I1}fs|+`D2{;UVk8x!9<(*?^!@ zmK>R9sJN#FU(>cwVNUnA%%9n2un-~RywfaZx9N^=GUvr5^e3iHQ|=O?OAzv4sHQ=e zMT0$bc~{HVLXE7ltchk=Od@~m3zquo>#U@!hXDeiNr|bUIXSiQR~j};XnJ&WC3<}f z&uh^{>(CvQGRw#5tk7~Ux2sojlm{P=T(S*k~KmCL*6QH5G$o(NG|n3CTqArmM;_Hy%5(}c2uMfT&F!A zrG2N@Iplo3BjGf@@|%mne9xIT%h-D)THCiN!_7{lgn?6qI1IHog%-@}bvh-WU8lWu zAFZdY)i-)ZS1ktX%JPredK|r}aM-m)pU6FH9l5)>+!Drkazj+4izk;F`m71?Zd4Z- zxr~cSJoT(yxP0Q6mq*sTj!*EW7>!{Rsv>?6&F1;CorOpzLjS%V6Tgrk=GkdLnkEyg z46+X8IzgRp*R=xV$eqKOws>mWp%IJT(CF|krj%~YBY108MCajl1(Nq1xmq3ZA018% zt>D^5c@QG&vNm_2(G6|9-d)8^f2OeEJ*ez1 za5%@HnN1VEkU_%4fjL?n^3CUoe@cI`D`rjq$Kan=~3-HTH{cS@2x#1xj z%eR7dAQFIE;vr=N0q%f68&VJ#Hxn1nUj+6eDe`l0{~n{n25^EbK!+SQpd13|n+t>o zlxG9YRN21qa;(3uzW)PP$o7-n1INEdC$RyX1`D8^`5xOh%7z^vEB>$8{=^mjJavD` zC;fxN0$5>l19l^SHAMGx_V=y))3|RA-vGY_@KQfR*okEmGUz%2A-D+E`HRL++BE(^jZ9V47ssr*V7r|Vi|GL_) zIb+tOM-tHyn{~Z}qpK?Vj%B*Z%gVL1D_=0Kx}p5>ip6kP*}}%zo0o@|d&_5t$m?#% z?~dKEU87=%nFKrzQ;-&$9udb#@9^Ok`mF@9h6mWY9S$N69_`8PFJ8s)wl_D0rv|(A z#h}ftl%x9ac%1JX$!*9r>3b$N2MXW5)Ges;=$h=`PS_V*G|Ax#H=Y@oJ%{Tht%ke00+a@Ih;2o`X%@KTXwudm1+d<(1Q?Jw$4YC|1|71@}hH z2(hQqMCIAEf^fq2M+*)Mr;Eo>dt3$tZCnAYP?Y&E#tRoqSZ0Tc? zUOt(ifWUC5$6E#wBS^*)>7&xMU#!ioZ9}~pj3_Zh$0Atsly*+g;mL5{IdOPU{xFDL z#Tle?W?n8u-_S6GW>a0EtSn_k@m`h&_;rl-iIIs-K5O1sH~u=)?>0?i zAFLf`Sqs1rehgM|T{d##9t%o8AnN z)PB$?32CYoC(oUAE4AMv<9{KCcK#qZ(x_VEgKvhHR|{_WOs6RwPkHZm0E1JEz(E8P8tL*T>S$%y(HTPE~2T9CY! zk(%k0)zf%bvkOv~d6BBstfhO-a465#(i^=KdN7{JR5*qAG;NI|)QZz!b(O*UMk(%6 zT?^~7XOh_YU}A^x&FsfioH+eH5vEk3$FznqCWyUo=7Y4jVZC^-5)nT|WYR}o^Wdkg zhHW+8)1-n7;{d@ zL>ZQm?JWQ%OP$&F8mi+76d4=2Fe{Y{7ELxddF6TRngn*xiKgj0jH!;Q{+xXmEEEcS)|(HwQO6rR3DelQ64n zz=z9(N6vpp@wK5K)&&gHD;%q)l$=)ADVikb9rS0Z%H`n}1!jrV=aA zpXjOwZC4Sgqf4io`RLFWJPh)yvpQhff{1q)+_Xntt3KNLjA$_gb6`qF4nHeDm;JzW zI-e|KTQ=dn_ERZ0TK)%LPK~kL_L_`i`@l10I#n>o5?W6s-kyO7T(mFWoOe~nM(hxo zw9*xSxIgA7v|l zrZDO(Py`95+>|G8+4(N+O`5U!R?dd_8r}`0f*!9l$iu2R{)kAegOd)Gk|3fbj;^M1 zj?Jmhl97&w>lF+pN}isU2->kP3oUN*mm$c&BufTyxO|QZH6IVU3{ly;8JzqUPbA^= zhUV>Ow4|`jov%X!E69v%t`^K8yJqdwh&)m^kH-Q$9^f z&_~)}&G(fz1L}f8ocW4hG(SDbT;TDZbMhC4#Zp$y@jVY$^?y)2I}%-$NiR7E z9=1{q`;}kt1XdHISs53Car&_L!9WxNkBw-(7()JJAef&EWr#@@jv4c7iUx}>@r7n4 zk>O>|Ndi@jT94)m>`Xj9mS^grSCuHvWxcFM&7G3cQy$bwb}ktTC8Rb9?Ub{ZPFZDq zB@X?Gv+bRE^9;&WHemos{}*nWAf1e<*A1j%WtiTB9Ra9DwNK;{-uY4B$sedPIXPon zAMC+*K$oTtC5&-3E2(TJK;>&2YMiC#U~rmnsK*YkTgoIjR2zQPaA zrk(c*n|}tKD1>N?LXP;zNr63E6L)kzy0^+;y0jAL8e9mQ-@pd0S%{XM`k6$3 zWl6i0Mn6}CzdrDy47=MFQfjZo@?nAHWp z>BXOjQ+i`<@)2_I4pIY@U-Jv81z_R+`|b2UDD=;W`TkD#BVy*f$G87YnF8l;h#9bu zzemVG?(^I059Q(uri zVbV|e(Rj?;rMiBAn&_!HEpN+isTgwD`luOi95ki!hj$ zo&7SyYZ|pqW#lKXd&Hw6-%xQ*QBSF<#6_f^9W+B*RK>e6$#H@;deGdA@Al~4xUbD@ zC$J+w_3C)4R1#V<7z_7wYHw#WuBk`=W+HAdno?^n`AK~ol0i*;L0I`+iiel$=_L(! zS_vgm>-cK_W9pQS&=0MYdb3XpdfmTvUo9nYHR;}-+j=-&6z~jCVXz?`xVOiW6mk0K z!LK`9zB?A|8!jhd)?OCDDwXO=K<8?q7VBD;DimQ#q_nV}7&)6S#8{|rPv=_r0DY}< zT{91*wA0{vHB*nW&%`7+65_m05)4mA!)NWQh+jfL$x`LL00xESxbx=0qxsW zb*3990+usZ9A^!6-B-I6J)14~$eh^E8Xx9o?Y^mah}ts20m}fDooBUWoM5F0M!ND~ zok2;hMO*2q4FYP;#Mex}XM%?gZ!FDhNnf?xQJ#2;lsJked#4WUZ&j7AkLHTfyYBFh z!A>_Yhnwo14Nb!yNLOH_Lkr}khDf!32yat`%=M@^KQt+Ujg!U12~MN}*GybmW@=JP zN6}V7SJ@_EHwuHYVA&y=;`(YCv&TSFX+&8RdXp*3%fDii3z~d039<982#raT7}CJm zC_EnZa{i`@i35QKQ!OC#ZZ{gv0Q-fQ)>6wnINAI7@Cs9bq$F%yB!V~=8~!e`cci|k@QA!BMZ8d$#*5bKUX&mMxgRd zl#+FNb&Zqo0+ezU`kBbY7-m8OdZd1K8n)=NF9tcD5jU}xuFeVEMs2^@;aE;X}#70CRj$;bP-8OFtbl@hnR1bQ5tD>5*ne~Q}+9>JZomNXuuKRDb8TbS2_E)1Vn@~G~!+k?^}Fsvw(=bVMP4(}aI zx*M|t3K>W}Ms6}W&@f4oL%_fZg=|!x8q&R$)M9T86(V&aq@NwB@Qy#U+=5+V;h-x{ zTQWvJGVmhKMljsob_AoFDGLh7r#?kUZlyxW99%3{?iTBkzPQE;h~gC2bga588c7{^ zUqaQRu3=(k<{ZQaqhDg`@HsOS=_A9aWr1b4CC2oqc;kDCTohbGhpTt{uzJEMsJhNK zp+_&C)jH4Q3d~xiX7N%o-N_a8?i)Vuw0u{nE@`!?X-3IsNj&R6XTE(M#INmWG?e7F zB`m+TOWf(0{^>n(@($s&>zXyGgX8IZZYp+o)PrmNX1Ek@a7VUxEJ0it6rU@eN7`E1 zE=C=)I?M^wE_rQ}3>>yJ91fyV=eZ-^n9YOvVRtiFf4p72Ubf5pj7VYX7eo)i@zOf{ ztR@^OBU2G_3}X?ZOK4c}1^!!k*GZ9Wf9yG$OVsJ1_Dbw**(pJa8(~>Hdg^>?TLPp5 zb*M-lSKNL|miDiB{b=dNat!k~U2e{zi;Q@LVY!4@2m&&^cona1<|hecp3vaIgoZ!2 zknE*qTnuEgpm=x_qP(i|9_o{WoSpJ#8IIjG9;ag-pPU#Xb?&b=uIYtnm*i zFt(lfir}-oX+Hg)A(8`zsDtL|c!a?%-MF<}&I-O{hw8+m5(3rH3h{ZDdb@3g9u?j*;G6W=7P$HC&ELT7n59Z|q z29(H`Z?H=mHSyCE+xH&^zt%;r<7h~V5I-)3q_?8h8*~tY7dBuS)DQ;S=xl|#m1RUN zT>yO@*t6J;I%^$U|&`x=ZZQaYeP@=VrG;< zzqbeR=G89PrzpLXtYJw$mG_wLxp+(+z5!dWvIw6n>v89!2!(CF+*wNT`>dNNnt-xu z7|aj|p@GC>%clz>tT#|JrO`+fnE*F0W_;rXuEa zezm~yY5DU2GVN}%C)A77541DWYLg3``{q26VsbZ2KI#m{tIpe4<@y)*Pd*g zIr3)Q3ANEJ_NA}O?(7h@Bk9P{_qu^M(Ixb#;W ztJqFWVuB7Im$;9bqr@x=d3D*!aLu#4ylb>SyO6>jOCP@~s>h5)D#wEsOBzfZaV$4P z2)%$zR9IltLr4-dH`V2ui>A|SVzYA+M>~v>3*^k;d_nA1&1kS=PA4JK76)ZVCov7? z5w0dK`|9g39b!01glwc``!PjKV&33EjW;Os%cZ)WuY`)kAhIm8M8ve%cFJvje7j|{o9A`rDbMS*IXK-1!bRlq zVY#gqPFKcWHci|NwU`CCE-MgJ$7r(*vD!>T!fu(6^>OI8X~JE2OzvH1EA zSPiavh>A2AVeJ|1dC^~r*SE25A@};_ijEOM(HMiYAd**XRwKf0dGRN%(bpo%hQ=7N z92s`H^OAgR6<@)Z_mA8m5$%V3oVb1@$}sfE&>3!zg z;jOQ!L}~Q8f}8`@&56bs$44zyjhe|n3w&6!m;AE2nz?L=`2n27m(dCNHMhWax2In> zHVmM_v1*8B11KI8TjGgfknHeseqy>}#>0HQ5kUlp{tnj?MzZU}JNqveEOgI@H$Ds1 zp^wPgqj}yvhp`HaFIJV?uU{YOZ0M$p#qP>w$msw#==-AdaB(O>h-Gol9W6+8B(D_T zXC~noLw~uIHSS2tojWf$5lLjC%+_}U|KPfwgEk*Bc({D>$7+9!QGg6D|Cqi0UmqL5*5?M@6K5dc>B|ZbX@ET> zDH{jyxZ?WTC)!V;asOFG@Sk=mf7>Yh2VKWE0_}%!zjh+|p^)PjW7q(d(YID3KapKoAxog6_^rYc}N6uX(Ao^7nZ2AS+O4tXkrqqU7 zo-3!dwu||`cgGOeZifsrsUEjm{hwLxX8H`s<&05YPFP`!!CzySE12BzA0zGS=mwG! zb}zd1VX$_WSRBqiwa%`orZW;i;+wW@LY>#*ud;i~Q<39iHRL9K9u7O(cuW(V+Z||T z9YInKLL<^v3=&z6KMkf-NKAlna(m`eCSu*Frg2kay_q>jkFV8m8vs*jeyTb}TcwVW z;Z@#GpxI?8?U&C$Y*xX>OoCsTJ1jbH#oN=atn0=Hr-Aw@{@v;g)J)@`SmY$*II&W5 zXZ|*ZcBl{w@nC!&Ny~%Hqr@tY7WAco^SnkPl~Lae2pd`%AtJD2+owb)v4RT|s=05d znfHYl$#!ZrC`lRcGqQ+wS9Frj3i{a{_%dP=G#V2EG9SJWN9@;c`mm)|#Npv}i>+H| zt~pDHFm}%VQJazb5!%Zkba9CrS0#k$0}Xr$O0pXDaqsP5mLwC^i;m;-Ibjl}<%_T5 zt3ka4_}OjnXlN`pB9M@(MoE?hbx9>om~Bo$n;&!7 z`woZs9@?o^-KqO8eI)Z^+oRfOVI@t5mIf8Hv?@>wW_803U{Eu>_E_ipN^eNoy_Tnt zD=RiYGYn#V>CYxhj6ZIBrGg<7Wz!imq)xuGazyuK#U|M0AZzU634&rKd=Tjy@xmq0 z1uGJ#Y6ClX_cjR_@$!}YrI(kx{o&OWyaW_2orC9L2O_^2w^F^wl~fS2%fZ^)Svt*0 z6>%jpLJ|i)@5=ENZ$Z>-ZO)6-%=cvD7{zL3L$iK8$}QxAL|e!T5NYm2$;%g12qZ@r zI^*>pE$LuvAF*R{R@wR=@Vuh+4=E*BQcgC(RDAZ*vn$M(^8-?nW@S*_7*psw-64x? zF!43RBKI5l%2HTjp1jP4S{Tj^chZ6|xI5n!zSkog4hc{>xo<`4ymlXkHb`@mBVAQJ zGTC}tg!cuJ1YKxqZ91MM6K~fEs&mQIEn*B&ybYQIKPLaB&+#L0 z7E`J(90jNjT5>;<*-)%GFA2lObg&(LG!sPN$G&1((O5r((-jC-+-ESS5eg4SlrQ=J zSo_MbIMbwS+}+(m@F0yRxCM6&?hxEHgx~~scZcBa?(V@YxCVE=PIhKDGs*1E`|bW} zu1;6Fp1YsE`kbm$r^MZu>X8jw?O4H!9;X7RZe{WWhxrx+Ukc1MxabnN=D_LI5oJs@gzAtP%5<;TN%&h_rORkim04V)VxkVuZAfcGrd@CBgah< z849My3CD^7X9U18<4exC4ydhMMj*O;ENtFzNrk4n=yBmm%5P2Q^R|0|RPn}iNN~P+ z*ualR0Q9cDj#w}x5rXnOMvtoLfYd@RX*_bISgD7MIF~v`qf%M5Z%J58R_eTUyasjQCzSq{MIZv*5!#wD9Y) zJrR-`(2lh9>L2&kFYX4BTOYsf8VRhj=$fkdXDV=+D{<#2Qh9O5Wrs!tb76_l%jlZp zDk9>!4O&5~eNio>Qm8jC%FQwNO|nm!X@Dg#;@TEIH5}ZMY8vt!#4QyAXaWMxW#D-dks!N%Le{SD9AAIq~g|c zyYO=b8cne=Z}4)<7f=OwZ&MrQxh;%G5UVGuD5TV<2M8jP*v}?-k{}DUhRoqvWt0Zz z?O!E)?ZSRdHMvPooJ$t1qXm7@Y@P@`5Vx=Y0k)`)g>#Oa!iF(jV|S-2wag8qWf61V zWv)tm?>;h-Ac71h{oH%TpUA;_6}09Y#{jc%t4MTEFp+sJ%&Y-?f@+pAOQ)Q&7q;)QJTr#y7Ru8qF;PUE%;##ree8Xx% z%#GnP`G~mjJ_*3%SU186dIwVeOxd3&)y{a_Oljd|C4=a;0}H>RKmFL=4CL$V&3hld zu_vD~0OHxL$%8bXL;3*^OWa}ZSN@sj~QtT zx6)Ro&{Ns?y;a8%-4iugn#QY}$dh80jgqiqr*zkO{qR`|0~!4D=Hla9QUSZLSJ63~ zxn%iS>*;az?}MM4#81>UmTMX39rvJZ`Ahpr7iW)+U`+c(R*AOf?ovqzCR&{;>6YCR zhLFHhK|YD3K5Rgwa$#c(cMHvEY9YU?s?gm9%edVhF0DQ0dDl?a!b0!bMhEvi|DXb% zqaghA_WRitrnm0L*@F$LM(F$gS!h0E_Vr*74KtoO9P0CoUUf0T<&m;P$fxs93MlJl zCPA&a>Zc`R8l{$o?`D(fP$MT3jBz40aieib_kGibj*(u4S1|!yX^!)U(rxprVd?f+ z)@}Ko*!nQBpQXE=&-s59O>Y(Esb6uHZzMkF!_n~$Solb~3cHM3IR!$-m{!%ZlC9-2 zaBv1VZ@Mvq(K^pKc%kK4-8*&k!3`9iiTHY;?lZw2m}Gjag{4Gw2v2tTK=OfH`g<9) z?Fgr-VbYX>WehUHt47OuW5NYZSH_2E4!`Tx@@aX@rTiJGW9?v&RaU^;abh}J^-rbHn?@@-3QOTY zSs;~e%>pr<&pnl)*6fr0mC$GoJ`AK7HXL8*Lg-bXguv~+QK?DM5)#Y65VxX_3Uz1G z^ek#ZN4{zBtX4Ur@>+E0ZS!asv;y)_m*(3%@2~-1>^{w}Jdw1ZhCwGT?JTiVqk7B8 z@=(h5?aJu9BTdLe?RoJ|BE(Pr;Dehx-S5}p?-#_{_zl@gp{}3PVD;a}6)!44LtA3< zxuDpD&Q0`iowu*0$%&XhBEvP0g8!o0#PMVI{nyo|?}+)2)u!)D$o{{oO&q^flYoNs z?^Prq5BkUBKdMQ8s3LuT?eCo7zvEm$?+khlAf5Q;`oIYkoU;ID34rd8|A$=xKhv&n zSMa~dj+qna!}yKQ12?ICTg%1*oG1Vi=rQ|6Gx&b8|C{_+ zSXqF@86dg;JwIT+tibZdw>caok@d1FPK}O(*$;1ZyP`^zR z0Lvvnrw=CJ1Ay@_PVZkOrJq08A1j34IPUlF$bS~3{6S*#QykEz0$3_x0ve?JnH&Ek zfceAw0fjc-j39u@{h#7~vJ(AsAaD|d1^7k#b0Fs*b_o6z8UJ=0{-Y%P2bTRO3@%m1I11Mx(WVC#)0L=ze&cMzmf4iRFB!xRrS78Jx50NON$MIlmngvqvAp?XHEKW zAE9Vb0SZxtLh>i>B|8vrZ-2w*4C@3T2}h-2yQ!!ti!wW3mWI=;tXiG|i^N0#-BVvK zEjtthtJct8AfV!=Ez(mG=e7>XbG~pq(_`1Se=}X_W6JzsQ%_xM*u1iNS25pE?&NQ) zHWV2x-D(HkioH)(3O_3*MgyDluIb@stF)Fq%}QR!OL`*Es4R^naj##`?riN@3Z3r# zHtcgQ=BTWkc}X9@Nn>hL>rF4>1sF>!Ipia??#B%knv??_J;rM{THC}(NpU~G#wGRh zXfw(Zl100lQws`WG_hS4?GfOBLtd|Dy=HXSjjOxb)7^uNfJlRmmjQ?vSgVFuuX@YD z3#gTV9sF(>W;Er>DPjWOAw5L&F&mP6A~~mvJ^{LC$;Ka!Hu?l2apqCX;j1FD3@r?* z$qgf^Ow%*OdYUzxmoRTy`0NHMc0H8pL}Z#qQbkbtr(=?AA=Ps};2=ciQGe31;M+ND zUb#@Ezi)Ax9$~c|eXTY7T2Z@NJyMMeOWp2~knd4Q5u}+Up#~#Iw zX(Sy}Agvg#x3zD3_*NhvAJ+9If{m3cJ0!79q?F4Y_fh#dh53zl?GbxF338$5C#7##{A>q@-V|`aZwY1IEXDD8aFl+Yc{S zLg*kV1@ZAu4?9&g#{3L|o$BwVyYGl!_R3mW?D6VqxphzK!_G4+gyl{!6{T}bCWG-c z_yjC#H)BUXx8CHv_7->5E5_1m@hp1 zQ(L^|cuisBjGlRx4V5htb)OxFNg=$=sWVp)&b7)6;NB!GjMm!QJ$T^hm3cGx5kfe& zr(PS+A*W46f7;CEQofpL2fis`0_OH7!}bpat#Fx}y8aU!Vj^eIIf;CrbM4lgqWBJ% zg#p0n`mM6Bm#Xwci;}tLBJ~ee2nGZeN@bS>+Kv{&#WEM%tH zFuV$dI36Z|?LiZBp?qk@nv4ZuourdOk|& zMqY1Wjg8fuTEDgoIpxmn93zHE10<&SjuI!si$uC>7=4P8ZR?I_u;|n7X@ZR9CLKbJ zaVa4JHaOP?P)3Aimy1bRH~IO9%C>GEAU{1A4&mk>k4+UWF|E8f z474UXLEYmyz`a&T3~8fJnwRUDPTPO^xg4|Il2V7=P2+}e34q-ehbvYe&?e)a07Hp@ zT?l`CQDJI5dFi^l`L-WGH8-tR%@R0_DULgKsg%i@ArO);G&ofmS}gkf4WJY)IY7~C zDT1Yg-kzV@lPK$!HpW(r4HCG1t27;rgU!H^he}PWFz*yD2Ehcnz5jXDvv#qhwuU1p z$|VTOB}D01`h!iZI*eolCKf_?Y3yr1kQh`$v&>m!S#ylb&9$!zhuJPIo~~*35cY)& z?#-X%#8=sdF}BDrGf3uC0xcHC??GY*5ZvOHaj?Wg}RlqDGv0={G$1bm8Civ znjZ4J1R~Z^m5Ag@&ql_H_6fqA-k%5%O&L^ryVr^>+Hn-9_#Uf*3Jxr=BlUfDQ0H%{ z$I~i?QCeTnL_Ou}6TJ?QtJCqUHLQ_yvwI;cp`ZJ8YXaIEp2Zyn7Om>aHu)@EQINI; zWNS#%b$*SkBDMo@1YVYJ(orStB&2(48IIv$&m#i*lU7fao`ep)%dBK%DTb`EP*BE4 zNe)PyDHwj?z;wOa(XZL474KuKDNbWFaQaZ@%`ztJWEbwhblTu1r6jypU67`T%7VIdY8fp^5shqK>TlX|pGmN~!u3#>5=RM`$ z=J&jT1|=dwz-iO)lDmg}7%u%Boi93z%p|%hJu_dbecw~;X@BYK59KtVT9}R{O-USH*(_2tVNSuW-x>(Lpe8|;^M7bn!Eyf1G_QAr_{^JoPF*_{O{-F7Rrn?PrpdN=}CL(?L@2&F0{W3VH#iNS7C2)HP)Nt>7{QI z9vXl0>6tB*&wlf3H+V2@g>c2zY6>snw`@zQHY~l01FZL2iPZ>Zt*DO;1xluAj1G43 zZJ+g2=;WGj<|k*0_R6#xE}N`{0%G6wCaodbtr;Jtgr=?&6z1TM9Vh z7(cv8)nGxCg0+xnjLY-5UeDaU8K`@#Xq1I={@8Nkbs(Ru|6IkrG{i633cDHpD_g8a z9U=0BV`=Xlbxm_NK~Zau8a6J0>>eh-Y-pj16aM(IdqQo%E!b!znQ3N z){?Bt)JPK?+R~T+Sj=E^sU56+K58oggmaVys4wI$pyT|&qU^9CenX~hGq;`^$t+XIGK zW8V9i*U|$MQ~}BRA?VQ3bZ8XvM;hBBudjwXkTs`2DOJL7)mmZ?l1ML}-M8d_tT8iC znZg{`I{v8fBDQ6_g`~qxiDr)GcAc5mpnZMvLdH05*0?q0#=2$u+CEjM9Q)PW!(6XS zY83bbWv@P$R5En)-ZH8jSX$26+5xd~YQz%$9!WF7>lCh)6R6~74TNN%zKit}qK3`EvRA(GwbHk-R7 zG}h@LWz-1#M<%Y+@cdYuopVd7}LXrkXGRH+hj@XGnI}~EU=kA&s(OyXt6m_d2|(%G47$}lum>{_mGqd zMxW{8@asHm9|52w=YTB0Y?n8Ol3~Jp#vA2RS}AUD^=&DSJf!hoZHQRn;^~c(=3gTX zy0j!4tk8nUxbsYeF875J5j3&R%#}%asG-FZ)+V82;i>4~Y?$imI&3QrIzZYjG(#Ld zpl?u)!3W2MFek{??_-mCC&NRLylmi%CqquzdlC|<-}^nj-_ezG$utsraUJq z3Oqt{lJL&n&MlliM5npl>aZcD%Bo{v5eh7K-!}S?!Yd?6^fD^xPo_1V0M)HZ>0V4y z+`3~d)74Z4pY0YhuO711qnqy2&guQyIBX-|nCUyR30RuO@A znOYO*rFPLDzMjv@CC|o_mUCV;K_PPW?ZKoZ(bZeJ|1_S%{c)zL-dQ+$H2ij#JWz?% zILHtItGfTkDJNlMPtU}jvhSxGTN{S66|q79jfQpOOy zJoL@jRR%p@j!p+`7JbP$qEurWp5%`z8}O@^w-WsW06 zGq24IDhWKLYEu3w&%DFLw?3x9hM4t4c+&cN__$G`c^^j1$#f%%3coayhK6?vhiGcn zRB!4sLcA?caP5L2tL&4kE=-zk;B$}%L}w^CtF{!yDpfld5Tj9)4_Nmaikq=9?mA=N7ib z8rde*veGyD^B(w=h%-@r>7DVRJJgeStYJm6l$%<++pz1pA@X9_GQ(n)d1NmF*L5$% zR6p;VBo4~5$K@R!1Zk&eF1ES+P`7=2IZ1>I991%|RG7 zl2DDA9Y~fko$I7gU9ozVm|N(DKeWh4@2O4>;>htR<6z?WU@`y=KapNgW6G%2inyti_~(mDCPu2&`D}y3^xG zX!mwxH%lj%p4F{N&ICREp0$SR_v0i5n;`D4fHwbVDqN?u8b?0HYDmosKf{a%DC8%= z@tO^TUW=9~bBTeS9onoYicZyG;lNkI?iu8!yHBJk3~rP|et|ixF{|@XrKH4-llO;U z$6DLRJwsCK1!pO~Q1iWUluV$;ClmePusQK^nSx&C34nla!MgmE$TNG{Cz1dy zy8^EU7U(u*!gc5c`ss4Rg|V^GQoR%Lzy@gmrD<&6J9;Jsj7b#tSX+H`p=RXcyQ9d- zJgj|$Hixm#>e}woLKU6RH!Kr#3Em^+tCO!?nB1d#`y^eS7~fx`Sh=`R!@G#TxzJo0 zH~At7;|_zM20<-nb^9Eqqdt%5Occ0mI3WJBO6P~#QEqEHoSp}8lbF#9-m#RP2fP7J z=1&|LYuW6V`L=B#@=pDov;%dBc$x|gYSr$bE;L^@k{w~RaB}oGQ`!maa`9D^FBwFxt#~cJP(J5&~LI5xPtZSJ);v$gM?bB|6W@Ack5`2>hy+DYHY-&R2*MWo(`_E4`@guNKjgImX`D z^Rkye#aBVXZkxkI0?N*iKpF3wr#@_rK0zS%lPQp zP%V%eT1yUatq>D=+oK99hoTSG$&DDro}K5dj>~jJK#wG@>j!_B1gEUvHJdD29P9>o z5kLp>-9fy&Q&LhYmy>!b+2$utTE7@QyRs@>ZehDSVTI+D(wx;#v1Yr~#cAE61xISB zG=FmUc-Yunu)Dk}GIMnKdgk<=ASEikO&-6VcDEv^vC;KNh>ddHaGKgK*W>e87~V5E zs7Kx@C$i6joLk4!@(;W>t@u{laClP4rN|1>Gi_&Ur$QjU*F&-7E2|IC`~h@eY44>_ zh@4r^zM95ChAZe8f0-<5i@x@FIwnwb2iv$d{X`7SLg&TLNwj%Y%G+%ZW!?IMEv%@y z+PHqiY3dRdgvZ68@C!k!seEwy(hh!lm>pvO3FqJ?6fHV9Q8WSVXOzBV5?H}6y|72kfjQo*ge&=pKMt&PXX9pU;|H4)L`+e~H ziTt1W+Yjo^Kdg=WgW~gV@i*Wl{7654CvZT+`oBxymVmva#kz03B%MR_yvz?aUu`oB zsSLZzqb`nIjcJiTUAR zfCR3n68k-73wlJ~c1z`(S6;s4Fuv%0;eDbUMN>DckMG*KRHkPOwXFAIhxPis$C@Q; z)go9e2y4~URu}i_C8qWI^W8$xkCjT+Mb~tr;F9X zXejcKQ8UH7K#P6@PEx}@(-`g}VomYPJ~{UZudBSM*Z&-HEfTTlEVpVxQOSeXnknxs zyIK}ChXg955X=@G?z4#PwdL$Z%MG&W*H{@vRT;dLg>Q8ca<$@E9nW`>eT@{+)*zb+ z2Jxtt=-aOMJVZ=T(THmny0@9nxzJo~)0LNoQFM7Sp5ckSU41DS3{Q5GKAw~KOa!*B zPE*$+TM8Q5Lt(YO9W5cX_R|==Jxctv-AmNqG1L`^`_`G41p{0XTj%RGXd+E3)^VGh z6>TZrw>Bk3W=d5v=@}$+=Xp@9=2f`u$aTL zruJ&-i((#FuD!5BMiB+9nF#dZb!$^!y$B1C>GZ%2s9a6GbBo2FZIq*$i4+qT;KV!v zjIM8OCg;3E^BWJS^%d1)`0eTQwTE`Kn znFCVI)T@i%NIcS;u^Y~=^I;k~RhA=lv|nsaT`ZUvjfu_{HY*h3(A899NkvvjBW8z5 zC05VeDlM`&y%AA0H1;!@py;SKI`OGHg#DZz_+l_u0&SXQpMKN=Cp7dU4^MnB8dOiF z&z%4zR~jd)J4d|x6P^MqQGC`b2{ir@2m>$!VL}iRbk3aj0OIY=iL5CpQis~NiT+3h zBX?#DxK$msTM1dUX-yddtKfd_@q&7kHy!);jE$(r-r z6nM@AB-rSaIPQic+31Zs5)i18;z5G3x_n%ZII(12U5sDy95gMjuCs0MwFMn=>|%-E zoX-$LozD!?el`IUM`q00Z+>H&^tq`Gk`C0rTjmU<7o3V%_1t+0I(^<6&Ynt8J6yCq zuokF!|WXeD^}SkQ<>%N-}OJf zZ+auTr}b!J7PGIdG?BW1>C!@}l;KL#EMywCnr~YtyTdz1p762onoj(FSt% zS@W6azUV6ARS0ZIxJ~{n_ZY=15$~5MOgu5MT^Z*7%+J_RGlE0rc3f~_&>(eX>Xb)Z zV^0OCEJ`GJ9MWS?9C{dMpTjD-Qx!ig_uML9*_NMEFU2q!Row?$ywM=T~!KHU0_U1YcH`)H#&L9dmHLG+3p_&<$rLs5wajAo%mi|g`BoH9jsRDsgR6Q*Nq z>6!P)!qGO6O)C>)ooFgWte(TX(w*8c4+&yo=x|TPtmW`+`k?XQh1O*y)P`Vby!>KD zc{EmtZU}e$&NvS8bdp0Dh<4{Yy} zyTsZM;huZEFLpLSM8KkpGH*rjbK`EwthyV8a%;RQ+_KWzs|bkjgqHDA*n&*I-0(y1 zNWVlMv+p%T$c;TZ^Q4C7)DUaNWh7iipoE!Qt_fhk*38;ts^EtCNGX);LOR@H*q35n zCwK)4m-=K5+AAbPj(q1ixy%r6ruA6&Ze}b6&6U-W{d&Pi%dZ^NF01X!^(%i%d_&3x zxP{M=(_tPHgC)hG_`Si~(QS=z+?`UeL-RP@4SR2~^k#M-(!N!XVHIb-<0)7%ejRt@-)5%2CT_RVIJr+;e=uv_ zs8rBXv)JUAIyz3**aS@x6+rQ2)-W~hw)hJY+NBsHWZ%(^jCX-&=j~2it;9Q*fK)Jr zSM>Vv74~Vcxh4i4RCn^j{vm-AA#Cw}})%k=wW+h63 zy3v?M!l#~mTtUinEj~&)e&nJJ6-6mNHr)!k363fDGsXsjlOK!fzXaL80hm8j@qy2M zm&^TanEkIZJ}~r0ffW$a{g%XkF60AW_~WqC&!GSkR^VLWFBD0@$RFi|zlvl5?mPO` z%3)yWk6NI=LXs>%!2BCB{n32qzXp%MvA=&I=ik61aGdk+SN~Pj6&5%!JhoMwZ=;7; z1R|fSZ5c|a4_K-UApl1 z2=OAv__{Fq@9H~2S>5zx*4gy0D)633ir(Qdk7lBDM|^_aeyNHi-(w*RM<6Pjty4`_ z&Id4(jz~KrPoY$=CX#{Z$-;(rh@sOWlzz{9Yabx}7@wI{`_yD@cBWAz&k#P2B?}#s z8Q&W^lmjT_E&F(n%KvI$i%v*rfKta*qT0`=?UbqTP^VjUb_dejD8gFcu^b|6)7d^s zsl<*Os#4i>SHy5@9umj7KvTQkNIlCPTY!-3ts2B@QkU2mTU^pdluS8@@bYa{)BVJn z7}pNuH>RzGRd3oM;o3!CZW$e-ozz@6jH{&N_M@#&c*YQI&0AF9v7}@+usT>^zI7GJ zcmykwedVxwPEAes9c4%0V6B#Amg!Y0yigV%@slbSQnAv{;77Pz-bGlyQ2_z85qppj{%;7GFe zd{T^a$&|ut1$$9vo}4X_G;$_I`=LlpIi_VlF?5%m;M|MSBpR%-!;Xhgf`lv8C*FJO za2lhe#?U7L)2~iVL-0Wd7vOEaJM(Ea0amGFJVCdDrd@MUqv7+YZLLjGag@u%Ck$aW z8OaITjs5JV9gP`Luxc^UbvdP-C0}I@A^rzX&8}76sE+peG%nV4@2^K)$egde@GDJl z?THzddH6mM69RfKMo=49-z#4PZl36e9;DTw(b zK9OXF?2_Us*sh*Ph;rm&&4-JJJD=GV$Li{Lcw*bIAU}d&8@my0>T6=qxzzJoE%$S>zrLkMUxGxkMox}GimSTHkyWbTLm^+ud z=g(!2smBx8)BWW!aB)U*xP#n{Jop zXjJf9lj|LG-4@`hzbX{&XvXEtgZFZ*gQ!xL4cnt9OOlT_Q*EztYfu();J}HTz(v~7 zt~QX_ws}2_AkAeRzpd2VUuS}R2eZcMcgcy#-A*8^$aNy32ND&WsxVP|w9CcCy_u#k z=}(HF50IT?-?PryzRjJtiX2FRJmr6XRWwT+7Rr;w{yr5U<<)JA)E)z7jXhND1^I~l zyPUJL3935iOAyx*Q|?;%-#hVP2~k1 zXVeQiM7@YK%)}lQsBkeDZYk6&nrPvSSDAe<$C!363DQ%$VGk}Op~(SB^L-*>j(8_7 z0mNghxBcF=0!-wJY0tFaRAs!q7_gkli<`3qed$@Id z4Ao%JC36oy99#sw zqh(PzFbk>NEs&=Q|8sQPk>W*T;H=3uF2nA~tnNtqm&diRPH*BWTwz(hn?h}{j{vyM zonhbk*q2TWnot+H>GtQ!{1&tBRmw}Fi-(CsCwIg*qXinjLMKc=){XuGoqYd={4+ZF ztu82KXke-ASolxV3E;2&KYqo3tp5G> zrRm?vAWLcSm3ztjs`11eSll9Pk$-^GuAui~1Kr_>OG8 zpW5GnQ%paCzn?>aaEhIo9;jCTNvI8c*B^^ozY1jmu3_K+mO1~d@dh5|kAjB3z*B#m ztNsyO{Xtpr!^HL9EXDzTyrceAjAQ+~#kgwRIopMr%O&mhT5%^bj92YVi&eO_lNO2d z;@Y;%gz;Vm(o}NKck3SSi0HEUK1ObQcH+{HY-?|yV_!3fTK&=+bR37h^4Mk&nIS2k zKsO8f3@+#6b83|UV>-2xNaRZGEukUFclvvr-Iaw23?_v}E5$Y4B_{K4YK5!M%y^eE zX_>WAxZF0eOC(M0_3xqig-BjL)!pB$+q!(cf&?YA7Kn`Qct?=KA$5A#?H|UW)_yw* zD?+Ex-|Rh4p+Vyu+keqbjLpF~#)}Gi%aj>8rw~cbYEJM%i%^vU!cahVu(CN-$46~% zZZjZbO77-jmYf(1Y(ow9^u|mZyRqr>eno-^UMlbcgtK7>kPsFV1h^PKI) z<+E|d*4B8PVIsQmM1r#kJ2Dv}Cf>=FVAYqX zXvs#)cGW}ha|WGFeW`7jaWUIV7Yx*INU&?>yM9l}0p24&4ce5*M=DE0tq~|sqt8EXYtx$-$8^j1p~cd97?-u_T%Fw5%G_lIn&1 z1`7(f87k997d@Q?X0V0VQ*HBwdu0cOGYo_Wu1Gr8VkiGe=o$?^iIZO_5-@8})PsAmnD? zCq$O1z5U%q+(^p6u5w>E_6f|?P8Lhl zms~f{(^zCg8HySMxnQTr8x&61gp4tpv8;}n!x{`%1gw;(o5{47cARyUz^7~WvqLHX zI}dz)o_t?yC=U)yrO-1D>`wkvwg3i{OnE@!EUJd}vl&&L2^E{yODwb&^$iO)QWilU zRVmLELph$ZT-=(r$c|9%o@EW~mUr(R>Q%M07{-s^XV$hp&Ah^aDh<)uMc3&^*Ez;h zcu(p~>2I3l+BF36MI8+7T|)#x5)FlD%4?>Y>9`VuddY~6d)fZNxB`Qf<-Mhz9252a zV~5GlC{D+CV6#}C{H717@K$w68@Z+dNr;BJQ1b{yGrJPQw7HS2$X$qd&l!X3hreVw`c7GcK?w7~M#tI1i5~K!hbm+m`c-noYi9 z_zT;w2b!7|R~B{d7Wk!ot&SzH8+nCg%a7XNNE%ZMLrLHZJ~7B+v8tX@26b{tvg(ap zSGK&!r$E(Cn4u`I_iJnGD*ATB_gr#wQQy^J&9pXquYa_Ew+e(zhKkYnC37Ty>f7hHOG4 z-F;){7S*^_`!InHpSf6ycdHb4o*}Amo~J){&a7@<%x*S+cpQqpwO;g0)a1cTCUGg` z*=kB{(^Jqb9TAB;gr!rn+A2j6*rtO>XI@^IzU%RqnGnVUOz_ePX{}RP2bE+wTJgM^ z^Uk#p?CONJ|7zO0o=n$L?gaRfhdjHLa6zI}gR$p)Z-{iMzl9LC%d370$2Xo=w8Xrx z(DvNbJWZK%plIoK@sLh9_%fpoyFAqA*!{yoe=UJjQv($g(hLTB4lZQ=7A@VP+4w=x zsrxl)0J;YX*CLGnLAs=UC;9mBq$e~lGsbS8C|z(;R=2-$!!*!p?W7?**f+Ax(z5_S zcw%qnG@L>|2>rAMZGYLVDl>cG4Si|w#fZ4(Dz{~tuzbH{1b1jo70P!c!{%CXr7EeQ zeZp%4V>~LVj{@VBLgwQ~)S#3S+RIOSn;J)%v&}VKV%4 z34Fw;Sxmn&V!eb3tmx!OKz`*EKGVt?EkO56!22UM`U}AO9m4zx@G^Zzt^ctc2lQw9 z-sFb+SKAv1<^Iw42LADn#y9Yf?>+QCbijXm+5ZLu1AthU8K@0r0nSGPfHQvp;JPYy zAfjXeTBrSbXZ#P&On)AW{4MYQO=c{=HRl1qE$3{&L;bxu4*)jnf%M_mE@1zmIse;v z{*My;M|b}B{C@Aw|EK)^ZFe5E@d(FazX1`*8p@|_Wam0gQpyS}u%l~+16mqbd@}tGL&6!2K$<;`=PcdxEDdZVlMb;(txzF-9ph1@y*KIok~QUBr2nd9 z?$<1ViAcPG z8k}<{+Qe@Fb#vS9qROCU72+k7Tiy(hexP;g)f>^_W~>>Kmr1zfP+8r}B-(WQ>nbJn zp1gXUUgDKhgu8P_LS145fD*0!VJ0#TbZbZm0Rr9oE;5s~_U<(Xg+=&oGR#3H5HeZb z3GxKJfq|`rr(Fpz8Mk51t^hE>SFeXTOAb1`n<1*v`L9;Iiq?ZQg5~_^C7o3r?NcXf zn7I#=o)K0F8WQvidbi$*!)nA`fXfY~tduYDgifAxVu*MCX#@2Vt{p%a6`Go(XsU`#`3X=a{fW&Pis|!~|8f;! z%7Pg-@?wow(y*wIv4rkPyXlVW>y@c@S~JHc+x7F=f&*f)Q-c$Vp~D@X=LhhX!}Z!! zyI`KQ~FP&Lt$){hISb|*4ggq_EC*0@5AXB1MdLDljB3h>SF@i|wX;}QaO6i)UvC^5G zn|6{jPR8_QmLavi8TvxtD%XR2X6w^bjY$grg5CX-PK z9r1$=px!x=-!-+ru8el$865z3Q1;r{1z1=HWvcs4RiM*(2a6+ke$o>}DC3f-YM_A$ z&yiz`ycm|iB=(s`odhY1>wi>zS)hqBk;~eOZ1}33u@dtX#nu*1?^9YF*~e(pKG5oY#K*r1j%eR`tT?9C8St-OwcSsyAfxI(!=^uYl)Mk>Tub>q2;$(`qEVjOm zl(?pahp+waW3-Ff<`ri9*|uI1gTrTVX?{9^_3nNy19U8xP7-C80t+$IvpKnEL(Q=e z-DC5l?MUMIXF@~k1#egnl~HU@0@=^JeevFXs5AFY0U0IPokXzU@UM)-jc7 zMy9CPZUT8@OB8ahQcdRZlq3!NY1RZ&6>9MeuNt5M+*78&3Bo z^i4}}gPz&@fMKZl37CqJ?GS~D3cJQLS>oGvqsUiZQ}!10VNK4HiHDp7L#``($quh? zIFAgm!vYM}^h|=^P4Z~IASgXQ9%!b)>uoV%yQF5n6yAwXRc863HZ?XZGjeoOZfY8V z4jtCso`x#ZgA~>@dQ^>z5*Mnn#KA^*onh*RPg(Y$Jl~bjrMSksyg}=`fNXz%c1PTI z2$yai`C^HO44GF5A?Aib14MHjMiYDA1kW8cjj`W$MrP7ZTuH@7qFlCCmA^J^3Jm#2lC;gn2g_GtdKgX*6g z6#DB>2FE>IDyQB`GF#hda*r4K_cC`I7l`4^l_P4npwT?`XzPD2g{QK-pK@6#D<4t z2J|~HHL^goQdyrrCTz*y?YX3$uIF&|LXk%C8YU?|w~9HWj0!u;wty#+tbSG8NlT3k z{yOoa(ttwum?{%VzY%Or->Fb}z}>-zm2?yRochGW$mYZ3s3D#vuDAnN*F#&@xoMwb z?0%%;{%X5jFjVYiNk`)(5_*kE_3)897ITT-w|kRy&~4Lflvm4SA!;=}JZGLY#JuUA z(E-m`G^SaqIQR*zwN=>mgETtf)88WbXXN+?jI_lBWm0q=nIk>Vbfl%`Qp3Q=F0<$e z^cn7e8p)+ll|im5MjgnJ>;<@;$ciM9TftW22v@Inn#cj?^T6JKRDhRew@}cMotew zH4ky^z#C$ial&6p9hiSC{r&~F`i{*0#H|3|0p|Z7xBATi^pD+y?@#^?ME|>P0u#`k zm=g%XzjYH>fR@7mpd1#s_vm{!f#oljMg3bY#rzYX|9))$xtjp&68xzR@rOVF2^$-b zLb3d;)CI!fpV+{kLRr~?y#ydT{Tb7LH)8$$D8EyeKZSlF)ze%d$V`9U$o83gquSZqbM@FAAlMXZ4|MN z_cdC0wrEG{-b_Hqd=FoN5~EisiY|ZR>)pa!6ZTACzGVmq*R2lRZ_%I2w!Bv z53{c-hn~9Q@#=W>=`5{6@HuRiMf|s8bDx@4Fdrt2S{IZY%#<%2uqx~4!SJEF&V;rx+Yciaml8g9+9 zYA|tYgh*|=XnSq$|MB+Laapa|`!LvfT3Ncqpyi577|?^B-VPK%*``Uh zRGgxj67WbxN(#}oX`?|Y$I{{8r^Xh5!Fq$HP5QKne)AF5;{HJV8ODm|jTyeOL{)MB zMg3V4zkH;ZNIv_3vk`ui{<4&!`PD&jhgW~RM5Q?zsz%9thz#s=Tjc|(@f%_6WmW6B zy9dL`+Yg79Tieplir%!pjK{UUvhm8-$)-n@4`cSw7lT9St{iBSdLzAZL1S&bXrg9W ztG3?#r028zE`T@zHI}Wp~lC8q*rYR zrBtVeth-BBQmxBeP;#zhQ%5&m-|*_^<-_H9Lm}lT4DoWk?o%!K7-%^xqkA8Hl_N7qeG2SmT1xnI0FiLsMMMHyh3hNIe0az)oC6xa+89mv=q*+@v(x}@#9 zWD6Z+YFWOz#h;*)iP%uuerz8ky|STfpM<%zxgo6Fc_dO3MNn5OS#qR$Q+L(Ha`$$_ ze0?ch?&_^!(3V;&0WG|ORdLd+^D5rU&z{?dZIBSKbQ2C93r%}1nUd{TMCv?RX!)0I z5M!~N-FVW1VK5-jI#C8r`6P(Rc`;?-?bGbkht=M&^3AGjYr!8zcfa)rT4R72w3aB} z+@1`(`^Q(*e8WsA*W)B zo6m!t`}kTgi17P(=nr4|nFcsoce5tDi9}cxpA%A!SrFjV9Z@2^CGzQt3PM!Jl86$W z#ndRXJ|hdp%r(wp!M}3F?Y9ai^rd(?Mq$jtI7kNG)Em~Schbd$P>vMfmyQ4f;yYp%t z5f_Z}N}S$nGbbDhdnztEEWH@4Tfl>gR8`mcRNKN?fv|*mZLx4AO?c9U2J{C%a3AYj zZqm@g$xJW38h{s}(8e!2y64w5aK$0NM*Fho$wo_VI{iUAGOm3uE8JuhxuO-01TZX$ zso|F_qU8sxY=48hehW?y8h)8b$K1Honvtl>AQVNgCWb`@&JL57E@NTwAUUZZKe&=e z*K_Vq8>7$A*RW!jtnW)E%)a$dzcw&Oo*ra&3^nvSzk711+PT zIKz{bL$Oi7($;})=&YimI%*q>tVNyS&LuZvF8w0o{E4J8X9|HBtk9G@xAWL^Xs|{P z(^l>pjNp0}rT_)vJD_-%5>2h9p7Ka^2Zlrqq$ZP|2N z-Wx(@sx6!h-b4jcZ+1NJMLsU?`EqcZd5>~yS971#0>s|!a107kwB9#pA9Sm6>e#@j zaW?pUad8Fsd)jU(&=Yzo=iz25{G&5XG z!+gfBX^ZJu8@3#`jt}VrjpES+zNH+^mX%AAIvBC&b5HvA@OWxk{l1h^;$`y_(@lSu zDz3pv)SQK7r?!;Y`w_Cu4OC_blN7(tJ_K`ijN1cc+1N z_ckj*b;%k~-drzvgD5<{S@j;D>TtJ`?lLP%)UUkts;Bag_zGEw9&ZU^op@2~**IUT zkmP_Ht+$!a_;g=ab}xfXVr7y4vZJ&6X{qfqudmG9*BBNDeEqqDE%O9SSJT=VJx6K0 z!T6f{ff8t#*KdcXur#lrJoM&t5`{%UVS_zR%HHPljDW&QqY(0Sg38N@uk(~RLR>>~ zQ^<)!gTgRu?(@tFwIKegFaabd|M4gPPr&mJSnyBaneo2?&wndJ0O{htX>tIh_$zS^ zfV2KNwEuK613fS*lm!qOv#>LL_m3n1FdPjqK9v=Kb8L)%QknR-+5aEW|AyQCJGjsA z-7OSIf&X88tbm9Jz|{XPz<-(k|FNn6oA~Gf(GM#S9|Hs66Z(UWFwxKf@i8zm0)~&w zzb>ErJ-A0d9U|L$)3OG(v_yX?0k{4c2i9Y7xccH{j;N!3sD zZhxz0e6I}sMK(~P_J0O7B86zHCt|*?yC3_Q#~aPbr51PnXzc|QBD?5?PDQE0AMcLV z{D?@qolqmV1Z+U5G45_O-U~aUd|1+cIK171bjFA5nGAQWK9AdSm zts>c#*T}s1e!Om1#XNoQddNt7%8Ir_~y^#VMxBudMz z!^6Pj$h68kEqb;L;lVU=G4b(&8SO=n?5|Ket%9+^k|Ib>liblEfyU1tw)d7*9H<&& zjVl<%3q;cnc;5A0SsLC>U#eoPYCFHEZ|}LX=R=i3CCiSL&-VGM-|>;ax=`51h?8kO z%9mVbQ=e0(dL@3%XO8?9`&c^}8Na{)A?P0-rp(#GUZJDC4{=(Qy$)aUn zN%Tn+q_eKr=N>N1(qyrhlU5^YKJ~BdEFI#QVY~ReXv-Tsyw!Qp?4>u!b4I)Q_}RH= zuIU&**=l{M(9ZncDeu!ui&On$;n+&F+YAc<^zM zLw2aIEgCCm`dP}{YPUucE;MHnki1Z^U+lNp#uX%b8wz1OS(C1Y>26;><11ZWB77Kv z7J0l_)DT(P5b!b&1#LM@8OmaiCG(d)oYIkzWagfB$RDuX^c;KkELGVQYeIE)GRjxldSV@$sbsdSX@yz=j!BrD*WJ#E8G;1)iHW&M;We-7z zN@W)43vLJTaoWmr85?+JTX-5VsOM;FplogdnsjgMNxMV~N4F35Uepu-zmZ6fMx%0_IqjQ6@x?4iZ6_d2LMH4&(1hhwx}PP2V|ppI)>LSd zxt3?|-!l7BB*`T$?bBKFZlCWA!pBHOuauSOQR)KEQ;p_F1B8J1EJ*c`^_q8>;^BL9D6U9RApUcPD_%cLHzq%CGQ>k zifgv+Qkv9ta)Vc}uaVo-tR}Tv`i&}J_)?W^wX88*d;@av4!zDyeX|5C7 zaWNQ*(<*E6P#xa%*_KP9Oc7q0-ruU za(!Uc`uotKFD-R0iJV+})ETl!z0qRJ`z~Tz?LHgdN^Jd`EQ`i0aBNL*Y~S}BW-pB# zOH#y%RtrJ)3K@fVd}jMxe*w=KhV+J(kwhjdhOkvVpbd^!`(=*lV)qZ<(p&3JD z(lOT$PM6*dZu{^|Or*J%uRSiR8~lw&H;GBvAcNz$BoZ>OJ|iL@gVBnQ0Zr`;uC;nC z;2L_L*mRSc=#ctv*SEyRNNj{REh0uLk&WQ`j0`Uz8|bPSnYivNum-fq?w{uQW87dl zK$D-%qI4jMG}*v-`H`h zfPBT!k%^?A&xQ%!mLr5H4f}9}^SXu0A?;HT9O<|+ViDtEtFp=79IDG@P>p3nd$UD} zBU25Wl=*#~d0~Gw`H?_V&fKfLOvE9wy(tH=MUD^F<+R+_mEl9}&)#BBT(0YT8q>^{ z(v80vK9JnUZtbGr=s!#*4UN@)Jv)iPo+8(bau(?WefJfuXQ}9IOrS7l4HTlTSEtPu zl+ZYmeUV>2FV<7oGij|jebM!~5VaM@bLY+0r1W~Fh-%2CQkA)`h-3;=s!p*hGr6mo zK3q;G_?xwRR%8UkH1F3KT`=-_J4BD|9jN`n*bSs(Tl*m zIRbk2?|}j1=zzfkZ0rE#p#wlB^IuXrvHeks1$goQ<4k|x^&hAFSMWNJKK@rrzt=eE zfe3$<8E5_jUjOO00%Z{(mCp{K+CM`5f1Wi*Pxnttzf(eHz)a+iOMhI4za7S(f$rb8 zF8tio@OvBk-!(P-MbQ0|H~(*-n+>3>e-U&~s!PPoccZi%m$gL|ql%n$x3RO^7DsEw zqnpQs7SDl+*@RHT(1FywRNm~#--guT)k!eFS(A@r!$D|pzx{UM7n*YiBXVr@=;nTQ zDMFS5K^on^gwo7{d6+4j>)Wia>h{W?@5e5B}8(J^u3^~Iuhp`s{i9qfssAh!fN z)K>XU0W=dj=q{a*@9DNln`xj8KW>Obd-`)`zQjnvm(3&kfzhh29gY}>WR&iPVLTrk zNyE`qRqQM^OH8Pv#Os(31PU#$7wt&twJa`8T{9MO$MakZ_evJuPMX$x_6}dBa6LI8 zDVOb4(r+-ocoz1WO+fI|a@M%SI2f#Om$~H2oxn4nZ9l7zYr!u0tpOUo^9(IBib3Ee zeD8Ea^P4CRF0Ej#(zlK@S}I3ICi|?IdMsj&hn;E{jny^Uo?bQ3-S@>9<9E->BF?B|3OC>{OoY|kydsF}chf*6`C$Fi#% zGj|-du-Qx_vjTiX!%(*@PPNVwLgez*4x|r14I@moaV>0>i$2u%d*PkB^HQFv?n>og zSvI@P&!DN*e;Vmwp*=oywgjsLrWS>7=@TNFj)O6UN8F8{&^dl7T-=#lqRVm4Rjt!d z8ySy9%xqE0kI%BI91}wn=bW1SDhdv?GrSi^tD3TJ9NKj$Hp@TL+;rxPv@oB(yv#}~ z7IKT^gIGW%rbm4EA|fA&qBC z$jQ1wW(q=3BnkpmHj==J2mwv)cuy%;0Z^7cV^ZHz#o72` zVV~fV2fy;mqr-CqYH-Koy#DeYSudbX6odtn1;3Ex&I)YT1WYu)iEi0^hy*G?DhYHy zMyU{<;#zVMJSO8n9$HJ?YJtyh^JG@>a-1lEY+oDFpF+c#;!PeR?aE8RaYAeCXW~xl ztkgF4a|gHsMs0I$Q5Vl<<}50@xu7P>S4@s;e38~FJ~MJR+YnCGBY!5j4D(@fiJmJH zkeh`BEqth5*yyPmP4X@1ikJ&6@tAP4gsUMezZo(Gr5ti?L-7-{BBxK zKX*)=5ACBuQI_OKf|(m}z8{XyosNv&6Mizlr+O7Er2QI1Bt;d+SKDr#{{3zo9C}qu zzif##RDzFKwUxq?GOrelU~tnT4J!Slka~(W^-ArB$v4~Ry3AwlhM~_uit;_TP6j$v z8cby}jjx&pD@r=~_iJWEN`;&HX`w+`z&Y83-)e=vDH|bZd4^3wxdO+8A{8v7a2g?| zfWKN((^1Y9b)0Ik(XQ7pyJy#TVS4EF^ubk7MXOMTc)q&sP4&&0DMaZo>XW!O+rHv- zm^|*6JHnEYC7wdPShXPC!_bsh6|a*is#N%W#6(pkppQ*wQ8wWq`1mQ#wL? zC2*nZ9VhL1A+IuKYMa>aj816@?SA@dfjlcl60J8))26IOL9&m|(Q4YztvAmN7A&?m z4kzeYKSIw@Z@W?$0`2hO4O^cE5#?-=_1yrvwGWBDLX+{)GsEzWgNrM#R6QEG!5GS| zr`r?Ty`|5RTAqhStX;{3(r?cA(#8)gSJ~_>+p`*C%C@*Ri*&5S*3u_(ZAQoCnFGBg z_+KIBBF7O)(rA;xKxJ*gEGdb=XD9gU2YyB-h8187COqt-_VF}# zSQ1@}e^k9hIVKo=QWH9HY4HTSKu@vsrt(#e+fCJoBRww8!JhJ6wRP@!?Lt&_+JyEB z{EN_wS=^xmovn}gaG*n`M2Fmt(D0%x4fKpM1J(m+uliBKV@B)oYhG4;>R+r(-WbI$ z(shJQs6VvJ!y8VL|LkOXq5Ax$d*mfeigbo&D4cjBU(jq=@>rG0+W;sdEXA)!7n+*5 zO+7b)j|DQhUAvGOXt45E&8q^ZD4$w(N_&}3dY8r!&36{}D4zhbn3NhO>d=i`DOsu|G$ZKH1g)(g`r zIm=5RJ~IPFYlwuX8M?FJ4)c(D7Yq7o9BU_F5?RM9-QFq+^Nkd-$<{e|UG$<5!xAeEi5NPMTiXRPD#Sc=^IB_n{)0IKN$(9!)@z&=B*CDELAfOmeC9OkuO}1BC|J$*Dr)2Br(`j?V<9W4bSw` zwZdAdp7udlN_uJ^T8ys8KnO7X2HP8MNQvGJLYxJSubMo^d&SuJ&eg<}JXPtWe}LD2 zNGZ`_uSt`N;4m3IvYnY``r$S{!3!)6aXypvg~G0NS`t6PH?IcfH%!kf1r+S7L$Gua z9Bnw+)k?&ll7=Lqy&hMs*E6iQqv64M+L^w1vque<)zJ=$-Vx4mq+^r&L{uQ6J+fYi zpi+o&c$QM(evBCR?|rp1;V*>}lBJIw4$YpP909^y_M#{ zd3k9dcnv(4uy|Qz+J3yP*RQ2sY^Xe?EpFn&?BRD)#0o!TSo31U%i2oaKL~vZfC%29 z^PT(r>{bbInD0O8H)`_V5n0B+&n^QzAZZu@>mDXL zpp*mjZ!iO;o6{82@E>EKD>^-){#X9(ERX0!BI}8hXG3iylZnv9tY2CHr6A7r%d^{7CHlctrmD z#188p3Zg$P{9cA-1}0wqu?)-l{VDj{o%qM!2y_p!e}4k~%A5lD!2fzFJrf%+x$swl z(jO1--+t?#Bz1nyw%#S%Zl;*&7AEO< zsf}zAO+8B0^wqj9Dw@V5XdK+tjW9B%*l)GAhigmfj?JyWBh|ruIk;-fDCJ(zd^mpJ zc{{jXr-k{2`Z7MHXxYnH3+jQ#l{zxyG972K8=m;tNXOm99*;^ftvhD8!8WxHgYfL~ zG3y(0y0et(_HH|EC8PP3f&3(bP4R4rTC8V_O;5$2lX9gR2!s+dtW!|c<-n?D?9cX* zYHMfiI}#}*=~5(IT%9v-jDUISAMdhl0u0#kFl9T3*OTJ7@j_pG)1UrC7g)9%i6u{#Xd<6aYc zlb2Lb635;d)mj&0=DLUqUsx6m!Ro^oH z%Cx4Q_3|)6Q;m5lQZ&Gctqd~6PaS3~d+jt8jvpdQS^v4gONtsFs=89t40!BvDg@CW zDhYma@hAgJUQ8!TcZ_#V96Gdz{>v=#A65_nbFNcuf7GAbsKv zRK{s`8=*0i3m6MlIJ-T+jNz71V=-bQ)SU(!Z{C_B9&6W>6dS}>!)7PEe(%b!R?MPz zJ!4_>CUh~QR~Q@|qj@Zl-7hYpzK+?)&vAkI zY}5paxw9GkIEx&`hw7Zp7mw1(fwV-==5LSc!rP@(b{9MBWoyo33!(j?JqU3@0kSx- zovs~ezJ#w&A{K%c^qjt`S8k$L4oBN>WuI+SjsfBw$uo1$yxQs3HXfQaJL;_`D)LW8 zZ*$m;UlF$Zv3-3#gN5tIUnsb$Ru5vu`fMEI1dI36+a`&;c^BwYDL0et*X3*-Ni(xu zvWrvaR+ZjS#b3zNuscfoYc)UTqX!Jo9#LnCvccZG9A}l~Dv>fY+56gXQbS#2)|&F> z+HxbJ4e+Lzaa-KlwA&4reYdnn_i#@`5Ns!pS0VKU>2UZZW{ zARcBuwjJopLW;<`&iM34WS)W+G(pCF_H+J%h%Iuk;-CF6uaHh--CnuWDCOA}Mv_Hs z5aMnwn`pP+y-B3$eS(%h(BFnt^MY|lKBWTNns~7^>axO5VjY}kJsNs1F}%l?i+hFy zG<8U0P1;SI0dzGhGk8>Qr-4T&4~wjL6&59w@d5*F`P*>d?fh-274NJ?>^J4R!!fuR z3|D(hWtDL^cwDF+;yJd@-QUnVLCp%7cd0CW$45R<_3dw5mx6P&9VjaVQhI@5x=Z9v z05?cxQYr}eK6S}+G0Ychh8Nxm1f%84Ypa@00rszORHoE&ecSd66g+e+R;k5_rR8Sc zDX7C($du}YUdvhJy^hXN5x{29B6q!7Dhn)GM@5L~xPj@OWzL@nMEk z-o`;{+7|y&l(i9zs3t?8-uPYH^OtR=He4_l(qD4PbNw4cQk#jw2np*WJIp&kk%k~~ z)^u`^ja@;Qjrj`Lzp*_(s>-jG2J2!yF4Mp3oKeIaWwKcz+fzuyRHF#TTrgn~vrd>nhnE;x12#jixi?R31b^2b z(D>rXyIXr4K0cmp9ckk~dZKx>G{bW@Jsp#{R-3f2Obc`*40ak4EDMZrq^9tic{M!V z+tsKxAEs;3t((les2^)Pi{ttV^5tEJrA!C3^f@2V2I;E(WxOUGfixSHs|41Q>{0n@ zX`o6KK4-~UjJ^{Wr?f_dE8|-E?6e}&@%&;z?S569W6!st9RzNgAr(Wp*rUPsrb=>h z5m>v2j4)D$MClYW?Gw(1M2$)!Vs?1)cXEPXmSck52F}q?=)KZ7zc`|Qk<^L|PVd7w zvLr%`nhkJWXE;p|dNTiVy4jX-i~kvBq_U18wjTX+z&PRqBZTBd?DWB78CT$tW$u}ChS)b=VSM2`p{r~7CNSs_t$R?f(+ntn6dUP4xyx5c;kh+I6}U@C z-E+0eiNu8WSIrSib233s;&iBIPt7A_R=?uhfL`z)fah=US60{95RO*B+R6d2YqJN? z><>`%Pn`Ql=MnJUzcG9JKhFJoFIv{$L+&3S^G6i_9@YY(`~lehv=m@^fU5-{eEdb_ z@TXp>KLMFPjg$KcSN=4c;CEQ`FIEm&e~;vU!3nR#( zwG&$fGW9co5aaGcNaMF%4sVBu1~vz3VXagMw{7lgic;*Zq97u_>T9LDP8m8k7qgrL zrVE2e^IX+SwlqZ@`lpk$>JdzResL3R(xO2PYGk~K7(pIiF-zh049>4TDPPM3;$vcc z^W&PsR!`}+VWuY4D*a?{1K;32fEUBb*Zu|jai4@JNeX&-4Yb3-0fdq`z8@1&5AlSu z6`lvDp&}WN1E=I`CPG{TsZ!b|n>!I!pBj!BtEr}S?JNy>-m~zb@$~E^gnUBwhjaY_ zqjq{-LsDYc`%oQHy?81|P>EWn?!;6*@$(AR#V$rcf4va#h191(WYEFRG$+A5(uMIL zSN=6Hjt{c-f_inM4seXcQ&MgPVNh zymRC{Ghc6GF_pdAOlml1Xg=LmvtQc#DFL?uJ1=&>xG?LuNt!;;RrWXEmJ0<&?34D@1N2qrfh>*dr#|#8rva;-0y#lJjwru3f z*y99O&ivnKp3TJK%0*m%My`GBlxB#AqC2y=noOSDXpJz9Waw$~st!`-5-+LKO^?!M z(ikSRcQ**{3rgryLF1ADYUK6Wx0V_9tJ$)B&0&0=*UZ`;Pa{j9LpR%&Y4~pB9$<{! ze4I!OZWg(UMru?VFL>`ADN=}xNuVIx^{~lX*j@EAr@WkpHSOPpIGX1ZVZ%tFeSPCR z0B$BlStOa;6Wp}|xkh~$2vBpQJa2hNm;I_}+g&2}Chbe|S$7A!W1-h_%z zjgV!|HysV>XNWyzqWTI1jxcj?tEDQ1J3FIaJ=v)Ggp*YAxJubF*6+O1Q(JGit8Z zsJ`nxJq)sIEK5NYVvqN4)_liPl_moNCjTn2r=pR^oyVYqsFb#uz(8SSK#nw1FspPL11>cmbSP6+F6<5yl zLtkE#uqxk9W-egM48E{eGd42iKp%y#NuYP-V{a<)qmRnxBgyMpnI;_V4Ua9p*hdAA zChGAfv1<`|nFtb6 zXB?0WL-^27WYb``b z1K-v#z*95M{H63T`_BX43$w7wvcirQ4HMa z1gRTmdEKUG=1>gb$hz`jUeq>JMXF-BfC0P|l_c0prSXiZ}kUkIy76 z@dl>+FXfZ&VD|&VeBH4iSzTBYghVllLfCUQzQB2=xg*r3@ZpikZuRNyQkLi2ba@4yCRyL^FfM6eyj;8b?JIT)d^WARq|% z#y*HMv9ci`Pb;Gn-hOV+FJOq&vIy4UlL9}Vy;b6xq7LtDsW|#7>W^R$EGsthb%hU; zUlm;qwWkR;BCJLX>xEv^v+#Y@q}VZ3tM@vL5;q0>JdYJ9-#}2uDaLC0%Ur%VnB^Q_ zwiFb$zE(lm&Y7#&jTSBsV0Bl>W+-P(bly&9ON^PwFpCK0*XB%nTz5>5TZ7s#lsfiN#S>pR-oCm|$v@iWpfd*M3Z z70jyG>!hywAe=swpwA5UN`6**Bj!f&jG%_Da3q<$6}jB{eT_-)!W_!2XPa59Qu3-C zgXzu@#T`pqYF`Teu|z^fyaG9xf04k^+S&RSqu|B}FGxBnsCq#cJ&x^W?-k#Gy&@bB z-*Vw|A?UKT$Hx3KbdFO_NQV#k-uYZuRlQjPIg}PAW%{pBF>&&*>nvcf>s5$)|CFA2kb&kcPL7aPiIBZP2rC}XlP z5*d86eLqGPre6-zNqP4K3Hl(t`Ah8o#~!XfV*elYvEL7S13>r>%eudS{n>sL&VKT} zWBpro?PqU>A8-Da|NSp>@a%xIGhise0#wSFfl>h@BcLP%pg#*cAOU6k6NTl!%EA9J zBhLCaIqSb4qsI1ot?l1<&hMB0nNQmff9&6O<5$ZVfjR>#;2-x#b>xqe`EBW6;W$5~ z%YP<3|DRiuewz6G8^@ss;{1yory0xCdcOCf@f~CoFL$25rDAtO12h&Kp`;+Vlwut@%Sm~>_SemO%a(h6ZwGgtLWO31#2 zs@{dsBm^CzGub>TVOOqO3LLJQRHGJNK@Acoa+6}!?VGf*r;_YdTh_S;vr%r0G@wNh zP0haU+?H}}W7%~3Bm?g$ugH<&JbQYASj%kXUO2tewpP^2ANW|qI^G~ZI~M?k`L;Nk zqh1KfyVf(!$TY2Rum7|{TU|LCj+8J}Sp9j{L|!P^#F)*Q@W5UVml`B|I~;efg+a4S zm2+wOSa{@@2<+>k1i1u~a2JWjri){h0diA&{+v4Ea4M7Q2W1*IVmb1$hrOw%Am!_r zFn^NB!{^z2%}M?%SM8O?nd7Q6B%c$7k?(qUM*&*zA>NO1K*zhS*o z=4`co0Ymq756cze#0Ql?)MSSLb?706B%g4Oi}$;3j|{=Lb%h)shK=FB_K*kblrS5a z``c6@3v}-^dB7zpOF^dLG+5A)?4eQlZFRq>vO!12x{Wsv7vY%{`b2Oo)JE??h$~ei zrX(=On$pNHl(0+FN0Z;e^9i}F0t9kR=Qxi&o#fgKSKyc+!hi$*BafQJL@*fJ=U2YO z&)HDvPcTqe2*lV8ziwEy27L54h!+e0X#JeK9a_cZ<9N&xB~zz%d2w8xLDG02>Gbiv z_ZMA<_~9HcMWr{@lFSyJkS04qQFJlLyKm_}XOs%^p&?6DP@i5fveRyrqa7Ke=kcY` zRn8cJok|B&l)aOxY2;JF4$0zE{33gkCa+|v82>2gE zJgzdU+3>dot?y3}Vn>qsRV)M?m zR>VtOvkB}zxXa4nY_TM8nib`K%In~&fMC3X&{`Y>O+V*+hX?yc(9lA#upoW zY&Kf$nfhz6b1Y}aLw~wJt^C*iQp%3}M@@-G%vFpij5;bJ)dX?`4K>P-GIMht0ikie zVjW>GZkKguuEHY-JV!XoVYyH1-ZGPw;2&Gr8LI2gqwZI)<`yiFU9~Qq@dgrl;WTG% zt0kYBKwy_B`1V_ydAPLsggJEHxazH)ALV1Wqo87h^3kHfpxSLQ=%q?x(XQ_BXB!L5 zm{aGSDPm@;fJk!9#nRDa;)iE!P_y(6@uN2ykpwyw@J}=&=o#xvG7%mJa(vxPy(Bxy zP=ZX)HZG+e50wJfeI3MWo;DNBRB3D~!zAJ`f#*jz-Lh?PK{9?Jy)A^L8-D*B>Op)w zm!3)@5QCW4VPm!H1R|eq?zNIq$<^$0ysDMvsL#;a2a2WC;qQ)$uvJ31nB`4O8e8cv za1guIlrGOfg(pEB3u>JWD{x;K<++e5B|HrDD`(kd#9VeOT=~?@NQza$Qr5YLD7KqjU;8aXl*#=SNK7a}s1qN<_GR z6nvgnX&68syeN-(UP5X*;Ti$8C-V}?@craSbDHv1ozf>#hXRa7SSnAgmpoG%cbpPu z?xBPxbp9;1it!#5-7QFnZOgTdx7T3TF#)PCHdUE;(eysfBpe1d{|SVa1|$Kf zIHZ#4fEgVHe~~RnzfHyxM-BA4V;*Zq@mUv2Z8NxnfbxC@jtQRIWivSUO*%qcl0qN% zdGjj)U9v?e>rYJ=6l*V3 z@RwIyHE&9IIAu15lJN0~%neH1KgOTg_9I__}5==;Xr)z&sNd|am4 zzAH>M?qcZM(vGpSYTX-h*XBb=4aXxXj2;|oaxkoG!q(5kN(-Z!0Da+FVY%}z@!fqV zNQ565KhwMEToLUyTahxW*KlE2nvpodQr9@}_vJk!+UFF;-F5UslQ17&)w)_a3#pO2 zE@sLc?2UfDT+fH3S@LRdb#69U!G>teFPNoN=}ZbaPyFUXq}yPay5>?;i(ypd2ywjZ z5`Fz4`IG&whB_p7Yawd)bdRfeNojN=$&iTa&d{h^ybr=q_6tZfCz2p~b!)}EJr)AI zsM;HUy_pf25Am;F8GnKrmOGTVc)(e;AT0K>WS%3Sfo9zxCF ze#^|U1Mg*+WX>RHG z*PDQ?f(1}0P1TVCr_PSm`|xdvf+_MRbhg{GT>sVB*}Ng7OtoNs6e%t1Xk4!n-(88l zJzX1RaBmw(D~19r)P&g(xzx`52*Z(=b( zX7TqIKjddXLLHD!{r#Q4;X&Y?A29p-w|_3yApWQO1_&9y&tzr>tn+>}zyV$k?0_7TnVkjjs`wA3 zTR(1^|IOC@xcXUujzM4x=>V-1)A!>9u4tz3bn;IWjsH%U_v2Rn--O4&#tvAd0O~71 zXvy}yZ;$~H!T~xxCPsF^isawktbe@femq_NH?c9&GXZ9QKuo}cgdXUHV+2O3GXmp= z7=gQ%p6NeOz5O)y{RjX3@%a8L<-wmOvj1@@@CacC=D-8~CV!;PKaDQ`)za^Nh>U;+ z_ZLflU)=lEQYKbF2nby5zgYSQ(cDj;6}X3iPEnwy`KzVBuiXCs%=H1W^Y5Ohf9Lv) z48X+szsU7V)aUIMx=}p0RaOX^r4gLoEBli&fDr>7Vqt`cuR?{!Bgo}Ye_MtJ6}ORb$@0Hof_L4?y$ij>H?7RkQD`)LA8!8X$>~t(EP3azu}uvtNDlb|yju9-bxlH8DpIYrHTDe>g^irVy3?2L zGCTR7Y@cI3CV7kdAxfofS%&gXco>ig9&%HfnyA$(SGt8Zp0e=6=hY)U^FwZY2JvXT zASxf*XDNr#6Xdv3HshAVdzIn{;RSkjy+9#Qk|a)$wJ4CY%vIIX7(_`c)=-kRd7D*& ziy(k>c-DvI!q0H{N|wW*yu#|$OcfH}>9dAH8*;)9z8AQXAJJH|Xv9tbdW za3V8VjCN5yFBvN}J>3&U@(Wx= zc*O>aRhNqi;afPr+_2PYo6&kZz0Z0gF$E$M?R{_K)IwWpFc;L2(>p>&PmgHj$h~%3R)U;Uj=S?dW`JYySi)%@tD3_XRAg ziI*?d&-+5P=@}u3U)I~fv_TZu-5c9Me=iHTBgzcQPlpKkg=yl#MPI_;>D3{-I25T7 ziCL{<+~>POWQeZV)Lk;*&M2^e zmq(bkugb4mDkz%TiuP}x-|x-RzH`4gx=VR6&3X{T+A3)jW-$l3GPkrA?WL`_`)xH+ z!!*7&<(vgjtC%gnOTY^qVXxlrce-QMLw~8_D*lZ0pz53b@M=cd{cU%M-wee^qLU~B zi0VXZsj~z|f;+GSkCMdT?6RIgSi1+zVd>B^z9S+SvUbWbGLKsnW0YEGs*ymMt`g^0 zG;YVjgaI-ZY491`k&upL9!{24D~3qA^nv0~@i;xQZ>h`XO3U|focp3a!ajsu*nbt# zKd1Kup+%pft44`Xz}TDU@b*8$!|vsYLsO=S2g~pir3=Y5z=wQsf)$!w^+#;4r zBrw&lsIHk+A5+}(s8R0tMn=CTg=j^=l~Dp7EHhvuQDFg5J7hPEs7A6bHXJzF%k)uz zKf7>b4Gp&|bv{H%-jM0Eg)-bpq3i2WMfw58C+V>x(aV?H6@zyqcwpMo3M8XFaqHba zcYj6p=nXeokzDW!W$N4YlHjNofp0;Axx1qnPtq>4=U*PAnL*>dAzUP5wdojp9tEp`jCa75{w(2sp}Wz zx(2}%NoMqN)MVgOGcUx_q?Y{2K>Ndo*Ln+llX9_b(%qA*S5w>yf|M4nP+-RXiAW8K z-Lb9shhw`mBOFB0^iXqNNH+5RS4&_yIow&rYFuxk6ktducM!HUF6-w{4d$52ZA^Kd z2eC_$8so(*eqFNo1az;Rk8G>U(#wqDRvU5T^lrVqQ5}Bfcx_1}+Jy2i880%yQzCzM}Kl)ayZRr@UD7mo))0}9`Ur9%VtOhWWZWEK|R?c<$Kixf>~OUcZ{5)`1{W(NSMl`i6s8ECB-pDNhRvzzeG!4Z z+%UJ4{OZ0V8>(@p3ze|x_e4BRgQq1S51Jv;)H#tAFPqByP}R4|iPg%Nx3T6v;)HX3 z87r@;Be3X-cP6ULGtTU?Yep&Jaao2|O!!t8^fe!%%%!r&>Q2WS8*{70Ji;np`YVR@ ztFtg(s8E5E7YdP<`$p+1I~~>->SPnT^XyPyPSA{2XXn?kl4$88Ov8+my;w^4Jm^PT zlJ{&PJp|B%_*0D3r3|pl1Jx`cowXsc2;)d6AES_ z?|fYc>L1uGnTKiqeEyWtSH4g!)Wp%atGNO>O~XvnllB>sY^UNSa*viJA+*SQ?m4ts z(M)UK3TC&jOB~An=axc~P2goY7*uWkU3$xZW>REr1G36?8ZlRu|mr8s&}x^~C- z{aqXM@Xg$o^S-^3T7Jg+^%Za?vx@yP8_Cy+?;l{H{~vR28J1Preh*X9C0$a2QqtWW zN{4i(l(ckrmvn;y(%sz+64Ko%-SBRlXZ|ye&NK6yXFj~&?t|mL+}Gawx)0B_&ULQk zowG2tXfkae_Y)`Yj?x@!56dXYgzP>{HLDH17~d(axnGuD_oY)+66;*4KV1T! zGJ7Ky9NBhzw|>xPa^*E|BrZDH7xbyI`@Xn125GFgDod9-`xp?K7a7(QV>_1dCH*KTi~dHKVesWP9kuO2w?hmGbj zWCVtMc)=USsr0dOv;~K4Dh^}YkQoY4xrW^=q#W;4h)$7pDChWcK+||jS--& zXdg(92a_a#>0|^D*=m0X9o&o5*1N;OX zz;!SI>Rll9fts1^FPSyQKQfZQQ0ecs_COi@a{m4X$MG;w_#2t|&LixX^ zjek&x{C1#!)s3(K|IXj!lE!gN!e*F{uJ2&eHI2dP+Wg35*iHlzOg}Srub`Z}6C+@h zk{)cou5^w}DnPnDWLcG#8U=btZA-K;{SAiE1U)KZ9-yAviu9CdKe8aY8BP&0OjWoXcrgV^5Ss~Uk866kTsirT|hF#a@ z2pWnz%K=A`+?BSKWNCEhSd)f&1M|LCtC;5$Ykwo^K|JDexW#aaf^|QhDJa-m$51wr zLO^C@eX!E8K$FwaU7O0Kue z^V#uPHb?p59_)!GoNmD(iAl5!nn-poH?8MRYU%UA*C3k2F-5P7B|rBxPHG!QeS|sN z2AlaX&(+~NE1qD*R?~)5w)S-QfP$l>QS32XYwl+#SeJ`~Jdh!F{F}7HXc;6a46@dm z_4h5u%*x$)oB>seb?kjzP|*!OpwD0W8_bm^(KFFOxidXgu@HhdoyqNReDZd8X$5vh zA!5Ua%~U9%2r--hBo=8(UP!tpU(079VrkvQ#i;#yq^BMJGR3ywvq- zk%ikGP_r3#B@{E^XeOP*^q;r zQG_xC;0^2e2^Rswhak-AV&c^ z7mXrFF>iL)QNoc;B0o5He|VN`V!bJBxc|fsO7ot{=>P?d)~Qr~fVuEfU2E}EOS1y# z5S4JZ8s#$akbD?7tFYG)clhcDr9e;7ZFUtuN&mdT=$oSQc?n*W`af#TRml) zWZ+*2ITmi_s}{_^{z4r9qWdH_;ti;(l=C1UZ1)CvGk#n>Ilw&mOgWxgs z7UD(25dm5Q&+IZP=CR;UG0po-%la!VHBMu#QA>EiNfJxN8Yi;S@AO=&Q++svH!o*k zr!vajj{Lwh^J|T|Y^X{vWT@_7I7>M5KAXYQnWL(`IAgA+IBG5ZibRo1%Ju|;KY^zp zoYQiO48>;;0;H{*JZ4BK%YRv?|1w1v|0~{dR1WIfy@6Pj6sMFMtWkZ4PznnM^*~=^ zXHWP3N!Wg#&@C79@S)opaPBswI*G^_UHk4wnUK9lDl{)XQGnleO=;T5V{X(zCRUe^ zV!2|H9zE$MAY)s;ezs>n;kx>a;!bDzNUf{|vST(-V5(QNsybr-x&~6l2_knO{LTKR zVKaAb^A4@Z33ypW0EJV;5S=hRthP9mUbEPUQ4sC4XTfWDBEfTkx}w{;9LTc@n9;pC ziOPEHmK|%=Hi2s4yhp}NSDb`Fp@FTBQ};_bzcAeP5O-ii#X|@RK(^}fIF9XaAdQ@W z-ob8V@~n~MS=h^s?b%59?x^RUs)S)(jwe@pxc5Ya^HueImA|uOJOqa!NlfaU+?^+K znokqZG^Y8gWm#+6jbuuCQ;bQ-ZyHybzC{;s=)ePq{mFF#$5Rh90?zR*#B#7?(awR$wrFjh7>E^&aJocndA<&&pf!?NQO6?Nke2Jf+ z@(z2zkZA?%=r+O&%R6G3<MHael(wG97RjEBn%gP4dE3pUguxd~RaJra6Iolb$!7|2jGJJJuuGr0 zh)GGardBqKZAL(X!;P3u=6jz)u_^A}wKYw6zJ*Qf&~CIwwtUBYHx@4_NXFrBufBw$ z*AiWddg_shjc5CN=+5J|dPd^N>)U+I>?QFon2esok?Dn~OkX~lu#Cb$g{G8uA!4pp zS;c*#-A)-0G7A-<#}Oz{?T_-yP6vD0(%w=+Ggl37RHDD3L~9ezp?ow}z(wn5jg(6| ztPKfLO-#cBP${ZnJJatM@U$`L=^UmZ7`Yq~iA4LGPmN@$-Yw?R zg32;e?+8eKHdZ#6nArktLm&+k++x6YFD{kwe@~)V09*4iI>~}GIaXi+C(dhdr0|mi z?hfT}R0;#}TnI)97`i*}< zr<+O;LFm$~7iTEd5K{!dRH(;>mbriK*=4Kj8<6sS8y1)vcr<-?23P4QcDj0~J2&{L z{3bFcIKM0*t7p(6jDa{FQIfnn(|8~HFku{IJ22&{tjXuaXna^$)2*q0({uJ=t~+0hZ&?T3c}X58-7dauJ)f}a2-uF%}UvWj&~P6GH1uyj`V;e zgiPCG zn90ark(hH2Gkd#`c6K(0$3ZjiV(-BAcAW{NGTW|hwp^*f^{(INqSo)itoEJky#V_w z0@&^hWi7bYxPr4T@pdj@fo*u<+@j$N@V3mI>1{^;lBLV}1Ex4+t)|)yoSSRTFZOaI zyi4~}P9YUju3t4)noa}-z;s5c8i$KF+1pqi3ol&SLJrgW3zLsn!t+kn)s9y+^}9Q# z)irV7>-#P=d5sZ$yv~q6Eu0B!>PIHo%xEZbNwCC6G2|R@UwnGhQN=Z|Xh{4~QX^-` znYOHvAlP^ZsYZ$C8u9v~p_U`;cJO?w#p_`7@_yWf9ak-^#^MG6gxP3q_!u(h4&W~>uxX<5U<2UU4?RWBbC=>v{|F@-oMxg-M{l71x1IPgu zhMzbb(S7?V{`w&Q&uIJ40QNtKk)->UeEI86ens1~K)}!6MB8)9$^hC%c3sdULL<}3 zG!d>Rq2QIyvUMaG7#VYU>FHxSQfI8!^I>)FV&R?rX8DAZ%}g2)B)J^f#?}~rNp?M7 zv*E;(;#|e*a08A|4=n@=Q{OS2sgx!yO```^;_n#L?!@E3*5OP%F8hi6@VO9Ma)h*a z3TYyvRNu=E1(j91{Vw%{?k)K1C^?QpNdtQ74=ydx)`A}iFli)HXe94AThhD_v}s5z z@CDKd9PN)#-z!%fDiJQmJ2WNVI4-|K(8||!kMVI?9Ub1j`y~1q zsZlCxBH=n}n}3>5O@Tt)*vn4gwo7O4&Vb-$=MbvLljj$Hgu7IRSeI1p>IN0cRBOtSsrrlKOKj@6UdV^;UvS-K zdKFBFNe2b7u-FXr;4`ba+h3@mJD>}|A0M}L7Q8%Gs0}GAtxLvgY8L1rPhtIXVOq+{ zIV6Tp!RTgovp4|ZW5i&ADf}2I|4GGhA~c)6x>1Zhr!>`Kf^ORna`ja)qhsd-ABFzQlMTSnLkT!>H&TT z2l1|X36Zszk0jRYYa(ViJTZ*~OrH&>)E=j0qC9w|opnJT!hK2cV_#x2Rc7NtwL!eA z52Za#_yGi%&?42L{AEkxEyn(t^7NWpDvKb~T&UOFNda9?Cw-P~Y@0r9@!)~_#^6Q@ zB!k>hSzTs#=|ryE?QavSt52r0$s^TD51X7WIdWGb$;q0L!HhS;U6s_oEbAw&DAReQ zN;rD(7?NrEoe_exzcDVZS>Z9v$lOq1~`P z+nwJ`!6qw3zMlcR2^Ni%tT=%VMg6E?bYRc{aqM2t=Zn70o?3O`aiyZ;BG-V4VYYrz z5W$PaBtm$zrRFcp9@Y-FAzk2s7NT|dijEZ%Y`zJ01oyiA$Xz4gknV&Nr9S2$WbT!i zATI$U+gnAm5MMjph~!Gk;XDb)HgVkC&ysNkyR?e2-}Z%8E#-)fQ-vOpjmEl$*bqx^cokuz~{@X$G7AY=K+}=to-FYOsgR1 zAZe3?S3^8qiDu7UD0ZdXK~YSB=8V)iHQ#}Jq6*?CQL;I?d)$gnx;pSA>$!l|G9BTG z3~yM^SFS;iW(djlbaOw3WL+D9<~iLHPPkm{e97X-c}IDxy|JZHwRCq9IAk2!cRo7d z*^ez1bB_28roN0SFA4~gzH*HrJv=j2{1BgO3%~K+(ti$weK74U zv?WqI9vG&eH*ysR$Tfy?R|B`=gW_}!_DJOsZZEuFgZB7^<4_`VMV@_ zp?73J0VfC)~PPz*xpum;3R2b4vmH?E%4k2<7aB`W`-& zH*}x=Jt7>DbV$ii=y^1)AZY$2E>)Jbc&ra=3sM`uXtxZ>1*QQ}<;?+Zqjt(YWLsRH z__Rt|Reh4%!HMN?*;}0WtIM3CkxV%bGip>vt*b=*Xb#e*CmfOsjCr>c1#acBYfm}G zT!!r{yT9a4Z`Q3;N#@)Zaz&r4uf5r;EqqiZhevcGHBwNQ-Kp(+1**4+`9T#+cHsGw z+75hQ^M6hd+BBQ_RGs8GIxRe|8VqoxmDmabrC}J>C zT+k=45n>4ouO`Y#OA43i8q02HXYYh>_ri&|%0SAdImKIYx@ExCeC7U;Yv1((ZG=kA z5>0UupF;I1Qn6nX-cAr9A68T)EuY78i24_MQtgFQWBTnXAYPj5a*$6>3tUXAHOMb6i{S#R7OV0Lp;t0sM;+4#5$!K%>Uof2j)pNlE=LA`w8h{LQKr=#Vl!sKJ?l=LJ9#U>*VJoc@Eo0f6w2#rH3x zGJiRT4VVD`*QF1#dKMt+{$~wLz)9-AU6mfNq6NHOffSt|8*JZ>`LAd2@09$1tIDSl z{@uv--)yh}t=Zph;{TQWe?PXSL)q-X)buVzlZeWK6*tEy5`~p#(+hl)DGiz zm=bI{Lswm|k8z=U=TPSj{KMrtH2kp#qNArnH37+~$vm~*wtCz#4zbIUuWi(Eypvryr7*-wdOIk3Foe%+liN#o zP-ZW+AOzxH%7`BGBWwHHxy{|U(pR%xUVFQ{?IN!XiGU&|_1vs((CoGo-p{pk2k{$b zR;-5(3D|!e+*}<(HSLnbJEdu|7T3L~FnI6hk2(a?Y$$rc*9Xdqq@>@V{gh;EX;MIY zm7o-K+B?l%)bUj|`5)yC)eeI|9^%-gZtwMiJFidh=Dpc=aj zIVXa!DKng)wLQo8S?aO6vz9~s)}1Z6jauGa=BpI%u`@8o8ycHi)=LkvWr zM;@w>PNqZ9p|F8GLM!QJbrN0eOz0UXb2~P(m=akSdON(hOEWhz_vKgxt>amr?x;z^ z)P56_-^EOBrF)`_pKO+OrW^VC(TUhlfotZe{rf&y9#uEBHcmL);MmQ?V!Ul4A@2B) zXH%uSwzh1O*%#_JQT<=+Q1bMwXcUad)26QhhSwNIV3_H zlwji|vQ$_~$XO~XJvH3OyzA%~51XM;Y$Lc`QobMUXm-X%yt~fh^0Z@O6Cxs=#n=D^vA(bI`M%blu2TvqS{Fx-%F^b_7if)#o7{8 zrJhzJccdrSEwX`KAPejO}@qaYs;j$Pu?+_a2 zR3Vory;P$zB^1<78Ksgaqt;KB@Hl%`w}#0sZ{5U-o5D~fk4h(0)+sV-KTc;K2V^`i);S$YHYcf z+9qc%#>Mp8KFn`B#6NB|!IL(oI*8nJ0(g!@G3iQ zbQ-z05$zE^$mu;)k>BITg}0Bp;py|mbWgxE>w|PlEu~Wl(0M(M&>S&8&qIQ$N?m&B zwx)M_K;893l_CZNPeFjW)^(Etr76pTwl0h{W>Cx@EVa>NfU7;@lVI7i8R4C{nn9;IX8 zQ>@AeJB&(Bl-6`lD?3xzy_UG#8`fFU6hDjZwDgiPgzAsiJcHabwelD_$qe}2(Yj?q zIolQrVkk4lh;}xT`XK0Rzgb#gL+pQJA(&R0&g)=?syYruBYJ(L8Z5Oh13p9U{Xer{VTparpZjP2xyzI#l_vuTLag#4M zj%)}wjw92_o6TG)_Oq`&{8B*%l_R}GMiPDI=x5R8?I~B`RQa!td%T;^N(x^yXun68 z9cyNsHBsGdf6miG=aX@?KKFveK0V~gm{XfOPw_t!;zXoo<2 zm&KYFD8jGU#N3+7?(MMY3a&PMHE$d(LZ&|lBOQiw*jp7r-% zPfkzlAU)go?4J`gYT1Pyy3-YT?cBe=(vyyC&%NuEhuloTQ+Vh38DsT4!4A#HhZj_UN8A;k7*B{sG)ns{2rVduL54m>-SKmag zP9ovw7Df6#`zy{*lHEHHXVI^_QUdt?s9H4a6`|@C{k6u{r z7*yp9`?pjUx7N<*@K&0ybTqyY@rQ;>bTFRsBFq6>pf#i~UdV#GrWSQIY2nUM_UELl z;*VzN*cI^ri$wF)t0PY&6g@b>mKJ8Da3aGu@TgI6Uy4hzG!KFnwJ`(Z3t(Z`ZiP;i zmeu_D;Vy@#mNo;&z|)uk{0NpIjVtEGeZ^76%NSujv+= zwGS=R&^%RQAO3EKRn1mzhl3LhL3Y50sZIoshQnkk?rGV5uxaD-*`fxi$&#ZniAK0r z64Rl5iZf2vk6LyPOW@>S-yB`iDMEy3_QxT0onqc=Ri2A*rxNq;lA?9h$~$Ur9E(%g zhL0=HL(Q*6+YPqA49+7s60}a$cy0;3a1T;_zm@;9I{#b3{I7+~pVax^N{m0WAASi9 z|7UeR5Zd@loe$)F|L4Q6eTe_$WCN!9zsyX3U-^Gq`2A-8aUTK*X8=6w37HrHHXSJa z8Gyb7BQO)n^i2ZxCo`+RvFSgS*Wd2t-`N|WM`Qu&MPQWin-dTnP+ijkzCjG%2*P|5>x0!DrREQ8~>$M(bYHr=-u{_i}t zha44_hsMZ%_QnY0aWH(-asI8n{U|a0b_V~Qy*;#+SRNW9baVi60y08@3i|v@1r1ohmHPcS>m@8++Sbqe^3)08}Ru4W}{?WS=subQF30i zcoC4`4Q=ijzvVTP#5F4KV#R>}(%WnTB{y7N{{EU81fN)_uN3bbYbXv4TI(Ip?%|7o z21+ESw^EJCDfRYkS(xdfvRe`~T*7Fu=*Rqp$YF6T67|;ielU+4sSRr5q<1&gNYc`e zh9dP7KIkj7Db7hpzsqA8%PNpYTI&cS}>a4@5X7@(}Jbj7-;BRXp zvgTZNspC_mm)_2XQ6w+K-4;k+G+2T8JOXpg?hME}i7FpHrl8r@-VqzqRHgCk8n3W} zB@TSgN3{Aim2wLN2T{cxBzO=akQ{{wn2MeNXLM8C2jCNfbO|d#uAB z{Z_oOI7Vp_(g?HK6Z4jPbq0&5XcuGBbyDLcX;fJW|EDDig7g&t^OvOSRZkI;D!-~Bt4TKMu;eGL{z=g zO@U>cxMA$+@*{yPE}J+9nemnt#QhA_i7Gs=sF6$?%W4BhYd>Mx4BFsI1*Xrj6@@Qx4>oo%L&Wa9pns;D4O?Wt1 ziihy9jMIh^&6S7x?;s?GSn-MYE@_SZEs-Wzv$z6Wp7kN~i!vwPcsyzxf-0KbdiD`< z?+WHAS=I~hX0(Wa=+{mS0NjX6pLt2g@lZ-=-8U3)K)v5R>VlRlseC z&Ytu7TnV&lP*C)nX1>NfM)Hp1&4EL45eg<>mJQbKZw7)*1h98#nWaLQLTSb@YP6v$ z;>~8i1l#z@)Pg!e8u)T}HLuZSprO#`A1e(gbq;3xS<$}UfgGM*wNuy^c#Z5Wz=U6v zH1W7wd7)&Huc1PWne}8rbE2$p)KRT8-2LU0yAm54&E9)R8NGb@3hZK$d z5cG_4?f6vI@I~^}KwoVV<{Phe!jiohrI$-&Z*bWxBh|`V*dzrfLkT|_G*}$qu(pYx7RjgNg zQBIlN&fw<$p$_!MF(gA?l>f;xu_vPcffAeajkJnQT#@-+jc&z8+xWexgo5^v&m@pUIn!XBAa{k_uj1JtRlQZ?VTaKZ= zw{^F$@3;~hoo2Xb|EO0BAk`-Gebr0Jr z%}lvXHn@;^HMGNAJJwKYje-IeuTNPU1&JhU?5!HhN!NQWP~Jm`IdE#$1|jTykhZhrN!?$0^)5V}+bObo zo_Qd+D%Fn4#E)^Dq3GCFCRDb-Fq4FW>|}!ptrO*n^hr_P&OMfxW3}QwB$O#%M-yM9 zKk)=~&=(PefWD6xG%w^FQ`M)D%sZ@hP-mv7G!>@ zJ?J~PCd@Y{xUS5Yct`y$ngb$b$bQUG!~1woiqf^NQ*0)Ip|e^XpV$Mmg1@p}_gI)-1E zYXDUI3ThaC>0$tX`6;ORvD5O;K@Cui0}iIl4?H|jE-?U=FdI;1G6T5@Oe}xd&-f8J ze7lA3pWi>-8zTejgJTRK6Cn7a0}$oI0N6vG8h|DMIn!TCgnsO`e0!?@&fe$&R~r^! zX66BL0XU8UP%Y5{ukitJ0d}naclFY@_xvwyjfM7G$l-(f2$0D!0AqA?KsSgE=ngUe zb?V%YZ=98jnFL9 z9=Dltb&qr*!HBMfCt+Q61p3=^j$=-aCp)Jjhp6fGaqWSW2adad@vfIYM9J4exr2iH z`mU^^zI1A*q${EEonzV~sZlZJflsyK+xct0s(7ggRf(KfH!A>v9khQL9b1*$k)9~6qYCB1U!06`} zKwf)EhqDIbEXq2q6m*9$Or#pP3X*yr7%el7c>M)-z3F# z_||oza)e=~j{xP~@yXTH;@^S+F;C;Ev>GgB~v6>t1d|uY4{UG`Z)J`9P>vWR~ zr00+xb{iUondh~YsQD>TW{zJB8brAbqAuITDhZEF^PhlJgfS}17kVX2!`>r-#W;RC zh|(@Z(xtD(Eo&&ZOqqR+xO%gEy0x~}$HF3|q0zwBz|M1fYNaJo2^+NA;%X4vB85dl_p%y=RRG(Ig`>!Bl}iYm zn7pcx^Go=gcyAj|kg21|v62qK;+tKT`Ob621`t6ad&ls5agY}U?5-#fFNBKqIYBtG zW=b`@*{{@EpJfiV632z=8K>ezeHH1hnt*@v6!}qz>lPUH2MjJ!2{7Nm8nH$)m+S&D z?@{OmWXP{9{?WF>jvMGW2y_+n2_9XKM8e+oJu%69Ul0%&CF*aGqO27r|e)N+t{!d^GiAhS3Q}Y;%Z5nM+%uM+p;BY~^HH0&Eo?2ur zhKNp~rWZvymkQxRWv7)Dta8+e%tUuG+a-Ut413i?Yl6LHRtyTGSME8-`1li%I;@i6 ztawxpb1}DEWV80>#gQ|5+IXxG+1BYJ_{Jn6w;ahcALPC1;R_9)I+ukDmoM0>k71rp z_&23&$(*r#P*coX(ZLxSS@FF=GwNU@ghu& zFvf2M=BkWL#Hbp1Ho-FlEhkpr;KDZsmguIo%bAjBdPZB{_kL3bVTSm_5lv^MwaQqf z%nS8se)Gq&`SN^`Hi3HwA8V_%H7$JkPv(NSrJ>Se~Gf^)H1vM2VEMPH`h zEHfeYYQt>${$u1sP<)hI`SAGD>`IG$nvW~_N$z;pQy#4_CgH3RvzLoq1QIlI-h9*$ z&vUC?lFp~+G%9q_kqqim-GrG#Dfnq0J401c5{eD``e;y7R;5>m$8ZxiNR)D7>rC{X zf=(w+C9?}Ujz8NP;5%JntbO5RAaOT<2P3A!bd@Kk6^iH8g_PC&s?x7-Za@HBEIJUs z(?yq$7~dwKW5ejWO1VhPGMEBIp!nTOd|};F@>A=lU@9k6*6E`e)YKn)_mj}wMs>%+ z`;TjV&Qc9OnM9u~m3u+iHz8{ZawuU%hWjie*p-htGfcPmfH9suF%r2RJ6OS6SUsMe zFETpSt8_wsi;_3u7rQnTmL4K43|&K@W2o$E;b0(51m2;3LHiinrIQIXpc2DFN^!Yi z@6}{0!#Q@-Hp?X_+#Mc$8ybCnL)ep?739_QplvwubVl#!gk@6X#Aiyy5tCiV#|$&w zI8(WmA)O#b#Ndq9uYFn5E9!-x%8kTp)>c7|zj?)A9fiMxqNQRSjsTL|qqd-@QS;i? z5Nj8O_{i+NC5!HE)6h1D;d=7CnmlT^y|V2|XYbMn9F-4d)FvV!Rk8Hyi|V}9 z($o2g__t`23ie-z44tnPH`=>%Gq%$$hM2L#bL}3 zD75)(_aZCqQ-Vr$eBXo)lPrl+3GSkdDq;F^$@~7rqEXBuYN*xSwIH(vXi}K9$R^Ip zPL+jbm3=zXK!=oR*9{7_SnHRO9}A~_!;fo28B7f6Ob!-5mdK(smXAZWSoW=IB073^ z&{45)E}{szzbwq%;=eCl&(W_`y4RP24EN@~^lK>if>vF}us)f;ytyMScsHd^pEoe# zd4kT%N;!CI{mx%acIQs8#$f#(R7?^ZjV#hmj8{{#j=D8s}8D3^fN3IkvZ$_xZfGXYf_+n@Pv{?;q_N$vXk z%ItsZW6%RmuMbIb53~170LlS!vA;RJG5{VBe+@={+#296`iFY++pGOMWi{|b{@c=r zIA?llMgW%lSgL*(t^BQ+|L&@QSd1CSatF*W|G4x!@7JF#1Ww&IpU*!o1SW?5f5YK_ zm-+Xf@|b}R@QwYO<#C6K88GaCa@W|@N@n2>-=0s_DBA0?#XR-#P2w5#)H32Gx`(Od zm)71$%HE#6+pEN-@KQY!mNzJ~Ed+uHxl7?mv4*~(m{mdchs(<|J3&QFsE!e3YR?@l zUCNL-b>BS0$nB5o?^v!?yTQ1vUZtR)o3`mA300|6BYlIR9#i)z*K`5hWt>^i$uj3< znc5+%Bfs~TkIX(yC#~3uRLXa*w{0EcryT^Cc;5b)&JoXOQ}x~?Q8U*CEx3kZk`B8m zwTrJ#EjQp+sEQ`Hlxfu0TwDurYPd&dJ|d*SFH_1Qaaw4d4G5huYg!$N(df;fnIMeO z?|bhbwdrV*6dVwErao@^$wfvLrmV8_kRA%_{VJ%p5}zcq6AgP^bfqc6#0Qt-jBdw zUhSPLG;z^`SS~7!Z7QYtS;l*XOIDB1)qOl|>&%WdipizTv86OHw@l+nSaU!$5m%#X=G05g3z0w%)zSU50*B)e$x#5hzKF41f(Mps$cd{Lif1#=#R|b z6^7BCIY>b6dq^TaVT=Qyw?PZ$+J(wO=G|C23kM;HRu@-CHIU zzc~(F1TW+hYq5`U@l;Q(!PI-qGq^m~0CAnP2=;-#)7Gk2gxehs8YzbyUs|>WQoo#! zr>en$9n}HC5N!1{eIwBG$<-8R*e6`aeHFh)X-s@DtQmZSpvEtYhyr=bEFv&*sy@;^ z(eih4oNJDok3Lz>d|r<4pQ1whzK2k~YE^las+nmRR;^9B_3|^J)wcb`g{CD{plZSZ zV@EABsUTYm8xc%Z@F7+h^=slaalRy#HLA5pd!`rre&QLQCqD^joNVi0a%R&h@ZUhd zw7AG8x?^h(LmMe&+8iAI!0WP zhqfQ|ULgj_+E=fj%R9a8WpTNAVY)_00)0FyLElXF9F;RDDx6Eu8ce6dT+@la#5{tr z`Q=Tw?N^0ep?y!o;tt!h_`ee5lpB_#FmAtMOR31jukPsIrEdFpR zPo=(Av`dkblBcybmn1cJiZr9Lu4t3NNsBdan~l{N9~#HO&rA!4>kZabUaG7ZP9 z|0*Edcp04Bm0ez2Vw>OAn zc8u(JOZkX;bE?wFyeEm!nxxDFQb=gwY^uk;5j7dyNfKnkBU-ZdRq;4lIHRX!?2ryM zT;NUzc+tQ}BuE=|wl$HKeW?7fI2Bij!Gf8T0 zX%ZIlyj>(69<`+)zLwp!bZ!#;=zyG{JOAoaPToC)Msz-(lrC5RG2)fRkh7Pgr|XDM z@d5b|eV?vXL$rJ_Rua9Rh3Xfg9$2xj0q4@3-piwLv^^cR!ZobS$KCj6o0UoV!)1-n zOQj$f`WJJSI9sc;i`3>oLiEY-I$IKF>|=?GyeHB!u=BfzkYyzuKNzv= zEMQINgmz~N4N$RB$v7y)L(rc@gzNCYtRj~WZbQu=!>Oy`hthK6YsWc8FA>bScZ0t( zm9WKvhT0K%Yt*7K;j}~3>KC=wM59=25W4cMHwF(&!musY8uPHKJ$FqX$dJ^ z0i}9QrFM=$zidiExKQn>^FWakWH#zdy#V420_Fb;v=>jI7%%g6!u{zSR>Pi$s1>tHac5&OCK#x}9|bpw(}}i|!)OXStqL z;HB?|v5vCNI$`zRZL?Z!L*o%RPN#(X$%|l0azWU-yE4lQA0RTtAUeb5IcrcpxyiB* zUSPtYVGT6Ug$^UOoO|L(g9ks0oT7ZWCdn|@NW=V&8bt5VokTF-vSd-haRp2)DZ|gE z3T9G~QP7%Fq?M6MS4w1v&bZYBnw<6}NfPXO==w4Gp-xmSaNdoqygNfnt zbGtiJh0Y-XO7YQa^ccu58`=1nPsw1(26VL8rV3YVp{TfKJrN`)3QE;Pxs{|a$avF6}7^6zROwtWZz?vWaA|)EOBmNloV}G zu7LZHexz%@NL)kzD{r1!O+0zbC1yz6w#MaG-SFy88NR%{lN^_fi<;NNm{Bv-B&@5s zq{K0w8BDgeY-dpYf5PZYkQT7i z@^)$z#gctvDy3kM(+Az8W?JB4_K}f=wU%`({n;qW212;W4XYh-1CtX5Efthb0~xFSJS&Yv8hF zmjh`P>#bVmFOlDx>X(Avj{-4$gyg%|$8ypRhfVv;#*JS_45KHp)vb*A1P}e}>v%je zXD%2K|Gw|LwU(rg>QMTtc1pNLk`ct{5~~mLy9p4uHxP;~&m1#dKCir*?|lV}@SL18 zC?v=k9YUebw$4BK{G`4B`nt}{-%B$N8jvMxwp8vaB5W z!a#)(Z3);0A1hR|Lme%eM<Vq1uoS9KF*A_0lY366;Xjm3h3UNgWaw zBeV%`&lc$SaE@K+trY`E7jc}zS!Z{j>|K{bGG+O>IAJ@^(%}RT3lEiGP17;ryY!1G6#*2i@b^N0~M#s@-Jt7f70Z``WMlhyM|8Kj3U2GlK!p z2{Hg4iw_+)Ho&Bhfr*8hk@hb=7JuyiecSoJvp1j(1jLmP(gQ9JY=9h*o)$1X1lnZu zbPUw2jCB9K`^P~2qihgp&;17I|F_5XAi@JguYlbHz*Yc;6bwK!5MWg3m>(34Ki?T3 z8vK8{K?)$=ibb+=rJ+Qr>kOseJZvIYB?fY@5 z-_k1o$%NE**+swd1T27W$lv4%3UH^aW|@!FHR;~IQc#BH^;A6T2}sWWGDVV@LxCjL z+kvgasCFFpHT?DU=}ZVDZ+IKFY9zrfD6V4W2#boTb(MDFK~ZB(!_{^j?Yy2V2GrrY zU6Yun1hK59-qL#I*Ul9i5y`zo7fwPWg_ywn{0LPK_%z-S;p*YQC@0c8&Xx z2*vbi-k;TH!T5M*ys0RzbMEd6PukEG*^iZSJrR*z(!EJMd#x2o2rq7>v>lT;eFZj^ z!DsdO-PDaMD&2a6iCuEOKEo=yOj@^}GoTwJal}71A)I^?aj1X&d89g3D1selX4d=b zdr7F{%UHH)sq>e3 zZNxHnDo4S6Kc_L`^-q>&%lPc}Q7^o9Y;N2;$)G)wJabeD@@_^QWf~3$dop`8XS=!v zJ}9Ye_hn*?SYED~_yCH80&Jn_^7VOTkc`Xwr(cjeb{FTH8Xr@gnGY0Obvn{^^LezR zYu(y&R?hJfILLH+Cg=+UZAyTL&wAq|zu%C5Y_JAAkZ#|YK&&OCreeqE*BanRq=csH z&s;H#C5~q*v^3c8w3MhY3_+TEu$PCU5H!R*uAWIY)F=4P+d9mR65>#uc%*5+K`_gx z*dBl~9(n&+jiXDO^rAPf@xz3GBI0K)cr}>~784ty=r+RRBQp-fG5H|fHhLMXtUx2< zw3M$R$lfa@(*0fw3Qkaj=^WT_6ahy>^sJcS1b0N2mLKZBP;ROBnzLls=N7%7|6JXK zNc@(DDSvM0c{gHgW?17*Dg<|s;BLb+XlaLRa|Ma zoT65+`JOmL42s(0<$!Q}=6oyd5o$`a!#Eqyx)FBJD_A=58(P|xL;I|I5R*cwc_Wgr zQp%Z(Sx{Xbii~-0vCT5t_|eKJw~$iB6F7uKzx2!m{=WHP_I?^LLRE6y1lbKA-%~<2 zs}ik8?azky3EvU8jP*vG4?I1^unPPCSbGbwuC}dv7?1|(4r!F`M!HKK)Sn;l8^>z5WWrPp8wUO=N`ZJUZ2ND1lDh_z4qFB&oSqiW2mtZya!!pkc!XY zS}PDI#QMbQ<{8Spg$25B44P!dB5%m#hdeUhJpV$a-XnJ~j3iGE(pZVp$Mp^yeH&yf z7((T7j_@UsWdgEfhg1fe0OZq&KBtNP6WS69hPE;-ut%6~9kJ(G7HZb)J{a6pO8kQ8 zWN5LPww31M=3v~@ul-1}*pzliyqnY}X>vqX--Q!xy%kCeDbB^uAMJfhm1d6=&m3M+ zMLgEW|Kb^Lba|5st;;~S){B?$VG*Eovi$K`Lu%r-DmCikx)@xlAF(;<;3urBH-_8`&F&7PPMGh=F7JcqBz{MPo z3zByE`QQyLJC!RQ(H9H6moL&GWO50JjVifDUOSc6rgzw@@%7IQsCFa-RbobwR}Y&n z3Sb&d)(thwVY%wbfI?Q4iKx-lS-&q7Hge7U2nLNYniCLJp(@2LpJ_AR+f)b>V9dev z#(|aDr&A8&6vJRjic9Z9AEudU8&&|;+sU!cpW zWzn*a_BH7-iNOUKAYY8#t>-a3I*knH1Fp+Mw7vAwNxg6azFIC7;A#@SmLttJ%*7>( zNG`>=mYV7JGOVv+@VLevQ#cdhDN=aVVyz(Mk-9^a86FYUl%Up9^-Z~XS!6qcXH~}F z+P`O0oSDrz>F`;f7Li{NYW!Gn3`e)@JWQVA8nOkZ$_FDv+5^fJdEWIzo7*peqC^WX z61h*?H;EzbvDfHO8DcI?yFLU&cgE0#YmpI=u$_E_ZsEA<#mw1LRVnJ9hktx%q5LR{ z%P^_|&hNsmK}F7i!EHKojWZQ1-l(XyPd~VZF;Frr>$wuMd9YJa(d!X97dp;%)#|5H zp9OJg*O*kj#hHh&uCMjhIq$4hqfWmNh1a$5I)&b4NNm=Fx9+mTX_13+pR5tqhl2_+ znc{iNgM&k@6KWv8=Exw3TxQjX_S@90poOHRr1ZBZr{TBiRXgz1(u|Ix<71&Bq%DC1 z<%mY7_haZGGp8fj3iNsQica+Th>iFI9>tzgRbd&0a@LAFDF6BaGj z6zs1!?9%>uM2H*W5eWFU+{fI+Oldn3JtndvsVUeuGLQ%@63tPos;|o@54}vdV9Ql= zzY(W$eGS_^xfp;WS|_X~W`Eo%2&t=Npl9Jf4JCL5(JTv_>j4$?GD?kVj_(T zDv!8G`o8W+jltpOXJp+99#Ekfsj-rns&Ak?7`e%Cwo*G@xG?8cArdvX*=Q4K_y`#E zrV>PLlPQ?fO^EQ`2GGUVT7SrmSlZhxVblzn${bueM4tz*NK_y0ET+Od>f2C2yeyxl zAQZ6O&l8L5aKgM|!% zHy5nK4b@nMA#3C&P@%*Sh<-V7+CVYun^I*qrlT@nfu;1Ro>1O4Hof5XWfI~$zPy^! zgZ{MEnZ1Zx)`X8$r(y<(PxEXe!#Yz7Ay(T@o+pT(Cwz3V!If{H@K7jt=7iM&J6!& zg(sufg3lO@_zfbG-;WX+3<;#9eapuSEk&^8P1Rke_F?K6N`WG2Y%q(9ohb3p6>m$M z-j^qc`EI^;qh63%= zeG5*Ou=;tRS?q??TJO0(1PPcz0xCG1ID!$NxdLA4hC{w=*)pQH)=7Fcw$$`(|Jz>F zH2-Sz?ex5)5$=R3UIU^jkM4O1(LinkF^FA8u-F1&@&ciHj9s^pLb#Sf9Rys%nrfROwbked$BnUQ)v(T~1R^GiSs{ z<+QS?MKO~*n(nhdc=7d3o=x)xOhRN~8mFlFkb<_*jW{f6&jn7ke)bGfN-=G6q3jK; z0#Eg`dd7Fm+iNThOiQBzH5R2fjUjHV!)JHU=7dLuQPc=#F_a#8w zdsHxZLt_lxv<~_P&7l=0N?@jlE;Wsw{fy#eCuI3{*iZsY2AKkkk8LLHv>8M27Wrc2 zg$2vdVu)%NAzbrP{9UMLWf3WuOa*;-s^PA^Rv3|=;Xq&!4 zpE^*C%b>6->8~86UL$hXd7yr3#)!lR*8P*8LmBGIjgjAG6a_hi`})p{CKrsKi2>a};vPC5cguobp+ z-p#00$)KYblB%McSB%W}gYLK^F{9fPYh3o2edd2r{)EVZ>WV~`!ZiTiQZl+wxIrH- zup#D3_}#VGnh%PPP%&(ci$Ru9A@UMRK;5q<7rGy#Vn2I+ic<^8_f#ZuhnQz;oJf56xx{lz)qast zH=*=EwVDZg=Q-mP8`Z`B4qo3vx1FxV%XX^HsUW|R+(tCg9OzcNQ;5bdeSC}7{&uOt zN^Qi|87$Y(z4DB{9!8GqLckAnrgD9z~xdK?lvWwUBhY3E3Vn_N?jQV3Z0o-x);= zmWO%GrAyHSJw}N$pSIhr_A$YOQd&g4(XG>JF~fBi&t0M4{0% zIR)=z!pkUfmeGR-JNMNSQ~axfHzeJm7CF=o+ihyqhJ$LP9yXdh=ZID>@5G>~IX5|R zap7)Kd`P95t@+`;`0Y-h=Et=)dNEypO!BzR6NF>FLv(-1IQy%-(GTtbe?x75K)!#; z8v)j_|7Yq5;5G0^x(G1t_}3SICXm?vNFV`%kAJXAfTqR=jtU?F3AC=>|MHKmybmAs zzscV)1EP~`0F{^JUKkU|EinUJ4o09S6;SY@rT=IDj-L}a4`=s3nj7G|!3LOmu+TFD z?Zp7w9Y`**-g9CY?gcadHiPpo77TDczsN5E1poh4eu)`q=Vb*N1egHfBL*PR#0)t0 zvfMM^?^}+U{*P^`4_o1XvwRG|^05Ou{a!Ve4VWL}y)YACPs+$bPs{pu^ZS!R1W1qm zoc#Je5%u5Y=72)PgOV*HJqM5{1THO*Mq~!)Q;dv2t1rv%T-u+f_i)erua*w*g$A;u z41mcoJCM3#1a=%dK>2z|Z*u(2{Qk9c00-))m3z30|3_0}Wuc`9b}{g*0OXZ`bS4MT zOn%=K4Kxn3v;Iw9^Utda-0MHj?Wab8ho|Fjq%{BYz`tv0_`%luArtz;@$Q|78EF{- z)2W{`p%0JWKbP@$GNC_o7yQ^9{cmTM-_(lw!5I4gH535z{LM^gf{J=vb`6SGhIX5J zrrDqmU;B{jn*nn56boA8Y3s%U3T$RpV?MjOfr-!48CKP;KC_BvomSO3Ed|#KVLe=K zG3Wam!QTe=UW6Vxt;o=?>=87RehQjpJ*sfP&28+M$NXe`mqfVHVunx%qw+b0b*9W> zX9?Z0pufi4Kp986$=OpiUk6q67FW+hF(I}%iyyCx+n_DuI>Xv)Vd=&Z)gL(q(;fSf zr|E0q1zva|=g_PIKtLx+2Qq-u+% z|7NWB{W=vglyD>LWMTxjqKuAlYC~>}+sIg&qO@Xx@l>kBWDhwn#De#`Q2AQ^U1tdl z`)nBlg@ULKs2D6u=t=U(kNBHtacVVbr%z?Ry=3|P2%&x{18%k;aib{tuoSE-EpPDs zJgXxw_$RBK1AiI=s9uVNseMIxo7YPxI1%;V#D(I%>LJ4kr}~CYRXq(=g|G^JcFeZf zl^Ri^WxBMRy7ml)DIMY30xYWlWz~S@8Ow#r`z&zpmlj@Y0`Ltb5wEZjnPS34-r_r@ z)rzBHbcu5!Zf!)u?+?o&NK8E)cT$@&8{Ah3h*@T8bPYK2!}?${_oB)574q;Cm=ZeN z1ZN?x3|~gI!6aQU6@m28;4TP%Z7EGT^w>QAcPZ>}&Y}K(-^5w`dwfmuE{Ul0cuY5u zALBx7_u<8~yUK3|hPo~>E5@*^XHW$~n6<6DhhYnjy6dRCvDggq)D0h2_WWeS9@~sQ zEI*ROMv6>hAXqp~3ZBPQUtpq$g=?jfEiFpT$FZ0$y%ux{vol4LWd=!<}Bu|rY(}!z)rGxhFEp>U=KzR07azY~w$F5&ybP5__$@4&z zO`QvdzBL2AOKR_{D>z>7GY5ic90g&~89Fn1vdysU?m*^D>&JV+q3ka~*y25MF)rYZ z5=HCsQI+cf)VG8>v>u@<4@4d0hh_#CK-;Cf6^J8UfW;hQ4scH%WbvpZcLvXJ^Ss`< zeqN3KwGXl@`6|8=J`^?=mNqu%2~D3W2biu)p(z zj5oC1NXg|+oZE(SvVs+!$TkhJ!Iq8*er%s2SF-!rmy-;ONTr`dhygeuqR_ca0bgIAn8}Nw=6-zk!YLpJ96Id8rT~f7iwtD^cVqFUGr?bdWhfoFn z>Zckt?*@-LKuK@=CA&>mGAWX!oBY3gx7sUG(*#goBOT;(1c5i=pw=kYgG$jZy(`E+ved}NeR;4TV5%bMKV z8GL!2NKX!)m9tkSAb`!p%!uh-*cb^3rsjvcnuSL7R*yA8%f{^oL1yor_6yp!2Dr)2 ztq!R%B?Nk~vFcjC?6CSs+B+410?l)hz)`cl^nOejKElH-re$S*mnvh>cK&zFcc?k~*?W7$8Cnrx2rvhP>Kwb`$R$%A((9qFcnxFp6Sw9~2A+V|ja+RZGJ z=ggm8Tb~Pg+^l(#L*asv-<(@%vdsw4Gof2rmbIp9CO)1jLT7kG$eu$obz9!?v3w(R zLJQvNES10_CE`&LpK5iG$avS|GqIZv1e-L63=E} z?kwyfOkC8U>^J+$!(XI1W09uIM}vQ`5K&R1__7lnns&E(r9`v^8DGz((AI4O!igFJ zhIj=wX|mc7S>u>QH!$anF)+{`yh!W=(}bBO87*ql-LxF#VQCtSpS;m)`clb|pl8%k ztOF^wI(S}*WHen#i&zCd-+u9BRGnWosPa~InFU#c^`3>A%f3QhokhCF5{-rglUGDJ zd}%@M%(CMbHPhB3RGw6|H?-5*;kH*9HAsx&%ntS29>sZnOP(%G}|)HIG$R|X1cVi3eOtqbM@ zH7=MC$*~Eg(FwH4F|=^a3GWMxR24M_aSW^&f+_Hoc1F#c>ay1Ou+C@Mn*AI7k5J}( z#c$_Is0~Ij=3C(RBj^`lx1p1y=G~7MPkPqqCA&!O4zIs02EVul0bha;-#GC0xV~M> z+Djo*P6Xr7N@p!ie|3{ci@!U%D|on)@#LbBx}(L>?omWvqIRs@*_eEw{2EQmmI%K&Ts)MRFnC_z6 z1-AyE+dpg%7qzN2^5Sfb`*IS?;QBz>dlgrtxPC-EW!zoa-Sre_X+xtOv@5fay0R(K ze&L3=Yh1oXE()9J7_;qGndVow4v-P}_r?92gb9#60Cvicy*7ZY#l!cc4Gm0n1*}~N z)$bDAm{|ZJXu{kLn{X$&+#uU03IGfLn{Ly#D@ipA%1E@ewf8??ZxjqN`ASa zes8DT!;pWU_n$k30e~>S8T1dTTH4RoA>Zz6w;`rcus93AAT5XSvTSnJYq*KO+1k&I zYwT@BGpNK6#~1J1^j^}W=8K8Vnkb+D;?f0oaI*ee~hE|mt)pyOcJ)qC8K16kh&Ott{X*edfUNGy*mQ6C} z_5I|h>8Op-K$r5SYpaEAGWTHQ(eelf&^BSkbnrK`%Yk~Ag_(!f&{ zJ7_2Jqp|R)#ZLOw9%n0<8U#Ek0pE*vmcegp#~hWVcS!r~SWqd2?$G9|cWUhp<8(nYvuftetA zw7QqmMl6z_6$*V0Nsd-b{KNoGFiV@P?(Ckd| zymiHc&9bt&<*jR~co^nE!Ki@Ho08g@_wC+8b%QY5R5u=?+S48JB38MAcQjX7*retpu&Ud zz--9SgKO|5M8-k3KzVVb{q2&$EG3vq>sZ>h^EV!WJHP0Uj(r9)@B+p395gAmQZe*M zCUtlNX4z$udarAIo~>AzC(JFt<)sB`RP0d82ha24)6N}ZUM(*p(Uvk%iLP+tS!MPM zn+$%4;nm>XuN`u6AmE~%s<7<7 z*yFV;?lIZ!S`J>4vLAXtBGXrca2K9IZz>0wbr~>%tG~NbX)7?8AJRMQFThIRvvLCU ziVS#Wca0c^70KO~CS1lC9>p!x^2J4esbt{Q5SCevQE5lQ;)Jo*IFELqJrNYjt|s~I zds^Jfek*g;k7wRsaWB~E27ULx4s*P?hBd=?s&>+o56AyRpq%@GDfiaTJue-!34HbT zL&&?u(DwZil+=zG{*}wK0P9#Ra+Hiy>1s)Q0u`5@=bhm)frB=*RU=7;;i8ulTuZnF ziCR&-&rue(&DNZIaKW2~_~{|+jU%%^K6yL8GJ|YD#QrhJzfu>>d&tqpspBysksdJw zY(`ELv7Uh4v%W8;=}1&M3Q;S%*{WUK;U_$gA3qZ1%jzRxmZD246O6QcoNp@DN;18Y zqo9#Vq-r22W0T7+q5)pbYTr!`uh@s>j2oa$DpRm?v&9aPuv?yZ6INuqf7yfV`Jxw- z01qm7^chK_uXc+cEzeEv=N?V6F1`*`oXuNK5$-|90lma!X{9^TBnG6)0xG*ORmeK9 z%+Pq46MZTO__61`L8ga>ZmRwZ`PoOeg^)!b-y^_0RpbU$hsX|-sCw>nLU(q8h)V*} zNR@|F%4v&)#QZs;dmof)Ie8tVQw6obQvM91AZl1KaTS1T<=BbKcp zPhr`fj_NfnlXj2jd__{+#S=$yvsLpQ7vpUx z2qH0l|1;KLe_3YX^;)cFXUEW@v-6U?H>IVYJZtMbKImXtdvRxY?380oay?7m_T@I6 zo6=HV*;$mXcM|?Q7YB{=^6XtHz74pV9_*^_ZjZrTTkP@OS29n}URRswCpoYtAqH2k zUol-aOZC!?6~yswPzX5_9X55=Ke{AMQv|o^_yB51aq0exn2zxWpX*=8bbrJ@KgM(b z)%W*eI>rYpcVO^?>XAL6IuPao?X>r30{G(3k{94p{_q_}`hS(Y7$3~({|cEN2L74) z{VyRCGdoaDy7xA?mjSwWssm~eKwSiA69(j1e_ea{cLM!qHub}){BNel2y_lVXej|U z?CikjG6Cff26mvN#K81)jc`v% z=V1SjJa0;%*!0(l{c*AXrxRniSI7cfGyrW_MnGYRiIIbrp80QzaDQA)U}8V5*dLqk ze>ySxd%F+74uch_5(2x72@tUb8o~e5HUlR1QwfO?82WD{au2WnxPSi{4gIhOejfNY zWttxz4!;`3!T=Pyeo>?W>b3uAoumWkhRz56Kl2q!%^8vXyG)*%$WK14()2I$6 zWf2yS?yL|pyDaOz^J*NGeid)p8TtI(BVY2F#jWn?$6_wZ>4!Y2O)cD)>&>s4n8mW` zk7<>)@Z8E}z|trW?7n!O@($)4S+dklQlojP4$FLGKN?P&Z|d2}?R(Qi9dh<|Fv-b@ zGVtydG^Ue&<=mJM zxB5;vFe}>r^Efy)EEi}upiBPaeiJ!WV>BGuEY_^`G;h48nAH`XV8*%U>2=c>rdVqWjYWyVGdoT(WYL{rM}qCPW@%fMXqe9oft`Dq+eF%H)#5loEEM>HnObjTGm8DiJXB=e6Pi~4||@( z&q|{$Me9B=i=3%LdXZk2TRyM3hJsdySllOXf*HE)6cf+^|EvivGrS1O8o_C0>N86- zRbLP$%^TKvi~TJ}T~M0D6CMp-B}3|-jSiB zjQ*BR(m#C=*fQCDYc+f@|b+eI6}%TGm(3%1EHFs6_&*kD2YL9p^Dhg0jsba+N3V6~w+>MnZ|2YR}VgRjV_ zu0O3j5)JC?)t+^#EjLDNJ%NtLmW=>Yj2$j)oeS_q8MRf3S|dcc;y`yHG*a5A zT(PepPLXYpV4=TJ)qc{eDQf;T2|;uCZ0Gj$%j)TRBQLE#+ubeqsWcL}!sjIodEz)- z`Bjh9c6jol2s+DSj28c(yQU~o*|KI=6(GPD5>9v;^;_w9+mqB$qGa?Wa|uhe;7Y&=Z_ zf$S1H_c_R9J#zX)M{d@VuRZj@rt?XaPsETbJtUvzMxE&Lsv@F*#W)zcpz@|p@9a+W z)(z-8OP@F&cFsj-mqxSPHsVHoNElFm)Ny^P_uwgoyBOOpwdI;h`xWn#kJ6YjjDFFw$u z*uUUwduCLkjvREBp04(hgYfW|b_kjP5Jcxds%to|qMA3o9krW&{8ZET%;EI9Y&RY+w0fsA-5(@{iPcCE1Wx$4cFAp&G-vq6>M~tgv99 z+I%H+UGq7S@Cy|Lg)%Ej{dlrING@DuovxVG3<%=IC5qa;b!3D z=Aer6Vv_o1JjfiOaoUqZGo=J|oKXZFr2{z9M4`1LBMW=t@_F6KisFUAPa&H8P+dVi z=Q@I9I5JFvtBM;ZPj^?lpYC~WX8X7oN6+(;b-!2nl5|5nSH9!9( z@d$sePX@A8bVMl`NkN7GtnN5JcMKl0t;O6e4Ov%FC}w|m3$3mpn~V&dWZiD2`Ws)9 z$R=`mQ3x|7+=bq*c8@4}w@aBuWxHed1jsAd zP{EUJLBz}tlnAt3DJ^^N_xw`upd`XYCxmrm_nmA8UWMN|vsi5e;6Ae<#M%Ra^2pc3utRB+eQk|`1 zy`~S>Yd&-*>1*pne^KwozBYXxk+}rD-$8H^-9^`ImuX9PcBl`|QVB@<8`-{WlZ} zv=0)tz`5R++h8t>X&{z6m^Hrc(J8tq>^b^`rq&!JcIlKvh75?7?_+j@}+BcTGByZ!_X$K)+Qf*hNaTUZmUS7F*CQo>yIP>vjjx& z!lZAk^}0(EBpflv-OF)mH4;n;Th793``j~8gCNCLct6=NE*kYILW$&QuGJ0fz_VUI z{WO2q3(7faNj|dE{ml}dWQk~#U3TSp%MiI|B0*Wi7-768s=I&CU?CoFk?Wm>1DF!w zNsP2Hl7WsMtMSCrr7VT5_sW1MJ=~D{lqprHf8EmBsU0#%PibUZ(wI+Ob2WkE>?d2! zn}Y?D)+Nz9N1jXP4+xJau*I`G-p0z^ra0EDInnzz&~rr)N)Ho+O=kkqVba!wiob%s z4BzW8{SEYe2nhcQeILN;KUV^O0eu-C0%HLB0vxgj#QOuK^N*kY8T1TGpSz+V|zT|88y!EI@xSP-z27f$RX)@t(ZK z3PkY$&5rHwY#IMwLoV$v8J+jo>Mwxf;p+Y~Fk<*23)K9#9zjdF1^L`tv&f>X?8A*Mki8Pa^@UkDxRgDJSB^yh29%c7V@Q zl+c_aJk}2NSoG@!JJV7R+9J`bPeoeA%1g~d5QXA2b$mNCeaWN=19D1Y@)I0twOf!M z`c*qhmvD4tk2by9_D*SL@4?ue`pjEF9#^j2{;>Y;rId3D|}-nZ?d6Oa&KT)R{I zo?!ZY6cr@lGrj!P=u$%TV%bXV#Rd5ZzgwCt(o!-`$oJ1F0|JbLZ#BM^XMF*Kzg%(& z&N{puBrc2=qOXJb952O!MOFo)$SRtglH9Zh^1zSD$ z=qjsET(ehUSuT4oF6KpNok!3<>?=|SWwe&YmJvlHRm}2owml=>Duukg;se;#@c1H; z5nlNu$Etd-1Wg!;qw}MqbBmtgJvIHw+;IXE(7l)XJpT4$)D=NTt z;z|q9hwQ*vT~X+gED~9hH1@UNSf4T5l=9x}2P^Lvw&(&cDA*iMaz}4Y49Ov-E`1>* zI_}7DZt!%{F=I_P??(Ot?PUkVvP=Ya+=YxfCVFrijxqP~yXIK}MO12bgs=|vZCkEz z_enNRjY!?eT2mAgaTB>VYWmlK$M71RWsc%GSbPXPvkWbA(o9m#VFx!=fp#*qEzjZ8 zOv7uAJ_nhwf*`FkgTkYC^LE-?tw8F(%mL(_#A70ve41f7940b8ee{Gff6Pp%)~NxH zi2J^~p8mFz*7b_#-F&B!Wu8@TY^h&}k}PW7$q;j1f`$N6<+L0pPHos&^KoMe`0aqY zKm8UbnZ{?Y0AZaGeX=qN4@MRKV*wjpauDKR{EsL!lEg!gyzRjp?3KVSmo)E?KH$<% zj}yJ}g3US{k@}MICHU~u^bngv@~vJjC^b}>67ei&oUc4b@sWec+exj&@)IqN&7-?-UkjN=grQb^*OSBQlBNQ9gwXAXvs3AgYzUewi^ zfym-jz$Nk9T5&3$HSLn;{93n9G%;K;Sj&eGudb%SjVny?En<5Y^WF01UBn!ZvLrIF z5B7qB7hY&!P&!d2<+YYwO0o^P=?MyYezFnr{G)sgeoi}Nb%0y(yLE& zff14_a;4ZL$87O0l{9|2C4Y{5{>m7;w{m{ie)5L)){b`ihW0>+$M8_*_`hvQ#_wa( zKQ`7M0pmY!$%n)K$Bp%yI|gt-{`YP1=Z;|px|1IMz|x7BS~wWm5z>iR=sFk*8R}ab z7{US{ZSP=bsA~!9GPkIBsd9fvy$FPHb@enAwsfyxcZu;6%bKQ*l$ zXvYAS7e!HL>(-bA8`I8l!(W#s?fOFdp9k$E6C&6bQ`n1(6=?A^UeeJ%Z%juF{2K7W zBk6-;-4nJx!Bu-J*9o$Pp0nGt)4>$peJiUasoVj?-P&pAQoffPGY7_Q8^bA=)@~=a zA5Zrh-@`cXh9SCbOm+kku-jicxp}(31GiRkzr}Icb6`3J*CndXb%|^}%rhwKykbX> z)E_orN^TgaW;6F-bZ2$Xd)g=Pf|;t|=_kPDJ`P5Evf_&KZF^#Z7BYIM7qW2yHT+8M zgndOmTLO_%|4g{9W%6bUaYQ!xB(bGV)S2+b&C3chH`v?~>ng~<^9CLqc|!SWR` zO$$gxKsK|_i%u*k$M}?((N<^EyaxlJhuLpW{RhW&vi2MlRE8-`;7#h~@ki}}4JSjM*0Ik33 z!-&z{QAZ7Da3;KRSHHHs)L$_d2WP;U@gc?Z#9b)hRyJr_EOT+XfHmw5WIkAF#%YIs z{iweHF~TWP1e!T^UVk@3V1=WiVdHvb1D=%_+#V6}t}8SgAmu)NC6*?<6VPE;&b=(H zfrL{<6{CAFfn24>%7c+RWI_@fs7ZHhB)Xs-KwUGB)XRtw97JhWy?<(K5DHodu zVLzNwME;(97!qr)4Z&g`B-lFmu9jnk2g~sp!6p7$Kqd0_xc|8%VsMsH^9TbR6y>Xx zWw5B?;7a@(^-MP!Sz#zeUHHDe96Y&c;uky2rcXIDb~2ysCZ<(@WJN5e5eK12-W)l{ zzo^dkwdKGK8gnGCw#yH^0|9jdc}b9iuEj@)UA6#nj8vX?tS;tWfZ%K9r)6zS)8^TE-XkyLp>q2k`OnXbNy12P(^dVNkp2E7AjX&ga z?-OOV{GE^QXs9u*XLDT!1q=498RQHKnYj)QEJOgz z#2!2r6p0Hf(CQWYe7*^i4eC>!Lk#~9MHm&7=Fb(nsggzAis+J@s8fSsglsC`Yz0zI z6+%$HJ~2HAP6ZWzD>j8{=A5J{DK)eHT7{1IW2vpjf}~FbCC0|SmNFUb-5YYv8(zCK z!B2~tPUNZ*=5ddiZ4k-nUO5bqlu*fpImq&GEO+PB@-#jL@RQ^r2FYi$^6?sI{Ak)RQMdO@jw6H$!OpG=o#Rc*z!W~6- zykH^KKt#!NYNnWbu}pxpa)s}n!0_}%1!Bm76U#+OQ(=UFMDbgQSnPp(_E6MD=7f-hitor&GM^~QO4**SGP@SZIv^kaPN>8D);e$T0RCJ&%m-rWO=P2 z7Upc`ErzkG^~G^KN5``X7Okz}s^Qa<5qc*=rN?Gwf?ahRd6Kk9Z8?|&B?isCQnt`v z8>s^$d|0Bd>C1qpc<7UAe_`B`0gFC+v^hIJpqw0Zki=cn>+AOOo+6Xf~eKPw~9uEJ^@*?w98m-c! z#%H+ASrO>Zou0!IzEPbnlK)sNZXa4e{PKN?&&5cKNhjMVC@an9(T%N<5-m*nCVi*C z_>fm}OyIS$5o_Qf3d0r$FhQG?5n(#~A{;C3RbEKDXfCq8f_vl(iM70Ectd*B?`rC3WB^8$b{Ini295%l)oj#P;idLY^ z@~Cr)OkVg(&^p}3OaUqi;-;^HB?@cY7HY7Pl#-)hV_wqlvOD_0=pNL&z-?$PNk$vv z7Dq=XcX7hIML2FF;O-p0^wxJ(PLY1+)kmymASkdW3S*{6iE#2RuUo%;`?kxHMw;E8 zaqdI$SQpYk2fk3Mey0`+3$l-B-9n4%lS6F~j<2&r=VshPo*0vZp3R{|WCe(eW1uUI z(xTR0Q9-vwN{fGgWnGla!EVc#LE z7D2Vl8kQ5p32Tw3NKIvAz+(6b;w`+3O%aaZm-4Pdx!T?mHke?(9Wsh4PPwV}t((16GT^2hBj;Y&dZMiw$uGH6)!c7~vA!dPL&JsMmfwu;e4DN-O#4>zPO7NQW=Xq!Dhvf(SuxJdZejdZ+KN<6Ef4PEtkl z_1nr*eA$n8AiS-RBfkoKfiCNR2Y`Qr#U6shza&Tj$Kd~8SnNA)5F^lq{s$9?@qu6j zgwYQe>po=)WDNiHqX+zV|D8Wn7=KKnK77KT@$V0bN&#y-14Fw9@;SXGofw@sognZZ z2EzMns60RiAyj7qQlCsf*7V+LjUC9A0-e&dOhDf*Gc(Xo!EtZ@rr@aO;A&$?CuM47 zPRGy9O?Q6;I(~fzQ)??a1v({p@%z8eOdK3+IO*t|ot_i5Jqg!S)D z?I+EFKeosJX4wFc^Wgf&2>iV##74>r1Xy2f_8HYSv`%p5;eADDi^!w(Oq-^lMjJdFO_77s}Jhmn87 zd}3t!o(c4;VSpPXEueM!b7BX`sr>t?`OA?2D~;us+$Uhk{$VJ<8v{1rua5eC-t1RL zWd^i7SOGbcUrhM>jrq%=z@5qta3p^*^!q*Y%c1wmu)qW87ejxdi2dcdFaeu}3GgEM z#nA8HOTRiQ6R`j8D@wl@`h8C0S3?;A1y*+8P4n|m=Ks6}@8xd+Mc!Xt*B|!a-{ks! zsMGvV!TEvH_8r^pH`6#jIJo|q#-RtOeZQN=!8QkqHpkbuuteX838pk+W5p<2y~NlM zHR3eJ4dBpv&>?9?8yk9Jsd^VTmX@LgdykoB>)JqrArjFzQn82JO>h<x!GasW&B04RYj4wkv2izO2Z9Rb%d;Jb_-) ztcF>iEQS4;&UU4lBEssi7kxWQ`_m6gw+=_EXRA?gkSC_C(OOcZ3H&up7Z+TQ?Nsh4 zGD#(r4wo|%`Ki&u4G&jVli;>pjeWnF?}Mc_d9$=rq9Ieml8z`!rFKyJ)=5F`s4J_+m#)#6R*ibLd`SvJL1B5Z)#NC{3eR1Q(ki!#C8ycOt6x`i&{U~gr+b;sS zs?Iq}2|jJrG}cc~rd?*xFJYw-=xD9(BZ}>7D%`1l7Ixg6<+UMeRiL$fGpUpp2J3MM z;vYP;fo?kewS-{<2Q%GZ@-%EIz1j181ET)&a*xcz%WUJ(r+)56R_`zCh0IQGCi|ai z$K#Lqkf=Ia+Isg@Qp^lw2pb`+TxErvGi-afVsv#=6cuh4tfe};ky zYpt!cxMHBWo?8$O33rEJRx&*lGk=F0Sf~%10Ch_7K_rbUtI9@Ph*aprQ!-g3)dq%C z0s7KdB%o9RUVWA!l%zfWDv`7*30@!cl20f~JV?EsEK=0aZuVHu}qUd$EFwI%QIp5i_|hDyQj7{03xWSrY|dGxjM>)q?3ubE*_!n)e7 z)6`Aff;6Ujpv)$9Ugzso3a`AI%xQlYlV#|_4uK>`z?l}>J(~v z0OH;_$yu$TW%Jt+v?9KAB^F^F!g7?n$BDuLxi_gH&do-X=<+2ezVxyjQe_Xd!)B8o-5pzaD!3HyMIdwxdX8v&#!vW zNsOp=FwaSck-@gH!v~$$cTA{%VSNDQH=_;yR--u}zJe$vXXLdQ-vPA1D`F%840Qu% ztO(M8yDHuzYYEpcnmrq`4y#2Po5A1A3@h5xd$~=F6F*f;n0O5=fBDq^WX%9Myg*{u zj`4{gEZEz$8ib)x*Ns~Yhhb4;7B~7k@L)>HPeKI&H5&u6y=b8IF5zs0q_IQ` zOQ*CYLai&Oq}$rgtKizsMT$r`r1pNsB7yENXXpo?px&`plJL^qjs^(bxKCr@QZ7|@ zEXz8cKK>ZFu2XQdz!q8(M_KsoN#B7xm$R{l^Ok$s+TdF#Ya6`hXeTa1@B~px6D{>1 zkX^G&b4~PQ8n8~pcauDdBBQc7tuY1~q8$OEg=|joI{^hFI%=~-NK9FJQ-ae}yGYbd z*LWiewy3*~5r=HS;g#f zWtiNoMw1dHOU1E2_GTWLyzroecw2Lcf6m(zvBOqT9ra9ZTi+}PWYZ3&IMow8QnhX( zgM2`%4YYcv>twlMo`e0+QaLHNLf)PQ!(-dkl0q-V9|h{^oLFjqfY?wM(MetPyow{A z`S=qUE#>f1xOQuP9$R9KlzxTvOPTRvr%5kfG{aCrlFr$Pqw!&kAfCr<4%sm?&vQfx zo7_}g;6=mZL`XM|k*Dg#A2-{o?UsPnhOe{G)`?Oz9_l!%u(j~L5wV2_i=B4@rBu7- zne5CYnuecsLW-v=m0L2%*A*!~l%%SkJFo0-U~tDjH_T|m^qikpK6%uP(ctY~{}qKo zh>#L$`VL!yvS0nKO!v#l-d)}E;HJ4+WY2eQj41-yDCKX#3AKh;tpsF+Mr{@vg?VMz zyi%`{5K=K|B40!A>Wl1ZWSUx4wYUvv1JRt z7`N8O_|g(6O7HaTFBM;B#OxBEnXqDrLpal@Y0pwcBD(6wz30dN_BAZ4d94lJV-&|< zPmr_feLjI<|C9axC(6gq8aACYC@|meJ#q7`I5Ss+mJCrzI#WIPDpc2sEtuHU8B8=Y zPtSOcMuf7S9*WalBlsTj@Q7>dqD}lHLbf2-sFKZ2Gcg;bW|7v_*;`kV&^@&D)^~3? z%8%h`xGP+|2N(tg7M%6|X`%fsR38caDzjg5$-;Z#YUPI>@zK6L*8qIFE{K!XeY z-$;A?6M%X+jsMa70R9hPtOx)+pgReOMjzDL?v>H*yOS9IV?)b5d+X*X#R# zwV`JOZ0A`4M%kZpy9b|4z&`kobNlz&0Y34xKebQ&al!vLYsbh6$hHBv;oj=uUQvLV z{$9)w0G~j&630KdQ2>+s33{^pgajXMmfwM%KUu{y{xI}D&jcJ1s2%@|Hh!{-|LagD zKxmL2xD3A-`V$oV%Te!bMFB&UpGQ92&3|5nzriU#K$9Op%YTbgzDIR`lFQhDssAQU zd55JLwZMG%%}e-GkA&tlfo-af%QNMCaA(nm{aTa$;$QX?n(UVE_#Y?hMDBbY?Ki0lF zET}d6n(prImhNs4rKP*OySt>My96mo=?*Cc=?)12Dd}#$qj&tx_3EARo0-Qy-~nIG z%PIESYwfijYEgOX7l&Q(``7B1tqb~B&8FURR1h~C+S`aVVpFTl4XGYp!jk&d)G>HU z!@mtSbv)S|icwo$*1q$h6ow%Re=pU@WDuHB%&*;cpYRxS#V?9m$pdTAt3)g@AJ_ZK z*3?v`8b3|vW&}mQOdP#IIFtZ{nKte?x!L{xk;18GDNl?ZqJ&?|99>pVce#Xc@4LK% z1Fn~n3o5l!`xex(6b^PR7ZnJnd;3gUNVN_-HWIUoVVDa!*?Q=O=3xEv&mRrj*CV!S zD>1MnPzVVvQ}Fwqqa{TKL$oEBKZ5vBN7WWb+JtgTf+)3>?gl}IZii0g5emfxdn;ef zzSAjX_I_E{Kg&h1#tF_>X$!}1LZ@!R?n?=Gy8vQ^t~&nhtIbUc=_aC)v#p?ZvB(ag zrM0FczJ$y)<>+-2FK&1AJUF|?jkY^c4(DOktQWUFQZk(Bw*m0Sr)uU$+025f^R};K zw97fNOG%Xbh$=u{LxMjz;4Xh;bVt9v#XcA=XHB=DRYPjCk>@C>^k}U)J^SP@tVaN* zeEK%tsoRVPH;~&yZ&Bs*LP?Xpi;a5nKpYl>@34G6J)3ENWoK~(xy4OU!Z}w zF$`#=S1A|MaL~R%%b~Y`s(!cix{SfySX9!YME$zI1g0nANE-@iGcU`?v|&98o}~qH zEL@SEYwmqR&DcHJnhT=tkJl5CX3U z?Dm9uKdEa$kbbcM2);55XIuH@B3GK6r7Ov)b9u4(YQ7tT153WD_Ajo)Yrb<$ISvhS z80Z@3?s{2|5$vS~Uy*H`M31g_qLa~%$wc>s6}rDh7c3PG47$Lw=wxG|lxy&sYbtbp zmv;~OXviaU6Bpg`DS@?G952NPO6g7_nP%IYBA1iKLe@m5AY|2$oO7~JwF|ls>hB=;d|J{q&gzqGJkkHK z00sq3T%*4u;gy;N$9W=3qTq@}g}6L7>PWGbpueVXHHp^|rX)n~B{Rhd+BMc^r2Uuy zep}?_+H0bBBAvB2Nu@;eFG~9%ULmoi2#8^gK8xD`54czgf{}&lgM|2?&`4E=ROD&@ z*cr6~YY%c-mxLo)pcIRglqugsrdTX|#t~0C0`zq5Q~bnf81FBTLsCvCvqkI$+&7-qq13;w2U~^l&1FTd#E*)Srec+$K4#fAeHm6@Rzp5KzCtz& zhx`a*YnqednIa?x2$GeOq8^&0sjueELzlHmg*p_23#vVQ$64vl&1f~vesYpLT3AYr zVD82c1hzUViaGu=9mvkE{SMy4dhisZem^qEXo3=D?Aj8^Nn5q+N>AL-vVvQv{RoD@ zzMkGN=_333+cP-X9!3I7&4-&#*Rgm}al(jn&kS6fax z@N~{XJshTtXo~BER%*?{a80EVZne^T{6WEZ)+Zzwwbc=-I1kBfM)Cl>;z3Y0EV*(! z^d|1Y@$}jL1Sd~JyHP3FOvYdM(i${Gxinrk8+V>-14Vw_JNQLCcsIfDJU`rL?`oq- z9vtfx6C1G{BAp?|)(usi%cLx@db^JMYUo+I!CZXN!Khat2zoet6lO}%p5qs814X9X zV|eq>xl``_rltJJ^#Dg6s6$MKCT`;AKdds_NG2ljz_;d_Dp2jK=3=-((lpi<}f z<6D2J)c@R3{x2(aPJnU&iU3Yv_?-tJ8(9IXv#(L;TmUo2!~Sm>tY1{Ze{Na-cY9+4 zyp*}Q*#2*C>;NUe4seqHa&JFY!avVhd^@v0Uf=(;QfFrarp!q=0aI@tz$}~{NHPb= z7htzv>*N2B#QJu*|2Mk>jH#IcZjBv)6JN`JfXrnCe)?DHjq6`~)_t`@__<2|Gl2cp z*#E;!?B9FVu>uwCKe5rzOaG1``W6)b{Z#yF87BZlSbte(e|r|cFa4W3`?pH#|76Df zhsgWyd;oCff49z#j+F(3zzCrSSD1oSXozy@RC^8xsqC?rJ2tzc<++jS6JxIP%hc?< z{3#B z*))vHXo^2SgCn=B5(7blAf=?V#h>BuPS(> z-Uh=;IwhOaZnvHsJg??CALgoZnX62|cVqG5Rex~*fH6Mjq|7;WZg$F6)t-IJ69k#l z4tm;P6!)t)GUuQ1*5AC5zn%2IypcJ-bvu6ljr?bgzz@Na-)_EdyZ9YY`t7j)^5*+Z zVhMQj{qwo`ej|O24fsvKR<5y_kOAm}b2c%>Kv#{HH{zQ*hRsr#wL?^=s?~~6PT*mFq8qrgc z;)AOsw~A*#gT89STgaY_=uK>L%l+li%)-n}rf<{LY1$-G z_glu4fK6N$X=R$KKwBWzAmZb@>*q{WTC_>%ugkYJl$(=GEW))UybrM3?Nw@2Wy>wL zB42LizCOTjn(0wf6Hi(^v8RcYsfR@DsZbsA!zM6c5FPOe(K`Al_Bvmc{gom<4qI#1 zQ`N|=Ck%!c$+d+cop|~yl$-RJ(;ap(5*0Xyg}FDm0}9!j8f@+#7Y9NPn(}cJ%W$Jy z{1cQxnk%^Wx&yr`tT8M{Jg9rWM8RrHI=K(D<}hisD3>pgP6(eHdkOcOJeo1a)4%OT z&sH5+LCX9B8l{dBh6Kj$hzFC*wp!HS&lHE`kD5;^y^4V#K00uc*ZdA~ZgKZZ>nuMR z;!xx6?BnUgBuLqcr&DB1-mw0niYC1x$?3|qpZG+mf^`reS_F5)wJ_9QceSY{SsGhq zF@`sa5n_67p<0WIWi)T27!JZ)o9jNRB$u>RRV$~*`dEGnq4@qjB?P5HP|E}~$3IoL zXTJlR;5`Q0ONG}A%q?4}0?HTTPnnf{tTEEYY(0%7o`H$F=R zZQx6Io(mridhZ*BG78GkK#HLAChQpOh0;L_c|yht!h-nTu46yg;^q=GLJ~`Qf@<&~lYoo#(ZEa3Z(zCz3i& z+(KK&o}85C8P{IH46sBiX?zN0w#7UmNt7&4MqE5d64U|m&Rk1HvOF@(Mnx4{^TfvB z5CjwuR`I!~0;XyC@))u)Y{)nsk|H<-Z`fI$SfO7TuRF&om1!rCk2eV;c6a)?O{&)K z7L2=%`5Yj-ObnD{u|*A0f4uB5h8U6Le8)ReQdZYfPDlS`R0od*1+tbV3R5-o+BI17 z*gU)q%Ct-mJ@@i7{kFD{i=|XDG5DTFS|oRV`W-8^?;D~hg*nej*Vb|y$8?-egJy^4 zVVhS4U1|Ij>!7H|(GKvj$D#-J2kmwO5Vaz7>rfJ2o>qy2pPQAln2oSsRuYGgPrC3W zQ(A|Iy!BNRE|Ur53m^_t;Sxjpv^_NH6)i@NT8+M>S-HOv72L$VA_(~y#DpyftMDz2 zBn8;8t&@p1(roY$gs+TOC(k0$VH*z;L|bvi35{{r!IvGmjhnpYL^g21VqxpD#j}ehe3BZjyU79X-UrXo|Tvp$JvocRYywX-4us zCFS7rFVgCrX!_fhvm+&jGd%muMO3i!=OPKl?XqRvP8YXNp_90(Rn-~LI%$$lMHV3R z;)#rI+N&4+_lPz566Pl-@(sobtLLDC^+73PIL{{O9+%6>LT4%T=u`Wm)zEC?kLg5e zW)d6UriSQxLn$S;SXeIHpv?PW;edDtde|HCbq7BR=V;~283`yL@?r+NF5g@|FYMdsg~D%`iAR1TlVG1q7H~x#9IF~RZ&KH+B=OUj!kL$DD_V9oh7M+ z(y$0uogL%$?XqY5C=&|cpqdAf51-~>I%LaFuh~JKe};v4$DJisnm}u#iHp*@^MZCL zZXQV_dc4UZ9>X3(aE6ssd8GIvcML~j^C=+IROPI6hAzKqOpw4a7(o|xd^LUn-w?71BJTnevnD*AcGeUYluYv^eq6C(UGlGX$P z7iqAN8a1(<{_<`OK1L`FXwYL&^^7plQniG%ruo#h4^`GVSW~@-&O|&d#_Cc6u;{{g z3u;3+$zI*hpQ&&{6VtqX((y&lG+)2?%zmocIwuxP_Hjx*u2D)R^vCUOJj6`1^CiL= ziS?bJ0XTNXg1WJ|IdlC+gvlXhLUD&Y%a&nVk_uiO>TrwmFoR}&yu%9~RDmy#_cyWi zv_+!|4eWX@B8AmyTw730xv&?^K&|qNPA|L2v6-_7>OZh0PfcwY_K3`&M~ci>(}H`! zOVzANt9ChVzMLRj%AIb030~W&g>4^6AM;dC(tC#S1<1o5S=Y-eL{F~{+SA;`7*$%D zsm0@s-PVd0(~e?h{EW!U2lPM+-!cUiqYL3f&(^K?u}5#1Wb7=P-CtWeX`p3$qU0^y zERFg2zkZVUg@ek7eP~H4tf(dB<-(hKKX%au-u;>LdK!BdD;bD&BZ(>2gOuEbm!rub zt0Tr!Ut0I)Utx?NurSkBnvuG^YtOtt z1GBq~J)jb53uO1$5aJ1FXi(4;+j8=7i=i)+zK6Ary;k^D{rE$i^xxEv-)gPD)Q{gY z&HtUPGTWH$HcNhR-fGHqm1hxynXbwOO$IkI@ z;WInquXgu83^xA<-3HKGK;#b~&SM1<&A9=tiXD&$a{Y}2^j{bl{&CsA!-D^=FTxH8 z99aR)8^FE+Zg&6!2Vi<;0H3e`9S9cYU&}w8fD8M7*Om^@NB)HHzuk`iqYVP7@I1f( z?)MFH0KEt9uPO2WW`qAYf4{b%_#uz&8zlSoVE+ar`&n!H!^*#DKmdB=f5NYyj|W)o zfA#+dd?SD6`2Z#Ozh3&4(`EjZOF!!m(P_UrDjN%6;{o(WesR=46RH1Y*Mp0M>mTC( z-vp~aq(=Q8SOv7xzX?`*0cXE;P9(s(VhhV9DI=L?hr>&Q+JP#;+SN*6xIYb?p=vSe zY%6Zk)zixF77U^wx!L61xjW})x)V|~5YR*L&ht#IcTP(=-d-+_=VB;400JfAQF}za zAxDo!HQw1YkY#nT8A9A#(xf;P=w-Xen9MKt@uYP!$+kt(wYkE4|4wz&vg%aeB9V$w zCD*vre1%QO*!yUErzjz^G+~5V@bH2l=Momnt12OhdM1aTI_xTkAO_N6l|NObfIJUk zzU#{U_yFCGz6Axk`iAHvFx6P-aX;9IiptDxaZ3q4A9W4K*$!rX`$9RUtTmpFi6?oa z9hSjXJ$qC6>1O%Pw#ksKkv!6xZG)m~T7CJTQ_?FUuunS+B~bAVrv)FevX(HCCl|p^ z3l!e*wVa5!eE|>9)F5(#k`2U5ZXX$E&OgZ`c*A)55ubg!{*_3D8az?+qbYwf^OB^H zJ>0oDVFptReFndyFnW<;w?5PMAitqnxp z1l`CE(UCd%MY^53VkMp!KOy+w%Fkw)z&djA&e~qL2UL13pZX(>8HaR}TYL93x6wKe zEVmIw8Ji@knQqUMEH|`+!Ioauu`zBygP?=rj=e z>KE*%4m1Rn3(pu>+DH(+_z)dtWM;qS!RjZ}aecI!v$>msthT#)qi2E2lM{E?Uh*0{ z6YmAT;gfW^xfe`ejFiwl*~$#auS}-vKDf}xmwe*1S{C}}Vv5|2{0?_feikxxO>y~l5H z8r*LwY1j?fBuS+&Z4_uQNZbg7qD7$y9h)?#niz?Ko-=`Di;c&0BMKFq4^{P^!pbVA zWG!-Vk$Mrh-sc5f@m~!zv_bsy21~ddQWdX^A|6$2vy9H8t(QuJbdkPw4A1eM@d=Kpz z`r953GEW*ZG{CcJ4R%;`MPq=@OevCo0WEA=_ZZ{lRAiJ@(ed%A!j?y6^MDYIp&1g=XcE@15M`YO&4KC5uoCfQV(9~PPOVQ z)IkQQ3ol;VH%i^bKMaqe$WU~HX$-=yLJzLp*Mv_>+{47RiTPB+l6T6%xcNTY(Uz+~ z{y0VwEjv|w6A%tM%d!-c<@$;>+9G@KG{ zL)&I+CCh}gI(r8Rl*ZUJlM-y*h0h*s%d?6_q@MXy#B5T63`|b2 zVDE{bjFUy6xV3nEJ0o~u8JD*`8*dEA3}2ZdvNk;kV&$RRSqoA0Tfspcm;9`9FC%UR*Mh zM3xi2@R^rM?FKK3wx0KutFJHLO)p_HYg9q>+}!@S4ccEmgCUVKf598{Hb}r}c2j!x zk%?KhITd7gDlY1-bkeJY5$+8Y;%0hHB#I@%zD0XHw|C;nZZlL()e88%Yc0EM!xsT| z0rH$aWasMY$oerjv8ywxLvLXZ!@h8ja>Ro4c+H2wWD4)`J||u1?i2_~R165c2V17P zXI)Aw#oSL?xW6)gp{&O)+Gmf_fs6sq82<*PP^#lR*ZAs+)&{hg`YlR8`^;WpY`t~x z^|)huLrijz+BRH;iN%hhDd>wW@9juzB$QXeq(|WG9NTk)C67d&Z@NX;{MdJlKWVe0`>9g zgSLSP(WAWfu4Azn39{W9n|sctb2o`BgF>IjpC=xdkMCxI%GU@@^ieimH~Q`CdjSw=5X=UA`v+KG#u*e@J5YX1M+nZ(Ut#IDYyFV4?##;K$zJ+~)2pJ%Q-CXnN=n2@uGtuDW z`RY7lTwaYuc4wN*se&$L`p(as{;@O*edo10CFRK+Pv4IvsOar+n0%Rnrd(fri`6w)2C2ydQrFxpXJiTp}aWiJYK0K z+iF~B;WdqUj1b0Se*la@*gtcbvdC&&iVQencz*KcxIPFI(@7aAJv*X)53cb5ZR~6=^(#>M zi?Gq31fAb%qQ8L3KQf1ZpOpBspz|LI#yf^23IwJMnc03dZUw-+f3p-oUYvmH@Ta2!;b8xIB?}ke zg8z(IWs>|sAqaF5{y%H@A9BgQ*YMoHN&d|mz8ufWZsGk=i(iPpFAbzP{(ey9mz2UM zj4ANx(&(F-B-j|W;u^uU&pwe?Tz}!KVfzr))99KBZ=ad92>iQ<+GVQ1zF(c{U1ns; zzAx*RAd6QBiTto9`axa1N>`i;i)t+L!_aENg()pKQ)y+j=WFju%j8Fxy-PJif=nlc zeBuw20n*))Gs9X=0-FG&n?7JvAYNN`0miy zBA7F`i)-!3mm(^Bt0`{u{Kc~0`_&1$L!Sec>3R{HR3 z0V}t;21d1YH5X0dILu2^S_w3W(+w9*Rg-qP$lDIwvS|^~U=$q2&{q{zQ8OaDHl^3D zuy|?H`03KpP&+K}_)9#a#WjU=yospH zDYsuL_(s7I;$C)yi;bTtt$R(5li-d)^S!8ZJrxRI=9=T&i>SZyPI1f-?|Ir}1IEn| z@Pz7!zT?QSQ{mU8P3ux@haP+&#rA%>PysWemrzOcVm{pU+f(SGsvJHONaslmA7kyH8y8w>VCFUN z2I0pZiBq5rEnS#A<%%hy?rQX7N6I?>6zt^|#cSGeyVbMcD&e5*v+b|sciB!ROFj;P zsI0IUASTgZ&?`-lHoKsF!_K5AGd*U-N|)K+?y)#?@LZ~S&YwAh=ksPHxU}4$mC0Us zD1F$DIFXTUC(1I*hmlQ{aHfv^>(0;A`HJ@|5_ovLH}-3#WLG5Qr{oJ!1_$mDIGytT`hL^$iJqyENIudSY>R5RMgM< z79?=0I!Rz?{!GdHFf#`x=}^`#_Whf{C*9p{=NoWSa9L@5qj@C5u%d1B85P6VA$!IK z5Wel}{pEG>EO7y1ZD4OtY0f*-GpnYVRrpbsR3#L1S8SgMW2qeYRo_2mJS6631M3Ws zeHO=zl{*GPB|7gf3rM)Wk%t&shVCcKcM%<8S}X6hJA_+bG7 zagaMWmwetVYDG=2Yx1#%Bbywohy}?6j9B-!B1)H*tW>kVDS@c#+Ms)Z1N-r#1%fs> zGU$Lb95)P}^}r#n^+P`jbQ}g_0zYW2kpg%M<5QAtxmh+A4C5FPBZKqX_^I7kM9eSr$C;$9qU=423+xrmOp+MHI)wgKvJhF z%>Fz)&5tapAQ6o8LUy~R;@s=`O54ntft9FMK}0a}1I2=5Ax~eV?`iJe52r08?7UC?9@<{1*E+Q?cz?k^hfSq1n#;U zWL$?FkZOyAl8RXrZRIIMF`j~8WEKVVCkDos-0&guoB^Vza$0IxB34>p^5lUAVqkST;XvX%|h^ zs1JO&go?Qwd6t|T%bOOjCI;ilNQZ2VnD7}4t7h$I*?8tJ<@nBLi^_@-j~Lko+$F1BJ#B^Wk|XEprkUE5Vk$BF?chb%g3)2$)c9M`fljf zHI_+HShw-P4d)G7+|2fB-Jmg3P(j_FCqcc-)dnBAO@&%gpgXr|CC9>2QJa7pt6zFPI#m z!Q)7KaH=H*BMY&fy~Eif>xkwr;E&NkRA*-Q zITH+z%fQra=NaV`^-1jz>U=jw^e#MIkR4?TRwJ9|lS7I1S~J$*9m%bVQLTj)CX*2P zz0f=LmD(wlO-k)M6HGnHTO4 zpbf&{e~?6OQ`WBTF9w%H6jaaPDso=CWU@!c^~99MvghVomV8GML2hBpnB<%QOu_}Winplu!7q(6KqGn3byI3=~gD~(ra zvuKosb74PEcz*GzQGUJ@Re1Q3Fc`}*9QWG159lHc^T+2<&#%2gTf1;rPz0~`KpNKU zof4a#8kgElUesXD#bfq$O(i9qgo2rO$52ctO??=9WFq$cT~6QXM~3z{CUj*V zau*Ml=3&0&5|w!gg^3@M+S%9kCE}PEM@P`_F$l*kIGhL;4rG?Dl`@kUB;##=|MUrm zzVgKDev|bc_%Sd?wdj{y{$!G6K6?n*PytpG@Y-KQR_1wdf=wZj+_8Y^Jr?usI_R5H z&|G;o+C?u~2;wYj!n#P>&gU;M_7k*BxT)>r@?G@u&;HuaTe0c5j)#+MUt z&R_*5201zZW-{>qh_%0QPY0&u{)rC%yZr$s?##fs`fBn1)sq)+K?NLYzLKXrK;YHi zu%`c{C4ZJf{}d<l<7B3!waGjQu-6 z`A=RRf5pbk0MGo#{r;Q$*0D>~8l!k%;&FN4C_7Q#9GS_D_l}7ZV9N5Trtqim@)IIsC>Uei4>oUxvj z?OsZKdV#9kUQ{3fe-mKi2BUM#VwASH?m%H%=f}gL@c8*R`vhlF)8B;se zYYY?5FXD=HwV`?)^=p|=)%D9TLP%Fj9d^6#)u4~~;_xn|(mf;L54Oj8?jVia)I@&y zQu_`0?k`fUS${Xx`n&w%&+^@$QmwzrX1~7O{_S1;$6>!;=wIGtzjw#5{W8`1YkK_e zc2hL8oEGZQd@m|jUa_O+f`Bf0ZVXP!X3n-z2vqTIlJ*TL_$gh z#AoFLk=7s%8uaJKdyG9nE&kAzjEy!AjVPnX!VphzC<1Gw`b4T)+%E#4t#BS_SLi>i zt}K5@4&DLk#{NEJG|pBL*J%y6n^SZz3rq=B@H;8ckl^aL8S5wcew?b#dHHOJC^ z5N);{2$sJqm4{toAR9JgI;9d)7Ql5WJ+Zt<92Ai^=ySJhJ18VFxs<&|CNCuW?0i*0 zr)ITUdUJ@urwFr8xmYiUZT@kDKU@E?GXf8+GTMrHgNXb4k;v}&LkP4+ zDnZde`eU&rNhl2_Xz&{9=BdYvgYSE=KSPCj8Y1)hk`|921V&E9^hxHiE3cz7!Ys1z z>KF@m1scd1g-fs&q4n@H!78@}yvr9JAVg^I;4q;{g+X^E!@YZo0~Ov#8T<32V0Pm9 zB#=nFTOoZY+;H^pIlGR(^QM=b4*kz zPDR1;ONp63j00cCuiZrC*11Ua$q}{GkZ(1fP*w@TKcKxwEWRG~IcV}F>8z&=_KSNX zqgl|7-2GlpqWFBdydL`V9+gx-ZNt}clGr3vmyQ+Gd4?Bcw90f8519SoDB@KF0SYfm>1)<)rZy^sZnt3!TQUv z^xs<&c~Vg_w|Fk@4`@zw1(Y6T8VHan4Jc<`(T=?r*kELQPq_2cZBYr7NkW-;&~z-j zioUZ$0j>dp05tQ}Ou3zg8)d}vpLX!)pQVG0$UP+B(?-?j@5sbvF&M`#YMMzOyv^_q{hM<7A$!dkeJdOD1 z*ly63)r9%u(~m^tr0*cKUM7r&J-SOf<@zjU70IyJ1m9I6pG9v|WpLVszllL<$4u45Aw`%pep%(>V%?Ajzs zY!QWP*o&Q_&4PVbYjTrcQ}~E^7D`HX!)@f_R94Wv!)TV+ek)W!Ue-Z+P*6fONw>4r zi@eo|v4A)p*nV8Djo@R1cM&23v(pBJYUj|e6w0_w63NbnhXb_SCc7;WwVc>pTVGMC zC)7D-)?nhf_M01PoW`0ycHr%U%M^H8v-iowPt=ejb2iDQy@Wlh!9l!l60CBMZZ37- z3O!mq4Wc{w5>>=(*B%}!eV)+?3Err$&2M3lS(BlI~iBfJ`28snG>;tS^BZ$ zzLZHUucSXDZn=eR@nfU zi>BX~4`X3UD`wVuO%O;PjT`@76bgUm3>O*J<9(=mXx`;47jbDJ38t(FRIIeAQNUvr zoeP)|&RXIl&&=V}5XP+B4EAop^aeph7k1_3xJ>aY5nSKGItS(p_0ThU0gl6da7l!n;J&$h=Q&b~4p+@D)$e)&igITb7Yl&rUKhMUeUpW`$$g@(pr^HJgDi zKNh|x_gA8ihvlZ^7vtsr#1=;Wc<_^%MVP>bVH}doCkj?etf_j+WWeFr#;avsWp8xx zvrpC33%FI-`18EJ#x(?c(rS7%T(l!`IQY-p?4y0iV)%UER<Y$049s9C6#UCFbgWcHsI5pawlvtTFQLwmFGT7mez7c4j#>E%oq3oi17Y?(iqHi9# z@j~ph{p0ACg3kOCv_2^jB;k;n$8|Jv(c`F}8s8@H599PdShc@TB=hc8Fd-)XRsu(Aduw-_fM&(u*(%;O@^@SxjkEs!nn#N$FhY@ZX zZ_19ya9`M<{TmDlE!$y*5KRI68NYK?koilopkqp9SH0wlrc-B4+lK!!4WfOv|n`s|_Zy^zSg-ZI82D{4$>C;_e zj?^3RCppBA{L|Oj)=io`NLl1@}oO;C|Z-YlL|YCDs)Kr_f80 zdMV<;+Ot4D+Usz7`=a?A6|7~ko=4egX91f}iBF>oKgWBfl%`Tj29{fEMs1@MJr18j7D zQ(^p7=lS!b>Hje48?bO;2e!lh)g~3d^ejLoIV+&_X8)Sq_U~;{f5B+~5cB-s0eLoH zY?v7s3uR*iva|tJH9ISiM*h_@3D_iHm-Ndn$X`UftjvEE@&0kazoVD`Zi6g9q8*U1 z1|-@6KA~SNoB(ma*X?ow+T&jj5dXPJ^HZmR?Wb(*KOUCfz+^u;1pT=3Z#oUYx&3F; z|`BSF>pwa*J%CFYS9DvC8rNi!k`+jDLvbrzcOJIpr%cE!lPE9qc=Wb^4=WJy5L35UFj(5XZ-ZgVV^7js_=N??9JuS{5rQoXqkhXPWa=MeV3d6jw$60kvVaL7%zK7OF!{PJ# z)Y3LZ#(?m=ub{36n(2}4cqSB5{aL<(CKvc}bHxDK63-)5hpaLS{8a1kBTE$mM^g)} z-P8;hO{&snnu&ZcP|Ibf9flK=)+JX~gkXHAA>Y9nuT;U5T%(jr_O~V|uru%(8Yb~o zJN8zqG938XjiODYB_zy;9k6#Au&hF4?Y^*hhj~j>@ZiVD1!)ZV7;&3prZXDN+SD1B zu~Sog^ZqW}$@yrS_3>pZ^udfHE~+eCB|giPn%B$WQh?Spat*`V+{_8LXnMIBMGfw^?_5^Z1_9#kJBoSBl@ht(p=FXoT1PJ z#PU(r?XDi1d-QSNu)dDZ7QLDgv6wKLupk3xfr8$OeCvQv2@flt2ItoM?20PSe2`t9} zH->fk+zDCnun=Oq0UQi+LcacnlBXpReJCCEV{ahHS5ot5%sUC48QffD1|F3q@Y~Gh zCMlM*JI3!%^03u@vXhne7XOSL7G-8<tWL2YBz${15%bH_Q<3ucxOX2r2 zBv8{jMPF|DoMAc6$~FDKix@g*$+xv-JyS-}StpG)yPlVzqK;=zy2Qhpl95Lp#bhDu z=WGO>_%grP;{AaPc# zl@bZ9lE+Vu#AzJBEzu11ov~l|H^+S8r9J6otWeW}6XMQIOvUSR5kbQs)?t5$qE%kDYmf!_w&v;nTRqMKHb}IpgAi97IB`Kk+4yQ zP?L`a!>2zt?>vdb-n3(^?D-OT@OblOz5-R7{UvyW4i%t z0}NSKTk>%V@$p+2l0n6^(<^NuP4%g{%U${5VZ7~wh=q-=NIC}iM}Y7QqMC}~(kVO7HJcvw&f zlB_saVNh5Oo3#7qaODWxRrs@gqI5mIj5dmC$6&bHO#7%lYtg);y)jN&=&9cM&t|); zbqHD}mJeWDb71|l$71Wk^w3&f7#4@(;E9rWiX*f&ki7zzhp?w^WNJeQCJss1{_J%; zhR%gZ+l(jWqVC$187~*0_UH_82N$JuOqD3ZZjBzD`xSkHMopr@^s8oibl+F> z=;k`fu*y#_&NZ5!dJHfw9lXU>X@#B#ifnYrkW9NOr0a{-_f~-P2A4{ z=5QNV^)xET*A5ZGn3k9i73NCWYpv%aN;O(~riBGiXIRN%Oi(@X8vfq^b zK(;)m3>N+#cWBci(Lo_Y<+<#nTT8R^&Z()^s~Zu#WiVDPk{(JlU4o;9ilFKX{T(1O z<-_@7>Hv#(eH>^#;N{Y14jp2Jw3K>OG5zoATqQte)+_tpCB>Z|dsNE9lN+qh7_YVI zT+eZr-`F@hjK;!{opoy85*QBZjr5l0RP^+oaOFJd>uz!36Ht^ZG8!RinkT59;Dl4V z)BbY*5@$2V)8HCe$-zNO`AkD}6tk3Smd)wXNGT#KwS_j}Outnizo7oDvv;E~md_^7mp z1ffN=i{km0c1exv_^#Vj^X}GjGqnA_KDF~j(Xf@*GS3mmW@+B=Y2S}63|3$h37;KA z=Lg18O6)mMZe%Bdm5G3wf!3UtFnAiV(Da?YtSB}zg7$vwKo1uh!F8TCYz{t#3y`n5 z2XxZ3!y;bD8wfaozRi}pQF*b9Wv&^UBgKl8pKY3-78@&>f3Tt})%4iY{WdT7LA*t`6#OPE>1(~|qsM}PJ>U?e}c(`a)SO{(5uDpXc zcXB=mp{-n4cLH}`o*HqLmisC74fVAGqrhRYhf`2OsmXye zL*kUPq5zJZYNhvc=NZ?okWI* zGKpv9H+_Z?zNOI{j-v!op>g-gm$g6hVO7Q?<{w-jxb zK;qnW!WH~Hb{iOq6lZ=>bCAxMLGo;xzn-pmRvHCC)P_9NkYbUGBzhbHq*<5$Ag6A}no>jyV$=PWw@7|X>klDR+c ze$Y235Gj8OB6ymDde~A^i#!lthIt@?E8yG+y38HDP~$hJje@A#T^*&_TUcLNcX$%- zSC-L)8I!`v`s(Q|!M z?OMbSi;-p|TJDEAZ8G<-Uj%riTaRO6Q&2@$W|=Lx%P$eeN1;G$2R-wxH8^y#fIhqw zveaii{Z&)ohw$vbX$pL+-T%@Q_#Te_?`ZvBGzHk0zYYTeFws{Ey$|f3vr* z`R$y*h$klpU?K%TQ+B}l7l2=!K&1G8Aa!T^7B~OD*%^>h&&UpdHcp@+zydTwSlIzT zF+hI733%B8Iqbh|4E*`D{S+$n#|8f%ZSHGO6OfF<_APk^$m9Sr<^eqiVC)Q>PUe5F z-S~NP-)_SH&F0vd0n1)set`vm=UiVM*#IBjZ(0e!;*RUr(v3f#xSvvS*jWBdU4LsK ze0!9Cqh;}f3DnOkzlND`04MAh_QGu6p8D@6ptSqi1n z@>y{qZk8KLTGCUt!p+PO1m0*^tE#D~__-(qxa~nMMMe@cGI5TWY*Es~N^I%qdc?n@ zk0`)?o%&kbGllOU>%p?OE{AKORU^E!a$!nSyz0T(jiw}TFTM8B&cL{CW`s_==1HfY zA*|gotNg;pCHp=O^it#$A-!8?kE5%=Ae4Z2ZBm_{5fUQnCSj3o#9(&Nr#Wr@{S@c6 zgJnTQT{sm57w4-&*l*pzpGI@~x4L(N;cCn&C8|>RS~Bek+8h(UFzQ$W_%AY&el-(>s>gKF`YKPBo8Yd?WyPjS1-?xh0u7IDk)rQj}#=*KOcY(g@2q= zL+(Axp02ROvv#W2{2+WiqWI~B+Y2tgLK;jum8Tu0dkKB~%~1IMCc>pJ<2g3z$I{P{ zCY)EyOh8+z){GL0sAKDQA_nIW-@B^0YQM#DeQ$fhk06=;IoB{(JOg(lOl#GoNG|H7 z7}aXe5PeC#^oQ|c!povXFsA|yFsfHvobPHE?3z6%n7ZaY4G0<8C-U^R!gW^a1;_fn zC_RZ>VwXtqGt-Xoy0oeg;B!AQ+=((66lMH`RujCu7mIpno$pnYdHB5PP?Qo^?U<1W zbYB}B{lltuz0-hsS}Iv9^}2QN^_VBC$es$H_nqE_9KT^%CXh& zF5o%u@k^~H4G12HsrW7kDAmDiJ&{M6(1%5Hqqx%c?&4M5H|*Y)ihZ6@b5DX05*F^( zuB^?m9kK|0yx^TfX8E8vDQiWIndEc&;e)jF<)n2TrHRW_!Fkhh!{yRznwGj(2rJM| zgvMY3(vKR_DQmeTQuc_Ln$dk9MtSy5 ztSC@JaPTyPtr<*I28>SsM18Qdf~dD_%c#QOcavCCbtXZUbuV8%rb0y_bD<#I;%*ul zdjeNjN3_9#VgonXqmIyk$!f3#L^UcAXOQigOM1=MUz*CYm5<$U<;^)jGzM`$TD71d zK{5wZxJS_g!81F8q@il>bYX@?yI|+8V`mQRO!65=IU~(;Zb&{9gb8*@K&`=I4T#E9 zfWmu+Js!WW^#6E!%c#7vWosCB_YhoyyGw9)3GVLh5L^QU4Nh4c5v6kt_Gs;ueqQVt7rX z7o;|)6}y$mq@;}hbVXVuR+RSaeboKa42KJfD^B3~c$9irpP`ts2VL2hVza{$_Iic} zf>-*k!My_ZEaZsq1Pjehs24gbqGBG78Ad~kG~6Fx`*PISa|B%oVgta`mVKpmI~_k~ zVs0;tu&}=yg%ibSQ0JR|50MnM?Zl24l97#9&p zZKIOON`X%@B+}1~%$mB^p0!XxU76)y!1uBMiA?UcQxAW}R$+!#5} z*<`xu4G}K%2G-}l?uT)dTAZ27w00JI_jNSCn%NfuKUTudbjr{;r#fK;)4&B{*9=G@ z&&+2WG6x^ML|HzopBRBmQrf^A-Z%%#y|2m>=JS_z27|;-KdQH?&{-hd!UxtL0_>$F z@1n3+)s1nwLe4h3>2rZgrd1LMdS5!mK~CYvv(xfYe^$cp_|SV>Ps?zxZ1?2}gU5wg z7g_wPshwO8G%Tn&-fNaCG5Pg=pmtiR>j5oeo*=bmrg?pKKXZ}@PWnu&Kw(9*a567K z>OvnozP_?fB^rK37qVkTUsrr=JCDt=5T*i@^`~xVl>W{D+41h}er0a#Rpb}qEjEXs z(q4g7DYRPB1vfe1(<7BPT6#r{KCfqS4&*K48)fgMYTp~mtk%0sRYJG>_wc79(Gbk} zlLan8L~@LSA&O0w5P@L>T?d~L=Y0JPxAb=4enrytbOu{yqsWAJfyYqIBs(oP?8&7& zABYKaO(YL{fDDczBfgP>QE@QQC#KfP=#f91%GlNL5?ZCWGG$>X@~h{26Ym*lX?A(HN~5e0)ZlSIC~R zF7rE$R&4e6e!2R6B1-s^XE+2de0rK|_gg%=@RBj@!YojZwB72I!+vg9>3yBfDd2W7 zTg`N0YY^M&BnHo`wTa?e1c)n3XmfJC@{O0CL1eZe?yYdwE;X7Dz5J&&$Nh%D^+V~_ z(UsN2LZHyoltR@Xb2VA6IwIng{D@5P=oXCBFfCp{zq&fY8Flh|J(zy4`H8x4iIm;b zW+Im*c4d>t%4Asb(-h)OK?nO*%eim5FT1M+L1z<_BW*`Qx1f3XIO8UEI2NxAd=H_R z_|1z?wB=t3ffUMx3WpM89Ue+~Hs1Md46S&tF5_Kzzb+nXXhRvbdI3R=v7Q~rp$RRv zSx_J$%9>@Aq%~8PLB3UFLobc)Q-E;fhoWC)Y7BBSFDwU_qqw|RKshFvxR8nCW|00 zM!y+T3Q}pZn?Y-yL4IZQNlflLwIA{57hBv!{Bm5)H zV7Ub5HZLBZ3_~^0s(`r*Id7(Q6w@LmkeHH{v+tjPQjSd7E`;30{Ff2Z>&v)9fgk2o z(iA7B@&_uz_BT;97e~pcfWzygljmu5W@%5f1E`T(nAXR&&e=m)1jUz6ac^aB5WpS+ z5mi`GbU(SACmmyRxZJvc#n6*xR#dVnp^peL4E0UHRY=khu#%&l`T%(%DTzQ{^NQu{4#{ zvhs0{Cn(p5gQ`A(Gpq{4;|UVm782R(>e*!E`PLtvmHpG(4>tPe#E&{3A+H-Uano~U z8KE-XhTmxpJp;eHgq!>oOlSPFPVwKs^zZrczrytI>Gpr_zW)_WXZTj6{07qjIOX?m ze&F@r?Rfu+&cFZu4{-3`q4RHcitK=jE;FDI4ZxNFoC%Nx`&KOn=vT8a{TePg{LxDO zlR@lnm+*fR+qcnkfX~c#cnQ!-0*F`xMg#zT3xHk+T1NI?W8nXZjg6M+r@A=6)ANs# z?tiy$EC79MHh>oqBVeK%P_+LaSv5w0w-FQLe`vw~RczmH^#9Gi{m!_2v*@7*42l3` zxL5#<&w!o>z`*;j373DnYkzS{{*Ge5e@6ZR{{3dI^v8z(ycFO=44^ew0UxKIYv_M5 z^8MA)Z*EP155mtY0Zu=E{L}y6q4S@IJbs7HY(I+c1Tb_WW|odd_5^eymU@mxLPiEQ zhDHEeY8VGcdm}w77}tf5N|K6;^hm9{Dto4*NSSp;))d?F5-+gdX5*v^iEH9;)qFg^ zX{y{pB8!SgU^1<$bZ+~4Ej$K-?8tKa0ZxXlL4Y9wU6DK~J0w%glv+O`=7l?4YtS2r zyyQemLlW{s+dd-PaO0xlzJol8lw#`C6Z6<%DfS!^cDvAuerffWH~#vR46x}jDILO$ zw=5ZJ=>!Ll&^Xah(klMFWPZjOZTw&ts@VzGMd&CJT}j!&9XG&db9H2SKp%DU>OFJG z3)eRIIK1A+E8s}>H`-Ek1c=gVzUSDX8F+T_#|w^$T5G2ELh8gw(TbUg5b=oiFjn5S zj7@3Wy}VQi`Iv*mYzQ(W32Bdpz=7W3xC$KnrlhFE?%_StNhxL3$RvfUxlMAeipl5Z zVr30fqECa;ELRD(+dg_C)$j}`Uvx~jvsP6iXdGXh@|hs_at3)oer-q=gKOXI?L>z= zkad==%wxU73Ff0jjFAKNL|Dwb=Fbxq2v*-pg+Mhpbd5%zq4V?#G<-271**LZVppsQ%#;a9fa(NSp4wwGL_LwHq6BPv-3*k zxC&rAM`+`U6Urx^aA;W_=U z4qI|vyEG|A1o(OiGNpJe*zDyTE?RY4Y3$zBmcY{GjuIZxJO?@)U2Bssae~&6X7D0V zDzZJjOMd}LoO8i)CR-^i53*j*_H>Pzg;p;2104z z=fWKR=Ci7;R;|2`v3KT?-XrLQ3;P z6M*vk<4N=1y-%2!0qWdsetU-gmRJ180T`yAtiS;;HNYSH@zDR9ZmZw6_{Ur9pFDg2()si!4)Y%}m4A_E z{QYqY=u!LKXW>6TZcDHR?Ndd*l$Nbw)DB2u1?`U88)_(jcFu9yUc04-HBAUHq6d|~ zyxC8)R#h$eSWk(`Fgba8GXUt9J#B9Ia`$j0&_3%D5DO+l^p-BBA{L*P$NTIf$l58+ z>R{!ZTeT`AS-9fu%*gU*8_a~1uyh?z_Z=fUB(4+>vY~(kkqf}IFG|F7QVualdDr2gPM{?i*S<)V7%G5|B|%bvctL$d z5>t|0t33+0hGH^F2fEEjENCg{VI-q=90)ONMKH<_MIJ`#$(cjGLXKFSVs*qvhS)OE zj5-vAt$mY6-5$mWw`3v576KlEKi#QO`V#K5_1+tu{hnq%dNGSj%8;erMrvnLy{u=y zIWiVxdPJrbSr(zh!uPKjm1etRD!58KdipOWu#8KgYmqu3EU)8U#EC?vSGb3bpuAfw zEG;|FRMz?`6eYmYR5|INY2hTRbKVfL`;?Vn@&qxrXXCN{#us&)1TT?lN>VgGMMwL^ zkbXv!cBm8q(p@XI_zkhf=X>QHUm3Ujp(o3DwojDxAJ{wBlSY72VBkmgcwcl|59i`a z)Ez(z$wq5XUUX}+c)A#Y_AfBOPMadleof)7R_n2S_t;cf{d(#K1YbQ1@*S*q7qc_x z-ovO*olS;{$b4~$IKFlz+)$ly8+B;md~|tjQF606;b1&xmHwElJcHo5+fXXAG@-t1 zpX1hv?*K?#B)M*Tcq9I;n9~f32`-2CcyURQ=u&tC-V{9FqR!=zg zB0fg8(92>F{TZ)lCxcH)VFh&WDuQu1#)RL8Y$e1;qw~sYc|)XN4Hv#m^JjQ5tb}u? zo5WDd;|Pgsa$>uRx@I2YNX;-&kQQj6 zwAO^k8flxgfz?e{gUi08yEb4An}iUufK)9PB|Y$Ab&zcAg(w#_^oNol<5`30Q@1G@ zMgEAhT?PvaWO~Xxvl@o!+O(b`_)56mYmoAnN1v3XhnZtTujBE1uWAD@daIabwb-g# zaN&D_!}#%qPn8x0g2si}HWTI#pxd}-6QxSVEWFk5^?M_%@Vm!jpazTsa0{1P^NHyp z1Vb_e*=z%BbvZmn@WI=&ZjX2Eo=v4R+n3 zYL-7&_a=0nPQ)|DaL6C^R1u)69i6mB7AzB9vPYK8^KSlic{iczklh= z4CXIC4#XCe_DD1yONTLfjwRzaIt&wUEY3xU%g|CgMNgSTNW0xHKC@W<_>BRt}T}GDUs6Fd?3wa0rZtGl5_T*tt@p$ zlQV?+)C)4zvUeYvgC2G=r?twkAv8#jVc4Iv%jGOy(E49P0{Mv??@fPsU|vEl%s}Bmcmn#)NAW&%C9xK^2j^pn#P)ofp?yE;GzJVIyvvJ z2j4V15m_iRe5IS-i=TIE-L&qfuMA?FJ^$G<-#R!s|8aAQhum1jLTT*XE(d!uHw>96 zo>7;{NCudStHq69fW%#R^ct&;RP(c58@vHuXfOC>Z8y7uBKu7Lutdaz7}hus$XHUs znzO7;F!*{E(cKDVD)gwV|28FeFYi}2F|)1TM||mk6a^%9y*20#SVc-% z;V012lN$D4smsdfLy{0?wUv_Eq#0QtH-SN---h!)yLf*a&c|9jTa8whE0FT3D-;yd#I7-uNDV2Ad^ZXF&Ub%5O~&Q) z2J0=5KfJn|W2~O4|uto^7 z)P5!PNGY%ap(LDHCk!l_ zkAY=wMW6*%6HLvSnBDP5Y+s!u#VIe_WWTdcZ{sBPw_HX~~f%=EX<}V5sKaLGxw&R~3o0=CE4vVbkP2S+V z3QQOSE7xen!bd3icKTwm+4CdeOY zw|ICsJlx+jeWqSN={jzzBdIt=L`xkcnc&_bm*(EsAnhD}`Bs80ch<9HqI9{ia=5B` zxG1JQaG=&Ki47dNtSEWS#+cDospXB6(Jfej>%z`_e7sgR+{r5S8ZtX%tn-&}eny^Okr4 z=dQ?UyT)c_*T>jh)@HT75J7RT#p3qu^N%=eCEIW0wvK)Ir0Z5yoIIdy_<`VD&{rlE zwXI)m9R-$!W>JYBLgT)SbE;YBfM#54FIt|EScRwkVtonn-a#Vvu70P)FHHgl=M?SMHE?)RfQ>Nzi+G|V^BrTp+x70V{lO_%(m1861ssP`0!r1 zoqL-L6bD?*$1YTb;j;OQP)(o93vAVTwmr_7!H5$bC;0Wqm$Z;F#KpmB`;jCK^A;!8 zM$WV*y2$5}47QaQU|Ep`=!AoX;PS5tmjmr&LuiytI080&#m@8g2@1(ThkJtNJ!p$Z z(ABv?GvEkIaPv3M1I8P?mX<#$Oe+g{!jPXI@pp}JwV=-wVODfsNVQDZyG;z6*vd<5 zxFq$%LQTp#3Roff@GVrBu9v=voxYo(pHom~;-Um8%nO`KWYYl22g6;>6jf_2bQ%zX zIo^UAr6(VTZZFczt?9V@Y%^q=vDY4P6M2VM6l7A}p;QLnx@F;xR~Uh@;BCvF$w%*Q z3h4)X=qbiTfX|p3sh!OhE`X!PqKpHY0hRuWm2~Fi=h=WXlW}8Q(5tTe85<;gECkZD z+Wi9qFJ6~dRto1FFApv?+ex$b#r6EYLh+~6D0%LEd^)UbQ!XEU!V42TO?+xo0(LC{ zJy8XjkW~Wl$E!bLo@crOkx(}+zD`d<(k-<9AQ!amPz|%?iE1`^XG)IM{L}&JRpaxl z|AEq75Z+g>twJ1izs1KiO~ z>VQ(0DKro9x0a#A>B913Y&~S$`h>WV!9$qiyRNp7rPxz!)FVb*!Eh1cSiw79ws4(a zq1>OyYr`$Ji^(|B?{eG@o_Mwps^RqZvIX12*Tg%BRzJ*}mks3kp5xeS!DLA1UTLx! z*AGmHI_Y{SjTLQqEt!B}(fAqqp`yL%g1DBcOiDQDFXlPGFnUYwzU1>Z4i8)1kL^NM z_4$Q2)Z55+>`x#DX%A@SQ5(WMPWm5W$-%Sx*p0anAg3ob=NJShx&=Ov%v?b8)1doJ z?nLu_Xli(m&iD2GS;`6LGAc-xx<)C}3w^x6=qwrdbUT(ctZ~i4Wf+*{B}9}Dg$$`Q zL3`wpK(6y)%h>Xi#3bmbAb6h{!yk&74^t1F)}pbMB852YXVRpD+d%h z%{NFYXOEyk9|=%sycy#vdKOo2&ThbTAKKigHlV%yDzz{EKbain`@&r__BJg$=`SCg(Nu6`XS-#`e*e4?@lR=Gr1{i4);!%86FGlS5T) z5W<`$POY7$)~Ef};tI6O;>clHZ4)iu5+hdY=xy;a$-a-$brxpQgjDi(JsDQuIc!WC z9p+|Vj!{>%h3WQKxvUrv9fQ%r*@Zi>AZWK$NSKp^5m4wvOt64~ILCU`7#ogVxk(CH zg0MbQ`O>PR*W|Wrbo}N2XvnCzW@)B%7)EoB@L=c3j*e%N8+=R#wAtpVOG++ zbuyZDtgT$sFNx)Qjz(h$v_o|mF?OYMolxe2FRp%zy7GYF-um#MGqn4f8*lQI)#}0c zBM-0wTBkgl+j4b6HuTwEOm3xh;zA}!S9Ur+gUrKv1!9yF%k9ivOb4HTwZyVS*ob_%UXZSv#c*(ejZx&DuvOmD%IB;@uSD~!1hZHZ6?Cs&V1K|X zvFP&+TbRyCnQVvwQBdjg&8y{4Dn?2x1)g;SPIoPu+bPY`E;o01QWY6GAnPn%{7Z${ zqI_?4EX{K-x!DN=@8=5bbCqq5fc@O41DKKNp^J3QWhZH#0}6pOtW|Ca?LQXXPqSLp z>afW*&q0r9BC`u=diAq2+z~6S3GO@``CQzsegb(Mpw8X&mxYS;+gu}o?-YIn4evjM z`c)zbsA~R^S^W)6{GK%ZOCrepz1jR9B!b`7zZ3vvF9IWLLqG}#!vJ8v|MWk$F`6Q0a;91*3zwqbF%LTOH00X~os22IYACo-Z1zE@Zsv>^;ub>pCsvA@waw zvDiJ-TWRRNBZDG7G#)d`QKNUQc&RtU zk)-m?ahk9eD^v^fE=GH*4E2nc8Y-NGVW{bvNv!5-(+vxnVZ%zVB;rOL zb1mC@*YKktWDLcl#!Ra1wLhgel8%@%Co3IF<5yYcwS^{`H&E4}u_zFaaAPoz5I`k9 z)HR)rp7yd~ZjR?$UYD0%*k8+ms8Ee>Q?E0KH=kC%J(^Sxt5*H^{`u=< zs}pM^I*$irOH zE-QN7C}sj`9TpzsCVmLg_6UM61|-+tZs3!ghCi25$Z)RE)i@Shsy=Ka5-@}rM3|d? z=&hYdCtPx_gVXylsf_4>L1oaN2B41m3Bnr4Vq5>v0VU+NCX*N56E_CMqk)q_H2`fdOxHPI9^PK0?&h_5*HMTS79plIO|c$lCx%%=kfLl z;7rQ4%NuT%YtVsd+caK285r$l*g>~+Q6th`YTW_41bTEa*Z7i!}tP7&OHJH%)bf-YUeQ(v8>( zSW=m6Y__E^vi9DSS>k>Zo`duzJAbO3o4zD)Um~&`m~jT2w}BkhQXhtw?*Uj}`E6_W<9*fADH?^xmh09J`oYneTW?HPR}Ko~SmD`n^@t-tjwFVprn0 znNXfXw#yGAHN%RI2-R|C5d@28pS3I3klf`jsg2AIyFu?nSdYU}E#L4Nu-b&`15AO@ zmQ;j#YBlCBa;+a+C$0^x;Bsv5(5nSRLBLpadfT_mGW-Qk`$2$qZ4I=_%?bLQ0A9ZJ%LeOO z5YCUxmJ^YgY^);Np&z93%YL0&rM zoGz&Jbi562$PA9-oqFGUM#4;ZpBWO-^Z6^nBD|n#1v@hZ=rO`2nihJQve7bPrbF$1 zZGq{myyfT@=)%7B7^9v>nD(GLk67H#kO-X`m57w#Cf<#$jSb1V$h+6YaiNz_di$lI z+;V-P%J5l0HB#fLtgq}ul&J(+jEG+zZwdM`PuEg5wuKz^6U-n*7CP6xHk8sSkIV}{ z^);_*f=no=+u-R3V-9qn=|;LwV3}f%IXT^>VAR_>^a@3VB9dIJ>nKD@idLJDx>1+3 zc!Q+QXx~bsk+-&iQ#4?xtYR9Cd25fwd*lmmZqv*PV-`l=z{S?^F zf4Yn=NQye|L}mB9J#O&CR2IMNGHyhf;5qahIr>SKJ5!`b>A7fkG9g_iGF`guN#OBb zic7*3X}#fWb}4vqb;O$$1piGqq5AQysBQRD$L0 z=b(DGGP)d@^e6E>To=;;4S7SmjOn(EL!td29(>&@mb%R}Ke)Z=QIjZ7P-^}VOHnnf z2(r{CBodedU6p8Y)*sx2FJtUNmM)7$ulI833&)rP_3HKe&pTVokc+AykC0upLReUc z=CeJv%|KqLo7Y>rs2VyxFK!c7UozLb&37Dt$M>$i;$zZX;UD5bx><(sKoo7SUvKcC zfS}K!J~V7 z=T`7Fq7@NwdHk&*7&Sh~)tW*49;70p>!VyLBRtZ&(9S!ZC$^@io4dR1!=m}CWt#z! zR^g!6T=uwn6$H1S2MZP0LhCpp4AseL*f{x{Z!#c8eY;9!LF&~rd2fvyW+IS>nH($V z21ZS-qH}YlB#$lROFI@x)cZ)^8yq{LM0y4;gWu}u(ZpaOWIcmN+$Abu>*TnsQdJ~i z>wGXb6nw{B$Y?We=rO?0%JwZv@BAFwO%=WXU$J>-c|o*O_U@F2lB+eWRuH9Br<_rXqc$@t9oMH|eDO zA-No;_G1g&Qt_u4l&)N!1#Gop0{zLv%qfYmxFH9%&HkQFYQ4HHy*UxNH*ts5k%OYi zL=MdAMjQx!*NzPl7r7!r8|7=*zBbxuV8XK*@9(=YD$xR->FkvEX@n{2z?Zab$E~SI zNa}culexRav*xLJuI7k{h+V$=fo12!h(!e&*JiD*PiI}6L6V2NuD5I zd3V_DB<+bx-4^olLr35As!V`Y?U@6SrXsk+2=~VsUn7YTAi~K)Xo8%A2~&y7FGC)S zH4H69<$jW(Y(9+1lpohJ)_ppwciM@lZOGuh7EEj@-T9`{c$dJucZrnoXtZE=w$j?O z+|1hqnv0=C!5YTjcd3Y&@Yq&hCkAdOC}Evz|72H9nHy6eQEqj#)>&%_nJq;&S7_CO z)Fns-<>#J|Yfu9FGQg+k_CTd%S>B4II(w2`W1LP^Jd;pk-dSGY0r&>jD9YRdH`O*P z%a8g^F#1eC)-34@3L#Djqk1(=*R0r=)Npv2cih=9rTk*C@CA?}EOxes0ttQ*Y8R?A zY=a8#UUZtD%*iu}2#tUi_B9}YLAhR)Nn&4GV&5TmK0+5J zEiTSh^B>}f4A%QlKHK>eQ1t38U1=tok8WeJiiWH6L7H+Ev#L13bK5`NP|_40vkvkD zJ!3IAKme3wD*5qq2EpIY%HTqB9=2B66y22($f3*$D-h)>P>J2JmfK3hvEh|a5zy?! zDFc6Pc5`y_bef%R#d87YEJQo1)Ks}4D_sml^2J5oKzWCRsoo`c`)bhWJvcE|XJz$# z<9ug;90aAM#Ni6IBJd^waa%k|V|UUcwpH!BYM?=0B{2MHAT(QN2L!<{W*!AvoEa#+ z_8Dq>6h?EAh_J6_H(1Ne`0VreNK%2EDkQ-UczP}Lx2(T%+QTo_9Q8!>!6Uaw)FC9& zV22i(0ew;^MV$#HSc53au_7{qcyq35q%(T`VadiIYMZ!3;GEV8loJhc7leA@G%Wc3 zJ#sC0D-p9^nt2JZ2zjyA>U{nza;n}KI-anTlEyioqlSa&GBF5(hYirapKc#4^Mf<)Uq(oYsg%#$(=?*=%1*a$TWtQXGEacfebf*M{d zjb?!e0ySV_p;tCzLOMb$h3z@=)m9j=jDvGWWG1TdYy%6_521*@=7sv8)`#FC2BH~& zdvQOOIpOI^(7d{P#?QWl^5o*NZP0f7x)<@|rYH|0j~adxtFO&KFavji-gaggqm>3z zB~sT?cSUB(K$T-Q9G>r+y)8TD-cT!QqPqioXSVtZE%a1|+;L4EaTaBB3X9q`0!t6OfWoY}YsI3F&7KR`WM1aEOibAu;kO}*&h%m- zO`~GOYSC(~x-HmkPAFj=uNF7b_)0tmcAR~6y$=py9H`e_HP5ogWeDp6Qf>XuE_m+A zVi{JXwcc_JDxht8#wk8*LLP5YD`#mD`5$he@|15?S+8!;YqfJqpTT7~1?c!DyN^^H zKCL4+euY0aJ21h@F0@nOXzwSlkxrcNw?Py8D~N54a3}(KSfGyTfEkXNDS8*eOMpNM2H$Ccgv6~ z9xPSIJRZ^}Yt@%GdS0N#Nk79|gqN;Vdvs*9Rp?F)WptEh+W|BD zLJBfzCumDwxygy$vo^cq?Y?B%|LA7t@9#Zh6dCbSzERc0 z?F?Qo`(ph|{oWTt-;)D$IoIo(hmamiv5)uo7-@sTZ_p1M0-m}%4-tid_+(9PBf&X_ z!*1JRYR8lx>(3fuz#&jl$8Ye!X$fd8Geg+U94MG_S2DYx5j+TifDd@Fk?tT?#n5@S zZ`mbs-Gw*q(Zx&5^0W7sw_mE4;o|vTt-MYrCYVaSG51@4rfooYv$^_MCfW4t08XA! zVO%_kxHgHgyQ(nuGU8q|K5q)?=4&3{>X2R2Y_#Wn=$)q|JCqV1I6K`X2rNO?&|29?%yC5K{R)KIU)M zp#WI-@8bKDE(r6_Ql@{A7X9xwkC}yomgCRCebcN3?BT!JyFbUq_S2->&*G)uPvH+p z`ft$ePj;B9P1f$3e6DoBJO8=CSreUBh!vEzHdkQi$!?Fasu{dU6xaBb-74=i@OYPlbsdM@ zq>kwa;2Cm4WcU^=(^t&yC=PJl2IB_!>tf`#nDj(g-Y}3u2;xzUVfqObWNOmleEU&w zoo+ZW%rZC|BJOn_3{72$JTRGn);RtRqb8bJG!D;H)b8{!=BE{w?=$z-j84QyRN8> zo|+YfolIJHjerM-!kzNfLA6vtG$6Jo-i|l<(Y=2xqQW-wNf9x|Jt{O0(>x6r+RrV#UG zYwF2_Z^!V742HPV)H05}3yX15M(-)XtyO(ivgGy7m5p-hK~Ly}&+}t1z6x8Lj_0l8 z-Tp>hU0Ew(q{)4BSEP%|fDh5e{@@)l0of9RrwEs~j`C|A-F9<@djc(Dfs#X?MCP{tW z(=X;nuTfgJ_wQONk~vrT;fT_6s5qr$73HUj>GV^#6JEMPN#{n$MwNYN0mg$O3Nefq{I>Aa0SWK z(=u-gG);RMXNy$`#+TwXtrhZGmYMB&wGm)rtOZF3eZTUov$ASAke!kqhcp;!R!}RJA(kW^M);4FA0<5*@Mh^tq#L>QGHHPEkii1d&5O?OyyuBL} z(l9E6gZ8v8em;Gu|EPz`k&oZRt!TKuoR5z*-z!|bX=IU7h$Nu0T6DT?k}c#a(P2gQ zyQv^enAqO!;f^;MbI7(637%Qz`a-F5YvBGk#2GRU(~9r7yZIoRKTmye-bdN=c_>n^ zF}3xz+fU)Ef**lDTk7qN^YcB5WN@{s#!mZw4og)NQg=y zc+pozYB)=c{=@}$U@dOEqoly)KcU|}VG8WDJ5c_r$Mt%9MI&BH8ySKYUd-RB0?2?H zm8nwHuiUN@7>Ptl;tDG6bb+suJ3%6;g6ESX-`aU63U&oF0ZgJ0efFB-*~|Gp7NAde zhUd|QX(bxWCh!CwU9ec5PB&%TwzECZlo+Ue+gF1?7R4UXUPqHCKOly^V*IT^sSfr&iuTF_JKs~n%!-lmB68ry}JV#oSK1Xj;~RpnoTXvpMT-)p~;2o&H8K|@5ez_UeV87 zs|($B$U9$Rm*U7W);6{&nem`d7+=!z@UfsxOeMl0RC{!Hbn6g64Kltpz7=zn4MhV^^+Z&@P(yM{Lo>vMRWyedPKuyCAsniCW5RHn#MQ-1dnhTlLy8He7Kxp%j5?!A{&Lm2u&aJ!uHTU*W1o+BD@glt=ni zd7&hSkxW}7O_RhIq@*N@`e;B)J6FUF{s`ql3QewmZ?B|Ej^#@|W5-!x8Nfc+b2e6abtG;KoDmEXri$ZKxTw$Y z9uiBcGMU|}fK=Cp@TL!2a?qLM(p9yWkkP=BzL194=6Q0!e1GmSq(9W`>(K>>_ot(g zU zHT!i2XcetXj(r6-|?#N<^h}HUFf?m<;1H10TVy$X>-n&^0$U@4ZPWF9|UYAh+W))_NJ;+%l7|ji(A|Pi+zMRYE4z%U8J1BnUY~53!F|%+0h{2t{b@QqHx6Zwkl4F)pS^(qHYjNafYjR@rE&C zuTV;x!SU*e>xpMYSGbNT#-dJe%?mR-gGL{hNwKxH+@8pG1jMK?wHHQMcnJA{Wn!%? z;m<`gDAc%(^*1s>&+)}Pc{`e58Q!#a$iKja1wr|oU)ojsMn*ZP0tn4gGZ0d45 z%ZQQUp!$p=hEzr|;xW?mZZIAmsJA$v>CTc6)17(?D?<)1AJ!};m0o%IWEXS5kUNxR0n)h<2&Q9Yt2r(^~Fs|J&P1yU|(R$sACCy8DKv5t7j%1$SwKv^9kU(e|12lu; z{h3SjZHm}q%#}-;v4}CAOqeYU%nQA%tYJ8!^}L!}59)A_61UUOxw~-ZV9OhVml0A% z{^T-CYmvhCu{mqKtt(^?AgjAF&-7i@#4lh)qzLA6hNtp|zZ@Amz#vE8?*yyVikl#} zZ!S~sJbm7^c&Jc2Yz1Kz^%ydJHMD}n;4z=&@sR^7x|YhkkxWZz4h}4Dp55;QwIq_P zL<&0xoPQdO0{)Ip?y(F4y52q4n-2b>w69E4ExaGM!{y9bD8%V$WWcWIROa(oO47il zaj6q3_;p^*@4HLQJ>v5)`pEnWsi4w!UkY!m-@)bo8&n09x4zZN7?@ap zh?N2cR(}7<4-^Y9p!oKazk=8A3xD8^{|Q*9^1(?8*R;mS6^46DtRx zm5ce;HW&XRnZZi?vz+DkOZmSE?RPN`W@bh}R~ev1?00h&W`JTTJ0Mqrq2nju<|d$1 zB%l+ud1FIBCqzL0ALqiqZ}9(3cnko&6M#l3KyLE4_!t55t_%QKj(->5pP(z_FZS-+ zP5(a%4q#J4518a&WB|ZxfD|ahH% z;lBfTWKLBj>9|!Gs{(ylUKw14m{vcP?Dl(N7 z>8Z8N&jy&{P}jd=KVN&1L?Tvm!LX=MA{({W-DbR^e48}?;RetEgW(csc^xGFx=YT7+4a)h(%(9MZjb)Er`w=eSj%TE+gpd3fgGs13gUQrf{HnJ>U= z8Nwp7+Pmg8n$ozl^bER_aOJFL1xrVA@RI||Tjtz;bwRdNyMCcBMi-k0+s0SDq5jC3 zy{}2vniC7;-0t+Q?j-lD_@A;dE6Jx<{Fj}+YzTGLT=JB7X$LAoZn$m$9c&Q75)0Sb zfWW_kJPdK*Eh}2>l3TiZ&+q%C3I+~x6%SGPM$BX3$+b8IVJK2)gLmfjG54jF=*tr+ zqjn=f7bn5dLu;Gl;4G&N1I67Fv=b9Yw}-BqYBn}$l?=kWPp^ttCf!00?T@%fdr0} zGO|2kEA(Jhy(Yn#tbc<=G65O>IR>>SHO-tI#dcLcE(mmnf6oVkDwLB_8v+|My!UZc z2zRp_$BBLWMlPr}=xj%|&dN@Mhc>k-;>`e&9fT0)SFe=S3>773de~PvV+7l#40z53 zX;iN^9H^5Xo?fk{JmM*O7hoz-PeYO01`tDi(9s=p0`XZ$4iW-0t7kG0b8<5t}Fi%rUaG?CdVEf7)DFDy{ehv%^pE6x6hY3G$n1Esu*sWPP6xY ziTtZLZ=bHVn_O(lcpu%rZXDcqUD=%SKAxKqN*%73yy$$0&saa#!*ugx2MTSgaP;xG zon3OPzP)vqK|&cu!E=M&L(BAvAt5J6B^Ax0pUiCdVhD4$-ml21>(br%h8;bjR!ibl zZ_Zfy-6htCUP}Ff3IB~A*Cyd%&@zrT^)%4=ail#GXKpfRaR0(Aq*W8KUOy+4pr?Dp zMxMc1jTAjHYl4-Vo#+#c^SdKD`!lxrXuIzEnPtqEP0nSu4g6sMB zKAMy?aEgOqfGG>a6Zk#3|zl#=d{?(Qz>?(S}+q`RbBy1%9S=XrJOKF9N(_xk?hS{FCW z=iynbG3Fd|jGR;PIkltMtCceZ6W^;Z9KmukwO*Xaw{x?RN@k>Iru!ZcDETRmYizv36drmnsmIbOtm`tx*ACDsu$rK-}ceY^%T%>uU zrVFM<+T0^y>~7f@k$J!&fTfFiYi`%IkVoCo>5*l`K6aKLkkL|^6VlL|gUD`{XykV4 zH2w*$_mS#wo?lL4s|8MRU)yDl!^j%jP9W`QOlrKkb7As95VUe!s+FadvOMOUuEAn0 zl1T0ysw6q0>8**cc7D!P_rgw}%Rw6{7=-jQyv$cYQsIi$hn0Lqx}bOZc({nb4BBOX z;n1^!lA>~UO_%XSTljUa^)rmIW3I8w%KEC%)o1)&JIUxEl&ZQ?ZMW+dcxSQWl71)< zkh|zjJNtu$qr+H+95lXT7$BW0ScUt z^%q;dTGj4>Dok`eb-eb_>=J?G3guc;#-+=y&W`7Y_ve$haX}WoBhs8cl|1=8iFmCR zCLqZl5Hlcm@Xx#uEnnTKg-cR8EkUMTf}(Sy7AT+-w+qU}R&m|ZCY6`2D!|R2UbQpX zJf=Q)Ji8b=PYMaKrA^1|_P0z)Rllap-QJ1(9n)a{Q8V`sOyk=J^xv4qw-xk% zb1264mnx5mh5awe@i#j0tLTv5%*@;djzPgz*T&I8kBC9i$jlgyLBQPVt)7+o*Pp?t z$so!g#vrKvmAWtj!MHro8W9*W#}2fn16IlkT<&KBI=M3gE$M-o0>HF+pcNkz>u*8( z54aBS>pbUM#ovL_{|$5k^Ao-e=DrvA)p?2;IJ^1piu)TV{&i3X1lRwToGa&x7yL`P|ShhL_Mbg9f-F31?dXlgb0Q|jl*1jHBNyaV5Eyv2%l#XA z_LVG_w{5MSG!}lkK2{`!vL)K8OYHGf~hW2o%oo=2BS%Hvm57`WUu_m=w zV_`Miz|)4Pb`ZGtge0J#E94Ev{So`;a5b?;yLB!`OmFdI9f+^-Bc{pyo zZy4qMILo)Xf+I)6lBI0zPCd9d_uYtUH(E)AR;qIczVRyjo;k){HpNVEI zm)a%`%_gmn@>dQg7id1np6%*eS^}))^=QvHNnWDYZd-h`FjPxD*a)4jn0Z@)!fK}M zTsgR#QD{;Bq&P9_5SfL+#<6j;n9)W6@6fJW-*4Qdcc`|OwYUG>rk|Ny!ek>3{9@7G zp?+{f#?a7?wxMW99;03zH6$|u4CfpAUa6T5g`^7iFmd9v9nLpoh#~3cE;?Q>aje}q z+@vgw^=grBJT!|5XH59`Qj-S3E)h@*{8xnXa-HRYUfu>3xUI)d<4f#lVvLtVv`7ox zw@+LZ2Z|j7KEPSOQTS4n;y95aQ9|V!D?SRS@w_leP&zr*9O6sQ#fXT>Xi*}FX|VTE z%n{F**R0ScFMCP)KWJ6W%;rx%FFARm1R(KZ1a@D zc!S4GgKn6iWO==*@rbN+CBPL9sbbv8&s57`Premt+rK$E=m0N%XnO55-@sI8(miW0 zgBE}egK^q~((RrOQC-p1yir$lIjP2rwW(_?9g70(C_}WBov_tJ?IXX}Ttl|+j+R)n z!fZT*>MZ)w=|ng3=0#v_->JY3(=!hpj0T1kIB(CHXAdpVOk>eaV9V8WzC3j3!Fjsz zcz5WSeTZ9pN_p;0dln(Do$3O$Fn#ZrPIc;A7M z0)hWZgi`lZ&M4#=;e~CP5xC#nR)IhwBpe+2aa(|J@Ie>FGs^-g&CJATJ!Y-h`k@!Q ziuxBsU0)()Wnc#$_)NStgax5W(r}-cEK3kKFS3r8lI+#79X3QLr#u;F!g6V02V7*~o;6`S zB(moVwaQ)A{r*U`p@es{jKDK2go{{Ghn@H2GeilIywvwYaOA@k6a} zKXmjHyZ&po`8XYw=5fo=C{~8<6es|jK`4ir8htMwa+ZunxO+w#O{h6W_2=3q7ui@8 zzo#n{yG^&p;Q%5y#hOE-u6yWZsIElqbc*Q7_%$^ccdm0U486v!mqO@dY7_MX~wg zlJ0q<-_@=IOWp-T?htYNN-4TAV;!BsCwtWPb|A7_!}wYxhaPdsKi~pGamP#TBs=2v zRC=11SD*>~(t)zZ;pGVOmo>E@$hZbybGYJm4OoJiyV8<)5am;^&{d?R5X~{77hO+u zFrT+aD2Mb^2M)SNH#heZKk1m_Od~s#WnA zjOI?F2v!Ja)rxKkI3*Swommp(0ZTmP!*fG84%w2`oU(n4QRUz(j(lyk9Z8jxVR97= z{Jf^GBHs~BM}If!Hj$JuCJla8mYq9=ljmXB`E)vE=ZwB`z(fztYE#YhFnjisdwfMF z>o|3?MJB~_u&b#LzDC;M4@HnUpKh?CiDuz~+K=osGW*J9kO(=BJ3IpEuz3LQGkEs5 z;W#rmqM_H8*6xg2b23Ro8SmB%Rm>*7pgb)X6EB0!FY&tIS7kU!=Tq;txlpN{{?swn zY}BJeV}H?tM`TeA0TId)rS>{U0dI8R9ZZ*`n$_k>Vq!guzszamN$GP+NlxcC{*wwG zaRxqS*b!|qCLna9gFUUxJJKCizL&gnb&LaPIJ>VK3N~JbkiV1ji81<6s z9YtMu+&;j)xPd8jLn{Fhl;Vh%G7U^;SF<82cc412OUWOgKgz9a; zmU=V3ZPYpn8>jdliagi@qb>`-Y0wZB+VhI7DX#MC^OYLeVyv9G2CTFcP!7gJYvNuq z%4V}EsrkA?>X4_WpoE^BspED0sAuW?E*NT1#IPPcEORyBaj&QKw_Q_mLL5O)z%Iz8 z=C8jDt=;raV%eD@pW)0G?O#2@pYYDoyler*P`R-medvFrfaR~1yQ8Xq`4~s0ICj8q zaDdt)c_Y@_s^UTL0Bx}Gn&fv_4Co{FFHG_eWa=Ak`5PAdruF(0EXMKwfZR7iWKEwcZ&&djDvy;7Xz2#DtN&ge(88AyXvO=#sP9*T_3h^Vr|JW; zQWl^R5@^=O0W@-8VFsq%0Zrb&DmK~w$tmx<m6t{yqu;KGOfg?_>J<6#dqb;wQ!CZ>h~sYlA;YEg3|9 zAkcrvfPR|ye4m@J0!#Zt2Gp!#YCbNC@{p=sz7|Cnp|^anAx#W6d_b4Hu{Uw$vq+f8 zyl9$d{U&0YW7KN;jswZh~%^R&OF z8QEQEwHRQ1a?-uO@fjHTZPdZfOS-V90C)|nT10sYFA_`SCWaluM*d;3h*gflXDcvS z>LInPD_R&!A@^i{o49Hw5BvR;kA zAYlsblw2>mgpcscL5B6s z7_Bs@2jQuEZAMX2kp_e_;`-<$2T*`X+1BC>9bIQiEH2J3UorSZM6!Qds)%n({c&|* z6)G#iO}i+t$)w3p{mDkgjQ+E>W`LMKrzCC%(q@Uh?K-covu}P~5BN)a+9$8TI@DH7 z5)WYN9KhP=yilSYz0+=>wCKxC?4^#W>pX5M($4{@?*=n3B`YhrFF~_Bv*Z1Q+TCJs zKV+njzUG?`l~aJV&0{_CDjH65^Yp0AdZ`A7ZHAwrgB)hbt2|7~#0-#X!6FshAP#NB zO`KIUtO>&m4VvR+d312R*gQYU8j5jiz*q+XYZy-K9VV1MMke_TjS{1k%R;l_8eC1|k1Q8iDMIqPv3 zuk(f*?{RUdqEne@&WtPfG>PP=%qe4X|v#>p%`ZH_d@^o#q+?#Rj6gmTz>@yMvSQjcEntjJ>TgC%v zpUFKi+=(xM=9h?swrC5UUeLUw;$|DtYBU4!M)gs~{^GYi{=H&5%asKJhu(tINUO8y z01j*GYx5SvcYz-}MP%3z%My%v(MOt`tBZ~*T9o4a`qjB-7CFgPZ$ifTzy=lZOME`> zUU8$ql<^dKNom2q(zBRhzfO1LVyyAH=Ro)TEK8d0;Yx9{wd8tl?hp=Y?cuN@Zk&PU z2@Z}wSw>k_-+@ypMA06Z2SXTl{lqN%;1xX$rW7t|7ESts-tBwuXnR=db9L8shZqd$ ztHb_&m+&6PlCoWnqNU~)^*wj^65(AsqW(h77WFq@(-C!yn>zE!^F{91x81J z#0QR6J(!tc5h;^nuA3lU@amE<7tQz zK-uBg4NcE)Quqt-`VdY z6~DF-Jy?4T^A$u2nY5w}nsHu(a`_VrBix|L+Wp$t0vGfIw`;CVPyp_r{ziD7CO~-5Wnf7>;p_Mvz<%mc%+vadXNw&t{rMbk~;U zy{!WGsn-3I>n*m*4evC+EAj6TE$3HI`7_-4#f4=R*EnZ1X(`8E8n%2!u>ul|0N}6Capa={Y(6S;_NX$dv|&fPO(ZoIhf(Z;0dD zt^1!54iI7eaEpIE35=cqMp1AAXE48Dm7lU{e|HkV3Y1X+LvQ|m5*W$*BUAb9QK0V@ zBM0Yijsjo&*CX*KFy{wk^S7bF4|4(_0OAC)8K5ZWE1UUK1oUGc`g;$U8Mr6&rwB+@ zHEN#i|K;Nr&_Y3vC?0sN2Z!NB1-$HkG2@y>X4r)rs3X5%F&k7wT0SiMnz zI>Se}{V=-d?qh!hdo&cY0<@eXyMvQ)3iyIX?J3&3v}tj^8g*R5_t=ikAKSf@scC!M z!Qr#~sj>0qe7A9OlD+h`Bj(%kz~;$ecov+jh_f|GNO_^9cY7|!+RZMGjSa4?S5-Id z^l`7#I#pJ0$f+(=S_l&v9Ftu2Z3wmlwuFIxNbLvIE~dvka)o zrakTT33MJWl2WK`E0%Xtz|7g*f4OP?B`|M35r%3WZJ@!G13w|R@OHyi$>dALRc?C1 z6yQTpNczqj1;wPb_&9*_2J|>oP&VeA_5pnE2gQssg+ck6Zlr@dD(|`EffB~13rlkc zOXG%;yhF?7mC5XAeoRXfnU{*hlnxYz$Eg*piF5?74Iemj) zBx$oyr|sSgf?LfjW6FK5)L6hCI@r~(Qsd!-$QPDqZE8(1;zKK*XFd0zAiQ+E3=U6N zw7bo4;=2^;VBjJM=Z}RzdfC=cNe%{kjN%cKhbqF;wo?=~*iQW{V^5nhNe?~P50i1*ETBlNZpm%U7-Bo%bv1xf zSw-#wdjR{W|644XG3a1Y;yaf`yFuHfL0lhu5rj6LVDe6vJdFyglVq!%qfeB|DS4)8lVM$jCq4BnJZs)N<=8%~;9@H?@6yBW!1!ADjCC~x5O^6JFE zl_Pc&awAR!p{XQ;V>BOZuSltznAg?I4NQ<5G@dOgmdsoHtpj*`Uig@wSFhpUtH*`~HdBf=W`@S&_Kuj&<)=j3r&>JM%-mRvh zqo6=v6U1E4i>ldiD*I?VMpBJ+@423(e=tWDR;tpBvbP;aD_*jVHf?XuwNA@Wm-Z9(q7Zy{}| zCPw3WCm{%-sj7TAI8t}t1U4S$l931Xn-XV|OH+hYX+-e&60t;A4rWd;aV z_0l4yn2^u-0c|C{bFWAh<&L=+tVOejw-=phEsc}0c6-i|*-Evt(CFXWfo>({99m8L zN$q+C>!oGe1w1^lD`7e3E99e0P@jyKS~Sso-YK32eXq^RB$2QKVg@#@C3644DS^LJ z(sWzf(0FFx!*X$+iKN<<3Zj}r5lwE+Y7I0mKMVF-1#Q<&@|t?+7w!;J0QE#eN%c6& z-7r%*Z|ATOUJn=;Oue>QtOfhp4}z~0%TY=~;CDXUvNDyS& zWXu7hRHou^h{!DlQF+4mN#57M4t}!5ekaRmg4>s5R#!Hn*C~zM?-eQ@(ug6Ji`o}; zJDU7T5+6bR3ks>0W^B2Vofr$vS0%$MeP#kXlt_mbI-luf!tadX z@;W|Z%2r-4CTx8i762>JWY{hcZu83DS!BXn!WWD)im{`XnzfqV%hJx1aZxf>V~aFT zNQYdpqL(_)gD?+~!(pN!^%EyT5JUhqoyR@2!55bIN?&yCXk+Y=1@MsT+kw#)Izd&a z<#>prLG!xP?mm_h6>hZ&7F%FKs^W%~Lbg`#Bd;c+_i2k~#b-sLJovV~KAny>JbfFD zxGd=%Gw90$*n`nhwI)jb}E((#WVq%jh=_Ka|SEi zshRF3Al5-7mhph2M@AYmpb)>?o~a#9%$@CtF%|AFF;7no&Z_fuk=v3Xj13l zWN`)YZ=T=puMi~~2ppSxqWN%z8{H5(oH3UX0eAbKSmJZ)JL^VMqTa2THtJ0;!n&zf zUC(I>(MKUvqaK!c%c!o4__8Dn4R`1pMBYRrYQ7XYlD@0^Vk5Jg7?tj8zPWiiI0oQ6 z<##nX;0frNs9mZ(v+WxJa3Iy{nES^oCp6cBzSv#VIEvBdFSrH2<7Uh`gd}=-ACsDz zB@4@0JIxu@Sv|O#xHzb{5jrP9)VLAev!e>G?oK3TP14DRjkV5C99tlVC)~0IlF$0}B>>ES=xIje z3+CFwOP0VG7?SsR6g-x}Pu&C{ zCGb-t@Bh|!W&+xH0qbK1W>x~@EWWCmS-vj3vjX)qEdQ`1@L%Bl9}?PrZ5RTZgI|&8 z|Dv;M2u+9A&(Eno> z_J57se*o)$2G0RM^-{mXb4H-V=?~#~v5I=wd<~lGvUYmy0AF!9M*bk^u;AP{gsDf) z!J#@DMukwRe+;>DWaW(8G7eIH(7|F34?H*~Cz;=8jTf$D@Q2`-O|935hnqu<9I#)g zWQ5Qb4!jg0@;{O!^tNk0aYk@kvUsxVntL0f^P1hHhGeLtcCx)nANy7ppea#tNvW_i z6kB<$j&@h_R1+bQhI@?$EosD_ck#}`{&Wk`?^?CZ=mkzTE#g4uQ11wB9^ZpPTL#C7 z=gav$ls+;qbM%F!JG;(>xm@$E*E_UmV!@ec1ZSfbK%BTl7bi!HzFIr@Npv8(W>6So zUijfw)iX@J8+)IC?hvTJh z+C~1b%`|9$RZmBUnznBPzOCCn;t*Nq%W;5W0sPql*51p=XwByrDW<2@ zDbCp6la`ciKSQhA7_{)Cks(!@Gvj_bvlkK{eeVpxA4Y(Lu|w2#}lvW?l@#RP^&Xd<|xD)d0;h-(H{JvjL${a_%F33cM?N+aJo5C zb~d(W7gnHgdRP2*XXz&_s8aKE4t#i~Qp;VW^;}GIbMCuToIe$7>eBM@E%S$E8Xe_Z zaecb%D59#;&z`E-EA*gQ(ap86iOeW);;9?3pcO~dQh-CKp~NvMv*&`>&ihD^>n$Ak zWg=Ll@gz*YDBq@4W1FU|h@@;O##Fn_RvhbeA?2#5j9oOe(F)8`M-Yc&0J_7NXCI}A8r6omDg?@&J z&$JOKxBRPtY9Nf2RW>LU6m*mRX^&!Lca`S+qC%9s!1Z#b4X{mn+>R-IXz$_a^{IJP z|h#tHuhx*rL!%osS+V zLXE3}KWWdk6>jt(z&E(RX-y0IwlI;Q!dYw!WSZzGQi#hn zQy2A`_HHH~KMO5q?06QcawTGovo63RiP?T`p;oi>F%4t;hIcbwgJ^B$!x@Y8^;33g zoR{2#4?ZCbnus(G4`CY36+lA?VIu2e_?2{4aJf7c*pH=1EW4>{B{fzYgr8N2o&{s!k}&e%dI1kg2)c zHF~}ypUHF-5rvc2@>qz*8FmnU2<~2o)B)qC;vqG3xXOUEwS5oc7wfnITe!m3X{7V3 z4AC!`x<954TY@W2fmb zZwK;umZ>AB`}gNF=|h^IzOc@vqG^zezIjXzw|ndI;sE9y&WBoz6Xm&RdYR_;Q#kLW zO6d}Kn0(VOIM2~ud90#iCDtB(uKT!v?Vy@^MeFSL{`O*;(7bmkdR_hHNK2{hby>Q-GWgt~}nl^4~Ej#I1miYUKkS%^CpPHW@SWhg{>UbZq?i_?R zKzhk$(=13Jy;VjSlrzA2wu56#Bv>== z7Rb&tst@^b{7=WEP-5uJJU!{Nh#;-28_q6UutV3u2u1E_;A^XL_6QbaH!7T#y1PFr zuPkN;$RE0QeCo3Ij+Dj`MMdH^?Yar>lLf6%m37-A-l#=}l(COSTsqnDx0vBhG5YYH z$GXR#yKKQSmRd(9JNYu_wF-8R!WSYE{)ao!tc=g38 z#`YbKnpodysjE-RjTOCcSH0H=o{?taTkg9S`cP7y5`7r{@GJq4#RM6|@XQnqI8=M< z(r$xi5AdID!ODMwY5|Ntc3XdsYX3qXKewd;jNhaY{}!qR`V@Twgg>b%{(A90+Li`p z&d@E>7TC=2#A6D3MOEq|L-S( zH{|36^qpL+fOg{6VH6@Q4OtFhn~`7Q5H zJ=?`eF*mpeaLDufGTzyrTqEO}f<7n+iK*(31$E8|Ge6TQ&TI_QW_W09xf(%s*NS9b zSFLjOf7>q_Q9<>L^EDu3YJS`L?xD9(W^ZqPl5p<>9#@o5U$FX}H+;w7L^1gr0=N5h zzxgM*CpR}YnLIX@&02v8*_{18ca6HkSAoprIPT08{%0Dcye+Mo*?@SICmQAzKjqt#O_XdczyYsN6J{d_0Q&GGMNJVD<*r=N+hLC4&jkgP}e= zoc@J6!?FKUhbe%URyn{GqG-C(AlU!}A+_9J`{S$I5UHpBN~Ui%=6CfO3u?UiRG*4U zxB9RuR{9)!$#UzO@W)1JHqV<{c?;!ud-PMSCb+vrl;?ScpsySZi80HfWD=2IE)bK> zL>@2eqqs=Ri?16WO)hOk8r{w9@FF)5-av+tmU;={kqwj+HI*X94}C(_Yf>0_Ch~@n zF-|88>-N(cycIa@o;f^jJ!f9X{D)Sz4+~n4yMp~G@9sB`y#b)>DbSjWsuN3I&FUZx zEhjpn&-qUs4u(OStaP2;ie5eV7g265NRO>1Ofzs)FCq*i^j|N{@bQ->4Lm!*0CiV_ zsA7#NFb+o8h&vb0I`L0kuz>?BapbP$j8I!HD(2ZgLd*BT77{K(kw%s1-fKnZtKV-v zY>5~D&?hajVJ#0ATx&}Nug|MDYqYSK2(A8>z-G%7fhZVUG+epM&GA#avx^({2_fyEjB%J{(nb*>FTGZf^esxK zhwLn4rIVe-$^u9n@4TM$2$Sw>EJ}4eU7Ro2@g(<0eRUoSjTs(1abZ3aqZEjOsx|lOBbRCuH zIAgibo;-A)mmEVJ7;4^X)%D^VP&!~Y8+a6J^Pi>!b$mK6$5c$>8yABuOiiSEDYFXd zy5hJe^ZzezlwR2fMeh%tVQB zRgDo9xGQ>ZcvT6YxTn}8_8C1nq0-+cS(cp|loeP+72$TsDQe*@vKf@*sa7(YPxtma zpn(3Oz=Hl?fdCd@5*rW;|F;ExmnQ=e z_unNl0Hz;F+c${+?LqtlGV(3u?)z2!dh#F0$hUaA|L)X3WXm!C5+&~QP6 zFcz*`i^~yU3W(d2Ray$mzRuZBC(IL7vL_Mc@jONP+MBJ*l{%@DgGDV{Hd?Hg@C5nS zNt0|0r#Zz@Y^CA~7q35*R@_2no)Sv7_ZIa|kIG?Rp`rxP2P zl#^*~eQ(^jaAc>nh}PFVcBj2(eg38AZtAu|sL?ZI6gxPA116YB2ix=1@u00!GIl~Z zw5A&&PbG0ep&0=agd98xR;)ThB~<>HojP$K>q4q#39F`=?)}6o^J183g9^2cIs!EH zMgwVD73FFLn#Gyu$~2`?TWa+QDH478Z~)`J7bN)bCUOonODsC$_=uxid`1DSmgH

f4*$rV)KMocQy`o5)rm)P$;2AwfYrIU030o*)Rl$h7OlNU z>gEXD5c8+$-9@-4_Vl#_o$Cjt`dbW>N^|UF0>RET7r{-TpfmAT6<3c*VBNCehWf(b ztBt&7_Eh0IGWyO#Bs@WC_R5JRL==fM(AS@`!W!cp;p$W`#GfEvgEY4=Mwk^)JnJv7 zYeR=dRYik(kFyR_l#UKykQ_O!-J*58$yt2Ono}LEVcJ$4}vVZ z+_=g&J{IvK(w6tYuy5*-hgtEFN3<yCzPi7n>|n2{ z{NQ5=L_w3{?VPPGgC!->`$akknt3mZA!U7)n$g2{cWm_T^%wrO7t=3zLj(uOT%4wi z8*0Kny=w%oZTT3~G}(9yZzci^=#gta=wSr@=RwdR;zBSvGpFy~v~J8yZ`OSD~JWK8ppqup2jd#*Xd}(K43$oI&S5b7Ze-ic_FWP;&Jlvqdps5IK<`E7s^sQtpoz`{ zvdTvRvF3OmG&`neMoP*ZwECJ8#q8ufqUE8g#53>WvN;bq87>?3!fcaoFiqt zJw-lyhOi!_<#qh|xf&_;MM6x$5KL=|SGvoHZY`3XBU$!*F);Td;AytrK>Va<_I+df zIIhf_TIMfppqB;yjWZVn>sj~R7xvTON1l5J9|``jOvOTU`k4OIHr+k7?2D6!Q@ z#_OpHC*fU{s$@l|zk_tCV%CV#%P1%Y&7%0ct;p*=G|Ok&kFxn*s%!XN)Pr_wgfDCu zCE!`^aO3q>6yuQeciL&+GYSs3(T3^xYK7{=<}wOKKv()BGj>K1eEifw>!lFy^~fIY zm(ODz&6o+O4G7|r2sFh~M%t`9S8NlKtlO7Dd61obnrwXR)Z*YP35c~p$Kf25U5-=lhdcD#=ui~9>V+4t!R%qauyr^Hf#J#s z#OrwXye2F^5Dz6{^EgIg(!PQ0$wAq}KJ5+_Wb;vkPGC5XLv1UGorOk740_s04iDo6 zzKr3_BuvsDb`2+TmB{DN8^>@Drmf&_>wK--dz~myus#^)G!~>uSBH#a61h&)5W+k_ zTz4u)l}U_Bb4Z1bTd5yahB{n=$qOC%d=1q;nG}x4&4MdYZ4VfH+7DiY{k+|g~#6fnuvXkn?0(p zdI7H=-=4h|n{KUvGw#Inb6eFoN4z&)w`krBBPYCz&&l#43_rTz8i|HX%n1y8fC_X9 z!v&g+LZ9vE`G%JJ;k$O1Z4yRHyd@}2Y(7c-C_bznAq&0qLEN5664R%hc)kt7c%h8; z)g<5`QjGCPL~ejMkVJtJ@H~b~-b>Pyfe!{>UCMM-h+PNx3MW#e3rHCo^Pwhswla95K= zA_D0>FSeA&$iWWDzhKaN{Q-VoqqrO7IeKu`n_j{Jay#JF&75p#>1;to5kDX04lHp} zW@bFW;~kJ?KGV{ouaiIIjMP%>sa?Wm1iO8VB_ zX>Prjr{xpnGCtkG))SuW``X7|^DXdv!O>@r+7`!dc;vKJ`t1A`S1K@=BDxQDQTrcZ zj(IU52_|GKCFVERj}&-68Jt?Em(cyCXzcp!q%^P;0jV%!~ z&<_~E`p+xnKQu*Hf7y!$F#p)^`m25LSMTY66!!t=uz#DM0_{`(B@6tA#siSX|M#bW z{T<*;_t*XbGuz*{kAb`EKmES1JK})frM>{Zy^+5^9e>h!_-QTYht9*_c65M_XG{R* zzbpm*Q1{3De-zhhC*1m&99K`ALA2S-80l zEDV5H0x;)PoPK?K*IH38m;qxI(Oc^C^);g$s@hIAj# z=3tu`yMg@&U{L&(Ola>KhXn!RRF51#gz?5g>iy+DZ(-%>v^zm12Z~3f+H;ys+AsC! zU7nUB_OBAGx3uoAcAab;D}ft1{b|7wlKcD{ECk$)ei4M&bRNj`w3+MvuTi_((xRyBXH$C+B09in+;@TQ$)L7DSl zTejZC0F=h8OjS7F)ov{-6O4;K8CVlUl4 zl}MEqRt&Rn(G?%Fmoi{rEx}(!rY23`cp$3ELgYF1a|XE>pN!0B?Gd0-BP`IHw?-R< zo^^&(fdR_>Hgbw0V_!_cBXu=`Re2|q?Cg@{8XGBXR#Q|JG?_=$kOg`qQGkmTpANkm zhs?wVi9|Z7%JCW-_GmOsDs2?&gS=c^2o#v^Owf|yp4feYN1pC;2KV$0wF;$Do1aoQ z{LSw33LcZ4lrqo=n<%yza%LRxmf&5T=G$w#YfNlSH{DE0;-KuRRklFM&y$9(P&C^Jkvyk%aCY1Px*x%)Rcz6LYBr*6S6V|GZ|FIbEd=!VBg3WbUV>n4Q33V zld3fu@uD9-a?4cJr<*sW73`--UCVAOG??=l9lQy+hzaz{+GJxAQjQqdwiWE%t0`|R zVsdIXoi6MC6z1JXW7RN<{5g@e7`Rzw6RD^vnARjczlfulkIW`n2Wv}8$PJ_8SIg3EFFCV z7~}Gv4!56XP>J!X3-knma-c-V&i5tbu?v{1SWNd&Im-uvc&qB9gP5x3ZeUh9?uH0* zb-C{X8&T+j43(%+hK+L?i8CA?RErl}30_=5CK~8dxBC8*{nq!y39~CzYTP)=rK7f9 zI>Dhtc$uUeqC^&NzZmIQA$Yb%C&0dOj}L~&hIJ`96}mJvGgl?htn4>p_lJue}>DqxA$MZ9TMSAqrP4 z%scJ?ge_<3$64p(#_S`<@JeIJr^qf656Jj_bS@D|83IMUhb+%WDX=Bo4bx*xtNn@k zh%k;5(KzM{Q(G_a2qv-M4ve3NLZL_M|vWI03VY zuCe50>r3Va(KCV(H#+C#0~m|Y9lVaB|4?oDho|#mGnCq{H>b)XB$FI5-~* z2I}GZ25#qT5F%rLG{VgkuZ5U-Y!iVM=0K{ z`1L8y^No_E^wc@4&yA*9v)Iq6)2jOeE;D>6Ox#njKyqonl)$hAvIDF zijnwu_0_Z>F-y!*c6}HA9XO~VxTJx?OBAN~CwTb+o7Za=U&1W`QUvL`ueZa-dxJ%~ zd`Pq35(_<|13=W7kv}0saKs*9SM*Zo69mh@H$f>8h?nXxBwE-Uz9HMlRMb~y5rRww zr>203?mxeZ_P10gfG@6XrLryVlJ?FTdrz9!U^jL0U9|?H zm=ur7`_r{7`$^k5xVLmL<_8~0YU=UW*SVk0&%#cT`B2wC=gSg9l#!ao9Bd9iOS8+! z3cF2#G&`-*ILeD5($$lgFA$RoC^wM|?NM?w*a#1ga@^-FwSl3?@#c;V?n$_TU4vJ zr&VWbF2a8KECYD#@&8BMTL9ISZCk^*J0VE0;O-vWg1fuBySqDq;10nhxVuAecXvr} z3-F($Z@*4=((m^7?ydT(lB!d1R_)2!>+Cbf9Al2jBM%XP=t>*apYNUUL{IBLJ2oae zcm}mW7L8$%GJjJjB z-`A!ce^@|zHu_3tlU?nA+y%zkILZ(FT;#}X(r`Rtv zV1$4Y9zYiMGXD4l>5#MIz+wFelJKVJ#JG~pPhk1Yxz%FZl1&sbAWcwRn^gUtu3orsCS^o$aF)@DE1p?+j zd^4&2?#aXiF!A{f27PbV_=bl7#NNMt@*6_>Gcfx8{@-)A|15n53@ikA2LUpBfJ+U) z)gOS{03JvH;K9NOXqovxstEtoa`K;r#{kg(F#|fte~%B4@dDb+|M&QQaOC}YOvP_I z``_8S?_(YT-877Vk(7*pl=mCWM-Lza83Fx93=Dry$^Hu&eH)$mGwaFlBZT zMn-z^9$f8rPhw(G@UQL?D+nTR64EyZ4mYa;^B`Rjn(j`niLY!XF&Wmivx&%R-+wbD zRyl*rhQSR=q=VvLjV8#QJTGaoY%)px_~ zx>#$G)TDp)>;zau>u z&-6@xQZN7VeEq|N1CZtZ@pu1zaOeS4|33x50B_>00eFBjS2p4!KIl>Cu8_4l)%dbj zRpJs$s+GpNPirrK?2bw#)g2ML>67Q+Mg-MhR7JTzP%uyVd#dtf*l2>|FGp7vc*eX^($lqpT|aH| zf{j{i6ed*<>`5WP_HnHxkEC0l_G{Bv87FF!t{JzR*_9_L`10P9?@`4pC&LWtjfOrQ z-kUkOy82%lCsuDjgYp<;EA(f4B$e|c8wDj@e@BkuLVw0}qg|~{V{J5tM@v$eZ7u^Q(>!0EQ_En1C9dd_vtCVSc!h(qDsRvPWq;<) zzTH8cIOEOTUi7qR+&hjNOiRg`o%V-MYd zvWS|2>MG(x1JEhrW8cT1ll;M9$nNBn{IZhs*CnRIO{4EdUMK=_2p{#fRoeAaRDAg& z*H}WONn*HKYBFyzNqqHAcxhI@3sjySlj61_r=zHo)S0B+3*^%Vf;k@sTbRjjRfx@$oHei}?>m0B9Nh%nzO5?CbYslZF^lj;Hrg4)jzs;PM zl2xC%D8;S%>~8EWERR>9ta7GFvU)lIhmN{2+M4K!e(}9uLRp>e3tC20!PuZaY;&578XC1MfDBGtNGbg zgkv(|6)Tod{H~72T%?Y0D^&0|%6+|M(c`!5)`^0aUviCQ3E7NWQ|wRMa)~efnoLc{ zFJKmVfgzO0LN+7}!3%ngtdtye{ChKiFLe`=+4Jj8a48Qv7#R$(FZClr_>=^uvO?L} z0zn=%vkz*rw@!<*yTmsj$`~{{FXVM@+y~Hx{0ClBIm|`t^k4U1e`zkl59ryWZ1#;% z-W&AP-QM0Y?RRTUk10+PfU&qA zqZO~Ch4gt2HjvK3k|7|pE=R(MU*n-_G(;~Wd(RiA1A3got97vbPO+a zQU81(sgo$&sdbOVhZonu3V5grlCBbXfmC>z(|nSny#S+J$_WU88B5u{D%wBD&a8Iw6C!LxcqYcTp1~E(dV2uJTlj~5BkadA6BLf!8qk$ z{U1Vo&*MtDu7#g1GV+UJZPPXVpi9^P7}Ez4A-Y zE{1o^xG)lpcQTfHfp+eZud9ePI^(yGkKb{K+80?`S8yy~?hYr-v(#RD@wi6 zg*ZJSCevE--RYURDS7`zvivG+_4B5AB~bb`YJts-51YD}C`SxZa#xbzIHR&TJsBg5 zDbfNAbSI8`Y#J~dT(ScB>vN7FiiS&0_O6Z8W>TdKgmsa{YZ5XPN+UP^jg&rNwc$b| zyKRGV3Ty7Ip>J*>A+r#ma5&NZLplk^Vq?cRz4v4(UxzzM_sLY!T{atU`Md?--q%lo zz8pQEg~S(nx+=#Rmd^R40NBgv?XG8|75Ie$fpEBCG_6-_bah|STK(}Jo|6>B6GT}v z-6z7wwn&TCq@!=hzV5lk7m^Ww@{R=_h!_u|k1=k$xhOHS4Si8`>k$Tb+Bzv~EeXc$-HuAJKcHzt^qBEXofkBIw|*^v6^Z^*9f##c;2EPQROKVo(3LzAX%@=+r_3Z|4OJLNm`yjm z`w+&6H3(Y*5Nmn65H<GUVz6YDngXWshT*s%%t#Y9BqIq!B4?>0Af>FOrKBa15p z$mj*w>w1huNOsCS==N6Zj`NJN2l8Mf9QtQocpmts{w0sOD<5#4auN9!uw9f6cNOH*%>^NMPe|xAs~B5A%QExyN(*v?<+D*_;@ zAB-bLQ`XbHLdXYD>kLsqincMb=XExVIGT*ewNd-AJI-xG-r^&hC2`W%NWeE*;mc4K>ND@PJ z*ft+OIHUyn_?g+_OB&|$^}fEZN5eAv?N%WzkO%*I0YC<1h}o|n`wSkEsBrtMR1M(u z`bWz0H>uk9wB|3V8q>ef?>|k|euT;2d%nJ*W5(auLcojP#lZku+~4prVB*McF93P> zw-#xQUFWG%nBF`^Lu0fZj2oO|Nc>AKLgV5d;H&t?3BBV`c(u9Kbk)37`yTW%;!N{C{rg z&l~ssDE@aM`+b-w3&1cNa6jk)#@WmO7MqEc5x`>q+QQ_23GDkvWAs zqXV1+0gikO05g&Ak1XZs_eagY$72kC8Wr;$$^B{Nuj>nd zt^ASg{UwU~-)xxwq{se$FB$wvbN)N>13abvDf0WdWbm#MzfggsLw)A;bdZ`EiipP9 zjjb7lZ%>DVn{+|*4OajwuS)f+;quSopk)^Dm>(--P^X(>o2WZE=FcIsDNYN}d7$~Z zM{}~8HYn$UUw^Va)WZlqE|czbl_lF&UT`^oyEeiNORPvNdVCzTqI%t_a37s@&O>cp zs=HQwg3w9q4N5j#=R07lFw>9F5 zy9BjCida||(%E~m*v!pNMEYazcw~tBeOtA|)Uo-*7U*Z#X?fL^Uw#MuSl{`(@1TF_ zRpboqtsU+34eh^uc)r(E|8M1j@6)V)|LpvB$bS1W`ghuZe_i(XrN2CA|FB#DP+t7; z-TV8YVF4WWe_Ae3Q@3AgLiW0;SSMsgecgaev{b-!Hh9+9Q}kiVw13dR1f_~CmMl4M z(}jem4VKDY38Bj)}TsIwl<=_N<>e@GqT4O2DA)g7Ch}dl(2f!l(Ixlk?HEt z5^F%;QogtlOL7rxar1^q03RAkrR3w^kuV7RxDiIHedmTNbLcHuWvTTw(>yyGBh2&ZAE6SjLw zXabdax=*yEvp^+9W^=dnl@M$MyC+z9`LjNyx}~~zoT=i)Bs0LmXy7Mm#8qHtGMOJy zl}82lj|{5QV}{s6`PpNza1)EwiXO;|(t2vHx&U%wrZv)3(@e;BJj!N!56${=xj{Rp zS;N5qn?)&eBB`+WfXP|Hi%Zd)d{GX4-}YJUFoP0OgW)8yg}dAS_~{U`)rC7p3T}v1 zPY$Ug@?OZ(uN?Z*bBuhC!5odrc51vY(8@M5y|HCmuAV$7Itj>jH--t1y~MmlL1s9- zG8JYXM}?hP&z+=f^ImwpGCCghI!-739T9e_J&h+59)$lrXgm;hj_pvRY1<&|+re

{7I>?%<`*zA3Vb3sWGK3TrhYUp*>GFAQg=Ve9Nb2!-;wqqv z_n=;Nw9dOH>KTpiVbkMZrB3wKc!2^X9lN1Dyy6Hy%%@| z!{z6>yS_@MSGsLW0%LyFLmorLGv&)EJIUwH9mcJ@tB8tP%bTmHR#_Ox5OOHck~0uv zNhaM6F~YV$IAvu-h4M}mX<+!iEQvb(AXs;MYx1oXvIRW{MmJv`yy6PjIbcnC%V(1r z!8H_D_x3Sfci1;RAmzYAK5Q#(?Q^eLV1?rxpzeXx2F41eK=WTvF+h zvg@Kb=FqzuLedjdBB^yU+*NVv3vAN0L8H8cpB#JzjUdxhN^eHY`brbNOEh~T(}dUk zxI+avG&W(b10||O+#EYTMb29HsH2YU6dUx?Ax>au<5s7-!zSW5fL$GTJsG=0o8_(f z%7{aW(TE&LxvkepkJB}XV*t^M6G)SRP^e8^k@mVouy!q)1k^{}Rgd!l*&C!h`A2j$ zcKMUe&FMv$#TVAPiIHbM%^bk~GrHBTNozP+!k#(tOUFRxZpt$+h2~jNc?ghJlqGk3 zvTb1@Di(zLwWS&Y?K{fNjuZ5aFOU$_a5{YAedC(+Fw4sVg5O%lBz9)pgAl0Mc;dw{&eQ(1E+pG!FVQa4z*w9JOX<;NSUYTp5CPCu&DEj5Ah8AC(cQTMP4~p;42(@&wL3B_eV;?Yzgm6?O!z{4Agpx*$ z8oi%g*{>N&R^SjXg{2x)f{r`vi!FhCtMR5Se->l2u&cvD8JS7|w6n7!i}<*Ayn-yQ z1jvwr{maJ#Am2;cN*_>p^>ZIvORTilMp!yXF}5Ed?hCUj!d#h)lU!tCGv`D=rjosl z)p|Q4iWjMq*K;WyjTXGNJGP6LE#HCwTeR50u5(Ae21_vVx7QTxDxBllml0WaB5--( z+?vdCdT-h7yDSvtLm{Vs3l@*-5$4D35r$;}0U973)a);f0`$%{>+V>FueXO8hz`3L z>n-c)#kmaUONgZ0jtX`9B`_Uhb`;l4P>LiQJ;#qO6GSeDO}Jo#t3AAmx*D%QI7GT| zNt1K&1!Ks%;IK+0vTTix4o!tU%%G=X??0~Q3KEwhwm0~W%fx%E*K)VVg4tzJi4aq&on`LOG{bExM zWLfXFUIA@K>JbJSZhMqzxn5MZ)kDc!^{8h+-x@eRIN@38s|=tT^9^x^)gp^w;``fs?U|#5nq{iA0oltV?G#6(ypifn|yJ(|z7Hbj{;w+Gn5-thsVN^s(3pj|+YE12~ z5V~n0@=%@XmGfylhKDsP9Sv(^)pmC=wwSt5(T|w??Nm5&eIsPyELa^kQy5wn^sM%* z9b4OZwv*N2TM^4;vl21xpb)g19A>No$6C1*Qd0eSd zhwTCB!o!`32}%;`K*-MgJig-4HHfa{75HO$#t=71^ruCiC6b1ES-LsCFek| zzc_Yu9m8bn0WB&5S^t86^DJ=bTH6eJ(-TpL$v=ODYkpwKs2uVr)`xyaDMbtf4f$?= zFU!}9{skyYK<~BRfR+9PwG||&F;T>q*$jlIr}KlP5l#BPdO=M;$IKF_E_PG`QTx zFx1EJ47*nKuIE>&IrEQ<*59P&-_zK?l!v~z(*8d%c|Vqi{?!)y=ZeqwAO4l>3`D0sH?=1q~pr|H$LNV~OwE_D`VhPbB=G zR{k35GW==a(9hQc)Up8e1VDM=XXB%vb3|8)hyTac{R<*8e$#yaLx@=W4I%=pRBtNAm$EsK z#Zg-7?2V%AO^@>550ZOMZizT|P%>DKB1D$ZiQK*iNxytFeEu6M++ zhNd{-B)N#@DCEh57p6g@T&~ZR8+B6^Z%TR4S-aA4oq%WU-Rk1#esk^+HV5MMeF5;#G+ymCx5uL~5Ijla>l}521Ub5jMV?o% zbW3=joC0xRHMB-NX?gGrmVnbi_9ZE^5HP+plpq!l*IrAe57to^zj1Gb(HT8qa4HQZ z9@m_TIJKp{dvvomz=514FD{)gAg)Mdc?YrB?WN6{{%PjE{0g;Ag_Ws+J$`3vqPkVf zjf^UO8b(yBq5LFZP!IfB6bUI1f2au@ITXLHs_A~pwx!vBQA2R{>Zqh%xqe!>69!pr zB>_^q-GeW(W~hkX1MfO@pwnL9O$f@!;v?6-#0_~_mE}qer#D$Bo!kl7p$TwPgMav~fg!V)pP zDXV1^i-1JOEmCCoGAN+v_eh;~Hw`*&pS685h?=MAe*57mVV(yfdd=VTLs+0t0asYNv|f`^s5Cfihno{D`el ztRe^8uG0dlk#XSxUA&72WS#8!!U;Sz`nMZBlE-u}A76@xfW}#Z4EF?19A-^sd(nei z-QkwRAQm&QQAKvhsVj`kU(j8Dp*qexb5h3}O52-NOw@zxWhajw-W88M+xAT)WPJsM z>C2kXCkz}7NQjg3e4tVV`-tQN0@t+LJnXNo69Fxcj9{dd=|oR-g`5_KjQtA0>D_~$TlH*D{->aq9vk#1?F+` zmasiE!WoU7(RS?>7F@?lGl^o9#_cg8*GV_BBSyfc+Vr039K?NHBBuQ#W?;E{H>3`_ zpta7I=}ObDC*a$q8x`+hM92MQ^*k_w%{n+GTeo7Vr6*o%>%(c}l)M^LfAQ5w_P`hy z|FWwUM<=66H1)09r+Jj;s$jRI3z;q_H^sFA%Lm>w2A-WHq+a4P%>EY(w%gH4z3m2vGDcXpz2~iXve7s`r$8+rvG7w9P^TH^yIfAkD;X4y+gLqRF(bO=v z-;ljrllMYwjwf38PUM!$4Q6(ew4#f~?j^)37A?^GqWc79H1|bIzz$Sr!sJW|mCF>* zS5GN}R)_<0rzRR#OvLj!=nKynG@eBktJJusOeLz^jo#8lgkXhXuI+A2%<5sGzY|{fenUCG<6!5>*5D< zAbOYteK#c&U2~is(ORw4uP^Kj+i8>evP8Cez1KgSTv6&m;W2dV2_KFH?;7NEImqx8nN z5#DYYNsRLy*Bbs>hVMsAL#@N-fo9k>QCWz(Ao}ulkTu2K8qAki^22Q?o+GyD9wy94 zi*jGY9!9XB%BnjdPQP1=uwPsH7 zlkLNBL8i48O-04LAR>kkuwTBX127>P`R<*zLTgLs&1lLos`m9Y5jZfBCPbDttC;TK zn9^co)@r_CqZBZ1^ycDo91_PI+oWf@^q_lIas|(a5l#1(1U-9%WAntXFyiTBM~vt^%#Qkb$^tI^Lt4qYNkixi;WUShDTQsIv0k~{%rUQ(0-G;{nV*;+(|fz9 zj}?#;U?~`WiAM(S<$Kk%a6$}%@!2gi=)>Yw)t+Tyc8Y^mZY`EIGS zBO*PjKo<@t@fP{^-rJ@STNoC_Mge!Zz0A!%n;orBKPm1?6AX>su`WGA9V zfy(0QYlvGZXmfibuL{8zNh7RL=P?kQVDAoKKm#wJW*J5{EEkId`WVAHCc3Nzys!=T;a=-lTYa&yv zXDc1H_l>o-rRK-3ehF_2cm~^ZED=+1ThU*}d}LuUEJ`J+BVD%EKP;<5NymOgw~CX2 zEs>dDTr%TrDE}%W3f?LvP~L?`42MxTe=PRG>6%~yyl`gCY(K2)62w-fpFY`|%wZRn zn&Ec5pCN)nf$US69GRQ9Dp_u~a&0x3bn@W!+m`9Mn$C~;)YGy7O4;5t>12F?FW!F9 zriap!`4qUPrN7RX(?4VVsX^Oj_VpGrkS{b5m!5_5+j&Sh+`>!bYiJ&?E^Z0Qsbc4N zF1=6vR{~H|M>$v+gmW$T@m5(-y){rmXG?j3sGk_775bevI)L^Ce0{hbpx30|ptYfI z__=H$n@CyE0ojB&9bb^5xYQd(UwmwDLw<#bCXoQ`g$2x$I7Xk@*y1XL=hxEQ*6Mb1 zz58O-{zW+tg(s9AbHdIEM5M0gkTY4oTL_!U2dtWC2p6noJ=S2Fh)HrSh}8E`G` zo1os;TmIfj#;2SK8ItC0=g^9xCu?i6>_AIv>7QO=D|>3%zvQ~1I#uSDvteYq2Ct6` z1;*1&NUIt>4UeMG08}uM5H7?Y1C6~;&5rsjak&+cj<=1LevmSuI`VS zeNyqF3qKfhUe3eoBNFv40N6bW&x7D9q$kgcUlG4GfsA@{EqTw7Et7f9hOh@5kI#0` z6vbYYOJOXQ_^!wA!^PyM_vA{`ADLU$uLLw7dypTkXK~2b%h>I1+wT3ucYyD^QdViA zH0BRqWvK*~Jd9V3a zTmR1YqZdU=U2ZZG3s#b7{We|Yy1-$ndC<#&&YomH&`(a$h3DD#FAWh;MB=(J4X^u$ zj^F4TUSB~>ljz=emnz@Vl+;+i=*A<15M#c)H_Kbp6Zo8+9wT?Qs8AF-4XHthJAoYa zLMZa?(>=T;_qOl|SNnODnhga70vKz^yGK%(FJBZCrar?|*1Yt(Fb=HFZw04fx~SpO!M0eCF`ESLHIw%-Bxe^xwU0yLJe0kqaEfW~|F zZ$q`&0K>`vjoYkrfGLVhzZMGo+Xnpa(f@bi`zByu2ViV~xf)=&Hb9~R5YK$mA^>)X zhK=Rda-P4~>oGI^r0V&;tN)zNzSO8U*{|OKfFrZ%ZZv*_H+2m*O44~uZk21mc zGRgPT`0p!FfRpo6UFT0r0S1Kt)eIeA*5}VBnKeC`FVmR;Hp2?75{&& zu(19Z$sZ&<<3Fviw5qAvFAX4j%>hVwMf1^7I6BC*A^+-8tLrM(gu3(f1_gX*S$Pm( z8lbRQlDp3b8KCHVVyoS>1augemn+(=g2t(s>7Mpy^+(~f?NQrQuS2)(oIKxzCy|J~ zWkfSaA)PpO<8tSDetH+`szhCV_-@KoRhy<^@5Hbl=`&XOCmEN@qTCYZ(4zTpfFVaosg$mWIGW?7e&D5SC~Ht+ z)X?B@c`hw`f45R^0GNOU4V#Qa(Tb9jjgpYBQV~wh+%tK4Ew|B@>S(J3zh2GHSr#;B zz5KZi;dERKIv7qlV>TV>;-br(FK@Qs!y3-4{3h%dkcRWgkCGe6lWV0D=1ZJQ+&}XD2deWNuwH0k6=#wn$&s- zQl2$Z_5A%ly%dX?4}v0uP8wraUB=v2p};FTbxY-L3Wq!JTz=1zJ781Ai6ZXi6pL_N zv`jo82Y%Qa!uzPgx-hHBljI=LMxm^FvNrPi;1QfL#R5^3o}PRD*re+Ye-M_E3@6M4 zhK>B{REgEpll8nImTFd4*7Stth!Iphdj56=+;f<1_sz;QZ<2v6XVb&IbIAuqj$`$G_*?)rmsLhnFOOU`ewGkNpx`iJC zTh;xji)@pob3F`}@WF{aXEG3Z6(=xO$IT1pT8)7vjVXjAC%Ymr!q|g?DK)2*|D3Vj zfBJL_??|iP{n;?ycfH8riKKa3&+E$=?2USDEv{A8?AyJ_0bl9-(RsQRR%c4aWI|2N zvt6=DOQ%s64dkM22Q!7&0~;V?!(n};YP`AFmhL;KuQhOV5}WyVngvy~!?WxfxSab?&HB^(e zTQ|NWGh%aJW<#2f+BD2!jlLsa$sv3je8w6eo)E^I#&sPBcf$@3RHQvt&9o+!;)6`C zUMRCsS1sHT<&!?(NrA!V%6~msg6#rD@wqq5vk1F&S^17m=?izEhJJZhV2ts5`OjUL z{AL6|=7?}-(62!?ysvFkjl~7wA4Z6fb^}N?d1Bbp)5>x<2{b#VRrSG9_zdX1n}@@= zbKYMldJXPEoM$wTj8uu0ysdBE8C}^`!pwl(#K4{Q%16_UaK_%6h3r2|k`;ETpK{@z z>UvDcsr+oE5lz5Jm3Uz|Ygy>zBd1A^+9r(*jORNG9MZ#&*!o(8)bh0uXgdOdm0CzG zcwVBFA1&|Jo~~+OaMU8;Inc`i&qiHR%%E^!?2d@%hUmDTX@mKC^4%xkinAPWt?{Ne z2Mvx)K)xycP|+a?s}o5?5g`YoR|}*gtF&MrE-F@^ZnsKUD=J3W@qIK+JP8lbo@mjZ zIiN9E#Q1XpYbllzBHOig_5+ZL>7&&-;c<1(9g>5&5DI6bB2HjzTo>Mzqz;vq#(v?} zECb?i)~_AAc--pDna!3wO)qmga!lRge9ffka^dW|B}-|OSzhm#SMoJ^FEAO->} zdS7l(4@e1Q2)csk4w6NtQ zHHj{3zxwbht%#VZ`#d>VnC-PGY&Wa~3!M8j^?*e+Mur<5rFVI%eW%dj-9B?t9rfIW zwe?DF4(IBo^3ZZ=Ovzhk>lO!polbB>i`Mo2RcXEFhP-xDr@C< zb_ib!#9q)B+X5_SxVGzyb4rV}ir7P-){QF0^#|P6`D%v1zzk#xA}^;wTNPeP(e`W9 zB-GW1a2{K4d97e{PfJFgXq4_glUZg%T`~84j66YN4!iOQT-~0;s2Ao$Vah@HQgs(! z3QK~9d{)THNyq@CR_-?d8JCL@^Bi7v=2c@oWEqw&m%-CyoQ2eboZ7Y0#Ezg9`Pg>| zGe=2UMthsa-5VqJgB~A#6%@oc6x*+Kg;N?N0y_KK_FMC-3P$sz=@=lsI-F*j zXy*rDJaBY&!_Tt7aA|yD3Mq*8izUlI7Dd`pflNIiO0E9VB;}oX*S%omWN?~RBH<53 zEm=&WE=WQb?83LOQ0iD&+Z?-r-6zOteNY$e<&o>1{csapPhpx*i7l3og=BNo- zj@ws}AmL8w%h;>3PJ+I-@}aP&vB5EG!wXHhW`uJ>6QP&55bo|plG$^ADV)6-9^2*= zT#e;_E5;GzT<5_lU|mU~;Net@gQzM^ehw|f=PqH&a6eux$+NrbG+FlIUqDN z%+IfgTU6-CGjNhkl;q4m-ZBTsfo@_*cG6SzUVsUqE9GSMW>MzNDUPhOb*(Foyzz#@-bW!PHeD1<NoiHKnO zCdQvsyd4E7<@A*)vbmKyutvQJV*ND|H;CM5cbwSg zTM*jT-NAUZ0A(ylt-u-wkP}A413`bZ6RHciUPx~{W-oZatUR3Xj69kmvS)k-Nfh@T zJOzndJ?B@2s~}q;C_bN-^jC;L41J_bAx}s4vk1*i!hK!Z*mDy2;$AETzTIs$XxypZWS_bJ`GCo2%+vt#4JAql;gXUPn&QF$ovTQ`C$* z8=01}xP~B)I<{waLu$o+$c9-9SavRL)l2H zSbM4d)@;c?%XQo_-YTdG_xT9^7AE&&2 z-G~+tZ9nHD9-cpY^{=qypPHxt23vklWdDLK0VYlWH24p&<#)|B;Eg|+83263{sk$2 z)q(N-xBneP^leTLJ3uhN@@?o2px@zpcLBh5js+mwr)T>c?}9)0_+Oy4ADQ3(4DS9e z*atWP0BBu+THu?F8z4eDfGrv8FMC7&0(O6PB?Dl+zhJfRclV!QHP#>5;O{W+PfG!y z@|&~)VC?o2R{J)6^MAYQHy?U78Ww=c;-{rd-w)C6xBBm}8WRA}{&rygLXH2xdDH%A zbPiy{>F}BV)%f!d1=DOlO8kGvYV3fc@(H>Y~&L?UNID+|(K=;At+Yt32B4eAZyH_G14ZTC-~ zDKv-(pbZ-u+B602knbwLpw>2wqPNrXl(y)oG9BfpiaM*-Q@#~GJC|&uEU7w4si8ay z)A@{Os8xzRrrAc&VclCNvgD`5xdF~!{?zhxa2R}4BCU*j{F#PxaST276?N6h%xCYW zaO`y+YK`o7E@xSlPOv-?8;zPCE%$rxhijUzF~92AL5!i5hwZ~X+de(4JWrm~X#v|J zver{#QXTESwmf%erDl>es_gwNwcaGYN5o>Wr@rJG`XVE-l9GTL$Sn{H%lFv6puQ3Xc;ENGARiNJ;h^`-pRj2k97Rw)`1!Ln35;fX?uoErG?gv&)DIU)@o*D6JFI`k)P4MK@vh{C~0sbbg7LET?hh|s8!xn(o* z1D}e@9PdHzEH8BN_V|8{K?G{-SO_)^IWR)#*e!vK=EIV#E&)F)ChXCUMPi!>FKNh$UBbzouJ_cWDejn! zXBbDf1M49(9j!VivCI+i#`*X=dFQ6Z34M4;#FhL)pY-F!RwCYL!8iv6Y*oFkxhq0l ztV%O_9PiHi&v)ft2zE^dunm(T`xrL|64+bvFHOShK70hFb#RH0i~h=tQc_uh71c$1 z@5A>oO%Z|hg)EtI{1%*hu1rJr^HqM~vWTFLf4>;t==xN49^dexT2}n7!dA0Ao&*|^ zQ{eHVK`xKrqm0-Yri}r#I(g%<87K{vB{@_B4KL86N;pFM1g8+9+I9;EtsUa|$u2KXg>*JcCI<72( zyxPEbL)Ym{C6Xdz7L!)Hpz3%!ZG2&gyZ)qTq$*SsFye5F4 z-;`0%Ih%+^5|v=PB0GDqxepq<=r|6|vmhoeE%>;{hX)YEo>fK;_OOZ-a_u4A*yQBz z#YVo4!Su`g0Jgvj(=ST6wauZc%jM@>Cw|`U`=UI}B$!@_H3fqbsHU>(LR4Q8WW9*N z*nwtG>P0wjagpaC*WhD^$;YvI&q?kNA;HI+n47?m82yA(J=C?Po4iM)RRJ56)(h$& zE$V!dd<)xyqH=TU(mt>SGcJnQ8hFx$jk~R= zgD|3X_K4UPv&yAqV38AG5T?`f3>%OyOZi_53IH=q%0whHbCFU!^Xr#?ww}Bu3C6la zI58Rxik6Lfo2SE6PY1MS+RkE77G3#mVMb3mwTUY{>{KA4`<@f80egL@VxWRcNs zk}eyKxZq3xx=GT+fO&9UR9%qnV4x8L0X@2R01K?{CBNLGQVEn7#^8<=9;sZC*o4nb z*fy_C&#R5Nd=|qQOa~kZpaf>2s7=ZGh$XATZkB?xCVZmpm-&v)lrnwg>kE)f-hf#; zCcW?K&Sl*`#Q?yiS>e7Y!&1(aLY_V)R3IuS+pT??RV zsg#XO=@!m~BBq9=AKREko%EA;2kz!YuWc5!){NvWz-RJVmAyyePDzonx~yYV^;ci^ zk}fQ*)M_|*b9C=Q@5Zlq5qY%FWjkpb5Ra2NmL|5HP06J~fRro4e689jy=W7qlr!wP zo4>%Ld$s|+xqp1?;sVw|m1E+{jsn3e?`C}>4LLFKhOqidjsyP#lmeaYzS8Zu7{7F3 zk;<}AHRYR+!|b;1GO~?kQp*LZ7{W26-moQN9rbserj?1>qoJvE`FcTmBNuK2zL`f1 z?Vs`|hl=IfSM!&_dRUa}Mo~|LV+cIM&6pLs5ci5_ipkC`;*^{(&YU>83@P2#vkf6X z4UF4(XqPZ^Uz;u+!sS@m`F+uIi?Bt>R0Crxbhx~ooJbwD#CH|&oHdu4eD!E*nLy^c z7xz_peF|kp-onithGLWqL%EDp8ey=(Zf0(nI4ofFpg^wj&MCJDh}7Qy5y{8&Ej?*z zcw0)EU=V#_68j*H*jk1$E|nUXVBB+@(TD}e3JKzVsF9ach?7uBJ)yUGfnehh27YjUd1qIIc3ce8vD^b zVRd;{wi+h5A_eT^#j!Ij$=Mia#<4^T^p|=v+e&iWbORfvu?-!<(E1GxZ9i@Gob2ql z^d65)(X=MNaJXynXTRxBfn;jXfzkgMmsi;?y+`$$_=~Hj`UbTn1@eMn8 z>|xMD#tBtPW=|SY=6(4|Eg?r2G) zT1X;EoeUw!TaNZ_KL7M6fS!pkLs;A%*@=j4L_XRyLf`~~<0&MhS23Joh2ExzUC<2f zx~^;l>yv=bAuUzHInH!u z@GHZuMp^EQT8(UEL)8u43q=M8(ykigUaT&oN2p{=< zaEf9<;02{7LgYlX*F^0Qhn$0V`k=A+Ys{;iYviQMBJg0#Qv)3Izot`yxCP<`heJd; zfPIA@!yt09!);!N{)EY+Q&Fly?kwi*9wrS;HKBc?p#2tc-w*w=WMwbeXK3#_FFZ2f zUFggNezAP`-84f-=1i9;>1q!GU4C7j+!zAv2`tms;g+DcT%mXO!r^BmmZwtZ%$K3M zmkZH~<<@5NPam&U{ogpd5r4AipR^-tVCfrPFEC5VT+=QjIOaE46T5*l>@-5{98xpcYyF$4E!CI{NFGz0FC~JfdNh0 zKhvt;fBQQy`p@kLU-2;m=w4<3`22VA{jaPg!2j>BnDn<&!@uvrW&L(jfB(z= z4wL>kV(U)|?Z3mM{}hJ)2*ZDep>%)}%0Gmmt*T3QTP!G^H_9K+i4=vPcr~EhC>76? z(iR2{S&qnR5gFy>nZOq!$mOyNuWmor+oI8a>=Tug^THPajyx5rqX}aCJ z-z@oDC}I~Mu0V8T$sa11oG02xq{l8fo4S3n8BDwZJF`-3mAonBu2McJK~v7sTwH|U zsSKD*GH+cGH6u)|3`W~lgJ-2s7Uo|?3x*sux$|&!gFbf@zD5g0=8O8yfc&^$Ca5}Z zS+m76Iu73BnY%M&m%){(+6fvJCByN2xYwKJBO?$Zysn3i2#pNFIfEZ^esZn;74qe} zOQmVsteD4D`TzvwB%Cb?Z(4G*X+(w>Xv`>teJ4VcJkL#HD@BPjM!}&D>;C8WIA3p1 z-fi^Gj9r(tK1#lC&6I1H&{v#uQmB*ERu~cNLmZxVZFk(f(VU5&X|ox&Qk+?4hfb$( ztL2kl3C>WZ52K443^O1rIGAU4oZ;+Q0fiIxrV*V<=K1m>)jt6$ORFR!`m2$JCAo%W_{8*wik>Xp&E{`4gAJp>Fe*K1}B zs4e~Kv&>e)U`oxH8CN;oaP?C*#If%(|?l;)&^bzrJRUpgB- zkAGfjqR7-M-$n{#BPvRF9t|~(GJ#qw>CUF693Kr7-e4&m3MS@FIP|3RQGj=q-cs=p z70zLAVkbgj65@=L56~9~m`YBb^06DsNf80YVl*mqo4P(cw_uU$Q9&5p71^d)Tl+wc zS0=hz&ej*sJa5v%y~u(VV#@%l^QwL7;|ID=Uzc+h1h3#TggEWJ^cQq^GyA)=aGU!U|y8%V{B zwP@Z#g7|zlnNI{>2TZ{r7O&5}5@;Vm2Z%!A5&@`hYmttel#NGF=%M(1+Z!itHY3NE zPG!#JA`WBEPAH%5^su0LQv$HN7pV|Pj13dhxW2roiXLGw^VsCb?ZIQSjhLh|xZG&t znoYH3IoM9V+qY>sd9!mi)qHT#@Z`F`O$ADl^k}<}tp-OFC%`Nc3b0Iz?zPf>vrQEG zbaaaHrookYRzQRZD)5SzB|};KsUnym-?oI9q6C=)*?@-# z7Fp>dp$Tu?^{1+6!<~)VSiKu)(4Vs^KA8%hnt((0x=*VjHlsgWIgfQ~pTgE8z%^q?n3^pHSc z2F(}sX@T$2y*=A{-S63Fe-}R%7wekb^QpDQocEYxbiySa z*j$NwnI`o@4RY_e3zFIjw?mB&bDN#H%mvkIgeb{!qP}eq7=zG?Vs@dOnM28|W{>Ok z8&2xzl-~n2Kh~JuX=Y8t5*|HlLVHFeQ99S75F#i%Ts$c3ju#0l?zW7bf1?-T0jF{5 zjg)SeIFUVQoY9>A01E>qR*0H8FB}EQeNLqn6gs*vr_7Gg-#~#~$(&Cjw4;k38pFijelJ7Q!@ON%l|_|s8fulWQw;G+zKz>zUd2E=T#GLb?KO3yb4rb z7?QD&&gWByx){%(A6qJZG=8gVshwvXI{gZ-DdY2d*FKnx$bEJ^fwalo0da7!l2rU& zeHmj<5#L~VWZVf*DtI6Ve0yFQi9l|=o+?}0U)&)ohmQ^7S2|QL^7qC# zcD?d=*bnwh^Rq>v;{tf`6ZIQ#RJ1^j$gCn#)+{EOrsbwQxOIi3TU7Bg#81D2y*~{5 z{l(S~FwFRMo9BCR6wbd(EBxoy&-YrYoWIb?zGm@vwkQCj*na`DuUiy9gnr?@F@GiI z{j$%%1dL$*n@|=G2Cm=E`h7Ji`UVGow<-(ZC&LBE6#ud+8^B%s^QtUtfP^+6yY-vU z?<<_5*2R!>%6Ni5j&vN}1&ocdOGuaAN zNnl&$UgN;~MY+6Ev|Xr;=srpP{EZDMnXsPr$W*+yl=7ss;n~|a7Zb>ym><2OgZ83P z$V%Ao=d|8uOlgRf5x;M2sJYsPO)K-pjNjQcNLb_T$s{dBo9d%-DZ9|`8f~eps?@Nq zHL6_;-Y_`oGte4SnyAv(0#y)SAE}t_TDNa5`w=^uIaKZzcvNs%-IrfY88PZu8GJ7)WW_e5Jhw5%{t zMZ|atqm@!eneH1ryI>7jaCSDAR=90vN8=DSaFjZA_l#cxYiRj3X44JAt)KG7Rx>+Z z8Q8rgLbzIFi2z zJrz^sNmZ&&Ylh8nuCzft-si40PVnI~7~p=fXoWa@>=J3yM7t=T<7!plP>EO$eH^9D#x6?V65Dm*VF^nwa*_l#f)&WBkT@1T!U)aqnt&<6Q zilG<0X_W0`p)kNc9oJq2G4w{eZM8Q_ld*YbHs&br_HIgAS+#BxFLD@9fu>CbUU3TDA{~VQ2m`kjBe<<5b z+faygi_Hza%eY9=AgtH}&#U}q?jtC}qzl=r57T7F_xqU@%>wkXis!P>-VX*OhEzhk zIEAzA>Uj%BAY+(}ioYhIybPLMA{F$*E8i}DQ9SmM66OTGmIO&xrn@>bFywjnWVOzA zqLqSti1sm@^f5ISi9k|?InwB`Q>CTKlnWIvi}q%Q-ud+XomwHAgoh^k)7A&#`GGd) zgKu1Rvb(pU6UpE*(%I6aq#ITXPhsC-*y7AdX{_1z0!}QL9S}?AP}CHJ>I9gp|a+Pgw!Yv&-d@Twv~>)a`9_>>8(f6N^7jj&sRS zB($LN4|LVOXgBnTn;Yu%vf)sLPR=^VqbNMFfx#$HN9H?id84ZH?g6BYZc~b^jfIy& zpQ&VGRyE#74Z(!X*c`RbLr#6QL?}(g`fw|pYJPVtvd^o=NG(ekiEn%`E<1%s{K#9U zj_F-2+ZMYAMbXG7F|RuND+TMqB2@zB^d@EmpD105wDwJ}abA@Ah}@Lk`d4!drAX(7 zcS!o33cBqlk~qc>ZKzY{XwwjmO}(kRMS7#_dx4pZ|T2J+;@FGV{ zD?IoG>K>JNL3R+cfAcFZFFUM@@i?DtKJX>YS7(E}40Xg}6j9X8twF``h;aHsUJ$7B zpO;Wj9;z5h33|UA43%ORRSLz{%`wr2NTur*FvR7t@3gLR`NU{95&-+^t!8Dodx@c* z8LG~e_RO`lwmr`(SG z@b1r$Brk{22Rp`+A*^u(FWZX*7$lSPOIVrGbefc_X$9- zp;sT!^TBlLGm!AGLN1LP%uuY^hz7lU=IM_lq1iK7zqSYG1dw91fJ6w!jPhwF)Ft85)o8e-3=cF&K;n)Bk!Tb z^ntj3#Bls$7@eOt+3Ne;7G+)Y6#fqj&_xVNmhci$9kWXwxouvU?YNZUICru`lxVDfMFi5DeGyo#bT=^|=2L4B<;q5kA!pM-7}(9?XVv$I+{Fyv=v?*- z8G_2Q+*~(5G~u8V(ewxPJ;3;ApW)>0=vkirT*6*=o#9|r0EMY}00`(U|H;&!O0$?!+jNZoGaBPy_#$)D@(4~Z9xhsOKjZulR=E#LkQjdFcYUik|& z`V~(6)P&{wU!u|PiAY@EW?O)M=&w!KukU_?QU9GLEE~Y~0npF49xPz%@nt00t{x6<~f11u=ckJo*at ze-7mUreuJI_Aje~02iJ=B+LQ=v~vNAL}pH4o(hPT!3QnFQIH- zpSo}N-rp%P{!mr?OSUSsMpDlA{4xm{4n=SKp6=2GS9qo(MW%_6k8X*+i zRi@-~&!U{JDUZOzX7wnk15z$0<*9<7bn9ws;!*SF1qrk8i80>Le(8Oop#NYQf zswO?UOAewD%}pg!Gb0nDcueu?waPnA{UN&W`F{6!48D;*H4d9#LpvU=L6LsV^}2U- z(?xO`a?i~7$I?EYx(Xid#wAn_W-1rjLwduB+q&0W9huf}Ut5X^z!65$q%|>$!OOfe zbvQe_Ck|L`;Oex=W#)Pq9pnE`f!lKjwX0J%HGx0`habDQ4*I>c$0QR!@b~Q;GQdg zG^fHwhbArYRQVuuI@#$gz}#aK+AV;2On+azo1dR>TV_KOr9!jZ`MtpD4d!H8PUS-u z*L3Je+GRGc7^ut;?y&s)mUxtbQs*iKrG1#tTT2@Je7MMY2N5CkET3Ib{mR~;M8Ezn z+-2Xh^3)-&wX&UeqaC4@)6Os{W1)HreOp_I&D72i6-RcqMS)wzn7Nh-FvZjHnSJJCgL*x8qofd-pb7=9xbH_;3k3)q zhNad}?v@B`zPIu&m9R{fB6_k>QoJ3xmf5W2e6%gTA(ye2oH{hptDdu)Mi{>P!cCuy zg}s|1p(=tW1E6G?$Z|P0T=dB%E?r5P8d(E~?AG=Gg57=kkY-f*s-voT+JWp*#>Pvh zn$O5?*E>6djcc85L*kNUi~%oqNavNW)Hq_q>oR6e%S?F0%b%IKC~(ve=s(MwKD*XB zk7Y!CelC>b(Xkr; z;4_iR@M@QRa~l)lUSzmGTFPybnFZ-{PbY|w&%-p90>l0fk&dO1p3*MzkCNcdLx*MJ zP5PzsP`=JqwCuPET|`=@)-NG$p=0MyD{LlNzo3#wb39{efD(+=BwwO9m6%>;78dCq z=;ETT8PKLc)swPWh!8^a5(z=a>fJ?CULNUsCA)+q=?@>`duTj^iQs{%B=z#tTB|#L z9Fh5P8YYZBB#%4eY=$EmreqGD>zku-IZrz=J3L*AE%@?W5B~iGt|ta)?ot{2?ICH~ zuL2(L564KzE-cx~XQ~@jD^FuPSE_nS^uFL$pcDbU)qTDf7gWg(ighATax_p8v|7)b z2pScEqtS04SzV_gYGZI#O{Ca+!_Xu8vb+CzlvM9*Wx+()$MGDngS0($!yX0U7+U@} zV@lbH#^e@x>DCfv zDxFhS@q8+mp{{hS0*^}?qCE&tTMl%E(uckDwhNU2RjqDpP4meT*3N-IS z?JFE`f{c|O?u$5M?LAdv+}O^+H>I7HQ?x~I>=a`3&5CY9bMN=YjaQlL%L=L*cJIUr z3M>f`Iy?(iUhB7eCc1F4e_q=iU|yBXcG&qCnO(1OVr@k;hWNDhyy}F6P~V44dKH6Vk0XN#qKN zKB)W?eEBMTd4MuUio|USX7bbX*BFK%G^;C*(WFK2h}wEB)4hpj)ycO$i-tJK%lld3 zsZ{N%NGS1#a+sgCtb1**awjMVkGiy+eW?A}gaX4qiI6}{Jri(u@iF&;3_`^~D%KV!Y0 zSN+o2Wd)@4ev|O`<ckJ}VNEMJ>GOY{~Cknp~gzcSb>(5?8eXz`+e@c>%)!y??voLpq zQLA0`HMO0BpS1j{!MA4ovuu;AeMFo(uT%+r?G z85!`1y4#%3twRRsgqScyWsxV``PsVVQme=I?84`37*wYX*A|{;IM#u~TdLe1HeQ-! zje02aC|AP{9Y|EvZ80e^YL}yaWEcwgCAg0|!o`4@ue^Wm6c=|Q{3^@zo`^|6 z85M&Vcox&4ELgs?S=rOwNV!OTo%;y^k8j7Rlscu$V$RSU+E4^PIX-@!|4g|}tD7qf zSJxNSQA^I@5-`(~-;%MX_x_~8K>td4=lw86fmT100QB)qYI;o+vV_tDEOH1Qrgz@7 zbMVWGsaa87DGN`*t12lbLP!?qir)6&0BU#Mu zhK7#Nzi%*{v-~o)(&ktLkr;(SZ*AU3LiwfG77LpP(e9^FGKsok>CFite=Wq`?1a)Am-WX#hvu|%So0BwUH#((>7gw{c*TsbO zNvj;&BH~ytc{?^iv7HEO6G@UJrePBvZZ=J!pO<50{X#KvY4P||q4ttsd{FHNd)NH1 zMN1Jph;p`_StHQ~*%%#)9gij-#pT6K8h31DA%K%R}`z1X~IxpM1>FY&_>wOqye&I+1$D z$Pyke3_n>7Ml&GFXJ-g5+JG{_1g18YwkyOTA%`*kr2F>OV??b-=2$JG*ggJnH+IlC z6FRHfS}stEp(v!}9tbBvb6g^+k3sLl<17^d63z?Tm$2eiY!ofFjlf;%nTL8 zyrvs;T;xVS2Xxd&B#C^)ZpZcEqGU`h0$Swe7vo1oJ$bi@^^U8KAmEYK8iemaVQ3dK zdzmM30i0WUr9-jSHtURjY<*OmGeIsp5vHw)EyW0SpjtTjd)0wD%wonv(J?9%e8=JR zjeV^FijWLwJ$35w%?9nW`md+5Q=;Ft*19XoKFFKgS01;og25}aJRTaM7iM6yU)VOmr` zlW;o(F6Wj;Sm~RZCkSofFa{Xjw3HH%4Vr-4fFd^}4<*dJS7dVRnT4^s19*^tjQGd% z$JL}nl9d5m>at8Gcg{t9B$|8=#)_^LUE=-hFHa&iXBJwKgo-6K1Jm6X-Fv~*`*R?C z=#|mdExXYIc6a5m)&TgCG4XpI^Bm%xDs+4jFqBZr5S=O=6$=8 z8RKPX1@Na6+Jfj=@BGFZMGf)2W)1H7VCjy=ONn^z3+KiPT*d zx3!e9nt1KzW(1XfhV&a;&HkFuiU2{G`ANqGf#pdD$`)!Rj+wlV>)R3tAQ0tK6w}=d zw)>BPl6k z71OLW-RVAc#2$ihV))PlqsP>3oS$k+YR-wXMhn zYb6zTAbX&NlMwOP$)wvdw`zFFV3v%=UdZ4I0$87vVod*qM(^%$Rxsq)ah0ZE6$znCJsk&RMXk& zLUnc1IzMtFZ}ry&eYMMG4-ztVBJ7;5L$EYxr#PVx`a2P{3?d4k|{Ho!>fFT|vOBJTb&Bl?f5|2qk?umFNhfN9vb{MbPZoWM!>clrIP zYYbxkr5gBpjsH$H07w`A>t^`U%>;cP%FF@?1_6kb9WWMS{vBO|`IqV0AL4--Xm)@( z%>o?YuizZ`zkgU72>mhw%Lyd-o6ujXiSM)i5(>0$IXQmQbOyZ0{>wKWEMI#pMj3jQ<+?^#S^J7yX@T6ucFuAGWo`s{=#?v zo9*8U)h9q{@`YideR(gB&Ko>}L_n+3U_#Pl#nfy(IbkK33zMQmC=!7}e71Br*+7OQHEM$B()kc8LFeryE9Io8mA^ zITqyckVr*1mygop`sd>z-u?m3BQf#4N^IkN#T2x$HhmP5b z%Y7GpOD6NN-)eFA2L`=68pW53p4MA#dQKi3T>>*)dSCOIMkLRK=rnercE(7dhTHpQ zZ08Phrhp`D^E&JH7JNefUL9@ZT5unD+SZvZ1F^1PjP6OrE(P%Fz}A8xd)a4eU14Bm zHF_5C;~H%rpU!roUXv}%=%nB6A`a|KZf+e7z2}7eV2yZO`<{ER8vm}{EYZ?^reNpO z(qx6ZkMgzEvjp!n0s@kE;-t<-DZX(>r z&{?`<(JG%(;%3@tBgu{*@E2CYm6bZ6n4?NJ41SOkd}yLwI;4!{HU*xF8d*ixZ}@bc0b2D?P=r6h4o447vnDK1N?s@~m_cLE$vCg<*8nXdxPB<=88)L~1Yb zc*eDJOVM);aZ1hxO;1^NS}hZ2b-iMV;Myv>ryGC29K`k#k(Ow%kEPjiVHyw<7o<2 z4BxFUMaG>9+bB5Xno$#MkFtMMZxlWXDn`uXBiOZyX7DDGkLuZ;So%btnHVZC&yO!?A1-(k zWLsxQC*lb-MNN0&p;aG4pb32P^js>o%&<#jzly+eA5u9r5awk?VVa3URaD^w#wCv*eD2+i!>Y4k%=^X-I;tL;r0Zdm=WN$;ngv$f%6i?o@*SVhGP zG{QENSSL>xKvlUzlzKWaQ#3jF;KT;A9%F4~q&Wuh&h6Z)TxF(fk_7Xrd1{W2nIqp? zS8K2GxlSgi2hrPZe7;Y0d+nN{ROb~x)v0}Pz=U5}lq*3RDyA?e{A4sxe&SN#eUZ$W&wn@r@yDuU5){n-$r1ZCaH0t4=??(=H zsuCl*4*}|TS(vI#UX6rUTDc;(q8t!%xNg;&0%tqvR*8bXfP7yJdFb2aC;kqJa2baVQvjAFzJQ5Bu#{FQcdMvNOjO1lONP2FgZ58!ydr3UAsCXH>a^zt>JU~+@*(%*< zk8I=eQQvAK3`7}(_)}d6Eezpj^y!mctx%tzu`?Ma^c{2$Zf0sg#>f#EswY=eFB){cv8IEOjw&%eGE`MT0pzkh~@O3gWqXEfnucwra12?%>1G zHh6zh(-w(nCW1HXZBm}K5nCI9TD=D z7I@&gsX4FpKxS|3SzS|LHU&P}ZU8jjAVOmPu=tu6eKOixDus|cSeYf8LyE%?n$-%J;-0`dN%)W%>dGVIQ_e0cKy7ZLW>W<-- zm4hObvIDOqkukL~q(tzg$5xAI+&tg2H}ng(|c#eUc z8Fb3Cm!SvN`(oU5?ycx}quL}sQjsF}G#=a1@XZFqOaHtIJ@|35?m1x#+gzTTkdOGR z>ci0y+B$r~QC&KhR-DcFtjc-QO3SII$ z>0Ek)#xS-4E)@y}1Fe4Xpxk#o48x&Vi4`gJMJw(gq3d&T@n`La^SEvE`D9Ub4QC5n z^oy%$G*3Dw>}=jf8q>}V6(T-)EZbqc#f!*r-&_>*z-WKYJB<;PW?W6ncka6Y)i4f< zDG!Z-J*IOe?+x0*X~wCvKTN7i>desT{!ned!sZ8;+L&jrCy68t=~1iM#NSceg*S7J}!BCn^lB}k1?ot{VT z;At#=-gwbDoHc2mXnS3nSF&Tt0ttYTAdiJjoW=n9%@O)WxyX+sQOL5has1A9=OJCD z8#PI9Ev%w!)>XS-MD_Y`5bWuGYL0GdB=JF}j=OVt*p$&_c<0oh?!Kax!ayjf+qQGy zYqMe9fv49@VuAux`Wh~`*irbk_~W0`4{N?i<0dtru(U6WBDf${oidd{8RVk zd%YnL%ReeLpfCTm?)#}^`}*!T1o?j~**E})XJA7E1klMr0O_0scmKFN5*58(wzz)_QR%K>oWncs9a8|&?n;96K{mlV?-zNF>3IR1HAY}~D zg?<kfL8UpEA)e3`ENtN2q^<1!M`T_^Z%l}n*`TY#;|E~cCz~B43 zQ~!-!^o0`jH_OXDRaJ`_F|;olzRxqsW_SDaHG|o3rpraQ@i%>5VwP9GhC7j!pbNX+ z;cCvLdu_Rm(V- zXD8=~Wb3t!L#N)$PGj^!__>!o0eEafl%aA?+CTqbg^bti^vw`n^{qBV{iCcg=e^k zr(~E~=&dV1^v9be&-(O*EIHK;?XQh^2Rpq!C@0QQCigcRW^+JPkxat2M5GCe2&R}cL@plLCtC2zj3)0`2}6D;M0)sn0J`&}U~ae23Zq?{ zEG7_PSQ_cM28Z)wci-aOwL3rNC*x>XFlu=kb#oPZDPV|WPTO5U9`3VBg)(!m6YK@o z?UaiM(i!3Kuq8arNJ(k1TZ~OUv3n&l+0bm();J8X*BD16`FrsTF`rD?)pX%^mKFq) z(caXndCclpoC%L4lcdJ5Ocydg=!=GyJE8Sp^2c3rQ`zp#Xv(Iapvro=XNm|<@osTA zL4xR{hxbW5&LZT;fC_Wc3RG&`09 z@=5&2O`AIbe=;_-STeybTD+#doJ>x<&JH347-wBz;&YqX_C7PFcwUV9jy8z4cBWt@ zd#?T-EP@b4%|bmIy@>7>uX92yK4e(TB=@bwhq&D;qMa2_QgA(v9UpyXEB~E|RU749 zgid{jy1A|O2Y}heQ)+~|n9*^x6aOQ`YY!4dr!-mg0l+90EhQ$k$FA;(Wp%1+t%wP0 zrZM5zp5C&?E40>>CrckCoyu(wCrSQr#JXTkXz zQ%6xb2?A+ZXs3Z9hggTU)pKBq^y$KIf=kf&SfC}(d#!~}=Ay2$4+k0~g}ss_M_g`t z_i++Q-;F9%?#sb5vrHP}t=zLNb+c}7uB?90pT#9%gc4mUI2jwLG3nV)6p*{TzI6p3 z;s9?HSoxs^quacuw^DMRGg$+2E+ZkPJlS}`IFl(!uGDc7Pe*fR>a^#ju*YR{(Gxj8Q>*^_-Ll@4$=oYCp~8?G8R`D!(ll-{-tU z8sMT^Qi>_EU_cv}Eylv(F$-yEqmp|PCUS9+JcwC~Gf!NE?cU6xhA0RGm+*tplsNJ% zmK%i@j6~CTSsxDu%5o4R@?mE>JgL+yHY!T!Nd2G}mq^xoJ?^?!_W+u1bz5+ue$Xt* zcqa7WAlvK2M;S|c%A#V_w31EA+Z*0V)drAHdHIxi zI4NkzuouzEe(hjA)r$d@sw%rj`w~@N6?FJ{FdI^D?&FhVg-3lltoG3zOR>M2=hyh? zh$K#aL^&)ITT%7F#@jOKC|{1>=VL^yJJvSrsy9@cVJajEHpuagl)qBk!c%1B!Sz-OS1>wz-PY3S`6Q9_0Bkid zlPVQ~UguODA!96-`_anjU8wD7`6oNEYzB_27gU^|;Ja+2N5x=#HZUwVSC~gu^|8Pa zY0j^YDy8LZETWR3q@RMxiCJ>H4YXKk(G}$t)}XvB$`*(gQV$l)wUc!m9*h)B!vsU7 z^-UHe4*SsZu9d}2Th3^xw=EQ#!TRALaXr-~PBxJLRisUzP89?F>D8S`$lbY6mf(wyyt z7xon&oGPa2x!e6}y&k^kPHsw3lN99pq?hK>z)4 zhulhzqMKPt@8M8+!X|vR{n(CzGm@vurb>&c=7vC zKr57i9RPi7!0rH`WcnKn1vpduX=z|w79e*6dkw#$FMz83=SUV{OMw}{KtG4F|Kj)n z`aWl1GlTid?h7Dp^K&FKP=S26=wCs;@A*xCYe(U4@|%9Jfc+no_xII5_r7c*RHJ{{ zM39Nh6T_{)ux2>wSP7k|lWfm_)YtDNEJXfR1d#t6kfGyuuNxu}l~=!fW6ePO3{N(F zXw&@D3S@vw`2F+74_D@Hb|-4kn!U>cF!RnUwCE*F@|rp1S$b=QtOw>t_Oze7RKs76l#l?@ABjUXjKg#;MQ0_o%Mb&}#T_ zFBR(C7w0kO)3S&FO*QqoIU7dEE7bdjbYb<>JxY$;f!eb!{8~3V!KlcC&e~wz_Y$qJ zUhnTbyua@=4Xap|Ml5Njsq%-vWDw^&08>`&I*eJ0yg~Ce0b2 zbOP39A7W{#%;!2jI%bJdvvY9=zf-Ak=Ur?*A$NL>$OodSk9veo3m`zv(6*^5`|-LP z%W(S-nK#`vvjmmuv?|xs#p6$%^opo?Sj(Clx~vv%OLAtD989G;7`W^yNt#?qB0V%b z3wuNKmasFoiL|>%RUctevnj|~oW8=N4HlGeK$3wOaB6Sfu4Y`=Bv$ph1}bzHFL zzEPq*L?{)XZX+%B05V(^nSSEFe85`{r9Jle%D$e?pz2}z%ny#-IHEmc1}z>rCoFxa zUH2`NVP2(#lG?Kp)Zllwy1um7x$_I}kJpQzCMU^f8P~4l(mV?tp=N9@ zXu)0y&majRexRsqCvSkMIe^0`&zjb%S%ZLrI{L0)@R^rpYINSmJF`F;IrvXHi@Mt0 zEju-!X&50R__GbrP+~JOh(P5*ICMEhRl0HED^FMY5i@x{T~h1L$!(|yqY#1o(%qUH zu);$mdNe&NDzU39&T$>(boY--U%Cl6cF*kP+V*4Ot+7&yZd4bohBDrNqB$V6%`zOS#eMWy5fPhngIY@ilIv*52TewXGQp}MIK8YGKO{| zDY3eF%-X{d`-(uphdgjpi7K0CClk5e;rh9}XEGF&Z@^vZ?I4s%KioSgbVT1{SK{r! z>OgrRFqX<;Gc7_1C!hqxI#vL&1$+|3n7 z>}9X(GE%~@ji6^=ktjp%dAKCL5!w0ebqi~ zrCL z@M_G#(!R$zZQH#O_9$P5;CcKg#Q^9^g2nM%Zox(;jxtqX7`%Z(8XP+8dA!XAf$6E- zIc^|Z6WK(p*F}Cb0s|3@G}KIw4k0Hdk8^>k>15_Doh+^n;sZWoV|JRB3yk@(Hns45 z&^01%_Zk^-{s!vki1H)2Y(}Ml1GyVawun+4CV6c4>HM3AAlSMPHT1XslmT+uVtFku z68O!fS5$IcNaE=IyV`W2Qsg+@mBo)KiaZ_-4lwsad4ulDa8uZg4DIIM?;JjgF05D@ z8pTbTAm7p0M0?$lQ^I$0*<=`~R&{gTJO#z-D3bB$t@Jd?MKa1xW7^NC&? z&vyGchZ9u>ja2c1-?KyhA_R6{y7IkzTYKFTH@LlJDx>PC2sOSQP7WO3BAnuC_07QIZ{Tc%g~NtvysY-=?f+ zeDJB8OA+?3a2wAp+6|8&POK)FINe&1b48|dJx-BZCw}%CerdWAF4ofpIm0$rU*YNX zVLxXBxG$PQk~?glqF3|p@Zwj|@o!D2zru@OFy&8pk?l)A6!_bJ(y0cR5&s|;0ZrL2 zzx?1-5BmD{KFmY-z50QR`m~VbzfVO-<0K5RMkj;-YEwl<^p)R{RW=`#H*h`@eiRulb?zC ztG?o|&=#;{`*SE8C&yQ(yWfQV0^)yKmF2h74WM5T{7+%b0JDc3n1T3p#jkhow@dhU zaQKg8p6_Qle?aK}Ye|04?+oez#T@3p+j=d;o06a9K1+JPS!MN1r(Lan&M8*so^=3$ zb(g?|V&-d1eN#~Nv>A^kL)XFp*X#O9Ql`VichQhh{dxL(htNj4|yKs9l5=_TSL1K zlkWmup#{(Ad1q>8_bG+Eb8sIGfr7`^i7@R^ZJzd$_VF<(L#{C4{!0ed#kJbk3(r+K zD#%J(kJlT}(nI^Z4IujMP8&}!m(13=m3@ydU-qd#cwDwg73J*wT+zAsm8^mDtPWWq z!axQed`;wqJFvUKdOp?H ztjyCb0a%r#T$EnuYv=4{$)wFA#9&3f^2+UISbJUgGByQeg~?|7AtX^bLFVOL%@a5H z+GONc1%VD152IG5s4Cux8P5f2;^`l=4D}Glci~xRFO$9a@S1NAtnumUC#i?BkA)`m zA0rn%;YBTPl3c`7&Jm|M%7RM{H9Bp#C+fU9pBgiGNVv0XjePI(XQVyzXfju3l@AB@ z!Q+TNWJ~Ee!!vB*rMuax1;bg91~Z{?vjvcFA_mtRpv+N|Q}I!wkKu+1AlLf|sy2?% zfJmCfiwY$py<849KTQ*EYsSZMcMf}LQ?VCRB==Y_;O#J>#3$qi_oXFsMQr$dJ4%c{ zgf%8XD_y@&-_9RVz*ri1&tMR2-x`3`@F2am@o6J>k?>Lg180CG{CR7T4VYUmd<2|U z(|b5x=>^y0W3U^FVB?j?nl#`K^%o@_JMurh?t_GonG1?<2usz9TF=#&#nN@QhIgav zx%j-%o}FKoUvpj;j@#a}GK)>4Q#`VH&?8?@nRvD|ew#*0MFnPRbKjPvtItlcu*PC; z9PxsaoPN{nfFJ|6Q$vK{-oU{~w#LIWyTAoKC0zaJJse9G7%n+pf{kIhrabWm>ic8q z?DNiPe#<-EgYUIlKc`3Q z9Eg`V=2q$t>(2MkI2N7MdAXad=60JC385C6D1ZVt&pZ2x)l{NS@w1N%HCFFusQQX} za%!G8?Rt3}N80Hil={KmL%d+ac(kg~puLCsWYu!Hwt?3n)dBpiBA*Bflmjz5e^!IO zpzOGf@xlGWm+17``=Kv_RnaE&p0>?iN8H@T&`C_YT^6r9NlZ=-YvsQ7!H>EaeI#+X zTXEc9HIp~m%ZZBO zQHRY>hwFxM9a#{*!g=iPPrdnceXWScWIsOgb@P?n42$*~ztO;7u#>`kQ-Je;!;fTf zJix)is_AMRauZ7?^?8&hKSWOUb0bQsh+b}wfYC(P;gM@HW7eQ@KU>Z{0rO&uwore$ zW&9LVqea-%n&>WH>8E9JII<6IWaQeMWpg}69xaIw?e!TEw>ubzL4XMpVfsIjBkZ}? zCzwQeE=pckVw^peHiPiQK9QrncuKA+2i;Egrt~%1E+IW%EVf_x6elM1Jld;wMY3`J zP{a^)MBYR10lz9THxC*%Y$_&5Sh7TXwQM8RzS?oN1?(~RQGVNV7%;hk=_O<0p7nhb z27=+oXA_v)1FLc%2B~}^94`O58T;AVO)w+&d_MSF3ncUkwg#8yGVl-cGI$z3fNfoU z-bWj|6f`@Yp||JLxJl*@RasGXk7~zsXxlL}QkM^EU4_p7TykP)ZyCVtGR$#_B&$|M4Sg}0Zx$f#n z7#Ni&npUKHxab8oZ4h37LNLYq71l~r*)#`SUUi6N_t!g8wlAcP zEn;Wo?pn%Zn3ftIb)rtRGzDG0V}G^Dp%l4=TJNJIsN}`Y(u0HvgYubUiXcG$&AOGE z*h>>TSvkr+k{*Qeau!G?;(UhK-I86opxV zzfBUQa2C23t%BRGpn!8nT^0i0{hduvVNWT%&Q?F0_&j?{J(*=8vyi0G&v}%1G*;uOGtiZwVYlK9HZS#AXFisP&#JW% zoT9^3TlvCtTbX*MRfIox%vRIy{qr}HireNVgtIq}@d7=SE;bSgY6det_|1ga?R7JG zMs=3Moo^@#(?V#MF_*hr1Z(A4%iQ!m-Q&R@!UPqZIm*>JzT(T{gD~6T90Un-c83jn z#v+h{Ve8V6P_7P3Jq>8QL+;TIDXclKQwXz(z(_7#J4oI9N zl<+3#Dw;H9nkC>VP8N(SI4X3USY0m*RnBdeqav=~-?;al`>|7Fn7pQT7vT-} zP*koe+tJpY!$Jgl^NnE#p@YP^n>Mtr)FhNzOlww8=WV?Ggz7|mS*A;7#37$BPG$)& z>hg5kG1~d;v86dpBTqb%ks%Gj3I&qj%0rU!GGn%xT$9DV&Zzvpt+i*}?fi^SpZ4=J zv{QW4Ogn_xs_wr@8l8$%y8zCNHOdJSfO}lsts)whR5S1VY&2A}=~F;^ z$^@22ah_yCvWDG6MpI0hrLL(XO4i-}4P#3E#1`sfnuC;!TAYT+kx=5Rca^lo^ZN`K zOd;UNZnRj)H<2i{ADydW*EM2T+&!Y*TE__1KR=wo8ua12q;)ycQDYJ^KA#uBA`q7X{UCY^*^59{-OE zDqxoO9|hG{m#Qyg8(*~`zy9*Ium9yQUyC^4mv2_rpx;?tgTDT&AJhL&t1o62W(HQ^ zPyw^zuQdbn7Y#|ku!@a?<%xEWpcG;O za$yIm0XBf(0Rn`VSU7=K(7(-%`PbaO=Lh}Ya{H%e8VfK1^TpQfi)1{&6=Puq22cLF zWc_nR`2DuSeC4eHt zzyuJl*Z|rPJ3vZe{!&o0{fDRTzi6+{1-QHe*#TziUrg1RfxC|rxC@!tfi}QjoxN{Q z1P8;fb58$7U-d5(CqP@4gbTRa0F9|HyI-upXA(0r@cLH|>;EWsF#u2aZywlRY}G+O z7@Ys96Y=XN+Yh0Cp^gOtC{jOlA$|%2tmD5P*RMT+9~>FKwoQHt1%2T?{!Ts@#Qy!J z>u*DuIDoVI>oz3IFT%S&o}n*tzrZ})Z+0Pp57X~STfbYB4Y+h%z@_~4P=Q}~%|(ptqA<9W_|fF#yn zx;hpqR8!fRF;!;)b)6Nvecz}u)!IABZi6^7y!%HNz(^E67^<8#p-T!JC=90d1K(go zS*FFR%~`LS@y=s8Z=5f$yXtzPET{?D zmkKWE(3%GHy)X)1&vnJT@27*lI(QJ!MWa5KFIV?wC*bg*G7k0s@<_L=kpy>l zhd@GbhY*4jB)Ge~ySux)ySr;}3+^7=-R*mmo}TG+(zko&-u3-qv4Dp<^;Er8XYaGm z+0U#N7r+N`7PD=g-qaScBXY3T2Z-$&@rIswH{YGxAyl?<-=PmRV?MyWz$f+9&RnT6JVfZ#c@Gh-Nq07$ng_@mN0+?ye|r z)A6)&+}p$C&aj7hxHiu{rk=X7B}95*ZgrtBrDA7+Qs?|UjIS{Q(W+kA#J-)VV62(- zHJv!1uYq4%2!_KwX@kn-1$I;YVLOU6dq~rbBCxV$L+N^LOE0pFXyGfFi881PI~I1HTTW%U3WZJTUaQh7lPP^p+j<$_Ww9kY$2x}@-EP^sLCm;)mWG9N z6j{P3u@`3&(_DJ328FE*g>>^Z^WHVedXFlsAoIn1f_CisA|LEBp{Y2~fZ}VknMujz z?FkCl-`N+xg!EliT$N>X#6SRhg@49X5DiRbih;P%QJ_Zn|*VTZ%Sb9Bcv z^G(<_h4&D+qr@4Sa2J43%aVVA98wS(*eY5ZB=L#Gw>3-X<2g-$G*3!}L9iakQz1!M z6J<)NsT|0vr$p~dPy!ZBmt58unW`XYEXgU%25WEkjeWmDIdKUB#AOu9Lz5|VEMN-> zY4Ys*gf+3yU|dv}eIhZsbq)ON z^XtQ>^a>%91#SMl0j)xf}0tPcL4SXiBKtDc{@p z4yTIZ9(PMpV07o@0Qg(5Bl7WFL?1&|A_~IJYrG3{;S@*d>d@^3tWh$4NH54nN0$@k zNx{O(A*AG&AanJp@F!!%c@@|_a8AJP6gLi>>mOLAgcBp6=`_~w*5pSal(#+-gQbKk z!&;{H4aKDg^(oST!3Zo~T#cqeDXFuI;;ALo1AXBy@PK^PwE?RFWW|$q*2sEF|9T*Z z3=&h@E#eZ}&fv5A`IUY+&;dk}28U-Axisquihf!w9nY7~eMGrmCf?vag&uZkl|sZy zY(a zA$;sVX=^dDd+QQ{ICNRej+~{UXqP)p_K7@xP_II`sXoFD=vdPBR+a~eV{(<6Y_430 zYvD_7x2Rg|0Bn(<{1>!TAO3RwD4bWKs&@3uQ=WOr-R;?iSTwx2EJBg**E3@yh?ms4 zPHOC?IvYw2`zk{-dao5w_=9#L#=S)$St&}h6kp$jG*QxLzM3)>(6C~tH@j397ZA#> zUYSBU%Vwv%T01P8EE!kX-D?+~u-SOIS4$0bm`c*_7W?oy*^iDk4iPFB4R$_g17jtZ ztM8*V#rvoD;8IvXsoU7k{5M9UoC|Z~!lPSH$HU#h0Fu>0`GU4rZUC$bR zV$;P+?hFC{#lxv~mF(VD#Q#Mkl+))5Q)`Za9bkR05oyrLDP{dx;G7bz=$&_bQW;qV z80@NR@dT!_1-b`Y2IykFxb3Lo{W#Q&=IBX%iyJ%UBPn{9;Q(IJwmvnXh|^v3Suyr% zxX<7yAr8!=vin_=vuCT%^!2>}=quB6aH72ZiauC)`6LE1QopLkamCb0j5w4VWpo(m zV1WVzSMj6G(B?&LzRk_@4_m~qw&*EMh6LaurA+q6l-I?l6noBchL^H|8g3Q$IaAJe zRlh(y9d9bis;4MBx}Y*MAC4K5s<*S{SLC~Mk)Ht(L6x+@fW7he($rY2m! zOfGb-PO7Vg@x~dM>fYPYAgF+?fA@G^B~GSHI~)}jh(u%NhrCL2xMO53PDYW~Zz9?8 zutvAjJPk!StA_-F${@cpDA7ITk`TDx-DKCu`B)Zoo`68coiwF%EPYDVEr~6cllzDb zCf|ZXaKGok21*Z^mQIK0F{>KRxFURmSJl$7(z4SZ;S$kvndNk%A#?pq3=-bj`!(C1 z3I-BC$?dhy%@1qKx7#XzrV{3$x!muFXwXKM>v3rf$S zLrdp@h7X?bkS3*9IvMT+2^(m2TS7WV>@H^ZlB_Wu^BhG(qT<2A-f9)oglGx;LslmG zv)RHTtk4hU5Ux7SgRujvII>^g_gRpath^hr$Xmh8u5#VM+v8j2Ja;+Wn0Rsur~{8s zqB`X?H;waZa%jvxZl$KZR#@d19(um9Z?!hn=l`U;WEv;G{?e)*&Dz3A7;?=+%ZUnk z+>P#-wAi!J1rJ8}&=# z;Dq!n2&h?x;CdXoU?nB(uw%Kk$^QISq-75eS{6KImVb4@odR6rXn<73C7ct*P)0Hr zAK_F<50=D`9V-l;6E{6y`uNps&^2$pNP#wnYmsN3LlYMW>bL-WY;a*cnZ*>g(2!W^ zWpj4_3FGdRWWYP0q8G879nm`ma=cqIfu__6rV}wzrBey3O41gFcNayt)vgWpR<``2 zl}Itg?9N0SYkTiLlh0$HAEaQK z<)FTf!Pc}|MO`=oHww&pyupj{M9mtT+Wl1MxOODaO-CpV3)C+f25&Q-!$xt{r4n~2 zEg@mJw$3cpdfDK}h1RJ3M&N6N)oH$u^jkPoxg^n@0L@_HPu}}(NU2pHUc- zJ$aTEo>8J{v>Mt~#FUf# zco50*90bqL{OtF74K{tKRl>bz}2h3XdKhsSBiQ{i{)AwN#-&m&a#_Hd{`JIXS-T4myntuP|-2*MwCQQZ<%dS#*-!*YF2`>AR(aI70U`6d}v zVO;yB0|FXSZCUx*@^s=7U?7T-{0Y=|TPU*tj_E##nwddR<0;M^2~nWKD`y^DlJBGq zqLk{%_Cw0SlG|r4>yPzFx^bExV4=gv-e1@01b1olJ=$QBO6xaMN%10RbU!>UKK`r`hXqF*6$Tn_mb%xZAtZWgfvbNKZJwq&t zNx>_j|6*s&M3#swIzYXfA;8CL`gKYZGBLLywRR&_l#A_=BsVhY*EwNGGI0_5a_55` z`CK4fcIVm6q$TeY@$F5r_arY}@AlW^j%JxmWb}5^)_8n_F8cxU7}E6jtZ0Yc+Z<80 zaV(!flqrOl3 zSyn-uw@1O#bYyk3~xZ{Nq`tui^YpbvfwxR8YGjT8ZwCVA1 z91*(0y$k+W@5taY@`&R~U~pml&h^RSc9+tbVa?*z;}p3$a(2j5vKAn@3@SN=upbkpkadl(wFe@haJrJa!F0hpWJn`Kw4e(=)ow)Hl7z~pl zEbx3n|J#(*P3e*G-G;na9syXbikos9a6oQ@JfBmC^OKvJ zdoj;CS+xVjG-HkV4-FjBBs460hOxzjVM+ zIg4C6{6XqV{y@48q^pm+1aZ4}7;q=Lo7vgf^m!j{-QH@V=HQ8U)O3W~d+F2!cDiJ= z>GHf19Q+GwdJZOW;ChALISp_iuy^F~fRRF5FY@hd&RtSP6l-}@Oe%X&CvvYbu(xkR zj;fQ6h`bTP*>2KvVxMPX@AeqaLY)o}TE)M>@~$%_#aZFiKGk;eyGT(hRG%c{*{yoo z@(si_cqaKT2gwa9%Yu>EQJNxvK!Lo{TUWmRqT1U!V;%)j?@Pu~#fSa{HV`R;v4`_* zs=rV$^vUy0v3A9jZ`MvSkXU6XaPg}#=_b0~@SAWrX-=g}_69Q~4b+lowu~~nR86VF z>sc!hMAvqn^(z0F7Gj7NL`qK0-x+}%IP`` ztrjufFW?0+*N;ZPgABU2vT4^A(px=qGQAB&sxvgx$X|M(60*=xog6CRJTNX|=D>Y; zt`#$WtL?0AZ-N~VnQJy{^v2f#lr5G@r1|rb2%R;xiNSRBO|Je^a_hqJWH@fUs!gIt zZh!!xTkE>XHXWsei^W&mkqaj0=9_edm@71=dxQhLkf(-dar5dXE51;no9#lKpgX8aFuXhk)t zUU1p4W0+fQRyK$M_lCwgSx=7~#8)7kjL23Z3}e>fcOMY8tC&H%;9ZdwmXsi-_X`t1 z(;zaW;nN0d>}p!fM1Xn8mYbyJ8-^$#P|r36qUSnij^Z<}gI7y{%|+l;pV<7I8kNuz zxkjEW1Ip`r^=Y&S_%iV%N0<>TmvHtSK!q};IYw-79Qc(_kKVwnmiy$}pAkKGRiz2B z8z$QFgNKZZp>J&~f(RXAH^LKmFD?czy4*>b>*F1!J_?^4l+8pU_c-tOXO}!AC^s*V zf**Z9JF?_wD`}*J+s75@^@K-DVAe;H0g5GamBn{Cyf1pYrbhW>lt z>$h_Hx0)`%@Q8pGAnITN6#JRJi8<&Q{|-|Bx@P_TY<|z^|GnsF831K|0I*;J7+|pg zunsMtfXo1J9{|ApZ=#d`TYUdPzb-mDKy4o&LjcsA0YhW}HGhCWhYmnZFfxC0Z2b!n z%#RrCXOYeixaQy6KRP;q76HIW0Gt=7XaWD1j_G?ZFJNLR!1C$;czJ)Ybo%$g`!Agi zEr2(n1@wf_0&4uMfN3}1q%o|2%jf+1=KIML?3*U(+lTA#0qjq{U_UPXD**eG9oV0j z0l+I2piBE_PzM0D|MSfG4q$(X6(C&zunpfNBtI=>`pFIK&j$rGKztL#{A%e>(uF@C z6+k2~0mdQ!;;27$sQhW^ckba=ZRP+=w7)r5dK!R{20+{Pi=+PW(fq4zq5~*A=zi6u z!t{gb*Dsd>9xM#M5{G;n&-Je_4lRHcr2{;Rei86b5}H44(>ISfz+kGMRx*BnoBaOh z{QnH|nSO8``5oqeV>kXG%wJLzwpwI?1Hk-?3KhmJ|7>yzt3j<-G5tfFy3Khco04_f zN;)-@#0Bd%Q%^T9A;imK*==7J44Ynh5J5x|oJ726hm&P4Qor0f*xZ~8d%v$A<4+3lY?3@Rm4(FByzDwr_`d>#vZ4e!kpC1D%a6yIzlaNJVRZnB7tf$lMQf6<8`tk zuY7pm2HVH?KXFpsGDwo*gEH`Dd$zwFoKvG3dE$s7;4P0VlJ9WN@b|K>SxRYn#weys zf3Ae`7CYEmwm6j4(9WQgb4z|)r^KKpfDwRhuh1p{!Hqg7gKug@c@BfnDnDZmy*lh{h$lWMCJD;+Dp0{vWY`^m8bbHJji`%8D22dm~t_1{`Ua zX>3`@jvcC?SMNo}1515QManJmaxNC@{R^`ABy{_8|eTU=9utRVkhAAb+e*abOuK-F5T=cd5Rnf%Y6Oj=t$RxQbd*0>$+=ko9& zq3^C;yq3pN^!X~oAepAub2*zw9Jb{P>Zlhm)W*AOHk9u_L#wBwbiTO@JgFQ3no&o)SBdX-Wvt>|Nm5X6 z-(J{69)Kz=TnpsTNTWeu3KlzZZXFQcGJ1V(?X)ncWD?|}C>i4nls%(U!Pm`6nT9!A zc3vpx(Bp|JQ{5R6rI$DJ_7?1|^T9qw!;Ze#}Ulg1ldZ%kj|6)kT}F6!$t*m|4WC`kof_UAYO!yVxqXx|vqVAzzdhY1PsN%A8^^}DxeR_Ddz;CJ zbls;uoL`UzZZnTF;PC?Lq<(&ZHg7`h;4%+vJ*nZ;gUhbab55V0GFV_mH6s`)3z$^h zWnK{mg&s5zoB7rHg8VFb0+t(@=qfFJ<9?cZm|h4S%lQfv$#6q8$rqtdf zrOFw(Dn=n}*IF;%UT%){#f+`hWB-ZC%<_m$AKh@F(E#oqTF-UymVVtz8mh7Na@(@S zhHx^@2)8k<)yJBMh&arYPzRIf_0_(Bq$uf9&n9jSeHLyRT3<*~GlsD&CjvGbcv5M9 zgPckXyz}-xmjfs_C?*1DC@e(hCzzcs8!%o6g^zRu1Di|U(2yV4Dcv%!8YE&!vIfeT z3vq&9zv7Qs&NpVyk2+k{D#zs|w|%^_7qK(_Fo(C8!-*M8x+VpYAYgUE6a%sD7-htaF8{XOY4$41Hr~h`*Kk5&3yyH-9+qU} zczC2BmYoF7$b?wg*lG?Z-M>AktE;jd+^53uzrTXSA`SLO%Qq2L;|0e+`A zenR{>G#aBuwi``UrlKdvy8iLOKK>Za*~41v?E#1b0U~dP;sR!eKx);16W^v}QlNGo z=H_&XLUSIbzMeryL`3FWjU<{3=4>$wUWqpA;S^4Gg@PF)80futTPe%Pcu(99+x2-V znCU&U%~0y*>don0mNcWuTBK9K}er!%>-{BLY6At>ZQO*q{7{9(A(WXtV`Qiy4 zIZ)vWo75K(r3)5lwkc^^I#_VB#6;ph5R~GFv9>g0<#2U6MP5IaVN1{C(PM zN4VK(JLi5r4FvX~-W7(04ZUJ?EYyA?Qc+&g`pi)*;(Q$lPQ)hOH2Eg`g~CAtOE~fZ zcHymkkrD7};Tz+UF36#L{n_LglzArAcuhgqqGMw_5;WFb2IqxZw1|jei-B2W8%tL0 z5|e(l-YO^U_kC||BaJeRjmE|~*2@EVs@kSimf00>`%%tMXol_Qpoo%)n2aS*#gw|I1SIQk_LHMz{HgWt}{(vAF0CV}%2 z7^cHj*q($EO(x8?#jO>dRFAzJUb~^EUAMhl@V74lG;uGix~VA?Lsm;-*Gh6vWUcIr zc7>r96Y!P|VU8KSt<->uS; zrb7>!I_eX#o9gREYaiLuNiM1=-_+{ByIwf<8)v2rXq=A&ehLG5hqeweV=Dwm!m0(h z%JijIx5zuvC;D~KFyJ5IVbgP|3SQvbt#)S>$sxkOizDHz;NyKph%66-!6yYbvXXP@ zlW+m{eENj{b<2&9E<=1Q>N&vr0sS=wk#xDhoL^MLsC%AZ!KL|8x&gP>n!vH}M}sZR zNAPo&?EYU6ElfYy;{666|4g*}mWlpIw0!GA|3`8Qrr&%qp#Csk>zm~K$6WrmDE9vRb2NqyAsuDfO@~=?MH9^;nz~#bn?Ub^#No;oDlx3`+d+e<}hrx^R**tc)JxB{GOy>9ojHv_+HV^%tFzX zUePJa~?*B}N;u(8t{>nb$j~vq>uL3P_eWV3f$7p$f-*?Jlw?%=S`=UODRbqPL|ZEzfL-96M=?8KI7G~K+6p!JZU9ykW=#G z(lt@il6^F72eH+9cWb|q(1dcgKUY|N!t~dd@1lgP(~lm%I*-`HJ1`DFqYYJ{L$C7I zpi0SL6{I)TgTx9%OK{4962H?0rrDv#^V5H0QNGJnLCxm&P|k3of<;I8b(ji9z7Uq= zI2C7I-WB~yCmU{s1`RI2=VDbga}??}DwQ@5wUS0~*gHkJfxKKB4@@`E7|!V4n{qRD zC`~rs{qB`+^GK0K2n5b6WZm(1S_kJ??6f%ZMBNQ zvW=Hgvxpe`}2^IXzgxM(vnL zL_m8HNh6>Q6QQ|FE64jPW^ApGw5i!Mr3sSCdpm_n$#vZosbUj%U&9z~dBf@*LgRL- z5%J1gVTmY(NTrW0?HiZ)fac^@-(4C*)*N~CEUOQmf-sQ1L@t$VLFM)oFDKZf@g}v8?&pN^ zU|vgA(@1NARp4T-R7zo{?e`I}m}p-fJVM1imIyM7DX`s^RXSiZ6U?*^To$m>mJ+M=Ih^yR-l4FhA2(zbLBx zda-8v!2)`Qf7^q~M~S6n{1p5%ge@dZg2`&eNa*POMD;eEoxKl%y;)(T{#2l<<#FlPbC`A$awyl|Y@V7Y)UwZvU`pYN4VIYp`Ss!;!8$!6bS%MG6ZD`yaEq8h zuM)878ElYwboF9;F0rvyYsiq@`LQ|ui+0HRI75msMm0@D3j zSWi$NeCCFl=rW5{qwo>RJJW5&4PjkmsJLwsFfg_=jABs| zbIHmx{iWD3WsE#4`g=RVC~{<^mSA+zPs0u0(Nrl6hfR2&_GhR`KqFL)l(=l-HjegI zg(MF~ zM2KXOUNG+{zJ%aX(|JJMfG4=SEXnR0ag{K9(up-KhJcrpp-r(X#QN;(*G$-Rod_z0 z)F=3|+;4BCkh<(Oah^AyFm_5(a=qY$>_e9Bf^W{S8DwP4d`o}UZRnd$j?Z_MPbD!B zq9M(5ip%ASzE7_<=_16D{P;O=@!7T`Tk95G@X?nl$_Od@wV!Us?LRH8OPl&w~V z&rWA42m~x#yd?$4Wy9c;QeQ5v_A$f+TjidNmNzxV240YoiUrX#^&n>$E|RPCaqyX4 zxdm<3e&@?&2I~mglQp$BY+`)A>rf%_-5EDiQ(d|$FL}>GqI0>g&R>&q`h?U{CD0;L z6Ro!i4HfN-jVU|qOgA`Uwb(O?>OxDR$CYbs+3O?r;M9L?E6kPlmNv_O_b#36&IT3T z>oxubjeZLcT67wDQ95l1(Ahxhw9@-PsTln39@SEfIRIv(Dv!E6cxQgv?$Ax(D3x3= zO@ zXF)wZ=tGV}Z%fax*zxMw&4r{0{#%{+VNYqqzIrpDGj?e?tqH!k;AVD|)1 zo?4CWbZ$CW6d~#P_~6DWE>!qHsCkTD#UwHdQg`4P>jzk36HaF zi*D6=w;fIY=(1TcxbNBzsND_xrqQe z$(b1cx^DL0b;s9$Ld&1U#=o7%emWhD!+BaL1Z~pQOfVv|y(_fTD|3?hX^z+{R2SvRAZ95I1Hbe&~5wQT8 z)9C>hmmV+~jt-zIWnuo?*nSd`11jf#Mxoz7F8>7kez(E-eapX9&zOE#`b{PP@J{)a z4L#Ej&K$p5`mGh56`(ZusRqXM-R|UH9hCuaxoCdjU&8c*$K$UKN)PDgrU8tt{>4H6 zT(bM~sRC^50sY*+DvEx8iu@k$KdIRP0s!=+e}8;X^Z(e-O#`?Wf9v-6hgkgwkDA}H zIwOE9`KMSNtKV|5=kiNgyppd>BGYI{Ph?V6Uxk&q=2(Gr|7#ie(T#L(V19Yt)8lj1 zHoq7Qf669H%=EgtvXE0-cy_bv&SAA9(^jXV&niTb;=WBy_bF#uh~0+hFDoFBYMKUZ zkFTGbFE5v;1(a4knyE3?fn#>xA6Hp@ljbHdm3>US&lse4ayn^w#7?~FMw@1c1#3O2 z39rLHa&5f5UmD)V1{CpZpQs|;sSzU35691k@8OrJyl&HMQ^kdvovfR_G!X=^DI6>> zJ>2(bfpM&XE~SQNd|t|EE7Dk-+n_coCX!u2P7U-QJc>-1c5R+?NN}yzQDo;#r3z)w zcHnBXcfDpBMXskqfHb#s&x5)|oh6oM!4(m^=aM7<1v-Fh-F_?e;-h=)9jxCyDnSNB z%#ocl(3+7Msw8)$rl8SA7t!=u5uuBM4@s0ZZlqZ02TKrkWs!w>#}JMZ?=t@Ma^OuW zJ|uUL2SJiR(Hprup!UR_778e5NC-z)+LyyKOeK58869S+SA~gJfR1@y9+)V- ziQK$q=NaqOFv`^Nmih-oqdpO6=XA;M^W>M|ti+T>v1GZ$><#(mW{IDw_m?s04nDr2A^J3}NAJm|C|`TAT%Btw z1a3a0fH{;3`zB63S>#q7d+XFRhWX_Ok)D2C4)?bi=+yC6x|r^uMi5i<5qY^rl$Ir= ziJ0=+0bo+EY&&1qh=Q^w%X9>5@epU-TwK50piFAX=w{QX z0V84G?pSH4kNMPJmV+i?k02@o39Tji=z5FU)m+UYQ{5E=-<|ltT+~@wGUy-S?*1!#yN7}tF9rqLL+_CtLLj8JFMNH;7vx#~WT6#}38Z-G4mxlr})gii$8r+-BI%y-l?c zpj2CJ#z=Yf7Bv6LxPYqL*|x&qXk&`<409l)YUQ0C3)*lxZCqtC{nt11LRx;=vf`P% zRT|6IL?qD+^vkZcL(FceqIPvf&DBNU_Qpr&a6oeZ%*x@H2!Oxi~km5%~K|o@!`62;5i2N!CG7ww; zx?=AUBKK76>%nJu7*0D>C~szunVNQzx2!3hQC)z__9{0Dr56J7SPTRzwBRJ`$!4$P zk)et~(xkHSG`Lt9yrmM+;hV?=(%HB{l$a5$x}Dc8vMNL1Q@NCA7Xh_+L)t?+U(gcu z5Vo-SF~uHz(cPjXah-2qyJ{~H)~sX)MP+0BWjL?4h%QzFF>p+vCGg?{jD#Ctdbf zTi5<@eqy6XVC zM5Q7^<9Yr*`b!(Qu*n;ahDJSM5?bxvTOWy)1;_jT?hNb^GY6a^6#X01uHkIHIM`*l zcgiz7PPUC@{p1s(Y|X9G`t!~4QR9QHBcxuozC{_VMCgdjJYGlxB}rW$b3Cz*tlYqsbn=()Cgn{}CGKC@t7pRJ*R_vUGvJ7zZm zb`#Gpa*CO9AShgh$VSY?N|)rzI}c}V#*q3F@XeDKFFXXjEyMT5cV@&!%Fj+2eN1!X zdAqd2n$~b~6(&Vz=nrypkXtbmLMZ0VKECn|)XKL#?GoPP22Ue=@D-1gASbSTuZ;Bp z2vW7wR|LW^zKAJA&Zk}J1l)U=_9>x4MAg8PXve%Kj3#Kcl{*>FpS~ALBI-S?2_^Ey zWz3i(yOq)Pscx?M9SEO{P!*}fTc12xQmp%XEg95l8(|unxA}3V42p6qFI3Cjl+>rZ z23>lA%OG+#c}zc+&O+l^Wca{0e1bSJE?Z={pBT}ZITGQ)ec!|%cH0V^8m0L85-Q-$ zsxoGJHMrXzRto@@H9e*{P)F8p0iqQ`j!$zB@`^sOWVg1q1#>Ub=mI!D# zzb+uA(yPp%7KL1eLW`S-QjKmEPe+e$-N6tEee`;3?4b4z!IJbU7%P#v?K)^ENtTge zJg#skw`9!Rn%qNtn%Zph`8j8h{IZDU9b#AKEAJfVTEy`&%+J)NM!x)-$a*B!3?wDA z&LY?mv=@%hS%MmNF4&`KP~!I-$JAFImZ_-mgYU6+xcW}IpXucvXSjggwT-Y2!24Lf zO<8ms2))w+C#|HvajV*01K z`yVmKf93A9i~w}-4|Df!`6aUjCIq)@wG2PF3co-?ihyV)b$Pk$mvj4ePS~uqh7pw_V{h=%eVn4M&Rt!0&U76U)1b}0>rz>txD10 z^5Cv{HUv_w80|QN)jkQ*plymoBM0{KFW}Z=%IT%?Rcb<@};|r)c!&G zlX9R)SIj7=r=a`J#>7<7SohSWAV`R$s`yzs4!2{1ImjIfz>8pU!IB8sDF`QBnP&R>?#t|$#TdwW4VF$llG z6xR9R-n;845$#|^BQhBizfXOW@g68#JEpYkG9LvSco24sthDg(#VW;sZ30%efoxpn zUSYLa*gl^-o{jQni4BR8Ikqp|;kXRE(RU@durGGWzEp3tcE|EoDGD=Wgm=dz%i2Wx z7h*-?yy!a@dZUor0E|#R#C%sJzhkE=UD^E_(dgVno6<1LM0t?(K?E80DSVm#Dq|VC z9g~ALor(8d?}1wWQe&0P4e=yX<=dK=o{8-I8LzcHtF99`V^Pyx$Ml$JqLsci_jQz) zEY+Z5$C=7~_M^9WnjFpq2a{hNocq$T9h2>pZ=S)OREPBJc!=KNJ6MA|6L)@A;Y*pj zsb#Cw_tH(`qRBK%W|M>If0V^8lKXY2TVeI|4J#tfowLVQ3=o?B`Sg;h|)d=h)wapm}%a1N*L46nD3fn+T4Xxao_(itI`7KjnmviK@H7+;S#5jnlb4Ps6hI8N#!scUgNoE;t--H^Yi9a}GyfDwo+ zk8LNDRwWHp7RLR2Cp1CGQsb|ZE#132;Vcz>cB-LmQNWuk_9Bq7%b)MHUzR)O_;C_` zIR=}1%Pyb7Ms2)qxk});yt`T1YFObQihQvWO5^VGhEzN;|ye%`h{gyJ65h=;%T~nhKzc-#eh(Ry{Br@ zG&8aaIw02Sa@0b5O+nOkA>i#jz!Y|~zCCE4^=WwzB$?1(^`q1A7v?+L$Hri*ruSev z&%oFZ%PhZo@Bd(_`&aM%?>y5tpARcD8%r%6K!Xz#{dZFPpTGD2NQl$_)@Jd;a1y5P zKm45=`}bJy|LPS1G}f>Hn(Jw407EDNd>>#aDKqU~P~QK;*#69l{$L~bohtmkXa6Wm z`D0S`^HMs%z)wKa4dc(YcmK7&zi-F?I^FogfX5$r!+)4={9yF=J5@*zXsY^$>BjeI zkNijgi{f@-dDP%-uvM2cMKM`cl5WY`*PHe71dxI99zdY((}e)HasXNc)Tmu`kU>??xf>{3r!T^*Dd!oy@KAK{T&Fy5W*7d+Riv{-w*qrOc+MU z(g!|ProLndey}Stk=3@5A{CWI(>?NYsr{%2-0@_m`&BD3Pbei3_yaEi+r9Jidbi(w z(0ghK2#Cgh*|$vpd~?Sqr|C>hJ!5 zA<;icCDaVXi6i2A5GKN+sVr%u+l}Yve?E#6C)iaJt~Szrj{*_=*gM5NbS_hwbeu%_ z%%8|_?5RmuJv$4H5uB;2&#NkM(6mx!W_nzD#6P+0Jks4R;m-aN^`pToek#iJd50q= z5teVcDD|_p91I0rmtY-1J;NJb4*3rlpW|zVuWS^D<$S!**CDP_hWB;kI%C0gs zDDdcX>yI@MaMGdB8SKT(UaY2FS4q$tq%0YGg9*gWFrq4Oer)D?ySa3!b8yzwb7ok^$fL>~uUvWJ$q3L>KZ{I*G@ap=iCJ1d5&V8uAPfaILIBT?bBd}L3w zkxpu+pNX;PsU1X3wNp*AHG03_l+-`LaXwntFiIZn(zS%LtlkqfsK>dq(ob{(N~7*z z+)zbUiN3tLK<%@&QY5OGi?VnOF9VsXI*d`M-j(~{gEQ;;tef4!eFDWTJ)yI8Aq+Wm zmv|j0Qf7RG1^+vZ0M0Bt#uwl~Uu(V2Ze=Y+1s&WJ=FEX~*e&1al5gon!v&fzR`Ai2 zSIoApXvdcHyKJ?jycx(1QH>#*(2OY++Yjaq-%Xgp#Fg_d__Bz)<~^Qy;y=w&p$IDc ze04f7q(8Dz!l|LT3Q3db$lY$fqsFNFNw)y*i%CGt7HIw)9u)jw90V{p9DGcR%XyCm zG%%}|wGGVK7U5gZh~Uj|Sr@nx*>)WTl-

}ikBnw~_TjkEj8LZi*{?M=jSvsIo7 z4X%%rHgLB!fQg}z)BPC>l*H^fs`IA$m8+$7NzRl$`hED=7bIU5D=;LO9a2O8G(hLhx01Fs_#iZIF}D9%;57`gkPy!MIcknWAToWy!E} zx!%D9jAHJN2qD{7U>27sZ9YZJnEJ{bZ%ThY_=f}EhOt35#u3eg#wdLlu#hm4O$JxRgL$bz$yDhO4Bc(p4yS#icBErcp>1{jY}FSn8!@%Q=Ip9<$XKT zt=akP#@syWDljzQhQ+>rZ=3+?EI0ES?eoa}jCSuptsq`>V zFwRvyicc>an@d9!h-A`kX4e>_2wm$wE84f*z|Usy+uA`g&=vSx2I-wE$2tVH%Oq`r z_(;y>Sw+^B;`n?mS4zLDMh9}j$?&f%*aY`+(6(xSWpTV*m`EM-9{%+$ZB`HlR1C-X zW%avMcRUH?aVsOM3@+HTkcxBj!@e&k8t_~#iR1LLqZ$YbN<}3)DtZXdx|irvv1GTc zF=Pb?becV28BW0YYW$j-*F=XV)3EMz;S3OLa=PVm_>+x1Q@4U`0G>FmWXo7|X-7|+ zGouv9AM~-^FebAQ_>5IoaLTMQwXZL-I0P*>tD8ecou=mw9#`#N#n0D4jzZ*J8q=I5 zeFk%NZKmGNUcN3_q3AGZ4Y@Rm*uh2gW`kn?BcEX^*a(jRHbnnJQB6Y4!;QQM+{Fz4 zdqZ;Tp!{5$Fypv4j2s7VP-hJJ@5>y86rl(RZ-9|2x9K=h-&5sc{y)~v0;;OC>*I7t zcXxwycY`$2-AE`YDcvCr(j^_zAt8+*(kJ(=Z~DxC@|~F7%y8k2bfbVU76kLBv`EEuiHhUE%XP7){6Ik zYGsR}Tx<2yozG+COFL?2a;zQRHJ+PB&A;vmR2?CIoud}w&H4h(Cz-P}WA~)Xy4Hx_ z!~;Ux==DZ=0r;G#@T$hSt*8_iXFLC3(aa zrxvS*K8cNEh0$~~e!7$Lm>}(XFAHJO9(S<>sqkww(wPs3#vIR(paC`_n9HirtNb^i zUpnn|IV@!8DxM#@6iSmq9f(ttqZtg(eQ0sGT!&xT>(N0hsO?TQZd#Vto3#W*atPGS zM>#Qd*DZXuEmuFdcimp<3t?(Dp<17Y+|qJCrwC%>8KcAi$v^Cr3 zrg<9oMvtuXFh@||^lU}F;AA2VBim)Rj#g6X71!G6P%8fLEsTUylKi4iS3Xwfeg3r$ zNoIfg{Dv9>fe@;ZuD??aaMu@J(WifKzv$2pg~HeevHQw>H6f3VF!!xoZu_C zBrkpe#D>n%^B8&%w*4KxFZBYp+h0g>%$fPmdRB$rx~)?oMzd`Y^Gbo%18MrijmlgOVJn)ZT;Q@Ypy#l%fAb zZT^c4{d>apCuQzCDEj}P%>6M#{|#FG^C$t1?|=CtCH?O*^dHUoEZ@4zfv)Hu&H60B z%sD2mzev*m*Oc<`0DKNW4*QcP_|&(bAbpEe5jq} z)jeMPobr1aZBi(Nt(pb02pu7~TZlW4o<-J*nb*hfN4?T@SZ9*3@qzMNZ~${m5= z^Q7zmWs8i?#8<@80BJI>Jj4G|m(I$k+z**LD)X|o5u$%Ip`!Ji5(UW{ z+lc&yVJZ9or5vtgTu>wmy3$CyZ)VjVh5-e!tdE(ElV#d%1hZ<*97s`>k^UFRC@-t% znVO}UK8D`U@=o41X?roVX@j-7+v_v5;4*ze2x6YZrd4uXu-UN0YZYSa7&DNPVzY<~82eXSj=9IirSv z+wh^9w<*iA(eN~zR5%@g3S3&6ZrwFb;fwc8I~xg%HLR@)zy)$vIo%U;QcHNh*nD54@T% zeM&x4JsOWfoy9dG&j2y#=R)rHh}^y0wN!k6is=KlEbrK4h*M{`ikNYy23$m{uoM&Z zyyXJ-RTYv{MejJ8Ul_y{(vwOw;*OWowtA>gFWN=pcMDb!+ujFdy__eE2p$q*Y6Zn7 zZ1eG>mO#No{77OI#OwFm$R8F*FZ-+OCq?-99b|Rdy3|g-2zI@`Xd&!Rn)X;P$uEdM zhm6WLpklcu?=qarLD>iy@oA?{+cn+JZ|*(4^w89;U+}EV7Els&z0rt#t)+UPDy|sK z{v_8en_oJLn0XV?kH2f6eX-sfuPS)^wx}@9)9)4chpf`cwE>@|%RT7#+EYhc$N5$2 z3d6k_37fm8oX@G1oo`tScTy^)_h?S+&sOm=3T?s&eBOPi611tJlsVpASd`miwr%P8 zOb$!PadNYF%9~Mskau`jJgdE!^4Pgjk2|ih=&@55o(mSXv+a}C-W=;Va0?vq`S9qK zoC={Nw3lkTpNphw9q*o9o>ZB_O_F|*n_s`+opDlW;<~j9Jv0)! zsA))xyQ|kK2qLvNiFbl9?qjeyuty=X!}aYz3(Hb)If9Om6mp4J6TOlD>Wu>00uzBb zi_9`*~-NSLAQsV%BxsZS-A^uAtyhcvq18i3K4Te;#? zBF-kP0Y4qK#Sgo4rXr_Uxp=6^o#2^lcrclMcxW#TN<*Ym8vA;yS1N-MUqz%jL{?2i zCEq`%zcZhWoEcs4G`;#02|d~yU&&#yTm#3f>i$`W@%C;Dat+e9Wed_KUVc)^PjUl= z8|r7B1d82VC|hMr%yAz<4A_81SiSaaq6r&H{4J>wp~8w0_5GA{$+XPmg%7))ZQfy% zl#wMF_{F1#1wy>1XrA2g-24gY8HXO76{vNLNjIo(o_3SU!V|KxhB343uwpjt%)gaF z`QWEFJWY@Fw83e!N~){PXhkrq)+2a;ofI8?s29J+7-^5*hS6Jgm8S5|?@j8B)zQJB!HyG6iAJ(rvg($Ca#A%WkZrQxMzSMs<2?1c;_Qwh>j+D$atmwMwoc3$2P8TF8iB zUHN%GF=9bMezVuA;>m=b?iC=57Hffk*nfEX=3rcB%EQbU`Vf)FkU-Ahj?d{pVUSFF zt7E>OQrl*C4D*%=C)qcUon3I3%Bf(Q7%t0L%PCvvMen1N0s^esWoe>JsP!N(g?;3k zHk2AZr?FYhQAz5seUfdg=`PuWT70KK#5EgAD+1e8s=OTwj^(ZAUS}-}`ld*`WtEHz z`V>bCZ`){_-TmHpSe1JM|B3jiLX%zGzk{NKC4(S2aA_2Wd1A1-!KMK{36J*<@hHKf zT#2@|taS~Eij7C%KMyhq}3@R#w|jXn2xHUp6{lLgMlsZ5XUONuhzBFs5{fn(}P z^!%dy=}VFkTs(@ad`*P2g+2W*niqm{R^1CEFt)YF^BE+vT0}u%C60>zMz>qwWbWrH zlv7Ei4VS1QzQGi^u|!XIcg-->Rh7n!jqbs1)QlG%sxBVDy#3N+`#lf&Q+4qh1@Hf- z{{w>eZ-)5qQ0YG*$pKsXAF}HIuFPNoOuT@p85sY?0AQX0V>Dnc2ma(>2QW`8f59jF zcSiv~L9qXkrLh1@0esv4yEGO6P6puJ9-dbAZ9h-=J&1rrAHy)E)|D{^l5eaNg2SSgZ#_0Y^L&aDiX1 z`V(>S?1uNs9|L@&4Ye7P!>$7i;-h= z6aQX%R1A8jp|Unx_PSh7Ra&-3mw1*u?&#paZdV8uOm{|3xwy+QBI9IvWdk1??<*9? z0B(M^#0EhXJXSqsP1ta!L8owS2Yd=|aAP0#W!L1o`0GSDl!cHwaXVINEh|gj{!&4> zb>WyUJzO!s@lgx!K5U6L%cq7Wit>mNWt+%1IK+JCdQ&u8(DG)I*Z_hf*id<>J38FT znD4p!Z3F_*x*#?-^CYuc(pcYOJow;HorSyQVitHR7Jifl1XH>=pFmSZYrhzjT3PSX7;^dJ=B*G<@95H8L@M6b`-HYf(YqQ0uCfmnj9$Co}ImMz}AyE87%&h;1)NOinrlY`SleERkjvfNgp|9FrGuD6*C z(ZK>UlUkBt$Qm!bkL9&(r-cNLN`L{5XoM6fUF>ZUMQ9?tFh&pLbSy4>d0J9^r!zGo zWvRHmDj%EDJ91*5TGXhganU;D*36AbX$!h(abSffB_m;c!F^8#3=GH;w(KWk?$(310MSezFmhrabri5u__pUM(j}&6~M$z^RZ}_LNBEXrUr_&lAhIr&;)6+4cURW|}CHL9#Z_ zUrJYe=KNS$oKh(j&9xBaVXZV}|Kj}c*@~VL^L>`MBOWS6z-F-_Tj7&yz3n;S9iK6I zR!t^4yxXvO?-U3-YEH&21nf8qoKJpz#xtMVZz!6Ch2<)^hgw_mITuq!QVO(7OlaE= zi9U`GnxmiBfI_=LtJ+qAH+mYCEq?f*zA5ZnTqnd(zuD9emnqG!J59Cis#3eTsUhc9 z5w9&doo0gbn$vN+*$^#%Cm>!>>-FlB$%`kF9LWm4E>QNX;ZOm}D!|!~U20J2W?LCf z1aeWw*vx%a^37>>#Y+(i2&!}af}Sw6&N}&GiTn&YALJg@#2~GNRY^NQb*Z_KG3S>rkI(Rtpo< zX>A=g7-IL7+EEk^zb%S())<}fZ2Zh)=tA+l!2L~Y*pRX^zs4tJvXwV!_%!T22|cXX zVFAhE`*#>CDorr!TDh-sMKUMNRky}Q+ckHha5%n>_YF+4m&ka8Dz_WkQVH_Kgq+>oAQ&CR-brpyA>gc&ryrKQha`$(?pGVD1bo!OJEcw1u8^Eq@b z3HKD(+!U}>2g&;A@UG~`&n)f^+GX-zQOg*LyHo{f)z(c-#Z@BSY+%Q1Ih5pkFh|?Z zv&cr)_|+-p(_1ER=2yus%VUQ(m7gqrBq+J!P~M(gWv?K)=A4`$o|;{~IW{f15*}Y| zWofzLuZj1|d`~6j4BaV$fAgNYM2$7c`&g|rwI7EvPQ~h)=y{CZi-*#?pAemYAs&DK zCi+u)_nip(cf{l0&@(@cQ27PW$?<&^|5=A+=J*A(`Ew|ciU6>MZ&uP@zuAAmZ2l6; z2F$8_a6;x!T%7Ou#7_$brmwIAHjRh0!k>sW4@LsBHCZ1H{Y9<*(?yv%xf!^CnKBQ& z)L(SxKZgQT9soY^YvlL0^@pPPSLx3mlbk<@mO%RRM{2}h37vma+x(8R__2~7+9nGV z=ig0#_J9eJ08kW|AX)AnV=2Kz2=OGx5^mx>k;yx^+h#YJEM4MI`u?(dQ_GU)mqB$%Fm*-X*R7&gW~}qcXT{ zhx|F#0s~tp30Mpteo@R4xtfIMhP-#O^-4&vc0qfy=J|-S=XGa9POf&+%pe?9n)O=I5=TsB@z0vqAg z*D%8|sk3@0urRi8S?x)T1FR06dx)~e{nZfTMUtis^Y3WOUa^9LpvJheb_K_eJko59 zw{Uu`0S|7Aj+-9jpftbMsOp+#u?BzCF=aZbsTBhfZgHkZG5id1KA9>hWtKe-o+P5Z zIRomr6^1R&!)^k6h15($%GPs;a{)Y^ly=0tq8*%;TdL|r2vq)&=!7?E2yC76B?LA5 zZFbMbsN6%^)_6&%mFHAHC?`?0Fuz1JXWQCshwYvD> zBsMYm-DVTaKAT~ytuGfb$&})1&F+YH;ED;(ek4{2741OmyMrt?;`4+M9K{bm&(Q@W zi-lJGCG~7hT*S6?QIIik%;=s6qSjcOgE*NpjiThcZ>_ ztF{^t-hsC6B6t@`64H`~!YW*XE)EJx5d$O9iSbakdSGzAq6d_NQu2}by=wL!wV+y7 zeBTj0z=3NN=J>wNP7qlP+K|4EY2IGtIO^nTRo^HV|1C?Znq-^B{$;O)*ry2Cc zJnEcQE0y^-A3L7e2oA=dzj90{>sO7V2$<40v>iC;Utw{yh-W2Df--vwQd2v!vfDU< zj%4xTnRl(t$-(jR#8oXPZ*`TIB*(i%War{#BpZhA933?fZ_)E}H=Ae3mRDt27KWRuO!ejwm*BH)^oy3?W zD3OQ|8U0ddCfKMEg(g{HF`;DT7@GsB^40Z-3v#)e2LkiHR=9yt9|110RKY?&0e7P5 z8RYY|i34$jt?VZ0C%zL#O?tWc$GkZ+MK-;2WONM;AJ22WTFvq3Gu6rRDEuWspKIssahd~=S6>cno zqa4yeB|R+PAm@HR-0Tc9bC3P|x)-%l6kChC?!TbmKKt zw(o6u;%n?{swJ-Fp-NbC=s__Sx3Pe!m9}u5QCKU~vthtmM|*;0J!OJ(QSWW;_R<}tp=QdN-Q=>mdn-!INIwQ5yUCn)&Fb@1 zpsdF8n?F^{S#4;yVKI)mVEAm^Utrz{6KqU`5hC}b4*v9cN)ncH6~RgRjB_)7W{@2i zDHzw`!h-WLG7rpl%n*;l$l40l3%*7$$rO3m?q>?@X>H1KRIyi8$?~wPuX2X7mH4W* z{8@_l+i`R^PTsgmO!nL@yiDKa_JTBsKsBolKz;60w4a<_oj0`U3NgLM551-|HDrH_ z>&ks4fz?8AjF%y}afYyp#o$)?NtaNphFjx?vU#6^kHrHcJHI6Z|)$c@Wl2NOz`C) zFwE?o@B63W>aO{u4P?<4%x*g`DCs$iH;?F8MeeOu4}&mK`HIqSd0#(OxkzPNf5g+p z?fH~8QP9-`%c`i%v?${hwW740z!hC|_$@(?6-r6(+sb=L&n!QchcfY>uv~wUiT}p< z`q^mB`AyjSKV;&6v~d8A-QR>(fHUy>58rLufPedUQsmDb?C-z-BPsju^v!Q6GdqyI z0@FqqxBze)D>s0N0Q>=*%$y9ITwMQ2;AH=0aK`tS@XxG`4QTS>1eCxZYhwe@5v+h? z;%~0)7YqXjFzn%93hIBiZ{M6ToB%h01F)-e1EkMy&KSV94p>P5H#_HF?Aw2G#{7en z!*3Hcm;nu)4VWPF&9uP=2-a*sS;58vyw7a^cRD1;cV6m`_w{=T_5DftJJsSZ1VWCV zLV;?L3s}^H67nwu!e2rGVgB1tm0xS9Unqos4rK)z4mg4ShzCOdc%S_GT7P2+asq36 zAoS0Sfj?jM8;^wr=%{=k^pDMh4_%cRm=44OY~8P+-#>hQyg7eSF9Nma-%-eaDjxq( zR{qU;@h8&B54oHT@D}||xqMDT`{gJXy60fo;h|CxNfAT*3+F(?b`JUg5fX$BQ9~B_ zcjz{0T+eyqZm#(&<2s#YPbCb^f)JG)E(eB(hcBBUv=cCEBect)OK!<19}`{rK6=hn zfqfLU!`$o0w|dcs>pu~2TPjyaKN>ANgFYiQv9CB;)wsl#EUuXj#_`sIl9k!ho7 z`K<`jsp(@s*=-~UlnC?dnMJE&PV?JQ(nW~c;5DW44Pvau376@Hi@*}(t_3Y@=7p-# z*Q(0BD1_A&j`LSz?du?Q?#N5=h*?aq5{dO!@F(OEUA;?>6F;~6j1SzBb<OehmoZ##skfq3@mBuy9l zi@jk98GL80%?ud@t3bPdTz`RGx9KP6CJbBJ5-BqK+q`1V2zsPad9L*?$W#opmn-T^ z!AL7iiAY$k=ItYTiIX_Z1{o0#ac6SNj3?WfMF*frZ& zn;H>1d@&CjRddF^P!={(`1DFmkikL?(4HDi&?MovF3A)YDfPAR%NBm@($O0{#cviI z46RwVcMNc|V>#BGlu}I}rx*~d+S-6O?vY9o>M<7BDI&ZRg^*0dm1i1rD=U^au;22Cu)v|vtQJY@mOMFM9s1I)m@m8#x9%}gxBSvOyDY-hnBO2LD_BjU9YXcwm zV7mZ+g|?kt2320I@mup+ibtf%UuFC)U`R^#rwX9BpJMuorzQ;DeZ4B6^e2>e8Ur=+ zxT3BkBa~oRSCDg}U{#QCLT}$L*uFaO9@-{zB;o=vTBSBom1aC3X--7x=(#-ckIoBHNI&jS{yOx=G0&@rji$zF_ zn&U|GKC{{Ly?wjw=b@TQOYU8)e_9qwZgE zel4W~wg95GD9^t#G;(pKWwFRF{-Ma9H8U62NLYx3c>R-ji59Rz@$?!Kbp%N`^=NT@< zZ<)}{^hTJbo+Dt};$WSVHJg4B>-uGMYb)B6dm@D1LaaXN<{A=KiIdK5_M9S52nIwL z`9dgQVE>uJ`T6p~d#o}~l(xr|cCCI>d(SYBHL1x+jhP#D2L<{U=o6F8&S;CVQU_$3 zG>(~)Tl5Z2NGIje*jzP<_x4Ei&0bSvpJYTGGS8TX3>^BPH{YHuZ_K=IVZh$Z zXAQg}hqd66`HGbxFgk_1*)l+lV#nrIu5+CPPkJ%eZ_RM$CY-jn$7pE4L&1l59&S4s9p%(oR z-Eji-+<3R?a^V_jl2e@%+@j1gx(EwDGtKY77i9cvJWN<+H#I401@;B~0#)}g7Dcc@ zw3)_TI6m#ZU29Pia=K~LRm>P1%D};CoPfN`Sm-r8309$04YN<$xz^;UmS3Wy)@zdt zIT{l&DW}r*>)1yJShk*(0huS=>lMi(eZoe_NNm0NY|iez3;8N^St^T~=lpXD@3eeN zgt*k59qp%7H90>T3a*(8w=cTCQO*jJ#!PKAJBvGtD^PUB#EaLgOd09n4rxE>XQUKs zi&k2iiXqJF3+kZKK508ZG7V4BPiawxmhJMV9k+mvm{Nj@fk4TiXBKWcE!S5F5=DQ1 zT!liWu4_d%j{mn`=&Y#`f21gPb-3db$gG9xj6N2lk{*#fGomBMz|Nam>I&A7IXc z`i;nWh!{rC zxM2DyLuGi9vus|s*$0J8&|GG-Q!kjP3X5o$V>Yz{>HW+L(gsZ!ChrVsWt~H;TpH7H z?t#i}_mbkr{r#GKU7(8Enoe~zbJlz>P8@ibN6W{tarRxc37xDviW}IJ_37jjxTd}gE9&P`-e8y9E@+@WKAmtIT%a<2VhfTJsCwfy?3v&ti;Ry@l`TNODT7|nWO+{ofn+-zK6l@bmJ2x)6Z#s#Z z*GjEOCgB866bF8}?BhdFhCf!=p3#p zy#9u5VhP?`bZSDxrh*hP8~$S^kTX7;q5;)d?1gp%r&YNk9vcy;YDCE7mjwh#kjfUM zpfnn|@ICQRqD6=ZO2-mrjR>eGU>5Se$z?I8ccmP;&{U}S4ybPus5f?WIyl}~q_ges z$yc8uI_znJc0;*zicS zv=CD?yv8&qg^6d_i$>fXAHkO14y3?Km22ea>g)1IgT6q65-Fo{IYq#v#FI_UB)3t7 zPR*L86HviiRz$M%_J0C%p=J#UZB=Yz0}F!vHv0=7DMsi!{$Y-;IxsP?c%vxDY@;vx zA8gDWVh?l@$Ahvyy>5J}yew*hF5?>AXkRqSQ-;gGIw7YSZbSuGf@M-LFY}TnHpHKP zx-68zzztxmQ}GE!d%c1jldaX08%fG6g2Hsty~d6hMu_jju?anwLJ0CTpiVJvt}WmQ zG5JH^)>kJ3&_LnIXCk%<@~7pa5We=oSfMCu9cg7%Er?0h)lvj360MYEa9Azl^ z6jsstKp6YMuZIaU;MHeBEUOzospK`eAU&rymqZxeth3E!ik$cHIYI1moR9WUT#lPo zAv4aPdt0%}#xj=;DlH}f$`NmzWu*r#OiU`Jfd`S1=@(SOI+G_TIO#wu4mPbuh2UfP zVQ0})w%yjB3Pi~(A&FA0F$`KQrus3*pe774=eiZHBN5K*oVV*D2o<570UGp8gp-9; z$7A%9H!D?{=2QFPp<_+EJentjAoZ(oP<)Islk9=X?@QxqCTd6hLZs0zy~2r%w|z}|5(R)28# zOAzTeS2YH##1K?3PKiMkCBKhObz6Aw_Vpa2q8_$=ZRE22{4Cbc@LJ&g9Oi7e#lCOf z%DNwNcVQ5li`U^h8lSs#9} zc1#{b#RPxVn$Qx#V53ht?d}=xy0a;My=-RpTLqDoJXHv9gG=mB@FwoXZgXWW2{C?xH@NLZ@G1@^q|5aQ5$#K}oVNx-&=A%Lz94h7z6FACfX%KA(~Y&L zDy;`IaBF>g&+D#EqH^E>jZ9i*u;71>!pkxh6i*D-0E2#<6I&3>v z_41=-xzxnkX7OR=x+OW zw>n!BrDRlouD1@R8ps*#1x0T4Z*8F(d*P8z$Rzq^0 zq$2Wfi6O0+^v)TyR&V@jlm($bw1dQz&+m6C=86l1)H#4M@X~bk~oA6 z8U8t&uUx=WurjN@V#U?hH6^@7R`p>p?-<%^be=6*MjzG>_peaFJx-JUctYnFVoN)@ zk2TrunGI?839YpQ)5N+;akq)hp@lHLn$4fs3 zIECS{=*s=LBs;M1BKA>L^rcNsD+uHO)qQkfyO(1_acmPI-nADinw0MYbtLCcVA+R{ zV1CQ4f371rfl}iCeFOtExBhnW@}1xd%zWqk&g1?5!?*Ewe|Eor|NS2&)qi)Cz{U-vxdFnc3j7HD3kBe(Lymv2TY&Q?ZpDwHpZV_(Z?DnRewp$K z)$?oFB8qAW^Y0UDz;ZZ^NPXm)RmdC-V5h_OEW9oDNpK-kK6L z0}Eb^uyu$1>e{!_%sMzA;JH2k)^+c|rEIw9UaW2!VFq@QH?X=}#%hgY-XaTfn<|xU zn}8w@ist6$tQ{X<@OA>#wQC2`Oy{z*lu4GgjPhjiz)m27ePjQl*P!5RbIT^d`S!>O z59!8$#;bC<(Y;aVxOlexM$WQ|rAEzDKZ(zEF0$)R4Z-(Qou;ZI$)= zv)HO+1nl~&Hr-;ZSdvvL8)5Pw@xn0@5MVvc8tt;%)05g$y5Y1GTX@4%5r$9rdb8f7 z$;GPnMLDiUL&)>Z$54jvoEVmHST{@1(-tc8i(%BP4~ODbB{r||q*G;ZC9uQR*^Td3 z(AAQgE5{0zIO?c8HNuLm%S4epfwpuspVDjT8)YMs+ViZ6qj1V<^6vEYw^|Hj(F4&1 z#~(a|We-xVLM5_Red>im##o$VO1S%6O1~F*H-u$|l*CGWyGl_LuSpD#qO=arc*8Bu zhww(PINkOT$>9xdW(Gev8z`#?w}fk-H!2aU2+{7?WC_Xn0F1vw7`m*FH~}}f8eNyD zMdX)!E3cfFa-Zsu=bqcno?yV;W^&gBr>!maxSh{B`UmoYYUCchQ)W_PT|gsWDElbu zrQ0WI46eqnH>z&Wu=_-Kq4D*}SE9~&TJCa7b6EnHl8g@-=jdp{hj8r+lb~E8_<~02 z(62;x>p9R#gLe30mL{Bp$1%9PEy-u6C$s+-1aEj9H<>L{V$|Ij?++j0VvGnLvmCMJzumd`luQmUW|Kb2L&}eXfkpK#tz)4T|IEp5q zEtbud+3dujddXkKu*~iMdVF?Z zeY2Vf)^aMEoo1$PDYM&y%48Qp+}h8GD$v1~^t~O9N@`;)*LTXN*;7rs;W${=>)XpAJm`4l_ZRaDuPx|^Kw-p&DbUD6e;1&DW}RPA1q zUix!yap!cr>gv)3z@ckFp{M5K?CMXlw9RAQ?OT0W7=3}gYw2|976}5)b=Jy!>fK32 zbHn<1CL9=J>dV^Y_F&SC0kITE@FTz=BYCLVl%w;=p^FP`QYf|#S%KY(M{&N zj?*5&Qta{7Qk7p| zNw*2*5`TOEsuM^647*vB#29rK%Ww{s+V(ZFj=a(ybw+6`9)s*?c;B=8X2t|8N+H_J z0W>#^DNa0!1~Uk;yFt^hxN%I&auIeIZX`y}$t?NG?5o(6;BdAU6}+e0lY&GsR9uMl zsC9U3f67hf0wvzEWvMPXJdekr8625W5R|-N9Zt10^w_EFTOj1@su_7$#9j&@VeoD! zN3Q0pCboK)$#xY%Yw*hX%xNjpmXv-$1TZ3bMBHI5c-+(7kCO}Ro|vOPKPgF;Z5WT! zvmAxz@F}lT}GM=q=c}nUi~xjoRyb1Kvz9 zhICX$W?!+CY94z>H>}))noqA7a-XM%S81$?t6|0HnS?_z1-^j1x?5+@As9u$_ljsW zd36MJJbdSdJx@Oc+Q437*j%Z(Np~#uNljI(*q++J?GXzH`->5`=}u5&U(>VkEvHXn zP;KqPa43DjhZ~q8H9{7~KKW>)afPb>j?0 zm~aW@>ZP0M+O)fYB@b=Rh>46;BJ=jM!Z^YVE2d4!>VpU0T)%6k7bh>KuzY#_@}n@z zZlMRyXW z@3kM}gAVHjTjO`&zT4ffipYml*7m1!+NKqnXj#%g5PhhS`iW!n7lqVs{GXq^Y@E#h ze=i&7cNp-uvWc1Ld)Wm1@LT-^{P4X#`}V(n_q%ca2KN2-H^2McIDfFW0FT%A@ShI$ ze*4FN!5hHwI@>9<6e38)HLxVV6}7yuClbk=aQ{D0T?&s8?RAB?gA5GBCh#SGM}9N)5P z78c+jk?rBa>tA)vFRZfP?u~zD=a>N&*tZGtKbFSM1e9F=VQK&Ijs54E-I>_|hvoNL z^|zhl1_~KKP58Gv_w(|8nSJ})bMz1G9ydTG14wVb?;Z;<^oa$y{r>Ip{`JQGT1e)jkI?3p*zRGyB6r$;*GO?SY%_kG1W8_i@4u_z*dP z*~s7iWCl!yEWmUx4q#pxGvK>qV&(q#4+JN}18e(Z@%-Pd?fdWopxf`8XO#sI*S>v} zumStV41C0}F#p9z$-nlE^A~~SC!F~A>ijqEBJqE8F>nI6(w{VepF;mih4_VA_YL;< zO_lrYionM>@LHH20wD5Z~?aEKT8R$Kk1OazD&UT@aoTk6@UZ#jrB;ItY*`t0+GttNl zYu&rCxHyUCvmL(e(ihDcpXCMp_gcs5vWQTjw4}WyYQ-&$ru(xzvzP9tJ7>d3h54z$ z;?mR`ul69?VNE`nta4A%ZOrWU&YqcB)W{asFIH8iGm0S(2$XVYMvu#3aB6A}&2H${ zN^ig=3STmmM(!*`%9lpo@z@)B0qBDa6Hug7lb5G^(9UX1_l+G% zSOEjsfzw<{0f#BP>XP?-%Yo(tTd$BF=nnb zgwjy5CkeJho>(ot6yW8)|2joszqfod7<;kM93jv3cl2M+K3_~~=nw8BuciRi@4P1i!*L3G8P zB;k8Wbr9(}(#(e8FO@7b8pCZiqH2>X!PhIN*Xt5Ll?o(k#;#hA($cAGqHbKG^*cNs zv0b4LPFde;pykZoeTC)+PmAj}mPna_q`Y=No2#`R9bKOq2`A7ev_|9w6<7=O_}ASa#l@eqb2>~ z*}3+)z!WqM6KY!RMo!7OYBrA;WcK^6l0Dy=uwJy$E_6bpNKrOzD*Ey}X@JRA=(fI? zJxLnOeydn^P;Ce~|G0K7$CXmq8cQ+$U4liV`&n`EsmgdMosb@Bpy=aEi zR`UQ{8%ZPlV9dw~^}33taRIb&`&QWF>(%%0*f?j0pV(cvkUsZ#SrrN|zx6PWBKTsW zTjtDNp+5zDw7wP(Gvok zE?>dT-3`5&<7qa?7GelYD2 z_&16+jNXrwGrX_d!13SGwOU*XHSziT8P{~by`w_EuHG9wtqsXMe+l^hKfv>0LcSH( z$sKrwdZM>KZByb~AR_cgqi_<28`~sIZ>N^2s}T(KOGDv^i!otxr##kLwi?T=;+tFo z!h`K?E=H0P?$QKJyBAhMEo?}mB3FV&CnPN|I}WK_ni*dS`50bdWDy-&YcPWyxPa71 zWjLFEjGCpK#%d!T*ol#dGEOX!bd;VlZ3UY>FQwu1o{s~`d{d=5?HyfR**436%VUu_;$P4M&NvCsZhl$R1* zr{z#B1GcbznPcP~vidW&^M|mLWe6t5>HX5dHX7KjmggAT@u8F?AhKd8y+|NSds9st zr=aes@Qvvo$EyWwY0giDZAA$VWX8j(LojD6gTB@cAi!M&L+Vs5V)c3EB2ut%*CZfR zy`n2JQu0d~gM~6LCoi-#J#9C=dqPi)@x}KdK{K75a+ZM^?Mu=lJJo4Rq(m=hOU|V7 zR0MX;>0TvUYc#=OgTj82YIYhqt=RB%l;}m&Sqr=*)|t2_lE=z&e8G_)Ff8u{g3dun zK9qPw>Za(Wy{YE@SalWv(YQN~WiSXjagmHSCF5eQln2Rydn1HkIyHU)L_NznkI_!V z9lzyLUU!x2a5B{H>qtbM{NzH1pQz?NMQ?4c2Au*E{-MnQ$2ENvzTu4}cq!lyRgHIyT_njSG3+e=BpO#D<$zXTJ5)46p5Q+#0Jjp zpaJd)rYW2nmpD(9Sq%9-Wc)ZvAa--Ua>2a=zfk}`JvG3k7akh6Fv)H-uo*Sl_em;f zGGabx=ol<|`Du25lx7fQB%bn-6!)^=oAX4O%^U(xqRO!g<|Wv)02d8V;5+0@45{Jt z@P#TY_{?AjGd5fsY=^dvVi;x^#Uteg*4%_NoYM}L-jnm*#}Gw(wN{M%%5xG{HeOkX zI24b+;w%eJaH2Sy&Y>Ss-gd9`bPL|4hVlt)+kY7+7w{T`T=sm4d2GhruvxyDpFG77 zD?CFvln)ocjRb#6t1D_ra;hKh`bc?|*uWc)^f{?I^nD0oWwV~S8^R#L%n6Rm2b%3L zCz|!br`land{anYiZ|#!n6L&su4Qnp332TmJ69fUxFsZ}Lp+1O3ye2EO!h^#!m+&Z zoLLIb<9XCj#-ge*sr#9{mfujp@^O{AykCmKE*2W^%tpb86{2wV4ujx!ZSFH9)#qsR zX6JhE$=Bhp-;>W@&&KF%!o?IznGDV%7cZ5RKDx3*Y;?d%d($+`e`qK=qzkT7gVBF+ zjUmETvU0nBeNnX9>cJ@{;?X2CO%a&T)xjz()jM}9V_Y@tv*ObaO~4u0t;}&(Wd6mZ z1B;^nxm{zUV@haVJ#1j~W@BfFjs|=`W+q!@>NQ)?qNGW*^aOiGOLb{{{N$Ezq zLqHJ(38fopknS!?NhL(O1Vp}l@baz*_v!b%{^8uC>#oUKd#^R;m}8Eq^;KZ_gV+Ok zehED@ei~Oi zkbm_K0=~Hjhdi0(G+z3%;QTKf4Pf6hfPpeTW+o`3ftif$1djZr_TdGw`Hw1re`XrA z-Vlg^|6>{$2t3(;*Ru17#+k{e=0YE(-(0nGRmjeloD!2n>( z3ak^fTA2et!@)pV22dnH28N3L{JOE#IX2Jt$MxT_jhPKVsQ}mk!~vjE0G)>gK-7R` z0|RUxj(=dw{EY)$u%rJTD#{8xYhVDXIkk)xs9$CUFsk1(?Sc*cvHIfA9yS(M;MD|R z4G@qiUJ}-3nrgWVw@a(|BiWJAXx!`a?th>5FoPy2n_%$M+WU4!T!sm4RU_n ze#E!_Y)?fzUN?JzIfgKeiP1{cG4>0bj?nnx4&9*{2CDj zQUO09qGyKw6Cw(vhW`67HdYn}Rse4O87Bmtr)B*#AuG@h131ObjRZ)FKUagX|2!1n zGJ?Pt)S$7S>!k7XP%t0@00JJ8pX~)^{c+#VFD{UMf+hlh;=uDmPh5%9efbAq^DKP% zBg%Oe%VZ*B{mU5unne6vO#hp}CNRt2`*jLzLhps&1U8FRRiQ#^05h!jhT@evh+`)& zM?mBzrJm94A#<~v8F)A4afYMPXRs~49oeM_1V$NfTyxeI&WDA2ACh->qtB#KY^_JD zr@MQK)*Y{)_1U)vB}BB?g=F_q`2D2COu$m2FRL;2bgJIGNc*VrC@;Mk_nP;lNMT!v zs^T-N_$%tk)fR=6#CPHMw15z>YoJVWNrXu!hR8ks$jy#}>u^~b2G@mB^s)CA7|nr6 z&9s}>{bLIJVoexCK@L(;n#Fcw#c#b+Y@mp*rwrF)51}uW8hMo#GDk;tjY^7p?`u5i zHok~-t;awhUk9P{Ny?GOI`3TncrRkyn9xE#woE(i zbzCwlzf^1&gUo}fTSY4r<4qhn60@8Mk^T4k3k-}3cVBrXSc~O-N|ugvCzEsBB3<>i z;qVRekE`OH&U3f3Curq~MaHK^!F0F|lI;+_9=f2u!_+2J70=(0hjAo_a^S>YC4vx} zp2nZ?oJA+AHjLeZf%lG)-pCi-Y&Z+M{oPNy{Kvd&QyIQGd;9yE9PIXOvo5OmaTal9 znXoT+L;apnQ5XiB*68|Ooj|($33J+l{}Swj`a1VQE)>)z!69bbh=nGV>uV(D?a#=U zh>&CuCa^OSjeNeSeuJo#1}(Far`6!6y-ag#(;+H0oxEwim6K8QHA+7b_!V{|HC40Q z9WIffiQE_P4Zh58Cy0f`m(*v?49^cAVhs{r+TI!3!CjPt_1fB7T*{i}e}r2=w(gF> zA}E>a4e^lP+zNjlQoIq1!}EZKds#y0%_IlsxS_}gnTS`W+or*_Jv)%iM)MdN$+IGTtOqn9YUdW&64M`0#D3mcDaIC%!3=+^#I zBbWLdx}q?~ZZ@qNTMx8*7(GKGf$%Qd??XlnxFQxj4echBx>A`I%w|6|c+lvUF6t~RBkY|(z(~@&6`*uKg%4tS73#l$& zME`1CZ7zAiaYA&HU1Uk!I#+H$$L)j#nNZZ^e!8s1ir{IcI&bJREaz zwzfW6{d7dzMz!4s>e*l4?JB)ns)tbFV!yMo`I@Zvz%&SERLH~e8a!FvK#DrC_{3z* z)ca!=6G5{10Sw;#To*1C-!KIcKmByhFI%CrFv16gHJ%ew(r-tQX%vSWcI3CUDz z5|P>?Z|b1#sJKk-mY&V6HLLwdUt)wr)&lm=0eRl`0d1MKOxNLF&6_OVhncupA!3k) zdKkQcE#T1b3K1m;PX3AM!;ni;60$1&w<;pEZaWitPgbOxsEK7T_pc6LoA0jH6wHc$ zfp6|Hx~kHyx8i%K5}HS9Y3fWXA~JQE&XPCEGNz3~s(W^U!&V#QzUF|fE$e|t9i)+N z<+*q~ZRhibKEcm?*!@~coR(IF;ZVy`7woXRf-~m(t-Q>&p{-oZulH!&Gs0WimHikU zT#VAXOYV{|TnpPZs)T3BiDaBu$8u{d>V;QMa`mHPcpi#wc;oh%^ZL3$qW9I1_dS|g z*$L%yNyIR(qVi2v91LfD(5I({*GT6vP#`Q$%cql@klD|Bg!TAb+6 zchwII_eoXXh-R`fO%rgpo23hcy-uF;EYs^o6km(3RIT?0W>}odvC{`(6vfOZu2WyO zGGiv(T+3bVf%1cqLYZw=wv6UxS3Yictqi4&4t4D?en)K5KB}bayu3v1-_-6Z zTb34$_H?fZz2F(f2v~#DwZ8DqoxXMyFNTM>6*78sYO5u~Ej8n{f*LQVS}5PRV|pJT zsI|l54G3-#+ail5&ZaCCC9J$vmZCz5kz5n3SJDcMjs@5Hth^yXw8NXO8hXEm&XH)5!`(N_Fcptt zu8)SX?ugGExmi6FSdHwYf79&k^=(S~a91fUqz+DKaO`^&RVLjK~hpu z?eKaCSMRSDc;qFK#MJspuk;?*2n`~0ot3Jc`JXZK4t;@d6)qyTY*zkRUp0mL~#>cmg`sj%p@v4)I+zOjy= zg#(#7l-tGzl}+P-#xb%wj||Lhfan2m3r~lw ze$sIbibI|BSb%;wX{2`Y;gl+O+Jl1~@D#rf|K8C9`j4SZfuHJiolGvW?Bt>SH`ff%E&)I(AQ%VG0#={~ixmK? zn0^t9Uu4+HOZ4v;#tdcY0P!*i3i$w>8)gU)-U4bWARt0!X8t8&b{_gU)9>)lw(~Ct z0|c$10<=b;FDdZgfdGmR1oF#Q-~!8jgdzUSG5{BYcBeeGj2XbD0DR;(Ej#~mo}7ID z(tZNb9NK)`W9B++xZ*?AhYxLJ$wS_oZQT(Y(8c(_7h6pdF%?f zD$nr;&kO~KfWQJW14!t3Ea;4C>iJm#jw_T82~b}z7%AU&ondr2gK|w zF7`JR_OEtcVn5R<;xEJuNMJDkE@GCWVrCr&!TPqUUDxSa2PzJv#0tOrtmF=L*YeG` zah1kg#JYHKw1`(N`?rUuByZ`|zJ1kYz=Eq^Q0erBu}9LOyME)vUJ83r-|`KH7cq^V zC`NY6-km5%{$H5w4Kud-c&-i9Mh}H#H+NchIC1Ofd>~29%5MFXDjA!7+j8}YO6sG7 zAkW^FI~r{oRK<;?QN14d8w;a;eKu?dY{~g=7i2YhsFSX8ZVfHY8TCl$eDj*aCK2nd zeyYat)_?jr*Ki7-sMgiWHOzd4Fb8ho&n=~MD0}JZQJ+v2hf&Q!A|-BGm1uQ1?zU~k zNW((XCXOm{+ikTNWSP1?*(Pug(!@{eSF7ec`BXQ;x(t>I@ap1}xvod@Ieeq>YG>`n zL^i=;f^*u@zAgH!!;fw5-b0tO&Z@wk+?6H^H0~)hOU`I7wm14VR&D zS@*Jn%!4hH`#PD=3Lj)jzY|u)zn=MI1WmEJR{*IP-u<0pvi_<~;q+izWhsq(2kOF# zC;@i~p&W&4tw97I!D6$gZHe3Xl!&RFT+P@*z@Y(~wx>#B6>krFM)t;4lLnYx1BuW% z-6DC%+!m+jx%V*&YUP&M2!Oi8B4)JCcM30L0&NoG2W>fe_`BY=D&g}-X20Vrr|R3$ zL#w@kw>f!3+ES6hlk-Z|$nz?vFxF5volMzUsTYyrG1t>Pg}wL8jyJD&w@AR0J6myZ zy@k|FK16S4U5vVwc%L^tPDLiyNz!W!ad%x0(c;bL=+T_i=(ko07QH z4OzS2KONHWBh|NHub{bK@?=MdSzE~<;;2{OaN7ofCaW0Zn)s(EKO;{@U)nHPR4z&M zDq`lUOp&yH7#r+ySJ}^zS*+w7Z1*hz`FOzw%~a^ z)3l9=y5)L9V*dcDqKt3dCsCy)Rz%U4z2S`$`lI^$4_wGe9rfo9F;E2dVO2eRiSZMC z5z-A{9V$cI21WVIQ}SZaXKM;qQ1LijdW$b9Jt6$8#$@K7#ikbV8d*rcQ~BdK!4Pa} zda=(Se8HCRL>PIXpv8j>q~k}%phcC*EMU>zD;Y<#lC=NV&cgMH$%nCOFHOS2@%Hf8CASEI_z~Gc@9!! zFb4&u`r#oq?AI>oJd`3csg}mF2m9QG|D0db$uz77S$o4WE`v7iv*Cx~Xdw|l{6d5+ z&#Sg8m?*hV6VeJ$s>`8Oie zGG|Y?5fa4SYOW@#xYvZ^*^!7EK9vt|JLb@jj@qI4QT6bEtEjK6uE`RVe+_d}H;>(E z{xBT!qrXDshX3?m6dRHe_rH$fa9HQ)o<+j{fC5S|GK1yR7g!4d5(Gangz^Rsd>jM%u_xkhrom~pk1Js+aJBnQIsV!0bmJbVAf^^uIbVpJiDW#6Cc+EGufh!B;#Mt8O z`-Qn4g$<1wlP=zk)(WGAdx?8pq=$BkxI&K2Ex6K?Rzk#Ko)SWFO|>X15+Gb<3z z069l!z2JEd3h>DO`%o5OR>(z}*)z3LCvMwMlR_J%LjA%ECOua+^3zZNi2^G0E~+>= zd6-UJ)PM5${y8oBqx*LzmHLC2=5OXmPh{awE&0pig8-r9?|OXI%H#6mOjxda%8Pvo z89u8ehoa?|nfM7=RxTM3M8?dveof`QW^uNtHduu)01+Gf#uVjE^FAL|(CZ_Y&Qa^pqjz{l=G91X`0vrikxs8f!&y z(r=9p?h^BSXt<3`yHPU|s>RmbPf^5&rx2iO`JQhB<6x363=Y|oCXgVT+ESPT9OIxo z41YQ47#_PblA!CV5-#OE^c4b4CqC|3IF*tZI5*GdvxZNT#T#m~x+kStqh^IA4RzT% z6g*MFOv~=gG}cYH5Zhdl6#RPR)logUvG;AG$+2OkI|-}!4K5xFtio%N-WtDPtJJS@ z`?B+TTl7bDrYsU^LR{f@FA02YK_E?m*^IyPj;?r)RS%`vAayNRk<&7CZQE2AX<=`F zdeSacVVL3h<#g@tH`c0`mv0lpRcj!-=Wem6yGTuqJ(l%#G`?J9oUw(fqQ$}P$ONm7 zXj;n#f1@akr5d4Fyl~xUY`}wKhdv64htJ0h?WpX{HyLC?qq4TKcGKdUu~CP z^%WZ3wb{?6doIVDJmPWn5inc@{4KR=?44KNw~g6gX~I=@2i|3MeM5O&sRUe)V)V|A zkMUdR0CkI$vHn9|L`=0y`@3n)IaVRhz7p~=)K$)L)4#1yB!syVItSlL4<;N>Z9|PO z4Obwl>@sh30Xf%F3>J}gkcLyQ;C=@CouEWqw# zmX|w36@j_wd!Yot@>I*Yb5LZ~`J(&rk!dU`LnZUW$~p@W_y9WFmEqAqb=oNOE4d zMRe0*tyoqrd%FA3m_j8@izywR0^8y$dR#2q5;|HT`4XudEaLnsdKj*2QHaz);*4>0 z)8_oj-xkwW>Hb6wr)jxk$8_{amYxpNFyn zhzlFg`Q(CG&tEoY4F&^EwV_113x=M*GR_VK0c0L9AUJiw&~uEOpOy)@85uwTDtW{ zO`Gc27zi8aS?C)84K`7&Z5|oun4vn1HK_p2w%AU3S?IA8;a8~7zBVY;NmDP$N5fo^ z^<^%Az54>K4!bg?o5+m zNb(G|d60|P<=S+heK2x%>qHG9a)8bw!=Y7|22Hr&6KV? z)mCfaLHGn8#V;N521^HCuElw{CcF3!ha3yPHtA;ffQU{2!~%Q&vE!}_4p|qS_1Al| zo{|V8_@zT$?_awBf=;)|JJR+|41-JCF43Sy@Voe-j1Wnw;%XWNsakBc(RFyh91J!8_~pV;V70FU4u9;=oHw@~q%iBMp)y&b9_9P$TBL1Vd>+TWO%`?H2_))XI)5HKSk5sqvo^ zk5gq+NYYSVI!g9{V?R=cYj3rA-ejKzVcZ;Ueu6-V&1wp3KGx0f`9lk(cIu3tIqTK2 zx)zK*R@{Ta;kS4&TzNqBo_!Z6)3bxlO@NJiGz?DU@0m#0`0qr z5{Ega{gh+g=XE$tGkrbP!#GfmCYcaU z|5%gsmIpa;`gQi8>W9?pY-=lF2IJI^?^?pQg>=2S9Ut|$BfMSz9rIoiLSo{!?d83j zRb!uw>5O(vT9{<0Hp14zn&)u0XTDhPSeb~)S3mvOe2-2*I=OiolG$Esbtiq3T4Z&q zyFTFMlyBp3zu|5-oY~bEHf3dOwsm#QZnzpbua93lRA7gp?z{W%h2QM8zKd4rcAXD@ zW=J7R`oYRl=zoFTq^?|`gy%;umOtK*=rIT-6w(g)j7ge6^ zFYCQ!Yj7Ek#mZO;)yqgch}SEsn1L3)CPXHcqEsyYkbTZ|MY`-W_>GBGNGsuf|5^>n z%NO5V#!8DVA%5An^@Yu(#@MMvb>FMpern0@`*vK*5P~6rMVYzuwMR1qbtLEU7A}%6 zyua^kJ(~yvrP&oZa!oFWHQBF^nSCxjf>_6!C$gfvD@EtBI5@hbXnRk`(xkg#a5UZv zR9oO)Z9i^zghp0Zx5_nj46(3=h`eH0^45uTCYWi!ES)LzFZzTkNs*2o#c7fEbk}W} z3eCvz<)}LhRiX8jiyVkEtq=Yo);&3Ke{vuIZ2W(Yb-#C(0Irn3+6SBsde8I<_*a5n zfU64R386tR3n1kQWK19ctDWhW*_-o%9w+vm-jaW28Z(e82LX}ge{2H-&_9qJ`c2!; z=i|}qLs)!9 z;q}B(`DrN7)e7K4T*P%gFSYs8P!QlnvH}e5b3P8_M0NIb<1d<(1=@)ONWlC&6m&-H z>7tR)WH!r1?i}Qd;OT`!0a+htp7iHQffwsXKl`72GC+LiFVYL6=nrn#PwArnH(mfa z(V9A4tW!=k1fUT7u7jqgYBAA@?KYe@J^ly=vx(Q?Bkdif$p`y(()*0YTMpDQd z$&DOUvfN*0u9{3GQP9i z?HA(B3DVxyaU7%*!-V){nQs+#d=JfsOiQ=}-#;5=X53268DPtk1nnt2GcqYMczakc zU8U?JNoZgm(*hS};Z}3BKl^ESHVh3>`U{3N1;(KSHSNm23J;$3=6_6an#K z)t?qynS3A4OlW-Fs!zMLtsDk>{I*5tv4u}(#!Q{==8>g-a}^~rB;i`A(c6WfR-$J< zBoo(pYus)uG_b9^?zLpa)zs8{+u1#MKaNt@p)4QzVUc{e;o_F(~{d2)TP9< zlqw=;<}l66W}`jJYB?Z)plC)?99@pjWG0G9DC;M9g_m`{SW|g8(=>>>h>S7dldfyr zxwC>m-geSFHsgsZS?X{fC%29mrgbw4s>TNBf<+~o?Tf=EHD6nwd;EnFIZNipW) zN8D=3`F-XQUsc!7*Jl?(334R4Mh1*Azy*2P{ac&g7_G-qM4e5IBT@9!j*ZYU-ib=9 zG*8xkGHkAu*H2F|LJ(Cm#^4z+oJ~O?2?@YXk6ZPRXq2S`fe5boX+@Gm+wXQZ)^LE> z(?*E;tsCEaBO`<{#u!*k=4tm+qf*domO2!m@9Fx1y4J#F%mb{783YstU zd|vf}-Z4bCPhb#HHZgKi&NA5FjoabMop)r3pH#Tb))X^pI}}SMFcCKj|uZ&B|Y=oHId9kCQu~TDCP~geKJ5UO76S zJTGkbl{7z*S4&_*%As*h3s@+T##2yBFGXHmSj+qJ#Ua@^VeaL)&0 zJSYl21`?{)c3Z0=-@yn7%A^2YBKEf2r%Bon5u8&pJQy^j>WEW_;LYf~u@7rAZ5bNy zb#h2mE7ewOap0i_-fcMFyMtD*tS@O$^M;{~d0l%RgF_X*8SH8+@-QL&kuqQWZ4$5O zyVN4vGU*{yI^)t{<32VLHLtZvl1FMaQXRBhSKbOv$}Om-wqtAGS}n;{L4@QDXQ~a* z&89zBis0y;u=nZ4*NupU(Hm^%&b$JLM_&FuKGWp4z<>6fFN;D9tLEQD zL3{F0xwmgMs(=F}0f%zSV~R#Hd+BX)Tgg)I4cpL{3BHt@3$%GdLA2?dLna>t;kEip zWb84w=^9DJc^!=-WWq=@Db(Qtwj_wjEa60IDKjvW9oaIxXpTtQzozSuRb=zA)hCcZ`%n7|wn)+JJf+@xe9eFH8 z#*o)jm|6(|*Kxom(0}Q6vNG`l($3=jP;(60iuRb0I!aI!=`&6}6;!FPClqiX#H9@lDryrFXNVgnna zj6CovZ}OhZ!(I*LS37Bz$7;q*WXDzT)lbBlFSu4si#unrQ65-onP$P2@dt{j}TfL z4tpi6EpJ0)$mu%9i*`Y*EHL*fRaf@*Wu7@cH0mJZItb@473BX&-F%s3!}U5hyRz~i zrnB{ydGoF^oz5is!7KdQyTTUt8Q*rnkySNT3zDjt8B9^pq~Jlq(L>}DQLhHqvF_sV zrhB`R`hYK|(lF(RSsszRz?_E%R@K#?nedP}@A?{n3Ue@uIP>D>TMSer5AHSY3`?@VG%`=syHtFL! zEo>V4eg~~lKwQEdk+)JAbWsI1$7W;9;(b*@Ysv;0c4m63HZ7>nf)^!@q6IBy=C`}s zTxLdM2MN98TH2DYJraJ>|EBnL412`7fS-85O$MtVrerFws1j%Rl#IdGxtf&~lytFr z8bhR#W4;5Qa_4qACwNI7y?3um5)}+_jQE5a!{$mn%APX6bC|6Y5dQEH)9v=h>#R5T z^h`90pKtrGWd$Z)neHM%d<9lBw-P5DCo5e~gzmbiknjuXzH~XT+w?b~Xf93J zpa&9ufrtb{pTZdO0xsc%lF)KFiVY8H;IE_1dql>nu&t|cXQ?>bt>h>1bzkL$IABtC zsxn~8qA$C-C=n-h?^%8w-cx3r`Z`>MVL-HL_vRSo63mwmFIr?|x~Xqe?*c zja~aRv^-u)NK*dl&B7hx`B@fm_Ht%X)qHmT9*n74F!d)Bv_S7;i>o9VCE9{F`k zycT~O|Iyi{N;yk=*GbL`H@fGlw~!TWE@HSto0cRrsI-h61-fnM3@q-b((yjzzS zWY92%LQgt^F}wdzGA2~A2B4FV0)$5BN?Pf(?EM$g>UhM6v z@Z?P@BYn|Ljf9 z2YRF;)8jsdE1rIj_wX4{$4g3B6!D2*nf9COXx&#|zrAruoZgC*_W6D5ci)hZS(zVR z5Z6P_NcCSF*ME1^&&Kso-Ms%bu7`Z@^Z|shClY-CVIFeQZSUj*G{ijl01X;{qQ`$9 zcp5SMVO$N|9MCdwAhdxJs88Z+R)DJthK5@ZSp_ zF5t*RPQ;l{pEYR2|NS*S&2#-133K1ObH&5P-$-^GIfBPx=3DD+s890Hk9t8v5fSe}09ag3KVG===is=ljWa`m6pE zCh{Yp;w&ceBUd}{35j7iF>BtT6Nn~$B1E>Xf{Vx z?*jW}?xH!Al$0$dOTDXXIcAGY^>{OLd~3WfG=cxCZLpZn`h8^^dsJVNi(8IWrBvKDiKQ1|h5OiKfdb~u7uTsHRqEZ1 z-zaphlF=;9Do2|J2t5!j3l&h&x~?tnH_MMB0tqL*>yNdvy|pW=YVWN}R+ND3VGhPd zxk(q0f}%$$M<@FT2bcRAj|x^MmJoTFm<;a`3!<`a-1RT0QC`mdZ90|^DsYmZt>2~N z!LI^W4A#SZ_IqB21XD|Ts;dv)EbK6P9M2awuBSH2B%c#hPZ&nH<7AWaKqRRsv)zwQ z)0eiJuc8iUJD!N17C)L9$IG~!dh^+=so02AxUq=0k}Jx);vCPITj5oAM9V>U&D64d zBAf}`(hTHAjBz`O4`i0!7cEi^E~Bc~61Pn}>*5YBuO1rtOb7{fxa7B#^SCkuZ)UHa zZ2+yb!^OnvC_B4;`~KHZ)&sI0q8DKn+3lHi^oZ&Y?dKZ>t)<0DzQEPH? zT>CgTsJge|ha_ynXez_G$t(d+dJxpzC~(MA%Iu)g)3E~wD?e^${jr~It9$15=KV4H z;LU?HqY3k#wq&nCBL2?E6x~=Bk1O8_+w}9 z?9_bx5k-08)#64!b8p|ORO9xc3LIaK^`yP2bM!9QXQ1LCa%cyv@MRk3n zkuuQ&ht{hdZ@zqNILzAn@ac%S{OdwZC|ZtRrfG|L)ME|*WCv;NX@kn-21e- zyW2%zxx2b)$50?^{&-6~(n58&`MUPe} ze8o5fzvw+vD$|Nn_nDmIZb2V;O>uetN`!xa5+buX+`|@*yH^)4)2-k3SsreAd|+v? zG7@}4VBfgkAgVlgCiedNwEY&F4TD()^M(z2Nf7IK{Z> zvCPH#FR%fdF!8vUIsp+xAosUd>#GUeD6piShmR0leR=akAq(@=L3er6{P+Ziy4RB^ zf)FbwO&8jBF=1*d|B;Q+#7duU!H_uhGK4RNeDT~EHb`jp$}Rk!)bnrBFD>+p`EQvF zM)UL%+aM4dE{>;9bY}_qt|GenhSKf^B{poUy0G^Kcw=XV1-+oKOaBt9$)r2T95X)K z-|!;MnX?t80VVQ*j01w{4Qegqj%1k-qiLt2Iey#xbvs1@E>=qFrl{Vi2e^AoH_Iy% zrqcEp#uwymkiC##m6_fJ8LrnF@(y`XldwAK#07h(7|m?F$)>}il^tv!mUuaoL{6s&SIOOg(J^*C0oe{`RAr&V~nj{i~ubM1`1&UAd285OhW)BD!$zlu0|a zhC2Fvj4AHJK`e-xk1i(HC(z(GP={%pXi%)wz&PkgTQ0TWjfm@Df0?^Gi1GZXx4^si z4CX}yEh~LPcJdS6!v%z0*;$|~Y-pOKURDp?X2~jTZ^M(W z#*oowo#dSMqBkw(&^>f`UNXeW$63l1T+jV-*_+n*mgt~fdSxK|BksvO_T0>>nE5Qc zDfIgl2$@n_2*P+=;we~P^V*^Z?YD+CST;AgV)H539J^Ib%8^}fgtfY&#WV5w z81_1Uo6bdn;29C|@BZ%3WM;^B)%G*pMj+oief&N{jPdX4YRGBd5U9G;`DpJ9pZ3o@ za4-mvt^%moK>ZP*&j$o~KobWb=wkz-7!L412yOi>7fSle*z`_E! z!OVb~8^AGRU+G|HZa5P3%rw-;=HVo#5bHX8_2Vp+I>a5M;3dk;{2s{aj~& zb3=jRO=f@%e8JFjZvIcRLUqWX8h;lIJ?G~CJQUhe^1_in=dypc7X;KZ1LgY{%=u$r zcz%6>(1HzUObNv87YzM5pZ)Ws(1;Ld8FRtVlh^F@iTj7B;mPMsWesc}h=&WkNo{Nr+^ipr~l>4jRI zs@gJ~wF&W9bb-9ZNAhbMD#o$bq&jXuRO!Eb6}?sXY@X1*qK{+IhFMHzXbAhRjY(S| z#X}sqM$aWO!xoO_;~A`Ngk(A*zKagE3krPC9ctf&7|tGQ-{l&9eW*dc*K`8B!T-=+ zA!kZ3Po9szG#`FNdj$a$(VyboGb8^gHa}Bgec_|=n|ppn6X0~uq1|MDGx#iyeQz<& zhE+Rt1Tgp!4P&QX9Xy5HdCDro(n82&Bb3xGsW+${8HIneW*_z8ULoyx)EmG05Mh$F z&>AihTHUoEzv{TjkJ;=MhW%R+j2YX8JqgJPv)8R&Iu@1h6&$^?~hflE~gXB5?i(}^2P6- zC123{iO+eL#6u#UKP5F@-yh&UAk?eS`V4bT(^~6E{sL&g?%I&ohis5H`MXpEn`Zxq z&&3wMH7tcRRS-YAvPCvt_3}Mt`X_Cdm_e~sjJJk&e7&8KwM9bq2BbD<72s=Vbw75h zK1MZ4E%i1?zGC!(!b%X9D*S2TES&j_w2t?4I{ciE$;kQD#^XYtjz9JdmE3W-T?y+z z#05KQ%9hRlbf?vWXzIP7jwQ*nT&H{G-jl(Rb{e_?=}+Q4+7i`dEnZX7OSZ}As$Z?| z8oR%P5D1g5BIzC9(~L4Z*8^8a)3XDv+8FOd>MvnYe!&#jZ@Hb?T4}dyOe%qr7xZZ> zFKwgYXlH2UjqX%}5**I6G23g3n!1?5z7UlgDfL45*Ah2Yx*{wsNvf}7_7dM3q9chx z^nLY6GxPRLt&0!*F4|UJGslv}gt~5W5DgO{W4oQgH(Qc~YnQt1>?0a(F;qAcXixBT zbt2B|*4}exuODwnfB}tm$YuB>3)m%>wLkvN_4>@&$q&%evu1IL*i!38+Sz3`bx=2 zUT3XDs9JyvZPQe*jeZ8F%>_NiI@-vykm#=HvQbKs3~?MV-|=)8w=cMsD9q39^ay0h zFTQPhU4N>jaJP?B+TApa=mER@Xt$K=0-0obcmtD+FJl%N5fvlswSz(uQe_?tqndK~ z7?%OnK)Zzw_@^p;G8-~3aM1*Z`+bp7yiRPnudj9WQ}BMd^8~*9frSb>F)9Vw&BykO_&{4<0GTezW43;=bcL|;yqL4``?-~{Ahr2+H{! z96gjNrF@N!6%sFz5P{ZXqP7;+4kpEUsYbwq)Lo@cke&ST5%y<&zx8)Y$*W^4;O?;% z#O~(HbJa+O=*xvg&Rxrw8XQ+K=8}Dok;x4k_iCPXW;wdKSCqs- za>9alV^`o(Ud6uK8Cc?+o-t*6cAp_$;=`8RP2MzdP>oj`-g-*FoW$tHl4;)f_)*4_ zM}dc8Z~ZtijQ3MVRXq2TQAUa@r-Z>c*^!YB-imT9ys;?gPd-!zbjp}&mefDHe{{2b z;p>;|l6UJ1%m;U`lyg6^Ar^ZRMInO_!wLVj?S+ZSGO>zEdItC5^_-ngjI|=-GmQ0+ z&S<5;ofgJAwkfseaaE{wx?;vlpE7nrE#K33AH%Gu)WTon-T)5Y-wwk+#B3**`cKI_ zz#aUpK7F6w<9heMI3j$i3 zv!7&;ZGb2h81VI2m^n`BPoaWP>=4NRKYMgWviQ%|4KM*vNCP<1 zfbt5U{Pewv9vBe62U?t6Y}i@(>hqEH8DZo{V`H~?6J8L$vA2@s}&)?NJr;r#5%os$fLoRMh$ zGxJVg2dGdM(5)1Z{08g;g1?iE{zb>Z3s>&Pz~)~v4Up^s`UU*Qw3DS|{r~HYeLs-? z-8U5kaP&a{vEp>uK!6Gq8~A_7^PZfM|Bh|n-&7V301g2PC!pehC(3BwmD7LcRXtZp z@crQacdYx*0|$Ut|5-HvvjbGeF1GCyoV)00`!^Nj{<;^S*J6XqH zQ86yG?MDHuf9FkLVFd&M0qB4kP+*7dEmT(u==b_RtlN(`+#lKo$YQYpS3NTn!~{qg zz)1`cF#s|Kv^(=Z9KFE#_Man;4ydm6TleG6p1?jQ-r28VSI|jko74B`{75M33S0{pln+Br{J7JR7a~85qJWSDu>9Yh zw*OYYaaI-VZ?*j2#EwoXh)+#9B`$yfqRMY#M>%m*7Aa-;EmMce>xF6*GQ`Jh6Qy_3 zG;PyB@n)ckidaoW$|QOdxN3e*^_-auJ$o@>D|32*@ytj zh-G@7+qis?qKhAmZ}9hvY9VUkX>^_MeA);X4;ckk{8!e)qeWA@?Wr4Z6!}6#B6TEUsJDy? zcn>zN+C7#1R_TSk#j{{!H9R)c@6{7+ZN1%sU4n7%rN4(;aJqiQQ_4H2e4npqS!hy0 zA){T@xE55a+~7)K)d)XzD>ovv;P-KgiIuCP2gmyZ8RZTv#QX3yx_fWmxp%BHjAU$o{}JFZ~sEW|jqA`SVBjS9UY^{+K2=~PZC?<9GGa%J`IAsRS~{&{N96B&GluA#3@ z@7$0>6om`Yc;tw_J-U0H+8!;hm|CskXD~VBFBG=^k!6O(H4dSzRQfP;Kr7+3{hCp+`gMq)VpmW>Vue)X&I)JiBYz()q|DMv zdj87~gr1YM@r~) zlMiLijQsu=PDvfl9yZNe?&(%0;w^1-)!!~=%7p6HSY zz){UJ<6+%}709NYnK$6MtJGI7jmR9F?}~k|{*Ge4oUrVod{xTK8zR5NL|)Go%6Emx zIx%}X7EHcmp{@>Jv=sVG1^Jsh6khr1l7IM=Diwa8cN3#;K=?{#(dx&~X7_FiLpro75W+)EVKdSJj71$^1Hwex%5g_W&ahbw60v;kjWX)Q zAsY!Tiw>F1SG+{n4XtzeVd46CoAB=w>@`KVz)Z^z3aT3IjCS6PO^8`t^}T_d$z)1X z@ns}rM#op3IeR=urz~)um>~3iO}(Wyf7}vI!{pOA0zunR%_B2(S~0<1a}+!_k`FSd z9HJutM9EIfBk%xsflaa;^m4xUUJEUUuoBw_(QD#+7{kf}s#jH3CtMM^>;;ic--i(< zWrqw_wDE{*+$ys*W3_zg_2$yV%=|5L!d>;8r=7d3W5W0*pgLdjARVrjQG!++WILXX zJNg4M+4kaQgbC)}e#<#nxo8Y*-==EV$XDlg$ZqCTz4HM(#tZV&jA9 z-T8?kI8)VnO{7Bd2)ddBUGC<0^4=!c7dgaiC=o1|JY@3SPxflU{;bTz2LC3Op5wDw zF$%>!qse?o6v{|MpPW{*4qS<+x0$wH=95qnEi>%f?Gvib-%{bM;3cm3UzRaiNK4bE zmM){#?&ehC?sU5qWV`i$tbGMo7i;r2(%mVDG)Q-eAl)Ec(%oIs-AD*XhqQEecY`1$ zh=Oz}E%hyU{9X}Gy#Moh>Ba9thMj%(+1g zs8__$d1+iCqP@nJgpyJRkHf}syB_(_B;Nmm{K|TYs!xf&vKzc4sd=gOOuZ&Nt)Q)v zc5Cx&Z}UL~zClyW`viL*XbBAnqE!a!xXVh6(f|2 z?3gFr639JVty_em!nR!%Uzs}E*K{tw0d}g&`rN9yLYbspGA1CGt7rPX`+JA{$* zM51xa&!G}1UV6@ZZ0kxn&m4ko8Jc3V%FVK&nZaruEvR*8=(*%7@<7Zz5%msA>2th9 zYPsN{L!Sl}fSzmWMtUhE%ef%vdMxy09hJ->>++#;F$C*fDZU%3DL;bVTNTXf*z30x zAE0yce@^iM1?V4nylV~Ht3=!n6}zhsKYGQ14_9E}`oDhu@U?K-?>V~bU-dIA{C6=s zBhbZ64qs?5Hl;F4+Q8B|MxiYhNR!WT(_UT zFqvPvG z;y=OFzvgRiTi#8l0Mya{@^}CmXJxzY=D1DoxqjyUboEc*IFR3F{-Xx+8ydd})PLdf z{6hqOL;UO~0tW_u{8I!T7QrChPLJ&8co~dq9`t%|x-_|zAeTZ1q(R{U-xgnHrXLB0 z$HTYTV6srz@17)YH|`KNfVD-Je_Xps+7y88iDrn_f`J557B&72@qd ziq7qEZVKeD-pO`0TiGt5oB1}?NkZv&mJdyrC%yHmFC#ObG)Pjpw7#Y3b>9Va{xQzl zNUMX^1_Ix}ci3m^UF}C}CLp?QDNh>84E>v@hxdkyXGF>_-R)66M#u-lHjc4&9}OA1 zpN_f@)%x)*X690(c)WlXtoBo%Z2em=*z2YJ z?FDX2;CB!yQ)iEy-xp*A_U~qel7XkxySzDcDdFx`MFttl6_eI zdBSE;dDdc9=t`|~HxfK!aK2Vz6iPS}ZQ^TIFmjrRj}}d#J`s9e)GPH%H^W--;5q?o z*f(n-A_$HK!$~+p1E^3TAW)XlCCwN1d<(%~s2$9KFhbtFT2)*p`#4ax5to=+uSgi3 zj1+0WXfc4v@9n)iqQuHXfEmt85XeKMwde2gBXAXsbku1@mA8YR=YaIFSVcs~?-uSAurXb?N2 zZ*T!hqLt1_g|JKm;m|txMs9@0yP(Iz%LOKby4-?S0Qz$&_(vEqUupj8%ADg*w8?X| zYU(dym9p~cO1Lt$OsSx=Ms0V4P~fw{FSJ76Aj`m?_$v>5ilf4L)v}gir6YHz0-cAYXl>mnfh$jaEk3DRo_@i`(jV|>Bn-~iyht8%%|+( zM~^41j$dIv-6M+i=O@$>^=X~sXla0ek5VySMoyJCjKNw}IUVp@_M1pcHxE>tGWIUa zN<^t*&mr-06;Y)>SnR`lO#(fD5@dqa$f*a_SynD9M2#pJGc?KhSSw6MK%sid06Es3 zy0l3Z8e!?PLwCRlt-{c0b~>Zj`Kk8fe7mZ+nJOI#-g4G2jDumPv&t20GyeSu?8e!a zW7LI>{&OD+jc8L0{o}V*;^U_cKt^g`eTsJzG|Sy=V=gvH9yY_n4z#cLKst$S9F)S{ zCfzP4^*TdPx9o}rdnJoa?;N+vgs`VPF`N4hFAqE0urF=R$XHkvue;>C2M~t0*(D%_#IDC^SgeAeTwgcL`n$? z*$8?wjTS!08*t? znYml>v_N_Ct^L-v`FxhMI_BQNK*~-*FpblpiZSCGDobR_e1u2G5|5S>Q?xJ=aMmpw zpHCmUrnPm$WMsNXO1SUzu~dJ=cNhvRJZc{;rdwIQ&{r6S3sKN{Jvqizh=fT1?b6-u zgCJBow5g3j#a_RBF~m4(rFEHE`v7}}m>(I_<<433f<7IY^{nA6eYK}!f*KW2`m0707u_Ka-Wb^78-S{yVckH3 zgZ{exI*)dRB?F1z>}-B_K5Ku~N$t6M&FM+?=_BZ|#6G7ZabzFSb>oL`!SSSCXWYvP zMAr0x32{6+gQ8QYvAOGgc|$VlPu`b5^s;VJYJX_B{qy(bubh)>h1Dyt$^MgA!v3RS z0Qk;NVhMmAegM)xRO4=l#j#)ihM#Y{e;MEc9pV5Fo&cE6415I!i(l0Uf$|XxFuRHQ zPs&HSM%q?@*eHMzZ&kIfPw9W;8BpE5nt*dPjU7OH0KEVZIR~ntEDS8bnDM(~@4xcw zSEBpBTr&W(voippFM!p7rDFm@=qr(2W?&{A8{^$2-oJ9}e@7=^x&oS491(y{0JMn% zZOm5#oR|oJ3wbq=>rQa|SDyVUkNfYI>}s;m)hzC-PJ5v1AK+dv078I3qcs4T>Dlit z@BWo%zrvb-=h;;?_v&H-?e(+_KvA3lxSFg$f`JK;OJrdFlltjT^m$hz=2|!M=Phsz z)UF>ge;*D5SMPVQcEj>+h{wQwL!a@^Ao{odi5tbyUz#a^QR4q~rSygz;!m6gu&Dkq zPJ31=)lQH8;T*%Vf>b9(6K@vhUW}MNXqm!;=Q=I2pZQSxc63cR0ojP;`8B(pZDb7) z?ZKkQ4$f-0M*5~bPmkbZTTIC9)%YjdV?V-7?9y+wlR%$nV`8Xu7k_8SW~YnR{7i^p zagK6I0HCxCWF&29cf>ExWLcs*ie^g`y65BjE>Yx9aSo%OnRX=;SU>Rp&07`jQyKBC-G*s^goe72XUbXm28A%;sXs2_Mt2@`gP z-Op(ZZ~Q2Dk?m8?>Jbqgqwk6Qc@l^8E(F4`O8%WMpkHDAkDYuAuwAe5Z-DJu`11b< z*lr0?vR`Xq{{0RG_S&y4N_XzHe+Jk%ZYZ_<1Z-C`N3Z|qL@1*x2vGgQW2i z5wg4F2}~44Xv65hA`C)in#L>Nd!%i+l8scCtAlTm-h2|=*;_4~lX7lxLQgn9NB%DR zwBOrT_JfDR3syXY0K?^$R;zJ+22^WgrVC|EHD(neP`(;08BD88_PSNS4xY>7?{mA~ z22Y${qIuZ8aL~cY^&+|lfg_461b?9-@B{(QB^rwyN+Z>a-Cux5hZm2d)ChHCJM3li zNj@F)?)&JD$u)t4@7mPo4Gr5epEV6T?N=^Z8CD9b2|df;QCmjJ_L`n6Sfz-2?WS$ud7!-_^b(?IjG#47RyQ#xW~_!)6fOyu$_#5w{*$Z%Yvv32<3zLd zD!tBv@sNr>F-O)1aT~Bm`Vi06Go9n02;#%+^LMP|YUO9}HF2iHBG8@Cr4EwlLs6Rf zT9jX7x4+&WG+6h1=}+_0Ie(0&!T)@ybL?>Is~(f8S=R^Xa~(G53NQ> zvk+GC3%+Av{_5s)R1_ocz>TeZ`tMb}b}H2JGK60x>CoNtnYyI{krQIj6QzB9IZEoS zK7?a{tW~Ys%b0x;iVe#XE$PjLi*RxAB#LU|2@uvQ^$egIV4C~X!)r$8`)S=`;*EP2 zCgcMt9r4zp3a2tY;Y?CHkt}-{sr6QQbI7+QCK{(2zBOhbmBISZp%2mz#3V}%Wf&y# zGE%H};OFp;eeKuVZTYJ)K}2Z7!fW@S!$ZL$cWK$*QqpAS`G@d71LeYGHo=5~(XIJf z_FP#_&s@!Ww4$Smf@*W19~6EC9|3fQAS{bV-ba9-HDc}%%c-_+ft2~M+awB9jGZ3I zci32Ha9>RF{mel%D};|IOst`lYhe;WY9K)uzLi}e>_{M2^(==G$w8dBPx(DAIinyq zN(d*DQNIcYa4ngQ0g(R1@XLEp&&J>76@7Tl(f-~fK?MwMD5)L99$Xz9@)7MsxN!)` z%US5xrenB^^vQ4u2C9;j9}Gz*_2;wiPs-~Ts=kLxhigUX0i{jruI1O=!(-~9wuCxk#XVW2sZJ$Ptp4XLrd@I$i0Cq`ZL{mYl#Xg_4pR&HKm7!q0msN& zk~BUvg_lq(Zdy$q6^qIkO=A{wXdw4WNIKUo#4TB$(DyjEbj{|ThQSLXV$6d9qzrrq zf-(CxcM>q@_xL$!2QIxZ;!CXGy14>%M+Gj2Frxfhz@8H}IYWIVnIdARY|u%qJdekW zCn1RFs_1#`jL+|Y*8g3nuwlB9ZHE-Hs8ST3T`rJOrUM~X>oiFq?eUm%er?~LW=jyi zLs~F`g9)7tv+ML>mBS!c?8ch4y*h%{o{yp=pJDuV%$~JbO7I3ujDVG)7uGJau7>^^vAk zl+!xhBH(E8onw1@D<6UcECY6NxhrQbdRpWf?}mJHyYE@b2MJm7BfosRY*qyFVWKsO zxR8hFLn+OE3!YC36*n4e8lqdfKW9@|!a?b9*q`=3dCe6#*RBrXvNm#xC4L#c1vdmr z`2|UNJLQsI>FLQXHq^Jpyzfu^ps>v;h$%|+IkfHmOq?L%rINTXa&0*y~B?S zL_U}cA^2rit3t=7iWR#UoWx}{9VBTv?pxK2AelAi1Pnyza#{W?2LhQc=q6ews9iMN z>e3kB4z14vu_S7^9z=#Lo2p;K!(I+1l%Ltv^#pg%);dW&ZdO^xXJaXK$z{q(Wv?%K z_}1o~?OER#i)k(+ECojuhfCq2n2+Dt@TQZ}0&%yixlOJg6Lqggc-m$T^ot;gD&I3) zy}T@m$!F+Zrl$3ba_170btsdrujo%_3^w2!pH6P~y{9$Vdi&7x!#0+z2m^G^#{nDF zhax-Yh}7)L7H1<=hdf{*5fBo5VW2_x?B`?3^y0QWK<4*dIqwJ%IIgA1euk5G2M9l2 zrZ)ow4q(g%fFS=Kp>kYzSOY)!ODFra-1HSfy%vuKK5$%1L0^CPqhW&Mr|cQWAF^jR z5$X-W>VFrY{}^J;2uO1=0I@0)F!h)bXsNhrEazap8*E)MFMlCl0@F)x;nW+d*#8s% z0DyBx%U+wDp&;v+M7QiS3YCjf_0YF`h04`w!zA^!YV#X`f#r7vfzu*01 z|9$Z|Zb)?hFBXphNH)-4`NaV&B9KC00B|hOQgbI>y>)SK>9GCSn*Y=F15yqQfV>`n zSZM)ycYttyHCX*mWY~UNKX&@t>-Q_p`(Ladkaz%~G{EWx8j%2`1nfZeKPj93?%b`G z6^`VB4LboAn|6vv5b7xvg)HMK5s^idDF{fGUuDYb8k>d02pf=;zSfjJ zvU^Ew+^CjGfF&($ihq9modI)x9&P?@q9rTau%=L6_2H!P>lca1aef+@EA9>94U%h( zYG*a@QGSeS`myQC%v&}X1}C34zA3NeZ-s8=3!&{OXvUb-!ghSdVVKWV?NuBl+4bo_ zihIb)^TD;c_GFRF^VAP(#H}nm_d|>VH9@(Ev z46AG1m0O*9G+Daf;5wp>}`r0Vw~sYRsJntluesAFq3 zM02}2j1w+|Z8}Tk$>1k_ba8Jf!g&Hvx)QiNaJq@H1~TXHC>xlAu)4Fi0x1&~OGgiI z3}Hm`SQtUXzIzxcFhl0SNcME~e% z28AkJUw+K2Y9({Ite{NORLV*DOuB1X@ner#v9irF@Wur^PjM>lH%4}FkuXMSCyh~# zuFAzmR5ODXYfjQx`gs?tyaov`L-|6hzN@L+8|&N(S6<0pfy;U?$u=6D>{@Wxm4cIv zql^|_Upk)0Zfx1^_zI#6cqiL%}fcT-YQv*M_$Ki`#SF8oYz6IEdCF=j|=$>kQPG<0XNMD>@MuZz7fv zuOGau=9v|U(sc!kAaF#gz0WGUpxczqqNX4sW_O597F_2YRslBNU=*nR$}nl^;mN9= zMMYg~HV7}Ks2vV+G?VIQg%?%1g@*}D%$rZ?kRMeesGdmAYQejN3q+EmG93Ey^t?LR zpdg92D3pk=r!|D|VnPXT`kFU=ET6bIS(3UgjfiMF@9n2-oB2td#Cdz$rVCtZZZpW| zXd-y{Rb7%fb_3YJX?{_VseF3AK6{m*P$!vY15*1c3&AX?j{P7N@vDwCXwniUGW>Lu zU}U{bk)o;WB4GMfodUZ`VYYp6)fLKBm-Wz^up)X41i)ZOM2bULIK0TLV)b{ z6Q<4(iAXnw06Bao+XM_trZ0Q;u(jWXHjN*&0*-)pe=g5(!fc`n!bX+0Mc$cPzU=X) z1B#PZ`NsxDUw2GM3yvwOt^n{EXAJWA)Zhd3LvwP3qcL8wbevEIcn8~O(8PRru5k@R zq^nw?Y74e-psz4qi>L-A;#$#KK8}Y>z|j~$z>9L3sFWg`{MZhj@hTy=2tqkv125k% zp*IS#?D;*HP8bw#pLA6vJEF=G9cZWkkWAjbXhsXcH>uE}CMk2|>P#Qrq)(*i8xAVH z51TJeYyGnMWIO#*cLFQ=g@*95@cCZ9|x|U8jm>NaM=`clU zI;ct%^3(YNhzP-SsRopfkPl_Twb5oP4vGy}>&Q`yg72lr=)}4u!kRf6Gxr&|A5CK_ zVyjVBw&}nGR96=_U2Yxh!$Su^!tQ)@MOQF!!PP|}$9iC{1~JX)PhUBq4j%V}35&2F z(*O?&OOkfyfMp9RAnb+V$g{YzF4iPl_q>`MoLU5|Lj$Aato}udB|L;9o#L-Nev(#C zEat+m!1nt=Bp};JSHj`GMc6Xvu74X{f^~cG zI9mJtTYu>g_9p0(Dg2s84s+a9qg5gmw3exq~f?Slr-fTNOz!y|dhGc%(kbELfz zbwoKHO#XT<(+P(#=RPCN1+|C+JIUU0*}dk~^mYHW=8J%f^~)`5XgV=}O=LI`TweIb z_7EQ~ds<^~)1E40Y+Ba-=QY_DA%_JDE=CE!K>K?fm-mb(&F|7|xN4{VPdNMo%KTow z;JA)ae#=fUUYEZAPuU5MpYrM)*LvGmNeQ6Y{Hj`hBL(r}$9~3T{|;qc2`K;q&Hz~! zV1WWvIu<~wnF9z0S(yP`$b2^rw9>ZGHnh>UGNJ@bZbQIdL+gL%90LGKS%7j1>(yK= zAX~)10)Xc$Ml=Abfu;FV5dB9D6X<27y^R8|SM-0gcuYW*91wj6%Hu#EIncVvd{uA- zrt`8~=`1k*4PzTv_giZRh%@|W&s~S=*SqlV5h}16x6s=S)4L%mV0H_+{cc8omG8L= zYTgnI|8dLwbQZWwK;np*^)|3zy`_BkyCpL)xa|(`1u)J3a(%9Z8h|tla0PzHGQbY{ zJ4?V>AX#(E5?G>J`02ML0!Zex>_86c_k%KUF#Spby?s5edLsZL_+3+YIc_x@|Gq|y zOjnu|cO3Nk0rYc&{}a^qFM%3Bx&P0m{aNq4YL@x-j4Yh7-kh2h^o+oZX5t6RKIzbPLg0UFSqol_QUOPe5SEgU04|fwA+#l6!UmUGX znZpU6xp=gu6BlBBu0~G*-5u;r)>le@2pRB%x6b2`YwQ8uLwF_M7^m2F?wt_PEc&K4`nzji7Y*lA%(7TJu>UHUB3$0xSvBF6*UF1)nu(Mof zKrG@D&&^W6g%J!(oUV!W8>+A{=|Y#%H_{12>9L0MuU5FNH>2th=7WPSX+H#gX8DOa zKcBrGk`xtPTJp51TaS&hD1(SDY$;sl+G9MQ&&jdEv5>ZRBbai z|CGZMkyEpSgUn6$;U=0bt-W{5IG{~py_*Ic-D8OXrkeL2(_|2R=M3qu3GT}o!j)B2 zIcpf~qZC0cUtA|+1cabSYPt7M$uQ;EhZi_0HL-I=J$T9WQQ`7SWj3gzweDXS#FA>$ z+Z!k(y)sbm$NHi}HW#3OPr$^_!tY6Sd~}DBDzR-_uCV@*g`aEy%EOI4hujdip~1F2 zd_TP&^MP(JNq?s=hvi0iG5XJ3EiKPie0@%`)ES1}p`WqkfE8q166j=u$(TfjeFLe( zgP|p4m>TwNce9jYFKQ{G!W}bS+XcDsM&1mrHLrjSOc9MUHM6V&ciYh6Rj0CMQ{4x6O`9@lXbtB z*z~tj3lPUuGh&?-{+6_Ez51QGt%KTd{Mlj|J0`w0)E_AD7aB*zUnTA?TGK1z(rS88JpB?-hfG?2;k|Ae>YY=ONVTLG&I8CcwiYCFKS508z z76CEh_06$$%{yK&NwxFz9;Ff}m9eF1m=^&&0$GynJ47CSUI#ArvN1N>flj*b=S>*W z60-p<`v;b8(M)b=&ysw<>S3^7f`xGEx@SER>DM&2NI8u-3j4Hz_WrQ80shgm*7t9n zLQAXYA`Q{j`e2zx=s&&UcMpmgPVSIfZBNL5DY%q7g z@W2VLl4~k7`RTpvXZ%}jQWDS-=j0Xy=L5SAggLb_iU`{K+X0E#uXR2sR$=FoBz8=e z6O}<*+pR4dnH6|z-2Wi7(eL#_=q=_HjELI9Q=47h=$*@Adhci*yH6)UC+=Fz9#Eis z>y8VQ%v-yZrpJNE*vTpYL$G5*HF5Kg25qUk;8r`0dBzz2 z3Bt$jIFCjy&&WgHEBY8~How~Bu38%K=K9Y=_)ntM>j(93(JGMo|F3FkzjQ}%0Of-J z9P|3^cJ0N_0N~H3n=swb!?y7or5{9YdX&n|1C( zfJ(%9vH1P8TxrtKBN-*)s|=OZU49UK+_VO-a=J76Icn6=NGdl%UW6MO4eYb%YZ`II{HX2?N%~N8j>L z*R8pN=S9xN5@=ZgMZZ>te zd_U_OAt4^|ga=wUFy{reClW zC}A(7pK)(K_LV#iBak{VJsk@R`BbwUpIM1rm#^;6$H z;!Vf?unYo51N%VSN{1kndm62QLSFGGEO7JN4KuugCA(Mi>XDMpVADCY8gGI(+wBqi*a^7(&2*9ihdD`%ZT(f_r1+0)p8RRy{acMhlvVV zra@{5GA)SI9c^KzG7A(H6tHV`+H4L{Fu17+Q<3$lnE45qHrvZjmR?jLn6xIWdUJZL zZ>`L1b_ao|-e)4t43eL5n8y{gpwKqgHc^qXgw!^9k89}D&^x)N1^wZp+UV0aj2UoA+Lcs_pfK@U)NQfYQY$Rj zztOHF*HNS|Wgr{JUE0@bN5++L`{siUp#(|mtP^;{5ow>&#PCtTF3P>GBhMZlM?5}x z%^8R$5MTZk{B6_Dp`7${M(*3a_oB-&wVg9>H;4M8 zM^wMa+2&}NaGdD5qj!#lX$C%ju>5Rls>8Szi3PWP)G$OMNifGrUV1<%avX#wRamB{ zmciWiVPR~Z2Bpjy`#BopTtDA<kQ$W(w|eD9=}_oi_l%(^Qo&s z{~hFKTWQ#CjRXpRE^>#M8Y}vRrb2-#l$E-Qj6A!8b(yy>f@(QJsMRJ?AjKZRDbUOi zB`Nbc=IvEHQi=aOMra|8IyGdhAJ9ddA1z{c&5vl7LdHqfg$?DqPlrBHPP4)z(n>`chP99|))u^7=)x?@jx!89<20|SJ({7?e_>Gq=_moh(OVvpX%tF048^xEm>ZISDgds2X zj+rOmm&4#d~aMsuF{Xn`j!ccoS~9 z_25feY}pI$U!xb(Cv>g8#B_bEKwgmSuSE|=-8;B zK{=brVFar*;cj^mrn9Og?LLoyt|jwb@#Gzvt+%qDKZIp(bPsVbUu8W03vSl0@#L*0 zfh)4XRrd35yKRBlAisxNH%x(C6p%t>zq33Jv<&4%1s<8-HxH&aGNKywwyxZXCs zR{#B(Rl4h38336N);qIc*L&ip>7PWTH*!$F^xpqNvcUCtho6V|NfuxQ(qsQH2(46A zv7Kc{bw4Uzcq5O|+QAzkF~Oxr-aW2oXv+F^n_DkCn*z2>Ia>rlv~$s;dCtf)PLCXa zHYR_8V8qDI!;KfwXM+Hq`}x`8`sZ(r!hyP-JbMP^F%G=ppUwJx5rY?npie1DANd64|0wrb=62S!hQ63wxc-bbOBY z@E4kwIn#!6kcjg+wG-MU7Y2McpdNKwIpH0QlQW|te(>`a_{jC{$U2m!lT~u3}-KU>!MVoi)`V!|Lz1L1tuXRvr8~FJ0^9KYbo7 zX6_SWEkhsu{I-(hyF<^+p#w~|EL-B?!IP+jp3XVZZWK7dGZF#QK^5u)apD(t10jT} zrh`t{jo2A#<2JLdPd>Ou4@8e#IK?Cpfr$vn@;sdJV!_DA-;y*e#%4qz6Jb-_Z5CtJ z*tSEZeR0AqCQJfhh^j)Sz_PJw5RE3--5Cn;NcnZ9d;1$R0ZKBx@65O;py<)={DeuQ zqtOz2?D{%HvD-{4fq_rAzvfL{aw|ThN|1xNhdH)?5^-OQojRRLg9dFke@UMWvcWRU z;&4b(PrWMp6}Zq~=?nOR40#5G!y|NMK^UkvpXs(<2zNKU-Uy3=-u|wW5@+YQ^4=^J za=JU@T>kVaAD6^u?vX>9MNgI87}d{GgT3}c3}*cZNO=pw@aALUytD zwHsVh5k=&Pr*IlyTmr$zBmq9v%XJtm*G*$5397+SwNL0I5~ zL&ZEBe=Ui~<<=3}8~dPYsl_gTW}vJfM?D1`UV_RTqTw4>B#7;(xC+k0X=rM3I9jWJMj=daE+7+4FpFPr;d=M5@-YGutbz*ozV;+8EGm zVR>FYd3vOyl+-_cHgy-1i^AMP>C50;`i8SNdisoB*zBnqwx5-_ z5xb;bIAOJm`uh`vJ`g%n?d`N^tbhmO2~;S-omCDG-lcYG5h;XRZUv8xRA;<#sKJH* zR%eoa-+WU+>qElXR1HG>>{G`!sZuuOGMnS7lVG9&kTVJx;lf<5iStiW(@|_x4@&K2 zFy|g1IN-eRaZ5pB(h}K=#ci#5o2Sm!JtXNxVzViRtTm~B zA}PM7cszocoEW%oVonNrj%(W6GpO#;V*^$et=-_X7+clt8ZfCS<^QzaDmDLpmX)|q z5cSuB{J89I20=>>2c;j5&%^yHIUM(NO_OMdC0tcck`Y18Nbl#w1pAc^qw+LfMy~R` z7JFDmPpZsF5*H}Tx~KHgme?m%gI6$$?{j@r#496?W0bDc?&vdcQqmc}L6fFW0wbg^ zNB!4#wgmiVj6riy7N=C-wn)!E8QC8%pF)^dS9Sp*5dAbl|5#t5oX^ll?tRL}VbRur z`+#Q^2j!p@Ca509l5I0lU^?g{uE$$nt#b2-;(bDr{K3mDU>B?e4ajOc6YyN4@ao}% zvYShDUk%NtlZqd@V~JRGjp}4-e88LwUna1Nt@yyC4>emy-5cB!bf|ZdQ~*-eHj}OT zTqPA;&Jt31>Gl1SS*B|IhGO)f#&z7fJO%hwU8SYR-=WRgK0%^V-}e#GklA?wLyj5a z2foR%kD8-y$APD;&il9)#=`6VOTT>tAG9i|)DdE<7E07=D%NL@0@$ z+_GAiKw?P1mm&h9#yoZgwEYkgMo=}U_N)=>%0Xb6n)IyrUwr0^vHHU6DbOE=pvraM z)?+8A+OHFSzei4|`)SjJfuziQGF(U@O-rHWMmr<7G;`%nw4h9?89~{wxK?`@m50f* z29FXy!ZOW=_0f}*&9$ELY3UpC=q{<M57`jFWlG`$OxTqPB@PXNt7eN;; zygpq+_kxSBa6AJ+Sf{iLeQ8Q^?Sb@ReP}SGef8t^qGq_~5RD+-jM`#3a;61ZZ0TCO{1A~^L=MAy|j3$Amcz?pN9exWlq`3OTi$X<%&&*-tC|B5yL5Lbe7)cVRv)` z0zDWZo_K{nH-1{MCmsit+I`Eyi)3squ6|yWGh&;H<;}cVNGh96{q0PYH@QXfPiM^Y zM-#vsVx`dyakqU!lr&81l$c6fT~FUQT6Gm>U{9eRlx{u1XXml@4%#a1d%R*z9LLM= zVoqPWJpdCm;{x*7PkTqGUVZt49^C~8;+c9g7zDZ=^+T)seNw6Gc(R`D>D1pYpsJwt z-XCKd9!aF9&6($=gqT|hCqshLttqB@@}3TWAobj@_Q^oC8zK-q5*hUceZt@OB*Ag& z9w&);U@Eb(TtulCY#kL?PBT>+U36SZd@aOmgH79+q}(3eSvs3RZk$Kxxt$@~3>_Gd zKNAjY9hGj`Fcgsp#Kj--qLkg}5DmC!OVVYTvZIPvxUj<=bec0aGE%2GvH^jW>Lu(e zw_8Gz3{!~`pL|-Nf6pZ2f&vjXWxo~&%6SwtXW0cT{*mOov-68#o ziP9sxF%Nis;t0*{}i zlAoYm=Apf{mi@Q1v$;Y8Byz5x*N8DZuKGiI{9Jmat2@yw;`9X@#F%n=uwvc@MBJTx zDIA&=tZrPX9FH%PSlFr6OqaVEO~0SDOi-(tG(yxAq-!8%Dax6B4_;+X#QtKjn3(}? z*gABh?X^8-A>sS#ZmyG;ZF z<1A`?vYr{30{Vfo0w!aQuovPYxaR7qGb>Nd>iY4r@*Vo;_%)4LC%4DV%*FY*s#o+9 zy2No&(g|q9v9hePQ_ASNwN1_L*%}MO!q)Cw%%;BMQ3XYf@UrEmC5xj%SZkXmKYA*d z)SDUiSjlE+{_>tv0}|?8NbJU#vOme}|1sSR=!~$nw71dKw*{CZKgXs0o$k>cT{0Zk z%=Ih!$V^y(jlk)55DEhinFk-nJ~t-X%Dg`GXE zuBAC0z;LH$rnA+zanQFhv^Un%r{kwH)wj{nx3RRPG1JqwqBXKJH+uwNpq6`;c3>H4p5{l>NUs^gHke6hQvY5@^a{y~7e{DY(Vf`R$<0^h`i6%3T~5faLYp z{$34sUz|1!N( z*81Lb8cgNr_D>ObLuUr;-;%=?AM-qSbF@9!AJ*Q~)4&Xws#SR$WQ7|4f)Oq`am;z8 zNdr9cZC%VdW}Bm0qjE5beQI2NexBXOFK!d80;k%!VwK8}O)iqYZ25|{isLX11m8M7 zw-3HlqO&aGR);8Q+5xXf*+=EE4xXE+M{1G-Js0jiYNNK_hMydYw1#c2+&f&~QM$0( zkxkirvipQb!f3~FHh+pXR-0h1KEJ3Gqb`|Jz7jd|bUG>2|CEMppUCr_dlBs8XBgFR z>{08Vo@qnhH(CdSsheGX!hix5{MaaCDVZocKb{7;PJe!d>J0`-@$9zVb7`fIjtX+} zrwxag{XIw@ln@vy)$=wxVwDOuFs1DSC?U_OeOmf60?`?m72drq!aZ!H{K^elJ@1z^NHYudJ~_`LH{XRuFVJdk9m;W>r5TTUwr+x#RA7<^7LXZ%_XBy zSt~XAz0`Z9FnrE_9rREd9YJCeF!VH~xs`)&W7?*+)D3|mHBQ`TgGZ-zl*cV1PoG2^ z%Xt8DUHLLxVcT@x#1(@sAF*(!~K2c~*?aUVCNWBT&E~KA8pVRhuUcj?ixD@04 zSZSQQ6!*h+0=b!5p+N>+vRz$hpldxmtLWYc1!v5=EdHFbP&ItFu(FrI5PhTErG}f) z1{JZa6L^Qh#1r#^N8yVh+ceD!^G#TuN~bA-{NO(9R-D-E#7!LD*m*+qs2%A$f+`XT zsPvt1gNH&VFEzTIp`=#po3~pr#QZCtwCbdbG0*0mp_zHVMMEX|>TgjMQ@R9AGBrIC zHuro(JAfcF&oY_dv$#*!2G+-SuPr8@aAO!ZY(?76Z zZhBAQb)=;-(^G*i#;-?JYJv_t73EWP-c5RMBxkAbp?EUD89=^tTKB=NWbPP~5SQ^u zQ`BqQdPZ1}#}|H&AZ@?4iInz@a8j4I|C84x2|=J9wBHGfhuK=?Dn@%K1P0nXr#-(j zQ_T7J(dlEiZH3uIz^;lsAztxD#Qx%^mj8f2&N32Rw2=WE{9qLM855E9<=06~jTb!4 zbt)ud2O3Ss2MNT%*+I_y&C4X01CFPvD6Lx1^fn?WzVFO)PW4;8pb(XF$#(MJ7sP;$ zy$u((fqiATiVlrvKyuQ?AcF%a#h30zYtirK3Uc~%`G$om$w66E7i%4W*^{?Ggeo-a z_wKhJ_BNQS5A~Q;v6p3QGOLA($v_4(#erYoNS-ml6Vt&W`wys0Wh$JYJdL%AS(b3) zl;k4xO9q``xY&W=5gZXA$#{MrEhP!{BLSblw7`8mT5V)y<7)j+yt^tN10ETLq@;rH znZBmLXst5@vE-m188!sJXu!vQN66(s1H$2qh}=Rjq~quH056gDsaK8S7nTF1zyN*^ zuX5vfG5kKl-f(wq9JuGhq1>QQmrskwLDYx5rIKD)BXdR$EVwTPBr(3Yqb_TTA%5nyU18ai^2il>ft=6?QN4=1yqWWS80();n30y;775dC-K?1#zd z5~Q(s$iy(GnBJjF$zS=-TaQb@sbHB(h#nSD5JQG=2Xckz!&~pX+}|r+d}YV|C3(g9 zp^(;V_)Qyx>6LCZ`{TeOW;7+rMry^*vejU5IlALdmILnZE9MXxQq~O5hizDeDD+^k zO{GLmR1-t*&265QTwWmXpLrV#5m1S|D=vAozIBqw5BpEJYo(H-PKPa#7eXL`$Ozt3;YK|uV9WawfXKka%IpQ}& zGmIh))JxTej%TdMC|m-k4U0#LBs84f2=>H&Cm(BA7X--p(@4#OhOxq03o``?7%eV(%LUJj^yy^hdy7L=$)5{Dy+%8> zseL6>Q!p1_;66H!E+_B{!Rf}D8Xtkz&L{1$;2M&_S54;3TlAUp_lhIyreZmutYfp7 zrD{d|0y?s=KE__~Pda|a?e+pCKAg5rwj3QJM!gT&Pn)^ zldt2~JN3gg!D$UxBT`tBszsd(mf>*l-z{v2Z-435pzh#5r`nCO+NTq#jWUs>l6_)a z^&uK!=|zJ7$_kkG7h2VZ0QIajQaa-NfiOH)QEsm%=~qN}P96LTUh?*+gGqSM>^aHE8q+ZblNUzSSqf~Z?O z#<@qN@VNaj?&~lac>9))zzWb-fW}uRsKywsWN=R4IyGingNE9T3pr%J-fb>VPP6X*5(b*5 zg#4hNp$(s(vm>V6O@`S=PYQ1oPZrg(%l*3`O%(F?hi8pvpV{0WH4rSQY7u1R?T{0u z7=Of7_6L7@tfh|}{b7alg!tHf-bxg*sBBKjk9%&_17y$l$(=018^Qh$^mD7~dmZBb z#v%kr{{L0g_ZLMDjz30*0&w9+s|)bquFS#>^54G$W>>O{^nf7bl|VQnpw#!X=Y<7m z7yr|?4M1Mtm$s5yQyqVJ{}XonJO6;nFFk-8nOOjKAfU(qC|WQ9u#p)UA4mUZ$_#%6 z8?Tr1f8!Y=(-rC>0Q3Wy0WAwApl1k>W*`8RIDo#3ySs7zaEzJuww48eihjd**W2%( zz*#_o{jW@cazC(kK)U7*cz8V_)}=c!&W^?S}riPE>Te8Y$;npEpNC z=nokqJ1GxoX&awq6N&QEjpmK0tg2HtI$mtVhq}I_m3S=Y_0g`pR!sJC%|`CM{$#bY zCM(OR#&%y;{Gk2<4@sMvTzmu5KA~TzZ$e}9@x|sz=X3xQ3?DcEEg?3HBf*1|%!cM0 zks3%xnvXzH4DuXxh0VDhErO~ zj5b=}{uC+prIQmy^q2wD3yYjc5^dRvdQzBlP=Mfz5eCTy3A#!YXH(%E;V^u>(^FZQ0F9k26oc^onwx&A-$-U2MEWs4uC zyQNeb3F&Smq(QooZfTH~5&;neBm^V{LF!RY1>wKKuLt{{pOU`}Jr|($tghlH+uIM_?0FMD$}{MU z^VV=bvZX_WkNbGFz%Z$T72UDGtNGE!iu?FeR~7ror^?8Y8&YW`+iTey!$OSP6-n9p zkJLJ<-IB^}wZ*U%Wxkj(@Vv&#wc=T<#biHY>PX}B%eqO~zjt=SZDF;I5^Z~arCW>k zIXxCNZr(~%WDPaGj!1tWeJ~X^0ovpKli%>uYDh z@Y%r%j&H|GoJu{R0`;z_($o#VFO89O?;AB;`NC7gWO#^M9IT(%Pj2+m7FN#$mDv?{ zX%)BicsJ_%1l9&jYw!o3*?8kB53gJLZNJj6=dsXf$ZBVI@Hi0I&T;+pxdC&lB4xhj zJT+me(lp_q$Ap11HB1#sL_7E$pT*_Ag0B-RwX z^$CUWZa<3cb04sI!?MCRLG^k#bW|ud)X%pfUYFNg12<;q_LjhwLsv-3s@3J#-Y{X+)N^R3~egKDqaX0z$X>y-!C(!dpQj~kY0 z@W=S791OMjPuSg3F{miiq~uGW=6+(wm9)1_fHVNCdZ3Hbx!u8LtXnHAU7-o{;VW)< z>+o1uNWB;7UBlGiX6bk~qQ;qx_Sp!z8j7NTv)YQXXmG`{s>1}9G;e{>+NOk zcs3!DV>sW9O_qjt)d?s`1g^P4IdyJy{4FF|`SttMu4r6yD5Xvj#eznA2go{Nfh9P?9K!@;rZ zXk6H%5T=fTNjp-R5scraag^fs- z*NhWx3L-SyI?XF&s^E~J7f+N3mA>=!L@INQqDq(H3a;joQgBf~xVO84IFnoLki&&E zOujYeg5qo@{uV!tDfx_MbeJxu)Q^ z#bz(jVnnlWI%&P8?c%KpJ^Y_tW_YZ1y`$hA?XL9Nnc|D>(D||F_z$0V=w{NeU+Zn$ zM|~Hhm+f%XTaS#*)QQllr!sZvZlz=huU%JIWP$$CT+luWf&zlYaXt!N=bLp|p15Pi zO2N1PoqBTA~uN1koJl8#?dy>Cjv>~2wH6Y+|gsjkh0we_AuI+h%tVZD+xSvH*9m?cSQ zn|L#7H%((jpLWGvGBRc9vOWBf*l-&dis$WQ(@*>q95G&^31CU09G%)cf-}yS!1JLp zeFCdIw_(!`m+9K#3fp=-j*oOVOYHMB+v_u|(^lQ{6we)ZI?j8PO($xk4sKWTrFASk z0`#(%O1%}jRw9_C%TfGFx#H)f-mb90Ds=L^)0@+=anZ10FqehpD=ip_YW47JwrLP=`j z4`43$gnnW=9KPWe*^OZ@pRX$+E6PnnqIBi?bNG%=&bw+Wme=TJ7VOd)GlurK^GVOXxibFO6RV+fw$i9&)m&_#Icxh41d)=ObQpn_Crve| z*AX|JGg4)9a^Y5&a0Yp#kD}T2w_wa+qt}gH_!>0wr977?qaNhHt)9dxVSYD1rango zgBz_XH1noD1dq)E|3%vSbx}#;$r?EFh@r%pn@gv5JI^1PR<><_on49iBF9yOcK!xi ze036Ae17~(KdYGEjGANJ?BN#dIV=63 zX|TVL-RqXj5qEt<+zr;_T7u8BUV0i9imoZw`14CEED;(Q?@B7-JeJ!(dz9S3kkKn! z=zq8PF-@~~Dnf(A(+b^!={agd&1j``PJ{WicnXvpIF2xCz1#8E1FMX5SDGE#)olx7 zebHbHO7T0swh=s?&=M&x)s4#{(i_5hr$PUbNGKw#yOcQRD^Vq(OVF+UD~u{j@$p=& z}582tz%6Mno1$KjrJ7qr3D|0I<;Wx34cUu>XVx z^%qJnWcvLlr5A$5^*dXgp$J6(azn`vh3Dgk;Glu#bYPVM-0J+Zqlfa!$ZJ&B=DL6N-ON+mEW{e@EMQWgPG^3GuiG8gsdTZ3&<;7dZ9zZU#$lq^iy+7Kf|3U%%L9_gm0{W9``oo#O-&8;$Kps$bLlw|}u)}&&*V|>H6!+XP zZH{&|tLiejB+R`#v?=rv$$ZuuL#pG6W2sn?O{;tYHxxcE7;vmwZnF^1JaHeGzs7IJ z8OKdq4nr8$Y;stJ&L7he%6WXSvL2Q>Pt=em;kMx7=UkY8a1ZbO^Gzue=O>C&x*`gR zmLI%W)~~zg7bSLk;OM@zP9@OkA96~HL+q>3x6DcIPB0awZn#<=?L@sAINDi!y!W;F zP}-76nmmHIb6bJ9Yk4f-l0x+9%BHtvG~CydP}4B_Dan1}Bf%BnX?y{Tbdy{t9J zAn(OsB`W{Q-^N4yT#9+P&HJ>$)tibh=CZq(c;vMsU6%GMcWH#|xyg%pbQp|xiuLb! zF%Z#PR2h^=L`i)Q8XJ*%F_d(x@L404ci+%eBQd6U;6pjcVb^a}5`pedl@m9WlJ>E~;u-(-E)j(7up zVA1vI%vcoK6&*Z%Yk1j7h9}Qrn+02E1d`4%#E^tW2UPs~ObO-h;%1BeJsUw%Wm~2s3POZ+21O z$tdS9^|;!SKlMe&UcnT^aV+rMKrd5T?YcCIW%|`KY740$;{MzD+Z`WFVqKRT+)~?B zj=QfRyf`UvQ?FqhxF)yluwGp|Qh`B@BT9LavrSYulJo(1smfCRhMq$6F@49Rg zTR-IMwAd0J(@E+qe_9(Aq@CEJ7cdIN{d5jr7|<6U!W$9H$!hT-c||xQgT^&O*7VXu z35;FHnvZ7x?)DqQlu?nIs<%Bg$6@w4E5|YUPm{hRkQqMStNhsWG}WEyM7uQ9!Y$l+ zRLi-)#bsxeB=KIlL7IMv)3ZA*(W$j3qgH3}-d$!0l};_=T8E>=>;2q(Nf{crsFRUn zZNaG;DFm{b^{Er`4h!~!zIzMhV%pvm3Nj7J1a{TWjob5XC_Y>l*9$wzFW&W1dy?1c zpzdQ?VH*7AYQOqgicQB?#Iwz=uy{Wq!SZ2&%=1%$)`%4c`xJP?UA@~WPS2D|O1*=M z#1{4`8s4(qlNp&npKfam8o4KWL?%%SyWqdF>|~FwMI5E@K0{~tOV>=4?vk)}-uTlm zFK)ls<7jG-(HStW>GyuP7LqC2+VfER!!v^=v^54*Qo0$R7d|j!pNL=GKp_iqo1lPs z98~6zv;$KpgtWeAv1&>>cfuvp>T)~js=_@w<(+3=yf9I2BM&qS!`)%fvO=exU8|*b z^VM~@wh|z{ICex_bZ$7^T%>7$iv$4MxjnN53a8!ilX^lCy$RrGaNByrMz|NYSEYG*VnDBID592 zv*;ebW6^a^bL@UUW0W(U!}V$m*HH!vT4}%~dA< zhoUdwY-13u`Y`Hlt+li6yjD%MZD-O@X0(~S^%^;~dOuud5Or=lf3`cf(XHQY5Dj_o zQ@C!@zR>kuA(po-jfjL+WFn_n`{p|am;f&*AV39TyGMx=9e(k z&*~BIc1ce}7V&%?@N$*rAT-WVP~7qD!*~@q*)pa3VMh+YOJFwFOxm(b`4F6Z93HTX zHc5Ko6-q%V(V8zO^}JtDSI8_kIe0+4VbyNV>t-6-v?!;pw885vmU9@ItvDl<&sfKG z^nAQ_`UTH!V2A8wAz!7GF}$WoWVGXg%ur9<*dkL=pvu-BdxOnfD;#-WIBm$FlkUl$Q;!;-j=q1_J^;I`7 zc;5;94@E3t8+7oy=}B%W1DX0Q%unK-GRtY+bDHkU!;1@|B<8PI)nX__{q}30~mD;!*m<%wyYBA z?S2mwioy91YcsmdC7c)fF8sj>$}kI*T+~8&48T8MD zMY+#aX!355fybIRp^*^l%uom7{s@x2)y>JH2;BFPN4_HaJ0{91 zeRo%w8SB_I8A%^M@HaEjDbTuJ(#;*eNfTe;5NMDNoF|t~kFy`kBD-mW&4y$moyoEw zg7>^+J;O#oM7fNAIyt4kmF-LCy)?b$&rgifP_cTe8xt&jsu0zp533Mykzi)aD5BXC zr>*g)zMvzCzk1z9Ud|w40;o>aI@9aoFNAtwjGEfAc+~baJg35Y$yzfI(L=H`vElqL z%VnKTR?m+Kc&0l_4&vG6xgU*`mm|tq;!ltS8}pj*-4<}xUv|0Qd}9=^9r22m)yIdK zvv)=6XX+nf&|Z~ojp!6?b!l@I-`kvZ*L&+o{wc35s~BhhteGgYB*kvjVwi@r$3n#t ziA_)tfy^m*>6p(0|EP3(N`oWl0h&=8^-Q1J(|Td*Pd-;Xnn*3YYl5Y751tNjc53p_ zonK)sx7%%%o{(Vf$QI_|96hh<-W0O2ODw?7%NMS99e}49eLB3wbdZ*saua4)i>rsV z8!-Ki)=Bkq7w9J9q(I9sh}Ib>fF*?Yh+NAfXh zeBtWi&al>-l2J2$i>sc9Y=c4DBCg|H9JWXzx)YOWSKAIxRbs@lTiteTsyRFPTMTyz zlKJME!m!G&A&`ZPAc_aEORfmwwL}iSIs2@LAZUz@zb;!<^W<>$@=3j@IW`L{@~}^D z*Ot}X7Oefj_E)X6`C;}b2^b_b!PeW#g+@X+L%Zg;OLF~*9}v3Z^t%)k*t}I}FNBGI zMRNNqvt=AjqdNS+p+jX5b^JvN;04HTzgRuL;n@9r))mlLe$VQ8kpc)cc76wxW#|8f zT?=S}5YX9QG{OJvj#(~tUcg4i2f%>=J7;+~fa9Y46g)hj;p=Zy8o=S*FFUI*K<52V zo%(YD+9-$t$OQmogKi1Az*De*Gej;9!1&4c7rVay&NTZI;PQW`4YC9DfXX{32$~I; z5;*{MkPkSw%msS<`zz1%KNx3!^_c$?#PEMd90#zS76g*u0DL%d0b8Is0Ngij;1~b^ zEeLF-zfe{EH#?yrfQ?Xv52C0-`pNGost}0BzfO9wdmljXf7IH4EfH9=-~m7YfwhZY zH~m7oBDBQ6P>p|5fPdK9`(N8;e}ct>s>Yxj``@(9R_oe1Oz_~HZ5bA}`K+)MWJs#K zxv__12q?<(UduxGjsN+jwg)DS(_H>S= zytdrhXa-=WA|h%DW|@p-SAvSe@)Bp*!%W!2P7{tp6ZG>f9G0h9J=nDNRR_^~Qnb1n zK4p0LRxlKC*o^6x>S(A=hq3781T{_`4-YsMIMZB}WKI6$?-|w+wjI&U65%U2m;OL- zzPK%L{~lp^9}{!LltD!?!JZ$lOQOu&=xZ{K&QrEv%NyP>YOEuIOVBdMh7Qb81FtRCq zp9TQD8oJ}geSL&<%6z5UYHs17Eq+VRhy^}T;r*w9T-c^P5>`S&yak7CH z!<)~815=8XZkg>o^7UOE+>f7P3YWQRW{+wvMNZF8k`)Y|XtLz^EM8;GVI6oM~wxo-BunUIPY}o zQ8yYW9E>5m5qsRH5vFR}z8h}LB1d(Q3lFe9MSJS0;M;t}BvvhW<*vb8 zW#o&FrJ6t=LK|whur^#^or8V*p+MPSX~&7bY$Y+~$SAV!xTeMpGW|hD4eXMJn1WL0 zYLulS4MD2PO*8>5HN7m(78jbZ1GxBW4QfmL+`Wlc?%Y9i41bD=nW<+qiJ~Wij%Hoq z?UKIwI(OYZ?1T>6=`!+Fmqa2ot{&x+7GJuf4_GPzk5Rho&h~F~*Q-29ny`AGutwoOZh4COqcAPY=~=Z#l*AH9gKa+&v_*YAyYPtjGunY87< zo6Z$4xvGk4kjLmH=k+evdb?&YyZ9;1!~A!B&mR&NV3o(tTyZUYqdvB<5_Ew2xL#w; zsgLAdC)$TSeQ}qZFEqos>fBd?2_g%E$?cIdUxsJfyfbe(6ROOxeC@k##9Mk*|4Ldk znRRNwNny~ui-T|B!`ai-o0N|~?r9EYBbHVb)bHmzzSkRhTCTV9T=-@n#brISD6e;& z=o2bbTLQIyXW>`6ve%sRUK}TAF0vM^zpnHelg<~3)sV;Zc5JDu92oi9jVT&=;~`Au zI)QHtjFWBj8Pe^y${SDA&&j^X1(mbP`mPb#9YNA&vC8sU5yUrz`z4mzF=BfLT6 zzky-xOa(jUX+*58Z++~6a^tdMa+1Fj4vx_kd+|3ENLNsmIvI(zr!5|T&4MTCj?!T% z2{qzfd!3e4h~m6Nk#xbaIJNEy zIW+Cg#AT!3R}iKfCd?JXsdIueUtFWLan$lFt`gf+#*}^CV|$o#?rmYK5-<0%KxA!EoOPxq1#0?_J5vpDT>ZUUCzO|F1S0PrkREJ$ zvv1@slP!rBI89KLIY8e8DQAe4UX_I{NF3Y>*q`-X?ap(1$ z?$NG&-s-oV-86swR@tN`_fDaEuEO}C-e5Sb+@OcpN|xQcEn1?0_LyVzPFDU}gGDb} zu=l4%Q_Wml#fq%R6T>f_2mNB#KV>@j^&qK;qadtaa-Mr49rm!eEewmwhDt_zCKNl0 zyPk^eiu@3cI=q4=tOpw%PT_OoDT`7_%IoiXbW8)t?K4Ku=nQYfBcD*;q z7Ceo)aZ?Ko*49pH{pfyAYW}?Ti<`r7a!;loP(7>V2s5jGDzhp>nOKT{J)e(QS~h3a z;$06euigs`HVo_A63>y-Vxz_3-Nx_T8f6x{yfe5z`d0(rljARjk ztLq}6{9qB6__KoGgkGzU{%?3(5~ALWBZMWYL`CO3M6p8%MZSI0UbA^bzWRl#W|oSr z!2Eqd<~k|Oeq1ThyEsnH$`5dp=dum9;!v@4Of!RS@f9+?ZC1URvM<)SB<+)G!OMp+ zRgOjbY~$rq3e(u(AZkm7tpsA}%c;08^bvaZ6kW0Jv16P>-P30sclEyK>jrG%xrBu{ zg?ZYEHS}PPT}(kVc=5}Wm{=#ezYILLCr-<~bh@`W@EIdUiN^Sx_eGS5ckv>fdZgI% zIbIfhP(UQGc|Ow=Upm3`X_)G%Rt_d^M9#!k2=6kl*A3aSGB>89{t^yJ!)4tZX3e}D z?d~8E4Vp9WH^{n8j&XEpnVqi>clY+@7Dw0nPu4!@jdGP~R6ol%@q6QDGonO$*GE7z zIrpO@vBs0H#-C3tLE2!^C62(Lg!76LT={irw*36dF3GtHruwT+dPr|fz3TAx z9WJ}HVHnz0(kX|3y-Ep>{|5HwB5RVf86T_U^Oc!m&DT=fpN^G~lFPyiI~wc0^syA3 zYpMFbHa@zpEv!QYtGNwZ1o16)1#`G66wB z23yjZ94sVb=P(hp2%T&SuM660%a(bOLj zyKn4`d)r6Tj3?eccuo%|u|VnRu|?!{I(lcRCpG2k;@ZZn8flj*>*M=YZY9ah^-MgW zma4*)?UoKptlb)X?p-A|-SB<}Wy@g{ic3Vt*{>dz+SqCh5HzN4KAK2jjTP~$^Vcf4 zTk0yLl8RP6b2>SwWErnzN#2b=vE73|ZCN!EX*s&I(Ix2j6#n#O;`S<6;^fDIu1*Qm zdmW?e#kDEN;+4;4Yc06v>+>wB^Ht^~<$6rsbE@=JCz!q$!b0A-L=uW-VVqILRYQcl zF*Ftyp3X$0))Hb%t4nt|l>$m1u-< zeeq&qkU67&I#J^FM1S{_n&q@d>S2K)ifAvxlc1|f+xEWNajxS-FPPCgh|hPol&C1f zo_5bSyZP5A`kj91cyajoIL`fefmerUHC4NOc3ba7*Yz)FOyd=Oh+)&~?Vjn+yA3)% zBcJ)Y_m2vtnVdB}F;%Sd#sp{_Cm!Gs{fVn>ak2|Iq#*{aI%ij&9jM7tBAcPqanyr`}9`f|G5 zu`SZ5^QCrvBkShZa~B@h&mx^YM3Sqr*=Uas)T8g+6z6M~e@GQE|K@{yjHp8=muU#@ z6k(Bt?`sa6#E6D+W_c0`@8)+^Z%Y$8MO5!tww1ULY}=7E;mgcnX>H%edeoPbC{li} zOK^PBO^=sUiG%TF0iu$@yMqde*E9J~H6F5Hczjx5$DaD~Jn{~VK?5%9Sd+nublvqr zIE(?Aj?EK2ONXf#>w)kYTvG!$C18_MP)6*h3^P%L;T&YM7W7MqsdDgdEtE~^If^wR z%+c7?32{)INV@9%h9nntbqWarua@Pg@KDv5(#C2Uz>HO=p*9^qWOwV@;=K1ugsQ7(JL3nB5qL}nUmr_;1F>gvUP@0h(8K=OdT+t!Kg6F^Gl%7`v{(A-v5LmKJkWndv7bSYS1zHzGmR&1HSTTR5jB3F z{(*{yyHNVo*-D!aE>0`mfvJU$D4U~eU*Sl!a*ns@L@A&vQnUulu04=~WBW{hl>E5y zSo-w%T_#ehB9i5&rhJ0@`=ruWHu+R-heAX-)@2WidX28%*uz7oz;w z^n_-g15-(^tmrbHU+XU6K6Za3BEwg*kUHIuFq9^BJz}{yB`Ue}vLxcK-f9D?{#mqH zwLr+*UEooIICK% z_j(#h%(iT$9zRpp!hkPfhlOE)!oS65gun`YOo=7{F4l!s)NSM{^}^hno|6~Rs$5K} zsqi?SgnT>9fhrkAWlF(p1&Eo8t51{m5vR75bKkq!jl)qFBbm)>599MoS_!pzUg0To zw_E1HAc=0Q!6FHINuF4t5@p?uDFO?FN@ZO&Gm@3Qt0B9GDK^<8>xVWFbO&vOM@Bya zS^dsTdyCFH7hQzr0=w2r%7F+X3E_;_gs$l}y@0m~knBJwNi@FksIy9Z2pt`sy*#L* zzcl(>9cA%~ddQ{9)&5|lRd9B)(L(xw@^D}NlHXW z*0iw=l6m3GWL6nr!cGv3OHxZyE;7r#E`mXH18~qF*>Hn7?OIG)@399 zUBtC#D@W-Jbuz_znkhbUZ>_NQ?6F6m zTJ-3QW49v+Gd)soU*HaSR%Nm^PelI4om3kp2fzC;?&%Xa`A7wvXSfV;;wlVG&H;mT z48)?lUr?#(#<@RC#Lc`T;56}CegKzF(2nAQ(pT)9Qt_i^LvWj1mN`55If;U|1e@!|?GF~MrN zedeulhs$==Pukxx@?hapo9Eg*s$g}FcZ~@hJgOe?VV8!JWjPQB@Vou^1IXBxu zZlG^)diq(yKBS8H%&Je?B%+BWh14%%d%02a>bU89B7$&!_6OCs z5<+8Prec(`FFj5pFe+p^;_23u?iyY$xRNhGQVw5M^8Vg>yJ~^mZA4}kx&YzeD7|bo zR{~e!ycYZ6Wd*zZ<>6ah3z{56dypKZq{9z=u+{etoJGMc(m(juyvOl8hH%Zi=mTA8G1OS5eihAdWnB^p$3f!v= zjM%Jsmut$(VePk&wwa@4ibA{^MPrv*JI!|DPPfrOY?ab=Lxn68y;=sd1<|CED5+r< z;c87xh{4Ls*6js4naCFhC(y|M8X|IhC3EGis)F8=s>dIh20Y-Fp9VGwR4&QcBw*@B57o{O{k# zYYRNXv?liyvSVMYYo-wBvpi_ zAsoym*ynK6T*{ihpU91pPcv~(T}4Ar7-Q10O*%cRO2?lg1zEY(JiHHch1I^F5_g1w zddXx%q*QW<4DX9!_{*;h7wUyS8lNuI3%@G}f7S~j%Ey1G7ebEBf+r3^Cp*6=h(Cf> z{C5f>0Jy=z3GDp^(5AS7I~RcI#S0)ba09RZ%9Ym7M%7=9z7Ue3%F=&H9pKA{A2^50 z!2yDB@KJC9r%bs4?^d89%g1}M;qs5|zrYURKN+L}KKc4X&4J7@=@z766 z0o|1yZ~_KcLjP=o1d{#;!SYS*{jpTQXw1b6)bApf&ip@a3jTjv?fnVR`n%c-Vxj!5 z+S{xN;CD&k_zY_?^%CL19@fYg(WBA7PUd4yR?jd+us7PFjX`NPFV7-4_X){ZIEvdvXsm@pnUf+y%%@p$^M(mfpJv9_ag2|72;iakuL0sEBTuAuiPkqgEOkZZc40w8%5-WBQ_T5a@Jsu(YT+X*m^Hiv=1~{{0 z#Gmc6jWm$Rsx+PY=62*s!0yTFs6(Fq8N3cY=c^c#0z@IiWQW=2n6AaV%by>7ti(tq ztaObJET7ax7;`gUj|-%~l5VOXqyCQ^!Ea)P$e zD3wQ!ZNv!F;jKxAM)>-}r!sAH@hWr+#^-ra21x-DWNO2Ef*jH4h`iTi|M@FY*^%UU*<5uap=d1AKtgvH{~?o0Nw z%h4nYBlcwlnpkHwOp`UaFQ3)fi5PyBKP1nINRT77niyIfVE5s`*IX=R%Vu0(KQCv- z5*WyN?4+Y%ZYLMEn@_jQV50B2)=Q!RG zFRy1Bj9(3n37DRzFm-PXIWs6U|+N^GC$SNnq6<_ zz)aDY$iCAji~jiwX=s934Uwwc;9=i}PHg|PdP2K2m|JC;+@G-oiXM%B40aONT(%?% zOqu5!j~WaaJk`=tU9P6ZJd7OHzZJ-LwIq-6l4ZJUvL?S`mqpZgG#52Gp)-w8yG-3X zy138Sn)}4p*O|!Ap4}kF)>DG7?C6KHYEI%nWEI!i6kRSE)>Dm>y;@dwO*V^A;e@ZW zYnhyoRsVVN@hQE_mrLpIU|cp{+Jxo3f771<8-dKZH}5;SztB8l0lz{!r7PiP>NjnDZ=olWAAf1_>4Wx;!G=0_B~3#V6u+|q=8{YC+v?S4D}@E6}GNN@h> z8wI5Mk2fj-quRHPO2ET6uMEJ$x33oP@a?MwJbYV#10KE&ctD8|7y!^2-!~8bzymn2 zs)BF8Ve;p19gy%Zw>SN^b4GUHd<#%f4nDwZ0_2u&69 z&gyPueb?O4*wNhC0R6vm=KB_?zo(xa*muPSI$s2wCGr5En&3$t-~!ffK_3R- z>6d@zjM3fQo#o?TP~Xka&S_HYYCtQwr=ZC6`y@7u3gBQ-n ze!Erx^Ux0&aNha=T%P@d-J=jE)KTF z&eksc#wM(48j4!R#%6Y`YC39S5}G`$jzFQmIye13_WgI90ESQCkQsok%uB(^0l>UM ztT_Knw#*#d?QI>5%>a2aHnlZ}_?ZRx;=*cb#wrPb+H!L;v$3=CvGXu6Yy=r51HZrv&!8yH?;!T!(wM`3b@Dx zMgd6m%^903?}%j~h5l3A)1h2lW9x0-Ly6y0F+9yV{#tIRZQbMemz`U{=O&!va_>M`Jr? zD|2f*Gh6fYIT?{`BK`4d_)s5BoM1 z`8#cn^UuD1{*?0KeW;v}bG=Zp__aJh1q232K#TrW0|X@CC$~hulm{NR_b909y*^LqARnFH8!!{^q|xAb_MlPRA}v3Z6)21AL}kK=8lsFu+0!FE=o3T_{XH z*7YwIB7WFM{hNmMpJ33ThIL@r{M{9X$5EAvO>8)l-hR!or4pT;O-^%oIQj3?{UwXX zsBqv3Jw>AlY9nRc(66E8_TBE9PYv5aL%Hg-+I)P=zTVn$^uAv}^mDE_9v0;3I>jjl z1~cNchF8RkY&qc_at2)b8}nR|`y?U0gFGQ42ywXW#TxIi?Owfn%afJUn}6WTSWtb0 zAA3gK`=w_EPu^pz$v(38nh*Lb7p?kXj=_LJja+7-hk^mp+b_SYYZ`Nn`=x!kH2s!# zE-n@Av=F1b@Y%?VX2}|_Jdvf?Hu07$4U5FZ%p&@AcB~LnIlGPNmx#v;+|T{sS+8mF zU8MB=1V8^5N*|U^|!sSgl9L(v0>enb1G;e zY->G}n`o=TJkTQbK78-V`Lo-s7;UK|MEC5&FWLuBLX*vt2a+HadE* zGX}qPwYPO5$}TZmBDx<{oPCj80VjU`^|AU3xq_nk{R>wDkd5DyD-Jd&JRoE)??Rym z=>C9K@of>{JDM@@2D-ce0h0#T2OwC@kcV%}3qN|q_?`pwL;2I}=KI{_pCAVS(;7hU z=H>$27y{ZHJD`8F1M3w4)*raS3ru&!D1?M4Sk)+4r5)5AC|D&Z=pBtM%>f^gzpOYz z>hnJ)i<1Lz*unWPvH&0qUe3R!itEp7^xqrze@qpij&K9#d;VxF034B*_un&Gwd|46ie<6%62Y_J0&#Rlx3;|7kk z@v&d*Dib1F>|7Vn_2cLKe?u1+U~z#UnLtIJ4V?U3yj2iF*9F1_L5_rS5i&u6j3|Hq zjo|$A$udAtzpWd7o6v*%133Ym_oDg9Pmt>W`nvouC1I5Uz7gzPfbUOmq+yi;h7-Wt z1^My2AD-`XAT&KrfOQ-I;0t(x2kCz2`XfGYB#j$-0cqJmt%V2BeZh+tn8|_{xeydm#^xFC(-JK)j>zcqkZpaCC%@3UVt zJsu$J|MKg{dVe2C(Da~f1}sAWi&6lX(Rbc}&)~)O?JZ}9PYlg{Wp05(n9kG?~pK{PjGR(N?=lVj4V764eIW0@%OxK`FC+|*7qGtIGZ+T8(~rNwc+fPEcKKdsNPR#$fIR=G z8}Q5p$UpcFy#MhY$P>~|pqv6>;4|3IpfU@sFQm>NhW&OQ1C2@F`wSPb-T^HKGA93! zKUCg$fD)kb|ID<%7>)V}T!eFdpPL$XGBQ*w_FAp$rFqLn;D^ z2>bv8ptXin2ym(ZX8K3vfW% z7l;keQqYQknSHN11Z)6oZD^(cPHfnLb3IV8;Q|caP-_2bIN%0KfX4r)!vRPOc!7C9 zFOW`tU{(t@F340U$H6*)jDRv6tRpBnka$4YkDpvnt$VhR0eDS=wu(b zgAE8C$bvEjdWSF$2!nQANCSLl9+(CqOdvymMuRXIY(S79Aj83Q-=F_H-v?;`^MW)F zNC%K7G;c5+l-b}Nj03&{uOI6QK11eR-@~ABAj1$hVEy@HUJpgm1m;2C<3hi^&^)1S z@||G-Mc=+-V8cUc{gF98K10F*Jr7zRE&$~Z$_J=0L&G5DfWstE0`wht2QO%vzq>$v;qnIgwre$G zs`sSLwV7&R@kmy&}5_8sH!3pIGNcl5hpt`_P z!w72$B9OpY)l;%vLux@E$-E8IWQYVKM)`ba`nB-`M{P7>7!0FcHWU(fj3wBB=YAmw zFkGF@mm}(D&S3eF935e)3*TQhQh^~s6?-r4cd71pQ^gPExxVsy49nXX$k`zcM(j95 zd{@wCa@Vfsoi<-uM`<}LcpNa_0Mkwuk18p4+plboE;z7Wve1YR58lX_Y-GA*!w3dH zLX5gD_5Bzh+dK4AY)mZ-lGPnnBshQcPS_1N$vQS-5)7=9!@FmLbUPvy$eDd8Jt8kv z{EE&#z(zFJ;T(ux%P@KW42P+p6rMzu>eO3h;K>2KsQLn{$N<6D$b_q%i#`4xzS|hA z5eUSO#HoZ}={r*;w2_0F;}AT~92n5QE=!zY%bb$q9*IzGpDRt&+U$w2d^$h8aZak+ zOc2luD>zR$^9C8Iu9}Tr6#eLH%juijZ#hY3j~$B6Q?1}m!e(pXRa);mnJSA4%w*x< z;vILOw!W$pHc}SmBb-AS3B-MW`Rk{vl+W3S5J*rPt&c6k{nKAPY@0R-j&OW<>GNUl z_8Gx_%IAKT5i!fy4#wsh1R5@CXSKE2enoqZxu%%HeS9Y8lOa54UzFx~gEOew;dk(= zsIgEUO~xQxyCwVe0lMpOEzvSRYT}fE@^Cy$1;CS#0|rN8ND^TOi9Nw+WJ!G z%RVEX2HqiQwGT(QUY*HKe zxs}DA@$zH!;nzehtXVyy&D9lJYp>eJEI1m>yt&m~le$$fq@QshiFB54WukbQEyZC@ zzy@xpe`qls$yw~~np;oYoS>mRar;T|`~n5lBZZVx+t*Wx+Js;Dx(|?upN?fX+2zF^ zO9-~qNXSlk4{9)$sU+9kQz}@x)6nor;(>j^km$JrqD;EDTZ0s}7=i@4y#vihHi|Tk zQQYyW{F_@(3WQxNb5oQ)XdUhbS||%j8%0j;4?hl$k@egvYyJdBHYB$}MLzqXf`9o< zitOQy?V2Ue8Obg2WQ#C3y$IUng!A5qjJI9AlJ}UlZ3_)0PEoG~=Sj!=j#2g)1vM$v zxW#U1XKi8`mhLR6IW;sZRxzDLq~yF_Fpv!W+svo&2f&+KX zlY6kw{<@O8-OCTX%#x83Qlw|7G(j;nQ~idc!?hK)|W^Ho{_;x<~qt&`1SwUD{;or#QPhvvj< z1P#=5>M4D!Vbz(qLf8f!Y6K4N4JmE?gQRM+iYlmHPXw9SX{xwTjF?u$ktjx?3qbnWyDH7O|=zGAdzTu3Ep?cA!zJPH+s%B(PcpJ#}~ zR^r?0%q|Dg;a;D|T@|Aa+MskOvEp14Sg4`B4A)OavlqY7$||)r*5nXNK<|_DsNLnG zj&NRBKP;&%-F>)^S~)b5ZzArqQk{~Epvut;WTUH4n1NsX$@vNknZ zT7C39IP%&$YB5UL)F;Oqv^X1GJ8G0T4>9;v1cuOy2jL+i#28xgzak{qd48Y zHEC&qifNi?6@3u!8I71AcnjH>zb+r4OEHfKE(?3F7(4O3G%M8=eoFe1#e0Nxk9G*o z@D{Hfs697qp!I3Z*8Xsbl=y>zBT12s17-D;U!|aRLr9#AiOJE@Zp}WQ%%wA#n?({l zhACF}yD=kXBB~Fgh|-JAFwg_leUq=~k;bED8||~}-{6#5w6lCEvfX1Od~&kTB-UL( zewwO8C~3Dy-djmS9B^=KbD!*rKzMKYiFi=+MD?@6G)1py)I=H8quj9;RnrOBmKxQs zCIOd|UuJjxz+=Cir!*vcd9<-E9S(HIC{t2p=<+$WNxO=rm07!~^ow@nY7$AQ z&oWz5w|(_W7zJqJ-MCn3g(#Ifp*4MiLjOYAClM;TGuib z%;_4PNu8=ckDp{4^))^iN+I8ptoNPLX43G3M_#g&85&OS^4BxmImioJ8$w-5fpM** zZRHruE_kx>cGxCzN(A4GQT8+L`iS3^ahxG#mf;6q{|{s56eCK|;QKjaiL1lzrVf zs&=;!H$AQYHPb~kMYIP31rORgNmV2NDQZ1}sS|#>pmZ+*y|)+^=6Sw&pUACW8Tk8@ zOmy1duW|gG(bKu9&X4xm0CR<1O9*9%?~eYXs;P>T zyMZ-yqR^SC2SlKOp;Q%}o+DMiNnp1>SSMY7MctXM?R8XctzcLov^b{^s%5C zH?s5FSe8*l49c5LP6l0xBt^WN)$WV?@|8mtwE`++R7{>1#!J-IiBGac?OmH&%iejy zW#t%d9bw7qP%P3XSk2VFQnyc%D`b#$1*qHvw6%m4mDxVM_}WhpU0l>}EULdUQp&=u=ab6$W!=Z8e76E= zVL5YWpQDgJNY&cuxiGG}UodFCc4yfnv^Av)=DDJQs$eGP;arIQ1*Ef?uuImTqB-g@ zj_5WXBEnHfY(>Ac5~yh1HqPm1(_+sU6I)7odHHU2@22mV7D0&BQRfFEd*hr)bWb)@ zj_Vv2bw~4*-yf2aFmrrS?FSYf1zv(5&JY5uJZ@s!VW^o$o$x~KAngP1R+2NT;4iIQ zZ7q&xoV=(3!ii9+u1@ruc4ZGm(KZ+5A;p`lD=&eYUUN4T$T<$PeWS7MIH{Eim`@*w zyf8B7asubtU3Hp^yoE=R@%q54<0fpE+wZ`#8r(5ckxix&D;$fF(es89JJvEwrg(jI zJx4r%yf5IBmCQMM2u0XG;rTbQCdbDtDo4N_|(T<9o7sks| zx&^0WFxdimdJ1OLaD;$U3@%X?oob#C^;MQE4Zpp)HFr{_yVaOB=gRz@ww3 zIye>}Xwb&=%vr(3eDJ~_A_+54jXZz_wiW2*%#!Q+v^pR)M})j5ipeu(SolwCuI}8l zmH&3L#hSh@VHHnkb&x4l+T`0|yQVNN1Dh$TCFQn4_*JrUIcxYxsok6VyOFlS>)OrTYDO5P!pPw4I!5oU;3ZLqepy~q*&-pgl)!{-3^N{hdB%C z8mZXWUv9J^$qF3iP}{`~ack7|N$0!exT|MZi+3%vh_5o7gr(sM*Rayghq-i5U-8Ys zb;hL+&jKmOzP3f-ADuCNGcKf`0deuKgsHR0*%y~L3TbzOQp+{`WM^O|5KD?3#Yjpo zKogKL1*}(6MuQ{k>^7!v$J(uu?6cic{oIx=VRs+`W%is48gGb&{a@RGb?*eRiJWwD zlB=fwb?^GtZ2UB+%JQIX4iVqB5N4<*L6=G9aRbk)rXpH%Jg`xml=JwmZb_5dwQx z6rcd`AzxH;j5qQ0(O?H}X76g4IRxWEvc&6jgR%NduD|idruQOCg1=^CjHvO*EOHc< zevVN%roEsFh(S*^JPLM@;dV%g8pb_5>+NRvypg8~eluZ3#X#g$w3WAjQCb7(b9@_rSE66|OK}D92iq~r8YZQ$q|Cr)75l*(t zGzZlT23-Y){;4_-&zdu+3};zB4k#>`*#k`|b#D$etW~nh#P$+yEQi^Dq%iWJBf|(e z7fp9IHgt&MLF}Jxz~)>8Ke$+g@`EnhuukcAM$Wce=;p9OeIw`vSCWjH(c+w#oa4u+ z61>VkH89KsR4eTfM*SJL;w@#Sf8c3;u3n&ri@^JtYMU=gm>>G88wb3}Q*9qf=RH_p z2xS6;2YD**9@E#xGJKJ-?d&+MEekcdCuBXop}y)ZS-TY8Vz)z^lg6Gq#Y~wVWDB4W z+(cfLaV%CajWk;qC+lFmTMpt~D#13F3_D&C?MZW5WL7^=n1I}>hGyvk{|Nf{lJJw+|pW_AN^;E6_Adt_N8E5 zaaYNw*U)^U`fj>#RNE$4I2XC2f3ca~P+o&nb%~H6vlSMo;9h^@7gWDTmUP##J{kgG ztjltTCL3nD3lq7_4eO?vur8*(19U-nDsyfa3t}lWXZ}L~V~%ZjlEU_Cv0Aekv<=>n zaoBw|mBsj9lINVRQ^tx|Q#E7NKYV)?K2^%bfy zqd!2(E8dpEVQ5={MYrgRZuL<99O$S%8G|qklUZ6)?9R=h*50-a-S^7%VS-Jj#1jGJI3*YjTxd=Ko!6*o@e z2rAkkOb)sB^Fx%MM5`r(2@wi7Pc7E)5-+v3TK}UcQT%ZaR z&qUPIMfDta?nb@Y2$n%`3y@+D>_mXhMIR`_W{BAHCU6f^xm%AxA}iWix(Zs8Gu4qa z&nOnFGrWAx$Wx?G(5NTXxlt`5(_TxM#6sIY6EXz)s0htj0@eVDK8fi&5WG77PnOtlP z7zi;w=P)+LzBL`9Mc^ajiM5N17u3&5L!P%omZK7}PT&BGPmk;umA}*3=qs+CRU(T% zK|io*g%G__o=SjU+`W`7VV!fqHC)3h+-jc-S1OssW1hDL7P^w_MpdhF68=4!iRZ@V zOrXDhzkaqZ6m32_73cSlr;VQri$6{w`)(_`RBtN;{vc!=USafg6I06k{29dZ}vTU%1bV9Izen zV&F8w8enU2zm5yx0|KofGM`REa_jYXm0*ZG&?!*Jfr7U}jF*P;r4N_&0uHMX4;a5N zrMl2@2NnI2H6v2N*LB7tDFQB0 zJ^<5PfZq?JMWi1BcLQgf2clg!wNWE{=7Mix!~nSKdif4i+6^;?1A(L4LYC?vj`88z z-Teq3Cg{v7o3m4Z3hZn4*WDEYk%k)9<4C!5Sd~LO*4-WvwZ4#{IpWS zaUp(+z@{scth_;Adi%TG4!^tFAVW*Ot*j=ilBa%2#P?>HNuKI>=U3JoO9?RU(O!q(mbac3`NRKi{E#q5dx2DEi*Pb?@+Mh=>W3GbqA%Ka4 z@Hx8k;Ly^e05`Q^LhNH!DV2+?3hV6U#)-fLo0QuO1Tf1Khgo9&XfV1s#*bs6OH8kG zC!2_|Cjgdr(DS6nQfjxWxl1Y8p3&Q_{S{a|2}gWb5SJFE6m9z}`1={c6l@4`1WbJj zhpPs4Utx%{{ot=Dsjff&vLg&JwbQZls`CpDVmHQ!!$E_p1GLtNzQ`ByOxRKC^eA2m zZJMIC#eMlB$KQI{_cGyv3IJ@%c3ot zkw#@rFe5zswIYf+VqEi#XC0N0^^${31b!v(-+0>=3^Y)8eiQ(;y7%#}5VNC>fL{0jE z>ScUwTxfuQ!*|(-;X}{ut+aO6+2?-*k3z-{ zhW6%mzee6)%JO?Gqi=2eD@_&^5!Fzmlrgt9aB`5gwUMG0u(dM!9bu(!>VU`eUqb~1 zY+dm*sed)a)c*lwEWc8K|BlyiFf_Jt#QQZLL(&TB+ld*Qo0>WP!l7Tx^Pk84=NvUX z!!H67cht8sH{`c5wKDz>_)&B;wpRHisq~PvYX5x^6C?ZYJlu~|F?7Ie>l|tkf;9? zwg2M8|4X0#H;DR=@R{NN6GTgMb5>aJJSlNApI{{T3-PD%j}A_Qli8SFO!oGVPC~^t)Y9Ak zd)GImoX7=ca`^MfY~L#{7s>_*lSO@LB@C10*9qX13&DqE2CZidQhR%Q+ba(sba}~* zMLjv0^=GkM;+)CR@$tv}jTBh#@Q#=Jx3on)bq$d0$Ga7<>gv+kw|UwJ|GS2j0>}^G z_tW++_G5s<$EnUH#wP&CNsg8Q68Sdsi3(c!`bWey1<~^@|Hk`V02lsAU1tZZ{4xAP z*WAEd_gcb4I^3fsAOj%io4`H0x_`rx+d)73jf=|Ni*ssbxOe#Yf~mI$Oy|JV==8k- zWXkCqR8`j$F~$r0y)J$AO>A^y_QKkKTysO4>YtU+kWg0;)Wx`Ks{$f__p^IuWpnx| zYeO2*W8<53wj+kfX_(?8@xJncdR()zHru}pu?y|!@=cn80Iz4TXJl)AddK>rOXndP z;bY#)roNi~MGEBZOE^0@J2!}NdiaQXO#95c^)|!t=STA?`1yGm=jXclgZ13!U#*=p zphgBme_ieOl=hCk?F}NE3xnUkBsr~4^P|=CegPo!fTK4_K(m0w`$aPi{R(a3)hdT**{cE zOLoDG9-v!XROsCs7(=jFkWYsZHB650o_-i>s!Hx}ILvR$T#j4b-%fyCF?P&v>)_a` zHC_Hx^t7J=vppi4Jy<6BT00gNuv83f4(99~Q*k-u}r?T~CT* zlwpJuWa@nXemkmwJjxYsW%_?5WzLH_s-Cb=kFE>mv&c2Z{=oSjCOc< zv}LfUhFAryb`llijZEQyMm|IiWJgt1XSrq}kD!^7r)F5HgvzA3fp|`9F z#onn>RT#aeqXJfMu8lvg&k{Telw#PWC8_;q5o&nn=)o>C5`uXqB7??7< z9S%#_-@_4i)*4Lz1)eSEQ?>l)oy7fV$6f$Q))_lRB!o3nD$~oXGS+T6su9Kb^gbem zqf9O0d+c5zNWCStltD_BC!TX2S=>b!Ir75-W~dT4I7?w_LLG?ejQO< zr*(S*m-)5t0Yve_GlVUgwO(zAq|CyZolTN@@Nuj$-|tJ7UQ75~1l8K8jC1y)Al}J{ zZ`N?xnOG!{OC^*3mi*p(pqO#MjLV{uXD@;v4q-NK9PlxQ3iE!AMkyn1RzoYP*N_#{k5~gC;m{i(X0NvBRx)){>42?O(5XWUv0&Y9G?uDMLs0kRQb{yujK$JOXyIJkx zFV}rY`OG1Ziak94g3^PlSSs$P{S{rb10#zKW+gdkEh^`dSPNPn{^?DHgJ{ZQBuZUo zLx=FS{r>R}FB4aF$}SVN=U~xNz^sn;nn6vS`y>Xy8JvP};`Vub%q@eR#|^80yZ!`O z(ui8hubSnyfT;K_P`WhQ(s(3_@w!?r%O zmd)2o-JYBu_JAi^N$L&~E4YhZSkdK!{THrJcUpIy%X&2z1t1F(gp4ciyJXaPC8ei| zSHTnS)-v{%5s0rSp?wZ1_<45;6`aGEs|q_M*aB#T`^od_Tv~@MhC0xLC2JBfzeXXl zRQk+AUhr*>cycUGe?O^uMhX3pG#FU2K8HeLH*|agb1>+*(K-VO^Z1ZV7{KZQSC&DC zp}yD{Uo6D~O7WK^swfTy{{fzy3=e+t7z<*7_ue|eL05_8^vI1!Apt^Vu&C;^Jrn}h z^CU4S0h=XYI`nR~$f%-M=+Nswssc4yGPQ@go8Dv)!xpCAwL2D9R-k!!r&DEu!wt?^ z*UcV_<4z~G$MisQBWXV@YSc!`+-gQ|`e%#f8hJOY0965Pw5&)f4e7R8(iHbj%k^tx zWv<19EAAIWo2rO~0`;a(f4GoaPKnG6YIo9@5UY=`q52X(+R~k934rgH{t%9LBxjv2 z5^~Y*%>sDSycvn=F`|#}*f-_=i_R^X_?^O-f8gNqwp6cmxUtTE2XuC&+YN6g_^lp_ zaY%^v)h+2`R%$ieQ(P@X0%JAS%_R5h7gE~ZsfEEm=BZJxo$p6kUE&QNV3mU1x~-AF zmazuLIuv_3JeL8Jb2e8m^XBD(6fR&vY>RkVnE4RmEvFA4TGE4@0oq>>ddQ{IzdQX= z`6HLLtk(4ep0HLKMAmOXxsU8OX(+6H+D4TuZ6eI+?vvj%s7n=@pdm4_D4P4Z{engG zhr;`51N0m(MtMgROF6Kxs&cg}Xx- z$(sbD;W}|iqych5?}pF=oRL`s2U&)WDb3F0D3*5M=xyqL|H`MaqlHb6SynwGdlwns z3s)d=FNX*zA|cT|X;addzRCS2+ZN)Ti#WR?@SLNDJMquZO61fv^Bk*Xv*c5@mMLhx z^Elj>h;#4NG)?_d_(R$@8dmPN_bH^5=hSH^%Y6xbv$fkNZbz?lR6V{nH1B*1cTGPi zg?7h8vPL7jxSUmYDCjKm$$F2BA4P-}I`ciJsP2#|{GP5GHm`|}n&&SW9^A4-tqFv>WYbOWm8G)#fq`YZ| zw42RFEV6Ze#2(5bjU;IJi7OlGSKKxAjNl_j-3%p1d_`0=^S+NA>b|>6x3lG@g`9DB zWKHTqREZPhTs2Y9lF}TmPyvwqiiB<{&Nm>tlIrUZ7DrKiz|ID38SHX5;rs{kE^dZk z)1)mLlD_AY+37k`dsuzKcD%*M1Os|nc%R*|79qtvm{H4CkGN;zYh?@nBmi#oMu^ZB@n-=FidZtwg0^rioXf@}(T@~%>YtV} z#*U(C^*vCvAZh7{d*)cD1R#QeKkKK`NhqKp2e>3|owFLvHfu10Aa^5! zi}$Xh1{T?`(8e<_apKO{2Yd!uF4#v#3uQgN%X_K<9-kfq;Y5~cLwLdoS~A!K(Xf~)un zEjQr+(!gDB)e#=KSr_D>lzi`QJVYcU4-EGkKRfQh^2sUNX@+M9;e zVU^(7e?e+6LR(ayKNnf6bzRUXhx(znh8X$>iTyl-C5zjj3%Bb`0!~`zp3!kIYV5_> zFhTyi8<`hXg+;X%(x9^$5-5}i>+Iq_%x%)01u69DAFhTj*`Om7*65nw)Vsy*Y`jtX zve29*pY7LjHzkZdZ6w_zengw9l?LcCkdbNMN0^ep^9(J_OxmAVDIEB()eL7qix9b4 zb$&Z^ev{FtyTaoju9j05EeVj>dQ1qapWUldrdg@zR{-!gC4(rSoX}X+VLVyNpG~S zh{+RfwibC}FpM_ZVzqBdD{*(^CFy_`qvBYYk_W9Pr{uHT0&XXEEBH2>4&~dA*novw zd5p8Z)g4~lpyMyux*w^!J%QFE@i~g$l(R$^HvFaMJ}u5Q*rF~HTP+KLsHs!d>x3MGQca zSid=AD>XAXxbH3n%fvzuoov-bxd5f6b2Ob47Xz^5MoP!gpyEaLTm&ufAuU`oJ!(Yu4Q4d#Nf zMxbM5!Y1{ByEvRY+TN?!BC>kIbgNPpUvHpzO6!|9ZR3{4DkTVe#1r55R_LnaP_J1s;8Xi^p7=l zDn9ArIEKfA`ghhkD0rLKhyi)i5M9M(Sgq6#dr+0`e-0rvJkOl5v3kH~-Phfj{Gz(Y zSP_#<)BaeJPJOEJixX^#q(*NbEGoY@1Af?Gxu;f^ZeYth`l|pTFIb zNoKzYW$dmZr{s-vP}D%whT1LIj}_hz>OG=$!f~V9p*?IA?iw=<2=s1Eqj z8#tt9)Fm2KC&@rpHtz-0@GTbWJPX;(ecSHjKJ#rPyW&W*L4A1ppdYC-nGL}nu?@q_ z^M*aul;VjH;t=!d=HdB$_JPoRzMm$DaK95!7=Q@FIz2|VFj-m6xokO>zOX%fgB>y5 zx;TF?#PO4?ctmtJ1c)DXNix7FdQF!Rsp;_QA;lOUvfXFReqLVv{>{i@s)>sCOt=x4IZe92 zEav@bd*(G|Q!{L;kLhdy4(rLswa3qUmf+fX05|Q40Q(&9)&WElUX-vSv^N5yqg&?` zqx5noqTcgkw6(8E>r!utHBO`O0_f0D2r+@*vU2qr!6N!Tq`}^@49H~Hfr}iPh&-8} z-O1ROyj-XXgt$0~LOjDZB}j>PgC}4vn#nCJQPOHSDl4s21@1XG-U{A-%0Ms`CX84pk#*q62?|yx(Fcsl z3Di7`*mC>ubZ#d(=dL?xv68CA2uUp%u_rcq3LJ#A3graZic|#&(fUc&2LmJ%dh%33 z5eaqd_OZc0!TU|nqaAAcJg7ndRYqKqfOled)!E4}0UXU1&=(IAp zX6P-C>2T>oV1ErtAt>vtj)#$&p*qiXY-V1U&K^JI z5W(Jzh!_nlp(l6uDaY&WC0`W4(3V81#WONnPxBhz4B|^W%XgHRvsVtE;7DSub2O`` z`OgO;bnk*q0sqRu@@ggog6n|k@%|aOvXQWln#r-!J1hoMa~MZaHhUISSL5E*SyhUMioN18VwoaC5!tJ*PESx27fI-IJ2i_yA&8 zmS}9X!}S*T{27{K6Gx<&+sVkI9|9LKsOOy~2i zOQuxS6RQ+;(NYOi$}2G0uoZ_p$1Od@u&x^!TA_mkGj?$?gVCE&(z{dp&_E==cs-fy zQG8nnNOLr^LCxxhhZpt+({gPPjf26fPIttHgGdqKz3`DRT*C_$cZ2BKiQ!t5Eb2xP z{ms7cHr*dMycyi9WYhZqOl0QKGW`%#m~eLEcU7B18z7I*3yC|q^A$GTLYrLl#J`3Y zb@6(Lza67bh+>}!J&QeE|8iogM2j73V5b~62f&g7&!>vf#A zhpbZES#F1z*LP(L@}C}U-iYB32GY^Gc{JhnZywQf>dbb<7FpYT6kcZ3>O1hm5-<83 zQ?C|E&HivYSpAa#Wi?+LY1m$#Folf*f(dd9r4JFxr7qPK=xWYCy)EXQ65ZS;xxD&1 zM11z@$vg*rrxq|BVLtV?WZSw4aA&LMm~=OS>%O?FnQl$HJP=K`ZV^=F@jLC>Gs=JnF9$0KN#mE+kSM2a1tmb>$I2=5+<9mOD35?ZnB&k=1yBkEBx!>H{ZWM-P z)-Cr>#4uX)e(=5l=1cbb3{-X_?S%c$Mq%8KY$7GIko^%9>d-}_QXwllL~1OW6NaH# z=H}I#L;(V|Ey(`4!k(HGYthTNYymVK*id1)`~JT(T8=_>XMK7iHx2QUA@S+ZlAsc9 zQ58*+k3yQ9kDUW@n=xY7$Ui${^iR(cox-#CmDo8&q!L`PURBuFX=TOPP~cFUPg8JO zAWpOXeAddh-6u-4Zh+n1G%03@O?7niFTxQB758}(MgHZ?z6?;9x?9`jhdT5U{6nUD zlKfJ%^i|K%>`nAk=%LS2|E^8o`!qpXa$_w%{ix=}@~Bl|4SbUtda*`Xr;=4k^pTTs z{kGWxecC4dGyqg(hKLHhLtRW%bIh8Ks3|nXFilArB2^ zzff%Tc7)Th+gzb8uQ5`VNR z8?(CY+{J*v7<%_%DH%Aef>&mg;i)#zp#|ZXbDES$r%L@ePsHnvGaZ;nFutE|V-;0T zvjyBS?33e+-AmX#c=o@-_DFiHl0Ex}ih}AegAI3Yl z8F0Wg!pHWP5<5L8IN~oh3Y(7NAt;)Phqo(P1M~v>9$gVv;guRkorn9AmD?}cJpX7& zJ&SC?XsylE6M489Hz~_FnA}v4M0gcZs2@{P+ZQs-^e913G zQmPb~Yumrv zEI!?L3M1K1zz9j>OhyCkC7Yd#>u&HQ**IED499`qSp>6dd%2qp*n;%YR~-M`3-_u2 zLaIV_`hdESZIvXzs#;QIw*i$9bQ#jw6AghbWfD@VPjvzz=$W16;7qh9s(_lf8hnN{ zT@3xDZ%K0>Si4%{g2>#US>{q>kf2R0Cn9d#iw_X@q60_8R3H&Lpr zA1;{<LpU=SoJ06dR)u&uz#2bTXq4WZ$tRGn94+l9s@g;BzkKu zW8_E)FuQ4&kvG9cH*YPVz<*hWYn(fKa!mJFA2|Jq0{`GYY4vC?$@l!Hq)kb>OR$-- z$MgBX8nn-X%B4ej8-3nT39D^T_+<;1Kh1*Lkk`$L^?6I`?D#fPIEED2;(;-X8dKyW zDBkOu--~9ZMEq8#=LbIBDb&>tpr3Z-*r~o4i59USI5aVl)XKzH^J;0h3lm@B+1eO_ zq-llVMWr74IvPGHb|+18m01gz!|sJhyTF%H+Z@ZFV&r#IivzZLDS|d5hgeQ{tE3LE zXyWB>3KMO*Z(ML}A#$zj4tdr9sNOa67t8gY?p`!uZ#Yt_m78PSD%hZ5mtONp7VD2_ zme&$nK_!8hE)rze7?4L7LCW*P82ggaB~K0Mno(aYn;|>4FMf%EPt=3kh5?=eSH4W~ z?QLx?6XbZ(k7pb~k)NEp{mtFgk~A+xCX7t>0V<{YKd|e}3{Ul*b=!v8fpRDWCUpJa z8;66vdJ;=gJ9E<tLJ9bMhDXf%jf#Z1 zgh0rV?pE**efHyrYLKxn*zLvUa8s?p?{Peb`7ss5*{@!o_x1;_WM0?m_%hfl3-e6@ z1Rx?p3|9LhYHfsV(hG18<8PKn*lJh%y$n4ivkyQYSgg#5Z#Q)fI^HJ)=Zd`FeU>v& zn*3T=wE1LIbeO@*Bep!{N%#4W<1BlwiONWPYj=GGZRpdqIDZ>{E!cIo>~6JWpr=bc z`(obL*s2pDXUN!;xri6?JyM6M%p}TlPX4|Bv zb8bJ(?VNqDWZ&c=0r`Js6}5+M*kiut7y4I=$g}zN|0y(d|Fc(pbMJ1vcazFM-(dw$;$a4=2pe3_n32o@&W%Yl<2ewRY)yhq zSKqEY(t!%VT!v^}O*aKQNFumij<5O++%bF>_K2FMzVCtpaZ`Yc%um+;2+IZ-C1Fg` z_P5O3fI#JM&n8#BmdY(id^z2Y4tOxTfl>$RrAa3lj@-}<{-H5`l2d(PSzgCI86!pr zM*MJnXzDH^#$qRV97=P1hImWomjSA!gU=Y#`1XtPI-~SDJkw~FZzx}zCa55YNtLXi z4(DCBTK9C?BHA&;A&er(yaa7j*>KG5|ai@zM^N!-<7Z4`J>wwvI5x+5pwJSeC}&N}c^4hNIF z{d@=9Hh3)p9Jh;Bz0fm?9``s2M5l#E@E}mch2MVly*mlxQntPoIX$aQj9ApN#b{Uv zKsfN93jj$}rf%l5*oLG#tx@t(obvZ#irrt`d|}@0r(Cw%DAYxFc^Cy&Qed$m3GId9r^3 zdTLK1D+JB51h#AhUxUN?f%RSr3I+H799zjIc~xSHV zm&c~V;6a8WvWqZP?6vrjTW6TA<4KE~oB?n*rG-2yJWfUs9e9bv0L|EL;d-7>73Mez zjJFF3_M5v?vyA7ae0${)>%BuQ6ErdM#nF=N2OCk_PMxCp?(mE~KZ8j^JVo2f&HV7u z?YktElGdtk^}Z33$Lt4c*yA|iv5keO9d%S>SIMdCY z+iaB0$aBt?yXDG&Pq{4k4SF;+;9_oFyi;cVW8ynEY73 zAC9W`1Xg5bP(Egbn*_#~T$jHlo{NSf7F`1=?U*o*uWpSX)%e&NcRG~j|NcaRRG(Q5 zz**6%j9g@;1$U}Zx}I$#y?t9sh0|q1WXixqq#%A&DmR3<{CEcy=4Ci$;;F-;>v9H4 zf?v(pSr1x};Kx^IM&|SKu1rTo2QDuiWkQr%G1VUPy8O~pfv$EQ3udwYq}1cl^wnX# zIy`LM*Mj!IgNS5z1rnr0+<}-(^b5LbC#z@bWD+wSed&5emv!p~WB>^BgO_s4eKd|2 z;FVVNA)~j^G{4S*f_2z<@jDq6GsX%fs4d|A=SiGukrdju=Ig^var96CniT>1eL?Cl zVg_bmpy*R3+_VPsnR7+vF@Q9>h^y#{W?kqa6HAn*P-NX?Na`ZI0kpd-N_W0) zFBiVwVDgqVrTvzm+2;7ZpYyRDpa$q;)iB)4l>IiU{e-1O5MU= z#4;1)zff^2k z?^5rkc5Gc}frNwNO>@|H9)e_13VxPco-hF6Z)?de+7ZS*id=BC(u$u6Hh9D3i1bCn zq5WZD9`Eg%;E)wvQT!1n%tUCZAQnVJ!?gaX85$TEe=MH96(!Y1fQ;`Hm~RZT|D3L| z9BX<$ng|=6@=G37&}j-57mo7h={U@h^#*tr-WP~eUKDHUIL(z)+f&k*1-n!7NLfCk zhIMMBpJh57)c}xkR6!VK{aC9Us#=V&Tl1LtgN^bp7#jTkh-y-Z#|*wFsynocA;+wg zST@2OZ>~5=peGxCjd8qK7%q^=|Age20 zAjZJ6MMY7ti1Y1&N~M)rbjJSedZSnWK#rwzO1b@sB-3y)yQw)ShWM)bu6k#Cc`58R>p3J(yyK67 zphUv2Nx;J%_xyTplM5F+)aNXM%+sI2v{c2N3&b#qwBozHedi!{P(ModA&-6Kp%D!9 zKV5mWu#qO&-g3s(BIzW(jv-b%r?XNo2qX3HW??Vn_5$F8Mbl)c)O%JBkk)uyVSFh| z;BBQK8+FC__nw$;D6YM^Mk$2B)h#jG7bqhEzK;(=Dv8;-ZpB6#af9$vR-2=y07Tka zpQ@jqtf)dxX*7gUwL;edh>fNl4yem@zlwO6ezg1!35|OhGBl3nsnyyp(^hXd>axx% zltpeim1gbkzbd)$yg!hCB9Hx4t~py;#Ir|Leg4jh6b{zk?oW>(In9Nq-;Znu zlyS9=>@Pl=P6Gx&X{8VR@iUB<+=@#^@*}rG@CknG&<+d}O{PLv6ne8rs<>{(iH^Ep zCwFk?8X~7VK8$%vcy+c)J5&7&R5pjw&A5aAEIBbH>Woo$G8X73cNPlIPDOyTOLH0X z86RNh@;+ajiZhmvh69;m)#f(4@6#GVu6RZr;kcwn2YaiE5+!{cz2kFq_$0D|#m-wT zk%jbF`)KYm7y-9E(9@fvD&I}p76$hx#sYuVVsLo)iYv<6`9*v*AdiY&?Oku=5{d@h zGa9L0SG4zCLri>F)qGHK+%-lwT?K6DETZ@XxqWZ>5IV2Yapf+!O-^Wy+?CG}sIH13 zYdQv)NOw93Nkle*r7RjnNQBP~e87y=HEJxe{PbyyDL%%1P2)f*sid?Gc~zmYaXnb(UeI*ys8_B zb+8SFcWB6l&N>wO=Mb4dY=>hk6e5==>zPKO;hzbFiLc)88LBZiu}<=h9`#Srb7Mfv z)tUTpmmOBTZ)2j83XfqlzB?56caK9?Vm7RSl3>muPy}oR&d)*wT?DCX7nQdCUn9JM zF@cOCa(H=KO#OPuFn7pC?fS|s!AY(U{|{sL7#&O4_6t6?ogEuHNyoNr+qRt@+qSi1 z?bx<$+xFx=&pPM4GjnFG`ORggqyBaiW6Nqx%)~yF7Zq&8aGd|zj>LoDK2+b;SX!pkOIm0{lWiTb zPtnVa*0{>Aaoh+|U&!?DEj{p>0Y>qL3?B$lje8kuJ4W_}+&rXqF@JFiz{px2)ND^w z3Qwp)pH86rj*OPFxH*lpSZ>_}2bNBZzN#=9RoaEVmt-!L(3NWC62kByvU5>N;`605 zrC4s5A7G&ky`#m&n5$|g*4LUPm0Gi)L1aDz-6CGsctIkD|3!Y-sq>$N zmJl@Qxn|eeO?8G;U&h+WZg2I6ZY=8|=U+zSp-#H6jKf&Ae8WDYs-jMvgdQBIKGeh0 zRTF~Of0v{tTM(=|wrD(|RMaOr_-xefiQBARJM6XXpTS3@UCe>L&OKOlEY^cF!AAEV zkRqBn29tatO5>}zYxGYH{1??46O+yFp2N{Te=Wy|^b9ltXKtFn&u(0E)bh$jsWuVL zRbET`fLoadcou6ubv zB+sq7-~Ysezz^&TS}lTc-PrD)3`wKL@BZEslSo{VAWS1h+N@CqY%lRMU>{^@?9(

d8!L(e@iz+w@5Bw)BI(2X_SnSxjch(_S#YR zF9Qsc1xXaNAt}?Sk*Q**+&_{lOoX5)GH{h`>mp0WHCa7a2yKzum>gI_h*rSIf9qkI zqmwE{8|iGuo3fpt?pcX(Zs7WS@$h2!)T>;yB45Oz@NU}N7;M5~q&Ei94McWwS?0Lp<}?MrR%EFzV=)+=5BVu0ceDpG+jC`aZiwU|nI}DX za&(ErV(oC^x^Lsn2IM{i2wa_j-lqIZun@H~OXux6vhYg5@^1fLo^69`Pw+kO zDGpiUGT&`0_;;`V-g^>s z*{WXfe&Y=F+gokCuXUC)hZlg&zQb3Cb)xr&h{8>q6`$=6p(tSQ2}4GBI{$bBGh7# z%QYA)){;eS8p%p}!yatFXo8S&&Le5P>HhW5tq208(bk1aJT+0s2DF0xZik;;`)VW^ zPCTMk)M=k#kP)E(Ur%}YwNN;xW^p{A^p&zxJ^_x&XIN1YaOw}!7r&*5_6#3rPqGKk zr7%cml>)(lo&#^Zu1U|O>w%ujNtx2cv`dt7bsCi%NChM$cN!<*p*4hCDgvieoHojh zUC7hJ-4QmcR+Ml-x)iPq1zJzwYfrytbe}1cyT~yzNOfD+AcS;v=%_l=b^eCkqT%rT zRfb?(6zOo#OAtJ>fc%j0*ByJrol~{5@^VC~4#R4@Rm7>tJyp`BKqY7X)G@^EdY>Do zb2^cSh1IP-vUBIFvcJD#{0*k9OY2|d3^A|h`mKN*@k6#_Hl;O2X8YtJwYN?YNS99n z$-t09MJc@r17Cjpe#ZvQlbjPai-@q#?+>Y+q1Ed5cSY49X{k4QAzPNU(j0e@_J7kU zt8P~8Y_G0ykV|5)_AR}7>^cU4@Kz?>Y*$IGW}#a$N#Iq0aC`Jomz=C(X6J!qu|jMn zjpb+z80ut;k+A7M8Wtat@C-6*v$An5qv=DbWXJ6t1YoDT?-!Rue3Mw}eKgQph=y?K z>(NBR+SS@b85S2x1Ifor(2VM#P9WE)kZ2gY28G7rtTFlmz)VuJ=4@q->})BG8e9Z? zNR4NiZe2}!1%!Mgd~dZ+&Ks(9wUx0dhmjIUwNHP?M9um|%lMsf;oSAHpOb19HgZm! zRSTtZT^!KB2z^}Nfw+8|SIABIGO13sc*NYejsmv8>GAW2VAhs?PH{CD+QC}+T@zBBfKSQ<;E8Ma5l9YsHq=UE*Hd8?;6sxGuAG!s?uZp&C6*1Gg@bv+JL&uTS|fl*4Y^ z6`+wuL?E~rX!b>B1ZHINO!`9=WVqXyI{6GeAo?g(dI)^`cJbP6DQZl(JVY0ZD4PDm zqg|W;8R^vP=!ljkIT#T&;D|>8sRC9{jl!#LcU2xr(9I<4g%?U{l6ov}a5;CAX>N`4 z4)y7#-WU!NQwzp+5#xhqy)lRnl1!o2m}ivtjcHRw2i@A=A9S@=v*%x?T%U*h>iP^* z74BldW2aqIG2;@1zI6q|P`<~!>T$Uo3z7ROcy=|=N~#QT)k8`AObNI>d7$u<-Nay~ zUuU!!OBv%WHp-DDWh$nmi>;MEG6r7CJiL=3rWbOJLx`Bds(BE*&G^oh^f8U&$1X*f z>VQN%Sjrvo={$H2%@(xsQd`wQ*=nFwYjaM;WoAxu{8={!s_wa<#ov#Vg+O*J6q`1P zwbGnDcQ|;MRF8li#i86F?%jV)%skxHSv^OOl{pl?aYY74`pS{a(+D=F_P+Xn;_wpx zHhKN0i$o3ECrIJ#n${rhVJt7}Lh=ANf(sTq%lZh4ZaZf)X~-dm!5bT+`&lxln@^bA zhSOC0BO{QVMG}N;J2bv-eqb@`d@o#aTXykuNORP`dOA|-pX2gen7(9QVbLd((FG!V z!8HV%^euqbVf#ov_Id(#dBQl}a~Id_YI#GjKfC@VeC*3Ach%BBbC#Y!ZMGTL1ICEp zZiV+(#ePz7&Z$I3&=!fv&_D%U@~t3c6WWU`#mUARnTJKf1#6<(=(m?6)BXt608QF^ z3@EdRp92sFiW$!4IT$i^7f_)At;WQfDc|xh+@2Hq5w%hsg0hz!MCh4HoU7ZayCpS}uI{4HMpBz2>;boSj7!Jp}NC(D`vR zzb|?!7Hf^2D~kC0KJ8`)Qcl}nkY32byUPvVF8pGTlduQP9NbCNz1R1r4)TKTl+#=` zER1$7f{W~Sf>1$UXX56&Vmnyl-pL(3*=SCG{mOTmsY6OLTCHL3^tKMLKDSa#XGPJ< z&7I5Gj*yJh_lCi-Mp+SXjWUUiZ)Kf791~*^UMMEBBlG zsDp0hjw;#yjnSnfaFbGv9^iD7BtyBsDB7AWl`6NT9PagT zog}JYnG6hjCv z?6d$PxPL8>?1{{uHl-8I+~`r7X$FI~N)^2PYi7_^IvI}~_0e*=+>qHH8f0fovb4+_(sw9wW)*&PF7mc&8a9N3m~kRlWP3uaVurh}uiILzj=m){chs ziwx8!rmrq1c?#vJwB!gv`j9Jr+RLTj0d?vKI{6hQt>!p?SlnH8$sEtuFt-?TQy20u zS8j-d;d!n|P}7=VZqp_40jd8Y&WChLdSX?{Ju{GLy0`k1UEHVa_t{Su`s!@vFA-|l z3fjAf%mgE+4JGXTl_)HrsrCsrw%>(UKD|x-C4g>f88QeIiYB$`){hbo1G%jHWzvq@ z&Q4AUX57ELm8V=+g{yX2JGqWF`i<-wSpxw7Qh@lj0p(&LM&D?io1XpS>4W$QRI(#= ziPP*Gl*Hm0nplos9PZRLQQ?%Cp@WP>!LeUt`w|Kg9eR9vn=_H<;*j*rd|@{Bdx~Yz z!@WxBic~7~tS}X3j{Hh`nEbnUQX#-lmQ8wFzt5kU`BZzFT zzbx04QM=6dp=axFHR-{q#e2J;$nf^+kL8{6u@=D^!gq?I%chwt3lT)H%`K^5RW$S| z0(hUJm!+(tW&33pUDs-3#*{-WjZiUReXFT#^7J($!1!f#~5&vuKcjZ9`;wM81yxnKFlW zUcz`M=m?IE3+Ku;(pML$k97u`myX)Xc50ad+{zaop$ zUznD~Bqk2tywnT%wv(w^D@uTfB>D}b>LHqqsX+%9vf^6~$Q~i~mKfJP@xbQSSc*iw z29tLjZi_8i34I?!?;jYAs74J4@%0 z;z*iAh-z>MSBUEAEh^l`tW%=vD#sBb0L0fUTn_+>9_UdCe|jFFq8K$eW*zm<>+l~} zc-JmR#6K|?&HnejER)${c+WTb{cC(lYpD`f->~25Ke4dtC@mjN;L8Y(V)xP za&VSqFC3CE82uZ*>72B5{mbCV@0GQ2hTChSumqoeZNl5e3)6R%gWqnQ=Sz$?x(&GA zaxu5Hh-QNPG?0`u22)!9DkdqaJT6yfO|JIoX1fu=RJ+1;spa7bv&e1ttAkuhsXeC2 zi&cEp^TxPNVn~){s%l9Kjf?}GnKka4u^H@XzT#J3bHlJ9Z+}-!jRl>*y+Q{M`a1F) zYA)sYFRba{IktH(zGdgt8_>97GF$4D2s7-5DRiXgp~lQqYtn_5>c!dAe?exxfjy&F zB|FGBQs5+7OZ)UNM2qag*oO2L8N68VOl^>|E`L%5Q=txa2YdZ2tgLgt=f2ni8+=Ey zbV0vHcDJzTawB6B$6|MDpSRr1u+i7EwP4ij`7UNVGvxKb$)oG8^F|isH}WV{ zcJI!+$A5oM6x6}WAUG{R_xHll_Ef&PEy%a*=c+qAc?l?y6{ke9xG)9GEUuLjo|Fg#QwKmtLzwtfpO zzM0r77xq$1G(P!aj20g1UfquY)b6>F=6ujV>9UF&UI02#{kMb2#r}Q|T84o1u;~|? z-yeQyc|BX^M^v^n1umZT^|!@7zK45R`hG2Z?YS={=x>SJSx+SbW>M_6@3Zm}Qohp%l4Y}-6Ip9l#OKx7 zHIy?9b%`4GbKDj;Kd4qTW_R|Y(nf7MfdNcBdw<&npzC=jx>6p>-xnk9kOmgksWyQz z^s+k*Dsb)EZaDtoU<{jxB;FLWk5JcVc*)VHhgY*jCCWlD94Ev;QZEo^465$~T4!G$ ziTot@J{1JI_MH-cwv9Ib&gzzulYY)nl9|jVV>rL~__O(%q?q`Z#IudqOF%IZLh;w& zLkC0}BpC2N6NV;Uy(Q?X=(^!Va}c|m_9BiGH`cYMu)%m%r)zK(@;3fyU*bPVQtf?{ z8QERX7|7Pkt#@l)GdsuS@55Z$abk2L4|-?XHt)^OGUvRkiV`DC1inJMyi9?vVYMMT zaK=Js{hq?<5CEfdGooC;u5$y1!#CG+$uQ#C`i|LGEAEUn0Rx?JU{qm_D}9WX_I=j2 zA%Y|lVJ1Sz_L z)RXi=30k7AONXsbYmr1d=joW5d~W#D!9z_@@==ORa$PpCUW&|rW`<%#CF%4Tya_E4 z3tegYd-`pif9`b@A%rLp)ze`#)8ZpYgecWovFxH&G{q2RFj@Rc24e-^!sr1tK^>B$ zI2Ae+iWa{tHi0GYdRzU82*H6CkpJy3RnTZGjCC~AE_}QRFd5L_O0>%E)Gmg}OSGSK zmJAM3h^)IxbzW2M`H1t(SH$Yp_@G=2LYu7C#m}vEo zV=G(V4&YIWxm(#D>TLh%0@Pko(~^=MG&b@Mr3Z)ZApagH6>i#a!(6Xk4u+jNcYNm~ z@OAO(Tu?Q^WTsdE`exTw4yPCZD$%8_wXJdm@!ZODO2@Tyhek+|i6vE1?uz~^7reR? zV?mAb3d0Cjrrjss{Tuq1Ep3MVmp*D{rODO3Mv9xN&-C05xZnj}C}zRn^LTFyFVOIC zJZLF0pQce!O^IDY6$nEdMH)C9jc(wd;(UDwks;-e+Y~FH3yTI@YK1LAD$qj}xw5IE zd@mPV_KaSXHJ;z_;!JqB4<)tmGz2vkurYnSL>yGo_k41w-n1;WfsTkn6^l#xV;`kO z!5NhTyqqR{m{UB{QNHa;0n(GvuE7c|M(;04@j27Fp0Bd{Ct#k6*xkRJ76#qLDI!3= z%V(bFcUoPKDZmbo=bCTUA@7MvUt8_^vb>*^@0^YMcVruFilK4MyTRa*(5~mmezi04 zuONIeg!~%DfZKRUU-P6wwxP@RL0f?`lHj-%_fiYKiE}||jpWnXYMD+MU?VLxjMdMX z@Q|&?mWeT532|*azW~yUZ!aYgn$4GlNKLQnVQ+yI7nNZ=24yEl`$d`HM^mzgCBJTX zj=m;|w5NGiZ^!a^zPUbUQ~freHGM-OG&FnlRkb21%9>g22ugCz5burWy{2crcppoC z3}b*MIxa#FVW_xAq9JU46YQ=q1>Js5kpJ!b;?i#>@7JkFAA*f5K9k8wnB1fs)?{~~ zqaW|z0{r?svNPq!TzoXykXFb#reyra(pqy4H|GMEiI+XTLQN2ZRQS#Sf_E*)^cdL{ z(uF?ejV<|uFi9H*&U$i9@C33~ zmek<(>ZXP@^JU|v7=xg$tanlA9t45 zkO*95x<9@PR#|zC8tG)8qkI%dEEcENo8?t#=zwv7vV=@<;Pv3tob*Vy6d>6MsKbRU zxgxWjPqmIghNghP6Db!ax6V9+EI!+}EII_yOOqqH4?p3Ao);icpV&I$uasy{=X&Ayp8`oR2k7 z-OuAbx|7QgK7ZPAnxTMJ@nDh4dIc-I@UX7XeP}hu+@-co?xhqpEt$G(#+%1ZJFyvz z)Zw4C=7cpW2TQ@N;d_p}t%VdVp!(urFBr~UIdRLYM~B8hw?>r@4lLz~lXcsq5*WLAC;CSXDRupaQ|zbsCmQ z7B_Eh_Pcf#9-*`U@?m7m((Mu+sbZ>JM9tI2`u|?g)Oq9ib8s)%z>AirRld>ByqlZd zBuo4|{)&UB%ckP%0d7wA(6Y7FGyuJ?n8~?N$w_OnC(Vxa9dwp}jtk&LX0&E_vjJki zVBqJXo-0P}tYk1?VdWX)QUQV_|JH8mXFMN6*G5Tzz5Pv=YX10$e|h%E2-lXEUj zy9OmcZWVX|J7s1}x$me<$(ui8#@~pafEz8wVzxk{HWgZ9eTjTah4)@WfD{ct*v6Hs z)dmA6s)HSLZ>cbUUt!N2cDK7|9_nl3g}bQNA2?5qNfU zM`L3-0grRD=YQwM?n=k%|89I&(I>Fv0-i`aY;~O_a5tPeSWQXJtgw^YVRxY zWrK5J(}m2`{aiUyRr zFN326+=;!ZC|s?8Qr5Izv^~$x%S>_CFZdk|L|Vqh*Ue4F!8QW~8uN-SQe6CorAcDj zc-wq_DpxDzQ%^7!g|B_AXtPZdUFFK_uHRkMP1ojzRajl+$vez%{QAuyQA+y4V2cTS z{M$QryW5*_r}y85wdkmhVjEY{%djgK9~j>thAE2WEWRfeND^(X)K1zfR>q|>8(e=* zm*yZfdGBbDoMt_CA!LY{nRu6=&2?aJguIEz>LOe>F)}iUNn!{phY&dt$5EwQp$wg# zw;p^|{8aTKweI@T=H=Lt7dPh*YE?2&gCoVu4_7)=C(|jcG*r5Ni3EUdF0xxUqEm3v zX^}i*y1P1~=TEu%rJM(h>04`dPeR1(yw$@TaV&+_36J~>Titdl?V=1BXu?(L5RKOM zwIG$H0QPS^x@%2(@Y<@-D|?{Hl2K^PQ@dDsf*khe34;LUK5ad=UK2?3s;<*}lCesf zI&nVdv|G?zTkqd`jgNKh%}=%Liv7+)%;4N5?3Pw}sF}#n7GUM3*s^)}JAOc6WLK?D zt301I;V|Xou12>#BU(5R&ATMqLUvK7<}Ayj;9JQf2ug&H#;fW&7SLTbHC5jcqYUUH z0(Y!a!n#H+2WY09z_LfG!Q>|lT(l|HU9Gs|lJM5rN*)9)NP_J*RR4aE;xBRYS!ZRy zYx+NGhyU;J?f-A>P((;nR6yjvYln&^W-k9{?T~@-M>}NtiBJ2l8~011F3KnfrYkO9a7 zBl!i55;)00U=$A;8eU$jZsuz{&ilas(JU8W@>ao0$Hb`LD|Hzu?CIQCgWe|F6S8 z^?yzn0gUXd?QDNuZEOqx#sFhGYwMqzm;n9<_y{m@a51n3n7A8R8`uC$0j3tNCIC}A z7svmmIGO{@J?za*Y=1aMOMn%?`ah_n%@6BnYhh~wuywI9{F#h}nJvH$VE1#t9$;_a zXkz<6hVnnE{|w}3#{Z>C0)Dm@cE$jEYZoVg1Hi$>#L3y>XM7GWcFrcohSvWn{&UHH zv5`(DHWvSxfs={r&mf#E+yVdjESv$(=8h&N0B1KlfD6FI*7#=>Ms|)S09Sw;z#ZTL z@C108INJR`*vbDgCjTGoy_*$bi;%sWn_Fr~$Pf#AFHsBl&rSepmVWQ%CWrv<*7MXvwoCUbi<94j z=5+br1}n8o&PC+|>NDvA41Fdks@lNcs5nf&3HYJS?T(HLY|rv~NFg9JfVQHu!jzTw zrcz3(`D+7%$}7kS_}Aw^2n{R{^vxh^Z}0Ai6@dqOV|1tZt#H(Us!B3g@jyZM`Dp!u zfhIb>=I?#y!Obs$@_fJTo5B3?E@|pb%D97W}Rth0jY? zodXls;#B9%3;?3GH6_gB;0HFhJ>4;sfUE`K0_Fc^2b$X&ZQFe&bgwd1JiF z9w62wzZKdI-0%5g+tUxXK=bbm>^3))5)6IFILw~DIhc46=!>@;6#n;arS#Wrio0%s zJ-^7FZw!xbyS=Xp(eF#-Z@umNZb7M5e}2i5r)$ugSa4AHZF)K&@E$#`qwh$TCdhz} zuh0`e_=SHTkp17#!b^(}o$v(+OV^6Ej16D?P|oono|>9vKsu8)K&mBq&-kA<%g(j6 z&Je(OG}}!d?a@Hwtg=&nw-zfvlRrILmYkT^+jLTpk$xs$bko}%8q9;qhYO8ZUoM$n zc*S?sZ51J@`&@P3WkSf-w|b%7^aBGuIY0#DthNY1sF1&(-;In8fo^>F9zO~0KH&$R zrW*>%E0|_b^S*VNf3I&Be-B^hQuO=z$2-$QYJIR!oK=?~U|bhI>Vw4a?UQa>WiEfz?T=UEer|~a=)y`U2Jg6IS5gzI0R%?TZGo8vfUv4a?G zydc9L>i5Xy&mYRZsqfGb-K{!=1mqIw@VeGp_kYI-R1H?4e%cXf$e2~NJBwdrf z1!J;z4S4!;$9de|qQtIZwMz@-DWb&gw$BVB?JqXpf75(Mp;;GlesW|46Gs@Etc@Nn zf|)BCYQv@qE4_YyZngTC8!_+-UQ{?GpR5ToDy;I|NEA0DrAcY}yp)3B`mB-u>7ua} zx6v)Kg%`M6pYEx-vTYb>&`M}+SQ@d`9t_-Js-}Qd=eM)yDI7}rsH-r;crqWy+CxsC zBSllZ+(7f)K&&yLYQBcZjjV#+ORP)61<0=@FbemE(eJ5&tsE?0T*#vgc{Vf39>b14 zc?YZq<+|qiqR{5(VG7=A1lMZ|N2Q0RT)m-T`;(|T$BWJAo%>i*k^o!ULaueN^82gR zizk-++Eo}=S&5PSr1Lt01UIq98q4C$*CSdJc{F7-f(Ul%R?yh;B3*p+k+V6Gx6Pk&9@I>f5Ok(gYlH zlMV8yJ`^S@oVjiz>g>avVFfuv^(KGbpfJNHxH>WWq2hUOjft@@^~2o1G$jpO2iPqi zLw-V5Z!)Upg1S;n-P`iWe4+c-7%)IVCLcx~ltIs0BWqFlgT{QTd5=ubSnme$+`w)_ zujCMDg{!px0K#sQ)P3{KsE+ah;>%}-^L@TAgLgKr-*3#kv>2mIgegI6tF3NCes}gY z&a4;^St04@W}Jmc76z$Ajez*59G5s#yt15=z}U@KCD05PtD-9`Bf%>au3G^y;-yx! zV=^4+5$yMm{#5P`563d2K~&yMtKRVH>38DNpkiSiuPUfzIUo}ej^48)kQbl3Obc%> zZidy`Fi}OxRxg=~z&p)rc#VK+2W7iu?P4mv>aPgr)9&jN@*RHb_Km6 zK1c8X&=e50&-)i=p0)&c9&*6)SbtwhA-ZjNlMgh374S)Nz@^;m(r^0o9Pm0h6-WCs zjKapz=3b!-!+bJAlQ--av%R!u$cu+k9K$iqVv$9@+5uUquImi_`MCDOvW z)|asGMR8IU{6jXdzRSDi!v3*_WVs#nW>Ukbu(KmTbE@hu9_O4O-`>Ri*31znLl&xcsp{#SZy!?Omu2%S2j22z`ny6P!L8 zMY=E6?{*V%;)|Qd){dlA3`ZF|VG^H_ND@DczYB-pp&=3N1tt}27@*ta9dkN)%b!Bn zFE^pG=)c~zQP>_}`CI8TeJCXB0w+F|eW1WvVHgrt01bY~>ga*e5)(?_e- z_RuY!*k$glczl(Ob)vzik>$%M819{(V5$VL=*j=#+e(^Ifj;pgKswytC7>7A^@W!=-0C0R_qIWiJ;p6KSF9&37Z9lZ{?blBFBB20p-=ewZ%-*?GTiz(Ro$A-y61sW>8(=SCq| ztskVD1e*&eSPOero=N9QcBWHdR;$3&1of0@2>|ii?cL`+3@+x!d(Dqj7i8F-i5Nf;IWkjXpkR3{u>&19-`4C|{_XO-G{vj3DqnM=$d z*Kzm&1U)dxb$B5#RJK4MVHXWq>A^C5jP`0QOLLgwvN6dE>8tk{+-Z=){44w8_JR^J zquMh%LH(Q}1y*W+ve#cZdj*&;QIkUUeDPl6o3wDF6RCTnaS37VXiroi1#|cmM#-Da zkup=q&H7RtHt{r69x znQx=Y*itQ_YB*UwX68ReS(TKg3voD&eeGl{W4iuWVo-ur11LaHMD{__>&7MZ&^we&OYWprdf9Ad70hK)Hq z&K1G4s4`H1{l+Z%@VQ_j=JHy%kHkbQJRLUUt30hnZb~w2p~T>r z>yR>rx3dbkZOto46(E`^Mu-J}Uykw*=bw~x9*ok`1TQVOW)QhhyR)cABx+~)MXg8i z&UqPJxb1_1w1@ME?IlLoN##8MotZ@Zc=FnOtVB`iS6jLLqCWyoI^CMuqA$p9!#GS# z69k_IMbAkWxHhm7?qF7{K7MjU{~FtH0m-H@{p<@71_-&osuE>>xWrjLUME2*=m4NM zZ#3+R0t#9ruK-YwK7g5yHBPs*sIC;E$88y)=NN2!xw zTEl{x)~p?zBjMnebojA%$v?{qXL?f-L{gbC9Sb%Z$`ru*+!Ynwa82o92w4rMPjU>vPHB#l|(qow{mz9&x&(itwjsV0rATR z(Ty4*eBAfwnBHc8zlIBU{DNpD^|bT*!D|-8CsVsg>#F7ea@KnCv#_qqBwax|Ptcec zu2&=`6UkIM(Z3|@&^QRsQoY2ndQ5(dbNP_dKaWGB8zfIF&X5hk9fkW~m!OYefaIn9&H%!L1$B_>TJ$^3;Ay8a9)I=MEP60&b-pm^;Hui2w>@9gac)k56a;tve&b%h>AOc3ofJ~kHEV78Eam7X<65y!Ivpr%lGfF% z72bsfTtz1y#xP_s8KmR^e;Y5RlHsNy`f&St<{FO7v|NI9O-D%066+#c2eCGY+th3Z zc&Hx4z&25r2A%TOw&23+3Ig6raxo|N{{Zia$o8gd?y9j!NCN4l1qi#d6Lqdw#0l*Z{pr*0lg0@iQbQb zAE`G=7_#_gj9x0K6@DdI@!4eYw_H_83PUk{U?U7pqEz!LqTzZ-b$D8!X+11$6~J-+ z6#w9_tUI(q!=7T6;)AF@mLYt%d#6345f^c8kg`Q*aRH0v-*PiUM=S0Yh2EM}FKzbd zV`WX`#qb0zrgWBn7_g(+)@GT^kz$hEr~iE9+m&qobT$H*=kofYUKSm6k0T;?x@6cL z^16wVBnp2Ld_p(6BL1-ioYTcm1}5u9iZ$(+ROch{6URkInON$=+1<=5<&$NPvjAgi zemn0xe>6@MRF$Vc9!w-<{BfBTw-)k7RP3MDMj02&Rw@3|AAgMA)`%t>U7hxCul3zq zln6pwTDtW(*#mLd19Rz?V41*<=~&Kk^VLK+px&_4L=Og8YE&^>h)FV)nU5SCuXaS` z#tnWXDz?s@OuDzMo0i$@xE`8Y2muYrxAVy2SO>I;vOKcB5E*{=Vy>{evEpvXK7U1` z4leqaZ8DAJ_{@-)N)pO1r)V)$@-#%dI+V;J4vifL+9r4-zF;m-_Je=g2S7YcHux|tqt_p>P_APdxQ0PD z`4Kc*?AX++M;ANchc>JQj(Q$Pj?j~V4U$9>e;PeFNU&aeDP$7Qga5|1pQ&0>$_9`+ zSTUrZ6@u!_vt9G>dA_`)TT{5gzmeVbQg*>Xg~f>0ujp<@*+z zf(a^S+;$H6tU39oJX+@XssqK@{Zdqtz9wab>Wz7ow;}?^vn{}i0aO|fxKCl0qFy0Q z+=hFdu0$5`ssXYi&VUmS`QS~6HNfs_c4oiC<)2)J_i><!en*eJMyQzuOVO$%Sq5ocbiNtK-i&av+wH=iZAJm5W1^{53bLtPkE+0i%4 zRj3(C&N1B@U_=034V<9VIIa~Y!#H`!2(x?Rl)R0`-U{Lel!U9j>fuVqp_7={5zEWG zED~9jQ$=cYg^^ep^qXzpF@7whR$)Tc7o1Er%kMx&u5xSy1hnPqDbslFv**sRah?O1 zUXxkIHvu=<2U6rmJ#5oET_km~a;a%kZfx76&Jm%RjzJd)_^CqpQF6#sxM+hN~KHX*nun zTk&*n|0og~pVbqioyTfRxNd}OA6SA?Z>!>y=wK2sZ)ehd?|EzGo7nNj-pceCt_cSO z(qL4{jbSIKF~~;Au&7riW?(^QJ$Q8X7vVCV@^QkuZR1Q*?U~=;oe63g6LIOumL{UC zGtaTZMOdMHxCaz3TIHSCEeJ{tJ{#nRf1zwmD~`r<=G9Et)1nF?PnABn&b!v;>a@h> zpplDAyK0xtDhjsx+^tFMc#@eXhD#O@u@%T$`T@ok-) z2^`<{@P3O7vV9XXq4hJ0oGY%zCyb5HYTw5xsc*M}H4Qno*VF!!{)OM={A`MwYlz?X z_ej6%JXAh0rjZNA3fO@lGnj@!FzF9H+8yhkGgiSdkHxpDlA?Ef1N5>RB0AUCMXBd3 zk676!%GVuYT|B|6i%jdo22>2&IiL&plM2*?B)7od(aF(tv-QgXE0GTckH^%Xd7{x} z<&$Zd8gU9a3>T@22H2N^lt+7bHO~KL#CS`>o#vX>j@Y~^a=F=U9Y%yw`RVZcl}nc4 zm6|M}GxeZr(AnKd9~jLhr~lO>pfFb^Q`wj#@OMLNdh`HFE=r7um5-6TLrfg}XF$JmS<+Ph=SdS;VENp3AH7L6NUo z`9kNbJvF2a7}WN>PB)y5LImXX*iiXgKch}gMNP{vLY|*hprjY|EV9@@2EHskfBtRr z5D$2h^PN9jq&!S8mR}aUDIrZlCx0KSvBORDZIWHo3l!C}s^JEey zc%W)@G{v|@N?#@nDUG5^_AQM)NUfCtH6nzt{W8XZ+L5R1jj}j39_n|^?QFn9Roy&s z*lPhgT0rqq*Rn4&<}8EM`_0ULaS%8Bb_b&ZDiG(1d4J%JvfiF8rcTYBTiq$mXI2Mz zB(D!D?!0QBW8v95A?2*{xRl0d_`+>Y%>V=0^|;zX?XP^PbV z+$%mIP^^mma8oN2ibX1wYVvmyENTmSTp;$%^V$DYFW`>?JyiA!T^9;49wvH0UV)*h zEGa$pEk8aYKr!jRA>!@lU$eCnU!dvPKxs?bSzrJ^@0;Evnxk5Prd0i$n`%IR)YxK!d~gF!hq>l_k&~kjLzE{t8GRy+Oj|rAc>n1PiCUYu z8Yu>5*iM22FmoLEXX*aA+Wc8+ocJ(u0fny;F5~ldUma)Rc@bwJKvhZ#{c7a+bp6+6 z3WlqGyu!*-z^=1mZ!J(XMShegU=n3O)t;aSx7IyF8$#VjbgiSqFiy z_h;qPt&|3ed=}-)qmqPX+X0-pE+J5yn#s`==_;hf`~v44|L6nWn`nb+Yo8f>3d2kl7lA ztP&g-8mRFcW7YsY6SSuQ*$*7hAoy2+OLzR(>et4{)|TQ_73xMTT7>s{okPjvKr^b0 z^}`)kG;U+z_p5-LOJWge*v?UWDPSSF<%;=r6fe{8whOu`)>_&!IkZPipnUtX`~<)K z`3j!0zx9$1-MBJffF?>K-&r&_!G^7+8!0^yB5aK|J=X~XJN^1Qn|&0>Nc+m3W8sEr zWw}Q=VAM-YNZq_v&lN)?pEbTa5x-ixIsK|ng;;rK$oXlPq)E(g-V9twvn_S!MN07k zr!ctv?%a2&474tmsNHO(B#5w`gPE>IKSsQF0ic7^R>I&aW-1LEk=8$s_gA#BZP!rE zJ@DSz8%iuH3S0g$3@7g#*K=qX_OJ4ll^-+mE>O~R$eaCU_uPIpJat=P5o-NExwO=& zk5>y;FS9mVm4rRhY&sG@h&;4yW;z3&`B^I_N(Y!-2j!?y#vYo0k9t=75t#!v=!lUn z{8UQ18R=QPgKB$=I;(P0NrRz(%P)q?Xq9ty1Txpc6xawT4&rU51r9}x(Yb5v_;Y*l zuimaH&?G&w12P0PW4B6+s}6StDPuOi^^&`U_RxwUxxW*p*i@Y0liLoZFSWVe zv$qYZbUAf?j-Jx@&2=jaq-r=tQzk;Jiw-Dl0|K4QnDV|aR29FEh=Kcmk%m;u{$=q^ zZf*Olk2s}qXj9smdMIIj!A>aEoHU|asHC0%?1HlF`A&*CD?`wIZl}L3-RfOk3yWSY z-50zWB%P2vglV8hm%2D_SI@B;y5LeNG(<3Q5*g~h%#&?GG{7Z|@A(=ln&nVl%H`f1 zVdp8h3{$omnaup)1u~ym8y8_;xLl?G(wn<8vaL}N@cYyG!$<@AcT(;}gVuN$h|D(U z{6O6CWLv38LL6NC4wOz(D5)CIOxJ=axO31|Mha=SaidG8F7*NH*~t;n|N8U@#%n@) zdSel2%;he=4R6XFgKSR?uaXC47$_@szU~QwV|dkW@2u3G79nySEPuYw^(7E51Bj2J zBW@gGZd&wHAfF{?i<>Vv!BUf3RHhT1A~gIVRZL*7q6^XdiqmE^q)qGWc%3|be=}&~ zc+zzNYsj({esV9~jSfg04Ei*VDR3zGrA0!YaSe-j!=X_yqwH(egxCl}UW9x#C)R`u z8eNRS!SW)cs^8&0pCd_lICY9++hbFhFY<57844nlzK3;Ih|N0eYfSU>$!Tx`i%ixB z_Ok0;It1{1!W2MQsz2zu%QDFn|NWgdyou`q!gyfxPVMd#Q*upE6YFlQK<}mS%6XhR zb=NJ*Ym@{ZX;+(2F(;9Bt@rgu*C4AU|3LJHk|84V{Xp;?7#yAvd@_iMi5lC4vaiA5 zvp}dVO=k?e{%~N!Gu8n?Xm}ORPP8WIfsV;KYOTXAp`x~Ajun5lx{@MGu%7C)G`JE_ zVqn9PzKX^ycDV;X->FXNFS%Pm9SKiX?k0EBn=`fPVW7_jj#A)CP} zHUPi>*5ZuLqqjH=v4&@Ly&H7}=OEQIB3aX#Xw*NSTDpS~7cIW^3Bq1Ot$U?|=vOTl za48&5py_~0vNser=s>*Yo>>!JKIqR=By4q%FTO>j3GteE2DBAXA~YSG1>Or%dY6LH zi57yJU&4?29pZQyH_`V9Y^rYPlhU_rQTI~9es%CXo6$BR1?iQzA%6Vx5#IHXHO6F; z->mm39Krp`zomaAG1dKFtleXfY~Psg=YTksShJFi2~>>&tmlH0aED~PvnA#^x|BILJqrwKtQ zC971zWq?0ZyxY|vW}k0e{tnRN=zU223cg$iY<`rPhX;g754q`T=J8FJ^PtciLWFO5 zE_e$TBM7V}DkTpHxog!BE_gd|rT$3w;KG|y+Y9~+LLLgO$k=>3ix}r)t<-ZX?hya7 z@==4*89Rh7mc9`kY!c?Tv*3Ajllq!i&*aE&UJ=e;hhhPz&2PTG-6WfgN8_&Gcpqa- z85p>mitz&*E%3)jv%0&pUrp~&YMzQ-upPuw-eb^NTFm*6g6w5fHuX@ZmYnMcjro2m`|$Ze;qJ(1&!nMPmo*CUrpcK6&*9CYlNuU*!q; zhQ0ytoPWAMsJ`Q8Y^-@Ve0BG~I>o*~KU}~UJ(-~KmLcvqSoa3U?Y#BHBI9CR!KLVK z-|xQUdNk^nQDnD+)-{)igMtU<_#fK3zV3XU*pPjJGO&3ElqbkqvAU~R$g4!uk`_#e zs8i3IZqE0$&-55^ojonRKlzw;-S%8LvjKXGADk0{877FMN%ZOm#&SI6jJkNarkn15 z2TK|D5hR}%S#~NQih8F&jk07-FxB_?<`H=@q@+Fq*0A=6vt@Z7ysA_Q@Y6&CjNMH~ z{|d(u^e(S5waFb(A7PC?vc!bGR-EgcG*Xi^@kRQ5_Y`Nv<8o5QN7##)AdgR%zs|qy zMmYZF_)#a&iuOLSIdt-LyV>Zx$104~sQfGnM_y-P>yhk;x>+Z(Qsygb?n=Gb?TW0_ zL#QNc9P&e>?OE89=n?3zui@+nb)N84xnlG+=j5 z)b=OR=$X4L!d7R%u$SIqOqJgDGZq9@$GI6*iIRsZ&H)&UiOcY?sGdyeQV({hVGT@E zf0xXXo)s|RY4qy89uga!>58Pc7Kz-LF$76wYZOU0$kKCO1Zsz>{n9q>mk8So+;69} zb;0>18K$?_sqsqhO$^tuT^Ng~1~w$U?uCaLuqP8lhgLsc430``YV`y;Wvud{%vGat zvh9JGDBgk7(Q$KT%rgc-izZPig88RKB`QUhUe&l|Vg)5-J){=r$4J;pW(hnZfvGgu zltYjS-Vg(|JvS3VdFaH4`#2ag+v8ws50|Da84~IS z;25w+%Qd98U(i0!n#`FF!GVNDi&WyoF%#bXMg%K`HkFr=<%Den8*dY|IJR8D)-Wg0 zW}E=b;ZpEt$;!#9uirA(Qc*4GUN}e8o9KltG84iIykALQ)v!MEgH4*dr!_Dk*}}Uf zAu9*aqoLDp`I?ABf*4qz524fN%ZBty94-$Wmy7oW zJAxL=_tJV!uIZ7+WZUcc{TA(IQbzs#1jYGFIxqY9bi6JgN30c7Z!!Y-eFe^G-e8Nw zLrn2Wv78d67mQ*Kd_mHw6^nWGgo8j=af(cAjcx^>Xz~|Q-E6Gq2qlEx=&W<=+2PoQoGYRI`*V{CL`9)BE&fxTR!xRTn8PYXx&mn1{kMRcTvVg=u zFLrOX$IX0>oYe~wywQB)S;HU}(qk>H<;??d}Jr_BYQR^23Rlvmw#Xo*Xr-WyolDn>BUCnpm-wPC69W1JZ0J%x(Y#4;mJ z<^F~tOJdiWT~D#~g-^{X)}7>B#7(wEE-2wYx~DO2i)-TwefkEjmRa6^a6!7NLfZwi z_TDw2j~V|nWgY8eZKhhFAR4Zu5f>3TKA%G+nSjbbDo(XY=PasvMzx{qMvaesx1Jhu zR<<6R=+Qp?JwVRe`oOV!4iaZ4pGRxSAllwt**KqE6T81_W`)-;L1nYb4)e``0m0hc z0FnV;z<5VKwGrNb5aU#zb&@Ju(i&^GL>S?}+yc$^7UL?wFgCz4qW~Vyf|4CQmLrq7 z6mVn+N*B`EgWF3Ro>G)9=!rLYC5^B^P2K|E52*q&@2;|(wd1=bU5Y)@f1I#6DwB#U zlX+nq>w90Kiqv(p66?Dmgy&pU0O2n$}gDULXX z8d{k@ajGyiYko8RaB|RnxF+oen1HFBN@$A3^Cd9im7o~){S!WGZVjwiDB0@k^_W)? zRRl?{A!rrMQu3VP_@N#09#vW4iJBM}_e@i|EJf0nmXH}R9)ZuH3a;j8+HVTLT3@r2 z2vP9(=dK1`;6u*o8)Mg9Mg;;t#sHWU;d#wcaWf_g(`<13%07XMs~^V>5e(JeH?TvA z@1_z=_3yD~L3u!ae^b-Xj)@xpStqY*|6T>Vt{vhX?5?6q$T~r^xf`j}gqT*c5q~s7 zlio)_<2jAUJZQ%Z7w@8R33BfkEKbV~?^KN#?)4H;t4t+p&O)chKSe{2Yk;gi?9ML` zVptQ5qxsic9aJAx)n{pB#C`onAMs(4tUEr?^m!H^O9Hm z8GN`njm{K!@9*T&>BfcVsOWEceq1;P*rBOBs{FL@V;0DPnlq3?(W5D&-y!$ph1OF` zr%1KOk&P-u3?Ynv*~oQ9*UOU=fM-m9fH}I{|)bSN->;SH$w*qJ;Q4f91tH2ggxr zn1{@~r2GfJGev%mk@}yw4w(jw$oN94w`hsLgV1C$ z?}#!g+sJPWnwQ^~NjqHe3YdKuGY;dUf}`n(0{dRto`}3EN^s1}Kz7$@>EoZqn6f!Y z032#QX^GlI)|eTKgB5W$kTzB#_^nY0I{Mi#->< zP@C(KjN=`zdM*SU>_W_Fk}We}FJPoX$3_d55kr4fiSu%$2+-LaotYYY3BANS^@42wm^(<_@O>-%X z#T)XQMNC*-vNe*JQ+RwE2EjXltjG1AO-Vp5Su38DWG35S3_W*Uil(jZJLx4#CM$Uq zRe82`>_?YXAy9uu)se+>Iw?b6TyNk_(4XKT4u8{*hfH@3IcmDgk%v$*i!6`iJKDYn zu~5o2o7*6>rM3T$q-;<+CL@LJsKVCuQCm3F`YqKDsM8UnqVut=#ZpgjkJF6 zZ3zvK6>CraN&FTsomLc4Ec6KF7==TdBeOUyt83VuECC0HCP(GN0hS4J+kZ( zEFW$+SRdtgGwTkdLPYp7FU00f@V;e<(gt{$hjUcR*1Cr6@x*KiSf|Phdg7E2hH*|o zDDm3`ygMbcnn)8@=Bf}Tno`+Q?cjegq<0%0lYGgyH_d5!o|6c_V)m`Z^w^Et^=zC_ z4H+gh{W8EsUgS8O$uAT++(L$B?y6|Ox}pqC1KjO`b_fdl@x4Qh|mE-GBo^iLj46iyWHNY)yGuDPIc1CK?2!dZmRAV ze~sGFQ2T7&B*URGx`9kL1FCuzp=t3TnJSbUM*WF5x3{k+fLac?0v&@Sls_W3RJMq| zn**8bOF|mNOJWKcM~cmhzNR4YDi=L6)#?>J|Et=``+Ml4;z&I3+|c83@g{MV&RTvi zS-1xL7nB^^;u)4UOAWjRzAqn%qh8;!{IO*L9Lv@5MvY^~T_Q#vJ8%PCbdb z;`9?9DN3}v4&aEh9eant7%}IB8oB7BLxzChU2>7X|JkH@ZxGbViK4qoK-IQx2F&?- z@C@LeRVOIp%gdCeU8UV8RS3`-wCH|^c=P?KI@78znnL&t$}hmitu#>n3R&1$fP#dC z-^F~62i3pV4cWPiRwo7w1L;&XiZru&XdV*tfDdJvtu)Y%Zu>-6G2k}ts7lYR;9hP> zWv@wWRr*{q(b{kiOa>~TiJm@s)@!~@#1#zTaYxcym2(cLx8~Ma?R2Z<Lk#Oo(HU~{|Pw}hm`^4`L!E+wjVUA7x^22JQEN&zlz zTq>F+W5e0)SOcvTe8*}jg53d+lg`O&7)@bCg<9oN#E97q_iIm)%Ct_o=-Ba|un0n( z_}j1|D5hfcB~6~Em2|p|+K=@5q}b;l<0CTm>B3uLjGRX|Q%)Q3ktk*r&*Q;Gu+@2J zQndJ{V&nB1oMR$GGe8gsh0ZA>o1F;6#(yLr$tL1W!WJ`?kLBU?!OD`)>qY69o(4g; zAhtqhtoMamtS#$$4Gd*%iCFI(_DiXi4YatkaIXoms%tVoh++~|K}Tu!@E^(~EDMir z+-eZXYehj(qrtS5Z7OOs@_cD8o-*q-aCAdr_SxDtS(cKAyZehUtP#I1(|we6rGT2@R6=-< znk(e`!Ac;|%DgGGIy|O zZ2EqEcN;gA9N_!8#T1^$^SEdKUgS@XmLbc67tjZlvV_W7hK-~=S>$srM(%Lt@(owl zf74Ock>%?P?*;yF{Ipaq)ptb1Sc*cD=WrIB0_)@x)DLGl@W_hLgrnq|snix5Om+Wh z>t|;YAu_t=cY9Z?#G^Lp`jto^!4yI><)-VgS=`1todKK`>ccZayCT@KpNuBtEQ`da zwe(I)U@*sOy^bNij72Mm>NxdrY|!}Xz#(?8mMj!qFFlON>?A7<_d_>u+g3#3$hKgm z(?0`NsyT1+PK0^uDNP{|qdzyo9MT=W_Cx4uv0>~?oZl(D<{kCH9_e@Vl#T=T^ojnc zDq4AW9sMl^l08+{R%9hJvog{WM#GpvCf8Nk?#0+9FuTh-S7vXoo3%~($BtpMZx2)&SG>Myimq3$aJ4hdD64qLZ0`Fy19n3bt{;tNb!r@Sq}&zO7Y7MHxMBtAqJ8JkOU;IU@@_7r~jiT1<^tkifE)n zQf$7zzY<9IfV24w&*@BE$Aj^$x!F{JT*l1&9bZv=G2uzpWA7s zDwIP2aXtVmu`xETFs*-nY5}MKbYyVhy(ESgC-I(vKOYW^s8PNU06Gem|LX$)Kv6ux ztEm-+BTpI>7yys~Prd=i4$M0O%u{=?2q2z9GdE7qfFJN41^^7KkkLJBe<6Sa3C2EX z2Mhqco8TAR7;wy>b^9SBPX;4Y(6Il!13V4D?XrgM!z@QbEx}cZJq!*!umYXCECke* zYsP{-jC_!I0|5sTaK8|~5xozmFdzcQ2r%HE;g69dkNo|dRT2~!wE4Daax1AjErhJUIYx4cTJjb8huH>yyNnmyn8S|6dkMfK-#E`!cpcq4q2WkP(5rFiocb%X~ zKqAHZ6BN9a{Z^6fK|sD?ncYHy@CoRv=$&8KK}3bV@wj{C`-syR7TDO@m{8u_s-D_P z8GS+OPkQkb`hP;rO#K5t9~{PuDkD81?$CiJCV+n1N$!9G1SB^4ceUB?f5*)3iuCu* zfDzDOeIpo}Aw>u3z{Oyq1qbh)UgZT!V_b!Z9d3SnTpTWb zkG{S97A}AmUy)k9XF>@F!UCy0FAHG zv{zG5nuTnLYR0zfsc+|C&9H^T;b=c(3vB9ar&7^X%S#WECHBxJm?$Qk{wC6CoYw7S4pJ@iy5tpm+2@~xRU9&8lyKsTJHV@#rX1GaI&N6=vd8so`g8i zC5$*A81F#b%M8-aCcAZw^~jtFW9#&HgOCCTY`2+Ng^^=(WA5bG0=!QH+!tOFjcjT{ z+Kl);u(trddOII`t9AJ;tGf6!CExKV4FLkLO8e-YP;-Q%$z>Cr?gJe4!_8-w6MCLH z$o#{S%L#5MoM*S?GQrh`sKkuYb1fcHZgG0J(3{lBmhw$Co^K4WQu^FUq9vh=Q!<|= zX9E*X81q)(^)64e(T_LGO3!;M?HS!i%2aansY+)gLt{FVxSi-IeN;JxyK0@G8qGJUVs(^{F8S73 zi;gcF+Ea!U1J%|SvmN|57&K7T&gi11bLZyD-yLidT8~2dQg28Ysccnd11_CK_MYRm zu>RRB)21uMeYmG70b%J=r;gL!oRq80uOZjLJ~mB3$|{|duEsCP+|s5dDI{Z*FRY{d z;$Z~-uGcwYh!xtALhS7vLQ_b2bRX+Jk}0JzlJGI?ty&2p^6{$t_Tg2O52gB1X*u{l zO-$)KZN&TD^~=9%sPb3M3I8fAHZ>LKVn(n%=j+WuiS{*=T zdgjgZ+}!dDd*M^;$$(BtdmbPtGU;PE2#QILOh4ca^u+AQpsec2SEOR#Sy@l&pEs}} zsz`*A#?Jq$)15LcvnN?5#Snd=)1XWzwT)3jW59lkdsFR^-^6OcE38h1P66m{Roo>~ zE3qfRH;b-OX@@PMaXRDn8E?Ex�Wers!K0nR;#3=wfN^T!$BzMcQgn3!Xf!(dVJi zl8MAKZPdRsT$dq(!?SbLqbPF1nNMvgqXT)}+}Y>Ry9kEZfy=JxIB$+FHz5(Uh(r4h z-0kDH2t1c?Xo)|jrdL&6IE-uPovCr06{6FwD8?u0B$JpGuOvm<+{NakY+I+iXBJA) ztRa!Qcng$}9{I-7;IV~xxBF~~elNYbzC3c2H<$#Rs*mfkqo69)EE_-64mQalk%dWO zcJ+TD^98jKFECPc`O<^EXeJ;p|w~sSVxo~Oqv2nvR zCUsTUvu)PxF!RkRksZ2US-0gX1xA=gX9ZLm-5Vs?-C6XIJDp$>i>aiHogYlJp?<@{ zM>3Yg5YLUQh}V96c`Eqz0azNO{7?rSEuZ{gU6v{jVR8dL_FLT8XUiFn^j+j`xH}^z z@f2lqp!iA@{KYmzR%W}l?^!8N&)08p{3}JZ(PvCU06%6i9fJLan#b9f_r>g5eA(v@ zDPrBR0U`#8x5I2L&r|SkPgaOEl@hgH)(YAZufEC>qB(P4IVCsSwFgtRDYVn)P7Rgp z3fE-O_^i^HQZCclxe)T#-Uku47QT-wkEJTw$n>~H$4YYKj7hL1TGn`jUp2y|LZ%vh zFJkKoZcayTKXFzD!N5&qh;J()pT7`_IYqIERHTmp7cG<^5I*xw_Y_Vl(bd;K@hGXk8RFMV4{kWsc-;{FXBPsu4e~{r!yeL)+`#rXbTE?=??(+g5}5u^@NJX=W9X zbLulsJG5alg8i>)uLv;8{a@n3qe8xx6!YU00JNb6f1S>{90n7D1@$zx48vqI>wLl$ z)N9AIR9Nk>f(q;bF9osn&Y4SD>sZOR*-GeV-^V~S4@m3v_AuBeZ9$icjz=KrM_oO{ zbRkaHb~#(wwG94PU^g{!B=k)D{CVJow~!5$53n+98Kys2xs47~WzfTHY*q~T^@kH0 zYn}}KKo?6d$s^ZbocqMwrTJ4-TjIN;DohdQozG1}ZTR_7Oyg*%^ToNTJ;oPdhq`IA zDyCJEt=-sgX9)+5F{`Vha))p*`8NSiOJ+3Lkt_odT)i2rmKBgo0wob%RI z(JZI?K~h$#`}|hX)&>ta^0R)g7(vC?LYwNk81l2VVF#C1V(q3n**ka2&4#vW9>xXz zBt7vT?PgM4mxG6h5O9LI&SZ{cy~>l*3tneg${PVYktSJqTZ*`@r0~>j1jiL3-m95p z*sBg^%>8E=HkN(SkEN;@II>w#dhr|K?DAR%ubU8QSE`Xfb z-Y(Gtul*$~ruE_Hjmj&pF7xDeqzrxxLn|n#+DfpHjJw_DH!)MJ;XsSYb#fvaG-m?^ zZNj;&M;tioD(v@?_M(DK8$@;hT@CNC+7FZ;=@R_Y`&Nel>+*GTu9~XSJ6k7`{;$b5 z1uQ1kyQ(v%S>5)+-><%_z(MFew3f5TaneW~2;~b#4cdalEb~)>N?>@SHzIhe;v4*a z>_nok;C>a|V}^}(FBKS;qCVjALa(sk$>$Z>pN1w$g{5GNrE{S4nR2 zDCSq0OF)B@d`J$!WmSJqJupjkaQI5@?#r6z&oLir6OC{hXA`a$h;ECv>k+A;Z8#5n z`!%_xnkCW~*H5HAj)M<&t9`(urKxv>?qaN_@ACB)I6hTUDq2ZltwgRzK|o?4u%kFn zGxzzvD5`@x_mugKSJ76o;{DQp$t{#&&zGIQ3a|s3ldTvmRVQ{c7Pw88_)2~BHC2hN zC4%R)EX|@s9>*$>ESogm2SRPCIy_d!NwK2>uey)H+O`W>f9}8Phdm!PsqYlD@;5eT zLEbMmeV@@8jtJog>rU@;RDvh2=ugD@`>ScQi40u1(S{pTWX^AC^1HgSFOhuR z8T~j1H~vuTZC*YsTk_gkbF84%coGJyjB*qI%I94KGbsh-fP^uMx-W5XU%J6q;KV}U zC!HYWF+?6)a%^6}>}Vh<9;7x-_2_GL+p1fuC+t}iakbG7L?4qg3Ca#KhLy<`@d?u9 zzBT8_=MTz(%>|86MG#`$X3~BI9bCa9sxMBWW`XiCM_5!(cF}k<_Q2ZHi(%VK)jfpTHu*x2;KY12>!ih* zY4yqHEANG$=H#7FnvqmG1+B~=zEYXm)&}&TYC5OXksjn;0s6dB#~ql32>Q?R_gd#i zFAB`cE|RhN1KxGi6-!U73VT@8iJANRuNKG?W3K4BsRB59;0e8Sug!;Pt9o^f72bD2 zgr(@8BnwC1Y13}HcT)>4QB8c>ra!1hyf@7y&3SRZRC+I*#J4XyHkg&+MMGPt55phe zmck{N0-2X@5fLIfooch2XHH3>IJS1v<9rp4-pBKEI?p)o!dDz*i9Xwn`)IeAHoU;WsK>ms@tgg4r#}n!rLp&FwXvNT= z*mA?(HuBwU&EO+L1-xsV8Q?u}=;R&QXyR|Z zs(Km$KTcNmjr0c1nbpPu)koyp5eUF)h8^%;5ar}0?yBzv080SQge}A&Lt{?1!Zfdf zADauwbfl7++kPX>os?MkCQAq$vT9=d>+q9gH$TxR&lcWsYnPlcn6zb1@R!GhW_Z!j*FHq251Zv zz$|*uNU$4lrwomy;mA24S)UMzJVg&w72*>+>E1#66iE%>kE2GED9`TH?e{g%%IHqo}pOyhn42 z8s5XZRsxC#JeuOqYT3obJL~ZxaD8rYJi^*NQ`?C&CMG93P*D=abYrbS^90p5jhsC%iPAuyABFV%|{hxUz6|?Q8aG6 zOFqJ$OQH9z-!X***J_>qRVisVH?P6YTk%K%H%4+gzvd`QJ*;3OxK9QFqf;_-D_ip? z7aZ!^4sunk%FXc|GP~m`aa&zQ3clwT z`QR_rs*QOZ6X{~h%P}iCJ;t5k`_@hLBy~xmTRt707|#qR%K2FLCl|xeI}GVn@J{d8Z62Jc7(IC_a25>?)02EhO9)n`fnauYCkjqsQ8 z#PQ*kFR(BD-mNq@@8ERV8g@b4iEXeTprhM@I#kNF&-9SEb9w4^VEV8)d;(L%C&CBu zv}$ME21RG1z7>SNk|letLwl-C(&NmhhJw9i!cBF z=hlgddZ`@GBIgw;L(ohjOx|ZWyp<`HHLSwY?5@vS77p+R`L)*DmicXM3}*PM_;TpV z5Rkj`%B~wdUweGlFf0^wT1I0XhO5`3^Uk%_wj}N*Wrc%vq19S(hW`Qxj(MH6&c0+$ z4TR*hZVHR76*ETDc1( z5FG077wa@?McJbGfcgy(Hugp=A2k#nT_dvXs61gx4?7(fncK_WE4XpI^q4Eyq?@1n z7)Sb#C{@I(wM(QU3>UM%{%-B~P_%sz?2TgwEv~(yFKl1^(R>%L#}DY}ni)Y;x#VR2 zbv>IJH8M7l*R#5hqU$qiKslXUx7Xf->$@fqF01AK5+=)io7VzTr>5kWI&mWAeH`nx|5;Hm=1MvC`71d(`^)p?GP9RC zGWNBo_yHg?jUoalQ*Z&l?J}`j4pYjL>GSiQNZL9k_cHZE@ZbcPYVlG}6wZt@hVYpR zN`De^n*fLN+X2S<>o6Cn*B|7PaS ze+$;VignzIIh`Ze?K`%crq8$+cEqgliAb38gsL*z{!JW1goZ;a2Z64SYP(b+c(A~(O;*@<*lIoSn2_P9&Job&S)w=!g1s$@7Q-{jv18L|pg_Xz zc~k6oA3-ztp$_E6y^kd+s6)`!E=3g3Nw`D6FNvqmfC1;=_A<}`a4j%rtKgeK z`|KKeb`|#u5|m(@C;z+mC+&3>7Y`mD0H{e2sJh@++vuI!vo?m+$EY4|v`df&u#BJ% z0RlY0&RsjpW)0>~ERlUqC38Ya}G66^l!>6M@8_!xnmGLQ$z8=!z5VSsko zmKh4#-iP@}U-PSS*lsx*#&e%f;I~`_Oq(b`@DIkR+TZQZKf#?HyPnAX&zmDx{y$T7 z0Rn?I`2ekbHO62_0Nb4>&%+P;v`_e-eyl6}))ej>oL_1o*YKPGZJzDGO8|W+jzC>s z)Hqi#&O%>l@ZXpg5MM)IKk|5{Bx{gn#ISA7@6u%HT|iUVQ1gL=wpTy(lX+CazPrNZ zXoI-Vmt?^HJU~1@dyiL!Y_SgIT_4w)pQZT@WBgJRL$(MA7+Y}pQQfYjYp{RN@1k1o z9h|#TPG11GeLqfj(0*+apj^PV3}oestcCMAmwT>wKg(rqK(}-KUVRezIT{Jd#iw66 zpJ77xECUNMreyW|ZcvbF%~tE{5$T`|MUcei@e5TqA3%s`{VF-lZ0aw(Ch#MfCi z!Xg6kYPZRI5!6+IWJIy-z-}zZE7=w|B_EkWY7F|_X$a8>u)&*yhH% zO1>U~uLp8#LB+|tj5dIGYn=kj2@+PeU)8)EligIAzPI|tLF%z7WW&n1PAg1-z<^g8 z9#*~4RLVw&ieiatbJ$aFub5)hvpDm{L>1?H9q$G3^RB&n=m=yJSq!q_5$J`2G9(CO zHB-3A*1nX147yEAY~uqWq%2_BzMSeBf-bxiC~ql;M;sD{6?@QDvfdO5xbsaLz z%>9sV-cvjcyM3AgmNawpP;~OO%WKN5t%{xoK1VfuHrH$kgn%kJkb4l`Da&uFI~h9| zO&;ke`w2I=AZpabszy@pzw+nxN<`;<8fT-$a9cMD7#fX6uBI``ZkJwVl7E*EQLG%5 zmA?LXmx9uF-d}#DTQNv`)aR6obXJ1^2L?Ha1-hN-z=i#9`k3>PA?H#Z8b7v16uthpA}c1M7DKu-n)Oc1aNOiNJ|3G`>fwL`?bAGwTa$mFCw-0m}8!0P^bG-19c zF(t#Kay0k%?Q6A4thZG4;xH>13j>S>HF8~VtEWmHmvnHK!wj;^CD=eoB>ra3o|^04 z+(w`80m-+^61B8tp;c*73^?@2Fsg1_*CCL|UoS zSX4FToA>eRckJKLGKckiwmm^Q0ZH7tJ7@v#nrVcH=~p0X5*JCfEQ~hzQBpC_6Xq9e zq7VoNS%jXBEDAw@P2w-I0`t(Q!2zAUshtS}zt+TU&Em;|QH-h9k9#ivbAzqFJm z5=J;p^}ARYNzATi+(FwYuT5{)qWAYVmicFHV@!m1m4!U%7V$o8V zW#d2?RUKLL8Efzjv!G?%cvA20py^N6Kg>0*Wv|>St7@=q(71$OcxBz_WH+59CJya+ zKYJ(_URmeTI~&>KTWW`((%X{6nv(&|Yj{m;vFU!jH#qa%_GI}?&&nXD=&(h8_2Pu3 znSU%x=cRCtbgnk%G%xP8llq}0(vvOK?eW0>p5}s8!LGl$p_emNUR>GgX{PSJGDUI2 z5|3m}Il&MIo>UCaKOuk9!3QG7y7`zntvH#?$~TD`|@*5IgMQ0I7)9k=GF3p%Owj29fK z5LHUkj6_t!T6^FvV$~_b-R@dhYDr0)8D(qrV*s4YMozr+@Gy~y z7;>N9WbkC(K-OtCc53M$TDOhWIl&bBT+rB6u{i%!rso;+ifeNRmgVHB`TpGvMi!Ps z;qgB6hs*F;+R8J^zYKF~a_LhBnc=JY9!nT~z9=P{VMK4;Gh{aFq_+0xL}$|pGlEm~ zs?z$XzAQ%mQPud*I;W6iOT_3^$^wbbsBz^Y&j@iJt-{1wdn|f89fBxA2SwWN zJ#^h~I`K-I-gTn~9j1a-A6a^@vuf)A(Bnba=MP7LP~Q5%DH*UGGc4 z%>$CbC)qbg9}`g2YT$3aK%hk|*YU)DQT6FQX( z58lJ?P_`o3GXb;urY)RM3gZJ#LT9-f==19o;FK&EM}Ns)rC$Su7$XClYvC_YB@y|+=r`(Dhq(dIOpgpu+Y8Wqk_bSAGZpMkMjxT&?AFKnh-pzts72~i}q zb}_xRUWAw_e-6^Psge%x4@J_#e8_Wd)zB6l89UdX^x+gZMx57?`JJ-MZ3bbva4F5F zS0#j`xE^|iyyVtJ=#H}QRO!6StTcs!`z%j+e<8-Shg4#^Mt?;LR1x<9u#DD5h4AhY ze%$G<-%rq)7Fb-_LDotO_nxB3o^cnbkeW^n^fsuzzOiIMSz34*$qy`o&6@gc`?Qi| zU*1YrF%RocxHyGYs?TG2JS2+-REf<5Gj(@T`yNcBKr*Lu9>bTrGd=tK!5)hu&nqgc z8b?Gf4vE*32q2_ZU^h! z9++8*l9W~k-AIhCC?ftQfhb{JIV`8S4ilW=DmvRdF&WdD`Hq8n&LehcDKKpYybHil z5p@p8O9FDrSuKXrGXNNXCt@kaL0Ur1F>Zv!(Pba5y6DeLdC1%w#2hU3O2U|?EQFPD z@~O^D^ZqKD@?2N-n#)z~cANx2E4oS^D0jVsx%8A>Lkp<|!Kep6r-P?`r4zq8kt zRUkEgm^(({!VH&@HI4>ud|2syyug9!nVjt&VBf2VQ#^PIigNS0 zoJR9^GTZh5oSVbj3Ts{4Q%p${8y?rz_QDHXo(|(I#9^H;#q9~iV#!JW@*;YIXPN+x zp5458SxX%23`3ME6?g73`c_Y$!rUkV_A)E8ovMl%7pYp@DAKx>R;72@+ZgHklXbq! zWy?;tLGNQey7HNLfHL~^ftqtsnFewN(WzR;vm#;arm4fP7$I+Jr-v8c8=+h5#RpAg zxoFH_6$}*B6;m@B(co-z$;yG1gGV3627HW4Z*4sdnc2m6cEk4rD=|Aa9pn76HtN2q zl)|(kx18?PVXvul*_nh2x!zD^aN>cpPWtuDg#LR|w|VOzGOPVHs#j?PZ{`i+^Vpsv zM@G8=^n8cJqF$i^a|=zL7Vvi{n_6xTe4=XC6dhqaYWuTn*u=JCEkclVft1^(C1iPe z$aQ&Gc98pJjNbk+%bIFzAGJwW4XE4tgJ$xTrVdn+e)iPVe$WU`Dr7tK43G`_RQ~$i z?%Q9>=&YGwzxP@pe>+hMj0r5+d&Z7%EMN$_(#!2BeTnSq-E@Sd*VSTwlYBG2ffT+k zyNq%{Oz#6r2dhvnN*mS2*P1lAUNctP-7<=WC~D5eg38W}6k29)ud1~mH6`GcvM)_H zlA+PCON~NFxr}%GLaP#muj_piT`?D0gpw=o@w*Y>6a|~zs_Jk@&dF3{)}5{TOm%hW zu+i3|pU&BSU(8XzK*%*|a7kz62&*5F0HfigP7h#+r1C@WCwHD3{P6(6+60o_JtIWl zs*55^Og9CxAgKWKyvp9jq!6X{U$Q>0j#q2~Y$#d{KRaFB*|$Unzb*O1?|d|rzG%YiHyHvGgcb;&$Van6A*ZUWM8s#EdD!{I?5q()Zf=w-fB?4fBQ9A@LGr`4ty4$YJw%NO> zt@bIa_d<*OGxTYG^;%mrGRjPQ)^ao#>&#%mZ?-+h6L&bFRG!B=_sNe;A{%;|aS|qciWKKZ#KoTAZ^x zeh!e!HA0{7L5S}<+x3+p_%XYF#E(x+1tl3SNEKCgH&AkPn7*nGHG`!<6F9>q}WLnil?hVyCMus zo~SF|Fm22oe?`JLV3n(acOu0)(%RR@G_NC{xUTEcf^=+_Cu>WL86CqQXV^VL;hMX< zudh*!DazADL|4A);20h=_z(yf;}D4uw-SUFoZQ{g2V|t;#dav8ct2r?jvB0Zhjc%N zIFLKNDoWpY*65vb{1Yc+7^afVSv}kLXyaG}z*5Y7()HR2((`Ueh5yRVE5N66IsPKhz)=G0%O7ex4u{m{W@BzpTfGv2E@w`ZFfdihLc zrDzOpg#Msnqtf&5!Ls!nuA3#w7wXy-$?4YUqQ8Ux+>7uutxxeAF!UZF4Mihkdu#ln^OGe_JqpuOaJlH%rM%6+C>! zaFOn#jWV!lgZ|oxgKjN``>=sfHwV>|zYbqak{>Nwty+*w@LBcm@LOdu1u*zyqLWe+^vkvq0pz#m@}^J`*IDG@&~F7& zxk(|-TzTOxlIcT#xJa8QgKI}orA8a}&RX+gAOAEedLjy#6`}WFRnpw}oN%*k8h3L_ zzsRB}_puKu-rY3#;)es*p@qNuEGG?q9pLKZdIB(Iu+jQ+vlL%7;QxcMcM29I+`25c z&bDpqY}>YN+qP}nwr$(CZQH1GyQ-`Hu4p}GL`FX3LuPzytU1Si(k7FG2T`tL8eUTV zR_!B|n)Y0c=03G4^3l%0OIFx>I@1YOY2V~L{Oba7<{N3d*gjR$xHzPo;pK3ku_E@U zXVbAe>56(btv9jFj0$gxxS4CBUHn6>^hiC0Ba1jEogfz~Lu7ZZ$lhv#A0TYOd6- z?C&|NeT}5i;%5@ZN9DJ})bkUQdz_3o+cQ^%HLo1E%~q2!eV{|@fllm*X)i0B^$mDw z2wO}y=-&`(^tKgl)&Vx(i{Qd(@X^qA_8siT+}_n<*Y79SzZMe6t|`Iv)TN)6e(TAL zNljvf`0@T=9gOSWf4UbVy9UsP51ZfmZ$*TBXjo=w9VR(@Zj-3M%Z^yEWE+3+?|I4c zu|WTCp$@};AsPQ)P)AN!K~z!Wze1h=7rhQE)4v=H8}omnGxYx((D@Id5!AQ)A7qC0 zKbQX{I>Y$?AlPC1uQZ3@-(CMJIrHD;ICgX}MxkeA z`Cs9b{~AZ3XJcYz`Tr?{scJKHD!yJJ#oTPMR? zc)hu)9p&-7&V55*yWce zE{&ZdP4ibVgK}|Kjj)E8l(YM)YU&rOOkOg? zUG7%RitjRU45}~nG|u$a&);+1j$ZvA3xCoT*cxI!KeD@Atr7r4M@v;QPNdr2_Fqs( zhx#8hXjWBAu*qM6KE4B>IwpJiR^YadADBnh7vAmnS`P7_)(h#ZtgEh{`KiG{0M0d6lh#9|}Dd|6-Vn4QdZ@s~Lzo;I+zww{B*x$CPZ@;(RKeKZQ zHZCp^q%XezUIu5#(QN{~J^p*Aso0VDk2;gh%P%b&lBXqS?JsTVZ_^6U7glvyVfMT4 zg^?eruO{Jv-g_!4Drt%@RJArqH8~9bPit`iky}r@$5vjh>@5smN&G(<7!SRRh-?#@|f3@GsDm@^l`WNE) zPfb>+%ifA#yjkCD=pUk}puqIPcV5FnP$ql2UrzI1$-CH%sp;Wk+Wy~;FW<_a+*99a zE`U73g3R59%Ba@2klLoTw+gb$QoPAQ~v}p2Wo$)B+p1X2*Fv5PGZ>LX#}>;WsVnFt;4j+#q zTyz{<%&Q*%tL@R!+33LHBgXz0Np=!xP!EjGE!GTgfu0UWc7L;|4)*hjnlO5jG}cyQ z3Nb{Y925oFL z+l$fsHyX1HcX*hyu3K)vV-%RfcE7ptryoZgwg4;0W{m>vemF-#Y|8nio~sZ>@oT)C zoJq>u*~SZL$8L55jx5-mSWptL+0-~O&Wi6skIf`B&!VIFsxxoK*wlKH6Srm16)0HG z2@huoqC-7K<U}xfL}{?^i=b&KS_G|Mk+Z!0dId+A^luWp3_RX?77x<#BV8_$Twxa+OkC8B$N%xB*(WA>`VyJ~CV4UoSJrp-rLLGX9dA z)5MITO)8cDH8iT?J*|p=0C@gb!|ECt(guf#nziS)Zsqg4c09|0*HX7*^V#$Op?_QY zw$Gir%EZy_H0~$)gGbk+Jx-;=MZOg0?0{q~jArpXHm88OKlKcMHbI)J=ZgQ9q zEe~^RUKKrYf1Rn`O#9;neqKSJWKI+T)(sY`;)C}BZIVgmAaIlWBbVr=VK}f9$>0(z zgyjWD(7};fs>}uXPkC5iQ8`6c(=Jo|qg@1Nz@;N{6^m~{2e|ofD>DWbYn`8C0VUt# z3eTe!W=~QaPuJ6%Z97CwbNFNz2|fC@Gd*m(~`Tmgipf|*=?Mf+IQZN;YowJWkk>qn?FH|@VEo?s^QuCj*^^R zJ1v?qeZLB1N=MXt|E+MNW1^ge=aTrQu*3UD{e(Eu<5h4fh6atJ$I@Vn%N0t#t)_N3(Ke9hOS(lPsvY@ehjugIuuvaxFW^;V~dSqkmL}m5WKfl23;>!_qOQbckgeS##vJ7r$ll;-OzeOd(z}`dI7%t`%6Qw7qrH4 zAVK^kUSq;=tARpDIG1@^cm-PPSKp&41$OJ zIOmfm_s|$G57f{AAD>M{af6pryS8och(jI-iTft2>Sc?g)y5wcS&IV7-WS<2Q=}a4@E{Mjo9sSrA6i4NU3Ul1FZcD= z>pXbO^CTXWYvj5OGw}UsgGvetlNZ_^)ES|vAA)IPD8Ce-r-XtrrugJ&u4}3*r4G=w zSP`g|+oy?$Rh72!Q^8JjSQFfjk_#f2Vy|H^&YT;nsIoHN)mrZ1iJ)tN`Cm+TGa|CZ zCKN_?nlmeP&Z_U?FwK>{OPDo*w6cMTTDG}c0ZG{Z3}(#Tf9j(hOlTc ztoS##eOkBp;fs!GU~_GJh}~yze!k+SUgw;h9|?ufD}3is5L=U82c{7>^n{SSx45hk z^HlLdI41OI;)aDZ3TE3uG&Lkm z1@f++Og3|U@s$4ftkq1AXsPVoPE+~oDqTjC7!#JYuPA;nr~5=T!0YN@lk!g32vIe- zo3jTBB(${X><4Tgmhm{;o}jsWDWB(M3g-_$Zs<$1ltwgSFtmp6kc!0g==1VA_0!cX z-=9`WeElC!g?;LTD_*O2(3@zSJn)o-=(A;2OJ3krx*{3?hXgE`2 zFb@ev;!J9ID3@(sG%e~-bd@N-+?E1mB}Nyb9MJky%R4(EtvzT3?*pk9glP`Wc6nr$K;Ha;r`=T5I#bi82kcsJv9>_S^lK zPeUin=ISfwx^wcx6$7eULgVzse_ab~tqo##GahyG!vp?}()IfzwQNBF5u#=EndlFc zG0rxRGo{b2be#zedvXPO!3y=S(Jf$$=D6iIeC;BTbHaDg+ zWQJ-`{Tz+jHU;q9rp$>!^$n(xkin*V8FWDG!UIHqbLzM^R_dlT(7GtMyeIpBCgayT zyIE_03kejkKE%YyyD3klL4@;H#twvZDbfOP!o7a8QK>%THf2MAQ}Q8(vr=4lHP(Dv z{Xu=Tje45mFj4;ZM9csxvRNOWIvoASm$2O~u0jGpxr&CIQib?_ zUrAwG#`-a$q@g7KO;E_KIMSB25CXND3R6Ahz~A4+KQN?_HlytD9daC8GgJS*X{qBF z&hlUO@KH?V5tb+rmnO6#OH)V>DC6AXA4TinKX2Hyj78+U=t;^v14kvz2kK#`;|-K5 zx2IPq!spo#Xn||}KvS7&Q$^G#_P{XG?w1L!eQ?vquiBN~3uM(U9CCKPTQ0Z4l^J0E z)8DdW&)E`b;r#XkB1lapqg#)iYtz*zPE_mc8Jyv`7zKY4*f@9{md4+nqp2}*C zhSh{5LbHyo^5EXG=@B&lDPAHj?r4RwS1?WfR@N=t&HT77;^Rh)O~hLriBS_Y2gJH* zrn1)e%@=msLiEiX+yAVq9mriZ8vI+0AP-dlwJlCS7?BxCh4ZQ-0)J|iIm}$>3Nn3W zl;&U|ZKswiL*(vu`C2avVKh>cl93-|Gif|!J4pbyVVUW#WcGKmVdE}Gj*@601?f1S zrWJUov^n~Kh&%trz|xQ-ynPl3=mPDaS` zy=A%IZxBvAGOFiqq6hqPuGa15CR2wdJ99h=g{M4bW|G&CM!31ReB$^acW9r70390w zi7gREDZ(^f6WW!IYCW=1AL!o?+Npx`6RdFfFQs2))38lg#n>@xCS~6dF1fUK_|b22 zyxWWLsBQOjz!vJJ9)rLOvp<*Cfpr^=Fghc=; z>H7!zX_3nL*Sz+bO8o!t%jC3fxdcE6-!Tv~k9>lh}mAzi>t7dwE zq4xStW=LctpL61yZPRIG{O8=|zF<^SWuQ`J-L{Dew-DCmsYlQL=BnY+)g$Fc7^$`u z-6z*Js^|dP8wmmg%_0BX?c&9dF-MshVgq-6CwtQh$~e4Wy+lrVn-RV>8C1MTD8p`d z7PJgYN{0usTRyeiP~J^Z))i0Zel~WktkJn)CO5tulG_KTsAgGrY7J@SnM7lDKA0$O zLws7T)$2p29^&?6Kc;v7LUFZ!8>+%p_!!X2WOI-xETeyfrK>KCsrFiffFp{PImqvr z`y>ugaXrGWi%Qz`o?UqD4W6}StMiPdmFFXb_NJw|#c92VPQ@9`Uso3k2cXc;cYS&E zfnbZBo5`}E!O>WGL{?`*!L^gk@rirRvTb-CA62VC#$ZR~f%T7|d8O0FPLtTw(q5M^ zvVBwpl1B>?JjE|<^GM+hkLfwyq`h+1UuM!#xR1H1fB2Yek`2x`e0im3l_`q2$?cXk zVxD`*PsA;zlHSgdNb*omBFflz<{>u;2c9C7#+v|sN|Tv3(jsaLE0D~pQ-s!b_!2yi zE6j=g#9SS}xHMLQy?Mb&JAAcoLl>_0GPIllt`*Y0I1)(-ZzwpfF6e>>y*h(9T_Lp? z5TIF~ZgLY9OrKddmc`1MO3t^|_dmYx*NfXIHbx^vXb(IH9VI*&6a~lmLn)F`(ew@O zr??ERMY$c_r01KF<<708A98Z+SHOWQ?Ad7_~ zFHaEpuU%3Y5CU$$Xl--7)r^uz{`F>w6lBVP3^KH&uzaE&Kt_AbZu1wwD*K!oHDR+rC ztvn`nzCzz#UO?7CY*IzVyU^teUp#rysKut8K-Zn@J%Gl%#l_dPdH@I9RE9|gYrNst zw_zy;7Q@lFokzY;NY`V6 zoHR_y-8132&g*96lo=pydwe9?e*eQH%ogTbuU}r1Z^?WJuNE+UCIj^D5c9)Rgj5-* ziAT(bEwb*MArN`5pq0EHx6KCv5hrcc1e& zw~%&i?9WkbGM=E%L{2e9N(<=aIk>H{F`|@T{Roe3%sRXC`9rr-B8By))t@Oqr$AdGhWo|smY)}3-Y(!nU=N!w7sj0p{VTjBsOiV^~vT-inj=^PxB$&pTJ(ZI|6`e?A^ArV#zKZ9;S zi1m518kP?5MX%IfepukBiKvNcC>cX6rDTVVe)d~|P)-_2_|fx-%dl@ON4J`5WkU#O zHLlZdW--KdGp+Xr`yaM_Bz3Hwbzr{OE~Ly{h64f?+av=?a(MxV6yWNs(KSR zzVsdy7d)*=4By^>LZXUXX_6Qx9@Kz61YR)lhE2ZUO^%(N1Gno4^M_lgw>jJ@0dw;G zcn6`9AA=+^v7F6?h?FSh_vBHYsM*{2Ju_Xqii5QobPsZsgGt3VJcs(+iC@o)pM2hGEgJZtI2QvrJmljJ2%MY5j6)*R)nlZw=ONx%0HPM4^_Y;7f3m19A9pY+5)He_?>Y0uJ9sS9z^<5KH%7 zbjRW5ruKh>asf|nz%IYZQ5Fk|1U+pDeEy!6c{CmO_JbzaABniRhW?c(~7iJW?qEeSKx)p)CWb&B%3=72!=W|Agl0L{tM>Dw6z zUjSL6Z|&?6AxJlDMzZMC9>>(iVEK;S2)&_FxV^ct#+R^EKkFf9V$ah41^00Rbr=$Epx+Z?T9qVP`9701MVCcMqB=(5zeBE4@i_L4iE zww<5`p)cd4;uOSPljJ0f?$TDP{?-!7i0D4m$uw*E&08cSHm)d#)YZV$TRPHStw?xR zhBx5>QQY3N)E{F=YQb;70HJa2d`hlDSYYlLJvj_laX{V8g$+C4KQ*$5tk~D1FnzRCSkC4(2^Y{>Zst_d=cx!#aunixAECqg! z>sqW)JS=@=5ls!Ms20+4iu&~6)qr}0z*e?u zZ#PtAA!(%1ywg2J^wHlwqManGw0^KVcn=a`iqI70dY~$mVP&^T3UlZ$M*Ufz9#T@Q z!I}ui~(Cy z;;Wn`C?_^OM;l-gPvx;l+O2}^P~d*Kla0{~Fw&NeH~0ClFLSMR$ZLdyZLi|SRaGzS zfCw>5honQJk|Plemy+qUIq+PW9X^Z1D1(6Saw)D`Llc{FKuU>Yx^ikzY6q_l*QF=++Vr$$}yg}7T%3txEzK`WZc(`UGY(Nh~& zH#b?(L*7<+Ybfw0rB$)UF#w3%l!u@Y8z2(ymFvw2tdAWFIYsFeN~5 z4r7e$?uPzeah>BQPuvlNX+stxsAP`r@eTjO-1r#$(&-u0SPTdh4j@Q^zct>RRvR;- zoN!;%rrG-R%^-`A#tDOq?{@j2FsW>ngv4{2O1a3bR+Lj52K`0oJ(8G9aL`xV-> zz`RMt$}MdBtPPy6&mBBnenML3S;!Y`!gzm<`KEi&x) zuuJIplTx{+JCfF;0><}qskvzz2OmLl^JOgx26^&rm^-Gk5oK-)k>bnNO|1XK&>R@l$s+5Mat2-D6=dq|8UD9KM zL56jE46k-KY8u?SOm9LjJxhp+E{4#GhB8X)k6L%~xzebiUzkIsdh}`|GcRm{<|Xla zy*XxXPf-&+1B15r?g~ZjP4-vv&(zBxV@(IDG`5vKO2*Lsw!2r2yHjxG}W^$Yvzp?Poq>oZfT^ zbW>rUbO}34*fLVPK&(KoWK`Y0ztZZ7-C8TfdT9x;nOlSwg4!6eRHRrng<=_kBhrcz zX0kqMxkA(7Z@mcjvm`ERMs(=h+~|^i^sVw# zhogvIXiGdzlQQcr=P_Xa~vvZz<5royEfDY}!O$*OL=on=P`Z8uJWUc~?vFXE*~r@-f3 zsKEDbNgyUR3XvJR(xR?~UJOpBNgHFy0Nm^Y**U{Z-Bg+?m}YGkt^OOG)sb`Lm^=rk zfofD$5Ft{ld}mjG9^+C~3&>h}_w^?m^~9Yc=OFO_yBqa_-|-dp>cd5ea2rvML5vov z+a6mTYFE8;0Zw>Zro8miA&8GCF)j$SLvQC<%FIOarAQ(=^B%Qd1ObBB5t$NUHlSUA$5)Q_FQluu|Fou=x zwht&7$CAlk;$qHYg22!9R#4e7Gc?P;A{}2%`3sut$Mq^qkcB=*@Bl$;9G#&BxW`*& zneGbr>94YreRYZYnIzu?YwUoU$VFxZT5aiksU~qheREc)jDRuSR8|54)s^Mj(=E=A zGRs{lKQ#jD0eq28LWLzND8z(4sjr9QsE(l~M94|ID!d>_5w9$RwsK&~@9Y?qxb^MN znNMp`*vae>r%a%vUEq%#zh51eky+8~UlC~z1BFF-Eu$~<9G<3Li2#MN~vZ*&Pj<^W!sa|1Z=a>GF}2lT?4yQ@q7Ag8$uC%vGrtY-1~kV(aV| zsZp4sqnu9ut46@*Vu^Zr5O9tzG8)gp0$=g`I-9mPvxBI`R4lzMMmCAKOcvI-h*s-E zBK{tFF|}CFjh&*RD#yF~pg4^e_>UBLZ!mz9nbRuKB-g*e3xBa>;Sec^CD&Wj*Z$j zMRZM%NOHif$D_dHFAV;i)SOBU)lr#yeb`0CvvBey=iqT>QO9|Q9~GK25oxwhfk`1> zq0bE16CVJ^sc;L}EJ1+wN$>E6(gM929-v&3A`HgN2V!!4A5{Y|!7c)~S<=#i+5zli zDMs}n%(zufa;*ES<=d#$mHD1Lb*Z!;G1P?bP{syENQCChFmrl_k&ewYi6W;R)Jj6n zv;m2LaS(?oadfZl*l z#8~|9N`J`D=^^G;cRCHP-4uS+Rqq-=QrkylJ!G$gU}w~{|l#6o?j0W$#%wpY{iUH=@h_rQ~LXZF*lPaO97qcj=l*JE;2Cn%S$hux`sEcEObiCNPiwblP-mo)y{%yQ)U!zf*p~&Q zBNObg)(OEqA`CaYVIO?avLvdVlL($qA33HcvUEVT9ph4)tWZexRwr0AbIY%d! z_5f>JI+_(;zgfTil#1OVsBJNXKS<5W*jw5-=t^@p2=M==W()$E11xFKHSVJD3(9KM z+?+>4oQ~$ylFZLJE3v<667b3F)DdwJzhlmykq$j>bL+dEh~{RE%R}XYPj#Mz2|D=J z1^|y^OS+lsgaE4tMXnJzYHy*Ws2*7xO5iDtKH*?8gzyQteu1n>V5{SI!20dHxFb^@ zJA86zA-Z&sfF{xHB5xn)>#3h$R4$qnE$lbItTxoBj7>+H0dn-`jTb%uZWkXh239-Z z<>4GK0;KC(U_lFP1e+<Y`Su@quTRxp6pG}`!?KJ z3xR6VzLCYem6ey}BnXCw5oEoO&X6(jxk8OMoybgxXfP2;y32IZPVd1Ug09#l4W77J zu5H$P%*=IDLxP1gurn+m<9zs>!f!M!?D|Z7z5D&NNuEW%V{0cTmz<&UAan~_i0pb}}$MjluyVDoYw#qFJtt}d-{_39sidyst@RnIs>k4RX zC=R-Mi8Gjz&6X}ktD_uyYjtM)ef9FifO3NvW}K>mTk>X0e6xsQM=empobAO%qSccG z8G5}A-M9`WC@5ETi^!f~%5m|$a3j7B9`Ay(FfRRfkV}(a&f(1k7~T#N^Q`?|kA8C% z_*|K_G5R;}GsX~c9<}F@h;mxhgDx&i1T=i+O*>>O)gZIE$tEH`uaL~CN^i&=4Le!O zE6$V8Jmcv!d^2ZhdlBEAr*op19p>J8d6IZ=S!H;RRbR+`yeUxs0Z$bq1KT3_MttoM zj7K}=A(9DkC8}dxocu7Rvhnei61ht}KIuP`A$@=MyerO^>Zf!xtLAR6wrcEUKK ztnjc7Mx`XNZXNg6<`$Atg8rYRwNkMn!%TD%3$kf28rS>M-f^vb(3lo!RiTx;@$VL9 zi4`1h{%dUaS>ViR0Z5X1EhED!Ydi)4&@E#XX4Ka7=^>i3!&hVSq|VIeFagu|ZNv(V zt_-hzc+-$i*>v97XOK7@f^0K&!*bsvl_`>I&h_Vx^qJR~iZYji?Uy_0E zcMU+Me6;gG@xO4jtrGyN@jH`p)vMdV)4|46E8^fd46Lp|z`L}8D|lxtsrkJWF0162 z8u56aqX0~rqun8fDv6ev&mOQ8!!f)JIFHhI)L2;E@N0ZsEKyifL7Kbdx-IyD|5|$b4<>SS|?=Q`|il~qzE0b+3l)H)FP@Ud8QHGmGJgzNED8d!MnBZi# zB~UtU$rbj7%BRayGY}*5>U0-0r$MKRw}!^N-Lje5-6h5pKBX!iLEub%pmP&u{el}lpUWy2)?ZaX_YuLhXG zwD)w)Gery(zI+b;zF*}RLN8j61%4DiD91T@Qej(U_>Z!@DRsk?9x`4BaAyP*z#PJu zf%uA+6SDr%2oFL5#cr~`3n!%cA?q4S{2|ldRP}kgF)V6=%1%%g2XMYZZv1|nt5r>l zWF|Q#2FWdApOFf0J5qCy0Bbd@;Ci?McnpYVh*IccM8wM~CVi`(c-|~)c8eVN3|qkw zD&|uKUzy7!_RAV;#ct&vp{0p3I(zUzrQfAA&wRpV z+{BB~Dv1U0&(%6mC4L3X=2HA>Es>i^!51Y)ROVxw>{7xct#A{dqCHO1x15$hrJX42 zmRR&R=m2a{?*AaN5tWQdoB+=V9CZgxGM)kCY2Wse-K(amqqZ5D-+PIll=NWny%)FGh%M?KT=Mp9pIW;=@1-$U%M;R08UNc;&3$DUJcC)=D4>`i|a zUyd%r+OXXcYICS8?G5$3fRrB4)FHUI6bk)Ff>Eh7YiOF+^g~vr-;URV} zIm}@)xctBK)rfVW-%FG^l}4egUo~d{3ZsV37QWPesHvg}$Yqy#&IIn@Lj7^d!aW5A zscK~o5xp2cOQ_&w;hgmx)=}PC@)g5ZQDK*`DDM?-N&(Efey=^Y6B8rp6X(`u4!PEHc4Iq!LT8>580`N z5pFD)G5dXKCN>N!LgKw6cjpZ-Gp?^s8_GX+U1{m?c#W>-VyQ)a64|Pw z@<)?Yo!NG}wKtAO;k1Lpuz4DEyL@s0F$7Vf4aWpQjAI&So}3bIEQ9QjcUyaXX+Qk4 zj3+I#0K94r6UgWt?70yZkoh5Rof6`5-eeU6sjsyk|+wfcclPqE0sD$ ze`Dau$fz!gi)CUyFQ;prJFN}|U*SxbWF$I;TEye7qv0YDX%%;&sV|=6`BfP)SB}VQ zQxv#9`FI1R)-$MA==;w)SK3z^Th1NkCfeWGBqI2zWNWIWvo2oSKdQv4{;9{ZK3c&- znsoxcv~H6WCd@d)AtEBrRd(;7a+>bQ-#|B*O`=jf7DDay1YuyfGJ4;XlWT${CX|LM zA7BT=c;z=7WqnSmR@da3zM8^`KDPuzs~nxnbtfnFX*OIqPdIujVTTc**dP7&#~6{3 zMAI|+IqmW?`oq4&JAp4hVF<1$3J9{GClymo=fNOKGX%lX@k74LE|nIH3OQ%+&omQZ`!w8!sRj{CS-})t z6PV>VCbtQ^)L=!~7uJACn!CBYr@;4x0LgcbvXye9RzxrPa#oXD7^_xJ-sjOc zQHL>mAu}7ox8H3^-j-|~77JoM5OM31jI(1%@yv5&rE%y^frbbUrS1jpJO6~rK5UR) zg5S~Gy;pK;Hg0PFyueC&XDtN<4)1mWdJOpI&cWAtp1mbQk!2-NhJ{Dm^iV{J%tThjN%HGinoYWvg`+zUYK|LRXZr)k{3WmIGLfK>d4CN)FX9 zm^#HIbFk+(fhc2TW4u*rk+y}w!@L=i;|O*>$??}7-PDeMIrOo623id1=#H3|HokuM z`25QRSf+|qCIf}=$5n`{^|f%t1>NPaY6Q#53;Qx{Dql0{&tj%M>aBpu+Fz#>Ka$aw z&e#sOq?0-I66C5V;x-M?w<|9f41&*0E=leM#$=l5;9>;^xqzinZQj^h=E=D$2%-gK zTApIK7B)rZ{E3ww!61c&4G~sbKS;~Xa!S)~XnB7E0qWBPd1L>v9n zD32S}n*$Jo;|vEwc9e*-9jY21Q6j^@AE%} z3cu|r)X#=~POlBl^r1B1GnU$+nbMipxHwEP#B@f9 zRaJWWUr(wMH=9Yk1p5{@R4NFYm#oK*f%nB{JuT4n|VC~8A8^Pq~R5(p);aGbGCE?k(2 zwnNKFrP6U#@&nq&LfRq}hO6iHsIytTR{@&88yq%!8rUHK`PR=U_W^O9@aoL9q)lnh zzwi)yX7(UrM3}`WV*>~24B8_~`6Qs{NNS6w;;|qYv`rd8doGs&(mGokP~B(Yg`+p2 zU_6uv4Q~wBZj8hR*bAC~G;?xdClRRjnFSii#sSY;{up>tyOlqLrt^k)0NtZveDx6t zgTKFN%CA8D$n@Bc1D4%H-BQ@Dho(1Kq+{OMT0C#fIk(3T+C5!HEo_;!Rpq~@{)kPPwvJAH%oCEB78JLcdeht z4-Z0tQt~|qU%gAK-8UWUdoiaNp1zF&@ifuC7jNj#?6JlGCQm!a2gNKC34ESr^}ans zWzx;5Q%Na$jIalz!f{Zq;C2`5Mf$TM*Fy3N+J!+aAMIsZ)%c@3n)L$h`EruVa<`w% zyaS{$29HX^h|NY16Kxu9f}6&`krjSpg&Bw#?qcfQ36DhSRdZlitCZ9oqjXH(!OO>n zmQVV^a#b#bbg;xv=EI~xPm?gkn&oAcC5v-fZ02|0K%q>$3k%QnmXjRE$iP=RAe{JV z;%j-h)?Tkls?|fn4*7EG&s<2H>q}fH>>YxHrZQhuC+}K^u`2l3YHFY6%k*btdGsfr z70R*j(p|%*yEj<7yIiBqy&f?Nua{izDBJsDMN2SLcT!G=_XZ8e>-cJl0Tzzjo|4-e zO~SokLKu!a`-}5a-XLF2B>WJ^W9y_tG;VCNRtWHOcC6O2pHk zT26&C(wV6Ua_A4QJyx2U5p1>bUlsl*`;;A=dkFD&M7nz|{)Z)@TrF=xe{xSYQ?Vrm z#5C*mn_(qF)kiRal$2c94^8d19o3$_CY47_!ygU_F5QFV!SYUhMF>}PtxQcITj0ih z)->~&vuRKpMdq|F1N>(AQxwYFnrEK7-pjWw_zVLKY`};?sy(0V+j+%=$!t|l3r-iMbyXaKU}x%DsX(YB%S`OJIG-eJ3wovpDrc}%Osra69IzpOxxQvqo98d+HcwJ zQ*LF)3$J=c2E+!Uve{k)*|J22CDpqLs4Q%o>JZU(oRl_t6004RsRZjS%!L$8#&Br8 ztX{9N)cn~@v{8_8!!BLF`CnP0yf4Qt>M*T_m&u;4ZE)}pP56=XRT1KOUnu|7^vpvw z>$3|#4ZQ~AP}?v4HEU;}hdHNOG1)^4BZ5`t!31HVbkDjd+QuvDu8h*5p@-Vrhhp6x z!{dlwmwAb|?ge#69UYE@Kig_3QNjFp0rWc(bqXf$t;;$1IQ}chg%SVYCf3r_(Gqe| zR$-&PoonwZTz_?^o^BxKgl@9XZ5Fn2{7QA3!HiF6`zz-;|4z%2Wz@NfLAI}i<{j`^ zN2oMpm&AqkSHpY{Twe-aHGH#~UAPyQQH^M7KG~60TMv`1(vS{G+Hw9uJu>RYP7|$- zV|3oLXy}-_hI-}|Q{J^2`1;U6h=E`D+N>}TA2OxaWF9d)eZ>|klY5YJzW>&997pf+ zgGiG_)}ydkR?)k4G8t;I<_cv#q_)bLf#6N739`^^nD04u^IBzM^KOvOX)&MmX5i~a*`bj^v>tY z0{H70i(AsBG*B%IhGL)_yynk9N2He1vFPxp*if;|eQ;AZ?oyD8+Xd~mb1gQdP{{R= zhdQXzRt1wA-N6nTMLqWVg_5@_re~lPTG71n(??R-a-W1k z%z?y;)!eiGq{{1K>Jj9zQjiI81PvG}7bw#DAItTq@O|K9JN)M!c8^y^kj7J@!}BNE zWhr{{J(Wtr$mw$53|9hviloZ1TD78wRCPaAEg1Dx`enNg!kC=n@32dBHQ9jlvVf|E zN9j)A5Mu`zQ`UJwZ9?_6bwvuHs>qKNz1b5;^<5a(APm=%9r9`hY)cl?J^X zeSyK$?&0yErSkd66tv=#B~^U<{a${Wrioqp>xj38%Ggm}lKCkS2^Ju-?gw-FWz?q~ z1qS$+sOgcWpDnpxwi|+}yq%hZA7khu+ETT?MjYce`13y1f?kvF$0>}j{;-o*b{WKq z{7j2}c~zffzxJSm92b+aX(8AoE-oOR@MJDnvICPBW*@YXw<&U8E^)#eYT z^ia%o6?o7UylFsh`pV#wgq&=5jY=t=Eo4K_J)vv&K?c;LS0#)xyJr#yi08u=o7r+q zIPXPLFR3-+7idJ7-4L$7LLiyA3P*0QknPCB^eo6|c^nN_L1B|$+_dH=QqpeB{ zF*25tOEQgMpc!Kb4TCwC^YclZcluB=K979N+r%N?ATZ9Vp>>kbpJ3n>P+49 zOqjKHMrbf4y@;!f#9VEa-% z3O$tx=K&~wJ^Lmx_K=t(Q4k7&4X+@u ztlpPhgPDd7y_hu`g%>dy{~(txZ}QtFAS)ffzqp&_e1lRx`7 z3vl*cmH#|(73l~tt*ncJa)F^TCyFA~_}i`{6ot2Sx}LJ|bghfsjK>-b>;7Okx-iYV zVUFrAulEBl9e#_@1UH5XDep(amBiI+p105}=PsS>owMq1~yETHRkncqWZ*O>gLHTyCice*swFD%;0wk@c?3Q7U8pnUA;iK zNPUz5iTK+qWnF*}7q1P>GBbl}YP#qd;2z!KDx+rKk&CpK0#`~Ai=I2a3&yVbf!MO` z(hg!JLmpinuf=v^yO7a(q*H!Hdx5Fl`MeOTG!!7Dv6~aB^|*wBo~#}Yb5JG;(Q}7@ zRLb;bPdC?Qoi}N-E#k@^o*`E;rdg#!yuyy)fK!NNHP2o@qlv;2qpa1bwVp8d9rOFc z8u*$-k-Ugd(pdYd9@k_RsgeF-sI*aHuX|MADCWy{$05I-Cfrc$L(ZS_t=xu^&)JI3 zVw<{tbvL9v2H;CXF1Yqy0E_`(m1KCChpgbqL%s3z^cn6DI<-$BPWu3gS;y0BWDR$K z-R+>d32+TB5g*?R2FF~s@=F32%Qw@6(eS1A@#wK#W2P^scuMww-pvz6?4fw&IThVN zsYob~tp%}Z*eueaIOV8}^rrmtE}tkN)lSi|9rlRR??vIDyomlidTcSwgl@LC-~!kF z1uMzEOZ7;S*TS7+ssP$)l~M=t@qk%!y~~+u^W_>+iVdhLRWoS|fEa}^7^XFY^Y#<2 zBm(D68@CBU6XY*uMJ5%igTw5B{y%KkH}+uB&QbL?G68aEUZhzeKq9)~@iQUXtd_tO z3x2Kz5797E!?IY)t)h*Uj_QOEn5eK%O{dpZAAJmfJY28mIOj8C4wCVG<+?jp4-g3h zv*6e*8f4WLpK=UZ;Ry|rDpT=o2lhQDU(eHSQ-J$ht3VLcC+P_>;?pOuD)Am3P#^q& ze;0qA`4eI|?vDE8WX+Dpw*Yud1kTYljvS&MNsT*13qpbq6$=k^f&Y$A#@}zX4q@4# z@MAA&Cc7Y+%UIb15nr<1W^gNA%G#rnkFUx?AIZ#?;^NovWsJ1>&wD+>4TjC6%V7*@ zDByb~1fjF%WIQH97Eyoxhf#BspOG8jGt3hHVN-1Hc3X_oCG6=RCFhh+jc5VeT&5I2 zc{Q_d?7B=MoY(vAM09a@y8%(BlCkJ`S`>L6Si$qj#E~I&?4jve`3Lbq?`TwZr!qC! zAM#-eGO!;{*tV!V^drrtqlX>Z@GgeN8{mNncW&-b76RJ%vP%%ITX4}J!!CGSQf5vS z*Ohi_;&5TweZY4#HwdJ7kY74CsVmZ$*|vm8QjIQ5z#5kK%hiNE(rekQy(k}=X^`bt zOy_3KV`08(Xb!1kgL^sWnz7s53P-#cAq}l=r#EJINysiQDp_WMhvn|2>9<45+v8Sv zCmn%@Z#>q3K z8=2f99)jBMyiGJXtE$eQ7BA@u0FT>1?Wi!RV9{rIz<1(~t6QfK9LMNSrw`{kZL(`S z1FW2Esy9KFnU)&mqkNRBv7>_*isYU~tWr~4XO}Tm%m8p&VzHDq{b#Ps!k6Xp=riNz zj+cZYsK~qvNtA?-a+B`nFiB`VYaa183>XH`La`k!a+@h}PZ;K*5%Q1skzg%)A_Izb zbl*VG)_oQ`?K9DXmwbhx$-cpmvEXxZ-m0n)uf=oXN5Q?+R$4QUWh;P%TX&xp02U}; zKD^)hE@YjEwjKZGLq{##qdIYN(SkyXqZ2U6dxDwsHDn~Ayb+qY3?#fICdpR&>n4(B z>pLw@-JEOCG1pYfB-0-WRWC4$XcJf!!46M{Lr!J?cW_T^(MzwkdO9rDvf^)+ll zo)})^FDpmfU@ej34d1x4Xy+Wk5*WW`S7+vN+b!0ENpIY|b!im%9z=x2ASiX!6B~YY ziKaO8m*uBJD49EsNP(Zc1b-eIVWfgB#O9Kfm zGL~??`0U?WK5b@L%zNG9bv;Bhv3g=Mk0k)crb#aD&z@~`%~C_<^QwXW@sWaW;aJhZ z=Bv~|?A_}eJ;9|`sEfwiL@jWLb!cR&35 zfHeQ6nKGmKOEhI+Xm9_wZOY2j%J5q`W&QnZLt~?BXK3~J>HNL*kJGXFM}Wk}!qNWk zuDYSUgQ>OEKLYCpdKQ20{&#Ktd+`5raGm)tpVj}OxMKRZi|1d8E5?5&*6F{$dV0El z_SgT5;);&;`yKy!{9hE;oeWhn%k8C;{O)@-X@f?juUmm%eD^`}dDSIwR3KmrilIj^*1I0Bo+v^$_>g@oN`dLb9 zWGY@*B3-y1pds-Z>7b$HKyO3u3FPG=*aHD-{&{rT~m!8sOKIH?DQ;qz)tpz{8q9#_-@~53<40ty z%kQ25DXVL#zF!T8Alw0BkFMnVDNzfI7xLfxo6F z4=!Ld&H;5eCN93nhkHgoC;A?t-3jEIoSkf$9f3Gn05scH>=4Q2*F(xohfk4*SfHiorslDw|eE^JfjDKL{9I0Qj(ElL0 z);4Tm_rIY0R0IV61OAQg(ANX9adgjg*nYKUdOv_a(`*1^VOns0g*APRon^{qr3s_Q{*%vfKP#TWk00;_dxvKCX(HIgEF$ z8SvSC3Sbi%dK%`s$sFL;hi7bX0r}c^%SZAnTO@~SdGM|~{KMIrYI;jBe0445gX58< zJ0x=;ojsx=L*m>!y=O8`2R0^^etBRXK?kP6wY{bL9NozXmjt5*>sWHT`|^=0B=BI1 z)=|8sv~dH6i1jOo*U9K>^G~{wcj6Rfeqj}H5&zeg#cFp(;udkQ;Km#v$a8mU1LFC_ zr|UES_uX|@fY(L_?i7KsnUTPM#>POm4|cCVz6?IXgCDewL36@?Ed%Ea_4fDnLb$wr z4jpNe_SKfGMe5HBA4Fem5-J5T2 zCh+u=f7l0!Lt9Nwr?hBk!&2PKlpf zYdR0kwB}-EX51*vnX4A)LUibKO`({-Sik4^Jsvbrf+nmsvuRv^YfjsyL7B#Zp-)~G zBq(ju|Lfvh>ZftD10bT6E8rEGHRklY#N6p_4F@ecZjIS3Y;;NdqqVgOm{3qKSi5)M zqt&lj;~_k`8(`ZHIhc_+P0q;7s#8gA9h~)+Osi@^pco<8-%sM$o;mw+JKTnNr4|?J zgxv)}qf#oRn<1qB+OoTqutErNuVAoSW0Ibl5fLk>5P`+wQ;V@!w?}EF@Ml98@NdO- zvbPDY(1yk{TntY8{D;(ul!z_0>u|&)* za}>NGW|E@YxeE>~b0xO=b2!7#VIH*t0xzXrdB1a*-ve>x6A4_;SK#fpf`$>m=NN+; zt--j0ea}~9Hw)2L7)aaA{Hpu9)-X+~66@9r&P-M`Be1j4>i~;NxvSYRGgM%hb62c< zOfKze2Nv`yAnWiFJKBbSVv!?^&@aFvQd9Q6ab*~_Yq@R|Q5Hn(m!>~bC?^p@Ya)x2 zDE26vb54m)%xT>eltvr=S+Wn|ZsUCK2DL{WSl)y7f-0I)d0~r;UL@6uS zr~XYoAP-wGQYNcZEqqwlk+)|u-beE*y*V9iYi2zLlApgeP+8prZP&okQGY|h_I|CX z+>TcgDzB@7XW}tXy)R}P2~un=Sjyyp{w-%)Ac;e2rs%^N2y2NMZqxu{=1y+n4rZq+ zF-zAH2N#3hzZQhhN>{2TTL<&z&FRVzVfnxjwvL-`t8*7>m^8rw=*L(vDDP{ZF>GYP zbd=|96LOC43qQ2u{!k^`eWssk z_;?dX1%W}9vA3csbKR10T)d%-@>#TD^;Zjl=_uG>;&kV@lxN<0v(gNGK&1E(e^{pD zwlZSuaH-~aM}>fy(_>Jr=zG9aiGadzmIu={k?ZDKYnupn?E&Qc)4}Ef5M~|SemIkP z5#F}s{ z%z7c)3q#Oz*D}4fM}MnM?k%dluq2VRxeKA27uiamF9-GNMF8C~$7YFK>}6a1oI`e@ zO*mjYo>s=L!@)}Jqr@H3)k)soW3?&z);wmmOZR}+UMkTdH{$ zNZqbhe4s)0MegGxp^I3n!DzuU!l%UVb zTrQcT>{zgbAHEh_BEpIBKI4OE|1rtb6QXLt1nV-pCW>F!3}W+63gl>F&HfQ1+F^@Q&>QEN zfxNyJcP?8PY*3ELUWC_pTc~ucn@0Kw5nQySm7^#+3JczS?XG6vqrbYO0q(Gq+LFKh zKopixv4IYqID_-mOWV3mIo7Se27ytZ2PNh9Hn^*2TiBrLItpME6)lvtHDk$3aMZfg z6>jN`{CMluNtZS#9Zgg|*gL;<7V)2_kEI9a^O+a;mzQuM&;~wL4n!UhK1@|<@2TW_ zyrtt~w^2zb+a1>6TgYzuFmy%YW}810M&v+*+d29hQCrZm6n+@c*H}Zg1r#7vx-6?l z9ke@BV~Z0JTWCggVe>Bf)vt7FsX4=QKFw!nqzpvki5a7Nox*nf^c#EA(%h}w+!mTa zx<9>*>5j;!(0@lJLoLg+@(d?d&WaQe5R^l>E?>eRXw94`6*%HTelmx1Bf1Tfg|%B% zl{0Xpe5QjRj({6YJATj}%kQ^C45wlZQrb}1#)3u^gDbbIX z_MZ3yPr9Ysb>M#5{{VJnpXQKSsHyn~k7?2oDaHZNRkM>5|Lx@=+hsUkmkO=5hp@Oq zw0a4VaOZ%>q}~$;5+IUkJO`hs>}_&l5bah&X#D#zTWhe>~8i5J|RWy-{#Kb*$Nh#oa}@^wJ`IoAPUx% z2Uboz9XhiM64}_wZ`v4^(V`GY2zfW9iqi4kEy5xwa)Ou*x%B^Ogk5_2<2)qBC^Jj~ zdN*^W5CHta6flBAyA>P1f@!~qwiZf1Ljj$^V1;>P7VpvyIH_U{QL%vc_N<;-!TTcX z)h%Kc78~b~HIbzH8HxPZSZp7B{H6V-|K1wA@pss7;+oK=1dKz&03O-I8a5Dnn~UG5 zm1RyN_3E|6&Xtu;5e8FZWwuHcJsYfK)mvOPj3ZG5<_nFaeI!vDflQa3>y^F}xu$ai z#<$s^t9xFa!mp1dV*xLPlq3MZx9@V|1g2Zt+E@^fl`c#;+tqT^A-E2%$U(Il^gfhB z*23t+;B}!1(n;xK`JwqR7q}e6XsK~4-;*u;xrG{IrjvRKhF-aB!@R*2=hTYundh#ysL4A`7h6xf*&EhX4TuJ2AQ>*^P}P8BN)RDqg#0{ zC}wfXZ+3Vz&YYnHk^|uJldsplX%lU0FAbMn3;ph$=^Us~Y#1hw^Yd0aOKIfp^i zw;1IKk4<$xKpEPGpGalpG<2eiK+Q`7G&rUK^#NgQ{q@g+tqsd=+>o_1GPzwU#0q@` z$Fj@ayH4U)jT&@=;Ui+!ph{?LG;A6>9sy_5=ntoozmZH!H5W17BML&!wm#iwl7Z%+ zUp_tt41a#=JrT_{hs{S?Wp`YU=^u=oM97^Odu2NQ&}wR`H{fA{KZi+}Nu%8!_!Gsg zc07`nlL5s4L#ZdiG~7%JAzwjLopK`;t$B@U%1Qq3%CH4sru3U!LuZ%%jFO`p3ICK|BjD)yl&Gz1P)ZoxQMP@~gpD|>& zw#I);ahA?NLL*;h8C86QaJv<~>g|0P%(JR)I+GeXAHtP0k+2Kq6ORGsh=$8ows23& z45=m)REn+?>JSJkUZ@W{1Kk70uf*7)iBsxj-=!WwKgP+%sjn09PF9f$7p&)}FB_ru z3gd=YgY5mKIaoLSwv@Qnhx**yqi`1N%f%VNIVO9F?~b2YzjAaB9;URNRL$?28iUoB z9VsR1DQc?Q;LO5T!>rt1bImK1CK9+;`2hM`U*|~n;lhUPYd?u&=Re5AdFmDi|EJ%ab=#>nU62PorhZciSaNaBSyUf0qmjL3uqfzR>CPBN(mT;qhv!^sW*ohuW0mKoiQSC9xn{gX-bUV~PRfclS ziD>M2SW(&Pr}BtFHoT#Y&Y?l zp%BlZywmE+lC2b6{A|>TauA@GSH;@z4RpK#mYUrCbJ&f!JA_?%UI&-kImd01Edio6 zjZ3f?tX;C|O+wXPG<*i-0EtakXtc!=?bn%YTprq^sJY^{+B7(%LQoqq2@E2~xX=>{2i5peio-xx z5N9y2bCVcl|E?G_?$F8-NH!_|N{Phw;KeD#3!X4RG_(H%&O4DJtm9vx-@P+m~hGwGF9;q!xBR1FkJMe-9_rlv8%;&$b;Fi^z?Y>!mHW zCM8B(HGUHORE_Z52qz0(drvU6b&ERr{-n)m(7)28d;`b8O)RbA$EgFpr@%b~;-)qH zl11_3_i%&iGsWawH=h~%#z<0h&vyH7fHbco^12}9#cWTD!r$t(WWTJ}9pUFR?Ep`| z8emLuVohwSLy-I}`LKP?B$bE;PiCuOhUo#BTNBq*#De!6fBz&;J6ij*b!|p#up2Fa zoG+b>xY{+w=7ET@jjCL4N5P6wmOvq?{jfEm-ITTI*gTX8fpQ+pL~?B1k*yQH%;u|} zJy-(%D#LwnjLr!QGgqJH?{zvQ6${bw=D*NR(q|uY z6%64Z*u9hggKx{7T(y)*R&4%3ok|U2Is;|q!)dtBN(qfu7@hooO3)I!4 zo@=E1c}c3osujgA{Fd{_fb(=m3;VnmY<5|0!Bu9sMS^8M&iL@rn)xrt#Qi-Q z1K?j*s?$3Dj3MyOmk9{Z*U=yD1{RBmT7fMuJe7u>BxeSBExwg6F0&&BFFG^4rd(Rj zfY5jXX6gB3*Pzlc9fTWUBi_qZ?qJbZ+f#?@+c;BPfURp zSegureEdQchgQbZlw_2x!KcOs+epF$f{pAG@IVwhR&^Z4jkFklta<1Qw2iJuk-@>>mk4QSDp(k_EU zN@s>}Jf#~*kF7Q(jLH)y8Cze&v9>tkA43?+mxj-fO(U|$I#xk9BhK>V7Dzu% z-^Rjz4mA~E9E(s3TD2UtOCQh%ZpVzr3A3Xlr=R80MhYbUfV4Y^Y;M3EQobdws1&@+ zUoYYd!TSTd&HvVKO%~2-Q*HnxO^O{NB<=;-Qp7A-uX@PRC~R+(u} zv#tT14!Z&!dK&PyXZKGy!k3GY8ufXjPAxA|-S32sGd#5yA2Oa_Z&#BO!%d#aAWvO23u(TOtuk!^WW~qn0K6Vx>Ye~ z`bA+Z4g7GH-Ij7F{^SFf{=|-vD<#qnmHBYoMKcMI$m_&!Wz8y{Lit_14w0T|Qk5 zkL4n%F*AgHHc&v#bLQAMH;}tocGkCJ{w$NBC%uCOnagpogrrfRjZ)^~DK>1EHO$z- zP(s^r_NJ%@?V++i-$8MM^O!pxiZG92fLVUT{W3D!dgfkYR15AkZYMNGEgg zR4ltnx9(}dg?C9G9jC(HOJ3pWW}wmD4&c>4je_4c$Och5?;*)w?JJXkkubkWPsl4C zoK2_2Z09a3$9X3#irNkyPa0;Q$5ciEW!{CCJ@(ebuA;LW5vNV%rP8CPR$mVBQfN@X z%1UjNUJorhDx`WN)zQ40YG_{KQQJZMd}ya@4^6S1$&4I)yrBF6ITqdEF`j>HUKNfr zQ-IVjA@ZjSX~uto#Tqz*Faal%JmpJ}qIYqt{g%Nv%-yBnt!6SJKmk{UU!v$Z6CL{a zlPh4m4-OWZVawmSP{ObN1x-0{kCA5Gf52;W!KvZ%$0`J8A&gEpA>wnNE5?lA7UQuj4kVb%AVS`GbE~Uhv zdtIRVt*Om`G@2llL4q--FjhL1Ojy^x)x*g$&Y6EHe6+uWRX2=kM%jUg79u%2uMzc9 zmVTn&TtDkWjN2qfYl2fS7i)++WFsi5BEeA+l8Q$PMh<0ypJ7sRtg>^a$|IZ>>x3wf zEmfGeXZ8chS9UFUD=D z7+v$y0+S77b~HO=5~tDiK}pvg$-if7;zq@1!fLG2KYNh(T8g&hr#(1^D^4AO>|N@j z?e864gdq+QY3(XC({V+E<AI+8%%E@KIuFN_|U`Jbept#G}YIi0FmeLh`pc`pJday550V}Zz-7yVrsi4jC`-Ws46-nB&oQXIb;>)ouf&iv7Eb$ zL4l$(21K2IP?6&CYjU=EU~(t4t@O@-$e;xBauaNAIsp-Gjd3Vfl4|0tJfN#?&HLvt zf~kcP>JONiuQye2G1{ugEu}Wug6xUKT{f^|RRcru*ez@mHWW&t^R zJ~B{8+T67yJUrVf)1705h2th)vhc%iC$B&Le5c%&2yK5V2U4Jx@lmkS>%xgnT#wdPaQ*??bzl#Yx?bKGR2G?U8)qMq>6R5Dr!ND98_yha+tM0#%`Pq534EpFyW9e8`@uy_`y$?w@X~`Y~ zCTgapU<-FmPd%Z}iqrd^knWAO_$>FCtJa)el#=|>)9s%5jP<79YOsT&GSI+ZeCU%H(wWQp@~2qSN#IB=Ip{L%8wT2tih9fBE}8 zdkPg0ZGl-b{1VRd5;ifz>4}5Q6^d260UdN)&LrdVU85CqF6>xjgU{@EwGtOV8f$)q z?V3GR9D2$vhHXNA8FUF3+%ZkaJP(h;?CnvZ;~Aa0Vs&}2S)#likQtR+k!LdJQgw+> zVjvs%^&*c{G6f`RP?w`W&m?k?M$_q$ZeuVFQE~>Dxj&q;gNe68NZ#4Vuw+ZTDBVC@ zEVUQV!NjB0nokOEmGwfChL=ps;Y{76sjwOt7Jo35RX@>`^8u8*tC@My1-3QFlBAM?P)GbBD?F{Uphzm z#GL{)N#LbdEXdLRN~Q$Mn{xaU)do8FH|pkx=cW+h)Z0Q4!EaIx8LiDU=j*h7#VlzX zsY_4Lx^jZ(>kwk>uCF6nR5nPvPqvvBFM7$#&`h3dCa6+v`Zx7rrWY-PD(@BbRy!9>wmy)C1 z{hF8)-rA7v885DZ7a~!=GbZ7?NN*y)s9J!rKemp^ToZSuVD3a;m-XydRB&`$^qdkT z3=(mK&)U^m)&r-})jLWf@pQLdqUH_38Bmt=`fO>E-vR>p<^$)wjfIFlIAvJkQe(-a z<>{CC%iOqLe=_t$^v76?=Pys^vC?LA!3Ru2`{x#$G#b+e#c9%`l2gAda}2zXF{`Vj z7$=Q-4ba*tE~2s9=U)g|0MF*cDirUKZ3 z{T}jHA*txMSQB7MA#~Ns7Un4yy2|XshfJ=BUuDpsOxEAy3#g`LA$ZdVkE1p4`#V;-QZr=T?q!?v~79pT75lbJ=cVr1!_2$S>st7UN znBC7xF(hO}S{-usV(990yR|S4_j70T*Ev(@!!t3hu%%HFw^ZMeS4hBK)_)qbx#MIn z=!MDOVLb0l#!QtlyD8rdX`$qPZTNS7&lrA~SBvk$WEg8GP6+wsM|==#NW=_3k*`t4 zamhN2YxMbf6s1EVAxfX%3>7^}iY{d31`p_}-={skC{52((y_M2G+0uoZ-8P)^+j-B z#Qt)WCuYZ22gN=T#W7z1hC2i|%!TTWDS{Yih#*sc(edQikg_e^Jul90HpH-`Ojmi~YnN^TE@!su!IGls$7dAAlZOeJDM6 z!AH2EFeFQs3zO}{VXU$d3VF(5RRzbeAl2HVTMa4cd3IbLi^rlwIMds8_Q%#D)i57s zex8+5DgCdO2 z7nA9Jx=LM$Q{H->u7#xHz`W5{-os0_Rr7uz#AZyei6cVAIlRpd@nBm!T-ZLnlYTit z8E7F1x?thUAf8wpi<9aFi2e4h4s=wUL?~_b|FVu4mOeFC9;W$pM{4H(9T=@+cydQm z?Ly<_jof|Wyi20Q4J+?w?*J_6%vp3*@=!$PnVTg0Pm$SP z*X(>(+{z#_^3;Q|=_%|b(_MKmKXaCY2gf~ER&icYQk)+ep0>gSHbx@*{`Sl|`$S%< zaLD39F%A39%rJGIq2VE8EnVH1*n-=16bqASu2?xt4X*WA+?M6^aU~vxKS3z=I!U+*ELPfF>eoOsTW5Hiv7yOL_fm z>z0HCIxckD`v{(49&vPntVopTjLfKTl=II1kX292xq1b22TRew!mFL%ybBwb#&`dYxLszDpHsEGb#|ImhiA2Cz-#?I) z3KR_23d-18Brp<_3-ft+Lg|%>R(Rn_xv2#3H=@=j&M%9!70qAJ8NAQq^4`57*&x<+ z5q>u#aAZ6Etafdq@?UXNibh$=T}nU9@o-TKEY<3jQgObK`6|BC;N7*e%X%NGF_S`O0azhu_o z4XEO!j{sfI@t6q>I#)|1T7kkNTz9V4X&581=8r`e*Ix`DLYK#qJYat?=)Q4u=iXhO zbdct=BjYW>G5FWlSXSCNI0HZ-q?u`HnMuMtP$U;*R79veZNxIC$XVpTtnJjVDbkB3FMkRT`T)17 za&Ri& zBo4W4Wrb2B<9K&5u9yj?_(8Rdh(!*92&ie<0i)|^F0-Skyy$wewgtS0LA)j;kc&ji zFcumr+&Vhu?fzJmn3n=18E?zyU&Z%+z6?h)_hXn|d{lTW5zGHztcBamPCEo&2$6L3 z*3hQ!&!GK~$2oRxMsOE(0eWaiq+_QTKN|mGJ6UVG#X%)p+&Z7$D$_;ybDR}Mo5^dt zV7laNYh-C904E`BIoL)HzqaqWh*GkmdzO;G!{)mLP~&?kd3ZS?0TGu3fBEHdY^nZU z?9Py;mu4WBT6Phr?#+YOZr2KfmJSlqTw2-MV|CiN(72w1tum0C#FmYnfckyo3&Xd9 zRWsgEI`0AQrqqUbS8ec8V$Tz#vtP2cCOp&%?6bb@iVWtDjoB#Q7zJjKsdm_7jEDG! z4B{kvILDKXh+2db716$lN677EQl`RBS^kXsSj8WUK5nXw&t3RKE22qyJ**zlwpB`a z;sctKGzV=jLfmyn9ewf#^eb^{Jj0fH1@CQh;#D}xv-$Vie72$+-#=4h$vvHxqON_c z_#OI$mp{Pyb;l=oqPX7X@~A~4rpqba9P*2vc`%g_OW^J47Amk7cv-2HP9UuljhkUi zc+w3f*q&8w_ET2wJj8lG9gDrSWEI+1{HS7lG}an3;xaOW&JQ?Ab{LQH$6kh0hAswV z{fJ#Gn&!=Uc2zu|y#WHUzf}HP+MD^`fZhKS?JcUTAkVM*-_YKo4!RcqJ@HNd&3RKX z&@3z z6pb{E(tmV(^{p)}b^lrO{U>|<-(uJQ1-kw#@%tZGwJptmCVm~Q3=Hk;^{wp;|E~SI z{BOPAzsTqR1%_t%x6k%pFf_yW>HlZ%m!6i6{-130zr)bSe-z~D~eGtmtT@XMV;e#~3U-snA?=p2d`h?N6ClJZLn*ewMB z>(h1y7}H0pDQR-j`wK8>62P8>fFrq^%ck~+%4+IzOWG&@cJ;>ir*;5l#`%}f^5??` zsC?aDAhd0rgAL&OL>VFRjdd0^vJmyxzEjit8Q60AM_=mLf zXT8*)FS*WGfB(p%ZmYE~ic@d98V6gj)fBqk+M3S^)7@K^=GHqL}A*ru! z4xy$b=B%$`^)Dv1U(eQUUq5I~QS!Sj;hPw~D4-b#?z$tBCJ~abdF6?|`^k_#sj(AV zSs!CnR>lwxb+rw^p9_!LmY}pXv&OWIIZQa>}BzD%Eo zEO)w2b~(hQAfF#h|(z#)kJNAO_wc;z&X|N98w$P!^C z9ZWq&AsR?!*YSA<{mK5+uZ8R9shQX=^(BPI0F=E{^DTbc=N{OKDjKB0*9n9S zyr6?&uG^m2Y*i7FHS&Z<&R6hP#X>(WC7Wm*SW3rwH1Ptv)iO6L2P6bF+D@XTAB~fm zk7n6^7f38nie__7sVOXK?9scMN8Ezll~?Z4)@`i9xVs%WJ6C%>Mk}+Ls8dC8SWz<0jfU5=1vt{Vl2NO z{N};?WuisQ3tpCE-567Cr-gxu?TymqQ`M-Jg#fgZr4T2b>j#hgL~PY-Soab&d0L-N zpiO32XrXy(_Q{_j-(iAD#UO$`Rd86ED+Zq5JJ2QSKCtr!qIH%&k*^SCEG||MG=qzv zf+M%AWLC~fZ;%HD7xjr71JX+2a*oaBfVf7f=%10WU9GUq7S*NgRz~9=dD$Q)Ot@8X z+Pct1P@2&aNjtP&%@{Unh0O+L2AcJulLOi zCPIF*YN$EVTyJar9UvCwS zS;mcUQvS2sPaO5SbrsebA0`Q7AU`moYw&Zjdj`})_0mg^a`tLO#hx^oc7fiD)~so< zsHk@Xym5#7V2tU!?5h-$rWP5Mo!QY`boss0E0sar?=LSXIh(p)$E~Me)C30N6fI$n zr38@G#(N6PT^Lc2?ns2*T_t4d3VFE?z_01jO(oy&@p3}gl_0yvuGBFJ&`*4!M4JVt ze>p>Qeh|$QpI|+*%SyR=QLNNUu|i;VF`cr;&|xr0YGab+rj2S>;oyN$6$`-On&m!=htw9pRG+X zCHqnN$lWIQS`$}NKoBAYNRMb)opINe6w$CijPAy%9^0az$$7%Ipz z%3`$jKbSaEz25Ndn_@opS`RfcCzntP<>s8dWHAsgB_Plr6PFckYApRWV+@Ql)` zLzdEd5ZRK1(|}USrjGVzv8WuqlT1k+^%8<~7pRP|wHODHo=Ggz$eo%chnF+u05CGv z-TIH2wrnU&qu%9ma;2#_YuDztgz)ehYGy1C?R}F|3kn4?Tp??)b!u~bDA*j|#aJIn zX2jE{IXw$%K$#4VRhk-C{U1+=^H6ckcSV1NaXs#jVZpNeKL9yE#=pp71lQpyg!p>r zFplLpf;9(4mz)`s(4!lT2X}icgb`6=7XaFU!r$_UIPz`du8H=QBrxLiwq-9@SBDna zoGe6(orBzC61CJH%0eIgxuaIinH~pTTKXoPr-P&6Pled+LQilBw5%2@*p$r0q--n> ztQ|$vmxG#{7<{_vvBYf{I4hB!K2vnb-i$Y{rsq@sQW*=XJsxFo@Ec+V%Xa1GBcJf0 z9mqW+j|wFL7-U_SJ?-n)mCwKjPvb63Ffq?Y%!?1QyVcqQ23fO@I-yj}40`(7toegB z;?xj|m5ykrbh5EW5Vj{bZ)dH)Hy?P*`a*{@Nge|sE@yhgrqhAMManK0s9#^m1C(OG zozJ>r0(LKXWQ-1wRDYw8G3eV%OtD6KG4*9#xlqUu8BdCFs7_^I=(*nLw;BtcmNafV zNUb^4Zt*2MB*Su>)DYbECdkE3-)^QFpB4~tZ8cG5vuHeT_l-2;&bnq?#3{U5a~SeK z1&|xE5trS5?0rt9J;j!V8V9`gRYBxc9P=I$nsoCQvs3;hk_&LwSBS#Wgj#s)9Kt0| zVY3%Wtk!s{m6`5$Gt&If^;44c!%+&$9QeM9tsPr{x~zPlmM{z;x=`K~cKD3>m}poL zR55zhJNEpRm1(g73nV32J(Ca8Wlxl*_Fj+1)YVq$DiV2Zw>JTI54nY&o$K1%kE=yG zgkZeOuwSnCWCh+HLu5MCt^T-MmR>4o4h{YL^uask_0t@fW$A+iAKDS#k#GDN^6grFmIN1XH{~UEm}>|SH_E|fWT;Hlg;k{i{Gts zvY6@4o>ORfHa^%!+j>8S?O;<6wF1+dXzIxzZ5Q)ouiFxb4+Qg5mcBh?*-<=`bY!$x z?P%j-v75UOYUWO3x0L%~LOxhn7go+g=r&_a0jE!+5`WqQDtcu^+I*qCvq8>^5+q@V z-tn+Jd`&Xx{Z@+*bK_nKb>b1ne=iQtN_}xRK1B%R0(5vvU@P;NpGmt^#p1u9$8M$7Lvu_Kj0mla)vj)lxoIn@W zxU+$Q-0dkfDS>&UCGQyCh!sg3rI%($5uMDY`)6caQV;5&;*_kokPdpOez6aFFL5BW zhVc+q^A?6;L~m>5?{-B*>S*(Y@YlgIC4ujGV0p)&7C}TMjQxYdl2}x41`Oam&ra4;yE2hjbgNyI=uWDg zQChgd$J%8Rp4bcI@tv`Y;N9F%RS@SSLxV0y^$J+NxSJv2Taof5G# z!Wymn9)1&+PSe#VZZlc!L&+O;9QV%73aH9vV4)QDn->f~Us%J%yxQByQSgkpc+E3w zK32>Gl}7B#MHi+xnRwU`d;Gp(_b#SlR+9qudbSN4`SyVbMqd!gTK&<8c(u2kV)5~_ zblnywswv^72r8HzRYoX9UeQ+{-L;#~4Baa7Sb87;>Ai&fV#>oK#XSm&4#-V$JGdsX z02{7A-vWVRbl8pwauqf!bcbQ{9c|BNfheXd7(#bEdxjoc;-0kwVqQZf0r3a7#~cdE z_JtN9dXdli$XmL@a$Wrial$ovNh!)1Yvaoj-xLtdCJ#c z+2N!U@Zi`j&_DDlj*^}1^0$f~05I3o&r4@{X`)o0j^TO7mf}sw71?sp-t)ryQLtTW zqm0dcGh3~y3j~aiPU|w1&>_@WN~Ko^1SRtfP(u=rKf^s55|*6$^9w|3g`R%d}eZeBVRfxhD4sJ!ManJ zvat^}M~)eKS|mF>9bH9hKC@z2nR7&bCTFSPR64U06lYK(2xOzEv~tDR7ng23_AeWc z)(pIslI!J7g(wzB^lt@|Vs+X*!A`# zBIW+T2A=h}PQPbj3_}RcE0poRGQ#{C1`oZF3d;zy%xg#cc9{lS?phB>=6ih|v7J09 zL_s4<&I0xP{o|-b3Fwp1$AWd`W40%t_#}5(%?jk4Aa=dP|A{IHW`5>H`61>MhOt*r zgnklJM?PL`yO+ylZW^14&u+WnRO%!HqX`|I$vB_$GV23uPv9(_LP$|SkT|{L0r~kW zq1JI(gzF5I+QiG8|LF`NF!VaZpI~(1dz=3rfsTvmti5})3TIb3?j>)uoG(765K?ty zhBA@+^~bNe$fsX7>}~1BXO)#8Jz$S!UIY33py4xl2ea?}_46EZ;qWw~9cISlWHF7T znnhuJoV}Tm>N}{whm-lSa}JVA&B`Dd#qbV4re$wFex6#{-q1|)Vn;Ezruo$CC(po6 zxVX$A**}evDFg`Qc%b)^e}emhF;bT8^BSwsp*=A)+<#`|yLp^P3KVVS%|I|O*fcb? z4kgyDsBRO&|2oZAUHY6@(eBEsfxitc#kG!jZx{2-pl)7s5Acef9kO{*R*Ii|66E5o z!$egpvz*j&kfR4P0gE;z!rLP!(_P12$$aFA`$kwNMj;e&)VwY!sY5(Sy@N?iE(@lw ziy=%9&MsvqB_P)R(oRbX#}P6LvR>8IH_rJ%~wOwG3@nReFYBi=1I_ z74pJO&2Ly%u)W={TF$|&+z>UxLbH9;>~zedHH%?hbNOpIFlXD&!*k=3lLwCwmA~E7 zvR*>Zw8L7}@Q+JHNGh6B?MItJ;kS^nI<3f^r)Gg+r^GRT5+AskZ(+Mrq&)%HS5W&V z$>p#5P80Qk--qg=&YU!kpR11FAHBHuW1d*%>B$IBsf=+l;SU?>^ykTz() zI!V?EYsI5_(Pw6uOC>b0yCGg<`ped|FVqUlV4#HCeZ{B**NdctuA8B}6ZtSb3gSW` zS&MGhuk^*NDtstIUIA+1H&?Z=ZOm-xr#lOZ>dU9|n^lCeqo43|Ve~Q+Oxw=-ZEK!A zuHzo}t$R!{DnoadzmcH2RzWZ>emQ}|i&YiTrNJjS1r{vjF+do>cozfSM|aA#Z%^luh2GAAltjg2Q}YcKCZPAgjZfgm5Sw3icM zpfsS)GbjL*Et2N_ ztvBtP?>p)EW}kE(Et%F6wO4e8#0S>VY5Im6pH63KcyREbC^A#WU43nEy39RYiCjYh zm7;furGY^u|Kd5OEHeHpEqvzbH*GAbc|IGmJ-P9JRiS#+Bj@zYJJ zgS&5ihmDzLmKxOMp3>8Z@|e?5mRMJtqm!dIB|n`&7p6HVf@>XS+Yf3OR6L5E=9n{l ze86XITFww>$d*bLD zu?G38U1?4=njPs0g9%>uG2T97(6RNf;|OC(#>a_^n&Uzyql>4kc5;{y3>9ZnV-B5i z45#m5i;X@TaNgi7n8SVRPC`Agpe!c`^?8ulCq#U9 z#~Hi*UD4wWoy{mhNvK10?m{EX<|os(<(XUJ8fXd3;Fm+{?hlW>Cp?H2A;fHIBe?Q~ zC{Lty*~Q;5rj}&&i{(ZhDb|0Ik!jFG2o(8#+OH<;+u*I@L?!^33-TRsXrp!wUGhh9)* z3e*)t2`0{LK1j7 z%s7^sYKd0`DtR;s}F$v@J_*og^KQ`+M9eZCa3ahZfQeAB8ZU;|Yi>()Kl>_`{hTILFh}m|( znb=wvE)HOC&=wm5{C2z%@WouPkh@<_kh4pG%G z^=p*3rK>j5SBv5u2!t zJoy?Ze3v?()1v0$%bExi8G_Sll;mY=_E!xO*1NiNOe+_98cH48rMcR3;7i;$T7y)8vPZwVXhu_9mtK{w2X8kplE1rDIqrn&jnk;VGQ ztt`2&cSI1pO8ISDWjyAPY2wiR=QW(uB(bnV->a0fBH=yUPp3Sx6E(a`kitp2SCUjp z5n{9Cs|yZN?}AUQn?5tfW0WUvz%nCT0cB z6+4qEj!wI4WH9<|8vY=sr>`o+X+G>kK62M%K`NA~RT|h!Pa(1sm7i1XWGc@jAIwje zo$cT#eP6-u=^5R|F5JnRxlT4#T6)ce;ewmDvr}ywfg+O`kI^qUKXc+`^` zUB&Pdl`ne3SW2dBVC*J1$5&5Xr4Mg*9U3pmns;;OPoTioh65pW(9O&KxvAZXDc>V% zT5{HtxCfmPKslxkot*63H4$DY++g9|oG$+4iYW-5TCdcQh0Pzv^bork1w}eRZh8S; z*WL%u67$X`H<7?KkEZZBFWU>0eZm%)Ame#0JCbbm3kC9?_hs)yWc?!6xm0HLw2%sr z87*`nNR8PUCu}u}u#7i~F72|^jHib~dnBzVm#Al0!r)lhJ36Q61U|$zg{<08cJ$8g z`3gT-mmU#=g2^}WBpY*;E9+tpf{0a|7_q3jgC~D-sj5KTDX&sUx9`o#jyBCrYlLOX zZlqC5bYD$Mw$zYq!v#)B5pgXm-g9TptLh;dt1Ycuh$9#5x8r;7S){coQIsl5A=VUH zmAOxsQ(u}*1K)GN9NoBk+Cv;A;KVCms&<z655LJf~FytocJY{7L&XOH0dAp3XRLdIPx z>bXRSQEN{&YriXBusCOkz1%j{$lF>0Wl+p=we};(i1RT#y7xIhQ-5AiVUz6g5&ph6 zfNJT}?XqUTd*oghJna~NXVXc}#-W}mH zq2Nh+*>HgM!yQb~3r-;h;f=~bjpKeZ0e_dUDWD%O8^TnB4CMsvd z#N?YpW_*s35V=!U7d811KZzOI^+}+|QUeSl&O@jP@s?ZdM+qe@uEL~{-A@)BQA-t# zhCfQ*So!0ob|0O7si9nsv%GkHQaWPVf|@srRe@RJ2fS)p+CuMfY!+w;{gS6mvL)=! zpMAjlisLWvq#YQL07KCzhA(LX^B^S+El;N~iQTFb$$l%(9y55hoYGT1z>E7#@&$L1 zWZi#lR6_H~Z6s8c+JAa`{UOtZwKg=YZ?Ug_@J)Nv%h4sJw0ipy3}$fLcS=PxK^MM& zQ3O%3n`eZLp=~MP5LK&A8r5?74++z@WJkp&+-)R1bzd@WE`}Sj?Hm**l8`rJ>g%FI`L0Z|%WL=AgS&$-EW0KD@ z!G})xd1$K)=)ORvN$xINgaiaOIsFACGA4d1`crioRikE@!-=(cQ%Z;OM5otB@{kza zirAMbAyif*-3S%Ryl^4RtP(vbU$x=(3a40fw(gxDci}D22Q%7!p*yEW2O>4HGdeg zK$%Bh5o_Vr+Ge3ONquy32=N7T%F+ep=n7gxa6k@onv75wBeq>XBpDYJMucZ2W;UJg z#v-~UNml|^hykE}D=(u0H$*0{DPS25xPHj>9qMaZ8XnaI8zSE_Uk>3#Y$qw{90gQI&BcKb4Mg9p2(Pkk;wYb)eUBRdA_nSD zGf@^pRh!4R+VQNPMdh1Pr-+=vu^(IM{YkKI1WNWg1aP;kVDQj&jTKG9nv=+QW)=z% z+)i!Ds-iGLa`Jw)jj5}*8U)n_)d>&vOcBjAB=lM%x*hgoJpmLZ?WRGz$azc2q;m?* z#nt1JbmzlgQ8}>@cqW~_!(`Ki?`_j6`I0V8&H*q5x#wsw6hNWAUxj=n2J*i!cW2!O ziLq=q2_-WSj4BEUYR;Q-OuU-(*1sv7}gf`jEhS8nNV+!nbmb#R7Hfm z#R_Wr5?!Crrd;wPbXEuX1ns4KOBJeV5}ZHRx3V){O|4G*bO{ru-UMvCaIj+9n7 zB6ek8=x05afU-(a^47v&RkMBRvB{pd`s>`l%gDjzO*hY*qsPnRm_qAv5=4MO`zKmw za0d$R{0IZ*XHSB!!AP_SpKdPf8B3qX?V9O?Stw4j>-t*JD=Go`bov-0ZJwN4gyjTU zl{^-Fh}Rdf%pJ!gny)*@N2CI=5ZM;`u={C@V|<^top|%JIrmM!_^H;--X8Kb?x!?B ztiNBez={`a4iaN*$$1h9u$Z}G zhEqiH<{C5H_RVOQ3*}bf@XHwuQsj)nBDuhUeWYb>T`1y8=A@*u@Yi;JyEs3DuItnd zXOq0@Gs<8g?w*@IvNc}W&*hk>YX)qS4A6a4Ey!3XF=|U$D zBtEpNR)vn$Ok!6KT&_{Bj~COAUq2_4CsE+SPzrE%rl+qAJ~R32J-tydk7G*Rc4a*Z zRX!C%x9WQeOcx-dB>20j$z4sC6em)fj~>M`cET{y8Kt#xAakFhc#J74&kxT+pVBDo zyR@qYeyS{JFNSPhjd;?z<;D@H|IEvodYM$YifmQEV%8ws$gl&o?{+tLh}(sqN=fqFKs1)?*o^WD`d6W@{8^KMDVykdbO z?(w+!jYMRNNP{p2HWGD-hdm#trB~Nt`OQ01&FVs^-Lvbv50-DpltRuEaPsENe3p?6 zF>95yF7=#eyXCkKTlvvdogwFTEg0-Nz`Ce6jvu!@0RXYPhAzQZC-vpc$5!HXNh^?> zhw=RonK3vXu@XMRjFpo2mi5n3lMBZxLHB*qq=aeS^A$%0pD$HKACI%F>ThAVru)Ko zA*wq1FkX=X-Y;j`sjPOsyHLg-MbuXlFX9hWE%9a!}KEqyLgAbM#S{a4(K6)or;e^F^^2txhd`q3N-OrnE>>K@efs!jhd; z)Fp%p1`LQJ+t(q`;n*`t6RU;=jws}|AVde`!$GJB?iIS~1CyuqtK&g=#VAqJH5Pfd zjm$FfpEx|$yXW5V4h!z?TI9@}hoiUh9io3+4#X91i1I37Ya!LpebuH{E2a+MQf^6R zqu!VsEhRml>qH%$TQUG|e!%S%b^VEPMB~!VtD`HLIA~i4L_&H&(uNeG@2+@XE@I1sYVXc*txcq)kvCwx9LW$RdI zdNYA_4s#q}X|OV{>8?hXuPG)lOm|aGI_ON*uwz=sy$(!dGsz3`a=C8PYLh|r9Sg?x ztXoUD7DP_4NlUUDu&^Kf4wP(?@76N&$jIq?Dxe)9zzGmh zWA)de;Qwso*Uz86(KUX_VXyRaUIlZigSE7%a=pJjZ-Up`G-d-Zt?g?HnwMZ1b9%6u z3;Nx%i%N*uP7BajX2nzg?7D=NB zG${NDn$V~KILZ(gcX(q7L9FJkMVruF@1;W~z1fO=?x5PRQMYIR^yF$2_;rfCh*(nbD#`Ys#K>~2I;t% z56B`+JK^T-2RKAyJGh7bsmu{y8c37r2wWwwrP=CLTZ~@FhkkVh9vMB+G`Q?y9%LJz8D^eNO;iI4l zLnZse+fSi_H{>P53$P@np0qsPKX~9pp;~O~!H!h9RH{UAAU5VMqO32Wa3ZZJb{O+p+`G+62kt+AM)9!_5(LvA;w%1NA3yD_DUR|eoYFxaC&%89nj8G?7oSmTHsvESg;t#L8Hw~K6v-edy&}S?U(9A`f0U8V{ht_Gx`$vWk17bqNXSDBWL2RFA62~!7Q3HR`!%B! zSYodSOC1#c zIi=7#^wJ$28ZExuwCJiZ(Z0GP|L}N$-N72Usc{!74LvmDwowFuHXUm{^&%F?O|O^y zqg!Jgya+br9&8E0mIS^g2f=y!ED;xAcrF;Ps`<^97~WW>K=!56l$?5v3$$B0c_n_!XGQ9F-%+e3NxHBXjb~ zq`EYK{qCzA*a=<3J38n)8OqHN``FL%>xSUx3aWrJ(r6~kn#_hZR}lIv4l=Bg@EN!V ztI#&y>dyvS34-hw%QUxu@^GlJBQ^x0+!&GQge^zE{rGUO3+}1~#Plf8xaH!0TEN}? zKunP78;&JC3!*%(d#^A|xyCcJa+W0FrH~$x?@~XdTN(l_;nVbVQB&;NYRj)(qVJ^G zSoi1-K?}ufM|F&K2X62P&r?0Rm~|OZdYU0cFKw9twUwFXP>maN*q5T-WLwOcoXAfI z<+Opyy&8_C6cvaEYgZY<3-U2Uytq7h=pEm(G`wjWUw+d$LPk%gx$#*ErkqKFnB7~m z^Fz=84dN)qa)Hn?DpQ7%;ReExTlD8~{=q=z@<8f_2RY}H-*LC6Il3G3;}~HRo!P%| zt9y@<1|@T12FEo)x zCdAWhP%3E({c|yebh3|?QpDNw=punv?o~Bn?{Ra7zG_mFqRQU5@x3pVm?bFyIqld9 z?6!s5@g{k?j?k;ZC*zINmJw`8Pi^an3;X@?*BiC{iN*Vny+M@U?3|%}xt~$gE2(C1LM(hFr-uNiQ@fG$9zoaX$(7&sx!j zKIdO7s*CqhW(_Oc7xVJJPeD0}aGFMP?ZzJQCWS%|1%6_EImL2)6MxPYWkFg4lKl?c zKp}YX=*{)FOHi^;HOq0#LdE1cXny86t0IQknZWyE$mr2u$BKR{NR)>z8K#nzNLawA zavCf6TrHtxj{_q~R1D0AEfKmmV^s2UYDZk1v?ph)nuNtu6@C1`gZg%D3u`%1r#Aho zoL!5kKF0K}dK&Le-_w<^BFmxp?N51K1=k(AJFgA!!`hVhX@*p%rgtb~6{D zn;y$s^W_8LiZX_DNEj(MJzCJ~Poh)9x`Albn;UWxH0Bia2R5&e1Y^J$wLq?VDu#=` zpDL4wTbF3vE-#U|NEAuz#Pp^lE+rK%vF(kLv$Fp8l#fsl@KaFj^dI1MvZN<1DNQJ! z`+1&VrV}-QTJjg+xic79^cOHiK0~W2NJ0P3q@~T5-3)cNZ02rL&hF+?+VNS$cnSS9 zWzW}Qp34=YfiOd@(UH9ImY>VEZZ_4qfx^Lhfx86My_?sjxJ;iTMgaO4t#+LkUr;!i zqk=d|&Z>%|3oF|37`OBIk2EGOGgsFsP~eAa6)D*f3+2862H8D?e-HCx79%Cwjr^Ig-sXuADzUBu^BVo&bLE^jtValm7!5&Ii^wvY{{s5+EjXOi&Y>g2k zy^o6}b34~lnp$i|NS&BHTy_OTWfhK2ZzUmq6+||7Z+;yL=d5%sng$Y`lOI_+EPoFv zojNaSITb!m^u|dI2?_FL%|1Hhm)&kM%)y)B8XNc#z$A~SI63+z(Z2W-boiG9eaph} zl)TCmbnT!Z&o|`K!q5w)2VW{yb$p(}cFDClFpFD+)XMFleM4qNX@-8SZe2F>Oac1| z;?|$JoxQ)gQ6z38iQ~X2${X(>n@N9=6#F2m+Z@gM4-23`^xQh^ z7}q2bPH!{#WZu;43-KSuz9&FcVp%V4o%i-xnU@tr+=(X*{pbgTcMrUL^85%G8T?UmT5W`1a;(8S4Diuvop$^D*8=k?LL&Csd$9GUc$$!__2?#sR)M{k# z5wxN8>a5$SV_(AicihAFviFaRf{JBBW5+qYy|;IMK(0BxNk=;{{OLsr!Ez-|@;LPb z5H)Hs=&LanoP$&?hmcCr2NNcx-x7G=SKz4vq8E?4BrhkjY6e% zcult_rAGUagmk7_32ep}bfXHyyl<`Bm>!;QGvi)o^~+7_);I!)HX{0s6Kho! z@{VFBz6YY%;ySf1Gx6cRw7xn@#N^((I+Rn2EzP$fa3l)DPH{{?M836>><|iHt)2y? zgccj?I%IIxPs!X8nJU(OkKYU`~Xa-$$3?a00l)_uay`6#+g@C@i?aZ4aFnkS^m7upF5{@Dr4MxQg%iA(O7wza^O>bY$AFbdr_g|1uJIwoy3$`@6==6>pv2x7qNl6=KcAc4~&o8leG6M z?CTO<=lJ1t(OpYo2FSyyf>|$Qk<^wz2Z3wN-`c?S>|MF0I)GtVloN`eEXE_Cy2#CD zWE+$Hwx95@^+o+9MJ57lUL%vfCgUhK5SDUz!y#UXTAx4Wl;u4;L8G(`yq?<4+#`JH zmoEtvi{=bOOI783dMe~CX0BJ~W0hX&te8cao`;$dfvyq9E^YK)rM@=b;NaB4Wp8S% zD_nQC1SOmVNt#9)bGSwh5{!xpYw6ms+FUA)VBGGtx1JNgG(w^3Il__x9{338e?= z@)AK-77FtArXB_=yr=$SpufACiBd^dRLeX7k0>2W5Y^=`KL$RG8-IPPXWBrM^4IKc#G*=_L06BI$o!OuUcA?}472CaDz(>+ zmQ!){z^if;c65;Tvdwj1H0b4-!fN|35p1EpVvq3rtG(rtMocXRlwu{%pd5f4NlWfg zW@Efym-EqX|9BT6#{1FI6&L)jadPewtS6H;XzIJwY7z{_4a_ufk8 zG?oe-pVZO1=GNAO|Bh~5mfg(FoF*}cPtwzbZP9Vgd{WUEse1(euMxZFoW>3IyfhEE z)oq%G1o|oe2WRgI-g)ie4gK*LJ5E)TGumdS>ap5c=QLt_y1h*#Wq;T z7tm~ooDjwZ&aOXnk|v{r0+~D1nlzhm43_~KdUF?Wl>N8R7yQC3bu)64btx*QOr4+k zlA;yKF8mG0!(Lq~QLR>H`w^9VRP)7gRRkGXD?uVrScE0PH8DSzkTzX&t96v%W~pIx_6d#i`jhp#nen^u zs^sF5X7=NN32Mgv+S~HjV6kFz^rpQ;vq1uo{(Le&!?Q%Ueg&`@f;a$rjU`ExkAFK3 zXf_e=6)`_0qIA1W#x74HTG|C{A1@NXO$9o-9m8JCrYUvjAV#qgudo>U3*p0K6wOE3 zXHCZ}pwY6AK`;y#`9|)GP7N$58;x5pV(xh%@Afc{AU1&@_t8X2mDlf=-sXeb-4}q{F(L!;|rRq0ZN2%PJHXGeW-Uw7N<1Izq z0X9PP+KS~%(}SYfYJXAmF?v)qvp)sDCN@^KVEC#B;Y((xB63Zek1vJ_%!AzdCX4n# zk1^ayQZ`{4^5EbHyix?LL4QDQ1@BxgZ+G#sq7pbJoA23l%7r>7WPma{=W6C>y{YD+ z(4VrWU}^YsVovMGt#KVHBcZZrt@fxhoVM2|)m(|{Es;fwn1)V|bgH z?!CJBo|Y%v(P|Zl25pqbnS-A)xxYN}9qqGsyjDU)@lGg!7yXVNbjxI=1Yz2oG;8SF zlhV-6jid3$2OOpgA=>^J;HrSorF8gHV9Inp1QZhYfTOjlMi95+)HGmF>AB&%QDbNy zk7{JZG<;5|#1PzSu&6i#mtlH=3sDm;9w0j7=S<=2ru0F!6eK%c+<41TU8s6oZ2;z zY7Uy-Mfw?f9onm_28`ALHkLed4nezzoXyBH)Q~tStgU%YPoMKb;uE|y?g}<1pOp1C zGQ_w)j!?7YZh&X_+sQ3qFm*)wGts0i2$Aa~sijpIhyG+bdzsiBM_f?C_U&_X*4p7` zrgR}PT9puwy9a@WRahfT>Z#qnc@r?Yu4^f~hcylLknM!q2a5^{mgPYR{ilgzf57d8 z<*2z9iVTQ_CGyxzJTFVIW_V(sE#eEQ*K}_MWaI-{eKcVgCC?we6J@}zhCm47u*!Dq zEYPRM*?>)8Y>vfeR2xXpUB_anYkOp1n~0j3pQxI1d9#MIYnTvEcXc@weLeIyHo%&T zFc^&7P)tAzFz2R_;DbZFfQf2LaBj$t`HtwS-dj5(Kt1w0&;ZHU`o7oU=)?+=W?k(q zc4eWoL`iW8ZvD^*y=nr89ctXdeDZ}?Zi*l4+1(%&hXmgZgghI!V*T!41lAd(!fKAB84+n!|;hHRRIW>6_Ek~P| z+m`gY*j%Cw*bV^Oi`CF#r6c}gF#E#!Q(#*rwOwj~=iNhJm#?@`LYmea=Jg?!rA;G7 zOyEYSb;?9xs#|>^)Ll`>#e(i=QETRRs(5%V?q8*Z#A2?3afdgr!Qk)_d8l$e>FD4- z?N$CAIRHkEWV0<)G&PK+;k=>1l%rPxnTQ55C!4=wgBX{`R4Ath)-_MU6?@D2?JWwu zDa+<3+B{@Lz21Ya+huQJM0layd@Ln0XLK_gI9nH?06XQ0IzmDdb0sh1*-Tq?FalY# z`z%Ijc29_;fi{DHWt46B*^K&6x~&|NZd#c-M|PcZFGjTVo{nsNUh;Aft2V``nF~`p ztB_=e(*(L&e{|y~~^oA>{64K0#2gm9> zlnLF2{hz%Q*@meYg^k3tl^Dl)7F%I`aSyV>LeTYdRa>01d`57)6BS4~8@KdR?EF#F zIu46of%FFfjAlzpWeU3T4U0Tcyg56&DG|R^_!Jl`Xn0-N-(&v20PGMG?;~mrDV7q< zO8tdP<=FZ%gWsr~YL^VbK;L205fQ%SgJ+0ppQw0Lu1T6H5EeG-sE9jDu$r!W^O!OY z@6PGtjCo$w;#eZ_wC_6^yV?o{L}!D!J4LHgBXLv$GAX{*9`qhTw{1c50xRS8o%s}l zFn=mdx&p?_gvib~Sv;JO;$miDJ67<1xXRWB+4%cQkZ5V`6p|-bHQ=jkpYmx)uHI zSxfaNk#8EbD!P2I@lwGogix&E_t573Tx76Ds)#j#(Np+e$@2f{?F7jSCpFq%lzfJz zVB9B)GkPXwYC_fJ7!r8{Yq~Tbc_04E9Z^Tx9g|hnHE7At8RZZ9AN`xBpHls5I;A+J zxfq#lcyy@noSZNJi?WA69xPVjq_jr-t>ZQf-|1`KDR-8`V0ZlNEw{jV-gP()p;z+E zcLO_G_P=Ayf!-GL{jrW*$a%7E+MIO-szdjJ$;b2RtInCdn<`iCc`~EH0eE*GCr+nl zL}gYUOF}%qOq=E@{0yAvFDpM{kPcP+BEvF~511c=e7p!QlcE4ohs5bjm$>a|a}M~m zLU97T8i?$V#3%=~MhR=IDwCghh&n)zXsEwB8w}v$SkRlcC@gcvEDmPb6DFlQKF|C~ z4Aoeq753T(JsEss{sLOLIh8?9ojCxK`xh5~zH;*lyb$rcXK|j~Kc;rKUejKIIWOkZ>hTdCtW5u84#YtRLkNpGk*Ug z=_PZLjMh+Na$#8(Di%FLr*IULSg#WC9CgS%w_WyddD~9jeyYgfiOs>~N~7m2nUykE z7fv7&kJ%1JMuwH7%6++|D=3G$$oHq9zKIKZW?oX<9TxkmgrKzab$eQb-WK<75Se!F z4u!~Hwd6e>isd9P@qz~ygMTi$7>xj@q*CI@sl2!&mgIp;<~KZ3XU@Woe^83rf71j@ zAGUPUU_@UK)vftL`8g})2bQFNGLBL=-$eWvYlwgHsq=a@z|=ZCb5d|lSbm3 zRpPNv1ET8qeuw&HCwo-+StZq2TK5xS*C`L*Erg1-$zBD+^~r19M~FYIqQXqNWLTWS z`X~$rpvGYeVZ>hi@A3n+Cw0okz9b(0LGM0S5xROqDQuhlRz!)nXv5fCSs9#6u5bLU z2{n?fG3=B9{A`W69|ALDrmlX0%i;7cbDLy^ol}=IQ%;2`S{Oc%p4NLzRv>@To4Nv7be)G!>BF z&~B)dw^ZBTt8-d9MeNV<31?PZ71{{-KYA8;qNyImO(Dwx5)1z2c~nTELO8d5x_a3p zaHzI8tam~0iSjqg4096xg3et`3A}<3s6vv5b)l+~4BX-l?J6)pG9B%v;}!w}7@0g_ zv5$i=Y84lSDog>YvR=$X1jLa<8$R>)T$*mm)GG^lPY6i9UgB(0d4c&W)vNO0@%7rV zW#Fp?g7m$LZHl-EUOax}E4Jlq;~P^o>B?WC$DP4(`{kSCJZG+z>Gs>7Dyrm=R4ap6 zuKf2Wvk-4+3Jez)B_E8Cg;ylH0th|@0#v5O`Dgbo0X=v_G_ZvU1kNc97~7jZcBP9f zf8!v`0AQ{N@o{i?=_z1U5P-=XpKNKy;uI^JJ)st95M3vM`0Oenh>SQ6GyyZ7EWy(s=_x zyznuS?VJSDsQ=C%+{l*;FL1$R0epaUSGJ+>Y9-9hm!OTG( z1S*9N3M)znt};WmzJ!XN8B!8Y24&}8kNA+@TZ08EIY*)nYifC9$W??5t)_MmqdDMP z&$1z1$BPZ>%!xO@)cvz5i);)n*O=Q`Zu;EjWWHL>4(NNCS9s2G3R|uDd*`I8wdz%! z!ksgIF_!SZ6sD++J=7$L=R?MLwFS|aIpCVEO~C_dXfRl{%rZz>tkWX)OED()EFlv= z8GZbBC_V)JAO-kP)Q69ozRqb3>q7RikOY+5Aaa?Rg1K!XZZ_*(i2baxAXC-tf9#cduTn9ehw=oD3VU&S6mNgD6N_Xo%dSM{(;A8I# zdfYbiEnUMoa1a7(mNuyc%e@_Z%G6)aSwB@Lx-X&9(wuFTLFdQkwIWI;Tzj9&=(+KK zV^~9@oe|ueZs2Cny>C0e;!*0_r9li8-=UzkQkULkk3I00eSlnnw&h5GXna9;&2D1RI z6cELwNz?Mp1X7NeA_41cf|b&7EluC>i2g`m^E3h)9xPW2e*-DrhB`9}h8+bcW9J!+ z-D7lQ(b^~QxMMr%q+@iFif!ArZQDl2wmY_M+qP{dlY8&HbMMT&Yt4MA+UGf|*4evi zf2p{Zb}OgxG{xMvp(9+5A)UU*zC#U<^t7=ART#r$!fadr#s=0<}^$Q`DMr`fWD9f;Z{ zaA+t3QMyNOhl3vE*<}$wAyX%TB#{b;>j;e6$~FsramdV18K9Vhi~3v_W)YatG&nw( zC+jQw%4*-{-|LX()81Zku?UVt=uNr|)#xrE!a;HkAd)fN>p9K0@+8I2wfPFxs0vLY0Sx)b-t}}5zP>oO4!V&fdjZ*))(O^e%sy^dQoF8h(h}tS#EWyS?f*)p9 zo``rJvcPOBF!j)_r+QN?tYS8=z&Y!8yV6cs zG+AHWrO_$-o;`@d3u1F`ih-cdV(^Mdm?k}?vZYrT`JtzMBw=Wxo<#G;qtm$`11EBJ zT~<?1+d*+Z-yQ3nS{0no!MAR3ap2k9! z`AQVe*2CT84B3FX7vh%HdQr3^MVz&AVzrBxD8YX+uyV{dO?=M0Zs@}b;2p1Vc~ju6R#pXS{QEyJ7!eF z@o31)*pv)s0n8|Z#+Rkvw;JdmoBKv(b`iajk$|7k9Drzuk!zk0zXjTI3j?e(8nWP= z;Q~cXf8LQ6T#)!v@YJb{@#+S&3<0iQoH0>Xz;N|wzII{*smmRbczJ^LqZu%H&M;=di$Y@|7{t`Sigi{~}A`bV+ zY!Ll0>_I6}U~zC(;nVa*MdAtQG>?=e*Njdv^?fvZoS2!mup{jFi!AkMJrq`q4(izp z($tX)P$I?qy^e?-Yv87VE*AkD6a(uLHKjhGW64e#Yxb*FwT*>^WB%c7!WRwo)VtOg z1kvWy$2M)udg7d_#w(ac2QO&aSv=xrhjs+B#;pymJwiLSRkc=r91YvI_h83IGvOkEL6VmOM<1%y-Qd2~VEiOv; z?y|`f_BCijH2>N`_{6Y33o#fkvqd@WUSf+;NCKL>5V4NJTA&yuTnr=$@)ng9mN%Xw z@#e$aV@8Ms|6VS<`E;$Lw=dJO8k81RdibEKiDM+>NIW>2kc|s^H8}1y|9;j5Rw3zf zl-{egT1G4;@4u0_R{nwn+nmg+u9+>8_N#rh*K_;+zP26342(xjsCj2Yzq%upBDO}| zvM@Nr5#r!(QK+S~B9S`F2iEsC7OtCH#HAxY3`+V+RzF;shr&5m3XwFs2FxPpg2@P7 zIb{e$yYhD~!UgzxancFj+vXscckXaf@7zIlAy_J$3y2;ZN^kKZ%E`$mm;IfM(cELF z`Q(F)p0tUiQerc6Klg1b#@XLVQRuH?ojuI(no%{Fl=aD z!(0-?w41~Ciax`KjZO=0jGmih{7}l=RX5)1K#CchobfGRnXOzNL?JjHUQ=oc*b|m~ zGMS+YacYs4PtnFo=fKtRbC^(&qk{i$4Nunpa3=p>hNqyEysU!q|6zE_8<{x$_kJfG zGwUyEdRDq$bhO`+Cma2L0-h}YJK)Jg_n&|#9WylGA1tVu0iU&rrO~f%^zvVPC+j!l zsVZt@W@762i;?NO{BOOJ55Nx)00;tv0KxzffG9u=AP$fKNCKq(>3YfnD%~J0jL7h0P5e?r=EkOk-eFN1wbF5uV)X?x7RZ;vNSSw{MX3-9}oKH(89>^f0e(- z|MP~ErKOQ0zyM%iV`*dk{rX>K=szb2FtRe#b1(%MS^w+J&PmS_VB~6Gsb>W+{uV|5 z7bK2*&A8^b9(+8Y@G99?VxPJsWLI|aA{+>PvQD8BcJjkTk& z+4pZsPs{ud;`IMePuc!sH~w2aWn}rcdP>Jc&-%SR{&n*|)l)iVItKdxPxZ8-$-%Wy z=b!4Sv*nsI`_HwJKUR*GYd_Z-tsIAhhZ=7luDp)MQ_sd(zQ!|nvX0!9H_9$c)mKBy!G~d{fzm+w{YZh7m4RRo5D;*|dB-<<=0;}Md%<}tipu!}L`1%_lYAP1 zBDuamU(QY}&8&aqyua;0)YrIFgRi!{7e046D*}T6)1dSErWV2>{(97slMv>E=A|yo zfrtTF1j31?e(tQ9xq>s);NnZ(v8FL82(M4#&_$qrG9iF+uPQDwe>v$9+M?! zHdh8#`bTDaz^_?K^P2a&?i_1q?O(_m>kf1ZVBRF|Fr4UW>m4AP zfw(k3!;E0TQqwgUH}t1mp;-* zJZE6OS!^zR*5hAdxukx}fQ*ZE5Y_*DOz{%uawAmFgYo zYJgI(R=#rud{!3DCHk&Xx4fsR16vyu3#|AR7pDX*?j%-xzmW zW6w|Qx7D?8?_Yr*7)WD2m0egZtZME+jwx8FscJwzTVFTtN8(pq)1u3%%jutUB9t`3 z&P6^NS3cOEep27z)t{7~Rc6;sw_mDXXUIT)c)Tdh3nU&Wow{ZB<*>=@=j*W)cA0+M z=-07`A+y2@c_3fdZ`xh=*FUqw`<_-22aB*ar<|t-6hflC)K&v(xT$bTHx;*yxcv~Y zqr;lBJ`JFQ7#6q-yx_ zK)mFG##M=_3*Z`Kh@(KNYwet18O`3z5iLwV9}nAJ!5MyWb8AWCQh{e9HQJ0)h}A|E z=gxWMkC5$`;UxcV=g4Dm9}M}e=KIsEwL`UI=?X*H=X7$mEeA_$hVf`nDT36vsw~z6 zh7OpX7n5(;gLEkxXoS61HGX={BH;tL^M|3ae*!hTTEnxqai$e!pe*>KTN7R5bvLe)w zO_(hB-kR#=&@2g0XH=640jes80FI66gsG^#VQQiWJUD~;Vt(L z7FAoZw@Gq?`<$cvug4kuxDt>LI`_W&`O#TG0`_zfr@nY!dQA%`DlLgKD>W0Y^G+LZeoh!V;A(BS;jZ{fPI%ksk9%yC$&~dl!ho zXawqlFJ9_j!W0wUp-RyaFzG{@$24HUkpsfzrY|m{%DAVuD%>ke7fbbX*_IBbOoSwZ z0glL4=u!Y9eizg@Vi_jb(7&rOeDdN!Gc7PTn~%Ks`z-4tg&#T9(MO+8?ALWPVMmvC z#Nr}|$5{=2`VA#RX^NjjDKD3qPA0rg;~^1 zk*@fq-|+B_-6Fp$`vYGk(F@!k#aaJ5bo?9sUC`v#nT*1G`<2tHs~Jm9L9=+?kODy?Iio$7 zLo>+loqA8WCO`NntlhX^9v7@kH)@5P^6=L%AERca?ED&im#3#+OstWSluh7^*YjQ& z_L5)~Q~EGUKVWOY?1xen9wApPU!2a(+-+$*!hLb@n{-A&m9U=xxQ)LX^V&-r3v*?Xe&*C7=Yv-;G!w<3Y#a1# zKpu=1&CEc144&-3$C*2Q@vu>v8_6NAZ~dgil^*k@HC_cDZQ|Pk)BMzA*%dg`pVGM6 zo&?u4dt2`qjJB{$f;;T#$2v<`jZE<#s*A7~rcoy<1U{9`F);@J*L1qC(VoT!*#`!8 zrxkrd)ms~u1C~=;slGEsT&LFu-n}%Nl1aholS;-lLuO}!>|9-8A>p$(9ZWUdINXwr z1UwLot|Yd_!KVpHzr@G_thKw=jN0kPrlL_3*i7BMUfR8{ zeTlD4S>dI!Q3jzE$-n9mHA`)pR}2%Tp5QEVb-M0pOyy(8sg?W0)U_iOPa8WAna}6b zVPN_}Uceu&rx~)9ypT)}z}qkZ1I@R_`Gqk-_~g7mtK!c{GATd7&~+3%Ra>JltLIvi zdB)qMLj+>kM7k(pWC>kaP;XCmEAf zco5Dc07@UKL;i_W&baIEAD?CG+(YjNp*~t65i?2MkXVWAK!K_QB*%4{SIX$ zl)?5$NFQ2zZ!-d&B==IepqUzMdDw*NmB*Xdelw6N{=uQ2a#sYtfA&;)*(IUi+{IMa zhh8q%tQL8u&xWPWuIB5w%d6Ew`Xl=2&Yq4Me)yK$#mwfd77-#v)zN>}cdt-EMc(z;EW zWy0-Uc?^Wy#1Q)u^pQX$nkb^Awo&DWOjeKD(J>S@S76n0cJK~bV3ILOjV^l$0rQ8u zMA$O?T(S}Z$KI4E5zFGw#7$(n)nnJ=P?cY0N|8s+Z$J8GU!lTq8a6RzXI^&8dL}Wy>NpZxA9?BF5I})N8H!DRzb{8vA zkD+Rmb=psvc4qN*u{-+YD^PUCPVVOQ9PmVB?9z7-)YBaV>Jy+qelmJ)fVUKD&>Q(R zS6XaqoDubScii=kd#{ZqNo`Rw)>!bX@4MN_9sVX#BKo!b70H`QHS*-^J|PoKn-fy? z^VzE2VjR!Alpvf$eVXy_t$Y1J0n1?xm0e-Bqb{&nC^Qgjir(7I5oxr32xkWb=l~--#36EDj>QsxJp!j-`~U#$Xos zm2Z8$0(ZIAw6LT4v`HBytP@yNO8`w9G)#SKw-}?lh+KBlEc$z9>DdQI+#~CxzZfH` z7cR*bxtJ7OR)&-Vq-ER*JUv6J;QY$aurXFZ=( zkc`6sr}fmiYxV*G5(1);C?=R)J@vAIeb0^o&X3Bn_})j{UL!ir@3pW4*=L`*_~ewL zz;RlovJlBm6WMSrBgUXBHv!YFO~`ONVmEb`s=Q*2{MtK*e5M|qJ*(BtgU;22G5DTH zmBF8}+FVm)On&PlNLenM)sg{hR0BX{Dn9+k0pUJJncUUQmNzKc&4^xpvaH;@0ep~J zWUV{1JQa|IDIw&VWwOcIAleawdmJ;3r;%=Uvo?6gV73B(3q{Gw`MN;x@i>_iRX52x zufEUJcP(-v8Q&=hh}^?RNq8w(+44LUL9VFv2Zu7LYCo^ z^-+whteCpDxfXR&Su7Tt%L}1UPHeaMMasFye93k7;lR3$yn8VzLLgo=X{NRb27I}r zWSP{`ISZziX|8vOVylD^H%!rpxQ6LjfV6d{2rs=mimD6#@CkD?JrVML#E3m4b743= z0tkSvZVZVT&**Ey)G`FeNpvho20?6*Pul3hp1BW8PNnyqL_cGws6*2VUMw#hkREMD z){e(q8{X~YSa}pF9s;h=s^x8o0$bw z2~KF)x8cLGp3yR}wBv(H#}nWtyCG(E(LW3cQol9ZILVt5RapRWh<+)jnmXj)2# z;0DQ&`3|F!!z5ba9s-{p`Mz*l&JkHSC(3N<$S{VHk2hA<%piDU@sv zjONEFlAcQ7#c7AdvD2w)DFQW0bZY8;+`3Rm!;|VU?#|g=Q@G7Q6qnEBWzyJX#yc3& zTN}JyIcCpAO;u_DJJF@=RZMWtQ6Zlt@Q8Rq&t;NC8P(i)Istu$SY!-n^6wDt@MiU{3!#9E;4)f;u9#_7a^-P z2$51adExspGxIW}OJg@oZ1K&X2Uy3hkzF&^T`2;KXM$1f& zS=>_$P$xuxj0ez^!6IQ!%^1ALO!nDyYi-ao!3%yfe1;3Cl)2BT>RzQNRHL%Q>{h)9z zj;Q$+y!VO-R4oV3xmQO}qJi^|()$qlXLWHkyChqrXQ&O*du9LMG;s6brC4q=@ir-Z zCTzra!}3`Th3VMMcZz4Z7f9-#7)reWkz^e$Z4^vsNh~z^3{=nL3Q0u6WM??d2oyTx z>zV>t#t{d_=9NQ6=>xYOI3&}Es-(5HQdD@6VFB_LOj601=zaDdB)a?b?H zJ?f;iI;RH|yqa)f0aBh80lGk|VUJa2@gYR0;sxUpDTjv5!hq7ReF*NKIIshg4sW2{ zz`$PUjU)+(yY`4w*9j+a(^g9aSK4XVkA`#23{(CR&WT2K$G3!hQ51`38jg8{M928U z=j`uhZ@U=mfl@li{n51A(MgkfzPnzni^ojE;s?(+vacY^BrvumHO&X7xm2r9h4aMj$X z|6JD`$b(g9z>9^+s;^Ru%rrHFi9z$r?M8X%bhmkMc%y~so+AS8y(F?)yS`?u$1yBg zPk6J}i%UxIr4l*SU@SW4Z2I<|1(27|LO{!atEb5kd0N1Gn8hH=aLI_@pa-7=|<9!v4 z8jB4f?fI!J0zHL@=VLm(ja+x~Wsz@gF+RT1!-qBeN_6>sshMKs)iq0MSAL zH1=m;lknuG4V$cN7lp2C(#}$Cmx&qL{L*-g{QQwmNFaQh>Z|IoV7arATw5hNZi@|A z^p9~05lI+<=noJ@fur~_@qLHvJ+ZKsjSWgRw=}7^cxMuI8kcx0N2ZCKbeJJ6!S$O~ z{a9{TVT=}G9N;a$nBg-q^!iY_1?!K6vncF`bR&=O)G3_h zxbAo`zJeqp+M$J7$~;Ws)JD|c*kA=Xq>0yo_*i{=)zhXR7?w+x%rqk;@&%9zIRE3VN95LqAW!sv8>88o_?PS zYEszoRAKK#SiaCW+GkkH4T@Z9sxu94eXN7RdSl>0(FYR-@fF**{%j2zamx1<%ABuX z$A17!$xr5i%X`Bx$o`wHS5KdLjkAA)zkVeN1dA zHq9^+G;GiiV_xKMt#4mwA)!_hA_qQr;+6t^6GuD2Mn;X1wr1QA{yxZcA{w2gFXhj& zxH3pfKNR7nX0LxonW5h*QhE)pFF^Xo-uZ5x+u|@xMqTlMdM`yUSqPl~+B~yyhA-UG zIGyfRLmFmNsLgntN3P+TY7t~ltsoh`q{qu>39eE_E|*qc2pJ1%0y90xifXykaF9=e=`@Ya~!N zEJtfoxDZ5oA@GOZyisG9^+|GXhsc*w1G7MI?q@qsUE8hYtxoL|CM07&8$g_?p_zY( z{}Fc4N~NMm^L1Lf-525D|7cb$6;9^xn^rR@H5gKjgCyn+CN`dCzt@?++%+{){up9( zq-js+$W`+$SzwIbw0uE3usL@fgV65JWS-rr3fZZS=L22c8=K=trc2@(G-M=K>!l+C^ON_d0j9Aj4&7vb;bO6Z=tx1qM- zZ^CfT#jrZd^5r^f{@lI}`BbkA+z#D%ffPpfA1Ym}(8}R()oR)^+B@=Y_Mw2yYT>~%+%=l4bSJEh2#h$SZuB_~#|VER;{*aS6R)u`kWs$$oW(6cXyvW^UI{F zs^(2S-ex|jLL7Jj6IyCt$uezns!R>4oCtY4zrE;hM-;97#Q<>kOglz##Cu!kY1CvX zHk-V_ng?b*7x&p6T|9Bp?Lg=6<2$pZQ#NmqCi>z^kCN5jehA3>E-nmUpr+u!3+Syp zrPUtuAkUCS-zS5;EQ##*e8fQlgV6lppDLgo3)4x>UK}G^F{Yhb_eeqZ87AYkk*ta} zX`~N$LZeXIylH8FH2xBB?69H5#eL!WoCTP!W|adq+|h`25W0I2qK!Wu&WJ3Y^YF6# za&s^55;7E`mGT^ZcyWu4LUXk|(arJ`n=^Zx>(6GO6z2lb5|DlaXZn-EU;YP86ZkhMHHpIMIyy!7@YLWAJrc=$7RBe8hkhx`<8NNE|Sg-1v+8&5*Np4-{bqSP1mDf5xY8)C( z(`0LS7mVT<2SeW2KtOF8Bwe`M*+V0fBKN>6C3Y8rHZnwudZWR;BKq3k^_5L$;7Zzc z4OshgrQ%cAXapz*kJ+Z7F(+lw*Lz$VH1?h$5*Z>aIOs?;isV4v{nRb}O!H@Tp*ioF z1KG3#-dOy!^qm%6Y{y*_d>@FJ-&v4goPTSJo%-3Iu zflwLGZQxLN+ODuCSsb;~k=2uSHyO7JpQIni4`W8$tAS-IGbrZv9$F}AxRS`_y3nO^ zh{7`=^I#dN%W0oZu`P}wVaG@dkY>U=9<{nu{E894iNW{S1`l~A+5!;N@o6)^_7y%a zWKzG5u(kZmI}x{HfB5Ocbc_N~$?pfINxmW|g2~QAPvK3@?oz{`89#8fpnJQ;__&A)v*XH_zeLO;DS2=CiP219eo--z( z<1gaBMx=U~MZ<^_XI~kvSK*>Np_N$vPF7(HmVE1m27cEkU}}9abVK9ki_MqhQ%9N% zZoNNdH_WZ5gSvT`Wi!#v@Z3~P?jmZIwsrA3z8{USc^ou(z;T);3FN{h#LRx@Ht5bD z0qI9@JtpvY3X}@!r$ow;P_1tgT`9zKP`i-#gEn+sK^M-oXqcTKmb!g}B&9*-OZ;TY ztg3XPSklpg^Kp*%&c2?*9AqxOdYA~}Su7SYo0Dw$Xjh{M|LCJLFy_6rWI-+f+|UXe;oebtEZ5%px#60Go+su zhq_KK8hU7!=;_Wyd+UEP!|?Hni@WUL6V6C8_JyS^j(V#?^%Ov4aTfx-hDz3T&_h2;|>+4F$16sVpozlgo`7`%p1!*$~p$JCQ9L zgxC0;yj^ms`RxXTGW)*)jtwv)!%Yy{g|4mEd_LYdTZDb93b-Ag>z&Qk>aVaAe%XKO zu&kQtXvh!9qYlFFGEI8+UK(Qelmm?1}m7vX!R_7Pu#$j#cFZR9hfw2vw9 zK2U8XQ#G+YNBz<{xaRUm`eiO5gaG?20qj@+Z2~ zWpg?_fC~51K;92#IXzWHnOk7&E&v+>3X1@r6rYMRh4~ZG-^UJLQ`n6$p!3$hKVK{FDY}u6bR2kzYnQ1W zNV}j)bfYLshCyG_A5H6t^DI&tOG+eMF*^#uuO#?D$X)AXrpIVSE%{R)%pTc+NiLd| zaO4eR1)NyrZqC04oo#q9CVBms7k3unP-*_zAM;eO==nx&tp z9s&E8W*pT=7IvATT^C4f&R*eatz=JQNNYKSR zYH|eTa6A!!_#+5ohFDgb%bKSpy=#XgKa~^6%8JAJcz03@Uk`20zg=Eq^kh5vyqunO z8Kmfx$t3&*t66sCkW)d{(%$+?FS}K{aYTmQVNo-hu=s8mNC1@mxbC_H4A-a6=lykhgA# z9J@x9^@A=8kVMXjP?>J!r3;>%b~DANuXI91@bEGVm(lUH-I{dHN`5Ku+R|%JB;KU# z5;2ZHuJdj;7c|`tLo%~Hd7BgY6@V;OlHZ_ z%)@lz64xe53TCiKbMydc$!Cd#gSFJ(V|g7SwY#xU!j)~n7l$Jt^sgJ-&P7i=RUf)H zsZ?qQhr+xUUqodemkyq-7P&a&jiydAQg?PhLf1msanSPNKn$Z1T+74?H9{ymI zBuWp5plb8&oXB3C=9}gaIpN%$C3x^N=_4EWCy8|Oe-ga^7;&cWvv_wMT>JIFBr!7K zr`y(nBWx~U5Z5!Co~Wu6Q1!sITLLb1WJUJj6{;DS*odx=v$qH{wdv3YmFE=(dS`G$ zmk?z-9@^FpTY3ALRr#T42m7`w_#DcSsIMB5 zy;u7tP8`z^+oqdn8}VnExz;zdZC(Ua4OW1pv(_sJu?dNangIV~^9e+H2r!p&6f&eK?kEp7L~XYR5FfReX#F!s8@TNMrOiAyx;TdXQf zx~cI|Xee#|jFDK%MG2sin{KfF^4Rv@f4>!W^I3gl!WOba8us7*Xou^1c#DU;PjiAf zgF-4A_7WPGJJ;t)H(=Tee44a(-<91AG}fnhMY%m+oN%8G#Yf&8HBlxA)v`q z{;u}{m&5(Ekc2;hl0`=S^?C_SBaIDH;U(eJI)iO%cLyOKw$wN7qZvOFRk)T&-wd%O z@_gqEx3P2(r?Yru(sJaA=71icEKX0b95s+7B$$$b!m%zF?rBRMHWV>MS*X&MoP3Rm{SxP0Y?=A8Dep~LlQ za}Zfz+!70-WAWCfgP_jPe4pz0n|Jq`^MO6QIFoJ?VIyQ3yj|HqKTJQwkqG?I+#|MR zKVkWk9p&SWw6JjO8C8i2l}dFkIk0G6U#Diu+$wTqvm^73uI z10L+CzJKLlq0~$KDR;N|2Q;P92_Hyu^s}D=<6;}6TPxK{>F5ZA{RVyblZ{v@a^m6P z2C_nGqJUDm-`qtkFf$m~f1Vj;GvuZ#y|5QQJ#W0c7?&`&-yxu@8~DO{@VqI1DZ!w< z|GCXC;<>i;&QhGOU^VvL@Z=xrqs;PNZUc==)&adWE7)l?)fe?Q%vhTgx7+bnClK(h zxz=ZWn$&2mP;KvO5q^snj+>K-ak;wUel{-7_oxhxjMu z^>N#}lhFb6yyy457T>r(JQ`n*BE2`k}ZW2M%mjnIa=eQaTGCbj= zSW_L2GM^lZKo6-3+gwqY{iCPh2yl&vTdck4?oX?bm)tp(vOpU8BLOAX1D7TE58-up zO3SB7aWCyrJo z;Wci!6Q@>PcZNJL`-GUkKv}*Y@TuTO8>Wy)j8~P}ywVJVLkMoA#7TthGFH+&ri&Jp z!A0H;hLJwc2x;8*<)ReaouoLyb>>ZkX1 zAOG2rD;AN15Jd{>SEq^+?CddJ>b}O*yRn{ZQ0;mzHOb65#tYFhH3K~O^w!?vP~L9@h{*O5Co6LN zOh5bkKfve16(X@p`;}#ddYG+gQCl$4iqBBxm=*I90v6}Xwxu#ALrSeqvQ5~vUaKlWMoX@3YQ6@i;%)~NGS|D)i9du_pYfuA{`4HXe`8KP`m ziYd)!xV%#Iyfq07pOH9>jhsoELwp4ztOqVL*@44x;fkiXL%#Y0HF&Sxk#n;GMlgb<`OVu@iJ_OxSt8c z%7^e}&8TM$F^Ei*SYXHL21JoNz?;hAUAuo%3LHtAe}gHn9+f|&D$VbbeIfFcV~e%8 zUNnjr+S(CvE4z)2jJv)9i{+d>42qlgK+z8aR0lr&|1zVtR;w05?y<%pIQ)!O%jmnm zz|NHtUKFD?1zH6tk`H1lzNA@@yK%VotYQb6K-H;_u8HsNn#3k&^}XSD97lZqA;8Sn zo3)Ww5o7lJG>B7MJ9PXFwv-g$YjtT_Uvjer^9fb?C+r@x$UP%Vn^@E9bdv~bW7wEw zN?6&2Wxc<;bsN2o$Fr+edv>XU=7RfAUi^(uUyIBiS;nbl&Msmj+YVRG$u-juz(6m= zg8|1j%LVtOrH^v>8Mh-qER3sY$~wSjzBWkQ9{bxvhsq1K;&&t?e#;$I0O8{g;Y%zs zO9LAfR`0Ux1dhY4zU}x9kZZwn^wOYPH6Gb%_)aRD?t6A1PM#S9RceGAd!NfqFP!sbGEuxuQ_2TR)#rp z4;Z=GtG+cu0Smgkn3$}#(;`nxJoh?s$3PvU1+hE;r9N!L zej$xlTO4b$Nj>xmlaE+>W>%1tX_LmA_iNuLRjmrPL1$EnZ{~*W5WjT+n!$v?D0Yj0$p<+KswNu~;_zI%7B1}6E!dVlo@W*(traO32X#!566@R8QB2DBBZ z)NB87Nan@=Hy&lM$GbnTIekg|ASv=4@jF~s{UeZ?>WU-2r$Y%Pz?}YO{+_5!lA@{X z-!jHiD(gZ%-|@`-{s=a(@Mq@< zhR_>7_-37s0w~3g0#94~zZ4}s2Sz>{j=(yE`31Dn2rrenSS&2iAUODRPRUy@yiAzJ zzz9EBAw0#IXX*fC>RBt9zTe>(Q$eN?rs0j-iZzL4I1joM5SAfJ5Ho4bv82j_C7E)%QslCyjf+t3exNGmbD`I)>eaI6yRn;ShbVGmMl)$3Qz;z*~ z;}>)POmg?dQo(A!nGGIa<#a2QIdmX}*%p`2CN`fY`{ude)BU|C7iKhcgsYte;P9|g zW%6}LDW-oOaMY~45ycYb*4;nKdwVLRnOHST>n;LJ%FwYmn|jwJdsnm@NlMXJR8ZX0 z(FCx8R0_K?-{N`YfXl$*mbQa&QWWbN(D$dHg(N_egm4yAFQ_i0zAW;i#BoPi#=mlf zRUqZP8}#yDboNcx-Y$h-=hB3I>~DfqByhG&XV!~h8`6VjBQWk>*=AgYbYT#t&Jj8WJ zY;7g7Cqh8oYB0J@A|K*>Pps%{`e+quD`4*+6W@g!{832&7FmCn!i%2snAy}icolPxXnNfmMb z83>f7B(?^))z{b`Gp@<Oe9B->oYKLbq1%$zC2Q<&HG&c1oK)& zoz|kxKAH@UXdh?6aET@~73V%&`Oue=_cB=x1Li-o!C+#VceDq52G+Gx3a#=sj!(jT zD3Ua;NM|wg}Vz&afX1f1joVE)G+-n`U4aufRDDK#6$gj(iGf5tr zO{U1Yhp2?+)w1J_77_rN#0gjbcR%h_yai-3Y$-_3IKjeHa96$!niNbtU;P|b3C2dE zFfnVNIew>mw2SF=W9vEX$1Z;@{jC1I#$E4<4PVVG4){sY;)T>15Sa_Q(qb@w67%wXCJD&z9s zSyC|!B>wzruGQOd$Hu2Y{h>wD(2j4BPLkYg??Ry1QF+6vnOod6Qmi8=!aVm0#*|u) zMHNq-fUWEF7v#fg@RTKP!c6BUpI=pCpam%lWf{4}Xj3rl77oyr5~IlRFB%`GogjIh zIhF#?8-#(N{=0Yivu{sVGOKb`S#GKzwl0hCo{Bfh2&EMi`(h}9Y3mss!ME4`s*WL4 z$o%szZ{|kxls~-tu-TttrS^dh`Yzca!VX$8Lx`aQmE3(`>^{AnOHWF8Vd@5^aLN#-1yI@^?%OaWf8AvSsMP)136~#XQYy z`Ku($y1L*u;Aup%pGQ6n88_C zG-%w7Mn&AfJqZTE5O*|*3%G%6h(;ia2IGQ~7*rG&6yI<4@|^DaJ@=0Cntb$5o$l)D z>gww1s_J^~b;|eu?<<%8{(^sg%(=s-9;=u2H{euT=IP+)sJ!a=EKkOX;h~FReiP5r6<3E4givN4xL)PB@=KuMB z-#v2K;eUVQ`m;at_48kJ>B{-5KX=a`e0=ilFReIq=Xc-s%)9;Rk^l37L%;alQ`emQ zyz%w#x!X^-efEjF9kAy^5C7n4cl*GhY!a{hZ>f9@H3z4ht8ymIHOKKtIASI(_n_p}c!+4Rc~p0NE@-+TER*S_WQ z*>lgo_Al3O?_T%(Z$IPq!|%J>JD+s+tYf_OD!i z#VyzGz4Uz-ANhbUAN8yAzVng4+keFu&VBmU$c4t*-z|$-OV4n#|1b2*~Xjy?!v<#^;ggO`ZI@{ z|NA9>{jx1{$L#l}qhEf@6V89p3vRsSytyy`9dCXI9dgV_Z|Ea&d<^jE3 zpZA?Z)@-=!HCJA8*@Mns^5Jhk>qnEveyaD72k!b0n{HqG`?nvq(>HF|HuK9bocH7t zfBpH}A8^+F&Z6Yl`5(V<lY3`=dyDSe)i6Xzhd?|_nYrOe&28W z@JGkJ>sN1l&`0im(K`?S!aJ{g@$R4fzh5q0_v>|?-)}hTPp*2>@!wqbj$gg|TPOV2 zgI@Qf*#m zxBSnKKlHKxJ#hEKpLfFY6CQl}Z=Uj<$Nkj>_jvvbo_NtCZ~NrBW4E4r)x#e7w(rd? zd-?D0@q9{^zFaC%Y9#R$U`r9=5@FH^po$r zqWkGDp8CK`kGSos7ry8h>-Jpsz@NQz-P^vu=hnT}@A2-R-{Uvut@-|~AA8V#Z`l68 ztvBw!{0;Z~=*z$RgWX^Mt+Q9$ciC0Poc8v?FYfu3$9(X^FTM7Xs}8>W#0Q`B*n>{l z_`1*Ra>}Ehbmbi{|L^bJ`tywsf6}i$b=aQIe#jH{eDEFT|I^C9|HTupIpEeqp7?L? zKkJMO=g(iV^v_4*WrI_%z2F1?vGU9>zIyBL|Mr@v{PXN7$9>}Rw_SMRS8mw&h<$(e z>G^fLZoSLkE*CxM;49X=_eZDv=*J)Z<*#3H-WC7;im!hA;XTn}^_o|F`lts# zZr<~P&^ylvW?Mv^qecRDrefsL}yzpzETm9s3{>R#% zod3=(@4aLDNB-(fr|$an2i*PXznh$RuhUl@b=NnZbDvlI^6fvp|NHL!@g-Nk{i9E~ z`2~BQ@~ltqbN+*Ny8h{RJ9DqYsD-`PRd0OLVHYg_@Rz=J?2V5<=KR&~+T(G*9lmt0 z!@hXGo0h(8uMZx1;%w)KH=lOgzhCuF_c{KSPk(*SGp>L4Q@`~;Ke+0>C!f3K4F~?i zvo1X1T}MBSB2M3Y?W=aa>!Xi)jm2*FWp&$GvIKe>>#IN56MC^P*oKcGw5L z`^Dj_PP%pNm2bWB1FMhTx@Nb1F1zIB2i)+^`Lo71e}C&FF{#XC<=KuQANh@CP zsK5Ni37`7YEC2EK$F9HZhyU@I zfv=w%?R48$zw@DMU;MG|PS1JmW!o-(_v*L3e&x?&-Whm{O7LxmmmFX z{Mf-~zVok_{_cb8ulxnMu~+Z^;9XW;w8!0Vd+vL0z4ZKzd%Wj$OCEUnF*_grt2b}I z{kjvEK4P%(VXyl2qxQP^m3+(d`>%Y}F^^q#{?{o=z0>_V`R?^ASAO{sBoBV+ zuFrhr)>ZHM%=^Ck^T&MW?5}+19tYpB=Wov2bIBolp7Y~(zq#}KM?TK~r` zr!Tzc=(@Z7@YkL^%dh#yFZRFn`WL_JnJ3)yx4S*_J`dmjp?B;y ze%hb>=&8G$c=v}af9rEEe!|aY2CshJf8TNIMK>L^b@Pos{mor3Jn^sRcDdi&tw*nX z!=nzk@V`!d$M>(>?U8S}$E81g*XXptwO=^n<~=t(YM0mC=k@=1_tS3qkH7x>)+c{r z=Vy1$zvbD_xN&CJ*|*+w@$vuu&hb^Ry6;{7<%b7-?!a{){lx#iZQTW@>~jCdJ@5LD z{P^)loc>QoUH*uN?(~{-Z@KgbPrm3L_rB=budaRHQ3oFLgO#^^>hu5m-M@I&k+*L9 z;)+N7)yMC4`@^q2YM0;4p8K(lt8Y5(9?$=W|9tSPAO5`Ej{VpTo8N!f7Y@A7Q+K=h zv-f`S9eoC_TlrLWqXOk33=3n~uErci;c^N1uP#vG4iNA#Z=>nw$Rq=&MeB-9GRC z$mqn=mVIgR=S%mv;;sE#uO3~$+ofAx@%i6=^Kq9w<)L>y>z|%}HC68R{^Z{;JL?S> z?fcZd4_)(xv%mZoXWakRSM71Z9oMbg>zb$j_HS?c*%h}ud*#pX|E@b;^QP0@__^QT z{a)AI^2N4V5Tn`R_5F@&K^*s_qfc0QL`y9QE8MV9J%|bQAQ+`H+wt`vh7*c8%$<>H zI}Gig2hDG_3I;R#bSAyJ9>hK!>OjPb5LQQ`sR+@hio{|SA#S%eKMV%>(*SM0b%!-makLsbTfF-+?$P)%XMItp4v!Ad67 zRTTP^MVQ%q(y251?z?0~T*reqoxFMNhE1oy)eY;`%~LPpHM{IZWEMS5s655YYmE~x<;rz5$j_lCV|4{9?M5qZHQ3I z!sZ<-Nra*p>o%M@AFE7+dK0m%MyP_3%TVNk6dUKaZe1}SN^G36WquB-rll_Cwyn4` z#X%}@Kr$k!2^uFoxAo)=8&2M^<>c+Bmqjn81vE^oPF}Hg#XJ>1PFbfSDdxt>=oxwD5I!Bk}HxFqix%;aqav}r$1_nc1$aEP|hQ^JSi3?$(2V!9g=4( z*>ArYAjrj%PH&#<1C;CGTKUs9`vkING;GiqW0heSFJkW;F8)@r-r%I)DAthJ+#e~+HOT{ELpN* zF>3qNy7^l`33TXkw2!^w>2g z9GzI(5S!G#XYbIMQ4!p?>Mc`YK$A}?HezVJ7{#4__m3y}*n?Lea@^BOk{6JMVdB}8 zzkLXtlG|lVH01V^pf5&lzh9QLnI5W(?X)KydE5cVACstEz4`Q`H&2e-=cxI$8(KEo zP&Qj75PgovDZTNiSd_h^uI-0EZm;nPlH(41Y74y!$%JgVisqWfsqNxCZZBfB7>^e# zWhFAa_@=YkRSk~^N!}NuchIv%`{Q`LBXi5s9BjF2-z~!9G{41Y?$6rJsA)cS?v(kh zSX`U8b3U-EkF`2f+tA>nw2zP2uofeuHwpio>CXmPo$1GYGt-|0Z8|gPgf*TSbOZ0o zgKE&zmHh)p9dv`V&kXuub~6Ktk)d2>2BQQYr~jPY3pn zj)FlOMjwtM6~jsRcRA`Pu;EUPI_iWYb7s_u*hk&;?{4~cFa0|lq^qk@2dYi~Kn{=k zas5VvxPGHy8fBFJcO2GpW;70Gd^zg4W1u@V*YRwe(>N%q)idK>9DN)VE&oo`jH70( zMh(pWLq|;~L6qU~D9Y}59OpKkgr8@|lQ{Y$$@U~ntm5#bXKc7rqfWYkb2AePo0;rR z`jMlPB-4{YpMyNcM^AsRr8BX2-i61DtX+Q4K&}W>4Gor zlFn@4*=mMLGw#er#R_B?Io_Ea1*X)4j}3Mw2Oq`hc4mWd%;1b3*xu*PVl}@K0 z_IWjUXJ82K+~A!&J*wEHF{1`&%p`LBk+{>D1iGrhDW~^G3?9~R$%-i3%r32GmutDn zS*P1cGw&vi(&;8u(&@&1Ru3M`rayG%Zt%c08#8WL{)h|9A3=ugr%9%(W#+yAA2aXe znfE$zhfzW>4b|%=ap;B98Y+5Gr&lxY1s!TpxBaBpI{mnx7_*OY+9$I~jZKohgflg1`$^t& zldN_oag8drPl7bw$-$%2n(0iU3CJIr+mmPjb6JQM6MsZmECmX`eytRDV|7D#1}F|;lBotrY2LDI(E=osM;%#e8UF=#KDiJf>N_|Z)T-O17W zLCZ5l)VTZ+wV(ZwB`azLAaRHK(M=>48NGw6Zz@04a;IGf=C}h^n`bf{#!jNF*J48q zC|(>5t$Z=I8*)6>)9M)Rbiv>cQ2@ZyvOH${HfjUg{X6)oW|FEmSJg~!9PS1AYToS@ zzTfy;L+}RbTGKvkl_e_<;LpT`DO-X9flpiJ&zwp2NQJLj;e;=3MZ*_n+ORnzNa*5G zSD`ce%aa#u;y_;93=5%)Qn6&k(eq~;7a~ule(z{RIpk3nN92i#Y3>cJ30<%ZOIqt) z9j6{IzY$&RP)JzC%Iq3V*wd25)lBAIbUijRNv@WCdLn=WT|kY*NTba4{V$5K((vYhdX6R3;lazkB`bo^G4ym-&e>lrsq7WiJG zJ$PqldTHp)qDth0DdXl8&%8*4TlPF^q#?P{3l;^4N0%&IBtE+UGmA31$f9Ugl`IOs zJ9P0z5U7g=@xm-h#HR&FBA28nhXA5hNJF=>DEQ<&5z}Rlnr}fO;^i=}Q<`wWv0%=5 z?9)vhFIElqUPc!eAeyEn#{$Hmi>|G}v3Oxy5M5G8kzvu$tdQI99{F^2<0-7jBRZuu z%*COLmQJ8GT4fD7w*k6IKPH8i0}g3*tif)J z< zaL47GyMhv1+&=17XI>-bNpkW`qU2<&HbzzV8I-%L#f<7kCr+4?GozYOqvVKb(rq!L zx>GZ%>&z&Ru3B6%qq@O3aSV%|r%0>YtC>TQ)~tZyYAEF`MpbueRCT>k<&c*abELD9 zoEBrL8{M{na&Ig-6xE{CO9wis32sZo`JN(~XssBx*q80of{QQfH-m0VH_qN^4+ znS%wxf_dT?HZ`MgLRLqJr?pz#7Rv2+kGxUEIFj0t$Hf)HDGpwv>r4%&6a{P;;ZCbg zKA$4?EJ$f_lOdHBH(Sj~=k$xk#SJEN!i5|sasbY;dLK8VhQ;lOnGzvxPE(T#7kSO1 zJc)#^T--=mxpO-$CKZ0chE``%d0NZGZKGTlmry~2+!LEe2I*YEX5YL1o|bGXrb7og&07=hUF;EN)Qo zDYr;ygih>g0bV5iJcWVpgE>L`;|68C1=vQKrP8>a-YCDJpOJpYU8HI<1UD zR~b~1vWj6X237LfN96UgH^?K0l-3p#3U7HN&}gl9r&kf#fsn9Q9!TPm5lxgLXO@)S zg-(m9)tNf52;kNX%cDmAC&R0dsQ_`yIW@J&|6CMZwTqK!RU&WM#ZwcCV8&v|lOYnX zbcCuy+X8uuLDiWWR2^qf+2;zweI>GAOsM#~W5m>iA{0~6>KC`Np&CI-n=8*GE^f9! z+w^~nsg<%|g1~xH%jv0n&crFE2^Sn|v9&r=TZ^odYKmkYrGHy2B4y>2>ZrxKB9|rh zVLLd-ltY(~$VjU=rpQ|dkz0YUVLv^M$6sbsyAy1Y_lFKxY z0(px?MV3>;7U!69Y^fYmWI%;(CGr;SJGH2YQnphb86h@Q9Nckvwpl`FLOGewDl0L$ z)@OMhQRJN$qqJv(Ra{drwYr?QDvua+S&VHL^4MZKO-(0fIaQb{$5gV?rz~%AOHEBE zXF=6ylZXcX2(>NN)6{r!wo{EZ31>hnCSR~dYIaV|CTBHOXtO;K(RyXuVn0pIC+BCX z(Uw{_nMzaMwpc_{gUH!K723)oOQcWHhF@zYOwA-`CDmxlB}+z7fmZk4)RW}wo*Her zWMbB}SU}U5owI*3+OSIEKnlOs^Pakoy!WU+JMs<dIkXr#Qya&bIGOZ_sa!#EEVURrQ(MQGIyKsI1(jO+wdVWO%5g?c zg*F=of$L)7v=}&3`^K3!HQI91iKP?lf|}Z?o#V}%a+N9@Cy_qg9WACy;Uuc9(oAib zx7aD+*P6homEw#PcP3RG;Y$=yT#POQBr;M-0Ak%E0hE>|oi?cQ&%+uoyS-9|n87e!QIuLn zj;MN`S{u5R+Mcm8h7DHd&c@0VHOL@iWj7u&8Dy;Nrj+M2s00 z9C(6l)!GRTyo@J)?j3j;O^*x;yo@$Q1_fTGw-|9)=pCkv*#t0d^m2~&bgu>3?J;uG z%*k%4hbr0a8#Bl8JjuO{nd9`HD`2zk^08WNwtys#>`2zDIqRrn#Vy0#>`2S)kMd@xG~Ae*p9z8a_ZUf z;$Z5!mE3_ba}sTU+}oHLpJ-)~9vCwx)t(#}Gbhn7%N+wVqv4l9fgABvobcDiP6UrU z!FK4j6C9Wst-IViFf+Xvi3p)&7$422Hba<6Vs)vGhcFXRse6Y|M8G4Q!b&b9C+uBM zZriyQgnkG!!B}duAgp5O(K zwjs;}V=#JBZ-yO4yEg$CbXcuCeTI46PhLNF2E``++>Y;ldJnlY0Sy)=skDNkXjSjF z;1}@H(4e$!lG3857{W$LoN8Ly>SlwY0onp(QE7m-MCoY6U4-@pY>9LnH2Wp!P-VPgQo#zy~Yk_ zs3$sMwWaMxr$*BsX7hS0u{*UhrQJ`@Y4SLxwfpJmNroA}`|*)YgU|Rqh+fc=@+k$m zvv9lZWK7*6vxBl~1~O(3@@mI+aBUd9P`Opdm^;X(Mrviu9Ylvk(=JGTe)>Dzqto#d z*&VOJD-UND?=+C{b`ZUN%|OQ6L3Fb;Fyn20?ViUm-VU>_Pxy?t!&;s?#+vj(UisaD zf{f5>^5BPU7nDvAc9f6NG!^6RC_03icE;OLwp&v>p^ zqZd=jo=Qp2UAO8GLM`4sW9>MfK8bE)ZGPCF$2QiE({s=aGuDn{D4?O+SUXAYDpNbi z9;sE8#$x=YS#@ag_`SsnjJ^7%5hl@H)O0t_PV#LpwKL96@`;&X#@R_KLy?Cz&Q9`` zKD9H>Ork$txos5W&hGjZBRuUw(l^%TIs&=Bv3636iCr4Hv-MWBTLTtrbu>ZaD4T?l zY`Zt`)GwHvEo3u(8kUBR-*$eqlWjK-UV9}wHVy=)QF?)wFfxx(&3|Sw%9q^Oi#d$4 ztsWq(P*USctqmJ-JB1w!5wy~33N62GO?|;Kst!z3W}|F0Mk;LgR!ZKqz$m+PVjGy9 zcCL_Wqo&bB8WubfyRdLv32_$|jEWPLW@9EmZUjAO{cr;iVr|@n-I;GO2Hv`@ zf)`^pJ2oQya1mWsDg|g8q=(yagy6-P&Az+PEqF1~%h5zfa6`5h|nL&>mORr6xtel5*>^J3tBP2Pk+u6Z#?&8S)#H&Vu!lFP`ETs#J~ z?1trT<*#`$$Q~)#WL}I8?x})J=EVS1a?ZRM@ue$k+jg`IZYYfvI8!LM;Oqn|xD|?Z+3^Hc);zdU2wXqYu{@|?weU;TaHeU9s zRUI2IlY1m1G+w4>v>6n5nO>&HVSx;@TRco^61cH|-Do4He*W|ghFvRvCxMwUk0tjG z%&eAv5}292DUlRoX09@qhBapPtIaksZuA#0&~5D0bLho)!IN!b%J&LDrR$@4{-KTJtV;IxFM2>A#h%ejL$|9_fibvDI?A1XGr&ow9 zpf;G^Bd6_I_2JaOnZn^>u0K-})MWujF=edA&nl+tdOfKrMkuQ=d958xh()Gm23)RF zQzGiw&{M0l8PE)(aSl@!Jhc$XI7eMdIQYlYd({*V_?y}{r8}uR77%SX#qFoF^CtB z1=b9@>JDyNZCAx&08>S|-eif#^wA(6utj@QN{x@TfSVo}xny!EwgBsOQ zz*%76!KQ1USa1?n9o)p)PVb^Ug3JKPEStiE3u~B4CKZeeF000%nzj#)nI;%iz>N{Z zeDN>f#?YZ!{?itwcZz}g-bM}4FRwhN-TSsO!|W0);3itb=u4~cn`kx8{b~DfYiV*# z3V4`6_9YbXFm5#0+E>gdD<(!n)vZ|D6}K25Odwm}1w2e3>y9Zr+!TiSeqO-C1hU0A zg$J89Rqrh69NEMsF>cyEu>q776QhHhSexB29eB(HatWm=8arz9HL_`IE{9RJ#2csu zJ}H>#WjS0~X0x$5ZEf?JjY)g$^D%;^gmBGq(`hp<8uTOEx&3@DPr0)w3+||3JLgKp1(ra0wxpVQ24i@T zZJ{YR=s!^_lW;y{=kc_)@o*3i=++4ZtGaCNCe(K8o;Eki8-p)_mv=1emt3t=n30_> zxD9aDT2eJH-g^tMHO}|70&LP5*Q|9eW+-R2a)dAU`YvpO1y;w}8w>L#ycspj1|PGd zv9lZ+bFtIupdAJU>}TIG++CS}*XG|{P$49mrr52$Tc1U&35@JOWR4{_Q|bmHv!ky7 z8<9D@R)E>&O)6LcMzoqVtOnc*Q_{SZra_=-IwfoGrnHD1vAoj@Q*!2lfsOAuMBWV6 z3w(FF!dlyuvY)4E-4C?q=yU@f2JnLCQKD%&C2Q}dw1@?z2)wsVZmXwRe@kot*^50LVwKiCdyUefMO8441Qa zd$K`>%k4zVp}_|C$X28$k~%WR^y2BYz?=&8y}V=X-9jy5I9Pi)+{;0khMGyBMnrNF zsPQ5hw!B~JZcv0hFOYz3Lb;IU^cvL+9Vlv;8``@GEn+Y%?*`r0a~7C^ZCJ0C0o(Mw zT8t{rZGGy71~mYMRMdYd4ogtcB%ar~9P|`#gI|GShm?5rUjvH3cG;ehGs< z@X7-qyERu<)inu(G_we;>uCfB-9o2O-&pVEpl^)Nc{Q2hzU^zTtNNzc{Cf6n!hSXT z%bD=PIxWyq%)&=ILOgTfNwAr{e(Kv+_S$J+TL%-eK3oUJ1cD153KwD+fb^owhJmr6 zC5t-$-Z#ZkwRWq~=4Hs82gXjk@SYI(iL<+g2AzZ()I)75UM|D7ZK4r*v{9JK!bfMI zrkRShc2il*78nOkdu=ohoc1C|gGbR> z)~1sKUE0OXtkoo_he41=Ihf-pUK~odno5`yI!`Fn#*t9%l1=tT+=Ia2z6>) zPF|O4wsn6R*_7*kZpy7DL*2(zMb4XZ=uBZWH}s+x2Tc%!Ud}=-``M2{TysXM|Ix&v zS1`GmKzDgCl5m&@`FB%qnnnE8)MHOKcXRrPaw%rPU||;hMxNb|Hj94t+?KPjo;Hhq zPTTT7nl|Y-y4ImJZP3pl4Byj~Li#YwLi0~_R}3(i4-W(#up@@EhR$dB1)UyX_03O}|=UAUss zQ=*N2bm(@2T35$_Rujz;6By9G&%+IveAm|9It(V>sEJEdXroOxYC9{3%foFGv^hfI zdIo}8jJc{=xU)M3m~rSB&}!IKh@$N{YCH0c(y++QwZiobiyU9u`^AV>W0L_`uU<4B zM~%z1LK|(!QB15~cnbu&9RsYZW55FTUt?I{J_yG1sQqvrM+P((ql(gG*XCeoJ;!i~ zC*QgC7?=c8qRD;qJ;SzZ@vu~*2f7^tCUOb{J7;kvI0m=t+`ycIy znB=H$@gv==;;GTwvnX3WCdJj~(5-cVPBe9~>JDrl*?yhOdR+^x(#86jpV%$qXp@9}TJ5oN81t z46KH;m!ivY*j4!Hyf{)U&Ry>X202Zy_kWtz{C^9<-}u0H}Qqc zxrP?Yz%mP>Se@!OJ6{Looxl3kR(6{4z)#h$w$tNRlhbvu{MD?ToEmD~s^1`qo~?J9 zvK`F=2TB;zaXhf8wMl)|%a&tMs@&>V7I|1&-_?(S38k;D`qcz{n)b#|)vtj?r82C3 zHFY@9Co;k=h*v)NEWdzfM|=n`EeEAnt|TbFr7R8K>Q_50QtGJEW3PtzwKyoNzBbii zX(N=shWCiW=qK|VqHGr)IC<{S*$Ko#c3z3fvUYeCTPUXLSKIZ&^3<<>4U8!FcJ-^t z%P?Npl})|Crt*4S^)-1J#uTH)7-7_lM34vS7_pGaR}C3frquf7ul7s_uTF7kt9}h^ zYJwj8RQ(zlQF`~QU&B;OW4in`JlRQgmKJ3M)C(izQDLwucCTK#JKX;Q{Us$XqCO%@WtkOZ0DWiG~tF~lo> zeWWZXz8xut@IYy@kYtZpG+ZF*C4py?t#*@p%`A(F+POX~ovP(;#`^ql+TpY()TtcA zq6|PtJp<_KXEsFR=aFDYcU+eS%Jh3yf=?8`O+r5t~9r zZbUn%IYW#x}$L0%lq`2m7TTu%y(cKUm-v z&2Lq@JDnJ^GDQl{E;cscQ2t5qn+AKi8t@I2zdQmeKt$K&$oO*|&f5|j<7qiFF*nj2~%|CA_8p7wIKX($ffII5UBVSU_Gb1`JbO5&6X zAKNRFXw~pXCM-s>WYB3f6REEdM8S`lf?gob(@HObfh1u{pG7e$0$nnuy@4yA-*$We zs47{RS)6K3Q0XGiEnVJ#WTq#-7Z4GsB2zU~C`*AKyv*_@GDxhScyfz@I!`l|9s-it zpPuIOvARHFIq_n+pg!U&V+*i)9T&EVA3eR@19P5g3eW+`3z34~Kmvs=quX%dlu4so zXxK@2*qbtX+Ce#qnePDR9h8b%0m*_EUDa))=j{INW!kWmQ3^`IQ;=?<43lS@;(I{y zdZhF&AR>0C?_&K!VWg=>w|6d@a~4#RCnG)hrw(eC!Q@>Bk{2eKPe4Ql{g@a{;mFI& zLC{8|!IXxOku^!OI2bFhP_p+a{*qTHx-qNuXb!XGZ7B#AG!wBfCVMhcvH@e|xu*;w zAbFWmYywDFrUl5bAzN;Id_K#Ir_EF7$dgZ*u-){bIW$o6Pw+<;&-QGjh9l?$tBc?* z5zZP7+&F3&%u6amR%8cUlPZEa#Y6%i;gW6e|IEn?gjErevdf;?P)UCn6G zuJHUX=G|t0Vi8q`ANBLv2FuHzEsb2+h*7hoW=kV|2(hH2G;6{^=uaXlDz}ZAwQjaF z^1DqQQ|86amPY!vWjSgbDVuUx9k*zL_`uVzbn+xIR-R$DH_~T0VR^PU;u2M6#&nsZ z_Q{%{SP$iWi*Xkhg!PR)3V(#vD5qL7*alv75EI-y*@Nb{Zrf_OgDq2jj3RzDHMd)H z&KdJFD-N97Hn(x}DfR);Q}{LoR&HR;k`>2n-?nkXrU(kVfN#5p&sTss?338#sLgBV zR~)}}J~t0|j+{Gbe&g1C_g!)H_S3hXILjZ$t(e$oS*<}q6;lHv*Lj5+tzR1GPCrk!`3XDS+QorwvF>MOOKe}a?<>k&0A*< zSbO@0O&hju+cIb6KxPivzG3Y=&0?pe%VK-}_qgpRor?7E*MVE+=eBL$vh>KgHSt@cFJNY!YvTVh%TQ;xVe)9a5rDv>NN3(qh)01P>U$)|i`E$}a3a{$8`Qd(jS#?WoBbYVDjczjkKD zs=19@=VA1kgP*c|)%J}WPnz4bX`b1yS-)ZH4F4bLdF;%S=eKON36mqxCoQ}?+^4&I zkjbPuQ#*3Qne!}fr?=vu`I9!xZCW;S+8J}()^DAkn>jP}wigYZWd-xkh6_t(O_s(> zD7I(+8FIrJ5`Z4eteeTOSu-o`KQo&e*u?Ca3f3Eq%tk9=MBFB(Y)Tk^PfYFAFpPfA ziwf2w^5fbWKC^7AcC(bR6Z){e9W7MJ8`;TR_66VAjF=KeR$8#AJj@P;3dVHJrYT|I z8<}}s!oU|kEbU=-JXbJk_nIOvVc-j8j7u1e!gE{?vs}p%#vwDb-B!ZD7t$|EnBlV{ z!om7x+?Fu#h04Sw41D3eP6-2F-wrwl8`yQIgc&}&1eP%Hg_`Rn41A%~lY@mvZ6%CT zE!4CtVc-i+r4k0d@BqufMs`suVc-j|p-UL}!nc`A82CaOwuhO;T*3^WUvtA}K9RB= z_(bjv=H<@{5}RdH_61+aJ1k-J4W&ap%xuyUW+jEq$6CUu86z@IKqmNN%XS7c)4zmq z(1wr5lrZpx2SFvw`kHCrVBtHeCCu>Ig}a1-k6m5Ez!%J_vK=t2@w%PW6E>e>*$#Z6 ztWF8DzJA>dW>!qu4t!iXYZ&+jX4;nR=-adVnTJ_4y@Ww=Fi%Su_(H{$5(d7$=uTjE zCo9`gKVo9np%MnZ@O`QhX88QvfQ4FdWjj7zgyvOzo(I;~&kb0}hNpUj0a!ep8?}v5 zvm0aygTC;Iwi3pCdv-@DVel_}EW*Qtf1CUMlzB7Cx|Y-jk?9_j~gWZ4dUBlA#} zFz|&pZY2zSofdpuKery9XjzZpB&0<;d|kUGJ6NdJQo_JDk@X<4%fq0r#h&cG7=?aAs!Rz39|oo1 z3vXDAg@42-WsUeyj~j!M%40t+^tIUDgBF__*>JkV z@QFP+9P@vke^eWFeK~wXfvsx3+?c%01$`lxyKHBD&F|)5Jug>$6HCwY;W$(|@O}N+ z!x&-{g0Cm{Us!6sNQbX)HRc^G#BNI%g(^Z+wuCWXvC*Mr;MWq^&|=SJU&E*RlrPB0 z`7vm@6H{+N@Qnu+9xBIxzTp2VVbBtu3VWD8w|abI%I_IY08XiT4DgLDdC%b+`|})p z;p<3cJHuygy%Gk#iMJCC=H-;q-#veBfiI*|)%d8n>iB}&Cw$1ZY-ji^SW?35#M8S5 zM~dS;_<|$7>8Z0VHZrn z7jhyUeR6j(e3o-iwu3%)e+`3{@G!e<2P}Now1k0gY*EV+#-o~vw-c?e1$N4Iz{F43 zBR5#}Jqp#0VST+_jKc%3WjzM?LU^?t7y3r3i{XLm3%-z?Q1(S2yQ*K%SRyYt72Mfq z`24-1XC%9Ep)Y)ws2rER;bV~=Ci;bstobt(e0{$M!56-M;PAn&nt%Ar)&GK+w(u{M z_ILRDUdQ%vmw4L(`ocRr-`DGQXbz9o%69!8A1-!s1-=l*D%)A#79NDJ=9TTRVnbqk z2?L+35%|Kl7s_@9^RkP!!r-WRYWVC?l#o{d^o^nq^;Z-QlC#C5+Ez@?E=n9^ea~ zUM<^MUq3D|t_O8r%%PB6RQ3g*+(WIe>TH}DE%^LC0$)fLD8~RFtf^@M7AozR?Qq

-8Yy=yS9 zpADbtzrM7i?^x|WoI&nPAsv-aW6dk(i^SA0@P*v-a&89m?F^r{;lPLS?eR@;-zd!A zA#ebMjM;Kr@P)6wmM~7imir(@Ror=m6E3{PDEop>&Mm{I`vcYPXf}KjUqFXh25C74 z_;3UZ3}-7sI za<3(QOzs9GkSWbLJ%oQWlXX-3k5FpQ+u6Xl_;~uL^67LF?Zn>>EWB^2dBEB2Wt@ni z$QpI-<*XowO75lvcKzL+aP3&^2u@$|`;Z;w?N|%f>Kbv($b8ug{;o!J+MiM2L!mnU zA!%Me6NU}>Llv*^e0iIYRvi3-kF72+iJ@7jSI#%$oZdG~h*bT`mO?A@#l7Zq4tqiG z#6)JjzQXAk>S>hoWnYT@2Mo>Y=Z5pp>y0id*3*KQQ1&_0`Lld&kD*J-^FJneTSS#o@NeU znHw5a=7D2H`=WR~KEC!P>&D$#)|YSoYTtoBlL;L|jEoVUD3)?XyNUNV5su=Uk-jfM zL)k~z$}(TRqAmQxJWv>hq8|g%khx*P310~J2v11|5xK%$BIEMKS6Me6`ucg`u@w0u zQ0MQa1U1AK#jsF)j}4-{vd*3dB&hrO5*8O7f#*=xh`a|`BZ5WZ10~=i=K>l>&IN8( z!h50t-v7s<$sLwrVIlXvk~IP^-tR-ZzQ{9P8cX4IeZ^*_Z}{|i-Hs0!dO7Iz)sD5G zobowTHFfyNMfbGyN6IU_6e2@?%^B-iGKt4WvX#u2tCin_Oik<@3*mZvWHZQ~?jiOb zAC5RV8*%=NpN3nq#A2{O#CO9fXz9%*|2U(sj863+G( zzL;0l@!mqm0^{Y9*K2$-Qu)j=Uu#)cug+tWf(3R!bZOreET106RM z$*A@b5nQopfO&mtS!A+CL!Oa(TJZ9FzdWH&&F|#4D*VGgE_W*`H_2Uykc03UD@W!_ zL|ymCSmTYvtwbLHll?&$R`dZC&U7AJ*8E=Otnhn=GlfLjdVP5hFL794l3!;qe>Pga zt>|5g_jozrW~%dm^p}SwuM@F=TWBF0 zww4zQ^@`2Ke7*0LciuQgU0;?+?nhXnLbJV*@bYZ$L3BSI0Peq^N zsS;f>!Y-C|BPQbX20FM)EmIjH^BcOR@1ff{>i( zXG>Jb?WS+5aF!-HEn#`SB`nKd3CnwH3JaCsf-cE0BCcX*o4eEN2zHTwvqC6vATo)I zLe`D6FFAY2))W4rUWCsaQL-rye^@g+>?3r8LC!PG!r)PXBo7JjR`)9yVw|hUou9h?_ZBW$jj;CPNzjCu`K-g z3qJ8t(6{gR5ip6}0h63}gL!)r7=b#^Q`~EA@8bv}=-}H;@S;LGKT|zZ_Z==&!-Wvd$h%JC#Yy2hI-Y{5R-x8Mj zGKGb2;spApu&LddV786CuN0WX{DH}x6PWn)fnjNTo)Vh%Yspp>nIw+mV{NRF_=ef$ zC>p)j{_4QkJ0SyPEs)Nj(GZJRli{BH8yqD8+cztUV0jj#~Ca6F9hSmM=7d3!}Bul zE5Mu0qXthOtnz!hM-H0E0nG%~V!v2e!{g&=m5+Zwu+&Zfruv}IgAy-)ct*UhfWCU> z+0{?`hEFh6ydo)8_Kdwd@n=O3$B*DM=d0r>7P_}F&GRa9N}8Lj2Quz+t>`Ov90F*P z?`V6*-+ws*eA$1&pVPtyx2D+y? zQgj|TH@!R$a1aST&R=aO{#`0Ia6|I6P#eSRSel8AM1;@lPIR5T?;*WO;zH)7_V*cJ zs$_46>llph!0S4%s&4^q8^BwSB3Z^(tG zq_S%}d4CB$yi0{5%| z`)I)@x#Bj4_u-)rAjYp-i=BwOPGt?T5;^7BotIO>#IkODK-v2kEhSLSH@so8r#X(q zM`1bnUQcpk65YgXJrBSZzV%b>eQvsP#`A1ZY@{*D$;-=_jqdjcnVdo&zD?0A^3Dbr38TI*aXJqh>pOZ9p47G=)5XW%xUPn(`4yk} zJcHbsth|MnNiuMKJOF%Z`;ek8vN6HV_Vb`Ri0n5syUz_Jp$(Ul=L^nUfBq8Qmos33 zDW&bSJ`%6v#RovPqxaFG)WpZgH6D+hrw?1y?@JRQw=dcIAgue6x+-s$frYOomFosf z-a`Nr{t;UgTbXu}Yrxzj=0#t5(}m+Oe9WPyg(sOZ56*M9FX=09WenzRTT89=whAzL zYf12&L^sbr=Aq*f!IXALxx$+JemW~cx~*F`U_EVzZRW?|LhbED`l8s}xaOPlw3vDp z7|93} zE4i!ml{^K5DW93H)4MjVKlgczC@~STrNT#TtN9X2^?p{1GI@P!mAJgW-3k!;a|>Ds zvbgoITyamc36@_sU@~9Q9{f2CEo89C7z8FgjQh0HO%^5b_Y^LEVtX@&14Tlecr`^7VNhz))gt46^n77^cN#U!sY@VHH@v(M9c=vB`7FZ{mGjcvYl2U0 zZ!%Ib-2J$k%Wj$Ciq9Sv`M%^8c-i23?&IBzOJvgbjh{cL){WFWACp6^ktXc>lJY6| zNEY(4Yc*WF?j(;^_9{84qU%tn{@x8OWb}JlaG1!r8e^uf+BA4%e9kBBB)8FE-p370 zYM>C-oq%#9nDpBrzD{Ql(z>-_?ZAwF|^G9_}4zf>2W7DEIZFD6o>GS@Pd~YLRq4ln6BK3 z(SBmn;I$B&2J27wXZ}v%GoK9<`X&-LfTI*V^mAiV`+Y=Y!r!sk(>!2xeaSHt`lmFN3-+aCi+7|nYj4?TTxM?U~G`?!{6}htVAYSe* zoy*G$Fp=>wGO2wf=1+QwzIW2JZLAiF>vAG`Sv`())O8OPxi8b z582ywxZIRxf;(QMlHSutT@t4gO_RuapiaG?hSCo5oeRd0T7R@di2S(J zRdeGKsg(Dyz~tS8MKrzd5Ez9K-54fpB5PVhjlMVleP5gu0^`E(bu70=Z%dK#DQ`G{ z>6wDKh#n`STx6Fr7{YtfuDv}(c?Uz{DTcvm8>H8}CE?*@NZdeVcqVOzJ=~ zhJ0@anB)u4SH5{=X}R7O1%`9Utr4#R4?uOw9fxP{5~HV`$_rj3kyGCE`+FmO@sfF( zHBXvXn&OKD#vvem<=cCxcBzX4OzIVYPioQF-29!Lz8r)yuATuzK1CPfj}>{LZh+jG zsO;+Rk{m~pU)ST!x9CJXDBg!cUwJpi5hXcP9OfzqG?OzAn8+H@bMG?(A0OOtydqp7 zI)|{moGIjx%AKjjrwR|$mbX$!UQfaSpYKRtc~fXG$qgVKPV7!BYJYdOh?3|bM%8(s zc!fS5JbQU2Pr=*#h@Zr)ad7J%wERiGx9nN3Uk`FVy>Fd)h`%$0jy-+&@Z?;;KiM*_ z?tNJ0ed|^w)%!s#FGJ|V-zj?#n9m_a_^96I6=Ul6bsS|m4xgL_(I zA^FTPsl~?#OzL)HHObp`Gsj!T#d+vt*WQ);eF;qVIod$cUNhgO+n0R{PrH2t zOyn7u?zb0E2lyCdr)=0|zECaMGaU8%Dso-mU{C z`Gmm4W(6j>1_X-On6*4Zi+szJiH%k|%AiL%j`R>0w^K0OLWJ8yAnD&)+41luS!$Cpp`+lez|sfl#`>=A%`7awdaM z&SZo6`x`KMD`PO93js`G$5?O@?*S$`JHVty1K?5c+8(vX~UIU-Ria4|+_ZNJk zi-AdAkioot4@_#Y8qC{&z@#=6FnOD6FkLq;wqC~Vx-W9Ya|kcv@Wtl<*-Jcs*79ga z-mBTmG#?Y8oqQL?qTN2`WiW65aRx|ypR_(MyH0jVfcCjUv=e_UFo|<=(8~9KXxGLA zx#Q4I_b)JiPScJGH9|ARiaiW}m|r7HF!pPN%iQ~$aKmAt3O*_{co^4Y#V0W;6bTU| z-xnW>(5LU|aR15u7ku(fBwT`0|I}bIH%?lS7pueUWt`6mi~NyTAhJtv$NLF!9f}VM z7;YZN0}B>89~tfBZ6q+==fGs2W7>Lu4t?dDz_>+~SLTcqTCDJbr`b+X4`ai5IWUK( zUvprx-|V@N@E(7i@QQaaGKLwMo)&xjQuhd$_``rHU#t$Z=Zn=y_Pob56P<0fg}se#IqKS%8@1y-F$eD_gg$wb z37^H6X0MrKucG~Q9=P>%T*(UupVZw4#ugEp;h=|+r{MRIr6YNL$}P(K*Kjb(`$k}@ zU+js5;!_#o^`Q3!VU5e%a0_M0UZ84}zdO@T-Wm}uliFVJs;#foR0JQ%Tb_UVmV$PY z>ufODAJ8ZJ0~1N)0JGTpM%bzx=#Cc4gZJ{nmiD=k~i$5Ef#KsKfa~FWA-vY7nK2Xj^$pIqyO1_tcXIS2j&`#oD zj4OUF`ihUyU}AULcgbXZd4%Qp%##q2dqh%YgW#v|8I9%b9NZk4)j$^o92>S)Q93gFMm6d!~eC882a3 zu1Z+mt0gSkO(iVzw1j2)N?4Zr5|;T~!dm9hoIORm=FCelvN5G*141CRN`Ofn8(_Sq zt$7Me?;kwt)jh)!<$0vI3pZlP8@5tw;zzd<2HID?pg8@=G2y)Tn=v$( z7%#fyyjz7!xmyuM6h9oE5xF0cE+A(f-$nMZZL7{Dvdh~W(ZzVK#U8hJHhw)ARn9jm zCCa(L5Q2}lH)59%1ru6`=E=PW)g- zBrvhV>{GvPuVQq{cVvN4Rm{_;`K+{)I4pCM{4j$l&E_nv$3U;?S<71)u}gTKBKw!P zxcD)7vL|N%?hVnq_U6a$4{qY36QM=<$CDbbBZ%+&95mc2Sl{)0ajQrU3oyOYSu9`s zs?V3}s_aW(qMNXudYMdIgLt`TX=1Jq}FXOB&3_Y{I9?JpZV6 zbzO*x%YDlt<=zGXCf_o(v}=D>&`$Cb4d!hSD@*MCCBWnx zk>>66zAxJG(8kS|Q`PGxdqwK+5C#*y#u#45Qdv{?B`0_$(=;EZ>v@ zCbgaoCVB{$g6LCVqKkoedl!5yd}jL!uegWG8evd+eSq|Nd(E=ZeT*I$SOe9>sj|fb@6^}QTM-7g?kbLA|_J+vI5HZ~5 zuAA;wXbAZ>pnY;u>=K^xh#f(s(&u)gAo#euqlKf}-)jjaNG*9_65C-KlD}bAw%5;S zEAdI2E8N>J$Oew|nm%L*ttc=#e`zOm_<(VUN?$qOXearYz(g1G2wZY1fk_?@FsTy= z3mHyOVa}8^QSFBI^5UJ#N~`cWHr1o+>ar7akw%b9)O*K)@Ig|Npq`a#HCi&FBf91F!#pNuD_{$w9NvcnUsB zAbLLy?FhCx`glg*?JL@e&2M2B@ACjAIl{pDUMB*RdZobRjgy6Jy!{M}Q^nJaTgCI4 zQ_I^(^rc$1?~9K@@DT#?vPv5vVNRi+pOWnityKa1_QGCO|P|?y?d`k!chJ`6nFoGMk!SA23d76e@sYMEJSChgwAh0P>8toid-XXnTx!Lx117l|!1SDfqp}|O zK!pcf#eGgHMg*@09L-q3{*FyMl1ZeU${)7?pI2oWazd<{BE677`snHFLo4m(|Z&TI-gUIg> zyaHmc;bZhRKVwL&1DM3d$QZ+O=4qi^xXhPeueMWN!rL3~@3gEm?}G;>xzoTTPnx7n zxl00*dWXQo{{l>6(ZFz5P3OC9%iM;I^IMkeyYI}3<2F2JeukU%c*%;@n>TN>KhZ=p ztCy@eY}2~U_D>cl{PUoh6Za+OV|=is-><}5e}KIn>#rL1R$+x6I2;~09`84^<0j9T g*>ArkTer<^*>?7p`E^Sm4)cD=V;*zxF{_sRe;F$EJ^%m! diff --git a/doc/pdf/admin.tex b/doc/pdf/admin.tex deleted file mode 100644 index 643ed83..0000000 --- a/doc/pdf/admin.tex +++ /dev/null @@ -1,11632 +0,0 @@ -% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\usepackage[utf8]{inputenc} -\DeclareUnicodeCharacter{00A0}{\nobreakspace} -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{babel} -\usepackage{times} -\usepackage[Bjarne]{fncychap} -\usepackage{longtable} -\usepackage{sphinx} -\usepackage{multirow} - - -\title{Kerberos Administration Guide} -\date{ } -\release{1.15.2} -\author{MIT} -\newcommand{\sphinxlogo}{} -\renewcommand{\releasename}{Release} -\makeindex - -\makeatletter -\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% - \let\PYG@ul=\relax \let\PYG@tc=\relax% - \let\PYG@bc=\relax \let\PYG@ff=\relax} -\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} -\def\PYG@toks#1+{\ifx\relax#1\empty\else% - \PYG@tok{#1}\expandafter\PYG@toks\fi} -\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% - \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} -\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} - -\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} -\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} -\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} -\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} -\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} -\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} -\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} -\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} -\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} -\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} -\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} -\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} -\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} -\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} -\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} -\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} -\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} -\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} -\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} - -\def\PYGZbs{\char`\\} -\def\PYGZus{\char`\_} -\def\PYGZob{\char`\{} -\def\PYGZcb{\char`\}} -\def\PYGZca{\char`\^} -\def\PYGZam{\char`\&} -\def\PYGZlt{\char`\<} -\def\PYGZgt{\char`\>} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{admin/index::doc} - - - -\chapter{Installation guide} -\label{admin/install:for-administrators}\label{admin/install::doc}\label{admin/install:installation-guide} - -\section{Contents} -\label{admin/install:contents} - -\subsection{Installing KDCs} -\label{admin/install_kdc:installing-kdcs}\label{admin/install_kdc::doc} -When setting up Kerberos in a production environment, it is best to -have multiple slave KDCs alongside with a master KDC to ensure the -continued availability of the Kerberized services. Each KDC contains -a copy of the Kerberos database. The master KDC contains the writable -copy of the realm database, which it replicates to the slave KDCs at -regular intervals. All database changes (such as password changes) -are made on the master KDC. Slave KDCs provide Kerberos -ticket-granting services, but not database administration, when the -master KDC is unavailable. MIT recommends that you install all of -your KDCs to be able to function as either the master or one of the -slaves. This will enable you to easily switch your master KDC with -one of the slaves if necessary (see {\hyperref[admin/install_kdc:switch-master-slave]{\emph{Switching master and slave KDCs}}}). This -installation procedure is based on that recommendation. - -\begin{notice}{warning}{Warning:}\begin{itemize} -\item {} -The Kerberos system relies on the availability of correct time -information. Ensure that the master and all slave KDCs have -properly synchronized clocks. - -\item {} -It is best to install and run KDCs on secured and dedicated -hardware with limited access. If your KDC is also a file -server, FTP server, Web server, or even just a client machine, -someone who obtained root access through a security hole in any -of those areas could potentially gain access to the Kerberos -database. - -\end{itemize} -\end{notice} - - -\subsubsection{Install and configure the master KDC} -\label{admin/install_kdc:install-and-configure-the-master-kdc} -Install Kerberos either from the OS-provided packages or from the -source (See \emph{do\_build}). - -\begin{notice}{note}{Note:} -For the purpose of this document we will use the following -names: - -\begin{Verbatim}[commandchars=\\\{\}] -kerberos.mit.edu \PYGZhy{} master KDC -kerberos\PYGZhy{}1.mit.edu \PYGZhy{} slave KDC -ATHENA.MIT.EDU \PYGZhy{} realm name -.k5.ATHENA.MIT.EDU \PYGZhy{} stash file -admin/admin \PYGZhy{} admin principal -\end{Verbatim} - -See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default names and locations -of the relevant to this topic files. Adjust the names and -paths to your system environment. -\end{notice} - - -\subsubsection{Edit KDC configuration files} -\label{admin/install_kdc:edit-kdc-configuration-files} -Modify the configuration files, {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} and -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, to reflect the correct information (such as -domain-realm mappings and Kerberos servers names) for your realm. -(See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the recommended default locations for -these files). - -Most of the tags in the configuration have default values that will -work well for most sites. There are some tags in the -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file whose values must be specified, and this -section will explain those. - -If the locations for these configuration files differs from the -default ones, set \textbf{KRB5\_CONFIG} and \textbf{KRB5\_KDC\_PROFILE} environment -variables to point to the krb5.conf and kdc.conf respectively. For -example: - -\begin{Verbatim}[commandchars=\\\{\}] -export KRB5\PYGZus{}CONFIG=/yourdir/krb5.conf -export KRB5\PYGZus{}KDC\PYGZus{}PROFILE=/yourdir/kdc.conf -\end{Verbatim} - - -\paragraph{krb5.conf} -\label{admin/install_kdc:krb5-conf} -If you are not using DNS TXT records (see {\hyperref[admin/realm_config:mapping-hostnames]{\emph{Mapping hostnames onto Kerberos realms}}}), -you must specify the \textbf{default\_realm} in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} -section. If you are not using DNS URI or SRV records (see -{\hyperref[admin/realm_config:kdc-hostnames]{\emph{Hostnames for KDCs}}} and {\hyperref[admin/realm_config:kdc-discovery]{\emph{KDC Discovery}}}), you must include the -\textbf{kdc} tag for each \emph{realm} in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section. To -communicate with the kadmin server in each realm, the \textbf{admin\_server} -tag must be set in the -{\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section. - -An example krb5.conf file: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - default\PYGZus{}realm = ATHENA.MIT.EDU - -[realms] - ATHENA.MIT.EDU = \PYGZob{} - kdc = kerberos.mit.edu - kdc = kerberos\PYGZhy{}1.mit.edu - admin\PYGZus{}server = kerberos.mit.edu - \PYGZcb{} -\end{Verbatim} - - -\paragraph{kdc.conf} -\label{admin/install_kdc:kdc-conf} -The kdc.conf file can be used to control the listening ports of the -KDC and kadmind, as well as realm-specific defaults, the database type -and location, and logging. - -An example kdc.conf file: - -\begin{Verbatim}[commandchars=\\\{\}] -[kdcdefaults] - kdc\PYGZus{}listen = 88 - kdc\PYGZus{}tcp\PYGZus{}listen = 88 - -[realms] - ATHENA.MIT.EDU = \PYGZob{} - kadmind\PYGZus{}port = 749 - max\PYGZus{}life = 12h 0m 0s - max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s - master\PYGZus{}key\PYGZus{}type = aes256\PYGZhy{}cts - supported\PYGZus{}enctypes = aes256\PYGZhy{}cts:normal aes128\PYGZhy{}cts:normal - \PYGZsh{} If the default location does not suit your setup, - \PYGZsh{} explicitly configure the following values: - \PYGZsh{} database\PYGZus{}name = /var/krb5kdc/principal - \PYGZsh{} key\PYGZus{}stash\PYGZus{}file = /var/krb5kdc/.k5.ATHENA.MIT.EDU - \PYGZsh{} acl\PYGZus{}file = /var/krb5kdc/kadm5.acl - \PYGZcb{} - -[logging] - \PYGZsh{} By default, the KDC and kadmind will log output using - \PYGZsh{} syslog. You can instead send log output to files like this: - kdc = FILE:/var/log/krb5kdc.log - admin\PYGZus{}server = FILE:/var/log/kadmin.log - default = FILE:/var/log/krb5lib.log -\end{Verbatim} - -Replace \code{ATHENA.MIT.EDU} and \code{kerberos.mit.edu} with the name of -your Kerberos realm and server respectively. - -\begin{notice}{note}{Note:} -You have to have write permission on the target directories -(these directories must exist) used by \textbf{database\_name}, -\textbf{key\_stash\_file}, and \textbf{acl\_file}. -\end{notice} - - -\subsubsection{Create the KDC database} -\label{admin/install_kdc:create-the-kdc-database}\label{admin/install_kdc:create-db} -You will use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command on the master KDC to -create the Kerberos database and the optional \emph{stash\_definition}. - -\begin{notice}{note}{Note:} -If you choose not to install a stash file, the KDC will -prompt you for the master key each time it starts up. This -means that the KDC will not be able to start automatically, -such as after a system reboot. -\end{notice} - -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} will prompt you for the master password for the -Kerberos database. This password can be any string. A good password -is one you can remember, but that no one else can guess. Examples of -bad passwords are words that can be found in a dictionary, any common -or popular name, especially a famous person (or cartoon character), -your username in any form (e.g., forward, backward, repeated twice, -etc.), and any of the sample passwords that appear in this manual. -One example of a password which might be good if it did not appear in -this manual is ``MITiys4K5!'', which represents the sentence ``MIT is -your source for Kerberos 5!'' (It's the first letter of each word, -substituting the numeral ``4'' for the word ``for'', and includes the -punctuation mark at the end.) - -The following is an example of how to create a Kerberos database and -stash file on the master KDC, using the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command. -Replace \code{ATHENA.MIT.EDU} with the name of your Kerberos realm: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util create \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}s - -Initializing database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, -master key name \PYGZsq{}K/M@ATHENA.MIT.EDU\PYGZsq{} -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: \PYGZlt{}= Type the master password. -Re\PYGZhy{}enter KDC database master key to verify: \PYGZlt{}= Type it again. -shell\PYGZpc{} -\end{Verbatim} - -This will create five files in {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc} (or at the locations specified -in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}): -\begin{itemize} -\item {} -two Kerberos database files, \code{principal}, and \code{principal.ok} - -\item {} -the Kerberos administrative database file, \code{principal.kadm5} - -\item {} -the administrative database lock file, \code{principal.kadm5.lock} - -\item {} -the stash file, in this example \code{.k5.ATHENA.MIT.EDU}. If you do -not want a stash file, run the above command without the \textbf{-s} -option. - -\end{itemize} - -For more information on administrating Kerberos database see -{\hyperref[admin/database:db-operations]{\emph{Operations on the Kerberos database}}}. - - -\subsubsection{Add administrators to the ACL file} -\label{admin/install_kdc:add-administrators-to-the-acl-file}\label{admin/install_kdc:admin-acl} -Next, you need create an Access Control List (ACL) file and put the -Kerberos principal of at least one of the administrators into it. -This file is used by the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon to control which -principals may view and make privileged modifications to the Kerberos -database files. The ACL filename is determined by the \textbf{acl\_file} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; the default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. - -For more information on Kerberos ACL file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. - - -\subsubsection{Add administrators to the Kerberos database} -\label{admin/install_kdc:add-administrators-to-the-kerberos-database}\label{admin/install_kdc:addadmin-kdb} -Next you need to add administrative principals (i.e., principals who -are allowed to administer Kerberos database) to the Kerberos database. -You \emph{must} add at least one principal now to allow communication -between the Kerberos administration daemon kadmind and the kadmin -program over the network for further administration. To do this, use -the kadmin.local utility on the master KDC. kadmin.local is designed -to be run on the master KDC host without using Kerberos authentication -to an admin server; instead, it must have read and write access to the -Kerberos database on the local filesystem. - -The administrative principals you create should be the ones you added -to the ACL file (see {\hyperref[admin/install_kdc:admin-acl]{\emph{Add administrators to the ACL file}}}). - -In the following example, the administrative principal \code{admin/admin} -is created: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kadmin.local - -kadmin.local: addprinc admin/admin@ATHENA.MIT.EDU - -WARNING: no policy specified for \PYGZdq{}admin/admin@ATHENA.MIT.EDU\PYGZdq{}; -assigning \PYGZdq{}default\PYGZdq{}. -Enter password for principal admin/admin@ATHENA.MIT.EDU: \PYGZlt{}= Enter a password. -Re\PYGZhy{}enter password for principal admin/admin@ATHENA.MIT.EDU: \PYGZlt{}= Type it again. -Principal \PYGZdq{}admin/admin@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin.local: -\end{Verbatim} - - -\subsubsection{Start the Kerberos daemons on the master KDC} -\label{admin/install_kdc:start-the-kerberos-daemons-on-the-master-kdc}\label{admin/install_kdc:start-kdc-daemons} -At this point, you are ready to start the Kerberos KDC -({\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}) and administrative daemons on the Master KDC. To -do so, type: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{kadmind} -\end{Verbatim} - -Each server daemon will fork and run in the background. - -\begin{notice}{note}{Note:} -Assuming you want these daemons to start up automatically at -boot time, you can add them to the KDC's \code{/etc/rc} or -\code{/etc/inittab} file. You need to have a -\emph{stash\_definition} in order to do this. -\end{notice} - -You can verify that they started properly by checking for their -startup messages in the logging locations you defined in -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} (see {\hyperref[admin/conf_files/kdc_conf:logging]{\emph{{[}logging{]}}}}). For example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} tail /var/log/krb5kdc.log -Dec 02 12:35:47 beeblebrox krb5kdc[3187](info): commencing operation -shell\PYGZpc{} tail /var/log/kadmin.log -Dec 02 12:35:52 beeblebrox kadmind[3189](info): starting -\end{Verbatim} - -Any errors the daemons encounter while starting will also be listed in -the logging output. - -As an additional verification, check if \emph{kinit(1)} succeeds -against the principals that you have created on the previous step -({\hyperref[admin/install_kdc:addadmin-kdb]{\emph{Add administrators to the Kerberos database}}}). Run: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit admin/admin@ATHENA.MIT.EDU -\end{Verbatim} - - -\subsubsection{Install the slave KDCs} -\label{admin/install_kdc:install-the-slave-kdcs} -You are now ready to start configuring the slave KDCs. - -\begin{notice}{note}{Note:} -Assuming you are setting the KDCs up so that you can easily -switch the master KDC with one of the slaves, you should -perform each of these steps on the master KDC as well as the -slave KDCs, unless these instructions specify otherwise. -\end{notice} - - -\paragraph{Create host keytabs for slave KDCs} -\label{admin/install_kdc:slave-host-key}\label{admin/install_kdc:create-host-keytabs-for-slave-kdcs} -Each KDC needs a \code{host} key in the Kerberos database. These keys -are used for mutual authentication when propagating the database dump -file from the master KDC to the secondary KDC servers. - -On the master KDC, connect to administrative interface and create the -host principal for each of the KDCs' \code{host} services. For example, -if the master KDC were called \code{kerberos.mit.edu}, and you had a -slave KDC named \code{kerberos-1.mit.edu}, you would type the following: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kadmin -kadmin: addprinc \PYGZhy{}randkey host/kerberos.mit.edu -NOTICE: no policy specified for \PYGZdq{}host/kerberos.mit.edu@ATHENA.MIT.EDU\PYGZdq{}; assigning \PYGZdq{}default\PYGZdq{} -Principal \PYGZdq{}host/kerberos.mit.edu@ATHENA.MIT.EDU\PYGZdq{} created. - -kadmin: addprinc \PYGZhy{}randkey host/kerberos\PYGZhy{}1.mit.edu -NOTICE: no policy specified for \PYGZdq{}host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU\PYGZdq{}; assigning \PYGZdq{}default\PYGZdq{} -Principal \PYGZdq{}host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU\PYGZdq{} created. -\end{Verbatim} - -It is not strictly necessary to have the master KDC server in the -Kerberos database, but it can be handy if you want to be able to swap -the master KDC with one of the slaves. - -Next, extract \code{host} random keys for all participating KDCs and -store them in each host's default keytab file. Ideally, you should -extract each keytab locally on its own KDC. If this is not feasible, -you should use an encrypted session to send them across the network. -To extract a keytab directly on a slave KDC called -\code{kerberos-1.mit.edu}, you would execute the following command: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktadd host/kerberos\PYGZhy{}1.mit.edu -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type arcfour\PYGZhy{}hmac added to keytab FILE:/etc/krb5.keytab. -\end{Verbatim} - -If you are instead extracting a keytab for the slave KDC called -\code{kerberos-1.mit.edu} on the master KDC, you should use a dedicated -temporary keytab file for that machine's keytab: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktadd \PYGZhy{}k /tmp/kerberos\PYGZhy{}1.keytab host/kerberos\PYGZhy{}1.mit.edu -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. -Entry for principal host/kerberos\PYGZhy{}1.mit.edu with kvno 2, encryption - type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab. -\end{Verbatim} - -The file \code{/tmp/kerberos-1.keytab} can then be installed as -\code{/etc/krb5.keytab} on the host \code{kerberos-1.mit.edu}. - - -\paragraph{Configure slave KDCs} -\label{admin/install_kdc:configure-slave-kdcs} -Database propagation copies the contents of the master's database, but -does not propagate configuration files, stash files, or the kadm5 ACL -file. The following files must be copied by hand to each slave (see -{\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default locations for these files): -\begin{itemize} -\item {} -krb5.conf - -\item {} -kdc.conf - -\item {} -kadm5.acl - -\item {} -master key stash file - -\end{itemize} - -Move the copied files into their appropriate directories, exactly as -on the master KDC. kadm5.acl is only needed to allow a slave to swap -with the master KDC. - -The database is propagated from the master KDC to the slave KDCs via -the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} daemon. You must explicitly specify the -principals which are allowed to provide Kerberos dump updates on the -slave machine with a new database. Create a file named kpropd.acl in -the KDC state directory containing the \code{host} principals for each of -the KDCs: - -\begin{Verbatim}[commandchars=\\\{\}] -host/kerberos.mit.edu@ATHENA.MIT.EDU -host/kerberos\PYGZhy{}1.mit.edu@ATHENA.MIT.EDU -\end{Verbatim} - -\begin{notice}{note}{Note:} -If you expect that the master and slave KDCs will be -switched at some point of time, list the host principals -from all participating KDC servers in kpropd.acl files on -all of the KDCs. Otherwise, you only need to list the -master KDC's host principal in the kpropd.acl files of the -slave KDCs. -\end{notice} - -Then, add the following line to \code{/etc/inetd.conf} on each KDC -(adjust the path to kpropd): - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}prop stream tcp nowait root /usr/local/sbin/kpropd kpropd -\end{Verbatim} - -You also need to add the following line to \code{/etc/services} on each -KDC, if it is not already present (assuming that the default port is -used): - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}prop 754/tcp \PYGZsh{} Kerberos slave propagation -\end{Verbatim} - -Restart inetd daemon. - -Alternatively, start {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} as a stand-alone daemon. This is -required when incremental propagation is enabled. - -Now that the slave KDC is able to accept database propagation, you’ll -need to propagate the database from the master server. - -NOTE: Do not start the slave KDC yet; you still do not have a copy of -the master's database. - - -\paragraph{Propagate the database to each slave KDC} -\label{admin/install_kdc:kprop-to-slaves}\label{admin/install_kdc:propagate-the-database-to-each-slave-kdc} -First, create a dump file of the database on the master KDC, as -follows: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/slave\PYGZus{}datatrans -\end{Verbatim} - -Then, manually propagate the database to each slave KDC, as in the -following example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kprop \PYGZhy{}f /usr/local/var/krb5kdc/slave\PYGZus{}datatrans kerberos\PYGZhy{}1.mit.edu - -Database propagation to kerberos\PYGZhy{}1.mit.edu: SUCCEEDED -\end{Verbatim} - -You will need a script to dump and propagate the database. The -following is an example of a Bourne shell script that will do this. - -\begin{notice}{note}{Note:} -Remember that you need to replace \code{/usr/local/var/krb5kdc} -with the name of the KDC state directory. -\end{notice} - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZsh{}!/bin/sh - -kdclist = \PYGZdq{}kerberos\PYGZhy{}1.mit.edu kerberos\PYGZhy{}2.mit.edu\PYGZdq{} - -kdb5\PYGZus{}util dump /usr/local/var/krb5kdc/slave\PYGZus{}datatrans - -for kdc in \PYGZdl{}kdclist -do - kprop \PYGZhy{}f /usr/local/var/krb5kdc/slave\PYGZus{}datatrans \PYGZdl{}kdc -done -\end{Verbatim} - -You will need to set up a cron job to run this script at the intervals -you decided on earlier (see {\hyperref[admin/realm_config:db-prop]{\emph{Database propagation}}}). - -Now that the slave KDC has a copy of the Kerberos database, you can -start the krb5kdc daemon: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{shell}\PYG{o}{\PYGZpc{}} \PYG{n}{krb5kdc} -\end{Verbatim} - -As with the master KDC, you will probably want to add this command to -the KDCs' \code{/etc/rc} or \code{/etc/inittab} files, so they will start -the krb5kdc daemon automatically at boot time. - - -\subparagraph{Propagation failed?} -\label{admin/install_kdc:propagation-failed} -You may encounter the following error messages. For a more detailed -discussion on possible causes and solutions click on the error link -to be redirected to {\hyperref[admin/troubleshoot:troubleshoot]{\emph{Troubleshooting}}} section. -\begin{enumerate} -\item {} -{\hyperref[admin/troubleshoot:kprop-no-route]{\emph{kprop: No route to host while connecting to server}}} - -\item {} -{\hyperref[admin/troubleshoot:kprop-con-refused]{\emph{kprop: Connection refused while connecting to server}}} - -\item {} -{\hyperref[admin/troubleshoot:kprop-sendauth-exchange]{\emph{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}} - -\end{enumerate} - - -\subsubsection{Add Kerberos principals to the database} -\label{admin/install_kdc:add-kerberos-principals-to-the-database} -Once your KDCs are set up and running, you are ready to use -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} to load principals for your users, hosts, and other -services into the Kerberos database. This procedure is described -fully in {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}. - -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. See the following section for the -instructions. - - -\subsubsection{Switching master and slave KDCs} -\label{admin/install_kdc:switching-master-and-slave-kdcs}\label{admin/install_kdc:switch-master-slave} -You may occasionally want to use one of your slave KDCs as the master. -This might happen if you are upgrading the master KDC, or if your -master KDC has a disk crash. - -Assuming you have configured all of your KDCs to be able to function -as either the master KDC or a slave KDC (as this document recommends), -all you need to do to make the changeover is: - -If the master KDC is still running, do the following on the \emph{old} -master KDC: -\begin{enumerate} -\item {} -Kill the kadmind process. - -\item {} -Disable the cron job that propagates the database. - -\item {} -Run your database propagation script manually, to ensure that the -slaves all have the latest copy of the database (see -{\hyperref[admin/install_kdc:kprop-to-slaves]{\emph{Propagate the database to each slave KDC}}}). - -\end{enumerate} - -On the \emph{new} master KDC: -\begin{enumerate} -\item {} -Start the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon (see {\hyperref[admin/install_kdc:start-kdc-daemons]{\emph{Start the Kerberos daemons on the master KDC}}}). - -\item {} -Set up the cron job to propagate the database (see -{\hyperref[admin/install_kdc:kprop-to-slaves]{\emph{Propagate the database to each slave KDC}}}). - -\item {} -Switch the CNAMEs of the old and new master KDCs. If you can't do -this, you'll need to change the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file on every -client machine in your Kerberos realm. - -\end{enumerate} - - -\subsubsection{Incremental database propagation} -\label{admin/install_kdc:incremental-database-propagation} -If you expect your Kerberos database to become large, you may wish to -set up incremental propagation to slave KDCs. See {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}} -for details. - - -\subsection{Installing and configuring UNIX client machines} -\label{admin/install_clients:installing-and-configuring-unix-client-machines}\label{admin/install_clients::doc} -The Kerberized client programs include \emph{kinit(1)}, -\emph{klist(1)}, \emph{kdestroy(1)}, and \emph{kpasswd(1)}. All of -these programs are in the directory {\hyperref[mitK5defaults:paths]{\emph{BINDIR}}}. - -You can often integrate Kerberos with the login system on client -machines, typically through the use of PAM. The details vary by -operating system, and should be covered in your operating system's -documentation. If you do this, you will need to make sure your users -know to use their Kerberos passwords when they log in. - -You will also need to educate your users to use the ticket management -programs kinit, klist, and kdestroy. If you do not have Kerberos -password changing integrated into the native password program (again, -typically through PAM), you will need to educate users to use kpasswd -in place of its non-Kerberos counterparts passwd. - - -\subsubsection{Client machine configuration files} -\label{admin/install_clients:client-machine-configuration-files} -Each machine running Kerberos should have a {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file. -At a minimum, it should define a \textbf{default\_realm} setting in -{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. If you are not using DNS SRV records -({\hyperref[admin/realm_config:kdc-hostnames]{\emph{Hostnames for KDCs}}}) or URI records ({\hyperref[admin/realm_config:kdc-discovery]{\emph{KDC Discovery}}}), it must -also contain a {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section containing information for your -realm's KDCs. - -Consider setting \textbf{rdns} to false in order to reduce your dependence -on precisely correct DNS information for service hostnames. Turning -this flag off means that service hostnames will be canonicalized -through forward name resolution (which adds your domain name to -unqualified hostnames, and resolves CNAME records in DNS), but not -through reverse address lookup. The default value of this flag is -true for historical reasons only. - -If you anticipate users frequently logging into remote hosts -(e.g., using ssh) using forwardable credentials, consider setting -\textbf{forwardable} to true so that users obtain forwardable tickets by -default. Otherwise users will need to use \code{kinit -f} to get -forwardable tickets. - -Consider adjusting the \textbf{ticket\_lifetime} setting to match the likely -length of sessions for your users. For instance, if most of your -users will be logging in for an eight-hour workday, you could set the -default to ten hours so that tickets obtained in the morning expire -shortly after the end of the workday. Users can still manually -request longer tickets when necessary, up to the maximum allowed by -each user's principal record on the KDC. - -If a client host may access services in different realms, it may be -useful to define a {\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} mapping so that clients know -which hosts belong to which realms. However, if your clients and KDC -are running release 1.7 or later, it is also reasonable to leave this -section out on client machines and just define it in the KDC's -krb5.conf. - - -\subsection{UNIX Application Servers} -\label{admin/install_appl_srv:unix-application-servers}\label{admin/install_appl_srv::doc} -An application server is a host that provides one or more services -over the network. Application servers can be ``secure'' or ``insecure.'' -A ``secure'' host is set up to require authentication from every client -connecting to it. An ``insecure'' host will still provide Kerberos -authentication, but will also allow unauthenticated clients to -connect. - -If you have Kerberos V5 installed on all of your client machines, MIT -recommends that you make your hosts secure, to take advantage of the -security that Kerberos authentication affords. However, if you have -some clients that do not have Kerberos V5 installed, you can run an -insecure server, and still take advantage of Kerberos V5's single -sign-on capability. - - -\subsubsection{The keytab file} -\label{admin/install_appl_srv:the-keytab-file}\label{admin/install_appl_srv:keytab-file} -All Kerberos server machines need a keytab file to authenticate to the -KDC. By default on UNIX-like systems this file is named {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. -The keytab file is an local copy of the host's key. The keytab file -is a potential point of entry for a break-in, and if compromised, -would allow unrestricted access to its host. The keytab file should -be readable only by root, and should exist only on the machine's local -disk. The file should not be part of any backup of the machine, -unless access to the backup data is secured as tightly as access to -the machine's root password. - -In order to generate a keytab for a host, the host must have a -principal in the Kerberos database. The procedure for adding hosts to -the database is described fully in {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}. (See -{\hyperref[admin/install_kdc:slave-host-key]{\emph{Create host keytabs for slave KDCs}}} for a brief description.) The keytab is -generated by running {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} and issuing the {\hyperref[admin/admin_commands/kadmin_local:ktadd]{\emph{ktadd}}} -command. - -For example, to generate a keytab file to allow the host -\code{trillium.mit.edu} to authenticate for the services host, ftp, and -pop, the administrator \code{joeadmin} would issue the command (on -\code{trillium.mit.edu}): - -\begin{Verbatim}[commandchars=\\\{\}] -trillium\PYGZpc{} kadmin -kadmin5: ktadd host/trillium.mit.edu ftp/trillium.mit.edu - pop/trillium.mit.edu -kadmin: Entry for principal host/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab - FILE:/etc/krb5.keytab. -kadmin: Entry for principal ftp/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab - FILE:/etc/krb5.keytab. -kadmin: Entry for principal pop/trillium.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES\PYGZhy{}CBC\PYGZhy{}CRC added to keytab - FILE:/etc/krb5.keytab. -kadmin5: quit -trillium\PYGZpc{} -\end{Verbatim} - -If you generate the keytab file on another host, you need to get a -copy of the keytab file onto the destination host (\code{trillium}, in -the above example) without sending it unencrypted over the network. - - -\subsubsection{Some advice about secure hosts} -\label{admin/install_appl_srv:some-advice-about-secure-hosts} -Kerberos V5 can protect your host from certain types of break-ins, but -it is possible to install Kerberos V5 and still leave your host -vulnerable to attack. Obviously an installation guide is not the -place to try to include an exhaustive list of countermeasures for -every possible attack, but it is worth noting some of the larger holes -and how to close them. - -We recommend that backups of secure machines exclude the keytab file -({\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}). If this is not possible, the backups should at least be -done locally, rather than over a network, and the backup tapes should -be physically secured. - -The keytab file and any programs run by root, including the Kerberos -V5 binaries, should be kept on local disk. The keytab file should be -readable only by root. - - -\section{Additional references} -\label{admin/install:additional-references}\begin{enumerate} -\item {} -Debian: \href{http://techpubs.spinlocksolutions.com/dklar/kerberos.html}{Setting up MIT Kerberos 5} - -\item {} -Solaris: \href{http://download.oracle.com/docs/cd/E19253-01/816-4557/6maosrjv2/index.html}{Configuring the Kerberos Service} - -\end{enumerate} - - -\chapter{Configuration Files} -\label{admin/conf_files/index:configuration-files}\label{admin/conf_files/index::doc} -Kerberos uses configuration files to allow administrators to specify -settings on a per-machine basis. {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} applies to all -applications using the Kerboros library, on clients and servers. -For KDC-specific applications, additional settings can be specified in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; the two files are merged into a configuration profile -used by applications accessing the KDC database directly. {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} -is also only used on the KDC, it controls permissions for modifying the -KDC database. - - -\section{Contents} -\label{admin/conf_files/index:contents} - -\subsection{krb5.conf} -\label{admin/conf_files/krb5_conf::doc}\label{admin/conf_files/krb5_conf:krb5-conf}\label{admin/conf_files/krb5_conf:krb5-conf-5} -The krb5.conf file contains Kerberos configuration information, -including the locations of KDCs and admin servers for the Kerberos -realms of interest, defaults for the current realm and for Kerberos -applications, and mappings of hostnames onto Kerberos realms. -Normally, you should install your krb5.conf file in the directory -\code{/etc}. You can override the default location by setting the -environment variable \textbf{KRB5\_CONFIG}. Multiple colon-separated -filenames may be specified in \textbf{KRB5\_CONFIG}; all files which are -present will be read. Starting in release 1.14, directory names can -also be specified in \textbf{KRB5\_CONFIG}; all files within the directory -whose names consist solely of alphanumeric characters, dashes, or -underscores will be read. - - -\subsubsection{Structure} -\label{admin/conf_files/krb5_conf:structure} -The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{foo} \PYG{o}{=} \PYG{n}{bar} -\end{Verbatim} - -or: - -\begin{Verbatim}[commandchars=\\\{\}] -fubar = \PYGZob{} - foo = bar - baz = quux -\PYGZcb{} -\end{Verbatim} - -Placing a `*' at the end of a line indicates that this is the \emph{final} -value for the tag. This means that neither the remainder of this -configuration file nor any other configuration file will be checked -for any other values for this tag. - -For example, if you have the following lines: - -\begin{Verbatim}[commandchars=\\\{\}] -foo = bar* -foo = baz -\end{Verbatim} - -then the second value of \code{foo} (\code{baz}) would never be read. - -The krb5.conf file can include other files using either of the -following directives at the beginning of a line: - -\begin{Verbatim}[commandchars=\\\{\}] -include FILENAME -includedir DIRNAME -\end{Verbatim} - -\emph{FILENAME} or \emph{DIRNAME} should be an absolute path. The named file or -directory must exist and be readable. Including a directory includes -all files within the directory whose names consist solely of -alphanumeric characters, dashes, or underscores. Starting in release -1.15, files with names ending in ''.conf'' are also included, unless the -name begins with ''.''. Included profile files are syntactically -independent of their parents, so each included file must begin with a -section header. - -The krb5.conf file can specify that configuration should be obtained -from a loadable module, rather than the file itself, using the -following directive at the beginning of a line before any section -headers: - -\begin{Verbatim}[commandchars=\\\{\}] -module MODULEPATH:RESIDUAL -\end{Verbatim} - -\emph{MODULEPATH} may be relative to the library path of the krb5 -installation, or it may be an absolute path. \emph{RESIDUAL} is provided -to the module at initialization time. If krb5.conf uses a module -directive, {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} should also use one if it exists. - - -\subsubsection{Sections} -\label{admin/conf_files/krb5_conf:sections} -The krb5.conf file may contain the following sections: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} - & -Settings used by the Kerberos V5 library -\\ -\hline -{\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} - & -Realm-specific contact information and settings -\\ -\hline -{\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} - & -Maps server hostnames to Kerberos realms -\\ -\hline -{\hyperref[admin/conf_files/krb5_conf:capaths]{\emph{{[}capaths{]}}}} - & -Authentication paths for non-hierarchical cross-realm -\\ -\hline -{\hyperref[admin/conf_files/krb5_conf:appdefaults]{\emph{{[}appdefaults{]}}}} - & -Settings used by some Kerberos V5 applications -\\ -\hline -{\hyperref[admin/conf_files/krb5_conf:plugins]{\emph{{[}plugins{]}}}} - & -Controls plugin module registration -\\ -\hline\end{tabulary} - - -Additionally, krb5.conf may include any of the relations described in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, but it is not a recommended practice. - - -\paragraph{{[}libdefaults{]}} -\label{admin/conf_files/krb5_conf:libdefaults}\label{admin/conf_files/krb5_conf:id1} -The libdefaults section may contain any of the following relations: -\begin{description} -\item[{\textbf{allow\_weak\_crypto}}] \leavevmode -If this flag is set to false, then weak encryption types (as noted -in {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}) will be filtered -out of the lists \textbf{default\_tgs\_enctypes}, -\textbf{default\_tkt\_enctypes}, and \textbf{permitted\_enctypes}. The default -value for this tag is false, which may cause authentication -failures in existing Kerberos infrastructures that do not support -strong crypto. Users in affected environments should set this tag -to true until their infrastructure adopts stronger ciphers. - -\item[{\textbf{ap\_req\_checksum\_type}}] \leavevmode -An integer which specifies the type of AP-REQ checksum to use in -authenticators. This variable should be unset so the appropriate -checksum for the encryption key in use will be used. This can be -set if backward compatibility requires a specific checksum type. -See the \textbf{kdc\_req\_checksum\_type} configuration option for the -possible values and their meanings. - -\item[{\textbf{canonicalize}}] \leavevmode -If this flag is set to true, initial ticket requests to the KDC -will request canonicalization of the client principal name, and -answers with different client principals than the requested -principal will be accepted. The default value is false. - -\item[{\textbf{ccache\_type}}] \leavevmode -This parameter determines the format of credential cache types -created by \emph{kinit(1)} or other programs. The default value -is 4, which represents the most current format. Smaller values -can be used for compatibility with very old implementations of -Kerberos which interact with credential caches on the same host. - -\item[{\textbf{clockskew}}] \leavevmode -Sets the maximum allowable amount of clockskew in seconds that the -library will tolerate before assuming that a Kerberos message is -invalid. The default value is 300 seconds, or five minutes. - -The clockskew setting is also used when evaluating ticket start -and expiration times. For example, tickets that have reached -their expiration time can still be used (and renewed if they are -renewable tickets) if they have been expired for a shorter -duration than the \textbf{clockskew} setting. - -\item[{\textbf{default\_ccache\_name}}] \leavevmode -This relation specifies the name of the default credential cache. -The default is {\hyperref[mitK5defaults:paths]{\emph{DEFCCNAME}}}. This relation is subject to parameter -expansion (see below). New in release 1.11. - -\item[{\textbf{default\_client\_keytab\_name}}] \leavevmode -This relation specifies the name of the default keytab for -obtaining client credentials. The default is {\hyperref[mitK5defaults:paths]{\emph{DEFCKTNAME}}}. This -relation is subject to parameter expansion (see below). -New in release 1.11. - -\item[{\textbf{default\_keytab\_name}}] \leavevmode -This relation specifies the default keytab name to be used by -application servers such as sshd. The default is {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. This -relation is subject to parameter expansion (see below). - -\item[{\textbf{default\_realm}}] \leavevmode -Identifies the default Kerberos realm for the client. Set its -value to your Kerberos realm. If this value is not set, then a -realm must be specified with every Kerberos principal when -invoking programs such as \emph{kinit(1)}. - -\item[{\textbf{default\_tgs\_enctypes}}] \leavevmode -Identifies the supported list of session key encryption types that -the client should request when making a TGS-REQ, in order of -preference from highest to lowest. The list may be delimited with -commas or whitespace. See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the accepted values for this tag. -The default value is \code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types -will be implicitly removed from this list if the value of -\textbf{allow\_weak\_crypto} is false. - -Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded. - -\item[{\textbf{default\_tkt\_enctypes}}] \leavevmode -Identifies the supported list of session key encryption types that -the client should request when making an AS-REQ, in order of -preference from highest to lowest. The format is the same as for -default\_tgs\_enctypes. The default value for this tag is -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly -removed from this list if the value of \textbf{allow\_weak\_crypto} is -false. - -Do not set this unless required for specific backward -compatibility purposes; stale values of this setting can prevent -clients from taking advantage of new stronger enctypes when the -libraries are upgraded. - -\item[{\textbf{dns\_canonicalize\_hostname}}] \leavevmode -Indicate whether name lookups will be used to canonicalize -hostnames for use in service principal names. Setting this flag -to false can improve security by reducing reliance on DNS, but -means that short hostnames will not be canonicalized to -fully-qualified hostnames. The default value is true. - -\item[{\textbf{dns\_lookup\_kdc}}] \leavevmode -Indicate whether DNS SRV records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. (Note that the admin\_server -entry must be in the krb5.conf realm information in order to -contact kadmind, because the DNS implementation for kadmin is -incomplete.) - -Enabling this option does open up a type of denial-of-service -attack, if someone spoofs the DNS records and redirects you to -another server. However, it's no worse than a denial of service, -because that fake KDC will be unable to decode anything you send -it (besides the initial ticket request, which has no encrypted -data), and anything the fake KDC sends will not be trusted without -verification using some secret that it won't know. - -\item[{\textbf{dns\_uri\_lookup}}] \leavevmode -Indicate whether DNS URI records should be used to locate the KDCs -and other servers for a realm, if they are not listed in the -krb5.conf information for the realm. SRV records are used as a -fallback if no URI records were found. The default value is true. -New in release 1.15. - -\item[{\textbf{err\_fmt}}] \leavevmode -This relation allows for custom error message formatting. If a -value is set, error messages will be formatted by substituting a -normal error message for \%M and an error code for \%C in the value. - -\item[{\textbf{extra\_addresses}}] \leavevmode -This allows a computer to use multiple local addresses, in order -to allow Kerberos to work in a network that uses NATs while still -using address-restricted tickets. The addresses should be in a -comma-separated list. This option has no effect if -\textbf{noaddresses} is true. - -\item[{\textbf{forwardable}}] \leavevmode -If this flag is true, initial tickets will be forwardable by -default, if allowed by the KDC. The default value is false. - -\item[{\textbf{ignore\_acceptor\_hostname}}] \leavevmode -When accepting GSSAPI or krb5 security contexts for host-based -service principals, ignore any hostname passed by the calling -application, and allow clients to authenticate to any service -principal in the keytab matching the service name and realm name -(if given). This option can improve the administrative -flexibility of server applications on multihomed hosts, but could -compromise the security of virtual hosting environments. The -default value is false. New in release 1.10. - -\item[{\textbf{k5login\_authoritative}}] \leavevmode -If this flag is true, principals must be listed in a local user's -k5login file to be granted login access, if a \emph{.k5login(5)} -file exists. If this flag is false, a principal may still be -granted login access through other mechanisms even if a k5login -file exists but does not list the principal. The default value is -true. - -\item[{\textbf{k5login\_directory}}] \leavevmode -If set, the library will look for a local user's k5login file -within the named directory, with a filename corresponding to the -local username. If not set, the library will look for k5login -files in the user's home directory, with the filename .k5login. -For security reasons, .k5login files must be owned by -the local user or by root. - -\item[{\textbf{kcm\_mach\_service}}] \leavevmode -On OS X only, determines the name of the bootstrap service used to -contact the KCM daemon for the KCM credential cache type. If the -value is \code{-}, Mach RPC will not be used to contact the KCM -daemon. The default value is \code{org.h5l.kcm}. - -\item[{\textbf{kcm\_socket}}] \leavevmode -Determines the path to the Unix domain socket used to access the -KCM daemon for the KCM credential cache type. If the value is -\code{-}, Unix domain sockets will not be used to contact the KCM -daemon. The default value is -\code{/var/run/.heim\_org.h5l.kcm-socket}. - -\item[{\textbf{kdc\_default\_options}}] \leavevmode -Default KDC options (Xored for multiple values) when requesting -initial tickets. By default it is set to 0x00000010 -(KDC\_OPT\_RENEWABLE\_OK). - -\item[{\textbf{kdc\_timesync}}] \leavevmode -Accepted values for this relation are 1 or 0. If it is nonzero, -client machines will compute the difference between their time and -the time returned by the KDC in the timestamps in the tickets and -use this value to correct for an inaccurate system clock when -requesting service tickets or authenticating to services. This -corrective factor is only used by the Kerberos library; it is not -used to change the system clock. The default value is 1. - -\item[{\textbf{kdc\_req\_checksum\_type}}] \leavevmode -An integer which specifies the type of checksum to use for the KDC -requests, for compatibility with very old KDC implementations. -This value is only used for DES keys; other keys use the preferred -checksum type for those keys. - -The possible values and their meanings are as follows. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -1 - & -CRC32 -\\ -\hline -2 - & -RSA MD4 -\\ -\hline -3 - & -RSA MD4 DES -\\ -\hline -4 - & -DES CBC -\\ -\hline -7 - & -RSA MD5 -\\ -\hline -8 - & -RSA MD5 DES -\\ -\hline -9 - & -NIST SHA -\\ -\hline -12 - & -HMAC SHA1 DES3 -\\ -\hline --138 - & -Microsoft MD5 HMAC checksum type -\\ -\hline\end{tabulary} - - -\item[{\textbf{noaddresses}}] \leavevmode -If this flag is true, requests for initial tickets will not be -made with address restrictions set, allowing the tickets to be -used across NATs. The default value is true. - -\item[{\textbf{permitted\_enctypes}}] \leavevmode -Identifies all encryption types that are permitted for use in -session key encryption. The default value for this tag is -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4}, but single-DES encryption types will be implicitly -removed from this list if the value of \textbf{allow\_weak\_crypto} is -false. - -\item[{\textbf{plugin\_base\_dir}}] \leavevmode -If set, determines the base directory where krb5 plugins are -located. The default value is the \code{krb5/plugins} subdirectory -of the krb5 library directory. - -\item[{\textbf{preferred\_preauth\_types}}] \leavevmode -This allows you to set the preferred preauthentication types which -the client will attempt before others which may be advertised by a -KDC. The default value for this setting is ``17, 16, 15, 14'', -which forces libkrb5 to attempt to use PKINIT if it is supported. - -\item[{\textbf{proxiable}}] \leavevmode -If this flag is true, initial tickets will be proxiable by -default, if allowed by the KDC. The default value is false. - -\item[{\textbf{rdns}}] \leavevmode -If this flag is true, reverse name lookup will be used in addition -to forward name lookup to canonicalizing hostnames for use in -service principal names. If \textbf{dns\_canonicalize\_hostname} is set -to false, this flag has no effect. The default value is true. - -\item[{\textbf{realm\_try\_domains}}] \leavevmode -Indicate whether a host's domain components should be used to -determine the Kerberos realm of the host. The value of this -variable is an integer: -1 means not to search, 0 means to try the -host's domain itself, 1 means to also try the domain's immediate -parent, and so forth. The library's usual mechanism for locating -Kerberos realms is used to determine whether a domain is a valid -realm, which may involve consulting DNS if \textbf{dns\_lookup\_kdc} is -set. The default is not to search domain components. - -\item[{\textbf{renew\_lifetime}}] \leavevmode -(\emph{duration} string.) Sets the default renewable lifetime -for initial ticket requests. The default value is 0. - -\item[{\textbf{safe\_checksum\_type}}] \leavevmode -An integer which specifies the type of checksum to use for the -KRB-SAFE requests. By default it is set to 8 (RSA MD5 DES). For -compatibility with applications linked against DCE version 1.1 or -earlier Kerberos libraries, use a value of 3 to use the RSA MD4 -DES instead. This field is ignored when its value is incompatible -with the session key type. See the \textbf{kdc\_req\_checksum\_type} -configuration option for the possible values and their meanings. - -\item[{\textbf{ticket\_lifetime}}] \leavevmode -(\emph{duration} string.) Sets the default lifetime for initial -ticket requests. The default value is 1 day. - -\item[{\textbf{udp\_preference\_limit}}] \leavevmode -When sending a message to the KDC, the library will try using TCP -before UDP if the size of the message is above -\textbf{udp\_preference\_limit}. If the message is smaller than -\textbf{udp\_preference\_limit}, then UDP will be tried before TCP. -Regardless of the size, both protocols will be tried if the first -attempt fails. - -\item[{\textbf{verify\_ap\_req\_nofail}}] \leavevmode -If this flag is true, then an attempt to verify initial -credentials will fail if the client machine does not have a -keytab. The default value is false. - -\end{description} - - -\paragraph{{[}realms{]}} -\label{admin/conf_files/krb5_conf:id2}\label{admin/conf_files/krb5_conf:realms} -Each tag in the {[}realms{]} section of the file is the name of a Kerberos -realm. The value of the tag is a subsection with relations that -define the properties of that particular realm. For each realm, the -following tags may be specified in the realm's subsection: -\begin{description} -\item[{\textbf{admin\_server}}] \leavevmode -Identifies the host where the administration server is running. -Typically, this is the master Kerberos server. This tag must be -given a value in order to communicate with the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} -server for the realm. - -\item[{\textbf{auth\_to\_local}}] \leavevmode -This tag allows you to set a general rule for mapping principal -names to local user names. It will be used if there is not an -explicit mapping for the principal name that is being -translated. The possible values are: -\begin{description} -\item[{\textbf{RULE:}\emph{exp}}] \leavevmode -The local name will be formulated from \emph{exp}. - -The format for \emph{exp} is \textbf{{[}}\emph{n}\textbf{:}\emph{string}\textbf{{]}(}\emph{regexp}\textbf{)s/}\emph{pattern}\textbf{/}\emph{replacement}\textbf{/g}. -The integer \emph{n} indicates how many components the target -principal should have. If this matches, then a string will be -formed from \emph{string}, substituting the realm of the principal -for \code{\$0} and the \emph{n}`th component of the principal for -\code{\$n} (e.g., if the principal was \code{johndoe/admin} then -\code{{[}2:\$2\$1foo{]}} would result in the string -\code{adminjohndoefoo}). If this string matches \emph{regexp}, then -the \code{s//{[}g{]}} substitution command will be run over the -string. The optional \textbf{g} will cause the substitution to be -global over the \emph{string}, instead of replacing only the first -match in the \emph{string}. - -\item[{\textbf{DEFAULT}}] \leavevmode -The principal name will be used as the local user name. If -the principal has more than one component or is not in the -default realm, this rule is not applicable and the conversion -will fail. - -\end{description} - -For example: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ATHENA.MIT.EDU = \PYGZob{} - auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1](johndoe)s/\PYGZca{}.*\PYGZdl{}/guest/ - auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}1;\PYGZdl{}2](\PYGZca{}.*;admin\PYGZdl{})s/;admin\PYGZdl{}// - auth\PYGZus{}to\PYGZus{}local = RULE:[2:\PYGZdl{}2](\PYGZca{}.*;root)s/\PYGZca{}.*\PYGZdl{}/root/ - auto\PYGZus{}to\PYGZus{}local = DEFAULT - \PYGZcb{} -\end{Verbatim} - -would result in any principal without \code{root} or \code{admin} as the -second component to be translated with the default rule. A -principal with a second component of \code{admin} will become its -first component. \code{root} will be used as the local name for any -principal with a second component of \code{root}. The exception to -these two rules are any principals \code{johndoe/*}, which will -always get the local name \code{guest}. - -\item[{\textbf{auth\_to\_local\_names}}] \leavevmode -This subsection allows you to set explicit mappings from principal -names to local user names. The tag is the mapping name, and the -value is the corresponding local user name. - -\item[{\textbf{default\_domain}}] \leavevmode -This tag specifies the domain used to expand hostnames when -translating Kerberos 4 service principals to Kerberos 5 principals -(for example, when converting \code{rcmd.hostname} to -\code{host/hostname.domain}). - -\item[{\textbf{http\_anchors}}] \leavevmode -When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag -can be used to specify the location of the CA certificate which should be -trusted to issue the certificate for a proxy server. If left unspecified, -the system-wide default set of CA certificates is used. - -The syntax for values is similar to that of values for the -\textbf{pkinit\_anchors} tag: - -\textbf{FILE:} \emph{filename} - -\emph{filename} is assumed to be the name of an OpenSSL-style ca-bundle file. - -\textbf{DIR:} \emph{dirname} - -\emph{dirname} is assumed to be an directory which contains CA certificates. -All files in the directory will be examined; if they contain certificates -(in PEM format), they will be used. - -\textbf{ENV:} \emph{envvar} - -\emph{envvar} specifies the name of an environment variable which has been set -to a value conforming to one of the previous values. For example, -\code{ENV:X509\_PROXY\_CA}, where environment variable \code{X509\_PROXY\_CA} has -been set to \code{FILE:/tmp/my\_proxy.pem}. - -\item[{\textbf{kdc}}] \leavevmode -The name or address of a host running a KDC for that realm. An -optional port number, separated from the hostname by a colon, may -be included. If the name or address contains colons (for example, -if it is an IPv6 address), enclose it in square brackets to -distinguish the colon from a port separator. For your computer to -be able to communicate with the KDC for each realm, this tag must -be given a value in each realm subsection in the configuration -file, or there must be DNS SRV records specifying the KDCs. - -\item[{\textbf{kpasswd\_server}}] \leavevmode -Points to the server where all the password changes are performed. -If there is no such entry, the port 464 on the \textbf{admin\_server} -host will be tried. - -\item[{\textbf{master\_kdc}}] \leavevmode -Identifies the master KDC(s). Currently, this tag is used in only -one case: If an attempt to get credentials fails because of an -invalid password, the client software will attempt to contact the -master KDC, in case the user's password has just been changed, and -the updated database has not been propagated to the slave servers -yet. - -\item[{\textbf{v4\_instance\_convert}}] \leavevmode -This subsection allows the administrator to configure exceptions -to the \textbf{default\_domain} mapping rule. It contains V4 instances -(the tag name) which should be translated to some specific -hostname (the tag value) as the second component in a Kerberos V5 -principal name. - -\item[{\textbf{v4\_realm}}] \leavevmode -This relation is used by the krb524 library routines when -converting a V5 principal name to a V4 principal name. It is used -when the V4 realm name and the V5 realm name are not the same, but -still share the same principal names and passwords. The tag value -is the Kerberos V4 realm name. - -\end{description} - - -\paragraph{{[}domain\_realm{]}} -\label{admin/conf_files/krb5_conf:id3}\label{admin/conf_files/krb5_conf:domain-realm} -The {[}domain\_realm{]} section provides a translation from a domain name -or hostname to a Kerberos realm name. The tag name can be a host name -or domain name, where domain names are indicated by a prefix of a -period (\code{.}). The value of the relation is the Kerberos realm name -for that particular host or domain. A host name relation implicitly -provides the corresponding domain name relation, unless an explicit domain -name relation is provided. The Kerberos realm may be -identified either in the {\hyperref[admin/conf_files/krb5_conf:realms]{realms}} section or using DNS SRV records. -Host names and domain names should be in lower case. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -[domain\PYGZus{}realm] - crash.mit.edu = TEST.ATHENA.MIT.EDU - .dev.mit.edu = TEST.ATHENA.MIT.EDU - mit.edu = ATHENA.MIT.EDU -\end{Verbatim} - -maps the host with the name \code{crash.mit.edu} into the -\code{TEST.ATHENA.MIT.EDU} realm. The second entry maps all hosts under the -domain \code{dev.mit.edu} into the \code{TEST.ATHENA.MIT.EDU} realm, but not -the host with the name \code{dev.mit.edu}. That host is matched -by the third entry, which maps the host \code{mit.edu} and all hosts -under the domain \code{mit.edu} that do not match a preceding rule -into the realm \code{ATHENA.MIT.EDU}. - -If no translation entry applies to a hostname used for a service -principal for a service ticket request, the library will try to get a -referral to the appropriate realm from the client realm's KDC. If -that does not succeed, the host's realm is considered to be the -hostname's domain portion converted to uppercase, unless the -\textbf{realm\_try\_domains} setting in {[}libdefaults{]} causes a different -parent domain to be used. - - -\paragraph{{[}capaths{]}} -\label{admin/conf_files/krb5_conf:id4}\label{admin/conf_files/krb5_conf:capaths} -In order to perform direct (non-hierarchical) cross-realm -authentication, configuration is needed to determine the -authentication paths between realms. - -A client will use this section to find the authentication path between -its realm and the realm of the server. The server will use this -section to verify the authentication path used by the client, by -checking the transited field of the received ticket. - -There is a tag for each participating client realm, and each tag has -subtags for each of the server realms. The value of the subtags is an -intermediate realm which may participate in the cross-realm -authentication. The subtags may be repeated if there is more then one -intermediate realm. A value of ''.'' means that the two realms share -keys directly, and no intermediate realms should be allowed to -participate. - -Only those entries which will be needed on the client or the server -need to be present. A client needs a tag for its local realm with -subtags for all the realms of servers it will need to authenticate to. -A server needs a tag for each realm of the clients it will serve, with -a subtag of the server realm. - -For example, \code{ANL.GOV}, \code{PNL.GOV}, and \code{NERSC.GOV} all wish to -use the \code{ES.NET} realm as an intermediate realm. ANL has a sub -realm of \code{TEST.ANL.GOV} which will authenticate with \code{NERSC.GOV} -but not \code{PNL.GOV}. The {[}capaths{]} section for \code{ANL.GOV} systems -would look like this: - -\begin{Verbatim}[commandchars=\\\{\}] -[capaths] - ANL.GOV = \PYGZob{} - TEST.ANL.GOV = . - PNL.GOV = ES.NET - NERSC.GOV = ES.NET - ES.NET = . - \PYGZcb{} - TEST.ANL.GOV = \PYGZob{} - ANL.GOV = . - \PYGZcb{} - PNL.GOV = \PYGZob{} - ANL.GOV = ES.NET - \PYGZcb{} - NERSC.GOV = \PYGZob{} - ANL.GOV = ES.NET - \PYGZcb{} - ES.NET = \PYGZob{} - ANL.GOV = . - \PYGZcb{} -\end{Verbatim} - -The {[}capaths{]} section of the configuration file used on \code{NERSC.GOV} -systems would look like this: - -\begin{Verbatim}[commandchars=\\\{\}] -[capaths] - NERSC.GOV = \PYGZob{} - ANL.GOV = ES.NET - TEST.ANL.GOV = ES.NET - TEST.ANL.GOV = ANL.GOV - PNL.GOV = ES.NET - ES.NET = . - \PYGZcb{} - ANL.GOV = \PYGZob{} - NERSC.GOV = ES.NET - \PYGZcb{} - PNL.GOV = \PYGZob{} - NERSC.GOV = ES.NET - \PYGZcb{} - ES.NET = \PYGZob{} - NERSC.GOV = . - \PYGZcb{} - TEST.ANL.GOV = \PYGZob{} - NERSC.GOV = ANL.GOV - NERSC.GOV = ES.NET - \PYGZcb{} -\end{Verbatim} - -When a subtag is used more than once within a tag, clients will use -the order of values to determine the path. The order of values is not -important to servers. - - -\paragraph{{[}appdefaults{]}} -\label{admin/conf_files/krb5_conf:id5}\label{admin/conf_files/krb5_conf:appdefaults} -Each tag in the {[}appdefaults{]} section names a Kerberos V5 application -or an option that is used by some Kerberos V5 application{[}s{]}. The -value of the tag defines the default behaviors for that application. - -For example: - -\begin{Verbatim}[commandchars=\\\{\}] -[appdefaults] - telnet = \PYGZob{} - ATHENA.MIT.EDU = \PYGZob{} - option1 = false - \PYGZcb{} - \PYGZcb{} - telnet = \PYGZob{} - option1 = true - option2 = true - \PYGZcb{} - ATHENA.MIT.EDU = \PYGZob{} - option2 = false - \PYGZcb{} - option2 = true -\end{Verbatim} - -The above four ways of specifying the value of an option are shown in -order of decreasing precedence. In this example, if telnet is running -in the realm EXAMPLE.COM, it should, by default, have option1 and -option2 set to true. However, a telnet program in the realm -\code{ATHENA.MIT.EDU} should have \code{option1} set to false and -\code{option2} set to true. Any other programs in ATHENA.MIT.EDU should -have \code{option2} set to false by default. Any programs running in -other realms should have \code{option2} set to true. - -The list of specifiable options for each application may be found in -that application's man pages. The application defaults specified here -are overridden by those specified in the {\hyperref[admin/conf_files/krb5_conf:realms]{realms}} section. - - -\paragraph{{[}plugins{]}} -\label{admin/conf_files/krb5_conf:id6}\label{admin/conf_files/krb5_conf:plugins}\begin{itemize} -\item {} -{\hyperref[admin/conf_files/krb5_conf:pwqual]{pwqual}} interface - -\item {} -{\hyperref[admin/conf_files/krb5_conf:kadm5-hook]{kadm5\_hook}} interface - -\item {} -{\hyperref[admin/conf_files/krb5_conf:clpreauth]{clpreauth}} and {\hyperref[admin/conf_files/krb5_conf:kdcpreauth]{kdcpreauth}} interfaces - -\end{itemize} - -Tags in the {[}plugins{]} section can be used to register dynamic plugin -modules and to turn modules on and off. Not every krb5 pluggable -interface uses the {[}plugins{]} section; the ones that do are documented -here. - -New in release 1.9. - -Each pluggable interface corresponds to a subsection of {[}plugins{]}. -All subsections support the same tags: -\begin{description} -\item[{\textbf{disable}}] \leavevmode -This tag may have multiple values. If there are values for this -tag, then the named modules will be disabled for the pluggable -interface. - -\item[{\textbf{enable\_only}}] \leavevmode -This tag may have multiple values. If there are values for this -tag, then only the named modules will be enabled for the pluggable -interface. - -\item[{\textbf{module}}] \leavevmode -This tag may have multiple values. Each value is a string of the -form \code{modulename:pathname}, which causes the shared object -located at \emph{pathname} to be registered as a dynamic module named -\emph{modulename} for the pluggable interface. If \emph{pathname} is not an -absolute path, it will be treated as relative to the -\textbf{plugin\_base\_dir} value from {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. - -\end{description} - -For pluggable interfaces where module order matters, modules -registered with a \textbf{module} tag normally come first, in the order -they are registered, followed by built-in modules in the order they -are documented below. If \textbf{enable\_only} tags are used, then the -order of those tags overrides the normal module order. - -The following subsections are currently supported within the {[}plugins{]} -section: - - -\subparagraph{ccselect interface} -\label{admin/conf_files/krb5_conf:ccselect}\label{admin/conf_files/krb5_conf:ccselect-interface} -The ccselect subsection controls modules for credential cache -selection within a cache collection. In addition to any registered -dynamic modules, the following built-in modules exist (and may be -disabled with the disable tag): -\begin{description} -\item[{\textbf{k5identity}}] \leavevmode -Uses a .k5identity file in the user's home directory to select a -client principal - -\item[{\textbf{realm}}] \leavevmode -Uses the service realm to guess an appropriate cache from the -collection - -\end{description} - - -\subparagraph{pwqual interface} -\label{admin/conf_files/krb5_conf:pwqual-interface}\label{admin/conf_files/krb5_conf:pwqual} -The pwqual subsection controls modules for the password quality -interface, which is used to reject weak passwords when passwords are -changed. The following built-in modules exist for this interface: -\begin{description} -\item[{\textbf{dict}}] \leavevmode -Checks against the realm dictionary file - -\item[{\textbf{empty}}] \leavevmode -Rejects empty passwords - -\item[{\textbf{hesiod}}] \leavevmode -Checks against user information stored in Hesiod (only if Kerberos -was built with Hesiod support) - -\item[{\textbf{princ}}] \leavevmode -Checks against components of the principal name - -\end{description} - - -\subparagraph{kadm5\_hook interface} -\label{admin/conf_files/krb5_conf:kadm5-hook-interface}\label{admin/conf_files/krb5_conf:kadm5-hook} -The kadm5\_hook interface provides plugins with information on -principal creation, modification, password changes and deletion. This -interface can be used to write a plugin to synchronize MIT Kerberos -with another database such as Active Directory. No plugins are built -in for this interface. -\phantomsection\label{admin/conf_files/krb5_conf:clpreauth} - -\subparagraph{clpreauth and kdcpreauth interfaces} -\label{admin/conf_files/krb5_conf:clpreauth-and-kdcpreauth-interfaces}\label{admin/conf_files/krb5_conf:clpreauth}\label{admin/conf_files/krb5_conf:kdcpreauth} -The clpreauth and kdcpreauth interfaces allow plugin modules to -provide client and KDC preauthentication mechanisms. The following -built-in modules exist for these interfaces: -\begin{description} -\item[{\textbf{pkinit}}] \leavevmode -This module implements the PKINIT preauthentication mechanism. - -\item[{\textbf{encrypted\_challenge}}] \leavevmode -This module implements the encrypted challenge FAST factor. - -\item[{\textbf{encrypted\_timestamp}}] \leavevmode -This module implements the encrypted timestamp mechanism. - -\end{description} - - -\subparagraph{hostrealm interface} -\label{admin/conf_files/krb5_conf:hostrealm-interface}\label{admin/conf_files/krb5_conf:hostrealm} -The hostrealm section (introduced in release 1.12) controls modules -for the host-to-realm interface, which affects the local mapping of -hostnames to realm names and the choice of default realm. The following -built-in modules exist for this interface: -\begin{description} -\item[{\textbf{profile}}] \leavevmode -This module consults the {[}domain\_realm{]} section of the profile for -authoritative host-to-realm mappings, and the \textbf{default\_realm} -variable for the default realm. - -\item[{\textbf{dns}}] \leavevmode -This module looks for DNS records for fallback host-to-realm -mappings and the default realm. It only operates if the -\textbf{dns\_lookup\_realm} variable is set to true. - -\item[{\textbf{domain}}] \leavevmode -This module applies heuristics for fallback host-to-realm -mappings. It implements the \textbf{realm\_try\_domains} variable, and -uses the uppercased parent domain of the hostname if that does not -produce a result. - -\end{description} - - -\subparagraph{localauth interface} -\label{admin/conf_files/krb5_conf:localauth-interface}\label{admin/conf_files/krb5_conf:localauth} -The localauth section (introduced in release 1.12) controls modules -for the local authorization interface, which affects the relationship -between Kerberos principals and local system accounts. The following -built-in modules exist for this interface: -\begin{description} -\item[{\textbf{default}}] \leavevmode -This module implements the \textbf{DEFAULT} type for \textbf{auth\_to\_local} -values. - -\item[{\textbf{rule}}] \leavevmode -This module implements the \textbf{RULE} type for \textbf{auth\_to\_local} -values. - -\item[{\textbf{names}}] \leavevmode -This module looks for an \textbf{auth\_to\_local\_names} mapping for the -principal name. - -\item[{\textbf{auth\_to\_local}}] \leavevmode -This module processes \textbf{auth\_to\_local} values in the default -realm's section, and applies the default method if no -\textbf{auth\_to\_local} values exist. - -\item[{\textbf{k5login}}] \leavevmode -This module authorizes a principal to a local account according to -the account's \emph{.k5login(5)} file. - -\item[{\textbf{an2ln}}] \leavevmode -This module authorizes a principal to a local account if the -principal name maps to the local account name. - -\end{description} - - -\subsubsection{PKINIT options} -\label{admin/conf_files/krb5_conf:pkinit-options} -\begin{notice}{note}{Note:} -The following are PKINIT-specific options. These values may -be specified in {[}libdefaults{]} as global defaults, or within -a realm-specific subsection of {[}libdefaults{]}, or may be -specified as realm-specific values in the {[}realms{]} section. -A realm-specific value overrides, not adds to, a generic -{[}libdefaults{]} specification. The search order is: -\end{notice} -\begin{enumerate} -\item {} -realm-specific subsection of {[}libdefaults{]}: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - EXAMPLE.COM = \PYGZob{} - pkinit\PYGZus{}anchors = FILE:/usr/local/example.com.crt - \PYGZcb{} -\end{Verbatim} - -\item {} -realm-specific value in the {[}realms{]} section: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - OTHERREALM.ORG = \PYGZob{} - pkinit\PYGZus{}anchors = FILE:/usr/local/otherrealm.org.crt - \PYGZcb{} -\end{Verbatim} - -\item {} -generic value in the {[}libdefaults{]} section: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - pkinit\PYGZus{}anchors = DIR:/usr/local/generic\PYGZus{}trusted\PYGZus{}cas/ -\end{Verbatim} - -\end{enumerate} - - -\paragraph{Specifying PKINIT identity information} -\label{admin/conf_files/krb5_conf:specifying-pkinit-identity-information}\label{admin/conf_files/krb5_conf:pkinit-identity} -The syntax for specifying Public Key identity, trust, and revocation -information for PKINIT is as follows: -\begin{description} -\item[{\textbf{FILE:}\emph{filename}{[}\textbf{,}\emph{keyfilename}{]}}] \leavevmode -This option has context-specific behavior. - -In \textbf{pkinit\_identity} or \textbf{pkinit\_identities}, \emph{filename} -specifies the name of a PEM-format file containing the user's -certificate. If \emph{keyfilename} is not specified, the user's -private key is expected to be in \emph{filename} as well. Otherwise, -\emph{keyfilename} is the name of the file containing the private key. - -In \textbf{pkinit\_anchors} or \textbf{pkinit\_pool}, \emph{filename} is assumed to -be the name of an OpenSSL-style ca-bundle file. - -\item[{\textbf{DIR:}\emph{dirname}}] \leavevmode -This option has context-specific behavior. - -In \textbf{pkinit\_identity} or \textbf{pkinit\_identities}, \emph{dirname} -specifies a directory with files named \code{*.crt} and \code{*.key} -where the first part of the file name is the same for matching -pairs of certificate and private key files. When a file with a -name ending with \code{.crt} is found, a matching file ending with -\code{.key} is assumed to contain the private key. If no such file -is found, then the certificate in the \code{.crt} is not used. - -In \textbf{pkinit\_anchors} or \textbf{pkinit\_pool}, \emph{dirname} is assumed to -be an OpenSSL-style hashed CA directory where each CA cert is -stored in a file named \code{hash-of-ca-cert.\#}. This infrastructure -is encouraged, but all files in the directory will be examined and -if they contain certificates (in PEM format), they will be used. - -In \textbf{pkinit\_revoke}, \emph{dirname} is assumed to be an OpenSSL-style -hashed CA directory where each revocation list is stored in a file -named \code{hash-of-ca-cert.r\#}. This infrastructure is encouraged, -but all files in the directory will be examined and if they -contain a revocation list (in PEM format), they will be used. - -\item[{\textbf{PKCS12:}\emph{filename}}] \leavevmode -\emph{filename} is the name of a PKCS \#12 format file, containing the -user's certificate and private key. - -\item[{\textbf{PKCS11:}{[}\textbf{module\_name=}{]}\emph{modname}{[}\textbf{:slotid=}\emph{slot-id}{]}{[}\textbf{:token=}\emph{token-label}{]}{[}\textbf{:certid=}\emph{cert-id}{]}{[}\textbf{:certlabel=}\emph{cert-label}{]}}] \leavevmode -All keyword/values are optional. \emph{modname} specifies the location -of a library implementing PKCS \#11. If a value is encountered -with no keyword, it is assumed to be the \emph{modname}. If no -module-name is specified, the default is \code{opensc-pkcs11.so}. -\code{slotid=} and/or \code{token=} may be specified to force the use of -a particular smard card reader or token if there is more than one -available. \code{certid=} and/or \code{certlabel=} may be specified to -force the selection of a particular certificate on the device. -See the \textbf{pkinit\_cert\_match} configuration option for more ways -to select a particular certificate to use for PKINIT. - -\item[{\textbf{ENV:}\emph{envvar}}] \leavevmode -\emph{envvar} specifies the name of an environment variable which has -been set to a value conforming to one of the previous values. For -example, \code{ENV:X509\_PROXY}, where environment variable -\code{X509\_PROXY} has been set to \code{FILE:/tmp/my\_proxy.pem}. - -\end{description} - - -\paragraph{PKINIT krb5.conf options} -\label{admin/conf_files/krb5_conf:pkinit-krb5-conf-options}\begin{description} -\item[{\textbf{pkinit\_anchors}}] \leavevmode -Specifies the location of trusted anchor (root) certificates which -the client trusts to sign KDC certificates. This option may be -specified multiple times. These values from the config file are -not used if the user specifies X509\_anchors on the command line. - -\item[{\textbf{pkinit\_cert\_match}}] \leavevmode -Specifies matching rules that the client certificate must match -before it is used to attempt PKINIT authentication. If a user has -multiple certificates available (on a smart card, or via other -media), there must be exactly one certificate chosen before -attempting PKINIT authentication. This option may be specified -multiple times. All the available certificates are checked -against each rule in order until there is a match of exactly one -certificate. - -The Subject and Issuer comparison strings are the \index{RFC!RFC 2253}\href{http://tools.ietf.org/html/rfc2253.html}{\textbf{RFC 2253}} -string representations from the certificate Subject DN and Issuer -DN values. - -The syntax of the matching rules is: -\begin{quote} - -{[}\emph{relation-operator}{]}\emph{component-rule} ... -\end{quote} - -where: -\begin{description} -\item[{\emph{relation-operator}}] \leavevmode -can be either \code{\&\&}, meaning all component rules must match, -or \code{\textbar{}\textbar{}}, meaning only one component rule must match. The -default is \code{\&\&}. - -\item[{\emph{component-rule}}] \leavevmode -can be one of the following. Note that there is no -punctuation or whitespace between component rules. -\begin{quote} - -\begin{DUlineblock}{0em} -\item[] \textbf{\textless{}SUBJECT\textgreater{}}\emph{regular-expression} -\item[] \textbf{\textless{}ISSUER\textgreater{}}\emph{regular-expression} -\item[] \textbf{\textless{}SAN\textgreater{}}\emph{regular-expression} -\item[] \textbf{\textless{}EKU\textgreater{}}\emph{extended-key-usage-list} -\item[] \textbf{\textless{}KU\textgreater{}}\emph{key-usage-list} -\end{DUlineblock} -\end{quote} - -\emph{extended-key-usage-list} is a comma-separated list of -required Extended Key Usage values. All values in the list -must be present in the certificate. Extended Key Usage values -can be: -\begin{itemize} -\item {} -pkinit - -\item {} -msScLogin - -\item {} -clientAuth - -\item {} -emailProtection - -\end{itemize} - -\emph{key-usage-list} is a comma-separated list of required Key -Usage values. All values in the list must be present in the -certificate. Key Usage values can be: -\begin{itemize} -\item {} -digitalSignature - -\item {} -keyEncipherment - -\end{itemize} - -\end{description} - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}cert\PYGZus{}match = \textbar{}\textbar{}\PYGZlt{}SUBJECT\PYGZgt{}.*DoE.*\PYGZlt{}SAN\PYGZgt{}.*@EXAMPLE.COM -pkinit\PYGZus{}cert\PYGZus{}match = \PYGZam{}\PYGZam{}\PYGZlt{}EKU\PYGZgt{}msScLogin,clientAuth\PYGZlt{}ISSUER\PYGZgt{}.*DoE.* -pkinit\PYGZus{}cert\PYGZus{}match = \PYGZlt{}EKU\PYGZgt{}msScLogin,clientAuth\PYGZlt{}KU\PYGZgt{}digitalSignature -\end{Verbatim} - -\item[{\textbf{pkinit\_eku\_checking}}] \leavevmode -This option specifies what Extended Key Usage value the KDC -certificate presented to the client must contain. (Note that if -the KDC certificate has the pkinit SubjectAlternativeName encoded -as the Kerberos TGS name, EKU checking is not necessary since the -issuing CA has certified this as a KDC certificate.) The values -recognized in the krb5.conf file are: -\begin{description} -\item[{\textbf{kpKDC}}] \leavevmode -This is the default value and specifies that the KDC must have -the id-pkinit-KPKdc EKU as defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. - -\item[{\textbf{kpServerAuth}}] \leavevmode -If \textbf{kpServerAuth} is specified, a KDC certificate with the -id-kp-serverAuth EKU will be accepted. This key usage value -is used in most commercially issued server certificates. - -\item[{\textbf{none}}] \leavevmode -If \textbf{none} is specified, then the KDC certificate will not be -checked to verify it has an acceptable EKU. The use of this -option is not recommended. - -\end{description} - -\item[{\textbf{pkinit\_dh\_min\_bits}}] \leavevmode -Specifies the size of the Diffie-Hellman key the client will -attempt to use. The acceptable values are 1024, 2048, and 4096. -The default is 2048. - -\item[{\textbf{pkinit\_identities}}] \leavevmode -Specifies the location(s) to be used to find the user's X.509 -identity information. This option may be specified multiple -times. Each value is attempted in order until identity -information is found and authentication is attempted. Note that -these values are not used if the user specifies -\textbf{X509\_user\_identity} on the command line. - -\item[{\textbf{pkinit\_kdc\_hostname}}] \leavevmode -The presense of this option indicates that the client is willing -to accept a KDC certificate with a dNSName SAN (Subject -Alternative Name) rather than requiring the id-pkinit-san as -defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. This option may be specified multiple -times. Its value should contain the acceptable hostname for the -KDC (as contained in its certificate). - -\item[{\textbf{pkinit\_pool}}] \leavevmode -Specifies the location of intermediate certificates which may be -used by the client to complete the trust chain between a KDC -certificate and a trusted anchor. This option may be specified -multiple times. - -\item[{\textbf{pkinit\_require\_crl\_checking}}] \leavevmode -The default certificate verification process will always check the -available revocation information to see if a certificate has been -revoked. If a match is found for the certificate in a CRL, -verification fails. If the certificate being verified is not -listed in a CRL, or there is no CRL present for its issuing CA, -and \textbf{pkinit\_require\_crl\_checking} is false, then verification -succeeds. - -However, if \textbf{pkinit\_require\_crl\_checking} is true and there is -no CRL information available for the issuing CA, then verification -fails. - -\textbf{pkinit\_require\_crl\_checking} should be set to true if the -policy is such that up-to-date CRLs must be present for every CA. - -\item[{\textbf{pkinit\_revoke}}] \leavevmode -Specifies the location of Certificate Revocation List (CRL) -information to be used by the client when verifying the validity -of the KDC certificate presented. This option may be specified -multiple times. - -\end{description} - - -\subsubsection{Parameter expansion} -\label{admin/conf_files/krb5_conf:id7}\label{admin/conf_files/krb5_conf:parameter-expansion} -Starting with release 1.11, several variables, such as -\textbf{default\_keytab\_name}, allow parameters to be expanded. -Valid parameters are: -\begin{quote} - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\%\{TEMP\} - & -Temporary directory -\\ -\hline -\%\{uid\} - & -Unix real UID or Windows SID -\\ -\hline -\%\{euid\} - & -Unix effective user ID or Windows SID -\\ -\hline -\%\{USERID\} - & -Same as \%\{uid\} -\\ -\hline -\%\{null\} - & -Empty string -\\ -\hline -\%\{LIBDIR\} - & -Installation library directory -\\ -\hline -\%\{BINDIR\} - & -Installation binary directory -\\ -\hline -\%\{SBINDIR\} - & -Installation admin binary directory -\\ -\hline -\%\{username\} - & -(Unix) Username of effective user ID -\\ -\hline -\%\{APPDATA\} - & -(Windows) Roaming application data for current user -\\ -\hline -\%\{COMMON\_APPDATA\} - & -(Windows) Application data for all users -\\ -\hline -\%\{LOCAL\_APPDATA\} - & -(Windows) Local application data for current user -\\ -\hline -\%\{SYSTEM\} - & -(Windows) Windows system folder -\\ -\hline -\%\{WINDOWS\} - & -(Windows) Windows folder -\\ -\hline -\%\{USERCONFIG\} - & -(Windows) Per-user MIT krb5 config file directory -\\ -\hline -\%\{COMMONCONFIG\} - & -(Windows) Common MIT krb5 config file directory -\\ -\hline\end{tabulary} - -\end{quote} - - -\subsubsection{Sample krb5.conf file} -\label{admin/conf_files/krb5_conf:sample-krb5-conf-file} -Here is an example of a generic krb5.conf file: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - default\PYGZus{}realm = ATHENA.MIT.EDU - dns\PYGZus{}lookup\PYGZus{}kdc = true - dns\PYGZus{}lookup\PYGZus{}realm = false - -[realms] - ATHENA.MIT.EDU = \PYGZob{} - kdc = kerberos.mit.edu - kdc = kerberos\PYGZhy{}1.mit.edu - kdc = kerberos\PYGZhy{}2.mit.edu - admin\PYGZus{}server = kerberos.mit.edu - master\PYGZus{}kdc = kerberos.mit.edu - \PYGZcb{} - EXAMPLE.COM = \PYGZob{} - kdc = kerberos.example.com - kdc = kerberos\PYGZhy{}1.example.com - admin\PYGZus{}server = kerberos.example.com - \PYGZcb{} - -[domain\PYGZus{}realm] - mit.edu = ATHENA.MIT.EDU - -[capaths] - ATHENA.MIT.EDU = \PYGZob{} - EXAMPLE.COM = . - \PYGZcb{} - EXAMPLE.COM = \PYGZob{} - ATHENA.MIT.EDU = . - \PYGZcb{} -\end{Verbatim} - - -\subsubsection{FILES} -\label{admin/conf_files/krb5_conf:files} -\code{/etc/krb5.conf} - - -\subsubsection{SEE ALSO} -\label{admin/conf_files/krb5_conf:see-also} -syslog(3) - - -\subsection{kdc.conf} -\label{admin/conf_files/kdc_conf:kdc-conf}\label{admin/conf_files/kdc_conf::doc}\label{admin/conf_files/kdc_conf:kdc-conf-5} -The kdc.conf file supplements {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} for programs which -are typically only used on a KDC, such as the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and -{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemons and the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} program. -Relations documented here may also be specified in krb5.conf; for the -KDC programs mentioned, krb5.conf and kdc.conf will be merged into a -single configuration profile. - -Normally, the kdc.conf file is found in the KDC state directory, -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}. You can override the default location by setting the -environment variable \textbf{KRB5\_KDC\_PROFILE}. - -Please note that you need to restart the KDC daemon for any configuration -changes to take effect. - - -\subsubsection{Structure} -\label{admin/conf_files/kdc_conf:structure} -The kdc.conf file is set up in the same format as the -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file. - - -\subsubsection{Sections} -\label{admin/conf_files/kdc_conf:sections} -The kdc.conf file may contain the following sections: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -{\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} - & -Default values for KDC behavior -\\ -\hline -{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} - & -Realm-specific database configuration and settings -\\ -\hline -{\hyperref[admin/conf_files/kdc_conf:dbdefaults]{\emph{{[}dbdefaults{]}}}} - & -Default database settings -\\ -\hline -{\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} - & -Per-database settings -\\ -\hline -{\hyperref[admin/conf_files/kdc_conf:logging]{\emph{{[}logging{]}}}} - & -Controls how Kerberos daemons perform logging -\\ -\hline\end{tabulary} - - - -\paragraph{{[}kdcdefaults{]}} -\label{admin/conf_files/kdc_conf:kdcdefaults}\label{admin/conf_files/kdc_conf:id1} -With two exceptions, relations in the {[}kdcdefaults{]} section specify -default values for realm variables, to be used if the {[}realms{]} -subsection does not contain a relation for the tag. See the -{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} section for the definitions of these relations. -\begin{itemize} -\item {} -\textbf{host\_based\_services} - -\item {} -\textbf{kdc\_listen} - -\item {} -\textbf{kdc\_ports} - -\item {} -\textbf{kdc\_tcp\_listen} - -\item {} -\textbf{kdc\_tcp\_ports} - -\item {} -\textbf{no\_host\_referral} - -\item {} -\textbf{restrict\_anonymous\_to\_tgt} - -\end{itemize} -\begin{description} -\item[{\textbf{kdc\_max\_dgram\_reply\_size}}] \leavevmode -Specifies the maximum packet size that can be sent over UDP. The -default value is 4096 bytes. - -\item[{\textbf{kdc\_tcp\_listen\_backlog}}] \leavevmode -(Integer.) Set the size of the listen queue length for the KDC -daemon. The value may be limited by OS settings. The default -value is 5. - -\end{description} - - -\paragraph{{[}realms{]}} -\label{admin/conf_files/kdc_conf:realms}\label{admin/conf_files/kdc_conf:kdc-realms} -Each tag in the {[}realms{]} section is the name of a Kerberos realm. The -value of the tag is a subsection where the relations define KDC -parameters for that particular realm. The following example shows how -to define one parameter for the ATHENA.MIT.EDU realm: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ATHENA.MIT.EDU = \PYGZob{} - max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s - \PYGZcb{} -\end{Verbatim} - -The following tags may be specified in a {[}realms{]} subsection: -\begin{description} -\item[{\textbf{acl\_file}}] \leavevmode -(String.) Location of the access control list file that -{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} uses to determine which principals are allowed -which permissions on the Kerberos database. The default value is -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. For more information on Kerberos ACL -file see {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. - -\item[{\textbf{database\_module}}] \leavevmode -(String.) This relation indicates the name of the configuration -section under {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} for database-specific parameters -used by the loadable database library. The default value is the -realm name. If this configuration section does not exist, default -values will be used for all database parameters. - -\item[{\textbf{database\_name}}] \leavevmode -(String, deprecated.) This relation specifies the location of the -Kerberos database for this realm, if the DB2 module is being used -and the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} configuration section does not specify a -database name. The default value is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal}. - -\item[{\textbf{default\_principal\_expiration}}] \leavevmode -(\emph{abstime} string.) Specifies the default expiration date of -principals created in this realm. The default value is 0, which -means no expiration date. - -\item[{\textbf{default\_principal\_flags}}] \leavevmode -(Flag string.) Specifies the default attributes of principals -created in this realm. The format for this string is a -comma-separated list of flags, with `+' before each flag that -should be enabled and `-` before each flag that should be -disabled. The \textbf{postdateable}, \textbf{forwardable}, \textbf{tgt-based}, -\textbf{renewable}, \textbf{proxiable}, \textbf{dup-skey}, \textbf{allow-tickets}, and -\textbf{service} flags default to enabled. - -There are a number of possible flags: -\begin{description} -\item[{\textbf{allow-tickets}}] \leavevmode -Enabling this flag means that the KDC will issue tickets for -this principal. Disabling this flag essentially deactivates -the principal within this realm. - -\item[{\textbf{dup-skey}}] \leavevmode -Enabling this flag allows the principal to obtain a session -key for another user, permitting user-to-user authentication -for this principal. - -\item[{\textbf{forwardable}}] \leavevmode -Enabling this flag allows the principal to obtain forwardable -tickets. - -\item[{\textbf{hwauth}}] \leavevmode -If this flag is enabled, then the principal is required to -preauthenticate using a hardware device before receiving any -tickets. - -\item[{\textbf{no-auth-data-required}}] \leavevmode -Enabling this flag prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal. - -\item[{\textbf{ok-as-delegate}}] \leavevmode -If this flag is enabled, it hints the client that credentials -can and should be delegated when authenticating to the -service. - -\item[{\textbf{ok-to-auth-as-delegate}}] \leavevmode -Enabling this flag allows the principal to use S4USelf tickets. - -\item[{\textbf{postdateable}}] \leavevmode -Enabling this flag allows the principal to obtain postdateable -tickets. - -\item[{\textbf{preauth}}] \leavevmode -If this flag is enabled on a client principal, then that -principal is required to preauthenticate to the KDC before -receiving any tickets. On a service principal, enabling this -flag means that service tickets for this principal will only -be issued to clients with a TGT that has the preauthenticated -bit set. - -\item[{\textbf{proxiable}}] \leavevmode -Enabling this flag allows the principal to obtain proxy -tickets. - -\item[{\textbf{pwchange}}] \leavevmode -Enabling this flag forces a password change for this -principal. - -\item[{\textbf{pwservice}}] \leavevmode -If this flag is enabled, it marks this principal as a password -change service. This should only be used in special cases, -for example, if a user's password has expired, then the user -has to get tickets for that principal without going through -the normal password authentication in order to be able to -change the password. - -\item[{\textbf{renewable}}] \leavevmode -Enabling this flag allows the principal to obtain renewable -tickets. - -\item[{\textbf{service}}] \leavevmode -Enabling this flag allows the the KDC to issue service tickets -for this principal. - -\item[{\textbf{tgt-based}}] \leavevmode -Enabling this flag allows a principal to obtain tickets based -on a ticket-granting-ticket, rather than repeating the -authentication process that was used to obtain the TGT. - -\end{description} - -\item[{\textbf{dict\_file}}] \leavevmode -(String.) Location of the dictionary file containing strings that -are not allowed as passwords. The file should contain one string -per line, with no additional whitespace. If none is specified or -if there is no policy assigned to the principal, no dictionary -checks of passwords will be performed. - -\item[{\textbf{host\_based\_services}}] \leavevmode -(Whitespace- or comma-separated list.) Lists services which will -get host-based referral processing even if the server principal is -not marked as host-based by the client. - -\item[{\textbf{iprop\_enable}}] \leavevmode -(Boolean value.) Specifies whether incremental database -propagation is enabled. The default value is false. - -\item[{\textbf{iprop\_master\_ulogsize}}] \leavevmode -(Integer.) Specifies the maximum number of log entries to be -retained for incremental propagation. The default value is 1000. -Prior to release 1.11, the maximum value was 2500. - -\item[{\textbf{iprop\_slave\_poll}}] \leavevmode -(Delta time string.) Specifies how often the slave KDC polls for -new updates from the master. The default value is \code{2m} (that -is, two minutes). - -\item[{\textbf{iprop\_listen}}] \leavevmode -(Whitespace- or comma-separated list.) Specifies the iprop RPC -listening addresses and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default (when \textbf{iprop\_enable} is true) is to bind to the wildcard -address at the port specified in \textbf{iprop\_port}. New in release -1.15. - -\item[{\textbf{iprop\_port}}] \leavevmode -(Port number.) Specifies the port number to be used for -incremental propagation. When \textbf{iprop\_enable} is true, this -relation is required in the slave configuration file, and this -relation or \textbf{iprop\_listen} is required in the master -configuration file, as there is no default port number. Port -numbers specified in \textbf{iprop\_listen} entries will override this -port number for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. - -\item[{\textbf{iprop\_resync\_timeout}}] \leavevmode -(Delta time string.) Specifies the amount of time to wait for a -full propagation to complete. This is optional in configuration -files, and is used by slave KDCs only. The default value is 5 -minutes (\code{5m}). New in release 1.11. - -\item[{\textbf{iprop\_logfile}}] \leavevmode -(File name.) Specifies where the update log file for the realm -database is to be stored. The default is to use the -\textbf{database\_name} entry from the realms section of the krb5 config -file, with \code{.ulog} appended. (NOTE: If \textbf{database\_name} isn't -specified in the realms section, perhaps because the LDAP database -back end is being used, or the file name is specified in the -{[}dbmodules{]} section, then the hard-coded default for -\textbf{database\_name} is used. Determination of the \textbf{iprop\_logfile} -default value will not use values from the {[}dbmodules{]} section.) - -\item[{\textbf{kadmind\_listen}}] \leavevmode -(Whitespace- or comma-separated list.) Specifies the kadmin RPC -listening addresses and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If kadmind fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address at the port specified -in \textbf{kadmind\_port}, or the standard kadmin port (749). New in -release 1.15. - -\item[{\textbf{kadmind\_port}}] \leavevmode -(Port number.) Specifies the port on which the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} -daemon is to listen for this realm. Port numbers specified in -\textbf{kadmind\_listen} entries will override this port number. The -assigned port for kadmind is 749, which is used by default. - -\item[{\textbf{key\_stash\_file}}] \leavevmode -(String.) Specifies the location where the master key has been -stored (via kdb5\_util stash). The default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/.k5.REALM}, where \emph{REALM} is the Kerberos realm. - -\item[{\textbf{kdc\_listen}}] \leavevmode -(Whitespace- or comma-separated list.) Specifies the UDP -listening addresses and/or ports for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. If the KDC daemon fails to bind -to any of the specified addresses, it will fail to start. The -default is to bind to the wildcard address on the standard port. -New in release 1.15. - -\item[{\textbf{kdc\_ports}}] \leavevmode -(Whitespace- or comma-separated list, deprecated.) Prior to -release 1.15, this relation lists the ports for the -{\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to listen on for UDP requests. In -release 1.15 and later, it has the same meaning as \textbf{kdc\_listen} -if that relation is not defined. - -\item[{\textbf{kdc\_tcp\_listen}}] \leavevmode -(Whitespace- or comma-separated list.) Specifies the TCP -listening addresses and/or ports for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon. -Each entry may be an interface address, a port number, or an -address and port number separated by a colon. If the address -contains colons, enclose it in square brackets. If no address is -specified, the wildcard address is used. If no port is specified, -the standard port (88) is used. To disable listening on TCP, set -this relation to the empty string with \code{kdc\_tcp\_listen = ""}. -If the KDC daemon fails to bind to any of the specified addresses, -it will fail to start. The default is to bind to the wildcard -address on the standard port. New in release 1.15. - -\item[{\textbf{kdc\_tcp\_ports}}] \leavevmode -(Whitespace- or comma-separated list, deprecated.) Prior to -release 1.15, this relation lists the ports for the -{\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to listen on for UDP requests. In -release 1.15 and later, it has the same meaning as -\textbf{kdc\_tcp\_listen} if that relation is not defined. - -\item[{\textbf{kpasswd\_listen}}] \leavevmode -(Comma-separated list.) Specifies the kpasswd listening addresses -and/or ports for the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon. Each entry may be -an interface address, a port number, or an address and port number -separated by a colon. If the address contains colons, enclose it -in square brackets. If no address is specified, the wildcard -address is used. If kadmind fails to bind to any of the specified -addresses, it will fail to start. The default is to bind to the -wildcard address at the port specified in \textbf{kpasswd\_port}, or the -standard kpasswd port (464). New in release 1.15. - -\item[{\textbf{kpasswd\_port}}] \leavevmode -(Port number.) Specifies the port on which the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} -daemon is to listen for password change requests for this realm. -Port numbers specified in \textbf{kpasswd\_listen} entries will override -this port number. The assigned port for password change requests -is 464, which is used by default. - -\item[{\textbf{master\_key\_name}}] \leavevmode -(String.) Specifies the name of the principal associated with the -master key. The default is \code{K/M}. - -\item[{\textbf{master\_key\_type}}] \leavevmode -(Key type string.) Specifies the master key's key type. The -default value for this is \code{aes256-cts-hmac-sha1-96}. For a list of all possible -values, see {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}}. - -\item[{\textbf{max\_life}}] \leavevmode -(\emph{duration} string.) Specifies the maximum time period for -which a ticket may be valid in this realm. The default value is -24 hours. - -\item[{\textbf{max\_renewable\_life}}] \leavevmode -(\emph{duration} string.) Specifies the maximum time period -during which a valid ticket may be renewed in this realm. -The default value is 0. - -\item[{\textbf{no\_host\_referral}}] \leavevmode -(Whitespace- or comma-separated list.) Lists services to block -from getting host-based referral processing, even if the client -marks the server principal as host-based or the service is also -listed in \textbf{host\_based\_services}. \code{no\_host\_referral = *} will -disable referral processing altogether. - -\item[{\textbf{des\_crc\_session\_supported}}] \leavevmode -(Boolean value). If set to true, the KDC will assume that service -principals support des-cbc-crc for session key enctype negotiation -purposes. If \textbf{allow\_weak\_crypto} in {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} is -false, or if des-cbc-crc is not a permitted enctype, then this -variable has no effect. Defaults to true. New in release 1.11. - -\item[{\textbf{reject\_bad\_transit}}] \leavevmode -(Boolean value.) If set to true, the KDC will check the list of -transited realms for cross-realm tickets against the transit path -computed from the realm names and the capaths section of its -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file; if the path in the ticket to be issued -contains any realms not in the computed path, the ticket will not -be issued, and an error will be returned to the client instead. -If this value is set to false, such tickets will be issued -anyways, and it will be left up to the application server to -validate the realm transit path. - -If the disable-transited-check flag is set in the incoming -request, this check is not performed at all. Having the -\textbf{reject\_bad\_transit} option will cause such ticket requests to -be rejected always. - -This transit path checking and config file option currently apply -only to TGS requests. - -The default value is true. - -\item[{\textbf{restrict\_anonymous\_to\_tgt}}] \leavevmode -(Boolean value.) If set to true, the KDC will reject ticket -requests from anonymous principals to service principals other -than the realm's ticket-granting service. This option allows -anonymous PKINIT to be enabled for use as FAST armor tickets -without allowing anonymous authentication to services. The -default value is false. New in release 1.9. - -\item[{\textbf{supported\_enctypes}}] \leavevmode -(List of \emph{key}:\emph{salt} strings.) Specifies the default key/salt -combinations of principals for this realm. Any principals created -through {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} will have keys of these types. The -default value for this tag is \code{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal}. For lists of -possible values, see {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}}. - -\end{description} - - -\paragraph{{[}dbdefaults{]}} -\label{admin/conf_files/kdc_conf:id2}\label{admin/conf_files/kdc_conf:dbdefaults} -The {[}dbdefaults{]} section specifies default values for some database -parameters, to be used if the {[}dbmodules{]} subsection does not contain -a relation for the tag. See the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} section for the -definitions of these relations. -\begin{itemize} -\item {} -\textbf{ldap\_kerberos\_container\_dn} - -\item {} -\textbf{ldap\_kdc\_dn} - -\item {} -\textbf{ldap\_kdc\_sasl\_authcid} - -\item {} -\textbf{ldap\_kdc\_sasl\_authzid} - -\item {} -\textbf{ldap\_kdc\_sasl\_mech} - -\item {} -\textbf{ldap\_kdc\_sasl\_realm} - -\item {} -\textbf{ldap\_kadmind\_dn} - -\item {} -\textbf{ldap\_kadmind\_sasl\_authcid} - -\item {} -\textbf{ldap\_kadmind\_sasl\_authzid} - -\item {} -\textbf{ldap\_kadmind\_sasl\_mech} - -\item {} -\textbf{ldap\_kadmind\_sasl\_realm} - -\item {} -\textbf{ldap\_service\_password\_file} - -\item {} -\textbf{ldap\_servers} - -\item {} -\textbf{ldap\_conns\_per\_server} - -\end{itemize} - - -\paragraph{{[}dbmodules{]}} -\label{admin/conf_files/kdc_conf:dbmodules}\label{admin/conf_files/kdc_conf:id3} -The {[}dbmodules{]} section contains parameters used by the KDC database -library and database modules. Each tag in the {[}dbmodules{]} section is -the name of a Kerberos realm or a section name specified by a realm's -\textbf{database\_module} parameter. The following example shows how to -define one database parameter for the ATHENA.MIT.EDU realm: - -\begin{Verbatim}[commandchars=\\\{\}] -[dbmodules] - ATHENA.MIT.EDU = \PYGZob{} - disable\PYGZus{}last\PYGZus{}success = true - \PYGZcb{} -\end{Verbatim} - -The following tags may be specified in a {[}dbmodules{]} subsection: -\begin{description} -\item[{\textbf{database\_name}}] \leavevmode -This DB2-specific tag indicates the location of the database in -the filesystem. The default is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal}. - -\item[{\textbf{db\_library}}] \leavevmode -This tag indicates the name of the loadable database module. The -value should be \code{db2} for the DB2 module and \code{kldap} for the -LDAP module. - -\item[{\textbf{disable\_last\_success}}] \leavevmode -If set to \code{true}, suppresses KDC updates to the ``Last successful -authentication'' field of principal entries requiring -preauthentication. Setting this flag may improve performance. -(Principal entries which do not require preauthentication never -update the ``Last successful authentication'' field.). First -introduced in release 1.9. - -\item[{\textbf{disable\_lockout}}] \leavevmode -If set to \code{true}, suppresses KDC updates to the ``Last failed -authentication'' and ``Failed password attempts'' fields of principal -entries requiring preauthentication. Setting this flag may -improve performance, but also disables account lockout. First -introduced in release 1.9. - -\item[{\textbf{ldap\_conns\_per\_server}}] \leavevmode -This LDAP-specific tag indicates the number of connections to be -maintained per LDAP server. - -\item[{\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn}}] \leavevmode -These LDAP-specific tags indicate the default DN for binding to -the LDAP server. The {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon uses -\textbf{ldap\_kdc\_dn}, while the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon and other -administrative programs use \textbf{ldap\_kadmind\_dn}. The kadmind DN -must have the rights to read and write the Kerberos data in the -LDAP database. The KDC DN must have the same rights, unless -\textbf{disable\_lockout} and \textbf{disable\_last\_success} are true, in -which case it only needs to have rights to read the Kerberos data. -These tags are ignored if a SASL mechanism is set with -\textbf{ldap\_kdc\_sasl\_mech} or \textbf{ldap\_kadmind\_sasl\_mech}. - -\item[{\textbf{ldap\_kdc\_sasl\_mech} and \textbf{ldap\_kadmind\_sasl\_mech}}] \leavevmode -These LDAP-specific tags specify the SASL mechanism (such as -\code{EXTERNAL}) to use when binding to the LDAP server. New in -release 1.13. - -\item[{\textbf{ldap\_kdc\_sasl\_authcid} and \textbf{ldap\_kadmind\_sasl\_authcid}}] \leavevmode -These LDAP-specific tags specify the SASL authentication identity -to use when binding to the LDAP server. Not all SASL mechanisms -require an authentication identity. If the SASL mechanism -requires a secret (such as the password for \code{DIGEST-MD5}), these -tags also determine the name within the -\textbf{ldap\_service\_password\_file} where the secret is stashed. New -in release 1.13. - -\item[{\textbf{ldap\_kdc\_sasl\_authzid} and \textbf{ldap\_kadmind\_sasl\_authzid}}] \leavevmode -These LDAP-specific tags specify the SASL authorization identity -to use when binding to the LDAP server. In most circumstances -they do not need to be specified. New in release 1.13. - -\item[{\textbf{ldap\_kdc\_sasl\_realm} and \textbf{ldap\_kadmind\_sasl\_realm}}] \leavevmode -These LDAP-specific tags specify the SASL realm to use when -binding to the LDAP server. In most circumstances they do not -need to be set. New in release 1.13. - -\item[{\textbf{ldap\_kerberos\_container\_dn}}] \leavevmode -This LDAP-specific tag indicates the DN of the container object -where the realm objects will be located. - -\item[{\textbf{ldap\_servers}}] \leavevmode -This LDAP-specific tag indicates the list of LDAP servers that the -Kerberos servers can connect to. The list of LDAP servers is -whitespace-separated. The LDAP server is specified by a LDAP URI. -It is recommended to use \code{ldapi:} or \code{ldaps:} URLs to connect -to the LDAP server. - -\item[{\textbf{ldap\_service\_password\_file}}] \leavevmode -This LDAP-specific tag indicates the file containing the stashed -passwords (created by \code{kdb5\_ldap\_util stashsrvpw}) for the -\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} objects, or for the -\textbf{ldap\_kdc\_sasl\_authcid} or \textbf{ldap\_kadmind\_sasl\_authcid} names -for SASL authentication. This file must be kept secure. - -\item[{\textbf{unlockiter}}] \leavevmode -If set to \code{true}, this DB2-specific tag causes iteration -operations to release the database lock while processing each -principal. Setting this flag to \code{true} can prevent extended -blocking of KDC or kadmin operations when dumps of large databases -are in progress. First introduced in release 1.13. - -\end{description} - -The following tag may be specified directly in the {[}dbmodules{]} -section to control where database modules are loaded from: -\begin{description} -\item[{\textbf{db\_module\_dir}}] \leavevmode -This tag controls where the plugin system looks for database -modules. The value should be an absolute path. - -\end{description} - - -\paragraph{{[}logging{]}} -\label{admin/conf_files/kdc_conf:id4}\label{admin/conf_files/kdc_conf:logging} -The {[}logging{]} section indicates how {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and -{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} perform logging. It may contain the following -relations: -\begin{description} -\item[{\textbf{admin\_server}}] \leavevmode -Specifies how {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} performs logging. - -\item[{\textbf{kdc}}] \leavevmode -Specifies how {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} performs logging. - -\item[{\textbf{default}}] \leavevmode -Specifies how either daemon performs logging in the absence of -relations specific to the daemon. - -\item[{\textbf{debug}}] \leavevmode -(Boolean value.) Specifies whether debugging messages are -included in log outputs other than SYSLOG. Debugging messages are -always included in the system log output because syslog performs -its own priority filtering. The default value is false. New in -release 1.15. - -\end{description} - -Logging specifications may have the following forms: -\begin{description} -\item[{\textbf{FILE=}\emph{filename} or \textbf{FILE:}\emph{filename}}] \leavevmode -This value causes the daemon's logging messages to go to the -\emph{filename}. If the \code{=} form is used, the file is overwritten. -If the \code{:} form is used, the file is appended to. - -\item[{\textbf{STDERR}}] \leavevmode -This value causes the daemon's logging messages to go to its -standard error stream. - -\item[{\textbf{CONSOLE}}] \leavevmode -This value causes the daemon's logging messages to go to the -console, if the system supports it. - -\item[{\textbf{DEVICE=}\emph{\textless{}devicename\textgreater{}}}] \leavevmode -This causes the daemon's logging messages to go to the specified -device. - -\item[{\textbf{SYSLOG}{[}\textbf{:}\emph{severity}{[}\textbf{:}\emph{facility}{]}{]}}] \leavevmode -This causes the daemon's logging messages to go to the system log. - -The severity argument specifies the default severity of system log -messages. This may be any of the following severities supported -by the syslog(3) call, minus the \code{LOG\_} prefix: \textbf{EMERG}, -\textbf{ALERT}, \textbf{CRIT}, \textbf{ERR}, \textbf{WARNING}, \textbf{NOTICE}, \textbf{INFO}, -and \textbf{DEBUG}. - -The facility argument specifies the facility under which the -messages are logged. This may be any of the following facilities -supported by the syslog(3) call minus the LOG\_ prefix: \textbf{KERN}, -\textbf{USER}, \textbf{MAIL}, \textbf{DAEMON}, \textbf{AUTH}, \textbf{LPR}, \textbf{NEWS}, -\textbf{UUCP}, \textbf{CRON}, and \textbf{LOCAL0} through \textbf{LOCAL7}. - -If no severity is specified, the default is \textbf{ERR}. If no -facility is specified, the default is \textbf{AUTH}. - -\end{description} - -In the following example, the logging messages from the KDC will go to -the console and to the system log under the facility LOG\_DAEMON with -default severity of LOG\_INFO; and the logging messages from the -administrative server will be appended to the file -\code{/var/adm/kadmin.log} and sent to the device \code{/dev/tty04}. - -\begin{Verbatim}[commandchars=\\\{\}] -[logging] - kdc = CONSOLE - kdc = SYSLOG:INFO:DAEMON - admin\PYGZus{}server = FILE:/var/adm/kadmin.log - admin\PYGZus{}server = DEVICE=/dev/tty04 -\end{Verbatim} - - -\paragraph{{[}otp{]}} -\label{admin/conf_files/kdc_conf:otp}\label{admin/conf_files/kdc_conf:id5} -Each subsection of {[}otp{]} is the name of an OTP token type. The tags -within the subsection define the configuration required to forward a -One Time Password request to a RADIUS server. - -For each token type, the following tags may be specified: -\begin{description} -\item[{\textbf{server}}] \leavevmode -This is the server to send the RADIUS request to. It can be a -hostname with optional port, an ip address with optional port, or -a Unix domain socket address. The default is -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/\textless{}name\textgreater{}.socket}. - -\item[{\textbf{secret}}] \leavevmode -This tag indicates a filename (which may be relative to {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}) -containing the secret used to encrypt the RADIUS packets. The -secret should appear in the first line of the file by itself; -leading and trailing whitespace on the line will be removed. If -the value of \textbf{server} is a Unix domain socket address, this tag -is optional, and an empty secret will be used if it is not -specified. Otherwise, this tag is required. - -\item[{\textbf{timeout}}] \leavevmode -An integer which specifies the time in seconds during which the -KDC should attempt to contact the RADIUS server. This tag is the -total time across all retries and should be less than the time -which an OTP value remains valid for. The default is 5 seconds. - -\item[{\textbf{retries}}] \leavevmode -This tag specifies the number of retries to make to the RADIUS -server. The default is 3 retries (4 tries). - -\item[{\textbf{strip\_realm}}] \leavevmode -If this tag is \code{true}, the principal without the realm will be -passed to the RADIUS server. Otherwise, the realm will be -included. The default value is \code{true}. - -\item[{\textbf{indicator}}] \leavevmode -This tag specifies an authentication indicator to be included in -the ticket if this token type is used to authenticate. This -option may be specified multiple times. (New in release 1.14.) - -\end{description} - -In the following example, requests are sent to a remote server via UDP: - -\begin{Verbatim}[commandchars=\\\{\}] -[otp] - MyRemoteTokenType = \PYGZob{} - server = radius.mydomain.com:1812 - secret = SEmfiajf42\PYGZdl{} - timeout = 15 - retries = 5 - strip\PYGZus{}realm = true - \PYGZcb{} -\end{Verbatim} - -An implicit default token type named \code{DEFAULT} is defined for when -the per-principal configuration does not specify a token type. Its -configuration is shown below. You may override this token type to -something applicable for your situation: - -\begin{Verbatim}[commandchars=\\\{\}] -[otp] - DEFAULT = \PYGZob{} - strip\PYGZus{}realm = false - \PYGZcb{} -\end{Verbatim} - - -\subsubsection{PKINIT options} -\label{admin/conf_files/kdc_conf:pkinit-options} -\begin{notice}{note}{Note:} -The following are pkinit-specific options. These values may -be specified in {[}kdcdefaults{]} as global defaults, or within -a realm-specific subsection of {[}realms{]}. Also note that a -realm-specific value over-rides, does not add to, a generic -{[}kdcdefaults{]} specification. The search order is: -\end{notice} -\begin{enumerate} -\item {} -realm-specific subsection of {[}realms{]}: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - EXAMPLE.COM = \PYGZob{} - pkinit\PYGZus{}anchors = FILE:/usr/local/example.com.crt - \PYGZcb{} -\end{Verbatim} - -\item {} -generic value in the {[}kdcdefaults{]} section: - -\begin{Verbatim}[commandchars=\\\{\}] -[kdcdefaults] - pkinit\PYGZus{}anchors = DIR:/usr/local/generic\PYGZus{}trusted\PYGZus{}cas/ -\end{Verbatim} - -\end{enumerate} - -For information about the syntax of some of these options, see -{\hyperref[admin/conf_files/krb5_conf:pkinit-identity]{\emph{Specifying PKINIT identity information}}} in -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. -\begin{description} -\item[{\textbf{pkinit\_anchors}}] \leavevmode -Specifies the location of trusted anchor (root) certificates which -the KDC trusts to sign client certificates. This option is -required if pkinit is to be supported by the KDC. This option may -be specified multiple times. - -\item[{\textbf{pkinit\_dh\_min\_bits}}] \leavevmode -Specifies the minimum number of bits the KDC is willing to accept -for a client's Diffie-Hellman key. The default is 2048. - -\item[{\textbf{pkinit\_allow\_upn}}] \leavevmode -Specifies that the KDC is willing to accept client certificates -with the Microsoft UserPrincipalName (UPN) Subject Alternative -Name (SAN). This means the KDC accepts the binding of the UPN in -the certificate to the Kerberos principal name. The default value -is false. - -Without this option, the KDC will only accept certificates with -the id-pkinit-san as defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. There is currently -no option to disable SAN checking in the KDC. - -\item[{\textbf{pkinit\_eku\_checking}}] \leavevmode -This option specifies what Extended Key Usage (EKU) values the KDC -is willing to accept in client certificates. The values -recognized in the kdc.conf file are: -\begin{description} -\item[{\textbf{kpClientAuth}}] \leavevmode -This is the default value and specifies that client -certificates must have the id-pkinit-KPClientAuth EKU as -defined in \index{RFC!RFC 4556}\href{http://tools.ietf.org/html/rfc4556.html}{\textbf{RFC 4556}}. - -\item[{\textbf{scLogin}}] \leavevmode -If scLogin is specified, client certificates with the -Microsoft Smart Card Login EKU (id-ms-kp-sc-logon) will be -accepted. - -\item[{\textbf{none}}] \leavevmode -If none is specified, then client certificates will not be -checked to verify they have an acceptable EKU. The use of -this option is not recommended. - -\end{description} - -\item[{\textbf{pkinit\_identity}}] \leavevmode -Specifies the location of the KDC's X.509 identity information. -This option is required if pkinit is to be supported by the KDC. - -\item[{\textbf{pkinit\_indicator}}] \leavevmode -Specifies an authentication indicator to include in the ticket if -pkinit is used to authenticate. This option may be specified -multiple times. (New in release 1.14.) - -\item[{\textbf{pkinit\_kdc\_ocsp}}] \leavevmode -Specifies the location of the KDC's OCSP. - -\item[{\textbf{pkinit\_pool}}] \leavevmode -Specifies the location of intermediate certificates which may be -used by the KDC to complete the trust chain between a client's -certificate and a trusted anchor. This option may be specified -multiple times. - -\item[{\textbf{pkinit\_revoke}}] \leavevmode -Specifies the location of Certificate Revocation List (CRL) -information to be used by the KDC when verifying the validity of -client certificates. This option may be specified multiple times. - -\item[{\textbf{pkinit\_require\_crl\_checking}}] \leavevmode -The default certificate verification process will always check the -available revocation information to see if a certificate has been -revoked. If a match is found for the certificate in a CRL, -verification fails. If the certificate being verified is not -listed in a CRL, or there is no CRL present for its issuing CA, -and \textbf{pkinit\_require\_crl\_checking} is false, then verification -succeeds. - -However, if \textbf{pkinit\_require\_crl\_checking} is true and there is -no CRL information available for the issuing CA, then verification -fails. - -\textbf{pkinit\_require\_crl\_checking} should be set to true if the -policy is such that up-to-date CRLs must be present for every CA. - -\end{description} - - -\subsubsection{Encryption types} -\label{admin/conf_files/kdc_conf:id6}\label{admin/conf_files/kdc_conf:encryption-types} -Any tag in the configuration files which requires a list of encryption -types can be set to some combination of the following strings. -Encryption types marked as ``weak'' are available for compatibility but -not recommended for use. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -des-cbc-crc - & -DES cbc mode with CRC-32 (weak) -\\ -\hline -des-cbc-md4 - & -DES cbc mode with RSA-MD4 (weak) -\\ -\hline -des-cbc-md5 - & -DES cbc mode with RSA-MD5 (weak) -\\ -\hline -des-cbc-raw - & -DES cbc mode raw (weak) -\\ -\hline -des3-cbc-raw - & -Triple DES cbc mode raw (weak) -\\ -\hline -des3-cbc-sha1 des3-hmac-sha1 des3-cbc-sha1-kd - & -Triple DES cbc mode with HMAC/sha1 -\\ -\hline -des-hmac-sha1 - & -DES with HMAC/sha1 (weak) -\\ -\hline -aes256-cts-hmac-sha1-96 aes256-cts aes256-sha1 - & -AES-256 CTS mode with 96-bit SHA-1 HMAC -\\ -\hline -aes128-cts-hmac-sha1-96 aes128-cts aes128-sha1 - & -AES-128 CTS mode with 96-bit SHA-1 HMAC -\\ -\hline -aes256-cts-hmac-sha384-192 aes256-sha2 - & -AES-256 CTS mode with 192-bit SHA-384 HMAC -\\ -\hline -aes128-cts-hmac-sha256-128 aes128-sha2 - & -AES-128 CTS mode with 128-bit SHA-256 HMAC -\\ -\hline -arcfour-hmac rc4-hmac arcfour-hmac-md5 - & -RC4 with HMAC/MD5 -\\ -\hline -arcfour-hmac-exp rc4-hmac-exp arcfour-hmac-md5-exp - & -Exportable RC4 with HMAC/MD5 (weak) -\\ -\hline -camellia256-cts-cmac camellia256-cts - & -Camellia-256 CTS mode with CMAC -\\ -\hline -camellia128-cts-cmac camellia128-cts - & -Camellia-128 CTS mode with CMAC -\\ -\hline -des - & -The DES family: des-cbc-crc, des-cbc-md5, and des-cbc-md4 (weak) -\\ -\hline -des3 - & -The triple DES family: des3-cbc-sha1 -\\ -\hline -aes - & -The AES family: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192, and aes128-cts-hmac-sha256-128 -\\ -\hline -rc4 - & -The RC4 family: arcfour-hmac -\\ -\hline -camellia - & -The Camellia family: camellia256-cts-cmac and camellia128-cts-cmac -\\ -\hline\end{tabulary} - - -The string \textbf{DEFAULT} can be used to refer to the default set of -types for the variable in question. Types or families can be removed -from the current list by prefixing them with a minus sign (``-''). -Types or families can be prefixed with a plus sign (``+'') for symmetry; -it has the same meaning as just listing the type or family. For -example, ``\code{DEFAULT -des}'' would be the default set of encryption -types with DES types removed, and ``\code{des3 DEFAULT}'' would be the -default set of encryption types with triple DES types moved to the -front. - -While \textbf{aes128-cts} and \textbf{aes256-cts} are supported for all Kerberos -operations, they are not supported by very old versions of our GSSAPI -implementation (krb5-1.3.1 and earlier). Services running versions of -krb5 without AES support must not be given keys of these encryption -types in the KDC database. - -The \textbf{aes128-sha2} and \textbf{aes256-sha2} encryption types are new in -release 1.15. Services running versions of krb5 without support for -these newer encryption types must not be given keys of these -encryption types in the KDC database. - - -\subsubsection{Keysalt lists} -\label{admin/conf_files/kdc_conf:id7}\label{admin/conf_files/kdc_conf:keysalt-lists} -Kerberos keys for users are usually derived from passwords. Kerberos -commands and configuration parameters that affect generation of keys -take lists of enctype-salttype (``keysalt'') pairs, known as \emph{keysalt -lists}. Each keysalt pair is an enctype name followed by a salttype -name, in the format \emph{enc}:\emph{salt}. Individual keysalt list members are -separated by comma ('','') characters or space characters. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin \PYGZhy{}e aes256\PYGZhy{}cts:normal,aes128\PYGZhy{}cts:normal -\end{Verbatim} - -would start up kadmin so that by default it would generate -password-derived keys for the \textbf{aes256-cts} and \textbf{aes128-cts} -encryption types, using a \textbf{normal} salt. - -To ensure that people who happen to pick the same password do not have -the same key, Kerberos 5 incorporates more information into the key -using something called a salt. The supported salt types are as -follows: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -normal - & -default for Kerberos Version 5 -\\ -\hline -v4 - & -the only type used by Kerberos Version 4 (no salt) -\\ -\hline -norealm - & -same as the default, without using realm information -\\ -\hline -onlyrealm - & -uses only realm information as the salt -\\ -\hline -afs3 - & -AFS version 3, only used for compatibility with Kerberos 4 in AFS -\\ -\hline -special - & -generate a random salt -\\ -\hline\end{tabulary} - - - -\subsubsection{Sample kdc.conf File} -\label{admin/conf_files/kdc_conf:sample-kdc-conf-file} -Here's an example of a kdc.conf file: - -\begin{Verbatim}[commandchars=\\\{\}] -[kdcdefaults] - kdc\PYGZus{}listen = 88 - kdc\PYGZus{}tcp\PYGZus{}listen = 88 -[realms] - ATHENA.MIT.EDU = \PYGZob{} - kadmind\PYGZus{}port = 749 - max\PYGZus{}life = 12h 0m 0s - max\PYGZus{}renewable\PYGZus{}life = 7d 0h 0m 0s - master\PYGZus{}key\PYGZus{}type = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 - supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal - database\PYGZus{}module = openldap\PYGZus{}ldapconf - \PYGZcb{} - -[logging] - kdc = FILE:/usr/local/var/krb5kdc/kdc.log - admin\PYGZus{}server = FILE:/usr/local/var/krb5kdc/kadmin.log - -[dbdefaults] - ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn = cn=krbcontainer,dc=mit,dc=edu - -[dbmodules] - openldap\PYGZus{}ldapconf = \PYGZob{} - db\PYGZus{}library = kldap - disable\PYGZus{}last\PYGZus{}success = true - ldap\PYGZus{}kdc\PYGZus{}dn = \PYGZdq{}cn=krbadmin,dc=mit,dc=edu\PYGZdq{} - \PYGZsh{} this object needs to have read rights on - \PYGZsh{} the realm container and principal subtrees - ldap\PYGZus{}kadmind\PYGZus{}dn = \PYGZdq{}cn=krbadmin,dc=mit,dc=edu\PYGZdq{} - \PYGZsh{} this object needs to have read and write rights on - \PYGZsh{} the realm container and principal subtrees - ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file = /etc/kerberos/service.keyfile - ldap\PYGZus{}servers = ldaps://kerberos.mit.edu - ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server = 5 - \PYGZcb{} -\end{Verbatim} - - -\subsubsection{FILES} -\label{admin/conf_files/kdc_conf:files} -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kdc.conf} - - -\subsubsection{SEE ALSO} -\label{admin/conf_files/kdc_conf:see-also} -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} - - -\subsection{kadm5.acl} -\label{admin/conf_files/kadm5_acl:kadm5-acl}\label{admin/conf_files/kadm5_acl:kadm5-acl-5}\label{admin/conf_files/kadm5_acl::doc} - -\subsubsection{DESCRIPTION} -\label{admin/conf_files/kadm5_acl:description} -The Kerberos {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} daemon uses an Access Control List -(ACL) file to manage access rights to the Kerberos database. -For operations that affect principals, the ACL file also controls -which principals can operate on which other principals. - -The default location of the Kerberos ACL file is -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl} unless this is overridden by the \emph{acl\_file} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - - -\subsubsection{SYNTAX} -\label{admin/conf_files/kadm5_acl:syntax} -Empty lines and lines starting with the sharp sign (\code{\#}) are -ignored. Lines containing ACL entries have the format: - -\begin{Verbatim}[commandchars=\\\{\}] -principal permissions [target\PYGZus{}principal [restrictions] ] -\end{Verbatim} - -\begin{notice}{note}{Note:} -Line order in the ACL file is important. The first matching entry -will control access for an actor principal on a target principal. -\end{notice} -\begin{description} -\item[{\emph{principal}}] \leavevmode -(Partially or fully qualified Kerberos principal name.) Specifies -the principal whose permissions are to be set. - -Each component of the name may be wildcarded using the \code{*} -character. - -\item[{\emph{permissions}}] \leavevmode -Specifies what operations may or may not be performed by a -\emph{principal} matching a particular entry. This is a string of one or -more of the following list of characters or their upper-case -counterparts. If the character is \emph{upper-case}, then the operation -is disallowed. If the character is \emph{lower-case}, then the operation -is permitted. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -a - & -{[}Dis{]}allows the addition of principals or policies -\\ -\hline -c - & -{[}Dis{]}allows the changing of passwords for principals -\\ -\hline -d - & -{[}Dis{]}allows the deletion of principals or policies -\\ -\hline -e - & -{[}Dis{]}allows the extraction of principal keys -\\ -\hline -i - & -{[}Dis{]}allows inquiries about principals or policies -\\ -\hline -l - & -{[}Dis{]}allows the listing of all principals or policies -\\ -\hline -m - & -{[}Dis{]}allows the modification of principals or policies -\\ -\hline -p - & -{[}Dis{]}allows the propagation of the principal database (used in {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}}) -\\ -\hline -s - & -{[}Dis{]}allows the explicit setting of the key for a principal -\\ -\hline -x - & -Short for admcilsp. All privileges (except \code{e}) -\\ -\hline -* - & -Same as x. -\\ -\hline\end{tabulary} - - -\end{description} - -\begin{notice}{note}{Note:} -The \code{extract} privilege is not included in the wildcard -privilege; it must be explicitly assigned. This privilege -allows the user to extract keys from the database, and must be -handled with great care to avoid disclosure of important keys -like those of the kadmin/* or krbtgt/* principals. The -\textbf{lockdown\_keys} principal attribute can be used to prevent -key extraction from specific principals regardless of the -granted privilege. -\end{notice} -\begin{description} -\item[{\emph{target\_principal}}] \leavevmode -(Optional. Partially or fully qualified Kerberos principal name.) -Specifies the principal on which \emph{permissions} may be applied. -Each component of the name may be wildcarded using the \code{*} -character. - -\emph{target\_principal} can also include back-references to \emph{principal}, -in which \code{*number} matches the corresponding wildcard in -\emph{principal}. - -\item[{\emph{restrictions}}] \leavevmode -(Optional) A string of flags. Allowed restrictions are: -\begin{quote} -\begin{description} -\item[{\{+\textbar{}-\}\emph{flagname}}] \leavevmode -flag is forced to the indicated value. The permissible flags -are the same as those for the \textbf{default\_principal\_flags} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\emph{-clearpolicy}}] \leavevmode -policy is forced to be empty. - -\item[{\emph{-policy pol}}] \leavevmode -policy is forced to be \emph{pol}. - -\item[{-\{\emph{expire, pwexpire, maxlife, maxrenewlife}\} \emph{time}}] \leavevmode -(\emph{getdate} string) associated value will be forced to -MIN(\emph{time}, requested value). - -\end{description} -\end{quote} - -The above flags act as restrictions on any add or modify operation -which is allowed due to that ACL line. - -\end{description} - -\begin{notice}{warning}{Warning:} -If the kadmind ACL file is modified, the kadmind daemon needs to be -restarted for changes to take effect. -\end{notice} - - -\subsubsection{EXAMPLE} -\label{admin/conf_files/kadm5_acl:example} -Here is an example of a kadm5.acl file: - -\begin{Verbatim}[commandchars=\\\{\}] -*/admin@ATHENA.MIT.EDU * \PYGZsh{} line 1 -joeadmin@ATHENA.MIT.EDU ADMCIL \PYGZsh{} line 2 -joeadmin/*@ATHENA.MIT.EDU i */root@ATHENA.MIT.EDU \PYGZsh{} line 3 -*/root@ATHENA.MIT.EDU ci *1@ATHENA.MIT.EDU \PYGZsh{} line 4 -*/root@ATHENA.MIT.EDU l * \PYGZsh{} line 5 -sms@ATHENA.MIT.EDU x * \PYGZhy{}maxlife 9h \PYGZhy{}postdateable \PYGZsh{} line 6 -\end{Verbatim} - -(line 1) Any principal in the \code{ATHENA.MIT.EDU} realm with an -\code{admin} instance has all administrative privileges except extracting -keys. - -(lines 1-3) The user \code{joeadmin} has all permissions except -extracting keys with his \code{admin} instance, -\code{joeadmin/admin@ATHENA.MIT.EDU} (matches line 1). He has no -permissions at all with his null instance, \code{joeadmin@ATHENA.MIT.EDU} -(matches line 2). His \code{root} and other non-\code{admin}, non-null -instances (e.g., \code{extra} or \code{dbadmin}) have inquire permissions -with any principal that has the instance \code{root} (matches line 3). - -(line 4) Any \code{root} principal in \code{ATHENA.MIT.EDU} can inquire -or change the password of their null instance, but not any other -null instance. (Here, \code{*1} denotes a back-reference to the -component matching the first wildcard in the actor principal.) - -(line 5) Any \code{root} principal in \code{ATHENA.MIT.EDU} can generate -the list of principals in the database, and the list of policies -in the database. This line is separate from line 4, because list -permission can only be granted globally, not to specific target -principals. - -(line 6) Finally, the Service Management System principal -\code{sms@ATHENA.MIT.EDU} has all permissions except extracting keys, but -any principal that it creates or modifies will not be able to get -postdateable tickets or tickets with a life of longer than 9 hours. - - -\subsubsection{SEE ALSO} -\label{admin/conf_files/kadm5_acl:see-also} -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} - - -\chapter{Realm configuration decisions} -\label{admin/realm_config:realm-configuration-decisions}\label{admin/realm_config::doc} -Before installing Kerberos V5, it is necessary to consider the -following issues: -\begin{itemize} -\item {} -The name of your Kerberos realm (or the name of each realm, if you -need more than one). - -\item {} -How you will assign your hostnames to Kerberos realms. - -\item {} -Which ports your KDC and and kadmind services will use, if they will -not be using the default ports. - -\item {} -How many slave KDCs you need and where they should be located. - -\item {} -The hostnames of your master and slave KDCs. - -\item {} -How frequently you will propagate the database from the master KDC -to the slave KDCs. - -\end{itemize} - - -\section{Realm name} -\label{admin/realm_config:realm-name} -Although your Kerberos realm can be any ASCII string, convention is to -make it the same as your domain name, in upper-case letters. - -For example, hosts in the domain \code{example.com} would be in the -Kerberos realm: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\end{Verbatim} - -If you need multiple Kerberos realms, MIT recommends that you use -descriptive names which end with your domain name, such as: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{BOSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\PYG{n}{HOUSTON}\PYG{o}{.}\PYG{n}{EXAMPLE}\PYG{o}{.}\PYG{n}{COM} -\end{Verbatim} - - -\section{Mapping hostnames onto Kerberos realms} -\label{admin/realm_config:mapping-hostnames-onto-kerberos-realms}\label{admin/realm_config:mapping-hostnames} -Mapping hostnames onto Kerberos realms is done in one of three ways. - -The first mechanism works through a set of rules in the -{\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} section of {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. You can specify -mappings for an entire domain or on a per-hostname basis. Typically -you would do this by specifying the mappings for a given domain or -subdomain and listing the exceptions. - -The second mechanism is to use KDC host-based service referrals. With -this method, the KDC's krb5.conf has a full {[}domain\_realm{]} mapping for -hosts, but the clients do not, or have mappings for only a subset of -the hosts they might contact. When a client needs to contact a server -host for which it has no mapping, it will ask the client realm's KDC -for the service ticket, and will receive a referral to the appropriate -service realm. - -To use referrals, clients must be running MIT krb5 1.6 or later, and -the KDC must be running MIT krb5 1.7 or later. The -\textbf{host\_based\_services} and \textbf{no\_host\_referral} variables in the -{\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} section of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} can be used to -fine-tune referral behavior on the KDC. - -It is also possible for clients to use DNS TXT records, if -\textbf{dns\_lookup\_realm} is enabled in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Such lookups -are disabled by default because DNS is an insecure protocol and security -holes could result if DNS records are spoofed. If enabled, the client -will try to look up a TXT record formed by prepending the prefix -\code{\_kerberos} to the hostname in question. If that record is not -found, the client will attempt a lookup by prepending \code{\_kerberos} to the -host's domain name, then its parent domain, up to the top-level domain. -For the hostname \code{boston.engineering.example.com}, the names looked up -would be: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{boston}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} -\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{engineering}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} -\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{example}\PYG{o}{.}\PYG{n}{com} -\PYG{n}{\PYGZus{}kerberos}\PYG{o}{.}\PYG{n}{com} -\end{Verbatim} - -The value of the first TXT record found is taken as the realm name. - -Even if you do not choose to use this mechanism within your site, -you may wish to set it up anyway, for use when interacting with other sites. - - -\section{Ports for the KDC and admin services} -\label{admin/realm_config:ports-for-the-kdc-and-admin-services} -The default ports used by Kerberos are port 88 for the KDC and port -749 for the admin server. You can, however, choose to run on other -ports, as long as they are specified in each host's -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} files or in DNS SRV records, and the -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file on each KDC. For a more thorough treatment of -port numbers used by the Kerberos V5 programs, refer to the -{\hyperref[admin/appl_servers:conf-firewall]{\emph{Configuring your firewall to work with Kerberos V5}}}. - - -\section{Slave KDCs} -\label{admin/realm_config:slave-kdcs} -Slave KDCs provide an additional source of Kerberos ticket-granting -services in the event of inaccessibility of the master KDC. The -number of slave KDCs you need and the decision of where to place them, -both physically and logically, depends on the specifics of your -network. - -Kerberos authentication requires that each client be able to contact a -KDC. Therefore, you need to anticipate any likely reason a KDC might -be unavailable and have a slave KDC to take up the slack. - -Some considerations include: -\begin{itemize} -\item {} -Have at least one slave KDC as a backup, for when the master KDC is -down, is being upgraded, or is otherwise unavailable. - -\item {} -If your network is split such that a network outage is likely to -cause a network partition (some segment or segments of the network -to become cut off or isolated from other segments), have a slave KDC -accessible to each segment. - -\item {} -If possible, have at least one slave KDC in a different building -from the master, in case of power outages, fires, or other localized -disasters. - -\end{itemize} - - -\section{Hostnames for KDCs} -\label{admin/realm_config:kdc-hostnames}\label{admin/realm_config:hostnames-for-kdcs} -MIT recommends that your KDCs have a predefined set of CNAME records -(DNS hostname aliases), such as \code{kerberos} for the master KDC and -\code{kerberos-1}, \code{kerberos-2}, ... for the slave KDCs. This way, if -you need to swap a machine, you only need to change a DNS entry, -rather than having to change hostnames. - -As of MIT krb5 1.4, clients can locate a realm's KDCs through DNS -using SRV records (\index{RFC!RFC 2782}\href{http://tools.ietf.org/html/rfc2782.html}{\textbf{RFC 2782}}), assuming the Kerberos realm name is -also a DNS domain name. These records indicate the hostname and port -number to contact for that service, optionally with weighting and -prioritization. The domain name used in the SRV record name is the -realm name. Several different Kerberos-related service names are -used: -\begin{description} -\item[{\_kerberos.\_udp}] \leavevmode -This is for contacting any KDC by UDP. This entry will be used -the most often. Normally you should list port 88 on each of your -KDCs. - -\item[{\_kerberos.\_tcp}] \leavevmode -This is for contacting any KDC by TCP. The MIT KDC by default -will not listen on any TCP ports, so unless you've changed the -configuration or you're running another KDC implementation, you -should leave this unspecified. If you do enable TCP support, -normally you should use port 88. - -\item[{\_kerberos-master.\_udp}] \leavevmode -This entry should refer to those KDCs, if any, that will -immediately see password changes to the Kerberos database. If a -user is logging in and the password appears to be incorrect, the -client will retry with the master KDC before failing with an -``incorrect password'' error given. - -If you have only one KDC, or for whatever reason there is no -accessible KDC that would get database changes faster than the -others, you do not need to define this entry. - -\item[{\_kerberos-adm.\_tcp}] \leavevmode -This should list port 749 on your master KDC. Support for it is -not complete at this time, but it will eventually be used by the -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program and related utilities. For now, you will -also need the \textbf{admin\_server} variable in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. - -\item[{\_kpasswd.\_udp}] \leavevmode -This should list port 464 on your master KDC. It is used when a -user changes her password. If this entry is not defined but a -\_kerberos-adm.\_tcp entry is defined, the client will use the -\_kerberos-adm.\_tcp entry with the port number changed to 749. - -\end{description} - -The DNS SRV specification requires that the hostnames listed be the -canonical names, not aliases. So, for example, you might include the -following records in your (BIND-style) zone file: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{}ORIGIN foobar.com. -\PYGZus{}kerberos TXT \PYGZdq{}FOOBAR.COM\PYGZdq{} -kerberos CNAME daisy -kerberos\PYGZhy{}1 CNAME use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke -kerberos\PYGZhy{}2 CNAME bunny\PYGZhy{}rabbit -\PYGZus{}kerberos.\PYGZus{}udp SRV 0 0 88 daisy - SRV 0 0 88 use\PYGZhy{}the\PYGZhy{}force\PYGZhy{}luke - SRV 0 0 88 bunny\PYGZhy{}rabbit -\PYGZus{}kerberos\PYGZhy{}master.\PYGZus{}udp SRV 0 0 88 daisy -\PYGZus{}kerberos\PYGZhy{}adm.\PYGZus{}tcp SRV 0 0 749 daisy -\PYGZus{}kpasswd.\PYGZus{}udp SRV 0 0 464 daisy -\end{Verbatim} - -Clients can also be configured with the explicit location of services -using the \textbf{kdc}, \textbf{master\_kdc}, \textbf{admin\_server}, and -\textbf{kpasswd\_server} variables in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section of -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Even if some clients will be configured with -explicit server locations, providing SRV records will still benefit -unconfigured clients, and be useful for other sites. - - -\section{KDC Discovery} -\label{admin/realm_config:kdc-discovery}\label{admin/realm_config:id1} -As of MIT krb5 1.15, clients can also locate KDCs in DNS through URI -records (\index{RFC!RFC 7553}\href{http://tools.ietf.org/html/rfc7553.html}{\textbf{RFC 7553}}). Limitations with the SRV record format may -result in extra DNS queries in situations where a client must failover -to other transport types, or find a master server. The URI record can -convey more information about a realm's KDCs with a single query. - -The client performs a query for the following URI records: -\begin{itemize} -\item {} -\code{\_kerberos.REALM} for fiding KDCs. - -\item {} -\code{\_kerberos-adm.REALM} for finding kadmin services. - -\item {} -\code{\_kpasswd.REALM} for finding password services. - -\end{itemize} - -The URI record includes a priority, weight, and a URI string that -consists of case-insensitive colon separated fields, in the form -\code{scheme:{[}flags{]}:transport:residual}. -\begin{itemize} -\item {} -\emph{scheme} defines the registered URI type. It should always be -\code{krb5srv}. - -\item {} -\emph{flags} contains zero or more flag characters. Currently the only -valid flag is \code{m}, which indicates that the record is for a master -server. - -\item {} -\emph{transport} defines the transport type of the residual URL or -address. Accepted values are \code{tcp}, \code{udp}, or \code{kkdcp} for the -MS-KKDCP type. - -\item {} -\emph{residual} contains the hostname, IP address, or URL to be -contacted using the specified transport, with an optional port -extension. The MS-KKDCP transport type uses a HTTPS URL, and can -include a port and/or path extension. - -\end{itemize} - -An example of URI records in a zone file: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZus{}kerberos.EXAMPLE.COM URI 10 1 krb5srv:m:tcp:kdc1.example.com - URI 20 1 krb5srv:m:udp:kdc2.example.com:89 - URI 40 1 krb5srv::udp:10.10.0.23 - URI 30 1 krb5srv::kkdcp:https://proxy:89/auth -\end{Verbatim} - -URI lookups are enabled by default, and can be disabled by setting -\textbf{dns\_uri\_lookup} in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section of -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} to False. When enabled, URI lookups take -precedence over SRV lookups, falling back to SRV lookups if no URI -records are found. - - -\section{Database propagation} -\label{admin/realm_config:database-propagation}\label{admin/realm_config:db-prop} -The Kerberos database resides on the master KDC, and must be -propagated regularly (usually by a cron job) to the slave KDCs. In -deciding how frequently the propagation should happen, you will need -to balance the amount of time the propagation takes against the -maximum reasonable amount of time a user should have to wait for a -password change to take effect. - -If the propagation time is longer than this maximum reasonable time -(e.g., you have a particularly large database, you have a lot of -slaves, or you experience frequent network delays), you may wish to -cut down on your propagation delay by performing the propagation in -parallel. To do this, have the master KDC propagate the database to -one set of slaves, and then have each of these slaves propagate the -database to additional slaves. - -See also {\hyperref[admin/database:incr-db-prop]{\emph{Incremental database propagation}}} - - -\chapter{Database administration} -\label{admin/database::doc}\label{admin/database:database-administration} -A Kerberos database contains all of a realm's Kerberos principals, -their passwords, and other administrative information about each -principal. For the most part, you will use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} -program to manipulate the Kerberos database as a whole, and the -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program to make changes to the entries in the -database. (One notable exception is that users will use the -\emph{kpasswd(1)} program to change their own passwords.) The kadmin -program has its own command-line interface, to which you type the -database administrating commands. - -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} provides a means to create, delete, load, or dump -a Kerberos database. It also contains commands to roll over the -database master key, and to stash a copy of the key so that the -{\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} and {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemons can use the database -without manual input. - -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} provides for the maintenance of Kerberos principals, -password policies, and service key tables (keytabs). Normally it -operates as a network client using Kerberos authentication to -communicate with {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}, but there is also a variant, named -kadmin.local, which directly accesses the Kerberos database on the -local filesystem (or through LDAP). kadmin.local is necessary to set -up enough of the database to be able to use the remote version. - -kadmin can authenticate to the admin server using the service -principal \code{kadmin/HOST} (where \emph{HOST} is the hostname of the admin -server) or \code{kadmin/admin}. If the credentials cache contains a -ticket for either service principal and the \textbf{-c} ccache option is -specified, that ticket is used to authenticate to KADM5. Otherwise, -the \textbf{-p} and \textbf{-k} options are used to specify the client Kerberos -principal name used to authenticate. Once kadmin has determined the -principal name, it requests a \code{kadmin/admin} Kerberos service ticket -from the KDC, and uses that service ticket to authenticate to KADM5. - -See {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for the available kadmin and kadmin.local -commands and options. - - -\section{kadmin options} -\label{admin/database:kadmin-options} -You can invoke {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} or kadmin.local with any of the -following options: - -\textbf{kadmin} -{[}\textbf{-O}\textbar{}\textbf{-N}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-p} \emph{principal}{]} -{[}\textbf{-q} \emph{query}{]} -{[}{[}\textbf{-c} \emph{cache\_name}{]}\textbar{}{[}\textbf{-k} {[}\textbf{-t} \emph{keytab}{]}{]}\textbar{}\textbf{-n}{]} -{[}\textbf{-w} \emph{password}{]} -{[}\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}{]} -{[}command args...{]} - -\textbf{kadmin.local} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-p} \emph{principal}{]} -{[}\textbf{-q} \emph{query}{]} -{[}\textbf{-d} \emph{dbname}{]} -{[}\textbf{-e} \emph{enc}:\emph{salt} ...{]} -{[}\textbf{-m}{]} -{[}\textbf{-x} \emph{db\_args}{]} -{[}command args...{]} - -\textbf{OPTIONS} -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Use \emph{realm} as the default database realm. - -\item[{\textbf{-p} \emph{principal}}] \leavevmode -Use \emph{principal} to authenticate. Otherwise, kadmin will append -\code{/admin} to the primary principal name of the default ccache, -the value of the \textbf{USER} environment variable, or the username as -obtained with getpwuid, in order of preference. - -\item[{\textbf{-k}}] \leavevmode -Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -\code{host/hostname}. If there is no keytab specified with the -\textbf{-t} option, then the default keytab will be used. - -\item[{\textbf{-t} \emph{keytab}}] \leavevmode -Use \emph{keytab} to decrypt the KDC response. This can only be used -with the \textbf{-k} option. - -\item[{\textbf{-n}}] \leavevmode -Requests anonymous processing. Two types of anonymous principals -are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure \textbf{pkinit\_anchors} in the client's -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Then use the \textbf{-n} option with a principal -of the form \code{@REALM} (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client's realm. For this mode, use \code{kinit --n} with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation. - -\item[{\textbf{-c} \emph{credentials\_cache}}] \leavevmode -Use \emph{credentials\_cache} as the credentials cache. The -cache should contain a service ticket for the \code{kadmin/ADMINHOST} -(where \emph{ADMINHOST} is the fully-qualified hostname of the admin -server) or \code{kadmin/admin} service; it can be acquired with the -\emph{kinit(1)} program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache. - -\item[{\textbf{-w} \emph{password}}] \leavevmode -Use \emph{password} instead of prompting for one. Use this option with -care, as it may expose the password to other users on the system -via the process list. - -\item[{\textbf{-q} \emph{query}}] \leavevmode -Perform the specified query and then exit. - -\item[{\textbf{-d} \emph{dbname}}] \leavevmode -Specifies the name of the KDC database. This option does not -apply to the LDAP database module. - -\item[{\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}}] \leavevmode -Specifies the admin server which kadmin should contact. - -\item[{\textbf{-m}}] \leavevmode -If using kadmin.local, prompt for the database master password -instead of reading it from a stash file. - -\item[{\textbf{-e} ``\emph{enc}:\emph{salt} ...''}] \leavevmode -Sets the keysalt list to be used for any new keys created. See -{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible -values. - -\item[{\textbf{-O}}] \leavevmode -Force use of old AUTH\_GSSAPI authentication flavor. - -\item[{\textbf{-N}}] \leavevmode -Prevent fallback to AUTH\_GSSAPI authentication flavor. - -\item[{\textbf{-x} \emph{db\_args}}] \leavevmode -Specifies the database specific arguments. See the next section -for supported options. - -\end{description} - - -\section{Date Format} -\label{admin/database:date-format} -For the supported date-time formats see \emph{getdate} section -in \emph{datetime}. - - -\section{Principals} -\label{admin/database:principals} -Each entry in the Kerberos database contains a Kerberos principal and -the attributes and policies associated with that principal. - - -\subsection{Adding, modifying and deleting principals} -\label{admin/database:add-mod-del-princs}\label{admin/database:adding-modifying-and-deleting-principals} -To add a principal to the database, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} -\textbf{add\_principal} command. - -To modify attributes of a principal, use the kadmin -\textbf{modify\_principal} command. - -To delete a principal, use the kadmin \textbf{delete\_principal} command. - - -\subsection{add\_principal} -\label{admin/database:add-principal}\begin{quote} - -\textbf{add\_principal} {[}\emph{options}{]} \emph{newprinc} -\end{quote} - -Creates the principal \emph{newprinc}, prompting twice for a password. If -no password policy is specified with the \textbf{-policy} option, and the -policy named \code{default} is assigned to the principal if it exists. -However, creating a policy named \code{default} will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the \textbf{-clearpolicy} option. - -This command requires the \textbf{add} privilege. - -Aliases: \textbf{addprinc}, \textbf{ank} - -Options: -\begin{description} -\item[{\textbf{-expire} \emph{expdate}}] \leavevmode -(\emph{getdate} string) The expiration date of the principal. - -\item[{\textbf{-pwexpire} \emph{pwexpdate}}] \leavevmode -(\emph{getdate} string) The password expiration date. - -\item[{\textbf{-maxlife} \emph{maxlife}}] \leavevmode -(\emph{duration} or \emph{getdate} string) The maximum ticket life -for the principal. - -\item[{\textbf{-maxrenewlife} \emph{maxrenewlife}}] \leavevmode -(\emph{duration} or \emph{getdate} string) The maximum renewable -life of tickets for the principal. - -\item[{\textbf{-kvno} \emph{kvno}}] \leavevmode -The initial key version number. - -\item[{\textbf{-policy} \emph{policy}}] \leavevmode -The password policy used by this principal. If not specified, the -policy \code{default} is used if it exists (unless \textbf{-clearpolicy} -is specified). - -\item[{\textbf{-clearpolicy}}] \leavevmode -Prevents any policy from being assigned when \textbf{-policy} is not -specified. - -\item[{\{-\textbar{}+\}\textbf{allow\_postdated}}] \leavevmode -\textbf{-allow\_postdated} prohibits this principal from obtaining -postdated tickets. \textbf{+allow\_postdated} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_forwardable}}] \leavevmode -\textbf{-allow\_forwardable} prohibits this principal from obtaining -forwardable tickets. \textbf{+allow\_forwardable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_renewable}}] \leavevmode -\textbf{-allow\_renewable} prohibits this principal from obtaining -renewable tickets. \textbf{+allow\_renewable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_proxiable}}] \leavevmode -\textbf{-allow\_proxiable} prohibits this principal from obtaining -proxiable tickets. \textbf{+allow\_proxiable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_dup\_skey}}] \leavevmode -\textbf{-allow\_dup\_skey} disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. \textbf{+allow\_dup\_skey} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{requires\_preauth}}] \leavevmode -\textbf{+requires\_preauth} requires this principal to preauthenticate -before being allowed to kinit. \textbf{-requires\_preauth} clears this -flag. When \textbf{+requires\_preauth} is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client's initial authentication was performed using -preauthentication. - -\item[{\{-\textbar{}+\}\textbf{requires\_hwauth}}] \leavevmode -\textbf{+requires\_hwauth} requires this principal to preauthenticate -using a hardware device before being allowed to kinit. -\textbf{-requires\_hwauth} clears this flag. When \textbf{+requires\_hwauth} is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client's initial authentication was -performed using a hardware device to preauthenticate. - -\item[{\{-\textbar{}+\}\textbf{ok\_as\_delegate}}] \leavevmode -\textbf{+ok\_as\_delegate} sets the \textbf{okay as delegate} flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. \textbf{-ok\_as\_delegate} clears this -flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_svr}}] \leavevmode -\textbf{-allow\_svr} prohibits the issuance of service tickets for this -principal. \textbf{+allow\_svr} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_tgs\_req}}] \leavevmode -\textbf{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -\textbf{+allow\_tgs\_req} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_tix}}] \leavevmode -\textbf{-allow\_tix} forbids the issuance of any tickets for this -principal. \textbf{+allow\_tix} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{needchange}}] \leavevmode -\textbf{+needchange} forces a password change on the next initial -authentication to this principal. \textbf{-needchange} clears this -flag. - -\item[{\{-\textbar{}+\}\textbf{password\_changing\_service}}] \leavevmode -\textbf{+password\_changing\_service} marks this principal as a password -change service principal. - -\item[{\{-\textbar{}+\}\textbf{ok\_to\_auth\_as\_delegate}}] \leavevmode -\textbf{+ok\_to\_auth\_as\_delegate} allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation. - -\item[{\{-\textbar{}+\}\textbf{no\_auth\_data\_required}}] \leavevmode -\textbf{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal. - -\item[{\{-\textbar{}+\}\textbf{lockdown\_keys}}] \leavevmode -\textbf{+lockdown\_keys} prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local. - -\item[{\textbf{-randkey}}] \leavevmode -Sets the key of the principal to a random value. - -\item[{\textbf{-nokey}}] \leavevmode -Causes the principal to be created with no key. New in release -1.12. - -\item[{\textbf{-pw} \emph{password}}] \leavevmode -Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-x} \emph{db\_princ\_args}}] \leavevmode -Indicates database-specific options. The options for the LDAP -database module are: -\begin{description} -\item[{\textbf{-x dn=}\emph{dn}}] \leavevmode -Specifies the LDAP object that will contain the Kerberos -principal being created. - -\item[{\textbf{-x linkdn=}\emph{dn}}] \leavevmode -Specifies the LDAP object to which the newly created Kerberos -principal object will point. - -\item[{\textbf{-x containerdn=}\emph{container\_dn}}] \leavevmode -Specifies the container object under which the Kerberos -principal is to be created. - -\item[{\textbf{-x tktpolicy=}\emph{policy}}] \leavevmode -Associates a ticket policy to the Kerberos principal. - -\end{description} - -\begin{notice}{note}{Note:}\begin{itemize} -\item {} -The \textbf{containerdn} and \textbf{linkdn} options cannot be -specified with the \textbf{dn} option. - -\item {} -If the \emph{dn} or \emph{containerdn} options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container. - -\item {} -\emph{dn} and \emph{containerdn} should be within the subtrees or -principal container configured in the realm. - -\end{itemize} -\end{notice} - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addprinc jennifer -WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: -Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: -Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin: -\end{Verbatim} - - -\subsection{modify\_principal} -\label{admin/database:modify-principal}\begin{quote} - -\textbf{modify\_principal} {[}\emph{options}{]} \emph{principal} -\end{quote} - -Modifies the specified principal, changing the fields as specified. -The options to \textbf{add\_principal} also apply to this command, except -for the \textbf{-randkey}, \textbf{-pw}, and \textbf{-e} options. In addition, the -option \textbf{-clearpolicy} will clear the current policy of a principal. - -This command requires the \emph{modify} privilege. - -Alias: \textbf{modprinc} - -Options (in addition to the \textbf{addprinc} options): -\begin{description} -\item[{\textbf{-unlock}}] \leavevmode -Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate. - -\end{description} - - -\subsection{delete\_principal} -\label{admin/database:delete-principal}\begin{quote} - -\textbf{delete\_principal} {[}\textbf{-force}{]} \emph{principal} -\end{quote} - -Deletes the specified \emph{principal} from the database. This command -prompts for deletion, unless the \textbf{-force} option is given. - -This command requires the \textbf{delete} privilege. - -Alias: \textbf{delprinc} - - -\subsubsection{Examples} -\label{admin/database:examples} -If you want to create a principal which is contained by a LDAP object, -all you need to do is: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addprinc \PYGZhy{}x dn=cn=jennifer,dc=example,dc=com jennifer -WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. -Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: \PYGZlt{}=Type it again. -Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin: -\end{Verbatim} - -If you want to create a principal under a specific LDAP container and -link to an existing LDAP object, all you need to do is: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addprinc \PYGZhy{}x containerdn=dc=example,dc=com \PYGZhy{}x linkdn=cn=david,dc=example,dc=com david -WARNING: no policy specified for \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{}; -defaulting to no policy. -Enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. -Re\PYGZhy{}enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}=Type it again. -Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin: -\end{Verbatim} - -If you want to associate a ticket policy to a principal, all you need -to do is: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: modprinc \PYGZhy{}x tktpolicy=userpolicy david -Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} modified. -kadmin: -\end{Verbatim} - -If, on the other hand, you want to set up an account that expires on -January 1, 2000, that uses a policy called ``stduser'', with a temporary -password (which you want the user to change immediately), you would -type the following: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addprinc david \PYGZhy{}expire \PYGZdq{}1/1/2000 12:01am EST\PYGZdq{} \PYGZhy{}policy stduser +needchange -Enter password for principal david@ATHENA.MIT.EDU: \PYGZlt{}= Type the password. -Re\PYGZhy{}enter password for principal -david@ATHENA.MIT.EDU: \PYGZlt{}= Type it again. -Principal \PYGZdq{}david@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin: -\end{Verbatim} - -If you want to delete a principal: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: delprinc jennifer -Are you sure you want to delete the principal -\PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}? (yes/no): yes -Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} deleted. -Make sure that you have removed this principal from -all ACLs before reusing. -kadmin: -\end{Verbatim} - - -\subsection{Retrieving information about a principal} -\label{admin/database:retrieving-information-about-a-principal} -To retrieve a listing of the attributes and/or policies associated -with a principal, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{get\_principal} command. - -To generate a listing of principals, use the kadmin -\textbf{list\_principals} command. - - -\subsection{get\_principal} -\label{admin/database:get-principal}\begin{quote} - -\textbf{get\_principal} {[}\textbf{-terse}{]} \emph{principal} -\end{quote} - -Gets the attributes of principal. With the \textbf{-terse} option, outputs -fields as quoted tab-separated strings. - -This command requires the \textbf{inquire} privilege, or that the principal -running the the program to be the same as the one being listed. - -Alias: \textbf{getprinc} - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 -Attributes: -Policy: [none] - -kadmin: getprinc \PYGZhy{}terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -\end{Verbatim} - - -\subsection{list\_principals} -\label{admin/database:list-principals}\begin{quote} - -\textbf{list\_principals} {[}\emph{expression}{]} -\end{quote} - -Retrieves all or some principal names. \emph{expression} is a shell-style -glob expression that can contain the wild-card characters \code{?}, -\code{*}, and \code{{[}{]}}. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an \code{@} character, an -\code{@} character followed by the local realm is appended to the -expression. - -This command requires the \textbf{list} privilege. - -Alias: \textbf{listprincs}, \textbf{get\_principals}, \textbf{get\_princs} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: listprincs test* -test3@SECURE\PYGZhy{}TEST.OV.COM -test2@SECURE\PYGZhy{}TEST.OV.COM -test1@SECURE\PYGZhy{}TEST.OV.COM -testuser@SECURE\PYGZhy{}TEST.OV.COM -kadmin: -\end{Verbatim} - - -\subsection{Changing passwords} -\label{admin/database:changing-passwords} -To change a principal's password use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} -\textbf{change\_password} command. - - -\subsection{change\_password} -\label{admin/database:change-password}\begin{quote} - -\textbf{change\_password} {[}\emph{options}{]} \emph{principal} -\end{quote} - -Changes the password of \emph{principal}. Prompts for a new password if -neither \textbf{-randkey} or \textbf{-pw} is specified. - -This command requires the \textbf{changepw} privilege, or that the -principal running the program is the same as the principal being -changed. - -Alias: \textbf{cpw} - -The following options are available: -\begin{description} -\item[{\textbf{-randkey}}] \leavevmode -Sets the key of the principal to a random value. - -\item[{\textbf{-pw} \emph{password}}] \leavevmode -Set the password to the specified string. Using this option in a -script may expose the password to other users on the system via -the process list. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-keepold}}] \leavevmode -Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for \code{krbtgt} principals. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re\PYGZhy{}enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. -kadmin: -\end{Verbatim} - -\begin{notice}{note}{Note:} -Password changes through kadmin are subject to the same -password policies as would apply to password changes through -\emph{kpasswd(1)}. -\end{notice} - - -\section{Policies} -\label{admin/database:policies}\label{admin/database:id1} -A policy is a set of rules governing passwords. Policies can dictate -minimum and maximum password lifetimes, minimum number of characters -and character classes a password must contain, and the number of old -passwords kept in the database. - - -\subsection{Adding, modifying and deleting policies} -\label{admin/database:adding-modifying-and-deleting-policies} -To add a new policy, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{add\_policy} command. - -To modify attributes of a principal, use the kadmin \textbf{modify\_policy} -command. - -To delete a policy, use the kadmin \textbf{delete\_policy} command. - - -\subsection{add\_policy} -\label{admin/database:add-policy}\begin{quote} - -\textbf{add\_policy} {[}\emph{options}{]} \emph{policy} -\end{quote} - -Adds a password policy named \emph{policy} to the database. - -This command requires the \textbf{add} privilege. - -Alias: \textbf{addpol} - -The following options are available: -\begin{description} -\item[{\textbf{-maxlife} \emph{time}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the maximum -lifetime of a password. - -\item[{\textbf{-minlife} \emph{time}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the minimum -lifetime of a password. - -\item[{\textbf{-minlength} \emph{length}}] \leavevmode -Sets the minimum length of a password. - -\item[{\textbf{-minclasses} \emph{number}}] \leavevmode -Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters. - -\item[{\textbf{-history} \emph{number}}] \leavevmode -Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module. - -\end{description} -\phantomsection\label{admin/database:policy-maxfailure}\begin{description} -\item[{\textbf{-maxfailure} \emph{maxnumber}}] \leavevmode -Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -\emph{maxnumber} value of 0 (the default) disables lockout. - -\end{description} -\phantomsection\label{admin/database:policy-failurecountinterval}\begin{description} -\item[{\textbf{-failurecountinterval} \emph{failuretime}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the allowable time -between authentication failures. If an authentication failure -happens after \emph{failuretime} has elapsed since the previous -failure, the number of authentication failures is reset to 1. A -\emph{failuretime} value of 0 (the default) means forever. - -\end{description} -\phantomsection\label{admin/database:policy-lockoutduration}\begin{description} -\item[{\textbf{-lockoutduration} \emph{lockouttime}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with \code{modprinc -unlock}. - -\item[{\textbf{-allowedkeysalts}}] \leavevmode -Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal's password/keys. See -{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (`,') only. To clear the allowed key/salt policy use -a value of `-`. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: add\PYGZus{}policy \PYGZhy{}maxlife \PYGZdq{}2 days\PYGZdq{} \PYGZhy{}minlength 5 guests -kadmin: -\end{Verbatim} - - -\subsection{modify\_policy} -\label{admin/database:modify-policy}\begin{quote} - -\textbf{modify\_policy} {[}\emph{options}{]} \emph{policy} -\end{quote} - -Modifies the password policy named \emph{policy}. Options are as described -for \textbf{add\_policy}. - -This command requires the \textbf{modify} privilege. - -Alias: \textbf{modpol} - - -\subsection{delete\_policy} -\label{admin/database:delete-policy}\begin{quote} - -\textbf{delete\_policy} {[}\textbf{-force}{]} \emph{policy} -\end{quote} - -Deletes the password policy named \emph{policy}. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals. - -This command requires the \textbf{delete} privilege. - -Alias: \textbf{delpol} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: del\PYGZus{}policy guests -Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? -(yes/no): yes -kadmin: -\end{Verbatim} - -\begin{notice}{note}{Note:} -You must cancel the policy from \emph{all} principals before -deleting it. The \emph{delete\_policy} command will fail if the policy -is in use by any principals. -\end{notice} - - -\subsection{Retrieving policies} -\label{admin/database:retrieving-policies} -To retrieve a policy, use the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{get\_policy} command. - -You can retrieve the list of policies with the kadmin -\textbf{list\_policies} command. - - -\subsection{get\_policy} -\label{admin/database:get-policy}\begin{quote} - -\textbf{get\_policy} {[} \textbf{-terse} {]} \emph{policy} -\end{quote} - -Displays the values of the password policy named \emph{policy}. With the -\textbf{-terse} flag, outputs the fields as quoted strings separated by -tabs. - -This command requires the \textbf{inquire} privilege. - -Alias: getpol - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: get\PYGZus{}policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get\PYGZus{}policy \PYGZhy{}terse admin -admin 15552000 0 6 2 5 17 -kadmin: -\end{Verbatim} - -The ``Reference count'' is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful. - - -\subsection{list\_policies} -\label{admin/database:list-policies}\begin{quote} - -\textbf{list\_policies} {[}\emph{expression}{]} -\end{quote} - -Retrieves all or some policy names. \emph{expression} is a shell-style -glob expression that can contain the wild-card characters \code{?}, -\code{*}, and \code{{[}{]}}. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed. - -This command requires the \textbf{list} privilege. - -Aliases: \textbf{listpols}, \textbf{get\_policies}, \textbf{getpols}. - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: listpols -test\PYGZhy{}pol -dict\PYGZhy{}only -once\PYGZhy{}a\PYGZhy{}min -test\PYGZhy{}pol\PYGZhy{}nopw - -kadmin: listpols t* -test\PYGZhy{}pol -test\PYGZhy{}pol\PYGZhy{}nopw -kadmin: -\end{Verbatim} - - -\subsection{Policies and principals} -\label{admin/database:policies-and-principals} -Policies can be applied to principals as they are created by using -the \textbf{-policy} flag to {\hyperref[admin/admin_commands/kadmin_local:add-principal]{\emph{add\_principal}}}. Existing principals can -be modified by using the \textbf{-policy} or \textbf{-clearpolicy} flag to -{\hyperref[admin/admin_commands/kadmin_local:modify-principal]{\emph{modify\_principal}}}. - - -\subsection{Updating the history key} -\label{admin/database:updating-the-history-key} -If a policy specifies a number of old keys kept of two or more, the -stored old keys are encrypted in a history key, which is found in the -key data of the \code{kadmin/history} principal. - -Currently there is no support for proper rollover of the history key, -but you can change the history key (for example, to use a better -encryption type) at the cost of invalidating currently stored old -keys. To change the history key, run: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: change\PYGZus{}password \PYGZhy{}randkey kadmin/history -\end{Verbatim} - -This command will fail if you specify the \textbf{-keepold} flag. Only one -new history key will be created, even if you specify multiple key/salt -combinations. - -In the future, we plan to migrate towards encrypting old keys in the -master key instead of the history key, and implementing proper -rollover support for stored old keys. - - -\section{Privileges} -\label{admin/database:privileges}\label{admin/database:id2} -Administrative privileges for the Kerberos database are stored in the -file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}. - -\begin{notice}{note}{Note:} -A common use of an admin instance is so you can grant -separate permissions (such as administrator access to the -Kerberos database) to a separate Kerberos principal. For -example, the user \code{joeadmin} might have a principal for -his administrative use, called \code{joeadmin/admin}. This -way, \code{joeadmin} would obtain \code{joeadmin/admin} tickets -only when he actually needs to use those permissions. -\end{notice} - - -\section{Operations on the Kerberos database} -\label{admin/database:db-operations}\label{admin/database:operations-on-the-kerberos-database} -The {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} command is the primary tool for administrating -the Kerberos database. - -\textbf{kdb5\_util} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-d} \emph{dbname}{]} -{[}\textbf{-k} \emph{mkeytype}{]} -{[}\textbf{-M} \emph{mkeyname}{]} -{[}\textbf{-kv} \emph{mkeyVNO}{]} -{[}\textbf{-sf} \emph{stashfilename}{]} -{[}\textbf{-m}{]} -\emph{command} {[}\emph{command\_options}{]} - -\textbf{OPTIONS} -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -specifies the Kerberos realm of the database. - -\item[{\textbf{-d} \emph{dbname}}] \leavevmode -specifies the name under which the principal database is stored; -by default the database is that listed in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. The -password policy database and lock files are also derived from this -value. - -\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode -specifies the key type of the master key in the database. The -default is given by the \textbf{master\_key\_type} variable in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode -Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed. - -\item[{\textbf{-M} \emph{mkeyname}}] \leavevmode -principal name for the master key in the database. If not -specified, the name is determined by the \textbf{master\_key\_name} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-m}}] \leavevmode -specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk. - -\item[{\textbf{-sf} \emph{stash\_file}}] \leavevmode -specifies the stash filename of the master database password. If -not specified, the filename is determined by the -\textbf{key\_stash\_file} variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-P} \emph{password}}] \leavevmode -specifies the master database password. Using this option may -expose the password to other users on the system via the process -list. - -\end{description} - - -\subsection{Dumping a Kerberos database to a file} -\label{admin/database:dumping-a-kerberos-database-to-a-file} -To dump a Kerberos database into a file, use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} -\textbf{dump} command on one of the KDCs. -\begin{quote} - -\textbf{dump} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-verbose}{]} -{[}\textbf{-mkey\_convert}{]} {[}\textbf{-new\_mkey\_file} \emph{mkey\_file}{]} {[}\textbf{-rev}{]} -{[}\textbf{-recurse}{]} {[}\emph{filename} {[}\emph{principals}...{]}{]} -\end{quote} - -Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, ``kdb5\_util -load\_dump version 7''. If filename is not specified, or is the string -``-'', the dump is sent to standard output. Options: -\begin{description} -\item[{\textbf{-b7}}] \leavevmode -causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5\_util -load\_dump version 4''). This was the dump format produced on -releases prior to 1.2.2. - -\item[{\textbf{-ov}}] \leavevmode -causes the dump to be in ``ovsec\_adm\_export'' format. - -\item[{\textbf{-r13}}] \leavevmode -causes the dump to be in the Kerberos 5 1.3 format (``kdb5\_util -load\_dump version 5''). This was the dump format produced on -releases prior to 1.8. - -\item[{\textbf{-r18}}] \leavevmode -causes the dump to be in the Kerberos 5 1.8 format (``kdb5\_util -load\_dump version 6''). This was the dump format produced on -releases prior to 1.11. - -\item[{\textbf{-verbose}}] \leavevmode -causes the name of each principal and policy to be printed as it -is dumped. - -\item[{\textbf{-mkey\_convert}}] \leavevmode -prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed. - -\item[{\textbf{-new\_mkey\_file} \emph{mkey\_file}}] \leavevmode -the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed. - -\item[{\textbf{-rev}}] \leavevmode -dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred. - -\item[{\textbf{-recurse}}] \leavevmode -causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. In cases of such -corruption, this option will probably retrieve more principals -than the \textbf{-rev} option will. - -\DUspan{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \textbf{-recurse} -option. - -\DUspan{versionmodified}{Changed in version 1.5: }The \textbf{-recurse} option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal. - -\end{description} - - -\subsubsection{Examples} -\label{admin/database:id3} -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util dump dumpfile -shell\PYGZpc{} - -shell\PYGZpc{} kbd5\PYGZus{}util dump \PYGZhy{}verbose dumpfile -kadmin/admin@ATHENA.MIT.EDU -krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -kadmin/history@ATHENA.MIT.EDU -K/M@ATHENA.MIT.EDU -kadmin/changepw@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -If you specify which principals to dump, you must use the full -principal, as in the following example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU -kadmin/admin@ATHENA.MIT.EDU -K/M@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -Otherwise, the principals will not match those in the database and -will not be dumped: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}verbose dumpfile K/M kadmin/admin -shell\PYGZpc{} -\end{Verbatim} - -If you do not specify a dump file, kdb5\_util will dump the database to -the standard output. - - -\subsection{Restoring a Kerberos database from a dump file} -\label{admin/database:restore-from-dump}\label{admin/database:restoring-a-kerberos-database-from-a-dump-file} -To restore a Kerberos database dump from a file, use the -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{load} command on one of the KDCs. -\begin{quote} - -\textbf{load} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-hash}{]} -{[}\textbf{-verbose}{]} {[}\textbf{-update}{]} \emph{filename} {[}\emph{dbname}{]} -\end{quote} - -Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the \textbf{-update} option is given, \textbf{load} creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the \textbf{-update} flag is required. - -Options: -\begin{description} -\item[{\textbf{-b7}}] \leavevmode -requires the database to be in the Kerberos 5 Beta 7 format -(``kdb5\_util load\_dump version 4''). This was the dump format -produced on releases prior to 1.2.2. - -\item[{\textbf{-ov}}] \leavevmode -requires the database to be in ``ovsec\_adm\_import'' format. Must be -used with the \textbf{-update} option. - -\item[{\textbf{-r13}}] \leavevmode -requires the database to be in Kerberos 5 1.3 format (``kdb5\_util -load\_dump version 5''). This was the dump format produced on -releases prior to 1.8. - -\item[{\textbf{-r18}}] \leavevmode -requires the database to be in Kerberos 5 1.8 format (``kdb5\_util -load\_dump version 6''). This was the dump format produced on -releases prior to 1.11. - -\item[{\textbf{-hash}}] \leavevmode -requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals. - -\item[{\textbf{-verbose}}] \leavevmode -causes the name of each principal and policy to be printed as it -is dumped. - -\item[{\textbf{-update}}] \leavevmode -records from the dump file are added to or updated in the existing -database. Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion. - -\end{description} - -If specified, \emph{dbname} overrides the value specified on the command -line or the default. - - -\subsubsection{Examples} -\label{admin/database:id4} -To load a single principal, either replacing or updating the database: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util load dumpfile principal -shell\PYGZpc{} - -shell\PYGZpc{} kdb5\PYGZus{}util load \PYGZhy{}update dumpfile principal -shell\PYGZpc{} -\end{Verbatim} - -\begin{notice}{note}{Note:} -If the database file exists, and the \emph{-update} flag was not -given, \emph{kdb5\_util} will overwrite the existing database. -\end{notice} - -Using kdb5\_util to upgrade a master KDC from krb5 1.1.x: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util dump old\PYGZhy{}kdb\PYGZhy{}dump -shell\PYGZpc{} kdb5\PYGZus{}util dump \PYGZhy{}ov old\PYGZhy{}kdb\PYGZhy{}dump.ov - [Create a new KDC installation, using the old stash file/master password] -shell\PYGZpc{} kdb5\PYGZus{}util load old\PYGZhy{}kdb\PYGZhy{}dump -shell\PYGZpc{} kdb5\PYGZus{}util load \PYGZhy{}update old\PYGZhy{}kdb\PYGZhy{}dump.ov -\end{Verbatim} - -The use of old-kdb-dump.ov for an extra dump and load is necessary -to preserve per-principal policy information, which is not included in -the default dump format of krb5 1.1.x. - -\begin{notice}{note}{Note:} -Using kdb5\_util to dump and reload the principal database is -only necessary when upgrading from versions of krb5 prior -to 1.2.0---newer versions will use the existing database as-is. -\end{notice} - - -\subsection{Creating a stash file} -\label{admin/database:create-stash}\label{admin/database:creating-a-stash-file} -A stash file allows a KDC to authenticate itself to the database -utilities, such as {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, and -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}. - -To create a stash file, use the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{stash} command. -\begin{quote} - -\textbf{stash} {[}\textbf{-f} \emph{keyfile}{]} -\end{quote} - -Stores the master principal's keys in a stash file. The \textbf{-f} -argument can be used to override the \emph{keyfile} specified in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - - -\subsubsection{Example} -\label{admin/database:example}\begin{quote} - -shell\% kdb5\_util stash -kdb5\_util: Cannot find/read stored master key while reading master key -kdb5\_util: Warning: proceeding without master key -Enter KDC database master key: \textless{}= Type the KDC database master password. -shell\% -\end{quote} - -If you do not specify a stash file, kdb5\_util will stash the key in -the file specified in your {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. - - -\subsection{Creating and destroying a Kerberos database} -\label{admin/database:creating-and-destroying-a-kerberos-database} -If you need to create a new Kerberos database, use the -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{create} command. -\begin{quote} - -\textbf{create} {[}\textbf{-s}{]} -\end{quote} - -Creates a new database. If the \textbf{-s} option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run. - -If you need to destroy the current Kerberos database, use the -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} \textbf{destroy} command. -\begin{quote} - -\textbf{destroy} {[}\textbf{-f}{]} -\end{quote} - -Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the \textbf{-f} argument, does not prompt the user. - - -\subsubsection{Examples} -\label{admin/database:id5} -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU create \PYGZhy{}s -Loading random data -Initializing database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, -master key name \PYGZsq{}K/M@ATHENA.MIT.EDU\PYGZsq{} -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: \PYGZlt{}= Type the master password. -Re\PYGZhy{}enter KDC database master key to verify: \PYGZlt{}= Type it again. -shell\PYGZpc{} - -shell\PYGZpc{} kdb5\PYGZus{}util \PYGZhy{}r ATHENA.MIT.EDU destroy -Deleting KDC database stored in \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}, are you sure? -(type \PYGZsq{}yes\PYGZsq{} to confirm)? \PYGZlt{}= yes -OK, deleting database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{}... -** Database \PYGZsq{}/usr/local/var/krb5kdc/principal\PYGZsq{} destroyed. -shell\PYGZpc{} -\end{Verbatim} - - -\subsection{Updating the master key} -\label{admin/database:updating-the-master-key} -Starting with release 1.7, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} allows the master key -to be changed using a rollover process, with minimal loss of -availability. To roll over the master key, follow these steps: -\begin{enumerate} -\item {} -On the master KDC, run \code{kdb5\_util list\_mkeys} to view the current -master key version number (KVNO). If you have never rolled over -the master key before, this will likely be version 1: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kdb5\PYGZus{}util list\PYGZus{}mkeys -Master keys for Principal: K/M@KRBTEST.COM -KVNO: 1, Enctype: des\PYGZhy{}cbc\PYGZhy{}crc, Active on: Wed Dec 31 19:00:00 EST 1969 * -\end{Verbatim} - -\item {} -On the master KDC, run \code{kdb5\_util use\_mkey 1} to ensure that a -master key activation list is present in the database. This step -is unnecessary in release 1.11.4 or later, or if the database was -initially created with release 1.7 or later. - -\item {} -On the master KDC, run \code{kdb5\_util add\_mkey -s} to create a new -master key and write it to the stash file. Enter a secure password -when prompted. If this is the first time you are changing the -master key, the new key will have version 2. The new master key -will not be used until you make it active. - -\item {} -Propagate the database to all slave KDCs, either manually or by -waiting until the next scheduled propagation. If you do not have -any slave KDCs, you can skip this and the next step. - -\item {} -On each slave KDC, run \code{kdb5\_util list\_mkeys} to verify that the -new master key is present, and then \code{kdb5\_util stash} to write -the new master key to the slave KDC's stash file. - -\item {} -On the master KDC, run \code{kdb5\_util use\_mkey 2} to begin using the -new master key. Replace \code{2} with the version of the new master -key, as appropriate. You can optionally specify a date for the new -master key to become active; by default, it will become active -immediately. Prior to release 1.12, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} must be -restarted for this change to take full effect. - -\item {} -On the master KDC, run \code{kdb5\_util update\_princ\_encryption}. This -command will iterate over the database and re-encrypt all keys in -the new master key. If the database is large and uses DB2, the -master KDC will become unavailable while this command runs, but -clients should fail over to slave KDCs (if any are present) during -this time period. In release 1.13 and later, you can instead run -\code{kdb5\_util -x unlockiter update\_princ\_encryption} to use unlocked -iteration; this variant will take longer, but will keep the -database available to the KDC and kadmind while it runs. - -\item {} -On the master KDC, run \code{kdb5\_util purge\_mkeys} to clean up the -old master key. - -\end{enumerate} - - -\section{Operations on the LDAP database} -\label{admin/database:operations-on-the-ldap-database}\label{admin/database:ops-on-ldap} -The {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} is the primary tool for administrating -the Kerberos LDAP database. It allows an administrator to manage -realms, Kerberos services (KDC and Admin Server) and ticket policies. - -\textbf{kdb5\_ldap\_util} -{[}\textbf{-D} \emph{user\_dn} {[}\textbf{-w} \emph{passwd}{]}{]} -{[}\textbf{-H} \emph{ldapuri}{]} -\textbf{command} -{[}\emph{command\_options}{]} - -\textbf{OPTIONS} -\begin{description} -\item[{\textbf{-D} \emph{user\_dn}}] \leavevmode -Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server. - -\item[{\textbf{-w} \emph{passwd}}] \leavevmode -Specifies the password of \emph{user\_dn}. This option is not -recommended. - -\item[{\textbf{-H} \emph{ldapuri}}] \leavevmode -Specifies the URI of the LDAP server. It is recommended to use -\code{ldapi://} or \code{ldaps://} to connect to the LDAP server. - -\end{description} - - -\subsection{Creating a Kerberos realm} -\label{admin/database:creating-a-kerberos-realm}\label{admin/database:ldap-create-realm} -If you need to create a new realm, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} -\textbf{create} command as follows. -\begin{quote} - -\textbf{create} -{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} -{[}\textbf{-sscope} \emph{search\_scope}{]} -{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} -{[}\textbf{-k} \emph{mkeytype}{]} -{[}\textbf{-kv} \emph{mkeyVNO}{]} -{[}\textbf{-m\textbar{}-P} \emph{password}\textbar{}\textbf{-sf} \emph{stashfilename}{]} -{[}\textbf{-s}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\end{quote} - -Creates realm in directory. Options: -\begin{description} -\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode -Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (\code{:}). - -\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode -Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees). - -\item[{\textbf{-containerref} \emph{container\_reference\_dn}}] \leavevmode -Specifies the DN of the container object in which the principals -of a realm will be created. If the container reference is not -configured for a realm, the principals will be created in the -realm container. - -\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode -Specifies the key type of the master key in the database. The -default is given by the \textbf{master\_key\_type} variable in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode -Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed. - -\item[{\textbf{-m}}] \leavevmode -Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk. - -\item[{\textbf{-P} \emph{password}}] \leavevmode -Specifies the master database password. This option is not -recommended. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-sf} \emph{stashfilename}}] \leavevmode -Specifies the stash file of the master database password. - -\item[{\textbf{-s}}] \leavevmode -Specifies that the stash file is to be created. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals in this realm. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals in this realm. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the \textbf{add\_principal} command in -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - create \PYGZhy{}subtrees o=org \PYGZhy{}sscope SUB \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Initializing database for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{} -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: -Re\PYGZhy{}enter KDC database master key to verify: -\end{Verbatim} - - -\subsection{Modifying a Kerberos realm} -\label{admin/database:ldap-mod-realm}\label{admin/database:modifying-a-kerberos-realm} -If you need to modify a realm, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} -\textbf{modify} command as follows. -\begin{quote} - -\textbf{modify} -{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} -{[}\textbf{-sscope} \emph{search\_scope}{]} -{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\end{quote} - -Modifies the attributes of a realm. Options: -\begin{description} -\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode -Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (\code{:}). This list replaces the existing list. - -\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode -Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees). - -\item[{\textbf{-containerref} \emph{container\_reference\_dn} Specifies the DN of the}] \leavevmode -container object in which the principals of a realm will be -created. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals in this realm. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals in this realm. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the \textbf{add\_principal} command in -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu modify +requires\PYGZus{}preauth \PYGZhy{}r - ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -shell\PYGZpc{} -\end{Verbatim} - - -\subsection{Destroying a Kerberos realm} -\label{admin/database:destroying-a-kerberos-realm} -If you need to destroy a Kerberos realm, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{destroy} command as follows. -\begin{quote} - -\textbf{destroy} {[}\textbf{-f}{]} {[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Destroys an existing realm. Options: -\begin{description} -\item[{\textbf{-f}}] \leavevmode -If specified, will not prompt the user for confirmation. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu destroy \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? -(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes -OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... -shell\PYGZpc{} -\end{Verbatim} - - -\subsection{Retrieving information about a Kerberos realm} -\label{admin/database:retrieving-information-about-a-kerberos-realm} -If you need to display the attributes of a realm, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{view} command as follows. -\begin{quote} - -\textbf{view} {[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Displays the attributes of a realm. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - view \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE -\end{Verbatim} - - -\subsection{Listing available Kerberos realms} -\label{admin/database:listing-available-kerberos-realms} -If you need to display the list of the realms, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{list} command as follows. -\begin{quote} - -\textbf{list} -\end{quote} - -Lists the name of realms. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu list -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA\PYGZhy{}LAB.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - - -\subsection{Stashing service object's password} -\label{admin/database:stashing-service-object-s-password}\label{admin/database:stash-ldap} -The {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{stashsrvpw} command allows an -administrator to store the password of service object in a file. The -KDC and Administration server uses this password to authenticate to -the LDAP server. -\begin{quote} - -\textbf{stashsrvpw} -{[}\textbf{-f} \emph{filename}{]} -\emph{name} -\end{quote} - -Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options: -\begin{description} -\item[{\textbf{-f} \emph{filename}}] \leavevmode -Specifies the complete path of the service password file. By -default, \code{/usr/local/var/service\_passwd} is used. - -\item[{\emph{name}}] \leavevmode -Specifies the name of the object whose password is to be stored. -If {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} or {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} are configured for -simple binding, this should be the distinguished name it will -use as given by the \textbf{ldap\_kdc\_dn} or \textbf{ldap\_kadmind\_dn} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the \textbf{ldap\_kdc\_sasl\_authcid} or -\textbf{ldap\_kadmind\_sasl\_authcid} variable. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util stashsrvpw \PYGZhy{}f /home/andrew/conf\PYGZus{}keyfile - cn=service\PYGZhy{}kdc,o=org -Password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: -Re\PYGZhy{}enter password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsection{Ticket Policy operations} -\label{admin/database:ticket-policy-operations} - -\subsubsection{Creating a Ticket Policy} -\label{admin/database:creating-a-ticket-policy} -To create a new ticket policy in directory , use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{create\_policy} command. Ticket policy -objects are created under the realm container. -\begin{quote} - -\textbf{create\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\emph{policy\_name} -\end{quote} - -Creates a ticket policy in the directory. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the \textbf{add\_principal} -command in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - create\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}maxtktlife \PYGZdq{}1 day\PYGZdq{} - \PYGZhy{}maxrenewlife \PYGZdq{}1 week\PYGZdq{} \PYGZhy{}allow\PYGZus{}postdated +needchange - \PYGZhy{}allow\PYGZus{}forwardable tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsubsection{Modifying a Ticket Policy} -\label{admin/database:modifying-a-ticket-policy} -To modify a ticket policy in directory, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{modify\_policy} command. -\begin{quote} - -\textbf{modify\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\emph{policy\_name} -\end{quote} - -Modifies the attributes of a ticket policy. Options are same as for -\textbf{create\_policy}. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu modify\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU - \PYGZhy{}maxtktlife \PYGZdq{}60 minutes\PYGZdq{} \PYGZhy{}maxrenewlife \PYGZdq{}10 hours\PYGZdq{} - +allow\PYGZus{}postdated \PYGZhy{}requires\PYGZus{}preauth tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsubsection{Retrieving Information About a Ticket Policy} -\label{admin/database:retrieving-information-about-a-ticket-policy} -To display the attributes of a ticket policy, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{view\_policy} command. -\begin{quote} - -\textbf{view\_policy} -{[}\textbf{-r} \emph{realm}{]} -\emph{policy\_name} -\end{quote} - -Displays the attributes of a ticket policy. Options: -\begin{description} -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - view\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE -\end{Verbatim} - - -\subsubsection{Destroying a Ticket Policy} -\label{admin/database:destroying-a-ticket-policy} -To destroy an existing ticket policy, use the {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} -\textbf{destroy\_policy} command. -\begin{quote} - -\textbf{destroy\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-force}{]} -\emph{policy\_name} -\end{quote} - -Destroys an existing ticket policy. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-force}}] \leavevmode -Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy. - -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - destroy\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? -(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes -** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. -\end{Verbatim} - - -\subsubsection{Listing available Ticket Policies} -\label{admin/database:listing-available-ticket-policies} -To list the name of ticket policies in a realm, use the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{list\_policy} command. -\begin{quote} - -\textbf{list\_policy} -{[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Lists the ticket policies in realm if specified or in the default -realm. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - list\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -tktpolicy -tmppolicy -userpolicy -\end{Verbatim} - - -\section{Cross-realm authentication} -\label{admin/database:cross-realm-authentication}\label{admin/database:xrealm-authn} -In order for a KDC in one realm to authenticate Kerberos users in a -different realm, it must share a key with the KDC in the other realm. -In both databases, there must be krbtgt service principals for both realms. -For example, if you need to do cross-realm authentication between the realms -\code{ATHENA.MIT.EDU} and \code{EXAMPLE.COM}, you would need to add the -principals \code{krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU} and -\code{krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM} to both databases. -These principals must all have the same passwords, key version -numbers, and encryption types; this may require explicitly setting -the key version number with the \textbf{-kvno} option. - -In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators -would run the following commands on the KDCs in both realms: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{}: kadmin.local \PYGZhy{}e \PYGZdq{}aes256\PYGZhy{}cts:normal\PYGZdq{} -kadmin: addprinc \PYGZhy{}requires\PYGZus{}preauth krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM -Enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -Re\PYGZhy{}enter password for principal krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM: -kadmin: addprinc \PYGZhy{}requires\PYGZus{}preauth krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -Enter password for principal krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU: -kadmin: -\end{Verbatim} - -\begin{notice}{note}{Note:} -Even if most principals in a realm are generally created -with the \textbf{requires\_preauth} flag enabled, this flag is not -desirable on cross-realm authentication keys because doing -so makes it impossible to disable preauthentication on a -service-by-service basis. Disabling it as in the example -above is recommended. -\end{notice} - -\begin{notice}{note}{Note:} -It is very important that these principals have good -passwords. MIT recommends that TGT principal passwords be -at least 26 characters of random ASCII text. -\end{notice} - - -\section{Changing the krbtgt key} -\label{admin/database:changing-krbtgt-key}\label{admin/database:changing-the-krbtgt-key} -A Kerberos Ticket Granting Ticket (TGT) is a service ticket for the -principal \code{krbtgt/REALM}. The key for this principal is created -when the Kerberos database is initialized and need not be changed. -However, it will only have the encryption types supported by the KDC -at the time of the initial database creation. To allow use of newer -encryption types for the TGT, this key has to be changed. - -Changing this key using the normal {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} -\textbf{change\_password} command would invalidate any previously issued -TGTs. Therefore, when changing this key, normally one should use the -\textbf{-keepold} flag to change\_password to retain the previous key in the -database as well as the new key. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: change\PYGZus{}password \PYGZhy{}randkey \PYGZhy{}keepold krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -\end{Verbatim} - -\begin{notice}{warning}{Warning:} -After issuing this command, the old key is still valid -and is still vulnerable to (for instance) brute force -attacks. To completely retire an old key or encryption -type, run the kadmin \textbf{purgekeys} command to delete keys -with older kvnos, ideally first making sure that all -tickets issued with the old keys have expired. -\end{notice} - -Only the first krbtgt key of the newest key version is used to encrypt -ticket-granting tickets. However, the set of encryption types present -in the krbtgt keys is used by default to determine the session key -types supported by the krbtgt service (see -{\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}}). Because non-MIT Kerberos clients -sometimes send a limited set of encryption types when making AS -requests, it can be important to for the krbtgt service to support -multiple encryption types. This can be accomplished by giving the -krbtgt principal multiple keys, which is usually as simple as not -specifying any \textbf{-e} option when changing the krbtgt key, or by -setting the \textbf{session\_enctypes} string attribute on the krbtgt -principal (see {\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}}). - -Due to a bug in releases 1.8 through 1.13, renewed and forwarded -tickets may not work if the original ticket was obtained prior to a -krbtgt key change and the modified ticket is obtained afterwards. -Upgrading the KDC to release 1.14 or later will correct this bug. - - -\section{Incremental database propagation} -\label{admin/database:incremental-database-propagation}\label{admin/database:incr-db-prop} - -\subsection{Overview} -\label{admin/database:overview} -At some very large sites, dumping and transmitting the database can -take more time than is desirable for changes to propagate from the -master KDC to the slave KDCs. The incremental propagation support -added in the 1.7 release is intended to address this. - -With incremental propagation enabled, all programs on the master KDC -that change the database also write information about the changes to -an ``update log'' file, maintained as a circular buffer of a certain -size. A process on each slave KDC connects to a service on the master -KDC (currently implemented in the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} server) and -periodically requests the changes that have been made since the last -check. By default, this check is done every two minutes. If the -database has just been modified in the previous several seconds -(currently the threshold is hard-coded at 10 seconds), the slave will -not retrieve updates, but instead will pause and try again soon after. -This reduces the likelihood that incremental update queries will cause -delays for an administrator trying to make a bunch of changes to the -database at the same time. - -Incremental propagation uses the following entries in the per-realm -data in the KDC config file (See {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}): - -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline - -iprop\_enable - & -\emph{boolean} - & -If \emph{true}, then incremental propagation is enabled, and (as noted below) normal kprop propagation is disabled. The default is \emph{false}. -\\ -\hline -iprop\_master\_ulogsize - & -\emph{integer} - & -Indicates the number of entries that should be retained in the update log. The default is 1000; the maximum number is 2500. -\\ -\hline -iprop\_slave\_poll - & -\emph{time interval} - & -Indicates how often the slave should poll the master KDC for changes to the database. The default is two minutes. -\\ -\hline -iprop\_port - & -\emph{integer} - & -Specifies the port number to be used for incremental propagation. This is required in both master and slave configuration files. -\\ -\hline -iprop\_resync\_timeout - & -\emph{integer} - & -Specifies the number of seconds to wait for a full propagation to complete. This is optional on slave configurations. Defaults to 300 seconds (5 minutes). -\\ -\hline -iprop\_logfile - & -\emph{file name} - & -Specifies where the update log file for the realm database is to be stored. The default is to use the \emph{database\_name} entry from the realms section of the config file {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, with \emph{.ulog} appended. (NOTE: If database\_name isn't specified in the realms section, perhaps because the LDAP database back end is being used, or the file name is specified in the \emph{dbmodules} section, then the hard-coded default for \emph{database\_name} is used. Determination of the \emph{iprop\_logfile} default value will not use values from the \emph{dbmodules} section.) -\\ -\hline\end{tabulary} - - -Both master and slave sides must have a principal named -\code{kiprop/hostname} (where \emph{hostname} is the lowercase, -fully-qualified, canonical name for the host) registered in the -Kerberos database, and have keys for that principal stored in the -default keytab file ({\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}). In release 1.13, the -\code{kiprop/hostname} principal is created automatically for the master -KDC, but it must still be created for slave KDCs. - -On the master KDC side, the \code{kiprop/hostname} principal must be -listed in the kadmind ACL file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}, and given the -\textbf{p} privilege (see {\hyperref[admin/database:privileges]{\emph{Privileges}}}). - -On the slave KDC side, {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} should be run. When -incremental propagation is enabled, it will connect to the kadmind on -the master KDC and start requesting updates. - -The normal kprop mechanism is disabled by the incremental propagation -support. However, if the slave has been unable to fetch changes from -the master KDC for too long (network problems, perhaps), the log on -the master may wrap around and overwrite some of the updates that the -slave has not yet retrieved. In this case, the slave will instruct -the master KDC to dump the current database out to a file and invoke a -one-time kprop propagation, with special options to also convey the -point in the update log at which the slave should resume fetching -incremental updates. Thus, all the keytab and ACL setup previously -described for kprop propagation is still needed. - -If an environment has a large number of slaves, it may be desirable to -arrange them in a hierarchy instead of having the master serve updates -to every slave. To do this, run \code{kadmind -proponly} on each -intermediate slave, and \code{kpropd -A upstreamhostname} on downstream -slaves to direct each one to the appropriate upstream slave. - -There are several known restrictions in the current implementation: -\begin{itemize} -\item {} -The incremental update protocol does not transport changes to policy -objects. Any policy changes on the master will result in full -resyncs to all slaves. - -\item {} -The slave's KDB module must support locking; it cannot be using the -LDAP KDB module. - -\item {} -The master and slave must be able to initiate TCP connections in -both directions, without an intervening NAT. - -\end{itemize} - - -\subsection{Sun/MIT incremental propagation differences} -\label{admin/database:sun-mit-incremental-propagation-differences} -Sun donated the original code for supporting incremental database -propagation to MIT. Some changes have been made in the MIT source -tree that will be visible to administrators. (These notes are based -on Sun's patches. Changes to Sun's implementation since then may not -be reflected here.) - -The Sun config file support looks for \code{sunw\_dbprop\_enable}, -\code{sunw\_dbprop\_master\_ulogsize}, and \code{sunw\_dbprop\_slave\_poll}. - -The incremental propagation service is implemented as an ONC RPC -service. In the Sun implementation, the service is registered with -rpcbind (also known as portmapper) and the client looks up the port -number to contact. In the MIT implementation, where interaction with -some modern versions of rpcbind doesn't always work well, the port -number must be specified in the config file on both the master and -slave sides. - -The Sun implementation hard-codes pathnames in \code{/var/krb5} for the -update log and the per-slave kprop dump files. In the MIT -implementation, the pathname for the update log is specified in the -config file, and the per-slave dump files are stored in -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans\_hostname}. - - -\chapter{Account lockout} -\label{admin/lockout::doc}\label{admin/lockout:account-lockout} -As of release 1.8, the KDC can be configured to lock out principals -after a number of failed authentication attempts within a period of -time. Account lockout can make it more difficult to attack a -principal's password by brute force, but also makes it easy for an -attacker to deny access to a principal. - - -\section{Configuring account lockout} -\label{admin/lockout:configuring-account-lockout} -Account lockout only works for principals with the -\textbf{+requires\_preauth} flag set. Without this flag, the KDC cannot -know whether or not a client successfully decrypted the ticket it -issued. It is also important to set the \textbf{-allow\_svr} flag on a -principal to protect its password from an off-line dictionary attack -through a TGS request. You can set these flags on a principal with -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} as follows: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: modprinc +requires\PYGZus{}preauth \PYGZhy{}allow\PYGZus{}svr PRINCNAME -\end{Verbatim} - -Account lockout parameters are configured via {\hyperref[admin/database:policies]{\emph{policy objects}}}. There may be an existing policy associated with user -principals (such as the ``default'' policy), or you may need to create a -new one and associate it with each user principal. - -The policy parameters related to account lockout are: -\begin{itemize} -\item {} -{\hyperref[admin/database:policy-maxfailure]{\emph{maxfailure}}}: the number of failed attempts -before the principal is locked out - -\item {} -{\hyperref[admin/database:policy-failurecountinterval]{\emph{failurecountinterval}}}: the -allowable interval between failed attempts - -\item {} -{\hyperref[admin/database:policy-lockoutduration]{\emph{lockoutduration}}}: the amount of time -a principal is locked out for - -\end{itemize} - -Here is an example of setting these parameters on a new policy and -associating it with a principal: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addpol \PYGZhy{}maxfailure 10 \PYGZhy{}failurecountinterval 180 - \PYGZhy{}lockoutduration 60 lockout\PYGZus{}policy -kadmin: modprinc \PYGZhy{}policy lockout\PYGZus{}policy PRINCNAME -\end{Verbatim} - - -\section{Testing account lockout} -\label{admin/lockout:testing-account-lockout} -To test that account lockout is working, try authenticating as the -principal (hopefully not one that might be in use) multiple times with -the wrong password. For instance, if \textbf{maxfailure} is set to 2, you -might see: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kinit user -Password for user@KRBTEST.COM: -kinit: Password incorrect while getting initial credentials -\PYGZdl{} kinit user -Password for user@KRBTEST.COM: -kinit: Password incorrect while getting initial credentials -\PYGZdl{} kinit user -kinit: Client\PYGZsq{}s credentials have been revoked while getting initial credentials -\end{Verbatim} - - -\section{Account lockout principal state} -\label{admin/lockout:account-lockout-principal-state} -A principal entry keeps three pieces of state related to account -lockout: -\begin{itemize} -\item {} -The time of last successful authentication - -\item {} -The time of last failed authentication - -\item {} -A counter of failed attempts - -\end{itemize} - -The time of last successful authentication is not actually needed for -the account lockout system to function, but may be of administrative -interest. These fields can be observed with the \textbf{getprinc} kadmin -command. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: getprinc user -Principal: user@KRBTEST.COM -... -Last successful authentication: [never] -Last failed authentication: Mon Dec 03 12:30:33 EST 2012 -Failed password attempts: 2 -... -\end{Verbatim} - -A principal which has been locked out can be administratively unlocked -with the \textbf{-unlock} option to the \textbf{modprinc} kadmin command: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: modprinc \PYGZhy{}unlock PRINCNAME -\end{Verbatim} - -This command will reset the number of failed attempts to 0. - - -\section{KDC replication and account lockout} -\label{admin/lockout:kdc-replication-and-account-lockout} -The account lockout state of a principal is not replicated by either -traditional {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} or incremental propagation. Because of -this, the number of attempts an attacker can make within a time period -is multiplied by the number of KDCs. For instance, if the -\textbf{maxfailure} parameter on a policy is 10 and there are four KDCs in -the environment (a master and three slaves), an attacker could make as -many as 40 attempts before the principal is locked out on all four -KDCs. - -An administrative unlock is propagated from the master to the slave -KDCs during the next propagation. Propagation of an administrative -unlock will cause the counter of failed attempts on each slave to -reset to 1 on the next failure. - -If a KDC environment uses a replication strategy other than kprop or -incremental propagation, such as the LDAP KDB module with multi-master -LDAP replication, then account lockout state may be replicated between -KDCs and the concerns of this section may not apply. - - -\section{KDC performance and account lockout} -\label{admin/lockout:kdc-performance-and-account-lockout} -In order to fully track account lockout state, the KDC must write to -the the database on each successful and failed authentication. -Writing to the database is generally more expensive than reading from -it, so these writes may have a significant impact on KDC performance. -As of release 1.9, it is possible to turn off account lockout state -tracking in order to improve performance, by setting the -\textbf{disable\_last\_success} and \textbf{disable\_lockout} variables in the -database module subsection of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -[dbmodules] - DB = \PYGZob{} - disable\PYGZus{}last\PYGZus{}success = true - disable\PYGZus{}lockout = true - \PYGZcb{} -\end{Verbatim} - -Of the two variables, setting \textbf{disable\_last\_success} will usually -have the largest positive impact on performance, and will still allow -account lockout policies to operate. However, it will make it -impossible to observe the last successful authentication time with -kadmin. - - -\section{KDC setup and account lockout} -\label{admin/lockout:kdc-setup-and-account-lockout} -To update the account lockout state on principals, the KDC must be -able to write to the principal database. For the DB2 module, no -special setup is required. For the LDAP module, the KDC DN must be -granted write access to the principal objects. If the KDC DN has only -read access, account lockout will not function. - - -\chapter{Configuring Kerberos with OpenLDAP back-end} -\label{admin/conf_ldap::doc}\label{admin/conf_ldap:configuring-kerberos-with-openldap-back-end}\begin{enumerate} -\item {} -Set up SSL on the OpenLDAP server and client to ensure secure -communication when the KDC service and LDAP server are on different -machines. \code{ldapi://} can be used if the LDAP server and KDC -service are running on the same machine. -\begin{enumerate} -\item {} -Setting up SSL on the OpenLDAP server: - -\end{enumerate} -\begin{enumerate} -\item {} -Get a CA certificate using OpenSSL tools - -\item {} -Configure OpenLDAP server for using SSL/TLS - -For the latter, you need to specify the location of CA -certificate location in \emph{slapd.conf} file. - -Refer to the following link for more information: -\href{http://www.openldap.org/doc/admin23/tls.html}{http://www.openldap.org/doc/admin23/tls.html} - -\end{enumerate} -\begin{enumerate} -\setcounter{enumi}{1} -\item {} -Setting up SSL on OpenLDAP client: -\begin{enumerate} -\item {} -For the KDC and Admin Server, you need to do the client-side -configuration in ldap.conf. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{TLS\PYGZus{}CACERT} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{openldap}\PYG{o}{/}\PYG{n}{certs}\PYG{o}{/}\PYG{n}{cacert}\PYG{o}{.}\PYG{n}{pem} -\end{Verbatim} - -\end{enumerate} - -\end{enumerate} - -\item {} -Include the Kerberos schema file (kerberos.schema) in the -configuration file (slapd.conf) on the LDAP Server, by providing -the location where it is stored: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{include} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{openldap}\PYG{o}{/}\PYG{n}{schema}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{schema} -\end{Verbatim} - -\item {} -Choose DNs for the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} and {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} servers -to bind to the LDAP server, and create them if necessary. These DNs -will be specified with the \textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} -directives in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}; their passwords can be stashed -with ``\code{kdb5\_ldap\_util stashsrvpw}'' and the resulting file -specified with the \textbf{ldap\_service\_password\_file} directive. - -\item {} -Choose a DN for the global Kerberos container entry (but do not -create the entry at this time). This DN will be specified with the -\textbf{ldap\_kerberos\_container\_dn} directive in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. -Realm container entries will be created underneath this DN. -Principal entries may exist either underneath the realm container -(the default) or in separate trees referenced from the realm -container. - -\item {} -Configure the LDAP server ACLs to enable the KDC and kadmin server -DNs to read and write the Kerberos data. If -\textbf{disable\_last\_success} and \textbf{disable\_lockout} are both set to -true in the {\hyperref[admin/conf_files/kdc_conf:dbmodules]{\emph{{[}dbmodules{]}}}} subsection for the realm, then the -KDC DN only requires read access to the Kerberos data. - -Sample access control information: - -\begin{Verbatim}[commandchars=\\\{\}] -access to dn.base=\PYGZdq{}\PYGZdq{} - by * read - -access to dn.base=\PYGZdq{}cn=Subschema\PYGZdq{} - by * read - -access to attrs=userPassword,userPKCS12 - by self write - by * auth - -access to attrs=shadowLastChange - by self write - by * read - -\PYGZsh{} Providing access to realm container -access to dn.subtree= \PYGZdq{}cn=EXAMPLE.COM,cn=krbcontainer,dc=example,dc=com\PYGZdq{} - by dn.exact=\PYGZdq{}cn=kdc\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write - by dn.exact=\PYGZdq{}cn=adm\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write - by * none - -\PYGZsh{} Providing access to principals, if not underneath realm container -access to dn.subtree= \PYGZdq{}ou=users,dc=example,dc=com\PYGZdq{} - by dn.exact=\PYGZdq{}cn=kdc\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write - by dn.exact=\PYGZdq{}cn=adm\PYGZhy{}service,dc=example,dc=com\PYGZdq{} write - by * none - -access to * - by * read -\end{Verbatim} - -If the locations of the container and principals or the DNs of -the service objects for a realm are changed then this -information should be updated. - -\item {} -Start the LDAP server as follows: - -\begin{Verbatim}[commandchars=\\\{\}] -slapd \PYGZhy{}h \PYGZdq{}ldapi:/// ldaps:///\PYGZdq{} -\end{Verbatim} - -\item {} -Modify the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file to include LDAP specific items -listed below: - -\begin{Verbatim}[commandchars=\\\{\}] -realms - database\PYGZus{}module - -dbmodules - db\PYGZus{}library - db\PYGZus{}module\PYGZus{}dir - ldap\PYGZus{}kdc\PYGZus{}dn - ldap\PYGZus{}kadmind\PYGZus{}dn - ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file - ldap\PYGZus{}servers - ldap\PYGZus{}conns\PYGZus{}per\PYGZus{}server -\end{Verbatim} - -\item {} -Create the realm using {\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} (see -{\hyperref[admin/database:ldap-create-realm]{\emph{Creating a Kerberos realm}}}): - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com create \PYGZhy{}subtrees ou=users,dc=example,dc=com \PYGZhy{}r EXAMPLE.COM \PYGZhy{}s -\end{Verbatim} - -Use the \textbf{-subtrees} option if the principals are to exist in a -separate subtree from the realm container. Before executing the -command, make sure that the subtree mentioned above -\code{(ou=users,dc=example,dc=com)} exists. If the principals will -exist underneath the realm container, omit the \textbf{-subtrees} option -and do not worry about creating the principal subtree. - -For more information, refer to the section {\hyperref[admin/database:ops-on-ldap]{\emph{Operations on the LDAP database}}}. - -The realm object is created under the -\textbf{ldap\_kerberos\_container\_dn} specified in the configuration file. -This operation will also create the Kerberos container, if not -present already. This will be used to store information related to -all realms. - -\item {} -Stash the password of the service object used by the KDC and -Administration service to bind to the LDAP server using the -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} \textbf{stashsrvpw} command (see -{\hyperref[admin/database:stash-ldap]{\emph{Stashing service object's password}}}). The object DN should be the same as -\textbf{ldap\_kdc\_dn} and \textbf{ldap\_kadmind\_dn} values specified in the -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com stashsrvpw \PYGZhy{}f /etc/kerberos/service.keyfile cn=krbadmin,dc=example,dc=com -\end{Verbatim} - -\item {} -Add \code{krbPrincipalName} to the indexes in slapd.conf to speed up -the access. - -\end{enumerate} - -With the LDAP back end it is possible to provide aliases for principal -entries. Currently we provide no mechanism provided for creating -aliases, so it must be done by direct manipulation of the LDAP -entries. - -An entry with aliases contains multiple values of the -\emph{krbPrincipalName} attribute. Since LDAP attribute values are not -ordered, it is necessary to specify which principal name is canonical, -by using the \emph{krbCanonicalName} attribute. Therefore, to create -aliases for an entry, first set the \emph{krbCanonicalName} attribute of -the entry to the canonical principal name (which should be identical -to the pre-existing \emph{krbPrincipalName} value), and then add additional -\emph{krbPrincipalName} attributes for the aliases. - -Principal aliases are only returned by the KDC when the client -requests canonicalization. Canonicalization is normally requested for -service principals; for client principals, an explicit flag is often -required (e.g., \code{kinit -C}) and canonicalization is only performed -for initial ticket requests. - - -\strong{See also:} - - -{\hyperref[admin/advanced/ldapbackend:ldap-be-ubuntu]{\emph{LDAP backend on Ubuntu 10.4 (lucid)}}} - - - - -\chapter{Application servers} -\label{admin/appl_servers::doc}\label{admin/appl_servers:application-servers} -If you need to install the Kerberos V5 programs on an application -server, please refer to the Kerberos V5 Installation Guide. Once you -have installed the software, you need to add that host to the Kerberos -database (see {\hyperref[admin/database:add-mod-del-princs]{\emph{Adding, modifying and deleting principals}}}), and generate a keytab for -that host, that contains the host's key. You also need to make sure -the host's clock is within your maximum clock skew of the KDCs. - - -\section{Keytabs} -\label{admin/appl_servers:keytabs} -A keytab is a host's copy of its own keylist, which is analogous to a -user's password. An application server that needs to authenticate -itself to the KDC has to have a keytab that contains its own principal -and key. Just as it is important for users to protect their -passwords, it is equally important for hosts to protect their keytabs. -You should always store keytab files on local disk, and make them -readable only by root, and you should never send a keytab file over a -network in the clear. Ideally, you should run the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} -command to extract a keytab on the host on which the keytab is to -reside. - - -\subsection{Adding principals to keytabs} -\label{admin/appl_servers:adding-principals-to-keytabs}\label{admin/appl_servers:add-princ-kt} -To generate a keytab, or to add a principal to an existing keytab, use -the \textbf{ktadd} command from kadmin. - - -\subsection{ktadd} -\label{admin/appl_servers:ktadd}\begin{quote} - -\begin{DUlineblock}{0em} -\item[] \textbf{ktadd} {[}options{]} \emph{principal} -\item[] \textbf{ktadd} {[}options{]} \textbf{-glob} \emph{princ-exp} -\end{DUlineblock} -\end{quote} - -Adds a \emph{principal}, or all principals matching \emph{princ-exp}, to a -keytab file. Each principal's keys are randomized in the process. -The rules for \emph{princ-exp} are described in the \textbf{list\_principals} -command. - -This command requires the \textbf{inquire} and \textbf{changepw} privileges. -With the \textbf{-glob} form, it also requires the \textbf{list} privilege. - -The options are: -\begin{description} -\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode -Use \emph{keytab} as the keytab file. Otherwise, the default keytab is -used. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the new keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-q}}] \leavevmode -Display less verbose information. - -\item[{\textbf{-norandkey}}] \leavevmode -Do not randomize the keys. The keys and their version numbers stay -unchanged. This option cannot be specified in combination with the -\textbf{-e} option. - -\end{description} - -An entry for each of the principal's unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktadd \PYGZhy{}k /tmp/foo\PYGZhy{}new\PYGZhy{}keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab - FILE:/tmp/foo\PYGZhy{}new\PYGZhy{}keytab -kadmin: -\end{Verbatim} - - -\subsubsection{Examples} -\label{admin/appl_servers:examples} -Here is a sample session, using configuration files that enable only -AES encryption: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktadd host/daffodil.mit.edu@ATHENA.MIT.EDU -Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab -Entry for principal host/daffodil.mit.edu with kvno 2, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab FILE:/etc/krb5.keytab -kadmin: -\end{Verbatim} - - -\subsection{Removing principals from keytabs} -\label{admin/appl_servers:removing-principals-from-keytabs} -To remove a principal from an existing keytab, use the kadmin -\textbf{ktremove} command. - - -\subsection{ktremove} -\label{admin/appl_servers:ktremove}\begin{quote} - -\textbf{ktremove} {[}options{]} \emph{principal} {[}\emph{kvno} \textbar{} \emph{all} \textbar{} \emph{old}{]} -\end{quote} - -Removes entries for the specified \emph{principal} from a keytab. Requires -no permissions, since this does not require database access. - -If the string ``all'' is specified, all entries for that principal are -removed; if the string ``old'' is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed. - -The options are: -\begin{description} -\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode -Use \emph{keytab} as the keytab file. Otherwise, the default keytab is -used. - -\item[{\textbf{-q}}] \leavevmode -Display less verbose information. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktremove kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab -kadmin: -\end{Verbatim} - - -\section{Clock Skew} -\label{admin/appl_servers:clock-skew} -A Kerberos application server host must keep its clock synchronized or -it will reject authentication requests from clients. Modern operating -systems typically provide a facility to maintain the correct time; -make sure it is enabled. This is especially important on virtual -machines, where clocks tend to drift more rapidly than normal machine -clocks. - -The default allowable clock skew is controlled by the \textbf{clockskew} -variable in {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}. - - -\section{Getting DNS information correct} -\label{admin/appl_servers:getting-dns-information-correct} -Several aspects of Kerberos rely on name service. When a hostname is -used to name a service, the Kerberos library canonicalizes the -hostname using forward and reverse name resolution. (The reverse name -resolution step can be turned off using the \textbf{rdns} variable in -{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}}.) The result of this canonicalization must match -the principal entry in the host's keytab, or authentication will fail. - -Each host's canonical name must be the fully-qualified host name -(including the domain), and each host's IP address must -reverse-resolve to the canonical name. - -Configuration of hostnames varies by operating system. On the -application server itself, canonicalization will typically use the -\code{/etc/hosts} file rather than the DNS. Ensure that the line for the -server's hostname is in the following form: - -\begin{Verbatim}[commandchars=\\\{\}] -IP address fully\PYGZhy{}qualified hostname aliases -\end{Verbatim} - -Here is a sample \code{/etc/hosts} file: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZsh{} this is a comment -127.0.0.1 localhost localhost.mit.edu -10.0.0.6 daffodil.mit.edu daffodil trillium wake\PYGZhy{}robin -\end{Verbatim} - -The output of \code{klist -k} for this example host should look like: - -\begin{Verbatim}[commandchars=\\\{\}] -viola\PYGZsh{} klist \PYGZhy{}k -Keytab name: /etc/krb5.keytab -KVNO Principal -\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} - 2 host/daffodil.mit.edu@ATHENA.MIT.EDU -\end{Verbatim} - -If you were to ssh to this host with a fresh credentials cache (ticket -file), and then \emph{klist(1)}, the output should list a service -principal of \code{host/daffodil.mit.edu@ATHENA.MIT.EDU}. - - -\section{Configuring your firewall to work with Kerberos V5} -\label{admin/appl_servers:conf-firewall}\label{admin/appl_servers:configuring-your-firewall-to-work-with-kerberos-v5} -If you need off-site users to be able to get Kerberos tickets in your -realm, they must be able to get to your KDC. This requires either -that you have a slave KDC outside your firewall, or that you configure -your firewall to allow UDP requests into at least one of your KDCs, on -whichever port the KDC is running. (The default is port 88; other -ports may be specified in the KDC's {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file.) -Similarly, if you need off-site users to be able to change their -passwords in your realm, they must be able to get to your Kerberos -admin server on the kpasswd port (which defaults to 464). If you need -off-site users to be able to administer your Kerberos realm, they must -be able to get to your Kerberos admin server on the administrative -port (which defaults to 749). - -If your on-site users inside your firewall will need to get to KDCs in -other realms, you will also need to configure your firewall to allow -outgoing TCP and UDP requests to port 88, and to port 464 to allow -password changes. If your on-site users inside your firewall will -need to get to Kerberos admin servers in other realms, you will also -need to allow outgoing TCP and UDP requests to port 749. - -If any of your KDCs are outside your firewall, you will need to allow -kprop requests to get through to the remote KDC. {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} uses -the \code{krb5\_prop} service on port 754 (tcp). - -The book \emph{UNIX System Security}, by David Curry, is a good starting -point for learning to configure firewalls. - - -\chapter{Host configuration} -\label{admin/host_config:host-configuration}\label{admin/host_config::doc} -All hosts running Kerberos software, whether they are clients, -application servers, or KDCs, can be configured using -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Here we describe some of the behavior changes -you might want to make. - - -\section{Default realm} -\label{admin/host_config:default-realm} -In the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section, the \textbf{default\_realm} realm -relation sets the default Kerberos realm. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - default\PYGZus{}realm = ATHENA.MIT.EDU -\end{Verbatim} - -The default realm affects Kerberos behavior in the following ways: -\begin{itemize} -\item {} -When a principal name is parsed from text, the default realm is used -if no \code{@REALM} component is specified. - -\item {} -The default realm affects login authorization as described below. - -\item {} -For programs which operate on a Kerberos database, the default realm -is used to determine which database to operate on, unless the \textbf{-r} -parameter is given to specify a realm. - -\item {} -A server program may use the default realm when looking up its key -in a {\hyperref[admin/install_appl_srv:keytab-file]{\emph{keytab file}}}, if its realm is not -determined by {\hyperref[admin/conf_files/krb5_conf:domain-realm]{\emph{{[}domain\_realm{]}}}} configuration or by the server -program itself. - -\item {} -If \emph{kinit(1)} is passed the \textbf{-n} flag, it requests anonymous -tickets from the default realm. - -\end{itemize} - -In some situations, these uses of the default realm might conflict. -For example, it might be desirable for principal name parsing to use -one realm by default, but for login authorization to use a second -realm. In this situation, the first realm can be configured as the -default realm, and \textbf{auth\_to\_local} relations can be used as -described below to use the second realm for login authorization. - - -\section{Login authorization} -\label{admin/host_config:login-authorization}\label{admin/host_config:id1} -If a host runs a Kerberos-enabled login service such as OpenSSH with -GSSAPIAuthentication enabled, login authorization rules determine -whether a Kerberos principal is allowed to access a local account. - -By default, a Kerberos principal is allowed access to an account if -its realm matches the default realm and its name matches the account -name. (For historical reasons, access is also granted by default if -the name has two components and the second component matches the -default realm; for instance, \code{alice/ATHENA.MIT.EDU@ATHENA.MIT.EDU} -is granted access to the \code{alice} account if \code{ATHENA.MIT.EDU} is -the default realm.) - -The simplest way to control local access is using \emph{.k5login(5)} -files. To use these, place a \code{.k5login} file in the home directory -of each account listing the principal names which should have login -access to that account. If it is not desirable to use \code{.k5login} -files located in account home directories, the \textbf{k5login\_directory} -relation in the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section can specify a directory -containing one file per account uname. - -By default, if a \code{.k5login} file is present, it controls -authorization both positively and negatively--any principal name -contained in the file is granted access and any other principal name -is denied access, even if it would have had access if the \code{.k5login} -file didn't exist. The \textbf{k5login\_authoritative} relation in the -{\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} section can be set to false to make \code{.k5login} -files provide positive authorization only. - -The \textbf{auth\_to\_local} relation in the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section for the -default realm can specify pattern-matching rules to control login -authorization. For example, the following configuration allows access -to principals from a different realm than the default realm: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - DEFAULT.REALM = \PYGZob{} - \PYGZsh{} Allow access to principals from OTHER.REALM. - \PYGZsh{} - \PYGZsh{} [1:\PYGZdl{}1@\PYGZdl{}0] matches single\PYGZhy{}component principal names and creates - \PYGZsh{} a selection string containing the principal name and realm. - \PYGZsh{} - \PYGZsh{} (.*@OTHER\PYGZbs{}.REALM) matches against the selection string, so that - \PYGZsh{} only principals in OTHER.REALM are matched. - \PYGZsh{} - \PYGZsh{} s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// removes the realm name, leaving behind the - \PYGZsh{} principal name as the acount name. - auth\PYGZus{}to\PYGZus{}local = RULE:[1:\PYGZdl{}1@\PYGZdl{}0](.*@OTHER\PYGZbs{}.REALM)s/@OTHER\PYGZbs{}.REALM\PYGZdl{}// - - \PYGZsh{} Also allow principals from the default realm. Omit this line - \PYGZsh{} to only allow access to principals in OTHER.REALM. - auth\PYGZus{}to\PYGZus{}local = DEFAULT - \PYGZcb{} -\end{Verbatim} - -The \textbf{auth\_to\_local\_names} subsection of the {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} section -for the default realm can specify explicit mappings from principal -names to local accounts. The key used in this subsection is the -principal name without realm, so it is only safe to use in a Kerberos -environment with a single realm or a tightly controlled set of realms. -An example use of \textbf{auth\_to\_local\_names} might be: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ATHENA.MIT.EDU = \PYGZob{} - auth\PYGZus{}to\PYGZus{}local\PYGZus{}names = \PYGZob{} - \PYGZsh{} Careful, these match principals in any realm! - host/example.com = hostaccount - fred = localfred - \PYGZcb{} - \PYGZcb{} -\end{Verbatim} - -Local authorization behavior can also be modified using plugin -modules; see \emph{hostrealm\_plugin} for details. - - -\section{Plugin module configuration} -\label{admin/host_config:plugin-config}\label{admin/host_config:plugin-module-configuration} -Many aspects of Kerberos behavior, such as client preauthentication -and KDC service location, can be modified through the use of plugin -modules. For most of these behaviors, you can use the {\hyperref[admin/conf_files/krb5_conf:plugins]{\emph{{[}plugins{]}}}} -section of krb5.conf to register third-party modules, and to switch -off registered or built-in modules. - -A plugin module takes the form of a Unix shared object -(\code{modname.so}) or Windows DLL (\code{modname.dll}). If you have -installed a third-party plugin module and want to register it, you do -so using the \textbf{module} relation in the appropriate subsection of the -{[}plugins{]} section. The value for \textbf{module} must give the module name -and the path to the module, separated by a colon. The module name -will often be the same as the shared object's name, but in unusual -cases (such as a shared object which implements multiple modules for -the same interface) it might not be. For example, to register a -client preauthentication module named \code{mypreauth} installed at -\code{/path/to/mypreauth.so}, you could write: - -\begin{Verbatim}[commandchars=\\\{\}] -[plugins] - clpreauth = \PYGZob{} - module = mypreauth:/path/to/mypreauth.so - \PYGZcb{} -\end{Verbatim} - -Many of the pluggable behaviors in MIT krb5 contain built-in modules -which can be switched off. You can disable a built-in module (or one -you have registered) using the \textbf{disable} directive in the -appropriate subsection of the {[}plugins{]} section. For example, to -disable the use of .k5identity files to select credential caches, you -could write: - -\begin{Verbatim}[commandchars=\\\{\}] -[plugins] - ccselect = \PYGZob{} - disable = k5identity - \PYGZcb{} -\end{Verbatim} - -If you want to disable multiple modules, specify the \textbf{disable} -directive multiple times, giving one module to disable each time. - -Alternatively, you can explicitly specify which modules you want to be -enabled for that behavior using the \textbf{enable\_only} directive. For -example, to make {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} check password quality using only a -module you have registered, and no other mechanism, you could write: - -\begin{Verbatim}[commandchars=\\\{\}] -[plugins] - pwqual = \PYGZob{} - module = mymodule:/path/to/mymodule.so - enable\PYGZus{}only = mymodule - \PYGZcb{} -\end{Verbatim} - -Again, if you want to specify multiple modules, specify the -\textbf{enable\_only} directive multiple times, giving one module to enable -each time. - -Some Kerberos interfaces use different mechanisms to register plugin -modules. - - -\subsection{KDC location modules} -\label{admin/host_config:kdc-location-modules} -For historical reasons, modules to control how KDC servers are located -are registered simply by placing the shared object or DLL into the -``libkrb5'' subdirectory of the krb5 plugin directory, which defaults to -{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins}. For example, Samba's winbind krb5 -locator plugin would be registered by placing its shared object in -{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins/libkrb5/winbind\_krb5\_locator.so}. - - -\subsection{GSSAPI mechanism modules} -\label{admin/host_config:gssapi-plugin-config}\label{admin/host_config:gssapi-mechanism-modules} -GSSAPI mechanism modules are registered using the file -\code{/etc/gss/mech} or configuration files in the \code{/etc/gss/mech.d/} -directory. Only files with a \code{.conf} suffix will be read from the -\code{/etc/gss/mech.d/} directory. Each line in these files has the -form: - -\begin{Verbatim}[commandchars=\\\{\}] -oid pathname [options] \PYGZlt{}type\PYGZgt{} -\end{Verbatim} - -Only the oid and pathname are required. \emph{oid} is the object -identifier of the GSSAPI mechanism to be registered. \emph{pathname} is a -path to the module shared object or DLL. \emph{options} (if present) are -options provided to the plugin module, surrounded in square brackets. -\emph{type} (if present) can be used to indicate a special type of module. -Currently the only special module type is ``interposer'', for a module -designed to intercept calls to other mechanisms. - - -\subsection{Configuration profile modules} -\label{admin/host_config:profile-plugin-config}\label{admin/host_config:configuration-profile-modules} -A configuration profile module replaces the information source for -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} itself. To use a profile module, begin krb5.conf -with the line: - -\begin{Verbatim}[commandchars=\\\{\}] -module PATHNAME:STRING -\end{Verbatim} - -where \emph{PATHNAME} is a path to the module shared object or DLL, and -\emph{STRING} is a string to provide to the module. The module will then -take over, and the rest of krb5.conf will be ignored. - - -\chapter{Backups of secure hosts} -\label{admin/backup_host:backups-of-secure-hosts}\label{admin/backup_host::doc} -When you back up a secure host, you should exclude the host's keytab -file from the backup. If someone obtained a copy of the keytab from a -backup, that person could make any host masquerade as the host whose -keytab was compromised. In many configurations, knowledge of the -host's keytab also allows root access to the host. This could be -particularly dangerous if the compromised keytab was from one of your -KDCs. If the machine has a disk crash and the keytab file is lost, it -is easy to generate another keytab file. (See {\hyperref[admin/appl_servers:add-princ-kt]{\emph{Adding principals to keytabs}}}.) -If you are unable to exclude particular files from backups, you should -ensure that the backups are kept as secure as the host's root -password. - - -\section{Backing up the Kerberos database} -\label{admin/backup_host:backing-up-the-kerberos-database} -As with any file, it is possible that your Kerberos database could -become corrupted. If this happens on one of the slave KDCs, you might -never notice, since the next automatic propagation of the database -would install a fresh copy. However, if it happens to the master KDC, -the corrupted database would be propagated to all of the slaves during -the next propagation. For this reason, MIT recommends that you back -up your Kerberos database regularly. Because the master KDC is -continuously dumping the database to a file in order to propagate it -to the slave KDCs, it is a simple matter to have a cron job -periodically copy the dump file to a secure machine elsewhere on your -network. (Of course, it is important to make the host where these -backups are stored as secure as your KDCs, and to encrypt its -transmission across your network.) Then if your database becomes -corrupted, you can load the most recent dump onto the master KDC. -(See {\hyperref[admin/database:restore-from-dump]{\emph{Restoring a Kerberos database from a dump file}}}.) - - -\chapter{PKINIT configuration} -\label{admin/pkinit:pkinit-configuration}\label{admin/pkinit:pkinit}\label{admin/pkinit::doc} -PKINIT is a preauthentication mechanism for Kerberos 5 which uses -X.509 certificates to authenticate the KDC to clients and vice versa. -PKINIT can also be used to enable anonymity support, allowing clients -to communicate securely with the KDC or with application servers -without authenticating as a particular client principal. - - -\section{Creating certificates} -\label{admin/pkinit:creating-certificates} -PKINIT requires an X.509 certificate for the KDC and one for each -client principal which will authenticate using PKINIT. For anonymous -PKINIT, a KDC certificate is required, but client certificates are -not. A commercially issued server certificate can be used for the KDC -certificate, but generally cannot be used for client certificates. - -The instruction in this section describe how to establish a -certificate authority and create standard PKINIT certificates. Skip -this section if you are using a commercially issued server certificate -as the KDC certificate for anonymous PKINIT, or if you are configuring -a client to use an Active Directory KDC. - - -\subsection{Generating a certificate authority certificate} -\label{admin/pkinit:generating-a-certificate-authority-certificate} -You can establish a new certificate authority (CA) for use with a -PKINIT deployment with the commands: - -\begin{Verbatim}[commandchars=\\\{\}] -openssl genrsa \PYGZhy{}out cakey.pem 2048 -openssl req \PYGZhy{}key cakey.pem \PYGZhy{}new \PYGZhy{}x509 \PYGZhy{}out cacert.pem \PYGZhy{}days 3650 -\end{Verbatim} - -The second command will ask for the values of several certificate -fields. These fields can be set to any values. You can adjust the -expiration time of the CA certificate by changing the number after -\code{-days}. Since the CA certificate must be deployed to client -machines each time it changes, it should normally have an expiration -time far in the future; however, expiration times after 2037 may cause -interoperability issues in rare circumstances. - -The result of these commands will be two files, cakey.pem and -cacert.pem. cakey.pem will contain a 2048-bit RSA private key, which -must be carefully protected. cacert.pem will contain the CA -certificate, which must be placed in the filesytems of the KDC and -each client host. cakey.pem will be required to create KDC and client -certificates. - - -\subsection{Generating a KDC certificate} -\label{admin/pkinit:generating-a-kdc-certificate} -A KDC certificate for use with PKINIT is required to have some unusual -fields, which makes generating them with OpenSSL somewhat complicated. -First, you will need a file containing the following: - -\begin{Verbatim}[commandchars=\\\{\}] -[kdc\PYGZus{}cert] -basicConstraints=CA:FALSE -keyUsage=nonRepudiation,digitalSignature,keyEncipherment,keyAgreement -extendedKeyUsage=1.3.6.1.5.2.3.5 -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -issuerAltName=issuer:copy -subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:kdc\PYGZus{}princ\PYGZus{}name - -[kdc\PYGZus{}princ\PYGZus{}name] -realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} -principal\PYGZus{}name=EXP:1,SEQUENCE:kdc\PYGZus{}principal\PYGZus{}seq - -[kdc\PYGZus{}principal\PYGZus{}seq] -name\PYGZus{}type=EXP:0,INTEGER:1 -name\PYGZus{}string=EXP:1,SEQUENCE:kdc\PYGZus{}principals - -[kdc\PYGZus{}principals] -princ1=GeneralString:krbtgt -princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} -\end{Verbatim} - -If the above contents are placed in extensions.kdc, you can generate -and sign a KDC certificate with the following commands: - -\begin{Verbatim}[commandchars=\\\{\}] -openssl genrsa \PYGZhy{}out kdckey.pem 2048 -openssl req \PYGZhy{}new \PYGZhy{}out kdc.req \PYGZhy{}key kdckey.pem -env REALM=YOUR\PYGZus{}REALMNAME openssl x509 \PYGZhy{}req \PYGZhy{}in kdc.req \PYGZbs{} - \PYGZhy{}CAkey cakey.pem \PYGZhy{}CA cacert.pem \PYGZhy{}out kdc.pem \PYGZhy{}days 365 \PYGZbs{} - \PYGZhy{}extfile extensions.kdc \PYGZhy{}extensions kdc\PYGZus{}cert \PYGZhy{}CAcreateserial -rm kdc.req -\end{Verbatim} - -The second command will ask for the values of certificate fields, -which can be set to any values. In the third command, substitute your -KDC's realm name for YOUR\_REALMNAME. You can adjust the certificate's -expiration date by changing the number after \code{-days}. Remember to -create a new KDC certificate before the old one expires. - -The result of this operation will be in two files, kdckey.pem and -kdc.pem. Both files must be placed in the KDC's filesystem. -kdckey.pem, which contains the KDC's private key, must be carefully -protected. - -If you examine the KDC certificate with \code{openssl x509 -in kdc.pem --text -noout}, OpenSSL will not know how to display the KDC principal -name in the Subject Alternative Name extension, so it will appear as -\code{othername:\textless{}unsupported\textgreater{}}. This is normal and does not mean -anything is wrong with the KDC certificate. - - -\subsection{Generating client certificates} -\label{admin/pkinit:generating-client-certificates} -PKINIT client certificates also must have some unusual certificate -fields. To generate a client certificate with OpenSSL for a -single-component principal name, you will need an extensions file -(different from the KDC extensions file above) containing: - -\begin{Verbatim}[commandchars=\\\{\}] -[client\PYGZus{}cert] -basicConstraints=CA:FALSE -keyUsage=digitalSignature,keyEncipherment,keyAgreement -extendedKeyUsage=1.3.6.1.5.2.3.4 -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid,issuer -issuerAltName=issuer:copy -subjectAltName=otherName:1.3.6.1.5.2.2;SEQUENCE:princ\PYGZus{}name - -[princ\PYGZus{}name] -realm=EXP:0,GeneralString:\PYGZdl{}\PYGZob{}ENV::REALM\PYGZcb{} -principal\PYGZus{}name=EXP:1,SEQUENCE:principal\PYGZus{}seq - -[principal\PYGZus{}seq] -name\PYGZus{}type=EXP:0,INTEGER:1 -name\PYGZus{}string=EXP:1,SEQUENCE:principals - -[principals] -princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT\PYGZcb{} -\end{Verbatim} - -If the above contents are placed in extensions.client, you can -generate and sign a client certificate with the following commands: - -\begin{Verbatim}[commandchars=\\\{\}] -openssl genrsa \PYGZhy{}out clientkey.pem 2048 -openssl req \PYGZhy{}new \PYGZhy{}key clientkey.pem \PYGZhy{}out client.req -env REALM=YOUR\PYGZus{}REALMNAME CLIENT=YOUR\PYGZus{}PRINCNAME openssl x509 \PYGZbs{} - \PYGZhy{}CAkey cakey.pem \PYGZhy{}CA cacert.pem \PYGZhy{}req \PYGZhy{}in client.req \PYGZbs{} - \PYGZhy{}extensions client\PYGZus{}cert \PYGZhy{}extfile extensions.client \PYGZbs{} - \PYGZhy{}days 365 \PYGZhy{}out client.pem -rm client.req -\end{Verbatim} - -Normally, the first two commands should be run on the client host, and -the resulting client.req file transferred to the certificate authority -host for the third command. As in the previous steps, the second -command will ask for the values of certificate fields, which can be -set to any values. In the third command, substitute your realm's name -for YOUR\_REALMNAME and the client's principal name (without realm) for -YOUR\_PRINCNAME. You can adjust the certificate's expiration date by -changing the number after \code{-days}. - -The result of this operation will be two files, clientkey.pem and -client.pem. Both files must be present on the client's host; -clientkey.pem, which contains the client's private key, must be -protected from access by others. - -As in the KDC certificate, OpenSSL will display the client principal -name as \code{othername:\textless{}unsupported\textgreater{}} in the Subject Alternative Name -extension of a PKINIT client certificate. - -If the client principal name contains more than one component -(e.g. \code{host/example.com@REALM}), the \code{{[}principals{]}} section of -\code{extensions.client} must be altered to contain multiple entries. -(Simply setting \code{CLIENT} to \code{host/example.com} would generate a -certificate for \code{host\textbackslash{}/example.com@REALM} which would not match the -multi-component principal name.) For a two-component principal, the -section should read: - -\begin{Verbatim}[commandchars=\\\{\}] -[principals] -princ1=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT1\PYGZcb{} -princ2=GeneralString:\PYGZdl{}\PYGZob{}ENV::CLIENT2\PYGZcb{} -\end{Verbatim} - -The environment variables \code{CLIENT1} and \code{CLIENT2} must then be set -to the first and second components when running \code{openssl x509}. - - -\section{Configuring the KDC} -\label{admin/pkinit:configuring-the-kdc} -The KDC must have filesystem access to the KDC certificate (kdc.pem) -and the KDC private key (kdckey.pem). Configure the following -relation in the KDC's {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file, either in the -{\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} section or in a {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection (with -appropriate pathnames): - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}identity = FILE:/var/lib/krb5kdc/kdc.pem,/var/lib/krb5kdc/kdckey.pem -\end{Verbatim} - -If any clients will authenticate using regular (as opposed to -anonymous) PKINIT, the KDC must also have filesystem access to the CA -certificate (cacert.pem), and the following configuration (with the -appropriate pathname): - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}anchors = FILE:/var/lib/krb5kdc/cacert.pem -\end{Verbatim} - -Because of the larger size of requests and responses using PKINIT, you -may also need to allow TCP access to the KDC: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{kdc\PYGZus{}tcp\PYGZus{}listen} \PYG{o}{=} \PYG{l+m+mi}{88} -\end{Verbatim} - -Restart the {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} daemon to pick up the configuration -changes. - -The principal entry for each PKINIT-using client must be configured to -require preauthentication. Ensure this with the command: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin \PYGZhy{}q \PYGZsq{}modprinc +requires\PYGZus{}preauth YOUR\PYGZus{}PRINCNAME\PYGZsq{} -\end{Verbatim} - -Starting with release 1.12, it is possible to remove the long-term -keys of a principal entry, which can save some space in the database -and help to clarify some PKINIT-related error conditions by not asking -for a password: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin \PYGZhy{}q \PYGZsq{}purgekeys \PYGZhy{}all YOUR\PYGZus{}PRINCNAME\PYGZsq{} -\end{Verbatim} - -These principal options can also be specified at principal creation -time as follows: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin \PYGZhy{}q \PYGZsq{}add\PYGZus{}principal +requires\PYGZus{}preauth \PYGZhy{}nokey YOUR\PYGZus{}PRINCNAME\PYGZsq{} -\end{Verbatim} - - -\section{Configuring the clients} -\label{admin/pkinit:configuring-the-clients} -Client hosts must be configured to trust the issuing authority for the -KDC certificate. For a newly established certificate authority, the -client host must have filesystem access to the CA certificate -(cacert.pem) and the following relation in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} in the -appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection (with appropriate pathnames): - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}anchors = FILE:/etc/krb5/cacert.pem -\end{Verbatim} - -If the KDC certificate is a commercially issued server certificate, -the issuing certificate is most likely included in a system directory. -You can specify it by filename as above, or specify the whole -directory like so: - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}anchors = DIR:/etc/ssl/certs -\end{Verbatim} - -A commercially issued server certificate will usually not have the -standard PKINIT principal name or Extended Key Usage extensions, so -the following additional configuration is required: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{pkinit\PYGZus{}eku\PYGZus{}checking} \PYG{o}{=} \PYG{n}{kpServerAuth} -\PYG{n}{pkinit\PYGZus{}kdc\PYGZus{}hostname} \PYG{o}{=} \PYG{n}{hostname}\PYG{o}{.}\PYG{n}{of}\PYG{o}{.}\PYG{n}{kdc}\PYG{o}{.}\PYG{n}{certificate} -\end{Verbatim} - -Multiple \textbf{pkinit\_kdc\_hostname} relations can be configured to -recognize multiple KDC certificates. If the KDC is an Active -Directory domain controller, setting \textbf{pkinit\_kdc\_hostname} is -necessary, but it should not be necessary to set -\textbf{pkinit\_eku\_checking}. - -To perform regular (as opposed to anonymous) PKINIT authentication, a -client host must have filesystem access to a client certificate -(client.pem), and the corresponding private key (clientkey.pem). -Configure the following relations in the client host's -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in the appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection -(with appropriate pathnames): - -\begin{Verbatim}[commandchars=\\\{\}] -pkinit\PYGZus{}identities = FILE:/etc/krb5/client.pem,/etc/krb5/clientkey.pem -\end{Verbatim} - -If the KDC and client are properly configured, it should now be -possible to run \code{kinit username} without entering a password. - - -\section{Anonymous PKINIT} -\label{admin/pkinit:anonymous-pkinit}\label{admin/pkinit:id1} -Anonymity support in Kerberos allows a client to obtain a ticket -without authenticating as any particular principal. Such a ticket can -be used as a FAST armor ticket, or to securely communicate with an -application server anonymously. - -To configure anonymity support, you must generate or otherwise procure -a KDC certificate and configure the KDC host, but you do not need to -generate any client certificates. On the KDC, you must set the -\textbf{pkinit\_identity} variable to provide the KDC certificate, but do -not need to set the \textbf{pkinit\_anchors} variable or store the issuing -certificate if you won't have any client certificates to verify. On -client hosts, you must set the \textbf{pkinit\_anchors} variable (and -possibly \textbf{pkinit\_kdc\_hostname} and \textbf{pkinit\_eku\_checking}) in order -to trust the issuing authority for the KDC certificate, but do not -need to set the \textbf{pkinit\_identities} variable. - -Anonymity support is not enabled by default. To enable it, you must -create the principal \code{WELLKNOWN/ANONYMOUS} using the command: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin \PYGZhy{}q \PYGZsq{}addprinc \PYGZhy{}randkey WELLKNOWN/ANONYMOUS\PYGZsq{} -\end{Verbatim} - -Some Kerberos deployments include application servers which lack -proper access control, and grant some level of access to any user who -can authenticate. In such an environment, enabling anonymity support -on the KDC would present a security issue. If you need to enable -anonymity support for TGTs (for use as FAST armor tickets) without -enabling anonymous authentication to application servers, you can set -the variable \textbf{restrict\_anonymous\_to\_tgt} to \code{true} in the -appropriate {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection of the KDC's -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. - -To obtain anonymous credentials on a client, run \code{kinit -n}, or -\code{kinit -n @REALMNAME} to specify a realm. The resulting tickets -will have the client name \code{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}. - - -\chapter{OTP Preauthentication} -\label{admin/otp::doc}\label{admin/otp:otp-preauthentication}\label{admin/otp:otp-preauth} -OTP is a preauthentication mechanism for Kerberos 5 which uses One -Time Passwords (OTP) to authenticate the client to the KDC. The OTP -is passed to the KDC over an encrypted FAST channel in clear-text. -The KDC uses the password along with per-user configuration to proxy -the request to a third-party RADIUS system. This enables -out-of-the-box compatibility with a large number of already widely -deployed proprietary systems. - -Additionally, our implementation of the OTP system allows for the -passing of RADIUS requests over a UNIX domain stream socket. This -permits the use of a local companion daemon which can handle the -details of authentication. - - -\section{Defining token types} -\label{admin/otp:defining-token-types} -Token types are defined in either {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} or -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} according to the following format: - -\begin{Verbatim}[commandchars=\\\{\}] -[otp] - \PYGZlt{}name\PYGZgt{} = \PYGZob{} - server = \PYGZlt{}host:port or filename\PYGZgt{} (default: see below) - secret = \PYGZlt{}filename\PYGZgt{} - timeout = \PYGZlt{}integer\PYGZgt{} (default: 5 [seconds]) - retries = \PYGZlt{}integer\PYGZgt{} (default: 3) - strip\PYGZus{}realm = \PYGZlt{}boolean\PYGZgt{} (default: true) - indicator = \PYGZlt{}string\PYGZgt{} (default: none) - \PYGZcb{} -\end{Verbatim} - -If the server field begins with `/', it will be interpreted as a UNIX -socket. Otherwise, it is assumed to be in the format host:port. When -a UNIX domain socket is specified, the secret field is optional and an -empty secret is used by default. If the server field is not -specified, it defaults to {\hyperref[mitK5defaults:paths]{\emph{RUNSTATEDIR}}}\code{/krb5kdc}\code{/\textless{}name\textgreater{}.socket}. - -When forwarding the request over RADIUS, by default the principal is -used in the User-Name attribute of the RADIUS packet. The strip\_realm -parameter controls whether the principal is forwarded with or without -the realm portion. - -If an indicator field is present, tickets issued using this token type -will be annotated with the specified authentication indicator (see -{\hyperref[admin/auth_indicator:auth-indicator]{\emph{Authentication indicators}}}). This key may be specified multiple times to -add multiple indicators. - - -\section{The default token type} -\label{admin/otp:the-default-token-type} -A default token type is used internally when no token type is specified for a -given user. It is defined as follows: - -\begin{Verbatim}[commandchars=\\\{\}] -[otp] - DEFAULT = \PYGZob{} - strip\PYGZus{}realm = false - \PYGZcb{} -\end{Verbatim} - -The administrator may override the internal \code{DEFAULT} token type -simply by defining a configuration with the same name. - - -\section{Token instance configuration} -\label{admin/otp:token-instance-configuration} -To enable OTP for a client principal, the administrator must define -the \textbf{otp} string attribute for that principal. (See -{\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}}.) The \textbf{otp} user string is a JSON string of the -format: - -\begin{Verbatim}[commandchars=\\\{\}] -[\PYGZob{} - \PYGZdq{}type\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, - \PYGZdq{}username\PYGZdq{}: \PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, - \PYGZdq{}indicators\PYGZdq{}: [\PYG{n+nt}{\PYGZlt{}string}\PYG{n+nt}{\PYGZgt{}}, ...] - \PYGZcb{}, ...] -\end{Verbatim} - -This is an array of token objects. Both fields of token objects are -optional. The \textbf{type} field names the token type of this token; if -not specified, it defaults to \code{DEFAULT}. The \textbf{username} field -specifies the value to be sent in the User-Name RADIUS attribute. If -not specified, the principal name is sent, with or without realm as -defined in the token type. The \textbf{indicators} field specifies a list -of authentication indicators to annotate tickets with, overriding any -indicators specified in the token type. - -For ease of configuration, an empty array (\code{{[}{]}}) is treated as -equivalent to one DEFAULT token (\code{{[}\{\}{]}}). - - -\section{Other considerations} -\label{admin/otp:other-considerations}\begin{enumerate} -\item {} -FAST is required for OTP to work. - -\end{enumerate} - - -\chapter{Principal names and DNS} -\label{admin/princ_dns:principal-names-and-dns}\label{admin/princ_dns::doc} -Kerberos clients can do DNS lookups to canonicalize service principal -names. This can cause difficulties when setting up Kerberos -application servers, especially when the client's name for the service -is different from what the service thinks its name is. - - -\section{Service principal names} -\label{admin/princ_dns:service-principal-names} -A frequently used kind of principal name is the host-based service -principal name. This kind of principal name has two components: a -service name and a hostname. For example, \code{imap/imap.example.com} -is the principal name of the ``imap'' service on the host -``imap.example.com''. Other possible service names for the first -component include ``host'' (remote login services such as ssh), ``HTTP'', -and ``nfs'' (Network File System). - -Service administrators often publish well-known hostname aliases that -they would prefer users to use instead of the canonical name of the -service host. This gives service administrators more flexibility in -deploying services. For example, a shell login server might be named -``long-vanity-hostname.example.com'', but users will naturally prefer to -type something like ``login.example.com''. Hostname aliases also allow -for administrators to set up load balancing for some sorts of services -based on rotating \code{CNAME} records in DNS. - - -\section{Service principal canonicalization} -\label{admin/princ_dns:service-principal-canonicalization} -MIT Kerberos clients currently always do forward resolution (looking -up the IPv4 and possibly IPv6 addresses using \code{getaddrinfo()}) of -the hostname part of a host-based service principal to canonicalize -the hostname. They obtain the ``canonical'' name of the host when doing -so. By default, MIT Kerberos clients will also then do reverse DNS -resolution (looking up the hostname associated with the IPv4 or IPv6 -address using \code{getnameinfo()}) of the hostname. Using the -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} setting: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - rdns = false -\end{Verbatim} - -will disable reverse DNS lookup on clients. The default setting is -``true''. - -Operating system bugs may prevent a setting of \code{rdns = false} from -disabling reverse DNS lookup. Some versions of GNU libc have a bug in -\code{getaddrinfo()} that cause them to look up \code{PTR} records even when -not required. MIT Kerberos releases krb5-1.10.2 and newer have a -workaround for this problem, as does the krb5-1.9.x series as of -release krb5-1.9.4. - - -\section{Reverse DNS mismatches} -\label{admin/princ_dns:reverse-dns-mismatches} -Sometimes, an enterprise will have control over its forward DNS but -not its reverse DNS. The reverse DNS is sometimes under the control -of the Internet service provider of the enterprise, and the enterprise -may not have much influence in setting up reverse DNS records for its -address space. If there are difficulties with getting forward and -reverse DNS to match, it is best to set \code{rdns = false} on client -machines. - - -\section{Overriding application behavior} -\label{admin/princ_dns:overriding-application-behavior} -Applications can choose to use a default hostname component in their -service principal name when accepting authentication, which avoids -some sorts of hostname mismatches. Because not all relevant -applications do this yet, using the {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} setting: - -\begin{Verbatim}[commandchars=\\\{\}] -[libdefaults] - ignore\PYGZus{}acceptor\PYGZus{}hostname = true -\end{Verbatim} - -will allow the Kerberos library to override the application's choice -of service principal hostname and will allow a server program to -accept incoming authentications using any key in its keytab that -matches the service name and realm name (if given). This setting -defaults to ``false'' and is available in releases krb5-1.10 and later. - - -\section{Provisioning keytabs} -\label{admin/princ_dns:provisioning-keytabs} -One service principal entry that should be in the keytab is a -principal whose hostname component is the canonical hostname that -\code{getaddrinfo()} reports for all known aliases for the host. If the -reverse DNS information does not match this canonical hostname, an -additional service principal entry should be in the keytab for this -different hostname. - - -\section{Specific application advice} -\label{admin/princ_dns:specific-application-advice} - -\subsection{Secure shell (ssh)} -\label{admin/princ_dns:secure-shell-ssh} -Setting \code{GSSAPIStrictAcceptorCheck = no} in the configuration file -of modern versions of the openssh daemon will allow the daemon to try -any key in its keytab when accepting a connection, rather than looking -for the keytab entry that matches the host's own idea of its name -(typically the name that \code{gethostname()} returns). This requires -krb5-1.10 or later. - - -\chapter{Encryption types} -\label{admin/enctypes:enctypes}\label{admin/enctypes::doc}\label{admin/enctypes:encryption-types} -Kerberos can use a variety of cipher algorithms to protect data. A -Kerberos \textbf{encryption type} (also known as an \textbf{enctype}) is a -specific combination of a cipher algorithm with an integrity algorithm -to provide both confidentiality and integrity to data. - - -\section{Enctypes in requests} -\label{admin/enctypes:enctypes-in-requests} -Clients make two types of requests (KDC-REQ) to the KDC: AS-REQs and -TGS-REQs. The client uses the AS-REQ to obtain initial tickets -(typically a Ticket-Granting Ticket (TGT)), and uses the TGS-REQ to -obtain service tickets. - -The KDC uses three different keys when issuing a ticket to a client: -\begin{itemize} -\item {} -The long-term key of the service: the KDC uses this to encrypt the -actual service ticket. The KDC only uses the first long-term key in -the most recent kvno for this purpose. - -\item {} -The session key: the KDC randomly chooses this key and places one -copy inside the ticket and the other copy inside the encrypted part -of the reply. - -\item {} -The reply-encrypting key: the KDC uses this to encrypt the reply it -sends to the client. For AS replies, this is a long-term key of the -client principal. For TGS replies, this is either the session key of the -authenticating ticket, or a subsession key. - -\end{itemize} - -Each of these keys is of a specific enctype. - -Each request type allows the client to submit a list of enctypes that -it is willing to accept. For the AS-REQ, this list affects both the -session key selection and the reply-encrypting key selection. For the -TGS-REQ, this list only affects the session key selection. - - -\section{Session key selection} -\label{admin/enctypes:session-key-selection}\label{admin/enctypes:id1} -The KDC chooses the session key enctype by taking the intersection of -its \textbf{permitted\_enctypes} list, the list of long-term keys for the -most recent kvno of the service, and the client's requested list of -enctypes. If \textbf{allow\_weak\_crypto} is true, all services are assumed -to support des-cbc-crc. - -Starting in krb5-1.11, \textbf{des\_crc\_session\_supported} in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} allows additional control over whether the KDC -issues des-cbc-crc session keys. - -Also starting in krb5-1.11, it is possible to set a string attribute -on a service principal to control what session key enctypes the KDC -may issue for service tickets for that principal. See -{\hyperref[admin/admin_commands/kadmin_local:set-string]{\emph{set\_string}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for details. - - -\section{Choosing enctypes for a service} -\label{admin/enctypes:choosing-enctypes-for-a-service} -Generally, a service should have a key of the strongest -enctype that both it and the KDC support. If the KDC is running a -release earlier than krb5-1.11, it is also useful to generate an -additional key for each enctype that the service can support. The KDC -will only use the first key in the list of long-term keys for encrypting -the service ticket, but the additional long-term keys indicate the -other enctypes that the service supports. - -As noted above, starting with release krb5-1.11, there are additional -configuration settings that control session key enctype selection -independently of the set of long-term keys that the KDC has stored for -a service principal. - - -\section{Configuration variables} -\label{admin/enctypes:configuration-variables} -The following \code{{[}libdefaults{]}} settings in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} will -affect how enctypes are chosen. -\begin{description} -\item[{\textbf{allow\_weak\_crypto}}] \leavevmode -defaults to \emph{false} starting with krb5-1.8. When \emph{false}, removes -single-DES enctypes (and other weak enctypes) from -\textbf{permitted\_enctypes}, \textbf{default\_tkt\_enctypes}, and -\textbf{default\_tgs\_enctypes}. Do not set this to \emph{true} unless the -use of weak enctypes is an acceptable risk for your environment -and the weak enctypes are required for backward compatibility. - -\item[{\textbf{permitted\_enctypes}}] \leavevmode -controls the set of enctypes that a service will accept as session -keys. - -\item[{\textbf{default\_tkt\_enctypes}}] \leavevmode -controls the default set of enctypes that the Kerberos client -library requests when making an AS-REQ. Do not set this unless -required for specific backward compatibility purposes; stale -values of this setting can prevent clients from taking advantage -of new stronger enctypes when the libraries are upgraded. - -\item[{\textbf{default\_tgs\_enctypes}}] \leavevmode -controls the default set of enctypes that the Kerberos client -library requests when making a TGS-REQ. Do not set this unless -required for specific backward compatibility purposes; stale -values of this setting can prevent clients from taking advantage -of new stronger enctypes when the libraries are upgraded. - -\end{description} - -The following per-realm setting in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} affects the -generation of long-term keys. -\begin{description} -\item[{\textbf{supported\_enctypes}}] \leavevmode -controls the default set of enctype-salttype pairs that {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} -will use for generating long-term keys, either randomly or from -passwords - -\end{description} - - -\section{Enctype compatibility} -\label{admin/enctypes:enctype-compatibility} -See {\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} for additional information about enctypes. - -\begin{tabulary}{\linewidth}{|L|L|L|L|} -\hline -\textsf{\relax -enctype -} & \textsf{\relax -weak? -} & \textsf{\relax -krb5 -} & \textsf{\relax -Windows -}\\ -\hline -des-cbc-crc - & -weak - & -all - & -\textgreater{}=2000 -\\ -\hline -des-cbc-md4 - & -weak - & -all - & -? -\\ -\hline -des-cbc-md5 - & -weak - & -all - & -\textgreater{}=2000 -\\ -\hline -des3-cbc-sha1 - & & -\textgreater{}=1.1 - & -none -\\ -\hline -arcfour-hmac - & & -\textgreater{}=1.3 - & -\textgreater{}=2000 -\\ -\hline -arcfour-hmac-exp - & -weak - & -\textgreater{}=1.3 - & -\textgreater{}=2000 -\\ -\hline -aes128-cts-hmac-sha1-96 - & & -\textgreater{}=1.3 - & -\textgreater{}=Vista -\\ -\hline -aes256-cts-hmac-sha1-96 - & & -\textgreater{}=1.3 - & -\textgreater{}=Vista -\\ -\hline -aes128-cts-hmac-sha256-128 - & & -\textgreater{}=1.15 - & -none -\\ -\hline -aes256-cts-hmac-sha384-192 - & & -\textgreater{}=1.15 - & -none -\\ -\hline -camellia128-cts-cmac - & & -\textgreater{}=1.9 - & -none -\\ -\hline -camellia256-cts-cmac - & & -\textgreater{}=1.9 - & -none -\\ -\hline\end{tabulary} - - -krb5 releases 1.8 and later disable the single-DES enctypes by -default. Microsoft Windows releases Windows 7 and later disable -single-DES enctypes by default. - - -\chapter{HTTPS proxy configuration} -\label{admin/https:https-proxy-configuration}\label{admin/https::doc}\label{admin/https:https} -In addition to being able to use UDP or TCP to communicate directly -with a KDC as is outlined in RFC4120, and with kpasswd services in a -similar fashion, the client libraries can attempt to use an HTTPS -proxy server to communicate with a KDC or kpasswd service, using the -protocol outlined in {[}MS-KKDCP{]}. - -Communicating with a KDC through an HTTPS proxy allows clients to -contact servers when network firewalls might otherwise prevent them -from doing so. The use of TLS also encrypts all traffic between the -clients and the KDC, preventing observers from conducting password -dictionary attacks or from observing the client and server principals -being authenticated, at additional computational cost to both clients -and servers. - -An HTTPS proxy server is provided as a feature in some versions of -Microsoft Windows Server, and a WSGI implementation named \emph{kdcproxy} -is available in the python package index. - - -\section{Configuring the clients} -\label{admin/https:configuring-the-clients} -To use an HTTPS proxy, a client host must trust the CA which issued -that proxy's SSL certificate. If that CA's certificate is not in the -system-wide default set of trusted certificates, configure the -following relation in the client host's {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in -the appropriate {\hyperref[admin/conf_files/krb5_conf:realms]{\emph{{[}realms{]}}}} subsection: - -\begin{Verbatim}[commandchars=\\\{\}] -http\PYGZus{}anchors = FILE:/etc/krb5/cacert.pem -\end{Verbatim} - -Adjust the pathname to match the path of the file which contains a -copy of the CA's certificate. The \emph{http\_anchors} option is documented -more fully in {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. - -Configure the client to access the KDC and kpasswd service by -specifying their locations in its {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} file in the form -of HTTPS URLs for the proxy server: - -\begin{Verbatim}[commandchars=\\\{\}] -kdc = https://server.fqdn/KdcProxy -kpasswd\PYGZus{}server = https://server.fqdn/KdcProxy -\end{Verbatim} - -If the proxy and client are properly configured, client commands such -as \code{kinit}, \code{kvno}, and \code{kpasswd} should all function normally. - - -\chapter{Authentication indicators} -\label{admin/auth_indicator:auth-indicator}\label{admin/auth_indicator:authentication-indicators}\label{admin/auth_indicator::doc} -As of release 1.14, the KDC can be configured to annotate tickets if -the client authenticated using a stronger preauthentication mechanism -such as {\hyperref[admin/pkinit:pkinit]{\emph{PKINIT}}} or {\hyperref[admin/otp:otp-preauth]{\emph{OTP}}}. These -annotations are called ``authentication indicators.'' Service -principals can be configured to require particular authentication -indicators in order to authenticate to that service. An -authentication indicator value can be any string chosen by the KDC -administrator; there are no pre-set values. - -To use authentication indicators with PKINIT or OTP, first configure -the KDC to include an indicator when that preauthentication mechanism -is used. For PKINIT, use the \textbf{pkinit\_indicator} variable in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. For OTP, use the \textbf{indicator} variable in the -token type definition, or specify the indicators in the \textbf{otp} user -string as described in {\hyperref[admin/otp:otp-preauth]{\emph{OTP Preauthentication}}}. - -To require an indicator to be present in order to authenticate to a -service principal, set the \textbf{require\_auth} string attribute on the -principal to the indicator value to be required. If you wish to allow -one of several indicators to be accepted, you can specify multiple -indicator values separated by spaces. - -For example, a realm could be configured to set the authentication -indicator value ``strong'' when PKINIT is used to authenticate, using a -setting in the {\hyperref[admin/conf_files/kdc_conf:kdc-realms]{\emph{{[}realms{]}}}} subsection: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{pkinit\PYGZus{}indicator} \PYG{o}{=} \PYG{n}{strong} -\end{Verbatim} - -A service principal could be configured to require the ``strong'' -authentication indicator value: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kadmin setstr host/high.value.server require\PYGZus{}auth strong -Password for user/admin@KRBTEST.COM: -\end{Verbatim} - -A user who authenticates with PKINIT would be able to obtain a ticket -for the service principal: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kinit \PYGZhy{}X X509\PYGZus{}user\PYGZus{}identity=FILE:/my/cert.pem,/my/key.pem user -\PYGZdl{} kvno host/high.value.server -host/high.value.server@KRBTEST.COM: kvno = 1 -\end{Verbatim} - -but a user who authenticates with a password would not: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kinit user -Password for user@KRBTEST.COM: -\PYGZdl{} kvno host/high.value.server -kvno: KDC policy rejects request while getting credentials for - host/high.value.server@KRBTEST.COM -\end{Verbatim} - -GSSAPI server applications can inspect authentication indicators -through the \emph{auth-indicators} name -attribute. - - -\chapter{Administration programs} -\label{admin/admin_commands/index:administration-programs}\label{admin/admin_commands/index::doc} - -\section{kadmin} -\label{admin/admin_commands/kadmin_local::doc}\label{admin/admin_commands/kadmin_local:kadmin}\label{admin/admin_commands/kadmin_local:kadmin-1} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kadmin_local:synopsis}\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-synopsis} -\textbf{kadmin} -{[}\textbf{-O}\textbar{}\textbf{-N}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-p} \emph{principal}{]} -{[}\textbf{-q} \emph{query}{]} -{[}{[}\textbf{-c} \emph{cache\_name}{]}\textbar{}{[}\textbf{-k} {[}\textbf{-t} \emph{keytab}{]}{]}\textbar{}\textbf{-n}{]} -{[}\textbf{-w} \emph{password}{]} -{[}\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}{]} -{[}command args...{]} - -\textbf{kadmin.local} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-p} \emph{principal}{]} -{[}\textbf{-q} \emph{query}{]} -{[}\textbf{-d} \emph{dbname}{]} -{[}\textbf{-e} \emph{enc}:\emph{salt} ...{]} -{[}\textbf{-m}{]} -{[}\textbf{-x} \emph{db\_args}{]} -{[}command args...{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kadmin_local:kadmin-synopsis-end}\label{admin/admin_commands/kadmin_local:description} -kadmin and kadmin.local are command-line interfaces to the Kerberos V5 -administration system. They provide nearly identical functionalities; -the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}}. -Except as explicitly noted otherwise, this man page will use ``kadmin'' -to refer to both versions. kadmin provides for the maintenance of -Kerberos principals, password policies, and service key tables -(keytabs). - -The remote kadmin client uses Kerberos to authenticate to kadmind -using the service principal \code{kadmin/ADMINHOST} (where \emph{ADMINHOST} is -the fully-qualified hostname of the admin server) or \code{kadmin/admin}. -If the credentials cache contains a ticket for one of these -principals, and the \textbf{-c} credentials\_cache option is specified, that -ticket is used to authenticate to kadmind. Otherwise, the \textbf{-p} and -\textbf{-k} options are used to specify the client Kerberos principal name -used to authenticate. Once kadmin has determined the principal name, -it requests a service ticket from the KDC, and uses that service -ticket to authenticate to kadmind. - -Since kadmin.local directly accesses the KDC database, it usually must -be run directly on the master KDC with sufficient permissions to read -the KDC database. If the KDC database uses the LDAP database module, -kadmin.local can be run on any host which can access the LDAP server. - - -\subsection{OPTIONS} -\label{admin/admin_commands/kadmin_local:options}\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-options}\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Use \emph{realm} as the default database realm. - -\item[{\textbf{-p} \emph{principal}}] \leavevmode -Use \emph{principal} to authenticate. Otherwise, kadmin will append -\code{/admin} to the primary principal name of the default ccache, -the value of the \textbf{USER} environment variable, or the username as -obtained with getpwuid, in order of preference. - -\item[{\textbf{-k}}] \leavevmode -Use a keytab to decrypt the KDC response instead of prompting for -a password. In this case, the default principal will be -\code{host/hostname}. If there is no keytab specified with the -\textbf{-t} option, then the default keytab will be used. - -\item[{\textbf{-t} \emph{keytab}}] \leavevmode -Use \emph{keytab} to decrypt the KDC response. This can only be used -with the \textbf{-k} option. - -\item[{\textbf{-n}}] \leavevmode -Requests anonymous processing. Two types of anonymous principals -are supported. For fully anonymous Kerberos, configure PKINIT on -the KDC and configure \textbf{pkinit\_anchors} in the client's -{\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. Then use the \textbf{-n} option with a principal -of the form \code{@REALM} (an empty principal name followed by the -at-sign and a realm name). If permitted by the KDC, an anonymous -ticket will be returned. A second form of anonymous tickets is -supported; these realm-exposed tickets hide the identity of the -client but not the client's realm. For this mode, use \code{kinit --n} with a normal principal name. If supported by the KDC, the -principal (but not realm) will be replaced by the anonymous -principal. As of release 1.8, the MIT Kerberos KDC only supports -fully anonymous operation. - -\item[{\textbf{-c} \emph{credentials\_cache}}] \leavevmode -Use \emph{credentials\_cache} as the credentials cache. The -cache should contain a service ticket for the \code{kadmin/ADMINHOST} -(where \emph{ADMINHOST} is the fully-qualified hostname of the admin -server) or \code{kadmin/admin} service; it can be acquired with the -\emph{kinit(1)} program. If this option is not specified, kadmin -requests a new service ticket from the KDC, and stores it in its -own temporary ccache. - -\item[{\textbf{-w} \emph{password}}] \leavevmode -Use \emph{password} instead of prompting for one. Use this option with -care, as it may expose the password to other users on the system -via the process list. - -\item[{\textbf{-q} \emph{query}}] \leavevmode -Perform the specified query and then exit. - -\item[{\textbf{-d} \emph{dbname}}] \leavevmode -Specifies the name of the KDC database. This option does not -apply to the LDAP database module. - -\item[{\textbf{-s} \emph{admin\_server}{[}:\emph{port}{]}}] \leavevmode -Specifies the admin server which kadmin should contact. - -\item[{\textbf{-m}}] \leavevmode -If using kadmin.local, prompt for the database master password -instead of reading it from a stash file. - -\item[{\textbf{-e} ``\emph{enc}:\emph{salt} ...''}] \leavevmode -Sets the keysalt list to be used for any new keys created. See -{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible -values. - -\item[{\textbf{-O}}] \leavevmode -Force use of old AUTH\_GSSAPI authentication flavor. - -\item[{\textbf{-N}}] \leavevmode -Prevent fallback to AUTH\_GSSAPI authentication flavor. - -\item[{\textbf{-x} \emph{db\_args}}] \leavevmode -Specifies the database specific arguments. See the next section -for supported options. - -\end{description} -\phantomsection\label{admin/admin_commands/kadmin_local:kadmin-options-end} -Starting with release 1.14, if any command-line arguments remain after -the options, they will be treated as a single query to be executed. -This mode of operation is intended for scripts and behaves differently -from the interactive mode in several respects: -\begin{itemize} -\item {} -Query arguments are split by the shell, not by kadmin. - -\item {} -Informational and warning messages are suppressed. Error messages -and query output (e.g. for \textbf{get\_principal}) will still be -displayed. - -\item {} -Confirmation prompts are disabled (as if \textbf{-force} was given). -Password prompts will still be issued as required. - -\item {} -The exit status will be non-zero if the query fails. - -\end{itemize} - -The \textbf{-q} option does not carry these behavior differences; the query -will be processed as if it was entered interactively. The \textbf{-q} -option cannot be used in combination with a query in the remaining -arguments. - - -\subsection{DATABASE OPTIONS} -\label{admin/admin_commands/kadmin_local:database-options}\label{admin/admin_commands/kadmin_local:dboptions} -Database options can be used to override database-specific defaults. -Supported options for the DB2 module are: -\begin{quote} -\begin{description} -\item[{\textbf{-x dbname=}*filename*}] \leavevmode -Specifies the base filename of the DB2 database. - -\item[{\textbf{-x lockiter}}] \leavevmode -Make iteration operations hold the lock for the duration of -the entire operation, rather than temporarily releasing the -lock while handling each principal. This is the default -behavior, but this option exists to allow command line -override of a {[}dbmodules{]} setting. First introduced in -release 1.13. - -\item[{\textbf{-x unlockiter}}] \leavevmode -Make iteration operations unlock the database for each -principal, instead of holding the lock for the duration of the -entire operation. First introduced in release 1.13. - -\end{description} -\end{quote} - -Supported options for the LDAP module are: -\begin{quote} -\begin{description} -\item[{\textbf{-x host=}\emph{ldapuri}}] \leavevmode -Specifies the LDAP server to connect to by a LDAP URI. - -\item[{\textbf{-x binddn=}\emph{bind\_dn}}] \leavevmode -Specifies the DN used to bind to the LDAP server. - -\item[{\textbf{-x bindpwd=}\emph{password}}] \leavevmode -Specifies the password or SASL secret used to bind to the LDAP -server. Using this option may expose the password to other -users on the system via the process list; to avoid this, -instead stash the password using the \textbf{stashsrvpw} command of -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}}. - -\item[{\textbf{-x sasl\_mech=}\emph{mechanism}}] \leavevmode -Specifies the SASL mechanism used to bind to the LDAP server. -The bind DN is ignored if a SASL mechanism is used. New in -release 1.13. - -\item[{\textbf{-x sasl\_authcid=}\emph{name}}] \leavevmode -Specifies the authentication name used when binding to the -LDAP server with a SASL mechanism, if the mechanism requires -one. New in release 1.13. - -\item[{\textbf{-x sasl\_authzid=}\emph{name}}] \leavevmode -Specifies the authorization name used when binding to the LDAP -server with a SASL mechanism. New in release 1.13. - -\item[{\textbf{-x sasl\_realm=}\emph{realm}}] \leavevmode -Specifies the realm used when binding to the LDAP server with -a SASL mechanism, if the mechanism uses one. New in release -1.13. - -\item[{\textbf{-x debug=}\emph{level}}] \leavevmode -sets the OpenLDAP client library debug level. \emph{level} is an -integer to be interpreted by the library. Debugging messages -are printed to standard error. New in release 1.12. - -\end{description} -\end{quote} - - -\subsection{COMMANDS} -\label{admin/admin_commands/kadmin_local:commands} -When using the remote client, available commands may be restricted -according to the privileges specified in the {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} file -on the admin server. - - -\subsubsection{add\_principal} -\label{admin/admin_commands/kadmin_local:add-principal}\label{admin/admin_commands/kadmin_local:id1}\begin{quote} - -\textbf{add\_principal} {[}\emph{options}{]} \emph{newprinc} -\end{quote} - -Creates the principal \emph{newprinc}, prompting twice for a password. If -no password policy is specified with the \textbf{-policy} option, and the -policy named \code{default} is assigned to the principal if it exists. -However, creating a policy named \code{default} will not automatically -assign this policy to previously existing principals. This policy -assignment can be suppressed with the \textbf{-clearpolicy} option. - -This command requires the \textbf{add} privilege. - -Aliases: \textbf{addprinc}, \textbf{ank} - -Options: -\begin{description} -\item[{\textbf{-expire} \emph{expdate}}] \leavevmode -(\emph{getdate} string) The expiration date of the principal. - -\item[{\textbf{-pwexpire} \emph{pwexpdate}}] \leavevmode -(\emph{getdate} string) The password expiration date. - -\item[{\textbf{-maxlife} \emph{maxlife}}] \leavevmode -(\emph{duration} or \emph{getdate} string) The maximum ticket life -for the principal. - -\item[{\textbf{-maxrenewlife} \emph{maxrenewlife}}] \leavevmode -(\emph{duration} or \emph{getdate} string) The maximum renewable -life of tickets for the principal. - -\item[{\textbf{-kvno} \emph{kvno}}] \leavevmode -The initial key version number. - -\item[{\textbf{-policy} \emph{policy}}] \leavevmode -The password policy used by this principal. If not specified, the -policy \code{default} is used if it exists (unless \textbf{-clearpolicy} -is specified). - -\item[{\textbf{-clearpolicy}}] \leavevmode -Prevents any policy from being assigned when \textbf{-policy} is not -specified. - -\item[{\{-\textbar{}+\}\textbf{allow\_postdated}}] \leavevmode -\textbf{-allow\_postdated} prohibits this principal from obtaining -postdated tickets. \textbf{+allow\_postdated} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_forwardable}}] \leavevmode -\textbf{-allow\_forwardable} prohibits this principal from obtaining -forwardable tickets. \textbf{+allow\_forwardable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_renewable}}] \leavevmode -\textbf{-allow\_renewable} prohibits this principal from obtaining -renewable tickets. \textbf{+allow\_renewable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_proxiable}}] \leavevmode -\textbf{-allow\_proxiable} prohibits this principal from obtaining -proxiable tickets. \textbf{+allow\_proxiable} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_dup\_skey}}] \leavevmode -\textbf{-allow\_dup\_skey} disables user-to-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. \textbf{+allow\_dup\_skey} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{requires\_preauth}}] \leavevmode -\textbf{+requires\_preauth} requires this principal to preauthenticate -before being allowed to kinit. \textbf{-requires\_preauth} clears this -flag. When \textbf{+requires\_preauth} is set on a service principal, -the KDC will only issue service tickets for that service principal -if the client's initial authentication was performed using -preauthentication. - -\item[{\{-\textbar{}+\}\textbf{requires\_hwauth}}] \leavevmode -\textbf{+requires\_hwauth} requires this principal to preauthenticate -using a hardware device before being allowed to kinit. -\textbf{-requires\_hwauth} clears this flag. When \textbf{+requires\_hwauth} is -set on a service principal, the KDC will only issue service tickets -for that service principal if the client's initial authentication was -performed using a hardware device to preauthenticate. - -\item[{\{-\textbar{}+\}\textbf{ok\_as\_delegate}}] \leavevmode -\textbf{+ok\_as\_delegate} sets the \textbf{okay as delegate} flag on tickets -issued with this principal as the service. Clients may use this -flag as a hint that credentials should be delegated when -authenticating to the service. \textbf{-ok\_as\_delegate} clears this -flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_svr}}] \leavevmode -\textbf{-allow\_svr} prohibits the issuance of service tickets for this -principal. \textbf{+allow\_svr} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_tgs\_req}}] \leavevmode -\textbf{-allow\_tgs\_req} specifies that a Ticket-Granting Service (TGS) -request for a service ticket for this principal is not permitted. -\textbf{+allow\_tgs\_req} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{allow\_tix}}] \leavevmode -\textbf{-allow\_tix} forbids the issuance of any tickets for this -principal. \textbf{+allow\_tix} clears this flag. - -\item[{\{-\textbar{}+\}\textbf{needchange}}] \leavevmode -\textbf{+needchange} forces a password change on the next initial -authentication to this principal. \textbf{-needchange} clears this -flag. - -\item[{\{-\textbar{}+\}\textbf{password\_changing\_service}}] \leavevmode -\textbf{+password\_changing\_service} marks this principal as a password -change service principal. - -\item[{\{-\textbar{}+\}\textbf{ok\_to\_auth\_as\_delegate}}] \leavevmode -\textbf{+ok\_to\_auth\_as\_delegate} allows this principal to acquire -forwardable tickets to itself from arbitrary users, for use with -constrained delegation. - -\item[{\{-\textbar{}+\}\textbf{no\_auth\_data\_required}}] \leavevmode -\textbf{+no\_auth\_data\_required} prevents PAC or AD-SIGNEDPATH data from -being added to service tickets for the principal. - -\item[{\{-\textbar{}+\}\textbf{lockdown\_keys}}] \leavevmode -\textbf{+lockdown\_keys} prevents keys for this principal from leaving -the KDC via kadmind. The chpass and extract operations are denied -for a principal with this attribute. The chrand operation is -allowed, but will not return the new keys. The delete and rename -operations are also denied if this attribute is set, in order to -prevent a malicious administrator from replacing principals like -krbtgt/* or kadmin/* with new principals without the attribute. -This attribute can be set via the network protocol, but can only -be removed using kadmin.local. - -\item[{\textbf{-randkey}}] \leavevmode -Sets the key of the principal to a random value. - -\item[{\textbf{-nokey}}] \leavevmode -Causes the principal to be created with no key. New in release -1.12. - -\item[{\textbf{-pw} \emph{password}}] \leavevmode -Sets the password of the principal to the specified string and -does not prompt for a password. Note: using this option in a -shell script may expose the password to other users on the system -via the process list. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-x} \emph{db\_princ\_args}}] \leavevmode -Indicates database-specific options. The options for the LDAP -database module are: -\begin{description} -\item[{\textbf{-x dn=}\emph{dn}}] \leavevmode -Specifies the LDAP object that will contain the Kerberos -principal being created. - -\item[{\textbf{-x linkdn=}\emph{dn}}] \leavevmode -Specifies the LDAP object to which the newly created Kerberos -principal object will point. - -\item[{\textbf{-x containerdn=}\emph{container\_dn}}] \leavevmode -Specifies the container object under which the Kerberos -principal is to be created. - -\item[{\textbf{-x tktpolicy=}\emph{policy}}] \leavevmode -Associates a ticket policy to the Kerberos principal. - -\end{description} - -\begin{notice}{note}{Note:}\begin{itemize} -\item {} -The \textbf{containerdn} and \textbf{linkdn} options cannot be -specified with the \textbf{dn} option. - -\item {} -If the \emph{dn} or \emph{containerdn} options are not specified while -adding the principal, the principals are created under the -principal container configured in the realm or the realm -container. - -\item {} -\emph{dn} and \emph{containerdn} should be within the subtrees or -principal container configured in the realm. - -\end{itemize} -\end{notice} - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: addprinc jennifer -WARNING: no policy specified for \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{}; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: -Re\PYGZhy{}enter password for principal jennifer@ATHENA.MIT.EDU: -Principal \PYGZdq{}jennifer@ATHENA.MIT.EDU\PYGZdq{} created. -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:add-principal-end} - -\subsubsection{modify\_principal} -\label{admin/admin_commands/kadmin_local:add-principal-end}\label{admin/admin_commands/kadmin_local:id2}\label{admin/admin_commands/kadmin_local:modify-principal}\begin{quote} - -\textbf{modify\_principal} {[}\emph{options}{]} \emph{principal} -\end{quote} - -Modifies the specified principal, changing the fields as specified. -The options to \textbf{add\_principal} also apply to this command, except -for the \textbf{-randkey}, \textbf{-pw}, and \textbf{-e} options. In addition, the -option \textbf{-clearpolicy} will clear the current policy of a principal. - -This command requires the \emph{modify} privilege. - -Alias: \textbf{modprinc} - -Options (in addition to the \textbf{addprinc} options): -\begin{description} -\item[{\textbf{-unlock}}] \leavevmode -Unlocks a locked principal (one which has received too many failed -authentication attempts without enough time between them according -to its password policy) so that it can successfully authenticate. - -\end{description} -\phantomsection\label{admin/admin_commands/kadmin_local:modify-principal-end} - -\subsubsection{rename\_principal} -\label{admin/admin_commands/kadmin_local:modify-principal-end}\label{admin/admin_commands/kadmin_local:rename-principal}\label{admin/admin_commands/kadmin_local:id3}\begin{quote} - -\textbf{rename\_principal} {[}\textbf{-force}{]} \emph{old\_principal} \emph{new\_principal} -\end{quote} - -Renames the specified \emph{old\_principal} to \emph{new\_principal}. This -command prompts for confirmation, unless the \textbf{-force} option is -given. - -This command requires the \textbf{add} and \textbf{delete} privileges. - -Alias: \textbf{renprinc} -\phantomsection\label{admin/admin_commands/kadmin_local:rename-principal-end} - -\subsubsection{delete\_principal} -\label{admin/admin_commands/kadmin_local:id4}\label{admin/admin_commands/kadmin_local:delete-principal}\label{admin/admin_commands/kadmin_local:rename-principal-end}\begin{quote} - -\textbf{delete\_principal} {[}\textbf{-force}{]} \emph{principal} -\end{quote} - -Deletes the specified \emph{principal} from the database. This command -prompts for deletion, unless the \textbf{-force} option is given. - -This command requires the \textbf{delete} privilege. - -Alias: \textbf{delprinc} -\phantomsection\label{admin/admin_commands/kadmin_local:delete-principal-end} - -\subsubsection{change\_password} -\label{admin/admin_commands/kadmin_local:id5}\label{admin/admin_commands/kadmin_local:delete-principal-end}\label{admin/admin_commands/kadmin_local:change-password}\begin{quote} - -\textbf{change\_password} {[}\emph{options}{]} \emph{principal} -\end{quote} - -Changes the password of \emph{principal}. Prompts for a new password if -neither \textbf{-randkey} or \textbf{-pw} is specified. - -This command requires the \textbf{changepw} privilege, or that the -principal running the program is the same as the principal being -changed. - -Alias: \textbf{cpw} - -The following options are available: -\begin{description} -\item[{\textbf{-randkey}}] \leavevmode -Sets the key of the principal to a random value. - -\item[{\textbf{-pw} \emph{password}}] \leavevmode -Set the password to the specified string. Using this option in a -script may expose the password to other users on the system via -the process list. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-keepold}}] \leavevmode -Keeps the existing keys in the database. This flag is usually not -necessary except perhaps for \code{krbtgt} principals. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re\PYGZhy{}enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:change-password-end} - -\subsubsection{purgekeys} -\label{admin/admin_commands/kadmin_local:id6}\label{admin/admin_commands/kadmin_local:change-password-end}\label{admin/admin_commands/kadmin_local:purgekeys}\begin{quote} - -\textbf{purgekeys} {[}\textbf{-all}\textbar{}\textbf{-keepkvno} \emph{oldest\_kvno\_to\_keep}{]} \emph{principal} -\end{quote} - -Purges previously retained old keys (e.g., from \textbf{change\_password --keepold}) from \emph{principal}. If \textbf{-keepkvno} is specified, then -only purges keys with kvnos lower than \emph{oldest\_kvno\_to\_keep}. If -\textbf{-all} is specified, then all keys are purged. The \textbf{-all} option -is new in release 1.12. - -This command requires the \textbf{modify} privilege. -\phantomsection\label{admin/admin_commands/kadmin_local:purgekeys-end} - -\subsubsection{get\_principal} -\label{admin/admin_commands/kadmin_local:get-principal}\label{admin/admin_commands/kadmin_local:id7}\label{admin/admin_commands/kadmin_local:purgekeys-end}\begin{quote} - -\textbf{get\_principal} {[}\textbf{-terse}{]} \emph{principal} -\end{quote} - -Gets the attributes of principal. With the \textbf{-terse} option, outputs -fields as quoted tab-separated strings. - -This command requires the \textbf{inquire} privilege, or that the principal -running the the program to be the same as the one being listed. - -Alias: \textbf{getprinc} - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 -Attributes: -Policy: [none] - -kadmin: getprinc \PYGZhy{}terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:get-principal-end} - -\subsubsection{list\_principals} -\label{admin/admin_commands/kadmin_local:get-principal-end}\label{admin/admin_commands/kadmin_local:id8}\label{admin/admin_commands/kadmin_local:list-principals}\begin{quote} - -\textbf{list\_principals} {[}\emph{expression}{]} -\end{quote} - -Retrieves all or some principal names. \emph{expression} is a shell-style -glob expression that can contain the wild-card characters \code{?}, -\code{*}, and \code{{[}{]}}. All principal names matching the expression are -printed. If no expression is provided, all principal names are -printed. If the expression does not contain an \code{@} character, an -\code{@} character followed by the local realm is appended to the -expression. - -This command requires the \textbf{list} privilege. - -Alias: \textbf{listprincs}, \textbf{get\_principals}, \textbf{get\_princs} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: listprincs test* -test3@SECURE\PYGZhy{}TEST.OV.COM -test2@SECURE\PYGZhy{}TEST.OV.COM -test1@SECURE\PYGZhy{}TEST.OV.COM -testuser@SECURE\PYGZhy{}TEST.OV.COM -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:list-principals-end} - -\subsubsection{get\_strings} -\label{admin/admin_commands/kadmin_local:id9}\label{admin/admin_commands/kadmin_local:get-strings}\label{admin/admin_commands/kadmin_local:list-principals-end}\begin{quote} - -\textbf{get\_strings} \emph{principal} -\end{quote} - -Displays string attributes on \emph{principal}. - -This command requires the \textbf{inquire} privilege. - -Alias: \textbf{getstr} -\phantomsection\label{admin/admin_commands/kadmin_local:get-strings-end} - -\subsubsection{set\_string} -\label{admin/admin_commands/kadmin_local:id10}\label{admin/admin_commands/kadmin_local:set-string}\label{admin/admin_commands/kadmin_local:get-strings-end}\begin{quote} - -\textbf{set\_string} \emph{principal} \emph{name} \emph{value} -\end{quote} - -Sets a string attribute on \emph{principal}. String attributes are used to -supply per-principal configuration to the KDC and some KDC plugin -modules. The following string attribute names are recognized by the -KDC: -\begin{description} -\item[{\textbf{require\_auth}}] \leavevmode -Specifies an authentication indicator which is required to -authenticate to the principal as a service. Multiple indicators -can be specified, separated by spaces; in this case any of the -specified indicators will be accepted. (New in release 1.14.) - -\item[{\textbf{session\_enctypes}}] \leavevmode -Specifies the encryption types supported for session keys when the -principal is authenticated to as a server. See -{\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the -accepted values. - -\item[{\textbf{otp}}] \leavevmode -Enables One Time Passwords (OTP) preauthentication for a client -\emph{principal}. The \emph{value} is a JSON string representing an array -of objects, each having optional \code{type} and \code{username} fields. - -\end{description} - -This command requires the \textbf{modify} privilege. - -Alias: \textbf{setstr} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -set\PYGZus{}string host/foo.mit.edu session\PYGZus{}enctypes aes128\PYGZhy{}cts -set\PYGZus{}string user@FOO.COM otp \PYGZdq{}[\PYGZob{}\PYGZdq{}\PYGZdq{}type\PYGZdq{}\PYGZdq{}:\PYGZdq{}\PYGZdq{}hotp\PYGZdq{}\PYGZdq{},\PYGZdq{}\PYGZdq{}username\PYGZdq{}\PYGZdq{}:\PYGZdq{}\PYGZdq{}al\PYGZdq{}\PYGZdq{}\PYGZcb{}]\PYGZdq{} -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:set-string-end} - -\subsubsection{del\_string} -\label{admin/admin_commands/kadmin_local:set-string-end}\label{admin/admin_commands/kadmin_local:del-string}\label{admin/admin_commands/kadmin_local:id11}\begin{quote} - -\textbf{del\_string} \emph{principal} \emph{key} -\end{quote} - -Deletes a string attribute from \emph{principal}. - -This command requires the \textbf{delete} privilege. - -Alias: \textbf{delstr} -\phantomsection\label{admin/admin_commands/kadmin_local:del-string-end} - -\subsubsection{add\_policy} -\label{admin/admin_commands/kadmin_local:id12}\label{admin/admin_commands/kadmin_local:del-string-end}\label{admin/admin_commands/kadmin_local:add-policy}\begin{quote} - -\textbf{add\_policy} {[}\emph{options}{]} \emph{policy} -\end{quote} - -Adds a password policy named \emph{policy} to the database. - -This command requires the \textbf{add} privilege. - -Alias: \textbf{addpol} - -The following options are available: -\begin{description} -\item[{\textbf{-maxlife} \emph{time}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the maximum -lifetime of a password. - -\item[{\textbf{-minlife} \emph{time}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the minimum -lifetime of a password. - -\item[{\textbf{-minlength} \emph{length}}] \leavevmode -Sets the minimum length of a password. - -\item[{\textbf{-minclasses} \emph{number}}] \leavevmode -Sets the minimum number of character classes required in a -password. The five character classes are lower case, upper case, -numbers, punctuation, and whitespace/unprintable characters. - -\item[{\textbf{-history} \emph{number}}] \leavevmode -Sets the number of past keys kept for a principal. This option is -not supported with the LDAP KDC database module. - -\end{description} -\phantomsection\label{admin/admin_commands/kadmin_local:policy-maxfailure}\begin{description} -\item[{\textbf{-maxfailure} \emph{maxnumber}}] \leavevmode -Sets the number of authentication failures before the principal is -locked. Authentication failures are only tracked for principals -which require preauthentication. The counter of failed attempts -resets to 0 after a successful attempt to authenticate. A -\emph{maxnumber} value of 0 (the default) disables lockout. - -\end{description} -\phantomsection\label{admin/admin_commands/kadmin_local:policy-failurecountinterval}\begin{description} -\item[{\textbf{-failurecountinterval} \emph{failuretime}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the allowable time -between authentication failures. If an authentication failure -happens after \emph{failuretime} has elapsed since the previous -failure, the number of authentication failures is reset to 1. A -\emph{failuretime} value of 0 (the default) means forever. - -\end{description} -\phantomsection\label{admin/admin_commands/kadmin_local:policy-lockoutduration}\begin{description} -\item[{\textbf{-lockoutduration} \emph{lockouttime}}] \leavevmode -(\emph{duration} or \emph{getdate} string) Sets the duration for -which the principal is locked from authenticating if too many -authentication failures occur without the specified failure count -interval elapsing. A duration of 0 (the default) means the -principal remains locked out until it is administratively unlocked -with \code{modprinc -unlock}. - -\item[{\textbf{-allowedkeysalts}}] \leavevmode -Specifies the key/salt tuples supported for long-term keys when -setting or changing a principal's password/keys. See -{\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of the -accepted values, but note that key/salt tuples must be separated -with commas (`,') only. To clear the allowed key/salt policy use -a value of `-`. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: add\PYGZus{}policy \PYGZhy{}maxlife \PYGZdq{}2 days\PYGZdq{} \PYGZhy{}minlength 5 guests -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:add-policy-end} - -\subsubsection{modify\_policy} -\label{admin/admin_commands/kadmin_local:id13}\label{admin/admin_commands/kadmin_local:modify-policy}\label{admin/admin_commands/kadmin_local:add-policy-end}\begin{quote} - -\textbf{modify\_policy} {[}\emph{options}{]} \emph{policy} -\end{quote} - -Modifies the password policy named \emph{policy}. Options are as described -for \textbf{add\_policy}. - -This command requires the \textbf{modify} privilege. - -Alias: \textbf{modpol} -\phantomsection\label{admin/admin_commands/kadmin_local:modify-policy-end} - -\subsubsection{delete\_policy} -\label{admin/admin_commands/kadmin_local:delete-policy}\label{admin/admin_commands/kadmin_local:modify-policy-end}\label{admin/admin_commands/kadmin_local:id14}\begin{quote} - -\textbf{delete\_policy} {[}\textbf{-force}{]} \emph{policy} -\end{quote} - -Deletes the password policy named \emph{policy}. Prompts for confirmation -before deletion. The command will fail if the policy is in use by any -principals. - -This command requires the \textbf{delete} privilege. - -Alias: \textbf{delpol} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: del\PYGZus{}policy guests -Are you sure you want to delete the policy \PYGZdq{}guests\PYGZdq{}? -(yes/no): yes -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:delete-policy-end} - -\subsubsection{get\_policy} -\label{admin/admin_commands/kadmin_local:delete-policy-end}\label{admin/admin_commands/kadmin_local:get-policy}\label{admin/admin_commands/kadmin_local:id15}\begin{quote} - -\textbf{get\_policy} {[} \textbf{-terse} {]} \emph{policy} -\end{quote} - -Displays the values of the password policy named \emph{policy}. With the -\textbf{-terse} flag, outputs the fields as quoted strings separated by -tabs. - -This command requires the \textbf{inquire} privilege. - -Alias: getpol - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: get\PYGZus{}policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get\PYGZus{}policy \PYGZhy{}terse admin -admin 15552000 0 6 2 5 17 -kadmin: -\end{Verbatim} - -The ``Reference count'' is the number of principals using that policy. -With the LDAP KDC database module, the reference count field is not -meaningful. -\phantomsection\label{admin/admin_commands/kadmin_local:get-policy-end} - -\subsubsection{list\_policies} -\label{admin/admin_commands/kadmin_local:get-policy-end}\label{admin/admin_commands/kadmin_local:list-policies}\label{admin/admin_commands/kadmin_local:id16}\begin{quote} - -\textbf{list\_policies} {[}\emph{expression}{]} -\end{quote} - -Retrieves all or some policy names. \emph{expression} is a shell-style -glob expression that can contain the wild-card characters \code{?}, -\code{*}, and \code{{[}{]}}. All policy names matching the expression are -printed. If no expression is provided, all existing policy names are -printed. - -This command requires the \textbf{list} privilege. - -Aliases: \textbf{listpols}, \textbf{get\_policies}, \textbf{getpols}. - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: listpols -test\PYGZhy{}pol -dict\PYGZhy{}only -once\PYGZhy{}a\PYGZhy{}min -test\PYGZhy{}pol\PYGZhy{}nopw - -kadmin: listpols t* -test\PYGZhy{}pol -test\PYGZhy{}pol\PYGZhy{}nopw -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:list-policies-end} - -\subsubsection{ktadd} -\label{admin/admin_commands/kadmin_local:ktadd}\label{admin/admin_commands/kadmin_local:list-policies-end}\label{admin/admin_commands/kadmin_local:id17}\begin{quote} - -\begin{DUlineblock}{0em} -\item[] \textbf{ktadd} {[}options{]} \emph{principal} -\item[] \textbf{ktadd} {[}options{]} \textbf{-glob} \emph{princ-exp} -\end{DUlineblock} -\end{quote} - -Adds a \emph{principal}, or all principals matching \emph{princ-exp}, to a -keytab file. Each principal's keys are randomized in the process. -The rules for \emph{princ-exp} are described in the \textbf{list\_principals} -command. - -This command requires the \textbf{inquire} and \textbf{changepw} privileges. -With the \textbf{-glob} form, it also requires the \textbf{list} privilege. - -The options are: -\begin{description} -\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode -Use \emph{keytab} as the keytab file. Otherwise, the default keytab is -used. - -\item[{\textbf{-e} \emph{enc}:\emph{salt},...}] \leavevmode -Uses the specified keysalt list for setting the new keys of the -principal. See {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{Keysalt lists}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a -list of possible values. - -\item[{\textbf{-q}}] \leavevmode -Display less verbose information. - -\item[{\textbf{-norandkey}}] \leavevmode -Do not randomize the keys. The keys and their version numbers stay -unchanged. This option cannot be specified in combination with the -\textbf{-e} option. - -\end{description} - -An entry for each of the principal's unique encryption types is added, -ignoring multiple keys with the same encryption type but different -salt types. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktadd \PYGZhy{}k /tmp/foo\PYGZhy{}new\PYGZhy{}keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, - encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab - FILE:/tmp/foo\PYGZhy{}new\PYGZhy{}keytab -kadmin: -\end{Verbatim} -\phantomsection\label{admin/admin_commands/kadmin_local:ktadd-end} - -\subsubsection{ktremove} -\label{admin/admin_commands/kadmin_local:id18}\label{admin/admin_commands/kadmin_local:ktremove}\label{admin/admin_commands/kadmin_local:ktadd-end}\begin{quote} - -\textbf{ktremove} {[}options{]} \emph{principal} {[}\emph{kvno} \textbar{} \emph{all} \textbar{} \emph{old}{]} -\end{quote} - -Removes entries for the specified \emph{principal} from a keytab. Requires -no permissions, since this does not require database access. - -If the string ``all'' is specified, all entries for that principal are -removed; if the string ``old'' is specified, all entries for that -principal except those with the highest kvno are removed. Otherwise, -the value specified is parsed as an integer, and all entries whose -kvno match that integer are removed. - -The options are: -\begin{description} -\item[{\textbf{-k{[}eytab{]}} \emph{keytab}}] \leavevmode -Use \emph{keytab} as the keytab file. Otherwise, the default keytab is -used. - -\item[{\textbf{-q}}] \leavevmode -Display less verbose information. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kadmin: ktremove kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed from keytab - FILE:/etc/krb5.keytab -kadmin: -\end{Verbatim} - - -\subsubsection{lock} -\label{admin/admin_commands/kadmin_local:ktremove-end}\label{admin/admin_commands/kadmin_local:lock} -Lock database exclusively. Use with extreme caution! This command -only works with the DB2 KDC database module. - - -\subsubsection{unlock} -\label{admin/admin_commands/kadmin_local:unlock} -Release the exclusive database lock. - - -\subsubsection{list\_requests} -\label{admin/admin_commands/kadmin_local:list-requests} -Lists available for kadmin requests. - -Aliases: \textbf{lr}, \textbf{?} - - -\subsubsection{quit} -\label{admin/admin_commands/kadmin_local:quit} -Exit program. If the database was locked, the lock is released. - -Aliases: \textbf{exit}, \textbf{q} - - -\subsection{HISTORY} -\label{admin/admin_commands/kadmin_local:history} -The kadmin program was originally written by Tom Yu at MIT, as an -interface to the OpenVision Kerberos administration program. - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kadmin_local:see-also} -\emph{kpasswd(1)}, {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} - - -\section{kadmind} -\label{admin/admin_commands/kadmind:kadmind-8}\label{admin/admin_commands/kadmind:kadmind}\label{admin/admin_commands/kadmind::doc} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kadmind:synopsis} -\textbf{kadmind} -{[}\textbf{-x} \emph{db\_args}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-m}{]} -{[}\textbf{-nofork}{]} -{[}\textbf{-proponly}{]} -{[}\textbf{-port} \emph{port-number}{]} -{[}\textbf{-P} \emph{pid\_file}{]} -{[}\textbf{-p} \emph{kdb5\_util\_path}{]} -{[}\textbf{-K} \emph{kprop\_path}{]} -{[}\textbf{-k} \emph{kprop\_port}{]} -{[}\textbf{-F} \emph{dump\_file}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kadmind:description} -kadmind starts the Kerberos administration server. kadmind typically -runs on the master Kerberos server, which stores the KDC database. If -the KDC database uses the LDAP module, the administration server and -the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} and -\emph{kpasswd(1)} to administer the information in these database. - -kadmind requires a number of configuration files to be set up in order -for it to work: -\begin{description} -\item[{{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}}] \leavevmode -The KDC configuration file contains configuration information for -the KDC and admin servers. kadmind uses settings in this file to -locate the Kerberos database, and is also affected by the -\textbf{acl\_file}, \textbf{dict\_file}, \textbf{kadmind\_port}, and iprop-related -settings. - -\item[{{\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}}}] \leavevmode -kadmind's ACL (access control list) tells it which principals are -allowed to perform administration actions. The pathname to the -ACL file can be specified with the \textbf{acl\_file} {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} -variable; by default, it is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl}. - -\end{description} - -After the server begins running, it puts itself in the background and -disassociates itself from its controlling terminal. - -kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} -file with the \textbf{iprop\_enable} option. Incremental propagation -requires the principal \code{kiprop/MASTER\textbackslash{}@REALM} (where MASTER is the -master KDC's canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase. - - -\subsection{OPTIONS} -\label{admin/admin_commands/kadmind:options}\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -specifies the realm that kadmind will serve; if it is not -specified, the default realm of the host is used. - -\item[{\textbf{-m}}] \leavevmode -causes the master database password to be fetched from the -keyboard (before the server puts itself in the background, if not -invoked with the \textbf{-nofork} option) rather than from a file on -disk. - -\item[{\textbf{-nofork}}] \leavevmode -causes the server to remain in the foreground and remain -associated to the terminal. In normal operation, you should allow -the server to place itself in the background. - -\item[{\textbf{-proponly}}] \leavevmode -causes the server to only listen and respond to Kerberos slave -incremental propagation polling requests. This option can be used -to set up a hierarchical propagation topology where a slave KDC -provides incremental updates to other Kerberos slaves. - -\item[{\textbf{-port} \emph{port-number}}] \leavevmode -specifies the port on which the administration server listens for -connections. The default port is determined by the -\textbf{kadmind\_port} configuration variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-P} \emph{pid\_file}}] \leavevmode -specifies the file to which the PID of kadmind process should be -written after it starts up. This file can be used to identify -whether kadmind is still running and to allow init scripts to stop -the correct process. - -\item[{\textbf{-p} \emph{kdb5\_util\_path}}] \leavevmode -specifies the path to the kdb5\_util command to use when dumping the -KDB in response to full resync requests when iprop is enabled. - -\item[{\textbf{-K} \emph{kprop\_path}}] \leavevmode -specifies the path to the kprop command to use to send full dumps -to slaves in response to full resync requests. - -\item[{\textbf{-k} \emph{kprop\_port}}] \leavevmode -specifies the port by which the kprop process that is spawned by kadmind -connects to the slave kpropd, in order to transfer the dump file during -an iprop full resync request. - -\item[{\textbf{-F} \emph{dump\_file}}] \leavevmode -specifies the file path to be used for dumping the KDB in response -to full resync requests when iprop is enabled. - -\item[{\textbf{-x} \emph{db\_args}}] \leavevmode -specifies database-specific arguments. See {\hyperref[admin/admin_commands/kadmin_local:dboptions]{\emph{Database Options}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for supported arguments. - -\end{description} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kadmind:see-also} -\emph{kpasswd(1)}, {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}}, {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} - - -\section{kdb5\_util} -\label{admin/admin_commands/kdb5_util:kdb5-util-8}\label{admin/admin_commands/kdb5_util::doc}\label{admin/admin_commands/kdb5_util:kdb5-util} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kdb5_util:synopsis}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-synopsis} -\textbf{kdb5\_util} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-d} \emph{dbname}{]} -{[}\textbf{-k} \emph{mkeytype}{]} -{[}\textbf{-M} \emph{mkeyname}{]} -{[}\textbf{-kv} \emph{mkeyVNO}{]} -{[}\textbf{-sf} \emph{stashfilename}{]} -{[}\textbf{-m}{]} -\emph{command} {[}\emph{command\_options}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kdb5_util:kdb5-util-synopsis-end}\label{admin/admin_commands/kdb5_util:description} -kdb5\_util allows an administrator to perform maintenance procedures on -the KDC database. Databases can be created, destroyed, and dumped to -or loaded from ASCII files. kdb5\_util can create a Kerberos master -key stash file or perform live rollover of the master key. - -When kdb5\_util is run, it attempts to acquire the master key and open -the database. However, execution continues regardless of whether or -not kdb5\_util successfully opens the database, because the database -may not exist yet or the stash file may be corrupt. - -Note that some KDC database modules may not support all kdb5\_util -commands. - - -\subsection{COMMAND-LINE OPTIONS} -\label{admin/admin_commands/kdb5_util:command-line-options}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-options}\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -specifies the Kerberos realm of the database. - -\item[{\textbf{-d} \emph{dbname}}] \leavevmode -specifies the name under which the principal database is stored; -by default the database is that listed in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. The -password policy database and lock files are also derived from this -value. - -\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode -specifies the key type of the master key in the database. The -default is given by the \textbf{master\_key\_type} variable in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode -Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed. - -\item[{\textbf{-M} \emph{mkeyname}}] \leavevmode -principal name for the master key in the database. If not -specified, the name is determined by the \textbf{master\_key\_name} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-m}}] \leavevmode -specifies that the master database password should be read from -the keyboard rather than fetched from a file on disk. - -\item[{\textbf{-sf} \emph{stash\_file}}] \leavevmode -specifies the stash filename of the master database password. If -not specified, the filename is determined by the -\textbf{key\_stash\_file} variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-P} \emph{password}}] \leavevmode -specifies the master database password. Using this option may -expose the password to other users on the system via the process -list. - -\end{description} - - -\subsection{COMMANDS} -\label{admin/admin_commands/kdb5_util:commands}\label{admin/admin_commands/kdb5_util:kdb5-util-options-end} - -\subsubsection{create} -\label{admin/admin_commands/kdb5_util:create}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-create}\begin{quote} - -\textbf{create} {[}\textbf{-s}{]} -\end{quote} - -Creates a new database. If the \textbf{-s} option is specified, the stash -file is also created. This command fails if the database already -exists. If the command is successful, the database is opened just as -if it had already existed when the program was first run. - - -\subsubsection{destroy} -\label{admin/admin_commands/kdb5_util:destroy}\label{admin/admin_commands/kdb5_util:kdb5-util-create-end}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-destroy}\begin{quote} - -\textbf{destroy} {[}\textbf{-f}{]} -\end{quote} - -Destroys the database, first overwriting the disk sectors and then -unlinking the files, after prompting the user for confirmation. With -the \textbf{-f} argument, does not prompt the user. - - -\subsubsection{stash} -\label{admin/admin_commands/kdb5_util:kdb5-util-destroy-end}\label{admin/admin_commands/kdb5_util:stash}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-stash}\begin{quote} - -\textbf{stash} {[}\textbf{-f} \emph{keyfile}{]} -\end{quote} - -Stores the master principal's keys in a stash file. The \textbf{-f} -argument can be used to override the \emph{keyfile} specified in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - - -\subsubsection{dump} -\label{admin/admin_commands/kdb5_util:kdb5-util-stash-end}\label{admin/admin_commands/kdb5_util:dump}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-dump}\begin{quote} - -\textbf{dump} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-verbose}{]} -{[}\textbf{-mkey\_convert}{]} {[}\textbf{-new\_mkey\_file} \emph{mkey\_file}{]} {[}\textbf{-rev}{]} -{[}\textbf{-recurse}{]} {[}\emph{filename} {[}\emph{principals}...{]}{]} -\end{quote} - -Dumps the current Kerberos and KADM5 database into an ASCII file. By -default, the database is dumped in current format, ``kdb5\_util -load\_dump version 7''. If filename is not specified, or is the string -``-'', the dump is sent to standard output. Options: -\begin{description} -\item[{\textbf{-b7}}] \leavevmode -causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5\_util -load\_dump version 4''). This was the dump format produced on -releases prior to 1.2.2. - -\item[{\textbf{-ov}}] \leavevmode -causes the dump to be in ``ovsec\_adm\_export'' format. - -\item[{\textbf{-r13}}] \leavevmode -causes the dump to be in the Kerberos 5 1.3 format (``kdb5\_util -load\_dump version 5''). This was the dump format produced on -releases prior to 1.8. - -\item[{\textbf{-r18}}] \leavevmode -causes the dump to be in the Kerberos 5 1.8 format (``kdb5\_util -load\_dump version 6''). This was the dump format produced on -releases prior to 1.11. - -\item[{\textbf{-verbose}}] \leavevmode -causes the name of each principal and policy to be printed as it -is dumped. - -\item[{\textbf{-mkey\_convert}}] \leavevmode -prompts for a new master key. This new master key will be used to -re-encrypt principal key data in the dumpfile. The principal keys -themselves will not be changed. - -\item[{\textbf{-new\_mkey\_file} \emph{mkey\_file}}] \leavevmode -the filename of a stash file. The master key in this stash file -will be used to re-encrypt the key data in the dumpfile. The key -data in the database will not be changed. - -\item[{\textbf{-rev}}] \leavevmode -dumps in reverse order. This may recover principals that do not -dump normally, in cases where database corruption has occurred. - -\item[{\textbf{-recurse}}] \leavevmode -causes the dump to walk the database recursively (btree only). -This may recover principals that do not dump normally, in cases -where database corruption has occurred. In cases of such -corruption, this option will probably retrieve more principals -than the \textbf{-rev} option will. - -\DUspan{versionmodified}{Changed in version 1.15: }Release 1.15 restored the functionality of the \textbf{-recurse} -option. - -\DUspan{versionmodified}{Changed in version 1.5: }The \textbf{-recurse} option ceased working until release 1.15, -doing a normal dump instead of a recursive traversal. - -\end{description} - - -\subsubsection{load} -\label{admin/admin_commands/kdb5_util:kdb5-util-dump-end}\label{admin/admin_commands/kdb5_util:load}\phantomsection\label{admin/admin_commands/kdb5_util:kdb5-util-load}\begin{quote} - -\textbf{load} {[}\textbf{-b7}\textbar{}\textbf{-ov}\textbar{}\textbf{-r13}{]} {[}\textbf{-hash}{]} -{[}\textbf{-verbose}{]} {[}\textbf{-update}{]} \emph{filename} {[}\emph{dbname}{]} -\end{quote} - -Loads a database dump from the named file into the named database. If -no option is given to determine the format of the dump file, the -format is detected automatically and handled as appropriate. Unless -the \textbf{-update} option is given, \textbf{load} creates a new database -containing only the data in the dump file, overwriting the contents of -any previously existing database. Note that when using the LDAP KDC -database module, the \textbf{-update} flag is required. - -Options: -\begin{description} -\item[{\textbf{-b7}}] \leavevmode -requires the database to be in the Kerberos 5 Beta 7 format -(``kdb5\_util load\_dump version 4''). This was the dump format -produced on releases prior to 1.2.2. - -\item[{\textbf{-ov}}] \leavevmode -requires the database to be in ``ovsec\_adm\_import'' format. Must be -used with the \textbf{-update} option. - -\item[{\textbf{-r13}}] \leavevmode -requires the database to be in Kerberos 5 1.3 format (``kdb5\_util -load\_dump version 5''). This was the dump format produced on -releases prior to 1.8. - -\item[{\textbf{-r18}}] \leavevmode -requires the database to be in Kerberos 5 1.8 format (``kdb5\_util -load\_dump version 6''). This was the dump format produced on -releases prior to 1.11. - -\item[{\textbf{-hash}}] \leavevmode -requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals. - -\item[{\textbf{-verbose}}] \leavevmode -causes the name of each principal and policy to be printed as it -is dumped. - -\item[{\textbf{-update}}] \leavevmode -records from the dump file are added to or updated in the existing -database. Otherwise, a new database is created containing only -what is in the dump file and the old one destroyed upon successful -completion. - -\end{description} - -If specified, \emph{dbname} overrides the value specified on the command -line or the default. - - -\subsubsection{ark} -\label{admin/admin_commands/kdb5_util:kdb5-util-load-end}\label{admin/admin_commands/kdb5_util:ark}\begin{quote} - -\textbf{ark} {[}\textbf{-e} \emph{enc}:\emph{salt},...{]} \emph{principal} -\end{quote} - -Adds new random keys to \emph{principal} at the next available key version -number. Keys for the current highest key version number will be -preserved. The \textbf{-e} option specifies the list of encryption and -salt types to be used for the new keys. - - -\subsubsection{add\_mkey} -\label{admin/admin_commands/kdb5_util:add-mkey}\begin{quote} - -\textbf{add\_mkey} {[}\textbf{-e} \emph{etype}{]} {[}\textbf{-s}{]} -\end{quote} - -Adds a new master key to the master key principal, but does not mark -it as active. Existing master keys will remain. The \textbf{-e} option -specifies the encryption type of the new master key; see -{\hyperref[admin/conf_files/kdc_conf:encryption-types]{\emph{Encryption types}}} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} for a list of possible -values. The \textbf{-s} option stashes the new master key in the stash -file, which will be created if it doesn't already exist. - -After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}. Then, -the stash files on the slave servers should be updated with the -kdb5\_util \textbf{stash} command. Once those steps are complete, the key -is ready to be marked active with the kdb5\_util \textbf{use\_mkey} command. - - -\subsubsection{use\_mkey} -\label{admin/admin_commands/kdb5_util:use-mkey}\begin{quote} - -\textbf{use\_mkey} \emph{mkeyVNO} {[}\emph{time}{]} -\end{quote} - -Sets the activation time of the master key specified by \emph{mkeyVNO}. -Once a master key becomes active, it will be used to encrypt newly -created principal keys. If no \emph{time} argument is given, the current -time is used, causing the specified master key version to become -active immediately. The format for \emph{time} is \emph{getdate} string. - -After a new master key becomes active, the kdb5\_util -\textbf{update\_princ\_encryption} command can be used to update all -principal keys to be encrypted in the new master key. - - -\subsubsection{list\_mkeys} -\label{admin/admin_commands/kdb5_util:list-mkeys}\begin{quote} - -\textbf{list\_mkeys} -\end{quote} - -List all master keys, from most recent to earliest, in the master key -principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} \textbf{getprinc}. A -\code{*} following an mkey denotes the currently active master key. - - -\subsubsection{purge\_mkeys} -\label{admin/admin_commands/kdb5_util:purge-mkeys}\begin{quote} - -\textbf{purge\_mkeys} {[}\textbf{-f}{]} {[}\textbf{-n}{]} {[}\textbf{-v}{]} -\end{quote} - -Delete master keys from the master key principal that are not used to -protect any principals. This command can be used to remove old master -keys all principal keys are protected by a newer master key. -\begin{description} -\item[{\textbf{-f}}] \leavevmode -does not prompt for confirmation. - -\item[{\textbf{-n}}] \leavevmode -performs a dry run, showing master keys that would be purged, but -not actually purging any keys. - -\item[{\textbf{-v}}] \leavevmode -gives more verbose output. - -\end{description} - - -\subsubsection{update\_princ\_encryption} -\label{admin/admin_commands/kdb5_util:update-princ-encryption}\begin{quote} - -\textbf{update\_princ\_encryption} {[}\textbf{-f}{]} {[}\textbf{-n}{]} {[}\textbf{-v}{]} -{[}\emph{princ-pattern}{]} -\end{quote} - -Update all principal records (or only those matching the -\emph{princ-pattern} glob pattern) to re-encrypt the key data using the -active database master key, if they are encrypted using a different -version, and give a count at the end of the number of principals -updated. If the \textbf{-f} option is not given, ask for confirmation -before starting to make changes. The \textbf{-v} option causes each -principal processed to be listed, with an indication as to whether it -needed updating or not. The \textbf{-n} option performs a dry run, only -showing the actions which would have been taken. - - -\subsubsection{tabdump} -\label{admin/admin_commands/kdb5_util:tabdump}\begin{quote} - -\textbf{tabdump} {[}\textbf{-H}{]} {[}\textbf{-c}{]} {[}\textbf{-e}{]} {[}\textbf{-n}{]} {[}\textbf{-o} \emph{outfile}{]} -\emph{dumptype} -\end{quote} - -Dump selected fields of the database in a tabular format suitable for -reporting (e.g., using traditional Unix text processing tools) or -importing into relational databases. The data format is tab-separated -(default), or optionally comma-separated (CSV), with a fixed number of -columns. The output begins with a header line containing field names, -unless suppression is requested using the \textbf{-H} option. - -The \emph{dumptype} parameter specifies the name of an output table (see -below). - -Options: -\begin{description} -\item[{\textbf{-H}}] \leavevmode -suppress writing the field names in a header line - -\item[{\textbf{-c}}] \leavevmode -use comma separated values (CSV) format, with minimal quoting, -instead of the default tab-separated (unquoted, unescaped) format - -\item[{\textbf{-e}}] \leavevmode -write empty hexadecimal string fields as empty fields instead of -as ``-1''. - -\item[{\textbf{-n}}] \leavevmode -produce numeric output for fields that normally have symbolic -output, such as enctypes and flag names. Also requests output of -time stamps as decimal POSIX time\_t values. - -\item[{\textbf{-o} \emph{outfile}}] \leavevmode -write the dump to the specified output file instead of to standard -output - -\end{description} - -Dump types: -\begin{description} -\item[{\textbf{keydata}}] \leavevmode -principal encryption key information, including actual key data -(which is still encrypted in the master key) -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{keyindex}}] \leavevmode -index of this key in the principal's key list - -\item[{\textbf{kvno}}] \leavevmode -key version number - -\item[{\textbf{enctype}}] \leavevmode -encryption type - -\item[{\textbf{key}}] \leavevmode -key data as a hexadecimal string - -\item[{\textbf{salttype}}] \leavevmode -salt type - -\item[{\textbf{salt}}] \leavevmode -salt data as a hexadecimal string - -\end{description} - -\item[{\textbf{keyinfo}}] \leavevmode -principal encryption key information (as in \textbf{keydata} above), -excluding actual key data - -\item[{\textbf{princ\_flags}}] \leavevmode -principal boolean attributes. Flag names print as hexadecimal -numbers if the \textbf{-n} option is specified, and all flag positions -are printed regardless of whether or not they are set. If \textbf{-n} -is not specified, print all known flag names for each principal, -but only print hexadecimal flag names if the corresponding flag is -set. -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{flag}}] \leavevmode -flag name - -\item[{\textbf{value}}] \leavevmode -boolean value (0 for clear, or 1 for set) - -\end{description} - -\item[{\textbf{princ\_lockout}}] \leavevmode -state information used for tracking repeated password failures -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{last\_success}}] \leavevmode -time stamp of most recent successful authentication - -\item[{\textbf{last\_failed}}] \leavevmode -time stamp of most recent failed authentication - -\item[{\textbf{fail\_count}}] \leavevmode -count of failed attempts - -\end{description} - -\item[{\textbf{princ\_meta}}] \leavevmode -principal metadata -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{modby}}] \leavevmode -name of last principal to modify this principal - -\item[{\textbf{modtime}}] \leavevmode -timestamp of last modification - -\item[{\textbf{lastpwd}}] \leavevmode -timestamp of last password change - -\item[{\textbf{policy}}] \leavevmode -policy object name - -\item[{\textbf{mkvno}}] \leavevmode -key version number of the master key that encrypts this -principal's key data - -\item[{\textbf{hist\_kvno}}] \leavevmode -key version number of the history key that encrypts the key -history data for this principal - -\end{description} - -\item[{\textbf{princ\_stringattrs}}] \leavevmode -string attributes (key/value pairs) -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{key}}] \leavevmode -attribute name - -\item[{\textbf{value}}] \leavevmode -attribute value - -\end{description} - -\item[{\textbf{princ\_tktpolicy}}] \leavevmode -per-principal ticket policy data, including maximum ticket -lifetimes -\begin{description} -\item[{\textbf{name}}] \leavevmode -principal name - -\item[{\textbf{expiration}}] \leavevmode -principal expiration date - -\item[{\textbf{pw\_expiration}}] \leavevmode -password expiration date - -\item[{\textbf{max\_life}}] \leavevmode -maximum ticket lifetime - -\item[{\textbf{max\_renew\_life}}] \leavevmode -maximum renewable ticket lifetime - -\end{description} - -\end{description} - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZdl{} kdb5\PYGZus{}util tabdump \PYGZhy{}o keyinfo.txt keyinfo -\PYGZdl{} cat keyinfo.txt -name keyindex kvno enctype salttype salt -foo@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 -bar@EXAMPLE.COM 0 1 aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 normal \PYGZhy{}1 -bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 -\PYGZdl{} sqlite3 -sqlite\PYGZgt{} .mode tabs -sqlite\PYGZgt{} .import keyinfo.txt keyinfo -sqlite\PYGZgt{} select * from keyinfo where enctype like \PYGZsq{}des\PYGZhy{}cbc\PYGZhy{}\PYGZpc{}\PYGZsq{}; -bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 -sqlite\PYGZgt{} .quit -\PYGZdl{} awk \PYGZhy{}F\PYGZsq{}\PYGZbs{}t\PYGZsq{} \PYGZsq{}\PYGZdl{}4 \PYGZti{} /des\PYGZhy{}cbc\PYGZhy{}/ \PYGZob{} print \PYGZcb{}\PYGZsq{} keyinfo.txt -bar@EXAMPLE.COM 1 1 des\PYGZhy{}cbc\PYGZhy{}crc normal \PYGZhy{}1 -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kdb5_util:see-also} -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} - - -\section{kdb5\_ldap\_util} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8}\label{admin/admin_commands/kdb5_ldap_util::doc}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kdb5_ldap_util:synopsis}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis} -\textbf{kdb5\_ldap\_util} -{[}\textbf{-D} \emph{user\_dn} {[}\textbf{-w} \emph{passwd}{]}{]} -{[}\textbf{-H} \emph{ldapuri}{]} -\textbf{command} -{[}\emph{command\_options}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-synopsis-end}\label{admin/admin_commands/kdb5_ldap_util:description} -kdb5\_ldap\_util allows an administrator to manage realms, Kerberos -services and ticket policies. - - -\subsection{COMMAND-LINE OPTIONS} -\label{admin/admin_commands/kdb5_ldap_util:command-line-options}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options}\begin{description} -\item[{\textbf{-D} \emph{user\_dn}}] \leavevmode -Specifies the Distinguished Name (DN) of the user who has -sufficient rights to perform the operation on the LDAP server. - -\item[{\textbf{-w} \emph{passwd}}] \leavevmode -Specifies the password of \emph{user\_dn}. This option is not -recommended. - -\item[{\textbf{-H} \emph{ldapuri}}] \leavevmode -Specifies the URI of the LDAP server. It is recommended to use -\code{ldapi://} or \code{ldaps://} to connect to the LDAP server. - -\end{description} - - -\subsection{COMMANDS} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-options-end}\label{admin/admin_commands/kdb5_ldap_util:commands} - -\subsubsection{create} -\label{admin/admin_commands/kdb5_ldap_util:create}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create}\begin{quote} - -\textbf{create} -{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} -{[}\textbf{-sscope} \emph{search\_scope}{]} -{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} -{[}\textbf{-k} \emph{mkeytype}{]} -{[}\textbf{-kv} \emph{mkeyVNO}{]} -{[}\textbf{-m\textbar{}-P} \emph{password}\textbar{}\textbf{-sf} \emph{stashfilename}{]} -{[}\textbf{-s}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\end{quote} - -Creates realm in directory. Options: -\begin{description} -\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode -Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (\code{:}). - -\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode -Specifies the scope for searching the principals under the -subtree. The possible values are 1 or one (one level), 2 or sub -(subtrees). - -\item[{\textbf{-containerref} \emph{container\_reference\_dn}}] \leavevmode -Specifies the DN of the container object in which the principals -of a realm will be created. If the container reference is not -configured for a realm, the principals will be created in the -realm container. - -\item[{\textbf{-k} \emph{mkeytype}}] \leavevmode -Specifies the key type of the master key in the database. The -default is given by the \textbf{master\_key\_type} variable in -{\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. - -\item[{\textbf{-kv} \emph{mkeyVNO}}] \leavevmode -Specifies the version number of the master key in the database; -the default is 1. Note that 0 is not allowed. - -\item[{\textbf{-m}}] \leavevmode -Specifies that the master database password should be read from -the TTY rather than fetched from a file on the disk. - -\item[{\textbf{-P} \emph{password}}] \leavevmode -Specifies the master database password. This option is not -recommended. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-sf} \emph{stashfilename}}] \leavevmode -Specifies the stash file of the master database password. - -\item[{\textbf{-s}}] \leavevmode -Specifies that the stash file is to be created. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals in this realm. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals in this realm. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the \textbf{add\_principal} command in -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - create \PYGZhy{}subtrees o=org \PYGZhy{}sscope SUB \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Initializing database for realm \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{} -You will be prompted for the database Master Password. -It is important that you NOT FORGET this password. -Enter KDC database master key: -Re\PYGZhy{}enter KDC database master key to verify: -\end{Verbatim} - - -\subsubsection{modify} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-end}\label{admin/admin_commands/kdb5_ldap_util:modify}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify}\begin{quote} - -\textbf{modify} -{[}\textbf{-subtrees} \emph{subtree\_dn\_list}{]} -{[}\textbf{-sscope} \emph{search\_scope}{]} -{[}\textbf{-containerref} \emph{container\_reference\_dn}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\end{quote} - -Modifies the attributes of a realm. Options: -\begin{description} -\item[{\textbf{-subtrees} \emph{subtree\_dn\_list}}] \leavevmode -Specifies the list of subtrees containing the principals of a -realm. The list contains the DNs of the subtree objects separated -by colon (\code{:}). This list replaces the existing list. - -\item[{\textbf{-sscope} \emph{search\_scope}}] \leavevmode -Specifies the scope for searching the principals under the -subtrees. The possible values are 1 or one (one level), 2 or sub -(subtrees). - -\item[{\textbf{-containerref} \emph{container\_reference\_dn} Specifies the DN of the}] \leavevmode -container object in which the principals of a realm will be -created. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals in this realm. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals in this realm. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies global ticket flags for the realm. Allowable flags are -documented in the description of the \textbf{add\_principal} command in -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu modify +requires\PYGZus{}preauth \PYGZhy{}r - ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -shell\PYGZpc{} -\end{Verbatim} - - -\subsubsection{view} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-end}\label{admin/admin_commands/kdb5_ldap_util:view}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view}\begin{quote} - -\textbf{view} {[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Displays the attributes of a realm. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - view \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Realm Name: ATHENA.MIT.EDU -Subtree: ou=users,o=org -Subtree: ou=servers,o=org -SearchScope: ONE -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE -\end{Verbatim} - - -\subsubsection{destroy} -\label{admin/admin_commands/kdb5_ldap_util:destroy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy}\begin{quote} - -\textbf{destroy} {[}\textbf{-f}{]} {[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Destroys an existing realm. Options: -\begin{description} -\item[{\textbf{-f}}] \leavevmode -If specified, will not prompt the user for confirmation. - -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu destroy \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Deleting KDC database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}, are you sure? -(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes -OK, deleting database of \PYGZsq{}ATHENA.MIT.EDU\PYGZsq{}... -shell\PYGZpc{} -\end{Verbatim} - - -\subsubsection{list} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-end}\label{admin/admin_commands/kdb5_ldap_util:list}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list}\begin{quote} - -\textbf{list} -\end{quote} - -Lists the name of realms. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu list -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -ATHENA.MIT.EDU -OPENLDAP.MIT.EDU -MEDIA\PYGZhy{}LAB.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - - -\subsubsection{stashsrvpw} -\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-end}\label{admin/admin_commands/kdb5_ldap_util:stashsrvpw}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw}\begin{quote} - -\textbf{stashsrvpw} -{[}\textbf{-f} \emph{filename}{]} -\emph{name} -\end{quote} - -Allows an administrator to store the password for service object in a -file so that KDC and Administration server can use it to authenticate -to the LDAP server. Options: -\begin{description} -\item[{\textbf{-f} \emph{filename}}] \leavevmode -Specifies the complete path of the service password file. By -default, \code{/usr/local/var/service\_passwd} is used. - -\item[{\emph{name}}] \leavevmode -Specifies the name of the object whose password is to be stored. -If {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} or {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} are configured for -simple binding, this should be the distinguished name it will -use as given by the \textbf{ldap\_kdc\_dn} or \textbf{ldap\_kadmind\_dn} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If the KDC or kadmind is -configured for SASL binding, this should be the authentication -name it will use as given by the \textbf{ldap\_kdc\_sasl\_authcid} or -\textbf{ldap\_kadmind\_sasl\_authcid} variable. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util stashsrvpw \PYGZhy{}f /home/andrew/conf\PYGZus{}keyfile - cn=service\PYGZhy{}kdc,o=org -Password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: -Re\PYGZhy{}enter password for \PYGZdq{}cn=service\PYGZhy{}kdc,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsubsection{create\_policy} -\label{admin/admin_commands/kdb5_ldap_util:create-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-stashsrvpw-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy}\begin{quote} - -\textbf{create\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\emph{policy\_name} -\end{quote} - -Creates a ticket policy in the directory. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-maxtktlife} \emph{max\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum ticket life for -principals. - -\item[{\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}}] \leavevmode -(\emph{getdate} string) Specifies maximum renewable life of -tickets for principals. - -\item[{\emph{ticket\_flags}}] \leavevmode -Specifies the ticket flags. If this option is not specified, by -default, no restriction will be set by the policy. Allowable -flags are documented in the description of the \textbf{add\_principal} -command in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - create\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU \PYGZhy{}maxtktlife \PYGZdq{}1 day\PYGZdq{} - \PYGZhy{}maxrenewlife \PYGZdq{}1 week\PYGZdq{} \PYGZhy{}allow\PYGZus{}postdated +needchange - \PYGZhy{}allow\PYGZus{}forwardable tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsubsection{modify\_policy} -\label{admin/admin_commands/kdb5_ldap_util:modify-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-create-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy}\begin{quote} - -\textbf{modify\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-maxtktlife} \emph{max\_ticket\_life}{]} -{[}\textbf{-maxrenewlife} \emph{max\_renewable\_ticket\_life}{]} -{[}\emph{ticket\_flags}{]} -\emph{policy\_name} -\end{quote} - -Modifies the attributes of a ticket policy. Options are same as for -\textbf{create\_policy}. - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H - ldaps://ldap\PYGZhy{}server1.mit.edu modify\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU - \PYGZhy{}maxtktlife \PYGZdq{}60 minutes\PYGZdq{} \PYGZhy{}maxrenewlife \PYGZdq{}10 hours\PYGZdq{} - +allow\PYGZus{}postdated \PYGZhy{}requires\PYGZus{}preauth tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -\end{Verbatim} - - -\subsubsection{view\_policy} -\label{admin/admin_commands/kdb5_ldap_util:view-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-modify-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy}\begin{quote} - -\textbf{view\_policy} -{[}\textbf{-r} \emph{realm}{]} -\emph{policy\_name} -\end{quote} - -Displays the attributes of a ticket policy. Options: -\begin{description} -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - view\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -Ticket policy: tktpolicy -Maximum ticket life: 0 days 01:00:00 -Maximum renewable life: 0 days 10:00:00 -Ticket flags: DISALLOW\PYGZus{}FORWARDABLE REQUIRES\PYGZus{}PWCHANGE -\end{Verbatim} - - -\subsubsection{destroy\_policy} -\label{admin/admin_commands/kdb5_ldap_util:destroy-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-view-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy}\begin{quote} - -\textbf{destroy\_policy} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-force}{]} -\emph{policy\_name} -\end{quote} - -Destroys an existing ticket policy. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\item[{\textbf{-force}}] \leavevmode -Forces the deletion of the policy object. If not specified, the -user will be prompted for confirmation before deleting the policy. - -\item[{\emph{policy\_name}}] \leavevmode -Specifies the name of the ticket policy. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - destroy\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU tktpolicy -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -This will delete the policy object \PYGZsq{}tktpolicy\PYGZsq{}, are you sure? -(type \PYGZsq{}yes\PYGZsq{} to confirm)? yes -** policy object \PYGZsq{}tktpolicy\PYGZsq{} deleted. -\end{Verbatim} - - -\subsubsection{list\_policy} -\label{admin/admin_commands/kdb5_ldap_util:list-policy}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-destroy-policy-end}\phantomsection\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy}\begin{quote} - -\textbf{list\_policy} -{[}\textbf{-r} \emph{realm}{]} -\end{quote} - -Lists the ticket policies in realm if specified or in the default -realm. Options: -\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the Kerberos realm of the database. - -\end{description} - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,o=org \PYGZhy{}H ldaps://ldap\PYGZhy{}server1.mit.edu - list\PYGZus{}policy \PYGZhy{}r ATHENA.MIT.EDU -Password for \PYGZdq{}cn=admin,o=org\PYGZdq{}: -tktpolicy -tmppolicy -userpolicy -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kdb5_ldap_util:see-also}\label{admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-list-policy-end} -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} - - -\section{krb5kdc} -\label{admin/admin_commands/krb5kdc::doc}\label{admin/admin_commands/krb5kdc:krb5kdc-8}\label{admin/admin_commands/krb5kdc:krb5kdc} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/krb5kdc:synopsis} -\textbf{krb5kdc} -{[}\textbf{-x} \emph{db\_args}{]} -{[}\textbf{-d} \emph{dbname}{]} -{[}\textbf{-k} \emph{keytype}{]} -{[}\textbf{-M} \emph{mkeyname}{]} -{[}\textbf{-p} \emph{portnum}{]} -{[}\textbf{-m}{]} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-n}{]} -{[}\textbf{-w} \emph{numworkers}{]} -{[}\textbf{-P} \emph{pid\_file}{]} -{[}\textbf{-T} \emph{time\_offset}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/krb5kdc:description} -krb5kdc is the Kerberos version 5 Authentication Service and Key -Distribution Center (AS/KDC). - - -\subsection{OPTIONS} -\label{admin/admin_commands/krb5kdc:options} -The \textbf{-r} \emph{realm} option specifies the realm for which the server -should provide service. - -The \textbf{-d} \emph{dbname} option specifies the name under which the -principal database can be found. This option does not apply to the -LDAP database. - -The \textbf{-k} \emph{keytype} option specifies the key type of the master key -to be entered manually as a password when \textbf{-m} is given; the default -is \code{des-cbc-crc}. - -The \textbf{-M} \emph{mkeyname} option specifies the principal name for the -master key in the database (usually \code{K/M} in the KDC's realm). - -The \textbf{-m} option specifies that the master database password should -be fetched from the keyboard rather than from a stash file. - -The \textbf{-n} option specifies that the KDC does not put itself in the -background and does not disassociate itself from the terminal. In -normal operation, you should always allow the KDC to place itself in -the background. - -The \textbf{-P} \emph{pid\_file} option tells the KDC to write its PID into -\emph{pid\_file} after it starts up. This can be used to identify whether -the KDC is still running and to allow init scripts to stop the correct -process. - -The \textbf{-p} \emph{portnum} option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma-separated list. This value overrides the UDP port numbers -specified in the {\hyperref[admin/conf_files/kdc_conf:kdcdefaults]{\emph{{[}kdcdefaults{]}}}} section of {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, but -may be overridden by realm-specific values. If no value is given from -any source, the default port is 88. - -The \textbf{-w} \emph{numworkers} option tells the KDC to fork \emph{numworkers} -processes to listen to the KDC ports and process requests in parallel. -The top level KDC process (whose pid is recorded in the pid file if -the \textbf{-P} option is also given) acts as a supervisor. The supervisor -will relay SIGHUP signals to the worker subprocesses, and will -terminate the worker subprocess if the it is itself terminated or if -any other worker process exits. - -\begin{notice}{note}{Note:} -On operating systems which do not have \emph{pktinfo} support, -using worker processes will prevent the KDC from listening -for UDP packets on network interfaces created after the KDC -starts. -\end{notice} - -The \textbf{-x} \emph{db\_args} option specifies database-specific arguments. -See {\hyperref[admin/admin_commands/kadmin_local:dboptions]{\emph{Database Options}}} in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} for -supported arguments. - -The \textbf{-T} \emph{offset} option specifies a time offset, in seconds, which -the KDC will operate under. It is intended only for testing purposes. - - -\subsection{EXAMPLE} -\label{admin/admin_commands/krb5kdc:example} -The KDC may service requests for multiple realms (maximum 32 realms). -The realms are listed on the command line. Per-realm options that can -be specified on the command line pertain for each realm that follows -it and are superseded by subsequent definitions of the same option. - -For example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5kdc \PYGZhy{}p 2001 \PYGZhy{}r REALM1 \PYGZhy{}p 2002 \PYGZhy{}r REALM2 \PYGZhy{}r REALM3 -\end{Verbatim} - -specifies that the KDC listen on port 2001 for REALM1 and on port 2002 -for REALM2 and REALM3. Additionally, per-realm parameters may be -specified in the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} file. The location of this file -may be specified by the \textbf{KRB5\_KDC\_PROFILE} environment variable. -Per-realm parameters specified in this file take precedence over -options specified on the command line. See the {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} -description for further details. - - -\subsection{ENVIRONMENT} -\label{admin/admin_commands/krb5kdc:environment} -krb5kdc uses the following environment variables: -\begin{itemize} -\item {} -\textbf{KRB5\_CONFIG} - -\item {} -\textbf{KRB5\_KDC\_PROFILE} - -\end{itemize} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/krb5kdc:see-also} -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}, {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}, -{\hyperref[admin/admin_commands/kdb5_ldap_util:kdb5-ldap-util-8]{\emph{kdb5\_ldap\_util}}} - - -\section{kprop} -\label{admin/admin_commands/kprop:kprop-8}\label{admin/admin_commands/kprop::doc}\label{admin/admin_commands/kprop:kprop} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kprop:synopsis} -\textbf{kprop} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-f} \emph{file}{]} -{[}\textbf{-d}{]} -{[}\textbf{-P} \emph{port}{]} -{[}\textbf{-s} \emph{keytab}{]} -\emph{slave\_host} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kprop:description} -kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by \emph{slave\_host}. The dump file must be created by -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}. - - -\subsection{OPTIONS} -\label{admin/admin_commands/kprop:options}\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the realm of the master server. - -\item[{\textbf{-f} \emph{file}}] \leavevmode -Specifies the filename where the dumped principal database file is -to be found; by default the dumped database file is normally -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans}. - -\item[{\textbf{-P} \emph{port}}] \leavevmode -Specifies the port to use to contact the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} server -on the remote host. - -\item[{\textbf{-d}}] \leavevmode -Prints debugging information. - -\item[{\textbf{-s} \emph{keytab}}] \leavevmode -Specifies the location of the keytab file. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{admin/admin_commands/kprop:environment} -\emph{kprop} uses the following environment variable: -\begin{itemize} -\item {} -\textbf{KRB5\_CONFIG} - -\end{itemize} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kprop:see-also} -{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}} - - -\section{kpropd} -\label{admin/admin_commands/kpropd::doc}\label{admin/admin_commands/kpropd:kpropd}\label{admin/admin_commands/kpropd:kpropd-8} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kpropd:synopsis} -\textbf{kpropd} -{[}\textbf{-r} \emph{realm}{]} -{[}\textbf{-A} \emph{admin\_server}{]} -{[}\textbf{-a} \emph{acl\_file}{]} -{[}\textbf{-f} \emph{slave\_dumpfile}{]} -{[}\textbf{-F} \emph{principal\_database}{]} -{[}\textbf{-p} \emph{kdb5\_util\_prog}{]} -{[}\textbf{-P} \emph{port}{]} -{[}\textbf{-d}{]} -{[}\textbf{-t}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kpropd:description} -The \emph{kpropd} command runs on the slave KDC server. It listens for -update requests made by the {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} program. If incremental -propagation is enabled, it periodically requests incremental updates -from the master KDC. - -When the slave receives a kprop request from the master, kpropd -accepts the dumped KDC database and places it in a file, and then runs -{\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} to load the dumped database into the active -database which is used by {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}. This allows the master -Kerberos server to use {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up-to-date KDC database. - -Where incremental propagation is not used, kpropd is commonly invoked -out of inetd(8) as a nowait service. This is done by adding a line to -the \code{/etc/inetd.conf} file which looks like this: - -\begin{Verbatim}[commandchars=\\\{\}] -kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd -\end{Verbatim} - -kpropd can also run as a standalone daemon, backgrounding itself and -waiting for connections on port 754 (or the port specified with the -\textbf{-P} option if given). Standalone mode is required for incremental -propagation. Starting in release 1.11, kpropd automatically detects -whether it was run from inetd and runs in standalone mode if it is -not. Prior to release 1.11, the \textbf{-S} option is required to run -kpropd in standalone mode; this option is now accepted for backward -compatibility but does nothing. - -Incremental propagation may be enabled with the \textbf{iprop\_enable} -variable in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}}. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the \textbf{iprop\_slave\_poll} variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. {\hyperref[admin/admin_commands/kproplog:kproplog-8]{\emph{kproplog}}} can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal \code{kiprop/slavehostname@REALM} (where -\emph{slavehostname} is the name of the slave KDC host, and \emph{REALM} is the -name of the Kerberos realm) must be present in the slave's keytab -file. - -{\hyperref[admin/admin_commands/kproplog:kproplog-8]{\emph{kproplog}}} can be used to force full replication when iprop is -enabled. - - -\subsection{OPTIONS} -\label{admin/admin_commands/kpropd:options}\begin{description} -\item[{\textbf{-r} \emph{realm}}] \leavevmode -Specifies the realm of the master server. - -\item[{\textbf{-A} \emph{admin\_server}}] \leavevmode -Specifies the server to be contacted for incremental updates; by -default, the master admin server is contacted. - -\item[{\textbf{-f} \emph{file}}] \leavevmode -Specifies the filename where the dumped principal database file is -to be stored; by default the dumped database file is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/from\_master}. - -\item[{\textbf{-p}}] \leavevmode -Allows the user to specify the pathname to the {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} -program; by default the pathname used is {\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kdb5\_util}. - -\item[{\textbf{-d}}] \leavevmode -Turn on debug mode. In this mode, kpropd will not detach -itself from the current job and run in the background. Instead, -it will run in the foreground and print out debugging messages -during the database propagation. - -\item[{\textbf{-t}}] \leavevmode -In standalone mode without incremental propagation, exit after one -dump file is received. In incremental propagation mode, exit as -soon as the database is up to date, or if the master returns an -error. - -\item[{\textbf{-P}}] \leavevmode -Allow for an alternate port number for kpropd to listen on. This -is only useful in combination with the \textbf{-S} option. - -\item[{\textbf{-a} \emph{acl\_file}}] \leavevmode -Allows the user to specify the path to the kpropd.acl file; by -default the path used is {\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl}. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{admin/admin_commands/kpropd:environment} -kpropd uses the following environment variables: -\begin{itemize} -\item {} -\textbf{KRB5\_CONFIG} - -\item {} -\textbf{KRB5\_KDC\_PROFILE} - -\end{itemize} - - -\subsection{FILES} -\label{admin/admin_commands/kpropd:files}\begin{description} -\item[{kpropd.acl}] \leavevmode -Access file for kpropd; the default location is -\code{/usr/local/var/krb5kdc/kpropd.acl}. Each entry is a line -containing the principal of a host from which the local machine -will allow Kerberos database propagation via {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}. - -\end{description} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kpropd:see-also} -{\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}, {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}, inetd(8) - - -\section{kproplog} -\label{admin/admin_commands/kproplog:kproplog}\label{admin/admin_commands/kproplog:kproplog-8}\label{admin/admin_commands/kproplog::doc} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/kproplog:synopsis} -\textbf{kproplog} {[}\textbf{-h}{]} {[}\textbf{-e} \emph{num}{]} {[}-v{]} -\textbf{kproplog} {[}-R{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/kproplog:description} -The kproplog command displays the contents of the KDC database update -log to standard output. It can be used to keep track of incremental -updates to the principal database. The update log file contains the -update log maintained by the {\hyperref[admin/admin_commands/kadmind:kadmind-8]{\emph{kadmind}}} process on the master -KDC server and the {\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned. - -The kproplog command requires read access to the update log file. It -will display update entries only for the KDC it runs on. - -If no options are specified, kproplog displays a summary of the update -log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays -only a summary of the updates, which includes the serial number of the -last update received and the associated time stamp of the last update. - - -\subsection{OPTIONS} -\label{admin/admin_commands/kproplog:options}\begin{description} -\item[{\textbf{-R}}] \leavevmode -Reset the update log. This forces full resynchronization. If used -on a slave then that slave will request a full resync. If used on -the master then all slaves will request full resyncs. - -\item[{\textbf{-h}}] \leavevmode -Display a summary of the update log. This information includes -the database version number, state of the database, the number of -updates in the log, the time stamp of the first and last update, -and the version number of the first and last update entry. - -\item[{\textbf{-e} \emph{num}}] \leavevmode -Display the last \emph{num} update entries in the log. This is useful -when debugging synchronization between KDC servers. - -\item[{\textbf{-v}}] \leavevmode -Display individual attributes per update. An example of the -output generated for one entry: - -\begin{Verbatim}[commandchars=\\\{\}] -Update Entry - Update serial \PYGZsh{} : 4 - Update operation : Add - Update principal : test@EXAMPLE.COM - Update size : 424 - Update committed : True - Update time stamp : Fri Feb 20 23:37:42 2004 - Attributes changed : 6 - Principal - Key data - Password last changed - Modifying principal - Modification time - TL data -\end{Verbatim} - -\end{description} - - -\subsection{ENVIRONMENT} -\label{admin/admin_commands/kproplog:environment} -kproplog uses the following environment variables: -\begin{itemize} -\item {} -\textbf{KRB5\_KDC\_PROFILE} - -\end{itemize} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/kproplog:see-also} -{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} - - -\section{ktutil} -\label{admin/admin_commands/ktutil:ktutil-1}\label{admin/admin_commands/ktutil::doc}\label{admin/admin_commands/ktutil:ktutil} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/ktutil:synopsis} -\textbf{ktutil} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/ktutil:description} -The ktutil command invokes a command interface from which an -administrator can read, write, or edit entries in a keytab or Kerberos -V4 srvtab file. - - -\subsection{COMMANDS} -\label{admin/admin_commands/ktutil:commands} - -\subsubsection{list} -\label{admin/admin_commands/ktutil:list}\begin{quote} - -\textbf{list} -\end{quote} - -Displays the current keylist. - -Alias: \textbf{l} - - -\subsubsection{read\_kt} -\label{admin/admin_commands/ktutil:read-kt}\begin{quote} - -\textbf{read\_kt} \emph{keytab} -\end{quote} - -Read the Kerberos V5 keytab file \emph{keytab} into the current keylist. - -Alias: \textbf{rkt} - - -\subsubsection{read\_st} -\label{admin/admin_commands/ktutil:read-st}\begin{quote} - -\textbf{read\_st} \emph{srvtab} -\end{quote} - -Read the Kerberos V4 srvtab file \emph{srvtab} into the current keylist. - -Alias: \textbf{rst} - - -\subsubsection{write\_kt} -\label{admin/admin_commands/ktutil:write-kt}\begin{quote} - -\textbf{write\_kt} \emph{keytab} -\end{quote} - -Write the current keylist into the Kerberos V5 keytab file \emph{keytab}. - -Alias: \textbf{wkt} - - -\subsubsection{write\_st} -\label{admin/admin_commands/ktutil:write-st}\begin{quote} - -\textbf{write\_st} \emph{srvtab} -\end{quote} - -Write the current keylist into the Kerberos V4 srvtab file \emph{srvtab}. - -Alias: \textbf{wst} - - -\subsubsection{clear\_list} -\label{admin/admin_commands/ktutil:clear-list}\begin{quote} - -\textbf{clear\_list} -\end{quote} - -Clear the current keylist. - -Alias: \textbf{clear} - - -\subsubsection{delete\_entry} -\label{admin/admin_commands/ktutil:delete-entry}\begin{quote} - -\textbf{delete\_entry} \emph{slot} -\end{quote} - -Delete the entry in slot number \emph{slot} from the current keylist. - -Alias: \textbf{delent} - - -\subsubsection{add\_entry} -\label{admin/admin_commands/ktutil:add-entry}\begin{quote} - -\textbf{add\_entry} \{\textbf{-key}\textbar{}\textbf{-password}\} \textbf{-p} \emph{principal} -\textbf{-k} \emph{kvno} \textbf{-e} \emph{enctype} -\end{quote} - -Add \emph{principal} to keylist using key or password. - -Alias: \textbf{addent} - - -\subsubsection{list\_requests} -\label{admin/admin_commands/ktutil:list-requests}\begin{quote} - -\textbf{list\_requests} -\end{quote} - -Displays a listing of available commands. - -Aliases: \textbf{lr}, \textbf{?} - - -\subsubsection{quit} -\label{admin/admin_commands/ktutil:quit}\begin{quote} - -\textbf{quit} -\end{quote} - -Quits ktutil. - -Aliases: \textbf{exit}, \textbf{q} - - -\subsection{EXAMPLE} -\label{admin/admin_commands/ktutil:example}\begin{quote} - -\begin{Verbatim}[commandchars=\\\{\}] -ktutil: add\PYGZus{}entry \PYGZhy{}password \PYGZhy{}p alice@BLEEP.COM \PYGZhy{}k 1 \PYGZhy{}e - aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Password for alice@BLEEP.COM: -ktutil: add\PYGZus{}entry \PYGZhy{}password \PYGZhy{}p alice@BLEEP.COM \PYGZhy{}k 1 \PYGZhy{}e - aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Password for alice@BLEEP.COM: -ktutil: write\PYGZus{}kt keytab -ktutil: -\end{Verbatim} -\end{quote} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/ktutil:see-also} -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}} - - -\section{k5srvutil} -\label{admin/admin_commands/k5srvutil:k5srvutil-1}\label{admin/admin_commands/k5srvutil::doc}\label{admin/admin_commands/k5srvutil:k5srvutil} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/k5srvutil:synopsis} -\textbf{k5srvutil} \emph{operation} -{[}\textbf{-i}{]} -{[}\textbf{-f} \emph{filename}{]} -{[}\textbf{-e} \emph{keysalts}{]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/k5srvutil:description} -k5srvutil allows an administrator to list keys currently in -a keytab, to obtain new keys for a principal currently in a keytab, -or to delete non-current keys from a keytab. - -\emph{operation} must be one of the following: -\begin{description} -\item[{\textbf{list}}] \leavevmode -Lists the keys in a keytab, showing version number and principal -name. - -\item[{\textbf{change}}] \leavevmode -Uses the kadmin protocol to update the keys in the Kerberos -database to new randomly-generated keys, and updates the keys in -the keytab to match. If a key's version number doesn't match the -version number stored in the Kerberos server's database, then the -operation will fail. If the \textbf{-i} flag is given, k5srvutil will -prompt for confirmation before changing each key. If the \textbf{-k} -option is given, the old and new keys will be displayed. -Ordinarily, keys will be generated with the default encryption -types and key salts. This can be overridden with the \textbf{-e} -option. Old keys are retained in the keytab so that existing -tickets continue to work, but \textbf{delold} should be used after -such tickets expire, to prevent attacks against the old keys. - -\item[{\textbf{delold}}] \leavevmode -Deletes keys that are not the most recent version from the keytab. -This operation should be used some time after a change operation -to remove old keys, after existing tickets issued for the service -have expired. If the \textbf{-i} flag is given, then k5srvutil will -prompt for confirmation for each principal. - -\item[{\textbf{delete}}] \leavevmode -Deletes particular keys in the keytab, interactively prompting for -each key. - -\end{description} - -In all cases, the default keytab is used unless this is overridden by -the \textbf{-f} option. - -k5srvutil uses the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program to edit the keytab in -place. - - -\subsection{SEE ALSO} -\label{admin/admin_commands/k5srvutil:see-also} -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, {\hyperref[admin/admin_commands/ktutil:ktutil-1]{\emph{ktutil}}} - - -\section{sserver} -\label{admin/admin_commands/sserver:sserver-8}\label{admin/admin_commands/sserver::doc}\label{admin/admin_commands/sserver:sserver} - -\subsection{SYNOPSIS} -\label{admin/admin_commands/sserver:synopsis} -\textbf{sserver} -{[} \textbf{-p} \emph{port} {]} -{[} \textbf{-S} \emph{keytab} {]} -{[} \emph{server\_port} {]} - - -\subsection{DESCRIPTION} -\label{admin/admin_commands/sserver:description} -sserver and \emph{sclient(1)} are a simple demonstration client/server -application. When sclient connects to sserver, it performs a Kerberos -authentication, and then sserver returns to sclient the Kerberos -principal which was used for the Kerberos authentication. It makes a -good test that Kerberos has been successfully installed on a machine. - -The service name used by sserver and sclient is sample. Hence, -sserver will require that there be a keytab entry for the service -\code{sample/hostname.domain.name@REALM.NAME}. This keytab is generated -using the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} program. The keytab file is usually -installed as {\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}}. - -The \textbf{-S} option allows for a different keytab than the default. - -sserver is normally invoked out of inetd(8), using a line in -\code{/etc/inetd.conf} that looks like this: - -\begin{Verbatim}[commandchars=\\\{\}] -sample stream tcp nowait root /usr/local/sbin/sserver sserver -\end{Verbatim} - -Since \code{sample} is normally not a port defined in \code{/etc/services}, -you will usually have to add a line to \code{/etc/services} which looks -like this: - -\begin{Verbatim}[commandchars=\\\{\}] -sample 13135/tcp -\end{Verbatim} - -When using sclient, you will first have to have an entry in the -Kerberos database, by using {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, and then you have to get -Kerberos tickets, by using \emph{kinit(1)}. Also, if you are running -the sclient program on a different host than the sserver it will be -connecting to, be sure that both hosts have an entry in /etc/services -for the sample tcp port, and that the same port number is in both -files. - -When you run sclient you should see something like this: - -\begin{Verbatim}[commandchars=\\\{\}] -sendauth succeeded, reply is: -reply len 32, contents: -You are nlgilman@JIMI.MIT.EDU -\end{Verbatim} - - -\subsection{COMMON ERROR MESSAGES} -\label{admin/admin_commands/sserver:common-error-messages}\begin{enumerate} -\item {} -kinit returns the error: - -\begin{Verbatim}[commandchars=\\\{\}] -kinit: Client not found in Kerberos database while getting - initial credentials -\end{Verbatim} - -This means that you didn't create an entry for your username in the -Kerberos database. - -\item {} -sclient returns the error: - -\begin{Verbatim}[commandchars=\\\{\}] -unknown service sample/tcp; check /etc/services -\end{Verbatim} - -This means that you don't have an entry in /etc/services for the -sample tcp port. - -\item {} -sclient returns the error: - -\begin{Verbatim}[commandchars=\\\{\}] -connect: Connection refused -\end{Verbatim} - -This probably means you didn't edit /etc/inetd.conf correctly, or -you didn't restart inetd after editing inetd.conf. - -\item {} -sclient returns the error: - -\begin{Verbatim}[commandchars=\\\{\}] -sclient: Server not found in Kerberos database while using - sendauth -\end{Verbatim} - -This means that the \code{sample/hostname@LOCAL.REALM} service was not -defined in the Kerberos database; it should be created using -{\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}, and a keytab file needs to be generated to make -the key for that service principal available for sclient. - -\item {} -sclient returns the error: - -\begin{Verbatim}[commandchars=\\\{\}] -sendauth rejected, error reply is: - \PYGZdq{}No such file or directory\PYGZdq{} -\end{Verbatim} - -This probably means sserver couldn't find the keytab file. It was -probably not installed in the proper directory. - -\end{enumerate} - - -\subsection{SEE ALSO} -\label{admin/admin_commands/sserver:see-also} -\emph{sclient(1)}, services(5), inetd(8) - - -\chapter{MIT Kerberos defaults} -\label{mitK5defaults:mitk5defaults}\label{mitK5defaults::doc}\label{mitK5defaults:mit-kerberos-defaults} - -\section{General defaults} -\label{mitK5defaults:general-defaults} -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline -\textsf{\relax -Description -} & \textsf{\relax -Default -} & \textsf{\relax -Environment -}\\ -\hline -\emph{keytab\_definition} file - & -{\hyperref[mitK5defaults:paths]{\emph{DEFKTNAME}}} - & -\textbf{KRB5\_KTNAME} -\\ -\hline -Client \emph{keytab\_definition} file - & -{\hyperref[mitK5defaults:paths]{\emph{DEFCKTNAME}}} - & -\textbf{KRB5\_CLIENT\_KTNAME} -\\ -\hline -Kerberos config file {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} - & -\code{/etc/krb5.conf}\code{:}{\hyperref[mitK5defaults:paths]{\emph{SYSCONFDIR}}}\code{/krb5.conf} - & -\textbf{KRB5\_CONFIG} -\\ -\hline -KDC config file {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kdc.conf} - & -\textbf{KRB5\_KDC\_PROFILE} -\\ -\hline -KDC database path (DB2) - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/principal} - & \\ -\hline -Master key \emph{stash\_definition} - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/.k5.}\emph{realm} - & \\ -\hline -Admin server ACL file {\hyperref[admin/conf_files/kadm5_acl:kadm5-acl-5]{\emph{kadm5.acl}}} - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kadm5.acl} - & \\ -\hline -OTP socket directory - & -{\hyperref[mitK5defaults:paths]{\emph{RUNSTATEDIR}}}\code{/krb5kdc} - & \\ -\hline -Plugin base directory - & -{\hyperref[mitK5defaults:paths]{\emph{LIBDIR}}}\code{/krb5/plugins} - & \\ -\hline -\emph{rcache\_definition} directory - & -\code{/var/tmp} - & -\textbf{KRB5RCACHEDIR} -\\ -\hline -Master key default enctype - & -\code{aes256-cts-hmac-sha1-96} - & \\ -\hline -Default {\hyperref[admin/conf_files/kdc_conf:keysalt-lists]{\emph{keysalt list}}} - & -\code{aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal des3-cbc-sha1:normal arcfour-hmac-md5:normal} - & \\ -\hline -Permitted enctypes - & -\code{aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes128-cts-hmac-sha256-128 aes256-cts-hmac-sha384-192 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac des-cbc-crc des-cbc-md5 des-cbc-md4} - & \\ -\hline -KDC default port - & -88 - & \\ -\hline -Admin server port - & -749 - & \\ -\hline -Password change port - & -464 - & \\ -\hline\end{tabulary} - - - -\section{Slave KDC propagation defaults} -\label{mitK5defaults:slave-kdc-propagation-defaults} -This table shows defaults used by the {\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} and -{\hyperref[admin/admin_commands/kpropd:kpropd-8]{\emph{kpropd}}} programs. - -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline -\textsf{\relax -Description -} & \textsf{\relax -Default -} & \textsf{\relax -Environment -}\\ -\hline -kprop database dump file - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/slave\_datatrans} - & \\ -\hline -kpropd temporary dump file - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/from\_master} - & \\ -\hline -kdb5\_util location - & -{\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kdb5\_util} - & \\ -\hline -kprop location - & -{\hyperref[mitK5defaults:paths]{\emph{SBINDIR}}}\code{/kprop} - & \\ -\hline -kpropd ACL file - & -{\hyperref[mitK5defaults:paths]{\emph{LOCALSTATEDIR}}}\code{/krb5kdc}\code{/kpropd.acl} - & \\ -\hline -kprop port - & -754 - & -KPROP\_PORT -\\ -\hline\end{tabulary} - - - -\section{Default paths for Unix-like systems} -\label{mitK5defaults:paths}\label{mitK5defaults:default-paths-for-unix-like-systems} -On Unix-like systems, some paths used by MIT krb5 depend on parameters -chosen at build time. For a custom build, these paths default to -subdirectories of \code{/usr/local}. When MIT krb5 is integrated into an -operating system, the paths are generally chosen to match the -operating system's filesystem layout. - -\begin{tabulary}{\linewidth}{|L|L|L|L|} -\hline -\textsf{\relax -Description -} & \textsf{\relax -Symbolic name -} & \textsf{\relax -Custom build path -} & \textsf{\relax -Typical OS path -}\\ -\hline -User programs - & -BINDIR - & -\code{/usr/local/bin} - & -\code{/usr/bin} -\\ -\hline -Libraries and plugins - & -LIBDIR - & -\code{/usr/local/lib} - & -\code{/usr/lib} -\\ -\hline -Parent of KDC state dir - & -LOCALSTATEDIR - & -\code{/usr/local/var} - & -\code{/var} -\\ -\hline -Parent of KDC runtime dir - & -RUNSTATEDIR - & -\code{/usr/local/var/run} - & -\code{/run} -\\ -\hline -Administrative programs - & -SBINDIR - & -\code{/usr/local/sbin} - & -\code{/usr/sbin} -\\ -\hline -Alternate krb5.conf dir - & -SYSCONFDIR - & -\code{/usr/local/etc} - & -\code{/etc} -\\ -\hline -Default ccache name - & -DEFCCNAME - & -\code{FILE:/tmp/krb5cc\_\%\{uid\}} - & -\code{FILE:/tmp/krb5cc\_\%\{uid\}} -\\ -\hline -Default keytab name - & -DEFKTNAME - & -\code{FILE:/etc/krb5.keytab} - & -\code{FILE:/etc/krb5.keytab} -\\ -\hline\end{tabulary} - - -The default client keytab name (DEFCKTNAME) typically defaults to -\code{FILE:/usr/local/var/krb5/user/\%\{euid\}/client.keytab} for a custom -build. A native build will typically use a path which will vary -according to the operating system's layout of \code{/var}. - - -\chapter{Environment variables} -\label{admin/env_variables:environment-variables}\label{admin/env_variables::doc} -The following environment variables can be used during runtime: -\begin{description} -\item[{\textbf{KRB5\_CONFIG}}] \leavevmode -Main Kerberos configuration file. Multiple filenames can be -specified, separated by a colon; all files which are present will -be read. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default path.) - -\item[{\textbf{KRB5\_KDC\_PROFILE}}] \leavevmode -KDC configuration file. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the default -name.) - -\item[{\textbf{KRB5\_KTNAME}}] \leavevmode -Default keytab file name. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the -default name.) - -\item[{\textbf{KRB5\_CLIENT\_KTNAME}}] \leavevmode -Default client keytab file name. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for -the default name.) - -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Default name for the credentials cache file, in the form \emph{type}:\emph{residual}. The type of the default cache may determine the -availability of a cache collection. For instance, a default cache -of type \code{DIR} causes caches within the directory to be present -in the global cache collection. - -\item[{\textbf{KRB5RCACHETYPE}}] \leavevmode -Default replay cache type. Defaults to \code{dfl}. A value of -\code{none} disables the replay cache. - -\item[{\textbf{KRB5RCACHEDIR}}] \leavevmode -Default replay cache directory. (See {\hyperref[mitK5defaults:mitk5defaults]{\emph{MIT Kerberos defaults}}} for the -default location.) - -\item[{\textbf{KPROP\_PORT}}] \leavevmode -{\hyperref[admin/admin_commands/kprop:kprop-8]{\emph{kprop}}} port to use. Defaults to 754. - -\item[{\textbf{KRB5\_TRACE}}] \leavevmode -Filename for trace-logging output (introduced in release 1.9). -For example, \code{env KRB5\_TRACE=/dev/stdout kinit} would send -tracing information for kinit to \code{/dev/stdout}. Some programs -may ignore this variable (particularly setuid or login system -programs). - -\end{description} - - -\chapter{Troubleshooting} -\label{admin/troubleshoot:troubleshoot}\label{admin/troubleshoot::doc}\label{admin/troubleshoot:troubleshooting} - -\section{Trace logging} -\label{admin/troubleshoot:trace-logging}\label{admin/troubleshoot:id1} -Most programs using MIT krb5 1.9 or later can be made to provide -information about internal krb5 library operations using trace -logging. To enable this, set the \textbf{KRB5\_TRACE} environment variable -to a filename before running the program. On many operating systems, -the filename \code{/dev/stdout} can be used to send trace logging output -to standard output. - -Some programs do not honor \textbf{KRB5\_TRACE}, either because they use -secure library contexts (this generally applies to setuid programs and -parts of the login system) or because they take direct control of the -trace logging system using the API. - -Here is a short example showing trace logging output for an invocation -of the \emph{kvno(1)} command: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} env KRB5\PYGZus{}TRACE=/dev/stdout kvno krbtgt/KRBTEST.COM -[9138] 1332348778.823276: Getting credentials user@KRBTEST.COM \PYGZhy{}\PYGZgt{} - krbtgt/KRBTEST.COM@KRBTEST.COM using ccache - FILE:/me/krb5/build/testdir/ccache -[9138] 1332348778.823381: Retrieving user@KRBTEST.COM \PYGZhy{}\PYGZgt{} - krbtgt/KRBTEST.COM@KRBTEST.COM from - FILE:/me/krb5/build/testdir/ccache with result: 0/Unknown code 0 -krbtgt/KRBTEST.COM@KRBTEST.COM: kvno = 1 -\end{Verbatim} - - -\section{List of errors} -\label{admin/troubleshoot:list-of-errors} - -\subsection{Frequently seen errors} -\label{admin/troubleshoot:frequently-seen-errors}\begin{enumerate} -\item {} -{\hyperref[admin/troubleshoot:init-creds-etype-nosupp]{\emph{KDC has no support for encryption type while getting initial credentials}}} - -\item {} -{\hyperref[admin/troubleshoot:cert-chain-etype-nosupp]{\emph{credential verification failed: KDC has no support for encryption type}}} - -\item {} -{\hyperref[admin/troubleshoot:err-cert-chain-cert-expired]{\emph{Cannot create cert chain: certificate has expired}}} - -\end{enumerate} - - -\subsection{Errors seen by admins} -\label{admin/troubleshoot:errors-seen-by-admins}\phantomsection\label{admin/troubleshoot:prop-failed-start}\begin{enumerate} -\item {} -{\hyperref[admin/troubleshoot:kprop-no-route]{\emph{kprop: No route to host while connecting to server}}} - -\item {} -{\hyperref[admin/troubleshoot:kprop-con-refused]{\emph{kprop: Connection refused while connecting to server}}} - -\item {} -{\hyperref[admin/troubleshoot:kprop-sendauth-exchange]{\emph{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server}}} - -\end{enumerate} -\phantomsection\label{admin/troubleshoot:prop-failed-end} - -\bigskip\hrule{}\bigskip - - - -\subsubsection{KDC has no support for encryption type while getting initial credentials} -\label{admin/troubleshoot:kdc-has-no-support-for-encryption-type-while-getting-initial-credentials}\label{admin/troubleshoot:init-creds-etype-nosupp} - -\subsubsection{credential verification failed: KDC has no support for encryption type} -\label{admin/troubleshoot:credential-verification-failed-kdc-has-no-support-for-encryption-type}\label{admin/troubleshoot:cert-chain-etype-nosupp} -This most commonly happens when trying to use a principal with only -DES keys, in a release (MIT krb5 1.7 or later) which disables DES by -default. DES encryption is considered weak due to its inadequate key -size. If you cannot migrate away from its use, you can re-enable DES -by adding \code{allow\_weak\_crypto = true} to the {\hyperref[admin/conf_files/krb5_conf:libdefaults]{\emph{{[}libdefaults{]}}}} -section of {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}}. - - -\subsubsection{Cannot create cert chain: certificate has expired} -\label{admin/troubleshoot:cannot-create-cert-chain-certificate-has-expired}\label{admin/troubleshoot:err-cert-chain-cert-expired} -This error message indicates that PKINIT authentication failed because -the client certificate, KDC certificate, or one of the certificates in -the signing chain above them has expired. - -If the KDC certificate has expired, this message appears in the KDC -log file, and the client will receive a ``Preauthentication failed'' -error. (Prior to release 1.11, the KDC log file message erroneously -appears as ``Out of memory''. Prior to release 1.12, the client will -receive a ``Generic error''.) - -If the client or a signing certificate has expired, this message may -appear in {\hyperref[admin/troubleshoot:trace-logging]{trace\_logging}} output from \emph{kinit(1)} or, starting in -release 1.12, as an error message from kinit or another program which -gets initial tickets. The error message is more likely to appear -properly on the client if the principal entry has no long-term keys. - - -\subsubsection{kprop: No route to host while connecting to server} -\label{admin/troubleshoot:kprop-no-route}\label{admin/troubleshoot:kprop-no-route-to-host-while-connecting-to-server} -Make sure that the hostname of the slave (as given to kprop) is -correct, and that any firewalls between the master and the slave allow -a connection on port 754. - - -\subsubsection{kprop: Connection refused while connecting to server} -\label{admin/troubleshoot:kprop-connection-refused-while-connecting-to-server}\label{admin/troubleshoot:kprop-con-refused} -If the slave is intended to run kpropd out of inetd, make sure that -inetd is configured to accept krb5\_prop connections. inetd may need -to be restarted or sent a SIGHUP to recognize the new configuration. -If the slave is intended to run kpropd in standalone mode, make sure -that it is running. - - -\subsubsection{kprop: Server rejected authentication (during sendauth exchange) while authenticating to server} -\label{admin/troubleshoot:kprop-sendauth-exchange}\label{admin/troubleshoot:kprop-server-rejected-authentication-during-sendauth-exchange-while-authenticating-to-server} -Make sure that: -\begin{enumerate} -\item {} -The time is synchronized between the master and slave KDCs. - -\item {} -The master stash file was copied from the master to the expected -location on the slave. - -\item {} -The slave has a keytab file in the default location containing a -\code{host} principal for the slave's hostname. - -\end{enumerate} - - -\chapter{Advanced topics} -\label{admin/advanced/index:advanced-topics}\label{admin/advanced/index::doc} - -\section{LDAP backend on Ubuntu 10.4 (lucid)} -\label{admin/advanced/ldapbackend:ldap-backend-on-ubuntu-10-4-lucid}\label{admin/advanced/ldapbackend::doc}\label{admin/advanced/ldapbackend:ldap-be-ubuntu} -Setting up Kerberos v1.9 with LDAP backend on Ubuntu 10.4 (Lucid Lynx) - - -\subsection{Prerequisites} -\label{admin/advanced/ldapbackend:prerequisites} -Install the following packages: \emph{slapd, ldap-utils} and \emph{libldap2-dev} - -You can install the necessary packages with these commands: - -\begin{Verbatim}[commandchars=\\\{\}] -sudo apt\PYGZhy{}get install slapd -sudo apt\PYGZhy{}get install ldap\PYGZhy{}utils -sudo apt\PYGZhy{}get install libldap2\PYGZhy{}dev -\end{Verbatim} - -Extend the user schema using schemas from standart OpenLDAP -distribution: \emph{cosine, mics, nis, inetcomperson} - -\begin{Verbatim}[commandchars=\\\{\}] -ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/cosine.ldif -ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/mics.ldif -ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/nis.ldif -ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /etc/ldap/schema/inetcomperson.ldif -\end{Verbatim} - - -\subsection{Building Kerberos from source} -\label{admin/advanced/ldapbackend:building-kerberos-from-source} -\begin{Verbatim}[commandchars=\\\{\}] -./configure \PYGZhy{}\PYGZhy{}with\PYGZhy{}ldap -make -sudo make install -\end{Verbatim} - - -\subsection{Setting up Kerberos} -\label{admin/advanced/ldapbackend:setting-up-kerberos} - -\subsubsection{Configuration} -\label{admin/advanced/ldapbackend:configuration} -Update kdc.conf with the LDAP back-end information: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - EXAMPLE.COM = \PYGZob{} - database\PYGZus{}module = LDAP - \PYGZcb{} - -[dbmodules] - LDAP = \PYGZob{} - db\PYGZus{}library = kldap - ldap\PYGZus{}kerberos\PYGZus{}container\PYGZus{}dn = cn=krbContainer,dc=example,dc=com - ldap\PYGZus{}kdc\PYGZus{}dn = cn=admin,dc=example,dc=com - ldap\PYGZus{}kadmind\PYGZus{}dn = cn=admin,dc=example,dc=com - ldap\PYGZus{}service\PYGZus{}password\PYGZus{}file = /usr/local/var/krb5kdc/admin.stash - ldap\PYGZus{}servers = ldapi:/// - \PYGZcb{} -\end{Verbatim} - - -\subsubsection{Schema} -\label{admin/advanced/ldapbackend:schema} -From the source tree copy -\code{src/plugins/kdb/ldap/libkdb\_ldap/kerberos.schema} into -\code{/etc/ldap/schema} - -Warning: this step should be done after slapd is installed to avoid -problems with slapd installation. - -To convert kerberos.schema to run-time configuration (\code{cn=config}) -do the following: -\begin{enumerate} -\item {} -Create a temporary file \code{/tmp/schema\_convert.conf} with the -following content: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{include} \PYG{o}{/}\PYG{n}{etc}\PYG{o}{/}\PYG{n}{ldap}\PYG{o}{/}\PYG{n}{schema}\PYG{o}{/}\PYG{n}{kerberos}\PYG{o}{.}\PYG{n}{schema} -\end{Verbatim} - -\item {} -Create a temporary directory \code{/tmp/krb5\_ldif}. - -\item {} -Run: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{slaptest} \PYG{o}{\PYGZhy{}}\PYG{n}{f} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{schema\PYGZus{}convert}\PYG{o}{.}\PYG{n}{conf} \PYG{o}{\PYGZhy{}}\PYG{n}{F} \PYG{o}{/}\PYG{n}{tmp}\PYG{o}{/}\PYG{n}{krb5\PYGZus{}ldif} -\end{Verbatim} - -This should in a new file named -\code{/tmp/krb5\_ldif/cn=config/cn=schema/cn=\{0\}kerberos.ldif}. - -\item {} -Edit \code{/tmp/krb5\_ldif/cn=config/cn=schema/cn=\{0\}kerberos.ldif} by -replacing the lines: - -\begin{Verbatim}[commandchars=\\\{\}] -dn: cn=\PYGZob{}0\PYGZcb{}kerberos -cn: \PYGZob{}0\PYGZcb{}kerberos -\end{Verbatim} - -with -\begin{quote} - -dn: cn=kerberos,cn=schema,cn=config -cn: kerberos -\end{quote} - -Also, remove following attribute-value pairs: - -\begin{Verbatim}[commandchars=\\\{\}] -structuralObjectClass: olcSchemaConfig -entryUUID: ... -creatorsName: cn=config -createTimestamp: ... -entryCSN: ... -modifiersName: cn=config -modifyTimestamp: ... -\end{Verbatim} - -\item {} -Load the new schema with ldapadd (with the proper authentication): - -\begin{Verbatim}[commandchars=\\\{\}] -ldapadd \PYGZhy{}Y EXTERNAL \PYGZhy{}H ldapi:/// \PYGZhy{}f /tmp/krb5\PYGZus{}ldif/cn=config/cn=schema/cn=\PYGZob{}0\PYGZcb{}kerberos.ldif -\end{Verbatim} - -which should result the message \code{adding new entry -"cn=kerberos,cn=schema,cn=config"}. - -\end{enumerate} - - -\subsection{Create Kerberos database} -\label{admin/advanced/ldapbackend:create-kerberos-database} -Using LDAP administrator credentials, create Kerberos database and -master key stash: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// create \PYGZhy{}s -\end{Verbatim} - -Stash the LDAP administrative passwords: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// stashsrvpw cn=admin,dc=example,dc=com -\end{Verbatim} - -Start {\hyperref[admin/admin_commands/krb5kdc:krb5kdc-8]{\emph{krb5kdc}}}: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{krb5kdc} -\end{Verbatim} - -To destroy database run: - -\begin{Verbatim}[commandchars=\\\{\}] -kdb5\PYGZus{}ldap\PYGZus{}util \PYGZhy{}D cn=admin,dc=example,dc=com \PYGZhy{}H ldapi:/// destroy \PYGZhy{}f -\end{Verbatim} - - -\subsection{Useful references} -\label{admin/advanced/ldapbackend:useful-references}\begin{itemize} -\item {} -\href{https://help.ubuntu.com/10.04/serverguide/C/kerberos-ldap.html}{Kerberos and LDAP} - -\end{itemize} - - -\section{Retiring DES} -\label{admin/advanced/retiring-des:retiring-des}\label{admin/advanced/retiring-des::doc}\label{admin/advanced/retiring-des:id1} -Version 5 of the Kerberos protocol was originally implemented using -the Data Encryption Standard (DES) as a block cipher for encryption. -While it was considered secure at the time, advancements in computational -ability have rendered DES vulnerable to brute force attacks on its 56-bit -keyspace. As such, it is now considered insecure and should not be -used (\index{RFC!RFC 6649}\href{http://tools.ietf.org/html/rfc6649.html}{\textbf{RFC 6649}}). - - -\subsection{History} -\label{admin/advanced/retiring-des:history} -DES was used in the original Kerberos implementation, and was the -only cryptosystem in krb5 1.0. Partial support for triple-DES (3DES) was -added in version 1.1, with full support following in version 1.2. -The Advanced Encryption Standard (AES), which supersedes DES, gained -partial support in version 1.3.0 of krb5 and full support in version 1.3.2. -However, deployments of krb5 using Kerberos databases created with older -versions of krb5 will not necessarily start using strong crypto for -ordinary operation without administrator intervention. - - -\subsection{Types of keys} -\label{admin/advanced/retiring-des:types-of-keys}\begin{itemize} -\item {} -The database master key: This key is not exposed to user requests, -but is used to encrypt other key material stored in the kerberos -database. The database master key is currently stored as \code{K/M} -by default. - -\item {} -Password-derived keys: User principals frequently have keys -derived from a password. When a new password is set, the KDC -uses various string2key functions to generate keys in the database -for that principal. - -\item {} -Keytab keys: Application server principals generally use random -keys which are not derived from a password. When the database -entry is created, the KDC generates random keys of various enctypes -to enter in the database, which are conveyed to the application server -and stored in a keytab. - -\item {} -Session keys: These are short-term keys generated by the KDC while -processing client requests, with an enctype selected by the KDC. - -\end{itemize} - -For details on the various enctypes and how enctypes are selected by the KDC -for session keys and client/server long-term keys, see {\hyperref[admin/enctypes:enctypes]{\emph{Encryption types}}}. -When using the {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} interface to generate new long-term keys, -the \textbf{-e} argument can be used to force a particular set of enctypes, -overriding the KDC default values. - -\begin{notice}{note}{Note:} -When the KDC is selecting a session key, it has no knowledge about the -kerberos installation on the server which will receive the service ticket, -only what keys are in the database for the service principal. -In order to allow uninterrupted operation to -clients while migrating away from DES, care must be taken to ensure that -kerberos installations on application server machines are configured to -support newer encryption types before keys of those new encryption types -are created in the Kerberos database for those server principals. -\end{notice} - - -\subsection{Upgrade procedure} -\label{admin/advanced/retiring-des:upgrade-procedure} -This procedure assumes that the KDC software has already been upgraded -to a modern version of krb5 that supports non-DES keys, so that the -only remaining task is to update the actual keys used to service requests. -The realm used for demonstrating this procedure, ZONE.MIT.EDU, -is an example of the worst-case scenario, where all keys in the realm -are DES. The realm was initially created with a very old version of krb5, -and \textbf{supported\_enctypes} in {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} was set to a value -appropriate when the KDC was installed, but was not updated as the KDC -was upgraded: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ZONE.MIT.EDU = \PYGZob{} - [...] - master\PYGZus{}key\PYGZus{}type = des\PYGZhy{}cbc\PYGZhy{}crc - supported\PYGZus{}enctypes = des\PYGZhy{}cbc\PYGZhy{}crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 - \PYGZcb{} -\end{Verbatim} - -This resulted in the keys for all principals in the realm being forced -to DES-only, unless specifically requested using {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}}. - -Before starting the upgrade, all KDCs were running krb5 1.11, -and the database entries for some ``high-value'' principals were: - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{} -[...] -Number of keys: 1 -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 -[...] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/admin\PYGZsq{} -[...] -Number of keys: 1 -Key: vno 15, des\PYGZhy{}cbc\PYGZhy{}crc -[...] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc kadmin/changepw\PYGZsq{} -[...] -Number of keys: 1 -Key: vno 14, des\PYGZhy{}cbc\PYGZhy{}crc -[...] -\end{Verbatim} - -The \code{krbtgt/REALM} key appears to have never been changed since creation -(its kvno is 1), and all three database entries have only a des-cbc-crc key. - - -\subsubsection{The krbtgt key and KDC keys} -\label{admin/advanced/retiring-des:the-krbtgt-key-and-kdc-keys} -Perhaps the biggest single-step improvement in the security of the cell -is gained by strengthening the key of the ticket-granting service principal, -\code{krbtgt/REALM}---if this principal's key is compromised, so is the -entire realm. Since the server that will handle service tickets -for this principal is the KDC itself, it is easy to guarantee that it -will be configured to support any encryption types which might be -selected. However, the default KDC behavior when creating new keys is to -remove the old keys, which would invalidate all existing tickets issued -against that principal, rendering the TGTs cached by clients useless. -Instead, a new key can be created with the old key retained, so that -existing tickets will still function until their scheduled expiry -(see {\hyperref[admin/database:changing-krbtgt-key]{\emph{Changing the krbtgt key}}}). - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} -\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}hmac\PYGZhy{}sha1:normal,des\PYGZhy{}cbc\PYGZhy{}crc:normal -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} -\PYGZgt{} \PYGZhy{}keepold krbtgt/ZONE.MIT.EDU\PYGZdq{} -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} randomized. -\end{Verbatim} - -\begin{notice}{note}{Note:} -The new \code{krbtgt@REALM} key should be propagated to slave KDCs -immediately so that TGTs issued by the master KDC can be used to -issue service tickets on slave KDCs. Slave KDCs will refuse requests -using the new TGT kvno until the new krbtgt entry has been propagated -to them. -\end{notice} - -It is necessary to explicitly specify the enctypes for the new database -entry, since \textbf{supported\_enctypes} has not been changed. Leaving -\textbf{supported\_enctypes} unchanged makes a potential rollback operation -easier, since all new keys of new enctypes are the result of explicit -administrator action and can be easily enumerated. -Upgrading the krbtgt key should have minimal user-visible disruption other -than that described in the note above, since only clients which list the -new enctypes as supported will use them, per the procedure -in {\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}}. -Once the krbtgt key is updated, the session and ticket keys for user -TGTs will be strong keys, but subsequent requests -for service tickets will still get DES keys until the service principals -have new keys generated. Application service -remains uninterrupted due to the key-selection procedure on the KDC. - -After the change, the database entry is now: - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc krbtgt/ZONE.MIT.EDU\PYGZsq{} -[...] -Number of keys: 5 -Key: vno 2, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Key: vno 2, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Key: vno 2, des3\PYGZhy{}cbc\PYGZhy{}sha1 -Key: vno 2, des\PYGZhy{}cbc\PYGZhy{}crc -Key: vno 1, des\PYGZhy{}cbc\PYGZhy{}crc:v4 -[...] -\end{Verbatim} - -Since the expected disruptions from rekeying the krbtgt principal are -minor, after a short testing period, it is -appropriate to rekey the other high-value principals, \code{kadmin/admin@REALM} -and \code{kadmin/changepw@REALM}. These are the service principals used for -changing user passwords and updating application keytabs. The kadmin -and password-changing services are regular kerberized services, so the -session-key-selection algorithm described in {\hyperref[admin/enctypes:session-key-selection]{\emph{Session key selection}}} -applies. It is particularly important to have strong session keys for -these services, since user passwords and new long-term keys are conveyed -over the encrypted channel. - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} -\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}hmac\PYGZhy{}sha1:normal -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} -\PYGZgt{} kadmin/admin\PYGZdq{} -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for \PYGZdq{}kadmin/admin@ZONE.MIT.EDU\PYGZdq{} randomized. -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZhy{}randkey \PYGZbs{} -\PYGZgt{} kadmin/changepw\PYGZdq{} -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Key for \PYGZdq{}kadmin/changepw@ZONE.MIT.EDU\PYGZdq{} randomized. -\end{Verbatim} - -It is not necessary to retain a single-DES key for these services, since -password changes are not part of normal daily workflow, and disruption -from a client failure is likely to be minimal. Furthermore, if a kerberos -client experiences failure changing a user password or keytab key, -this indicates that that client will become inoperative once services -are rekeyed to non-DES enctypes. Such problems can be detected early -at this stage, giving more time for corrective action. - - -\subsubsection{Adding strong keys to application servers} -\label{admin/advanced/retiring-des:adding-strong-keys-to-application-servers} -Before switching the default enctypes for new keys over to strong enctypes, -it may be desired to test upgrading a handful of services with the -new configuration before flipping the switch for the defaults. This -still requires using the \textbf{-e} argument in {\hyperref[admin/admin_commands/kadmin_local:kadmin-1]{\emph{kadmin}}} to get non-default -enctypes: - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} enctypes=aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,\PYGZbs{} -\PYGZgt{} aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal,des3\PYGZhy{}cbc\PYGZhy{}sha1:normal,des\PYGZhy{}cbc\PYGZhy{}crc:normal -[root@casio krb5kdc]\PYGZsh{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}p zephyr/zephyr@ZONE.MIT.EDU \PYGZhy{}k \PYGZhy{}t \PYGZbs{} -\PYGZgt{} /etc/zephyr/krb5.keytab \PYGZhy{}q \PYGZdq{}ktadd \PYGZhy{}e \PYGZdl{}\PYGZob{}enctypes\PYGZcb{} \PYGZbs{} -\PYGZgt{} \PYGZhy{}k /etc/zephyr/krb5.keytab zephyr/zephyr@ZONE.MIT.EDU\PYGZdq{} -Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:/etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 4, encryption type des\PYGZhy{}cbc\PYGZhy{}crc added to keytab WRFILE:/etc/zephyr/krb5.keytab. -\end{Verbatim} - -Be sure to remove the old keys from the application keytab, per best -practice. - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} k5srvutil \PYGZhy{}f /etc/zephyr/krb5.keytab delold -Authenticating as principal zephyr/zephyr@ZONE.MIT.EDU with keytab /etc/zephyr/krb5.keytab. -Entry for principal zephyr/zephyr@ZONE.MIT.EDU with kvno 3 removed from keytab WRFILE:/etc/zephyr/krb5.keytab. -\end{Verbatim} - - -\subsubsection{Adding strong keys by default} -\label{admin/advanced/retiring-des:adding-strong-keys-by-default} -Once the high-visibility services have been rekeyed, it is probably -appropriate to change {\hyperref[admin/conf_files/kdc_conf:kdc-conf-5]{\emph{kdc.conf}}} to generate keys with the new -encryption types by default. This enables server administrators to generate -new enctypes with the \textbf{change} subcommand of {\hyperref[admin/admin_commands/k5srvutil:k5srvutil-1]{\emph{k5srvutil}}}, -and causes user password -changes to add new encryption types for their entries. It will probably -be necessary to implement administrative controls to cause all user -principal keys to be updated in a reasonable period of time, whether -by forcing password changes or a password synchronization service that -has access to the current password and can add the new keys. - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ZONE.MIT.EDU = \PYGZob{} - supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal des3\PYGZhy{}cbc\PYGZhy{}sha1:normal des3\PYGZhy{}hmac\PYGZhy{}sha1:normal des\PYGZhy{}cbc\PYGZhy{}crc:normal -\end{Verbatim} - -\begin{notice}{note}{Note:} -The krb5kdc process must be restarted for these changes to take effect. -\end{notice} - -At this point, all service administrators can update their services and the -servers behind them to take advantage of strong cryptography. -If necessary, the server's krb5 installation should be configured and/or -upgraded to a version supporting non-DES keys. See {\hyperref[admin/enctypes:enctypes]{\emph{Encryption types}}} for -krb5 version and configuration settings. -Only when the service is configured to accept non-DES keys should -the key version number be incremented and new keys generated -(\code{k5srvutil change \&\& k5srvutil delold}). - -\begin{Verbatim}[commandchars=\\\{\}] -root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} k5srvutil change -Authenticating as principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. -Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES\PYGZhy{}256 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type AES\PYGZhy{}128 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5.keytab. -Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 3, encryption type DES cbc mode with CRC\PYGZhy{}32 added to keytab WRFILE:/etc/krb5.keytab. -root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} klist \PYGZhy{}e \PYGZhy{}k \PYGZhy{}t /etc/krb5.keytab -Keytab name: WRFILE:/etc/krb5.keytab -KVNO Timestamp Principal -\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} \PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{}\PYGZhy{} - 2 10/10/12 17:03:59 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC\PYGZhy{}32) - 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (AES\PYGZhy{}256 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC) - 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (AES\PYGZhy{}128 CTS mode with 96\PYGZhy{}bit SHA\PYGZhy{}1 HMAC) - 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (Triple DES cbc mode with HMAC/sha1) - 3 12/12/12 15:31:19 host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU (DES cbc mode with CRC\PYGZhy{}32) -root@dr\PYGZhy{}willy:\PYGZti{}\PYGZsh{} k5srvutil delold -Authenticating as principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with keytab /etc/krb5.keytab. -Entry for principal host/dr\PYGZhy{}willy.xvm.mit.edu@ZONE.MIT.EDU with kvno 2 removed from keytab WRFILE:/etc/krb5.keytab. -\end{Verbatim} - -When a single service principal is shared by multiple backend servers in -a load-balanced environment, it may be necessary to schedule downtime -or adjust the population in the load-balanced pool in order to propagate -the updated keytab to all hosts in the pool with minimal service interruption. - - -\subsubsection{Removing DES keys from usage} -\label{admin/advanced/retiring-des:removing-des-keys-from-usage} -This situation remains something of a testing or transitory state, -as new DES keys are still being generated, and will be used if requested -by a client. To make more progress removing DES from the realm, the KDC -should be configured to not generate such keys by default. - -\begin{notice}{note}{Note:} -An attacker posing as a client can implement a brute force attack against -a DES key for any principal, if that key is in the current (highest-kvno) -key list. This attack is only possible if \textbf{allow\_weak\_crypto = true} -is enabled on the KDC. Setting the \textbf{+requires\_preauth} flag on a -principal forces this attack to be an online attack, much slower than -the offline attack otherwise available to the attacker. However, setting -this flag on a service principal is not always advisable; see the entry in -{\hyperref[admin/admin_commands/kadmin_local:add-principal]{\emph{add\_principal}}} for details. -\end{notice} - -The following KDC configuration will not generate DES keys by default: - -\begin{Verbatim}[commandchars=\\\{\}] -[realms] - ZONE.MIT.EDU = \PYGZob{} - supported\PYGZus{}enctypes = aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96:normal des3\PYGZhy{}cbc\PYGZhy{}sha1:normal des3\PYGZhy{}hmac\PYGZhy{}sha1:normal -\end{Verbatim} - -\begin{notice}{note}{Note:} -As before, the KDC process must be restarted for this change to take -effect. It is best practice to update kdc.conf on all KDCs, not just the -master, to avoid unpleasant surprises should the master fail and a slave -need to be promoted. -\end{notice} - -It is now appropriate to remove the legacy single-DES key from the -\code{krbtgt/REALM} entry: - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZdq{}cpw \PYGZhy{}randkey \PYGZhy{}keepold \PYGZbs{} -\PYGZgt{} krbtgt/ZONE.MIT.EDU\PYGZdq{} -Authenticating as principal host/admin@ATHENA.MIT.EDU with password. -Key for \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} randomized. -\end{Verbatim} - -After the maximum ticket lifetime has passed, the old database entry -should be removed. - -\begin{Verbatim}[commandchars=\\\{\}] -[root@casio krb5kdc]\PYGZsh{} kadmin.local \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}purgekeys krbtgt/ZONE.MIT.EDU\PYGZsq{} -Authenticating as principal root/admin@ZONE.MIT.EDU with password. -Old keys for principal \PYGZdq{}krbtgt/ZONE.MIT.EDU@ZONE.MIT.EDU\PYGZdq{} purged. -\end{Verbatim} - -After the KDC is restarted with the new \textbf{supported\_enctypes}, -all user password changes and application keytab updates will not -generate DES keys by default. - -\begin{Verbatim}[commandchars=\\\{\}] -contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kpasswd zonetest@ZONE.MIT.EDU -Password for zonetest@ZONE.MIT.EDU: [enter old password] -Enter new password: [enter new password] -Enter it again: [enter new password] -Password changed. -contents\PYGZhy{}vnder\PYGZhy{}pressvre:\PYGZti{}\PYGZgt{} kadmin \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}q \PYGZsq{}getprinc zonetest\PYGZsq{} -[...] -Number of keys: 3 -Key: vno 9, aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Key: vno 9, aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 -Key: vno 9, des3\PYGZhy{}cbc\PYGZhy{}sha1 -[...] - -[kaduk@glossolalia \PYGZti{}]\PYGZdl{} kadmin \PYGZhy{}p kaduk@ZONE.MIT.EDU \PYGZhy{}r ZONE.MIT.EDU \PYGZhy{}k \PYGZbs{} -\PYGZgt{} \PYGZhy{}t kaduk\PYGZhy{}zone.keytab \PYGZhy{}q \PYGZsq{}ktadd \PYGZhy{}k kaduk\PYGZhy{}zone.keytab kaduk@ZONE.MIT.EDU\PYGZsq{} -Authenticating as principal kaduk@ZONE.MIT.EDU with keytab kaduk\PYGZhy{}zone.keytab. -Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes256\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. -Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type aes128\PYGZhy{}cts\PYGZhy{}hmac\PYGZhy{}sha1\PYGZhy{}96 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. -Entry for principal kaduk@ZONE.MIT.EDU with kvno 3, encryption type des3\PYGZhy{}cbc\PYGZhy{}sha1 added to keytab WRFILE:kaduk\PYGZhy{}zone.keytab. -\end{Verbatim} - -Once all principals have been re-keyed, DES support can be disabled on the -KDC (\textbf{allow\_weak\_crypto = false}), and client machines can remove -\textbf{allow\_weak\_crypto = true} from their {\hyperref[admin/conf_files/krb5_conf:krb5-conf-5]{\emph{krb5.conf}}} configuration -files, completing the migration. \textbf{allow\_weak\_crypto} takes precedence over -all places where DES enctypes could be explicitly configured. DES keys will -not be used, even if they are present, when \textbf{allow\_weak\_crypto = false}. - - -\subsubsection{Support for legacy services} -\label{admin/advanced/retiring-des:support-for-legacy-services} -If there remain legacy services which do not support non-DES enctypes -(such as older versions of AFS), \textbf{allow\_weak\_crypto} must remain -enabled on the KDC. Client machines need not have this setting, -though---applications which require DES can use API calls to allow -weak crypto on a per-request basis, overriding the system krb5.conf. -However, having \textbf{allow\_weak\_crypto} set on the KDC means that any -principals which have a DES key in the database could still use those -keys. To minimize the use of DES in the realm and restrict it to just -legacy services which require DES, it is necessary to remove all other -DES keys. The realm has been configured such that at password and -keytab change, no DES keys will be generated by default. The task -then reduces to requiring user password changes and having server -administrators update their service keytabs. Administrative outreach -will be necessary, and if the desire to eliminate DES is sufficiently -strong, the KDC administrators may choose to randkey any principals -which have not been rekeyed after some timeout period, forcing the -user to contact the helpdesk for access. - - -\subsection{The Database Master Key} -\label{admin/advanced/retiring-des:the-database-master-key} -This procedure does not alter \code{K/M@REALM}, the key used to encrypt key -material in the Kerberos database. (This is the key stored in the stash file -on the KDC if stash files are used.) However, the security risk of -a single-DES key for \code{K/M} is minimal, given that access to material -encrypted in \code{K/M} (the Kerberos database) is generally tightly controlled. -If an attacker can gain access to the encrypted database, they likely -have access to the stash file as well, rendering the weak cryptography -broken by non-cryptographic means. As such, upgrading \code{K/M} to a stronger -encryption type is unlikely to be a high-priority task. - -Is is possible to upgrade the master key used for the database, if -desired. Using {\hyperref[admin/admin_commands/kdb5_util:kdb5-util-8]{\emph{kdb5\_util}}}`s \textbf{add\_mkey}, \textbf{use\_mkey}, and -\textbf{update\_princ\_encryption} commands, a new master key can be added -and activated for use on new key material, and the existing entries -converted to the new master key. - - -\chapter{Various links} -\label{admin/various_envs:various-links}\label{admin/various_envs::doc} - -\section{Whitepapers} -\label{admin/various_envs:whitepapers}\begin{enumerate} -\item {} -\href{http://kerberos.org/software/whitepapers.html}{http://kerberos.org/software/whitepapers.html} - -\end{enumerate} - - -\section{Tutorials} -\label{admin/various_envs:tutorials}\begin{enumerate} -\item {} -Fulvio Ricciardi \textless{}\href{http://www.kerberos.org/software/tutorial.html}{http://www.kerberos.org/software/tutorial.html}\textgreater{}\_ - -\end{enumerate} - - -\section{Troubleshooting} -\label{admin/various_envs:troubleshooting}\begin{enumerate} -\item {} -\href{http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html}{http://www.ncsa.illinois.edu/UserInfo/Resources/Software/kerberos/troubleshooting.html} - -\item {} -\href{http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs\_howto\_v3.pdf}{http://nfsv4.bullopensource.org/doc/kerberosnfs/krbnfs\_howto\_v3.pdf} - -\item {} -\href{http://sysdoc.doors.ch/HP/T1417-90005.pdf}{http://sysdoc.doors.ch/HP/T1417-90005.pdf} - -\item {} -\href{http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html}{http://www.shrubbery.net/solaris9ab/SUNWaadm/SYSADV6/p27.html} - -\item {} -\href{http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html}{http://download.oracle.com/docs/cd/E19253-01/816-4557/trouble-1/index.html} - -\item {} -\href{http://technet.microsoft.com/en-us/library/bb463167.aspx\#EBAA}{http://technet.microsoft.com/en-us/library/bb463167.aspx\#EBAA} - -\item {} -\href{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528}{https://bugs.launchpad.net/ubuntu/+source/libpam-heimdal/+bug/86528} - -\item {} -\href{http://h71000.www7.hp.com/doc/83final/ba548\_90007/ch06s05.html}{http://h71000.www7.hp.com/doc/83final/ba548\_90007/ch06s05.html} - -\end{enumerate} - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/pdf/appdev.pdf b/doc/pdf/appdev.pdf deleted file mode 100644 index 98aafa6ce6de118489f31d26d178ca3612f155fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1445588 zcmce81z1$;*1xn8f>P3h2#Dao6buR?poFA!cS?6jcL*XPDJdY`AcBOXw6t_dhqUy6 zgL*FBwjVT+6*HS; zBX~C}Z;u~7h*mG&B=7w+)=P-8BpX|4Ih-LiQ06kxc&BTX3yg3uXZxHZbybwZMl6zp zC$67xXgk;R@`%yar1+t(!SJhtGHy%`4%so4i#fM>ZuP&l9p>hKJ)3COw~}SrB3rz$ zJ$qY1&8BTX#fEP2_|^M&%jFW-d#{I{>~nvL^vBdJY>AI{+7#tB$0!f7gw$MP+gI`yY@ONS zGv@=xxL*3=cUh8(#{2Z)?XR@uK2gtMZJa9SH%jrW=PNdy&HU;>U5b^KDu3Ajb!KW# zM#!l4Fs9NbZK}kgw#3P*MrF}Ex_|4cx$1sL+{f7Uw-jX}9lgcJI5y8&J<50sE--04 zK-WUQeDU5L0&)%XqU`}JXvkDFS`_{@jaM>?j2h3cD_I0I)>QC4s1L$s66tCUqQ8Q; zf`D-~uq4l2r}Q;AGRBJPx8sXu_X;FqOYPK*Iw$DGEc!~nE`KglJ6OK@f;LX9r73o- zMeJA3*}m!*Q+Z;f!x2dOMx610C;VcB7T`%A1d*5Yq=9A3Ld^LbvK$&-&xt)@51PKu zv(drXdn(c|Ka(CcrB^jp<4mX`appA?eNi|*20#I4IzNN%1#Nh{R72f|fh&G3b=NN6V~8TdZNYB1!oW;cTal$D zy7l1-;gsfwM-5j%vo%_qZ4P-?4q~yAeVKu~xeto2d}Rj&p+~V>X?6OC7uFPAA8aYQ z1}Iwg#cRC){%L>RvX7=_E_O>$CTxqMHKwITLx35}^HVmZC@u>YKPBgt&4NiDY8~dI zS zXOn1>=QHpS>9IfS5h2f1rdQtA5Jl`YnnK_OwIIF&-*}8Fl^2iJ17#(t)@Wh_oa(-6e>k;a@op!kh3%^ZshKoKdMTtSiN?9AA%s>= z!sZKU^IA(Owyvqpcdr8e0z48M`pq-3xwt^A(jZnrGZ`}w>pjqQZ39hnz$d{FCJ^9> z-`|Y*{^slVbZvEw&CCr=^+9%qfHMn9OY=$!GyQlU`(F^X($%&$G&2Q5ekRNLgRHow zi7v?6!Ccqs4^j}e-_nAfWf21VK}^`x(ArSb+RPH9ZKu?EnV18bUA*| z<<-{KH9sM13UGUdAo8~a;b#d#zsE%E>!+*cwYIi2)UvTYLlOE{y7`wF5kFDFC-ut}wK!A*`H1%~sc9xpvCkFQ~y1&;T@+Z1~Xi!)}?tdWr zdp&ZVB@6#Uk0)fsg!w_%W=6WE|1u2tU#anji~VH3@IRDz&rnZK*HYJ1Th|JtrE6`c zt7{4p(ls>E(KJ3)tC+A1NJQ6COV`rO3Ut={;D4pjA0POWVZ;B>=QoEj{-wJhey2p( z&n}JlLx~dRCsttv(gQq3U)Nd%0^=|QJoDswVvhfk6XJLJgn@sO6ygtk3hG*aH+C~q z2NN?Jt6wkScZ!99e-aG)ABvT=0*VtuQy?5_p2n{~OpyJrRQtn2Vc?&9p8XHy%IR7f z>N%Wv=!r0Z$n;B=*?*_WpQ-<$Nl8mXQ*A?YfU1e6siCqQ)Y zrPv?F@>7W6_(QGyW+vvwy4JcNOWp5Q3c7h>g{L2)qiL=Aa~S9NopKRB+YiSd$~Cgo zLi}Xj9KX{e;%7TS{-MWHQm1^KatQ=48*OVF%QGPt`8$OoezpN2DS|; z4}EHR%O$6FC15R0*|>a0ptr()N-S(B^}2-C+=9j0wo<=-;4q(Kpm)>qN2)2VcdM*& zLGdKiIOWPF-l+-}7>eOTC8PQ!pCT9+y`{kSuDrtOc(Kc41RJ$Lx`aRQ4vC8Krkkl2 zx%vVoXfTzx%`1fG9mi=bCwf;?$~R3Ex#Zn_3TAlJmIyP9n=g{N zLg9RC#AY0ve|Sah%ud1N~84>8k>}lDJc%bIB_JpDSaPr_;}hwpv>f+ zW$4oOspy0=EZePJY@Dr}JxmDeq6Z02#Zvob*toKj6K924zW&w^ra1lU+y< z`BdE{hhylkK>UjMl@A|QgOt^s7iz~Nc>UnAB#~);?T|}8(2$7gVQsiS1GRj0y4lr& z)TqWj*A)xQiZ4hkHAmyA3n3Wh2pf7IZtY5u>#-KBzC17NgC6GhXn)m?DrI%EVikN` zl9wF*I{YS;$(C12_>=jDTuD~xD@bPK-20EXaJ?F-G-*Ypt32Q(54Lhh*GIqlaAisn z(%_Jz^{%z-%B@avV%Qp;fi@2A~G;7zj;^_O1v}T(rC5#U5rC!)8`TC6U0B2#rOSEo64Vz>oWqd*{ z;M%ZAsE-pXj4)FDIrKz>AkwQm(&$M>H1f`c*-}WduF|#2g zQN_Nz0X|9>|05Tn=PFk)g+8EK8c6rlXypdi>EP8B&<^^eJ!VHRG{C2XGF z8nfV9zF1o->MHv{3~ezn7vCw5t8J$L!KVYceH)I=sbZCFk4czGflL3(T#5Cu1&Ej*&MbJ{|OLu3J;{c(nn48ZJ$}p%^XL_wU%OD5DHny;KZCC}$VksT4O% zjdL;HfyAVd+)-DV4|67WIYKtHHWf1DuXHwcTMX4(+^(qqB$X~(Vm#E#a`BL66<5Ea zLXF>w+ndB?&*+9Sd@D(m|mQEGNK?X&wh%etDexO13 z=8`c61%51!scuE}a1zN9QXVa$)zF=}CJ@!0cgc-AzZI{J*j%jQoM|M_x!fpeEhViw zgY^yyjhh4Rp6njXJzX!Z6kE4PQoaFUa^M{`?2{;b-A{1)Fvh1WcEpJ^SkFy}VK~M< ze6()Y`GBKtJoiJ@bBlFWh^beVTEdHubxnr25J$+1E4yOixJRiV0riGUo-v6>Wpy~N zBSJ?Q`O`af&v*z#9*eQ;Qp|Yy=p8B_Wgc}7W4r2xc1sVq zZkemcbm*aWHt_iJ!+t4OjH4HO%u$QFRSsE!DM#3g1|QU0kh?~k2I*CT>MstsC#@FD zFr=+K%Q%aRU&lx*2Xb+4Jy)|_NT;7sBE2=8WmHqBA^zm62iIpx;$cQir#Itw(i4<< z<1meso~F4o1n&>iRVBAm@4lQa#pZlTFK{!0uw~feN-O>+H2k+810#TK;DKp=o=|v5qgf zx?^JW^}0R9Qs*~xqAP_`=T)I%>I~hRvQV)q;LaH;Hg>Iha}jt=ER{?K+LjPzh#4jd z8_T*FxBEq`ajq3qGN|>9O*lG|sS~g+Qe4Sh)UBjfn~A6vrmxQF%(2Qd$_vzs>L=KD zn7^?~WFO8^puv;%^1(J8a}JJWgAH$c8MrBW(W7GOEr?WwRHxR4w?u_>+A;@cpjU-3 zPu^kbjqGT(R(L78+UF+~x6Gz{9q4k~DI9D@n=&^9)LwF|FI0re&pt6mvTAa&KD1Or z=1f*Rm3OG!_4gU|Hr9*Mp!CMLO<#_woM2)ebWPb^%z<1%St=NFlv#L}>~+ekVNp!> zmuVk0x)sTXTb|-^3W?Za*b1{xGcgy4 z-2YHlMbLXK=34yzT|>Rs?(ez0Ucal-5U5IA^WRa{+l;77-;r;f%k}r(;bl z+a;U1@vNaR!Tw<9YHjR&CT?b}Dwh`@_nNK5U1(fW{UZ)-D|i~DzZ^CB> zr;`URZToZ_6+Gs5W>=?Lr1dtnU7J%}%5(&(w0!K~9e&Qv>#<~wMtYQ0Q%8cXHHRU_ zZ;nH6?f_38hNxH^)AbJ@H{tE@vwvjk8+v#mJtj+YSP|=MhlWoVzq-tggNPA{L95xd(@bL z%Z(nj7~r)HNvG_K#r-RM%fmZ zBKFI1*3MY=g#fp~1M4Szg(jZx#QYJN?8@Tu72ObLRm?Y z{H5LHNgVq?cJw^C#Ag?^Fj|)GL@=$26MG4@u>l$|2v~BH(UegK(I<$nrTbxT7#4U3EUF^vC8P$TZ7KB0b%=9 zBIEp)#z23=>|l~Y@@$gkv(Rc@v~$|mF(&@34hY-XD*KoE_{PRh3W2bl>~{YXjX>DW z3JOrkHwFOl{6;6=KJrJ)_1|Rolhj~mE$n-5mJ^QrF1Fu0>vHs%Ro7jD#<5-I6^H|9 zbXA1fD4Uo{nRqZ_0ZB_~FD;~nG~OR`ng(AIGEx@qjhgZH@>FEs9bR#Wg6 z@Q!yA&cPj+{KnEnc)(yunU!5=brPz|@)VXQyZV@B097|{Mp1x`oI;*3Eh7}cyn(64 z=ODQ5$|pqm-t$_hgBTlvcTj^g6pTH@@3(WmiP@_tR1v=j+%wSFsXWghcxf_N+lW%w zD6uKS_-#`mUw{2=amMXeEGzxW@rMlE(1v)b?6l9dRPnVestZ@;(ycWZEY%94c3T6B zo2AMR$e_qq`ZI3iv<8%msEZf1iV#{!H%tYwa#;wa`(CWIrhLe}+Ab1WA%f+jy6tp@ zxsNUSDF4J;V{DEqv2%V1Vu3^YkqnlkBp$%mr1kheS zF|!3X=^_7v6-n(RIy)NZn%6V;x6S*Bl7>m^*q^S7%T`94!JCVPnx?cIVyZ*f8mI$~ zWG2{*M?gKgu_kOo$5BY0S^QoX zqGyNAfa0(-hko=#)ORSls!&P#;HnWv|8}bKf>!vP?8jl7hR2Ox62CMHG8S>$zd|uf z?<-4rU@aVq=tgf;y|yCpaGWtq#nbv~u3ZdYcU_d%QZ!#s>1?xL^5_mVG>rfRV$*!r^L!=b zS#e7IMOgdMqdSeqzYc4sapLE&20aPN(lrx z?e+rqkZ*Ax0_3dI*H62;C;vYQzbDs|P=9hgO?ANaJ3YvEdXVq*fYfvPzSCwa@cz@5 z>dEyqAOqL$^q}AAoi;;HUjI%H`iR$5HK5%Q4nw#m>rNWgcAW~13DiF1RRWj zK!CULp612B?#urxcYhP*Kf@Lh0Y1q92p9y60J@hDcA#I6Kmcq)!EiYHFWLIh@cPl& zKg-zJ^5Fj_uOEy-Az*em9FP~lASb{l8yL>{YjORHuWt>OGkpD+EI4EH|EV5-@WsaQ zO^+N%FbpVN5D+970Ym&oVBeaKXBj)2k^d2a!8tj=07MUhaBzY-H~>wuv4auF-|+RV zw|JJXv)!bBhA$)x%mMf&6u}PW0NU1YPB@qy`a6Mr>qwqu>})gPpJ5E}Ob(#?3WY%d zhB!cQByi>UjljN*Nu1^D&&A^Z(Zb*ePB0P(j!+0tigQ3ga1J&w2jq7G`!-&2ma(&y z@;@UmIKU7B5E$SBaDYKL0tpE4Hv;=Mo^h71v(@fD!xs$T3x)(ikbt0oy$cY(z(_Xu zZy5VF;Bl6*lYH>c1lR8|9}Zy$0~;_H1P*v4U|>)J9Ek*A3f3K$tXAT1aWUfF&VSAPt#oMr4EkM}UZ`=G#l41@!S`@kp; zjGY5eE9`%?`XAFTXBqp)13nB62SWiBLZMIqN&px`0COMkU)$G@)cs?I<}73XT)_Wf z_y9w2VB!Y~;{0_QUS~lpjxv$$!ScesIOc22@}$AU^{71ek&V6V=cY z2Vc)e>~VjIoN?h z5D8?*ld=N1B7tPY_G@|lu&y7<4HK=YstYiLnC(J)lPjCtzhKjBy}fLDotf5_oq=;6tZ04Q=#HhioCfL%gh-*$CB;fj9`N(3r~f93n{pcn+$ zgns+^Jt+1Elz2B8rwrG<$lW8+qb$@T-9Iigs*KMPEN`9V&W9~IAX0O;W1x#KkuvML zd`(>|s?h9pbSn%?PH*%1ay*pDOa(7W%h9<>^QMS(#^` z;J>G`9}}vlmh@d^P&oVdk)q$LtXNUmYN+J0%TDe%9fB|)y~Zf5n=^Ro)+4H+#%DuT z4D$xpv7rv{1Di!uj`s@#F|I!gefd^c-RtvYiNfQrwkV$(-f2>hGM3ypMruk9V!}`x z&qta#40Al2oIYGF$;UYC@G-d`YR1(h=RL7U`@AflYj@|vV($k#9^Q?nfX9s-a<^-r zL=ro;exYmBD$&m>X>i(DTApuPII!K`U(o*)TSj8%j5SnPUEr+ON@aRK=;6js+)3V!fzG85@sYi zMT-~v&KJi~>IGwZKT43jkq}QY=K|WF0m!r7V_INIY)%n+d&`JsOa72a)pOBxf7^lj>;R1FK?xpw4%7T`#?kdatP zEh|%eV@Rgwjh6XjEQEQz=OQ~+A(|=4RpBY9Q9wg zIs*wep}2Fj9qcrVPXuYE2?nD-{G8eGAP@@C5TJS$z`4aVB zKkI3Xev&bO=5~>$j5SUQ)|^s815#@LNimv21-Jq`0=Fz$xoj=h)Gd6UbSsoC?XV8AswKH+W+iW}=U{H-q22P9_Qe^{JBY)pZ{ z`jjKYF^@}7=v@$+#>;`-O2a-kzYNpTR@Xh@26Dh(7K^TR(xr^sg=zw=}dP ze6>lwjw45{bA4sVlyYbcn>}x;#b@WrEtdAT^e&S5R+nrlqs@#Qf%nG_rJ=ww+TRDX8gY zbAULO3I8Z^9M`yJhN>n=H7( zb?{5#YU{xscgEbNSKRvJM$E@wJaug#n?fJR=i-ROb+&UTt5mDtgz8*zqc=WB+rM^! zF9(+NpeOnG;Yi=r7n&&H`BGXH^{Y9ATpIoH-b{RMIhZ6vnp&VA+@Y&Z>UiZH*{)TLN+)!~CsCm_QV0ATKTX-?p{=jUUbpC&bz(}WlnUO18xQ%N z*xx`@Gkrsut_g*qUxp7E`??JIE2Xx)ZYC=KB(0XYQ*5vw}bAJdy}M)gf+foUSUX0?J#w=$M;Y0>P(qV7WK#W5iX7EZ@#Sm%LI?EFr_#vR{xvX`xxi`A! zHCi7D?8a02U_0mYlMRcr?!z z@6O1F!bkz4JE+{g8M)XvtKyKA*mtTbFLPH(%;F?2L{>0R-JSWG^A^=D;V$O%0Miq$ z9ZB0ywj<9JOpX|zk%S3^MD^1%tu`-pl(nZz*0;^%8{Yq@@pPNtX8Q4HybEF=_yKVY z*10y+_;H1G8bw;HNnux$@i}ISx4)5s})yL zh4Rw|BYa7z9CU2M@--vU)U>Es++A@NxQ{#9ww7@@*A+P|^dQut!$po-Tldq<2q`Rx zc&EG@T&JARy`9)UH)0m&NSDyh0V*=vN7d}V-`FS3PI2;g8s_XRH^@G4;sN-;W>v=<{ zHu*v~*)cv^mP*1es@orjmd;@J|6bjm)`LG+w?I$he^cF_=~uzO_mNHydjb8S(=%Ns z*YABKVC!+(XF5H-CH3=I!s)X=3f!Mix?eSj*g(L>8rXn+YY;&=0C*4>gg`)mtu_?c z*m4351>p9i0dfjYd~Z3io^+g8dAYb)Pdul<>*#bpvZ_^INQ})@EkL zR$xP2Ydx@;r9P{HwTUsSrJgpF186{<+%N&9_L*JXkE3m8r2HMf{ypbV*a@T$G-tkZ zjy&ll0k{7+=kQ;0es(|lzmz!)U=hv^w72#vVbNA{KV}4Jg)`-&SxI{7k+dGascq7zXX#2oD6b$y!8ZT z0$N^>(}Sy0C&%vo#*o^NBb{eq3K%;u1aSKEH((0#A={~vwGs71!FkFU6ci8iu?1uH zd4@KI5u5#IGhZc%-f8jsV+$|$9qzT`Rrm+@4{iI8pNk~Jo$*2GS*U%GU0J@jx3Z9F zCRXvl6W+JBu%ZbJq+BioJ!o4nE#1>StYs)#O!`F9CXi_}VrptV*;kq-Ejyzq-zSLq zSbF?T$bH#(jce|ewhjW%OPgAIp`|kSg7~mwYkvy6u;2xz*ew$CL&m|0Uy_iP+DD?Qf2~b9Fsl zI9it2$sK)nG_y5S&Qa>hi>V<8k0yRZQJ07r3s2AF;AnWgMaIc-OVw`QgSLE96D_l) zUAB?iL6)R3`1S_owSv)_z5W5Dt*)FqWe^4}J6FXfe<2;(Q*`Wm7`K8n>qCVtM%uH< z6(%vhjM&L%s-Lg*EqT|mKGvZtJ&ZO%rG2Sv{L0)rU)O z&+X7UZ9e|o>o6Pj`AM;MFMBgO_{m|zN5wYNG~ z{j3LHz1X?zZ^!Z^E=Ibq#KR)%S*JcKamTA+<{4#p!4Qo)>z7Ft0?(^Bte?>$FU?)< z0yZvSB~vORlx5hx?a-wNS~Ax`>ClK{$p^DgG*XFdX=yGZF^kqfHyb{`Q7_@AA&=oFXJ;(Ea9vx?YQo;;^pTCWX_iV)$YNlQ~(ndnr=!fb^6w|a| z!b68;N3@IJpz6qbwLs^UhAET6 zFn#`!oKnN#p!ywXPhwh?VqW|5KrfMr>PyIW!XZYxezXJ=3ulkw;Em; z$DkvgAx3gzHn*t)sy93Oa)7kO@K%rm8}=nqPHCSIzdM=jS`Ui{(u3k0Jg;LE=eamV zkL0Tk@Ka%eS8ROOICM+0z0eK1Qv&XuFZN#x%do_$!A9%7?0&w8>B6Bx{y`@L@8l## zw}dqG+E-j3e4ZrKbZrD$laT(EyN>Y>(CaY;&!al?dR04g+&gdCt%;N*Vnom859McL z8A5~MIWlMIsLE4{t9Fn&TaXDVVy4_WzA+SR?I94pYsMimDCt&hCi*N7Rwq!}am#e; z6Katl_=4+wnndrbu%}>)E)+MzE_VZg(XgY!;gBu(#@mblN<2({Yx1r;P?&_)mV(>n z)Q6BH5I?Smx`KkK)18+Km=BRsm%}nHSquaU32J4xGfK^Kg<2X)P{nNJw=`=rH|^Dz z47XWQy;kMsRzJnX4L^eqhmHJSTqKx2AC4hi z%-%QU99Ld=qB>ToC<@^xRG@MQV~+OGPF#ON9URcWt zr%W>%eQ+zCn$;Z5a9umXWYrGildJIT%a-LJ+P90NpVSJilLs*6Ql!yBTluy=JdOUE z=#T2Bym4D;4_&y;w%YN6GGd&@@|M4I*l4^C8G-40b7;ZGt#_fi-igVpZth0 zs@`3?^t4GE#}maxu;!fYV20tKFP*`=n=O&&Sg?&va3s)h%NZ?wK0w{%e4cPhF_^6x z&=)?aiTmKyO6cHlKH7mN=>8jt9h1Y8;$?X+mUaXlL) zVH9^f@5C6*hdf^oc<}3E3V}FPmY0WgxsF1tM(l~ouGeoJk>2-yVQ{CY1a(4;5Ii5V zy7>0xjOwKK$75f;^BJAgw_U!5Ct%-Mgj-Mwtf})6z=wbl&EtakX{5Q-*y z-swxa=jBG0A7+ty`gJ89nvAeuq0gpk zylc!xTRZttB2dsO)!o4UljF$tdJ^mcTA?lbql$PImRq>)aK6i;?>}Hl80tv%ouAQe zbMx*MjY#rM;R?0)d_9PYc6Zt*MRnttKxRB`bF2>^tYqtQo(MN9w=?qXgL9iXmj|Wg z9k^p|+@V&|rlHv?V<^I;ktli>BFI8WgMV(d(fhpzy4v`gY?81d&0C-NmNfWlNGLzf zq5CD5plT;yLr1uNx??ZHKzLthfO?)R`0njbBn|>wMeg|AA}i+=t#}D{^hJFSqS!X7 zzKlvZ$@R<`-PsFexFMLPll+(*&&{8(#?|6#CpxXB(){81yLw;`pTalkZ7(Fg!Z4rU z$vH44OSN49onD^_|aa&)dfAGU%nY-}qwtiKX}r2RP3 zPft%j^@t41J}yz@k$OV}^SPcvo12$X?9RE0)(x>+w`ZlNUAuByLN$w0FDRSx)?==~ zfo#Ih(I}%!q}!7z{?w^5Vne%oBd-hScfTCdt=1+5KCgKf!`~@%PUgjgY{`MV7O_g7 zzy{;R(O1qg)KhUc3dkY`x_@fu|X#C8%&+Aq-3JZg3oug zVi;l)LXAeR!nnUaqHq|RL-1c#_JY@=eJN+vsooB)!q-Rc6UXt%77rgJ#p2Cy%ZoQc zqSEs9Kdh_U-a;T)Ld$$ArAR*b*gEn>m9JNaPsasd^F3Lb9{@R7G;wvfSHng`ydP>L zDYT>yy#a-5Ke`ghG)g+F=tjPFEUR$~KS+FOx3CZ`XsTcXsJ8ef48y?*^1*H`}rv*t2g~@rPo$Ys>U3 zFD`e^?yfvy2d&SOFWx|m?1tZN?;_4v4inIRToWjM{Y7(QMB^6)jOJ~dP|oT^6s=p7Q1Dc~k;y+)#+r$8?M7Y>Ym(N(B$jEv`*wUn z{qaTxuqJdZGK2a}H$taN9{64Em>0nE_zKVZyPqCBHc2#g7Cx8x6{qs0(VlRHX-jST zjq6#}G}Bj~c3H)kUxUDc!dpH&xsbvnnytd07$f4;xU|St+dhWu zh|VO`U#FktFRykGB$(Q57?Zi?9ysh>p&OCscx^)2kcHddNaoPp*R=sf!H`L4H;BJ& z3Nz?U6I6phuW4lJLasnYBL;Ub`^BvJMX|Apqix^vQi_*c78VAo1nK6l#V_H3Kg_!q zuD!$9=D|ITD37Ugr`VqNwNoE*(waywZ=pcjo_}v|>-D+iZ9#enmT>v-vY&L?}diBZAvX>QNmdl1ygkC2RoRINvGaQBbkSB^7Yc3`zR&Bt?bA2DoidGk-VZEDHrbT zzaeCJ5s|E7u?D0K%_GY3Fw*pr^%YXwKlRj~kYUkMw z7MP7+(}A+rO|ER(F8d-TcKlWr=;C|cg#I9MDjHTD^O$olDu|VcK2WOV%OS{@7z?;n z>~B&f6EIS<%Mv8%gWb$#dYh7!5bLkiEnk&oeK_|eUf=az^Ppi5m*YjB0j=I8VN}XM ze;?6$WiUa@%6wQ>GOXMdra#qrgSN%2tgYbk&ia?R*_+oG2Je!`R!Ul^z#ZRju0QUk zkGCqzkX}{PJV<0i=Q@2jjwia8Q`GsW z>*RC_LJYKwK}iw9H;bKLQI2q-()WP~Kh;wO*l4_udoDljUH%wrl6r)wCbZYTm^O5D z@QdKZ*LN+LGhZrDpuQFjqS7`>W^xYU$PzJh7xoaPeW?7n%|n?&EDPU-36_Xse88Mf z;!*av1Q{vi*Hgvr-awdZ_#S@YeN9-qdiTNn$l_4d!JFqdquKH@>{KIJHm&uZU+M^s z@lZpWH9dShpwWzig(I#juMmi@rJu%u`-YnJewm0H&yDx@Ys;w!8C9-fDacB1p_ICV zeB%A@KfdWbR=F*D_oIhed0H=iWTi|}S$_IVQmg$V2ddcz{HW4J4~hoFEQh?iq=MgWv#^1PA7hIZnoCIsdDW67=7& zm{Sq`hiEVq&IXM2K|$=mlqTnoc`yJW<6r}jGT6y@-+v8L`uAm=YWP2120IuAAY$wQ zEC~e=bQquoIAF5uzziPbbSmoq-!lGk2JQFw-uDqI1Ox$QKN*=lfhz$QLO_ApdbX2E z-v8PvAb$e*&LU|4OSt-cU~@RPxHKrJUACU6K84hQDxIsdD$@t?GD8lC?` zABQ1;Nyn2pS|HM%gmpL+21Wp39tKP#v$6kIz2o0Q)oF7150?RD0~&58=RlArAqxS5 zogSP4#)N@^NuU|`Uv=_-^NrKo_@6EVm_vn~7!xqL%MN@M9}GBe1N5JO(;7e@5&8c$ z|DC4x|8yDbz)&`Tz5~911dhwWU_gTfI9d&q6F`&n#o3Y9pZXVPx)eam;$QuXzt^(hIGZHD zPgcU%fUg|T@-b4#UAMfd+por(3eRaW=Zr8`bJWIr|A2Gw95Qb2jQE zkKSF1+aSX~czq+hINVUDcm$7AoD4=&9lmzj zlKo6#)(z8TqT?CGksi=g#zE-~``2bIdvP)Q0z6r~MN#Zlby!7wf|(`hjuqsCbQT4J zS)2$H<&_LUtI7;r&Us;Rx1ZEe@3!%iA&V+WMp@Fj z>$c10c5I70pyI3rvC>Z=8!Qd;cn=8di5@Tus`e~<C-s}?=%Emk%Q#aPgt=BbdqbP)~qO zOUSE5L0V>cwh2nmt$bWGy;(=;zO+h;@Kx;do&$I(2XKPDL<)g5S1dj+yz@JTRyYAy zr%-(CJFi(*x?1@@>2%1oqs3Q@K`Tl5TowkVXbV%V9~BQY=-ma!{p*Ayi7a=l2$rH1rj z1;&vdR?stdZ^xyAky~FxRWxcJ;+vl@oosGu97kMc#v>&49ky#SbT!N z=9ZuI9&g54UDS1}n_-h{HoMHiZ}fI&Bvr$PbJ`%;7R(rhnE-C@f5oJj6;cNe<+25R zoy0`F;L1!;DB!MfK!#2-Q=L!Lq%xk?r1Ffdan`dHa`~;(l(2$#NqB$&AQvp9j}j!p2LjT%|LfMCH7=z(9qY?mt-?V$np$r)>DWeCD~%3TD!t21#OB_b$X2$+yruhm zn0>q4NOI~4e%w(ooTk0VEK7Cb)l2{Z)C3)`VE~WzN!*3El77!?u(&CE%G@C{mz4Nh zHAO=q&i3-TGp&4)R9`PF5tReq)fgO~g4;0>xPU)(hy1J(?*&TPh_2vpa(6P{ zX}r8vj+Rnz^`)!3P+eHY`-hVI(q8 zRv?K$TtJ2Mi_lG!_lJ&jlmqRwpb4a`vVrCkk{vW+LrezESpEvqX7cmu(T&U{p|}@Y zB_Sy6TpqqG5|MK^3w1AAw^BRQw`XO^<_xlT>%B4Z@$6W>6wn^i!a||tad^K=C%@fU zJ3UoIKr~^JAI-C-v}mf9i{wfLwe4#cZ^+c~hk4&)inQYy`=qZIJ2(|`2P37~-6C)- zn;ufdG`fL-}AGx(MgN=3D}>~4`N+Q7E0T>57v}W zulZ75%&(bI%KAd1Lc}p{sYfR8+)aI(mi}^1d^2Na+|zq?M4;HT)w^^kW8fNt-I}m) zX*1&5K@jvB*rA*<$`~y_fuP&OoXgMoF0a-FqvAnUsmgO3MdmnNm@M}nYFuVe7wVr8 z;dxxO-12tgvm>Fy5+;%A76~g^u8oTO4DTy~OZ6x!bo9OVrgq?jZ(U+@7-|~}OgBrG z3v$fFE?!Q}@%y;y;O6cXG4bL}e+f$ol@+h*m+t$z&qzBSKMRgu+B;M;+`r#nA&+=J zi8G~f*dsQ6i^F^)T_`6m{L=BX;^F5)23F36?#JrfQ`bpU2x@b#I$&}TuHjvEAR*U( zi)KM`t>pvbxnsWLr(WluMa+#Ie4b#L@*Ti_P9HrWKqi8fd{@jHG&d0B;gsD)FT1b2 zqJN-`$5GPs%!u|Cvs+2uRq!+wGF?F&W%Q?f@(ap#auS>W*jae=D zlxQgVEw}QmmvYkyTP6}Zja&Eef$ zjlqL0B{XC(K1^jGQBbVxWd$|m{USd57Gr}lKzq1xo*)+$Es;sW!@pog6`6VW88^w1 zxnkdX6H9TD*iavfL|SnHi47bN_@!YmKRjNT(Xlsm9Sr;XZp5$ns`VO?lj% zDl@z-c~cRk_ii&mwtsfZ$H--0KOtxs`VIXhSf;P!K^9<@hy<{~L zuWvC9;X6O0COK>!gk5!bLGwJlU02U9pwTBxvA!<{ru<32jWL46b|2&JBby9l+LNeD z9>MqKBvYPSekz$q#ACk2B!Xy=JynvOnTmQl3H6+dVym!kdWyoGGLwo3dCL%5ErjTJ z3vq$Jy`9(!4o&4&OrPLg#0@zRWrw)J?rPD5w5?u`sm6K9DjT=eXC0y*(U%uCL2MOU zi@m>BQdFbipPfENwoZ8scA>_ME7=gsq;~Rs*@Rh(_JvR5T_$nX!U*4jt5Kt2orK9% z!p8Srh*}zCIrzTDj#1b{Kbl?whv@_>%$544=3=Y0kl_74-rhQ_t|aRo#v!-`_u%dl z++Bk^!6CT2yE_CA1lQp17TnzlF2NnXoAhKREi>ISZ~wl(?(>jax%-?`r)uw2Yp(_2 z6nK$k&MsL)jX^#9K_uzgFkMfn|ICOQr<$>fGdm*aW@_$J6tQdKq7IiUcv*PHBO7~? zmlPN=eHPj#6$F+iMW%Zo(EI31VZp*VUgJ~VC=9Q$KR~Pjq7=VHetwHse=kFRjaYwI zmH!LvYHZ)}WJAmB#H(tc|EBMBb{pk`|esc*wybJ!9BLQZB!T|?hUi`QO z7J7C7j0=Dd|Hf+oP^9vRhnN8f$lnMM{)HFeho{B=GK&}) z0dVHGTMr=S1Efy~0PJg8W`N-YGeD9EAY%2myw3leLjUPa_$?mweLejPc+}5}z&AYV zSK}A~l26}Gnpl62NBuD2_;-mry7W7P2pvpDeX6DqwRO0ULG>ap?;q^4|fm^FCga&Yh?^`~m8{ZQa? zyY71$x&s(pnEKh=M>mk(gGRk>(zf`=mHPgprI}d> zHi(bDBDJk2B)t{8N)ejaH8M=?CSe{a=WM6OX<>poElD-sBOMQydvkNTM~F^D@q9mb2p6^DdGqxw z$cYQD7_Lox{mA}0p6&I{PNR#a_I5R{x-?l>#YW)%dpq?+F|rvV3|L0SFZA%UqFfkY zxV8)>5o-Bbo`~I^JBh&38DHK7=f;D+ndhA_l+#|*sBpw3H95CwHfwLr1oCostGf#+ zNMCRa3Ub|Zw8%Ib!|0hw&RBv+>|T8LidVI**tzRC+XPac?KOi1HhP^0I^O7+M+c2_u%*_K2rzW1TXjca2W02r>+B8LMrT6Jp_Z&c zL+-CCJO#>VsC}3ol{V|OY$#jq(FWo&4HnkYlnrc#TIv0pm<<(e=oYiCD9co%2w!hN zus2TCGDq#<{h3IN56$VOSoshj?t?0mz?xf5<|&rx@(@_{e2yS5v`wO#G{ZMoP?GXF5U(6kja~8p}O}EzLL$G_JM?Y z$}aTs+8VVwT_T^5i}!Iz$~)dKp>RKvw1xw@RCSYwZMT{jx8QXR|*mik}YxzGUB7%08%&)`E4dR@S9Y z7r+)TBilKV6~30!F|>$#MQ3ov-gkTh@tBgiE?#FEb85I(n@?KW=<}A>XT7`Ep2{R( zaer~P9K&HA!B_M~t#HlWqTfuUQr{gK0(9%`RQ+lGZJkpTKnY!C;P*-fD# zvYS({;0v7vN|E5tb*1p{P?Wp&B~aNS;L;7&MpXLX!3b5b>EH@Zk3oL-!$AKq9DD%>5C`Gj4Ue8D{dIY|Ot2tlN z)}{cy`%;q|2A>SIDYW+;GkC9IrIkV`C2*dR^$}e(OnJwvl5=Gcsv*QdPexuWZ>dNK z`f{2+!DNYBe5~z&M=~PVY#18k1XOkQN+P#4m(Z)O{i|4GoC^6skhC-3In?XYkHnyR zC!t;Nx0U0KE6;4BuQQ%5Q1Qd#!0iDybRLp!CrjfOW=XwJ!6QKl* zfy!@9^u>zZ=Xi={)7F;sq7PY}V=iS3KJ&sO%Rov z)B8Ac0fRvEP9Et#+a4RVWZi;~Y0)e(ik`H{LPjRPLzL)_1r2lZ33&h3ft3UI}alUZfxJ_ zy2aEjO+-ikXx1-7o1FEvR@!x>k~nWvrat8*6IAY9SYp3Ld%Hki&kM9IZJ+!L&5sK2 zO?S}e0!&nFO_{D?UDJ-T+++l7M(HTSrF!*M?WKw{GOK=BjQ*Dq zC_)sKM=n#AkYmW+IKJ>WSm*bd-Daq3F&FFMFBjvlHhZ2wJ~kyi ztFt5Xj%nju7z@nP&RB3*??JQLlg4dBDt8{<)LA}8;3!8FLFTXr9o2~E_8#F*_E`y( z-8>i2GJgI-L1#oAVXNA6i}_~I*tu_kg#M9-79Z2>O<~59%u27$I=(YCo_ErF`;B%# z4PMOvG>1EPHd>HOl$6$2Y}rWnz<{?ICf+3ya2@qNa#xHI`9s_R;aB2ZU+y&@bluAZr$O8{)4J$jf4wzu4HNeH7+C$*l&0Wm>b~zQih=H77+_ESC1GQQr^%r+C8;?dX z==Q1M*zBC{cyqLmb=GK$V_2i_Q#_tKUIZ2G2)_>s!E3o9S+WoCDg*Y}tek$8Y0F$T z3hk#h2u$GTV1`?=itA$7=B*L?f;FVcT(IRt?}SYJD*nYGXdx1fr}{daS;HOCe#yt3 z*v;0}*TX59gU)TpQ#s~PvPoA_F-$8vg;t{nlNQ*txn+l==o3ddOap~>5$&CCA4!~$ z(5MdsOm5VHO2xo&A4KW#9^)kphkB_+g}@jyWg*o1w*RK1HxdS=-q5YNb@td1d#)&D zM^?x^t&qx9417-8Iuk8KSwc1r7B#2{i3e}DW5${ag{(3mWVs@|?cT`~*6M63DuY+* z=5(^ihrZ6nC$ZWF7%cy)(?V8yl0jTl_U2uZt10A=%*a`E_MR#F(*bq_i&&_ywMm2f zlEWo@@qyOD@s^h50KEtJ0Re8D!_-yZ@NPz9*$WV(W0C9QZMvKGRYv4~6~mqYO9Xe{ z7Un2yb8@Hg-kKPjP)RvcOGMoV+U}2b{=5VXZ#D_2GSQXVvtON=1Pgv9 zkkB=gJ4lH7l;~zp|8{71)B#qHn>0yS=|R3N8q>?>3qKvjQ{GqpwbESHg6si1_{r7oqbpvYus8-J?(e+xT)uls%tI|3M_0C4cnRkD5$JF@?S z@cP}85&$=T_nZ9o`3ErL_wW9wlK)$Xh#r7$0mKMcSpkaDfZk~)06C5WK!joi2+slj z{ywg?5Wq-7S4W@cCjA|^1gB|-Wq9+3MMTlm?{7~yj+ zyoN0fa{!*$@W{x}$SqBmE}nnK;5gk*&Lp}b7&HaHkTnmCShrli34xk_@`nx=G|>!I|M32 z_^ao|J^2NsIxkY-xqmQ}nd1wbsfr3=cc%l8Aw)x841A2sY@u**C-?B&n$vX&UxYV! zftyu3#-mFEbPkimDAt2Zulw#di)0c9o6``g(_3{*(6i{1W1%Q2#upr0y;~I5PfI96 z%>-_4K0^T^W45_JKOG*GTh0e=H%=RZuA430^+gAz$b{w2q-=hc%(=S&-{Fo><)>`d zOY6+s*1cuqb%;{csWUmPT4bp}L5XCSUuGQ(NRMQuNWX)zx-GKVAE+AC5UkDbt{ zrKCZ+0DB`ruAmA2CVYJ$9pqrVfwf^k&|09$+Dbg}3#o8i=i{>&l=S;NiSt|*S2!BU z1+d+r6RoYn)igI7mw9!_k%Q)zlsuU9Cqv)aqc(cOO0yuh&qc4|O)EdYUTL-;odFwZ zRxEa$KXULjA`NHKdNw%+g4~8o`Jzpb3QUO3}z|G?Cazs)D|VLM_LHupihXtx6o*L zKJu&WE6tHAh=LNNZ-5=38n9FCLs8NV@}MnerG3|f2?8*;&^H7)UhvMnjBG!|yJVy* zer>sstHnY_%h4c!0S~HVVK?;&)5FvacSmjMHOvGw<9=fVdh}X=qej;{X@&7HXPEgT zN5;#6hpj8H%wj{bk!FxS8IHiqw=90{`}OC@$h5V>Ybuco^-`9hlmo{LX7AVxKw3NZ zfkYRWuy|c{q(b;&6s|G1%*d{4PSB-`T{d!cLB`uby7}|l$5#xjmko7ZlZW~*#lb7! z#vzQWY<0C-!y-JFzG-)R=*J-lVn12Ku@12^lp{`fEmS|RZ&+TnnYF@VQj;d{pR-Ho zVOy+&jTv5~e|MR+3}-}B%}M&=LpCI}*TSths#MBnI7+6o5X{z^D}CA0pxgzM;K*}I zI_SE&k_lAXceRwE*rKOhb7xA1qQl18`RVT}rihakHbZ#2b77YtH%SlAa+5+mpVs?_ z+Hea5C?U&dFhPU!EYh^S8ECCAl*J}Yf)NsHEWPWnyCBSxcSJ682*)@v)+_|X3c#T^ zgYAJBU2%YJ4^m&uJ@o18i7jKcRDoP11@@ekh_s zz@c($uwf%aK-EI}s-4o%CTt7pan=nwHX&Ih;#w)KQ9d!_>JpWkx7niE`SReySZe!~ zL&l8Kn_(_{_p6HrH<#q)g!kgv# z63hSxTp1NIaohQg3Ll~|ZcQgyG8;9DZ$90v3Vxl$*1?|ZGI6#YU1OQRt$XEcQYCrE z>o#nM^0KQ(Tp*_rKguH5B&z#OZD!{auC9bc_uey}hNzoO*^&dP3vuUsaK^bNRK}Yi zFa*a;d;0P&Hv;-nWy3|#K7VN9Y4;DPEkJK7pEuk97pVhCgoM5^12OO=py4>^}I}=oa=MU}J zVRCP&&vHX%c5tW?!#_c{K60!s!M?~nz9S++s*i~7;uV&qcu|RQ-r)h#d`;(+D&qY| zDe%unK)+-*zfFO^Z$Q6Efxn-h|K$|;CsC>IR^>l-((haFFGuiyCKUTCpQ_)D`!`xN zKeGz{U<@-r_lg0K;QxNR|G5$6uWa`}k*fa(Q5cS&&$WJN*Rle*2!D}b-J`B%x5)lY zyH;+vi?+s)0SxMEa;e8ycc1eNiW`n$k%G8{uw*o#om0`dd$aKIbTIz1)%~U$LhFrmlvK493bN^JdkPU`Lw1p-8zP33g{W}JgSmr! znMS<0=_8Rm_zcl~*bEzVOJgviVZ-A=vMVMp&UquaW}|Y(TeNF1LkN6Xv0J$BzVw@C z3J14T(T`p}M2|3PfZ8Fsjt~tnqN3dQgf27{y z%=Dk|s$+*(b z+UC8nHigo=q$=?m?-RbkpkY`kXU2_goK9aj1KGd?iH9iZONUAK7#7LP7S_n=<6!Wz zudmiH8Y`{RHec<0s)B|k(0~Bqg?@XJg`U~w!Rf{QtOq-^nx3A%GGu&GF1tgfuk(7+ zhB|$o{VEG`>uRX~q5qO5;e@{z2nR8BOpVk*pyjy3R9-9DDztZ7SMt5IU6om>$p>0b z!F9#5$Aq}rpxpv@d7gLXk_GgKiJxV1Y)FY6`vgpR=8XmfFuBXa_h*gXl6l`+9s*mQ zj-THsd~tw=D8?sUOQ=x?BC9jcc|q}@vAEkexi_#k9Br6uokMQ62(gtue-2c$cL{#U zPz@p5pgf>}Ers>mD-+kHd6o5wzZmGH#u9LZL*wpY+{C;J2#ot|QnozkvyoZyvJ@RH z!Y-jb=$bPh0_eo7VeDII*bZT7oI%{E zZq0YGM;C~%ADjgjUm-+LEheD$8BsVBVzdEtdnsPHmB#xIwhQ%^i*-jv7GtH+Q%HYM zfBA*9uxX)1i8aLZ^tpuk@oM8?_+fwe3;XuSJz)T3B~_;kpJkrBq+dRl6|pcjQ)OF@$5Uvdy3=cyOmEZ`&EsHy#AblRS={BIgC}p+ zN@9ph#O120&UsdFIFK-;O7dUtjA*GaFG>%4JA9HYVk?WM-qZd*thiFB{UfBBdiDkX zq2j@Z0oYFZCkfCZpfLsqm2$ihGH(TC;l!8h9?@>mm`#(L5C zs|b|^kwJ_@cx-zpY!vU7&mtB)24Q*9v+Cc#u>)_#jEc97%F?au5Wqs>`(a>f1nz05 z&|twyxwlfa5(I+qhlekMJdQ)jteiW0FC5Rsg^?Cw!5q1Rx>gEfp}i>boHOe~RY+xP zF%QlAP^lafy%h#BxPSq&>jSZvTQVseNAgjt*_|r|^0@lLTH=v8HY9@Kco{Wl*K{+^ zeRdAdC@|OEi^iK}K4qY-4JOm;k0N~a)a2DcP!JJhTi&t$)rQ3mXO3bZ3^3l(CFgSW z6Z%?80(wJICRfd=xYAvt)&}?#E1#Bcc z6||zLU0w~U@CDZ;!Me3*JtN= zzX=f-lP(Ey@O)m;8!T5(o~1HePy9^S4!yUsrb>% zSbk879Si#*1BeovsZTNNt+4rwBDl#IK($y)HQQ=hPJ#4N-m?O64oYITYpIL??NFeZ z5;j+*-nfBqRWD!o@jki>D(O~_EP<#Cx*~$4ElL&HtTqcjvRq1z@Dn7c5s=A>@6)U! zT@et*=;W7XksFy4rg#2cUzUSkv+XSJR0DB=`RX_?!L0{gOvPbsZP3Rz8P~u^1fL>> zH4K8BqQW8UBMynJj_tzCW}2Rc5Xx7w;-^7U@Am3d=V%sovxHAJ*q#8AuXg&%=}lnY^mKH$q~9$4SKIjoo}NM(2#_DwZSY!z!V@(}!NJ*AQ}D&g84td9w_%RDn?upuQc<|Pw(i`|U-n%+ zZCzPCoH&@ytyZ+Okwx^w1#iGx{N4v_$lu4Uf22|m?j)!K*q0Y${SY7WZR)dw+*UULti?tB68Orq&VETu^H2bx`!+~ zFO0-`dJ)cLkZMe_A+sFa8FVjn(MJ5JeX7ThMjlN^!6W;W*Of&igx2<|cS}##(n_!X z-U5;=Dd0&O)YYD*ee@~-;To0Mm>x*_N?Sm;3=~V(ua&X$A$!qlYf=)AdVcv#4_jMM zV$hgh%) z(WViU0BJ!W1&sd9Ixl%9Y8nuhPob<}FTwaB73KCgS=p}954l@MI(72}cTuGL;g=;E zJR#o=eMA*CEJV9JwupflceS3N9^!FBnX0}+*WKRwj7$<_ekygY`0RcTsV#IV4DjB5 zP?k6U;_ly*cxr~RdhAKSaVU6{sdS~%0w%zS*A(l8>krFO5|t@K%4n^R=K<&KzBSPs z6?k0d6BX`ex%TL_{_4D*9f(kRFOeXZE>qsO7A;sBqhLV)lSY6xJWt!F{pLAY*A-~g zxk*&`1e`_3ClY?>B*@XHDF2S5hsgZ*IPbEY3N|6% zR|hr#9U)QcI-WftVZ>k}JTR6Zl{<7RMp5&6c9j+_UMxgGYbP(x28h~cxu><#wghsp z(sE=)W^_ffsr6-LKYA;RmKss~P)ym&{^)`Jnmoyas>c)H>vu{cN*suh=_-CONd8w9 zz*9I^8s>Ux4+l+CN zZK*B6L3Sn4*nMhLGd-R*R3*KiO*n=k1P;Vc)HNm$^rTAft1?G$>t{d?&Z9Rz(0V5(b(_FzvM#D%pBAwq*phl8_WZLwxk;7wh4w!Z0jA$4jQiCQ5 z^VbV&QkqYP&6}Ffo|hn2A4pEoLeHG4VTdcdi}iXOYOAUZq|b>k%<2jjpDYM8}>~beQeA#0xd1 zgEQ)b3F{svVvTlc9VF8H6&^oOMWyb50PY0E>&rq1~%zxC`QBUwYu zA@A<+R9YnJ2s2Bc6@-^i5b=2)vQ`JMXcsakiVZldiAv`}FN# zO_EcVLJmK;6~!!tvJx?gSum$8Nn2-^d*`3ZzVe1~<=RK~2(L0MGAg3JG7+CsC4j}=wz;|q9n+>B4W3!xL^GtIWvC=u4 ziTNbLq3t2%<%8)LLghZvs>Qn`l$)vhwwo|w zTHkk(45QnK#5FK_bNQLnsZE&;K%iTaA8NF8fiDv)*%c`Cznj~|(XDd=9j)}r12>sP z)UqsB>1|~nzoLDbw*}d$zTfch6k$Tyck)26ujfaNWweltIt!@ zrcI4930L=a`|3W8qtJ3_lI-}Yq|8LA$RW);{i2_Uc1K*R_Y2bk#y+Z)S*6cOKVmYc@7G>5C|&>qQ}@^qcufCo=ir!i6JDykX*9_ zbeqH$pLm*RN8=WJ>Q(D4Bvr zBi=IkZMW|r*qg-H>5~s0&>A1Or|>DFi&k?=nJXFTP6dB0_Tm)tGgeCtwfuch{i|bU`)9 zOv=%R)X1}5(T9Or*&Lm$-CQSyW?R2v|XG>44x3u@| z$5XwKbzWd9usHE`{;I=I@>>MF?~(h#9?-&uxf5-0*@y|?jGLCZ1x)<=b9RGiIxkt( zii$#6NmwEYr#?Yg=R(_&ptSBP>siUiT)b|>Ll{rCH0nCNIksgF=5kw5NweX7>w|x& zVk}m#P_vG35{wugAH}S-yYiAz0#;OH1uBKg?qz%(5^I83q(NkGxc`Gp2x=@)ltM!WoAgY*1^Jl(Oc<Qum17A(cXWE3MjLcJK+>O|nXanox;>>;nYpe1~_``FH~WGma9 z<)(QE`(5bsz-6z|D@Qc??6-aqSYS-VwztPWPM*u-jU1`5%{i%;ejeNp>3mAyPpWK(G?Xb`ucT@fGIOn(QvaOs)F?k!hi*#?oM#@A(VB~ z?dlLYxP6GB*}kjtT&o4&*4tXkF)E@_elQ^%ftzwuNEZDa^j8Q}e(2A-_BVq`$K(v~ zHcFDgRfuQB2(o3$DumUua+Tf5qj(qP>f1ro_6ZM*9c)gt?un`gin z0^}_s6A{J!_%bJfbeyJRl{DKWt(*Z2f90O4)2A;Iwi7_tn@)j(^RcD5GIi~^5B#Vc zCzvCGS81Gmb|VNY;qZ|o25a5a@Iq_hc{1c_V^PWYlE%z7mP?tCnhlN3(_i?UE#=_? ziNcpQzc7yWnx?;mS#T~!I@aFlK_(cUxus0q?TB_eCbZBz(9BQBLm#Ps`}V8p#bn3c z?%FvpqzhLNidSZU_HOtNBwHqzF~~hH2VR`b78gcA!zLsWm)%ZRM>%B1wBe%xj^b%D z6!BZ|C5m-j<8#*>?(38b(D8zkfT3$ah0LnC{+lDIwAAb~uIml6EUs%Og{P!26!obd zuZs`+*6gp(9}{`GjLC`6{4_-}#$k`hK%CUKTo@2Pd-S6@)xT`)1=lenfU+!vIz*6l zLE#>mRFE|x(;#TdVfv`9Sq~!os=9FfY*S0=p%h4LChg%U zaW;(vDVC-6#i2Jr{i}!Z2PWR=!4Uj?!s47R>gG))Ft4%vlpPwdX31Y9lfb5IWHW6M zaGK}~iJ|vHPlX~J`Pv6M1to0;LVYxT6F6{9XuKo+3*yhK(HApulWF)!ha^4o30S)#dn^}_@l&IZlfSbnsJM4{$4h|wbCTawTMWSNeXv|Dd< zTyz;$_8|>mSESEzU`WftD7bQ*4?d(qL;xj{wD9{WkHaVOoKp{8#8ki~%vEJDeI1}- z^(m&f!ZoMEBA^^9RuGhe_h6sdb2cLJtCy?_DEuVG_VMV>rVx7trAf8Vp!mb9d+l1) zwApu+Wn{TUaIuX3|>WdNO8j$aTmf{!n~6;=SU zBIC>D`o@En?d7p8BFwcu{wwk;xp{1&@(y0c+;-sU4sH@>3pHxeUP0#>7Pe&$3T|@h zPY0=mdo%6zTNavnQy7Dz)uzXdGS2;HY07n16`zmM7F^Ax%QE)z8*96IQ#GQ6ImXeN zUM{1|I9x}&U$-p7y(P^7j#?_tlwG}S0K%do`H%=BHzNOv6Or4~>omT1h_nS`k$gH~ zIa)4uanYa3-aB@Nv3~sJ$U6&;x%Sc1l~lnnHrnmFlvB7?ZiCAbGCpA_y~^=-eO$&# zeV`wg&bMyP&i4H+yZ2Dg&ZHoi?JK^BmVLyFz2YI>np=c!8>P~khQjcxE!4UsnrwGJ;}jJc#3-3$=yQ_m09P8AQjaYV6*q32LTPS}NE+jz>)i zu-8>5i`t-qETOD%@5$Z_^$~&%`DTciV20v`B?|`ARX|j4^g=m0yM3TV3{3&Hu_@jY zXUfV}M$9*Ys4k6f zV)V1Nr9tWEDU2^ql1U55<&8roK(af7nkWtuft~5&xiWMu{Qi(86&WCN1`?bCsnqI= z@65qJj?#aHPiI&Ofk3>M;ykKrJGBl;A9$V5pE{?JiIH@07C#S`p*(H263yo4LY0&+ z{WM*0?4evzv=q5YpymB~_n^n{9ClN3I;29Cx*dZQxp4n9H0^^7WA3#TjcSw-X! zEpsH;g2F2kNy8Ob?$Rwk%H{6l16Q?q8m{M@lbJ>19`>zignn<@aJ~Je$6G~L#4G%Z zc47ycOSiMUWklSlNH|I_?v$SIPAP&1*GjB2tg>W5zm`qFE{lwh9 zG9qjeaSG?j*&N0CX7|_{I$U7-_JNslQkZ4*5OD#c#Jfm=#~{IBrbtbdP5mSe9%Q@G zI#U)%RM{k%pjp*EJ>dNc`aD>|f%5*g?TK^oDEcZ7qnF^@W$~|Ker``r*eRRV=is<* z4gE<|$3m@b8EH0l3c4^sO<^DMN>5A3DPcmv5w72*d`vo8fdpQ3m~ZEr@YFd%KxGZE zk&-49P^x;HAPa@!iXg9iDKeFBv_SUor8x|900JZtVh z`oSLK?y#m2A-)QnAL35=IM{f55~g2HEp%_iaF+x;^6onDIeL7lj^rp)Z4lC40Y41Ai8O`w6K0i<#fge9C`heryc?@XjUpbBbY$l7-a*J>pY_j^0sMyx7`& z;b`z?fEzp?cnRE;fHS^-D>+!gpLsni~}Y~dFnWer@7L*4d2s5 ztc#JiK{AXgPrOOJJFurrV-;~6#0Y##yCIN_09y$e!UQi{VrlYNQ9&F41i=$?OK}l{ zKni2dETT(!L^Ar@e}%K9krFxwSCGL`~+oWNoZ(LI(q)955W_M zgpC?xA^kapsU$T|jo51@vPWiEYZAH(rdQ&v&n1 z<1L9mvbAVCVFc*VHjUq&>Y>8RG@(aOyhL6>*(*SCbo5D9SQq5dneAAi5t8p_I<<`2 zZBQNge6L=wbK+ywSq;m=JAKy2rM=gRomSp2cv2&lpc{8)?9f%3B!Q4q++k=xb>v_< z(wR6C$PJcqFkPsK;;CIi0moY~tE>U!K*@S~A8KuucnL7ykAnAKH83MUk@>HzHvnzX@8A2^xdtOZ zf8sam%`ZjqpH+>&{N$gk9X~A>e{E3!bm0FhnjhsLpo0FZZppPC>OJa%}?WQ$VIrAw<6~MrDwwwKzf@RrTA4TAf zabbPs6N?!kXWL_W7}VsvoX;TxeH}#;vn%aqt}Rq&1$VDr)SvS<)2%vs7(|XeFfnHs zDvT9_HQ&w5ie{n>7@F%#aR*kYhm^{C-C;Q{c^ZgG0db0v7y8q+k0Vrz!>v4VCtiA{E=bIJd z_n-WaljpC^7l7i!zXJHjd|~*eSN<2_gBI0A+Z+)@k6D$kXz}W@+wg~}?*`4Snm_j{ ze@<9fR?uUPrLdFNHR!v&yMRK>((qOK2$?!Qww!j%vuxKfv(!10k4Ky7bqU2)DNG%t z4&Nb0ZwhX6vWW0bTJNbUAZADWz=7nYhGyf}@RIwLla_OvlO!s{>u9pV>RzTWH?Rg@ z)rp*7UA>6>8MgZk*RKv-%?HmIUfLljkr+u+{as^m6R&e%UHnluHiLM2uB=3w*>LKB zCDsXoPRoE&b%^0(hiZuRg3$NsoVY~Xz;YjaRhX{~B z7AdD>DXDr*IUt#ObYlWTl-0Cl@_U#hKzZL|M1`(;GSWb#guW@ovg%Y|5_e$0c(if5 z&vwsWWUP`ZoEUKmH%&Z%JMg9~Y~2)v@GnEfo2DLCWPy)!0r#p5H!D=JcIe{ok5mq^ zY{Jh~%R3W(FEyJOE=j5LN_x}Q)s$}!G0Wd{f_|Q?^GPGeA{3<)!#4Lm61MI@h$EDx{Y-_e}q2=a0fQyz< z`xU>&(&1-LYe3@JJL>ZyykCRAMi892W{y%n@kr09sJS2D6)id4$%~h z+#1BzAd#2uGC3dd*lg;{DgC?)+d2#?w{y`?;@@=}^!lNiYb}GXj2I3N%ty~#uai3M z`T4?0w2keNMrykq?8SrX)@gHP@p6oT?;`fzEKlLU`pzw*@bgN3qW=C2Y3`=-`7_VtfrWY&k+K&*PtE;_i7u~lA* ziFgb6P6#$(xgxln8)C7q*EU0>xZ;xqbU@s3&BrEy6)_J*c)SBx+^T7s? zh`q?xW~(aIOV9KGv&}@(H%7KKewwAY76Etgub}a>4E?tzVvOM0epVvWdJ_ECoO=_UosAWu+cyM{TJMt5nwm*?fXB&^S}IG zKQ@kEV*f{L-#@T*g73b>&~$%frtqyOqX#r1{$g|tkc9_i7AycYH2QD4|4hn zfMoK|zyOw{tbZ04>+j?Gxt{!6;sW&IF#)R0f5!DqKm5A{*nhfVtZcu#VLuaU{+7T1 zE({!iraZv*59oOW2uT4>T{ym5l>Dc_*cg5n*zYs&|Kk*+2WU$H-l%^D1~4CC`EHK< z9|L3gU0^>~%zwunW99(3p#WsH04GHN$t}R#2bj75-p2nt_nGK_|0sX1A^w)YzRAo1 z0{U^sm^lD1CmZ9R1jh9HNBJ}V>2C=PusW~+nk0Tqer7;>Fw1v?=>PC28Q6Yz$C!Sb zIDcQ0|2%R2ZvOsb`TLe||7zU7L3zHf+&>2W*XMixHLwE!jDDAsGXfgH|7uPi5iKj* zMGxC^a*N7CiVP?IKJN$#BOH#9q2FR5+gz()%F8~$!$V*aFPd+|;C^r5>i&f@IIy{` z#lROW6M`>=@(}M{RQjrtY338ofm~hq3kXquMzDjNbrt)ukrT`Ln-}cL&&&C-6RKNeRv;!RL{_81zn`z$z`12Y1%TNBt+4k2;yYGJ2 zKmMN|r5y*L!2FA)U61N=)FLag*J_)9YyfPD1JPyr2A=I6t2j28QwRch83kIk)MDr7 zSV@Wbnl?G)m1AncR^X_lnX{A2=RE= zFYDX0s{&S_7n#lU(xAHw3_3h?=XT zeV|aRYEC^bSDW1)ucw#ud#s8xgSEQ(QS*^+lk^acR}@6}3Bl~jS3DY<1Xogn2LyBJo9x^%f7Syl+ogQKL>k5e3RtcTDof~MaxP{r>3I$)7-iR zcGqe9(#qfnpWo;Tj7TyI`!C5}+WpQbWO*#sVifU(oqwXBkZSnaOKl?b zBvJ3C9z+q(X@-;RI^1*iHf0U6w#7PS9g7{78V%ysqW5~`Z$C{NS}oxTOm7RZEmVHU zaj1Z?+$j;_kl*eaz>UJ#jxS1A=d1w5)eq5GR^>r5RTOvL65Eo-l9mSYrEDTx)tz|{ zy;1bKZuATCr_+2=T*tMou8_SQ{1q^+J0x@^rA#H8{f1ap6Qy~M9LPSe7lLXYrIE(ikP-gEuDhMvqA(T4MF6r;%wm=FxrO7t0WyUD`5OQI?j8k0z=XVngk+r zqb&dAB+`H zGpF}3{Y;S2v)-LD1k-TP8XL-!Gc0SK?`%G!p=d+AR%Yc`3b7YL&Iv)J@bxwf9XH#Y zxv{gM0{*h03?dO`lsRa?=#QL;wal>sNviu=8GAT|zV6okEP9EZ_PWT_KH@fbMGDzk zSGWfSP1K2M6bml`dI$$kgv8LFXKw;lyzQ`f0f{0hSvKiD@2+JQbS5)dzm#sP8ZHGY zH^*m-Hy?R5&=UI^0m%_L9ItDPUzirlcX!HC=y*klR_5bp$1>g!2#gOdB%DSNI9CIX zce(?qgo?(4pfZNJ>>&J7DP$SrrvpH@#5nt^!%X!7MOs~(T9O~5l4~E*uU;_qYsRP^ z(%j|ccKW9qVe}(n^$~o2dxI|+W}L;@O62JZgG(ZG?Y>SXPayPq=?1|leW{DYG0JI{ zd&byJRuuy06=hJ_`jop)H3AX(n5VH{eP2Hv3lXTaVCsd|2yaX zKJI!7UFO?CW>`jOgFexSe}d2|#OjIJCZ%$XJ%)~-pFNwqF6;Bxw%2uag7}E+o$A*aueE4|lmn0ifzK3c+e<DT*crz+QAJ`m}p z8Q=SL#W|!}FFE5m*1gAIRcrCvdvf}tS0lYcFHD5^xwe}5B1sK6BgV5&WbABiwBl0V zl4WpK`OG|lkna<}-fLyvae38kK|kgBtfg0@Fxi_&1F1qC{eCSEQKJ>w*U<$C9Hly` zBM9vzsk!!zQunfJ<&-BypSa2;B!700_h5=IE+S4rwG~Z?=eJwb`-Zicy2Yw;^Nup( z(AoY9T#A4%4$NcI9!@#^X5Q&;qdPObR~wV&cJ@c&dS}N__nVZrQe8;=EhI~AI4|Uh z&YEef%&thW@!k+>UUd6XZWdJX@=S?tyu`lLD}7lV!UAR57Vy8t$z4qJPT`+#%grvu zQ472v)l*%2TR`%B|0YA?r8trsQ<$oa7v4%FAeL_6?yJXA{lakpVC-Lx#IGHfgRB0i z;{pV!{ujsPZ)n4TXeU4!z6*mMK@a{}(DQ#r4%09(H$ean^_xEC zAelb!F;}+tPDfMQJbtIW5%hAzezK3TIVQZw+-c08*p<0apEfI2@^L%R8N-sO4@|RI zbJ;dwk`4GU+GH}69Y6F+tR(o+ej%UjijWQ~UBF~tk%}$iIuaQH8OGw{iDzGjn?hFF zZ9==Cw|28ao1frqwWeHb4J>GGs6;BgjlbvzW4%-kdlOt_@Tz6fd+Q7F(zWLH0*QH7 z{CM=JUCYg_Ik(2_;a1W*;j7x4HwfCwZ{$6qejYP)dL-kjqzI8s6n0nFi!08?3%gI( zqM$QFpPpklB}iB1mMe!n;h>;E99~p!Wx$tRUD$-t$fB)nI0UguHWbdA?2sJo3ByxSB^$?JzADKWSNrJyQ+>Lz!x+)%U3iWwO^tsd>*`!aRdv zqi49I>&j}FT5jr~-X@$thH}@G(zu=Y8G5UK{THbqgE`&%i)_zB`&N65yi_A&DBh5h z;h`~q@eV*&(1H$Mls~>nwMf#>DIO3 zCDCMfIJ)GZB14_gFW=?ZjIz;;*~G@EgP`}RIchntp*_KsZ*_^^+EdkjBPQpq@Y~R( z965inw=a^;+0PLsUMum|arU;A)oUZ>y^fqo?+#K;x)hjJSY%5c=voGKr$*WF@V;r@ zet)av8^d&r97oeP4bFn}T=V){m{Je%una=GEEHJ-3C!|ctK<{rp@ho*)}*K(+|FYg zOOyGbKOkqpo6vdw07qbZ$&t!^!?m7&{>#{h{`{cc*BBVS8I-L$$fr;41G(!>#XVoAvraJv`SXgC=glJp++uaV96$8V!gc`SQvRr;p zkKt4B?zOLLJo1Xe8k&aGWfelkxBaR;vxpbfMUbi&(q}YxdD_0VeUgZbyIzzylPcbl z#-}N6%}`6htM|qB6rb9s2W@qUtB~oXWkX(bL$_t~hN#k)KDDQLCqi8b)Sz<2llMPz za_R2MeVv=R|60=M6|UH{vV=}m<xpPI*pi#7dgTxDLjv^(T;J+LHpg>9SljcO zJumgk*P!OGw`r*vH%81}`6#XNfw^Vzlg2f-emeWf`-Wu}-PPl0dRzq#u@ntCE)Q`^ zE`~EIPvYQ~^y4Y!ncf`<6aMh3H6%*CKO%rcukb}TO}DR{N=zH^3n|S$Jg?RHfi=`} zKGjfrXswf*)u(h@b;_^o@gzi&+s38)Ei7TG@~_xz2zR>#G?ww?h=>Tmo9lQCYTF&T#lasde-`t`+EC z{vhvB!k_N>$>DXO$%pm6$`|yuN=putc(6~eD@?!kNlnri=1F-pcH-?tm#a|vix-d< zzjpD*K~(S>5_>-xQIGeuj`UWoT{Qb)|6B|!Hr~BD+oFN^R9Y9=4{u$A)|Ur2e8xn45R7iAsRH*2bhhM6~wz|NK43tOH`?) zePU2n@0T**&ok=Jy)dMB=8NSvk3LtB(}Os+xjo1ofqEmKR_@1?gkt%KwGD%5=E}L< zL7y%f@zzY_UHoz<`VOfB_Z`OjsWl-1I4dMm_ykzYsjsayDC@YH=YqO%uBOYNkr>jy zxFkU|AM>T(!(J}_n-%)En<&>xbL?fF(2<@qZ}G%+!v937@6B zMQ2+h3Z7v3Ne&ow_Y^#wVZzbaT;$4Np}}{gj8sHmJlDb?V#RLdgY^o}u;IepqFaoH z@CIOFI&Nyts{?dU}u16WP^>D%MJHuQoJP@#kJf3gX z#D#{SSdt;r&VA$@WN9z#eb~8?N2%_t@APK!5+z0FQ<0oA_>gsuVewbB9?D^($h!F- z+&*{T*~QQM)~dpz+|Nq1Cun-gUcUJ4b_33=rk0!G`)lQtcP*X$F7hI%Xt{NoYvIE1 z$K*7lrgCUry7yV#&Y#JxN}ODOXSz{DobyCwc@4t7D-7uq320rum%o}L*2hY5*a~$OS!0TaV?x-*Q z=Rki56eu^t)!0F+P$s7wBpV zbb!Gt+^gmR%D6z%7^F_%{XqZ4n?9b6I~dSEW7&7nZcYve3k*yxJXHb(DHEWP1Z1O6 z$l-7v%Pk$u@Sib^9R_kF@BjqNDi08_2I4e80UGom1)Z!{dm9 zO>uJkaU_&D_S~=I55QOZYvKIj8Mwv{7s$!}+`NmOTpwH*?l^teL$4Hf2$5PmR5>t<$iD&WrK2J*lqQh8}70 zH6lqoOi|yO?rHRn$?p0D>myc{)@!dZXfEFKkSD0z42VLh*R$fbUAM|?K-_D*xTKY= zke@S~>3JW!_3^jKIlt_3wZ!LJNDG7;n#{{-_fpC46`U$2y+=c*E^6w|S3d4k<@eS( zgY}sN%x;%9#p>)Cl%f8v<+#Kv?GJg!21&nV2g|?$MKk-H`))hX(0$%a>JLw*k5}Nb zzd)o`<3|`1|M9}5M&8#bY7efx_N>V%MloJR@P}FPrDkmQhN(WdLPgSPF-Rev#gxak z*4J)i+^T>63srVriK^4nS;qD5vl#hL?Vh{P7Nw3=bOnBlly3MPxi zC3KG+I?9mFlt*p6zULfdhj-C!;X#1nMTfE_^4C{6FI;%qrk&p#nH}U2ygG?7gU*={ z(=27l_U7WOJ2TU10S#;_;w-l14g&)>bee19_8Ych1E}@RrS>t5H?MJi8+D)JlC4#{ zJJE_>bW6ar?}6%sk?yIBxy_b~%8|tK{h?T>k?tMan>Lzv#*!tDLT}f6T1g zYA}{x+sI0LVydscW5SM|d`c=^e_IG!ocYyVU6PJRv6XN1Wil$*=&)jJBl=eA#9yWby+rkW4!S;uc_v!S@~jIwd)+vZq5cUd$x*6ghMSY>8N*`!X!G3*73Qt~Y{6 zJR{Q+3E0)%Bl7%B+;oBm1pN|(K7K<-a|d+ZlQ9qU#^lp z{j_hJ&@sDO#DSO-M?o~x%%51l(Uv&2tpJ(F_d`kF!CV-YhQw?}F@wd_UVtjaYy zYx@)(l}zXEgc_N=)eT;LByX!v?iMM8jl;O+WB-X5Nw9qRQcOma+7>ReHONyJ{b-l__CB-A9FwQbrYPq6dh0TX#Nw0e(p+Nx)Hl) z8M^+>8u|t{lZd3Z-gUCqd0I0IXk17MxIPxyH7t5dl}-+vcE}3F67Zr6$V|Z!OL`gC z4MDlPglhi!L0}KR>uX5B*p6-52*-^tJ*!?YvV?T(PX(L9$TCb_c5{|P#DkHF6c^AT zS3qyvQMX>1q>>^GA^6lhy&Bj~o6~+1vbN9A{aSW4Kq%1y& zG*5N;yJ5u_mdxI?T}aHXmw)t(L#r@enVaD8j!2cdRcw)d>zVDLDMwPL=$e}!bVbIv zwXMK}++v6TZj2)V_jBTTwZ_{f&_NdFLRd)OI2kVzN!r z=MX9J5p3c}@vNATl1mP3*kX8*nix zSLjF^IEge8iE~+*3>DYzl{(B}#_anBGxj1F)#rUn%I=};>Y~VMC?&8y^+NtCs(B0q z^;zO-6l0u5vZOleIS>4}b^KFAsL2d3l@j8!X6kX9NUY6MlM*Tj8!nl=&-0=n)NOK% zReh0j8Zk|nN>(VgIF%{eQ1@y02gORpAd~m5&OM^7&7Ar^xl1yN24?6B{33EseV^hp zoUtBCVk(l-wDPWmG}S1+u5rwSg@}E_pp{Ft+WG8x_WCY^#C=bab9ZdbL{une^ESSc z@)%Ksc_=*$s>glF+u$eaQv0Qm63DJd zb$YpV&NDktEXx2&H2&QE`F)pt0Zu-ICpY^7NYPwWqRYBW7QQG2N_;;5kY^z1^+=mP zl?EfFK=M~I3dD0^cuz>HpY<&Wi`K^4(Nt}aI*YMM5zgarXst58xcA=>Wx@a z^b%ian@iA~s-(Xnz_hm4=*RjhFa$aL_8`yV9*JS*3spsXLx)0=PTv<-qI0R^r#ho` zd<=6^$=E=_Pof*O7IG{*29Sg3Pp(7s43 z=nY`2gBWcP=UOO^d-csy|5tk!*Yq*MvjV1pzP2y@ZBb*s*510r`*!ViYIW+a(~ZH> zq}yEEcG`0~ZOWL5ew=}Aa~-nW=VQCfo^2Og&7$PqJ^iU8Wv{_+d7pOcOEjvK???RHU6@yDbs)S#2Rjtm4^GePc0!OjR+G!fwD=}JCyZLz6tfNbuF)b$Y zI$qIF*C84YnMM#;w=6qL#+W8v8eQQ_Hl%|sXq#Mn8D&|6R+rYC!A?Rms4NVT4&sOx z&R;l#*YH{a{Tk^UGs%2(1Tl7Acq8^j>FevuG+|#iH47WND$QPtAUqC?^pZ+uvd*OH z^2m4yOLDUsOmG>wOv8>d@1+~%DUk&;zFgmH^r(*`zUO_(&E{4cuV=4%Q5A`EyrV7< z@C2bor=Y>|T=2F7@K%YDtdJOVo}Y4CY(|91UWe#@e$mALv6M8d=HYIMT)O{GO5|AW zv)7+WCBF{Lgqml@#v`m?>$TVBy7TRDG6_q?kt}4!kvO_*B9Ir#pvSRS4h_c1H|2BJ zp!I&mM73ayZF|7r7+}9APR2j@EZ#cR#{T(~SOudbb9wW4&nX_WFy>6$I>t4gp$n6g z_St-_CU@?R@ll>WI|3^U>!S-Gdll<{(fJ1U%YYQ_s36(A*ADlmo(8G&hdRg&rfeYM z-0#txe@?W0Ke7CjF4ml|B%(a;x?If|@5z#N%sBHR^KW4?VloSoP2f zYS`z-oR+N7hX+{ErurL$&o+M`7EvC2qb=rO9#Nn%%1kAbmb}T!&1WQ~Xf&iS7kA0- z6~qqr1RUDzgi4cayY;|N1q=5gys7+T(3_^qU;|~~HK&tsgh?xWZ z8Qg-05te+VT$P(IxH?C_ViImiVJwWd`QOZOw-NaqlJ%CMi(sa&M03|#=ENhK#cAIz1$zYN^DAv4?Vt>u;w!V5er-^Kp@%y`N{9C@f z5*Om^3mTkD)E)#U8wOm+C#sxQHfT}YxM%0rRL;5`k`W)Ea((xay*jI%v;qn1Q1RYw zrynaz`kwXnSo1_{Sy`dY?oM+!|MRj9(+g+BN3lY2N=(mmG=CD5zIN`J(Q?Ek<}&3i zx^SUrB0sj%J8Dq;D@{GArq28!4rgw%&V3q6*Fe+npMgc~tyJex6TW#)jKsR0p2op0 z8ls3C!xGv|yq>r060P-?tmG>5rd@xyFm7*{E`3_HTIZm_>|8Kf15fhwZS+b0I$3av-4K(x;awhZEq*Iv!BG^;>YlFOZIdulZ+8`;I4YfaW4lAV={7PvGF>1{ll< z)XQI4_UFi|pjzkv9)fWKxn2;WLty}e0n9eI7%>M2&%a|ZAO-q!M)RM=wEyR1>-Rx} zH}wWmC^QF_!nJr0xZ2$RyJdfe5&j!+1p^ow4D2HqI|o2r;Ig_v{Tnp5fk8Q0xK6@{ zARNa4qJI{?{=W_yI}mqa2W`lqY@8sI4oCfffHBWWgT{7jIuEw+pV~H3fmlwU-UIaI=XG{)ru-qp;7gwyknW*S77n<$5-^kv;I{{|#|Pp{ z|AMJOIF9iR{#k(ff1b^QH4pGFc6JCj+Q67`0hkXY|JmW7?n#^TI6?|EmySYkN93U) zH1Os}+yE2&8G<{4z`>!rBhURB?t^pR|K-DgHV*{G!U15lpFfQKKxXU5)c)erpd3Kj z{Z~NY5rwT^JP1T~z~~*92LMV-e>3&}e}wT@@&FKSFgd@=jJP*w+|P;kyj4AVB0AG8 zWWtR}=F(bQnr?8O_@}CBs=`X?hgXQ{ZX`3D$M)P^?)L(YLH< z_+!s|%goiu5x?n*)$S%UBqHk$vv|zf1mDHepV68^TOw}9SUso|%PI)04jGfV>wCU~ zBqsPtWR=XlYDGOpHHmXpmtHWRlDPU!o3eGnT4-si?xsqeh-(~-8U^2XYGd{5e8uwD zkw!#B+f3o6O_r5+iy|pbx1-)c-8S=aM49ngB7&57($9|=kEu{Sp_)>CfQ@=%72u0}Dg}Sge>N^#WNNR(>JW9y$W!0v>Mx}o1cFV0tkJ`<$ z^UV;J1+Gqfn|#hztMR#S- ziD_Qpaym_ybn46bgp#;^2&!^m?wNZ6e1*#8<+AaXS=SJJ&PUEppUo1|46OUAWSIjc zMW7J1%F2v#Ib&`6#PUjj?#t%5+?Z5P?h+PS#C!H)3a5Eyle^-d)u=xDaO=J)pQjM- zz1b!iXy)hpCNk%=$v-@?)O>e~KKC6gN?v=s%=Qy=Y9mm2ZtN=#%!%WeG^qk||uacba*1^Acv?^?)>+ z(@N1W`&=59?u!Z!dkKx>?8Nx|<{b)2LoRD}X5;tX=na;zfgyz=Y7k$82=Y9)dThh~ z%v+efF}Tok*FaW=z|Y?^_p!YK%5`(8J)8syCG40 zVZJ7|$vek&wS=WWFZ#uKrIm}wGo){@KIp!z=+%sKlY0~$rq@;YP8OPWPf%t|?%q(0 z>QGG6N+i`w*RMKKHs)Smb11Q=-^X6JQF7|-h~~+~bFqA*V^m(hPdP2)z(>F*T`EQJ z?9?KJf^pd=YO~HyuCNIPgm#scUaulLcX_mLKQCAad@e}hj zyh)w+9cVA`b5vM}N7k*>p2E35bIJl^nVDiXeNK{du(#Mt;6>}z$Lt)D<1)>H5mW^? zZfjnaku%M?CB#dK_$4kVpYz;wVy&ezn&`~kxiP&6In&4v6m0A#n=jm3MZRq47s$@6 zf5|9&sF~)`$ar1K_6>XI%q)y_Rw}YjoP(*y`so=_t}!uNwLWS zBKn2wh}*ZRmqu16H+w(QqVqAJjwT+QwVlv}dDDd(e?H3nkik zE2AR*2$J~z$>sIE87|1@Q2R?OD%*^fh^tijgWhk0xgF0F)G*FIlzCWvv-4%VkkBJ^ z(B!*wm+`VZ!OUgpnoFCx?2>b}0h@*LE=to5Yvcj;4xCk2Q|1&(D)Dn7(t4lVa}i^_ zfl*ucpjclhgVP*`_3ezlD#>e%s*ao-y?nN!GDUrwrV9I^pmovcR5h$>%`f8u^@Ix* zE-P1ee1hsRXVb+HWHL`RVY+j0tC8La(=om^ct6l+PM+;1jmIK=%Ro9NuB9(4E9?HX zBI~#@oh_cYIpt^c4QY{#=z;iKB`z^Op@UhwnLb4Ldm?8+bMZ;G#?B&csmh)`@ZYr+e>2FF*X3H$b{DmqwGmv(p^ zw%yOrbUfTv9b6!#eY}sTt84r#ZY}UI{_mHPf_#1@BVO+{#z^q0n(!IKAN2Hl30-Y1SN86fhjmbst#& zXDkDbAPW@uwGpXey0QZ!XB)y<46np`cnQ*G~3mO`lFB{5O#b!CX+bE&=8Y-Th@qv|DjI**@m_|Lfc zwvIl`d{no4>fEW!CnNK5eh-~h?oq7^b~*JSS`l55AtED72)ml7|Cz1DZJS0FEu9c` zRPAwEYNz5ygDLgaZ2Q6Wb6Z@GDgDImmOnl3&G3FbPtAHY_U;Xn)Yg!+1pa7cfx4R} z=f`MGCodYyZNGXl_e$GF3NwT({42G5`ckePCZTUx2~*4KIxlg#G$p04P;4cST)i*4 z0eP{_#i@NyUTbN+y&iNu#V$uXMPX?{t#{fp#6&Ue+e8?)@0bT<{7*SP+F*ZJyMqPWpW6eD?$J~1EJkEYFp@M0< zL8Hx+n(M;u42sE~mTH~40d0y;NUtE#SUqWg?i}?_Z1QFX{N&lKVnNT$={Bi7)X&ftCieQDmAc6@yqbX&Q z&&rNeDk~J1d4Ij*f%N95PL|7EayfXky01SXZ{ZDKwl?d0;988Okdwa|qah%DCuLoc zM1Vi1-zPM+knW?49HuD>rpzmW%I9QTu@jKxEziJh&9kYu1QCiT{jC#TQJ0fD^dz`# zcT9Y;Do+u`iO1|%_ANxf6Kg#syg@I_-5xqyv__rA^WZ73%T@-tjW;Gat?Ni}7-^4` zvK7Y2;5}rE0i#b3+nt8YNWUUMacHqm#rtz>~=E zBzAs}4%w{D-fKw{bGFLCFE~Vr&7L}#UirfXZ^P)wPm1VFOLPu4;)Xpp6>19PZ`_~8 zPL`TLix_Ugeb^O&B~;Z3jc`o`T@?O4IV!&dDaOw{T!G|Q{AiqJ z`YD@Q*1}0pdQytSQkDtXlHx*|q}^B=`%LTRS1!faFRBmjJrED^*YOdR3T8;|zQEDcwliiyl5k0!jkO`s z;I)g|-AYxf*L)x9ZY2z`1X=4Vh_s#8%hbLx8o=sbEcbAh<-^0XuF||~H_EZYI*dNm zNMBsVr-|+Jndf9mw&=jB!OXd6ze^J7SO z67SC5LW#Q1>}z$08=K~w+C$H~x#vo#EFod(?+{oEMQ!o5oz&2zKd(%cn-jAM496>q zuHfJas-8}pyxaen>)X|{*pw)Jk|Pd; zEtrDFFc;VDrlQL2CpsC}!XGCvcV*DI(FJG{NDBh{NHd4gqJ^<;bPnWcU1!a~Z`>jd z(77V^GQ~#Qk$Vo;5Z~r`kwPBl400`*zVl~Ds^?93kYs~P)O=ms%s#k zEAL8-O=-6jyKT`oz?q{XAIyU<PX z|2*zsLl4@a%K``Ypp+k8Rd(QL1Bm?K_3s4S!{7aJZT~lq46din4bNKu+#3RrMs{vM z#DxOtCcwSfxK41%j@OJGn*WDP<7Q_8{9ur`fU>YdK%pIAlR`lT4F;6wA?$Do_=5b>S7=6i<4b!&cDZ}z*#=}97sxma!EK1{b#55 za0mSuihpo=|JGcRRrGH~fxqYU0%G!CQNxeYKPcy+&-)wgXW?B+oZ0ZI7k7!w3<#6v zrTZSM>>H}wzL?)kg{S?>85N}?!#KF1qRJ_uetSY|vP5R-^y$30WQ|~}Bo~!Q;>$#0 zCg?5Jx+_GU+Y$^@e8X76{c;lnUsX}K%-5dD_TyH(e={$3=Y@FA z7zsX~%#8^V8J#4k$C&h7k7317D9#h2DeGbJ1PZzHdHhU?$iohSx(lQFrV-`$sI@U$ z=K_+VSY~%}FF^_B%M^AuahzoJy@%V>7%u4f?QEq{Oy=rcynY{l^I3P3RIlhgAGteL zUG1`F%_K8+$lBmW{l&2e`Fk?r*T>?)_#QnL54uJE{;~L1b1lGU|J!82*U^CiC$B$H zNbt7@f4Po+Z?zosQTeeRzpoY!psx1YA=2H($9-%>gWH#KV3=|eK|6K6pPU2Zoe8of zp;VffV;pa=MLhJ+d*=k&Om8m9iB;Q&<*Cq{#O$_RE9y(YBwG-uWneVvw!cE!hlSiui${+( zfG{vKo)Pojwv=?>eXs?0eA^qwq_N9&{-~~1_Bb_CU#q`m;dBClr_VRF1smV&hpV{x zNS~GULLxlt&uOq)ZO$3la*CApnK=h3L1R~$pLYA^iXP0wf8kcfqvi#jwYVobP9$9I zy|EufbZZ@H^P0l6?oH_D^9`dpPtz%TFgKsW65is(B;+4hN!$!4QJf~xV$_>QCt!#Z z5FVouHza(xQsB!;LYNfr4u>~+Bl>~A>l&>x#JKh|YVip6-ta|hu2!7h4U!eADF@n9 ztiI3+%#ZGq5^a2`P+A1sElycBkC$Kcn`>0CeKKJUO=x#ChA!}P60Y>1>AgC}xB zHSx`I`@GqHyaieE2L)T^(nUj&WwhF}TH!UyEW^WJ)q`2Zrn(t~TGaBwlOw6@yUk+sv z3r*~7tLBd$dnIg8qDHJqL>yh$y0wU?$-;Ug3x`Wjd0sfQ5#zI9{naFL=GN5&uo%o= zv6L#@<&wy=SQy6Cx^HPXCo-$o{Xy}SjQGu26FClw?Fcg%J*PQ3qMYx?0t-Z5+m65$ zT>tLgtzT?R07dHAvpN?K_4yf zd7yFM;rs9Y5;({Y-+#9cfEn=jNBpM)+kfoo|K>ma;LbpS`vjU90DX7RB@9q5I9S*? zPN)%rKp^ZtI|2uz`DZNys2@ns(?Ebj$H@)vjmHI=1DxR4K_JJ-7Kao3M@@s52SLGI z4m#hnZ~*`JpeY^42|mitgoeWf_h;<_6fGE_r2tA93l#M8hXGy#^duhC&m54$4e)2} zf^$>gR1g3;1CkH$(SfgiQvbzcBq(^9-One*|GCQ{Xn_F&78qDlz^gszCdhH1e#Hfx zPL6-~(4og@GlyrypB*wbI2I23%Q6T6oKNDk!H)Uo;4l2)A%k}h;RML~|Kp7Tf0%>& z1kw!qal`)Z%l?s*3~We%Vgn-7kHCSG0|XK$Y)ZhM`uQX~IM@H^TtcCM{{s;IAN)ip zj0=?Hopi_^Yin|N)BIV>z^Vc%1;A$o{b2#E4YVKSJ~2DRas0%9UsZqBFpxfjcWr^d zn^l6LgF--)8uk-5CWQO=Wd1pJ;`a-aog2o&2J$!XcA9{g2oi}JhtXWHbU!}3RGlO5Ec!c$j2&J1>t6os7B zuo!auG&^vi{;XvHZGh+XzPms0Nd+BtP8c$tV_?IP-l%_MGQseG<#pJ#^32UGG*hC)bKMRLo4nob7A((>#j30aE*mJ*5vL6Pd zKOXueY;y$h0~PdtmDB$opmU@K;0OE%u-o4SbbJC1gl4X!!2Bf|?bT8MBv~uR_r;36Q>M^n5+6O(3Zx$r5dYRxRk^=*jMs z?4bBKIExQrr~9-4GTlAxo%zah*%O(bguxF@eM}}P}Yw^c))sAPpI>wP~wV6HFmKEwhJdyOr zY?vrR+@o+Dc?qFvH^I8v`0&Du6q2h3zSzVtN{N;iw#G$$IDOaOcSca=E%ck1cURp& z==ISxEb7Gd_1`B1#H+8rz$lKah{Ge{r=}**gV{L>9v&9-{9iDN17)tvV+m7gy3}6CElBN0lBJO)=+}1pmdz+>rBOb^EOyo?C0UGQf8KS|9 zrkVDO8OYu_K^5nV^v{@(RX{O^eC^I&4flzBU2f@<6U!blh@wJBgh3!KgzPCGV)asYJ6K9sU^^JXu#5t(c6J%d3m0X>nOTgAaps7k zby!B=7-Qu52?aGF+{O`-Gb3@9cA1PDJhayv z-^DU@Rd+ru5x-Ix`MPdRf-IVeovhbWoRyrj-bII!PJ|x$%<~ya;-2XZrR`B!xemzv zQr99bn$47%P}V-Ki-K4DUHGSQDxMVzUp)sC5_&g3L`|&=LAZBk)O)rn9)fMjBvr$| zVV~QKf>T{++D1jqj%NwUg0@{uU1e9DM4;}$&G*LUMJnktcx7}xw%-00jmS-M-RnW0 zkuN%=LAo!$lG7lp$y#abFEB}=&36{ain|YvN001Ie|@6sjA4{l(W7ZiWU5g0HD?jN zeT{sRdHGx{z6KHUHi1K;?6nnB{EV$&ZR=_F=3%ZDg?bu0I$w0%r|5%g?OzMsy;{?< zdE3^c0;L6Wk-UgLdGkPmXA4)ta4Q_e+~*eRX0I9t;1w$okV{XuTFP^lQX!yrTrM6* z$yll!n!6RMTCu5R!5iDtXyQ2?IfmhZBj{qrz_abRwvG3W#L@#HHv*4)w=+U>T8%hA z*8IK@{@oIR(ik}`2Mk`};V!d86)nF~8%=V&S)UY4r`Vm3H6OQqwzZIA1BtpN-myeP z_vh zAKAxfunua?gLW?BZD=b|MzpM{Z5^u`GY?+bYV}@GXS}BKB#=1}mE6GOg1;+q0H_(gUM>i;&S=q7@8n&+Q8amzP87^6rm4HDzGeAZXjUmXeO} zY<9C#b%$p4E&7E|ZFOi{bry(NmE4pH`5wwIgX-oI3U=&$%@COU=<%KVX0Ed5u{HTq zR*vJkCelEKk+5qb>PHI1$6cmhGza&{)?}#(K2oKcMys&r6fGOQ&Xm)b8hPoRt$`(kc>G}%dDO4T%frq#5tQ}2_Kr4RX!?}3h1(3nc68gitwpmz*~E!7#o)OY*Xt^~ z=hEv+z`>0oU=bL`XOjmxJv)$aRfZtl+oG17f4yLfmwPN^ZlH5*(X`4`<(bx}2Ljw} z#h;qfs>2asVV%n#@M^K}ndjMJIrgJ)g|*~6%%-Bs#y#A32?;+&rYsCNkQrd+r^l3I zs4S??aw-7bFrIN%+g!yj@w-dqw^v*)v1IPO6cU-6nOkpf#~Ir~CE@my?99lYE46%o z=Q=80bUbXto@GomJ~m^;*h0hA@E2D!$glr(?Em_TKDZfuz?1l`QTtUY;uodm|5pSXv_=LT^8@$^ z1{O9uoFfg;Uch5vft~;p90yj8H0SznV+Ic@*}$S^2i#x|@O{|<_{jmLl^u@corDt~ z3wjTB&!5==@Pb%?y8b`I;A|W=z+V0>!yw0k-XnFG|82;AAd4Je;e#^KA6X@KF3`D+ z^90)a@e%vGGydP~g4Zkn6b=B1hlat)?|^Ov;Nssf?D&WsoOpj`F29c$1Q@~wHo=e6 z3?9gEp9J6i;xs!rga3?W@Y9POq`1II#=--qFM$*ssI)kUu}(DYSI61Gz3^vjgMs;E z14RozY=bu^-~z|lZw=e8jx%t9{B`HT1HXey_+)_PNcsD*=Y9>a9636F@eBt%*U5F9 zmUX12=U2}`;RojN>SgGWlAB*W2p>&=C>V4%d668J zo`f78lYPx{+4`(Y96q@%-*^Yb;}FEKZe#UQ(VqS%J+>v*xk@`bXE94q&e39*bar_q zk}Q)hJ3mSBu^KN^B^Yhoy4!Wbb2nKL4d%HUT>Bv4k#4v`oZ`myi-o+3a$;{fZe-lv z6lFnn+$GT-RU&3LjD14mjxG{Rtzb-CmQK9Sj6UUb_5NowqS3lW9ItS{p8oQ!v$*s@ zRYT{cES9WEKjbbAvF@p8=r_itfm*nKdLtBQN3LFWWo*BuQ^4nv5@fppv0TvA<5SXVxR@ zRGeL{AD2Vg--5w**P%0YKi#-`YwaaT__ud0jm-S<)u))*b^?-4)y5On*h|%3pP(YK zD{4I(^Lb59o6~r7`mR=PpyqJ=Oy#cH8^z1*PC4F9u3f2L454@-MX6UPQe=ZBvDe%C zN_BkMF}>*}7^JbtDDc=w`QDsq=GVA6QDc2I*Fn5_;?{L0Rgx#|bj?UbG8>r5Gcu71 zP4{Q4?UZk93e>ifjz(fIICVXvZ-1NkMnUI{;6gz^x~q7ZFeX$4N4>%S&DG9?5@zf# z#kmTzsh=d7lOLZq+zOI4`i!Qyh^K+RfFAl-Ox)Wl-m8!I)@>}NI3|<`BvEM!pZ4q< zQ5ARe2Ql^yrNS|rCSJXTX?=WJz&3jrT$=*_bBv-B%j8Et<7x z4uN%sREnr}*&j`$OkUtwuEh51athw#O&e744saK3p3o#0{-6cnY{14~)2+X0vY!yD zyD}SN*-6}bfm;H7PmZFTB=r1Cbu`zh)1D(-v_iR5l z`((ZQ7CL`N*~d)VVf{mZ`#G1P@?My_}QFVgo&F4t2t1QVF1#H^zP`_PZM%(7m z9Jx?_(O;!zRX2iaa&k&a&2G-ec*0<>iUR-Bm)jb3`*p^%IeUD4ybSYlasG6HH(i&c zEcDVo-_S+$_r-!_Js$S4@t=8>e5%nGeac?J5Z&&=#%7E> zJ{9Ft734(C38!i5{IfH}%UD4XE)^Yqi(}T}b?>=a8quu*{P6}Fhz6U`{g>N{ml5fE z6u?ZlG58zI&WsfEpY<1bh!%V95*NLVk*QonLcR-@!4R3~d!xGovWBehi0KWu-ek&P zs?KwC(0ld=ZlpbF!y27I5?;Ee%XWU5e?kfSo<1+mY0NIAb4Id)rt@E2;^b*u{ zBHcYng8kD1BjYrBM6|B;F|>Nll_5N&@)xkYn^fK8<*Ot(OKFEx9dY%bu(`>^zni0zujj*OPl6Oj2IOg4yMX}X@i1^49 zhVLR$HHKAq#dt0D^SJ^K7OLUw8^~g8bvfCqwy&Jn`jLwk)7H&1v+pc^4JHw%C%0S0 zWzFWNGG+7c@eoL=EY7Sh>r1H3+tw5>52cCiD04KsPOIFHt@mEOS+FasNo8tlWpI(W zAZU$#iqWurZB>Tzj(#ZuRgD-F5_Zfc>U={V!05gThgOA^?ZwfGl`W zp$UI~h$_I?4lie*>2vUN*!SWLctarg?*nxI`|BYp0Xrxbf&csA^GDE!BSotJEs_9) zK>#~|n&aSh0%VgHYw38xDE72$y1VW58Ff5&SM*2kY2GInkN9RU(72fUvXVCEe3 z5d)gkzhT%f;+w-2`)4eJ0*C?LmFv4@FhB?30%*|hnRc8wdbo-HjA;YM8bGWVljAcK-2e_UxDB1cEN`o3P5G$TQo;V&#A09M+#xfwj zekff0-86Qfe$E3z&fhZamrLz9MErk6-{4hBY;Z;K@3sLB5r{t7f7dqdpW!4BnuCM+ z&y3p-a0DQN5Wt-OF{5Baz*0MbKmDs2{d4RNc5wW|X||B>rooRAcvr;VGVPZ$`Uk-- zu-bUw;K+B|pnwwzXI%cKZO3QyNF5Kr4-S2Wlfe-<7XH^#IQAeo-T=x4m(4g9&Vv;G zzds090tW=apC5!BDJ=WNCj#OO;BO!QMA*+oPDj5Z*bYG7p7R$SB49@f8GiAJp#L9e z`S>eSPxy`yP;&{FVL$#I;hxct4fao1$6vU`Ka+KS!aDv2iTobcafHY91MA=cXUA{y z6Pgtd`3dWAenJu+1&Uv7mBbapfgGv9TaN<0UEk7#-|;km((|oskp;)oe`>?Oz1~S` zU}J5_MaKlcZN%+`!k6=`L!M0H66DKF+`}k*7#P^s@!T*l?%==9aPrHxGGly{teB+T zGM#Gl1(WK0cCdniR=^`w83pZ;+)9h?+=iQ3cE?wTypcO=YQ72~EmzbLUS!>cP zRDSjoj>R{8<|gJaFC;`Y{g`xSF=K36=XR84W}MOI=p*EB<}{X&v&4MgH@VPw2yA!C zk*YQZ+v5aWmN|7zMq<=&9#g+b3#~R*cg~lVn8-;{03SmHAA+p+T-s^nX|Iq7M8X;g zTQqRPNT=rP<=1XVC7D#snPlWe@=6}Hch+dymka!MnZ=f;ayve*YDpotkJCyMkriva zOCy}u(tb6?%QscsuTy+m*0Fd4>6MM&dCnSHx(OOiqK`4(%8^+m$j@JM52#%}$6A{e zNGqW@Wf>+_4$0P4?Ic>8!Oe6}2oiQXP&RXO>~;jV zTIrU`ocP&Vq*^?ED#FR)u%fj!OEvoJI+LGoRVSFE<7R?-~VQ&VDvNwH`GwoD`SGNpn0wdK9q zDi2n!VoI%hOe)-1r++g=d_~XJEKBE>rXitb2USy@bp>nnYI(ZJ8B+zqX$4*-wzn9W z7*-iC3(}gqdxSWu8K&HoU9ieou}nzLs!EnUJ-wdryb$9>*Jsb!u2U=GlFuej8z4V_ z6W9OZL)?no2o_smLfG>M_+NvEWu7cv-Jrrfc{{52R;#T??XLlXfeVZ^1;Y4Yz8frS z7$>@PTJPwdZe=BV-=OVPY_0a3m52ZRW|bmZr`>~~QfmB_OV1zT)c9)~N;;bee*4A4 z&psAf!7F>~>e(|Qjnb4TsjnDt%Nd>!qTx>xp3XteWyW95rcY_aY8SK&>{+42 z>~St6i>TKgQ0tyc#MM4IqYHl~SVc{Mwl#d2vLadGw$!s|_+JC=g`cO>OJ*ihh9jq$ z)Hp&M1h&4ue7$;CAbPQ}f!2qIO|jVUN5v!B%7`d&#UEKJ!Pwu26<8b9XWF~poVy!@ zy4<`d@#YcpNRTvJ?H#3<{HFA&c#KCWkT$)!Sb4C|?;dc34?X&46>zDf}B z6VB<7pyTD6ee3&Jc29PLWhIu6&-cY;)T%L|#ZI+LYn`j!uIc3{pK{dWUuB^U%{{W8 za*8PX-fZlj{4%FvIV`KFwS-DP^P+@uP#1x^-%k}C{&E)C6tggLC1?M0YhNzbl%qW6 zcpY8-LaTEQ`9XSj$5Z~56x<~?!lp^McD*%`WbUf?p4B=}QsN{bxJ?TYO80CE_}gdQ zIazYm1s!e$RMkd)=EkGYcKcit=yOL8E%?z->)Ox4_MS0Qom(CK45QT@qeHrvQ768x z#+%;P7|CU2SlJqw`z+1s(`Ab*$fqx7l506}s!MrzM((CCGMa{?--}JDFucT|A8zdNP*qxf2wEX=jKws(&J$I2Xor z0B!^md+we_wvmG02&EjbbHZNS2-sTy6z4y%RXBFUt-$sH`URkS+h(0`?1)=AU^+4A z|KGufc0{clJEB$&aB76L+Yz$@yNI3d+pHCi9Wm=a@uTf$?)@A8bGijc1rQ+|=+~Lp zz^85b3hj#3M18}$i1TK(4?{LdNjtVf5Ln1o>aDeSO$1|S0 zfWvNRyMV)yLOXDE9zWo)8{016aKza50}img`FQ$m7ea#k@Ie;7JE8ziV&Y;sWPu(q zqQ|J)V*^4^fX;)EwnJkBm<9{@{Ue2T(1;$RbdQ|{(2-yZU^_N;K(>UCjw8l)z=-}6 z3Hr191PEy60z{GBegkoVEf}~f9A!vZf$i7tuLGDp#qMl_5S$(Vio--79D8&u`x*jx z3y8mfLV7=f1GD`2pHBo0xd6iuyhZjwKQP(Xzcgfrn1KhBOyGd|j{I9gpljs?Z`S=! z{O7y!fWHxv=t7lE_BZ_Jh#%AtT)MD<7t_9mu%qE_sDB1;{R7e3gLNGZ-U8k6_c37? z-hyV{5#g;_jVqA+22gqCX^kn7;NbDTUUVXnk7(s^`ZQUyVnmDgiYG-X`dLJ2RV4<( z@Rfq6;#d2wI^arQBHS3nW|$dp>*0Uw<<0A{Qj2{l&`22Z+hP|+IuV;s?DvYM*JTf@ zba4dL#$}>0f+j8(s<$gNKej2-I3ww#Ic749lG0tFrjdImy5;>ElU#>^^!#S}>0*Vr zAbMj#R7%nh^)2I>y`eGrLMBK*YRFh8*a<$rzsH@QNiuVRWf8FA*D z%Zu{$Op2K?45>6wC3>*$Gn%FZS$GM)S$ccPzA(x2XN~8JA*7vNf6}qnAQ|3e^Thc6J}wG9G?N~Z zavpMi;(#wy=+AwK&c86e$*i`iLt0g4xp}$sn|-pbZB&XwVySFaWE`#`x+|+CzmS%> z{6MF3-b?1?t*&fl>lSvl&|($MVvfcc7Xs#6>SAa4&9g#FCZrzqXepgow9jm#%(2LP z=cMwmh^7Hk#GCw$l%>TpM4HN6#&20Mq{xqYvsvGC5fWfz&4<-6f^V$E}dp=^r>itVxD)TzW-={ zFt)TDMV}t}a^553eB|9k7SG3x5i-7_jpY~6!oOR!ev&XQI30#a$J4Ns$x)Si^NA`~ zI#UhKxn|Z^98KObYQ`#qt1Hf2XYvUY#Ep2y(p+9Dk9<}Ck{pJVY}mH`gjLpw>*U$? zUNXbsit4cI!4Lf!k#TXpl_@nvlH*$nUgn7sTgavxS6=_w3k=DK-ehDnzp;;cx5O36 z9r#4(l>EC;>U)IP=bEnYGHEKEh`gLxMYMtzs(g`>w}9M3ftWR)K(=I>frkL6wRzMh zJFDI73-_a3s$?BnlOZ{EGK14DtPW4^hx=s^M@!%aml9<97lfQp_BuO>mYJNQ?~|_Y zu9%*ob1fb@{X+J=ki>g=9C>2qSWeDQeH-EK_+G;4sx!i;d|dP)dD>8{Sd*xXF*lFk zLAa_I+!PLN2n#&Z<*+d>|DgvmYQm3~+!P;9JeO*>3{EG}86?%FB3WZ?=vx+s#5!CzxILi2SD0>7u#WZ(OOqhEM>5WU8R)EyHJof?Gio8 zn(+y@|B;T7%BJ*X!!X_j1;y+eK7sdUD%vlbGsn+8!G3F}?rdwyoK(z=`{w({WCP;J zm+>M#0&LWw{v44n<9uQa=*ZzXw5lWQN}VX`o<4L?4Xu`aYMo52^8Jn3M=H3Ow!7$9 zpOFOC;3$YL2;Vi*jzpoL!I5&T>6hevd*v!jEn> z89u>MQEoRb_2adJbGkZWq5m?wNA%)}OQ=mKfg|t4sj+dVzdO9$ym^bq1Ibl_0#T}k z*uU(=FQMA}g|!Fm^P2{0pwNQEX%<`-TO3}4&vJ3rn!TxK#|*FGi9{Nu-Wu_E^nr}R z1%c)D-GL%Pq7aMDTP1XPdW40QT}4~Z$CcFI_MO+9&x#}S(@0V`Gc!ES3%{B zz{A>h?RjO}gxr=B6g+%zKK<7IBHfKj2*Qqdc}aX+NF*^q9P-O+lX`D_FwisRR+TUt z{EAZ?$5yJYO>x}iWEDZ#wD{CB{%(|*5Vc5LJ6ZZ;oNq0{2c|7j^lQQjJvQuL{R{J4 zo^+gHDC}yQ_0b3)N^j>(sQ&sc{XSU+iGVDb^>;_BxKM8QN(l@a*B69W>t>1wTfMXH zh*cHZhFFbwMjP~S)mY7YU%O+!Wz}!NQplROP|;f=#a;1Pm%QA2)aEKv*;qmWr%ea@ z6es-ErpMWp^3U2{oqx!|CzZsU`sL?41}g7o42J%Q&*$#(h-=^dbr*x`+pmG8JIuj? zyz8}Z;c-}gWoi>^Wk3IhI2wPWN4y&DBjd>%$(5lzX9pR`r-+hXig{rZ`c=HTSY12( zwdzdjhG5u>z>6eNA{4kiY(iR+{e4@f8sl$LJbHX8-s-spNo0!1c!rAGCCrft8{NK_ zohO^0UnJ-ZZ@pDlhAy?lU3`X~@c?87ut5HPe;tg>z+Q2Cks0vL{Ex^CjJykw7ue+; z^tpqyz-qyR@4y5FhP(ieuI*3QlOPMFo$uRBAc)_){okPrGSF_Pg&tctV4y4G?Msa0Zw>3sA&?SO$hFfo$iHwhL`RHqH>;V|zaXw%i~g|Mz|N0ALIDay_27*uaGW2dD@MioXI7X}e$$4-h>a zC9;FIGaw{9t|b6bJXs-MrQOhY!7c(KJwl%ygdFX0*#5))3~c&rKq0pq83!Lk^)8G*}TQK*R-HEWTAvkkDE^$D2y$`qf-8*IP6G21pb_3+m{SEgN zw>{vA(47hdjQ;*a_C1G#0~!J~F_?h++Hw3Y+WS3H$QbWH+-{GG{eTBTK6MA;c6&tT z2Q-9yzQD`u_rDM-A^i8$Kd2pm?VziaeGOr!_}x+bUmzNE!LfY?--C|*n>gmZ_gJ%E*cks@=L<(m8bL#k$MOw;S)UNZQtjX7! zh3z7&qb050Du}-ppS3A$RO$U9&8mIlrgbD6LzH|~q|tJI`cJP%G3J#hfuQ1uIAstG zabiXbdaD30!K{j}+r`L7XL{Y&6Fx^0FSz>V=;D^B%t|Jw&j-cp8xvfw=8IUot2D>& zd?UP4@L9UW!wg2!kL&Wa%_G$J=Be9 zXejFTXZvMq%j;-Gjend3kK7O1hYfL=#aYswK`^;&c z(A{OYBd!!N=Nj^Sro{}~o45r@GR(p~$J3A3In`bMJ88Wl$6c0eWW;$Y?%T~Wp_l8K z5JufGaH4T2wzSiVL~pxGBhIy6(0Jbe>{Zpxd7kosaQ%w7X7k4x6bLhvf2;nn!Om$P^s-^9*H}P7?)z zVpj`x+BcZ*8otv&Uhzo3H{dMLiLvRy3ZQ4r9pv%_Rrj_h0bNwaE`L z**m??mrY7lTJ?|k&!%pQv6qoF z73E{uP?x{XoKRaq>vGbd;98JM!43PAe`lq2OuIh7sz}<>J4N+mc6m-?v(;-pzDZ5f z_BYkdWN5_HuRrJnvfbtom+)HT7)p$^E{w9inxBPr*(7{`=l1jHv%W(r%dPl{VJ*bQ zb$2Idrj6wi&wj}+p}mkSi!H+BScg}3(~sPS=8_4XF!R$g%@@Qg-8Qx^U+Gn293$ww zZt7j@^Rj8OiguDwo`>Xg>+m$zSoFV zc18YzSCidhz=>AoPsOG|3>47+@AI@)lP=G^D9-T?$cli3EMD1LPg4jlZWl<+-&?}b`IuZor z^X|9Sp0H>vnM%jYW(oN#X$eKK)8@p#>RNC|=khiCtcSwzJ%r$cdWhU?9U1&c64_U= zj^yGo;##)Ke4*HzPyHyKex6}=OnrPtL>v_u>1g*;$%_Q?V0*&Yr1_Sx=tUem6X&fjMK9NUue|H5n9ao6G4an}Kv>^9m3^O^uC z7|huL`rJX!z*`@NhJge2_U8_21~R+t@7wM7@R*L#gJdW9fX-&D;8t=s``}~;N3O%H zst-s%j?sf;H~rv*PSoIv7V`dp(vKsBc2NGYr`-IXo$~*RZKvCSkP3+60Otx2Ojr&p zT69nba{Nvt?BF_`1<3z)M-(VWKw@%;mEr*-dW=pae{)~9L;IWia)i(h8qs5QB4LG5 zg?77*10=to$}0fzjuhK|fB?3xcMr^eHrsaAD9{o@g|c=Bloe9499B!=paDHTBnk*r zVMbYy!x9fj33rULjuhE}<9U1xFm^D0To9XNH#ET0g!SH0dX0y3AJ-7J9UsqdLfR!3 zfU7{(K#-93R)C!h8Ow@)1?^!Ay<3%`LCxV zbpu4DQ(WBV);gBlZn?fK{}{b$XMgE}!P7=|)vI)gW1Wr?Tl#FwK^%d}eDB!vZJ&Mj zP@`|baLw0nuav%K!AIq~_?|H#P33Yl8#WTI&)4rulbL?0sVI8bs6D`1=ext0;n2Nq z6mlU$8|3MnOTp^IuKi!K3f~yRc`Mu4%}>C;s{Hi5Xd(PwV(1g`b8lDCBx2VZ+9>Ih zoeZy*wQca=6Uz%y_nNY33`-}N7OtmuG5ZJ);uG77qx$LGPm6Qgak3uh+4;G%AFU!X=48@uAvH+DKQSYVe16%pHkO`YY^G09Im&RX zDLc(TS+!MH{Pg$PY`ieLAeoS2(&bklTO-ReBJw)~dnt!#NuF6T>+boF3Jp3BN7_5H! z)l{f_V!-&q#+t!G_Xqohk@@*a16Bq0xibXl(JlkC_;-D8W3#1|HmZE-xp+5zbiHZ7 zo!xtDX5d|Xs^pMku!!Ettx7|qwp?yS^zq7TI_zuc$jYnOU2lyAUO(GhW~z#POe!G2 z>*iuF88eyKbZ>yAG$sCfcM0z=+x5?a)_DTl6C^y7@1yvP*2;_>7v_2=y|l+YvMakM zKUt32<@Co)*_`UOFjhH-P+Q~ru3#a8Sg+yUeP+Zq1z zGQMi!bPSXd(&jK5K=>Yac_D*Kk8&yXMrp>{+@R|q4)PU*U_9GK*>mdV-svhjF88h# zCtC6`X)z!Os=YmlG#Az{V$ULb9xFGZLW<);*U2DVO=Is=Oa&ark1e-fVhr7R#OlY_ zo+cjgQV*3YZk0n9?knb9LQJ>IZ7Vgd1byRJVexV}+B9)b;PLp!UX+kLa0dY42Uj?m z^J5LIsw$F(1eZlw-G*bwE5#k(ka1wCjknAzvlMug6t1xO(tm6uFD78|L7M%Hx)!gI zR_jHeKX45d{amC(RhF&Ja8o%VxdE+wRpk}-HEP!i+}9@rdr~?vc+x)?jiz{f$5u+N zYloY$NkPSv8Kyni!qa~0I*CpNUA}Vye~)l_mz!0UTDNLe*Hsylf=}Y_W>^POY-J6S ztU_fIu$>?Jt16u`cRcG9dn%ykeV<%PBYz~(rO*0R5oN)qz12K1>Xx6Lcif5Gx-mLe z|A0?7{Hs9l)mCne8zM-C!d~{X>3Kp^+PpkS@Mg_FvPeRO6I?nf)Lti1Wh-%YJCb3Dt_E34-}j%C0PW6uVSU+X_#sD@&i5l^NZl7(hG5G0%T zicZ(MOOcB~wP1=Nx&xHJX0lQ$ggT5XDX zhN_6W*%0nNlWWk5Ee+K{WfdoN*|N0FiC0%cg~KkoUs-u=!NziQ)-7~N@APd4alfR{ z<@nDG!}`q3OBt<6;aERfuSboa#(B@NRwQr1DAH@yyQNj9eSOk1b(Yn)Q?4^S{t?!F z%0Pwu9jDqq9yq(m**kG4P=)88ks1JRc4_x~QQ5;$jqR{ups1}S17l!Oyl zZf<{WqbiUbW&8U!x&qY{*#5qas&MYO3vq7y9s#+}&hNl%|G@9As376*v*N#!AGUjp1LRIDu!=w1fdNqzC+{KH2B-@3do7~vX>y!B z24zrCq3xX>1GFE&fH;Jc0Rm(HP0PRubHzH=z;s)u%6$mE2K6wM0?<)qaj9n$l$w(5%8fuI%4z>f1*GIxYr^p7gK587%6qf34;1bmqqbt z@X{lq&aQU5z|RxL_FSWG@oN#Qo-4XHU_(T)(nYq?+Lox3xb?G<2!KW+cU(#q&8l%s zDrq!sseko|33TD~;HU9?9+X1=g`jQGzA}j|R$$;;kvXZVd15aSa}=3N@~bs6iHB+v z{v3)+$Tj&iEA@B!GSXC5d?;#hA9+`LI;<=%&OByENO~!GNm@im4DSl_;3FNc23>@2 zL$1VY*M|olD)NU0!ewiH%gGmNv$cBP(MjCs+V)-{31{qzFYZc8p#%A;53SYaU)g( zuN1+0N6;jJ&0>2>XN=U35vl3v8{TQ9<{AacOm~*GGhgaXWo{~PK9|r)oLuXkZ#8}? z9{e$UYQh~)yq;@I?ZO)z;kY)OXoIw6`$$m*R%+8sF~a_Uc6mE_O#uq#_GKq3Jl~)@ z_OIHS*mSJF%>;l|SEp%gPv+24XhOAm)_N9&6tUBaDX^3z>``|;1<;Wp(;+F=u&yL zSUl>#q!lmT{VhsH#W$gZ(KDzRv!SG!+J22ktq{{fz%r?#jbYgzQRpOYofTWTnnR;$ z5$8%Dp&YMu*lYjCZ@oke#D!^Il*}(b#4r%k-(0M%&rQ0If@J0&T$j{_bN3w4%A!n8 zcFDb&%ksG{T6HXU4Zh99C*p7fJPQo)O?rm;zDvZ-kVjDNg?D{*6^?r>_s_F6)>2kD z^GNvTrOM9pRg))(AigBMqlASMtX^n3PJz!OcAXi&`8-QU;F&xL=Vs@qaOG~+stDm* zTK=*w?t#~_X<3s<{85$JUeG_V4m7$MYBLgk=8XBxAW~1!Bu4xOngO0$P2%L%g@GBG zi?gIpIq5AQ**$qGLxi!^zc|McbOC6N2>o!R^9w9|zw44t8`@rDpklu2SD=6Cw#nU& zG3JK1GN;JVmnm+MUQ?bfd^*KZ#eL!a53>&eT0fAG?GpwvURvqdRVW*uo-EWNsZ>-Z zRbBO)72o)ps3T;Q@lqsd=;CrgS;%Dev`8oS%K~fm{F`_S@ChdxHA}u?YcdkPB){Ta zgPl}0l}V)+_+^S~>TyA^QrEK3ptw`vuNIM$33WHxn+KyUV}y{VKK(G$y|aS*Bkody z`lD+YA->66E9boUm*A1f3qNGFcj1n{I*VfT?7LW^@6*0|IYU#?7lfVly=d>q;I!3| zT(ZACIeGu1SHUBxSqtT%C{cwG zm!W2C7DM6n{5n57i`B)9m`_(aX9pwjmo)Fb#ZIHjv5B0vIJqVNB*H$dYa-*!`LB%+ zy87RC^gNRuZCYx2o=xNDQ)b5VYqmbWe(7EeGj)?dVp>yZYbmZYv4@ph$ddSd0}tUd zl)@sC)mV}xD{OcR3O^A%PM-_cAA?U2ksrpCvN8W~+26uJFJL`ZG@z?=u!AlsLD&-o zG3jOLrCVDPESI=)y#l^_nUa4Na}d_5uYX-~x|2FlGzET@TsTG8=G-^+oADXVf#^JM zh<@SIdx<|sC!)XWJHL=7aj$3S=W9Cxn-1?n@cWp?^V#!2qhm>{|*nMN6^=YiT z*3+o;h}l%S;1hlK2`-*@^STvsPwCI7<-L=5c&<0PV^bk+_Wkv7zO?tbH|-aeIUnPA z;b3OH9ILvyFx&GwU1w1+vZL>DEvZ!LoL~K_NQXT&)>vxn9mU)Au0nQCoZV7Ft}gm- zpz_<*evxjyHH*TVw^DM}YHqb|kV>yNlWBTx0Mq=wpeQ`)lPjf@HxsmLZu1WOGFkmd z@&2}9730aWr=s=rou);AyHj`SjUK-H)q4Y{6dRMj5h{Fla^)bt$lAN?TWP8_H2w6~ z&(Sg$v1qBG=F1rBw+LN1{imFTACU2U=d)}4O+ymGjdQryNg#HLj9 zk6`lH=pYYoWk<44Vi9;s%p{UXEj}4$-*|pb`gcEfxK3)pV3i!)2rmqnFAbU(-X4I( z?5X;&eeU{=`NFv^^+IR0uxWfeodzYP5Q`m1EJ5xE{E$FS2s8Tuz7gQc`LNLT zRT|q~TE`R{z+r%B2?88|8wIQ)GcO1cRFwtU!heYD7+EI(^ne*#?S#e-+@yfo;Yg9~ zS6BeF6>KNR(`P#~4H6lF0&RaK&TPQA7ud)Cd#4?cIKwu?;EZ_Noia~%Oc z+9TA4@S{Bq*?_Ge@S_7;$nP)^R5kkV-Rhu*&>jR(%HJDua{i83{q{r-pa%m_J)j|U z4BOp>4tOGTl>pS82Q>WWWIw1OFsA}{IKM~AepsZSuqhJ{IDY=#5QzEzJyJ*^3o0=j z(D0uV?0`tw07Z`*(4Y1_5q4PK?VJBQMD|Zq4D{fE46CC-WP5~ZyAT;D%W+hQY(PT` zkg9NQw&e`tu6EEzgduHom72%vwp&llUFid~DpH4_8sr47UpFPWF=LA-jaL%}V&E2~ z9-eM#UNy&a?baO@5OQM^a{C@^&n&@8^C>>(lE@`o3EJRvZaw#ypP6VTl`pc5IM4a$ zbw$$QhW~OcYsu#@&&y*$luwB$3wJ9)mKON#8FO*mCj;eWFFw#FEvYV{MVueRz&m z=yf4-vEsBL#Wc3J5a@%ilcQaC_uy_TOUR>`M|>ZO{BuL+VPoms6{JA|3<70)&%lpM zMK)K5Vx3xp+>0LKeDTIah%m_miq&G_eN>cslOmyQ<#nPYe%R1THW zk&YL$WZpGYMt7!>uOh^s*Ng5vu{kh6ju7UAU@L=$F8(Pr(ZZLC<%U{%GoAZK{wBxK z;-bb?SvA(wrE3$6X7rhj8j%mKq>J^(vt=tM7kzO!dn)0p@^Hsvp~vyxqIKbPo%!xZ ziyMkREIgY=kxjBu$z@l>y5S zQD+|o@~uzKh)R-emiwq&&A#wZ*8J^OerN18T#4(|-%lArYv|Lz!7RQ@VDV%hAI?*2_wc*!r zuu=So=+o4>x#%{9wesZ_MLz@io$JC)LCmS_SFApGWTk=FS%OS=EaDzy_dFXn(IT{( zWRM&nM}4XE>5U|5(bUZr`}lA*XT5;t3wdNUEXdl`>Gtq%8mQ_-X2Z#lYWWaYablH% zDKUs1XEMAh?y{whuUE>B&>3W;j~gRFG*d>gmy6b5;h<``FmFH;hb@4A-()M4)VPgX z;gmG0#6n0T-!u{Z2#V>uGIqDyPf_`E&S+sbbNF}NKZ}WFAmU+0j!3v^%d*0#PfMsM ze=^{yMA?!SJ4@1I{c}NfB*7+l^U*fRbfo7_a3qr#Px9r~FVy&j&p$(uv6)UPf2c4r zG(u2|GepDx11a?J;`JD|p=@BjJB~{Hq@=U$eD~e^wI3pFI&m}gUoK-J$ zTA9ub_KHRG7rZi`DKI_BzCE1GhLg`u}A|Rk?Aq%YchvV3jDZF z11@{bGByl;)ma?6pDUU6**hMthw=o*C$n`u?4XUswO zbE|6poV0q0MvSQQdGamS-A-R)meu-@W2vDo$?4_K%RFIhcX2kC2#@w#P94<<#jVh4 zD)EPv7q4N+m8-ny8FE)QcQqlRj5aMY)-hGHxSH+zt!vYuDT1*YZq|c+ii_>>XjxV% zWuTjxa6&Clsr(?XzVXHKVl7z|u4av8{Zj!`lT)*FwEir z_vAD>0*3MOQI(X`$Ryf6{!VFZ9aK;10B^(-_{I2`=yP5yt{ut=@WSDG)k9&vgg0(g zogH?`{%R-@EG3IlmbmhynnL8Y4|#x~M2o74QbyxiU(~RyoC?+5hF_lP$gR@v7RHLz zo}A>x^C-$#Of6(kVGyafnBx0D^g2dLPsbU~Yzcwmc43C!dxB-M>B|8Bb$uF~3>P?QSP9!=5eAb-S(|Oy?QR!w4Pnd0Lw! zezG>)GSG?2YG`vFzB+w|1dr1-hm16LVg04_hgS=wCmBzvdT z)ZA3_OCAlz#q*&vpxo4R{+9mJuU6@t!Qa}iYLc=wzk-1X;$(6gxHj%Ig&O2O-%TI|4TvLvE#AuXEzhAq8&Pu@l0e{O4R;flHM z==LQ2)(fNX6&v2rp+~*t@1w;y5hAG-@Atc_U;T9=DWR7504Q&dVEteyZ@cRI9w-l{ zkN;0l9#AL1pt~KbCMY}G{=Ngj!DQ(GlG`yO;N13~0^fINRsaZs{d<@tz;93;?6-H% zOn;W0u>#8s$i0&jRQ3kxHaNku046^t5Xyj}LMWZ2BPN3DFo6M_8^ zuns%`cH#LQ==m*FR=@y-ics$FoPPp6{|n53X5{w$+n%E8zZuW`5#NUkRx);XHSK^I zfE;~fFr!mL3m7&NLS8fdGW_Qrz@gomX`PXsDmH(}G0@jqSqwNoB3v{C=@Ba0tKHvt z;auS_(_I~yY^{_c2xxM_s&r5t9&qznU7zWn&iD2tLT5e~s9#$)=*k!(g>xq{*Z}Xs z6PJn=YeJitC}x!krR50Zdl?$*vJLlQ%5=61v7dHLu^lv3RpF0K_t*WlRH(Vmp#yMZ4CT$$FWmYU=W+*~N@BJ)sk07!qcbmmbSR+-|5zIiB7h|>VO^lLQ{K2#^~+?;EfiI A!VBP%4OW-W#S3CGiuF&RUu)Fl= z9hrMp`SBuk__c*2ySLhS?NB{(u}X6{6=w&q>O!zFUdN=Blf1e;+v>>3P(kf zwAqOZFPSfz6vfj=h6`Uc`gMm@P%^MuxT4QA&O-a;{D}7F+>1B4uIbrwa7plHO+l2e+#?c!XR0wcoCD?8rHe6R1?lC#5Vy&1c7Dk_z zy;z6ED=lvqapr173b|6LYd)*tY(++vTgrf#Ircgdc2bJJeSxx}t`(nZjXS$~Eh)L+8n(E?-e6@a^jkH-W3p2NmC*f6P z3aQu2t1DQ;R^}7&L^W)_N_yhUp+@G#cRae&I#G}0plEzn|I@V1l~$q_6+5a6IngC$ zSh;N!n#(ITEpv#sPs{1n`Vt%Z2M@C&h;~(f@vFJQfhPEh@e`xT*`M;uK||ISDb~23 zvl{O7&5};C);+y06>)y<6|1;-i7dq>6)U8)&p#MsZ>><<<}eN{c2x}LO%dn}I#Daq z7rsJAIy*UiUiNkxfyn)k=YE=!S1X6vEpzpW&p)729hiKX)7Ssvu0tc2JVrdv4=!$n zEH^2upJCY_RC64fX*tg7zi44^<`qnT(2R0Br&wFkLD-(qN5KF|!y{MAQ9lyn)Mzv% zwVmu)%};W#Ibx=4(Sm)J5@n?la;Q^DETkz7QC^>~Ag*!wT2EE$fnwQp%hy!-%u9Nv zji@j6Y6y4rYt)Tiil|_GEc-&hB*hacBGQSa@xIwdMvBMiQX71!4rOzR0=+Q5ohdNNy1Y{SsEmRmu5!1-;FF>Ipln4=?$^a?>f+<6Cgi|c!D}w&c6ed>wOhX!>7rQ7 z!?hZ3O6a84>uSguIY2C%~kqR_Ckhy+LO&8Y0Qj>{lWMz1_sAfV`@C%76uO@gk0;v78bHLo8X(mo$Mr6 z_*Ufnef6)T(K-eM;@^n>s+i^c!`hj?i96I;0Uyicq|z;-uzKx9)x z?5yVZGESyj=vY$ziks;tQHQi_?QNgBJC2DjT)3v(LMB@7rt*ypnF>BxU%*puQYymhSpXSM5{LljJz6 zChITbxK5oEiB*iV3>hGueil_FrfGn9gZ4bZsod$R`!mvJ4!3o5U2ftuuxPxdF>$_) zt7bqP8^a?TKs;rr_L=L=muK|dKUioC;8y9Mp5vcSW+Ah!^m4K$do`Ktmd5Xo&4Y5~ zZ=sCm?su+6arf^nAot`yW zMgALxI6a#x)8#@Qu~S2xbV!4hbTirm#eRJSs$T82j#IP|siw{L5gvCjxpBM|<*#v5 zBzA;2;l+oXD1MWGXHa|M4e!S^+eefaKCo<@Zc)GIx&D}T#rbvQFFb)w8=_YM#Hcpk zeDTq{Xox>r6#Sa}xpBX;0+oTGYdY?Nvi>h*G-t1k1HhXDDxLqv!`eRa0Ho$0JS^KWSeu6L%X2)5G6Y%A?zwhv^K>7pwzU_4ct{ivxR@-(+;QKb%vxjGOjE*Zi z**-)R;)1e$U|ayqG64_)6}&%$VZzR{54?f>wY!JLKTC9WQZQij4V-@ecF;LWm9hge zFj)5=Phh+92awyqtju@(R*n+bLHQSKLL5(IklhN%qIcs0*2JK$Jg{*-ysjHBC(rNv zjbrp$;Q;U!s80P?WWaU{=%+yWv?D}z5ETKoW{#)J{u<1kX$CnIb3tSSX)4i!vv@+z>Nh^Ob&yiIrmu(ZSTLw6WY#R z3oT0+=mp7T!Nvyo5Ny1MFd*5vfA2FcnCN;pFbJA}z2OdLy+GUiUNB@&Lx9^r8p8dM z2G<__@V*Cvi3yluJO@xopg;2O2mUWe28<(#m@lX5bS^G%o64|9F6UP zx6Y00j>h7~hBijV=z#g*;An4r-3r~cuTw(~szFt;p*DYw9=`@o>ekrzj^|DfsXv;N ztd1FRupn!YDnCOIbzb^b_G37eHuNm_qwfZO=Wltb&j^;^v9-k?9$p58qD&`>B-=q|Wh38V+NaL2pnCI$!9&(zn%O# zYyFx|e&>B;=4A`2#zoDs2Kb^(tAVf45l=s9%s*PjLat9|jeb4PeYHf4)eDWbmHD$P z96ZXEGl-&G!W7XNo%A_1p<-GSM4mhmskCzUf1P;m(V_f$f++ap3H(I37inj=;Mr$x zcun#VH%1sCQRgsN)s5N+Xq+IKgTI0ssKMWU5+Srq1fPoIGUiJ2s@IzM>zd98_Ak|0 zcL=Fe=EE;AdX9K;ioZQ)@DXd|)mgrJ3EVdI(3ZZ&BGI_YnuznPp7Kc|3JsgqRj#b2 zq33BsO5-{xWkmDuwcIozr}C93llqeEut=VSO{1aIS|fe>mLaWNal93CRL|Kp)Y18j zG(k}=_8DhO=hSv$+;(`a(z$OzmKQoEYI+1OJrCo#e15dShW1`s{Bv$k3;bK6W@qG^ ze2v zU@BB8dy1!-Jn&ZJgVDn}J~-(7371-TU-LSYgN;lJ6$$`4{8( zpIl0fMHLvtia6I7Y4PFv$a>zLcKFuIlWK?#UPW+o<|ll{`bF1%T269Z$v*q}0*hsE zGV5H`nYA(Y>z;3`jp)vvMJKs1K5WEh?)q9&nORuHM1v@XYjLJD;RTPg6=qud8;MI} z+_P98HnP5JY5j1#@kqBbD>*Zsi;#&l#~FD2x{8?M0&k9J#GoPAHwdEXL!wXJP}toen0ZUNn?r#9LX z!Q}=5Y{~Y-h^4Ys@X?58DDOx7k{ZXk8YpSH$u3YQO|Yc#B=R);pc{ir+-QURIlK&ZlaoHIpmTanb%CBzwD3JMnAAHAl&)ao^N~yKT>?@p?N*|;UVmFv1z%LkO%}QXTsFn7-xJOo;B>gMtrNyR!} zdm!8@3Hl@pSDG9*LLTDZv0T4Miq833+F;!6LH$s|C84hR68whzPq=kqREmsQ!xkv3 z6I}`Ci$>o(*tqbR(vL^+N~m! z-htCM2p$zP88ckTbfPnT^zAvHB8fn3H7O+>B|bsSy?{HHwazS4qKX%3MYwz@Y__E7 zjr-69rxR6Q%AEGn(z>rU!=7zj#cDh^!PcS;`$R2Th?MXb(~sljt5IxpYkiFw-BOY2 z9!l50UVIEE^agVjDcD4&jvG|W+q{`AiH}l)nVbH?B|ZIHuolh43>q?-;_b*Aq&DQV z#tt*1hQnLu+KfNSI&H;v-TfF+b2jQ-;MBX}r~Wl1j_gGb3x}*3M6?>Tij28N6^dnf zzSvt@z(*L5d{G#mL+`jmw>C*ZGF#Of5oVNr1z}0z$4#A{IDf^SUS3O1wKBifAdeb1 z%}L=?kxm2U%|#6ryloE81;W_oE+<aG)`@rfBB!5(Mi{JUD0$h! zIC=SJ4SKgg5ve)(nJlc56>f38%!F~hCkeAU?8+Z}31+_C{q@L~Ypd3BBiKlu)-2hS zzyR$Y8O=b9x$o!Tt2Vt8wEjFNT`iiP@unE!cL|p7!@L^z z_1yU2#N*BocrZ#I|S^%tZ%qjx6^*E9Sa<;9Sa<Q9DaKS8opwDgifNQ6aI~PpZ{u|e0 zk0Ilqo&0x_axRd#0l$>L?nR+87N9ovzh_GaWaY5l*gFdU)nNj<2L;x)6d)|{2}xvt z1PUDzyfgt zcJUuBkf9&uGO-{3*`CJ76WK2Q15{YNKv=YU1rPE};F)uXeqsMq+g@156B#>HBM21B z0*M?{pM)Kl`T!p&kT)G6vIAz?_F6xl(10N;jO(!*8z}b&6+t^vX#3HO?cL{iBHQgW zKtACCx9X6WD`Ypy0Vp8cJcsNY2Z(sKH^k!!jROoEU{F9dQBY_Qe#Qb4;G=~GQup7G zv+X_lctYFlHE!Ta3Nn9TgydjLX;f!LLT z6}+1umL@witPr++l+X^^Ibd)5i>e@{>dl;m^1s% zbrfI}{ZDz+|FwD**B-guF8l^vkR1_z8`x6xr(WYP^XmcSBomRD+lHRB3C_m7LPI zQ;aPxl-;E-w;DyM2~c(Ysn2YszjMCp^ycToJv$VBbRoyhSUoG5t!!gr(#_bj=Dw6p5`~a!XaA&Yy!6EZtW`s|g^r*aylDW&-nC$lr6*Sv5lHd*)3?2KTw3*5%7|KQ%?EI_cx#uccokEd2t(@S3q=k;?ZJGVyCT48FlCqkTmEOiiBtDJ)B4(Ghmp;e#Q&r&V@WR=(CWA8e}7)O<|$7> zn%bqrso*C))CNi4R}+)$q~5#U))l29kPtl?%=7UktAg{|sQIVB3bXa)Pclp8+V}G& z{G`#y+a$^s?HY}%ee2`xbM2Zx8LvgM~~}4j?dfYoX`23^E$8h^L@3eVU6TX=VRdqYT_#M z_EtQ4_|ENdEW&pj^K44J9LO|uER{azqVdYtdDxyret~cvIVk%BGAjm&3TqP4Ix(HD zW0=(<(IZg>-Sadv&Wm>nx!usA1X?^Qjwfxeon)*NFrcOmH>kIz*Caq1;d&o^nVO+o z4O5wj_d7{+e%mZ$oy7Vy(eOu#m&Sz2T?R>9{xGAIjuIj{bktSJB>GWz`6W8RA3v1Q zJU+5a4bMM087c3RM2&3BX~MnMd7|`n)7A%d<{pff65pY`i5{k6`5K`=VrWCok-wFn z>~%T+w#U)XG<|J2T{FX8ZFB7QE7Q)QZ|B{W^Q0!rFBH(nK1^>MsxT+p;{ZOx<*@tfz;^)8CdS&SvQQ#n5_p2}HrZ0QIm^kVSSUybQn z#z$o{{X`UGBxSbvg2*!0&h&*ZYYuKq?=&rqwAdLjZoJb%%o#an0#m3}LV2^{hE#oP!xqL(_IABLU2xmU`*flBuly2&E>VewT7cfb4Rdmr;YQ+z9E&9q95jvP+QMe4ig z+<%7E_h~8G)mN1TLToeWcNO)-w%(>KOtWr%bRkg-VndG}3&{dJ^;mjmG}KD2J3mie zHd|dFCKgrJ4KjQ-`T_7B{*CSynhPuTTo;D1ZVes^Ot%tBZu@5*Iy zqgy9tek59b%JQ-(-{_+5|CSrSSj-s9C>mcgGmyC9Osxes_riCS(CtdU$_BQ^*7m^fybJC51I7c{#svbE zW*4>t*@f*ufPZ^i#o2}JKz3m}@Fo8C_jh4CkX_ggWEZvr*}($sgYN8HWAF9;-`1ya z$_^KJ`$Ggkxp8z^H(2FWN@MaAdG-J2{u5$kk88v z+qO@GH3j?-^`C{OqgKw_J#jp-@d9iC46JweVgtp@0Rs}$kN=(6j#xTx502vrZFegK z_8QxTP2m+)!M=?e80mq_=U4rCXkUAbB$PdI2XJ6vK+4?PqX94{sHXJq_h`q;K>_gj2tt8xWw%4y?a^(5Dlh}Ug(xV`FMIT$`)Ft8JD!IC0I=ZI?0MlZSTIHN@q%($ zzzzmCOF@6h13Ii!93uw>uFeU7q?WzVcK6)B6&aN8p!sg+?Ql%@49u_a(%x`_It;vp z;N1x)d%&{+p?tp(o{ku42WcXZ?Kkmn$N>kdQtxjFm(+odctmX{@WME-v)^|`&=6!N zfn3$Y+hriH?Uw`&G=y{C;4kDu`|N|@lY^ncA#6NHPf;EKHPXX>b( z{q}<6pBjSk1=Q&yLOrO?9JnGVQ3xKHqeO@UIbR1ug+trHXg++!ee~ep5g|a>f5M9Y z4$HDH`{}nBEpTt&pWXXMS`+yDe^Z3$(j1I<1|e`yDEE}zV7sDB&CvPU7 z{GEQw>ZV}hkM<8s8jBS_#OM^ioVM<$x*Q#?hC#}_C}!5xr*SiTae-5J(?pO|180+} zAv$?fE#Jw4ih4n4f>o#bo6m;{h9)|~TUQH8D}q>NN%+u5Hzcy?vHe~239vhO(gx3o z%xyIlQFVLOou#RGpr_Wg^zR7uBTx3bbyZhY*FCCmNYQ-_G$#m;zhx zE5tS2Q)tKzSj$O<+SnK5dCU0YIFXtpzLxmUQnrys+$CpGWRG*I957-PMM1(!s_4*6 zL`qaoQM?^v!93==Lc=L0QR4FhQCbRL82A06*;M(v&Fig>P24jf!Gvb-74Ue%ke%Bq z0+Anegil!W31~h0U?RI^dV{)*l+?Zpi6V~0){pXbCb*T0akNussCgvuxC|TlU@u=) z+4sQV{ZX*=*vS-a)Mx=9h-yjpPNTyA4c;)7v0nht3*RN^TUbSE0nkBCxMQ; zloO&H4S-?&ASjiPvN$1Day#$PG=4N7e%@yxA+*iudu8~lkjz{5s;V> zUtd>XmPpX`p$*Eub_Mgp$*L~NX@5=T&a}!CK@GHA&rcSLei+%}>G2Sh5>~D2EWm3& zw@j3N6BqiHY9?|{MAQ)+ku|$3wk(-ekvdaPG!~=83#WlqULGtuW3Viexn)moQmXVxa zN73EFANb#6WM`-{w}0QxnNu_|H9+{pSalR}>$c(orEF`mziHJ}nBS96X9KL_Xp{#f zaMkagZI7z{AbtmF!Kk&)Td6X<(6MA5c7P)S^MS;Eupf$ z;NZ2c=0=_$C{JndK3x&Uc*>MoqT@NG%$u25PLTZi8ZDs%?@LB&5-*LHmAA|Yugr%& z@2S3eHSM${?>8#GXyM1C>zWj`bT;u%FcZu9@`Y(DZlMfXXNDTD#!TNERsc*H(|!g^ zgUXkz-*do5e zi5r7wH?YMp1TnJ{>vOUF#`_2@dWrixfmj58NXhTt)L1?se5Io1}JKZtPr*gw}aIO|4z}6n0OAN5udA{H2a?#p}x% zQbs%xM$pAx-FNPV4E5R5JwrE}B0?A*QDHyF2qZL}O}X56YW5p;#!bzE4$FWCTY2An z&4%Y4a2Px!BVFJ6s3H_1QuIhjd0|Al5s4zu=}&@O??4TP+JJ8fEKOPxbGw zD0^)7dKeZE*M^!NQFV1n-VBHJIbp4?B$Z;Fz8D zpp<+2eq3kZP5(6f`PLccu3pSYsldh@_Z76Kw_s5O}>#FAZWK4g`x!j=h9fim?34%5@E ziXZfZ`l-uXe2TfltYIH(^lzU|o@6e@89~2}ksB34aFc5=Q|T_>w|v{5IHpc4BUV#c zSq@vvc_JSNV)B$UOJo@ax}PPj@JUqUJab}E3>zgoZTpPZ>6X^%DG}N^lI!Do8Py0^ z8=2g5bbp{wh`(mge*2965r=-m^sHz`@y}}~q4FoJ&cYc27_xv@9Y3CYyi`W0A zTkY=f;I5?Ygo)i99(-@W_p3VKM{QRAdYbqjBLnsZxF?<;a01|75xA#-2b}J07tiJY zMS96mq5bu|^1p=!$AN%lFPu2Jy)6biJGfB5@Rb3|3%GS)8xL;VzZN-;ktYOqhQQ#-LA#;t?$>`WGTuY_=)M!(|JIqidK!HD z1wZHB)6)Qe3HbDW<;LLWIp`DFw|V|=k-;lc!9a!y573ms=m+i^utNl{#@`Cr5=Fq_H5&$O+a8eW$Y^-?z`5VUl zE2)qF@L2n+t>VA+D4@)60Ld0`h2e@k{EPr(6mi2vZ^$ns<)bE!W1MTj)45$K3tn6g zl%9lpHw1vglpA~k=EigO}H$x%TfCk7zb460&l&)ZTL49mV+3c{Z|8e z6>w^Dff?hF>~s*rbEqL;7{P$(f4Jd65oq7v2ZkIJh(Je(M+Yf92QLU-xd26cnEL}c zNZ~oukPje?z|?a%(!aj-4)p|pY=M&&t|Q8=Lk?1S4qg$S?Fmq9hp)H~CG|UU6$tzP zhGzy&VEc0{{UKL@yZf7RRg>nRU4JdUd$-=*e9!o=K^rKoqJ{FaD(&)wTD-Sxgvs%Q z&y#o|;CQHS4mqu@iX%}+J{>#X_+1X_!^kJIDjU)`!Xi@{u zhgQ@CZ)q94t}rM(=PBq#p{hzC*7nWQ>^GrF%(6ax0iS7PX0wcaF`aEX;DlQiY(DVp zj7X!ss0zp{I+X_V_qOL|3;l6bo;_(}6HYGvj#&v%iDs;=yBjbGgQF~&eGElXQEvx35)p@IOOkQ8! z9A$5rk?hJ~FIpAbNIXY%|5D3mMtt7Ug5@&i3-?R%z6DkJiM}!CWr7+=tXZsS_J8bd zu4=lMjdNkWaIz$`DE)<;=oN)$90WG9RFtp}r-TAGPF!HQM10r!LbGNnzm?_!;drjvHS$e>UHj{Q4|y(>rnSL2N>No6#3K^4PeUJUbbPn#y4IGYI#E z=PfGRl=dQ-V>`; z1HlcJ_3}sOS&^mMM0d=09Hj3^FIapaW?wK`pO9>8HQ^aBWDldzolCKN!bUdG-fycVfpmB6ggGKIs_V;k=deW33$v>35?%7X$&8h zv*+M$Dg|4uIdl=vB(fL1`Xt%XYBZK-$QyucTPgkY>k2z|iM84*tyjjluqKnrUgm1- z1Vg*HI894Rj(c(UQG71cMu=%sp{j~2*p{PK7ExB+u4=!6Ds!GuID5-SK1Kjr^36|( zZ@?20ws;7yRg!!pLsziwmsJZu*Lpq$vyUq@`6H25~pv|#B<8J5AQ|A)lBPlx1 zjJ8amTk2ibytJ(BH#t(V!j8v(8K1(R$-4sf1vuH-*1p2G4dJ|mygJO z5(${V(|PUT0DC!@o1^$Gv5VTU+}>+lpe7Zp1Yl$b$!6i0%k&_^LApx} zi=D`=`L#_eRL)1WCtD?%JR$U5XWN1}&MC|vJURUk#liH&+eS>9WR+wk^EUt^?^uib?W2udRgA(_i;Dc3Pu+27hRy9ti^3a6u9 z81uhd$k#gJdZh*-e1V$vo9nRBW5UR*=jmcc<$Cx7o%{4?;w+&KsUeA9B~|V$6Cs^+ zUmYHat6vYN?ux{;ZUDYqbhgps_UlFshCfkPAL0QEFY{BGS{cObb1Ww zyKw=+y5os;#O!B;RX?dP&S5LR`gD2}+1dEM(i7x}$Bpcq9y2nDRI*qIbw(QRulhM< z233kmd@@krs{eG;wYfexR&WprE%te}uaa0aE=_siTnd4NYC%y#&3C0sYfX~;>u08a zp2?3_yjwMyp49dc~)i3QI%(;)4i@&TnDnekvEk7EWYO5DeMYr#ZND@(E}R< z9)z7TOOn84lZv5gjWOTb5Bp7x6f##{VM5qp6IV*B{T5J2s_8*D6I9M)8Yu zyD@6|(e=c=#V^lK41ty9_->Y27e%{q7L~h`(FJpOE?v?Yi0-v=!9T6`Xll7LMKq@j zEqB#Sz7|(VQI&3{#v<$ z?i7yyOZhW+QrfoSv<;#G%G54)2UH#3{r;|^wTs;WWzu)PzfGV3KfjCHfqRU$f6s2d z9%L_HZwCkjer{V^+wa6WMl266+;sxB1P}nG1Vjt4GX;(h5Yuiww12&q`M<#B0mcsC zA^JmV01^$zJo=^4G_0@Orp>ydWzPz7hPL(2kNCjuXwZ7aQnE zJ|F<{fvP?tdx{&dOoG&zKOO`4 zgA0r`Oxa&p) zni&Lsl(6fQ1ekG9Xz&-$=Ha<^`(1xLgKY1n?RMv$OA^#WkELrNSJOcMXx z5WM8!=aC0RLnzl@htm;%BR5bRL2msK4gdQ3I;tV?MsgitIow&b?v0b*5e@g*+WwMG zcOdKTFWTa7dEB7Dy8q`r+e@^A{l3SoNmCQfxpM1%HB8sVqM}{Wo-z=T90AD_x?{sb z8sL3afmwCLplhov(2Gd^QV2OyY)MRo`Rgm}#6xZ#ukB{_Cssy#-;U;Mu-h0Cq4C*p zWIhTLqzT0fjkOCGcre$`u%M%oA)TAlb9UyrZ1uZ4Mg5<76iGFSWxh%_Tsr;<$e`2KQWzto{1JXz1I9z_$~qi0)aEjX%im!R*^-M;GZFdBV0v z^lL`n^;%?PRC}S9721_KmsdERtt-17JV2GsjjN2kD(Q)D@>Fwz6WxCg5udAaIyjr!r8c$UM`@?wjnTTOKkw>A}T<&!V&EktR0T=GzF zW|Phs0R`>3aYke8dzJR><&Ne`(}e=*WwBn06W=_zFJ#UX-ZHHDYX4ZHA*@)bg>w#D zv8(=6x>Ry`d^Nj((x)!xMyHbeM@$Q$ zmo<}Uu_9-Ll#psPm+vtcO5IFqmU}nCi8jIdZ6xHY0%|LjHS(in>bcd`*71 zUZW%Q*;~c4u@+r|sy&2QF^rpIui>YEx)NNdiU(CpZd<02j;xEA+8RVht;h>oWlCN$ zy_9zgB14?ZUF1j3cpLj&7)dI&3(328hEd7#sUy%+sXk=^P3+sxcVZc1@? z%X6!AW8$Vf$peGPr}gfz3h6JP&2;nIMn%WQbo%4BqTmP6+G4i$#8{aa_#hc!*XQ4h zy*}3E{S4;=Z)N1q);N5G*Kg9pWZs?ZMbw}i&lGIcCL_69@9zP4-Bs+gsr2Jx27cdQ zEnWse8=E4;x(SJXD?ej-$BLH(@M)=hLuHgtpub1Hchy6e{=51b;?JH9ac6AV`NET5 z(LSPmdoAFDc9Re1GOQ{YZ`0N9oOupq`oo7w@32vXbg>yy%RR4*{unpM5W=(IyQ~-J zlPVwu8HB3ms#}#IkSS+r60xeAoaKveZ`9-#)1Dg5idxT@dho$F#l8GBsY`6XJX`p+ zO>G>T@69r5))|~QS8pSByvrn#!ER2l*q3p}sz9 zJu_V|)jNXaWt?oD)6E2D`S5l7a1PWyC9$6MQ%8My20Jl13A^b-ecr=MvQr=IiH7rX z3)=@&5}u|D`So8DJRx3qiiO@gJwLY(qJJ@rqLun}v7)Hi%=v~d)O7Nq!h|GAis!@>#4?UpR`c>c0{lH0xpDAGlp|(b^WFNz|)i?g{!FB*GNWZS2h0 z9ItOSz5&XbP^qVrG2P?FsFx%+2dE~U1o<{zZz$icFA1eVp2SvKS+K{2Y;Z{nDCLtVq=jq zrGbe}xIozI{7ppR*x1VW=xnN*W)hOt8;*LF&F{D!W$qAB1blNcG?f(*3y*K>=+*p+ z)1!Hvs)9%;(7mYp>MF9X#Z;)N>6eP;7cJQC3%5>2o`)1Ur@EO&lZhhJO14DSwDK}o z2tL=moy_O6tgzC+##;ft!@aDK?}2y4B_aj!g6D7=MjY!B#kr2@ddqk*_ApA4xEp6k z-(gE?&1i^DW;U1@5q+Rl?CT47j-zrmU+C@V7(ivcD29D5TtOOFrnZuNr1{V;+T)#- zu~B>$O;VlY3rT*ByI;sGsUYd<1E!_6OGOzn*d`KY_Z`HZnDSSwEY5xl&)>3=yIE8% z_#9u?72#eO!X0)vxV$^?vnh8-eh@s9(@siWGF0 zA_d*0M?rV#QP5p_6m*v!1>L1b!I=thwF@Nb?0)W)fcdLmYv*_Gt#1C?-WiynfbIr> zr2wM?D6$~CkPob}A%J|qy`4~bj#^lln)4Dhr|gZ(H>f$KsG04IjqJ^CShIqpltXoY zcK+Jqi40x{22|GBmW;T7=En!T1VDQOUIHFavG`x_Pj@=tctYFV2*P1C++a1mw-e-p zyBvN6wmrNP+!+$b6B!(}#RXUweBkCmLDCQ((BJq#9_??1cEnC_XP6#yY}<==pb3IH z$?$w8kc$JP!hgFJ+<9=0IkMdj<=a*Q!QBI?R^V>_b7)7%ZaWY2@x->Lg}_D2KdWEy z07(QC4*TcGju>jkNzmEd*z*9V795qoCp!FAXh#jTV;!+pr4ztbK5p0EAaM7zI84f~3T z{hscyFLiQHcYxPb`%SYF$gKmq1A+URUZw0*veegec-Q9Zts*Y=Khz~H?m%OD_LTnJ zcns~Sfb5pFZl?!WD)cx4wxa`Mx+r*h8~%e->cR!M&R>^$Pd+ex_3;HvPLs3&R-lc_ z<4+QLSwGQR`XwgEgUYV4{FkkSS}j&0QLd_1DNp(8$6P_8ko1Q!HF;z)O>HOBKyzfa z{-+5}>+KgME18DcDulFpEG?!axt_*8aw`Co?Um2Hb-aiQ3*sm;NSl6VtUcd;|1yny zGMekBMMdoSh~YAwT--$1-8^)T=AW=n7pa?3-c`m1oyrW6R<5pjR_P?#7M?mB#3rda z^ubP~*g7`9iJf!FB=5zntxy`I$r4NQVNebF%fgM=$PV z(#Jio#qQC(Y}|2s+&wOwy6A=*MTA%D#Xc0sGetUD9)mu6i*gsnx=J+?|K*s>6T&BG z2I^1-_=r58_r*?7T?|K_H^zr$eR@a1J9<^lHmwljhj zaecB#kC?kSB}X~f96x;GQT15tcwC3Rr9+ZiVYU^i{G8hhoj?Npyn=$SRkonkNgSI~ z=FLnRx7ME$CcoBALAZd?_7a-(dF%azgSy!ADy8tvMius0xwcN9=jYqG(W=}Yvc6Ri zX8b>8K0jVAmAjr!M%|{)P$Y5v17U~XOs1ZRg&3jzM|{S)WIT_P znOwv4_Z1o@cx|CkMM4CbB;M38NAayiMzl>9YsNI4!Y3KuqE1QQE1n-@$E(7vF^h=} zz+e>pVaXadWT@)=#O(oIpHW(zVCa3shdwH_cabk(30e;}n}048#9Yd~pHTGpgm&2* zZFLS2rph?x0FehaB#3mxX>$Z7xwHNc`=4LBD2*B7jC4~O*DI!p78>JR=u4ke|s5tp*n~0o|3sRP1rV)MqWDGAv@uDw5 zpr)0WXE2SjOt_S3?YOH;AceG>4_*1@GMz(fbyiaY>Us4q(blMf#MUfneBmU8oP;h(a^JE+EQxrU&h0QEt-~!w=Yto`}oT1bMZ05;^N|y;}`r)KnPc6 z#$bWoGzm%Q9EEW*ddS?-)b=B?Oib{VE(=;H8){6$d`$8=Lb-*@Oz_0aOCG`ve2SV+ zB;vAhV-0OSh;C6fHj?gkHj;OcZJs?2xTfzna?jJ^X_Mcw9+cQH$}5rtzu#{4ZX^%d zQ%^J2V&(4l6A*()%Lt;HDo7;ua5pDg<27y+DNp2^zI0jTR9;_^lr`kJ%@B~jEUm7i zHaUJ7uDgTFbrASq@|lpFq|t=0@TFa2v(v4%MZ3}j zRPy^R+^(~v(3~uXi1G<-iOl>Bq?lv_WLw}UzM&pewng7%l=uC2?0TszjGk-)hd70`a z$0B$tySk-B6KV+p*hbI@!=5+F>r1#H#&E@%83^lFP2pyUnw-&AUDu5EIn!&LiZc=z zj^WdCr6&xxM-2Q$5K+&715A&euojzoyeBjl?!970vRw|KRh6h|I8XXm%iKwe9dY>b!;=QrjAqo-UYX(1 zjgoqe6YE9JhAAav%~Hx-N301uk)Lx$Emb$1Jeopcj+nRHKG*)y%MVK>jkqO-^~1dj zRyI}zOc%*9O8e8Vb3G9)()z^L!0#Poe>rB|l~{V<1E13EQwdcGa)lmzY(a)tis*$csdYozxC$J`&lG-!pjd(v^)Tuq9latqa)nlvD_4TH+~|d>mYE9ha1{qAeEBXkvV;`&GXtiT|g|J`k z*hWMAPin_D!yB$zz!zNbPxt}~eC|?}pu1Eh=q^p#drta3uU@Xos-lJFl(di42a{gX5oo zi*lz>-!A@%n-6Y|68P66?I0Qny1i8R4Wr6IG}8WtJV(-?p$D-@hZ_A24H^pOq5UG$ zzA%Bv1o(MeM|n-at@`JNJRk)T9L^k)ZnhKb_xcPjYaO^EFFYmga1I_w(f;QPZu{xL z6mjT+`x3Q}xF9^a6Lti^3A!(h`lyD$naKxMNr$eu5B>Fb>eT-O{4^9iS$}rYo;n2s zi@)Dir!K%5M$1oSXQBMaB^Zam-8RdHQ zYVo$r%>ru^{3upe6}1N13;l*VeIXi!lxr+{nQSCxMIS8#q(uYKaT9t&mRw^~6s`5p zX}J^Mgr2_9;#LOR*a-3vhEY4ZhtNl#%M&dA;pc_AT#mzK=#M$q^g^xTp63M5H=EVE zGmb_2QsSsVFZ6HcP@lu0qI7sX-wuku#pYZc>e5*FQH!3Czm&+{cT0UD(4;K0?-sI- zgDz?C{6xd(?PTA(S7|ZmHok@B=e2!|JIQJps6h5LbEB0rjKfMc|DsmWph*(JV}P`dN;Dz>a@7HWt=RRw7= zjzLgZzwxMZ0d|z1O;^U!>5$h^gevLFx8!ikwJ}^ScQh}_lGZSXPh%Mdv*T;aDENOx zV;cC{=r3v$YoAsa8-ar%eZS4R@y)A9O2>)st+`JEU3-&_Mi`OaKA{*N)LjXx=L%i+ zrlwV;kvF`K7g;m+;{@d-uc(n69wbX-;k#d*sZW|m1b))6u9S^l6p>>tYeq*`XDfH@ zh_Q+rN?p(bt_vn&(@zvSq2w3v}N;apSbfzY+f2m zLJHc{jPPXrOR??cr&qFX_+KlywS$ zMvP=IxZ&2I;!P>^1pQAp-m1laIO$cWg_aON&rIuY-`bem`elu1Sdb<8;m^72RV92@ zrS*M^@f&&e9Zr^Jz4~i~UKRCp!7XSAn6E@UzMuNA98$)eJCtQkp&O_CWBlul!u>@NjEV@)^p_0W_U?av@S0oQw*> zIrIfA3D17* zGtHj{9U*jW5mY9$xcK@$i3qJLtU4T2MO^{4Xf(Jbas*XQOWJz5W-8|RXO!PNlBhrAYgR z!a*7wP2#vujl*i+^~sE_KPzfGuFEwjs-4xbH=Kn}E{|6upUj5zVzb9_7d}fdw*NMx zTDY1?L7cE^Z1-%GutdpRQC5Dc4EY%>xHO89+TwnedwzQji_Pl?>X8VM{z{K#>G7_r zOw~J7TZzCgo5Qq-YaItHmWE zJYV7#g%P@)rVDfKFsKY6o5$RISi2CBZJ8)B^nU9ZZK%P8rpU*`@)P2VN#Rp>b15qE zl7AFOI&sh?ZavOwH^UNP9nr5WeUfZQ6iA81qeY?lEj62n)@_kU|5B^8NQF8gr>QjR z$KsY4?nGM)1u`mU?<7AiZss95n%pS|db$df-m~;=$)C^ma>WeZ7=5Imb!`OeBBIqx z!QgWr(o(yOGb~?uRrbmcuxWMiQu;b3D```|qT!yJUVoB}N?Aqd{vOHj_Vg8_4;>Ed zZkSr+HMbX5Jt0ERio3oRflu64_9_Wo*Z9VYC379EqtVLW2Tq}oRvQzk*n_5$)x&}o*X%dsytHwD( zBmztDKi|Sfi$vQm>ir@SsCx{gn_r@g4kv^`cgdCjmkR$4)X-ft5p)+#1O=Yso$v4d z|1Japy2DeVhGTZO|9>0m0NQWk7T}+|V$(Ja0si&w?*S(L?VsO94}kB(b}Tjf#H8(* z_EvrWO&8(arRD7DB73x)|5X^-zD>sy8a!7AUVLOPG=8w`765dW-wN$;@uHocJD$*X z_k_Sp1Q$a7)NBNRafRm>d%`0$o9(f5Jdy2rY4`z>h6j+q_q;T~?C|T*j?!$l$M-SE z1^^!*LtxKK!wWJ)t^JpIWBbinP9c0=O>6|=a( zO#54*9WG0_GgTf>XxrIWU@GMSzB@jUbOQ1aIrzbp3+@<5Hv0EtZ6A{7KaMqcVi-I$ z;C2K1e!xK5CcE)$^N@Zq){dCf_ThW}TV%Vl8c>sfjpmO@jhi3jXZ^~#cnATu^L{(7 z&fF=@2}ee8!&B?PV+k+K`8$yvHKpwX5dF7X1~=V-SJGZ&aCaaN++6t^_v~=F#GN(3 zG2b&_ROAEq3hv;7fqdlcCK!P8dP~;EB=Tzgd z_giumATjlCuDIA&d)#DH6e`}hPc7YE=spo)c!sT-NB88#aW6exfyelXt#3q(%J{xi zNJr0*l#x+G?Ss~<3b;9aVqzi(RUtWN-!S{q^`C59aD4b&Ui-N;2U9b%o|DoWLoBwp zoijQ`Ppa|r8Xwpi%J7mtxQxqHh0l!@A}oj;~Yyvh0hHy*VF6KH|QT$Hl1#` zQt?BpTH+!J$w|YmTANY?H`Cgc;rzSLu?1JPNT%=mJbmgb0UN3#&L-FED-6~w!JnSI zQ`_WsCHhvxxSqJNVXS<(#`3EGPEX{)+PlNBAc`J_5Yqb39m~;gzi1h8I;oVFzifT? z1|L_%$omeFV4m=Ja*x_o9zIsWTUpdF}9X?)G^McZu4Bhw8( zatT~8ut>O!W`OUN+;ge$s_PBSIHoB`^KIkzgReauM;!^IWD z<*ekwAE~OXC=!xtw+GsjdRkR+=WgZIYWDfXJtt3j_TV(_v(OXD)3!B1e4(kutgMy% zPpa<3EysTH_4C%T%VZ&Jc#iuzFYU^-*CkyIUx!tl-V}N&m7gI}X?*?xXO*6aBA}B? zd2%2Fe@CDb$QS(|NZ%Sp_HfsNcN8`s~OXN#yjuQY=>_@ zpwF?iz!H0GUo-Y&@e`ip`H+-8PRTXu5krGI^L&*nYlDUyCQS52Fri>k?Pf+Jj*(^H zf`YXKnhzn5O5uz?qKlr!&B~3K4{{r9%TB}+33{VgZoW!*xp?#{zM)%8xxX&Xoo@03 zB_`9w$!@+Bc11q#Ru%1xTiKn1@o5Z5k4%JQ66O=8*6TNBCZ{`k*FU?il9+qF#?sM4 zFtyD8?B<-Oopt9shaiPs^T^WoO`>a><8}2mV}|)5C$~&;*t1 ztM-x#wp6R_qNexa70o{prUy?8J3z;Tn>McJT|Ff|l*Jgc|kV*9Ba^k53b}P=+Ll zu$#J2^O!|`%s`qeXJH%DkXcg8bt@zD7A%UUd?Tz`w;qr;^WxK%SMmVzeN1zwAgp?K zNT;ri5@xjCq_%;Ak%}t&3lBXbDGvcOipPR_DOq)uIC02y>1pDdibNO*#KzU8hPj#6 ziLTjQQY*G?OL8-*qxxef_%VdfU$XMlX6tNlG>&`q{i0p?=}zp6*9hbsT;GJc71`MJ zE}@{DqB2}^?X_cvVHhon)J^BUt{le$70v(@gA5|Lo@meD{O2#ed&Zjl53HYBH zv!RjAZmFo_exT1LCEB~;jiY1x2uY|ye>JeDnFPOa>V+gR)W~d+V`Fbg)&K@6e(!ALHw=iiYK+H2it-}8ij>0&oX&d-;093n{i}kcxa6v`yoU+w^z)KeL+yG6!*ZYqr<^MRhJ=W6v~>*ox6aD=_%Oo z+`?NUfWaO`jX1*;(^EJk~})<+sJ|I#`?92)TBX&SlcDPkEIsFS}w`z?@1XW485|Ha*5v#-cab&l~OLJ>su3kV8= zue6u=XD2KT^tTF_APf1cO-A)E=6-l8=adp~uS1&8xwVkmD}*O`bVoYoJ$3NawI2{J z6P*9*i}RI0?Q4$bL%Ck-(7_aEakqY##S1@1%87>2Pvc>y+20fQJp0%xaP`^GCu|%ru8{w3 z*$EeKckG{_7Svx|1pC+;`_o!Ln{7jiD)n!rwZQh}i0v&qp+Ly^P2<3lAE>JFsQGawHUV({|0EHvV z^mH*=F_9w&`4?d_k=PJQu@y;KYW()rSPt@w6qHiTcxAltLKAbZWn>nOWgc9A$0d<-JKAH4vpeZV}dbsRc5necQ-$P}and_5lya^YwFh27b5alUrnc zJKE~-5runbWZXSq;}^3@GjluNV^pD+J!tNoY{AdV)0e713A#SX zHWda#6)xZxC~PqI#9u9Z{ate5aT5ohvu4wW+SRV2I5nt+*&VJtllSkjNm-VP8Awk{ zr&E56Nx)(=ql$Y)-@-au=gZGjMk+C!{(dRMZv;6xB1!Qbwn4gYuUMRVip|YBZG3~fT4vf<-F$G5K@fJ!lws)>sPB?;42uPQeMy{-Ic1 zMXY+=-+9ry=^~S^$DjtMQp%gDp%mXYmz0#9=D&OiMpIZZw?*hdV)rpt!W|ljzQJZF zM1*tp@hnTMsf#QVG(DxQtXuAS(Q_)xuxrc+K}HEru7@RK#ZFa}M=xor zzFVgd9wd0vh?Q-VZB{~_IPuBr4sTE7_jEqveyx@<&8zDDOij8c#YeN57m+4!aJZCo zkIZsOs7P5aUC!#O@p`FAnCkssRly^_<6AuOqrSbzOO$Y%t=bXZl~yvMy0AaIsv*nU=B4 z7@+rOZ=if_-{z3F36ahyCmVPjaBGlrM)!=(v{uo@%0jdIkGQeI{ccY|N);TMBnI9x zUYH(_E3(n)U+-}}6+htVZ;c`O@anyutM>*{)%;#6M=c|z4k8*Rkqa7row(!NtI=Hn z!F32GFOUs<8c6W{TwcVDVl`y#$)?<^8!6fi^mhWeqwF?q?-rXGKkg(DPiAnI-RRS> zit#JbxEt_eCa37~XjSC6x$-;bLLSMUs_398>1Z!s2ir;6n-Hj%BFii@hl^0uEPLlX zS{%D~T`Jq;JE-Y5AqDiIrV*8!@zJWWB=>@^MKMwd>nw$E2EfvkI$z{if6-WZ87zZJ zVugCO(kUnFi+;QLYfVueLYcGJ0mWwq38K4R>(0JWT}sC5iRPtWerjyg@{wxyu^S8Dm>Pa~{YFi$hLmC|I^bs~(p+FApTl z;Z~_TJ?V;Bt>8mNdLnf$->F?hawFGto>&S+Hld5k)oazmmzjEN=I1bHs5sjoZEM2W zsutoA#H-$JgLbAguRfYQE{SW4@akQ5z6#Byf@bF!ygA=sJM&ys;%5(+_4J$O+Rd%P zD+q7jmu`)d{^(%!NTUC6+6|=-gZ<_j=O+iX2l3be3t_5GVtN@5vhS~4XuT(c&aXo& zgxdUZN@eqYM>K!flZDm!_&okCq^wI{HIG;U9+Av_a0R$Sk-+5qvlI~wNOk|~3UKE< z9kzpnrG{-|y;Q;H?)P^Pu+*?!^aX4eeF57=U%+3p~Ptx&(ws+Tn%nvW+ z#0#jcTyU~1u$BL^l+zK1SUV5*@r1?;^8U9y0=u!nNfPklBfl3L4~+ZZ6S_U&98YY! zj{y%jwc-K}_`Sz~2VUlc>tAn2cc#GOiHrv%!SI57J08%JaHjyUrvpm$Zv}SbQ}EZl z;eXpG!&6QmfX=-e86T+9ECBA^Z-sW$L-1Ee|9^|@k9)=gDoz9I7ra^xyy`cw_kiyG z#mW4UPXYYZbv*sa3yvd!dkK`K-VP0%k%AEhl4O1>v?CsZeasSY7zW!VOZ^HA0{AF@ z`I`dS`@5GLsX58OjA1sZI8GUi?2SAw4XXKi z--?KJ8c7I3U%OXCWG?kuPyHEpu%WwqX|r+khivxr5#{UUY~c?qzVan&kO>ez@UelOJYFW8+<1z@?i^fsU(oQu18G3r7~sy zqY@KS#MJswO3ICpP+Xd8Av8ZZ$yB;lLt`KHo>LLLkb5_2py#GJRc@nbC^cf@oI8e# z5y4aMHZ*VB+m1ix5Rh&ci_v=jAKua>F4eul0_ZM8sa5gh@&Y89L+G~G{^1bTbgNWOr z*+v#M$L<1+U6zDlIXa~}lvm#MuyLZ~oS%!mtF5ym@15-*%il~AXqkt7u&k~-Uofq+ z3_uXj8zjp^dz?$%>fmX=-oSV#JT@HKU4-)jdHe3I*reVpqcpKEFC&{jP*oAbd90w< zwuF!oQtr~c4QdMCc+jgw@7BlH;b<_dH6>{NSvIbeoia!1iE_?7Grif%%AHLlBy5@&@PjWI?+z3bUr>kHw-3?Uf z$QC7>zAXoV0>7%rcik`f#S_mJR7;D)7e^DbJT^293fU@s>K?_|25lPDi&!di<7H)1 zt(=NUWH`o8^677y0|fI(8*^F3ruEvjrJ~D)3tE*l*I(hwkbaH1VuEKm>eeq$f6GFx z*S%EC>T;DOR8hz6H!03?Q|Bd#(>#%i`YZC`EF&gDXRdgK;L`ci+K#&QJ+B*~%6WR1 zkix0{$;Kkdvg`N_(}(wR<84;W3W;K^?^%7ePiy0DClUPRmW5ly7N?lsaM&JHT^|C($X|vo_v>QC2(2k`VASLWmx{Cc@NcC4>}YL z`Lfa{SC-zYVzqv?OU-$eV|zy3k?F|DrS&IzC zmzhV3|D1+vBRgQ7uW})aOzs9=c|Y&dMH|#`YhH(QiVk|k)>EWo)xDX}SzGF3)e@5> zXx~P$T7O=TZpLu(k&vlFs`t!<>lrc9wThS9P-M3Xv8cNY93>=DrYk4cB`#{!xuuoJ zanHq!Xe0GtzhIn63LdiVl?t*QDqY`Dd@d+6aHp0@yW?SOv&i#LI56c6H(z%--EGDs zvz+0LpqTjJl+K4+C|uI&>J6j6!Z&S%cHuhAGrt-i#|zjE@NlcGWZkh%v<-m@h*)M3 zh}6s5H$-6=aLQ@lF_kkVYGDW`WVQQK!LJ3j#CaCBzoWu+)@E`N&6D8ei6LrH)vG8t zuVTfLXl?e;T6Y%bNepz9&Rd>_SvZnD#h7Mf<#%`LHehGH2r^r&mueU%Ri)@6tokRH zo6{cJ(jyg4nCD%%**Jklu=lUo|2b)B!cH;~SZChdH{mqxy*v5wjw1kFK# z>xKP4y1zCN#9x9%?I3dra!#)5(6v;aae=pLyS5RoJMQ8opPzX1}3YG#MJ@ifmGwgt&6tJ50X^I zlq=LV=FrW|jXLlr!x4UXCTo>3OlN62?F?9$43pNF*Cw3)DjYd43XZVm5JPN~9CXJ8cT@ksf8*my%N zAUhgQoi{!rTyQIU2j!-V#>2;xm7-r#_0lnyq?4pNwVnG`QzEMh-0oU4kj@)yz^%5B zJC6_vG8$%=$l9umz3F}iBSS;>4DE-GlnLoa=o+;<&zP=;LlX#o)1&pZGK6BmqGlq* z6wNE|TU$sWx)gxIKG(-7_HZ4>ul@&gIJs};F~rC*b>6=dBYUsHqp7idPl^*$V-V%h z9)YqaLv|q1BH`ZiU;~84o~0V(>wcjEH!xz{BRUS!BHU~T#0NmF`~QAGoE*4ga38p1 z{7QuE|L()X!{42L4|_3=PX-4>May!M{P_=A>i%DQHjzP^<+6h#B&6#r3&8Sh zz$jgQNNZXg*b7$8NJa(ur7p&qwLM4g?Qe zP@V(PH2e;BLG{jWu>8ms!9ZY30qN`U`#|nJ$EJU|B7}H^P~E=|ga{Un5&^$mkqt~9 z2l%(&2SS=@{Odp#P`JVgw#n}ULA&e|212?v0XF3Kfe=%M|6K7jfF7*hf3y*2D2F&w z?RE(0*?_axX#u^uv_l3r#7Du_uRxd_Nvgh!HbGXAkBx&P!Bt+W-QSAmu}D1%_oJO{ zD^dfZmfIndIfP%sq3orA#>FBqHq3p{p)f;ekVf<2K-G ztuw4g_|oc;yvgDXOEdpT#jC|(s(BR2*Gv+#Ks(8tPm3mz1wy3+yjraev(Mp1h}Y{Y zWsH?2cZD$~f_Mif-(*Cse14A!eW&=^`VZ9aL(fcIGCFQqzBbq?^N+wq7!aj&GGoE4 zXDeY8_X;a6F&Qi?jaYg3AWeugf9XO<@ysngH3gzEl`s8k`O>jQmU=C-98Wq+1Uh;Z zf6&BWFuc-4K|sa)*pPpdR_(smgY4VUSD#MP;aW{UyJ!!8jRO0jvh15WT3ddU6{&e+zW;1OM&=@^-(jCb@6g*Y<;LrV zZO~m()_yU|sLwav-gf74~1U!p=csqGY$kpLHw!N75U2n(mjQoQ6VRZfXfgVI(N!Qlg zT)MMvS0(5Ii^2~r_{a(T1=K!T=Nx#^pk^+;J73g~_fpkA?rX?nBd7W=<|(~zB-EP| zN@U)wEt~45;BjNcEy$v>uZJ&f>yRw!oiDjFmzFI4x@DN1ax@(`Y>p>kq{pE{eM%r~aVk?%U5k8n1(PId3c@A{3Y~ciKi-3Vbr3 zZou}kdAR05<26)GUg_C)PH@PuvW4X`e6(;P@xxgW1cr&-_Umt$$C}+ZqptPb-yV-Z zXQ(!F*+NCTwUmoP%XZDQnPtQ7jY*cRXsOj}xk(CqAvnxeYsuHdxSF9=;1XybFTlX3 zcd@u={*=u^^;1nscx;*FBs-W8K6mas!HcXkzjUbJobfAYBX-hdcTh40>hU6-)LpJ- z?c50}6={n9vXY=Iv8+$Gt9%uS#O{U^OxA;Q=T<~0^^#T2F?9uzkWg0L`$Ww)Tl6N; z<}LiZ+#}&2KmDJZ(C)^audj%-7IkyH5XOZXgS)dSD-=b1OU<#3P!oURGAFgYt#bEk zTqenTcW&Or%lz0JJL>DvSTEdUUave(!Q3pUE1p+cJ39Fa`l{kKceNH}DZ5P690iHP zqpm8o3li^tvf^IIseGCsVWKQpXv}rdm*XdNXn*~^V-V#+5`1(hPzVfW$UQ`$5N|SY{04_Gkh+Dm zp8%hEPAI+l)6Z@HuRS`;|7&gVL1YjMa>%3{=J`M^9mH|&|0+A(pZ~LojFoji1AiDA zj|k1W(FRghq19il&9dJd&=1UFizt>V#4)zu^p@^1V?d0 z>Pp!Feu1E4P+E23UONVa9MYc#7OM#LSut;8-$1|4rUF~ z0fP-x0G=|oKNocG0dqDt!oh;FK*|Qeng4J>SpbCLxv&YkQ0=Wf@S>kioX{F{5Go)7eSU|><1xjiT?v)kGUeG@c!6P z_f9E?H_m@UzrO5R*{VWb|_-z=uP${@?`j#zr=Ceg9^wM?=5(Y1O<@D+~d*8YYF6sLCc0ipw=ld+G zVeSr%Ksd6nI+gZ8jc*KsTIhdB1`crZ{LHhea%cRPDcsOS`{mzklJPa*!b8vRoEH|fx+uj&S^3Jfv+x+K;g6! zST;>ipOfHpTfa(V<%fkJ%l(;#myR8p^=(PdeUo=%v_{yi1yMCs2}83~P^3s$cMF}9 z41EfSlY{h9DS|I!fGq7LQO_dx44 z!mubY+~rB7n93cYd%fzGWpo`or9gdb712V|O$nRk^|1-ppN$QU9(eX2?$)fl-)_}w z^h1CDdDF#xI{H}$id8F$N~PnC*oW>oY9=a6a>Mi2Bolt{_m00=9aR&`WRlr}M;fl= zRH-%DPzg)Ef?|PH<4WL=(2COCe2(R=b>yOIl#k1-+d|p9#98gfp1gYFybM1)EqFDi zil0u;P1h{gcoL{}#D2Va!!qh>Dv{XTItEb*c~kQr>;ayHhOerq3@=sZH>y^zlX_qj z@RnKPgb*0x-Sy4l4cM@6h-cZ0|}V$2aNUepi?IL5q>LGfRxiyc~7e zu)Mv7zWA4mjIGScgC;tG99 zTjAOLIWrae@q=`Qld2pXD$=?OiQzqNv$~)lp6oD6L!|8~O}4VI31>ZGvLPn{lE(gm zF!nzF*3PT1Vc&MNqOWPrm#Q1b`lmq!5x(jS`r?_CDi)-&vC_4TY9LZ2F`c^%hh)@k zSZub&B}HQ>QU=SeQ!ib2$*WJ$>k^aAN-dd%0F0H{-Gmgx5v3{p*!4{VYq$awPgmH~#(FOm_3)$4VY0im0V_x(}c(vb4 zxsuGA0s~Xdx1QtM>MHlh`l82qD`Oym^Q|u1ZquCt?e06`0W3l7Nk1zlvNX_h#Pads z$-4QaZsz9izV947FYEJhOVHATaWn_K=UH)b zdE_w&{J?aMd(YejAZq|?_Yn1-Fb?wh0AcSt>VeM($Q(eD{h#|&1kb(qI}cxQe|HQ# zMBc!!9MaqS@bC;AS%3$}2~IJ`prJFguwey|gB>V#ISxW&13o}tvQ8D*acAefi9gdx zgEU_NYRbbogLv!!@1*}T;5Z_Y{JYg;1s+_SAccPr87s&(F@u!%sUkae&VH4A{#|Hn z5TPdoG44+q8#qM*q;<;3{zMylx69eACL1_HbAvkruQ}ld_$d27G7unJ&={5l0bJ0q`z*dV+KN=;%vv| zNqxb4p|1tbR^y znZ}6$j)aI}L@BAyWL?hHE z-w`ShSVAWxG@{*}(_v}ksEjB28mBS46Ew;9F(~QjC9T#P1PMjc6(mUAei7pqNuKdW zNStqmvw&->$&Gv?RbwC|c;gj5nTXH(WIHz4kv9D1zG`0G&?Fo(LKZ%O*J|$srPk&e z9&LB;*Hn zHtm#kRXIh4mo}p|Vj`e-tgY{0%Gh|QN#`OgFbHMeZrQTybKOjO1g~CS_$WTOV12V1 z{p++oKAj(qjmjq#D-VMUmx{h!gJsy7;}*ZZ=A)=eY<0D@hX*TU2wso56+w$Q5V;;I z#2=4a+jn7ks@Z3h@S5=F#PjKcXm~&SLqEbwd_=vL8KcbvQ@oxo%Jfl~Z}Sr$Wq`NR zXA9f%Mmi<@Kmj^E@8Z?`$<0UMaIy z^pF{SF1zOc^qU$tP^YJ6ex{o!V`Io5Jadkw6iEuNYm4QgAseZkkjP7HBL#IK5Yv3Jf* zZe5<#Oy`b|9*y!wMY{b2gVa`RJxXd!=F$a4W*P%Nk~wyKmgHQaYKD!*ayii_^ej%_ zr{KG*xW(rrEL&*E$nX-k%<2ps@68}$h6WiqJFkwLloVOTTfClZpY+YRc9pBaJH?hD zgeuPFdJVVxBAjnUe#+OpnEYH}$@7G_j7MTeo@ujFyeq%Yobs-U0HH9WxVQoz#jW1`&T6UZzSOeSL&c3JYLhTHyCt{D zm--5JIQ?DXNAs=9$oEMk+Fe*MwSJAL745;-bJrc}4PoKQ^%1TIBIj-y!jn+p&|s%&l&Mp4$T+txwj-Q&m$_|N zS2zL>a$s#K{dET^IMqVVWllJ%TE5>&!a7HW z{yZTt+RuB)AnP&)cK6SvX5|^Y%^-w(Nsf3t(g7EfywhU@<$pfp(B-h7f}dzi@tnHW zu&VH>?m2x?MorJ1=c1ap4aKD2hfv&}J+qhNxD}Q-Ty}Q^W`ZgPJ(?pLO0=Rg`P;YT z)^nv9Z-&?SyHyz&O;P2q)?K>R*;|<7wi#py5yLYt4SgHNzRv>$%>X@zd?n?ly)df=GxcGch(vvGJDag{7O@gCv25vO-cjkB1gni+w${ zzK|j3e)52C4^(CS`?3F+!}b2(c{Z_u7DBl`+8<}@{i#2j&hoK$j z0Z$d$u?zYuKKMJd#116&z>gH9=0QFjOdCX!3h4oV%Gi!s(O)shU&h7?vCx8Oo`Iz} zkgh;v|Jl7NYU;eR|Err+ME^elz$97;>vQ& zKn_6aupHBXj^~KC*>M9w!3i4xqkmrUH{RmtuE+{$-f)cM zdjFMtIII5+oB!7o@YxBVd5+Yq9Aa~b+~<_od;uR+G;^*m7JX3oqRtEjqir7?HH^~G-sPVH7RXv4I*&WBx7pLgSyBWQ5a@s#-6J68O*8a~_B$VGAIM)LQ0>-jfr z)Af3w#UZa-M=> zFXCEx;tJdc8cGJoX5ncNGb`QVb1UF3oe$+%`f!eP)!Vz_rytKie@X|BL>lpWXxLi5 z;*ZUOQoI=*a)Tf6{3_DxKHST0R_0-(L#T}0@?uu9^ z!qU81ljYFY!X*z|4Yg`3j@6X!7K?57`$j@eUi^V(xn`@MO!FOR@1Q*h}{FfE8(B7R#+INt|t4g1g2h7d2UW*$}Ocv%}?n!#xdIx8$ zl){t-?nW4sWJZIevR>;A6zA@;AqU!*7?%X-QfQ_`7rh_EbJ;Pp_g;s(v*>1Q5mx!2 zedAr2>0(X)6S|aKN0=14wgJZH*jb@`j}l0V-Pz~JGU#pJu0^g+$z`eLqE@(SnMe|6 zb%f^%mD)N!;)kQadAd{YcAwar*7F1YY+x3SH{L^i$}&quRTD3x6ZyD*(U@B-M8O_sZeO1;8qS2|C7Mi?=GGS+Lg<00UPRCLkJ=H?rUJ(=}kEc{J z`V2AiwzgKOXx`&u+GhLi!ZJH3T{ub77)kpHf^;YafR3e#?jqEoQ7CRu&ycu|h13;)dh3@_C#0(ZgdW;QB1S4_}p}suaP+4}nC)_z0{?#eEbPkYP;2aHbOsO)ocZ;960q zx_w<)ca&TY5S}EkGq!I_|60W$$JH^s5S2gErDNi9S7gMZ+EZAMclJ(u)Uu|8z{le6X!usuKCM&LIt~fdm zs$O$CkFbVYf!x`u$X{u-SaCB_oxb4u`k+6C)l-|%x4Ef07Kkx)7SYzhfthUGCNPXv z?!|$;SQ^mx)QsMbAy4W_nasT4Ei&P9vVQHS9?$=jLzeZkf~fd{MdU&p)mzIUwvtR? zm`~L{rVFUOeR*k~f?}v#wak|!Kd8Q15B~6U>m`Q4QUfWB_*bf662pXGl97=of;T9$ zcDG>7yYlD6#j^Z7d+1!uFR&s|@01LCOvo&5k%sJ!cRlhz$A9<0SnIaZkKMKJI*Mao zR01D(wZ;k7$z>$i>!*@OlP~@lG8psfDqd`BTcvGu%T|>Ud6O5o;myjHf6mbr4}lnE znDECd1D(qe#&4knUU3P}RAo4ITjjDAbep}0@;0kK_fi&r$-k}e5;Xp#FBcBe3ewO@vWaQPDviek5-hnjY=|Z%@3SMM=Hz~sRI@@PL zKjW+6H&Z;H=|4uoyYig+*4TYbX#|BqDv7*){@j8l!qKXPhA|;@=hB%dR9%}=b%{`q z``epj$blW)k;GFkB7&uKCMjQq3L-`I48D7NPw;#02vi1vZ?>`&o*x2xR87MyQY=;f zP4tlwKPt6;mi#DD1B|-snKZHwix$!FTm4Id-Oqn}Q-+4-AeAsPF8_Y{`}g%v^9ya? zCuVncY~AeGuWlO&3h?sp?&{v!W`4wCNEuXBw6xxlC#$g`al`1<{wAyngq#*Vs7)ww70n-PVhTY2fa?56y@o&S0ER`wH{Zz)Arl`ukOREeW%-3|c6r z(8Z17`oNOWGUbcDg>)JCQB?U_DC$8lWR=*PZ)x4B?pg=Ah5e|ux9v9QcE*SzB)OQ* z!cL}4iL>T4_x)ZwxyJZv zjl)CH-vOcn)WHckxPdd~A;dkEFWfN@cki!0o5&6!?xCCBA;djZXvd+By_Gnd*no;) z?|^(58$^}P1L0FZ88T?b_wQisIMi{(3F+@v6to`W0g?}PphAaKKeB@4GY6oV*f~Hq z>XRxT*nhVm+~2NeGie7~jSU3G^Q*{#6Vjvo|IVfyaaa1gDPskp0lh3>0a$>786@ff zEe3Ho1hD1g(2m<`dpGsj%-TP(9ZVaf_Lv#yT-m^S0*9&pVXOU`CjGm4gLGJ8fjl*U za~3-g>#{;hbs-9H(6t*k*hCz_{Go%o6qBkp-`$>QN}M>n~B;8N+_evH$GZ2D02 zoQuMfMAC+@@^1S1ICQU~e?VN?lJeSO8_Ze1xeEyqSz^9UA@%X+&_ZV{EWY^i8!igD z+SWi-Vnun}OrwKA6500FJ6@p9>0Qb}#*t>@AAF;d%X)Ffl$r6fueWRp76WEsPD_L0tkjip z(ZS|d7iu{uV5DNdv;{h_Rpb=IWrPd*Uv8KenO)VO@$@KFsLIP@3YWOaDmC1QxHIMM zK`*Cs!KEStZwLu`7?Yxbm$LZ@q8ZtOWtM3VWs9=ETk2rQs4tCS3_J4}8e!04LVh4| zv!p89{pIY@E}IxC-R~H>QI(zpb&hJ+5zJ2r8O;p$98^Aed##RtUZH#* zg}-fI(-MSYciZaYCL_IUe&e&&CJaq64{AkP(V@J8OH_1y*pp3`cYBl8+;=hAInn8! z_yi3}z+okZI!1l&V#|6q?a(JA+?gGt?v*v@!7CpVe;2m`g^8tgSt7X;s$b$cRV20M zx4Uv-75a>nPC^47kK1%o?vr>>=8RR=s+8D?#qi!_`!Yjz&!$~lH-z?LE(SgR6Sp-#-+4@lxne-k-HCy6GGx?xnu^RP&ou$OqF3bjJ% zJDZ|ghbo?*Nh*R3;_V~~Z#}zKcioOA7=;Ec(&ZZ*3$3c3yal*%5;|Y5bfpbBb3}@i zH+5Izl4vfC2f!2rt$H*ey|?ZVUAGhFlCtKyS8$)yhhJMdcIuLn03~S}Hd2e0u>4l$ z8q{hs)8*$W4d_e2ei@D9p$DpS?k-q__-P zpXyf$y+4u#7p+e-j*ZS4rjV9OF+V2c2`=m-sjRqDd&ead`bn4D@y+rpnIo(GN~!uojgGgnU9p^%v!7hQT(2GDMZfYqMO%V9mW;tz zEBhRLzTLd>JhNp=*sw}^A#D83I7edTEE558*rDCGL)wEHW&!Go7jc>3?!pA?XWSt^ z_c+{!^yjF2o}mesa`$_aUBYIrtvulz{m7;pe03K+T#L>V>qoQ`2ndlO-DOyY_V)8; zlv%t>vAE{Iu|n$O_M^j|VL?`CmdTSv?;%1HW4W%G@dbIXpfqdRjJ z8;7ht&(a%?z^pUpddDd_%D?1FgkF@fqgn@VAWRbyywP1!2=*1-gd1p%dl99LN*9Av#(YlGd!_?XELi}JR zta1adUKT<8jO%YDt@gsx0!5y`X;g0TM-{I4Y6MEgZd6gW`{Y7V2u&uNPt8JM$d~r? zf`xF!Cpb`Z$FLt2pCF#eVk8#9bV~?_6JJT zRgyZroO8oFC|(Z*H;+Nv$CNt$o_F7S-yF@m@7IR^FKGL~{|r(Bxrd&?!Fd1cL7sij zl?I^gJ+BzZ*8_CT0V#I}pFxw={jUe(4_d_V98|UQ98|UQ>>Vs1KYxJI531XF4yxOa zpz||y1Uoz_axsHcDn#lGPPNQHcFqO9a&dE?bR6UO-QH(^o(@kPe|Pvlz?q!DP>ls( zr9+&#m*!$Qp-A>moVmAfXA{@~&g9?%Ko}(D06v3&I3V)}Is>l%dmEbduV? z<<4eB|CzUgB?Z1ifMx-veW3c8oArdfc8tr_{$t>5VmsJvkY44?U^xzV8^lzb`vfR= zOxAwyxpX#xK}ZY^h+_gM8RrCk?T}&w$aC#9ksY_!_8ygI92x}pf%5YFQNUa*#Em*6j)~h1p&mfa^HRtG`j{X3|u+y1RBeq(0uP5cQy-pa1%fj_AG!uJG==XLJ?+;|KTq9l{EOfIfM9nasuEEX$imr zwh0>tC}09Fn^T2$>}~KX#qgK00W%tIAay&84fv9R^#qkKr|Y16gV#1Iczygn5Qy$h7zlaKALE(4P6JGu7?dL|9dk9Ch=cby;E6H@Ej>t zI;87(PEXhEwL=%j_8bK5(4FYob$!;`?B-<@x$LY=wmulMBMxw0K*AQX+gWn|3S&6< zDwf-7O}~txdd6dBzOqncsU4+eFe-Mf&8F4QT`JtRv*vqNpb>#zv@7NV*mw+^WOv*j z#7a#b3QX4on$z?+`tU;yf9jWMT+|rGQOTj!MXFrPQ&+j9p7U7O=DxO!8O^%a+Y4rf zl)d7gaj{8oKFnr+A8G6HST(r|rTm$c>1BNif&$*{cW(A8wCnb9UUUA?Qie<71)A>B zt;^cCXQJw;(lBWVk;P|)it#>?mf)r_BT8jXZ3VF?jczYMqZ_qRr7x$njOI-=Cbg9f z3MG}0Zg{W4Nt!z))fnIJE8|*1f1gN{$bkO-=WRDz=W=d-?yJ0>UaRdNKc|Y>VT&Qn z(U_#>YAA4~TLwRkGwd$pMZWLHC5m*OIh#4?uHT2BqR-E-O@7mD;70oR9M=*7pA?o2IuQL?lTy{j_8+O?!VamnYy;fKWTy1`FbB!qS&Xg$DiGKWok z{MN5*PMH7}NkYRLd!?(b!|_VX2XgNe{(6|FK9qh)ad$%`p)TX)pc#2&c#D*CVaHl% z1iNY5;Axfm+{ZQH6S+}k*{j6x?AEMsG%c=$xTNm~ztzjL+4vDIX{o4|Uv-tFNV3H* z7x6u3fThO!MhUwuKDqdXe~ddt8ubM;r)4UX-Q_AgQE{6>> zVkR!QD`_M`AJ^I&0!dCw#J1C?M^g?$_0@P5Fz_)=|hT4U#y$fZI6`GIVnO)eN zqYd88ThNTQ%4Wy)etdJ~JyLD!IxP}L*kzifPnt=u=yvm;E|}h8)vWb5wtH*xtcz2d zIbfNH-Cf|Wl&GW1nqrYB6`ANT9Tmb>4-x$J@figcW%X*Bo}8Q2y3XCX9i)Db*QPPe z!<6PA!rHRW;_idECJr|TG3yh`wA7`D#kB`#oDVn@HB zw*=Gg(Bl(=w66DxV%b2J3yLN%3`PQxB1Lcoev6`7V~*x$;eAzh@-!%E{uNPpmckbsE=^;O@d)-6jR#i)NO9;zE15^U>(z7cR!Kg3c)cn&HikCf zbILJqeZ+XT9*zdZRmAFoEu}xU6AGiO-YYLf_D(1D=oEq;PB)5%T%VBW>m08nIj(sY zzBdV~7!W}&vU#nYHJG`j@b#X`(i)K-Pp85-+>t@CzDP+cCKBHrj%N*OKQN zZ=_1PnV56d-~}XyNDu_{-!RV;Pl=v}yD?GIOAGkl_8eaMQ+I{Q(1Sx;#nzpz1cf>vkV&phX(VrIhf>#q1 z&5goj*z4vmh!YQ}&FL@=R}fU#4sa~5xMX~{5Zm>Qau6-O%dsKb6Es5^SleHlKo*Z? zuG4>?-l^ie$}K7tC$x*DG_Mn7qUoG4qQ9A?7oe=oc_*{9aeZxdq1qA`D)`LAI#vFt zny&UsNYXdGr|CVEbsl|h6-ImHcZlZI+lgEymg9_^7rCqRm}bqkoF8mFyEQsHz+?sgXSB&Ns8?v!8D8Y#JIbJS)+Xq)AX%56Kk8x8qosbY+!pH3%z8jx;Bh zM3}z%A|OU)!{AF7h46>2(b}394lkYEVICO|Ca-hy*cVBp3R0h+#@gIu7H?1^-gOun zd%xig=dT_n^8y}Th@+E5wTiQDCaG58qtfi=b1v?i=UAY=o>yJ_Abt#e%KhuPX8!>H zJAHcS8}gq%n-FO}ATdv*Pa)oHdq4M2I|-gWUur;Wf>Yfd4Z3G42KjtIpYAz#K|b$Y z0en56KM$-&cmS=oH}1fCga>E=_CFucu%L8#|MR}s=?G1_ckQ!*p9kk|h{Fg3K7kgO zz~A7sBq{qJB)bke+*>Uz&Zj*bsBG*%!7?5MIpG3*CF#jPcIYUpNgU!YUAnKli3DRl> zFp&_tgN5yc1Pl8g?GyGNh-b5)hnyNG@KFM(pMN+tkUL;!KS7Ce46}Teo*0*brRqA zXM<>n1ob}@&EGwC*?>41lx81>#?A@a(1N15(}l*u@yC;G&%)+#yFo~xy<^uYsI?)~qrpP98IRy@CuX-7D>Q!#6R z)&BK%`iEKr4#uZc!oAjzRvMASs9mFX)Z(c~PI@Np4jP?M8c4yIGErP>bFI&fp_GUu z-PvBa{pz6~At53yBhl-!l)hcrOXt*}(Z?5S66bd}0@_H#OEOvGv=K1T$OR}m@@;=DDNA-}lD6szGD(Qgq^?K3!>Up=5v;uqumd4VozwkPhxvOJe< zK3kIVuoEH~Oi#~X+jfm_+xRm9n4J&a+*^d#xRDug+|Bgtn0;3^p~V?g8y@IXAU;>_ zHf?AdpAnchc{iYmUuoWkCym|s9kT(k>{VN(OuMncJBzRIW=1}Ct`Dd6d`x^A?{8IW zKn1Q07$}lZ(##jPhK%(#I%-l)6}(sbRH5=_b9l*yjcppWSq9DsOIUi0`UgmcB9@K-}#6D#1ORFTXu*_JOa(WnZy+c$EnWY*}pjK!pTM>nO^-&CZ;QENP2qhDxY zy5EaLGVCdbFRr*E?nfMi%nM_-GH2cEmOL#wbB!i=fPhwlVc3x422AX0UI(@~L=>j= zp4o{sBi@?zn{n>6wN}w6jTTeGFP_vaUe}p@;f!qNm#U5*dsh`v;%4}*=g`6JI?q*u z6yGw4Ww5BRCgM%wg+9&q{=$)P`*PH>3r~A%9`G#rN2+-?z8?j_O-FTwuBOU`grM{$fn%T7DSZs zx7rpuDsK|owREo!I7<@9clBnjiq{Y+7$EG_lD)CsO>ejA3T}ys$~CegFrCdR?DKyn z@Y$h$0!}!wO-CT~t2SesfZp2|>Lz8Od+xX0j2hFtkVfVTEA@1p(R#T(wrtf^AD$j$k9GNC#SeEO>tf1QJMzs4&acny8fZ6! zkxMb~O|cr48Jtb9$PEiI(<2|rP)gkp!K!3)eL*>ijAV@~)%w|MN;xrB7Vqkt-dsT& zMt}J_qd~%#(cAXzVZ+Z_*E<(hv^>hoRei1FH#r{`yqJhBDw5=*=d_X^#4AKUhrb)+ zv+$53%4hoCn`=y(8BB>a#@it@;&8pN+~h9jPh1E! zHWUj8k%htV-kig|%=nHEpw(vYq7#v3q0Xg#ROhGPX->xRf;VcuA@&J}!H@jDOX@pg z{LktP<&QelG&lp=uEkSV)O0h)RjNbjQEkURy@=dNMU4Dm%`{oJbN3#ViIyAD)uApD zWqm)`Cqq}pZjfo+@M$5U8^vVUAf$Y-EW1T9wr-KhI@_0a2_c!dqi|*fHF%KcVr@Jo z?nGxlRrbd#JRArZxJ!s15yP#sltnzQ`#2rK zw(<>Xl+7_$qmNfRqhp^v@LU*pAx+#Z^JrMx)hflA?R@Wp+qdQO^4e49QXZry#X)O8 zORPLh^~{=E;9|2p#qiUR4KXEZ;OIPWEg zF5;kjh@s)5G+!igpoB0@3Y7JOcr)i}Q34B-r*ZP<yE;4BGv_AI!t1QSc33wCv{zht<}ePwSlVV zw^Y?UJ;@xYJg@MU#oxN>9w4MCgP}6d6J45lk7Vbbv<7CNxv=Lo+WSFxERTtxMw0JZ z7|n$yjaW3Nmy)WB$B9^G*psjGUs}a_r6)6bzhg^S%=Y;<-_J^3JbaP@jE}Iev5&t& zYrRxkGuGfLqJn18QzWRR!|9M2oXdWjRrz^Y@ePyX=G(8cNnV9hKVmqgzhu_xe90xh zD7khO@o{AHpBx)_&HtKp+&`KAMzS3o1&)Xm!N2X1TmJ*i#=?AH3k1H|C(OV%`-~g- zW}h+x-|TZ`;G2E241BZCx`A)@Rf`~mec2-T=J59%lo|fYtbw2Z_4N0bXK!$90~iXl z?*kGYi1q}KYY^vQ4oGU2^CaojpSS=72MPV~ymv;yfgm{{`XLCf09+(Ez&V_Q`2?vS zC|>#<8Gzt^&4K@2aDbF#2IqcuK(Ik{b*x+v6Ik#W08%ctlL$7B-#HHu+OHVm??Qw0 zSb=2i4`bs1+9pUc{&cZ%{;pL3vHf~-{=3)?2^nC>14x;F3Q{4s9>_fYUGe%S`v*e% z6_@;7Xb?#U8`vRiKqSBlo+1#84CxAbs@RU)Csn zi97yYIJ;`RgGGhR->?02ApSHbHJm+eP4^yyXY>ex=$jxQ5?K540IHY`lrD0B)C3?z zPmb-_HQjqOpK)-2UuFXqau6ve#H|Y42#^fNzuyeUuIU-pXR{s5+`*!PmjNIH0ZRjP zSioxT#Mn50ii86b%P>m7S8JS@Ac219) z*o``Be3J+|t5||xN?1?=OWMY>uX-oA27cXZnc2|b!`LGYE}~6XbG7knOAhDxe5*8# zXmI%g0tAr_yrh_4%4qTpD&UOaIkh{DPuQtIcH$?VeRm7K(VAJ2azPIwk>$Y2ipVk`(3r)@2vt(ImS`AAP4mOo(iy)5~sq zN%*qJr20y}rOU_I*~c_jbPI<+Aq2sdl5W0c)htk6m3{Z-#VgJ=!zkLC@kZ#R+A?x)#QWH;=-XRUd%l12V)UVpzgC5TE#^hc)EI-Fx_gC_pAr;^ zeLuqai>NnG!caN%ggJ_hqSNdItMyoBS-K<+ar!KG`wp;fYW-}Gz$0YVCP1D20s(E zFD(@nX0uNhbY$aC{^c6fyN*Q;J47Nn^JIyLA#kaKJ{!CV_bgNcUa?;p=tG9?%ah6R zDz0A+>t_{){fV6)JH)ifK0dCXXHzCr@aT0b_ICrel9kY=rzy|%Q7|=?9(-2Nd{U=H z799{YS*&cES>C#o?~GvGE%Jl1fH&Bi^h=p&OjD4zjOD|6g>OyCGGz{<;@q0?P}hVu z3;WtsSRO#dV~Dtb7EYJXaa36`)Q2@HLd!5HLFXnpzZHaX;8+sHyMeB{&8M2fAYC@g zuk!?5`q4U<$ zfUk32y^FUhby1Xw_({%$>G*oL&lgNWlFFDQw77XiMW}EMSt&_7Qh!aq!6<#ApLvf% z4R5`CA{42j1w}qDjVWnavr+nSf%S^WU3=pn=_X#J^HluCKGjDp zQE8$UNtL@nSkM$oP%YxPi-;c?>10vKcyFC%_p5p=>^S^wWs`cAOs^fk7-(Pj3+O+< zM~@(Zx@y+ATi%t!uSZ#}ptJA0e8Y=>xc=U%8nsJyrhswu%FE7IPX##|*#vgV3i_=S z8rv8(*K=-4DOr}|;$P14jWWZQHNy3*Q1p2@cJaRN-0;(o%h$zr&2BJ$Bm6$%xGXjW z18q*E#nerH%RkVZJ2O0i1c70EN00bc)cNXH3Cubdt@Bu{Y;G6WuyPm1gtfA8!*=OUNoSBeFx;dt{T$A}cd{@4ZL% zCYzAGDJv@>vXhxj$;wWVmG9$-*Sq5V%IBTm?=RgdR^J>Z8R1C8emFCLZ?J**ZB}qh#qcMF zDZsKG+Y+837U$3fVF9MGff%YI&=J_Of`XcVK$V>2gB*;>(N5&=x(!l?h!O1eSU@@y zz#apC67rXw=v20y=z|>0lQS|7?C%*toY#?Y%mAbU(gIIs+es43S#o>8p*5s%BoiZm zz(SzDAlCu}>N5d12~@EBg9~z!Hg$&F9#8?8mIdOE|F8`LLk8#kr?laHIavaiEUrv4whubezM53aB%*^dMI5XrVHI_$DCc z{JU)@Ez~oF<3QlT5QHxSD+uHOo)|Mdgs}yD-qYB2;zB*RHJ{N!Ju(iG=>`@BMBHNo zjw{1KHrbydI8K^zzaVP~e{nuLAKyzd%H>z=~CKxUGK;;&6Suks~veI9C~)^X73rXvU5-X1yp3;0{a7hepu zVf0~0kYK@%8_%omtTcP=HDlaJcPk#tY$Yjt#8q;>C@RS=ug4jQsq^iK zYO(ATLj8B7o8~$9F2}STppBXz=&lH7m2|%(h2B;Vy}yNwKwZIcTrC`EvmJj>`*FR!H!pB~exbL0tC`{c_WTz^TU(yQ2Q|D2Nu7%y z-0X6V?NsxpnB|5PC@gUm){sWV8Yjqy3DrBiP%$k`%kC5xO^LeuC(D)xe-#}KxxP82 zEwRg7D;kv$KE&!7(cM+xZ@YN8c*)oVj=m)?t4LO536YKN!BDvpMMmOaRZ|P)!mKI3 zvsS4{uG1#bbCZ-0I%c`7YF%X;3*pu2O0zfhVr{Lo3e=bk56 z!jN8T8ydJN@@CxJG%ul|8mYD*9jTyRXnj%zM<$FZ9?TAiP7x^zP>rrQHO@%x=U*t* zp@pDbfY;3HdH%tt3rWs&-8d&;YeV_bwf-9ZI%he`ueesoZjFexQp@jSd*HqKWzF)g z)|h#W>-xh9UjIm(ePbu3@sii0i^Ss>Q&1bi#dLMVG&T$Mw-c;~G7ZoLdtFlVlh&m_1CQAaHjri%RH4Yc&24}fBCc=<3{AXt! z{duQ;ChrxkhhCVitoqpfo9CQgF?b90S*dZ|lS|CO(R6QnQG+*()V-Q{ z<5|_a>|q~l9=TY+A#d||N!q9NHQw0^8^yG+nE0l?U$OJ)DOBnEkSUcaLvJiC5)_e3 z0%U2mAKS0!+-|j1w*FQYwO6NM6=09ocgOZsN2h?ea-~dWtv)|nd1up5Uje02F4HFT z7>(WbGC~mdljj(2d@FF=s&=pI9n2f_JCa@gf)x?tTyk+WuynIF=C19^Zkt`N(G~%Gb*9a zXI1Sar@#NcB*k0X9lGM%Vt*fl!c`<=hFtHyQ)~|5%!4$eBzAqfZ_xs{o?BY9(dYdi z84CD)hj}xNM#9ei(DD_9%yL;u1;ssT1fuX&3aQ1k6zAAPiVETWge!$a%%woLBBM{*_ewGw|;>&tq3SzNlMiI`;A z%}kxDKXU`G<2|PP zo>e+&Caf!Gdw1NV-fNe0?6E^y41FP&_^BXH)wG{vD~N$5^89(HmaSX;`1`p1qoIYk zEqLen@dJ51?mo$+FhS76syAS+A3B#WR8ydmq!5sp|iYdPjw(+glriK z+)@m3_<+J)k$fq-2oZd-{G8VO0&&h_T-o4{&BKka!)n=@@%pR96l~yNm_OZ&3FKZ+ z?Ly!fj?(agzGBl`Ecd*M#VMan{nF>N#RNciaUvkk^JSMurTD*hvxseYMgEy~y_eM5a_4TqYwlH#i`!BxU?+sz=?mk9|g&Bg0{#G=wR-Vi2Y|iY1 zlkz>!xkOSf!!VP+Ew91FOy6PVa>-)~5bnaK@3pW$666*M_XkoYAL`NyX0 zm>}^ZRs3h5F*ubuh#2^v1PS2DL$Y|lM&w9-IK(P}caG!-;PoGV=O|X;5V6ES50Vmo zd~^s``c-~7_~&P{1O7*T0GJ(m5Vi?H-h$K{B33p43}F6Kx((a!WPropdp5Qm$q!(s z#tO1Nj=UN`EP&+H|KGiuvn2l<9^|orV{Je_{pSeuRJNVy)f~)L1%y#BGyE?h9tSh^jEn>RGlbs+$-Mz(tPalJLB7pFkPIWkpC;T%0>lBI?2L?q z5O2Z3=#g>E;AEQ(C^wL^#XlQ&l0SHsaH6B01I{TxvH&O%@B_h81@&1$D#^bu2k@hg zyMqTenX~D*!=-v~H~A_5jFAbV9R3eW_29O5Hl{IxU=HB;9+}2;U=n~EpT@KkS1NF@ z{u7LK;2{2B@e%#mi~b!@0v<6xZuCEzf@}y#asmh$JMLTl9AtI;qL9;i#)J5z-&=x9 z9E%b7?V`*e6burRb3)T&F#^9eg=D7zq4R{6KPzu1*$bhDoJ0o(2|xeZy&x(KRQEaw z4}AE%KAJWE&5H)o(~pA&B9QO!v*Uc0X%PoWzekoFdC_bjQRI|f^pcXK*$6x8i&=#^ zeL78_iS&(uOv&y{W$P(S?sV^z7HiUc8mDUT{O~XU6-8+ zpXb8u2@?Dl9F7hS)|RieG1Knf!&QAllFQNX_*Q^XqZXFxowU4qQ0dd-dZ8pky8TmX zU((z!lTC&!T|Mb-(UpYuI*WGCb!%1XV@&5dITPaF`%TtABdnmeiimv8iz)<@`l={q zB}DB3!Jdl{6lRD>I_2D~h{olNz_h#~_V|Wx)$pWP3v+K=%KR$&%oA@As96yD{1HqCSwPw?O_Onr@r&o`MApc}5PXo=RPyWB0~!)-#7q{Ue>0%vM6< z16!nyPvLLg-HOf{x)Hb2Y!f#184m6dCElt(3Lww0N6_ujH`r zPAfU?yyAbl|1oGidX4>x^rc!fnh{B9>Oj#dugk^@oE#A*qB-FMw$sZumrNBU3g%kl zP-zezB0M4+_j9g?c7nYNODC0YeSyEKg9- zViRQ;E$|VfWgVD)V`rCF&BKC-kejsVi&mDK?I#SfB}%7E65ySpCD0pT%yu;_#>v9y zr8GOp=kh}{BXCDYeTyy!IJAq)w(>_;?>4nZ>Tp>^6mw^Xsj91fvJ>MX1uN^=>GZT* z!xqu6PNYSCi)gQmzT#oQlBjTyfd~z3Ev5+7yq@y4TgC9#bO`jw2(pxEq zs-|mKwS11~%M9^gw)4!mZd%g!CYW}QAfHQQds!)6f-Ecb1wYXhdi%k|gtJI8dh z;J<9++Hy43Czn#hbu2Evh`S4aOCbC0ZPQC`55{5%?yGjmu_-Qf+^IzLFpIParvvPk zF}mqm&QzR5LuTu7M~wjLuPCN&flHR#uM1Grx%bYmEz#n_Fs182SuMWY zpxjr}vz0VmO4c@2DJTn3+316&Nom5^2{d`v#n4AW{IF%QOv|o6Fq}wZxu*DX$6bwF zoA3mKxe0P5#FG2+UtP9d3u=3zVEt5#fZoS5}B z?n2T)hQ(Crr3*NQEc4uGcVfLf`(It*Y{@s7egF7U?~a^%f^Z72DRPxf>BvQW%;rzT zV^=+2p_`$9GVFc`K&RNR25MbjX%% z`H@x~aJ6+Yo^2vkai^KSDcrD_DZ_7 z_xuW`^X0c4S_(R>=UHp6B$T|;v}s!id!_L-j{9=0sO*Ectn|64s5)}85UQX5_JTJto@RF`zqtm7!SR0EoQe397$&|JkF(?c_rZy6S*ZlI z)|q>w&KJUwduh3<8G)HdP;Q#2yB=Qo04UrPz4N(W(D_bBHX z$5eLQ-g4yOz4VC7#Kv6GY@k@8FWTlx4c4q?)*Y;ZH)dwbQtYHT1?|bD+V>iFrXsFu zV0`g-??5!)#O}#7eV)C@KP{8oAU=Iy7;l}L?0(wP>~x({NHv3tS8TBk-~LOlSVu%+ zat*Z&9DyK$I;_TgU8M4mA#ZVhxj`%&LJv)IE!$O@dR^FRDtu~o>9LR$^5$51Jll@3 z4FF=QLu~Hi5B*Bw!p@zUAITF$Fwzq&W$53SM6~XTX-*W%Huur=yC~`FR#H(W8$N0V zv=!YXoa_~yq$d{})|g7Po#ekUl7y;VEOp~m2yBj5cHYYeJB90e1A(iuOT_(N0(_~=L#0NK`u zAN`OAe)aFqo-zp`46_}S_5dl$;0)Hr{h5QI`HX1 z$3egg%)nNFA7=eyh%@~Op5V_1ZGShakg`sUU?3pXu^`5=07wc5B0iOE?Ci%)J44hY z6Np=Z1TP;g1|}dRK`@xC;OG(*HU4)G`Xt+a$r%5;ZaZ?IK?VXu6*Z{RZJ`f|xU)ApuhXbDxPG0&xDrke*QQ4A}Ow@bGuj4Pp!%$lYfI zRj7a`4zj>NmI9%EW^jSu1sA5{qSWs# z0Vf;;@*Qglrq$2-&}mc?$Rp=~2LkXPze*@zcffD}sD*s;lb&))m;_J`|1*mYRTD-? z=Eo^jlTIaZs}Xke+8u>CN|Rgg<7AuBYj-jkTXmVrvu485Wtm}{^53RMr!RKCoG^uQ zzET`zZ)kW2h8SvZ8D$Jp)miav6P+HfYT^rLnlB{8{xgmiWy(U%Xsxj=Lez!jfuZfs zsWPK8YgxYr^y>8I4{!y<6m9H~boH2 z#hX&Y(Fj=WpUr#FWguJ~?STk;_QY4S;EzA_gXwyU9 zD^k;Tx!z3EQcQo`+CZ5?Vp*&*_OZ?_eQJ7HN;ky8`6l!0Hx%s~uPbt>J54(VLXApT zbP}>|J+Ce_4PTEb>c4OESX>|nPM5k2`3+x2UAXO%7fT9!Z@%)d{PN`MQq##Tk?5UL zgJp#$uX4xXM92{|h!S}-ONA>YCJ2dfHeu}KxG7|3smiHKoRhK62^fXLlW3LQXA(xw zsPU7pE!};HA0MoPbqA~4vYH|4Te^#0v4EwwosFnWN;7U^8OaJM*K{?Jj!rGP z+GFxwRd_$@CGvo0Omhz7q-$R>@YF=2Rxjm?wC8QFKai}bi$B%p$ zbYC$IDzI$UfrP`-z@LTB*F&5N(KOPNeDQ7WK1FE(of80!P@bH-KNyxzR?fKo*0cqB?BM^-&IDxAQC> zxgUCqiAf(fPvxVQJpC|m&q4qLL0XiA-0i*_rlv+JUr<6%D(vny@ zKdhFGjIS7Mkhk+nw^d($@gbyw(wF)oyk%N-2`q%8vbt?37G$k`E+bg!WAOJ~w2^h3^_ZfrBZEp=euby; zx_e6+7gIFVzClF(oN3D4{h~yFdVko<{P4)4jiwK8#*Z+QHfW`i@U+fM)USP*Qj%GY z#naqJ8z8y!(VQ;MIL^10Tr3Eu#EUOF(`K?Ay@EU!cUyqk(QEfM<+>26&>ALpL-|L1 zbKww))`n#cr#I&3RHW*bWY32}`8QBxxF}^kkC@^M4Ct9|uGt-}zZpxdPur3h^fjnp z?6cjLP2#|Wu+s&?xRP`Z4N>M78pvLROn%U#p?ZYkKyyzwG!VqB4o>S0!=Dn=N&SZ0><2Nmxiv8!n@zSK;T zOi01k%~G_ut$eT0D7ms(?OM!?f9M<-Fqgxq(PE_?n0y%7$W&Gt$qQHJsEa)-ZLsuC z?)}ase9>u91Y(bel0i4pCYSuhUCHXQ4DOy|Z;`frhCh6-zrSqLW}K&{Y~{V$#T(V_ zd4f#n!=CS2vu}EivIKHSPtF=utZ>zhmEU11Y3)g^@JT@bxK<=H*Ob?|JOU#}NK5cZ zX-8Mw_Cd(V`qV};X*@5?fWxWWXpkZNYf+~Lz&LuS^MbzpbR zPSHYUZ1X1|F;egeU_#H4F1^oaHxT%_pdIZoCq?q41-y4X?JIB6>T%;<){8i(pK+Xc zpw54k33z*cbC%YMo6x<<>fC+8^OH|L*Hfj&cIhYCMceFDeY+&}Wh7MU@qKkQ&V`g% zgLi;A%5}=6WowO zNdo>M+G-?nhH4}!X~JIH9@|Cp$#wQZb0Qs&j;|e)vp3o=m6<#mRQQM=qgl9$RK*%M zK~MYrnN#d@wt7c3b!E?-UUYnD6>9Rm*bDRg(%NP%bOU|5nYR| z?s1!Zhc~ulF;Pt+bYU6^+r#WD{VW=DHE~e|tE+Y+0KSTv)?C#9Kg0Ce3^H4{GM@y^ z5qAu1jgKAA06xe=B`7p)sq5^P+Hg8T@+7av?B*zDHsE5tw+Pu{Ct9gMB=#THNu zzbvbI!R_U^cQE`X!47AES1NaE6Ye{=;k|qR{JH&#iM;u&$#--&=I0FO6!Lpt=*c>J z?br{NzJ0pDQJ{;3L~`r1eO?@eP|rB}^3K4=q}3;rIabu0nbVhEySXG>!h7mDTt+>T zP{rw7iCYeHg?6wJcQ^C)1CKep$t#6zN*gM8*q9EgQ3FM{FUid650G+(Fuz~?s5Wn1 z6m9OW(^Z1Pnkx5&d&9x(+)nMjh*mP{bB(QZvS(p#(sZ#5cStfHPGhI4XgC+_+u!;W zUA6X9uF=ne0Ff57*)>sq8v2R0dEf-Q16b(dL>%gCM?|NBjfH!-u9 zUC*2Dpj_R+i_MXYlbo9D_hsXO6Wd=qFI}=%&eqFAB(m%f{rRl=?@WVml$jveHK1e; zr1~x-6bDkh>{Pa$Jg7gruYYG86VNajAn7%S#vR};AQSI29S6vfzoV7G>iyYY{X63h z7b?&tfSB{om;y@bAF?n`8qi-5kbh^^(SRP>bu^xTw(G>f1ffL#ac~c$fggPFQ-qFy z#rSVcfsD=o(nEkwcU&6y*{eQ&(SHja0l7r~eo+XG7)*m>7X|PAJa13BDiaWjnE;OTEK&?8V>CY4Lq^klYj+PY+!?C9Hzfe3+BZK@mvE!ElHNOZX zr;|Y#et~)%1&^=;F7;_;5XCXO1XfJ9%?I_Q&qP{zz0XcQ`ff{NRx4mHALnki?Du)yh{pBopprh?-Q3Pvr$lYMK}DJu6R(lD zlTa6v2fe8h=d$103ZTCC3we3RjqpW6$oDH~>WEH_5twrqL^S6+-=!rK4Jy}duMh}R z%Z>|{87;vI)W_PtOXIygh+wUs4|CC8{H@dz)a4i$(vI{fD~##xD$OjO*)a+B*WV={ zyTV3uY|JVueR?TgfIfDlr-C1WT7o~XuF-(#_FcUR0$Rj@1@skBx4LG6v2} zJf4fYO8B|LT8xt4ds#a4x{$%;9s@<|yN%bbAm0u{^LM3(yYSG0cd+9knfu&j`J32^ zIc@}Ri7!gK=H1|BU0h@9w=X$OKtW_H0UTKJ^bswGFk5(i^Gn zUv6>ltdCR)iw}Oy5oht{Tp=t!iGBqf8#G;Q=sLBk=R=wlr?hp-&@{zV6nz|VAu^}j zkehlA@CK3D*h9WlKJ=gr3=eh`1-JF9kSFF+JhU8-h#hW(;-C@vqh0PucX=v&30KQ( z%`n>s*YKR6Ko!|GP4e1EgVz#`ebZ?A(ixd0vDgQPFWL} z5v|Mh&RkKoE@xR_ts1$|ZH_36Nktln9K=X;T~2cYyJ(}BYJ)s1J{FY*O-~W7iDe1Z z(TbeYTY%(-gGpVIraUbcr_Li!vj|n_kArIaDzzz6qWvioc>y$UZt`D;m2KXB!hQa} z_EU5jZ}!3QCGM>|J}G3~sD*`bRBg&ejSOqV^XN}m)*`g>A3@Q>8k8C*K2*-a$;Zna z<&7CZkb?<(biEYSQN21u7jK5GTRQqO8DTfQ^i^DQI58-yvP2L3rpvyouot1`Db;Zv z6Mx*lIoGuPHZLGpV`>dm^txl@e)i_bhu#6VUwPQgpG7qluOorRa?=`Hk-He#?zS0SWYH&nOZ+* z?|@E0ZQsPIj{LP-ll0oTuQXtjJ3O0iv<^s?WXO@|4%>o4 zwLP&E+1Rp$oALGsqb0U3Z!jo(a7~F{;{vt_Og!Tf~V*3 z_lkMldd@iJ0uKY^(uEFr>6aFiH_%M1;_etSRTdV^*LU2c_*^JxWIVOpu^kzaP3^&G zCplO9QgAhp{u}?dSPev+>w}&iI<_O8RhLL!zRQ8L>%Ll1Jxbn6#8X~-&*WKh&_JS< zH^Vsw$sQHEOX~Z)4_lY4VI{Sq1#^|=v_ups(=l=R+OA$+(jsdhTWxrN&Coteq`NNd z*FMWXgCNsbw3_B$S(jXtIx0MI_q?|_)c6<+f@CpHT~%(P5lUE2F^)8*C~b8&w-8?G z3#}SHc_wREuh=4gLb{?gsy^-9 z@r0m~T%#@_g(KXn7H6#l^{JzF_wFz|6V!G)m!iCM+rVTn02Jc5LPTSYxZ#wNhsug}RC~%?KL+c#BeI6z6foPndm>fr;;DB?7N%HVc01i}z z!{-Mn{Bv47Jg5{@_g_3rE)~mMem*em+vb11m!*gNty3Hd&d!DNTX|6@IN5*^_S2^5 z$L{iXC;P`E{8uNN;Rl)Pk4`oyQh5+Sf=KsI%^9#II*b{GUN)!%!2roWKP(^30{()KnSb}lj@MlPKkj%J z|F51bBM5G02R1?C5Fo_`8G&cZbO4Sxg>5Ho;(zq~+4S21co0$?<6^*QRf!%>ACva^8rZx#j+4?zEiaETL2tpekI_6h#ZxPRg$K*9#- zupMn>R^0U+rg`i=cqwig)XGwU}mxjJ5C}&U)%mo$tyV+% zFqMXv+@Sg`8Ul0$_U76c3RDOyTFCfg7j9msuU8|aeHcY`m>=9m2u4pLNqVMV8&Ei9 zH!IYbTPfYi(PS}})TRIEb&*|l@%65CcqM7jNfF-W^-ljRo9uF6Kh{&LQZJh1!>fzEa>9JlWfUCymbN*6TIGvxsYO z!*yZbnZ+e2^j_~)f)|dxW=pd^BCtSrt7cq5Jges88ae@ch+B#Hl1j1))#j(045fFX zi62X&>djOaj1;y#Z?i=fvI@G_=G#i6BW?4wPvSZW_18pK z1Jg#$cbNUfgVWQEk&j4tP)AvIbe@~_H8xUvfPx%)RscU}W4r9{py-3M($6=`M9z+* zsz}9#=p}2YQ{eQrtHzbKt;e>S!BL3mHNQAkCp>=~s%@L&MJq-uJI6b(?Q04Xmb`|! z1h12O=sa-H+xz-ysaVbjMvME~>GR$YXr4o%eg%n$xX~F?gn|C&f z1GBOhl*+cm)nBc-3DvQa$ZqM0-D01s41v>+atWxZ-d3Wfoee}$*jL)!d$mjaPL~s} zQGMD57D@%{CDnyi+nm)Wg0FdSg*>v5kzwLK)W+ECA>q{5F50Dazc$&BPK$OJ%obyT z+OU<<qT@cP`LS-s@ zSQcpVjWtRtYM(JdHiiM=qDG0c#E^WLw{Ym%w8w2SN+ zEk4^7Y`6|BVMcgTXyOKVv50f1%XzBf`hw35-)nIO>us#yDbxhhs$*hTZSC?KK7o>r*y&l4*5Bj{B5EhGW#xU&Vqo<>99B_;{}I z=g?z)9(b05DvK=9WpR9ex(tMZB zaSc-%2d{2g;eli(?T6IlZGxx(iQT(XiFiHqP-4Vw+Exl4pwY9PVmvs#Om&fk_)nP!MnClfP+hQ42tdM zZg;+DJhaG+1;+^vjm>T+oTzK09E4ofI2%k}Az_h0>Z5`7rOoKbtsR2vP+Xbr%Tggv z5Thb`gI~o6bhh4ki$80#h*jacJy<^Fc!iRU1?1eD(bqT@TYk})9-rqlw#_c1l7b)yM6#F?gfYYsPr+8uPU6T2vv=4(0|J2d-(mX6p8<%$bHdBzpM}Qks>7IEhUuUSZri`VOEdXp~;f@-37E@U|LM- zH{_I!Z=ht{nr5^S^V5dH-XjhlkCya82qSs(K%!Vbo+SFy7@e2sMw1BEz8jh11w{%2 ztUiXI>6i?~+f|CVn+vvnL1EAhu3P4olQs)%n`%f8nv&YT!jm8%`M+JSP}}yEdhtb^ z{>ANF+xWS8Qa$=M6k7Cw*8;Z;+T+>Wq$-vBy?w985Kg>Io(yEJ;TQ45^CH_QFnLDP zR`V=)Bl|mSBmDW*dyZy0PM8!V=tOpY;RwNI)-FSK^3$V)LFIRhoYayHLyQO|C|_Y) z4I{2#$*Kn$^`a^*dKqzdDpmFu1?#2rDtTeGKPw9*3!Er?(d269>mUCKUi8%`b>sv_ zyP#;xsbr*)0RtXeP?S@?i;ClK5^i;eXaz zMzP}X9TqBCwf~@x7Wc)DMNzYBEag`7TgK+dS|x+T<`d9|qWJ3YyW2~Iiq zLFqX!7nW35D{jme=qvW5U)Hz^%}bKaK9!b8vT8pmN!|GM`2s)xMX5mw8}m(OzWZsL zCWR)Zc3lMfl0DPyg*6K(vk%}Z>ug}j>3meEZ>fjZu6!$0HXq#Q-p+OUT$OY_oV1V! z0nwI-p6vS!>x9ks8)|&!;$j-S6=PAk3q_6+9xluh;T zURXf8P;rtd@JrU}e-Q-^b~wL@0tcL`KcBpxC<*{C_J_mI_`|&iU;5{rBbnd`dI>y> zqc21Dwh#pY#B%?5aRj|&ID%d>96~QaiOVD1;Sjv_tAcP~z!`ZaAO@cqKtWjnW{(3{ z#tcr_I6%$>8$F1cX8J?vMwa7_$w8N#jcLG<00eoECIIqPKnMd7BZOcF;s79N1oVGO z8vuFt#}J)AhUtur14e=r_x~6NDeJ-bC!QnQv2wX!TKw$6oQadp0+6N*U@VWEbO@J% zgXMql($5lud6;~}0)j3ew3Vaeqf^;-qMLq}983V?gj5wgGL9Kg0a!s!&FPFgNfrXr z_dm|n-wi6HUY88XGp<3l&e5N3J`?<&q81VG9S|)Sg^dkcxigNr(@@C*Tu2vm9V9&-jMi9@#0;DvM%L5VnAoHId zGzi4oaN^y*hx*nKL=4+C$&5#r2X!41|68}8Lr~vGrWhP zM3rUl^%iu&)`;OqS|DXpe`CF@f;340K zqSU?OvdX^SeEG4&rV7z2L!MaAAhu=bc90@Fw0B_;?(6L}^!!Q9w`v965-S<%^B{DZ}bXdUG zAZTe=@FZktj_(wdo1|Q=3Bi|+j+UeUE~9j1wY=HE-MRa5pKqPrc36|wwx3h}_|9$; z`b})D3DRKmTSJHe+|cM9s9*6AZt78Q#qvG2nLgk3uy55t0v@qq&HV9|uT_t68oZ31 zixEDX$T!{&qq>;IFl~>c>RajRw2|-2Re|qx(cv-yw+BB$EW3Ua>^zFi0zyw&4qvT( z3k89GXZQ+&Ruw%;#3c@Mgl2ntw5;SH#J2qxwZ8EpB3dKQ#$C}L%xJida8@I*E0gh~ zAw&{#VbbTe8sn^3QEi3~4mLjJDY;~AABPc-UE&~@wDk1`66&k+N4FF3mn|8pt5u3^ z36NEcB{bKD^D&xJHz7{#BCys#^y#=DTGoV@QlU&(3x-OLt*lV=zW9!gSho}( zb08%m9vVHZS7 zCP<1Fb_o8xNaPsip{kj6*|r+` zL^Nypq(liq#4Q&V5wvxKEI1m=>k9(RFP*M^c>9dSLsbFsR$f-+JxNfsQr@b6>48R} zQP}2;Qs&-Pn63?HxU7&y0+v z29eaaiO1q{U)oV%iUn~~F5$d_3ZZJwK+G9*Pf2mkt4y&sf9HYN$bY*$jPcb zCLfBZuKIk#Q0{SwQpGi_E5DE^E|)cc)Gt5><+{w|D&U;0_H}=49Xlv_qPx7$YC-

vkU?&8t=!7#4evPQ59UojRN1>wUe+Y9oMdMsw!!jugb>GEO^ETF7xa3qf z-TFd!V0;FI?1N)b85B8JywCAD#_YnQr4XxsDg1D~&l0bl%;xqj4$toRgpjr`jnX`p zTl5QaZ(l5XP>#lK)d#~M*!PD8$!Rr=QaCA&LYF6+%54gI4G+q{!;`~G(8j1ST{X14 z;#g8sHSx)e19MH)JfTtA8+*uf%^8aC%BT$2Ew+(sT2ll&?*v;EZY=LkX{_A!pe^`P zpgrveg@YiL_k``GYtmJP_X{`Np9J@Fl)&y_%fS$SJxNOWC6)ERNGS);xZk9dBZB82 zk{C{uQVz)I5K-iSbAIsRNF6!A3qsyGf^#x}O~()6g^gqtdn>;!#hd@AB zAe4c_)ACcq7h7nS-2;6NMLE;i5feBKw2xtfY9zAlBz;bZ6 zJR94N1QsAI0{!QoTO0)O0!W|#ZrVw=xL-ml{%*oCfl8zhA`a6*cR~I_c*Y-O#)t5#Q`vUnpdRc7&So({iaBurq3p;wW=PTtV2hm6IEG`j zihk@+&c--q$T14IrTt?ZL^%V>KR@lLV?0C~(I8`SZ446r@^g!-D zq3Q1lRljyFm}5Zjgz&tNH$B*oAI+K5C}RI#ab*~ONsB&G#MnqB$Xc;ucqO^@0pjd8u0;T^o}J06zYGG}n*CDzRU9M?vH8OqkAE%r)( z*RWbOV?AAhEzV(0Y2M}=`UrH2{EJzx9f>{lj5mJz`oW( zzJtW|UAA*Jm+~RQq7XrRn)OcKv|8qPQuPJ?)!M)ZJ5K%!GKSM9ENJrAn{jA{pz=`WM1u`i6UEB{LOLr1BO( zetB&X#^OF^tJ?14ThYtw+UUW~CvrK=Bf z$UhfOZC(4Nw<%H8M;ph^FVu_U8XDKrL1F2QV(o;iA+9mUenNAMh8Ch#5t1H_9O7BQ z$_A+~+I8wl2%n|YQ<@$Y&~KnmHK}I{n%AltxwwqyYC{hQ3@S%zSBx)~6K5rKQwn(L z>*L46u??4tCguBbcHfG3nU~wD_r|u68YFM;L*5U2^O@}B#1g9TxChyFl4sUCwt9oq zF)0}h?onPzV|U+njwHQPej#WZT+_>avm}(v1-?K5wX5RYjZ&;4xxNC-%y(a!f-Bz` z+vR_fFEv@>P%q%eUdp^dGx{QjR-)b7!&PDzu4uYv24r9?*3U5l@M9V0W?7gtHKM<{+1ygfKZELZa0CCSEZX?^W~Xc!vH`WZ|p~SebMM z-1{8`Q6CLSUW*!5dnkxKRS+OtW_mlNgJHpZZrh8PtF4v%<_?sRoL2D2+vgvP2+=!b z6vRp@g#*#rSft;?J4lqAo0GL$2`O2m8%0Oxp&Ek|ET2n*4(un+>7{8Tb%!4DtU*^Z za3dphTHSlg+%E?2D9O`EoLOrBYmj;`&Ige#=UE z{Cv&B&P<0pDW$XR+JynL6*E0*lYuT*>I@`tDDXqg=yu9-wALs#RyYla(Ws@_V%}d} zCmiMccq2dXb6Rmj#9mV6%Zn2Q;#tmbP!O8ZiaNGlQCPTUM_xV0tW z&ZCwEzL7r4*IcZ}hbj4~dH$n*$Ci+Bho^dPKg3&dw~TChAgAnWjmH)?U9iN=gl76| z4A-F^A!Rm9bW3Y(3~ll%c@+f%hoF#fQh!x;C1c1ns?z31GnbtnNkJ)uY!MhGJr+j{ zo+JpI!8c(itzxzR zKqB=9`#$ycD{TWcRbthiZ}MBaP2?^uzvPHydT)IWRZ#NI{uim%AcRHbbirk27EgkX z7ki5iDIv>Qrk-#*Xf{_qF)HNdl~w7i^fe~F%7A|_FIuwS=jg-k;6=${+@=&|_s*nd zCjm+|JpWlgd9`6VR@^b7M8#4kXllxRtQu)9PqxqdK5T78^>`-VzO&UZ zEGF+0G~Wm2xIn0f6Y)BgnrzF1#E=1^wQX1q4@vLU1QFJ*H3nc2#CTuLe5J2^T#kPyN=C zi49Ui?F48K<1yaP@AiTKF+lk~LD^yiH~atGX^wX=xY05L{QL=tnjp#k=jYCeO+mUP zounMqs|l{Cd=n!SL|Y5 zQ-8)6PwtUG(n&t9)Fy#* z-yjjso@Efl!(xuLP?I2~zBuu*iNc-wX>wGPgiFG_sCw9Qebq2H`n+^~N=34Jxo?8*-cumQdI@XhU5y8A#^+_t~MAUQ_j;2;TFW zN_WD)xG@w1MO(@tN6WP2hjTw%)Q*Yg-VK%K$as(6ty9a`j3s*5F#ltb_>hSQk1utZhKAA#J2sC$ zNK(NmX*O6B2<_;gLee%=){ zdL(+K53{+ZTbuIF_ry%+?PbV0=;eCW9pe?g8kb4T)+z1{ zBC*>J=m(F{sLzF{7hZ1U9>?f>;}Ap!ZMzp&#a-1?*8PB@T)XCZJy-4>KXHUYSu=r) zj{0(+n8WZ53yqBOyg2&b)yPj=XA2C_NEnU`HVwj7)vuW2)_7-J6hAy`sjJ2{816(R z5-K0}DW}a+Rhz~8iz#O*ziO(Ejz);WZE<*d7~(rL*Qu@s3X1YMHsuoTphUqSQWLBY zljW=SxPLwG?e$?vK)~Xo_7o0JvAx;Vt!rW5`Nk%_pm){MR(S`4lM9e9Sn)bVe@|HM za|^{%xpa+#;o4SVhnrOMZna|Q^SqtZYmf6WHyBh|eLDXiao-(}_4@yBMnXs-WN(H0 zzO72hCfSia3fX%LA!KEf(G*cgW+W)jA~)Q= z-(KUQ@gU#u^6)ZOiCX8woKt25inw>B2SkQ6!)Cgw_D8T0rS`T>KI)7Ju^@k6Gc<)8-<|Ct zGjKHGVrjmj;_{lNFtymjq_zA@YiroD)(WQ$(lltjF`9(CKGpr4wiPt@IQ21}NA;}Q z%@d{Q&pgp3jbNoH@DkV-n}Cg^i}*#GxL8ig^<#`oWw$Y6k~04XgX90Kx`fvWhxUfnr!HX%B8G>x$-^UbHXnW}W z!XpTj7a)&Yr|kfaA`HX?-9F(!G6?70VZNap)4eo*0UZU^2|)%22PQBG07UL8IFudt z>oxe#mMNrg10F7a#RlR6$pW+}cF}PtW7~7+2AEO-5Ki!~Jp|fIcm;NtZ>aVV6#ilV z+1v_Bi~!~f#Gim)1$qmlgiyk|o6t~Cw>?B|Aa5a%v>}6ohL{_W7Fv^y|9!wC0q6-*E|2nx)H3jN4Ff1tJ{dMe7 zHU+iapvqs{zv}wE2iZ&ibFvOi;J+#w{ZrzCLz1gHw`pIsIse3F&fV zD|@4oqH#L+p;GCRFFK!1u{jdb_$SOEQP!%O(U8n%C6yL@TzdTG=G3ui$<+4`OG9x- zeS{1?`Ln(Wk3DhA@{GO};asU3Ikxnq5aLOUPW5Hy&wcaFcO^Tzo=Do~f!vQ+%jB&B0dt z?cIvbV_PXqx433n@)p|0bh>VJFDYlKn?|~lNt&Ii=ifDqG8kQo{=7KsA9R2`^4*PZ zcds3y_u~#KVvb@US$?h)+qGCRU?b#)5ojG{FTW(kMj03~*2-G`(_i_aeg0ML*xM#A z%5L92EELQ4Q0?>Jou)V5pdH%YqLB?2}h$kuN zT>0uvO(P>Zh5DD5@_1glJgTRB6#i2u#?Yrf=>mr`_89|NyQTL5qJ#;D{i6rN#^*1& z5%=&gV=)C&oF9MsJ=iaYN|C^lH9%ylHICAAo+axT6SveoqKw1>ckIf?wlV21CaYbq zRd%0p2_A|oeB6D~#Z38f=>Bm>k1#LVee>mC-U}EdyJukIGb#2cK2$rSvCqCG=mu-& z_3TcpMczv}SA)sRqqUdEZy&`(8=t%yReTW-&&@`P=do3k#Ub4zLwvEAcd!x-5_73s z3ehGxu+Tpw2fViwT)mFB^6+byqf|k;WWeQ?NH_CUizm#46cGttOWv`uYNLTcdF=%LuUzc!@ue}!rpJ7og8Cs8rG&Kif&GIwRnk;!-6<; zU;Gz>NZ!Y7FH0gz=1$(UWRtO=HKp>Z94YaB$)59w6|Q#cNTz!hhuhbTCn~zO!`5GF z9PX)Mp|zu39SX=DOd~ok_@tFnEv#fnPZ+ec zyS!|vZD(&xuuyvFN)Fle$*MCHZzgf=^|^vNo7D^)gFE5er@kMlC#+F@k$z`NWWdXN zf7FDvS$v0J?h_51BHkqoMRmo4VZu_gter=EUUHY~$x3@W%NDQPtNj_C^OT$fw~2f< zUpVBA)0>omMoe$sD@>20N8o*RpsTpn zR19sX>Ah;kL`KnDLIbQDr^ow)Dr85fl<{+0CT_I3($x*d6zaFRJW+F3#iY7NOQ@Us z>^;ljg$alFagWj*jI$w>T2}Y?bu^A8^OTNXSG?6t&=fk|{i(E-tj!%=`QrHtv37Rq zQ^wqG@p>{oYvsyUqn)@BYD#r}9#0eqaHNH8_lJCuIczug;3i{V7~Ra9N_?#;zj^u# zfMUX{@U_g-&7t0iEcT(-Qsh}Vwy$jex!wj=goPamGs2uS)^(9T|j8=J31lPr+p`>)FvfK z$3vjlEi@OHyV_m$}){6ReCxZQt6#Z2l_=wIr zn8lm>$Ce!$aWuMYr26OwzW4)Jjo! z)@s}R(IKYsxZ?4ioV*N4+clg@*EnT|t7cSmZ%l6Gr$4ZoMzbQoWaZCo)I4}ixX|iM z=asqZ^^eF0sTW_WRM67V-Kx`DgXSmhP&@<+701= zfD1O2bUL`^v+`fc(;e6Jxyyv)*bqu5IZV50qiyfkrEwaDJ5pxWEZdO<^6`y4I5Ka< z^yC%q8iqU0*)>$K2>jRghkt-YkY+ndhIUpCwwDdZrtef+)j0(|mh9kkouP?5(qZ6+(-ep|!8uG}e#!tgrW=Uu;6$}Y7jETPyd$Z3e_UUti zNzT}Jj&!4wnkICW@Nn^doGt}A@=JxECa__j_tvNf*E)O>> zH&4vn<*H(M_}29R1IBaf!YePG9G;^#9laJP8n?696o zDwK^mh}p-tdtXC{atcFhO6i_pBTk6^1zkeNgFE`2l+A+hL zJ4Kw5S#o`^mQxI0bk;|>ywp6*AIa&{myrJirrVWoVb-FR*kHI&@g%7i#(%ji#w7bO z<6^q`ajQrZA*$yuUYM%jVhGZdDF~#$ypctkXlj4{ew~N>IT&{H$0_gA?4!MTnnP$o zK`o7*WT6ci21gW*o=#^BA&N8e)sVRw;A_yTBczL6(9qa(!a(Q-_LGybPo!y?7OByD zqAJaF^I$iz=FOJ8kJQnaW_#Sj3&7>Pgtp|B=FzLB?XOUMO-J+wb=XN6I*f}jMl5j= zgrx5nTif}LX{O*$ec#QMQ*tD;g|%#}BnwMr4>VpcA`@F~18<7j>RNXw%7_hH?5tS^ zNCK@(h7+e5&wLU(-2AW#<0EmzrR7V)Sf7k5-?YL?`oLrO>}S4b3L*=~sN<)sVk1w# zJIi}z!rN3df;3#J$R}O3C+Q2lNK|@^LG0LgjnaWr8X39oXU#H}ynMA^9I#ij?P@vo z{K_bLh-#+jW#dZQ8_)EPJCG%Gy`i_09I+3VJv$ncRR5B@-i4Zb!6ftGsFVY%@)5t| zVqB57vRCzU&>D1AA|GFeWmP{qam$5w^*BvH(Ab-wDvH78v91lzXnUU4INmr^=06pN zp-->jnD`}i>>8yWw`=?z^Ut2f5hNkXjZda}&1iO95-uI`C{o%HonU`D<=a^? zl9PA7)X2**9&D!zWBjDp^Zb5UD*AVN)lcM(Y&7yG7y={&hwiYvxUz=#BDue2IQtXK zmGIN^3gTD$Uc7u-IdQ#5Y5chgj`jJ&bl#f#7n3x9_7^@{Ex3JGtIKS8BIM5TuLHOE z7fVH66H~czW=pdWox>b0%EdA+JyYVT{m$?NW8mnk7yF0Nu=Li@RLSlHqsm{lsOA14 ze_7wUe|y&5@Q&Cye}MtY*!uhL-&I9mK!v&SK#R1tfFZ3dz{3^tpEfN;VVfu@@Q2)F zzr)rw($FLBx*qwrBAy%nbL5HlXVaMc9YO^ELM?->m^&9~o_ z_R#A9_?7YkOq>s(-az@x12P*pV3qR$8$G@qABVOxwKoP}PkRkAkrV(=xyW9Fu4BO0 zb;n-YW>L2>C-x>bkQT2~Qz1tPL16m|16*1GKpRGY2UJkgbBEx7ZNs()=5_b9y$KF_ z>;^s$>vk1Ta0mh5n*!t}y9!PK)u8@*<=T^_09hjPfJYXHa}1Iiz=sAjN5l@9APk10 z+kU-A|5<2|0SN+-K4IV$2gsPgn1ahYpohS~D->XK{+BWR^{W17!66`>{$HUX_#wAp zsP4%wLPI&Czh(k|7TMwbsuENmVsvnOAYV{=t_ZtK0$bI)ZNXFIwRW``#ac0Lw4urcX&cUh zkc8Y&*n5hqhxf&+2QSed4h)usOObVITe zV&MkaJz<5x3!m>K-?@U9UAD*^?$qqbPx~?}ha-uA^-Jo+>oA#Cnhez-=OdqO;ybPv zbk#4Xkd5IP9T81U5NPqCd%fE3IH1L4U)Z*Ao%RhewU*q^(Ii<{T{o<6ua9MarHHuX znqxRUMB+vqyf&!+38%LBxY2PTW>PJ(zN)@{p-J=C0bcvb6$cYKy`3pmY^-M7V_UHp zCeNGAUvR8Q9b{gEB|WOKzhja*-=tI7eZ5KN=-eDekf+^p`^iSW9QVlE*oC+7f(qEJ zE~Z|hSY`ClP4T^0B7~bx6GHK1ETn|aQ13`qT1F0MgYZGL(i0O`ImbC}h{#YhIdvW| zyH%Ok9z(=QeDKPP&+yM3GR{vIsIZmzR31NUSGm*PTS0+`%c0gKj+UwYfkfo+Pz%?{ zt1}9hrwyb8`v&`Q5GthJH)E8{ILu7>%7(Fcm`yt(zDSv9zwY>PLR8_H&5)ZYz2ZPI z{3TwFb!P`*{Sf&g*U%?h1@cR*?Kkfl1cV*;5IwcZ`KtEKWM+Q8cXCF=y#TBSX^KpR z-YLpOzKnEN&i}w|8)eKQQ8<6ofL4BLUZ(rW{_)XsvfY6=B*YboLmy1T2m;0@R=Uwz zGzv$1G7YaE45#%;S-Q(Mto^f0^`hN#Jv$;B&FUALv9kjNFNCj~-WOaV$w~@OxT30W zAnWMqD~-KKSoWrZ9$O5ZF{r!uwSV#L;~3sixJ7W;#PS!}Uv&}-${0wSE_d5~dOp&3 z^Hub)|Cw1j8zMU&731{M6L>LlK+#TPxbL0=!{Xg>F=MpIy0s(ng~hSo>yCeO&FDR1 zrzsX2(uIEDkWfxxf@}D@`ee$aHPXDHF1^Es6Pd2)tadB)^CChiI=CI$OI#{k7`231 zWak*_9NUAKk6?*t^M1fu`+=`Gs_*A}&+C+Am9)B**jqu|$PD?9SB^R0UOy6YS!q8T z$=lFXS{iJRVY5kp=9R2dn4)yj-Yo4WYq3abKb#~?RX?qkaalgY;VWC79QCD%lTp^o zh;h|N<%DX>B!gbLzBKJhhfa%_7V*fnW*UgO3e^o=ykn$oT1f4rrzj>xL4Dx@#;1>t zZ+UbIYuqILy)Z=*T6B}0J$ven!oGUu$+J0g6^FEE?zd@sNvR;2uB3K1NKDI>%zBD- zAy;SeTD@6CU)9snwilE*;R}@?=5CY_M2=SDa>L;zvUdCxpDfkx)n87ur?QZ_#yEVg z=H|IGJtqn=TF5$A&l@^DzG}t3O0F_=HCm+7=EtMCTCs%LWRa)?v9nr)k1I_4c}ds; zqCm>qaWO1?%F7QO^Q$4pZILHew45nf+8eALN9fx-VRAj+UTPT^+Smm5o_0=5?NpL1 zMSL`o!es1X`L5F;R0PL#)SWk+e%C)UHv0Zk!Pu<-Vq~Nz^ZWOai!37#YihntzMUO4 zKk2%>uyX%MgP8y0XX$y8diU+D!dJ|b@8_pkmv^}j4_^>EyEKQX^~#Dvpi-?jKSqD~ zUN#L_qHjFWj*1rE|1c!(Tpz~jJmbS0D-hRCR2?T4kxHCk+~Vc}Z}`@} z{4huItQ&(Xhe3E`5yDo}b@k~!4;Eyfyy`iBLLw_nqh8O4LG zm?ZR%Ibx?`u~*!YdxRw!9Pgx!9|2n))S+yNb+#xBlF3`rDyrdn(r!WBLh;PHGbOz0 z#AKpYf`(O*Z_#kEuWI-+|0bni>F$@E)}yDp>J1$7x!j=OG01tqCS z+eIL^+)Ql&u)LA}BIV#Pq#PWEl!L>Na&Q<@4i0X$o2|fgW}`V$4h~z_Jwl(gE;3yI zVI#xdN^jnKhb+Jk12$)Xs5v8TOa%C<$k-qoGy%}%yNV6v!_Zzj zWC7i+AgI`Y3=Y%@0Qo2gRuBXY+c8(++fHy^pG?TR-JfLyFg{@91ny$cn~MNITi~E% zDJ0k919wvXoebOo7_%)Y`2XNG07HN~E_78zJ}v_?>`vuIP))c!bQ}2VaT&ZZgLmA& zAD4F#8p`>$hh_tivQ!YHcf24Cg@S{4^^i1|7Z7-N>^HD?ZJ%#@Xg44TN%z;wWwo*)z=gwN~* zt?_cBm}+~65p9AUfC{``Z3MY}fP)*D$n5}Mq1rz7(rIARtOVQ-z)LrP)PNHvWLC1P z*ih~t>$iZt8BwI`1`L!y0he|_V1RH^;J^wb$~($RQ0*SSqAq`STKyFow6y`S6wEd_ zpCb=^n*bfQ9gwx2tE zA}@d%1p$p{8;}IV8ap)wT?thMM$r_ydLn1mItKMy!0UyE02YX%>91Hcs;1x)4C+>I zZwcFCX0RLd>YwQH0LuE6RsRdfwLA0*6k+-0>m$)CIEZhT=oO$aD0c%2!(vv`!=#%r zC1$N>!poEQlOE+xdM8}TFv&Y#o*%#|Iydd6TKxRPkym<3EpobHOpc3*(><^37$PIjZ$$f370%983*SYz?%(oDY@^|dgcpJb6ZV_+)2`ck1kcI*G*~q zdM{M^uu@mSmj{ygCcexwzVeCge7G1itKj7B-JLb%V<*(ytkq5F9Uz=L_hK=-bt>;w zJ}&DGp&@M2Pj;jOWt6g-YIn2weMe}7f-gOO>2Kcp;iJ-Phav6UGkMQ2eTmVjfE!}H zsq{;%pV?n$UhXdnm*IZH`Rs8iBmV=M<1J^GeVp4$8x%$nM;!-F%HpdSn7PdGhTQ%LN*${fb=@#QS@Q{(J6;lEBcnG#Qw9)=rZraS#O+iBQ8O3flS z#E(wWm-A7K3}7+)x?4o>xa3&xnQ)b?mdgtipOo;=IJ@cBEe3V!s zf@G5L8oItP!RZwoN}qXGH7f0Q=8@qIxn`fjU|tTd>B;eKb|t8*mp#vZ&CS6)Xvf3R z9jk5_a>CJ|ZQyoXp4>FHF|Tu~DV86%j_6F@vkuuaR5u!B&zO^aJxBd`rSMul&Jrn= z(h*O=_EYVJ8qL0Y>3H%T&dheL8`E5@V^Lc)MUPca5Aq{HLwi}qV zBjN(5%QV^(3-4Sx-Ix&d(k7vIJh><9p3qVPUMQCRyM+BzDb`1B#})M=%Ceq5waG6* zsC}K(okOVOw}>0OdpqS>M|w71tYA%kcI`Hs$LaGF7K~$lxj1dn>E%V@7>IHoZ(@(N zW-_t#;G0;CnJa_1@jr2~N=~X6W!Cg6UCVhBZjhT&rWo_SvoYZ%tNg>I*rZDuGNdyz z*iv0lM+K8wafPMl87ak}v`s?wB8VuUl=(mDF;JN`e|NjUEAx-&Uo2GoA`XCa` z*>tM`zkv=&fZf26@^v_}&MF+KV}~Pk?9k)V<{xhWJ)jkI1%aBcTeGbHu!%Rp*QI{z zzu82N;NUTB^N%;6sI55B9@;J;85GddERa3^DNMA7o=clqI}(UNX6?HKVo(qP)<+b1 zH~Pb??Pk`F3=WyK?=m9qCZ7jvT>9)<40EGlqOF=FLVB7|}@85e3MFP69 zH|$Mh5V`?&4+MDnhk?>AiJi)D@(UtQ=BZ&tzvRJu_z7plt)fFfw?1q%dF(stNAc()g3244+aoAxv`a4&*`&VsCEpt>o5 z7Pg~35Wvc}fw&tNx;>2yJX9gT8xT~d8AJzELcrx_r#B!TVBNEA``BXK@MlwPb3DNe z1I5NbXuzul5~YDd9=0PW&$E4F+ftSpf}}QbgIxfApwP`PGhusE)PUcHCKEYIC|ms_ z-UkrQzo#Cmro3Rlcu}#xpl6>QngR|nRMBlaXtzZ@gz8h_yb%8rg&8P(U7_@E-xUt{ zbzn)N`qW>s&Hq!tZwoaM3HbdFC5?M;1I>~EsaOBfVGmz9Mf+IZ<){>Cr*64oi?RB5 z$<&qTO!{b|Atrol9=AA`jz$X8ni%WOU{8$p*uOKTz)?dd?6cP)I4Nl?yYHxpv>|sP zJ}Cj|LE?5!@?f92FU7}*wIj9Sk|k}Nvd8Ds@QSPIhRtDtEj9Fx{5q7&J@Rl(&cT|= zwuJdB=C0Sgi@AD38jXw|MB9)-7MIh@0~RCpO-s#m_YM*UB-~}VagjUT>0RkZJ^aP~ zedIjU`}jMR=e+8OLURVrk0|4~X>!x+VMwUJmU9`;VR-huSaOL3bhY}Z9M^cQ0R3FK zEdPh%r(f1SUB!{vJv`&W4m zSbScf*=QB(8=3ZuWr?(_L4pfiS&|IgX!AetQyESUemsvWaea%q%6hMoyFns8OCEIFyCoh{5Gkz zzbRNDfS=1Z`2g8ILT07RiRgMfD;s};i|W1n?T=mK&m~IpjP7f@XSc*SFGX)KONGmeU^bkJo5xiV3j}^ zJK5hHM?v4sD=@{~Nv=8n`16rZq_kMIA664v0$GpO-Q_5E?*3|3hldvw@C74@PI$?qRKnNI$%L_CQoeAm$tWzy$L<-52jz5>(&g zt!{dXM`4`@8%s~BVOL2GF%MC3GYt#~ac;!~xAQZY7hTa0NekOS^iE8{z z)skDnba+Ay=9K?2=L4f?wt+?*a}4d}0h+!| zs$*xA|Bc33(tzp3ng}~x(_2xtyV&P{F!~-y(fqM`BJKeKp`Fc<@>uAq4C~Z~#B#QW z^9KDa_zVq{3CA-uSp#D0ZFC*2ozH(X@I1MnNg&YJo`l_n^`yT4gF_3an)a87vV>HB zxTuGFpwr$f%ihvlXUshMM7cRNT-Z7Zec0}DVE?J5x7x=EUpWn(!p8l6``Z0yt2fTK zpLh=M=XyTZ64Lo-@nMMq<)R3#Xy6=mx_9o4te)tQDv$i~ptY>MJ|lZJYF%W&QffzPUNF3p`h75_amey!-t?1XfS~ZD$dI-X!OR&N%c_Y375uu*7cj8eD>@R|*VcJi{;@drf6; z8OCou9q(6G@E^72&mAv4Q{Zv_vlml&q*pFMcv%>*XUUbFDDNM;@72 zg1OC}uWhH)#R^^f$)Q_u*$Ecf!djwT#H^n8`K<7{QdHtDU@h>=(Z6x``knX&Uq9o1 z!#a_IuboO7qaeP)0lR4vTSP*WNV^Jf;&1-bx)xdqy1F6%23hSGj+BJKk&-arU%1%{ zsRV-~m0;lZf&3@rhXTU>#-}4`ccAJe@;Au;&!)U!3+TBKHuApmXV=utEEg(!%nN!F z3H9s>y+f7d!uBo!hf1ezAYvQDJ&1GzFoIo$hC0jLy9^u-kQ4w+{|$O_15^B6$A%)w zU7v1yGo*j@+vb=;x+h4IvMXc}Xa%>YMO*9u{%pP>fLSF-=)qhAx+hSr1zfE8!CK+v z2gV{h5vf2Km2DZ@`l8&MenX<302Koa!oQXRphyAL(SLwF_ppxjCT;ww+EUx3f9 zLPNO}_E6l31bmReApxIV28UuTtna3KGp5Ln+Z zSjQT2ff0Z>X8`PkD)NAm1OUbW#ex8RiF*f95Fe^;`<1owXRCB`DXiBd2XH&`Q~*%i z2?3rRLPK>btRI4VGoldK3DwJ5$LzrQjijLMDmK(>;a9lg&-x7+9AqEN2e@aO6g0@8 z7l>tdK=Dv8SmAqE#Tqg?1ztbv_Q6nWn|`jliVYR^xqf@un=##-ZctGm!1@H>C&Uj0 z^e3Px2Is{N-G&Os+e3;zGB(II7(D4BmjVwUck}T7ho!KG1bw8f6y$~k`3^xF3O~3o z?kYBvOJR%n@(-5+*wy&K96<($0O%W7v%3ur#s0Q_72cZ(_gBwtjw&4Bvfv5=f(4_z z(^(Jb58JOu+tj@q`OI$cS+JS?hIy{1Ldd45@mXM^@at`M9q;_T**^lb+myXqg9Up7 zc!%Q#vh?jJ>o#TYwx&D~4;>Yk6YM$v{yiZQHVjoABJk3;Q&WhyjXL08PeoMS!~-TK zl=`6fuD@oaD4RmJS5z)okcIr;-}V0#7T!YlMZ&_ofHt#B9%%2cb-n4ati0YUpR|Bo zaJ@=B|H=6@0=xTYO|qz>_~hlPXjsI8FF5F@@2~i1D|B1wQI(aIm0Hm0CuD|$ zI3DnYl2bYCR)ZJ#zj@@uB|wF}&CXgIs4{C(u0c*#a_@|2BuX14bS1EY-|Uwry)iGS zbct!HVe}h5iyiq|m|nS3QcrP#CCLe1Ew!4|=6(h$zHc3^7EwX(B$RI|HD%#S#Icn& zc0aAPOcV^!vORg2{FXdf1w|a^i~v_qmwU$4`Fmkbq~0HK^=XGyF04*?o;Z>I)OEC4 zgUn*Mc;5vkamMJHDAp+0cx&zfuyL{aR z>ZgyH#cs`Umhur(Vu@;{Vp7W0PqCX(4Pf<7IjGjFrHo7r@){hidTte;Q}w~=Q1vtO z!x#CvBNTlvcC~-Ktwem_)Iz>TC5DgfrJ=rzxo3XF2G|j4UWgW-dkvXnW?U{W*uJ*S z$ENtL`ll7miXC=pGQ8O5OcP{zjbz4KMU$mKU7rIUPeBwNH70>}Aq9Vd+bpIgr?vJl zM^9E(U4!YD>7eI?Tu*EBZc<=8s!O~2P4!U9(z} zt#p0OX`g)G!Qu~5Y>)YB2mEL=0@RA0o+x+u7(U0*?kKB$d&RQk#igQT&zTV8F2utk z4d0YuNq3cjeaZDhmWoxxm$tYWtYvU zs8o<;G>P;*X{+~dV&rh=oh(J~sf^t@?nBttDb97yFfgF+Xhgd%gS0emgc#rS%QH<% zqa>tuEsITOQiw4+>k2NRU(7Mnz-y3mFEDK5E-#$2!+P`}0rPx<9o;JJe9YTQyO#>N|djrO18kA4bMDXo1BSB7C?t zFj=Km4{`r^&)nGHx*Fuk{yMvL)qq;~g!%l#-js*ghG_cj2Pvx>(c_(Xk{o!F^yE(6 zlQW+miLNnyFKeW4pIW<;OJJ4Hn)syG3zLdPaUOHf2qzqOqUts}Ez^(|RT;jpuyUXN zJ{41*pT-u1UpgM>9*aVEt#WNNG^}5OU3pyLmlVov-bAW&-O4QQ1f}g2gG66bvHfd~ zLE|ixVhQF?hK{kfWM$)GJsz|bzvOoDh#J9V_TbwIOW9ZauHFb>>J6=*Y&5(VEiXvN zS0Z>HlkYN%mThMOVM6vTZNAG)ntYdyk0;ouRT)jX-)bmKb13|=bkBUe7H9F}PX^Xd z_cMWZ$3%G_kQ;D;#mD%})hJZdSEkhGqn@xj+ug{IVNn?EpXBWlSxatyBh2*TYL=P~ zsJJVV)bdcBpcSoJ?3I+NsOOO<`nR&TUurQ-1bvu$ z{-nfDIzdvG+|xg(af%{Hgz8n3m&`8si&ecNa0!J^gkutQ_?EAPVG@1MVJaG-38ay? zMRO7u!>qPFZ?#~+w{Y<2BT=r4gYJlyd)zHkOG9+T)`^u&7$YsKG;`GOvd;$@PC9e> z*(qZr@af_eziw!_k>hnLLUbwYQrw>WC$6U3G*}goIEZE<+c5@T3E_ z@%d}@H6&_%_2P=~E}THN>^1wSaVvILBOmAUDtBrL5ByA|kvH**kUmHCs9EM!VI%t_ zle=oCP$7j_iWP?FrE2PkL#|0=maa)tA2fyBaE=cv)J*Dy!dI@~2$(Gvj*u1i%HO)@ zE&5c-`j#+OnTFDMEv>ul%EUpOD?PCIBc~0|s=o#$nLa0BxuK%6Zc(gkTrIc3yX$Aw zZ}2Ws>-=BfU8Eiv$n?N*3}LwI0yhlu-E}h|;Y9!m;@>v6yx`XY0z2eNs8aJiRQo~dWyt4@ z7pTMd0ksjp*&quBrL1=o8_IlSeYp0f+YrDI4Nwk{u^|LDptN1ah9VtVuXMgQvHjI? z8)FIwY&d?9Q1C*fK6Z2=Lj~CGVddk^>4pHX3j#2?K}q=&ya05CiiN>!S7s9V;*dOM;;H3fv81Yc`C_%shh040}ftQh8#fEwz z{F?0jS#aP<I20>k4>|bI8_#;rZ44@~353kML9CGWbqBNs zjQV!Gb`M$j5Pygts2X6P()>o9Hvp)CnFl-`fe+aZ96eNk?H&@{H`f9W;O0R9(57|) zVh;kw^#8sV_K@cefl@q>d=W?{!TAf|ZNU8kAlR;AL%9~VXe|G1E<6sKW(SMnXVU ztf6`Uz@BWUGI=OD+v|t_-W&=@yq0G(He~&+U4(`Lt_5!HzaSFpV8;5542d%F(DDOs zbpZeXZo@&Ks%d|N8QYrz4Fm9ygX~~XG~I^zZ244xG(mR#;3!4WbQ|XLThk3c5)@QG z1i+B~JzzLMmiYnM6UC=)!+d`GR8Ti`eHTE{^w)O;RNce_d{BY%W?M`67N@y?LW};f zR`wR5FaVyA*VQd#Beu{?k!Xtdcam~beo>{wC!Y8f91JZ?x||k(+Ry~H?j8LYhImir$MLE!WM9LSuk)| zSiQxGN2){|;@!#@h6p~+2jUg-Yzyn)X(n^D01^HH5KEtWh-e!wFf9aLbl?yBiK|^ye^Hm) zGukCf#3_CyRhQ%@=|jsOYDH-nL+8~FxISK*3Uh0v?g5XD|$BCLAE1K)cMqR;wS2T%)5`I zHJ*O26PjUSR$^iIsaIN0c1E{6c#VFjN6;eo3srVmguZnuRz1wy;4Tk;>!V9f2QKM$ zerUUp5p!;W^E}$pm|EtYw5yjIqwwF$u!Jn!B3X3e$nHrXYGUMgK2%#W9C+aL zOa*p4bEwn%Ub=X%1csDjN{_GOL>-l)cz5x8${EEP1>En2BIXv`L^ve3IM!Y7Z0ZsaA&IBB@Q_~6L9x*-`icTx?jZ=Y4} zV+4ync77(O-oNrlX80zS)Hi#KD?(~^0apU99l{f%y*_-1gNQ!a)feNn0_MX}w!^rJ zq;dZJS;9sYRkD3{`%V4ceOlF8VPm8aQnza&uVuRVO1j}(sbB*STnI<+Tl9!oZAgH~ z;W(A?HH#PLByB}QKke&zUF9Z}RlPsl$*3akDpuf+-XoeuhN%*h_?ceS-KJuFX%bN) zh?s+i7{n?tdEN|V(Mbpdx~ABY+BGp$Nf8^IiDA5bGWDzGb-2CnImOeJ(>m^D1FG(E zo(FLVTO^*>v^7Ptk+|PFf}Y(KY+v=_aB-5?%*nSeqnTV5tWvcs>w<{uR+vOSPJFSy z#9yyM#u+|ZQ2Q$MW!SB7vM|~7_BV?x$Gpxo}% zCTLGyo1pb`4`iX4sEV?=-1C&{^4p?GUnRofpvR-{0=t%tJY0jX+$#N8_oMk3Lma*I z_qFMEcSKi`U-3_~W0oZS&OvYKPj|K*u8qcXw$}cf@RnnmJ4MZccXZ^^p%dekJSM&t z4mKfnRFZlTKa(Xfy^!i&e$!8PZR$XgTv2;VZU(z<*i#Bj|I%msU%w6M(-_EgnXAt$d>h!+`~4&4 z=V9DjS*nIN$zSDH1ozFI!an^$-1hc_^jiMH@!>Y!?=1K|uNn_osm3R3`%BJ#cYYEX zCsd26-*9LAsmG71RhE;&uIxv{``}y$IZc{uqPPfL@-Gy)HQTcY^-3pN}x*v@S%K(vHTZ7+S}islPJc;3&+l^ob2T9O?!z}C=um1GHiKwLe5P!RNQ{J zxtHU^$l8hty*&SZ?x~TIC;Q&EuHbwySU`oSLEg-N-*QkRY8&VIRzwXV5CNd;Ke^!p zJ_FR2mIr!k+xP)l(j0*-X^uc@!og)4`8Uv|3TlOvfx;6kyv%kb83p-^{D{z@=Ld-0hLf1Ylc#Vh4x;mA+`B*Y-9t zpveV=wf;)^_yA7B$M?Udd;lH;oxC@pA>k}OKo>#)^ExCBxU1MurFhXtAP|_IgPh~v(|A1R#Zi zC<4%u;016J@SFSh;7}leh&?Rvjl?J+IVVU~k?;os05t+Ti0x1yfg8Kj-t-z0&q4qT zJU&qL3W)^nCN$J50opkCCN?Axh>Q&h1nw?2R4ZZc5md1EuMa5_2n2^7#2fzi*@g-T z+&EwMrsIIT9}qXeU;^_%;A6Osg@aC8HxC3S#J>lJ0tiIxp~87{DZs!>f&f%VeiI3V zOz^mQcL)vDT3A1X_omw*;V@)&i;NB0?I5$;UB!lSG3=qn8NO+Diwq8FcDu{qP^^Y^ z-AkG1jJhTKr zAst@u*a_^N!86egS0o@*_?=%3#L;`UzrmnFmf%SlaB=y;ofM*33jo&(9`F#zw{zK$ zZN8{roBSm-2;bYdf$s)E-KL1%+7uwDKo0?Y9=BtIpeD<|eky1Rb|cVh+fYSNp=XDd z;BE%qYk5#L{q?zN`&R|TW+1T#j7}6y*Xsu(Cl{)wz%&4ukDzD@2h`uc&o-1z0Tj-M zI^bV%=6^y^f2|s_1vCX64_;2dhl8<{*n*%!4;Pz7iFb*hZegh+5mc}gc8j1+{Zch# zT#Wk*T6gNVA=$|K+>rUt&ZnbryN{kv7FBXwS=82I)e#eXo^&!vR!0mE>zOebPO(32 z=m`d@5{lK6l+@I4iVD^k6^Wdn0Mk%zoe0N?siHmulI$FJhRVy}OeyM_4(^)O$ zr>z0IXXN+uo?=%os6KHSqP$iI^W{#<(&PKqkW*VRZ+Am0IX}}_nWS2$_FG*nQHC-VRTLjb5 zpU=oGaRYCV2lSl_GYJmpk|^c1r?H#~ms!;v(9yk1_WAu6*XfFPtOl+J9^IG3;Zh7E z6Z3JBAvgZ08S564MvbQ69E|me?UwY9%(K{;4vxG-&$8cYnJ6)dx~oVLw>@B>=rbwd zD6?#YJt7$@Ps8>%IAS|;L5XqVoqh9|ir(on+D69DDzF!xQfdiGRVJhJ&G+_mjfgAt z6jbshk3oeJFJaKP(wgG)_fX_!(h8n$&G~t>GVZA<$y)3=UzY{14pEGh@Sz9BD+R*2 zdTpuA6Lbms-;X5_93*_Et~pD`0jP>x{AK~KeHc5{_Xj5@qZ7>^>Cs9l$`hwoCy;BG zlppe;4YqRZH7l0=j|m|59x%-PY}1i0_?rrf@RI5pdKR1V-8}Fl&5JVo`+Z%%ZwID)MlHGsFN#GgaNpZ(ni)YwS}2Nf)utvp)Yi0iwdk^AUhZXX zr$BB_!WExSNqV-r`Wmtsn;{|Ec&bT9vn$d4>^j*F|$rUcb zBfok$IfwUG&FIh>q)O>ottl|#utngoVMX|c|D>o|4)e;uA>eV;S`=L@{30%O zi}c#GO{9nS*g=Oo(_Lrc=(FuL<`c&5>#mfpOpMWWHH(Vm&WD95koS^B&D6ImT+KJe zs(CbQAEv2H1v*A zM~^G7Bj`8KZ$nwUGw26iouP9OkL&Len22>v?>gFs#ORRXXut|u zKQ(y(9SHdY5~Bl0=LW=w6i_1oYOwhmB^ESXJ-fg8V?HR^^J+XH^G5w zG=S9vpfpHJ2J$=L_y-bVz)=KX5jSiHJ2C{{_6%i9t@uBiaY#rFB%9m-13)eY1h|0< z!2bh|u)Z7YO}8P(6jGEy?suCt2zC`3%C)eE^7g-CLjdbcz@pj|fI`zwKwt-u6cwRp zW6#{0Tn)gP#}gD zjPF0Jg*{ZbBQZ6whX6`Aaw&kV4iK<+*g{a93wtkbhf1^xfE5PKK7K%#+*N2Om%?7k z+c%AYk-;H-0d^T23Pf!W%NK9@0zeQE7*eD!FgT2Wx!ewu4TUf8#vNskR;d7R1AtJ{ zjnEKaBY~W2{(ES@f+~A*CIC_?P?2vIRR)d}f`U7kW58hB^sco8!&B) zQPB3L|Dcxz#{;-oBF6}2vwzadf}?hara*%ZY&uc+0|J-notgq}IP@gH9lzTq@ZGrl zBfAJ7nvnl1IGlfP3fqoUZs}Ywo51@uAL@92<$CT0NZSIJZ2{7@Kx|-l`X7O`EmT@0 zkOthccMqhk`x$zSsC{pqBo&W1UNe5?kx9#xVYh{dlOyvKHzDh5<;%+5j0v8lRWa@r z3bdW}#;II-zM=1?PK~(Zn)hDnaOHL8IYyNv*b^aTTbnVP$Ml#<>)?x)>`M4Vi^nO( zdexd}89&l)o0C+EgPm1%hUBuVoB<3aGfKnDmKVvn^o_H>nI5kHU@i7+RhBF9iNaD^ z3k@zke)C}LY{Kg?=NSv(vSa4N8U5lI2h57dwLD(8;kWf)A{T7Q`4Xsopl^w7!pyZmMrC-V!gVgdAk1-?`zysB5td^FANTOMmMm$7l==0Uk=Xxc<^;B z<)Q209>of`J!a;+yUtv?$DTNL@Z5*4o|cHi#4FuYu|_qf@fi`PH99236WJv>{Mi<4 zvwRO^Wme_A?G?BFK3eZU*=JxTrj5JLOyEfbqg)xGl)7?zGli9m?LilvJLx}Jwf)b0 zC-^F99L!rDAWGyDeDpp4f zaZYMGx-3LKL!_b}g4S|t?A@vFU8k|E>+TbCbH~uhTVLyHkzWy?5Wqe2w&NB411<$& z{0Z4bzs9&sW#PXayf>8DWOp}4FGnJnVgEC$N8^ojbXfKK zjWm8bN>R9Lu^qZTA;5Fha-P_aYTQ!HqxhCEqf{$mRZPe#;VcQa3pUc+r&`Kp!v0+qBY6Hz@Gtw_#^ily#=&{ zSw7+l!$i`k^YtRBGlh0}fx?TG?8TDanXmy_A)v-`7NUAmB}aH@1%p63eJ zivu!7`lsCz>_v+_;8h$A(0G-jU~9F$mfK1K>_d8H$+jEP5huB|}g^C^WVvF|zM zRwy5-ts)34>3QGl8rm3JU4Oy~mn?5L>h6(>We_~e8Xv7uMxU#y{kq1X&J=gs9E%RTnDkGxUh7Y+U?|k#QuXTe3j9 zCM59d{_r)u@`>JMg}#7-LzP214&(CwkGL<7hkE<}j|h=1mC8=YK7+A`EZMTJ$-XCh z2-ziMs|Z;_C`;CmC52R!C0jy>Q1&G|`JEZ2n`=Hd_cp)B_x^LIF~>Ze?R{R)^LjpC z^Mi@mUahgw1`L;uAHBHL*HTr|8}a2vgjZawkCRh}JTZ1x4OI+Hhy*U3|9x(b9)Frv zoP2VQ#0|VuoCv>ZdE&bLxOB_1ZbYIvZDo*qSYGI3?G@qxRCE+qbwVoST|n_@boHAx)w0sbolzLD<1wJxl$RTw~IqbA)$YPMmC# zrhJ)S^y;JB_ZunDAeqrw7M^3xVpsgXnjcAXl9(Lv()7B+F~oc**N^MXr8)KLCu=w? z+V?(8g>T+p{Bd&ZED>GCL>az0F>!&?$PXy%X1|#w?&FYdrdi|TSvkhcAKXZ?UiMaX zTpn4D_>kz47k7W<{R`5+I%WCQ*gkf*ZsBSgJc#5-GQcHl=y<_=l>mj_w=mj@}fg%{Y^YK|1! z@*p*~Jjmj|AnOYGnXO;Alhi|_>k*RF0}&D+&wd7Pdm_$I25-Nf=l<+Cy&Z%6?2a9lW8Da71@i7alZPG9f!|drXlo{(B-EQAwkAxXb+6m~Oeg!z}8G6<#7-{1HY!zcs=`;o{GO*c;G_3>0AiHBW!K z_ygN~AQ=2jpP?}S;^F%>&_hR`@qmKY@RC>Xc?T#ekaPoT(ENra0F@7RnfPz*p6KZ_ zBtHx4;Xr@oXTi)9fc*zj3XOG~x0ff#TmdyQ|01OTmHB&UDEBoqmT~@RR=EuhNlNVz z912njjm{3pj@uqnBrC-Ot_irfely=tu~O)?b^uk41mLp&ZESG)KNq-D{O{P{={9Ix z3Q)kY!_%se%oHfB3kos)hI2Vo%aBAyZpaGQE|JG(B)XB(ow7cp5B13t8rTI`c`=4a! z4nsLqO+iQi%I~0}C4YS|qihM5FgPpiA~eC#=vQ?Ls-{r5c`hn(H8@rMW9NcX8lt2O zDhc`y8-)K$GL#pgjzSJIk_-hkfc^y;YS#mUS92bCz}rqRO;`GmP&cGlqV$xPyuaAp zIO%*7v%&dns&gBnuU8B2o5kB_{yd}%Cl&D)g^sIuS9T{l>6EcaY;N$Rg| zy7aALm3~WzUVUG#=BE*F6e*W{}HR)X;cty5@~&lg&4ShWLS#mrFi+mMo8nR*V+<=%|W{ zM|kfyGb^6gC0>c_*pyqR$Gs=HZ(LYOPr>}@S%*WlCkUmV%nKZy(Xt%={FMWfg6ZK| zo_re1msnz_PAYe$zQKQiiP_!m?3i_rDf-og3bCmdGw<;P1fmNa?y?*txx4V0Q<5}q zEZtV-vhkxsq4e*7^j~y;y6pTI!POL^f{Il8p2E z4wMoCwG1#D&gWc=YsTj*8%MKwir)@%{$Rzqc=JZiAoDUou9u^&CYkno>KygS{8yfr zViYk>$X-7br6Rwv%!qH1t9A3rVGhe1MxTlfRFVmiJnr-nN$MoO-YNg6ubVtMxmaf@ z2TCNXRpBs7hE2KR96@O06TLDeXnO;TD`i}eP@$Ml#Z}w=WmL^=E3FUO)8{%`O7!pN z^i%COSm4z=;q-3v7#UkZ0RF(ZDpz!Y8wU1a8jN)PJARo)_D4v4{WL_e?TT)l)S^_v zFXsG0P*UjccDL@JG!DsCO$s-clg*38vaweOwam0>n9_$z%y6J=LeL4qz)6z*yqsT) zia#D@^4;H+5rH+-TGLmalcV?Mk|@514St1;O<2z*lGsckBd5mX>ba=^_N2J{Y`3y# zMMY_X+!wwLPn+GWyr=S5#5-L#n>&3s^QFt&&qj=wsyMviEzS$WQQSpY+{kjIv=;Ozx+V9v9Dk z@inPhE-tD*i5IvOtSqNU z)xMU66f`u>&=2-|tB0vSl`j8$ykn~0u*=(FxPJl#<;4rx{q+4i<+ZiN?WDYTw`8LK zjq*a8wgFkwHrIrxdJCtsknU|j%eM6+5Yi!EY-g?U0!<}?#R8>8kuSCxGhU?Rl@}>_ z1+m`tXOPv8LBx!FXY2RuB)HJ%nDh(5g^mIqTfK#R(){5mZrcy;C&RVv2lw9@F2o3; z2OLrd3J!B14-3>n-SUImBQ_K#Oflb7b{f4hW5z}lfJ@i0Bsx5he-#*;W5vjJ^6E;*a4cv_$U12IxZixhklw0l* z-0m5-wMC(~=it?f;iHPwTkf%l$8O`bt!)!M;I?NRu-^w(QGapxpm;Ng!~Q+j1qJ|Z zgNj_K+;C11WIrIK?t8+9a>k)ihrhkWA+aI1xIJP+G2sx;JM@exvg440irnHrNp$$q z{SEDl!t-+L8H^rq+Y=5UY6LMBlD2^>E&)86Hafnj^dY~b|uAD%|GttFA8irnH5Qq|v^{h`?6c2v!VlM-9!Tx5dQ zKhQS3I~3o$o1&&|pu4o7JHHUL`d_RKyaw@K4>D9=$O{}d1;AP3@5yAKnDVbwEy|`K zXBX6NLDdv~tVT|JR82uqJ-BW0uBOmk;?=+ZsocPaPXKfX3cSBgXjESc;e&!NeCYV4;)63C*1lPqZneSoIL6}-oulsD ze&0ey;h=DbMYeAC`Sk65_XCYTI<|cupvB$4)@SE>dct!yf60B$5#r`GhOb0>>e0;6 zn548MQw-yVrK8q%0-i$j*RtmE6PuZn%InsIp+d}4GUyX$cGUYJ(7;F1Q@$D@j! zx_Pd%7n(<~l!+ zp%35kZxGNq35PY%Mb-A(9%&=jdG1ugX{^LM9i}sAOi3jo@%nQFgsg~!g0+|`1s9`0RxWNG{c;-|l z|DZ|YI>+Rh{L3YaTJK63rrv5K}wG2`-y<2icK`u;q=Pt0E; zgxg5Z`)>5Amg`YSZ{TcPZm&n%g)%SFv;^p!m~STG5fXY#it48{Bm=QD`h<|H7W3DL zsGK-HvlZyqb1t(4Tr?1O%%i#Ha=j`0c{WULpWf)mtayyMkstn1Y%DkYZhzK-PXzHy zGhEqJAvCTq`VfCPym}T^v560>VSLTg3@ir-jFW|?ziE!PXURRp$QylV>{E_$5VJLK z%^@#K6esl~I{fKR4U5H+%q_N)nQl36lbVAK z#3_na@oJ}!;WWvLZGIeMn*NWqmwTqE6Eo!^FV@rg5rj!u}Q%>S6Y z!ADQpS#_dwc2kFY&Zm_-OUUM!+NtOXdfg`>$<_Nd_}rZ-@0trR3q5rBRIM)cQZw>m zUbfG^n{i8lK5ox~<5f+XkLgm@-RH{aZq00i2KxrO^^de%dfCIZ5_9nO)et{ZHnYc1 z96D$R_oo&;d@NCIG8RdL%f09Wm5g}dmRAF)k_kDEUQ8GUjUk`O@0M z%Uq;(%?5KF_4Q*D8=;@S4SwHvU8EH_rgL{}<8U53W=)>BUVf)bz8Z#?h~10w%diJ* zvRAlI)UL#z*X;6sykKT?Ur+U37zggyho|;mXs;U*2lNtA<= z3^`MOueR35586{K&1HX*y`pV@YZcLcYd+j3Pe0R4?Eehowo7g+lx7b5GE(LapF1QRPfAq3#un!g<+}TB?shRMz7<&vL?(t-$fLc8)M$y z)pjOy_%`!bRr2I_E7gkMA1~8m`(b{R;jw2sWk~0IrD$+JIo1!$E}<$Nqt`H2kJrs2 zgmb5A^e*-GL)uU6OFA~m*J4AkKU{)B-mO1oCCNMRnVQd(cFHTN-fJRF9PHz@={c{s znBR^67#;0A=UR2M&^=UiCgvp5Q>Z<5fk*)Hi|7~8-|88A?>2JEQ-nN8Cc9G6$5{SE z&D8c@z#^;Djpv*{)*q~tSdG>@YX=TbY92GO`GEm*_0>Q{`T=L0zaIWuXSZFXAL3c{ zH_~rQO8TEjKVGC%l^0pZ7Zex;C;;iliH*YRg#HXZ;F&rg8vpmf2cjp?0}U=XfQt)2 zrvhJb5bOdK0Z=pT2^z}S1Dz^VBsPQ-4ZJQSxIzXT5EvS8r}&#R094YutqFskj)SL} zfXqv9NCYl9022_;01{$v&``y?h$)O7Xxq~b)UpOQ?!T5%fP#Pj<}w>qth>WO`p;GZ z6x6?f``^Gx6?hQq6+GWauW2%-n1bZlb-G917~0jtA3VS{k( z$_?AvdeAeZzyJVr&`)g0LZ5qr2Gn_fmwEE;h{gV_+mOr(Sd?Ht{z>FF%2J~*g=MX-!d+Ih+*nVB3h!7lcj@S#SvO~wcyD7Zb01z1iKZ)I(0m7OB zx%yBx1%W>V)HFiT^w+yhR84u{PjVo@L(%lt>5Hl9Ui5&~p}T;Ozt zqUqoBVR(0RFgS4l+e~=&^6sXHlNqv?{ujsbm(Y(>8UTPG9tdFgq<826|CelVZ!TNl zqUo1~|C8eYOAhhhK~8C_%U8@C!Ixe(x?(12W@2Y*b`bn(rz?(TMm7hpc2DZ)Zs)_a zJP>YY<4k3?QR*qjvc737-}W$vi!83>I?HX=dfByUS7uc{Iorf8c0ofoYON$+g>fF8aZjZ?nDk|er}Q&c2sJy^V%AJgjpF-#vTz@i%Yd?^d(j5jOO8(G88rQP zn&g>4vhOlYV3yi~~{c+Ojmv8n3#KJBEK z2nF*(0FJkaa(ZWPQsoH&0wMe{UyZ9uqunL)W}VeK&7A8$6h+0vlj*K>Ya23kt*`qn z`G*n*K0Rwfx8Lb9#ggPQ#dSJz<2OZFO%+Pf*OQh+n#8SSSc}x`Fe9!(AK~0+*(X+H zK3Q~*F3|F!HqU{O!N==#9Msr39ghexrpDM|EP?g|i2)6EpN>x7B%P~oP$gZRQhF8U z8R;kS`7`?)Ps(@r#l)$>*pZjW-ir4t%lRjd?3@{%D%WIAFUP1f;y~+3q zUGiNj&m@nK5fh#hZXdnI5&vjR?wUdG0t~WY`mEWwt;|{=HmjVY(c4ujPn{K?$|dA< z+bT9i8jdV%Dc>WnTRVy|`%x?9+XmJXXV++-+}BR7dy<#Typp3Al9B48BIDY{qrCE% zN9@6qcivuC7AP6GsLG$7W;8o;M57HmN?tnC=G$5FP;Bo@>_y7rN644b380>ty|CcX zZ!dlKapJqxQUqGS0>l>>j;O?AI6b`_8<29SG1c?^gUF?WO<8`s2_Wa+G^ps2y=YQl_!nyro0&EXsYXV zTE6J$u)9j#uB&g#8aSGxTfmI$ePgrTrJNuJyoIa<+ zYXs(GkJ+-&e@QS}ns1jSb6jGG!3gS>QT|9@AxbHUYjB0q*V?7~^u8bTef1Qpag#ECIlmdkw4m92{*jvJM{Z#oMx<#VWBD|_Oefj)Wf zYV>HNq}E*GsNKn%yaQzPUu<2bvSWv)v@!&~SEwev`Vf`xLs&jn9$A>1UM^~(;YJqr zrA0$qcRrq9r6%JIEXpU>hZ0vRi_FrarB?G^uc89cB~l@7i*&b=Td!>60&1R|W$IH< zdDKe~wMthV5NdiWr02ZAK&+OkXXsa584>OaE0%JZwnbUS)DmnzEXYR$!(hV<)eJ94 zYp93LuuQD3mzu{O(h~?VI-qy=+QONT#QhqS58~%6sZJ5U@*1t>c)>(LmE7d0WT7Tz z?^#ju!+VIQ++j@6vpIdpochWV`GFejFWFXe=hL6vY#@rTnXSQZ?jC%;Npxal-`WS7 zM@QR5S6?U3=3Stv@%N#XrVYovCxQEoQ)J${)4;n^q+d}X=<1SkP;-~k-Ne`73=K3BX*pDW&NpDS>kjASDadN?@u zfK>1CB1L=fN?Kd=#+&bsHMoW&(`w-k_m4Tq9-_dY}QPUPLsG#Kt24JZM0Iz}~R&@$ZT<5tAG}*tRDd zJP{q7W1+zC7p_j-Liii65-|F^k^OqY|HH`!a?Js2u#F7v*TV~JIQE1Lg>YbN8$fTL zL7)f~9x^ls6+{5w{}7rZHYW5yLx$!&z$c9h>~qN2d{5X=E>Xm0i5_t9*qjgW5I@0z z;G7FQNcIR0#Ue#);OGGdw;zLm>=Pt7xRQ|%Xt?(V4g%fH1tA_P=m7`c-1y;|vh69y z4UC0=h8KVZp)2G!j4imo-?dJ67z6#;It5S!fY=HOW03XVBn!XSnm3|C&YnU&PrCer<0o8Vpg*3yI_>iw5?+J+o+U9f7Ls(>UwXG$;wC&(#9GbgRUA zr|y@D90{R;DTeYU!RoRNxtmqTuw+Qch8qeKO`)G+i4`vPjtU&3Ap}~gN{S6fL3bC@ zU>fOyWIBEkB8Ec@YC&}>_Ja6LHGC#D5_;F(*ToKUalSsxqOpAKnLbBr+J!H1iOU-C zOS#{n2DR}E?Qa{6GhQF|t9|G)=&wJP*1m`%9zZYni1Cq&AM74uGLi|$RKI>tO+RsY)-00TL17I#s7=uDH5a=_gU0we zmqzL1*BICFPA3F)M~AxVWe)VSMQYQ~J#rp3FsZIh<7#R+`ms*w6-Iuj^IeFq`a7{} z&jwyr-a8rNNRj)Uh0}I|pZ&XnMF*WudB3dS2Nztmfd%V%rn1wM7gMs&-zuXH_PkcZ zFUOJaHLdc=gZ17sknS+Th#cMNDJo7uy1PMb%Pn6GC13E8tB}MA6EiT=d=a`sz4)bw zm`q^F;Hbee&-sVPob|^pxmW3MJk%+4)Df_P7PB1XcrdBJ>$<<_MR-Z}rHE?o0wPZ6 zi0kcp%I&1~me0BwY}O>nSWR#k2&5J8tc|@%6(-E^2^ph&S5i%qIYKI9GX$axT=OiL zQY%!M)5xsmauz~IqXdQA_%iW^gU&T(DaD#pye?REdPDM!^_GRkN?c99~ zSBqLXFqgWeo}GVm_F{>g=(7i}sy|AqzQ6j2qe%BVDW+5od%xhKaKbq4W4Zv1bJ^}O zR|vmyk&qDH7j~GMma~8i7*@Q(x@6qv$B>L^v@aKrmN_t}W0Mb(FcN=>CS3Uq!6lQE z=b#BO&n$=r8KbzmIQ(n`=xz;#I;%3UDp5R*G@(dhFKi}!tWbHtB%Pctt=Qh!z`J5u zm4SV31+P^LFDr3hq(YFS!vhtIAx1CH_OM8X)Y8eD8{|Stg&$RkCZ`!z)+C4%Fd5Cg zE?%3by%wi+)ugdTZ*t_&==wR z?-TmiRuoK35SM#`L}N-AL-l|vMQHL%`B~lGx|HCqn)eGAEi@NX9hF{Rjq7oWvpCjW zV3k2z&dt;1Z-2n=qvGa^#qTuxzYsy`m}g`zbo7lzQyF_4bPgJN<+J2tL=oFFHg(xo z6OV`$Pdf)!NWI>pmHA14%*)<~H_cQv)#UADN3@+Uu)C~~-6M)%XcRJw&gndJy+qg= ztLHt-efDIvlus^2iYa#Qp04|ne<*JO>M~oOD;R3A$wY6<$H+UQvDma+4fWiKI@3wM zI?+tNBFMDtA?$6aXt`$W_C#N-xJ3z*&RtzMyX^cJ)k++cD%A;(iLzDmxyHx#_a&h& zcYIA4UOo#JqI+?q;MCO9%(1n@d>+DseQ$dY3KA{Qyt6qqX)={~Vxc_}!Zvky$*L&R zzeqELQYiV!<*Il}tivx{-IP@&H02m*RYWEY${1-K)K!O~dLZZdq*kslpQcaa-)K(z zj&aIw{u;i`q4B%j$3H1o38_&vNs65CJ9>_ezxdv|l-!~ZkJ6!|dhYG>o$>3m%XCVd zIEEOJI?`W+l5q){{MZSFVNznMly8VHo`p!Qh1AcdHxs|64mW;qX(Hx}t53lke`r`l zb(eqQsn4M=JS<|271SSPXRk6^3oz$Cw3H;dD-z+I8bu^Pp{plq+o~Qj+)Q{hWj}lF zv2^a2ajUPM3@@-->QB*Ro*rsVdhyh!NHwB{YG~g9uKaoeVhYFg5RI6)6U-&!l)|Mv z*lJ6GmULqblzv||Y?B8XL@6uh8NIQB^oO-py@RSaC1dLNZ?||)jA4b9)(o-z|7-EM(%S7B}d0 zT%;S$rmaiF^dPgV?b5nnzj7ohaB2E%m~w9AlQX;evT;&Q_Q;)6=S<#QJyG>WYdk%dg8s;A z<(V}yL3z&+_aAGl=PrDFM`$h^th6xJJ4TjL!A)i58C%nINZd=c( zomoOKgfizpa&AZ)Dqf@w6)#BX-J-}qF7nn3q-u~CsT$<{sT$le;sT@@I2mkz7=C<# z(`ehp!oiE}-vd7eBYp$}mxtRgwh1~=H68KJ&P*aST0H#Z+~75tKvDbcT410~6ZrRk zh!haLwR5Qc^KCo8#tnKF1`n{{kpl1);Ri~~Jz+x`DIi7=J>cM46cEuPvGKqwz5^@j zJz_%dfy7OcB!@J8_0Fq zVMzpBlem88eU2)V2(j?c0}ToSDKN!o5FYVh`NGSTff$KrFVIlVHZ+Po;krP6I7b7w z)(6<&kq*4T<{rVJm~K04EB-8K{@HQcgUSs&_qpIb2jc}L3x2bQ0R9NJd&0r@O!SQE z_JrdGsV86>Beyqhu+4G(&Ylb9eET&9{ljhpiGIBBdA0=&7=7HP>Go?B{b$&I(r#e60yY8eumh-CcuhudGxN{X7WZzl za_iZP*0}}&a&f>-{+w(OK&XN}_@AMnm~3080rWtFZcjEOHsoyE6E;+{4Ti8qKo2M2(JhvHaIJ^b-djJ z?*=bU^Vhz(yD2y-f!izyDx-MV4#_aerl49QV6S(vSg;*}UQ{iC#RXV_D4YIWP`L9? z1+*JjDu63Q^{u}qZ=w2DZm_e%5B(?r|6Ne{_iqKoeZWBoMe-VKN4;rO-wMnp!8U_} zodnfFe={}^c#TnTCfE&lhk?NVDcQFpc@IhU!EdhiO!nzIwMoM*q*@+)s(!0q%zBkY zIrc1$C20nc?=172;CuDEp$s^!2K`0ddb+od4Dp{%)Ym7~Tbx*F+Gsn06N5phAC{CD zM)lm(h&Y8g&B(q4_t7A((@~jR;s|Yf7*W$}J4VS+XSbBMcy&Xm_Y^YKhp4r(+0G9N zvOBH~T!)S4I&0<_n$3Uh5KJ7ej~bYzUmK9L5X^n@3{jZ!ev^KLm*7cHDv&d`pH$}H zs=#gS1NDwqe&FFaUHu{WB1np5xi#m)0b%tSQGCU7&%^V%aZ3*kRhp5f9F$@qU;rs| zR)^MPGA-LZ$_B2na2@c^NoNhlMLOs4EWt*o$8ifCjH&ld zrs`N~B(QxMlBq!|_yZFSxKO#*H=UETwV-mZ(iP{QC=Ri0NN7o~&&t0iJX}p`WISP4 z5~o$H*Uqc+;>2@?rcurJS=x`eeKd5=TiH;1%Z{^pXc$-&JuQ-5+~8Ey}M&P)tL>$T6We&|^P^aAN?^BgZ$iuc|-bXQy9a z3eL@{6Z9|@c^4%{BBO{WPV%*+>b-{E(F0SBkxX%7bO(v{)scM4m4I0j`^J#JkBsXj zkX1f=Vp3Sxts}4SbVOtbGY#VaX~ppL@b%bJ^=x)oU#&&Br%Iin3&muCAKjlDK^(Wc_xta@#Yoq6=-Q29@BiqQU96q#x+}oDbdRcQ_Dm+ zY7Nztsb)56>fCBdlzI^cfj0HTtS021dW%ZgRCA*i0)k{r;R<9X%W%a$@`!e<_XU*x9ij?hW*rFUWJhd!2} zJ|dw#dqbR8zS9ib=E(;KS%z1l1W_4e`5zAqmGjhpd$~q){uA|d`RPLf>W}Ti9weqR z)@GeCZ2NR$pTv{XpS}mBeLJOC8Iux4BX?m%Ht^=-CF&eoJ7_vt#y*02t2PLIMGp(d z&~S^gkkY)8m!CKl;Rua_ccJr_c8<+c&zOhiGEP;TUq6!;Nk_UuJNi{ZzM%PS(uJl- z1|y}(c^8jvT)r4Bu3)H0TK{DG@j~{E`1SGqkzCj^)M6gaS~vCjiVL+r=pRbU>Xxp` zJ3Xem>eBP<30M=yHZ?}akIjeJ*9 z9C5A>FCnansxFfEHbwgt-zb^B6x%}&5)4j8)VV=r4qg|drN6C?hO6}99rwI|%d$I?5`TNIn{E+ z5N@l>pHf}xJ^e0ZT{Y$mMzSV*b-zv1i%HA8?~28X)HoWmU%bNWK0V$DeLVIw$0GWN za7FuqxR;qdd!36rY#+P$+tFGf%JbKr71ECAj+q&Cy)UL3toosMzd}=jg73#Mu8Tv2 z(;*n)^4b;W))OhTXsJS`Upmx&H4Hy_FpWzzcIXT)OY9l8s+`4g{EU4^dY=0F)YrdF z>69ev_Tr)zx5mzgtVEa;E5yZb>P)8Oltf?g>^n*uxE3fXZ(aK`V_Naa(2?lyw_h$< z77-pS?Xl7CI_G|RFtm3JkI!&J^11yF?N_|Z=3abN_>{5P)Ag?X3BreqMw>0{`V+mb zZuXI^);Qf5W@(epZ>@0u{LSXs=e)-RkL)xz?snpfpCq4*wfLGuK1yWM*ON*~pj39# z`HXA(52=f<`yz#x0@ui!oHMGIA1=|XUl#ow@ma`3LrcV5zfS&>qNRt;H>Z+CmzNzP zWsm*BncAnmz;K*xU8u#YTLy0N2h&N?Qo5fTB;m5{6Sc4%gANsf(g7C+R@tZ16r(!X(P2=`0Gqv zPT2=;EElc3GAEM1KdkayK$0ibHM#jam1MM<3zz4sN$!s4--E9Dj}fmbsJvNTN@=Fh zCw{*n@J;4NrEJ)6-viv`sG6l!ycgbO{fB4?j;-$ZP&4b=-oDJmdaZxVIg^ zgR?J?>Op@7RRA`qaQ_=}0aZ}7!;s_8pdnKk;0cRx-)>|o!=A9A461fme*76YxZ|t< zDB$oD9562fWz_*=xrdHJ8My4Q2l+E_2tEs>;vm6+-UBJ0fIi(DxZRn7upI^@e+KU7 zux?K|C_Etw=-a@o2EJGS9LDqW?kZyjLo7@5EQW3F1FoO~wcmcG908wbV6O5T(;;p? z-oF!VFhFOUNWMVO3vVb=jkg+25t9!wQdJFlLBlxo+<>mz!E^yj!8ypX?{RU>} zKsLRHjzhVHpi#>WFM7xaQnP-718W1GhPNkh0=&EOp}^LIwzcqcRJUgwH&FKh(@207 z%s{T+B+8=NLJ*H;^ehG_;CY~M!W3ZQ1J4_7;Ft%G@ZpyDU_bch)xf=5lnidb(AIC; z3l&J80TuO^&Kz7KfSZ~BK%gSdFKFsEfDOK{flOIYPZ6w%?aRnLVMDo45oap&fa8Wi z;ThvdY&;-=96Ypu-gXcDhI*Z%@0x=LE>D2VI=4Fx?)QdZ$M*sbL zDL7Put7T9KeK)ts3wG$gP8cYg0u?wAs_$k+cT@vM)shFC$9RCX2#Th=xY!+kDo_W2 zBOMG(N)%0ho%yJ~6{Kx|0_-T8{yH&HHU+0!0dN{b@vU&v0pworzZl?ut&;}Y>c526 zdrbG-A#dAefT0lZ(BC5i+<2kKDgM<7?O8dWW zFb)wL9&FzjUz^0n!aZGh=kR?TqWt`|PhR~RubLkFC&pNaHaGv6_rqfn^G&Xa%cF=8 zOd6->GiwpMTFZy{%-Gdx*rAMO?89g?n=Zub9Wa?by=x}v~)|bqr>$~gJ z$qOVA3%i>i%{8T~J$nzw5BJ=ab*mraAM4g9^0+bA4R4UIa?ItAO2!wBD|PAAtmY9) zv&|$nuV#l09i+|;<`!C;K3-BtQGV&TUf*p9F|*ISh#!f0(k-WxBcG*<)TW(snJ9+d zJ12Ny-W8yd(z(#^Tz-Ls;%f=vcRfj5f4$X5!7J;|*Y4a{@wCoURVjMj*dnPciTPO} z=mw^ABZR%i=*ivvrh0+Gbnd3jPGwP6$8X4b6jkZn_y)Zt@qJP@@XUDIW)KA5?j{DI zwh#Ff{tr48>hYfVr#yV|`O8j0`62`RKA(?@2o}BlmbROMK7x|052|d=y8*pG1Tj?n z*4ms^*tt%!%5j;*AT{sXt8b5oGfE^mHnU7s8q(b=PpX|cct_4~Uq-R2QD&3DMPD_X}BKZTKlO_4@*?}9I7Z{2{Bb!H%)>@vTRZu)8xqxmOphn{A8TQ z^>_1ZdC!ba7t4un4&3x2a+`O)yp)s0Qz(8Q>EQ8^edcQ%Ip?nsPiF`Ai5FQG&AIGL z^P`uxw9&>EAEETwSNn#jcU5gBx4Yad`r%#mNsQSn^DMcTH@Hf)q$<64ew0FJu|kh6 zRjW*-bzA5By5i(^$@1w}W_Al?fj#+@mxhp!X+<_|1Ptzh8D4@R>M zg?W}`9<+`+SwY%u5uH3?W7**u|2Dsr?4iU{-^(>+-h#IGx~`Y!!i)^xzHog$aC;Nq z`T0F|^O$4a6dL>sBpEiI)7fWdC;0~J>M)H(4OPOAQ+=XVzF}z+(_pF-f3U`d)h}Kq z^{^Frbp3|*jK~HF^)=sFrk4JjAKGGwe63m4jur}Ia=hWK+6;<(5^*KD?ZdG;g4_8^ zSgWm5&z>%Ox}Oov;#Ks4%xN=u?{f@b;l5ATV)aE>`!M_ZwP#QJ+h*E`<_(gRM%x|~ zLIeF?^cT5nM~|~bY~s0IuZFVKit|p$PN*8n3H!b*%I-gE_t1``@0q8kaFrwV#ZTEp zZZUq}7~d_NpM2A67!`QZ>TZdS?Um%aMH-_*SL0t>k=beJwSO|dk~SR`o)mW>jZv6( zA0$%lj#80hp5viA=M5f9Pfh2kuP&|_dkJ`JR}~r&3qnuwHSj}MGT9XOlN^3AruN1| zU~_1r&ZL1hPI_g-Wt0m>Epa7(!^-V>G?Sc?-pk`_xe&+2&l_v5TJtwYrT4#9%V8z{ z99Gx-fiy=bC28yisZ-mf2I2I0XhiW$QcW4hqHqUWw(sjiD(|ihtH)ednX?`{iY9tg zhWmx_>2L`4rA1vf(Js~ax}trzJHFYWZ0gy#uA{3t>9i^>j~w0`^-j+NT;lF{KO~GQ z8edHT)$G2V4mo;V!BqX8PS?we=8w}`E($h2b|<7CF0&SrY%BM()==tTGjzcrlcVc$ z&{7({m*W%YQH7J7^1vqNCAL)1-PrOWgGc7iExg|MomTIorKFhrZnCchkC*_@VB#Kj zI5ol06geJtQh$11Vn^}v6wNIsN$nOI6+6EmaKDSy?wB_lZ9(*=(1i~~_CI8Pl@w21rtvL78+DLE(IZt{RS(ELbbnv0Wsm=$5HzG+9~)Wy)s7alw@ zhsV?c0Kr;!?n);44Pvf0Pb08w-aRUvj-5)5T4A<~FmWfDX(yp}#-np5+sAcidGpgF zcRSydBOT16vheUlQ)NXqOxKkrf?-ohFAb}BWj8vNlxqlA06HAP%UKII$TIl_Cr z+@pr^ELh%c^JRl$E!H~2%FC}*jMPIbd_Rw8U!;aiEN0(fu0QA|X9HXwl0IbGcpg;d zdmcbYu!>s~nv`%N<>jYFY@1;G(Q(ob76+PU5-yaV55}J!BXu1#o;}o#B?756ety!j zcPLG9-x$M4>)mo5wu=~SPm4#p56n?%l9OU;*aZ|GtaRuKH49&09D%H z!WCRf`9xT1_Q~45g|J=z!TjZ-^QKlFQN5DNaT2VoLWf$uZ?N`MT22R^0bS<`(Y_yv4R(AX#^$CLe~>7e6w<)m+Ir0AV++`ydzuF6NQ zR32cIFTnR3wia~UZg6OzUQ}T(&`=V|XtXro2I~=C%K?cE?kxxb(vdx3L*ZDu zb#g(^GKE*F;Q~i1BsLyEdc*H6_AsI-Ic~&R3O&$%4(ax6gMys|3KUCF@XQkUU6KL> zWxt_s>xIi&K+Z7)?7T3zBPiVP223{yycXB*Hjv#XB!n3hdU}lqoHhjDdGg!H;EvI7 zbEUl? z{h?^O7t;4H0{5SsGC}A8jLEkkOM}4$k21tR_D1^h?a1XvlD=FZWqgmMZ^yP%W;00p z6?w_VNq5Rd$-0|Rx8jO*n~j(*d5F~O8q@l=Q&yWBgq*1i(u#LV$jg~jp!H6}u2m94 z11vA9m6#$p6{$o_=wy`X9^rD7V1!8oNF0?k3atsiKBhC{GJ8#S`D|xQp}uP6qkF?4 z(zAoFYg69vS;cFmugpkhxqT>nM98J)y_)%!yX+!KB|k5BB@hx&sCdy&n=1&LYIHY`;f>F4oEk5+A*1^hC@)E5!@vpHr zjqJW@7@%W%dBv^bB7~H)JCVo#yZxhViNuGGH}X$A>XclfU?1=(t0%HD@|Kh5emZf? zbuu?={%B=>nqh^D`t1Al*m}**waTbCy|l^?#fMi&Cd$5Pd{mdB<$IMf^6YY3<>hy} zIv?|j--%TVv!56i%=eJOmE-3-V9PoqvR`(R!=~|3sj=))?3ca}c71%=qs;~)BjZIy z3oCEUf{q<))~^!qHoiL?=GIv_c`1KTJ=o)WsM6di1sX+K=9KIHkOpj_vfLNSBA%p& zf>=nN-2a4cX=;7Nigo_;dgIMw56xrmehk%q(;CaTai+V4EIOpstp^1A(2P5knV@|$`C-35)B^s)R5_~k# zx2ZA|HK>miv*)p%um6^o$Q)i5+eKa*a^{uOab9XnI%Nu}B|>3|6ylAEwTY`1%6JEZ z<;$Ox7`->r*ndQGLEX)?2J=9jOuqezL~8l;@8`J7FpqsOXC5yvtUVw7@zXq1&7SGx z{JndxT{4YZSpsG>N76OSnbs6CVTD$6a}5W36GTG%xG)FNkYL52OI z4$!WU(PHCaT)6Jg;MUPFZIPgOn9SI9q$wSxL+1^{Sxj1+AO7n(nuJ=4ELO&xW$K z2bXq!6ui6eHI6)w3=(33b0f*RWF=Z8dgwb1v0&0ulNCaz!-LJ8Ne@ihb@2GwP)?v2w~3bQYV;2hpXEct2Nd_ki8lAO z)#^y~DZkOc8#K&vUZ;KB_AHP6_0?GzXTOkZsUxh>_W(&yn#N_bjOTAS$DjP*zaT`x zZg2`?0@vPKl??HM*LFHGGa?yDpmStfKXr}^ER1wmr-WUCk1FeqY&jE9Qv zB8aU$ReI6&*rGOul$owO2f znsw53%7bxiDQrgMbLnTV5c{keeh8mnk$Y=D&nJCn+o8~^Cvsw|)#}`v5A>8ZhqER^ zj04M@?$U&RtKAR?W8@itJiLFn(FcP(X!-309BEosBojGI+i7e2MS^)xtE*%^;51~YA{sGT(le50UryWXbz$YeRsNZ2ar zr$*_;ESWi#j0?8R8_BSzHqx9h^Sdt6| zP4d-j6B@a8ad!#(X7XZ#f;{iiHDZSez~tr}GAkE*=Tpq@_xEj&Gyh+IoL9DSS{puKVycw7R@!-{h?&3x$auBL%T8 zY&m1jO#%uN^Uvf5J~EUJ)H0N|S2VJdFWSE&vyLrW{qmk%C)||ZOvVuBG$U^QP)S>E zr^&*Ho4F6d+@`-f4~2@c5l0NIi65_R;pQJEo=6B7Gxspp6}!DGuK7jtebr}GTUOIc z=jA_PvsY4F@*KUIsFfIY*k8=SVZ5+vQ}@y^M*uhVfxx2NsZ>2xi8;Lm>(<%fd_psr zZNax&Q=m#f9 zD%HISv}@M5ox@V63C?*x6Fu0`%@#iq_A8j7;q>=~Lf!n0u}fK!z3X0* z6PuJa78HrUmR%n(nCfIQZgG z8!KIv@g}B~k|q`k_LUD|QLys>_;>bo>pZd3i-B*;KKHnj&sZIHV;aFG#ckB=r*=(dxt$iL%9?Xy9$~H6eLZ9BDXaB;C~?Ugc~OS8#}ndnD4h_{NHoB`4EmV zNL=tZcx%f>2DATAag=X|5OsG`P#i-5gzRAF{ChA91%v(9975R={7qb73;KIYfbLg% z9#vDgtbz+f_kVB7vnxYv=U)m4NpOV#*5a;~;7fnKA^X<}SHGlHasC=^1Ao200`Wb@ z-aFI*NXaeSig1sy_oR-FU5_-e*N40TdJV~O5w|B|zC4fp8KiD8dO2bGGHSs{Le%d@ z>20nxQANEu63tR@>xsC5q+@g0^EeX1Tp$X)zu^cG60%TRSv?SMa`A8|*G={h)a}vQBP)f`pXMlEvBmE{ z`5}Dex@To{qNf$?0-^1kp)+U7yEBfb@O50xG|Q&hK4jZH(Y6l?6?37Oy6$ zFE>)1rgiawiHU@H3|)S0Wx|U$F|<@OrP=2XT;Z-9pAbGV6-pY#aDfSDP+Q}8{sG- zHaY2fwjQrr9$#G{W3s~o)3sLODBEW-R|+z=-+MB8i zWJ>c#PDoYczxC$KQ_q;f@mMMuxPLj~3c^7aE**rSH)DD7Yf5IM8H0xL592|#PYAguS`yj-3z{RT>Nb0 zgK)kxC)>qctSJ=|2(D6fvj@qL+!#74c6LxgKjyT*6lK6##9M3s0g-lruO5#Xo@Prp z4m1iIEp&E!rb}J1I~V=#;Mxcj%Z#w{zI5%J2c|r6+MSe%4CBm_V~bC(9``2Ee--4k z8a<;bIh%R)IE10<-~~d<3nRK6XPJ*Ls+V+n@2z$Q6I{|#YfG&!k4h(wq-pYSJ}s&mbC1Qz^u#KG43qW*%~C|h z9Z|&td{0iz!@hxH?}i>qy>2I)w@p{{qHC&gR*Q;sP-f2ya*8x^Wiqp23X6Rw zUv}4}O24d}vYgq-p+i>7A75j@7RZEgsHsJ+gb}5H7}R;qbL&%`KKAhbke^L4joG zn~5vWvP4_{vi7;pC)17A)@-EJ6*|fj=$hWBoalzsEPb`R*q!37<8d*mZ_$Uj_Kw|$ zrI~`SS2=i_*qk$IYgP+_J=iSQ`*TM!;8V=Ch_5QpO@eRZ2IMjx^xlY%Rxr6%d)f4mtCb`YJNLc=O+=nAf@yC)Cbl4A9I>@Odwx*G$o#C3x9h>qW{Sb^r z5|tBYdX6z?=$fy~u;`3BM#YJEZq%e36w7}M$$4A87N%8z!RNi-iRtMIs?ZIEMs8Q= zhIkzPEp*#bn*O)Y4LCb*M`Q3C4S2>1()AA1A>Vq358;Rce#D3HH-W!ExRoGYY)5r` zpvonpIUn#|*?zGta^*ufZy-Lr{at(@&kg>WodF*L3G!U@XSdng$6OdVukiwfF7lWQ zPSQXd@|!yql*e53-S+$xFK%P|sY%@nHq__bUypWw)^A9AZDhy6Ll?Nc_MSQp)g|86 z974~aBJH)2;I{0w_XG`vOl50QqX!w1UjRn^a040SbOZHkLAK7n*Dr1@GxR_M;R-?) z1(pE^4~RUFvZy^_Lp9yDmOgsGaf6rx1n{7g>J~U2crF`AW!p=?p`2|ytdRa}De%DU zmbiaH`&sRE4?_yNZI^m+Ykx#fw+R3bd=P|!+gW&BJ}9WPzytJ$JRsSFi~BcuYf%1O zH^y5VHhPe4F9dFo5e9)@6vK@z!Id^VO93d#|C#wf2@UP?XCROSA^a~IW6*0Lod0KN zC>{x04>k1k8j=M>VndcjfoqL_iw*S}{Z%COXX^l2w)7{st-7Uq#I~CR+OdUH_Cn2oY5q5YWk*ve4IePJ_&Y-a;X@dJ zAbVr?H-cs$$&Cw@?;E^)!#{r`ASnPDgo0h+1wI|WY03@c?!d(u1>j##8>j$-3d#U5 z3iCF;9pZA7O+o4{V4F~U>92VA!Up}4VzGns*->EOKgjR+b|gn5*&ui}#~#_BPjT{2 zJuqUQ>D42Z(PNTa`v&X2N0m4*MwoYN3kXmVNr{uZhGyP=0_Y$P85uenxm)x?luO2{ zG`^mOuA*#V{&^ULeFR>VM2d>^Brlnds$&i5h#irLmGU(`SipbqRoj5@HBkoP_F>5w ziICdV6XB24KW7g+-b$BEJmMxaQvsX)G$vILz!#sw$M;d4=p5D!&Td~N_mn$wrJ}fW z6z@OREq@wVxH_}sDU4S?K0VXvFb|N)CuF#M!2ihT1deX6H5FJy&RZJ7!+S7AnG@!^vtgsHgc* zBHya-9^^ut!T6lu+s6*BPI}E+UNYVC7sfK1#@Teb`eiG^6IJ^;C-t;4oJ&~+-ab!# z5^9r?B)+jxJYQuPu6w#a`^>q5sN54$`g|lSN|VQ5RP;0*55d!I zyv*d=(<7TioJAb-eoXIhD@FWi4I8^r*^hl2mu*}a92jtQ8f{?}uOXPTPsfk7K5y(h zLN=KT4Pic)P;V&7@c)SW?s%%-|NV^YJt8|)vcfUWN!cSsb|uLQNk++NknCAjvJ*10 z3mIi5S&3wCNjBND-~BqA&nG$W@_Fa?`2N*-$nEt!_j=vW>%Ok*>CF~VSrf0A9yRDZ zLtY6#UjN-Ehd*Z`hmioQZPB!;X#GG$u)?jLu)^zk8G$jLZ=>btOX=<4YHV(vfzeGp z1*Vs=51R%_MH!LU20M*7g?;wUHK;zI`ZV2ADdE0v(coR7BV_`%<||T1CavceKl%4f z&5WMyyVk7wI{#(9dYi5ij$}dM>Av#IQ6vWmbsgX{u13O_65VnQzL$|u3p>GnNH$)w z@CbHMf01mnww@;OrXot3TQ+pLB5IstLMhqSwl4KR=^)=z{vU>_qmLby=-Au`G-vNN z$t{SQ>2_bbFPW#SQ0nhoZ5tCPALt>Ct&p_Og1U=1LOhUbjU_wPBE-nn+?(on;iQ9g zGhg=&F71ZHJo^Zv=$ggJZ3_}cUvQsF>QR65@VL~0XYcpjvL%<7J(*;J&rpEzpXW{mm-Eu`y-@g(vWAu2 z3(lZ6!~TSq$@2(Y)Jf`rfwIq$&XL=;K?w!VFXi1#V(iX+Xsm5Z_xg+YejYPi^Og6x z4*tVQW8aq&1nI-XbNeQV4~APLW)fW+Y2b8Ba8eAV_RW*X`fe~de(lM<+YelcR5@+G zL~7&r9zWcI7>Xu;(QcvqY?SGM)myLFZ+%iDu{t)fC*m%+cix-9=IbDMOf1*w@*X?< z-D-+ZA}_ZgiQMzbPvrM+@^=m36%Y;PSc@#ho>VG*bHi!5jb3a|3VaoVr(WVkVLVQpz)JOi=0S7$ddszp& z?)K)_aGH4v&Cxpg4y6>C*#_B-T#l&voDgnt?$$R0a^var(7BaZ`l_crl;?n-eRyn-xuq}VKy34^*wfdoFr^u)CA#)~BH z$CaNgCp-FWz247t9eBiW2E%_~_0G%sL;~73iPr|nir$<`OV{pMh?%3n{o#_l5Xb29 z@sKSRob?J`=^6U2v3u{=?{>sQhcU*Dj)erov2e^Em9hy}LI<&+QQmBWSde@CFAxi| zRyX*WlF?;TeJM+O7GxQEVep<4LDH2~^lunh+yv;!c8@UV#lL}wAl;)NAOz*)B?1n~ z8~=r}^b$cid5NH$ydYy#^|AfVsOF8B`Zn z1P*q%okWIqu5B^I`Mb~{q!BV7+l&pWCWrt;jvdAZ7u-hT*y6bJcd=~_DA>=00i6cr z%Lh~-f`1YP0x)-bV7mvIfhv!XYt?38Fn}fi<0_V&1-4E8A+klfi_HEvHQRrbe~2Iz z+^7w4d((fyR*-t{-!}V4Yz3(h|6NldPz4iWJ8s7+wkSr?1uFzlE9i8Grs>a{E4rpI zz|#@|x~OeUh53I*{LnT9)o&3%Jh`o@2vYL?yYDIh&QEY4Xy4v+i;fcAQ~3c_4M{e) zH$@((QBVCpg><$!V4)x#0RQh4(gETc^$s|dV|~Vy;R|V3-jJhRi6OkTxkTeqp$;*M z@8G8fN?Wx$$QBn)ytrI>cC5Mc*cjmhYK5V1qQ`ocZj?0J5o*iFk-ltLKVZ$xyhLJ? z+SYg@d9a=7g@bY3zUGR>8P}<-_vtdiPwgYW1|6|^Grcl*>_J(KXQK@9U8)=1QJ$ZK zYPmfgSj4%7D&jLuCf`>l_hF$KabqbXkGl9l%x^v1Z=Ife3RhdE?Nxw}4%h4bIu{Mh zFb1A*`-Vfx-lspw6de-tT;tl-kpW_ z3NPXG-0L%qjowTouq-kK^1WG(q-FRL1r!L*(iCOgIEk#o4@cUkTILztoDp~&W6bTg zSeVz8l8N!AaWGkHdRz4gu3u|!7rz#iD!fZy8cQWw?GeZP^`h zRycY@T)t>DH|k_itZ%D>eqMb<){yXbFP$_E9~OhF0s5}DJH zeLthTEG^wU+cZP&9>u9VSn<~IO}E73W1g+?_j!klc-~Py=;$;em|*MgXb#SMZxT+? zTZAi;P|q+hEgO9C%&E!KRHEdwdgVOr>OyPqf@pXUXj?x}Wr9Q~EfOC9Q1hTu0)f+>uFVYA)S+ zi*l7OOHW34_Oez9t12W;J+Gg+B_*W&Sdo~`h~QiauM98odG!evW(&2N)c}sB*Age3 z#*++0^M&!wwFk3`RB0EA1nc2EbD7mqg*|3CJEWFHkiDctRjG8k{aTf`-E%rq@swME z0?7%A!)8GOTs=YzsxQdQ0^U!~<({77W@^SfVugq8q0%fjbe!hl*F@o-Qe&oZlPaS_ zu9r)rE(+cpDLy`lf1oW@Ms2T@xRAG(FkNER0wy4o(;QSinc3;sIe4IzdN(Vni zH)~JjWS_ik^Og%AbBG#SQg(ct2txv4t9zEhUO52UYR_^9JI1uv4?-oq7u*;zttG)Y zWO#R8-0?3Ij#X^dR{LrNi#JlDP10d#-QVKqI+*r#;L*26-t_Cl(Fr<91JXD(bcECq z_LgT0uMsaO(9rLhUU}wYDyuxHdD5oSmO2p2e!p>nck*%`L7*%*6IXOzvS{>?=x-5Z z${B2=U-cuux@g=d6(O95$w=nEX4}6X>!H1_K<*Nj*z$zWY0Q3sx1k4|?!9DhB?{Cg z5-VIy#=dI5S6t}cS=u{7F>S2+!7Mb6&*^z63KM13gpXgq@V}$SeEp;Fv!jPi4|Lmj z^t=-~ysGU{+}y2nJ#CpqyRYb*=7iV!^Q1f(4YnMnj3TeN&b+H({=zhO7-=G;2914* zirZ|+(}e3&bR{)Oq9U1@<35N{ms9!Pl6IM@U8l0q-#2ZS{((~^O5~Y&U~cR2^Ij^P zkIi_P9w*qZ=C=yo(P)$*J6M2E%YI`N*E;csq~TR+!Ko37Sl-359!JaPJQ2sg+*rQb z_Ju-*&tW)(^p5K_y0Mh*rGtZSGcVPir4DPN3GTX-%nsOJ1YgqLLO zIVN_}vNTjh!+7!Bs+`^O=^OiLc7y( zAaz54*o1&=9sx*Z0szqfsS^t*JPPhz|A1`3wmZFu?4lC_3P%I@83OW=0635!Frxv+ z4WO3hAM#+>c1w_rWwtxLwi%ir_!kb+Yt%|WN>u)Z$U+3^CAB-D32db3P+2b_fR~_h z^c{tUb|LJd-2iZ{0?Exr%`qrAWdDKubBDp9SqaGfad$gzb4($>0Z2tB2nQg?A7&d` z^bxsZ?@nl&ixkQY`QgAf0wn0dVA{cuby5Go2jbrjARu2MyA#>wLV#u&A9y98pbZ#E zMd5!^-l4-bwm3-q-LAWdZJCp0|w3vP;9~?z{?+4SwS}~JBkhM{sAWJe}h9J2*?B3P8c@;Tl`(q ze?o=84)cd*|A-20DeJvGSRlUw)dvxvKeodiTbz^7HU&=w;2 z*#6WlQdP7~g@F+cx`sdB#{FNSGw>~Hx&NRu;6%Pd!p(T-Y0FNCaI?a7vuPiB-7EIl zrpGSvC$hcn+`yD>Zp`h~sS3zG^LbyBBlc2R)URRgP z=~Hy|>d0bSU!L|Wa|^xr$=mrE!WL0@OvNz|L@Y+VKd4Ic>4#n{7QgjodGPX_{y_;2 zCNGXhnZ?FOl;du^I_6LxM?72n0Iq&(pTlgNZ9wk+;Er$OBM+%b39cWKApH=p32*mK zauc7hDbiA7w4;u^{wT1yWjr6jRr8`P+T15yoU0|~ou;bpZHG=R-EkFC!+vZ+;)1!A z+=O&z0@|1RvPPE;?4(cB$u166H*jB!D6p+dxLuilymglEVx_EK!Vkr$78{q4b=r5q zX&re58QwhM6l4B)r8f*u`n_N&y)McGvmAHHCov8>F5MAN=V)VGb#3MhUq?e$Gh0OI zB{dg?y7!mU%_HVhul4p;-eF|ym{yF);x5P1%@t}#gwpOq9K$i6_)5T4LRrhV#3&M( zyIgpcHYBl4BP3zsjp)4*lMA6<^_RKbIw*`A*)s){!p&J>#wC?ytuzmV;m4GMnGw7DEZlE3-8=kB^!hi(a^N1X0iO?q01ezg_v2c@JLCi@_Q*CI%3z3hu^UawGK$V z%=(H&wfY9Nzg_#-ivCdk(KEKn)`yzjbd^VaCA15#tVvuDD#z!g6_Grp(2-*nP?26- z;S$$ToLzhV;=%pOGs)?b@q(w{4Y5yjIA|55uS8!Uc1l@0f6G-G#sREb-SPV3ux9NE zh`#pZeTX~4A2Qfh+jRIGb*-wv!=v*y3dU;Qm1&ixi!}ojT!lDFr+;8wIK78iXeea< z0>VFOxzNF)dVRfia!uu&^!P1TRcyZr=z@qVI_p(ax zl(o`}Pk9|tpnf~6e~S9VI)N4t&45Y%NisK#Qed~qZ)J@s}<=-GaS z_vflfSDq6m%S%=a<{}nCoR)7kx+&X8(ZTrXay>%Z9k8aek7UqTMGw|qSR;~3YT%~P zC3#Bu^nh!EoY)B*g$j0Bvm1}syJ%50%30e~}A?!V`pA`v9ynOb!(U^Sop6x_Ki%qyxxk1>) zl8PcZRe#)t^p@I0*G%6ItTEi&Pna;9tkL9J8iFSY!;eEJ7v3nZRk_TBsrRf~H<2c0 zPT4vOHhQn-JL!sJuJ#Z2o^w|a!fN=@`{U?$2L?Fi4-AGbOhnn0w_~4T5{Y4Q4hIx& zlg+>*3B)_24<}~Pz2wVx5`2xnCw(76Lh+c3yy3atDi2Z>%Gxzom*i6kE~loBol}RG zN9*%n<;^(%nezOD)yF5^4j3O9OY6yO|JW5)a{9)*{IKYEF*7lfgZ&H4X`#8_mkwsE zB_1@z$ZHpi(#a&L|5SN6%|(UMFHOHq=g`_73t5E^_e+=hJ9Mh5I&{i(+(mR3J)$R6 z!j|JE4_x6m*x#4!aF06VND{4=vsaX=SX+sfSgCcnm@IPwsgZw4@$0M?DFsD&^Q5hG zy1kC1tG*}jWJaY-#`9kV*9jTrTWX(sjGu%i2dV^3szf8cVB#rp&9Qccy1@ zLdXQ9G+>IEHU`gT*BLIA6c>M|GkyEwc%6tD>5;Jm@CLpiX8O6}p9mn2Z{RV2QL^y?j^g*Aye>pgUKfBHwD~(op*#e`YLj=f2cN81iF-0z--3bnrD+Aw0evn%U z@CgE6Y9Js0q6R?S`~6w~;<#jq(7%ef0vP> zG>gDV8JM<$l4QW}0S>mU9mR%zNOv(O1;`)LTO9a?00Ukm*$*IQkZ%b89|;uOow7H! z~my4BrHM$Kk_%uryd$lWGF# znRn9anHBu9 =>rU$((c41wQ969XZXCfH zw_l3ZCq~y}y_No2_qBU&@rKmf^VF}NhpHU^&=PcH&SiS(>Z3!~H4fb}rgu~;=sEZ3 zE7v#E@NSF1{BS^_D9$E6$En$Hp^e7bQ{v`#qxqU|b=PKBJohk-k()hXV_v!RnnCAY zX*Wary=guJ{a$mWjAxZbd+M83;LA3yQAcUXtuWX)!zOsV&XssXy-RVp1Z+}f(ppF> z((=3xJ2^Zx7+);+yA_}Bpe;^&?^W~TWQW)3%k3>+K8Ufca0ETO@VMc|U{S$Ii=Z0; zc`PA>G?5%i*0AF64)+JwJDS}5d*%{6MP#48c#%b1JVhJk)Iy%ZCVxGqe876~32viY zdJkTJXkqVbYT+@ZBOXcKXPY!szf>qimbbq$kJ5QRe{z2e%SW?r0ufizGNMZ(Qx)A<-^Cy)+?XXQ)eE9R4^IhEDKO_gxwbcu=&;-*esqpWn7|q0_9L}4 z0+qBWNuD85!zH-)rx%Y^6)F0P9MW?sC4jTKo-0YnT`ByM>*-zD+-mH$?9VRCK3nKX zSFQv*jWbZ=iheL|K+7bK0t2^~SCg0{W5Y2S*w4&y?I!;AN;j6i%`AIRD*IenG*K{nFQ0XKCw>N*hkq zes5e)T2jy;(QnjF=tWGGJ|9ohVBO7%}asBDJaL`{g)+d$^SM7on>xEs?~d4>kzES1^gYD;SWhDP@_E#?@^ zmHvB;h!Iv^&_3T7W9lbqG#r=Nu`opTjz3hGN}I(L)jay%;kN!HW*K?aVTTGUk}tif zbOs+&#VqrlY2sRp3S^#&*+bNO1E(NQ&w(NH!zr5uZO_$&uZYX;wcKVorHo}OR5p}k z?0qGRPm&{;qbOA_`IxJHHXmAf#;f=hJEBmNZ%m7)q;vW9$yC_fNv%?>LEm8eQP$<#w^5NOf7QVK=6VGMM@A1eMtwhkkal|re|oQ;_W;2Nkp$)Y zgU8mh&nkbNCc#pYERqh6yM&4~nzHzPt+B|L7$aC)SET?)odu{p&9^aBxh&iAx%Nq|}h3 zRXdlc{nS)lyF`meK<^c?8BwcOY}E{ViZMN>I?+ujEANj^LHwizqEo=TDIRBv>lsfn ze=rS|n`>k`Ebk$0{FfgmO&HG0z&~D>v%Qv4Q*d(^J zCm{8yzIO9R72y|h_q?xZ^Oz}WXK+Xcah>`I%Q>=tnb9k*SVq%2O{&lQe7|dnjJcP! zXD7QsylkZ$+?+0dI1LaQ|&&OA2b*Ez)k{p zHt=-&z!!=yBqru>E?bnk&rt*)ZtsjDnUrRc=^l$6GK*h#BMHFdXGvDKi1O5vyL_Ur z+4O8z;xkoQ4<05}Ev+o;Kw=$IOo<PrDVsUIn;S8+;CUImGOk9z6ECA#HHrxqLBMK=Gct>m$kNunII9l5JSUh8$>1 zRU{}E05HR!i6-c<3Y3)#9A)JK-*EW^mxO@Hi$pKrD0dd%Qj7Y@Cc*&+Vup?1K?#@O z8%{Hz`KGuTeApzcz>(VNUj;|V08mG&ze_?k^COh|2P!|>5l;e5ezeggyAv8DI0F6# zNWl^0HvFlR2XMRv7yU(H`dqg1P2oq z0Y*lG0Atw*4l+Uz0+jL{1t%i7t>_FKX~?uYvHhpxHU||3>PiC`NDx$00oTO8hgi^t z_H#n_mumrneIRB8SOS1nC&UlXMgZ`^01_%B@&}(D(B<2*@mt}b8KZS;N9UxyFyAvBs2r8lVpU}V_%qsw< z@=kgUz@*#9^Jg-`-%T}?rweL8Vf+F}C|54Zj2Y$1^Ktx-bqQ|88;ajAe+n)%U{S$=) z(t!Q`i9*2YR|H+1BDSG7Vq|^+X1*=x(GUK zfGTKcnj%k*sDS@Z;h`;@8x%Yw1gd847#?Z^@DSAoJfy)lZ?xQ$V3VMb`03C@P*Bx- zDh4xdbza$us-6Xd1F~iQY^S3OZt*MO)#MXSAog6JPA;iPX{a}e3sOHs=;9my0$#|S z^cBzgEJr%INGd#nW@tc!lJ#9~QRbX$|Mb-pVQSAR#k;zBX$DiZQlEdE^08SH>lhr_ zcY8VETtr3ZnFQ>I_wa}<#~VL13%@3l!Hx|gHOY`Kj`myMPrk>EP>q9N)H*(svpS+- z3HM^{(>0s>$yh6txR}?nrvM~^sc{(xDs#aaJRPd&A%xhT`HYv~s9EC7~ zv$`!b{f7AkHgXPY@D9OqxmP1gQ?7Ih9>4UCx6gbZlcSY!Z9%e#(aYp0+$q{y9imfF zH`&@Ze7B@wId{q4K0XdD*Q@MQ zW-C(01QwnCHZv!uDwcxHf(UJyO~>X~mopxQtGEk_@KA|VHrcpH7`RaJR|Jz?mht^& zbfVATbwO3DjGzRYb_A0-9<@EG^u-Js#A#m%nU_Te>Ntb=G+0Q&Ue(bA_Fz^~`i|EN z7-_Kb!tLc*(k_RN+n%krP%FV4m|luq=9~WLaOtu&<_OaP#&y$g>nr`S(Vuni7{2lf zl?tRHXTu1Pa&O?Pv(+CW^JHpR`lgVi8hJRy#0)Qc!3^)U^OLoivRt?&jcv3W?OA*> zLvwLm^Khnj!dJ?bs>t-&C5LL5nB<32c^4{HRr1tJPVL!0d_ZqfrsJ-yPkl(+FvX%T zYig}k$U?C9#pk_y7P=C+$8WD03X;?&PwpH2*89y#gpy9H0mhoWc%cJF-=anTFrk<4 z8H$0is~Cnvj|Xa$G;s)QERD=f{N}{*0jEtTgHk2EC~#ivtMOq3U! zn@P;=?pkNK$GfSP9PfH(A>tFkHGrvybILy5n;2haDV(9O3nPYaG}fy=luYxYdH!>; zw$S~La;!xk))v3IsE|$Y(M7IRLJj5&4?t9?6)@f~IxX+gGFn#`9eYrGO!O1aLE7F@ z6L!M0C$Bv!gPqz}3UvR8kLy>&peK&)me{_q?46$S3ek&RVcpsDUDyth^Fhjo_MdL`7(2&Q3QLm!;om1?Mp2YX*W%e znpt>nY?M*%Mc(Ji@;44#7c>^QOzYis>98ePqy3$>1%{gyF&FT@^XY!JE$V)poa<05 z^5FaX$#d%F{tTU!V)T;u@o>ZxUoE!yEO#yKXr*x5@I(uPwyBpybuQjMO)ce6I=e(h zvDee@I*zjAWW;+w)$MK2=~Sqf*{mhnVRe*x~@* zLjIX@v7`r*HzWspFNSru6uU0wrBt=uaQGtY5b5}s!RZH63C;uIV29C|yW;wAcb#Y7 z5nUCB*Uk_Y1XjNh|70v)a03s^tCoZ8{-?6XA6ADf#jNw=)Y{GOJX6#Af%(+( z);n}q3z{05+preoJLwl*$VSoUe}%Qckxp)a;QTK|LM_m*!17%eJ^*|-@I|3Nc<}Og+yAvAZcLDL0QQ{gDUwKEdp-*0RFB=sE2^Ak? znS)aP0OCFX0CyCd2x6Nh0ep+S-ro%=j1QDg2G||M%Ynues%DD-^KnPq7j&`hqLstu zbOW>vaPJJtivs9F5F`Xbpzto@PbHpVBHNQb4t){0Mr2kt|6$EAOz}Xf*Q%c z&-u`;1mxzhJE5WSQ2;IgA7DV;0L&{m5H0K|Hnb~Y7o~%sPCd|>0X5BLZ~$%qm1KdK zYbPBC{8_f8q`Rpd1oI4nKOp=H8dPKjUXZs6g0i+i=lJ_UMH|~L?jVqFGI%M#z|J88 z)`Ae^@c?**Fn}Tn3H^c2BrLQ&l}F=__Lnv_5EKL0A*iJQM1i~j2>pGpp<4>bSKlrz z1yF2D5Fp~4q5X%{~x2T=bHv31I5Av`qm@4uD>CO@E$Q=$gU+$5H?+Ff>p7dF0VHg^GuxvxSClQR$*< z3S2D#-4q?dxkW{bwkhCn^MgBYGy(riZ2Uh3N0CAR)T<2zjzR@AcLZdMwqVw)oIQ+pIh-);`8K=8#h#N7cdmjlk*E!G*Pj6dn_3XCY&PG zO>L=>4G;D?K7*Cv`>0T;<}Pud#kV?JepnoTX}O7G?;EY~%Z961k}@pEmTykmPK{Rd z_F!NfhqF4~dq8zowSexTV_5^yyB;~(tn>1AXRcCTPwp%56(d@w>mA{)OrP+*DENW) zG*$VsH^4)`4{^)MkSg60#e7}W*mw0PcFNQ{P5{OAUs0s;-anUeH(mqVI<6+G#NM;- zBPOZ%wNFjggvD19U%wWv=qfYCW~yBOZXv_vCTdjfdBpqm)GJdl7=59n;65uno|JJe zL!FC9#~3I`hdQ{^Qn8dx^#dCW*?PWDhh)oBR5AHI&G10O%&ogC&yYc^pf=MuiV z)jHJ~C#lii*O8D8)FM{sr*3AtNkCY}C~s&c_*vzAc!oK5kFv2s*rFceN=?m(-@WJE z`G}k=Vr!N02Sfpi%yMBqxGqeMElr`9%&KVQT6c`nj|L)z zHzI*Hp+Rf>dw5k+HO%br*itI$jR@^}wVdNZ$4=BJJFku&&XHDN!!Ugr=#X1O)s}Fa z{5U(8Xin}GuAsKZ;x?}L8$I>4JRH(G$r2?ley1A}+0){7=Iu#^HoQi*T$4=d$HW~$ z7Kg=B3F z=^lu~^Kl>D;$m^>1*(Jl6HUuyMzha4UP zntr7ilYIQN2jN~}?IJMEj{hK8H9%W}ki_Sx=V-*qZuj47RCEzMPO zAkgu%5j(}y`kAb%O}c{)^ZEQqOSyCdIM(FsXQB&-+dj*Y@scHf;@6<(y_SQJITOS9 ze7K}aiwqMxiMK`HVPx<671DSXld40~h*=7~vqBhmtZd_JZMF9>-eupXoW6uOX>a{_ z>R26~pG)BLoR^6m#DtOU>x;4vbHrC788tL<68dyU@7^6Bv+~d7dMjaT`j~!U(lb;d zG*f=uGrEy9iKs?S{%z)SQPvgCX~UHV?;kL7bbBq1nDmHNn|TOVRWCj*;CV4nmGF{> zH71tnhzG@6)0ap4IUQY#PO>Py*VoNX5qjgO@~i~kY}t&hB6;DYHTH+9e%t7)bFv?~ z)Z|N|<#d}K+bhyJO!4FN-!XpX@idiil37aSOB`kJ1!6|Uy{l25@2<<|9>+`$cbL`V zOfA(2{YZL{)3?g;SvP@gBbB0mYDc7{f;u1kq$tVCr(lvX0XhFyMYyLMnlF#slT`m; zz%fhY{=G8yqGb)%C5kI~Ys2TPPUgQUUbS_6^R;R1%$Prixp+@$a9_>nWu1v4MM4h$ zK(+U8Qsx?iHLH1QJD<9O98>av z8!n4{9sYvLZm8$}9WE<^BB&vK5Flg}7#D27s3<8P93|z0qojQB4SOf>%bRut-~;OK zAbkg*zk{>`Kz=~|L8RUu`Uy%22uCRa;V2~_9AtOU)3?I0$RJT?fWJ#PAi|drL`DNi z5geQ&1%<#t8j!0X><;m#;%C4#WE+^Wi~bRtd73alK7|18hC&5|0Z0Hm(f{{64LOp# z(`_j8YgB9~tK=QUhBi;zMF}TVghvSQ4^Y8Dcr2h|uY^9wNc z%|R6eK&&uGbpLg1$The-vB4k*c(9>B+Cu@rn-GK`cHo*U1n_PCKY@3kYSp&2fZP^# zCpM&+78pa|sS8*mz(WPla-b~*u!8^u^!v4dcD^BZs@;hV7-Rux2S7ZVu|W(uLC|mi zKDOP1p*Hsr7$EO~UPEmmFvzJJ{)cWu2P|%Jk@>rw7lpCIz?B37{9P2rzN6UC59!Y^ zz~2QY2#9Awz_l6`9JEaNAnEH)Iu4}JXx73mf@GT@`{tlRlu-oGZ~{LZUIgq9oKf_# z{fuP%UB^Mi>mcA?0KlElo+|`E8#w4VNR|gAn!jJD0EyqWhwQ!#oF8l%0)T&yS`7S9 z2`=~_@PBlRVHaiK(By}t{rpHA??1}^9fgK=E$pHS9HL8uQi-V8kZyS3I%{XKp<4>b zGu9IDxh)K)Qi_CAy~Dbhul( z3EUR}MY#aT6t;a=#1Wa?g`*GIHrsLxwpd@TYJrkdXR||W zfEg-Ka6wMP+7;nL)#6FNPlqRVv`Sf>^^kCJ&Qfr{!dXQVjp3?6+rl$nuZLYuW?uYI zaO+;HO|Dzm=Z_18m-Q22&WClE@7vj$50owALek;ozL83wbLVKD@Z#~gu~8f$Sh0@J z^!^&*GfE1-P_p=tT(0)px1#VIue_#@>2bP89rH^hW2DUwa?mhJ`pMvY<8mf9uC57F z_KI%({_w~YeFj&NyQ>qyq>4V3zESLc)%ScO$*&VNW}D?&VE3o7T|QzeJ9gC#<#H6w zD{JMySaMJU0H{gPlIbazGA;ms*3ED)blu9$bn9RV$0w7j$#mdr{>+(76o05j=U7G> zn|_;cRv+=T5z!fL9`g(CebixOi0MO^szm zoxrR4uOGxZ(_b!iDW!QWoYz}qJ3&aIr9nY%6@8W{!;%Hg3j2KW`Yq?$1+IwO-U`F! zkFoDq%liODkR;BRl!U~v1s|Ib$LvyhH8UF9`_3OcgBVn+A_Li{kI|EyJvKUs$xuft zdBNr;&Y3R;t9`~1hlh{1Nd;>J9G|Is)t7V6+u@U?tjfy2WM7=t<`8I&cUZkylm4)Mlv55;yCFYbBXjEM9}LaN=Gd zj>5H(M~>w2M#WcX1L;C73>IoA5$qWnfZDXnyMh2j9t<<69aQMt#}zNa$950o6s zK9pJHH)9Vwdn`R@Ryu06v@+fNl_J5Vl1 zMZ5nh4t??X7hHR8=?4WlLR>1o`wTB)Uwz|!n|L1Y+APnf0cmH-D?+_-)hF#K1o$~#Pv@2kT9>gJ@v|=9E-R+KRzatPGoV+ zbiM8zY!>f6JXpQJ$*!h)&ENA5oe-5KgKG7YGhFFc^&9V#T@0sjBEwV=!aP8y`p}t# zmu&_E)47cIK96){1X!z0QU% zc!p~l>j)PgBTa63bDYmwRr;F6;R5`oN>;3I@z_^hXOkI<-j*@MQ7w;_qKOW=K4f2g z)k&9Q80*Ooa`zZDyQAzeEF!dJZ@kyeyBz3jCBKZ zR)SwYzB?kYmcj1j{SKmm3HEsV08#v_Z^dG!WcxV;CH0u+Zs-|w&UGDRH2QJqfs-^1 zhSGSS=K}4go7X8Pt3R{y4ludfN5%U%G56Yp9KL6h&e_psYcBFZS!}4r%czn1M*KBB zH&@js7`H!Sd(BJSqq_~yr-SLo52dF>T;dnjP%64Y=H-JoCGt_{sNlQjLa$9yz3S*} zmSqI_DyGOdbHt=M_C6X{4P!TxaV`=oc_VW{_zab$<@Y1pFP|_O=}41(x8^kzWVOm} zEA~qk;bG35=bu!4LFhbCq4Y-Y$KAtl2Yd#*kJmY=L;hkgSpD&Cx8}U;-rXtZB zN6fZaJvibnNckhGFgDj%{Hx^!R-;8HuNuj8_ox0TI{FIUFK~QS66H&p{p&O3e+Vb{ zz4RvZ$Yk;(lnyvFdr|CY&$95VC$_n?M#9%_N+f%fOY*%(e5JzSk~+~e#x?xSEi%y& zkLS)_TUNdIbRx#}4Oi!yJa17xo_SPhMRFm*D7wirP!CVHTJFHJVTS?d#Ikowca3}k z@`Q+P;M|du!u5SmkKcbmUYe|;{pj&ZBW>9NJFOam(=OOT4AaVw9AnIhd+KGK_*%(_ z1KAo9xa}AZz5k-w?^MK=(WTU$J}bJn#jX30<5ZOPC=W&`jS9}>(87~@cV=)%)_qUK z^k0yeOu1b2U3z9jJ%j${`3Aqv!=pLO3NQI?(kEaK@D$ljg}=fjmye#YQvY`HmPMCZ zrFmargpTU+LUeRwuy7Ci5eEK!`m3c6MMKt3S_yvi+;d0s%piLO)|bu#+BnHQEic2K46=)I!vN6WM-zRI4@o*ftH&{WBZ9njX+#$7&h z((X&i>M9$qAszpT8(vy>My}h1?kVrEWEo->oqzs~>~Qt`%FO=Chb(ndi8vF1YD{aV zUDlo`?!hM+^mqNvN`_&kaEfc({mH4eYs zdm}mf6$Rcn7i>j=feR9Zoc=2m7=bjS0mv)@WO7LG7lCwpfqsJYZb5$7q}L)gT;HJo z+BpA!51TYy1WF{0Kq@AYtx$guC6b1m(l;J~5=kRaB5A~?NSYr30NKso*}#ssz`+~Q zqE5hnm%a)BSr<6DBH>_&tpjoEM1a4}&fs9gHrmcc2kuU6n^2Ar0%X*{^$nH2?g%+V zlfG^Y>F$JvQn3mHqaldV4H2>+{`HPxLzlm9Otaky4&wVk_y{UEK_CYf2Jq(2f&-%N zUoi;;AZGl!B>ye(57l$1QH2b-_yC(h7ywWrfAmV{=i5Hxkjrs*dQK1wrwAZCLFRM< z;F3fLuu=rTT7=k~{QQ4VoC|Kd8`;<(b|>hLoU3Y;B0so0j5WsU#orxU=$H%vQE&L36{N3g& z2+#&Ta4CrDI6(+YgdqMMbsW0bw!b?6?K*{wAP^7@7MRh2fRIZ8sNj(XdcYR{Pq^kb zJQ(r+K@AV)+t0ob0z#k+=l>3CZoH6pX(?#1yKT!2yDOLE)6nB1SHSj&o#8M{fvG6 z-5N#R+6Zh;HmI}*xXT2w0$TGQ?jC^A@3!p&d9vH3ZUcy;FgQD+LW8c~ppxS|3T?ZG z00Jpd+nvw=E1egp+QFSAs7Zm`I}iXL1Wa&Y;XiF1+bskTTa@Y$3c8Ua?0}n#K&s(U z-)Vc(e}<@GNPXRJTmBCYF5=mHji+@Zm%X?s&-)`jY(|5L1ZOFdT=_Toc&8HtVjS%*K;Ed&v4|{H6EQ{o%KQS_`M|F;n(MtbX`n=)IOo ziz}$HzI6MIqOmG~ilY`kYm7403TT&C-yRu1a7O@9B|qV0E! z+1mok05M{QOeW*VJi4z5735c3BAS^z?i+fx+vE1<>H)RVJm8PM#$U!8GO-_Z->1UgOsNS6QlOk~jn9SNJ0ehjaI85H`f8?!Oama5RR&fV{cQ zqu_gB>+_?cBZjV7SDGy4Kg(!Ll8@I?l=<&D(3w!2mDz?tob_BVwMd%5J2B)HD1$MO zE^$nQk=a=5LNiT&@e9hM_Kjz}drwj}k7Y-&XcQ*vnh-=fUbtf$U)ims!(4af=ZzLr!?ea!_)l-U z*Y~-@U(Ss?UDr;Ys}y)S5S3-9S!dICM>2^Vi_YeF7&pbM>qQDCB$XE0*8OGKm`XMM zRqGbd@zqb7<^+wNx$Mf8|3*xeZedKOgC*z%Uk!rJ^@+b8*DAXN;ei0x8wkvgLGNme zG=k^x1x>F$Jut7rouc&eX_eAtkA-_Wm)a9;LY&?%oyWVUT+0yIHzrd;qjJP|g5utZ zy1Ls}8{4ST_t}$7Phb?gys3ECZ7v&TX*_sHWbR8cUeEPJ1_L#o`Jsxtiw&Ve@_NyZ z`)Vf%vRzgVVC#`EB?a|HkQ#s9|iBUU$_bajiory|A7fgD?K2R&(_l}~8s-8_I zYmqr-g>l`}HAMF`>7CnoIq`^8uSX}6kX$qd-J(YI-t!hS7n< zRNuyC%=A2I#yL;e_ZwP0g@+4ydLAB{HwxQlot76^1R2N1S(<53+hkr_FsPgwV+jo1ye=LvE> zbc#4VIiY(5!yNa=ig~8efWK^iuo|r*Woy4KcdSj@>K&CBe)foEnzpNN1fLn|SbWv= zR_P%3o zXiU!#yQr5I09W*a5X1rGdys!P4C1eV*dQK@2;ZLw1!zpjH|EFgbQ}yEb|6M9DmV}* zAg@9My&VK6BC<^ckJv>uH?lYYQv42G-a~m5q|F3SAb=}{MgG-{`}q|1m#YCtrlG-v z*a09m7|8MXz^d3$Z0HiIT~u?Uh>ZfEG$$W`by37d0iebDcMEm*02w6v4KRODu|a4N zAaa95^v|)O@io}k{dQ+5pt=o^e2_zl>NW@n1Q6xF*x-;m^6mtO>NiwyFkzsp19X!e z1&2nBiP$3kMJ6PhRwjQWB_WUwC#bKry(!4}fb%3&MP^$r18sZ%g}Ko-1YhM^H#ALu2JO&26_j}d6hm|zAEY78@4hPp2>{G|`%|IHv%e1*2HX}v zW#sKm5nJqY&;<;U>yK}E{2C5`wm2?hpQc^PF@}@#Afk|=g`i&plNfP6`wcL zlE(fap?{31%*T~(ySVP9z2`XIWf>6o9rBdLq$~~CN4}3=K8{Lf?jD0mo5*}~D+b%z z@Lj&k$3}|7>b_r#3~tMwBDPdATDbCkn21~F(~4|Jc&UHjdYEONV7|iFcj79F2aR1u z8$7xTRVNpi_Nrj3#_wOGIZx^Lj`U56nX}rJA5M5*ue*wgrr@$`V7D-=wXZyrmy*C% z_jJ)qus2HMcrj&=GW~*Uwwmi;sMUDfdR=#QgqP4)<7-NE&P>ZSdj(et-|9wQud}$+ zUXgdPwc2|&%jY_=z{UEbu1QOWue`@D3F=;ptFZ|=t5bheqbm^O6zfyz!)Hv68r6w; zXE|dyuN`Lfs&v`!_1yQ0y@zc4-52eCkF`%8e2`<2$E@trShvn>#HO)FO*xASo?ymO zL@6^YniH9cce?Ieu8FQEtqyS*`zZdTk}_O-{OUs_#;xH)#nP7R>b7Q-g{gC0 ziW>BR&hPv8#rh3YVvyZ>6yR?7Av0LDW_rQjPCa=4tW~|unG!?9TuaB)MV`JU{=LLD zzPH|Dl6;kC>@u0r%jb9}X)9Gc75iEwhtEeqQ28(;rP3|eICy*bu-rury=N`>O5WLn ziPUOmKPZXeU+dBKzHm%1KCrye;~S!)A%ymsLfF_-S^Ae)@h9J$_l{g4IoN+5L-NPj zgWi`?Wma2HWmi{UlEP*#@q54eQtE9VO!0FS0lBD(XZLO1u_Ka<1aE(wi`n<1h?400^5|2V`}6hszAB%SbRT&sw4ShVSSqyY6B|M2A$-QBFLYEAk={)X3Jn$O z)X71W0mqWu@ETC;bLd+%p`BJxwdhe-qfh3~cpi{_m^yi<&bT*2^T%pnk@A>c zqCEz&!t0TM4vdyH#v}TfU6iX<_*mXo8J}FtNw8I*Wp|Uyi5I*}c>Yju?p<9R+vA$C zj1t4=^>BE)e1&7IYQoxXbyJcQQkVtNojB)4Je&IY4oaJNw3FKoUt&tB7kTkd=6-0^G@ z_lgHD`gXM)o~d*$R;dPk2OJ|qzILSB&=_Ws&p*tRF#2K5!7a5WEqU#jq}10;r<|9E z-(xAKC1Y0kUptMT+QZjo5}a!E_{-AG$Y4=3vc=xSh^&a5%Bw^sa1q&X?&=k+>Y&G# z^?O*HZatIlvzXQz`obIW_#G3gcZ$q7o0tEIwAKK2)%&Y2&K0WO8Tvk9@hM~0o>Ng@ z`}qC+isNfT8S3PFYpICM4b)bJKtukM3n`5Y8;#1M?wsK$q&G zQEYAFer(9{wz%L!nI70m|D5U~HY9jISL{Qe{L=ts0J$IYBans;P=<@NXh42I@iCD0 z3CN!y*(T8MpfX&fQ33Q{U{Bu2d6BiUf6aM!(L{$Im=1vuQ4V3y%?=;LuF$jPvNstK(bPp>8 z>E`~V5<=T?Tf98}E;s?`>!B{f02W1aU=P=;7~aTDmWNGfFRFg!JPz$w&Q+2(*Ip-sN@Y|BS5TqRL8+U zM}oNjO~?J5H2h_7P?bXfWC$QHr9jogO&|jt{y}E>FJjx`*z%XLZQvNF(7>e}zzD#^ z+d*iE?e!Qpc4pLR{_i5&+P_>P1c_Lz44a8rcDg+fPMJv?VqOL{vR49oD$lCU&3L%{X{<(9(l`o(L zL8p}M0fWEy-|Q6KQ<08cVB~*o3VB2Qp(S_?L3Gw%TLL?`Uo}a;_7V(iC;$RL*Ysyz z2D*3!M4+)jch8J;Q}|sk0cTzCR5a;70;tb_|6L&^6bvv0wtv?x<_7P%rD zPhmMNSt+HVdI$Sp&q8Zp=|1;B|GIdGlia=!Zt@=M3BaD8I6me;yDG?ZQ3tn-P?aNT z>K&o7nzDe~d0P8{d^^$AFO*_UOBzFB73HZ@@*2)#gcUqzHO@AJhAbt0#h{H#rO)Z-}0B}Xx1p;A2D#`6wO zl$S0Cn4QovmPJ(A1gH9Tv(4nWPb#KdY=3tud-XN3f`(yQW#_43f$M4K#K z4v~y+x7N||$&FVznan9w8HLq&t|ju7D;_@iPF8Rjsscun6U z%M`y(@WODJU`_4u#DZZ>Lleiwob+`88A0~5_u6G%HWu8SI$#zTZwIe@;Ka%um3Q}P z@PgZ3dUH$RmtnjFCJ52#iT%x-uc}f)92LPrT0om*+p%)db!N<9&#EE z*Ldc=*vVKpJuQUhqG=4IC(~{$tmFB`?bCheLv2(Pc0Ysjz+LQ@iG52d=gRFZ_F3YF zP>tYy^~ikP(s3l|dXL8`ZVdYVw3xsX7>}AHjV>wQz|ALEaY}64W0po&`Zk>)+)sBP zdp`E~J6-3!6rwfEis1#_IKoG45jOaep^ZOCY_xli$zTjshqZpW%Z2^sW?G1C)LtPN zmTX}y!%;&*--<&~ZELaAX7+EIcm^6@v`Q8oevP3~FvVBIXoe?kpnD?r=0xqM4~~np zkKNAf`zGZ?&eYUqC02Tf=Z>-kcj4Md{{me+B~6fprM@x+0jB8f^%w7hGMr!c60?#L z+%hcKe<z)K&*O387pFNHdcsm)jMI?PkjXIxup#r06Sb!3_9{&HQx#A5C@ zQ9Ns!`wSGVJauyzHw_m)nw~8p*|-1Z|0C|b=7!X?7cHGQpwEto#(~%eka%amCq};-}k>~SJ&~pU*~zA=bXp= z+#mOcpmGgQj7o*;4QEe=lQ9Vy@+NOB4lG?;!Mm9zUErD{&Hpj)+s8#F^}|?n^8(oc zhh)y?Z=&UR-Rm`U)7Y|nOw$F{5vyc|7Dg-Jx<&rh@> zc4C3p!;+fO&qXiTL6fIL_fb?&YWKNfebX1lKGzSka>zVfc`n#L=@?$Wy8mvwb2nS_I7EVh5e z;QCa#rS_WcN2mFsf!VnAdS$x;sUr+;?rEt%eCYM|>pIVc2aQ~cv@4h3bY&m3r)3`S zn_eqTaY1{nVqO%{F}JbYK5l6h;c_%m{k8sdRsQ%fd&&Ua-Mj^uoqx3p+}c?F##?O9 z;J+QwZ&l#?cf1ACxkw14|8DUONLwKxq^*z;(pCsEjotpvf4+>QG!O~k5O0A<=l-3p z*hlN3Z3#P)5kN}V_rwUG%I84*ZseBW?{@S5Ezt)U0kCua+Y)_3`{?3;JZREi(T5J2A2+u(QsB_#kDy1juzVV1BpWcTT*f=Cv4(*P@C z&~uQP38=CK6>x_GV{A||`(K2%h}UR;z(K|#+<^Z;f`dbrtsu(T8#t6b_v`NZ@7{;) zSCt2PnqW_jd{v=j03bg7=Z-`5s_rl`{X1wN`2dhl;7lG;69X*>FUZw_=!-pJL;X7Z z8Xx=}I5;F~fW#o%;P`+G3}n!~mwtnB^X$$b+F`Nrci4bx8py>VTN99R1t0>Zf*Z;t z0^<&ZUH|+{QS=*F(0+>{x0k^`%d){2e+yiHYx=)ff!`v}-K~ILgByje8hr6jP5A&_ z2uWmi#elp!Vn7hI?z$@<$~(e&3>0cBG#pkd&xL(%kCx)fDYgikX_SNOdtSStR2 z7X~zHf`A|Uy(QSP{Mz*YX?(sTM*$h1114~<@%fl;FR*DQfoj-=Psy;MVbFJp=eM%h zw7km;{jR|}n!tAcvUCI)+$wBxHpn*6?KBT{%dh{!rPbUCbT{a zd#aiBC32)<2IuK>g|29y(!sj(;bL6?$GIN1rQ7sXr21us!~RSYOya> zP&0<(C{EeC>RT>^z$j~T7%Xrv3*PeWW6OUoT7p3-L^R)$Kg1F5bdHHiA-=C&J{V^P z*E8U41%tfW?Fj*4)$z;L&ZA^C4c#jV17BaxUwFYAXU>v+?7p*u?(1=(l546jtXCc0 zuC_cKC^&T9KKm&_!?10+Vyx&&2RfS^+GQV@9Xjn1v*6rA%iKJ;AZ&215^11&g@zt= z5aTN;w@;UzV^SQefYKOSz?j8mI!AuvgzEKAC#ZPd+~>Vd($VA?QPHS+ol}`7niVm5FXwqqnMp8{lfFCnAQ z>6y-lQ!$4phe=;ZrqnbRsvWj8D05-HTp4?SNHE|BeOBLB!|%#*9i6vdd*mgt;C?+B zP)D&qV@S=WCnHC5hTMUZl_u)}De+IVE^+?CyhDhsy>@GPP&`F89gm`c%rOn zPD%JstuE=&?nj2QSnpgf4AhaeRLNwh_rByQRePL#ESsCl<;!dBI~Vx8>W9|QulQ9H za|_oKTYe)Bk6cKaH%TgaN@W$jUawF;_DMYBLE%-xbILcVH%iYP#|oT`FsA+{krcp6 zQ|`<>9N3z;G4X1g)T!rQTb`1Ob}_rh!N4z!oz%H{=tla-&he(UA3D&W9{N7(Esa>F z;zQlug-l|PW}=R%Mf=kqY;dnLbf+YJ9(T`1e`Pz4|Fd!do`8n$l{%g3SJacLAQ{3Y ziMDx`hoh!n)PgsW9_Q_ajq-M$qcOS+ymg$g`)qU08}>BmBnr5`%jf+9?!EO}e4(l2 z)aE(Cz&KjsPZGfLb0c%gDp5Hm>ct7s$sdu^ZGJY&W6rYHY$^RCO@g(wnUO6tvss$< zKQP%R(b+vehw-y2J_^>qd4~OQ&;jS9G9j}g_H~5=3}GS*S_7`Y&bfq#lK)0|MoB}i z>7bnPv^$~p#V0a>y6kmN6Yd+6V+9(?Y`zaT>B{z<8TVAt*XpPEvpD(>do&nJs5PE; zS5Y63zAo%zkSs&TT-2%adZ4=T+82u`3H$H1d_;H9N#A{)G(V|SYN|KZQX4H--Izap zhk4LQ$)zr``s4`iNO0Xwvm!=-H(e7eu@itZ)!m2p_H4)R&?lV8G%sJ zMGXD`n4v&Lr=C;%QGAai7v;Jxzq@wXb>}YBQ`Lz19-k8mRe!_!`Fnx--8?#qh#yI- zB@asP_uLir4A)kB=wx>FpoZU~kJE`#wXfRFc;i-C?-v<|^^VoH%xRw+Q(5VH@Z?h4 zV)FySc`dYfI~`caRg6y>?dFSm+EHdnu8X6wb@*Bw^3C67F>PsOt;R1F4@SIbA199d ztUJ~+`&l@2c7n?VoA(;=`xCJjPdh1NemVc6Vtsw>)E)ZJ(PRem=dP2?cW`+Vn~6#I zCGK@J*rc}7r22j9KB0M%w34pt&P7wJCM9of=DVc&Ls9t|#D;eLf%4aIjp9>%drdno zyt$q?WlDahTe9=oyRawcztsYi}Dc?$YZHT`}D}Lkc z{*f4l_safWz`dWupDX1F7A`SayqY%;ycu0Iz@L&-f6L-ne<3&Tr3ijGqv$3pm5=Iz z&X%+u;X+ho&C8>Y^~t2VUWI6MzFa~V&}SJ+`apa3M5W0qgR|G%K7^1J$NwaHHx%91 z`jCRNbg4IHCW~%fN=ozA`8tIX=J_CLEvdv{JNETtCBbLkmGY%pZXW!hf%)Ws3*+0I zLYpoz=6F-t_7oL~kb47VF^A6()Tm#@KN8xXM8f`!5{Kz=XY0*-LnY5fnl>LcZiv0{ zYWGhj4E4tqNu)Ts`Cu^XbZ<6y#7dqBh6$W+M%D50EHx@}WQU2@)*f~jIf7U|caS6C zU>>2Y_&4MT5BIix2e{Z0V}Oe-bqBcElHGxeEh+?DY*8WL0^0s)058XF`woBsB6grp zw(UE>1@iA~+jsnG%>f$jCW8KL1~ziPj?5ZBZrJyfHGp!%j_3>I#_;cg36P!(f(W2J z+0M7%1?jM$2KwGo8bBeQ-}CB0&;1%r{3W<;odO?Z5DNC-$m4dXcr&-q|NTfCfcrIk z_&adhp*8T!1(D)^OSwalBjD}+ISkt!S_5dm#u$GG4Qa}W#Ky}HLnx*9gbnqG`!y8# zOK>15TmTs4Ai=?*Lv4_Yv?p-8#Q>n=evNhh4jb?d0?9{^doHLQ207D0$CyB{%*zYj z3V}ZiI6fHPZwKxG+podY-(lM>=Z>HtAn6H|Ck5CNkh~0f?w^MnpjLJvLrjSKGlw8a zCLmjbgU&;eOi=0;;5`2s8mc#89~~y3b7&B|A(H9Ki6G#vzpfOh?h5MK0}gdJmjUdB z|8P@a@sBtF_?-p;H~n=DKy_2N0I1*wm~a$Lf1ROGHU;DhA4+y>H%0YZFYy4|BtBp! zi{h?-`mH>`!&d;XJG-0iV2l12whKCuXVJ2e!?!8nZQ`fvAdK)b3#sDMOF6i<)rGuO(pp*P#GVPB zjO~6@%j2%EIBm;^E@6(I#)debqmAkM6+S+LqRXz|I`L;5EB(Fj zsMJY6cY9;;t&MgM-7&s!DA=A{FJn_TYx#Q}*?ZpDj(h@cKlloQ;kMe%_J_ zuUKzE3A3JcMZbl!U9*#JUaenw;oI}3Sseyqfr%XqW?vsD7`4+7dtcAWJVG<+cU#Ex ziSV(Mq^Y9x2h(Jn7Oov>*0780O!qVl8!A|guT^{patvZ^()XlySG69)>K21H&v}O4 z6I}G6>at=IKW4yzEr9W^?`$znW(6lTofPxPH-pJ~%Coe6O_t<(!+B0I{QX+-7G?+W zH$Tmctr&Q-5xjavbHLj+2AA}>x8U(XsW<5s$ESh>SaENw4S%F(8*b8JsgWgkTBDFt z-?0$v@O31iD_*4HluS6)E6ix;xn?f5(|xk|cTG3mJgL*gmb=e0Ns=mH$&=rfA>y>F&varvR<6J~Y$7b| z1`BevNWi>4<}BxyB0bYG*yxy=%l}b?;ePMWhicXK6N$&P3~g5cmrBctNYb*hbL-2qi+N%&Cjmfe|G7_Y@KbXw(>k>^3f;P)*tez z=$U&LUNEorNo;L?Vll@-V;YPrK(EGl#y02GhrSpaopd@IsVsi1kquKJNdXpu*>RH^ z8F{kI-tX||m{bW@=G;TARg#)W?J%xXI5R!0&b<0IPB%PX`jLTl)P}gR(zUVhNv({Q z4#LF6Gj>LLuLI6Vzft|*-$LZ5tlj5UAA2@~*W+GK*R5~Ef@^l;UAJe0``_C{rLo7G z;$kq!iHb9?bDbl;$j-z0o;!H-;fvsYX-9v_rgI({@Dxu-SmHLz`slz8L^tdRls02umnuQ*#!R_`pyXfD={tV-q z%y(C_5q(}07FhDcyg5d}Q|iM)RWk7nk0TR6kb$lynFYO)p>I^cmB8wq)Xp9>aS zmmUw4UX#}mUY>!W_0Z(=ogW;t;qvay(DC%1zs&Qrq!a^Ffcm%*hJdgNTBfKg%s)0? zH^zMPEOGYi+~;>A{9?7`b*-dN2r1rCK0hAAbzH)HYJTjf3Nx=O&S`OzvqTcy#}jJ3 zGqqzXBiK%!$S{bRP<2+mo66lgJMxT!;M{G!jys2K*P?4KHRuvFjt9#OH##%2F*b$! zue_5#p1|1mf&T~Ighgjjp0Z*x{pQDn;C@E=^(SRNq});nD2I)sCJOSe9`BG9D0rEn z%#eJiUMj2jrC71AHt*ASc`;ZLiuaZeSdlS`@(n+FdU9O$!34{CZi%_c3$swR1nk$h zR~mbaIc8fztZi(L9$%%!Qc)A0cWsMvos?jaJxes-F~p(){9G+Dh7FN`GZB^?;+ol(jC8o4&TU56GZ7MC$TVS*_{_!f7Ue*+8 z6PBh9aRq-bkzkc~OBi{R@+BczT#~MEf&%SWv)37sk8=&?ur-!eN4Y;Frex!B;;$x) zf1y=irQ;WSICJ>oV8!hR;u^u+CQJbq)ZjJhMu4E zC#3^u#R-(q3T)y`j*_A;2Q`mo#foeY;7dx?yfZXnEq}pdB`)`{nh7(A_xh1(8+5MBP5wMIcP;E~k!?4*P%;t{OLPbgK zNSxi;^6sLfwu-p^nr8%ReEbC^wQcSS_S;Ch31PT}AeW%+5Ojgak40P{S*C5<4e(z` z+6v)efcOsb?`+#{fbSsSLA6MbwAFTU6Zi!A2e;k$chXh}Z2J?QY)5raeKCIUXOU6e zzf}2b_tySEgVF|gfh39_NQEIA30@#x5roWc|7F4y0Jnb}0xxjh<%1HWw!uN?yP&Z5 zUctfmcZce~ZnFO}u7gTyfMgmZxb3)ZPaOx&w|7C?kq7>F(6+}L94IaXz#vDCH$Fgc z@bmr)7GXzX{NF)?gMdv4$}z?f&(Ykd57{k9DaO40+OBOV^W!2pf|GFky_?jNC{coTk&zyA&zRB{R`0|=Q>^MgPa zilGrEqyVHK-yf)D)Q@x@r#Da^3sR;a!NEa2Kz?w50H(OTfD`;(8nwOH?az4Ioy0N1dp6Ucp%#E4{434h{zp&6My+k!Kwgi-GhO)1r2F5z87dHAL%}(AM*kQnGg_G zA+fkq`V<7{CHDgMdC22=Tyf1X4Z;{=qE=l&st} zgCKTI`vZ*!@V9WV$^aP^82P|)AF_}K$$3DQ2hjfW6ap$P?t=EaF$xbiVt2b286Ftx zzww+qnxdBBfxo|tz=`Irax1S2J;)1}ve)nB>WYD6zD-U$A1OkEG zO%V|aa-jY%di4K~j5XMfoCqX63e69DrAI;Su2?xLkIt+iQm3lxb0=Gq;Q_psJaPQ$ z@sEPBpG7vxU>qe>Aotg5=&W~xp=kgXLpUDAhG?|>)(5?Ty<8(WX}a zv*~NU@Pg?DQ}NDL|DmtZ)2>+$g!?Tz>HTqJk{_Fws~R-27_wqX40~b0eAk5n9cWF` z-n}!YZAjQ$LOULnGSm}#;lM=>SI*nS5#=mh_&%iQLflX9MK|BWI=q(My5gzi`0_+0 z&dV-^^+e%A$!_7D$-0RXv8~rm+*wp+m28vO(s})0VBvXpXFYB0>!|32AYs)9o&!~u zSI4k#9EfSW)IfMGH#cSW=%AH}QwLr@o@x#cSuO3xRpz*_)hZ+#lMm-ZKMDG?Vb}PF z4i%-opMsyLbnh<>4K;O1Iw#L=T;LFr|K6K9G}L#pfk{*nt?I*?&jIJ3qUR3Yx_5rT z%kc*viKJsAXQh}7{u^bC-d75@l~be`%^JJRmt<%k$>3^>Tdu)b1XmmL$}iB_5ygtmv4JtCm%EIuSiLf zu{qU>S#1<3fACVgU26|oqm5Z_v$FR&(T^e08ivXYb>4Z#^|My^bqY5lRqqGFB8;(@ zt4*UmH;(Ica!ljv>rWI=OST4q0ppQ#qBPWo<4T)Yr*;QD85uJPf9b3_rBDOueczyZ z#%qzydAV2PtT*wmSQ%I(%RKzTztsCppSO1`^(r5kIT~)WOn>+xCJmBno=OI7V_j#d zYJB=ga@J|tNLkeN8EE*`$cTE%>u8 z`P`{add-W@8ue-laLLOwUoXww&L*`A?^mM~$Tyff5Qs}}l%e$z9>`2|+V+RhP;iRG z)uJJa$PS7}X>ziq-T03$`L}9YHsyHxODiObe(tTA;T~~ex$fmUJL*D!W0V#Ie)6lZ z2J6iq%@^)}d3`eI+H7^fM-tU*A7U1h{4qVL9N03|)+^`eJ^Cw28O+c7=`6U8SnC&4 z(lCviM%%h~UXpvvQ0B2RvMEQa-?6ShdsAkF?al`GS=uwv#=&noida});hb4V67%-vQ_=lld%pa(_=yA@xd#D z8_UaI;#4PtSQ04X6ZG}2P7dn`x4s^>(phxA>}hw90WWuuJ#0uS17C%iPu34wHv$mB1w z6LKZhp&uIVD?96*>YA%!;ICN<|3bsaNp?eYU~G`M$mJ4Sx4{Xz>$bL0#UXYNJCD}8 zs(;S26;GP^ilNF`gl$IY+k|bKKy~^pZWnM;Rtm$ym3)jA>t!6lICb=j_t6R#s)W7- zz1zMo-NoenLqdGHzoU9%$gR-b7AcKhMN${A?A=PA12qo3){# z{_>9|9?6;JbJwLc%GnL<5>l~lv)Yu;=Jj0(v+`1SClWpNwYqfW2kX*??djFS@zUqX zRF7gYTHy8FyYPDb^wG7I+FU~0u7ft1QVR-1Xg{$j9SU^|4xCn<;V+haY&jD;Yvu$$#K0#7>2m=M^%Lrow#08Sd zLuBG3K0zwk5LxnwPoOOi;sQx6f~=ISPqvc-d4LiM`3bZQguaX@{E4_g{y{|I4&sxo zKe&@NMEpkNX5;Syo$U||q78vB9x?*k8^OfKvujhl!$9)ykRh28WZoi@DcKV?)G^qv z`_aDx2bId;1KVXJIJgiH&w#jRkKj-RVZZKp{|?-LdT#5X0{2G{lR=hHkl^PJ)s%Ky zKyAM+`#RkCfb#<%V9kN61rTKbW)5u0`TkU*0uI~FFzrYZ`paGeS&D+d?g5F77lhTo z|7lOicy=pj5HrgDbQ(g|20~RNGAPND2ON{^2^+7#?$C9Iugu@|+V=bb7XYqLV4_7% zAW-El{y*v5P;odrd~5y=8uB%OgKSEW@I{ZDK=yN~k}P`@4*cz#951bMbfBwg(&{Qyd7$kpm8zYt<$^Cg%q3VQ!Kwk(d6N1c7a8v`RC&&Sa2OMJp%Ir_f z;qFBXu_fFeY};=GI1vS8COEQzJmsJ&Sy0CPpAyD_qI=i=Z67TPwxPjbKqd>E36L); z3~+ve0)OCJQN5^$ZS(&08q#(G@}Cw0EakTC#Gas`d{6h$p8yUHY~awuwv7!AbgSGz z+rBq&y9;%0M;H6taUjzJ${c|*nxP{v7#x)Sfc=5rhk=y$-2-kPr(b@k=KvTUaM%F$ zA_&_F5ShV1`Ux;k|L6BqPzVLKeVlzkEm*)i{|6iNQ~|NRCujis?rz)1xfj`O+b=3) z;0bxxgMzf+q4*lurw9X}J&A3&})C{7DtyA29{YYHrTQCj(fG?HHjC90pw3pDaP zsMOyuM78aI>RcF9j0T05-v*%O10<(M%zctgNGw7N#({Cuq5&HwRx*DtIyE^zlbrUuDF4 z)Gsz6@?dVp`*uAV_6OGTCf3uNl_n(5&V!>7om)?DjgXGO@W<WbTk92 zbK{#*0;`gHZQ>IZA|icne2wM5+9}LcNN;&eY|vCuERK{`+<|yt`XXz-vj9}5?nmp| z*r%nHPxC%r;-I{tM<}_rWKr~^n^l!$@#O^EmmSFa&c9HuFvaQ=6^vaI0*SRbY5Czn zQ6V`pu!bxgxrglL6Z|jkg=m?d<`jI48(ck~zKq3zPn%@gJjoS8>W%AWUFCmViYho) zv+>dL^c8jHb{p&TTa(;n86TB2WG)|R@Rx!;vyJJfa!U$Ia1xS!!`N)F6dh5pS*WG` zyqo`Bzl~9p4wNlbY4jRno^Ub$q)kF>_; z&T(+f!R5cZhdUXYfxC`%^eYoNJVg zu=x?TPM{!ny{I8s$wzKrpg-No;m3g#w6bqUbtm)sg7j5i;6#Y(74_bw8u>9P@H3e$ zq=B%6@%ANQeYug0zL+%+$PJ4txjn-3WQWyQG%h57{CxHca77Zk)@5iNCF>p5Aqb%srPv^)` z4*v4YzJbrjL1rbPtw+i#*n60hKsHu}{TwdiQdM<=@TiwSkkUsI@@o4NH`39%%Vaw5 z1Q&Fcoa9`}Py2}0N#^E-qeS2@Z$=XS2EFa31^N`XxL>NA+H*hjRHthWrgUz-O!#&E zye>k$Q*gchqS!b3t51ni*!pJOZkqPu3^F=OF<9M^Y9sWmyeP`RDE#(z<$X-5r=~fL z{`e6DrEFnwWJeR&7>#p2J;^O74zsw!K#JjTl}(vtTqShcmR&9CY~cWe0*g$HOHK+otr8DES$G*O0Z>93o)UIb}xsTU&dGn-YDt0)_8Ah|g z066;?F^h78M014DAs!*W0*Pi@0lc6N@wpbKk@=bATYi-M*5AECT_*3puz&j^`%HDt zYVTTIwhVX2cf;o!6Xix5#V-pBn_zrD!W`D6so%S9R=hdcLE~a~S{5yk{;s9<8cEr7 z#eh(do@>aZJ8d_NUw(L$B#I%N-WYZGTxpZWdZY3u{ozHS@lkV`?7NBGX^ zH@M!pMtl!XJiAfrq^Nx4*M}Z~*pU+n*p);9;mz;J0pvT;BeUV}Z7SaPZUlKnw!a zF@uAeL_*-Ed?0q?75ak@86382ySmi_`-2ThID%a(FJK6eVI>^o+k%9=f8OMy2rIXq z$^Jm&1(m*m(HC3*(n|so14wEhsokESp$aRvhRHr*1CJ1@@r?ur@r=NYY>(J>vp+YtAOlxFkqG}4A8Un@|RnuRceUQKPe?{*9GvoVzmEGf#12h;Yh>F@DLPwnIF< z9l0aK8+(l0+jVuJ67!x*Swnh>Dn1zW5@D^$EDoZ!JOwAxR4wJC6|x&)${eEiiptB1 z(Od)1#u@kgkUWm@=9|%7J4(f={_AZbB5q~EE1x5exsnE89Cb~jxqHW3ZTQAn9~qgl z!X7s}^Q;M_CdZuSnn$g=22GR~eP0?b{)BheYTYw07)`8oIOZ5LXY~BDa9TuMJQr1* z*h@OaxT#ld1(i4vJ|6}%JjI0c<4R5&p#@%V(4<|Ylu;kEIi@mD_H2M?_2vTGw`U)J zTF8mHGU5!MUdUAS6iN6ZQMb`3={rLQ$CJmJJ|Ty@5Gghx&N+gOnH)V)sxN=m+%95< zP9n;&pz-C|P2FMo^J+gRuqt8W)hA!JRT15cxDxovb*534G=Ki57X>=&NxYH+noQqc z>n9aDEKIyf5@)@Ib0#+4Tp{w!i&&k>xTb7=$=BHol*v_h*WSf`HZ9iloBSV$W zFLNyepSKUbD0|N)!UHoi{fUQ2*z)qtU{#nDruZA|hgH#;;`H$I*R5Vlzg9m?sIzkW znoy$qRFk@0VbRH(1sNqptu=Me9Vf1udx%Xmsb6Ka(I#6?5og|=Pt8d=?RfjFyxpq{-l*29txKEXihZn z$h4}6-QLS$hTVbj0N1I7Ch@vVu6TIXNzaceh7Nu#bF?`h9acYbYIi4_t$gCIm!y9a zgJFc`OLlbmtvLETUUtasrm^maXDEq&R+%$7{=gUsw$BDzqR=d{Y zF!8-2PU6``FD8?@C$--@Eq>fC^}K%ghxtJUTo z=x=yW-WQYPc+^bgv4^?${Z98OiQwkJj?lZxKewtA|EcswLQZ_r{$v8{hzXpYaneiW z;350>UN7v>?J0G>g`K5*bd`~CB4JuYdd0z;j-1r9ZPlIsmL@54w@$?;DZ1O1hANf! zys^}+ueymP8r24TU%45S{_v-j*|JR)hLC;u2$33ygqmtOljk1T=3knF1ycHe{N{js1$44L=r2d(V$UgKEF)|&*Qz~W7)H{80Rdy; zA7b1OvTL25Il)R65mZqgqBt%#Ci|Ijf?uUouG;vKZL5(6{=lf0%Fpm)q(?)X9GiWs z7;I_ql1)q=9C@G8+iMom8qdg3>oPt~aX{2+ACDOq zrKfr5()$eu@!yC&Ubk*t=q{rORlbRb6A{L88r zW}xV-+=%68ZXa#gN4F*}Q%tv3Fnt!+B0B9TxRy8@`cl8uhV!sV841IAb+a3%s9i1A zX;>NZ%nuEFU32}y_>Jjv#e(pR#`1U0EX_NYp3P1rI)7|@K`7VjymnikMk#fQhP*$7 zv%<{XkV=CGzb%%GIQq2{iERMJgniwMbYFY)&w~C}=!*^#UTBpQpu9MtG(O&zEE+aR ze2v}QbaeRVk8f{3iuL88P2FM2sz*N-rhQvXQ4Blsg+$}gt0hlfJjvpnxocC1fqwwA zSJ~1V7w2r;Lt@5xZXztKnHNWX!W1-%*J@{NWxVL@Ge0z@VzYaZ`4mddEqs4{@v-5f ztPZZIWUj2v&a~FFg*1WkM;V3}4bq#qJWtb&Wl1+!oJj=|7vpC-3?6TFYu+-e5uXi= zS2RvrFuC%|xVp8La3J{`#Y=j3TO~KPPxRhzv&7>tu96(IJBm1p8kx~t5rNBbUIzAp)RDX>H7Na& z|1znX>LC75p}0P0XMO8*T7A%T>jK{B?AX}q%1U<|I=As`s?`T-rXF#)!);9I0v|t2 zZcb6Ab_-W7!{I!gGhRAQpRF9|vF!WRf+w#ojJyxm4Q?(PF6kQcD=#mJ;jR5RuIzlH zmB0e;L}_l6k<5v#>M5mx4BP6`?DkRdYL?d5FJs&BOA013UmWW8*1G5EfT&Ep;cVD+?wu_ zC+_YuZR`1ds(O!a%-J%CM3EO6<35J zjcgZJgxHb%#uaU4f&Y;!;sGbQ(B|itVwgNoak?$m2NXfrzSt6eg8xDiLI`&xpa}(` z!1i~LY3m@p3i%0=SVCs20}p59e{KE29ZJ%z`y%&ve;4s>2UUE$z~3AQY>`0~AIPK= z`WFeopokg(zCX~A=lwu(2sYozC{3I@c2NNjK*jT8hY zX?p~RB2Y#QnEmNENY)2MqeyVu`R9AWhQjg;jEVhwrcnI>kadL|Z;%HdWHP`9Wk>!g zks1{?#9OsL-3BpOP`$SQU<2_aRQm4UWBWCB{LAqMSR(;2De!{gs{-IXg(`?ZmE@qn z_0I|Dd??1-K4$K3&mp`(iXaHWL>`C%1j;L@#;Cxbl*>SxwJTW}=u-A=z#*AHsQ(bE zk}W0>l&#_9hyOt)fr@xW%+UKY-VnBb;9Y7_+%xs{L2rr;icauE7m+b^wj9=XvK~seJAu4JKBz^o7U>;y^ z3CUkjiCA`Ip`ZfH0|x{(D!hoD5^{9?-0H|d1$wNXQD*%rF?sz?r7wvs>uyVi9x=8@?^M3&krh_q zf3MB5MdcV-SXgG$y6C;&3>thrt}`Ddo}D%nj6eLO;#oYOq3)v#eGB0gcE8E+=fPJOr2vwl{==N^ z7QVh;RBBQ+?0%-h&YY~g&A(ZB@v}xS+hXE}SNNOygD>&yTLj`>J{aOTzdXrPMbB}O zSfc$Bf6cv9+P)+~A!-}0caQj;ej3%BIkyt07MQI_!;oK!mU;hpa^<~#|77u}Z)^@u z{5%^1W9IoZqCI4Eiieq}IZ8e+oTv0$jJbf*(YN9Zmo1+ps4ck@Hw-UG_m>`T)AHx# zeIxdT5#s}OPizUk~xyBH*V3j8`5;Pn2|jNi@9KXYNvW1!aS99|rv zqK1c0BvcTp@R4d?pq~=rX%l_Qm^CO={A|%JG{`;qkh{Wbwl}FwZBKDDEqp#}M`j0H zf0QN5WIZa!r{fgY#>ai`uFZK_jW-wgh!qkCIn6(GU*`9K#Wgl%4vo!B@$oPgdx+B~ z5Zsh>)}%bQC@g$xo|eO*Ly;j%B*Z~Rh_^*e_o?-P!_soA!dS3AzdK4Dx2P_&4b4*d zhviR-&njyc9Lj(9+zA@ z6yr?tIOoYKn`7+NU1ch{#2iNg8H^p?JZzPSNx8*K=NlIsL{A{F^mO)F+r7i`$vL>+ zY}9A*6@f>bdo1*-teOix<1w zMZ~zU51t}YP~=Nyap&q~CBVafbBKiUyBq6Afp*4V)1q2@HhtMr-`9K^8%iGhS4Gp@ zR-aI>y9MU<=Fl{*PU*e6-=d*QowFX%^4RIeZStld+52@PWq3m?ZmcSl}FIe(>ln-A8l`TOKwv<$f77)D>+?9L4_?Q{|2`H zv^3vozgwJfI`49Ef_j_!j71k1+{j70W~lr_@rhTJzp%t@#60-!)jVEuvS*m5T`z&} z(J2jBUJ->;-4vZ271~8Sg)Y6D7w+;+UVic5jt|AR+ZNT=NT2n6;#a15Y?59H8w;?+ zJdrZDsLnL>);PE#IpATL+t2H(7v8;o`+oiG^-p58@Usxu0~loc>y;1wz@XN`&~vZM(3>jkwmPL0o7+Za{-h2?b_$0u@q^CIF?-K&nplN zVB&PRVMVT#&8vAIm=->x(K!$NKBuKk-d3w(=3J1dcz22SyM>fH9`^Ch600MkPthI} zfB?UyfTA;5pE!J!xsJG%lZ5u|E!LT6FB{Jr9a>E#)!~`Mp+6q`c;vG^YcQDjnc7^w zaP@RDZHlW0hWI8wOW6cv6N&R$Wovg-ukL2uQTKtoEsC8>#cn*thVd zV9wPk(nhSVc3!bJc{=dU<;!gs^Xz#hnd0W9N(!u`u8C=T9lmm0Zn)o%q(!%~{=}y( z4gCh$0Vm1EC4WA~SN;+$Zc{%UKjqB&zKq`xU3+Mv2^9%}BGqUY34vI=ej_2a(pLW+ z34w4zh6si&yFGBR?VJHFkOTw5x&-l^wPoe+O+l zegHMrfx8ya^MiO*06b-W5PyLl|7U1|+`DY%ww?`g6ZLn{AZr{R;E4la0|r3|-*ret zu{UhHjlZ^r%l=^7?l$PC8Mwp$msWzhQSc9^3mE;NT@hVuSQQkPkKF z<@QHxD8nwqOSM1!2F3T#Y4U%-0arI5`q?Wu6snpX9zuWDb8sNX7l0%_+fNk^eE$W2 z7+`Nbx4U2?n2z=@C`1PO{E)NZFRo-zv57y~xuG0!`zQI~LE4gmBBuNZA`^0P;{kOq z_ka!ch}%C#4sz0ja?rN1!9m3fsOsw;v7s1nJM5VLa=?M24Pb5f4>)9jggx~es89KO z0?yV#woh*=(0zc4uZR_a2P|4}(2oKLJ3KIr{AtmG!*^o?)b?*N{kDh2pGk-viMoiG zen(SacmSwP0aQL=FtC37(_KMRK&pVhwwt~{xMv{y64g!l5H)&H_=Lg0V)f5AWPLTxZN*WDGI1L$=xwp= zPS8L5*n-uV%-0pixx@L%OxECW#WGwGk|%jTrN|SGdrWxZE^>;_l+u)n)6vncR^h9& zrF>O+a5R#@X#56xguic@OVQV++B1i$>NrGnx_w3*VpNmhVWX${W1U3r1_~-S)Y2q= z&`)zJx)m|jQEXG97QtRQs$(`Plc9D0#Jn%4n;GXWvd(?|hVZJn3>x{OKc$-M;{-J9 zfi)|~MZz2SU7JHjpYF62v#aX6DakKiyz%(V&AZvAIL9&EFUk03sp5~Ae!VLa%j%In zt%EDqMNH87pj+s%KE=x*vT_bH4))xu9@ayur-1o;(A)QwVukR_#kt81b*AhmZ#?yH zVzu|o81t@6xi8yVDQ;Vf>KNG#6`?}?)sa?f-#TIrT?CS?lF^ZJNq;_8Rd z;x-&5yn6Nkrohm^eG>Ak1BWdP8u)b|HH<3f4X~d>&wGl|%-}GzisA5BTr#O`DMLOh z!jY0CldiZx@J5%Ubj3!ZD-oO{nzE24A3u!#ZF2r+^vZLOJ5;C`DI5>0^^c7l`0QJ$ z`Sog_d05C`$I$HXU^=f$9--nFf#4s-qP{LPbLe+j*N5v@utIwaC%JJ%c}a+0xm(n{ z49J~)?^_Q$`ncv@p#pA+rJhew7=Dy9rIlw`^@H< zF&8|NPhn_k&xuJ9Y~)o$kk{9BnA+Dwf{tZ?Wq!t4vn@>V0_E3o4n?|2HBxwRufQF& z-aEx)s)e#4ubfYJw)oF+tjHYhJ*ghV|3We<(p282%q7_2!E}*7CR@}i7~Jm>>h7_ za*a3K(-dg@uauQZ(nSl>-QH`xSQdPpEnbvs#OkX>#{<)vmd)(Oj9kh+laTc-mMur~ zG6Sx#Xw{)*E&K+16KSou(c|ywh*$2VmD1d@HAjD-(DNB9Dq7>EVmmp1l7M{R#WQ0f zk^X5-+%o7{#j#HV`|T|sV=+HfhQY{#+5J`9l5Mr$9}Mp@%R2ic(z(;}s`_V`x>W*2 zN+FFI!O0^r2a;*bF#GMhdz~-mmsQt=U3z%S`4Pp`lK8eKYBDQiay^El|AT^ zp7Q;E0UcN2C1IxvPIPQ8D#cAaHfzr#M+3Fa<;^TKom!D=9Br|tP$A@_cgMSRm|*Ny z)y)x{Dq`HHT4ZS#zG#`SoQS;TGERImv+bge?1ORZl9^cEN!m+(hfGUpCS(l=Pf?g9 zWQC3}*_l!0yubO8O-i(t?egJ#lNR0(dWMll8yKxPP4tVFkZB#&ifL=&LVJxGkI10O6~Eg}4OWS2jNHO-#@9 zo+wU{??2+^B5ZJMbF-=L(1J&&m#D?v#ducc19#6Vkdf9d$}6ZwkK;8hDJytKHvN#A z|0e10aa_}19|Kp)=7f1#bQ!6Y*ZJdxm6-{=k{%jWTxRn&QOVuXXG+k|+-q|?X2CZX zHPE<%G2<)h(R4zRrG$3={ZMyp$%ZPpn4p<|e+;%k^YBOi>ki*%b98Jz)W@$4Pfp4$ zlE~kEJzy@05qMok*{ zFQnfX3}mNleHrOD1`L^ypKNnCpl0OOC!jhW@?z`n>?Cmz*pM5WzuT-MnG!x=i4Jm9 zkV=w0d268xz;kM3WH!(jkr`%Q&3B;3H5 zj31mC0|TUg<}`uV!*0FCKAOC27vO~Il>*NrL@`<(pg)51^FUcs|BMZoCGCp%5tHWr z47cqGju)6F2!Na@^F~99Fr}(?Kbo-gYz%%3nzZv;VVSot$RO~+wHvb?BMx$#;{k*}AmYI1|2*J;>&-6O5cu`~f(>G| zw)VJtNX7%XSpV4cf7tdw)pY;6NbbHPX!gHsdw{FeADSX$X5c(!7X=3_bpFs3RBQ!D zawzCVo*k9kQ2~Z(Z~$>Bs=NOBLhvrt{U713Bec%12q zPfo;@+~PP7d6M%FuALsl?kfJCz2y0Q^~(3}`W2;AHIJ^&&9oe9J7nZjCHS?8XRdD( z&fM@|N-CAT##2kx{G7~2T6^l-*5~iiT0~t>ER@jbo;&fdTl{)?6R%Jl>CCZc?Bv`q zg;R}$l0FQ=>kf+!SKawngc#_F7yX4!%V6Mh>8mu|yu@{T;+R;lx8Qf%UR_15Pox*| z=cYd`;T9APm8lqYwFZ2|sUcm$s>H#rVq1*U=r}r znGX%j`din-s#_L|kgBdBVg=LEkU!YM_!JHZ7d*>TH zml{aQ{4_THess6UJKH=1h3NO;(p1t8v@Ss!Ho7yNPku~pc<0!1#59d?FAg%vGHBU^ zUdXggOPgZs$+=?{!t|1E-EQ8@NYtAx)KNZ&WaG{y(*vA6Zmy~84Ug;-MCF3adxd0MH_OkPt3Xv!m7WX@k^L6JAkDuUl>FE4rdMT=~s!Ms(|n-%h{0)FKAxc z7VAo=FrC(U)sz{h;J&Z0WDRumE~qKR*&?_qJycG}9PUXwfIKgmkmF#Vd{d zDJdQMwOpmx;z&`ZV{p!#S(4HN#gXFA*Vxf<30u!Mym`PWNGTg>K-`-dzdTYSZ%78i zljb2yGFDJc$XvV@AKaOv|9l98C}9b`ek#i1RPot!xwO@I6K*TdFb{?~JaZ$2ot5u; zXWHB{u_nb#$41?DFG1#!6cHY!#T8E2@;*YrCVCzK2d*zEMrujy1V#GQ7&&#NJ{Y@61X5Nt*| z(ku~|m2@hY%ejd!ZK=yq)Dn{|`W%4@+#<(3nMNAN3UfVwaeB=6oL;>VZ^;b(7-RW` zw?rJQMPgLXqbPeue$JTrc0a4wc-~=gwbwMAtj;v`i*}>jC+As%TM@a(D7c*-2QQw~ zskQ2V6)wVPf^*nZPpZzn_)z?V)B}P)k1wg6qIxHIcA4$-D@*BOSKAgNn>DAnq};2`Vipn_Lg$*J)Utfl7=O=dS{hVLq zE>QZuuN}Q(bZGKwm#lJi6rl~bt3(|U+TkC9tfPYD;2e ze)Y#kb3>K6?3t_FKdP0rf46kMXh)%bM=+m>)->sV8@z?aD(zX9`;ndqulnmdRt zJGz)jCUE{rynW`r{$pL@k+=;}BT&rd;H}htmwPE~Q zwtk6=i>9OYtD9dAROIH$9T`Jsk_%qP`}Ek?pY%J<;wHK0*@SSScTpbFu3k6?U5^{a zhxju;xe_t)z-n6b&cTtcW5&1CVi?~S%zh|)^u+6y@t3PZ9t`ODr>^txF_GHFJ%4S) z6dyu!P<71D{TLyY(~Hb7N!Mc`pPiZx(ECe;#@QD3C`$1U*!NOM5a(7)@IS^W!Wis0 zy`KA$`P?Sf`#V4S)KWI7$Lu6jzGi>mVl_-cpWhT*w|90g$1V(Ma4yh`oa>o3q^JHN zBwl(&oA7k7WNG4Bvdf9V`Ne2>avQO-xmHDU&IDfE$!#|^PwDtxxiY79 zFz76E{TJqv*_JHNpC9ul8VGWqE5N-6o5#6moICtc(Ta#fu$`ONU9{p>j@XV0sZf^0 zzoivHLK)N+h~9x|&GyAMiO7R=BZ3?Pw*HF;Ne3criFlBqZ&_qOm%>#6A-?oww0Z!mz|G~K$i0Qz;96it=0T`&t z$}9p5z9FM;7*Os5)^tzMP(Bb5^9DWGfTb%U?E#4m4s343pyaB(^qY|2Zc*RXTt*K# zC^HE-Vlj(|fs8M3>xL?gg19^=hRHAfTiX69??=JA?8pd4)f6%}lK=s?-INU?Gaos7Q8k5B zl8~44?xu*F9J1+N*q$9aupJ7qU-IGpi$V-Ua{j(x{AIfY$}aDb?ddvw9M~@HubMVk z;PPZWDAlxbo5P7i9cDd~oP6_Itm$?0>z7q|BG#tYo<*^;s72cr$C%&{)h~)x%-6Az zj$@LVko_zL^=C1rGG9cX6wHR&kygH(qz(VdzGo+aM9j-n z@o?vZ!-Pa0d0juUv|KBpT9O?$z9)^YH))7)=O|vf8nW=HN@HC4kp5}vmqii|FMBty z+nKJPvCvQCo845k%NidV)1nU`|ocoPoO>q2Ih2JD)VrCPB6?D=M6DQZLT{hST4$M|lzZgmTMFr6$^uf6BbIjs?#odYa8l$Yp6F3ZpgA-Z zC`3qmL*XLfjbP$fs)-M6v zA~fn&IFPP-%6Olg%FU2C>lNyVn40d1%AeP8R0(o%=?6yUJ9AjM=gzu_v5be|w6WzC z=@U?vl9cuJO1gxwu}rDW-fJ70SJop*YQ;Dt*mD8b!-&1lHfuHAQQbA8u}A;Ol~IdL zMWM#nda98Iw-f8FLTUad&dh7g+K`h*HD=HE<3z2k#xA9s?H>`Gv-uLN`)0z()lLyd?><`++;Ub#quTUDS8K#VrX#)k z#S3457-c_zxqn+%@yB6b#8k8>pp%75+K%D2>+(^OB z&L7sqar{mp)7$}`0xj#YGZT;bif4t}$D703ZYO3XV1K&m8KNSI;ZOS}%hfzs-}wPY zQ`wo;TRaKxTQg&x^Y!%e9;yAp1H-UuQXU_=Gxc64Z$jYJyh)WuXW~Pe*08Vh2hMd) zZ#Mg!f5_tHfjdk^rPacFKV*R@W!=dGr{LlX(fSNiFU`}3$VQx0iw$3P38xNus4|+f zKS;%v@DRG-OOmcaroiIQR2Rj?nV;u;TEjjJo|IY4sOUjSc}*kx@<3w8BsQF=6*mT7 zU5q1-!@S~>Fq`e6M8B$sPH^cw`=E(uJym%@jt)T%xu34yluN!ADaeoAGfUxq0^=pK zhFihMrsJs{7;4EP@3<1CV5Li{Ska-LUp)e8TnG&9`~pmOK4Lk zMI~h&aPnR$T#|ZcS}@!8JtXXM{iEX9hFXe7zSE_gE`(h(`F@oR1%C+c`@H4Wai(;@F2P=`L#T^Ua5)K<7XW` z!OB7KY4wD7mJUnzwwb&5goH(e`So@&?><{DWzb<48V4Lb#1t&x}6aH3>B zz~(r4^lM8C{l^b6^hADoTavOcY3GGi%KkHTe&hI*R4<&3rS5^=bkEE}7-g~)>qQ5hr8H^-uM-W+?pCBFa{Jw_ zr#wzR4E4RR(aHTLo>7?3BGH8Wn83j?`dS;4!%ETb}lpTvK z@a<8ma!#?=mMoOca~_n8fBo^twF+?~t3MUm`G>)pL-JELYxKG8`6WqUWy^bes zzkNuBK4GDV79r(A3Gqd*FF&V!E9BQIRf353+u0u@%S~EM^%cPhsI17X@_A)&ZfRe! z3(;3Gqig49hCd!N$@;MBp>b0@;?fuTi0TucVY68E_1y1M=DrE~G{U8&Zzd67ytFhp zWFR9ORr6xZOfRkAy^V2;$+@7x!jZa(Z}WqPWbto3F`6to*7PmVUn))d`+)a+++|Yj z;}?CM*c|oP3vty9?*07!5{Ih?-|r+==yieKqd}=ZaZs^Yi2On1U1sYxx{J+1+%o_T#5w>sHy}V00=2S$XbA?^ zE94fx2WTj12sEZmL#AV3pW24DJ=yk#4228M*4Bxh0fiV<@cIXQ9N^%9mp%|^LIf)u z@P?pN?Z5N+s8plEh}|4b*pMR%1MC}M<6*$~A5tH|K?Np>-_;@z+nqMOb-JT>Vt}3@g+VG?aAASud=NN@pA!Xa(VjXE<#hX1@P($1180CZh!w(ss{tHJ z1_tS(zbzt%5*zx0TX2w$5BZI4LxbW+P&w@X4((Sm^3S>rf(9ybFastKD1Sky2CNA| z5Jm;&3*d(i(gS*6}fCvhhj%Mv`)qjQEV zBIVAZvW;)v7n&l*#G~Hkx8zHMWXj}uqvans-f@g8cOw{6BO)~87g+Zb@>FzY&}a)R z9Q&lwDrM|pHA(}LeszsiMbbQsZpU!%tNrp|SyDZwL@n%ng$L_$nSd~F_p^Mz<;yYr zpDw5^d{6Tfic7euZp}!*%J8P?VdunyzNyJ}3QXxI#mWf!Bp(K{20hO{E?g~F2xX05Z;I4+TzKGo*DE1B=` z4MHQbbh8vvIB{{xbEYR1FT39$4^AWP@Q*Ydctbd0oQfBPsZ+4ZHs0I#)8svalKdo> z){Tm6mzCUX{3Q3QymI_xi7A#;igmW1xzkuaMv=J9)}3WtY0IQA$1|$PdP=Hv@JDD- zrmN`Ou_i+H%Z^N3t}|-*bQkcKqL~OB)Cg`crx)JB7p>Los>$y*m{!y<6fF9(lczxj(+VAeUoI!&t14FR>T>_6AoK=c8-~cWK+lqzz_#!E3UV_m|J- zWfd`}IG?}QF_GfTT4$H$j(f6PH}izxems&u;^qB)!%xkrb65Q(UXB*PH{n@nJ%keR zH%&2E{IG3pVyjOG=smWV^e)!#2w~@9578{fP`XJcbhcr@`QSUo1$%D8*+|n!`@6GK zD|Y0kA~0X9GGBI%any2Nd#0o)L*Nj$|10;BHuZtJqAW7AXMsi}Q55?^eSfq_z{UHq z1zTLD&M~C-67@dpJ+5ZpLXgKP^LnX_;PFTC(p%$22XsD66$~$j#0k7USqAT^cr+7^ z^DNB4(&Gbxc(qXYd$_PpPSxa+cpF~BGT-_ABll>oM&4db`&@%Jzov1kCT;#{P0025 zO1~wWmF7mz*f{!OLWcFL*0&TYTG#FvQERJxU}Jnlcr=wMwcTp|IkBuX42~OA^%g$% z_L{OQYf;pl6GaveKBXqznLe+L%xNt#9{P+Hq3ZcZ6&?JK`|Qnh zdS)`Gu!v8q5ZyAl$F=`yYiG{8IqRoR12P=4j90P}E|caRe@qjbR5AMGGtbk+`u6*6D8~)3Jj>sur*(QT;8Y=_WT-YpkW$hLal*UPMPd61^!KkGy&XfUqx+qI$R;>_ z=)TJoqxSlf_Ufd$7c@trc*osJQ$y!w1)pqu`MBRHuglAB^%8&=K&*mtIv>X@f zC4FD6^ms6zrw9;ekNqn43L_^nV33Qj^YQFweRUr>k3_QDkJ@#H$>JVO>s>o|iHb6y zo{QlM*Vv$@Z}UB0T+JjC9`0!lb2>MZJ0T34K~$>K%G$=H{e8@rYAiqdw9FTKelEZ; zqb#Wlxb(e0|9O`4)JgjsLEgod@k@;hYf^8Cq#HRGnP9mE*l!K946Cbu$qEtJ{d_l>AAoF(N1 z%seWa@~sbd@w^W3HC)VG+ju=R|52X9`oiXYstWkI?uXX&8L2i=J)6XoRnIR+FnlNb zG<+pc_LF2D0c$qlep_0ma}CqkKSFL}&r{uwhz#qJjJcCRrp7O#n>BOqVv7o6rEfRA z?PQIf*rllzw`b!HJS~zanLR`S7vxRje=vK9qvjvX9>O}~zoox|WV3BX4rwO__$B0b zkQ5&>MOGMGkhkbNM1mzm)*&-vg%P=Vi0>djaLY9f{LZ%93HSm@6(Sr_pkGG#n;^bG zirNt7BZ%)nH^P64+7M`W_RybFd>|1JXkY$%F^NKXP!j)v)j*@M4xm}V45qzL*eWik^Oh99$qjGbA`Dw@4fa0`>?_ba#%7*soa}e|Yx?Ns_>m z?k{jiif=E23aF1=EE*aUu)#Y5P*otWb9=%;ItM|(heIk#(0~8_E8vAk%Dj$DvOH1^8)%@irWo`vFYQ{1X9uIz++%`QpF#8?b%a z4ei$#$Dd8NZPo<_=tjt%56QZ~#DV(dcSROau`Xy#a7OMSNNmVGWKY;o?;+5}j;8qr zeDuJR4v7sW4oGiEakr;_gNg4NQp8b%9%!IME67fS@?W>c6b>R95`dWB6E;-K6mj~Y z2OFeFlmLf4L{5nVrWy|V4J=h~J^+QW=7fVTUc-pMgUjr$}(f<8+VUP#mW_oZtQo z9DMsYMS|NtPWOZj)p5GRS?&*LwUt1qpQYfA8A6n}Rs9gg7{?P$lN>FlRv7 z6i{>E=C_-f+u@ynswI?vAcnf>E-G=yKNT1iKx%Cec}4M8e?8by{Z$}&1pzOV|I}Xx zA7xVzw170lyZ`DA-@^YtSxB&x{4&%?X(?oWxmOnQ43L&89{|$QVO7n9l%Y5A$@>%3 zZujONIhmD}Z_F2Js}_3PA5YHn>-@yB0yzd|!fol8Yirhgv+E7qHlhfTShqfJe5R9K25 z{x~ebYZ63G2U|~ZGRcmZk}g%_9n4e3JvW=JUy~6yA?$HwaSq4(nq!Jk+ohWn+1lwB z$SH3M5+5>W;-+3%ovj+KQ#F;YkxQ+)`YoyN1dWmlE~zrRBE^G9CZQ^yC9n1V6qo1& zNexjqUZ~uh;(KE~HE!T_XN+v{Rl%#s&DqbKLY0z9CgC6U$(Qxe7>vfvb@a$N`Q!{T z_e@)?4-ZY0y@TZ*S(|F%XmTA=O zhMqY+e74a1v(1!bMw}I!0&!jI$tO$FErZj1Ntbf6Oxe@BE+5l~DaTnMFf8d!Hz87p zlBc~Qy4d;CeCFY(wAguAZeOi$;+Pj{qWZ^-%JC2vonm@Qil98q^h*26yJN==kbZqH zU@v?mdjE)Rf&o?x>shXJ!3sCR-o*ZepcHv0pBC9HYq75(y)> z7>StlG7p%9x;l_lA6t~%1o0KuDiv!Ty`pL@?#C_F9Kp&dLxw>_!P&DnJtJXm zZN*PbU4m|_2GxFXOt`a}YAiRZ8cbay;D0hxp{1^10hf|S@7;{@39Vet>J#llMw%}- z6aA@DPH@uXzKTo>BX~yb5+cRklBzX#FN<(-0w3;h^^#gnd#CH&_vL(+pBN{)z01G# z%G?a`^LG7GPJi0LoMgV6L-8elp36yZ`Ne~VB0+?GSDi9+--Q;+JKKCTCsxg`I?0o+ zH#SOdB-tf8lW;F8`p_hfY(HJ1se;ZUI(MmsfUC~KIXZ(i@%xsk8yQvj*!@}4_ti7X z=QYX8U5YJ9^z?~QAdu5-GOv)qRP81q)=h16Jazlk$<|=!{SI~xak}AL7OKO~Xk9kn zn7v~8D3xbNWJi@GYd)?jeXLeg)U|V3*6j`FJ>6bUIY+pda#4~J4Ngr|#yTTTS^X-P zWLo~M`~eoxn_(}4jo#f1ySx^GnH*pc#74Zc{#yUt$MN@}uU`tqEYF>5VpDu3eH-72fXuY=rr6RF2eEIzHimNl z{mtxCbKOM!Qe1hlKL>GgTBZ$heHLe8rr=9`m$TEFldg15_S1#q+EiFM>Lb7&%>UcvZQ}}cbOOOi|G22_GRsp*v{~VwW#OI*Nd{2EwD`n zuBeLfhB`5x3zI(Ux@;{`;31K}b}CEY_&54#(awv+iI}m$-wRro7gi{g%=GX%N1LxF ze!0kN11qK~{Goll-{&*6$c3;sI^mk6Z$` zT+MB-aP#9EGhB-xF6;g?At% z?`GYLbY2)f)3G#oN_)KBZv;<9bRTuay&3TsOPyfGB&#Eg@2SttKj$`he{a0W?D^6s z!N&Dl%6MigoKYJ6GbDIoeh=HTTNhhpsMc}@SKd0e*zrDLf0^8BVYJO zhuANFaW2?+4R1?1G?yT4Mx>;-5!v6VoJCaJ-$|ajTHYy|5JEFbX(vFpe!kpEM#h)e z?dwYJK$$3Iufx;h0SYgw9VR4wbSDzo@?bZyC3|Kh?9?AUh?qAz210!>$sR4vf`TV% zdhTm+EY#6e7Y9i#$~D~_BCR%GakO*?T)F<%`o4C0yycxr1LnYMY{#=Kx;D9A4-ij> zlvuy$xKSS}LV#2I6Z;3&)BPy)u`oo&^v(zOKlQO&SEZdSI>JfVw*FEA-tgx-`VE6fn^l(m$$fX&}y4JhavoQpkGF~;~>7+ zX5)c;X1f(K#T+KIEtG{JbIpNL1o=D24@9Pz!w?Cl|KQcP@bB!iKjqcI!yjnHKvglI z!hp;jg%ECl|Nbt6@3x5B>QVGS69P;k9CW$};7{OSxS@nuL4P3g36n_xN8_V zThKMzwxK~1d=QI-q@W-r0xVOopZu3Y0dYX1wbKA^B?{OwXgC2n(0RZL7XF)UR|qb# zEA|CQQgnA3F!dD!GYsO?!Nm)*>iZqr4-V4ZXBFZKgPuM^p7LPAgD44PQoD7^17mKW zJN`|;5alV4xK^PD9P*S$fVv^4Ak-FOh)%S0)p% z9g=mV9$5lp>FhZY(BceCCI;7dOKwY2+`z{S?7TBw(thG&Z}SPO_aq@4EMZjFbya!n ze^$|u$!c)tr#v^gphSQZa5e0zcROxSbvXGM}K^w;iw=F4kU7@TEO~@TczmN zSmF8ESnFpprL0avI8Ww&Ezz;d%GeSTgZ2ieDGmBKim3(e*nd0zMD*-M>ukS4i>$;p zg1Z&ZsN-xhKI--{;ZQ_Oe%)A)j9L28^ok10@m@V9yvaw96ZnnQs^8NjfQ%R40R1sg~;9^Z%uw<8G zc~F$(Htb<=OqO_1_-rlB(Jg%bX^NZkgmis~PH0JYd zro<=lTzIXTmlxxi%7t4TE|G+3z<*+JR@F?h4GK3C45U} z%-g>Gf-~1ALnANrE_{^DZdv-_^o(7_>?)D1N+yhjD@vje_ZX?Mp&jJ{ai(E*!swlP zu3`BPipz`EXL@pq-9O-xH2KTk{*a#*Gtl`xc;KqNVMa>hpf8DgpN)mO80pB9W_`?{ z6VrIhZa=l(FFf+2$K+)jh#rqCiWxW)gr|DzXPcKnHs@3R%N+DM2ie0Evbe%?diyzZ zo9P-~jNvA;Tyi^Cm{l3BYd)kLXk{Mh6iBW*$Z9Y*b%4X2?WyPwyGnvm-7K|e7)1c- z3ywhRB>xA39CWAXsFwA5Zw8K-RbvwpYCkg1S`K-nJ;0@r9Ff@fO5o*4f4*5UKgLO7 zwi;Q7X@eC^DIUqn(8p{cA6`aJ_j+7PEPqO){6#|K8>L&Kz7vhrMQP@v{$w(j%;TSu zT_aDiPJDE5%3qw>f70{Z^>lU_4%ZoT?hcE)B+=x4ub77MVWri^ItLqv7O<~(VGfP5 zhKRG#^E0jx)|_R8+ntjp7gD|LFHHP&)W0fJus*c7eC%M4lK-23_*X3j|S<4N72xi5?~kK`~3z4Jz*THo`E6-K_Iqa}Fnf3*BUpsyCk-P6MIn;$NG z^xl7kUuWH1ATX7>`2wlA+3M_&U^r*H?7=GxPE~JcnApI2;UCicxdkv-=9n3>CBc(C^hQ7=dEiCf~Qv#;tJSVcW~7rc_V*z#tX zko?s-+-_g`{y1~d&Z5C9;wwksY!AABwx5F)1s%BbgRV-`TOcO zF|W^3PYzdKzWHIa&L{raQTW$8E}q>_hwqtu)!0}a%rPj^%gHg$QjVf5nLV)wVXshF{utO?2*@ zr+n~_l8{_kSM11mA1?Q4SB;5Q-}4dlm;B0uh%%=Kc=Jczt5|-DnoZD|z8R7pFkD~z zB1q0LlkS+^@iiyA$>&E4Uu#hJ6sRVWO;3l?xxtRA%H-dltHZqj7i9^Vq0hXYAIDL3 zsDM=YzRXKcqeOyL*$W$XUrOLQvXQ);-Q~{b&Av4^xo1(mi|vy9+ z;0t_LLzyQZF;M0|SUmpHR4CEjc0u*F1XdT<>x`QTK{=R315=^hrU*G3+nawK(H$Ca$=RF76XocnP%e;`_DzTKs_`1(Ysy2UU ziQKCtyZ5mE{7Tx)%S5~AvExNgj6?GR%lS``Ns@Y3`=@?Os6Q6LzCIesUR8TN=$Op< z1di%y-$}PmOq|M_>mygm+1suL%aUje$29c`51m?Ok`hl0G)a#sc%&+X(RziA zrKN$h0r)S(Vn_hOY){xwK6?>s5IsW*g90g_IvNrjR2M=J@Qr%}hvMnG!xr$*dJaiz zBf)Lc+Izx=>hX)%snFAJ+e-oRUx1-G>bz2VJQHE5Oi^%+e-oBr$mAL8Mzc- zfO-UQ|9zFBS_)|NMnTd)ko*}`i2=;)76G&;Y$%rk;)FrZkix)r2Gs{dfC4Nzm3Is?Q5dZuQ=?>g^cVqjNkwMQY1;J|s zw(V8ACuk^F>935>pFsl-RDje2hTYq10SZ1ra(hT(3>W*&S`Y&1ZoB*KS5E2Az`=k8 zusArK{{jb$l|?~BaZlh-bsQSKTZBNgP6BkC5O83Cfogg{&H#>j@c$uCm)~5GfYf|f zw;`@{=vfNeJ1;Pkfvh2r8!vS3i~ryACP1yUU-n%DN4RCU#{647Hf)zc18hfAaKJG@3cH({1cUMSL9rV!P*npdH{^fv&!$4~9jSvTn*zWRK#Bj) zroyltPIdo_5QS1Nw=Vnw%HYuWrAYg)b=m*Sbr%fsFaQ3(q|sna?~xGgI@9M2q|v@T z2E)tEbV&e}F*r@NIej7p&nw{pF`)z33y!R?jg!Jy2N&9n|JGsE}01nfi#AIkeZQZ47lgI??9ooYz_ zc-o|mMz66iXG2!w<0G}jR?_wRUn`{UjC;phUmJSYr2Lu&r`@DCK>bekBfS++o1Hx6 zO6ltI%=+h*&q%ePedYKkx+y4F3I!Ukssa(D1DT&UT!v$3q5{CNomkj!q zh8x}9Op^0ZQ2D{WHCzv^)FP%;Bj(S}8F)Zoc7ND;h3sLm?3qA``wDP!uK|X-R)X(E z>z1v<)C|#4Uc?I8jjMBCXw8q7aWkE?$FO91a_7NDcKq6TyrY^e_BBb92{#!^W(lm7411^MV_Yey$tnwtF(O&4 z4M=gBDY?E5x)S1F6@K4m{9O~9fTDhlpyrjrk(q?!r~58pDKFK^!c=i=-BLv{UhjK8 zrRhy+@BXwwEeIpBJwVBAQl}FB4u^l1%K}-_gFm7;XVB(B~#ZdP5OQ+}E!tYWQr-7uO;=yvV{G?#pvwR$Nt5yLiFr?P+6yc7v9svBlYt4+isXn=&6^ z*iHoBNiFU(>DM&p+P$VMV}ASiknOuz*^MYc>~B%~X0T#X&p!RYkH2V?lb`SMIp1tk z)KJ5>DBPLcWA#rT3Er7HTv)d~&QOXcTn^`)$AMY|8Y=@O7zPc5HZ zo~~Zhyr1H~qTkRk6W*+6Hm%(j{?zo@~y?V_hD08 zZTmX!n3>n=CoSsQP43va+c-4U@lBemUd8n0S;KQ4cuND%JETGqbMkX3#+$jX#$QcE zs7>On`MAvLGb^>}FDsmH zWK?MG#JYR=af^_%ebY-tf5E7yvzGFjEgbZxF^TH>5@t})HS5~* zfdD87lE8_HA8%HRBZa=@dtlvI&9#WZ-Y#)n^0pPFdB3*g zFB*3X_Dw2z(o>7(CiVT0)Gxm#;4Y?t<47d+u;TUft(#QDNhDijp+hGwJBzzhcyr2=B{JljO|FX+ z?Sz&?YNXeMV+7gq+ea=Y$^)J~U))ZtvI@BAh|I+c#OCt1MXt1bnQ^cQUYdVLgnztC z5nGX*-DeT|a*f6zRjokl6-oH`;IudNVrCO?1mTEvlG5CWGcH{IAIvGGcwDqKA0@3_V=b;4#-w%Zn0*Qw)emHpa& zA}eE;tdZ=p>Bs%yUTWZ!?>i}y`lPv-ioLOU^OJw{K{L9a=fso; zuwPzryT|MB^Ha5C{5pN0KOHY^z(Ll`w;3F?Wk-{~fA4l2k^9heXo{>4#3eArr3B(sj`8CqA1gJESzl@Y$BfU#th$`OyH9u>)gnEB|LZwO-rkV%ik21M^5Ng8w< zREBM3M~KfHj87@BxMh+Ebv?fspyJ=EtUQX3aa7+Lih>-ys zo`3H*U<#G$dE}Xz=j>1TtFAS zos_aCY$%UY#H|HA;E+ivNN~ucls$q&ahxJt;LrmO8NEY-+ddZdgbmf+i%v_W?WC0L z`L>;tA`CVVG2!3rZYYtV@xX#OV<*YgT;uYr}nJtlpO5@()-quMS```iOf;Nv+O%hmc|I zcWlNl=&E^u-M$=6FMhSp*%7ub&T7lG7~H6`pRC|KJoD~R=^@)&;zTXt>dQ4!EFac5 zZrNfxWT%l0cyKG52ZkJ-3Q&&@eMY`YEFZ)oxhlLidr?wqbvo2v+C%Q^PyWScVxiqC zV&@i22}i5<2|8n4am*b$LuNErXC+)BxjIT9=IS&U!H>f><8dag&zNt_%A=$|Gn#_2 zN~x4U-OP{ZwP|v!+QR{9ex|P-9PMfpcg}M+T&pxR7x*Xt@BSV{s__ft9N;urC{5$ORh z>yHH-Tb7+SkLJs`@gB45x#8m}k5|Vc&R(asZz=b@eVpEZV3U9Ct0TpDM2fbp;{II5 zuXty~HACK{gjO9GD5Ul4CAf~;HbdXGFin7QpJd~iYW`%7F*Dz5qGl$+=Ys0?#1=$9 zbTf|R`5%pUBSDeC9A{*%Rs-{qOO_}K&==Eeqo!yET79;d;7+@!5)x$(C4#X-NA zvBT?%B>wpoqah0E>e22TW2}^4LKQAd3euHI(zQzU6CXMFgWP+#fKJ)g&qrp>RaW9? zlE!B8^7jB!n&@VyR3W$8fm#KYd!ePz_XQ_VCX^j}<{m$(VotM>LBk{)e?yv>iJbiI zxe=cnKB63f*12G=4DO4jt%t=#u?{lT#ViW>1XlJ~etMedKw@(JC~I8`?#Jh_CpS(k zzYau0)9lQ^#1W^`)zLGif zV0GGVeY|G@PvJePXWj1=UClO*{_F}quRKFov_r7(=Y#n}CjV!O` zNKE|1Ki7!)JD&G`A$7%FHZ^5kw#z&I`JfUkU8PWqs;%roedc!z$5wxCS=~b88t2Bq zwxvbd!|yet?k*-g#d{X4+OjTxlwXNr?2CexO+mTWqm!P;4CA?+$B2(SBUNX*ec@0t zEk1?gJO`nEV%(I#XM?t5Q41^9Vn5HxI!jBO#;WJ|?VKDfi;Z4erPWlMzn}#UE zgmeaSqvQAUl=q1f_9`4ul*t_7pP2Nx_qt#Cnwuca+lOU0vzZPk>l=GC3G%fFzO`Us z5)xH>kcWMyVt=A}t#o~9kLJpU>pF&MfwAE~;kzQdbmQQuwsV$bG_hnASM$6?Hb%X?L?vvA1?1l6`roe9=K07v_kAs+EV=D2 zM{Ijd-}5OpYw=mScBhq3H}lkA@X6Y#jCbBJ9@guA9;_cQlKVuJZFJ#sxk;~2Wzsq( zn+}`Z{0$ZH;79v-%pKH~sN5TzE}l&8=+4R)XTD7&l5+PwhRz4;xNFl26&;0l^B+e~ zU8*u&(&w)?%D(p`DK?n>+zksEIzMXaETY4F-R7{*$IiIZahz4jPYczuHPg*N|?_4g0_ zUr{`bS$$0N@g93_crlYgN03l8Pl%Z;>(2$Zay(9Xt%+N5r;o{e^3OEv691^HF^1vWJ6(SRP z2j4Yt@TviUKA!dXb&rP7ntoH|zJ09tUS}=3=7z`aj^fei7E;0U6;8G4W9^H(g~RvS zskWDq_4dH~sC@0i+6_7W7oOBMItobXhEpiS_6&e7i<$K(=uIi>5{Lfv*@A;K#O*+PVQn@XB+g_Y`n`5^> zz&^9GogKeAlDO{vO=H>SDx;J*%a;T^-=BELu6(-gWO{7<4%aEy&&%vyN)}PlA;zWU zm|dhEf$>xo$p$i&9hb9P<8eqlDPbVLAlK}!#=+MbrSbIVON5_T6?|rxHaOw=hRHXV z_fl7`QH=vR&*D3W^F*5Q{8ZNuO0S1}Cf%fPRY}4c_e2v_*_Fv{y2k z>x_$qJLJo@vcou6!+uX#d^ zgX~na%JK5+r*8F|m_I!8E&aen1z#f(d)K(PuRTl#2Yub2WJb|EljOvg-B-Vk-(@qA zQCN18`E&Rh%UDU{guGQ}n2y{u0}eI^{_>3V_$d zq&_!!yS;ZW8({-=QD5$J$+Y+)%@feYtrLb*5v3-+NyL*kpG|eEta1Wwr8N#u2Np|{ zHV+H6(u_jCCtA+5a0ZmA<+aufg^CQm(>VD&A?4fmyUod?qP@o>eHL!487_|1U}t~2 zrqOA6*|Etr4k>HvMHW5-lh0ya~=QBD^cON+3GVTuPfFxp3-rA$zOK8 zB#>30f5oM4+9igwG^4CkP07H|EI0KQdrbKUY}d`w@X0(a^5s4@hSl=E$C2+P6SC@J z!$zCdzpmH)=v)6Zv++Zol9=?R&qIS|`-0D2=S&_?ZJJ)>Rl4VuXa8YE>yk)ma#hmZ z*P0Ppxr{weTsKVhl0MbMbPAKkeAK}$UAMY1>`GmcXyTV>(#Bb>$;p)a^vcmkskY*@ zvs@mB7rR}pmUD3rjm3uaO|~kDp*wpl-{8jcrYSYyum2mq}?b5-d`6+)%h(WQ{{G-y5;cwoY$L}s~Aj}D7brw zuKoMsx5YsGle^!#9PZ@q;ad(O|Bbsx*xfc z!6RjhyO%(c_!8T+J}|!A`VkyyodOr!{v1%i8~LN{&w(R68o(z*b{>ci1WDw`FOVOI z^iY9sd#LP`hVSt0`!o6mvS9^(UQ`&Ap9b%AC^Rg2S;Lq95O_KIB9R#Q0eIb2lUUS`dE3 zq(=kM41}WXcXrq)6YqEUi2fP0?Uf(`to6kq%VbbP3o*dJC__wG!%iP;Lu^8^De$0{#m^%#bbC zzt1;7hW(Q^-#Qf018sY{0n;yj39v6AryDRp13vrz_vyBEOrr-HvQ{84o&lOtAWMY; zBfznDPuNgRx2>xKdcc7g761jJG)QnDZ9@=bBkd8Kgy`-;{gt`9EZFrcy*1=|@E9)tsd40t$*3I6UHE{0-p?re^b07W;=&wx7)p$+z(nb=SFXL)M%C$2pr^%{c7AUk)P*2Yc_v* z!A9D{lQPI8=zi3-A&)toCUVOF&Ui&WqKYrAh$L#A4SzYSoVrO zG0J*6!)>_mZTnz$gUvpz#I#Ng;gdf@hewE|9McZ)wB4y>33XK5$Q^aRDmMD!95$A+ zS)@l`?N1VreK6(h_=DOTcJRuC*?z^hwdG2ug|&>UKO4cr@TE z&ItL&}2RTP{pmEYx)mH*i00^K@~ouO*0mHd5x%z&WAvDyGLl zwn9RNu6n~m)YIE-F|Sbnm2|E64e=v!2j%_685wimRy2NO*M~_7UR{`CKDXv$sLXgR z=5keYtlPcP>td|QEXsuIY})%fuDqIWpRkJQu}WohOH>Ogm%Y-a@ulX<3S9_eqA3*KPmsnC&&s;^I6v2ttRoc54R zuxjp_Yc$c!4(K&$^9}s6&}bDUBjt=e&j0n8M`*v!d?e9|^6dc6_jA6Ny!aEQvIMkh z$7A-}&@Ku4*|ELud}2h1c}V~8H1T+Eu+8TC;+dd8>idO1F5fwjDP2vS@_fniW*R$N zZF7Pf<@bx6uA%`%BlmftX(FHZmczSrl*hf5F^3#$WQwD`OQ__rtOJ6l32qJftb8gi zZ4TANsN!;#p}j3-`6Yj_B94tT<8ng!IlJg2)n#Quxuka#uHj! z1uEUQ)2Vc#4)4yyJeF_oS3Fh9^rmdp?4DuY^qpyAc{2CpVv zKEsxLcifN5Ua#)qbH}=z(iTHl4ttcUvNP`!yMsj0`}NQ8I%ch45)7RP(-^mpVKoSo zkUVH5PN|)osANN=Y?$~wy3#OpR|=+In4NZLOuW4;|pnTANq(3SXea~CNvm)pXyG&;x$`vwvcPa zxsW?Kz%~3i3CkPRf!`rm$Mhw-D%D-x6kl58JDDl%@?YVGn6`~+lk+MTtzEbL4hZ&7(Js$ z$3V;&J~H_7Cc9lg$pLCSa*mAK9eR0P1;%_IF{tE~j$4$%fgQ74_{BjtDWX6dd>)o7 z?hl$>j7OgG8)Xe#%2Ug2kvuN1mDQK#97K5?%dxpJ+W5TUx3fcC%t@_>Hb)l|E%NMh zyuB}-u?yj`=8I1cVSM1n?{waHdIX=(zq!8Mkpw$4TT8nAv4%oLs_4i;B|}-wr1*xV zPYxmhZX=k}WA+@Tx)N4tZ>wAbhHVUG>zj_een3w`>Z>hn7yZVHJN||EC8GOPl30zV z9|?PG$S*QbZdXtdQuwZ>Y_V|W_%7IDobpPYL4{_Q6nY|3i7xWxF4 zI1@{}_AkPn8{I0L46Bbs7d+3|Dx4Ch(%Lw`)YO!Y*Xk!~wsPzwe(!6Yg*kbfJ|+%s zBGvEv1-Y5NS1e7ZzH4r$TT5Uo9nx z4+sAS0|icEye^gGE4m2>joNt4gHO)WUw>-0i6LJ}-++oKMxkNe#T0KHbwmQX7A_91 z&gK>_;Qj>eDu7-6PfRf!VbBRtv_P)7MbUy%BwJr>IcS3)A@mo}?;zbo;7B(SIMPi7 z;w!gXA*o)Zn+P1~CIUygi2!Br_AevdL?FwFt>%ctYUpomyNT?egSXJ4_o@f7h5-$X zydH~zJD-^N?{DtApZbMh{^q{>QGpmy^gt5=9)+TS z@Dl~z5@Mi+6)0Q-m=eIE1M%(euE;>4v+He*m}BUH2Gv`G>iZ#~0o!kWVc^NJH*6^0 z{X1kwfA;Q2@|qAQ0VWEP%z<1L#f1L@nS(~h9OScK1R|Dz-8z!Y*%LODWDXiFb3lDY z@b&^6H4+@;>jOk+djyASP|--{fCPGIVIsi+1^^_ggHXv{MpXz{1n*uA=u3D&Dm0Pc zwiTLt!iI{?L8G4!l5_?Cg@I!OndT1z``hmnnkZD%a5OsRAURjS(m_61$YlxwUi^Z; z<4jOc{97j;P0?QJpq8?xnLF`K$NFMiu4dpULqhk)VOobsH6A2D1Qz%<( zkKj-&Q^XAcJv|4^K==W5_!qeCm9R%_C{`&NO>?#<9H<}xNV>n>oI%tVvgG)8{t)Ga zL*MT9S3S;cY{+_?d%}i#!l7?>gYp^#!NNy&9PpLn7lI0!?xo{|gi%enUkSHAJM6dj zHxN@22bWkOKpz5L6Y_W#6Zs8|4p{A7XTpvQJp{3~otXJskvANXriolcyPJZm66A%A z!ifaFBfAY{OORj!)rH?p1R^p)|Lu>80Ana9cM(O?UG(FQe=6j<0ybt47v9};hlvR) zz@VfoNTx#tc!w<`%BE1=Z4^Z%;X4eRQMD8XS5R;Oqr&?u=ZUH*kf?wpKol(zk3D4n z?u9M=Uz{jlOMj(Ke<4+6Wr+l|ogK_iT3lv6%PgR+sLU*&XW?;qr)?vAN1a$CTPhA7 zaC>A+Aw_$q@_xVe+>Qr>S#g!;`Z=5J&K$g^Fi9+U)7*h_U(t-3v%>1M_X=y%t)A@Pt)GF}xX0*igm+YFR0de|6O^OhSvNqhMJ(e~B>RW0rNHyuig64D?g z(p}P$Qi4cGr=&DWNK1!=beA;JAs`@)NH+*bcS!TDjqY=fU-$FK?>W4GxrIG@-^^Mw zYv!8k{@fN$MQsaqyrd4h&x{lxK3Xjh~KnKJy2f7dD%+mG5kB8%Q$}@ex_`I$^19r#x+jo=M#_ zuSR2t>eH#Syzv!tJIMInvwLYOJS^Bg=arESjoRcY2a8+_YTsr|g}780%5qEeD{1fZ zRMeId@kNc1r;Djp*N#|8&41!^qHj{R?+WS9SvteKPC$A8R)v6A_T+MjlKhKI=RCxU z=6&yLK`1j_t&B(~fHU`2GCner+wc(lyLxkRC7(}si4PBXYfiDc*7FcJZCM(s=x_LA zxQ{EkhSHw*xa8ls!5n~%DYM~qPk}{21bf4vCNZ@Hok*}Gl~1!}BP>$ElSj*Hngj{S zGbU0^P~b~1?*ZISnc-W;kC+)Fp457{&u-CWc91GVXRZoAeQCmxU)JV4NDxX-Ntt~7 z?j$!Zl0!|mdK#ZBY}zXI$hXR?@384n3}KNL?c1n#eCNWIlbuuRyCX;|)7#A3M^iJh0IlyO(~iz&i29 zG#mcG7qcAMBz{LBf5S=2>2GDvuj}0)eI<-=`=qY;`?sDmdCxZ1iR6u)FRBl^c?_+m zv0$MYM*G&S0jfpn4J%ky$?Dk%G-$F=axbg82)kM*^fId8tY2!hp`>)` zt7_4cyTmjqtly&xCzuPa;;)GrwGzhtVA!R`DP~j{iE_(j-`32qG!Q@gfyqa&*#o|a zRWloC@^t3%{BcxtwvRS=@0g+%VscjYjvp7qY)T}Bf21uGMogQ27+gTB_FSBhoCdQ& zn957xbK;DO1e-6xh^K!fE<=>ve)=d~cmr0(Bo3YaI;I^JAH1wK1=oGt$&O6f^_H6p z};sgP6?%+s>2m~>3IaMKj>RZe@Bjo`@D|EU?!}+w$eRI zvM{(M>u%z{-b*hyGi`I)^18$uCTE+4qMx(bl7>kMKN3c&!@aRJ<9GLnlT_tXM^xb5 zB-S3=ae|dpvuICQe%oBzW4hYwH2Gm(^cuRMuY5_z+^Go~!6d#nR-c=a2vH%q*;>eh zo6QY9(kRb2u;g5uqMdjuwuD-oVU+0D*Mq{W2=93hu9YlKdU#AXB*F}p^1;_t7EIh_ zO%Tr|qMyim6oTz!TYBRuf1dZX>a2IdA_SN=$Mm^OF2R1fNhz$=y62SYZpf;l934LG zl{2V}*wYv!&mCYpzmG#5ACD8^H4yYe5x;IlDtKIadhez$!q&s=VLJbQ$hig|t z`s}(()E;4GOyJ$sYf_)}ku_H^rP}-aA^zZqRfVS#3X;bu67oBNhDCmsiN_7x(3vCh z*CHhxSJ#`@Ckrud$gO?pLH#R{8XKl1pd!X{3fg|Kwb3F)q&mvCV&8&H1K=CE@ChW1cb2t@yTEU20*q5BIk(@KV?d zNPD;|L_LDkSvKHL1;@q=U_-co4982w25}E}g|J89#NlGo3l0uQLkFBGmktiX9_|-@ z;=jA7KlgBKK$bdSg#_>6*nki@|5RoP(kAW-*%Ci*H(*o%+snU;JOc6oU|RXZ!3Ct- z?Fz{fV99_DaFB5T2UTFn;8L+cyxp!4EddlNqUQiSx8UFa^eH_ju!Fl~a1d@cK!y9; zX!GxGH^4Xw7UP>I6Oz#som*f@1^G;Q>49 z215U{14nrm1vCE#(h7(sd{sjgEZKriV}Vr%_>2Ikl>s^!{ePEiFV-?wGZw(r2tWgt z160Nn=r&L_f=k5)asK@UpYZRdIG~Eeg=7m3js=)aK$7hxgM%>tUaa}9rssZ?MgW5O z*>fO^BnL3RUotod^Y6tv^lF0p>#_omcuqh#1-ZqUK$jQzm*Y?VXGqiUFWiuSc~ybw z7w}A6c(OsU0bZ1gL-$L?25Ex3Sgl`ezcKwBs?1!#Yz#VZ1eJT{{KHU%IQs%67yh0` zE>zo#z1L+7y}u+f{@(OI09ROl$ufl43|KKR0+!$3CGlU903kI6WqdILy8{SK{|VxT z*c8Ya1J$^N(DXN9`|?*3xs(gkMVOlLhIz!|4P9YZpyymkW)r0QOWq;loshdYVoY= zhfD?%fjp7dii(aY#-A$_cjEhy7|d@uY;CUwca&&qGFFPq(`Kuy=i{)>AX%6BI=VZw z-->Gf>bz?rA(FOR`bEkwHA5rcC{9GSd@QH4B;VAe+$z8Gg?)}m*=ELsQ{~<3rRtaj zd{(z{aulAt8%GrsA*niXI2;<;=_omm$HchC&`Oq3pO}jK$^WJG{u%jG?85UQ81hI; z{};!D1`YZ!Lnd46tM?6u?|Odnv*K3>_zai+TD=L5yi+H07*Wzof9l+P%jFJZ5MwKq z<*s?uLXMfMy}gY6yIp5vFQ2i9>KauAi`&m|hUHZ`M(^!p$mMAlsvsMW6o>~Xh!Gxl zjD0zw#O!r?yf7K^I$#~8E0@+k*ZThXo)<0;&AfORHeA`GvM1}4ZbP4p}`#vN(*WY_if3TAWj>k30YKka-EW5P>)}o3g5!XB$GExPq*K zAH;kEkp>(qyK*qHv5WLbA_hqJGWJJo%QY(HNmZHr+BV5l^EpF%6IU=qU$?g2rRo^^ zR3H06^MlLRah((0RPP%>oS7KxaOw4CVxtIedwcFV-5ZbJ_pe$S|Jt2ybqKASb4|`m z@F|h}9kJ-oig66DS2ds6_+pD$g(Xb81blI>h~STMimm_BoGU|{r&MjWoRVvCGMLwX zzqC5Add2nSBdces?G!p;(kxiH+OEA-othgtS|ryz;g2QHB;GV_sVB;0+`reboMZpw z#iK@#Flu-)_Yg;kxd)OdcVFpHge5m%H5CS@a>!)5TsKV7@_3vm6sN_`%=D3W^vxRO z%C_1$-MfjDww-u8i#N~8^(PE&Swzvm>kvHX8NdC#1)~KjQlx}UzcqiTYRi=Q9K+;U z^%vTACuj2=Qs3u}8Z_de>i06tZItcJzYiRiOr7rJn8l6NK7ZGrQQC)Ll7t!ddQo#) zs`}tNkM(@7>%F6=UcsTJLV;#+FtKT@xRs3i=wD6H(?h z!B6nEd1E|kB2R4~u)2(8om>;DA=kS4iIU*M>&RaQp2qK&jVP5Jz2eY7#eBF>lda}v zFu_vHs`tK(pXP4tlW(uBiFqqOm^qQZ75b zZ|bu?(N%6&Lpce3uMaEJUFO|{xAfPyTRKK!D|X`~Ej&`_#=U!ua?1$%*P#%dw<|j+ z81H>vaV|!?V?cc$u^?)%syDU{9siE)ME^TQEVZ=H@S$`4O)b6x2|6NoSO_uSFrs#K zG<*}ys%06c5ayJL=i^^`W>q?Ht+BGgy`_2I{>TKjl!0ZxuBbNFVo14e<8Eho%nV}UK9327q&cy&&A?mq@eg{OIX7OmEswCSjkCf>m zLW)Z4bYhoGZ{RadM(sT)c=q|3LXrr|_Obk|tz#YwEbFBDEXG^^k9gvwHLOGnV$vVY zU)8nXiYg2p9+u=%U8HyCEow(k zQp}x1sD>n*WU>)Mk3&q{GwUp!&v2dwsWA_Y@P!SHE5_e^7Fo7HCxRS&F3C z_Bdv$d`%+Ywf$Lv5Bm4-i?AYVG#-X+&1d2i0cVy+=5o4F`_{&@;^hH8> z8^w5AEv%YYj` zoO(FIR^7eRCl!W56rISjRhh8R-ldz*|CT#;?;T^6029VshdlBO#aHc$@_CF_jTb0v z6$(nHOK>QXnttw;>u^U<-OcaexACW*h~_B9IEZ0-tHecb67yu8x}4xYbXcG^Sa|!D zb|@!WU>IJy_H=a?$4+Yt@xu*~7q(lUmPeX*c2Z~ii=dZ!eJNbw$czilv}ax;vo6mq zM5l`_yrCk&bncXHK9$xFQg|4F!95E1X_kED9fLnIuBiSAc@v5dnwEqm@2qc0vi-z2 zG#kH&4JKU=*1lUMnJx$Lx;EQq(QN}wPj7p6Y6{`EV!PSbJ`3VL~4{cZ0Ff*14 zX=X{<(xP8?4h`0y+zO30P4_kdGe*dPM>H%p9M)4337`7-IIXUb(KmM8L1i@b-|{{u zM@JDXPmP;f*eR8|Q@&IjJY6;B7h3A%DSm<;@6U5MBzhj%Cab%hYvRFgw;F`ZgM6IL zhvl1pNYm~m!%|-MVJ9%S{+n*N#mm7G2JuoDWd8!nZuMbFm zpK1H^QE%?}>T<#d;7V5CZO^$1nOIY#A^CuggEM3P&iZnO(@lvj&4Mea%!wVdp zC_NU}V%}@0HQ+POkN;4%K9Q%K$5YM}YrB~yMpi})`>;U`;l|WKXDExkXJOQBPq^}m zDwt|rtBE0+!hnD_Y~o`h0)D|x+j3$$!z!OTkM#&5=lR9^hX+x|uj{L|T1JN67#BEh z@_CHa%{F~7hr6%fh9~_^bq}7*2-zz^HF|f7Wb(`ywMC{+#s^!ruTtwAF;Oh+BZLDK zKxF&Jn(fDa=>Hy|{8-ohdVs?A16}fG-#zG9064+8#&7|Xum(I8%&ZsC1O?Cw@aYDa zwE`$tpmziC12Ag^sF4T$$~Q0bwc?*R!y7jORgIc#9o3Mi2s^s8ST^j8RL0MQvh zY2|D{fpn$R@woHG+c!aJ}?gz@2`%;2?+~KgQJ61ov0Z{kW*$#CcG?NX9=DRD&R-0-3$Q zxV@Ule%@`&z)>5J(*4)%#tew$?0>>(L%7|3OgmQ-+TZYHMnKg964d{KFJB@y$hX@S zYU2Qk2_$EMyy>9efYM~ZDFYWUCtoVK-{H$_7bvW&={Z(F9p?g`S>WJ+Q*b~B1n||D z2@c{7cXi%ZP)q?DRBusknI;L-0w|+b4j3f03!Kq6^@!tbx1}0A6Oz<~d zj|KSq|IiX}rvo#|?@fO!&cHX$WhBA>y*d!0(b1Tb{o4R zjBrm&F3zZpmxxGcM6d)kl@4r`2OR~{a7=#iHyh?ieT^`@u)LVAQ|?UnO;3buzM@@M zVoGxevG69xZ)=!$s+BgBc>C?GS%pH?6h~?2(C0qZ+K~)vHUdoEgAw+C0fjra_3tB* z5%kVPwOQZ{h5Hxaz|A#47p?eEH_9`rX}mmg_uzVeeoL!K2aosd(|07;SP31|>tDZL zAD@)M-QO2tY@{oGafsx<0?(A9vW%CCaptW62QOXJ$LRullP zl5leW`siA?Vs#Oau{4C|)n0tr^f6BCiV%0+^S;`wHU zMmEYDK_RT$X3A$0g@5SpKP1b-!G%brrQC)p@I=kmH{EWQ z*`s-zZe*zfHh7=S-14`k9nCh8hUs6lb`rnnDt8N1?zJyYx%k|KY1V$3`%!08I(d&e zdN7qlIq$S(i>L;hP9&_9u|Z(|WzIGKw`k}OZYp$dSHd z`!GZPw+&|w^bFUlp!~>3o{U$aP>`%J-z%!__7=oY4&+@mgsS1qITk|jCr|bD37vXRU|DUs+l%>?o- zg7##%nC?1-`A_Dk3dXU$YLv&-@rry%i5;9_3l-$PY@>etzBO4Ar71=MqYg`e2c1pQ z+5DB8CQM0lf?&2Gll53fu(YKKK8g3+CdW=S76bT;*>9qTqA+0a~jjJA~R zAc@N3C0pKWFTC7pQ8zM@H~30hyTMnuDm10~L{D2mn+_3u%=B9{^UFMc^@4ZoM9-jm z8Y{X8q*b*j?>U&lV)i^E8`*mGP=whMS~3_BYgk0ZM=z`^Z`_NvT=ZMnn~E-q4t+Fz zx9866`bF`A9EsSTq9O9Lu=SrK+*4XkZL{teM;ZhxPm#`h!`plozY)Mk^xB&oq0WZ= zJQy#Gb#(sRpgFbT{$SxY*}AJ|qd3c6N89<9Ue+g1F>E8~o2*b8`D{{$d z9lCtRcX$c_|E+R|&CJ54Ts&pX@rF@@?z-Slk zrJV|*MnU4#>?boN_{4C>lr-uXY0Ou_O@n}I)oOg?fhQR@yNOiEshgA_3SL687GdLy z!}POWDk60G{@iN;({64Ak2+jE-Mmy8!WY8l;K(T9_6CnND3Pywe>J6S+pQF&LkSPi zJpW)+acIpTWj8m4xC>>Q_Xe5u?C%*QX!9Igxy!`$9gdcPGNo zG0PKL^=ZxH9v9y<@ut(Z&CS*}I>J;Lnqckj86FDAdlVLmt>oR}{dQXWHLNg}OLQyie~ zC}cg>=EU#3WwP%RB(sKmggDGdEZ~grsN-eq&0VQvWykE*EHTDYsXNgw91p8(tmo06 z%DSf!#HWxi%BsxDrpgsJ$lRPwVi7YY|K`%GfHNJ?gd{bn^bqyMSm50R8^WU5+^&)D zPrC7&=aNcXzKcO`k{Ns=8hLU0Ml_SCzx=R5QN)&TGmWoxeoc>GmQ4s|Sj}jFNLgD? z{*J8@?_9HFm+KPC^FWqb>|*p2ssU2Lx9%2EZ6>uZqNp=^f3Uw9g3Ns@)3inwuS z4_@|>ZcUI0Whybo0E|_8PYv~42v_Rn0}X7fEVh`r=iR8J!f7-NcPn~LSd2x)Zkb2F zaS6ur5+RY+TWHyaFD&7)9_Bw9?g@US(2_eSax-y2gK7IU!Hw2VzPjgnLO5*9)#9FU zb>h1r+y|t#RQo=(c`+G>HH8a?o3L5fBc?0ERPSxMdDA;c@#xlkkS!g|%|=qP1H1NV|>hvZiz?&l@!#tw$NlwlQQ!rhTYNGL}$S!kzS&n=ALTSNb z8m4jRUdOw4Ta2DH+XZ7Q*=H5CMN>p$7-aIpaTJI0gelb6pQa{wPL`yhcV!ddi4KW< zYod<6aZZFHyW4j8>Ixwi;2=K|SQkrt_6eTskXth^D#s@3$jgbbt<2kc7hvSOs`x_aB7A9~_HcfE}O>5unWdPr@PF1tAV3 z_+1dUE?$7uK>!E#Lkk3$xIbTj)j_~K_46k`@f>Vm%m*77^8wU}`uQF(?*m8{2mb{8 zfneST8?ZV4@qrhK;h->pZ8GR5zsQY0qW!gp{v}bD1Ee#8h#fy!otGkZu(SP^Sox#> zt|qjfL|u@RnG3KF{v_&xT-IEif7tUvBI>dMDUN?{d;XoO_fr942a=$HdjJg7Wd}A~ zOzeLWX(1qz0W$AZhsMSQN9po+fACjNhF7EoPxu75)7#raK0`xlo@c>9I z92}ra2_U&I5gSBt3aArzRhJY*I0b6X{S_R`MF#@GUM4t5`p?DWa5WtVWOe|h)PRoq z*>OLU?JpG?7YpbA&3{pa zVZ-!?M;64`{^{NOcTX%97LcR=uh2lL5sZN8?^2;bRB12PELU^CfsS-Qj{|^yzy;`q zATJ|`HO&kV^*R55abg0_b$^>eE>=-j78(aoB!C&P@dGs*fWracsS0}H11uY$nDBoW z-XRr{0FjojZ0ZHLFd!Z@&4MI9 zz`?O{vR&xdmksVWj1wE{Z+iDns@)%v9iU{rzdQXx+yA90fb0Mc-8q1?rQfu2wqNoF zAvOiFDFDwrgqHtYZbE7afHQ#88wdhD+b=W08B?bCla;5$PSpX}xOA7S!s%_85I5BEh?mE0tzzm3hd-iZ7uAPEqp0m46 zBHIYF_(`(F+mzLzh;xS8ans%Dk1ZX2q(h}j?wAIz z_KqG~ks7qjIw)tQd-0Y=g(H8Q&H8+%+%59N)Ix`iA)w=X#~0_~sGdvaj&;J#{jFvmdq3liM^DOpIIUkz zbeDDX+p@e=-47FeQR0$(9K@Ymo9M$hVD#zGVQRg)NzxHA?Um1A~~ zGFM;STI0f=ewX!P^dZKhv1~(6NeZoQjjIG-jSVKcfjZOc7 z{{8KhX1Cj(WDUdoy|;!%Uu2h9W)vTq;@#ArLY-J22qA{^5%=ZZZT5uMEtN+6f~V4k zE^#-$Z8K$6qhWTR+RYQ%1sT)*C7OmO)N`AOPjrk#iBuy!uLUi(wHa~T;*hh4M*7*$ z!_=|mt)`a8^t6e?WHFIp1+bGsxa=%YI7T>)_@IjS^?QzPFQyh3)4&CLSk9V4hw6=m z`zki!Es=A+Rh9I5A)Fm$(wejKEKk9ZO*5*S&a%?<%Z$~#jaT!prj=H!goln%QFt=_ z&}*7skQVv2t7(v?*jQE&$%$d2HLg?Nr@kq?m*VgOvwdP8t50+K*Y>p)f?L(doT>cR z^n%^@zWRsJwb8G^HM|+Ued8mmouU!hpcz!asLav;R(k-mpUCys`!z0_*;G*n^q(5F z!t6{=Qsi=a)>WlUF)Z&F^225;^u!~_ZOLUP$A$Q^6C7>63>AZ#fbQUOr=1uOWwze` z!dv~wTuD!|nbuC#+)!rpMw((yk&p)sxj5RpFHd+Me-M4!IOZjP{&3`j>-Pqlqi}l$ z&5{^Kvs+GhWK;JG%_Dkx^W>t^dlHh=zRN3kZci^YvU#eJeaFmiSuc5WcMevR|Bgn+ zSdLyG96`!5hD4`b4uYF7kw{*CINsFFM7NU$+am)<_UQL-l1auj~+h@v{l&wXM{b_6t%oV8ExBbi%|cWwYU6OfzrD&&RkVz z&$k3gG3$#-46zEc6whX*cpRtAN)g@1lp;KoGmD{?a~F%trKCw)UbIu3xbatUC9xkJ z9m}qrc+e!p;y9Zuz#eZ+rMYlY@%R!?VDvT65 z5h%u%nqoNU*KCO+^$9VC&{fixhkU3*g3+<=C)wQ6$Ujmtk)oH1xnOuOQdQo~>UIcF)KyE_htHfJxntn7xl;rArw zqi2uB)JRv*H0j4nq>ip*w_j%Vt;%K?ojv#V`i5^Qp3&I8xzPl#vHb&#LBx>rnRBUrgroaR z7~`$Qgs$3*2QQ$fv4zx?uZetyI~ZMN`F`VdxU2zUlORm-H(q48hr}ZvOvFgZAt|R2 za;JZ@T>fA~{HmP(AV~ag$|;yb%m(HVvt3XILE0tYp826>f`P#i02?(g=wqOtToA!7UVuLk*i`*!4zS05z5svVMKSG*H~&yhf#yFx@K*`- zB5d$F>ECUw{t^Qj0k`4b?0`$*ARyVnt`H#!D(V6hyaP}bfaC#kUIFR(jKF66Qn5jl z87?mF)$|)PkUik7>WTv=p}=L zw3WX?yyXQQ8VCg_r~AfpA4HrirTw4J-zN5~lwt1_D0^s?7ZNUV}7Be}Osvy9orG zip&ZK9stMjuMBgL?EA;qAdb>saFPEmIA9c9q~wEx11jMF;ys9PaH-%RUDSW>#{XS# zfA!qYs|q?%U;$j#0Mi$QCHe1H71A*Mg?RbzVgsqDY=CwIP?0X~I2OP^2zn%5DmF+U z>mSd-D;*8YfE4}@+zm*)2WkNQ_ilqU7yuRHZ-M3CbsPAR#molG8Gz;keq>!LHi(1a zVzF>F-3C&%Kz40#a4djHnDIigyhO(_0m9~Qlkdd>=4yfiE92ncek$Xa>NtpF0kovL zn$UoAY=GkdGFJnYt^lM73kW$2AXI_H89mbUm`YUuHS{qE5uR(BsXBa2CC-vqu;=n^b(Bsz=95_;eZAGVg_LW z{`pZ54`9puv8F6DBjaxa0azydeYag`o)^2B%ecOOVGI4<^gmD_fO>uZ^&5d^|A_*@ z_6wB<(l-K=1b|0}r0oJF7XRDd37nh)C#eAX9fG#|3vUO~w}OguumK#B-(}%ncsP)n zG6N+@fJ*?OC8#txcow*fpbT1){w$FGe@e#z6XoAUs?mf zzP7HBOqM}D|2G~bmfsj>`kvfENB**L)K{%hR@PMQRE6r#Odl%Qkck<>>(wVc)I3{8 zYb+8i%DTlbrrkS6YuXu6S=J%4xcqAbLcZQ5_#~&bw$*} z@k?(Zf7ctTWnGGC6$&pixG&Y4BTKmLOv9LGEA)(<{lH5V_~6@mB9Uf=#E@Td_xno4ui@DRjgH=;J-EW~Sf#e$VBk5!-_}^OQ~!an5RuyIpbbxtk#A9VC|A zeNMv>okRE+Dq>2Nq4nxU#5N*(={K4YS{TEu8hy3au|Er5A49Kywv$U5u!hjc2~EmD zhC1b8CtQ=RRJf#jGrvVEmoS*^W0!>G&M}G>0ar=o?%Xc(JLB|?bsJRn*@4z|=-dpO zTKvKj9+iY%8OOT?+oV(Jm}W)AJ}biL{GO4;Aw(-LOJsEGaf_Z*1j)g&TliC`QH?Re zdnua6c*RDmk`U~m^sy%5b;b_yq{e(6zBQ=zb(pNPJn0c;5S$3!RezT$r7r2TH(APv>EP=B82y18!tcW21_&D@I(NT5D8B5CJ&%;S^Zp3gLGx(1ho_Wyj3_@enk-2@oMJP%$}X5;Na4{)4caQdU-lXSu7E4J9W#xTEzPsH4*ZOBk z$O_4~s~cML*I1=)?F+*-(y=S^VLP&a*;D=Aq4}aS){Q4Z=zGMj|4PnTR*!Wvu2Vk~ z>}r<4**M%$(5Kq`3AWuQJH68(tGz@XnrtYoSrL!)yWZy%iW!ZoJ;O-emo0+J<$L($ zW@6t0^2_?voy@I#!-J4vrl(H%Hx9nCst$xG7fy;+NPc%j*#9v91S{%O1;VSM&&zM$ zoH&RN4%&wptXV)gtsfqV^s_P&-}HfsDYePt9PewAFI|6ExV1-(8@@`FQ!z5&>^$eDUWViY<>=V6Wvi+D)S0T%jGKC9QAsJs8emnmg{HHrKZi0&b=m zr3kMU_mZ*`L)9Bg3rky~I%BxTG!ZK7`8r9{Ly@;U>2W5;j!%qqE2W1@h3+YTjf6Fh zNVxv&eJ6$B1O@!3Tao)u(aaI;39Gr_r%lk%8jBIgXk+hGV$>bSegAlk6Pk`PtW@9e zOU1gzEmW`Q=6C@Yk!Sd|W&t1C`p{`wUdf$7F+289CSL0r^`oArzH@|ov=Lw}?&wD` zH3RLo#WiYd62sbL7f$7dKtUh!$+WZ0(m_m?8;^rF@xk5@b*|7H#ZbMwZIwTDc0;Lu z4c&q$LB{QB^90IgesFwjrQw4r9MpNpY$p~ULbboa`atz;a577W`_d|vCNGKCNs{!e z#geSl=5KPoiixb=!|xA%x@h`&u|p#U9|x|7(P^M7!B^}=fVHu+ahTRriV;%_y|`3^ zWz0<3d*(B{wxRvUL7VAyuQjufn*`L+NJtGZjyeq@@8NHBwx^T5AZQ(>=Dpt*Erl7q z8j?2MOTR!I^_UokqvO5>PWi${)DTXhIYR-%B!LVYg=y1m!^#v9*-;VM!9flT+ppA_ zZX`D(7l~$P^0aG|yG}mj=hO5=^bx;qYbiC2GV$b8d51|hVj`uBZbgnzFK*Y5J{id{ z$3dSl@${kn6=PCv577)q*z zBulk%jNx}%%jjmSez+7gpFKC?1OXR^xM7x6*3~7Y>IL?nYmb>?YmD(&!ZSl#4dAm>-V`djq}QeJPWpRyMco}phy@t zo6_okXLS4(Z|%CYERX6A5!p5CZq+!Ag98lu>yvE@BW;$ew{cpFY%DC8#kAb_KqutpKFn01mBCJp zCCq3~((^lXzPnq1Ik87LQoOck3m4K`8mJSLqxb zhK8Hx^~24Igay0BTq<;%>t9f4YR&UZ$3;*QfQOK3Trq40xlCu|wCmiX&y-CV;CXOh-&JIDehuty7373F zts#zeL3lLcK`;R8dzOxdQ1jBma&>*gAmO-LxQa??b2T-H@PROQHv+Qhxj3JEmL*2-mUf%M$&%%eD<+{c>)L5-8QoK$GZbt-GD+AQ+3QJ9FUNSXzAU z@lgQ3{bbsBPfG0lq#Wh8MMq|ppIAX8;RfR@)6kxyMrvbL(qJ?-Jq;_{S^r9E`_o`@ z+|iXSd`g*K2hB8SRrxdZfZ<)I4V_vwL#f=1DIAFb3a<%2b?Y0G@i*B7d=3v)3a=5# z-`!%3!V=Kp=}hfas4_{jxib-!DLGwMyZ;qyI45$U-2a?TQ`1>R{iIZ-u2OYUAjM{D zX0N&TfDk2lDu;29tMLU{ukY=I^tPxw#ImF}r#1ZgOwd&K{4$HX8#@hTs^BbSmf_cG zK5_{^#F4Bwqa<0y)l-aDGcmJx#s?wC8DGvFX5(N@sED;>{MXl`=gd%6mmebPiBYMyCt#0wX@&zs{T9eMDAx)F7Wr zPk+uEr0DD8VVjwk;Ol)E%Ly&d+FBd*XV12GRbC zysP`$+xEOu&M{k=%XK(%**VuZ)LsredQfkEl+QB*zdQPs`MvT!i!#&xH`A?_;*=cT z-GZeauHn^)(N2}lv*ocnxLTet6V=agGM30~Q!=Kpi@!y_p&|y&}qV8V?I!BU*5MHnFt_=`0EY663eCs2`M$U(ccd#SA#n z`QOf>z~FLFap@n&LSS$?Xjk;}C*TvKp9DQ-wjUICV84F>A_N^BU0?-4FMjT0fEVBo z1nO~tKIhlNq$>n^0tgSlHwEyz0k|y}&_6)YAiy^T{2zeZ{-G2kGso}p(iPG?LD*Qp zrN<69R+#{F2gq>A2|!iY0Yoc69R2T_ArmKr(EiEv`*)flSlb7b8!jM^8-$_+vFiaJ zG61QUz`r0+|6Ook6&M`cPs#97u|ZOSe?hGNyU;)eUywf3m_i; zFuOtWM_)X{t}HZ=Kbi@!B7>~WV1G0qeFEo7f4HI${n0>{%inV2g;4pE>Gfxq?=L*5 z-!a+y5KO@O zC~)d{S$(wY2|&bP2SIWHBF2qmDCo^E{3EZ!sw8Inl{2ct^;qA)J&BV`YnM{rC;*5U z78q%xvFn}u!*GJ?Xx)3qB&!oIhF@4)l~x?gu%XuAHoqcv@XuR#fTAr{8zSo4+^=R@ zBO6|>*hrP4{`&dytc1Lbp$o1IJ-QE_29>SqT-9tu$ZXx~T+Vv&fxQd~4jpcChixJI zaX)E_h|dggm_a8?QOyiEJI&3+IB=egL|a0{`-ap_$>o!p02HGZb@%+Mw#aPj3%S&N zqU&T129p!b7C6HMNa*M-!_!)x^`=A)q`XY1dky@@{Ex@VcWPu=g0}RE!m*z7j`-(D zu8&1!B^1nFyMt1)h6y?4;rrxjC?4H9ppKJw~E^ydc6Kltv_saQ+0_;SRw` z*3Ld^R`5>pkycTwMfs6x{=sv#YenM}wkheIE6Xh3aL-!B)5{1sp^HYnmWA$$@lQ^XZy`-+VBmq3LQiwKLre70-R2jGumxDj~I0==sW^Z_VBb*^7M*Wq*I)kAdMnz01?O8pjXO=hj6v z@eGmvE1C<2d=$QzhVit1+sAq_Ohm%8uiV@alNTteW6$@k0HdAb5}7+0R_PZ(mA*Nb zRo#fJYR1PsqsCos!emZ%6%SG^%Om6D1LSeb8)OqpY;f)5jj;&R!!^hQN&xu8Qia)oe zRl|9vzRE${4!yZT5iawkgZ@}hUyjfiJKOZmi}yi#Qp@7}r5FFuGxdiqPrXe}SMj%5 z-m&ux)vieGk5o^MWf{EHKc|WGr6DOtiF;K7RJgkBR8k;37fHANq$4Rw*QN7 zdw#Br{$Lg{I;D}=Qa^edNsnfolP!tT{mtp=Y?~fF_lx43N?-Nfm?;kcp+ybrJWy$AYF1x zTW&qR+!nF+$b`DBQtrVa5WhT1+DZGjTOCE&*;c=$$NUI@<2 zGeXN_Mw&WOUPMehwXa=R-ds95s2xou@RN38IG2lE7w#t}zmJv_?m;i)5`vCjZO(c& zU^ZwF@g>qhjc*ouJi12A!X@e@gdsavEn-kb5_9q~A_k^Ooa0#TAs!+N@k3LQ#E)^17zStOgG1bz|HpfTHa8dRzj^Y)jH4#O3j50ixR?}HzkBNd)`EO}xF|uHGFBc+isH?aTjTfGowz9U zi|ysZWR1_#d-5BX6k@U8U zOG014@qBB7M={=S7E?5VuPm?BXyU85P3@_QjoY@E-JL2MUgI>yGx|y)^pGx0^N8xQ zv$MzetWv}HtME+PjBi@zt>B(VuUT>2`yOW7EHcY~$TGok>|&Ohy;f9lzf_X7Cu2Q| z>wd}iv=V6J6&PmrM-Ki>v8k@%Qm`i0d4^Q?C8lPJBxN-iwPx+QobCy}ZRTh(ZY)|Y z(l~oK^R4({FkUA$_gF9=%o@L~!{#uZ#T^QzC~+@A=ai`j?(XdZdr-~tjO^YSSpDc! zW0aaJx2X;(n-z#*yo!5y!A9$b3%kNuL(FvY8cNkXri@^vZ7kUrBWG3<}&xKJtBXt zEB;`{x?kMraglzbuTVT=8VYw-nM}r%RB4zr31;ti!OzAj)bEwQnZ}e7C&tJ!hfdx7 z%FJn-DUt|XRa76yLzR5PirbFbTgOysx@0;C%kxFk$WuWANhn^kdq)0BIB})a-;ERW zD6`G|>F%Z_6OH1%d(euy`rxo9Kw@-R#r`G_*UhCojPwkeWv7B+HRj<4BXb65fw3W+ zhXxPb^!YHu5vT*akCN$PS|!hfIM@&k9%RGvm!|Fs>PZbbaH$SDING|6%ppWl6MvDc zv7B6fj?IgAzgln2G&}9y?!MS^R!O=`A6@{B4z-UG{?MZ3C#LOJmM32C(DDo&j!V1t zpYhEPLyvZ%!9?Y;+(|Dq@9INE5g&?&%^9n(A9~DT-|>!SUSQ?^$=UKy2MwuSvBP1> zy{HzhQSHs)$KO^odT*xMwP4@~p17x4nC&`dmUzOVW2EBE^E(Yb zxT$AcCg>D>R19Xe0ER0|JJIc%E@WJ@>A2pTPZFurF^La)B@8?)QyTOW|Q1zN#&Oxbk zg03^VKF>vh|8hf^Ajz){>NK4pz8HJCWoRoEQ6kB}k`OY#zMfVOg5T_nV z+;1_>bjc5(c$k?PzrVD5-J~uUmg?i7#ZuHc!O;L#cUi#7(1^8>RQW6Cb=n zYc+Qa_{o|Ge96fKeKy{u>AU!xTjoiU!Y(A$inU^OalZi1$}D^+vmFa)}Tbk3w7#$6TN_nJ{QUsI~Z)s4hGw@UobBL9SfA0{qsFP zZPGv{`NdCu)v+!<3cL*dcl#+ITk@h}6gx=&0P@+Gfn+xpAo+_OR5pa|4;C{P&fgqA zKmNL_i46>v077B}JicJC1gJLjpCW^lHu_oo5E$4ms(b%Q zWP?DK_;CwdX>1_+FW@f)t3`luAMk_zL1crV7X7#2(y$rBb0w`jj_!h9GVgWb_ zoPfx7sn{T?MeJ7y7X5iinE}C%72u14`waxcVEP|QTm2ZhSJZESyPX9<>40Nn0V-QE z0*=JX#m4!YZVE~@_Rl{-kh5e?Jlcj^SFoTf1xR6EFCg+v|i5!N! z1^0J)F)H1}Ks^_l9j1oVTwGZsoYco-YqT<7nY-AlX7V1Ln$OXW3H9VGP0+`8Y&CsK zO|<>^R=uqvSJ-_EI zm+rgE)mzWU6Q4M`b*VCLYa`=^hU82pZ_ICM7i^gt4e*OaKd)WZcWE>5Qbn$CCEpoQ zr#zasQ|oSLmDi%v=TcK%sk=8TRhuh;`e00>yy>VHZD6CCY(o95><~hX&fW0c>n$SP zwjNA6Rj+8G9n!gHF>^3XNsN+6RI>KAq0SJ<`sH?SL;HQ4C0U$yt3^hJq8xlB_{}l0 zCk(}Xq}0}d!0v%J405u&(ad9EL%BX*C8LH%KA!??4K~Tqv`sP&-0=nx602~%$-3_a zhnXrWtGF<{c&0sJiUEf?8qn_n^^7me&=aYNYQ>c?s~}al4x)qGvhL;#jkO+{H+wkrrDpYXYw{ z7cY+ky?vTwXPQ#&D$cOO`C%=<5& zLx}D!6&rb@tGpK;DIt)lwvismB1|`I+uc!E&KxyX8FXVi#) zA3nNLe(-CAbyY$iHakr4>YfX!XQfb3Y4t)iMX2c3JC_c(kR1zS?Li&r{AF#W>&fX~ zKXETwKcR-5^z@>3C)9nL_%zc5q;oKn`=QBJ#jxhBW( z#G<#H6Q=g*?06R6s=7S0*5#KCH6oJ?eVjUdD+0P`w@ueJ2Nv2#79XPd$x+7y2-U}M zLOG-*a6~nm>l5T*j^%$9>0YrFNa0%5aTmd@6pT5cPW zSOhO@Wu*d`r|!(tpFb8AIbbH!fnxS?o5q&kFFq3F6}|6Sc&z$>D4Y0Y`$6CCM|eF3 z%iUz@ro)j+?7clC@c!W6;|t|9wz`Geg^?`mmE*f=H2Sjp#r-eSdD1EjB(O5SI67 z*W8ZvbY<6Qf2;3sp-+(y*llTK4?kw8Ka^6`_n)wfofk8tTXw%oxVUd;AbXAb(W?g2 zsCNOwHSfzD!n8;twdC%a!+UgN_vNDpM)a#bVj6-M7FJA7ekJYCZ&Q_2AFO^>8!pN> z!<`Vzqzbzl4lAz;=kL>d`;h?Fd-o}gvSj}ao!hb0Tq*A5VGXv{0yJ`1l&7&CTGQW> zst^meg}VfibV9R7iAxmDzCNdP&l{o+WS4$odp)HCCvQA;17%n}@i&xK)Kh!eo|3Hs< z<72E@$9!jtZg7TYWA@jQ^;;j3pRmTvzRbqJug1|SJgJ$#_I#*3lx^a`pr_X6rQ$Ws z?4rSe$ncS4uZcd!-=%SC!>oCFD!&^CQ|X3EMdbAe*@V(_hSuTzBFih+vUKt+RXxP6 z5?78rts4;0y@)O^=0HI#lx0UsmOc7?m4YS}=WDjSJ}pCFwAMYH0?iLca#@~^Vjc|@ zIcOPA!Z2?td)99bZ<D%eNO9<56WYvFLjE!X??9l8@p(|nYB6+%cp>=arkvZJKe>; z`!DU4<>2|et1Nju3y!f0h1fpXfvK&Y2NqW<(dx(Gi$>PCC)3)*r!wbx+3@(yEBMLI z6XO_OA5;Ix8^4e))AxYU>GP$PXi_dWzBMc?I_zt&L@pjFF9|Br-G~$Ot|vA(Xz3Yz zc!oe@QrWSYMoP4B$;o<6ER!Pejoc_VcF4k=O?0$6%44VkMvx8r`@r-+0!G9;`X2$~ zmc8JA3K)5jUWdF}omQambGy2M7tv=A3K%)J${fH4WORviKjcMtt|5K~8A~GU#1P-0 zFe}`;9P*s>XF(-0I@(q~B9GF0QjDSsK@bzLKhU^9#tQ}}3n>`o0&OvQxIlRXuqy;s zRlmv7p=jK)byM~k98xk0WfXxJWKWV&7z&Nc)RBP_Ep+zZBe>mC zlC8zNKj5}k9B91*0!q-b9{BEnY(MBI4g$^J371f4zYPye&s7dde-AVvcn z>i?QJ7*sFxyOunt7u>Ib`=5d10>-ucyntTW2FC@qI3Ohjf}_2F$Gbz^kK}Biy2m|pHh*_M>GI8f6=M=t*gtFqkCccicDCfCed4Jd#CntI zx!thF$Uz!uMuSuGMk!$z4a7ar+H4o-Qu)@%>N?W>FKMX%_cAW(tbVl?KtM9&eYr=Hhpdg$0)%f5YI8jqtSyIe;S$bIm;$F!o@_l5C~IyB@Q zn<`|7W0^b3qYC^zuZ=2;d}80UA#wDYR7iOmed_V4(3*-T^^B9$%f`K`FC;dTBg*@vY(Z!m~sG1~8 z^fXWFD^^+!@|I~%%*LsY-?cPoUX%UY*7VA~0#{vbLNcmAeRM^7>fNQ!Y3Dx_xtL7_ z&>p5Z*^@?{e}X|q=8&Ev_qTt_g&-cjpWKU71_t7?0ISH z#LZMLWJ&gMEdkd{jvwG%oMbZYyP%}@PWgSZ(S+*w0&`Qm2edsV(-V@X$oSwcF_msUhP8MDn!kM9VVhjU&#C?PtapJo_egxsM|oRm!-0#*E% zYTN5cE!T7c7#*me9>bVc3(-)aRCS!a!Za{CQ9iTCTzg3G_>ja)tQ+r3>6xz*kDX)? z2;!AMQ}?pFSf;H^VW35>NaZK%B;k9wYB=}!S=JO`As^ymwF5AWNuQ@4Z{!?>@r#aNy1pK` zM%wm4;;Tjw`JJ0T$6jL{9qlVL-1ydJrMB|g>Kk*dmafP$U$v2u*i)yqt8k)klZ{eyqoZ#K zN9YACRW3e^wQG&_jT2|7cc{5RM&5X%II)7#;x+T4VZ*UYIkgi{vK}N{MjunYG|pUW z;eRM+#&)7IKx4%ATY{x?k2%qX!SRzg>~F}AOfgOdv5qDW~RGy=(`ELC83?y%&}eVro%oN0vDe z{~Mt)rI*T+R6niF>G~Sw;5d!Rm^7Ck*9PG9`FcDGdm}b?o4ZM<$e$-<#2$uwF!d{T{fCP3Wj{OFt6E_+P;QX4|(+wEjTzr6&ie#Q|##D*9sw@!XHv9q7b( zaVP3}(PVK>oadk`mv(%tmtue(|C8J9>V1jQCQ|Gae6@?kVIz9;Gbb**eful~K7T-P z6ocUh|3x*70ZIQJR!>|n3a1MWSg3e4j?CXwT2L&`+B1Ff4UwFt-g9D-@Vin|`VNh>ar_jA_1X@cYhK)l zL$`bMJ*n(Or5=ku)s1hHzDyR=5htLmj~7DBbOT| zXiW=Do&J6IK(*X<_=x}M9fc@k=-J%D2K6NcHDr5&238yAt{b|Ku7lgt1}e*-hQP>K zg8>yFkZk;iS=&E_9Tz9yW&s z1og3FDB$0ruFT+;?xsEft@dwM1w+B(4T}0u4gFQ*iR!A5z7?|eM{(6%{M$bObAz`& zXmf;W=q~>4A454oA_O|npt$OmoxazMgEvl=+ z0KLhFvJ44v5JYZ2|D%=&{LC-LOORY^>zwuvf2KdICE6ikMDkLc;P>4lFEybg3G_$6 z@L%DxxD5ja8m?P(?A$jU((|Ti1`as_)K5Il6oxj2%BgOwv*AcHXq}SR;qe{x7j&;0 zpRZl0C9Q9}cQ2;7ddBYaTFsP{CxcW8S1iBBIR+dV;_q#CABTz+XtlD=Ea;BO%;_b; z6B(>-EIEZRTRzk~J#5L`U3}wC$OK33LaAzs>L%i@F*r>r~l~ zf=R?k`Y16@%pIE7r=?uX^?uuO*UTGVXO&rP82z^QaPFzj?t9b+S3G$2>HEewo)>a= zJ-hU=WBKmGnH7+JMjtpZ=h8WJ>yA-Cp&;QAF;C&P2RLNkK>~#Gkqy^yovfHvjbkRXI4g)%v`;{`dtdU zIEFK4P8WseR%BLt&sc{x=KhfR*_2jthW2e|@$I2X>X_Wu{oe~HWo+j}Djdg2goYMB zbbX0*ykoQYWx9N(^ECYdJC1}Qh4=*Bs|l< zse8EOTAHNUl4fcYoSEU{2lv2^@*J}!=J3&ycbv;jjI>mzKQaz}C^O-n%<*5dC6=K% zMI?;odhoK!d41cUSQA1UZ*H^(rDk>|G9}nm&c@{xNOo5Q!itfH!QRoe7thTTz2{)uJ0A4d!OZI zjU8+%3TkcXF4EF76kdpYZBN8?@e2CnS?xysFl&v@wTswV6T?pHr<4s0HCJ_y4Zlg7 zeuq`)P)QKhZjkg-_;lF?o6mRX7Tpx>+E>pwa%9q93Gfo@7INS|d%<=6?F(9&Tw7;} z%oF7$YW4mfag6lU-E%0PTc}X1F-oCP*tos&eSbaL72o%|!owRxqu1lfYMyam( z2MbtW`E)biO<|290L5?#l!bUX$A!^W&}> zo0;qRE_sn38MIj#TZF#S-;=#cp(ehuzHCb-dH^?W)76;2PMJ5V{^O?pTaug*Pv8P_ zNi=qHl3t0@OI7}SN9T=TLmv1+&OSPxBaL_-$i(mnHa z$DcYRmroJbp08GY*hLb*5M>{&&{}zdYU#M{Q!bUsLrRf(Ne{Tl?~xLwCpwB*E{&Pq zeS5B(=xwoIckfNZvM-dUQ)!%0(FG_}?7Qd!#6J9wdJ%*)|3A_N+dhn(yj#}sAn->R zE<*7>!a@=80eXQUK5UhM0Mk(@UjluD^x^=091-8_kR0%$u&n>Dtt_{Xfl%i|KFC~f zD^(9NlfXpzH&G<2!}E^*HGg<`2J&b)NJef$0|{N={ebA^_j_b0lHoi2F8>S}GQb5b zw>W+caN(eI`FDohC@1aLBb*ttbf9a@$9H8;Ep*8igUTaRO}wKkzc$6E>853Sz%Qp3ML7rUK^- z;C22NIBuxg0W#R%%fz9+sk;H%&cLazC-*{vk zxhK=#z4`pYcZi6PaU|3zZ;x^0yb|#FE0qKnGEj6F6U9wH; zbUJv0_d5IR?WANbkBuq4v3u9#RZrc$LQLW#b*WY3#^&Q26%sfsUIOD+@uu!F=6rn= z5%%^*pGx(bG0_PMuXom8x{@015xdBKy1mqkp>mIdK@(e)TXSv3%?|U&`=0Upu(!+4 zF;283=B(Y#A=a0_^StR)#Za{Tccl`xbcWY$fh$~Jz8rnr4tty_S?{8IOXtg5)1so1 zFB&IW8Sci&QBIy3F_3uQ^{%@+x$q_^fyPtJ(xf!foSj>kOX2Ghy+-J2PerwU-(T}* z2W(2=qq0cA|qa7x=F(HCqp&zi;o)O|ahJWA) zX_J}KG=5sIEa{rD&*Q<9(%yVY_YOCGptHUeh?^pgGmaNGGxhR_F9RcemAs8;iMmSDo^GIk29KCc@Y@YB~qz<8I_?uYQ*LGcmE`miB;YSDoP4( zK1N3Xb#=;vid#o#*DQ+;c?gl>ciE%63yBtoX(T65KrL3)(Hm>{wLq>C zvpuzpOViGciuTlxTe?#O{?*nMHZ5iZM>=Z#2I9pimD(2ZZwipzdp~0CD{F9Ow2?3K z;h}fDH`l9aEQJdvoz7oBC~QaB_uApcN$#R_)rXU(nor+FXL;L|79(dn*+_hW;Yw-( zo1ND!Re6QdTWHiet%U!NbGIuROACPHNG z+Aq?RwrsDipw>5h@eCU6p;X7AHi>(+g>|nFTrb2p#(r8}k-&tgBVD~9;VqqbMBUE@!N(kG`f_- zp#*7)PuSnfZE%y<6dfIJO>TsXkSeT%$lH?Zmya6Ond8Z)Wf;|yWA~iBa5MX&f_}45 zW>cPZe7J0SP#LC*`y~5~7LoXhF5;m{tno^t$&(tV^MmhUGfkyMwlEgzooDja_RO(} z9G16DEG72#{1B|9=72RKuYn;(GDF&IazM87md+14k4}^3pQ~@Fas}@6(Wf+U9w{0v_XmwE4pk-WR{k12g|&)Qg5OKs^*9J zp6B)^BmZonSoGwB0cW9P&|u2Q6N*ma+vtXb$zDzk`Pq>h{8$D@NO?8=C(B;myc8^= zh|zAP?vlcNOuZ}`6VpYt0j<>d=?4Mp3l^bQ-Q%-;MDK3CJkprf6#qOd%H(--vsdJz zp1oQ!_2SXD>P&EjIEKX3c$_FOF9*GMt!5SW|(u-|g z;y?E(oaWsTRpxWiN597pvA9yf7Y>n)G9DPC2syYeu_CKk<9(1 zs6^hJ&zkr$*&$)!;;4+)Zgm!1A1a#Cuneu&K~&-4(@(P)Ja1)YUJHIBC+^K4wYtE1 zh9U@O6rFl*Bi=f{f3(Wt)lD2b93i%+`If;OH-Ai}Gf(op%+8xv;p~!W5YZf}q$4yD zM-jBccNjBm9R&Xwv~Ruib_VTGQTKn&@q@$RcKE%Oi3hG>(1{NO1YFdlI^zC ze{Lw$mm0EuKthA82sr?U!2@RVchFGH8XVzou}|2bCQYEs9%MD)pc)1gw}95;;O|_( zZI$zPjcHJ50k$5ceZmH^h8$qIA;CcoZOJU1BFNfj?kw5>rhS@@ccn>QN&pbIr4we zAHQbK_r!Rxi~d5H?2-Q1QBU+2{Q;z^|AGF<1@y-~lN-LWj-gB>ruTbb+d;n#6LS3LcpDMT6Bmv&h=eBDj27^ISy;ZHQqyv0+9^iDii5Gw zRSWywY)O#9z(rzVjD+fjj=^g4XVod_=ok7<*fI=^2@OYh(gGURr!QtDz(|Bg_0c zSH5FD7XImHeitn32Se_qQ-e2*U0*$)!D zOu9ZbZ!pq(Zxr}nu6-RzOdwcuWIXg%C|!1yO-#zbap}YwiU;16=a_x;vYABaBOWG_ zdpuB#Z)4yV7RoVN@E2oP$@2ER(_#JAoe$TS*c9#T#Z@#$jH?N;_!i=}Se-&=@(C5Cc(B>Bpj!PgIh3Bqo&~Mo@?+s! z{hV#@MJThY`YNw=1`Fbre|0i{dL;;Fj65qoX4CObSi|=S?>S~8HQ@*Hj5poH<9$lT z`xT4fb^#2pYugeEDXLnNDV&_GQ(k9D4S(z}O?}jUkksrz=YeWLVH=K@LtWW79b{`) zFpZm;Nbuwvm?*?8=`ITfPL+QwjPaE3>REEX*+FS&g07L(pi{2AVHB6Eo&4o~;syKB zjz~KaY1{0F_o)NIF|(Iegd++auF%V1L?spcFnHt^@U$f^>urtzX6su%73P6*cac^C z(`alxzN?4di^D7J`NBUgnRMipp^+xYe0zB9xR#iYkyI#!QXF#t8U6Vc!?LBTue9{L zy>wX^#v9(&(0n3Te_WZ{7MpeYS#I5(tkWsdm!d9~w)xwb9cE#ppJkQF3~PvHQCUu$ zJ&|gI*L$DXbDhNi&F70ngI4jWuS*;f^q~c$7*e(IKYOpyVH4DdCGh4OW?B2T(q1;q zIfoPbRJ_X`?JDNtgNlysF!d{Kt@dPvItB1nDvU&_#`}>{^Mn$r!`FuPf4!T*1GmZ!{T))=E8;-SKLXoCm*SEn{&!AeG;mve-?3hWqmKm+z7Awe5OOX$6S0|oCc-plNR)2?A1>@EqK1Zk z*d+#25_4icKfz-$Pg={1gkq^u*vnAFOOSG^3oHC?A#UmsQ>=U%#fdn5kJ4Ys_Corjm)*tY2)1VlSbP zJ=bcjI!&=`nB@BUA*W*|POr`rPs$fJT=5uJhNETfd&f+{QaQ@%E~rt5;$I&+sdEr_ z{gNnlj+GHn<$>fgWIqYNJtPL68KOV@v?i(o-!Dphs>4**U0&h+5_pzt82dWCdv{*d zM^h5fgotxj@#9MF7tlUATXQn|;x}!kv=jpuw^Fi^td)|GyNtrea!m{esM0qN)GJzf z5=r`=f587K{u#!VKJtF;j$t;hA&&Wzc{0o`Ip&U8GOyzN19NryQ-}KRX2M(Poj&Jh zRZEqUv6<^zo{OBlh$i)x4Q;(Ni)^v=q(|*%X0u2Xr{Ejqu0`+>e3 zj%fpzZn7tj;xtR78cOR@)HfIF7vs7%BG38y7k|qg;+--N3A0c^#bogODuVnUOa|ip z^$#XvOEU1E)CzEL2~?SU=*_9&!Q0*=&5z>!)BIC#hJVnnuJBM%gRcJ%#=5drO? zp(Dt4VZ&aWB~XQ0hL(Pn>@?Yg|B601jzLXxu>U z01ml(gN7>3LM*m@o;Gl2!5sx1NPx#2)NFna9o+eNc86Jr<-b4Bw$~aDFyTN%e!z4O zD$fOt=0T5;f3Kwm&8>F@S%~Lxe~@tkbq`dkp>w!Oe3byYjH&l8Io=oKC!3`V{|BIwxYZu+0Swn6f z+`wWHu*;Bx4nVjkWGGph9rg)-Hf!5^$2PLG7DlTp^OF(uv!6o6X<3P+;V4>o93@dE-0k{|(W+)!=? zFwuL&w%cKP>tMG(*to$P9pn=J!UkUKd!05^?{~yWbAOP5R(4x=bbGaNaR7fZP?p6B z9$AjxtEF~tABe;6{$PVDKEb&i`5m7HD2IYA26}FHbFJV+{O^FFGDxV$ z(e9xL*S~+eDrB7uX{&b+MTCRMq5q$ftvd>Dx5-w38@5-nwe|0w@`ar}IQLG{aiv@x zFXp`3ucQ)rojECiu}|BJnLPAb{ZE&p1`jY;n`FjY7HCM_kGpNY`DFG)YJu76j^&Dp z<;s`qBof-B*cTq3F*|u7)bkn)S6BG<8D{_14;x>X1D-!;Qz(tLJa;y&Kl*;h*P>yz z>%CWFDEOsbzR?@jk0C#=XqdvbG9%hP86f3a<7*rd=`oKGEd82=w$ST+U`^d>~AHF9}Iq3^0IekXqQA5!iQvqv~p`B$9`2A&s zM0{+OOk}Ir<@m~nr;IV!vq&l}B&PyG`)|?RmVbW=@ zqhX|{y^dbnFnp0dz~Yne$ae*<<{IseH|^k}z+5GGaQJ1a)pve1<02>B?kTp`FE-Vb zqv%1QFKD{UtEN=$4OjFT(PZS2CEkCp7CAX<6> zKbk(tgQ@%Cm4r!4OUrxrZf_V88Pz4To(hjtp|m$O|Ee(0OuDK!AvLJr@P0*s=(~do zg?-M8T=rYY3hOI-4W6}G_#gp zW-&WFM32!$Z8a%+o*ccIEf(wMP11%mY|^J^1$r$>CFn;VuViJiIVyV`ekz!neV4>- zBsup*(Wg@z`LmB}8C*Q4ijsO#U;+&J0*RJ*daI9n190?nm*tl=PDuG(tr4DWuQ0I= z5=(9?m2HR_3Tg8DA$6W&lA1Ax{u%5fn#e7SpMotRV%miD)ZM{691I6c+Jwr^7;Q8^ zt_=1~%#0|{C*1I_U067f%pDX`he73VN)*rk;0dF{>OMGB*IfAQ1s>s{@sN8xm0y(k z>8|Cppk2OP&T%>7(7l(-u9Gv%{!@GwG6(2xMqFV0rlXd2WVEMXac1xppX&ReG4hzu z*xZ83k*DtkwA^0Y|91Mo#PH1sT^Y9CI#D9B^Pg?8NPH6-hSJ}DiWPwg%JrQB)+FY< z9kfm&%!>jpT8Yho%ntM!A(08>VJ!Qqg}R4L84X!Tu5vA06kk@MC-rs`($A zB*9hURUUNi=3!k|i3km_393fKDMt<@E`A~zAt&vJ;eK5s))%i~qjklWcz-0Q>Q#hJ zHree6nRLrK7l|t7$iqK=dSnDXdVKr}A#bu9O?Y?v1Jkd~>0f~_~6n=BQo>V`H8EAQd*9m z%u&yp0P7ITpyrXpbWT>fm*p`c1oW8E94rSNj(CXKb!B6mbPvE1?hqRcD6#yYk+L9l zPRO}SS%U4jH@u!j+gG8C;f3l)J(}kgBi%vdA{QGs1t(vc#4{`Ph}-zQC7FMZ@yzma zL#x;;PusPL2kJH*FM^Lo^46cYfMxjQ;J`$HNCUpGp!BD%9{S=!|Mg|*&DPYRjs`yM z%o($c3@_4)q*o*q)*Xso5EaInC`w~_axOd*tnZ2olswr#ZF%28vbLJl^-flOKo~<` z)CTpn?vDy7*vWi9LwP^;vZTEJVDc={f)G&CUUxB7Yo*)e4>{b@Xy$S=EM+VQ@Mw)C5`N_}{>>^J5VAXQ%o|eA+q)Zx9{=`81?2om_qn{t2Rv4-p zcY*8lcD*yDOSbeb>s)>?Ak>Mgoxi?_cblr3{L`U6J+YX+7THb-9aElD`0w$w?YYrb zhh5N&2S2j4a$azrNL4I+EV%JXSpfejo^f7qZ*P0ookfQnCl}|(ZNTr-C0AN1tM_cYGvs+a%D96iZ?SQ@4)z)Xb4=d!zZD3!??C1``yYa&Md7 zJjP`fUef;lc;Vtk$A#d7T*Y74=+1bw^osW#IQ5y5Y2H2UGb^jg2Qj8&_0m@wPF{av zi=I$+SDlZSiY{!_v{Ivu_?FMTN0m)Y}$>SFV2c56@_+iNX!10+pJavm`!0rtGRkByk7hMYiSEqY#(ylQt zhiCQc|EPIaG_ISIe#0~gM!1+@OjIp}qo?D7MpNs*M@9K-^xEO%gOwaD8)UCCMn6=x9g&=_VmRJ7 zu12QyAQDceH55l#?yUR8`8gGdT7-9pozGlln*c@-s>}!qaoMgKPsCyKADIzAV1nGi zf6I&@J(}Q1k0v<6!Uf7-Y*|Ku4+z@_=o^HI1L6a+*b^u!wh|&BP~HB3tolS)86bWb znHd3QE?YkXM^=v_Wub7SEEEn${)2$V+x}rxnGpnRK*tYg(=8(P8k>HRn<$JlQDEg7Z5gY0LK;r~E8*n2> zv^0Yj92Y2D1911&(hMcG{VT8qEyKXB3(7;c9|nY;9duvYOD8y#(0(PM{&2YgQ+ya$ zUR>OO*9X%E_4eb2G7`XM2oUSPNssWOC}9P;mHm1a{>ni>P5pqF7c4W7g9AAT;5p6t zpRoN}Q2J*Rw~Y~2d&Gt!vxKlo*&l3NFz_&d{N?s@$_+BC(0&I4)h&Fm-xO%TfNp%(nHO|5`Fnpu zBo7dw%wCctJB%TA4+V!`pupfqnE^ofu_0#!)leQ#?hn*ayK@ISEFVyf5a~f0nm&z%OLLLZP7Vv4XGgSE0JofZe zjGpojt{!9xbI)S8F8{!t`eedS%<}V{qSF$O3X@L_*RWHs4o@cxR7;h8oqhMgp+uY8 zZj9pHtWZjz&0*2Uj85Ob|0v2+n9|p1qk40NvSpYq)JN3c#BpVjOYKAU=AZ{@$SZ%9 zGUGBFdHinv`Qsj)Zf)y89;d!OIh` zD;W(edXppW(lC0a#VT;9k}RSneZokLnY%&~LPezp6D4IGo>YC2xj5(F6Zy?e=p}wn zXjO*3j~r~w(&}6wj6|k#*e>G7MzHNCpRy0FLrkHhOd_kdp3NS$=!&d$&tr_Ftw=vT zJ2KkA?{GIGgJaJ8=-q-2$+FT4^qBs2v9#*5r6#lIR|iX%#;TR0)CRhfTUrQTwrxr$ ztGMQt3E-{}JPC4seg{vJ1cNBK9*=5(>zw~H;_~Dk{s)?!$+54bLBV|xr<3)ytHTY2g|z>nuFEHVpdtNGD_ArVZYYO_J8JHIQ)|9 zP`F-1u7z{dyAt#z|Mtm&IU8Q_>f0I=#Lq1=9*8)7H_{+dZ(rs;`=wqo8uq^NoBq9c z+JbUFzI#=3pBk$=IRr~B#b7?!S$^+09-QsY(TzDya(RNej?76X1AD9~#*sGqZMcFN zt93Ack7fD5SRZZ6z2wYQrLq@1-@M&60(;oJNThUH%1B;aAr;DcPM>n@Y(>K>misdg zuL}xw7|)khgj2$M*x4lv2M)l%k^+%4(K(sP?lBY;{f!k1=7=2&b_}n54 zWKXL&Zu@iOd>{3?@l!XBIqZ1r-FpK?3+R^!J)R9__m~!1mYl;~ayAXbvmF@q^v|Ou zA2<`jpW-fAl>8a4y4H(Uns1Qypf5v*C2dlP@~V)~sTr(~6jYqha$ z6^9OCc;nD3lA0_R)^K=TxAUDKs*kmrysCdo+|XF}z~QKxx!1#oPDIvJ$4Eq+vC#J7 z;Z`my=@~WAwe34&M1uSD5#u@e@2990`>zT8h$&*pzOYFa-;^V5dMe$?>~8Q;3}ZvB zCBvHKyC+p>%q|m(MA)q7^8-1$P8ntjDUI5i!jr-@>x+`L6tY%uQaUCo3rsCRT>L|R zB`h$td>L&yJV6!;e2aHiwOYo)9y-2s$9y{cqxaDz+SbGcSSUe@dGg|s9>T>V%+5~U ztOSj$Nx0I4(yFPnR9Z87cTx;_f-*ciWv>(zJ=bE?&0!q3K=ZCMCu}{@$#gZrPT~g9 zEHk&{p|f4li5nzLtBRkhJM|{q6BdOtL#LP2bigCsFKYG$)9YFWd7Ua45@{ zD!NNPE+*@;LVU-&BE*MEmhsveXLE0$E87trvDdUYX66z-#^-b#9vNpSHu`uZ-c7hq zGtnMW=Je*Bvl*P){rgN%XZJ~q&+ocuRpUM$`?zl30CR27!(3tv_ZsPyPe>`oJJztw zALlMdvUvZ3p785F9d#?gl9(GpS3Au`BKvJ>4&Dj#dvir(?Y1q(W%MPX4@}kC6C-bq zrI4MZC#DX1-{8)6`rMpSpa`7dte^XYg;2jnc^JV`vF-624~=CrS4AR*gFnZn*OXwi zz3-haXZK#Ivmd5@>9ji5O;e2Tiyx+SUZTZjQJ-$ z^FD+a@b#EUB#2*3Q0utA@MX16{Kxxlr?JaPRLi$w*<7zazBwYcCL!^mU4Cvrl0{QN z;27?Do9P#|qv@>ZZ-gbI^7D?7sIZ5>U(!x7wtA1fW}P+4aWRz6Bc|2ar8^|hxvri^ z>b^*O;HlCwO>YE4?&d6zs|TbOZ4tmfvNd1<}X zd06Qpr5}~hxA^znKv|+93|sDcia9D(*F`e%L3?=_O%itE<}qrR%W61FD*Ft_^>L;u ztAlOqhe>Wn<=4yb5fxM)BaDmg8MIlzl1jKDz3OZ+mj@DrG3@u*GeTOO2@hUVa+Na5 zYwcDgz;8QQ^SS@&QLD>jKW*L!yl`SkeSbxI$zmm@B;)N`R*v$ZF+45o=@Kf$ z${6T>NauW0(Fm-3-KI7QcW?UPurs%?5M?VRwt1hOo1uDN2hXa0_jB*4=;TfAz!l)p;4VL zqCV>1llq>RlPc;oYcX-{nL~MI1uzw~u7arI8=mcr@njt4oMwWp^_^i$sn>k2d5?sZ zNLMq7E;-LmW8NO^7a!J{t`3sKVLaD5{Hp1er;CDV=g{rV<#>*`C}(>zkL9JvIseR{ z!(8Sgy)$7+cO{8+R|RcDFaA{bT{R?NV1If)EX$|rM-5#+uK;XDXeB~*V>GdO8m_0t za;L^zvUG(s&iZhVu9{nIo)VmbQG1+K3GVk)n18MJo>(5+d7jxOvAl(^bjgh0($0PV znWXn~>huRsSlj`sT33Yx-1pV(QC7V+1WLXmb9`rR4XU9(yxi+h@N*@>SWWNn=*A~_ zOtXV|`&(YqPc{o0kGXd8S zP?8TY(ojoE5MTd0mCD1jn?3?wp8tIM|0^~wUJ$7xGy^=qLk|cqAd^>+;e@P30G0HA z$F{@M@XsCu$eeGBrv#O?faib;llj5wgN!-3e{)Y!O&ekd+Ml(?37SAcex*>+FVvm` zBJQ~WPr!e}9-+jxe~BVcyA75bsQv{T2M{v=Ou#c2Z2Zvopal5eZz)Qe7qLnbixAvlT={3%I6-Ea8&Gk8oa6cR`O7Yj>Z05bT<{V@anW5x^*bhs^Ef9kuYy`w zqZkUEwf+q+x{mA{%L2K#ovKax=NN}2);)4Qca*qJg;iHuyWN9_ zMMQ+fsdF6>W(k$UikNkSyi^a=0WVbw)hv(nnX)4!vZjv)T3BKy>rABN`8ISb+dCQA z-a1WDxOA_S9F3W9w98d@kWD%*5Ow&1^B4u2Rq}hGvZEe8m#tQ2mgYZnPkd;{MSo^- z`GAPvB{978#^aaqtgY;Js)x@6RdjU!e)sqBVkZq?hwmw7~0dN1=L$ymt97(bd$E_95%P4aCm zk7%~lJr-Nm*=!padDokP*@IukBFQW&sFTLSF5{tykC5M*vc{3Hs1rG{oa|HKIq|v6 zg*0#Ls%xk7vl6&x76v}OIrHe~e8n_Zz#Tj(D)Oi!U2m*mdP+VPsX^Kr;R`AiHoZ{- zREk-bwB3(5J*b~smnb?_GhgYQ-K^7Ig z^u~86e4jC`r-CD#aK$*_AO^iSY5#>U;~|d@;B`o!d#0-TgzcPe*tmGUR%>4O zIGMLNBg=Xb{&_7jTp4i(UO@rY^JmXoCMK(Xr0&xD)jro(pytPPdQ!xRfDhHpmYyfb zSVdJb33>G7zJWmaAuLfD4QoT<7)P2$1|E#+_j^dF_Gl;=o!4r<+#OHKA^EtF) zwQ~9CmGIAVf}8EMo3nH1dR$e)eA&;7%8y-N=v>h5wXq?THY^%6wmp&jJR)_hw%pfo)GNf&|tm>AU?t-?NoqQbMt22U{CYt1ELv9|A zeX)ba*|V07Mw=LN2Mp49jeTCGP)snd&?NSKke@VcVO#aT-fkVr*ZehYj9v7kE~rfX z8P4%l2`|8Tdb;h624C%$S9cz@`!j49dpfC2=W=fH7>6#vTi3f|Gge>ZRkN;qtxMFc z%A=)yCGd_(tFchF(DInX3pH9@)xOZj)8IYi=s9LOs7UWKKTLJ|EwOUI#R)IG{1^VG zqXQOJiE@wPlK2s_Sz~xV#>Gpec|dSv3n`+Cbpg}|cC?e(r#xT_B*QE~Re4a;P0;e=@2WgVDE*syXq2<|YdrI3$Pi2j=x~CB#syd|K8UW_12oi&ZU5>l zAwL~Z%K0}ouz|p!4R{aO_;>eP;@jmax%K|rOK=au_P<}0Pz1SiD4_1aO9BRJf_BHP zyY$t&hW?LUDSW$B=>Hta%?oxh@Ipj!(O-9QRCu`oUR14J_;xt`pc)A}L4w9as3LTP zR~K>?+(MO5Y@9Y zb`>scl$nq6N@Vk^UMiAGE@i!(dhqI9(*1JyGs?V<4p^AF+W}zrsbUZ8KG%J)TcXaE ze_33|C3(+M=97zC_ntdW;`vfTJ3PwzC5}Izq)BbM_-a{T&kUBslVrH=%K&CskA`-W zTEqOHnhUvf7$ok~ADZWerS_@yMnI6`-}O(oll*1)Sz5%Xj^#SX9lMaXW%#L~PpMt;n4S6QhJ5~;WR0nbR;Oc35p@p> zG?kU)!y~^4Sx#gauU=PJ>5pqExug5zqZ0+8t#zI`+`-|3XuWB{aKQ%I`ha-dSj2kg zz=%1vu@%^vD(sa0WX%+3X z&tKSHBo9B|oqt#2%qM9HcYRoOg40JO`5xdfm7nPpz znysF3D22U|#2i+-D0|AA!9O!ge?psN;`^tS(_YF?oc#$@t5Wh7HayR9bBbe}O_r9= zQ4=juc}(QxK}#s%C5(QipH+^f@;+u{b?$t!_@{gB7ME~}E6u9jNIQP%l=vw9o~xc) znSEZY!j~e)OsV)|+zJQtHR^{(G@J4q494r0X!PQ4o=-2K3$ghAKjOYSkm@#W-yUUW zRaVH%o(C1Oi|mN9$xbpu_9m;8ktkba7cxS!m6a_cWbYMz_rd9@$9bN-Pk!(F-?x+7 zx!m7-UZ3l8eQ57tNwgrdyQ9hQ56}f{Qn@4O;LFw;2aRWm*)y z!<%#-+XB^X?dI!h+-jC~kC5wg+ieIK#@VOn*KBl$Oib&@Uyq{A;uo=0+5_4F<$_E`6yU1dc;@wQn}zg_=B* z7vdj1qmR*9HGW_9Hahd;np8C39vngb;7-#`VtVsC?0M)V{_oCC#T&e}WX)l}d9C;x zyVZB?6Ri2ekydxQV!IRq3n}Tfx3n@@>P1=f(n-46#IVbs6nc2YoMF9>=17GsMzkZM zA@#ZXBYLZcD@~vWWjPLmcw5$Iw_Y7|$MfUQ- z!^)m$f-A}|`WeoSHkLdo2)}ktxRgJJ5`)1~Ou(i5{wWu#xDUAFXTH16V3^C_y?T3@ zzl<%9(P*w^)U5dGi>s?$T|rKEn>cuWo1D$ub=O{>4^a(Cb)r|I3{H(e_%_E{vsTTX z@Akf6?L@5amrtT6PB@W`tvr$Ra=|y`N2%V`smUwZwPx{tku3&%*W2i&WUQ|0eB}6IL!mi-{bpt!v#P?Q=a}bcRkPde@iRMn zWc=!?#^^1Jc_SSXonA8`R0nmECNY%1MTX4D=}gnz)wEa&=U;qQ!C=1f==2b9}uZOE|}H;7%W?#AsrljBO$H2o6jr)vE5N}lwqry=tl zJQN{lF0$;59Snqlv%svj+!B*M9PY)mPX*Z@cW}DK@ zYz|o}TfE`w_~{0M&&jy=BT0mYK4%=}2^EtwqB>7l6Wnq??)J9-%oQ~pf+S(;_a>xw za@iY~(d|!ojhyw7m#4PPV_BSAm_erUi%4NKRF8Fv!bFRy$FtDRzd4Rz{cbjMDcLcm zIQlX92iyBNpA@MuN}AHeOAuRP#!xew;j-d%5UX`R=k_j{Gu@`7kG{hm zo}c2eLaRAt{WSt9PSyY7LO14`&P&tPZfUA@*Wu!A8_o<>Ym(uok;}@!wdBJ?-{?V=Z<)-=S>7u7msT!@i>^|338(9Co0GMCgC* zTCwduz$gxw4=FV8zV|b`4qDKkf%%Z~!+c1gWd!zr21b>@@`3sH3|K*{eH$b20Q-fz zE=hl@=feMsRsEmc6!z~hM^(>duOngSwm*Xg&Xmy1q965K_A`qP=Mf60`Uj}}`O``6 z&#*zQ_4$B&00s`|e!wN>kp88>5%=$L-M!&!N_oHqgbx~OhSiz@QF7kju^{m7 zrAO(H2=cAD!ORh%jv2AVd$3sUGdRi19Gyxe%pViyGe;4KF-4l&Z;%M9XbT%|Q0q&+-zgm6 z4Y#8-NZhY&#Ki-W>~_@`yC$ZGf(CcE?Jn;}^GdlvZ6lDz2SibO*r2z5F6fjvRKLOD zL3VeXqrnEVF@?QTsK|^5_+uQZN-;kl_rc-zbCmnfR$dOk*RumvB{Zj#3#eCiQ`iAj z4z(iyi~etvNIYBzBsF^*^U-u1EKe6WaRSZCkENFbm|?Q>|3*^-cP<?w&ln(_B{#-aZF(Y)G0rf2CuU%|VO&&DHbU1A690x47_YPD?^Gcz)uiRiwf?)$H zDd6>ZSZrJeQabm}ct?W`T1$%^MAd-Ulocq;_F`DOQWYSb{awyFoLv9CW9QLegNCd? zp8pSQP-+qaq})K#dkAch0|Hg3L*`#R+@Gx>FlPx^zwM_G9}XHn9B2o4WLS2on)-Dr zut(T4x z4|-nXZM9;dz>dcz{u zF5uebB;uqS(YCb{2@{W)pOOS5`&4H3D?9g1^?4YfjXCoce?{P$eoj*3X!?j*g5+wi z2cMx)TGMN`Kz8x9h04(fB+YDW+qMl!`xqIF%QgX?Nsq1S^ zW%OM6hIGNMt0&;%4f*@etm9UmDT<@B@Gy$FG%>_e+l>h+o7aK+p7 zhP`X81cA3^2u>e=rF@}hb={@4pZt3}R=U+}aa)I+XODV=-38nBAn7S))LI?xzP0wS z^j8Xb-8chE;)28CscMKf@Z=2emcKQwe*4zGSoVEmWg=jV@v;)T@=3#0JM>n!TaN@t znJZFCgdo?grz*WVd>$md{kD;Il{`mY`-!gYhl`(iEX+u@n;zgADrs$c>?}=Ac3LQF z6*oJ#Zn|-3?t% z)f>^h8SQ!&Ga1I5kouIO^hS=Z&PMZiSvxDE1qDt_i<9l}EaY11>m<3>!kWhScVo+{ zlYHv86z%#=>4SqvZ_VRAeOzGPjn}2o`UR~^1~HQ`_mZYdhE7n6iIsD&rKa*R77`63 z_8pu88)Q>{L7lgzym3w?RSb>Fa$*(kTg~gJk)Dy4JXJSeh7T;unhF$FzDg}K5zJh5 z4)1=zp9&`}v?Oy0TED$&~*d=qlV(A09O`w$hY5`04Wf}#)}InO2b zuZx=wpJP#zK2~x|LPq#RaaTtk&&@WY=pCL7o~j>q)QT;*ug zy-e5e+^-3J5@9C3>NGvC4z0K+DOIzm=i{L~XLbsVZBNbP%^&0W*~mvqk|S_^@-JW_ z-^=A^w_+_PL3n(d(cQoLa@llgSJp~R-;DH-8ktiNvCypzq7vmm249nl4sDsIALc~T ze_5bnNG>capf5{Z-E_Qvq9XnDO`luV^p`w2TF?2|_~d^)vD)WYf+|OuQ-fTkTAs{i zvtvca-i=LN?vlB+da2z;$DqC1Ug*gM-)^5P7uy4A)5*^=sKv)z6I{5GZ+*S-8J22@ zklI3W65l|g2`c_(c7QY^Nwi5}rKk6Bk6vf7!rQFPqVDz`c4>Bbu^U}cvLarkw&n!6AUfx(jTTW_ zRs`EvEQ7Zd{!m4-pteK1WF(~?xv)G;#k88y?Zp~kb0NG~FY6+3Gy`5y1kn{_mtk`e zM&|Cnd&By4h#NBX2S#=T&o0i{+H)Uz`)Jf+($qK=Z>`@Zf-E6dE&=mS&ox84UL4X_ zeK;TTN+)F_ag5YQ#3~&qNt@)GbjfA;iLJzhox0PXUUUlo)_I!`HB@T7)~2W6_{{e- ziyjr{GXCf8Llnb~*P+p((`tynl9Bl*Dnh z8S4ZM9d7zGvS+xsJL4g-bh3)UQs0yx7x;%RoS>9UCOZ${x{doiqF@m+o zDxN+)M09^62_EYx38H%Wm+uVK$Q`dv&^B7-%^!=>sEB7ng)rYbTc^0)i7z*V^@TA1nNkB2#_0E+Tl8$hJHB>~ zq!ST6$Hp&KLq<#cqdo=GVBV$cC8SS#Ts%-87df}uTqNgH8}`s&tW9Kz*DVZNL+2;A>mWVHvAD^o#nsj0h zEtW&X({Lr9D6&$uaLBIUeNp35t+fey<65U6XWe@;4f9ppgRSOEmt$k*G+n%`-6081 zC}YZjHtAlzqRm+HBgRdbbl0!Bt|~QQ-sCq-!U#rCqKi3EdOIduKXEulyY6kw2^6c^ z>Pry%^6S@MKz*e9<=!Lq#&u^cxrzJY0d^OklX)eD(Z{@Hs@d=u$^_B0j0rZhY@EJ*QpCba+Y0 zK5Tk<(tLiG+Wm%vR}txquO)fGvfjwMdK$5}2IHerVP7=)Qj5+{VI>5$Y}+9dSIzq- z$cSzRbt@<kq^wtA^~B&4aqphqj{0PC1w{Cf}V%uDQn@VG-8scvTYrstY2< zTI8*eCeRwuAMgMRu&uhh5PA?6$g3Dscn5CU($`FoG4D z$pfJNJK+V7R60VVFjz5fZXkh!fXf@KnD?Qu!DW?>&?t-xB(_0|5W>Jgi!cEbDIgs@ zM8|Q!qm_=(DeOnjfdR%2t-=H>>A+wEV1cvN@6>~UH$KQK{o;c4XCn?;U<*)QK-9R4 z4O#`Ab610T2yF0ZrQL~rG?U>+zwOTksPpFTO9qh<2;XlKQQ=Y3ztkA{vu=a2zo1S# z)EF0PPzSBf#{r78fZALCK2dr24tV!MmCJt-AAbgo11O^TK~6E0QiXtF3>AcOgSo*0 zjE^Dwzw;)5gY6f0xj)6Wr`qNKDr9ICJWjyyL)TtV4-GK-zgggbX7NC@;g_83UFv3c z4?K(_6a*Ij>hgn4!Qug4E~p;`hxPd-p&4#dZZNArwDTZgw7b>9=Epw~M*p0S__KlC zPx{9HU|K{#T)7mdI$Y~}|a;GY83ghAX%3bXHe#h3qdL@nvX=%{)^CraqHsLv5BTA5th`CsX zLdrpe9@m&ATW)|=HaWP}Woh(z-W?y2m^~qEqCE`dY{}>7k_%Nl6&Sf6?l@~TRhw~W zBpIxPG!=}R6!$|qD!p~K>Vi*fT3hPRRbQA&J6D!pnfCd$mwIVmyY1^MCWX^9#A|1) zaXYV(*ivEY*e=a%e4~8jO+}OOsOOQXzh2|@sxNF05=R|{Ff}ih4VBbz;)vFXP$$$_ zU4JAF(I9+QxP7BJOaFdypaPkxv$MGJtF85icyDib9-~#uz074k%m2{DO_>nek71!Z zWw6;%taNhs=oB5hd9m?b%%D(&p4+As!FsGqkJ4Od=PP{J6W)DtxQH6}s(@3A zBw!OU+b}-n`v~o4`j`;Xj5mp2`!BIc#^fYZ@x2(tp&AImdm%O;5%?vTf%x2t;yK|_ zA&c?sj#>Pi(gMll=VzHko_4q_if8mxvX-@9ANu_OC!y7D83fx@IRu9ZY*t zdV@Y|n{g=i3vtjn$(!DU@#ooSwo^DZP`_>_dlKpqT4Rb?y&x@2HV^0Qno6Y@uJt*$ zgOV+yJt=$hsz1ctw*!y3d(<+=;Yoy+<2}Ju@^D&4Y8fR$L~&M#4asHNhajCYy*Fd0}nNxjQn5=`A zP)+h-kwdKCwC0fEqY24CV+&TLZiK14#v%4EIs8}J#dDuueIeLbdddX#>otSy?5wbo zlv%7-3okD(802QeSEijx%CL$z{%|t3^e#^e|{M~lZxz(Gr)m3M*p3jeBXnF@% zhTs$8BGSn#pYr`~pn*F$I@%wA!@lw?5!d0=Dk|aAwp5P{Y$?0?uTg??s4Ur=l)mRi zTd6Ly(6D%I>638Ly1CPPMa)Zw5Zu1@9Yd_k=T<~aAOmA?@TCaCP5i_#UlChN#6*bK z7v9zRGdaFA3*@d+Tmnh9*UlDd`Ir)jC#Z0o>%3<D4m<0CELH%InzB)a;QxqGb z$M_f^b+k7f@n@O1BUx51p(5~gslTs%{h0LL2s_>&_Ry?rKz{n#_a|0u?aed&mrt8K z5U*VEMdmBaJkNXEo0_R6Me|aEi(z502LJWMRLRs3RtAfQ8yg!&9QT~pYi4JgwQg?E zV!yeb&wmNo?HeA$*<+qE?G&cu=eE2_YLIA8Ja}Bfe(zKR?&+P;_dRz*Uy==@(W(pO z`Dqs zHeRQCNt)X>LU(-c$P7tezj*7OTu1-#`x!)Onp5iKk}_V+&Dn`dTNc?;>2=2K2rJF% zqg8zDcl+d6$hNsZq|7fFT<>~umR2#F%%qK&0Sm$S+B5dr(~Ym~(3-!wp$0mN1Yo|$ zM#Vp4E0!@PZW}U0qCx^%o$kJT`gLZFIu7s18={)>@FlOQFZm&u#TckWfrMoG zgRC;d%Q)P|@A3HQ-hN0-MoV;m`YO?#qEU%iSAx+0;bnH5bk$8kAu=TMFYJDnK~MVK^!?rthz6U z3pH#;P|VpI?w&VJTA;>V>~q{|s3bG&hj2?=kJYU`=te%&BF4#O~Hd~(s6a%}H8b0Tw>>r`?jLT`S_lWwYx|1=TaAvWB&A zS-furY-cM{qbAA-Da))`Ue1t&D2~k%i@wG?Uf9rQu5w)??Nl216AsVW7I7VhA+OrI z=Oqi`Z=5bI?iQ#p8KL2Q#67s?YAP>0HFxiYsneLGSOR~TJH^y|L(aRE)Zpo5{Y;zO z8>fk)n*EBWJ3Ki<#Ck9U%7pIElbG)K(wpzNj!-xa2;TPe^xsB`BZ|jSBA0O-F%o~p z=3?^j>MPose76Rf*~qiP#e)wi&T&~{RcnbTid>yRbUj`}*FAM#&*_Q}1NC6+kOFyv z%O||UnTMNm`Z6@=DuHV?z;!LZLyZy+ zJp+N0#`kx6X75z?tLzoBmrVQL=ot_I++$_HX>|Vq#>&8a*q}}@`~L-#s{)6ey-)TG z-vBGKZx8|=pf?r3(?E8eR(2ou1+0)=FO%I*_P-0lzEAu>*!O=S1eQDufh7+^P44%8 z;ePV)uW7)$_+jVeKf8SF-`RM;K!xs{{zx&!HAeBd>}z;Q#Xn}B=Q;lRP;R*ul@?nlo7AptNXSg>{F-c8~zw+k1|t z-(bQzDBA<&wRg=SfUu66AF8SU4P6Fj1%doxBlc(g1{2o7ut78A0loJJ*nZ}`{tO#8 zSl#vv820*Ye+fBUw;j~{L4ZE`FFNkepzW_9oPdO5hx#vofDbp+&=9&FbN?>D!+*dV zV(%1lG^1@F8V5IYn}X`X01pb5bq+qD8s_>9{|V<1vUjdJ8fY-Oor4!zq3N#x&!Mov zTiy1~dPf5e7T|$_g9UgF2M*5iws-zK8gM^)4h%5p^n?X?IDpQdo&R^oH#h;Fy)*IA zfZGr70Gr*trDH$9b0}=^mbWAHaQV@1`?CQS-~k0&fNuDI9^iq1bfdr45GXIdcjY=n zGyt;eN(AfigH8WIoC`HH__uEa&HhQ83$=g!_oh6YAkhq-IRpfV`hU|D_{zd9pac0O zpAg>P$q7!WJm7?WAanuQO`QC+ExiIpO}4A5gze%}i`>Od{e~AdxxUn~zKn$O1-;RSb`m(XMT}O6(dj(p2dYYZ_E+ z&TV4j$7k9V^~;l~HX2@5AuJW52oRF(E@8S+Igod9Rhpz7U!pt7vRJ4!nx*2)@y5kzO#QQD?;|H=U$;GcasM}0ShKLTbU+%8@fN)}6KjE2_7?x^2 zSAoS;G$r5MPTb7d)X5PY8gXA<4K$|hw{;7+q)M@Gwo7^`0%+SmWL+RKos1kH@Y0n) z&n~%QVE6h0O{Bi>V4`N^dRF&&m3w@WSFS#k7SqAMn5oe#URu zexiLY-L7Ayvy1vg??~XQ&O1HCjqva49o$mYCezKj7MTR91WnnPTG}|r@!eF(+FU*T z?QN?gT^_VZ(CTB=Cl(E8+E#u;QcZGzH~E_ z)?AR^BX!(^$?mJGnf`^>sI!ajaQl``CIt8-zUvPQS%0PWk7wZYk(0-IcU@uC#zyU9 zl%jmp(#9J3NgT?+Cs>BPFG<}P#faig=~TzCdt-M@MOB@19`4ZMNEcSf*!Z|kkry!X z4k0uu<@k={cXziAqGx50Z+Efu$3JUW`a4Rxp5da24)%F|o{+%Da>YVQ{b5fIvpM6<2khet3v*GQzv>EkHNbvM!#=%txM|k@ zN>ox@+?x2}r}Yx`l%EINz5ZYjbuBp@yT9Az zcI-fJ0W#j~hC_S*R)4#omHA8M8)FX}9WtLAPvTI2tY$Bn<^F6(?J9^EeKJGUwz(JA zWxX{zU(9XH)h5-3%~8pDI^=}HFuCs&ZBa6+Of-h`#!g0aYC<`AN|OSusyr=It?1|2 zzlWX_X5-4oBNOMmX=vg?rxa&+D;F(!@XdCEOUm`FB zkXvC~=d5SIsdYdguq35CX@s4N7b*V%MK`1~=AtKFO$P4gR!|L0#rIWCZgHt`IAy67lmrKQSo&|TQU_P+&ZpF%A%!# zq13%&PT1v@cTLKm)eepY@H=i>0=ZN~1I#@eLf zTcRrU<3wG@86U=%H~#RJL8-k6O- z8#C(^*eJoRE}pSHC^mPwPJ|H>+RZs`dg&<%&KaXbj0jbH2y(d6RMaLlLIA1eNB;g? z=X=3k464U7GV2gcz791z$zh0nE>G{Jz0J*MEX_hgOL+Rmjsw9Z1-;=uy=SYj_mn-wfST2lkAf^t=2!CqQ4ZZGuizZ5Uc6z^DH6m+-^Z8Y z2kOz*<2njF34MJ8#xf*bH>=fTh1`X%KYhxq#K;wDVPcYk96>VwxUE*_F z$rM&%7+P)JmWwxH+i=6*JWpp4cMqqP4{dP0-@Ep`HmV0P|J;I>Z0Z~7W5d1S>8RCB z<{KX>E(x9>9r?7}SOGOsDhA*{phJO8?) zv5l~io+1 zI<$|)cF+U$8zXN8ehv#LX`0+7ki8iC=(RzU`IWfW^NDDvxy=LX5#|jggPyqan3MuH zPA#<9bKP5RBFwm0cD<7}?BkSScYSe*TL>@HQybf>utkxE$N4p;hd$+H} zrVQj{bQ{f6QZdS7g3k9}j@+TBPlM zvL6P3?E05MKiTyZ+kJp>{kwi&yPv?gesE=k^7y~d_j_LlJNO;RtsXF`tnAR*jr)=- zP}3UR>VI>|f+M-w>wu$y29sRzfa^RDi1NTBS3IBsCdk|WcmAH|V3r}|7pw3;>$V?8 znGhiV0wl=3;)(~5BEZ?~-=TqWmVZ}V?TwP7={6YC3uU#y;DeDN+#s`%pZ7Pt29FH+ z#i;MkdJPs=;07h3A<%jz`w^K#VS`JC{Ne@pXW&4k8c+xZP?Y=NpyEw1il`0+4o+ZU zZ+ai;JLLp!A6&pu1NKfixjBHY^fy;}c<=NVOTs_vwtbTsPA+J+GT^sh<*N?^4el%b z#q;pbuyOH%{sLEL7&vY)-grP7^x^vLphX0<^3z}U+&{y{4d@vNcn>gaJb=;ww8Vdh z_A^WKXV74;bbqvQ0f$`dI2va7>|L#+HgVH)zww}PfT&}b%{Tx$r}2><%gn9O3tA;{K5VNi#S`OC2xlWH3k+tJxc>lS&I4I@ zf{XAA!($f7NUhuKKI>XYf$!ANRt?)ZwME}?9dD8>d+;h8l?I7gTTDFV+HnHqxi23_ zx_DDDCHMm~+U(kS%A#(tFePSwqcbLJRodkDHWrkb(tGr%&@@}HzP`@nEQ_j5k|eIh zwMRtHgm?gww=)HP*wt|DLRpGCM9*L5atjW~6 zkD7}yQM`1PzMK;Jl3A0XvGzXoRXx93h+pNS({@)Nb z`r$dBV_!)hu(f_ajzUz^fn3rNiG?5XiGw%4{=RHh`U}VLslL~}A!kMK{b(AaIAS1% zmp-3rF)G31)aHJ6PawY6A?QIwUyhfeh26<+#dhtiB=yw;g`ig^B*2BFW zUtqgavywk(`;M}mtfyk4t9W8QuC-F{+hDTV&147kpa8EPD@)-Xk$`1#pF!!FmSkmvHx-#ojh5eb zFb%5idvcyPcgVr?!yjAXLBOW14Vgvc&O_!7^kG9iCGoD$Rf25^3EOb+x%p5r4TZN} z75nOfX>e>G-NSxVt5Y=$ZNWQas;+2a0Z1Jz&YowsQNzjW;v?AFl^NzNqCOqpiu%-> zm%0&b@sV&5wBw2DmJvpn3>`Q1ntAr{yb2;d6GGap0U5zmiLn~Kn^Q)<`7tEv?@7`L zt36%#7LDe%#-C)AIAI@vxkfHGgJ7y;(d;xWS`_i0HetBd-;gnKamB ztp%TamdwmcS$*%bEE1bZS&Gw|##nUsWt(id>L8vEdH-^BtiiBN?X9o9gLAJ)Y#$-SK{7^=o5G$2qowJwm-=&YXQEZ{c5UHj>N1CRbr6Dwb~UD*~A z?gK45%C^vTo`C|yS;7F4{({iQC9ezUHD~Mx3{@S|@44D^On5vkyZwAX!R>eogz

16LoQGT$!Kv9z6rhPsNcwzhWlV~2T@ z=L6PDtBh4=m$oC8)i=Lb2$8#eX}*hBtvvOeId+wg5A6|6(@9MHQ+M@5YkUf&yE48! zevXN9jOSYXlk3P%iNth5&*~m8bL>nfhgV=H%gMg?@E!tdPvvGaJjMVV`v2PQ_Kr>m z7=zs{@ox%3;Pwsf=KqZ`fSF=KV5XRmUAMd4yFX022XnQAz+5dMFjq@(riXqtxOeWE zcS0XvqCk+qvj1N&!eQ6zX7`8pe)F$n!V$U??q5BDp&l?w{Og)>C`}vOYs$~TygxkC zLhCO6q_=|^`X34#{CmpJ;le)y#|79H4xn24AqE5|Za$#tJRCT9ad=Qg_wPgczZN5f zc|F0v!BlOBQBlGRb?=U9*a`X1`fY!_@qoB2AD9TRYw>PH!Qa)Fg*V=I=h@Lf`(Zc< z5__R#0e%>DLaPV<=Ee?pxb05;qrt`n1hKpziJ4~~8Ey`G8uN3ovXPK;H><73Jml&FvGOigIs>Jer>S@mBXo92Yd%7|@DPt5{y1 z-@R72J@@lf>quq;C-B1r#f^W=2H@$)%Fgo}P7>~H_*sSVXV89>QvozHAUR-*@1dZ< zpAAR1GeB)?!Hz`*EwKr(K`Vno?Hv!(Yw(BL(d`RAx^4fJLdy&RHXJ|&wuO-2s3_s( zxI=#NuKTlh$^~2i*nzbiY`k$nGo*nq`%vKEZ4A6WkGEawWcOfp7@7!V9{jc49c=nf zIwMdt=Qqv%QD+2F!T-G}5A+ZO62%YlJioYZzyr$zB$gcTO36ULF#Y#$h5AQu!>hLg z*)N~TY~90)S2}rZ zPRc-(6u}QYIhi|%OO`XXLqSeX;*#{MMh;mfS|Z7<ni4PmACTC5ks#` zlJJQ*oeFM}taF+!rsbU|V|+Uk&XmTJ!L7u`w=N?~<6fC;J9LGJ$uz?Gj4!)bGNoY_ z9h+hJgA+*4fXYZj#Kj$jxMIQZ&Nd>bigBMvn=qO4HBY*QyXR%nfWhgJEKJ*DI%2}O zfea6pP2}89UFdxxbXw`g<+G$;)YM*PO`=A#jX7{>sfu%GX^f@^tSesB z6)`N&^U}Hat>UzbkyiswJ>%yuG7ddG)7?*K?7Z8D7SI|_P3wP){XlAxJRzs&pQw77 zc8)K!*JSFd`+NFi=}$@|==iebr!tbK6Ve79>)f7&EAbZ0o=plav$K8IP`wq;_{ito()$>HEaU!1%>=@5i-8=CnfOE$9T`XM+Sgle z@u^m>`lSToN1pTb6*itiGKp>PY8-q$D5Oj3Gv=_47~}foLWWzD`x$B5l?PKpV}mM9 z&j+W2x3wzAo5+MSlEu8!`q~7N>OT$(>2rvyy_g~V)*!)ny4Bj2SN8VWOf|Q^P6OML zR7{g?nw8R9HG}~qVm}A6r*h&17w#=~^u!fbHX4l5l_*VhrWH{3F(p(gm)(z2BsLT; zy@Mgp<9-S;gu0W7AcB*G|5Wbr#^<#)dQW{XX_q@FTnQnp!hLC4nXb`@XtG?{WkfY? zW!;qDZQ?25;*D6woB`BHj$ zweL#D$W%I2u=DF=oc%1RbQ5VQ2KaNVECw@#-U-AAKdf_Mm{c|}Wu3I%Jll`hL3oeK z_JmrO#e%22-(%n6{Hta79AYQw+tgocQi%A9eUekN^q~AgC0rwoUWd^Y5o(p-E1Vp5 z?824zvM%bUX3rWwj_j@!8K$3!+8}-Qw!(cTD3?*PQ54^=8o5D~an{J6(G4L$YP?I5 z4W<0*dsi6-?2#Em+j#pATLj){L@Qf4QlbnDFKUTO*bHin@Tc{kN@~tN{ zeKWV5?N4`>BFm&6y;L-C{KAx2pu3UM)w$!^XCyH=0Hhsm?#)Q}x%EUt7!+QZA(?okSjcfyMF(dF+i}Tn8fw#XBRLSaVAExm!Cj zsO;tTmGiYyOr>_Ht}JbZ(W8nyjchkF3$mK9vhv@3EhB%Je(Xxec&3wqO&|Susdb5I z8(;1gyK}kDJqzwOD+T8KEbh~>3Nt7LMkfhs@Cu7FKB^LzTrl?3b^ShZfwzXiaJ&!6 zsO)m6}P;eJjX#8aqrctr9ym~E}fMKCBxctX4dgC1Z%m{R|GWY7wEa2WPN5@J^ypMWsAl!Qp z5~jI9(xGq%w}kEsL7E%K6-mLE2q~%U8|l~^;psuK2s?HJj~LuizU$G%q;3V7rKS4E~rHfkMIGf}DnIKJ5LTU+JCQ?}csNe|F-7(L4M3l;B_vQWy`JvIs9OxZ4v)0}X1p z553aDND3}cdx9MpIvtKdfm2Up@9i87I2cU<1O`x+V!zv<2SiYW^M4*rJyH`b2zZ5{ zWXB#fE>3=M_W@Ng4g(GR9S5qg00XH5GwZ+dPW!zE&2r-b5MksFH#Z3Qa{mV%%Mtoi zK~LG7!0ZlcgvJA+%3QqAvp!TRatLgo-wq~29idYd^ghc8(!XKgpk-LNfllU7;Na<4 zj?k$J$~*ae?lG<`)B_J3tr% zt^(vfgFO9zpQgM#2Vd##`g}Cd_NM~01Ts`$2b&6D2tv8Ve}@K-**U^I_8$}lH%KG~ z?7|Of=P=mdPK6`PW9I@QBxt!SgQ^?wr~Z5vgxeGlf}9|P z_IJFT&{g8EW90uKF9MdVpQ*DS`By+)cF6pz_Ujr-!ykxT#;%RCtaKD5&$5_5RU^iz zH#Fq5SK{H}8YQqrX40<>HSk@WwBFF|JLi#|TRVbUJAI*V%w?S&X9k%}^XYe?3l4S_ z`grkDiYEhSk;IX!FICYH2O3pGRxF43y0Kc=aJ;Y&Ve_F$dsi``8%o#u`pQBB%lCxF zQu^4h$3GiKvRvH#a+}*U{L|aM>YNU@}3g@%v$A-i2$KVa3qgVAchrVNa z+;p|nsj>pA<32XKt^%o0&y7Xbdc3E`x2+cnPfQt9__|_{D%3VuNV_AIe!l)a@3M(I zzG0p8mRhfW?Oo0Xl*{@8DEJghZ69`CYc`Va(5&*;j|Heq82I-+j~iqr{>(tnntyFb z!tQ~p-K55)M_+@nY)|OtEBRgXleW60uRylFATPjC96 z@4Hx!vzcJ5iJ83U{|VnMm|S6u;1qTIXT#YCmLvRYoc>ZHPq-WzJCAP>n8qVC*7@fL z)tG${Xs~j>MQieP%7Cgl#|hLPmZ5$37>!0$o;Heg{#I|xJzD!=y#Qyt5a|nR6+Oj7 zq9}~`Dl1mW>_Td*7@`cvh#;c%=X5oCGat=w1=OjAVBNN1Hsi}%opGhOs*O=8`qIpL zOr*|MAa|;1h|_}ku2_Vqj9POZ`n> zb`_1x-td!D$7`i{2#_bP-i@V~>J~DnV*h+XpIqb&=EJ+mEJM`&y6W0OYhn5W-j5uj z5ga`(j`)VujnEWs6^<162H1EMH1XefL@Q1k_CAS0x73xF)#Xgy*$-64W8ZRvFsJA* z8xLGzt)5wCW$UdMYAS!Tfc@NXQ6g7Ev#6LXGOs={Af+_LK>m?I+n0HvXyQpPOBAL% zr$fkbhF@YkekE#6qb6rAzHFD0=f7@|q%WoLQD@mvN<4r^@8Qxn69GwrT^#;aZfGy=E6mfMlHim8DWo^j`~Yqq)0eJ>u**gVa2 z)+l9)ZtAj*)%JbWWF9Gy>wM+G`bzN4vs7=r&FRm1(~^xZ)Y?nMtWb2?Nc+F~hOzum z@na;SQ&n$9lG0nv?JnoKdh{DY^p|JRSgvx&W|`aTRP)M2ld*f?;ILvyh$b*hRc)@F z;oyFZJEPjwhK|OYSZV9OUHqA?10N?~J@#G)B;lcspL>|tdVe3%r9joBdh`1;QR}6- zG*u_>=NGx+iU$>8o1=Iz$mDE3rHOx-aCgAl^|^^r&c}BiGfH7sJ?6eHHN>#4tLhrd zQyZ~*V}`XL=E+RA-@u)H79`-WrNSM7t*{*VC|zFN?zj%!2gCDYmsGN_Hwl7$tOfghBQBV2nbNy1OWlf{Rp0@j%7^FRqUpev}VAPx1ukvhbRjcdGFlf2E5G?V9B?wtj9|Z_VoJ z(KHN;q^@8I`oz6qoAr0%dJ>1k7H(Tp&mVr?N(76nu|#sIb4xZjQ;s( zwZ)>Hxf!RKb3YMUl(fg%qPPuu$j{hsEqbi<$qxnG8LF3hRBRMwwA$Sner58>)A*-R zK|K#gB{rFelIy=G59hT&x|^4-4(i)Y%A9z6Y&?O7jM+2Z-LBkz4fpEE)`dSH19}yH{9qnVpoki z1{b3u&m=v&o#~K%>suZ?>P6$?)J($#i#eTf@!NTJ#CpqlZjK84#7rp)x?05)ex)2| zGG?^I2k4|NZpK|_=oME%2s6WFkh?~dDPpy(gAuh|OwZ>3xg`U)dS;t+Ty7h&g`8n2 z6}Qx5CA5APsnmlbl~@ONEtmrFJ|6YN>A7NzCY|r{-+|6=#xN!Q7)E5*F`HYuVxHQfWd_7O9u85w!@;vcFe`Wf`L>te+kYlUcL^89= z^=D4t#qD5VVl$BAA0wA2Vc@$Mjz1_Jrnq@IOxe;!MsZwFBjy)`vcZ(*W78B8-s@Wb{}Bssy)ko zz@LG$=-z+rdKW`~X4i>W5!_|=?bN`-UMq0BfgY-%|Fvs7xBIZG0)u|Cixc{=$HRe# zJt-D=fYKtnKfDJ6d;n_(4}hsHpvTk0X}d!g54$$MU}z5 zP5vB3{WFFUrmy%xQw10*TB;J5>0f186r#}IA#|mi2KcEnDU>!$M$B$(a;xM;MxX~Eq?f-adQCL3~I!87&|$*GKODV#{aD6e#qPY zgJ~N)6~iws=6?naQ2QXu1oYefOodjq1y{hN_a&|=T6wC%* zP%@DliV1`}c%aoOLCgf&om?FM4vm-R@0RoX3+&NAgAvCde~%N4GH6{}z=7^^jvVa2 zA&!C3%HMJ`!BYJ*kMf6a6j~hx2y~&wOHgqL7u2Z={Cih}^t)0dpus_GKeH`=hHbyw zxS(|*0Jja>7N9a8{@+!|KDaG_Zu^zH=nlvg1^J?&umRBeaDm)85Is8-G&tJ= z!1gn9^Jmz&AV4n$^0{ExxPikW56A*LEV#eNPyo1t=cNA{L*e28Av&O|;(`_;fu>Lc zjTQ($0I)!}$nl$s8gSHY0Nl?^)1UPmH>f(iA;0-O4!uy*A?qHb|fbHl`Nzi&I(1c9TS-WO|&;(6rb#bU084vq!B8nV5oPV$2 z4Zt1YF$v5EuzKu6;{j0=Xvv_%LOZzn{^F1IX9I43h2!7?f=@8cI6<^?w}cB=O?ZAA zeL7h9eE-OPG@BL|$e)JJOc*#|t+<;40QEFH1UNYFboUx@G~o6-4*0V|y(u}N#m0gD z5!5&W8Q;Iz>JJ1_K(GBgO9A5!KH0l4vHhmlGx))uC(*&C@PjCz+0VlpZnJ+3qU?Hf zzFuCS!n!A zamipnO^Azx(xde0#S_|CZkygqHMO^H9V>t&NO|EV&t%QIBgAk+_Q={us$peq)LRaiOhc9)^;BCo+;`5F`X*W31?G7^YdC#_DTK8U2$AO${)s% zy_RmG&@>=DulFfYyl5KA-b~3vK~3rNN}6l(JKe|YcZAB)azCeGSWe%1ViwNL)NuJB zACtCNb{i=&<@Rdg+%W_j%eg6R;gL(eDAps$q|En}G#Av$B;@EQyY9W4-UniRG_bokih$7DccOw@C(Try~9hP73wpY*sDhdZP8 zY?GKRYUQG!52PadN{cP)olR0DTEC0S*=5Z&zUBSe@)da^s2nS?I8WcaJN3d3fd+rU zEl5vqn7XcG-8P@2JNkoW_neBl-nm8MF8*tH_;!N%=j@o|F6dp+~Nh0r0}-K%{dz1 zRktL)#qmq*pIo1_hv< zosJ?pj8dOKVJ9UulWJ_$E7}}*BGn!`ER2izUMPjMC}tdih@IIpgS;Dq>s&SJBq7)y z+bN4G@vE;8InJ*=FUP~usYSCA=?%T$AeXZehCg^lM))j7;7Z#}0(G~X${=YoTi8@U ztzOVhY$>`f&5O%9m$|l9M{<1qiz~V>3?_x3h|{)7coWv2<63cFy%(v3A;63O{nWyx z$Wz=t&w`|-@vW?IC^qyg{D2F|t*~jAU=uC?w8811qi;kNFW0k@K zw3VEO$7fXt5^KwFVpcEBO3u)WQBkf{rifq@_=-qnw7=}!|0mMb7f{aA zg)fvf)r|-!-AE`1at&WSsh?*1Mq=a`E~S@q;lge2WLFjM2aR)6%HAY;pByy3FGjo) zj32P$%j4!IR0`^e_{v0QYaFq}d#mT#;t5(V^b5>-S|T6OYx(gwP-+Rge0aTZLb}ZK z(W93floJsygzM^-o;Z%WVej>>>vE~%8*QiUq4safK3dH?+iQ;ZjbF`viob=C8e`9C zO`2<$TbX8?m1U!t_h#_vB>i37t>f6Z^+IGcy<^|vKQy&gwg^7#KWQJR!1tEq+JN!U zD$i`OV*8{MWa>+_X?U^BmX;GMg5sJ)XW}=XJ3WY>M<`6PvO2`nEkmy@`v(L$~&&m7C_r8Cf zeX#a(x7M?U`&!p^-QDts-#^*%n8lUjXmMBVDYjYcINW(V|-Qax|(q}x$ z>~W<*R5Xpai&NyuirYzw+}eQEH?gKwgO-Ww`l>k_tdSxpE=wdx-)5$RGiomNJvD{f`BBv?RlE!lgv zNZq?aD}%FOUL(Ry)pFrodh4TWIp}NTcj)EOl4P5GOiCFaE9A|QwjC!`4EVycrmYvC z6tr@Vjz#&ZnVn#2M4QNo^Ox9Yu%T)+!RpQ)LGr+P}EyMDn$jR$zp-H-3 zIr6zll=$Pl;oEY|oEcnEYI^w^rdQCJPc5b0ab8^dt_L3OEOMP%a8M5DYhIAX~0rvoc2*b7i&WBK9 zD!crV{%lNlNQ^)d1!Ts+_zG~B1VHv9BmlbecgkLYJ@o@Xw;dc7wKEe00WnYjh|!Sv zq96<;zQ03^QO<;eL!$ojrGxv0f%Nn*U%LIohI%Uen&bZ2kiyGW!wJxWJHf##1;OAP z+WiEFaw;77>IT1k0@6g}kb-LC04Vqkofp-R9;E&r>HC2Dev64))rETi)PYY!PsigA5MtuqF&A(e9_` z_TGr?oC6MKTY&HMh*8~s;Sl6wxO7_tEN`N}fuc}`_AAcvhtm`+xnLoO02~jl-9_Gq zK>!7r|92~|Fl6t|&Ms3L1bVb19Qr*CKQ zm`B1uSc9VJuS*`Pr-Ca>@Kh+Orh8z$e>_zX22OThVMg)PUl%h}PZa<~u)&#dZ_9tm zu=o5^fu|0_6L)XZU7D(YgXjL;sSo^S=WNV(8mt1KFbCp%{C{3UvFK>Yy6I9s6XlfAunxe0MY# zpV|m@6i#tcRq7$*>F&CY<@fCark`F>s(WL|+;%9p7yszmroe5RT$+VN9rpqN?E2xE?RDL61U zKQ~a-JU;L~3?E(mEz<{&JL2=AT{rBvC{L;YSkCA@PL0C@i+lz)4_CI1>1G@9Ydfsp z@tgr47`Dd~0oO`3!1{HTU|DgptE28><~!%6bs>KG9Cv&Rb6y^e8^@fPFy9Nu`26zWZ25pkO2gpu{h^KNXER!VvjB-IX*S*-l9 zLW{8}+L;CUNcnz=BIk+2=X?#uZb?g;<-cOFJ#zWYLfTZ==|h}dS7MDR7Xx2^Au-O^ zoDeKjh{@@gt@U6m7hU0aG3@fe@4mMSg9`;$(*s>SZ;#>hS08h*ha4`nL>T2wmYa%i z;b@RNt!ho0Kr>FoG!OOAh#UD_gx4=yO+Pv7mUJ`O^8KKMfu(R0y)04K>@>zw|L#~qS5FRoik zKanLF5)aU19YznWxKVJ^df3P{POneu5TVWCxk_oNo=0tzgrOUPic^V1U#m3ht#Htv z_>j4zwi0UI7_-y;YD^_Cp<$*&tsF5skuVB8STRfLrAS&{VZ%wqhM+~L;#oi+G9Jfn@wCgRZ zF!A-Z@g-SYGVyvWGBeouF^2ne%tduJn3j{*xu&igC%w7-cx~mW)uEHJ)D?{;u|$>W zkcrIDY_i^$C*=;oIHx^5Qw%J#M~o_SdS3b1dcGoyV^b2n$7tXOp;Hm7FY&d!pl@?I z-?V>5y{@t^r(`(|^06~bzBHOZhBFpNJt@Ihmi?j{ySJs9!52f03o~`mEI#HA)Q3pa z6VmXa3-xH*4EoK?PJcPoXnC>0nC$0q1y-jcGD+cH6iywCoKLyF574LQTwQBP$gV8m zQ_*X@eeFYDsaTm^Y<^p5TfHKuQY}MAf{uZgHCy?G539Ie)sk30STmgK>NQ$6nvSq~ zph_EVz^yUdC-a(pate!vaK%43*4nr_;rTaEMi*0ijG&F)AyVga7K9)DGF_(WFfNuU zVNWArW7oBLe`mq#pHr^2mEhlKSaUk@nl`JMKAA=<(X_q5(p=-8T3L5uX7pOP%P>*T~R#vrk;IS!&kGWM5{ERS=FG@2xJjZ!dy(94y z_MKkyYTP(9BJ6y{WNg_NXt?auqk@MyLr&QnzGbIl>EeCJ_1plu~?NDMI-`E@6L&+wMOESpLaPi@qK`#FO|psRc3?Q#X(@p$dSW3o0y$P zf7~a7sNNvzC*zmSr_$(t7!*QRmTnwrGo6!va#mUQRNJ`^&fFpfnib5|!VU>}5>U;k z57(P%IPkLvA6_yPbh#QUwn}%8h&jlMXDVn~X+8f%a7oDzXYPDy%+afDKT9`Q(}G4O z7o*}-vYhlAV-xbLZlRT53SrfMHDOwMrsCH9hfv?p*DIM_y7!C;*L?^(ZoIL6orFa* zo9i=OWjpY7#xwWEE0#{%5oSi(;=;lU{L6+ni`i+fo~ooT%UlXSwscZRR^C6*IY`Eu zbl_#ysr2Y?sjFEwYZG5rn(L;+o~JGzyRNJ{FtbK{$zhDDI+^R9O!D$ulBv4aO3v)8 zr(So_g*Q==eNR5roO#so_S;XFB9wY9O0(w&&k#K#EKEIr+>6L_+lND7&IkAz z3=Z}oEP~)4gppL&9ici8#rf)B{%J3@8v6Zkm{-fBmv4nAxj9Ki=94!9#!-;Dzz zA~~4s0Ex8$CZ8~PC^8-07kdiPwrXWzl{6JFx-! z5rFA|2z)=Wp_~hd<>+97697Spg4>P1f&&FnAiyVVU%{b5+YZonU}sFBKzl0;7JuaW z25x-782?70j&e*7ZkEDxWpJkhKq3GZf%i=SI3b7tR?NO)Lpi1g=sNIMa626bx0r;x z=)(~$VaRXv^QhJk#MX8&@7vCp0%9_#O!4=g1u9emhUG812i2#_8KxYquds#m?-26I+_BQ=DM%pgv z2g+vu%1A@Vm5?tVs-|%2Ae=Qo94fFFm} zRI5R>;pjkejGPu%lZD}H*)Be|r|)9p2Q17}j&#jPrgu#>j9%w`S4}CVtd#RK^m-qu z25Xv@T(N3^s=Q-q;B^bB&iI6QbISzLtkTM4KG&qSt;&&m@+nU82IIA(A<3&<(JNHu zm1(Uty7B8iT>~O8TQlXTG8`!yy?_wWYxYd|OU3&rVIJsB3291ZE~YEb?k&Ph&nUktnKSp1A?T zbt~;|78=2Gj_@_WIw7e306R#D6Snv{#X(4)ZiJU2Lx4b;ORQ?~%kbj`mo*)i!Vrj6Dc7osx^SZDGc%|8~g>0P>m z&7LQO_rbidgtuOa=+BUW%g0*Reg*TtROsf&%qQ9_c z`@UF@lfF4|q&(N|4Mqd{qvKz0-?w-6b-xv`XIO9fIlfOj~SQbot4%eqqgJooyJDWCN1P<+iLO`4!9e;MEFxODd{ zjG*+7>@|7c_n>Up&VzD*KYqzngsH{1oC^0lL21hZ}sWy z72ghOMagM&*5D+aTg_Y%?&QXh99&AJG%M%!thJo0X>Nx#GQP~WSv=+Qz2|ghRsP0x zzS*UZjjrcdl}>0u4-J}v}N6h^X68| zqwQ~w3V-TD$Mr30T>p|Ja%aqO>C20wo!xpm=YvLNXs@~zFqKq!p*`yJjBzi(=_x4? zNVJ}&e(KR?@a`KXFOx0q45s)(37YsiS_*$dT~sP#-Er5V?Ac0;H_KV`x7{_eU;UV2 z8yYuCS;^OEIz`^%JD{5>+ivPpSvy14z0N{B{#=X1VKUZrVjSxh{z3t^1B?vg^QFEO zf~N5wRMZqYm%ed5uS_nDhj2X?mr$NKLXvm!Bw_7qlk!1|P?K8RNTM|tlM?$$5dnke zo2Sm+x?N&?epDhsJJi;a^D1WQTB(%=)#vLKLP5?~KVw|KJq?o_G*&&jMB`BrJg1S4 z_c2Hd%OaXl!iYojWA1%i0xe4SBNA)kcbVpwb=`WH(Nf6TGNs*M*NTj2?Z?pyp8K6~ zXO<#-BTg(p!JqgZ_fEI&NsC^Ldc3pba!ohr6}ag;&Jtkg2Hyz5AmB=^QlP`_y3Nn4 z79%QKaT(un4$s(WdZie;A<@9}Gt4#*JMFHk1bV3;M&Kg$*^ibvHDWkynS}G=^pv>A zNTYnc@-9jQ4q(>cURCh_-e5tzA~Qu8=w17Y{IpY9SVE|sjeF-$oC~T-;UgxhC&R9F zFq;Gf8b}A9B|F}GmaykrhK8SWDvP>Q&;v-Of#!;oT=$P$k&Q)g9HEHK_RJmgz>ey+)XV%-+pplAPwgL4m zEAJ961#G-fUhY~Ul2v1$ZK;&%V5H}KFN?!e2gS{~;v}828hmvUJv_#GbHQTzlO|(^ ziMT5*`ujA&UeDFn`gd%}E@dsK@|sAOr<4m!#XEnntmwQL5h1H@cyUl4B#XeYdrVrzYgX(ZY|?9X>p;^_uMMqLu$K6--y@c;XOo zzOdU)Xlb>~j^CR&Y?q&@(CJWfS{_lm8-5~^;dXJmR3|B`EhdldV?`xGH-cvBCDTtD zHAix0is|C|)qF>U%{EM_C|TdW`4BEAq&pMO?s`+ycCg96N0&J%h}ihh6#dKZ4#(>b zlMJ)Uk@UM_V|!Y9AHEp)iRz1W>V-L}U^Z)XW9Lzg0%=>b7cHW=+6*&>Q^VeKK+b->c%P7 zm`P>ESG9M8{Ws&7hl5DNJ2Mvsr~^IOX?=7$pPpi3@;M4MON>dQvlt_v?LXTou2;vu z*gcZV755THW$P!whh~Bg+$G1uiR&~H`}`y8u$^3a4-b$;;cb~;`(hqYHeN7YIb*!0 zzx5!?=}lSkN!FTYZjpD<4c>nrc+Q1Op6fSfa_NdZO*|-ly2+RH&41Z&RFsp6l4U~I zSK#Ig(w~@z?H=Dk0T)70XxIJ;7j7RMcJl|}9{K>G``_R~gzps`-9xxofe#RbxfJ5V z4(|^FvOfd@2n4&x58L;e;E#83LkO^X+xeRvv=M?7)d=nA)jk*?9?zPL|>(4?%s?UUXV%rfsf@Jmgp`psXwucLuH2hg? zNMs3QsPOawi9*0>BcO2J|8dF+7;)g8IGE6oDtJMl6NM97cZzQ8D>T&I27jjyCN=@U z_yn>`AVc1cO%Rldg%gwZ6&wm+X?vO-Ol)v)3kK4(zhVQxhzLB^{fsG!gc<_qX$RJC zpr3$$AEV&T`z8S1KM_#u2%hu*z61hfj|hHyF*=xj+nEYb;BNp0^e_lusetnih*bmieF%^_}}{h%GeHY%>`DIFu3}7XBr5C0R}Yp{l$ig zstwsCe}}_L+sCneAcc@!;`F^u0ksaS!VpyaILI#TILfAgOil)DgKB}e=ptlu5QF<4Q1pM5I zeCog9cK^=G`xhb}py>V0*OQba;5%b)W1?;5$asN~?~L4OM!vIVu8zC4Es$M2W+ZMW z0s!lM;yDp852;blr}T9@JJ{ym5Z3 ziNm;tlR76!Yo5B-@$~JlhBg&?2``=W-#d>V&R8AE&U^bpz4YtNSYGhkqMt3i9-8ri zTxP(Hldx-cWy-&KsI~byImUORFx_<~GF{hZb9<+dXUFrrmiP&nXBXNFLa6QW``fDG zehAfBUpUoQa+~BXE0Kf@|BG8iI0lqe-)S9<-ab$EvHy5K2Cbz?{>Wvy2Y7F3BjZQ5 zE=}bGUoE?)eYKRxKkDe_RgLT;003NU50KWB&iAudepvYNWIMD2XJAE;ko^U-{l%oh z8m$(w$M1TBjpt2rml}AL&gyKMrv~20Z}GJHfgaY;7^eMk*!m(7R}Obj_dB)*EggMt z5fgg(NS6k~0&O)}S+BBIa%#F--dl+z8!p0;A6rsHt|}P#)oFfqeWzoPx!&%5fn7F@ zqRHCHIHLiR5MO~_aYTJO2W>;PHQakWy*Q=C=EC&i>VlG(gMBZ$OJC!s-eZnqLjnZNzT!voBBk+=7GIpG|OLR;$ z*TSTybJ6EWt@ya3(G4`7FOPhleAix(W1ZyZeLM+=gdIyhc%c6fwL=CrR;)&lZ%_%W zHEH8S_#NGk!_;FcOA@Qf0rT!bhK@IiobNT`88@p}#vT$jj8Sg4={1g^Y+j)EDLLn6 z;MqV}ALjTu(zvhuAAcah07_dEdrVOZs*CR^Kst z%eGlQS_iR5;t#~-NQXNyd>&rWi)phiZ=1si7PulfnzeGHCZyH%!OFx7R*~2(y4Zlz zLi7FK%&r+$J`_;-ekR8tU81JkX0pX#;g0o19sRy{6xiCd_dZaxvqi-bS!CTa=&2Mv zr_$~f|B<3J4i|U$F1d+Mj*P+m!q@yQlFX;X)Uovh{U$%;*9+>3^z-*0!hM(d{)`Um zET}wu$l&nXmml9`1Tb>?vfz3ShJ}6$EHdaCV1|Np~*_C;hjJdVv@t@KY6dBrxU%FROmW_kLemd^5uw5lCtC@80LGM z7nk!|q`%2k8+0*$do!64DRD^!Jxy9&=xB*r(+0<6pSl+e z?sIUjM*EZTKNRO&l1YdKnq8x64~{Eo8N~UKWwr8`Ig=sW zB7Qu4sNBP4@2gBw89`9q!#smH{x~;`F*pV-S?KB}M<^axbKCojmY)=Mz24>QCpJNv z_CSw7`!3-XjSmgQR#t8W-;WI?UK(|uFRpBX6(n2U&uFv#h%NncW3u`7yQ_ zQ4ljp@Gwb1r&Te&x7F*~?lZ?6&p9wCvYO@=#wjJsRuT>Lp4)`w5@b1C^IV)C5H7Y5 zUhKClDK8XWt|KkHIEN;2f;rd;;*mi{@*;z-78acVtKv|e85MSxXkQR=K98$hnlYH; zfzRTXF_>5@sw&!pNj>g2bXO(nF&pnDOwtZJI)RUGI^-hhgxa0Bh}I%Q*vYSsLf9Ma z-Wk+X3hR6jBlOTK^O=~(m%SveFz6KdQq8^uviKI5O6(W8(UEgiA=!`*zI|<%w&D|l z)z0H?Tr8X%d{>6+UTQSWu%KASsec6_z2UQ@}ZJox!7Z@ao~tHh4Ju4Q`8tdl)a(|iW%e9vbZKYpqprZ{JvcoH@) zmgczLBKbTq@U_?GY`Q``^@@P;q;AM3uM|t^$+sOTxYWydRx_U>KjePT?)4PDBL4ET zzcG#%q-`b`-{7S;?Z9`xbrzDzV4EW(bUuP-507KJNg81hE_+MR@?UR4!^AkrXrZn@ zEqiB5?CY^t+Dt621g681$Dm1ZTdBI-ShcVXsl2+Mv9VZ5sDdC>F2~)GN=S}fGeb}A6fPO!!kZw6X_ah9}~YYd^y@JiwfmJQ6+Q_ z%C)UM-9?H6_krLL@V}v45Tr^Lvg1c0073X_!%;4TX9?m161YNmiokz@a0o$sKmu0+ zNF+=EiG+cB#%g5bZx zpr#5V+lk{mxkiRho(zu7e2;!4U!QjF1Q% z9Yh$m2?5#1zCuHpry|~&2Ym#fa7y=?-32LuYC zf`T&OZG(#x!O()K3@<1HgZ%~)L6r>da_;%V&_F0~dokdq1czsU7aAz|0oYkWLZX0R z_#3Vbs@Qf}1N~WSU_t^x;NP(c!V5wJYqbA8wu1vz|C$Lqvs3`MQi6IXpdSI?EApE$ zMVUk+*2jaH3Q$0k5dcev0FZeK!}(@_g#v^BKR_^n_t<}<51>Z*KMfTjh$Z`AV%u5W z1OTT7Ud$U_ghT*t3QU=6+&BwJYq>J0p-7#F=bAP}eRs^4_KZ>Vg*< zLs30uTNjBOD^x9oKp_`FaAw+z93fPc|J4*ubBCK@qGmlaKxmAj>921- zs-^(F0h=`niW&qVz4)(yL8UCPGoeDs5T{&Z(?5f{enGeX2LUSFIOK28Z3pUt!dKCK zLS0k(L-s>3GS5{YKustixrl%H1IHw6Ah=Xr_*^Du%)_&fBRG75`F>&)<}xJX~oM&)IMoQde(Ij4tm|?zsz~J zCjQbYX&AX{$Aer@tHx-W;Ksw&(`<6? zgUDR7Bc8fPdnWCzs;Q6fZt$0c8Tw-!R+ZXF9#n8`v*0c|&7KeSHzgWNMz{6M_isOR zlJEw(DWjFgHIEEf7qJrY&(EyoHQz(V=1OCeT<9CR0_Xz) zauTY3CUS=THX4RPNEH9pfC`gXJsyjqH2(;U$lG8__b`?gbT(0wo74B56jvvDSBRZz z1Y_P&OI-98=kN+VwQ%nwTTdo0{DzBRdgpNUk9qnqNIxq3s;(quiufH(QCfNV>uO0HX=70_gp`-VnF@z@%hX~f|-J* zcZ2vCt^)PqJn!(Oomq#Awfctj^fM%1d~YJDRc3BXm@iQH{z{n@|L4(jq3l$(s_4O0 z7qYLyuLNB8y22ogIFI7OyTzwU)ZR5YrgUP+$=u4J z{IrCHFOa&5b)u>?m?rNuJFe-tD|$MAsl-FG%3F_WU6(ivJ&w@U6CJ~Pil#2#ecIEs z>Uncv>*I?qjpbPH6R}>(o+YGGdKh=|+|ccXOag1uxBk#`?_Nv?Sw6jKi)$k=Jg+ol zs~!FA_{dCnd(tzB%5O`hLHZ`yHrGlQB(z0+NrL*`w6l`1*KLr+d1D4TJ$j&5a+ph@ z*;%*Zn(;kGc0O@c!jaF%rc(^C-1)^NaQmw|<+zx~tgjcl;ScpiII^$)Q(-Y!PUo!x(Fhtz<^3^W&a< zzOR~obe&6Dw+OZrKBRX!b3RcsFNd$)7EiSv;(6inBj(!{?PkR^n<+83D?IPz&I(@O z)mS)xzdl5dJ+-jq+6isz_tri%ZmU2qy@x@g?{n6t&{7){kvn&>5{=H}}+mJ~M4 zhOj43DctF}ElrjxJR~aw467&|6`kzKu@eW&GJ33HDsPTp#a_b4kg`#S`CfZ{q1(K% zZC#UUHSLMLw>JHh5-hq_Gy1r@q5OR<%g%rwjf0irCUX(y2?_HLhhmnE*2C3KD$ro* zNP8Dizxlvle79Ira_0Vn`-(4aONakRIsKyI3hU|R83x%K1dj&U!}5>E%ExTd_{bi~ zwF{eAneEpS_vp=U{UMo}W#&+H>_*Qg6LS7eMQOU6#%n?{q3%vEQL z2pZ>cy3m%V2X75>7bI@n7<;M3BkfONe*vTQvL92%YVbU{4qxbzxXxA0XKZe1hQ}mU zxXOFa>6^LF7!HV6byCG_zDoYO@;(3F>zhvXtk7J6u0KoTE+%>XuwD7l>&AY|@v;d0eUqYL zDy;NJPvws?!M;aoUs%2pmo}k?8}V4S;{69=`@2V&-)gjTjd7nJxnqj=NX$~DFZr%J z8^>*$*ruyC%Z5tsCO;1iCbkBZUQXjnJkB5HJ(LyEKYSt6uyQc)dS98#=9eB`%QHF7 z>~H5QN>`7KhK#B=9ve;8=-6_;>1?+${^{f=i&Kta?H?kI2n_};te(x_xu>6yo8eQO z|1|j~V0NK#}AJz!!x86HYa_XMhc+^E z)4{`XW`&9vGuCeXMGwoz1Wu}NHI*`2G@P1k8;Rqbxj&_$hE!6L?N^6W2S*+(_EhD$ z1QC2h+ZstQdh~(DJ<=*2i|p*COAy-y^e?5y&y6rok1{5)j%vV^yocO^H6HzF{ z_P~jVqs%`@a|qenKHx;ic3I|MP4|HF%MR#=bk>90#BalZz{zaq0}>bniQ&#qkQ6yk zvS9lsNF6R@+W`TVG70PWm%Qej~LwZJ)0NT6?DB2H95-~SJ8ZaezYzg+MDbwCjM8*La$pzi?P+yp_| z0k6gIm-tl#uIAitRcjQ&TtI{XLyt@x{tUB%`$K``M0lre3cQpB;E#b=_aS~oQPc&b zSifdre-<0uJ`nIxk+A{Sa!_^yE+XDXY^b0<#OyrSZrhm(05$-AWWea~f2`>OL0EDg zOlShYQH~#g-NE6a+auKVT|?vN)j341^Js6#_W3 z$Zv2y*q*Wi;8x_oCIS-Y0~aiUz&8!KxCsD|2=I9SJ2X^_+b(yhKbr?|X*EFi0j9?* z0Jyqvf}1d?sk^VxP%dtWo#$YNQ~&^caB>zhIN*d2EK>I$++Ls$u^S#xZ~ze%1dAmc ztOW}?98MMm3kZOk0a@xdcLgXhZ^Qm_D2x8i$W=Z;*4gY-?E3$A#30(95uIr7qH zt!&qc6$EI!7>r+%F?i;g=QHyPiN|&|j1{6gmmA5|Vg)}kH7{q?M3rYnt8Vz@GO!Ktb3Z~N&QuEZ8q`wMk7WALA zY!wrWS%}eM$!{-yEKatBGjHq2DR-4=oX}2bF2<&~_FRXoH3_?>Se{}N8j~lc--i{k zPlEYbU&VxQRU+5o1s?Nw*O3jo&a~jYZTFXJa=`PK#itlPm3>0y zmyH6v}b+ zx773>a@kbP*t7D7@=?#Z7zNfYf2I1whW|pVHz#D?CpMgpmv1b;tXo@w!z4PZ&8&ti z`ONf6Q4_XI!mH3X)V8O`*4$!BPG7&C+P`l90sMQc(+b-@j-Sk)Gu8LZ?x|Sr8b|*w z!%kXnaGS5CT5;6k+i@YfVH(Wt2Iw>W%JBvM4?JKD5yJjfbzWbYk-IT(I+&sKC2N>^bQtXtL1? zBwO{$ot7NV-<%1rSEP~hSqcACsYX)THZQ5c$DW11a2wg1DwRB7OA)WtM zejz?8L;W_(b6c^H=cBLCKIdXVa#E?*W5Rwg*5n9D##9(f(I1IYn;DWP*-C98;l4-_T>Ax>Nk0P{|7Li;MF;- z&TLN^PNw-Q{rOD{5AURLUaXEBZ<)Ogv8Qr;I#ONev0VT9d=L}It2#@Y)<(mWdGo69 zzEvi7o^bEEUTu4c&BlvfXQD(gY!V$KdMSJD6Ms6|Bzz`A+qiJyg~94lrg4Mp8MiBT zKJKlN_Qr+cdb2SsCwdDD=#GZ^jtS1gU79%sBB;omt9j@&*a*D?mB`; zXPsIjhpa;UwK!i!>2SzpEtv$wQD6p;xHp#?389&P5?x(qIV*4->XsBEgDp#|ti2^d zOC_5*agE$wP#!-m%v>GkVL>GBMd|tiZHncG?yHVWqXaI#b17Ge&tS2nxkn72de0_z zA3w6>(EAhCZ?88yRfy)sp)YSpSFoOG-g^6bQ>VaEg}wP$cP&@Rarzf(BLx@ohAZeW z184158NR!IwnQtPj5xz7dqg^_aNuRB{;;#g1i=DV=jPYN%@F2Um&F`&wU4K`-ahpu z>2GEcb15pE9ag)c?;N;fGgx9mvXK<&&SGAuL3#1sx27rRTD3B6RAaf&Ip6*k&r)lS zM5=twr#(RBZuNCuZnXi{Utj_f}x;R1H44|zG6ekz1iiZb0GaD1lK@=RB5M>3Y>)| z^t<#870QBmZw_We;pHL#n+0BE1K=a@8mq$KoVBmWP=YLoH~C;f69k1{MFB5vCpJNF zM1?!L?<+PD(Y+}WVs0HwXac~x2@2;Cg5DDVj%tFy1quqV79oT!;BV~gL{LC_yR5kW z>|KKwDS_)|k+JQ_E&u1xcG-RXS!hVK5hS~CAQWEV1q$*g(1UPt({D0M!M*9*E@Q8Q z2@Sk+K#PZ*q1&~Fe*>_fnxTj_`e5EQc!3B}a771h!{DKT%>oF00lJ4MgZ!J&P~8Ur zko@ml@XtC;KnVB%fHfQ$8XOe`nEt*(0}@UCJ^46dBRiOGL!uY}{e=6oAx9LB0RhL1 z|9;m{j_9u`^q+MbvSbfnNh4x|52*+|#{I+w6W!BoP=qxJvfJRu!1h6BA9P1}k@>&h zhP_Sy1;&6PtWW;^iJ;lP!5Gk8%5qds6arT{pyt?K!Xk8+^c!VUU{nE@4e#MPLJ@{6 z{}r$R(3$`=4pq~CLN>d57wnpVxDDV%6c7D%s-cP(3d%XdjRa6M{q>}ZvMJm@5^Onp zo9;5O_{3Adh1dY7a-Rgt1-({yg^!Urt|weEca6jYaC>5UURp+}W|qawzG%L} zj$aN-laF~A$!0iu2!rC7&)KPg$2}n&T4;-+)VQlhyI@actb!2I+fGK!^!cl9dAoXBI0{Nf+y zjZ!#B_RPuGyeT!kkbh4prj2U7Qn}ly-sUpjbL!^Cn^4Rz%$u*3g5oWtG8XSvS@)B{ zxKMH!h>1RarS#9xJ`bA8Q&~~7++LvG-EGWw5y)Pe}DA^ zkGZ!dus73;utY%9sHE8ogZSAw->=`hY%O`tjyUFJ-?T8K9iC5 zR65Svm&9Hv9YGIWN8^W5LYP=(NbjnN9S@ApU9=v<K=OU* zm)M@vW62two~-weR!n4@^mToq>&%3ZV4k)7nYr?mlz7(M{|N&r2ky;$erHgg)4QSU zLfVDF@d&O3Hm9f0Iv9>zfW}HD@g_AWF?4ubaB_a$T6{i{sVixdr<-j}^KBD_gkK(O zBxWy#N%|>+XAH778qiNxvPU%i%!Uo8C^Lp#Xo|3Jlo@b4>TS);=x`ZStEj|YR`@v( zC+46W8nM@-_{udACFZY784bouex@w6~8&6Qu~wOGu(S6{u>ufaHj=Q}A_MP%{%Dc5v~ zk-6rD&eg=e;HUN`l2Z}_eY`0rZDLI=wQe52z*ZB^Gndh5(x?~=%QEZ><~SDc;It~! zpmTnQpYbj4N6}vQ@U^Mlh&S1(8u2&17rx0oq*rSEPHJe}_I2<9 z!5PN86P@KE6fYa1%S4nvM=i7)qq7?^P2GPcamS?kWSwVJcZDz^QL8)MmseZ%I6@bR zd@h+b=U2E4)orp{e{#OCFltU56A~bE-=C3i#!#ekW+Ol+g~w%faN0&m2V0PsPn9mm z2IAcOHdf)ePTeOq@t1BoQ}Xshf=5bgFZiBRDm6`+W#Q3^FK;DIy&W}m8s=}px8=+G zo;r0ogjDdmc8j*(75C5iE==PMx~Iq2zvMQpE_jxejJ{qnKh)HD_bx0>CHD_*mm`Q*362vOo+3L2yS=2PMV*jQ_gG2>*I1qB@gFTm^O(|v?N7u}yJZ|(qg4uKuI8HOd))QDYGfd< zFq~KF^b&Q^kGmvNUxes{suTi7Tb|^6EAvP(*fP94S4ml8Gat-V_c>MA8AFL#>fPIc zblnS&zB`2!Qc1^$N)5<7HPpdvBdd+bKPFMf?Ro3Gj8<0cw@`$}@qdJPM0ZGO;7Gd-!~l;FQ z*qgvVAk0b-ACRq(YF;RG8{*jw=pY`4Jj?vqQFP~&3}?*<0lWiwO5PV}g5s3C-2n#^ z+72>-#F~)M#J)m91x;*^$-%^igeH)|A+d>l1&0EgfFcYC4<2cHXwXLfa323{_~mY>5tJA_#%BMHF0lBB2Q(phOe?UAibNu*a!w zdvYI4ukFlHK}4?bH+m=tavf0X^8YxK-Ck}ECN!iWnjk233O6`Q~w zL92|ApLN>~H5M5fBDV#|>Hb1PF`~Pa=7>ZVu|w|%n*bQV-!H@7rvHXb?D07R3>L(0 zjI0#!@7TmHbvLRf3IfQ6UjT(~7<3P@+jN4 zqY4;K&qDoF#DNF-I{!a~33hR9|AGm?mbg!tpjS`LVMv(d+1&Xhb|+3OG<1?{8lmJC z38vj|G>I8bJV-nK>VqybWu*N_uTgAtEmo}lV^%s-%z+g5sy3Wgjf-E@>3I8!_{K)n z1(lw`f&^ky)|ryZ2?oT;aTEJCi$9^Mp(B+%+mOL|n&R*md%?^I`jou>R>ym1EmPug z3!^W&zj36%D)&M6J$BVFN1)Bwf*GNwO(RnyTP~TDiWuuyn zW}F{-X_O+?qmn&3q2u&eZCQflC!3b`7F{XfSOHz*n&Tg|TG!=Ua^AM(sHI^qk@Tii zWDd;*2{ekG8#hutLen0iS>c4${glenj;)f5<87!Y-jhDxBW3tyc+(7|J}fUyx?XwI z(bFZ8G-#PnLe@;RXlO?Kr%(3TQz(>Jyx{K45#!s+xv}VT++aym7GfOokQ75BB>aJ& z@=GRN=X`bUP=ERS_nbUjubySClU#gb!~em#*2=o<(9IG&=LNQKNOT$AJ2sVLZ4{)< zV(jEL?&%9^p?j84Nus%&*<%+jR17_Ug2~Y;$Mm#&ouf zjM3`YPu^a6+_cK2xJRMK?tJv~OQ2Fvar#Pfwu0Zx?Xaw9HTBU$p9WZ;y%Bwu-KKW$ zd{gc1d)YZvWtCxQ!_-)bpot9G8e^@%%@7(Bzt_Wh zjUb7^ulou;Q(dyKnU}K3&-1HPqJbLsFE8qILO!~4_eYON2|2h^c-7x|H&|GZGn;qj z%k({o01WL+@6*p)MbGxyEUZ#KGna7Y_J6W8COqP#yNVvhAF*_EqVUmuIq3}`625yc8@ z7_YY7{HUbfsj^AT9vGl(vg}{2^?c2q|1@F6Q+~@EQD$0$&e-$UZPf&_d?5ul^x4`- z@z<~4S#f8(_3#>#fi-Oi5epmD`_50Ji8gcM?T*hopGxQ~+`of8QOgh}XWglEB;>vv z>nGcnA-r<0{ASgXZ@NfiO5}SDO2~cd<85=bo1&Me{91fNr9w`kV#1)=O>3YcQ_t|O zo>O*3iP`l*VJS1IM4n`HgN1vXfz@bzNnHNC?xu$==sA?auAF3i=Qizxg->=2v-gnS zti$2rwBRyDJ&EKMSs5NJv4_HyBm;D@noMq+S-Ps4enV6PHEe!7Uiuahv71iChCd#d`aLna}0x+RYX>{oXo%jkn?SdQMATvid=u*_yzYuPE1lel05mXT-h! zl@pa%%V-F@OVleJtM}i<&|PyM6Uj)KU6wQH?-}iHt_b-!Seb}_7+ap?{WtQ405pYj z$=5g2oGAu@K-x35=1hyHT|?tLjl==fn5n`(%drm=?)v%`wEUfhpJ!V&U-_RX%q)~j zQs4TqHb}_n&3)M=u4l3Qw*DgwSPg^nHE0#JaB0xXpn(oYW#$qF;FNaie#AiEO#u!L zo!(EXco?A=W~nMGrZ*O1nEis}i|d!1WDox+7;w)LGw>}gh%b+|6+3~8F{W3UU)aRB zw5e~_j@Edo)%>!FdzyGv&d;`<&av>!51R`;3#Z2Lq#GXmEdNqYMVOQH_Wd1axx-fbCUygtEu0IBxEZKe z9J|a1wof~IQv7WN+U^v8yKv<1UF1;+;^5?d1jPdEr#l~zc34mZxe}hfBYm-;JHA-J zUKWW5AoX?a`9RPB>{=*|4@MZvpOMgkTpny&; z3LN0~mA#@&tq;&=&E6lFIuF4TWTPdrLc*Ar%BP7!d&YA!FO2HSI4p zC<@ZV0g6xIRTKE(@*Uup1hl|FG6raL2w!+5nzai3k#F=M5 zpvf+A=-#HNK@&hg-9vKN^~C=obnMc6qI#k*K;GcB3HBf#{Cn}1e>_zP)MOO}i^`s+ z&|PXyR8JKGI%+|b^&t1sW&ZJ0L9msIqGWXJl4+uPsvw|v3WFK>&wv42@OM27SGIyf z#XnmDHq{<{=pXSy;d&^*ltj^V4~^uXO~H-=${wI-ia0GJ-@*T<_|Ptu)($=d&e;2> zk?8B$&^43Z>@SQ{fRYS(u71VAyB~5~_Ub1yOKQApvNVw_mY1#Wob<15Db!ejWF=6T z9hWI;4tgsvzbIDuaV{t9MVFf20}+MMOGlrHnLxW0RX88C&IL5m8+R}_n7kAU;_dJ9 z9~crPEq#13b1G>V%Wkhmowr%ZCIOaz)h2)u#{nSTrp* zY&b@->3lp2R{*VNwSEd!=L@@elKDPGsNzHRSJR5dl=+LHk{&O*Xy18J8^3g<_be`5 zWac$l8C8RuB_osvt*&Ev{P9>9dB z1)U=7F!J1;*j^glXbTV4IXM!yApBFm0lQl{ z^QTL*5hS!MX}Tv@*Wzgvj!^}2eM%7Z^OsulY=Jy9wYhiUWzhve&CoOaep^8?S99L8 zjbx=o1_Y^ds)}5-8OA}!g$6Mthn{0wtIkQyUG(v>k!wrGW>O3?t{ya{%ONb+WVZ17 zYz#Y_dQ~o9QC({2UFMXIj_h~r$NtR}tSf`s%For^v%*^oJXW|v%A_H)(XT#RlLwz= znL8e#%rP{rM*4;*lr_`f36u2hJlYc{GPn+*kTFe zMdrE?IpdxoCDoSq*R6tTUB5B4O4V5s%zu`O+pygv?RIk<&wSo`&rC~_ub<*Rs-OvPe`Gu8wL(cK><;oUr$ zb-B+#cf{(XAmgPB%ds=#YaAaI&e@E5aTUBv*;g%YnfIT#Ktsft5B7dnT~4c+$oHfdeiQt)hC>c{8BWID6{MFBo5Da9VA zO5)kMhJ}Dz2F-08k=*p?jE$1zdSa9__d=&uI&Nv|rt?>nrUZB-1i_|GJsW)n29N`tET>gC4)J-|E=YXuDo-WI_uipRW~>kwg|beCY&_0KV_%53Xx=cTqzlFZ>0&OT4@y>is~D z{pI(|RwrIL$T`KPDb+Y{oOja9jEQ=UzoKB>q<4v$DI129_#UmsCE)heA_Z1KL&dr} z+)HOla_C@67TFwr_|bJ|h&ruk-1-AZjRvR0(bAJ~H>XtxaZRsHPr^ znL@VT%#OMy7$))9nJhpN`qi{nf~>jbj7Lc~X+SaYXKuM7i24xqGnu8Vg}AY2`0UDM zzDZ#;JsrAqQT#MA${t*ZvC54Q%~n^>AO1B&j}ADnc*0BFY`>(vbc&ncM4DN*nW?; zE)T!JBk9@vaj5wYre!$#H;38O3MHK~t|+U3rU$bl=iJr&i1LjBgkdxO{ETKZ0pw9Tk&m>03+q@tliyiMh6{ z^dU9(poErNgn94oh2ItMHmL9~>N2WezsOCNecv>cik4$yQ{+sT=IcREXBzy;3`>l} zt5Ns*`<%=#O-YK}#vdK0%i=K!m%Ja;e7~H`?~Iv`TT@(_<>vfpm$NFGnWXcu>rO+b zhoX(btUff~wUl1x^__zrGCpBi$QG4ov>dCJFeK9%rFzNlGs(^D* z-}JsWo(CZznsIsC$rRT3lkS*Qwwd1+@vBMallc_sFWhiG(R{?X_QnWP&*wDt zT!vXf>;I3q_l~Ff{r|^hXOmEoJyMy+v5Jf&BYV%X3CXJLt?ZFVW-`i_O{7pH8D+1M zP032a_j(>q@4TG%E1!3Mx8EPHTVBVx&bhm;=e6#S`{VvNr4eAdfFH+-?aw3T#G|00 zby<9A!w{Q&!MEMXsOT-h6VuA#3H)bYCbFVBqPjecmGP*ZX)Vtch>LG(aH;f?B?R!Q zaMF8R5ld{86XPE0;@>niWl!txc%vGusW40ZQf@vX)Zge1>Bu})_Or;Zx8nxoGhdz} ziaJYmP4jF(;z!PFz;0LMoV+_Zwibc4M`j_W%bA7ZTSJkd-eNsgHdAEDahKnuoUV%_&A9_Cq_d=JJy*%Sgra3O0vd7dTpFt|d-$fiIa)8nM1PsIcv!cBqP5EQcAD2z!U?0}Sa65M2)WbWKxU2(>L>sv0Hiyx1de=nAo!?zh3=MqIOzL;dWB!<-p|*l1?+xyhFd=`! zXN7wCiCofSepUsShwrP?gi$fA`5A?i!|cZOzv*KiWIz2r>8A=ouM!*bx` zJH)>9Q%wyX?#f|(`T}+$4coh=S25DdJUT>kqZteD20R<793#?mrqt$JnyDgQe|Xls zAZA@rMR$_Ndg>s{a_Qu~YYyB`vWBTxMnnOCAo`&PVI?TKAX4Mq~Bc2q_~}TESZz5#z)bzdS*2$ z>8&-py%@=K5Qq4C)glk{@2(;)L{II2_0DC- zF1<%^pt|2~-r)B;=HG$)HLQSngk&>_q!qwh?MX+5BJT*$m0%j})2M=u0yI2ik%mz8 z0CpJ$#$|8N1b5lGY%K@-0}Tc;0|kM;^cOY|zTgK8$=sMD|)Y$zAFeKhNV+^YCNu;LduKm~DuX}YJ5<3`1c?xS4~ zWJm)-Kfl1iz}CP6HqX6*L$$zxf)D$(i12^_qX1y)AQLSCaCAWw1BLztF)Dt6Kgu8moIy-QkPf)Y!6C~);2;S2SUN$F+y19=%Y6JOko_KG zM3B9R6YgGE_+4I2Kvs!3MgGzt0@43&x)y9||9QN3f8)Qg@L z;rE>x)we<+Jzj8%`e##c0RDY<`u~$8=G~#7N0P)a5QN#Ih;UY0$MzUMh5Jh0yN9Zh zx`TrKSQOWe@k>X|GTTvVGI?=Dn!6ZUNF~TBf64nYVj@5pcBS0L=Sl%_i2!xvxciN_ ztRp>31g-iH+}v(1m)gcXut;ORTh#m{E|s_b&`Z8}JsYzxV|f&kZ{*A2pS?fcR5~4_ z%Dk}f;_^M~c0dt}&i8ja(zfIZ)XMNLrM@mPEnvE_@kXJFTR2L+K@=+F5JY@$C_zs* zas9fKC+!)=M3D=4PkKx}mgg`MtuJp>9+8q`EmE*~@7`d7o>bY>SCsVjngPYz3xy=X zTq^o8?NyDjaq@(xxP%n=9i!%EV&6Ek)a2T-Z>E-gOIiwnaXdrb#@N!(xrW;YL?fRZEyesK{*t7oZ}Jwi z?}er4Tf7Z)2aQL9pRf#JUdXSkyLxw)x4GIS6W`1{nC((F^WlKaGZ95(a?ZBjTJX7; z^81cN8hQzs)%rYi)5)#3Eb6^4f73ZrLu-EiECtm@AnPIOE2D(I%D#fu#5c#ZbaYB> zEH@1k_;ch*QVwScq}9O06iV^GnwfnRmc{=*gF{SDRwXYfvVO(CuU^6(^9oO)4~v8t zd$2J>LrQI!A3DP|xVb9N6Qzq)-i=YVp_tE%50WV_N4r+?3}bNwigk!wzqj$}<6w}r zc7}VW>R|O{DpMPuxBWiF>I(08kxmV3yVn_QqLd5A zO3O|me!X!iE}4lQLv)e7Q0D8#yOlm)uO-#W{yXav0#sZa;p&!DSm%#-w19CF7S=Vu0#?GCH*62v@w!=08U#BI)oE52zscAvc(p7cra z;>+`Cc+IneRvxv!=toB5647bo-`!LbjnR`9B)IKM$XjMKgr$>Y5*|V(xM|67+AajQ zt?kDgkB%Cj?-1rnek@*FYh?6>$lO_purc)$zIKc6Pl>{!^erdP)XSbQq5rlJ^4V5w zETc#|!Z@NnHS6Bo9bILMldNZ98lxUJ9x0_AoP31MlkiC@DcNu1glru%S-&zl3DxQP zr*bPsT9^$B&RQGKhm1I|!33BQB68=>5BkpIa&qe_OixQs$zn;_~suw;v=Ohu|c+!X^7;h{? zU~2Atd|v(3`+5&|cbAQiS7bV_@lI34EDbzY&7tk*Ey8}J?4|&_R{bG4DQrs8(=;+7 ze5mYfihj|tP0|LOqSv|J!$X@te>k$u=8ETNc3QWYmzWCI+tQ8qJTj7{4zjR$Vfpft zy@Bd?hIWms&k06)6HIGq`BXJBPEpC*)6MwhWF(N_mN&YT&!kYPptIrgv z*Y@4;J;p3SPF%=j}}%Z01v z5Bj(kB5y|+7ts1OzRMQU_~P8ta=`nsyj&7b0PZ63jMA};Rtasj*|$%pSjV1!yP-Om zLhJT6eN8<*hyRtznmX}7;AQ@%WETeO$E(jWTZS^;_>j)cDN+W@Os%pE%+9o!Hm+gI zXduY&cD-c--p{kq3}P>Rv^=?Ae&t&2F7h%guxoNs@Jhw1no-p1qi9(QNy;UfWXX28 zWQgO~EIgWTO1a#p{DQwjp-v%&Tw+?^7$~40}|&l)>2MR994iN3!Cy*igE!e=C4_Ny9TXxB zzv9&-r1(T`w%oFu=qgM2GYLZ5flFoaxsAO$=@jaE&It+Bwy!^%~|oKTP}~wnFpxZ3zVs1-w!NnU9DeTsG;a(+)#Ylm>Q~L zO`|S7QG+@9kS5SwXmo*Gm6>$ZE}S^}rCz~TRtXW6H)jb}nF1YSUtbI-ru}OEJpLtf zo*2t&g0xKCq8$_S<=0GdDctRnXR%jC6cl-%;yf3#b|r@wb?5nBGKm=uZxtUoHcBn* zbDh8Y;GNvz`v&i$mS~kvwZD#EfBcXy&;&b6c)?pi5l4!++;#N@`o?DEx=4ZC7m9Zsz3v1*hYjjW ztj2VG3LN|}?tf&b_K@^?agIjA4Kr-@mR0l561mDGtXRpX&D~)Q4!F$WIo~%=WlA{G zb`~hmWJ(khFz4Bb(Fh9>O>s>GFJatHxWZJKUdLZi@xoz7;9WFnM?qA=h0}ufo?$#) zm~UPWU1Dn@iT1>J!9St>eXjcsU!C5Aioh$1B;V-8?JA2kD)s{-E*^`NrkwAS;ky{ii@2c$hjI;yF@^*ujg$3O>RxcmNaHkiXSLRG zD_Sh|z780snwGUB3$=*DyGGDC^1%IgXaqYt6W8K30)ncf=Z3@lU(a|Nkss8@k#kRDFH@6+8<7X8>p#3WdT4_0dpbXx&u`#gs31m(4hRmM;Fyi3DHOU zgKYbH$p<;m0|^R}2!aDD0Z4NG{d$Rt2--)lv|p4cH#Y|tq{c)t-Fv}?k_g&Ix3phO z_ck~n>e*tt_XZ9H)4iX5X-KAf8{99Zdr#m{5kdQCn1&oyKA>lXe1d*4-QdCu=ElE2 za;S))eRNENsvbas^KEF5Cp{!Ag#XXbcCV!WYq3)p5IaI%OGs=mB-6boY$#ax{}0^U zK!5WZ2=N%)@IS3@yM4m9*6w{>-$0xZNcKSa+HEgLP-y^y`tJ`Ls`U-A zo9quXB+-qK6M~q*dW z5EnYna!P?<3O6DlU71cq1dmhkx~-9li36Pu9jBtC6dk9k$qk2{3JHi){tpsl<~I~B z-6LuHUQ5fiPl^O6dxsehOZHV?EIH@Jrk~>dypbi*5ajm#|Z`N9^5=YOd1yJT=Dho z&xa>SpEb3ri9G6Vy)zk%ow8|KsrTrjZhB7x(a*G}{l(fQI^i&h0JRFmjw8=Etc0&+ ztFv=NSJMaLN@gS}cqCFkxb#d8m&)(#M=Vf!m#x<8UN);)QbDQbeA3xqP4Zg?A)URS zczlQMI`gc$c~=tIwb@BeGf-Wo&@{Ldt*>h+s(-j=#nd{Oji~sW=L?VHGMqTp!aj`w z$vO^>Mz&Ju1X8KrW@GTs~8&vQpGUu1b61;Tb)XF&uwCN?rJ`x)A!`NUBp2FvdfB`Cg@Rb z-j6NU61-uKre{Cu5_O~4o9Sch>gPv=bGL1#cy4=pc76;h3pNwY?Ho(3qQ31HZs>73 zUTCFQ-#)^WC2EOqA&4i5tj7D)@}V+M^Al@yZxe1*eSg9(Q+!REr#g|}h&)n9#+D+* zQ-JC7)S(7BX68{kpW7F;>QB1KyINUZrZtvbvpUtT5ar;K^{t(5#+JX5y%YWU{n)iH zOE+S4v`&)em7aX0)R>mUF?%Q@^he)~0%?BA)Z4F|EmNd#ZY+6P!*T+Z_6(VRJ9msr}BxOXe=b%r1 zC+S_e3#w$thDV0yHD|rvd%{Q>l)@D5l`Ait952W^R#Y)~?pF5u^rxk8-Vp{3*-uVH zeV_azvme(_Ssw07O8j`ED4+6{yvyAR3vBU(wdSV|j$dh2hIFkZtJjC3aKc|jOHflE z&uw|*aM@YfiTQ*o$EjOdU6^Tu8#ed-Nh6bMUr#@%a_(KRAUpruv!O`-h4{Mam(MA~ zYz!gvPGmPMSP3ao=*bRPDcOkzRrBKGABq=&FCW3FKF{__KX}ngL5b?!CCS$lL}4>G zG=fYolFw(h8ukfPb|8!309k~q_8Y%eZ^0k^u@75=$`$M0e%(AW*8ink-{vm!Eu6e(2WrbW zuJ;jDS^ngk=+C=hVb%4c{s6qSh`P|j?xg9+dsc$ixTYgts6la$X0AHA%~gD~9CEh6 z3Esmp49^qSlGUXG+rEYlq)DB=X*qqL=IT6NKBl4U+#q|J-q-g}3Y=mYIJyJZ?bqD} zBB|s&$A;%SF=7r9eQ|$x#U8gQN~!fL^Q*I#{i_O@7BmJ~H&Zn#RAcz>SPpzjbMCpN za~DJCXhL$zhnue_VWTawmzvdtHaO$WuA0}%ej1@_la$8&K^BNjaCyYu5l6s55$<)w zqVfk<{X6I4@$>RcPfu&Kp1DL4^3tcp2QxenZF2ehC;b)zHY?#A;ddX6uDq5mGtyOi zNm(jI9?2IjU+7(y=yLgR@C-k1z_ZzMU;RVMX>7EH98SVR%F4}7KSrn&0;n#M6_4AU zV=*$Fa_m-_b-8z-0(Y+WNo7B`3kD5WK~x?iCYmwhLsm96o^zdt$>r*7$)k%L7J3pX z9A%p6V(BlWwT#3a-i%Egw{!1^>mzG^$8?cCw$LC{2!F`iVB%)oa{ueo>$!vIF8XFe zj3Y8CEKcLDal$P+jmKW)X2VtSyCMb(+H;E=n=Y9QoIOQs49lOdO1nI~uxzJ%(+s>eEVg0BuGv>ih;zuC>-Nd4r=H*GWNs*2_U`iHnU7#Si;>9Q=1WElMhxQlC2&xV6!v2uHj0)Ng@94i9QBZt?15g8ez>5wBh)*7%iQ@uV zJ3c@e@CyC`8mhbQ)&$s}ZUb^+K&^nv2ixGlR01IPif#8*mlud&{&UX$yMEiA2{1UQ zjtJC0pw=X0j0WQe1rY@QP;yvsw>{X_BC$`s28IwK*SDd8A3?(K-jJal(BH3hf7fY% z*#|06P$y!m*P#4h=%%!%UPC3)+geHYr`xs%6cP}^z$Nb&AqD0KSmyqHX+uFsL3ybA z^{jzBXi&ivNbSa?xAZ~JJ= zh_tf=f^aZh!Q%!96sSze9+07Y+7Ks~{TWbb==cGfvkeUjpm2j3u~%%nJW4cNt`Y>jwBRWK$>}27GZqTjLi%%PCY%VZfAG08HP1;sxKji`D(dp9+JD#h^0N;6>PvA)iZB-wJ#{!MsGp zU?U96{;etG^#iRpy8uIGsQ=mSQGF{A{Da8W?v~(r`mN=EqoMypDFf#DcN!X8C%6&c z4KdIEjg#IZ4ZXu)1F0S60`bVb($Ly{*ZZW%+{QJAt)J(7HlD*^Qn1K4PfuGP4^aQU1R^DC^%VE(2qI7DE&b3 zi;wvAZr!IdW(VS9V zJ7M-Ig9O`8exOLn^5$g&-RZlb*R4J101e%klr9?fHvQqy1Vs907b#7;b#>3`As8O zfI5BOlw0O#J9XMBoSVJRzIKxPX@q6A~3L_kg zXKf4L85=q+kHt_F>bKGtiQRA}Fbd%m!lrl($21qsQD^GaU47bHP8b)8cQ&&$JkYR^ z5-uTgQu6$4$F#M6_Y2#BggE(8sl)W^eN$8B#n&fIeM#%RUiaXg3b;X6O%S;_*gS17 z-IMGfE92?q?`Y}z%BKEmoW9E4|8@k716ms{NrZ!kJmnN63GmUTH-cREXPbc>SCxpO*(6Hd3%Ccj`D z(WD=w!-feR^;SFZ+_?H_QsZV@(Una8+Wd;;Sj^O7!IDF{rzE}1v8KH+J6)C^bB2E> zA+><{brQE}CzjkUG#~K841dwRNy3_x{nJE|2-_HKUGYT*tJ5myyfuYM<%dBQ{KfM; zZNw(+Jmi*P7J5JBo?fKuh+N7Qu~yR6UE=!sdX#@gKyoTpd;p&>=%n#V+EZu88>)&Fv(LbYC;IVNl4Mrf5#(SQI#$A>zF$y zhj&Nv-Ac4S5mlNO(Tx9`gAQ?-8NXrW;Ok`3siB(~H){*3QZ8af1;XDH34NcKU?HDU zI5KeBwUGOOi0YZ6wB8gh6IIVzm3`HSKZix%Ng*E*pE4Crnm)7nd=i_`Y?*xg()&=} zxHf|+D%;oB9y1l7eN-#Sf2ZjmUMt*{6yr8=1KrK%Al_RYQpIO5>ee#@z90E$7{60x z(0n;t?Y?Pqi!c6}hcjGweY|J#b4%Xlt(YJ9{^;8FDffeq9$4!rZ@s6Q>GX2$;E#^i zi=$ffDfM_4-^JUwJ`*@Zq%Gmmos;TvWkB~qO@dza`seipGUxxstp`T5xv5d@Jh)D`{>u}PHXqMF|g8Ki!W&$=cRsWMW-wN^K{rzwy&({ zhOP-p7$)!d9r`kQSah7Q@y3NtkY<^6`rnkBdOp?vY-sdWr8Mgio3rP$$m zAB@GCIO;%75K`uvycye5IFYs=w z2EfT0`N`X6WZ)I#2O^yBpszsq*dcz{`oNvk{*KCWf62`O-W(2~!69M-(zAg(86=5? zGPVVI{y=HM`F8W?`)IMb&6U7;z}*#;#(->8VW6u(i4AZE_`}5-ylEG;j~Ha+Isfmv z4HQ8HTpS?GA!#DGRPaJP4)}jKlw{8J2U!uE3k9~{FA{%;ZM)m}fITlT)%!&;0SOL} z0sapZ6JjRpQ@4Q#62!eA%JG6;1FQsyC+!ItN{R_#8ofWzK-go;Fc>OgyyevkiI(>?x5PycYdwD}_hx-Fl27I~!H4MT^K&1=k|AY1#zFQW)b&lDeF-2~tkS?4D9KoOm4f1}0l(E2{|KB-u zIM*(37Rcx2KfK)Ejp_FD20`Ql{N%5Q4Rjj$!&E>OutA*l_OI9AfcHc~;{i3lxWHKs zaZvgLG?d%v4&&v&>ouUz<=_T#Ya}+Pk`@T~?hzY`@Zb(-=fA^-n2jK^wLPMc5fvPY zk?dhaQAHhgI6(g$G8hmPaDj~-2@M7Zeo6r8|B7rEiI2E#AtMLebo{_}T>$*)yNGSb z6!||B2tjP`XbQG_u(Uz0-@BS}?Xb{6*%WLmT%ai9uBN=e5&qx56&T$CM{HCi{th=L zRNo4O8UQdVDjso_L{7>7M#cYE!hI(%|2t#>7vR6HVY5{U#!#Y5grEA}2W*QfYzPOw6TvTGul6#v+_85r5neSM=REc@O8Rc9=Y0qGqUIBX# zte&-6DOD$Xi2G(AzbZ;+nRV(*Pm~Ai8D}XIvJuhOl87bC^%ZASpdk3C# z*ckbFuP9^OtR{&R&F@eo8{RiTWliSQA2S0u4^CZPzlX^fGc{^oX_as-YsCI;mEhW! zBgap^T$QGGp#YrxX9vMeP0gRtt+`I|{XQ92)iLs`<_%12taaiC3UyU`Oto@X3_cdg zDw<3#*O5)k542vnBL6s?ggUvnP_*SaiRs&~GasxI>9BN$VYAELa;%J;U442+maOR$ zbc1iQVojbT%zxDB5Eeb}Ng^H|Gtg6yeJPkOnSAoNrz4fTS)W=AWxN&Z)76Q3we-Q9 zqotZx@AEKRe;zGPU1WTqP=&rf>vOIkoepE&E!mV+Z?BxUIycc=E)F0n*1v0l5EZt#B_z^qbF~>sB2(rZr!#xGUt)ceZIYGSPhGm=Zgo)YM^g*4*ckcF{%C7M9yZ zSIWK%se9zW8X~YQe3(V`RL35_Pvwd4*LAhTpUpX$ioY`N8l_=s4G&rCIL~rMZqPyY zX8Cl9<0D~v+JWasU1S}O3l9rEIK_rz;(C4PX_rKSgK11uw=Y?6J(Gxb&aIFt+jOP# z%4|v1_E%3OP^TZNLVqM9@AI@DmecM56AQe=AagA`Qlx4?HhG#B=kaaDtGMGGB&=V0 zyPYVmNAy*U5?#BdW+_JGzt)+i`0;&rD$~?>;80`6sZ8HB%-l{aB{q|1^4+FtC5hBH zO}N1c)emyW@a`QrsP7P79eROPAzTojBO;x8j>eOP#m>p-@yDrUhSDn{_xo?nsZ{GI zd>fzD?LOt@78M*=W5j5u8YOjm)T&(|K0D%5&*HEE(YIW+4plWRu``_VBqyWJL?5+~ z_dYW-gK?`wNU9DynB70}ha-=YDBGbF{h&o(xwNoXlK!79;@IdGyCW!DnGV&EmFXqu z#aEJeZ(>caiG!C4HI1| zj%G5`T=~GBK_2cmWZ0a880B7rw~m~^Eh)ORs!?`<$ve{e0&VJ-^7Dg-uO|~$_2}ZQqnKeFkI!*w8oY*){3O3s*f;y`R@jqQ z4&kqs;Z&l&azWq7vng+(T{XZ*&wN0Cz8=j{6f^nGWjFD)H&RP!l!AOGpRxtC+@kY~ z^Oq(_SdAL!YdK}3%$4vgp{2t1=foNA`G)T2tM-Pv9-cG~j4Ed?(T{(Z7`x3KnSG~) zU6=k%x6)y8`c#)v<1YKyO?-paWd@%UnF}wEJ@ChFB@RU6;>lmBVPV0uo;woo@oYoq zDI@7##tioW!JiVF6*NVac)a!KD)#K?u)L<0k3m^YbZ%36iSZT74~>i^gfUF&Ej8kV zr#togEnnisf6N<`Y?b>|K+DU*eJ3C9+v3?r4ChF%qp!%D zu?kExl}M@=I6Qe6?aP^i!MJc1H+?Y?8_kAIY%x&rV{B`pLAm|FjVjjM@_`>q-`F2> z>$Xdruh1~Lb?$Tio3LwVZu3~&_wG;rR8d1f$o%AP>rD-Ykt})Rw=N!~M#NvJL~cx= zX|WJlnU#&WaKj(yIr)EzAq@VOj44wtP}0-}!wek=cr>=GU`F6@cH~*zsWa{>@VSxq zd7K6!2Tv7XXKAUZm#Vxd>%a1@;bg+4zFdyrQLpcQF7YSrV20;iYLkNAHzl}EGHc%J z9cIZglf8VpIbLsUB?Lnkiw4)V+GCh3^?7<)Q1GL!hwNS4HP?kh5>j9LnuHj~TE=%9 zH6Aio^*@7SL$s%CM#lh z!RmHTU%3NK%o+`bI?sw*aJRRs!4ma#oupS*x!A9ARJ7ce zKgOHX)u!=t!{yFBC9bYFcqJXt^o8aMM1efP2p`@-++KOiw_d^V6?)#HFz z=JA)r{;=>*N2Ol%_f?Bo88M{bInM+NxXk~!U^oA9(zfQ=>PSzACR$JJoR#O2nA@v^ zm>iVCEXRjS=YUVVjKzdac3etjd5Cs<^{v`yXL8E2l!HVP3nA;9?77w<^91h}+EO&X zti#Bh(ztRIZ!UV=y;BlL{pMoT5iD;O!pMjczBii&d7Ec!^9YCtsXMBLd?QGDHqmY! z5>Z1HEI^T4zAIR;Z_8q8B2C?yfw!%Oq|3_LPgF;WxhX9@iall3VfE4>9osfaz z5cwWt)L`5B4zxm&{NUuf^*IQeJm_-}?sbSCkRJ$4K)2t6{6M7t21My@|7z<4cZLS` z)A@6o<3@%Cc!0kkM888SE#5y!W8vJpd6s?j{e&(=P(?L3Fe8Q3P{@jEa3Bxj;r#=b zf%59RYGoa9T0d)qPRrZ7o^^pF4`~Axy1tM4h@Vsqf19{}YD+3r) z?4{RG^6xvGBmWK?3}lz^fy+4(8?cT67uvl+L&d%$7A)i)^zWb{Y#l(bk`D+Jxj-5> zR3wiJ0tZ3_+=73g^-xhQh&6P7utA2Ppzzl(Y*6w&R90(m*mhUi1O+I;y1YNwwr2uz zl0uOIC{n=31!#EKA10{)*Dhmp-W`6de>bEMGX(`cAzdREkcUHD8kGD4Y99jT>JN4? zsDiRPoLm16+xFVV4Mq}_Kl`<|@c?gLpy2$!uWkG2I0dDp0d+Eni-Ei$u($yMI~@GG zCuk@aH^c#9f1WlN7tquK)_5BmjGrG72;D2T-I33I^uq$$2tXSH)*V>?Kyd*uv;vR} z8$kYJ3LVOYcOMP0U|^#X1d*q0Y*4=;sN20jL$&ZC4tD!9q)^5cNJZcVR?r~i4@@e+ zF$uVXa04%BUV%TYyC}k*`)P)?H4~7N6lh-nQZT?^{ebcQ4{O^F-y{U@i*)4B)Y7H{ z$GZQ{aRX-kKP&d`rjY3gBpF9VkMA;#{^bLL_*T#q6b}XK$8L&yhhq_{FXaP00tXx2 zuBO~OmP(XOL9zlrm>#>D^6s!ALe&(?xex$*%&w*&O#O#m0!6_&AQ$ajO}DOH$S3;$ zOsxNAsPYf>`~R6(2WO<;{s<(o4n->dFT{EY8APo2MF<_fb5g8CAvb>Psog-Q`f;91 zQW7fREd`S7Ow3*5T}kzR8Y*{G%M&IgL7T|(qYAjk-K=nO-z%T@D>jkJrSN}csk?A_*txXkRl5RJhbv!V zU@h%kVkNDC6K;%B^FDWIgF@EmF2;9BSxVX^TZ>=+-h6qLy7LD2jhq4!nkW)<(z+-1 zZqDluWA$`BTt(O2;OpNvT4p}h*m4XGxPH&^ktbHD#>NtMwDMHTQ=J-Bz;g-7rqBtA zDB$AlRb$twic~&?js2FO0n_iRrDkc;+l+CSrPKp;#o9_jqNJ9zSjuyfKgRBrY7`CS zafr?Z91X_q3L5n{ne%ddP;XKBPQwUpO2>N!wp@=Zm^a7ZcLI;=i}t6G>qQSuBHTRg ze<-V5G;(J(4J%Sx%rt#J*&2Cu?I1qEru2nX5z;&FE=0Z)A^k=p`8^VC>F9wA=xOkF zU6V&Y+&yQ^0|kgqMrRP;_Hiz_Xw*1=REJ-i>51_X!3&&4hjK9SU*4Pz$IiP^qIR?J z#)i-pH~V=B^6%N&Z%Dr-gzCn(+Z}nCk*Rv=u1xV&8n+&{pkVWW7mAE30bUp6D=go9 zow$j19@qR$-Z~Cp1Du{Y)k|Pe+RF3-<}%uu;_LbN1z(qO^5O$+;yl&WYmYFr_b_qM zeSBdzF>I|{R;Ie5lr46%MCmN{IYCVIyDaP>dYKCC%AbSSN)C*0Ui~1eR9l~kHd`0- zdX#-|$|w~6*=NA<3Mao14ZSwgy_lz0wMFBy8>-n=g={G_`+_sxe7t(wsn)Tq&H2=M zt6DMPw)R@g*0|94v-m50y!4E?=U6dhP%vn>eZ6B5zpfqHeQ!%mF0LfRdG{c=PUhTDUx#SsZTkrPhfCK|1hA21Cv)>d5; zCnU0>Pk&&)Bm z*(ZP0RJuv6XiO;fd0XY&(N{^EST((Tv`7jT;GpVej-UMHsvxs=r;P>8xBA7wmTDIp zmiOt8Dy7D-)fI2+U(u=2Il$EBrgy7PD&(*g-3n%9)OC;hvRq`o4tO^C8l>WW1NO7T z^;vEbn%TD{SbVfbW#V8`cX5_j91aO(4wPiydYRwk`Qw~XbiP~prF%}_K{g_^8E;5ZS0amv_qE#4GtBQR zDJ$b#l_%?38y|W|6p3McV4~2|@L~|l@3IzpRnzI<`Ra4P1sKi5LBEi+(fo8Dh0lfs z@?2ttubYTxg)mt=!>IMcQ+~{cbNEV1Qup`@5GfgiGio1*q?h_xQ*&5RcIo{kv{+gz z@rI$kgWWeHFF2r6k(+HAvU+08SS6sb{G>@h`+D{G@#8elmAt!19FN~^OAg22shjUG z?Xu30dDt1ilhYN{cRs^ixNj&9qvm^xSA5KhA7%4QhJV0Oor2k?nsDVpd@aq z$gWE{XJiPYdZRwgjL9W@|A}AD@p#$;x@XRMYz9>q+-B%Emunt({L*+paePyCstZ*W zKu|OOw}Zykb@rbO_10lzr<@(O<@fTxG1LevM~FT~8YuH_8z=)hdz-U{AxxyfdteBY zK*SH*6f?vojwXQ4tK0w)P_F}V4OEYbp96?EfKd%l zzW+N*fKqn3k7kwI3%lCxYxz=pMrLM_L{xJP8WRhL^&=Kdf<_8MSixdF?_v#kh)1HiyE;NM3SzPs|#)?C>iXh^yYQcFRC zNrWW@c+&YG{{2s0yzt$QFaO0Bnbc=-*D! zt=f<HC zg>BDNq(K%8m^Z)${xDMk3%a}C_R&d<7m9^}(*+V7lrsPW0n0st0!8`L(01n*Gr^A9X29K|F> zoW1s^&yZ0R;5G#ZY69f8zzy7}KotA`zAb<#^L{OEh}r~z@a2Yq*d5S$fK)PIxdW;% z?gbmlZ2@sY-JgEr1zK&$bP)*-2EzW}+1n#F6uScA(7Zp`esvtM9^?aAo=~+<0g$W8 z4br2))#Kj>l^fNrfH=tS4>%|)3~dA4+u#tk=-~7B1`gG>fbiAaA8;^`q6oHx|9}IV zJ_w`i4IHX{VIOVIevK*^O+JVd2WeV@K&1f8^*Dgn-XBI4)xLnZgY8epfoxcW-#+&? zIB;@Bgf;dE4#mE(k1lL5kP8c<>cGHptLLCyo*N_|>sww0T z3oc)%nnHJc1fqF!^Z}Qnk^1b(1td-5|Wxg$64!73-aL%iE z+GB{6jP7Y&@pM&sfPOG#_@V`Dp@koVhy$Jar|Y*D%cGMDFg&to$;;$dTYb1pae0s8 zQZUB6GmOWfRnPn2n`dm#67LwOp;kHQ%b4?(a z(aq(@%uAd&mT{f4Lw$-ClQgt$DPxwCm9vD^;{gep9|l<<$p+XTPalNPK7+;lx5e248SQpajm8LcRXf=Jg&^c_nAGj-tdPRr&h(xj1u9IUBDU zir_(tYz$_z&V}V4F6DZ3$t#(jPncV34U7FWG+5(qT>^{cJpG=^s4BHH$WHhH?x#Q_ zc=mGnh2r!Zj(v~J++PeEyVArk>*I%G)_b3h8)j^PRhysf=)hE(`7u#+hEtV7dlx!>2T_*%fHB-iXFZ=>s`O0vWGbk?ta z2Qi#Y=2mUHqVv*~5+yj_%D++_AQ9%dx7tn`rxrtUbmi)M|1kP*xJqO9Gw+&+)Ef_| z>fKdavl9}LTe&t9ls#!9^O7z2fpma*&~xK;|5_i{j`B-X45uQ?zqk@e%rWX;ty>5; zDYUNPpLws>G?s2os6(|@rL6jaHA_Uy&Sc0murnL|k`g}VF)kZ2Vb-GRQ*UAyB;w?4 z1p2Lmo?J<~UtS@@cs}L2kt96{_Z2P^jCWx+iI3Oq`-0EK1Qu}PiSnDdcDrpXm5 zeQ0DibMIW@Fyn=OavxbwHG~8v=oyJV}rNVmY$klFb+4~|f;i6Q>uf63}F{HD^77jW!TrE2n%`e1C-NX2hs-8Pe z@KvC8QrN75xTmsA_5&~4nI!vVvD+j?^)v?zpC=091q@tzElZ64=~g`+lMqJ()s1iG zUe*#_)9{H`jliL=l8(Hwl+&1FBwc*ywRX`du`$dCYOV)gIbx-x*S}6ZePAFutC|5X zG$HB;^`j6&YPA_DMRfgCg^$Wgl-~oph{#jpL*}BqGlvFfJ{krvjfUk*P%9e+D47gg zK1fP0#gf-9HfP6Xc%Jbsj~T%u!M>D1vetMYt~dpgKx#jgG> zOi!(^&Zgmv;rV$sS_QHYPKC-&!g{XdO1d=TH;tGo(VqOlU-XOHV6+&10a#E(#NVkz(@!pw+=!@dn(PQ^{Oh=}4 zIH$cus4n9B=N>Uo8+`RVP=WcQ5gL2ry`@VrJw$k}tfE(OyW>@aN=qq)4wA+@+;j4x zPw#y(sAGjDKqlI7S?%=Gnf$Mv_G9qbUaat$yko_>LGrfJA?FVjS4{P(cx_Kg z73fXXeY%;2AC_V|N&DcUo8L!lbDl0@c}L7rNAO>AXQZDHBX0-4)mx2O-!5$zU3rVT z5Oq!O)~vc-iliWq&5_f1R8pk3`%^u#ElkgzFsKm=+qifCiU`^*f4@*gP7&3I!yNOZ z_T;3^=#6q%FL~62S_kI_s|KDe%wpq_3VmyEeSXATT#&3S@_mdSE;0Ru%Brur)xr+A zKc?fTb@&HyFOd1NE~9QA~+?tSjYQ#^s?d3f@f8_#%tmOX6v z?9=wXfwaI&veXAd%X6YI@p9{*&8FFeuKD@0*ysj#x0qYy_nlCEIBp|2U!zQCcrFk9 zGS|zqpY9p4=JZDgtZ%%Q9Jf$9is$C|a5s-Fm zP*r1P9*eNCOEK-7X)m!qn@%_*y0O$1mEfaUC6W?wn~Ov8&HeVn-iy79Vu!H;#4S4C z&VJH1dpt`cJYTc6w7$Gv)K%F*SySV2^T)?ky&PV2Z@F&o?4ju!x6VFS;UF=wkEDH3 z+?M{n?TYKj)H@n%QPm^*t0tz7-42NX3{_R(E3e3-?2itVPz@{j`by7@r+gr)NDo)p zXbyWdEOz>`Vk;?mnL#r13{zg-ds3n=bGTiFN`##s3M@@OPnK+sTDV9HeHj*28_@T& zZujA(Z7cuebQE?+?(p3)avV}#5nghmaJBUe&3O3-AJD#Ex?$#W``iJku>@T@dfd?P z$W^6v^VLxQ$U&il*S@F0%5;>7u&<`w%+N@fv|byS=^Xe{_h3oB%*CBTWaAm33Ktt* zprC0euC_!R$+B9^YVP{7NsU&+!PI#+M%+gng*9juBTvUsBrU)Yoiq3|5e_7=$Y);uU0Y2iz34--C?BY!yEMt&qM*PzCv|_rQ=J zh%`uoAq|qiSsM8sn`9op?DpDOWZ2Qw|zi31Nkr(n)+9uWa zgbgKovcsD6uLJ}v;IispEk38r)ow&>%Y$sDS7H4(<2*f(3&INNNB_4J9=J^La!iTNp@)0paF~n4c#6dPe<$Ri$jFvp=&!}yJ8}@W2|19I!Mj&N?!8v?^*%WHz}m^OG$GPE z{DBU4Us|wOr*{b1@L!aYh{$i@mVZoc(&#aSkM4T^64jF^3raXMNv&Iw3);vqPwn&g zsC(nAq8o3FlOtkOvBxRBQoTNse!P!0Zt<1=r{j4^^T#<^>f`~R-HX%N@eF31ZpOTH zRHv{R?(Du<%EIZ)RdnQ*{VU}n?L*We_84X?{PTlloRF-0s$-RtHLq1+Lxet=m?$u+ zHKLAP+UAmoYn>S0C&0pS(_lHbWXF3p<0jtxx-lAdXvX^HOi%Z#)mkZWLwpjR7v){QV0O!0 zXP9aaq1KH!NK5oR{C?13@++>ds@35l@&x@&*EwEyMN3H=ao^S@V=eh`dHTrV5hGd= zSZ)R%6Z$qC6{a(pm8m8ov@-K1Vjv}KFodHd^!DepDds;_GJFa(Tz3UY11GX9u07<$5y zd8w?^>~YLP>F`HhN``(DQO2hQ2#37Gj)c@2!Igs_b9w0>ATrezZd!_K!n4T23L*V(-;*lK9i7g|?ItWfYY8+W5tCeL~BTQ)> zxlrg&#ulJo|2c3{SoAo{!OVbzY4?ts;TS)sx|01dG`pOVXx_LhQ3oxGBpH8t5?@8D ztDK)v9LL^C?f(&X<>64a?OR2Jq*4@0k_a(lW(<)CiKHZw>=8oN3dxe}O188YMHCe! zTM8vhM53~^s3^*kkd%JcGfNrsyzltl<~V+Te8)Gh+@5Rh=eh6ay3YGN&&%Za`V+U+ ztyOu>{fPZpEB0btRQjQnGuA6~a>{JJuf%f0ozQeQ;GD12rwi*?L$ienOuDWoxMXA; zZYq?1-1a&*lc08fy7-%`-0vLg^XCNUOuHrI{pIl;#aJVU`-g>YWJFdaP2YX|g7kEW zh=L}UQR4NsIv1?*lzV4ZIlR9xW}WU4kzBm}tne<0;MnZYz2${^wtEG)h@CRq(HJS6 zI8`F=V8nykZM-j(hZCPXN~)P1=NY4UIy`sVQHRVOqL(T+>~R*Vzu1`_u+~OoZMSp1 zs@VA_cB{?W)a3U#qS=t&&3eej`;}c) zh4;`WR(#_s{Y}MFrWdvoi=3x&r@!7*`SJSRqsDQPF1Wo%N4Ns+2KydKm*viruXtuO zz<#Cv>a*n|(Sj_y*0`ut_g|8I7(dSnyZWtoU&J@A)Jhz4NG`W*B8F>ZRtY!V2-N)9y)Gems(?#vbE5t6rrR|OR4okF zM~Pnjnmtf{ZI`U`l#)YxHohwM@Bh-)y@g-WR7_;n#h3Wx-r+O1(~kRaTPA*BKkoD6 zn6An`hvnt`aWe<^$cp<*?H)LAc9ZFxutJlKjgJ;Nx`;g9pmc5Vja`A4x@6XUd?9GG zaJJZ+qSm#CoZaRxCLFJcPEQ}e1_lwGuK9JI?Om@QoH~D9C~NAQmFLwR#h>G*8ZVe~ zM(EJ)Yu`6@k1B>Ga6YyEH6?7B!L*|duh@1z(^w~`q2drPpJkft&U#sER4U})dmG0x zhcF#4jXg2jSK-^7jpIU1!}r3fo9`Dy99&^7som4dxh-Z<&89!`6DZ=^%ii{ z9o#)uYN4{rn=LJjch=_M7i;G?1&3VAYBy^ela{J;l#%4#`>bg1O?Oq^7lI}Cqj*AP z5BhiOdmdJ;Om!1}He6U)GVjp{yW+|1*=RT$ic10=^_r9_OrTyvQvRQDHj-5>f~o=k zj|`MS*+Kb0MZ-vrkEGwB;%roRZ@{W3zf3XLlSk5U@^B~(C?BYQkmPWO{2i(z36#;4 z-yykI7|^yC$1%}H7vLf!2~+^C7ZLQNNdGNJ9H9{pFh?0sg7EZc8)>ennd9FT2*Bfp zz`$Dru@pp@UWgnW`R_@PxzQqHUQwk8JWMFzk;8jDKm!=?!$kCk&_5LdWKfGjy-!~r zFtMsanm$3vPK^!e!vzBMNydf(wK37tlmegP5r!T@$bjiWs04VR$ARz8zgK*K8PZSN zc%H-GJ!{m^NM@YCvLQ3}NJbl2Ms_$TkulNG6bs7}hu~~L_ds+52tia4W)0wbz_J)D zP*h}>iJqp=QFo;x0%lQyLx@2@bDUgoXhl3}uVl{lLAj+^ux&7 zLqqFHyEk(}L%Mx}l@X~K9+VS(6J5rTHh|n@kIh^0Ti4FvUJ zW8T(=^!mgiRu;fU25=2zDhS>Nd)y>KLw(qo==DX74M=4Quq}ao3JEublMCP{Gr;Ll zpEXjl#GHjddDbYQQ69C)MTYjMk=)~`k&(bSQcgP=79owH6#Y5_m7vXUwc>V5qusFa4T_>br)jVT7g`K7p>Opdz{L8&MH|}@ zmhbmzpPr>>UHT-C9kG@k^6s~CzmfC4KcQ)8@Y{!*4y_jO<8B25A^{d(U-H}QZwa2jDPF=CV)57I=ZDw11s6Lo6 zFRf+C7nwcfm%!#qC&y*|oMGSVUk^53*A`LIigC%#?N!@(wTT9#y&%@28u7tSL9Qm}mH_!Pm%O*Tqx9 z%Aa&xU*8&t;dm!?hyCKpg@tRgTz!^=9V`zw(!Q~B`YyIRAFfU}zpSNxV{cETf_eyU zZn!}1dyY#ya*NVFFN;Y~-*!{PCq(6`Z~lB%gG`@%@wbEWc|6TNwU>k1hNdXphs`TlM7Kg$E17Kl>%(g5&s25;RQ=3Lfe` z-=M9hyPhR^r2o^~YuEJUbp=NW8;#V=?>q2yTFq%~xzRT>uEw2%D3r1=l_he&S=Q!I z*XX|4$Ho*k%~VNpbm`FXV9(NhoO4=q4WH+M9jBrKMO`n(314omB*?sN;j4O@+jctO z(Hk8C-?LBdr*n&LuDio+^#uA(iVM5Vh{|7D7?+h(mAWg%>-o)=!r8ObMP3ZZ**J36 z++GkFrM{{!aPeh-%*;b#D<8g=4~c&zJl$%wfzM!D|NUy5(B?!{wu_02))%$Co6_CseyoVEIa7eh}Y6ybJ~P2&w1o!ffQ$ioSE&Z^SG?sR}$>2OBFAwUXAH% zG(E4%(^%mj_N3rNWBrP&rB>&ZEBVhmd4^uUB_z(ry4337K78G|fJH5PYS$L}gbog_ z!f?LyDlKa}aAToF>wOWMi{BRA;TNwb%#fO^(bUkak-Mp<>T`#TLOTzR#igX!1e0v( z)t_>oW0?-_gOhbeXshz5K?uG*&-Ywp^T<;7;Mk?+4@Fig#jJ4VtX@$eUni5gf02ad zPGk1|q@XDUynZ$Ju6&c0a{q4U%8$CHC9Uq*MYJ~PEdKlfSlud$Z>cLOclT_iST7wKx`W)6LGTr(wc z%4PqrBWix?eCeFD4xYMuPX`xGj=gF;0Y$$lE9_ zj0EO)SHUpJN;j|i}HvQ0MyFV;1G;P4xw*NDmXO07L5ZQQ&uV#6z$+9@%yG?VRb0T zF%TM~tyCI^y}t_$Dc})6l^PpJEkW20_{d~pL%*rxbK$=W4jPG)*&mdNLpXR)kxeQ# zG`<#T`)1B!psZ62LisI#*QkdzU%)6ib~r0?2qlCM*w7G!aqE0`9ATWq`lIfQcwM zITc`XY~Wc#MDQAFY;X_)e7AqcR8eCaU$Xz*J^ejzl*It~7DCnnCK4*#rGh8nX$st0G+!Q3sB{^QZ&CR~+2-(XKfWteF@t;%+Pls545q zKbp zx9NJEQsR3#YHUB_%ywh_;KY2rlMaOr!o5$9u-n|S3Yz&q%=vq_ub9=;;GJJwds-cG zw7J#WS9PvBsvmZKPuTglm3Id!Rrh!YYJ~3Rf zRPDyhv<(kR)J!@|PChlc(LXJ;ytWYMy}5LQg6Dx_nHz|g#P)w?w-Z;WZ2Be`k$zwL z2i9Lz@uYsSzQpsjyo2ASN+oY9ID7iw5_`6{y|YVpJp2%P>Xw#h#2bZm%j5LtJ{i=k zI3gQgPPCgUsU!EMYSm4=ovoEsP5g?hiiL|T-q{UguI^TG*)OrO>+1pE8@Z2Jv^*_S zMcw7@jD)URyldSa9(5fDIaMXrv}H3kM)mV|HX5va@<2&(R^Z|s?Z;8Rqq{_B{Mh`E ztAvk*!*2HNo^^a%Uw@1)dC@NyVyTpNM15BTd(N5w>lFKA^IJY0=Q`5AZDx4ktH8)U zEpZk-!VcTJkCKNBHQKy4ShI1*taN>Qk_~q-{1aQag!HZE%p2Uem-2H=`4a+ui5@8$ zE-QI4({x#r&Y+$I;a2tIb6$^4u3ywW#kXzC4bzYOQ%qI6k0s>@=xR6G^>njukJ`A( z#IiE|nvTbDhlsaC7jM0N4eW;4h#4uu;vemu)>*gtRmVGoB=n?toG`2`7$)?o&1rY| z!e??oZ>zu6!=_acAu8wXn}feR_+qFDNfEXe+2@7cYd`E+GPr8U>uAp? z&za3(ex8NmCj8Y!+K)qj-mmq+Tc;!@l{*JSnRV}Uikcm6Q#x$*Q6*W-#@-3%Q5F#8U4NKm{x@og!r;~C)(V16wKWC{i1Wj zqj>Mw(%hOhnQK1oeO0f74;<)}E#7`_=b87$R$|kN{7tr<=uBkGpJj60uDGH!Qo5+3 z^wm{x z!!xT(1S?%Itl0L!B*il6Nh)U3BDH&AsnYvB65|JZL^ij(F2o2(H`%&$b+FvPW?j@{ zd*cw2TJz@O74JN4f|UOaov!;GBYQv8?y=#UG6N0lKvD3}fgNO>7>za!PgavLwkt#d zJK&Urf;&)M0TD+MG9*DY1BC9z)Spl=4x}8R{0;@t@?7%GWX{Y{Y8M=&wHSadeq#&}vmB0rvxAu^8XFEkEyNmeQn8^=-1rjY@3uI~LPhE;M0Y`5sE9Wlkx{EK z)P*{}#QD3>u#|<0fT@b`f}k$cNyUb~P{&tMe-|8Op;BX`F4RfIhPqJ4S80D28jiA1 zsj*QP>ZD>recot%gZ?f!>O!SHaMXp0bR7q`%YO$M;3=R3KuGBUb2brqaE?S4Dm6Ch zLY-7>=o2@-BK^CGqoRROI4givEP6u`k`d# z2)Z<)02Cx&2kPxY9SYD99*wVqaF{2cPBZ}nb_6I64r&E@M1@9ujCNHxPbKNXQHGAk z=+TCP={Y>XsNZ!w-w|~vFf0-GHI%E4e>0*DC9#Ci$W(Y5@hj?35=#gzU>d83|5x;g zrj;F)B_szY!johPwI%668+zW5-tY5>5hplGh9A~v3hOuMc6D{^B;quyh1Orx!FWBj zc(qJzvsg4SV&|@>=F&5!U+-Nx^nz`DozQGgmG8DnKEr3FcHY>!;lf81Yb{Gr;*(NK zE5(zwb)UZt2UNKkv@X-US3!KmIybfEoAn*@R5!y^?~ds!;~ZbUs>E89J@WbRT~|pr zXvVU)w_RR~n~2woyQxZ~&dGT_@U`rNqtf@?8ftuMd=Arx*qSs__TvkFZm8ofR}~4$ z$A7qS_LjQ(f^R#LRoD4PX+K-CM2Tms@8+Nx&uWiXUpcB^eAk>c{z?DWt~tTlQ!|>X zB{tgiJZo$6TN$xxLHQfO;qLagdwQzxQr^GU6sXo-S$0s&UCF(ojN}2Y|Xv7 zx=&r2Tf`qlC9O!@e$T=xo@>CBw=~LScpXP^LW`Gb&@?^H)|||*N__dtxkb#h>%*rG zE{g0-Dk!|SMDo$)HFGm=yq~$V`*N7kozM5!*K03V58LdN-gB)x;xn7;R3q*d6RTZk z#%{(%oa3-EDe>_fmQBeeD5PaplKhx-rQWk#e=W%7i{{PT?km3|-FG7rbDqpDhrX zFlX(~BgQXNs)aY6P4J2;PJF!VHfyXs*J)E$uOGWVrqo)dk8o`^HjXc}T_hXgZC2y+ zHhrd%wd3}I^|x|k3;J^GFXWx85)IWVySO^$fztk!u6_b0>-yUZ<-YvVk##hYPIgMX zX3oEUFi1Ps$8V>B>z2~@?c8;SNwJI7;y%}(cHMnt*{LrNCEtJN)ydB`*O7d?O?Omg z!-LmZRu%nhwxz_rN~uRI3NJF7yOj^S&I?VPZ{Htu>*O=rH@e)~{sP4OyK5gbx`v;< zH)yoo$4T!^*-3+APo%c2T0S=GlK7Fb{K76fE2ETw{pDxw8klnVDUa659+8rLxNnSj zq&@VV<;pj+>ux?Oc~X_h{%S3Up>XzHA)#0Of$nbZWu2KX&s=$!UH3&vEV<+Y_gm2u z%S=vaRqJgN>zwtlHRZ*_83}#Lnl;ry$w#MXPPuXNm-HqHtIvZG>jr8(s<;msJ=tFU ztg$;WT0h~zj?;B^lH3@JQ-gIsZszoi2(z?4yZolvt7@sr`&L|r$Q{C3OG(?Yg*G^+ zMnGOmz65l;5yE`PK36Zv5ItmBhS~#5-%;#DsV})Za|? zaCG?euB)#-`*He^>Q!ID(@#Z0Sx%+b&-E=lelFu+qgSHZ89lq6R#(~SWy1+|4kwhp zdA)BK&bofsQee(=$&iPZLL2xzypp|NaVp$cA*ychXxJ~tUBz%nR(9_S4>XJlrRgUf zMn&$aOp8&Gc&-19kb|e{xg(s2VNu#KLhbsBPQzT!s7!?x*URcO)6yb=00QT_&_`C8Ta=}0) zM<8IpVTpl3up&xgh+=y6Un^fq&WeWvF+>VPEiMs>5P(e#a(z5KKtK?tD;nbM?UL(N%fTp<1~IC(J5Py~pI8XT!>F*L%PRB&iT5)*ZMRAdkObt9%b z)O$)wtBDK_iO~Q9(h{U5wtqKm)aJX8&O+CY-+ibj6&m_2WgeIzuLuAY;)g;B4grG@ z>FK0`L%pTU!!oGzM!BWPp)L_{cmzjaw1J>jy-d`{QQ;|=J%rpxecF)r)L;+vzwaPS zRL4C; z;2n^x>?s69=*td00T_4#p=}|g*D#ajjoR%QgkDI-K<@QCnZVHR==gHL5-}!1g1MdMhg;4WIvgiK1C|A!J@= z#fH2%F>roD4GtW@fnNjr2q=^o28W_xC1-O?ebhkdNLmFzdxhN=UZ`*^MO0*vx1ohb zr>(-1((lROQt-0;Gvg%agJvk;Qn1G<0vJROxBytiU?}473AUmrL&t-oXjjD}hZ1ly zhca~hW`sHvJnb-WVv91A4qTe>T@gPpB2Yk4hK^s&Xjerj)zH)gW#stfhBgxM4FtR% zZRq&bfI1WosZj^g;gl1;C>B~NV9~U8cpB0)+BLC|Dj=;2>AxwBB=Mi1uBBZJ;?|w}_~Pruwo9X~ z9Ch_6o2P5<`qJAe#W{O+bp8EGts9pg{xlyh6dCGK`Q*3Y2WH`E3;B-=c8Vpu{BS(& za$25NtK6RW{kO*~){6eX-PIjf@?b1kV7j5hFOS3;aW}(_^F0(?Pc(bqZFnJi=tN`P z@rUbUd8P&Z)CUag%%#o83c%n$@Iznchwj&oxNp1Gu*@0?TXk;f;RJqFZWn)R*}(p5 zi?klu_okm5eC?M0#<#<7@eh@Iw`2rn%S~Cj;=~!5@Z)9C(IuyxjpjzlZK>^YIJmrY zl=Hy$5Vy19AB#?FC+!HpS?sp;4UK^)gy9`c( zk(93sllEg|ul)FS`%}`AX0;e0_v9(<^8<6*l53Y3E}f!wrSqWAGV5M~h>*4Eh0#Dv zWKX171>e;)NAG6Q9B+%S7qDUdht$~aZ>n(T;b&b?Uwa538Mgwijaf<%tLd;{Yl7CuF0YfBBQZ-P1v@u%T=%Jnx9F`asSv=Pz7x58RBlV) z&z#kDrFlQQ@2Mu5J>8vfABT;)1KZrayq=bxbIDy)r32(>HW3tu#DVZ z+jgD%hrB{0wxz{bIW0AjDZ9BRGd3fCZA<+UABSE0Y(IxJ25*?t1Ag`I8*iVw z68U(odYEcKfsm2;-Ss&pd}-mMUc;Y?1v#hX&eP4++wp1B8Sc?oztE2*bF^Z5-h0ax zo=$wza8W4K#E>sH_-sb5G5+qmLj!*NV-2GEt8uRcFD_d(`_&fh=sP3k@){RS`u#S| zQ(J>mo3n45t*NX?9oJI~P8WAgYKcy)vJ7EcB!|vV`95&R?q00Ir^V`|BlzsaosgKG zJD(#(t?rxN$a3l&R9<;5$Fppz^)^|1y<_!yIZ4g8?gS`4(OPtA>SZ^M9OdXm)&1f+ zucx!U&t3G@e4V_=S@G8=y60YK!?lK3%n3H_o0bx9@oQRw2d^+FvE zxwmnfcbj{KRm-hV-*=+stZ&{qL9tir7hEg6Hr(T!5~VgPLE@`sxb=&S;qr(%1^cjR zx=M$iZ6$8a-?r$g@4H3KVfe}$W&-)XUIL$N=Y|M>4_lOVRD2-Zw^ph&S2H)=xFpl= zoHk}&Lq@0S-J?3Oy%%Cx+$|D#CFa(u2B;gb&QRCC6eD0WDkbLN+wQB%yG3+%nV(a> z-kck`V%9e;%y>B;CvP~jW{$}*yFQ+otehI^f@!`LTv2k%N7pCY>|8EZ&lORTUC{Hu ze%mVcS+Q$|_VeF0zHQ|E`fG8mglJX8C@s5H)MINU8g!!VRkrADX^fx4FAyhie%vBO~2w!&gr|k^xFkT zox49uLyK>mbd>Y5XyYXTecmB5$Qpf#eIB?uzaz7um zFFAF|_UCc+vtt>KIQG=c(4g}x}!&7y22+@a( z=fTUB^5OR{Q?WX#zz%w6l7ELl71$9-ykNKlf!chRK+<88enRf^b^V-B#@dL zl72${gVg4`1X7E<34TvVhro#w{Fjg$0Z>6W(4yAMNdCsq+Z3&|BF#RN@?DBk1)Oh^ zJDE|ODkc>hYIQ|=BA62#G-M+6KBNYR15y}x)RPk5NlYAlfkoqN`gfHd)kcE=bu(BU zgT)8Hr(oSr06iLbocxChi^i?u?}CHg(GU!@6Q%@*h~pGMX*8+e(8?GZJB+`J?f1ly z7lS+)@E{Is&>ImRKn9#Jw9uF@*Mn1cXu*l3!{lZIcsa1_CH@Bpgo$!J>a5{_^a?v8 z)lg|kQ5t;uEARj3{oaFYxIkh^iE(-WC+a!mI1=)Q-EUx z(y{=04o(pa+prAQr~;18TOH3t9pUdA3PLzJc>a-2);OR|ks9SHFhCm6PKcN&Bt)7t z5`i*~i1d)yC`LS!3Jv-S)3u<*GqI)n?|FlhH3Sf#?z`aq2(dDlH&kSclwUCCdBcHm z92USAq`?Ie90CYJ6BYRXNd$+oxsg*I=EU}U;wZZt0zTtmor13=pm7WqgCdb`oszRK z=EO$Dp7B8bhQk2r#*1|CB{J$bkCGsf^Fro?hVV5JM+0~vz{ZRH?PxHm*wA)fa<0mp z;E?AH1NskYa7fc=5Hn0FHk6(l1R4S6-@WFk^M-*WR}MMjAT?4)kaBKc|p`mQOpzUB#o&q3}w8@?VY^!u{0o%L*DOXmr4*Q|^66)Eu0FV*DVW@|OH__~dJ z?D%qfKyr!LSqt+uPOKqo=3T+%_GORy=Y6rPpcKcpHZa%biy=d_JGoTbwfw|=qNtRhyeRQY(TPv>WR;GUyl z)}Ny!cz)$4z8vebbH2;J;JUt|KwTdpRV5Vsg_T$enO@E0;3(hf_J%&FUh#ZuOzcyV(kuJuGP;6V=lawEHYp4^z(-YUe8+R zSLJGJ&H0$n9zOP}-Jy<@|e$YLOd5VHfQ@4_tfyO?3E1SGXvrBY$Lo z1ZT5wx+t61I{oyBa!d1OM-C$|*1bMr@1`8izQF!Wrg5Ppv6uf*ae?!NuO?gz(UAx6yvtvH}5a@aplZuNPRDV{UcAsO`(1Pqr>wg*PgzmURF@UGlUJ^ zE)qSes=p&^*$3BV{)KxyZPTXgZCmxBrg)L{c2D6q!}7-kJ_xEEU1AzBI2CJN%$FV? zcH2-k16$#A@vw5i$d4C+HA+(#|*mv4^DQzasVol4248y@9AmLfR2}AmsxU z7^lj-2~?RkfhzMx3`oeo3@6f*4-~pCfvWc=khSY@35tLPJ|Hhu z5Ey6@(F#b?W6q>$qZE)pF(-vaN#`dO8d?EKT6oL}4Tw}E>v25LMynl`jGugJ}a;u`>=0^?gN32bdF^ zJao^5lfvJzA)Sxmza|qJ3SFO^pD-sfEJUV=FhwbMl!SM}LO`Hd1uUa;2{desMwk4T zuTnUfBLLl#8XOL^J{Wj8Ofon{`lUc>Nl%?Q5)46UThFk&Dk6vavn$dM1zzhvNqRv| z#b79$(805dqCrM_z5M%C5zkTdk>hu9w0IHM2{^t(L0o9mM`%N_aQK3pu+c+AB!9Yp zo?tkT067vmFh!~ts6+n==lR3j1RCf6O#PfB+mnXb;4-nMQj zAISq7^o<*26X!mT(mx$7Z)7xgv9Q=6QORdbfb!SjmG-)WFP4EVje4ZI{z z9@7s#b~|pdUEGyI?PE#h5mH!Rv6FLUxaYZP*hzhn`zgtycx$AzW6G|En;hy{HD8sg zbGvN~vKsElw?21lJGb|gU0ycf&QF^=*=ih4-uK>s{LI2s9Tu_-)d82v!ix{mxoNBvB3Lwo@jyL zu8m>lo3zwd^2U97aMSy2$AE3bqd^<9w)EmO?9-$OjOz1+osDPWRroDWR&Bez`YyI| zNAQgg%c5_s4!pi$*w$>i|M6*k*^h7W;ilL7C@q(k>BMoA&P-5pd{#WBb^qOxcd_^% ztlwC6dxm07JaNLC36U1~*1_3=$_Yi9{d{FYZ})CHX4!YV`gPcX;odn~b1rWZW7T_m z*`ZXrGOmp`bLXQQok>fDVvPN|o|pNQ?v~)g@4!Xon;!5O9UB{}@nT_Vc=1_p(?Gv& z+jW^pukew}p0oTd=DYO!Si}=d>N^6@v?LwMx<5TU;N(I5j>>}xJspDlW47Nnnm>In*@@$&gnX=`fVc61BHO`_PE)8!7FGeg?V+-x%T68~N^2iUJ18Yk>=Jh7+ zZ+yI5w5wwANwaKWifFYQ`(IvDpjx_zkZa38BOGrRk%{*1EG=D0Q=Uyk_G=H|=g z6|!WUHy>cPKJi}0;N14|*o-XVud+%_x8}hwT(ef*yOCSVt3AD3HimdaPDth<$3?Ey zIxp5Pa;RcacJxjpdSf?V)+=ACSG?r74ZpI*G2%mW{`Lp+(vO|Jma*~coy!|HcXaIOA$8R*~P+Y15at^Vf7Mo+jWM+d79mHYIPg zHVw45@715W`lXdAz0|# z>dx`g@^hu&`80R4<%Zjb*bbMO5yKm=*1ilLa7mwWgtP8ETM4f~WT5`5ABj6{3w0$N zcvl=L_dM?G{NfW&NAAI`FN7|oVGh^S+WcHuHup#I-sSU-zh9E`K<>=ry8ZpCXgCXv z-NHZMETo-j0?tBa;{PXRB!Oh-K|(sH_y}yOWDtZZXC_eP%miu&OW*@ieut`SMzlKQ zQKYVH$R8w0yhtCY2o6amMEVI8XMr~ec@(vSB@n-;KOz4?TI7YseB|#^3rZqOrRY%; z*-7yS(U2D!bCbUdjcRdDjg4w?KB?GHGg;C-rM_AJE;y>iIW;&Oh&LcbogB9j)Khe( z(*!1Jb}2U%&Xnhk)SGd#kzwdqdgMKnIkQGt2skK(<)ApA?rvangz&rmeb&%+H`1=ooY1gP zuON+ca8Udz0#gJbX8;#=QlX(P1SV>U5!oaLNPpDW5YamPZ*sw*Ed(ZtiGR-<<(?wq zYdL`Za8Si5{wER(6J@)U=M4+Q8XTgCrHZhj`!RHd`47+AczVO%y|AcnQ>+58qTxZK zzD=={i4FaM8xI8hU2up=AQ;<$8znh7902ps*c%qbWG0T@PmaLEhMT`94#=QjUI=&^ zFbP3UjfFE8$O8WTrlPW@n5axab~YSj4p>TXIK(v&h!~R!4yDx!fr;9b-xEh!4ag3M zg(nY-++0SkCTOwIDXIx%pCb{*pcS2>nsz8UGYPCk=&&Q2EB+fZ3G#>ufYpSdVBP~= zf>EF&npR^Z)M>&<c*xGJO>K!-vjCPDkAfB&lT zfCv>R{nU{04^>Fl?Kk+()}AsobN!i~k8G`=61q{~(H10MCd&-=7MTAss3v36tG{ zE~0M<+;>Ke`|Niaaj)+mNFr2jyxnjD*Dur7PsGLz-nU42ck_jX#isb3n^SME|1@M> z9j~pd%rYxxhL1X{-=ZJ5MW-#&<}7d$i?ja`mei5d$0wNujcpb_uKU^dZ1%jhr&OOG zxL@IF7BwgJYoB$F$)g+xMT=`cN-udmzVrNn&oq4_-E+4GP6#iH=T;p#Y+87|q4fJ= zzAb?-K6HPpe(k9I&120Jum_Z!KBQ=*aluJ3@0U&;chg;wpe-r&7L8kUfezKnRv`Fe zwaBfttXujHS&DBNzIjn1RM0o_Hs;xxtvYh+6NbMl`t!y)TP@$4kZ?`V^o`TZThkZR z_ZU8S6Sw>0%pv}g*CY5&;oYpuqNWMdW9$YFoYBu7l)eda=)zT(%D1n|;7L}#J3l$6 zghN_!H{pjGYyU%kzJhyN>GuxinkQ`S`?b=yLi3*7X{qKj2j_~#zj`WPikqLo_VeSJ zuzJ7J%T4&qE7JaL@o}LKlze&mN^A`0VwJC$bO&A9aqoo8x@hAeKJEe~`-XsW`GVn@S$p-@Z>zc} zgc&FaS(pXgD=a4`hLECq|W_pSG>1{i{uDh?P zUdH>we-3}ut;_X_)?=9((f5OIeRq|(c40L~$|}Q`ocj&pdyVFCuVTb*|b4kVv;YVruP9$RWB`97(d@M&Nx>+zub=ch;;FP*bx z)3t!})?;lOt2o#n-I|&sk2QJTxMf7fT59XI)Q+Uw2hUeY287F8l9_gxEx+XUV4C#9Q{SCLb?{Gm5!G4?ULGIoa*$pjzRj;1iJRfAR(xl-Q&gg1Zs2%auo{f9( zn?kD&kzkY}ly*p}!J?u5Gx+~V+Zm|mCoXVKboNsrooCye@Tk@-BWg8bJ zey7{_8Ch?g-rsZo{xHYz4g3t%{yY0GwUmGd^{&v`Bq0;N4u!T z@U8dTDDu2zE5?62ey-}*jo0oiG3Fb1$>n6@pVpivR^8IFeD|4z+)uX^LPw=TPL@1c zxGS?O zj?+;idD2*?FlpW>_mtGm5afuHQstu2hG-mN{w_Ak;|5(b$Oh(A=_{n(a`FtwR%nkK zX>~E@mQwi$c<3I10on?Mj{r8Ij6*|x+(-+aIk6!kIytb*rpAWDL5@rEgq&P(bZ(mD zO^7+c{hl~^c{tey<{?4_18yJ0C`V+Zw5D&*N8T2h6BN(8iiRwDFZ4Q#Lnhgitpl zYC=%h0lM<<_Y)&WPXj~bcz?<@q~;_iJChJNDbO@Sryq(ABf#Gu@0x`=?4JZq3N(^V zw4rz)E`iYoeQm8k*He@Bdm@}tSQ@Y+Pb|wxg+KL)N4qARY68lH0zfFxNGVZ=0+b9r zi|MWjlQjN;K^+Pvz8&H6B7G>zaKfADQfd#9GhLoJdv@A#0!_-p)7{p} znR9>hdt+z;D#u$qAmu6L86i5Q-EG6b$<&4g&jw{`_H#(&E`KhezVVd*t9b@`mFs+V%*h?eVr$mNw@YxFMaCb|2m!x`sobt_}VM$iOydq8C#kEI#AG$s5*N9oH z!5cOxl;H01v)0x0s-#B18gX@P*OMCJrAuTz?J{1}v>@voQ%jzP}jF&-aOw)N`G`J#}<9zEf&&(~UK*wF7f> z5-|L#p)XB4Q#QMsNen1|&hFWnmNWAj>zJTL*TzsImt1l7)5i=~9b#i$=it=N9sSmS zvva@fz>8#oPx`XM+)CJ)udC$-_j`Pdoc*1!{hDiYlIn~Z1119k2AibIOP#f?E+1YQ z+;Kyv&mrWkM98uBs2AH84|L=A@X6}cW(q2AI%f7U*DpTs>cSv3_7%ADghZt*pW=EG z!Qm7FkNmV|Vdt8tA$*_wJ5DzKkVo#((UIZ&*x^Oxg0AnbSa0uG;V&JD5z?t|5?lRY zoy_9S`EOYw(jI=c-&$encJ5(uPG^_?@($t7Oi?LwvF!F4qP~_NN<=FKML51*ecEKy zFtl#$oBhtS$BP`kEZCDjOGU4vHA3XLLdRIY+8#p>{tL6~IQAaN_?&z4!sYqAg{pU) zmkzj_=nDF0HhJGVHv7YMVzz!NAAdI)4V_Qu0;J& zzTs#5=U`#Wg$iYNKYv_IIo1#hp`a=ifo8H%S;Uo z4v3&U1U@$KY7iy0JRBZD^~hk_z{h!FBC5c|ZjF=-6tS>I+;@>2nEtw)_U zx=fL@*GwjXr%`H=k|3I)|CGSP8ktZsOdR%)2|SJb3hjyrLTKPS6r~8tD((KpZ0dLvuw?plMBqIuwZZL|Aet z;Z8iaRG4sUZ~zF%!74==%IL1*fLnrreGz5ozdwRNuK+(Vu;xG;N>_4B2v{Cr+o0AQ zG?EguX+p>_z_p=|m#)*@#94wCjlgC=E9vOYz$Xp`YznF?v?qdw42l*n23&UR2s*ck_BGptL<+AY`1ZfHFDq22BOY8i`ovPMI8x1GBv$JD}J znU_6t;#+xjUOql(TC=fss-|cdpYcvFz5Nma5drqIgTkg}ZwLE|hiq{kTg*;4mV7L_ z%&(hOHgYPvb*ICVoti!38})AYoO;2xEbHc$-WDh4`MO%2*V^vqzeu`B=s7$k?jFB| z(PFz^qnyG8Yd6KqB`bdCKc6oCaqr%d!?E~Ue-XYQ2{Hect)`-eVUK6#C;e1RIm^oy zqAcM$&-2Q>rSlFFlav>yy!5u^vp+A~-O{B~zJ7smYLwpDa@!}zk_XDCj`h^5>et3U z$7of?a(!L4_$D6b;VwRuD?fAd>sha5re``j?f>P#8?3=+F;}(9aag0U(eFjlEnhu% zRf(2^RxkO^G{nhE?mK`<4_s#^oq26P`xR4_HK}Z_wWAMSYYPc`34Y;?wz^*TJeHkX zYt=9=olPTd9}Wqv>>BH+<@>yNh25coT2- zpS!T~PD|kB%mMM1lLhN@-}BiYo;uHGj%V|Nld)9>t{kkQmb~jka-PIqXQ2|9DJW&tZsDPowQd!>E( zvAbrL`q$Y$k2!9+czfEccTar$-&Z}}#5tQoSg-t|%QcsppEu{TYS)CS<==BwU86YW zzj=LRHkVp<3C4GXc+*5$9M2oDU*r3&{K$c(`6nc6rCIaSesOs`OJ4A{!bi|x^|g#% z$J(3+?TdI$IEAm%2S<+XD^piC zH)<}bb@?(T%X{jP_B_p5>Q~%?1>;^>x@;KYV>9?X7_aYg%4_?M#TT1&n;wZeZ}4y` zi)l^#zB%Lh$AwP8gE*6!I-k#!fArX0J~!fB;D)pA4f`LJk9p~~Tij9lo{RU{SNcn; z{6OOaQ(@`E2oJ7@W>u{;fbS4o2$7Kj{rqB7-CvPPoWG19EnQ znA1ToK1Q>Ka(F|dk|Cv(q)mG=wI7X)g?=b{?T10EOa9CT>ac&T{b;l)XhT8P3f~pC}VNesf113O=0*Xib(BXgK(& zL&3;H5p|kq81iUCkp^F2x_}Ze4S^kXDD2=^l&2q~NMBx0m|^f-K=06m;G7E z%4$JQi6Q5ZB9p8@Y1rkI3KTrkBHD#h_tbRK4{&eOe4apLw7Q=Pj^ zc?Gf`-4D8@sT=vVdlg^$^X;X1>4(mW@l>Ah&WStkt5Ns<(_8DkK30Vi_X2n4+q;D- zb9p~{D1E&i7>iM|;$Gb5S^FKf->;DJaPcngzaSAynqHQRYona=-4or6TAE%eId#=2U0v&DfL*<< zKk(X`n|e2{c^aVU?DUvtFO#wPo*C z%RaR$g z$gmskx{)lau(tB6pfkHfd55RmZj7N`zZo;5wH7 z**fyYd6ox(DcSmFyVr_vZ8^C8i`@FridkB%;(J-VJfkqpefFk!zuFI}38Ut`?5-+; zb33~FHe!TCLvqzWTLx@1Q$BXSvJj)WcIMVke^m$qQx%}zM2D5LCVUC1qV%*T)CISD??O`qF6Uh3z2K6^B* zc_>fE-Cm2mJWtTFgKgobtvStK)~W0d5q{j266*eV)u*k4Piuyr;>;fIACTMAzN|qj zKl((|;5`3rc6u!ep5o_M@0~stdTQoPN87{u_VC;iye_VyYVvZ8NowFqBku*jTt>&- z@B8qvE#i(nRF$rOjzL`h%=VGx98k@{iMwI`opOokH)if&bs<4 zZXQ~_Nux?3Ct7s%CTXQls5ePM82Fiz?WaVz_;)!_c zQ>+L7kZcvG9e)sOAaZp{W!oxH*|rMgR^c$7q_IHiO^OyoUV$vU7on{;nb$vBBPgjo(GnW z@a$6o1UMoFlPU(2hCu@mXe3EYDV*ft86!eUL#@)0^bl?iqrwTLN~a-pF()>-gHS&H zuF~a!X-On9LJ-i(bQ+%_ro;v`a~)`Z=at~{W*B6w>7^A5-a6Z3R9zZkFAAf>$%MRAh&d~af`&?OE?_-M&C zC{6#Qy=YfOJk&7|$;5!+tI`z~69UFT&t42_z%;yhw5uYva^SFta#b2$JL*taV0b|4 z=mVyqoudv#dd8xjgV8jSLK`X%;2QyE1m&u9wdRCrLX7H&pg=?!I{uUj^{T)>Rs`q| zWhkTP5IPJ1$V&ep$|G&c{{4|aJkt^c*7nHxy7A zpfn6cw5uXpFJgu;F<$5?O$T{QxHmvQhJeu~m`2L{5B1`>b4gjPaVM6OD-jW1z@HmI zB|O42_CFj_>bF9P*lGMNNi+I}@I$vFH~GXe7U>L!)U6P+3$GAw5z}q-f8}<1O)&?T z^j6szVgESYP&V+@&~;ggwN$qWh3%#IR9S8I@YGt?43ur_v>WasH{(WxVm0s zw7^~T`R3h9Iq zHO!!#=?+=htJie9k82`&)Di9<9-rne))egSI(c5;6MvYcLd=JKD!UKm#q_Cas%9>p z@4zv8Lm+#}hCH9#^OpkxkM(~EFJSEo+TGPGwJa&G*vc?&j7P&=#d-Zk^=Be_s@uw+e@|_$d?_}anO~lyatn$=m++ zeKwv8{dor6Uhh5Dw9+f0qmDCd#f1j@mZOdKal78V!4(c(|CEh2*|mbOLOWZh7ZJ$oi*mY3Pag))uTj}|oAK6;xuW%=Wf z0_|*x7a<>a2gwYz+6hH$KmSPjSF&-4Nn?4ki_s+qUCW9+f>oo7IUjfLkMr3!^z=uV z`@GPtMD_%Oz!_l~Ceg2qUkfkfcyvL^H|!yQvVy|U z{LafQe6F@WyCWB5`CYhn&oeJW%xe3>{HI^KcXaJL+@-tgTSPxGrge0-{K4pw`K~u5 zoLNe2X2=SaY}0#KbiuRY6uU{%gO0beg}L+Y&q~tES780lAC$Js1f_-}((u61YdG>! zq^;o~=|;-0|5U>fshw1jeV@SXuLh2O;-xIV*y9iv1Mz6DH;4G*RsSP(oQ^i1T`1o0k*AFk8mQ73Rhp=gjZXlXGHHO!L-Ga~Ipq`` zu|0<5>)&rE3UolEkr**2G*A{15xj*G8V0&=F*?^oi;SkX6Ox6J-z$?SHHmb(9@?S* zP-+svA^cBzNPoqDEHxpriFL)q3qk`CC=O84ULswCFuI{60W(T91IkQB@dEb|u|ArZ zr$fLKtAmMGMaZx~>P8znu}Y;IiifTP@cy8?Dq z+*U@9AqM0T3Q&*Ie^)yG`NZ#vfwl?=c@c(X z{)}=9>^z^N-Aa#R^J+4lEI8{p+7?}VWnuBB4QbCzGJY;w_HykmVnhBB!O!LrsZ;F6 z(i*EDOXyUlMtbg?}!}lxib*v{+S6dz2oeEO8|0p7*v9`HX%7K4Y<&rMyJR>9>_Gb_s0?yCHrbu`nn^_z5G zyYx|6kLccpcEJ(uR#(pGgY0E=4 zCMV1Dg`L~WuQ%h36C{;{AB5H`xv?HI&%qdV&(LKL`eIQrB=hxc*FK}%(>0f*)||S0 zdj0LIRT_`?DyJmH*|+xZDcEW@s2Uq!c&lxv8_(mfeJh^X9d>EXyS$5Shn4tK?z+OF zs1nYQd;uGk#!G}UB6~n)ih1M0GlsU!!|rA$qF1jLo8oWres{&!qmjzfiYn%85uV|9 zI#o-drugBhcXd(+LL%+b9%impxo@afn?GEzp>W2_MLX~OA8l6x4rSN=BO#TwB7`Uu zVHV6}D?1e-q%0{*D%tlfBq~}&NGeOpQrXECDygiM%9@ChHG7o)=Na^xd7hfy_nZHB zUEg)hJGtlF&pGEg=U#rl`@SGBUKXz*F)8?Amyl6h`DRxv&%4z@a*~tR4I@t-K3&HU zxZXHFuH8?tSE(@O)L>Os z!MCg!KC$y-ev~0O-XJ{o&;2@Q%#kKf=MDxE$D2S(_>YeFLK`)x7wnvOz0gJtN1(7k zPW3`RHORc5|C>2C8~hW&=Ldg7h}J`YOyFe@K0vpxE^%HJN5tZxh`mZVSDY{d3wJ(c zbb~6nLeR>2%HLnQ;&93zj);jw5#68^2pU9G7r1MLlF;P3t|M^Q=C%n%rwwY=1R9tD z1QC?B1P#^zmJ3V9IRbkV7QZ0uTZ(E1HNytItA07+7!diFmLlWqqLAV~gjb2Ox&cQ+ znh;x=LuL~atz=X~a@;7`9BIK1hf*uxXMd%mp|Tg`78EHRJ$Kwtbk@)yQ;vsV84I2` zNV7_iBQqmS8&SHFB5x=fq-mg5JfIE*fzu3Xw}OBanWzs!pTW5!nXRQMJV`8bxLe1r`wWMSmB+Adq7gmI+DhH>q-P=fa#RB3(h`CT z-7q3JKB6ReD-j8!I3idoq9~vYfV?Zhpo^_5BuOkdrf?vrk01&Qe2~m9&=r)vM|@P6 zV@@IpRu3e~ks>wVRQkspL{b<73eG{Lf)EsjIp(CJg5&@WF+K!?>ElR6B>(^g+{*A# zVK9ACQ8WMrKo~9rQJ7;+GAbH?0zk?eNp$fMf;3HNkgNeTVkFVU7-u9=6sQ6R%J3tJ zlG{xv5VOZ1#%f?NebQ-~D|vu0C=vVk-$x-JiwaU(_b)NoAQrx82QEY*05tNiqY%+G zPO;mV%Z6q}oW1HZ^)=|1pZ{^)=F@u9&I8TQm@n#8atK!pe0=C9LW8Q})wqnc6Dyb&zB}4m`(N;J8y^^v`XXKBM?)tVuv-rW9YblDG_BU~zwF!y& zY5C1z;skz1D)Au5xognQIEkK7?zM9L8gz5zM_!il9o+G}ZF*dfRcL;$aF(C3Q}yHv z*lf>St$gtM+SQW7kFF0N59XmN?4WJy*IX{>pYz&I|ET@Bq|DIDYV#XWLwH_~FusoR zhK~Ca$p$g|sVvlG+oW1@a^FVv^=v8L#T9AN)18{7sP@Lz$!=vZ)yn1c=Pm529v(d$ zK&#WhHtIHbXe0WZ2BV+H#(w#G!~J3%jOLe(Kc#eSLK!fWKVS(obKREz&fRRLK~-#e z75m;!97k;7#0G()<0TKaq&mwrv70!XdzhbM^bbKrePyA(n^P*Fz4l^bJa(-PcW}H( zPx0IAXBpYm40-!4CsGGSRU&Pi^d{Fe_N3_Be0}XP>B^}b-ob0c%~j*=Mnk74?KOWdTK^EH~h5_L2(zp=&S9xZ(oGh@`_v?tqg zV$$AEaHIOY@y$ms7n|GDcWd$;#_78M~%r`xy zQmF7$Z^D1tBTOw+aX)Y1?YDZi@Z>nAr}$W=_^pw3ibHh!3|Buqsqid|_H0f0QMZg% zmFSSeTIw}N-P|{vJj}md9J~8vR9@=PMVH8^yGO@zs++oJLg_X1V+F6Rw%^VBQb5gW z)$DR%XU*UN`y0;R6$>S)S+4JGw~OgIS?vEQzN%Xz{;5+%p3cNtEx*i~k&))Rqe=|x z`#AZ>dbDbUM$nURP0p3XhVK;x=n2r1bhdIhAz7ZJVd^iq}lG-wXzL6|nxe z*GonRbGF+Z)N=aKW@4t0)795<{%88T{!*umoploaDidGdez}>|wd9P=1##N%I#hku z&0U9w2OB?c{>H1o{Q1UuTF>bp;orxc4fU6aw{$-X5I|iHcHH(hij&%FTk^`I$FaMQ z3V&Go>iK|iiLth#d~w^y?)se6i9QLMA?K%R$``V`m^e@E7E3x-bt|~0;!!1=TWGPg zY26QFR>vcrle7D?em2ov=~$`Pd|NwY-2{6;CS$E{I_hrW&ymA)D+&tYj5>l(Rz-V6 z?0j4Qlj`{e@5e~-3IaB0!C;v)-eBuz< zTSr;l7GfFm(E7iLWgx0X#66?Pc9R57n-nPMvQR5a5)^R-HD&+o#39tmntRPCI%^=G z2U29fD+lFwaljM90#8DU9O@sSBj9cv5u%YI(}o4nD5y{3f?JLyH1YlqZaL*SCJ+!6 z$MG?bOl;@bB!3%(%FT)FQO#UjGf&3;c_Qoi(q-YS30#z!09UxHJ zl598wS+~XR9z}FRfglABh@8UBS zNfc`TA%Rq<8Yg`>l>q)ks#6W2SjdR}HbO;qntmIh!V@*EL3-BTMyT*aJ-iS_ zp~kC71^poG%%7hXx{Rcdsw+SYH8P^0wg^;@1s((Z|7Vau)S!Q~n-6G#M3cnd2DEDS z89B8`G5fx~-*MpCu8@unywAv*3tdydTc<;WoM0ID~5fQ+xIoeht+$Wj-I$?A-ifxB_#?LqO_f$5!i&UTDV-?`^ zUhl^d7pCSHM&D7+gPIVC=zJY}PxZ#bLw2+yOgyThb;WcgN4r%tXzN}Ut^0whxbkA+ zjBxGiX>7oI;hn{_rv3Eyx6TN2W(aYZU*Vj1f3?WH!a7?u=WgYfQ1=^3oQHqbaBcFL zl<(c5fj+h4q|BD&u;|>XEv!EJOXb^b$dz}?d{oot~Ys7(Z^v|NCqsKv?ADpp z0~>cTJbRvgjxAO+BlE=Bp?k9aAB5yW%CtHnB%W;EaJqAkyN`VOxdRoUH$?~h8zl!F zw)Sc0r15*acl$CsT(MtZXXo`TY2CBT)~!rET!6IU_$tIVr&?LY_N@Vy3yI^i%d7};k*(4WkqFZ+C|eGE87b~ zn?fod94KNRKk}Bdc7MF6 zyZuu4kE@+kLD-$&6VuMU3Ee0?UQxZ5-XewSPDARNTpzIkejH14&dXglP3|jO3Ndv+NmM_Nsf_K^Fg@w1o4g{JQt1aRVt19;fMB-rx-P%g7zx zJl!zSk5jXX2Q2c88P{UKU>3hZCxA zz2d#KP0hQ1n`z1ZD8=RrleF%4VpWzJDv2-*@GdoEw<;S~V_dnK?Mcb{m*434sJZ$P zqIY;AfcBitO&YzMJ1>dRMtA}X?=R3sNYT6bS_>FFfrkJBa`*)b4}O8dgC{`R3IBu? zb)!778g%#ociBI=Y|yL=GCcn5G$Z7)=bmZ7q@jotBLz`Xz>T^+kTw73orc4~3c%xu(8v^-HK-Gp6!0h)78J1WA-9>FYOo3e zco+#|?wt7x*aWnn{xQxVgOynHH(n_o#=syI1BNPSE{x#i;b9C6m?%`7014%fhcPf< zqM%+0h^WHtTs)zr!@|ZwdQM5e4uTkIq$VUBY!8(7H0g(J_R6>ox0lQd<)xMw% zz@=S}a>G!=1>=IbS6|=qNJ|Z2mEN(btgN@$?_pQ;#@4H@yRieCsJfg=&kb}b)pN5r z+xXnrC&Yel`v%5kY)3{y_LZSNh>duh^!S|cY-L;1TY)c4S>6}BLs(?)t1^x*ojIVB zq`{rCv97u-=Jn`x%d6}XPIAr$5v_bCV06ygP(q{d`J3*o=ohuyH+2`sEe1Ts&+v zUmP+VCR4nJlV2RU{&;KjTAM;Yxzug>{ySQ6wDgv6`Q3^Ce&@77s_~QOvf3@_ zZnXJ9+!|$mW(iWMlMyM}PTZnLxb~K8_jMu-DpSvCY(rK=WcBOh-2s{38(Q5=^)B*ulsQTF#94nGZ|dE*Ryy(IJ4r{n z`rFa{{AbaI9@lQu9@?C?~XgY-^H7NW4m5?n}#Vm0Z>n zf~u+O8B`u$VX`8nuxeM|3?;6|O`Aev(4 zpTqJ;Y?CHRhI@GWT%YjJ>GPgAJJTkYbTUxM#zZv!Tcv=SL|*bCPsh7SCx&a#6@e@{ zTgK_4rZ!}o?{qmcOT`f}t$^ek5OuHkjc+i=3Sbb|wREy`aXf741g!Zv?g04`00_PT zo=|oGvim_uija246F6efHw4BP;RAFNk#Gv;1Q!k?idaKZp#KBZa&Ccd4GP%+8XKA9 z0a6}q?pY|R8wSub!T*2hMrhR|Nyc44)@?Crlp^zn0X7eoz*7e_e_;DyfSZ6plbJV! zKEiVgPT6Tgff_vonmV`+q0%#;j275fe>QMY5?C0$A5YZ7hBDIzr5_jZ)G;WK@*|T_ zMslWzI0b|YeV)Q2zRzes9{|JrHY0>50{z29e`k9W=syeVgd_%f%>q9H$@(C|%Oi?P z1Dq*R0ss$d{Q|ZS;ar$|PKf9Yf%p+%n}BsdYA%tA0!IicuSRNUL0v^jyc1GMz~M)< zvxrceNKYy$4XObklSd z3^@-Q6)F;gu$4gLH<&|3GE0EZ z=j8G6c%Ku^`|y6U3eC=S-`w>>yg0`xm)dXgacLRZjv1roBctAqZbME&iY$`_7_)8u zpJ=ek*pWDoPT5_4PRnC8$Au&NKG+x)VZ`Zg+of&Uc{u)6R>q2CUYmJDAO@oE}yyXtmb~y%(hEFK5i0-ppX%@%Y=v4=Y?*_x=2Q z@S|G%sNJZ+;2xd|jFY_f?DdYdD^zLt4t{iaUtDu0vE#z!C)#wcH{9%T4!(Nu)Q_@+ zS*0FY)b>;^w#jW1g|gh7{!~HQoQ`Q}59tdB2RF+lu*;m}36gPr`{mMB$4t$x^H+Blm|C!U^3e-ZyEbI)r3S8)L*MI9AkUUt0M zXj3;Vjw!5%x8~3VD#n#G4Y;L}(RPQ9gf0o8UF*J;s#4w;6hwML%z!l{3-I zeig9$oTbOoq)5$kxVy?yUy71>@lk1wY-2QuxeT3g(?9m!y?&f&Jn+RX1#`W|cHtFr z{-Ti;HeNUV+cpND+o-cgQcSB|Ryq0xe*7K1oKwF%GuJikw!#~ETn%>3`CHhg`HOCkkJlxGr)i_ioNES5y8cs(zBCENY98 z=B4Nzps49-KenGs_~xqG!x<_4nE_n>^45<6#yD6Cyteo-R1cm{<3_(d2db|BxcTns z$?N-{3|Smky|ybS$g1^YmstB)+?nGwX}Qgh?>;-H$AA2(RCV1k|BRmv!&yqcGv(de zmigKZy*N8_u`})CeGzRTuW0eOU0@o5D+37}K7L`K}qXUj{kJHrpy_YS2kK_X(04`zqkvV`du@6MJ zc>h~|1i!$>hMI!U`9Sl84RCzVnK5P=^=_^{wG5x6_hHv}dQ;lrH61ipa` zAHp{azYL7v`EM3}c>!Auv3sC@BEmb*>9$~tP{i(~oSQ{toKZ$MaE(H(!%@HO$>E^ z0F~Y(p%U)E-jgP$8y40eYHpuXR5u7Gjs|PF!1a{`)KD}zcq{_fcka!jtZG;&Gz_v< z3oX9@loE>~lYc>?NCTuGrMH_Ta7U#;(qaLy2#N_qnTQYBv3J)sD}|{<_#<%RGs)2 zh8^I!KwX1B>xPu`CR{5Noi-5v1FUx_e>)dLf~x8Rhv3hup(NnN&WYPxQDoXskXr_T zfD3U!6do$EN&ZrR2ayPuFGc4K1(L~@sB`+Zc9sDB8e=x?Kf1peN_ zD}^Wu0dx_f8w9@J9|fU64uDI+10zK3F_6ZT1O##nQcVFo5w8GI6u@(_AjtwBl?Vfc zC<<*EqzZ$0B8)AfD2UI2w+vxWSmcyw8-c!bz`BCU`XPwIB2T2E;DCU7eIbZ0HlC66 z#e(-2590a=qOd3?$*35p7%`F{EQU!c2#htvs{MEv&jC*&3M!L;+YMTrA_Z)}QEe3)5heSIw4+6dc%uqkZpH`=LE>cl}cS z&o5_iU$w;DLk@8Viz;9Cdd%;CrbGQK{kiBwjngMoZ}@PAMwIF`TU+c+|Bkxc@L9>I zCmV~(KGZ8%8{so}`}sN6>*>j2Z?kuOJFKZX)cQF0xqg=JAk!0US@pv>V~74_4bGtrvdPNh#bJVW0#*xm6tS<}bykoAErr&t6(oLrf*YATeGn?X6xxqe#{ zuJTDq(G}JEtyQZB_aC->=FPpXL(bxi2IHF@)KgUJju$J|`Re;%2b2fZ`Qs(LG#`C! z-}-d*+9mlH51iQGvbW{(+o*wAKmOXy=PlTB?s0nPUG0st4JuZ@yS_S>b26VMg?d!t zh)R0Ej++J-A1d+g;H>I-X-{1cw9_eh%PEh9xSgx$k5OrI+pe!Wt{Is!WBahz$tRt`AIv>s>jpSk(Yt+02Z?2Yd9wKeigXdXU{VeH$n zS3DEj^lxxEZ}dwZfAs0f&jY*7K3vg-RT6>vjpw{PR;65{r*>* zyC21JTS?cSxS-ckdE1+|-8hPB@8y=MHO*IE&3MY}YgW)W&z0FicW!%Gi^7y~gB;%u z`jculcj>N~WhgMNOXDa!9Co*9Iy6EQBkg`vw4nSx6HqQ>;$H~vE6{DR1ws+spvt09 z;rm|^34-DDpO$p7xl9?|fGYtJLKkA1C=f>k{ou%KH+UC9tOQX<8sG(hnVd^`kaJ;y z=;F5sE(!ws0HGp<00jo3i#Iu<=x@;BKy>jYL=*+BDbT>QgxSWB+xAbo07(=y+W?_q zIBo-sx_EmbiUNhD5&SG5x_I>wMFC3&fl>=3NxUVJwSoLXP?Q1zkpM&&hfI(LCG;VM zoAN-C+$3Sam4!v{fPp9p;sdTPR5<{|1W1=giqv<8NrGBLV0z&$B?u8NzGje~6a%>W zD1?TDK$P4DMgw|-B#4`k>I*u&k$Y4$NNRx)2B{<%l-$+_=srSoAp}u!TOXkBzzc^o zD7ozmwSa|M0wWAcZu_DD{10kcg&<09{{jaXkHF&qtG{^r{{MJ}M2Nm$Kp1dZ{Vfp2 za3{o9F6}e4PY&J_M_+mFe(&bphqN#6?7MS&W1_$MzMfP3>y|w4dhbSckyYhcXrIHj z!62Ho?@YYU*|9HSl%it1XZ29rnmtOC5gqXa%Xme4hhpHV+acDX`_`7v3=dpWj^BGM zrDt_;*mdzE;itu$^R_sdKTn_208F0)gz0C)1LKXOVi8+obdKp!Lkrbo8iWqW?EUT4`$1Tto&;1gDrom zt-kH*Tk+w=E8HFld;a3VdM9~BZHWreub&lCTynM?d-Pq?i=92{>z;E@L&7;!8Mo=C zsK$HWwv>MW#wXp$`+Vj@ z<94l-!3&d&T0hyNgKdoI1q7Ef+Ei7oD^~T5Z8x!h(kmQjrV*FM$}n`TLg$mcmwV-U z-}lveio$g%vm9OL5`=#|LsuK%zOe@>JrwH;V+1`mv+o+}^$4l2Anu+6~>wH}yymAWn#qU_tr8ig~RN5!*NiN14Lvlqk ziThG#1ugmtS*&iGSWM&<$(poptFX^lwvx56*2O5KBqx1^*X{6Tw{fw$TW z(WR~BvRUy{!<;wh`Y^qv%^R)}Dmv$50?(V5*_W?V*&LBB5Pnwv<(INb7MYs6+^ihb zQ+)T5GYmRnZZCgSrrZ8DpcS3N+V)19EmTl=K>T%&m&gi_E<@=8`}Na@+vTw(!!eH? zgHpFf8h0n8zNv_x$|-DW{1*7Czp5R7KwG#c^96@`b5_R6+;HLVjZCd98!l8iHXSX{ z*uy$~bx5C%dgk4kS0z!kfp@Q**tpJYdz-sR&g?d!ypL;wH{qh|CL=8_QVB^NmwP^H zWf;pgzBKdA?xo@x_p~BC^_SZkX!^>3>=n=*SX#MjpE}nMyJ$%ocfB*2BR~0k)(M}^#sX7J@37Y7e+xMZ@VmVT94``I^R+QamkzPon3JKmysb+GsD!EcWZ zRE<8x9chs3`}zHm^!J)ooLBPKjx4|Cx1@F*tvr$gOvI;|v;1HVFySB~ae(JAi~q#| z2509Shy~m<1TPvm!1Jho@BzBDAWwK6^$$KQxWx1D81T)4OFTz7AVR9l|2Rdx&0n7I ze3kIO@`T~Yf%(U!sA|6);d#~m!VyMPY_UZ}5%XUPIKm(=`^)_QD@Pas(lEaxC_8Bj zBwj6-gKcZ}dICNhzwEBp`W1MTr(tl9He`78>*KaRc-34P|u$W-3&d`pp*?@QT#(;2DlKA04D<+fYT`E4;P9~8`Rwl3-Xf- z>}o&)1tvS02m+#Ni%sPJZPp-<1K_j(2L{;G7*JUX>NST2$1WBGImqlbNrd%We0~r- zoH>3NA9)v@ltcnnVD5JKMdtv(bckIGH{MA}ByiE+y6B`N61XVvHV{gGg9%!^b>WW+ zLJCm24IpC>^o2P`B#$Zy*t$?9LIlypOOG_FBw*`8g#r;oVcrqxsNn7Z#|)Av%sV0x zg<^=(04G2?D%e+~aST#Ppf4W5&ju5`*s(%-R17$Fq(R_;bWkAr=WU4Q!$8&R;af=x zxa}li7ZP>B%K^3n;>y6>Y*JAW%alY6o{(}#V4D!C_J~MFBBTHo4k@HLLO~G)gc4mK zaSe+okmw6RuaG$TK)b~|>0i3M|DNiNg)-&;tja=W6xe)!>;IO3Hh3U2T0AP^jE&>p z**Wu0>q~XgD9c8L{`Sxf=P$GIJsvFe(e7OCziNBO%jx2r zo)ywdP@zj%Pj+)&tO~4h+VNSX{+vlhby-b+TG)?uT_TmX0ali_G8;p!ZltDG>1`Qt zOrsNvzB*ZTHY*$x8~?)OI;y4o$b=4)adtq%)n2-lnM`MVii)#JMemxey^_FO#C9G??hGo`J}rBqoo9DhO6CT(h)WY;a(DFkqjvaYC~xFAyE@vLYKJ%jR@-mb zvpPWV$_@Gl&U%yA`d;5ORw*4C9L04kF=qFPHtcg*>2&)f*KFvTfU}7SmN!2{TRDh_ z^P6Qmy*N?uewU>6feCE7SHM+okulGKi-+0yL)Au&M}(eZ3b!OTaP6(pHmx)JI^rf@ z?!!3Jl*RJ1Y|Eiysmr0*a;+dh7LY%+o>rK9(qF7v}4uqSf@mW zwaEFrlWt-cLK(I-?iN4I!uexsW6tLXQ&|t4y#yLhoj=!jy7^Fzo=W82u?MqJIWB4k z&rdo>jRcpC?sXFu^cq;J{a$Z_d#UcgORbD=iMzkA+v=Lko_?hEnEQ39o*J+0>pFKU z`!5DrGgzmK$nfZTsy&d~_uNs?AkC_P^XBvRq_(nyE({+V`!DRibJ%@+6xkI8Me8;Ke2SY9WA)#VOz~8|D15^?Ktt7}5L&D)nD-HqG7F!>b znKh6N!UJH@FVz4fSprYaTt`xE@ts5w)v#azF(7#U3xW*H4FKFCv!DpMNCH)dq6-Sx z^}sm&aMTXK!5fN_@r9h4q z%7(!$VIqV%lBg6wVM_sD9zk^R8-*kax^@yXw`~{*J0u_uw_6LVR#Rj$>%<3l< z1@)dJ5OZWi&=*97Ayz+P5{C%hhbRitfdHigpCtmabKw<2lEgw~h{217AiCJBMHB^9 zu|T*9NfhR%kjxSm;7u?H{lu^mq-bt1<#V8;1wR`LaII+Y4kIYM`1nUu7~}&nXe5t} z6wwVI6^b|@)FA*0liN(7d;t{VK~k99X2O7y07xavz^IGQAEal+fIt(JTSb^Am?uaw z!%zb>DMZJW6w?ixCNy9sKt%)Lqr&sjB%`80j0cD4f5N?9QcwxAG98l(x8N<)?ar-aPu-YH*PkQCLZMX4c{WA-WfHhIeY5CQ+eVa7d zpu@E*?t-AucJ-p6lD0?#n!BL?nb6Z0&l*yM_M8$Zr`d0scrw0>DU;XZ$OA?8TJ|VM zwN#N5W7TU}uD3<$EPDy=Os5qyZf8VMWrOi3O%=fEg_?zcDwYU0LP9p zy5Km|8l_E!Bb@4vofaxeDy`8MxLlrexjv5eLbvWXRTi)2aO9G!f!v#=50;6XKIoJ2 zf=S$$C+BV`CnwdB*<)#+Gvm*$|7f`Pt5syBrh#~)!|`wOJ2^Y5vPIdmbhECgyjsIL zEV8w?C+hW;^IG4;zDSh$-&?JBb+pOZ!O<#t{QGt)he4OoE&5WH`+F*fRo}Q|U76Z6 zVk;nbi|3e7u}WE=YTGTTb_eYiTZXaMzPG%8Y?1c75g3-vvzuB%Rnd0kTIT-Xim7#s zVmtyZtnW7ViLMuZ{Q|`}qf=GLHyBz4B=7Q@>_$#m+-DaD-PM_|N-`}FyZ0VP5;YjDTz2W!;Bm4H|qwnwO zKgjf~w!WXVq(y(brOH)(4PW6w#T%W8Ij>}w_6G-wNsP)gSG`*x-SjSQt!HSs`Xr| z!gJ00_gKf>jZ1cHyRkaO^A4wt(!1u*>)j5@`Pnb?J9p^KovndBV{{cemmlA`!+y_l z*F9(XD)>K(d`-OQvvqKHpovo0!~7rT8#gvs_m;dUxNPC!82PZjy50ZP=GRj4&KDX7 ze!9r#*M0W3@=Khpqpfn5{?ukF@v_3%agB{{{`0dgc5P!*Ev?`RPLjDc|3bz6dHJK$v z%HI(YhbS^_Xepoz2v|b_0W>iE(9)2FMy7Bx*qd+QZNzAfkt0>e!Mde}e5AHnP;9Eju# zH-m!-W^5CQBKx*LZ1I~19}z0!2C6T^ogk1!h51h;14@B77aE}e92gX4qLYdOLZKAE zKf-KJ5Ucp(3<2L3c+^k^ic}N>{obD@7l;CkIe-_yL;<~#+_QqjGJshlNs=2B)HMT* znJFrI? zk(CX1qs^rvf4Aqwle;ZdmfJPQ_t{>(^DH9#tKEr%$>=ru&ws>6dq(drtyT!V*ONHI zvMiB4q00KE*})rA!tJ3a9x_LiP0=Y!FfAQxE6v@ZNNZnHU-S7@2zEP-UI$;a#)CmoIPwO=FP z&(gDEYK_0MXJKIW(}P>f1oz)^c&aqw9!__D6^AUo+UDlh-d5{aobBt~DHoL5(K-8L zKCisWS@AsTN3ubhO5IrA39$_JQ#WHf>qoDyyjn88*6zgG>@;n${vcPwnS;KzH#+jz zYEK8d({n3kUF*Ekz<=h;olP8V`)lr-#xyV%twfD`HN5z&yoa4z_f2};+9|XBDlOA# z&-)%3P(2SzU(w+!cuFnpsBq!Iq)%T>m7TU~9=4FI(ohl&I_^~a`iFsjuIAO@ZK$Y_ zJ6fZ-t%=9!b+5+dMxknTL!JyzM@FB~;_!2OCE8L>JtO^`%PPb<&%@(!2!=I3f*R|{K#!u*||kFnAu*LRFvsef9O$c$-;S!euhyQXOT zK6k?IeCW_x7F_s|sgsAM>EVqtYQ{6nmiF4>tb;1r7&l#Q-j36*_v(9@T57iP*fQ+4 z?T%~qjC|^8$iuya)sK6+VrSt8cQ5qO8?U)%PSy`ywmsq9EHZ4dV`@04>Fd+?R?{cd z#B{H8=BCi5$}6yMr(if(1{i}bUU6;Af$bnzTgaol_$%XR0)Oy7_F9k^|VKO>EN4Hsg)#sLOguX(i{##FU(h-`>S@=NHFcWLy5Aw zfowM(g7hxvh5<&g6ghS)0)rHU3BZX*QQaWmER>=8r5nh9^4wK9;7Ux zQec3O2wYD9C5lPNxHV3x4p&ifS`126#$iX2u34y^!{t|+Y<8q5*~ zLJ7=cD7%t;H_}TvuS}{HE155M8`+5k-H~Y8!|y-dISYP^)ce zgkn%Ybn(I?ih|<|w3SB)g%HtW5kaikhJaK#~QE zYXQ0s=IL((c#TBJiO5s(9nrp8Exo(0PG5QEE@5C>$st_z?Bjd49XQ&RT9b^)|cIG$ep3)Ru^pOm)2dmdGIig`;k25x3z9j3~KBvObSAAM!i}w zBXQ?swL68e4p;U+QZuP3YSg&$sJeN~l3hGk=GJ46W2+3eHJGOiFr7^)t1gN0iS@p^ zdv=#_$A*yRDQ=O3Jvnj4@0oLGW~7xf*rz_HU;aFnC3e&iB1M#^^^hpWxH`?@7LM$EU9M_ymhMj1Ndd=p+p8r?V` z$~C+%T@>By91!2fITgF%-O3e`SxFV6_nrls^z5ZofNeV?`6Jzd1O(stUr76 z7hPwCEW@lDuecM=h)tCw&Zs@#aiHK_&q?0eJjs*ym0RLnHU|aPIdy(Zi_Gwi@np6z zm6z&De?1#~Xrk=<_zKQrDz)cuVW9Jd)`lzkqwDEpdlFZaUygQQ;@iVbZ{uSkpPrt* z;h1Apde_JlH#d6rnd9qE7`~(1m$2En*i_j1>MmLKuCajnuvQ_1{b{*&`ud2oF@4MF z*5+%w$`y+oS}J+JK|n?~@gALZcw$^hYztQA77hEpvj>gObak7o;wab5xJUoqL~z@a z!8h$2c6uG4Q7TMh%D^3L%%w?WaU2TShFv8>U;J!D-?Yg zNV$M5Hd$xz)xhP^D{UM1thA-L{k>7x-nS>TB=;0Zc^ohJkwY(QcpS}_9it}G;+xgk zG}=714~<)Ci&}SKl5pYQDb5>Zb+UyEskS%Hy#@%~W}v}ZtW;+iB7J;43DI(Kh^t^@k;#iw5?yHtZt67SMBnOK#F@2VX5XE4_Mr54i2`s z!2uQ=NZ?NRk8v*o;Ry;;5lBdc4-4_C1!(^QLJRy2bPW*xW+4(b5A7!oToI9|DB?g- zE^tM}wW5q};3k2(3N3h0e-*ewD3k@YQlhXgAPE&zh0y6BHUt&^1XXl^M@7co1{^Qa zTr}t%Kxx$=7g!oNX5iMG$Fcww(d689!0LeOw%Dwp$ckblftwDk=zQP`s!JI=^7l#V0i4sNjBrnj9jC!W>VM zr2%~vkvScp%{G~Bhz6Mx;6cJh1wRRkMUajPPB^4e@Zeb&A6-b#iUJDbfTxJ?tmHC8ypDW1aMhgt%KA!g9Cd5Yd$%CIyiBE+8{?im*=GhY`zCj<+}yQFJq6Xnj+$Jq%>%TPVwrO@t9Eys>So$9H+kZbBd!{c(wEA((>lrDu z$lHwUxWXeZA2=sRyc4qO)U-n1OIo*Qmt6I=*rr?KmR4;CR&QrfzEoGH@KpY*PWXYh z(lj;Zv#c!rr>Umf2A{LAQ+Z>?UQL@{I?r6b+MT)jRGQn0v#Uk9cbVFz&}}!d-)-V` zi-zs3bb6gdLa$XOnp?8Ey{;GkNhXzr#@oKWPhTOu+gR*ml3IUc;dp{e%vu)_O@-{# z#3UX4l+ZTzE}q9LWQ$f?d=0fe?5P*wbtM1J6J|-eqAu&7tC|e7!gkS#dK*f{CTK|}~%CY7b3`}2kmL2R)Nh%8#Y!7vA_GsIg@>Z-%!!MjxjCuS)z*G#`|}_mF&)NYklM1eFIM=i|ae@-LyF|%-JW(mo05p zE;McMn7qa{%Y28dFDLfflu)VJe0F1N8A_$tUYV1D6EM)^37exh@B zB14CcZI7q0r7HX9#7xYZ(A+({yzb_H@fp9E(*=*;QA4py! z5$|Wt#)Nr|gg1}`EkU3f{YS5n&?^IS1PLrD!Urg^aC8T^Ml=lnl_iu&WL5^A>xpNFze1 zWQ0;VUvP3~|Y9xiptqlfPqEbj?U63^-Gfj{s zDvfBb6R`&o6$Zf^EC6$n&M*e5ZuIBH0Tc-k!9X&x$gV3I6s*7^q!fTAFmsY*U7-$W z7=-Kzh+V*Pq@XKmgsRP|vjBG>WaQSLiVy`r6?kUu!S2=Nrk6+r+JlF4G*SjF8t+%!tX6SBe(X;Nk z7E_(6RKJS<^W!Ng$%*qOyehbn^}M_9>vY^a85FG|b~X9)%kSnob*pQ3VXr7vr{*3P zqObW;Set#y%}9UCqxg$6Jj$kx8BP*$V@6vWUi;;?r~ zRENaDEoJfQ7I??@JDj4G?_{hFAE9FWG#+tL*I|{)a7a^>t*hSIy?3*+^e*d9-485T z-Fj<@*M_b7FV76##hZ){3%wBDhzeyNEm-0aY?O}w9$vsQd0*q!!=T{0$hy2^)5^Co zJYBw;Bhl4f8b^c`R5k=LMcg%swX#=L>|ME!ty0yeECD#dZBbUjA5JZVvzw))G~%HdEWb+wXKi{FYO?$EQj^G* z)VkcG)sKzkPJh0zKcTYsS&$rlTek2mL0>cWDnnerVRIAloRNC}%RM`=7tbDBk(^-T z&U3rC%We%SbR1*S#w@i9bFcBP@D0 zWM(Mj0jTxs{7gPJaNd&Frx1Xx_E0}q(Gjb317I*>PX zGIPrpW9R9^AHP;HTPEzzo2|#s+!HL`)u`-v`D&5q!R?>KHKTRd5sXGOq1@}jEro0} z&b?>EMk9Kz(aC?}R)XG)gnJuYC(y|Rj7BtpN<;WCpL3W?p%T7<4tY|0l87rr8N&$h z$fUvD2D#RdOG*f0;K*1;pzR;2VKnzl#1r~I0%B31JDvoH{Q(>>h^qh=_C{UFWFww~PE(oD}G!dnXBB}xFkN~vt>nJ{H;3MIXDsiG=L0Do@WcL8r%%lNAnAq+7ANa+sl-sMAnz{PhfO^1K$mzwR{<9RJRldFpV5 zz($V%56*ZGf3fd%RAD~1?nf|ke2tZ&kJ`tKy(HfgSJKCEXrIgzAqaJN76IInVkENjm2v5JR5^ha?)S}O$@G&nAM z9~SDrGh}s2^O~xXYHcn<_HMVtFM|$)OLW-U-0o&RY?3YdG2)kBwdKH-Z>19<=E;J` zn|TFoiVE#cb1)97Mq1KM7sWqqV*$1n&rXo|L+Gz#SjwZnKQr+SjQsOlHAXjd&w z)T|JKP%MPrp=vbb!rMsIXXa*=qVt9UMJ_QA!DhbLC8$*ftbX$I1}jxEx6l;TZH~4A z2pRJrEJDc_^nXBMfnM^YmnY#Z`5WsRhUtf3VT+^a(!dIV-}Ep%KTPbm)-?>zPb&I* z>l%jVhl&2iy2hemcz#k*Nr?Cd0-^9{h2i;OqEM|~1Pcy0AuyAZWOgNiZ35OEX;hd^ zPa=v1W*8m`L zBY9Tff+E8zK!BXws334JiBydd4Wj~(J}VjoR-o7q>6QS-D$LL&Q5Yg1;K7+lDhi$z z<`0mHLLew`WWhy=s7C)kMkf(2ao*?zFyDDH0E4)y&2eW-M?P`YJ;I zO<8dMD?*P-v>54k@rlRA`G<`#e){3r z-Fi|!ZL~4t=j^x$_iI{NYtBQF_|ox#=6j|lX(;USOWUY5gf8iK=n6UAl(Sae`DR78 zl=`7{SM(oD9sTmWP=UpC*}l5efjp7P4{T}na={WBqZR3UHf}X!OU>XIjMwnfmSfkU z?~&bQ^SE5JZKqUhs>t_-eA@ffL(fyCM9^mHm5*Y>%-Z=z_;89mRxM*xbh*HgyjFi+ zPivzO=iUyfzTlv}%TLKJb(07e=G~q$zHjxtk@0Iwm6N3`&+Y6u;OzeKUgnZCTz}La zeGV*>Wf5xkY-2|&?>?F8*5SM;?A>#>mZzQK-?nbGn923`;&lB{`fs(OQ`TMLAH0z@ zIA$m_JX|aGV%MwmBI=xmEi~HnJ4%EOzW1V54HV)wkUhhfa#<;Tg2%x8Eypg&3Y+8E z^5Mf~m7FUozIM{ZhT7MfdZdJ~rW&?)I~WY`TuIB>{WIxo1@DXjT4;~L;Rc2G26qe$ zB6lBfiy1dhf0TEjK>SUSO~bcd&cmI!v6PebZ|m%p9@Bk#pd1mXn0&mjd8|3`SqSx`>Tr&ZaAWNYHu)4d3{2=7RTyuwsCLT8$aK0T9KFb2DNY5 z_}X)~Zf>MyDvULat)58czxzsFvsA~*L%Fl`K`xU_HoEVdqE3*nYfNsAhUI!&X$yB$ zGw)j`E?R@%2C%c+B2@ma4%W zUd)Q#I8lZ(>J5UD$1p$uhM7f48S5 zIZ`hwBhrMV4*68F2u(})ne(CD1c>|ar`q%l{DU{dDPvqS*BllR7P|-xE7B-Xz@{5NgHn zoRl@#xK>SWnH|g0oKD@^G&J^oW+iMHF}0K*efR9_E2bdT7S~mA0?Jh!c*l#Q#nI5 zQTlDCq?T;-2LB`Wj%9qU&wbiYh-MTFXoSUbymPP<)D7m#>}yUL?qQ&Iy+LIieMdd~ z&Z8yyZyzN0It!Obi8T%kRoZRfrFA(OeBu?$@`OyG9WP($XnWxr9Qw^iZrRc>=A7}T zDW7_>k-k8xaav`gx`glcfa(9E?YaZ8Y}|`Y)du1eBgi7{zUbj4N_kCUBeO}-9*Zq0kqw~1VYn;dU{eFi+pDd*u z)s_)&!p$y&T-5J2=P*g2(%Elti?Vn4R=Me3z5e3Kv9V6C_Jb)qN0?qcKna>TJgo~p z#x1txNBh)9_6ua!nlSW=uP%6wZl*gq7xC)B8T-c?vU_=7GW_=O?yl8FUA4>+U)oA7EeR*-|szl%Ud@$vEt7c&kXn`rWO4C7YZk z({|XSZ#|i%a1}a`ZvT+By8lT4Ne+$Lc#rNbv^ABzK;|`zh4Fpjd!;7R^9SS|BLYJC z`;0{Elq5vtcT#AZ)oQlgx_YKY0^?R}oXsOQd>GSM;-Hn*sVJDA@hw8&mYpXdka8t7 z3CHA%3ia>qSGHP2%H2RI>N1351usEfG#uZ!RI_Zp$MH1%LBca5FU=((nIP zFo)1R7!aWX2|1u3fdcw|U0KB#NS;q}Ql0EGmU?;-ISFdAAE zs3M92iZ2);2Bgct81{eR8Z2PL-rBV!95@huY zdIAU};Sm=W-Mf4X5KTdQ5J~=BPzZ(q2gO>P#0mqDw;=R`FN(v*L|POQQ-``x2&R7m z#1Ks(d@@2vD-7cj;JYgbbOeO}R10BISf+w^rGlV90F7NiFong@_@)p%83COH+OdCp zN|3Hp0D=htXdA+!e}07!O~Je~BziU^`}m*l*MAv+gP~d=)nC3mY4Dj_B2S%WSz|pI z2SD>rJ(z#Z_2Axf8dpO2cRGN2u>YB&@vRq`v#k^AjVOjEXjQip3m;`;C#+3abc_(F zaAoIImd!Lh;QZ@))wp3q_1#D=)`7;Ghp*pd<5PA&TF%aJcuyP=hf9nkC+`uTlFg4_ zMQp0Ku^xZwNx(Lm!*qjJY4nGlf2`%1*vWR<_RDpn>V}iV8P7b;9~woIFz+2bs9}+c z+V!AyAu4z#cq?;>O;zcO$+{>>4;GJ&n|^HsD(B-L9vz|#l$_qh8tg_kpQusk=SLP! zKQm-+DZ}QjLncOQa6hE+e)LA}>tth1wL4@UzLgPv8mRM@Fli<|oW7VP;Tcy7zuGx3 zPLvKy*I7=Z7p<;N7^clH1WJjVZJ#ZC81?=9aZ$)K&M1c%#Z+FYAi=M)#kkRd_W0w{ zLDu)*%*W0Kd}omK-6ZnGlu+ni;#1EAo#1P>PDW8Nrj4k&O*MkOnsOiCU6im)mD3He zcHhxWa&F8&N8Wj}dpr>tja%N8(pN%l8*8GY-L*!B=gK82$nJ&*-LPZz33p;RaOcwt z9??pkDzO+gftU%WD!Kl;A-m4*7w!(%lC@~xU~ZL;&Ik1;@4V`v`kcblX74T?xuF`1 z!QGM!Un6$gD|{AGEly29Ao&SOsnn_J5d zugWe*e({)`7iETaynJ5?n)!H#@06C3Y$G>8>nEy~vfC)fp3&QQFMiNl+weW}*1fbA zR3azB69_H%LoS%rk8EvNynp%p=fxShx;{JEgt*H2&MJ&q=C1NM2Z1T#kry#zz1h2W z>X5qciS;IWwb-g8Sb7fj z2lTk4g;`bNTm&X@ zzVtm>*Y^_zC~Ro(!CH0=1@13Kc$Hm4dJAyqi0iUx5Oo^^YV^yG8h}Pa;p~6^7U0kw z*T*%$wS@rf|F{OGX9;6g*)^oM0EbTbzqtkhH6XwcNWAz^AX5bS3?O2P0I7fQu!*d8 z8i4x`LxAB-m-^qF`+XV+fG{1>^I3jHp*gxB&G`E*MSe&BOlQ}}Hz2ac50Es=Zvv2_ z0$;jSzHEqZ!n&UaKwBK!t@_6`@TCLX)4y*UqHBKw*4Aa$M8H%t0R3Hl5r7bx;A%pR zNbdob&anJp!zOsxXmKso2^>Z$+!VPwffj_Zp9FDM1Vte5B}CMh2b|(Ra!RBXg+Rwm z6lrXLAdCS8TNQNNkU^C&9uv$IG_U~B3n6`m@t9zykl-vhpx~J|jEsbD3hCzxATUo* z@V+G81_Nb7AQpxMQ-sl&V2eV^8K8xZ;4iGQfwwBug9U9(B-1}j1xU9Q4Za8{B;qyH z4*pM-0nrpx7@;Yd2oA%lBKQtNV`LD~kuWY2{x)HSSwOIcutU8) z>f#@3u25n714?;78V6+gUl-MIxp2RWY9inTTr>?xHte#$&BHSjX(oQ$KLEq5$` zjgebz`)Q7zX0q|F=9CdhFf&m7Y7ZTkGjl6BRZ^2<=cpskb}Kj1H#G`|t>v%3Mp3$j z_eQmlP18<9Y&KaP#)`@-}dvK?`LnJ{Joq6 zvpZOuw-J7Ce%8uTO5P=Wv@;`>LHV5HqMj#_UhY_d_P%eFZuk7hrK4;@32aaDzi_y> z5Psm(@yAVB-!pPQe`y~cy?V%0nZn?@-DlR+q2uLshZHI}i+-q-+n%75(?z}NZF#%j z_v8V$k`PZ_Cpqg7BNe7*ss5_dcQ30n&WFT>ag=2+y(;<|#@{N=LV8_!w_DbGpGV!> zb2radGkhMRc2KntRWii%m=#lto}3)zRWa$|tO!!JPxWc;dr`*AyGzvT>4po$p|z?Z zT?J9K4JcZ2+cfuzj87D`6P7hWPVSm-)oNcS_O+cWJZ~jy!plb6Ih3rJ(JXpL%bORk_?~bpLs-B?*nxz>kliw8T%<7EP6I!ff*}W_D@cg1vTp_p=IXU#!m8KA(CpRFQyQqE3^f{nj{-!^Ekg7yPj& zN1pEca_>%k?crx^s?pz~x{g$T=jA^#fKp4UCfRl)(qFJ@;@l&-A4XRlxJZ=4%bX=y zMV{WZa3laYgJFcSAPR>pvJ{izmj##JdEBxf3OgX^U!p@ndjeatLt(jdc+@mO?0;Pj zM%N`u2J_5-=+J+{WH9Cg#FncleIdljOa88_YiJOKftKoWY5`{JfoNlu)+a)0fr8O! zmTv4CB6vW=_~QhD4tHErC=>?*a|p}_I9Ly638s@HO>08I^aNm*U`(zE=ncaTJQU7M z3M6+ipymmZRwPsWQx<2?J_OND(F^S%n)E;4g{>6#`H!L-O~} zd=cqV!L0(i81P*Z!NDveS^{?wXK=LNbz%6lxvi+B_-r9PmC@i#c`R*^n86h?o_WxFgGZq6lV~hwC-dSjbl6kOq zl(systpCu+%rUHS{k^M{!qeu04GJ8Kj@bMsMC1i^HHH-@E2ekS zr6-vPKi8ur5qwT-a!Q)HC)~tU>s?NBCha3@lSNUwyyT$=iT(H6^iejKcDC$JG!BTD z4S7hsS%N!s>Zy=EF)DMQj<34DovJ;Lz0kY$=@aGeEWzI%h2GMze>DFh*db!Gg@?vl zvc1hy=gN-qe5x|fx8xz5rt?Gz`#jqxZens%iYT9Pc&w#~UYNj=gJoOQrLNB-lIJiv zBGesQqE1lScIggWR<$VkfY^bwMg$t~^4|%fZ&^Mk@Y!N)wdS}-G=0GprgVLUCM`*L} zTlF6IG@%&T{Lpew+*i!dtiq0j^KrdCwE5asnJxxjKyxMDk0a=5aM;?czVS}hP(h0I zuuMc79i2)PY2n+;Vu4(m{kI2nCPhl__mI)L+VvSXoYD7BU=UQxunn2JtVqKva>s+D z(WUPFHkw@*&GH*}_le2B;x8x9J=JZg`B>`6VQ*t2rIf*!iK=NPV|$c~?ve;ZMi$1G zJmX6g(g2S9Thz zzeG-us7hU|kl43q5m6Lz9sP?>a^HNf5L7Aa~*UN*wB1w`&e-CTFpw@9{3pBwS3M;WgbioZpgRmH&1X!R*Rdh9R z06=zvbt0FZfpy(CNSGBW{t1Ga3{d3_1L@fctdb)E319rS)zVYBKCXew1d*l)m>|65 z8-`y5L~`K&Uz2Ybn5Y5@XY%U*_9_4jBaqKSv0y;32I;p#0V+R0%tFFqKx^dh%^?9H z_$|d5#Ph%Tw%qOmP(Vn4RRFY7Pyqc1C7Hs)tBh6xtt9xnfWxfD<^<^(}Ogq@BEA@v^Fs2>M6y$0G z2xFy1Va0WrC6rpilRO|o`)BPJep>`t&;Wueh**|~p@Z=kMFT||G-z?)XCcBk(~=Pv z1sxM%@CCuQ1pdPEExbDeb`eWHMKFcsTX?3R5Dux{!&VjGhi9eurr?M`lv{>3(eQT( zXesa^W$rMrExw@uI1+@ASb-=QwGU!YO~8mv5i#_<(Ag+&$f*N{-t=9h zkXNzNzh(XO$|-BM2Sx6hjXo7FH493rH-p}Z@sMv938>7md-QO}2h*c;HtO8F9#YTd zZkD^m*K__cokxQ2qif>184`-gowURfM9R0TEhRSw@+K#lxSV#^W_8K6bYI9w4|4aU z3>Td-ntv`650vMqNe$kb7yu39x#zT@rl;jMb7<+D=}crid^#=VJ?jH*ZtER`6Kb^T z0wxcmdgqDS#ZUCR9IlY{s}PZ#IjHip_G@y?4yuhTT>yC7#ox8*n;gg1rbB9R3e^JA z{W*%5g6@lzKaTEI5xsq6`dv!qn^PI|CyH2^o?7mE5|(vM?NskE!TfUliwYLn;^%hA zNWbNvx0mFna4j4p*_TZlyW@u^<$>^~+{_DH2ZNiYoaaXqd(=CstM1xE5F!1etQ2!2jjj?o%~Z;?l<{7Uu&8EnjP&6;MLPVw2)H%v4`M#ly{Z* zjrI!G{S8`&-aI={L`dCR`M9ho;rVtIqZ7(Oc?;3+rtQ5;b+a2bsQA7O$B=4$GB_R= z^Q46(`)Y=n3UjUgyT^C=!EJk(E6X8XwNUoz4?a^(h#26PArfg&!LvjL(GCEcs~=2iea3s+@8E&T~370VN9 zz=SjGSq%OHeP5w8<2T+O2Q<56xcqfkm)PVVc?J+Z@dLien&cS}hV3q0%KEwnTEikB zqFV;lfFXN)qL@|SK1khy^@kc`ph=V<|NF-^h(|B@-vi&4Zuh$Gnjiq809*%4!>I2tvz0hpC>SRS-*iRM2%t^^TwA^a*a#2LS)r9gBOqkY-%VE( zjeyW2tC)h2Nffc74jaybf31Lz4_;|_Fbf7xz*<6h*NOpQyC@=N0|ye1v`x^|ZV=qV zgIU;Y7JPpp2|0f7^+z!M`!fhaelVB{iC+gU^-st*lD}xsvJeF43;wFmV4+p+4bb@p zh+L#d7zfRbv?>ZpoDp=Q(LmsDl~qAL&j*}_ISfo!a~PC303;lqE&$WjokJ3%i?mIG;GhH_G5mW2{DpNU@t$BXYYzB}^zdVuGJku~AuU%S zBq(0RG~ zokyPY#WwUK*?70OyjXe)g1x$WgarQei+SYtcWn`xwh$D*u|d7n;Yz3RS=IqsDl4HG zF~(gHS6w$UamLk*Y!cAcVHKIU<9oc|Bd_$sp55EIOW(X|EWYD!siqM3VX{=q907}Rwc4G25{}|VLNCMMJL9aIUgB(@&m`&^vRD?Ed#p82xz2e zZf=<)AEBZ+Uh%Pahm?R<1e?pvu9$d(M(WMIMc14ieI32s*_OoMiicY~qBkxKY}Fcx z)`DiFjH)+I6=#Ohz4?$%v!RJaSgU>V*O_}k1TJxMP7c$bXU@i$vdnZ5FsW07>U3^z zEV}1oEJdrUt9p4>L}G`gDf7=JkH@Mh7aa%%Wd!-;m5-O?RliggzIf2xp3*tOR(;=& zOY*N#1v*~8G6l{_KL7UMN8PTR8~4nMbm%)cl=n$%%*ax98h%sMmT1?u=PyZ^6pm%y zCSr24k~OB1^7I~oPq$Sb>fcD}&n(!z<)x)@VO9}?8wb<7_x$~KHQPp02>s4Kba*Cf zEW${X#2;fUd~RO2iAC;^Vmf-pqO8$!cbcr^>Fs=zdz#-D$=#UMn^SUjEvea~`joiw zb;wmRjhhvQd8ET08AFD}A;uiR>R(Sj8)d$7VmMk|pGPg1rpY8bz_F?DX@f~ztg4FR z<0*dcuNBt{LaNzw%RPGER1`|8J<7S-Fk##KzI#~zVcI7%=j?$#jYHL*U&bl?i5#ss zH|D*qZ!6P6iI8qpWr=ShR=F!Y^Ht}Yu7e&oXK7;ji|Vg7xp&&cXZFbZF1p1{Elj-F z;|uO8ohCuH_h(6N6Cp=qCa$zD~o>YS^Vj|E3+?S zhB>bv^pbr{X3;6ioLh6DKFf8squcmt>N(|@+07U9GK|jpCDydbm+b8tsVeRXagg+i zVjQl|$aYUUZXn)db>Y?R(2D5zckQnwG8I_MzFCh6s+TrvFx|E<=61X0jbfrTIEcwU zi{g^ZKHK@>dPjPsn$l1-v9RQ!N8BY04kN|S`I<(9jAjLMO!cJsK>~9Q&809u00fwf+dFf6}SnE%75UYe}e(@K@NUV|`r%2dF5( z#Vn^SU<@4}zvwE}d!)1lhupC)yM`78f?MEhUmk)3VV}V0+*Oi21o`cyS7?2<4Jd#C zrEL~82<#x80Py01?GnW*cz{s)@4lf$;k_aphRXl8Z75M70uF-1W#7<1z!;iQ3#p5& z>KkAx!g6FB3e5lJ+wWe{a{3Nx%fevy)|S2_-qAk`yX)f`D9=MOG0QIk#IO@W{fl}G z4uxlZTm#HtAy7<%r1C|fZ9@U1Bzn~s0imG_oBxBt9)D}8Ex;QxIHoIg*x-;me6tm6 z3oxa4TxUVkeI>bfz;FHIc){j5c&n~lTYyPJ;;*`LZ2?A_ftjvYTYz`x@El&Twt$9F zUtp`QR9gTaidD90rP=}-XAT6?2BSfv48q^yXOcim7FHm@yHud;&4)osn$e)AgqIHD znWDfP1W0use^nq`4@;WyO;^hD(KwpoNY}bzmJczy{_e0K(By^2;~_Zw=NArXRcIQj zFw#gTG!B3h$rNyW0HX6;p#3*j-Ynq{e7(rO@rW@<@^=huU9qm?!WUXE#?L&)r5*F$#%0 z=xt~05?c9Lr9Qbf9aQ8bh(IWE;Ogt-i_a7 z1BC)f-iIdX-XSu{67~VP>`E^U?e>g^gcrtwH~Vr(wodoNEaOpI_Q|BGlQ?WKkr<^snV{+nCa2^2d+UK4FYhTc_uTooXQ%~z zW5(Z^gNQsRk0z!jKRi6W=fZGxt2V=@_hHWDS+|-lrG1*-)_8n8W?<2OQ~P0-IrHAC zZB8@Bd1|OZ+3Yh#JF~83)rdO2;5vAs$A6q*x9~T+$_$Cqn)I~Z22B^f)E(6Ru&3jM z_OwB2vY$lY%thiI8;`K?Fc4o6qOQ_dP+;h>;9{k0)K}r`8H?V(;rSqeY~an0wVl@% z=iBzT%M#N5ylf_AqaxC|;cHLX1B5&sn(_CaPw7%vg`cM{eG+i-8T_Y7^ZINSy*4!z}b!g&k-c00kuUi7!=4l|L&P6eEKVp zpjq!t1K_o#w)O864h2b8t_nm%Na4@|fA+-IB~Jo34{*Gp8@iNU0+JEn)vP9pg6P|y zaof812Ka`6r~{2)`Cs<&S@*0ziUw6;mid1m#wkDH``5_?CtTjJuI4cVzBxv&b zfrNyOyWbZ~sX71Ac()_w1(#?vHizGk)z99)n5THk<*Nvq*mj_NBH(-8RIWU=l*zH0 z-Y-S=R~@@uFW)uXL;lg;_1wtC&vu*>7e}fOp%p(SPZq~Ivwb-&^N=b&@e`M)UjO{{ z5W~$^(h|`wibs-X_e>a*^JEUBRi5rv;Igdp>N@|$rRnXQk{scO_Sxx%FO&8Y4o3<( zT{t~x&<8`?{6Q{ zB_gu5x-ONM5O?0&G`EAY)cEFAv9i-07N+0BKWJ|EC7?GIE@LjV{KEJ}kyTl@>NT3b zy6poi)7Zq5o9!NFo_Xn7v$efr$P=-+L+hK}pNW1ZpnW`wnpQB4*_(-z?ZxR$Ih%j> z)O2leZMwypEK6e_wwF-x2Q{11I}iE~UVX$8?Tf~!c-pjws+)dsCBJbWP$TILqu!S6 zCiufwBbCOZFS$}U*saedG4g)Apu1F?<;GIgyl^)ui6@pP+)JB&T$3df=O@kSQM*Fd zp!Q&ZrEoFDNi6PsPQr;OuQ!qR_v!h6JEVQ}6Qj_9QCCg*kfz}I)V3xHhkE_NU7Oua z>JsZRY!B&dRUQ6*=JW$^3DR3Fd`(oLU-w#Hi`>t1_QCPfMd^9Fu5+mKohd!*eqb<2 ze6&Y*lj+uJ;XT_*GtR_^UjHy+e`R1k(B5Qp+qd+@5uJ)*F`lNr6I?;Z`!|?At9z9& z6M5?XCMN>@mLwJj4zIo63y!_oe0x~sq)x~b0*tG(mP!ax2o&r z3H2U-?KbKB>2Nm)j*zqC`tZhJ5%dkM3S$9q;y9uv#u zyxCPN?nuHS!W4SkPU6PH%q!Qn(La5$aHjE5V&KCF2{y9ue7DYl=B#Y?Pr|YLG&$NT zo}7%jZlU<&o9gyol5<~9R1Rz>o}q}%GI?9MF}u!BK)yOB;f!7@$>S6U%u^etGu;7~ zOPCm>j~=~6D1Q2OH&UL610q@>PsDy2@bW|~RpDReiC8WOlmlYRXV@Rm;RpS|k|*$U zKpgJKx`c2T(EWs@yq9ypHFiG{azLC4;QILXPxliPX8}TJP2Ep$A+T9rK$`21Px|`! zw%q;%&^<^-d`<07pd$cFopDGq>*Cr!?ayWG@><%T2-s!t4F0ie*tiD!j;tjphY?KB zIHoHF_J2yC>Z$#4-P@!n>kmE(Uc)PSx=LS?| zU;#3|>582jZ0Pp4O9kl|z$_v~^f*91q)UZ(uaGhg!o7h7t9TAWOfaaOgq|0Tqgd0l4v>Ljg#|1<79+5F2I*vMme(a}5l`Tg_jPFaU5e z(yBQ8z7=Bnl|Ys_gBR8q)8l}Pm-$=(^03yJzBfqzN{A%o-LW|j@gu52vs;vO*=@W&0zL_hFIAstneH5`%BdcyxAror3v6O3J8JufXS^%>Hy1tIlU?fY8OkLvHe_rt-}du>)tH zr(rac)6dvR>>V{R2_CpmnwfQgM&;fkn}fO6JLJPsw-JjIDKlz!IT3NHi=}J0oPMqi zu$DB@V_y^ZQgh!KV{*7|&Q$w?QjWk`C+Us4_JKRFf9;%`Ytmz|oHkmis>82rTg-2<_=MF|c27OoSv42@d*5q!8+cZB)% zq8UXwSy9VnU9JyL#hzHFx-oGlS5^8rVFLT3n=`1CYHu*adFW9wZHXAx(`8<;N--_F zIJ5t8X05jP-cVh7rb9g{Ntp+lHnp1Y4x3gv#>bX@%sr6w=vjA~5=J<;H`In+!86H1Kb6t=Jseks?6E{qMv6| z$<^2IGY9)d$O4NaX4(T8Tv*E`k4GF=(mPf{}t<8Y|K1Ad2Q`W_|f7%=%A`k(Y$J*K)a9w&d4*z9cT!VD!0Zsm& ztOW%IJ^}YuDLf-}u5bu8>*E_x_P{{sLok_17!;?W0jmIn^>^P8fRRhD$8zYiKCVHN z%Rv0F{Io&Cl!aFne@A-SV6+*a8G?P8mk48j;hLdgv>9B}l~My3Wd`4D#dme+z_0kYZjKWd>#n92Q2bD8nc- z_@-!(1@VKI4#D9+(`#&`jd!ikuni1iGX)3Fjc5w8S2SYog#))nGKI#fAu@~5IB;l0 zQ-BaepqhbH5taqvT`FMw@*%MR0jL%~f5Nu}?Ra4Xa1~e-R(8iTh48RI(GTI);6QPa zt`vf+0<<2IDJ+x0UlrUM2>6BnKmdRlEaAg56@aErBZ)LZ=?z|*iEj!${Gh#rzbc41 z{&aYSq++E;!5Z@j9BAos9s%;8wdN5GXDd#JO459q+>v|fSUb`jxC?PeBw?D6JB^zB|25U%Y~0p>O|GU*Xg&)c92;<4L&kStmj;C z%;JmZ22a13n;r_E#!%dvni0dcCGHwRDBo%4+1H5^y!YCk@jmO8wCOju(o(ai4fat} zPc#Jc+V+`ez&Yp0l|*4;@!3_JJ^*l z0n;1!sjYPKoV2MpD^Nn=rsVFHgTi|b8*qek91>uxr2fBICn?@xV? zR`FV>1@rrqah2YwHS{Z0Ju^J~l#|Xf=n6Oa$vs45uei3wroHOd-~35q;dP$aGO8od+^fejAkQ03v2N9Q<@{S#=9D6Lv7mi>xL?`xB57|3qM~%r=FG& z!@i}*Nu1`#lc`?M~Js3VKW9oF_kN&Lh2)aXxHHI0J#_l!UEm>5) z!W^Nr7;TG2NvC0^LoY^B`%~^^mjv0+Y>F&4FSh5x&0FJQCOv*pF%&p=`2ZUM8$&HALx7<*tKl(_s;k&5Sl{pts6X+8XlJ>W4`{{!*0LH@1Su-U zA*im)wgIgoEOK~RNg4%Mzx?P`q#+QPOiQtEV8}W}j zvqCt%QjLCX;WQAZ{9}pV;WP#`#?~B8tI1yp<)_S@so{w3r_hYTrKnKXkaFKfKG&Y~I zD^gjngxcOZPvmle3yTmXCA)IXS08?*zM}0t4V_9CiIgcd>M4eV+AY)vnHwoS^-mwH z;ZJF#+BGd%u&@3OX*^$CsbW>SqM!hQ91|mpB>%mHtrmPY_Q{q9Hs~^4%#5q6*9#uO zG#obZ_e`c@J!T%GT9FxcCGJ({xmimwt-C!eAsZN(E{6ZQ`!exbhYTiUq@%pPP=(uK zOPx;S=MT&S%H~r6(ucC5Yl(Tjz6qR&O73Q=PfgaM$O&@wm-fySd!nZtyK_oTzSDDB zP(VU_zWU*@h)F4omlE&E0}p#YoOkz`R*z&No4i6Vk#sOSa9;jO1hI*3uM%faph48h z&03oEhnaSrJlJb4dma=Vw+0?b+{)Ol)_eUv zs#475F;}SehbcWSgwPd(0B^<*U6-Cs+|U)X1m0geCqP1iMc@1q_*{^Io-O|8b;*l0 zLas~W_p9KQKIK34_QxN*{BNf{~fV9dJAqW_h!bl}P3=H&)f31Mp ziCjm5l9|6hhk_8c1^KrA{dEI~Cus61Li2y=C0~AT{(sIr9EkJpb59uT``XXFr72|) z#1!T2_hrgI=xreLNh8~6Iq4U~U`ScX{iyFvHa}!!D~KclBirGNuxP+ zyAHqGEUT2aGc26y%!Wl$DyBeg&Jo4foV6_L9xUl3!ssA~B#kQCz!te(rAJ@Y|A_ zQ;vI{AKoTIlv^6THNjfv3%8+1dKp3fKQ6&+No};@HiTt7;mYSQzv|iNga83 z#wl#C{Dc@$$Gz-979a;^B)O;k&8FZdaysd88h#u`#zzED5)u z%KVjivmof`G2a@k%8-<~O#9sL1<94}bzX}-5(L*(wiZ-zj5So4FwZk>Il8^@m7PKC z!RP$-j$8$W`NXd(NUj-+yFJ_}*YsTZq48szXg`&Ci{`&vmNsr@cHN24&xm_fElPPwQ4&I1LGaw znj)X=fDDA6aly=1JltV)1$evl#}j6nhrFxdAP=Q<(28IUzW7`-aA>Z0J70Al(G z=N*jcfbTA(MkoX_Q20>^V>-Z0K~%tx(1QaV3|K6Jccp-j$tQ@=`~aH-J9+R-fr2Fv zzDMZRU~urg*aI5h6pI&tC#K+mz)yzpuT>C)F_6qY!ZyL8J-k%~0Z3Q~G4aO%)*?A9 z0Kx)(PzA``wVa(!Oyq^Ov(z2j7SY=*vE3 zjZzG{T-Ce9x6kj`_(REYL&yYx5D#xg?%`&=*8ZD`v~ngM#Sp#kb%`WeewO$PBNk$IlqJ>tl2Vt%w<#e$562G zzBn}Ja*31llB$7zZ1cC>B)1KH2VytH?*G~qLzt{d(CPI4n!PQhrGS8Y`OC^!F27Fg z&Sz)!cbLV4Ag+2No;woVac!8tW{ zTXa~s{*T~Wp<(vrS_bjOc4iaR+UGSbi+PMHV^SRszwqTAcYowk~t1` zetSqg$(WQwD0t}-to%`aoj>yqQ@mHd-Ycnl`6%@szYZ76+m~1fo$L4%2yR6mJLGlB zBflY@#n-dC@9vq0pKTW3$1od)ZmNHC*Sa*-w}c^}Zc-xf;=Uaus(JL@k@^QOnQibk z>kHXKap^6kJ*s_wj`>}xfJ)ov?P9WU) z<`Ct_^u}&^_aZ}@0PC$=U+et}EU@fuX(wunop2D99#MG1;FCK&`Q)J^bMsmCIQtD> z+cH&%CHq5+;+T@W8IB!%aDr429rZLraN|PaUH5S7uh-C zqZ69kodE_X4?dR`uKDoO$iQveHusW))=wOx6Z~9Dwy{1Y+j{vTgKoV?ALY1BH2q#b z8+0e{<4=U8nTFSf9b+z^&eO3z7P8fnyDT?j3Uivb?W=gZjAU#`i}WR_9+n~5cSoHc z>%OzP=<)55fgcgO4Z74nX3NBO=VwujFIun4z9I23sqVWI=Fu5&Mev+NQ9aqfw9$b$ z)elMN05yW^Z9Gih*A{!c``WZsWp>7>bI<$q*L6d} zqqXd^;i^0l{n{N7%)4{PVk50360IhAyS{2{a-AD|Oq(Sdv`g6ij#x)%y*>Y4uY1Sk zB%%t7ufA?sc&RY`I;HoUfrdXb>wdxZiJPydCR-IFWd_y9Zyy$~OPAQ!o5sd%UCot8 zhLQZ**pS(pY}=dWEIU;}m$gSk${Ap)g$oHR#OpgO!mZb|97k$32eu$T@?YLUsEcfk2lESp+7^GMS%STyGRaS^~ zupcD6SZ4{6{O@8N7_=XQ^HAIedfTj=ZoWNNRn*Rx;0+2X|fZOuN=N@}f z;G1I6`LM$YEDAdk@ht%W91)5QusN$NiUAC60ANE{6-Eib-yw)izz_0i{L>T-;;z+J zg*3pBNXZx&B>;a_aGd~dgp?}7H~}zI0IfoTokIXQyv!bNgMl~#2pr&%4!G1mi^fQI z6)J#;BFu&XrmHE1xP%Rput!4&&VTK<-;B{l=k z0i>h|rCDoiH{gIh|5a>erpPEtxe%`1?W;bx(_n7YH{qPpc`~$mVt681>~o`!dka9) zTb$;dLT<$3v#pWpV<$)6v3=-W6QNon?l*{Jt_I|s#PM#qI{YfU7R@6<6{DY0f# zX=m@I7W`!YQ#@iXb@r5RxwBPXo867zb}ip<^Rcm@?I&)&7>%&Mx>&$Nr?Rj5rSQ$G zlFjoMMFq4{I-ib|`^NZ~ zUc;Ho!#6|Sb^BFFDx4_YdnEnTb|me;N5A-7Nc1UL?(>tRPum5DIzE1kbQhkTWX%;j zm2NXX+5NUjyX5`&x8|XH@O-8Bm%*4!;bPa^Z3=X=wHmREs+hTp$^ZKsO)l{p_YXFE z7aCfk6F2{|o2ca8S~5tM=OEhVX_EBWD5Uu>=Pw*9+mf=PIggDMk-&v|8+opOI$RX%HifQsfyG&w3!8h;eSz zwL8Rf%rBDuix3l+jJ|AfcvomikEN@wn~r+U>u!J3mZ6nD>Q!&U$i$$NNE%Q`hj(dnU{;j}-05-n!ePUCc;t zp9No%XSlRQ<5wM#l89pc?cb-^Lr>qo_(avoZIDHvdA{B2YSxj;{{43X_H4MDEB5S5 z2Th>S?JI&76@h6SKJT}+-6hd?^FCDYI`!-G%C9BObQ}$fExLP?dKRfWJ(DIqO>aC1 zdYKk5d2I4WROhK90-+IKPmeZQrR8BXP1pn5f9adOd|=oL=8bn>(p%8QT>AS~bJ9aQvvdhjNi zD?U8JvCl>^UpwuF`M4h@e?j!ktpCy8SsJcQ@yrGiIiekEjP#0M2sC-<81H9@TsCuk zHgTinF57|9in0Lx)Y2hpreBfozM+Mg`<+$3hMC-Vr)z!paBt;>Ta(u={%8rPo4J~a ziewRee){_2V+Y}irmE7m!J;Sj)1f{o+8w9q>GP5)Ijc3yxa1X*gW481OisLDLyFB1 zQ17rF6ZV6I7n@;${NQh^P0&HAL&0V~fPew}fn2=~g#(_%ez|c>SBlQC;LPQ(Hlo>z zbtoK87LqBD_U8lQL_&L5Q24c#Aa|OW^zm*O%1r7rZ zWF%8q;S6tg(U7tty!DR;-rxsH_?AG83Td(&Fogw5_@;s=KXNncfL|79BK*ztSQ1J`7&8AtuuL_8SZB?jpP`uGF0JAvMl*xJp48h(mJNlr<+X}PDe2%dM_(s>m$ zci%`?-#^wfe|0|aKKrTR)dhGt3vq}mlQH0^x zrf$=3Q%*7BUf(X{Ke$z_77$!{} znhcrF#!%C7-fu%=LD4!O}EzYG?-4QMOlb!ij`i|^*U89qwxe6XV_;M#uea@|Wr z)D2I`1oWx&UuJ$hBa~gaKW1B3_HgQy$|%#v^QV<+*abX?i%bpj+pFMYu+e=#c z?)h#8rg0`2c@>$*61-h%Di`g^n?3cX$Ib~4#ca|wN^PUqU~YIaW3%LmDx)Y);k{m0 zVl0?lm93_`o2FHNy&(Mhm_01C;y#i2)9uF_I}MCHays{BYleUM_3f-vdFbAmmy$_) zl0Rta6E|ECjv{p$KXTE;=-HNdYRh5glJ}hNpUeyJOT^S1;j%h#cf&cNW50r))2S;O z?n^jwqm^fh(78?OXo#fMll1$NuE}p_erAwx>?Swj7(YG{XxigY_~jML_estD@#(H^ zUuOjJ+ir1XbsWC(vb=7Agx-Juv$3D!6I|-`6|EfPftg-svxnyVeU!-)UyzAL(vn{? zTaaPT7jk&wo8h##0WDoLMtC{oNYIqdMjP6SHxp($2ab1q^LSUdF@@@3Ux)&+&4=^r9*hWvyY1bue81q9c9D5b2_ z!hqT@QCw*;6y&w97>w+U$s z&x$%twuSt*7RT1Y7c=~m99!(E%hBiOn>SJiNO5-tXBbQ*+8XUwZBA|D`PoxY=R<7v zxyCbsyo%hbU;rr?B zqQY~Nf6Pb~e3F~+5AMt6-^orn`~A4n1F+GyT)|8+ zUjvh;impsHr=!p2?(}mkVI;{TZn;#Rlux|>NUhcjiafdO9T^1qJax}WoDRO7;`QQ) z4^TLhM5)}z!1^rH>}R8r>8Y)5>cO2k4_kxCOut3Vuq0*w{LD0b_$z(!r5(klLXugH zgAv+M=@+t`=O_;?wr^06>9n6YKQDEgIp*M_>fo2nq>p;|L+$Sg&lZh8k1muUiTp}{+eiRI{>w4XSY^vE_SYVDzEkv^GoS)*^-K9Qp6%n>`}pSGA;nub<)syB zVM`-1aK@kmRcf=Os{(!X72rTPP)np;LIH<`0p1AVT4C`ap2LD5 z2m$?W1WQ1t1e000sRf%ZIt zDXb`qzbbGT89a`|75x8?w}f!SQhvuB)&1r%B;4eJ8U(B4;sc^53jgt=w!_@c|ZT?O>Y72QiTfpdt~Zf zV&{R3Sg*>$t}m#|6AI{Z%2y}3%8u)a>{nw;*{Q7C(&sS9>bfzh!)RZ5iWx?GqrbFD z{6;#~rl?nyH)vl6ymSaXE<8-J@ABK;uKgd+QsuLg3(hg8zG`8&Y1^w!SFN3ue>Z=d zV4KFZ^g^qv)aUo?;I;EU{VVN=-w1lI+;hR*Y(i4Rr=&E-k~q-5r}kh7gg*ON@-iMP znf!;K7*ZCw=` zk&dTW^uIZ;jEviRQD z!*#^ZXZzI4ldpA*WrGF2<~K%+{FJ|ze&fdZ(GKC==KZsDb!bgfWfhrfPdSEM@w;=2 z)R9?*2vLs^4l4#Z>RI}t;8vN0utc1H7xh3B+Hrd~OJ1zr0YnSIm@T-bD?~j)09X3A z75@_TKy8Y@n?kDRq98DY9U2g(Xcbd_&<8=HrU=1UE%?_75X(Rn0wKQ#;Hy6m=%=SoIXoe{suGQ^ zapU%&+^WEMkLcvU*Rg|nl=|LgrXziun@6g8Ka@WT)BnP#`{l``WvwW~W_c#-$0mX| zS?+FU+y6kpuROGU6P>1#)T;%Clv z)s4X~{XK_9emW8FzV8}hK~<&o_6v!UQlQNkM}JuNlgSvuofK?-zaG}}A03SlduikK z!E!#7pF4DKevhUiDE35<3y#_kJx9|?6R79}noxahlx+Ov7FHY*{mdB@d+z_}(wm#U zI?-z@k}Jlj7}rzh$TXOg^nLR3lU_z1ukWvp?MuAxZ`#^=nY*HHli9~dj`H(gZ<19} zCGYL^c-T_#Niyto!o8j3b3ZnbpK|?p`Mna)1tV@PvMv$T+AL~9kyBgGI#P~MT>S7= ztna>ZOeKMj!`!%tO7ymctz7Z0Pu`dDz7y_Q_&#w?Nbf?p_pY}B(qZiZ{P9(9^xkrL zy1w1IpHgAZt?26ea`t)Z-UFG`QpYseymudwd&%Vb`5fk&Ods>FkCwedI-P!|Cq>CN z5Pwtfb?XtkQ>Xg%l5G5|XijSVn-?{cd3u;gx&M#1vy7{%?bf|?rx;ll8owcmK}zn;$Ojd#;%Czs9(( zadV{bfl-nKzMV#GuZD*`)G(vRe0~1D+>@MhTlBS|f9SoI;_wHQuXg6Y!1K_hR{C0) z?{KQJ<)yIDr>IPfxAG|QGnZj4t9~tr5zclrPW+LtMTTejq#uKtA(>gF_QdnW)^^R< zcM4-UF6maHJ(VYFiz-j?KECMsT|>c(o~dwa8wL2cA#c0x^R!KZ5yLM&;ZcP~r4s=igp9B_i>5s`*alucI8mbg4o-s0P z;OB4q2D`p-AS9%5D=b3+AFTRx9SXV{tqw+v-+l*YSC8O|Xs4X0YOHz@EmPlacQdwX zf+-zKK+_*2u1xV#E6AF%Pxb9=z|GwR;#CLjQXQ-+v7*m%*O{=%$fo7uMq$dh)^!YWB?kk8K`w79Pz>^?C#+o4>EZ+UbNMcJ@h1!d z$lhF)!eS6W?gk)(Re6ClqyFWNdilh;vRO#G3Rb5JQdjwRQdpfXK7hd%dc!a~U3^!3 zve#|+_XMJAJ6*p!QBX7hb*->EU3^zUG1o211FO@;2k_rRUn=CdhwD3C5c>N!`-R!* z0(#n^SB1pKukUp60gUtjDXdNxAHWX}ErlF?dcFPmx3TG;-<#h_Ebi+|lIvJ9D#^f~kS1oh984z}wB!FY7RM6z-v5+W@d-)F;H z;BTK3+}6QPWk)7fmZkY99NhjrQ(;DeLjydYjizyj@B53Ld0eZgX>DWYM@XOg&TO+% zo%jd-64o{=3Y^-Zd2lsZ;R%Q9fsp&p<2dG!|sUE5yBhYK)2T&1} zqC|Im+k~@MxUB&0I1h9D*6s#!xqxdAnAF9H5OCSH8GOcw>FR0S;jy)QqX5lEG!;cc zOkh)%Y2zq7vr~O~#Gw=wzmnBd$Tj)yxeG}BHKT*EdE(v09<})SbRRnHe%-M5AZbkF zJ>6-w&mqi-LOr*|yUPqGjgGPgL-P4K0_2dj7fkqM)nzb(P*BTNrOQ*KO_M5BjObcH zLWf<_m?9C>`A?$JHbS|cYN|8sE$F(RxaCv4qql~)pcmtzU1$`Ym6l-nVa^|jc8(zI zu%`AbDuCBw9VCYwEWp!G~r!^3EYGhZ(YX<8aLIG#ag>%fmm*ooKr%Ns+*uk~RI?7azm zJIiR8uRm+nggJ(_buDDOlzk6lGjf22W^#7z(gr_`YT zc7q;2`x5g1gwF?%dY!EG_%IH+}jR} z)RCSecOxQB`scyxd6}&Z;-uBkHW|mP8YbJK65`Wz!PUs`LeWCXDQN~Z57*$|ea{`P z!U^0pmfgMUnu_`!_YkiSpMEn{}m(2Ma4fTTt%hmy{5Il?8I%JyE)evTmO1qxZg%W z!`c=rAhmw$#GXgM8Fl(X2iw)`IxvZs zM>s$VnL)~NU2cvKUy_vnY zp-5mQ)E589FO$e$;yjN`?X-w_;Ze*(^4N94b2dxZt^3&-c1-ph9l2fa_r5qYEczu_ z&$Hq~sfUpMG4#G-pZ?EI(vqY{k5Q&Dwi$oD+97W=?PR)JX*MKcLwl$Z&$8n&P>phI ztEKU%;EwYU6&eHTL+|gTMg;7Lu`kgnT;LwS39C(v`f5r^yVvW(Nsw1sDto`4x|PrW zHGtfZZmTR&P`D)a8TORzWAD+Z+&7GHgnokSNQcW+U~*8bx|mFm>M)qM}k+1o>>aaFIvM zSOgGKgbKP22kA#l>Bn&2pm=Ow+xbJ~5qWEnP`eK?e@BMT_pyLB_=p;j<3IvwCDZKE zo_DW(-`z(t{6cA{9rlhOs-L&+W@l6|;z&A;-W|okev{;ATmjpFdW&iv;GZvJ566-aT{Fd;P2WlXR_aHJN?{+*&hlq!yk6#M*ZW|@!9-27v zF2n1*NutH_;1XOLON?V&Ky`Xjb$Gh4RR3jTlCOAU4!ef4WYUVj%9zABp__p6lkC2% ziZf1kNM1ALj~k}}nt4@xZS@I7Uiqrd3iJeX97TcC(WQ!oU97<*J%h-_v}P@t65_fh z$&1v}SfM>eaLBcRZbwJy&SymiZc!g$Qr9%9{*Umrr9rT8Jm_jLG`dA=Sf&QHomXC!G;LC=- zR9HS1KEQA^fD)FEg%2=a1|a=Ch6ggc07#MmUpBP#cNgipWELO5mJLusnn;l0``0ZB zsKP+KHJp(BLLy<;NH1>>|1X^LKP;tOF=YSEIS{|xpL5QoZMbXpnBWwZd;25>;v0Tw zD^QC&9`Rft5z|jZF40%^-Ob$DrpNe>4G%wl9NI&Bw^qC6<&`4DiaU!KSp8-^y8qa} zoaUq6r{GUvw@c~G=u-}qQ0N&jwzE&0UgacPmPT8Jzjb$>y+^xLf7WO6KIJoIoOAVY zOETS?Lt6D|D;E>Ky@ONx$i05ty3!q=LZjH;jp$z(Qan*^x{R9wZIY0%mAw+Akn;UV zL%`OcX~W|f-Jo@T6H$V&!KK%v*uN_Efttb8@q2`NBp*>76p3<{H&%+4$FKZa3(K=} z74hhp;!EAYq%!9<-2g~=hm zS57T{%7QT6wa}J!eDj`b?1Su*@>iz|)stV^4y|aU-&Y144lT2=4VvEqM>eL)uhR$I zE~-*ejKxR|~&VbCF)DQ zSA9%`H*Ea$u6(iRW9c>8_Brl`w}|W}oGsGuU62GeZ^`Q&EI95YjOyKYHEIY+*g7~l zZG$#W;EG&VekFS5YLmhS-2T#~-Y?3}X)Y2kr%-4GZPgOWp-70{@7Gx+?I0NUV@kJG%dgs@Lq8-DnT}jDr zMd=*usN_};ElRBND$uYJ88M=q??$=)lBUwNcduZq%WrDRHtE~6K@_nl5R@3sAWAsO z1RH)E9(ix?Lo0Fmvp z;;UI`{--@lgQtqB^Yw5ejZ*+1@m_stTVzHm?{Ehd(u; z?)ElsOHQ8edwACJ?#R-bdc=b0`6-DmX6@Ky^z7SM=k|u!ntPS%H@@7f5S?zW8fWnG zaceZR)*w2TNHC}Mbf^KNn5f8*o`QHy57{qgVJAope z%NaQTVVMOG`{29W#h(xlAog)p3X6EI_y{iv;>wB;8BF52^eX;+@4ik7yUcPWy>YD+ zW|;+GZic>2NSqqdRJrC^1F#DNln~Di=QWc~AxBOCJU39U66Bzp>(4d*eXz-Ye~hlX zRG!~Qs9%d{0GBfKh9N#<$YCzmRg?f;V}KMgnw9&y;lg}ZrfgrgVaTDEkRw8_dxZgB zW9U`6AWR7vDh=cofYlgU$q7M9{%b-@JbZwGk^t#%q`YSGAmn6*e|=m37pg2*=4t<5 z`rzb%Om(>Yht4i;Zs}-jf16$0Qs2>7)Y#C*$QV+EMR#ztH`cd8cllbJFl+Nw0vAFb ztiQ~pjqlw%Jsm_E%AC865|>d`fQz-EO&4YR^4ajkd1t4JI>Oz~#f~x;(`N47?cNgV zqkG=pUMy)3xw_LkeoGk6^ZTKx$H6hgwJaKO$M5r;Q~Q$y>!zG!RB8{m*L7x=B&Fkp zr}Z5N=gW4W0r`s4rrg3@-swb~#*0nQL~(8Gx#Z~<9_{RqCC5WQ?h+Dl-6)(lB16a3 zZIU>M9@R}o$TGHv1INFReCflyP`%Mi{iu$$aePMNN(%MHjtdd|*;~N1H!$CS+!zy_ z7=X;-8CKSD(7P=&=hO^Jo1)uw;Ykuj|1f#nXB4+bi>6P`j~Xpf@@sskV}Ct1uC(ak zfS6=R!J|z7)*7Qca&#-6=+SiHlEin5YG9qurc<@T&ps*W$70nbbLXn)(}d%kxe-$J zyc{&@=3t$&ncklIh$v;OIp`B8gRy|&LmUy|_4^-;VxnwH*U@&?X zx`8gUx-Uf__~Fyvh$(s0u@qk*);bCSIhvY0l9J8|hT!Ot-o z>Nv@yqMzixi}6iLu+HX`{*)NA;n6JRA6%X;!|Gd}!I=NkHP{~Pa6i0-IX^|?MeBFZ zhh}wS8FCMkhS1{dG*<@v?ATdvsBA=JswvcVU)ev28$q#--?G_W*@w8daMS4U0N!EV4SB1r_BCIlJtm`ln7f z4~crDBFj%H28L+m!+VNa+2+~wv}%q52#lW3QXt>vjWY@={^z|LFHIv>RcufYQ!j?s5RW4TESEWlpCBLCWF zJiu4TB^A-4{wbEuS@zixM#r7f4(&+E3m00n+KO2L%2|9Ru0s?qYw8u60XVj`vx=uS zhoxeKA$6qYTg&>5Qq>)+1F|P<-*F)Wc(zMOR)|V9Yy#@pL%J3=dhFk6TY8lYFLA|Q zASkNWR$d1$kU1m&{nUX0FPC>CD0un%WQ>0o^S-WJ1DM^8{=c_-`OLW@ zg#j-RH2HTjSn%>YuKUj`!Zg49KCSoPNMV^@KtPW&)OEr%zkq-qWoRiZ^ULq~xBt9h zSmqZH(54KvC`|JU2xwD=mclZ>{2u@E&-;aGe)(-x{Wnrr<`)pqrVO=VZdm3Q5YVO! zC4~|5{(a=xKW`Ui%o}t$^!o~ZL#+ub<_$UO4p47|mcoj8^IhH_{$BM@i0NPIHGeh^ z2Xw`g{C9~4LaKiXNsS4RQHA1{ZWniE_hqVS9$q!B7aA%qxA-9aRZuOhU&um z69GY%kJzR-v!*ym^IIG5zTHst*Ub{D;i&WBv~cB|8~pz(_D z-nK`>JDp!F@7H^zuwCFrAl+?>r9z&!-&*pfV^YZy4DmvsY^}X2146WXs;?jJyaOEH62d2h zCCsvg6s%jaxW(FuPgO+EtyJi|59DNAQ3V#cB)ReoDw^U^nYdi$hjF)pY>(ZSldZg8 zXyxw5FPk|fpEx6aHm9ZMo@}lEi8?Jt2^I}xNGmf8q((@=QgXdDfMBbt+E{1(iN;^{ zyL}1q<_}-tMdibzm-?)hPhXd*llcS=?WBgucRr~0>0M9Kebrlz zbhD0AoV4=gAd2CS+xRxp8IkWO8y;|1E$fhIp1a&LEPj#uK7KhSZHC*3!OXT3G&(+4 zmKl0?Z7oL8P^>RMIh2&`!@OIhq9JN%P_0aoQDr#l7+2Cu1x4a=uCFsr8eWMTQy0vc z$OsA?w|?eCXWp+VOwP~DZT#ulo>M(!S8>(d=Y*+^>w7|Gc#A%1`k|M(*xw#1^zEYsgJSK0VkuZn-hcXqUIgNU*ssvQ34xLIhL77 zzIfbacENvRJT8qJ+wb~=2i>FGH`Yo;KjL3oZ0mq=^yib>t`POPj(J=EY992qtoW1!c!m~FIei=W6yZuuS6bP zgEXKkCly?eG=JSYt|ATSGFb7S)nh#IXP*0BP~gV$ zBfu&InmgKJ-wX+)%o+Z?gH zqP$&LjlK@}@c#4JBT>iogNo@B0_X9d*-R;Czdn=Nn((0xfqpEn$)ahTdM%r`3p0)t zn!Uxdv^A${)(I2YVfe|jxT1&|=eb)>xm3@aoKb)H2}N}+N$4+3mkLll(6_-p7^f8P zHQQ`{Q5f5m9k4o-{JfJwD-?+q{!vSyRNVWx_Q?-a@}bcMiZ??!lsobm**or#93eZm zt+8$)Z8Tx%_W3q4r)W2#Bm13iu6g&n}59ReflqX8{N94@~N{oujVfrDUZqm^o z4=02gk#;X~PD^=%(q+-@7>=TZom0p|gc`^^UEB|?1;}KrU#Sh-+H+0q3ymUBw70PJ zvOG{*)s8}F_;UCAX$OPGVzpgmd0vbuHPQ#E@oouTr4-fOJBVTd<$T^m4{5eBgR}#f z#Zo@0?tDaMMRUNfb&>dJK^WgKt~Qw!BfC&SEhA(3>xklx+Cr@!P|nM&4;|2ds`s3`rIzErvpCObOuKU8DaNkgz zAz%%3y!1_)paCb*96>ju!q~*0B>Sie@0WM!%|?7(rEr_wms7sp_vXAJbl^|bnLinR z>M|X?XDz&G)gVFq%2@P^ofuooZDhWcJD$7^2(GNB_udq<%GQ!(?^WTR+}N~RlX`9^ zR3A2MCj~bX40=?3qkWpy{_Vk+E>FT$;|VeXm)1vEB>Ioc4p%fQC2^Lb;E#nQTWfTz z;`rG5X{!%HC#*L_f7N?TP}C;C!locSA{Kw1xi;!5x^Dy36ub4X3&+*LaaJ4 z!q=Q!0BZ(73afDi0{EbzrLg?LkX507umhy9{J|iAjT%}C(;o~1*r)+g82(@oz(ozM zgy|0k0bJAoDJ*~R??cL=h#Tr{h3O9l0S0SBugV3>9}EJxsG+4W{lOrBjT#_@p|-5=`+^bsI=g#&f)M;xS%c*S&l0_gU~4xPlf`O?(kW zZiA~dNMfIjZ)_jli}@)kJxE}_BlhwjVLmzBK_Ph7pTIN|bo|p%P8AVVRXy^8A!htG zFIuk9Phpy7Jl)Pse4hFJ`RaYcj2}nm%>0V|;fy#q$&;&v%{H4CQ*6Cs9kpKL$)_my zYqbSVmkvzcq`W1+sMLH~0$MH1-QU20Csp_~{%f77@3B`{L|7EOzjBeTU$mUoY*>>= z?Dv52S#&glh9evI6*;rj<669U$Q`)cQ3Af43O^?Md!^X+M>3R<9)WR;VkVI&)<&Hs z&O%9pA4iYQckc|^3rhNuFLiu2;)Oi-hCnlSY$Xyz~Dksl%Fs z?(an8$W34tu|76CH_?nk;#;Qb$5kMSoFB*H;fp5QlCpKcgpt)p5i9mANuRyC?S;i7{^xA zeL|nT(;@l=GkD4R2``+x26tr)o z;9#Fs3M{2w&KkB6ZNZSBHb0aTeM=?%czBvji^5u@wvOETekS}5rxpCbR24DlZ&rl{ z=hl4M#_{n~L+UoZO}7iAr0JfgA9pwQCp~bYAaDKFLZ7xvE?4*>X#%sA?2Yey^9L-Gl`Btk5ob|TslV8{B5f6+1`!9 z_2KpDwwzzS?#@nUzho04@xI=USUP-L#GP7@a!SP!J;8Pzxm-zjz#x~uW~*OGHi0ff zC4WFJpi4XFm1GkLknaFp?&43#1(5H!DuqQZfN}o-8O*NL6}#jm^jz8OKSZ`cmzK;c zm<26`S>m}84!Les*d-o-g&X=>VMexr$3j9&VU~CRE^dGlW{C&j;s!`Lc<=H;EGGa9 z3kcxihL&=Jf1k~Djc*17uyF&VzmIRe#(E0^xVQmI$OJjib>j#@02ep36lP)@1Q@Rk zkitrA|K17|q(OZQe-GN@x-L!y0@%2rSB0Fra2E{0Y~XuyC3W^Exb!b=tN$Re4Y~sC zf8!Dtr04v{xb*jQ;-7eZBdbF0vyb5?oXGwBV$JU*VrI6~nS5Y-ShDIhOPf`L`Z6@) zm!4|jw8L4y?8xb4=8V(oqk+1H@7)#cEIAF|28VlxKj7-u63aA}u4_^mO^VHG|KR?r zWAzIoN4CBKVwZ{LNG*>LSiMbZW|rZJM=u_*J|jdfZw!`7S`iW zUz$7B+6IrR#-|JR8PpEkU9;P=$42`Tjsu6Uho9GI@BDkU%<+6IXm`Tx%nbMS41hvXD zfdptN?@Si66w19Bx!Z5t^D~_}aCsB2I}7rZMMb9#QdpxyozcSaP2RA2koN{NJff}v z-rjVf;`w=CQ_mV9r#}{c9FKt|e`VNLN`7>!R&O)v zWbZ0H{5M#P6H7NN;9Y2==z^5LHqhatf0bsy8Z<5IolK)&kX3!>CF|%=L@t#Uqjynr zt88++5r^kXSNwkcV5m`U1IEG-KFixFmYAn94<0LiLQ3l6iL$M2hc7ukJz4XK((lS6 z#iN6(dFZ`F2d6sXB_+=DHCtf30cER>t1cL2BUs0t3;{b=FH=MQ*f3w<5%O9#fgu_OLMCXFI*BkxTkt#nP zZM*X$_z@fr8tM15LAs@uq6{>n109R79<<1d+H6lmUU_kY?ULQ%j) zQNjDvub+B|sDr}7>XKnXe#7*o9aD(k>iOFTQkt>nN5f^4$2=Q*ZkgiWX|i9WSi6R5 z)n|u%0QVehD_13yGRz4U-ni>2X)(ca66xRRNLt$$8Radenm_cJDk$0i&Ml!>YJ8WQ z`VqKA7F7rm437*EXzYYz-afzRQ6a_16WQS};hO)|#l(XU$kKm=l=Mr2l>=SwoJm_S zGh-|w7M%m$N0hDX`607bS94R6^mkpRfaJmsw~g;>&s={{-rTEYT9ve2r8&j-@`}DY zq!kuoPV#Dd^{drE{r<%bNdeKq>saner341cUEU_4s!*4?ng5XG02vn0nR z??C!B(tr0s;)axxI3auiErlF_04Vc8eFnKXAXf2f;S*p`hu$z34w?0*9P1{0B<|A^!MPw>oQ}U+yG}8Kng1}2D*~0`(J>$D~9;LVea=K@P7z%@1M## zKwR66yR3_W1!MEeshhM_#y0qtHo_`aEU_7=O!X=)xGj>N=T*XGsB}m^-!X<gGo>I!2I3(3ly17tV6*$_f|+`YqCa0&K#uCxjP&mued#QZ29hcZNe?tly?P~+{{?< zLz}jfx}RI!O$cOLxNh>?su>q}U)C8pb71QTiQdPVNhDMZrF>DxukaS2i4Nvlw&dg4 zR<=AJdH0N-9K}^!wY+A)qJ^bQi-{H?fDDPTC-3I{`zRJ?Pn$#W=UoFnM-9-V_E-6d zk#-Zm;!DC zMhyGSQC9+kTzphcl>gaQfsMv?v=cQ0_64+ATyC zu?acGp27cYQHzp^J7w;yR9>#7hE}lO?(2v&I&x^@%e=l7-IOe-;+)z_qkgwLp31XIFl^MOUEW6RnE+AA%4T>o}%Y4?|z{<<4a^2JS0Qrd8dDL8R2W)xJ31VcK{s zRZlLz6ulP$nFu-MiICH)P>M71jgGoR&2RV>!7rR&Watjp!PJ#F4-A;PyiGyD)MbL` zKZGejmO^m>?rJQJXOzW^Cbm;!`=prtTddXQ%-bVcIIbwX-tFk5<8 z+_0A%1|@~r(&Gjgm7zDx3$vwnY1X|`$%9%Ic1!O{0O`67!y5Sm0+{=u_X{hF2EiHt zOhN4z0zTJg(LjJ)0Q9P`vS^T1p{FS_w0Y1_q=G08&_4G|-i>-=9#; z|E!}2zLF>SFRFpmKmU+wiW4rWCSdayI)&mB68S?9Dm1;WPha)l9emrVV?r{L@h?Rp zH@!Hk!gawz{lq2Uoi!-qy!s~B%`L#4Hr!q9{b!N&?@DH$Idc`=Tcb?}xFJ!rm&BNj zuTDTzDnc6PfpPbDPCOPs0~2lz?-D{$=G+9+=&{zBHV#>ndWlCIh8_30D8)SyT+Wn- z20|DVYl5Rt^xl%3gtv}sFy@^pBLu&4hfGxNwVlVxdH?G123G!AVOOH#-x!W=0bb9N{Sw695%cNe;a5*z?^4OQGu;nNJEG{|8qfz`pv7KvlDA=Uu zqu~1%3zIkQ%9dV&2yW@wCh)s53Z{B;`NjTWzI&CqZ;d~gm5a)1nKDPBlfN_;e=dp6Z{Md&+Q73O@ErD~w+z`}wJ_&x!S> zWj5h_=ORY8`NlTSgcP+C?vse(7!&jvTA8FfBEAB7boenT%-tTR=|ArzMBY-$Zs@5z zC*v*;JvW6fR^W&!xbgG3$LtzcAA==Wpct#C3D}=b*pMCc+dZVvZ6IA(AvtkK*8v)9ucg|Coo0%T^KdwC7Z& zP`(Z6E7wX|P=#n$ks}h=*}AUv1tBIC8OuwTkPR1}7)!-$KIbSfAMIcX^UTQ*NQQdsO5N1-nA;uGcv0#wJGf$D3q7c z2DOc#d2FN3ih-xrw#$!@P?90pFz*1q`#)CbTJ+31ZkC{Xw|+N?ep2*daEL9aj)f-Z zW`X^(gb`6o(yapOo_d*8`8JWb$O{=ypQ=&~VynfCl2Yr_S(}S3xaB8=h?{q2;`NV; z?NQYVkM+n)oO6lWY$;53*6z&rr#MOIn={A6S}s^>Nz^%`*~gHZPnXg}ktmBLY`mh8 zdm|ll5FeE)PNu%%VfI+W?H*ImcW0{ZH%x)~1GB|KsyDf&;KnpR&lxn{<5lUkG0W;a zcH|5in;iaNyhlJ4EY@SjH^IkS#TYrg`hy__D>^x$^{Bx#mL|#Q3`f@PP0=+h1HO`h zx}IhJx;b5C8SrK7>OW(d-=&4CU5CGR@dqpe2K-RHD!ra%c)$Rv0LWmm3>bhx&{9|| z!_9HU7V`V~4v@lP8884yprx=_2C^!2$pavT#WG+(=n7g2lV!kw&=o)m!=3~Nq^_Wq zFzrcTK8wLC7}xVqx0SY6i{LEI#nEy~(%oE1#`JD`)wo+p(WmO|Ipl;aDH zu8NQRv=ir^ECWU3uS0G8-;zk5aGqoTpE0js>YCn`rShO=JAT6(doH4x|OBwn6xT5AU+l z+7YvFwmR!6Rrb#Fu*?uE#`((|&#R?8U|el5>&-APe@d_3;K3rWvt<7?E_cdGR{u zLHT}$nGnPBb3fVP_$N9T5HmJS`IqcqTH-qskpGZ;=)*iz6vUv8v^_>i*+m{GV}|qB ze){kh%FTkfKmlO{t{U(|waoqHc1UIeaI4ZU;H<9D#I`ek6k_p|v*} z78@TT*g$G`><%3q+}}L8XmfnDMn_YT2hCP5)&KL9DR(C$)EJm zAJ*jrv+5}=M%}%`iA#vP9L$_0PVb@iEq08haO2e%l?c9#2Y8=C&9XYImA<{8m;xgj z)<57$6rZ)@6h=QkxjB1ka$mlCbD)WzZ=XZsq|LL8cCWEv@z;E8LUw04WxooG=(M;& zI>X?Q#ep%dC@X_aXe$At_9l12(7OX9$^Sq9UMx}l2KwzDKh_Tj6gsn zJJV_=l4!z|u9_y|FWwXu=|^}O%x9Q~WID6y)9xPFu82ozc$daq-vD|s~-Y;}3B zgkr19%2-0HGP>DPfFunAlhkXD11{%(JP zAp@YUkwUk>08&W%ix=|dUn7MsF+odVwZA}D0%4a_2KBDOoR|o{5|961K&vZo|2JB3 zLca8Wh*rf3+71~K1Oc08gjx?rzbWc8}x6jAzYCB zz(K_G$vZSZ)928}X~IEm_oIk9{T*Gi)J29w*Gy5?smMbU2K&Q@HQBM_NlV;Kd5;{t zL*D6$>Y+los=S)s4*zJrz)l@x;frTdK(fE1YPr#sy!~;0g5u)-n-rR}g@T%yDM?R# zqDKZ67}fM))fg5@ZeJB8^qkA>*oyno-qZ^*-l*IU}1@%n?O<| zJvj|As3SEgNSEUYvsXgWc;^ z5-uK?$!5FfNGww|*ht$M!~N2~E{bTZ`PiarrscKKuK{G^FCSE}hWvY@w_GAUZ$1zR zSg!qg!?t?1V30l_<@uT{Dg13@lZrU)49FRxIXKUQ`hy3m^OU+n%CzZ=;w6~;(5EIM z%YtR8ga{k((B)KqU|xjC4>?KfK= zj3Req?VptJG-;jT`0!k~={T<>MR71P!8NxFPN@k(D*r&JI z`f;Pb9g9A}7oE&7f0`nH&e>!0%Pf9&?bnFB7o~4z2QTU=)q>;O-0L9dN)ZGG1pSo^ zy5b@SUuKB^LkI%i(Em!){Q(34qI2LY((54zcz`HC1(SgQfjej^tojlU7!bMxNMY8O z0HHf*DXjVuWL3Z;8tN5-*((DBxZ*piZbTlAK&$Ivj|nRxxs|47&d* z&ZT7bl|#Co7e{NqTbI-3em+mHgUvwMiF1IQT{>Mwx7`ALq0L0@_jr6qPOo2FUUw7; z4&@i{G}QK}D2b}a)pQ~0H;qP;-nQD!-HtPaH(E^sr_bHF*~5hiN>$kljtxBbd34Wy zn}CjMJtxV=8k^mP<ZW}ma8?}c`a=r{~p8zwB#%6zUgj2 z5%Epf4)wKoz%cRz?F*OfatjQhr%0{-m8*G$hC=tq#wrFo@>1WZw6!|&rH)jb>nUL6 z4u3f|(_nvb@%iZF_+%u{)D7w0Lot*6REy+%&N183H>6p#0;2VDpB-GWXSfXs9*1cQ z{N%AM-Ph>g(%susZz7K$i(u(_vlrAVCL$?<%N*Om%8VJ0`cCt^F111>2}7K8Mfe;E z9zL-~&TaeKieV~Rn(t|siRVMYH#@0v_|?A_>>`PwDU{aT%%Ipb$b0@;bIE~2#a-+E zP52P_hp))tDr#P4J&Jn$kuf6|-)b+$mle&OkVXKQ#Zze-XuEQ!@w0dMqn{z$?d0;Dz}#XD?OV>C%^g|c{IQ#5fIKbbO?0}O>F z$m=?|i4_;3#Y?Jqs_>*2HL5*3b` zpQ(XG-;!FscB?v$kY@L{s_q$KaI#ecB76|rMlpS$dfE;B%H~ENUl=LxP$Pw=A-*T zt?#i5_#3`r7DQ_L6crdM$b!geAEphQ_gYbr+pdn5WWDOCwfnYOn%V2*q!gy<$d`{E zqsxI}btb$nA9#oRhJ?IksT^97)9UBBA(Pc`4~;RE>KCi>Ao5IVUgwDN{Zjp~YA&%~ zzh=kF*4tP`>c3F)#y1FZ1$Lx`>+Y=(9W5Vh=)Y^iYpSoCnc`H|G24gh*0i-_mc6MS z?fu{ew;y`gb@*{5YXSp5{>r>u#gEH0@E_m@_%a7`CBz2463@N-J^5E8?ho(-kbeVT zkzS7iINg*B%L49LGhOJU9_0t51I04c0FMPNYw4IqUzrw9xP zz(Gr4%qhC2y9M42Zu$uL*Nb5f~7E14v=bDFR=a7Vsy9AIMh}l8A$RO_gr{ z+2}>^rQIBgb2vF6{pkOPTF+Mj$mqpm!lp{o;0)~-x;bb@W=ctqQp`=iVn1qK)(^OW zB9U}{T4ME6WaPQwR;-9beW5dzs>bd&_ZGjxvB?^zF+u^`Uh@%=U$`Wgp_MWMci6h*$H%Is=w^7AyrQt#U$K@7pG3?WRV5F_7f0NH5G?rVIMo(gr$i zxt&O#=@jJ!ha9ZG$Ll%1(q4R_A-uhH!~P=bmbLG;;p(m$rHt7x?UqDazN5%KH_WW6 zy%Z$pVlNGkdg6ZXs+L<8k^N)1ML%CXKt?gHzw`uY~v54N3*s~nyEJ1VbRXpu&9)R%uveij4+dO4Wf}K^Ydn&)74vGVzVS~ z^g_!4%ikuTAQ{$^s@zzJ35d%$fv{w3tbr~4J*Fi$XS%f0ebnG)+kOn(n>2(&lyeiG zQP`HGMm}`~1zJ!ia+PcB)bA#L+~%;xRp7d%midX_plU|{;QZW zmHtkIw12RqW$iM-b=onu1tRkIU~pBd-D{Kz!(ziL=w3D6ra%a8obg=H#={ z7te8&1hp9Fb4L$$T{vfr4)fysHhtI~U%v3tFjiwzbrB;@t?pqsUk4C`E zr{qD8F8;LfA#<8Fi!{C{ZKR%?oWKM8b9k}QREs&hyD!enYw?_ZJivQ4XBOwnmEXC^@QBALF!5<@?+DwdGEGCRSMe^RA90Y3w+ z%3q>l57g?>o>v?}L>dI2ukp;dk>g0Z6^oeOR6LnB=#4Eu0>c+=vZ-MA)n9rP65yKNaG_z4FVRX)AHShpTkm_ z%+j(oD71-4%g5tVXiv17i}_8)o3<*o@P&C_K8WNLW>G2;p3=FP;47MFp*FnxxS||M zOdyp-ip+@-RrZDnA$Na_bvka@@SDx8uZQRUtTP9F} zm-Xb%R!TlxA1yTqspsfk-l&3qJv{d@e*u&IoPrHh@7xhAW);R$@37YrpROUFZ0xm-jWsTx&STZ$0C_$Md{Wd}HI}>%@aI1MZg#!0C&w!gdE`ZB<}5a|5{SpUeW{Q+QsLTNuc zWBq(7|KofN7GQw_X&@O)zygKRprx<@3lvHNNnrvOD3k^*g$-DsR2oPM6R<$3G-xRd zz~W^8wH*H1?7&|s(Eb!AV1e>%ph02W5&(<}s%1f~2AH=5@Pndo(4%s30H<=7wAbL| z0CO|csDRrC#?cxmMF%}9CkJpU2N<8h=VPE&EznX92p5puyG#i>^@N%)2RCr)d0D?! zeozt)G$;oj(1YZ%qreL*;y)y;|KgSa{$DouzgFPC%1V$wFDt#6{Minq5oiap-ya{b z(%bDVQtg+^Ef;%Dy85+N2KTH|e-v%Pm;2{GB9PS!uLgWr6*nxIO8xZG)LE;bAyzZ5 zuF_=k+{l08<2@) zpDpr+It;Yj;o9@O(l)w82)V$ItuvdX165Pt@AVW-2a^+4)-VyuZXYG=h}&ud9Yit+ za&Q@yGpBt=A54mT7xC#|RcaNbM<)q57J0ds9*(+`^2&b8NSTdfz;`bAnuA`CbAH-l z%lOPN?I=@GzF4WgtJmI$k`zA8;6m-8m(8LwPuSOFm)=5|zSqi9IG6j*CW=$^|h3w0$k3nESjI1R8@STJ(JE{`s};+NVqvGj7qftSzBDuG9Bn-RSJ$VWG9Sk;=NwYqng|@BvxkpA+S}s*S#+UorDrTjOV^x z2nOWo z#8^w!m=2xAc_5|bMuT2V7IU8_iMDhk-#@8 zk*=hT-at5-pNY*Uo|dhoEpzY=_YjD4pp@W9R4Tm16pZ}r6=a!s#;SGpMRp*)anT5Wsg#IRZ+M}?E{@~<^MXv$`sb0G4Bnv0nn++wsQiwdq;8^%XjM(n`s5FNS-_oKLg0qsC(jw5-h#Xg=S|+*=y7m4vGdVBgmfMJ zh$|xJt#xd8yz_N~Q9hVH<|PK|pj9dhd1(_W98voBlhd__oaCn*w_B+Y$<{6H211i- zK2&b06}tW?h)nm#_t|opM79G;&&euWc&E*Y+g)TJbW3mu>N?IM#>-g}9=CE8iXVT$K_`yoS2#@kooz1rAnB zBrEC*XjE4utMR#wg$P19ND3d~*&i0FZLt%X`nBY!TEFXyO4KxGSK{N`wJ7naOY_+b zjw&oJT*D>J2}~!3_nY!J9T^_zcg5@t7Fjlf+juGMiZke+RRFgS_oNJ=DTm>szqZqr z&z}Vqq>$TN6wPj)M@VqfUZEtDZEiVy?Cdoa6k$tKe8(s;HVDmZ+Lb@Fkz;oa68bbO zX5&eW*)0mvEzMUC?bX895LF(Wa^p8#ztM@3pZ>G5xYe$Rdo2O!x#7KW71v6_0UOzTpakw!dz{m$pWZ|Rkfw4M5%`CI0( zsYfXYc$J#vvUju$s5pv`XJ<92&SU4ZCWWff?G;oDzrK8za?~f^^hlcGurehS z(ijjI^%@_ic~_)z_4<<%T;9;JM%>c69{xjSCF?uWQBHF9PBd1JCNuM&9Lef;n@)N- zWt6KKBu3!CwYR!1G3>lE@T5+&_2=|@8wK~=Mnc*H*O9tG?Y;N61t+Cs?DW?+25xG5 z26ylyGjGOP$2^H>UI=|8Iy{8sC?p_Co})`U-%Dd(Z1JUAY%ar3FE3h#$aA>Z2m+CMh7K>7S|ETN;N z)=|;(u6bfizS{${G?g8XT=X|-G5O3gWAe#TxQFrPx>cHt>PM%8n7OCU(QObo6Gr;i zk+(~i_NC_a=$jO5W1i*}wpQMNOk`d_acx=NSv= z2QLH^EV?L#fjkgUs0bv3g**^Ys0dmL6L}z@P!UK93wa=*P!Y5gCh|Zo*jImUs~{;X z2VJU!i98^8JM?_HVImL6-3~2c|Z<#kQ65J zfE@17Qdr0X^0$M8uzG$#K>l`UDQx5c`P)HKSjh8__rqUH>3;`#F1XqMLLQ)s^~cEb zLjLEC*}hxHxE?ruuJ5=6PXrh%vgzgYq}6nB{<<=|O=+TGI)ltFA(wuD+JRDLqjz_3 zz1w0hZ@}V%a z%b1&6qkLKk)3%#uQ{Mdd7T3=17j12tEG`WmzD!=zaQ3f0w>UAV&@E;q*P6fwiaTQo zEj3ei{U;;h9CA$RX%eCVqYv&+?*Aka~^KL$M`btcI%6Pk7h7gr`eoE$Vcx+SNj z+9;f7cpP{NJDf@sYSJ}l4vWONs~d9A_X^Iereoc3?Jvjd9{lmMwC%;S;+^E$m_1jH;2BV=IYLku8vPC7iwHSh9<9g;v@M96f z6JfGu$ka&i5kFKZOq;@NV2`yUF9|@>5^ubiS9Ot-H^g^dmp3#F z$!Ve~sT$xudp8N$y=h6gc7@>mHGlFP(xhHdujQxBYHpGg&k}NHWs)gLZTq&_BU?M% z@B|@QEmR>H6*ajDaJIvRN+^LEsG;c^fz46$o37aHP`vYZ%KRsd&JRXAugzQy>I0N=TaB@iM zi|7PlCUGl6R8`3786xB0VVAS5UJODRf@*F}PoNfj^Yo*Du*C&W4w6dN$dm7+SVw5` z(X9Rv-9y;kxhSkOtLuW0GUOtK_!2*(Cy#plD8@r2-S&){ho~7>D4vD;Yf61sk{eWL zS6)zzQ7A*ef%ku|N8A@SwlLbeYEsoqnbtmFz(2U!iS!JR5g5hk<5H7m;&?H*m|x4e67}WngomsS^ya`Sk{Y0-ImSoc|JR zKp`2(uUY&F*npZkU6jHC8&E?hkPIf+fEqeMOJRe}1^@T2-TuOJ0vGzg1e*(Cm&>HE z!3N|2hn_IZo30@s2RO78CfI$tR%W7E4@*Uhfw&WDbU~>bF7aMVd?!AI!6&Z~Ix7pVzm2mU!{GHKIt! zP3Z88Xuabjf}FeYlDf%4Z#4Vn%upv5wQJcfI4(-oh-Rj;y{H^J zxo=Q7I$<-a+|@E`z8h`zMRMEaTxzWcuR+LW(#JI& zCGS(RUl3PL_+!L$#XYI7xLyg!{Ze=7l|ycCu{ajXLK5=6Kr(q$G9(f)PLuBDslT3k zLE|ad6`eC+rf!lS_r^j!(Jb%|X?W#a#BI`tRwLx?A7bD7uO58v*1X!1813}B4=Y+1 zPUG5B3P|2LTFVRo39*z)1(X38giRM^M=f?e_V}XkUucjma%*pzS8pPgH6Ll5t zIXz=KuC1XJQ?qkxst`Ys6p!3UWg^2J<~Mq&MBIT{Y7q{-sIwtHr``l#dICQE2>nF3 z>u&Ic%ieClp->Bm4wQ&W_oA^34UBwCmane^I(K1$MWs_ z{LQzXGvCl0sc$l?K%?*NYGGUJ!%BNdGyJe~hA>cCBBII7huiBg2Vz1i;J9~x4jZQz zzgFiaQfR7D-UZpbA&$cS*+&vtREHl&guFX-$Z)EP^ogQOP2q% z{Dvi-|E|U^&j@fB`pmMa2X{P{=p@ZDC(B4?Xl&JBao`d0S&A9gJXS(Wna;FX1qMB< zNF;X-&QQoen#cya|FNge=XTVg`*3Rf(mLiui0~vQk{o1DS~Tf2h+T0aRB0qyUO3Qo z^VUKXUl6*y?@ot0yG`6#cHTbM^wvt(dY*j$UC4v@8uE!IbDtUFZ|;LSI~8B7&b*)Qb02&ZXO}Dw zkZNPtq}F(cyR+C!vZg_EPiII>?~AkNjr3P=aZXZ;oVM;MuWfnm25RelL?X+3AJ5Ady#o0BmQ@Czf2)Fs4Ore;Nx zuP!+aEv9A8B#v1#tZD9>5%C5aUBvlSes zbXpJDE>#(;<@B^NT~=~l$9k9H>>mI6iHlI`3)s!$ftmBX@pr< zcs8TOY7kwE5-69HGV^%oAdw@H^r%Y5bqY@v#BeG5(D2l+l?`wZh zMmVzEHMDyuLi9>Z`&>^X-h$mTuZkR_Gm~!}S1X~4BD3C>Qn=Ej&G7lBp&)*P4_zjU z%e`rEqsW_P`-@ax9XQ=}g?y5Qe&8ZlFD1Z5x2-jnO=Ab{tRC3tFk?t}J{g{g)g}$@ z?95C>pz3}@uNL8(aeI_g_TJT}b0b$`xDA#%Y1~CQX$NrA|{Z~`N~rF(>2MlbHeQEDeTj^GJzjOUT!*%%`>JgUplis z(E5hjACPgUCPu&0(JtRbihIatbM+`Egrt>MjBPPeu3j-hJY~)QAN>M+t-dm6({+?$}dQ#qOm4D1}!~vCB(!_*QX4SD4C~NyGf~`_fy@^!EsKM1-%+ z>XTo}bG>>wkmtau!;1Vs!9Nj5XM;n#!`Z=HDpem=2;S@)s;4NS$-4!FM=*G+s7r&iXr4ZWa_vJ=!KwoZz;E!F-g`v00X{_c$ zs9Q_NP4DRC$KAg1m%mA$EQqg3%)4XR=lWTQCN`VdGJ6Wu#4K69+{P%K6Nl3ZLDP(s zpU)mWq2OiSfKzL~O2$e3!mzFio%q&(qqE)4T{Y)>>yKImFk0WIvSvOcOfp!Vel5_K z8TF9}fp%O2a?0mx#&dFx*`f99&aAunz+Q{3Mu%&L+MTy3k4`B=)jqBNs7pWIk!u~; zGqHJd4f!ZatozLSun_+x6B(Tg;CRamt4Z!(HM)NEgn=bryi0=^|AB4pq)(1kA>U;{ zbs>cU1E~I)GP`iB_AB`E2S5e+r{zdQgu=we7@#N=Zpa050Rh>)K~fmKIevOlFGlL1l{~<~Bk)k*b4QTj8>9qo zH3BYZzDx>z=QgyIo0ppv0@Rr<85R1fACMFXaPt6;a!xfOb-D4+%K`z}8o%8 zVherwBI#vd#sAqxi*GdSN6({F%<#eWnwKjUr8#U{!M)yJmy>Jh=&2eq zHqTkKcEsMm__0wUf6_WvP691A^b~t@l;ZhYy==5Tz0qQULPE*id8QpgX|>6it-Hq2 z)ZaI!_RnMSM`P|5k##JJ>C>x)DL0F-?XWYCo8_)HQ3gH?iWLrA+V;HGi>S*)t1{G) zUhD^HzSHbgxV)lT$Q&aTL*G>R7@cI71bg9G7?*M)u^OBN@| zTnir=$cn)gC&{E+h+(*hQEQ{T;_sv)M~iD|Aiftk@I4{ZHk_e9G(HjE?EAd(pvjN# zO$cQYsyfDUVMeMc&sn3#$R}|-9ioD@84+|dBno)+WZTL(?%TbJ&2E2vEh6sC?0xO; zZ-YE&S5|pytCU1>GBEn1!TryC~sf`V}~R~gcZ8jAU%8oz1z*?IDG+Ila2<#0i8f%H72&QO^? zCTbyhRoqO-&E6q67Jk(_z9@i-a=wX%xg7r8O?gh0{-gLj!^u4wojpOaSmBtd; z(|d5}YAVFnG;TMLHP83TIov8#l~o$JFSen&_+o^)$hyFx&|DDx9jYgn->0CAG8~tO zP2x0X)`9uVP0xmp==c{{@}(r-%hWZj-3$^kii;qp|8TfGb({h))%F)hzew|2FYNSs6Ym5 zXen%>0vW79QdmR<@>fGEVRk!%fc(`UDXea15RkzdBn3XD%etNMu!9WN&{A04&HyQh zi!Q7NAkGGSN)X^^33}TGq#!PWmI4#z0n%KTNI_r(C56@Pj0f!AfmXt3b_UEBgj7&c zSk2A=DF~^cr7)VE0a6fBK}liV_Q(VFI6*6cVjL%69)$jUfl}u0jQzh(RKP?2KHmQj z)jzK~`h&y07dp1%ayV_%M>xA?@;%1A>$@^HZ|2YtAHI%zjdH{8?xsnBBGKN&v^YER zwTb5PIJ$L%CFb+pU8`^*EGbr9@}?1UX|uWfLA{u7NVA%1w1^x7YAXoHZ41c;)DQ;oSqO+~;8;cGCgy>o^EuMpRWJM=GB67oM_C0N?T~orT&JkW57!3A><@U3O z^0M6)Q{D8z6fO6EyH|infJ1c~P5L~V=ux}b$nkz^6i0;*WjKmy$Dm^|Vbu8CR_ynC zE-dl1&GZk+!W~#f>Ubgv&iT#O7jx?OQNlS51`0jMhi7(+FvHz8ywAIiW_FG_Ypq<6 zQf(%*x@!pZkUqHCouxF&BdlzhOLvjZho{(u)@!ux`;Fz-6JRMBiZL!#W`(7WNZg(T3&6v~Yvk=DJm?mnsJ6CHZ zQ}zj!=gi8I&bG^U%xo6R?l^=q7m$2SA&ND;S2wwhlR~9y!RVTZypA@+5U1<nJ5M=-HsRiq+9GfN&e1#wh|{R*`Py^=}77~_oDjK))y-NF8L>V)d$ z!72+ELB6_zV{-ZWj2-0#3;rJ^A*T0w=a)x~VheY+C0AZmWGX=VQUunXZfnS?v{>If zWi+90w7>Q4x?ir^nADuMQRb7*Yj6+|M5WI@G47gPB&_cXGQAaTaHDDC80RW{29X0E z*w$@MeqVi;OfNLn;_H`pv}w}GEVdfqdQhSQw1xTSO`oX8+)M#lmt zxGQUJVdskk$-Oi#zxF$61vTBTpEt$5-D)qzxm_OrMCjbn8Snc^xoj`T-Cp~1d+w*v z)Z}Ug9AejUI2js?5}AY4&Atbrs=!C0z-#l^Q*SY|qG?&v5{3HDv*H|7B+_d~$WxDH zQV!pLRNgi#mBctcDxrQ|zGy72a-xQ~tY%VdBB5JQ5Ebde=)|`j#>0CG`s=u30#_nu z#U$cCMYreA*Am>`L@=p{(s(JTSnhUL3MnSuu1|(uZ*J%b!6U;8;6g(=%@a6%pTYe_?8xGY zv5+sPZ?rs>JT5oqQ4uIY<4FUcYXi#=&t2>Q0Hy{@p}p>)33I|IRq?Pxd)+}&SfwgJ`gdy|R;db*{@vQ=fKjRfruTc5>rcSy z|Et{^FxB7b@t;awe-K!e_4849}MBs{+?w#f_u%zqO`{ z3Z(jyy4lcR;732jjN0{P=L%|T+9z_Zikw4+Z2qlUc|luIGbT8Mfv@4(WD0$h zsiAC>)7aTI6{l$|H)(1xpUWykrZ?E|b|;coR`+MUxxR_q`*cE=EXwTqNaXR^!3MLu zJAI8UFZ{e!nj(2=4?Y65N=M~)BhyIdvsH=-Dny&_#J?hNy$QBz-L9uuk?8^W=S!uV zfhB1#9qlKpR@;l%up{qBrWZc=R6!qq+7$L-TclXkf5>KS?~qhcYQ8|$hdU|!cyxtY zSlQ9&WtsI$TT$&@g-9G>6KzaVro81^Cp?AnT^S7Oxw}`=ijmO7v@LH(y^j7+dIPRs zQ-bWq**-HRSy?G_r{CyoBwrN%Qz~CmuX=@_0Sm6um^_;+mubZ&=XN>p7Wu^jlGtjRy+c?O&nhlBZh^kAC|=DMJZ^2)O9{O5%EgLH#K=p=Z59a0BM5irMo7b%aP9 zd*oN&C*3v8m=48z5-W?owMo+3*+Z68Y$14omt7~^2pi>E zKjX|{WrkO({HJ>_W$Kt!SE^X-=vUXm1A4oPhMoMUVp&(NdX;oIXw&^@Zr>c!ahLPT z;&eMP#_br4I1%BoEJ?c2ml228HFf)&v>OgS$yB|Wk~(p2VHo~)tH`^>0_rix(})vd zYp+FnM%OC$7LkH-xV*R2BS+4UTsahif2hVN-D4<_$wawoY=)4z^Ch0U{Awl&nx9%5 zzdDK`aqjxu8zhq2mYMZr`Woq~Z`bE&=# zJ+2D`#G`WZnlhf0Xl<_Qy+)|HLfeO5;!~s@ecQ%6=heR{cdlqH+z|FhedJSCtjiE4 z36Z?k|IK^05#z~;3p*}aW(9=_QxBojObi9-PVRT?Ty!qy1okLWh)-FtXw#GKKIG1M zZZkON3@JQkX60mH{F zDM!{)a^y~%itbI@3h}xP($z(~T?2Q~3C|abT7$zrVe2K=znvn{zal#SCDuUy;s#zyKX=qW!5Z+ceL)HfYc9Clf9*xkGMHF%AwF}N6qcolhaKAI z4)vU{{ojBTv=>257?!08kb?FiXekU!6CefQ36vCur3p}ikO*1{!_ovuf8UTU`+#8u z+W_hBd*@|RSe7P03IZFb33I`)Gyzf&*g#8RSekg)p}p>)6>+(x2@ryC9%@WjS$;tJ zcS{MD{~M70-BRL!;r|An>-VMfCs^~JUJ?n+?)QcB7s&vp`+rU{_Z-KiaD1naa8KwT zb-I5tv3;)8NTwEytwNhB%ZbKe5zO%UO)Bl6&omVR^2a+%nJZy5BQ;--SJuaPR+UYL zoYpkPtKU=RWkz76%AKnaXcN;eLd+tv2NI88oQ_{hHh!-Eu8lWo;q29<7dp5CMy6S? zvclmORlk?+w-!v8tj(KdJ>oo*B2?ta-zw0N|CwsbXf1MKDRpi)!x9abl0LFRT2(#U zwz5-Sbbo^z&bu)B;Q52Gj-KVog-S772SlYL|P-A5r ze5JZ?+l`N@RLsYeJCfCet=w4!1W2TFZ5<2d zfUIrgzEqQ{5A!zJ9#Zj16E8uG-c*V%F_Xz=NX`2>QjQs?Y^RssGkRzfr+YRh%wo3O zl8qJpTVKp={IE-BN+zWpqP5$Qw$|Pk`GUzC@Z!lcb#18u{~^DOSA}mCwM$>UrEzRj zr;l^)kj045((UzUK6tEv-P@d$+5PStbFZL~GAq)gY=Z~ch-i!^%^R{cG2L%nE%PgD z4Pk|@b;+!wwu3b~+nk#&1-Iy;4RJr}SO==JScfM0rqC-7`PsiVu0=ND4Y$2Fc$M>H zB6z+$zLcUX^w4LWoW1kGLzfUwL7O*b=dr_fB_gp_#*miQaieSRDV*Q`FsACrm8(a7 z7e(#U&W7*`EdhtuGXDnCPRz@cZh6heSHy=odd#*?k#)Of6DGOT_-RkSQd-NDK4YWs z@}8Vh(j7FZAu@SO@hrK34O0r~?w}!jhe&51LT95}9uY=ZXDQPa!_g29w-1#vCYA^* z+8Q~k0y{U$e$I|%o0l*Hu7P%?gQYO;X5?XqcBO-)u%;n{eRcLjy<>OW){>myF5Gz!obyA@az? zw-EE2DOS8)u4E?L0t^DZdS_E?m3p=_J@-dz+FWNpQpx%ANwy8K+%I!#L2pqv#Pd$R zAJJ=?^^yu@8%qN99L_Sc-;?L~_*pvQcYR9#DxPKYgAo*DlbLFX(JW;uwcaNWQSMT_ zU`T5yqL-WfP|#~WSjg}paLr+4uyV(lv!*U7f-Y~qAQBrp<+Lhnf9$@SaJ`D*Cu}ik z1z##1%jL$_?I-*M@;nu_v1dE>$$r|=2x9?EM6zX!_tt6xq?5UombPhi@hbZ(-nYuy z3kwSS+>KBOTf0B(`lb4Dm}SBp+1p}a6*=iCMsmx$4(rd`hIF$7KcRjoVSZ>CEbyb8YVs~c3_=Z)~aTv`f2$aM1l@#`kD&gzh<7%xd& zP5L zok6-_nQ->>D@~WO{k}>W*@%X&PsbA5n0vCMEYFfHrR-9CXjkV@YVT-)Ml5s1x4@BT zR_>P0vacA|Jc?C%vQf=TjNPvfJn>)5$<&c0f6VeW(;@Oo{w?i$OVW*&o*(fI#GY-6 zcugAco92dX3ajFG8&X*bug=Tbj_4;YUlF9xU9zNCe$7Y~>LXH3+wGG*U3yY@!xBS? zBWrwdIGxnCHHqo7280yO@(uIIP+5p`WFvCCiVEfpv3f$Y4e7?!x4e;6E$4PCYZ%0N zi-o`tB};k+x7>tB^pEqtvB7`+#^{*mb}PEM!^<8u)V)+mFPaBur2D#+6|p7qVsz_`@(FPb#CKir z)v(_W;hNArCXH+0EN+#|qSwtR33*5V)nV-h`o}ZW7jbW-FDuhrh|$2nnP2ZGD4h9~ z-1#qY20BIqya9jy9{h_*VB30tfB5@PvtMv=K?)0Jpd&O;BLXs*ICH`AdD)1tdWivJ zfc8D8$pSsjSb2fd0q{Y^g&@skqr&PX#shs_H0V)bwG!h2-4_j#!fGW3NI|s#s7K|# zypJu9qM zVjO_;2Kqb_S_-3=81N=@I;1s3p zMPo;2&B{dBDgNrQ(c@-FhB2_eHccd`C1G{*?binefn_zvYi$;z;X>F_Z|-fi7KJfo zgk~u@Dz;8vuZ-qo2#Jc9qic6n5<%pkTOvG0%vETw*3 z^r;6_a+;PYRm9b2WS_F$qB9?|5EDqsa!*Q);isq5V>X0OSGv!Sh_W=M6I?aqKTa58 z7k?BslE)U_ZGS3kpw2Jvz4?eGWC&06ro;4cY0C~e2g-X)sVck`D|F)k(OM!BTx;RI zpC+4~`_HFdb=V2HEu&xKYno6gnK5{ex-V*b^tB}}-Xn;>+%eQ!JtGyK7+-7WAq&B( z#G6xbGaW1%*%R|BlqwYOTs0$#mx+cGPTXO6$Rc-m-%mAn>C~ptmZ_)}eUo`s7>yH{ z)qNW6<$(zt9lVp=BAzqne5G(A3$9ca4T)j39HlM%LmrLX&?}Ah7TMcW zS6nxusnADKO3d}0_0UgohArz*LHde82p zqR(gYV5w^@;fzJjYU;0YAWkE3T(5DIW-^gw;_fWZEKgzP_p38b$PlDBzJ9VZ*N4c8 zNZaMeyJ`8n3q2vvOg~1w1#!{gWl>6x%DZ&I6^vtHoLbS^YT<<88l|d43$+?q5|)>x z&DANand|1&DW;g8w%3u3&@(;dYELT|rF4nX$2IA$n9#%1OY1U9AW1KY%JFFEA+D`5Ib#(X9)V`93Um8e9 zS|MCoR;$;03KsX>xSl1brlo%UY?58qZj|qz0N8kB^QNEyvSkjB*c|>C#kW0mEZq;q}{LuFqx>`A)$y3jlFo`xb zHr>B&e&VI7z?vrLn5)@Z?n>S%bu5&Om$=D7goAez9brdJeqGwIb8w@BOnAe-JZdM~ zIGMa|nq4k%zo&Rv?zM>(yn`JMF1M9sZ$Ms;R$Se!FRfut(G4tm3Z`sZ&oeyi|MWQjPwxO07+r<40N{xuoNcG0FBB2-AD9~{_s3N zs16#1IDr=KehiO^Eui}^b#ET92K1+m42?-Vc_!vdNMmks|y3n(Qlpy339 zXn*sluz}`+jrOupVF3;Bs2~D^nlNmj`Q`HcEw>0-5wL&;81?T~1P4r@xzNJp{{Uz% zgaZBrG=JT6_-FMQ;5_K3W!OFT(MR`BQwOTEbJ6c(DZV5s(Ke|>-pu`i;w*5qFC0x_ zQi2tovl13HGVXZv@}=|hcz1o_)yc{!WnCAqH$w7-hMmbmZb@#s1eDANw5VI9=Nwm7 z+D=60y&Cfygb}QBpOJ4m7c6@2*M6~i=Vy~5bRhh|+U3w#;PLr8y=F1u{Bu@fg0=!z z=a5oj3JPS@dIga(_ZZ+XsL?eaDbYuadw9xo^7!d8=)@rXJfg=+)>WxF4O4H3k-&uV2;Fzh}Rir0vZtgR|9O$|H7* zBlD=z^=x$3MA4yK9ozDiWK?`QV#)G$_SYj%xDj_b`j0wM$esitaXV(WhVi$0zw-oI zK8d#rd5x{h@5UY^d&QO#s}(V71YKg$RYF-8Nc!C0wdSX_;@uLkuj@C1=dH<`N- zC?YkT**eYCS>(O=($*9@HtAiJ$mUY2;arngG{0_9p<|41CQ_qqlU8wLCQpN$Z|H_g zHS&4QOuhq|<$*=#JC>X~@0wX&>2=%n+_*-B9AL1qZS6Aen}W;hhWP!Sn#*uPIDy6M zeEpj?9j?_Vwf;59eWcgok7E{;`O!~qyp)<1=T*P@*u`WuDCXQsvD3Hr-BBvJJ|A0f z?0A>U!!KLLdZ-V--*@gP^4I%_7~k&yM)Ez@?J^7FJ-j>Etm`b#9FT1(!*9+ik=!oE zelVF=Afl8Yvv@Ae&*{gM#2|iXCa~%CI&9yPDgnWPxo)8a!9hNscNAG-I*@n@!B3Ay zyn-E<4)JZci~&*T)k0Z5ExPON(o@To3mbCJ2QyrcbH4Lz&y&<3-9>50_oL-!()%7y z#vk7Ky}o+}{~BJQjF@<+$+|$T!aVDkj8Eg^ckU|_*m`C4;n&|Jg;1?z;%>fFqG;R| zK=?Aj^IC1}6_co(8Mk^=18t+i!{BrcWM7XarDMoJo7uox=ILycxUK7S0kWfEdAlLU zkmx;l#KzswYhf1Rvq_QaI$>~`V)rt0%;C)S((I_-Pz1^+wkA;qDQO+!t zYbh~oUOz>DFex|lIFvjZmr?bmP2^!A_To&djn!w;z(ey%HxkTh9^xm&*TRx#>C+n4 zk=j00Pp;d&u*KirnBq_H(PNEeEYzt!8u0hlHV}t@#!VIaVL-QPfl2Iz4R!ni4fc-E zi`qf7CcDMr&0gW|#zHam{) zrywZ@bc71@tN=2x0!L|=C_$hKH7GYb&|eEU`@2N?dlBKX`Ev09QoxvWi4?>aP^12& z8oo=i`#gZT6&i@3q(7;KAGkLAl2QNeYyC+z+?N@Qfez1qGwM&O0qQE3jS3=8s0nj$ zvjd;-C0{H1g|OrQKGgtSPk(#Lzg#YWr{_;kor<(4Y=CIF*MZhIRXE<8z29C-^Ob~^ znMFIPr-x;->q!G%mU||qVW&SLSgP3T-Wf`}mq;X~bj=d(sHmN?WV=qgB{;L5bUsDE zme7pFt>jDRO{9s z$%^>$WK|pP=R$7XbEvWXJT`EWgyBj*WA?U(U@(Ex{d7W;&xG;K6d|}u zRRSqawsu5wp9Xoj_Rvm=-#wr~!7lDK6fT$Yu+VCxS4>}1R%xrj_JDLg$l=W&9<^%dWLQuxWz5*_A^gd_l4~l*1o_iauP`@rd{j_nQ+_RP1I1LsR`A{&vtjS z2`zv?lx)@TYApjMlS!3{Pf+gM>dL-Gr9mu)HQk^cjvz)sGmPC{cWVpFEzNoo(#V(1 zBRlf4gQ2tb+{D$%Hx(GX*dr^yUMS z!K#!1HTU0MkUzIPXerD}2?r?11Cqk3lyHFJIM7laPIgw_%b0=#6vu&i{1UG|7OZ>_8mnvLXuybn6Mw$Hc`C#BqSq26&GK#c`lVu@qCG-8e#q`VZ3KRyw(hDiS|AXEALV4w1H4DJy{)e8DB5irc z30|!FHLV$$UI}*RZ4t)!Wm-jRjipIa6nw2 zpTG=5L^ugRcII(Uj$p+$fAMuH-C%|9QIyW&`<>_<%YDc(&oxq$n&L55sT;z=ZAN9R zNmiA~CpE)oXDcOG3ZJb$I&OUDC$9FZs{a@Mqi)7EzkXh@D&dH>N*-c1<`PQAkpUA|PT*tuipD{BQ z8NV{oPtFz?R-G?qcgvb^Z?5P;uMrkyl7f+BLkYfW(z!x>N86%RN&D=39TK?1O|hd| znQ#GB*3SgEVQ1>!l&YqK9~{`a0-2-b@2G^eUy*r$oZcUMyCCTbLckZn zbJFI)Ba&KEDMHo~Sw!?}o8_!LB)4;lZ>o?cj6~96Bk#t{1Q4juzj;FP5jndITL+Hr z_Bcv%wD!T%_u>oYybtkbJl>7?&f+-ymQ1vgs=uSO%4M#~!A-3RM^Q*S3(MfRMg~rwub5nwT9W+Y1Qmh9Fg8aSY4feJ zAf}HT->x$qBY!W8!xEZ&78IJkk|Z;E>xMA?b$fr5Ov{qnZ*1R~3Tri@;(nEgZN9=n z9D3c1fnP^i;$3%6j5wBRlHLL_9I|EUO?Bx-3Nqg;($OHYkkyUGEcYiJST0EzJ%gX@ zw>ktF7(_;cT=*(G9NZymV~XnL=9{!;QmVY><4kLeL|y%SF2w3OfxLTjwdG{h16-rGL9miq{T`N=@szSwJNg8eC_Je zrzIEZepBooQ=_Rh5u`(`S}SbovS=?z#~ZxLOT^5B*7MojVlUr!c!vnhPFniuRaf+( zp+O?6fUdC87vI@KnDX=Y2Stbu;ZPV0iCWNa4Nh9TfJ;i7*o+KFJG~Z4Li2d$;B?X{ z;+!3!Sal>}mIq04yz|)+a?^@Jwno$BwP7WKY|IYa3OE|-q|RMP2zmZ;VE*?|s&sXy zHET0N)3Di%Yl!HtQNK&G1_moirr3DZX-$&cecx8DFoCZs<=VKs^J&=Gr`Bgkh>Vze zcCg7gW~0la?f(9=5vkaXcWpIl+^k#NU$>qn49{1)c3|2ZK{k(SdCtfquOtXw#tavJ zp~GN?UvC~LX86NU&!x-&s{eCbNGSX}W&nkHE=plB11Qu3lEGvKP^br53abtQxH6!B zoP(sW>JS{DP!F^eW*ve96zTy@i&9*IkE`G{}x{F(`EW z>{{dXBZ4{St;JC~aH%h;VmsvYREXN7XSy}1GJvmT=KDaXY-C_Fjt}8ewD?qH62BO( zmeivc_ZOE-$9BJtIV$mb=q=IV81j0$>vrc=p7)TGGd3L+k{p~{Z69V+Y2{YxFS(SS zB3SRsn-F}$E1g&@biaKYGuDT33X}EehX(ke>_V}dGV@#r#NFS$zir3xxLEkuGQY>^ z86D2|Xu{s}FtE8c3V#pZ_-Z)@D)k!@7PGWHa^hC|dn+dDWe@M?7mzh<$EZe(JZjoa z+2c~?W$JuByC7~(FBP-hQXbLn-SD14)5%jg`%I(`=Ruf34{}NF%&0ipr{E{&~%fV{G_a z->mzrkJ<0+)bGE=zW;JW;`xk!J{^zFSg~9d8YP_bfHaxJ4TSq#Hx}^tJ8mLqHZkMbxl98*ksTz!7BXpUI-TIpp1)p z#AkUT^$K?KWH*Z7_OO@(MqDq@Uw4%)H2E`k2{i| zmoSW~b3dPOpHB#wPPT&lKi5}uiw3{^#4hLNN+Z1qsDwc1F3VuugAqANN(8!@%q&KMB|Ap=O z27&Y6i3AW_^M{Fq<^=8EFl^xd54?u!;s>vNYW8J5XIv?|v7zh-=mAb0Xh;t~J0I=8 z^cN2ymWg7Jw}D}9++16bk}{EK9wt4pmMqO0nMh$A#wkoV%9MHve0o>Re_f~QRPfvd zR(grryMan?e2L7DeXJ*)7-R0Ed7|}cqleyhg`0Q%*DD|3Q!(!0Tzp@+{1(%Gh8413SdW80na^zumpbrx?d=wod4&@vKC7h?*1GNHzt5L|FBbQX0vr= z{q15tc3?%ZiM$p!m(B3WJ9yo{wMROzy=Jbb-L-$G6i$NUt<~}+vyR-}v2WU!G$sj> zcj%i_uE&qJ@9I@0Y35VGPB5iL`pc>e7ssT0+BhG%uSJg+rOH98+Yehr5uGpcN{@rl zzla#IRQSHjlJq5+M_l#q;)Vv(C0xxu9_%(vJ))tFN;Yv@el|@-8-|bL!UIR^JBB|J zHl}IzMyUJjlXXd2NuHf4%anf-4l4_nm6fLx7U&k$$Sfj$^&*2uKk!og4L~V4E!!iK zjzCbo{3tF{ucCt%*rhkKyI091$bzrxgxyNp^J+~Cm6=T^81ryHdiHzgi~FaB^^2+w zcslh|3qM8ZJFh;j(~(7cHt2r6TQ+7`&u<;FxaWU4W#S^oD6<)y@Hw0snJEshct@sp z7lqpcWwgFO(2}T}fhe3pl-GqY=ef@qYN;$%K)>Ue#v;5H#>WBOJ&~u&yuHqy30!SY zy~0bq6X%zP7Z(TJxrk3{l6-re)b=ad9){t(%QY}Y8m5#x-A+jCK|UZ4M;;5I%byEY zxN`&(mBPys09RCEu(w-Y)G`DU@T=U&815xzaRY$3l7ik#zc_I%^oik#QT;;0f{Dva zNK-#+8m0x)?vCt-_En6wr?QBG0Xca=#8uQ9NfdOw1rl|p^h$~KyB;*-Wds^zlij6pBBd?40?=m7*=>dGVI-*~d#~qiX9%GOE$m zwuQ>a>PYXO_Yf|6>si42RZ%Cl--o;Wgl=Mz1)KSS6!pVgt0G%o!D^UkOjc#)yNvq@-j_yh(!-^6)OUJ9R+g`}%ACv&&2b{! zTwT7i*fpwvI$r6#6rA4>ifeSbf`9xKaOrH@i?c$vD}+Q`gnOH*xWNoUF%{R3CNNWR zjVb5Ve9g7Ykx#p;SC@f=;i& z4>rJ}LalgUhv09(qe9O#KrlEEQmB~*2nGjS`rA}+fNUJ(P7A@{KuAHyDYy0E=VXUq zaKNR|Qw^YI5jV?SA*4`K4G<&^xD^GR= z{{=5|qj2=Uy$p!T`9m*L{9OJmh)iidW^}A7d?mSX{w?Z&T>|icCXgyfIppDTU&URt zP#L8kXLCJiOvYgbeylzLqnx(YG$-W#+%f2F=G!ba2tD-W-v1<&G zmKA#G&9#E2th1is&Vs1>^rv&CsZ%r7Y6CwkTRmp8;hX6a&nPtntjsp_znos!WB;(i zS}b%V4^tgsdNYc={Eqirm&QipQf6oAJ{DcOk9zjy?{kqK4JSWB_3jdScOu058VF%l zPRc!yT4Lm~Znk+nNYU>56N@-p&X`D#|9q`m@A+r<3Pu!`?2k*=2=5Gb_-eZItxnpR zp{r+7=rhYhaz|0_E#f0pTVQH?`lmElcl3U`*YovWXz~|CE*)-{W2Jl{1(HE zS{8j0Zq@k=cE#v-DfP9x0oCHL*UcXZ>mnV%38 z2ni!$@h4NKYL(iG&9eO&bLy2v=p}gZquVUj3EN?O`D1E{Q8dXd+#~p3zFuFQJ~H;)+0t_rbT$G6!ywMNG*lhNf|y`e`BR<+$YTw-K`!58l6$q!2&1 zz!#8gT(HE8H}SDE0SGf>KU5*?7HgBR6@<^erzJ*-r=xTiR#YYDAiJ2H2#(PA?YOnX z=)eknCKkz|OJCX#x=;3ZN}k*+kwc=7Ud)pXPoIDD`p21Cu5eWBGv>^4Vn2K4(SfPw zo;sm<`36xXcbIA1EAsk1dFgxKSa5{<2uBf*9y|&e5@Sah#g;k4!TOMai=FX zT73K)pzvWI=J*n z{O$tW5>9XH@C4a2{ZoO}kbJaE{SLC78onGaj z&Wk;^XQvBQ{O<9W7#CyKCi7%rd+zv!yw$0R0v6?3L&xgG)$z$Zvt0w1fGs{R;*vbn z0C`$VgA&}Dj8CsDMWN`~>9w3RTtijYjjcl>&Jq(=UkJ5R%Yh$>P@ zUr92#f6BMJnUnV-rOnY}*=vs6{nu{G_BSqoPDyRyuCcv9ve1$f4RhgWTTYg^`xEb% zvs6EkePZ8V-R5m>V1Q7(&EGuA|DE;-+K_(NrTu}o0W~(b{=&IWY2_lM4= zIYIX~a|>#|de7ZIG1FA-7ui^h;g@QEoTKqALyvc#6DZmq?6F*))*_8%_MA?)kJ0v3 zR5i|C%4o=x(b7!IZ(de8*fFCY&l7Q2o_}Bh4P8{zsn|;K{CYJ4zkt4#PVqJ4OG$0B zpvF}5yk%UddWB|@T2LS+#m&VmL4h*Q0}VmbTG~V$c0H55 zcF}TETls}gQIL=?Lp1egcI%H%lJy+Se|aoUZgkP+hRX^!``Y9cAV&>efQYT=dB+|i(1AkJ*{rMg1Cgx2oi_fG+MDHxD>H>`y zU(1|@_>~t=$51f!t-Y5Nf!*?Pq^aZ13!@b2WGZ)HaW7=W{8$zRRnPvJfTtk#C#5__bJgy+Hq#dbqR-=>&~r1WvcEuTWPYR6t9HL zld4ncD7%r4X;~28;WKIenVJ|D!y&5<6^r_LGJ(ftZpGD_1nj)-| zE3Fye)agq7kLQ2*acIA1pL<_tW3h}udK!VPBAB}q=7iVem*b#*&gF_6zusECaIf;o zlokCuJco)fiIG^E3aKXH5mW~){xhUvJ7QCwJQ{r-T&H)9wd@LaPx_YcdOGe0*~}~z zzLI(M*uMt$%DlO-9Ik1tV{ThMaPL?(o)t!Fv%-9RZ@U6vhWlumk+8k`g`)G_p-dO^ zXjgjo9N*o<0gkB$0lt!&IZ6I2!LlCks$E`RYd=P3r-N7lQ#xV_sz-Wf+ogt;{DLj! zi#tTwlCs6|`td>yxhw3Nv=r!t>WkyUWRAU{K|<;uF=O2-9y>2_>l5ieeRD|`Ja>M2 zn_Ic@6oledt{*>OnV7$M6nP^xHn0CF$?`W``pX@8HA{5MKy%|Sq&=l_iq8cWLyStkN^ccG%R>^IQX|NlM( zaHA>x-#+CxarB2irTDq}@3K^{snTW5?nJ^KmOZH)!R_&KJQ;bKx5gY{a*Qe44Ef_j zt@}#Zz*pksncc{TK0XWGUQ49pn7Oc+CHyv$smF{N@VzOLBw?iRRnd0zaFon%pCDuf zEjye=U@3DyY3(r!ZfYFt0CLpKX%-vzQEAW)NU+;tZysNTn+)K6oJZ64eoDG}faZEO z^+FG8c$F?R6kqQhL7=Xr4S#&rkPr!ZmMe^}$S7;#3QfWwe|qb|vTx54Qpz0@P;Y}G zH}dM73nl{RMHkn4iXorV_6O!s!;@Iq-+C99-z^n-C9Wyf5-aA-Equx@xIJ!HcspRRqsb(*Q zMX(`$XSmz`@G(kFBTXs8VtA!YRY>TjCEn9$Q`IK976~&B^X7yWbS=6#>4USJRoWzUue z2@Rm;JOM}ynH7yo`KrQm!LEppT6~gw%oF|1o${qdDUZnkTH5*f0FwE|cBig+C3J+vIY==IK}ePp*{qH3vQty0trwm{2*C9d&NNWvTN)vIviv;=$$#&?Oz=3_M!c!^ z5$92oG+{!o`hEE|^F`E$Xd2p^?4T))YMq)H`7NlXezl_f#%-$gU6sTLIe>`}<9997 zD{r=2>sEj4?|&;K9Io6t?`6n!5&lrBA|iI$)Im&kmm#O5<>O5Es`x3Yh=lB&;RUzo z7VjytaH;fjWhPdkHv>$9#9s41x$9g7nq3e!0WRy8Wb5(ADv1ST@n(l*!N(}B3_7Zc zaaI~}M&}A)pM?cIp1$q=_6co!4S%eTP{aP2mw#o6V4NvnOU*^oQ;)6BZ87qRZAYg8JxB*ms{ zZ;pIk7i0Mm@P?wz|D%|7C1E{i#+UU4regQ;ZS}B#8>Hav-srDK-c4@=xE|8>pJj3Y zH%Nlt``TZt_}i-di+WhV4de$>db>9QVI|-@)6Izg!W;o^K!&$Pgl3LFQNcH1@Tkz; z5d>xgE`{cfKvBUtR|qMz(wE=k?QZV<;8JMzh!X%oDM3h~l)eBUASG}mG=BsN3VsX- zA%)gH?e{dGe|@RY3=$|Rct^VyJ{}(LM z4L<2_iv$2QY58M|wDdcbaXp^Po09AfKf;ZcrsC!8I?EU0N&MMe-D>m_M?SMVEvb>G z%8lZ?d83?PG!_?wQ9&e}eoo=1Q7qqYc4??0QIFMe#qmTRDu!g~bLk7?j0C@c6B*CR zHCD`2r1R(G70J27#iSO~O0o-lO;0BlLl%8^=)9Bmm-+af%ihl+?U#-Wj|&m;)O)H! zsq)_hp+15Y7wQL=+*_@$WDn%Y|r9|Ypfs}W!O=*Cg84{c~3ME4tY}5 zJQK5!{!=#6xd~2$LqJR}Qb#JSl)=k%!tZJrev3}-rF*?;4Ow<1g8i?4o<6a@XwatF z!K1ztG+%&o54HYH51txFuTOm;;R@A#Y17j}Pbn(!%|w)33Z=gn>pT z7x;F)|H9b}GoW&El!-r-O#{Ego>`d3+p>>-d2es=owvKkV6%(z^QcHPYtDQp&U;uG zReVpRC07Uy!solgauQn1qyi#iSC_)*&A#JeU13B~(;w>%k^}A0J$gGuel_qP1)Vi}4IkT(I=7!V@4nm$5USfhz3jC+Z=E{h_v>xh z6ha$)kp9%uhrQTN@)~{gWh@& zRGEa6Vf;|hnYJ85Rpj{?zu_=;{&X=+^(|XEpSKxJWmCCpV*FrycRJ^IJlR?d&1~@? zU*eOuc_C=8+3<0mk9M)sq)q++XTg3|`640ler&J<1$&K<$A^}> zCey9}pLN>jFB;I|?mpS6v-Cz83}Og!__Z@a|+^%PBpU zo~S;XMhU)t^wgsjXBip79{nCyf`$(}`JFnGD5_&cQIq@8zb0+b?&eSYA_|)vyd@C@ zxWRlvF)?cgm6SH-Lqqw#{*B9`&^menw3Alk+-715YiTd3G z4Qy8iiwMnZfucg}%HUFHb;bY)$m-@Tg5KH<6cu7u28#+k7X<-Yfk)-w0PK?R2^IhXv;vm`dAM1)Ky_rdM1`=kVAl%d0v#rSl8LuSA^bPElpWN2 z1(Y+rMGE2Zz@$)H?*kx6EAVTD+Ik-VL0W-Jp|#!z+#tgL7tGd;)Y;!=iv#rj@P}rr z`nj$RC?Dm0_8zMtNJDJ!sI}-JU1aW)NSexLbDjjV9g)m5BM%>!P)!X4dY+L;^oQci z6k43U{(R`#w6?InN3}c8H_dC)Oj4_p%D(meL%cHI8c~olZ$}C*>Hfn#pb0Tw`fNN4 zwpFaW%7)VX6Ng%{X6p;X^586W1#z<%DEl!R7rCpBuqo7A9uETgzhcb`0{k;VR3aHG z$%9eE7g*QMiWlonswIT!cd>f2Y=xvqPg7=^PPXnki@s}hVSC{y05H!FNRt_}x zG}X7jl0?{T3zp5Tr?vx3yGjysC6?Gw6XoWA}^KPcMJ?8^V&ffhTZHw;R@7r=mQZ6svi}B`BU2V#G zY9FhdSm>l4(yqP^@-V*SX$h^`7p@;Bs9c^L%%U2%R(39|yNe1Oh+kd_qAT|hQ92wR zWqJl2KJxR(t@#+1j1M-4|asEQ|*sdi=Hwt>@kRg z3eTl|%cd3xNtGVTHh(m||LS3Sg;<+9%4>v~-c%>Lm!#XM&RFQ2vTTKB(>{g`uzf|L zY)vbBA>+-6y#oC%hm&b~_hTsflVMLqf@XUcO+DDZXrApx%wlRHSO?_^CPSu4Gb33+OA(s<1f|OQ52GD1UgU)Gj$>zfv2xaZo zZ2SzQlQl5%v`^xz{4^V{Hq5sUmA1b1l1nTQxJTbNK8o*GYL>dJezT#k4+sxYi76b? zGmWhX8WVqTGB${{VV1kiq#@b)(y~N(UX?+*%V_oop4|Jv`>*DiM01Ltep}mGzei|e zwb&mkT00kpd%W!K5VhgP5l%M9faqC)^m=wcGUkCFTTynef<54}BCjv`RYHDHzw%O?%@-(Z%$ngtch8(eZ(% zSx*#PJk1w&<-4)|6Gr#nL>jLfEBspUpJr$XOId6B07GpvxXt+pyIe&>Y;|(mJB4ZU zVC36Io(#F@$)GU$53;PK(-vWsZhl>rtqpZ`uNXnSleylJx+}K(T5Otr2PeZXlL230 z1QVt(b}XgjL2q_;(^gO01ojY#)T zp8d?z6mWhL3u1afC~puJPKtN*!zk>RKVoL!b)GXOj8AlUzo2VG$9E_bx%$xU6wziE z@uSf-JEYou3FEc6*BNG&q@LXYYxx6pa-^^E*;StD@&P}*kxx9Z=e*sH^;9oO#$PAj zef3Z`oRxo6t5}Y|IjExoNxiISMj&o`&U`H z8${2wKzg@UF<-_k-300G}YNI}Dwxj<&;7T@*HRMr2Bk71PrVP<~;Zc5~W zf}mq_dmDpiMvml~9**bz#d^@NHU?N1es6vuK;{ZR_D>Ki1l{vN+M|e_A(}qS3k2Ii1W;B za<-!Ym)r&17>(bKd_4KS?Z}ZBF7Rey>tuKL#g{v~Escq(VXQ2Yv|}^M5n)1aN*JDU zDeNA9mpfu+oaW6W77li%>}jhxq78`{{{BXEH7j!Fxx9@537PPBJcIj}Z2NW%pE8u3 z^P0l@&*f+0cUdtzvXzeA_7zto`%+1oe>ws=ZI+4+)2Lr3#hd$TtkEKVju^)5jzEIN z`K*RkJ4J~T_~tVXySp@^91Y#Q4)eShsJfc$=vc?prf}GCskKcjc$6@Om@w`M+}OKPM5cwt8o371s`e=%gKmD-Ln)DLFrK> zh!!LeWs~+^+K-e&4|&hai7chp~b1l}eCnGO!)<@kavkg#lCsL6wyu#^hL z7x945lSX7dtb`)5j6Vgf8LLOKa_3klLX!=qLG#-cX~`$mQ{tj}hW(=|mckF)!RDyX zrFczioMo$L#o!6=QyRkGts#_Ej<1i4i^~7lftHt(o0pUHlFd;3aCGny)`LaUR}2va zv6J>0vY$x~BO5nW)yxz}n3cPVjm%W7?~7J`$kVk_` zL9Ybvs372&X#!iiuzA!Ei7f1=e#_&76MTJ(KGlJ&O^L0J521j8VkVYwX(6?5;MUATf8WzzNH zI}_svxmN39DO8Og7mc~`okHRno@QkujY=MBQ3hRY=uL@4EnhrH3!pfXU_~2d7Yjqw zc6--X^SoBE3jcXSYWDIAcr}S*kx+eDDx|NCS;IT)!G3kW6XrG6vo+BSzK_dfo)kH2V-mH7q|lHq!TF{UGykTK}&Q!{i|W z5|jnUp8-Z&MscN?^66>!jbh?zJcIEWnAg_Vo)A?uKhzXFju7Ubc{YT#5!9E4^kLJ{ zdtKo}GWqU$59UXnRj+BI)?{>nPviloRhZJ}<{w{`y}nbM%0iGA-`r*l#3|DXEP70( zqsg7nW_-ALf9PUlb7h|{&C}iGS*$eKYoF%rZ5e;zlt9mH25gEBamSOAYW6L7)rABO z+o(&m;XSV85uf##z|@j7t}=e1d*sj3FFWfvBY3-NTB1b{;rCattZ8U#M;eNLncg*R zphncM(V#7;@~&{G6E!OtRN<@5q`Zj#c|PBye0JxuBDg=#L#uP$f>!1iBD{**!EMIm z23HNmm|Q=+!Hmf@%KaZ269}praJ`B@F(wdL^-U=>V*-IxL&%^S69}XlTngQoK#Vqo zkU}*kH!!4YJ9Og~fihUoTJ8a^!MPhI3``2Ounk--9!0(dxBI6;-#w@4u}Sm07ny*Vf7)4xRu zk--9!vh%Wol3%x7>x~Ww|1T!&4}I4SO!05u#r8iaZcPEC9@h0eM^IWjCwiXx zWOjk8(0M<}I(kB&N=3pi`5kp6oS75f!Y?laH2Q3+DH_j;URSSU0n#$g%CeK1y3}xCEJ63KfuB(5!v#?V!eoKP^ zwI+5YgT|K8?$H8oLD}l52afq z*~qfyi$ty-Hwp&?dZZP0X|b9Q?!VV%jH4P)%wQOLL3(e)Jkn9x+di+%&ow9Mh==Z^ zE~G+3OW7`0J%^?(*Elsd)TjvcBvamsN2De1Cuz~Ln3D3H&=f&<%`omZ6a2N6oEd@a znauI~r(1sNq35%Xq+R8*#&{3b)2s5{`bLsuWJ(?gY3tWz#H=&C49P{U`T16Hv$p9& zrlE10O4LpMqZo=nBZqh`yQ`%@&PG9c!qxUd<;sG7EDphC*FWBH; zWk<7p#Nd8W@KS1haWtuuf>W8@+iEb`mN1Q-zMS@nNy-yOwvVmv?L;2&-`iMv5{kWT zNnD$XLUZZjRN(X)QRYhPqNr%zSf7&*L&5us`03!D*JIE743DzEO-2RJ;vN5*DVZBz zNvscx77+Q8Od|9NF;*2rH(PzZPXSNl9vRUKb)lZJVU_9!=q*X%_i(a?rV;@OIN9?j ze9s<6?bPq!H}pjW?`y`0y3iQnBh7P>%nQeWd~-PMoY-J247J|#!^P9K8p{l=hdt{- zbYh4SuPSP|q|C}6ZAb37NxLqR+Rxd+ILCiF>so2M^ZNU}5x#C`d1*Cay^CYlpYdrA zg0jZW24(GC=t?&ya3r4Gjb$$A!aVw^UU+w{OHeE(O_AV)$n){Db^6Ya zGBRYzGBW%9UhlaNL-~?2iiZeMC&lv>0@zAW_GUH%cvFy1rpAlH>$79h{fUmkoa)VY z68XE{=sBOyMQYN#pK1YI7Bq5V5oBoFm`FZTdzb;V(zG}bpvu3%PW9E3R_j=bdh!*3 zD4#Lq=`T8-6)cuh%fZLsdDrW!DK^?wTf)4UGb3@^$NaN2)A5t>SJ=evoyos?`1p~7 zrlSi85nn`(Mk`&YIkOH9>y-e@&)KyQ#?IBA(Nf_fuscvKXa8F8DF zxB*i`aT3>$BQPg%&2RsKlK@=T{M=~X3xGhW0oSYe6DI+IQs0z9a}p33HG~YRlYp$_ zxv^LPIjAm+g%iXsL+&_`g-2jgcAnqZ&uu%-4LtsTzT^DgH+|4+KPTw5|M!mj$FKd@ zMAYA2dVv@Sz7e|QfSkhH(0(G-aU%ecDXOe9+im$_V(o)OH zuT`D(oh5`HTmn&h6fvM^3@ss4Hmt(7jn68hAbOG=^$xIqc-mkcGPFYFWRy6lptx5xEt8@12 zxy>&ZUU{&z@yNpxm`9yX&WCOVsfBZ^RBp5hCwNS9lTEme6JgXKwS+}_r=wTT<06%Y zMmrYr%~WPEeX#BHh|Vz?}=$z1et^ z6tC+VS%y5INsCf_VDZHlt6|T$J6STgoW3j$eg-`FaStZC+ENq_%h`@F6(YU7x?Rkh zrXNwYPGL7Y$Z7ttaEMGX#i;E;N04!NM1?`ST2ODSVc$EYwpKW&$kx(AjMiCe8GuOEW`{ zE|lpFlJ3QYCFc42(aX$oElq4$GtXSNW=d1qPgRX7qV(bVO5E+)RVlt4`^nJ*h7B`O z*yz*INNJhtgz&=^Niu00MU*|xlp>?jFeF&7aid~J*$m2;zs`-2I~~?>6Y65Lki5$D zYRy$6u$NhXcKJCfuBfCF>qBjenZKBVociIZhZa(wD7_xRkkq(nH?rN0tD8{Cc`rDI9N{Lp zB>r~7K1qPKvab{)6(%z~;TOI>z>SI391$)ys9-W*xkxjQ-W(ANt1bDRrmd3MM@=33 z!-p59VwPQKa*P5-+WgDBlyh|<(FITV zac0#m&P!bYJI%^wtY1jrUw)5yRI)mg-V8s-A=d$KD#am3*Sa{I1c=DbB^j&a_&{SS z)j!m;X>*?M)0hhw<9Z?0plhC?CFWdbK)je{MIt}-Oc2JEV3$+@VA~m)m z{vk@jUPpw0Gqp^H<4>Z!H={VJr~=s+&h9Ez^l^*7;G2ny@NV13ZVXd} zvXA{mdZM!a1BC`$H=Xzo_puvYAg*7${sODXS)Z$Gkc0LdZcc7cx3Jq@fgmVqzzr$1 zeGG!2hLAzs#~>(ba4GaRVhD;FLJIYb7=oe(mqJg~Lr~NZQm6&A5EM1I6naeu1Vs%Y zg<8`Afl-4?q1AM-bN$=f1ihvMg1`ok3gG3qmB0o?1#d0`A?4z^oxlb_z}pZ~&=-;C zmQg(HT>s`*10ZMT2KBK8@jbT~s(-%1|Ib~~|JVrKAin=LLTsSYnm;r`zt2DZtAaL5 zz(Fy4VqYqWvYtcU9`WfWUo*y<&s%qM6hwQqs|!s(il}l=AAyf|YaV{}n!Qw=9Ugyq zl;<+xhVMMYT7Se;jv9k6=&py5@#^LE$i9y9v+mYA3E$R!h&{seIUf#PMyon(tW-}5 z%QQNAw1D=L)a3Z;_1NZvAuUYpW~wzF9)s~;R=`gYV>}vN$@r29R9GJ9OD^vEn^Hj( zbldDt;m?0Jt_!D0W!25+?m0XorJg6;UpgszO&im`G*09w=xo|TAxp65hokT)xj2El z*LxTJbf6~9%_v5p3XmmUGYQ*=GiJ$8iPbkNDNm@R#7@#$2l@1-iEC=(lpB{mq{dSwDJ! zRy|P^j}wfzi1al_9JTycX!?MwKP{RCBBG&IWRGvT(IaNw;&vFt_jS$=J_DS=2KJvK zk8yZlDGGVKalNi8rxFe?R53okd_?k5t@5XR_nE*Rt6F7U%=dL-{3L86^N4%K= zm9~eCBhW9D7W`s@{_*{a_F0XK_ZfxW^b)7g2J&TUx53c)g;@iGBj=cDw9v=2&C>3J zpU)GxlWE5k0imO-6@KP^l=SU+vz5pfFh)*JR<;4$TqaiINNRDW#uy<*14>a*86-?T zB*9%{Be0dtNaE^ioiKQQyzTYLcbh`3JlB*5B|33dw6H1MR9^c})i#T)MNik-FAK0m zcsF&08l`aanjI0azV&n#`b?>Km6l)hlf7S}eeBU2RI$c$H_rNm?kvLvweW#Z>Sw_{ zTn$n%-kkAPbgewEc?r9Yf`<> zf1#4t*r~#@^(BvZkc=zqZ4Aq*X5_l zpt0TCaUPq|wm2#DFuyK-ideT4u|)SVeQd3Gk~wnP$SjG(i9$I~KEqw;+xKwm3f_Z# zed{*IbEA_56vy-T*uH-{p6lir|Dof#CanK{GrV>@*Q@xGH}@NWD5Ugu#{=4<{yALi zRvA>sbIq({s1S*Ku&7XxY6wCeJSa3|2y}xXDvZH`LT9QWFnRE((2yZeRERQRu&7Xx zAs_@N4;~dNG6aO6-65pV1{8xj;QXTy`~Sb;0p38z|290o#~S^y;n93LCyV7ZTv~P> zBOPSqe7Y@#3ahAr^7_K|iKc{Eg@0cC1iQf3R-v_Na<1~?gy+cguFZ?}yWHs}#^~)F zKFb9sg663@s3iVO<9U8xDA))H%o5Qgu;gE{eoe+uv%>dwu|v*io^^ckY5H`=T_8PN z>UZjghDEDkFFv_+vdW&{>4YP>Zs<r}ZXZ zPW0?UOVDdF_56X-N(%bC>Cc4FPjuc%fks3uswnlU_v|SP z$v0JjM1ibjt#KwPq^9|aZ47u-36%=@TAf^Ij%N&L*Qp_S-;!4&bHdw60C}D^F+)kh zCHU{?Gh|EL;Ry3YOc%>C02rWhw3|a)>zO1lRn8nfB<33W^SuBo?7aL=}*-ub^yeF@tT3@dz~&LZh-)n7q>& z<*!CZARCdP=C|^7=6&tv$-^JoEiy!akA;;5tIAG>yi3{aa@#atXqXeDb1iYbBqu&p zS$FVE#i=tCrk%J5t?u`6xT$qnXRlYZ7?HU~ORkEcFGmG(gLeW;Q;ArX=L~575lDr*q?k)^!?%m}d7)yby4axngH?#+;)fZd~U{=j#*VI4!9ZIVA~0daDTN z$GGDEdf=^=l2Cbz^#R^!t8u&a`Rh@3^Uwl#-2>!5vp&FU()yon;;&Wwf%O62fV+Qt zn48kutq-J1+33 z0BFe`AOvX*A%&9c0dPZ@OK>UFWY1qe*1vyn{|nyd1~K&C-UpNq{A2GkXAdHHJg3xb zkEotl5QOrRt|wIB4OEDg%REX%>n*2Od$#b9w^*q4ag;rJqM=;K7{1~wp9KLE%=>qh z_S>@-)i~Bp0>PTBMKc*{_kYTQxLK zm~%BZdZw`8&$O9E4_)vlGOO`8@H?J5xTk-Y5^iiYf!7B-w&s>Og-4O@_-Qi|^aRVv z%Mr#elhidS!&`)7VsWAA_=MyU(vPFS#DB5#tUg5)pc4#)$eFWc!p@vbvw4PLK(z(BhdmP3^q+R?zv~g?OxrQPDPn7TpoiJWs7<(qR zbpE%T+%D;fz;98W4-tM*n_-|K)p_QaQNOuYv^t9ZdBFi|AGJyIUU)QmQ{(Hlb=hsc z*E|Yem6rQ5bPdxTQ+UIrtnWqq&UZpov3sq&&)&GKt3Lq3ht z7e8hCqAtWHbQM&K;E7YK1T8xhi8_U11izdZ>7E7CFK^T2Xx0mg_NQgU8;Fa(lc~_h zP!VPiI5`Ru^sbT1?XaZ<98Q>if#*`>MmDuK0oJ-aqnB=fkdd2&%y3|8i1!L1?DdQ) zLLX1m!F}NpI)a+4HqF=mIVL$ylo?Nv_+P=bPV3Syc9kY0XqC975)0VPS|NG3dwy{^Fht3 zm1T#Zc|;-TL@cKp=3^!Ppx5l;S&)2V|Dfc^x#w%&k?CY*zxDew9P2pn%&*O*4Bjy( zeKw+-w_LkYEx_A!dr&BU%taQ>MLP_k&d@e;4TeZctcyp7e*4@jQ|BK8w1^ z_)f$aaFvPAMq%iaa&@9wCcI=qu^dV13PM;_o>-UvE)j; z^lJ!*$crfo-*i!l8JYZ~AA9ybfn#dG&&2rEsN4{*;9KzWxN&TC0L|E8igj5a?7LJ* z`JV31KH#NOW8x4fi^#e6^VIt61;Oh>1XVZd(T7diABFcr_jGM@w*qf7Qa8F;KrvE( zQ_ug%Apx%&X#9sp>Y5w<`?-GY60TSACr0Wo2>cp+y&RmJEL@;`9As1o{2D^a209J8ttt};fnS45fjn$1 zze(#`qJrnVAf(VhXwU$tfAiTu1)+fub1uQ7f>3D|?%M`N10e=oLP*)!S%9EgrCYA` z-+h_bx!73%pwsGGr2p>Q#0~_F)dtyqNa>9hJAdNd{!ymHDhcAs*st%_pVlk^Z{@Gq zK>y>9-J6xotTfiuQ0ak`ChAQ*@-(DW9hZWRND{zrDocw)Tt`p zQ(gF?;jN9FeK&Yd=5n=7zTyi5{1yFxt^K3+=9~-42FDdU3{499mHKeQ-Rv4iZG`yL zVUiC9uz~mB*h(b$Gz|`qK}472d12rL(MdLF9pQh-&GrG9WoGc5G6ii;4U9R zxt#3}HtH}17$xA9@ZD!ca*U%d(S&WMFoHW%)Iyg${MK}4G{vbFmk3XMf%tCyop>r7 zhhf_NXnM-ZFRPU@t=`xa!qds$hI;WYM_`Kvied<-DTrYlDgZi9V9YjjTIe6U)s~>Q z(DzPFRnRpcaQ;NU_lV5sjP=KfE@2lApY65*orZ6Gt}rhdX?4Q|+R(rVDGD6N<%0tl z6rJ$V_5KMuMKMW+b%KW*D&OxteH!?FY|-@5xw~LXLs6&HB_mfzjItKH8Bw)xz^gm2 zMv?;Cf_M{W8+gd%U)q3E;TuR7no4LrtaI{OIz-Zsur?I*Y?3RVgc{NxW0 z3xxX}Yta#i7EZ|9fJ?)T)q9gJU*D(45gmGOv#15Wkwsh(XiPhOh`2H#vbkWzsAiMm z#7jG~Iq~Z8*H3*RI=%Giqg4;|qa|)(NpF%1!Z5?x;U98a= zX%fM3Ssr6$TfVg^D{gUUg%M>Bt^N=fKPr?ay*k6%O2V{stjNjTOaF#z+y32}%J-Gw z8T)EC&-~}(6Dde!dmxt|+gjrx=k+OyN{;mHMY2a;aw|?VfgyM0g_|=lz1X-g-sng< zd)*s0>)rd?T+$z4z<)h|z|u{BiUHqJBMXGUfPpta)qhc21cbnVZ%U!LBnS)`LI%|( zL14h(Qs^!T0t1GSLUlcbj)5%~M1O<);H~!; z!Xtr6K}~U3*g=hKZuw{+JQBE+o1KOGw)$}3_4DEHH=+NbNBT382!wC_X62*MVXw*mT8>p)$I>@NU14n zbmt^oUtR2qN+=2_dLog*N8H4K#EMz<3_H`{eaLW#A1sH48*ZC;afpRe6v?Jx+1%Zv1yJB2Tt?5fz+Fp(I7bb4{-l~gd`<7lVtS&4pBwnrcY3ncjXF}Hl`YZ(- zJyMvxu_6(NgznoQWxY6X5`Kt^M?bu}t|!i_4@`|e6}-l;I`?va3+ ziJuTs9V&`16$XNHL(^Q8d!!H-%afV_9d~MkajyqXc3N_nPcYs~?F)W}tz79Fxf0!e zs#~}pk395<-OoHC+_juYm5WK)&w0_;3?r$@*K}~WExiOeM3L9ThnagOvhhx4H6w1Q z+=o)yM3i^UxX(ymy*aU?I)7~R#*!6|j{N(Fe7K*!{-MLU4qO;bGu>_)FzRnqYw3lh zR#Uk2nq?e*Iw!n+1lSxKJ5(=EC-P;DNWja&_}NTSGKkJ-%tbC914HD{X8M0+}Wm65HCgzSurtgIq?lT9d@S=l>&ujkx*^2t5! z;p_eT{`0xtbMHAl-tYH$-p~8>yq?#y#-?ZSl|^%poi?t?z#4XmQNgV}%!0}W+STb^ zfAYJ?=Ajb@4sIIZcq7AoY^@g7i&Ac^%U@Z$QeskRx1ltSi0eC>fln(Wue#Gtqv+yv2IGP!OM>%H8ndw7_;1R(KD}N z6`S>G>m6pf?C7dvr~zSfonNB2zm5&JHoa?hC0iyofOP<_rct&)F*bNM4N z;mHAudz`&%zIDH(+ma1S)>n`5>fsT6Gw9?xYyTrxuC|}j`MK9qCo{8Voh-_vJ0D;0 zvPDx@*UV1&yms7oOE>A*y3Lr>LAgD(@vSE~rth@%>ZCmKF!zw2vX9r3UtMjzC}>Rm z@_un0AI|P)GILq|%4YyZbt-;iSn1h|qw?Immhr`T+slCICg0-f54$pA--j)i-!0lU z-qNE$I}iG|TAYA7yTlv6VjcbuV4pd)1k} zy$*yI-X8RE!{Ye(F4xspY=9!vkfb)nDWzx37G5?Oxdt z%U=xj^xPSr($?F|@mB7>cHs*GB03I=s($lYIxO-XHa*0D=al1Ruip(^GQp>s^QL0) z8$CytlTJ>tJ6Qa7;;HbyTjq2qt9USGw)X4Sd*SYhv&SCTn-IOVSG&8tdTs7K!pZGH z^Cl~TFDCXpS9;Ugtm1d(&2JaV9{S6i*&?r;>r;Re@`c72;5txu0)St>ZEB*uv zGH8^U^VZ)*IR=d~4Q~5wlw;5+^VeH{ALSS{$~3t3w^2@xN+53Q&oM-(DgJGglcTmv z@Ydf(IXNm&g>L#e_watyj;8r=BXD93Vl;XQ%Gq zA^s5j+1#B^-M!jSW7pOG<|6|}mp>6-XT+T=>*O!il%G{yx_RC9SSP0?AD-<$aHE9v zJZa5F1Dj0hp0@N@Qr|`8vPyUa+zqNSa{02>rGj3yTx>nw+_i-3!zMxHkA*)8{J6?- zUzAO%)tTjoUS@5)ZhkFrPT3hZ1MJ;8WIhf$(R%*uuXE47G`E*Mt3RRfGRuTU9v`0_ zxL-fA=ISoA9+Z`Tb)k<3rLs+Q+b8WLO zCvR;KVrw$PE509--L|!k?@%(TY=wwT4~LkH8ZmI! zwN{foEqn&fDl)3%RfR)bT$3UhU31NCwyjr4LElYRkLN!8vRT7`Mp2y-f^L2-u(6%C zP|GqSU-mu|KU$L*z4h7{lbxpbwfN|eFqHh=UFPg>PDM@ChdJjjfh)%{>1at{l~KG zBQrP0?HhD@aQMPbJ^dPmpWJS-!Ods>{RWv136Db`SijcB4QtZB=-$z`wI6#|ospK+ zV6dl8Z1|iZ=hL<3Px`k!_BNvT<=I2mXq;Af=iTpIMKjNITg>7rst+ zvfE%WcgZ+e*2=Ii_iudv7@j;jV$SzEeokj599cU%?ZeX#Z~WtX?0mPh>9j|_g<34A z(tAMEw5Nx5Smv8_+~?j|$C0P1d~R~5$iq^Wl}=Rd(fjMDV^=qBXw-Cahm~cv&l+`Z zZQ)k$_6OOAt#a^faK2Et5n}`6Cp&9$hgpa0X>&Nmt3>o>g_F{;gm0OsXQSV~=~{Vx zo0UaY+?xIRjHhCM1Diy@4smPSI%REs`s8$gf45F$hwVvo*tuYPs}&|OZS&1*xaO39 z->}V1O7}e4>T$D~wU^jAeK~vRzu}5@suxXW&2MpW_U;c}3u2?5 zU9lgwWP8`v{$*o^_!UX)-|*Dn4f9*oo!NC`ost_WH7~lT{@$_|s&{)1-717BThQSnYj=Q#m&WCao@ z)hiJ7D8ixgw!I&APdBS#S*C1Q*n%GqGI#8MJAC2QX6|)OK77fu_xy`0KeTSKRU26h z=`+Xl+6v!CQYDmgOj*61w&GVVOax!LR>RIg(|VdqYIVpwhtLPUOlIm<54b z4IrdnMoETT8JJx{w;Di5zupRaB}fVj{8a-8>6crj5b)6=i!E@g0UG)1tq|~03YDPB zbCBWxU*a-F4(5AyT!xwb)3|JLJHPuXvniS1%h=!Yv9G56*0WEKoi|?QN$C{7cWvQj zaaUvG+NYm(diw7ANb6IxE!%AOdIqJ9qxTvt9WbTYun`wDUlm{8_YcS_QS@!vEXDIj zepbu!Y?(`unWwt&hz8%sRez^x|1#aP`sYuB^ApCDxm|Qj4U$r_W~vrIZPt#GK2qDsi2 zjpj}JTiMt&&Z_-3&)ox~QZ3bIGv>x72ZwJw_+apZT_!PKOujq3DcZWwg_Pj^VO29P z`!$P8?X$W4!4H)pj@^&4NXfW=EtQ1{5o*8|78DjRKcuI19Y@RCbAj<}XToYtH4tjRcsph5f59<|cTC|` zHihZVa(M#FSFr8fMx6;;)-Ch!C_%|(+?-dZOT7LmSXvMP){$FIzM{KNJwrYA{$qTC$y&gojsk-X(%e>yl zzMmQ~B&f>#1*^JjeC%>={kY}UjmDo!OnWn|epId3edS*hHR>P3qdd2s>zrUQD*cfA zl{?zJy^6UMomQ^iE0X~m)rB*js3tahQZTgp*SwW?+e-q!0_yA6k*)GzjA@=a&I&&EGLkb?b3~2ENw_+`kUWdS6{WWa+^;VfuVoTlU1aAE`Y%{nO zM*s~91q5#WHEjF!R{TX^aO7OJE+QU&kb5PnG>OFTcBFwQp_Y%)W%dZ9e_N9D<(8_V$$}|H^nLiU#=2py(0EropH-*hadm0`cS^pzPp~<2GNaP?Az_y zx!I0h?GDY@GwW-~l)zf^Y6N`PyP@C0x=zt;54G^_w`=<4rYmJ9Zw3Y}KVTEyVfy^h z1+PT(UR|TW3@`t{cFu*z7Yk|e>Q&%Ox5>MET`OxF9$)C3TfqgbEIfO7uiiYl*Z4{k z%@4Y4F1TT6_|rLAn?1%|j$Lxks#sLq*{Sw#NBa+cUo2nK^KP=msq$|&H|o#$GA!w| z#&T_y=9zaL%jD_4Xd)(& z{pkE^;EnH#Mlaqy>(JMHKEp4+zJ0bzLi&W034T+1*6Q?aR^^Z9U%oE4;qdoi6|4F< z)q51SqN7HB=7}?!O8sySJd(AveCbZz553<$&9qxi)sFCPkRaXE;*zuDrr1(9=$Q}Bdhv3}kH$b`ax%B#rHhQ`x<#t}aQXwlgPEv%0THvEKL=4@59 zPkAi%EIzdPnQOzK!1lH0#ywaZ{Kf9jika2YCk`)J%WTpY`JO^=`fl8Er1<-1?+>mEWsP4sbKjOOT|z?gW!TJ= z1Se(AP3ll>N>Xb4$i}Nv{5HRjHrtVQe@@Dr=$GGjj$D!Iwy|8Z+ zyY5`D@8qsotCx%}eb{MGm(V=<{Z1T9uNyn4jDI0QxNrq67uTHDRNAGf8j z-Q2S4dS1D;-nO&3SF3t`mQN{IZA`rxl2tw5HF2?x-ZSlOc-W`{je1{eGj-{C?~Jjf zs+Y5QyKYsj#qXROJX^fk(XrvE1u>2r`fON`>@=joi$_ig@kMrSoiO}bjK%7AitP_w z3oG6Be6qUIVAIYm$(5H58sq3uLOMOpvR>a2L+j3S&vG3Y^T-8t1i&b)i<)s@$o?rr91CYJxvqQECjvCid_syvu9X4QsEH(eiN=VH+!}?ZzAD(advNg$# zzVu&~&}8%`-@Yy8zY8pQ{!81+hqs$%OO>eqJ_{%+BFS=GoZb(h^b=~6Ya=fYQWXUsZv z^rK`}=}n1N<&HaySp2k4so1dCEUz7>Hd*axmo;M9j(o)~d4{|@I;Z=c0-yG8PhQmL z?pUYWOT`t0{fr0w7xlRW}&Au;&zRGdf4fiT~cVh@_Xw|jO)>Jby$4AjZrU>HePZ* zoVIMvz-I5~rhD2vFz*(;piAV`&duK6PG7%te1~K9Gq28V^Lo_wS>I3AQthuX&~3N( zmWGG@qe{oSmJf5PQuAA1ZPcvkJIbu7b0qlM(Ha|`?+j|Srrpg-hg@bXY%jSr^4cl4 z=#0nBgB(s=i#_@J-NAhuN52_2`FW3mX00TB6vypzPZ+!G_SlJOJCp}Uq*~|u6u&p4 z?urppizijS7_NTty20V9RSq7pw91n=tY65!P66fozLy#j{kiJZ{S7+^IrAK#m^ScZIiEr`1Y7=AW!nbfqi&leyeG-Nj|nxevU}T$Y==!rRQ{pt&pj zIP0YK=yrYvb@>Ne(F2nBz|SC;UZC5#WC8bqe=-N=yX0&`qFX0C0Ige_+$u7)>lD~G zAZVzUg4 zDiyezY6~U)t5V=sO)c#0E$lj3*g5)j_Oq~SZecytV}KXV4)WU6H03|s72Tp`W0h12 zu{5j*rCe^S!JtTG=o<*w9d8ECS$}EPe-Yt-9W0!{aaJMKdKq2?9KLK-Sg$BeCr0C6 z+C?jk&2Y(ZI#Qx2St-%jk`kRv1$}$GSxTt}M>Xx=*_ERJ>0if7Yb!-gNugEQQn3#- z@z6OEcA;WkV|;nZ43<}p>ZX6R3;HrtCa-|3KEeJnEPjk3>{L+oj(O`0^zv~%Uuhnr+_T7R%!Hg6tL^R$iu(dg>?^ar9kdP0aqzg0PetgQ>Z2I z7JoZl%W-EKaLmH7v4Jy1u|Sp%pa{U zHMTPam`D1RIN$nM*XV5`l7v)(L4g8 zks^>#pvX{#_YmE{Fix0P>w^v|S1TrC)p*{v)OoqP7)NTgl9kvRs%$QvYgWWMl zvC_YdmJG>t3Bp#$oY+c`T7d9~Eg>j!jGIz!bi4%YV(9JR)lo|fdte{NiJ}R-g|HI^ z(VD*%msEc_kLQ@!oQDIG$BP4sKsuLwZ(P$g3P5Y{aj$bHIi7UFkDx-K>Dy#$7foww(Qi;ma;LG+`gfyb!zz%C9L3I*U*E$8($sKtj;00LEGi%Y;L zcFvyPgye*dBa+}ZAvw@-jd4^}z%F*qp0`UzC^Ygr*>({MZ5+K6u#26u&$f%uUTliI zT{1#@HAYcYL%VX6ivH{3lG-8_#hrhY2y&FbCxDc5=UNCz{oVS?QHT1kcFD0R(s>ry z4%kOo7obWw&tj7_juHxt7dvN9NEZo}DG_)n;qbM16-ikGnGR!Pr7>_2IjU#>b*xYz z0mNQLNG}Cma;zyJ_A)|xjR#%=cCmBxl=+cB(M3i`F9lu*cxWR6j)RTqZ^w(Bqepus z%om;gaptGM3*$y?0LJSg!EG2rMF9p01^1oU#>59zMe9T#2kyrs({G>Qw3g$z=rFfB{vSK3Yf*t)pKIq z1c(F5(SmYKt_ze_m)lR?v{#%mxYXxuoYsx@$5 z9G!uUU8GP>Zd6LpI3QJUCJ;vh!$Eux7i(4y_X92!F_-Js0(& zTU7l@CsIFdP4m(Y@Uk>BwR4@ZC46$-QR>Xy;lT>Dax;4}A}iA`&xp%Tbz|SWI^1>m zp|NkyW!5ex{xQMDU#4YEUo&*cirUWiZV&M-vNtZ)bi38Cm-D}>?Ct6Zkuu8FG?RvEENS4%mzAxHxTHn!LcLVmh)+^LFPx>qO7~vuyN$oPB)rUm z@dcL3KiQi_&u+1B`>HIP$ty}n-RP*{?Pm?fefW^C#qmOhSbD(eiqz`*%1YWjjIq8DWiDhrL zYpw+4I&@L_Y2K78^F89Ot)5zQ(B!aOE%HpB;+$mC`SneUy&Z3M>G5W|@6Bu8tD<&H zn5F99$GrX6qb?)1*;vIiQolNT_)EZGv^Mc7Ycsn|u0e0BN*!Z^UA*ot$y%}Pa^&g> zlA_OT1I|S5Jzly)qYB~j@gb!@KQ#MLO+ac)P?#9lsd>B6??xn5zJ z3&$6pX4ciAXXvIP;Wj>@1rwb@yrzvmGv&T#nJ=4e6#jm(U0Cm}>XjF+wQ@|e_#C(- zCj5rok^xp%P0Z##2%f#DRL~hOhf9mH1{8nY@ny|}zWY-W^L;q?WlZik^v2ucTR6CV z+m?rIUX-h0aj)Ho6zS1h`&~cRlSM4H42%eTUUN-}-YpiaJ=Agg*?6D&p{=Gb`V{Z( z5>fw2a>rE;jb2Z-=$rA({CkT74Jz1HO}81`ywJm;)%JXvxXt%Xg-ZJlSS6PX+hSpN zd(Nl0g{#V(b-be}`s~VzW2=Vy_L%*8`@1oUcTm8%Y1k~=?bWD5cg&wYcoeKp@m+jvZWgRuL-rS2P6dC>7 zt@-}6^sFvbw>i9@S0gRKp;E*0E?vrxmlwR^cYRjp6Bk@Z9MoEGn7l4e`+0LG=CW_T zr}gwydyksCD(qN(uutn#4U4H`A1CJW+4Ay6qpstvK3}XJvAtqom7otm4))Cx?gy5##&`O{9bq<8r>VcpLxTb`b_Up47N zMtElBWT%lGR;H9szULBus?@@9J*Q_Tn_VdoS~C5IcQ1>4mD*gL8yY;?cG29xh+-|fzUIB{`OZu};iB|(4cv1hd7Pa^*I4^{?bl>YdDD2VbJ6HFDc09YZ_s*<@E=H zYfq}&?rQN}s@kn@bhzwa`|2{gGt%#4zV4{lV$(MBo#Sl!^zE_b_0?mYDmF+N;JA5u z(&ZkOalz)r9-JPqs%DL$1BSP>o%|-gVUxOkW4>h-Y+v+Dckk$+W9u3wxBF1?%&JX~ z<#$I|)-r#TcyC45DZx&2N{mc(Z?-+xg40{KEJz$*t66UE3)QNf?ef6$TEP?Vjvojr zYg_o^gyYR!zZZDBd3Z4a+O!hE$Irb(cZPKaVbs*FnV)ZfmoJFUAVksrl9M(KkWY8* zPitWQOPl8YrVElCy6%qjfkG?p3dJ(q2k!aw6&c7~;jEx5x=kA&DB#CeO8s_;4|;~K zQr9SnzS2Kg$yIuCKh{5)a(epP^-o50&0pc4%vCSaT{sNre$2Jp;jZvc=IZ{qEBuqW zRyEue{>fay9Cw9(vaW~-Pew?id$O+7h_3KY<|=;ZF0O`$`@q}GGtL3_@VE0%<{9Tu z%GZB|Oq1?UaN6(m9G-EG1Qh=j|72vW^*`pH%rnkWQ>*`qXPkrI%U|JbMr5PA9q_CE z1OH@Bw3hxlPEz`>c$;~~IR;w)70)<_t^5`K$vop69BBS4-e$mZx+n9Db0yC>SMrQ= z5|hyV1~H}n1OH@B=8i1n8Rtr#ajry=rvEW-GtW3z@{DtwDD=PK8RyVY;ji$c!D*P$ zpWqqiN}h49atpk~|H3a z(#i8L18%aKkDLDuAmh{CD$3+y8S`mxWKD5`GGdlSVsP-~ybT+(NaPMh2o@?NZmG!w z*xWdXlY|5NfamG16=(A5ze*7U^}5{Bxl6NE?Qnh?Su2e`4Vp< zmKRa`;AwzE{q3?R55~wYyoG9bdhEf#p@^7_{2H7Uye%#Nznn*MsI2S)o`SufU_>qA z1fuq7v3+630S@(dK5cWXf95@uHY9Mk`)t8de5Jn4RG}2$)moCU*WEYz0 zkcKV50(eoR8!%2X&Q7Euq(;X}z%F*)p4u3bW&z?j5Zy6ea2sk$A#qTUv6QLMc+ob` zXuOmfP((q zZ^w(FyVp}%Q7y<7@bKG^g5Z9|-`d5_-%~-124!=om_$kv=|42A)F7%rog?bkjNz|B z^T^WQV|{@dj;c}cPLR$5g%m-Ug5Z9+F|T$%b7S$kK3XzhCiEA*(WNhFk1IXAX!ZpQ`*{`Xc%6^1(^2S~Cpi*`hu%eXim4jw}XRz7Lbs*Iibl?G%{9X86w zCQg)=4r4g%gV+Hs5%wJ%wo$V~)uTqnN+U2<41;+D&0J8*k=$VqxM@`VE+evsG5;Vm zTnt@2&Z^jzb)$sW4@X6!3V;O$=VfHHgsfuc<9S?=HfISHHR+KX@N9{J@|Tmy(8pu1 z(J_V)iemdG!l4xJB~FbX_8B=@D-F1hI*6aqn%4teAV*`(|E&0x;(#VGet;EN^DHBI zM8-JqOR?ur%td>TmWW`81trE0u!eRqRK%dxvTAsBDb+p#H%4_kfG*gD1DZr@?7%PJ zPgyEr5MaYGMRXnEWUxm|cq%qWjG2*TFJu?PSYARvlEQ*Y9|42o{6}tIiY**W!@snO zT_i6&YtEdnFnHGYO zFm$jJZ>97v9V$a94CtdFe#dg6LI7+;3J@Pj0tv@!5(zLikA@o~p2O;#K~h3gY_Gy{ zmm*_8m4+%L%T+)Cq>{fKFLth8LE;HO)UAWQ||!)$fI zJ0Ks7JSUYYke8sc4mdHKW@Q>9Tegr{?0h{m+HmHFS)jYCxpWKR@>~N$2r3wvL?PeB z(A6u!8i!8>c?MY(og5kYR4`pIdPYV|Dr6T!Uk@Lp;)*(O79*BBWzVSi1lc@=F_yd1 zpojvuuv=W<98hs6)qa77!?{$v0aWU%GBQ{~MzO(x4zfN8@4>I4f|vkaJb{z>i2}5;(7% zlPLrlM{5Mv6*7yVi^uB*olR~%sc|+_K;!`hFV*nq$T(&st4YK* zO=}702$_eog&eUKWv`9Og$j%oOYsYk9u$C=(eMPJpN^bCks#*Ms931VFmK0kMj4G2 zA}U&1a#XdGQSkTN%EF2>DitbZ6*~t{j+}gz97H#Xmi9zC%_3z+r)*=j_CjVcjN&m^ zT9_jT&kf)y?TX+(z)A%73M1YDHB|YGuJH94+KT-U2d0A~{55M~7qMDxpGVF^u7%cEKfEv7$iTf;>2~h?r73 zU>n0lgsfuc;prqn5}b12^VDUA7*Z<0B*+JoIN|TNLojL$mliu0Pl`cm?1yqN+{ivs zHll<&)!7?^MO2317AJ|$W@%BqF@(mD0wz8ZmKMsjCE!aT9fg#Xkz=cXSqv2~sN7fs z-VYAa+<)Qi5!)bZKvnj}KoKFc*v0TTJ^*_lRv?x-VIrVONhp~?Don;O5tX6W;z|kF zOd>%@6qm|~&q5oaJ}xElqES6nA+s3zct8)N;6Nqz*k?K90WP0ZRgJ2t3R%T4h$kQf zZxH3Exe$w%6lW%!sxd%BW#}HbE(46_5GcHyqp*;>!T}8Kg0xjhc^OqAzjs?gW-;{f z6l!57ghmxfZo(}13H)E2tc@zE3R%U_$5W_->)k{tJnqc zBo9yBm8C?~A~}7ULZU)ovo;pd2#pm(|E{-+_)y50>y5(c2f1`(LuKeku^fK_%Ot;` zt6CM;ZNLxz3#9y%U*Iz5x?)DVmT*|YS`6ryV(0Ad*RPWo8n0N`IX7=vFi)4ZSZ3#vbrU$`38WB4si>4~YI%Z%SSAnf}5t@bVwSM{WwX#pu2BNWHWUMZD& zZPD(Gt-Vi8@hQ2qd26!|iANvwiOsCEEXvY3Wb=xG1A^mUrp<{QT(CxvXOm__)p>R* zT$4K|U9oYkxM6a|g1wIpFZ87P`RkfRE2^&xRfMdoIeUkV>A0;$F0U!kR+^C6VD_b% zw_RtP-zYhB$;>)Es^zw$B|ezm{+8Es#Tn->PZKNNc$pTR+rl|4mr1Glua!4Dw@sQ; zpm$;&hb9j)ORz-_k%$!2LAUCKKG`v`dfknCFMECN>e#RK z^<#BEc2Ml?x#vSI^JO;+kI^p7m21_I)oU9bj8KFoR_YMb#?*R!jhmMyNlcnl$r$}M z_Fx%z*G}P`JvtX_HaNd~iGyvN%@ge3T`OTVa-w?IW-1dtzGF6H*m#Ar@YrAOZgAK;?S$j$Hhkql*w?Ov}wVtuHF1DytrUl z)wRZsnD4`vZ4G?Tn2a=q)h)#2im{RL0g2tLzm;*(JY%%rnh*VdGu z5^Ytp{pnRhW*4lL@}|f2(sA)cvr0LXt0z^iz3SPm*P3~CW+#u5wper~wR@$yC+{C0 z9X33=%+h05BA=(`S=jx^rfo%+x9TwW#+AobyPG|+qL1}JA}L#Ki+S3=(uYE zR_9-~d+guTsm9Lw*0bic&()*!*+wg0`?q&Lb;<2%;dyRbAN$A;cf5Tfa$fZb9up!a zZk%yHv~JNZErujJba~fkNZinAYWEd$K3s~_eu!v(%&EfD0xPrn?0Q_emR-lEW9v6P zKRD2~iTrTf4pXS2pW( z>qfN2+re9FU#&YvxqRg5Q~fV47`}VxvQv9sTng*6bDK-;TG5RsH~aR`CQUoqZq|xD zcBdDv+TA5z^%u^w8oclta`3{CWRKfAN$s)f6vvTT8VcBVv6*;U3JOEL*EMxn&~)b&t{9>o>6&z1kVqf zeW&W0!QD`i!FuT7BG_r*pj^&)iAQU2aaiRnNKV z=2IrUR#*QPx_3qHDTUr8Cr(*aK=om^L!QW1Z=zz`jyXQ*@Xki(8`PdNY-+7T%8paZ z-YoHISLo@M^QS5nAG|&w&hn_*wR4%V6BT7GmJVII^s(8iWtC-f>qzDD-}ib6hS zbEA((F1lZ=wMu(@y+vK8_GbA@9qsVI&!V1Qzc~~kGh7>3NAMB<&wu$&LwJB-0S=<@1|3>?uU=|3J$JvdxFMv#{24J69dzN z+U{LsGH7O%9xbbc4nA6PaHP43$M%PA%Uaqzs@ASe{OY%g+?~r++w7`b? z#=l)rwVG?|@UFLKXoD1&9roSKA9mP%(bdtXkA%0JFtLAp&y0w*-vJU| z;;of7>prchbh~8eac|Sa0sEg?Igfy>GEVIZY#+Sg!TtA9W_Nvd6+CnBnKj>ShLL|Wb@MqsT$_?sj*|9I{K5)`VF38LQ`_o_Ho=;cEK<+F4 zE}YWzSGY&hZzy=@enVR|_d)+;6|c>p0*t_YMd>a52mO=50p_phpRD4w8B|=qYdjDY z!u)UeC-d42NcHQ#LR77LvXp-^ug#zWYOeoEZ!;w#^;h^ObEI|pTf8;{s;Bk8;i%Bu zSNxNCZ3e1X(LD!Q4E+cG$-FiLl?>{>;b~N&8K|d${t9n1 zP)Ge0{>i*H0}9~zulOhP+6~NeMM+NT`J`v1i}Tzx0+BO~2V=Vcpi<(3w@aK*CSX?%CANRVMBD;LFk4YT zl(!{h7A+P=!=)EGAbu3-g788IqVy;sv*>kWWR|`lmuN`z*6{_o;yffFyXZ|~WEZas zK}atAjDEO8`964C49@!?=rA)27^R%*;R%$)9zZWAHAX}|5>N>vvI&Ym(DK>vVIA}vgL70`dE z%d80PN2)Q%M(N@|HlxLh+Hk3YpT3L47>x021g&D{>A^=t(g|r5j!FqUm#CA#yTtf4 zf@U%F^m>n~KpK{M-|9W8D3e9dEQXF=Uw{N}3SKpEW_`VuC}%{_E{2|7Zx_5hGM+yb zfH>gUXe(EtHBW&%qcxA5B1GUhCInQexdJ3K@cIKPgpghAJUw4`C&w~FelvR>MM(#O z^T^KAQ^6KDUi$n#6>M?iC7RziM8kDwPB!z11{+AeW~cY5w}k?y4AK0)K1{&e><%1wtS+-?Epz zXx3WLE{5KovMkty__Q^h&TxQ7ds5?BYk@dI#epYmRy|dp({Z2TElOKct`iJh@w7F> z(0`5VRV+m`u&lU-@FWz2_?L8cP(du7xE8dFowujfpIV$Rs8u8sJ3xjY9ewe{wV+w- zoV^U;DCHMPCx)VWSSbYxBbvDuG>e_D=gmR@2J3jM#531IYl~q_PlH7VelRph7u8eS9j=`W7zk86Oo}!{R}!Nj7|MgGI9#34BvLmEoMOS9 zq7abeMyU4<$~z&dX=H5)S;f%D<3*GMsKky*j{aKfR1WrV9?NQqT(y3}l@j~F8W^m!#>u6hiQ7cWGY8W8zaTqcH*Svcow zkd4YNM8`y`FkKk0T1e@QM3?U$S!uCp4_MgY2WNZbUk-oJOd;(NVTZAd^DqZ#A`>jWIrp>snnYa z=5bUrM!ZJPEQ6yWIw&$*_D}=U=u6QlGsOX@IGTy4rlbbET@{zDXEa`T9U-=motmOz z0~|BNGgAU)vDDE3&PE7Ab}c&Md#HrNOtD&YA-foQdqm1y$8aLdbL?x>aM3gZzcgBl zj@EGo%ZsIsh6-UIp2ugVNahBZ@r+l481+65+OL% zr_88Ny#{9w(Uh5xRqTKps@I}w)9jjb8Z{gj#dBs-gQ5efEoA2F^#xo%i_)or7@?s^ zQ92myhLgw+x=|oEMd?@4wxOzY>Qc|uCW%$03)#g|NCQV#qCW9u>7;2x!m;9I=`sUt z0Uf!F(bkCZA@vx(ES<}M!Yr|}bf6Um)5x_UVq_N1(@>)OPhC3n-w;8G7N!f@#n9E0 zU0hu{X}VKc5@(fIVY;AI3>`h?&$&dWt}>lOKPVw5TA2=P%y1SNdU^yjG>cT4PKXKV zY0!B6L2bHWoXU|T8Lck(E;*<`a-U0tgLog^_ zoi1n>J6}%$jRag!IfPkdoNgZpwThRgO9g;9j?l_#8UfD(Xr}sfIS9$)y$Bd>C zpdisms6rj8VO$(2p~_gX3U#3Q2HuO~LNl_9z%6WzMDWr8y-^@R3uhsoRu_PJSqf_) z-9wTURHCj0L{EVs027!gR-$fr#^!k9j7AHXl9t;1@HOf<+)`T|(QLoanr9f)L+Ar) zL|p2Civ!{E)u5b-X8R2*iAl1NS@cY<0SQliu3rJkcVY&KmZ(eBhG7@S=w~#E$c@pP zs898C0+G~ZM65<#Xbu_1^rZht?0#LMpP~pN&We_(3%CcC!Wu|>k_swcqfX>OlDiho z^b48A(8)u(Ndd2(U89ajUV+#~G}SL;7DJ>Sp^colg2)JIL6cPwmV-@1G}W&%gp|0d z6jlo!FW%2YKjHRB`im#}+0b3`b0ZQ`|7S5^Sizp4q z3^PC&a%TGu7PthZTlzFV@vsR@5>N9BSjEu6Q{Dhohx#lglLxE&?bhW8fX~` zng+DoaU{bUR{;B#Bcm>s=NFj19J&f5$)Kxa{R2q`UEwOf9>paY{!D~HjUt_&>xma( zAW91NKU2GwgS-R0{4MNSdV2(THTUZ0=jnwO%BI5u{JlJUOh?_i6Ln|!YL(fc)U0l= z3d#qBeR?D{-@mu#lAcfZ6pwt@GB~cUJgJH09!1u(x{+&M7g+l6)_nVMuczi8GhzQN z_ZLom2FcG|vK<|LBBA&Az_ImYHBvw9dcC^r4Y#x@>ndt*joR4oNw@s30zzsPthjrv z`OzmSP1i>+@LFg!Y(d!|xunVSeO0aNI*oql|72DBn3GTPw)t_T$V}%ceJ3xmJ7lta zP{q^}y~i9Gmbtfp^_;bnS|$$3-*rXJ8F!D2Y!h|q_0}a`^*gRlu-WQ1a7)!oAKUJK zmUVYW*T7+Sin>qqa%+F_$(xW`Roa$Zd~D6+Q}*Wv6zrNYxkS*y?=cTuAD=sMqJD?P zz5xZty2;$u`Ggj!J~U%f#V-}sxy0vpG;jFAF~twloK)f>!$o4=^^y?%j~o8&c?9Zy+P zt%cS3)|$upSDVJPanu&wWVYn|d?%A8eTL<6ZtOMLW{j0d-l6^4Ca-QRWEmvHcSTYhcWuokY%?-l9dq&2m%bs1Id>2{mN+FqCHL>A6H>{FA@ zd9UnUpYLGdJ`L-qdnQ(nx;kWfvAIP)UFzcEDcK;cz0E(@r)ecz9_OoT;TJl`tnA1M z3%y>fF5AD#jz;&#h1$I_edsd%TfOS#?>MBrzUA2cdzzKm;v=KVEtziJ&!JcMQytSb zY+n*Edw#9Ok|A?z9j`7~Jg%6Zmu5|`N(~eC*~ZjcKlE)@UQd^J=duH(O+Q(b^Q*ep zYJ%C-O65-vxY|>Btorh`)B6@|b?IQJr*qoS&{m)Gm`|HK%4%Ksd#z2<*^3n_O+8+_ zTk03v%3bsM6dSsv@Sw_*&V|cmrTa~jtUEUKQ0secUBZ^eMwBnrHTcS)uJ11&D4&(& zGG^xGQS&Ry9C!N+JA7z+t3hw-kB_@uX7hJd?)S4T>)mgwITHLmdR&#EDR12?4zJKH zE<|D7t@fZcGkfmx-0bSV>#+6tvOgMZw(K(YM7O~;-gj}IwJl;?*ecJ>N9)dv>D1P| zMRU&&rCwMDD*ety)@d?Od!bmB9wX+>Zd&Sj)5|yg3Yom_(R6(J_Di!SCr4Pvm_6G3 z>_lW#=8_j7{Y&RLH?q>@_&X}a>xaI3rmnoZyWaZD1MNdzJgt<+q(P5SH$CrMeI;$R zs$u#vt3$`zE@&H}Ufpw6qcN|>Dk`;lvard?9rbrE^O-()zA9gob%#FX?>jZWb3gM` zpEe<{)YU@DJU!6$(=^jnW_d@{KbmB_*KX3A+Mg{>&9HA;tLfy_XM;oI-ZX7i`eH!J zqZ*U@ENNV}*5T%D*4F72QLAaEQfm||++td|_4T-PE+i<{Y(i1Z>X@XHmv#qx3@i8I z+LL|BtyELDbv|gGujwA`o)fhuIOJ_BF}c%(z9TaGRBrlXZq%wF zADyg1-UPHb8_{I@CHGD5S`UA`JGkwU_2-v`SZ!K!GN$pfXI@{Pw)Py>clk7B*RZ~y zXC$Oft}(KqtNP>+*D{iEV`TT96mGLeJvlRD-KE=!EoxkJbXY!4n}67Z2C63OCj{UB zno`aFhs^%qzOVOhJ#pNUy1lpg-lT(H1IJl846iPKcj!xM)iJfU9<(}|y7I`Oq4l!P z=F0V?Uk(2!j_;%9EZcVES<35%Epm^jXi>Rg{uSeLr7gO5vyVphWm2hKX4{j43#IfN zIJNlmRf)>#JsMXmV(Vu+Gx2eQdQZGN=lf#&F=79KJ(E&>$FF`iZEdIP)4r*WI8It? zZ#J^s;X9)g_WS#{FL^p}*^2jRK5tKTyrA@n{+g70ZEA1#6q7@~M{k|W8oT67{udL! z57my1>=1STn$qg@o8qUUE#d@(57eAy0KX3i3m@pbdQRa3(p^XWwy9k^FV8_94t}F7 zdXSKh3el086Vi9~@b~f!K*AZEBkqSkg%7AjwXXIX=TiL#+Bc~7o0mdR@lpsRgR1)q z)z1141iI6Yxe`kXW!e7xpSIa+^( zx0#nhQ1embO4PFXC%^e@; z$y~(Fec;DgFNL5aS#jO%I#Ck*m{T>OAM;WpYA#~ruJAVV@1UB~_u{_dpUl65RPv*H zGXD;$c{vib{vFIA#Gre@b2=67^*6Qa6xcT)XsDNkUE4vvLrm=){QNz={5jVlakpz_ z*V?XG5BggY&|O`;`a$rEYO1lI`94T8@Z5mbh|^C6j$qusl#Nx?=Z-3AczFn_$si0+ zlzl2>7OfRlW}zD`mM)F~U~%Du2-cPy{zbG4l8{-n3fPz>10)HD%u`RP0jw6jNtAjj zGfdSnl&l~$je2wPJ&-ui51w0;d1@%RsN1Ai4Hi~7h|;{01_8M!Fc2r63YkSNhK*TV z)e*cjbwC13N(Y&W(@uq^klY;`qe$?SO2tG_gv?^+;RLCrf_Svi~YJX0h0rW&u z3Z5khX~c-8LQ_cR19nDHsZq8x3#_6J-=aKIwE+x|Dl~>>fvT_Th=C0nz5z3ebFCQ5 zRLCfH5j?qbj1$P4I=vX`P77gaUA=>`)<;5SG4$`)lQ}c=t&gZnF7>|@<(R4sLUF%p%uGNhfN3M59C}3mo7@8Ky#3v2*a$ z1sYsjj$(=vvyQHmjX27>7_ENE(Pu*PA^pmyofAa zJoR+IEP@lILcm3(%OsE^u0teb7egP9BMvQco?c2DBF=}R-H*_i@>l+!4wYpzjX1Yb zUrC-`O7Ef?eoVamk&s;s-8>Gg68KNP{SmRVw6xs7z%$zaNGdmc8(GRzaCU)Ds&9Zq zVU8Antf)ScOu#I5eqO33asiGNdU~l8?b_6&_ajO#HN+pNZws^i2dkVQ8hryKA|w(V zAxpLKk_KAeHM=^S-z`n>(pMqoAA!g?3r83ZJki+^DdZ__p zQkQ#S<0Pb5RT}vApJGx7Zh$6<@=JxB7ncfRWEa>o65_q;8KyER_C%OTXKZ7*h@e?4 zT|LgN6vy*sA&}4#5mwYL!zPL(2Fh;LBfud|Fnx0-85EKML5LDx1&52Fs|V{y$;GC+ zo>4Ml@FP+Yw@YBS80u7j*ap{*w@=?SO2$bLVZ6k;MhT4gmKoJ(siXg45EF zGZVE-XuMeZdXRDfZ17xR8ZS9u98s>Y;CL}~_H;rdZm_P+7WsJDABmL-4HrAyhNO_; zyLbw-jLM>LG!vyT3yu~;+=gTXh?c8w|0N@CAh^upb_op^!?+&jeE{Ft+-e!(dnqLr z#bwkC189aa6|@IZxgXE@MsSKf3Cm5?E}`*a=j^4B7ttVH&C9#de5#3yF4izj02XAZ zQbAiZ;#8jWO|Uqmx5VY$1kTtDMJi-~N2s56wz?ZZ0XPMTk-mkjVi(ktoFOUM@T6~U zLjrwAl=Q7OAnxl3FO2pdY7q?@2T%GYGu2okV%ly(Rx$MQ*rh3?=e6As<4{B|O8OSE zik*{}qDWZ_nvS0Ijk6ER*|egpZy}@Dxp;ErN^Hz}Z8t!K3aouG(zn{6l0eNhi(#{< z6sVr2v>nf`p)yx3(srWaZbD|U3+0IsPmp}Jwi~t1MMhYZT_a=`JLgW4X>wqKytEs& zS*7$jfzZZUX$x7!E|8~^1`7Cib`7;ZmJ!Eh6#c5Fi zpG6E)aa}h7M35svvayS+(1l7DHE$jgeeE-*JeVM$3`^5vAD(+Qrb>Bj2L|w99uK zqAiJ-$)Y?PA-h=WQqX*n-khFjLu?Hx>CIvJ8`pIca1$K&nvwg0UBtNNb=}A=;t+^( zZ3M@Q9crUMFen9T!*?8l>H_kLWG7Tdjmwi8x>b&u&T6~>;$qojn5ZcsOhFd(4`khh zW|5(@M@2Vfs`XqOQgtKNr?{${kXa0UJ@y_Ae5eATgPNElK%VJHCdRfATw4rXJrF=O zxb8gNhJt)G&S;`^8>zzZ1j|yG0$Yw2K9sA3hmR-ws9TyC;YQFbhOVAVSz~y3SvM>; zI;V-ZXc8JOhOVBfx`Ci(%euk!6SW1Ib&b*1?E+@8)TRJps->4vPq`r>Da3=Kj2od@ zq-(%aZb;h@UQC>GBWM>xM~_7>Cw(jGG^FRiAuA!?&q`<(+2J-M--aU) z$GYJpAmPfCC^8V2brZ6Sp{GZ@fc6~!k#)l{h;+Bac{heY3D;1T(egrAO5Fm8ccbKd z7RXb?rJ|QoqxtdNr0k&%2?pUXA0&AMkDreLYuW#>g&`r~sRb z=iNX#9TWr*Ns#;mgV)%23E0Kf*=ykzc;XFd#Q;?O1Ky2*SqyzWvQk*$q+JjnJy+suLNlE)16jMY6=Zq0PHEJBocBeXekrKF7PBAyb> zBQNZR@gkg8RM<_>E|!5kvauu+2xVPP*$to$s4aiOyfO6lT>U$v@xtzi3gB#t3+eNb z_^CL>MQD971aUBbYNFogDJ~?Vrsg#0psr@TKeNDivGev|e!>pQq63Y)YC@QfRl&wK~R z+*o$U_fm2n=Ss)R^{f^X_5I5Ni(yM6cKTPChw{aLdWiJK}qEWNk>=zH_^&3dSJ+P(dl(C6;gTfs$4 zt(}Jzy>@Wz{zF~T12f+gb}o7Cd#~L4GRB;af4Y8GUu~5!7b09U`xSrQd#=|DceBRk zCiNwEz78qW!CO&8d7^9M-e;9hHgr<_7+YdRkfvO8ftA-rdiO}kqw4-@#+`NLU&Ltr z0{#CS%f124))rs+GG#^V6o;!&5bqfZY{IM;7^()g(-w}ng}SYfMT zVNt2if}=rBhc8cy_}c*3N`7~wkA2f0H*&4G z_wGoGa%cO;IyoHiX|*o)W{TJ4Mva5|4IUe~JmGO!yJn;2m3eLI(SOrA7t71@K2(l; zZ&&+N;XRj{Js!Q(*H^Og>XpZhZ*@#eNj{*ks@E^p_wA}7Q*56VpW3~qwEC!ERf$1% zDcZ)9F5b6p-KutyrAl+#@^+V-1zNvd)2)Pi?mjKgtd=@A?3fnxu-MfMui-WWT|2vc zcrj##edG7uu5sV%+>bp|bACif?_=TSL1Pt?npW|dS#Vd0g0pQw)&FbvUqN+L+;{h=67pe-0GCe(#yrNMmSy?cklMfo$iHtnMT)W zRkuOJ?oOxASXiDu6Oq2A!D5wHwXfG5nn=p`8ko4USj#2(u1v~bt@Gn0ejD?a&R_NO zh4tT;jZ3)r<)XUc&WuH+C#81n6B;pTK#7YRb_b+3-e?jQzqQY+CV3LdK6kBAbL5=` zGaIf*P#){}s#Tlo&erbTEWN(C&!6_tG_u+0@w3yMU-|B-vcz%7?Up6Se&14VUCh@i zohx0wQu)Z>b>SPXg;{1u9^4G7(5R$+mw`c>Vm(tdLqkfhskmsv=-obD(w|>8D|pAT zNTa&>4TEUA#N!zZkL-7~Wtw%i^zx2cosJpXc`v8}Yz9MVV3 zk`zoIGB3VEdi6Wk`}#-Jda}-XL+mZTY0vLnwXU6HJ$t)%iDPw-?)Ocx?Xs-#)t+rC zpM5kohwF*v$t7|dVUu#bS>%AZuv+_$Y=k!MrGHv ztk-s7-b}~K%A|6`#+6*;6`cMyztt;~&I_0H?bQ0#d#kD|?`&^1GcwrXMo46;#C2}_ z*69^1Z9Vj&;!Khk=3uy?ad_U+XjuWhJx zCVXjV(WZ+!_j+9_y8NjGuRHR5o8!*itiQ@LyriptsM)Fb<}bH>JKVT#WV-jXDR~pC zNx$u=8FaW*$db0T?%zur`^|4?+wPZ7&1{^aEYxyf>7@k*eBA&1en#_WUw7Bs7X9+T z>+$<)4UNgl`#nSPVE)6@3Z5as+Y&pZJ@~fR#y)bDYnG+^jeOURe0}R!(5H>M(!E** zCyXsUf7xMKK*3pG2A>FWu{&Gm$2RZvQOi$#@0B&szHrauZyHaGJLw@HrbWoY&wW5x zOiQ;{mvOOAJ*Gj|dT4{8TrLV{??l-hiaUbZk#C@Q|1NVW> z1KbA+z_|~!&C&;6*Gj|dT2ax9{ww~;TmxS*u9b$@wW6eo{x|%Sd0i{&!>aoV!HNC@KZCrkm4?@~ z(g0Z0|Ax02hbR3N{>i+q6?MeXeZ}iqX*e-uvKi?D{a3urysnjo!yLKa@J|LgNB3i1 z*NSRj^jCPBd0i_FuWO~@b*(fyxjFn%Ue}69`}*7YC-b^i8YC`sU-7zD8eZ2*!)wc- z{W1R=el&P(ISsEZr@`5mdyZEB4(3q9(!HU4%=vHXAAI9`&}O-Ao>CO(kvf+sGfp6k z);SDDcA*jul?U0>II4uhaaNogCx8^{{1+p;&|ZXI85L+=AoPMQs~ay-7MkFA(eh(t z7mzOMH^+AuB_2D@*?&MoGemN9-kp(Mpv;mB{;Bc=WCztse?UVsU=vciMrPwh>j|Em zr=gJ;j|92tKcJxr*hOzNqwxZ=1bswK>4|7)GORZx>Yo3Ah9+PaIT$u}$&hb>HXTPp z!`kOcK~*$OIUU}hHt8nnb;;<w~obV-J7DH!G^)1+>dBPXzYia=8{{i7kz%GW) zo;ndxn^P*`#hHz?jksoNVtqV?Ru?;8FXOc8h)G3t8`v93OakYtKOlSw3>QWIY+gng zvU?Jo-FdUzQ`;jW1zJy&i4|s$`DQZpH-Cc3X)OC zwh-M*21=*`M{jYumylTu9X+_0pak(MOET)*M06ZcwwI7u4E;Rn%}AsCr^*tdX{4+~ z$zDQcG4%6DfZ~kEx9}tx6_R)t=Xwd5#n8=DO*n!Ep6f-kNHwA2TrVNJ82Wi)CBQ6w z3r`u560muTbG?MjV(8|n0~caap6i8HWytm z0ohB)E{2XCDn=an24pYl;VGjdH_70LlD(7$vc)apI53H?)L3Dn*{B6|tVBST*g`9T?pW8t*~It$Vgxee?^kW5e*g(QUR zV(9FtkRE=5Cwl?LfuEp&0^=rE8#x3C*~QS?>!mlc^^C~PB4;2@_7bv-p}QxR5Rvw> z^^8ChBJw2;ZN|x7LUu89_c~>lY<(WRvWvJrkC0gm-Mt=(<2h*LE(nPe=b#ztZt7A` zY}^;ZV6eL&Yk_SMJWx)dg#NEM*~@^Bqf3M_GD{D{Wece2fjChC6#<}xOUp4bi%3++ z_hl=n;M74(OmPmHfV1baglz1RQ9S}N96=$JfFmbE9)?s@#UxauLT0h__3)u!?CJYv za;}w_grdwiA+s2|dW;guTV!jf&^v%4doc|a!O>#q=@Ds3&{`u~L=?PI1p^z_S z=i^C4g0fNBGAe4qB%oIU^;xu4G7>@v*u{|m*mwsLA0Xh3?@~m3aZ;oDpR&aqCxMM! za)`odsih5;6jw_K#Z6@3MTJy^-b02O9Ej$DdLvnkb3RN2@CGe*N@9yCsUXepD@Rqs z5jNNiSGHXUB@`g0WZNYsr6M?9?7Tc@7nm;DS}HVNa9rYADgrJ75hN?er9dP|xpkoP z)TxN7gXBoIi080{rjebSR{;K2BhuoV6_L~hbqW;EVGG&C&d-xH2-Of~OR3=CL!A)C zbJ#-D$j;Mqk|m_ofP+3|f2g*RT5gEvu!Y8pp|^*dkf2V2&ta1kjTUx^=dcCrVyVGF z(G{XBl2V}@C}$VAZsIv?A-mWCI0~o@q5~Y4!zTVcK5J2N{qt!t|cCkb1p-Y1I z5gHs=S5zHG(meD42jGLbj9&HJzu{1ENwYhFa$uj?%|y6T;>L_55rl z6$Q?*QW`G6I562rj3YE$44pmVQDPcWYMt5^p&kwu^qNzQ4Jy?~mtlKl>aui<#ML)~t2k_YxM?d1lG;^c1J+ zaWGTjW-5UqPE`upi0@t9QyVVMnwP1;L1ikuB-Fx zk{HvY+K!<)SX5HycrB^28$d=Nl&6Y1Nf=X{r9)IMluvQDObaTkBuPOt^<*UV54E7K zr;Zy0KoAwwd1guU@kquaWn-?VW0@&gRbf4yXO=u4Ph#CJ@Sd!kj&{H(x}ahvY7fLQ zOQPlmju#jmEO92Cf`Gz+q@b{x&RO#K>!fYeh?a>b$*Sojn~h2a%%nblshswCqb1SF zW64u0kad;OW2qzUmX>0=g%pU1>L=+{#Bgb-;As+cq0u6?l2Fja-J;F3iFYW;Dg=M7 zNCB}XDWu-z3KoK}#?LcLqLZgd#7@mh{N%S>aeNh(_<1W{VkA%T0yYga`hge4i3bt9 z4oo<4h2Pym!^mA>h{~Bn0~lLa;Z)#9;zr@MAXF9B_jyLi^YJ>!VN1as{N` z2(Kk9r1Q*@=;MifhmBfQzM;WF5z{ZS1I;lQUMiBpr3+X(o z{{9-0@{LJyAPvelCXE612T4=D!2#f}J;$tk16PZ7W!H8eXI3a!6H@{xJt5mp8%X~REUo7N1tl79{T`w3%wM{qd zWV*MT26Y+s+Za}=XV%OM?0Q~sZ~Rd2S;)rYY2ci_FP48=opd~*Vw2(721hP<=e79m zo09|X?``t5erJv5*yjWFi`Uic(XFWB_qF8HQKg@cEmyWe@lKA%j~DZ?ZdLo?xEm{~ zth@8=X5MUh?jL)YQlNH*qR-A(b*pLhEc9E`;?~_fo-O~l_vzB~Lk8yB-TPUiESt`( zE>|pedM&HixCO_n_$1!6n&o&Z?)#$`r|M0b^Ys4GcTS6we&uc%)M!fkueGmz@~Dzy z@0@*WhAulctX~H2x7IZupQ<%?e3J584eiEH zkMA)0T)t(m-o(Euk`fTm?puz;rP+rDUAmdH)a~2#z|aZd-gy#Yg5L&By`6EC``OWs z4gPe>75pGDZ~PTQKv07dcMF$0Txwmr;a$?%pHAvm`fGNd&I=BuEX}!n!iHWI^IRAn zYrV{KZeD}&@X{IQoR8eMpOH_0viHl|56afgzAWS6m`62M{wUWys#uYh9$gyww9<^7 z9y={(^=~(;k6hXCbmWhBXZLh}biCfqwL51QsM`B`-Ne<$`V8(J43tgE0^{e znej)fa_8e3#NHbab9U|NcZaQuUue{zT%8Fk`svPnSlY5iu4bJ#%<8H;yurKN zp$Gm$FQnLwztC%N+YEhsM(oHIzunvU=&#)4U*BH)X4{Jj4L?qQVqY@mQc{M3^Cxe& zd$7^JQKw}APlBd8*F2h7YQn3;%Hv+tXjHR?%a;!43pplMKIq@NL)gi>k=qLnSli@c z=`E3aexCY1;nl6`m+M7p?ksBeG$^=ixa-S2(-s<+tqw`Na`#K}TKAc5Q%?K{PhUFI z(8sRLhAntGs9KS6KdS9n9OoO+{e6apHH&_(T<_1~wG+0S`)PaO;*(@+|8^@Xzd4v_ zweHuOOBJql$w>9x}%%ro3~V#H_bZXc?@ z=o%AKD|lgS_8rD*-@iopeRZq$;ga^pl>%E{&v|pM|NDwXo_~+H7``QPbdlu2S^u0q z)G4Ctr^SUIE;wbE(4~d8@XDzIrV&vNekbVm|eQgP3Oi5SI)#u zj?GJZF?KI9!Yo_mOqz=b@$w-W33$4rXN#y%7`<)OIB>~Gyja*3%?F->vrGj z$^H*>V)xjbAGYk!pE=!fUv1mB+>7_`7l#E@nKazJ(Hv>RigQkkEgEh2xzl*>Z>Yms}JazYs1D` zwWm%S^lWXPgpZwP_&h(GEv~|rtuN-rT*^~6{h9Ag#_npls>YLH4Vc z`y3m)`(wwZVUtz&0+UX? zfB$>kwf2W9|G0BDp!{%`+p!%6Zm%~ka@FXp?rk$vniYBROrA13XY}d0Yp?H`OAFmR zHo1Md@@3Ed+f#$B-rhJK7M8jGoe6I*Ilbzdt<|~WkGj3>S>%g#*@Ip$`W=-VXN5g= z8;0j;-mwT+eeW@coJJcduQ!QoOzInv3J7 z9@yyT-6PMajHCB#_)<=D?R3cX+nf3ozUX{QTfcMi{g{U1I~=v!7GJ{V^}xxS-=3Ri zyRAmq92I)5^4*_nWas49gPP`yf7E4M**4Qgd2G8IA81#-quZZfkEAHe9YmxZGUIU_^gI4PX~u{5^2`CXZP%tJ^J?> z+`Zr6K~&VIo#S6RI3{6^|49eO$W(8PD9x*49F$LOj$ehmx_Uve2HjzbHWaj|cNBBz zBTD`#-=TDiazUG}a>1UAB!GH{J((%m7@49CDczgC!xU{OX{O#`PX@I zo{W-;=?+u0G2&#Q-eEQ~MH?eiw4uhg>UY?anW7C*3e}I;lbNCol?F{8F-04~HK=!( z&8UZ|ci58^%pr{rQ?xMx=5P8AQ?xNE=rQ^ZQ?#KZnED;|WCa4Ge1|=mDcVp!KK0A& z$xPA4h~uE?Bc^CWjltDB?8!{g#;6o{=~pO4Rpo*`*_Az+DcTTH)bt#tXhRK#)I03S zN{xe_!xU|dOwoq)oYgP0Co@GGLU)=zLg_%gU{7X>Hb$msV`PdpMy6;(3~lp4qH@1JE}B?B$wj^n`XJ6r73~B+Ukr!NGK*`1qg8{k%0#o4BOW z0vn0Crm*g7)Zdx9rU)T}K%o2^xK537rP+nmMEZ-Ah%;c{)>4y80>OzfgO+wlRkT1R z4y-A&91nO1(5z1bW{@*pN}Mle9+|qI9u#LcxKgH8Cx++o?2_r~QT2hBVDLPJvJNjH zgy-?hqCi*9aFMnKwEarK%^LTHgazd0dT*SU} z$9aVz;Xo$F@BzRfLc($FlIZIZ{^_Z#&ID$_z9D2BB*g$={?9&@YnDV;4|a`)y7@7I z8E9j<(C`VNaJ*G7(b-c|5(2iU0y9)F#?e=dgyWed(btp04Adh~V`K_5=pLB{ARNam zsj3zfJpa|WOADm4f>shC&NS|pftQkak@GS_2|;a$1;h(dJQO`^py4INoN*!vMc7!5 zSrB9}4VMb;G7lGyLfX`tiF1cbo~t+8r8c56+XWp^2&tsvBzV&(&($-#SjQ)3mk_bU z9WQxty#~t($5#a#L>V&lTvON@LTnJ%E_uG*JYK+`xe(q=eI11;9Ijmwojq0k|1N3) zuS$4XAq+=n0Rc7TSLM8pB(~-PI5vafXi?dA!SO=~!{M1F(bp3|mJl1@M^FSoDg-Xb zx{5U|IHy@9`7CF+*y>`M7HoA10WZAOrR2gT*`>aX3|qq9#x!6{EH@z~H80sN=rkZ$ zHG2uMPJ_`hha*wdf~mNwI1Z-bDi%cGnI+NLBZWj_;%WyY4QUr6ry~*{;Jk}U4Molz zf^vhj8!5m8hK=F@>)IvM9^jcJ&(X7PPoPP`V-eyXXEP*pgsFO+1!mSLQPTol4`Bu> z28>D%Jfj;b3Br^(&n$T{y#bkLS2$9Z5jPNZ9f=ZQMx1AsJU@@d#n383rWxjuI<}4w zOf-pLjDvmipQA30SrTO}%xjAj>hLO=*On;7tFt`zD|JaZZz3Bl#=mBxCFEc8%#xS9 zF(~r3a0~2MamLBSyoPodLX(2 zZ^=@Y1|r`e8zD?t^30MK&oeL2GM3EC3t7%Qv*dYs0?9&47LZ0b3V`Wx;>R%&30{GI zxXxfXhw_4XwzQx{qBwiDv_$Djo>lUEyxA%oE!?Tqy1L*+SwWsv@?1Q52OL$h{r-{qu4uG66 zOKHg)n# z6t!ukwg{-Im>6prmMXA8NoG+o3KiJDn6acd2(v`YSl%ScbMks@%P0yf2riQ5B6hPL z8>EmK%d6cfT>>Qy7l46oNQ#)Lu^1*-g13mMv0S_4h4J+6Q5J-0P3w(FKOkNfa$~u6 zN%Zr8lu<&LIG9D_C}Bj%mxnp;-tKWvso)> zTsdYbeRcr*U|D&hsk;FGE6mEfb9{unP@WwyNT`*1PO=W`LKZ4-xMb>B0Om;|yWsW{ z2~Cf3zY9?qg-X+ImPuv>I4x-wvBq({0Kt=lB48GhNyPtzMrvx(PMkSZK-{v7!jS^# zMW!=N+*m>{3M&OXvn2X?Fo`vYY?#b6F^OF;7a|&}yX84w!M95qEO>c6HbEvcttS{4 zfF#251!RYT%2cn6VJh5!Oa3ZW@ZRXAm&DlzSDLFPA6A|x#;5 zX(sFXwTNtBbMoFNr{R+~WNYM>a?*QZsE;mU{NAchyocm{Ue3Wf*d4s$Gtxp8jv+Eu-HZGpJ7%N8@JZCaxpZz7TD^2 znFn>Mg^sWEu*-}b*_MY7#=|K59bx+jH z7Q88G;rph)qFY|f84{TPaIw)v$~Db(X@_Ix#IET)TesZ4?MZywm*vhs%swU4?1n8L z2LH6#HK4(&!Ja?YJwLtsrhnhqxr^&hJv6Ooi_leFd~&xabI@?cI=l8m$l>FI?b=_N zwsq#yQ7NMzU$?fpc`do3zQFm2PK&m5Sz4jS%Tvqt)F@hc>5OUB?nOjKUJhO3^w4Hj z%?qQ44Sj1}H1>c^px2PCGv)_0$WuNlF7UT_q|Bec{_Haz5Q_D(NT|Al;_5RoOdZP@z zO158huGN7dW?TNeVX6o=@b=G{b`R$$N zck44Gee~w6wI`qMbbQUyJ|!MLU3~51$|Gk#Ro9R8AGg_O^3jKtw%o8@Kf4GQ8$F^0iwy7RgOW3tOUggQmTDx8?-P|x?$>dfKlO{~?&3&&_%eGJ7muMe)_0?fNo10Z~ zj2Jc1-*7A4>Zpe{gIf2Padb$*QgKs;WLa_XR{wL^()XO}+$7(ZtQU5rZ&~qX-1tsW z8v<*^WD1<0_;yjjj?43neRAwe%>KFAhAuw%tKHcp#k6CFW!-aN#==(K`2xdV?Y%G} z&c9~YX`eQX%D2?Nb(?8*j&7=aBiFj@3-^_oZf95e*27;OBkEtRF|lxbxq}P44zF-I z|Bj=H=krIsN%`$QDbaQPriuER`mMJD&)N2FkvV+#yHgwAbz9-y@xuP6drD@RRrXZ! zGLJn8zl*==rX5=S-R+2#A7%_28<*@AIX1y>Mb&^OHLJG2KJxA0r`}KJY1T(;-pGowMI=>T+d4 zphmxG@jV8N3b1|~z0tV%;;$di=LWVaUVTx9z_p(K zw<0$Hb%8(wvTTl3M=5FHQntruL8ZJ5C zD7vfKmbcxHg?0;gcce#Mx|fw?NsN7!@5gF-s8o+yG<85wTEAP*~p=`V#Ti3h)=+PaYP3S%F)UY2;BVLX;6+Yf!Y>nDI-!8gTzVELxMW)`K zaw#GBV8J!Z2KPLm3!A#(%d3m-UGJRIE+q zjwQ-WySOr^Rp9eG6#_a`ihgr>u-(Rm4G(nqlfTBO^K-ZU%+u!algpNjTex=1_~l=W zTh;ylgK>*{lv~BU#@)O1?p&w;a63O2+@M;to6?i1S?7V^>!NsQVj*U)taKn8WamfJ z6*{{#C#H?^5V{~Mlsgo-C>InfC>K;oQ7%kBzp1$$E=;>3E+{Fk+@YOQxiCE$ zADNzv3)7QvVR|wyOi#uId$P*zb#+nMy|`dcR@uF{!=9|LY3O$$05SbiY>4Uwd$P*z zb#+nMy|`dDtL$FfVK$?eo9V|@b}v3+PsR~j{fIqTW%ojMkc|eyA=7shSSJ~#vU_pC zo~*KaafdxwW%uF^dop4@({ogIFS76K$tt@ScbLrp^Q&KGT(Bpr>|WeqHUj`_dXCEOb#+nMy|`dAsIq%;huN&M zdvS+7S!MU)4tui7?gfj1jkC(`#U1u!mEDUw?8z#-7kAi`Rdz4#uqPw^WwKdi_u`#m zqoJ~U{~6jTZ;hNtmC`d>tQR*l0M=pl!ykM37W=UoNluK=rT}cF$u+4-( zz$gpbj#w&kn>>mfvlu3pwfA5sJRwV$mmfhkO4@Ki%a%@NW|}UtT^e{&Ats48T=cTa z87`DxaSSp;l86k8^sX3^1kQv-aUXyRX=b7Aq5+V6RR8)(_Bwe0a^y<#L{)eJ4u8^1@MMTrqBc-T!XhfAKL*RtWFo_L7Z z*>H);!#um>IeJ8Xa0y_;5)c6gM|4h767?dOpvFQ=Mm^(7+J68lbHnkB;RF?86oOPC zPLOMtL_ZJRWIB*Cpr95dVp2>JlbU(sCDGGEyq{F7Sbq=dDoxtHLaZQnyd=7MND~9| zselD_3UY&}Kd@8CYPKMrVtvVT_7rD9e1yRTLC8WyNQ@TL@T`*O>PeNGUP3dgnOcM) z6CrNzVZp9Zb4QZiMnqi*>Iub&JQl@VlvNRf7C)d-=*AV#iP5+i!VsPtwt z6eAt{f!Gzp7`b*y^z;}WwA3-<80p|oGKWGOBiAm8o*rd>7o;E=kWmZIPbXy|kdbSb zL{E?L0;t7|WTf%ZL6}^KWaQc<&(muul0ZV8K^c`uf;u3Gpp0C*B>H;1j&67zNsW%M zjPyDpYn%osqvgS0rhtX&y%>~{d9O4;898=IboNLfQ40kIWu#oRJ0*K@;5O(|ODq}w z4GKchLY}ur9vqko(tQJ>9!YwdKX)WN$UcL6DiU4D{8*efl*)@-Z_gTisNP;EFu*lS zqPM5^l-RQwmQf2TIMQiCC?nS_iO!zd9iWhARu~|iH5`VBzN>Nl&loDMSu%aSY0K6C z@##*2W~MD$jIiXbEs3sP-GUgzl5Ig^h$YW1iLPGVf>@^ywgrhWmfTsC=;?{{P2fdp z&4mpTM@A5@#TZMTSrXMNC?jD&R*!)!DI)=9ix6bVHA|wSSNCg%vSj0?c3Z0&?9c9?sH6(TMtA6>ImXmKi4jKt{&Y*Q9B^9Yd5$s`~we<9Z4u~!vkz6piDU) z6{mfrtu%GVBbFd!fl$U1*3>!Z76l+G$0!5bx+{`NfE_3~UIWq+hzC&m7uD2xcFD`y z=&;7!6w)Fb1#+i4s`-Gc**nh{|A{A%fp65 zEeo?l>Xq&BeDjvP=h4GLt1a7{o#gi z)j;c=6!Q?aYEwOKaMryDIs9aEdm^wVixL~Xl}@@zKOzQ zIL|D3=^HkMq#KLu5_9vytTWH5zrTkd)2oz6F_~WFI5N*7i%btT(ciY||AkDy*l*bC zDj?JUvZ;2YT^Yv-)~Cu`?NubE-Jyu{FC)S{!-lp`zEu0o(r;fJCu}QJtjdl8iQ(;r z?fm)s$HLcE&HCA_+|kFe^P3e5XB1eSKd_U-zSe;r+d?DDba8&rc2CQyMR#0r-xHkw zoYl)N(N}Zb^0~8j?~86WF=azW^yqcs;h>Zcg9n_f8L>F&Rf7Aqm)21$w3BR`KI&DZ zXaAMCE8e+yVA_g4`c1z!)jprWW|6<`3)ih-iJOLgD^ad%zdxI-?%2=%SpL@)@7gyW zY-!;Twe0$#78SGh?LDDZmUX}Chm7m8E%z_iob7X^+u1nc+0dwQN7{9`kfTZO`H|`B zUKuwb)8@&yle@)lX!>+wbIpvmZJR}VMCCto`uBtVJ=z8=@Ls*K_t}FPYpxwRzMoZn zt6S6m)Xm*GUz4v#p6}{&y8E52JWA3pUsXy>lC#)NRN0!o7|)^Y3`H){`zSPWiHqE>3w!3pUc4Wb8 zlVYCLEdBjqU-$cWUbKIdt9HEG?RFP^YfTzI z?)~l~q2+rFAGoI7`G{Mir+b!&_);)%^SWgl57{=@;_X>*a(v&TM{Pc&H0!l+ZSJEj zY7D;7cAnu#{IrUv`_+A1vE+~F84qtRC@|1^bl=#(&|dEYdRntNw4QrZ9nyMllS@0?P%HIRL3aW;lE1uuU|{MXWcdDt)F6_ zUP)fkbadbRH@Dhvn)bMlrvC7L;XC7ff5nzud+zi71a0{nemCAF20b0>H|CFbv#u4+ z*mS-VbNR!G7w^*N{vPw*Yn}DUd9`x%@rw9ZeB_T-6DB{u*m7&{mp5vSC_1(Gq_asw z5*m*_lW>2}@>`EjciC0G;H;AsmT#GNZ;tn@*VkVqkG7vZwWier_bG+zUCvg&)1$BL zyvHSujCanEdBQ}Okk5lh^}l}7?|MhaGoByQcS`>8*5gH|2X$WNDU-Qrxf|6Mhvm=R zHfQ%SZ5~{G^leeaM=M^J?eJ!Mja|(@R+;hW?`Jz=1C);FQU1Y(; zPBwME=AF^%RgL}YPt^92i# z@Opy2U2wIp5%WX3mumYh>y75gy-WAsuzmQ@0*(c&&aGaO@H{9eHo9B<=0hGYtgj|t zh`9BpU+#!H^(tpxHLRX7!@P47G9UR7k)fmU=?#}*ckFH#FYW8y0Je045O zD`en+c+{eB})al11uJ6DW8aJTNQS1G;14&Q6iaCVs&(blVDPL|O}^(c@h zuW`4Hb?N19zGt>MQO2`MAyJ7i2~qTjPKVA`Y6>7Grya=PU1FIT%H+}cyp zufm~AKXjw^H1fK;cuP~iO%?Z^IUEzU>1F9m^K^IioE~=W$0Da5KCbV#_uBtmGrM)( zy(Q+{=(eZ*$wwRNo%LPX>!MHplB=A{?CBn~V8P>T9wWQ<_%UK|ju)9L{dAB296GYw zbL*lJ6^?p0t!86CbLzQ+ix%(y=3aHy$P>qWe`mRGUu`6ZOt0Z&0sl>=H@W|RlIf{P z2rBUZLZ-(iMW>kN;7O~^eQ}{Y4R=gkvFU=g9QqE9nCb=lDV2hck0`uXzC(F(<$`uj z<$^*+`()+l5#)KVlSo4Wr-#lEFTrLmk<}DEJyi!PhVfzJ^iose72|%Z!4rVHA7~ zqu^7TU;Peyvf5zVRl_Lw;Ayh&Fq;_#U&AQ)8b-lKvkdjiO1X|(z6cE zINwu~MXK^^K+!OprC`@ndl5NvjFhaBAPOrC2V-g8!m}np4kP!r^3Ngo8XB# zc$RjVLO4m&sO~<*c7w((bMs=d8_z6>ZeATOqLmp)$vL(zw0mwZo8#2+IL z9?aE?nLkF3UGmUL%-3rHg&+|Mw!Xv+8=hSfy}cSpu=0v|yu{@d&Ui_5_lWzbJs;u~ z1o!6V>1n90aLkhE?U`9nD|W|;5GPPzo)Lcu^{+Y8C{ZthHJisVQ&H(M+eN|y##AvR zmgA+I@+G+mbr&MOfzp)HbYv9M4U87@8m63sB(v0M1n`s69p=#@840&kM~h>Y#He01 z3pipbR5P=L5PIHV$*WfzfHxpvVT?aSN{7>XhEJiFw%dQyeZVyiYo=z&Xue-P&* zEcJIxxhgqpix7;I({lwg9V~Td(SuTqq>m6qZz;fI%A83uizuEbQnD^8LOe*ork{8q~gahnm zq?e}v=n)h`Ktc?l=XeN-S`j3>qXR_4jGxC@h+zHj{;8+Bcxy|ZpVt#qgjD=gwLEkV zM7kHaDYT^1rbYsHw~$#grRpUudAxa)VW$k74vMXMgAV=`@Hb+1rN#m0tu1*0y&eZe zQa)e+dZ5DrT*ssW&8yRl_kiba+bS9fe2D8BgPg1w-7aut{Tb62qFEJ z2x3!JP|^ev@)XGjHL zp+_m0N*XM{n89c>Yvkz>aZzSasFBArOQL^AGaEQkCXuHnm?urCko>?iOQL^=N|;V* zQ;W@+y4RAn8hnLVB9CX6L=O)ir6s982u{IOG1|3QA&+O4JP*&>s6i_UegZmJRK%cH zQOwD(T=WvTK;oy=%qkd5&H3GB(61Gaw3NToK}wk+6CixFQyUsD#>hK?aO{$ovtjFA3vL@CX!E*H11E!HmrQSuauf;2s$~N`&OipZ|1^{hICjZ% z_iP?n*?`Ss8p;M7yX3ih^E^Un6bEYNzS2O-;Fu-R-K$i}|ACZYX_rK$2rMN86F^KM z*+$166kRA;C6<~pa?Fw!(UVuD9@iS$yoovwuWA4kJ`L3j%X66mRg=35Y4kYqlNuxA zWr(X89J}Osd$#J))Dyc8yuKPuq@kR_u}h-2r|1T`2d18+$C=ECyqAzL!U?_F57^+Gv^QX%ou#OcW@==sb@#Dcw7En zp_QlSf1Pk_V#cpe+VyI<`24Qc8_VVVY2Ut5bB}3TKP~s#(LPbPYu(+lOY^PDmhKM% z1^d#!7q7|EZ1RS3+3xL|lk0MyY6iPZncPqH&X>GpdeMu!JKg>IJy%eRfIp|w`M3^# zyW)-SpeD7ejG5!UYru7@ACqmm&$0edA!}W`K2G7bA0`DqtLZZ1kwb>)^uPPBoH+FR ztHAA93zrI*_%80y_;Tr%jksp>eZ%wVA<-N2M_%p|)Nz+>=QWc%SSN;;oxFP0hH1YG z)%IRj;Csj8tLzdtw#u5(SZMO1O&gMDuTSTcal*V=Rwc>|cfR~1+aJf`qa6>=N$xQ_ z;#U3&2^R|NNuQH6Zrjcu>v3I%jom!*sw6GQ)@R>{e0p^!ERywbDgX5U|_})?^nFfa(!bd z=QEofHvJeGZRlL2U5Uk!IhWoTGwN9SU)%l5%&M_uQtdsvJ5_3*;%rsGrsCIE9l95> zw|Cmx!mIk00XuU3Jhh@p$j$w$I_`Q~-nQwlV+X5`dvyKhumi_C?OAzeU~G+a8plEL zO)KZ9SGVAtgp}agXMde^i7K37%!Su?8+mN|IO%Mz?mk{Kw0A-tl%DR|;>hffi*+un zJ-+zZg%_uSyDScM{}MS-`=v^?hp&9v?TZWwb_=neS*}WyQ`I%kMn1cBCSs2v!E2&- z^vyX>cYF%J7;>UYchAnt-~GwqFn(bEwh!JEo}7N+tTwM>$Id$D8`!_>*UM8k<=^nt zdEK{yo1fbj{JnH(t34Ns@0;n7um35{&$4xceFj{#J$ZJ}0|)z#BWk8AeIU5a&BcR$ z%vhCq(6{3|ejM$crCQf1gX%SWlPTra=N+0tHivc%7}aT;)8g*K>bG)z`Mh|wldqeN zZr$hpTNmemYmcY;ZaJ|iZ12hGbM6^?6)wHNXkR;TsYf|y%{ID>s+g|MsZrNX-StWA zw!rXU{?36>`+PHHs21X-8PvUE#{<>ot(iGG@#BtQr=qQ$uC;2IuhNk<>Hj!Bs8%?+ z!=&9MmyB9>{`8#d$LntTJ?i7k60hd}NI3i^PmjItnoQl{HQuhzqNcCXmHR!l?ty(Z zJ3mzo%VguG`ZrZJXQf! za_i=t&f99wzCx?o?wz>qeayUm!R5oxBFthJdFK1>`|x{pmR0uM`*}t0nOyP3)x-~VdI#Q|**bpitAUvvdQ|-B z=kM0-*q4Gk%0z4(8v3QI@1rJN--XO{>$m+%pWd(gPtFtFZFbdJOXgHfd=vHgW~I}b zlWQOE8aZO@!Su%?Yfl^UAfQM8*)NOftEL||F8I>0=u7jKx2o&lU&(o0Vsb;jxF-*O zk9iaJyZzf*S^aZg)$HA|x8jS9{mOkBd*#FS1{+E@ESD15VEu)biF2CShYro)G^UTH zvF)%Mn^y#9_w)^aad5qllWp!rP7D87ZMU5_fJ55RDkKTE6`6qL|0eC2HkN;qb|6}h z%|=YxLC~wvL;ltQ6U++QsEA^rXwE1X6rw2?bOKf`l;_iTXzy31Z(O??8&Stp@uaj1fq_8hdr4!CB!j8{YY&}=t_qR(*q$&q+YNmBP*xg zVKy^X5*jn8A2C)EmEKKXW~?OY9i-l2PiCwnje>=yKN;mX^*hXF#CggcEn_8V87m3M zH};YGWXKh>JF3lE#!5mv9`=#?WG!n93h8n6BL%MnGaxz1?yx5_RuUwT*+=SVP=4NI zA!8+J5z(9OFjf-uli3~iWTgyDzl*VwAil}I!=B7oNl>k3AF(GhRuakJnSK{zC7~x6 zyTe99NwU-LVyq-oVcB=slNl=sYP{-4N;Z&wim{TY@@@KEN`k4m-9HFIre*)nSM7i8 z)1^^FEujFawy*?z9KwTQpb#&NC7UH#rS>dhv?YRGf^sFKE%B_PsgYzAVta@Lo5eQq zGLcZK7$#&%r`ISwQ)QWjYC9-i)aFCUP~fDCDxZ)`#j}du2T4{b3XOm7s)@oa+>lUd z(~?$V^4yZlLOO>Ai;~a;BSeiz87z^`CeJE*q2*Xb64=0SC>SBqpVI1awuIkuRXWS0 zf)N6N@ZWS7WQOF~g{r6#zL9~1lrD(az=R+n4)R~3+>-_`B5ID<#Y{~#=|$9|^dVH) zc4awsL{d^-K>{ZsR0iw?amsIde zT)X7CdW8O9Gy+#;qUupW#w`sn6U3R8tBax~IirOpe#np`F{f%r;u_gQG0uc*mP}WV zhP!5*3CYu=OS%we!Zk{wp9e16i2aAKsl-y(8UP7ExGV&k@a&Q(_M~*P#o5kGY*f13 zLdZx!Y~-3H&(UisS&!2ex3o76^@kj6r!3D+)pj$R2Hun+1P;S$57$8kf5G~wDM zFPzu9lDawUQsqCjpxzLoL!|zR1E__EP!7wIJOn&~k={kd14Yfsh=Z+=2gD@N+vT-ib3hTzGbh*KiLkt(<*di{@H%8!(ab6U|g?M(!^z|tG)4V~` zQitO;9o0x0NDLR^*(J}{QwuCW#Lev(k9OT+8wjd>$DrdAH8-zX#48lYQNRkN_ zLzsA0$qVQS9N~@w27@qZ04;RKh9rhC@$8c5>Q%C(7T6r5+8NnW3}ND#B`>5$4iJPm zK!sFYS%M6arw}*GFC@%F1fAL}T84tAN|K~W#OS!ePcao4MLONv^oGq)vD;pJK-&&e}noGa`w;+VjYal#@C*DiTZ9(@>;Q<=G? z8M1^%kWGYSY)hCu6>DToqMlOn)Co&1vw&;{8ZU^cA~H75EO|~|PvI7-)@Cv`3K_1H zu?Idh)rMvqvm}aJ=;0XL;N@AJh4@rh`a&u;&nkJbJS8YeFOs^Mfj|g$9^4la5yCPH zZ^`dQ}VS0u24DN8ri{+W;GPq%n zM#Y_ZE@3?bW#oSc^CpymtZ4);6-OyEzgPzb3=%g&ez7HFoM5i9JQvYDsn*E|#_(b= zD-8r=?r=$T^f*at)G`YMOO$LX1rtJsF>ko!IeOAg(ISCl?#~6FJ@7BW{#@MAlIZAh zz9%}iTKl0%1*Az#Fy@&hQQd;Qi$u0`L#Snb7eyVqxOT~N^{n#&t7x#+2WhBiSo#P> z;8>22Fpn2_5=P2eGIpbgq>Av}!gndiCdqa|bH)YmDzjbU96iS_dA^>txcRR;baB_0 zyqF#gLY(=r-qmEd0W3#okBXDw+`kqAC>f6CQ+Cu#hFb3kv*BE`2l_^G^HDFHyyib@6=b9zY*&C4PG9ap_WH?D%Dry(l z!iC9joTe?jgaTlc<0T9z0qFpHHFIZ?hyyoOoDApMCEwfYRPHSE_Bv74nQNE4^bK)R zfvi;0&eUg(4j`^T1PRm5T)X5&_6DRT2|KHWVuI3V4TV{>Jr(y^$ApA z9KuFxT)X6Xd$V0sMF4`zY?ls6fz$+zxOU0&_AHtJ_!=rW zui)(^ZH+iKy1<1p<}5@J2_ht9&T>afuBSJ`EI?7I1DpYapy5o z73(o6TkhxWkv;5KN||jl9$nkn!tTwRH6?PTbLbqrEyvKL+a1R_1eLv>yUCNJ!r${P zo%OJK&z(vBF&VAjX0*#Ws%PzYZ}tRajq6hEl=Vcv!*wS{`v&*eSjRfY^@pRfy)2#3 zzd@x^cIR_=)m!IKCB$=a-3Qu;o?)G8-PoOF-uXg6KKlP*$6ji~Cf%8!@}GL$Mj>Yh4=uyn%Hc&D_9NgST$+e=u%vr$^=Q zCENSDjsIHU`TePh9UNXXZxY+^yIm>&oS*FXd1Wh+?%o3X@e{`%Z??GTuV~+?b6d2n zJo)Zc$Edh2FPhCQ)iTh3%gR!nT6WxCw#=y^ksTcGk3RG(N6%_Q9X;C2>+2Cy>d=~| z8N039R`8r{i@gg&bI)#)xs2DffET^CT-LP=5NKB38j#?!VBaI&qE=k==&v7IhWde%8h>#ccCH!ZpI+n!e= z&KI6j_F0SUxe9-8bZqbHW-aW$xD9vt>=ZV~f0z5Y_BRd={t@{pwCbUEH5*4Itcu=H zysTS0mv1RQ>zxd7shsuvks>4F`W^f}eDCSftveUDs@tOD&Zh;_|14l-*jK)thqh^K zci$R)H*~B~DR)G!s9V+ILmbX~eIDO`dt?R|t1RP}-k;d*gHv*`CEt%;{kS|jAmq=) zM8^>|E_|42<2n5Lsl{7I>?_qYHf#M)H@hqk4IB}CXqr{!P3Jl#W~zH-$R*z;b7vNs zn>{wrcHx0y1!o`aK0IGw(6~USgtrS*N_d3-Y!pAGm#*bdE1%e`mlqB^*=}#_i>rOI z>a=@HeXDKvMKdAx&4G%C7fl)Fb)`yhjNOfV!AY?XkJ&ZLyY5Vj);2pEt=Z&!WM9O< zj<=2$Z(1v8(YCu!%4|+q@U(NQQC0fuU(DIC>`vj7^|l-4ED!lH``z-UCo_1t23~w| z=TnpHZ|#GsfA4v%+DNZ1j#DDv#l&2X+V?VMR=-?%2F^(g(yq;OVaN&Fq3vQHET1xD zcS!q8&lcMIt=wF>=Y;wCm_LWA23-DixWLI8wf9fHI3qT)&cF>xU4J;)U2PtiBm2}1 z&Y3R_E%UmrZ}ZwO>h^73yZ8E9(b=-Unts23k6gW?+U4kbwr0-23&mYmZ{Ors;@p^O zEz4eZEShyg-yI)DJp8mVXWJaM=|2Q~4u5)PV}dUH@Tr5vt1g&bX>8{#9S_PpqrnSnC&Qm8D~)-jfH{+%jmc6*uY#!hFyH$#v8sh;EYR*gqb{Y~G5 zWv;b8T#jC1-E5f0jNqNKGySPpR{yJEe5DSV3eDRTJ@ih+^3Hvq_Q;d*=cs;h&R(#8@6OL9`exZub#V0<6@7UH1SyKE>ShW*AO&-Qo3VQr1 z#D3PIl2(TwVLp0E=gkJPGV{l|c|p@*O< zr0BFL7ZeyM7s~VLBQj9AL;H?$L1DadL2>_GHurO+U^Ev|2`>g~k;7h&`DRXrUXc ze#8j0T1KGNG6Jm@tOL`N8G#leRqPIXG9%Dx8G%;I2((&8pw%jPII@|w_0uYtFXav! z4Mw2VLd??iOBsO{SqRe|9V5`{7=f00uqj{GF#;_q1FCn_CzA@ZdPjY-juB{ej6jRT zhWZ_)3<<+@O5snrP{&!v2(&t-n52Bfp3DfeglIJVE=Hi$F#@el$$HaIF#;{JKJ3fP zX4ckEhvbI(9A-0X>!)J`S{)Qn;lKS-^nWzWK~|6^k^6(`1^4GeLS255t2gsHrR zlI&6mPlO@R(cvJiZSQzz7m4CckQ+9&7>`o$nYyOr*QbwTs-5obkfO15q&4 zP!;+P(u^qFBLylhjC1WGPb0@JbnnC=oy6UcQoxqMItAjkUXu!+j%ybAJvnBX2y|52 zRho5T=L1_NO%-U)>LULx$1L+`sU7(M*rc&TA=;2i{}tX?ar*oI&-w+VbdP|7$w@DF1)kfwWXcMR=nprV~;E3d$8`3H78oR>>(E0R_g{1X6dW<6ISrXkmY0DFP4*wvo z1qvETc334U)pO0Fh)LFHfro`aSx;bF#CYgC1Skk8&|!8p#{Zo3=h`LF%LCHjPLlj4 zJ!#_K5@|rl^0OqFgMckq4}4OC!bBugd@2nnAyQ=FwU;Mpb5&l8;+y|w;E@gtN2p)YXk(56;W z;@Kt9(SwuXf}n&NiR$o9YOqZjk!=uD{5bofl53H)?iCaR>|zu@z^Dz_kc4OpjVou} zOLX-ZCvsVg$tj{J`hY{4~4rl-gB!A%g@LXYXAWv^3SOPsb{QWJLP4VO$;521Ou zD>`l%AULMb=m2~bvky6T$rOEXpf5D0G`m8_w>Wsd_7WZNM4 zi+_pWjfA6+6v>HiloX~UtB@O^8aA!4w&%)%Kid7hq{Si6(R zqgrRtQ{f;jRThp_a{au4CQYrfD4cv`6Vgy+;n*eL(KFFP=1|4;4349hs`y~q7a1W^ z-514`1D;v({X8QcGC!XN;-RHWRj^iaToCe#x;*k8~21 ze^j+QTJ3aR6sE#?E>-E|AjvG`0^Lx#W~p#;scuAg5~@IL+!b~_|3Klz%M9BxeQZc}BUrmLRz=#%r#WbYCEuELrbwkp4A%8@NSe6Q> z9nl?tLvb%rR|{Z-PQfrrvI`}BYDUgd;dHnqP0=)@!Z~)ybM~aFK!;eC3RieDWF`_{ z##Ac@mS#y5eSoGg^~7YEa7CRNC}CkHoEHu%a8o(6sDqdz+Ul57;lOaA^iMTx0ZS8^ zF^jiRLBGnei)4>AsK+YOcLZx82~niGgt>6b%7F=sE6Xg@rGOd+0}Ur?L^d?57%dTZ zRAZ^zZbAl2GK<6=!B_*3QpJy8N1_6UC`Zq=OJY>7j0@7t5MEVaE|^7hpn{!%=eefB zwZ+t1t}cmDJ+hYInIk6;#vyR#ddgd3YZTTFxOPbl>)CjzwF6r9%6JKC2VAox#`RcU zMpTJeqgn_^0mevJY?0EVrFaxoabuZ4TZ0 zRet#7h|{}rR5%jZYTk{)JL`;$h}-Vb$>42Wu2a&_lzWw;lIt{|neKJS{gF5C8Ap9- zKeW)HbH+pdad-V<{#5D~cG=TEtmXN|1Lm!pUMqCZ?A0@ZD-BwBX3V24nWhiVcQ3T< zTr1nMb^KoT8toQ5`ogvrm2-ZaTBGy5QTAgCC-(2rIK0sXhdRa5|MtJ@;!tB-{&@!{ zl&-tl{^!;jJ92JJ-k!Yr&9NKf=cJIqbBd z-j*6Y<7&hmimMeI>tOw(GFrk8YaQ!-uS_+=$Q2pOl{rw}?%2I{ZNBb5bT>Iurof~c zMOw7z)u+U%aapq7)+B~6UlF%|{LY3yBkfAvoxR^R|M>Ysd_3m%@hJB)>yt4zht*hh zaLPMv-U;Q>%}TiF^L*p#==R>L@)TVkUh%D;U!C#ccBjVe&NsVHp&=h<)_R)UX<|gy zNgt-?8o#E%^x8|32ZcT=b-=^DY?ImBz2AN4+Ha^=zfPa$EVA1Fb7)-7;yp$~_arLx!+!hYHN&s8@4dy#q1sDLwa!KNuUtNI zTEMg^@e98u4r)+f(2I;4^rNkN)$vGQdC?Soft5bPj;~8N?G#wmXMiC*cY}_>%ckrb zUT}WErURc==Wg@h^3s|0$8-%oSz%{v*{@x0bRQO8_U)``9+5pCBy{>5_|#`W)RZTm zHXc0FIa{+wC$HD*dZ|HWugHZ9dUP9|kSU>N-lPo^zZ_Z-wxz?2)3fLF_Ri@4aPQ^K zR;3bd&E=N=B}-{y8~b0_i5EKP~exjlXUIQV?8*FWfTiQkVh4D3Go#qSLB zY%&JF++HSmQDA5(2b+Z4^E%#iu5)L=#_>HXKRh^O>YAm;$|U_RKB`{i=L@%^oGUdaOCKrOH-+aF=rDxW-5#fz?G&1G6 zcP^KX@3Y@_>DN9oaZ;h-y~Bn)@M+P-w*Ke#`POuJnYW66_r|{S6Ou;Ed{d+U5YI(J zz4N;6DLFIqwbuRiMf<*wNvL5vvzKvD)!6qzXA2&y=@xco{G&z@+F1XK$5vFFmuH)y zK+9v}s?Rwx=+Eie{)JYZjm~G&s@1riyN?cdm-KwapaK5X`fh0IRdvhzDdodI4KBGk z$iw4Y+uL~NAKKM#`8eFu8UXrJ{q31e(}{SCl-b`Sy=Yd zVg1^=C7uL%FV7$8mBnw{i15vy^Iy7np!?lDi{8!jJmxhcWRgo%kNFP@ubxspW$B4h z4d&g@`*rV{sBh#QTU~p0=+GrSN1W)j@zIS4-2-hMUqb zJ>RXS5j!t6Eb7?%b*4`ZX9rvDnc1%2`*Sh96St0^wJ!5gBPtI^3l8c@o!;celJKGcGWvNU#mQg+O*ep zb@_6sX|zY&FV74!MwIfd($r;D^%n2uU)iu~Ou2j~JI`#hZLiO~EY}lezkl#!Zox5) z=WjK(E|tx>e!iPtA47^XF1$Bv(dG{QO7II$*2|O4d zJ*$?{CUdi;f!BIh>>XG&W7W8K_imo|nE(Bh*MSUn-|V+;^l9W&@S3s1jp!C$TkCE; z_Bp}2*VH|l>s7plE(l$_JLmBc4HkwRsS@Kl=+4&N$C~Ddb9|M>cgmxH23NW^h|3q% zu$N6x&U5h%H?-0Olsf$>%g#Q9*KBIGb>#3df$N7&acK9c?e%L#u58Z~^lH7a^@X+F z&P}Xz`Bq$|Le;~MwCm&4_uBPe&xXz|-7w(A$)UMd)LcDoRfE!#o8Nt77xZau{H8-K zt!=tDURU!%#Fv-FPk*erzS4^+9D1&vb4dGl&so#P^-p>()M>Gq{crSK9c%iD%pE-h z{7BZ&Q^y*5>TsGeeZ(4i>R3ZhDo>~%(b0r{+|&SV1pvFixPL(dtW(%8^xGLHSf?;NlsoLnfJ2xb$T-0| z1*xxmhuN&OAEY~s6HHKA(@!x@u#RzpQH5h4u_rT5u#Rzpb&M0Nb7M9$POy$~f_01& zOj>TH-^Dn=I>rgsF;1|Kae{TMsV<6?>Q6CFFw(^A4%PPP&%qH?yrbcDDf?$lROr17oc94sWtLuv8*-AT4ur44I=Pj`c(6RLdk z=23B(a>h&Pzo8{(sUTU1A4SScLPQIiD_A6IBq~G^{ec`6Q~6eK;CR=BY-X-q&q+dw2#-3{7Qe_HisJsl;xRmiSgq&usT{2z0 zX&#v>x_KUj>|x$`$#eB=9+~_&vr8;L&a+FNvp3rXMl9v5&2|Bdje<)mydR!j^1Qv- zF2HSEi6W@3dm-G0x4tB*YM}50vOM8fuo+z z0x==lhT~L~B!?WQO4=T7fA1}+)TU5K7xtEPwV>dcaxRkWg36A8KtGIk3KG8oH0Lyc zZ8&yGboQ!xl9oU>e^XCN1FD5%m&CXpdp6Q*4Ar7wr>H?8rqhsmSkEy_p0B5O4>p)l zEm|rk5-nDUYT+#}dA^=RoRsCo7@ll-i5Q+}muazQD~f`0mOYCI!CO?sZdgPp#*gsq zlIQESh@f$FG~-7of~Mn{7(c?XOQyC4FpMMv$nYb|`3y0X7(c?ZOMYYzvX3H)&gM}J z)Zp1AF|>yqm;2v<8W4*_Gg{!41oTtA1zpON2A8zz)yST)Pgx`(WS??Umr7Dzu30J~ zf>|X(MDUIqifX7Fs~CriC7@NTdK&W2mZutDcIm{AWhP8p@?5G?BbDK2)l-+fqq_~-XikbpSIwJllM=pwgFp#PqMs^N^6y!;IdB^U#hg%V;4D$g!?2^7(NB_z zG$840BsoST0#JZSWpA`>erdvA$+1fh6>}ptA=dm-QRcz>C`{H{M$jfSm?X0x2;>F` zBFoiNpifQhgw$A#<#6ehh82?R0w=>A1$CCJ*CYSs2C$+qThFyiqPs^(1M-i;jisKP zdQ!T@iAJ2R=Z%-V$ewDlBs-C}6zc9q6DzSSm3k)}q{R0+>r0E!cyz-`^;)P#>k?5>#3^G6N>KyCk#J zbD0LR*AzG?!-YknA*G;HyJ%Q;pha3y+PREGE2tn#B_ItQ{~`WC^?p$aNW(Kro|88~ zluHYg2FjfVLZebt545b1s*8=_-=_={GeOQQvQrth9GV2CzavunnJ_0H)Py&}_M z*ZxV{ryUA#_gOQ(@sD@+{9U5Ut}OiIQN2!?p543|ac5cQ$5F=PKG&D!*!$^2!?{kg zu6FCN?sbv1?-!Kbuqi6rf;T?HK95hAZ`SHjHkxYnw{%%|ro8i=97m_Tt1{zY_SmV7 z>c0IktKdfKdl9bwTgK$k_#aBNjm@0D;@td^uhVa>)n&xf^}qH+-dfhN#P|{J*}Hx8 zZ2iFIwExhzV+SsncB^KK;^lieCoj0Wb4^{}<0mt9A97&u?l%XfKiqi0YW9Tr#26OjRQk6~tB7EiQ%mZ7iubs)w&u|cno&U+X4Z_i+Pc`j#ED7YQ$BC% zpMO@vfw`UfweHYtZ{2(jy*4>d@ON??RwwCAUALwUnzYH8qg{qyaRsY4I{9)$r+ZD3 z%O*aqqd(KFlWQVREfo^~SBdRWbHaLQC6}Y56ynyf?4Wtlh~&sw`VHbLQ2x9eXUFldF02 ztJOLliE(`NWY(=>H>yX5^!(HFS^rr@cP(1k{pWROmli8rXOua3_}iuQZ>rTx$>%*f zC2!@D`i8&rCU3v|xc~6r;dYHqPVeb+|H#D|cL!ET%=gaFv~=h_&m(SgVh2AxaI0Fq znXB*J+W{A(vK2|U`Z{=5$DJPjXhoYu#- z`qp4}^(DK$cexM3Cb#!&f z=+KGh{C-s!d*89*q3QW;T2ERPmUU(p*VjwFugz4^Z^Z%og`LM~<7RzmlkZUZEgn~n zTxorE+pB)sZYOV)Iq7+ENWqX%S(;9pRbi>qMBB5ibA|NWHthKM;)b2Y>o&3ek?rH+ z<{oAD$0z$%)TA6}X73Z{oY|{=nUI#p>P%hfl)FOGq~-J7pSjKS|FC6_P35Rf>(VzY zn6dTKP#IbFwlZmXNWLQVH3K~KX1{Tx4d`}!tV|F^fE zWw_#*|4EV7Z}NS3J*!{QHoGnsE_PwSn{EL|?=INaZ_1;D0+G`PUnpE~>ed1WXSO<> zdB>FRF_rqH+ns-AffMB>7&Dg-d8u1p!P%+jfZz9TSHIEqK!JysV50}&^p8G`p=FL9#{n@;2mz!lThfUs>ufnBvKK`?tU)xdi z+CA6PE2?Do{;IX>m%-k4OSiD}rOQv(Ha$I7Q~1K8jg7DNkI%esL(a0VOKGJC7l`DPg<$vDTf2F3#QJ)J%=MGtP;YA_eWqqPDRoK3~+OVU)>jv~q-qf$9 z+k@7}qe?%Um8*Bm@g*JRTxsMs{80Adr%DzrQGAQfyQ;;X@4D&Y|FeAEVlN-HbB_74 z-m(6|yVJs_j_7=&@2WkWt$Y%Lx+d)ODDnQ{i^F;IEOQ_GvC~&;qkZo7E4w>vIhXRT z>Y!2^8m-))rEH&=(0X?p&F|2<>HPj3vai?{ktOELzL)EDZin3NzZ>@1`@osNc6q0y ze0*CXp>MW_zV_8@JN`fR-U6zswp$w}1wlFu1Oe&pk`h5AL_|^~BqgOm5d~C0LApyi zl#&h!0civ&=>}<}k@)YmWqY3Y$dUIw-~Pux#y`I28QZ;BwdcBHu6fUS&1)X!N)u|_ zW81Hc96UVbErMMoom=j2M9&bw^8@P%hXo%Bd$ZaihhFF*vLKcB^<&a$L6GMk?~UWD z-Tr#F{A)TbFU&&z-=)(6WHtCrWssZ&Y=WZ=XgLns1KCEf4agdSZ9t1WXainT6!^yB zd!W?=><~Pg5|}OteEga@H@kEc)@D^=ny=I z7x2)*_rO~Npm=|^20VusL|x!};CF`C^#$vaqeJi-zG* zb9g~`41N_{W_S)SaEu%sg6Hr;g-3r$2+!dKo;mm)cx%9Ocp<{0qm$uxhUf5twcgPo zcn&Y1N`vo#w+1X60*wTC4lfTphZl;<{<{I#y5K}Q`C|=V=n)Yk*YBKQkSGHJ5@78K*rGrupGeydybXUW6TspJQF6h+ z(@@gkQBE*~_JcCgL7V*@{dBBc&;US8dqD_&D6!~wPB3s6gIe1s=L8=s7c_?uBiHYK z1j)Ambn##P$ODzR`%7}K_Q|)^aPB`12J;JQRkr4BpCPq$U{6So%C3_pmzvjm36F82-Ni;1Odvd{6=MQ z0GAa6OqIvUFCh9dM32MUB0 z1G9mH=Wj~lnBWou=`uJ$XdZ%@!%Hwj(Q&A3^@-TJ$&EhaF+-paPG)zzy|pVC#;N3xUcWB)LLvBY52jPLLtS z^Y38mKq8&o#eoHY5c7J3 zYIFcdKJZ!|)rW?lM-cq)q#6&$XjND^3PEB4P!9)KbHD*@5XFKZ@RytnXgf|W1ZsPb z-Nz5qD!j%6RQDJpou3S7J5DUbDSH@75@LKf0<=M_L;}FpKN-+=oLmUh_7EW@#H?@x zXoE`JbAdVpCj#2|{#0IwB+LLSe<-v22+#(3R5>A?0WFFCUQ+uQu@I>1f$juV*nZd4 zhKdY<5avl#3!wA=&|EN{W<*Uzu&(AiDyhvW2=Lt?zIqbK?pT=+r{$pvIfB6V{JW$! z1lkA2(}^+AW934emWQG80evn=A{7K{Ybd!CDAIqYqV_Reh&Y=b%7=uizy7YM4c6Rz z!00+LG<$4wAc zxe%x2f6E1>(E$X)Z@Ivd7Px=^wq!hJcp*;9L)CJ*U^K|T=$fJ7#tA|%ClY4x{z3it z3siy_#RXNESjE$P9qOgT^{3ihZ0|2vqb?q5z0&z?qt15e}eHPYhxo zCl&(rJaCE#LL?MNM9na<0KDr&ZV^zW?~ivi0?9IAqYFb^#NxDBqvyP zbNz*sg7;6PJ|ej?AfFom>cN?s0nQ9Ev`(fxIkveFr|6+N)c}GAXKDsGI2hvP#K`(_ zYeldYMwIIY(w|Vm=5NXqNO1wA(21dSPQE|aurN>^Vsr#N;R0f6=7n6UPn0ZqMg8h3Q@v>P(Ls5kDnZs zJx(qJs(O%|F93xVf&UpGOrhL-sJ7|JLD}QPLZC?xRy+{PJY)lM00#t=Y|any*qj)Z zJx(qJn)G1F15v_4QCUbVh*A`o5hn*_|D-4Xh2urcpogn2h+zcE$%m`16QiHUPDTW( zdJv3-3QWSIpFCi+ffyQOA`1MCC*!!*LZCqp0W|=0_cyNyn3J$t?T}&rSF&xcKg^q7 zkZZ*BB7}^9G4g@f403PAf^Xipd8@5HC#~L z8iBuW z0j_WWGll{i&~J2V&+T>`e%f4g-!R$OR5eE`XDT0x#TP zaQy{Vf2>>x)b+sG1?miePyx`bKpybS5IhL1yg>8)hs}jRt_*Hy%>&3zL6QbYKZl`| zKmltiAT03t{-qQDyXE{V9S1R82$u<{1!y`#wgV&+0KV|^{sr*-=PMETIR9(3L+R$f z^7j6Xbn{<{dho|NIo+IH8tPK8G6FxSOeHFc#ja#yb^o@Z9hDXpyONYN6}yU|lij~2 zEAhhe=HS0^lza|+w7+uCsj%3kP0j5LZK&9#&GqaIr3~*|85m-LTie>%80uMIIrX=O zX<7AikiS@7V}5*Au5N?#Wi#=aq@>ewgAQq#EShsn2JDQU8FPX_6oH@q*IIk+{( z60QYT`Ip|v>`>D z*}HX%f4A)XdMh$H@xwy7 z34W0LK>u#C?ftv9RizrZ&#l=naZ=qHem1B=?`_VJu)u?v<(8i4v$S`c?}rYPRS1*f zeUhk&6hYCt@94Dh#kUA4jdp8da@we`=UB_Qgp)L}J-LqgFvJ|+fbYw#x58Wj6{k8a z1bUNpD5ihp{Nx@qb;Dh2%6Z51u^vO%(y?G6#-fWV>u!q8Dvn909@CpnYE>f|+J}#l z23)^gREc`Zp~!!_)$8eV27Cki{6lnw)lIDp%Ec+{k-C>;AGbaYL{Hv`tDU1N$}BMG zG1m2-+at<7xRWi$gf7!Hu%l42Bfxjn+6VJ3-_PwQ%9T!T-DW=6?&?+YTe~-#YOxaa zc5n&}e6o(qnmq<0{@;tx{+bm3Eo=5y$|)ARf}w$_o}`r%l@^o)$OrtD{DP3`RMN9C zw6p`R-Cv2LSnLv(mR5GQVD5n#56?S<@rQs!MnLBbo1|a^((ce6cxEjxa5Wz7fnNnH z<_fM|OyFf|WjpD#_s*%w^=z_)y7FuW>gKFEyy`x@jJu@DFEg^DWz&n1X(Kq)X_ zEdm&(pqj+Iz`+Cj=6~zPW8^~IQj!aTWkV4U;4%>eZbL4}jR^2^ydbOw6zP8`7vk2E z(6EQHQ+WYT9|UBAhCNjJn-`i6e`A(Dc6cFfEeQ=Li1LaTU|u+&wJsEj0jiM~><5s5 z|FFIOX~+JbDSA*(6pU{$zM$+0@N$D{*l+`!8!yOW1=I6ClnZgH9x7SO1(99>{45CX zgXst*3jr~qa&LdtUdIf3#Q6;&^fQP!L7@&%t^i2&i>Z|tN;3RgG6x9L|EatXsq8_j z5XhYcPQPE=1i*<81(iXFf&Xv*%;UsDV2U^(H;5P)YtN&0gL@Ilza1+Gq4sb)j28AdT_<=0}$WlOT<}W^!WBU<-${vui@`0!V z4-ZiKP%a0gv|w@qKmOl;0Qw{GP6gJT!e^+T9h5BYh)?I16?0L1tUQSJiM0#xD# zv*2&9pyR|sq^<{+DUgR7cr*ne3mQuN2bLjtJ%U;AH!X3DT);H?uT>Dt^>jp+#ICNP z36@n<`~VXn06?gg_U7jQx~zk(cHs)<|1H4=<>L+L$`f$MhvJ?N;eW%& zC`>+JEJ9-rJ|ge$5}~Tu4Uf8~Q-Uq2dNGI|RB8<_(5==C=eu zN&#@z?>hqNIXRAg0y+s=AO5o|j~?rvL*__n|KF+i|AE^1XFnXhrNGoZ8hY@l3k?Zq z2toY`eU7>xmV^NxF3^7HoPYN9Keyq>;Zu`h|Lxob zi)?72{p$k;rXW~Lz~oCA zAn-q+1MsJYJrK0g1_JzkIB+pE$)KCSCL8>r!Qb%KhK@noP~*UQ1)5o4-|uUHps@Qv z`@k{ix8bb{yC-1A;{wVG@C|@fE4)8`O8~C;Jz3$R{n`QU2b~4`1AZCweRT7G4x6JD z<1xbqv=sb7pqm{%I*hsyYHj#KpEPU$8~yK503c3q8GgOxq22=bhJRr4LE-VEH^hHB zY9Lvl4;0gbe;_#_fG^azP^ZFs9ImC|9S)NLbO`J`@O+S7gdc-C41PVd4I6FHhytJA zqYJt}xDL7xyxkz~MtILaazNYv{D#gw>J!*CFxkO5&^I(%;m6?La2es}LHi*Y;K!kR zL%4gug97{hQ{zKt{C&_s&;8Fa1G^`pXz*k3Z~X81AK?*N&hXNK>CzM&8N znv=d^_xS&R|NZWFs6Akl5o4$r0f}3@@IQeM3! z4KG;QL;sx|k$+cYYiFeMmF~iT!%|SM7(4UCPkzF)>J$T;y_GW&5sp1; ztvcMxl*aErWIoWbzoT8SrSZ~TO2b#8cCe#Mva_Sw_u2D+2(oz0e13b!JJxpo#`yO6 z+!%YjHdVKjyh_x=i;*cPY83`qoRBq1r;#3Fb0aY`KYjl4C59gg)%5J-B1(Rq1FDi) z+JlZS9UX^ZQ*roD)3*-S_lCY><=Y@B9k{OM0Dv-hjg~Cw} z8CyeE*+adUtI$U04D?Rzm9^G1x72*6B)d}8SW|a#c5Ziz0?7_ty(C zuF;I;0p7Dp2f5E~1U5Dg_s;7b_HL2Mf9vRO?QTJzojkQ2bw}gwj}eifcM5|Cjf+@& z^QQzf4}5tXd2A0;liYR=YW6ltBakTWB3qK)vpk&SDnJTH)s9(^FF%|O=nPdn42hr4I)#9k^X-KRnI)-O@PK zME}qc>A0p?{56QVo%(3N=y{Gn~$;`f+*Fn2D>nk_zJ+WsE#SwcJ9$p^ZI*j3G zBMvRlN^hW4u(X6cvoz{Kk|Qdsys{gn{i%AerVe*jcU7&~t$?7as-|U+Qq4!qUM_FJ+X+xkQtrw2--S>{Cu9-gEhW=wcsB*-9ud!F$aV{DeV~qA`i3c#K;p8 z{O%#?oO0kpLS-i7e;O2pUe#JRe(2V)$xa@6sL32&T!K`AMTlrFDh`&&1BQigV7<8S;}2Nni%)q3icVsJ>h7w%W14)K)ZV^@w34x%26V zBSTGuB_COMCVeCo*PC&wGe2bLlaM~VPC;wA7)*+v|03`!cT@00s!Yb%YFr}CKEFTe z&uzP%(>cVC>H3gOQ)$yJhwIt4T8-lTvoGFVy8bBNHNfx5Y)>Y)!zw11*D^iDX3pL; zUt|3&9jS(E9!FTW6g!r8=pFrU604{&^3)&TIC*o6&iXTeLzidhrWZazp-mJR+O7sFRn(6mHFzcB_4r6ItyO zcfYJDV0A%7eEZ6R+|6O<&j~Vm<;$)F+PWWnDHPVpxUlTm4T75ASXgv^k{jNlkN6hd zO33KOG-jz8l15RDj#b2>E5?1Oo64#yw58|KM|r9-^?d1YaSQoG{h_IX6+3Z$6LvJG z^}J6m(ZI)S$eVV$1z3o|;xTh$=z&XD?dap+VSD>ie z#jRlXfIcIQx-`buUyGK>Qln`&eY;G@ouWV~hNEeV`zC`I+bgTnbquGJ%ExJNX)8LF z-zRL~bE8&1VT=7ru$ZvIO0Lhz`MPZ=kba)}RK9~}sLqw={$`R6^zsA}X~>4l+A5dS zWPR^x*t)o_aVRL%clS}%ElAQimtt_>q|c{wJ9yI*j<4+E3TMSR{WM=^79g!Jk@|kS zm(l*Lh-@C_>ldz1guCwd?Mkl4TS`%x;Ob3c_zBlzCXzI;9WB1NqqEz=iFUR4aeIQFBMlKjMb}j4ICzpk*%@p14=WDp$Zqmn;WV0Y;dc0al6Q`M&8}T2(D!Nk z{!fER>3i;VVq4MXI)WFU(i}W`hJi|&`_L|=f{W-!UEdl&F>YjKh7UhncmCw^Nu~HncJMPz3lu1tVaF}|^eRxaSw-2Dj;)LrbIPBHFc_?kT z5cjEH#Gz+42q|2*<6v?34195ePaAzW=53!njU84E(gW+67&30tIz20l%3dpP@{EA6 z)OXxm%NJ$BhpfgG$Ys-PMo^-gKa9{-Jw?0eZLER!Q2^6MjI%;VeQsRU^o6d3O@!48 z9=tgzFBGg*|CeDwQSTBiDbDcthE|cu+rRim=e5qfs)nEXXumZ3XZ6qEYrctXG0~i! zDudHzVWUixk-Pe`q2H#|{F>ctBGq)<7_CX$X48Du?WpscLiL2|XqcTJ-oPTIW~<;- zXsb{pA)1;Pke&0Z6ho_iUl|i+GSS$mgKyo+Iahpp5Qlzm+*-MXMMGFJ?hx&;WbPc^ z$9_%Ojw;IG{0Dd6e6DYrx8B_uD!;Q~uFMuYm?2Ns#w(2zMP{r+x^Rv}GQI_wO;^U} zogv%DO%9S|YY!e<{(NFzmh%~kY>1=Q1$R)Z${XPqeM#83h*r7-Cl2@C* z5x$4Xu;t{_FWs%Q-#kAC2l9mJ@#5agZQBeiVJ0S6|Cu3>xb`)-xgl4{>CVeLH_$Kp zCMei3V14OOLb0LW20lM!Jlim&U8AZ(5EJFxG`&7(!L=iJM%BX6 z%s(D|laPm|ZlnM6n{D4{Z*5(b#A0hZ-%|L=ZsoH7F7o4#B_HDB z2WrQvtk|g+jM^z^tVZc8;~&#Eb#}6D25dDnok=Y_8yr-8H-h=JEZ>igrFYaSLW`k4 zX>^)~2A`W3bZ??**?Mj^#t$(q=IwNq<@g3yUSyG{LVvUvmc{GL`02Edac+;w;IKyX zYK6$NEZ1|GUu{hXqjI+nFb&J2!=CeIw72RfT%0{cPGvLyN|MWQJN{d}&$>E+decbxCKG$=M^+=XT`X&@orCAX zo?Y=9`1TYT+h@&%tv^-OHXs)Ri5wbLo#)?)3B@XatG$w)dCa4tO)_(l412>KY-CQfT}gSPN?w{O9^!FZ?eiktbaqC$P_B}i z1xb(C^d&0x{))yBmyHxHVoW=Zn-ax_4X6|SytFBJzeL_UT7TuayUT#n**G!AKQ=4Ys&k+8EB5q${HuqRz5L*T9%fg2Q?Myaak2IPhspPDB+CP2L3-3yFExdJ0pxYDo z1IGiN@$7{$+gW)$)^_$tcbRYT<1#pT)~mBmgPZy5S+7`7cIu&KJ;@|@pZyl7f9gZ? zhvrVhyvl9C3+n!CRD((MSfqDUr%*yP-D>Jt6cHQF}URjd#wrvW-fl^O;k+e$=38$Xd_pSPg z7crfd`(FL3a_^4uK6+`2%Z+m)i$v+SF9wFaY1^Kraj$SRpmQm7zZ5tkPsKl6#fFTP z$1Rtmz_ayUq56W*j6d1qm=zSys9P!hd?x+hOqR?Cs+I3vmMESzDmG#iE&1m1wLxsg zHLGhUY0dINEbr?HR)Y^pf{migk7z`1zvZ{aQn~AJt|3F4F1W&5+($Rx7(Mv9QG}sgfc{fW-RDbK!LY!)d;q(eeNYfgR@L=}Y#c>UZviz3&LPFR3+*M-z9!@5i*1TMLSJ3MDG{j3j zgnc&sDs6C&_t^-SVKk@l^`wVCw{3^2{nc<)3H>vJf8cn%ir%tM)(bEcnYc2Ownz}Z zc*Wb?Bz3}{;~CS(K2f)Gc12>mdV;!|AtrUYm^t1dGX%XjR@LqQ zYQYtS^h)pNjr&4ln-#0eF}v?O(mGR2dMT?tZ-@Fsv|?8BBRThw>#&w*UF!(!TD|4K zN1{`{+d9(vnxbL!oS+hYl>5L%H?HANXPL%s?7o(b7J2tPSe1Khd*EYO_H~_~+CC*b z4i|R4+e%I4-(Ev&_85*Som3mUx)Irc6*Aw`eov_${~nt`rEtm)z0#{Dd!6cdy7g2Z zJKQrf*<&o(64#htrl585_YxGW^08LFmZsy!#48eS^u2ajfB9Uym(l0WF_Y^b8{7Nl z&^5Xvh}jl)+YwEd7^LYW{Ul}^6hWO z6}*dBmIvp}#APORhU{fr>e5IyEaLP788tNy43qYgq*^$FL>5j-_S-}Xh$#k~{!Gv- zdxIn8s?O!@^{G&ieZOGK9P+|@W$W0(XI6+_^yI$N*Nt%9i*x3}7M6A>cbPL~Xk@!P zscg0oK;B=OI{8IcRg4iWR~>6Nqk3|+pg&FW{7}cbO#+4|lO(s3j4gk2=xXe6cD5LG z_+#e~PRby~uP<#*ZFP3v6~W}a_#(uMlR%tcFb6rbU)Caj)G-nC~J*8U0D5EuM2x zjr`H7>FG1JU$JG*`Zj8X6Mjy*u9w_9LO~K7NKh8`F38r-(ZY9#8pDILW~sre_~y2a ziQO=N<>@n*I1jvDt4C57y?LTo_U76gnxlWc&Ku9rI_+EmeBY^N71b5~DN{@nYNNvQ z&#|AeSz&UK%;wUe3m29o_+K)4lup(CCX1(}4Z|hpg6&~NVP-h`F2{OjU(Y_)3%|*> zunoR=o>HZNcT5bEH>+o-RCo9TLs*+|%*ivYtT#t6$F?M;n%u}eaHBpZu~uWb?)Yd- z%}jdP;8%UhZj`0CK~;kp!GIU#6lXFV6}av>Y+#wD%5kVTHlv`w?$d4Z5mUM-lUZrW zMswhn#`N;2KdOxr>h30X)Wjoh-?8fR=$W{$BOECL<;w%AG2`RNF;7#jsGK8;V6m+E zKH=xKRzb_~^(S^;_L`_$K)fjFB{Ig?mzs+rec3eO=?$)5G-oI}r!LEra2H79i|0PU z=qk>*(3a?L*hz+k*hgBw>p2tFK8tBba>Cj0Of15_ew|9A<(ydhJ%&)ykBOsK z@AoObylbUhm@;CqCcw11PUW4SDT9=ucy%{8=7cc}ek_skFZit?k)47VNoXKQTPBBI8@j z-UP;aC8k_jpmN<>UPLKB^IiTmde7Y@m8rzE z)2*gI%lzLcn;%C{8=r0Mz3&^PUr~837KHFQ z^^BtRDZCBg;W_*0ynRNn^~Bk#jks#fam`DqeU!Lp`C>W{Z4$J{6IO#ZzypnJAxUfzNKV6Wg47%EaVR zrmaS^N+C78LQarU)aD*3O!O*R0r0{@mMDU5s{9a?Jw`n=t1x+$lqj zTzO2p>y*M+vZNI|iCQY1h9Oj!$?Y5DF&|16ONnN`+4rb=E6Zr~4U1pm-i3SFbVOs# zdF*ZSc6Ha~muVwWo~-BX zmh7|r<34K6vmR2!dgqNB&JDKk5uhp*se786mE8__Y{ckx@sWN*;yHINqy8DiG_w{G zW4f5^l8%CW6a0PUv)aKWIbvhGvisz#*z|e+S{&IHA%P={!K%r7TF*aB@BD0T4i}ZZ z9Bm(i#ZybvYHW+6I&hIVgE&;Wa}t&CUV-EU|BEkVFEuTCxuR>9$gT2tC|d;Oe|URc z%^+$Zh`zch^Tv~*dGB5w9&_fYN9VGhc1L-PL_gtid{5x;`L$Xr zn%9Mxd=;2+| z{cUubISwzQtM*ki|McT>5!uHwUjxVb8b|#ZV`F$|<~LtY_cr%PTQ)KfgQ?dl7WwXUwKesixi6?#LwVH;RQ9N%ms+ zF=a-J%U5y}AGUZbHTcZRXvG=sx)g~tPtR=}_?0xC&LZ}!3T%Ugp>;$(PnBKbD07Hfs6o#rPSSPJ+%a9Mb{^1`?B$bw?8Ic> z*_22br4*?-VYiBYRp&7&{kW}*^Ip50fy{1o68~0q=6;{5#%B|+{LYj-W21chcd<{f zah}PN@s<;vGM2Nl$`a<07~!l*W%}VF_E}u>!N?vJBhH2eaetwcm=x{Z$<55C6qDPR ziv8={nVaWr(twJ zkZI~^w{v|5yXs%euJ$#H(k6U&k?^l}cFC+r`|)#=6*nTbRfMTJi8@v8DQDSj_qUmW zq+xMaHF4s!&}4R*h0#$Q6QtrlT6y(hQ|b`ioMG{~hPuX2PA321AxZV3bx%~^N9*C-iaiOQ{5HBHP{U)0{aw>2(9&r?r;YnSzvJ6HdZ@cdh*p27!#>^t03>+N0bI3zcf zEH|XpyK3|0J~=5)54~*H^XlCs_VntdD9^q2()bobVXPFd4foY&FKb3V`Y-8X7reg3 ztzM6%?VrTAU&}SiwOy3{ro6+_wnxzVy=II;(~Y?gyYV?ME`3{P9L0Z;TiA>eZf)>D z?;Z($ybLlf&t=COEK3h&of!m-e7SKCB;p4tb)LDTqaFNk@{_{rU)IQd^DbK~L`dTG zhq95Xu)O*S_5!!^%dKux)(tmfLp5A4p@b}rY@UB0Kok>65r5+eMmo*tDZlNyhCn>W zJ7#Pt+iJdC&|MN*Vd=!h}IB$0FB|Ao*U%{+h617ER4>wS#Z^cFcH#u2!7)1AKu{LQ|4d#u4`fUlHBL? zW!yw#671aOf$!8i`F>FvtVG|iNzzz{HXpy=xU#wt*wkec|54k1Y)xOyWSJlanX6;Z zWRxnGWZN$dFY{F0cBO;7^Au?O|4gRXd=f{hg<(Rj;q9a8<9CqLt!`c}!S7C@7B<^>_Pnd(ml= ztvTOCVu)F+so2AXQj6!V zdeF9cQdJH`Z;Qmy+`iA@)=pTb+2mZZ&_<}6a#7io+!=}L;EOVjh(Zwu8>aFXt~dE% zd%BG4Qxel+QsH!t;X@JXT`4O!d<>jeOh3?Z%&*eO;$0z5Z_RML-MzN05^A;Xh7@AD zX7F5X+zT&9nEpC%QH$@;#hiU>pYrLzP!7)TtLB90%R=Tq=G+5QF4*BKlUl@oS)-303$!1=SKH_t> z?3=oZYaT4%_FW18)vD7wH|c7$ft&)93d#yU8~mH}y$( zQ*-v^&7f--p7Zt^x^v)fR%)y3r(CO>t6`fZxAfq?F>C8VK*aNYwkoXd6oZuczCwQo z^4B?P7Qy9LP*0=qu@63AZKw!OS=D`bUUq0ji@yEafT;{?qVt!)N!w2WIAQwTMqIWN zt+66#f$|5r>1$X`m6bm60qv3T^jD?a>@g3aliG_=etyjN&- z2E&?JDC_4`1*7wB%cWVNkC*vZj7Hdqf2uNKj_kL#WFInwi>IOd!52<4L~e*L>7TnELE3m;;tew9q>5kPAQEtOFxOra8%n>xp| zg_c{bZDf1xRlx=0YdeQnTG5k&Vy=CC({~21SC^ZpkzF;JHPL#PE*rlP-C@NxO0!@s zCxHL*({_x9h=o-(6L;4SPTs!HON3+(9}%=O*1S07vsCZ5Q+q8+UAIupfm@sEc3;C( za6FpA>pV{b)^YkEK@Sf4q$m5^omWIO-xh>dy~cZJ)u`VzkIwNO6Fnf0(b7Gh2vvto zs4->~=j#iQsY#AYulql8b1r=8f59ux)jw=mbTee0zmwIom zsbp<7P)t>cQ}G(!w!IXI_@z|@+?Ci$g^koV~DQo^q124k{#Ul+=We?($9C9K)Qo6O~Pi=*r58g29L zw%2_4RHoJSm#3r#l6^j3CwhEMpg8S)@rN9pZdUJ+q_K`#wGVUA*e)qEj*@g4BW<6B zD_&4)4_&h>UeA^KCi8mm`O@gxR1a3WUC#aBFjqY>C(XWx?=K3GT*-V@dCP9mKRt$# z=iMdt@nF))%F&z&uS(4uo(`Rw=i=Pz1e{ptEM=YKMuQV~W9PyL0r!BlcHIg&!#eTgo(Obw%_uPK(ZSB|@46+GJ zP4x$L3=@Oa5kE^ba-~w%T0h)~ovNM*AewSx%WtujnU6AS(p|IRJ*iv@we8e1RlA-R25uIMJ7M+F9 zk5+;sW*e;LWTewv$M;lG@yqQu$yN_68lS%57_`V0r~6!cQxT6YB4NWRugOte0Y6`i zEoak1vxkuQdE&Ur1bMHjvS2w;-raH@)7c592McHpc3KlJQ=`aTv2S-D0`| z$Ai_ z+}Ja6xS^VoC`7CrAFr3ObS1*N`!!9+YIH!Wx;!csU5mqNdch7&p-)Q-(<*_R0@kHS zG@g6)NL?4QmrElD&z`^Fzgt+K+1bw(gJYwxtwDx^(K|CKTI=i~Et%z1@j3hbISkUz zH#zLXQ8FpRb5&eXo);3tllc$SE))zsH&=XmGbxiiDZ-6|5|2-h_`S}Xd|b9SEt~iG4=mCUlLGR}!_NlUuKz zIAD{Y2WE#Wo7QuA6=tF~)hP#lGm9XI0-JdpmIOEEab)kZox+2utdhk3$D2YvP zB9(%mwdfu?A%*-V7XIq}kMt|KC08*sgunC}$&^?zdT<$SEFJn`wOcINP^yrpd{~#^ zk*w0ZlNhd+m3NIhNOrJt&8$|PE$Q3vK@ifSTzFpl^$SZ(_fO~Si@w>IcZumJCJMx> z-tk_(SQgoc?u_QKsh9GghwMy%+mD#0FWt`BXX2Akn6PlAX%(CfFAnciZj9`vV=Mkd4y@K_)8 zrZwp)<*}2>X){R;Uc9@z(}2g3^kY0;8v7Ran(jbaYQ%R7F+;vu99|ZgY!!w4>kj>R z=mcs)=Y5GP$1$!9>)YOv=6Mq9x1H<4kVdfjJ-cOxTIgN01H;cJxBaED4U!kM@fSbk ziA>&>$UB8JDfy~Rq(GtNj&mD@v=(+!j+mwL`L(YUx6dzs{Fq!C6P?FCHyziQZFpbL zP`4|@*ni%4^BX6(M0}yDm_{I}_+F>=XvQJ!w!a-?K6~YB*;&;}zjOiIvnV|kJ`^N| zZp<4L{V6wJ=1BkiP^DXc=n^+u8IskUIHBlx=_(n2-xzh0qo^7CMqj+yEKTx*=?!6< zSArBO#0{r03$hn_Mm}ZR=&8>vbP~r9NMu^81-+uqPm|saU3k^+<8Uu{=t&LD3jswr z8%$$mFXWzk+$6bvtv0q-{VqI}lR#0{!k~zZ@A)FiRIgm?Ti4`9SfFMox$eRlQp*|W zKe{`hBd=Gy-mbgOrTSi0!ZLaEaftP5ULe})cOKjHX0I48!f<5K$&q$bhzWN!mHY;eozNGt9DUU_ey_|J>dNKWIGok>3RSs>hqOhiMnOV# zLAqfiKR=8;ci)bXc!qiVJ?(wXSk7wmv%aWh-#h*2d##L(mfvrGXmfG3H?6i`+121E zkhH?n8kEeE*>h!YvE?4=A~jy7d)(6ay(cv|@0Px)M7Wn_ZzLzD`qkDwLjP^eK2|AY z4^)bvTx(=nVfXi)dcI>_&R-%9FJ#@C{h>0boS zI=l3|;;_eXNSOI>-PG;z6sP;lf27H&my6Fo(&HOxqDSF2>+Z3vV9Cg`${cUwj^~!cEMX_FCyZ9J<9_ z`IrEKfi^uWz4u*`btw5ZOuAK_zrDuBB5+NaagV=Y%TY-*jbFLyy1F;M#OH zuh|)Kb84WuBm`r8M@2bittwq_p_v#WLfG)K;HxxwOX?d-c4`PjNf8P+~}~U|5BxqB2qEirar8>0D*Hw>vY$?JIhZ zT=?#wxs0X_Dx0bKEmeGE@vEqEWviFp2P0#yuJB)p`$0Rz(w2J;ja4iir?Xhqot);i z^!{&EYs7UL7-dWldZtwUmG^;W4 zpj#|xG_P&S9fsGk-Z=X=~ z&MGynwey3_TkJ%57x7suGh#={g6_#*sk}*SL7etVgT~olOsHP&vT$)f8&bu*r7cO6 zBANR7bp1!FzOVCQ5Ak<)yvI5!=l!j3VCddhKF#q;yUYCw@n^?swEddXp2-ph4#^Ko zJ<6wfF0Gm{FJB&KxyR5UvTD|Qd4D#|?&ey-0vcWATyqWD`D*_!>2EPTE^yL3DiHUV zSiYoKnN_o`PauJZwGsT5`rH||uE^{MBx7@*6Vtdc5oz|61MR@>n>P%h2TLopFQ}u&aYaPwSU&T1R?IT)I69ke zJ9C>wW6&>VRFIC%@>rPHEUnSMAbJzBw?!due|2ua+f&~`V+O}6qy#55Z4FgXtiyUx~cLC2;oTs8Kbz<1X5W$x%avy{d* ziqXuw+n)na$myH&2{nA%zZa)|E1?<5<;p!@-&Aw(Y6kb=rMS;XW;b>XJYy*trad>F zVxT2t^L~`5m0D`y-BA+GLlfJR>v7P&Qb64IRly%Egaz50@0pvT(EV~ggT=G56-as4 zuJb#k6ib=5&^Hd{YFm>Fyv25qP}}Au7OE3`pp5tNOG8GcHA??R(M8_aJ(-c&ueE84 zJcIpJX%o2`tp_$Esv|~(O55zIdwP04wZqU z{;{*ha$SENJZ^ZmP%eVIDhYx)m6>A4-v`jj5s7NhvsqgtmMOBYCr zCuAXJJay0+ndKJz{ZXBGZ+#v*uIOq(L%#F=r6;Y9v$<9)LN*M1Hjha-cB;uMQD<(X zalL46lNCwCVCTzhG7{))dQU-uG{EDidV{MQrJ=A_lDJXmoFm_3>h|0Hvbdh^C7wIm zS$WD-web`2nA_{dcpY zX%l#kR$)51D9NrHrTiY6!E_^1iRj5goFAzg82Rsn3oM-0N1dK*W?(Uuzs!>i0wI}h zOP-<9CM=rlLFO`U6fyK0=|9?(4Q_KtuR&G4yf^RTA~CNBjf zT#uEH|M@AvLu)J}#n(B7MO30Q^dR_tfDIpyKiS0~FX}%6?iRGKARernxi)IuW-=dJ&`jO`=Y$jd-kWlQCMhkkuDD?~16;2nn|5HD(aZ zo)z1hTu(JJ$Qh+I2=b!5UigXJ>I+kg%GDt<522;}5bW(2A96*%AZ^UY=cK55gf$6| zIN|C)rg)e!vEf5H>W~&J-1Wvxt8+PSQpkF$Fem}113xW&Ibm#o;h8FCR#A}bJHP3+ z;4);11adpd5o{;hOOwq}SFx z{P|G2uzXmF!-e3$c4w3f_sZU1KIbXVa$_mskGnEq6yv%rHcc!Gj{>g1k zcJWxzs4I~MIg@U?t+y5>PTfpSR5tg{m~FJlx@Va+NO#-v&VqvzU(9PIW0Kp33b~#k zarV*LOtm|2G*{&pm|X;vzVuWae&!T;gL+kQO>i+~aqfGx6qEN0;@I~Bwn!t(ucxB4 zHAAKH%GT=3XQa+jp%Z$N4BoA5zgbbDhw8$5?v3msX55>WFUDIhb-m~YtF=cvyovb; zb~DL8vOjp*yNKMkO1V&FAC9$qC;kDtze;_72)(*cB5%rtcQ&W7R!-|#30ZmF96uw1 z`ZS`U&{&iH2bO-2W2G%h8I`U=T!9bQ#KRX80hP-)m>hzCB-y>W#VGZCZ&X~GV~vK8 zZ86EEI9J<}uvuv1&9%dGk5F0I0=X!-LiPD#3ghZ9Qy=wyK{L-^JF`^&>V?9>N8V8kxVI<8wfQ&79uj8E5l!4kQwY3A{p6%&;bbTg;I~!W0CU~ot+YK^vy4{qQ zH18%N3wnldD?|``usJ`+GCW1dM*alpoXUsnuS(Hdu|1@_pEld`nW6(i&-*s$+MSQZ zWgieEdSpc@6SVI^hw@k(?ek0#P4U3p=0$G5p0{Gd*zK2arE5^DI;=_4`DU*pzp`h% zw(~(A{X@9Vf)WR*+}wm@c=-W6iwQpa&`#FlG3|blizAc%A);C;H5&g9 zWA_xCSxE;Mkd06lhPihQ4Z-zJ?<400C#Oyt!T;U`)fFsReH_tamvoaU6S6_2DwLD~JO zPukr^13+iiK zXl`=!hKs=ItgoM4aE!zRyPh82l~YHBbdrc?PMJnwdxk38?943DKe<=&?r40JKSTf| zcn6!U#ccr2^>CsBDETYF*$%_fn8S(PKR!n&Yrk`v9uE{>UN8x#ErSt=UTZoJiQc0b z8zhvYf~n$NKAZx4LpLX{?XaSAwU7Az6|3*_xAauQEn!Zu2ath-xT^9N4@1iiK&5nq zWn;EEe_bkbUtreMdMr@P5uBZoZXrpBA+T|V8BUVi=I0JJW}Ae$i?*0Rf|lLWCF918Kx;TgTmDXQI-<~tg-my&lU@MmUPbKnssG5^sBhR%E=Ge--M(fap4&T(=+FV2j2xx z24P$&bR{gwkzX{C`9qh2SL)0s3OOD=L{y^>+d;$vn^!1|Y^NCSzt}3QUU9ezfzQz} zZ-g#I?+YZtGlcUOi~+b+rW`JWnA^h4K`pqPAh zwADdP*RP93nLuW+M1CG)l8%zhkFD$~@CZvb0&3&vBg0_2G0WDWhV`=Lcqwm*A-vdM zt#Rq$|0-^Naw9}YutM;07pP zcZ$yO67nT61k|-fDyMbV9ah*N`ewXg%v78Uyw%Qh4QS{7WBoI3qZ0St~7Q+{zBBXO~!Iup`=twC0#F2z86-W zK=yjHHEE~zjgV-Gw0+7cU+IF>H2f#^z7V(4Znx@xxMIhKW#lFN89Dg?X6o3uOFLw( zdvkv&_V`l}t82a#u1bE-q~W=3jSNVWoda7e7ky5f;1Bw=Nr(lU>+vc_aZ<`FXYj??-} z=*EQ$6XEc=FGEhmEmKGbIEQBYBs;z!1GeyOv@CwYi#qtr`KpU|6-BT z^H~b(@k+<1sq?K2qQg4E7b4>ZrvK2n#bQ<%EcC)Bbq18XponGb3V#kpZyn|;F}**2 zsPCGMT*&V6B&(v@+r)X0hv=M5G5dp}X8UvBQCqPzLSNGB+7Nt2Mh~u8Wx$aGgre z0Oyi;1@`*c7Ahbl@cxK~!v~Aoj8{&oWh$Ga7w`8)2-;}8s$_-H$TajXK!HtCc_c8$ z^%|tA)dqH)E{qxZ1fP;(iy#ihl2_ILTq4ew+r`}UPd+pl=g=@Vg%EeU%Km(JzK|go zQkeGFZR+{J+^kW_6wxnw1-HE_t!ib@fLR(zS zvdDmJVPIssz!C!B z9v3K2ZN>qVTZEI>{|a?L>ym^};3>^;WfI&# zR81R+0(r9_pDvgq&xe4R=}1+?Svk*5j8~QE9Wii2xSu0oT>WaJgHx;Mr;rv7TQ2zy zb#p9VXk@D_k1->s=l)@&X^EBu<_4#un1tB4*bL~S%7n1@qZ&B?nem&cnZS;-9!cw- zl}0bdP4cw#B?VyTK@=vJw74d@0{650w#{nyc@*zyLhQw;Udx-^ZmEVa3jl0T0t z3HNXzQ>D3TA;@EakJv)I`}Ju)+N*9XHbJUGsNtmeMYc4PwWOL~#0|WFG8-HZtGp7| z;x&1=5ApcPQi$rz7x#+j(8cb#SSNG5&`)t47K#u1(fb{r%S9kB#k-z5&mPh)_0`6tXq6iNd3Hm9u&!opocb?1IULk?=Gsr%| zWof(#JMDG45sVCGJZ09Pdx1wsd={n(8b74Fsg`M?cpJNAz^;qDUcGj5tlRyL8?jEy z{=j_FV~b+5kk?ZeVSEFw3R=6mdtoc+w*rGa`&P2L!#mb0k2<%b*Ei8-b(cd^9pG(C zbrnUzwU7dwOVtxi7Q~R-*aTjjz42$M7?>8@tUR@7mabNk_4mwZ(W6{?6HYRphOi_4 z0&mG9OuoDUYi*1=0c*8(qeJxdTyy%{=Iwvcm}kGev9(tc_OmvQ+D~*n=KOR8L0+@! z8$Ud9luXKc4Q%(xmyHu#kk4(u(Ktp-tUlf+2WVZfsicX$@i#+)MO2k4>0RU`%+^JfF&Ngy^=bUVkh%)JDQQO+3D4ASfilQX4C#325xA&b zAh(j^@21@jTm0GT+aui6D(Q9cYjUl*28dVRFZ=Xz9@Z?b3voKM#C1x~p>Si);ZgJ? zQr?sD8-q*zMrth~KIrAH8$);2uSugrwZOBZ-5}Ln?t#Da-+FEJ=)%2Rjb2g9I1DHB z(9fg`!%I!4x+37F42LNlb{T=c2Q>VdD2~}N3r23NpRDVK8)hn>0Et1w+myw~LB6v| zzgrjiF{_+@d6aZ_vf`wF$n5m*ABd<98`L28e!rImSC`jLQb*eup6iFv%wi#Ul*gkD z&ej?1a5YM|Oew8%@7`0f$$iZxwoK|cr4})kRv2$(`!G@=0}l zHDB7dA`;~oFDUaJn;TIvs8HbmE2Oh9Mf<_d{R^!yHS2M$w;E`3xL|eJuF3px@eP~( zQ~%?SLR-qa2AYx2ImPa*1a%FppIkSFl;c;2jlSwR{_))q<3@r+%DuE?Hj8=@<|qoY zZCkdZ3BfzQW`!w8 z>)(x>YHc2Lm4M0pBn1=ltgK-pV8mkvW}CU_y|dzyPdcdYM(Isi=v z$}bKjmMn=;6eurOfYmFgNtQ(^8IHqw>Ly#UDt3J^)K`nm>*dGFp z$YX>(q%5XKR8;%QuOzXSxb2P+qRmSCB)~QV1LJ&FK+!2m+K$&#)W;19@tzQ^>SV53v24>`nL8= z$#!l3!q+dQwq(tKkR`C9Ab?(+ApPg|$HO-^uiOB+5P>*oBlCt&xy%G$nd3;o~rAQVy_ zT_~+@_p`#3+?d=|p+}jNMXNdH0A^bWWOB;)Fx~htzWALkjQ=gNbgz+K16@GZ5x?t? zMPp-J1~JTG8KnhR9+qS8&X^Vo=vAYZlx?}CA&#vUL7zC#dBJ)${y{v3QWxemv}S=~ zO2=Ti2u0oMPgbF+6CYi7TtbwSU{4rr00RE!DFDU*V>4$Uz}Uvg9$*461(*RW0G0qNfHlC{%o+%=0oeRI z+5&8W_GUIl06Ty^zyaW3<_d5GIGWl6fdEGr8-NqQ$=V2L?_g+S4+J;^TmY^BH-J09 z9cXVu{okqim*xWer}4A>PyWNd92cVhEf4)KjFX6$_y1LA{-e_{{hOQrPp9EzVfy#h z|84&NbQ-RIjLrYGPGjg;q+QF9?r5n+%g!VI_pH!Ri}oK=bMnus=`dVxPFUY=ndW+r z^qT&3xcaIab~RC%EXgh}Il{AuM;)i0gT-0J0vWQb#6L~L{zuR-8>>RdBlK8S7M-H| zQpo%Eh_kEP+v|Jeb{C{YHHCJQ#^UC}u!4qy!2h7512JY`U{JUBt&OV6=t>JKBlVTm z5K2lgp|QgT`f|?TnAX@p$2u_Ava*0lW?+L>;rlLt7~*>P9{SLM1hX%R8-FJr z_1<90%>2kjw5wrPY_X`sd>(ctV4nts`S2M}rgC$0Q9U$rB+jzT6}J_voeG(=vQ5 z(-*Fpk>SaMg4Flhe{>q|vkVO$5In!?=zls52x#O4o+bU`=GQ-+#@NE<2>?$C$zqZ4 zZ6pX;3z>ehj;jHRkN0ob&{ql1w+7{oPle9*($d`J_9pwc_$L6tI2u7v#t=f?IJt)l z9{>A@ov9%h_+j#ktSZV1WJ2~^pToZXGl$^gDirqrR@$@h8@gD1B_8 zCEj;2*sss+vWc5*$~&Kc!Ebud@0OAGZ-tHT^4V|a(C_c;<8K)HBO^2F0-MKwI?cZS zkB=^WOOQEVpDQdGulH}Y*6yUVqV;e60U!9^;9roV--vip5}!SjNR8~Tv{0x&=Y6my z@dhXU_=(#aM+X;!7Lm+E%Q8XQ?>Q1@zAubevv;3NWTINA9^sp^`M|vTS0kG zzOx10ldthWo_e6U($c!V5Ldr~^uMMb0bUXwENZ?-+wp0s-}E0oA72hdpSpUYRq$4k zUuo!K5?&SsJ^PP6aNn))Sr?bzw!`~Ygt#%il48JKS`y>&I$$>7+ zH_VvZ5sB>_h`@mStbnK99K{kW;!9b!xqWjTci2AxSyG33Cc-*GB`5gtdgY%Td=HDL zO@K0oYykIa0eyapzO*)+IHdhgD08{5Q*5#R+j-K%-jkady=QpQYkmSNRX8}V82)6J zIcmH7f{g4>udZFn!3vg;afBF85PNW}0SyD0!sSrX*`&8zy#mPAonNH_5;_T7>~3q7 zoeE37hGhoq6yv7))qvT2b<)S*x;Z=EV3<*<{SB7^Qc?!ws$ z2ef=w20X); zuH2(J;MtjX1?&9UGWBuCF$q7;vXcJ^Phv9|K9ezay`bb>xGqBdH3d~O+WDyz4;S6Z zsK2Lu0Uja&3}1Iu*Y)cs5TY8bVMu^JBGqEt>9V2{V2JkE&al*Z718;%{?yxHtWn$} z`KmCf1MR%N`tIu`66=TZ*300pUjdCsmw0V22$l)*lDtmS8tUt;Ol(m{<88H?l2SNt z)@ttBQ#Hb=sT4hSGd49yf`Q2(f;0)>G5T=Y0&Dwevgm$%x@%@5FY)k+SD7N3J@>^t ziwYEgfE5S{cgEjLv&aoRJ*xVqJC_Y0X>ix&P*PU1Um2dg?IVP_n2x+byNZPwB)Wnm ze+x*aixG{JjypIjK42I;n}v5FwoF>fZpM_`j7Qq%te1XT5J$%U_U}7o$8G~r!v<#( zN2n*2?jEoj?A-to+)IkKoJslPCaBuH6&+Cc{5;~y$3AOKSb1D;az+YI`SVKPVVf{u z+MeD2Y-o=@YNN(7>&TNgYUoRUE1;$S+e(b?YpkCoCaAzbHl&hDEXhfnL?GRS;9ca^ z_V>fz*4s6CzF}}ocSDAs=qe4)uXX;vuu?;slNF}4WN$|dcAk?rYPwB0sJ36-`1R*e z7vbuIxccxNL4!Ip-@$`A^}zGk8>>>!Ua#z$lzKcoM_0) zfz`)+OgjMEeE=}0c zy0Q}8yMvaTd5zh!B!vRw>S|f4St^_?qX^Qv_Z7!aa zY*A6TM^`wbXe>E784+jW3vY^3QcLHSmB|(pnah>v977>{@s3T=*YIG4Bwqr4r?N9$ z>GG^PD8gbv_}1UUFe@}-VLw2tU}9bIX*URbF%lso7|sf`+b5gL8hWxdfQKsAtJWq8u%Z>4No@q%7sk}3*%_QUpH5O8)hl9185EUuC})u1oYK- zRyT2yWB{&p(B4FUTh$Ai9NMH>wsh&*&fNmuENNeNKSz8@^JEMTm&{@tk0<$I?9o2x zj#DLTFJaTQh+C&t%_y^p-6H)$Vq6V}BfflVkqPfWEM^FTv|wKNO)iW@>5}Vk9$n!J z@*Kh{3)^1|AwDEOSxs@8vl^nCv#$`-{jPLJdb9H*j{1pamuRZhoSQQ4WGs0aLw z|ND`F8o~BLY1Dm?uDzvoTLaJb>t(R~Ufq9EywA$_$!i5JNO9nbR{h6|kTl+NY%1Fq+=G@ zj9bkbv3NE;LnbmBI%PiSK@BC}>d%mDfaFpWQ4SLP54!=epgClOjxnn_^b_X%lHdJLL zM8ykzmKf^X6^5~|2fR}6;Eu91z-LCX3FoZ0*hBjAw2oxBw2+dOUImAQx{F0U`n5Q7 zp0@6};ZaG?Q{aoAmDF7kXqh#IibAe444$OOn?)p4NCHz#Ka1d3jIu^?>qz zz?pgDn=dunL%DC5?gp@tmE6Bm<_*}UqLY#5XV5)x9&0z`&DiPY)z z)1wlcQzs75+qKJ1@4#1b2C|QNPSrKEdapSPkHpDjh@)h0+!zb9S zDg=6&v4csP(Q3kr-b}`I&^Q0U-Pa{8?}W0nbOe1=Up?Kw0{oRfKjMhdwT`-&B6Jkl zbv3E-ktrV;xvly7d^pJ1e(|)>%xf~n`$75#_$fDR##n0 zsCR;hLb$B&_u*n9)AqgxRJH=yvb}GwMMwObi1Ab4`M6&5;R--ZIBr@H3i4jCI{xGt z&YXRe*XZ%>OL}AlUKFXes(i*}UG`=k{H&wMzlQ$%>`OBmehNdlyY7~WNSJWv<}{X+@R@!sSh^IOH!0NjNc?qbDI#Jw zUwj1`nH#~C+V9w(iHqeY1Su~0kVmZJjgqg!tP@|zhx`~vhs#ju=Pj^OYUQdrZY9A2 zpJG47W)^#of>emmB24gS(s^Tar1%x{8$N_pU5qyTcR6o#yF1>R ziWgK!`D}-i7kUQv6dN}+_8CIW8UKBvv2fx8i+wIE+9y_kjv&aET;fSWd6M~aurOh$ z7Oy77=!uJ|%k|d`3AwgD1YNFa1;)I0_?`_$AB-UB&eFj1H5;GGCeY?lER_Qy4ikOe zc~p)d9N8M|H(BYkuW~=$oe$bqA}t*^XenDEJ0jTAffbw}nn8zqG2CXb@ zW=YQ`?!=tEBC3=smy*;;=DW2S(xINnQovnhc&JAPQZOD%dDjw4H|cYJBoASqk+Mfx z2AadjFCr73yi*~!q z66|%6ZLXgi9X5-6^qJhm`TSPo zW(=~>)n3zrxXd^U;>dGMdI&5_ck_Atey_JB+1QuQnsFmuo! z$;G9mXJTuenjsyT>^{#LEH0+Ah^EESm#{;wuP$NGlIrh-KC)LB zgF@_q3i+z0KnfPlscJJMF%+8LDIelFa7jaco{YlfV9R3|y(#52NvE~yy`W6uL2W!e z5c~qixRuK*Od1huR8-$qXj_4Zzgzau)q6IB8uFX63s^P`U?CYDx#W1cRLOr*LO(^9 zprV&uf4cJ2l#5(gUD%kzc#Aa<(6G7>P^w{E89=2VG`=mOS_LH=no%tgJqu?O?HwDY zI{kdGsFG2yledt z_ElPY*Zr4#i+{JTL$^!B+c-%vb{l1MeRjH70W>?yn`vsiB2%*A`YrbTCbg4G17ei#jtj)=5NCZAG-q0k;@GE@`=2T|8IUPLyIj%ufQ1i70 z#;h?gEyBx{f4}ODEohLeED|ojA`Xfv?j;xWWZ=YWO*>S$xAN|*6wloXMH3#xqbNjF z&$0N0(bGzg({0HRXhqfus*0Cq9@Ro7$2BV_*L2WOp{|7UmL|aa!P@rj*IVm=nxx-)LnySvcMOU* zlu!DX%~rWk(C&svzb5=YLp|E7=xI%OU$d+D-y<{BG9x2)+EDjXdi@84?TG~qImkk84rZ=JRN@`*&ZV?$va|69S9 zaB0Y|DoCL`Tk@#|sM1E&8@6e754&Ks`vF$5U6Mtmc34vLT!}^g+mjUS1YK<5ap3^8 zd-F#USVKaR4%pw^KE(5Zss;Lcfk=HpllP=H88gawOAT8J3knh(@Hd3r7Fy(ru~pjI z^NPVu+4jZCr8Y5KR2CTBl>XQljTDKOie$GGi^NKSkt`Ujd?QiuSk6Y~1mXZh5jMJS zu-|tmyT)Pz0BylR@2ILum^!dS4S!0~POE+z13J{PbyXq5@P(N_<-5%g-G(I=m0kL# zRF%BioI}Gx%tmu_v;I*^%#H^{1qmODrRFT`$t08H^vhMV40r}mlCk36G)W`;6AjHZ zC|*NrYv)$$`OSf&E^nma$Gcs%kAHJr)thr0cl4jK+dQ7A?mbx>zD^A)IM1{zdr{Y} ze;m9PEPlv3>vdJaP;(vJL{%;c;?

^p=w*H#myjzWCBbJ;LY39NLOA~XDga55wa=f2fK8AZ>L zrPIbq23E$&K-+L!(0A&YvOz+5t8`>xR{AO(7Ul_d4iL28N}Jxk(ZZnsCY2(Ftr+Oc zddoXBnSO$)o@JYv&*o7+d{8M%BWi+DJHmur4j&WroOsa>3C!C!S+tbaJKfE92cDKRG(`lT8V6w+3uqWj5hCqg)JN9@7Y%RqZ(c|XO>dwOR3H?;_+8ZpK7;>sv zL2ZY5RC9vb4)Z8mY6oRY63ffNFTXS$dzwY?bqGc`j040w2wF6=Dt8QL%}Z^taKZ`K zfRp}k7UgR`AyTDRSmg5p`IYY2Q!GH&V#kQUKB};=`Y64V)hT}%KwG$f7f5FX{ zJIua;3bwsc%ec4D+FrpZ(x)bCFW4*Oc}4_f66_#|gk0*?)&@O$Rn{EhwnK+Eylx3S zry8!gB<%>X?_96*wH+b|KB^t`!nS}-6xb&+?_nni!Pym|^_?yXtwpf8UR=TCNvw)IPmkv9`4d_vqmv5(|6 zcch)t_q-U94zrx7JYr|{8M;QGH6)-Xs_mdBV~T45NwaY{)8tvD`#KdJnILwm5ZX?n zU`wY~+HRq>Cxo!9MvRvq$$OoC(S@vlpt!$-pllgu`W;~p7;VpI0EZ~}BkW~_WCjL0k2`B_{G zPMF)Kp^9DbYzUe~tvcRpW)6JJ;)6@j2w%K^+!xEP(Iqub> ztu4)E)o`UUuRmKgR5cdf6Y&h*77C{X^bFySc-lbXa&V$;F>A6^*{mtGN!qQKqb!u- zB5(eb*hI)rK6G_~b((#U+!&VH>KDD41A zCVsNSINcQIOFMQ8hyNZsh6L>P?G~xW>}%&(s>PChTii94kc~zF2$vd?TA?JqJCY12 zVoxwxNRJr@Xbs=e^+_wkIoqfo;(3#dk#Osdw17CRx+ASc4yEd-$)6kN$ij6;#!Y4e zBX-uD;cM|@NZ{PQ$-=Qzb7bAfH5GRZpfVnL7dbi5yi~jG0$|z<3AabVngUoof(!}# z6NEbmdLzE%^EX~e;gKC&oPOPrF^3{+N=QQ~Cp^}7)LLdZ5`WG2*qgC}E({6iiE2CO zxk%A9Z%4e40v6Y7YEyMy9kt3t1B*fubR-ST?JIXA>xVPEJ4~sGb`g9nf(!`=?wc%} z$u&oI4xQ{Rpq_PFHVn9D1CkJsKa|<(V8ykjBsT=n_Q``7JG-8tYtc)IKDGdN_~-P7 zwE|*0x!F_`{F@H%(bw$z;zpdn%}#srrQDGz<(R~EanDcqC-_Tg1_6pQO z^zE0x?~zRn>WK;1nmy9st$m%2ES^qz=LO;<2u>@#<~xhcM+IF6R6=jxY~iRPsIr#} zpMyJ+HY9D|9Z4JFb5KX#X>bU*BkeR4EOW=snbz<%2x>^+-@fG{-MyxvZG_{|N>829 z^S*zrl}OqVMlVO+32*CDdEX$K>yDlMPtdj4F(P0m+RUXBb5K*{pg4g=cVwD-+rQ@B z8qWzM>SIwYP~P^}ntu&Nn4)-8$BWO#v#4?We?~TTO9qI()C`mecB*p9sDdKZXSM?OQK6dNg_Vp>yHF9hrUJ^>5i>h7ZOg zvOx1CHq)qF@WA-@d%`K`TJ#ta(9>sk_-6xRO(Jgy=UxAn4>=gBf~wxJZ$}ut9LZ+G z=k#;T=PourckCz^QuccU)4dAYd^-r*fVky&C2CN3WQQ4R)g4(t8L-wEZ1DE3Utc9` znc-c(RM?y>KS39U1pe*YE>xrwur+DEh05sVqYgJ}G$Myta2UBG9TITnxFgH0cm3Pm z;mGi{2&N2sE5;rE*?_nWwk+@Z^$o~&3h+DC5(N!Gyz8$umfH@amt7UqpA+7TqiMpw zaBA0(o_{`h?4V}@V!c1mLIoP6WF~G1rW|y|BjukbZN$wbb!0t^N6H<0+C{)Ml+}=c zo#vZkhY!nhB-KV)I(OJ1(oF#xr+Ue4qXs4G#EKj$qA-F!l#?)cM9dww<;Ki2bS-)e z3Fz$`F4V09s(W?@QoPO`8E+W_WCSEblK02lk=7VR=Jct2mZGYhJN6J1d@X`0iNH3- z4*zUd+;i|>TA9+wamV5zGmhc+oGQt~W&$>+ab0W;-1BD1yFwmef=u`)=vwp`68I-N z@1SRA{2+~hx0*D0y(ikpp{;@X2y#2OtbtoTF6aYwUh6x^ z*_BXk19e}rE8(8asf#UvdkzR)Yzfo{ty`dM39Pk)8WMtbxePwRPSCYqN|GtHyMvu= zihE9A;28x;=3s@{5V+^;xQmbf#XsA_WF?gY_IT|zN3O=(5+LBmkg)Xj?G|1cML1t` zE;NOP-H|skZMBpQ$vV}BzZaUCTa(bm%Q-upR!{lW@;2 zL7ai2ZFULr7KS@AdOrT&bJhQ0*Zn;9A}#*6o`vSJ@97%hF2Ho?0JP@4heG@(Jgv9Um0(0@IF9N7{V&Jw@bp z*e1xDnd71x7OCB6dXqsxjr)|oK)qsjB;|3F6~KrLsjL884}(t`x12mD!7s`6W0^E` zEppK$8`iXKu#-IjNQrMZ*%NdmKJdJ+J2G}M0w~myv6B%%M<$ev06P4s34VgF#g8Gq zO0lrd7u`+v1TLBkmFx*R22dG~9M-z&WX*_75~dj3bhya~;P-pz3Az?Nh6MBk-wt}R zC&-q{=*ga-V*sqt%SWP{jDSII67@>-rJUt-lMO(}j-#4tD?NS;3Ha@sEH{}G%#qG3 zH<=UEfy?-5m*vri%vZj|C8Rt+MgRly5|9x<;*v*9#8cq4{9{PKPoLf4pX>?dNDj@L z> zQk0Aj)jo#s(>nbo+6q`} zm^W;)6+o5oJi>Skb|9Mplwj0|3I9SG0k`@ig8M#~n@tMpl_#jcZ!HhpU|~Ce+r9bs zX47Dg)8QYFb*7X}fl}#Uf}Wsj`NxpJKLNhOKU)=p+6efs1y$b7?%wtXiieWj9+4>J z`bBu&6G`qm{L`_=Kf%`^s3ARqj=|0ml(g~WUgU=BBQbR%I>nR>Q&N-oyVa4;N_X%3 zgE9nn@B5`hz?gr*=+uaSort!Boh^v9`tc@)cW?WHssdaf6B;?}de`Zij!Y46`-gl~ z(t0hosV3M7x|VrybFk-s2Rj=OYZdVZJMa4C<-2|cW0!LTdHzb+<%_E>nM7nJ3#YdI za)Ew=p1^C-V?^MdBzp%x84%^^s{TV@@yNkVDq{(xWDDH2aW` znxH1gTGSX3P}{d#cv_4pvi}Fyyg*H9#CYaq&g9%xJoD~I8w{R#ccil(o_SbZ%1TVo z6Lc+l3<>CI8SHRQmIHI-#p3OLP%Hr-yhmha81ZZd+;#S$;9{P_`#pC~q|+w&3A`3R zh6Mcftriy>WAXvCT1V6t)#UvY#xHMgcklP>=(y0&Lp&h=#ahFhWu|D9gYD!S2{mo~p3d(U2hlJpsOho*W6Fmozt9v?i}r zTN{qslW@v@OR6AxM3zID0(>fyM799;;7r>I|3V7EgCPMyiQW!^k{#YeN_?^>VNg%O zr2#3MjO zWg#9m2g<9e9Z)t01{q4yji)6)Z-SkmYtc*6DJt(U&vwP2G!C&Fp`CX!0xs&v=Qjc_ z?#P64Fk!G;5^(W|z2ztPTKpIi*tc)H5WCSFgFVaPghBlWA}bz|rO?Iz7e11tYlRPv zT@PCWrR@KNe*&+?k0Aj+!Lh?Y8y1vn&On(@`2@ql3D;} z-jX{pK~Au3$azRWZr9zy05dOL*`mY9rG$Apj9e<@Mu#;;3Xb_X0*)GS7p2|!?GzYV zz-#eiNWf3BGG!if7{7E&hz{YmzMrt_7CMAqDgV&X*6s!BkVfVatI>$G&G6!YCOt(De=EO}1@>?wu73S;H^}1jIzz zIlpYo=7>56TM)=0E5S)ojK~+8pQSKYD?YM5kLk*TU&N(A)(*P_R)bZ_V=)MGtYpJ7 zL0T}jJM(VE`*iw!R(P^HX;0EAqm%Z;c88n>?>cV`6=V%!3<&JnwM}@}iirn05O}zM z5!oVZlV3+O)FmP)?UkfZwkGZQJ0|DOZCS(Bpq27gYzoi$WfvBA^&$fHU~vI0wOg(d z`DJ7t&dDRsdXpIDuZx%@4Cw1)btt$Rv{JT;gNt*tm^K@QtY$%zh%e(3npIV#Rdp5r9@lIXYGSPn zN(x}44TR=WM`O$?!PTG@Pc#O2j+Ly^!}1z&>$IaRqubL)q=*#1Pl`}>B<+bSG9$q% zGFM+;NH9i9U~NdnJ!`+hEoXbdk`AGMriAuLc~`c;hY(lQN#^7FLfG$*+TIO4G4&7 zY0u@*20*@N;K~&|Wt!y2`*yx%;FR9H;=FGY-iYK;P=*Mdb?=y8eYOc#jUrkSfjL?> z0CH-)D^^gSJgG15+jyrVpxU>ypTyNFsFfGBri)e3Zml`SOMo?U$VMO7rLl9oWB?!! ziJR-2D;NbcS+}Mp_DJ^P;za@X!R*2RH}*Gl0ulHB@^IU-*em0 zqLqMRB(itz^##Y~*IFw$v(xWkid-V89jq>kH+77ZplW!2QZz@(7C?^ox)=qn z;;15Bi-Pldv?N@Lg7*A-;HTt94*1sV3qPl9N?Q{r42tPfxGqu6)vN~AazdQq@b@W zPtYC}Cq=pqej*RlDYYnvLKw1Ny~fLuZbd_IoCXn%T7`a4sc4bx!B0gQ!egX@ZKNsU7a- zqmAoK@ce;yzcIT6S0jWeN5so@j+XX&CP?(xZit5_EedCZmiq7Ayyi=Csk*?#F~^o% zUxId%ZH!o-9-;w(U%Pe&38f&A;|#7XLE>DZzxHWiNf2qiq-q3QV&vDP6o##rTX1eqR1&b;vKn)u6@Z-lJu^V2+kf z=R9!|`Gr-e_OxDH9D??^UR)c3_Jo)Y)wCx*dbj5Ok_2~*m>_EqV?aPmW9Nvm0J1A= zsS0sTm!Vx0f>=QUU#Cgh6Zqb)Zz+6q@pgS%OzJUOz|~;I?*mp^A#<#}?Q^|GWNW|U z-TIcII2RpWskxe@*1L6f)~K+9exLB=GsS^8#;P|B*-Qgg0(g#<7SS=gh+GBYm@=p? z+N*I6MH*@yO<{(uNV-p(l_T=DRF}|uS84l)c0iYy7mJ_ zGLnk)PJK^xm4q&r`>%hc`{@M>|PxRMLjW&$yg(9+QPbLU8WZfRs zjLR_K-1od=#N;?=5Myia5p#rT&M$5GOpp-J0!Rjhi#hP?s6AcF0kKNt(N0Z!{=Ieu zaw4YskXpDMT5RnBtzARosx6<`L|jL%;y`->R9iLei45ARX;0#;t(sUy{*LEeOvy37 z1X;tclyT|U&YWMsgJmeXwO`Sui2oviqvI>|Ph#cGIy(oiK3KEEr|%oB9S?xE&ju^h zZD5x^ImgO=^kYhAcF_j5sf4elI}yl>a5?~Fnj8e#RC!Up7Kt37!OT&RK1r|-!BO(@A!8{;L&8oU?~*d@x&*`;0o zbVyN15}n=07aWT4X0_`TlPz()MgH}pb+ppc~`U@0Xjr6~1OQbz& z4Nit`kL!_>q1)p+a=`>HAw<4&qT~0N1mf=)F?kLe#266xwQFr~)bj*MP`p`FFe(Zb za(hi71s7ew_n5$!7o7G)HgDF~#ho=qOK>%4F`!4wq?)P?${!*>_ze^I;>$JjOXpYG z6TiG!UsLSg6%r`Bm-z0@x|Et8BPPfi#263|6Upa@>447O8Sz30@>P{vc?>!+(R+2S zVtu>t@C_+@X)$^a-z#o?6Icya$pK(L=Nu~^-C0Z#ExjQ`u3%!LjRJ#aMwX&ZFS z1%98u&nr2!dpVBTCCD1Ycql2bOT?NZrq>@&x8z=PlsRetn|E<4d_*$n$s@j!q)qQj zA95uvDiQ1VJ3askC3k2sAfTnW=4k0jB_>FMrA#^66Tj}}V>0q@HXri)<`g;xF<$kH zgwT7_e1C^uf~?^e0|H{Z=7uUYXo92;^$a9;8IpptSpnZ7pjxGA7w36$@heM%-kGLy zu)jVQ!`>^;v$7GbU2}tK#R5NFM8D~YL*9Z)XxXeNuc_Eq!^aR1+qE_*uIz~uTWscJSLt2PRs&E%%vMWwq0*w?Co5m-1PfGr9HS+;8ngmd zi2W|RbOVI@Oi^jvZT;l;yYG6gnrCXF(zx3yx+iPNWhD50)P^ME`8zv!39<$+26XIN z>V?nc&{k3QJd>~Gi4(%MmWuDWo7V`Z?c#2iM|LGs-dW#Ywu>>t`gnr|1jMwIcMy}_ z%ejU+RB|GboV4J}<-vnqY1!Glx+mk%WhnT4{*KA8Xxj-|-R=d;BU-!GhU;9M?kU&e zu4gJ~PwLHPS9Z<2{KYwy@PJYNOrnFWvGNGj7%v%+jT|x{uxr=cAgJJp6G82pd8C_B zcRgo$$~l)Lk-9z6!B$$%#dP@$o@m<9hk~p{EI6YmPqZtCz>}?8o+cHTS^e8QEY*hF zS#2KXhzajVatMMLQJ!rcK9&mjV}1cwgH^N+m!R2vb=f-1^@l0rZFtglB=ub0N^PgL zv6s{PScoD|vZ7dsZns*Upw%xg1_UvbXwUItbIFg*-1RhPe$vd9I3RwK*@tB_mC(D} zM0=#9MV6JZ@^{8q0an8-ejkw9w>50)J<`!#8)*u8v7`h{+Mymcw;sta;JO^ATs!w6 zGmLgi<^-t@D-8%(i6B!}xf}))L{;^8H8s=8%QZasedLx5_FFnmJ`P@>$-Z}G58jHO zOJFF|p#eQwPUxGXWy|xC+)%C@!o<=3e%N4qBzFh8Mf6YZ4qm8pdm@7k#>dXi^$=v6 z6cVP5h>0k3#OxR2B70C(C@BGyb}p2Q+Y`bzFdxZ_|B!)6UU2?CgrMC!!cY*22lt3Y zLG;)i#3XR}ZCm+&bNa-@PRhsRD6>i0nocMXk) zo+l??J;{m8GVW?dOZDN0!(UT+3YFLW`-JbAor`qs{C%@==b&uJ8ac$m42bPo8btXu zadJ}==W%V=XQqSYS3apKx@~|Kx1pUBq(K;<%&3u z3rG=-k85!WpeK}M0&yWW@leJY?Uvc`(h^h+QVa-4>6`PVI~7Zcp6a@ePbC9*Jci?-m5dzNjV9kgMEaVze~@V%p^I8zs0qz`@O%K5S$$~Ms8q{b0lZ;)HN z|K(T9aivN-9bF&V?=~o}wEjlYBan^x+N!U{jm`Gm2={K(LEG?Q^_J4tb%V%u*E)4t z7p`e2v0G*@M5wAYb$jM@=ZoFQM+uQc5#W~}zW(Xs_umO?!JlanJ$0@k@st*}m$%zs z2_it^a!s{lVz>N~lrXA`J#~BZn!BF5wSSbvxB)^?x&(%Hsj)a>$*b-uH5BdT zI^IlBbxo&E5$e1KV`H}x(RiYMvKyh8 z)xD(d?Fxp#Pm-bGffgeAGg`=fc%Nxdt^o_AH3c~$WUX*s^VMUwqPScvZ){C|vFyIM)0A#NO<_0{od4j1IIIId$MGGj*H2GiySm+^Va@v0k7& z&NW_QM>}Rpvg)2_l#*!a>q#^ugHJ`newLC7J0P;%C)~fBz-)7ZCmbf-(i$_B!lg49 zvDMv(_*kiws%5+6So|@A;Xyj2jGvN2(KdjZEng)%u~a6u+0mMgTa*)W*tbD7-&wbG z1GQqu-6v_K#lN*n4q=cM3xfkSG|Mw;xTF>kP1s9WMgct2lw3-3_jI(;UHu1vft2dj z=$Tr=OmVkqxkryu7A$=|Z7OduMo)?)0o05|3MkP%!`RB78_Sq|JbarcbY4hCIXzX>#1 zH=dLCrShcQE}D!5ASUX;eu3*+iYASf0BnUL zQ@6>n##B?c$uUTVi9b|SER!Q9gx`HGdMY0_d9G`qG|uH9({-&xn!1hg%n~P4Tm)&o zpnPBx9|wT0Yf^psxH+|44cnCu;gAVJ@=uVDw-~1iC~p}|5hNQ-*O~8z1X1C;UiL_% zO^!7do4PFkty`5}Y}8V;iI4m6ze|oGHByR^4?s`F!>*t0K1~GK*4B2dCUqO(HD5G! z8{z3@tb`-#22V^meR_}(m*zlcC)r4<^eu*|l3dHJ|G^iPkPfhuos^@uyC;f;0KK~> zRtqs?b}x5+U( zF%!k}=$Y=Z5y$J+Pvt{6WcgrtAjn(nQqHUbYIcn09Odqr?w1L~=$XD`F!@)L^aYfgnQi>4LFsxMe-1uNvc->7Zn|$C?Nh$J&V7%4?@?3&3aYNMNm;fK_q9>|A=2Xef{HYHI*D9s}9JcI6T2g3%`va!Y;%n7}0tlehz2d_f& z@#SjTK%w&Nu)96?o_rXGv|uzm5acc9sW!E(B32;%#n#$Zx;}MF0C;PALJnJNTY>vD z+T@ry33zW)A727ryW{|fObtc{YKUpiRts-IdeRyHZLHmA<_E9hY4j|n&0}-!o@`DR zov0Z-TWx&1q}%UOLl|UoBxNd|J*9?C!0pmzWT0)e?e1pkHZ^7u2GXL0?#%ii0pHy- z*|M!xirMedV|bRM+-VRGM+Kh}#3tb4FdD63+iKjAoU8}iYSU=##kSgZDK(N4a&6Zt zQm5s1P@W_HP#9$Kz|`wkiw%aSh75WpqCWo39W6b-De>N z>fq?pgH-WEHx_LsN6Lq?v+1dP*aW<<`Qvde+iLfjZ{uQH?LLcs6F)FYGvTwXw%wqO zbK6!c#lv>xLpWrD#BvUcAU-9CO~Cssia`88D9y|Z3C}FLt+N`5juX+j+K}6>-3DS@ z?R0xA(f(ax2>wJ24G)XuEtV>pXE!;i(xDC1O!fqsp z4Y}go-Xn-{$OK_{Ac(MdCLO$(C79Rxj|nJaJWCOi9#g98gqpVG9<%TTcQZWojM%p1 zxYMSO@6tmkWO^_>(BmzpDbW-GwU)e#^ss?g9?Tg`YEy3N-5{ExkFR%<Db zY|NGW)w=`{4w)bf?+G$43LjyH3tXI<=>R+Q${p^(oVMm3Gv~+E)*M&DCM&|$+;-79 zL1tDxcYf$InH&Tz13BK}JH6UQ+%8Q=nC#D+np70cllaVB1r%>{_iW3xF}D?Qj&nl} zIOVmvD;`22(<71NE!HXJt+;Zs)sIdfp%LkxSeTUHbN6gVl`+TYnQoFX$I}s$*vnPM z9NnIKmmb0)(}UqbKHlOxy~;*p))`8&5$T>B=dLn_=$>ILV~+00ViaGwf;geaO$Hn3 zmrpa)jY6V_h6j2G$7cq}O?Du&P824^6Wu+<$n=;cG2CRZ@kq$*<1*Ojp74Uwhwe79 z_XNZ^WP&g}5acZ;Dg_ih>kMOAJGeO~D)AG93}YE=cztKYmcd5%a{&5=3?&vrb_)#_I+4pmDXqAOSOa$Y7&T@JvO>V557YuBkogZj0CMf)NUt9x02? zcEMA6$PNUk$)#~G{{>_ z)SK);W}O)2vLTRwnfSE{^HTyTlLzX|*I;yu~~f?-7lO{&!{9%VB1G zxR5K|leOS-t8~wBmGg}COkVFU3n+dHTgD~M;NhwHl1 zJ<)|O<4X68*0$t$(|o+nDCeNLmu-HR9>O8hgW*9wME9ozv4P0b)H9&GIn1mF-c>iu zvjri)6_>|m81roeU^dv6+~N6+2A&cd(SzZE9+I@D^ss?Q&94bPY#<(H$qKIMO8kF{ zu;_7|$TzR^8mmWeP(}UrG9&fQtU8EI^W(&p!;`Y2zB$q9@Y4rw| zM7{8!!$kUQ$#I`|)~&^Qd~SOfhfEL*!JZ&qxK9Pd2I6sMeB9;IA4(5=1y;f?x>-f{3e631Xk#apr>%!breGfe?Nb$TJIs@T_> z#6jkYsB}+`w*+rR&gaK{DiC!89Y6O}6bt^GGf`-;T3* z#6ywB%l7Vh8f|(!w^6k$GdWT^oxylY4jY2UnF-<|senAAhh2I+U^&(=M1Db-o7=N) zA$)2Jb3u~z=7iJ>oOYEkM9bIaL5E5`CnyEy4^tLx4Ba3aY@kZK& z*f!WsGnWA+yfydYGT0@EaL5E!1 zdg&%(d#r8gwsb7U$u2Pjekq>XxTJo=69?3gh!y(Kljj8c9nk6-qWD|w=R>{bZ%+R1S1pG59NQw`~Nemi}xOXBDI*=S@M^e{nqfX;Q9wcgn zc_#88Nu&2E9Rz(^91ISGc!RqXw~nTq6uiQ3&k?o$RMN zCmha8;BJo)BX{vJdW(5F<_(0<*@G!3oYB#PbN<*=!Y!rVNotQ&7&nc_9M`dfk&_)s zrZv4@QhQ_=d5Lj6g=H~*xhCi`9XTldJRyTl9Q01sxIDzf5GSZQ18!DR4^NiHPGZwX z+0^t}4)+Kl=#zek&SBp4d4oLYsKJyI0o6(4&{g_|j@8*9T}LH_F~=R{-JY8XS?7l+?Lm%}6Wuqe@-e68@3+6h>7#tf}q=HR)O@>J&Mx0|J(&V6tZ_K?D0^7*q zg=EdUM+N{$RA6in2Tk%!9BjBPuMOr4vbfWL_C7gpxeOw`W95O@OJgVM0ozNx6YEXJ z8`nghQ9-aLGDNS09jMQ!V7rY+V8{HniFKdUWO4Pw!|Yxw?m6K(G1u|VxpyLGHnE7y zKBL3P!;1?pii2i(MhM$&vkQ$l<^XqgD-q9|d&idO$tKq9@}OkpJaI*wY+^mX%Z68R zAP&*5%lmt8AcO6;$K)nF-aH{XlUV>x zDJQ7PS4-~%RdBgX9w_3)9FLrkK`t&buf`&Xvs1lG3~`SPf<2KTIceYW+!D{Uc*?Pk zNJ zJe3VYuT^@6NA}n8I0^W;vLL;a1th=O}`5cG)-4DQ9@El(-AB;k>Z3uC6)q$3l5(koP_ z+or9r%jC@qo|c)Vnn@#-mlF19Fv>GahfL?+Jdp()%tB-06XQCwd&dNFjY7tb38Wf> ze0k#h=2joQ*U4Jr8k&18Wjk~*^idWxILLw|?inF$(OoB|En+EvCYPUFn~>hI;&5p~ zddEvfo6O83>6SOY$O*8fWGSXKc~kC&w=hrOww_8f<*c9-q9(eRM4E z3ua7geBGa3^f2s+3=9rrkTgG&2U~QrvXvKGboYtB?IH_?l=O)rwDonL6kB$2z~g;l z$h$Tmso^H^o;(QpLoMEf!B`2u*tE4$BxuHIaavxAH8G! zdX?*o-e<=OLmx#!g99PnU`k47Ung%4T;)&WmcoQcvR~+(5J}b-@8OM4S1$O+4TcFB zWPQ>5lnelnsF0$W4%|Nz2So&#alHGxf*=WY96?M0jP;(K|s#1{A$x$H7&bExi*WGIaKI6elZvw3JNA5CWqZ+Ut+YpoQ8ZJ7 z10mjENV-5EQ%)3s+-YPjOi-2WMejt3(s`YD@mm;muQ#A8b452K&HovYDr_asi7wYaAAx6``f^*_+aCtF$ z$Lw;cuG4*T!lYeTPEMGzj@X2RW=6!yh}u<8h+xU_Er7Xen7Hvz5Xt zGD355VsNb@SUuh=Ws%KR(cNpI`0jSrg3DzkBILCo7Cs}wO&ps&O&|mDHc0_<(Hurj z_<8qtC+399&yck?CXp7|?P(Sm&#mP3kixh=qCTO4Yr|l*k4;Bhw4%_&T96q$i(fpB zhzU2c##RVVE4X*O&UhJAy~|445e35@ML~mmweXe~h2$@t1zRAFz?oQhE)_xVcwZrX zR%0jWLb85m$@wJDYUFZm-y;H$CmN*VwVeacMBxUrxsyCL@Z=S~P0}97jn&AB$w|7Y zdMD24$6XYf)i1+^t=^{xiHBfMWJu0vQ?rucZ$EzXnIQVofy zmfe;QR>aB(_-@6nJVHoI zC40HLNXtN;ni-|`I~cg`7w~tyE5T6K&9(S?n5e9qYw_>!M1AE#F09jHeULx2gMk2Y zgh7}_7>c35L>24eE~KS$rR2EKG7z?n4n%o-7Oj65wc8M zJox-!7{~LI65h{`IoWFgZ_#o7;^F7p729%{5?A2Uu}ls+kx5DX24Bd*k8B&>$2sK@#pl^&40%H4D(BurTME8tj5E&8V@yX z?0T)6e@PV^&wsx3_*2E2 zs-1zKw9Zv=EhleW+*SA%^I$xCNBYw#N}kV5aq?NQ8H{ItbXw=nYn{qHJvRIF)nr!s3~`$*?i1Ecz+al%(jOHMv5l^2UyFvPvz@Gf|=`~B9(;D~y) zE^gJjxK-<-rsZOHRGAyZdn)Rjwp-LWBgffC>aN-rw`yC|It@%(?4MG70i7@?MO4ULmmi{f4_ihH#vh>X<9D}amV zVK_NY`9`3SejZ>E=_4%F?6_C6<6hko zyelG^VC7bG;r_g)u*+N|VbN{p0Lws4-m9~NH%ZFO)d;y)A4QG85oFI28|ZRY-a&?i zAVPpe3nkK}+9bR+Qeml*Tm2RFasj7P!@I{L>aq=BxrDd_M=*UU!cr}id$myN)dXg) zDzsV_rQ*yUEWYQF=z{w((8YQ&!BVME?Uj4AS4zDa~A2Mefy@A@*5-sz%5?2SuWK z^=pKQF2S`5Sw>2?dQI-tvbonl37cjGrEU&6P!d65{}_laI7G6Hv~IO?%5@opquMz& z=1ogwS`MEiSQHUYWKl`{eo1?KjiOtPSWn*NlLIUR zwYwBWMz_|wNc>T#zylu(k2u)YKc0#1r1mhG!~v9n)?I3B3Y2OPEmaoXQY80LEg4?= zctRF#DQ6DFLTw1{K5SoxKMG(l=9I*>`C`V;|@f&EHWK*773OOI+U@!Un}s*aQAm9oyG8V~Ub zGw#2EvaL0-uB0N=c`F5~4~0~M+VxCg$G3Sn#M-A%K;%0catBxH6b$URC30z8X z2vVX+BP7*{^Qb1$qnb#M>U^m;2>~g|YsyjxZe8#nDbs2UJ!({^-Z;dUUs+SlmPd~2 zIC39@iM>OUiATD#T0W0z`8=xS!`m7~0;-Kt3b%E#SX~T-X{eF`N?p*`&yh6lFDW9@WHoRHw_MI$bz77eXvfm+}0; zpB>$bOh3|&)vDobjXFnNZq@7ZsP;#>W;&ey)VmdNP6b)_p*0e}*fGTe^E+}8iygxs zi_{e#fx8UhaQ5Qi=@%gnuS6KKGUWRUzWlLl-u$uX0{&P8kUtiCs~mIolp&Lj4z>A^ z;;ez59(;abG=Eg=ivdH+!XN&q@D74IfdIop%D~d|KA2#sR4674Ggm4U#|$gF!aE4` z^stOAJzYufRiby|2ud+xn6DC{7%{Zu71>Wb+$OUswnrn)TS-uin4-cYjKzp4i`p$_ zSu38cDqf@RgO!ohBA;Ens{Bz=E@>vTR5@L&mUhNw7P~xqQe>=ch(xT5bBBq{@Ams0 zMo&N9s=Hr*`0=M7q1$5meDSMay?prY8)p83rdBWg{{Q^&;pN@Ge*e?^Z@>T37w`U_ zJi8yco3!i+U%dMdKmYXY$M2RVFU~LC{r3Go@ozq3SzLzv-S^*oc=w-v{7`@H@BHTd zA3l8h<6r&NyWjr&Pe1#u+M z`2BY;iyrP_ZtT04cYpo!Pk;XY)5|aZ?r(no<;%O@fBfm&4==y?+Yg`q@Zr<t*aOzFda!-+%b|5C5G_jlcf&rw{Lc z`u@`|e)InKAO6eB|N8jTpI`nAc|Lvm@W+=Q-hcf+pv{->{{GYV-~9abhflxw;hR75 zvtJ&*I=_C!eWG`N`{DomukSy7^W!hR{9^eMsQmi|MKo1RAT`HLT9MpdE@t;3XDDrT6_v;UT`1t<2FJJ!0 z5AT2a^N%0izx;CVim`yKm`6j5xG9on^VJ6OK6rcK}T zJ-eojKM$t?%zpB%`yCH@$_i@Q^gS1jYufnp;7g&Q?W`k9*LFJkzCqKb@A=u2rj0+B zcPK*JMW>^#4Tu$iYTEQY-aF{p=tkfp?Rhaus=OIX8073@R@0{M`C;v*jXx38%nzqo zbic!ctTRf}=I?3OY})wqaFe|s+8pTW+9=H@H+$2j@42FE)5f2a{_OdtHoHZ--*I%8 z-P^SBJ$Tg1kjDl*Xrr2Mgc(U2e9z_4n>jpI2i({uGqh{FoPFoIX%l?6Bv(>7Jsu1> zQY|}vkF$Rdv%W`uX!sqPL=J#vUVV=WPoa%OM>$xU-|2hKB5&F>7D4EK=Qf?+y5Eu1 z6mawR5}h%?WczhvY16^5YrFAaOHWgM&oB3NzXRr=hv=qQUW6IS%Tv&d_4fwwIT^Y6 zoxbOc(YB3XxXVd2ZTcQnc)K|~HsGPQTjbG=@Ssjt;d>~juFYe0mTP{eHrJ+V+we8} zQS_!w@cE8N)8?^BHdseGJN3U?4zqn5g;x_Vm#e$|@9_9VejqMc?nwko_>v@>Xo}^L z+YVt}Qr_k4uu%gGZ5J2L4sB7l(@knlq5%m~d0xK_-F#1DQO1#egaOj`@N=i{@v}rL z%#FByUmrZ98|T28lfUPPZVw-3eEc2(=3sB2b`ga5y#v-#gpY#P!M4!YTjDP&JM4M< zj=>R+1EL!B%i(ZRW>kmAfp?p78>W8xoiiT7*hkWxENPvH``=NxLZiB?DFOb3|RZ4(~O|LK26I5go)4sFB@6D0GE`yz=) z+*U|5Ajds^kD@_I?kU|PFJTWKn@VcCxYS1fJNErNuXC&V-?2P;*^rL7hP5Et`xbUL zR@-!>JsLLgm(u0Q=BGaRppAsZfG=COa^m`V+2bRRjuhyN`sGNyn#d0Cp)(9OY?Cm&2`%j-zBD5LDMy(u%JA4{%&;s-`> zqA6Kei7tqEPiJ_}9k2*9wXYKGd3`+5p68Fk`o$iHZ;^hSAre0@(G`5`aYJQCJUANU z?@^aG!F+aparZrH86~=K{z!a7)5&wwkHy=RV7a)kTKJt`J?YxG%&I76X!Fg`(B@L% zT^o1j6TVzHRk~OAJIw6FUvh4eF6PQ<(pQ{uW9Xt#*6cR`K21 zPV2g?ZKUib-GrvgvO!W$owxd0C?%ivS~PK5N1Pz!V(sZil6Qq~`<}1eh2Pzi{lbb) zIuWlx(tnh8iu*JNuw%4YDVxSYxra}MmV?d8$pD{G+M)BrK3E1_-Jz=BmC~HAZFKw6_$8Jxu?VN^-z8@Zif}4)jLg+bi{<6$|cZ zb>J1**v8fv+Au_YH=rGhRqWfDq0K?YwhgLeeGjFgO!7OlVuXdPzd#p$m)9y6&)0Qc z*A|plc%_Gh0=!YKI4vZ54gY*x3((Y+$inxy{E+52D*_OHmu&$&X-WWSekc8$>`rQX zQoE}A9bPG(TM4)+J{;u*>yJ`MX>3|E{LbZ@8(7%Oc^ojzOB+eZ{r6t41E0|q5sK>) z>pqPW1$^-4;le<5+MSaECWY@_mjy@w^)pLSiI|tTKI)h=O-!cu( zzNXWTWpy}%tZzev5?y%Ex0eHGPZjkjS3G~3)->Xh^Z_1ZM@{0;Y0gH z*}xrfjyyUtIL<-csyqdB!HIaip^=cJ#xMH=lZc_)>M)x(0}ndpb59pnm{CYj`W&cF=cBRHGpAb8icp|3F{ z(i|5aM32AYahm`i%ltL!Y%Xy+->ZiOB1HYiP8Qb(W2mN8=3Qxe!#L|;L0_>Yr|)sq ztd6ZVA%y~?j_@26w{;FK0wsCjrc01rc2zWLfCZS>GtTzCY+rE)G0P;O#kdwI`Ilr3 z-IVN8g$VLkib4eVxZoIh#Nzcs+&z!5Pa|&JTue4PZE;QCu4f))4)b#BE!v_m=%_rs zZeF?9f?V-C7exxcbKSGhHi)@$Os?On{NRdP@}+SfE$uURe3n%%3VE-ay6j7u=hOKw*F-6`$01d0=Xxu2BmUG6?4+@R^o-%3+% zvV=1>8BYWlBCWXAl4z>$Rlcp?Q&c_BluIfrFDvcw7$sWam09=S?Rz|rn7#*-Qd?R_ zq`SHJWyd$ny5vKCU~)x%5TVNY8RtV>Tg2_7?*V6avK`fy;$`q?z_*-3#U1W=-XgM- zVz>mxE@^L6oTTz-r9F;|xDOItO?wab5#pKTm8~qvt~_>?E-T+~cP743Hz>)54CBa4 z>bfNUVr14iRy^3=BHw^zwO>|PFb0x5W0)kmaPvB~am0>uumm$*2nWRV%jJc%28p^v zpRY0ulZ{SWjEl3yU!o6>HUz7uALfB;u(fhe8=GGI9S)O#FNdwwE{li_#Z#7*S#yTV__`oYW=U)pYwR+IitQhlq$T!P!Au)Gx9RqAsD$*X`Ol)E4DWXZxs2 zX!CPK%~<(a{QyMMMrI@TzQS6djn_DPJUFGeL{T@E{Gk*#5HG8aSb2GIy{9nNccc3@ z^jgp*9NyTZdRS;f$)>jRdJZkRgx{r{G3IkkSkJq{hvO`)BgXpbSPviW&a@T?sHCyH zJrn4MLS%tNm~rVRJUI5GHG>V8Xn+$S$v6l3JnuQ_9Cqor76AAd_e;`(T*+=0rBs$`Yn>y}!G-bNriA?*JJpGkcD<0<* zpJ6D$r@%LY4pD~*lz5ImuqxBq!XK7&1m5;Ro9oa88gRtyVL`VOc<$SjOds>o5b%_L zN?VFsDSIRN1eJDE*L2;d9VsdEZuHAK3^z?YldupDF($0tBc4fUBbdz@ zZ2MlapBYQSXg>#)zx>o(D_0zZd~LIB!|m-0t8E)1p7KlBR1Q&>(8k8q&&zkVv+l|d zLb!>SsNJal4jjw!?^4bVu~|O>*}=@wCHm_5T{>@(66l)C{a7in9uH_hGD&PBi6FvE zR!j8FF|Qx;>F0pZd2I6WF!mm8Wwk{gEp5pjg5`eAqo4QW>T97b`4e%$C*LM*IPiNK z@EwjXrLFRpB#d}YW-L+qek^SR8jwU#zgK0PsC}|0^`w2|5vR8pOVt&rw9fGk#n>#F z0qK0Mws=0LZS!|-@TK@Azw;|rJ)JM;H04-#;|ecjWPJ%E|}Hl?n{ zwJN@?I(Fq7?zOOf8S6TbJsvnm((kAw67?F|Aj+=it?;e$a%j(E2^2>>xH+GH=gL|w zeEd!1rHtL?@Xhe{cbrlP(1ba7i8j%I5L(h#GQATloc$8aO1MaKxWaybg}ZO*cPk!tYXyRHw4w7tq-tyjFz}P!)r)_D24wihb0hknWf|x!eyr!7l^^&< z()SeTjJVtKj(Q z`9_|CA6V*mM7G|*U$@07t8B1a#yAcUbr+)TzlYk5co4~o@`uCCj|KN*PXxDnnEBl$ z*>Go4yTkAJ&TXaX3NtCuk(V3?v%KJji}Io)SRR}1U~#Y7=3lyeq2t|q&Lv0QF0vQfu^Zqh^S6lsq?6R@rGuDFpxpW1MJ1-arvT(*bEh)#Ya z+M z`<{#9(zn)K0G4b&Uv$9iX@C*o=PUZLEdII%H@>+LcmF%YD#47;H{nLuD%t`Zqr%xh zwymq$w{uWUqhX`Jk^f$7=tra}cvh{2*sG$PmeJ`TjKDTYXyfdtA*;`>Gtb@q0uP z^1OsA0?g1a`%1}a%W_3peUddL1xCJcCeHY#m;<@G+0RN_^j#~1CB`O1=k;8>(nV2% z01KX=l^>OtGx{ zkMLm95qL(D43R1sbEw$hx!cy$MVVIddmMVmjO>4R!21{F%CxWh{z`k&hw|8z>&NB6 zl&?oy;*sW9{lM!SmjT}}LK5wDp(*0Qh8g8lrhMR$=3U3G^O7o*=8$5Gb8wL*|ISZN z_42}TA+1%?1rp4URO3TA`N@{oK`P)ufH~`XyjRht;d{KD8S&s)mevsh9q5O=Y`U(j z58Aezj;)PTahQXv;mHOe?I!Ns;>W6sD?g+*BFr4O(wgSvmvF-~l6?PEsE9FUtQRuk z3e4-ggSayqG5Hxt3rfCWu2d&|$_|>&YUI5p9+5s2U0;L_ZgC(0Xay%dR;+?XEiQwrTQ<3GZ(J9d0m+*z(U*L%*2xo ziB?$m(e5;V>l`b8IWxueOB!DEhcR!yzmL4EvbKFM>pz7Nlk8#urg=Hz#5KrHn`|kL zDOsLLE{pnrjL#Lmx|h)w?O4K`Dc6rS*GO+=4IZVtON5D&4JSIUG+pV!{i7tOBt|BD zN%>5AgMdY%l@jctyg>RehhSOvs0s@fbvnc1MM}C|sKxbxHJR*eGV<5`W2G~XG9;KW zF7o$Mo`>#fCjT0gk8u*+BuhSXv~%=NqQ%pFPP{ZZHy&CgzkqUFdwoCvl6X(VO=-=M zmt4chG+ka?Z{>=BCRfLLUW#wY7Qp&TJ^USn5zS$WR>7S|xVemZlK9kI$w zkuu_8AFV(elk+mCb z2GgL*j(&H-Q5Z8w)4GnY-=_!%U9MEf9(Fct6BOxu!C@`)hM%;8*3vF;R z>Jr_Xjq8Z?A+%>0O9&(CE5@cc7;Pzcfwov@LUvt>3vujDxo?yYOSK7TOEEt2XvMek zh>W{c7gzeRJXSidZA=_x18tgUpt2-E$9mqnR@Zqsat2+e6re7A$a;>tm^O~+ zJwG&W+@n+}BKovw^Q%9dyb#EV`v-GSEuxG{hA&L=E6i3Blor9xB zlv5T>lySc2C)hhVz%8HkBU-3 z97;K3w53>#+M-QOTZ$#9E&3=#tMv@F((0b>;6qR%875&{^MGb?o-NbVkIe%X>0ai3fB^c@%iuh_Xc7IOGJ}_?=%1Z`TKH=?=8ovOH7# zBin#-VLJ53aN)xi-<1y!9x%{4Ac? znIqd$w1s^E`<{DfLB@FvJmp2wMj~yHNtG23uxNd(dSjK1Yu=+EUy@0*bBv8~4I}xb zX!FZT#;{roDnZ-?Ued(Ke8^)B3$S$C*QMTyJu7 z#d*1X8DZ9yi?j!vxusq4SmlLKThtMxJEnafyFJ;MsxzDTOBf>RA;SCd+^rKtJO`*P z(~p$=xX)k`uJTgx8058Z@qf!NF2BPeo$OQEl5I;{I=kr99brZ`$Y?DxzVeL&W`vn2 zQ<7aC+)4CPNFh$fZ9KbR z{-w89XxrB6I)@InLD#|EHD0m(F4e7|f^MpngLY1Kj>-i^+>p~0H|2LJ_Qdb9P9*a! zu5@&=p&YYTem4kI&g2EM+m2c>)sOywNn&?6{M4A^La)OVP@+8mHJxaK-6mlC$K#>M) zDH&!zci-)K#8;yZR@~ui}Ns{?LaH@ zsKQryLK!T!U2oh_NiLHeir><#c8j$K-*Fu5M^VaWe^QM|Q$}~-DUpcr*PF3_Q z(wUfC)Cc4y$1{mwS=UE}g>Xv30}n;a50eWZ`B`<Qif|*Js(MAG~9Lu6D`D0nVF`tXYhL}ZuaHy+1uQCq0 z!H&?mJHZT5(tA(T+2J%E=OEuF%|Xs_q6?-)Tt`?S(S8w+R+_Fn;<%M~L`*5J502-F z&iH7PPnxR$$-dXqH9_tTOT}%4CBGj)@ABCirn$`?`N13;4eA`6T#}tgI3?)~ z>dYoPk!@i;H?BM~d`Ovdqj%^VDNM$Y11UU=50=U(VV z0`JhN-(#}w?_C4l!uGEEHu-f2D{XLH4{iM5YWb;dhuJU9EPLbri$4+N#y)aWA3wtj z_uPc5>)l!&JMVRF7tWhCyZJ(YgBK_bpJc{I50k?j9qC#Q43E9FJofps79wEJjY{3U zS>e)#3fa(~R<^O&dk2{*#VP0T-Zxiu@$xgrYah=X?8_JIp;L<8o`;SI zn|G+;9;NFOf981ei1!?+m%LDAc*H&5lX(fLIggv;(H);T*q8mbu@ju`@p(M^y(Z_M z`%roK7QM zH!nP2TjyOf4{da6W@B(bYmY7iH6qit%Jt; z87^uXzILgwi)U)*%A;G$v$tn0H}kHgeL5sw3QcBQ^;r4i$&nMWPP~kSN*wG|{>6)@ zu_8aH&*6!9Sa_nW`mR|3Zuu1pF}j}hjjTA^FET)kAaC9~G!(eFlJ>AX?4Cvl?kS%A zw(^L|8vZAjJ^W9#)$%_=CN;NUi5-J|si_t^e%;H5hFr_6nJ+web}cjRiXRqNh&=S{ zFkkb&c%pK;wGkyLFedl+u36&3+7HyX?>=MiIVhw1?IG(Ec3tiF4ql1Q>cuLi($n3z z_)EYde|?*GGL1`5XyZJ_nf2wp_j@*N^G}aQJon?*`D(0`-vi4#^I$wvpYwvzk^<|S ze>d;ze4lxhQO&tYzKYIzugWa$?c<%}`uv_G*P*Mc)>uCrSn3VH(ucsj$vLs#_z5Xo zssR=U{PIIXelIzxVCmO_tFm(jPaK_`c8=bKKJc4hg|#Ba}*utt$6zG`>l#+Z`%H5Z`V9)*TUe+ zxiOkT&y1XYD`g$yUMHbu$2Hf~xZv;RUE9<{0jaswMg7ZuFWGtL zb>m+2{Gt~gk4NUcVAtv;xDs2;8HpeT2OGG?eVx!OV zu;$8(vOF0m}>_lad)TkQ2MfhA86EN|w3 zQKoipQcY*SN0ZSbE_G|~rHb^;`MmCMxig-OjSOX8E?t@T?U#D!R6-PbRkLO^IuJ__ET;ZEbV%)oD@OxZsdwbiQ z4mO>)m2>kx>wC@1ExJBc-=#H{|br@i8AJl7JCD75EbZ3aaPL__2FvuAIMyd zo_J5MWZrv(cGo8W7yhEwa&-$82piW`=th;@-(wSJ4*lgycc zhr}x#H2wjnnr&o#(HZO`dHP^^>*M(S=EH$ub~6WY{_y)3ot}u_wcK+Kdq!X*_s>>C zFrRa1c#(RSs~!xE^42&0Mzu(u+ex=a<~?Ub!_PjXYAipMdmf&sb=$_;E@GIo zl%*OUnGCtuocGLpa4#gc_m_s*b0aMBt@PdH5nNx7PwP2Lv6#VuOwQyjQN!x{qB(Ak zk|dARNB!Xb#ls%ln_}C_-!6ywADaypNstp11ySs$+DO-?-8S zF9Ij;H?DuJ@8)>?_pdp$_}ILgpHkJ`8%^)=HNW;Na?*Lp^PDB|(KG)-SJ&9@^S;?f zV*X&s)c{L>u7f3(Ae$z#2W({z4@&y!|KRU+ZV&!At6s1-URZ0h4;ikZ7ZN4(a^-I; zqpk(h($%#)oH=fNk4$;i$8#|}jM11}U9kH9{zwt)ys~jV_jdC>@$+Y1IY6Ny3el{Y z8Q|;B-vg`f_0)*HN0%bJFxq|iq}=o3nNq#9CU@((AJ19hSJ}rYio0e!EV#nMI!9_> zuR4CuQl?Pqguxu<=e*(z)h)2K@M0!dWS*N9|0z9Z<41SC4^E%+l`pk-`b@e#5Bcq- zgVsCW98V6xGY9`)e=l`ys;E*I2$mjs7AwI&xJ-$aCMG-}`%sEqiVx z;qp4(lGr3zNq8(+aj*Psbg9G36RUjiq65~@hL#dv==qENaqUHe7x`D&hm@jO3(sa_ zi!9UC8E(zb?>%dlf7N*#yHg3!J1xGocZQd6b3;9q*VvA1smQ2%ZhL=EI&1VWu*eGc zGCoG7OV1hoJH4EJ^v;?1MMJp#yAJXf>~Qt?&0e_DsWW!>wZ@q9`1yA4`K8A$kCnF` zTGP=uya|;qu5OOU_xh|)py@U5>wZwP!zV9=Z|O=GphuT~f15nyoA;6X&%DBAOGA>& zI>#lt&0VD`$JXF_NNxp>(ZnTXRdJ&)z33bmf1PU-U!Raj=fK8`zr4MtrAhkrU7M5G z&S0x|8khG74z@l#5&FD8Bl8HQF8-wK4B!1ZqZjNsqxAkf{54jN9jx!c?_nIj=6!xo zdP(S6e$#8*LqpoCt*lVtx%7M$nej(xFaOB0=lA%?dghHs{Yf|_<0J`p&FPJ1E!A_F zYQsz5&v|5Td|xx~y|j=uGdZ7o^lNX2=jRT-@a*S8&sVa%_YG%?t|!|k`aP6BeB*^v z(c0V(SP4IsE57^qS@TQ&K5Lf#w{(E&Bd56pL(fXDSLeDp9{c>6gFzS^Pz9E+@$iJM zSlGF%B;NYXWQymFx$9>B$j}FW_lWA;%j=K6ca=rFz98J-ok#orz4*Qq>xOnO%QChk zZ{70U!{4JnKlrC_M9&7x8G*fXFMpi}*q@h|@I2&=L$LT0!8lt!aeC`}dH-mRh`nEx!j7>HNgY!5(^f&b)6_8JC)x>t4KffwCbPV&|Y+1kV)wq47JT zXMN8Z(KqHSVKlw!z>?ztmK=vWjnXsSV)%w}w8GuTpBO3&BLp&zAk3P@@`n!zcc-5R zSaNj_FOS~&-~}_8yLDM88yCNq@>c%?iwp%z4!E<7{(=s)f*c&&lOTHs!B&qjNAl(l zwtNx{X?@Ibc3J8wg_Bbcq1x&l3w+VD_If$rd!A{}L#Emne)ZN*U%1!eE&NJ`SNIjr z*TzIlN)h|m8-3MX9lE+RUzu!N@^irQZar9Xalqbr6c1jcnSbKhT9`t?i>KIg=2B;t zmuS!Rtohd*w~xnOc<@L4+xzDBmWC80W_?%ixA^mO!%HqASKKqBLZ=t-+23m~E;O0E zub=jgIm_QtHzDN&7IqFb%e&?)UEjS~-Rc(7Pzd1pJ=uQ@am~4z5(EgaKym0W~ zl>0v8)Tu9CWRb0JnDHANT>91edkrlY^#z~Be9|SCK;9YB$wP8JB znfz=9PU78Qe_T82+*j+zG%kD%EItaFXyT!WMW*VUksRSiF1%&MJNM&7S3HN|Lznxz zw991~8AY31d*50V`|esWvAO3*-WTmM zQ$lOpvCln!kBjf&=6K>7&m2%Sd_!Y29)w-9?CId@tehQ3ZP;&xw~A+ekiD1JmSk`* zAtpJ72iv$VSnX9(A+iyy=f+lB`75`3?7!ApC$UF5xcbNgprkey1*`rH3Bf7zWA(b52$eM63L_vV!L zEE#p-C8A87S1G{WK}u3+NPc_rp#C09T)xH)68ju%^(%Yxw9%ZeRG08IuvyF5u<4`j z=kiuO*t@s-TQroN1$gXexc^VS#XTZg%L5pq~L z11)Ro`c}u5`Boah(*2qHtBZm$#`EnPS1;LkIiEAf?d_3Kuf1Ja%<>^Ujn`h_Axpj< zSox5SY|*nx!QzTLG3VwA&YJC40#Wu`UywJrW%jNXU-{^Bk?`rk7zm38Uww`*j*xblOGXPs1{ zAJDR+*PY8F=b^rF`MplrOKUKYH#X6WBI8|Odnfp|{+BCX$lipqy1w)m@Ov`nc3z;+ zmE^ZwA6G_n$3IeO7N<(^ANld3A=dtrQ~5qizxZn{ue0PD**F-dJb^iDX1P3Zzh@40 zK(F6>!@O>sZyj78?7FUu%Bwd>3x_f!GFrKi|H_y}$iEx}Fk=Cs+3`&iBF9^Q{DqrCsWC&r*8( ztVQ-;dQS0xruJXfS9PvyFaN^9LmP-FYf+0lyv`i&H{9OevT_!G;?Bc|4u8+y9vu8R zxwZC|nl7-~Lb7ASCuIP|f1t1n`^RyWe}}c>NwrBRqneHF_t@s(eUIQfY__=5t=_OYgCRJ$rlOApMJ3 zbm`fDu+?oZ%K2r@m9?yZ=<;AIXW;7HKlY8Q<`A4YIOiq{xju9GqRa1p=2+U0L;Cn` zUU-p18XNXnmAt-vk8|jQds21vx|{dWH=ey=<4cp=Lrc$pf9%V#Z; z*>jf7jlXUg&$ka=5W?~jYG=<)TFZ{(ip=k^3}Qpbi|p@7$b8}SSqtMd^z13b;FS9E z<;-InAcLMcw?KZ6pLOZkm*KG@ci-;$6C-$?2W}PnLoVmT4_^DF?gj^PIhXDQlqeye zcLA(Et;@&Uy~)E{+@qnl@9SB!`jnjSIbU~P9@M#)++69k0j4S>-`1yfPjh5%o;J?B zTp0_Kxsbc1)F}57EPnoTanIdifyH)K8D77<6tB?ay+4@!exX14=-r!~j#&%$Ut?%; z-=a@4r^El0oUMPCV2QPk4basCa>m1rO zF7*aresRC$!yDSQzSNl9npghvq@}I{EcKUQ>8%8o+6S=shrr?k)rLUE+2=lf?&S+t zzwV`R;jv)hv0&k`_j?aNeSVK&F=xd2m)do(l@rPms-j~o2C4|rxgFN|+`i6>*?lCp*lT-BV1 zo3OG`I3VvsILY{%oaL8qPj$+?@e5d=hJ6{A+(F|6qce^r8kjJ6Ve4=5d&#%p>dTuO zV2O*%*ojQO=cx7$5@qSTkLo4If3EN7@A0?4=s@<``XcY?(T7f7XD&N?eGkT^e;8Q$ z3xK`p@A*C4B=~DTBZVW$bGv;!_T{sWKc%+RuXz#e69-_)0mA80TM8Ea87%s<_33P| zbF{|-8kbqR3Z+}W)EK4SJytG--D$`1z3Eb982j@0hV_L zz~YkzOFs%{`K~W}ty#u)WIPwZ{kLv|&qMsf`W)7tz z(UIhG=6q?V8y7!~b$tq8JQ8!}U|;qj$h_km$kG*ed&dz+OKZ||)?T<4QM;C(GkV>l z=Zr|C<@Zu1M%Kb9-Fwz|zxRxL|6bm&_3hhd^qjet>94gsFswcJBUWd9H}9jLKJ#8d z=i-!0Vb-k8ljeLo?u^}q36#vdaH^Da$6ccS!aPgXeK3kM4)ZK*^$mtv^uNQw6Qg=? z!2VbsW?1R;9$MLX&lnn*YMiwjZ{EkId(Er#dhId|{8F<5Mg`0qqHTfkw0^>F-Y3@k z%zFuTpX1I0u(sqqKmEwdht|lM+(GFys~>3Pv;HB!#{$`T6`stRjf-sxmRit*#kRV9 z(b?M%4qkJ-agaRtleFuvyKkR-v-h{D|K-d{ycW!%?|vmX&H9WJ@%|k5GwmS_+&Fp?>b;xZmbmoHwHM$J}2Y zp~>&&h&Xd%dFQ})Ls!SKGEQ5?z$B{`Ry;Eea&DI-l5g|QxAS<%N&fvFoeh>6EI*dF zo#2WH-Z}K+2^}EQ8Fy#?_*tJbZ;u`=?Mk~>Sh={mBEZFg-mcLFggL`IsoB9Fw?KF& z*WBvuQmA4tfXN^lyvQ-^yu?h-2%-m9&giXEzj&Q=(ao_j@7pK+9{2V!{sk;&#LE@i z@7~zleaMnopQ^}7`i1j)GkrdB09M^h8qc2P(Z-X%`=SlWjXfi&GrPXam0bFhv>01M zvfAFapLt)nf95@{`g0#r#uAsj_KxfGz2AFsp5DKgdLiFZWHX11%!Nq{dhy-oEXAYp zEgf_4a%*|c{8`HthwmIzkj%@^ka_tT7SEi5;RhG;&m0n8_uHSstX&HiK=+oO-y8}| z?|iFaT4431>GTp`i>S+UZolw+-EFfL+;8#ngXb6SUwA%u*y4aQa%)Fq{|S42uK9lN z;p6Y$i{JY)2eS{(phutlwU7I~NA5qr#{gdZq2|pyMB$L|xjvF7{pAr*>h3Va+Sm;0 z;^i;il6=v)RE^CAvzFwff~8k6SaReJw()rT;0gZR+Yhc@H1yz#e|N_HcAM+D5tzSz z@BMAwa^X>^oqQYF`@!?DaW&uOEif>Tq-7uPei_eNs8TCKd5ogBUkO%dR~yY2UY;{T zl3BCRSjK6o{o=9Dw<@z&;)FS%6R-Z%Vo_ohzn$xnRk_ntQCxcXi(tlSwnt}F96ebPJdXCJTgc+m?@ zD)uzeSljfzeR4mZZ}E~nOCFDkZ7GA{W!=iQAjjViGB^4e3!Z!5iI*L?K%_;X(L zN6UWb`Gr#|&FZXJ&bt@zYn%>#j~@HLt^j@arqSZ^&TB0f97s(2q>Z!H^1jt|-Cw>7 zmb&-b@1vu?_xtYc@LIFH*GHDUVb#Mf$Mti48f|>>weY;I-}YxMFM0H=MT})}a7Ugw zu#KUspWl1Y{}h;|OQuz1cpV)uKG5Bd2$!Z!QW9{oj=58aDfWpBa(SqtVATq#mqT}s=s zXK&9OTG4bZnyu}AuaF?H^x%Z&FSL7)Iq$dnf@Kb|w(M7|Ei|OBX}?XsbwV()te^9E zo!fIB;#)f}2g2TST5S5b=PcPSIU}}9Xxv%u`CdZY-c?t1>F;p*#B5&lEX^{yGKm)-x9D{E6_iGIdeifzBFro^O9%H=zjSwHWVCaPnf$U;t)F3U-a>zyv{>^(eM{Bxvh<) z0jC~Jl5}cE#Pj|(yh-|fVh)!Aw09aT`hjTZ_N7DN&Ew&M?-{voOG7+C8|VDN{fqt{ z+`Df}_tG8XTXNgh4!GZY^!w-cXr6m#q&P(1)xjmUnvU-4-@Q4W^}XkK=lDP8OBLAr z#*O*N{bw98o%Lz69r{x+w0uL?iaj@4M12apO^YiH3me0|yyoDZ9qW90!(Oj$qq!?-It6 z!^~Nn{-JD?1hh`ux4a!6SPf9Js2%si5n8du7af zKfoA{pL2kvM>kiHWY`@i_jl$H$BF#)ZSokwVt0di0eI)o00u(gx|B}`S#SwJtIDf z&;}pH`okP1FU{ed$kg8Exy=Q~gH0rGRdT=gXT@TJZb1tLM^Y!3dobv9j&QBQS-3M(U zk{flcBGzvP)_ZwRmaMF}e9Y|Er+Y^5y!t6TC)dgurDvD5umt9O!8Xsxb8@k#!B}Sd zEggMn%}XEsJvw^!<_`AvQh)hFFRwFt(F@aMZDNVUH1}N}_P2D;8f-qMRKM4_XAXBY zYyNUqc~x@XM1a<|H*4Ovhtv2S-J|5L-ip`01WPT?!AdXaAZIRS6Z&K7<~%e{SU%)w ziN*7s(PMu+_+t=;b`=Zej2LS}L-%`+efj>q^i#O%-XH$r30N< zllOYvS=avXdx-oOt-XIQy$F4q-c(=;qlZrAS#ErqSF}1NRUmo^D|CHO8kHm`A8lw5 zl6kqW150mkfcOQ#Qfmp8SmnXOi-ls=&NJ?v-}%zb?%9z~+C950??TCXO&+7J#PMl? z>HP7z-#g3ao7UIZZ6^y3?%exwSlZ=2;8YlylSYKQts^ zWo4e9i#)o=d0({q;8}!q=D4*y{+wqmToj+@p^-dqQ06@=;uFszq#6V-?28^tl0`3e zy5UV=;Z4^bF6XAlYS$;2wQJF=X>f2+-RMm;i_(Gk$KpkeY;nLhGV}i6`8Dr@XKvB` zJ*`uFkM!RdJpcUOi#FcBm;5@(vG4qihYs}1$Qdzv27fol%@{2bHiC*5c_M8y}W_?&)&P~qj(xjZ(o^Nwz9Y%URgO%r8er#w% zX2z`L_VL``XCLxovp(Lc&=re+`8dle{EBxi`i6*g>~7*HcDE?!qvt#{uHQ)T%#}NP zW2`2Y&)Lq?FnpIr6F%vP_RRgBf{p!FvO(uf?9;dDdvvgszqjV44UAn<%;&s!ZqHqK z&W&Fx>*JTo`pAXgKzaA@@#`uX`NrJJ-9o0ZB^4;gpL2!Gvk!Bq_Wj(OG%`x?C+zn7 z=wYw@l2GwcDE93>#0OvU=tV;;q3%PD*R18{edOgcuQcxb9u#D6UwpL6Q{p>RW*8qH z4`X})@@R`w&WF9LSj5KFE)y)W;)*;6&&E~fx90U79$uci`rw67S$;s(i++FoUW>oH zr3>+^d!MuOt%E%CLd?>=Y=K92e9qht23NvDgM*vn$?JR1k$!^K$7%FQr#k1S2P{~6 zLxQDeI+$?Q=kMKG9zFY63sJGW*lWkpbEw7f)zc;uLvuoFU%DKrDMTCfNxS8p*K=(- z5AT2E%-jEzcSCc?PaJ^NHU*1~V;_$!`*r3B#=l>`_ux+`HRtAPWqlV&+_g|?hF&h) zCw@_Zq1-JJFS-xsf8?~_N&H-#Y2{%;*2Pugy4F`)7c6If!HJa%V4E}H;wMiFjOS-? z^%EorEVVMeB`q?}4GHY6tGwI|3K zlR3Q3v3H9i7Tp3%jGaQcjqMB;J%`sewli3CQ3_UKC(`;>?xTbHn&CdS0qN1Z`o(X{ zWRIS6t+#_`>^|r5g(qGKR`BfSLL2fYLkE~n&VwSBwKNCAlJhPem_W|bi`2K=U+wEc zFZcL-zHN*EcP{??T=t>lF?YeUUs<0fmsy{%OV+19P1YwFF=y01sghNs6Yt*sEX!tK zyvn)z!dtof$RIfr*CTn)oO$%<$}iq@B{fS2CsudA%&6pV$cfIHQB~xT7f_-DgFSwl zXDw8uJ)=ug2wv#zdq$!{U9(u$o)PsR^2iJ3v4y}M{p!8G^p(8q;?3(jSoru)Q=&az zx_8z`_g)$j#R=`Q2IDhlnucEqljMw0LFwvVN!#_^>o9?Rp(_S()(rJIH@T)u_bk7j zIiE+qRbrPjKSOlaN0rY$u81<@^3FUK=0UHF6L|@&y43HCm#!r}OwExuF;7zte?E2^ z9Pn{>EveD*dzBR`(qs4B18`aMWu5GP6<7qPN@cPZEx_`7(iDQzFT7ZKUC;MVscBG- zQ~i(EBE0F^VrO0nx4S-~;<4kOdrq@k9ZnbA=uJ8s#y=#g);rC_3I4SA$@%Ir(>3!r z?RiK!&V7>znl(%2%vnmA=vvZ?;lyh1FJ-ywtA9v+Ky;96M6heV=54!Xu-qdN_4pIP zf>Y^}@eQ-i!^5su_TuGwW$)fZFe1yYFLuYJ-hlCuykXUJsUrnTzi_bX8zOC8^A|tA zj(c76afG2EYDsi6)_L+!)Nq8KQhgFhme$FUbOj=iva^4eX8Zx9Sw%Q5I( zpA`D#e>~06H?B8$_Q75V9k3Tdr!H`Cg#fcY2b}e_ueb=B-hzJP*gk2A0Ijh^KpaK`;vs%h6!dyw|Lc@Oqm9wv$y9;V$~;)Cj4qL+Zh zR#O8LT^THPnOhXw9xQaK{5*83Rwj1OmGLbNNiPoH1^aSFJhzKyc_T|hS|W5_f#;l& zl+VzW9QD0hY9xA=N@cPZ{BQ3TP8VN`EY;ivDoxkSzm~Odq-V_p>)utZ9U_lp6OBH5X9Sm2s()Gfp$9j7$G3;~HNT;_Kdo%YxH$ zh-HqvOJR=W%!2XG<=gb6G%oK*faTrwgO%>N>$*No%648(kHINTKJV<2c*#{0=|~<0 zvrNU>&Ot#4{-lNHPJ65(>(ie)xH@LHb6mk%V6tL9VO&9xQ3@Yan}3cIO=%2LbyVqq zi9Pu9WEg{Rf6t+JeU0H>8@ccZ?|5c?YA6Q>_L02$gRSfV+ur4JbHt)&UND)ApZfqy zz3IW$FAA0#6R_kd9Bg^JGm=%g^Qtq<`h-`9UVdDCLoZ;dE4ofOE04fZ6AYI6X|BWc zl)bhZE6ePS)wKKgi#)tvwzD}zkTNdydB&-@&p1k4V9A5>ElnrmaKMF0%F3Bb0t%j) z3t7u0gyi?$bz{$dFF|L=kstZJt4!T-S0NQxa+7K8$xQ~+W-#Akp9_<+lW{uZWZWg* z?6=gle2XV$+)?>{%dwpOa^~juI7a(>dEzd;)Hb?x$ zVDT3ptaQ+Kh>VNB_+V=%!yYEKIMpN|`%vVbeYmQhxMw5wofR!%l8f`xCMLhv{>2;~ zGT~=^YRT3IWt^a9#w9n3wiX|XwR|~WD(0^5TB0tl?u~-3FY$Ae=4}|T@;|v&;q5fc z@E5SvU+gV8!UtRZ1uXe`V960a*!niX(ud_>YcGJMFCFKGs-Hchzo?OY@jA=fz6-vM zy$_cDj$nBwO)|wD_<5*^aHTyImkJ>imniA5Bk02bN%k7Mpu#Qx4Nxy$#VlsP9>O9 zk;Pwo=NlKF`Gpa~4@6D7U*xy?23Nt_5PmQ56tLaucAv?^7^?hvpaf|sKMHt4AZ>h1SS!F@gnU%_;Ur9o^iF5Pn4}gz?^0R9pk5D-e5n~_n8u$2R^9P$1$*~i;u?{wDwm=& zh#IV4^!IxrJa?7OAH2}{gBO9$U5kvnjbZR}RR(}tVIU6T_Ggf2#z^aLhD-!<8SytBSE)}_T^{~4)SnlspZkKk| z&E~#|;^c0DMduefj@)7;Z|(vdq&@%+;u{7_9z0n60@wa!&y8zo;|9`}D&N$l7Ju@L zR(`mtkpX{qg*HP&SN`@%2V}mq;pO8@m&hK~VDZy<-eu^@?=>G?qpRc>v zu;KtO&ff6il|3xP_%=!I_%^|M9?ZeeA5}TDE4e%8dmTb{ANX$8hwm;AQ<47^`2 zm*+l++`pR4#fxZ9_9o>dc7?3I+^uV!we)=N)a1@wGrc)CY4DMaVBtABu*X*b7P(Kg z?LIt4x3qEPWx;`Imo|Y*#8;aQ6m(#}ym z;#yecj68X;auBLY8{EL%8_}QrHXeXu=l+64M;A5iU8Oo^eafDCM#&%lT?8$5nNpA5 zBdLwqht|irGxCCRXRe9v;y_|w$05p$gM`2;yDvQ~IJo4Q`4*`~KloC23@;vKm~Xj2 zW3OJxO6Se{6(T3~fr_S-M@TOYPQ@2OllWxkP2QJzllKLdIuWqcgd8k55OIj^ed*)7 zKBj%{46AHp-q{+-JG?GR(KoK;)Z*ppb(e-tJ>7GYjhTCS4`p^-a`F+{@9~4&Lvi_5 z53s!-vX*iOdH#zle(ycYYwHr))odv9GMa)H#!Jpa9DDDPNJn&^dq}bKrk5Utki%r| z2Uuk2)wy*Wg9*O<)S?a~^z9T}yph$`Xn{ zr3(2y?%m);$Uk@?W>%)CcTP+lEWQV(P<#(yk*mrk!aJ{&qU+0B&Kz2eTb&rpU66(s z{9#w2A;WSW$}fWhiQN4*??-VUH%=$rY;$pxa5Vo#*T&u%wnpb|&V(w0=pbOxn~43$ zBe2-3$SOKDmtb@_u<{6Ti0}w*;NZD=OUhjuR|6~Gl?atHceQd?BVP zsG_PIymX)CyFB&byH}GQoHD0Fe`jQ>i_Br$r?3oKjnQj zNwib)!MEjMm)N)a0E_M@Dw&w@ zC5U~}5ZzB2=-z2!KePe1^;Uwgd6NMw{W}j9AFZfv>`SolFiAk+VV4+`HM2>U{%GFO z8F=*)&%3Z%aLWI;v@3%zyi=egyb~<`1CIXa$`?>sx)%V64IwxY8v-nLo}febArKL~ z{GCQ)!*|cw+_fmo%DD8cklC0%A|jt(_It+Z{vPLRU<|XI2NNv&xQ0;sdqVV~aW1XU z%a_>6CGU6M`d=v8rK>No6AESYd$9PgDCE(-N&VQXV5KYkG<1r{gBPT+{Qh@a%YJPx zc&2gW_i(4+*$)QK)Z)%tUM#aGIW}O?38gai4ysiMoyy6|n#Jj|<}dP12fxTS=285y zXEH6WaM<1%q0}9xRY~tE8zTE)Lu4P&lHXHwv2-9+EwUCYvR3_cWGz@^?WGql{&?4N zzF?8HjxFbVN7*&M`}Dr_NjM$ebh?iVGI#%;vS0i$r$f8UkN`;FSO^}RVn_lNmQ%F*8&#Wb!B2Vf<@2f z`H#%ITJEe*PFD6Na1~r#0BO%$>VAHYYdv%-xU;%MT2{x?d+F05B;%cvSzJbvSuNN zuGypBi_U89^XhrzJnR&Yp=?vjbU^yeF5#Gc@5k3UX(L2?A$DUzc zM&^Nq=SZyx&jAb1QO6vf16R>IWuC|WaJ=EgNTaytmfv$@ZN<*JUII%8V9^h*1Ke1pow+*oz0+XD3lWgt69xltgIj=KE>(o`XRYrmJen{sEz3{m$-*EF2 zBe4_rsywM zB9S?m6+;_m8mv5GLexIzHQO~Cm)tzC_ggc+^!tOYy#OXL<8yCd@mqk!M*$We#le=I z?Je&RfvG;+d690`LbV+__%VCt4ll>m9G%#VG+ zL1XX6eYyMR>{}d2y9o~3@73?6-z!+&6gXJ%B4wiU#-Hum__M*{&pz1dqHy(v*7%lk zZc^E^76yOLi1GY+Mkl+I2VjQ0FHXvcRxX~^R|F>KDfjIj6y9&KzkZu|nRyeJw7$e^ z54OI!!_@lbz#{X&64wAr9QI)A2LV$wI(q|KKgea_MSj5k>Slf~{m3MHCtu}Y;Riw( ztBV?!H?$76vKA~oq7JtD23UGTfywM!98eRN=kQ8JMuDxq;rA+|z;e$$4ILRJ5*--@ z7J07JeC=P3VXsc^J`}+O#x&Tw#R4m?JcH10(>K7pc~b=}y;Kgib_!VDR5{rCM!;g9 zgT+2S*xKi~OYHN5g(nJct^HKSF#H*8J!Yv^tVVdHCst3`2i> zbIYIMe&fHAi&>((J|!2OSK&#;)A?w}G41nv=gi2sb7@% zm-4jhBW9v++?%^gr(hcsKCNW!!Gq=gUbte<^6JmKzSJ=+{l{f z_A99^G(_|S&zF?7xZ)D*?N{1&wPoUatB?iXRL?xUuCa62+siv&*AzC&$(LooY57pXI_oK153T`d1=B=d8Oj>5b7vin9jkAeBiyS(#SS$ z<)S8zbFhtDfjN=ghg5^*#jp||1y^7A8VMCYrbvFz_a3ABn3t?PC+!D}mkWpa90w*0 zwmgiBv9!yD(r;D8?Hv49!D;iL%$qzYFs5F9Pn0<@g${+q*CJ{VU&}q^lJ%X%wZGRq zsLS3hk6>FMqygJyzGdmbc5Z z!D7>?z>59LP1tjj2bJG*rI)WM4eCDd@!TzJGUrRX2>u*p&Q0=L=dBLRwOKlCJ}c`Z zx#wVCc$j*Pu6cRb$^GBZyf*RGXzy8q#qQzJk3O!wMdZiTXy^AF+}`~Q>vmjf%>_hwp_YaqYvqgz z?Z_FeUE@Chi~oT79RI;@dccM@=+t|UgrZ~PfJKkxVT=v}79B*YQ12UcH}^ek{*I{%Eu;>=odhBz3CsWdsgYzZ*Zb-NCdn!oyE=@l447T}eSKSzT zMro1zV4-Ia9P=)0mW(QR4ru?=_*OQ(7(?fp1aYVST+ z_#a93W!~hZN{G>MY3{kOWb|U{TI8?#+URRWMb^@2x?emod-Ed3-u+YcvcB_N?3(3y zILFe~W9~Kr}ly|(i(rYO9x4DCqwfdmIf>X7xxzob6rCn~2-LIO~ z_^H7ndqjnDFTsKrHLbx5SnzUnu8V`Kb6t4^7G5mM6kZG#T~Fmrc(I1{;lNwDZ)S0lUhd}(Q& zw>g!x@z5?@-VRQQyDhVy}`m`uen2T&qtd%7}`ti3x0 za*x1rk5s+K9|4xQ!I9eDElDT2Z!&ShpGofUzcV?5XZa=B2e;4CA7_2fm-Bk%$Gr(0 zx*}3CFK6GWiG$gYuG$a-A%eeFbhtcXPupHg&+U_qMC{qfp=>{6R!f{0RkxCLhOvOcX zTh&LQHPN@w(7i3Y^ygK}=mM;i*e>VN4;^^$B>Sa%f5I?q=EB}1t?#1mUM=3|w{nm< zF0y7~dhZOcMRast@7Or931ipdoY8Y+l=qCN<9k2OHMe-tk+NsRcer=Z?dTa1T$zLJ zlR3Egmk)^mMOFw|M^?zBi~h_CjSix1ZRkJ`u*eioqkb8u=x6u_cChx=Weu;a1^b)z zV}ixs36_2oV2Q(mQG!3$0+x3Mu%^6$a@k?y!=vQLt)0Dri6-nElFH|djEmnJEV+$X zVssy{#9_fwg8-JCO0e_|1^d(Lz*nii@ddExQecVyf~BSgEIKt9!e3lTvz+@u1V|*? zaeRj(w~R}U16b-)z+CkFUh*u7ne?OtOAaYm;$UE+xI0JtnH!h9G_c5Sk~{rhuJiWZ zX)ukqc3$Z(g(VN_w1d?Jz@krHR^;*su=K_SOAQBDVz^)wv0XD`H~2fFX~(IO$erfz z3=Odd3;V(&Sc##lKjj@`21MRE0`p4Ru1~5)c!V^C!XQ82CPt4tr`~`{BY5)ptrs$y zFMs_H!kaMTUGtZEtIK*_dmk*hoM3s24oqOGpvsdR!RWYH5;NG_5$;+BuT<4=I{m?ONDYd(XLES4TRP zb#)}L)V6>LYG#h~#i8z|H~qB&SzQV&xmI9_lYj|g?7VEN;EHV(TwUeZe#?(kSaO7A zaVNHYncZLJB|>%%TsyepdR?A#Z&=P1cd_Yr-o5y8i|7Y|4eCiA9;0T}Q4$G2zTB;I%~ zfZR*%JaR8l>H0gbisj3=yis6W>T$r5pLiYiBg>?CZ9bfFvSDX$r-CeP@XD_~_%=PFz+^P+`uc8_aj7S!nh6T;wo&uHc4y@eP&OPmX?7mLOspAegEUC>0-Mub>p}2zF+u(P;X?YRPo4AC8NEog3;NpRwdc5z;0pb zJ;vjkUQ&c=d~;{bYzz%7HO63Hc!VsGthqINzD>>Tz3kL^IX82bn#P5OI5%^rsq(pR z+%JnO^%{}!A_S4~(it{~MfG|8AWWCYcqvqo@iOQm<9Ro77gT;lpOk*Ju>^(s^@B+J z&z-p%j^Kboxp=-hjJ-3o$@m%Ej_93NBeC~af8FC??toNB+T0Alelwfjk&eF zn2W5mCXHwB(dE@=A55mDgL|WS?;G`begF31VvelvVoqd~NZ`hBxi>1KL}xa~(75W< zTqDJSC-rt8IwIu0>FN^Mb9w)Z7y0~~3!%GcdeDK@4<~m&{xumz@ljBzBYRkq@tcv1 zkv*aYxkoC=a*wPy_vlD%X`Gl2Z`b8LGD;LN_l+5l`*tprf78}drtxK;aN&l(!1>^i5dOo*L=5YD5H+s|Fh2ONrSsg^W)W(H8;?C>4 z^E!~wq|NQ!mueN>&fE%b=c)>CmwmtSBd;h{Zz6g6dzTQrYo<4auINqK8@(ww{XKc0 zqEYE(aS^K0IJTR4=}p0(`heh%-n4w*0$Vy|lEkMks*zag zl_>6=xhH6|w`-KJ`&F2qGh)yL2UM<(ORg#Bkc{A+gW|d0Vt=7=k%ahOWd&`{r#aG} zm7}!2AWJEpB?O0_wQC9fJT{Yk2r&mQ+8*uRw0haRDn@AaSh@S*O*Gc3ZMXt(u505yqS~_6HM-Hlt%-z>|CvuP!jIJldlDo=NA6<{< z;mf%6D!x>g=!C99?iLZ67^(dB#6B;Vefbp+XlyWHq0p|DcJW&XCrAEzC_TPI={eCI zUEeR`(#L^xOI-q3<7#r=BlqR9=Wg+QeHkYSX!xHz^XRO!zuZAACwGvl65Uo>c=QOF z2Dz&|&AF?(U_=MjDW`W8!Q`&CC$BW9h1Hd%vVR$uItW)1q(~gu_#@6tQ7kARao7zqo~F4gZMUhVIjuPr7S;mMeU4F`rhSP z`6gNsdLhk2FBeK(z9w}w{;+E-w6x)f!m~-J&;gN`Tm!0dY$j>{@gZy85jwc07kh3h z?4nPK=0#7WWk*j`trq=78ea52VmdYx^*;K>pBP9v4+YA5Ka?s&uM@J4zTwH2$N+_( z;q9(MY$2(Gi64<#;n_@**zs2)5!z@kq|5#buVc}L*C}@?O)5cH9-#;!dg7%!E{`}@ zbLij>bNG-P>*yO2s-t&`D3x}(jIut*7QDFASs&{;>yv(!^$DRZjF&JpE}<~`3rj6F zlWc}B<5J_PSiHGvqRz2#pdfw$UW?c+m+-SXE4NE*T;;E;%6ji(r0e z{DR=Ct6V@ic$Nygca?UZyTHWGUAQ3Rp1A;A?t&m%`11vtmLFWuX6Z_xByyT&5gHeP zjIWA%9~$QtNbF7qQ26sb37oyTT1(GTT|(m=Y+uGTXH1@SX{a@T9+=qLTTG$S$?xxV`mwZBLL0gY=t!$%HAMkU{ zvI+ApXMVB4?YVB34~V3huyL;BSxue)*kmIfG=I%`&%n>A|~nf3kM_WZuz<8j)xXcYKK zLpN^we1dsDDr=T!S=jbtyl=Os_QBR?bg=C;elRB2u32Cs^9mAt-a+4{hV5V*>p0lP zIu1r_*m*f9bC#TaS)UrVoLg$x%yAF2XO695yKy-0j!O-jaj9WDnBYXd-J0qfx4Faz z+qV|LQtNxLtzkRZ^6`Uh4coys))nYJ17f2cktRS?7c*}xr6sa-`+u?yRieTMT*1Hfn4m7Gsa1J%Dj?=me%BA zk6gHK_f6n~X?(Oe;AYsnz;l?pAlx{9N53bi9-IozE}g2Lo?MOlR+a3oMQ}Fj6X*=C z1Pzx*$PgZT!5mcYtOZ@=jPwY|yaE=PgY*BBcFiFbCph?{Xz%V#pO~zLS(dXD7RvgV z3x%bxJt4DxOzU%vfpKN{=b%evedn3axV4GxjV`sc!J9ogm!fxqf7c=var`+qZu6E7ws}hjTR#n$FiGaX zu9nugkw#a(Z`US1*!HhG*!B=V*!pR}zUWe{!Lea)9H;N#SvhQI(n*Ham~`R0qA8&@ zDN5nH(iFmPW(LUJ4fcOk5e#fJ_lRI zZSN=hNY5!SPL%BJ91{C`XWR$2xv=+pl*f!)zxR#9ux6YH{n*o2T(R#~9c**=54JVI z2P0H6NA(=(G~>JREs?S~xc>ZwZ9U0-yY(ao`+e-`gE5qMeOI&+*w*{`mYKZwO|)$6 z?i;uE`N1|ecCd}tg584&yOx_cu+5jhZ@2Hv!S+p%gCXer-u4AEj_6*xlA%7n`Wv@- zhX>od!-MTxBnOjpw`*Zy2M3bD3fp+C-;<=Y_g71-(dBR4`u-1A`&{|p_>7Dbj$aVE7+-a_$_t(Q_^pae0Y6=YT>n6Atz6|aq zgYEseUhR87^kpC4x;ezk_bw=P8{hhk+dNRPyaRZ!t@k_F<|ZF(bM6jSok1tF+#@~R z)W;70cm?=bl`g`nAY&9*@X#8f*N(m*T%?`Nt~+n)8sG967D^Y^a+xO-`cxe(sTlhNN(nALANb9cXla_GSO5PKK2=m}4h zg_8IsRVDJA6;+!2O|WR!^4s=;a~E8OCodi7raLiXA0C zJ3a;FAF-pjv`XXnWY&UDhW<2~4PNlcoEtuwbHgVK+jr;S)Qb*Ti#Fh)KYTLt;*&WK zd@}TM71?{fQa^GBwO!3xq~vEU!YPXvs%`X*O9NdTT*>nCQxuu|A?y-<%AAg#BjOO5 z!o=>pdMaiuQbTtwNGLd@@Ne!VDIJ+2k`S44CP{EAZojm4B~!sOrF!X4II1`xSM#ly|Iq0@-yI$% z7rS#%TC=`;fM)K;_2bUGnC#4ZVe#BIUc%x^`qkcFQPa>GO*Hb-lZ1=Edl_~8477vo zIZub>o}9gbg}*>lV&Fo(+hwU64=)l-k^Lt?11MJ2{p9D*62h79LpY#H@@AlpACGH27J9w~-cdMG+{6xRU znKm?Zp}>u?fKdi^eN@7%ncsHq0%I%jP_XD0V9DnKi+>U<_7<2XGrK;jK-PB;+GLz& ziGgh&f4E|+<;>mHe5>Fk^GZR>`oyS)*PT|p_7(@q<}q4}{NkJkbvN@$?#{eyrmVSf z?CW4v8mG!^Z~5sl1z<8!d5d=L@NCJPIs2Fwb@A zO76_$sagwLBm3Y`T)Lu~ZH^MJ4_35z$vYh8z{p2e0o&da##NSqZC&||!w`1fdx&UZ zSZvlu!OGqgW`%}?-aAfK@6I92nK?A*UtXd-Z*>7mQ{~a+mt+p%nf#t)=g<&29lW@M zyN?qz`z;|59AJu}HDtf~>7`(-ZwYMczzI+UvuC6naqVB@qWkb3lqX(J$DW(ikJZK#{96)K-r~OrMe?`H&KJKff=PPr_`lK!de`1yWHnyMRg~FYe zuDm=485F1NjBA>BQX>vOmC z@^>dJW_@Qi?%poFGv8to`SvJ(e-H8Y+pQNr$+$h)z$`Fp;j0h+1nw8lS0=n?PP1MA z%XQa_%;V}S4&;VrZ~CEREf-K(9583H4^2&$UTz!NM{~d>xKbK+4*A~w_V?o8itG2= zdrU2`__?n2XXGlaGdj(oKDhtW_F-|pLYl#gLcY*$dSLsOI-c`Ts1zKC=LOGvP&+Sk zKk^N^te@~+!^pkl@`!GBsmVL9QmDv56&&l6CKk3&)&=fV=Fb@sAGvQ_Eji0eiC$b? zsp{TK`3Ir#YrU9x)#dN`!b)U{yn@iFyn@^6 z%=stjX>odug#zon#MPp&UCckfM|6h{sJlz!;``yTV)^T{lvxJ(yFTI2z0+Uf_P*VI z&2W|X&SX*c0RQuAUbs}_o!xn5!UJ*rC9EI%hO4VSVH zWhYC|GV{U@yqp=`mUnk^4XDrizQI-5Y+w6>N$TBma|g2)O#=4LhOdU(Ts3=i zE|JRO<%(KoExa2W2fGZ6(3PH8;RoW*xkndc-a8|n9KDXaF1pG+fxNs}oH%lyIuxAB zw$0trhic>O7*q0h!K&wo;TA8=g=JmtTYlH&aN`=$S7j=U!ae^Pt$d-CA354v9F z&?;i*5LL@P5=V^O=N<~r=JJi-_MW8K^AM}dnTsQa7wf?kJc|#8zsQQ*n35!T9Y+SI zIAUy5=5+Xr7++)~?@;JZ?5=BJA1%MS^x{1aZnNmDLgmrDnfCELh#uw4#n5u*`VYnK z;mHW^c2n`I8lETshI~8joEK04OySiaqvf_$-J%GzNcZLt8l}GM=(huXGo9Y%JcETeQUW1 zh5B<&T;|Nv(-^L#ZDw!W5y8tfYg+udT!nEsW!xX*pH#}7n2o5$&hZmAnBN2AR{fj< zOrdaK=|^E)de(r&CkPh4!AqEaEnuk`1=C<^*HT^Cxa59-B?k>Gabm(K_5v8?d*_vM zJalhddJ}+Q9Qih}BICZ`O2Sm;s2zHoePuit=grQ01(SiL?~!k#hk?;_@@@KR7$;D? z<39V#|J%R**Z=;1{>#7q;UE6tum0oz_TT^CfB7rc```cJKmM2h@jw3U{tH`w^%aYv`_qs8{P~~$>VN--f8xmb?VmhW{-6K$@BaBe{mno9^Pm3tKmXG||0mb< zZ~x|h{_Fqg@BZ} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{appdev/index::doc} - - - -\chapter{Developing with GSSAPI} -\label{appdev/gssapi:for-application-developers}\label{appdev/gssapi::doc}\label{appdev/gssapi:developing-with-gssapi} -The GSSAPI (Generic Security Services API) allows applications to -communicate securely using Kerberos 5 or other security mechanisms. -We recommend using the GSSAPI (or a higher-level framework which -encompasses GSSAPI, such as SASL) for secure network communication -over using the libkrb5 API directly. - -GSSAPIv2 is specified in \index{RFC!RFC 2743}\href{http://tools.ietf.org/html/rfc2743.html}{\textbf{RFC 2743}} and \index{RFC!RFC 2744}\href{http://tools.ietf.org/html/rfc2744.html}{\textbf{RFC 2744}}. Also see -\index{RFC!RFC 7546}\href{http://tools.ietf.org/html/rfc7546.html}{\textbf{RFC 7546}} for a description of how to use the GSSAPI in a client or -server program. - -This documentation will describe how various ways of using the -GSSAPI will behave with the krb5 mechanism as implemented in MIT krb5, -as well as krb5-specific extensions to the GSSAPI. - - -\section{Name types} -\label{appdev/gssapi:name-types} -A GSSAPI application can name a local or remote entity by calling -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.16}{gss\_import\_name}, specifying a name type and a value. The following -name types are supported by the krb5 mechanism: -\begin{itemize} -\item {} -\textbf{GSS\_C\_NT\_HOSTBASED\_SERVICE}: The value should be a string of the -form \code{service} or \code{service@hostname}. This is the most common -way to name target services when initiating a security context, and -is the most likely name type to work across multiple mechanisms. - -\item {} -\textbf{GSS\_KRB5\_NT\_PRINCIPAL\_NAME}: The value should be a principal name -string. This name type only works with the krb5 mechanism, and is -defined in the \code{\textless{}gssapi/gssapi\_krb5.h\textgreater{}} header. - -\item {} -\textbf{GSS\_C\_NT\_USER\_NAME} or \textbf{GSS\_C\_NULL\_OID}: The value is treated -as an unparsed principal name string, as above. These name types -may work with mechanisms other than krb5, but will have different -interpretations in those mechanisms. \textbf{GSS\_C\_NT\_USER\_NAME} is -intended to be used with a local username, which will parse into a -single-component principal in the default realm. - -\item {} -\textbf{GSS\_C\_NT\_ANONYMOUS}: The value is ignored. The anonymous -principal is used, allowing a client to authenticate to a server -without asserting a particular identity (which may or may not be -allowed by a particular server or Kerberos realm). - -\item {} -\textbf{GSS\_C\_NT\_MACHINE\_UID\_NAME}: The value is uid\_t object. On -Unix-like systems, the username of the uid is looked up in the -system user database and the resulting username is parsed as a -principal name. - -\item {} -\textbf{GSS\_C\_NT\_STRING\_UID\_NAME}: As above, but the value is a decimal -string representation of the uid. - -\item {} -\textbf{GSS\_C\_NT\_EXPORT\_NAME}: The value must be the result of a -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.13}{gss\_export\_name} call. - -\end{itemize} - - -\section{Initiator credentials} -\label{appdev/gssapi:initiator-credentials} -A GSSAPI client application uses \href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} to establish a -security context. The \emph{initiator\_cred\_handle} parameter determines -what tickets are used to establish the connection. An application can -either pass \textbf{GSS\_C\_NO\_CREDENTIAL} to use the default client -credential, or it can use \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} beforehand to acquire an -initiator credential. The call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} may include a -\emph{desired\_name} parameter, or it may pass \textbf{GSS\_C\_NO\_NAME} if it does -not have a specific name preference. - -If the desired name for a krb5 initiator credential is a host-based -name, it is converted to a principal name of the form -\code{service/hostname} in the local realm, where \emph{hostname} is the local -hostname if not specified. The hostname will be canonicalized using -forward name resolution, and possibly also using reverse name -resolution depending on the value of the \textbf{rdns} variable in -\emph{libdefaults}. - -If a desired name is specified in the call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, the -krb5 mechanism will attempt to find existing tickets for that client -principal name in the default credential cache or collection. If the -default cache type does not support a collection, and the default -cache contains credentials for a different principal than the desired -name, a \textbf{GSS\_S\_CRED\_UNAVAIL} error will be returned with a minor -code indicating a mismatch. - -If no existing tickets are available for the desired name, but the -name has an entry in the default client \emph{keytab\_definition}, the -krb5 mechanism will acquire initial tickets for the name using the -default client keytab. - -If no desired name is specified, credential acquisition will be -deferred until the credential is used in a call to -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} or \href{http://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}. If the call is to -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context}, the target name will be used to choose a client -principal name using the credential cache selection facility. (This -facility might, for instance, try to choose existing tickets for a -client principal in the same realm as the target service). If there -are no existing tickets for the chosen principal, but it is present in -the default client keytab, the krb5 mechanism will acquire initial -tickets using the keytab. - -If the target name cannot be used to select a client principal -(because the credentials are used in a call to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.21}{gss\_inquire\_cred}), or -if the credential cache selection facility cannot choose a principal -for it, the default credential cache will be selected if it exists and -contains tickets. - -If the default credential cache does not exist, but the default client -keytab does, the krb5 mechanism will try to acquire initial tickets -for the first principal in the default client keytab. - -If the krb5 mechanism acquires initial tickets using the default -client keytab, the resulting tickets will be stored in the default -cache or collection, and will be refreshed by future calls to -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} as they approach their expire time. - - -\section{Acceptor names} -\label{appdev/gssapi:acceptor-names} -A GSSAPI server application uses \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context} to establish -a security context based on tokens provided by the client. The -\emph{acceptor\_cred\_handle} parameter determines what -\emph{keytab\_definition} entries may be authenticated to by the -client, if the krb5 mechanism is used. - -The simplest choice is to pass \textbf{GSS\_C\_NO\_CREDENTIAL} as the acceptor -credential. In this case, clients may authenticate to any service -principal in the default keytab (typically \emph{DEFKTNAME}, or the value of -the \textbf{KRB5\_KTNAME} environment variable). This is the recommended -approach if the server application has no specific requirements to the -contrary. - -A server may acquire an acceptor credential with \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred} and -a \emph{cred\_usage} of \textbf{GSS\_C\_ACCEPT} or \textbf{GSS\_C\_BOTH}. If the -\emph{desired\_name} parameter is \textbf{GSS\_C\_NO\_NAME}, then clients will be -allowed to authenticate to any service principal in the default -keytab, just as if no acceptor credential was supplied. - -If a server wishes to specify a \emph{desired\_name} to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, -the most common choice is a host-based name. If the host-based -\emph{desired\_name} contains just a \emph{service}, then clients will be allowed -to authenticate to any host-based service principal (that is, a -principal of the form \code{service/hostname@REALM}) for the named -service, regardless of hostname or realm, as long as it is present in -the default keytab. If the input name contains both a \emph{service} and a -\emph{hostname}, clients will be allowed to authenticate to any host-based -principal for the named service and hostname, regardless of realm. - -\begin{notice}{note}{Note:} -If a \emph{hostname} is specified, it will be canonicalized -using forward name resolution, and possibly also using -reverse name resolution depending on the value of the -\textbf{rdns} variable in \emph{libdefaults}. -\end{notice} - -\begin{notice}{note}{Note:} -If the \textbf{ignore\_acceptor\_hostname} variable in -\emph{libdefaults} is enabled, then \emph{hostname} will be -ignored even if one is specified in the input name. -\end{notice} - -\begin{notice}{note}{Note:} -In MIT krb5 versions prior to 1.10, and in Heimdal's -implementation of the krb5 mechanism, an input name with -just a \emph{service} is treated like an input name of -\code{service@localhostname}, where \emph{localhostname} is the -string returned by gethostname(). -\end{notice} - -If the \emph{desired\_name} is a krb5 principal name or a local system name -type which is mapped to a krb5 principal name, clients will only be -allowed to authenticate to that principal in the default keytab. - - -\section{Name Attributes} -\label{appdev/gssapi:name-attributes} -In release 1.8 or later, the \href{http://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} and -\href{http://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute} functions, specified in \index{RFC!RFC 6680}\href{http://tools.ietf.org/html/rfc6680.html}{\textbf{RFC 6680}}, can be -used to retrieve name attributes from the \emph{src\_name} returned by -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. The following attributes are defined when -the krb5 mechanism is used: -\phantomsection\label{appdev/gssapi:gssapi-authind-attr}\begin{itemize} -\item {} -``auth-indicators'' attribute: - -\end{itemize} - -This attribute will be included in the \href{http://tools.ietf.org/html/rfc6680.txt\#section-7.4}{gss\_inquire\_name} output if the -ticket contains \emph{authentication indicators}. -One indicator is returned per invocation of \href{http://tools.ietf.org/html/6680.html\#section-7.5}{gss\_get\_name\_attribute}, -so multiple invocations may be necessary to retrieve all of the -indicators from the ticket. (New in release 1.15.) - - -\section{Importing and exporting credentials} -\label{appdev/gssapi:importing-and-exporting-credentials} -The following GSSAPI extensions can be used to import and export -credentials (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}): - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 gss\PYGZus{}export\PYGZus{}cred(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t cred\PYGZus{}handle, - gss\PYGZus{}buffer\PYGZus{}t token); - -OM\PYGZus{}uint32 gss\PYGZus{}import\PYGZus{}cred(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}buffer\PYGZus{}t token, - gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *cred\PYGZus{}handle); -\end{Verbatim} - -The first function serializes a GSSAPI credential handle into a -buffer; the second unseralizes a buffer into a GSSAPI credential -handle. Serializing a credential does not destroy it. If any of the -mechanisms used in \emph{cred\_handle} do not support serialization, -gss\_export\_cred will return \textbf{GSS\_S\_UNAVAILABLE}. As with other -GSSAPI serialization functions, these extensions are only intended to -work with a matching implementation on the other side; they do not -serialize credentials in a standardized format. - -A serialized credential may contain secret information such as ticket -session keys. The serialization format does not protect this -information from eavesdropping or tampering. The calling application -must take care to protect the serialized credential when communicating -it over an insecure channel or to an untrusted party. - -A krb5 GSSAPI credential may contain references to a credential cache, -a client keytab, an acceptor keytab, and a replay cache. These -resources are normally serialized as references to their external -locations (such as the filename of the credential cache). Because of -this, a serialized krb5 credential can only be imported by a process -with similar privileges to the exporter. A serialized credential -should not be trusted if it originates from a source with lower -privileges than the importer, as it may contain references to external -credential cache, keytab, or replay cache resources not accessible to -the originator. - -An exception to the above rule applies when a krb5 GSSAPI credential -refers to a memory credential cache, as is normally the case for -delegated credentials received by \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}. In this -case, the contents of the credential cache are serialized, so that the -resulting token may be imported even if the original memory credential -cache no longer exists. - - -\section{Constrained delegation (S4U)} -\label{appdev/gssapi:constrained-delegation-s4u} -The Microsoft S4U2Self and S4U2Proxy Kerberos protocol extensions -allow an intermediate service to acquire credentials from a client to -a target service without requiring the client to delegate a -ticket-granting ticket, if the KDC is configured to allow it. - -To perform a constrained delegation operation, the intermediate -service must submit to the KDC an ``evidence ticket'' from the client to -the intermediate service with the forwardable bit set. An evidence -ticket can be acquired when the client authenticates to the -intermediate service with Kerberos, or with an S4U2Self request if the -KDC allows it. The MIT krb5 GSSAPI library represents an evidence -ticket using a ``proxy credential'', which is a special kind of -gss\_cred\_id\_t object whose underlying credential cache contains the -evidence ticket and a krbtgt ticket for the intermediate service. - -To acquire a proxy credential during client authentication, the -service should first create an acceptor credential using the -\textbf{GSS\_C\_BOTH} usage. The application should then pass this -credential as the \emph{acceptor\_cred\_handle} to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.1}{gss\_accept\_sec\_context}, -and also pass a \emph{delegated\_cred\_handle} output parameter to receive a -proxy credential containing the evidence ticket. The output value of -\emph{delegated\_cred\_handle} may be a delegated ticket-granting ticket if -the client sent one, or a proxy credential if the client authenticated -with a forwardable service ticket, or \textbf{GSS\_C\_NO\_CREDENTIAL} if -neither is the case. - -To acquire a proxy credential using an S4U2Self request, the service -can use the following GSSAPI extension: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 gss\PYGZus{}acquire\PYGZus{}cred\PYGZus{}impersonate\PYGZus{}name(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t icred, - gss\PYGZus{}name\PYGZus{}t desired\PYGZus{}name, - OM\PYGZus{}uint32 time\PYGZus{}req, - gss\PYGZus{}OID\PYGZus{}set desired\PYGZus{}mechs, - gss\PYGZus{}cred\PYGZus{}usage\PYGZus{}t cred\PYGZus{}usage, - gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *output\PYGZus{}cred, - gss\PYGZus{}OID\PYGZus{}set *actual\PYGZus{}mechs, - OM\PYGZus{}uint32 *time\PYGZus{}rec); -\end{Verbatim} - -The parameters to this function are similar to those of -\href{http://tools.ietf.org/html/rfc2744.html\#section-5.2}{gss\_acquire\_cred}, except that \emph{icred} is used to make an S4U2Self -request to the KDC for a ticket from \emph{desired\_name} to the -intermediate service. Both \emph{icred} and \emph{desired\_name} are required -for this function; passing \textbf{GSS\_C\_NO\_CREDENTIAL} or -\textbf{GSS\_C\_NO\_NAME} will cause the call to fail. \emph{icred} must contain a -krbtgt ticket for the intermediate service. If the KDC returns a -forwardable ticket, the result of this operation is a proxy -credential; if it is not forwardable, the result is a regular -credential for \emph{desired\_name}. - -A recent KDC will usually allow any service to acquire a ticket from a -client to itself with an S4U2Self request, but the ticket will only be -forwardable if the service has a specific privilege. In the MIT krb5 -KDC, this privilege is determined by the \textbf{ok\_to\_auth\_as\_delegate} -bit on the intermediate service's principal entry, which can be -configured with \emph{kadmin(1)}. - -Once the intermediate service has a proxy credential, it can simply -pass it to \href{http://tools.ietf.org/html/rfc2744.html\#section-5.19}{gss\_init\_sec\_context} as the \emph{initiator\_cred\_handle} -parameter, and the desired service as the \emph{target\_name} parameter. -The GSSAPI library will present the krbtgt ticket and evidence ticket -in the proxy credential to the KDC in an S4U2Proxy request; if the -intermediate service has the appropriate permissions, the KDC will -issue a ticket from the client to the target service. The GSSAPI -library will then use this ticket to authenticate to the target -service. - - -\section{AEAD message wrapping} -\label{appdev/gssapi:aead-message-wrapping} -The following GSSAPI extensions (declared in -\code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can be used to wrap and unwrap messages -with additional ``associated data'' which is integrity-checked but is -not included in the output buffer: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}aead(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - int conf\PYGZus{}req\PYGZus{}flag, gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, - gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}assoc\PYGZus{}buffer, - gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}payload\PYGZus{}buffer, - int *conf\PYGZus{}state, - gss\PYGZus{}buffer\PYGZus{}t output\PYGZus{}message\PYGZus{}buffer); - -OM\PYGZus{}uint32 gss\PYGZus{}unwrap\PYGZus{}aead(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}message\PYGZus{}buffer, - gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}assoc\PYGZus{}buffer, - gss\PYGZus{}buffer\PYGZus{}t output\PYGZus{}payload\PYGZus{}buffer, - int *conf\PYGZus{}state, - gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state); -\end{Verbatim} - -Wrap tokens created with gss\_wrap\_aead will successfully unwrap only -if the same \emph{input\_assoc\_buffer} contents are presented to -gss\_unwrap\_aead. - - -\section{IOV message wrapping} -\label{appdev/gssapi:iov-message-wrapping} -The following extensions (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can -be used for in-place encryption, fine-grained control over wrap token -layout, and for constructing wrap tokens compatible with Microsoft DCE -RPC: - -\begin{Verbatim}[commandchars=\\\{\}] -typedef struct gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc\PYGZus{}struct \PYGZob{} - OM\PYGZus{}uint32 type; - gss\PYGZus{}buffer\PYGZus{}desc buffer; -\PYGZcb{} gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc, *gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}t; - -OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - int conf\PYGZus{}req\PYGZus{}flag, gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, - int *conf\PYGZus{}state, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, int iov\PYGZus{}count); - -OM\PYGZus{}uint32 gss\PYGZus{}unwrap\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - int *conf\PYGZus{}state, gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, int iov\PYGZus{}count); - -OM\PYGZus{}uint32 gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - int conf\PYGZus{}req\PYGZus{}flag, - gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, int *conf\PYGZus{}state, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, - int iov\PYGZus{}count); - -OM\PYGZus{}uint32 gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, - int iov\PYGZus{}count); -\end{Verbatim} - -The caller of gss\_wrap\_iov provides an array of gss\_iov\_buffer\_desc -structures, each containing a type and a gss\_buffer\_desc structure. -Valid types include: -\begin{itemize} -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_DATA}: A data buffer to be included in the -token, and to be encrypted or decrypted in-place if the token is -confidentiality-protected. - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_HEADER}: The GSSAPI wrap token header and -underlying cryptographic header. - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_TRAILER}: The cryptographic trailer, if one is -required. - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_PADDING}: Padding to be combined with the data -during encryption and decryption. (The implementation may choose to -place padding in the trailer buffer, in which case it will set the -padding buffer length to 0.) - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_STREAM}: For unwrapping only, a buffer -containing a complete wrap token in standard format to be unwrapped. - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: A buffer to be included in the -token's integrity protection checksum, but not to be encrypted or -included in the token itself. - -\end{itemize} - -For gss\_wrap\_iov, the IOV list should contain one HEADER buffer, -followed by zero or more SIGN\_ONLY buffers, followed by one or more -DATA buffers, followed by a TRAILER buffer. The memory pointed to by -the buffers is not required to be contiguous or in any particular -order. If \emph{conf\_req\_flag} is true, DATA buffers will be encrypted -in-place, while SIGN\_ONLY buffers will not be modified. - -The type of an output buffer may be combined with -\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_wrap\_iov allocate -the buffer contents. If gss\_wrap\_iov allocates a buffer, it sets the -\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer type. -gss\_release\_iov\_buffer can be used to release all allocated buffers -within an iov list and unset their allocated flags. Here is an -example of how gss\_wrap\_iov can be used with allocation requested -(\emph{ctx} is assumed to be a previously established gss\_ctx\_id\_t): - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 major, minor; -gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[4]; -char str[] = \PYGZdq{}message\PYGZdq{}; - -iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; -iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; -iov[1].buffer.value = str; -iov[1].buffer.length = strlen(str); -iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; -iov[3].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; - -major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, - iov, 4); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); - -/* Transmit or otherwise use resulting buffers. */ - -(void)gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(\PYGZam{}minor, iov, 4); -\end{Verbatim} - -If the caller does not choose to request buffer allocation by -gss\_wrap\_iov, it should first call gss\_wrap\_iov\_length to query the -lengths of the HEADER, PADDING, and TRAILER buffers. DATA buffers -must be provided in the iov list so that padding length can be -computed correctly, but the output buffers need not be initialized. -Here is an example of using gss\_wrap\_iov\_length and gss\_wrap\_iov: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 major, minor; -gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[4]; -char str[1024] = \PYGZdq{}message\PYGZdq{}, *ptr; - -iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}HEADER; -iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; -iov[1].buffer.value = str; -iov[1].buffer.length = strlen(str); - -iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}PADDING; -iov[3].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}TRAILER; - -major = gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, - NULL, iov, 4); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); -if (strlen(str) + iov[0].buffer.length + iov[2].buffer.length + - iov[3].buffer.length \PYGZgt{} sizeof(str)) - handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error(); -ptr = str + strlen(str); -iov[0].buffer.value = ptr; -ptr += iov[0].buffer.length; -iov[2].buffer.value = ptr; -ptr += iov[2].buffer.length; -iov[3].buffer.value = ptr; - -major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, - iov, 4); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); -\end{Verbatim} - -If the context was established using the \textbf{GSS\_C\_DCE\_STYLE} flag -(described in \index{RFC!RFC 4757}\href{http://tools.ietf.org/html/rfc4757.html}{\textbf{RFC 4757}}), wrap tokens compatible with Microsoft DCE -RPC can be constructed. In this case, the IOV list must include a -SIGN\_ONLY buffer, a DATA buffer, a second SIGN\_ONLY buffer, and a -HEADER buffer in that order (the order of the buffer contents remains -arbitrary). The application must pad the DATA buffer to a multiple of -16 bytes as no padding or trailer buffer is used. - -gss\_unwrap\_iov may be called with an IOV list just like one which -would be provided to gss\_wrap\_iov. DATA buffers will be decrypted -in-place if they were encrypted, and SIGN\_ONLY buffers will not be -modified. - -Alternatively, gss\_unwrap\_iov may be called with a single STREAM -buffer, zero or more SIGN\_ONLY buffers, and a single DATA buffer. The -STREAM buffer is interpreted as a complete wrap token. The STREAM -buffer will be modified in-place to decrypt its contents. The DATA -buffer will be initialized to point to the decrypted data within the -STREAM buffer, unless it has the \textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} flag -set, in which case it will be initialized with a copy of the decrypted -data. Here is an example (\emph{token} and \emph{token\_len} are assumed to be a -pre-existing pointer and length for a modifiable region of data): - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 major, minor; -gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[2]; - -iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}STREAM; -iov[0].buffer.value = token; -iov[0].buffer.length = token\PYGZus{}len; -iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; -major = gss\PYGZus{}unwrap\PYGZus{}iov(\PYGZam{}minor, ctx, NULL, NULL, iov, 2); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); - -/* Decrypted data is in iov[1].buffer, pointing to a subregion of - * token. */ -\end{Verbatim} - - -\section{IOV MIC tokens} -\label{appdev/gssapi:gssapi-mic-token}\label{appdev/gssapi:iov-mic-tokens} -The following extensions (declared in \code{\textless{}gssapi/gssapi\_ext.h\textgreater{}}) can -be used in release 1.12 or later to construct and verify MIC tokens -using an IOV list: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, - int iov\PYGZus{}count); - -OM\PYGZus{}uint32 gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov\PYGZus{}length(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - gss\PYGZus{}qop\PYGZus{}t qop\PYGZus{}req, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, - iov\PYGZus{}count); - -OM\PYGZus{}uint32 gss\PYGZus{}verify\PYGZus{}mic\PYGZus{}iov(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t context\PYGZus{}handle, - gss\PYGZus{}qop\PYGZus{}t *qop\PYGZus{}state, - gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc *iov, - int iov\PYGZus{}count); -\end{Verbatim} - -The caller of gss\_get\_mic\_iov provides an array of gss\_iov\_buffer\_desc -structures, each containing a type and a gss\_buffer\_desc structure. -Valid types include: -\begin{itemize} -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_DATA} and \textbf{GSS\_C\_BUFFER\_TYPE\_SIGN\_ONLY}: The -corresponding buffer for each of these types will be signed for the -MIC token, in the order provided. - -\item {} -\textbf{GSS\_C\_BUFFER\_TYPE\_MIC\_TOKEN}: The GSSAPI MIC token. - -\end{itemize} - -The type of the MIC\_TOKEN buffer may be combined with -\textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATE} to request that gss\_get\_mic\_iov -allocate the buffer contents. If gss\_get\_mic\_iov allocates the -buffer, it sets the \textbf{GSS\_C\_BUFFER\_FLAG\_ALLOCATED} flag on the buffer -type. gss\_release\_iov\_buffer can be used to release all allocated -buffers within an iov list and unset their allocated flags. Here is -an example of how gss\_get\_mic\_iov can be used with allocation -requested (\emph{ctx} is assumed to be a previously established -gss\_ctx\_id\_t): - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 major, minor; -gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[3]; - -iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; -iov[0].buffer.value = \PYGZdq{}sign1\PYGZdq{}; -iov[0].buffer.length = 5; -iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}SIGN\PYGZus{}ONLY; -iov[1].buffer.value = \PYGZdq{}sign2\PYGZdq{}; -iov[1].buffer.length = 5; -iov[2].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN \textbar{} GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}FLAG\PYGZus{}ALLOCATE; - -major = gss\PYGZus{}get\PYGZus{}mic\PYGZus{}iov(\PYGZam{}minor, ctx, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, iov, 3); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); - -/* Transmit or otherwise use iov[2].buffer. */ - -(void)gss\PYGZus{}release\PYGZus{}iov\PYGZus{}buffer(\PYGZam{}minor, iov, 3); -\end{Verbatim} - -If the caller does not choose to request buffer allocation by -gss\_get\_mic\_iov, it should first call gss\_get\_mic\_iov\_length to query -the length of the MIC\_TOKEN buffer. Here is an example of using -gss\_get\_mic\_iov\_length and gss\_get\_mic\_iov: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 major, minor; -gss\PYGZus{}iov\PYGZus{}buffer\PYGZus{}desc iov[2]; -char data[1024]; - -iov[0].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}MIC\PYGZus{}TOKEN; -iov[1].type = GSS\PYGZus{}IOV\PYGZus{}BUFFER\PYGZus{}TYPE\PYGZus{}DATA; -iov[1].buffer.value = \PYGZdq{}message\PYGZdq{}; -iov[1].buffer.length = 7; - -major = gss\PYGZus{}wrap\PYGZus{}iov\PYGZus{}length(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, - NULL, iov, 2); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); -if (iov[0].buffer.length \PYGZgt{} sizeof(data)) - handle\PYGZus{}out\PYGZus{}of\PYGZus{}space\PYGZus{}error(); -iov[0].buffer.value = data; - -major = gss\PYGZus{}wrap\PYGZus{}iov(\PYGZam{}minor, ctx, 1, GSS\PYGZus{}C\PYGZus{}QOP\PYGZus{}DEFAULT, NULL, - iov, 2); -if (GSS\PYGZus{}ERROR(major)) - handle\PYGZus{}error(major, minor); -\end{Verbatim} - - -\chapter{Differences between Heimdal and MIT Kerberos API} -\label{appdev/h5l_mit_apidiff:differences-between-heimdal-and-mit-kerberos-api}\label{appdev/h5l_mit_apidiff::doc} -\begin{tabulary}{\linewidth}{|l|l|} -\hline - -{\hyperref[appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs]{\code{krb5\_auth\_con\_getaddrs()}}} - & -H5l: If either of the pointers to local\_addr -and remote\_addr is not NULL, it is freed -first and then reallocated before being -populated with the content of corresponding -address from authentication context. -\\ -\hline -{\hyperref[appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs]{\code{krb5\_auth\_con\_setaddrs()}}} - & -H5l: If either address is NULL, the previous -address remains in place -\\ -\hline -{\hyperref[appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports]{\code{krb5\_auth\_con\_setports()}}} - & -H5l: Not implemented as of version 1.3.3 -\\ -\hline -{\hyperref[appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey]{\code{krb5\_auth\_con\_setrecvsubkey()}}} - & -H5l: If either port is NULL, the previous -port remains in place -\\ -\hline -{\hyperref[appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey]{\code{krb5\_auth\_con\_setsendsubkey()}}} - & -H5l: Not implemented as of version 1.3.3 -\\ -\hline -{\hyperref[appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config]{\code{krb5\_cc\_set\_config()}}} - & -MIT: Before version 1.10 it was assumed that -the last argument \emph{data} is ALWAYS non-zero. -\\ -\hline -{\hyperref[appdev/refs/api/krb5_cccol_last_change_time:c.krb5_cccol_last_change_time]{\code{krb5\_cccol\_last\_change\_time()}}} - & -H5l takes 3 arguments: krb5\_context context, -const char *type, krb5\_timestamp *change\_time -MIT takes two arguments: krb5\_context context, -krb5\_timestamp *change\_time -\\ -\hline -{\hyperref[appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm]{\code{krb5\_set\_default\_realm()}}} - & -H5l: Caches the computed default realm context -field. If the second argument is NULL, -it tries to retrieve it from libdefaults or DNS. -MIT: Computes the default realm each time -if it wasn't explicitly set in the context -\\ -\hline\end{tabulary} - - - -\chapter{Initial credentials} -\label{appdev/init_creds:initial-credentials}\label{appdev/init_creds::doc} -Software that performs tasks such as logging users into a computer -when they type their Kerberos password needs to get initial -credentials (usually ticket granting tickets) from Kerberos. Such -software shares some behavior with the \emph{kinit(1)} program. - -Whenever a program grants access to a resource (such as a local login -session on a desktop computer) based on a user successfully getting -initial Kerberos credentials, it must verify those credentials against -a secure shared secret (e.g., a host keytab) to ensure that the user -credentials actually originate from a legitimate KDC. Failure to -perform this verification is a critical vulnerability, because a -malicious user can execute the ``Zanarotti attack'': the user constructs -a fake response that appears to come from the legitimate KDC, but -whose contents come from an attacker-controlled KDC. - -Some applications read a Kerberos password over the network (ideally -over a secure channel), which they then verify against the KDC. While -this technique may be the only practical way to integrate Kerberos -into some existing legacy systems, its use is contrary to the original -design goals of Kerberos. - -The function {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} will get initial -credentials for a client using a password. An application that needs -to verify the credentials can call {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}}. -Here is an example of code to obtain and verify TGT credentials, given -strings \emph{princname} and \emph{password} for the client principal name and -password: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}error\PYGZus{}code ret; -krb5\PYGZus{}creds creds; -krb5\PYGZus{}principal client\PYGZus{}princ = NULL; - -memset(\PYGZam{}creds, 0, sizeof(creds)); -ret = krb5\PYGZus{}parse\PYGZus{}name(context, princname, \PYGZam{}client\PYGZus{}princ); -if (ret) - goto cleanup; -ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, - password, NULL, NULL, 0, NULL, NULL); -if (ret) - goto cleanup; -ret = krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds(context, \PYGZam{}creds, NULL, NULL, NULL, NULL); - -cleanup: -krb5\PYGZus{}free\PYGZus{}principal(context, client\PYGZus{}princ); -krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); -return ret; -\end{Verbatim} - - -\section{Options for get\_init\_creds} -\label{appdev/init_creds:options-for-get-init-creds} -The function {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} takes an options -parameter (which can be a null pointer). Use the function -{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc]{\code{krb5\_get\_init\_creds\_opt\_alloc()}}} to allocate an options -structure, and {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free]{\code{krb5\_get\_init\_creds\_opt\_free()}}} to free it. For -example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}error\PYGZus{}code ret; -krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt *opt = NULL; -krb5\PYGZus{}creds creds; - -memset(\PYGZam{}creds, 0, sizeof(creds)); -ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc(context, \PYGZam{}opt); -if (ret) - goto cleanup; -krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}tkt\PYGZus{}life(opt, 24 * 60 * 60); -ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, - password, NULL, NULL, 0, NULL, opt); -if (ret) - goto cleanup; - -cleanup: -krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free(context, opt); -krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); -return ret; -\end{Verbatim} - - -\section{Getting anonymous credentials} -\label{appdev/init_creds:getting-anonymous-credentials} -As of release 1.8, it is possible to obtain fully anonymous or -partially anonymous (realm-exposed) credentials, if the KDC supports -it. The MIT KDC supports issuing fully anonymous credentials as of -release 1.8 if configured appropriately (see \emph{anonymous\_pkinit}), -but does not support issuing realm-exposed anonymous credentials at -this time. - -To obtain fully anonymous credentials, call -{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous]{\code{krb5\_get\_init\_creds\_opt\_set\_anonymous()}}} on the options -structure to set the anonymous flag, and specify a client principal -with the KDC's realm and a single empty data component (the principal -obtained by parsing \code{@}\emph{realmname}). Authentication will take -place using anonymous PKINIT; if successful, the client principal of -the resulting tickets will be -\code{WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS}. Here is an example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}anonymous(opt, 1); -ret = krb5\PYGZus{}build\PYGZus{}principal(context, \PYGZam{}client\PYGZus{}princ, strlen(myrealm), - myrealm, \PYGZdq{}\PYGZdq{}, (char *)NULL); -if (ret) - goto cleanup; -ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, - password, NULL, NULL, 0, NULL, opt); -if (ret) - goto cleanup; -\end{Verbatim} - -To obtain realm-exposed anonymous credentials, set the anonymous flag -on the options structure as above, but specify a normal client -principal in order to prove membership in the realm. Authentication -will take place as it normally does; if successful, the client -principal of the resulting tickets will be \code{WELLKNOWN/ANONYMOUS@}\emph{realmname}. - - -\section{User interaction} -\label{appdev/init_creds:user-interaction} -Authenticating a user usually requires the entry of secret -information, such as a password. A password can be supplied directly -to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} via the \emph{password} -parameter, or the application can supply prompter and/or responder -callbacks instead. If callbacks are used, the user can also be -queried for other secret information such as a PIN, informed of -impending password expiration, or prompted to change a password which -has expired. - - -\subsection{Prompter callback} -\label{appdev/init_creds:prompter-callback} -A prompter callback can be specified via the \emph{prompter} and \emph{data} -parameters to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}}. The prompter -will be invoked each time the krb5 library has a question to ask or -information to present. When the prompter callback is invoked, the -\emph{banner} argument (if not null) is intended to be displayed to the -user, and the questions to be answered are specified in the \emph{prompts} -array. Each prompt contains a text question in the \emph{prompt} field, a -\emph{hidden} bit to indicate whether the answer should be hidden from -display, and a storage area for the answer in the \emph{reply} field. The -callback should fill in each question's \code{reply-\textgreater{}data} with the -answer, up to a maximum number of \code{reply-\textgreater{}length} bytes, and then -reset \code{reply-\textgreater{}length} to the length of the answer. - -A prompter callback can call {\hyperref[appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types]{\code{krb5\_get\_prompt\_types()}}} to get an -array of type constants corresponding to the prompts, to get -programmatic information about the semantic meaning of the questions. -{\hyperref[appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types]{\code{krb5\_get\_prompt\_types()}}} may return a null pointer if no prompt -type information is available. - -Text-based applications can use a built-in text prompter -implementation by supplying {\hyperref[appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix]{\code{krb5\_prompter\_posix()}}} as the -\emph{prompter} parameter and a null pointer as the \emph{data} parameter. For -example: - -\begin{Verbatim}[commandchars=\\\{\}] -ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, - NULL, krb5\PYGZus{}prompter\PYGZus{}posix, NULL, 0, - NULL, NULL); -\end{Verbatim} - - -\subsection{Responder callback} -\label{appdev/init_creds:responder-callback} -A responder callback can be specified through the init\_creds options -using the {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder]{\code{krb5\_get\_init\_creds\_opt\_set\_responder()}}} function. -Responder callbacks can present a more sophisticated user interface -for authentication secrets. The responder callback is usually invoked -only once per authentication, with a list of questions produced by all -of the allowed preauthentication mechanisms. - -When the responder callback is invoked, the \emph{rctx} argument can be -accessed to obtain the list of questions and to answer them. The -{\hyperref[appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions]{\code{krb5\_responder\_list\_questions()}}} function retrieves an array of -question types. For each question type, the -{\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} function retrieves additional -information about the question, if applicable, and the -{\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} function sets the answer. - -Responder question types, challenges, and answers are UTF-8 strings. -The question type is a well-known string; the meaning of the challenge -and answer depend on the question type. If an application does not -understand a question type, it cannot interpret the challenge or -provide an answer. Failing to answer a question typically results in -the prompter callback being used as a fallback. - - -\subsubsection{Password question} -\label{appdev/init_creds:password-question} -The \code{KRB5\_RESPONDER\_QUESTION\_PASSWORD} (or \code{"password"}) -question type requests the user's password. This question does not -have a challenge, and the response is simply the password string. - - -\subsubsection{One-time password question} -\label{appdev/init_creds:one-time-password-question} -The \code{KRB5\_RESPONDER\_QUESTION\_OTP} (or \code{"otp"}) question -type requests a choice among one-time password tokens and the PIN and -value for the chosen token. The challenge and answer are JSON-encoded -strings, but an application can use convenience functions to avoid -doing any JSON processing itself. - -The {\hyperref[appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge]{\code{krb5\_responder\_otp\_get\_challenge()}}} function decodes the -challenge into a krb5\_responder\_otp\_challenge structure. The -{\hyperref[appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer]{\code{krb5\_responder\_otp\_set\_answer()}}} function selects one of the -token information elements from the challenge and supplies the value -and pin for that token. - - -\subsubsection{PKINIT password or PIN question} -\label{appdev/init_creds:pkinit-password-or-pin-question} -The \code{KRB5\_RESPONDER\_QUESTION\_PKINIT} (or \code{"pkinit"}) question -type requests PINs for hardware devices and/or passwords for encrypted -credentials which are stored on disk, potentially also supplying -information about the state of the hardware devices. The challenge and -answer are JSON-encoded strings, but an application can use convenience -functions to avoid doing any JSON processing itself. - -The {\hyperref[appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge]{\code{krb5\_responder\_pkinit\_get\_challenge()}}} function decodes the -challenges into a krb5\_responder\_pkinit\_challenge structure. The -{\hyperref[appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer]{\code{krb5\_responder\_pkinit\_set\_answer()}}} function can be used to -supply the PIN or password for a particular client credential, and can -be called multiple times. - - -\subsubsection{Example} -\label{appdev/init_creds:example} -Here is an example of using a responder callback: - -\begin{Verbatim}[commandchars=\\\{\}] -static krb5\PYGZus{}error\PYGZus{}code -my\PYGZus{}responder(krb5\PYGZus{}context context, void *data, - krb5\PYGZus{}responder\PYGZus{}context rctx) -\PYGZob{} - krb5\PYGZus{}error\PYGZus{}code ret; - krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge *chl; - - if (krb5\PYGZus{}responder\PYGZus{}get\PYGZus{}challenge(context, rctx, - KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD)) \PYGZob{} - ret = krb5\PYGZus{}responder\PYGZus{}set\PYGZus{}answer(context, rctx, - KRB5\PYGZus{}RESPONDER\PYGZus{}QUESTION\PYGZus{}PASSWORD, - \PYGZdq{}open sesame\PYGZdq{}); - if (ret) - return ret; - \PYGZcb{} - ret = krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}get\PYGZus{}challenge(context, rctx, \PYGZam{}chl); - if (ret == 0 \PYGZam{}\PYGZam{} chl != NULL) \PYGZob{} - ret = krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}set\PYGZus{}answer(context, rctx, 0, \PYGZdq{}1234\PYGZdq{}, - NULL); - krb5\PYGZus{}responder\PYGZus{}otp\PYGZus{}challenge\PYGZus{}free(context, rctx, chl); - if (ret) - return ret; - \PYGZcb{} - return 0; -\PYGZcb{} - -static krb5\PYGZus{}error\PYGZus{}code -get\PYGZus{}creds(krb5\PYGZus{}context context, krb5\PYGZus{}principal client\PYGZus{}princ) -\PYGZob{} - krb5\PYGZus{}error\PYGZus{}code ret; - krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt *opt = NULL; - krb5\PYGZus{}creds creds; - - memset(\PYGZam{}creds, 0, sizeof(creds)); - ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}alloc(context, \PYGZam{}opt); - if (ret) - goto cleanup; - ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}responder(context, opt, my\PYGZus{}responder, - NULL); - if (ret) - goto cleanup; - ret = krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}password(context, \PYGZam{}creds, client\PYGZus{}princ, - NULL, NULL, NULL, 0, NULL, opt); - -cleanup: - krb5\PYGZus{}get\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}free(context, opt); - krb5\PYGZus{}free\PYGZus{}cred\PYGZus{}contents(context, \PYGZam{}creds); - return ret; -\PYGZcb{} -\end{Verbatim} - - -\section{Verifying initial credentials} -\label{appdev/init_creds:verifying-initial-credentials} -Use the function {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} to verify initial -credentials. It takes an options structure (which can be a null -pointer). Use {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init]{\code{krb5\_verify\_init\_creds\_opt\_init()}}} to initialize -the caller-allocated options structure, and -{\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail]{\code{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail()}}} to set the -``nofail'' option. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt vopt; - -krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}init(\PYGZam{}vopt); -krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds\PYGZus{}opt\PYGZus{}set\PYGZus{}ap\PYGZus{}req\PYGZus{}nofail(\PYGZam{}vopt, 1); -ret = krb5\PYGZus{}verify\PYGZus{}init\PYGZus{}creds(context, \PYGZam{}creds, NULL, NULL, NULL, \PYGZam{}vopt); -\end{Verbatim} - -The confusingly named ``nofail'' option, when set, means that the -verification must actually succeed in order for -{\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} to indicate success. The default -state of this option (cleared) means that if there is no key material -available to verify the user credentials, the verification will -succeed anyway. (The default can be changed by a configuration file -setting.) - -This accommodates a use case where a large number of unkeyed shared -desktop workstations need to allow users to log in using Kerberos. -The security risks from this practice are mitigated by the absence of -valuable state on the shared workstations---any valuable resources -that the users would access reside on networked servers. - - -\chapter{Principal manipulation and parsing} -\label{appdev/princ_handle:principal-manipulation-and-parsing}\label{appdev/princ_handle::doc} -Kerberos principal structure - -{\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} - -{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{\code{krb5\_principal}}} - -Create and free principal - -{\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} - -{\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} - -{\hyperref[appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext]{\code{krb5\_build\_principal\_ext()}}} - -{\hyperref[appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal]{\code{krb5\_copy\_principal()}}} - -{\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} - -{\hyperref[appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal]{\code{krb5\_cc\_get\_principal()}}} - -Comparing - -{\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} - -{\hyperref[appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags]{\code{krb5\_principal\_compare\_flags()}}} - -{\hyperref[appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm]{\code{krb5\_principal\_compare\_any\_realm()}}} - -{\hyperref[appdev/refs/api/krb5_sname_match:c.krb5_sname_match]{\code{krb5\_sname\_match()}}} - -{\hyperref[appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal]{\code{krb5\_sname\_to\_principal()}}} - -Parsing: - -{\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} - -{\hyperref[appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags]{\code{krb5\_parse\_name\_flags()}}} - -{\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} - -{\hyperref[appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags]{\code{krb5\_unparse\_name\_flags()}}} - -Utilities: - -{\hyperref[appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal]{\code{krb5\_is\_config\_principal()}}} - -{\hyperref[appdev/refs/api/krb5_kuserok:c.krb5_kuserok]{\code{krb5\_kuserok()}}} - -{\hyperref[appdev/refs/api/krb5_set_password:c.krb5_set_password]{\code{krb5\_set\_password()}}} - -{\hyperref[appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache]{\code{krb5\_set\_password\_using\_ccache()}}} - -{\hyperref[appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm]{\code{krb5\_set\_principal\_realm()}}} - -{\hyperref[appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare]{\code{krb5\_realm\_compare()}}} - - -\chapter{Complete reference - API and datatypes} -\label{appdev/refs/index:complete-reference-api-and-datatypes}\label{appdev/refs/index::doc} - -\section{krb5 API} -\label{appdev/refs/api/index:krb5-api}\label{appdev/refs/api/index::doc} - -\subsection{Frequently used public interfaces} -\label{appdev/refs/api/index:frequently-used-public-interfaces} - -\subsubsection{krb5\_build\_principal - Build a principal name using null-terminated strings.} -\label{appdev/refs/api/krb5_build_principal:krb5-build-principal-build-a-principal-name-using-null-terminated-strings}\label{appdev/refs/api/krb5_build_principal::doc}\index{krb5\_build\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_build_principal:c.krb5_build_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, ...}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{princ} - Principal name - -\textbf{{[}in{]}} \textbf{rlen} - Realm name length - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Call {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{princ} when it is no longer needed. - -\begin{notice}{note}{Note:} -{\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} and {\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} perform the same task. {\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} takes variadic arguments. {\hyperref[appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va]{\code{krb5\_build\_principal\_alloc\_va()}}} takes a pre-computed \emph{varargs} pointer. -\end{notice} - - -\subsubsection{krb5\_build\_principal\_alloc\_va - Build a principal name, using a precomputed variable argument list.} -\label{appdev/refs/api/krb5_build_principal_alloc_va:krb5-build-principal-alloc-va-build-a-principal-name-using-a-precomputed-variable-argument-list}\label{appdev/refs/api/krb5_build_principal_alloc_va::doc}\index{krb5\_build\_principal\_alloc\_va (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_build_principal_alloc_va:c.krb5_build_principal_alloc_va}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_alloc\_va}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, va\_list\emph{ ap}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{princ} - Principal structure - -\textbf{{[}in{]}} \textbf{rlen} - Realm name length - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\textbf{{[}in{]}} \textbf{ap} - List of char * components, ending with NULL - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Similar to {\hyperref[appdev/refs/api/krb5_build_principal:c.krb5_build_principal]{\code{krb5\_build\_principal()}}} , this function builds a principal name, but its name components are specified as a va\_list. - -Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to deallocate \emph{princ} when it is no longer needed. - - -\subsubsection{krb5\_build\_principal\_ext - Build a principal name using length-counted strings.} -\label{appdev/refs/api/krb5_build_principal_ext:krb5-build-principal-ext-build-a-principal-name-using-length-counted-strings}\label{appdev/refs/api/krb5_build_principal_ext::doc}\index{krb5\_build\_principal\_ext (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_build_principal_ext:c.krb5_build_principal_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, ...}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{princ} - Principal name - -\textbf{{[}in{]}} \textbf{rlen} - Realm name length - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a principal from a length-counted string and a variable-length list of length-counted components. The list of components ends with the first 0 length argument (so it is not possible to specify an empty component with this function). Call {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free allocated memory for principal when it is no longer needed. - - -\subsubsection{krb5\_cc\_close - Close a credential cache handle.} -\label{appdev/refs/api/krb5_cc_close:krb5-cc-close-close-a-credential-cache-handle}\label{appdev/refs/api/krb5_cc_close::doc}\index{krb5\_cc\_close (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_close:c.krb5_cc_close}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_close}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function closes a credential cache handle \emph{cache} without affecting the contents of the cache. - - -\subsubsection{krb5\_cc\_default - Resolve the default credential cache name.} -\label{appdev/refs/api/krb5_cc_default::doc}\label{appdev/refs/api/krb5_cc_default:krb5-cc-default-resolve-the-default-credential-cache-name}\index{krb5\_cc\_default (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_default:c.krb5_cc_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{ccache} - Pointer to credential cache name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KV5M\_CONTEXT Bad magic number for \_krb5\_context structure - -\item {} -KRB5\_FCC\_INTERNAL The name of the default credential cache cannot be obtained - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Create a handle to the default credential cache as given by {\hyperref[appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name]{\code{krb5\_cc\_default\_name()}}} . - - -\subsubsection{krb5\_cc\_default\_name - Return the name of the default credential cache.} -\label{appdev/refs/api/krb5_cc_default_name::doc}\label{appdev/refs/api/krb5_cc_default_name:krb5-cc-default-name-return-the-name-of-the-default-credential-cache}\index{krb5\_cc\_default\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -Name of default credential cache for the current user. - -\end{itemize} - -\end{description}\end{quote} - -Return a pointer to the default credential cache name for \emph{context} , as determined by a prior call to {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} , by the KRB5CCNAME environment variable, by the default\_ccache\_name profile variable, or by the operating system or build-time default value. The returned value must not be modified or freed by the caller. The returned value becomes invalid when \emph{context} is destroyed {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} or if a subsequent call to {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} is made on \emph{context} . - -The default credential cache name is cached in \emph{context} between calls to this function, so if the value of KRB5CCNAME changes in the process environment after the first call to this function on, that change will not be reflected in later calls with the same context. The caller can invoke {\hyperref[appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name]{\code{krb5\_cc\_set\_default\_name()}}} with a NULL value of \emph{name} to clear the cached value and force the default name to be recomputed. - - -\subsubsection{krb5\_cc\_destroy - Destroy a credential cache.} -\label{appdev/refs/api/krb5_cc_destroy:krb5-cc-destroy-destroy-a-credential-cache}\label{appdev/refs/api/krb5_cc_destroy::doc}\index{krb5\_cc\_destroy (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_destroy:c.krb5_cc_destroy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_destroy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Permission errors - -\end{itemize} - -\end{description}\end{quote} - -This function destroys any existing contents of \emph{cache} and closes the handle to it. - - -\subsubsection{krb5\_cc\_dup - Duplicate ccache handle.} -\label{appdev/refs/api/krb5_cc_dup:krb5-cc-dup-duplicate-ccache-handle}\label{appdev/refs/api/krb5_cc_dup::doc}\index{krb5\_cc\_dup (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_dup:c.krb5_cc_dup}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_dup}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ in}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{in} - Credential cache handle to be duplicated - -\textbf{{[}out{]}} \textbf{out} - Credential cache handle - -\end{description}\end{quote} - -Create a new handle referring to the same cache as \emph{in} . The new handle and \emph{in} can be closed independently. - - -\subsubsection{krb5\_cc\_get\_name - Retrieve the name, but not type of a credential cache.} -\label{appdev/refs/api/krb5_cc_get_name::doc}\label{appdev/refs/api/krb5_cc_get_name:krb5-cc-get-name-retrieve-the-name-but-not-type-of-a-credential-cache}\index{krb5\_cc\_get\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_name:c.krb5_cc_get_name}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_get\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -On success - the name of the credential cache. - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{warning}{Warning:} -Returns the name of the credential cache. The result is an alias into \emph{cache} and should not be freed or modified by the caller. This name does not include the cache type, so should not be used as input to {\hyperref[appdev/refs/api/krb5_cc_resolve:c.krb5_cc_resolve]{\code{krb5\_cc\_resolve()}}} . -\end{notice} - - -\subsubsection{krb5\_cc\_get\_principal - Get the default principal of a credential cache.} -\label{appdev/refs/api/krb5_cc_get_principal:krb5-cc-get-principal-get-the-default-principal-of-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_principal::doc}\index{krb5\_cc\_get\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_principal:c.krb5_cc_get_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}out{]}} \textbf{principal} - Primary principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Returns the default client principal of a credential cache as set by {\hyperref[appdev/refs/api/krb5_cc_initialize:c.krb5_cc_initialize]{\code{krb5\_cc\_initialize()}}} . - -Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal} when it is no longer needed. - - -\subsubsection{krb5\_cc\_get\_type - Retrieve the type of a credential cache.} -\label{appdev/refs/api/krb5_cc_get_type:krb5-cc-get-type-retrieve-the-type-of-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_type::doc}\index{krb5\_cc\_get\_type (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_type:c.krb5_cc_get_type}\pysiglinewithargsret{const char * \bfcode{krb5\_cc\_get\_type}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -The type of a credential cache as an alias that must not be modified or freed by the caller. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_cc\_initialize - Initialize a credential cache.} -\label{appdev/refs/api/krb5_cc_initialize::doc}\label{appdev/refs/api/krb5_cc_initialize:krb5-cc-initialize-initialize-a-credential-cache}\index{krb5\_cc\_initialize (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_initialize:c.krb5_cc_initialize}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_initialize}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{principal} - Default principal name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -System errors; Permission errors; Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Destroy any existing contents of \emph{cache} and initialize it for the default principal \emph{principal} . - - -\subsubsection{krb5\_cc\_new\_unique - Create a new credential cache of the specified type with a unique name.} -\label{appdev/refs/api/krb5_cc_new_unique:krb5-cc-new-unique-create-a-new-credential-cache-of-the-specified-type-with-a-unique-name}\label{appdev/refs/api/krb5_cc_new_unique::doc}\index{krb5\_cc\_new\_unique (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_new_unique:c.krb5_cc_new_unique}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_new\_unique}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ type}, const char *\emph{ hint}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ id}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{type} - Credential cache type name - -\textbf{{[}in{]}} \textbf{hint} - Unused - -\textbf{{[}out{]}} \textbf{id} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_cc\_resolve - Resolve a credential cache name.} -\label{appdev/refs/api/krb5_cc_resolve:krb5-cc-resolve-resolve-a-credential-cache-name}\label{appdev/refs/api/krb5_cc_resolve::doc}\index{krb5\_cc\_resolve (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_resolve:c.krb5_cc_resolve}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_resolve}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - Credential cache name to be resolved - -\textbf{{[}out{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fills in \emph{cache} with a \emph{cache} handle that corresponds to the name in \emph{name} . \emph{name} should be of the form \textbf{type:residual} , and \emph{type} must be a type known to the library. If the \emph{name} does not contain a colon, interpret it as a file name. - - -\subsubsection{krb5\_change\_password - Change a password for an existing Kerberos account.} -\label{appdev/refs/api/krb5_change_password:krb5-change-password-change-a-password-for-an-existing-kerberos-account}\label{appdev/refs/api/krb5_change_password::doc}\index{krb5\_change\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_change_password:c.krb5_change_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_change\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, const char *\emph{ newpw}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{creds} - Credentials for kadmin/changepw service - -\textbf{{[}in{]}} \textbf{newpw} - New password - -\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server - -\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} - -\textbf{{[}out{]}} \textbf{result\_string} - Change password response from the KDC - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Change the password for the existing principal identified by \emph{creds} . - -The possible values of the output \emph{result\_code} are: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_KPASSWD_SUCCESS:KRB5_KPASSWD_SUCCESS]{\code{KRB5\_KPASSWD\_SUCCESS}}} (0) - success - -\item {} -{\hyperref[appdev/refs/macros/KRB5_KPASSWD_MALFORMED:KRB5_KPASSWD_MALFORMED]{\code{KRB5\_KPASSWD\_MALFORMED}}} (1) - Malformed request error - -\item {} -{\hyperref[appdev/refs/macros/KRB5_KPASSWD_HARDERROR:KRB5_KPASSWD_HARDERROR]{\code{KRB5\_KPASSWD\_HARDERROR}}} (2) - Server error - -\item {} -{\hyperref[appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:KRB5_KPASSWD_AUTHERROR]{\code{KRB5\_KPASSWD\_AUTHERROR}}} (3) - Authentication error - -\item {} -{\hyperref[appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:KRB5_KPASSWD_SOFTERROR]{\code{KRB5\_KPASSWD\_SOFTERROR}}} (4) - Password change rejected - -\end{itemize} - - -\subsubsection{krb5\_chpw\_message - Get a result message for changing or setting a password.} -\label{appdev/refs/api/krb5_chpw_message:krb5-chpw-message-get-a-result-message-for-changing-or-setting-a-password}\label{appdev/refs/api/krb5_chpw_message::doc}\index{krb5\_chpw\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_chpw_message:c.krb5_chpw_message}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_chpw\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ server\_string}, char **\emph{ message\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{server\_string} - Data returned from the remote system - -\textbf{{[}out{]}} \textbf{message\_out} - A message displayable to the user - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function processes the \emph{server\_string} returned in the \emph{result\_string} parameter of {\hyperref[appdev/refs/api/krb5_change_password:c.krb5_change_password]{\code{krb5\_change\_password()}}} , {\hyperref[appdev/refs/api/krb5_set_password:c.krb5_set_password]{\code{krb5\_set\_password()}}} , and related functions, and returns a displayable string. If \emph{server\_string} contains Active Directory structured policy information, it will be converted into human-readable text. - -Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{message\_out} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_expand\_hostname - Canonicalize a hostname, possibly using name service.} -\label{appdev/refs/api/krb5_expand_hostname:krb5-expand-hostname-canonicalize-a-hostname-possibly-using-name-service}\label{appdev/refs/api/krb5_expand_hostname::doc}\index{krb5\_expand\_hostname (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_expand_hostname:c.krb5_expand_hostname}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_expand\_hostname}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ host}, char **\emph{ canonhost\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{host} - Input hostname - -\textbf{{[}out{]}} \textbf{canonhost\_out} - Canonicalized hostname - -\end{description}\end{quote} - -This function canonicalizes orig\_hostname, possibly using name service lookups if configuration permits. Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{canonhost\_out} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.15 -\end{notice} - - -\subsubsection{krb5\_free\_context - Free a krb5 library context.} -\label{appdev/refs/api/krb5_free_context:krb5-free-context-free-a-krb5-library-context}\label{appdev/refs/api/krb5_free_context::doc}\index{krb5\_free\_context (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_context:c.krb5_free_context}\pysiglinewithargsret{void \bfcode{krb5\_free\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} - -This function frees a \emph{context} that was created by {\hyperref[appdev/refs/api/krb5_init_context:c.krb5_init_context]{\code{krb5\_init\_context()}}} or {\hyperref[appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context]{\code{krb5\_init\_secure\_context()}}} . - - -\subsubsection{krb5\_free\_error\_message - Free an error message generated by krb5\_get\_error\_message() .} -\label{appdev/refs/api/krb5_free_error_message:krb5-free-error-message-free-an-error-message-generated-by-krb5-get-error-message}\label{appdev/refs/api/krb5_free_error_message::doc}\index{krb5\_free\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_error_message:c.krb5_free_error_message}\pysiglinewithargsret{void \bfcode{krb5\_free\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, const char *\emph{ msg}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{msg} - Pointer to error message - -\end{description}\end{quote} - - -\subsubsection{krb5\_free\_principal - Free the storage assigned to a principal.} -\label{appdev/refs/api/krb5_free_principal::doc}\label{appdev/refs/api/krb5_free_principal:krb5-free-principal-free-the-storage-assigned-to-a-principal}\index{krb5\_free\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_principal:c.krb5_free_principal}\pysiglinewithargsret{void \bfcode{krb5\_free\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Principal to be freed - -\end{description}\end{quote} - - -\subsubsection{krb5\_fwd\_tgt\_creds - Get a forwarded TGT and format a KRB-CRED message.} -\label{appdev/refs/api/krb5_fwd_tgt_creds:krb5-fwd-tgt-creds-get-a-forwarded-tgt-and-format-a-krb-cred-message}\label{appdev/refs/api/krb5_fwd_tgt_creds::doc}\index{krb5\_fwd\_tgt\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_fwd_tgt_creds:c.krb5_fwd_tgt_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_fwd\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, char *\emph{ rhost}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cc}, int\emph{ forwardable}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{rhost} - Remote host - -\textbf{{[}in{]}} \textbf{client} - Client principal of TGT - -\textbf{{[}in{]}} \textbf{server} - Principal of server to receive TGT - -\textbf{{[}in{]}} \textbf{cc} - Credential cache handle (NULL to use default) - -\textbf{{[}in{]}} \textbf{forwardable} - Whether TGT should be forwardable - -\textbf{{[}out{]}} \textbf{outbuf} - KRB-CRED message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -ENOMEM Insufficient memory - -\item {} -KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match - -\item {} -KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket - -\item {} -KRB5\_CC\_BADNAME Credential cache name or principal name malformed - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Get a TGT for use at the remote host \emph{rhost} and format it into a KRB-CRED message. If \emph{rhost} is NULL and \emph{server} is of type {\hyperref[appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST]{\code{KRB5\_NT\_SRV\_HST}}} , the second component of \emph{server} will be used. - - -\subsubsection{krb5\_get\_default\_realm - Retrieve the default realm.} -\label{appdev/refs/api/krb5_get_default_realm:krb5-get-default-realm-retrieve-the-default-realm}\label{appdev/refs/api/krb5_get_default_realm::doc}\index{krb5\_get\_default\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_default_realm:c.krb5_get_default_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char **\emph{ lrealm}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{lrealm} - Default realm name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Retrieves the default realm to be used if no user-specified realm is available. - -Use {\hyperref[appdev/refs/api/krb5_free_default_realm:c.krb5_free_default_realm]{\code{krb5\_free\_default\_realm()}}} to free \emph{lrealm} when it is no longer needed. - - -\subsubsection{krb5\_get\_error\_message - Get the (possibly extended) error message for a code.} -\label{appdev/refs/api/krb5_get_error_message::doc}\label{appdev/refs/api/krb5_get_error_message:krb5-get-error-message-get-the-possibly-extended-error-message-for-a-code}\index{krb5\_get\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message}\pysiglinewithargsret{const char * \bfcode{krb5\_get\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{code} - Error code - -\end{description}\end{quote} - -The behavior of {\hyperref[appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message]{\code{krb5\_get\_error\_message()}}} is only defined the first time it is called after a failed call to a krb5 function using the same context, and only when the error code passed in is the same as that returned by the krb5 function. - -This function never returns NULL, so its result may be used unconditionally as a C string. - -The string returned by this function must be freed using {\hyperref[appdev/refs/api/krb5_free_error_message:c.krb5_free_error_message]{\code{krb5\_free\_error\_message()}}} - -\begin{notice}{note}{Note:} -Future versions may return the same string for the second and following calls. -\end{notice} - - -\subsubsection{krb5\_get\_host\_realm - Get the Kerberos realm names for a host.} -\label{appdev/refs/api/krb5_get_host_realm:krb5-get-host-realm-get-the-kerberos-realm-names-for-a-host}\label{appdev/refs/api/krb5_get_host_realm::doc}\index{krb5\_get\_host\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_host_realm:c.krb5_get_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ host}, char ***\emph{ realmsp}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{host} - Host name (or NULL) - -\textbf{{[}out{]}} \textbf{realmsp} - Null-terminated list of realm names - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -ENOMEM Insufficient memory - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fill in \emph{realmsp} with a pointer to a null-terminated list of realm names. If there are no known realms for the host, a list containing the referral (empty) realm is returned. - -If \emph{host} is NULL, the local host's realms are determined. - -Use {\hyperref[appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm]{\code{krb5\_free\_host\_realm()}}} to release \emph{realmsp} when it is no longer needed. - - -\subsubsection{krb5\_get\_credentials - Get an additional ticket.} -\label{appdev/refs/api/krb5_get_credentials:krb5-get-credentials-get-an-additional-ticket}\label{appdev/refs/api/krb5_get_credentials::doc}\index{krb5\_get\_credentials (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{options} - Options - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{in\_creds} - Input credentials - -\textbf{{[}out{]}} \textbf{out\_creds} - Output updated credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use \emph{ccache} or a TGS exchange to get a service ticket matching \emph{in\_creds} . - -Valid values for \emph{options} are: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_GC_CACHED:KRB5_GC_CACHED]{\code{KRB5\_GC\_CACHED}}} Search only credential cache for the ticket - -\item {} -{\hyperref[appdev/refs/macros/KRB5_GC_USER_USER:KRB5_GC_USER_USER]{\code{KRB5\_GC\_USER\_USER}}} Return a user to user authentication ticket - -\end{itemize} - -\emph{in\_creds} must be non-null. \emph{in\_creds-\textgreater{}client} and \emph{in\_creds-\textgreater{}server} must be filled in to specify the client and the server respectively. If any authorization data needs to be requested for the service ticket (such as restrictions on how the ticket can be used), specify it in \emph{in\_creds-\textgreater{}authdata} ; otherwise set \emph{in\_creds-\textgreater{}authdata} to NULL. The session key type is specified in \emph{in\_creds-\textgreater{}keyblock.enctype} , if it is nonzero. -\end{quote} - -The expiration date is specified in \emph{in\_creds-\textgreater{}times.endtime} . The KDC may return tickets with an earlier expiration date. If \emph{in\_creds-\textgreater{}times.endtime} is set to 0, the latest possible expiration date will be requested. - -Any returned ticket and intermediate ticket-granting tickets are stored in \emph{ccache} . - -Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{out\_creds} when it is no longer needed. - - -\subsubsection{krb5\_get\_fallback\_host\_realm} -\label{appdev/refs/api/krb5_get_fallback_host_realm:krb5-get-fallback-host-realm}\label{appdev/refs/api/krb5_get_fallback_host_realm::doc}\index{krb5\_get\_fallback\_host\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_fallback_host_realm:c.krb5_get_fallback_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_fallback\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ hdata}, char ***\emph{ realmsp}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{hdata} - Host name (or NULL) - -\textbf{{[}out{]}} \textbf{realmsp} - Null-terminated list of realm names - -\end{description}\end{quote} - -Fill in \emph{realmsp} with a pointer to a null-terminated list of realm names obtained through heuristics or insecure resolution methods which have lower priority than KDC referrals. - -If \emph{host} is NULL, the local host's realms are determined. - -Use {\hyperref[appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm]{\code{krb5\_free\_host\_realm()}}} to release \emph{realmsp} when it is no longer needed. - - -\subsubsection{krb5\_get\_init\_creds\_keytab - Get initial credentials using a key table.} -\label{appdev/refs/api/krb5_get_init_creds_keytab:krb5-get-init-creds-keytab-get-initial-credentials-using-a-key-table}\label{appdev/refs/api/krb5_get_init_creds_keytab::doc}\index{krb5\_get\_init\_creds\_keytab (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_keytab:c.krb5_get_init_creds_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ arg\_keytab}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, const char *\emph{ in\_tkt\_service}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ k5\_gic\_options}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{creds} - New credentials - -\textbf{{[}in{]}} \textbf{client} - Client principal - -\textbf{{[}in{]}} \textbf{arg\_keytab} - Key table handle - -\textbf{{[}in{]}} \textbf{start\_time} - Time when ticket becomes valid (0 for now) - -\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Service name of initial credentials (or NULL) - -\textbf{{[}in{]}} \textbf{k5\_gic\_options} - Initial credential options - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function requests KDC for an initial credentials for \emph{client} using a client key stored in \emph{arg\_keytab} . If \emph{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_alloc - Allocate a new initial credential options structure.} -\label{appdev/refs/api/krb5_get_init_creds_opt_alloc:krb5-get-init-creds-opt-alloc-allocate-a-new-initial-credential-options-structure}\label{appdev/refs/api/krb5_get_init_creds_opt_alloc::doc}\index{krb5\_get\_init\_creds\_opt\_alloc (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_alloc}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} **\emph{ opt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{opt} - New options structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 - Success; Kerberos errors otherwise. - -\end{itemize} - -\end{description}\end{quote} - -This function is the preferred way to create an options structure for getting initial credentials, and is required to make use of certain options. Use {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free]{\code{krb5\_get\_init\_creds\_opt\_free()}}} to free \emph{opt} when it is no longer needed. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_free - Free initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_free::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_free:krb5-get-init-creds-opt-free-free-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_free:c.krb5_get_init_creds_opt_free}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options structure to free - -\end{description}\end{quote} - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_get_init_creds_opt_alloc:c.krb5_get_init_creds_opt_alloc]{\code{krb5\_get\_init\_creds\_opt\_alloc()}}} - - - - -\subsubsection{krb5\_get\_init\_creds\_opt\_get\_fast\_flags - Retrieve FAST flags from initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:krb5-get-init-creds-opt-get-fast-flags-retrieve-fast-flags-from-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_get\_fast\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_get_fast_flags:c.krb5_get_init_creds_opt_get_fast_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_get\_fast\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ out\_flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}out{]}} \textbf{out\_flags} - FAST flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 - Success; Kerberos errors otherwise. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_address\_list - Set address restrictions in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:krb5-get-init-creds-opt-set-address-list-set-address-restrictions-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_address\_list (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_address_list:c.krb5_get_init_creds_opt_set_address_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_address\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ addresses}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{addresses} - Null-terminated array of addresses - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_anonymous - Set or unset the anonymous flag in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:krb5-get-init-creds-opt-set-anonymous-set-or-unset-the-anonymous-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous::doc}\index{krb5\_get\_init\_creds\_opt\_set\_anonymous (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_anonymous:c.krb5_get_init_creds_opt_set_anonymous}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_anonymous}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ anonymous}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{anonymous} - Whether to make an anonymous request - -\end{description}\end{quote} - -This function may be used to request anonymous credentials from the KDC by setting \emph{anonymous} to non-zero. Note that anonymous credentials are only a request; clients must verify that credentials are anonymous if that is a requirement. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_canonicalize - Set or unset the canonicalize flag in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:krb5-get-init-creds-opt-set-canonicalize-set-or-unset-the-canonicalize-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize::doc}\index{krb5\_get\_init\_creds\_opt\_set\_canonicalize (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_canonicalize:c.krb5_get_init_creds_opt_set_canonicalize}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_canonicalize}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ canonicalize}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{canonicalize} - Whether to canonicalize client principal - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt - Set or unset change-password-prompt flag in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:krb5-get-init-creds-opt-set-change-password-prompt-set-or-unset-change-password-prompt-flag-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_change_password_prompt:c.krb5_get_init_creds_opt_set_change_password_prompt}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_change\_password\_prompt}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ prompt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{prompt} - Whether to prompt to change password - -\end{description}\end{quote} - -This flag is on by default. It controls whether {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} will react to an expired-password error by prompting for a new password and attempting to change the old one. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_etype\_list - Set allowable encryption types in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:krb5-get-init-creds-opt-set-etype-list-set-allowable-encryption-types-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_etype\_list (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_etype_list:c.krb5_get_init_creds_opt_set_etype_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_etype\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ etype\_list}, int\emph{ etype\_list\_length}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{etype\_list} - Array of encryption types - -\textbf{{[}in{]}} \textbf{etype\_list\_length} - Length of \emph{etype\_list} - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_expire\_callback - Set an expiration callback in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:krb5-get-init-creds-opt-set-expire-callback-set-an-expiration-callback-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_expire\_callback (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_expire_callback:c.krb5_get_init_creds_opt_set_expire_callback}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_expire\_callback}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func]{krb5\_expire\_callback\_func}}\emph{ cb}, void *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{cb} - Callback function - -\textbf{{[}in{]}} \textbf{data} - Callback argument - -\end{description}\end{quote} - -Set a callback to receive password and account expiration times. - -This option only applies to {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} . \emph{cb} will be invoked if and only if credentials are successfully acquired. The callback will receive the \emph{context} from the {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} call and the \emph{data} argument supplied with this API. The remaining arguments should be interpreted as follows: - -If \emph{is\_last\_req} is true, then the KDC reply contained last-req entries which unambiguously indicated the password expiration, account expiration, or both. (If either value was not present, the corresponding argument will be 0.) Furthermore, a non-zero \emph{password\_expiration} should be taken as a suggestion from the KDC that a warning be displayed. - -If \emph{is\_last\_req} is false, then \emph{account\_expiration} will be 0 and \emph{password\_expiration} will contain the expiration time of either the password or account, or 0 if no expiration time was indicated in the KDC reply. The callback should independently decide whether to display a password expiration warning. - -Note that \emph{cb} may be invoked even if credentials are being acquired for the kadmin/changepw service in order to change the password. It is the caller's responsibility to avoid displaying a password expiry warning in this case. - -\begin{notice}{warning}{Warning:} -Setting an expire callback with this API will cause {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} not to send password expiry warnings to the prompter, as it ordinarily may. -\end{notice} - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache - Set FAST armor cache in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:krb5-get-init-creds-opt-set-fast-ccache-set-fast-armor-cache-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache:c.krb5_get_init_creds_opt_set_fast_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:c.krb5_get_init_creds_opt_set_fast_ccache_name]{\code{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name()}}} , but uses a credential cache handle instead of a name. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name - Set location of FAST armor ccache in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:krb5-get-init-creds-opt-set-fast-ccache-name-set-location-of-fast-armor-ccache-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name::doc}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_ccache_name:c.krb5_get_init_creds_opt_set_fast_ccache_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_ccache\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, const char *\emph{ fast\_ccache\_name}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}in{]}} \textbf{fast\_ccache\_name} - Credential cache name - -\end{description}\end{quote} - -Sets the location of a credential cache containing an armor ticket to protect an initial credential exchange using the FAST protocol extension. - -In version 1.7, setting an armor ccache requires that FAST be used for the exchange. In version 1.8 or later, setting the armor ccache causes FAST to be used if the KDC supports it; {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:c.krb5_get_init_creds_opt_set_fast_flags]{\code{krb5\_get\_init\_creds\_opt\_set\_fast\_flags()}}} must be used to require that FAST be used. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_fast\_flags - Set FAST flags in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:krb5-get-init-creds-opt-set-fast-flags-set-fast-flags-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags::doc}\index{krb5\_get\_init\_creds\_opt\_set\_fast\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_fast_flags:c.krb5_get_init_creds_opt_set_fast_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_fast\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}in{]}} \textbf{flags} - FAST flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 - Success; Kerberos errors otherwise. - -\end{itemize} - -\end{description}\end{quote} - -The following flag values are valid: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_FAST_REQUIRED:KRB5_FAST_REQUIRED]{\code{KRB5\_FAST\_REQUIRED}}} - Require FAST to be used - -\end{itemize} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_forwardable - Set or unset the forwardable flag in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:krb5-get-init-creds-opt-set-forwardable-set-or-unset-the-forwardable-flag-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable::doc}\index{krb5\_get\_init\_creds\_opt\_set\_forwardable (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_forwardable:c.krb5_get_init_creds_opt_set_forwardable}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_forwardable}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ forwardable}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{forwardable} - Whether credentials should be forwardable - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_in\_ccache - Set an input credential cache in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:krb5-get-init-creds-opt-set-in-ccache-set-an-input-credential-cache-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_in\_ccache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_in_ccache:c.krb5_get_init_creds_opt_set_in_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_in\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} - -If an input credential cache is set, then the krb5\_get\_init\_creds family of APIs will read settings from it. Setting an input ccache is desirable when the application wishes to perform authentication in the same way (using the same preauthentication mechanisms, and making the same non-security- sensitive choices) as the previous authentication attempt, which stored information in the passed-in ccache. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_out\_ccache - Set an output credential cache in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:krb5-get-init-creds-opt-set-out-ccache-set-an-output-credential-cache-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache::doc}\index{krb5\_get\_init\_creds\_opt\_set\_out\_ccache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_out_ccache:c.krb5_get_init_creds_opt_set_out_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_out\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} - -If an output credential cache is set, then the krb5\_get\_init\_creds family of APIs will write credentials to it. Setting an output ccache is desirable both because it simplifies calling code and because it permits the krb5\_get\_init\_creds APIs to write out configuration information about the realm to the ccache. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_pa - Supply options for preauthentication in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa:krb5-get-init-creds-opt-set-pa-supply-options-for-preauthentication-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_pa (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_pa:c.krb5_get_init_creds_opt_set_pa}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_pa}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, const char *\emph{ attr}, const char *\emph{ value}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{attr} - Preauthentication option name - -\textbf{{[}in{]}} \textbf{value} - Preauthentication option value - -\end{description}\end{quote} - -This function allows the caller to supply options for preauthentication. The values of \emph{attr} and \emph{value} are supplied to each preauthentication module available within \emph{context} . - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_pac\_request - Ask the KDC to include or not include a PAC in the ticket.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:krb5-get-init-creds-opt-set-pac-request-ask-the-kdc-to-include-or-not-include-a-pac-in-the-ticket}\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request::doc}\index{krb5\_get\_init\_creds\_opt\_set\_pac\_request (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_pac_request:c.krb5_get_init_creds_opt_set_pac_request}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_pac\_request}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ req\_pac}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{req\_pac} - Whether to request a PAC or not - -\end{description}\end{quote} - -If this option is set, the AS request will include a PAC-REQUEST pa-data item explicitly asking the KDC to either include or not include a privilege attribute certificate in the ticket authorization data. By default, no request is made; typically the KDC will default to including a PAC if it supports them. - -\begin{notice}{note}{Note:} -New in 1.15 -\end{notice} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_preauth\_list - Set preauthentication types in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:krb5-get-init-creds-opt-set-preauth-list-set-preauthentication-types-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list::doc}\index{krb5\_get\_init\_creds\_opt\_set\_preauth\_list (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_preauth_list:c.krb5_get_init_creds_opt_set_preauth_list}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_preauth\_list}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ preauth\_list}, int\emph{ preauth\_list\_length}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{preauth\_list} - Array of preauthentication types - -\textbf{{[}in{]}} \textbf{preauth\_list\_length} - Length of \emph{preauth\_list} - -\end{description}\end{quote} - -This function can be used to perform optimistic preauthentication when getting initial credentials, in combination with {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_salt:c.krb5_get_init_creds_opt_set_salt]{\code{krb5\_get\_init\_creds\_opt\_set\_salt()}}} and {\hyperref[appdev/refs/api/krb5_get_init_creds_opt_set_pa:c.krb5_get_init_creds_opt_set_pa]{\code{krb5\_get\_init\_creds\_opt\_set\_pa()}}} . - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_proxiable - Set or unset the proxiable flag in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:krb5-get-init-creds-opt-set-proxiable-set-or-unset-the-proxiable-flag-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_proxiable (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_proxiable:c.krb5_get_init_creds_opt_set_proxiable}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_proxiable}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, int\emph{ proxiable}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{proxiable} - Whether credentials should be proxiable - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_renew\_life - Set the ticket renewal lifetime in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life::doc}\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:krb5-get-init-creds-opt-set-renew-life-set-the-ticket-renewal-lifetime-in-initial-credential-options}\index{krb5\_get\_init\_creds\_opt\_set\_renew\_life (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_renew_life:c.krb5_get_init_creds_opt_set_renew_life}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_renew\_life}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ renew\_life}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Pointer to \emph{options} field - -\textbf{{[}in{]}} \textbf{renew\_life} - Ticket renewal lifetime - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_responder - Set the responder function in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder:krb5-get-init-creds-opt-set-responder-set-the-responder-function-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder::doc}\index{krb5\_get\_init\_creds\_opt\_set\_responder (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_responder:c.krb5_get_init_creds_opt_set_responder}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_opt\_set\_responder}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn]{krb5\_responder\_fn}}\emph{ responder}, void *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{responder} - Responder function - -\textbf{{[}in{]}} \textbf{data} - Responder data argument - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_salt - Set salt for optimistic preauthentication in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt:krb5-get-init-creds-opt-set-salt-set-salt-for-optimistic-preauthentication-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt::doc}\index{krb5\_get\_init\_creds\_opt\_set\_salt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_salt:c.krb5_get_init_creds_opt_set_salt}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_salt}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{salt} - Salt data - -\end{description}\end{quote} - -When getting initial credentials with a password, a salt string it used to convert the password to a key. Normally this salt is obtained from the first KDC reply, but when performing optimistic preauthentication, the client may need to supply the salt string with this function. - - -\subsubsection{krb5\_get\_init\_creds\_opt\_set\_tkt\_life - Set the ticket lifetime in initial credential options.} -\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:krb5-get-init-creds-opt-set-tkt-life-set-the-ticket-lifetime-in-initial-credential-options}\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life::doc}\index{krb5\_get\_init\_creds\_opt\_set\_tkt\_life (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_set_tkt_life:c.krb5_get_init_creds_opt_set_tkt_life}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_set\_tkt\_life}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ tkt\_life}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{opt} - Options structure - -\textbf{{[}in{]}} \textbf{tkt\_life} - Ticket lifetime - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_init\_creds\_password - Get initial credentials using a password.} -\label{appdev/refs/api/krb5_get_init_creds_password::doc}\label{appdev/refs/api/krb5_get_init_creds_password:krb5-get-init-creds-password-get-initial-credentials-using-a-password}\index{krb5\_get\_init\_creds\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_init\_creds\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, const char *\emph{ password}, {\hyperref[appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct]{krb5\_prompter\_fct}}\emph{ prompter}, void *\emph{ data}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, const char *\emph{ in\_tkt\_service}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ k5\_gic\_options}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{creds} - New credentials - -\textbf{{[}in{]}} \textbf{client} - Client principal - -\textbf{{[}in{]}} \textbf{password} - Password (or NULL) - -\textbf{{[}in{]}} \textbf{prompter} - Prompter function - -\textbf{{[}in{]}} \textbf{data} - Prompter callback data - -\textbf{{[}in{]}} \textbf{start\_time} - Time when ticket becomes valid (0 for now) - -\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Service name of initial credentials (or NULL) - -\textbf{{[}in{]}} \textbf{k5\_gic\_options} - Initial credential options - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -EINVAL Invalid argument - -\item {} -KRB5\_KDC\_UNREACH Cannot contact any KDC for requested realm - -\item {} -KRB5\_PREAUTH\_FAILED Generic Pre-athentication failure - -\item {} -KRB5\_LIBOS\_PWDINTR Password read interrupted - -\item {} -KRB5\_REALM\_CANT\_RESOLVE Cannot resolve network address for KDC in requested realm - -\item {} -KRB5KDC\_ERR\_KEY\_EXP Password has expired - -\item {} -KRB5\_LIBOS\_BADPWDMATCH Password mismatch - -\item {} -KRB5\_CHPW\_PWDNULL New password cannot be zero length - -\item {} -KRB5\_CHPW\_FAIL Password change failed - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function requests KDC for an initial credentials for \emph{client} using \emph{password} . If \emph{password} is NULL, a password will be prompted for using \emph{prompter} if necessary. If \emph{in\_tkt\_service} is specified, it is parsed as a principal name (with the realm ignored) and used as the service principal for the request; otherwise the ticket-granting service is used. - - -\subsubsection{krb5\_get\_profile - Retrieve configuration profile from the context.} -\label{appdev/refs/api/krb5_get_profile::doc}\label{appdev/refs/api/krb5_get_profile:krb5-get-profile-retrieve-configuration-profile-from-the-context}\index{krb5\_get\_profile (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_profile:c.krb5_get_profile}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_profile}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, struct \_profile\_t **\emph{ profile}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{profile} - Pointer to data read from a configuration file - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new \emph{profile} object that reflects profile in the supplied \emph{context} . - -The \emph{profile} object may be freed with profile\_release() function. See profile.h and profile API for more details. - - -\subsubsection{krb5\_get\_prompt\_types - Get prompt types array from a context.} -\label{appdev/refs/api/krb5_get_prompt_types::doc}\label{appdev/refs/api/krb5_get_prompt_types:krb5-get-prompt-types-get-prompt-types-array-from-a-context}\index{krb5\_get\_prompt\_types (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_prompt_types:c.krb5_get_prompt_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type]{krb5\_prompt\_type}} * \bfcode{krb5\_get\_prompt\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -Pointer to an array of prompt types corresponding to the prompter's prompts arguments. Each type has one of the following values: KRB5\_PROMPT\_TYPE\_PASSWORD KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN KRB5\_PROMPT\_TYPE\_PREAUTH - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_renewed\_creds - Get renewed credential from KDC using an existing credential.} -\label{appdev/refs/api/krb5_get_renewed_creds:krb5-get-renewed-creds-get-renewed-credential-from-kdc-using-an-existing-credential}\label{appdev/refs/api/krb5_get_renewed_creds::doc}\index{krb5\_get\_renewed\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_renewed_creds:c.krb5_get_renewed_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_renewed\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ in\_tkt\_service}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{creds} - Renewed credentials - -\textbf{{[}in{]}} \textbf{client} - Client principal name - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache - -\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Server principal string (or NULL) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function gets a renewed credential using an existing one from \emph{ccache} . If \emph{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. - -If successful, the renewed credential is placed in \emph{creds} . - - -\subsubsection{krb5\_get\_validated\_creds - Get validated credentials from the KDC.} -\label{appdev/refs/api/krb5_get_validated_creds:krb5-get-validated-creds-get-validated-credentials-from-the-kdc}\label{appdev/refs/api/krb5_get_validated_creds::doc}\index{krb5\_get\_validated\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_validated_creds:c.krb5_get_validated_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_validated\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ in\_tkt\_service}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{creds} - Validated credentials - -\textbf{{[}in{]}} \textbf{client} - Client principal name - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache - -\textbf{{[}in{]}} \textbf{in\_tkt\_service} - Server principal string (or NULL) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_NO\_2ND\_TKT Request missing second ticket - -\item {} -KRB5\_NO\_TKT\_SUPPLIED Request did not supply a ticket - -\item {} -KRB5\_PRINC\_NOMATCH Requested principal and ticket do not match - -\item {} -KRB5\_KDCREP\_MODIFIED KDC reply did not match expectations - -\item {} -KRB5\_KDCREP\_SKEW Clock skew too great in KDC reply - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function gets a validated credential using a postdated credential from \emph{ccache} . If \emph{in\_tkt\_service} is specified, it is parsed (with the realm part ignored) and used as the server principal of the credential; otherwise, the ticket-granting service is used. - -If successful, the validated credential is placed in \emph{creds} . - - -\subsubsection{krb5\_init\_context - Create a krb5 library context.} -\label{appdev/refs/api/krb5_init_context:krb5-init-context-create-a-krb5-library-context}\label{appdev/refs/api/krb5_init_context::doc}\index{krb5\_init\_context (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_context:c.krb5_init_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}out{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The \emph{context} must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. - -\begin{notice}{warning}{Warning:} -Any program or module that needs the Kerberos code to not trust the environment must use {\hyperref[appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context]{\code{krb5\_init\_secure\_context()}}} , or clean out the environment. -\end{notice} - - -\subsubsection{krb5\_init\_secure\_context - Create a krb5 library context using only configuration files.} -\label{appdev/refs/api/krb5_init_secure_context::doc}\label{appdev/refs/api/krb5_init_secure_context:krb5-init-secure-context-create-a-krb5-library-context-using-only-configuration-files}\index{krb5\_init\_secure\_context (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_secure_context:c.krb5_init_secure_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_secure\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}out{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Create a context structure, using only system configuration files. All information passed through the environment variables is ignored. - -The \emph{context} must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. - - -\subsubsection{krb5\_is\_config\_principal - Test whether a principal is a configuration principal.} -\label{appdev/refs/api/krb5_is_config_principal:krb5-is-config-principal-test-whether-a-principal-is-a-configuration-principal}\label{appdev/refs/api/krb5_is_config_principal::doc}\index{krb5\_is\_config\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_is_config_principal:c.krb5_is_config_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_config\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal to check - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if the principal is a configuration principal (generated part of krb5\_cc\_set\_config() ); FALSE otherwise. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_is\_thread\_safe - Test whether the Kerberos library was built with multithread support.} -\label{appdev/refs/api/krb5_is_thread_safe::doc}\label{appdev/refs/api/krb5_is_thread_safe:krb5-is-thread-safe-test-whether-the-kerberos-library-was-built-with-multithread-support}\index{krb5\_is\_thread\_safe (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_is_thread_safe:c.krb5_is_thread_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_thread\_safe}}{void\emph{ None}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{None} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if the library is threadsafe; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_close - Close a key table handle.} -\label{appdev/refs/api/krb5_kt_close:krb5-kt-close-close-a-key-table-handle}\label{appdev/refs/api/krb5_kt_close::doc}\index{krb5\_kt\_close (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_close:c.krb5_kt_close}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_close}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 None - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_client\_default - Resolve the default client key table.} -\label{appdev/refs/api/krb5_kt_client_default::doc}\label{appdev/refs/api/krb5_kt_client_default:krb5-kt-client-default-resolve-the-default-client-key-table}\index{krb5\_kt\_client\_default (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_client_default:c.krb5_kt_client_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_client\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ keytab\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{keytab\_out} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fill \emph{keytab\_out} with a handle to the default client key table. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_kt\_default - Resolve the default key table.} -\label{appdev/refs/api/krb5_kt_default:krb5-kt-default-resolve-the-default-key-table}\label{appdev/refs/api/krb5_kt_default::doc}\index{krb5\_kt\_default (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_default:c.krb5_kt_default}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_default}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ id}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{id} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Set \emph{id} to a handle to the default key table. The key table is not opened. - - -\subsubsection{krb5\_kt\_default\_name - Get the default key table name.} -\label{appdev/refs/api/krb5_kt_default_name::doc}\label{appdev/refs/api/krb5_kt_default_name:krb5-kt-default-name-get-the-default-key-table-name}\index{krb5\_kt\_default\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_default_name:c.krb5_kt_default_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ name}, int\emph{ name\_size}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{name} - Default key table name - -\textbf{{[}in{]}} \textbf{name\_size} - Space available in \emph{name} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_CONFIG\_NOTENUFSPACE Buffer is too short - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fill \emph{name} with the name of the default key table for \emph{context} . - - -\subsubsection{krb5\_kt\_dup - Duplicate keytab handle.} -\label{appdev/refs/api/krb5_kt_dup:krb5-kt-dup-duplicate-keytab-handle}\label{appdev/refs/api/krb5_kt_dup::doc}\index{krb5\_kt\_dup (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_dup:c.krb5_kt_dup}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_dup}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ in}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{in} - Key table handle to be duplicated - -\textbf{{[}out{]}} \textbf{out} - Key table handle - -\end{description}\end{quote} - -Create a new handle referring to the same key table as \emph{in} . The new handle and \emph{in} can be closed independently. - -\begin{notice}{note}{Note:} -New in 1.12 -\end{notice} - - -\subsubsection{krb5\_kt\_get\_name - Get a key table name.} -\label{appdev/refs/api/krb5_kt_get_name::doc}\label{appdev/refs/api/krb5_kt_get_name:krb5-kt-get-name-get-a-key-table-name}\index{krb5\_kt\_get\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_get_name:c.krb5_kt_get_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_get\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, char *\emph{ name}, unsigned int\emph{ namelen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\textbf{{[}out{]}} \textbf{name} - Key table name - -\textbf{{[}in{]}} \textbf{namelen} - Maximum length to fill in name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_KT\_NAME\_TOOLONG Key table name does not fit in namelen bytes - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fill \emph{name} with the name of \emph{keytab} including the type and delimiter. - - -\subsubsection{krb5\_kt\_get\_type - Return the type of a key table.} -\label{appdev/refs/api/krb5_kt_get_type:krb5-kt-get-type-return-the-type-of-a-key-table}\label{appdev/refs/api/krb5_kt_get_type::doc}\index{krb5\_kt\_get\_type (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_get_type:c.krb5_kt_get_type}\pysiglinewithargsret{const char * \bfcode{krb5\_kt\_get\_type}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -The type of a key table as an alias that must not be modified or freed by the caller. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_resolve - Get a handle for a key table.} -\label{appdev/refs/api/krb5_kt_resolve:krb5-kt-resolve-get-a-handle-for-a-key-table}\label{appdev/refs/api/krb5_kt_resolve::doc}\index{krb5\_kt\_resolve (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_resolve:c.krb5_kt_resolve}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_resolve}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}} *\emph{ ktid}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - Name of the key table - -\textbf{{[}out{]}} \textbf{ktid} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Resolve the key table name \emph{name} and set \emph{ktid} to a handle identifying the key table. Use {\hyperref[appdev/refs/api/krb5_kt_close:c.krb5_kt_close]{\code{krb5\_kt\_close()}}} to free \emph{ktid} when it is no longer needed. -\begin{quote} - -\emph{name} must be of the form \textbf{type:residual} , where \emph{type} must be a type known to the library and \emph{residual} portion should be specific to the particular keytab type. If no \emph{type} is given, the default is \textbf{FILE} . -\end{quote} - -If \emph{name} is of type \textbf{FILE} , the keytab file is not opened by this call. - - -\subsubsection{krb5\_kuserok - Determine if a principal is authorized to log in as a local user.} -\label{appdev/refs/api/krb5_kuserok:krb5-kuserok-determine-if-a-principal-is-authorized-to-log-in-as-a-local-user}\label{appdev/refs/api/krb5_kuserok::doc}\index{krb5\_kuserok (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kuserok:c.krb5_kuserok}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_kuserok}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, const char *\emph{ luser}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal name - -\textbf{{[}in{]}} \textbf{luser} - Local username - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE Principal is authorized to log in as user; FALSE otherwise. - -\end{itemize} - -\end{description}\end{quote} - -Determine whether \emph{principal} is authorized to log in as a local user \emph{luser} . - - -\subsubsection{krb5\_parse\_name - Convert a string principal name to a krb5\_principal structure.} -\label{appdev/refs/api/krb5_parse_name::doc}\label{appdev/refs/api/krb5_parse_name:krb5-parse-name-convert-a-string-principal-name-to-a-krb5-principal-structure}\index{krb5\_parse\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_parse_name:c.krb5_parse_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_parse\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - String representation of a principal name - -\textbf{{[}out{]}} \textbf{principal\_out} - New principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Convert a string representation of a principal name to a krb5\_principal structure. - -A string representation of a Kerberos name consists of one or more principal name components, separated by slashes, optionally followed by the @ character and a realm name. If the realm name is not specified, the local realm is used. - -To use the slash and @ symbols as part of a component (quoted) instead of using them as a component separator or as a realm prefix), put a backslash () character in front of the symbol. Similarly, newline, tab, backspace, and NULL characters can be included in a component by using \textbf{n} , \textbf{t} , \textbf{b} or \textbf{0} , respectively. - -Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal\_out} when it is no longer needed. - -\begin{notice}{note}{Note:} -The realm in a Kerberos \emph{name} cannot contain slash, colon, or NULL characters. -\end{notice} - - -\subsubsection{krb5\_parse\_name\_flags - Convert a string principal name to a krb5\_principal with flags.} -\label{appdev/refs/api/krb5_parse_name_flags:krb5-parse-name-flags-convert-a-string-principal-name-to-a-krb5-principal-with-flags}\label{appdev/refs/api/krb5_parse_name_flags::doc}\index{krb5\_parse\_name\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_parse_name_flags:c.krb5_parse_name_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_parse\_name\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, int\emph{ flags}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ principal\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - String representation of a principal name - -\textbf{{[}in{]}} \textbf{flags} - Flag - -\textbf{{[}out{]}} \textbf{principal\_out} - New principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Similar to {\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} , this function converts a single-string representation of a principal name to a krb5\_principal structure. - -The following flags are valid: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:KRB5_PRINCIPAL_PARSE_NO_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}}} - no realm must be present in \emph{name} - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:KRB5_PRINCIPAL_PARSE_REQUIRE_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}}} - realm must be present in \emph{name} - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:KRB5_PRINCIPAL_PARSE_ENTERPRISE]{\code{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}}} - create single-component enterprise principal - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:KRB5_PRINCIPAL_PARSE_IGNORE_REALM]{\code{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}}} - ignore realm if present in \emph{name} - -\end{itemize} - -If \textbf{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} or \textbf{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} is specified in \emph{flags} , the realm of the new principal will be empty. Otherwise, the default realm for \emph{context} will be used if \emph{name} does not specify a realm. -\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{principal\_out} when it is no longer needed. - - -\subsubsection{krb5\_principal\_compare - Compare two principals.} -\label{appdev/refs/api/krb5_principal_compare:krb5-principal-compare-compare-two-principals}\label{appdev/refs/api/krb5_principal_compare::doc}\index{krb5\_principal\_compare (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{princ1} - First principal - -\textbf{{[}in{]}} \textbf{princ2} - Second principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if the principals are the same; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_principal\_compare\_any\_realm - Compare two principals ignoring realm components.} -\label{appdev/refs/api/krb5_principal_compare_any_realm:krb5-principal-compare-any-realm-compare-two-principals-ignoring-realm-components}\label{appdev/refs/api/krb5_principal_compare_any_realm::doc}\index{krb5\_principal\_compare\_any\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_principal_compare_any_realm:c.krb5_principal_compare_any_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare\_any\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{princ1} - First principal - -\textbf{{[}in{]}} \textbf{princ2} - Second principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if the principals are the same; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - -Similar to {\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} , but do not compare the realm components of the principals. - - -\subsubsection{krb5\_principal\_compare\_flags - Compare two principals with additional flags.} -\label{appdev/refs/api/krb5_principal_compare_flags:krb5-principal-compare-flags-compare-two-principals-with-additional-flags}\label{appdev/refs/api/krb5_principal_compare_flags::doc}\index{krb5\_principal\_compare\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_principal_compare_flags:c.krb5_principal_compare_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_principal\_compare\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}, int\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{princ1} - First principal - -\textbf{{[}in{]}} \textbf{princ2} - Second principal - -\textbf{{[}in{]}} \textbf{flags} - Flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if the principal names are the same; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - -Valid flags are: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:KRB5_PRINCIPAL_COMPARE_IGNORE_REALM]{\code{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}}} - ignore realm component - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:KRB5_PRINCIPAL_COMPARE_ENTERPRISE]{\code{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}}} - UPNs as real principals - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:KRB5_PRINCIPAL_COMPARE_CASEFOLD]{\code{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}}} case-insensitive - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:KRB5_PRINCIPAL_COMPARE_UTF8]{\code{KRB5\_PRINCIPAL\_COMPARE\_UTF8}}} - treat principals as UTF-8 - -\end{itemize} - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_principal_compare:c.krb5_principal_compare]{\code{krb5\_principal\_compare()}}} - - - - -\subsubsection{krb5\_prompter\_posix - Prompt user for password.} -\label{appdev/refs/api/krb5_prompter_posix:krb5-prompter-posix-prompt-user-for-password}\label{appdev/refs/api/krb5_prompter_posix::doc}\index{krb5\_prompter\_posix (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_prompter_posix:c.krb5_prompter_posix}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_prompter\_posix}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, void *\emph{ data}, const char *\emph{ name}, const char *\emph{ banner}, int\emph{ num\_prompts}, {\hyperref[appdev/refs/types/krb5_prompt:c.krb5_prompt]{krb5\_prompt}}\emph{ prompts}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{data} - Unused (callback argument) - -\textbf{{[}in{]}} \textbf{name} - Name to output during prompt - -\textbf{{[}in{]}} \textbf{banner} - Banner to output during prompt - -\textbf{{[}in{]}} \textbf{num\_prompts} - Number of prompts in \emph{prompts} - -\textbf{{[}in{]}} \textbf{prompts} - Array of prompts and replies - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function is intended to be used as a prompter callback for {\hyperref[appdev/refs/api/krb5_get_init_creds_password:c.krb5_get_init_creds_password]{\code{krb5\_get\_init\_creds\_password()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . - -Writes \emph{name} and \emph{banner} to stdout, each followed by a newline, then writes each prompt field in the \emph{prompts} array, followed by'':'', and sets the reply field of the entry to a line of input read from stdin. If the hidden flag is set for a prompt, then terminal echoing is turned off when input is read. - - -\subsubsection{krb5\_realm\_compare - Compare the realms of two principals.} -\label{appdev/refs/api/krb5_realm_compare::doc}\label{appdev/refs/api/krb5_realm_compare:krb5-realm-compare-compare-the-realms-of-two-principals}\index{krb5\_realm\_compare (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_realm_compare:c.krb5_realm_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_realm\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ1}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ2}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{princ1} - First principal - -\textbf{{[}in{]}} \textbf{princ2} - Second principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if the realm names are the same; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_responder\_get\_challenge - Retrieve the challenge data for a given question in the responder context.} -\label{appdev/refs/api/krb5_responder_get_challenge:krb5-responder-get-challenge-retrieve-the-challenge-data-for-a-given-question-in-the-responder-context}\label{appdev/refs/api/krb5_responder_get_challenge::doc}\index{krb5\_responder\_get\_challenge (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge}\pysiglinewithargsret{const char * \bfcode{krb5\_responder\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ question}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{question} - Question name - -\end{description}\end{quote} - -Return a pointer to a C string containing the challenge for \emph{question} within \emph{rctx} , or NULL if the question is not present in \emph{rctx} . The structure of the question depends on the question name, but will always be printable UTF-8 text. The returned pointer is an alias, valid only as long as the lifetime of \emph{rctx} , and should not be modified or freed by the caller. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_list\_questions - List the question names contained in the responder context.} -\label{appdev/refs/api/krb5_responder_list_questions::doc}\label{appdev/refs/api/krb5_responder_list_questions:krb5-responder-list-questions-list-the-question-names-contained-in-the-responder-context}\index{krb5\_responder\_list\_questions (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions}\pysiglinewithargsret{const char *const * \bfcode{krb5\_responder\_list\_questions}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\end{description}\end{quote} - -Return a pointer to a null-terminated list of question names which are present in \emph{rctx} . The pointer is an alias, valid only as long as the lifetime of \emph{rctx} , and should not be modified or freed by the caller. A question's challenge can be retrieved using {\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} and answered using {\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} . - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_set\_answer - Answer a named question in the responder context.} -\label{appdev/refs/api/krb5_responder_set_answer:krb5-responder-set-answer-answer-a-named-question-in-the-responder-context}\label{appdev/refs/api/krb5_responder_set_answer::doc}\index{krb5\_responder\_set\_answer (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ question}, const char *\emph{ answer}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{question} - Question name - -\textbf{{[}in{]}} \textbf{answer} - The string to set (MUST be printable UTF-8) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -EINVAL question is not present within rctx - -\end{itemize} - -\end{description}\end{quote} - -This function supplies an answer to \emph{question} within \emph{rctx} . The appropriate form of the answer depends on the question name. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_otp\_get\_challenge - Decode the KRB5\_RESPONDER\_QUESTION\_OTP to a C struct.} -\label{appdev/refs/api/krb5_responder_otp_get_challenge:krb5-responder-otp-get-challenge-decode-the-krb5-responder-question-otp-to-a-c-struct}\label{appdev/refs/api/krb5_responder_otp_get_challenge::doc}\index{krb5\_responder\_otp\_get\_challenge (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_otp_get_challenge:c.krb5_responder_otp_get_challenge}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_otp\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge]{krb5\_responder\_otp\_challenge}} **\emph{ chl}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}out{]}} \textbf{chl} - Challenge structure - -\end{description}\end{quote} - -A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_OTP question challenge data, making it available in native C. The main feature of this function is the ability to interact with OTP tokens without parsing the JSON. - -The returned value must be passed to {\hyperref[appdev/refs/api/krb5_responder_otp_challenge_free:c.krb5_responder_otp_challenge_free]{\code{krb5\_responder\_otp\_challenge\_free()}}} to be freed. - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_otp\_set\_answer - Answer the KRB5\_RESPONDER\_QUESTION\_OTP question.} -\label{appdev/refs/api/krb5_responder_otp_set_answer:krb5-responder-otp-set-answer-answer-the-krb5-responder-question-otp-question}\label{appdev/refs/api/krb5_responder_otp_set_answer::doc}\index{krb5\_responder\_otp\_set\_answer (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_otp_set_answer:c.krb5_responder_otp_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_otp\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, size\_t\emph{ ti}, const char *\emph{ value}, const char *\emph{ pin}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{ti} - The index of the tokeninfo selected - -\textbf{{[}in{]}} \textbf{value} - The value to set, or NULL for none - -\textbf{{[}in{]}} \textbf{pin} - The pin to set, or NULL for none - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_otp\_challenge\_free - Free the value returned by krb5\_responder\_otp\_get\_challenge() .} -\label{appdev/refs/api/krb5_responder_otp_challenge_free:krb5-responder-otp-challenge-free-free-the-value-returned-by-krb5-responder-otp-get-challenge}\label{appdev/refs/api/krb5_responder_otp_challenge_free::doc}\index{krb5\_responder\_otp\_challenge\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_otp_challenge_free:c.krb5_responder_otp_challenge_free}\pysiglinewithargsret{void \bfcode{krb5\_responder\_otp\_challenge\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge]{krb5\_responder\_otp\_challenge}} *\emph{ chl}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{chl} - The challenge to free - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_responder\_pkinit\_get\_challenge - Decode the KRB5\_RESPONDER\_QUESTION\_PKINIT to a C struct.} -\label{appdev/refs/api/krb5_responder_pkinit_get_challenge:krb5-responder-pkinit-get-challenge-decode-the-krb5-responder-question-pkinit-to-a-c-struct}\label{appdev/refs/api/krb5_responder_pkinit_get_challenge::doc}\index{krb5\_responder\_pkinit\_get\_challenge (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_get_challenge:c.krb5_responder_pkinit_get_challenge}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_pkinit\_get\_challenge}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge]{krb5\_responder\_pkinit\_challenge}} **\emph{ chl\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}out{]}} \textbf{chl\_out} - Challenge structure - -\end{description}\end{quote} - -A convenience function which parses the KRB5\_RESPONDER\_QUESTION\_PKINIT question challenge data, making it available in native C. The main feature of this function is the ability to read the challenge without parsing the JSON. - -The returned value must be passed to {\hyperref[appdev/refs/api/krb5_responder_pkinit_challenge_free:c.krb5_responder_pkinit_challenge_free]{\code{krb5\_responder\_pkinit\_challenge\_free()}}} to be freed. - -\begin{notice}{note}{Note:} -New in 1.12 -\end{notice} - - -\subsubsection{krb5\_responder\_pkinit\_set\_answer - Answer the KRB5\_RESPONDER\_QUESTION\_PKINIT question for one identity.} -\label{appdev/refs/api/krb5_responder_pkinit_set_answer:krb5-responder-pkinit-set-answer-answer-the-krb5-responder-question-pkinit-question-for-one-identity}\label{appdev/refs/api/krb5_responder_pkinit_set_answer::doc}\index{krb5\_responder\_pkinit\_set\_answer (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_set_answer:c.krb5_responder_pkinit_set_answer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_responder\_pkinit\_set\_answer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, const char *\emph{ identity}, const char *\emph{ pin}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{identity} - The identity for which a PIN is being supplied - -\textbf{{[}in{]}} \textbf{pin} - The provided PIN, or NULL for none - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.12 -\end{notice} - - -\subsubsection{krb5\_responder\_pkinit\_challenge\_free - Free the value returned by krb5\_responder\_pkinit\_get\_challenge() .} -\label{appdev/refs/api/krb5_responder_pkinit_challenge_free:krb5-responder-pkinit-challenge-free-free-the-value-returned-by-krb5-responder-pkinit-get-challenge}\label{appdev/refs/api/krb5_responder_pkinit_challenge_free::doc}\index{krb5\_responder\_pkinit\_challenge\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_responder_pkinit_challenge_free:c.krb5_responder_pkinit_challenge_free}\pysiglinewithargsret{void \bfcode{krb5\_responder\_pkinit\_challenge\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_responder_context:c.krb5_responder_context]{krb5\_responder\_context}}\emph{ rctx}, {\hyperref[appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge]{krb5\_responder\_pkinit\_challenge}} *\emph{ chl}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{rctx} - Responder context - -\textbf{{[}in{]}} \textbf{chl} - The challenge to free - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.12 -\end{notice} - - -\subsubsection{krb5\_set\_default\_realm - Override the default realm for the specified context.} -\label{appdev/refs/api/krb5_set_default_realm::doc}\label{appdev/refs/api/krb5_set_default_realm:krb5-set-default-realm-override-the-default-realm-for-the-specified-context}\index{krb5\_set\_default\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_default_realm:c.krb5_set_default_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ lrealm}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{lrealm} - Realm name for the default realm - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If \emph{lrealm} is NULL, clear the default realm setting. - - -\subsubsection{krb5\_set\_password - Set a password for a principal using specified credentials.} -\label{appdev/refs/api/krb5_set_password:krb5-set-password-set-a-password-for-a-principal-using-specified-credentials}\label{appdev/refs/api/krb5_set_password::doc}\index{krb5\_set\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_password:c.krb5_set_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, const char *\emph{ newpw}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ change\_password\_for}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{creds} - Credentials for kadmin/changepw service - -\textbf{{[}in{]}} \textbf{newpw} - New password - -\textbf{{[}in{]}} \textbf{change\_password\_for} - Change the password for this principal - -\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server - -\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} - -\textbf{{[}out{]}} \textbf{result\_string} - Data returned from the remote system - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success and result\_code is set to KRB5\_KPASSWD\_SUCCESS . - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes. - -\end{itemize} - -\end{description}\end{quote} - -This function uses the credentials \emph{creds} to set the password \emph{newpw} for the principal \emph{change\_password\_for} . It implements the set password operation of RFC 3244, for interoperability with Microsoft Windows implementations. - -The error code and strings are returned in \emph{result\_code} , \emph{result\_code\_string} and \emph{result\_string} . - -\begin{notice}{note}{Note:} -If \emph{change\_password\_for} is NULL, the change is performed on the current principal. If \emph{change\_password\_for} is non-null, the change is performed on the principal name passed in \emph{change\_password\_for} . -\end{notice} - - -\subsubsection{krb5\_set\_password\_using\_ccache - Set a password for a principal using cached credentials.} -\label{appdev/refs/api/krb5_set_password_using_ccache:krb5-set-password-using-ccache-set-a-password-for-a-principal-using-cached-credentials}\label{appdev/refs/api/krb5_set_password_using_ccache::doc}\index{krb5\_set\_password\_using\_ccache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_password_using_ccache:c.krb5_set_password_using_ccache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_password\_using\_ccache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, const char *\emph{ newpw}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ change\_password\_for}, int *\emph{ result\_code}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_code\_string}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ result\_string}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache - -\textbf{{[}in{]}} \textbf{newpw} - New password - -\textbf{{[}in{]}} \textbf{change\_password\_for} - Change the password for this principal - -\textbf{{[}out{]}} \textbf{result\_code} - Numeric error code from server - -\textbf{{[}out{]}} \textbf{result\_code\_string} - String equivalent to \emph{result\_code} - -\textbf{{[}out{]}} \textbf{result\_string} - Data returned from the remote system - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function uses the cached credentials from \emph{ccache} to set the password \emph{newpw} for the principal \emph{change\_password\_for} . It implements RFC 3244 set password operation (interoperable with MS Windows implementations) using the credential cache. - -The error code and strings are returned in \emph{result\_code} , \emph{result\_code\_string} and \emph{result\_string} . - -\begin{notice}{note}{Note:} -If \emph{change\_password\_for} is set to NULL, the change is performed on the default principal in \emph{ccache} . If \emph{change\_password\_for} is non null, the change is performed on the specified principal. -\end{notice} - - -\subsubsection{krb5\_set\_principal\_realm - Set the realm field of a principal.} -\label{appdev/refs/api/krb5_set_principal_realm::doc}\label{appdev/refs/api/krb5_set_principal_realm:krb5-set-principal-realm-set-the-realm-field-of-a-principal}\index{krb5\_set\_principal\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_principal_realm:c.krb5_set_principal_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_principal\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, const char *\emph{ realm}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal name - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Set the realm name part of \emph{principal} to \emph{realm} , overwriting the previous realm. - - -\subsubsection{krb5\_set\_trace\_callback - Specify a callback function for trace events.} -\label{appdev/refs/api/krb5_set_trace_callback:krb5-set-trace-callback-specify-a-callback-function-for-trace-events}\label{appdev/refs/api/krb5_set_trace_callback::doc}\index{krb5\_set\_trace\_callback (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_trace_callback:c.krb5_set_trace_callback}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_trace\_callback}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback]{krb5\_trace\_callback}}\emph{ fn}, void *\emph{ cb\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{fn} - Callback function - -\textbf{{[}in{]}} \textbf{cb\_data} - Callback data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -Returns KRB5\_TRACE\_NOSUPP if tracing is not supported in the library (unless fn is NULL). - -\end{itemize} - -\end{description}\end{quote} - -Specify a callback for trace events occurring in krb5 operations performed within \emph{context} . \emph{fn} will be invoked with \emph{context} as the first argument, \emph{cb\_data} as the last argument, and a pointer to a krb5\_trace\_info as the second argument. If the trace callback is reset via this function or \emph{context} is destroyed, \emph{fn} will be invoked with a NULL second argument so it can clean up \emph{cb\_data} . Supply a NULL value for \emph{fn} to disable trace callbacks within \emph{context} . - -\begin{notice}{note}{Note:} -This function overrides the information passed through the \emph{KRB5\_TRACE} environment variable. -\end{notice} - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_set\_trace\_filename - Specify a file name for directing trace events.} -\label{appdev/refs/api/krb5_set_trace_filename:krb5-set-trace-filename-specify-a-file-name-for-directing-trace-events}\label{appdev/refs/api/krb5_set_trace_filename::doc}\index{krb5\_set\_trace\_filename (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_trace_filename:c.krb5_set_trace_filename}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_trace\_filename}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ filename}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{filename} - File name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -KRB5\_TRACE\_NOSUPP Tracing is not supported in the library. - -\end{itemize} - -\end{description}\end{quote} - -Open \emph{filename} for appending (creating it, if necessary) and set up a callback to write trace events to it. - -\begin{notice}{note}{Note:} -This function overrides the information passed through the \emph{KRB5\_TRACE} environment variable. -\end{notice} - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_sname\_match - Test whether a principal matches a matching principal.} -\label{appdev/refs/api/krb5_sname_match::doc}\label{appdev/refs/api/krb5_sname_match:krb5-sname-match-test-whether-a-principal-matches-a-matching-principal}\index{krb5\_sname\_match (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_sname_match:c.krb5_sname_match}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_sname\_match}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ matching}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{matching} - Matching principal - -\textbf{{[}in{]}} \textbf{princ} - Principal to test - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if princ matches matching , FALSE otherwise. - -\end{itemize} - -\end{description}\end{quote} - -If \emph{matching} is NULL, return TRUE. If \emph{matching} is not a matching principal, return the value of krb5\_principal\_compare(context, matching, princ). - -\begin{notice}{note}{Note:} -A matching principal is a host-based principal with an empty realm and/or second data component (hostname). Profile configuration may cause the hostname to be ignored even if it is present. A principal matches a matching principal if the former has the same non-empty (and non-ignored) components of the latter. -\end{notice} - - -\subsubsection{krb5\_sname\_to\_principal - Generate a full principal name from a service name.} -\label{appdev/refs/api/krb5_sname_to_principal:krb5-sname-to-principal-generate-a-full-principal-name-from-a-service-name}\label{appdev/refs/api/krb5_sname_to_principal::doc}\index{krb5\_sname\_to\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_sname_to_principal:c.krb5_sname_to_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_sname\_to\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ hostname}, const char *\emph{ sname}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ ret\_princ}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{hostname} - Host name, or NULL to use local host - -\textbf{{[}in{]}} \textbf{sname} - Service name, or NULL to use \textbf{``host''} - -\textbf{{[}in{]}} \textbf{type} - Principal type - -\textbf{{[}out{]}} \textbf{ret\_princ} - Generated principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function converts a \emph{hostname} and \emph{sname} into \emph{krb5\_principal} structure \emph{ret\_princ} . The returned principal will be of the form \emph{sname/hostname@REALM} where REALM is determined by {\hyperref[appdev/refs/api/krb5_get_host_realm:c.krb5_get_host_realm]{\code{krb5\_get\_host\_realm()}}} . In some cases this may be the referral (empty) realm. - -The \emph{type} can be one of the following: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST]{\code{KRB5\_NT\_SRV\_HST}}} canonicalizes the host name before looking up the realm and generating the principal. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_NT_UNKNOWN:KRB5_NT_UNKNOWN]{\code{KRB5\_NT\_UNKNOWN}}} accepts the hostname as given, and does not canonicalize it. - -\end{itemize} - -Use krb5\_free\_principal to free \emph{ret\_princ} when it is no longer needed. -\end{quote} - - -\subsubsection{krb5\_unparse\_name - Convert a krb5\_principal structure to a string representation.} -\label{appdev/refs/api/krb5_unparse_name:krb5-unparse-name-convert-a-krb5-principal-structure-to-a-string-representation}\label{appdev/refs/api/krb5_unparse_name::doc}\index{krb5\_unparse\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, register char **\emph{ name}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal - -\textbf{{[}out{]}} \textbf{name} - String representation of principal name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The resulting string representation uses the format and quoting conventions described for {\hyperref[appdev/refs/api/krb5_parse_name:c.krb5_parse_name]{\code{krb5\_parse\_name()}}} . - -Use {\hyperref[appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name]{\code{krb5\_free\_unparsed\_name()}}} to free \emph{name} when it is no longer needed. - - -\subsubsection{krb5\_unparse\_name\_ext - Convert krb5\_principal structure to string and length.} -\label{appdev/refs/api/krb5_unparse_name_ext:krb5-unparse-name-ext-convert-krb5-principal-structure-to-string-and-length}\label{appdev/refs/api/krb5_unparse_name_ext::doc}\index{krb5\_unparse\_name\_ext (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_unparse_name_ext:c.krb5_unparse_name_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, char **\emph{ name}, unsigned int *\emph{ size}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal - -\textbf{{[}inout{]}} \textbf{name} - String representation of principal name - -\textbf{{[}inout{]}} \textbf{size} - Size of unparsed name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes. On failure name is set to NULL - -\end{itemize} - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} , but allows the use of an existing buffer for the result. If size is not NULL, then \emph{name} must point to either NULL or an existing buffer of at least the size pointed to by \emph{size} . The buffer will be allocated or resized if necessary, with the new pointer stored into \emph{name} . Whether or not the buffer is resized, the necessary space for the result, including null terminator, will be stored into \emph{size} . - -If size is NULL, this function behaves exactly as {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} . - - -\subsubsection{krb5\_unparse\_name\_flags - Convert krb5\_principal structure to a string with flags.} -\label{appdev/refs/api/krb5_unparse_name_flags::doc}\label{appdev/refs/api/krb5_unparse_name_flags:krb5-unparse-name-flags-convert-krb5-principal-structure-to-a-string-with-flags}\index{krb5\_unparse\_name\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_unparse_name_flags:c.krb5_unparse_name_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, int\emph{ flags}, char **\emph{ name}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal - -\textbf{{[}in{]}} \textbf{flags} - Flags - -\textbf{{[}out{]}} \textbf{name} - String representation of principal name - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes. On failure name is set to NULL - -\end{itemize} - -\end{description}\end{quote} - -Similar to {\hyperref[appdev/refs/api/krb5_unparse_name:c.krb5_unparse_name]{\code{krb5\_unparse\_name()}}} , this function converts a krb5\_principal structure to a string representation. - -The following flags are valid: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:KRB5_PRINCIPAL_UNPARSE_SHORT]{\code{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}}} - omit realm if it is the local realm - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:KRB5_PRINCIPAL_UNPARSE_NO_REALM]{\code{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}}} - omit realm - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:KRB5_PRINCIPAL_UNPARSE_DISPLAY]{\code{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}}} - do not quote special characters - -\end{itemize} - -Use {\hyperref[appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name]{\code{krb5\_free\_unparsed\_name()}}} to free \emph{name} when it is no longer needed. -\end{quote} - - -\subsubsection{krb5\_unparse\_name\_flags\_ext - Convert krb5\_principal structure to string format with flags.} -\label{appdev/refs/api/krb5_unparse_name_flags_ext:krb5-unparse-name-flags-ext-convert-krb5-principal-structure-to-string-format-with-flags}\label{appdev/refs/api/krb5_unparse_name_flags_ext::doc}\index{krb5\_unparse\_name\_flags\_ext (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_unparse_name_flags_ext:c.krb5_unparse_name_flags_ext}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_unparse\_name\_flags\_ext}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, int\emph{ flags}, char **\emph{ name}, unsigned int *\emph{ size}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{principal} - Principal - -\textbf{{[}in{]}} \textbf{flags} - Flags - -\textbf{{[}out{]}} \textbf{name} - Single string format of principal name - -\textbf{{[}out{]}} \textbf{size} - Size of unparsed name buffer - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes. On failure name is set to NULL - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_us\_timeofday - Retrieve the system time of day, in sec and ms, since the epoch.} -\label{appdev/refs/api/krb5_us_timeofday:krb5-us-timeofday-retrieve-the-system-time-of-day-in-sec-and-ms-since-the-epoch}\label{appdev/refs/api/krb5_us_timeofday::doc}\index{krb5\_us\_timeofday (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_us_timeofday:c.krb5_us_timeofday}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_us\_timeofday}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ microseconds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{seconds} - System timeofday, seconds portion - -\textbf{{[}out{]}} \textbf{microseconds} - System timeofday, microseconds portion - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function retrieves the system time of day with the context specific time offset adjustment. - - -\subsubsection{krb5\_verify\_authdata\_kdc\_issued - Unwrap and verify AD-KDCIssued authorization data.} -\label{appdev/refs/api/krb5_verify_authdata_kdc_issued:krb5-verify-authdata-kdc-issued-unwrap-and-verify-ad-kdcissued-authorization-data}\label{appdev/refs/api/krb5_verify_authdata_kdc_issued::doc}\index{krb5\_verify\_authdata\_kdc\_issued (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_verify_authdata_kdc_issued:c.krb5_verify_authdata_kdc_issued}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_authdata\_kdc\_issued}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, const {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *\emph{ ad\_kdcissued}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ issuer}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ authdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Session key - -\textbf{{[}in{]}} \textbf{ad\_kdcissued} - AD-KDCIssued authorization data to be unwrapped - -\textbf{{[}out{]}} \textbf{issuer} - Name of issuing principal (or NULL) - -\textbf{{[}out{]}} \textbf{authdata} - Unwrapped list of authorization data - -\end{description}\end{quote} - -This function unwraps an AD-KDCIssued authdatum (see RFC 4120 section 5.2.6.2) and verifies its signature against \emph{key} . The issuer field of the authdatum element is returned in \emph{issuer} , and the unwrapped list of authdata is returned in \emph{authdata} . - - -\subsection{Rarely used public interfaces} -\label{appdev/refs/api/index:rarely-used-public-interfaces} - -\subsubsection{krb5\_425\_conv\_principal - Convert a Kerberos V4 principal to a Kerberos V5 principal.} -\label{appdev/refs/api/krb5_425_conv_principal:krb5-425-conv-principal-convert-a-kerberos-v4-principal-to-a-kerberos-v5-principal}\label{appdev/refs/api/krb5_425_conv_principal::doc}\index{krb5\_425\_conv\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_425_conv_principal:c.krb5_425_conv_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_425\_conv\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}, const char *\emph{ instance}, const char *\emph{ realm}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - V4 name - -\textbf{{[}in{]}} \textbf{instance} - V4 instance - -\textbf{{[}in{]}} \textbf{realm} - Realm - -\textbf{{[}out{]}} \textbf{princ} - V5 principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function builds a \emph{princ} from V4 specification based on given input \emph{name.instance@realm} . - -Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{princ} when it is no longer needed. - - -\subsubsection{krb5\_524\_conv\_principal - Convert a Kerberos V5 principal to a Kerberos V4 principal.} -\label{appdev/refs/api/krb5_524_conv_principal:krb5-524-conv-principal-convert-a-kerberos-v5-principal-to-a-kerberos-v4-principal}\label{appdev/refs/api/krb5_524_conv_principal::doc}\index{krb5\_524\_conv\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_524_conv_principal:c.krb5_524_conv_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_524\_conv\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ princ}, char *\emph{ name}, char *\emph{ inst}, char *\emph{ realm}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{princ} - V5 Principal - -\textbf{{[}out{]}} \textbf{name} - V4 principal's name to be filled in - -\textbf{{[}out{]}} \textbf{inst} - V4 principal's instance name to be filled in - -\textbf{{[}out{]}} \textbf{realm} - Principal's realm name to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_INVALID\_PRINCIPAL Invalid principal name - -\item {} -KRB5\_CONFIG\_CANTOPEN Can't open or find Kerberos configuration file - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function separates a V5 principal \emph{princ} into \emph{name} , \emph{instance} , and \emph{realm} . - - -\subsubsection{krb5\_address\_compare - Compare two Kerberos addresses.} -\label{appdev/refs/api/krb5_address_compare:krb5-address-compare-compare-two-kerberos-addresses}\label{appdev/refs/api/krb5_address_compare::doc}\index{krb5\_address\_compare (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_address_compare:c.krb5_address_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_address\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr1}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr2}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{addr1} - First address to be compared - -\textbf{{[}in{]}} \textbf{addr2} - Second address to be compared - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if the addresses are the same, FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_address\_order - Return an ordering of the specified addresses.} -\label{appdev/refs/api/krb5_address_order:krb5-address-order-return-an-ordering-of-the-specified-addresses}\label{appdev/refs/api/krb5_address_order::doc}\index{krb5\_address\_order (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_address_order:c.krb5_address_order}\pysiglinewithargsret{int \bfcode{krb5\_address\_order}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr1}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr2}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{addr1} - First address - -\textbf{{[}in{]}} \textbf{addr2} - Second address - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 The two addresses are the same - -\item {} -\textless{} 0 First address is less than second - -\item {} -\textgreater{} 0 First address is greater than second - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_address\_search - Search a list of addresses for a specified address.} -\label{appdev/refs/api/krb5_address_search:krb5-address-search-search-a-list-of-addresses-for-a-specified-address}\label{appdev/refs/api/krb5_address_search::doc}\index{krb5\_address\_search (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_address_search:c.krb5_address_search}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_address\_search}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrlist}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{addr} - Address to search for - -\textbf{{[}in{]}} \textbf{addrlist} - Address list to be searched (or NULL) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if addr is listed in addrlist , or addrlist is NULL; FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -If \emph{addrlist} contains only a NetBIOS addresses, it will be treated as a null list. -\end{notice} - - -\subsubsection{krb5\_allow\_weak\_crypto - Allow the appplication to override the profile's allow\_weak\_crypto setting.} -\label{appdev/refs/api/krb5_allow_weak_crypto::doc}\label{appdev/refs/api/krb5_allow_weak_crypto:krb5-allow-weak-crypto-allow-the-appplication-to-override-the-profile-s-allow-weak-crypto-setting}\index{krb5\_allow\_weak\_crypto (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_allow_weak_crypto:c.krb5_allow_weak_crypto}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_allow\_weak\_crypto}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ enable}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enable} - Boolean flag - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -This function allows an application to override the allow\_weak\_crypto setting. It is primarily for use by aklog. - - -\subsubsection{krb5\_aname\_to\_localname - Convert a principal name to a local name.} -\label{appdev/refs/api/krb5_aname_to_localname::doc}\label{appdev/refs/api/krb5_aname_to_localname:krb5-aname-to-localname-convert-a-principal-name-to-a-local-name}\index{krb5\_aname\_to\_localname (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_aname_to_localname:c.krb5_aname_to_localname}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_aname\_to\_localname}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ aname}, int\emph{ lnsize\_in}, char *\emph{ lname}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{aname} - Principal name - -\textbf{{[}in{]}} \textbf{lnsize\_in} - Space available in \emph{lname} - -\textbf{{[}out{]}} \textbf{lname} - Local name buffer to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -System errors - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If \emph{aname} does not correspond to any local account, KRB5\_LNAME\_NOTRANS is returned. If \emph{lnsize\_in} is too small for the local name, KRB5\_CONFIG\_NOTENUFSPACE is returned. - -Local names, rather than principal names, can be used by programs that translate to an environment-specific name (for example, a user account name). - - -\subsubsection{krb5\_anonymous\_principal - Build an anonymous principal.} -\label{appdev/refs/api/krb5_anonymous_principal:krb5-anonymous-principal-build-an-anonymous-principal}\label{appdev/refs/api/krb5_anonymous_principal::doc}\index{krb5\_anonymous\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_anonymous_principal:c.krb5_anonymous_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}} \bfcode{krb5\_anonymous\_principal}}{void\emph{ None}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{None} - -\end{description}\end{quote} - -This function returns constant storage that must not be freed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:KRB5_ANONYMOUS_PRINCSTR]{\code{KRB5\_ANONYMOUS\_PRINCSTR}}} - - - - -\subsubsection{krb5\_anonymous\_realm - Return an anonymous realm data.} -\label{appdev/refs/api/krb5_anonymous_realm::doc}\label{appdev/refs/api/krb5_anonymous_realm:krb5-anonymous-realm-return-an-anonymous-realm-data}\index{krb5\_anonymous\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_anonymous_realm:c.krb5_anonymous_realm}\pysiglinewithargsret{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_anonymous\_realm}}{void\emph{ None}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{None} - -\end{description}\end{quote} - -This function returns constant storage that must not be freed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:KRB5_ANONYMOUS_REALMSTR]{\code{KRB5\_ANONYMOUS\_REALMSTR}}} - - - - -\subsubsection{krb5\_appdefault\_boolean - Retrieve a boolean value from the appdefaults section of krb5.conf.} -\label{appdev/refs/api/krb5_appdefault_boolean::doc}\label{appdev/refs/api/krb5_appdefault_boolean:krb5-appdefault-boolean-retrieve-a-boolean-value-from-the-appdefaults-section-of-krb5-conf}\index{krb5\_appdefault\_boolean (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_appdefault_boolean:c.krb5_appdefault_boolean}\pysiglinewithargsret{void \bfcode{krb5\_appdefault\_boolean}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ appname}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, const char *\emph{ option}, int\emph{ default\_value}, int *\emph{ ret\_value}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{appname} - Application name - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\textbf{{[}in{]}} \textbf{option} - Option to be checked - -\textbf{{[}in{]}} \textbf{default\_value} - Default value to return if no match is found - -\textbf{{[}out{]}} \textbf{ret\_value} - Boolean value of \emph{option} - -\end{description}\end{quote} - -This function gets the application defaults for \emph{option} based on the given \emph{appname} and/or \emph{realm} . - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_appdefault_string:c.krb5_appdefault_string]{\code{krb5\_appdefault\_string()}}} - - - - -\subsubsection{krb5\_appdefault\_string - Retrieve a string value from the appdefaults section of krb5.conf.} -\label{appdev/refs/api/krb5_appdefault_string::doc}\label{appdev/refs/api/krb5_appdefault_string:krb5-appdefault-string-retrieve-a-string-value-from-the-appdefaults-section-of-krb5-conf}\index{krb5\_appdefault\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_appdefault_string:c.krb5_appdefault_string}\pysiglinewithargsret{void \bfcode{krb5\_appdefault\_string}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ appname}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, const char *\emph{ option}, const char *\emph{ default\_value}, char **\emph{ ret\_value}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{appname} - Application name - -\textbf{{[}in{]}} \textbf{realm} - Realm name - -\textbf{{[}in{]}} \textbf{option} - Option to be checked - -\textbf{{[}in{]}} \textbf{default\_value} - Default value to return if no match is found - -\textbf{{[}out{]}} \textbf{ret\_value} - String value of \emph{option} - -\end{description}\end{quote} - -This function gets the application defaults for \emph{option} based on the given \emph{appname} and/or \emph{realm} . - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_appdefault_boolean:c.krb5_appdefault_boolean]{\code{krb5\_appdefault\_boolean()}}} - - - - -\subsubsection{krb5\_auth\_con\_free - Free a krb5\_auth\_context structure.} -\label{appdev/refs/api/krb5_auth_con_free:krb5-auth-con-free-free-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_free::doc}\index{krb5\_auth\_con\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_free:c.krb5_auth_con_free}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context to be freed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -This function frees an auth context allocated by {\hyperref[appdev/refs/api/krb5_auth_con_init:c.krb5_auth_con_init]{\code{krb5\_auth\_con\_init()}}} . - - -\subsubsection{krb5\_auth\_con\_genaddrs - Generate auth context addresses from a connected socket.} -\label{appdev/refs/api/krb5_auth_con_genaddrs::doc}\label{appdev/refs/api/krb5_auth_con_genaddrs:krb5-auth-con-genaddrs-generate-auth-context-addresses-from-a-connected-socket}\index{krb5\_auth\_con\_genaddrs (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_genaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, int\emph{ infd}, int\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{infd} - Connected socket descriptor - -\textbf{{[}in{]}} \textbf{flags} - Flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the local and/or remote addresses in \emph{auth\_context} based on the local and remote endpoints of the socket \emph{infd} . The following flags determine the operations performed: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}}} Generate local address. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}}} Generate remote address. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}}} Generate local address and port. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR]{\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}}} Generate remote address and port. - -\end{itemize} - - -\subsubsection{krb5\_auth\_con\_get\_checksum\_func - Get the checksum callback from an auth context.} -\label{appdev/refs/api/krb5_auth_con_get_checksum_func::doc}\label{appdev/refs/api/krb5_auth_con_get_checksum_func:krb5-auth-con-get-checksum-func-get-the-checksum-callback-from-an-auth-context}\index{krb5\_auth\_con\_get\_checksum\_func (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_get_checksum_func:c.krb5_auth_con_get_checksum_func}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_get\_checksum\_func}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func]{krb5\_mk\_req\_checksum\_func}} *\emph{ func}, void **\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{func} - Checksum callback - -\textbf{{[}out{]}} \textbf{data} - Callback argument - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_auth\_con\_getaddrs - Retrieve address fields from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getaddrs:krb5-auth-con-getaddrs-retrieve-address-fields-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getaddrs::doc}\index{krb5\_auth\_con\_getaddrs (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getaddrs:c.krb5_auth_con_getaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ local\_addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ remote\_addr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{local\_addr} - Local address (NULL if not needed) - -\textbf{{[}out{]}} \textbf{remote\_addr} - Remote address (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_auth\_con\_getauthenticator - Retrieve the authenticator from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getauthenticator:krb5-auth-con-getauthenticator-retrieve-the-authenticator-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getauthenticator::doc}\index{krb5\_auth\_con\_getauthenticator (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getauthenticator:c.krb5_auth_con_getauthenticator}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getauthenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} **\emph{ authenticator}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{authenticator} - Authenticator - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success. Otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator]{\code{krb5\_free\_authenticator()}}} to free \emph{authenticator} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_getflags - Retrieve flags from a krb5\_auth\_context structure.} -\label{appdev/refs/api/krb5_auth_con_getflags:krb5-auth-con-getflags-retrieve-flags-from-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_getflags::doc}\index{krb5\_auth\_con\_getflags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getflags:c.krb5_auth_con_getflags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getflags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{flags} - Flags bit mask - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -Valid values for \emph{flags} are: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} Use timestamps - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} Save timestamps - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} Use sequence numbers - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} Save sequence numbers - -\end{itemize} - - -\subsubsection{krb5\_auth\_con\_getkey - Retrieve the session key from an auth context as a keyblock.} -\label{appdev/refs/api/krb5_auth_con_getkey::doc}\label{appdev/refs/api/krb5_auth_con_getkey:krb5-auth-con-getkey-retrieve-the-session-key-from-an-auth-context-as-a-keyblock}\index{krb5\_auth\_con\_getkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getkey:c.krb5_auth_con_getkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{keyblock} - Session key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success. Otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a keyblock containing the session key from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed - - -\subsubsection{krb5\_auth\_con\_getkey\_k - Retrieve the session key from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getkey_k:krb5-auth-con-getkey-k-retrieve-the-session-key-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getkey_k::doc}\index{krb5\_auth\_con\_getkey\_k (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getkey_k:c.krb5_auth_con_getkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{key} - Session key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -This function sets \emph{key} to the session key from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_getlocalseqnumber - Retrieve the local sequence number from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber::doc}\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber:krb5-auth-con-getlocalseqnumber-retrieve-the-local-sequence-number-from-an-auth-context}\index{krb5\_auth\_con\_getlocalseqnumber (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getlocalseqnumber:c.krb5_auth_con_getlocalseqnumber}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getlocalseqnumber}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ seqnumber}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{seqnumber} - Local sequence number - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Retrieve the local sequence number from \emph{auth\_context} and return it in \emph{seqnumber} . The {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag must be set in \emph{auth\_context} for this function to be useful. - - -\subsubsection{krb5\_auth\_con\_getrcache - Retrieve the replay cache from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getrcache:krb5-auth-con-getrcache-retrieve-the-replay-cache-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getrcache::doc}\index{krb5\_auth\_con\_getrcache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getrcache:c.krb5_auth_con_getrcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}} *\emph{ rcache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{rcache} - Replay cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -This function fetches the replay cache from \emph{auth\_context} . The caller should not close \emph{rcache} . - - -\subsubsection{krb5\_auth\_con\_getrecvsubkey - Retrieve the receiving subkey from an auth context as a keyblock.} -\label{appdev/refs/api/krb5_auth_con_getrecvsubkey:krb5-auth-con-getrecvsubkey-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getrecvsubkey::doc}\index{krb5\_auth\_con\_getrecvsubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getrecvsubkey:c.krb5_auth_con_getrecvsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrecvsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}out{]}} \textbf{keyblock} - Receiving subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a keyblock containing the receiving subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_getrecvsubkey\_k - Retrieve the receiving subkey from an auth context as a keyblock.} -\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:krb5-auth-con-getrecvsubkey-k-retrieve-the-receiving-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k::doc}\index{krb5\_auth\_con\_getrecvsubkey\_k (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getrecvsubkey_k:c.krb5_auth_con_getrecvsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getrecvsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}out{]}} \textbf{key} - Receiving subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets \emph{key} to the receiving subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_getremoteseqnumber - Retrieve the remote sequence number from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber:krb5-auth-con-getremoteseqnumber-retrieve-the-remote-sequence-number-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber::doc}\index{krb5\_auth\_con\_getremoteseqnumber (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getremoteseqnumber:c.krb5_auth_con_getremoteseqnumber}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getremoteseqnumber}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ seqnumber}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{seqnumber} - Remote sequence number - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Retrieve the remote sequence number from \emph{auth\_context} and return it in \emph{seqnumber} . The {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag must be set in \emph{auth\_context} for this function to be useful. - - -\subsubsection{krb5\_auth\_con\_getsendsubkey - Retrieve the send subkey from an auth context as a keyblock.} -\label{appdev/refs/api/krb5_auth_con_getsendsubkey:krb5-auth-con-getsendsubkey-retrieve-the-send-subkey-from-an-auth-context-as-a-keyblock}\label{appdev/refs/api/krb5_auth_con_getsendsubkey::doc}\index{krb5\_auth\_con\_getsendsubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getsendsubkey:c.krb5_auth_con_getsendsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getsendsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}out{]}} \textbf{keyblock} - Send subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a keyblock containing the send subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{keyblock} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_getsendsubkey\_k - Retrieve the send subkey from an auth context.} -\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k:krb5-auth-con-getsendsubkey-k-retrieve-the-send-subkey-from-an-auth-context}\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k::doc}\index{krb5\_auth\_con\_getsendsubkey\_k (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getsendsubkey_k:c.krb5_auth_con_getsendsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getsendsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}out{]}} \textbf{key} - Send subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets \emph{key} to the send subkey from \emph{auth\_context} . Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to release \emph{key} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_init - Create and initialize an authentication context.} -\label{appdev/refs/api/krb5_auth_con_init:krb5-auth-con-init-create-and-initialize-an-authentication-context}\label{appdev/refs/api/krb5_auth_con_init::doc}\index{krb5\_auth\_con\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_init:c.krb5_auth_con_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{auth\_context} - Authentication context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates an authentication context to hold configuration and state relevant to krb5 functions for authenticating principals and protecting messages once authentication has occurred. - -By default, flags for the context are set to enable the use of the replay cache ( {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} ), but not sequence numbers. Use {\hyperref[appdev/refs/api/krb5_auth_con_setflags:c.krb5_auth_con_setflags]{\code{krb5\_auth\_con\_setflags()}}} to change the flags. - -The allocated \emph{auth\_context} must be freed with {\hyperref[appdev/refs/api/krb5_auth_con_free:c.krb5_auth_con_free]{\code{krb5\_auth\_con\_free()}}} when it is no longer needed. - - -\subsubsection{krb5\_auth\_con\_set\_checksum\_func - Set a checksum callback in an auth context.} -\label{appdev/refs/api/krb5_auth_con_set_checksum_func:krb5-auth-con-set-checksum-func-set-a-checksum-callback-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_set_checksum_func::doc}\index{krb5\_auth\_con\_set\_checksum\_func (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_set_checksum_func:c.krb5_auth_con_set_checksum_func}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_set\_checksum\_func}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func]{krb5\_mk\_req\_checksum\_func}}\emph{ func}, void *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{func} - Checksum callback - -\textbf{{[}in{]}} \textbf{data} - Callback argument - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -Set a callback to obtain checksum data in {\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} . The callback will be invoked after the subkey and local sequence number are stored in \emph{auth\_context} . - - -\subsubsection{krb5\_auth\_con\_set\_req\_cksumtype - Set checksum type in an an auth context.} -\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype:krb5-auth-con-set-req-cksumtype-set-checksum-type-in-an-an-auth-context}\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype::doc}\index{krb5\_auth\_con\_set\_req\_cksumtype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_set_req_cksumtype:c.krb5_auth_con_set_req_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_set\_req\_cksumtype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success. Otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the checksum type in \emph{auth\_context} to be used by {\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} for the authenticator checksum. - - -\subsubsection{krb5\_auth\_con\_setaddrs - Set the local and remote addresses in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setaddrs::doc}\label{appdev/refs/api/krb5_auth_con_setaddrs:krb5-auth-con-setaddrs-set-the-local-and-remote-addresses-in-an-auth-context}\index{krb5\_auth\_con\_setaddrs (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setaddrs:c.krb5_auth_con_setaddrs}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setaddrs}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ local\_addr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ remote\_addr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{local\_addr} - Local address - -\textbf{{[}in{]}} \textbf{remote\_addr} - Remote address - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function releases the storage assigned to the contents of the local and remote addresses of \emph{auth\_context} and then sets them to \emph{local\_addr} and \emph{remote\_addr} respectively. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs]{\code{krb5\_auth\_con\_genaddrs()}}} - - - - -\subsubsection{krb5\_auth\_con\_setflags - Set a flags field in a krb5\_auth\_context structure.} -\label{appdev/refs/api/krb5_auth_con_setflags:krb5-auth-con-setflags-set-a-flags-field-in-a-krb5-auth-context-structure}\label{appdev/refs/api/krb5_auth_con_setflags::doc}\index{krb5\_auth\_con\_setflags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setflags:c.krb5_auth_con_setflags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setflags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{flags} - Flags bit mask - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -Valid values for \emph{flags} are: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} Use timestamps - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} Save timestamps - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} Use sequence numbers - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} Save sequence numbers - -\end{itemize} - - -\subsubsection{krb5\_auth\_con\_setports - Set local and remote port fields in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setports:krb5-auth-con-setports-set-local-and-remote-port-fields-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_setports::doc}\index{krb5\_auth\_con\_setports (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setports:c.krb5_auth_con_setports}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setports}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ local\_port}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *\emph{ remote\_port}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{local\_port} - Local port - -\textbf{{[}in{]}} \textbf{remote\_port} - Remote port - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function releases the storage assigned to the contents of the local and remote ports of \emph{auth\_context} and then sets them to \emph{local\_port} and \emph{remote\_port} respectively. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_auth_con_genaddrs:c.krb5_auth_con_genaddrs]{\code{krb5\_auth\_con\_genaddrs()}}} - - - - -\subsubsection{krb5\_auth\_con\_setrcache - Set the replay cache in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setrcache::doc}\label{appdev/refs/api/krb5_auth_con_setrcache:krb5-auth-con-setrcache-set-the-replay-cache-in-an-auth-context}\index{krb5\_auth\_con\_setrcache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setrcache:c.krb5_auth_con_setrcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}}\emph{ rcache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{rcache} - Replay cache haddle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the replay cache in \emph{auth\_context} to \emph{rcache} . \emph{rcache} will be closed when \emph{auth\_context} is freed, so the caller should relinguish that responsibility. - - -\subsubsection{krb5\_auth\_con\_setrecvsubkey - Set the receiving subkey in an auth context with a keyblock.} -\label{appdev/refs/api/krb5_auth_con_setrecvsubkey:krb5-auth-con-setrecvsubkey-set-the-receiving-subkey-in-an-auth-context-with-a-keyblock}\label{appdev/refs/api/krb5_auth_con_setrecvsubkey::doc}\index{krb5\_auth\_con\_setrecvsubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setrecvsubkey:c.krb5_auth_con_setrecvsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrecvsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}in{]}} \textbf{keyblock} - Receiving subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the receiving subkey in \emph{ac} to a copy of \emph{keyblock} . - - -\subsubsection{krb5\_auth\_con\_setrecvsubkey\_k - Set the receiving subkey in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k::doc}\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:krb5-auth-con-setrecvsubkey-k-set-the-receiving-subkey-in-an-auth-context}\index{krb5\_auth\_con\_setrecvsubkey\_k (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setrecvsubkey_k:c.krb5_auth_con_setrecvsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setrecvsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}in{]}} \textbf{key} - Receiving subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the receiving subkey in \emph{ac} to \emph{key} , incrementing its reference count. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_auth\_con\_setsendsubkey - Set the send subkey in an auth context with a keyblock.} -\label{appdev/refs/api/krb5_auth_con_setsendsubkey::doc}\label{appdev/refs/api/krb5_auth_con_setsendsubkey:krb5-auth-con-setsendsubkey-set-the-send-subkey-in-an-auth-context-with-a-keyblock}\index{krb5\_auth\_con\_setsendsubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setsendsubkey:c.krb5_auth_con_setsendsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setsendsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}in{]}} \textbf{keyblock} - Send subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success. Otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the send subkey in \emph{ac} to a copy of \emph{keyblock} . - - -\subsubsection{krb5\_auth\_con\_setsendsubkey\_k - Set the send subkey in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k:krb5-auth-con-setsendsubkey-k-set-the-send-subkey-in-an-auth-context}\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k::doc}\index{krb5\_auth\_con\_setsendsubkey\_k (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setsendsubkey_k:c.krb5_auth_con_setsendsubkey_k}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setsendsubkey\_k}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ ac}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{ac} - Authentication context - -\textbf{{[}out{]}} \textbf{key} - Send subkey - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the send subkey in \emph{ac} to \emph{key} , incrementing its reference count. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_auth\_con\_setuseruserkey - Set the session key in an auth context.} -\label{appdev/refs/api/krb5_auth_con_setuseruserkey::doc}\label{appdev/refs/api/krb5_auth_con_setuseruserkey:krb5-auth-con-setuseruserkey-set-the-session-key-in-an-auth-context}\index{krb5\_auth\_con\_setuseruserkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_setuseruserkey:c.krb5_auth_con_setuseruserkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_setuseruserkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{keyblock} - User key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_cc\_cache\_match - Find a credential cache with a specified client principal.} -\label{appdev/refs/api/krb5_cc_cache_match:krb5-cc-cache-match-find-a-credential-cache-with-a-specified-client-principal}\label{appdev/refs/api/krb5_cc_cache_match::doc}\index{krb5\_cc\_cache\_match (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_cache_match:c.krb5_cc_cache_match}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_cache\_match}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{client} - Client principal - -\textbf{{[}out{]}} \textbf{cache\_out} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_CC\_NOTFOUND None - -\end{itemize} - -\end{description}\end{quote} - -Find a cache within the collection whose default principal is \emph{client} . Use \emph{krb5\_cc\_close} to close \emph{ccache} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_cc\_copy\_creds - Copy a credential cache.} -\label{appdev/refs/api/krb5_cc_copy_creds::doc}\label{appdev/refs/api/krb5_cc_copy_creds:krb5-cc-copy-creds-copy-a-credential-cache}\index{krb5\_cc\_copy\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_copy_creds:c.krb5_cc_copy_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_copy\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ incc}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ outcc}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{incc} - Credential cache to be copied - -\textbf{{[}out{]}} \textbf{outcc} - Copy of credential cache to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_cc\_end\_seq\_get - Finish a series of sequential processing credential cache entries.} -\label{appdev/refs/api/krb5_cc_end_seq_get:krb5-cc-end-seq-get-finish-a-series-of-sequential-processing-credential-cache-entries}\label{appdev/refs/api/krb5_cc_end_seq_get::doc}\index{krb5\_cc\_end\_seq\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_end\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 (always) - -\end{itemize} - -\end{description}\end{quote} - -This function finishes processing credential cache entries and invalidates \emph{cursor} . - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get]{\code{krb5\_cc\_start\_seq\_get()}}} , {\hyperref[appdev/refs/api/krb5_cc_next_cred:c.krb5_cc_next_cred]{\code{krb5\_cc\_next\_cred()}}} - - - - -\subsubsection{krb5\_cc\_get\_config - Get a configuration value from a credential cache.} -\label{appdev/refs/api/krb5_cc_get_config:krb5-cc-get-config-get-a-configuration-value-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_get_config::doc}\index{krb5\_cc\_get\_config (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_config:c.krb5_cc_get_config}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_config}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const char *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{id} - Credential cache handle - -\textbf{{[}in{]}} \textbf{principal} - Configuration for this principal; if NULL, global for the whole cache - -\textbf{{[}in{]}} \textbf{key} - Name of config variable - -\textbf{{[}out{]}} \textbf{data} - Data to be fetched - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. - - -\subsubsection{krb5\_cc\_get\_flags - Retrieve flags from a credential cache structure.} -\label{appdev/refs/api/krb5_cc_get_flags:krb5-cc-get-flags-retrieve-flags-from-a-credential-cache-structure}\label{appdev/refs/api/krb5_cc_get_flags::doc}\index{krb5\_cc\_get\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_flags:c.krb5_cc_get_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}out{]}} \textbf{flags} - Flag bit mask - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{warning}{Warning:} -For memory credential cache always returns a flag mask of 0. -\end{notice} - - -\subsubsection{krb5\_cc\_get\_full\_name - Retrieve the full name of a credential cache.} -\label{appdev/refs/api/krb5_cc_get_full_name::doc}\label{appdev/refs/api/krb5_cc_get_full_name:krb5-cc-get-full-name-retrieve-the-full-name-of-a-credential-cache}\index{krb5\_cc\_get\_full\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_get_full_name:c.krb5_cc_get_full_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_get\_full\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, char **\emph{ fullname\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}out{]}} \textbf{fullname\_out} - Full name of cache - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_string:c.krb5_free_string]{\code{krb5\_free\_string()}}} to free \emph{fullname\_out} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_cc\_last\_change\_time - Return a timestamp of the last modification to a credential cache.} -\label{appdev/refs/api/krb5_cc_last_change_time:krb5-cc-last-change-time-return-a-timestamp-of-the-last-modification-to-a-credential-cache}\label{appdev/refs/api/krb5_cc_last_change_time::doc}\index{krb5\_cc\_last\_change\_time (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_last_change_time:c.krb5_cc_last_change_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_last\_change\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ change\_time}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\textbf{{[}out{]}} \textbf{change\_time} - The last change time of \emph{ccache} - -\end{description}\end{quote} - -If an error occurs, \emph{change\_time} is set to 0. - - -\subsubsection{krb5\_cc\_lock - Lock a credential cache.} -\label{appdev/refs/api/krb5_cc_lock:krb5-cc-lock-lock-a-credential-cache}\label{appdev/refs/api/krb5_cc_lock::doc}\index{krb5\_cc\_lock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_lock:c.krb5_cc_lock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_lock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_cc_unlock:c.krb5_cc_unlock]{\code{krb5\_cc\_unlock()}}} to unlock the lock. - - -\subsubsection{krb5\_cc\_move - Move a credential cache.} -\label{appdev/refs/api/krb5_cc_move:krb5-cc-move-move-a-credential-cache}\label{appdev/refs/api/krb5_cc_move::doc}\index{krb5\_cc\_move (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_move:c.krb5_cc_move}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_move}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ src}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ dst}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{src} - The credential cache to move the content from - -\textbf{{[}in{]}} \textbf{dst} - The credential cache to move the content to - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; src is closed. - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes; src is still allocated. - -\end{itemize} - -\end{description}\end{quote} - -This function reinitializes \emph{dst} and populates it with the credentials and default principal of \emph{src} ; then, if successful, destroys \emph{src} . - - -\subsubsection{krb5\_cc\_next\_cred - Retrieve the next entry from the credential cache.} -\label{appdev/refs/api/krb5_cc_next_cred::doc}\label{appdev/refs/api/krb5_cc_next_cred:krb5-cc-next-cred-retrieve-the-next-entry-from-the-credential-cache}\index{krb5\_cc\_next\_cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_next_cred:c.krb5_cc_next_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_next\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{cursor} - Cursor - -\textbf{{[}out{]}} \textbf{creds} - Next credential cache entry - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function fills in \emph{creds} with the next entry in \emph{cache} and advances \emph{cursor} . - -Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get]{\code{krb5\_cc\_start\_seq\_get()}}} , krb5\_end\_seq\_get() - - - - -\subsubsection{krb5\_cc\_remove\_cred - Remove credentials from a credential cache.} -\label{appdev/refs/api/krb5_cc_remove_cred:krb5-cc-remove-cred-remove-credentials-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_remove_cred::doc}\index{krb5\_cc\_remove\_cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_remove_cred:c.krb5_cc_remove_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_remove\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{flags} - Bitwise-ORed search flags - -\textbf{{[}in{]}} \textbf{creds} - Credentials to be matched - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -KRB5\_CC\_NOSUPP Not implemented for this cache type - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -No matches found; Data cannot be deleted; Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function accepts the same flag values as {\hyperref[appdev/refs/api/krb5_cc_retrieve_cred:c.krb5_cc_retrieve_cred]{\code{krb5\_cc\_retrieve\_cred()}}} . - -\begin{notice}{warning}{Warning:} -This function is not implemented for some cache types. -\end{notice} - - -\subsubsection{krb5\_cc\_retrieve\_cred - Retrieve a specified credentials from a credential cache.} -\label{appdev/refs/api/krb5_cc_retrieve_cred:krb5-cc-retrieve-cred-retrieve-a-specified-credentials-from-a-credential-cache}\label{appdev/refs/api/krb5_cc_retrieve_cred::doc}\index{krb5\_cc\_retrieve\_cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_retrieve_cred:c.krb5_cc_retrieve_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_retrieve\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ mcreds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{flags} - Flags bit mask - -\textbf{{[}in{]}} \textbf{mcreds} - Credentials to match - -\textbf{{[}out{]}} \textbf{creds} - Credentials matching the requested value - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function searches a credential cache for credentials matching \emph{mcreds} and returns it if found. - -Valid values for \emph{flags} are: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_TIMES:KRB5_TC_MATCH_TIMES]{\code{KRB5\_TC\_MATCH\_TIMES}}} The requested lifetime must be at least as great as in \emph{mcreds} . - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:KRB5_TC_MATCH_IS_SKEY]{\code{KRB5\_TC\_MATCH\_IS\_SKEY}}} The \emph{is\_skey} field much match exactly. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_FLAGS:KRB5_TC_MATCH_FLAGS]{\code{KRB5\_TC\_MATCH\_FLAGS}}} Flags set in \emph{mcreds} must be set. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:KRB5_TC_MATCH_TIMES_EXACT]{\code{KRB5\_TC\_MATCH\_TIMES\_EXACT}}} The requested lifetime must match exactly. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:KRB5_TC_MATCH_FLAGS_EXACT]{\code{KRB5\_TC\_MATCH\_FLAGS\_EXACT}}} Flags must match exactly. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:KRB5_TC_MATCH_AUTHDATA]{\code{KRB5\_TC\_MATCH\_AUTHDATA}}} The authorization data must match. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:KRB5_TC_MATCH_SRV_NAMEONLY]{\code{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}}} Only the name portion of the principal name must match, not the realm. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:KRB5_TC_MATCH_2ND_TKT]{\code{KRB5\_TC\_MATCH\_2ND\_TKT}}} The second tickets must match. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_MATCH_KTYPE:KRB5_TC_MATCH_KTYPE]{\code{KRB5\_TC\_MATCH\_KTYPE}}} The encryption key types must match. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:KRB5_TC_SUPPORTED_KTYPES]{\code{KRB5\_TC\_SUPPORTED\_KTYPES}}} Check all matching entries that have any supported encryption type and return the one with the encryption type listed earliest. - -\end{itemize} - -Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. -\end{quote} - - -\subsubsection{krb5\_cc\_select - Select a credential cache to use with a server principal.} -\label{appdev/refs/api/krb5_cc_select::doc}\label{appdev/refs/api/krb5_cc_select:krb5-cc-select-select-a-credential-cache-to-use-with-a-server-principal}\index{krb5\_cc\_select (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_select:c.krb5_cc_select}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_select}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache\_out}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ princ\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{server} - Server principal - -\textbf{{[}out{]}} \textbf{cache\_out} - Credential cache handle - -\textbf{{[}out{]}} \textbf{princ\_out} - Client principal - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -If an appropriate cache is found, 0 is returned, cache\_out is set to the selected cache, and princ\_out is set to the default principal of that cache. - -\end{itemize} - -\end{description}\end{quote} - -Select a cache within the collection containing credentials most appropriate for use with \emph{server} , according to configured rules and heuristics. - -Use {\hyperref[appdev/refs/api/krb5_cc_close:c.krb5_cc_close]{\code{krb5\_cc\_close()}}} to release \emph{cache\_out} when it is no longer needed. Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to release \emph{princ\_out} when it is no longer needed. Note that \emph{princ\_out} is set in some error conditions. - -If the appropriate client principal can be authoritatively determined but the cache collection contains no credentials for that principal, then KRB5\_CC\_NOTFOUND is returned, \emph{cache\_out} is set to NULL, and \emph{princ\_out} is set to the appropriate client principal. - -If no configured mechanism can determine the appropriate cache or principal, KRB5\_CC\_NOTFOUND is returned and \emph{cache\_out} and \emph{princ\_out} are set to NULL. - -Any other error code indicates a fatal error in the processing of a cache selection mechanism. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_cc\_set\_config - Store a configuration value in a credential cache.} -\label{appdev/refs/api/krb5_cc_set_config::doc}\label{appdev/refs/api/krb5_cc_set_config:krb5-cc-set-config-store-a-configuration-value-in-a-credential-cache}\index{krb5\_cc\_set\_config (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_set_config:c.krb5_cc_set_config}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_config}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const char *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{id} - Credential cache handle - -\textbf{{[}in{]}} \textbf{principal} - Configuration for a specific principal; if NULL, global for the whole cache - -\textbf{{[}in{]}} \textbf{key} - Name of config variable - -\textbf{{[}in{]}} \textbf{data} - Data to store, or NULL to remove - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{warning}{Warning:} -Before version 1.10 \emph{data} was assumed to be always non-null. -\end{notice} - -\begin{notice}{note}{Note:} -Existing configuration under the same key is over-written. -\end{notice} - - -\subsubsection{krb5\_cc\_set\_default\_name - Set the default credential cache name.} -\label{appdev/refs/api/krb5_cc_set_default_name:krb5-cc-set-default-name-set-the-default-credential-cache-name}\label{appdev/refs/api/krb5_cc_set_default_name::doc}\index{krb5\_cc\_set\_default\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_set_default_name:c.krb5_cc_set_default_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_default\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ name}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{name} - Default credential cache name or NULL - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KV5M\_CONTEXT Bad magic number for \_krb5\_context structure - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Set the default credential cache name to \emph{name} for future operations using \emph{context} . If \emph{name} is NULL, clear any previous application-set default name and forget any cached value of the default name for \emph{context} . - -Calls to this function invalidate the result of any previous calls to {\hyperref[appdev/refs/api/krb5_cc_default_name:c.krb5_cc_default_name]{\code{krb5\_cc\_default\_name()}}} using \emph{context} . - - -\subsubsection{krb5\_cc\_set\_flags - Set options flags on a credential cache.} -\label{appdev/refs/api/krb5_cc_set_flags:krb5-cc-set-flags-set-options-flags-on-a-credential-cache}\label{appdev/refs/api/krb5_cc_set_flags::doc}\index{krb5\_cc\_set\_flags (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_set_flags:c.krb5_cc_set_flags}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_set\_flags}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{flags} - Flag bit mask - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function resets \emph{cache} flags to \emph{flags} . - - -\subsubsection{krb5\_cc\_start\_seq\_get - Prepare to sequentially read every credential in a credential cache.} -\label{appdev/refs/api/krb5_cc_start_seq_get::doc}\label{appdev/refs/api/krb5_cc_start_seq_get:krb5-cc-start-seq-get-prepare-to-sequentially-read-every-credential-in-a-credential-cache}\index{krb5\_cc\_start\_seq\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_start_seq_get:c.krb5_cc_start_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_start\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor]{krb5\_cc\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}out{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} -\begin{quote} - -{\hyperref[appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get]{\code{krb5\_cc\_end\_seq\_get()}}} must be called to complete the retrieve operation. -\end{quote} - -\begin{notice}{note}{Note:} -If \emph{cache} is modified between the time of the call to this function and the time of the final {\hyperref[appdev/refs/api/krb5_cc_end_seq_get:c.krb5_cc_end_seq_get]{\code{krb5\_cc\_end\_seq\_get()}}} , the results are undefined. -\end{notice} - - -\subsubsection{krb5\_cc\_store\_cred - Store credentials in a credential cache.} -\label{appdev/refs/api/krb5_cc_store_cred:krb5-cc-store-cred-store-credentials-in-a-credential-cache}\label{appdev/refs/api/krb5_cc_store_cred::doc}\index{krb5\_cc\_store\_cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_store_cred:c.krb5_cc_store_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_store\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{creds} - Credentials to be stored in cache - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Permission errors; storage failure errors; Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function stores \emph{creds} into \emph{cache} . If \emph{creds-\textgreater{}server} and the server in the decoded ticket \emph{creds-\textgreater{}ticket} differ, the credentials will be stored under both server principal names. - - -\subsubsection{krb5\_cc\_support\_switch - Determine whether a credential cache type supports switching.} -\label{appdev/refs/api/krb5_cc_support_switch::doc}\label{appdev/refs/api/krb5_cc_support_switch:krb5-cc-support-switch-determine-whether-a-credential-cache-type-supports-switching}\index{krb5\_cc\_support\_switch (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_support_switch:c.krb5_cc_support_switch}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_cc\_support\_switch}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ type}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{type} - Credential cache type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -TRUE if type supports switching - -\item {} -FALSE if it does not or is not a valid credential cache type. - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_cc\_switch - Make a credential cache the primary cache for its collection.} -\label{appdev/refs/api/krb5_cc_switch::doc}\label{appdev/refs/api/krb5_cc_switch:krb5-cc-switch-make-a-credential-cache-the-primary-cache-for-its-collection}\index{krb5\_cc\_switch (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_switch:c.krb5_cc_switch}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_switch}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success, or the type of cache doesn't support switching - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If the type of \emph{cache} supports it, set \emph{cache} to be the primary credential cache for the collection it belongs to. - - -\subsubsection{krb5\_cc\_unlock - Unlock a credential cache.} -\label{appdev/refs/api/krb5_cc_unlock:krb5-cc-unlock-unlock-a-credential-cache}\label{appdev/refs/api/krb5_cc_unlock::doc}\index{krb5\_cc\_unlock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_unlock:c.krb5_cc_unlock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_unlock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function unlocks the \emph{ccache} locked by {\hyperref[appdev/refs/api/krb5_cc_lock:c.krb5_cc_lock]{\code{krb5\_cc\_lock()}}} . - - -\subsubsection{krb5\_cccol\_cursor\_free - Free a credential cache collection cursor.} -\label{appdev/refs/api/krb5_cccol_cursor_free::doc}\label{appdev/refs/api/krb5_cccol_cursor_free:krb5-cccol-cursor-free-free-a-credential-cache-collection-cursor}\index{krb5\_cccol\_cursor\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new]{\code{krb5\_cccol\_cursor\_new()}}} , {\hyperref[appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next]{\code{krb5\_cccol\_cursor\_next()}}} - - - - -\subsubsection{krb5\_cccol\_cursor\_new - Prepare to iterate over the collection of known credential caches.} -\label{appdev/refs/api/krb5_cccol_cursor_new::doc}\label{appdev/refs/api/krb5_cccol_cursor_new:krb5-cccol-cursor-new-prepare-to-iterate-over-the-collection-of-known-credential-caches}\index{krb5\_cccol\_cursor\_new (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_new}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Get a new cache iteration \emph{cursor} that will iterate over all known credential caches independent of type. - -Use {\hyperref[appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free]{\code{krb5\_cccol\_cursor\_free()}}} to release \emph{cursor} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next]{\code{krb5\_cccol\_cursor\_next()}}} - - - - -\subsubsection{krb5\_cccol\_cursor\_next - Get the next credential cache in the collection.} -\label{appdev/refs/api/krb5_cccol_cursor_next::doc}\label{appdev/refs/api/krb5_cccol_cursor_next:krb5-cccol-cursor-next-get-the-next-credential-cache-in-the-collection}\index{krb5\_cccol\_cursor\_next (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_cursor_next:c.krb5_cccol_cursor_next}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_cursor\_next}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor]{krb5\_cccol\_cursor}}\emph{ cursor}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cursor} - Cursor - -\textbf{{[}out{]}} \textbf{ccache} - Credential cache handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_cc_close:c.krb5_cc_close]{\code{krb5\_cc\_close()}}} to close \emph{ccache} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_cccol_cursor_new:c.krb5_cccol_cursor_new]{\code{krb5\_cccol\_cursor\_new()}}} , {\hyperref[appdev/refs/api/krb5_cccol_cursor_free:c.krb5_cccol_cursor_free]{\code{krb5\_cccol\_cursor\_free()}}} - - - -\begin{notice}{note}{Note:} -When all caches are iterated over and the end of the list is reached, \emph{ccache} is set to NULL. -\end{notice} - - -\subsubsection{krb5\_cccol\_have\_content - Check if the credential cache collection contains any credentials.} -\label{appdev/refs/api/krb5_cccol_have_content:krb5-cccol-have-content-check-if-the-credential-cache-collection-contains-any-credentials}\label{appdev/refs/api/krb5_cccol_have_content::doc}\index{krb5\_cccol\_have\_content (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_have_content:c.krb5_cccol_have_content}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_have\_content}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Credentials are available in the collection - -\item {} -KRB5\_CC\_NOTFOUND The collection contains no credentials - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_cccol\_last\_change\_time - Return a timestamp of the last modification of any known credential cache.} -\label{appdev/refs/api/krb5_cccol_last_change_time:krb5-cccol-last-change-time-return-a-timestamp-of-the-last-modification-of-any-known-credential-cache}\label{appdev/refs/api/krb5_cccol_last_change_time::doc}\index{krb5\_cccol\_last\_change\_time (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_last_change_time:c.krb5_cccol_last_change_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_last\_change\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ change\_time}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{change\_time} - Last modification timestamp - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function returns the most recent modification time of any known credential cache, ignoring any caches which cannot supply a last modification time. - -If there are no known credential caches, \emph{change\_time} is set to 0. - - -\subsubsection{krb5\_cccol\_lock - Acquire a global lock for credential caches.} -\label{appdev/refs/api/krb5_cccol_lock::doc}\label{appdev/refs/api/krb5_cccol_lock:krb5-cccol-lock-acquire-a-global-lock-for-credential-caches}\index{krb5\_cccol\_lock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_lock:c.krb5_cccol_lock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_lock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function locks the global credential cache collection, ensuring that no ccaches are added to or removed from it until the collection lock is released. - -Use {\hyperref[appdev/refs/api/krb5_cccol_unlock:c.krb5_cccol_unlock]{\code{krb5\_cccol\_unlock()}}} to unlock the lock. - - -\subsubsection{krb5\_cccol\_unlock - Release a global lock for credential caches.} -\label{appdev/refs/api/krb5_cccol_unlock:krb5-cccol-unlock-release-a-global-lock-for-credential-caches}\label{appdev/refs/api/krb5_cccol_unlock::doc}\index{krb5\_cccol\_unlock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cccol_unlock:c.krb5_cccol_unlock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cccol\_unlock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function unlocks the lock from {\hyperref[appdev/refs/api/krb5_cccol_lock:c.krb5_cccol_lock]{\code{krb5\_cccol\_lock()}}} . - - -\subsubsection{krb5\_clear\_error\_message - Clear the extended error message in a context.} -\label{appdev/refs/api/krb5_clear_error_message:krb5-clear-error-message-clear-the-extended-error-message-in-a-context}\label{appdev/refs/api/krb5_clear_error_message::doc}\index{krb5\_clear\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_clear_error_message:c.krb5_clear_error_message}\pysiglinewithargsret{void \bfcode{krb5\_clear\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\end{description}\end{quote} - -This function unsets the extended error message in a context, to ensure that it is not mistakenly applied to another occurrence of the same error code. - - -\subsubsection{krb5\_check\_clockskew - Check if a timestamp is within the allowed clock skew of the current time.} -\label{appdev/refs/api/krb5_check_clockskew:krb5-check-clockskew-check-if-a-timestamp-is-within-the-allowed-clock-skew-of-the-current-time}\label{appdev/refs/api/krb5_check_clockskew::doc}\index{krb5\_check\_clockskew (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_check_clockskew:c.krb5_check_clockskew}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_check\_clockskew}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ date}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{date} - Timestamp to check - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5KRB\_AP\_ERR\_SKEW date is not within allowable clock skew - -\end{itemize} - -\end{description}\end{quote} - -This function checks if \emph{date} is close enough to the current time according to the configured allowable clock skew. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_copy\_addresses - Copy an array of addresses.} -\label{appdev/refs/api/krb5_copy_addresses:krb5-copy-addresses-copy-an-array-of-addresses}\label{appdev/refs/api/krb5_copy_addresses::doc}\index{krb5\_copy\_addresses (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_addresses:c.krb5_copy_addresses}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_addresses}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ inaddr}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ***\emph{ outaddr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{inaddr} - Array of addresses to be copied - -\textbf{{[}out{]}} \textbf{outaddr} - Copy of array of addresses - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new address array containing a copy of \emph{inaddr} . Use {\hyperref[appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses]{\code{krb5\_free\_addresses()}}} to free \emph{outaddr} when it is no longer needed. - - -\subsubsection{krb5\_copy\_authdata - Copy an authorization data list.} -\label{appdev/refs/api/krb5_copy_authdata:krb5-copy-authdata-copy-an-authorization-data-list}\label{appdev/refs/api/krb5_copy_authdata::doc}\index{krb5\_copy\_authdata (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_authdata:c.krb5_copy_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ in\_authdat}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{in\_authdat} - List of \emph{krb5\_authdata} structures - -\textbf{{[}out{]}} \textbf{out} - New array of \emph{krb5\_authdata} structures - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new authorization data list containing a copy of \emph{in\_authdat} , which must be null-terminated. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{out} when it is no longer needed. - -\begin{notice}{note}{Note:} -The last array entry in \emph{in\_authdat} must be a NULL pointer. -\end{notice} - - -\subsubsection{krb5\_copy\_authenticator - Copy a krb5\_authenticator structure.} -\label{appdev/refs/api/krb5_copy_authenticator:krb5-copy-authenticator-copy-a-krb5-authenticator-structure}\label{appdev/refs/api/krb5_copy_authenticator::doc}\index{krb5\_copy\_authenticator (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_authenticator:c.krb5_copy_authenticator}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_authenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} *\emph{ authfrom}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} **\emph{ authto}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{authfrom} - krb5\_authenticator structure to be copied - -\textbf{{[}out{]}} \textbf{authto} - Copy of krb5\_authenticator structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new krb5\_authenticator structure with the content of \emph{authfrom} . Use {\hyperref[appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator]{\code{krb5\_free\_authenticator()}}} to free \emph{authto} when it is no longer needed. - - -\subsubsection{krb5\_copy\_checksum - Copy a krb5\_checksum structure.} -\label{appdev/refs/api/krb5_copy_checksum:krb5-copy-checksum-copy-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_copy_checksum::doc}\index{krb5\_copy\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_checksum:c.krb5_copy_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ ckfrom}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} **\emph{ ckto}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ckfrom} - Checksum to be copied - -\textbf{{[}out{]}} \textbf{ckto} - Copy of krb5\_checksum structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new krb5\_checksum structure with the contents of \emph{ckfrom} . Use {\hyperref[appdev/refs/api/krb5_free_checksum:c.krb5_free_checksum]{\code{krb5\_free\_checksum()}}} to free \emph{ckto} when it is no longer needed. - - -\subsubsection{krb5\_copy\_context - Copy a krb5\_context structure.} -\label{appdev/refs/api/krb5_copy_context:krb5-copy-context-copy-a-krb5-context-structure}\label{appdev/refs/api/krb5_copy_context::doc}\index{krb5\_copy\_context (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_context:c.krb5_copy_context}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_context}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ nctx\_out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}out{]}} \textbf{nctx\_out} - New context structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The newly created context must be released by calling {\hyperref[appdev/refs/api/krb5_free_context:c.krb5_free_context]{\code{krb5\_free\_context()}}} when it is no longer needed. - - -\subsubsection{krb5\_copy\_creds - Copy a krb5\_creds structure.} -\label{appdev/refs/api/krb5_copy_creds:krb5-copy-creds-copy-a-krb5-creds-structure}\label{appdev/refs/api/krb5_copy_creds::doc}\index{krb5\_copy\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_creds:c.krb5_copy_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ incred}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ outcred}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{incred} - Credentials structure to be copied - -\textbf{{[}out{]}} \textbf{outcred} - Copy of \emph{incred} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new credential with the contents of \emph{incred} . Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{outcred} when it is no longer needed. - - -\subsubsection{krb5\_copy\_data - Copy a krb5\_data object.} -\label{appdev/refs/api/krb5_copy_data:krb5-copy-data-copy-a-krb5-data-object}\label{appdev/refs/api/krb5_copy_data::doc}\index{krb5\_copy\_data (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_data:c.krb5_copy_data}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_data}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ indata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{indata} - Data object to be copied - -\textbf{{[}out{]}} \textbf{outdata} - Copy of \emph{indata} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new krb5\_data object with the contents of \emph{indata} . Use {\hyperref[appdev/refs/api/krb5_free_data:c.krb5_free_data]{\code{krb5\_free\_data()}}} to free \emph{outdata} when it is no longer needed. - - -\subsubsection{krb5\_copy\_error\_message - Copy the most recent extended error message from one context to another.} -\label{appdev/refs/api/krb5_copy_error_message:krb5-copy-error-message-copy-the-most-recent-extended-error-message-from-one-context-to-another}\label{appdev/refs/api/krb5_copy_error_message::doc}\index{krb5\_copy\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_error_message:c.krb5_copy_error_message}\pysiglinewithargsret{void \bfcode{krb5\_copy\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ dest\_ctx}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ src\_ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{dest\_ctx} - Library context to copy message to - -\textbf{{[}in{]}} \textbf{src\_ctx} - Library context with current message - -\end{description}\end{quote} - - -\subsubsection{krb5\_copy\_keyblock - Copy a keyblock.} -\label{appdev/refs/api/krb5_copy_keyblock:krb5-copy-keyblock-copy-a-keyblock}\label{appdev/refs/api/krb5_copy_keyblock::doc}\index{krb5\_copy\_keyblock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_keyblock:c.krb5_copy_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ to}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{from} - Keyblock to be copied - -\textbf{{[}out{]}} \textbf{to} - Copy of keyblock \emph{from} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new keyblock with the same contents as \emph{from} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{to} when it is no longer needed. - - -\subsubsection{krb5\_copy\_keyblock\_contents - Copy the contents of a keyblock.} -\label{appdev/refs/api/krb5_copy_keyblock_contents:krb5-copy-keyblock-contents-copy-the-contents-of-a-keyblock}\label{appdev/refs/api/krb5_copy_keyblock_contents::doc}\index{krb5\_copy\_keyblock\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_keyblock_contents:c.krb5_copy_keyblock_contents}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_keyblock\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ to}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{from} - Key to be copied - -\textbf{{[}out{]}} \textbf{to} - Output key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function copies the contents of \emph{from} to \emph{to} . Use {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} to free \emph{to} when it is no longer needed. - - -\subsubsection{krb5\_copy\_principal - Copy a principal.} -\label{appdev/refs/api/krb5_copy_principal:krb5-copy-principal-copy-a-principal}\label{appdev/refs/api/krb5_copy_principal::doc}\index{krb5\_copy\_principal (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_principal:c.krb5_copy_principal}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_principal}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ inprinc}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} *\emph{ outprinc}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{inprinc} - Principal to be copied - -\textbf{{[}out{]}} \textbf{outprinc} - Copy of \emph{inprinc} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new principal structure with the contents of \emph{inprinc} . Use {\hyperref[appdev/refs/api/krb5_free_principal:c.krb5_free_principal]{\code{krb5\_free\_principal()}}} to free \emph{outprinc} when it is no longer needed. - - -\subsubsection{krb5\_copy\_ticket - Copy a krb5\_ticket structure.} -\label{appdev/refs/api/krb5_copy_ticket:krb5-copy-ticket-copy-a-krb5-ticket-structure}\label{appdev/refs/api/krb5_copy_ticket::doc}\index{krb5\_copy\_ticket (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_copy_ticket:c.krb5_copy_ticket}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_copy\_ticket}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ from}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ pto}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{from} - Ticket to be copied - -\textbf{{[}out{]}} \textbf{pto} - Copy of ticket - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new krb5\_ticket structure containing the contents of \emph{from} . Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{pto} when it is no longer needed. - - -\subsubsection{krb5\_find\_authdata - Find authorization data elements.} -\label{appdev/refs/api/krb5_find_authdata:krb5-find-authdata-find-authorization-data-elements}\label{appdev/refs/api/krb5_find_authdata::doc}\index{krb5\_find\_authdata (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_find_authdata:c.krb5_find_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_find\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ ticket\_authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ ap\_req\_authdata}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ ad\_type}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ results}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ticket\_authdata} - Authorization data list from ticket - -\textbf{{[}in{]}} \textbf{ap\_req\_authdata} - Authorization data list from AP request - -\textbf{{[}in{]}} \textbf{ad\_type} - Authorization data type to find - -\textbf{{[}out{]}} \textbf{results} - List of matching entries - -\end{description}\end{quote} - -This function searches \emph{ticket\_authdata} and \emph{ap\_req\_authdata} for elements of type \emph{ad\_type} . Either input list may be NULL, in which case it will not be searched; otherwise, the input lists must be terminated by NULL entries. This function will search inside AD-IF-RELEVANT containers if found in either list. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{results} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_free\_addresses - Free the data stored in array of addresses.} -\label{appdev/refs/api/krb5_free_addresses:krb5-free-addresses-free-the-data-stored-in-array-of-addresses}\label{appdev/refs/api/krb5_free_addresses::doc}\index{krb5\_free\_addresses (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses}\pysiglinewithargsret{void \bfcode{krb5\_free\_addresses}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} **\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Array of addresses to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the array itself. - -\begin{notice}{note}{Note:} -The last entry in the array must be a NULL pointer. -\end{notice} - - -\subsubsection{krb5\_free\_ap\_rep\_enc\_part - Free a krb5\_ap\_rep\_enc\_part structure.} -\label{appdev/refs/api/krb5_free_ap_rep_enc_part:krb5-free-ap-rep-enc-part-free-a-krb5-ap-rep-enc-part-structure}\label{appdev/refs/api/krb5_free_ap_rep_enc_part::doc}\index{krb5\_free\_ap\_rep\_enc\_part (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part}\pysiglinewithargsret{void \bfcode{krb5\_free\_ap\_rep\_enc\_part}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - AP-REP enc part to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_authdata - Free the storage assigned to array of authentication data.} -\label{appdev/refs/api/krb5_free_authdata::doc}\label{appdev/refs/api/krb5_free_authdata:krb5-free-authdata-free-the-storage-assigned-to-array-of-authentication-data}\index{krb5\_free\_authdata (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata}\pysiglinewithargsret{void \bfcode{krb5\_free\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} **\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Array of authentication data to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the array itself. - -\begin{notice}{note}{Note:} -The last entry in the array must be a NULL pointer. -\end{notice} - - -\subsubsection{krb5\_free\_authenticator - Free a krb5\_authenticator structure.} -\label{appdev/refs/api/krb5_free_authenticator:krb5-free-authenticator-free-a-krb5-authenticator-structure}\label{appdev/refs/api/krb5_free_authenticator::doc}\index{krb5\_free\_authenticator (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_authenticator:c.krb5_free_authenticator}\pysiglinewithargsret{void \bfcode{krb5\_free\_authenticator}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Authenticator structure to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_cred\_contents - Free the contents of a krb5\_creds structure.} -\label{appdev/refs/api/krb5_free_cred_contents::doc}\label{appdev/refs/api/krb5_free_cred_contents:krb5-free-cred-contents-free-the-contents-of-a-krb5-creds-structure}\index{krb5\_free\_cred\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_cred\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Credential structure to free contents of - -\end{description}\end{quote} - -This function frees the contents of \emph{val} , but not the structure itself. - - -\subsubsection{krb5\_free\_creds - Free a krb5\_creds structure.} -\label{appdev/refs/api/krb5_free_creds::doc}\label{appdev/refs/api/krb5_free_creds:krb5-free-creds-free-a-krb5-creds-structure}\index{krb5\_free\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_creds:c.krb5_free_creds}\pysiglinewithargsret{void \bfcode{krb5\_free\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Credential structure to be freed. - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_data - Free a krb5\_data structure.} -\label{appdev/refs/api/krb5_free_data:krb5-free-data-free-a-krb5-data-structure}\label{appdev/refs/api/krb5_free_data::doc}\index{krb5\_free\_data (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_data:c.krb5_free_data}\pysiglinewithargsret{void \bfcode{krb5\_free\_data}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Data structure to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_data\_contents - Free the contents of a krb5\_data structure and zero the data field.} -\label{appdev/refs/api/krb5_free_data_contents:krb5-free-data-contents-free-the-contents-of-a-krb5-data-structure-and-zero-the-data-field}\label{appdev/refs/api/krb5_free_data_contents::doc}\index{krb5\_free\_data\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_data\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Data structure to free contents of - -\end{description}\end{quote} - -This function frees the contents of \emph{val} , but not the structure itself. - - -\subsubsection{krb5\_free\_default\_realm - Free a default realm string returned by krb5\_get\_default\_realm() .} -\label{appdev/refs/api/krb5_free_default_realm:krb5-free-default-realm-free-a-default-realm-string-returned-by-krb5-get-default-realm}\label{appdev/refs/api/krb5_free_default_realm::doc}\index{krb5\_free\_default\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_default_realm:c.krb5_free_default_realm}\pysiglinewithargsret{void \bfcode{krb5\_free\_default\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ lrealm}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{lrealm} - Realm to be freed - -\end{description}\end{quote} - - -\subsubsection{krb5\_free\_enctypes - Free an array of encryption types.} -\label{appdev/refs/api/krb5_free_enctypes::doc}\label{appdev/refs/api/krb5_free_enctypes:krb5-free-enctypes-free-an-array-of-encryption-types}\index{krb5\_free\_enctypes (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_enctypes:c.krb5_free_enctypes}\pysiglinewithargsret{void \bfcode{krb5\_free\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Array of enctypes to be freed - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.12 -\end{notice} - - -\subsubsection{krb5\_free\_error - Free an error allocated by krb5\_read\_error() or krb5\_sendauth() .} -\label{appdev/refs/api/krb5_free_error::doc}\label{appdev/refs/api/krb5_free_error:krb5-free-error-free-an-error-allocated-by-krb5-read-error-or-krb5-sendauth}\index{krb5\_free\_error (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_error:c.krb5_free_error}\pysiglinewithargsret{void \bfcode{krb5\_free\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Error data structure to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_host\_realm - Free the memory allocated by krb5\_get\_host\_realm() .} -\label{appdev/refs/api/krb5_free_host_realm::doc}\label{appdev/refs/api/krb5_free_host_realm:krb5-free-host-realm-free-the-memory-allocated-by-krb5-get-host-realm}\index{krb5\_free\_host\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_host_realm:c.krb5_free_host_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_free\_host\_realm}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *const *\emph{ realmlist}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{realmlist} - List of realm names to be released - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_free\_keyblock - Free a krb5\_keyblock structure.} -\label{appdev/refs/api/krb5_free_keyblock:krb5-free-keyblock-free-a-krb5-keyblock-structure}\label{appdev/refs/api/krb5_free_keyblock::doc}\index{krb5\_free\_keyblock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock}\pysiglinewithargsret{void \bfcode{krb5\_free\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Keyblock to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_keyblock\_contents - Free the contents of a krb5\_keyblock structure.} -\label{appdev/refs/api/krb5_free_keyblock_contents::doc}\label{appdev/refs/api/krb5_free_keyblock_contents:krb5-free-keyblock-contents-free-the-contents-of-a-krb5-keyblock-structure}\index{krb5\_free\_keyblock\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_keyblock\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Keyblock to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{key} , but not the structure itself. - - -\subsubsection{krb5\_free\_keytab\_entry\_contents - Free the contents of a key table entry.} -\label{appdev/refs/api/krb5_free_keytab_entry_contents:krb5-free-keytab-entry-contents-free-the-contents-of-a-key-table-entry}\label{appdev/refs/api/krb5_free_keytab_entry_contents::doc}\index{krb5\_free\_keytab\_entry\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_keytab_entry_contents:c.krb5_free_keytab_entry_contents}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_free\_keytab\_entry\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{entry} - Key table entry whose contents are to be freed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -The pointer is not freed. -\end{notice} - - -\subsubsection{krb5\_free\_string - Free a string allocated by a krb5 function.} -\label{appdev/refs/api/krb5_free_string:krb5-free-string-free-a-string-allocated-by-a-krb5-function}\label{appdev/refs/api/krb5_free_string::doc}\index{krb5\_free\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_string:c.krb5_free_string}\pysiglinewithargsret{void \bfcode{krb5\_free\_string}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - String to be freed - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_free\_ticket - Free a ticket.} -\label{appdev/refs/api/krb5_free_ticket:krb5-free-ticket-free-a-ticket}\label{appdev/refs/api/krb5_free_ticket::doc}\index{krb5\_free\_ticket (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket}\pysiglinewithargsret{void \bfcode{krb5\_free\_ticket}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Ticket to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_unparsed\_name - Free a string representation of a principal.} -\label{appdev/refs/api/krb5_free_unparsed_name::doc}\label{appdev/refs/api/krb5_free_unparsed_name:krb5-free-unparsed-name-free-a-string-representation-of-a-principal}\index{krb5\_free\_unparsed\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_unparsed_name:c.krb5_free_unparsed_name}\pysiglinewithargsret{void \bfcode{krb5\_free\_unparsed\_name}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, char *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Name string to be freed - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_permitted\_enctypes - Return a list of encryption types permitted for session keys.} -\label{appdev/refs/api/krb5_get_permitted_enctypes:krb5-get-permitted-enctypes-return-a-list-of-encryption-types-permitted-for-session-keys}\label{appdev/refs/api/krb5_get_permitted_enctypes::doc}\index{krb5\_get\_permitted\_enctypes (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_permitted_enctypes:c.krb5_get_permitted_enctypes}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_permitted\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} **\emph{ ktypes}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{ktypes} - Zero-terminated list of encryption types - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function returns the list of encryption types permitted for session keys within \emph{context} , as determined by configuration or by a previous call to {\hyperref[appdev/refs/api/krb5_set_default_tgs_enctypes:c.krb5_set_default_tgs_enctypes]{\code{krb5\_set\_default\_tgs\_enctypes()}}} . - -Use {\hyperref[appdev/refs/api/krb5_free_enctypes:c.krb5_free_enctypes]{\code{krb5\_free\_enctypes()}}} to free \emph{ktypes} when it is no longer needed. - - -\subsubsection{krb5\_get\_server\_rcache - Generate a replay cache object for server use and open it.} -\label{appdev/refs/api/krb5_get_server_rcache:krb5-get-server-rcache-generate-a-replay-cache-object-for-server-use-and-open-it}\label{appdev/refs/api/krb5_get_server_rcache::doc}\index{krb5\_get\_server\_rcache (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_server_rcache:c.krb5_get_server_rcache}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_server\_rcache}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ piece}, {\hyperref[appdev/refs/types/krb5_rcache:c.krb5_rcache]{krb5\_rcache}} *\emph{ rcptr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{piece} - Unique identifier for replay cache - -\textbf{{[}out{]}} \textbf{rcptr} - Handle to an open rcache - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function generates a replay cache name based on \emph{piece} and opens a handle to it. Typically \emph{piece} is the first component of the service principal name. Use krb5\_rc\_close() to close \emph{rcptr} when it is no longer needed. - - -\subsubsection{krb5\_get\_time\_offsets - Return the time offsets from the os context.} -\label{appdev/refs/api/krb5_get_time_offsets:krb5-get-time-offsets-return-the-time-offsets-from-the-os-context}\label{appdev/refs/api/krb5_get_time_offsets::doc}\index{krb5\_get\_time\_offsets (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_time_offsets:c.krb5_get_time_offsets}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_time\_offsets}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ microseconds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{seconds} - Time offset, seconds portion - -\textbf{{[}out{]}} \textbf{microseconds} - Time offset, microseconds portion - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function returns the time offsets in \emph{context} . - - -\subsubsection{krb5\_init\_context\_profile - Create a krb5 library context using a specified profile.} -\label{appdev/refs/api/krb5_init_context_profile:krb5-init-context-profile-create-a-krb5-library-context-using-a-specified-profile}\label{appdev/refs/api/krb5_init_context_profile::doc}\index{krb5\_init\_context\_profile (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_context_profile:c.krb5_init_context_profile}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_context\_profile}}{struct \_profile\_t *\emph{ profile}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}} *\emph{ context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{profile} - Profile object (NULL to create default profile) - -\textbf{{[}in{]}} \textbf{flags} - Context initialization flags - -\textbf{{[}out{]}} \textbf{context} - Library context - -\end{description}\end{quote} - -Create a context structure, optionally using a specified profile and initialization flags. If \emph{profile} is NULL, the default profile will be created from config files. If \emph{profile} is non-null, a copy of it will be made for the new context; the caller should still clean up its copy. Valid flag values are: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:KRB5_INIT_CONTEXT_SECURE]{\code{KRB5\_INIT\_CONTEXT\_SECURE}}} Ignore environment variables - -\item {} -{\hyperref[appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:KRB5_INIT_CONTEXT_KDC]{\code{KRB5\_INIT\_CONTEXT\_KDC}}} Use KDC configuration if creating profile - -\end{itemize} - - -\subsubsection{krb5\_init\_creds\_free - Free an initial credentials context.} -\label{appdev/refs/api/krb5_init_creds_free::doc}\label{appdev/refs/api/krb5_init_creds_free:krb5-init-creds-free-free-an-initial-credentials-context}\index{krb5\_init\_creds\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free}\pysiglinewithargsret{void \bfcode{krb5\_init\_creds\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\end{description}\end{quote} - - -\subsubsection{krb5\_init\_creds\_get - Acquire credentials using an initial credentials context.} -\label{appdev/refs/api/krb5_init_creds_get::doc}\label{appdev/refs/api/krb5_init_creds_get:krb5-init-creds-get-acquire-credentials-using-an-initial-credentials-context}\index{krb5\_init\_creds\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init]{\code{krb5\_init\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds]{\code{krb5\_init\_creds\_get\_creds()}}} . - - -\subsubsection{krb5\_init\_creds\_get\_creds - Retrieve acquired credentials from an initial credentials context.} -\label{appdev/refs/api/krb5_init_creds_get_creds::doc}\label{appdev/refs/api/krb5_init_creds_get_creds:krb5-init-creds-get-creds-retrieve-acquired-credentials-from-an-initial-credentials-context}\index{krb5\_init\_creds\_get\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_get_creds:c.krb5_init_creds_get_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}out{]}} \textbf{creds} - Acquired credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function copies the acquired initial credentials from \emph{ctx} into \emph{creds} , after the successful completion of {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} . Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. - - -\subsubsection{krb5\_init\_creds\_get\_error - Get the last error from KDC from an initial credentials context.} -\label{appdev/refs/api/krb5_init_creds_get_error:krb5-init-creds-get-error-get-the-last-error-from-kdc-from-an-initial-credentials-context}\label{appdev/refs/api/krb5_init_creds_get_error::doc}\index{krb5\_init\_creds\_get\_error (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_get_error:c.krb5_init_creds_get_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ error}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}out{]}} \textbf{error} - Error from KDC, or NULL if none was received - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_init\_creds\_get\_times - Retrieve ticket times from an initial credentials context.} -\label{appdev/refs/api/krb5_init_creds_get_times::doc}\label{appdev/refs/api/krb5_init_creds_get_times:krb5-init-creds-get-times-retrieve-ticket-times-from-an-initial-credentials-context}\index{krb5\_init\_creds\_get\_times (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_get_times:c.krb5_init_creds_get_times}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_get\_times}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} *\emph{ times}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}out{]}} \textbf{times} - Ticket times for acquired credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The initial credentials context must have completed obtaining credentials via either {\hyperref[appdev/refs/api/krb5_init_creds_get:c.krb5_init_creds_get]{\code{krb5\_init\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step]{\code{krb5\_init\_creds\_step()}}} . - - -\subsubsection{krb5\_init\_creds\_init - Create a context for acquiring initial credentials.} -\label{appdev/refs/api/krb5_init_creds_init::doc}\label{appdev/refs/api/krb5_init_creds_init:krb5-init-creds-init-create-a-context-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_init:c.krb5_init_creds_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct]{krb5\_prompter\_fct}}\emph{ prompter}, void *\emph{ data}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ start\_time}, {\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ options}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}} *\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{client} - Client principal to get initial creds for - -\textbf{{[}in{]}} \textbf{prompter} - Prompter callback - -\textbf{{[}in{]}} \textbf{data} - Prompter callback argument - -\textbf{{[}in{]}} \textbf{start\_time} - Time when credentials become valid (0 for now) - -\textbf{{[}in{]}} \textbf{options} - Options structure (NULL for default) - -\textbf{{[}out{]}} \textbf{ctx} - New initial credentials context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a new context for acquiring initial credentials. Use {\hyperref[appdev/refs/api/krb5_init_creds_free:c.krb5_init_creds_free]{\code{krb5\_init\_creds\_free()}}} to free \emph{ctx} when it is no longer needed. - - -\subsubsection{krb5\_init\_creds\_set\_keytab - Specify a keytab to use for acquiring initial credentials.} -\label{appdev/refs/api/krb5_init_creds_set_keytab:krb5-init-creds-set-keytab-specify-a-keytab-to-use-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_keytab::doc}\index{krb5\_init\_creds\_set\_keytab (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_set_keytab:c.krb5_init_creds_set_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function supplies a keytab containing the client key for an initial credentials request. - - -\subsubsection{krb5\_init\_creds\_set\_password - Set a password for acquiring initial credentials.} -\label{appdev/refs/api/krb5_init_creds_set_password:krb5-init-creds-set-password-set-a-password-for-acquiring-initial-credentials}\label{appdev/refs/api/krb5_init_creds_set_password::doc}\index{krb5\_init\_creds\_set\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_set_password:c.krb5_init_creds_set_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, const char *\emph{ password}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}in{]}} \textbf{password} - Password - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function supplies a password to be used to construct the client key for an initial credentials request. - - -\subsubsection{krb5\_init\_creds\_set\_service - Specify a service principal for acquiring initial credentials.} -\label{appdev/refs/api/krb5_init_creds_set_service::doc}\label{appdev/refs/api/krb5_init_creds_set_service:krb5-init-creds-set-service-specify-a-service-principal-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_set\_service (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_set_service:c.krb5_init_creds_set_service}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_set\_service}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, const char *\emph{ service}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}in{]}} \textbf{service} - Service principal string - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function supplies a service principal string to acquire initial credentials for instead of the default krbtgt service. \emph{service} is parsed as a principal name; any realm part is ignored. - - -\subsubsection{krb5\_init\_creds\_step - Get the next KDC request for acquiring initial credentials.} -\label{appdev/refs/api/krb5_init_creds_step::doc}\label{appdev/refs/api/krb5_init_creds_step:krb5-init-creds-step-get-the-next-kdc-request-for-acquiring-initial-credentials}\index{krb5\_init\_creds\_step (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_creds_step:c.krb5_init_creds_step}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_creds\_step}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context]{krb5\_init\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ out}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, unsigned int *\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - Initial credentials context - -\textbf{{[}in{]}} \textbf{in} - KDC response (empty on the first call) - -\textbf{{[}out{]}} \textbf{out} - Next KDC request - -\textbf{{[}out{]}} \textbf{realm} - Realm for next KDC request - -\textbf{{[}out{]}} \textbf{flags} - Output flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function constructs the next KDC request in an initial credential exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \emph{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. - -If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty. - -If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the initial credential exchange has failed. - - -\subsubsection{krb5\_init\_keyblock - Initialize an empty krb5\_keyblock .} -\label{appdev/refs/api/krb5_init_keyblock:krb5-init-keyblock-initialize-an-empty-krb5-keyblock}\label{appdev/refs/api/krb5_init_keyblock::doc}\index{krb5\_init\_keyblock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_keyblock:c.krb5_init_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ length}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{length} - Length of keyblock (or 0) - -\textbf{{[}out{]}} \textbf{out} - New keyblock structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Initialize a new keyblock and allocate storage for the contents of the key. It is legal to pass in a length of 0, in which case contents are left unallocated. Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{out} when it is no longer needed. - -\begin{notice}{note}{Note:} -If \emph{length} is set to 0, contents are left unallocated. -\end{notice} - - -\subsubsection{krb5\_is\_referral\_realm - Check for a match with KRB5\_REFERRAL\_REALM.} -\label{appdev/refs/api/krb5_is_referral_realm:krb5-is-referral-realm-check-for-a-match-with-krb5-referral-realm}\label{appdev/refs/api/krb5_is_referral_realm::doc}\index{krb5\_is\_referral\_realm (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_is_referral_realm:c.krb5_is_referral_realm}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_is\_referral\_realm}}{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ r}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{r} - Realm to check - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if r is zero-length, FALSE otherwise - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_add\_entry - Add a new entry to a key table.} -\label{appdev/refs/api/krb5_kt_add_entry:krb5-kt-add-entry-add-a-new-entry-to-a-key-table}\label{appdev/refs/api/krb5_kt_add_entry::doc}\index{krb5\_kt\_add\_entry (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_add_entry:c.krb5_kt_add_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_add\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{id} - Key table handle - -\textbf{{[}in{]}} \textbf{entry} - Entry to be added - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -ENOMEM Insufficient memory - -\item {} -KRB5\_KT\_NOWRITE Key table is not writeable - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_end\_seq\_get - Release a keytab cursor.} -\label{appdev/refs/api/krb5_kt_end_seq_get::doc}\label{appdev/refs/api/krb5_kt_end_seq_get:krb5-kt-end-seq-get-release-a-keytab-cursor}\index{krb5\_kt\_end\_seq\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_end_seq_get:c.krb5_kt_end_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_end\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\textbf{{[}out{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function should be called to release the cursor created by {\hyperref[appdev/refs/api/krb5_kt_start_seq_get:c.krb5_kt_start_seq_get]{\code{krb5\_kt\_start\_seq\_get()}}} . - - -\subsubsection{krb5\_kt\_get\_entry - Get an entry from a key table.} -\label{appdev/refs/api/krb5_kt_get_entry:krb5-kt-get-entry-get-an-entry-from-a-key-table}\label{appdev/refs/api/krb5_kt_get_entry::doc}\index{krb5\_kt\_get\_entry (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_get_entry:c.krb5_kt_get_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_get\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, {\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}}\emph{ vno}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\textbf{{[}in{]}} \textbf{principal} - Principal name - -\textbf{{[}in{]}} \textbf{vno} - Key version number (0 for highest available) - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type (0 zero for any enctype) - -\textbf{{[}out{]}} \textbf{entry} - Returned entry from key table - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -Kerberos error codes on failure - -\end{itemize} - -\end{description}\end{quote} - -Retrieve an entry from a key table which matches the \emph{keytab} , \emph{principal} , \emph{vno} , and \emph{enctype} . If \emph{vno} is zero, retrieve the highest-numbered kvno matching the other fields. If \emph{enctype} is 0, match any enctype. - -Use {\hyperref[appdev/refs/api/krb5_free_keytab_entry_contents:c.krb5_free_keytab_entry_contents]{\code{krb5\_free\_keytab\_entry\_contents()}}} to free \emph{entry} when it is no longer needed. - -\begin{notice}{note}{Note:} -If \emph{vno} is zero, the function retrieves the highest-numbered-kvno entry that matches the specified principal. -\end{notice} - - -\subsubsection{krb5\_kt\_have\_content - Check if a keytab exists and contains entries.} -\label{appdev/refs/api/krb5_kt_have_content::doc}\label{appdev/refs/api/krb5_kt_have_content:krb5-kt-have-content-check-if-a-keytab-exists-and-contains-entries}\index{krb5\_kt\_have\_content (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_have_content:c.krb5_kt_have_content}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_have\_content}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Keytab exists and contains entries - -\item {} -KRB5\_KT\_NOTFOUND Keytab does not contain entries - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.11 -\end{notice} - - -\subsubsection{krb5\_kt\_next\_entry - Retrieve the next entryfrom the key table.} -\label{appdev/refs/api/krb5_kt_next_entry:krb5-kt-next-entry-retrieve-the-next-entryfrom-the-key-table}\label{appdev/refs/api/krb5_kt_next_entry::doc}\index{krb5\_kt\_next\_entry (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_next_entry:c.krb5_kt_next_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_next\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\textbf{{[}out{]}} \textbf{entry} - Returned key table entry - -\textbf{{[}in{]}} \textbf{cursor} - Key table cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_KT\_END - if the last entry was reached - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Return the next sequential entry in \emph{keytab} and advance \emph{cursor} . Callers must release the returned entry with {\hyperref[appdev/refs/api/krb5_kt_free_entry:c.krb5_kt_free_entry]{\code{krb5\_kt\_free\_entry()}}} . - - -\subsubsection{krb5\_kt\_read\_service\_key - Retrieve a service key from a key table.} -\label{appdev/refs/api/krb5_kt_read_service_key::doc}\label{appdev/refs/api/krb5_kt_read_service_key:krb5-kt-read-service-key-retrieve-a-service-key-from-a-key-table}\index{krb5\_kt\_read\_service\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_read_service_key:c.krb5_kt_read_service_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_read\_service\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ keyprocarg}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ principal}, {\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}}\emph{ vno}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keyprocarg} - Name of a key table (NULL to use default name) - -\textbf{{[}in{]}} \textbf{principal} - Service principal - -\textbf{{[}in{]}} \textbf{vno} - Key version number (0 for highest available) - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type (0 for any type) - -\textbf{{[}out{]}} \textbf{key} - Service key from key table - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error code if not found or keyprocarg is invalid. - -\end{itemize} - -\end{description}\end{quote} - -Open and search the specified key table for the entry identified by \emph{principal} , \emph{enctype} , and \emph{vno} . If no key is found, return an error code. - -The default key table is used, unless \emph{keyprocarg} is non-null. \emph{keyprocarg} designates aspecific key table. - -Use {\hyperref[appdev/refs/api/krb5_free_keyblock:c.krb5_free_keyblock]{\code{krb5\_free\_keyblock()}}} to free \emph{key} when it is no longer needed. - - -\subsubsection{krb5\_kt\_remove\_entry - Remove an entry from a key table.} -\label{appdev/refs/api/krb5_kt_remove_entry::doc}\label{appdev/refs/api/krb5_kt_remove_entry:krb5-kt-remove-entry-remove-an-entry-from-a-key-table}\index{krb5\_kt\_remove\_entry (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_remove_entry:c.krb5_kt_remove_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_remove\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ id}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{id} - Key table handle - -\textbf{{[}in{]}} \textbf{entry} - Entry to remove from key table - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_KT\_NOWRITE Key table is not writable - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_kt\_start\_seq\_get - Start a sequential retrieval of key table entries.} -\label{appdev/refs/api/krb5_kt_start_seq_get:krb5-kt-start-seq-get-start-a-sequential-retrieval-of-key-table-entries}\label{appdev/refs/api/krb5_kt_start_seq_get::doc}\index{krb5\_kt\_start\_seq\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_start_seq_get:c.krb5_kt_start_seq_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_start\_seq\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor]{krb5\_kt\_cursor}} *\emph{ cursor}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keytab} - Key table handle - -\textbf{{[}out{]}} \textbf{cursor} - Cursor - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Prepare to read sequentially every key in the specified key table. Use {\hyperref[appdev/refs/api/krb5_kt_end_seq_get:c.krb5_kt_end_seq_get]{\code{krb5\_kt\_end\_seq\_get()}}} to release the cursor when it is no longer needed. - - -\subsubsection{krb5\_make\_authdata\_kdc\_issued - Encode and sign AD-KDCIssued authorization data.} -\label{appdev/refs/api/krb5_make_authdata_kdc_issued:krb5-make-authdata-kdc-issued-encode-and-sign-ad-kdcissued-authorization-data}\label{appdev/refs/api/krb5_make_authdata_kdc_issued::doc}\index{krb5\_make\_authdata\_kdc\_issued (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_make_authdata_kdc_issued:c.krb5_make_authdata_kdc_issued}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_make\_authdata\_kdc\_issued}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ issuer}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ ad\_kdcissued}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Session key - -\textbf{{[}in{]}} \textbf{issuer} - The name of the issuing principal - -\textbf{{[}in{]}} \textbf{authdata} - List of authorization data to be signed - -\textbf{{[}out{]}} \textbf{ad\_kdcissued} - List containing AD-KDCIssued authdata - -\end{description}\end{quote} - -This function wraps a list of authorization data entries \emph{authdata} in an AD-KDCIssued container (see RFC 4120 section 5.2.6.2) signed with \emph{key} . The result is returned in \emph{ad\_kdcissued} as a single-element list. - - -\subsubsection{krb5\_merge\_authdata - Merge two authorization data lists into a new list.} -\label{appdev/refs/api/krb5_merge_authdata:krb5-merge-authdata-merge-two-authorization-data-lists-into-a-new-list}\label{appdev/refs/api/krb5_merge_authdata::doc}\index{krb5\_merge\_authdata (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_merge_authdata:c.krb5_merge_authdata}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_merge\_authdata}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ inauthdat1}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ inauthdat2}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ outauthdat}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{inauthdat1} - First list of \emph{krb5\_authdata} structures - -\textbf{{[}in{]}} \textbf{inauthdat2} - Second list of \emph{krb5\_authdata} structures - -\textbf{{[}out{]}} \textbf{outauthdat} - Merged list of \emph{krb5\_authdata} structures - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Merge two authdata arrays, such as the array from a ticket and authenticator. Use {\hyperref[appdev/refs/api/krb5_free_authdata:c.krb5_free_authdata]{\code{krb5\_free\_authdata()}}} to free \emph{outauthdat} when it is no longer needed. - -\begin{notice}{note}{Note:} -The last array entry in \emph{inauthdat1} and \emph{inauthdat2} must be a NULL pointer. -\end{notice} - - -\subsubsection{krb5\_mk\_1cred - Format a KRB-CRED message for a single set of credentials.} -\label{appdev/refs/api/krb5_mk_1cred:krb5-mk-1cred-format-a-krb-cred-message-for-a-single-set-of-credentials}\label{appdev/refs/api/krb5_mk_1cred::doc}\index{krb5\_mk\_1cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_1cred:c.krb5_mk_1cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_1cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ pcreds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ ppdata}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{pcreds} - Pointer to credentials - -\textbf{{[}out{]}} \textbf{ppdata} - Encoded credentials - -\textbf{{[}out{]}} \textbf{outdata} - Replay cache data (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -ENOMEM Insufficient memory - -\item {} -KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This is a convenience function that calls {\hyperref[appdev/refs/api/krb5_mk_ncred:c.krb5_mk_ncred]{\code{krb5\_mk\_ncred()}}} with a single set of credentials. - - -\subsubsection{krb5\_mk\_error - Format and encode a KRB\_ERROR message.} -\label{appdev/refs/api/krb5_mk_error:krb5-mk-error-format-and-encode-a-krb-error-message}\label{appdev/refs/api/krb5_mk_error::doc}\index{krb5\_mk\_error (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_error:c.krb5_mk_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} *\emph{ dec\_err}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ enc\_err}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{dec\_err} - Error structure to be encoded - -\textbf{{[}out{]}} \textbf{enc\_err} - Encoded error structure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates a \textbf{KRB\_ERROR} message in \emph{enc\_err} . Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{enc\_err} when it is no longer needed. - - -\subsubsection{krb5\_mk\_ncred - Format a KRB-CRED message for an array of credentials.} -\label{appdev/refs/api/krb5_mk_ncred::doc}\label{appdev/refs/api/krb5_mk_ncred:krb5-mk-ncred-format-a-krb-cred-message-for-an-array-of-credentials}\index{krb5\_mk\_ncred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_ncred:c.krb5_mk_ncred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_ncred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ ppcreds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} **\emph{ ppdata}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{ppcreds} - Null-terminated array of credentials - -\textbf{{[}out{]}} \textbf{ppdata} - Encoded credentials - -\textbf{{[}out{]}} \textbf{outdata} - Replay cache information (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -ENOMEM Insufficient memory - -\item {} -KRB5\_RC\_REQUIRED Message replay detection requires rcache parameter - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function takes an array of credentials \emph{ppcreds} and formats a \textbf{KRB-CRED} message \emph{ppdata} to pass to {\hyperref[appdev/refs/api/krb5_rd_cred:c.krb5_rd_cred]{\code{krb5\_rd\_cred()}}} . - -The message will be encrypted using the send subkey of \emph{auth\_context} if it is present, or the session key otherwise. - -\begin{notice}{note}{Note:} -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , \emph{outdata} is required. -\end{notice} - - -\subsubsection{krb5\_mk\_priv - Format a KRB-PRIV message.} -\label{appdev/refs/api/krb5_mk_priv:krb5-mk-priv-format-a-krb-priv-message}\label{appdev/refs/api/krb5_mk_priv::doc}\index{krb5\_mk\_priv (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_priv:c.krb5_mk_priv}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_priv}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ userdata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{userdata} - User data for \textbf{KRB-PRIV} message - -\textbf{{[}out{]}} \textbf{outbuf} - Formatted \textbf{KRB-PRIV} message - -\textbf{{[}out{]}} \textbf{outdata} - Replay cache handle (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_mk_safe:c.krb5_mk_safe]{\code{krb5\_mk\_safe()}}} , but the message is encrypted and integrity-protected, not just integrity-protected. - -The local address in \emph{auth\_context} must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} - Use timestamps in \emph{outdata} - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} - Copy timestamp to \emph{outdata} . - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} - Use local sequence numbers from \emph{auth\_context} in replay cache. - -\item {} -{\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} - Use local sequence numbers from \emph{auth\_context} as a sequence number in the encrypted message \emph{outbuf} . - -\end{itemize} - -\begin{notice}{note}{Note:} -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , the \emph{outdata} is required. - -The flags from \emph{auth\_context} specify whether sequence numbers or timestamps will be used to identify the message. Valid values are: -\end{notice} - - -\subsubsection{krb5\_mk\_rep - Format and encrypt a KRB\_AP\_REP message.} -\label{appdev/refs/api/krb5_mk_rep:krb5-mk-rep-format-and-encrypt-a-krb-ap-rep-message}\label{appdev/refs/api/krb5_mk_rep::doc}\index{krb5\_mk\_rep (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_rep:c.krb5_mk_rep}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_rep}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REP} message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function fills in \emph{outbuf} with an AP-REP message using information from \emph{auth\_context} . - -If the flags in \emph{auth\_context} indicate that a sequence number should be used (either {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} ) and the local sequence number in \emph{auth\_context} is 0, a new number will be generated with krb5\_generate\_seq\_number(). - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. - - -\subsubsection{krb5\_mk\_rep\_dce - Format and encrypt a KRB\_AP\_REP message for DCE RPC.} -\label{appdev/refs/api/krb5_mk_rep_dce:krb5-mk-rep-dce-format-and-encrypt-a-krb-ap-rep-message-for-dce-rpc}\label{appdev/refs/api/krb5_mk_rep_dce::doc}\index{krb5\_mk\_rep\_dce (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_rep_dce:c.krb5_mk_rep_dce}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_rep\_dce}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REP} message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. - - -\subsubsection{krb5\_mk\_req - Create a KRB\_AP\_REQ message.} -\label{appdev/refs/api/krb5_mk_req:krb5-mk-req-create-a-krb-ap-req-message}\label{appdev/refs/api/krb5_mk_req::doc}\index{krb5\_mk\_req (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_req:c.krb5_mk_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, char *\emph{ service}, char *\emph{ hostname}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options - -\textbf{{[}in{]}} \textbf{service} - Service name, or NULL to use \textbf{``host''} - -\textbf{{[}in{]}} \textbf{hostname} - Host name, or NULL to use local hostname - -\textbf{{[}in{]}} \textbf{in\_data} - Application data to be checksummed in the authenticator, or NULL - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache used to obtain credentials for the desired service. - -\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REQ} message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_mk_req_extended:c.krb5_mk_req_extended]{\code{krb5\_mk\_req\_extended()}}} except that it uses a given \emph{hostname} , \emph{service} , and \emph{ccache} to construct a service principal name and obtain credentials. - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. - - -\subsubsection{krb5\_mk\_req\_extended - Create a KRB\_AP\_REQ message using supplied credentials.} -\label{appdev/refs/api/krb5_mk_req_extended::doc}\label{appdev/refs/api/krb5_mk_req_extended:krb5-mk-req-extended-create-a-krb-ap-req-message-using-supplied-credentials}\index{krb5\_mk\_req\_extended (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_req_extended:c.krb5_mk_req_extended}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_req\_extended}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options - -\textbf{{[}in{]}} \textbf{in\_data} - Application data to be checksummed in the authenticator, or NULL - -\textbf{{[}in{]}} \textbf{in\_creds} - Credentials for the service with valid ticket and key - -\textbf{{[}out{]}} \textbf{outbuf} - \textbf{AP-REQ} message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Valid \emph{ap\_req\_options} are: -\begin{quote} -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:AP_OPTS_USE_SESSION_KEY]{\code{AP\_OPTS\_USE\_SESSION\_KEY}}} - Use the session key when creating the request used for user to user authentication. - -\item {} -{\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} - Request a mutual authentication packet from the reciever. - -\item {} -{\hyperref[appdev/refs/macros/AP_OPTS_USE_SUBKEY:AP_OPTS_USE_SUBKEY]{\code{AP\_OPTS\_USE\_SUBKEY}}} - Generate a subsession key from the current session key obtained from the credentials. - -\end{itemize} - -This function creates a KRB\_AP\_REQ message using supplied credentials \emph{in\_creds} . \emph{auth\_context} may point to an existing auth context or to NULL, in which case a new one will be created. If \emph{in\_data} is non-null, a checksum of it will be included in the authenticator contained in the KRB\_AP\_REQ message. Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. -\end{quote} - -On successful return, the authenticator is stored in \emph{auth\_context} with the \emph{client} and \emph{checksum} fields nulled out. (This is to prevent pointer-sharing problems; the caller should not need these fields anyway, since the caller supplied them.) - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_mk_req:c.krb5_mk_req]{\code{krb5\_mk\_req()}}} - - - - -\subsubsection{krb5\_mk\_safe - Format a KRB-SAFE message.} -\label{appdev/refs/api/krb5_mk_safe:krb5-mk-safe-format-a-krb-safe-message}\label{appdev/refs/api/krb5_mk_safe::doc}\index{krb5\_mk\_safe (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_mk_safe:c.krb5_mk_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_mk\_safe}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ userdata}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{userdata} - User data in the message - -\textbf{{[}out{]}} \textbf{outbuf} - Formatted \textbf{KRB-SAFE} buffer - -\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function creates an integrity protected \textbf{KRB-SAFE} message using data supplied by the application. - -Fields in \emph{auth\_context} specify the checksum type, the keyblock that can be used to seed the checksum, full addresses (host and port) for the sender and receiver, and \code{KRB5\_AUTH\_CONTEXT} flags. - -The local address in \emph{auth\_context} must be set, and is used to form the sender address used in the KRB-SAFE message. The remote address is optional; if specified, it will be used to form the receiver address used in the message. - -If {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in the \emph{auth\_context} , an entry describing the message is entered in the replay cache \emph{auth\_context-\textgreater{}rcache} which enables the caller to detect if this message is reflected by an attacker. If {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} is not set, the replay cache is not used. - -If either {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} is set, the \emph{auth\_context} local sequence number will be placed in \emph{outdata} as its sequence number. - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. - -\begin{notice}{note}{Note:} -The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} . -\end{notice} - - -\subsubsection{krb5\_os\_localaddr - Return all interface addresses for this host.} -\label{appdev/refs/api/krb5_os_localaddr:krb5-os-localaddr-return-all-interface-addresses-for-this-host}\label{appdev/refs/api/krb5_os_localaddr::doc}\index{krb5\_os\_localaddr (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_os_localaddr:c.krb5_os_localaddr}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_os\_localaddr}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ***\emph{ addr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{addr} - Array of krb5\_address pointers, ending with NULL - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_addresses:c.krb5_free_addresses]{\code{krb5\_free\_addresses()}}} to free \emph{addr} when it is no longer needed. - - -\subsubsection{krb5\_pac\_add\_buffer - Add a buffer to a PAC handle.} -\label{appdev/refs/api/krb5_pac_add_buffer:krb5-pac-add-buffer-add-a-buffer-to-a-pac-handle}\label{appdev/refs/api/krb5_pac_add_buffer::doc}\index{krb5\_pac\_add\_buffer (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_add_buffer:c.krb5_pac_add_buffer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_add\_buffer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}}\emph{ type}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC handle - -\textbf{{[}in{]}} \textbf{type} - Buffer type - -\textbf{{[}in{]}} \textbf{data} - contents - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function adds a buffer of type \emph{type} and contents \emph{data} to \emph{pac} if there isn't already a buffer of this type present. - -The valid values of \emph{type} is one of the following: -\begin{itemize} -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_LOGON_INFO:KRB5_PAC_LOGON_INFO]{\code{KRB5\_PAC\_LOGON\_INFO}}} - Logon information - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:KRB5_PAC_CREDENTIALS_INFO]{\code{KRB5\_PAC\_CREDENTIALS\_INFO}}} - Credentials information - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:KRB5_PAC_SERVER_CHECKSUM]{\code{KRB5\_PAC\_SERVER\_CHECKSUM}}} - Server checksum - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:KRB5_PAC_PRIVSVR_CHECKSUM]{\code{KRB5\_PAC\_PRIVSVR\_CHECKSUM}}} - KDC checksum - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_CLIENT_INFO:KRB5_PAC_CLIENT_INFO]{\code{KRB5\_PAC\_CLIENT\_INFO}}} - Client name and ticket information - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:KRB5_PAC_DELEGATION_INFO]{\code{KRB5\_PAC\_DELEGATION\_INFO}}} - Constrained delegation information - -\item {} -{\hyperref[appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:KRB5_PAC_UPN_DNS_INFO]{\code{KRB5\_PAC\_UPN\_DNS\_INFO}}} - User principal name and DNS information - -\end{itemize} - - -\subsubsection{krb5\_pac\_free - Free a PAC handle.} -\label{appdev/refs/api/krb5_pac_free:krb5-pac-free-free-a-pac-handle}\label{appdev/refs/api/krb5_pac_free::doc}\index{krb5\_pac\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_free:c.krb5_pac_free}\pysiglinewithargsret{void \bfcode{krb5\_pac\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{pac} and the structure itself. - - -\subsubsection{krb5\_pac\_get\_buffer - Retrieve a buffer value from a PAC.} -\label{appdev/refs/api/krb5_pac_get_buffer::doc}\label{appdev/refs/api/krb5_pac_get_buffer:krb5-pac-get-buffer-retrieve-a-buffer-value-from-a-pac}\index{krb5\_pac\_get\_buffer (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_get_buffer:c.krb5_pac_get_buffer}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_get\_buffer}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC handle - -\textbf{{[}in{]}} \textbf{type} - Type of buffer to retrieve - -\textbf{{[}out{]}} \textbf{data} - Buffer value - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. - - -\subsubsection{krb5\_pac\_get\_types - Return an array of buffer types in a PAC handle.} -\label{appdev/refs/api/krb5_pac_get_types:krb5-pac-get-types-return-an-array-of-buffer-types-in-a-pac-handle}\label{appdev/refs/api/krb5_pac_get_types::doc}\index{krb5\_pac\_get\_types (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_get_types:c.krb5_pac_get_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_get\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, size\_t *\emph{ len}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} **\emph{ types}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC handle - -\textbf{{[}out{]}} \textbf{len} - Number of entries in \emph{types} - -\textbf{{[}out{]}} \textbf{types} - Array of buffer types - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_pac\_init - Create an empty Privilege Attribute Certificate (PAC) handle.} -\label{appdev/refs/api/krb5_pac_init:krb5-pac-init-create-an-empty-privilege-attribute-certificate-pac-handle}\label{appdev/refs/api/krb5_pac_init::doc}\index{krb5\_pac\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_init:c.krb5_pac_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}} *\emph{ pac}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{pac} - New PAC handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_pac_free:c.krb5_pac_free]{\code{krb5\_pac\_free()}}} to free \emph{pac} when it is no longer needed. - - -\subsubsection{krb5\_pac\_parse - Unparse an encoded PAC into a new handle.} -\label{appdev/refs/api/krb5_pac_parse:krb5-pac-parse-unparse-an-encoded-pac-into-a-new-handle}\label{appdev/refs/api/krb5_pac_parse::doc}\index{krb5\_pac\_parse (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_parse:c.krb5_pac_parse}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_parse}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const void *\emph{ ptr}, size\_t\emph{ len}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}} *\emph{ pac}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ptr} - PAC buffer - -\textbf{{[}in{]}} \textbf{len} - Length of \emph{ptr} - -\textbf{{[}out{]}} \textbf{pac} - PAC handle - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_pac_free:c.krb5_pac_free]{\code{krb5\_pac\_free()}}} to free \emph{pac} when it is no longer needed. - - -\subsubsection{krb5\_pac\_sign - Sign a PAC.} -\label{appdev/refs/api/krb5_pac_sign:krb5-pac-sign-sign-a-pac}\label{appdev/refs/api/krb5_pac_sign::doc}\index{krb5\_pac\_sign (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_sign:c.krb5_pac_sign}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_sign}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ authtime}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ server\_key}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ privsvr\_key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC handle - -\textbf{{[}in{]}} \textbf{authtime} - Expected timestamp - -\textbf{{[}in{]}} \textbf{principal} - Expected principal name (or NULL) - -\textbf{{[}in{]}} \textbf{server\_key} - Key for server checksum - -\textbf{{[}in{]}} \textbf{privsvr\_key} - Key for KDC checksum - -\textbf{{[}out{]}} \textbf{data} - Signed PAC encoding - -\end{description}\end{quote} - -This function signs \emph{pac} using the keys \emph{server\_key} and \emph{privsvr\_key} and returns the signed encoding in \emph{data} . \emph{pac} is modified to include the server and KDC checksum buffers. Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{data} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.10 -\end{notice} - - -\subsubsection{krb5\_pac\_verify - Verify a PAC.} -\label{appdev/refs/api/krb5_pac_verify::doc}\label{appdev/refs/api/krb5_pac_verify:krb5-pac-verify-verify-a-pac}\index{krb5\_pac\_verify (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_pac_verify:c.krb5_pac_verify}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_pac\_verify}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_pac:c.krb5_pac]{krb5\_pac}}\emph{ pac}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ authtime}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ principal}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ server}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ privsvr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pac} - PAC handle - -\textbf{{[}in{]}} \textbf{authtime} - Expected timestamp - -\textbf{{[}in{]}} \textbf{principal} - Expected principal name (or NULL) - -\textbf{{[}in{]}} \textbf{server} - Key to validate server checksum (or NULL) - -\textbf{{[}in{]}} \textbf{privsvr} - Key to validate KDC checksum (or NULL) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function validates \emph{pac} against the supplied \emph{server} , \emph{privsvr} , \emph{principal} and \emph{authtime} . If \emph{principal} is NULL, the principal and authtime are not verified. If \emph{server} or \emph{privsvr} is NULL, the corresponding checksum is not verified. - -If successful, \emph{pac} is marked as verified. - -\begin{notice}{note}{Note:} -A checksum mismatch can occur if the PAC was copied from a cross-realm TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of 10.6) generates PACs with no server checksum at all. One should consider not failing the whole authentication because of this reason, but, instead, treating the ticket as if it did not contain a PAC or marking the PAC information as non-verified. -\end{notice} - - -\subsubsection{krb5\_prepend\_error\_message - Add a prefix to the message for an error code.} -\label{appdev/refs/api/krb5_prepend_error_message:krb5-prepend-error-message-add-a-prefix-to-the-message-for-an-error-code}\label{appdev/refs/api/krb5_prepend_error_message::doc}\index{krb5\_prepend\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_prepend_error_message:c.krb5_prepend_error_message}\pysiglinewithargsret{void \bfcode{krb5\_prepend\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix - -\end{description}\end{quote} - -Format a message and prepend it to the current message for \emph{code} . The prefix will be separated from the old message with a colon and space. - - -\subsubsection{krb5\_principal2salt - Convert a principal name into the default salt for that principal.} -\label{appdev/refs/api/krb5_principal2salt:krb5-principal2salt-convert-a-principal-name-into-the-default-salt-for-that-principal}\label{appdev/refs/api/krb5_principal2salt::doc}\index{krb5\_principal2salt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_principal2salt:c.krb5_principal2salt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_principal2salt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ pr}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ ret}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{pr} - Principal name - -\textbf{{[}out{]}} \textbf{ret} - Default salt for \emph{pr} to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_rd\_cred - Read and validate a KRB-CRED message.} -\label{appdev/refs/api/krb5_rd_cred:krb5-rd-cred-read-and-validate-a-krb-cred-message}\label{appdev/refs/api/krb5_rd_cred::doc}\index{krb5\_rd\_cred (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_cred:c.krb5_rd_cred}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_cred}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ pcreddata}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} ***\emph{ pppcreds}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{pcreddata} - \textbf{KRB-CRED} message - -\textbf{{[}out{]}} \textbf{pppcreds} - Null-terminated array of forwarded credentials - -\textbf{{[}out{]}} \textbf{outdata} - Replay data (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} -\begin{quote} - -\emph{pcreddata} will be decrypted using the receiving subkey if it is present in \emph{auth\_context} , or the session key if the receiving subkey is not present or fails to decrypt the message. -\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_tgt_creds:c.krb5_free_tgt_creds]{\code{krb5\_free\_tgt\_creds()}}} to free \emph{pppcreds} when it is no longer needed. - -\begin{notice}{note}{Note:} -The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} .{}` -\end{notice} - - -\subsubsection{krb5\_rd\_error - Decode a KRB-ERROR message.} -\label{appdev/refs/api/krb5_rd_error:krb5-rd-error-decode-a-krb-error-message}\label{appdev/refs/api/krb5_rd_error::doc}\index{krb5\_rd\_error (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_error:c.krb5_rd_error}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_error}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ enc\_errbuf}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ dec\_error}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enc\_errbuf} - Encoded error message - -\textbf{{[}out{]}} \textbf{dec\_error} - Decoded error message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function processes \textbf{KRB-ERROR} message \emph{enc\_errbuf} and returns an allocated structure \emph{dec\_error} containing the error message. Use {\hyperref[appdev/refs/api/krb5_free_error:c.krb5_free_error]{\code{krb5\_free\_error()}}} to free \emph{dec\_error} when it is no longer needed. - - -\subsubsection{krb5\_rd\_priv - Process a KRB-PRIV message.} -\label{appdev/refs/api/krb5_rd_priv:krb5-rd-priv-process-a-krb-priv-message}\label{appdev/refs/api/krb5_rd_priv::doc}\index{krb5\_rd\_priv (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_priv}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication structure - -\textbf{{[}in{]}} \textbf{inbuf} - \textbf{KRB-PRIV} message to be parsed - -\textbf{{[}out{]}} \textbf{outbuf} - Data parsed from \textbf{KRB-PRIV} message - -\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function parses a \textbf{KRB-PRIV} message, verifies its integrity, and stores its unencrypted data into \emph{outbuf} . - -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag is set in \emph{auth\_context} , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of \emph{auth\_context} . Otherwise, the sequence number is not used. - -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in \emph{auth\_context} , then two additional checks are performed: -\begin{itemize} -\item {} -The timestamp in the message must be within the permitted clock skew (which is usually five minutes). - -\item {} -The message must not be a replayed message field in \emph{auth\_context} . - -\end{itemize} - -\begin{notice}{note}{Note:} -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in \emph{auth\_context} , \emph{outdata} is required. - -\emph{auth\_context} must have a remote address set. This address will be used to verify the sender address in the KRB-PRIV message. If \emph{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB-PRIV message if the message contains one. Both addresses must use type \textbf{ADDRTYPE\_ADDRPORT} . -\end{notice} - - -\subsubsection{krb5\_rd\_rep - Parse and decrypt a KRB\_AP\_REP message.} -\label{appdev/refs/api/krb5_rd_rep::doc}\label{appdev/refs/api/krb5_rd_rep:krb5-rd-rep-parse-and-decrypt-a-krb-ap-rep-message}\index{krb5\_rd\_rep (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_rep:c.krb5_rd_rep}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_rep}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} **\emph{ repl}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{inbuf} - AP-REP message - -\textbf{{[}out{]}} \textbf{repl} - Decrypted reply message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function parses, decrypts and verifies a message from \emph{inbuf} and fills in \emph{repl} with a pointer to allocated memory containing the fields from the encrypted response. - -Use {\hyperref[appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part]{\code{krb5\_free\_ap\_rep\_enc\_part()}}} to free \emph{repl} when it is no longer needed. - - -\subsubsection{krb5\_rd\_rep\_dce - Parse and decrypt a KRB\_AP\_REP message for DCE RPC.} -\label{appdev/refs/api/krb5_rd_rep_dce::doc}\label{appdev/refs/api/krb5_rd_rep_dce:krb5-rd-rep-dce-parse-and-decrypt-a-krb-ap-rep-message-for-dce-rpc}\index{krb5\_rd\_rep\_dce (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_rep_dce:c.krb5_rd_rep_dce}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_rep\_dce}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} *\emph{ nonce}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{inbuf} - AP-REP message - -\textbf{{[}out{]}} \textbf{nonce} - Sequence number from the decrypted reply - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function parses, decrypts and verifies a message from \emph{inbuf} and fills in \emph{nonce} with a decrypted reply sequence number. - - -\subsubsection{krb5\_rd\_req - Parse and decrypt a KRB\_AP\_REQ message.} -\label{appdev/refs/api/krb5_rd_req::doc}\label{appdev/refs/api/krb5_rd_req:krb5-rd-req-parse-and-decrypt-a-krb-ap-req-message}\index{krb5\_rd\_req (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_req:c.krb5_rd_req}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_req}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_const_principal:c.krb5_const_principal]{krb5\_const\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} *\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{inbuf} - AP-REQ message to be parsed - -\textbf{{[}in{]}} \textbf{server} - Matching principal for server, or NULL to allow any principal in keytab - -\textbf{{[}in{]}} \textbf{keytab} - Key table, or NULL to use the default - -\textbf{{[}out{]}} \textbf{ap\_req\_options} - If non-null, the AP-REQ flags on output - -\textbf{{[}out{]}} \textbf{ticket} - If non-null, ticket from the AP-REQ message - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function parses, decrypts and verifies a AP-REQ message from \emph{inbuf} and stores the authenticator in \emph{auth\_context} . - -If a keyblock was specified in \emph{auth\_context} using {\hyperref[appdev/refs/api/krb5_auth_con_setuseruserkey:c.krb5_auth_con_setuseruserkey]{\code{krb5\_auth\_con\_setuseruserkey()}}} , that key is used to decrypt the ticket in AP-REQ message and \emph{keytab} is ignored. In this case, \emph{server} should be specified as a complete principal name to allow for proper transited-path checking and replay cache selection. - -Otherwise, the decryption key is obtained from \emph{keytab} , or from the default keytab if it is NULL. In this case, \emph{server} may be a complete principal name, a matching principal (see {\hyperref[appdev/refs/api/krb5_sname_match:c.krb5_sname_match]{\code{krb5\_sname\_match()}}} ), or NULL to match any principal name. The keys tried against the encrypted part of the ticket are determined as follows: -\begin{itemize} -\item {} -If \emph{server} is a complete principal name, then its entry in \emph{keytab} is tried. - -\item {} -Otherwise, if \emph{keytab} is iterable, then all entries in \emph{keytab} which match \emph{server} are tried. - -\item {} -Otherwise, the server principal in the ticket must match \emph{server} , and its entry in \emph{keytab} is tried. - -\end{itemize} - -The client specified in the decrypted authenticator must match the client specified in the decrypted ticket. - -If the \emph{remote\_addr} field of \emph{auth\_context} is set, the request must come from that address. - -If a replay cache handle is provided in the \emph{auth\_context} , the authenticator and ticket are verified against it. If no conflict is found, the new authenticator is then stored in the replay cache of \emph{auth\_context} . - -Various other checks are performed on the decoded data, including cross-realm policy, clockskew, and ticket validation times. - -On success the authenticator, subkey, and remote sequence number of the request are stored in \emph{auth\_context} . If the {\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} bit is set, the local sequence number is XORed with the remote sequence number in the request. - -Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{ticket} when it is no longer needed. - - -\subsubsection{krb5\_rd\_safe - Process KRB-SAFE message.} -\label{appdev/refs/api/krb5_rd_safe:krb5-rd-safe-process-krb-safe-message}\label{appdev/refs/api/krb5_rd_safe::doc}\index{krb5\_rd\_safe (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_rd_safe:c.krb5_rd_safe}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_rd\_safe}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ inbuf}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ outbuf}, {\hyperref[appdev/refs/types/krb5_replay_data:c.krb5_replay_data]{krb5\_replay\_data}} *\emph{ outdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{auth\_context} - Authentication context - -\textbf{{[}in{]}} \textbf{inbuf} - \textbf{KRB-SAFE} message to be parsed - -\textbf{{[}out{]}} \textbf{outbuf} - Data parsed from \textbf{KRB-SAFE} message - -\textbf{{[}out{]}} \textbf{outdata} - Replay data. Specify NULL if not needed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function parses a \textbf{KRB-SAFE} message, verifies its integrity, and stores its data into \emph{outbuf} . - -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}}} flag is set in \emph{auth\_context} , the sequence number of the KRB-SAFE message is checked against the remote sequence number field of \emph{auth\_context} . Otherwise, the sequence number is not used. - -If the {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME]{\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME}}} flag is set in \emph{auth\_context} , then two additional checks are performed: -\begin{quote} -\begin{itemize} -\item {} -The timestamp in the message must be within the permitted clock skew (which is usually five minutes). - -\item {} -The message must not be a replayed message field in \emph{auth\_context} . - -\end{itemize} - -Use {\hyperref[appdev/refs/api/krb5_free_data_contents:c.krb5_free_data_contents]{\code{krb5\_free\_data\_contents()}}} to free \emph{outbuf} when it is no longer needed. -\end{quote} - -\begin{notice}{note}{Note:} -The \emph{outdata} argument is required if {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME]{\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME}}} or {\hyperref[appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE]{\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}}} flag is set in the \emph{auth\_context} . - -\emph{auth\_context} must have a remote address set. This address will be used to verify the sender address in the KRB-SAFE message. If \emph{auth\_context} has a local address set, it will be used to verify the receiver address in the KRB-SAFE message if the message contains one. Both addresses must use type \textbf{ADDRTYPE\_ADDRPORT} . -\end{notice} - - -\subsubsection{krb5\_read\_password - Read a password from keyboard input.} -\label{appdev/refs/api/krb5_read_password:krb5-read-password-read-a-password-from-keyboard-input}\label{appdev/refs/api/krb5_read_password::doc}\index{krb5\_read\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_read_password:c.krb5_read_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_read\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const char *\emph{ prompt}, const char *\emph{ prompt2}, char *\emph{ return\_pwd}, unsigned int *\emph{ size\_return}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{prompt} - First user prompt when reading password - -\textbf{{[}in{]}} \textbf{prompt2} - Second user prompt (NULL to prompt only once) - -\textbf{{[}out{]}} \textbf{return\_pwd} - Returned password - -\textbf{{[}inout{]}} \textbf{size\_return} - On input, maximum size of password; on output, size of password read - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Error in reading or verifying the password Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function reads a password from keyboard input and stores it in \emph{return\_pwd} . \emph{size\_return} should be set by the caller to the amount of storage space available in \emph{return\_pwd} ; on successful return, it will be set to the length of the password read. -\begin{quote} - -\emph{prompt} is printed to the terminal, followed by'':'', and then a password is read from the keyboard. -\end{quote} - -If \emph{prompt2} is NULL, the password is read only once. Otherwise, \emph{prompt2} is printed to the terminal and a second password is read. If the two passwords entered are not identical, KRB5\_LIBOS\_BADPWDMATCH is returned. - -Echoing is turned off when the password is read. - - -\subsubsection{krb5\_salttype\_to\_string - Convert a salt type to a string.} -\label{appdev/refs/api/krb5_salttype_to_string::doc}\label{appdev/refs/api/krb5_salttype_to_string:krb5-salttype-to-string-convert-a-salt-type-to-a-string}\index{krb5\_salttype\_to\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_salttype_to_string:c.krb5_salttype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_salttype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ salttype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{salttype} - Salttype to convert - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to receive the converted string - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_server\_decrypt\_ticket\_keytab - Decrypt a ticket using the specified key table.} -\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab:krb5-server-decrypt-ticket-keytab-decrypt-a-ticket-using-the-specified-key-table}\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab::doc}\index{krb5\_server\_decrypt\_ticket\_keytab (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_server_decrypt_ticket_keytab:c.krb5_server_decrypt_ticket_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_server\_decrypt\_ticket\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ kt}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} *\emph{ ticket}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{kt} - Key table - -\textbf{{[}in{]}} \textbf{ticket} - Ticket to be decrypted - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function takes a \emph{ticket} as input and decrypts it using key data from \emph{kt} . The result is placed into \emph{ticket-\textgreater{}enc\_part2} . - - -\subsubsection{krb5\_set\_default\_tgs\_enctypes - Set default TGS encryption types in a krb5\_context structure.} -\label{appdev/refs/api/krb5_set_default_tgs_enctypes::doc}\label{appdev/refs/api/krb5_set_default_tgs_enctypes:krb5-set-default-tgs-enctypes-set-default-tgs-encryption-types-in-a-krb5-context-structure}\index{krb5\_set\_default\_tgs\_enctypes (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_default_tgs_enctypes:c.krb5_set_default_tgs_enctypes}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_default\_tgs\_enctypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ etypes}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{etypes} - Encryption type(s) to set - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\item {} -KRB5\_PROG\_ETYPE\_NOSUPP Program lacks support for encryption type - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the default enctype list for TGS requests made using \emph{context} to \emph{etypes} . - -\begin{notice}{note}{Note:} -This overrides the default list (from config file or built-in). -\end{notice} - - -\subsubsection{krb5\_set\_error\_message - Set an extended error message for an error code.} -\label{appdev/refs/api/krb5_set_error_message::doc}\label{appdev/refs/api/krb5_set_error_message:krb5-set-error-message-set-an-extended-error-message-for-an-error-code}\index{krb5\_set\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_error_message:c.krb5_set_error_message}\pysiglinewithargsret{void \bfcode{krb5\_set\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Error string for the error code - -\end{description}\end{quote} - - -\subsubsection{krb5\_set\_kdc\_recv\_hook - Set a KDC post-receive hook function.} -\label{appdev/refs/api/krb5_set_kdc_recv_hook::doc}\label{appdev/refs/api/krb5_set_kdc_recv_hook:krb5-set-kdc-recv-hook-set-a-kdc-post-receive-hook-function}\index{krb5\_set\_kdc\_recv\_hook (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_kdc_recv_hook:c.krb5_set_kdc_recv_hook}\pysiglinewithargsret{void \bfcode{krb5\_set\_kdc\_recv\_hook}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn]{krb5\_post\_recv\_fn}}\emph{ recv\_hook}, void *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - The library context. - -\textbf{{[}in{]}} \textbf{recv\_hook} - Hook function (or NULL to disable the hook) - -\textbf{{[}in{]}} \textbf{data} - Callback data to be passed to \emph{recv\_hook} - -\end{description}\end{quote} -\begin{quote} - -\emph{recv\_hook} will be called after a reply is received from a KDC during a call to a library function such as {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} . The hook function may inspect or override the reply. This hook will not be executed if the pre-send hook returns a synthetic reply. -\end{quote} - -\begin{notice}{note}{Note:} -New in 1.15 -\end{notice} - - -\subsubsection{krb5\_set\_kdc\_send\_hook - Set a KDC pre-send hook function.} -\label{appdev/refs/api/krb5_set_kdc_send_hook:krb5-set-kdc-send-hook-set-a-kdc-pre-send-hook-function}\label{appdev/refs/api/krb5_set_kdc_send_hook::doc}\index{krb5\_set\_kdc\_send\_hook (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_kdc_send_hook:c.krb5_set_kdc_send_hook}\pysiglinewithargsret{void \bfcode{krb5\_set\_kdc\_send\_hook}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn]{krb5\_pre\_send\_fn}}\emph{ send\_hook}, void *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{send\_hook} - Hook function (or NULL to disable the hook) - -\textbf{{[}in{]}} \textbf{data} - Callback data to be passed to \emph{send\_hook} - -\end{description}\end{quote} -\begin{quote} - -\emph{send\_hook} will be called before messages are sent to KDCs by library functions such as {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} . The hook function may inspect, override, or synthesize its own reply to the message. -\end{quote} - -\begin{notice}{note}{Note:} -New in 1.15 -\end{notice} - - -\subsubsection{krb5\_set\_real\_time - Set time offset field in a krb5\_context structure.} -\label{appdev/refs/api/krb5_set_real_time::doc}\label{appdev/refs/api/krb5_set_real_time:krb5-set-real-time-set-time-offset-field-in-a-krb5-context-structure}\index{krb5\_set\_real\_time (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_set_real_time:c.krb5_set_real_time}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_set\_real\_time}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ seconds}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ microseconds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{seconds} - Real time, seconds portion - -\textbf{{[}in{]}} \textbf{microseconds} - Real time, microseconds portion - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function sets the time offset in \emph{context} to the difference between the system time and the real time as determined by \emph{seconds} and \emph{microseconds} . - - -\subsubsection{krb5\_string\_to\_cksumtype - Convert a string to a checksum type.} -\label{appdev/refs/api/krb5_string_to_cksumtype:krb5-string-to-cksumtype-convert-a-string-to-a-checksum-type}\label{appdev/refs/api/krb5_string_to_cksumtype::doc}\index{krb5\_string\_to\_cksumtype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_cksumtype:c.krb5_string_to_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_cksumtype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} *\emph{ cksumtypep}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{string} - String to be converted - -\textbf{{[}out{]}} \textbf{cksumtypep} - Checksum type to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - EINVAL - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_string\_to\_deltat - Convert a string to a delta time value.} -\label{appdev/refs/api/krb5_string_to_deltat::doc}\label{appdev/refs/api/krb5_string_to_deltat:krb5-string-to-deltat-convert-a-string-to-a-delta-time-value}\index{krb5\_string\_to\_deltat (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_deltat:c.krb5_string_to_deltat}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_deltat}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} *\emph{ deltatp}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{string} - String to be converted - -\textbf{{[}out{]}} \textbf{deltatp} - Delta time to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - KRB5\_DELTAT\_BADFORMAT - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_string\_to\_enctype - Convert a string to an encryption type.} -\label{appdev/refs/api/krb5_string_to_enctype::doc}\label{appdev/refs/api/krb5_string_to_enctype:krb5-string-to-enctype-convert-a-string-to-an-encryption-type}\index{krb5\_string\_to\_enctype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_enctype:c.krb5_string_to_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_enctype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ enctypep}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{string} - String to convert to an encryption type - -\textbf{{[}out{]}} \textbf{enctypep} - Encryption type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - EINVAL - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_string\_to\_salttype - Convert a string to a salt type.} -\label{appdev/refs/api/krb5_string_to_salttype:krb5-string-to-salttype-convert-a-string-to-a-salt-type}\label{appdev/refs/api/krb5_string_to_salttype::doc}\index{krb5\_string\_to\_salttype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_salttype:c.krb5_string_to_salttype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_salttype}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} *\emph{ salttypep}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{string} - String to convert to an encryption type - -\textbf{{[}out{]}} \textbf{salttypep} - Salt type to be filled in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - EINVAL - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_string\_to\_timestamp - Convert a string to a timestamp.} -\label{appdev/refs/api/krb5_string_to_timestamp::doc}\label{appdev/refs/api/krb5_string_to_timestamp:krb5-string-to-timestamp-convert-a-string-to-a-timestamp}\index{krb5\_string\_to\_timestamp (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_timestamp:c.krb5_string_to_timestamp}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_timestamp}}{char *\emph{ string}, {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ timestampp}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{string} - String to be converted - -\textbf{{[}out{]}} \textbf{timestampp} - Pointer to timestamp - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - EINVAL - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_timeofday - Retrieve the current time with context specific time offset adjustment.} -\label{appdev/refs/api/krb5_timeofday:krb5-timeofday-retrieve-the-current-time-with-context-specific-time-offset-adjustment}\label{appdev/refs/api/krb5_timeofday::doc}\index{krb5\_timeofday (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_timeofday:c.krb5_timeofday}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timeofday}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} *\emph{ timeret}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{timeret} - Timestamp to fill in - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success - -\end{itemize} - -\item[{return}] \leavevmode\begin{itemize} -\item {} -Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function retrieves the system time of day with the context specific time offset adjustment. - - -\subsubsection{krb5\_timestamp\_to\_sfstring - Convert a timestamp to a string, with optional output padding.} -\label{appdev/refs/api/krb5_timestamp_to_sfstring:krb5-timestamp-to-sfstring-convert-a-timestamp-to-a-string-with-optional-output-padding}\label{appdev/refs/api/krb5_timestamp_to_sfstring::doc}\index{krb5\_timestamp\_to\_sfstring (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_timestamp_to_sfstring:c.krb5_timestamp_to_sfstring}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timestamp\_to\_sfstring}}{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ timestamp}, char *\emph{ buffer}, size\_t\emph{ buflen}, char *\emph{ pad}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{timestamp} - Timestamp to convert - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold the converted timestamp - -\textbf{{[}in{]}} \textbf{buflen} - Length of buffer - -\textbf{{[}in{]}} \textbf{pad} - Optional value to pad \emph{buffer} if converted timestamp does not fill it - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If \emph{pad} is not NULL, \emph{buffer} is padded out to \emph{buflen} - 1 characters with the value of * \emph{pad} . - - -\subsubsection{krb5\_timestamp\_to\_string - Convert a timestamp to a string.} -\label{appdev/refs/api/krb5_timestamp_to_string::doc}\label{appdev/refs/api/krb5_timestamp_to_string:krb5-timestamp-to-string-convert-a-timestamp-to-a-string}\index{krb5\_timestamp\_to\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_timestamp_to_string:c.krb5_timestamp_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_timestamp\_to\_string}}{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}}\emph{ timestamp}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{timestamp} - Timestamp to convert - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold converted timestamp - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The string is returned in the locale's appropriate date and time representation. - - -\subsubsection{krb5\_tkt\_creds\_free - Free a TGS request context.} -\label{appdev/refs/api/krb5_tkt_creds_free::doc}\label{appdev/refs/api/krb5_tkt_creds_free:krb5-tkt-creds-free-free-a-tgs-request-context}\index{krb5\_tkt\_creds\_free (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_free:c.krb5_tkt_creds_free}\pysiglinewithargsret{void \bfcode{krb5\_tkt\_creds\_free}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - TGS request context - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_tkt\_creds\_get - Synchronously obtain credentials using a TGS request context.} -\label{appdev/refs/api/krb5_tkt_creds_get:krb5-tkt-creds-get-synchronously-obtain-credentials-using-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get::doc}\index{krb5\_tkt\_creds\_get (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - TGS request context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function synchronously obtains credentials using a context created by {\hyperref[appdev/refs/api/krb5_tkt_creds_init:c.krb5_tkt_creds_init]{\code{krb5\_tkt\_creds\_init()}}} . On successful return, the credentials can be retrieved with {\hyperref[appdev/refs/api/krb5_tkt_creds_get_creds:c.krb5_tkt_creds_get_creds]{\code{krb5\_tkt\_creds\_get\_creds()}}} . - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_tkt\_creds\_get\_creds - Retrieve acquired credentials from a TGS request context.} -\label{appdev/refs/api/krb5_tkt_creds_get_creds:krb5-tkt-creds-get-creds-retrieve-acquired-credentials-from-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get_creds::doc}\index{krb5\_tkt\_creds\_get\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get_creds:c.krb5_tkt_creds_get_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - TGS request context - -\textbf{{[}out{]}} \textbf{creds} - Acquired credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function copies the acquired initial credentials from \emph{ctx} into \emph{creds} , after the successful completion of {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} . Use {\hyperref[appdev/refs/api/krb5_free_cred_contents:c.krb5_free_cred_contents]{\code{krb5\_free\_cred\_contents()}}} to free \emph{creds} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_tkt\_creds\_get\_times - Retrieve ticket times from a TGS request context.} -\label{appdev/refs/api/krb5_tkt_creds_get_times:krb5-tkt-creds-get-times-retrieve-ticket-times-from-a-tgs-request-context}\label{appdev/refs/api/krb5_tkt_creds_get_times::doc}\index{krb5\_tkt\_creds\_get\_times (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_get_times:c.krb5_tkt_creds_get_times}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_get\_times}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} *\emph{ times}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - TGS request context - -\textbf{{[}out{]}} \textbf{times} - Ticket times for acquired credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The TGS request context must have completed obtaining credentials via either {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} or {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} . - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_tkt\_creds\_init - Create a context to get credentials from a KDC's Ticket Granting Service.} -\label{appdev/refs/api/krb5_tkt_creds_init:krb5-tkt-creds-init-create-a-context-to-get-credentials-from-a-kdc-s-ticket-granting-service}\label{appdev/refs/api/krb5_tkt_creds_init::doc}\index{krb5\_tkt\_creds\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_init:c.krb5_tkt_creds_init}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_init}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}} *\emph{ ctx}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache handle - -\textbf{{[}in{]}} \textbf{creds} - Input credentials - -\textbf{{[}in{]}} \textbf{options} - \code{KRB5\_GC} options for this request. - -\textbf{{[}out{]}} \textbf{ctx} - New TGS request context - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function prepares to obtain credentials matching \emph{creds} , either by retrieving them from \emph{ccache} or by making requests to ticket-granting services beginning with a ticket-granting ticket for the client principal's realm. - -The resulting TGS acquisition context can be used asynchronously with {\hyperref[appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step]{\code{krb5\_tkt\_creds\_step()}}} or synchronously with {\hyperref[appdev/refs/api/krb5_tkt_creds_get:c.krb5_tkt_creds_get]{\code{krb5\_tkt\_creds\_get()}}} . See also {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} for synchronous use. - -Use {\hyperref[appdev/refs/api/krb5_tkt_creds_free:c.krb5_tkt_creds_free]{\code{krb5\_tkt\_creds\_free()}}} to free \emph{ctx} when it is no longer needed. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_tkt\_creds\_step - Get the next KDC request in a TGS exchange.} -\label{appdev/refs/api/krb5_tkt_creds_step:krb5-tkt-creds-step-get-the-next-kdc-request-in-a-tgs-exchange}\label{appdev/refs/api/krb5_tkt_creds_step::doc}\index{krb5\_tkt\_creds\_step (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_tkt_creds_step:c.krb5_tkt_creds_step}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_tkt\_creds\_step}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context]{krb5\_tkt\_creds\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ out}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ realm}, unsigned int *\emph{ flags}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{ctx} - TGS request context - -\textbf{{[}in{]}} \textbf{in} - KDC response (empty on the first call) - -\textbf{{[}out{]}} \textbf{out} - Next KDC request - -\textbf{{[}out{]}} \textbf{realm} - Realm for next KDC request - -\textbf{{[}out{]}} \textbf{flags} - Output flags - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function constructs the next KDC request for a TGS exchange, allowing the caller to control the transport of KDC requests and replies. On the first call, \emph{in} should be set to an empty buffer; on subsequent calls, it should be set to the KDC's reply to the previous request. - -If more requests are needed, \emph{flags} will be set to {\hyperref[appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and the next request will be placed in \emph{out} . If no more requests are needed, \emph{flags} will not contain {\hyperref[appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE]{\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}}} and \emph{out} will be empty. - -If this function returns \textbf{KRB5KRB\_ERR\_RESPONSE\_TOO\_BIG} , the caller should transmit the next request using TCP rather than UDP. If this function returns any other error, the TGS exchange has failed. - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_verify\_init\_creds - Verify initial credentials against a keytab.} -\label{appdev/refs/api/krb5_verify_init_creds:krb5-verify-init-creds-verify-initial-credentials-against-a-keytab}\label{appdev/refs/api/krb5_verify_init_creds::doc}\index{krb5\_verify\_init\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_init\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ options}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{creds} - Initial credentials to be verified - -\textbf{{[}in{]}} \textbf{server} - Server principal (or NULL) - -\textbf{{[}in{]}} \textbf{keytab} - Key table (NULL to use default keytab) - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache for fetched creds (or NULL) - -\textbf{{[}in{]}} \textbf{options} - Verification options (NULL for default options) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function attempts to verify that \emph{creds} were obtained from a KDC with knowledge of a key in \emph{keytab} , or the default keytab if \emph{keytab} is NULL. If \emph{server} is provided, the highest-kvno key entry for that principal name is used to verify the credentials; otherwise, all unique''host''service principals in the keytab are tried. - -If the specified keytab does not exist, or is empty, or cannot be read, or does not contain an entry for \emph{server} , then credential verification may be skipped unless configuration demands that it succeed. The caller can control this behavior by providing a verification options structure; see {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init]{\code{krb5\_verify\_init\_creds\_opt\_init()}}} and {\hyperref[appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail]{\code{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail()}}} . - -If \emph{ccache} is NULL, any additional credentials fetched during the verification process will be destroyed. If \emph{ccache} points to NULL, a memory ccache will be created for the additional credentials and returned in \emph{ccache} . If \emph{ccache} points to a valid credential cache handle, the additional credentials will be stored in that cache. - - -\subsubsection{krb5\_verify\_init\_creds\_opt\_init - Initialize a credential verification options structure.} -\label{appdev/refs/api/krb5_verify_init_creds_opt_init:krb5-verify-init-creds-opt-init-initialize-a-credential-verification-options-structure}\label{appdev/refs/api/krb5_verify_init_creds_opt_init::doc}\index{krb5\_verify\_init\_creds\_opt\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_verify_init_creds_opt_init:c.krb5_verify_init_creds_opt_init}\pysiglinewithargsret{void \bfcode{krb5\_verify\_init\_creds\_opt\_init}}{{\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ k5\_vic\_options}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{k5\_vic\_options} - Verification options structure - -\end{description}\end{quote} - - -\subsubsection{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail - Set whether credential verification is required.} -\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail::doc}\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:krb5-verify-init-creds-opt-set-ap-req-nofail-set-whether-credential-verification-is-required}\index{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_verify_init_creds_opt_set_ap_req_nofail:c.krb5_verify_init_creds_opt_set_ap_req_nofail}\pysiglinewithargsret{void \bfcode{krb5\_verify\_init\_creds\_opt\_set\_ap\_req\_nofail}}{{\hyperref[appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt]{krb5\_verify\_init\_creds\_opt}} *\emph{ k5\_vic\_options}, int\emph{ ap\_req\_nofail}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{k5\_vic\_options} - Verification options structure - -\textbf{{[}in{]}} \textbf{ap\_req\_nofail} - Whether to require successful verification - -\end{description}\end{quote} - -This function determines how {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} behaves if no keytab information is available. If \emph{ap\_req\_nofail} is \textbf{FALSE} , verification will be skipped in this case and {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} will return successfully. If \emph{ap\_req\_nofail} is \textbf{TRUE} , {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} will not return successfully unless verification can be performed. - -If this function is not used, the behavior of {\hyperref[appdev/refs/api/krb5_verify_init_creds:c.krb5_verify_init_creds]{\code{krb5\_verify\_init\_creds()}}} is determined through configuration. - - -\subsubsection{krb5\_vprepend\_error\_message - Add a prefix to the message for an error code using a va\_list.} -\label{appdev/refs/api/krb5_vprepend_error_message::doc}\label{appdev/refs/api/krb5_vprepend_error_message:krb5-vprepend-error-message-add-a-prefix-to-the-message-for-an-error-code-using-a-va-list}\index{krb5\_vprepend\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_vprepend_error_message:c.krb5_vprepend_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vprepend\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix - -\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_prepend_error_message:c.krb5_prepend_error_message]{\code{krb5\_prepend\_error\_message()}}} , but uses a va\_list instead of variadic arguments. - - -\subsubsection{krb5\_vset\_error\_message - Set an extended error message for an error code using a va\_list.} -\label{appdev/refs/api/krb5_vset_error_message:krb5-vset-error-message-set-an-extended-error-message-for-an-error-code-using-a-va-list}\label{appdev/refs/api/krb5_vset_error_message::doc}\index{krb5\_vset\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_vset_error_message:c.krb5_vset_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vset\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Error string for the error code - -\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments - -\end{description}\end{quote} - - -\subsubsection{krb5\_vwrap\_error\_message - Add a prefix to a different error code's message using a va\_list.} -\label{appdev/refs/api/krb5_vwrap_error_message:krb5-vwrap-error-message-add-a-prefix-to-a-different-error-code-s-message-using-a-va-list}\label{appdev/refs/api/krb5_vwrap_error_message::doc}\index{krb5\_vwrap\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_vwrap_error_message:c.krb5_vwrap_error_message}\pysiglinewithargsret{void \bfcode{krb5\_vwrap\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ old\_code}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, va\_list\emph{ args}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{old\_code} - Previous error code - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix - -\textbf{{[}in{]}} \textbf{args} - List of vprintf(3) style arguments - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_wrap_error_message:c.krb5_wrap_error_message]{\code{krb5\_wrap\_error\_message()}}} , but uses a va\_list instead of variadic arguments. - - -\subsubsection{krb5\_wrap\_error\_message - Add a prefix to a different error code's message.} -\label{appdev/refs/api/krb5_wrap_error_message:krb5-wrap-error-message-add-a-prefix-to-a-different-error-code-s-message}\label{appdev/refs/api/krb5_wrap_error_message::doc}\index{krb5\_wrap\_error\_message (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_wrap_error_message:c.krb5_wrap_error_message}\pysiglinewithargsret{void \bfcode{krb5\_wrap\_error\_message}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ ctx}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ old\_code}, {\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}}\emph{ code}, const char *\emph{ fmt}, ...}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctx} - Library context - -\textbf{{[}in{]}} \textbf{old\_code} - Previous error code - -\textbf{{[}in{]}} \textbf{code} - Error code - -\textbf{{[}in{]}} \textbf{fmt} - Format string for error message prefix - -\end{description}\end{quote} - -Format a message and prepend it to the message for \emph{old\_code} . The prefix will be separated from the old message with a colon and space. Set the resulting message as the extended error message for \emph{code} . - - -\subsection{Public interfaces that should not be called directly} -\label{appdev/refs/api/index:public-interfaces-that-should-not-be-called-directly} - -\subsubsection{krb5\_c\_block\_size - Return cipher block size.} -\label{appdev/refs/api/krb5_c_block_size:krb5-c-block-size-return-cipher-block-size}\label{appdev/refs/api/krb5_c_block_size::doc}\index{krb5\_c\_block\_size (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_block_size:c.krb5_c_block_size}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_block\_size}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ blocksize}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}out{]}} \textbf{blocksize} - Block size for \emph{enctype} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_checksum\_length - Return the length of checksums for a checksum type.} -\label{appdev/refs/api/krb5_c_checksum_length:krb5-c-checksum-length-return-the-length-of-checksums-for-a-checksum-type}\label{appdev/refs/api/krb5_c_checksum_length::doc}\index{krb5\_c\_checksum\_length (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_checksum_length:c.krb5_c_checksum_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_checksum\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, size\_t *\emph{ length}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type - -\textbf{{[}out{]}} \textbf{length} - Checksum length - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_crypto\_length - Return a length of a message field specific to the encryption type.} -\label{appdev/refs/api/krb5_c_crypto_length:krb5-c-crypto-length-return-a-length-of-a-message-field-specific-to-the-encryption-type}\label{appdev/refs/api/krb5_c_crypto_length::doc}\index{krb5\_c\_crypto\_length (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_crypto_length:c.krb5_c_crypto_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_crypto\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype]{krb5\_cryptotype}}\emph{ type}, unsigned int *\emph{ size}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{type} - Type field (See \code{KRB5\_CRYPTO\_TYPE} types) - -\textbf{{[}out{]}} \textbf{size} - Length of the \emph{type} specific to \emph{enctype} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_crypto\_length\_iov - Fill in lengths for header, trailer and padding in a IOV array.} -\label{appdev/refs/api/krb5_c_crypto_length_iov:krb5-c-crypto-length-iov-fill-in-lengths-for-header-trailer-and-padding-in-a-iov-array}\label{appdev/refs/api/krb5_c_crypto_length_iov::doc}\index{krb5\_c\_crypto\_length\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_crypto_length_iov:c.krb5_c_crypto_length_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_crypto\_length\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}inout{]}} \textbf{data} - IOV array - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Padding is set to the actual padding required based on the provided \emph{data} buffers. Typically this API is used after setting up the data buffers and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} buffers, but before actually allocating header, trailer and padding. - - -\subsubsection{krb5\_c\_decrypt - Decrypt data using a key (operates on keyblock).} -\label{appdev/refs/api/krb5_c_decrypt::doc}\label{appdev/refs/api/krb5_c_decrypt:krb5-c-decrypt-decrypt-data-using-a-key-operates-on-keyblock}\index{krb5\_c\_decrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}in{]}} \textbf{input} - Encrypted data - -\textbf{{[}out{]}} \textbf{output} - Decrypted data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function decrypts the data block \emph{input} and stores the output into \emph{output} . The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. - -\begin{notice}{note}{Note:} -The caller must initialize \emph{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let {\hyperref[appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt]{\code{krb5\_c\_decrypt()}}} trim \emph{output-\textgreater{}length} . For some enctypes, the resulting \emph{output-\textgreater{}length} may include padding bytes. -\end{notice} - - -\subsubsection{krb5\_c\_decrypt\_iov - Decrypt data in place supporting AEAD (operates on keyblock).} -\label{appdev/refs/api/krb5_c_decrypt_iov:krb5-c-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-keyblock}\label{appdev/refs/api/krb5_c_decrypt_iov::doc}\index{krb5\_c\_decrypt\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_decrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keyblock} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function decrypts the data block \emph{data} and stores the output in-place. The actual decryption key will be derived from \emph{keyblock} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} - - - -\begin{notice}{note}{Note:} -On return from a {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - -This function is similar to {\hyperref[appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov]{\code{krb5\_k\_decrypt\_iov()}}} , but operates on keyblock \emph{keyblock} . -\end{notice} - - -\subsubsection{krb5\_c\_derive\_prfplus - Derive a key using some input data (via RFC 6113 PRF+).} -\label{appdev/refs/api/krb5_c_derive_prfplus::doc}\label{appdev/refs/api/krb5_c_derive_prfplus:krb5-c-derive-prfplus-derive-a-key-using-some-input-data-via-rfc-6113-prf}\index{krb5\_c\_derive\_prfplus (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_derive_prfplus:c.krb5_c_derive_prfplus}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_derive\_prfplus}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{k} - KDC contribution key - -\textbf{{[}in{]}} \textbf{input} - Input string - -\textbf{{[}in{]}} \textbf{enctype} - Output key enctype (or \textbf{ENCTYPE\_NULL} ) - -\textbf{{[}out{]}} \textbf{out} - Derived keyblock - -\end{description}\end{quote} - -This function uses PRF+ as defined in RFC 6113 to derive a key from another key and an input string. If \emph{enctype} is \textbf{ENCTYPE\_NULL} , the output key will have the same enctype as the input key. - - -\subsubsection{krb5\_c\_encrypt - Encrypt data using a key (operates on keyblock).} -\label{appdev/refs/api/krb5_c_encrypt::doc}\label{appdev/refs/api/krb5_c_encrypt:krb5-c-encrypt-encrypt-data-using-a-key-operates-on-keyblock}\index{krb5\_c\_encrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_encrypt:c.krb5_c_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}in{]}} \textbf{input} - Data to be encrypted - -\textbf{{[}out{]}} \textbf{output} - Encrypted data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function encrypts the data block \emph{input} and stores the output into \emph{output} . The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. - -\begin{notice}{note}{Note:} -The caller must initialize \emph{output} and allocate at least enough space for the result (using {\hyperref[appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length]{\code{krb5\_c\_encrypt\_length()}}} to determine the amount of space needed). \emph{output-\textgreater{}length} will be set to the actual length of the ciphertext. -\end{notice} - - -\subsubsection{krb5\_c\_encrypt\_iov - Encrypt data in place supporting AEAD (operates on keyblock).} -\label{appdev/refs/api/krb5_c_encrypt_iov:krb5-c-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-keyblock}\label{appdev/refs/api/krb5_c_encrypt_iov::doc}\index{krb5\_c\_encrypt\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keyblock} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function encrypts the data block \emph{data} and stores the output in-place. The actual encryption key will be derived from \emph{keyblock} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} - - - -\begin{notice}{note}{Note:} -On return from a {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - -This function is similar to {\hyperref[appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov]{\code{krb5\_k\_encrypt\_iov()}}} , but operates on keyblock \emph{keyblock} . -\end{notice} - - -\subsubsection{krb5\_c\_encrypt\_length - Compute encrypted data length.} -\label{appdev/refs/api/krb5_c_encrypt_length:krb5-c-encrypt-length-compute-encrypted-data-length}\label{appdev/refs/api/krb5_c_encrypt_length::doc}\index{krb5\_c\_encrypt\_length (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_encrypt\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ inputlen}, size\_t *\emph{ length}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{inputlen} - Length of the data to be encrypted - -\textbf{{[}out{]}} \textbf{length} - Length of the encrypted data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function computes the length of the ciphertext produced by encrypting \emph{inputlen} bytes including padding, confounder, and checksum. - - -\subsubsection{krb5\_c\_enctype\_compare - Compare two encryption types.} -\label{appdev/refs/api/krb5_c_enctype_compare::doc}\label{appdev/refs/api/krb5_c_enctype_compare:krb5-c-enctype-compare-compare-two-encryption-types}\index{krb5\_c\_enctype\_compare (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_enctype_compare:c.krb5_c_enctype_compare}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_enctype\_compare}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ e1}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ e2}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ similar}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{e1} - First encryption type - -\textbf{{[}in{]}} \textbf{e2} - Second encryption type - -\textbf{{[}out{]}} \textbf{similar} - \textbf{TRUE} if types are similar, \textbf{FALSE} if not - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function determines whether two encryption types use the same kind of keys. - - -\subsubsection{krb5\_c\_free\_state - Free a cipher state previously allocated by krb5\_c\_init\_state() .} -\label{appdev/refs/api/krb5_c_free_state:krb5-c-free-state-free-a-cipher-state-previously-allocated-by-krb5-c-init-state}\label{appdev/refs/api/krb5_c_free_state::doc}\index{krb5\_c\_free\_state (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_free_state:c.krb5_c_free_state}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_free\_state}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ state}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Key - -\textbf{{[}in{]}} \textbf{state} - Cipher state to be freed - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_fx\_cf2\_simple - Compute the KRB-FX-CF2 combination of two keys and pepper strings.} -\label{appdev/refs/api/krb5_c_fx_cf2_simple:krb5-c-fx-cf2-simple-compute-the-krb-fx-cf2-combination-of-two-keys-and-pepper-strings}\label{appdev/refs/api/krb5_c_fx_cf2_simple::doc}\index{krb5\_c\_fx\_cf2\_simple (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_fx_cf2_simple:c.krb5_c_fx_cf2_simple}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_fx\_cf2\_simple}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k1}, const char *\emph{ pepper1}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k2}, const char *\emph{ pepper2}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{k1} - KDC contribution key - -\textbf{{[}in{]}} \textbf{pepper1} - String''PKINIT'' - -\textbf{{[}in{]}} \textbf{k2} - Reply key - -\textbf{{[}in{]}} \textbf{pepper2} - String''KeyExchange'' - -\textbf{{[}out{]}} \textbf{out} - Output key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function computes the KRB-FX-CF2 function over its inputs and places the results in a newly allocated keyblock. This function is simple in that it assumes that \emph{pepper1} and \emph{pepper2} are C strings with no internal nulls and that the enctype of the result will be the same as that of \emph{k1} . \emph{k1} and \emph{k2} may be of different enctypes. - - -\subsubsection{krb5\_c\_init\_state - Initialize a new cipher state.} -\label{appdev/refs/api/krb5_c_init_state:krb5-c-init-state-initialize-a-new-cipher-state}\label{appdev/refs/api/krb5_c_init_state::doc}\index{krb5\_c\_init\_state (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_init_state:c.krb5_c_init_state}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_init\_state}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ new\_state}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}out{]}} \textbf{new\_state} - New cipher state - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_is\_coll\_proof\_cksum - Test whether a checksum type is collision-proof.} -\label{appdev/refs/api/krb5_c_is_coll_proof_cksum:krb5-c-is-coll-proof-cksum-test-whether-a-checksum-type-is-collision-proof}\label{appdev/refs/api/krb5_c_is_coll_proof_cksum::doc}\index{krb5\_c\_is\_coll\_proof\_cksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_is_coll_proof_cksum:c.krb5_c_is_coll_proof_cksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_is\_coll\_proof\_cksum}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctype} - Checksum type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if ctype is collision-proof, FALSE if it is not collision-proof or not a valid checksum type. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_is\_keyed\_cksum - Test whether a checksum type is keyed.} -\label{appdev/refs/api/krb5_c_is_keyed_cksum::doc}\label{appdev/refs/api/krb5_c_is_keyed_cksum:krb5-c-is-keyed-cksum-test-whether-a-checksum-type-is-keyed}\index{krb5\_c\_is\_keyed\_cksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_is_keyed_cksum:c.krb5_c_is_keyed_cksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_is\_keyed\_cksum}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctype} - Checksum type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if ctype is a keyed checksum type, FALSE otherwise. - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_keyed\_checksum\_types - Return a list of keyed checksum types usable with an encryption type.} -\label{appdev/refs/api/krb5_c_keyed_checksum_types::doc}\label{appdev/refs/api/krb5_c_keyed_checksum_types:krb5-c-keyed-checksum-types-return-a-list-of-keyed-checksum-types-usable-with-an-encryption-type}\index{krb5\_c\_keyed\_checksum\_types (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_keyed_checksum_types:c.krb5_c_keyed_checksum_types}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_keyed\_checksum\_types}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, unsigned int *\emph{ count}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} **\emph{ cksumtypes}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}out{]}} \textbf{count} - Count of allowable checksum types - -\textbf{{[}out{]}} \textbf{cksumtypes} - Array of allowable checksum types - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_cksumtypes:c.krb5_free_cksumtypes]{\code{krb5\_free\_cksumtypes()}}} to free \emph{cksumtypes} when it is no longer needed. - - -\subsubsection{krb5\_c\_keylengths - Return length of the specified key in bytes.} -\label{appdev/refs/api/krb5_c_keylengths::doc}\label{appdev/refs/api/krb5_c_keylengths:krb5-c-keylengths-return-length-of-the-specified-key-in-bytes}\index{krb5\_c\_keylengths (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_keylengths:c.krb5_c_keylengths}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_keylengths}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ keybytes}, size\_t *\emph{ keylength}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}out{]}} \textbf{keybytes} - Number of bytes required to make a key - -\textbf{{[}out{]}} \textbf{keylength} - Length of final key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_make\_checksum - Compute a checksum (operates on keyblock).} -\label{appdev/refs/api/krb5_c_make_checksum::doc}\label{appdev/refs/api/krb5_c_make_checksum:krb5-c-make-checksum-compute-a-checksum-operates-on-keyblock}\index{krb5\_c\_make\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_make_checksum:c.krb5_c_make_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{input} - Input data - -\textbf{{[}out{]}} \textbf{cksum} - Generated checksum - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function computes a checksum of type \emph{cksumtype} over \emph{input} , using \emph{key} if the checksum type is a keyed checksum. If \emph{cksumtype} is 0 and \emph{key} is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. The newly created \emph{cksum} must be released by calling {\hyperref[appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents]{\code{krb5\_free\_checksum\_contents()}}} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_k_make_checksum:c.krb5_k_make_checksum]{\code{krb5\_k\_make\_checksum()}}} , but operates on keyblock \emph{key} . -\end{notice} - - -\subsubsection{krb5\_c\_make\_checksum\_iov - Fill in a checksum element in IOV array (operates on keyblock)} -\label{appdev/refs/api/krb5_c_make_checksum_iov:krb5-c-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-keyblock}\label{appdev/refs/api/krb5_c_make_checksum_iov::doc}\index{krb5\_c\_make\_checksum\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{data} - IOV array - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Create a checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element over {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} chunks in \emph{data} . Only the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} region is modified. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov]{\code{krb5\_c\_verify\_checksum\_iov()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov]{\code{krb5\_k\_make\_checksum\_iov()}}} , but operates on keyblock \emph{key} . -\end{notice} - - -\subsubsection{krb5\_c\_make\_random\_key - Generate an enctype-specific random encryption key.} -\label{appdev/refs/api/krb5_c_make_random_key:krb5-c-make-random-key-generate-an-enctype-specific-random-encryption-key}\label{appdev/refs/api/krb5_c_make_random_key::doc}\index{krb5\_c\_make\_random\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_make_random_key:c.krb5_c_make_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_make\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k5\_random\_key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type of the generated key - -\textbf{{[}out{]}} \textbf{k5\_random\_key} - An allocated and initialized keyblock - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} to free \emph{k5\_random\_key} when no longer needed. - - -\subsubsection{krb5\_c\_padding\_length - Return a number of padding octets.} -\label{appdev/refs/api/krb5_c_padding_length:krb5-c-padding-length-return-a-number-of-padding-octets}\label{appdev/refs/api/krb5_c_padding_length::doc}\index{krb5\_c\_padding\_length (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_padding_length:c.krb5_c_padding_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_padding\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t\emph{ data\_length}, unsigned int *\emph{ size}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{data\_length} - Length of the plaintext to pad - -\textbf{{[}out{]}} \textbf{size} - Number of padding octets - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - KRB5\_BAD\_ENCTYPE - -\end{itemize} - -\end{description}\end{quote} - -This function returns the number of the padding octets required to pad \emph{data\_length} octets of plaintext. - - -\subsubsection{krb5\_c\_prf - Generate enctype-specific pseudo-random bytes.} -\label{appdev/refs/api/krb5_c_prf:krb5-c-prf-generate-enctype-specific-pseudo-random-bytes}\label{appdev/refs/api/krb5_c_prf::doc}\index{krb5\_c\_prf (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_prf:c.krb5_c_prf}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prf}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{keyblock} - Key - -\textbf{{[}in{]}} \textbf{input} - Input data - -\textbf{{[}out{]}} \textbf{output} - Output data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function selects a pseudo-random function based on \emph{keyblock} and computes its value over \emph{input} , placing the result into \emph{output} . The caller must preinitialize \emph{output} and allocate space for the result, using {\hyperref[appdev/refs/api/krb5_c_prf_length:c.krb5_c_prf_length]{\code{krb5\_c\_prf\_length()}}} to determine the required length. - - -\subsubsection{krb5\_c\_prfplus - Generate pseudo-random bytes using RFC 6113 PRF+.} -\label{appdev/refs/api/krb5_c_prfplus:krb5-c-prfplus-generate-pseudo-random-bytes-using-rfc-6113-prf}\label{appdev/refs/api/krb5_c_prfplus::doc}\index{krb5\_c\_prfplus (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_prfplus:c.krb5_c_prfplus}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prfplus}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{k} - KDC contribution key - -\textbf{{[}in{]}} \textbf{input} - Input data - -\textbf{{[}out{]}} \textbf{output} - Pseudo-random output buffer - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -0 on success, E2BIG if output-\textgreater{}length is too large for PRF+ to generate, ENOMEM on allocation failure, or an error code from krb5\_c\_prf() - -\end{itemize} - -\end{description}\end{quote} - -This function fills \emph{output} with PRF+(k, input) as defined in RFC 6113 section 5.1. The caller must preinitialize \emph{output} and allocate the desired amount of space. The length of the pseudo-random output will match the length of \emph{output} . - -\begin{notice}{note}{Note:} -RFC 4402 defines a different PRF+ operation. This function does not implement that operation. -\end{notice} - - -\subsubsection{krb5\_c\_prf\_length - Get the output length of pseudo-random functions for an encryption type.} -\label{appdev/refs/api/krb5_c_prf_length::doc}\label{appdev/refs/api/krb5_c_prf_length:krb5-c-prf-length-get-the-output-length-of-pseudo-random-functions-for-an-encryption-type}\index{krb5\_c\_prf\_length (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_prf_length:c.krb5_c_prf_length}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_prf\_length}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, size\_t *\emph{ len}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}out{]}} \textbf{len} - Length of PRF output - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_random\_add\_entropy - Add entropy to the pseudo-random number generator.} -\label{appdev/refs/api/krb5_c_random_add_entropy::doc}\label{appdev/refs/api/krb5_c_random_add_entropy:krb5-c-random-add-entropy-add-entropy-to-the-pseudo-random-number-generator}\index{krb5\_c\_random\_add\_entropy (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_random_add_entropy:c.krb5_c_random_add_entropy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_add\_entropy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, unsigned int\emph{ randsource}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{randsource} - Entropy source (see KRB5\_RANDSOURCE types) - -\textbf{{[}in{]}} \textbf{data} - Data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Contribute entropy to the PRNG used by krb5 crypto operations. This may or may not affect the output of the next crypto operation requiring random data. - - -\subsubsection{krb5\_c\_random\_make\_octets - Generate pseudo-random bytes.} -\label{appdev/refs/api/krb5_c_random_make_octets::doc}\label{appdev/refs/api/krb5_c_random_make_octets:krb5-c-random-make-octets-generate-pseudo-random-bytes}\index{krb5\_c\_random\_make\_octets (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_random_make_octets:c.krb5_c_random_make_octets}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_make\_octets}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}out{]}} \textbf{data} - Random data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Fills in \emph{data} with bytes from the PRNG used by krb5 crypto operations. The caller must preinitialize \emph{data} and allocate the desired amount of space. - - -\subsubsection{krb5\_c\_random\_os\_entropy - Collect entropy from the OS if possible.} -\label{appdev/refs/api/krb5_c_random_os_entropy:krb5-c-random-os-entropy-collect-entropy-from-the-os-if-possible}\label{appdev/refs/api/krb5_c_random_os_entropy::doc}\index{krb5\_c\_random\_os\_entropy (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_random_os_entropy:c.krb5_c_random_os_entropy}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_os\_entropy}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, int\emph{ strong}, int *\emph{ success}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{strong} - Strongest available source of entropy - -\textbf{{[}out{]}} \textbf{success} - 1 if OS provides entropy, 0 otherwise - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If \emph{strong} is non-zero, this function attempts to use the strongest available source of entropy. Setting this flag may cause the function to block on some operating systems. Good uses include seeding the PRNG for kadmind and realm setup. - - -\subsubsection{krb5\_c\_random\_to\_key - Generate an enctype-specific key from random data.} -\label{appdev/refs/api/krb5_c_random_to_key:krb5-c-random-to-key-generate-an-enctype-specific-key-from-random-data}\label{appdev/refs/api/krb5_c_random_to_key::doc}\index{krb5\_c\_random\_to\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_random_to_key:c.krb5_c_random_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ random\_data}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ k5\_random\_key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{random\_data} - Random input data - -\textbf{{[}out{]}} \textbf{k5\_random\_key} - Resulting key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function takes random input data \emph{random\_data} and produces a valid key \emph{k5\_random\_key} for a given \emph{enctype} . - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_keylengths:c.krb5_c_keylengths]{\code{krb5\_c\_keylengths()}}} - - - -\begin{notice}{note}{Note:} -It is assumed that \emph{k5\_random\_key} has already been initialized and \emph{k5\_random\_key-\textgreater{}contents} has been allocated with the correct length. -\end{notice} - - -\subsubsection{krb5\_c\_string\_to\_key - Convert a string (such a password) to a key.} -\label{appdev/refs/api/krb5_c_string_to_key:krb5-c-string-to-key-convert-a-string-such-a-password-to-a-key}\label{appdev/refs/api/krb5_c_string_to_key::doc}\index{krb5\_c\_string\_to\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_string_to_key:c.krb5_c_string_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_string\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ string}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{string} - String to be converted - -\textbf{{[}in{]}} \textbf{salt} - Salt value - -\textbf{{[}out{]}} \textbf{key} - Generated key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function converts \emph{string} to a \emph{key} of encryption type \emph{enctype} , using the specified \emph{salt} . The newly created \emph{key} must be released by calling {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} when it is no longer needed. - - -\subsubsection{krb5\_c\_string\_to\_key\_with\_params - Convert a string (such as a password) to a key with additional parameters.} -\label{appdev/refs/api/krb5_c_string_to_key_with_params::doc}\label{appdev/refs/api/krb5_c_string_to_key_with_params:krb5-c-string-to-key-with-params-convert-a-string-such-as-a-password-to-a-key-with-additional-parameters}\index{krb5\_c\_string\_to\_key\_with\_params (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_string_to_key_with_params:c.krb5_c_string_to_key_with_params}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_string\_to\_key\_with\_params}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ string}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ params}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{string} - String to be converted - -\textbf{{[}in{]}} \textbf{salt} - Salt value - -\textbf{{[}in{]}} \textbf{params} - Parameters - -\textbf{{[}out{]}} \textbf{key} - Generated key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_c_string_to_key:c.krb5_c_string_to_key]{\code{krb5\_c\_string\_to\_key()}}} , but also takes parameters which may affect the algorithm in an enctype-dependent way. The newly created \emph{key} must be released by calling {\hyperref[appdev/refs/api/krb5_free_keyblock_contents:c.krb5_free_keyblock_contents]{\code{krb5\_free\_keyblock\_contents()}}} when it is no longer needed. - - -\subsubsection{krb5\_c\_valid\_cksumtype - Verify that specified checksum type is a valid Kerberos checksum type.} -\label{appdev/refs/api/krb5_c_valid_cksumtype:krb5-c-valid-cksumtype-verify-that-specified-checksum-type-is-a-valid-kerberos-checksum-type}\label{appdev/refs/api/krb5_c_valid_cksumtype::doc}\index{krb5\_c\_valid\_cksumtype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_valid_cksumtype:c.krb5_c_valid_cksumtype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_valid\_cksumtype}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ctype} - Checksum type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if ctype is valid, FALSE if not - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_valid\_enctype - Verify that a specified encryption type is a valid Kerberos encryption type.} -\label{appdev/refs/api/krb5_c_valid_enctype:krb5-c-valid-enctype-verify-that-a-specified-encryption-type-is-a-valid-kerberos-encryption-type}\label{appdev/refs/api/krb5_c_valid_enctype::doc}\index{krb5\_c\_valid\_enctype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_valid_enctype:c.krb5_c_valid_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_c\_valid\_enctype}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ ktype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{ktype} - Encryption type - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{return}] \leavevmode\begin{itemize} -\item {} -TRUE if ktype is valid, FALSE if not - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_c\_verify\_checksum - Verify a checksum (operates on keyblock).} -\label{appdev/refs/api/krb5_c_verify_checksum:krb5-c-verify-checksum-verify-a-checksum-operates-on-keyblock}\label{appdev/refs/api/krb5_c_verify_checksum::doc}\index{krb5\_c\_verify\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - \emph{key} usage - -\textbf{{[}in{]}} \textbf{data} - Data to be used to compute a new checksum using \emph{key} to compare \emph{cksum} against - -\textbf{{[}in{]}} \textbf{cksum} - Checksum to be verified - -\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function verifies that \emph{cksum} is a valid checksum for \emph{data} . If the checksum type of \emph{cksum} is a keyed checksum, \emph{key} is used to verify the checksum. If the checksum type in \emph{cksum} is 0 and \emph{key} is not NULL, the mandatory checksum type for \emph{key} will be used. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_k_verify_checksum:c.krb5_k_verify_checksum]{\code{krb5\_k\_verify\_checksum()}}} , but operates on keyblock \emph{key} . -\end{notice} - - -\subsubsection{krb5\_c\_verify\_checksum\_iov - Validate a checksum element in IOV array (operates on keyblock).} -\label{appdev/refs/api/krb5_c_verify_checksum_iov::doc}\label{appdev/refs/api/krb5_c_verify_checksum_iov:krb5-c-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-keyblock}\index{krb5\_c\_verify\_checksum\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_verify\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{data} - IOV array - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Confirm that the checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element is a valid checksum of the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} regions in the iov. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov]{\code{krb5\_c\_make\_checksum\_iov()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov]{\code{krb5\_k\_verify\_checksum\_iov()}}} , but operates on keyblock \emph{key} . -\end{notice} - - -\subsubsection{krb5\_cksumtype\_to\_string - Convert a checksum type to a string.} -\label{appdev/refs/api/krb5_cksumtype_to_string::doc}\label{appdev/refs/api/krb5_cksumtype_to_string:krb5-cksumtype-to-string-convert-a-checksum-type-to-a-string}\index{krb5\_cksumtype\_to\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cksumtype_to_string:c.krb5_cksumtype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cksumtype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold converted checksum type - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_decode\_authdata\_container - Unwrap authorization data.} -\label{appdev/refs/api/krb5_decode_authdata_container::doc}\label{appdev/refs/api/krb5_decode_authdata_container:krb5-decode-authdata-container-unwrap-authorization-data}\index{krb5\_decode\_authdata\_container (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_decode_authdata_container:c.krb5_decode_authdata_container}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decode\_authdata\_container}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ type}, const {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *\emph{ container}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ authdata}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{type} - \code{KRB5\_AUTHDATA} type of \emph{container} - -\textbf{{[}in{]}} \textbf{container} - Authorization data to be decoded - -\textbf{{[}out{]}} \textbf{authdata} - List of decoded authorization data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_encode_authdata_container:c.krb5_encode_authdata_container]{\code{krb5\_encode\_authdata\_container()}}} - - - - -\subsubsection{krb5\_decode\_ticket - Decode an ASN.1-formatted ticket.} -\label{appdev/refs/api/krb5_decode_ticket::doc}\label{appdev/refs/api/krb5_decode_ticket:krb5-decode-ticket-decode-an-asn-1-formatted-ticket}\index{krb5\_decode\_ticket (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_decode_ticket:c.krb5_decode_ticket}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decode\_ticket}}{const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ code}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ rep}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{code} - ASN.1-formatted ticket - -\textbf{{[}out{]}} \textbf{rep} - Decoded ticket information - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_deltat\_to\_string - Convert a relative time value to a string.} -\label{appdev/refs/api/krb5_deltat_to_string::doc}\label{appdev/refs/api/krb5_deltat_to_string:krb5-deltat-to-string-convert-a-relative-time-value-to-a-string}\index{krb5\_deltat\_to\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_deltat_to_string:c.krb5_deltat_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_deltat\_to\_string}}{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}}\emph{ deltat}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{deltat} - Relative time value to convert - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold time string - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_encode\_authdata\_container - Wrap authorization data in a container.} -\label{appdev/refs/api/krb5_encode_authdata_container::doc}\label{appdev/refs/api/krb5_encode_authdata_container:krb5-encode-authdata-container-wrap-authorization-data-in-a-container}\index{krb5\_encode\_authdata\_container (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_encode_authdata_container:c.krb5_encode_authdata_container}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_encode\_authdata\_container}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}}\emph{ type}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} *const *\emph{ authdata}, {\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ***\emph{ container}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{type} - \code{KRB5\_AUTHDATA} type of \emph{container} - -\textbf{{[}in{]}} \textbf{authdata} - List of authorization data to be encoded - -\textbf{{[}out{]}} \textbf{container} - List of encoded authorization data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -The result is returned in \emph{container} as a single-element list. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_decode_authdata_container:c.krb5_decode_authdata_container]{\code{krb5\_decode\_authdata\_container()}}} - - - - -\subsubsection{krb5\_enctype\_to\_name - Convert an encryption type to a name or alias.} -\label{appdev/refs/api/krb5_enctype_to_name::doc}\label{appdev/refs/api/krb5_enctype_to_name:krb5-enctype-to-name-convert-an-encryption-type-to-a-name-or-alias}\index{krb5\_enctype\_to\_name (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_enctype_to_name:c.krb5_enctype_to_name}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_enctype\_to\_name}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}}\emph{ shortest}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}in{]}} \textbf{shortest} - Flag - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold encryption type string - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -If \emph{shortest} is FALSE, this function returns the enctype's canonical name (like''aes128-cts-hmac-sha1-96''). If \emph{shortest} is TRUE, it return the enctype's shortest alias (like''aes128-cts''). - -\begin{notice}{note}{Note:} -New in 1.9 -\end{notice} - - -\subsubsection{krb5\_enctype\_to\_string - Convert an encryption type to a string.} -\label{appdev/refs/api/krb5_enctype_to_string::doc}\label{appdev/refs/api/krb5_enctype_to_string:krb5-enctype-to-string-convert-an-encryption-type-to-a-string}\index{krb5\_enctype\_to\_string (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_enctype_to_string:c.krb5_enctype_to_string}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_enctype\_to\_string}}{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}, char *\emph{ buffer}, size\_t\emph{ buflen}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{enctype} - Encryption type - -\textbf{{[}out{]}} \textbf{buffer} - Buffer to hold encryption type string - -\textbf{{[}in{]}} \textbf{buflen} - Storage available in \emph{buffer} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - - -\subsubsection{krb5\_free\_checksum - Free a krb5\_checksum structure.} -\label{appdev/refs/api/krb5_free_checksum:krb5-free-checksum-free-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_free_checksum::doc}\index{krb5\_free\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_checksum:c.krb5_free_checksum}\pysiglinewithargsret{void \bfcode{krb5\_free\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Checksum structure to be freed - -\end{description}\end{quote} - -This function frees the contents of \emph{val} and the structure itself. - - -\subsubsection{krb5\_free\_checksum\_contents - Free the contents of a krb5\_checksum structure.} -\label{appdev/refs/api/krb5_free_checksum_contents:krb5-free-checksum-contents-free-the-contents-of-a-krb5-checksum-structure}\label{appdev/refs/api/krb5_free_checksum_contents::doc}\index{krb5\_free\_checksum\_contents (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents}\pysiglinewithargsret{void \bfcode{krb5\_free\_checksum\_contents}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, register {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Checksum structure to free contents of - -\end{description}\end{quote} - -This function frees the contents of \emph{val} , but not the structure itself. - - -\subsubsection{krb5\_free\_cksumtypes - Free an array of checksum types.} -\label{appdev/refs/api/krb5_free_cksumtypes:krb5-free-cksumtypes-free-an-array-of-checksum-types}\label{appdev/refs/api/krb5_free_cksumtypes::doc}\index{krb5\_free\_cksumtypes (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_cksumtypes:c.krb5_free_cksumtypes}\pysiglinewithargsret{void \bfcode{krb5\_free\_cksumtypes}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} *\emph{ val}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{val} - Array of checksum types to be freed - -\end{description}\end{quote} - - -\subsubsection{krb5\_free\_tgt\_creds - Free an array of credential structures.} -\label{appdev/refs/api/krb5_free_tgt_creds::doc}\label{appdev/refs/api/krb5_free_tgt_creds:krb5-free-tgt-creds-free-an-array-of-credential-structures}\index{krb5\_free\_tgt\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_free_tgt_creds:c.krb5_free_tgt_creds}\pysiglinewithargsret{void \bfcode{krb5\_free\_tgt\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ tgts}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{tgts} - Null-terminated array of credentials to free - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -The last entry in the array \emph{tgts} must be a NULL pointer. -\end{notice} - - -\subsubsection{krb5\_k\_create\_key - Create a krb5\_key from the enctype and key data in a keyblock.} -\label{appdev/refs/api/krb5_k_create_key::doc}\label{appdev/refs/api/krb5_k_create_key:krb5-k-create-key-create-a-krb5-key-from-the-enctype-and-key-data-in-a-keyblock}\index{krb5\_k\_create\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_create_key:c.krb5_k_create_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_create\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key\_data}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}} *\emph{ out}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key\_data} - Keyblock - -\textbf{{[}out{]}} \textbf{out} - Opaque key - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - KRB5\_BAD\_ENCTYPE - -\end{itemize} - -\end{description}\end{quote} - -The reference count on a key \emph{out} is set to 1. Use {\hyperref[appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key]{\code{krb5\_k\_free\_key()}}} to free \emph{out} when it is no longer needed. - - -\subsubsection{krb5\_k\_decrypt - Decrypt data using a key (operates on opaque key).} -\label{appdev/refs/api/krb5_k_decrypt:krb5-k-decrypt-decrypt-data-using-a-key-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_decrypt::doc}\index{krb5\_k\_decrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_decrypt:c.krb5_k_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}in{]}} \textbf{input} - Encrypted data - -\textbf{{[}out{]}} \textbf{output} - Decrypted data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function decrypts the data block \emph{input} and stores the output into \emph{output} . The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. - -\begin{notice}{note}{Note:} -The caller must initialize \emph{output} and allocate at least enough space for the result. The usual practice is to allocate an output buffer as long as the ciphertext, and let {\hyperref[appdev/refs/api/krb5_c_decrypt:c.krb5_c_decrypt]{\code{krb5\_c\_decrypt()}}} trim \emph{output-\textgreater{}length} . For some enctypes, the resulting \emph{output-\textgreater{}length} may include padding bytes. -\end{notice} - - -\subsubsection{krb5\_k\_decrypt\_iov - Decrypt data in place supporting AEAD (operates on opaque key).} -\label{appdev/refs/api/krb5_k_decrypt_iov::doc}\label{appdev/refs/api/krb5_k_decrypt_iov:krb5-k-decrypt-iov-decrypt-data-in-place-supporting-aead-operates-on-opaque-key}\index{krb5\_k\_decrypt\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_decrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function decrypts the data block \emph{data} and stores the output in-place. The actual decryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the decryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov]{\code{krb5\_k\_encrypt\_iov()}}} - - - -\begin{notice}{note}{Note:} -On return from a {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - -This function is similar to {\hyperref[appdev/refs/api/krb5_c_decrypt_iov:c.krb5_c_decrypt_iov]{\code{krb5\_c\_decrypt\_iov()}}} , but operates on opaque key \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_encrypt - Encrypt data using a key (operates on opaque key).} -\label{appdev/refs/api/krb5_k_encrypt:krb5-k-encrypt-encrypt-data-using-a-key-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_encrypt::doc}\index{krb5\_k\_encrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_encrypt:c.krb5_k_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}in{]}} \textbf{input} - Data to be encrypted - -\textbf{{[}out{]}} \textbf{output} - Encrypted data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function encrypts the data block \emph{input} and stores the output into \emph{output} . The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. - -\begin{notice}{note}{Note:} -The caller must initialize \emph{output} and allocate at least enough space for the result (using {\hyperref[appdev/refs/api/krb5_c_encrypt_length:c.krb5_c_encrypt_length]{\code{krb5\_c\_encrypt\_length()}}} to determine the amount of space needed). \emph{output-\textgreater{}length} will be set to the actual length of the ciphertext. -\end{notice} - - -\subsubsection{krb5\_k\_encrypt\_iov - Encrypt data in place supporting AEAD (operates on opaque key).} -\label{appdev/refs/api/krb5_k_encrypt_iov::doc}\label{appdev/refs/api/krb5_k_encrypt_iov:krb5-k-encrypt-iov-encrypt-data-in-place-supporting-aead-operates-on-opaque-key}\index{krb5\_k\_encrypt\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_encrypt_iov:c.krb5_k_encrypt_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_encrypt\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ cipher\_state}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{cipher\_state} - Cipher state; specify NULL if not needed - -\textbf{{[}inout{]}} \textbf{data} - IOV array. Modified in-place. - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function encrypts the data block \emph{data} and stores the output in-place. The actual encryption key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the encryption type. If non-null, \emph{cipher\_state} specifies the beginning state for the encryption operation, and is updated with the state to be passed as input to the next operation. The caller must allocate the right number of krb5\_crypto\_iov structures before calling into this API. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_k_decrypt_iov:c.krb5_k_decrypt_iov]{\code{krb5\_k\_decrypt\_iov()}}} - - - -\begin{notice}{note}{Note:} -On return from a {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} call, the \emph{data-\textgreater{}length} in the iov structure are adjusted to reflect actual lengths of the ciphertext used. For example, if the padding length is too large, the length will be reduced. Lengths are never increased. - -This function is similar to {\hyperref[appdev/refs/api/krb5_c_encrypt_iov:c.krb5_c_encrypt_iov]{\code{krb5\_c\_encrypt\_iov()}}} , but operates on opaque key \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_free\_key - Decrement the reference count on a key and free it if it hits zero.} -\label{appdev/refs/api/krb5_k_free_key:krb5-k-free-key-decrement-the-reference-count-on-a-key-and-free-it-if-it-hits-zero}\label{appdev/refs/api/krb5_k_free_key::doc}\index{krb5\_k\_free\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_free_key:c.krb5_k_free_key}\pysiglinewithargsret{void \bfcode{krb5\_k\_free\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{key} - -\end{description}\end{quote} - - -\subsubsection{krb5\_k\_key\_enctype - Retrieve the enctype of a krb5\_key structure.} -\label{appdev/refs/api/krb5_k_key_enctype::doc}\label{appdev/refs/api/krb5_k_key_enctype:krb5-k-key-enctype-retrieve-the-enctype-of-a-krb5-key-structure}\index{krb5\_k\_key\_enctype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_key_enctype:c.krb5_k_key_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_k\_key\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{key} - -\end{description}\end{quote} - - -\subsubsection{krb5\_k\_key\_keyblock - Retrieve a copy of the keyblock from a krb5\_key structure.} -\label{appdev/refs/api/krb5_k_key_keyblock:krb5-k-key-keyblock-retrieve-a-copy-of-the-keyblock-from-a-krb5-key-structure}\label{appdev/refs/api/krb5_k_key_keyblock::doc}\index{krb5\_k\_key\_keyblock (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_key_keyblock:c.krb5_k_key_keyblock}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_key\_keyblock}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ key\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{key} - -\textbf{key\_data} - -\end{description}\end{quote} - - -\subsubsection{krb5\_k\_make\_checksum - Compute a checksum (operates on opaque key).} -\label{appdev/refs/api/krb5_k_make_checksum::doc}\label{appdev/refs/api/krb5_k_make_checksum:krb5-k-make-checksum-compute-a-checksum-operates-on-opaque-key}\index{krb5\_k\_make\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_make_checksum:c.krb5_k_make_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_make\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{input} - Input data - -\textbf{{[}out{]}} \textbf{cksum} - Generated checksum - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function computes a checksum of type \emph{cksumtype} over \emph{input} , using \emph{key} if the checksum type is a keyed checksum. If \emph{cksumtype} is 0 and \emph{key} is non-null, the checksum type will be the mandatory-to-implement checksum type for the key's encryption type. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. The newly created \emph{cksum} must be released by calling {\hyperref[appdev/refs/api/krb5_free_checksum_contents:c.krb5_free_checksum_contents]{\code{krb5\_free\_checksum\_contents()}}} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_c_make_checksum:c.krb5_c_make_checksum]{\code{krb5\_c\_make\_checksum()}}} , but operates on opaque \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_make\_checksum\_iov - Fill in a checksum element in IOV array (operates on opaque key)} -\label{appdev/refs/api/krb5_k_make_checksum_iov::doc}\label{appdev/refs/api/krb5_k_make_checksum_iov:krb5-k-make-checksum-iov-fill-in-a-checksum-element-in-iov-array-operates-on-opaque-key}\index{krb5\_k\_make\_checksum\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_make\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}inout{]}} \textbf{data} - IOV array - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Create a checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element over {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} chunks in \emph{data} . Only the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} region is modified. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov]{\code{krb5\_k\_verify\_checksum\_iov()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_c_make_checksum_iov:c.krb5_c_make_checksum_iov]{\code{krb5\_c\_make\_checksum\_iov()}}} , but operates on opaque \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_prf - Generate enctype-specific pseudo-random bytes (operates on opaque key).} -\label{appdev/refs/api/krb5_k_prf:krb5-k-prf-generate-enctype-specific-pseudo-random-bytes-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_prf::doc}\index{krb5\_k\_prf (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_prf:c.krb5_k_prf}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_prf}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ input}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ output}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Key - -\textbf{{[}in{]}} \textbf{input} - Input data - -\textbf{{[}out{]}} \textbf{output} - Output data - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function selects a pseudo-random function based on \emph{key} and computes its value over \emph{input} , placing the result into \emph{output} . The caller must preinitialize \emph{output} and allocate space for the result. - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_c_prf:c.krb5_c_prf]{\code{krb5\_c\_prf()}}} , but operates on opaque \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_reference\_key - Increment the reference count on a key.} -\label{appdev/refs/api/krb5_k_reference_key::doc}\label{appdev/refs/api/krb5_k_reference_key:krb5-k-reference-key-increment-the-reference-count-on-a-key}\index{krb5\_k\_reference\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_reference_key:c.krb5_k_reference_key}\pysiglinewithargsret{void \bfcode{krb5\_k\_reference\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{key} - -\end{description}\end{quote} - - -\subsubsection{krb5\_k\_verify\_checksum - Verify a checksum (operates on opaque key).} -\label{appdev/refs/api/krb5_k_verify_checksum::doc}\label{appdev/refs/api/krb5_k_verify_checksum:krb5-k-verify-checksum-verify-a-checksum-operates-on-opaque-key}\index{krb5\_k\_verify\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_verify_checksum:c.krb5_k_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - \emph{key} usage - -\textbf{{[}in{]}} \textbf{data} - Data to be used to compute a new checksum using \emph{key} to compare \emph{cksum} against - -\textbf{{[}in{]}} \textbf{cksum} - Checksum to be verified - -\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function verifies that \emph{cksum} is a valid checksum for \emph{data} . If the checksum type of \emph{cksum} is a keyed checksum, \emph{key} is used to verify the checksum. If the checksum type in \emph{cksum} is 0 and \emph{key} is not NULL, the mandatory checksum type for \emph{key} will be used. The actual checksum key will be derived from \emph{key} and \emph{usage} if key derivation is specified for the checksum type. - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_c_verify_checksum:c.krb5_c_verify_checksum]{\code{krb5\_c\_verify\_checksum()}}} , but operates on opaque \emph{key} . -\end{notice} - - -\subsubsection{krb5\_k\_verify\_checksum\_iov - Validate a checksum element in IOV array (operates on opaque key).} -\label{appdev/refs/api/krb5_k_verify_checksum_iov:krb5-k-verify-checksum-iov-validate-a-checksum-element-in-iov-array-operates-on-opaque-key}\label{appdev/refs/api/krb5_k_verify_checksum_iov::doc}\index{krb5\_k\_verify\_checksum\_iov (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_k_verify_checksum_iov:c.krb5_k_verify_checksum_iov}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_k\_verify\_checksum\_iov}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ cksumtype}, {\hyperref[appdev/refs/types/krb5_key:c.krb5_key]{krb5\_key}}\emph{ key}, {\hyperref[appdev/refs/types/krb5_keyusage:c.krb5_keyusage]{krb5\_keyusage}}\emph{ usage}, const {\hyperref[appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov]{krb5\_crypto\_iov}} *\emph{ data}, size\_t\emph{ num\_data}, {\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} *\emph{ valid}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}in{]}} \textbf{cksumtype} - Checksum type (0 for mandatory type) - -\textbf{{[}in{]}} \textbf{key} - Encryption key for a keyed checksum - -\textbf{{[}in{]}} \textbf{usage} - Key usage (see \code{KRB5\_KEYUSAGE} types) - -\textbf{{[}in{]}} \textbf{data} - IOV array - -\textbf{{[}in{]}} \textbf{num\_data} - Size of \emph{data} - -\textbf{{[}out{]}} \textbf{valid} - Non-zero for success, zero for failure - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -Confirm that the checksum in the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM]{\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM}}} element is a valid checksum of the {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA]{\code{KRB5\_CRYPTO\_TYPE\_DATA}}} and {\hyperref[appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY]{\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}}} regions in the iov. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_k_make_checksum_iov:c.krb5_k_make_checksum_iov]{\code{krb5\_k\_make\_checksum\_iov()}}} - - - -\begin{notice}{note}{Note:} -This function is similar to {\hyperref[appdev/refs/api/krb5_c_verify_checksum_iov:c.krb5_c_verify_checksum_iov]{\code{krb5\_c\_verify\_checksum\_iov()}}} , but operates on opaque \emph{key} . -\end{notice} - - -\subsection{Legacy convenience interfaces} -\label{appdev/refs/api/index:legacy-convenience-interfaces} - -\subsubsection{krb5\_recvauth - Server function for sendauth protocol.} -\label{appdev/refs/api/krb5_recvauth::doc}\label{appdev/refs/api/krb5_recvauth:krb5-recvauth-server-function-for-sendauth-protocol}\index{krb5\_recvauth (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_recvauth:c.krb5_recvauth}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_recvauth}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, char *\emph{ appl\_version}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{fd} - File descriptor - -\textbf{{[}in{]}} \textbf{appl\_version} - Application protocol version to be matched against the client's application version - -\textbf{{[}in{]}} \textbf{server} - Server principal (NULL for any in \emph{keytab} ) - -\textbf{{[}in{]}} \textbf{flags} - Additional specifications - -\textbf{{[}in{]}} \textbf{keytab} - Key table containing service keys - -\textbf{{[}out{]}} \textbf{ticket} - Ticket (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function performs the server side of a sendauth/recvauth exchange by sending and receiving messages over \emph{fd} . - -Use {\hyperref[appdev/refs/api/krb5_free_ticket:c.krb5_free_ticket]{\code{krb5\_free\_ticket()}}} to free \emph{ticket} when it is no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_sendauth:c.krb5_sendauth]{\code{krb5\_sendauth()}}} - - - - -\subsubsection{krb5\_recvauth\_version - Server function for sendauth protocol with version parameter.} -\label{appdev/refs/api/krb5_recvauth_version::doc}\label{appdev/refs/api/krb5_recvauth_version:krb5-recvauth-version-server-function-for-sendauth-protocol-with-version-parameter}\index{krb5\_recvauth\_version (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_recvauth_version:c.krb5_recvauth_version}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_recvauth\_version}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}}\emph{ flags}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ keytab}, {\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} **\emph{ ticket}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ version}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{fd} - File descriptor - -\textbf{{[}in{]}} \textbf{server} - Server principal (NULL for any in \emph{keytab} ) - -\textbf{{[}in{]}} \textbf{flags} - Additional specifications - -\textbf{{[}in{]}} \textbf{keytab} - Decryption key - -\textbf{{[}out{]}} \textbf{ticket} - Ticket (NULL if not needed) - -\textbf{{[}out{]}} \textbf{version} - sendauth protocol version (NULL if not needed) - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function is similar to {\hyperref[appdev/refs/api/krb5_recvauth:c.krb5_recvauth]{\code{krb5\_recvauth()}}} with the additional output information place into \emph{version} . - - -\subsubsection{krb5\_sendauth - Client function for sendauth protocol.} -\label{appdev/refs/api/krb5_sendauth:krb5-sendauth-client-function-for-sendauth-protocol}\label{appdev/refs/api/krb5_sendauth::doc}\index{krb5\_sendauth (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_sendauth:c.krb5_sendauth}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_sendauth}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}} *\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ fd}, char *\emph{ appl\_version}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ client}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ server}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ ap\_req\_options}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ in\_data}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_error:c.krb5_error]{krb5\_error}} **\emph{ error}, {\hyperref[appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part]{krb5\_ap\_rep\_enc\_part}} **\emph{ rep\_result}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{{[}in{]}} \textbf{context} - Library context - -\textbf{{[}inout{]}} \textbf{auth\_context} - Pre-existing or newly created auth context - -\textbf{{[}in{]}} \textbf{fd} - File descriptor that describes network socket - -\textbf{{[}in{]}} \textbf{appl\_version} - Application protocol version to be matched with the receiver's application version - -\textbf{{[}in{]}} \textbf{client} - Client principal - -\textbf{{[}in{]}} \textbf{server} - Server principal - -\textbf{{[}in{]}} \textbf{ap\_req\_options} - \code{AP\_OPTS} options - -\textbf{{[}in{]}} \textbf{in\_data} - Data to be sent to the server - -\textbf{{[}in{]}} \textbf{in\_creds} - Input credentials, or NULL to use \emph{ccache} - -\textbf{{[}in{]}} \textbf{ccache} - Credential cache - -\textbf{{[}out{]}} \textbf{error} - If non-null, contains KRB\_ERROR message returned from server - -\textbf{{[}out{]}} \textbf{rep\_result} - If non-null and \emph{ap\_req\_options} is {\hyperref[appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED]{\code{AP\_OPTS\_MUTUAL\_REQUIRED}}} , contains the result of mutual authentication exchange - -\textbf{{[}out{]}} \textbf{out\_creds} - If non-null, the retrieved credentials - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -0 Success; otherwise - Kerberos error codes - -\end{itemize} - -\end{description}\end{quote} - -This function performs the client side of a sendauth/recvauth exchange by sending and receiving messages over \emph{fd} . - -Credentials may be specified in three ways: -\begin{quote} -\begin{itemize} -\item {} -If \emph{in\_creds} is NULL, credentials are obtained with {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} using the principals \emph{client} and \emph{server} . \emph{server} must be non-null; \emph{client} may NULL to use the default principal of \emph{ccache} . - -\item {} -If \emph{in\_creds} is non-null, but does not contain a ticket, credentials for the exchange are obtained with {\hyperref[appdev/refs/api/krb5_get_credentials:c.krb5_get_credentials]{\code{krb5\_get\_credentials()}}} using \emph{in\_creds} . In this case, the values of \emph{client} and \emph{server} are unused. - -\item {} -If \emph{in\_creds} is a complete credentials structure, it used directly. In this case, the values of \emph{client} , \emph{server} , and \emph{ccache} are unused. - -\end{itemize} - -If the server is using a different application protocol than that specified in \emph{appl\_version} , an error will be returned. -\end{quote} - -Use {\hyperref[appdev/refs/api/krb5_free_creds:c.krb5_free_creds]{\code{krb5\_free\_creds()}}} to free \emph{out\_creds} , {\hyperref[appdev/refs/api/krb5_free_ap_rep_enc_part:c.krb5_free_ap_rep_enc_part]{\code{krb5\_free\_ap\_rep\_enc\_part()}}} to free \emph{rep\_result} , and {\hyperref[appdev/refs/api/krb5_free_error:c.krb5_free_error]{\code{krb5\_free\_error()}}} to free \emph{error} when they are no longer needed. - - -\strong{See also:} - - -{\hyperref[appdev/refs/api/krb5_recvauth:c.krb5_recvauth]{\code{krb5\_recvauth()}}} - - - - -\subsection{Deprecated public interfaces} -\label{appdev/refs/api/index:deprecated-public-interfaces} - -\subsubsection{krb5\_524\_convert\_creds - Convert a Kerberos V5 credentials to a Kerberos V4 credentials.} -\label{appdev/refs/api/krb5_524_convert_creds:krb5-524-convert-creds-convert-a-kerberos-v5-credentials-to-a-kerberos-v4-credentials}\label{appdev/refs/api/krb5_524_convert_creds::doc}\index{krb5\_524\_convert\_creds (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_524_convert_creds:c.krb5_524_convert_creds}\pysiglinewithargsret{int \bfcode{krb5\_524\_convert\_creds}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ v5creds}, struct credentials *\emph{ v4creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{v5creds} - -\textbf{v4creds} - -\end{description}\end{quote} -\begin{quote}\begin{description} -\item[{retval}] \leavevmode\begin{itemize} -\item {} -KRB524\_KRB4\_DISABLED (always) - -\end{itemize} - -\end{description}\end{quote} - -\begin{notice}{note}{Note:} -Not implemented -\end{notice} - - -\subsubsection{krb5\_auth\_con\_getlocalsubkey} -\label{appdev/refs/api/krb5_auth_con_getlocalsubkey::doc}\label{appdev/refs/api/krb5_auth_con_getlocalsubkey:krb5-auth-con-getlocalsubkey}\index{krb5\_auth\_con\_getlocalsubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getlocalsubkey:c.krb5_auth_con_getlocalsubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getlocalsubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{auth\_context} - -\textbf{keyblock} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_auth\_con\_getsendsubkey() . - - -\subsubsection{krb5\_auth\_con\_getremotesubkey} -\label{appdev/refs/api/krb5_auth_con_getremotesubkey::doc}\label{appdev/refs/api/krb5_auth_con_getremotesubkey:krb5-auth-con-getremotesubkey}\index{krb5\_auth\_con\_getremotesubkey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_getremotesubkey:c.krb5_auth_con_getremotesubkey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_getremotesubkey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{auth\_context} - -\textbf{keyblock} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_auth\_con\_getrecvsubkey() . - - -\subsubsection{krb5\_auth\_con\_initivector} -\label{appdev/refs/api/krb5_auth_con_initivector:krb5-auth-con-initivector}\label{appdev/refs/api/krb5_auth_con_initivector::doc}\index{krb5\_auth\_con\_initivector (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_auth_con_initivector:c.krb5_auth_con_initivector}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_auth\_con\_initivector}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_auth_context:c.krb5_auth_context]{krb5\_auth\_context}}\emph{ auth\_context}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{auth\_context} - -\end{description}\end{quote} - -DEPRECATED Not replaced. - -RFC 4120 doesn't have anything like the initvector concept; only really old protocols may need this API. - - -\subsubsection{krb5\_build\_principal\_va} -\label{appdev/refs/api/krb5_build_principal_va:krb5-build-principal-va}\label{appdev/refs/api/krb5_build_principal_va::doc}\index{krb5\_build\_principal\_va (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_build_principal_va:c.krb5_build_principal_va}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_build\_principal\_va}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}}\emph{ princ}, unsigned int\emph{ rlen}, const char *\emph{ realm}, va\_list\emph{ ap}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{princ} - -\textbf{rlen} - -\textbf{realm} - -\textbf{ap} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_build\_principal\_alloc\_va() . - - -\subsubsection{krb5\_c\_random\_seed} -\label{appdev/refs/api/krb5_c_random_seed:krb5-c-random-seed}\label{appdev/refs/api/krb5_c_random_seed::doc}\index{krb5\_c\_random\_seed (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_c_random_seed:c.krb5_c_random_seed}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_c\_random\_seed}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{data} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_calculate\_checksum} -\label{appdev/refs/api/krb5_calculate_checksum:krb5-calculate-checksum}\label{appdev/refs/api/krb5_calculate_checksum::doc}\index{krb5\_calculate\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_calculate_checksum:c.krb5_calculate_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_calculate\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ in}, size\_t\emph{ in\_length}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ seed}, size\_t\emph{ seed\_length}, {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ outcksum}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{ctype} - -\textbf{in} - -\textbf{in\_length} - -\textbf{seed} - -\textbf{seed\_length} - -\textbf{outcksum} - -\end{description}\end{quote} - -DEPRECATED See krb5\_c\_make\_checksum() - - -\subsubsection{krb5\_checksum\_size} -\label{appdev/refs/api/krb5_checksum_size:krb5-checksum-size}\label{appdev/refs/api/krb5_checksum_size::doc}\index{krb5\_checksum\_size (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_checksum_size:c.krb5_checksum_size}\pysiglinewithargsret{size\_t \bfcode{krb5\_checksum\_size}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{ctype} - -\end{description}\end{quote} - -DEPRECATED See krb5\_c\_checksum\_length() - - -\subsubsection{krb5\_encrypt} -\label{appdev/refs/api/krb5_encrypt:krb5-encrypt}\label{appdev/refs/api/krb5_encrypt::doc}\index{krb5\_encrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_encrypt:c.krb5_encrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_encrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ inptr}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ outptr}, size\_t\emph{ size}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ivec}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{inptr} - -\textbf{outptr} - -\textbf{size} - -\textbf{eblock} - -\textbf{ivec} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_decrypt} -\label{appdev/refs/api/krb5_decrypt:krb5-decrypt}\label{appdev/refs/api/krb5_decrypt::doc}\index{krb5\_decrypt (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_decrypt:c.krb5_decrypt}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_decrypt}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ inptr}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ outptr}, size\_t\emph{ size}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ivec}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{inptr} - -\textbf{outptr} - -\textbf{size} - -\textbf{eblock} - -\textbf{ivec} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_eblock\_enctype} -\label{appdev/refs/api/krb5_eblock_enctype::doc}\label{appdev/refs/api/krb5_eblock_enctype:krb5-eblock-enctype}\index{krb5\_eblock\_enctype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_eblock_enctype:c.krb5_eblock_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_eblock\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_encrypt\_size} -\label{appdev/refs/api/krb5_encrypt_size:krb5-encrypt-size}\label{appdev/refs/api/krb5_encrypt_size::doc}\index{krb5\_encrypt\_size (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_encrypt_size:c.krb5_encrypt_size}\pysiglinewithargsret{size\_t \bfcode{krb5\_encrypt\_size}}{size\_t\emph{ length}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ crypto}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{length} - -\textbf{crypto} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_finish\_key} -\label{appdev/refs/api/krb5_finish_key:krb5-finish-key}\label{appdev/refs/api/krb5_finish_key::doc}\index{krb5\_finish\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_finish_key:c.krb5_finish_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_finish\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_finish\_random\_key} -\label{appdev/refs/api/krb5_finish_random_key:krb5-finish-random-key}\label{appdev/refs/api/krb5_finish_random_key::doc}\index{krb5\_finish\_random\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_finish_random_key:c.krb5_finish_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_finish\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}} *\emph{ ptr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{ptr} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_cc\_gen\_new} -\label{appdev/refs/api/krb5_cc_gen_new:krb5-cc-gen-new}\label{appdev/refs/api/krb5_cc_gen_new::doc}\index{krb5\_cc\_gen\_new (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_cc_gen_new:c.krb5_cc_gen_new}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_cc\_gen\_new}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}} *\emph{ cache}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{cache} - -\end{description}\end{quote} - - -\subsubsection{krb5\_get\_credentials\_renew} -\label{appdev/refs/api/krb5_get_credentials_renew:krb5-get-credentials-renew}\label{appdev/refs/api/krb5_get_credentials_renew::doc}\index{krb5\_get\_credentials\_renew (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_credentials_renew:c.krb5_get_credentials_renew}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials\_renew}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{options} - -\textbf{ccache} - -\textbf{in\_creds} - -\textbf{out\_creds} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_get\_renewed\_creds. - - -\subsubsection{krb5\_get\_credentials\_validate} -\label{appdev/refs/api/krb5_get_credentials_validate:krb5-get-credentials-validate}\label{appdev/refs/api/krb5_get_credentials_validate::doc}\index{krb5\_get\_credentials\_validate (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_credentials_validate:c.krb5_get_credentials_validate}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_credentials\_validate}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ in\_creds}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} **\emph{ out\_creds}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{options} - -\textbf{ccache} - -\textbf{in\_creds} - -\textbf{out\_creds} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_get\_validated\_creds. - - -\subsubsection{krb5\_get\_in\_tkt\_with\_password} -\label{appdev/refs/api/krb5_get_in_tkt_with_password:krb5-get-in-tkt-with-password}\label{appdev/refs/api/krb5_get_in_tkt_with_password::doc}\index{krb5\_get\_in\_tkt\_with\_password (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_password:c.krb5_get_in_tkt_with_password}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_password}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, const char *\emph{ password}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{options} - -\textbf{addrs} - -\textbf{ktypes} - -\textbf{pre\_auth\_types} - -\textbf{password} - -\textbf{ccache} - -\textbf{creds} - -\textbf{ret\_as\_reply} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_get\_init\_creds\_password() . - - -\subsubsection{krb5\_get\_in\_tkt\_with\_skey} -\label{appdev/refs/api/krb5_get_in_tkt_with_skey:krb5-get-in-tkt-with-skey}\label{appdev/refs/api/krb5_get_in_tkt_with_skey::doc}\index{krb5\_get\_in\_tkt\_with\_skey (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_skey:c.krb5_get_in_tkt_with_skey}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_skey}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{options} - -\textbf{addrs} - -\textbf{ktypes} - -\textbf{pre\_auth\_types} - -\textbf{key} - -\textbf{ccache} - -\textbf{creds} - -\textbf{ret\_as\_reply} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_get\_init\_creds(). - - -\subsubsection{krb5\_get\_in\_tkt\_with\_keytab} -\label{appdev/refs/api/krb5_get_in_tkt_with_keytab:krb5-get-in-tkt-with-keytab}\label{appdev/refs/api/krb5_get_in_tkt_with_keytab::doc}\index{krb5\_get\_in\_tkt\_with\_keytab (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_in_tkt_with_keytab:c.krb5_get_in_tkt_with_keytab}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_get\_in\_tkt\_with\_keytab}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}}\emph{ options}, {\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} *const *\emph{ addrs}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} *\emph{ ktypes}, {\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} *\emph{ pre\_auth\_types}, {\hyperref[appdev/refs/types/krb5_keytab:c.krb5_keytab]{krb5\_keytab}}\emph{ arg\_keytab}, {\hyperref[appdev/refs/types/krb5_ccache:c.krb5_ccache]{krb5\_ccache}}\emph{ ccache}, {\hyperref[appdev/refs/types/krb5_creds:c.krb5_creds]{krb5\_creds}} *\emph{ creds}, {\hyperref[appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep]{krb5\_kdc\_rep}} **\emph{ ret\_as\_reply}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{options} - -\textbf{addrs} - -\textbf{ktypes} - -\textbf{pre\_auth\_types} - -\textbf{arg\_keytab} - -\textbf{ccache} - -\textbf{creds} - -\textbf{ret\_as\_reply} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_get\_init\_creds\_keytab() . - - -\subsubsection{krb5\_get\_init\_creds\_opt\_init} -\label{appdev/refs/api/krb5_get_init_creds_opt_init:krb5-get-init-creds-opt-init}\label{appdev/refs/api/krb5_get_init_creds_opt_init::doc}\index{krb5\_get\_init\_creds\_opt\_init (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_get_init_creds_opt_init:c.krb5_get_init_creds_opt_init}\pysiglinewithargsret{void \bfcode{krb5\_get\_init\_creds\_opt\_init}}{{\hyperref[appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt]{krb5\_get\_init\_creds\_opt}} *\emph{ opt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{opt} - -\end{description}\end{quote} - -DEPRECATED Use krb5\_get\_init\_creds\_opt\_alloc() instead. - - -\subsubsection{krb5\_init\_random\_key} -\label{appdev/refs/api/krb5_init_random_key:krb5-init-random-key}\label{appdev/refs/api/krb5_init_random_key::doc}\index{krb5\_init\_random\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_init_random_key:c.krb5_init_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_init\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}} *\emph{ ptr}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{keyblock} - -\textbf{ptr} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_kt\_free\_entry} -\label{appdev/refs/api/krb5_kt_free_entry:krb5-kt-free-entry}\label{appdev/refs/api/krb5_kt_free_entry::doc}\index{krb5\_kt\_free\_entry (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_kt_free_entry:c.krb5_kt_free_entry}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_kt\_free\_entry}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry]{krb5\_keytab\_entry}} *\emph{ entry}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{entry} - -\end{description}\end{quote} - -DEPRECATED Use krb5\_free\_keytab\_entry\_contents instead. - - -\subsubsection{krb5\_random\_key} -\label{appdev/refs/api/krb5_random_key:krb5-random-key}\label{appdev/refs/api/krb5_random_key::doc}\index{krb5\_random\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_random_key:c.krb5_random_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_random\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_pointer:c.krb5_pointer]{krb5\_pointer}}\emph{ ptr}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} **\emph{ keyblock}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{ptr} - -\textbf{keyblock} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_process\_key} -\label{appdev/refs/api/krb5_process_key:krb5-process-key}\label{appdev/refs/api/krb5_process_key::doc}\index{krb5\_process\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_process_key:c.krb5_process_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_process\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, const {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ key}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{key} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_string\_to\_key} -\label{appdev/refs/api/krb5_string_to_key:krb5-string-to-key}\label{appdev/refs/api/krb5_string_to_key::doc}\index{krb5\_string\_to\_key (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_string_to_key:c.krb5_string_to_key}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_string\_to\_key}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, const {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} *\emph{ keyblock}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ data}, const {\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} *\emph{ salt}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{keyblock} - -\textbf{data} - -\textbf{salt} - -\end{description}\end{quote} - -DEPRECATED See krb5\_c\_string\_to\_key() - - -\subsubsection{krb5\_use\_enctype} -\label{appdev/refs/api/krb5_use_enctype:krb5-use-enctype}\label{appdev/refs/api/krb5_use_enctype::doc}\index{krb5\_use\_enctype (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_use_enctype:c.krb5_use_enctype}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_use\_enctype}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block]{krb5\_encrypt\_block}} *\emph{ eblock}, {\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}}\emph{ enctype}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{eblock} - -\textbf{enctype} - -\end{description}\end{quote} - -DEPRECATED Replaced by krb5\_c\_* API family. - - -\subsubsection{krb5\_verify\_checksum} -\label{appdev/refs/api/krb5_verify_checksum::doc}\label{appdev/refs/api/krb5_verify_checksum:krb5-verify-checksum}\index{krb5\_verify\_checksum (C function)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/api/krb5_verify_checksum:c.krb5_verify_checksum}\pysiglinewithargsret{{\hyperref[appdev/refs/types/krb5_error_code:c.krb5_error_code]{krb5\_error\_code}} \bfcode{krb5\_verify\_checksum}}{{\hyperref[appdev/refs/types/krb5_context:c.krb5_context]{krb5\_context}}\emph{ context}, {\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}}\emph{ ctype}, const {\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} *\emph{ cksum}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ in}, size\_t\emph{ in\_length}, {\hyperref[appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer]{krb5\_const\_pointer}}\emph{ seed}, size\_t\emph{ seed\_length}}{} -\end{fulllineitems} - -\begin{quote}\begin{description} -\item[{param}] \leavevmode -\textbf{context} - -\textbf{ctype} - -\textbf{cksum} - -\textbf{in} - -\textbf{in\_length} - -\textbf{seed} - -\textbf{seed\_length} - -\end{description}\end{quote} - -DEPRECATED See krb5\_c\_verify\_checksum() - - -\section{krb5 types and structures} -\label{appdev/refs/types/index::doc}\label{appdev/refs/types/index:krb5-types-and-structures} - -\subsection{Public} -\label{appdev/refs/types/index:public} - -\subsubsection{krb5\_address} -\label{appdev/refs/types/krb5_address:krb5-address-struct}\label{appdev/refs/types/krb5_address::doc}\label{appdev/refs/types/krb5_address:krb5-address}\index{krb5\_address (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address}\pysigline{\bfcode{krb5\_address}} -\end{fulllineitems} - - -Structure for address. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_address:declaration} -typedef struct \_krb5\_address krb5\_address - - -\paragraph{Members} -\label{appdev/refs/types/krb5_address:members}\index{krb5\_address.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_address.magic}} -\end{fulllineitems} - -\index{krb5\_address.addrtype (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.addrtype}\pysigline{{\hyperref[appdev/refs/types/krb5_addrtype:c.krb5_addrtype]{krb5\_addrtype}} \bfcode{krb5\_address.addrtype}} -\end{fulllineitems} - -\index{krb5\_address.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.length}\pysigline{unsigned int \bfcode{krb5\_address.length}} -\end{fulllineitems} - -\index{krb5\_address.contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_address:c.krb5_address.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_address.contents}} -\end{fulllineitems} - - - -\subsubsection{krb5\_addrtype} -\label{appdev/refs/types/krb5_addrtype:krb5-addrtype}\label{appdev/refs/types/krb5_addrtype:krb5-addrtype-struct}\label{appdev/refs/types/krb5_addrtype::doc}\index{krb5\_addrtype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_addrtype:c.krb5_addrtype}\pysigline{\bfcode{krb5\_addrtype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_addrtype:declaration} -typedef krb5\_int32 krb5\_addrtype - - -\subsubsection{krb5\_ap\_req} -\label{appdev/refs/types/krb5_ap_req:krb5-ap-req}\label{appdev/refs/types/krb5_ap_req::doc}\label{appdev/refs/types/krb5_ap_req:krb5-ap-req-struct}\index{krb5\_ap\_req (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req}\pysigline{\bfcode{krb5\_ap\_req}} -\end{fulllineitems} - - -Authentication header. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ap_req:declaration} -typedef struct \_krb5\_ap\_req krb5\_ap\_req - - -\paragraph{Members} -\label{appdev/refs/types/krb5_ap_req:members}\index{krb5\_ap\_req.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_req.magic}} -\end{fulllineitems} - -\index{krb5\_ap\_req.ap\_options (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ap_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_ap\_req.ap\_options}} -Requested options. - -\end{fulllineitems} - -\index{krb5\_ap\_req.ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_ap\_req.ticket}} -Ticket. - -\end{fulllineitems} - -\index{krb5\_ap\_req.authenticator (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_req:c.krb5_ap_req.authenticator}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ap\_req.authenticator}} -Encrypted authenticator. - -\end{fulllineitems} - - - -\subsubsection{krb5\_ap\_rep} -\label{appdev/refs/types/krb5_ap_rep:krb5-ap-rep-struct}\label{appdev/refs/types/krb5_ap_rep:krb5-ap-rep}\label{appdev/refs/types/krb5_ap_rep::doc}\index{krb5\_ap\_rep (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep}\pysigline{\bfcode{krb5\_ap\_rep}} -\end{fulllineitems} - - -C representaton of AP-REP message. - -The server's response to a client's request for mutual authentication. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ap_rep:declaration} -typedef struct \_krb5\_ap\_rep krb5\_ap\_rep - - -\paragraph{Members} -\label{appdev/refs/types/krb5_ap_rep:members}\index{krb5\_ap\_rep.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_rep.magic}} -\end{fulllineitems} - -\index{krb5\_ap\_rep.enc\_part (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep:c.krb5_ap_rep.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ap\_rep.enc\_part}} -Ciphertext of ApRepEncPart. - -\end{fulllineitems} - - - -\subsubsection{krb5\_ap\_rep\_enc\_part} -\label{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part-struct}\label{appdev/refs/types/krb5_ap_rep_enc_part::doc}\label{appdev/refs/types/krb5_ap_rep_enc_part:krb5-ap-rep-enc-part}\index{krb5\_ap\_rep\_enc\_part (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part}\pysigline{\bfcode{krb5\_ap\_rep\_enc\_part}} -\end{fulllineitems} - - -Cleartext that is encrypted and put into \code{\_krb5\_ap\_rep} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ap_rep_enc_part:declaration} -typedef struct \_krb5\_ap\_rep\_enc\_part krb5\_ap\_rep\_enc\_part - - -\paragraph{Members} -\label{appdev/refs/types/krb5_ap_rep_enc_part:members}\index{krb5\_ap\_rep\_enc\_part.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ap\_rep\_enc\_part.magic}} -\end{fulllineitems} - -\index{krb5\_ap\_rep\_enc\_part.ctime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ap\_rep\_enc\_part.ctime}} -Client time, seconds portion. - -\end{fulllineitems} - -\index{krb5\_ap\_rep\_enc\_part.cusec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_ap\_rep\_enc\_part.cusec}} -Client time, microseconds portion. - -\end{fulllineitems} - -\index{krb5\_ap\_rep\_enc\_part.subkey (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.subkey}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_ap\_rep\_enc\_part.subkey}} -Subkey (optional) - -\end{fulllineitems} - -\index{krb5\_ap\_rep\_enc\_part.seq\_number (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ap_rep_enc_part:c.krb5_ap_rep_enc_part.seq_number}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_ap\_rep\_enc\_part.seq\_number}} -Sequence number. - -\end{fulllineitems} - - - -\subsubsection{krb5\_authdata} -\label{appdev/refs/types/krb5_authdata:krb5-authdata}\label{appdev/refs/types/krb5_authdata::doc}\label{appdev/refs/types/krb5_authdata:krb5-authdata-struct}\index{krb5\_authdata (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata}\pysigline{\bfcode{krb5\_authdata}} -\end{fulllineitems} - - -Structure for auth data. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_authdata:declaration} -typedef struct \_krb5\_authdata krb5\_authdata - - -\paragraph{Members} -\label{appdev/refs/types/krb5_authdata:members}\index{krb5\_authdata.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_authdata.magic}} -\end{fulllineitems} - -\index{krb5\_authdata.ad\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.ad_type}\pysigline{{\hyperref[appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype]{krb5\_authdatatype}} \bfcode{krb5\_authdata.ad\_type}} -ADTYPE. - -\end{fulllineitems} - -\index{krb5\_authdata.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.length}\pysigline{unsigned int \bfcode{krb5\_authdata.length}} -Length of data. - -\end{fulllineitems} - -\index{krb5\_authdata.contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdata:c.krb5_authdata.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_authdata.contents}} -Data. - -\end{fulllineitems} - - - -\subsubsection{krb5\_authdatatype} -\label{appdev/refs/types/krb5_authdatatype:krb5-authdatatype-struct}\label{appdev/refs/types/krb5_authdatatype::doc}\label{appdev/refs/types/krb5_authdatatype:krb5-authdatatype}\index{krb5\_authdatatype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authdatatype:c.krb5_authdatatype}\pysigline{\bfcode{krb5\_authdatatype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_authdatatype:declaration} -typedef krb5\_int32 krb5\_authdatatype - - -\subsubsection{krb5\_authenticator} -\label{appdev/refs/types/krb5_authenticator:krb5-authenticator-struct}\label{appdev/refs/types/krb5_authenticator:krb5-authenticator}\label{appdev/refs/types/krb5_authenticator::doc}\index{krb5\_authenticator (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator}\pysigline{\bfcode{krb5\_authenticator}} -\end{fulllineitems} - - -Ticket authenticator. - -The C representation of an unencrypted authenticator. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_authenticator:declaration} -typedef struct \_krb5\_authenticator krb5\_authenticator - - -\paragraph{Members} -\label{appdev/refs/types/krb5_authenticator:members}\index{krb5\_authenticator.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_authenticator.magic}} -\end{fulllineitems} - -\index{krb5\_authenticator.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_authenticator.client}} -client name/realm - -\end{fulllineitems} - -\index{krb5\_authenticator.checksum (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.checksum}\pysigline{{\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} * \bfcode{krb5\_authenticator.checksum}} -checksum, includes type, optional - -\end{fulllineitems} - -\index{krb5\_authenticator.cusec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_authenticator.cusec}} -client usec portion - -\end{fulllineitems} - -\index{krb5\_authenticator.ctime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_authenticator.ctime}} -client sec portion - -\end{fulllineitems} - -\index{krb5\_authenticator.subkey (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.subkey}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_authenticator.subkey}} -true session key, optional - -\end{fulllineitems} - -\index{krb5\_authenticator.seq\_number (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.seq_number}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_authenticator.seq\_number}} -sequence \#, optional - -\end{fulllineitems} - -\index{krb5\_authenticator.authorization\_data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_authenticator:c.krb5_authenticator.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_authenticator.authorization\_data}} -authoriazation data - -\end{fulllineitems} - - - -\subsubsection{krb5\_boolean} -\label{appdev/refs/types/krb5_boolean:krb5-boolean-struct}\label{appdev/refs/types/krb5_boolean::doc}\label{appdev/refs/types/krb5_boolean:krb5-boolean}\index{krb5\_boolean (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_boolean:c.krb5_boolean}\pysigline{\bfcode{krb5\_boolean}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_boolean:declaration} -typedef unsigned int krb5\_boolean - - -\subsubsection{krb5\_checksum} -\label{appdev/refs/types/krb5_checksum::doc}\label{appdev/refs/types/krb5_checksum:krb5-checksum}\label{appdev/refs/types/krb5_checksum:krb5-checksum-struct}\index{krb5\_checksum (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum}\pysigline{\bfcode{krb5\_checksum}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_checksum:declaration} -typedef struct \_krb5\_checksum krb5\_checksum - - -\paragraph{Members} -\label{appdev/refs/types/krb5_checksum:members}\index{krb5\_checksum.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_checksum.magic}} -\end{fulllineitems} - -\index{krb5\_checksum.checksum\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.checksum_type}\pysigline{{\hyperref[appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype]{krb5\_cksumtype}} \bfcode{krb5\_checksum.checksum\_type}} -\end{fulllineitems} - -\index{krb5\_checksum.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.length}\pysigline{unsigned int \bfcode{krb5\_checksum.length}} -\end{fulllineitems} - -\index{krb5\_checksum.contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_checksum:c.krb5_checksum.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_checksum.contents}} -\end{fulllineitems} - - - -\subsubsection{krb5\_const\_pointer} -\label{appdev/refs/types/krb5_const_pointer:krb5-const-pointer}\label{appdev/refs/types/krb5_const_pointer::doc}\label{appdev/refs/types/krb5_const_pointer:krb5-const-pointer-struct}\index{krb5\_const\_pointer (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_pointer:c.krb5_const_pointer}\pysigline{\bfcode{krb5\_const\_pointer}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_const_pointer:declaration} -typedef void const* krb5\_const\_pointer - - -\subsubsection{krb5\_const\_principal} -\label{appdev/refs/types/krb5_const_principal:krb5-const-principal-struct}\label{appdev/refs/types/krb5_const_principal:krb5-const-principal}\label{appdev/refs/types/krb5_const_principal::doc}\index{krb5\_const\_principal (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}\pysigline{\bfcode{krb5\_const\_principal}} -\end{fulllineitems} - - -Constant version of {\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_const_principal:declaration} -typedef const krb5\_principal\_data* krb5\_const\_principal - - -\paragraph{Members} -\label{appdev/refs/types/krb5_const_principal:members}\index{krb5\_const\_principal.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_const\_principal.magic}} -\end{fulllineitems} - -\index{krb5\_const\_principal.realm (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_const\_principal.realm}} -\end{fulllineitems} - -\index{krb5\_const\_principal.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_const\_principal.data}} -An array of strings. - -\end{fulllineitems} - -\index{krb5\_const\_principal.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.length}} -\end{fulllineitems} - -\index{krb5\_const\_principal.type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.type}} -\end{fulllineitems} - - - -\subsubsection{krb5\_cred} -\label{appdev/refs/types/krb5_cred:krb5-cred-struct}\label{appdev/refs/types/krb5_cred::doc}\label{appdev/refs/types/krb5_cred:krb5-cred}\index{krb5\_cred (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred}\pysigline{\bfcode{krb5\_cred}} -\end{fulllineitems} - - -Credentials data structure. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cred:declaration} -typedef struct \_krb5\_cred krb5\_cred - - -\paragraph{Members} -\label{appdev/refs/types/krb5_cred:members}\index{krb5\_cred.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred.magic}} -\end{fulllineitems} - -\index{krb5\_cred.tickets (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.tickets}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} ** \bfcode{krb5\_cred.tickets}} -Tickets. - -\end{fulllineitems} - -\index{krb5\_cred.enc\_part (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_cred.enc\_part}} -Encrypted part. - -\end{fulllineitems} - -\index{krb5\_cred.enc\_part2 (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred:c.krb5_cred.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part]{krb5\_cred\_enc\_part}} * \bfcode{krb5\_cred.enc\_part2}} -Unencrypted version, if available. - -\end{fulllineitems} - - - -\subsubsection{krb5\_cred\_enc\_part} -\label{appdev/refs/types/krb5_cred_enc_part::doc}\label{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part}\label{appdev/refs/types/krb5_cred_enc_part:krb5-cred-enc-part-struct}\index{krb5\_cred\_enc\_part (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part}\pysigline{\bfcode{krb5\_cred\_enc\_part}} -\end{fulllineitems} - - -Cleartext credentials information. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cred_enc_part:declaration} -typedef struct \_krb5\_cred\_enc\_part krb5\_cred\_enc\_part - - -\paragraph{Members} -\label{appdev/refs/types/krb5_cred_enc_part:members}\index{krb5\_cred\_enc\_part.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred\_enc\_part.magic}} -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.nonce (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_cred\_enc\_part.nonce}} -Nonce (optional) - -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.timestamp (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_cred\_enc\_part.timestamp}} -Generation time, seconds portion. - -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.usec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.usec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_cred\_enc\_part.usec}} -Generation time, microseconds portion. - -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.s\_address (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.s_address}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} * \bfcode{krb5\_cred\_enc\_part.s\_address}} -Sender address (optional) - -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.r\_address (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.r_address}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} * \bfcode{krb5\_cred\_enc\_part.r\_address}} -Recipient address (optional) - -\end{fulllineitems} - -\index{krb5\_cred\_enc\_part.ticket\_info (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_enc_part:c.krb5_cred_enc_part.ticket_info}\pysigline{{\hyperref[appdev/refs/types/krb5_cred_info:c.krb5_cred_info]{krb5\_cred\_info}} ** \bfcode{krb5\_cred\_enc\_part.ticket\_info}} -\end{fulllineitems} - - - -\subsubsection{krb5\_cred\_info} -\label{appdev/refs/types/krb5_cred_info:krb5-cred-info-struct}\label{appdev/refs/types/krb5_cred_info::doc}\label{appdev/refs/types/krb5_cred_info:krb5-cred-info}\index{krb5\_cred\_info (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info}\pysigline{\bfcode{krb5\_cred\_info}} -\end{fulllineitems} - - -Credentials information inserted into \emph{EncKrbCredPart} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cred_info:declaration} -typedef struct \_krb5\_cred\_info krb5\_cred\_info - - -\paragraph{Members} -\label{appdev/refs/types/krb5_cred_info:members}\index{krb5\_cred\_info.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_cred\_info.magic}} -\end{fulllineitems} - -\index{krb5\_cred\_info.session (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_cred\_info.session}} -Session key used to encrypt ticket. - -\end{fulllineitems} - -\index{krb5\_cred\_info.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_cred\_info.client}} -Client principal and realm. - -\end{fulllineitems} - -\index{krb5\_cred\_info.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_cred\_info.server}} -Server principal and realm. - -\end{fulllineitems} - -\index{krb5\_cred\_info.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_cred\_info.flags}} -Ticket flags. - -\end{fulllineitems} - -\index{krb5\_cred\_info.times (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_cred\_info.times}} -Auth, start, end, renew\_till. - -\end{fulllineitems} - -\index{krb5\_cred\_info.caddrs (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cred_info:c.krb5_cred_info.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_cred\_info.caddrs}} -Array of pointers to addrs (optional) - -\end{fulllineitems} - - - -\subsubsection{krb5\_creds} -\label{appdev/refs/types/krb5_creds::doc}\label{appdev/refs/types/krb5_creds:krb5-creds}\label{appdev/refs/types/krb5_creds:krb5-creds-struct}\index{krb5\_creds (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds}\pysigline{\bfcode{krb5\_creds}} -\end{fulllineitems} - - -Credentials structure including ticket, session key, and lifetime info. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_creds:declaration} -typedef struct \_krb5\_creds krb5\_creds - - -\paragraph{Members} -\label{appdev/refs/types/krb5_creds:members}\index{krb5\_creds.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_creds.magic}} -\end{fulllineitems} - -\index{krb5\_creds.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_creds.client}} -client's principal identifier - -\end{fulllineitems} - -\index{krb5\_creds.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_creds.server}} -server's principal identifier - -\end{fulllineitems} - -\index{krb5\_creds.keyblock (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.keyblock}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} \bfcode{krb5\_creds.keyblock}} -session encryption key info - -\end{fulllineitems} - -\index{krb5\_creds.times (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_creds.times}} -lifetime info - -\end{fulllineitems} - -\index{krb5\_creds.is\_skey (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.is_skey}\pysigline{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_creds.is\_skey}} -true if ticket is encrypted in another ticket's skey - -\end{fulllineitems} - -\index{krb5\_creds.ticket\_flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.ticket_flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_creds.ticket\_flags}} -flags in ticket - -\end{fulllineitems} - -\index{krb5\_creds.addresses (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.addresses}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_creds.addresses}} -addrs in ticket - -\end{fulllineitems} - -\index{krb5\_creds.ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_creds.ticket}} -ticket string itself - -\end{fulllineitems} - -\index{krb5\_creds.second\_ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.second_ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_creds.second\_ticket}} -second ticket, if related to ticket (via DUPLICATE-SKEY or ENC-TKT-IN-SKEY) - -\end{fulllineitems} - -\index{krb5\_creds.authdata (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_creds:c.krb5_creds.authdata}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_creds.authdata}} -authorization data - -\end{fulllineitems} - - - -\subsubsection{krb5\_crypto\_iov} -\label{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov}\label{appdev/refs/types/krb5_crypto_iov::doc}\label{appdev/refs/types/krb5_crypto_iov:krb5-crypto-iov-struct}\index{krb5\_crypto\_iov (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov}\pysigline{\bfcode{krb5\_crypto\_iov}} -\end{fulllineitems} - - -Structure to describe a region of text to be encrypted or decrypted. - -The \emph{flags} member describes the type of the iov. The \emph{data} member points to the memory that will be manipulated. All iov APIs take a pointer to the first element of an array of krb5\_crypto\_iov's along with the size of that array. Buffer contents are manipulated in-place; data is overwritten. Callers must allocate the right number of krb5\_crypto\_iov structures before calling into an iov API. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_crypto_iov:declaration} -typedef struct \_krb5\_crypto\_iov krb5\_crypto\_iov - - -\paragraph{Members} -\label{appdev/refs/types/krb5_crypto_iov:members}\index{krb5\_crypto\_iov.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype]{krb5\_cryptotype}} \bfcode{krb5\_crypto\_iov.flags}} -\code{KRB5\_CRYPTO\_TYPE} type of the iov - -\end{fulllineitems} - -\index{krb5\_crypto\_iov.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_crypto_iov:c.krb5_crypto_iov.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_crypto\_iov.data}} -\end{fulllineitems} - - - -\subsubsection{krb5\_cryptotype} -\label{appdev/refs/types/krb5_cryptotype:krb5-cryptotype}\label{appdev/refs/types/krb5_cryptotype::doc}\label{appdev/refs/types/krb5_cryptotype:krb5-cryptotype-struct}\index{krb5\_cryptotype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cryptotype:c.krb5_cryptotype}\pysigline{\bfcode{krb5\_cryptotype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cryptotype:declaration} -typedef krb5\_int32 krb5\_cryptotype - - -\subsubsection{krb5\_data} -\label{appdev/refs/types/krb5_data:krb5-data}\label{appdev/refs/types/krb5_data::doc}\label{appdev/refs/types/krb5_data:krb5-data-struct}\index{krb5\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data}\pysigline{\bfcode{krb5\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_data:declaration} -typedef struct \_krb5\_data krb5\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_data:members}\index{krb5\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_data.magic}} -\end{fulllineitems} - -\index{krb5\_data.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.length}\pysigline{unsigned int \bfcode{krb5\_data.length}} -\end{fulllineitems} - -\index{krb5\_data.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_data:c.krb5_data.data}\pysigline{char * \bfcode{krb5\_data.data}} -\end{fulllineitems} - - - -\subsubsection{krb5\_deltat} -\label{appdev/refs/types/krb5_deltat:krb5-deltat}\label{appdev/refs/types/krb5_deltat:krb5-deltat-struct}\label{appdev/refs/types/krb5_deltat::doc}\index{krb5\_deltat (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_deltat:c.krb5_deltat}\pysigline{\bfcode{krb5\_deltat}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_deltat:declaration} -typedef krb5\_int32 krb5\_deltat - - -\subsubsection{krb5\_enc\_data} -\label{appdev/refs/types/krb5_enc_data::doc}\label{appdev/refs/types/krb5_enc_data:krb5-enc-data}\label{appdev/refs/types/krb5_enc_data:krb5-enc-data-struct}\index{krb5\_enc\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data}\pysigline{\bfcode{krb5\_enc\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_enc_data:declaration} -typedef struct \_krb5\_enc\_data krb5\_enc\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_enc_data:members}\index{krb5\_enc\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_data.magic}} -\end{fulllineitems} - -\index{krb5\_enc\_data.enctype (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.enctype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_enc\_data.enctype}} -\end{fulllineitems} - -\index{krb5\_enc\_data.kvno (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.kvno}\pysigline{{\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}} \bfcode{krb5\_enc\_data.kvno}} -\end{fulllineitems} - -\index{krb5\_enc\_data.ciphertext (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_data:c.krb5_enc_data.ciphertext}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_enc\_data.ciphertext}} -\end{fulllineitems} - - - -\subsubsection{krb5\_enc\_kdc\_rep\_part} -\label{appdev/refs/types/krb5_enc_kdc_rep_part::doc}\label{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part}\label{appdev/refs/types/krb5_enc_kdc_rep_part:krb5-enc-kdc-rep-part-struct}\index{krb5\_enc\_kdc\_rep\_part (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part}\pysigline{\bfcode{krb5\_enc\_kdc\_rep\_part}} -\end{fulllineitems} - - -C representation of \emph{EncKDCRepPart} protocol message. - -This is the cleartext message that is encrypted and inserted in \emph{KDC-REP} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_enc_kdc_rep_part:declaration} -typedef struct \_krb5\_enc\_kdc\_rep\_part krb5\_enc\_kdc\_rep\_part - - -\paragraph{Members} -\label{appdev/refs/types/krb5_enc_kdc_rep_part:members}\index{krb5\_enc\_kdc\_rep\_part.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_kdc\_rep\_part.magic}} -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.msg\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_enc\_kdc\_rep\_part.msg\_type}} -krb5 message type - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.session (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_enc\_kdc\_rep\_part.session}} -Session key. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.last\_req (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.last_req}\pysigline{{\hyperref[appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry]{krb5\_last\_req\_entry}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.last\_req}} -Array of pointers to entries. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.nonce (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_enc\_kdc\_rep\_part.nonce}} -Nonce from request. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.key\_exp (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.key_exp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_enc\_kdc\_rep\_part.key\_exp}} -Expiration date. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_enc\_kdc\_rep\_part.flags}} -Ticket flags. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.times (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_enc\_kdc\_rep\_part.times}} -Lifetime info. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_enc\_kdc\_rep\_part.server}} -Server's principal identifier. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.caddrs (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.caddrs}} -Array of ptrs to addrs, optional. - -\end{fulllineitems} - -\index{krb5\_enc\_kdc\_rep\_part.enc\_padata (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part.enc_padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_enc\_kdc\_rep\_part.enc\_padata}} -Encrypted preauthentication data. - -\end{fulllineitems} - - - -\subsubsection{krb5\_enc\_tkt\_part} -\label{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part}\label{appdev/refs/types/krb5_enc_tkt_part::doc}\label{appdev/refs/types/krb5_enc_tkt_part:krb5-enc-tkt-part-struct}\index{krb5\_enc\_tkt\_part (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part}\pysigline{\bfcode{krb5\_enc\_tkt\_part}} -\end{fulllineitems} - - -Encrypted part of ticket. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_enc_tkt_part:declaration} -typedef struct \_krb5\_enc\_tkt\_part krb5\_enc\_tkt\_part - - -\paragraph{Members} -\label{appdev/refs/types/krb5_enc_tkt_part:members}\index{krb5\_enc\_tkt\_part.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_enc\_tkt\_part.magic}} -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_enc\_tkt\_part.flags}} -flags - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.session (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.session}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_enc\_tkt\_part.session}} -session key: includes enctype - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_enc\_tkt\_part.client}} -client name/realm - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.transited (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.transited}\pysigline{{\hyperref[appdev/refs/types/krb5_transited:c.krb5_transited]{krb5\_transited}} \bfcode{krb5\_enc\_tkt\_part.transited}} -list of transited realms - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.times (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.times}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times]{krb5\_ticket\_times}} \bfcode{krb5\_enc\_tkt\_part.times}} -auth, start, end, renew\_till - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.caddrs (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.caddrs}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_enc\_tkt\_part.caddrs}} -array of ptrs to addresses - -\end{fulllineitems} - -\index{krb5\_enc\_tkt\_part.authorization\_data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_enc\_tkt\_part.authorization\_data}} -auth data - -\end{fulllineitems} - - - -\subsubsection{krb5\_encrypt\_block} -\label{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block}\label{appdev/refs/types/krb5_encrypt_block:krb5-encrypt-block-struct}\label{appdev/refs/types/krb5_encrypt_block::doc}\index{krb5\_encrypt\_block (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block}\pysigline{\bfcode{krb5\_encrypt\_block}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_encrypt_block:declaration} -typedef struct \_krb5\_encrypt\_block krb5\_encrypt\_block - - -\paragraph{Members} -\label{appdev/refs/types/krb5_encrypt_block:members}\index{krb5\_encrypt\_block.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_encrypt\_block.magic}} -\end{fulllineitems} - -\index{krb5\_encrypt\_block.crypto\_entry (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.crypto_entry}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_encrypt\_block.crypto\_entry}} -\end{fulllineitems} - -\index{krb5\_encrypt\_block.key (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_encrypt_block:c.krb5_encrypt_block.key}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} * \bfcode{krb5\_encrypt\_block.key}} -\end{fulllineitems} - - - -\subsubsection{krb5\_enctype} -\label{appdev/refs/types/krb5_enctype:krb5-enctype-struct}\label{appdev/refs/types/krb5_enctype:krb5-enctype}\label{appdev/refs/types/krb5_enctype::doc}\index{krb5\_enctype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_enctype:c.krb5_enctype}\pysigline{\bfcode{krb5\_enctype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_enctype:declaration} -typedef krb5\_int32 krb5\_enctype - - -\subsubsection{krb5\_error} -\label{appdev/refs/types/krb5_error:krb5-error-struct}\label{appdev/refs/types/krb5_error:krb5-error}\label{appdev/refs/types/krb5_error::doc}\index{krb5\_error (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error}\pysigline{\bfcode{krb5\_error}} -\end{fulllineitems} - - -Error message structure. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_error:declaration} -typedef struct \_krb5\_error krb5\_error - - -\paragraph{Members} -\label{appdev/refs/types/krb5_error:members}\index{krb5\_error.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_error.magic}} -\end{fulllineitems} - -\index{krb5\_error.ctime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.ctime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_error.ctime}} -Client sec portion; optional. - -\end{fulllineitems} - -\index{krb5\_error.cusec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.cusec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_error.cusec}} -Client usec portion; optional. - -\end{fulllineitems} - -\index{krb5\_error.susec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.susec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_error.susec}} -Server usec portion. - -\end{fulllineitems} - -\index{krb5\_error.stime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.stime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_error.stime}} -Server sec portion. - -\end{fulllineitems} - -\index{krb5\_error.error (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.error}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_error.error}} -Error code (protocol error \#'s) - -\end{fulllineitems} - -\index{krb5\_error.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_error.client}} -Client principal and realm. - -\end{fulllineitems} - -\index{krb5\_error.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_error.server}} -Server principal and realm. - -\end{fulllineitems} - -\index{krb5\_error.text (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.text}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_error.text}} -Descriptive text. - -\end{fulllineitems} - -\index{krb5\_error.e\_data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error:c.krb5_error.e_data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_error.e\_data}} -Additional error-describing data. - -\end{fulllineitems} - - - -\subsubsection{krb5\_error\_code} -\label{appdev/refs/types/krb5_error_code:krb5-error-code}\label{appdev/refs/types/krb5_error_code::doc}\label{appdev/refs/types/krb5_error_code:krb5-error-code-struct}\index{krb5\_error\_code (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_error_code:c.krb5_error_code}\pysigline{\bfcode{krb5\_error\_code}} -\end{fulllineitems} - - -Used to convey an operation status. - -The value 0 indicates success; any other values are com\_err codes. Use {\hyperref[appdev/refs/api/krb5_get_error_message:c.krb5_get_error_message]{\code{krb5\_get\_error\_message()}}} to obtain a string describing the error. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_error_code:declaration} -typedef krb5\_int32 krb5\_error\_code - - -\subsubsection{krb5\_expire\_callback\_func} -\label{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func}\label{appdev/refs/types/krb5_expire_callback_func::doc}\label{appdev/refs/types/krb5_expire_callback_func:krb5-expire-callback-func-struct}\index{krb5\_expire\_callback\_func (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_expire_callback_func:c.krb5_expire_callback_func}\pysigline{\bfcode{krb5\_expire\_callback\_func}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_expire_callback_func:declaration} -typedef void( * krb5\_expire\_callback\_func)(krb5\_context context, void *data, krb5\_timestamp password\_expiration, krb5\_timestamp account\_expiration, krb5\_boolean is\_last\_req) - - -\subsubsection{krb5\_flags} -\label{appdev/refs/types/krb5_flags:krb5-flags-struct}\label{appdev/refs/types/krb5_flags:krb5-flags}\label{appdev/refs/types/krb5_flags::doc}\index{krb5\_flags (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_flags:c.krb5_flags}\pysigline{\bfcode{krb5\_flags}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_flags:declaration} -typedef krb5\_int32 krb5\_flags - - -\subsubsection{krb5\_get\_init\_creds\_opt} -\label{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt-struct}\label{appdev/refs/types/krb5_get_init_creds_opt::doc}\label{appdev/refs/types/krb5_get_init_creds_opt:krb5-get-init-creds-opt}\index{krb5\_get\_init\_creds\_opt (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt}\pysigline{\bfcode{krb5\_get\_init\_creds\_opt}} -\end{fulllineitems} - - -Store options for \emph{\_krb5\_get\_init\_creds} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_get_init_creds_opt:declaration} -typedef struct \_krb5\_get\_init\_creds\_opt krb5\_get\_init\_creds\_opt - - -\paragraph{Members} -\label{appdev/refs/types/krb5_get_init_creds_opt:members}\index{krb5\_get\_init\_creds\_opt.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_get\_init\_creds\_opt.flags}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.tkt\_life (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.tkt_life}\pysigline{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} \bfcode{krb5\_get\_init\_creds\_opt.tkt\_life}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.renew\_life (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.renew_life}\pysigline{{\hyperref[appdev/refs/types/krb5_deltat:c.krb5_deltat]{krb5\_deltat}} \bfcode{krb5\_get\_init\_creds\_opt.renew\_life}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.forwardable (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.forwardable}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.forwardable}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.proxiable (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.proxiable}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.proxiable}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.etype\_list (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} * \bfcode{krb5\_get\_init\_creds\_opt.etype\_list}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.etype\_list\_length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.etype_list_length}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.etype\_list\_length}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.address\_list (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.address_list}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_get\_init\_creds\_opt.address\_list}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.preauth\_list (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list}\pysigline{{\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} * \bfcode{krb5\_get\_init\_creds\_opt.preauth\_list}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.preauth\_list\_length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.preauth_list_length}\pysigline{int \bfcode{krb5\_get\_init\_creds\_opt.preauth\_list\_length}} -\end{fulllineitems} - -\index{krb5\_get\_init\_creds\_opt.salt (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_get_init_creds_opt:c.krb5_get_init_creds_opt.salt}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_get\_init\_creds\_opt.salt}} -\end{fulllineitems} - - - -\subsubsection{krb5\_gic\_opt\_pa\_data} -\label{appdev/refs/types/krb5_gic_opt_pa_data::doc}\label{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data}\label{appdev/refs/types/krb5_gic_opt_pa_data:krb5-gic-opt-pa-data-struct}\index{krb5\_gic\_opt\_pa\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data}\pysigline{\bfcode{krb5\_gic\_opt\_pa\_data}} -\end{fulllineitems} - - -Generic preauth option attribute/value pairs. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_gic_opt_pa_data:declaration} -typedef struct \_krb5\_gic\_opt\_pa\_data krb5\_gic\_opt\_pa\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_gic_opt_pa_data:members}\index{krb5\_gic\_opt\_pa\_data.attr (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.attr}\pysigline{char * \bfcode{krb5\_gic\_opt\_pa\_data.attr}} -\end{fulllineitems} - -\index{krb5\_gic\_opt\_pa\_data.value (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_gic_opt_pa_data:c.krb5_gic_opt_pa_data.value}\pysigline{char * \bfcode{krb5\_gic\_opt\_pa\_data.value}} -\end{fulllineitems} - - - -\subsubsection{krb5\_int16} -\label{appdev/refs/types/krb5_int16:krb5-int16-struct}\label{appdev/refs/types/krb5_int16:krb5-int16}\label{appdev/refs/types/krb5_int16::doc}\index{krb5\_int16 (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_int16:c.krb5_int16}\pysigline{\bfcode{krb5\_int16}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_int16:declaration} -typedef int16\_t krb5\_int16 - - -\subsubsection{krb5\_int32} -\label{appdev/refs/types/krb5_int32:krb5-int32-struct}\label{appdev/refs/types/krb5_int32::doc}\label{appdev/refs/types/krb5_int32:krb5-int32}\index{krb5\_int32 (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_int32:c.krb5_int32}\pysigline{\bfcode{krb5\_int32}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_int32:declaration} -typedef int32\_t krb5\_int32 - - -\subsubsection{krb5\_kdc\_rep} -\label{appdev/refs/types/krb5_kdc_rep::doc}\label{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep}\label{appdev/refs/types/krb5_kdc_rep:krb5-kdc-rep-struct}\index{krb5\_kdc\_rep (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep}\pysigline{\bfcode{krb5\_kdc\_rep}} -\end{fulllineitems} - - -Representation of the \emph{KDC-REP} protocol message. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_kdc_rep:declaration} -typedef struct \_krb5\_kdc\_rep krb5\_kdc\_rep - - -\paragraph{Members} -\label{appdev/refs/types/krb5_kdc_rep:members}\index{krb5\_kdc\_rep.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_kdc\_rep.magic}} -\end{fulllineitems} - -\index{krb5\_kdc\_rep.msg\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_kdc\_rep.msg\_type}} -KRB5\_AS\_REP or KRB5\_KDC\_REP. - -\end{fulllineitems} - -\index{krb5\_kdc\_rep.padata (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_kdc\_rep.padata}} -Preauthentication data from KDC. - -\end{fulllineitems} - -\index{krb5\_kdc\_rep.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_rep.client}} -Client principal and realm. - -\end{fulllineitems} - -\index{krb5\_kdc\_rep.ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_kdc\_rep.ticket}} -Ticket. - -\end{fulllineitems} - -\index{krb5\_kdc\_rep.enc\_part (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_kdc\_rep.enc\_part}} -Encrypted part of reply. - -\end{fulllineitems} - -\index{krb5\_kdc\_rep.enc\_part2 (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_rep:c.krb5_kdc_rep.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_kdc_rep_part:c.krb5_enc_kdc_rep_part]{krb5\_enc\_kdc\_rep\_part}} * \bfcode{krb5\_kdc\_rep.enc\_part2}} -Unencrypted version, if available. - -\end{fulllineitems} - - - -\subsubsection{krb5\_kdc\_req} -\label{appdev/refs/types/krb5_kdc_req:krb5-kdc-req-struct}\label{appdev/refs/types/krb5_kdc_req:krb5-kdc-req}\label{appdev/refs/types/krb5_kdc_req::doc}\index{krb5\_kdc\_req (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req}\pysigline{\bfcode{krb5\_kdc\_req}} -\end{fulllineitems} - - -C representation of KDC-REQ protocol message, including KDC-REQ-BODY. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_kdc_req:declaration} -typedef struct \_krb5\_kdc\_req krb5\_kdc\_req - - -\paragraph{Members} -\label{appdev/refs/types/krb5_kdc_req:members}\index{krb5\_kdc\_req.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_kdc\_req.magic}} -\end{fulllineitems} - -\index{krb5\_kdc\_req.msg\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.msg_type}\pysigline{{\hyperref[appdev/refs/types/krb5_msgtype:c.krb5_msgtype]{krb5\_msgtype}} \bfcode{krb5\_kdc\_req.msg\_type}} -KRB5\_AS\_REQ or KRB5\_TGS\_REQ. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.padata (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.padata}\pysigline{{\hyperref[appdev/refs/types/krb5_pa_data:c.krb5_pa_data]{krb5\_pa\_data}} ** \bfcode{krb5\_kdc\_req.padata}} -Preauthentication data. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.kdc\_options (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.kdc_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_kdc\_req.kdc\_options}} -Requested options. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.client (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.client}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_req.client}} -Client principal and realm. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_kdc\_req.server}} -Server principal and realm. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.from (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.from}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.from}} -Requested start time. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.till (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.till}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.till}} -Requested end time. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.rtime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.rtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_kdc\_req.rtime}} -Requested renewable end time. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.nonce (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_kdc\_req.nonce}} -Nonce to match request and response. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.nktypes (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.nktypes}\pysigline{int \bfcode{krb5\_kdc\_req.nktypes}} -Number of enctypes. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.ktype (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.ktype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} * \bfcode{krb5\_kdc\_req.ktype}} -Requested enctypes. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.addresses (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.addresses}\pysigline{{\hyperref[appdev/refs/types/krb5_address:c.krb5_address]{krb5\_address}} ** \bfcode{krb5\_kdc\_req.addresses}} -Requested addresses (optional) - -\end{fulllineitems} - -\index{krb5\_kdc\_req.authorization\_data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.authorization_data}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_kdc\_req.authorization\_data}} -Encrypted authz data (optional) - -\end{fulllineitems} - -\index{krb5\_kdc\_req.unenc\_authdata (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.unenc_authdata}\pysigline{{\hyperref[appdev/refs/types/krb5_authdata:c.krb5_authdata]{krb5\_authdata}} ** \bfcode{krb5\_kdc\_req.unenc\_authdata}} -Unencrypted authz data. - -\end{fulllineitems} - -\index{krb5\_kdc\_req.second\_ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kdc_req:c.krb5_kdc_req.second_ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} ** \bfcode{krb5\_kdc\_req.second\_ticket}} -Second ticket array (optional) - -\end{fulllineitems} - - - -\subsubsection{krb5\_keyblock} -\label{appdev/refs/types/krb5_keyblock:krb5-keyblock}\label{appdev/refs/types/krb5_keyblock::doc}\label{appdev/refs/types/krb5_keyblock:krb5-keyblock-struct}\index{krb5\_keyblock (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock}\pysigline{\bfcode{krb5\_keyblock}} -\end{fulllineitems} - - -Exposed contents of a key. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_keyblock:declaration} -typedef struct \_krb5\_keyblock krb5\_keyblock - - -\paragraph{Members} -\label{appdev/refs/types/krb5_keyblock:members}\index{krb5\_keyblock.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_keyblock.magic}} -\end{fulllineitems} - -\index{krb5\_keyblock.enctype (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.enctype}\pysigline{{\hyperref[appdev/refs/types/krb5_enctype:c.krb5_enctype]{krb5\_enctype}} \bfcode{krb5\_keyblock.enctype}} -\end{fulllineitems} - -\index{krb5\_keyblock.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.length}\pysigline{unsigned int \bfcode{krb5\_keyblock.length}} -\end{fulllineitems} - -\index{krb5\_keyblock.contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyblock:c.krb5_keyblock.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_keyblock.contents}} -\end{fulllineitems} - - - -\subsubsection{krb5\_keytab\_entry} -\label{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry}\label{appdev/refs/types/krb5_keytab_entry:krb5-keytab-entry-struct}\label{appdev/refs/types/krb5_keytab_entry::doc}\index{krb5\_keytab\_entry (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry}\pysigline{\bfcode{krb5\_keytab\_entry}} -\end{fulllineitems} - - -A key table entry. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_keytab_entry:declaration} -typedef struct krb5\_keytab\_entry\_st krb5\_keytab\_entry - - -\paragraph{Members} -\label{appdev/refs/types/krb5_keytab_entry:members}\index{krb5\_keytab\_entry.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_keytab\_entry.magic}} -\end{fulllineitems} - -\index{krb5\_keytab\_entry.principal (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.principal}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_keytab\_entry.principal}} -Principal of this key. - -\end{fulllineitems} - -\index{krb5\_keytab\_entry.timestamp (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_keytab\_entry.timestamp}} -Time entry written to keytable. - -\end{fulllineitems} - -\index{krb5\_keytab\_entry.vno (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.vno}\pysigline{{\hyperref[appdev/refs/types/krb5_kvno:c.krb5_kvno]{krb5\_kvno}} \bfcode{krb5\_keytab\_entry.vno}} -Key version number. - -\end{fulllineitems} - -\index{krb5\_keytab\_entry.key (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab_entry:c.krb5_keytab_entry.key}\pysigline{{\hyperref[appdev/refs/types/krb5_keyblock:c.krb5_keyblock]{krb5\_keyblock}} \bfcode{krb5\_keytab\_entry.key}} -The secret key. - -\end{fulllineitems} - - - -\subsubsection{krb5\_keyusage} -\label{appdev/refs/types/krb5_keyusage:krb5-keyusage}\label{appdev/refs/types/krb5_keyusage::doc}\label{appdev/refs/types/krb5_keyusage:krb5-keyusage-struct}\index{krb5\_keyusage (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keyusage:c.krb5_keyusage}\pysigline{\bfcode{krb5\_keyusage}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_keyusage:declaration} -typedef krb5\_int32 krb5\_keyusage - - -\subsubsection{krb5\_kt\_cursor} -\label{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor-struct}\label{appdev/refs/types/krb5_kt_cursor::doc}\label{appdev/refs/types/krb5_kt_cursor:krb5-kt-cursor}\index{krb5\_kt\_cursor (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kt_cursor:c.krb5_kt_cursor}\pysigline{\bfcode{krb5\_kt\_cursor}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_kt_cursor:declaration} -typedef krb5\_pointer krb5\_kt\_cursor - - -\subsubsection{krb5\_kvno} -\label{appdev/refs/types/krb5_kvno:krb5-kvno}\label{appdev/refs/types/krb5_kvno::doc}\label{appdev/refs/types/krb5_kvno:krb5-kvno-struct}\index{krb5\_kvno (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_kvno:c.krb5_kvno}\pysigline{\bfcode{krb5\_kvno}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_kvno:declaration} -typedef unsigned int krb5\_kvno - - -\subsubsection{krb5\_last\_req\_entry} -\label{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry}\label{appdev/refs/types/krb5_last_req_entry::doc}\label{appdev/refs/types/krb5_last_req_entry:krb5-last-req-entry-struct}\index{krb5\_last\_req\_entry (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry}\pysigline{\bfcode{krb5\_last\_req\_entry}} -\end{fulllineitems} - - -Last request entry. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_last_req_entry:declaration} -typedef struct \_krb5\_last\_req\_entry krb5\_last\_req\_entry - - -\paragraph{Members} -\label{appdev/refs/types/krb5_last_req_entry:members}\index{krb5\_last\_req\_entry.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_last\_req\_entry.magic}} -\end{fulllineitems} - -\index{krb5\_last\_req\_entry.lr\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.lr_type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_last\_req\_entry.lr\_type}} -LR type. - -\end{fulllineitems} - -\index{krb5\_last\_req\_entry.value (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_last_req_entry:c.krb5_last_req_entry.value}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_last\_req\_entry.value}} -Timestamp. - -\end{fulllineitems} - - - -\subsubsection{krb5\_magic} -\label{appdev/refs/types/krb5_magic:krb5-magic}\label{appdev/refs/types/krb5_magic::doc}\label{appdev/refs/types/krb5_magic:krb5-magic-struct}\index{krb5\_magic (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_magic:c.krb5_magic}\pysigline{\bfcode{krb5\_magic}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_magic:declaration} -typedef krb5\_error\_code krb5\_magic - - -\subsubsection{krb5\_mk\_req\_checksum\_func} -\label{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func-struct}\label{appdev/refs/types/krb5_mk_req_checksum_func::doc}\label{appdev/refs/types/krb5_mk_req_checksum_func:krb5-mk-req-checksum-func}\index{krb5\_mk\_req\_checksum\_func (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_mk_req_checksum_func:c.krb5_mk_req_checksum_func}\pysigline{\bfcode{krb5\_mk\_req\_checksum\_func}} -\end{fulllineitems} - - -Type of function used as a callback to generate checksum data for mk\_req. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_mk_req_checksum_func:declaration} -typedef krb5\_error\_code( * krb5\_mk\_req\_checksum\_func)(krb5\_context, krb5\_auth\_context, void *, krb5\_data **) - - -\subsubsection{krb5\_msgtype} -\label{appdev/refs/types/krb5_msgtype:krb5-msgtype}\label{appdev/refs/types/krb5_msgtype::doc}\label{appdev/refs/types/krb5_msgtype:krb5-msgtype-struct}\index{krb5\_msgtype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_msgtype:c.krb5_msgtype}\pysigline{\bfcode{krb5\_msgtype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_msgtype:declaration} -typedef unsigned int krb5\_msgtype - - -\subsubsection{krb5\_octet} -\label{appdev/refs/types/krb5_octet:krb5-octet-struct}\label{appdev/refs/types/krb5_octet:krb5-octet}\label{appdev/refs/types/krb5_octet::doc}\index{krb5\_octet (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_octet:c.krb5_octet}\pysigline{\bfcode{krb5\_octet}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_octet:declaration} -typedef uint8\_t krb5\_octet - - -\subsubsection{krb5\_pa\_pac\_req} -\label{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req-struct}\label{appdev/refs/types/krb5_pa_pac_req::doc}\label{appdev/refs/types/krb5_pa_pac_req:krb5-pa-pac-req}\index{krb5\_pa\_pac\_req (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req}\pysigline{\bfcode{krb5\_pa\_pac\_req}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pa_pac_req:declaration} -typedef struct \_krb5\_pa\_pac\_req krb5\_pa\_pac\_req - - -\paragraph{Members} -\label{appdev/refs/types/krb5_pa_pac_req:members}\index{krb5\_pa\_pac\_req.include\_pac (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_pac_req:c.krb5_pa_pac_req.include_pac}\pysigline{{\hyperref[appdev/refs/types/krb5_boolean:c.krb5_boolean]{krb5\_boolean}} \bfcode{krb5\_pa\_pac\_req.include\_pac}} -TRUE if a PAC should be included in TGS-REP. - -\end{fulllineitems} - - - -\subsubsection{krb5\_pa\_server\_referral\_data} -\label{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data-struct}\label{appdev/refs/types/krb5_pa_server_referral_data::doc}\label{appdev/refs/types/krb5_pa_server_referral_data:krb5-pa-server-referral-data}\index{krb5\_pa\_server\_referral\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data}\pysigline{\bfcode{krb5\_pa\_server\_referral\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pa_server_referral_data:declaration} -typedef struct \_krb5\_pa\_server\_referral\_data krb5\_pa\_server\_referral\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_pa_server_referral_data:members}\index{krb5\_pa\_server\_referral\_data.referred\_realm (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referred_realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_pa\_server\_referral\_data.referred\_realm}} -\end{fulllineitems} - -\index{krb5\_pa\_server\_referral\_data.true\_principal\_name (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.true_principal_name}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_server\_referral\_data.true\_principal\_name}} -\end{fulllineitems} - -\index{krb5\_pa\_server\_referral\_data.requested\_principal\_name (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.requested_principal_name}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_server\_referral\_data.requested\_principal\_name}} -\end{fulllineitems} - -\index{krb5\_pa\_server\_referral\_data.referral\_valid\_until (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.referral_valid_until}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_pa\_server\_referral\_data.referral\_valid\_until}} -\end{fulllineitems} - -\index{krb5\_pa\_server\_referral\_data.rep\_cksum (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_server_referral_data:c.krb5_pa_server_referral_data.rep_cksum}\pysigline{{\hyperref[appdev/refs/types/krb5_checksum:c.krb5_checksum]{krb5\_checksum}} \bfcode{krb5\_pa\_server\_referral\_data.rep\_cksum}} -\end{fulllineitems} - - - -\subsubsection{krb5\_pa\_svr\_referral\_data} -\label{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data}\label{appdev/refs/types/krb5_pa_svr_referral_data::doc}\label{appdev/refs/types/krb5_pa_svr_referral_data:krb5-pa-svr-referral-data-struct}\index{krb5\_pa\_svr\_referral\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data}\pysigline{\bfcode{krb5\_pa\_svr\_referral\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pa_svr_referral_data:declaration} -typedef struct \_krb5\_pa\_svr\_referral\_data krb5\_pa\_svr\_referral\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_pa_svr_referral_data:members}\index{krb5\_pa\_svr\_referral\_data.principal (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_svr_referral_data:c.krb5_pa_svr_referral_data.principal}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_pa\_svr\_referral\_data.principal}} -Referred name, only realm is required. - -\end{fulllineitems} - - - -\subsubsection{krb5\_pa\_data} -\label{appdev/refs/types/krb5_pa_data:krb5-pa-data}\label{appdev/refs/types/krb5_pa_data:krb5-pa-data-struct}\label{appdev/refs/types/krb5_pa_data::doc}\index{krb5\_pa\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data}\pysigline{\bfcode{krb5\_pa\_data}} -\end{fulllineitems} - - -Pre-authentication data. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pa_data:declaration} -typedef struct \_krb5\_pa\_data krb5\_pa\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_pa_data:members}\index{krb5\_pa\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_pa\_data.magic}} -\end{fulllineitems} - -\index{krb5\_pa\_data.pa\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.pa_type}\pysigline{{\hyperref[appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype]{krb5\_preauthtype}} \bfcode{krb5\_pa\_data.pa\_type}} -Preauthentication data type. - -\end{fulllineitems} - -\index{krb5\_pa\_data.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.length}\pysigline{unsigned int \bfcode{krb5\_pa\_data.length}} -Length of data. - -\end{fulllineitems} - -\index{krb5\_pa\_data.contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pa_data:c.krb5_pa_data.contents}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_pa\_data.contents}} -Data. - -\end{fulllineitems} - - - -\subsubsection{krb5\_pointer} -\label{appdev/refs/types/krb5_pointer:krb5-pointer-struct}\label{appdev/refs/types/krb5_pointer:krb5-pointer}\label{appdev/refs/types/krb5_pointer::doc}\index{krb5\_pointer (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pointer:c.krb5_pointer}\pysigline{\bfcode{krb5\_pointer}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pointer:declaration} -typedef void* krb5\_pointer - - -\subsubsection{krb5\_post\_recv\_fn} -\label{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn}\label{appdev/refs/types/krb5_post_recv_fn:krb5-post-recv-fn-struct}\label{appdev/refs/types/krb5_post_recv_fn::doc}\index{krb5\_post\_recv\_fn (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_post_recv_fn:c.krb5_post_recv_fn}\pysigline{\bfcode{krb5\_post\_recv\_fn}} -\end{fulllineitems} - - -Hook function for inspecting or overriding KDC replies. - -If \emph{code} is non-zero, KDC communication failed and \emph{reply} should be ignored. The hook function may return \emph{code} or a different error code, or may synthesize a reply by setting \emph{new\_reply\_out} and return successfully. -The hook function should use {\hyperref[appdev/refs/api/krb5_copy_data:c.krb5_copy_data]{\code{krb5\_copy\_data()}}} to construct the value for \emph{new\_reply\_out} , to ensure that it can be freed correctly by the library. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_post_recv_fn:declaration} -typedef krb5\_error\_code( * krb5\_post\_recv\_fn)(krb5\_context context, void *data, krb5\_error\_code code, const krb5\_data *realm, const krb5\_data *message, const krb5\_data *reply, krb5\_data **new\_reply\_out) - - -\subsubsection{krb5\_pre\_send\_fn} -\label{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn-struct}\label{appdev/refs/types/krb5_pre_send_fn::doc}\label{appdev/refs/types/krb5_pre_send_fn:krb5-pre-send-fn}\index{krb5\_pre\_send\_fn (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pre_send_fn:c.krb5_pre_send_fn}\pysigline{\bfcode{krb5\_pre\_send\_fn}} -\end{fulllineitems} - - -Hook function for inspecting or modifying messages sent to KDCs. - -If the hook function sets \emph{reply\_out} , \emph{message} will not be sent to the KDC, and the given reply will used instead. -If the hook function sets \emph{new\_message\_out} , the given message will be sent to the KDC in place of \emph{message} . -If the hook function returns successfully without setting either output, \emph{message} will be sent to the KDC normally. -The hook function should use {\hyperref[appdev/refs/api/krb5_copy_data:c.krb5_copy_data]{\code{krb5\_copy\_data()}}} to construct the value for \emph{new\_message\_out} or \emph{reply\_out} , to ensure that it can be freed correctly by the library. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pre_send_fn:declaration} -typedef krb5\_error\_code( * krb5\_pre\_send\_fn)(krb5\_context context, void *data, const krb5\_data *realm, const krb5\_data *message, krb5\_data **new\_message\_out, krb5\_data **new\_reply\_out) - - -\subsubsection{krb5\_preauthtype} -\label{appdev/refs/types/krb5_preauthtype::doc}\label{appdev/refs/types/krb5_preauthtype:krb5-preauthtype}\label{appdev/refs/types/krb5_preauthtype:krb5-preauthtype-struct}\index{krb5\_preauthtype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_preauthtype:c.krb5_preauthtype}\pysigline{\bfcode{krb5\_preauthtype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_preauthtype:declaration} -typedef krb5\_int32 krb5\_preauthtype - - -\subsubsection{krb5\_principal} -\label{appdev/refs/types/krb5_principal:krb5-principal-struct}\label{appdev/refs/types/krb5_principal:krb5-principal}\label{appdev/refs/types/krb5_principal::doc}\index{krb5\_principal (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal}\pysigline{\bfcode{krb5\_principal}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_principal:declaration} -typedef krb5\_principal\_data* krb5\_principal - - -\paragraph{Members} -\label{appdev/refs/types/krb5_principal:members}\index{krb5\_principal.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_principal.magic}} -\end{fulllineitems} - -\index{krb5\_principal.realm (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_principal.realm}} -\end{fulllineitems} - -\index{krb5\_principal.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_principal.data}} -An array of strings. - -\end{fulllineitems} - -\index{krb5\_principal.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal.length}} -\end{fulllineitems} - -\index{krb5\_principal.type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal:c.krb5_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal.type}} -\end{fulllineitems} - - - -\subsubsection{krb5\_principal\_data} -\label{appdev/refs/types/krb5_principal_data:krb5-principal-data}\label{appdev/refs/types/krb5_principal_data::doc}\label{appdev/refs/types/krb5_principal_data:krb5-principal-data-struct}\index{krb5\_principal\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data}\pysigline{\bfcode{krb5\_principal\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_principal_data:declaration} -typedef struct krb5\_principal\_data krb5\_principal\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_principal_data:members}\index{krb5\_principal\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_principal\_data.magic}} -\end{fulllineitems} - -\index{krb5\_principal\_data.realm (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_principal\_data.realm}} -\end{fulllineitems} - -\index{krb5\_principal\_data.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_principal\_data.data}} -An array of strings. - -\end{fulllineitems} - -\index{krb5\_principal\_data.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal\_data.length}} -\end{fulllineitems} - -\index{krb5\_principal\_data.type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_principal_data:c.krb5_principal_data.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_principal\_data.type}} -\end{fulllineitems} - - - -\subsubsection{krb5\_const\_principal} -\label{appdev/refs/types/krb5_const_principal:krb5-const-principal-struct}\label{appdev/refs/types/krb5_const_principal:krb5-const-principal}\label{appdev/refs/types/krb5_const_principal::doc}\index{krb5\_const\_principal (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal}\pysigline{\bfcode{krb5\_const\_principal}} -\end{fulllineitems} - - -Constant version of {\hyperref[appdev/refs/types/krb5_principal_data:c.krb5_principal_data]{\code{krb5\_principal\_data}}} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_const_principal:declaration} -typedef const krb5\_principal\_data* krb5\_const\_principal - - -\paragraph{Members} -\label{appdev/refs/types/krb5_const_principal:members}\index{krb5\_const\_principal.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_const\_principal.magic}} -\end{fulllineitems} - -\index{krb5\_const\_principal.realm (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.realm}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_const\_principal.realm}} -\end{fulllineitems} - -\index{krb5\_const\_principal.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.data}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_const\_principal.data}} -An array of strings. - -\end{fulllineitems} - -\index{krb5\_const\_principal.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.length}} -\end{fulllineitems} - -\index{krb5\_const\_principal.type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_const_principal:c.krb5_const_principal.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_const\_principal.type}} -\end{fulllineitems} - - - -\subsubsection{krb5\_prompt} -\label{appdev/refs/types/krb5_prompt:krb5-prompt}\label{appdev/refs/types/krb5_prompt::doc}\label{appdev/refs/types/krb5_prompt:krb5-prompt-struct}\index{krb5\_prompt (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt}\pysigline{\bfcode{krb5\_prompt}} -\end{fulllineitems} - - -Text for prompt used in prompter callback function. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_prompt:declaration} -typedef struct \_krb5\_prompt krb5\_prompt - - -\paragraph{Members} -\label{appdev/refs/types/krb5_prompt:members}\index{krb5\_prompt.prompt (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.prompt}\pysigline{char * \bfcode{krb5\_prompt.prompt}} -The prompt to show to the user. - -\end{fulllineitems} - -\index{krb5\_prompt.hidden (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.hidden}\pysigline{int \bfcode{krb5\_prompt.hidden}} -Boolean; informative prompt or hidden (e.g. -PIN) - -\end{fulllineitems} - -\index{krb5\_prompt.reply (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompt:c.krb5_prompt.reply}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{krb5\_prompt.reply}} -Must be allocated before call to prompt routine. - -\end{fulllineitems} - - - -\subsubsection{krb5\_prompt\_type} -\label{appdev/refs/types/krb5_prompt_type:krb5-prompt-type-struct}\label{appdev/refs/types/krb5_prompt_type:krb5-prompt-type}\label{appdev/refs/types/krb5_prompt_type::doc}\index{krb5\_prompt\_type (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompt_type:c.krb5_prompt_type}\pysigline{\bfcode{krb5\_prompt\_type}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_prompt_type:declaration} -typedef krb5\_int32 krb5\_prompt\_type - - -\subsubsection{krb5\_prompter\_fct} -\label{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct-struct}\label{appdev/refs/types/krb5_prompter_fct:krb5-prompter-fct}\label{appdev/refs/types/krb5_prompter_fct::doc}\index{krb5\_prompter\_fct (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_prompter_fct:c.krb5_prompter_fct}\pysigline{\bfcode{krb5\_prompter\_fct}} -\end{fulllineitems} - - -Pointer to a prompter callback function. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_prompter_fct:declaration} -typedef krb5\_error\_code( * krb5\_prompter\_fct)(krb5\_context context, void *data, const char *name, const char *banner, int num\_prompts, krb5\_prompt prompts{[}{]}) - - -\subsubsection{krb5\_pwd\_data} -\label{appdev/refs/types/krb5_pwd_data:krb5-pwd-data}\label{appdev/refs/types/krb5_pwd_data::doc}\label{appdev/refs/types/krb5_pwd_data:krb5-pwd-data-struct}\index{krb5\_pwd\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data}\pysigline{\bfcode{krb5\_pwd\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pwd_data:declaration} -typedef struct \_krb5\_pwd\_data krb5\_pwd\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_pwd_data:members}\index{krb5\_pwd\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_pwd\_data.magic}} -\end{fulllineitems} - -\index{krb5\_pwd\_data.sequence\_count (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.sequence_count}\pysigline{int \bfcode{krb5\_pwd\_data.sequence\_count}} -\end{fulllineitems} - -\index{krb5\_pwd\_data.element (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pwd_data:c.krb5_pwd_data.element}\pysigline{{\hyperref[appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element]{passwd\_phrase\_element}} ** \bfcode{krb5\_pwd\_data.element}} -\end{fulllineitems} - - - -\subsubsection{krb5\_responder\_context} -\label{appdev/refs/types/krb5_responder_context:krb5-responder-context-struct}\label{appdev/refs/types/krb5_responder_context::doc}\label{appdev/refs/types/krb5_responder_context:krb5-responder-context}\index{krb5\_responder\_context (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_context:c.krb5_responder_context}\pysigline{\bfcode{krb5\_responder\_context}} -\end{fulllineitems} - - -A container for a set of preauthentication questions and answers. - -A responder context is supplied by the krb5 authentication system to a {\hyperref[appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn]{\code{krb5\_responder\_fn}}} callback. It contains a list of questions and can receive answers. Questions contained in a responder context can be listed using {\hyperref[appdev/refs/api/krb5_responder_list_questions:c.krb5_responder_list_questions]{\code{krb5\_responder\_list\_questions()}}} , retrieved using {\hyperref[appdev/refs/api/krb5_responder_get_challenge:c.krb5_responder_get_challenge]{\code{krb5\_responder\_get\_challenge()}}} , or answered using {\hyperref[appdev/refs/api/krb5_responder_set_answer:c.krb5_responder_set_answer]{\code{krb5\_responder\_set\_answer()}}} . The form of a question's challenge and answer depend on the question name. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_context:declaration} -typedef struct krb5\_responder\_context\_st* krb5\_responder\_context - - -\subsubsection{krb5\_responder\_fn} -\label{appdev/refs/types/krb5_responder_fn:krb5-responder-fn-struct}\label{appdev/refs/types/krb5_responder_fn::doc}\label{appdev/refs/types/krb5_responder_fn:krb5-responder-fn}\index{krb5\_responder\_fn (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_fn:c.krb5_responder_fn}\pysigline{\bfcode{krb5\_responder\_fn}} -\end{fulllineitems} - - -Responder function for an initial credential exchange. - -If a required question is unanswered, the prompter may be called. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_fn:declaration} -typedef krb5\_error\_code( * krb5\_responder\_fn)(krb5\_context ctx, void *data, krb5\_responder\_context rctx) - - -\subsubsection{krb5\_responder\_otp\_challenge} -\label{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge}\label{appdev/refs/types/krb5_responder_otp_challenge:krb5-responder-otp-challenge-struct}\label{appdev/refs/types/krb5_responder_otp_challenge::doc}\index{krb5\_responder\_otp\_challenge (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge}\pysigline{\bfcode{krb5\_responder\_otp\_challenge}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_otp_challenge:declaration} -typedef struct \_krb5\_responder\_otp\_challenge krb5\_responder\_otp\_challenge - - -\paragraph{Members} -\label{appdev/refs/types/krb5_responder_otp_challenge:members}\index{krb5\_responder\_otp\_challenge.service (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.service}\pysigline{char * \bfcode{krb5\_responder\_otp\_challenge.service}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_challenge.tokeninfo (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_challenge:c.krb5_responder_otp_challenge.tokeninfo}\pysigline{{\hyperref[appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo]{krb5\_responder\_otp\_tokeninfo}} ** \bfcode{krb5\_responder\_otp\_challenge.tokeninfo}} -\end{fulllineitems} - - - -\subsubsection{krb5\_responder\_otp\_tokeninfo} -\label{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo}\label{appdev/refs/types/krb5_responder_otp_tokeninfo:krb5-responder-otp-tokeninfo-struct}\label{appdev/refs/types/krb5_responder_otp_tokeninfo::doc}\index{krb5\_responder\_otp\_tokeninfo (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo}\pysigline{\bfcode{krb5\_responder\_otp\_tokeninfo}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_otp_tokeninfo:declaration} -typedef struct \_krb5\_responder\_otp\_tokeninfo krb5\_responder\_otp\_tokeninfo - - -\paragraph{Members} -\label{appdev/refs/types/krb5_responder_otp_tokeninfo:members}\index{krb5\_responder\_otp\_tokeninfo.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_responder\_otp\_tokeninfo.flags}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.format (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.format}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_otp\_tokeninfo.format}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.length}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_otp\_tokeninfo.length}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.vendor (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.vendor}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.vendor}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.challenge (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.challenge}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.challenge}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.token\_id (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.token_id}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.token\_id}} -\end{fulllineitems} - -\index{krb5\_responder\_otp\_tokeninfo.alg\_id (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_otp_tokeninfo:c.krb5_responder_otp_tokeninfo.alg_id}\pysigline{char * \bfcode{krb5\_responder\_otp\_tokeninfo.alg\_id}} -\end{fulllineitems} - - - -\subsubsection{krb5\_responder\_pkinit\_challenge} -\label{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge-struct}\label{appdev/refs/types/krb5_responder_pkinit_challenge::doc}\label{appdev/refs/types/krb5_responder_pkinit_challenge:krb5-responder-pkinit-challenge}\index{krb5\_responder\_pkinit\_challenge (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge}\pysigline{\bfcode{krb5\_responder\_pkinit\_challenge}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_pkinit_challenge:declaration} -typedef struct \_krb5\_responder\_pkinit\_challenge krb5\_responder\_pkinit\_challenge - - -\paragraph{Members} -\label{appdev/refs/types/krb5_responder_pkinit_challenge:members}\index{krb5\_responder\_pkinit\_challenge.identities (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_challenge:c.krb5_responder_pkinit_challenge.identities}\pysigline{{\hyperref[appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity]{krb5\_responder\_pkinit\_identity}} ** \bfcode{krb5\_responder\_pkinit\_challenge.identities}} -\end{fulllineitems} - - - -\subsubsection{krb5\_responder\_pkinit\_identity} -\label{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity}\label{appdev/refs/types/krb5_responder_pkinit_identity::doc}\label{appdev/refs/types/krb5_responder_pkinit_identity:krb5-responder-pkinit-identity-struct}\index{krb5\_responder\_pkinit\_identity (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity}\pysigline{\bfcode{krb5\_responder\_pkinit\_identity}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_responder_pkinit_identity:declaration} -typedef struct \_krb5\_responder\_pkinit\_identity krb5\_responder\_pkinit\_identity - - -\paragraph{Members} -\label{appdev/refs/types/krb5_responder_pkinit_identity:members}\index{krb5\_responder\_pkinit\_identity.identity (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.identity}\pysigline{char * \bfcode{krb5\_responder\_pkinit\_identity.identity}} -\end{fulllineitems} - -\index{krb5\_responder\_pkinit\_identity.token\_flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_responder_pkinit_identity:c.krb5_responder_pkinit_identity.token_flags}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_responder\_pkinit\_identity.token\_flags}} -\end{fulllineitems} - - - -\subsubsection{krb5\_response} -\label{appdev/refs/types/krb5_response::doc}\label{appdev/refs/types/krb5_response:krb5-response}\label{appdev/refs/types/krb5_response:krb5-response-struct}\index{krb5\_response (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response}\pysigline{\bfcode{krb5\_response}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_response:declaration} -typedef struct \_krb5\_response krb5\_response - - -\paragraph{Members} -\label{appdev/refs/types/krb5_response:members}\index{krb5\_response.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_response.magic}} -\end{fulllineitems} - -\index{krb5\_response.message\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.message_type}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} \bfcode{krb5\_response.message\_type}} -\end{fulllineitems} - -\index{krb5\_response.response (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.response}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_response.response}} -\end{fulllineitems} - -\index{krb5\_response.expected\_nonce (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.expected_nonce}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_response.expected\_nonce}} -\end{fulllineitems} - -\index{krb5\_response.request\_time (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_response:c.krb5_response.request_time}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_response.request\_time}} -\end{fulllineitems} - - - -\subsubsection{krb5\_replay\_data} -\label{appdev/refs/types/krb5_replay_data:krb5-replay-data}\label{appdev/refs/types/krb5_replay_data:krb5-replay-data-struct}\label{appdev/refs/types/krb5_replay_data::doc}\index{krb5\_replay\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data}\pysigline{\bfcode{krb5\_replay\_data}} -\end{fulllineitems} - - -Replay data. - -Sequence number and timestamp information output by {\hyperref[appdev/refs/api/krb5_rd_priv:c.krb5_rd_priv]{\code{krb5\_rd\_priv()}}} and {\hyperref[appdev/refs/api/krb5_rd_safe:c.krb5_rd_safe]{\code{krb5\_rd\_safe()}}} . - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_replay_data:declaration} -typedef struct krb5\_replay\_data krb5\_replay\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_replay_data:members}\index{krb5\_replay\_data.timestamp (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.timestamp}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_replay\_data.timestamp}} -Timestamp, seconds portion. - -\end{fulllineitems} - -\index{krb5\_replay\_data.usec (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.usec}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_replay\_data.usec}} -Timestamp, microseconds portion. - -\end{fulllineitems} - -\index{krb5\_replay\_data.seq (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_replay_data:c.krb5_replay_data.seq}\pysigline{{\hyperref[appdev/refs/types/krb5_ui_4:c.krb5_ui_4]{krb5\_ui\_4}} \bfcode{krb5\_replay\_data.seq}} -Sequence number. - -\end{fulllineitems} - - - -\subsubsection{krb5\_ticket} -\label{appdev/refs/types/krb5_ticket:krb5-ticket}\label{appdev/refs/types/krb5_ticket::doc}\label{appdev/refs/types/krb5_ticket:krb5-ticket-struct}\index{krb5\_ticket (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket}\pysigline{\bfcode{krb5\_ticket}} -\end{fulllineitems} - - -Ticket structure. - -The C representation of the ticket message, with a pointer to the C representation of the encrypted part. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ticket:declaration} -typedef struct \_krb5\_ticket krb5\_ticket - - -\paragraph{Members} -\label{appdev/refs/types/krb5_ticket:members}\index{krb5\_ticket.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_ticket.magic}} -\end{fulllineitems} - -\index{krb5\_ticket.server (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.server}\pysigline{{\hyperref[appdev/refs/types/krb5_principal:c.krb5_principal]{krb5\_principal}} \bfcode{krb5\_ticket.server}} -server name/realm - -\end{fulllineitems} - -\index{krb5\_ticket.enc\_part (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_data:c.krb5_enc_data]{krb5\_enc\_data}} \bfcode{krb5\_ticket.enc\_part}} -encryption type, kvno, encrypted encoding - -\end{fulllineitems} - -\index{krb5\_ticket.enc\_part2 (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket:c.krb5_ticket.enc_part2}\pysigline{{\hyperref[appdev/refs/types/krb5_enc_tkt_part:c.krb5_enc_tkt_part]{krb5\_enc\_tkt\_part}} * \bfcode{krb5\_ticket.enc\_part2}} -ptr to decrypted version, if available - -\end{fulllineitems} - - - -\subsubsection{krb5\_ticket\_times} -\label{appdev/refs/types/krb5_ticket_times:krb5-ticket-times}\label{appdev/refs/types/krb5_ticket_times:krb5-ticket-times-struct}\label{appdev/refs/types/krb5_ticket_times::doc}\index{krb5\_ticket\_times (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times}\pysigline{\bfcode{krb5\_ticket\_times}} -\end{fulllineitems} - - -Ticket start time, end time, and renewal duration. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ticket_times:declaration} -typedef struct \_krb5\_ticket\_times krb5\_ticket\_times - - -\paragraph{Members} -\label{appdev/refs/types/krb5_ticket_times:members}\index{krb5\_ticket\_times.authtime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.authtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.authtime}} -Time at which KDC issued the initial ticket that corresponds to this ticket. - -\end{fulllineitems} - -\index{krb5\_ticket\_times.starttime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.starttime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.starttime}} -optional in ticket, if not present, use \emph{authtime} - -\end{fulllineitems} - -\index{krb5\_ticket\_times.endtime (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.endtime}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.endtime}} -Ticket expiration time. - -\end{fulllineitems} - -\index{krb5\_ticket\_times.renew\_till (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ticket_times:c.krb5_ticket_times.renew_till}\pysigline{{\hyperref[appdev/refs/types/krb5_timestamp:c.krb5_timestamp]{krb5\_timestamp}} \bfcode{krb5\_ticket\_times.renew\_till}} -Latest time at which renewal of ticket can be valid. - -\end{fulllineitems} - - - -\subsubsection{krb5\_timestamp} -\label{appdev/refs/types/krb5_timestamp:krb5-timestamp-struct}\label{appdev/refs/types/krb5_timestamp::doc}\label{appdev/refs/types/krb5_timestamp:krb5-timestamp}\index{krb5\_timestamp (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_timestamp:c.krb5_timestamp}\pysigline{\bfcode{krb5\_timestamp}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_timestamp:declaration} -typedef krb5\_int32 krb5\_timestamp - - -\subsubsection{krb5\_tkt\_authent} -\label{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent}\label{appdev/refs/types/krb5_tkt_authent:krb5-tkt-authent-struct}\label{appdev/refs/types/krb5_tkt_authent::doc}\index{krb5\_tkt\_authent (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent}\pysigline{\bfcode{krb5\_tkt\_authent}} -\end{fulllineitems} - - -Ticket authentication data. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_tkt_authent:declaration} -typedef struct \_krb5\_tkt\_authent krb5\_tkt\_authent - - -\paragraph{Members} -\label{appdev/refs/types/krb5_tkt_authent:members}\index{krb5\_tkt\_authent.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_tkt\_authent.magic}} -\end{fulllineitems} - -\index{krb5\_tkt\_authent.ticket (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ticket}\pysigline{{\hyperref[appdev/refs/types/krb5_ticket:c.krb5_ticket]{krb5\_ticket}} * \bfcode{krb5\_tkt\_authent.ticket}} -\end{fulllineitems} - -\index{krb5\_tkt\_authent.authenticator (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.authenticator}\pysigline{{\hyperref[appdev/refs/types/krb5_authenticator:c.krb5_authenticator]{krb5\_authenticator}} * \bfcode{krb5\_tkt\_authent.authenticator}} -\end{fulllineitems} - -\index{krb5\_tkt\_authent.ap\_options (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_authent:c.krb5_tkt_authent.ap_options}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_tkt\_authent.ap\_options}} -\end{fulllineitems} - - - -\subsubsection{krb5\_trace\_callback} -\label{appdev/refs/types/krb5_trace_callback:krb5-trace-callback-struct}\label{appdev/refs/types/krb5_trace_callback:krb5-trace-callback}\label{appdev/refs/types/krb5_trace_callback::doc}\index{krb5\_trace\_callback (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_trace_callback:c.krb5_trace_callback}\pysigline{\bfcode{krb5\_trace\_callback}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_trace_callback:declaration} -typedef void( * krb5\_trace\_callback)(krb5\_context context, const krb5\_trace\_info *info, void *cb\_data) - - -\subsubsection{krb5\_trace\_info} -\label{appdev/refs/types/krb5_trace_info:krb5-trace-info-struct}\label{appdev/refs/types/krb5_trace_info::doc}\label{appdev/refs/types/krb5_trace_info:krb5-trace-info}\index{krb5\_trace\_info (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_trace_info:c.krb5_trace_info}\pysigline{\bfcode{krb5\_trace\_info}} -\end{fulllineitems} - - -A wrapper for passing information to a \emph{krb5\_trace\_callback} . - -Currently, it only contains the formatted message as determined the the format string and arguments of the tracing macro, but it may be extended to contain more fields in the future. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_trace_info:declaration} -typedef struct \_krb5\_trace\_info krb5\_trace\_info - - -\paragraph{Members} -\label{appdev/refs/types/krb5_trace_info:members}\index{krb5\_trace\_info.message (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_trace_info:c.krb5_trace_info.message}\pysigline{const char * \bfcode{krb5\_trace\_info.message}} -\end{fulllineitems} - - - -\subsubsection{krb5\_transited} -\label{appdev/refs/types/krb5_transited:krb5-transited-struct}\label{appdev/refs/types/krb5_transited::doc}\label{appdev/refs/types/krb5_transited:krb5-transited}\index{krb5\_transited (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited}\pysigline{\bfcode{krb5\_transited}} -\end{fulllineitems} - - -Structure for transited encoding. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_transited:declaration} -typedef struct \_krb5\_transited krb5\_transited - - -\paragraph{Members} -\label{appdev/refs/types/krb5_transited:members}\index{krb5\_transited.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_transited.magic}} -\end{fulllineitems} - -\index{krb5\_transited.tr\_type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.tr_type}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} \bfcode{krb5\_transited.tr\_type}} -Transited encoding type. - -\end{fulllineitems} - -\index{krb5\_transited.tr\_contents (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_transited:c.krb5_transited.tr_contents}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} \bfcode{krb5\_transited.tr\_contents}} -Contents. - -\end{fulllineitems} - - - -\subsubsection{krb5\_typed\_data} -\label{appdev/refs/types/krb5_typed_data:krb5-typed-data-struct}\label{appdev/refs/types/krb5_typed_data::doc}\label{appdev/refs/types/krb5_typed_data:krb5-typed-data}\index{krb5\_typed\_data (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data}\pysigline{\bfcode{krb5\_typed\_data}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_typed_data:declaration} -typedef struct \_krb5\_typed\_data krb5\_typed\_data - - -\paragraph{Members} -\label{appdev/refs/types/krb5_typed_data:members}\index{krb5\_typed\_data.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{krb5\_typed\_data.magic}} -\end{fulllineitems} - -\index{krb5\_typed\_data.type (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.type}\pysigline{{\hyperref[appdev/refs/types/krb5_int32:c.krb5_int32]{krb5\_int32}} \bfcode{krb5\_typed\_data.type}} -\end{fulllineitems} - -\index{krb5\_typed\_data.length (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.length}\pysigline{unsigned int \bfcode{krb5\_typed\_data.length}} -\end{fulllineitems} - -\index{krb5\_typed\_data.data (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_typed_data:c.krb5_typed_data.data}\pysigline{{\hyperref[appdev/refs/types/krb5_octet:c.krb5_octet]{krb5\_octet}} * \bfcode{krb5\_typed\_data.data}} -\end{fulllineitems} - - - -\subsubsection{krb5\_ui\_2} -\label{appdev/refs/types/krb5_ui_2:krb5-ui-2-struct}\label{appdev/refs/types/krb5_ui_2::doc}\label{appdev/refs/types/krb5_ui_2:krb5-ui-2}\index{krb5\_ui\_2 (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ui_2:c.krb5_ui_2}\pysigline{\bfcode{krb5\_ui\_2}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ui_2:declaration} -typedef uint16\_t krb5\_ui\_2 - - -\subsubsection{krb5\_ui\_4} -\label{appdev/refs/types/krb5_ui_4:krb5-ui-4}\label{appdev/refs/types/krb5_ui_4:krb5-ui-4-struct}\label{appdev/refs/types/krb5_ui_4::doc}\index{krb5\_ui\_4 (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ui_4:c.krb5_ui_4}\pysigline{\bfcode{krb5\_ui\_4}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ui_4:declaration} -typedef uint32\_t krb5\_ui\_4 - - -\subsubsection{krb5\_verify\_init\_creds\_opt} -\label{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt-struct}\label{appdev/refs/types/krb5_verify_init_creds_opt::doc}\label{appdev/refs/types/krb5_verify_init_creds_opt:krb5-verify-init-creds-opt}\index{krb5\_verify\_init\_creds\_opt (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt}\pysigline{\bfcode{krb5\_verify\_init\_creds\_opt}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_verify_init_creds_opt:declaration} -typedef struct \_krb5\_verify\_init\_creds\_opt krb5\_verify\_init\_creds\_opt - - -\paragraph{Members} -\label{appdev/refs/types/krb5_verify_init_creds_opt:members}\index{krb5\_verify\_init\_creds\_opt.flags (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.flags}\pysigline{{\hyperref[appdev/refs/types/krb5_flags:c.krb5_flags]{krb5\_flags}} \bfcode{krb5\_verify\_init\_creds\_opt.flags}} -\end{fulllineitems} - -\index{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_verify_init_creds_opt:c.krb5_verify_init_creds_opt.ap_req_nofail}\pysigline{int \bfcode{krb5\_verify\_init\_creds\_opt.ap\_req\_nofail}} -boolean - -\end{fulllineitems} - - - -\subsubsection{passwd\_phrase\_element} -\label{appdev/refs/types/passwd_phrase_element:passwd-phrase-element-struct}\label{appdev/refs/types/passwd_phrase_element::doc}\label{appdev/refs/types/passwd_phrase_element:passwd-phrase-element}\index{passwd\_phrase\_element (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element}\pysigline{\bfcode{passwd\_phrase\_element}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/passwd_phrase_element:declaration} -typedef struct \_passwd\_phrase\_element passwd\_phrase\_element - - -\paragraph{Members} -\label{appdev/refs/types/passwd_phrase_element:members}\index{passwd\_phrase\_element.magic (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.magic}\pysigline{{\hyperref[appdev/refs/types/krb5_magic:c.krb5_magic]{krb5\_magic}} \bfcode{passwd\_phrase\_element.magic}} -\end{fulllineitems} - -\index{passwd\_phrase\_element.passwd (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.passwd}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{passwd\_phrase\_element.passwd}} -\end{fulllineitems} - -\index{passwd\_phrase\_element.phrase (C member)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/passwd_phrase_element:c.passwd_phrase_element.phrase}\pysigline{{\hyperref[appdev/refs/types/krb5_data:c.krb5_data]{krb5\_data}} * \bfcode{passwd\_phrase\_element.phrase}} -\end{fulllineitems} - - - -\subsection{Internal} -\label{appdev/refs/types/index:internal} - -\subsubsection{krb5\_auth\_context} -\label{appdev/refs/types/krb5_auth_context:krb5-auth-context}\label{appdev/refs/types/krb5_auth_context::doc}\label{appdev/refs/types/krb5_auth_context:krb5-auth-context-struct}\index{krb5\_auth\_context (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_auth_context:c.krb5_auth_context}\pysigline{\bfcode{krb5\_auth\_context}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_auth_context:declaration} -typedef struct \_krb5\_auth\_context* krb5\_auth\_context - - -\subsubsection{krb5\_cksumtype} -\label{appdev/refs/types/krb5_cksumtype:krb5-cksumtype}\label{appdev/refs/types/krb5_cksumtype:krb5-cksumtype-struct}\label{appdev/refs/types/krb5_cksumtype::doc}\index{krb5\_cksumtype (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cksumtype:c.krb5_cksumtype}\pysigline{\bfcode{krb5\_cksumtype}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cksumtype:declaration} -typedef krb5\_int32 krb5\_cksumtype - - -\subsubsection{krb5\_context} -\label{appdev/refs/types/krb5_context:krb5-context}\label{appdev/refs/types/krb5_context:krb5-context-struct}\label{appdev/refs/types/krb5_context::doc}\index{krb5\_context (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_context:c.krb5_context}\pysigline{\bfcode{krb5\_context}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_context:declaration} -typedef struct \_krb5\_context* krb5\_context - - -\subsubsection{krb5\_cc\_cursor} -\label{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor-struct}\label{appdev/refs/types/krb5_cc_cursor:krb5-cc-cursor}\label{appdev/refs/types/krb5_cc_cursor::doc}\index{krb5\_cc\_cursor (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cc_cursor:c.krb5_cc_cursor}\pysigline{\bfcode{krb5\_cc\_cursor}} -\end{fulllineitems} - - -Cursor for sequential lookup. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cc_cursor:declaration} -typedef krb5\_pointer krb5\_cc\_cursor - - -\subsubsection{krb5\_ccache} -\label{appdev/refs/types/krb5_ccache:krb5-ccache-struct}\label{appdev/refs/types/krb5_ccache::doc}\label{appdev/refs/types/krb5_ccache:krb5-ccache}\index{krb5\_ccache (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_ccache:c.krb5_ccache}\pysigline{\bfcode{krb5\_ccache}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_ccache:declaration} -typedef struct \_krb5\_ccache* krb5\_ccache - - -\subsubsection{krb5\_cccol\_cursor} -\label{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor-struct}\label{appdev/refs/types/krb5_cccol_cursor::doc}\label{appdev/refs/types/krb5_cccol_cursor:krb5-cccol-cursor}\index{krb5\_cccol\_cursor (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_cccol_cursor:c.krb5_cccol_cursor}\pysigline{\bfcode{krb5\_cccol\_cursor}} -\end{fulllineitems} - - -Cursor for iterating over all ccaches. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_cccol_cursor:declaration} -typedef struct \_krb5\_cccol\_cursor* krb5\_cccol\_cursor - - -\subsubsection{krb5\_init\_creds\_context} -\label{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context}\label{appdev/refs/types/krb5_init_creds_context::doc}\label{appdev/refs/types/krb5_init_creds_context:krb5-init-creds-context-struct}\index{krb5\_init\_creds\_context (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_init_creds_context:c.krb5_init_creds_context}\pysigline{\bfcode{krb5\_init\_creds\_context}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_init_creds_context:declaration} -typedef struct \_krb5\_init\_creds\_context* krb5\_init\_creds\_context - - -\subsubsection{krb5\_key} -\label{appdev/refs/types/krb5_key::doc}\label{appdev/refs/types/krb5_key:krb5-key}\label{appdev/refs/types/krb5_key:krb5-key-struct}\index{krb5\_key (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_key:c.krb5_key}\pysigline{\bfcode{krb5\_key}} -\end{fulllineitems} - - -Opaque identifier for a key. - -Use with the krb5\_k APIs for better performance for repeated operations with the same key and usage. Key identifiers must not be used simultaneously within multiple threads, as they may contain mutable internal state and are not mutex-protected. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_key:declaration} -typedef struct krb5\_key\_st* krb5\_key - - -\subsubsection{krb5\_keytab} -\label{appdev/refs/types/krb5_keytab:krb5-keytab}\label{appdev/refs/types/krb5_keytab::doc}\label{appdev/refs/types/krb5_keytab:krb5-keytab-struct}\index{krb5\_keytab (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_keytab:c.krb5_keytab}\pysigline{\bfcode{krb5\_keytab}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_keytab:declaration} -typedef struct \_krb5\_kt* krb5\_keytab - - -\subsubsection{krb5\_pac} -\label{appdev/refs/types/krb5_pac:krb5-pac-struct}\label{appdev/refs/types/krb5_pac:krb5-pac}\label{appdev/refs/types/krb5_pac::doc}\index{krb5\_pac (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_pac:c.krb5_pac}\pysigline{\bfcode{krb5\_pac}} -\end{fulllineitems} - - -PAC data structure to convey authorization information. - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_pac:declaration} -typedef struct krb5\_pac\_data* krb5\_pac - - -\subsubsection{krb5\_rcache} -\label{appdev/refs/types/krb5_rcache:krb5-rcache-struct}\label{appdev/refs/types/krb5_rcache::doc}\label{appdev/refs/types/krb5_rcache:krb5-rcache}\index{krb5\_rcache (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_rcache:c.krb5_rcache}\pysigline{\bfcode{krb5\_rcache}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_rcache:declaration} -typedef struct krb5\_rc\_st* krb5\_rcache - - -\subsubsection{krb5\_tkt\_creds\_context} -\label{appdev/refs/types/krb5_tkt_creds_context::doc}\label{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context}\label{appdev/refs/types/krb5_tkt_creds_context:krb5-tkt-creds-context-struct}\index{krb5\_tkt\_creds\_context (C type)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/types/krb5_tkt_creds_context:c.krb5_tkt_creds_context}\pysigline{\bfcode{krb5\_tkt\_creds\_context}} -\end{fulllineitems} - - - -\paragraph{Declaration} -\label{appdev/refs/types/krb5_tkt_creds_context:declaration} -typedef struct \_krb5\_tkt\_creds\_context* krb5\_tkt\_creds\_context - - -\section{krb5 simple macros} -\label{appdev/refs/macros/index:krb5-simple-macros}\label{appdev/refs/macros/index::doc} - -\subsection{Public} -\label{appdev/refs/macros/index:public} - -\subsubsection{ADDRTYPE\_ADDRPORT} -\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport-data}\label{appdev/refs/macros/ADDRTYPE_ADDRPORT::doc}\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:addrtype-addrport}\index{ADDRTYPE\_ADDRPORT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_ADDRPORT:ADDRTYPE_ADDRPORT}\pysigline{\bfcode{ADDRTYPE\_ADDRPORT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_ADDRPORT} - & -\code{0x0100} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_CHAOS} -\label{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos}\label{appdev/refs/macros/ADDRTYPE_CHAOS:addrtype-chaos-data}\label{appdev/refs/macros/ADDRTYPE_CHAOS::doc}\index{ADDRTYPE\_CHAOS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_CHAOS:ADDRTYPE_CHAOS}\pysigline{\bfcode{ADDRTYPE\_CHAOS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_CHAOS} - & -\code{0x0005} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_DDP} -\label{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp-data}\label{appdev/refs/macros/ADDRTYPE_DDP::doc}\label{appdev/refs/macros/ADDRTYPE_DDP:addrtype-ddp}\index{ADDRTYPE\_DDP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_DDP:ADDRTYPE_DDP}\pysigline{\bfcode{ADDRTYPE\_DDP}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_DDP} - & -\code{0x0010} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_INET} -\label{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet}\label{appdev/refs/macros/ADDRTYPE_INET:addrtype-inet-data}\label{appdev/refs/macros/ADDRTYPE_INET::doc}\index{ADDRTYPE\_INET (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_INET:ADDRTYPE_INET}\pysigline{\bfcode{ADDRTYPE\_INET}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_INET} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_INET6} -\label{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6-data}\label{appdev/refs/macros/ADDRTYPE_INET6:addrtype-inet6}\label{appdev/refs/macros/ADDRTYPE_INET6::doc}\index{ADDRTYPE\_INET6 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_INET6:ADDRTYPE_INET6}\pysigline{\bfcode{ADDRTYPE\_INET6}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_INET6} - & -\code{0x0018} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_IPPORT} -\label{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport}\label{appdev/refs/macros/ADDRTYPE_IPPORT::doc}\label{appdev/refs/macros/ADDRTYPE_IPPORT:addrtype-ipport-data}\index{ADDRTYPE\_IPPORT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_IPPORT:ADDRTYPE_IPPORT}\pysigline{\bfcode{ADDRTYPE\_IPPORT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_IPPORT} - & -\code{0x0101} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_ISO} -\label{appdev/refs/macros/ADDRTYPE_ISO::doc}\label{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso}\label{appdev/refs/macros/ADDRTYPE_ISO:addrtype-iso-data}\index{ADDRTYPE\_ISO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_ISO:ADDRTYPE_ISO}\pysigline{\bfcode{ADDRTYPE\_ISO}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_ISO} - & -\code{0x0007} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_IS\_LOCAL} -\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL::doc}\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local}\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:addrtype-is-local-data}\index{ADDRTYPE\_IS\_LOCAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_IS_LOCAL:ADDRTYPE_IS_LOCAL}\pysigline{\bfcode{ADDRTYPE\_IS\_LOCAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_IS\_LOCAL (addrtype)} - & -\code{(addrtype \& 0x8000)} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_NETBIOS} -\label{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios}\label{appdev/refs/macros/ADDRTYPE_NETBIOS::doc}\label{appdev/refs/macros/ADDRTYPE_NETBIOS:addrtype-netbios-data}\index{ADDRTYPE\_NETBIOS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_NETBIOS:ADDRTYPE_NETBIOS}\pysigline{\bfcode{ADDRTYPE\_NETBIOS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_NETBIOS} - & -\code{0x0014} -\\ -\hline\end{tabulary} - - - -\subsubsection{ADDRTYPE\_XNS} -\label{appdev/refs/macros/ADDRTYPE_XNS::doc}\label{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns-data}\label{appdev/refs/macros/ADDRTYPE_XNS:addrtype-xns}\index{ADDRTYPE\_XNS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ADDRTYPE_XNS:ADDRTYPE_XNS}\pysigline{\bfcode{ADDRTYPE\_XNS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ADDRTYPE\_XNS} - & -\code{0x0006} -\\ -\hline\end{tabulary} - - - -\subsubsection{AD\_TYPE\_EXTERNAL} -\label{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external-data}\label{appdev/refs/macros/AD_TYPE_EXTERNAL::doc}\label{appdev/refs/macros/AD_TYPE_EXTERNAL:ad-type-external}\index{AD\_TYPE\_EXTERNAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AD_TYPE_EXTERNAL:AD_TYPE_EXTERNAL}\pysigline{\bfcode{AD\_TYPE\_EXTERNAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AD\_TYPE\_EXTERNAL} - & -\code{0x4000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AD\_TYPE\_FIELD\_TYPE\_MASK} -\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask}\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK::doc}\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:ad-type-field-type-mask-data}\index{AD\_TYPE\_FIELD\_TYPE\_MASK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AD_TYPE_FIELD_TYPE_MASK:AD_TYPE_FIELD_TYPE_MASK}\pysigline{\bfcode{AD\_TYPE\_FIELD\_TYPE\_MASK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AD\_TYPE\_FIELD\_TYPE\_MASK} - & -\code{0x1fff} -\\ -\hline\end{tabulary} - - - -\subsubsection{AD\_TYPE\_REGISTERED} -\label{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered-data}\label{appdev/refs/macros/AD_TYPE_REGISTERED:ad-type-registered}\label{appdev/refs/macros/AD_TYPE_REGISTERED::doc}\index{AD\_TYPE\_REGISTERED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AD_TYPE_REGISTERED:AD_TYPE_REGISTERED}\pysigline{\bfcode{AD\_TYPE\_REGISTERED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AD\_TYPE\_REGISTERED} - & -\code{0x2000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AD\_TYPE\_RESERVED} -\label{appdev/refs/macros/AD_TYPE_RESERVED::doc}\label{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved}\label{appdev/refs/macros/AD_TYPE_RESERVED:ad-type-reserved-data}\index{AD\_TYPE\_RESERVED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AD_TYPE_RESERVED:AD_TYPE_RESERVED}\pysigline{\bfcode{AD\_TYPE\_RESERVED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AD\_TYPE\_RESERVED} - & -\code{0x8000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_ETYPE\_NEGOTIATION} -\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION::doc}\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation}\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:ap-opts-etype-negotiation-data}\index{AP\_OPTS\_ETYPE\_NEGOTIATION (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_ETYPE_NEGOTIATION:AP_OPTS_ETYPE_NEGOTIATION}\pysigline{\bfcode{AP\_OPTS\_ETYPE\_NEGOTIATION}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_ETYPE\_NEGOTIATION} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_MUTUAL\_REQUIRED} -\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required}\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:ap-opts-mutual-required-data}\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED::doc}\index{AP\_OPTS\_MUTUAL\_REQUIRED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_MUTUAL_REQUIRED:AP_OPTS_MUTUAL_REQUIRED}\pysigline{\bfcode{AP\_OPTS\_MUTUAL\_REQUIRED}} -\end{fulllineitems} - - -Perform a mutual authentication exchange. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_MUTUAL\_REQUIRED} - & -\code{0x20000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_RESERVED} -\label{appdev/refs/macros/AP_OPTS_RESERVED::doc}\label{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved-data}\label{appdev/refs/macros/AP_OPTS_RESERVED:ap-opts-reserved}\index{AP\_OPTS\_RESERVED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_RESERVED:AP_OPTS_RESERVED}\pysigline{\bfcode{AP\_OPTS\_RESERVED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_RESERVED} - & -\code{0x80000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_USE\_SESSION\_KEY} -\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key}\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY::doc}\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:ap-opts-use-session-key-data}\index{AP\_OPTS\_USE\_SESSION\_KEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_USE_SESSION_KEY:AP_OPTS_USE_SESSION_KEY}\pysigline{\bfcode{AP\_OPTS\_USE\_SESSION\_KEY}} -\end{fulllineitems} - - -Use session key. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_USE\_SESSION\_KEY} - & -\code{0x40000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_USE\_SUBKEY} -\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey}\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:ap-opts-use-subkey-data}\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY::doc}\index{AP\_OPTS\_USE\_SUBKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_USE_SUBKEY:AP_OPTS_USE_SUBKEY}\pysigline{\bfcode{AP\_OPTS\_USE\_SUBKEY}} -\end{fulllineitems} - - -Generate a subsession key from the current session key obtained from the credentials. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_USE\_SUBKEY} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{AP\_OPTS\_WIRE\_MASK} -\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask-data}\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:ap-opts-wire-mask}\label{appdev/refs/macros/AP_OPTS_WIRE_MASK::doc}\index{AP\_OPTS\_WIRE\_MASK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/AP_OPTS_WIRE_MASK:AP_OPTS_WIRE_MASK}\pysigline{\bfcode{AP\_OPTS\_WIRE\_MASK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{AP\_OPTS\_WIRE\_MASK} - & -\code{0xfffffff0} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA128} -\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128::doc}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:cksumtype-cmac-camellia128-data}\index{CKSUMTYPE\_CMAC\_CAMELLIA128 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA128:CKSUMTYPE_CMAC_CAMELLIA128}\pysigline{\bfcode{CKSUMTYPE\_CMAC\_CAMELLIA128}} -\end{fulllineitems} - - -RFC 6803. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_CMAC\_CAMELLIA128} - & -\code{0x0011} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_CMAC\_CAMELLIA256} -\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256::doc}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256}\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:cksumtype-cmac-camellia256-data}\index{CKSUMTYPE\_CMAC\_CAMELLIA256 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CMAC_CAMELLIA256:CKSUMTYPE_CMAC_CAMELLIA256}\pysigline{\bfcode{CKSUMTYPE\_CMAC\_CAMELLIA256}} -\end{fulllineitems} - - -RFC 6803. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_CMAC\_CAMELLIA256} - & -\code{0x0012} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_CRC32} -\label{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32-data}\label{appdev/refs/macros/CKSUMTYPE_CRC32::doc}\label{appdev/refs/macros/CKSUMTYPE_CRC32:cksumtype-crc32}\index{CKSUMTYPE\_CRC32 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_CRC32:CKSUMTYPE_CRC32}\pysigline{\bfcode{CKSUMTYPE\_CRC32}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_CRC32} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_DESCBC} -\label{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc-data}\label{appdev/refs/macros/CKSUMTYPE_DESCBC::doc}\label{appdev/refs/macros/CKSUMTYPE_DESCBC:cksumtype-descbc}\index{CKSUMTYPE\_DESCBC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_DESCBC:CKSUMTYPE_DESCBC}\pysigline{\bfcode{CKSUMTYPE\_DESCBC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_DESCBC} - & -\code{0x0004} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:cksumtype-hmac-md5-arcfour}\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR::doc}\index{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_MD5_ARCFOUR:CKSUMTYPE_HMAC_MD5_ARCFOUR}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR}} -\end{fulllineitems} - - -RFC 4757. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_MD5\_ARCFOUR} - & -\code{-138} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:cksumtype-hmac-sha1-96-aes128-data}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES128:CKSUMTYPE_HMAC_SHA1_96_AES128}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128}} -\end{fulllineitems} - - -RFC 3962. - -Used with ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_SHA1\_96\_AES128} - & -\code{0x000f} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:cksumtype-hmac-sha1-96-aes256-data}\index{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_96_AES256:CKSUMTYPE_HMAC_SHA1_96_AES256}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256}} -\end{fulllineitems} - - -RFC 3962. - -Used with ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_SHA1\_96\_AES256} - & -\code{0x0010} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:cksumtype-hmac-sha256-128-aes128}\index{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA256_128_AES128:CKSUMTYPE_HMAC_SHA256_128_AES128}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128}} -\end{fulllineitems} - - -RFC 8009. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_SHA256\_128\_AES128} - & -\code{0x0013} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:cksumtype-hmac-sha384-192-aes256-data}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256::doc}\index{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA384_192_AES256:CKSUMTYPE_HMAC_SHA384_192_AES256}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256}} -\end{fulllineitems} - - -RFC 8009. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_SHA384\_192\_AES256} - & -\code{0x0014} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_HMAC\_SHA1\_DES3} -\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3::doc}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3}\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:cksumtype-hmac-sha1-des3-data}\index{CKSUMTYPE\_HMAC\_SHA1\_DES3 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_HMAC_SHA1_DES3:CKSUMTYPE_HMAC_SHA1_DES3}\pysigline{\bfcode{CKSUMTYPE\_HMAC\_SHA1\_DES3}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_HMAC\_SHA1\_DES3} - & -\code{0x000c} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR} -\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour}\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:cksumtype-md5-hmac-arcfour-data}\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR::doc}\index{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_MD5_HMAC_ARCFOUR:CKSUMTYPE_MD5_HMAC_ARCFOUR}\pysigline{\bfcode{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_MD5\_HMAC\_ARCFOUR} - & -\code{-137 /* Microsoft netlogon */} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_NIST\_SHA} -\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA::doc}\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha}\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:cksumtype-nist-sha-data}\index{CKSUMTYPE\_NIST\_SHA (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_NIST_SHA:CKSUMTYPE_NIST_SHA}\pysigline{\bfcode{CKSUMTYPE\_NIST\_SHA}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_NIST\_SHA} - & -\code{0x0009} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_RSA\_MD4} -\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:cksumtype-rsa-md4-data}\index{CKSUMTYPE\_RSA\_MD4 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4:CKSUMTYPE_RSA_MD4}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD4}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_RSA\_MD4} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_RSA\_MD4\_DES} -\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:cksumtype-rsa-md4-des-data}\index{CKSUMTYPE\_RSA\_MD4\_DES (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD4_DES:CKSUMTYPE_RSA_MD4_DES}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD4\_DES}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_RSA\_MD4\_DES} - & -\code{0x0003} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_RSA\_MD5} -\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5-data}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:cksumtype-rsa-md5}\index{CKSUMTYPE\_RSA\_MD5 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5:CKSUMTYPE_RSA_MD5}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD5}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_RSA\_MD5} - & -\code{0x0007} -\\ -\hline\end{tabulary} - - - -\subsubsection{CKSUMTYPE\_RSA\_MD5\_DES} -\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des-data}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES::doc}\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:cksumtype-rsa-md5-des}\index{CKSUMTYPE\_RSA\_MD5\_DES (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/CKSUMTYPE_RSA_MD5_DES:CKSUMTYPE_RSA_MD5_DES}\pysigline{\bfcode{CKSUMTYPE\_RSA\_MD5\_DES}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{CKSUMTYPE\_RSA\_MD5\_DES} - & -\code{0x0008} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96} -\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96-data}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96::doc}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:enctype-aes128-cts-hmac-sha1-96}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA1_96:ENCTYPE_AES128_CTS_HMAC_SHA1_96}\pysigline{\bfcode{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96}} -\end{fulllineitems} - - -RFC 3962. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_AES128\_CTS\_HMAC\_SHA1\_96} - & -\code{0x0011} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128} -\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:enctype-aes128-cts-hmac-sha256-128-data}\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128::doc}\index{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_AES128_CTS_HMAC_SHA256_128:ENCTYPE_AES128_CTS_HMAC_SHA256_128}\pysigline{\bfcode{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128}} -\end{fulllineitems} - - -RFC 8009. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_AES128\_CTS\_HMAC\_SHA256\_128} - & -\code{0x0013} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96} -\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96-data}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96::doc}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:enctype-aes256-cts-hmac-sha1-96}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA1_96:ENCTYPE_AES256_CTS_HMAC_SHA1_96}\pysigline{\bfcode{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96}} -\end{fulllineitems} - - -RFC 3962. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_AES256\_CTS\_HMAC\_SHA1\_96} - & -\code{0x0012} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192} -\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192-data}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:enctype-aes256-cts-hmac-sha384-192}\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192::doc}\index{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_AES256_CTS_HMAC_SHA384_192:ENCTYPE_AES256_CTS_HMAC_SHA384_192}\pysigline{\bfcode{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192}} -\end{fulllineitems} - - -RFC 8009. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_AES256\_CTS\_HMAC\_SHA384\_192} - & -\code{0x0014} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_ARCFOUR\_HMAC} -\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:enctype-arcfour-hmac-data}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC::doc}\index{ENCTYPE\_ARCFOUR\_HMAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC:ENCTYPE_ARCFOUR_HMAC}\pysigline{\bfcode{ENCTYPE\_ARCFOUR\_HMAC}} -\end{fulllineitems} - - -RFC 4757. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_ARCFOUR\_HMAC} - & -\code{0x0017} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_ARCFOUR\_HMAC\_EXP} -\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp-data}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:enctype-arcfour-hmac-exp}\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP::doc}\index{ENCTYPE\_ARCFOUR\_HMAC\_EXP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_ARCFOUR_HMAC_EXP:ENCTYPE_ARCFOUR_HMAC_EXP}\pysigline{\bfcode{ENCTYPE\_ARCFOUR\_HMAC\_EXP}} -\end{fulllineitems} - - -RFC 4757. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_ARCFOUR\_HMAC\_EXP} - & -\code{0x0018} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_CAMELLIA128\_CTS\_CMAC} -\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac-data}\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:enctype-camellia128-cts-cmac}\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC::doc}\index{ENCTYPE\_CAMELLIA128\_CTS\_CMAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_CAMELLIA128_CTS_CMAC:ENCTYPE_CAMELLIA128_CTS_CMAC}\pysigline{\bfcode{ENCTYPE\_CAMELLIA128\_CTS\_CMAC}} -\end{fulllineitems} - - -RFC 6803. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_CAMELLIA128\_CTS\_CMAC} - & -\code{0x0019} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_CAMELLIA256\_CTS\_CMAC} -\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac-data}\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:enctype-camellia256-cts-cmac}\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC::doc}\index{ENCTYPE\_CAMELLIA256\_CTS\_CMAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_CAMELLIA256_CTS_CMAC:ENCTYPE_CAMELLIA256_CTS_CMAC}\pysigline{\bfcode{ENCTYPE\_CAMELLIA256\_CTS\_CMAC}} -\end{fulllineitems} - - -RFC 6803. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_CAMELLIA256\_CTS\_CMAC} - & -\code{0x001a} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES3\_CBC\_ENV} -\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:enctype-des3-cbc-env-data}\index{ENCTYPE\_DES3\_CBC\_ENV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_ENV:ENCTYPE_DES3_CBC_ENV}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_ENV}} -\end{fulllineitems} - - -DES-3 cbc mode, CMS enveloped data. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES3\_CBC\_ENV} - & -\code{0x000f} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES3\_CBC\_RAW} -\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:enctype-des3-cbc-raw-data}\index{ENCTYPE\_DES3\_CBC\_RAW (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_RAW:ENCTYPE_DES3_CBC_RAW}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_RAW}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES3\_CBC\_RAW} - & -\code{0x0006} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES3\_CBC\_SHA} -\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:enctype-des3-cbc-sha-data}\index{ENCTYPE\_DES3\_CBC\_SHA (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA:ENCTYPE_DES3_CBC_SHA}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_SHA}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES3\_CBC\_SHA} - & -\code{0x0005} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES3\_CBC\_SHA1} -\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1::doc}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1}\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:enctype-des3-cbc-sha1-data}\index{ENCTYPE\_DES3\_CBC\_SHA1 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES3_CBC_SHA1:ENCTYPE_DES3_CBC_SHA1}\pysigline{\bfcode{ENCTYPE\_DES3\_CBC\_SHA1}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES3\_CBC\_SHA1} - & -\code{0x0010} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES\_CBC\_CRC} -\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:enctype-des-cbc-crc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC::doc}\index{ENCTYPE\_DES\_CBC\_CRC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_CRC:ENCTYPE_DES_CBC_CRC}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_CRC}} -\end{fulllineitems} - - -DES cbc mode with CRC-32. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES\_CBC\_CRC} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES\_CBC\_MD4} -\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4::doc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:enctype-des-cbc-md4}\index{ENCTYPE\_DES\_CBC\_MD4 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD4:ENCTYPE_DES_CBC_MD4}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_MD4}} -\end{fulllineitems} - - -DES cbc mode with RSA-MD4. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES\_CBC\_MD4} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES\_CBC\_MD5} -\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5::doc}\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:enctype-des-cbc-md5}\index{ENCTYPE\_DES\_CBC\_MD5 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_MD5:ENCTYPE_DES_CBC_MD5}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_MD5}} -\end{fulllineitems} - - -DES cbc mode with RSA-MD5. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES\_CBC\_MD5} - & -\code{0x0003} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES\_CBC\_RAW} -\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw-data}\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:enctype-des-cbc-raw}\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW::doc}\index{ENCTYPE\_DES\_CBC\_RAW (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_CBC_RAW:ENCTYPE_DES_CBC_RAW}\pysigline{\bfcode{ENCTYPE\_DES\_CBC\_RAW}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES\_CBC\_RAW} - & -\code{0x0004} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DES\_HMAC\_SHA1} -\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1-data}\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1::doc}\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:enctype-des-hmac-sha1}\index{ENCTYPE\_DES\_HMAC\_SHA1 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DES_HMAC_SHA1:ENCTYPE_DES_HMAC_SHA1}\pysigline{\bfcode{ENCTYPE\_DES\_HMAC\_SHA1}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DES\_HMAC\_SHA1} - & -\code{0x0008} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_DSA\_SHA1\_CMS} -\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms-data}\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:enctype-dsa-sha1-cms}\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS::doc}\index{ENCTYPE\_DSA\_SHA1\_CMS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_DSA_SHA1_CMS:ENCTYPE_DSA_SHA1_CMS}\pysigline{\bfcode{ENCTYPE\_DSA\_SHA1\_CMS}} -\end{fulllineitems} - - -DSA with SHA1, CMS signature. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_DSA\_SHA1\_CMS} - & -\code{0x0009} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_MD5\_RSA\_CMS} -\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms}\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:enctype-md5-rsa-cms-data}\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS::doc}\index{ENCTYPE\_MD5\_RSA\_CMS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_MD5_RSA_CMS:ENCTYPE_MD5_RSA_CMS}\pysigline{\bfcode{ENCTYPE\_MD5\_RSA\_CMS}} -\end{fulllineitems} - - -MD5 with RSA, CMS signature. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_MD5\_RSA\_CMS} - & -\code{0x000a} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_NULL} -\label{appdev/refs/macros/ENCTYPE_NULL:enctype-null}\label{appdev/refs/macros/ENCTYPE_NULL::doc}\label{appdev/refs/macros/ENCTYPE_NULL:enctype-null-data}\index{ENCTYPE\_NULL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_NULL:ENCTYPE_NULL}\pysigline{\bfcode{ENCTYPE\_NULL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_NULL} - & -\code{0x0000} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_RC2\_CBC\_ENV} -\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env}\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV::doc}\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:enctype-rc2-cbc-env-data}\index{ENCTYPE\_RC2\_CBC\_ENV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_RC2_CBC_ENV:ENCTYPE_RC2_CBC_ENV}\pysigline{\bfcode{ENCTYPE\_RC2\_CBC\_ENV}} -\end{fulllineitems} - - -RC2 cbc mode, CMS enveloped data. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_RC2\_CBC\_ENV} - & -\code{0x000c} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_RSA\_ENV} -\label{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env-data}\label{appdev/refs/macros/ENCTYPE_RSA_ENV:enctype-rsa-env}\label{appdev/refs/macros/ENCTYPE_RSA_ENV::doc}\index{ENCTYPE\_RSA\_ENV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_RSA_ENV:ENCTYPE_RSA_ENV}\pysigline{\bfcode{ENCTYPE\_RSA\_ENV}} -\end{fulllineitems} - - -RSA encryption, CMS enveloped data. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_RSA\_ENV} - & -\code{0x000d} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_RSA\_ES\_OAEP\_ENV} -\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV::doc}\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env}\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:enctype-rsa-es-oaep-env-data}\index{ENCTYPE\_RSA\_ES\_OAEP\_ENV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_RSA_ES_OAEP_ENV:ENCTYPE_RSA_ES_OAEP_ENV}\pysigline{\bfcode{ENCTYPE\_RSA\_ES\_OAEP\_ENV}} -\end{fulllineitems} - - -RSA w/OEAP encryption, CMS enveloped data. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_RSA\_ES\_OAEP\_ENV} - & -\code{0x000e} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_SHA1\_RSA\_CMS} -\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS::doc}\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms-data}\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:enctype-sha1-rsa-cms}\index{ENCTYPE\_SHA1\_RSA\_CMS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_SHA1_RSA_CMS:ENCTYPE_SHA1_RSA_CMS}\pysigline{\bfcode{ENCTYPE\_SHA1\_RSA\_CMS}} -\end{fulllineitems} - - -SHA1 with RSA, CMS signature. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_SHA1\_RSA\_CMS} - & -\code{0x000b} -\\ -\hline\end{tabulary} - - - -\subsubsection{ENCTYPE\_UNKNOWN} -\label{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown}\label{appdev/refs/macros/ENCTYPE_UNKNOWN::doc}\label{appdev/refs/macros/ENCTYPE_UNKNOWN:enctype-unknown-data}\index{ENCTYPE\_UNKNOWN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/ENCTYPE_UNKNOWN:ENCTYPE_UNKNOWN}\pysigline{\bfcode{ENCTYPE\_UNKNOWN}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{ENCTYPE\_UNKNOWN} - & -\code{0x01ff} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_ALLOW\_POSTDATE} -\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate}\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:kdc-opt-allow-postdate-data}\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE::doc}\index{KDC\_OPT\_ALLOW\_POSTDATE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_ALLOW_POSTDATE:KDC_OPT_ALLOW_POSTDATE}\pysigline{\bfcode{KDC\_OPT\_ALLOW\_POSTDATE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_ALLOW\_POSTDATE} - & -\code{0x04000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_CANONICALIZE} -\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize}\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:kdc-opt-canonicalize-data}\label{appdev/refs/macros/KDC_OPT_CANONICALIZE::doc}\index{KDC\_OPT\_CANONICALIZE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_CANONICALIZE:KDC_OPT_CANONICALIZE}\pysigline{\bfcode{KDC\_OPT\_CANONICALIZE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_CANONICALIZE} - & -\code{0x00010000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT} -\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt-data}\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:kdc-opt-cname-in-addl-tkt}\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT::doc}\index{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_CNAME_IN_ADDL_TKT:KDC_OPT_CNAME_IN_ADDL_TKT}\pysigline{\bfcode{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_CNAME\_IN\_ADDL\_TKT} - & -\code{0x00020000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK} -\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check}\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK::doc}\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:kdc-opt-disable-transited-check-data}\index{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_DISABLE_TRANSITED_CHECK:KDC_OPT_DISABLE_TRANSITED_CHECK}\pysigline{\bfcode{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_DISABLE\_TRANSITED\_CHECK} - & -\code{0x00000020} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_ENC\_TKT\_IN\_SKEY} -\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey}\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY::doc}\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:kdc-opt-enc-tkt-in-skey-data}\index{KDC\_OPT\_ENC\_TKT\_IN\_SKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_ENC_TKT_IN_SKEY:KDC_OPT_ENC_TKT_IN_SKEY}\pysigline{\bfcode{KDC\_OPT\_ENC\_TKT\_IN\_SKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_ENC\_TKT\_IN\_SKEY} - & -\code{0x00000008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_FORWARDABLE} -\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable-data}\label{appdev/refs/macros/KDC_OPT_FORWARDABLE::doc}\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:kdc-opt-forwardable}\index{KDC\_OPT\_FORWARDABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_FORWARDABLE:KDC_OPT_FORWARDABLE}\pysigline{\bfcode{KDC\_OPT\_FORWARDABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_FORWARDABLE} - & -\code{0x40000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_FORWARDED} -\label{appdev/refs/macros/KDC_OPT_FORWARDED::doc}\label{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded}\label{appdev/refs/macros/KDC_OPT_FORWARDED:kdc-opt-forwarded-data}\index{KDC\_OPT\_FORWARDED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_FORWARDED:KDC_OPT_FORWARDED}\pysigline{\bfcode{KDC\_OPT\_FORWARDED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_FORWARDED} - & -\code{0x20000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_POSTDATED} -\label{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated-data}\label{appdev/refs/macros/KDC_OPT_POSTDATED:kdc-opt-postdated}\label{appdev/refs/macros/KDC_OPT_POSTDATED::doc}\index{KDC\_OPT\_POSTDATED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_POSTDATED:KDC_OPT_POSTDATED}\pysigline{\bfcode{KDC\_OPT\_POSTDATED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_POSTDATED} - & -\code{0x02000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_PROXIABLE} -\label{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable-data}\label{appdev/refs/macros/KDC_OPT_PROXIABLE::doc}\label{appdev/refs/macros/KDC_OPT_PROXIABLE:kdc-opt-proxiable}\index{KDC\_OPT\_PROXIABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_PROXIABLE:KDC_OPT_PROXIABLE}\pysigline{\bfcode{KDC\_OPT\_PROXIABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_PROXIABLE} - & -\code{0x10000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_PROXY} -\label{appdev/refs/macros/KDC_OPT_PROXY::doc}\label{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy}\label{appdev/refs/macros/KDC_OPT_PROXY:kdc-opt-proxy-data}\index{KDC\_OPT\_PROXY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_PROXY:KDC_OPT_PROXY}\pysigline{\bfcode{KDC\_OPT\_PROXY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_PROXY} - & -\code{0x08000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_RENEW} -\label{appdev/refs/macros/KDC_OPT_RENEW::doc}\label{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew}\label{appdev/refs/macros/KDC_OPT_RENEW:kdc-opt-renew-data}\index{KDC\_OPT\_RENEW (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEW:KDC_OPT_RENEW}\pysigline{\bfcode{KDC\_OPT\_RENEW}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_RENEW} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_RENEWABLE} -\label{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable}\label{appdev/refs/macros/KDC_OPT_RENEWABLE:kdc-opt-renewable-data}\label{appdev/refs/macros/KDC_OPT_RENEWABLE::doc}\index{KDC\_OPT\_RENEWABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEWABLE:KDC_OPT_RENEWABLE}\pysigline{\bfcode{KDC\_OPT\_RENEWABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_RENEWABLE} - & -\code{0x00800000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_RENEWABLE\_OK} -\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK::doc}\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok-data}\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:kdc-opt-renewable-ok}\index{KDC\_OPT\_RENEWABLE\_OK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_RENEWABLE_OK:KDC_OPT_RENEWABLE_OK}\pysigline{\bfcode{KDC\_OPT\_RENEWABLE\_OK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_RENEWABLE\_OK} - & -\code{0x00000010} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_REQUEST\_ANONYMOUS} -\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous}\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:kdc-opt-request-anonymous-data}\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS::doc}\index{KDC\_OPT\_REQUEST\_ANONYMOUS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_REQUEST_ANONYMOUS:KDC_OPT_REQUEST_ANONYMOUS}\pysigline{\bfcode{KDC\_OPT\_REQUEST\_ANONYMOUS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_REQUEST\_ANONYMOUS} - & -\code{0x00008000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_OPT\_VALIDATE} -\label{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate-data}\label{appdev/refs/macros/KDC_OPT_VALIDATE:kdc-opt-validate}\label{appdev/refs/macros/KDC_OPT_VALIDATE::doc}\index{KDC\_OPT\_VALIDATE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_OPT_VALIDATE:KDC_OPT_VALIDATE}\pysigline{\bfcode{KDC\_OPT\_VALIDATE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_OPT\_VALIDATE} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KDC\_TKT\_COMMON\_MASK} -\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask-data}\label{appdev/refs/macros/KDC_TKT_COMMON_MASK::doc}\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:kdc-tkt-common-mask}\index{KDC\_TKT\_COMMON\_MASK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KDC_TKT_COMMON_MASK:KDC_TKT_COMMON_MASK}\pysigline{\bfcode{KDC\_TKT\_COMMON\_MASK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KDC\_TKT\_COMMON\_MASK} - & -\code{0x54800000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE} -\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response}\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:krb5-altauth-att-challenge-response-data}\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE::doc}\index{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE:KRB5_ALTAUTH_ATT_CHALLENGE_RESPONSE}\pysigline{\bfcode{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE}} -\end{fulllineitems} - - -alternate authentication types - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_ALTAUTH\_ATT\_CHALLENGE\_RESPONSE} - & -\code{64} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_ANONYMOUS\_PRINCSTR} -\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr}\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:krb5-anonymous-princstr-data}\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR::doc}\index{KRB5\_ANONYMOUS\_PRINCSTR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_ANONYMOUS_PRINCSTR:KRB5_ANONYMOUS_PRINCSTR}\pysigline{\bfcode{KRB5\_ANONYMOUS\_PRINCSTR}} -\end{fulllineitems} - - -Anonymous principal name. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_ANONYMOUS\_PRINCSTR} - & -\code{"ANONYMOUS"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_ANONYMOUS\_REALMSTR} -\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr-data}\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:krb5-anonymous-realmstr}\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR::doc}\index{KRB5\_ANONYMOUS\_REALMSTR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_ANONYMOUS_REALMSTR:KRB5_ANONYMOUS_REALMSTR}\pysigline{\bfcode{KRB5\_ANONYMOUS\_REALMSTR}} -\end{fulllineitems} - - -Anonymous realm. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_ANONYMOUS\_REALMSTR} - & -\code{"WELLKNOWN:ANONYMOUS"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AP\_REP} -\label{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep}\label{appdev/refs/macros/KRB5_AP_REP::doc}\label{appdev/refs/macros/KRB5_AP_REP:krb5-ap-rep-data}\index{KRB5\_AP\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AP_REP:KRB5_AP_REP}\pysigline{\bfcode{KRB5\_AP\_REP}} -\end{fulllineitems} - - -Response to mutual AP request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AP\_REP} - & -\code{((krb5\_msgtype)15)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AP\_REQ} -\label{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req}\label{appdev/refs/macros/KRB5_AP_REQ::doc}\label{appdev/refs/macros/KRB5_AP_REQ:krb5-ap-req-data}\index{KRB5\_AP\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AP_REQ:KRB5_AP_REQ}\pysigline{\bfcode{KRB5\_AP\_REQ}} -\end{fulllineitems} - - -Auth req to application server. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AP\_REQ} - & -\code{((krb5\_msgtype)14)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AS\_REP} -\label{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep}\label{appdev/refs/macros/KRB5_AS_REP:krb5-as-rep-data}\label{appdev/refs/macros/KRB5_AS_REP::doc}\index{KRB5\_AS\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AS_REP:KRB5_AS_REP}\pysigline{\bfcode{KRB5\_AS\_REP}} -\end{fulllineitems} - - -Response to AS request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AS\_REP} - & -\code{((krb5\_msgtype)11)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AS\_REQ} -\label{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req}\label{appdev/refs/macros/KRB5_AS_REQ:krb5-as-req-data}\label{appdev/refs/macros/KRB5_AS_REQ::doc}\index{KRB5\_AS\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AS_REQ:KRB5_AS_REQ}\pysigline{\bfcode{KRB5\_AS\_REQ}} -\end{fulllineitems} - - -Initial authentication request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AS\_REQ} - & -\code{((krb5\_msgtype)10)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_AND\_OR} -\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or-data}\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:krb5-authdata-and-or}\index{KRB5\_AUTHDATA\_AND\_OR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_AND_OR:KRB5_AUTHDATA_AND_OR}\pysigline{\bfcode{KRB5\_AUTHDATA\_AND\_OR}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_AND\_OR} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_AUTH\_INDICATOR} -\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator}\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:krb5-authdata-auth-indicator-data}\index{KRB5\_AUTHDATA\_AUTH\_INDICATOR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_AUTH_INDICATOR:KRB5_AUTHDATA_AUTH_INDICATOR}\pysigline{\bfcode{KRB5\_AUTHDATA\_AUTH\_INDICATOR}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_AUTH\_INDICATOR} - & -\code{97} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_CAMMAC} -\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac}\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:krb5-authdata-cammac-data}\index{KRB5\_AUTHDATA\_CAMMAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_CAMMAC:KRB5_AUTHDATA_CAMMAC}\pysigline{\bfcode{KRB5\_AUTHDATA\_CAMMAC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_CAMMAC} - & -\code{96} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION} -\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation}\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:krb5-authdata-etype-negotiation-data}\index{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_ETYPE_NEGOTIATION:KRB5_AUTHDATA_ETYPE_NEGOTIATION}\pysigline{\bfcode{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION}} -\end{fulllineitems} - - -RFC 4537. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_ETYPE\_NEGOTIATION} - & -\code{129} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_FX\_ARMOR} -\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor}\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:krb5-authdata-fx-armor-data}\index{KRB5\_AUTHDATA\_FX\_ARMOR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_FX_ARMOR:KRB5_AUTHDATA_FX_ARMOR}\pysigline{\bfcode{KRB5\_AUTHDATA\_FX\_ARMOR}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_FX\_ARMOR} - & -\code{71} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_IF\_RELEVANT} -\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant-data}\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:krb5-authdata-if-relevant}\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT::doc}\index{KRB5\_AUTHDATA\_IF\_RELEVANT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_IF_RELEVANT:KRB5_AUTHDATA_IF_RELEVANT}\pysigline{\bfcode{KRB5\_AUTHDATA\_IF\_RELEVANT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_IF\_RELEVANT} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS} -\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas-data}\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:krb5-authdata-initial-verified-cas}\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS::doc}\index{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_INITIAL_VERIFIED_CAS:KRB5_AUTHDATA_INITIAL_VERIFIED_CAS}\pysigline{\bfcode{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_INITIAL\_VERIFIED\_CAS} - & -\code{9} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_KDC\_ISSUED} -\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued-data}\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:krb5-authdata-kdc-issued}\index{KRB5\_AUTHDATA\_KDC\_ISSUED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_KDC_ISSUED:KRB5_AUTHDATA_KDC_ISSUED}\pysigline{\bfcode{KRB5\_AUTHDATA\_KDC\_ISSUED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_KDC\_ISSUED} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC} -\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc}\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:krb5-authdata-mandatory-for-kdc-data}\index{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_MANDATORY_FOR_KDC:KRB5_AUTHDATA_MANDATORY_FOR_KDC}\pysigline{\bfcode{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_MANDATORY\_FOR\_KDC} - & -\code{8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_OSF\_DCE} -\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce-data}\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:krb5-authdata-osf-dce}\index{KRB5\_AUTHDATA\_OSF\_DCE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_OSF_DCE:KRB5_AUTHDATA_OSF_DCE}\pysigline{\bfcode{KRB5\_AUTHDATA\_OSF\_DCE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_OSF\_DCE} - & -\code{64} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_SESAME} -\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame}\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:krb5-authdata-sesame-data}\index{KRB5\_AUTHDATA\_SESAME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_SESAME:KRB5_AUTHDATA_SESAME}\pysigline{\bfcode{KRB5\_AUTHDATA\_SESAME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_SESAME} - & -\code{65} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_SIGNTICKET} -\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket-data}\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:krb5-authdata-signticket}\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET::doc}\index{KRB5\_AUTHDATA\_SIGNTICKET (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_SIGNTICKET:KRB5_AUTHDATA_SIGNTICKET}\pysigline{\bfcode{KRB5\_AUTHDATA\_SIGNTICKET}} -\end{fulllineitems} - - -formerly 142 in krb5 1.8 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_SIGNTICKET} - & -\code{512} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTHDATA\_WIN2K\_PAC} -\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac-data}\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC::doc}\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:krb5-authdata-win2k-pac}\index{KRB5\_AUTHDATA\_WIN2K\_PAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTHDATA_WIN2K_PAC:KRB5_AUTHDATA_WIN2K_PAC}\pysigline{\bfcode{KRB5\_AUTHDATA\_WIN2K\_PAC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTHDATA\_WIN2K\_PAC} - & -\code{128} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:krb5-auth-context-do-sequence}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE::doc}\index{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_SEQUENCE:KRB5_AUTH_CONTEXT_DO_SEQUENCE}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE}} -\end{fulllineitems} - - -Prevent replays with sequence numbers. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_DO\_SEQUENCE} - & -\code{0x00000004} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_DO\_TIME} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:krb5-auth-context-do-time}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME::doc}\index{KRB5\_AUTH\_CONTEXT\_DO\_TIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_DO_TIME:KRB5_AUTH_CONTEXT_DO_TIME}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_DO\_TIME}} -\end{fulllineitems} - - -Prevent replays with timestamps and replay cache. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_DO\_TIME} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:krb5-auth-context-generate-local-addr-data}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR}} -\end{fulllineitems} - - -Generate the local network address. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_ADDR} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:krb5-auth-context-generate-local-full-addr-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR::doc}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR}} -\end{fulllineitems} - - -Generate the local network address and the local port. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_LOCAL\_FULL\_ADDR} - & -\code{0x00000004} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:krb5-auth-context-generate-remote-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR::doc}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR}} -\end{fulllineitems} - - -Generate the remote network address. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_ADDR} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:krb5-auth-context-generate-remote-full-addr-data}\index{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR:KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR}} -\end{fulllineitems} - - -Generate the remote network address and the remote port. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_GENERATE\_REMOTE\_FULL\_ADDR} - & -\code{0x00000008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:krb5-auth-context-permit-all-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL::doc}\index{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_PERMIT_ALL:KRB5_AUTH_CONTEXT_PERMIT_ALL}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_PERMIT\_ALL} - & -\code{0x00000010} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:krb5-auth-context-ret-sequence-data}\index{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_SEQUENCE:KRB5_AUTH_CONTEXT_RET_SEQUENCE}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE}} -\end{fulllineitems} - - -Save sequence numbers for application. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_RET\_SEQUENCE} - & -\code{0x00000008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_RET\_TIME} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:krb5-auth-context-ret-time-data}\index{KRB5\_AUTH\_CONTEXT\_RET\_TIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_RET_TIME:KRB5_AUTH_CONTEXT_RET_TIME}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_RET\_TIME}} -\end{fulllineitems} - - -Save timestamps for application. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_RET\_TIME} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY} -\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY::doc}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey-data}\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:krb5-auth-context-use-subkey}\index{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_AUTH_CONTEXT_USE_SUBKEY:KRB5_AUTH_CONTEXT_USE_SUBKEY}\pysigline{\bfcode{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_AUTH\_CONTEXT\_USE\_SUBKEY} - & -\code{0x00000020} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRED} -\label{appdev/refs/macros/KRB5_CRED:krb5-cred-data}\label{appdev/refs/macros/KRB5_CRED::doc}\label{appdev/refs/macros/KRB5_CRED:krb5-cred}\index{KRB5\_CRED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRED:KRB5_CRED}\pysigline{\bfcode{KRB5\_CRED}} -\end{fulllineitems} - - -Cred forwarding message. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRED} - & -\code{((krb5\_msgtype)22)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_CHECKSUM} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:krb5-crypto-type-checksum}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM::doc}\index{KRB5\_CRYPTO\_TYPE\_CHECKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_CHECKSUM:KRB5_CRYPTO_TYPE_CHECKSUM}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_CHECKSUM}} -\end{fulllineitems} - - -{[}out{]} checksum for MIC - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_CHECKSUM} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_DATA} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:krb5-crypto-type-data-data}\index{KRB5\_CRYPTO\_TYPE\_DATA (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_DATA:KRB5_CRYPTO_TYPE_DATA}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_DATA}} -\end{fulllineitems} - - -{[}in, out{]} plaintext - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_DATA} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_EMPTY} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:krb5-crypto-type-empty-data}\index{KRB5\_CRYPTO\_TYPE\_EMPTY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_EMPTY:KRB5_CRYPTO_TYPE_EMPTY}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_EMPTY}} -\end{fulllineitems} - - -{[}in{]} ignored - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_EMPTY} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_HEADER} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:krb5-crypto-type-header-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER::doc}\index{KRB5\_CRYPTO\_TYPE\_HEADER (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_HEADER:KRB5_CRYPTO_TYPE_HEADER}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_HEADER}} -\end{fulllineitems} - - -{[}out{]} header - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_HEADER} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_PADDING} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:krb5-crypto-type-padding}\index{KRB5\_CRYPTO\_TYPE\_PADDING (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_PADDING:KRB5_CRYPTO_TYPE_PADDING}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_PADDING}} -\end{fulllineitems} - - -{[}out{]} padding - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_PADDING} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:krb5-crypto-type-sign-only-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY::doc}\index{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_SIGN_ONLY:KRB5_CRYPTO_TYPE_SIGN_ONLY}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY}} -\end{fulllineitems} - - -{[}in{]} associated data - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_SIGN\_ONLY} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_STREAM} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM::doc}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:krb5-crypto-type-stream}\index{KRB5\_CRYPTO\_TYPE\_STREAM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_STREAM:KRB5_CRYPTO_TYPE_STREAM}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_STREAM}} -\end{fulllineitems} - - -{[}in{]} entire message without decomposing the structure into header, data and trailer buffers - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_STREAM} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CRYPTO\_TYPE\_TRAILER} -\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:krb5-crypto-type-trailer-data}\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER::doc}\index{KRB5\_CRYPTO\_TYPE\_TRAILER (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CRYPTO_TYPE_TRAILER:KRB5_CRYPTO_TYPE_TRAILER}\pysigline{\bfcode{KRB5\_CRYPTO\_TYPE\_TRAILER}} -\end{fulllineitems} - - -{[}out{]} checksum for encrypt - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CRYPTO\_TYPE\_TRAILER} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_CYBERSAFE\_SECUREID} -\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid}\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID::doc}\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:krb5-cybersafe-secureid-data}\index{KRB5\_CYBERSAFE\_SECUREID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_CYBERSAFE_SECUREID:KRB5_CYBERSAFE_SECUREID}\pysigline{\bfcode{KRB5\_CYBERSAFE\_SECUREID}} -\end{fulllineitems} - - -Cybersafe. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_CYBERSAFE\_SECUREID} - & -\code{9} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_DOMAIN\_X500\_COMPRESS} -\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS::doc}\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress}\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:krb5-domain-x500-compress-data}\index{KRB5\_DOMAIN\_X500\_COMPRESS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_DOMAIN_X500_COMPRESS:KRB5_DOMAIN_X500_COMPRESS}\pysigline{\bfcode{KRB5\_DOMAIN\_X500\_COMPRESS}} -\end{fulllineitems} - - -Transited encoding types. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_DOMAIN\_X500\_COMPRESS} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP} -\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep}\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:krb5-encpadata-req-enc-pa-rep-data}\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP::doc}\index{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_ENCPADATA_REQ_ENC_PA_REP:KRB5_ENCPADATA_REQ_ENC_PA_REP}\pysigline{\bfcode{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP}} -\end{fulllineitems} - - -RFC 6806. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_ENCPADATA\_REQ\_ENC\_PA\_REP} - & -\code{149} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_ERROR} -\label{appdev/refs/macros/KRB5_ERROR:krb5-error-data}\label{appdev/refs/macros/KRB5_ERROR:krb5-error}\label{appdev/refs/macros/KRB5_ERROR::doc}\index{KRB5\_ERROR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_ERROR:KRB5_ERROR}\pysigline{\bfcode{KRB5\_ERROR}} -\end{fulllineitems} - - -Error response. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_ERROR} - & -\code{((krb5\_msgtype)30)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_FAST\_REQUIRED} -\label{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required}\label{appdev/refs/macros/KRB5_FAST_REQUIRED:krb5-fast-required-data}\label{appdev/refs/macros/KRB5_FAST_REQUIRED::doc}\index{KRB5\_FAST\_REQUIRED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_FAST_REQUIRED:KRB5_FAST_REQUIRED}\pysigline{\bfcode{KRB5\_FAST\_REQUIRED}} -\end{fulllineitems} - - -Require KDC to support FAST. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_FAST\_REQUIRED} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_CACHED} -\label{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached}\label{appdev/refs/macros/KRB5_GC_CACHED:krb5-gc-cached-data}\label{appdev/refs/macros/KRB5_GC_CACHED::doc}\index{KRB5\_GC\_CACHED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_CACHED:KRB5_GC_CACHED}\pysigline{\bfcode{KRB5\_GC\_CACHED}} -\end{fulllineitems} - - -Want cached ticket only. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_CACHED} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_CANONICALIZE} -\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize-data}\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:krb5-gc-canonicalize}\label{appdev/refs/macros/KRB5_GC_CANONICALIZE::doc}\index{KRB5\_GC\_CANONICALIZE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_CANONICALIZE:KRB5_GC_CANONICALIZE}\pysigline{\bfcode{KRB5\_GC\_CANONICALIZE}} -\end{fulllineitems} - - -Set canonicalize KDC option. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_CANONICALIZE} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_CONSTRAINED\_DELEGATION} -\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation}\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:krb5-gc-constrained-delegation-data}\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION::doc}\index{KRB5\_GC\_CONSTRAINED\_DELEGATION (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_CONSTRAINED_DELEGATION:KRB5_GC_CONSTRAINED_DELEGATION}\pysigline{\bfcode{KRB5\_GC\_CONSTRAINED\_DELEGATION}} -\end{fulllineitems} - - -Constrained delegation. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_CONSTRAINED\_DELEGATION} - & -\code{64} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_FORWARDABLE} -\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable-data}\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:krb5-gc-forwardable}\label{appdev/refs/macros/KRB5_GC_FORWARDABLE::doc}\index{KRB5\_GC\_FORWARDABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_FORWARDABLE:KRB5_GC_FORWARDABLE}\pysigline{\bfcode{KRB5\_GC\_FORWARDABLE}} -\end{fulllineitems} - - -Acquire forwardable tickets. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_FORWARDABLE} - & -\code{16} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_NO\_STORE} -\label{appdev/refs/macros/KRB5_GC_NO_STORE::doc}\label{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store}\label{appdev/refs/macros/KRB5_GC_NO_STORE:krb5-gc-no-store-data}\index{KRB5\_GC\_NO\_STORE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_NO_STORE:KRB5_GC_NO_STORE}\pysigline{\bfcode{KRB5\_GC\_NO\_STORE}} -\end{fulllineitems} - - -Do not store in credential cache. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_NO\_STORE} - & -\code{8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_NO\_TRANSIT\_CHECK} -\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check-data}\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:krb5-gc-no-transit-check}\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK::doc}\index{KRB5\_GC\_NO\_TRANSIT\_CHECK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_NO_TRANSIT_CHECK:KRB5_GC_NO_TRANSIT_CHECK}\pysigline{\bfcode{KRB5\_GC\_NO\_TRANSIT\_CHECK}} -\end{fulllineitems} - - -Disable transited check. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_NO\_TRANSIT\_CHECK} - & -\code{32} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GC\_USER\_USER} -\label{appdev/refs/macros/KRB5_GC_USER_USER::doc}\label{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user}\label{appdev/refs/macros/KRB5_GC_USER_USER:krb5-gc-user-user-data}\index{KRB5\_GC\_USER\_USER (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GC_USER_USER:KRB5_GC_USER_USER}\pysigline{\bfcode{KRB5\_GC\_USER\_USER}} -\end{fulllineitems} - - -Want user-user ticket. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GC\_USER\_USER} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:krb5-get-init-creds-opt-address-list-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST:KRB5_GET_INIT_CREDS_OPT_ADDRESS_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ADDRESS\_LIST} - & -\code{0x0020} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:krb5-get-init-creds-opt-anonymous}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ANONYMOUS:KRB5_GET_INIT_CREDS_OPT_ANONYMOUS}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ANONYMOUS} - & -\code{0x0400} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:krb5-get-init-creds-opt-canonicalize}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CANONICALIZE:KRB5_GET_INIT_CREDS_OPT_CANONICALIZE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_CANONICALIZE} - & -\code{0x0200} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:krb5-get-init-creds-opt-chg-pwd-prmpt-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT:KRB5_GET_INIT_CREDS_OPT_CHG_PWD_PRMPT}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_CHG\_PWD\_PRMPT} - & -\code{0x0100} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:krb5-get-init-creds-opt-etype-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST:KRB5_GET_INIT_CREDS_OPT_ETYPE_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_ETYPE\_LIST} - & -\code{0x0010} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:krb5-get-init-creds-opt-forwardable-data}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_FORWARDABLE:KRB5_GET_INIT_CREDS_OPT_FORWARDABLE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_FORWARDABLE} - & -\code{0x0004} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:krb5-get-init-creds-opt-preauth-list-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST:KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_PREAUTH\_LIST} - & -\code{0x0040} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:krb5-get-init-creds-opt-proxiable}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_PROXIABLE:KRB5_GET_INIT_CREDS_OPT_PROXIABLE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_PROXIABLE} - & -\code{0x0008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:krb5-get-init-creds-opt-renew-life}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE:KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_RENEW\_LIFE} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:krb5-get-init-creds-opt-salt}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT::doc}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_SALT:KRB5_GET_INIT_CREDS_OPT_SALT}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_SALT} - & -\code{0x0080} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE} -\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE::doc}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life-data}\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:krb5-get-init-creds-opt-tkt-life}\index{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_GET_INIT_CREDS_OPT_TKT_LIFE:KRB5_GET_INIT_CREDS_OPT_TKT_LIFE}\pysigline{\bfcode{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_GET\_INIT\_CREDS\_OPT\_TKT\_LIFE} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INIT\_CONTEXT\_SECURE} -\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE::doc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:krb5-init-context-secure-data}\index{KRB5\_INIT\_CONTEXT\_SECURE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INIT_CONTEXT_SECURE:KRB5_INIT_CONTEXT_SECURE}\pysigline{\bfcode{KRB5\_INIT\_CONTEXT\_SECURE}} -\end{fulllineitems} - - -Use secure context configuration. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INIT\_CONTEXT\_SECURE} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INIT\_CONTEXT\_KDC} -\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC::doc}\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:krb5-init-context-kdc-data}\index{KRB5\_INIT\_CONTEXT\_KDC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INIT_CONTEXT_KDC:KRB5_INIT_CONTEXT_KDC}\pysigline{\bfcode{KRB5\_INIT\_CONTEXT\_KDC}} -\end{fulllineitems} - - -Use KDC configuration if available. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INIT\_CONTEXT\_KDC} - & -\code{0x2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE} -\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue-data}\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:krb5-init-creds-step-flag-continue}\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE::doc}\index{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INIT_CREDS_STEP_FLAG_CONTINUE:KRB5_INIT_CREDS_STEP_FLAG_CONTINUE}\pysigline{\bfcode{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE}} -\end{fulllineitems} - - -More responses needed. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INIT\_CREDS\_STEP\_FLAG\_CONTINUE} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INT16\_MAX} -\label{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max-data}\label{appdev/refs/macros/KRB5_INT16_MAX::doc}\label{appdev/refs/macros/KRB5_INT16_MAX:krb5-int16-max}\index{KRB5\_INT16\_MAX (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INT16_MAX:KRB5_INT16_MAX}\pysigline{\bfcode{KRB5\_INT16\_MAX}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INT16\_MAX} - & -\code{65535} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INT16\_MIN} -\label{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min-data}\label{appdev/refs/macros/KRB5_INT16_MIN:krb5-int16-min}\label{appdev/refs/macros/KRB5_INT16_MIN::doc}\index{KRB5\_INT16\_MIN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INT16_MIN:KRB5_INT16_MIN}\pysigline{\bfcode{KRB5\_INT16\_MIN}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INT16\_MIN} - & -\code{(-KRB5\_INT16\_MAX-1)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INT32\_MAX} -\label{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max-data}\label{appdev/refs/macros/KRB5_INT32_MAX:krb5-int32-max}\label{appdev/refs/macros/KRB5_INT32_MAX::doc}\index{KRB5\_INT32\_MAX (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INT32_MAX:KRB5_INT32_MAX}\pysigline{\bfcode{KRB5\_INT32\_MAX}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INT32\_MAX} - & -\code{2147483647} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_INT32\_MIN} -\label{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min-data}\label{appdev/refs/macros/KRB5_INT32_MIN::doc}\label{appdev/refs/macros/KRB5_INT32_MIN:krb5-int32-min}\index{KRB5\_INT32\_MIN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_INT32_MIN:KRB5_INT32_MIN}\pysigline{\bfcode{KRB5\_INT32\_MIN}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_INT32\_MIN} - & -\code{(-KRB5\_INT32\_MAX-1)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AD\_ITE} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:krb5-keyusage-ad-ite}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE::doc}\index{KRB5\_KEYUSAGE\_AD\_ITE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_ITE:KRB5_KEYUSAGE_AD_ITE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_ITE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AD\_ITE} - & -\code{21} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:krb5-keyusage-ad-kdcissued-cksum}\index{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM:KRB5_KEYUSAGE_AD_KDCISSUED_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AD\_KDCISSUED\_CKSUM} - & -\code{19} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AD\_MTE} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:krb5-keyusage-ad-mte}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE::doc}\index{KRB5\_KEYUSAGE\_AD\_MTE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_MTE:KRB5_KEYUSAGE_AD_MTE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_MTE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AD\_MTE} - & -\code{20} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:krb5-keyusage-ad-signedpath}\index{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AD_SIGNEDPATH:KRB5_KEYUSAGE_AD_SIGNEDPATH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AD\_SIGNEDPATH} - & -\code{-21} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:krb5-keyusage-app-data-cksum}\index{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_CKSUM:KRB5_KEYUSAGE_APP_DATA_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_APP\_DATA\_CKSUM} - & -\code{17} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT} -\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:krb5-keyusage-app-data-encrypt-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT::doc}\index{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_APP_DATA_ENCRYPT:KRB5_KEYUSAGE_APP_DATA_ENCRYPT}\pysigline{\bfcode{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_APP\_DATA\_ENCRYPT} - & -\code{16} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:krb5-keyusage-ap-rep-encpart-data}\index{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REP_ENCPART:KRB5_KEYUSAGE_AP_REP_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AP\_REP\_ENCPART} - & -\code{12} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:krb5-keyusage-ap-req-auth-data}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH:KRB5_KEYUSAGE_AP_REQ_AUTH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH} - & -\code{11} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:krb5-keyusage-ap-req-auth-cksum}\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM::doc}\index{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AP\_REQ\_AUTH\_CKSUM} - & -\code{10} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:krb5-keyusage-as-rep-encpart}\index{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REP_ENCPART:KRB5_KEYUSAGE_AS_REP_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AS\_REP\_ENCPART} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AS\_REQ} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:krb5-keyusage-as-req}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ::doc}\index{KRB5\_KEYUSAGE\_AS\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ:KRB5_KEYUSAGE_AS_REQ}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REQ}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AS\_REQ} - & -\code{56} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS} -\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:krb5-keyusage-as-req-pa-enc-ts}\index{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS:KRB5_KEYUSAGE_AS_REQ_PA_ENC_TS}\pysigline{\bfcode{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_AS\_REQ\_PA\_ENC\_TS} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_CAMMAC} -\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac}\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:krb5-keyusage-cammac-data}\index{KRB5\_KEYUSAGE\_CAMMAC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_CAMMAC:KRB5_KEYUSAGE_CAMMAC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_CAMMAC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_CAMMAC} - & -\code{64} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT} -\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:krb5-keyusage-enc-challenge-client}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT:KRB5_KEYUSAGE_ENC_CHALLENGE_CLIENT}\pysigline{\bfcode{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_CLIENT} - & -\code{54} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC} -\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:krb5-keyusage-enc-challenge-kdc}\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC::doc}\index{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_ENC_CHALLENGE_KDC:KRB5_KEYUSAGE_ENC_CHALLENGE_KDC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_ENC\_CHALLENGE\_KDC} - & -\code{55} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_FAST\_ENC} -\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:krb5-keyusage-fast-enc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC::doc}\index{KRB5\_KEYUSAGE\_FAST\_ENC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_ENC:KRB5_KEYUSAGE_FAST_ENC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_ENC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_FAST\_ENC} - & -\code{51} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_FAST\_FINISHED} -\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:krb5-keyusage-fast-finished}\index{KRB5\_KEYUSAGE\_FAST\_FINISHED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_FINISHED:KRB5_KEYUSAGE_FAST_FINISHED}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_FINISHED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_FAST\_FINISHED} - & -\code{53} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_FAST\_REP} -\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:krb5-keyusage-fast-rep}\index{KRB5\_KEYUSAGE\_FAST\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REP:KRB5_KEYUSAGE_FAST_REP}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_REP}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_FAST\_REP} - & -\code{52} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:krb5-keyusage-fast-req-chksum}\index{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_FAST_REQ_CHKSUM:KRB5_KEYUSAGE_FAST_REQ_CHKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_FAST\_REQ\_CHKSUM} - & -\code{50} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC} -\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:krb5-keyusage-gss-tok-mic-data}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_MIC:KRB5_KEYUSAGE_GSS_TOK_MIC}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_GSS\_TOK\_MIC} - & -\code{22} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG} -\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:krb5-keyusage-gss-tok-wrap-integ-data}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_INTEG} - & -\code{23} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV} -\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:krb5-keyusage-gss-tok-wrap-priv}\index{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV:KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV}\pysigline{\bfcode{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_GSS\_TOK\_WRAP\_PRIV} - & -\code{24} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_IAKERB\_FINISHED} -\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:krb5-keyusage-iakerb-finished}\index{KRB5\_KEYUSAGE\_IAKERB\_FINISHED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_IAKERB_FINISHED:KRB5_KEYUSAGE_IAKERB_FINISHED}\pysigline{\bfcode{KRB5\_KEYUSAGE\_IAKERB\_FINISHED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_IAKERB\_FINISHED} - & -\code{42} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET} -\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:krb5-keyusage-kdc-rep-ticket}\index{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KDC_REP_TICKET:KRB5_KEYUSAGE_KDC_REP_TICKET}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_KDC\_REP\_TICKET} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART} -\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:krb5-keyusage-krb-cred-encpart}\index{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_CRED_ENCPART:KRB5_KEYUSAGE_KRB_CRED_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_KRB\_CRED\_ENCPART} - & -\code{14} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:krb5-keyusage-krb-error-cksum}\index{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_ERROR_CKSUM:KRB5_KEYUSAGE_KRB_ERROR_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_KRB\_ERROR\_CKSUM} - & -\code{18} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART} -\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:krb5-keyusage-krb-priv-encpart-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART::doc}\index{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_PRIV_ENCPART:KRB5_KEYUSAGE_KRB_PRIV_ENCPART}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_KRB\_PRIV\_ENCPART} - & -\code{13} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:krb5-keyusage-krb-safe-cksum}\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM::doc}\index{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_KRB_SAFE_CKSUM:KRB5_KEYUSAGE_KRB_SAFE_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_KRB\_SAFE\_CKSUM} - & -\code{15} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:krb5-keyusage-pa-fx-cookie-data}\index{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_FX_COOKIE:KRB5_KEYUSAGE_PA_FX_COOKIE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE}} -\end{fulllineitems} - - -Used for encrypted FAST cookies. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_FX\_COOKIE} - & -\code{513} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:krb5-keyusage-pa-otp-request-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST::doc}\index{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_OTP_REQUEST:KRB5_KEYUSAGE_PA_OTP_REQUEST}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST}} -\end{fulllineitems} - - -See RFC 6560 section 4.2. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_OTP\_REQUEST} - & -\code{45} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:krb5-keyusage-pa-pkinit-kx}\index{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_PKINIT_KX:KRB5_KEYUSAGE_PA_PKINIT_KX}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_PKINIT\_KX} - & -\code{44} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:krb5-keyusage-pa-s4u-x509-user-reply}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY::doc}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY:KRB5_KEYUSAGE_PA_S4U_X509_USER_REPLY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY}} -\end{fulllineitems} - - -Note conflict with \code{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} . - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} - & -\code{27} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:krb5-keyusage-pa-s4u-x509-user-request-data}\index{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST:KRB5_KEYUSAGE_PA_S4U_X509_USER_REQUEST}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST}} -\end{fulllineitems} - - -Note conflict with \code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} . - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} - & -\code{26} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:krb5-keyusage-pa-sam-challenge-cksum}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_CKSUM} - & -\code{25} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:krb5-keyusage-pa-sam-challenge-trackid-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID::doc}\index{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID:KRB5_KEYUSAGE_PA_SAM_CHALLENGE_TRACKID}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID}} -\end{fulllineitems} - - -Note conflict with \code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REQUEST} . - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_SAM\_CHALLENGE\_TRACKID} - & -\code{26} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} -\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:krb5-keyusage-pa-sam-response}\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE::doc}\index{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_PA_SAM_RESPONSE:KRB5_KEYUSAGE_PA_SAM_RESPONSE}\pysigline{\bfcode{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE}} -\end{fulllineitems} - - -Note conflict with \code{KRB5\_KEYUSAGE\_PA\_S4U\_X509\_USER\_REPLY} . - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_PA\_SAM\_RESPONSE} - & -\code{27} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:krb5-keyusage-tgs-rep-encpart-sesskey-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY::doc}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SESSKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SESSKEY} - & -\code{8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:krb5-keyusage-tgs-rep-encpart-subkey}\index{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY:KRB5_KEYUSAGE_TGS_REP_ENCPART_SUBKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REP\_ENCPART\_SUBKEY} - & -\code{9} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:krb5-keyusage-tgs-req-ad-sesskey-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SESSKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SESSKEY} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:krb5-keyusage-tgs-req-ad-subkey-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY:KRB5_KEYUSAGE_TGS_REQ_AD_SUBKEY}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AD\_SUBKEY} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:krb5-keyusage-tgs-req-auth-data}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH:KRB5_KEYUSAGE_TGS_REQ_AUTH}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM} -\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum-data}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM::doc}\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:krb5-keyusage-tgs-req-auth-cksum}\index{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM:KRB5_KEYUSAGE_TGS_REQ_AUTH_CKSUM}\pysigline{\bfcode{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KEYUSAGE\_TGS\_REQ\_AUTH\_CKSUM} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_ACCESSDENIED} -\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied}\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:krb5-kpasswd-accessdenied-data}\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED::doc}\index{KRB5\_KPASSWD\_ACCESSDENIED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_ACCESSDENIED:KRB5_KPASSWD_ACCESSDENIED}\pysigline{\bfcode{KRB5\_KPASSWD\_ACCESSDENIED}} -\end{fulllineitems} - - -Not authorized. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_ACCESSDENIED} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_AUTHERROR} -\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror-data}\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:krb5-kpasswd-autherror}\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR::doc}\index{KRB5\_KPASSWD\_AUTHERROR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_AUTHERROR:KRB5_KPASSWD_AUTHERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_AUTHERROR}} -\end{fulllineitems} - - -Authentication error. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_AUTHERROR} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_BAD\_VERSION} -\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version-data}\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:krb5-kpasswd-bad-version}\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION::doc}\index{KRB5\_KPASSWD\_BAD\_VERSION (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_BAD_VERSION:KRB5_KPASSWD_BAD_VERSION}\pysigline{\bfcode{KRB5\_KPASSWD\_BAD\_VERSION}} -\end{fulllineitems} - - -Unknown RPC version. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_BAD\_VERSION} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_HARDERROR} -\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror}\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:krb5-kpasswd-harderror-data}\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR::doc}\index{KRB5\_KPASSWD\_HARDERROR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_HARDERROR:KRB5_KPASSWD_HARDERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_HARDERROR}} -\end{fulllineitems} - - -Server error. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_HARDERROR} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED} -\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed}\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED::doc}\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:krb5-kpasswd-initial-flag-needed-data}\index{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_INITIAL_FLAG_NEEDED:KRB5_KPASSWD_INITIAL_FLAG_NEEDED}\pysigline{\bfcode{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED}} -\end{fulllineitems} - - -The presented credentials were not obtained using a password directly. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_INITIAL\_FLAG\_NEEDED} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_MALFORMED} -\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed-data}\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:krb5-kpasswd-malformed}\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED::doc}\index{KRB5\_KPASSWD\_MALFORMED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_MALFORMED:KRB5_KPASSWD_MALFORMED}\pysigline{\bfcode{KRB5\_KPASSWD\_MALFORMED}} -\end{fulllineitems} - - -Malformed request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_MALFORMED} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_SOFTERROR} -\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR::doc}\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror}\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:krb5-kpasswd-softerror-data}\index{KRB5\_KPASSWD\_SOFTERROR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_SOFTERROR:KRB5_KPASSWD_SOFTERROR}\pysigline{\bfcode{KRB5\_KPASSWD\_SOFTERROR}} -\end{fulllineitems} - - -Password change rejected. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_SOFTERROR} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_KPASSWD\_SUCCESS} -\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success-data}\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS::doc}\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:krb5-kpasswd-success}\index{KRB5\_KPASSWD\_SUCCESS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_KPASSWD_SUCCESS:KRB5_KPASSWD_SUCCESS}\pysigline{\bfcode{KRB5\_KPASSWD\_SUCCESS}} -\end{fulllineitems} - - -Success. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_KPASSWD\_SUCCESS} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME} -\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime}\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:krb5-lrq-all-acct-exptime-data}\index{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_ACCT_EXPTIME:KRB5_LRQ_ALL_ACCT_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_ACCT\_EXPTIME} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_LAST\_INITIAL} -\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:krb5-lrq-all-last-initial-data}\index{KRB5\_LRQ\_ALL\_LAST\_INITIAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_INITIAL:KRB5_LRQ_ALL_LAST_INITIAL}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_INITIAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_LAST\_INITIAL} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_LAST\_RENEWAL} -\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:krb5-lrq-all-last-renewal-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL::doc}\index{KRB5\_LRQ\_ALL\_LAST\_RENEWAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_RENEWAL:KRB5_LRQ_ALL_LAST_RENEWAL}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_RENEWAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_LAST\_RENEWAL} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_LAST\_REQ} -\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:krb5-lrq-all-last-req-data}\index{KRB5\_LRQ\_ALL\_LAST\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_REQ:KRB5_LRQ_ALL_LAST_REQ}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_REQ}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_LAST\_REQ} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT} -\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:krb5-lrq-all-last-tgt}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT::doc}\index{KRB5\_LRQ\_ALL\_LAST\_TGT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT:KRB5_LRQ_ALL_LAST_TGT}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_TGT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_LAST\_TGT} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED} -\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued}\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:krb5-lrq-all-last-tgt-issued-data}\index{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_LAST_TGT_ISSUED:KRB5_LRQ_ALL_LAST_TGT_ISSUED}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_LAST\_TGT\_ISSUED} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ALL\_PW\_EXPTIME} -\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime-data}\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:krb5-lrq-all-pw-exptime}\index{KRB5\_LRQ\_ALL\_PW\_EXPTIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ALL_PW_EXPTIME:KRB5_LRQ_ALL_PW_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ALL\_PW\_EXPTIME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ALL\_PW\_EXPTIME} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_NONE} -\label{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none-data}\label{appdev/refs/macros/KRB5_LRQ_NONE::doc}\label{appdev/refs/macros/KRB5_LRQ_NONE:krb5-lrq-none}\index{KRB5\_LRQ\_NONE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_NONE:KRB5_LRQ_NONE}\pysigline{\bfcode{KRB5\_LRQ\_NONE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_NONE} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME} -\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime}\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:krb5-lrq-one-acct-exptime-data}\index{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_ACCT_EXPTIME:KRB5_LRQ_ONE_ACCT_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_ACCT\_EXPTIME} - & -\code{(-7)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_LAST\_INITIAL} -\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:krb5-lrq-one-last-initial}\index{KRB5\_LRQ\_ONE\_LAST\_INITIAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_INITIAL:KRB5_LRQ_ONE_LAST_INITIAL}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_INITIAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_LAST\_INITIAL} - & -\code{(-2)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_LAST\_RENEWAL} -\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:krb5-lrq-one-last-renewal}\index{KRB5\_LRQ\_ONE\_LAST\_RENEWAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_RENEWAL:KRB5_LRQ_ONE_LAST_RENEWAL}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_RENEWAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_LAST\_RENEWAL} - & -\code{(-4)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_LAST\_REQ} -\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:krb5-lrq-one-last-req-data}\index{KRB5\_LRQ\_ONE\_LAST\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_REQ:KRB5_LRQ_ONE_LAST_REQ}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_REQ}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_LAST\_REQ} - & -\code{(-5)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT} -\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT::doc}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:krb5-lrq-one-last-tgt}\index{KRB5\_LRQ\_ONE\_LAST\_TGT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT:KRB5_LRQ_ONE_LAST_TGT}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_TGT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_LAST\_TGT} - & -\code{(-1)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED} -\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:krb5-lrq-one-last-tgt-issued-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED::doc}\index{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_LAST_TGT_ISSUED:KRB5_LRQ_ONE_LAST_TGT_ISSUED}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_LAST\_TGT\_ISSUED} - & -\code{(-3)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_LRQ\_ONE\_PW\_EXPTIME} -\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime}\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:krb5-lrq-one-pw-exptime-data}\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME::doc}\index{KRB5\_LRQ\_ONE\_PW\_EXPTIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_LRQ_ONE_PW_EXPTIME:KRB5_LRQ_ONE_PW_EXPTIME}\pysigline{\bfcode{KRB5\_LRQ\_ONE\_PW\_EXPTIME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_LRQ\_ONE\_PW\_EXPTIME} - & -\code{(-6)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_ENTERPRISE\_PRINCIPAL} -\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal-data}\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:krb5-nt-enterprise-principal}\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL::doc}\index{KRB5\_NT\_ENTERPRISE\_PRINCIPAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_ENTERPRISE_PRINCIPAL:KRB5_NT_ENTERPRISE_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_ENTERPRISE\_PRINCIPAL}} -\end{fulllineitems} - - -Windows 2000 UPN. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_ENTERPRISE\_PRINCIPAL} - & -\code{10} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID} -\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id-data}\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID::doc}\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:krb5-nt-ent-principal-and-id}\index{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_ENT_PRINCIPAL_AND_ID:KRB5_NT_ENT_PRINCIPAL_AND_ID}\pysigline{\bfcode{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID}} -\end{fulllineitems} - - -NT 4 style name and SID. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_ENT\_PRINCIPAL\_AND\_ID} - & -\code{-130} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_MS\_PRINCIPAL} -\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:krb5-nt-ms-principal-data}\index{KRB5\_NT\_MS\_PRINCIPAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL:KRB5_NT_MS_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_MS\_PRINCIPAL}} -\end{fulllineitems} - - -Windows 2000 UPN and SID. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_MS\_PRINCIPAL} - & -\code{-128} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID} -\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id-data}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID::doc}\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:krb5-nt-ms-principal-and-id}\index{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_MS_PRINCIPAL_AND_ID:KRB5_NT_MS_PRINCIPAL_AND_ID}\pysigline{\bfcode{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID}} -\end{fulllineitems} - - -NT 4 style name. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_MS\_PRINCIPAL\_AND\_ID} - & -\code{-129} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_PRINCIPAL} -\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal}\label{appdev/refs/macros/KRB5_NT_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:krb5-nt-principal-data}\index{KRB5\_NT\_PRINCIPAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_PRINCIPAL:KRB5_NT_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_PRINCIPAL}} -\end{fulllineitems} - - -Just the name of the principal as in DCE, or for users. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_PRINCIPAL} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_SMTP\_NAME} -\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name}\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:krb5-nt-smtp-name-data}\label{appdev/refs/macros/KRB5_NT_SMTP_NAME::doc}\index{KRB5\_NT\_SMTP\_NAME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_SMTP_NAME:KRB5_NT_SMTP_NAME}\pysigline{\bfcode{KRB5\_NT\_SMTP\_NAME}} -\end{fulllineitems} - - -Name in form of SMTP email name. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_SMTP\_NAME} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_SRV\_HST} -\label{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst-data}\label{appdev/refs/macros/KRB5_NT_SRV_HST::doc}\label{appdev/refs/macros/KRB5_NT_SRV_HST:krb5-nt-srv-hst}\index{KRB5\_NT\_SRV\_HST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_HST:KRB5_NT_SRV_HST}\pysigline{\bfcode{KRB5\_NT\_SRV\_HST}} -\end{fulllineitems} - - -Service with host name as instance (telnet, rcommands) - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_SRV\_HST} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_SRV\_INST} -\label{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst-data}\label{appdev/refs/macros/KRB5_NT_SRV_INST::doc}\label{appdev/refs/macros/KRB5_NT_SRV_INST:krb5-nt-srv-inst}\index{KRB5\_NT\_SRV\_INST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_INST:KRB5_NT_SRV_INST}\pysigline{\bfcode{KRB5\_NT\_SRV\_INST}} -\end{fulllineitems} - - -Service and other unique instance (krbtgt) - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_SRV\_INST} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_SRV\_XHST} -\label{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst}\label{appdev/refs/macros/KRB5_NT_SRV_XHST:krb5-nt-srv-xhst-data}\label{appdev/refs/macros/KRB5_NT_SRV_XHST::doc}\index{KRB5\_NT\_SRV\_XHST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_SRV_XHST:KRB5_NT_SRV_XHST}\pysigline{\bfcode{KRB5\_NT\_SRV\_XHST}} -\end{fulllineitems} - - -Service with host as remaining components. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_SRV\_XHST} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_UID} -\label{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid}\label{appdev/refs/macros/KRB5_NT_UID:krb5-nt-uid-data}\label{appdev/refs/macros/KRB5_NT_UID::doc}\index{KRB5\_NT\_UID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_UID:KRB5_NT_UID}\pysigline{\bfcode{KRB5\_NT\_UID}} -\end{fulllineitems} - - -Unique ID. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_UID} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_UNKNOWN} -\label{appdev/refs/macros/KRB5_NT_UNKNOWN::doc}\label{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown}\label{appdev/refs/macros/KRB5_NT_UNKNOWN:krb5-nt-unknown-data}\index{KRB5\_NT\_UNKNOWN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_UNKNOWN:KRB5_NT_UNKNOWN}\pysigline{\bfcode{KRB5\_NT\_UNKNOWN}} -\end{fulllineitems} - - -Name type not known. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_UNKNOWN} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_WELLKNOWN} -\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown-data}\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:krb5-nt-wellknown}\label{appdev/refs/macros/KRB5_NT_WELLKNOWN::doc}\index{KRB5\_NT\_WELLKNOWN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_WELLKNOWN:KRB5_NT_WELLKNOWN}\pysigline{\bfcode{KRB5\_NT\_WELLKNOWN}} -\end{fulllineitems} - - -Well-known (special) principal. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_WELLKNOWN} - & -\code{11} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_NT\_X500\_PRINCIPAL} -\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal-data}\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL::doc}\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:krb5-nt-x500-principal}\index{KRB5\_NT\_X500\_PRINCIPAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_NT_X500_PRINCIPAL:KRB5_NT_X500_PRINCIPAL}\pysigline{\bfcode{KRB5\_NT\_X500\_PRINCIPAL}} -\end{fulllineitems} - - -PKINIT. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_NT\_X500\_PRINCIPAL} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_CLIENT\_INFO} -\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info}\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:krb5-pac-client-info-data}\index{KRB5\_PAC\_CLIENT\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_CLIENT_INFO:KRB5_PAC_CLIENT_INFO}\pysigline{\bfcode{KRB5\_PAC\_CLIENT\_INFO}} -\end{fulllineitems} - - -Client name and ticket info. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_CLIENT\_INFO} - & -\code{10} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_CREDENTIALS\_INFO} -\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info}\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:krb5-pac-credentials-info-data}\index{KRB5\_PAC\_CREDENTIALS\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_CREDENTIALS_INFO:KRB5_PAC_CREDENTIALS_INFO}\pysigline{\bfcode{KRB5\_PAC\_CREDENTIALS\_INFO}} -\end{fulllineitems} - - -Credentials information. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_CREDENTIALS\_INFO} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_DELEGATION\_INFO} -\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info-data}\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:krb5-pac-delegation-info}\index{KRB5\_PAC\_DELEGATION\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_DELEGATION_INFO:KRB5_PAC_DELEGATION_INFO}\pysigline{\bfcode{KRB5\_PAC\_DELEGATION\_INFO}} -\end{fulllineitems} - - -Constrained delegation info. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_DELEGATION\_INFO} - & -\code{11} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_LOGON\_INFO} -\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info}\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:krb5-pac-logon-info-data}\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO::doc}\index{KRB5\_PAC\_LOGON\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_LOGON_INFO:KRB5_PAC_LOGON_INFO}\pysigline{\bfcode{KRB5\_PAC\_LOGON\_INFO}} -\end{fulllineitems} - - -Logon information. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_LOGON\_INFO} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_PRIVSVR\_CHECKSUM} -\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum-data}\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM::doc}\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:krb5-pac-privsvr-checksum}\index{KRB5\_PAC\_PRIVSVR\_CHECKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_PRIVSVR_CHECKSUM:KRB5_PAC_PRIVSVR_CHECKSUM}\pysigline{\bfcode{KRB5\_PAC\_PRIVSVR\_CHECKSUM}} -\end{fulllineitems} - - -KDC checksum. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_PRIVSVR\_CHECKSUM} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_SERVER\_CHECKSUM} -\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum-data}\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:krb5-pac-server-checksum}\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM::doc}\index{KRB5\_PAC\_SERVER\_CHECKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_SERVER_CHECKSUM:KRB5_PAC_SERVER_CHECKSUM}\pysigline{\bfcode{KRB5\_PAC\_SERVER\_CHECKSUM}} -\end{fulllineitems} - - -Server checksum. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_SERVER\_CHECKSUM} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PAC\_UPN\_DNS\_INFO} -\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info-data}\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO::doc}\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:krb5-pac-upn-dns-info}\index{KRB5\_PAC\_UPN\_DNS\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PAC_UPN_DNS_INFO:KRB5_PAC_UPN_DNS_INFO}\pysigline{\bfcode{KRB5\_PAC\_UPN\_DNS\_INFO}} -\end{fulllineitems} - - -User principal name and DNS info. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PAC\_UPN\_DNS\_INFO} - & -\code{12} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_AFS3\_SALT} -\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT::doc}\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt}\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:krb5-padata-afs3-salt-data}\index{KRB5\_PADATA\_AFS3\_SALT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AFS3_SALT:KRB5_PADATA_AFS3_SALT}\pysigline{\bfcode{KRB5\_PADATA\_AFS3\_SALT}} -\end{fulllineitems} - - -Cygnus. - -RFC 4120, 3961 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_AFS3\_SALT} - & -\code{10} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_AP\_REQ} -\label{appdev/refs/macros/KRB5_PADATA_AP_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req-data}\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:krb5-padata-ap-req}\index{KRB5\_PADATA\_AP\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AP_REQ:KRB5_PADATA_AP_REQ}\pysigline{\bfcode{KRB5\_PADATA\_AP\_REQ}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_AP\_REQ} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_AS\_CHECKSUM} -\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum}\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:krb5-padata-as-checksum-data}\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM::doc}\index{KRB5\_PADATA\_AS\_CHECKSUM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_AS_CHECKSUM:KRB5_PADATA_AS_CHECKSUM}\pysigline{\bfcode{KRB5\_PADATA\_AS\_CHECKSUM}} -\end{fulllineitems} - - -AS checksum. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_AS\_CHECKSUM} - & -\code{132} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE} -\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge-data}\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:krb5-padata-encrypted-challenge}\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE::doc}\index{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENCRYPTED_CHALLENGE:KRB5_PADATA_ENCRYPTED_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE}} -\end{fulllineitems} - - -RFC 6113. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ENCRYPTED\_CHALLENGE} - & -\code{138} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ENC\_SANDIA\_SECURID} -\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid-data}\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:krb5-padata-enc-sandia-securid}\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID::doc}\index{KRB5\_PADATA\_ENC\_SANDIA\_SECURID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_SANDIA_SECURID:KRB5_PADATA_ENC_SANDIA_SECURID}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_SANDIA\_SECURID}} -\end{fulllineitems} - - -SecurId passcode. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ENC\_SANDIA\_SECURID} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ENC\_TIMESTAMP} -\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP::doc}\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp}\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:krb5-padata-enc-timestamp-data}\index{KRB5\_PADATA\_ENC\_TIMESTAMP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_TIMESTAMP:KRB5_PADATA_ENC_TIMESTAMP}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_TIMESTAMP}} -\end{fulllineitems} - - -RFC 4120. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ENC\_TIMESTAMP} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ENC\_UNIX\_TIME} -\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time}\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:krb5-padata-enc-unix-time-data}\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME::doc}\index{KRB5\_PADATA\_ENC\_UNIX\_TIME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ENC_UNIX_TIME:KRB5_PADATA_ENC_UNIX_TIME}\pysigline{\bfcode{KRB5\_PADATA\_ENC\_UNIX\_TIME}} -\end{fulllineitems} - - -timestamp encrypted in key. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ENC\_UNIX\_TIME} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ETYPE\_INFO} -\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO::doc}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:krb5-padata-etype-info-data}\index{KRB5\_PADATA\_ETYPE\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO:KRB5_PADATA_ETYPE_INFO}\pysigline{\bfcode{KRB5\_PADATA\_ETYPE\_INFO}} -\end{fulllineitems} - - -Etype info for preauth. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ETYPE\_INFO} - & -\code{11} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_ETYPE\_INFO2} -\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2-data}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:krb5-padata-etype-info2}\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2::doc}\index{KRB5\_PADATA\_ETYPE\_INFO2 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_ETYPE_INFO2:KRB5_PADATA_ETYPE_INFO2}\pysigline{\bfcode{KRB5\_PADATA\_ETYPE\_INFO2}} -\end{fulllineitems} - - -RFC 4120. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_ETYPE\_INFO2} - & -\code{19} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_FOR\_USER} -\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user}\label{appdev/refs/macros/KRB5_PADATA_FOR_USER::doc}\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:krb5-padata-for-user-data}\index{KRB5\_PADATA\_FOR\_USER (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FOR_USER:KRB5_PADATA_FOR_USER}\pysigline{\bfcode{KRB5\_PADATA\_FOR\_USER}} -\end{fulllineitems} - - -username protocol transition request - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_FOR\_USER} - & -\code{129} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_FX\_COOKIE} -\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie}\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:krb5-padata-fx-cookie-data}\index{KRB5\_PADATA\_FX\_COOKIE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_COOKIE:KRB5_PADATA_FX_COOKIE}\pysigline{\bfcode{KRB5\_PADATA\_FX\_COOKIE}} -\end{fulllineitems} - - -RFC 6113. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_FX\_COOKIE} - & -\code{133} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_FX\_ERROR} -\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error}\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:krb5-padata-fx-error-data}\index{KRB5\_PADATA\_FX\_ERROR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_ERROR:KRB5_PADATA_FX_ERROR}\pysigline{\bfcode{KRB5\_PADATA\_FX\_ERROR}} -\end{fulllineitems} - - -RFC 6113. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_FX\_ERROR} - & -\code{137} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_FX\_FAST} -\label{appdev/refs/macros/KRB5_PADATA_FX_FAST::doc}\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast}\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:krb5-padata-fx-fast-data}\index{KRB5\_PADATA\_FX\_FAST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_FX_FAST:KRB5_PADATA_FX_FAST}\pysigline{\bfcode{KRB5\_PADATA\_FX\_FAST}} -\end{fulllineitems} - - -RFC 6113. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_FX\_FAST} - & -\code{136} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA} -\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data-data}\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA::doc}\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:krb5-padata-get-from-typed-data}\index{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_GET_FROM_TYPED_DATA:KRB5_PADATA_GET_FROM_TYPED_DATA}\pysigline{\bfcode{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA}} -\end{fulllineitems} - - -Embedded in typed data. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_GET\_FROM\_TYPED\_DATA} - & -\code{22} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_NONE} -\label{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none-data}\label{appdev/refs/macros/KRB5_PADATA_NONE:krb5-padata-none}\label{appdev/refs/macros/KRB5_PADATA_NONE::doc}\index{KRB5\_PADATA\_NONE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_NONE:KRB5_PADATA_NONE}\pysigline{\bfcode{KRB5\_PADATA\_NONE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_NONE} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_OSF\_DCE} -\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce}\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE::doc}\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:krb5-padata-osf-dce-data}\index{KRB5\_PADATA\_OSF\_DCE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OSF_DCE:KRB5_PADATA_OSF_DCE}\pysigline{\bfcode{KRB5\_PADATA\_OSF\_DCE}} -\end{fulllineitems} - - -OSF DCE. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_OSF\_DCE} - & -\code{8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_OTP\_CHALLENGE} -\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge}\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:krb5-padata-otp-challenge-data}\index{KRB5\_PADATA\_OTP\_CHALLENGE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_CHALLENGE:KRB5_PADATA_OTP_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_CHALLENGE}} -\end{fulllineitems} - - -RFC 6560 section 4.1. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_OTP\_CHALLENGE} - & -\code{141} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_OTP\_PIN\_CHANGE} -\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change}\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:krb5-padata-otp-pin-change-data}\index{KRB5\_PADATA\_OTP\_PIN\_CHANGE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_PIN_CHANGE:KRB5_PADATA_OTP_PIN_CHANGE}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_PIN\_CHANGE}} -\end{fulllineitems} - - -RFC 6560 section 4.3. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_OTP\_PIN\_CHANGE} - & -\code{144} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_OTP\_REQUEST} -\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request}\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST::doc}\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:krb5-padata-otp-request-data}\index{KRB5\_PADATA\_OTP\_REQUEST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_OTP_REQUEST:KRB5_PADATA_OTP_REQUEST}\pysigline{\bfcode{KRB5\_PADATA\_OTP\_REQUEST}} -\end{fulllineitems} - - -RFC 6560 section 4.2. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_OTP\_REQUEST} - & -\code{142} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PAC\_REQUEST} -\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request-data}\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:krb5-padata-pac-request}\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST::doc}\index{KRB5\_PADATA\_PAC\_REQUEST (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PAC_REQUEST:KRB5_PADATA_PAC_REQUEST}\pysigline{\bfcode{KRB5\_PADATA\_PAC\_REQUEST}} -\end{fulllineitems} - - -include Windows PAC - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PAC\_REQUEST} - & -\code{128} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PKINIT\_KX} -\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx}\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:krb5-padata-pkinit-kx-data}\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX::doc}\index{KRB5\_PADATA\_PKINIT\_KX (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PKINIT_KX:KRB5_PADATA_PKINIT_KX}\pysigline{\bfcode{KRB5\_PADATA\_PKINIT\_KX}} -\end{fulllineitems} - - -RFC 6112. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PKINIT\_KX} - & -\code{147} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PK\_AS\_REP} -\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:krb5-padata-pk-as-rep}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP::doc}\index{KRB5\_PADATA\_PK\_AS\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP:KRB5_PADATA_PK_AS_REP}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REP}} -\end{fulllineitems} - - -PKINIT. - -RFC 4556 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PK\_AS\_REP} - & -\code{17} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PK\_AS\_REP\_OLD} -\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD::doc}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:krb5-padata-pk-as-rep-old}\index{KRB5\_PADATA\_PK\_AS\_REP\_OLD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REP_OLD:KRB5_PADATA_PK_AS_REP_OLD}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REP\_OLD}} -\end{fulllineitems} - - -PKINIT. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PK\_AS\_REP\_OLD} - & -\code{15} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PK\_AS\_REQ} -\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:krb5-padata-pk-as-req-data}\index{KRB5\_PADATA\_PK\_AS\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ:KRB5_PADATA_PK_AS_REQ}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REQ}} -\end{fulllineitems} - - -PKINIT. - -RFC 4556 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PK\_AS\_REQ} - & -\code{16} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PK\_AS\_REQ\_OLD} -\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:krb5-padata-pk-as-req-old-data}\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD::doc}\index{KRB5\_PADATA\_PK\_AS\_REQ\_OLD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PK_AS_REQ_OLD:KRB5_PADATA_PK_AS_REQ_OLD}\pysigline{\bfcode{KRB5\_PADATA\_PK\_AS\_REQ\_OLD}} -\end{fulllineitems} - - -PKINIT. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PK\_AS\_REQ\_OLD} - & -\code{14} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_PW\_SALT} -\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt-data}\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:krb5-padata-pw-salt}\label{appdev/refs/macros/KRB5_PADATA_PW_SALT::doc}\index{KRB5\_PADATA\_PW\_SALT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_PW_SALT:KRB5_PADATA_PW_SALT}\pysigline{\bfcode{KRB5\_PADATA\_PW\_SALT}} -\end{fulllineitems} - - -RFC 4120. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_PW\_SALT} - & -\code{3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_REFERRAL} -\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral}\label{appdev/refs/macros/KRB5_PADATA_REFERRAL::doc}\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:krb5-padata-referral-data}\index{KRB5\_PADATA\_REFERRAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_REFERRAL:KRB5_PADATA_REFERRAL}\pysigline{\bfcode{KRB5\_PADATA\_REFERRAL}} -\end{fulllineitems} - - -draft referral system - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_REFERRAL} - & -\code{25} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_S4U\_X509\_USER} -\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user-data}\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER::doc}\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:krb5-padata-s4u-x509-user}\index{KRB5\_PADATA\_S4U\_X509\_USER (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_S4U_X509_USER:KRB5_PADATA_S4U_X509_USER}\pysigline{\bfcode{KRB5\_PADATA\_S4U\_X509\_USER}} -\end{fulllineitems} - - -certificate protocol transition request - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_S4U\_X509\_USER} - & -\code{130} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE} -\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:krb5-padata-sam-challenge}\index{KRB5\_PADATA\_SAM\_CHALLENGE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE:KRB5_PADATA_SAM_CHALLENGE}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_CHALLENGE}} -\end{fulllineitems} - - -SAM/OTP. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SAM\_CHALLENGE} - & -\code{12} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SAM\_CHALLENGE\_2} -\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:krb5-padata-sam-challenge-2}\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2::doc}\index{KRB5\_PADATA\_SAM\_CHALLENGE\_2 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_CHALLENGE_2:KRB5_PADATA_SAM_CHALLENGE_2}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_CHALLENGE\_2}} -\end{fulllineitems} - - -draft challenge system, updated - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SAM\_CHALLENGE\_2} - & -\code{30} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SAM\_REDIRECT} -\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:krb5-padata-sam-redirect}\index{KRB5\_PADATA\_SAM\_REDIRECT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_REDIRECT:KRB5_PADATA_SAM_REDIRECT}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_REDIRECT}} -\end{fulllineitems} - - -SAM/OTP. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SAM\_REDIRECT} - & -\code{21} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SAM\_RESPONSE} -\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response-data}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:krb5-padata-sam-response}\index{KRB5\_PADATA\_SAM\_RESPONSE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE:KRB5_PADATA_SAM_RESPONSE}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_RESPONSE}} -\end{fulllineitems} - - -SAM/OTP. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SAM\_RESPONSE} - & -\code{13} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SAM\_RESPONSE\_2} -\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2::doc}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2}\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:krb5-padata-sam-response-2-data}\index{KRB5\_PADATA\_SAM\_RESPONSE\_2 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SAM_RESPONSE_2:KRB5_PADATA_SAM_RESPONSE_2}\pysigline{\bfcode{KRB5\_PADATA\_SAM\_RESPONSE\_2}} -\end{fulllineitems} - - -draft challenge system, updated - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SAM\_RESPONSE\_2} - & -\code{31} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SESAME} -\label{appdev/refs/macros/KRB5_PADATA_SESAME::doc}\label{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame}\label{appdev/refs/macros/KRB5_PADATA_SESAME:krb5-padata-sesame-data}\index{KRB5\_PADATA\_SESAME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SESAME:KRB5_PADATA_SESAME}\pysigline{\bfcode{KRB5\_PADATA\_SESAME}} -\end{fulllineitems} - - -Sesame project. - -RFC 4120 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SESAME} - & -\code{7} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_SVR\_REFERRAL\_INFO} -\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO::doc}\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info}\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:krb5-padata-svr-referral-info-data}\index{KRB5\_PADATA\_SVR\_REFERRAL\_INFO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_SVR_REFERRAL_INFO:KRB5_PADATA_SVR_REFERRAL_INFO}\pysigline{\bfcode{KRB5\_PADATA\_SVR\_REFERRAL\_INFO}} -\end{fulllineitems} - - -Windows 2000 referrals. - -RFC 6820 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_SVR\_REFERRAL\_INFO} - & -\code{20} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_TGS\_REQ} -\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ::doc}\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req}\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:krb5-padata-tgs-req-data}\index{KRB5\_PADATA\_TGS\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_TGS_REQ:KRB5_PADATA_TGS_REQ}\pysigline{\bfcode{KRB5\_PADATA\_TGS\_REQ}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_TGS\_REQ} - & -\code{KRB5\_PADATA\_AP\_REQ} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO} -\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno}\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:krb5-padata-use-specified-kvno-data}\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO::doc}\index{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PADATA_USE_SPECIFIED_KVNO:KRB5_PADATA_USE_SPECIFIED_KVNO}\pysigline{\bfcode{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO}} -\end{fulllineitems} - - -RFC 4120. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PADATA\_USE\_SPECIFIED\_KVNO} - & -\code{20} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD} -\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:krb5-principal-compare-casefold}\index{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_CASEFOLD:KRB5_PRINCIPAL_COMPARE_CASEFOLD}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD}} -\end{fulllineitems} - - -case-insensitive - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_COMPARE\_CASEFOLD} - & -\code{4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE} -\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:krb5-principal-compare-enterprise-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE::doc}\index{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_ENTERPRISE:KRB5_PRINCIPAL_COMPARE_ENTERPRISE}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE}} -\end{fulllineitems} - - -UPNs as real principals. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_COMPARE\_ENTERPRISE} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM} -\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:krb5-principal-compare-ignore-realm-data}\index{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_IGNORE_REALM:KRB5_PRINCIPAL_COMPARE_IGNORE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM}} -\end{fulllineitems} - - -ignore realm component - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_COMPARE\_IGNORE\_REALM} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_COMPARE\_UTF8} -\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:krb5-principal-compare-utf8}\index{KRB5\_PRINCIPAL\_COMPARE\_UTF8 (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_COMPARE_UTF8:KRB5_PRINCIPAL_COMPARE_UTF8}\pysigline{\bfcode{KRB5\_PRINCIPAL\_COMPARE\_UTF8}} -\end{fulllineitems} - - -treat principals as UTF-8 - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_COMPARE\_UTF8} - & -\code{8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE} -\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:krb5-principal-parse-enterprise}\index{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_ENTERPRISE:KRB5_PRINCIPAL_PARSE_ENTERPRISE}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE}} -\end{fulllineitems} - - -Create single-component enterprise principle. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_PARSE\_ENTERPRISE} - & -\code{0x4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} -\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:krb5-principal-parse-ignore-realm-data}\index{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_IGNORE_REALM:KRB5_PRINCIPAL_PARSE_IGNORE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM}} -\end{fulllineitems} - - -Ignore realm if present. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_PARSE\_IGNORE\_REALM} - & -\code{0x8} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} -\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:krb5-principal-parse-no-realm}\index{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_NO_REALM:KRB5_PRINCIPAL_PARSE_NO_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM}} -\end{fulllineitems} - - -Error if realm is present. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_PARSE\_NO\_REALM} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM} -\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:krb5-principal-parse-require-realm-data}\index{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_PARSE_REQUIRE_REALM:KRB5_PRINCIPAL_PARSE_REQUIRE_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM}} -\end{fulllineitems} - - -Error if realm is not present. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_PARSE\_REQUIRE\_REALM} - & -\code{0x2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY} -\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:krb5-principal-unparse-display}\index{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_DISPLAY:KRB5_PRINCIPAL_UNPARSE_DISPLAY}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY}} -\end{fulllineitems} - - -Don't escape special characters. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_UNPARSE\_DISPLAY} - & -\code{0x4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM} -\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:krb5-principal-unparse-no-realm-data}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM::doc}\index{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_NO_REALM:KRB5_PRINCIPAL_UNPARSE_NO_REALM}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM}} -\end{fulllineitems} - - -Omit realm always. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_UNPARSE\_NO\_REALM} - & -\code{0x2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRINCIPAL\_UNPARSE\_SHORT} -\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT::doc}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short}\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:krb5-principal-unparse-short-data}\index{KRB5\_PRINCIPAL\_UNPARSE\_SHORT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRINCIPAL_UNPARSE_SHORT:KRB5_PRINCIPAL_UNPARSE_SHORT}\pysigline{\bfcode{KRB5\_PRINCIPAL\_UNPARSE\_SHORT}} -\end{fulllineitems} - - -Omit realm if it is the local realm. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRINCIPAL\_UNPARSE\_SHORT} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PRIV} -\label{appdev/refs/macros/KRB5_PRIV:krb5-priv-data}\label{appdev/refs/macros/KRB5_PRIV::doc}\label{appdev/refs/macros/KRB5_PRIV:krb5-priv}\index{KRB5\_PRIV (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PRIV:KRB5_PRIV}\pysigline{\bfcode{KRB5\_PRIV}} -\end{fulllineitems} - - -Private application message. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PRIV} - & -\code{((krb5\_msgtype)21)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD} -\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:krb5-prompt-type-new-password}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD::doc}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD:KRB5_PROMPT_TYPE_NEW_PASSWORD}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD}} -\end{fulllineitems} - - -Prompt for new password (during password change) - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD} - & -\code{0x2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN} -\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:krb5-prompt-type-new-password-again-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN::doc}\index{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN:KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN}} -\end{fulllineitems} - - -Prompt for new password again. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PROMPT\_TYPE\_NEW\_PASSWORD\_AGAIN} - & -\code{0x3} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PROMPT\_TYPE\_PASSWORD} -\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD::doc}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:krb5-prompt-type-password}\index{KRB5\_PROMPT\_TYPE\_PASSWORD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PASSWORD:KRB5_PROMPT_TYPE_PASSWORD}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_PASSWORD}} -\end{fulllineitems} - - -Prompt for password. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PROMPT\_TYPE\_PASSWORD} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PROMPT\_TYPE\_PREAUTH} -\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth-data}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH::doc}\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:krb5-prompt-type-preauth}\index{KRB5\_PROMPT\_TYPE\_PREAUTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PROMPT_TYPE_PREAUTH:KRB5_PROMPT_TYPE_PREAUTH}\pysigline{\bfcode{KRB5\_PROMPT\_TYPE\_PREAUTH}} -\end{fulllineitems} - - -Prompt for preauthentication data (such as an OTP value) - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PROMPT\_TYPE\_PREAUTH} - & -\code{0x4} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_PVNO} -\label{appdev/refs/macros/KRB5_PVNO:krb5-pvno-data}\label{appdev/refs/macros/KRB5_PVNO::doc}\label{appdev/refs/macros/KRB5_PVNO:krb5-pvno}\index{KRB5\_PVNO (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_PVNO:KRB5_PVNO}\pysigline{\bfcode{KRB5\_PVNO}} -\end{fulllineitems} - - -Protocol version number. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_PVNO} - & -\code{5} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_REALM\_BRANCH\_CHAR} -\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR::doc}\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char}\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:krb5-realm-branch-char-data}\index{KRB5\_REALM\_BRANCH\_CHAR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_REALM_BRANCH_CHAR:KRB5_REALM_BRANCH_CHAR}\pysigline{\bfcode{KRB5\_REALM\_BRANCH\_CHAR}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_REALM\_BRANCH\_CHAR} - & -\code{'.'} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RECVAUTH\_BADAUTHVERS} -\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers-data}\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:krb5-recvauth-badauthvers}\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS::doc}\index{KRB5\_RECVAUTH\_BADAUTHVERS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RECVAUTH_BADAUTHVERS:KRB5_RECVAUTH_BADAUTHVERS}\pysigline{\bfcode{KRB5\_RECVAUTH\_BADAUTHVERS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RECVAUTH\_BADAUTHVERS} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RECVAUTH\_SKIP\_VERSION} -\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version}\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:krb5-recvauth-skip-version-data}\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION::doc}\index{KRB5\_RECVAUTH\_SKIP\_VERSION (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RECVAUTH_SKIP_VERSION:KRB5_RECVAUTH_SKIP_VERSION}\pysigline{\bfcode{KRB5\_RECVAUTH\_SKIP\_VERSION}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RECVAUTH\_SKIP\_VERSION} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_REFERRAL\_REALM} -\label{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm-data}\label{appdev/refs/macros/KRB5_REFERRAL_REALM::doc}\label{appdev/refs/macros/KRB5_REFERRAL_REALM:krb5-referral-realm}\index{KRB5\_REFERRAL\_REALM (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_REFERRAL_REALM:KRB5_REFERRAL_REALM}\pysigline{\bfcode{KRB5\_REFERRAL\_REALM}} -\end{fulllineitems} - - -Constant for realm referrals. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_REFERRAL\_REALM} - & -\code{""} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW} -\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low-data}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:krb5-responder-pkinit-flags-token-user-pin-count-low}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_COUNT_LOW}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW}} -\end{fulllineitems} - - -This flag indicates that an incorrect PIN was supplied at least once since the last time the correct PIN was supplied. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_COUNT\_LOW} - & -\code{(1 \textless{}\textless{} 0)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY} -\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:krb5-responder-pkinit-flags-token-user-pin-final-try-data}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_FINAL_TRY}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY}} -\end{fulllineitems} - - -This flag indicates that supplying an incorrect PIN will cause the token to lock itself. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_FINAL\_TRY} - & -\code{(1 \textless{}\textless{} 1)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED} -\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED::doc}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked}\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:krb5-responder-pkinit-flags-token-user-pin-locked-data}\index{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED:KRB5_RESPONDER_PKINIT_FLAGS_TOKEN_USER_PIN_LOCKED}\pysigline{\bfcode{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED}} -\end{fulllineitems} - - -This flag indicates that the user PIN is locked, and you can't log in to the token with it. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_USER\_PIN\_LOCKED} - & -\code{(1 \textless{}\textless{} 2)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_QUESTION\_PKINIT} -\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:krb5-responder-question-pkinit-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT::doc}\index{KRB5\_RESPONDER\_QUESTION\_PKINIT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PKINIT:KRB5_RESPONDER_QUESTION_PKINIT}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_PKINIT}} -\end{fulllineitems} - - -PKINIT responder question. - -The PKINIT responder question is asked when the client needs a password that's being used to protect key information, and is formatted as a JSON object. A specific identity's flags value, if not zero, is the bitwise-OR of one or more of the KRB5\_RESPONDER\_PKINIT\_FLAGS\_TOKEN\_* flags defined below, and possibly other flags to be added later. Any resemblance to similarly-named CKF\_* values in the PKCS\#11 API should not be depended on. - -\emph{\{} - -\emph{identity \textless{}string\textgreater{} : flags \textless{}number\textgreater{},} - -\emph{...} - -\emph{\}} - -The answer to the question MUST be JSON formatted: - -\emph{\{} - -\emph{identity \textless{}string\textgreater{} : password \textless{}string\textgreater{},} - -\emph{...} - -\emph{\}} - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_QUESTION\_PKINIT} - & -\code{"pkinit"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:krb5-responder-otp-flags-collect-pin}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_PIN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN}} -\end{fulllineitems} - - -This flag indicates that the PIN value MUST be collected. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN} - & -\code{0x0002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:krb5-responder-otp-flags-collect-token}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN::doc}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN:KRB5_RESPONDER_OTP_FLAGS_COLLECT_TOKEN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN}} -\end{fulllineitems} - - -This flag indicates that the token value MUST be collected. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_TOKEN} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:krb5-responder-otp-flags-nextotp}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_NEXTOTP:KRB5_RESPONDER_OTP_FLAGS_NEXTOTP}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP}} -\end{fulllineitems} - - -This flag indicates that the token is now in re-synchronization mode with the server. - -The user is expected to reply with the next code displayed on the token. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FLAGS\_NEXTOTP} - & -\code{0x0004} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:krb5-responder-otp-flags-separate-pin-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN::doc}\index{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN:KRB5_RESPONDER_OTP_FLAGS_SEPARATE_PIN}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN}} -\end{fulllineitems} - - -This flag indicates that the PIN MUST be returned as a separate item. - -This flag only takes effect if KRB5\_RESPONDER\_OTP\_FLAGS\_COLLECT\_PIN is set. If this flag is not set, the responder may either concatenate PIN + token value and store it as ``value'' in the answer or it may return them separately. If they are returned separately, they will be concatenated internally. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FLAGS\_SEPARATE\_PIN} - & -\code{0x0008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:krb5-responder-otp-format-alphanumeric}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC::doc}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC:KRB5_RESPONDER_OTP_FORMAT_ALPHANUMERIC}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FORMAT\_ALPHANUMERIC} - & -\code{2} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:krb5-responder-otp-format-decimal}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_DECIMAL:KRB5_RESPONDER_OTP_FORMAT_DECIMAL}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL}} -\end{fulllineitems} - - -These format constants identify the format of the token value. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FORMAT\_DECIMAL} - & -\code{0} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL} -\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal-data}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL::doc}\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:krb5-responder-otp-format-hexadecimal}\index{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL:KRB5_RESPONDER_OTP_FORMAT_HEXADECIMAL}\pysigline{\bfcode{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_OTP\_FORMAT\_HEXADECIMAL} - & -\code{1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_QUESTION\_OTP} -\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:krb5-responder-question-otp-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP::doc}\index{KRB5\_RESPONDER\_QUESTION\_OTP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_OTP:KRB5_RESPONDER_QUESTION_OTP}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_OTP}} -\end{fulllineitems} - - -OTP responder question. - -The OTP responder question is asked when the KDC indicates that an OTP value is required in order to complete the authentication. The JSON format of the challenge is: - -\emph{\{} - -\emph{``service'': \textless{}string (optional)\textgreater{},} - -\emph{``tokenInfo'': {[}} - -\emph{\{} - -\emph{``flags'': \textless{}number\textgreater{},} - -\emph{``vendor'': \textless{}string (optional)\textgreater{},} - -\emph{``challenge'': \textless{}string (optional)\textgreater{},} - -\emph{``length'': \textless{}number (optional)\textgreater{},} - -\emph{``format'': \textless{}number (optional)\textgreater{},} - -\emph{``tokenID'': \textless{}string (optional)\textgreater{},} - -\emph{``algID'': \textless{}string (optional)\textgreater{},} - -\emph{\},} - -\emph{...} - -\emph{{]}} - -\emph{\}} - -The answer to the question MUST be JSON formatted: - -\emph{\{} - -\emph{``tokeninfo'': \textless{}number\textgreater{},} - -\emph{``value'': \textless{}string (optional)\textgreater{},} - -\emph{``pin'': \textless{}string (optional)\textgreater{},} - -\emph{\}} - -For more detail, please see RFC 6560. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_QUESTION\_OTP} - & -\code{"otp"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_RESPONDER\_QUESTION\_PASSWORD} -\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password-data}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:krb5-responder-question-password}\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD::doc}\index{KRB5\_RESPONDER\_QUESTION\_PASSWORD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_RESPONDER_QUESTION_PASSWORD:KRB5_RESPONDER_QUESTION_PASSWORD}\pysigline{\bfcode{KRB5\_RESPONDER\_QUESTION\_PASSWORD}} -\end{fulllineitems} - - -Long-term password responder question. - -This question is asked when the long-term password is needed. It has no challenge and the response is simply the password string. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_RESPONDER\_QUESTION\_PASSWORD} - & -\code{"password"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_SAFE} -\label{appdev/refs/macros/KRB5_SAFE:krb5-safe}\label{appdev/refs/macros/KRB5_SAFE::doc}\label{appdev/refs/macros/KRB5_SAFE:krb5-safe-data}\index{KRB5\_SAFE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_SAFE:KRB5_SAFE}\pysigline{\bfcode{KRB5\_SAFE}} -\end{fulllineitems} - - -Safe application message. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_SAFE} - & -\code{((krb5\_msgtype)20)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD} -\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad}\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:krb5-sam-must-pk-encrypt-sad-data}\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD::doc}\index{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_SAM_MUST_PK_ENCRYPT_SAD:KRB5_SAM_MUST_PK_ENCRYPT_SAD}\pysigline{\bfcode{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD}} -\end{fulllineitems} - - -currently must be zero - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_SAM\_MUST\_PK\_ENCRYPT\_SAD} - & -\code{0x20000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD} -\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad}\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD::doc}\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:krb5-sam-send-encrypted-sad-data}\index{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_SAM_SEND_ENCRYPTED_SAD:KRB5_SAM_SEND_ENCRYPTED_SAD}\pysigline{\bfcode{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_SAM\_SEND\_ENCRYPTED\_SAD} - & -\code{0x40000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_SAM\_USE\_SAD\_AS\_KEY} -\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY::doc}\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key}\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:krb5-sam-use-sad-as-key-data}\index{KRB5\_SAM\_USE\_SAD\_AS\_KEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_SAM_USE_SAD_AS_KEY:KRB5_SAM_USE_SAD_AS_KEY}\pysigline{\bfcode{KRB5\_SAM\_USE\_SAD\_AS\_KEY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_SAM\_USE\_SAD\_AS\_KEY} - & -\code{0x80000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_2ND\_TKT} -\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt-data}\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:krb5-tc-match-2nd-tkt}\index{KRB5\_TC\_MATCH\_2ND\_TKT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_2ND_TKT:KRB5_TC_MATCH_2ND_TKT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_2ND\_TKT}} -\end{fulllineitems} - - -The second ticket must match. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_2ND\_TKT} - & -\code{0x00000080} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_AUTHDATA} -\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata-data}\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:krb5-tc-match-authdata}\index{KRB5\_TC\_MATCH\_AUTHDATA (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_AUTHDATA:KRB5_TC_MATCH_AUTHDATA}\pysigline{\bfcode{KRB5\_TC\_MATCH\_AUTHDATA}} -\end{fulllineitems} - - -The authorization data must match. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_AUTHDATA} - & -\code{0x00000020} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_FLAGS} -\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:krb5-tc-match-flags-data}\index{KRB5\_TC\_MATCH\_FLAGS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS:KRB5_TC_MATCH_FLAGS}\pysigline{\bfcode{KRB5\_TC\_MATCH\_FLAGS}} -\end{fulllineitems} - - -All the flags set in the match credentials must be set. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_FLAGS} - & -\code{0x00000004} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_FLAGS\_EXACT} -\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:krb5-tc-match-flags-exact-data}\index{KRB5\_TC\_MATCH\_FLAGS\_EXACT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_FLAGS_EXACT:KRB5_TC_MATCH_FLAGS_EXACT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_FLAGS\_EXACT}} -\end{fulllineitems} - - -All the flags must match exactly. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_FLAGS\_EXACT} - & -\code{0x00000010} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_IS\_SKEY} -\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey}\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:krb5-tc-match-is-skey-data}\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY::doc}\index{KRB5\_TC\_MATCH\_IS\_SKEY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_IS_SKEY:KRB5_TC_MATCH_IS_SKEY}\pysigline{\bfcode{KRB5\_TC\_MATCH\_IS\_SKEY}} -\end{fulllineitems} - - -The is\_skey field must match exactly. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_IS\_SKEY} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_KTYPE} -\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype}\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:krb5-tc-match-ktype-data}\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE::doc}\index{KRB5\_TC\_MATCH\_KTYPE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_KTYPE:KRB5_TC_MATCH_KTYPE}\pysigline{\bfcode{KRB5\_TC\_MATCH\_KTYPE}} -\end{fulllineitems} - - -The encryption key type must match. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_KTYPE} - & -\code{0x00000100} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_SRV\_NAMEONLY} -\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly}\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:krb5-tc-match-srv-nameonly-data}\index{KRB5\_TC\_MATCH\_SRV\_NAMEONLY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_SRV_NAMEONLY:KRB5_TC_MATCH_SRV_NAMEONLY}\pysigline{\bfcode{KRB5\_TC\_MATCH\_SRV\_NAMEONLY}} -\end{fulllineitems} - - -Only the name portion of the principal name must match. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_SRV\_NAMEONLY} - & -\code{0x00000040} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_TIMES} -\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:krb5-tc-match-times-data}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES::doc}\index{KRB5\_TC\_MATCH\_TIMES (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES:KRB5_TC_MATCH_TIMES}\pysigline{\bfcode{KRB5\_TC\_MATCH\_TIMES}} -\end{fulllineitems} - - -The requested lifetime must be at least as great as the time specified. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_TIMES} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_MATCH\_TIMES\_EXACT} -\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact-data}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT::doc}\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:krb5-tc-match-times-exact}\index{KRB5\_TC\_MATCH\_TIMES\_EXACT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_MATCH_TIMES_EXACT:KRB5_TC_MATCH_TIMES_EXACT}\pysigline{\bfcode{KRB5\_TC\_MATCH\_TIMES\_EXACT}} -\end{fulllineitems} - - -All the time fields must match exactly. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_MATCH\_TIMES\_EXACT} - & -\code{0x00000008} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_NOTICKET} -\label{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket}\label{appdev/refs/macros/KRB5_TC_NOTICKET::doc}\label{appdev/refs/macros/KRB5_TC_NOTICKET:krb5-tc-noticket-data}\index{KRB5\_TC\_NOTICKET (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_NOTICKET:KRB5_TC_NOTICKET}\pysigline{\bfcode{KRB5\_TC\_NOTICKET}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_NOTICKET} - & -\code{0x00000002} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_OPENCLOSE} -\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose}\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:krb5-tc-openclose-data}\label{appdev/refs/macros/KRB5_TC_OPENCLOSE::doc}\index{KRB5\_TC\_OPENCLOSE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_OPENCLOSE:KRB5_TC_OPENCLOSE}\pysigline{\bfcode{KRB5\_TC\_OPENCLOSE}} -\end{fulllineitems} - - -Open and close the file for each cache operation. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_OPENCLOSE} - & -\code{0x00000001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TC\_SUPPORTED\_KTYPES} -\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes-data}\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES::doc}\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:krb5-tc-supported-ktypes}\index{KRB5\_TC\_SUPPORTED\_KTYPES (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TC_SUPPORTED_KTYPES:KRB5_TC_SUPPORTED_KTYPES}\pysigline{\bfcode{KRB5\_TC\_SUPPORTED\_KTYPES}} -\end{fulllineitems} - - -The supported key types must match. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TC\_SUPPORTED\_KTYPES} - & -\code{0x00000200} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TGS\_NAME} -\label{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name-data}\label{appdev/refs/macros/KRB5_TGS_NAME::doc}\label{appdev/refs/macros/KRB5_TGS_NAME:krb5-tgs-name}\index{KRB5\_TGS\_NAME (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TGS_NAME:KRB5_TGS_NAME}\pysigline{\bfcode{KRB5\_TGS\_NAME}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TGS\_NAME} - & -\code{"krbtgt"} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TGS\_NAME\_SIZE} -\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size}\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:krb5-tgs-name-size-data}\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE::doc}\index{KRB5\_TGS\_NAME\_SIZE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TGS_NAME_SIZE:KRB5_TGS_NAME_SIZE}\pysigline{\bfcode{KRB5\_TGS\_NAME\_SIZE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TGS\_NAME\_SIZE} - & -\code{6} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TGS\_REP} -\label{appdev/refs/macros/KRB5_TGS_REP::doc}\label{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep-data}\label{appdev/refs/macros/KRB5_TGS_REP:krb5-tgs-rep}\index{KRB5\_TGS\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TGS_REP:KRB5_TGS_REP}\pysigline{\bfcode{KRB5\_TGS\_REP}} -\end{fulllineitems} - - -Response to TGS request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TGS\_REP} - & -\code{((krb5\_msgtype)13)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TGS\_REQ} -\label{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req-data}\label{appdev/refs/macros/KRB5_TGS_REQ::doc}\label{appdev/refs/macros/KRB5_TGS_REQ:krb5-tgs-req}\index{KRB5\_TGS\_REQ (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TGS_REQ:KRB5_TGS_REQ}\pysigline{\bfcode{KRB5\_TGS\_REQ}} -\end{fulllineitems} - - -Ticket granting server request. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TGS\_REQ} - & -\code{((krb5\_msgtype)12)} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE} -\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue-data}\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE::doc}\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:krb5-tkt-creds-step-flag-continue}\index{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_TKT_CREDS_STEP_FLAG_CONTINUE:KRB5_TKT_CREDS_STEP_FLAG_CONTINUE}\pysigline{\bfcode{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE}} -\end{fulllineitems} - - -More responses needed. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_TKT\_CREDS\_STEP\_FLAG\_CONTINUE} - & -\code{0x1} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL} -\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail}\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL::doc}\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:krb5-verify-init-creds-opt-ap-req-nofail-data}\index{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL:KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL}\pysigline{\bfcode{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_VERIFY\_INIT\_CREDS\_OPT\_AP\_REQ\_NOFAIL} - & -\code{0x0001} -\\ -\hline\end{tabulary} - - - -\subsubsection{KRB5\_WELLKNOWN\_NAMESTR} -\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR::doc}\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr}\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:krb5-wellknown-namestr-data}\index{KRB5\_WELLKNOWN\_NAMESTR (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/KRB5_WELLKNOWN_NAMESTR:KRB5_WELLKNOWN_NAMESTR}\pysigline{\bfcode{KRB5\_WELLKNOWN\_NAMESTR}} -\end{fulllineitems} - - -First component of NT\_WELLKNOWN principals. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{KRB5\_WELLKNOWN\_NAMESTR} - & -\code{"WELLKNOWN"} -\\ -\hline\end{tabulary} - - - -\subsubsection{LR\_TYPE\_INTERPRETATION\_MASK} -\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask-data}\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:lr-type-interpretation-mask}\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK::doc}\index{LR\_TYPE\_INTERPRETATION\_MASK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/LR_TYPE_INTERPRETATION_MASK:LR_TYPE_INTERPRETATION_MASK}\pysigline{\bfcode{LR\_TYPE\_INTERPRETATION\_MASK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{LR\_TYPE\_INTERPRETATION\_MASK} - & -\code{0x7fff} -\\ -\hline\end{tabulary} - - - -\subsubsection{LR\_TYPE\_THIS\_SERVER\_ONLY} -\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only-data}\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:lr-type-this-server-only}\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY::doc}\index{LR\_TYPE\_THIS\_SERVER\_ONLY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/LR_TYPE_THIS_SERVER_ONLY:LR_TYPE_THIS_SERVER_ONLY}\pysigline{\bfcode{LR\_TYPE\_THIS\_SERVER\_ONLY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{LR\_TYPE\_THIS\_SERVER\_ONLY} - & -\code{0x8000} -\\ -\hline\end{tabulary} - - - -\subsubsection{MAX\_KEYTAB\_NAME\_LEN} -\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len-data}\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN::doc}\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:max-keytab-name-len}\index{MAX\_KEYTAB\_NAME\_LEN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/MAX_KEYTAB_NAME_LEN:MAX_KEYTAB_NAME_LEN}\pysigline{\bfcode{MAX\_KEYTAB\_NAME\_LEN}} -\end{fulllineitems} - - -Long enough for MAXPATHLEN + some extra. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{MAX\_KEYTAB\_NAME\_LEN} - & -\code{1100} -\\ -\hline\end{tabulary} - - - -\subsubsection{MSEC\_DIRBIT} -\label{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit}\label{appdev/refs/macros/MSEC_DIRBIT:msec-dirbit-data}\label{appdev/refs/macros/MSEC_DIRBIT::doc}\index{MSEC\_DIRBIT (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/MSEC_DIRBIT:MSEC_DIRBIT}\pysigline{\bfcode{MSEC\_DIRBIT}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{MSEC\_DIRBIT} - & -\code{0x8000} -\\ -\hline\end{tabulary} - - - -\subsubsection{MSEC\_VAL\_MASK} -\label{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask-data}\label{appdev/refs/macros/MSEC_VAL_MASK::doc}\label{appdev/refs/macros/MSEC_VAL_MASK:msec-val-mask}\index{MSEC\_VAL\_MASK (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/MSEC_VAL_MASK:MSEC_VAL_MASK}\pysigline{\bfcode{MSEC\_VAL\_MASK}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{MSEC\_VAL\_MASK} - & -\code{0x7fff} -\\ -\hline\end{tabulary} - - - -\subsubsection{SALT\_TYPE\_AFS\_LENGTH} -\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH::doc}\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length-data}\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:salt-type-afs-length}\index{SALT\_TYPE\_AFS\_LENGTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/SALT_TYPE_AFS_LENGTH:SALT_TYPE_AFS_LENGTH}\pysigline{\bfcode{SALT\_TYPE\_AFS\_LENGTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{SALT\_TYPE\_AFS\_LENGTH} - & -\code{UINT\_MAX} -\\ -\hline\end{tabulary} - - - -\subsubsection{SALT\_TYPE\_NO\_LENGTH} -\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length-data}\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH::doc}\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:salt-type-no-length}\index{SALT\_TYPE\_NO\_LENGTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/SALT_TYPE_NO_LENGTH:SALT_TYPE_NO_LENGTH}\pysigline{\bfcode{SALT\_TYPE\_NO\_LENGTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{SALT\_TYPE\_NO\_LENGTH} - & -\code{UINT\_MAX} -\\ -\hline\end{tabulary} - - - -\subsubsection{THREEPARAMOPEN} -\label{appdev/refs/macros/THREEPARAMOPEN:threeparamopen}\label{appdev/refs/macros/THREEPARAMOPEN:threeparamopen-data}\label{appdev/refs/macros/THREEPARAMOPEN::doc}\index{THREEPARAMOPEN (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/THREEPARAMOPEN:THREEPARAMOPEN}\pysigline{\bfcode{THREEPARAMOPEN}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{THREEPARAMOPEN (x, y, z)} - & -\code{open(x,y,z)} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_ANONYMOUS} -\label{appdev/refs/macros/TKT_FLG_ANONYMOUS::doc}\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous}\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:tkt-flg-anonymous-data}\index{TKT\_FLG\_ANONYMOUS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_ANONYMOUS:TKT_FLG_ANONYMOUS}\pysigline{\bfcode{TKT\_FLG\_ANONYMOUS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_ANONYMOUS} - & -\code{0x00008000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_ENC\_PA\_REP} -\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep}\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:tkt-flg-enc-pa-rep-data}\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP::doc}\index{TKT\_FLG\_ENC\_PA\_REP (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_ENC_PA_REP:TKT_FLG_ENC_PA_REP}\pysigline{\bfcode{TKT\_FLG\_ENC\_PA\_REP}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_ENC\_PA\_REP} - & -\code{0x00010000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_FORWARDABLE} -\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable-data}\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:tkt-flg-forwardable}\label{appdev/refs/macros/TKT_FLG_FORWARDABLE::doc}\index{TKT\_FLG\_FORWARDABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_FORWARDABLE:TKT_FLG_FORWARDABLE}\pysigline{\bfcode{TKT\_FLG\_FORWARDABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_FORWARDABLE} - & -\code{0x40000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_FORWARDED} -\label{appdev/refs/macros/TKT_FLG_FORWARDED::doc}\label{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded}\label{appdev/refs/macros/TKT_FLG_FORWARDED:tkt-flg-forwarded-data}\index{TKT\_FLG\_FORWARDED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_FORWARDED:TKT_FLG_FORWARDED}\pysigline{\bfcode{TKT\_FLG\_FORWARDED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_FORWARDED} - & -\code{0x20000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_HW\_AUTH} -\label{appdev/refs/macros/TKT_FLG_HW_AUTH::doc}\label{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth}\label{appdev/refs/macros/TKT_FLG_HW_AUTH:tkt-flg-hw-auth-data}\index{TKT\_FLG\_HW\_AUTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_HW_AUTH:TKT_FLG_HW_AUTH}\pysigline{\bfcode{TKT\_FLG\_HW\_AUTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_HW\_AUTH} - & -\code{0x00100000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_INITIAL} -\label{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial}\label{appdev/refs/macros/TKT_FLG_INITIAL::doc}\label{appdev/refs/macros/TKT_FLG_INITIAL:tkt-flg-initial-data}\index{TKT\_FLG\_INITIAL (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_INITIAL:TKT_FLG_INITIAL}\pysigline{\bfcode{TKT\_FLG\_INITIAL}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_INITIAL} - & -\code{0x00400000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_INVALID} -\label{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid-data}\label{appdev/refs/macros/TKT_FLG_INVALID::doc}\label{appdev/refs/macros/TKT_FLG_INVALID:tkt-flg-invalid}\index{TKT\_FLG\_INVALID (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_INVALID:TKT_FLG_INVALID}\pysigline{\bfcode{TKT\_FLG\_INVALID}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_INVALID} - & -\code{0x01000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_MAY\_POSTDATE} -\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate}\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE::doc}\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:tkt-flg-may-postdate-data}\index{TKT\_FLG\_MAY\_POSTDATE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_MAY_POSTDATE:TKT_FLG_MAY_POSTDATE}\pysigline{\bfcode{TKT\_FLG\_MAY\_POSTDATE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_MAY\_POSTDATE} - & -\code{0x04000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_OK\_AS\_DELEGATE} -\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate-data}\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:tkt-flg-ok-as-delegate}\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE::doc}\index{TKT\_FLG\_OK\_AS\_DELEGATE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_OK_AS_DELEGATE:TKT_FLG_OK_AS_DELEGATE}\pysigline{\bfcode{TKT\_FLG\_OK\_AS\_DELEGATE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_OK\_AS\_DELEGATE} - & -\code{0x00040000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_POSTDATED} -\label{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated}\label{appdev/refs/macros/TKT_FLG_POSTDATED::doc}\label{appdev/refs/macros/TKT_FLG_POSTDATED:tkt-flg-postdated-data}\index{TKT\_FLG\_POSTDATED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_POSTDATED:TKT_FLG_POSTDATED}\pysigline{\bfcode{TKT\_FLG\_POSTDATED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_POSTDATED} - & -\code{0x02000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_PRE\_AUTH} -\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth-data}\label{appdev/refs/macros/TKT_FLG_PRE_AUTH::doc}\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:tkt-flg-pre-auth}\index{TKT\_FLG\_PRE\_AUTH (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_PRE_AUTH:TKT_FLG_PRE_AUTH}\pysigline{\bfcode{TKT\_FLG\_PRE\_AUTH}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_PRE\_AUTH} - & -\code{0x00200000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_PROXIABLE} -\label{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable}\label{appdev/refs/macros/TKT_FLG_PROXIABLE:tkt-flg-proxiable-data}\label{appdev/refs/macros/TKT_FLG_PROXIABLE::doc}\index{TKT\_FLG\_PROXIABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_PROXIABLE:TKT_FLG_PROXIABLE}\pysigline{\bfcode{TKT\_FLG\_PROXIABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_PROXIABLE} - & -\code{0x10000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_PROXY} -\label{appdev/refs/macros/TKT_FLG_PROXY::doc}\label{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy}\label{appdev/refs/macros/TKT_FLG_PROXY:tkt-flg-proxy-data}\index{TKT\_FLG\_PROXY (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_PROXY:TKT_FLG_PROXY}\pysigline{\bfcode{TKT\_FLG\_PROXY}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_PROXY} - & -\code{0x08000000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_RENEWABLE} -\label{appdev/refs/macros/TKT_FLG_RENEWABLE::doc}\label{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable}\label{appdev/refs/macros/TKT_FLG_RENEWABLE:tkt-flg-renewable-data}\index{TKT\_FLG\_RENEWABLE (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_RENEWABLE:TKT_FLG_RENEWABLE}\pysigline{\bfcode{TKT\_FLG\_RENEWABLE}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_RENEWABLE} - & -\code{0x00800000} -\\ -\hline\end{tabulary} - - - -\subsubsection{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED} -\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED::doc}\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked}\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:tkt-flg-transit-policy-checked-data}\index{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/TKT_FLG_TRANSIT_POLICY_CHECKED:TKT_FLG_TRANSIT_POLICY_CHECKED}\pysigline{\bfcode{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{TKT\_FLG\_TRANSIT\_POLICY\_CHECKED} - & -\code{0x00080000} -\\ -\hline\end{tabulary} - - - -\subsubsection{VALID\_INT\_BITS} -\label{appdev/refs/macros/VALID_INT_BITS:valid-int-bits}\label{appdev/refs/macros/VALID_INT_BITS:valid-int-bits-data}\label{appdev/refs/macros/VALID_INT_BITS::doc}\index{VALID\_INT\_BITS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/VALID_INT_BITS:VALID_INT_BITS}\pysigline{\bfcode{VALID\_INT\_BITS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{VALID\_INT\_BITS} - & -\code{INT\_MAX} -\\ -\hline\end{tabulary} - - - -\subsubsection{VALID\_UINT\_BITS} -\label{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits}\label{appdev/refs/macros/VALID_UINT_BITS::doc}\label{appdev/refs/macros/VALID_UINT_BITS:valid-uint-bits-data}\index{VALID\_UINT\_BITS (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/VALID_UINT_BITS:VALID_UINT_BITS}\pysigline{\bfcode{VALID\_UINT\_BITS}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{VALID\_UINT\_BITS} - & -\code{UINT\_MAX} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_const} -\label{appdev/refs/macros/krb5_const:krb5-const}\label{appdev/refs/macros/krb5_const:krb5-const-data}\label{appdev/refs/macros/krb5_const::doc}\index{krb5\_const (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_const:krb5_const}\pysigline{\bfcode{krb5\_const}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_const} - & -\code{const} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_component} -\label{appdev/refs/macros/krb5_princ_component::doc}\label{appdev/refs/macros/krb5_princ_component:krb5-princ-component-data}\label{appdev/refs/macros/krb5_princ_component:krb5-princ-component}\index{krb5\_princ\_component (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_component:krb5_princ_component}\pysigline{\bfcode{krb5\_princ\_component}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_component (context, princ, i)} - & -\code{(((i) \textless{} krb5\_princ\_size(context, princ)) ? (princ)-\textgreater{}data + (i) : NULL)} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_name} -\label{appdev/refs/macros/krb5_princ_name:krb5-princ-name-data}\label{appdev/refs/macros/krb5_princ_name:krb5-princ-name}\label{appdev/refs/macros/krb5_princ_name::doc}\index{krb5\_princ\_name (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_name:krb5_princ_name}\pysigline{\bfcode{krb5\_princ\_name}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_name (context, princ)} - & -\code{(princ)-\textgreater{}data} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_realm} -\label{appdev/refs/macros/krb5_princ_realm::doc}\label{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm-data}\label{appdev/refs/macros/krb5_princ_realm:krb5-princ-realm}\index{krb5\_princ\_realm (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_realm:krb5_princ_realm}\pysigline{\bfcode{krb5\_princ\_realm}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_realm (context, princ)} - & -\code{(\&(princ)-\textgreater{}realm)} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_set\_realm} -\label{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm-data}\label{appdev/refs/macros/krb5_princ_set_realm::doc}\label{appdev/refs/macros/krb5_princ_set_realm:krb5-princ-set-realm}\index{krb5\_princ\_set\_realm (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm:krb5_princ_set_realm}\pysigline{\bfcode{krb5\_princ\_set\_realm}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_set\_realm (context, princ, value)} - & -\code{((princ)-\textgreater{}realm = *(value))} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_set\_realm\_data} -\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data-data}\label{appdev/refs/macros/krb5_princ_set_realm_data::doc}\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5-princ-set-realm-data}\index{krb5\_princ\_set\_realm\_data (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm_data:krb5_princ_set_realm_data}\pysigline{\bfcode{krb5\_princ\_set\_realm\_data}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_set\_realm\_data (context, princ, value)} - & -\code{(princ)-\textgreater{}realm.data = (value)} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_set\_realm\_length} -\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length-data}\label{appdev/refs/macros/krb5_princ_set_realm_length::doc}\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5-princ-set-realm-length}\index{krb5\_princ\_set\_realm\_length (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_set_realm_length:krb5_princ_set_realm_length}\pysigline{\bfcode{krb5\_princ\_set\_realm\_length}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_set\_realm\_length (context, princ, value)} - & -\code{(princ)-\textgreater{}realm.length = (value)} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_size} -\label{appdev/refs/macros/krb5_princ_size:krb5-princ-size-data}\label{appdev/refs/macros/krb5_princ_size::doc}\label{appdev/refs/macros/krb5_princ_size:krb5-princ-size}\index{krb5\_princ\_size (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_size:krb5_princ_size}\pysigline{\bfcode{krb5\_princ\_size}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_size (context, princ)} - & -\code{(princ)-\textgreater{}length} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_princ\_type} -\label{appdev/refs/macros/krb5_princ_type:krb5-princ-type}\label{appdev/refs/macros/krb5_princ_type:krb5-princ-type-data}\label{appdev/refs/macros/krb5_princ_type::doc}\index{krb5\_princ\_type (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_princ_type:krb5_princ_type}\pysigline{\bfcode{krb5\_princ\_type}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_princ\_type (context, princ)} - & -\code{(princ)-\textgreater{}type} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_roundup} -\label{appdev/refs/macros/krb5_roundup:krb5-roundup-data}\label{appdev/refs/macros/krb5_roundup:krb5-roundup}\label{appdev/refs/macros/krb5_roundup::doc}\index{krb5\_roundup (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_roundup:krb5_roundup}\pysigline{\bfcode{krb5\_roundup}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_roundup (x, y)} - & -\code{((((x) + (y) - 1)/(y))*(y))} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_x} -\label{appdev/refs/macros/krb5_x::doc}\label{appdev/refs/macros/krb5_x:krb5-x}\label{appdev/refs/macros/krb5_x:krb5-x-data}\index{krb5\_x (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_x:krb5_x}\pysigline{\bfcode{krb5\_x}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_x (ptr, args)} - & -\code{((ptr)?((*(ptr)) args):(abort(),1))} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb5\_xc} -\label{appdev/refs/macros/krb5_xc::doc}\label{appdev/refs/macros/krb5_xc:krb5-xc}\label{appdev/refs/macros/krb5_xc:krb5-xc-data}\index{krb5\_xc (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb5_xc:krb5_xc}\pysigline{\bfcode{krb5\_xc}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb5\_xc (ptr, args)} - & -\code{((ptr)?((*(ptr)) args):(abort(),(char*)0))} -\\ -\hline\end{tabulary} - - - -\subsection{Deprecated macros} -\label{appdev/refs/macros/index:deprecated-macros} - -\subsubsection{krb524\_convert\_creds\_kdc} -\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc-data}\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524-convert-creds-kdc}\label{appdev/refs/macros/krb524_convert_creds_kdc::doc}\index{krb524\_convert\_creds\_kdc (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb524_convert_creds_kdc:krb524_convert_creds_kdc}\pysigline{\bfcode{krb524\_convert\_creds\_kdc}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb524\_convert\_creds\_kdc} - & -\code{krb5\_524\_convert\_creds} -\\ -\hline\end{tabulary} - - - -\subsubsection{krb524\_init\_ets} -\label{appdev/refs/macros/krb524_init_ets:krb524-init-ets-data}\label{appdev/refs/macros/krb524_init_ets::doc}\label{appdev/refs/macros/krb524_init_ets:krb524-init-ets}\index{krb524\_init\_ets (built-in variable)} - -\begin{fulllineitems} -\phantomsection\label{appdev/refs/macros/krb524_init_ets:krb524_init_ets}\pysigline{\bfcode{krb524\_init\_ets}} -\end{fulllineitems} - - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -\code{krb524\_init\_ets (x)} - & -\code{(0)} -\\ -\hline\end{tabulary} - - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/pdf/basic.pdf b/doc/pdf/basic.pdf deleted file mode 100644 index b11e3af9702c582f967f62eea69f415004d34b6b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 138196 zcmb?@bwJch)V3hq3P{6(Qj)tYupptJbV*8gcY{bMB_W6)NQ2Vd-Q8UR(gI31lHZDQ zMdiNwz3=6pWn*T}?>uMDob#NSp_IBWzyM?fqfqt?G>)JE0n7k%Eh7LI7YdV@u9?1# z0RRGK0et&IVG=MjvC*{xFbSAw+UVZb)i&4BMd9H=v9__&)igzM7&Vm>H=kj~s$5WT zz01VvpK&-izy~92!Lo zRaM?a6yk!HF?^S#J^P``81Yl0S}zB4ywP5#qWtzG@ll45nrl?oYR+dnXXe=SPkxhJ z(cYMSR(N8uUPI`ItDV^|)U%kHXUqAG6Wts63e6VM_Z>-#5tEY?j)(W>XBTCKjO&jh zt89~Ji!AGloUChAmOLYdcPK1W54&S}qc+QkN=3T|3r|sPLzteG-pfO#)ewQxg1e4! zp9hOj1Fm3q1Q8TC8*w!p^Oi<}tRl5W2#u1ZZ*y%0pGc!W3aw~ghd(7gD?Td=R}=la zMH*sngA)_P@L_wt2sRHt0_LP1&G0LN9&};}`VF~@>DmDbHOShiQC4OsQI=8r91BA= zp|d⪼jIZ%4XCl-xvJi*p`elUaUACGBXBNk)I=xvIw%s?zvAN2tOkm`nV7gka?gY z6a5kIq$RbwxdwGw6@vOnL(vOCmcVOF0wYbOS-9{bp-!;d&8~k_o>1O(ArU&@Tuqs>MJs|#CBTov1c_~ zjhgTQ3$9t7F!iv`AUzlf=;4#k{k4okv9}wMRpWjeHE>SVzok{ zA3D%j4UyF@M(qg72JaAcM7Gyz2+$$Azt1EVL!(FJC+5K4&YR&S)uB6imyLTG-|2hW zaP1WM4)+uo27TM_d%E7>d-`VB_f%H>$lHbPgkPWh#9z01XR zk+#(2T%9>A9?ouAR_;Z%Gw(~nI%_WuH9J?YjqkA7EC;r{C3CKB3M7}8v|Yz*+h{LF z(KXZgKC7VrL1!ci=-bRh;o<@?$pDxH&1KC2O!oma+6I~y&^gHnqy<1{;`bl3e*ZBI zzm=|zu9=OYrU^h>Q`S@}V*Z{tZYo=-X@5%fF#>{=7fwkmVn2taL3*G#!7j8AQLz5r2$oeO2STAFytBgw1qx9sUuE{a;W~ zX8-y)($M(F&_?xwyJi3W7#G7PRtVeQhfT8W0no6iVu7v#@z#9J6yhyr-iliOf#ZiR>ctnRlsqnJW#Q*ySgkNlVBkPxn=Mr%yjha?MaWvucbLDXtz?z;@XCYCRuzeV-FvNI9f|m zV+gI%GHg;TtzL7^_sjR|98(^9-(JQguZHitk*sV|J})p>;V>&6JeEWwskQjoa${F% zSl@4)@3Eg}%StcFELY_kle~ZI4N}x{WmC_jN0#u4ug8ie^o!nyQ7?H)Gv3EfKOIFE-+a(ANceBWN zs^4)~qmr>U>kWC_WZkgA5`aamzFkRm+;uOxBog5UE~{MRl}GtEc4#*N3fLN(aX0&3 zB9hc6&)6~bis3R>!^Lc<_4PbxeFGjJg;T?El#$t2Sf-=ocJdVp&OvZ~xa_`Z)L86$ zP&hwUd;G}__=JeZ8u`UE3p&`#so*W5MYZC#PK4F*$dc%M5Z&|e<_Ul%nsd$0)Jku9 zoPwLTKa3NafSoBJI}6wojQhs>Z9(9@%yh!?MM3O|Q*FR#!h|{=gbnlesDb^v$GB*j z>`?Rm`+&aP>>V@Chb`Qg2Z>!2FLE7k$>FrJ#kIc0WF0gpqJ@woAW*!bKiHeqMpRMA zzw*I)l8F%-%@?!uZks=DTBC97O+En)JWe9DYhIjBT3l+sXTKnrN%Xb9Zlhy$;m>8%)JY;X-Yg=sP3%of zbi_rCxuKgl)O*{@-2n)qBXlo?lW|Cb!=9(#?dW6X=-?QjWwj{~iF+xL_<{g_=}zioB%o<{{TrON5Gb2%_3!lUd|IcnelrN-u8hDp8s!OD1pL zPzV2qxdYn!+Tq1aZq`hKPl|Hhy-s<}Kw`S%k@)(>r>1NvCK-GP9b~bt7Y(deE1fK( zs6@fbxcrQ{9N5?Uyz#X%u_#_Z;K^p+MrPGcJPDNz}=zF|V<`hoc{-IhCY0bb5Z z5JDH3NHYDFJDJ4j>ft*?%~SeWcy{GmhId4tmd>|nH*}!tdw=N2G*^n77(YltJ}BCM zMSX<&`Ll;u!?YU8jn%}dX*J(lK44%*^V1gB8Tmtzu=)q&cs9b&fjRlF4qh=+2z)ia+g2+H@RTqjBO?d?0`%a>;@ zPOfQ_9gdCl7cVb3EV6AxeHaexoXxr88vcyTd-b@lS$W_T(R06uNE+$0&R+LMtatKS zB%GiLCR;<(uc%Ptx90Y|;c{SnTN%9bR;@EMF+Ap@B*L)iOW9&!P9`(O zGS}kS!WiJFm^JS8+qfbcH%qRWz!PCcp_=Jd)QrEqu?$hT8rEU>l&;nf*5Tf=8+UF8 zdIPS7c*Pa7H@sJ}!)3ITv>FUHyNNUyMxMH}J);}w3&k(A>3Tz40zhC#KWRF=@o4`r z&aHKlPg(qg17fh59T!P;igIkUY2PEl-Y}KjS{-7!$pkd>s8)*$?QLi=L<2qshT?w_ zmq0s70tl!#U2~6&KPhcMb^Rc80-rm#*YJuLOZ162{THHn4==rA<&*T2o^cdc-JpKy z)6_v^8COpS(PP|$!n$gt6x~wSXLCWv+L_SiD-VaIUExnc59q>|bgLaR{1Q)4mJC|e z+aX_!w+&LO1=T~3xM!?Co5RakyO(kl7N$hXDEo17?1ZRUeNLsESHk0*%P_9Z*N}Lz z|BUM+G441uf>X&9PimazrI*Q1sR9niZ&ttSBK;CQSB%0DO)0<-hTT5?48M@L zJ9U{`;X1!7wexFZA9XBIE?dTUAM6tmZB^pK*VZc|<~R2rOHg_pSue_{IU{h1POq6d zZKWHo^q99gYt>}ValCd`+l*>EVIlzzy`AF;+me>A%YTVKo$Wuc({P<^@!^y_itECy zD)LY+V=W(ZpP=M}m8i$jT>X)e`g;BD;z^&jbRw#Rl0K<|#MP<#x8*?M)zEj&Ao0mt z{o6~>@5GY`WI>&A!G;LIVk{#%5#*9d1im^EwUqs6x}Z)e=!+lp9d$n%dAMFmu%Q=K zxZWe^J5x}n5@mmeEvR$!R)2=6l0WCE%B|9cIi>oKKIJD{0jrF&5Y@@edjNLe>eL4; z-fDsX@0)t9l00l?WK0f^jr31p;B5hsmpG2^vFp!{1N1#g{0nX^RMdQo8LfHk1ZN`t zu6>J^XdW)+1DICKIB)Kp8}(VKnRYOQcPw7ndeziCB78Fsj-VW8YTT*r&pq~zscvS;po1?2^S56$<;OW3?NQW6J)q^L)2em}?LBC-mT)0+P4Wpl zwyWT6l371#@!AtCs^GP1J-n#^ed#>B$zH*0!LzV7+b*NGt?k;D=u)a9P_5-<5AJ^M z?7SI8&}^(nTs?at=vsRmXi{<-#IOf#eH^G_d3tkr{Imsqk2fb~Ywz(}XmeD(=L({F zi*n-5#_^b}JDHxOJ=T+a<_4Xd@e6CrUD4IGJ*N?y8F71HXD9e3{x5PR5`~Wg79!;F zwfWgHN)O|*sirxoj;FBWcL@oMvLD9pM$iwa1$&Pg+oV+L;TdJq@~yB^4XDX@jv9ZK zauTl}HO9_L73W_mq!>`6gTCAzP>Y0qw7NZDwe&~RB*T;8PhG&hydJY@)|Ysc@5%Z_j{<_SJ%1aDR7&Pb)HCCZALFu9 zxpz7RXy2j31^D9AOr&8X+TQ7r7J9kwtfu5ApL6p)&*7)lCxRo-ERs_I?ZO&xbbdLb zbhm>Q9tfD}?kTJA=<9o*>N_7LP%U;r)|$q*;58Y7Q+vw0W|vyt*MFfYsn37RdAgNe z8G2B*T`lqXbJ0dlmj^z+p}SXRuK3k8cn&}&Fq_oKEPcFsuBu3u#7k)mE4_8v^z|gK z_v4@>E$o_mw=#)L-y}X?0^G-@obJ^NwRhy03ywf9Zn}|KJs@B#bSq-4tAQ=1AaKuc z?j+SVc!0eUNoVsCt$n8?&a@^Ag@9bPUU7UkF2JAH zD;6ms1!gIW1yIest5>vX;HQ6w0&+2yz7&cxA%21a@-?IVUqAt+V}6vjpirER4OPn@ zpg0@uydw6C&Ms;T$b7N?@1-*~sP6xEGOoPgwvN1u<>lnk_*%-MR5E~0yLqF*bBmm_ z5gy?di$L6!i2J8Jh{TVcJ-Ye8U?#i=skUYUwR>|l4~ZTIwiuyrjIP^ZF9-;Tw|RcG z0$wA_P1<6L8SlCvEEAmd*1=Y#z4cmW2I5-R-IoA7fDpV)b%*WUtY_#LF6EhgThTpi z^%Vi8+8*)lwiYI-&K@00<8@gCo)49pT(sVM++**Qv$^4bH`FNEbh?o&Jl6cQ@ln4gy# z9lxPvb<~^xBGwpRLiBZo5x#H+r@uCm^}K}GDNKj^5IJFutg>J~OBS}PlSw^|fbF$t z^8)K2I$j60`S(=lME5MqS~g#+7ZTSWMM!@t@V|a@2YcJrsl^HXG>$SMc(R)Im8t$d zW!n-v13I{}godp?G=?0saVIv`skZ2)p*fRCwS&)%L5?BBPkDwj+q;fMwx5o*gD4~U@A|k?$A!U) zFg{A*Nz~jS6z-5k(7CX&bJb=5@vvMGJ% zJ`r4wM6_EPdQVKfb_U)*Y)p0YfE55VB`5+{nf8f5H%iujpTj`ri+bp`5(rJ^zy1iw{H-G(^S7QZPWLl0&fUVdhdvV# zg-OO%%jRrR5i>M1Mq%PJx6;wII$JK7RhfjCgqir2zjn_IT{Wbkm9MXB0wXh28?0bf zMpkHb1<1<52!s&4nkdX}x)fNW_BQtabWo2Pz1an-j ztsioIE1&(4>&$NcTYWKeFtS0d63D^M2x8{|umT}aR9XL^uWu!&3vzw6kpD)m@74u| z>J0+L69{BuWP?^N!5nOi>>&0_lz&&{_W#MW}lNL&alfzFb*9#QIHLzXvz}M;8GG zGc!Vc5)cfXVQc^}D>Ea6gX2ReUl72*pBUW}do8w7z+|HaM(uKNpOJ4Z7w)QDg%#LZEtM0kbm#*)P}E z55ayl`fpLsf2%R*>|=qZ&|fvi3|)L!SfINEK!4KMuU7vp4Et{cJGU@qXjB8;cmj3v zEUc^m79a~F82CRf*5?}tE&_ScOF$FLZvpY2GfN=z#cBLo!^_kBZ*lXv5`N_QUqd10 zZ(%Hx0CW=z@N7%gS=Rp#1MpW_Kk$5S))|rTJ&*nR;os)5|D^qQ-=UVGJuP_pEdE(( z(6dyZn4s`dJ}X8An~bM?C{iP$wRgKm`uO6BGiVfQ8#-Wx7HHtC;jK74Ek2bKMAAO` ztQbKMPV15I)SnsH#{vdRBMCozKGf1N;E%rXO!*^W9sCt|SR$885)vpY^K10<3&Hd4 zA%9LtfM-Gf|3Ae8g!;`N!+nMEZ2Z5#|7^tHq5MJF{2gFWGU&(n-vNV$o{+x!JLp7gyqTX%Nd+RLbS+fOZqu?-y`BkcwtM~bCbRS6}-_ANcUeUtC5oW2>JD`B| zYt+h}M1_y^7SH)|a(ilRO#!y5R=}jsBG|VkP&bb@B3-f?KJxk$uNf?FcW`HLqY>M~ zSGC0xPbv-;2JQD0P93f;mc~+R=9TiAyj9s(q-PT*J)n5bzV~rH*nX>i=kRb0b8K?e zwP2BAQ#ZupIg>Q6P=g+x2ru5V9#=Vt11nOggbTR} zDKjaCpN0V#Wiic~G^phW?~vr-Y6DeO2}i%!5jDlE?v<@|ykff=6Cjs~?BphMf0?_V zFPliN5PafqBdhuvENA*<#g5v&!Ko*6RZf-HJa{BOXP*z4hr{qGzxSAZ46=)cauu!| zyRKV%D6O|imL!TYaotE4!9781Iy^w5{vkS8T0ai?2+t^G6j4o={s9@}v$dQ-1bE?b ziUe!7S6Z)^7me@=@BVH=4_#T&U?ZL(&nIqlsr}Hbw9oC9G;AyKWom&c#m2)cqkQ>g zGc|N~Oh?U&D7Fw_w-5H9EQtl|6LjA%bsWMt2ZtUcxHSs+nO3H$^p#L z(A21HtbwEXY%(Zp!Bt^|-dPrEnO0P`3@^uJ2A>1$AudoSHhe@-x3(+vAPkP1s089T$g3Q#pEa{sQwB$RwfkC!=O@LC=K5; zF5a7(Ha!xJ*v#1BOgsHY*UCXtR$%R}6X$O26qTT%2Mcib`=DZTBxIu24F)LdzL z=MJ_=P5bC0muj0lKVUBof3W}7U8od`7xob!bHR*8&RfY;Od3@9T(90Gkzy{M9XVxL zYC7XLMQOb>!0@|s8X?q3hG4>R+Tg2nETBY$Iij~Fb05e^#+{oh9pJVeFEev;0c}}T zn1}BVM+=DzRYOKb#&IRB6>#>2BkJ_ZKjmh1xYf$4@QtoMru_IIJ{GAMRqTrmsStd* z*nwtf7p`Tx3C=Z+5zWa*)3qbQ@Lm9QqE!u~&CKq^LF5h`=O%i$;8cv4x0V3@B)cg& zwmO8<45kjVl|!x@DP5X40kv2jhytfi`kE-H)zZn~GLWLj>Gkd3%!~0OYFDx5CmI-8 z(AY{e+1mEtA0Q_i0X0TjntcfRiqa`yQ%TXxWfrql(C&sP60>&W;?MeLVQP3hyj6>2 zyXHWQ$f{>raiwwf^__RCw_l+h=qYP)7GJxb%of1FNDz^IM3TnoGu)%q<5$BEWNhC zN97d}l)Z}4%Y(1=%Bb7G2F=T=XQCA+rDn)+86iC!aV>ndDU1R$I+5W+4ek*Hm~=Ie zh{Q4vX52jEt|%*wT|+<>z<*Gut@oa9$Xj<0!eOy?Ipfrv10;6Vf`IXx2BA+aYZX~C z!nZyR?1V~2Y2gd_*JhqRv6p=5c<3%_Tev1?UXF{TnTu3ukMDYoplyOOd&`=WM_6C80HBV zN7EHwDH>;B>%IlD^?iYKOcQGT8pZV!WMg2@LU7LH;NbX!?+0%fn+fe5w?aR$oZ^}o z{-&25M2ka&QkA&ns&74AHQCX<_;6pqOjCjORuSr+)n#!M52>O}%P`inK8RI(cSAd7 z4MjPBhQj{MmHFLpw}{m4jBBL{O=iu-;i=WVJ+OI_Bqr1>uh~Nj9I)kGvrB5@8=8_f z2Nd!{v%@3rDuy?E=GoC7h8NXk_Y5tSV;YavDfj|$VmO%r84vQJ99l<~u-sbT_&#wP zBH2+X(BZ$n%CTwHJIHD`X6=ETtGM1)vd-dhKTrMs1heE5g21S%(!)=?gQL#UylBmL zWPIET(Qph5ghRR1Uw*(9h|8-lou49l@KXI%X;Z387>pfkS`s_ln;dwA>1|xtDZd;z ztd!*?uVyxga=|dW!N+Uc^5#8eEB)>dvI;?BsN2{*&;4;7Q6tTiwfxMe^GnkK;BkHND@Y553C}M{%a%F&Qwr@0_ylZ%BSK79;@(JEqq-hPWVof*c(IQ>9a+-jw{ul=47)KMaBbaUQV{D6-j<(wva4%m)@Dt zTWQ}|#C6ZqB9hm!Zr^H@i3)ct5zaz>%#KOEBcZ=;sjRKrP_;6_@5P9^Fn6y)%E?M+ z_fkZ6+|i>no*SgRT--DCb1o0*)kOHU)b5s|d@7;rp)>&S;5-?4<=)3*0+h#La}9fqE)s~HPK>|MRrMXfjf5oRiPvU$jhviMFt-lS(D zR@hkM;aCDrL&VWDu22$b6s}1i@-g{z!|2BcQK7t?!_~=n$vc{XD5+7 zFYn0^KCDD^*WS@khPj1uz-Q{3B~qzWG~z13r-gKiOz@8Q3hwC&EbH)HtUXuco zxL8~G_M7v>;Qz+&fLNeh0JI?THRT4ffB+yUrvirZ(=1>p5ykR9Gd#aB17|Y-M{==q zKmat@_gE^;nVV+KMk2?#oK7hg||{CVHS*J=8D zLJx)(Z_fVyyz!z?@q_g^8;0widaikLbZZ&~?L+C+)PsC&Fl4-w|u(3(=s&WTg z>x~V*8sS<2tdBi`?he6Zj1$MCCMfu)X4w0;#n~|J1~sui!=0pe?lgAe!B`WBm7>=p z7Yi?X2aPsRtY5{&ZVocHH7n0>VMtX+GdPbfH)D&aYIo*$$_JM^@WrReiA@;IobEcKKFRv zlfiOT9Jtj3^`ZB*9Sc{f0I`BoBWyH)YkA8ni-FWB`4xwQ*s-lv)#l>zQDj21k}-(h z8H)>L-J=tq)eO;#d)871IjiM41*${A{%o4uR4Do}@LeS7`X%yns0<&o7|a=9~^SX&@q@wfJZ+{F<3=YeE8&=H7w4e z+uBz9v=5Ux`eNWh^9!|ujQkkmrKFX%EJS(-$J>4fHYJ7033a5A&pI(t4fcg{wfEX1 z%?&gvluF)939p5f-41_H?sk`&->U`+YV^mX>9i!zNDYo}mCX;#hR0t?S!wsZv5E2VqaqI&F=IYD^b>D@uJPSb zA@bGNT#ZG6b88NJcWL2RP8^=8Rtz;Fg)nNgf`#pd*}UPE0((x)1#I3Jk+pSISkQFD zsmo*Nm>yYFj?teoH?Ke44c7Y@Y%Z)J-eCQ%j14WP3hg@D7hr=1uh@1H{LMQ=6?G-t zf_N*`xpr}u9M7)$**8DD-5wOpZD1M%*U{%S5~wx(9OiD%eBHL9qV3iZj9lh17|S|v zAT~(1!g*&mIX%<2Vp6_`8RaMl*XhtU9Av;MWa#A zl6M9qWakio0(bPhFfQRqG+J%@C|A^sRn8k{l4g3^nqsykY70JV=kQ?3ZBa&&#){NK zdVSSap?zr&Yt!C)Q>VKCqi4;%z!f%ME?FHwW$}CtE~%j~CxdN8u`b2jU^G03Avv9P z#G6|A3Ztswq05gpBbs>IF7<91EQSZ7{3z@N&E>>+KFJ0UNcJrN z_rQJYij@QJrECSWM=;NjfTEv(u?f}c#pD`Vs!~e5;#Nm63dBd(46rHmj=|NeA7E+m zWWxu*;mrwGOidWoucU?wJQ_gJe2B`|`Z4Z-aLUB}#dIvtZ7i!~_!6@FJg@g@=_D;! zi|CVMTv7C|SP#5FMqZzMYqqYCf{Flmnm*#`F<*l_D|YjKKomn^+v>Q1_={Yny53|5 z&Zx91E_pHUWg-%4^vYNx7S%}3NeP6bM!VML7s1-Tn)a_NuvFqJCOb`{R7<-aqn5&I zWWGBkRk34rMxc>$M<*NGd|4Q1ERWV|O;~C>Bo{>QX_=8mpHz=@FEBda#Sn9HD*+cC zqG@Q6qJuy_ZEzbll3-~_Zdq;M8kJe|ETt=v1H!POv!KV;=+^HJyoNnbcc} zNo|R4*9%0k5Qc?Wx;QlgDA@gV2lPvFTjT4LN?=>8iZqLd3UXK!BiHb#(Rs{a(8JuB z;}WL3G@na`*u34;gTT}~%2`dMuU}uP;L;oPV;uv8h==SQ92_j2R@K^-=n&{}@VXCO z_rOL&O)-h6Vm)@xy%Gfp*J#w}VSW@NE`d%ctb>ykC(NIdz(8&jLh!yLpzp3ihTNt|a$X6b2Gel6%-} zVfM>=>m);S*d&jb3u2O!Dew50I-~lkv{d$&CcY>`%3!?pneRU8YXphJMGm>)o}TqK zKGl}O<F@y(dTtfFMwB)9RaoHuk~_dD61N~caUN6Jl&zQ1K7 z9T1_h_^4qg|4K-lf(%Ff&2q_)fsI}e{0d`BVy1@**?S9Pa=uYbuDkksufUEy%%lij9 zIypv9Q0q4^H0UPB^aEepv#03w8_?UvK|Upa?t4WMQXX@^MHbZWm1gg5^Ekq>U)F4I9_BfsH)yyd- zSB+b}n?Ad+sX&?bOx=`TFi@Gq@hC<++xbfZzui^?3kD@-(wmaHzMfW+(<91FN$wKZ zldvr1Ox?o8vYByP%hNuF)0l3r#eCQ4yjX@dLKM&IS{jcTMT*U%Haa=74yW^>H!mC{ zUx6>YuTi~ywBnZ^s;%A^3L>K(I)F<^NF_@*cmR(fJ(P%FwbOBX3pt@<$$~GCI)j)O z#1Mn~tic=Zb}rzh)%AGz3Fa83^<={cjB~Vt-jX&{yqU((e2sg@1cI5OgmU3$*(G+kofSKm2Vb z^HcTsLR#~8$qV?BYUI~c`frn$XxUb?G3X6KOLPt)SN!HBXzyaa2zyJb6qjXghShRC z8mVWd&#dprS>Wy5XdXHoM-YG4=KKaa^5gq(&KqW76AoRtzLptp_}bBDlr%_K5*~Ow z=;#IU)14~cO*CH~9dWx>JpoVNAHju|#N65iao4&HL|qNDpD_7!yg?Ik z^Et%_9WRvo?+Ui%_uzCbT)dIyEj`qfvaciK)+)uRPe=yZNMX_?xrJyXIbbK!ysu4OVC=6op>^bNtpJ6R{A9r7RdwS8YiyD*q0|hot&Xg)p+uYi z0w1xZgj5R!@zs(W19>lk8@fA^g!?JI+y^2$WDmJ$IqwKNO%@51x7#~!PmF-F#paiH z(v|m|Tap-kIW_uRThp5#;;HP^mJi4hs6fh#2)L@o%*M+K9Zk26mpX-wpM&Uc36c*& z<};GN3^ZE~Z6i0|_2Rk#sD&kcVbi8O-qt!Nc(c5FQa}0-Xdj`CyD{-W_9@`R+H5He z?k#c8LQ-?Xd}|pq1c^h6(;QCK9zDEiKP+Ud&R+%I5$*XiHQeE=_ub~9$L(hHRI2n! zN!0HOa5TOmo2xHb=|lJ+aV+LnfYq{g4m$4E3dD^AC_eE zMt3SRe4|~D=5M#}Ck&Ilw<@`O6zhp|7bDRd`Dqh>`-nC%J}@|FQC_b{o>hvX~+s;WPzTh_`Tt;w9uJ;&pkH?zy{sE2!>u^@>|36 zt6%d^GWV_PC_I*`>-12P)4aWK1w_!H?QNoNq@o=u6Y+(ylH zfAQpD(o3#o2PuzDa2lnj^iZ;P`+}j0&X*=`_M7^e1+?H)Qx(5tnkrA>SS&FKJ5CL^ zT>zW12jdsxyQb;a8MlUDqL})Zr&TLZDheyQ)fGMa=T1p>s8ep5qUlQP$>3)cj^gq} zcj{G|cgavxTc##bzuKuGAxq9q>UJ3`Xp0-)@_(`x(UW~2;UU%~VGH;om-da8{xxiY zl2lLz?BdBO;Mrw4e-2wNn=W7N?i`!1OXZmW=l1kJOqcWfdH&U&{%$FQZiM_X{<&>1 z|NVj8kBXwfQEXUMYuQsRvMV$~LR?nLW5&(zM~=PTw`aUQ zw?URWW#yHa(w&o;azFh@KPEL;rxrd*hao-v)|dHrE!$DyX9M!se0FMGP6h{yBbUYo znIf}U?}T-{j=AgNfX>~mgc{}^$i47-9*4eY3#ro^i(AB_rcFwdGblH5_X)Qyca5G{x$`8aTx zXS5zXR-Om4As>g~y{0K2Q}^6MF-pi*M&3{yTH)F+Fzfrwteiz9LS0EO9np6k1K>Fk zASd7O9@u7Fq$CReFWjUuQ3w!68`DdsG-w+Ko z5Yc#vQWO$KvjfAMsG2;;-8PIewZ8F2-*P}l_aU|*J20SMTYEw>&Z^g+z+TQVZW_|9 zQBakT&7jxW+Hou0fcx{SdBejijVAgzI;Ey>JJ$6d4Czc^c48?QK3j6fB5br!9s$$B z(zg+;_}g~ypsEh*jCG9MW^R(NQoWCuN!lY}EB}Pzc9}{)jR}qTAhUSs_8Yu9r8&B%N!8*fT2GORSO68I8L`Da8ssC>N=c$+uBeazLo0X;Xy*bE@MA>_)@9$pa96R z#i2W75OvgBY&~@Pq zUmUT$C5kQmOFWStYSe^&JYKLJr6~tHl^c(ijAj5m4Pm}92;isJLeukPhvipmcl+CN zl7iSgG&!)ZH4G_!DA2Os_J5w;ib3l(IV~i+jOmY_S_OkXhv(%unbj{!T>z>hOUrOX zaq_YwQof?>-yYOo*5$?n^lV0(b%94hXfR4y)$96n1*Ytk1QBfzfskJbCs|~`wctE$ zVJcsVaQ!7c@#y*T2VD2eovc<(vme~+)*!=rmBBOLt0+kRQrY9Ff~+pG+>@pUVV~?d zAOy$Fw&g`H?_k(elejc|oWASi2~V1*Cn>Tmik?5P7mjT+Xy{xlTXU;Mq5YweHTgb` zJ&epk`LKn=AiSV$%hhY^oD8o*)A*5+qi8EV@IaW`#Es!XUde=DTW6}4)arPqyoC}Gz|@b3TM_kl9?P3L6Ivqcth6;kcdy3W=^+3L*9i} z#D@>c{3JN!U3hcW4z@{AVomVc+-pdP`qd3sL=w`%G4`|p!;O^smC`1eIMwhY7^>@02}-c>gb)J zyZ}Q4sTd&=s|Y=yapXqel&u~XkMIUu1TKS}d3W&VO1iOnjJd{-_*20+=@MhD?pkth z#o65)7a!YQ$$k*!!m*j&2p{~i?440}v!!vJPJdFo?5q*}2gY@Cv)I%?_Q+xfv9ibc z1Kfu&TSr+VSDT)ZujQxFW2kQ3J2rSdo$LG-`4;TxSu5*eXy9nI zbtOM?X@95tNs1{;GNFA|_%QCIu0-`7*I2~IrNn0xZVKBAvAG0*lG>{d(%k$WV>oA)dOZbWR~eDZ&c)W*JQbCmhOtB$L!;!srkc;GL z;i5$g&tHwdQ_gD@{W|=Ryn?Mp8zCi`ju>OQ0NQy+rC+IJ-wVm-i3}pl`yDzTG^h4c zX{YC4J$qF^9LL;nZL6!~Qq8^G4eO&zgNJ(xlT|L85_Mt0caSZ@jnQV(A7Y|qBzYXX zY75R53%?4hCnrY~Wa_j^ciXmVnZR4LTg(^Rh!A=bpeo@N%1!OH8aEF7IL=Xstl;rU zjGo~_WuZm>lb8A{#249v~K!fuiO8FYk{n`+E`UD8Qu6*C$?%1N7(?JM=i< zrH^!pwQ2Lyr81DouZJR=z z^S~OqYyPj3u9rY_SRk6`-jOdm)%7U%byGoYO@lzsD zEh+A99cFC6zkr5lTH8txSy>Ld=dtT(=2zdR-5u8;*KZ2}MazFmc+}4S&TH8{ir8i7 z(+HcpT2-=YTI2vKf6^`ab_g!h!y}YnCc`%q?_Uj*E>%9FXJsqp^-Ow;0czzkE&_9hj3d5H@-zd7?vNte5jGd=$7LfFoZF#mC1(k0mz^llQ_;ui_rxaJAHbn_^2JNFBesljnN@Up6G>LNj_)kF3{hgFDpr}(r2eXR z;GVsGi<9+U&H$s23_JR}>a-6gr8F($&JiZpd2Md0t)8rIRht)At#MSF+24!cSTidQ zLgbvxt$GL^n_%?EzMjJ`2fAkIhmGC5Xr0J7A`z|fk-BqkvSP&eMS(j23`WRA5_pot zYpUs-*-g^D`l2n?A%S~SK@K-CHJojYG1Xss?8y%K{tkguZ@Ybuic~C9i2C89`6*L zPbh>t6tm1{-JsG#6C2YnrkRngjM_zxTDP{6~L7>3kYDwV0 z2k)o*MBQzAD7v#>8l9vnhUcFnCRp_WH=@$!u(jtWL|R@j_Nb-Jq`nJ5vy*!%>0~zb z)UQmFu+}_;lIW`C{xgSDm?!KpMS>y;)BY9MCf4fb;_Tw?QaO+0- zC!IU|$#-^l8($&AAvXkeEHmjJ*R#u^ABbq&4_cy}rBF3*o6p5wDmY?@tSh_mMz4Ut zH&Oe&r|?vh3zb@E4$bDN@q|`%B7S94Ac>}w>hOFbp|d$#{6p3hDvY$ph1&pTkMf+v zg@c@Xkl0%dTf$FxvRH!xjKhs;+WCaoPGa`1m7PehtE*{j+2T3HY{`EdtFewDMRyr} ziuUrYW8i&e*280aE?C)jTr@E2iJ7$!O)So86LutWn(gvLu{wBl#lGc}ydvcN)ckGntBuA3wqV78_tn_R-^zTwf*_gib4lOwv zFoI`Dx#I9@QcAZ6Wp9Bx5yzVq5_<( zZufAi$ordM7CeTq6e1;PdBl2cKMAEZ?Y~=lCBIs6Sr!E2`FPPYZVcnbjgJ*>&Nz#* zDzxG?SVIa_`64yLw42uEHo2>UHu1*|wfTh^`P<|at*x+2C5Z}niVi`=+i&R*TS;de zX*Hu-O;1eH(_592zBPc~-O;s>Yrn z=p}r?W9T7uGgFi zy;=x*L~XEoU4E^*@YLaG%E69?oy`oy*YA~sb+CN2$X}rbNe!W~axZW*!Yh|*p@F`{ zqM#yDyu!MR7kVtUDU6jQ@qjCk5=jRQ#+_|Ji-?7oVurWDu(GcK}6*}RfGD3+> zO9`JjwGd?=aR zRhD^)Nx#tI)8jxUc-S1Qozps4(UiUs8;9o5X_cPDV0fFZ+OjtkTpx88xQOWh$v%|3 z^+6IOS*xdQ#88-$oT5yMFGRhoTuk1*5hk66u|}-GNK(TOzP) zxI;mm=V{^6H2H2zs{`atG-}@@mhx@6I*1tfj28*M%LKBlt%DjLehzS5Z)-yfmMj~8 zB6pmehk(6P3t0)ep^=-IU+3awz6M*hzm&=mJ@pjyMe2)A^pQ;udxkb!Sen8i#n1Sm za#l?-ruL$3c5jtvqj$2mWt*$WPm<#`!NTGUpuWrm`&EX}tQeIc&dY6)kME8uFYzR)Awq~iyIL+MZl)e%XIfus9=UTNYAgE9{v1v<=1`w3Oy z+e7T|c7zoeijEFngr!{6X9?++j7}repz)znb^M)a8b`7-I9-f{cFC^(G}D<(DY`wu zrz5-lrqB&wo7AB)>N>)c$*pS>Hy<0>vn^0zm#5WzvgD{!J-XxBWc4t7NmS^=XqCjQTKv0shI|##?uOVaR1(69DWYEzRr_Q3P^<8?cC2xDqnnm{ zy?Mtnn>#zYmU=ti)MpH|dS|Q3i7Oug)DOAh{s&~9*gFnY4Fe8BH=U88GKJ zU&XHQHAweLQ2YACIaG^i-zIDx93|L#V0deud8!BqSQ_caZz=S^)C9MFqadNlB#hH< zG>*z{?{i6IBXB(86r_bZS7ZL}sfXb+CJ8AXor$_-f|3PgIb>(#QEB z4Rhr)C{&+8_-ztcuMKMzo8t)1)Ok5PwmS`;1q${Xf7mDD%cq6H=)w)fP9#X-JoxF5nZ=f1>MN$ylSB7U3h8Vq7GNKCv7Qw}u>LDO9@v>x_l z6o`PE4m6Uc-oV?ZF6Q=-(xgzuB~7@53@S{GmCc#POXj({K6O5Li!BZFB1aw8m;w0dWda9~JqNr=#vV0PR0N zF$aIa^1sy^!UA|~&jq-gWM^Rku)=^x_bluWZ}8axPXO5dgNlwv?GFEVk??2_;3p>O z2VB3?yTn8ckWK;UY4}U;5*vVtX9h^A1Jxuj0p(Yi0E(D6I05<`xEKH`paA)PsB&Ti zYI0%}=Hp`o_MB1p!9WV53ZvRHX`rJrcXG1hVPtf&wY7F+urP5lWw3QHV>EZNv1W8I zHDY51JRSi4Ap0ToLeI=Z4Pc3WdMCi~?>syJihl{>|L2RYU*w2@hX%it`~B(7KLlR> ztqf2x5C_vgs1A^$bDsN(sRRWsZP zUmrZ>_RpmCC#nrn#*jBJbCJRXG1<(e3uob&N2`&=qzKo;QTrXgB%?5Tx}m?)k&#)Q zklu=5Qx zitT?sBcW@1_PLHhHqpP%9aKm`CWAETG_M=W%0MzqnHCwn63mH^lR%G1u4YQ@^`cYMJbD-x4baTcgmC}lHP3X|-Ww%MJrF(N%` zY)793m*SO_G!sPCPq|EC>ylM%qv%(4yB}{Ds4Z54Z<-b!)$^*pJrpQ&kW! z?K$zT5j1?7C)Bql^ko(;yj4}2==)ciYY4_6>5Pa#Mq$pBo`40PIw|&om%2{-Iv*YM zy5*z1*Xw+siWdY2jOs2cz2nkAXjc zRluP>_KFp!{LTcTav3e6C!R@Zv5*VL(^CGJjx0jKL)T~DPF$`|EwmxYDpWrP_AyT(No||_afdNBO zu|cZxULMaJI%%FHo@kod5HU~(SsCJZW%Lqk3?BSFPwm1uXTo+9^ir96Q@gAe zTynv+fAY&PZ# z{*mLT0Oscq2|O2SdO4I!IYGV8#oF?=Q?*vp;H)$~za6k~;VEK^6IUe%MjAx4w3#Sm zlH$P#`_xFg1O9EnjC5@milb8i%}ovM|)TqUbwm;KazSu%IZ2 z$F#N409-6HVV^3hUdX}A2&T`+I+1Tz!zJ6sq*$=yEiU;9zsT!?jtXH$IeUhug!tj~ zOsj@>gr$jc(nEEtOYX#_5uM#^wZkt2WTcspzTX^+Xd|&`cYq07-p>5&xVtCjyL*(G ziOCvHgmE-1$!oSNaw(?jjZ8_+Whj0mn0CW8*(&0l*=7Ge^Nt6^>Z>@nfKssMg#Lymda%FqxS9N(CVJQbemxX@Fz55Xx>xzd zdT?KisH)bKDD%Bxe895UBe|^Q5PUna+?-}r5rI| z{1arv>J(CzXtX9qgTGJgB>BAGzti&8YC^Ch(WE%}vI<||hVs;+yAnC1`Tq6*ME7fH zS^8(Swoth{{Y{4V(j!?Q8DZhlmFFL{ED2k@+?wRZa>5T58(TyL^BZAk`(!Z4(GEnV zD@sZs-^q2Y8h6vj5^*cyy=XvD43HexC=jmLzL0HOC0n>c$QXZL&c134o##quo+L8( z&BBTz4~n;bHWp=S*`mRcYoAhk)p;C=UK7^$#(I68vE2JP&EXyVg(c_yG)rIYRR%VR zZuF@bOaX@44HMLLP)OlIriC@4LCsqo6AD@VYB67;spp&#)icCMYgdzQbp_m{RyHJ5 zv5@7j`<$bwzNx)ldG~oG-vm*YqOE6XZs<$t&UTc}5vq4*gv009^_g%^-B+UTsIVE& zq&GjPH`HGh45dkXqZUQjT)*rjZcH|b+6`*K{MZ&xk#hbrZz^S8v=Ihg7o1+!oi59& zxO8XtUBRKv{6!$)-X?hE>$8Q+vF&&n_@cT>kd84ANf{i@$kc<`A#q6s(^u5NLPSI6 zwrZrSsrD%u6|X~C2+?mvd0yr*m;~|UGpuo9JEP~f?KEe41qV?;?Kiv5$Dh81NbZPv z2G^FPqf>}p4@({oC6~1Hz8GvkfFA?AKdIbvdXBm(g!_8gbOB8a{gHr zlvf9d;K?>yEnG0_VL|aO*UHq$sU;!w_wPetvxYXo8N^k7r^%yN^>5g`MZNK_!DUqE znu+$Rc&3Ea-fm3Vi6m=!;C`bU99A373)~XjsO<{jbFqnmPI)(2|FL(ES1@+@I;L5) zB_=hxdecK>>SjlR#a?}hh;kTK^DsQDr%!*&{utRK%|PA|IuksrR^j}(HsHJ^#t#{B zicJoOv4hDya_d|ESyI(Imtg)em@MkUC#f7nHZZ>Y030o86C8Rjhe zvOdLGrivA}<4jeH8UKCJK+LC}dHJ2`JBCeIB!mnLOFLo(1Vkq+y~-!K=iznZ9bHTI zTIyFT;&CU@pjfVm=I#!kiZZuuPX}0<5mE$XGh7`ny*PKKMO2U%s>qiL;uJgBNMB6{ zpKbFdW15RlOR>>H+_spP!qS2ji^&Qqo$#WF9F`-!20`EG7BmcO(?oc|pV0bx7x1QPZAJg(=h74FCf-m7OF}oZs-^FHctd<+)Jxb zqznYF?N2v=h$vpbB`|WJ=Y1%>4Yl>8 zr+}cAQixbF`94e+C?dL~+jsIifgx`6m}hxfgXXR-0{#TZd|?*oQ77FZtp+n9HxNBb z;gV>$A==OTvGTQ37rkNK3@)ZPY5k;crM)v1x%U8(unG%zpeeGW0SIG(qznO6lCI$XyisxY@ zf1PoE>G}Wfr$GOlalfeK2hN(+bipqwtRJTZ6X5jW;qMQw zfwgQ@=D3jWhRP4W78)0zcqFCSe#N+QQ0W&gBZ_3tD ztN}O@Za~sOq(2I*ec6x{OJ1IKvrrzxhlZt{nAWUm(l@1Lqb{t2m^*6n`$ssN7#mE{ zS;{bTX;#cBjAP3ohTOHUe9aK2hS*W4lb;0MFL^=uj)goBWPJ|Pu3Jb=SRZsDYaygni%_BoOf&pcvA8R>kG3t{^3aNNn44lksUrzdLW{AOHdOpDMj+q@8JWV{wkrmHQU)JUy;dOgI$ zUJ5G4)Dp5;Dy$?%eb9qz5axs;mp=FEdnlxyO`Nu)d}_;-Yt^k^Pp1(hKb6L;tQt2( zQ)CX(bh}RRhczF^BWww?(*i?Z7&&pQ4)ZdQeYPRC_UwxOmMG4T5qaV^*~qSrXxBWG zCphfFB(-$vav>`dJYivOJsd*<#OJTZ!Lqm@&J8cU;Xxoa)6mf*)J@r5$;{;`*K&(< zyD!j0bd2qc9fL1WL@J}Fa!n5@XlXFAFQO#TscTOMa`>f*3@OPeYOhJdRIf+!xh5-F z9k)|AqH>fG=rO;RI0k#I%n2c765{gO4iO?!n=PPpy_TE?$v47*1DUg_izbXSiUK=> zA${e;$Irc*Z9Ja{@J5GMrunl1Y0Fa9wx5=C*+GyWRL>H8GSec<-)S?p1b0MD_KCiq z9$Hs0M|1@@b^}#uUe0USROWAsZY_cK4g01)qY zU`E|_{$AK+=#*|~(5|Jic-%QwC$|ti5U}ZNNqO^%K`~F}6Wnop7Q3mH5E!PpK*o*3 zW@@Gp_!W}EdR<63E7H$sstFts7i)vVdio8vB?ix|v|QW!!{O5izDMi$@wu`(hP<`X z3EC4zy+j^niEi}jzkFSSaBL){)HaW5cDIOG5;X2y=~T4OGZSQ)LetHd(QkL$p3;J{ zI~llHCa?4MuDa)C=11c;oHVyvI9BTnC}a}Y0|#6^eShz+$M8tv%9~lYU%2;! zg$9U+ax6Bs3F^u{-Ah+3(;Fm8t)J&rmC7Xh*^W~&=fklkYg-Fo&xiWd%)GGZ35yMQ zl`P+a5W%xgz-z9G$BpzPS3Rdf@ywt(=tA->2~Ov@xkrQ3Cu{k3bQUUl=PwG9YTsb6 zKWW}XuOC#YauknrTbaG>+P-5CLX;sUesRZyg&0!c;gc-O{5t&7Sr|hZLMPulDEupS zn;lIy3qA(eYbg@r#Nwg^COdm~FFtd|WII^KK0Wj-WL%amOSs+AB&LvbdA0NCc}MbC zCb3z@6-`tUFh8Z^R#kD|T*Fq;WTFkPTid})8@lGKCM4A!9$45HUHq}+J<3iurXxB2eM~Q; zWK8ETdUmX-w!S(UG_J}mPV9I7(X+J~^VA<^I(sO{KTCO9;b z(k!8*NZI_pNrCEZ2(QTA6XzX9yS46Pkf%mH^F|qtqaveA=X)Em?ELdx9~+aNaQvo zz9G2|3^GLCAwc6HYfMNDQl0{gA*UnL;BL}J7-=s=SG}(gr)&KMkcDp`gEud8+v#$X zWSFu^P<60y?j2I;nYIxATj~N7euv+CPkZ z|8(aB&;j-wHPG;5|Ye6EY18GE&E_|=5eh4rey)I)Bcc_ zZPK!ddn9znJ-w&NRY(J!-u-~YCvAnAa2RoTVDg=sdcCs_xF+jYa zPOGl!QWFZAxNml~wV(2`bpZ>>^Wf#3z3a)gCq)woWUS1={({OEm9LU~1`E1tue5GF zr8`L(IP5>>xy2-X#!$Okk`7AvcrO?G*i1APQ2|s%y@?Y z!&H^l%GTmam>Cq&qO+eAk#sv>5c9F{2sablAke9acF^{~%873~I?U))i?9qY4!l(>KIz{-pHqPuhW3CA%QIsw)id_tzVWuM-z%gOm z13|NYMuE5$L^GWXCj(lJ({gRlR@NPU#1qOuwq#YYSo6+qgG16ZAz#|%y|u57xtDZj~a=c^yPIV z4ED-c0jb|}o48HdBY{$g=iko?1}=K~O($riS0lgbNkG`cC~vhme?krq4<|I zFcivM)B)r(oZeWe)_^LD7JZgv*X+&e5eYmxr+B6;mSjlKr=Vbax)3f^c$TJOr2FHV zY^*Xd=-wJ9_la;tUx_509HIIG`6Vx+y%lyQ&STpbTpoekr-k+dqjX}9P zBX=NA?4eV_t-cWx`)6VuRR$mvF%N9oBR^NV^-aS!rtSjErw%2poZD*CR7?StUZu7n zpH(sN6AmZtCk`3abWI6=5jab0%w;JI(YC^4`Ef*hMl-p~Ktsbs2mAY!mF={(RSVO0 zp(T;w(IqMV8)9Kt2aGpLe*T|}HJ`6(6%6Bt#pO66;ztf6M#6sNCg_NsurhwGRR!as z*EwE!#bh|Nkv*~5tH~OwZjqtZkf6}AGygKZVCPfikZ*2wRZu|8gy8C)OyL5%i51HG zVN_n6E|`xRy>^}cFawv)o!f~aL<6Glb3$k>=sZA^Sc_iPT9*_Q)Y(P0;;1&rV1#)za-6M@bqDVPi_#il*VJ1eto zowb`-zTlN^;n`5?NkOx(Minb4`(@F~wcse>^2LRco@MxOtdTYy-&irfb5zU2ihV49 zN)rvjnp99X+VWkwhF+|v*kC}&ik-iFu;4ihq&EV?ttYCwbVkDMWEVA@P8eB#O%K~p zvEwaDJ9q3e9(kA%v~e#o)QXzGTrkH^3PJq&=>u0x<^lOeAM2I5 zW06T*uN$GSNe~&GV6NR1$FVsf&hr8~@eK|5^tg2+2a9)^F7B0A zAkI96QTCA4GY27KXAGm42S4Uv6?rBjWV*Jg6ZX zsMw9wv}M)C=rD5hDAgabB5AR7Evw;2>iz_u7wrgE>Z;>d1I>vxke>5i~4*4P<;L()E2vU?;aet-G-mzBF;NZP;5 z;QjGY;7=s&4?B9l=nZ;^`xS=&tsvMBl9r7XplcPNj_8r51)8<`52lA4{|im~VBGH! zI3R8M!}i~Qv+?{*x&?cOZ{iTpC8-& z35EKv>(yWA(0{vy{po)8k0?}@2aAV~9eAWr0jiDultOh@l9vS+e$q5t?zWWg&nwT8 zGBBjJhv|v@-jj-szlz3R?FQt&`BQ_qP1k2*sfEv;?t#$A8CoxOm4o4zv{Xk)>6bz9fH2{J2OO0@!8vu`@UI(@*G&yWPG%6B4w zi3qJ8x`s8#qw)H8>+xs)7@lMU7)1g=3E*`YH~<$iKtq%qT)(%9WCt*u%)m(vRBZb% z-je0Pe&*w>dRT|Rk^1jX$sR-z|6@4-p9p}E8<_m($O}1piu2zbNSaiF^CmEbfMo=XX9uw4Tmb!Lz<6LfFzzwm-{k;lz%Vxe zxQDnO^#SX7bZh{DP+(mwfV@Ee!2#NM3_rB_BOaLNAs-+e=mXn-%=hR6v}-@W_;)!# zULcGBxOIW^8ZhK=EDr`*fgx=UV0Zq1_y5)y{50f0@Li;&=amFkFhkSs#|DNf9ad{XwfDe@V1?GS38!*fUXyeiUxo^NQ&;iqdKCu3W zwtnjS!_HeGqBRXI|nHI zfZQMc&+(6=4Qv1y{`(UNDF29^9|-)bK0v+)fd4fKenRYz4fi*Q1@z^yDPZ$IfO~j4 z0UVEqCjJ1iz@7gQPi%mf`wzGSfcl@-EIXiu$Nc|S@d|_&=zw)RIv||f06m_6qi*)`!OF7ZNTuud;r7))BeUkAPkHL*7G=S4?Euvv_7B{ z5dPW!8?Au&zhVCo2F|C)v3m3$VSMN#Am6{C^`UMy;CKVu0r>0>D*7Im7%(@m^@o}G zbCrKZ0Qv>2AK34o7b>s>&;jg({xofVP$+QPe}fI2Wq;rvx&UZ~9Uz(U=zzlpv~K%| zibo$f+z&$y7z$wAL$?8K0K>rehbaUIKQ2X}|B&`r4ww%R{&(U82m`P#p#J~^pw7p- zf%QJ380Z7@0ONq}=e`2Nz@d6fd-NYZ59|Onv40aHKgenTA@ZY|zdxNns(c)hA1mxZ zWCfTPh@wYOf5ynq;fHj9!okPxumL1>AJOnQgCEl#+5vzJ?DAtA&DZ#RhQ^g0_N}>}gp9ftU163CKqHcJM@~8U!BC zh?X+W2j-^g?d)Axbb7$vBFs)pbBjS}btJK*5i~q6@{+BZIP)8y6NnT%|GRg4=0{Tq zAJ}j4EM8dco+`@TAKwOD?m*&bO>=<>32BT7R)zb5putP>(u&r!RNec}a6i8ZdmWb> z6fxt&YyiRqGWdi*?!9khq>tgj= z;13U=p$;#CK0@|_-MJgRe?oAlzx;XNW z36Bq@MGbL&Np*pGYn4sz=6I@mi{FrLQqDqS#)iDbJap)LUkY2;R}>NL%2848U^EG% z$ya^iZPnu+y^7`CynOMDZH2o#x2to9rc2biY&(A=jV0`Sl%rKh5VtGmJ*u z$u23uwlp;?=XveC2mv9Mo$%59n{tm%`>d`?b`dBRIy zc!A$#k=Q&|3nIBeR|a!y**RRQn}+Wolq6cbGzQNt>NO2oipx&dD>LaXyX;XrR7l2Y zFEvUBTfA9{I~vHS95(h{#DOJb=Y??XHH)F{v{2yT#l$k#9Go}X=#Xz`ik|*x$ZYd- zxE)BJm-m{`i?mAlo75XzD_=|zK4mqIE}yaurM2>2Qxec6$HGECvn|e2k-d!ZMyguF zW6j~%Id_z1LEl~pOmY2)1qK?y?Y(OF3KG{0;$vl2ffq$ylt`QJMfJzATJpPBw#UOV zpid2T8^8}zF*HR>&L>PyVrV`D8X)EANRL68lR9=vrr6}ZwnX?$QI!fcLmOvz5tk?; zip@uq1WLvB`AK_Yq_Vq~()8Pk_#Uuh^RU)T1AJq+H0hVydW|VrR!=t&LhXkn#-gX@ zD~8;lBk44ER%OMBYHli$mA^+LU345X?{;;pL6IwT==c?+>j$Xs*`o^Ahb)Y$Mh-V; zH5YC@#mr?XUX-j%A!tWMn5uhfwhc+czRYYj*$yfhOOkM?awa2%b<8xxMfz;6 z6*Bf)&*_Xto{8O-zF1pw%((kUCCBF;qcmocVV2G>^v#$UZ3(mCZJd zCq#tgAh+r#^iOuM#)SO{6?9-7ac)qqr@)&MpTQ573v@k~qcP++YC=;R5}SCZ{TUf6 zAxDN8y@5=gRZG0BlTVk{!Spo-mLx+Bt-LMLn?@vE4bI_t3%Wr0z=#8B4O$dxiK3Ni zY}-%$nfA!%%2WXh0nQ7KFzsrIY}r&eIdQs*AK9iYJOlY~;4w;0YM-8Vly7Qw347VF z=mlw`&#_^JrDgDc!e2Co)~5{NaE!zq5O~S!t;D6iA36>?84a8ucd zgL(M2g<5x}mG_<+ZBo0X9PJJq%EgwDZ6=q6Mr@%A1f<%>I!D`Xh-XB14}^zMlWutk zq`d?@xiGtl;Gz>8{$BGu9Uknh%R9H?g7gV)WQO*wFaV=oectPb5En zxH<^tFL$w88AeTKw=f7B(D@?axj|{LXRJz5@m`dE`}M+%Jx+*M668G(Dt!+Q6KwWt z_E$DnCp_DuaE@S#Df!aQ{$hyrWOvbh-yom$M1DxrbW}qxQ|xR6&sjoI%pt}=Ry{D` zVnX3*6gcdL^ zt3Y1zdsj?=__T$VL6Ot#-s?W*kWfd|>b(xu)r#w<5L!Xy=&M|@P)jS$EZoSXQ0<%0 zfm82^ii^1(W1Uwv#1+;wuNIgEU!I;YIyQ_BBG;m_Qzah=7Yd2ag@IHCmCr`iS1&xh zh(K={^1rE7+*ZcBCBZMP_DLzGuyK43Cgoa5Q?^P=VO^Vw%7w{Gc9w3L7m|0;_~ zQbyz&s?U>TXz?vE^ah6?rcE^@HGfoi!@yeqGk4ha3ZX9*qz&)H9#$k5YtrbLU7~=q zq5~!`@}bcky(1jMvsmc*RNB&NrIhaIHxXxP4WS#DyO-G*_TXbOW_7iYxAB*hV4dFX zP#Vu)y){@JXShwmsbZ6@X%^+=cd*B886=f?dd}DL9_4R&68uR16!l~7}@)aeqP zFPX}Motqd;Q0I?qp`H1LR?rh0#wyTTA|JS!v}C`_d#1szMZgf8zPICJ`^2FSQ^P3V z40p%zc=2;BCQU)xAn}k)1KB%^aBoMIZ_Tlut z>1~557mKmvJtIWOro-)mRi;u|z^H%TKQ&8<{|FdU@By~s(Es1#L2%ewA5(uX0m9S*DW?S$xv>e@CH(i4gDEO!& zFA_6o9f<>wugUxOBhIgP1G>!bp$z&}ccblgO)8U9vpbWG>MLJT!I{!f=Z+?SWri5HHQ`kF<$?&o=tS`BKun!;FdRkJnP-qJ^^-=jyx9|>i#()tEIN%* zRAeki3s8v*2^k*0da`3n`MJ z6$8X1H9PGAJwaZ^JuxGPkeaiGx59sSsbsxec$VE!Yv^1*)EUzYFLZDQ(-~cH!?^qD+9c2JW)%1@3J|+h@g$lo}$-~ zrV?IP5|(bm`4InfOFQ4vL?q;10blu6i4a`eGJ*v?a23zFX46iNC03Z$r1(Z>Pqs(r zw3%M8@7)O8K)txPJ1_lZ?ZI2bT3Ia|Qw{?z?a-Yjd7pBc_*1zL;h~|=Y_Y*_-h<*@ z3JW7aaAUVoHcd}e6Q_3}J$2c9cNQUtT_*1NRlwiVK4}ug2?8}?YkrJa2N6k~+Ft!p(@Ur%^RIpFzrA z`J(p{>B@qlgf%RJ!4-&RRd}13?qv*n6;ht8FeS1&biOFRHKS2i=Se;m?wioLkGG0X z4a@k6qG~%6nPxKUVKhD%bx!U3L%q1@JY0;0DZh`0u;0gflPgGK`Hqz14T{i91m#QP z{Bra)5!>skaHsh2oJ}qlFp7_Gyg!5Z)5)=Lu3JOIOzx}72H$pF$f9<}%0eyY zVQSooh^`ME`Hf?%7&JN>osY@dLPAhNgG&Wf0UEn3Q9|T~5l5=}TE0zkaZf@8@`X3a zs`sBp#*H=LNbXip1$LefTYg%qy`7z3)$J&*A5ls68vIC zhm{cc%0^_lT5o%v;7Bqz6^ zPgGt*L3$I0v&GgzeS>_f1LX?W34+KBGiwWGr=L#~%6ep+>RsYk^LNwIm0(TJ?{sJ$8t99C-~ zqR(94Wq21+-|M+_2n#kP6DQ1VMT+d-jlTx%I|-ECXdWa;5e|8Q+9GBAKJK>RPBrT= z0O2ICb?XjtF$rGSft6dfN?S0Y*kSM0WwxPYW@Jf7MGSiI6w*>7NQ3jUF-d@PhF(uP@x`I-zZ@vAt*kEISadw!{G3YCYIk9<8kv}oQl4K3FY2M%cU#uC9Wdv0 zNfm4}tg2m)ObFK>teh8>m@|+bJxIc#ITV!tY;dfcqd`rjSQy zQfXwcYM`5bob@RTZ7jqgnVP2VU8*@iiwCNq>kD-$(|6B# zEG{>krV(emUL`J-WDn$3V)2z~U&lhgx!z`)xL30ovtx+axZMkvM!5UrLO4TY#$8p! zy<^-QC*fAL_=33OL>MMG8qPadZW)5qle0|~XYLTyXmNn%PJ&M}eSBaQv&CA8JN_X- z$-pHQJxlLR?j3gcZmg=8`yKvrvp&qS+>r(A0vzqOumolyYGco$qY(jJI^mvaxkwK< z&H>)IfC&_or5*Ce3^vuyPnHDR{e&`OOZX;pBuRzP`jXM72hYy#o={*|`h*vC_mdV# zDq+=%4il0b!4vDj^6k~nk-ER4bIwr*4`w^|^DgHnMeX3x-G3`#V8y=iO}Z4f;t3s2 zd7KyivMj?crQVt1b$3)-C$wSvTkjdqVlJu4=dHwX>Z>lGk&@$_WoW2`s+ZU=m%ju} zpQ%qRGJ=cEEPtq6&JoL98>?rwPr|Bxo=vv{dw02hrNL`k^)w>UdJt>#16gTlyBZLdv5e+yPn6Tc3h)Vj&pCvu$_^tv=WUh4r0Lg zIhK{jEs0k^%;E{IylKQ;-O2R9CF6=ki0JR{rOkD=-I~wFsV1l|xkJ5VtyVi$Q{)^m zkKVz{Pt?;wi%|%ATV8!T_&z1ye~VvzyGSY(`@roTJh>k0TwoA`d$@R8e4E3R63oz> zY89D$vo4x>#Y?5>p`9F;QXM-f&aa~ltgl}!PzzTJz31^=A7PHY1E0dNL|I@wZ_rCC z*LUR;&BfCgmD&zRr$^ki@ROTPFZ2wDH}z#iyY1?~WYE|4yf?`8j#1XF2Em1FV3b-M zI4T}AuOZ-f=m{3{7DTwzqc&3uJG+|08(;VqwY4Liwp$@`c50m>-;1VNpI#jXHu)}| zGnGDFLDHMyf=q-*>tO!|cGP3L%vR4w7L8UNJG*l*4f74dOzyP9NNg}Yy6YWwl#AU9 z+B;P*8q3T@0(L1Llv`%*eEKW^OpHoll;E2>hqhsh_Px`Z2 zCYfH8lDM|Q({7O-IQvL3ASs64Vp&j{4d539Lneyo_qZON+{hF74l|9_Fiso>h$k5t z^;bZ}5%A5_Nx;Hs?e|Gf3q2WGC&54r$Rdy*b&Vy5Tp+Aj5QU6%f(Lrl!hI6@n zbj`I=#hc~3UdfqaP*F zS!&a_wCCl|@KX#Vf;KR@il~zWE6PO?#`8t02XuKl$aG)1FhN?b9ni|Gg=Mpvp+o`MmeqF3?IJw>%#-k** zW0k{0e>hox@T1NAd{Qx(6KvrwRh8sGadFgG^$Lm{uo$=2i%#LHx1@RMH_?Et| za_JWe7rs2>YnRz< z8*6>zM5h%**22my`YynnoXwn8(=$P73d%&{MpkQ)69r5w$x?HgUF&}FNy4s#)?Aov z4i-cA>T`x`YNG3wz&uYd(wwjO&1n&dlC4KC3BNZr#(hYN&y5fd+xIlzWN$6uV$?r* zkIy(^AlAvorV|bY+Ep#7a6Pl`e#unUe{gr_7(KvcfTATx-X)M3pQkYRvER}Ci)~A^ z33!RuVSz}hWJ9=@X=_%)VS#12ZF%70vrI&kk6>(Lfx~uuEtb(tIt2=E^OO;DLl&Mf z>fIB&gd=%!4N4YqKxil;;6h{eyKXd%zuFm(^F+k4&kfNXC~=a62rLjEq&5e=;li{!FZLv&}zolHFFJTU}Yfk0Ths4qU8tr85VcwQ}aA ztQduUT~_wITZfR!pY_LlHbLluC}(PoKU|HIAoBJO%rH(g(hDBl6Dt%Ktm7t$0%>i? z;Ei`TuKj6{qDE5EGq{)!L=^3seM3i7NG?&!`s0Qw`=7p-vyFT24DoL|-ehwN*nf#0 zM&48i?nDQ?ewny%ObnHTmqUl_rlxHy@LQ}sTYsaSrS<-c)d>ZH#+~tNGB1;&gH~b@ zp%IPG*$Z|-ucqNqgP35(dn-B&j`2y)Eu$4u-=yD!Lv^^qI@NI}!_U0tWKbkbw)T5^ z>EJ}aKC3563~pO>Ym6^?c&c?3dZs}57RxpF^JOE(u&Fw$4bj2zF}Z7<4yu#vC*{}U zLNB5>45g@+Z(^`}?yB^6j_Q3n?R2WT%G@hAQ&BX^xWZo=8CbSTrEJa|8ncD_7C*RSin4^LUa7mn4W(LF+z6iB(e z?aZrt1=psY3)dy^%uh_G@oTml9vHq9UsF2=u z->H@Z=^SZ0(%HsVcRBZmP@Va8eS$Hor+GwvCBx+qP}nwr$(C zZF}dp&wuOLt$ou~r~2+b)#p^dxx26H!!(^Q3GmJw@OP$#1+(-lSq4}YU#Xhm+$N3q z(s2Dk*{Rhtq2w3bl?F7%3q2X4Nt0t^*cbWuGiSiNr{aX!?p+V7lgieo!*x>AEPSy+ zM1w*qNdc-{MtGlT4T^{To2}?+{({_wxLU#ncMkKo2Jfty*AtSEIgx9)WK)7N_C4aZB%tv8f#xk5u>#Ukx)~1rUz&w1}_VmL3LBRAm(sW}lJI$pCgHa!4FtmrNv+_APjq z#7NT@@29T3MIOpt5!C11fYc^n4K%f5qy1K1M{m$H<6`5Cyv=N%jb+>~{<=MZF5?-; zY{>9IbGGic9Q@ua_2lk3;0mn}b0>pFQT<~fYio<{h+}do2oGa!n$h_iBD*E!qfh>; z`BYrfe#QN8`HPmeu8$z@-FWE(Y`^<%fd>W?UEOLVFpdgp$MK=*GD6tV%eKn}V7&s= z*av}zE)v%YY8kEw!}w>UTzpsLc7E10*G+h?hPfqZOG(eAvOgDu#E1ZVLd2&GMJnq# z+?kP3N+}-4UPQ(s+8W-7-ABa@Gi|VJ4Cx@B`r&<@Qcx?;iOy>uWl5b{#<*trk{0^v zh2ib@7pN!4Ibj?Vm@PI5?;|K>gdXbe2MfAk2Sn8C_q0pnnpnQF%bLTmHFWxF-iJKG zI=ya|<;%ZdlQ6m|PSB2nEcSv^s^jKb>=z?!2dsO6S4RN>F|2Uprh_&Pz~1LQ;JiwloNk4L(fR0HF!%7zG|n_6~+GM{p$Sy=eDz7uc$wqE}2vzUx^+6g1)F#Koj3C z>AJWS!}-hA)HZ|k@OuPKHKWDx@xKiiC4k?j>Gf3zEPGIun+wQaC680 zA&0-W`^=RAcEI}djs+frx|hBvGe=8-+#Xq(*=G9um`)}nVV5A;&NC7i#9LoYEV8A! zOT41=R6(O^+b5_XAoDLxB`Rv!3k~c9wVYcjv9JacDhdKKupZ&^!D0V>=$k4<8Lw9t zUJbq^izC26Ew3Eu=!%t70PBS3{h@NaCw1GkZybk8f6J1=d) zwWqI5t&i8%V$RSdz0vBgg=g|ttBN^uJg@T9v50(MV7>Vk2y1i|oS^N6FT@d~ardLe{e@ zR+2+f^i~7IVr})ExQ0M6YXMV)+Paht!c#m-B%YYr{(MU2hd_S!$t;@UZUe2Yb0&=h zf(JE5uecJGG6%xyG4e|>pFQOUEaOYfOp}T9XgU|ESdueP)bx`|=(*1z1NY(w3UnXA=aNc2c)oo-;e~{$2}%$kIdW`pgm6akW6|~T9!5&4LL(6y6R$;zbluf=H|SBU=)}y3oni3o6+o>N9*{0qsD_EERG^Y6S!knHaN6TKS7t5( zolEqOUoUb+xebFj>&op)!NDgbq>6WG6m2JyzHSC3vS*NceO;l^MH@HkXpJcM*pNC& z_QaaI*PW>}iDdr%0?wiV2?j=HHMqB#zZ6BWVK7zQ5nQsNu%$mukpSR48V-CB&ti&uLl==|S z!|5|1aH2$kubR8X=A2Glh#X=Cww&BUBI;+R5-jKu(YX@O%O&X8gRM^E&}E9*rwpi! z4`Y$2R|x}-V{wOuD2soT1(qXndw6NiD6ZF94h`($t}rF={|2m6Qn8b`={QFG{eqn)G_!UT#bf91*YOHn6A)b5{SluJcGIosk4{B6BkF zWX)3#HwG=YWi}HoKgSv&qy;SaKej8qd^XzMkdarAMs{>F3dVHIylIydHJ;xx0o@%( z2oGOgjytoJ8w48twSx`o>VM4-CAXj_Z!wdNXv1sgwliJ6wl&;+j+8y6n_;|xO#4*H zv!I8Agj$W#sOS-O(Tg1qu>##MQz6j^5@uh!A3QF8jvr3Uw-nMcJ5fg7*$6luOl%2g z6HXN<`zbXzqOSO4xtUi9=udt@2-=B*prn6Kgl>hZ{#MQ!5_0V36!NEp&h!ME7Ne$c zt}CVYU{w5(!Y-U6ZoIb~0D}bNi&Jo;f8ogm^E!Y_vxFyq`gs*ieN9&S0WIJ#`Bt)K z4i|YN-K6P$JraZ|LVk@Xg2u43CJkuSN=THx*m?<4jlN)avSA+ubE=0^xA~?W{lR`x z9G~{!xEB@peb83oaC*@N5pG(Bm8cAY6S$TXG<=7E9fG8pi%S9#p6~aO0*2&4-0Q07 zCHH7kl=T_GMBXz=3)Od#)3tdC9l`u2MF2P{TSA&|*cEji>DP z0ZjAJ;pslQ-8~HRSm{S1A~c0+8bx9gCJHWyN|#WHvcYz=f4!a8QzQ(_n5xr{!Hzj= zg!75TBVjAK)`R{7424hG_OLFazB}h6bQqo)Q%KCcXlniSNrIld8{Kso`;-fZ@G5o( zF#r4O;4COP^R`C%HdGXziE*R)D2vbWcw@J4+T~Hb*OBtf6>E!klEdYMcHQF4mK92f zI@TxW5Zue^*!RMbbW*TiI+E!6!`Y!H0Ov*>+NuO5A$VO{mUC5V7$+st%u_<@ok0t? zJ5?7x4j41&lk+_$ZR`j`tMJ8ZT@_rhA~dCDY$$7+Fn8w$a^;egm!OrsnCbmu;Xz=r zGb<(cmS8Xk;95`>?dh9lzr(S2xQD_jc+GyCKQfyP8TjwAr^L+n9XV92jatVJc ze+vpfQ)wr-ty+w^BRF}lNH+>F+`rt}u0o<)P57+t@NY-vh5?6P zL9~LiGnX6OVh5X#AH+6b!Ul3D+SOY7HpG!&;)SXS_t2}9^Y5V1V8XaohHU5k%-`u* zPMO@yh|o&Tz3W29RYYv+6 zLlQFkoSG{;;;EKW3r(tBj168&{qNWMc zbFlXo-nUdgvS-=f7L)z@FM?6NDugZklDHgnFZqMtzy8rP?{<;Ib$&qQnCeui5S zh&%bg8#;wR@+i6K?6Iv8)lCs>gcY&8ay`0vb-^S8fZ+(^>$EFR$byWqbIoMVjudl^ zMN_ne{YI!yr2|BFMy_T)?v()!Z>W4yMKL5vYR0=TC_+}rUO#2f5KIvJH~H);ooO<3OO{p%ib^kTX0G)OBw!8w+4w9uUSXQ5h&8MO7aMsF z(I(-wpm!d8;x00zX{A|1Sc(uAE6fJHAGBq@*XL85kBy3_pu%}2YrTo%(@n(5g(Z$A zT3yPajioBPvwddis6mJTO@t4MjJ&i5=HDHNM@O8-oM*A^xGvxI z{|k?y^e>Qkl#S#fbT&d)JOfRN4z^QLxBUtj8Ej%Vz>fI1S%{#54^2s87`$r(&|2zV+xx(7Q z0vt0?XBkN=ezvd&tOd(nX3yty@yLROK+#_@wNe!e(DRe#PE(-o*)}M@b4gy(%un(4 z@RY#_)YgI6jC^dRW%vssb%^#y|WN0wD>jz z$#GS;*^=;7Y0mRXhvb>0g=z&3wHxn2!V*3lq8m%44wZ}gB5#7&2sN)N=b~?S45PS# z^|fq^;z8xL0;kK*UQjBI=Ue5w5_id8oR{O&TX4~u^AK9w7_K){1vYV|F5&JJyCt@( zPRCGG3g1i&*O=<+0-00VCBG#S@XpTy-fS&7P4kDuGm32bw*LFY-iv7BNu!7PTK2pBgV zfdW~6N@Y>kmV}W={r-`dEE;U=%CXB5t(@)Fy0GEQ)d4HGzt_7f7DYN^vnm`|5^yI!dJ*@C8Hv~BJGuo!|fsNw7pSen0BR-Q%x#p zTU5i4QX}2JTfw75Ic4*nLMdiKkdr@vmVSb~tNXfQG-S#-nOer9)I0@uyL+6F@Mf$X zeoaWLorP6!nB^T^<1hw27y7nV>Z+U1LVRKsjx4%1b zOKl8l)~~*_-oErf0CtKzCgJV^9;QPDpKD-a{Gmp8=7wh}8NXfD)quBFa^%`w6xmwfrn zd{#l0yyQZGIAFZa5&}$RL|`6`r4JAF@M=EkI{Du)VjrT zEDC2qxZ}c=_oie#POw;;AF$!PzZd|T2_4s0&lMSWOt$vkpD#>&Nu-^<&)GMbB-nkK zI?izOsHSZ6w5f8Jxy4{)oE7tkZ0Zo3$313#ooOVS?Ca9VGW?5vsKZ$Nm+)dv8PpbZ z*F5##mh=54TmBe;UXT4GSL+T&8*X3q>A^4TEOoZ8Xg00>{QUL&ideD4Y$MoV48I3& zP9M@JDinq*{wvqVkZ1a$7_McK17KRSS5|L@?`U3JTE(tEaZR{8!#2{XMUa(1(HQ<@ zw`$>W%1+lClqXN6xbFe0J8*eCQ2rapojuNb`F9oH;X-FG(S&*r6wMOI@tOvUm||JV zp(1flUNh+ddoxh?5;}I5uK_^=FUF3I9jQC4fj~eBePB5oYw&`@Eq3cxK015E3mmC7 z)PitPmAu`|FpeqmQKR0C&RWOrdBbH92da#7-et4%>ekr>Orx}7F2}en2OM%^+X|QR z<(~ao_b|UrRiQ2tZ&XnxFj0^<>SE!((!nPL?Znv|+$~$L{(3&8Cxq}|PL+FoR_7x9 zq0Bpvw2vMzr3O=;L*qu}&adx-_vW=NzUi((kkgbR&dXqr$g*$N+5hM$=|cdQ++W9j z(ktV;oBGwSH)Kb0BM9B})e&%KbJvfL|0IsPt~c0X#SE46n=5pVn=h-&V@W`pD|)~% zoBLFu&?Qe!dh01&4!z;rX@(l^BaZadU7v19)VXfO@4eR=0N=2K%2<1occtGpK}CTa zcRsU5v(v!ZVHE=7>S}mb9@e6M$}yf?7VVRFeZnJtl;g6!PLpa)jP?y z=H5nKeV#sJe@_+3&^DiQ(C+B-ufH5RzRro?z;ESz;XN%YTY+S`7*7(-Xo&MHeug zoPl7rtn$vt4Bg%;)rp{C6$$Y*(B-QLyeYiMIe8i=#P_4MZXs)GVy_r!4l>>3Rzf3pBGTL`g`b&IqWp1?+ zJ?N2(7{}xXw|8QmrYouMB8kD~mk5iITcP`%$%df|JXN9Z%Q{C#c%bnwYGPSws9=1u z-;gVt*=}4Jj;RekoUn3fLfh=ZE9Au5>J-^`niA%NWJ3-e@-GyzKTIvLm@x&qhiZwH z=9r53rnH>gcr;OP4|QNumGj_n;Zxj9+HGiqS8U^vZ)erInld&))n66LMV(FN^`(8s z`Vd^MsYk5l{oDxx(k(xkRNJ=bR}!nogM;saU9#JFhMV^8#D(P)B4nvA(vHAtHV}Bq z3n`uWFTNhaNnVlzy`|RJva?iC8yWRsTF8EtYM}Bs@ZC zbe`d-E*JBRx1_8xd9MwfMqj;Sez<6QARE}#GIr;*7DaJh_0u~so%?91b$p}b5 zF;YZUA??({_1nW)%1fncSJ4y_ZCmhRym+@@CXmF!%x}VzLpyqD~-Wn)^xqbN-#eOBU^Ijw; zDwx!cbTIC>7O;&LY~^YBFhoZ*6b#(DU33Q(^+^tZuU>8+eCBJ#YMS3!;i4gBCp9j=ZMr`V(Ll#^5f?@fCgYTyidbhpS`n>eNLKa{!Qci55y zJb_nk8%l*3a}rVp_Q6y-mnMO7Avp*2Pz#Q?RUlk_1)ATJy%h?|42o96BxEG9e2`3} zQAg$5?kj0bw-VLMSM=~xAJwboGa3?)Rz|JD62x^ndQ(Rjp;7U4MajG{+Bgc&=xy+Z4%l0$p-OIUB7B$3|KjskgCNXrLP1kSze}EP~inL_x}Z@lPB2f@>leulFYZ zN6}^hU*MY{K`OADlq8j@hcBecm6CmdjhoD12`zFvfe(HQ4~)BD;C&J#3JV;#pM(ho z&XWMl={8L*<0{F(7l9OMHNVL}fpyGZiHq>i!Wzbo0C}S>Z#!hBa}6|^<4~cUX4#q$ zC2oRfM9mACy`Q-_J_%4-S*rQVYk16`EQn6^jPUeEI}ByjEi^q+U~i)GQ%2ya2*D>Z z+OrAduvYCeB>YCHNHVuB7d(5-2nUGy<60dgPYa?%&BS5}F9nFe3^rC+s#I04zRa&k zwknFsF@&u6Hfw<_Va0rF@M)Y6<=e9G31$W)DxWY8#0ESr<8G`)-eCMRdo~rV$Mo%% z!_~d7?5aKi0sB+(f>H5}Jc|S#bCDsu%@g7or4q%CcqsZgLyR0j{d<}=d=&J4tc?J+06T!4lZ~U1q5i+zM1TXp!N~bv znS+@tz`;__!4%*Ka5S|yG6Fcd*Z`aWPS%D-_6`O%_C^3_fD6DC;0ACvvbUl9pLG&3 z`}cT^|2J|h|Nk}<{ad*I-I4!=km=d}AJq6i?F7?5A?g2NlK(#tGQ%H+|A{C1H;0*} zqmezqf1BfIBxGb@V`%hm8W;yhdm}w77}xbGM+5T}K0>xWXr#@r`=62y*?%B%*$0=WfhVcOa%FlG8hBYeRX`}^Di{fLvxBj& zp5ZY#h3a~GD_a@X#u!7Wzm*j5jSRdH3=D&4Y+VECs?6pp<{<1WSQ^M6KOYb^wQo>J z2xJ@x0YvkQZ6i~QEyUl73e)-7xw)T(2Njs!!2@368}clgsVktw8{TRH?Ak8c(djqb zeIKvCs9+#$8oofr$t(oEsrm8EjsE{&O9_5l0`PiJcB~DcL`^A68b2U*NrKU7XdzH~ zP)-obZ#^JiT~39G9(4zO&k-a$5Dd`FOMbqI7Xtzpg3<4q-`u@;ho%;1hmYR~wT>XE zoLC#|Ju|(SaJ7w~>#eEZ!n<2G5Z@WGUBs{41JB&g@Wo)x_Rb(2>g$}K+Z9w{lHUO( z4MBAeI!#$LI|D$qYaYdv7^n9tl0GBbdfNrl!^zGvKqj#r{|cn|fD|OjJ+KX8Ue<4P zpQDp~7HsY68~^-}gSz_?k8ZBcEkYa~KEgjlf2}xvuaWQm1CT9kY!2>T%x-toeunzy z*PsmzhC@gD-?foXKeabD=i%edYJ}sO|A2z3rvB`)I@SHmq*9OG-2lt|H2q<^A&Hdk zb7sKmu=e_bFjK==lf41q}Y6`Tfw|fA0)_sYHEmkbd`UpZEkNJJ!|7 z(KmbP`1)|s`@WzLLlZ#0UPQh9*hg8>T5)}cT>3~af_(+-{eTf&S$^_BAaXvqP^Mz0 z{p>Y5#y2`brctSJfYJgP53}6-dEcn9Hi5BktZM}AvUq#J0EVN%!TCW_Xs88K-}qv7 zl*#T9B;Z`|G5V&P+38F(JSgT$|5^DkGB5_ct$ld?M0om!(0?nTwYj`BJ%gY1vPn-nx>^1?_$Vp*0nj5k z^VOc|c;ug3TAI9ftN$FmQo}jgIeMx*-fVnt-}|il0N9}p;X#P#0KR^n{K{rK^H~Ind`_GErEpIcu46Y-QnWetSUkRNxRd~EHmpaZyrY|Dyww9&s z3VbDPLOh2|U2Yf`iC3DA9)3~~LlkEt>2lg85BAvf9GR0?9vTPZR1m^5wu1>*meKgr z*QTFiS`VLfJUiRy;z?_tmj&D@dY&~B#Q8COQ&ISCf*f`=M?xx<1Efvt&vkqt)?}2GAQlA_ z`)(n`Yr&1sfOM6&G=GMNPn5HeXNFP9sKk8}maeo3F|Vr#k-adz%1U{>K);Xm!~6ty zM~hd|495x3g@p_(AwzDM308pm*_H=^w7Il&f&G}pj>J0$3w@K+h-j#1BOOv!Mi@EO zJLGB-heRk_kz&Zn(4Of68E|8fogfu&ki`ljN%s`wV0-%{(v-FM;bb~-gDu)Ge_1ws zX+2onDZDTC0E92By=So7oJ+kJ0W8p-y@GdJ|KgAsBc#adoLGwJc) zz{LHbTDt~u+V%AUVc6%IK6Y$cV$DaWt7N)6e(B_zTwOH2`^>O<9I*JH!HJjds93%O zDot^svpN@@G^4~oRCGPeZZtG+I=sRd%*wD){>!=>)Q+51m^X(gb-JSs7T_xWOt2SH z-H~UglUpT=iT7&B{ij6La!gR0{5VA5`Eq|e5VpD*P!CmwSMfxf#+D{+t9vbAlU|}5 z^~3u@lhV2Uvq$ z8Z3gmJk^=}J@}ZQUFr>Pq@G`|mG=y37VWW&l_U28rCQUTVEwG>gcd8aP#*Y}gaDqC z(+W*fm6D+UzA}K?mz>t2b0Ebnw_(hb^aWlr+~D&R>PaUEUR7M*s%65$Gj(N~tPM#G zm8V|>v2}k^RD?qttC%EvCG12VZ0v{e{DQ3@ElO-tZds+Qe$n)jm}QB)Jj<-0KOR7A zaw-(fgDFHrkafP)luG-O*H|;2#oi0ijMjaTi*C4f^K6IL;;)2H2yu9_)?3(yD_Pxa zPEBFoIZlc^Dzm*`%yD4Z+VmVUI%TjMo)U%NNk4?TgrWcolwbc^aI zTt~Rewf8;mYd6}S1J5npYE;l-E66K5jrCjOV^cyq!UNfJXMeuU-8W3a#W{!<3PjXi zLh^fQfj3ccwM<%1|%f&ZuD3Dv54aY z#{3E~;=QzO95bQ_VhFIIU2fdu5c|V*>^p7v#nOK=$@B6 z$KYhEpe~77+hbIV$T~BVCg*;^Nmq@Q{&sxzqW2D_swxIcRxC5zLzNA`986sbQB<6v zRnm#}-KzR@kVt_~%jFrwzCs@rwFpCVI96R9sp2<-n&1Rw4wZsNU2w9s=v^CFbbkdL zgCuU7edPhiz0SVNRuWl2KldudX}a>8k3G&b*o|wCtCLn-4M@{$y%j%q6frL+07V8r zo21`t*dTPCsAttn2icb*j`uV;hNczcxF;sp1`@^6NQi&Rv7LkOMM%UdEHzQ4a3;0q zv}*hI$>d}_se*uEILB?i^k3r+0*n48)0O~V+1<0CT$q4Qe}4la&~64%W-(>zR=?PV zY*{CfFr0lDML!v(n)# z8;5lP*-pSMY0s)^~>e;usG)@X-o=ddOhcCuNdD7nteKWVR()mfAKX z+K~98=2JD71NVBYDfnn-1KjRasMb~HyR>*{LW>{w98_d?M-i3=gqqft)32i3VNOgY8f*wMn`F(39A^WnldRDAv>N9U7m6@%z2 z@;}PD^~Q?p#EZQ!-Lc{{-&-=wS#L%{4nrh+()>AR58(+uCP?fhfBdc7uh)GZna)-| zU3gY@xh*O*k1v(-lNCEHnthGxCh!gN!2p!BP_qyy4=6{feJ z#D(`y1Ii*?CE@ z?$TD+J(4WsIA=3KoT$pVDX7n@Q&*)wunaTRvS4DFC;3jNRhtDQJZs^+(FZ*Co`ZL% z3Nf+Bj&23*Eh!eZM=Q|`eFKlZ=rxki&^?SzP9hP$?*)kTzvLLZ&yI6yP5BgeUy_P& zSm(*kNUZ6aTllaTC_i6}gvVgW!BMw6v;4rm&MpFnS0?cTm(E=d4yQ9omXwOJ60YGb z)@>-I$OQg;6rQ)^UhvP)LZpdXd*@Uo-<3Iotb*!(;?}8wLqJBk3)L{C*`+hJjVj)n z4f?*%5-2jkbM2_M*xg zRBX$5SBAE+w8FV@q8-XJUM%vh#2>eFdmg^3N|+(Uu}u;lrd$&VcnccIGfspNuE?*( z8B-2Ah@oJq>b*hc^8(gUk>acp35Q}T%ZeR;cX7UaU(AT%0M`+gU|#VtkCvg4T5#D} zKS1?YFM1fful2{U-5qVi`>hA9T4^%k{3cS^)H&*mwQ%~3ax}3g@Zn5hNMfq^+X24R zA+K@jd}y3bHuOLn&r}qUq)Fzb$zJ7DR>85)pt~|LX4k|a-0s|O!Q^mbtVG{LIFYTJ zz1(Ricy;o8<`pB~bka&C|Cytvurd`m5?+nd&)XJ{t@T1d17p8(o=}l(?E-G%oUu)j zA|P1;TEMqL2(DCYlVQ4XvAYw_OUN(N?BPCz>9!6fv?AK+dK;F=Pzj{UfR`P0a)GRp zIE0k{#D(|fk%QEofo$SxOVE|;^Q2p*nQ-_jPw~|&#GCN8uoOec`a||Vy@0#XOB|_f$T@UGI z+`t9aX^qHN1T2?r&ZypwO}LUvzYgh0G5LKYUsI*yj;+c0p&W(a3_>_kV`H0l*-(`@ zy2qAo{W#-6!H=*!K19DfwC%H*stdE1QT%DG~b3YVw6T zaKjy;7gh>vWF(bD>zBkxdAyq^Fn^(UCciw44LM7JiR$LIjOL63hqZ7Pu1_w~kw$GM zRCvy}5iJZ`9Sa&A=S~eDP8mn9IN`i?`q3>;6-kWC*PtxfbQ9sW4 z7LU&fX4ZzEsy`{^z&ygk-uN48WakgajBK!%m%pN6(lN_qkF~YUnbgQVHzY8hOa=#= z8L0U@NK%SWEkVIT<(HuDkn%+1(I*l3lN2fLau|BDt@wPHJgR1bJA752+1x>ES<%w* zQ;^2EpIY$0F2QWxAb|?L)Qh=uMBEG|)dHQr!H|u;XYbfYrHZ=FXW0zji_#?GMkVM~WSom-*=&Wcw(WFm$1kS66`7Qfj`1kFd&@JYTrv$=ZW2)Ukkp&4bPg zCm}s)E9J31BPiFdW=3ZdlaAs0P()(NGoVC*&g5(NuCzy%&nJ%9KpGAO1d}8yW?5P^ ztuS1_-|%o#?6*!*slv|xoYH%c_fyS_{k^mZKW zinq^NkJ~EWr9kO?_pfnEWHmzLGx}cZv+nr3-#fbtJ3))0*!fTpXWw*hc)l~Q9Fako zVe$H2*_iYLYD%Ks2e=1~HX0?#NJ_tLwUIrZfjno){Z0wF=4jUYywJx+LRoxqVf2lO z8-c5h{*&(lJG(Z#$`4T}3r8>9^CmVUwV0Hv7J*t9D!3I>y{{*59!)WBER~9Jij-76 zs-^p$ByKVzP19Mm20Qznz5b^V6717LuZlu}!86G8-ay`b;lilqIv_*v-bV&OIriKl zuvNxnkpgFc=5-4AA>axdcvDt%zI|CY6T+xV{M&6aGyem4&7Md|bl%gDD-l>O8KgzW zMnNpRFnWx4ituguh_*}M`!|A;i_o5DMYX-v+!yUD^jiH7+1SK6_>7 zaO@^M#O2YdexQRJgeVs7crjLYbY@zk?`38W5X^g_Q-CSyT%l2m;Exsk88To|{bb)6 zJa9G%NdtdHR?vbAZf1`9p1-7xbvi9lWMaJ5Eq2CV)=B(GK}5Zomm|qi|UAsP?(>|GH2{CmNAwA zcr##M34cfk7qJ+Oz2d zI){q0a2%qoO9AQrm7H85iG!c;jM(Vj_90nq8fF5z6WUrV;xsY&baucytvzXSpXfx=BNXddCF>RK}t zNO6?5=xL5D{gRqoNfLMTHbI-5mAvgBZ=v<$3C*(*|G9n7i#8Vff*K-s^-ai(j7_yN+=plUG1Rkm&<0?BWd(fM8FEs+;;Y^iJ0Ae+9+CE@4R#MtXD@SIh{M;o2X`xiWG zR&S=VX)@~GMW2Y|akM8ot4wb(`4;0m&(r@I%GXk|6V^c1lkSE9E{@DVtoK_~-mrOA z#*G5h%_w8@KFVl~^*`g4`}1~)mzF;*ha}vtf0WKuC*M^SxyFV5-XiO@klF{*9@-wz zXa91$R<__kzKc?>`%4rmW^AVu?+{XQEa}Y@{`A6n)V0MCb(+h1RF{XJ6|j}6+ZI+B zH14{$0{AG<#t@mB93|KTrKM#keolj%qe)V+^z5;PuEm zLqLk1Q=OJY#Y_yO@cHMoD#8awfDrq{fwJC5?$N$_`lx2lz(4*upx;#tJduL_HhC%% zE!O92J>S$aEbgJe8k-U?a$C-)e*+OwdQNcXNg!&H{`f;AV98O|Mwg^G8Se=P zYR$xQ;T1(Lm8y=Qf8!vZw;A>3NS%(ACGcz|jrerK6jr<2v+-Ow>^h7ZFtVa4FlRzw zL%Wc0&2q?+7=U-})xyhG0WP zh@e(%y?f{hasRO@3XA%y@NO&;NJh;LF|J>qnzDdajh4rNb_}5;)49@ZAij=@thQYb z8tKY-_;{@w;q`barxNuG!+l-s6`TJ!kh`Nu`;EIgvl=UdQdN(;N~OaJabt8WBX#V&yn=_?e;DB3Y0 zDOOmJwDu{?4tPZ^iv>Ex#wtC^V7xa3ae~AW%<2Sx>QA@@N+{&_zm&J81&WM(wwt1% znik2w0t^C7;UNPLC=Du24A4BVn_Q0al6O$Nn7h}o7gy*2FG9Eh8O24jq=wGHr@NO;;OfXsIQUJDs7BprgRA???;9IqA zaGs0xS)1CF^Qn1f6Z<|&7~Z!(*#|10!ORLza^o>9)wrP+bJbOaCm>$+IQHxJ&67y4kVYJd2A ze*4qv1sJibaMWQWt42;HTJo{b(ZxM5BU8!u0CBm18^-}!jO4c7&u z=7njxdxm9ukHzJA{uIqSmWnZ9!S{LVNa78;sCK<%&dM%&AEgd~p{#D}C|4A@~oqR(zyzx$?w{22yD#xymG+X zzmuYK{C;~`l{rvh!+8aDj($fTl^D3Yks<*jX}QkU=zfFi3#T@FVoo4AUgT)W={UY4 zR?W0W1)aQM<-0JyCFw@F}Ak)D_II35ohhia$LYijW9k{EMt-yqqih-Gc6hf7_>d)8&1 z0rD9-RD9*8Fp56;u`RrT1y0G7Fs6yO9NVX88w)Ntk>Lw2jx0lqa3qoNpnVtgG;>g@Z0~6}mWL5DfZ8xdH8SC@;-3<#|cN^@iDX{RP5HP8A?fc9K;rae-;OAL*{ zsR7mJL7P}ivyVk5E;t9G7GOCxJGgr*Avj!loq$vB5L`xtOw^^tQz(%LOL}mXi=CRe zeq#dNkGY#r%Eg&(pKJb^Fdx$vQ}C8NhVB@UX#opO9IJjce>}U(p!e`V8#_h zDHszQR)S}bGeQ;wSMY1Z#_rfJd>vNnc|sCZ35+K&uvJH=7V&xrTs<32%S!Gm#{wm( zn?&1{4nG`l*q!#?AKGta=Bk&Ntzwr(GCJ?Df3{MAnd;7eF`>!;2CK&kK$Z>f_k7`# z;P#Lfvn6Ef*nN2pDI7*kYAmLL7UgJIF`Cz0zymN7SKak!3~@SpK#(ctkfqionPyOA@*6R7N&WQg`iAR>DweDY*UbaNI?2hj{-BPV+^jSk>RnIk0D z(q`0%ZzLjE!dsAKTuqrRhxgwjcT`ZH>seqd)s@(}EOYH1k63nk9=3K5V{Mr*kupyI zzc_ox;9A=SYd5xS+qRvRWW~1atYpQuZQHh!72CFL>&v_Q?Cy8>*?sz}GymOHvu4$N ze#}`l#&uuASh}~ef(?g?a5QrJSn;R&U_K!}!>FTJVPE z^yOn{vKAn;V%_|#{Qk6Sb@~O{8YguTHBS=E_tu4!GQSxTbzaTEv%A=V7f0B6^P=b5 z0T{t*ies!4u~XF*89QO}>c!?BsuPwnVw8)w<3EU@K4+|Mx39?6A+yJ{!X~6#K<2S# z0}v^Lmk1{25JW4MSEf5p@`Nkv@C9qbwMO2D#I?5GNeJ=E!uQHR*y7-*qHDvOFh@#* zT5bAr$lP=8=u+u8?9hoKA7vx3{Uj*IXky48U!Z@**7BM2lV30F7*RQY8yC#vBdC+Yph zl;ZQl>EUIMKUZ%815{P@HG%Il(edl%)P9d~?rEo=KD2|wP|H!N>;Yt1cTi!3jyl#k z_WY-^E9mB=Yj=R}_2SlOAhP(Qmif=eS;y%1VsbJV?inn(faXJ2uhX4%jH!|w{v5e_|>}}sA<-=gF;Q2`9=?y9rb`yBFfVDB^u+v#|aT+>UddQ653Bupl=ev7?RA( zr}0v=dHX`)UE*d;x5l<3%(;4a<*p|fU9c!vkwdP#e27+@dk^(0<}_Zx7KmW;iKIwTYa-d*Z!n*|)ti;^ zf?b7P>-cd-cJ8ffW{-+HvY9!_KUKAD&0FC}NG3Ju2(klqin>Y9WEcQKIi;S-kT`2Xt2I6y<+0&B#Eg{1 z?EkzG3$lI&g#8hT1H>JgQD3bz%m4=`@kjQEh2MiR-YKV1!Pse0Wy&1T0`#VSUSe3b zg2mL+g-CwuOY(rj1CgKDs+jxg#(gN44+CyF!9<#}@+6QwNRN9c*?IZQv9j-xL@}G? zx5^&6a_VI#W$spS57Dwury+Jpsk3V7WiHI>`Msif(fnFjb1_RfEMXC8oh>$JeksHd zuDRqLBe6~4=2u>?5Ta>y&lF|c&j>8ZauIP?xc90ri_YrInti5&K>qCB(xv)eEN0j% zT_G7Q9az^v+%TokkH?IgJr~YxeU@(z!gI<${d~%`c}{;KAd7Wy=&VVeq=&oGCM!m^ zrOa=JW)RwP)QrAAVcVPg4LR<7Rubfk*)@r( zkQCK*ZGbultzf`lXlYfk7V09E&juAz5S(s1_DBqHQv==4eo2OK6cDG3AeQV8umn4L zLEJ!w*}8iI7wOd!W{(0!gNonZyF!HgdKYz3#)9MCcDdR-cfSvt?wD3 z_3&!DEs1_Jdjc)#Cx@}pLyh6+1>#GvfiMwv`mtB55%l9JQDYWujxkYGxQA-_FX^g| zQQ5P+>(vacgNfF%-6#}oCQJ&L>u_1$OrEPy*50Eg*24)i2@H1eKBQIXx+F9-6ZP<5 z`mJea7R_oKq|JBa6@j-O2VT^nU=TsKks_J70A;C%)88A0lKT)y=*G(lfUpB44v+x@ z>>yET3_ENY&Zl!Mg!)Wo&>bohKs|2hhW68myW#kY7o^)=;zED;p(p%_!SYa;qlVN4 z-9V$_M}T$Oi69l!Jni#kQ^skAji<7ayOMdA^DPY`9&nsCDmj4cUxysR~W=@8b+smKX9)3@tK1E0#t9Qzf znDSH$@b5z<*-uqXwOvKPFH3F|2Rh1KAsTkzA3b-6J`j{LU~6=P4Uq!Z?zmK5HpKPG zTOeGp?!M+AOg{Fobc&;2<)TObDXKVDxV4Bx5)stD?-STVcvxYVvyFSWHzG(Z-Uw)d zPA*-|+~d`FJcnI{OC^HrZ?|E8psk9PVr+bufQRUiAC|3t?L9O6gZMB)@!(mAd|){w*FUne^CEsTn_!O+u3V zb(gg}J(9IuVpfQCAGK8pD8@6cOJ38XFF&{KDQ@u4kWP7t3x`rTkhfrvV{>p%SoX&X zfM#NU`x_gJ!+rh(uGiH=|MQFu@FLqPy>f>miVJXU@3DX=m08pIyNv^CEOSA_$8F(8 zz;@3P|DeZjA=*wPsKB4GD)5GHf24$OgInXr&xJAkDkcFMZ=|8+%TC|x2K$Bq4C`s2 zld7Lb>LwqOWTX-g@X9s%Jd6vaX9~j3);Dq2tT&IyRG;~u6SIF)GR(Ucm^UsGFazH6 zE%)N{@#A`ME2zQM`X)=#z_^@XNBnUc_>f68<#5K1Llf%DZC{QEwDX^O(<-6_n2<5Aymz4xS4YdZz30guUIr< z6wE|{pnx+WS|c}RTtfzIpIQ_{ieVE6KG{8n(ReKV(y}_2iM;>yJ}0rnrS%4q!DHJO zKkqaKO{#+Az50e(Aw?szb_~p@nWZ!n;0I{`1Mn#ROVMDw5I$?%)CCdTkO2kM3*F}Q z$n4ov0rm4^U5Xe)`_Deept3v_?Og{lS5HKFo>z>mpJu!jJ>F0)F_Dn&^&a+S^i;O#+Tjhcs>%1#3R^R7dt($3$? z8Xxy}snQm<{O*U20sUvadyc9)4A|xU*sns%!(&;Grn}%Bi3?V+C7SVjZUlU!r-nIE zzp^F>GIHkiJw@NE7{Z(K6xs}d~f`zO($q`2Lc)?6$B3p0P)q~J# zNjB`8zv$nw9gfWka_#8g`OC?G4oH4+a&kc>5rA9nyZS;TV|*qvlJ<2a2y~`^;94w1 zU9c09`BWA0{(|<0GHp7=tV`^dPQFscl5{H~6d6vELs^S$sP#4G`5L~O%5u%`egjT4 zfwgG+$W#h+fpBNGfVoaiy$kaKqKKy~l$Z(4KK$J_&Gk{Cd=MB6l4B75A`ibqola;z zk>|;;#a5(Sjs_W;opKRhxhb;6mXVPI=>?zBXG~JVBZ3OOYHLQtt(Y3hYg3FTiJ}{N z?J$BrScb3K$zf?ObK(^~P0M0V`euBVg8Xqf&o(hMiwrnfRK2>UXtqaHg7k5yPx9b1 zrM?B2T)C=`-W*I!z4C;Nn@DjSju#*Pz5t4W`oMTMxgW&%HV)cf#KPfG?4kVvzkFU7 z`aoMqJ3P`CG#dE^!c^S2m)iQY76U)QI}$BN_fCj<4s$RBdJ@IT>mo~wc9FKAf7_Q3 zQHR3!G4<0tfewEj*oU2DbFfG!%noR>G1Ln$ox!147b@y?e}BEyYS|-$;@k>U!b;l( zyVU~*)Jg+{Y5d2YKc0YZ^Jm6PF$S-~kDEG{rU%ueR{oBL{Z5O_DV(w9j*(f_l0hX1 z_i7VnN!2lPx})nqjM2DcCEQ>5Ry+PW|BfF2YeMdygGv7zJ^n*RQb}I@|Dnef^}p$H zAzLe>Z&3N)(c|pQ1hmWy?0@Z=F@JA;ea{yDlOO*c1N%Ea{*U8-^5aa5{}Vs{J>2wP z068o3U!U=B0rJ1_@&7kGuKbOUtNsHZH~0ra{-5ypUkv*{;PJolu5U3b2M4qdS`fL>V2ktrv0EP+c#uvMOFkP$SKS!FHwOZr=zQdxYYpA53NW=h=?f9Tar#0V6y8=;5rF|0|s(?$osc2A_cq)1yXqNb2RKk zjvT-uDwLfsaSi}0u^~3DFs)BcQZA?fbXY*%jUL;uQ%{E1^^7KkiiXWPac3B z3C0d+D+~a=i{J;`FmPm_Wy>BTPbwpn|A5bo9Xt)d)qJn^Y9>abyv!FH-2IQxcW7_r!;L^ydN6m-p4(Rw-*I0)%i3w->;t78AgGQZK+gV6r=yU8~vl z_Lm`$Lol(&SLDnVYGsZ$nA^yM%ekxtDhbRMB4bWM%YL>2hZyoF0u*DAVQ&=xIs%Yx z#g+p!2}qb&Ppq7WqW2QAEeOabEVE0XKRy9{Ilbc(JBX;zCmwf~Y&UT-!z>$HGZV^- zOZh`{5u+DK&0!awT+dgKiLsC0`<>lLep#3s#5Fqb=qS)18_7*j0N=PepY~?kozKXr zEs>t?NiYH$tWN|za!NW%NRaKVuiu|s8(-LwU`P>u-#s-ZT0p?|(RsF?6vla=*xuUP z+v(oi=g`a3AK_g1T)o*;N)$D|by{9(V9oxNHTDXdr3Ju_RrDQs1>4UKf)=O+yac?5 z6PwmK^{&}hF;35u2%)XfrWB-QQP9Dg7y$kX>ziTY!gw{p%d*W2&a~t z!fv)Qr*%o{5@Q>*G_lwie^Kxeo8Vh_29mAtB0(MA&_NXKee4J#Li{WbFZLE)5D-vQ zY-yax?r^;q&M~d&u5SKVYn)V8iOqP%_P8Y&>`9=lDpu1azt`t|UKg+ULC4K$5CFZ- zDnR3&UCEuX4c5Zf~duvJp0Es!bvPyz!|M$sD_X4NMdp43PRU zlFy`!#VE@5HQt7#!wr|pu)VO%mBobC$=!H}Dn!BfQ-#rkAUSL2lwxFIJ0QW{cxbqC zCR;)r=nO_25RA7s`e_nrbB*1y(sFRxh_PwnvsOrs1GdA&q}0H^p)PA|coyEX7VZNt zo<=4qHhEI~2G~OYU$upgy~(oVid9v7f|BoGh=u@xSE*&_TBsq^-sr5JPWujy`tI^Q z-2pvY6=dda-suoG2+pm;e1YJ6Ra9b9;js!2DXSnQMCj$m;kx2w1)f(VutLi8VVpUk zlS2ZZIcF^sPB8Pj-^CVBgu#~w%wp$j6YVkGTjF>^#F0{idK;I9siANdRjCf+)|!`@ z`p_k3?86`a8a#$eHTDDq1{pq+*5BxA_D5JxI(vq6M$wxQ;ku|l<*qBV`YY96eiW#p zytT_VO_{ZRSkWFaBKRC8`ZcM(*5y*gptHnZqn=2 zmT&7eVh!t)!7^dISkR4ol;|6rGJa$~;lW9{)bJd55#VW6@2{xTM)}L|DS=zc*eH=? znDU8rh+jOIz~|RRrWj(WW|$Cr3y07+Qa0V&il<~^QKTe%Bzu!atcYxkGQVv|IptlE zZg_GgzGppC%4Re1jz`TxQi(IHMd#MfQWFtr(%WrKq1yT&rCptCC6jJL*6*LCym*^MePT4iAM!dX=BV&iZqJdr>y*^8sSAqkC6V#x2DNsUhPD-WaT%obMwNiE zqe@*K3JvKnJmWguGyN55GB`XNdmV~=2b`It#$q~<=e5lp9-Y$wh)uYR%GQ&Hh!P_b zL9=MIPrt2helx!l3A@Ia18RC@<=MUH+OEk;`zawh&C&vVk~T7lDe*E=q_r(kVoSZX}h5U)1xjS;U!mltRI_Og0ofa5jM?KTutMe4;Pdzt}8 znItkW@yx$`p2)mF&BSvJRAmb0^c~+DaJEXYHj>aIH}P%RU9j1Lxr2*6OyeZyO-*51 zLmbJP8cCOubg*q0*37Zm^HxneBa9B>yH&y?RJBNGd}&^zS&kAJh?F05Q)6tSO%qR@ znmnysFbzq6sp?oaXt$bpWfscx-z=_Ja}@z2OrWy@DhzG+k!)?wx&AyFWfF@lql}vA zi?gDB!NNx}l*ACv3M-A#ynlMgb$$aZ@>jg8hK`U;xU(!yl7%q31Rwq*Zs@u0h)4P= zay`(I8X0$lvesL0E(-o+9VjEcQPusZkgen8JvZ`^s9fhctR{dTIhO*#eo4*a=*9bF zav{Fpc}t2|eV~VkLE>RIRmJlV@W+i6V)h)8>#d`V9SY;gT z=&?;rDWmjPf@n;7QDhO9an*Dn`E%Euh)W~i+qvs}Ic-=<^qhSeIdbY4*gP$3jGl9) zaFLL)TKALKikyqXzROp%g4elD$(yt>E&4!rcf?4|d7ns)`_+l7y}fo@Ps^~*S9^8Jna5pVNS06!Mw z7CFt7JaT4D+EJ?}Y-)hd1?@QjMv2c;bVzvM$Gm(_v>bpYw4n3Rl+#`SA(($>UE=^u z2D8>XTyBkKWMiqtCM&4GHt@VZTi3Md4@)fz*=B1A-He+^h=yJ%ovuy>D}{CFBGHjh zB;D}yyU2FLiK=!-3!BEiFEi}=dXCu6(XZP(UU)N^AX#4v{l)?M-Nma2KV=3T%(@17 zU*}s+Xsj7B^j&Q%op{$Qy%Fw1Q>TV^QB8@@*79I^oL4>F^OWaT5-10c;_s3uFNA01~7H-SDA?TjFY z$J37M=lN5dzjx!)lYY;v=dZ8wfFnQZc8L*`e#|y2uZST(TI#oQX~b2nsgk{NCtj{< zDraMy(vQ&--)c6HYCG-Tg$9BXOt&R)B%rnCjjv|h+`5bFe{|Di=WAKAV#-xnUUY5k zK+^Lu_9BPH#ClzR>@cO>lK1D?YYEsNy_42_3OQN|sTHAQ)}U5XkeFp=Tu=cFZ|GY- zv?RXD@6Apm`V8(}+A*wOXY*8g_@DsWDo2HE%9>eZO>Sp4R+?mhxOpUe*egvaiIjSB z#@~)tlirvqv#*O2KHFJ~RoNflg`0sm>fO`JGn{T%GsQSu+@GX9IsT%o9%L=G=O$hB z{B|DiB8y^ro;DBEH^zr#2V7j9sA0wYqm{!;a%)G%G-sN5Pm^en(=dZ@C0BGqv_*$V z1#Q)__tU%HCCMa?zMy6_>3#&fuS4Yx9xYk5HE0WCDP@bVE7$&^j8fj>2i9WPN;m{0 z1_C>Z;{3z8$Gr zLxDpxfv@lVnQtdNw&d`PfXRMud<;lcwDSJP(uPHcMrZJ&DB@C`4Tvr#XFQY*WF#xo zFT@8(r<b3ZtQaZTY`%WD>tf^#*UG`?9*)5gU^k^E+sT4<< z&phCG4=?L1tEWNB*!M%~576DB#A*@Td10EvrhYbVRvuj%CLTB4<+eByV+^m2h3D(f zA;-^h$1_#emO*Kip)(o0IOtWnXe6~eE%tY0O-?VD{b`e7owI8!1LyO}6!vve=I z@isu%Zz$>vyHu_4z>4L8w)}&Ws6n7)*d7+uja@Xxgx#;|=ybsPOnDojs#!MAH6SiW z#WH?wazb_N@!Vtft07@Ch-NT}PEI4upRY)|s;L&;zk<#oX|NNyOMpJR$bJ)MHkAIo z`7w*D4%pZBt%upv9zS*h#PL44z^b(L8WUNoqY zdN1S-ZazeU$&Y#A3K1c+&7mrzVe*I+ier5%CE81F|8*oMv+bDkI%LsKhUmS;u$y+B zS+@6<2w-B0=T;;f%0x>y((3LFWrVj`XP=f2yS4BQaM~JJ5BVb^ucF302T!Pd81Y1m zq6tHdV%-IM!@z5;DV2{574+0Af6|fe$Djkj%iyum+lb4tT6TEq9O4inNiXlAT^sM< zYCV6`dHKU2_(6iASC|KA=9DHDs4gPkrhqS218lFytSBchaeGY{09Y(=8f+d885(nf z1*T~^{P1*OnmyHz>5UiCG`>f-L+yH9EB?26WbWM$wJAyUz3PO|xVI|$7b~vQ3Iov5 z=-G|4GMLThWyx9?GfN?%$L{#3lu)GAxE@HOQ^Fbz9!IPrTkXperPNZx3rP6Yi zcnzma+}bbsj*DoHf%v8cW`u(n`TV)$&;#Pq70SR=k1M+ZGQaP9u1~ESx44^9oKJ=p zgGiNoS-+!>JcFv0G>GSVP0MHHEafDYXj_TKgp9XnxdY?TJ3xRRF3!#>A&a;O`q9yujI!n9`c1y12(bwl@NDRE9v)dH=Q)J zF+d}s0H)CW2LoJy+bmpo6yW^R;Sv(!gJT;e@OH{`j5&c-k2*8`?8BoDTi@YK6&S8O6fA+-h`5FHSo35Vxf_)q9=l$S}F1X^G?B;eQ^w=ko;99KEKP$vv*6tZ#N4U9;bs4Pt-sK+LHO%;ZUr7+cH!3Q+DD?`GS+X*XW+I(y zd^&(8J3-GaU1vk<(vo2Oj4kaviq~%Hvrt0&z$|o;qu3tNQ1K)@?#D^ zpO58CyRy&=y+v+(^NRHywd;r@eD{ixj-)n8MB}^N1LLv&XbB(d&e&WqdaFLYl?V(d z{40$X8&{1oma3(#JL)XY&-=~`2`ADu%w^QH$-Xatnz)~Eqs)RiDU6N zT?SfQ-Y#vJsAq~XEI-}DqzM{Ggvq=02iDVmqz@>uH2l`(Ee-*Af&5tRYEJvKGz8Os zmVes&#o(K@`OK~zF;jJLT{|G;e^g9k8H}sbsrAaW+&nMt^1}iL>r|tu^cepM5FGO& zeT9AAlo|-hVZ|60TO)Fs9;UBF0^~J_a^9$=>ml(H{aWI}=G%*XEJjIIq2xnxM?a}j z$}&|-<6`r(G4)#mE2Jr5x#H%?HZf~;lH;@P%7p1A`(XNOx2yP6+ohTLVUe{+##?3>%8d4etAkA@tw$i>{i(@5E$HnL# zdECh$@>*)%ON`8hYKA>(bgq5uU%UdOdYx|%~3o1{r!rf-;Y1+nu$0BYtFFocW zHtE{?4#vLjJxV$8Qq?@^Aj9dD^LMo4Nzwd9uswq9KezmhKD%*#tNtopgYVngJ~@b{ zbjHc-d@+?2J~%v@-MO@bqU|}PM>&yDz1`A|d4+?CMAE%Jg7WzAOg{6b^@16rz4L|* ze_%gVYbg?=e;y{_!s5yyK_QB#)sR} zSy~r!Sk!ZV!5u(YGDRp*n&2#c^I2TSPs|@~Oz-cnL{gTKS!YRag1d*nRC8xKqHrdh zk%W&_P`YD~8w5CTq(gJYph{m{_c1F z@%nxY|BJEamx?P-g5?*P&|)1<9cvx335~I7j3=g)5xWVVAqKM{8dh8((MZ=oEvkAQ z{YqURkratk*pJ5qktUI=c~|a_pGO~_S^QaVT~$|i+Es6D{Mq7KASTq{qPskR!Z=AJ z;IZK4{xmaQSw?xZIF@v#z&XPNR3$*BXz0zt@eDoPW>mSd0NW%iaFzh%@~+&rOv6Aw z0Vw?h5o);9l(j*HwEYvkz;+={2`~UJf}w$W0gwcGa%z=E0fGtM0M+7XF{6ia01IFR z{=`B;_>{oi<~cuJl@WO2WC;o6cSsVHIffr6K$@XSczLC2sJltyL^ z5Ixv?Z6PD1c3YbGkO4rP%Ao{q{kj|21*+}+^6Q*d+mDWoG3w~!q*={|Nx^t$Pl00m z>XQS2EC5mgDfdMc^x=nS@wrxc)|rj+1NVxFxnjTxhk+d2yC$IL2!aU6=>#|p=S+cs z2M{0u!i0eQ?Eb^=GL8TN5h@lVkOdIt2Gd=qsNZu|-3gi@BA^Sv>3`6x2LbW^@#22) zgIA6OEtKSLgDgtDwmE>mctq$uy+eXzUn zxwIc11x);_S@ya*flQ4aN8+N|zJ%)&hZ2AQp>z{O@}s7fKZtS}SUoiJ)?_dbC91A*VT;1+6c59AkA@LMip!q-jjl`mY6 z?&X*FZA#2G1`AM_sQzaXqzsFQEZAKdkz52ZF8JyEd&lyq^Pfzq>^eM)$_cT`AVrD6v*fVzx*ker_CAmO8}E2O^~z7r(7{dZ9tdRNF8P>l5U1SGJ=!Ijg-w z*45};zQAcrUQ5$EW{wSM2$`y3uc2k%c7T9DD^1tykA=CG#zizeV!6s-iqzsMOn&ql zOb;KT{0U9b#e=L1sZ6HY>6WcyVzYx=M5N1EZD~N17#3r^#Uc+Vj?`pHGi(#J*NqM9 zoOS*M$FC!|to_}fK7g^_^dYAF3K)-(P@%bsa}N*U9jZewtau1A-|^bDjY`=X%^`ESeCtVTE-3{K4?{+8=}aXPv9?@#gV(|iJtR0plSGLJT23? z)~JvxlG5ax2N1MyD_%~TF7X^5P%3Q;xIDf5Z;kH_Sd$$&2Z{5Qwu55GNy|5FOpZ?X z;c&dI$Y_jx31r`wMd2{(%-Y{-m6e$~OwKIGnVrYfB!w;D(Qvf!dN?2gSw=Z4I3t^Q?8X+tDplS=b_h0uMG? z#D?57XXA=;m{Mh3Z*qj%neSPO<_Sf4J~i0K4j2F{;hAO_dASx+c}&s)Gn9Ye6=nN} z@!DFb!>P@#NU4xtblVUw*}R#H@5sv3JFf*9{t7pe)0Ad~#|Z4W${IYDu)0ZoYG1OC zV339{)SlS>X|?+RA#7f&o2|BUu3VyL8f{p>(He+f8R2*PwlBJb3V)@0USeQOSD+mL z$1K_%x%k;p!T~|*a?DwFmOH5wwPu%T!PiGq{pdTI4hJ3?|o<}EoYi;iS*+9SZJZDLo2y@&P`@5$h}LwowiOF?2)b&l>S`B_}S7(1G|I5jFu z0mq&eW&#Nwr`mYO7mfFMcypjp%UceX%)lA>%D~7}#m8H+-l;l+%E#GW)LFyWIQO{6 zz?=IXi#<)k(22|hKCiACBb+rvcmBxXg9bS_``q5slei6fXcT;alrnYWc}B)Yk&9CH zIn@$b6ZtxK>ua!kZ29y+SK6>uT5=EaXQ1<1>2LnX=0QIHxs~<_$yXObWW}@tqD8z| zQQPErG3NMvGZOqnq|F!IbJJl=opLus>Cj8LQuHC`)EW?5u)=4;il2uWj?$P;>dLA_Bmw-1TXgc5 zec*Y{ec~6OGjNsQCba}^-t9NFWt6WcF?TCJMw-$+FA#IdoFO5bdnX=EPr4S|E-|uY zx#?=8v*ar-jXcq6k)Cw8ge29&PX5GBAyv})7m-wgM&^u_YVJ-Hlebnp<|*Phq-dtV zd<@zS6`J5)DTPig=($Lj@H1}}s(%{kp)DmyhJ^=5iUp^g>nAB~EatWD zO}|$wLrKG&7vqVuTRO64Uj4pMN^KcQI?+7Mr%E*^(2md8Hmlq<(6<0>xIW^z+Jx%WiTtt`6h(mhP!*y!g*)|ZCSui?|% zYm$yS@W$W6PDwLv{Q<`jFCNoNj(tq}iGW=+#t!xOhsEYnZt4kOR}%{>q)q4CK;-K} z^u{4mP!!>jxl}$&pgS9l&kq$dK~YQ3tQPsH-eg<)E``-!OZ(q;#fxyBKlh| zEhixXjRm&A^iiPbVVQToO<7G#516Y78ylNX-0Xh`3Wdf`Uj0UI`)M$fHY0FA%kS0V z;B@d2AIxep(tI7%sMh4<{xr}?=lq!V)Y%^1-b-f%gw4!~VMd1*yZNBkbK`Fl>aC%Y zLtWsF>}+>(2#zhR@t{Ch+*6TrSR=E#n1@2d%lxJrS6?UkSVsiv@jA=pnHx2G1yM+ZYQjEm-U%UkS>&?T^cWR zA6U}DT`Tsr(6@>IBTAmqY+3S{BE+~w>~0X7Ty%3k_M*WZ)j&`jS?sd9a8QsvC0zHB z=zPhFtYz60idQ#wY_j%O2=7r$+G?eD1bRt|)ii}EMZ(G40vuEP!*v@8-!&Fjig&1| zJN{?i;q`v_49m?((1x`fp(vrd3G&vP@B2#!ga%``M^9J^0#Y`XzS5Z#jt7OcbQYgG z#zJ!>O&tdrci-?`%~p_Mv+U2kxi!njrD2mbTI?w11XT3jvrOS`zgoLmuk4$)DXplF zy~Z-$HVf;tdxIu_tgplrOYhR)5+v#$fEoyUi0Le-1bsZVYW9&*|ISl3{u<*>3!k*1 z>y7AqQs4$VO}rD!H79a|*S!}P;0?Z9vT^SG0G1}?f4@`MQ8bH~vJi5!*}j%Q1y8Zt zugY$FTV#!u9<858ftE_~gKuHi7O7>O6baeX$9V!7U8TbJSz5ly`Y3W&du7PZIjkHT zfTiX}F_1|slYTj)aqG==aJ1pqRw1Ai8vx47r{{xo#!?=hKu}0zD}|jA4@TyX2sSnN zs6&`e%Tc5XVubtY&Lb|+9OSypi??2iE+q(!?`nCezQc}MNL`;p-2r7o&HHj3a~d;4 zpsP+paw`)8eZ`BCc9>JrI1?H3PHW5^UeU#bd`?i zqDL%^K2}hg`cjx_<&aHIpgKMZcD;z{$h$dvQgE;{QTDMjz91W!s&_u=ffkkTPkdqN z9#f5pl!kv0S6{<01~zpvATTQ2Uw*aCw~^6t?w%wlQV53jr8Rg|WTPP*aE!9K*w|;e zBjG13G7phtvQgo8upF}X@D^DQG|NS+zh0k>o26cVegOaTE-OgF;`TZa(jJCvEX~==wFuXx`U#xj+ieDK2eTIn-x(vZK_*CNR0w>*=p4WXUa(JdEeT|m_g6Y%-)cy!|{a+2JsHhxU4zI4Mk(&Hh1Cu6x@9K}u|i z!g4G$=nN_1ade?})M#)jX)YbF38>(J`UfT@YLAgY7L4I%SFaRwR2--2UE4}JBs|8- zD~sCCgwRZ5K;%uUN~(1Ur^#|p^6l#Rg@fc+GH76NxF#cU^d)C(=&1Q*o=%BQUX~

}@00<$TqOslpfry#rT z^AFZ*nC@zioTVqrvsZ=tB>b;lZ+l%`guJSx)3m8#YbX&a)%=Dx=s{LqjO5b01gj5J1sTpdu(8*;`== z`v{mAXglrUP>eNkc{{x#G<`r&%RPa`V2;|i&PuzoKk-dZj*$HKw^er?|OM=xgu@^fx_(|l$|w@y zpe0mS%I`$qYBHBpn50WB*TZJVAa#uO)Oy=ARLAY?@vL0~uarc@?mb+k@rl-WkYGbw<>$hKjc{gl|1+P$p_$bqxp|6buax3t8z`Q^*L{3s6%Z(6^+UgWP5 z738pH(I(e^Ff$>F`XNR;0QT6#qh`6sF|~ME{5_Vm>)J%Gak)K7K9-}v8SR&7m3f<+ z2K+@l%T`+0qWYF78&>stYSNc#7In2t3&VAZ`n<;Pa6p~C8;uy`70 zdI0vtEVVHrG8;#8%Q}92(bZR~nSNE+o^W4fhAC&Ir@^8=O z;K=>2il?OUVA{b|xUiuuT6Uc@Ge@2fP;6!E5&o_AOXJv7o^8ZJb9aPYa)&tL59&no z;ZO$qCX>(Ih>~p-oj7IU*w|U9iIDI@U9uf3520Nc>mrPls2QO9S2gN-UB7^1c?^L5 zU7p1Lw;1Jr%ai1lBo)Nu{+=iOf4G?0S-xe=9ISuQw2c2POZqDv`Y#(Z`(MYu(X`C} zgN>Qv??DpN_q+ZJrv1yptniJ?{uL+vB~P~f)+RfAn~{If|Nhq)>95e}Ut=VWzkUDz zjFH&>l0E-3M*8*}Gk$Zt|8e{~)5^%q$;$SBnIl#HGIT23NV2h7TdB2PYqB;RVxw-d zE;lGPP?bYns~|~K`hDm5AI{^?6L+t3#!c3nanniDszyqQgar(d@l0u2l1!Wp3^j~Y zSHLhfxS~q|WpZ#)ay(ZsP-sW&p5jd4C_ka`g}y%%gCp|me379ff35ecrb0{egND6?@B$^3ZwmF)P3EHH0>oMRYS`{3d!1fV) z4;Vy^1FOB$TZV5sa?jw*_~yntJy5o@RB<;XXFHdt7>CCzUvEODkBtDcDz+(mkEyb; z{fPIqQ$3sgTRGeG;T)`8-FpO!3zOqld11F_Hbb@!J2JL7LC-|r*hRHQ5gLFac20d~ z=#%M%EQ6_PdbfECur*HQ=ZFv9wuQd&u7!;)Ac$9=hrt(XruQS{v+YJY2ltx$SLVgN z%e=RJjXki&vL;hsZH?C=i{o2`wecRr(EU=?Foy;g;J5r(pWVgfQ#Ly|@N5e>@6*!M zj88Hpg`0EL9eA9UW+w$DbDd8LsN~Cqiuv|d(c5$PjG5+XR2e8&1FMxVhmU=-$i#`;xOdnP8ZH7vDX8B1Hvu;Px;s_xk0;j-Fa zc$7ZAfvGRL9;b_JCeBgbkUcl>$$|MV-Lqc_r?$7!NETF33UN+f{d=!2Ik!hhEv4?< z-VSfkDkvG_UuW0o5hW$@=sn54f$`WqJ%f|Cu1|cBH+D>KU+|<~-yY;6_1-@d3xm)( zPb=)qV_O?vLs!}4{@%W^b}WueUzXPM>(V$A{OlLqFy5^b>)P7M&ij~iMxrvad!%~~8q!`;m7#Ex4HjD$(YMY>U#uat zf0|76Zqrtnf!5|~AjnjR%kl1F!! zijfV9bw6wg!QpMs9gz1ZT&L=R7i7j3w7FupZ#JiN3iG+!ar&D{w{V}0exevkGufVv zs?=1h6~KP4%NCW-nXGHulze#}<-`a!+cTri^B;Sp%8l|%4rV3a z*wmMf+dv*mzIk@dy&}WZ?LafRz9$dK5fkHpG#nUKur$A9RN&Op+aLA|X?)MM)OVcC$GtWJ5;U`V((N3#UolCFAv z(VEjm4WSRIV|6a5X1>oLa=BIsj9J$#yeq#^m zZMS*%R7lsgG3ak1O-AvUp8p9O|NDeJ_b_8_P0e!EF5hMB)1K@oVpTHu{PrygJh5qQ zf?5TPwPR?6?ng1Yb3GUT`;|V4<)B;S85ftLVaF%1_^yNmO4?5_kiiO);x(!FfGDXFXga{RfSEy$6&ix*xDwkiH~@Uh%1v9SQh4#UVf&E4I@)(xXkTx5bzvtkd5Dh zj{{kGydo-TpCod8W)^2Q*Kui}C+~SZQYOX^iE!~=(`|*!h(P-oNOpk<@Gz@}xU2iB zat>WA=>{zQFPIH>$alWTAr{~Xiq@{Pl6(TcyuWHkC9&?Xd{VGANi8-P?hEDhk%}~3 zL4qWzOMv#USgOEXV4?3^{vW5wSf{V~Zas@qb~jjC zw#oZZ3L09`;WiH&9e4?rBnBr>i#!W2JAh&(=JQ?H3?!3cOF>%2FRY{6KQy=}^h(gt zM45!#sW1sS8?%W_`@1q5Jz75~*k^WywvAKlK^>1qDm+)m=!ufXD=FvzSPV?^H1V)O z16`l0W$&lJU_amKo-s5}Ia^T|>QU4xUo|u@C7}SJ+jeQ)=~aa{lI;G-O03r3r4Mac zn0i;o{5_tn*P@tKr7{ded6Nc>j8;|J?g%OH%$$?f)X=tsC5_KB;7`K$5^S^o0C`B$ zCu6kHJEvV%JcK((4fQr~mP@m=G+4>ywuG^FIADjv>md2q+j94Kh^~U=J1C@Ak!6$a zA>Bu#<<{Jhrd>AyJWvAmro=t zkM(hg&S_{trz~i$Nag9`F zN2Sxq9%Qo}2{4WCpCT48W%l5v9zRtUl3YYCFiE(@>O7FI>q^j%V#^zww=r8u$1G^4 zl`ALWkzDuD$Ugyfduuts)5XXv_OQStqr9#~* zMp2VV$@Touu;Rljx9;4uQ!Sg?AuMTp(Sg=pDs4qiq%Th4pz5$4>qKC95Z*^WU~IRx z9NgV8O>7!E{^sM!!vpCdzH&`Sv8LKcgc?`T8{+a-JB>Nxp;HZL-$~8LT1dg(!X<*| z|6VwXarcLOX4E*Wxg$KBIml@1JKnOCi@6UnbwKi28q{^};{^<47;R(w`9jsY?$}zj zV?sb9xQ^!4kW~Wb4}5c-)JnF)IGV&AL3_%bn2}MiUT3os5-3dkp7K0xho165p}!ln zR3qFtPRh1hL|o*JDo)`yJO^=E-`lBSe0>uZMNyO%2CkVOUf#}}#CHU>rJmU86&lId zKB_WDg8UrpGcgwno z+{RE|XF{CV*@bM#;3+Tyn)`r#^nMg>cHneRAgff4PGSIS^h3QBKS-OT- zk;Mn10kT$F}$(s})n|3lb2M2Q-N36^Qwwr$(am$q%&wr$(C zZJRG`oAYXFrmOp$s?*DV@oyqFaU#BZuj4<#^IHzV$-q8^BqDEmm8A0%#jX5IQZ@~b zp_bQWr?vl`4VJq_}LaknjounZBny4WMxq z*DEs@8f%2w0;=*xPfLV(cY~_r`$Adx=KTJ?7ZsQq{3bmmb)tQV8L+ za_&H5Q$Uqo(+xk{Uozv+pLk)Z2cY2NjvA?+5J0j-hl1_)Q&UVIVSGZODd_T$^ zwf-ejo>cqybFoiQwOs@c557}WjcNoju|emwG)gJoO6hn5cA#1yg9l@x#z~l!^6|;M zCH=u@Zs3qZUb6-(?X*W20BbkhNPtP&+tZ10B-j<~H_U0MlY zaP>loI-ti`@40BHwtHa4WWSjNJt@l&%ZASg@%?^#^juAtgM3LqcH4Dq7F`E6sDt*= z3vc1713d$gQ%`1bma+;7v%nP@YS`GG6KU4;4TrXt`jbRySP#QhRg99T$x(L;nn*oo zv7V;VDEaRyM2p=6F5pCkV9V9t0!toB^|Pe8O3Lu*y@ZkbrOnO%i^1`h-OwhZ?X;14 zgu5Dzz`j1nQ*vp9Y&^7RaEdq@3%0KCsB z;>%bKR`zemA(u#2`VJ-zC^POGm;mhM`^BqS%rcQT8&jX(t-Y|o*S5N|H^~Th&Tw_R z%ZX0|h4f?08Z}kVxxqD3YP?bkt5whnS5PKM7*E9c$>d-dt*r%e!`9z7zNbX1QA@dr z0=>9?{L*7;YLch zMetdo2qb>+BK}kQZx}`euu*A3g^`D1+91W5RG)Dn$P~Fh!OG-E?srHwjDX#wouV9q zNX=dqT~M)=+0^j|pUY3M=z5Xx^KPyRrwWW^`2OvN3BhXZgK35tMBKsz-0d50Jvu@sv+cAybkr)UEKvx zsJ|;4oasVA_K2_LzW9tg!p;1bR`26qjr3P8*7TzXtpL&oDvlBSzo8$uC5gcJtWwzV zr^WT=jl{-bjiOiH~s72#6)mhVZ<^I_r!W4oTzRk(@ z3@-Nll5Mn^%Fd66zRp74G>M!Mt_xp^M|MIq5qdU_c?u2*mfeQ?mW2yu4zId=gwGwU zSdBor2yB{CPdPnm8Pb6vc5e%?;y4Z);(QSk>Taod@G&{{-c2MbzowO^-%qv0I*)_P ziwOftD$d8!!5+T0nzZ^YOcE#X39mTtAFw>*P%lYfDKui#K8RiKvQ@ev+-Tr`(X1;H zUdGwZ+EZ&_l9OV*nXPi8H82A$4a|p>a~q&eF99@BAt_hFjnv8BIEC+ljg>YCsS!jE z0|<$^bw}aOot*r*99TL72qY8I8H#(P!op^^GU(OEK zR?Ffo+1E&Ubev&H2_zy;sbGC&^&!x`#Io@UGgm9m7K25{xiuCHP7zF_i)*$q>r*%^C^ zom8L2fE%!D=rJj2S&Jc98ePle<(6-){n19QW@W*Uok#`n;l z!XsV9qfV{(+*- zTS}X`5D0}+4rx!e{6Ewg?Kq@{7xoL^VgS+@WX88sW@yP^o}6i7>$} zS$fq;_YkDCkF`nT&C(&{qtr(mLwDu6b!d7em$?r>XT zk-p@Om7%zPBr|s&y}&>}l`5do29uM$)vemZLy(8)v>sslulTE7|0@TBL=EAb9L|Hu zz0j#(Wz%ZqVMK^+)pjjkMozvXFA)vyW3mwUYhC`Z6S7EV7Poi}8n1Hp>ahC( z7dP;c_?z$nkc2|P`Ro=a92Qq!5h^~W#HW`=Lsnm^*G;uY=^rGt@(CNeHHz5{wod)= z-5kvspKpa8bF`(7b4}F^Lq(jZoF}E^u~v(1!$jNh_kDna3Wn7NjQ#gk2WI*CXz(0? z0J+*PaomO7yRq#dPA83l=Pl&m)bCZ*{#mWk8h7Y)LDJ`u@E`d!E)0RT=VKN~agUzq z`}T`ls;2a$Q>3|t?Jp52l+0n=vU`x3?>xE~9)s0EM)J457}qo+DxrJ{dH4->ChNI! zLUQwp>XD25si26JFz0Ieh7WZ29s)Mr8gT}KpFw>PJ?1kV|N{v|;+{g_2E^%xR_>WdA(wQ1g zvcXANq_^8Z3$i`(M1t12FV1(fJm;-_fsfgi6W@hT7fA4dxxk`Bk}C7GtD_JM9o9sf zc~Zte*09H%!=zbxw8G8%<6OhFnamZY*RJyqG@AscRUVY zi-~whURobSY&QWa%pCkO9d0GEme5aJ-9GJ%FSDZY1k5R*Dt;G-ry*&=t7$33i)em^ zGNar^h7qGdI17Kcz=_XwE{H4Gr?T4`*N!Ut1uETH@QB{iTA&R%sYy<#^4iWUX1JVp z^@}qbIFHG{cj&xV5JVTy7bZuON!c?tzCz@e^^GA{N`O`1Qm3|r_c1Dt4JZuCz8&>V zy?d8jEQW5Sr`a=;P)j5_nT#q$dipTL8%JkvabTkQ-p1oN&naKnjXq*et}05D94}Cq zu@BxhEiqo5!8xt-g~dRalMs{PW9r{+c4Q1 z?|(i|8_jFZC{q-eHiu7O|g`J*1cB!D~4aW`*P~g zk+FpGgEHXh_w5tInu29kR?hw9f$67s`B|K2_`{@BChwb80{601@gy-N7qC=DQ(MtT z_@caf5$-2&=e0qAv!ON9{A>Jlfo@)}!)MQRKk$w~mOa?wJK*w>hj(Sb^h_$4l5!d2 zYL<=``T%}ZZ|Ejnah-=bK<_V(Oy>1?DX%^0iRDHV zJrG&&f+Sk%fQK5a-Cp${mZ7-)pc(U+GGrt|3ovgUJQ&FBqsBCrpHvCFh(@w`L>_^u z-cwgL|ML#<`Z7I9DJa@r(&ftp9SpAN-5mJ(~A(GsR3W15j|Q%qjqxEH95lda}k(V*OGqI(sA|^{(;Q&pfxZEL_uhqk8iam zb;9hqp7rn$$?{Rcs3#CcqqGJ+!$e0cNtbkA*8B}qt2#v_oxiR>n0AT3h`pKo^8tXa z)U3KH-|fONN7(q5hf z{N3whHUpO%2hO5G5ku4*veC0p+KjHJ%-~_G2^U|Qm;Opcwt#{TX}Now_d`O(hkwZN zo?%liY2;;GDYKc^O*JqTm+&NIlw!~pMD5wa{nWU1xD{@0C^|bfn3~{NFF9A_3DJ>K z*)#>U(aS=h!s*K%Ok=$S12sfi!}-6qm{Fo>#x_9~L0ZrG#urpja1Ke6G3jS~01n-e zf8%ij984YYZr1R}w(?ut5gRszV)JGY7T3S0O-H1O%}@>tdRyI82fEyI+Lp*3BQ|P7 z9M+Q{65Lt8+9FmXC{U#1^Xt0_ei(o(q+xA}6?cOvX&t~t(_V7%Xq01WRoLt>XCde- zF!yesX-V+#)z}W7j57?{-})xQ(!$$lU1(FWtA`2p3lYxtns1TaBkSkEaq|ae{hLq| zR$?Won3v43a^`1=4coGdW=JUKr5kZ*uo|7B&+jwc;g6o>4-MisyQjsFI{sDj+DDkw zLt*y2B6gTIrD@yM{ih2ihd~7i6mT}J3rYyF=&Wd}4z>KIM(eG2OapPz(EhlG1pFJ| z9F#T1g%TRZsWh9%sMb63ZL>0Pp5QTE+LU3=?e%QrKhrtOQVd)$RoH;vU45)@ zofWKV3j{H6qC2%~#8ld_nWr_}JUH~quOG#ISN(ebMYQA$DchREp{rH7nlMK@)Lrgb zuQ1e|D>>*$4(VIIvLXdOQ}#Fl>oRu-2}6$^B8Yr)w~XYhht!p?>-^_kFCj(78JVag z7A@e744>~3q1+O@eP$n#E_SCw)x+n*Xi3tq0a9tnz%+Ucgtn$In-LV>w>tD&1|K{b z+6e{NerQeu5K|D2rcaYvUs+?3B~R=sW31@-cOm{R(r)Mfh8{+3Ld`(?1Aw~2s*y#v zpt}keZz*kMcGdxdR5SL7;~EX8dwzmGkb#cuy@)rRZe)64H_IfkATv|hT!^SO6|6X& zD%o}?$!Kf3{@T>Fo2GPSv_68~T7RkcM==5s)m3#EJTL4HLuqZ;>C#UT1jl2SFLPcw z_y@q~*OT?SLmv%I|HY?JGZ?VMeEV;Q;-iEuZZHgQ2fY+Z+^B{d2x#J$wyg*Xgw;hz9apr*eq~7HvpGK~kc`W1u-NIZy6reyG@f7h_N|uib5V4? z^XQ>Sqv=MZqK14s8C?*}qwng9!V?et@{(LAfQ~O|%C8X#pEYqa`E`PnaPYL&{`*Ae5Ld@Na1(On8NBB~U*b+ZHee zH&4=W{1LM*Ld+Hrl@a#@5ENlBh9 z@>-epoD&SKp|1O0)@LO_Ju&&+F%d8MMMm};c%9qc79(;gk)}esj$A)ET5u$R4MoVY z?rcCm7SRSIi2()545~{A=Mtk_eV-I_d8R8W;tk#+Y+Pk2!lxiG3lg0e`yab!rd^iWAl#mUA0Dj3rr&CbzEvYA-Q1q2|!F@vA+jjKot- z*uE^zVOohnX-xK#I7$zBD0Hj(VDzFJ$;*~Busx1(amwhm853GuVJ!|}nP$xXDKp#! z{USJYK$aA4utG6~l8BX?H&4hra?~pJM80jBovQvMRVxFaGCYGuAzO0b=oGaQ{r<&n z_a7AU`4tFtSgNU$+x&2-pHZ$kPb**>VB$-3>a8J%_w=}x z-DXjOd#p198#KN99bEmxLNE%99{nNP-o$%-kOSdDsQ}$|hH{XRRjd3L-I}bt++ky$ z5kyQ@aI!W`AMi^vY$jlI)LyQn28T4GWLqb=-QV9O^Kp%@IsGK#^JS8}f0gyec3sw8 zPMm;hDG!K;$TyVgbIaWADbrwRP!UImilrrFb}vy^_W5G>?V@)7`zLj3hf;z2`jS>RsTn ztYs@#szz_7+ous~n9$9zxV`qh{kQ!)no5VOqjTgf1}C?$tyg1EGOBawwq%!n4a4Fy z%Eo;>OEsC6E|V|Uzd%fh2GDF*n`=5fh;g3B$gns}Nx2M}v}f8jA|?O&-3(*3(yCNu zSt0>j2kGxp8rk)_ICU(rNy}`WyI~BFX=JC$*^dtRi zkGX~)wDBSIcP9gJeg~y;rsq13BvlQUA|8oJ)bOxgv=MU*cN+I^vP09UgxUR@t(cXC zk?(bdDEfN$a0Q~{Jj%wP^KfUJ;UdE?-m{f(G@}SS;yhPVH$L~f{gQ=1_(<$mRGzQ> zdJz=Rv^JwMRUd|qsvBtWCoAeMS57mt2iSuub>I{uLvP_*MPb}!adWmY9vK86Sn9I^ z)FL1YRY_O3iFzuER&$o`uQhJolpWr?EzFreZike+3p1aN(ilHL+3-Fhn7)*AU zkvosc>#F%<6y%|owLtw-HQrf8Ll0sZpGnNWtWzaMnYXI5hrJm-(vVTcFfadDe_qg) zqRuj^hTc_aWX7w#|1i!)3Beu`QX5)JzWN?kwW)LT+oJN$LSW2kR z>8sX57oXq6^xSy}!lPFE{i2#RKizZ;HBLs4sqSDLFpDX0&VF%j_(^{0{8cij-)E~L zj=zxWh86x&{RUEq!#lGa;gC=m!yPY|-=STJYf|gRWuNi48LKJ7jNagoW($OA5s;B- z`^Y;xj^4|Zv6e~{yCY6DOg}g`sch)fl*PtmH;GG+8DraBULV@>Xe|(nw`v^A4!)xJ zr)4tcQD!@=$6}2>?x;{kX`u{}wGV~uq)PSp-pUog@MILvxfe_WD3PiM13s9McyrF1 z3X1$Nd!0lLxF^jM0OnU{k`^SUY<(c2Ott#X3KG_NhV3Ui6|3@=_ku)1)>{s$TQcrM zV|P7P1aoBVf1eIU+PM{bu^D+IB=x4GJK|KRlV5D)1gcQe%A z-yPI6Y~0QZb3_b>5y1xZiq@@>^U9XudfjV`wL2DBXv7*U1yx z_6GXzr-MEtA`~QCIV^o$)lB7Cq!`KmQj7F_P8|s}sdZ6`8bhnSE$7<=bpa~5p^>%p zrLwy#hM}V!y^5@=W1|+AB7JL}kbL^U=| zyQ;N}b>*mqO*L9+e}z=|yFW>YYJ^-ppC-YujWPQOBjgvt@& z4FiU84^!4Xj3NzlO0u7h8UJ?fS-Z!F@~T?gaOn+N)X=XZIzx*-mfvIq(_2JYvZBIn zBVE%mLT5;dGq{fG*E~y!1^GVA4Gnp;yQV2JjZHfIJUfo!Ipw@O@p9%Ktjlzp*JsOccW{!wD`Iuw3{$O~Xs|1SI>3 z80==yi89MH0XXlHGZ-$zN80ThT%}Y7jv>y3H#Yxf)sK{x~s6;EACnsFT%CQ zC`)hnrnt$;E(2(Mu{pS(k!qgcm9X0BVhAL$gnzy(=I7>J>gFkdWWvR3M~VWjkrN|y)S$NILCo%7C3R+y<<$eYyG;_;L{3Yy zS98^#J{>z^_1xaHqr=cYG-RDRqrz4K!n1SYmk#eBO_?_nO}sBrRE3=!B;4Ru%lmR0CUB!HXB=F@FFf%nu0w%ZKiI<|R>i z_E{7xUSdD@2F@%69Uw8u9I*mORQS=b$bu~|Sb{pRtvBLs1qqitGFN4G$QZ9j;>PW`T)uFaAuuaD`ksDkZ8_^@&mW zKGScvp!+LwT>9K%uKtbcbeZ`>iu}kRQVJ@X3{9Q#B`0`HE5zVH9kJZr&9%29_0CH5 zNoVte62lU=X3><$ozVhMHkO|scho8o@^(E*^a2%x%VHk(FB<_a``A`n$$rl7b zZ)s{wAb)eUl*3sTjr3@UyxDe~RN*6wIuCnEq0TP0{g*7N{l;4Hszd8J1B1Z|#n;vY z^g);LX_6MzaF2@^4>@0myw^Fr#LK`lW>b*8*g25TX?}tm@e?~!NWuz)r6xpT<1Yg9 zKpn@&wwT3T$On4|4vvoM=4Pc#1)J4r3e(S0o0s;CwO59Zo1{zJaJ~q@WJ~!DJ$rIW z{T}&Yqi_uJSjR=sfW7<_uo z+jslA4{^gmJS4dg!)$KwP46gn0ak0nKIfz)B6#<&eJW9(iZnJtHEmF_KSSh^fuLV6 z7l$M{!WID16=m}R(YlZAVMrk&jwR2uukj|TlUKJd0)s9_Tyas`Gq-J_4ZD-KP`XU% zid)9OJ@}mL51cMIYuG`~VJ6vdudzmua#C*Ij3&a=sCEh%W2(8?j>GsE^5b$51%!}G zA=l+1yIe=HnyVKpF<9n1?=du?9ogRi^Mw<+p;*sxpCD5?}~Ei z73{|7D{23*18Mabi?jSXuEJ1GNsUXk*qd%TMM%&L9GY6=UYN%No;>OoIIdV7H(U{A zn0XL5W3jc970?Gi1yX+cj?M;_ih}NY55nGw%kqG+uHf=~mR2u=95vC~+qvc&1@c~_ zU_zcqD)|>&Xk*pNN!?c7@B&1hKWQ)3HnHwHqO8V*g#@5RiXCiLKfSr)AmW;u*`C$_ z78QbewCJC57#~QK){)XjpoXp!Jl8xN$^u1RwJgO>>a;QB}iTS#RwEi0HgY60{Svhu_=x827io~ z#?iM@YH$KoA_7rJM8kRB}=W@>aluh&i8pvVJ)A z^+uwlB!sScHhWk??LJ99u0|VuL0TV5CW^Mlo&wfzrI2^vUDYu-bwj*I6c8wue0XN< z+Jo4ca-GiUUu?Aq`_4@)6~(qc2N6BHT>dNr>$|6|O08{>Rb{4+(NU$}kFKwgUOT3$ zMQR)jPSM2QE!-2x&J^t-WpplNWxbeFd}1!*!ul>SWH2GwXs~Wax0ldy2fU>b+h3rd zHRHhp{f%;iAjC)OcbLh!y6AqsXeW91d-m*N^rG!fs#Ia#BREQ+eNjs1$IZjQQvMfWadOlo8=5q*BKB{zoAZf9V^D8gb(vB`awf=jN zx{x(4vtY-M)p#uzA|F$!8@>qcswJpbtl=zYkeP=QmP#x!*-}B}8;Ocm2KNJ%gJsrr z*eP%o-J+Ju(c4O@lNSRHyy80UR4rlR0Hn)+szmb|nCjNDRxXaE2G}wcZ$Q6B&C&|v z;Ab;Os(|)6^0tD$o2|{H)d#h>hV)|Ycct|OY2ckt@6e!%m9U3SD2q{ae`uNI{Lb!{ z$@YBB0o6ESZU6LKje#5pvd zL$h(H^q<**J;^;QaN%;l%T!{STNfWe87mnaTi^-M-Y0RBZ3m6e*k=82ra!M}J}u2; zI~YYPqK!GTme6p`=SRiuk62=b13Bx#Sf7?tUo(yEmK@rr0hc6zrIg*&2$L)poCas; z9@o_*Kc$>RUq%l-ou(-SpsqGTLd8^}oj08Ql9*Ni*1?*x$-3^#*n~Rgi@>wp1fbmn zBEWD$C59Im>iKP$*`Aq)lEH&%dV6dn$b5RxFVdlV2ssfe8+|kjKK;r6_~Rr^rj9mc z#2q>cKqb~%b{qIZbkHtt9lAH^^QTw}y73=z1X?kJ`kl8~x+;dwmE<&#M7!lS_q#)> z3vxqoLO$KT6ulZ8rjy5*ID{pROXj=gvT4*1MyT~ORxr=QoPi0M?orr{xJXx|kl{eT zr$mRw_$$NSG0(eWdpT9F`#1HsHR}-3nj@gMX8gHX-Q zI}TlCzMao4`!2?LpNHlg;4)8-VL1Y`AEu*#xc&$-GnA*Bjkpf^N2`%|tp~ogXvIfb znEfS9pC4zoOno^u;|kPiY>)c7SUi}IrW@T11RZva0UBAY!GwIvQN7>kR7E2zXC8>( zrN^zvC2EFG)&9gTzz{+>;Gir&yt!m0KbRUY#j^Z>;UCas03U*11@p2vpaKS=PtW6a zZEf~FoDAlA2i`C-i-kfQ9(wH&PS`!Aw<2VG-49RRcoJCk&nU%=vz1Ui=e>Ftlx++Y zu`av4`{Vw%Ocmy+cPv(jj!|~z5k9z24mVu&7E-~NNn&P5LqDbWS7ZHNqTYjb=P4Xh ztarXC&=oK?y3@|x?cj3aJ|3^EMsQ@$<7!`DKLNJ&tHI6KUM9NHmg&?uqCMo0Cdq4p z#UZiq9n1fQ3$RX1@`_4}pIPDNP2J#UfNP0dkl4ALuNiM3hHoMD)g(e$VXLB<{8NI9f>)#Xxw8QOO_7@++g2Vv+N^kn9{6*7Ooi%tq^B}K@;SiA7AHa^ zyzfTsTM7^$RX^*VJjbV)v!V-qt#s59s))U;N|ETF=N%;{n4&b7GJ)wG8iyP!8hXgP zPxmH~1|)$cj+^>9D!p6?g3zST<*w-20Q8u2g)c5mRR1V{T3~*E)2 zLprkYzk~lc|2O#U{|5hwDk;c{i~WD_pQ4?OoE@hOt*nW$#sA=vV&nMdl44=}5B`sV zfRl~kzg$vmod2{;|Hc3Pzn}lb|1og>5Bwh^%fH|Lf0Gmo+dm}lzW_i%dLepYdJ+2n z00G76CH~ucU@IOl$)^@h^#{XfS`sbedPyLjsHNB~wi{t+s(Qu@9qIWWJHL?9i z6*`+cnwb2DqUs-C=wfSZ;^<^#=V(Ij{@+G4{(~?4KZrvnhW~BR{}U?ww@7Tv|4UWH zM8L?-$@#yU8vh4z$icz%pBat+ySb{m&B)nQr;RMT*l?>|=^u2+MzxB&)tVG(Q)GyZ zy7dn~OsdO$y>^m|dvy6dzrpv4?jfsa1cle z9KOEc#Q`)!n+=$3IfT^%qAppoBDQIqtK`<|Xf z)c?K(?q8o>1$mRVkbClL2+jrw1t9lQGTPT;S8_8_`t(z72Jli6$Iee$+H(V#ht$6@ zH^2O91D|yT$ggQ=iJIVt{7T8%_@*ZG67T9mWAk(I8$h|v&d!O(4S1RL?^8e(9r?{E zYYHiNa3_+@0Uu-8|IWb^UGp zn8Wd(l`CB}eX5t4_A|ob{*AGLYYs7aGgB?Lp1A^$iT+K^YG3~in_XGH*MlwmGBYjz zAu}*HG_$$}WME_sGKp_<`oTsLc=sD+`u^ok{KfzC^&7nZOaAn;m+-mA`H@F=|9kE8 zb31=Px4QZe%H{{YzsC)B=Qe?{3G{P==})ttCu(GK_V)Y8*bJ!Y^>y3*)727s-naC< z=P${L{bLgqU-PbKiE)nkOAEpk0lXtCixTipxd*^3eA&nQnWjCnI=sAqWp4G6w&mA? zDlj%Y{cMUEN9itZbA4pto_^w26Tq+PC+@ND zWOsRaXBorQWnwm+e4UAwd8Y%7+Ra=@xvVekeCtoRk42EBLclM57hYfU9d4~u&}$~b z$0+5^99!H7{|i3&;&K>qPx>kfFJ)=k`x_sLvJWUl))6iaOIQGmX9>i)8P#ONig>II?^$ z9wnG~SeWnYw!jna{=(7lK>R(1;XBzcp`7CjgMGIh!%wig%dvf>=CtL)TS#L0$w|a( z>yePi2SQiSXtM8skogZONaq|yyDATV6Ut0 z++2=nO2;57bTGGNv}U3NF{RaS7fC`^(4O62rK( zDblW|K55l!i$zN-Ib@?~;SBWp3_ja?6iSWI*9#2Aq#Hhfie$h;_|$o)Q<>F1F9GfP z%8y+Q39955B5q|!^i?_>q)p_BKJ*b`1ju*pBat2AH&pqlc}$@Q7kCyS9QdDIXeyp4 zPl9;^*$W@aA8BMVy#8gv+)!F$)jyp4iql{;v*spi@-IG)z*0xBGCS}z6^k~+bu)aC z+0(xGqgyMiPK0<2SIh{S;O_ySgQD|f^gA6!JfWO#oIZII%pB+acj&xj%hKUcn>_m?^#!M!*S2L zCI(u&#)!7YMnf7>amV8YY`WHcN^}zfLIWB>=^ggjG$~kBr|v$bH9|z zmcQpFRJ~S3uoh`gGM8m4&|Qy%`)3>%%!dQxJR9FN z29;Gi&qD`%4QGyZ(MwTKRVJ6^VXI+6kVL8{fxmfD#h%ojiw`1iN)RDOmr92oIy#ha z35p3Ki?+v1k;*pR?0l6J1>+dc$xqV|qiDJN8U*JM9FA9;MjI|rw~i8fC7OE_q%-KV zUHYdRSRI?K1BtL#bu51D!~3q)#>e}Q;!Rqj!MK&ULQd)*6=luFe;`C8q}j2vR?s~w z{d>-a$`>dMLgS2RfuG0kt{xjr5Q0jNbu2*hBD4+JYWckTx!Jup{tUa%iUiTEi~>Jz zr;A1dLx!_zmr`$5IrNM;mfO8is%m37+AD0Lj${^w3QGr`!3>?vVaT8!wAtF^cR!zo zlblKl+}C#PWS!@5S=MQt1@wa(sd&rjuPi>_NGxk!3uX0H$_mVl&{f=}A}|vM;5aMj z52{6&4Ium7iW`8zOM}H}(c~O)6HnKLYEkM@YJ8fSh}5Xn)K?UyfJ5t)3|9S}R;l;A z*bywY2D9(srQM{mxT}ggax!+he$8-@{dS zj_UCN7q`AT>6yH*d?@|xM*3|$`RIQNzB%H;>lx_=rY4R+%Kps_`8El6AFJY#qybM5 z^SP4a-(^O}DM*81_sfPV>mGK^2{|$%*rLKy4_9f^HvISeHptz!w%QZvNJj9*=Grl@ zo6#cn89)9F_);J?O5d$Ws=?#F64GgI9@-y$yC9Kv{dhN+@hghC5BUP()2{Px_m@eu z8K0~nW-N0gsDh*<9-3cmL&*#!7@td=%`m;U4I3bkmTT}I1o;2(K4ap5S3!)1q*~cp z#-;3vH<%bwR3rPoV=RK!w;!Y1uPkY&({2`X1s%J3@lQQkLoUd{F zA&(dkf>JqRJy1&8>~2j3^$XfZKF$OHCcCV0@W)|{m$)jT&svHvITVnR^Ag$Ou=sb_ zpT~u64WZ`@CoAB$$?{#_Wm~f$kr(5d8vPt%8b z(W-pCu_PQU38_pzK_1pkV=WrEcmFHX98voLca)WGy$iAwrMjH5iyWLU#s!Bb!ujfAz` zWa@{t;8z$S5kp6Ymr3S&5PY4&O3$P;9?4zB4_f79@02r9Kk(X2E@vE0XcnytLdd4x zT8`MS;-{GZ7nnG2iJ3Wwz!(!QBr0Qy7Bx49Ay(JjAe1%|`DRVt#`>l`_pc#$(|LqC zP>nqTUG3;uqYVw5*gR?_Kk(nkrd^ILtia@Axr%!>K5@izR{Ws&Z6vZG57OmUe8r)a z2E4rVRlzR~Xnr}hH%r-UOZJY&phcr}1K>;8WjLGSL#$a1_%V|ZL96(S$&uXYc(f|W zG^$L79IpJq#kw?Yq2@kDTgX{Z)k%$k$prewS9p}e*#bXzG!>~9Uj4nQ?stK_R=JsS zMshzr?v~63cP;B!QT+$n(Wg`vi=UCX5B;-&5W7{$+)CTcORurZuHR=>_SL~8L&b`-?-K}@2f1VeCP{NR$zl3_zL|>WHD(ri7WnUg?D+31q z4b&b2&$wM&Z<(z2fif*~_^?bd0c~<(Zd{ zos_Uw`s`7+5hm|Zs?CX>+6v``R+5TSur|c|p+QY4?(96|ZtI@lB^ebL!r1T;?9=zq z)a3=OQYH}3e-vUy9HlMi*6YHaLVJid zq{e0&QR9+>(nWPT?lB&1itJk#HYv|Af~jwVAom+ll(7EkiFgz(bcyUSxGdCqjF&_M zqp1I@6-SFz%ex+Gugj0r`rF-*A2aXXXh=R5R?$9NV)jVBXwKI2R_hb^vBd_xT#A<8 zJWj@%b2#G%E;;o=4m3~wXv4_=WGT^7C$raew$+IL)GU4=cLMqr$DgULN8N>>j9`ka z%d->6{@BznkI1b)>DI%hX6vlP`T;lo@hRVfzj*7HUkuY)YK_8zsGxhSR^f= zj~3C{4-~dSy|%i|APnh4n9Yqy-|nS5lwnm<)p{vda^7jUpCZ~{B_aNIlgGW8?ri~G zoLci?%FwTm+&~w#%l>u0m{hPJtw$`#8H~gHcpxS3gN&?JYJ#|4{@i}F=t$Tx$nyA( z)vT*j3eOE*-rEHbbFU9b?eF$0}XIOOrD0T{BP4r|el6N#AiL!ka zk)1(a5;XNny_>zHU#q@VE-qP8EN0DKET13BiieL;(@)!6D*kgTF=C#o&5AVZv2`(& zcxWJ`+Uc0|FuBG_!RxVGb2$0w6=#(W$mnYg`Q^2u6#NxyK2|8(q;iYqnGEU4dMe&2 z`3mj*UkGr4n^bHf;F8RiF2}4#R=hiHm!GOLM>ykOE6%cttOw*~X*^cM1VioPU`G@m zfC;h;;=W{%ov$`0mshU*$Q;KkyE_9?VEyT0**A*wI9L#e#Px5Vid)1J(072We+-5xR*pwRkc9nMH8p1Q9&$wa0r}kIcX^~&d{Dx;DBFFPI=hi zQd$17rTkCA(kg9T7t2%U5nKNOArm4StE((Q*_za3hi#Oen}d}Flpvqjxp2H{nm<<( zRN%p%C5VG2c$!dy0==eY>GHHX3;hh|Bam`E&7M++0!@zt*7kvW)#^23`~5czR>(O>Rub3o!R{R z>V*oY+U(R@z#`)wbeJmPqlRFlCv;4|lEKWk^Fy>P8Fpe$3_4WoLQ7a)XUHoO5{(g( zHGWSmmnS^YFURvwz;qsDjy}Xgd9fE1+1(_$R?$udFxH5Sdckg4!+rlqUjS^HI4MH& zBh(>Jt=GLYL@R^74KLInJ9k?o&XucO6MwV1we#!xxIXIE0B>yX!raA>$a7bhX|PCr zve9rHkR5@+u@bzVumn6SPnM;n)SPsB(G)uc>%;b%GqlC)9)azDrO{s`lpKzfXK&4m zHX2gczVM-^n#L~Rtk#@v|}^69h7IS#5VW z2M&?DN*`(;mD?SEIb8Nx0j27adq`Adf@(-reNE^{2VM6Ea4XULD&d1430_5L18h%Z4OQ5gKMhhdFkT*~=83 z?>!dGwag1OVOPQU^s4!neJ&SEAa!sDpYs^GSUwS&E63PuaUn8=rLfMjuulCrm)yUi zGC1N#)L)y{#@%??R!t0|Dv&!`cNtB0q zs7oLU^n%gtCybDzd(1RxFRX|YH}-Oe7$6TBh1|fImgu<)h+3xN$MPRI5Tb8zNe7pa zvLso(nQN5x7(gX<+=wZ%c0VF`rK0XWCDTA?vxr&*dKTgoiD84B z{$7mwLA%C#=+IBImz7uLqJN$c>>g#gtohsA6j0o^V3@P3cAnqU zjd3MF`!SZoie<;_a=pFh^p_EkKQ-GA({0!7-%|*^3N9Ron727ah@?|6 zuSx=eH}LoTuMa*3#?!Z^r9tWVj)3;{Qq{0u>H;UWCxPw-+Rk*fW@U?t8Fbwb%FaqB z#EGspnHW(xNgpMDa;yOiF)kNa!;p#GToeDc{rxMzo)#x1g+kiWaAfJ2%F4X?PyD{| zfO~}m>D!~Tabo)dI>863f@(aOYyQ2s@ciKJF%q#zHLvE3vj|Agr7D1R8I2e$xo9 z@lA#N^c6wE*lu*h1cHLWab@}NX~MMCCWx+^>mcviW(Loiid15Ldgy?qM9a}0JKSvNldn2M%w&So2 z)T^Zy+#IIY&Glw~SJkx|c)GSY)=^mf5^hziik!@Zs1?|=qvIRlyQSc=o=0)H#-~kO zfR?J)VK)CbM5}>*15PjCf7i*aT^^{ggU3OLJLgZ??+|7z1GfpXKaRGHcdkrkyVmOeLn6}Ge+G!^?-j^eC<0O%%(_eL(3QO^%PYVC)n=?i zW!8r1kI2VO=#>$cvG2saZUV=kFV?OK15Vuu=zU$rGX4~9P_e(p#Svsbemr$?UKx8cM2gGZQJ61Fi$J5X4h7T*gN~}1CdXA|uv0;9G#@&9*tB%m@ ztw@SIiO61fO<{I3H9_(U%7d(fg5fI}XF2RUcY5{u3~erc$-DE9xP+P#V1SDEq&Skk z`(whYq$At)5Ut~0PjM>eWvk9nrHE082$;q`HMo7!~-IkMZMH zJ@Uh;A{jII3cMhQNA=1@^Qz&x{|lxZ%}!~mRu9yt8!bTsc<<1Dy=%}cVHKT^#BA+M zfY|CmhNf(6H!Mv^_vlEc^t_GvB7z$cA~HW^#n7DOUC^@9L}0js8*DjM&xf-qB%@~VfPLc zMgwtK1`*ItH3+rYI{Mc6>dMk3W*@XZc%sy*g6x1MHgVhEI+27DxNh$Tu9(*uJ+H@W zyCcaydMZcqmZ~F!Ko{6!g-)O;0T@d=oD7Yq4`kKv9TSR$31WGaA>W7!ndcAQE#k!D zuLl$_NLg|zCgY_^GnpzrT;vQxBl3JOct0TNUG%vkA6AP4z-6WJV(ikx_vT`MMxf>E zYFZxF3oEt-j-{aP&;YCtw=TI z%Zd5{j7-~c9T&XS?Majc+`F37P=d+N#!|9pqL6c$3YadePDa(-FBABKMxB<=5dX(^2y^yPvOb~(%qpR6x!!ky zDVIXK9rO_3kK?-UM44hfECR`(b+4YK7K-@?HNl#mS4woo%}vPj@e5$H`VkE*zE%%J zb&C<|_z^E#dII^_-+Z=^R>d+dbm4$8G{D4T#k$H9s#w62s%je3>_Ou~twW4GHm~{t z>+6>>$A$y&{8oeCH^pk^hD{kx)GCqbCfSd=XHfl~C^y?PJ5%igMtx`Nz&TYs{so`z zruy(jm)v{q2YILK6MBTmTupc>upa(mVmC5)>_+_52+#3~{qJQmH5bR~M}Fe`AzB%6 zD|r`78JG-Oulam*jg(AHi}+q72U>~1xrActlJ!|x>b`$fbM2Gi5$ zXF^Q-1peAXWv_*(>9tw8#lFVQ!?R<(fnnaBm12*u?oki?r2j~2AzYS5Ak&-mF!ZLF zk92DdkURJSY35wcGS@-PcXOzvh!`;|KO8sH!cIo#z&@TOg&WI=G%V)wgh^?}#|7{N ziTZu>F0I-}RUn92prROia@DzoYu+e`T}yH@jI{0B0s~yrGqbxFuBtcL#7Q|EAHi># z=J)Va{~$23PP$mTiYO+80>ID%Y1aIkQM9ZfBvO7d$h=FpU5zGJl_~>4Z* z+*jm}UPr&6mR($|v-S=3wedR#1drARqstM$!rn{OJK5;PIfYsa^4!~{#eYrfLOgKS zi&ID@1Cf*-y-Plkd%#3~a~=$w)f|Prve>5?FDN>iMjy)wW(=rkRSllt6&lEB{=&fL z5VH4DIgW@oF(saJc?N26R={NHi#PH748g?QuHGoJJ>DlVz|wUAKkM5H(QONwsm#Dh zM6;0jw*ccJ3W1o+N@z!Xj@5}Ufa}w(V?6SdN*J;iZ-dg=$NtVzFf&pPkqzd)wzy(< zqa9EH`ItWDGO8&lGBF8~emuSeBGK%RuYw0bbGzr&(G0$w%fqg`M?C~A&rZ^fz5xV5 z3N_sNGW2OjwzOPJqc$ZUVQa%rBGsRn27oQw6&doem3)7oIumP&?3= z+MMtLNKv4EBQs>gV9zM54?rH}Ufe&bl}nQ^P{cu#T@=*^r=v6FmcwwAp$17gpA+>5lD zo@O+AVRY{GQ@g-~4@H4mbKypnfQ{{NuacxaW%;V?f@$FdQF*&dU2cO3Mh+3B zXBJNY{#>4GMh2$z1}QWkFviz;^EQvcj|Sq_b8y`A`+f9ThSOPQ=!0C*i}Z?ViZsgH zGAw&fyPcR`F9Cs|wmSj4|`;SejZw)W#jpG{9^h3ZIlU0G@PfmMD zPRr^l+x-c%TeXshX5?SEaNldqR&KpxW6gqKJK%4$_Dq+*AZQXPEM!6w0aEG0Z9lx> zwah;%2*ebFtd|?u8F}A4D+oucUioUwIV?$fPdufEaVTBf#OF+qt@++=n-3bF@SRK(8yJ* zF?|j@L)Z8mcgYDE-zkFqX049A>w1Z0R`Vw@IwOg6i^Bwv=Qs$$i&)is)d zg(0=@Nwl*|moreMORv(oQE~KPf`onp-&z2dZP`$(Lc7eQoiBdNE&+Y)%pgc2>P9P} z?$-^g`jh%~@LjybyJ=Kld0Z$+*_Yh%WZNjNpx3CP z9_Csrx&7W}tzH!aB*YD`vX{*WWSB5L9Fp0~ykcu%t=S%YEK0;jlb=? zIh+-XvBoA1JxkQhiA|=ye`OIs)lf$rtstZCZndw2wLVBb{rq`U-0Y4?_QvZiGuj2I zvj{N=C5#W*jqhl{wX0R0KR6B-V?~2t?#Ki7pThag(}s2V*gC+uK=FD&x)h%DlU&Z@ zgEHnI!J8<26G{V6R<_lDc+Mj)>SVxDub|o!F3aKBz9SfRR+K-i@SL*fsdCfmEGTxl zvy;vX%7Fb+5$$^dg0U%q7V*FIDUP1!WneGi1iB8Jy9j&8<*IvAt#9iUq9B$+g+f+6 z;K1V?U|$5v+mo>dS?j!`Rz(`QJ^7p`_H(Vd;~=ZTqz!b4f)A zrhOAmQG=V7=^hRmU<5VOHmi+z`Z)yMR9|Gs%q-JI;7a4ZEufPY{K2VtRnaTS4?E-I zv0N;8gweZcz!cCSxXwLp>it=<4-7NRkF?qO6PN_4W{n*2I!9bdt(4F71Z*jThj&b& zP6qY5?~t}tqMk%tAm5%Z{dh0FWS3q3;_IL5bv-g!lch{xUgYRwvN-5)v}g~x_@+o#YBO2zfrv=l{c)yX4^tn{8z5wb6W zpo&{#&5NNtB^3lyK%9g7NfQW~ok8F&`SCk*nKv$om5dA2Pq~sbpbjZq<77PFjj*;H zfRm3ZxIe0tD%w=VAQjp_yJJwNXa4g%$mt?n?CUA3kFg3Zn|>lNY5D1p6mqiJg!8Ih zAK~nU;~NxAyMU^)!Zw`z;6+~+R-3bQ!Gny4i(*=nh7^ACp~&mG2!}rl*Rha^}h8Sbb>Ijomm{>2eN=a=xReoJz_33E#|ZRO}!&E){9F6F$b98p*7TK_q0#30|e$oz87gHJRkmj`yRa^JU!a>1k-9F0Y$VQ81ph#a=>E_VH&;vV?S`J z#(ioh277w7VoLtlS*A;B==+cfpcoMZfNQjrjgTOP5?tLO|%UX=XWl>aP?u&5GMC0%<-@qk;19aFsSD-?x?y-Vdbrtm`;ooVDz z0H*xyQ`3OQ$k#Fw-u$PCc^e<%yiFWhC1(ED=Zj!8bn^;67*rt-10NiB$50#?Zp%0Z zL!=;PMk~2RraRs894UK1F$bGXWT}|`=rKm)vm}-bpKAc>`nR@{pyVu>*Qad7nl+ax z)bnlJMPx5JJ&q(>j1qXi=?DB-;HjLaR-?(OEY!r$u>Lwl$F7F)* zBRhOjI%e~TdaB#8PJsBy$hA_^%}q2ECt9o2du=d=Jr8vXGxzI`DQwU0e!sWR6FyeJ`Owc%_M$ z@`{`VUaAHG{sy09gGWqdQMPHFTs}gQ+8lh&;h=e^%1t60FI%5L=q@Wl{b`cVE5s!t zSW~3AU5GDYCS5?9x8?kiU`(yRT7OCl%DgoxVL;%Sg`>2Vs}?j%$hN{1O5$+8mV&@< z(+<9UPIwTdE@SiXB~R`8!rJurK$2`?5338{8mo9~?2qJLs*M6qaG_U43spC3qR`=+ z1VHxO*b*!Eo`^C@m@!TGw(c330s>rf32|HiLn!3<9^Rq;y5F!`t1=Qdbb47|UdQx- ztOAS(4S7W__AiKj9|VO!@u7msQBLf#HIjoOYxIR^G#b>w(I zx<7TofJxcUsrxd%yvAujm(}E+7&VYsug6t1snEu-;lV8NxI3TGSuX40CboBabsQOj zDlh_o%{XMhe&GwuLH$nLoUZ6m1K5-d{OUxU6=gF$lTQS$mn<6NmpQe+Y+7gcVc03?h)D z#VRMV`0b0AGjvcCOpvTglk!)$zAI0+VQS`>bX31jonTasZdF-TMXFGD4u*v!9NIc?SAy7_=N#)Cg!|G-MU2m&lAY2pM#87LxZod+~iXeTN8XonzKVWy%O5IE3 z8!x+g3mi6sDgx+U+*^f%AjdRMMUeq4JQ6SLS*JJM_5FX)cujlAxuArZMXdEVi%-s} zW+3h944#NvwsF{&ra(ijdOFcEkR_c@BL2_>DPOX>O__$|l@-*QQ3O(ni)=5yE@St+lo9=9 z)JV4KSTv||tv+_+k9N!*S_)>Y{2LBE1oPHhccz}|QCdgH7lO!0LlR|8$0-U5UnSbb zj#yKVg|*ZMgdZM!CccEY-i|})2D80l#LnOsRIMpJT|8HcJlyh`E@p~|q?Wmx+WzA- z%A=DEvSdB=x@{Xw6bu#|i9g@*d}?6pr(&UG7vX7Yqg4aGOaQm8eCc7;F}iA)q|t-n zqEF}$8gb^IKJ)Rh7RKf)&MF2h@E~Jp2rr|*QkH?o7{GXRISCg$zehP}$T;a*);k-{ zV5O4sm*~!t{%{dm?EXvBaeEXDyr<#cO?MWC0=UfKl|-GT>HVQy_ob5e(Xf!U^Z*oK zZa0r91Cyb7_5e!AODOTs#(h*yvP`rnhRA=FyCosI@Go*SbM0HfKVVAI#IVo6V0{VN z02Uv6oVoMA3==^xA=$*<>izsUt0kx@7J6p}7&LGQ&yB!{R@O|34igQiX zIib#oNRdN9U1BZ<$%i723ruqzqW%4#5rH3=|5N{7*{ zFMY#Xbg92jxSj)tY`h<*yDtAx1gVAU)EzR_fds~d5OC$lefCQGi zp}{!e9NmmGH-ic)>=3wnLhOK4b)w6=1S*~e_;$NUwI5hC8G$seR)l$I$F>y0s%;3u z>cbGK!2*TNP<#)##FhDgdtQ~eaOKJHft$0}?X{9xsM;sx2FM4ik`8Es6ZF7N;FJlF zdiam=d9F3uaRQ>QAgihh+FULj*YH<@?=E-~T=fAo7#%>Gyp) zy_-9K>w`1{vi0XkiK}{kyx9JbtZdpA31HxrFrE9DOmT=d2Zq+D&iY4CE&)BHxny}g_G>$mOk%lh|!A~ z)_jeJa*t7rmjUe({IEX}TN*2tX?StFE z1vR)Ht=aa^hqUqB4TMfH^XP@?xkEyPhGX^N$$9QKoD1P%q~pXe_x* zl;&Vn?0Uka0z;QfdNG7NiuLPb6+(=-k&_RVjLzQ^-`+^<*MIp1LwOB^!0Jfj2AD6u z8kr+aG=G!1zzCWs+wE2$u{_8S`M}%K_i22@>3BXod2A|^sU7gX?H=I)AVk_Zts5kS zY&e5UJQZ+siB_D2ry!9slEAG}0=_2)?n`E;957c!>PSf+VK%Zi+4-kg#O;{qxF9l$11&W$n*);)y|kQ~8^J0B%^-t=Rtxi$ z4H|IbGD!zhX+#(cR${GZrM$VmR4l_NStwSrRZlWjnvF>~*dUarl3>;}hl9_lhI9%V z8FEqZI405If&MshnB~&r(wc){TT=Q|S`eg?OJ!&u8By?ssrfu~Jda%&4O(=C>(o(H zMSNI1mXwGS@R43%eHQi zeQ<`FiV^?ZZ=Hrs8L>y~75c0^k5zSc5=-fczbngVie}4GS+K0JWW4ieEn$&2ZBD){ z-84`#4UfbY=jO>;2$MxKYHb8Ap+xMwVk- z)_Gt#-$$a^76Gh42$9&*gBBgMlg=h~&22ovP*njzi^XOx8O!o4o2kMY1NHSMe6e}u z0d)T$fe~mj0LH1<`xvb*golBNl~r+`9-c7@#;^A>`W>$m>L7$)i*sa28w)9`VZD)x z^aECwV~$(YOwcSNB!sD;I#QrAKEd57ExQ+%D=jo>x6bTwEGKVZB(ZMndHxC%I9q4i ztkxf(84fOIfF1*Pm{=jLG8+uo1DjHF3y+8{5)yA3eL zaR5z4NKDM9BiA`)baG@hwjn{|u2r*N;P&5YO-m69{2h)V*vKN$Uo;ok=AZcOGmf2I zA(8bBXUQa=3rzwWM@B$22Cx|%e~{TVChz-~`mXsJl$bBsvrMHP>vVmm$d!s;2N3QS z3%lx1uM6uJrU5#}sTc)mX;M;zn=vcy2yEhh%bEQYS&##{3A8U%VsDWIiTeH4uzYwm z^4Y~ZUWoOfVrn~5`KDir-*ujEWgaWrG>v{&81gt;mnyqpK<4WaB zljw7?8>f0S%K4WY2Vl2Unf!2PRrF(8m$EVrF20T;8QdB?93U1uW>6QM78|4}2~8;b zOBDLMP*lkJBJ2~IZgwcfsQl2!_|SLz>CuBk!pq=g7mD!SzgOqUVnvsI`q0m!QImb7 zy0qNnweEe$yGyHJrw|OMpCqq}>9G^@tco)hv^Ol29$Gz}DlM-5tU?Y*Mx#HF-9yy^ z$7(nVz6NUzthTxx+anoqhKcPYS)3dSbT%sd|U@K(No) zJ1->hmz6IaL^_GgOt!A+v3lD)SEE~fjPgKm5*FL;Lz|ueOgd1@gTbqK8zBn0H!Lub zphwkOzsUgdN+1((b+J11+p;WenY zQR8WowR2i5!QL8Dh5VIRrzt-q_#ll~F7O=aE#{1f6X?p>L*23{KUCz){A#Q2HSWyX zKM{|KuHZEoi65eVEFk@i+ox}V&(8-d;I2;$`Fj*33AkEYe1s$1)Wi=t4)>0~@b>e^ z6wy43mAB1fje+eWWAHA+Pp_J~2-WIF*~>hbJ(zhYc$@TDTg!OmjeSkS{LL686bd{4 zOP!Ht>PZB#gmkxbvqlP1Pc$3(g9tRbTlq!fg68Z9qJ3+sVGNoi#+v=ln@x1gkR>UC zE_?NB3;cox;E^jU-t^~Ga9Y;{_*VzuKp-FX$~mY?_HQ%mhl&P&Nu0rG$=ZgODB@*; zY5K4@)aC@>7_Knw{Mw~qQC^kj2qM#R`Q;*IC@5~wb*+eH)cVrgZDIFdJockb23bLM zZ0*;O99v9U?mGVmulj&&9ZTHon$=LbH|Qr-KXV^D{D8`DQ##%_%(@fcER<53<+oT& zy zG*~|P@gN9Q;6eU2UpO8DckZRPLM}JS;46|@;u{Z;IZNg_%rZoaF%D#JlWkSrMgn8( zi6D4tdvO)VhPBlV>nNu)o}@jYEQ4wb=fH&6>uCKJW72}p2&Os2jTJhgDY9LyYS*pM zWmz;{|2VfX8(x|S!Mk{T6k~NNutDBx3VPmVU$%6e9ma08EQtBzYN8j>)Yc=&+r#x- z{#oYUM}+BQ?I0_)D%0aI~MaQi$r4ihu(F36H$#&Ag~;_16MbML9JFN zbe1bpL1=_=Ai0|n2=DEml~A(;C<}43?@VhD23*gNHNw5)rMNJtC2tQKN3-Z zuK@d41L&UG9$SWe?PHb7=7&VAtuB=VC{%FZd;ssz#qdGRZbR*)Am`(g8j$=GCcfG~ z^jV$$kVj?d_MpDZ0GA?^A%hn=HIkO&wij#apn0D2W4g~zSzvVK`x=6(B+~Zm-Zhy&WNuvr33*rI4{uy?$$9FY|CxO#Jl&Mr zvdv^m47aRvNOdey7!0%|kRZW@|D%vu$DUA{!Uvni-)Wzt{9{L)oZbcx8alt-f(ELG zznVYJamu0PU()j0EdU%`LB`*KPD8!=dkkBSgzYY*sIWZ?(!*^Vp+rLc4SPz$?*_~c zD0QoCvOk1L(XTL*Q?h7%hUvhkP{72Omt``Kfp~YIzuS_ojUK+MHpbgwdd&Ly$dT!d zq6LmEYSb`IQUiS9%fnaYLB&kPbrv-VjEpOrGMf(*X%I(Wa2!)Sc8}fAubSHR*p`Q~ zDM=(0)`pqgGihK)y)tD4yVo21rlHg;X29_*tHdSP%0DBV;EnS6i61qtt1OGOc`oP! ze?;W)CHT>pBOH2s)r%Z8*~A9Je$GC;gG6f6sz)4*lgalW)l`BMIJTBeo${Q9ZY6+5 z-#HavLabwBV&~d^puzPY`x1x<9b-t2E>yclCDRUa04Guf_ACj0uNxcMgtT)WPn&;g z$+3!WL6=|3mxlH^QJ(R&khG7Q zYM!YlQHjELddQ--Qind@wmuUvnSl;VguX8N0YpMMz3}$110$9c`XsP-P294wXRUX| zYF*jpmPma679eYacslp8#D&zPMy@z>owV&VWZ%h6k!d^`N zx|@%3V@lDq09wPI@?W-u_XEe!V;M&dbfuRYSw*)6E;ef>P`9d;7W^W zWsvM3AE8v#nejyp`#3S1ISGnCi=OhK8P2=vaF*EPt&X&Eer%P%>p>z|U-&cPHVwLJ`iar@&# zVUT+{YzQT|<@Cyxsv3oBSW2o!}(}JQBr!!hHxHrV9)JLg&4);nd zU%`a0x`#(3ErGv)M^qz{!!Ue_%b9XfB%>F%u?Y+}{|P;ObtKbxGI$T@qW|>#`zr{I zF%6RGS`0hAAo;I?3NL*OS_<6&BVyXZ3hiler(;IveCwbxul6cFRiJVlmR2b_``Y6} z(23LJ+P~rn>4vvbIA{dn8PXt26UwSQ9m0yD)!d%yXOy+RwJhQI+TTiQ9%BX3&c>!m=F7jHDzW-x9U(Dp z5AC4QfG_!@SF9cQFa~ZgI@pS5`MXEI{1~Oh6XoT3$@s3mZNSCUnsrQ8WUA3@W5!c_ z=SiR*J+H4aqWOJ3oN5IWNzhCmQA`0OgCC6Qv>`ohh3KZl-~w2cWJfpU-f z)mB87{ho1G@3!(+Uu_rRqVpcYbi#X*$h9()eO!Vo0~4Y5X2{scn)!>$gV6#|eCtAd zQRH}`V7=X;uX1E98QXXX&!OT@Mc1u4!i^3rNK>=_I8T7?O4&qzW1!O`KrJmM2+-K3^Y5`VH<(6goA~1 z8O4M2iuZF>Jdh*Jq1WjkQ`4g>DwTQ^;dfbRwf}vjCnQy5BlkCPQE5ll>T+qYwf32Ql7$$IFt3k8xi4f`H5Lb^9^SR$ z5_vEU{+qdh%kL2+f{xU*yCy_cGjV%OGr8&FQfv~{y1Y&t40}6p;!d7lY1^u=g@681 zX8s8}|HTq|G6>T|LvRlVV_w^?Pd2Y*wQkX`c)U8?2F@fBRh3?cBag~A*#0x;m?1P3 zJCayuCRNrmTwBMp0jcY#1Qz-EJc|)d$LL_FY2467xcK}pKVBD=0J+9fWU%8yYdcx# zk4t8Q>)n_S-&n9(*Jd|1tThVqMIBV#{zq0yB;{wRs7dTdJwbROe+5Ff1hVbFH%jcO z$I-wuFL|jb23(d=M(p&_1;(3Bd1)DTnYj4Gv^!_jlj+_W z=ZUPx7p(midAl^R*QAEAo!u3lZ!Vdfp`8|la7j!b4hPAp zY7Wj>Lgj3>w@*PduAJ#-t6S5p#Z})~WWFdaz7W^HCyY3I4d)OlXEew?|2Om&6XXA+ zK>h#GTVhhu3gROF4|+?{#LW5sgWh7|`0w-<6U+ZZZ?SXyFZ34cKSk?*&|8db{|9=D zz{|(_~_7Cy;<8JroAJt_JumD&BtN_*k8-R_ujS0ZU+1l_Q*JW;I z1F!|y{@Y;(urqKlvH7pF|5xij=e9F(Ft;@Z*aPgHZJkVv4gZbg-|+r>@Si^a75%6A z9~{iu{68c84-@8S?gseJ75*Q=Fc*O9f6y?1hlztN)xXKKwQ&+Nw=yAQ`Y$Bxe`Uj% z{-+z}f3RUJ>@a};ME}?@CJyF*)BB(Be__Lz**KX9|J(Ne&xTby8Mzg2HCS71Xw+M~ zT5V|mlfzmPW2|wqWw|cZ@hXj+y&k+jE*obWZ+LyDdHI(;wlxYZl$UT>BLhSvk_A^M z`@kso^l!#{`$s2Xy+$vMN52yVB}u z;xO`{SwO>pWq_-yfPUfQ<8#3Hl?4{2HYNub)A(uXh$jA968+Xo>Cpxv*ZmRUBhjg% zy#!9mCAb#Qf)wY@>$;#A`r(jAhXQNW1OYx)Z4vM*D@bT*3Ly2Z5@@30E zG&Qs|fr)Em0$=X{G6ysI(op-KLV+I7AT^h@q4ug+Z41NT~=!uzHlom<;m7`R6LAXRd( zvv+26ZgFq|_cB#MNqiO0u1OjG=UlnezXt&$9OvekB9z$pHb1gIOFV?PV{5H-0BQT@ z{OiC33^G}zjcXm<#pmdoz{#ccr4y1FncOwhL!Af70ZJE@J!R!jPoK+@yXm_%-SZCi znR*?KhiBdO9pm!4alvm{=im&yp26H-U*~ho;`}vfZD4{p^0?CZdn1z@NImVxfZfsY zlj0b`>H8y~>?Z>&V}>|t3ir~w3&>Q!k%Jr@a%Cn7==>*rJnF}j_y_R&vxoThC!+Jm zcmKOX?B@vi=coI`w=~7Bu~~(on25wXD$G>cM$18Xx_8qS7~ z?)Hw0vnO+2V|6m`tH;MudnfZk}Jc<%z&OUF)>085COz5S$rT+8jOb%qff6Go~lcq zpV%f})cVg0THDKWt0U-H6H{YTQ(&*}pNE&)#P6QDu#HTvv@cfiikjhP)7-+B+>jo9 zC3dqDxuKtJh}`U-htC%hAP`>v61z$%gc7g(<#bMs8u(RkBPGLjVNlv#BZHWuDU0GE ze`ka*;Pm(&w~A=pivdin689bMu3vI^JI^M65WC^^*A$;hK>-m^pQC>uA{E%FI@(SV z0@C5eksGI3jJ)Z6$E}4=?U*caFQus}F_XH4kY!yPIR~`)=D`x$Fdz-%_&JE*GEG^? z^q=#Z{PI|nvT_tkaQXS2_n*gR(V>md|fQ+Gn7FT#ymS!y*~7(Df2wlpGO;(&>v`gI%I zyaGwFNB3n0Y-{A7Ltn4s)1l{EPK_5EJ-3=cZZg&8k-f>%%GMfur98JWF)Xkx>$O@Q zB&rlDt5A=7EBV4&ss7?Y?i!F{9MN^iMx#$Xk07tGk0G%6He-}Za`{MvQ0J@;-*co; zKO_^VeE<)HSl~$dA7?AydI`PXZfJ-U%PwU}+&0;FrL|S9d$2wae>9IJNR9hyf)^ro zL3wY_=!>*NEV_PXoYiL+SJ$Xd9=81acB;fEW%7-7WUER+y(A{f&3&Gb%DCU^gAOwF z+Eme5L!cce766QicN#p))=*2;T_z)cC^reu7PVvHbhw*x8tc;Giq%B)Myc|Fvd=L| zV$JQGYGHILpU5%HgImgX&f8)#>VeidZP+uc{oQNw_Cew!qYdwZzVH8az`pyK`JPEA zL6a4HZ+ULR;h&*@c}N7~Hz0npq9T%@Yh2~z{m4|#aEq`dsZ@-*cSxvz=ZNhD8z_=< zdO975J5SewFZH+$ujnsUnLHxB5gi!~w+!F=y2VM)EQti>p+n#+`jGGA@TLz zC24Q0dFudCt>S#7qD4cV4x+BZbGnqo&ij=tg&dw3*yN@5Pkl1ww85QVjL$oI4;+!#~wzV&pT88mT)RUE&Li zolG}o;)=Xe9unO7*v9u$wYik$cOnk+g5jdUc%dkU|}K8fBvkovE|t&BH;E}O=F`>HJHQW_++lrrY9R=+fpm$B$X7) zk{}`!g(#8AGRl|s<_EA3@noLm+{DV2m8zdKHvaa_E)kLmXPz(j_bNOUOqFqIrp$+2 zw42e9IZkc=*4GXHfEUm_DSlzey{!vdB2A-yJ;lN@K4HBL$q-PH+0d8dli_~#mdES~ z&nElAU5wYdgVzd_?Bh9zk7FIa(jp4T$@<%hBcGcN8O7Z!-3+#(-&eCE(3JTqpqZ!|3jNeOmn!m zBeVX~kcq(Akuo&M2F>E+WjqcLN!oHkqCedeOQv|_AL!!-hD#6UP zwVp1~$xhu0`Wq9~cyRb+0h69(EMWxUuI!&II{ewT16!;FiV%d{Km_XU9+0Uu2UDK~ zrPa9?feRS%j9-36tn7{eymngOhs`YBrVGr^-8N zg%*^GC8Nt{0Q>uwK1*9r=JkiUO9per$Z2x!+lb%c(R-eg8M=m)kje zzEwSv#XD~=0Ys$z(U7VZ5hTC5A5c^FEnPeV0F1W&`oiFi&2YB%d8C0N?t}u z4rE%h$C={cX{nfyD_DKHf6Sl4iX(n78I76tuDSdF6%SV)KMYpt4k-Nkm2S zfDTun_Z@w}Bxed7rNx;azl&n)&k&m)_HzRlW~IaECnU{m-L<|#m!E?PEifCuQ!kJN z*l%V4k6lN^#q^QC_NGPzu?y^!+f^$FTR->Nuezb4HT zGlZg34E(0Dlys4#T zjYm9o(u?s#rjn*`o~UT{(T{Fqi%8?hxY^2m!24$Y!n@8Nq4Xbq>+2S>wNSVIiq8u% z-e?erlwMuD*{RJ{eXKWegfz9P&E;ltm5CmCczLeWLxBTklE(b6cb)y@Ow);BI%g_8hbyM^ucxe?m_CxC5asvk!6QGy z91Z$oldh`d!=Fu<`KN(heVZx7DwcA{#=q=WI$vsZ2J@JgH)*Hy!vKNmjm1e>pGeQy z&IA0F?g!^|GD9a6YbPd-pS#F+s#h(s)pq!6Udhd2J5BOQKZORLI?=HSPg9KM`^CBG zCWP=f%|_zIQ=@F6AGwO|biA!PcTxc@(&DD#%gr#b_*xqHVy+M|S(A?_{T|UV$Me%3 z)4>lQPmy7@j;jaBmFBq(5*mJLY_f2=q3_qlnjY+0@*^g+AY#@Aep46L8hhE&P2w2Q z4Z~Nb#k>7j>oX zx8c$)4yCS$lTn`((P}M>TA2YG-0@b|2O|g@Z3ekIV#adCJdj^lp9ljVw3p!+sP#Q( z!KWhA;&oEwjLpSQ*7j`?9cpJtT;4ByKS7sZcS(zIyfXKeeQsnR(F*@{Bg)>(h1a6; zJ74CJS;vewN$X@qTn_a!9A@%|>qpNLe82jT+~h)}p3srr>Fxx~buAfM#nN;uAd1bs zX}3{(M_nT*9F{I%b{)Zk0a{$0dB@@w!bx3vW~u1?RLV8jB!^EhR=9j`MiZlx8{1E* zeg!H3?a*32@}#5MHF3-A+>(N5%I8%!%xP0jx;A|vH#M%{mZhjKFXx(2TM~*O$lnA zZRqOgGiG_Vxab>v1iXDo&J%r11N{_sUM>0 z<-&>wxL;Dgo02L_^YFasR~O`ag-2?gxctY+-Ircn?qRChc}ec^O2^MmfDH%#|eX8iQL z>U_w%XQn+KR>gSf>Kn{=zBHI`vTTZL9vVh)8ILP!PoAfyqr5%L)=3vOoYfuoS-@gk zu1m%5y5vjVrcMSr<3y3$KYs)rIoO)>doIRvE9jR)bkm{$!D6wkp?bsS*tKygzF&#& z>9^QDYm{ve#J1rwiyu^kD=f9$vIKf{zDNCfrq{m^e&#Lrt1lcm z`A01D>(3NCGMc$7RKf>&rB3AA>7u)k)hMicDxf<>bU4uE#_vg?INy+S(h0A=5DH}u z*aswfPT3jU3hw@{|7NVeA0D^D*k{Xn@?giS(dKV=2CBc#Sydgef~QIfKP=W|D{cLy zmj7$z1;tM!tmmFchUP)E(`6a|`!?i$CcG8VM<>6K>d(ekn+7ZhwoWtY0$ooT9%?<_ z*;9p-gs*+qQIxDrQgmeg_nJE^l_|;i&k$EY?tf*epBIid@t1wmD~OrO)0?AQ4NB-9_EXt7{(<2*k4;iz4wFz{z_Z!U z_w%jbb2Oqql_;bLU8#=OxwdfFd<+%w%Kb<(f(Lj72eTLP>6YkSkps zE_!5OUa*$2X*$4aG88iB)$AV_bWbRbmC^DdeL8YQE-8y<&Sg4zkk9Z2n_JF^=*ynW zxHR?#HU1I#e6kadY6%xDPnQ*hW<4mO9V3vGvN-w7aU<7-S>DD-gCIy7eJjS9bfcu| z+nGwre%C{&QjY_=HyM1``Q?SK`DLEv4i)C~rkT*NYMLn-9rf9mbS&~-e~4fWP1c~5 zEK8rVKDT(bCz1M%{WqFU$Us9b?Nx*pCB=6H!tG*1X(A!b%*PkEWZuV7^#|YS7xi-0 z68m8o?&j@ViSTD1X)nnl*HsjvPL8?0{a&3l1N?+6QkcVi{0mW0?sra7*0>DO zN-i0J3sU4-j#DC)~6oLn(0l)Fwb#uDR6U4-I0Lhb(sO5?5K?Kirj)f`-YZP^L^=NSvGniK((b^d&bGP3N3vqJY&h=8r50m|bCnxpZO$rLYCdUJs-KIZ#=c=6*R-0w};#=aBx2bRC+1}dq z{p(HO*XUQbzBZ2f`DXV!>EtXKestk7(zq!RoOuHMMC}y)LZR9-rLCTzDw*SA8w-zy zX+ApXnra%M>Yy=nEbr7ixY9cXP938DutoBzRcpMvK}qI$LhP!kC7;waGAV)qlbDo8 z7d;8z*n7!Ru2Z+`Hq?F4>aV7CIfMB1*_Qn?-K(k_Zy1<*pA41ryO?!ugrEL7M>wc@ zM#J##l==nwC6dlMuY-~fNAr}f@OmMCx7c^db-bNw%TIHkvtzFw;aM28;=X08^|q(F zpt>Rya>qcRwjBD^jrvM{R|an!(j4JDNA$3kGJ*PV)-i`^y~l!n8m-O8?eha{-q5`l zxNkZz^UzD3PBU63_`6{r`z=OoWej;J=0+MDy2)Os*F@^hSH~}$wXBiM^d*lhGiAwd z7e2TCT_MJBv_X%i!@)t}jnJX<>E`*Bl?5!59o-SGWe;xL$!B>X&Y8s0{g8r8%jPIC zE3_2#s*CkVqQ26z*M+{BR!*hGhNSmm@)JhCk|cAzsCX+hD=>0eGFYNzk{ZThGyUb! zyJTZn>96Q)ySO2x$l~_yu-;VLt3RPDmxE)5CTtkZjg#Wup!6;JB<=*Pn3wj|uQG_yIojr2z<>?~~t>Isey zO8B3^T(M|~m_SdUq-2JsE^s{avkGAlnHMlSaXk{{M5F(!-eIUuTO2<5IK?x^vhg&d z|HtO5{adRMC)Aabe9YC>3%Q*v8M2gOehgVY5cS|$`Fc30i;uCMpvxj7Up<=2D(6Sj zW!;bzlvUk9tApD8QS?@e((Eo}6k`%SLC^^w;IRd_O-y#tP`1SY%_m1)@}sTY#|1XX zH036rH?BSzwX*Ls@n#5Zap1j_bRx|`ExPo>fOhw}ACd52sE&$az?N7of-KKy&F$%h zPKFIOwfwZDW2^RpaI zhSt-=$e+e{<7W$GBT$IIY?&c)D~Oec=AG>j<5Lx-mLbL3s?S^xVii(DmA}0{^(i@b zbU+ln^{9QMp_qBIOHRo9?0}!UC7ra|X!`2Kx8$Mu_Q~&lN}oS{cD7>Z(=R>87hCh? zqOX?6?hync3~L1ii=SMn?EJ}>f1mS3d-CN%q-TG|G0!^T&o$-;`KoxHS|7NS;&ItO zcXla=!Rm!H3%bF1xF%%F<(=3|?+8DN62z1G$D zsSNq3?#O|!3c6Nit?T)EfruM@wdU$;GM&XW#x9Fxki%ZBB-a+K*-xeq-h26h?k6Jp zwCNL*Pfkzc7lmi(zdMW`I;=^aF2*c8W_<0(t-}k4G-G*RuD*Of6W?s=DfjqdaJk%< zi;WKNIQ?&ZvX;GFNoCWPC>U1A+5CoHk+k7wmU&=l-*oOv3;5Y))pkFotVeMegEwal zwe6w?uV(oL-WJfT38wk5#PxbpHq5bFdmvoIE9{DLVAGA*>WwtpOuJ6uYm;u*M6?xC zYY%<3Ig_KudGVN9oa&7}CCPa;e%tWdwgxtJO)^K! z*0SIlXYB53Ny@~v<8`a`otV}zsxgj}?#fb$uGeAA zi?cGHQxs!5(!}CZka~I|*)now?$SRU;%OqLpU-4&u&6vt$y1b*ocGo?)M~ooLH;ej zRBbI_xb~Jtc8V>#I6bi<)1w@HKC{DlR#pb@ANSV*-&h)(A;tPS`vLdmvnuK7`Knqi zlY*I5V%m2D%FoE1pT2cU06r$A%dA1jYLOSate9{_EPZkkXLxrhLQ!iGTS6*?`&pl|Lm z%eoC4MoLM;Vc8FS=xf~;{YE_xuQD3^g4+`$Sub6UZ9uoi$Hc5Z<-JmA@8IT}(uVO* z?kGLYlVlgrPn=ZeZ=3^Pi4q*N-?*=+Bu;Uac6yv&qH4Xsk4t0qH4m|zj6b5VFCzkZ zW~y(U+!EVy1AQ&-e;6}s2@qS?|NZP~pRdNr z$sY^G7q-GXUmM>)%H~hBLUylyg)ReCVtP!$Y`Cm7v-PsR(2EfD#*NP=^9R!-`qq01 z#xe%7I4uq$sy4IKjhDM9+)flG<%*p;a98r%9sA=~yNfoK-05sgJ9*}op{(im?x}?& z(Rhmu490~SC^u3Br`pD?nxOr&a$uWmy_DjCx4#~75HIUg({8zDAF##Z+uiC;-niD` zINj8{1~d}OE!{u5daWwzvN*vjzW`OeFVjV<>lYUx&(E) z#rNp05jA1@3Q(!ts(l{)Zk&{iux@oVLhl;z@zcK9CzH!s6%EzKC8KR0QT*YD3ZSX+ zQQRElXW@nfFDX5uB%DoK^)?@n zu=;*KRlrGLIYf_&M#3_^QR>ZeLudUUeWGX$D!(;2rJh;{8J`RWR(h`^`EnKI+G$1p zjEtuBDP10kH;;L|%4Jv(wHuHpA>K2+@gt277Za~v7oN~#37;Q6Ga-Q)CHF>GhfclX zo94@%$jlBn^W+|K%KlAjhi>zs^@`t+7p31}&)1>RL@i}`l?x^+)9Z7vCwC7X`~G?P zXGkDb#`DXE#@DXY&ll93o2dIJ)p=Xx@;y!3Lan?ULUN)nCtRa5(r%v(4li4<%zT+s zn19j*MJvknP(CiMW>$e~wpN1Mh9`+@u_(y5Y86&;Hd0P+O`fsydJk=pSJ=(LTX~P; z#ionew;tJ;ep?fMn_;Ts@YL$X;xZ9IM)2vvv=`l39`fgwFA^(BePwZ(XbV#GC-OSR zUSk7AUEsbTcJ;B%XdCN`93tYeE64+d<)Ung@9mS1f2O+P)%qcdLtT+=X4b3m^uw|r zod{Zi4@DYL(Wt=g@$N>*Gv)!uH-x{Izu7O89Ib_sONgG)HVGw`wk?m&)5@#SJgBOD z{eC?B+M&AlT{NGiZs>9fWm(c3n5L)woq+J@!7Q8{yNw_%_1L1Vlv;Koxv)ZiXv}-n zEl~Yu!NMY=n1eNq=ScrEorE_9>wKO(Z_TcpI(Pg0L&l?4?>`Qfw0CQbPK7d`?ha8= zh7kK`UgvzQrOfiq^3H&3PN!&B>j|$VqhpK`-lOauFX^q~JWACG%I0_$82JWy)|dPU z&iZE4)(agqTX^bP9N^D*LSEd1hqBb0*Y@KCmGq5-;Gf2IT*CK$GzqV+-fZYa%cv2$ z>FWW%c$dKa%)ZadHHQ;=!_bl0SY_Lh-Au247MApeXpuFT(M6p^k zZdXLb+nj^MkS_XFtr^3X?7Nvo1eJT@+dQ0DhfjLhZ^bN|=6JZBkGUN6E@RRq_c7){ z>hT%z9%9J+<-{fOS5D&+s#Pn8T^~x3+)JdgcyRpNA=4^N0*ghCs2R&DMaRbZpOj>4 zm4tUQ<;%P_EDKNGK4e-~Xjl?9s*|=7_Ov4VZ6x0Ua`dT{FQq);^l52P_5&{IEo1V& zL+u=;hU;Xawl@ZpHk61_I+bOU@B79yH++CEc+_P4uK%!R<`a)#AVEtWM+kdp^w_n+ zwtPJu@{p0Tq0R31PZazrGYlD?107=b>C9tP_|Bees=(;v(#3PBe4?-HP<)DXEFvsX z4?0Oja_4+X^~cg*whGprtDYD?!(tZ&sevXl@~^$OxvD3MuE>MkMrY4@36p+h8;Lf9RCV(5c>Yo)2iX02iiBI*Ck@xg4pMy z?R+qND@8BbnwSH4F+{xdaAf2lmB(f5Z>3+*5_j_Ji z&#v7|s-ErpRoh&&(g#VI(x)QSnRh%dbD6mJ$kRHvmY-B%yrjKs@^H-TMR!un&{^V{ zBI0T);iiWYL+JA{2DgPN)Hoc2Q58pOUK37@yb-kFGLW2SBMXOlDw4cktMk!21zeA* z6kFZRcpYT_T6) zGj$U+Y6vxdt`qg(ypb5mVwfCqE`YQ?PM?VeiWGahSx^8u!gn*m3FD%9)AQb`*B>n( zL>AoF)vIfpu^}z%?+=``8+VkvL0Xv{tg&dMH%8c}a3O?%yzmWOZ_Kx8wqsAFO-H-9 z1L#?^KAdd58_`%{7sRr>WFg4x?7x+u`{ZdNQ(1Ejwc6p+3ZH7Ehy6WfVi}YV$HAmb*OlveIT^5l;T@QXjO>3&Op6GL*w(zk?ku|rf z)ePAyS2nhCj&-YBH-5h>>T7%4C?8Un95-rP-5e)L)n_&A=>CTD)34{p7YqoQ<(!-{ zBAnUhJ@l(Zr;@1GdbH$!u?RraJd23B)V3;o;#3{O%mX}Mq)Rx7#6y12q|JRvyhYbj z(bIm^g24sB{9~a0BJDT$ghXK;!N_^*N)ZZ~iSL1{Yl|+OBQcG(;WQ`ulpw;lr|vUL zzWaIXFjLIib7yu`{;WxV;aqg3J5lym#K|;4#qKD&d~*>($Ad~)mj_b< zg=}4({s@lfHj{tJs_#iH_j=j0LyufAhEUE4bMV$n&9n#FqZhwlny^S&(W$ta8cn(pX6fLgIZZ5QLb)$Km}(q9Ilrv&dSc~rSg+~H zK;LZo8+zZFM55$|FcaU&1pJhH>;|t0#tu>XVmg>rw6ECTBQnqiad#`Hoqg?vpPMPk{}`7*JQRwp(X3Kg#v&`RU#M z(Rwy2k=yhTy}#4DtCE2kLW79 z*YaiJPSLjTv&3T!b=n2rviZd7wM2M~Z!)^b-rArOb?7_^f6ADpQ)NJGD=IbA=kjY4CexpfNah{U zxhL*rYg+2tY_ddSbO#pG`04d$8Y>>sWN&NjRMsPd=Fx-^&*jP`rIQVO5`N~^bzSZ8 zBT+ij`0%ztDQ!*jLo;YPO?c43>ro?0hJLvvYU*R5*9ZI=-?J{CVEp=%EOxBkQ1Pgm zzS>OsgA76cMHGb^gy2JKliPS&ros!ko7ay_-8x8M^LBtd?2Eu-3bf@1^7_}TPVTgB zS?C334)Z&)>G_Nli9fE;%5!LnpF859&cgn9{2ALx2Q3VwVe*WRSQ&v;S?19X(cw$= zdAwnkch7qgTQ0=NR_37H2%X9;DtkEk&oRlVDtSbwq0gcR;rAi&48zatIpSHu)ek}m zPY3%7RGM3?Hj+{;bRX6gyLpbSAm-!TH-4VYcQw66wYHL{YZW%@ayFwsqmj}?E9DC# zf+6>ff9K@2MMpgHNIH5`^2C{q&*+M%r}Z=BCU0j$>~zZRZZ;*pAKZ|manG|<1s{27(nHwvO6$>%Rz-OVSC*+i`1v`CH zwJvm-_;4)Hc38NCte@3d=FKCS+m#0WixCU#Lb+e0o7s^c7Z-BR!7OvzD(@}E@W_ae z3T8|DwA|s+x>J>6ZgLgFW4K!DP(3d%D?X(0%;+{kp50JNW6t>jzeD9}|BDy&f^RP$ zzgS`@|C^Kt%59Qdlyv>xjKP(Mw=_)${Qz2bpd({W!a+>0B#fo-;j3C;5!~ ztA|S%!@AR&vz{{=aVq{sf^*J|l5mGUgr;2VCft$HY!L1~>Ge5i#M0}CwsYbW7hm5f zH~-&bQfHlqm^f~kE&IH^X&CZT?wo6`ic7HG6|Dk^EtXVxu~g3|(KP!!)euRO+sPYM zT`29zx8%+GO5#(x7$)mES#>t*a5byQlT&wdd65CU%>w?9 zP1@#Dbe|7a49Xgu?*DdG|Ci+_9!|};Gc=^gC zZ8*=t+Jf0}?vSpK>PpwFE^Aug#}IF%VW$_MJgv;x_Mq8 zlz&qssqk6oO);fr61Vz7;;!dcKTebV@|KQS0G<`IyD3T@N;)@s&Tl$m)aXf65=m>5 z-?dNO=G+HWG(;;W`)8%Jqlj3CWLc8AIvz|i&lKb?$ELjThE>!j${%`0LO~|~nT^f* ztKSi?!!yHtLEoJq^UEjSaji&kZPIrC;`8e|mK{;s=q;N~3M;y9iJG>J?9HMh>^p7m ze*E^E!Fz8=X%H&0QHLfVn-cWe;+J@mkH#bvd_BVaILQ8MKwEXr`Im9T1YC4+Lp*d2 zkb*;(Io^bGg*Y`N8h*Ubr$BWz^9G4i#09>&SDBeULnjpSE^pcibx0She-$HKtj@Gr z85w<-%*2}mqX?wJ07EYskzoCkl%{KQiScTSQMIcaA!5j8q`1m*VO_VQJbPD` z(@ERaHP_l!;bTnPB2yq(W8ht@pL)rV&iSKh^;mSjcE|`uh9RvK@mnej*VnUZ zM2nnP?-jR)OBY6EOn5#2d46&$fnfDsn=G1qb?MIUrMcGhZz+6l_(@}~8|5F%6-+(t zskyAt)z#cA`c@$YeZ}SAEg$lZUM`_v2d{TqG}5!wTfd%4TEJp&`9?^s2`T?v z9lQFvK`i%sp3s0hNu0K;vzp{NrF5<@DiPi%uhXNnyGrAy3XkxFR z1JYT#iC7Cy^3tq-rI?O%H9Y%beM_o-3@)$2L0f z4EaRWo(S;IOY|jiF+k8QQOmz14fXRATho?VUOKjTP#9%WRBI9?et(>s2yxVmvwYXA z{^@3G+JNp^acTswZE2blujE#vU>7N7GuF&1x{4)xDuHe@!O;ZXNcr}wzn8#=7= zZEg5V&ShEN4F{9^sK|Il3*0tgRqFH@eN0Ey<&L11C*r*rvJ<^WR7daApia);|{+;_F z6Sx1!QffMszpIO1K7dm$C6qUzKJXhPpY@Jdli}=IP;F_?cU!N#mk#a?60A(pYrXiS}gI)uX9Fno!uR( zQLIM&s}on#b39qZWQluC$xV~&X?e+LGpI^N-TaYRzqMILW?fjExatg8eHX2|)k(WX zrQF%%bEA~i-i59h^q*)^g$FK(1b!A)?_qt!qy;-VcGj6KGTt#fZQ=(R)!S7&3Q@H! z4u1D|h7K{qN6+&+j}AYvR7VDE^hjUN?z&qC{fH7es+;x2Og*eOB$F~Wan!}Xg`!{g zi=(M$(Zz=%wNtdOO3Q46`Ddk{w~&TkY`94sJ6eaKh$Y*saBcDvdzGPruz0iX_@Y(P zlRcs(+qc|zQ?+}IRn>N=v7p_Ad#M&6WE+BqhPA?`qlB54=Z>`7MnNfkXI6FbR zbeB;Pn}Q?KnuaHA6^0RNWi9<%&(;}bZJHAmr|FQ|))V~HIxm)ne2)caw5MkTWaf$` z30d8AH%L7ZOq&(8u(I@YisrHLMbk(~*wJ)8JnnI4$JgY@oUZ3w zmVN0#+7FCYxuSTyKM-rLbS7GJ!#5q0t|-K6-Ga8|TqnQ()_G8H)5$IIikB?A7z@W@ zo8|h3j%(4${LZvjgTJgl5Mcr=0D6^qzY?*Z zJZn4!cMFOOl5!Fp!|b0Mre@1A=Wnt7Y{_HhrE)$bNBTm7PGmHpRDSP^+&{LYB zcu_dl%F*G|+l;Hi(Ef$z{&%&#I>xE#U#Dx2p^sm>%lczVf7<5pd>>KBXV!~-@|a9< z=fs<1-lyLgu%{L;UO~5hWqR~(v*OE#QEPGQ+V{)vRqNfJJs-RJZhB1T^YUv`ZPFfz z6<&AIK&jaB=f_whXF3?Hgih*A`lV_i8HuHSdm#$=7jLh$w78$@@w`osl;d#=&oqr; zVIWO%WXO9vZ!mc`tmAqXo6_T3%Y14wWP0DmPk)G^senGy`}t5TODpH>`BOg6dft?! z`KcF0ZY(qOi7Or=Xf|VKy`I}|>yguP;ytBI;Ma0xNsm-7r-a)NWSmu4C`ToX8Evy! znSQ=~>mECNl1yac=Ai8@w2Oe#x#mdp+)dlsCga=-G)vNVOEd=*XiE?2MB{Uj zx>tHh$W2dCUcAue6Y9OFEOz-WrBiDTMM$%oWl-PHrinQ-vx(l>2?^@{14OE1@d`%m z4~;S%pHsECL@v3n)oGa8D%@APLLaSf*0W^7NC~yO&Zt-S=4w~m6SLrvZXbuJ#+MeC zTvvY894eX5OUm?B$#mdn>WH|T%&ol;keaCW)u!$A%wp+@dBypITTB76RZ5qCDe-(^ zBEI8d4lkmArFZ;wgkg-+*9<$e26!3yk2EUpFJ1P8i{n>{g5D*5wXGZ1r*0OG*FR8L z_K0IF$4?@0M6PY6PCzzsg-G^IRmH*AzCqp56k*JT51h+}c!qv%yBbLs;b5v=( zTSitsnnqEngif#r% z>9UQ~X59+i%JEF^Go)X$PMpNAtR!S8Td$EgnHNhfr!ce!7^0Ci* zXbtCu4L-vc-!!~?eY!mqid~W#P!G*Y2`ldQR3O>US7cU4UhaDwt8JE@DSayEU~RD)S6j&7%5kQ3k)Sth6taqGWC#j~KL=Yd+GQ=n!~(-g`Ff z7N!!^o_~7KTKaTsxJ`XNSA#&cB(2WV{*_dT&?zlSK+2Y6N9oJ?4|VZ z<0N*)P$_E_Mo)!X&$|d8zcL#?Zsbl#I8S)K!%XFFOO49hktu1DiLLsD0J$-`j$6m2 z)R(4j=`bafU1M>R=@|n7<~_G>k@{Ao#W*;mZ(w zZhE^}wU!a3xns(BlhFiXX>QeO#HV zKBlCfYbNVcxHMJrdd(!UYetuMjeSHYOIwXlH_XUZA&uvuhUvpvriW(eDY<}49^KVGbT zMS{t@AkPQ0E+h6VgGkV(JS5Y)LO+rJn7eqEP1f%h#B^>Z)}1xK=dUYvJ@}P3!~5ig zF8|F(1L|wZgC+Vx7W!A&1`X~AwzJSuSt)%Ltpk2eh7(Q3C#S6h_r-A0Exk>mr|cDY zSt+-Eq73TgI~qpbg%Nb>6F`~G7Ev6R6&9lr^NVg&{M)+GpZaY5{juR(-` zN%{Y)OHfr?R$5E@FI|GbmjT%PuTDV>gcpv6LSRrB6oT2;DTu=C>l6fE{^=BiVG#Q} z1$kjWhoHKPneAl=*kSmmS5N@xFWlQJD9JCyFU^0EUxr_n|I(j6L9k0u<4{yzc%t=JM*x8hA#ZB{H}JUK=+@Cy^|R~*n8*6@3p__ z4s5a8*K`Nn+jO_Be`z}tds8br3qTuI=H_NV^Pq{DGvo>!3(*FGK=AK$Chm3%?rA!N zATZlaggae^e`!602ng)7I_~r^?zAFqw-SPVg4n)A7k7Jp7fUBIGk$Y>SEp^=U^@=Y z+6(bdQXfn21H{+I5}ef^raU7Xl;K`_WYnucJ| z*p5#Ve$bxg{9t?L-o8wGpa;{DAG8x_p+7B=5SRe^Ps8P3x-Yl8L-k2TMImN(roa{< z1-c*qx>*3fbTxMIbTETpcM#x^5=PEuV5=pBUt3jDQC4GT%P890De&%e)dKH=&hBL8 z;9~Ctfy2OVT{WyyQ{BJ5%mQ~TvQo;qg6M}HT zB5}bA03FExs1*zp@ISNAE_TK&Zfc1-(^zy5D8K>fE~p`bYY zH1uy^|E*;m#|yBn@c-Lo1pqz&(d>>D{!O#+zvs+<1N&c@6BqD*>@h&se*o`z_`d)a z#LqD*MiyqyK;pD_1%ec?BUHdd;R1Ap?}Qe4D^nolps_&-B8Vjd85}zm1O~%K8{l88 z4?tiDEZe?FDFCwWx99)glrY4OPywtVATZ=M1{iAh-yQlkwtbWSCFt#&6xi#3UndN` zBNVGCH3&>_=QU<$R(m}1KQ@dwYV!3s}oQ-xG~lC3&U5Jva5>?@Pz_^ zk+53~vSS!99zak#k!sg`|D-7FJAY7F0bhCmL1D3z@{2=II~(zj5_Vii#mUSKg2YWB zC~!s`Q9A9w3 zTCwl$7mLK&4J&p>UpQj7CE)_ZPKqOGX9ofRx4Czh3Wx92n!pbFZMi!ywhgume%oR@ zaJDVRi`b(btcd-S3;Z#ez`vOcv10`6^?n--5xvEq9;& zcEMxqw*!7BVD7Wu{-O}O<=}tp2gkABE*5ad?Zn!D92!g5zl>dH69+;w7&ZQhU^|kq zz_AeasusH}97%sH2HS5j9EaYX1uJ$}>D&Iin;NkC*qL!xAMic?3b9 zb@vshj_s_nR}i>j96^7qimh(`QO90EJIli^0SjiYX23W1%lu=j{ifQHxGiN{_y1T5 zd~?5)Kaml~OuGi$w$qN$wiUXA6RXc1oV)tm8z10UAKINw$;cKw401`?oA9c;7&*Cc zL(te2K)5aehhsh%H=sx?_FV!LplrMEE(PR4?&E=j6zmdqc@Q84s}bO(ujo6C_1ic+Tb~r%H+aVVZA~4@J zLO~papc?+FNen0qyAdENqY3pz_@I((Qt7hX8u%PMx_!0lidk2kiDB zEPAX@LUwon@Ng(r&R(c{X8psrA1gQn7b|uSa039R&6w1>IpgKktCRdhy;N zpgW-U5eO|0G7iD2njo$fPHPu4H4X{ zH7j5MbjP8w3|1gzJ2K+|1g6^t2r%u}A&3E2ht6guE>`w-JXlBD&R7txKSV&6sGWIt zXnZix74T@F6?Sy~4|^r;MM*$ zfC~8^M&Lt&Aa)(m+0}S=N*GobfS>Q`{hzmhAs|Q?25(R84#o=Q+9Pdy$bM9yx9y_Z zJ_BthF*Try*`5@>T|fY@w|6*vyGjF$i8u3}O!xP#0!qZ0ZM$*-q-}2$_)fTnZyRr~ zqIdVye=TWmzSvpPPK1YV>v6Bpy^#MyRePg6a32U{S@=#x{ZF+4-(P@ZFB&C{fGc-< z;Eq@YJjwraaNj*P0u=0KA?4q8ZTPl}Zu2YJo0{=!I-Bh>V}&Rf8JpQS3k&lrx!O8k zfdcl}`WG;C#C*XVX?42Q!_Q3VFgNrlp);1#-_cjmkFL14T4Tvbf|0JEv zjDUMmE(IeEGi`{wm5U_=xV<)WaxycAH~@FVfD*WY)2F?utBIKtmxHM}z{U&X6M*u; z1i1O-%{<-holKp%fXjHSBp^mf8M&B2xTMYl`2!8bz>zS(Nnj{mr~oGv$_elRI{Ggb z4JRW92QyO$|3xDkXEQ*x8q(T)7lAJoG&ZucGXqwvVQJ+I0sd~|IS086elwuG9R%29 z0zjPuNAbe>kh?Gec3^1=z%vLiry+nxA;wllcH9ta2P5Ft*USjwwlf-qjhcJ(?Ez?k z6bhUt;H1z$e}Ll z0baP5510c6d}ZZ+8t|M6yja-F2grlt(txqpP_>s2q=ETt9}U=cVD-3{2FQbfJ9sY* z7>j`6uNMLC{e66ZJTRH>r2+Dw;8o6E8YmA;@;EdBu-e;40|GC2jklKugJUrG_Js-H ztqlr8f_1~*u~6XA9(d=pmj=ia{M%S0{(6yM$+vebAP)u}UiZ=fd3ZhvtQQ3a`MrD~ z4UIboAPD)hX#yAgSW&u^3Y&r-baIDu*a*tG(g_pun6Mm3UFTBy#Pf(QF!)+ zV~}`!z*z9v!`^uT%osfT0v?3xYXClcKLEy}aQpxY1>z1a4UmWH8-P3nc$2gr3;Zwp z7Y@bX@*xly@NBVnEFcdK9s~E%04&%u4lWHm3htvJP$=-?U@r}jhdoN{r2+DQKl}MW z8h8xe$A>^8abp-L4}3ncj}Hn|EO`C`M}SFpKOgEZ`w}P_aQzf;1TaJIABzwK4?z2A z0)X@4(oiTMs^jpXptybyL=6G(LVLeF6cRkm?4<#xT_kRt1ZZgRB6L5WAPT%o+DilG zz~K8X;Np0?LZR^U2kI~DMPtBXbpITJe~ImafLG%23E=ywAQFS)e^96(8rLTQnjm=T zzkgl~6juj88iZl+bO7uR{IN)U8v$Do&nGd0_zR1U|_3xfFZ00sln8J;{0_xFUu=#Bf*9^tAXVUDL8I|?g@ohzJ@6C@ zuSNo@E4&;E(C}h5P{V=8y!~qvMBv2@7zPPGh}+Kx>^IyP3ll_w*9ACy2)z6Y1M(oA zPJwiUr&A0P*CzpgM&s2R;L!oshu}a~#?vzfjYk8<;^iYCrQpv2oLO;o0DRm7&mO?@ zNbrhjpALXSH+b;HrQyX>V8?(Dp>X(s;EqQF5-UCpyo}vH7J&k9{BdXk_;Vnzm(DnR zNbqstei{l$@^~~syuAQN0|^+94~gfKa0HNOaQV%f-VYD2Nv);b;VSxw{{; zAO_!V7~mj)%ZC99KpYz2xw!rZlm|$>8U)CAP+Z>y>Pg)70=^6Us08jDK-k5_f&gMM zt}PKzym}If07_sy%m@@->_iAa@$mtv5pNFQDhiK=K;yWi;@Ai{U1IR+ zCIlLVx6c7pVQ}Lb0?5C3HUjD#JbV~9e$9_TDe+bJ1z<P$uH-eKbN4FUA7t4KG)q1(A5`MGFFn1_uiUj=`(LFbH4=@8<(P;{wMW z3((NG^$=hqym}JYZ$RS0kq1nRySIQHh*!4*G&HUc0W=I=9RciB@I!xl^$gr7008l5 z0=T&X;KM&NA%M@o;Os4c4}+^y7y^!cwy}R+Af4mt4*}dp;nR?~`xlV+7c78MapEq( z2RQUUYjbfj0)EB9iBwn^!mn=S1zec{mtXv9_V&PMm_S{DPs%UZncD-e058M7l7d_j zmX;KNNgz>@XentRgh@)Hphzi6!Hd#RC>l7#W1ymt|7OvL0QaBH;G} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{basic/index::doc} - - - -\chapter{Credential cache} -\label{basic/ccache_def:basic-concepts}\label{basic/ccache_def::doc}\label{basic/ccache_def:credential-cache}\label{basic/ccache_def:ccache-definition}\label{basic/ccache_def:kerberos-v5-concepts} -A credential cache (or ``ccache'') holds Kerberos credentials while they -remain valid and, generally, while the user's session lasts, so that -authenticating to a service multiple times (e.g., connecting to a web -or mail server more than once) doesn't require contacting the KDC -every time. - -A credential cache usually contains one initial ticket which is -obtained using a password or another form of identity verification. -If this ticket is a ticket-granting ticket, it can be used to obtain -additional credentials without the password. Because the credential -cache does not store the password, less long-term damage can be done -to the user's account if the machine is compromised. - -A credentials cache stores a default client principal name, set when -the cache is created. This is the name shown at the top of the -\emph{klist(1)} \emph{-A} output. - -Each normal cache entry includes a service principal name, a client -principal name (which, in some ccache types, need not be the same as -the default), lifetime information, and flags, along with the -credential itself. There are also other entries, indicated by special -names, that store additional information. - - -\section{ccache types} -\label{basic/ccache_def:ccache-types} -The credential cache interface, like the {\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} and -{\hyperref[basic/rcache_def:rcache-definition]{\emph{replay cache}}} interfaces, uses \emph{TYPE:value} strings to -indicate the type of credential cache and any associated cache naming -data to use. - -There are several kinds of credentials cache supported in the MIT -Kerberos library. Not all are supported on every platform. In most -cases, it should be correct to use the default type built into the -library. -\begin{enumerate} -\item {} -\textbf{API} is only implemented on Windows. It communicates with a -server process that holds the credentials in memory for the user, -rather than writing them to disk. - -\item {} -\textbf{DIR} points to the storage location of the collection of the -credential caches in \emph{FILE:} format. It is most useful when dealing -with multiple Kerberos realms and KDCs. For release 1.10 the -directory must already exist. In post-1.10 releases the -requirement is for parent directory to exist and the current -process must have permissions to create the directory if it does -not exist. See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details. New in release 1.10. - -\item {} -\textbf{FILE} caches are the simplest and most portable. A simple flat -file format is used to store one credential after another. This is -the default ccache type if no type is specified in a ccache name. - -\item {} -\textbf{KCM} caches work by contacting a daemon process called \code{kcm} -to perform cache operations. If the cache name is just \code{KCM:}, -the default cache as determined by the KCM daemon will be used. -Newly created caches must generally be named \code{KCM:uid:name}, -where \emph{uid} is the effective user ID of the running process. - -KCM client support is new in release 1.13. A KCM daemon has not -yet been implemented in MIT krb5, but the client will interoperate -with the KCM daemon implemented by Heimdal. OS X 10.7 and higher -provides a KCM daemon as part of the operating system, and the -\textbf{KCM} cache type is used as the default cache on that platform in -a default build. - -\item {} -\textbf{KEYRING} is Linux-specific, and uses the kernel keyring support -to store credential data in unswappable kernel memory where only -the current user should be able to access it. The following -residual forms are supported: -\begin{itemize} -\item {} -KEYRING:name - -\item {} -KEYRING:process:name - process keyring - -\item {} -KEYRING:thread:name - thread keyring - -\end{itemize} - -Starting with release 1.12 the \emph{KEYRING} type supports collections. -The following new residual forms were added: -\begin{itemize} -\item {} -KEYRING:session:name - session keyring - -\item {} -KEYRING:user:name - user keyring - -\item {} -KEYRING:persistent:uidnumber - persistent per-UID collection. -Unlike the user keyring, this collection survives after the user -logs out, until the cache credentials expire. This type of -ccache requires support from the kernel; otherwise, it will fall -back to the user keyring. - -\end{itemize} - -See {\hyperref[basic/ccache_def:col-ccache]{\emph{Collections of caches}}} for details. - -\item {} -\textbf{MEMORY} caches are for storage of credentials that don't need to -be made available outside of the current process. For example, a -memory ccache is used by \emph{kadmin(1)} to store the -administrative ticket used to contact the admin server. Memory -ccaches are faster than file ccaches and are automatically -destroyed when the process exits. - -\item {} -\textbf{MSLSA} is a Windows-specific cache type that accesses the -Windows credential store. - -\end{enumerate} - - -\section{Collections of caches} -\label{basic/ccache_def:collections-of-caches}\label{basic/ccache_def:col-ccache} -Some credential cache types can support collections of multiple -caches. One of the caches in the collection is designated as the -\emph{primary} and will be used when the collection is resolved as a cache. -When a collection-enabled cache type is the default cache for a -process, applications can search the specified collection for a -specific client principal, and GSSAPI applications will automatically -select between the caches in the collection based on criteria such as -the target service realm. - -Credential cache collections are new in release 1.10, with support -from the \textbf{DIR} and \textbf{API} ccache types. Starting in release 1.12, -collections are also supported by the \textbf{KEYRING} ccache type. -Collections are supported by the \textbf{KCM} ccache type in release 1.13. - - -\subsection{Tool alterations to use cache collection} -\label{basic/ccache_def:tool-alterations-to-use-cache-collection}\begin{itemize} -\item {} -\emph{kdestroy(1)} \emph{-A} will destroy all caches in the collection. - -\item {} -If the default cache type supports switching, \emph{kinit(1)} -\emph{princname} will search the collection for a matching cache and -store credentials there, or will store credentials in a new unique -cache of the default type if no existing cache for the principal -exists. Either way, kinit will switch to the selected cache. - -\item {} -\emph{klist(1)} \emph{-l} will list the caches in the collection. - -\item {} -\emph{klist(1)} \emph{-A} will show the content of all caches in the -collection. - -\item {} -\emph{kswitch(1)} \emph{-p princname} will search the collection for a -matching cache and switch to it. - -\item {} -\emph{kswitch(1)} \emph{-c cachename} will switch to a specified cache. - -\end{itemize} - - -\section{Default ccache name} -\label{basic/ccache_def:default-ccache-name} -The default credential cache name is determined by the following, in -descending order of priority: -\begin{enumerate} -\item {} -The \textbf{KRB5CCNAME} environment variable. For example, -\code{KRB5CCNAME=DIR:/mydir/}. - -\item {} -The \textbf{default\_ccache\_name} profile variable in \emph{libdefaults}. - -\item {} -The hardcoded default, \emph{DEFCCNAME}. - -\end{enumerate} - - -\chapter{keytab} -\label{basic/keytab_def:keytab}\label{basic/keytab_def::doc}\label{basic/keytab_def:keytab-definition} -A keytab (short for ``key table'') stores long-term keys for one or more -principals. Keytabs are normally represented by files in a standard -format, although in rare cases they can be represented in other ways. -Keytabs are used most often to allow server applications to accept -authentications from clients, but can also be used to obtain initial -credentials for client applications. - -Keytabs are named using the format \emph{type}\code{:}\emph{value}. Usually -\emph{type} is \code{FILE} and \emph{value} is the absolute pathname of the file. -Other possible values for \emph{type} are \code{SRVTAB}, which indicates a -file in the deprecated Kerberos 4 srvtab format, and \code{MEMORY}, which -indicates a temporary keytab stored in the memory of the current -process. - -A keytab contains one or more entries, where each entry consists of a -timestamp (indicating when the entry was written to the keytab), a -principal name, a key version number, an encryption type, and the -encryption key itself. - -A keytab can be displayed using the \emph{klist(1)} command with the -\code{-k} option. Keytabs can be created or appended to by extracting -keys from the KDC database using the \emph{kadmin(1)} \emph{ktadd} -command. Keytabs can be manipulated using the \emph{ktutil(1)} and -\emph{k5srvutil(1)} commands. - - -\section{Default keytab} -\label{basic/keytab_def:default-keytab} -The default keytab is used by server applications if the application -does not request a specific keytab. The name of the default keytab is -determined by the following, in decreasing order of preference: -\begin{enumerate} -\item {} -The \textbf{KRB5\_KTNAME} environment variable. - -\item {} -The \textbf{default\_keytab\_name} profile variable in \emph{libdefaults}. - -\item {} -The hardcoded default, \emph{DEFKTNAME}. - -\end{enumerate} - - -\section{Default client keytab} -\label{basic/keytab_def:default-client-keytab} -The default client keytab is used, if it is present and readable, to -automatically obtain initial credentials for GSSAPI client -applications. The principal name of the first entry in the client -keytab is used by default when obtaining initial credentials. The -name of the default client keytab is determined by the following, in -decreasing order of preference: -\begin{enumerate} -\item {} -The \textbf{KRB5\_CLIENT\_KTNAME} environment variable. - -\item {} -The \textbf{default\_client\_keytab\_name} profile variable in -\emph{libdefaults}. - -\item {} -The hardcoded default, \emph{DEFCKTNAME}. - -\end{enumerate} - - -\chapter{replay cache} -\label{basic/rcache_def:replay-cache}\label{basic/rcache_def:rcache-definition}\label{basic/rcache_def::doc} -A replay cache (or ``rcache'') keeps track of all authenticators -recently presented to a service. If a duplicate authentication -request is detected in the replay cache, an error message is sent to -the application program. - -The replay cache interface, like the credential cache and -{\hyperref[basic/keytab_def:keytab-definition]{\emph{keytab}}} interfaces, uses \emph{type:value} strings to -indicate the type of replay cache and any associated cache naming -data to use. - - -\section{Background information} -\label{basic/rcache_def:background-information} -Some Kerberos or GSSAPI services use a simple authentication mechanism -where a message is sent containing an authenticator, which establishes -the encryption key that the client will use for talking to the -service. But nothing about that prevents an eavesdropper from -recording the messages sent by the client, establishing a new -connection, and re-sending or ``replaying'' the same messages; the -replayed authenticator will establish the same encryption key for the -new session, and the following messages will be decrypted and -processed. The attacker may not know what the messages say, and can't -generate new messages under the same encryption key, but in some -instances it may be harmful to the user (or helpful to the attacker) -to cause the server to see the same messages again a second time. For -example, if the legitimate client sends ``delete first message in -mailbox'', a replay from an attacker may delete another, different -``first'' message. (Protocol design to guard against such problems has -been discussed in \index{RFC!RFC 4120\#section-10}\href{http://tools.ietf.org/html/rfc4120.html\#section-10}{\textbf{RFC 4120}}.) - -Even if one protocol uses further protection to verify that the client -side of the connection actually knows the encryption keys (and thus is -presumably a legitimate user), if another service uses the same -service principal name, it may be possible to record an authenticator -used with the first protocol and ``replay'' it against the second. - -The replay cache mitigates these attacks somewhat, by keeping track of -authenticators that have been seen until their five-minute window -expires. Different authenticators generated by multiple connections -from the same legitimate client will generally have different -timestamps, and thus will not be considered the same. - -This mechanism isn't perfect. If a message is sent to one application -server but a man-in-the-middle attacker can prevent it from actually -arriving at that server, the attacker could then use the authenticator -(once!) against a different service on the same host. This could be a -problem if the message from the client included something more than -authentication in the first message that could be useful to the -attacker (which is uncommon; in most protocols the server has to -indicate a successful authentication before the client sends -additional messages), or if the simple act of presenting the -authenticator triggers some interesting action in the service being -attacked. - - -\section{Default rcache type} -\label{basic/rcache_def:default-rcache-type} -There is currently only one implemented kind of replay cache, called -\textbf{dfl}. It stores replay data in one file, occasionally rewriting it -to purge old, expired entries. - -The default type can be overridden by the \textbf{KRB5RCACHETYPE} -environment variable. - -The placement of the replay cache file is determined by the following: -\begin{enumerate} -\item {} -The \textbf{KRB5RCACHEDIR} environment variable; - -\item {} -If KRB5RCACHEDIR is unspecified, on UNIX, the library -will fall back to the environment variable \textbf{TMPDIR}, and then to -a temporary directory determined at configuration time such as -\emph{/tmp} or \emph{/var/tmp}; on Windows, it will check the environment -variables \emph{TEMP} and \emph{TMP}, and fall back to the directory C:\textbackslash{}. - -\end{enumerate} - - -\section{Performance issues} -\label{basic/rcache_def:performance-issues} -Several known minor performance issues that may occur when replay -cache is enabled on the Kerberos system include: delays due to writing -the authenticator data to disk slowing down response time for very -heavily loaded servers, and delays during the rewrite that may be -unacceptable to high-performance services. - -For use cases where replays are adequately defended against for all -protocols using a given service principal name, or where performance -or other considerations outweigh the risk of replays, the special -replay cache type ``none'' can be specified: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{KRB5RCACHETYPE}\PYG{o}{=}\PYG{n}{none} -\end{Verbatim} - -It doesn't record any information about authenticators, and reports -that any authenticator seen is not a replay. - - -\chapter{stash file} -\label{basic/stash_file_def:stash-file}\label{basic/stash_file_def::doc}\label{basic/stash_file_def:stash-definition} -The stash file is a local copy of the master key that resides in -encrypted form on the KDC's local disk. The stash file is used to -authenticate the KDC to itself automatically before starting the -\emph{kadmind(8)} and \emph{krb5kdc(8)} daemons (e.g., as part of the -machine's boot sequence). The stash file, like the keytab file (see -\emph{keytab\_file}) is a potential point-of-entry for a break-in, and -if compromised, would allow unrestricted access to the Kerberos -database. If you choose to install a stash file, it should be -readable only by root, and should exist only on the KDC's local disk. -The file should not be part of any backup of the machine, unless -access to the backup data is secured as tightly as access to the -master password itself. - -\begin{notice}{note}{Note:} -If you choose not to install a stash file, the KDC will prompt you for the master key each time it starts up. -This means that the KDC will not be able to start automatically, such as after a system reboot. -\end{notice} - - -\chapter{Supported date and time formats} -\label{basic/date_format:supported-date-and-time-formats}\label{basic/date_format::doc}\label{basic/date_format:datetime} - -\section{Time duration} -\label{basic/date_format:duration}\label{basic/date_format:time-duration} -This format is used to express a time duration in the Kerberos -configuration files and user commands. The allowed formats are: -\begin{quote} - -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline - -Format - & -Example - & -Value -\\ -\hline -h:m{[}:s{]} - & -36:00 - & -36 hours -\\ -\hline -NdNhNmNs - & -8h30s - & -8 hours 30 seconds -\\ -\hline -N (number of seconds) - & -3600 - & -1 hour -\\ -\hline\end{tabulary} - -\end{quote} - -Here \emph{N} denotes a number, \emph{d} - days, \emph{h} - hours, \emph{m} - minutes, -\emph{s} - seconds. - -\begin{notice}{note}{Note:} -The time interval should not exceed 2147483647 seconds. -\end{notice} - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -Request a ticket valid for one hour, five hours, 30 minutes -and 10 days respectively: - - kinit \PYGZhy{}l 3600 - kinit \PYGZhy{}l 5:00 - kinit \PYGZhy{}l 30m - kinit \PYGZhy{}l \PYGZdq{}10d 0h 0m 0s\PYGZdq{} -\end{Verbatim} - - -\section{getdate time} -\label{basic/date_format:getdate-time}\label{basic/date_format:getdate} -Some of the kadmin and kdb5\_util commands take a date-time in a -human-readable format. Some of the acceptable date-time -strings are: -\begin{quote} - -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline -\textsf{\relax } & \textsf{\relax -Format -} & \textsf{\relax -Example -}\\ -\hline \multirow{3}{*}{ -Date -} & -mm/dd/yy - & -07/27/12 -\\ -\hline & -month dd, yyyy - & -Jul 27, 2012 -\\ -\hline & -yyyy-mm-dd - & -2012-07-27 -\\ -\hline \multirow{2}{*}{ -Absolute -time -} & -HH:mm{[}:ss{]}pp - & -08:30 PM -\\ -\hline & -hh:mm{[}:ss{]} - & -20:30 -\\ -\hline -Relative -time - & -N tt - & -30 sec -\\ -\hline \multirow{2}{*}{ -Time zone -} & -Z - & -EST -\\ -\hline & -z - & --0400 -\\ -\hline\end{tabulary} - -\end{quote} - -(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) - -Examples: - -\begin{Verbatim}[commandchars=\\\{\}] -Create a principal that expires on the date indicated: - addprinc test1 \PYGZhy{}expire \PYGZdq{}3/27/12 10:00:07 EST\PYGZdq{} - addprinc test2 \PYGZhy{}expire \PYGZdq{}January 23, 2015 10:05pm\PYGZdq{} - addprinc test3 \PYGZhy{}expire \PYGZdq{}22:00 GMT\PYGZdq{} -Add a principal that will expire in 30 minutes: - addprinc test4 \PYGZhy{}expire \PYGZdq{}30 minutes\PYGZdq{} -\end{Verbatim} - - -\section{Absolute time} -\label{basic/date_format:abstime}\label{basic/date_format:absolute-time} -This rarely used date-time format can be noted in one of the -following ways: -\begin{quote} - -\begin{tabulary}{\linewidth}{|L|L|L|} -\hline -\textsf{\relax -Format -} & \textsf{\relax -Example -} & \textsf{\relax -Value -}\\ -\hline -yyyymmddhhmmss - & -20141231235900 - & \multirow{5}{*}{ -One minute -before 2015 -}\\ -\hline -yyyy.mm.dd.hh.mm.ss - & -2014.12.31.23.59.00 - & \\ -\hline -yymmddhhmmss - & -141231235900 - & \\ -\hline -yy.mm.dd.hh.mm.ss - & -14.12.31.23.59.00 - & \\ -\hline -dd-month-yyyy:hh:mm:ss - & -31-Dec-2014:23:59:00 - & \\ -\hline -hh:mm:ss - & -20:00:00 - & \multirow{2}{*}{ -8 o'clock in -the evening -}\\ -\hline -hhmmss - & -200000 - & \\ -\hline\end{tabulary} - -\end{quote} - -(See {\hyperref[basic/date_format:abbreviation]{\emph{Abbreviations used in this document}}}.) - -Example: - -\begin{Verbatim}[commandchars=\\\{\}] -Set the default expiration date to July 27, 2012 at 20:30 -default\PYGZus{}principal\PYGZus{}expiration = 20120727203000 -\end{Verbatim} - - -\subsection{Abbreviations used in this document} -\label{basic/date_format:abbreviation}\label{basic/date_format:abbreviations-used-in-this-document} -\begin{DUlineblock}{0em} -\item[] \emph{month} : locale’s month name or its abbreviation; -\item[] \emph{dd} : day of month (01-31); -\item[] \emph{HH} : hours (00-12); -\item[] \emph{hh} : hours (00-23); -\item[] \emph{mm} : in time - minutes (00-59); in date - month (01-12); -\item[] \emph{N} : number; -\item[] \emph{pp} : AM or PM; -\item[] \emph{ss} : seconds (00-60); -\item[] \emph{tt} : time units (hours, minutes, min, seconds, sec); -\item[] \emph{yyyy} : year; -\item[] \emph{yy} : last two digits of the year; -\item[] \emph{Z} : alphabetic time zone abbreviation; -\item[] \emph{z} : numeric time zone; -\end{DUlineblock} - -\begin{notice}{note}{Note:}\begin{itemize} -\item {} -If the date specification contains spaces, you may need to -enclose it in double quotes; - -\item {} -All keywords are case-insensitive. - -\end{itemize} -\end{notice} - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/pdf/build.pdf b/doc/pdf/build.pdf deleted file mode 100644 index 6156ae175d993933f5dc3c3e4668654e5d6c5625..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 153691 zcmb?@1z42Z_C6pXjS7O~(51l8jf8YaOLupdq=Yom-6`GD-Cfe%DIs0|k>j~?&hcKo zzyF=*;h7n}*?X^V?X}l>*SpvLh+p&ZzW`Fv!x0aTwoSkR0W<(JO+x@XI~=vBj;Wrt zK7g5?4)Dhdj+)=V*jmRDK+SKgVXecbqh+S81INh;XJu`vqhSJPKV>2-X0}9wQnxN| zj~p@epiR6}-YX>DQxLl%A5L*Mf+W*l<}vERplgE*-IJ+;6EH{Ih8TyVcxEQ9#PKK7 zCxxbuXN``R#IJSqXVR~#IG~xBWapKU3fQ<<$E$5;I5@J`Q_Mc^<(c-#mT#S`vq`Ah z^j&7y5N_Y5H`ndfNWfiWPX}IdOh)@cYm{;|Tm~A6IwUjl53Nx%#h*BzCim8To`Q)~ zQ96MUWQUSANXyh(o~<{6+00NKVxdVfJnd7E`#O((l_#j`8sEQHv}Nl|la#yZKhK`v zgFI}BE}G>18S!$juP{)pfVyM3hSw3Z&&18yZuR;K**_}SX>hK!(5%XM76 zP1bUSMN5T~Rg?0zSM2yPfw{`%K;lsRVKr8j$iP_nExb)QwMP|q2`ss~Fr+5rVgh5Hr0U^hiWYtyO|?A2Z2@rPBE!7_#25@140P=6&(k)@ zuzmDzjA3HN?Ra7tJ^i22WDaV?fC+d~il*ze7H{Ng1<5zUYQe`_n!?3f#GkROe{PIi zE)qkZiDD-1fM4(n#;%k7s}EJ ztLQhKISn0+@QW(U@SExiKHyA40YHgvho`tYE9D2D9gQ(swx4Swm?*S<3YSik7S^3d zeh~*W@P%ZB=>&zuBSa+x=F*+vst>TN$-09~a6SUOoJqG&B60cWUo%7toiuzM?L1t%4e% z-}+MDJmFf-^(;CIR)9OeD+OIp4dA)*NrGxnjx;>G&T}fE#X_y)~YJB?@ zz)bhMoHmwPIsk10OHgYwONSrwGXHXzzvzMXyKjUe<1_nH37R$r#@hetk@nxs(GS7@ zq66B0O_PNAH<7IX)@A@LGgDmyJ)3)qrTur)^`l$*`>Lh=*NmB2ed~=%-@x==GSdB< zSyH0=c6(AF*KS~~a?g_JzTeaRh`_+i`1=t-rY8s#5o*^dYhj4i8W&)QX#7F|$i6K| zY2f)MaK0LZ+>ePD8|Mpi;~IMnk@?0}OKNg=b@!LG*c8{snu2 z5uq(2RH!R<=JNYY<_as!meO)c@^@Ql6g##{HdN#7Rdm;lOr6GVUr{iqbonOS!AgP@ zNpO$+#Ua7=-XrHy|5E?HX{G7Oo@#bERSds_EG6TbHU6<$`(?4P=}a;S&5bRKgA>JZ zJ^vXVM}M!*-65Q1_PQ_Basf$Cap7x}OuRDRSU@R6Ojpe5RZK>aZhJ{l@nNLH4@91G z8PUyIFuOzudj-eDc@eHPiV#H73Ft2uop1{xdL^{CbM#`@m8M8+F#S0uKxzIA7y-U7;i3MnRCqZT5OM%*n+xe)T?Sy+sld7iso z?`5NM-j`(`X2*7`)&sgA6jHUXbtKpQ+*zOEpr4{K$i{)aDSdiOeh83%qJEf6I2;0l z(~`AhOFbltM$-V9c%V8w_^KU@l9_8-o+QpdMm5R(Tre8tMjFS#c5c>S$bXf~VS-uo( z)@q)b3ItRt>4v_VIktZxa~R6Hp&fP1#I^0%Sj*hl?%}pu7s$t&4HzEbaKOEA%pF*f zGw~A}Pjtmx6_a;W#^f-(RukGftvI51&ugl7oHW^@djbzvxO?96kOUV9=`evpd6n-Y zJ#BYNRG$|9jDM2hBNw1en!dps{|LBWzZ<)V>0gU)iApzIc6{!)Q^Ogps8M^(o^Y%& zvU{mtPH==y2tq0naXkb2H}v$5`ZaczmqkExCl*{TdY&+P#X_O9({}%ybql*eZO&D$ zgTk(w8IH^2qio-nVv*cEEN9j|LynzlJDhwnl`vV^e8O3VdF@PWqr(b3n~b513g_DzI8{}u$O^Ak@FQ>9 z;HbtKEqY%PT=~WvGlG)Ln2yh`dlt~O`^+$^j>gNd!BFN5HpJc>TJ<7i@fOrRT#@zx zlEtH1XIe3p)NWSP0&gpd(ju}WUf`GE+9!WKaf3cfiUKFF^>Zb7{Wc`YK%I6RI?(=xgirPIkK8|3Y*$c*VC z9fzma$(E0es1|dK)v=&gfNooJWWXlkUbWV()!GZM=QG=zZ>E?$H*=8*dr@%~N_qvq zwdE<=x~K~GbT4CJQPq!VM&yIH6M2a_^()-Hj5nT6dT47Ihh5Q8Z$_i$Qj;i$!+F7VOu*<39?%jm2c7ZY+lS8XfIrL0cF(x&;dnzPrg^SF9;c6})|JIm%bkF@YE zr>93Mch>DU7!TrS$AkNpi`ZOaJn($>u7^96MsH!f&ML5^9&Tx$4jd%;WPOQ)@p`{L zd+zKQ23-oP^Q3#_c;1427pbLE)Kykk?7?Lx-+gVCdyf@e}Vlmxj!B*QgDU~Bz zVLUzd9O)YG3xZy4ttzh-hu2e=3nL08`r}m9zQ~N2#8nCCagz|4N+DKiQ-x~R%H{Gz z;FPEp+G7edVRgb!kBp(PkmKP^b!r=DQlIWH%Rh+fHE^eF@`teJ-f`n7?nP`xGZ(7` zGmYi~D~yrWRMc$MKODePe=*_yj?sg1bT|^D+`2y+`x5|~3Gt@=^68ti%Vf8%c^)OP z8y05$!@}e^l3TcI!$Z44VW!rF!mfsJi$iLlsb_;~a^z5JrvU=c5g3VaE+&p}lL_Eg zYk%}EF6E}G72b7L@CK@Q<+L@F3q|Cu*zAkTx;cnn(s=EOSwYbL|#zFZ0j^Qc;>;rij6iy z3hnf1fiovri8~S6NHHYKoh0aThOi;6ANM?Ar4o)MftdeA)RUeW4~%l`ft(!<`NzDj zq|OmWzG^5U>^4*>zE5t1wN$V#Bdm5O%m~jM#fiPItTv=oouS!97QdJ{9pxJA4w`j2 zYc}SuutYek9>#ayP~!kUr><~D9ZAVGmxf?076yzSw?4+(kX(?1b6qE@$B$$;()2a+ z{g8FB8}FFFJ`xwFr#tdaEOYZnJGNdhb5n&@OpRpZt1PWp1L&JGt=K%#$k%PqHL=WR zGPHfkVFu7)qI475vG@|1&-}Dwn}|mcbZGltgWmi>-$+Lg@MCnd!wkGhVszhtzM0VW zDH4z5+0gb)5sl=TCB zBsdvO@u=+`4fSrpp=h!ioKra|cVa)UaT^3twTQ=|k9 z`4xBbE_O@8(#J;Xo zN9H(6mE;Y(5<`7r3}xeK+tl+3+sf;8>xBmc7W#Oz#Pu)mKKk64pR*&nY)n@gtzTu| zBA4tP4<4aRkk&g}x-!mham7LMv*S>ih56vMhoMQx1?DZf!5&hkOR4V;Rvj74S6j?CRBuoT?Jd`2Rs}21JMU*yrLqiA@6KN{2Pb@S@)Cqk2q_ETE!%Cl`>UurW4AqOm#YEj%IMlHHry4; z=qr{5@DpRoPm1InmOshPHEKpwLaMF?*0P$dj5!b%_G3BN%ys4-@v9~<9d6ZrkY5ip zW~SC)p_a5%WiD8%4Uur^;`MX&;x; zufYxUi5jyAZCp}ES-|TcjwtE!rGaj?do#Odc3p!ye?!WF@2QgR*QnNweX8?apwi(&lf_^tPiPc<=0d82_xpNEf?d z`9{FC={nf>)9r^Br=Zr?!O9l5gyS=}ortGgMTtkJj;WyL@Vf8iMRYf0#hi^&kQt8i zy>JJu=6THY`&d)fztHq2G&Bv~#vbM+pVB)!LACRq%YG6scMMvOmBY~DWz4I(OfDo@ zWFfg;c#?90`OL6TGUX)p`KW4`&yPxiyXCL4>ppu<8JT3)RUnj)%cY!5v5u-v?^l+K zo=q!erkq3)jLu1UPbqy|<%lsgJPJhEGd6EiF7V#9!Ol`5oZ~%!cqre%`z11W%YeD* z`PCxM_wL$!zdjV3)MK{Kr~3kf51Il~6$5J_p&@$k?dK>zhRMGoQ>oKJ zUY{QmTD+CS<5GIE;rV&m;LEXha#)wt0=dH(tLBNib2w{bnj`c1m2e?(eZe`pf{L=5 zqq;vn^n-IKX8W?pCMSMIa7&nN-GeHu>RF|EL!{!WhCVB+am?}XgPedD(nl`(Ob+CZ z;G!r6rD2K1NNH$FNEkX}X>%VDbezaa{kWGyD94km2nmT{rapNNwZ*Vi!JkOf=jPRe zt2yaj{X}#3DO?!`a~%NnYYjaeIO;!n769Eh-AchxOX*mded9)~0Ce9N2GD=RbhHgL zc+BhpO5a!lMj$PKiG@}L4%C4qh@k<{f8zqAK!h*gJIzG*okF>rB|gBvID|I}il7(* zU}9jRVrHZTnA#W{tK4t)ouK$>Gtii{H2-Y!oddaR!VhAMKp#L{1xRrEZ=!zVEkL(L z{|AQw;=!n2TbgM}>sSMnK)27w51^LOv9|`?7lQt0F^lE9fdPIUv*=z6%G10yU#D&4 zegLLL2DSLlsi41)r++#XcS8JSDnMlW|7j}d?<)v26?bEU)bfj|xEtt!;KoRLyxPlZD1F40 z3Tv|37Pen;UC_H|f3=d6S5dH`UT?%5;0ugK(VGF{!zc>C$;yVy<4#=ZZ=-zF2Jx;t!qxGD8s) zWFsFhw%7GRW=@+o#5#tk){-FHK4_b#vmw=@Nb>)pq-JK4u6TMOQ?Fb2_64mt#liD8 zpU33+iYFOk%EC$w9eXKB66_PtY)_gEis3b+f?T^3vMDnIYF(YX@IV_Y>1V5nGsbr@~FMPOb8QI@I{>b1&C+ra&1XkTYwlFfd~`RmJDBLd`8 z^Mtp!1xl6;Zsld7g0DR+sJszT_}$4DB&ryWbpC1o4ELAVPwoHCto~yE4BytwZ@VID zZc|e;Yb($yr@wP*0QzqpNeV#!&BI6m82<1L41c%+j9feKYz#Q?x8hzdcidl0ByHKs#`klqV0RwhID*=3)_YVxux9Z~ZL+>JX3B(cYh3 zV~VDeRefDaaPI5HTts;IMLVOjM+tzR;=A%#2Hc&G;x!MECPgTi3=)i)P0m)W;lK@D zu;!N|-YWI&(!r5gAv;cifv*x&*J(xxCsW}33W8OxGFT;YD^WB({*8d8NS?umgq@g{ z%mgcp4dChAk6W1S7y#PF^Oz?qaSQpn_@?v{H5gI|1f=p2vSyRKUmX(=BMfjlk3-~+ zrN{#Zc+ITUY4$k8I7teTGIt-#m~f@r?7Eejz1uC*s4y$A&cxtPn(Pv<5gm%rT_ig$ z-yGJ7?I*2rtmYCUBa6DN?_H*zLi3Pr|HRh0JuaSaXUJtSB_!?@-?@fagMJ7DMegrXPNp3V(JW6ly9NsLuQ|nVs3?~{A!qA;$@@}^OC~z2H|i9 z8a4Kuq`jImi<3#{RX7x*P64 zS;OyH!2Ol--2zzti(nEV+Y~xYhEjJ)Y0amk1@Tx=)2vi_F0fR#OM6FbOpXNRxrP#G z4?iT__m=Y|VbpGH%bsuMW@gR25$0nYg2&h80FCSVWLx4#frmuh1In4yk`4#e) zFL;%?S!dHH@0hX>vYv~?bMyhb^vgu0o|8cxN#M!%TNh8Ml13e1uajRkbgA%ZF^cvp zgb$(8Jv=!pb5wK=BImx%W7^&|e4s#UD>+KLI(qp+1^U&#vfTkKG3;=rRJ$)ZCPTKZ z1<#-i6PodD(37C>N%Az9!MBTca>>tFH(}`uZARQi$z_{tO1=c%C{$X?^uZ$0mGr{C z&-Wu2@QEg@Vhg00$va(88f$^q_g0OB>kx@t)pwFf{#wta!_q8Q;kd=W|25_f%JUEr z;o=4NHoO8j17iYM(rl@^t&i1gjdFHHK~!!}F8G6-OcW=&3LqAbv-5nbfE8Uqnb4!{ zj`g{?>Mv}j#{*-{vOAXJA?&e{*6F>aYevLAsqA5*6%68QW(mA4c+o*1mR#YgWytnY zB1oWp@WFHZB6-VE@fPN7HnKhw_Vtsqn`K?+)oW2^1vAb%r9uxLRGuqwFF?>`-pc`@ z&`7T$_|l3|sn%D1jMcL0g-$vv8%9>(-eG|f9}Hn86!u4fziYS`FUJ5eE9a< zBb+=O@3~y7c=s#*NL-uADpQwtE#=!+p5CMppTwU9B_Co>9=D+-%OJDC>b~2`Xj5=M zJltfJNDEJ+d||x(S?AM0CT;hW&KIhE6NIfQ$=N+7>{QMtq4aRZ*SzM!V4YU7;)5UY z`)xR#(x$Cc)?To}@`9!~v9pUznY`2I7V-k9wr~I>F^o44i z#lx@Nk zRb*)lag2RnCyE6g#534(#<=;PbiN3SU+zUb>}k^7F36-UOQ^*rvVmoruAokle$fcn zT_;^~I2eBQrMIG9dcbveH@N+oc*)fXugI$dJXfVeT6nJVTg*&)_IFnXLOk=%p9JHt0d`<;pLh!misu&>KbEP-3@5r;q~ioHQSlF!mBx4t zW*(D6#g;7{TP&ZrwWegv;_UAA>J_;+)kQ;FILkASR@<(ieBOr~h*+zBsZSF%!aL2d zyUs7xDSx<$zp^GdDb;?%apD(ng;`K?g<10nTN5|0B7>y-A)N(QtN4VrfqE&Fkr}(3 z5>O3;UMQ()Beh_k&eWu-K)Adm&i>IF>Z$VW6@@}r&DmH(tLT(scjH@x0FPk!_ z03YH;I)g@hcc%=U%q^421hrp;QV6}WaCJsUrbs8M>9cQt^V|--2JZy?Q5ip^O7MHN zTU^OEu&HF4WT}w;uT#q~IGl;~VXq|Kt7i~RDdj*|JZq`u4o;ir|FWL8iT0i{k0?yP zo<~^{8{RKnGy1Xnn#fnwtHXms7fvS(*96y+rSRnt5#1Gc8L3oQ_~O)2-+^0fy2mrm z4u*_5tzY{+6u`e#fN>)Aj$eF3PGs=Difw=I`fZ+|xr3FHl@mu|5gF1No?eiBZ4HDg z(Oc)}Dlq0RZSb_Mv2hq3nr7yS27@FPgEBR&@$mjEBK)KOTH`WY^kux|^1oyBa7_2uUpp_TuwuPCW zVdfI{XwlI#G0!*8r1DGVNS$f`3#|Ev$~V+@BkMro1eg(GY|cKB_db3LZ2eQ3%ScBo zP$=pxZhf9od7c}~5Uf-*-N6suN%V{~y2Z(PnZ^t6DF{`5Hi*Qcn-5@`f_29CGXb7Soby z*+Cwria?4*T+vf4n4MEM_NuW`X;SLxR!Qa1EPd9ET*U5!G$TT7#Da08VASbi&Pag| zQG3(jp$YXomYsxzv9zI~-p-Soz`!nK$adPRolOsMNSA~qzwC=@q|)}g;Xx+mwTVhA z{DcetFcJn%UMe2KL*LA1K+kwgzHG7);;Gbz<>V)4w#*Qd{OMX5Hi0wIE_u}+G(;4K z$*BOL*6No8VSO{Jr4Lv5sEsi|XWW<{-SU}a5hV5+TSPo-~dVoVMSLqA9b z=D#5+P}w#}F~3Ao_k$D&N&ThO&ym!f#{X2)58Cnv(e*bZb&s|Lk)j|L`j z>VQXC7$LVml~g*@{(@j;@#SJ$&Xj1V!zjZ9v?#B_7bN;8H1f_ge zCLA(-i|cqTd+k$rOf4B(&4NzB&vFX0o25SgbNR6R5?S3T^e@PY<^PDRSpJ5r?#BML zwcQQ(pKRy1>;hD#`V+$d?Y{l4Vbm!qg{4(Ic1coeN>eHSyy5XFzOrja+iF^yZaM6z zNGOBmvwe2cOEA6e^J4>ie8TC46ww59Ezfk*O{1I!Q&=`E7`7zSB9|K*-UVNrrL)lk zSpIki@!Goc3mDtauW#PHlf-cBSCTf`{-g>vFzQf!e!Ld9+P7Qznu9MzfJ5(m=Mz3R zIB5{N6d#RUq|y5J&P`1Xb&pTSIbIK5>{jcmUQmwS(AasL0Hs4l#5bnua(cE8*q&p5 zZnDe1N0?NlRlfb+io?TvgAG@sbFBON@aS-HeN~#UH~}@_VE_!_7Vu05*FyNrT zvt6MGV0@u$k8qxd3(4EMXa2TB4IO)Vl6p0Mf0Cp-)HRj0tMuICqUpJ-+`z@FY%bY) z%5~HM&Fgw`;YZ^RENUq1(@Gy_T(+xmT4{P++<2nr_z%qZVh6~R>bSYE2SSB82#?=H z_}a_4TIGz-9}0xKlBSN3j5CB=mVmXR^fFp;ZX+!#_c6~u&B;EF!1&IRyNj?=5c&p*Q zmc-q)M-nALrRvn3R1sk{iG*Uey*Y5a0dF5TwSb2&PE!g$O!So=n)t1w^#+RnBVWFZ^=0l6* z;(^k6U}hZnK52+?;}^gB@l?C~9w{nAeb^wmws!Dralu06cfByOR6E^>b~O(l=)Jcv zZ7B+Q7X`@|%!5UmnS-I2G)}35vSoOTDzul<$fEMGxT$dY%F%`aBWP^Q8%5D+MYs^U zbnVcf785FU+we=Mwnep)KX^0=im^E>=_F6GLl>kyyBPPDGM!wPpPf)Or)F%{L;1^( zPp8433m|twKZzZotbFxe@!<(cQ>fcJq;f6Cz|Ye}SZ}Ifhl4M7VzR zTb+ctug=+FV)4p>Fa0;c-cLV#Ia+UxGd4u=vDLNzOagApv;N?{A#{2TalRG%@VpoE z(E>MD{N^wev?2E4wqx7v%$N|xCBnr8!XqzoC%Yt@X^o`NmvA%_z6HV1#t!tU6)&Fn z@x09dY9T-a1A{wI7E6l~&g~mRNl^@+S5cNHP0#K&D!Y5zy~`wRYY0vy8S_zwaFX4Z zqzdHQRrhH>vUYJVDQ<$`0T&OJzP-vEapsV@Aw&2ACB872aqh3f6qs2S9A zPoxLCz0%PYro+p53<2_`^O(;!xrlRVDV}JQAZIL|Zw)9(HOv&8IM-lIh*Q@tM^r3C z^bzyPH*GsD1d+n_MdR@#XNT#&s-7mA1Uru7DFV-x@2+l_mVt}#{-(eq4{CKKn$F(cJnK^*U!F?8A^$MH#(pCQktyNM)*N zY{{~LdFp9QFCwc;+R56Dw~KNzvSlo`?<8x$+)wLPHmftNbkP}{$AuDbEB97h23|#x zKGS3H1OG_x$Zuk#iGCCtmG67;a6~=SrjLd%+>z=deds7p*q%#R?91BXoPw)ch&Zt= zX=+$qRlYt0Zf8S@7de%L5Kd&>xh}PZ{f}HBM4K6~&&$cysghRPP$cwli&S`9GIA1x zIvvP1TA!Fy8s*O8!eenXRrn71=S=mG@GGx~g&FG*xiQOM%1%7@mdclY&yYD5kz0`~ z{Dp3eD#r)AUH`?-IVr80qY6zc&8vXWTRM$)>>b5RrDuxu?|{Ldt-y*3&gR!VL!Ozh zz0In8r!ugo{+P9hX$H5%GK=k1d|{i>jTz@k~9;BL%8F!W-paO^T*CN8VwV8?BVN)uXC*WDJ8L9z6EGXk#@&EzcJer zZr6v_36iGJ;GsD>J~>$2TVD5BRB^o8c=1)oY978lnd_$Ct?FPfduYZ!B-O#qV~_#; zNoIAdIkr|()td#LC%d~*yVc=+L8%|9yo}{{@bTVMkVcQ0j#U6JdD4^22*h?nDduCR z!7al&LwTQTY%Gz?PR3|!BMMd9L_sy;JEPKON|2GQ+P+}G)Af{;?3~TT#MHIXt=w9! z!usG#>pM+kcTM7Jty*u3Y^7m>ofB04`D=n=$7(&z+bx=r7Q@p*z7GsIvE&kQ@trs3 zw@Z9Or=rw^i^dNmc|UaCx^I>{uxya!j(v2Yxf~TwdhYxf$n39JX>W+!9A{>yR)3q^ zJ+B&i_6m(8g2Hb!m-sdRlaj&sTE+~^$2yzBJ@c}MuTwWg+K9j{>jr~FC~_he z>$;3>OogS|_Bf~%rjLA*svNgGPGs4|ftXl`*#7i<37G8BsLCu6{uXt*wl3i~qgSh# zQO*gk9Lqc`^ZgO(@sW_jY&TSvG%lhuF{0YAPlHdIIg-=YN zx(@)T^n;3?h8BeBL3I~&06G>HDkeI{pVxudX#OY#0e(Ny`y+X|llFfq8mP>O4s_&} zg_epDv@=f!1XXA;u>6i_f3Kbaf;KmQWFepw2~@oFO|!q+tp)z4W!~DOEUeVS{4YJfqyR`Er1qOM8pU>+57jxTu`OVk7oZ(9`~CV{eCk4J$VCV$lp2f zU(=uE3bSF;^eCDMaIEdcpt}dvfBK%m(2OlDMpP5l5y6Dg)bo zOxqb)>61%Qaco2`s-gBxQy%3#jcV`rSdbbt7}9WBkPZZQpn4kiT&f)%?2Z@x+yv+G z$p{XmxNN$2$7&khW_cVWVb8-K^-gXpD3J=&>Km<}Y@JfhXS0>zf}1!~3-Xjx;ETiK zi9^q0BNDatEHf89eLR2Eg8Bl1L$j<_IpC;2(AjlJL^WyE`kKN|K>P%U>Akv10OpKI zc!y@Gsx+Ee6p>Pql;4RPZ-ze6s+bRlIqgm(m&j5J zw(G~>X=TKn$z}L*vgzQTcSy;Idc`EYsIH$`05Cx4Q$rOg$H3a8VPl-b&q|=5K9HtM z(Mg+pxACHG94UVyh=B$T!Fu8OOQLFwm-_4`eJ%&kN>z)qMP|AKq4vPzf@MXy;A1Tm zqVC{siSoTn!kde2GLqy0yvtLQM^4?vc*pU9jh7!spJ<>tl*GBsi!Q%O@RKXkb<&qCwOGN^ zT?ZdP)YHwO^%BaMVv8LW~raAQyiBH-6P9px5AiI(RWgSFt!~P-c4+EZ>q=kJwY&o(VHHTmZEub z13g>AL#Px{$u>irV5VF&808|vTT?7~Eqka@s!gM}*#qzQ+6SeL+g3<0o zca6P;zSu%0%Yo6`;DnTtwY(1-ASNcYauBOw&ZD*8YBzLt`L?$S@>x!g{}$@pD&XvG0UJo5A)n>EGCJE@WcBB8=qWz#G%m6TP!&ovg3r9_Vw5x>XW<~*GBYo3iW#@)uPfAb zy=jK?=8t!Q0-JiZMeF4dqW~GGm*C|y;7(3n9y05s8wMOHyT!4H_%C=3L^3u5TX_1s zO}0b$+T7Jqjh4(`BfLewfOI2!@JTj_;1l!nu^ZD$(JzPrornw+$)|4FUY`WIU529{ z?utDyvIA4}%85=)Dz$&Pz%Llr9e|O10-ePqGwB(}0;NHtd{`o{L<24Czw{<_Y1Is= zohj3lTWK_qpMGGJUvW_&YkOF4|G`S(X7 zhm3vdijkz>3tjsnIfA*9;J86&Ti8l0r!9msdi#Euj`_THJK8Ma2*+?d+f@l;dHuk1JbN{7TyS(z`fLl0YG2k4S~ zdnfoZmyl8zqty1jD_TZiMg;&0yjuqkL$E{O_uH9@i)PU(%93y*F~mvmZI_-W1yK$Z zCr&S;-AFoEMH1{*B{U3mJW_8vq>l`nQ9RS+wUdhS0wcrs zG=B`~kN%pYl;75B_vV3$D(};OqFEr#eVFoZ;Ord;yz1l7s^7kKsuGz8N8jiUZz z{NDgzG=JkL|Jv~1K(PBz9R&9N-i96sdVJQ;FxY)C^^Qz)CwXe&K%kaXuq z{-h-l79CkQNaKhZGd)J;@}6Y(4Fcxa%Y7dNkL--d$n{sAzNv-frMzyEaCtaPFuG~@V7s}MgWhTE{cKI@^wR73g)h4SP6gp? zZ|AyHKI_)C>QQ>Zvl@QoolshH9(h{QvL2V&=G}YvqJJ_%0l8(2n6q>1Snyq|3KMg& zsU!A;u3;1x!_%Qu_9zvfk$~7|w)p#H^~|4);^G){i>xYNyo7y{HzlF(Y1%N&U{VOl zpLlsNuCP^e8*R})yBZwD934T-2p8)$#hqqco!GYqZhV3F<^fGr2aJQ9mR4cPW6bMF z%njmMcEfBE`m(YJeNBBkAH%WmSK^fZ7m;ffQlV5(CXggVITdQjMpu^6zMVSnU^OG5 zWx(dhwi(M5Klb027|IJfUTf0rxFN!YIa&ADr+V#~_S&jQ>*g14f6S)y!*go*_-XRw zG{$NqT!-$6a8P(1JeDEK2rTQ%9(T&4H564ox4!x)&fJfD>SK+_c;5MBngovqawtAC z+REZLQA^7bJfh|D9gvH#U;x0lWHhte_Dvd=e(|^Dc1VM~sjpGGtydT2U?=sQl}-wc z`Y0h`_tl`*{o$U#yi{^o3x6XL61?<&Qi}CcjJD?d6P4inI3AsDw@jK;3*qa6M)J!< zemjMR{8B$h)}F<206M)q?EnpWinRXbBXt{rX8llaH>}4ceS)y>h7;-(KVdOMqY)ot zPUS?rrV}4!gtLWn4r_HD#~3^2WbB8h7it(ITkasr+V$hFtDy#qV-&uDZZ~hwG@&rY z?|u0oJY>p`#+3kIOQ%>#RbBsLzuc*+ee%u9f`OzRNBCo**)feWFLSQz!BL#>R85Jv zd9>@NN=eKOPq$<_=A9AKN;sS&tjbNMcM!n}5!iXpXO1U7h8v3t;EM5P%D^xpLPS2i z?X+%=(qNU>FLqx@&PfKM`U!;K9Nu2CMuk<=E%`Ez2d9`Y?ok-TxgpK zo)!WP$Do*m#Q{up6kRYPEBWOl%+k&Trk8b!Vp1VA%T(2#FOU4!&u!$y(;3T!={p69 zb}lp`J}jW+JREa=8rz!>uaNZWN_x(*%%e?(l#ih_^i=&*F4XqJixWrTQxFP$PZC0BfX67o2S<-Nzbb_CtNE_FIpo~t1#p?tb=#v} z@sQ)SzZOirlv1@*t-C3DYh!bL>a~R8U$2loK?k#L2IEPJbubzQ;7MOv1%P*}5p8Jd z3w`Z?kxP-DL(aSM(MZLwPq-bN9yiJndvLfL$A?QMa#>XKRDxgS%JKT5Z;UjSYgnLY z6faXP)x66z+LWYY7av?vCRn`VNx8GqF4)0lfa9Z9FZ6hMGw?!t{x(#5|NK;sa0fDi zr%lD?t+_#Z=bB@Rq@SI_9|8SGHgHv5wz8KraWK_)-0-7SX*v=>4jwAU&9E&A{q*#Ifq_2_~sC?JJsavdEyI){pK zt@A1MgW7it^qNsV4LAna;ZZG+Nj|xF4=&XS!9q247Op=D@UmaKl#>~@&p8?>;$j;( ze5EaW%kpIF>~qrMYD*l)%~MNX|CUG7?H__4-6WDX(!fPV(SHa)%6D%Xun}wp#|A{; znJG@%v`C?8+gpEKGy$ApVt0hdJ*kjVlWI;AKVN^@;*)?)qORq5>*<$M#)6*JXeg5m z2|kXW>r$Q$cWz(`@48-}o$O#8{UnsZ3lN3-Xm&T>kjQe$Vkpo})ftWJ=17 ziavF4@P6-w?V$zmYB@!kRzJ}wifXA$b-9?$>MC8{ES?m_HDU|YQ5vbKePO#M9oBq> zJn-rbSCBh4Lf+Tw{@1TAOZ$`k_(y%f7#5$y!LaMVz3%wHh+G%mN1$^7cVGx7VHlAC> zpTB`+P7}V#5aY?>7T!_1RLw|p{}|^!8+*oRKH7cE$@DsW)nVi#j|y%BBT{|Bjh7%Q zM9tf;c< z`135`4p;t#^ag^SLhw6T0uWSNd-uD49SH{BJ&{rh0KDT}|4MxSaqWLZFaL4m7s$dy z#Q-{Z388G+d43CuR8$)nMI@O1cx7im;sqYH}$TEWNlD53pwnk;I{nf}G)Uj&_M(Z)^_w`r5|)X$~wu zka920?$pxn50gES#C2p+`oeS@SI=skd$DKvBt7PK>%tq8np$?p$SSu_2XLL~%rk5D zl^Z=j6NXskxknF|X?=~oi`Bupmj`i1mcFlGI_+`ya+{f}pc(x2yn~dd!&+TwT99hE z_P*1;OZC~Qm$t>K%nn)X`vmt+jkOG6xM!I}7hkwhrpIRW=FH;W2;bTu9uim0GYW*$ zgNg{##fCmao-Ik8Bb#Ier^~Hy(Q_cqpl9zX<+2CvVmfMFV2)QiKI(W$ z`t)>P0fJV>W*W`sfivw0Q6L|Y54GuW0nqVHD*v;AD4}q{(w(;vmW4f+5e!Sp>6=B~ zvb0~ZS}=DV>clH?u+j@z1CQ+EXvFw1)93ifKfFV+^|nLHE`ePh<&rH*HaRA}>U$$y zw83qbzuvL`M&$#eRx9VoJqz=GLpRWH#0KE^+;|jdtfP> zKsUo7=trkCYu)K-3(9`+N;^O2U}(3`eIsD^PM@VJ--8ChfBgn;#!|K;o+!yAC;>9$i}3R+e|y?~k^Ymg0%uAmQA9%seI9_BiSuk)lmbBK$k z3=?Sf%7}nV#*$;H?6ozrn;`?{V4Yt+1%_S}s5lmhB83>4KcwI#W+~R4_}u$>4>!GX z(H=FcmemikmHyVQ^nNImdB{#!RpTS>P#k9F^};l+wNWcQZT)%OuVG85VTmlwyMk-rIl-H7g+~ zDUpL#&=MEX^M@1$-6&H#%ERwJJ~SVH%{+YlJV-qdF^C4>#f}UZ4Sx1u#DMbR0pqe+iV)%fzL!f=$Yj2WRLJ^KiP=7ZX@9XsGYnq}K|V3-TIb3Mb3PlPOfY#z@)^_r)k6Y>w28 za&pA}aK5YJ_4IUfB>qx*wDDazg^OqP?D8uCA8xw4znS3tAJa|dllAQ<49)jZ&eh2<+j*Snf#A^F>yW)A*o@n2k}8u@thU8Tm13lBy)==%700hyMXQ-~ z*kDO@Oj%|U8me2u#_N1Md_^BKLP&;|MLXfS^c2{Bj0@|eXlZUwOUfuNj2oBKKI~u*+!jk*(zfgus;uCehbrsg zYFdWLrdCln(uyr@uhiz1hSz~;12-Fx-~;MkdVhuQjvV6gS(82`Y8ygbrfM?bWEKDT z1b<6=x`Ahg=mx{bMBL|E8LzOkWt`%pY@

<@y$p$f3e~#NL@{EX&l_*1jwRLMgav zLd&LnL{pPpHu45p0!oG^M-dN^e`ONOBrW2bE;XwjualB|K4PAvy>+0ZU~^;}xf2CPv%546%) z4K#t_#F&;eky~h{hAsZkLe<7eA1dh#uA*Q>S+$YokTFsZebo>2bpA&_lFa?z9?Cvg z-guK7Ox5W1yI8)e;>QWa6;?(Tc5v6R8{3A4M=?T2G3sHcOwJZ@rJL1SQW|&{XqZzg zU!3=u@#q>eJV+L8B&wL0I+#%6-Ma;ecg(}VWvI!1)t!oVgFJs)7Le)jp!H%wId}H9>#Xv)Fa|X;LF13QZrAR-2a4f>c)+A=CdNR; zH&A;fulRG~14g9tqFJ{rU8|Ie7n&{PwnH!JjYP7soPSuPcP9itkvu7ae_S~jXBg}h z&BYcTB=*_ncd|_u?`-_BeqzlbQ3S>qLDC|;;$?)i3+emSXjD04$Z3UDgDSX8Q8u~j zkp@vL%f#9szkPXc*pxuu?I#RxQWrxf$AqF8j))ub{Du_O6Ns$M{TNG_2J!^#W`+6? zPl&1?TH!nhm;aj~uoWa*NKlb8c47yQ&T{MFUGZ#yR+Zd;pW-Ez3_5BJae5HAeL*Z_V&Axq#$)H&gAr9B~J{q>uY=VOP?Na?hX^9ne}RQc;-eKIHJKdsA;$DZ z^Y|uxYhrg^t2)*56oesM6)p~h3Uj5Aavp%xAfzDSN#W}FCfVF)xb#gZf+5sI0oM#G zGD)#&MFp43;7ha5HFkp?>_9aE$2yg7>k*IsYgatRD1U+Lh_+8X#4#TMVlzf^R>a+^v6OxADcl!#|Mgp9%sXFJL2& z1)#0>ZvYfvspy|b@ZUHB)V`PjpBMl~ivG3WpAh63#bf0!T%#e7J&UE zE`ZUfe`U!0;uPb#iGK~1|7lI+_ie`C&r|u^s^U> zm(liup*jA(idm)RzRmZ3)TgR1KYa2|2-i03TD15zH~n7^hN4kBy)JxMg93}zdK=)f znYh`98uoacxsbZGUsAWRiJsi!IXt@2#9HToeFg7)dbqHkUN?e|OK(7p^jXi&zA46c z|Ju45=Hct9VN3HM7IE??WY^fOtq1eNz=^Yga(wgqYBclG{mLr!thS1@WYNbQ_)NAm zodEKLjY_YUo5zE*p9cb_V6%?c2B>b;0mlK>&63Wh#NKw;xZ_`Ro1-G~`>3ZZnoj&- zvig499uS){oF5>$Ud{M8XDByE(TNziw?8H{A@3_SiFG_&BeK-Eq9ZutyF~dUNk8PO zi)4yV!4bRc@jMt@8l?JEJ?22mt$ zL{(;iClxjc&BP}s?PIS<-uD%lmJ-+D4JdLI7*<;f)UWOEJH5{Ga@1#HuBmL&8j9; z@+QUn@KQ)iJl~F zsv(QaM%4$=H|gzi_P@k3V^bk&HU?cRDVM0#_7#kT!4jgxu-ZsiaBII7#VJMYLCi2N zk%ajK3+!kbvXX?7AT}5G`^&Mgxms@I__;qWsWQAi=;{{kVoayA)eJDJ; zszq9CEU%2H4k*6=x)c9A}+dG$j5dWR04$Yr@-c28Mz~YYSf0Fx3B&tdy zR@?S==$;QRn&WT@f34xCH;J^w)asf#k2 z`igHrHTJMo`qKSmVX3*tLr9j_o0U`lG#{h2nftzBTxObQSbm&X|G{QfN9Zt z?c*~g)*GSsZq8)rT{J#des$w5C?Ndu0U=WS2ly7{?Cis~{pNM7Q!?g_yYx2Wc@>2M z%nhbLEDn}^I0)k`c$~89jud!a?Iql^;?*8Y*p^MPGNyCTBDi0F8=!#{?I6bUA3zp& zn;&=7PNlJ5j>{)Ol@)K=T)K|3Q&nxcS6WuAfFJ{9z1pbGeqHHw_j$ajwQvikN|sY| zng(2WjRc|pn@?_2Cqiq|xsPe<5@;TF2og$c6lnx$93n^`5{C-B2?}No=C$7jx*==- zc`o`c`iD&yP(s!3p?HQp-J#{vDV3oE;Dg1yzrIt-Pj4u%Fdg@s`x->~v=yhq^bj6D z-9OxM+UR<^KaAX(Pj!N}`I1}qmqOg;9(z)y!DrAM{OE4N<~x0#*6c?(J0|$aPYwsGowvOLHpMqH}Xz`I*gNriMCKbY@mc_DKF2XQoZv};{JLvs0hz00u^F; zd1SI9X1uolK^3D%bQMLiR&a!rEkc(1V4WH!UPsP$uUXx1$poD+I7Li{|6}$YW-r9o zE8@P=q8kFaKEsSNiuD9&i5p4V36;PAZ8TEE@dH8leZNs~R&oO5&1zb} zr-D~w&UZIX(M`Jy7A1zz%7i>(=ne*yat|`xWCwmdMGI_*dUM0f`~DA0*4ioCmnA_~ zhAJ*5iY`zXGMXpcP;A68(3!z)98NAHh#M^Pf`UENW1OIDtfwI31t+lMC;p&p1j0Th zCZ#E*rl3}YfCar*y+?C=U}21^v_nM~+9GR1;uN*&EhkfR&=|Rv2-$ktZvV1Gb5Lpn zo()bu^%XJs6gJR_zkecj*HCSO;s9mh ztfpX(jL}U(h2zL2l@f)PI#Op2@7$l;U8Y>dxgoQnoF!8J=Ae4XS@Ct&glgQvUNlj^ zTDzz9g@|7)OlTFW%MO3FWX~|$IGh3ghd^uM50Dhf1$HU%#zW4m&Mav-z0 zH(}dQc=*dATm1!xBA9sL7uJ1P5bC=bCZpZ$2SSKem_=^pUVTjFi|Te=8Hf-^x*JX+ zm+dfUB$Nk7zBW4P-h4GpS)coQypcz?!~w-V08BKb*sq(H`F0$$1F?K1-RwmDo!Djxf42Y{G5z2RjD^z8U75@T;5k3cjZmV#B%Em zaG*b?Q9hZ5g{~!ep7Ccm@}$}de@UlL#ria6MP(u<`z=*|F3j^Q%<=~Wgl!aob%l`J zpXPnv6l=p%s_BdxR&}z`d=Z96X1B%G5Q`JTir;iJqWsW6jfl6m=a8Q)EsYt*Z}yWp zN*|MiPrjr|bc8W7MHCa_SqU^9-%ar0|hGTm&5`M>~EyQ-jFqh0|LV@q+ctIZJvqlpayR$Ou@>yT&>GO>bZ-6jTv)k3< z&w^9ISJ_=$A4um|lQY4zLc$8~X{G!-_2*&z!&SL&SCPp2^3)x(O{7_{& zxhk4npk0@3?F@>$9?Ee3;q}5H{2OQv9Sm+1zW1kBts{*efTf1nJieXjw9AO+l+4 zErW*dLH^3!k*r~;?zFItUxpjM^QgZ88vUBJF-WDJ{Xihi4&x~8?JGCyRNP_p@oTMW znE1m9AG~<})`&1Db|Q{>{@6$K*Rqn>Xlu55W+mPj7kI)$E&D|{2c1tW@csuF!ij^i zPIfmx@9(J*XmuZ4xJ}JS1BxG_G0f5mXfB~2Abl|Vm+gL8(@Ztkf{(tIEg$lp{rM69 zZT=J-jcxxlk3SBVJlqjjh6CU*lnXwQF#r7ElE+O%=bVcj&+FA#83iJ2b>hdy8}?Gp zi`?%%snh9S9dHYMg7;X~VQ1~Pr2OH)eMr*o1m3-gIsnQd!E1=>J!WtU(7>Cv|9GDzD{oc9=STAVvIeg z9@DSssWf5q#4}0dY()$~A#a37?l8PeICK&pc|!sp2IZ}kjllLVPuTs(3I0|*K}Oy# zF&|?R*tD;>sUt}~?8;6VY}vypFcVzqmVgNOs7z&QA$PQ=ptt#$iFwz!UQ8hu$A4V4 z|2}^A2G>kr+wLPi?D5dKBK@|;+SlWL%lQqf8)!+#NOofRa#Fgslc+Vk z+;XVK+G>z)Q1;>2Ca6G1w#Ak9Xv#AbH;ycrb&QWyBvkH*%HiztVCHaPNSc&7jAn3a z(}^AShT<3b4?5-+Z8?5f-NUI7mXRY9BINwtVCSZy)AI<(se%;hzKAI^oerkuxk0MX zq2Bu*7+vx`@qL#EQ^yXq0gu^K2{4$lM;8@`y~(Ke z)>NFPPki}mT8o%V$WR8XQYA2v^T)cn9Rk^qUB3=TqG`H@q!->8cfy8yyc?41xOH*Q zhpcq=*?JiD&_yZQnmD(aGlP{tSX*m*HNrY2SEs6Dc_`Q*Cu10I;ysK5sh#?CJoi>V zxa|A=3T2{M?~rlWeqZ|Sf-5SvnZewBBorH|^JXBo!uT5jWJojQ&GskItW4Lq$z7J$ zkJdyxnUYWx2%--l^dnytK$kDx=w6EoB@YPaK{SQAUwtdpAwoqBRcn7rf#rGgbn>$x zOoXh2tMZ3S-JmI7%F3MKf?(nngGNEQzq02=MvJEjcCvBpL3Cu=VZl+Ne86hRk(Cz{ zFELTkl}!oZPl@kk%eR{&BVUBh8T!IQXcjv`dTAxQ7jDe+RZ!<>Lw?{GqMI7$8R#ct3^U4gU-(7TKumm)@crJrd`B%UbycK; zaWAVD%p*ta^rp6gc%mp}P!EoP5`=H9(1b<^=?>4v8J|wDmF0`JK=0GggLN`CCXvOD zKvGy?C@6hVUp#X$PRV!=JPYJx%QVVC77a4a?#tI4`eC4WY-{7J9PHcuPa~)`#y&R5 zqO&9OXh!d zNUXGv=(#?^p_8ye#f~(29d1Qg(spnZ=*WS9>^@{8t-yo_G8(r~#Yh#Ea9J>}OyPYr zl}1J=Ki%&V5{?gl%&|*W$q|esb}vpVpH#qYGSDLab@{T;Swm;KBDRWPrH~A*j7r62 z#Z$Ag{Y*h^aMr$69L6s0tjc|Daq*4TS(FkaI9?b@(WTt^CtPsyT}c-^yKiHVqN204 zpAgrx*Ih$Mc?1L3e-RXDT1W-dz)v~H+Bol0(LS2HDLWLuen;2%&7a>2E2Wi@Jt#4y zLr!h+%N2g)cM~}yLU5{$*zj7G_BOIFbU!L_H8c){y*rxF&t_Kjj8AIE)Oy~ispP~; z&K9Q^8^2CVScb_Un-6awhju8tw(=yM6V2v$ zPuI?%l0DV&R)zUO6FB zx-zi|edXMziX|%ANOGFQ&~w*&h41jau(@JgMOy1zQwNp)RQsd0TW$sp3npF9T56u8ZB0Z>STaR}xt*~Pf@%yF(_WrOiLU)uP$Br?z! zxUdDceGpEPC$I&-FC*{wMcra*Ce+&GgO_dJG)iaZVu~hf zZNPUnyyl%bqxD0!2a4t+^)h@Q-B=1V-`|KE9=icjw!4-Qp7W zkP|K?@{gse?3jRs_}VWbDc_Xx_>n;Zgq((0{2f13iXa-QC{kwvd5EH@)PxX%L>8e4 zf+*gFU~lKN;AJg|HL5=}dq@|9XauAWOk$)FAqd-t+5_hZs*qzAnD=aNAXtP1Jw~$; zaiO*nsQN)okSOU}@O%+dLc)r>e)5DS>tyYIR~Lc>(`tFk_jPqHNGR6^SG|UCd7lSF z)6UH6iRLG$&>)Bke*zJ>LKgyc2?^$ITrQ-FQVUBmNZEjb6K=>iJHD>g&tEF&yulk$ zw9m{Ix{0gBl#kzgT$~@Gx{@-@lyW5oL&oe zE_kpH7eYBH_z+nzB+{p1#LCem7?+l!qA_@m*3^rZa!Js1A6yc#Nh#g2>!o5d7)rhvX zc7JJF1(Di8UzrVB?(D&w_D8XMwHEIg3&N8;$lxn*D-|r^2;=7p2~&oiLT<7?Az9%| z&|`zFK+U+{EcxB}wLU(c!zD}Bv0o^J;)%zY=!Q$2&qTg^2DJnZt&N_1AZGJ`ZA_nnVnHO8U-Bk=?tuSIs$!Q{un5TUWGACO0~QF4#Jo z+iu#PQ&*S7W{ljdvVg~n6TBezaA7$_*B?>@oE4+&oFh}PBD=RNuDGa zVcVi_kXSJ{LKj7RxHq)kL<*V?7oc1Qw1u^J;0e(h7ih}{+TZxRHWwhh?r$gWm9rDQ(N?FqD!1c| z5v^y$wDxN82*GDNA9FU;8K+xVGLCK+49O`r=`5wUf}4}>uZ~VoylfIs>6(3#zd`8vE1ZcUulC)6eyJZ!((mnmIzYm9%!`$B&zHU z&(AKdEo#@VymJH?i0^N*&*{X71>RK;!cOVpg0*xa%+8+~5FVG^T0nyC#jc%WyQ=Lb zPlBI5!hehw!uTs>^PdlRKEI3q8QB0F_C2d){~wUezivpfJ{xuX&n7nh)g>MCp9%u4 zF>)}l0i3D)+fF9y@6hHM68+8*U^4>%iI@Ra_5Z!#@7u%wf5$|BZ`1@%{AJIb=tS(Kx9;9iBACf5EO`oNvK2k`(Ztvi~ zJI00T@C|Mc0f7(7BRQ)bSxC0=P42lr*75m(=6>Zi({HGcFgDr7bGNObXMB_eR*E3Wf*7`@y56oI=UaE-sN{N`LGQW3 z$d4L7mz94K60~-TY^5TipLH~ZBGk2CW>Quc2jfTpfkv37$imeBhMOPa(CvljLNbo% zW}T4Hqj#u~(R7&36JLf|NX49D-Sxk63~x zcbfTgr7>?f=Lfh@f}2%-Ep6gJyy*x>NzR4@FEyJ+G1zy?-B?yuS%lL+w;M}s(j3SK z!qc>kq0Z+}#B$h_yQt1$a44hwvh$c=+^^a3qJ^@>L;5TuI>u-n!5r!Z z5f7LBQadCr|GIJLu_v9dMYT5IA*Dz#xsn^;9W8Q`Qz$FFp~R*|X4U18{Zr#ixTsv| z8VW+74Raxr<&qpPl357$i2nSns4R11UN!RTUV7Oz=^4_wf=XDQJ^N?I#U;|cvu0x+ zHS{3|;W1oOKeyu3pBFcA=Y1F3@}Hs!L!bpevxbE)!n~WQ#KllmJNn3MXiLgfw{l2p z&9>Jpo5B>uMWm4>!->_XBG+|>$sAErbeUHs&&!so8l%`6&MP1W=D$-!nQb^*aGnVvo%Nsu-5wm_-in-4i}WOC0Z49 zQLe_4IM}lE`V!4+{{-mk+w?^k*Lho#gW6H{j#<&+5l#cD>8cUs**2=W{e%I!!1~eC z=wEV6PcCZp3$*1d9|@|>Nb-#BrVeFT|ZOCKkn70!MAN}(kY|5 z%71ozw`y{nB6{N-gJ7Q>-g+x`*jO9VMF_5)V|F}^!tbh8Cm>))MAz+m&K7pb0Xg8l ziK8DuBHpH~k~hrLdA4FKmCN7+8%2!;>Hlj#ZbNF0bC#5t9gUz)}s&hGNO#H(UPbz#6}YxR5B zbs*gQnBjGS2yd!;TU>@@mhIq&M5yW{`Jh4E%`eUTo-Ch&=xeOcE~8n_7U2EcFoEk; zdPLS_?f3_bbO&A$_Dz}}Q!E;k;B(Ly)_DaN8OxM7c34?Vya?=*<42eBaU?Qr{(Lap z>O1(pScsj5d?ch-t1~m3%y}mUepU?rC2B9%=Ju?J-g1r-GHcp z8Cx!4>_XiS>h7OKJabVsBAoG3HJYk#Pzdv0y+U+r%{OX6y&1)n@(d+y!!vp>tx+NM zp1+`y?$h@~p{#xI(~-3Z zgHSt5Z1*t z8SeOymt189&nT{s5e0teMOj|xxPZxYpp)R3lr-A1I|hB`p!_wkzo$gn74E_)f+tjq z1GTHPFm*>-?OHzy#D8S@$}(QMu3lsbW&Bkk7H5)4aHA%l;QRI|Gs&^!Umwb2zUNjt z?a2wU4KDKBZ@@khF8bd)EzMU*iN&bhKg4X8=f?!o?6y5ZeH_&)6v3vONRfkj$N%-0 zo({O|!+~N@;hTaJ6Bt@k4%Ol)27Ezt>?N>_g`aTy%z6Dw)!ZfXD6cS!V1t;fz>2s1 zsS%j)SABP_U-jhjXsgH*`b-O6NOIyUZjn7c+hP?VZ# zx5@}USE;<&!W*tIz1<-f^stG2rR`^>tx}ep=du%RIUM*U7Q`bKTd$$AEQl0-#$X;< zGa?fGVpn{d5{ANGjrrw?s=$Z?Nn)c#rFqeHH>`YUiKAc+>L*b*p*u?Js8$lCTrjx>-cyA zW9OyG4i<-ShZ>Z_1fE#&?vq?75{Wqnd-Q$<8#sQPrO3oKAJOMJ3Odq{nGRj=obxe+ z;)Ba*C0aMW!!0aU{)A_u*L{Q2-d&a!-ZE1@{`K)V@_|K9S!1U9W=nkz-ab=Q+Ub7T zVQcbdn?akS?rB(qg>36eFuZM#m!!J>Tjs%x;-`ZyT(b52r#Zu?CnX;Ut`8A!S8+6M zNl6<&ksdz1pZ5zB@2MoXc90{(zu))Q;Jy8f;jg|gjV@Chd`leTGj8w~c;VR-^UDkA zUmx}S!<+PPZm606%a`+iG;sJAJ0XAaV+?$I|HBpZe>BMl&`$ib=Hs6V{x=q3p4~RT zwC>-y0Tep{XDd1W0%HKSI{rsyteh+iEPzb^hB2Ny=7r(^4;bV3y_VmPF#d1%U7r2x zzSQSM&5{{lUFUD&jTudVBNHw(0N&WCWmi&#K}YUrd=*R~$CBzowJ>l0O=d(1jlxbQ zR+GPf|KVaO5{f1+FVQh>NUe;l8k7U?;kp&SUSMhTeqkv*xd}Vj#)wP$9a@;JQ(LN- z0Tw_-Ms(DAu5Ro+*(&K%ok81)D8`t#m$S706+F?fW5e`}@b!7Em-wbU&zxE1t}iPQ zQ_c0mWieo*9Q&ztt-4TPqdw3emUu+%E`03ET^;+lciN2%)#<@X#p0L>PLBWY#z-`yNx2G5p?F-21htp4b>&xJ+?6|wxxZuVQ3Fxyk_1B$9H$pJy+EKksKZcKN4e8;wl8SGxTj{}_q@sgQ zdm2IZ7->Afeaps$5N&WGu+HK73uo`tFacV7+R=J05;;cHnlPlR3y};aekt?Kkfu$9 zVWX>vQ(TP^*d{K{E0JWlK*vypQFt!Gv|C1W4>mJ0H0Wcyeo-Thsk2z6h@37#cxF@I zczami6{EghR}9mdIBUWTN|o3*@CQnME|{U!=H+mWtk$s6%a8pA)%A5aG7M8QgnK?@ zaD|oB6u$xlk&{IF_^NKv6)7!!qipjp0>s2R^Ge=#jHO+5i5H_7z{4_Y%3GoY3`fUz zSdH}~K+_<$q#&e;1e(w{>ZI8e=TV($&?heK^<6C03Hf*7BKbj8vccd{c-;RQdXLvt zWeoZ8KuDVJqy@4x%p@2Dvvgb!acOk>UXhZI; zn$T7Pdoytj39Q5=M^$L`EHbM|%C8!QYMPy2pJ~gBUQa%OuY#2f1e>k44uw_RpfT7p zXt;=WeF8CAmp%h0K*&IZrGSjoJ^=qF3pOR_%!iZ;xAm^NhR-Ke>KB6Fofe^$&ifmw zTPurKhI-eaAe%pb-gN(0ns?sbm=Q@MyXKw*>#4AElY6Fwv zdN=fmO>v>JI;aP&!ioNacA7trTpR~|4q5CKeHq#cU4tFcn2675vHm<#rE1g8p3#?~qXD=fs(<(M1h7Zol8j5uJ$BzZB zXtx~SYaIRBI|}~9K))Z{I^q6m!x7S)SG`SwJ}PLZ7u*p3UTnY6)jB7X*FuH8g$a2# z<~zi~53bb&7`nH7-loNGq0#q4hLB_ebH#W+wH2y{=^K|M8tdu#P~MCk+s-PcdC+uqvb_Cyhp~Z0(LT0E7#oocx^+4neuFMI*Vi==ZBwQDx!v`sy{!UN zhha{GJ<$==1$-ixHOs!N(THVd*v``!R~Ow-nT@}n$X5Mg-!dPZN6CEOcncm&u!AI(k${ovW$X2w~-P#2uFJP5d|Vke|L_hNecI!wQD z^o)gNTiuR*n-v$Qe)F`LU{%wvDRFa-{DIAu(Vs}6hFm4!ktRX7H>w8|PwLm>_&Uxc zt&<*;rRp%9@%zepPZG%W52c~OQzjxtVHM*7d;L<9iMq#ukb0G-U?HUI2M z;#6cE@Ir4sE)7Rh%oy}T{F#FO|xy2GEk@Z4u3H%9Ti8>;JMpTk|U9SQS zdWxiSg`s4(nL4es!PGo`1pOry^dnrs5swc0$fz>90>N`_F`+o+ z)=p1w2~XL$;c$g3C%M~|AE}n)c3#WKEIL1!sU96-Q3P<|!IcKrFW}OWV>>Ama_+#V zY4Fc{G(5<}4hc^oY!k=EZge6J)W!~BXcmt$L9?$RdVSQsQgmYo`d#^PXK&J!K=dM2 zu-$j#TmurFx>w$2_cA?!goXpWq!z*@DuEu!%2EmnxrZ?8^VC5d_VwdEyLMSdd*G$4 zY{aR#(=mey(-tD534~4^t|LXYpVZj60p>jsUEc0+xXnU=Rs4-?YO$)x_9cp9(Qzm4 z9KUlY0oF8#CtXwGZtkn(ZrMrXIK#;SP4n!BV)U9yxc01XYT9voZsDVZLEBv%#;V4_ z43X?@6SuOd+mu8%Sw_en>T-|EJK19=#P1@Y^a{Iz!%!HHHxbGxLT1m2>8fX<{f_+m ze4rc0Ca-e!5JyjaX5wx_tLf#8c?*9vzD+@9x3|GBD3`2-ucx2n;} z;4*>n>Mm34cJD*Qm)Dm+}(fMA9 zh-Idx9GwH;fZt)8(*X!~n@PYoaT1~&JlUoq5Lu5UBqdP)FDjilVTsniU_m)6f2o9A zrkfd~?63_8LiNkbb4Y77Iy$z{4jJ>zoCSi0`!V$CU(QnDQL5Zm-_9!njW?UMU%SI%d`Cf#{z{(!W&M4%j4dSJs6?&` z{pE&@Z|w$yCq4747@$HMqg) zLoANiW;aQ(rZ2d5w?&al7oj}&dczOsqP{LfWT^Y zglK1^hcY{VcM~OiMXH)Q1^zH2l$cnF*$X^|+Cv$Paf`ORQ`SiKJ{LxOJrQ(KmICj? ztF%{jO_;Vt#e#&vcszd9*H|SYB-?xNkimL;>0yl^YncR?&d2;frQ@!1pW zSPn9OkltG#z`jB)tbTK$Q!I8E26a9-;@NUjci6F=;QsK{8Ly0^4cWfcx|QQABxB=2 z{!iEYCQV;3n7iyJ6^k>*Zy4{w-a~98G*akT5C}wdEEWd${|Zt>V1i$e47s86!M|@S zsBw9MwJmdoBo2tm6diA^~&&|Fz)19l-mSa?IRZ44i+(@VSjI zNbEl&!`~0%{aHKjH!Zw>BE!G8`^5e`hW-N$ase#z{9QB{srKGJoeKkC40Jp{MZ;)0 zkO+NgK{mdAA;ELUftLt!qZ`5>TaxAGDiNh%tyM?B?$_?lPR6ko1k@@hl=mpZ#=?Er z+nm@W6+ajFl->|SSd3_tIfP#P6HFcc?LI2TFVLi_sGr-S+HKKMK&Nh*E5XC`XYSY6 zgX<+_<8L8_L`m>G!UcxaP7l7|)?66~`s7{0MPaCsER1w`_2?O%B7=|@k)JG@9fBms zK47f@6lHObJo^n-TX1fUEYTvElvfV7_Fj$S=sVNL=hQSHSuBx(8-@g;I zYb%G0c-rG5ka^$cVU)}iL1UNYY_c)j-(M5tK4nt4;8+gRm?*JS0sYvQg4Mofkwl$} z9baZCtHbe7>TKw^h0NyFUbzPzSzHTO;`6C+V1F8ecYu3)xzP2{0EDy)jCr_HFb1pp z&ZADtVYf!6z{<}r2K4~kZk%cv%E>A#d={MXh)kL9>dtjTX6#dMij^>VfGS%xOOw;K z{6)SXM`z_+b~O$&1vz&~zDV~#k;pfSxUhK~jLC=x{!GqtMmuPoDuGtA&&}^MM=6Bj zhTc-q_E&o@y$}6>C=2jFGPcPxPuZkA?4~D`x@;WDqrPYV-L~~kj6xBy9MbynY4726Y;nzbC zW>KYyR&-I^CIRw24uYCg7fT%@<&%{f*$_=rGacxQ>(%W`bXF0@b?FR9E2%}Y?#rm_ zz8D-k3VI)Z+$u)4ZB5`Er@=~3aK`^4O|8!r4tl#3urNxYACHS>?n(h4K--(oiY`Ra z&=W0#ep(%Je3U$gT#SQ_N9(FET~&V0BfD7Ubw1<;!Cg~RlFlkuHRY-Ame@<7v3P&% zz$JxQ*e!Q{Mau2XeDQhtFgm6iGi=8-fvF!QavIlO&$Y#g^}$HLRqGY=IxQL)ma2gV zrnp~^`ToSL4KYU460X$v1#_+klY^+eih=dh2VGVflmu0!7!$wugOz zAoea=vI0iCpyom)C3A1m)~241A+?_me*6?BlU*GO3=tXg0+FUAZT*X77GQqspUd7~ zFSE~c{m;AnfOElrYnf&LFALDW=`RBont$>Gen)$*z~9hcerEZ9TlN0Axc#nr{5Kc6 zKYoVb-g9tplDq^?z_IS%uQ>r8tXTn04cP%c>7Jhh?9Xul?t%H9^8)T)$^g_60H@pk zc@NC@QU>@OU_cJwtph+05VLbKJ=1)?2G9o5X9F(if5iWI4xkAv0}Q}4U<|AikQea& zB>?LP4A1!hX+T;)-ha^31`ZHFAHy*N)Fqz91ZXy(`2QFFU+sf`c00!(FClR6UnIs1 zkj}G||Bx{78W@yzt=y+&_Wf3m30P}ML_yR}za{#pOWrn=W3gG>7{a!{Vpnbsl z0Y~af-k129KOp_({y86j_VdX9qhEk^2KEmdfG#jUkoHTxf1gdiw+(m=48U|?45a^3 z<|Y2qYy!}InN7eL5PlQuAFqf2u>z_D3@>5@HVH`nrK|p^9AMf5x(JX4Bn3ACM-7y#qvL;#DI0{>UJKCe!|73z;wiW_hiLUYMPNQ)UjsVnMc%;s=Y~9I1l#}*qHung$GvSznin{01hwt|F^OQ)&&@V zG+qL*p4)+@4KgIx%KA;?s z&P%_s0XEfuZ3R99*5i-v|3?gb4txd-|ET*P*TAv#lJ*k6)bY8Ef0X+d(UPzM`x}r3 zjM<+z2VbTckP5IC&!h2olK=Gp&@Lc-V7q^xtiTe$zzSGD0fl~B7yfwp0{qGXnhgy9 zSQh}-FI@m6`NzlYhd0`|#8E|LXo%Z$Ih(!hdA`iT`u_ z?`!=h{_mjdfAap5`By(b<^QML|N0yM=Vcg5Y8e|9{o}c=SJa{r^XG|Hl9I z&YyGt>gWIE761Dc;s4An{NosO^iVYaC-w6*_$kEtU-HL0{)_&IG5%1@{PX+&0G``y z;ApHhPmQ_me6`YK#c}GG!O>(@&(U=0Xt{o|(v&%MdhGeUwT*kddOXd&9nCb9ro>d; zR#uhfP$9&ZS26T6$!7zT(9rClr>kdp1o}sP4YQq{Vr6}lp#*4B3(z|f+ZGvFUz(Q) zO~ReSjtC8(h8Nlt3LZQSKvfNpl9Q9u78!uf9bAS~!T}l$pfRWn6&45Q(_8He5)j?} zOJ;gIb1Lb`8DOlN#+nz)9b6+Pb6h9n`#jQ|7r$o^2!gi00T5^)A;HNIxe#DMJ`59p zEC*+1bObEt!raop3@E0V5pazS*bKni4y`y(JjGCELmlNONfLuM0rq&0B=D?25 zU(okx@7Y%$Dw#gtm2O1f;8@e%mrdU)3*URXr+Y9BbOr$idY|d@1BW)&4iX%!Mc!aS zLsJvDJ$)ZG?WN`Y-w&;TnO}?eXWqs^M>LQ`3ho?OGCpK8Fi~Q&TZcB{0FU39V-eq; zgx@TpAKQdC-r*hJ-vggAkzdUMAK%ZM-=qx%<&lwjv6tI`FVCRBFYf&-zz2Ze8+6RV z(%;p#L>dxU)8G9;-!Kb6U+D+m;879bv)jfYE2-Zo0jaUC+rkniViLb{O6v;4LqU5c zMviQXzl@e^7(m%qRo4K&$=|AtfzVY`Qos9)t@X_Gt)6Ah*}g7;)>6MnU%LrE!`b5# z63$qZ=-R$J6uwakKUCb&oMeK#2fjqepq`4pEpC4Wm6UXX_oVM$LmKKD?E~3rixl`^45T)Ute@(Xr*}s*abxVJ2`+Xn3>G;EexB*D*C?{V^z3^Ae(a&q0)i?x`4m!QNtMvp6;D}=_ zghK(DU$}qF6FUDThvhLBz`!bY{cdoj&Sdkz9ht+8deUE&eJlW|zJv4_HGPAUWg+8e zIf3&}d5}PupKjFes75<%Cg`%Gx4^xUE-N`p_TWX3cBx_O)#RB6iD^Xv(T(9@!+%XJ z_zD}o5HthfE2rS(D3;`O^~%G<#=^ioYYn{M=qVl#4KCba=zEgjCK9v1Wps2irF{i{ zJsLXf8ZSnSkO!Umo3((s&vC}@QOQ6&cK}O3kBu;(G-DYk5X)V>m(6e@UzHR-$gZ4$ z$J;@tOuO55TUU=>ifle21OX4^Nj&Ky)Q?Po@ZwzI(+f%Nc)<0iy-yV(Nq zTq|mC1Nt{17BVhthZSie^KPfDRdnO%?X?zgWuP5P(gcJLRU3^7N^5(vi@FH|JJ=9^=FtRj$y+g)3joi{ieC;)w2R@m>M{AFOg zz8#R%O=Jlfi6&`@*Ru=L+iQ!TXC5N#moI@x|0#=%SCT;vJ;6v8S1^%yGpbc%XK*024He-cl7R>CsT)6I7_CsXffxJ0+!n?g( z!7;g=z<_Lm?&F)OpA#rel&y>Goo08pq2fL-XX2qezV}W?{5MX?(mS>{qNj0ll$_$~ zfur-&JkU1Hau_O@;9vqyEsfMjW8>XQPO|u!KO|qW(QzXsD3Foa+(z{R8gBL)Q1xj^ zE>t2zny9d-2p!gjPO0gP&9I;mKh$+D&0v|jtdQXJ?o73{5a51V9qyekxt1wdrMYeW zp8=9YDr3A{H)y`oah!5d6hbW>E6+=gP*I#_= z_|g)~33U;Wf$*tmAFq7U(w?i2Q=6ikdcp(g#G3C(HG3{#=H;;l>S<`vZ|)o{%-f`= zCHdc_yp#Adt#Lx-PXIMGGUSda!nn@HZ_p*j1ccPYeGsEsQ-Bp^)ejfRdBX6h(>q4< zvqE&NOa06&mg8JGh8l>wg#N`i1@~a?2rwq|LBbYpX_rjcm`VaTcw-W*E}|#bx&k`y zWZEG6r62^%ZY8P#Dco9q5?4qhV|}L>XGIKU?gLg$No5YuL692GPQW{oXLndg0y`#m zj;7K-TV)7ha|~y)7hnt;7tFKVVsg7>w@@g7h}&J;yppf=eLN;zUUDWL3?p2p;v2h+ z!osT31{0F=*dZNbhO*G%83jEYS=eQ9mqfCo68B_3RpXU`+zks?39u$s4lL#wTnXJ9 zz~Q$G9m3)WV1jQhFQlf-^7864susl{k41&NDK09zFC|lSvYZ4>xR!sf;B2*O7rvAt zu4aGU`Ot4H{^BWXs&2g4J6SG!AM{d`k}=3w@eGW&w}4Mmq=6`(JFK5Jq&LENx`cCN zPdlrHS( zk!2U54R;e!;^8(7U19^A6eq7E#QoqM24&d2gZf!#J1Q2%&_#4Du#&G4XEE(d!Rq;U zI8jkB62DOl#|4#f7@GLjm@szvz4VfF-cBI!2~1+RFqvR^>w63sTUZ5y@7?F2 zyzgeoCoYK|X5dVl70sUp8-IfR4;VE5Fj#}Yd(_fkL5hD@n{oc{@Vh^YM{uv@z+}Hj zui}^FM-BeeT2DM%bqVm#5V)YqQ4kue9W#(j{w8)(%ChCqEbVZcg!f^*INr>z8^yI| ztb+OjJ2{%*L4OvxR|GMT+?P-fr01pRvi-S7k0G(MxsIPtGpZm70U`JGSLyk#QPOS( z6+F=+CtqFot^#JR4j*q2kf*_A`V!Xx3M5_rq}Kwg{4?;j<`1I2yu%mLt-&~j|KNIg z@$ zYggwA4I{E$1BWMJR-%1tMfZ@l6%3y;$KQS zl&7r{a7K#^5~0SptC`RRYFkTrBvhxXF>YMRqOQ@Ua__p97M-`FGBb@KCm6=KBjipo zlML?#jY|+YmLwtPH2hNPJj)*ep{o-Q1Df*`jQNb~B-#QD0|~{sXH~C_&K0sleO1d_ z^jPn$oDq5?BUw6TDwl1ovzK`Qy_kvXa6fPY4>FI7RHbz?bdRyHzeGw}?fdXO!m!3R z&7s;}3r!p1ZN75xCA>#V5zbpFU~wKW%8!`}=l&D+lCY2!ulf?aMhi#A2F3@~eJip- z)bCxv)_oU(NS%QG2T0lOTqe6S)~LI(aQ!iub6xa(QsodnzV7ARlfJ9EOjfX4N-xvv zn@l;~Hb{>Q9QG>u_ljeND zDPk13g)tOm8Rk-VLSs1M+%H~R0c3Z)TG_Fmofuf3YESt`69=r&;%@Nw;Io7moO6Z^ zku;3IWF~8j^N|})oe}M2<)@%>w43D_?H$<5>!RQlx&dW=;b+6B7q_!C*9OZ*AYcgc zkK0tDKB>-jdPB>X68aOv&2e3ypp~vRPJ2# zt!WArvEACpF`+gGb-N1>MHC=eH>`n`W);x^hIbkFqQqrs9?b`TuryQ_q5r+! zSLwXw_n@xKGx)e%EC&)Xi{c4y!P^X5-y^q=yNIt7Cfy?GQwsb=WT~B=ES9u%m1*gA~N4I3cs5?TmWlLtfGyu&{ygJ>b z@d+}jz2MU`cRRVuz@=OmP(8t|6}gYgZ-|lrHeRJ#3o?AQ>S*o&7C=&C0GjM&y6ooZ zO?U_;gtUTaMkEHJcuyFzz3t7Pa!*+$ht6lhVmmhol798KhwpO_Q8EJ7ZNu!=N>Mb-YH{DP9xp_w`TSPWqDf)f%3G3qCIhSgrp`@$1w^J; zZbFZ8gmHk0W?idB1q?P^1C68U+65HKb-#`V$Z9>*wC`PoTRn`_=~_d}3Bc|EbprkbxPP zvcXVHb4}efv1ah&Y|&w<4BkW94&I4?l2BN|0euwnfV-az#4PuC{BoApj+U89sg0rI z0_|}qxD(?oy@UEBeV$ef7wxXY+tYnsVTDM67ZNV@>4~FMuGck!G}NnpZ2dxkzBNv{ zPa;KcpoIeP2^R&D?_5hN)RTEVMw*El@F1G6j)27Rn{p!2^RWs0ITe^{LnJq6nD1_f zuV4qYM-@+9L7tQWh841gE^`s)|k@=MX{D&UZghgtkN7P-Kgw| z0cYZ`TFB}a0ikW*unmHt*VX!YTgsj3>!XG0Lc1WB})LAKoNT*NiH4z9c>JrBQ4y>>PI zSaDuzNe|EUC;#SBtDJxv6vBC+NCo$ZYO@ep=z)~;_qV3L1@5VemSNUXT(Es`(7bp_ zqkb_8^cwuYJ|6TUpPiWTkeAyDHdo5oOZZ7>@=ee*TppI8}l{GV~&|!&!iT6KWsUi6#tg-6PQxD<~h_a9QikPH?_uvT% zlQcUpjT3TeAkTWYB`xYyuiX^Y70qMJC73~%V;F=6_B={=RIiy9iYQ}^MuV~HJp)tf z6(?}&w27HlNNwzhjGynH0%*<<1qwA~gRnlVBcNv*b7BQ7{-C?q1j%H75_CgD#%DZK z{yP)A!SUUZD6^D-a*IeX2W#0KtQcZb8mvag&sw*QM0I>_57IK|O_y6EbE5Gk>k7(K zc&n~7Ns;>*dLd9ANuNNTzc5nWoo-OXG9sVDrU_Nl)^TccxAsiAK9CN_K}79U8QRTvf-0^RG*a2q2Ndu94lZ--u}7 zhY`Z1lPTV@-^bU9c)C&Ziu}SfYI+)ylpBh&CYIe)5@iXhl_~uVNf=I_8z$(iv$%TeS26d+jAOa zg1V!bLT5aCW{Qqb9KEb%1l=U4f6-~QTO&pBiy_;%*nEsdc2_y}0yhdJU|UWO(B^EW zl4pU(HIA{2 zwM}+JBN)S(F5is^aoy-N;WuZPE;|E*msFEU267sY+C^F_Nupsk-`vu8FWOK`$KsYj zLC$#DX^;k#miRSxpr^uSpFx4dZbUUYu-XdlArzo2ONIVTHLGOCJmn#?@98Fmn=mW6 z;fI5?a=zlq(b(T8?SsCP<1QcS=d0X?#~HR_eUm%zTK?vKB*#mBf+ZsvrxeC+QU>~L zo}8oKj@<66(cNsd{`v3;-c()7UCheURRJbJ;Av`lGQ-bdY;4<~eX!1KnlK=AxgC@@ z9;ij*j5|EPDa3@r-w$CXyBir$jFZDO+Fw8hASaVe(HXdl0-u_UVmLse$z4-zW zvMX}%jCw0?+#60S{?-Gr;djsOQ^t{>z<(j6fv z`Lg8c4;xVY9}bQQ(76)xL}S0*tZerd3+x{2F_e)7!KP+U+3;dAS5%kSF7Pb>_XLB! zx&klc1bnyld#di5O-}9KQmup~5F=#s^h{A{-$F_nZ-MccUsi@Iro3L!Bsi{3ty4W$GSiPnz%d%yNW~U}r&i zR{dr6R&j{&A%3L`T;>sXK#nlb8L`2RCFZ> zM4qbS`xi0ZX6&VLKGSE1w$6kr0LC@~U^te-`-!NrlJB?mN6l}w17d7ez=;OP0PDbX z!MWj2bj?z%B4}7tCB@msxh_E`GS|dn_3B*#BDHt2wBN2Gz_B?`ZVHCD8;(K(?$^of zTPkmMsl6lQlW>J;!m;tEiLAEJ-o9n^g%Q-zGO?ZNnkN-b#SE7FbuTtY<~XUjH>$9` z0`pU;&VQTLiLQhb#5HI8>IY99STQYAVnnB^bs~nZyQ)R^Zs1TzOc>#>qewCOT0 zGc6iXw*C0FZ<7x^JHR^YQVr#}GnhUEwlYo7{C>XtY*>qOE2v<$JdZx`ZxFr;5Mo_P zO$G1lq~>>%4*5{+fTvQ!M^Is*uz zvNZH7G(Vau38Wra%)APRY`2};CxWfEso10_z_=qD>`t&`DXFf}TJX3#G#=YV?RJH;kQbB

9l#-f)|+p_n8_(5`MP9x87;4icTJ z&)dSzHXmv?r6ANiM<3Hfi*%n$vGMv6v|x8IA&;OmU$MDR6=-`9kNI> z7L5l2A1i1K-_sY!vCp2xNd0|G9mLDz&K%T%L@4vYQI&3Nng>-wKXOfs*RL8$$$_Sk zxIZr~Q6rNRwt8J>vLbk6hf;<9zGlz1eN&_S=TU~QK{8~I6qn=j#J;to-eIU*x*#ZT z(1=-*gic`nwYZ8~jBwypEOLKBdld63-4X+NVy68z5zA&nQs)KuR2sM+T@S{q#%hwJ>rXx#;XYd>OijQNXts#fv-IUK z3l3?2qhz3K0P*ATFVh#Z@4XZZy%1Ugl2>XF###jo^eok0%lUC&L`qy7 zdNa>*k|oV>k=w)vU-&FJKQLhJJWc}Zu)!yQUHS~kk7;RGHIgh^)Xr&z;4Q39mnizw z`r@oN4i`S26W7lM{@6n+h}WefIHNvJXc^Hp-U~c^GN`(IHl)`MFGA08xoaA(Kb--r z@?~6fMdBhV>Uq_i_IQ;*u|rc5ZA$s2g*yR(H;B=^#~C+FR0Gu3HHqx4Ej(@RGBx)J zcQuTHij71co1d^%RZJp*QN9?LB>Lu$Zna6I>?FV6KRcHT7cukG6@&eclfHsz35~F8 zsF=Fj;x&cz3ZmK7TWmj>5h;X1wp>|4Ws*Jlt5*&&-ock9A>%=M9xfzJ0{rv*eExD& zTzNavwm$ijoX2Vd0}k^tAvMB&nZ{slc&2>&BNK#&>4h1Ecr%wlOZ<6)knU4Zj5`;> z;gRXh@VBKjUvI;9$Zz9)Yk*V<)h(ogx8T+83{Umb-{Ed8?o%K?aC;j8rgk(IbBb)E z^&$Y%+Aa9Luf9pRsG43gyrT0rKVX`&7l6mef}7}vNe|1kDZw7L2f|NF3ni=V6IeIz zCu^gDUA-gF*^d=Ow1bB<{R3scH1+ zBG(O6)-f$LG;Sv9(rq#B5QRNUGwf4m6Ri~T1n~E7byR0BNkGhNb}yUVF&A{S67Dh? z-j1LU7%vb0!k7^c;U&$BCu(glwKk+;7YD9ET*UIAzYHe*=U}%|Wh(8$cB9E}WXvh- zp47--z8{iz8{1H6dkZb>bC11|MCjI1aTX-9KNPPamWhzUAk*ZkLe>WChcrOsS6RBw zsZ@mCD|7_BVJm}WCr#NMxgs1IK+H^)DA#`TO~lL9+8DQOE!bFPDNJu>7Ma3pJee>? zIwJY&6~#Tx9sh~V;?Do1)ig6Zi)be+PEf%|V-5RlI8JeXAk+NO6Q}nv?gf0*}`h@%1ezIu3IL| zB#JCV!}*3!%z4SSfgc=vzm7_$D6-l&*~kf|LvFmqX7M19^TW*5hN~x!r13V)j+ode zwvB*HBxJX<{&tJ5iW8j#$TQAq1mF<*993LrdK<*ck)4kqCwZ&XMmy>6E})(VlRrOE zMuN#&rq0>Yt@25)vDZdf4dsmGX3vI*cLqGX`QpLz{I^_Te1~LJfgoH#n2iqW_!DsO^j;Ne)*frkP(S zhcKEDGs}m&jTj6c4@#BT@o`bGR|wS4RNu+vaWFp37jd*uZ~gvtZ*#$r1mg+WYlXl> zp9X3wIUIVeZtdnx!GyJ;+!_ShnyB}i669pq!J!`LR~wXLHOh>pK~Dpdg-OE9UvC&5 zLSoZx-d)O~N5d+uCdAFmTrLScWUq4>Uf^QJ!F0E5LB`h8ufVlP*Y7a8uYy^F3`sG0 z!g*3IMF|iu4CnYQ^MUajAfO3{l?OHxwe3IA%pQgZD!X2`zuBUzFPNfdKD_{8bYc$* z#V(~omq>^%G&4Q^jpk5^s3m-Ie4ucE}uZy3xghmK~(qRNFJy? z%SGDr#Ynb19xB2UJqHW74zy?noXy8tpfr6%MQpS}w*sZnw761^E5t~5HFcZeXydr& z=o|RSYZOC;<^r%_1anZ;9VWPJ9zLAFhX{;L!|0-RmGN9+lJc0g1<(bUG z4unvnA~MxlW%*|9_gVY8r;ZP=?3Ymn?0@p0o*W&{YY0n~Y=iJIJ!5Y^ib4q+1i9zp zYpqk%0xn3f+Fg?!a9A@|wP;jjc@4Z|xs)Er_q+KbPf`}II|`y1s}FHDWYCT!?gm6= zDU$os68qPTzPFA<^abhLuck!kEfOmxmPK+2LAjzH#Bs8=a1R|sPAY1?^f=li*owV> zgl(xFmeq*kgyOLcm8D1~f?g>4M>!qr)fO#~+jyzy@shudK`W9}1tFdJiFoL@#(On6}Ta&R4x?tZ(t( z;G9kZ_E;Ng%-OU0aSP42aFo807j=Vp#pRPqNBb}Dv+ORIW?H3=CrG~|!8*?#l#Gu= z60U9@iCGpXZMPFb%b()}*)Q!OtKZlBpqS+)HDxd8Hpf9{gDhRe+T>fI(1{6LcClvU z((>Cf;_wuCMt1*Rb(^MQi=Dk4b>oc_InU&*eX;hx1KlHRxo(QXcup;aO1_tH2aNZ5QgO#+bd{^ zC;_zD%&;;~&?B+?P>M@Ox=!$wMrrftef;6x5gTw61joIDgo}+o5>`ykSKkdh_ICvx zwNb7g)cA66g}~D6=6IaK)aFpC=`b^ab9%I#C?wTvfw8ch(>N|8OW8Nj3QjW|m|vG| z#vhd7uPGqU56GT7U7H_PXIQs$ZgBf$Byp{{>#+oWi6FhbzPj)}-uv<*XC{Cc>JK?_ zu$Kcz1apYLg9ELF1G~9CFE$d+J#CQ9O#;@{))V8S>oQ=^5Eq(6h#Qd&aeLReDaJ^9 zLt&$#<&P>*-4DIHzgN)5pNE1iS|dby##^wA4*N<`i^zm53#0&d>7`^^I(kYWj8t_6 zQPu{EmD1qT75;Qbr%E#MRsxFco~Exd$>=!Zq0=@m>F3%8lS@Nl;#V|oS$u*%jn^@G zcEk?Ve3OY6>p@e4wOcVo>jdk1k={d%(E`RaGGlfk8eEs9PGdL!@LWvlf(WZ*GTVty z_r*B6Ao7fDV z+CkbnTs=>Nx9R-v+H*p01^L%SZ}va4#<^nNMz+#>Yod_)Lv+2@{Zkluhe`+!eLf&6 zA25+UksPdPwh|@$dL`QAH+UJolwG$*sZ*xn0cl*i0|@&`6dMBGuL#rp)Ca&wpdJm}{vKjLK_8J} z_sfyK9>?6vgz!{#2iqpSQ_o8zExn3p-Q%WLAY)WOEfG!uH@#sui=8%cMAAar5@^5q zJE$l8N$#womnkN$5>I6a!Mv?ypn~LS10t|MRY5gv?`<8kv1sx{T+pif4DGrpmq@iI z^B|h_Ca$3*QhBxo(RlTC0l>|+QzDeGp(GPzDl{+%(e$IL1YNe+>^(l+N2(QRAv=Px z3mQy1)P-)p{cUrn+9;TQ{h95s?k&<%80D2do7s9oEAY1eReT~a|dEz);!XIySi z+n}GP>Y9zPcw&-29jrk1=G*Wa0BhNMuzsGPVC3>FZ=Er@8I%Hx?OnppQgZQU)*b$2 z)-HcZ*yRO}df`q7f@ib*^gXqpVE zU#!+$vDa=+fvXTR!+2!MEC;hS-PChlKPi{nC5V^GjSMq@hLf+RE5e)G(6m`+4Ui`e zp=c7}EGhRoEzV3su3>N;v%?+ZiDowI3Lag)uN}-B-b4)(EDO!a4nbaSmE*YT2GhJ3 z6Rh&g&5UT2#j`-nCg~%tO{u<^4r@8Q>jwn>@h$jY5c`5TgiA(}r+#DzTS^N(92=Vx z#-)|kb;=R4bzUy|6z5d`8xYl_?lvXHybGlUJTt=^a9rrj* zJYtb~&mPh3mDmGOCLLPa=}^bO6!xJ$sNfoTx7`yxraaZm&N_dPOto1=yji`A#+Aoy zZ7ASVnasOS>k-jH)AKg3-ZFvY8|A}^aLmRXvZ$vad_wxmgAI&u1NG-Hlj5T47W79| zpQvbgO)Af#J9T*n2m3`r4UozEvvgKplM$)-3CauA%M$ZvtODDp8F4XVTzmKmvHsI5 z);TO;Ei6lMugCD2MgS(f96>b0)4z&#M*DM>H6Id4;em(uRirs$3yxaZ=hsodAmY`e-KpyV2EpPRwE51$|lW!j=m1wr{H*1k3Z$CP}os<6!@ zgW9@ESt=yr_PKFvq1IV#Q|7epVxG*q9aLSh{Uk*5v*~g6+`z=epwX0YYYnU5gi?e_ z)!r@hW*yDgX~Fn4wpm0dIe=K$4g{I(8@;&1*RkSX0?dXEIh+r$cz`)?YxMPr8uCGy zUNNJmC+Ve`z!^~N-h1b*H|ltUQ8d(E>W{#txtxhEqj6oi%9roQ%Ve~0`xgFS#v@6m z%q5`T5-y)*`%zwJ)L~YNBbXf{G3jy>jswxQxGHu=GSyBtuj0b}vdPWci?*LG^u=_< zAo_H1qYqu~Adp3h4LQtELxn}LYlkea5LgD`%mBLMOj5O%eiAIkn;E_Kc~t&5Ps3q@ zGC}ydv%YxiEjI0A{}sAI77ZJ`Yyp{fy_E`WMzvc8{_+pQolx zO9)>SACtNkP1K1&pV|HI>ea2Datz7OI)|Dxu?->2O4SlWZ_@|5EX&}~Y7zE`AUXq) zU=-;N{nj6;L}pDACDh_4BAu5k+3`&D0`$27JJ0bz?6I97^~l#oE`GbDFs4mL6mA1J z=x0O5qY}jK%^T&hM%swS22T=1DVDKc2%`k0j^j2Z_ z8&q?uYU-sv4|ED&+W=d@LT03|tORLNPxtNKnLWoA0gMbj>+)zCfmPaBZ#&H&ZUe8` zoD9|w2b21H@Z_s?I*jXS4LD~H)ZMQ6b2&k}Z3vv-v0H&Hp~~385zNVo*{CbQ>t>ab z=A7|>7AB?|QzCfk3yh;K4}K?qVJUHKX!XL;Go@bhE|h^NsKy6^N|77fhFC@Rl&W;( zs)VqkCoA*Yg0#zJd}q-nAm+Dml2Y4KAeem4>$6a&9L4&$kU|JE!Rn)Kl7KQH@A5Sz(@x0YXxsE7Jb+d5Cv;n_bkseFTp#Lg7#(UOcg# zZWw*tn#4l?&^?%XgNH1AsBC*mfjF!$8vLs=xnxi@%ClB#4SRB8a4z8q)WD`$fa#Ih&Mz_LfpMoI}7kM>59W!_^|Ur5$l zXul!g?TGBnkiHX^u)D+jzM?3Rj%GsJ8k6~ynr7B9j9JE66(;#2>~gP4lv+iukqTNY zrgt&x2k?8+c#*B@+O1fmKvjWFyW`5G`@B1Cfi1$tYJNTO7PotMeGVo>dgTVKGUo7F zwbTmuW5wScQJ6-SK@;L$C}jysT~uo(Pfz!~iM9qnGD6@L z3t3C>RZSI@+rxmxf%1AIG(;z#MSrx_@xLs@7a_M971N9@1G*D#KB_B<(F7;-C4`fS z5~s^&VR!9TPyaLB}!@z%ym6mzOfrxq}B<#RLPu$x1cjs_O-^M@(lVP3Zi4zQhM#a@Y&W-ey zGl-}Q@S|O__)3I!vDrY6=jVoFgG6NzeX;3vz9;OQjvlh$qbwSF)B5I+QdBx53?=th zRJ>(*aq^f9EeT26Rlv(e#dkclsTSkKlwU^W5%pzy-t4NUUtVCJ&3|&z?SC1h)TMLyJ5`Eif`S z-0AkjOyDy9d{_HzvhdO@4{G^oO9k%eFV{7Y&bf6uRM2MqQh6j}FPn>xSx#*hR%IBa z#YzRN?N*n?Bkv!vVS=vRXeq0NVNjE6g|F+FjZI#~a_TGTk~;M} zJ&bB}IAG_LC&KHay-@^sM_XK>6CM(NFX)@01VQO~jXM>nxQ@~o9($-D3Oc6r1yF(F zX;0v^`g_*SVcm_edTxi5C6XoIMM;xR8QDq&A(zyx;2 z*~5Q?^78#i2E@@cK9c~vKuZ%LZ*bJXNTSY2yvl@YQ*#0EU@1}dIa9FSxEU|^9NrhV z?x5yQG}uN~h5b?dEhrtlsvcMA9~u>mn1Y8B@X|_J5IJPsqi>|H6&wtp>s8>{^s4M7 z?kkqFy}PWWXba@m)V+(b@|$mG<18v;hV!RQNpI0I`N=lyB;5DQA-p{75|W(FRhJ2i z`26t~eNpJHvLImLo1ps1GOYv5cmA>YQ)xEo?Br7?@b|X$plSCeQc3>R$}u zmj)@7Or07)WP@$6io%`<_DP76%4*jWN6mk%nNdF4+y(|vY%+yxhs)AIT1)j zva>b|3`OvXV+!Ra1~3o^0SBeiHePq}PTw?A2(tsIJ!7A`p)$`YEB1*rnn@0{P)3Jl zj@CN>v)3d1d~qn2qrnW6(teo~0x?s)lPkCV8%a8ac+*61wR_znPLF611`)Y>ZS*Qw zyT3{i#lFy5yi{S()!V@M3uvi=*Z|N!2mtjpv{V012xF1yWD(swK_k;N?kTg)TWEgm0W z*B&FAPga*@nWt8hGgDM#121}TVxNFxch-m@+HpPI4g#jh$Z7sV%dEXdVd$NWru-76 z{sz~0sJ;4mu8Btim`FQP@wMF-+4%NGWcTsF8$+|Vn1a9$2V=Z!)RUC5Uzk6HK|XAf zmuif^Vc$7E^yM+Kj82Yi+_nQd?3lQ##X_zu#X<@<@2>Lz)on;x19B8yanUbki_;FL zR@u8TT|rw8#@y!OkX2ih@?f0mOQlC*l2f3mo-Q~yx#;bx{epGxy(*TTK}e546~j~y4_uItQb7K z2MqatC%E-cz8DpztgV=GN^Ylg17{p19M!lUW80&W7|jk;8&wnclun$A+tO~QXFjv> z^{MgE@wCJ72Bcsr9hR7O$Y#-%{bloxB0h9>orW(qzH*2f#(yR^Y0n}cmQrgy&P7<$ zIDcA!z&+qDn{6mrpXfzr&kgT8mNAk%tFn%y0gR=B-E`=dm#v;PKcMxm{qwpMu0ssQ(oMPe6ZrkQWx@X46{{kWKS+%4LmALKd7m8xBbQhK#Plc z{a?R2C z38_XC0S12hpcg+dw(S(--Hc4JFdsPEPr==g>eXHDP|SCFX?yzi!38I>FJ%G^=q1u} z(URgxlVLL4h7%1`by&>ZejUVA9OyORRbp)V&1SF4qbo?liD>+}_nnoQ$20Gn6Vxl- zP40%mwzI51Z8?L|>GS^F6Q&`5lu0=ZUWV%LAJM&$s?rB{7vA zm2bT@LbC^z`6}6Ia4-ywU^=~4{>chG3q(eYimT9s5vgt;`!vYaQ({AMhZ`4;llddU zA4;@%++n!u$HwiaiSnZ0)9hFTN}^J=iVTo)BwDcL9JeRFX-r#g`qAFA^XsvVk&-H} ztLukn`HFpW!RPr!LS2t`(UCCDG!pgSAT=L=A_3lX`Td zaSO;#D>n897z~+BuEzS*arH+2z^%K*()9r z_U_Lh#rI48k*adyNJ<%d@n8vW52BOcj72VrGuiyZt`m4eGIzrpD8jyZ@ks-#2(J&k}s0N0oOb zv77!g%{*8e7eNPxN-SQrbEm}hzvs`m!%!ZuA2OcMKIs5KQ%U6T_8@eRK){G zVMMSB_%r)74h;ksdO>s)oOri^Q8kM@L~r)Xz&06+{n$?)ccB{rBzx%ca#-%3vD{hF z2Z+9LMm2n%{=F0;v+HQPk@Cf%1|=w-u3a9TTp2R|_wyTrfXOwO!|0zkO1$jC79Sc% z2?ol^86S|Uahm(pj=D4RmZ~m;FRCM-6QYRGbKOf9y{PK=8E1W`I;}x>3Fi$&gHiv-!=z+s6Y7R?tU!LkBf=7dwy zB+1Id`0X^PYNX8sj3^W4DS%>cD3KIH`j6rP*+5fW#*3s--Dop&JS3s(m_PcZxt+R2 zz0^&cv(7c@QSG`-hT{DO83YXk?#WSS{~ih+Iq4+?0AZCRLUsR1bea3g(_Z`8JlcTJ zGBd*1lr|Vr8iX8Jz0Gq zGVf45M_9(_UQ=grf+^6kbuTpyf3@9PYdeSUgojh$0(!|12W~-*ZK>j$z-XiqVNbII zMWU@AcT<-?!_65?qX$T_+siVUAW33n`T~;CGmXwl{R1uC8mmD*=;4VGIBz6PHR^5# z_u^@V$pfs0_bAX4-xMRKT0Eqlw>bDjZ`q0P8nWt9w3b~!y7>+MnR~jG%kExn5avGB z1h$Wo(X*dIka-hHnW!%eNGSjh|Knb7>Pywg` z^Z^C{1ARkFM=O0tGk}4EzM-*|v5C{aj~xCP55N#$XlrF_126&@1O7EafU&)^z7@a( zU}ElK3^1{Eb^w?HOdX8%os1m-W&ksHJ2PV&fH}YtUf#J?~8561*O%YVckeAh6y`kp4iKRfJXEM#nGYh?Ug2FB6pd;ZoiZtGP}%1T*V z@ia1at{^{MQ+BVeX!%)c11;@Vb}=@YTRS>BP&Wx%-;TayU32hGvP-Ufo`;`Rl&jPm zES7)4ppYs<=qqX(<_1+op@PB^Ga~W<8(Cjmlv)@Oj}RDG8pAx(IrJ*Z{pJ9Q%H(Ti zF%XgA!}BAXMI(S<03Nbxo~H{ zfNW#~n*08253I4at`2IQ$wTltf~oA!=a&GEqz6$C0wRQ-)L4X00=yUxa|R@y3qRX8 z3X^+iWd+UvJnApy#}dtl?Uz;s+Ixl%=@(WNMfs;@9tVrJHV7A31W1%K7y8cu_Usav z*;7gco*txAEd)D<&pRkzG>{`C@z0VNJhn9uJ{B^S>0)2x=h}?5Z-2pb-y?DV>%bFm zvC;XTL$iILdPfj1BW09?=WkaAEOAMX17`rwCXi-BjF_S(>Pe5p>&6rC-JUZ8$Qm0+ zreC#;?-2t8h!lUci;9R1ej9J^1rDF@f}IQ4TIyHAw_XDHTQ8w!0q*4V?)TFBS;6^L ziF&hB&RXBl;PCd=e7Ph4H3WQk2-V177-XvdF>1blAGd*H1UhrSk}I~6x(1?_`lZk6 z-25h+13SBS4I%%<%*cdK5-DYEUAYNV%*W_P2Ci8WlL&P7mG&){a3%V}7kl?5y7>z0 z{Nl9#QZD#<{QcE({i2&knpste7Fo#)v5OB2aZ{&{1MJ|}<1+b$X=wys@9@St_k~>w z{SGxev$QR_1f9TS0RsJbml88FJPEP;ZP$KfeffkicsWtu9vuTd zgqi)INKZSup8q;{I}!iV)f=>yvXcHvM^z>#{<#n{_X-%$wLvw73`G?F^0~w({W^KM zCWHjh_9wfUfNdu0^xuhJP{=H|tA`jKbnotV&!AI&__=2uuqr$Apk12S=GyB}3C z%)wC?H{kxW;L}>#6#^*0*F{5ufRp#WS81NRfB_XkF6G<-5VVt<&hT5IS#Je#x>{;cDw^9~L&x^x!fA&o_5MQB6I$(b}X3nsm zjAzZ%dz%F(>SocH8Nc)NT%#8=V}Dt}B9eN9g^D{2jl&R{lsXa{`!>g#O%3!!&2)p( zi`KfiBq8=0VoW;Wu^6Ceb)L)X>HTajk75gYRXNb-e+13l_sSi!2Hy81{`}k2tzh@# z`Dc5RRLfTSUmY1_)Ntww4Lwr1hTLH_3n75-Uu5pvbN)+mLt?Ssx0kT-D?4x?1I>oD-J*nrxV|eFp_~{MiAVq4afkPa+3~nB|qk) zB$&Hy!fWY2Se^#gM)kg9J0Gy#rZ_b-x?^7Xu8jwCF84vbbk`^Lp8vL7yM%v%TL6ii zHxAqmv+vTDP4*5vDAT?l5io&4!T*$?Q|wiUGz~mLje@;`9zzM=f$o?M9J#$+6)N2X z=2mRB)WS}$$4v=7lxfTRV*+O; z9=DVDwK)1K*jAeakKT}YY*Uqf8~$h0ot8QCftKhRN59`Ht;4>5IA5tV;kfiBehTwG z`-d7FygmS=oJenqh5i|yud@({tvcwq4e`dR%9YxC9JBM=LLJQBGy@jZ1-L81- z7<~~axSlD)oV|Odf1hR4vZUZL&|^W8 zh!^$%3hYpi=HZ~`)HZI3a*!bqf~_!vYH!m6dLE;0yt=m^mqDZ`MlIMItYoLLEA8z? zYbFf_9l=J}&?!)*qKJudtt7Nxlvac@*Kbo_!t@*>B(!y;(RR;9@ns;h>$=I0H->j^ z?cV}}N-D&znz5?-$@;N|p^^28+kKF-?y1CJ5m+TnCP+ER4s=B*pO$)5MTyh+6$P2` zCy}j4{8e+=2rGnXAcH`hoN)hyec3b#uuE49Bzj1FG+gs}0)xP)N{)V|=iA=w6GvM) z^Q4WomI=GA$DVt9aX;yDz_ELP4{TAM@_CP;W>xqsTChD0z=Y+t}mXRDsbS+#XXr;gcSR>MZ< z*`BFB;TV1n7cQ(E*Le+sq8z-G1bxTLiwd1b+t~o64u_WAJ%n?fJ~nRkk#296vN~P` zNCxpQOMEp>-0f2h7Gb+QEo>Vue^| zkC7kG-6ZC~c6sJ|9zg_wp?L{bPT_2S>jLn_q1tI$8Qec4B!ZUVc} zV|$XYf$6ud3=r4Q@#;ve-YvO|*WZ7^?aGglSH0^Z0A-CE7qqw3NkpM2;%k>8kXJG z)pr$Q*4riNm*7fdvWizB)v22kjuSk1E(}h$LYySurL}Fo0UIibVogRr<=YZ3k-;(i z0Bfxk`i-_LIu~-vnKH}tSt7!m^1_aM`j~X{&|X&lrOD#L<|eKm*-T&_<3ClC=G;-d z{9N}}a4*fIzMV*Drf%hmr?zWNxSumm%gzSBmBy#Mg!fer42$02*!v?Ibf(o0g!^6W z@T$XswEZ!lkS$9?IZkQo@f_an$Iq_yY#E5oKzMcw=?2;ig9y<|Y2(PrG3)g`vM}3M zcX=2od+pRkWBT#=$)0E-q#{k?2{x1PXb>9Y1>%f@^@kLAUt*Cn9bBoV%qM9fThJ#i zu1X?FmCdF~`1@(V=^;%Tq{AWx}+v)F~Yekm<@n_FYH%ab~vV zF=^bg8dJu&?)p&KMRC0EKZzLvN81<_wNcMDeoMV3n>poV=*FKPc|k=i$29)+INj&b zAD#oY%^UrUZrBQ89U*HsOqi8YCqxyR&<(v6q4Te1YYoWJ*hr%H?C{F0bL(HLi4jCM zJP}Nhi0vs^VEeq*SS!^p8<|g)z!CI|4l5%XpZ!dC2@xZtfWs8xMSO3Bw30IWG|HN>@_*Dt@|^NUq(mq9$_m zpbWN%&1rc!@(~f)L5>)KLnvNO_~>eEQ5wfz$^Y)8#{Uu}I)Fc&lwCQh6!dD0h_lMg z2DZ6kqmRS(1Pk6hdfoLbZAEIZ++9(}z5fK};4EY{$j^Ghu;UzZG3dr}|HdI=O5>Z^^)KF;9B8{Dv`+iSt(vV8={+ zKN{ah6g@Mm!l|Q#?Xb*ZIoykF5bacnAU0?@`a0Kd5Xk% z!&Pu;B_@2gf7afLpP2nZyV}h#QQo$;%6KT-S{FG{TpkNaNK5aK{piVE(KkI`ce)3fBZ3OI!Rt z2NyFT@^a%$**S3XQd7tq+%{D}{3t>fIPj&qgL6_86)JeUYB^-&j`VH$ckgOIKMbXk|gIFdS-*V-$CO+W-Ml0|n-M zF`TJ|td$))A%ya=R;E?@hnRf(#(oD^LJ#(PH`WfbTQY@*Pnj6}LQ1Bt=NXsSW-u!r z&s86XFb}Z6kC=xRsSeN{-xD8X_5%`pafNeBit3}w`Mn0gGL=(@8xKRslWrXcjTF%> z`ZAW>^aw*tax<6G6!vw2W>5O5J+u&XqmED#5!c&;H{vNoQyqO>afmX{ z<$6c&a;{;BC6}{dVGMMZjYhl1iS_d{$6JyYaNjfvmaJiK%$MbMdT!ZnjeI05D{)wL zE{cfhVHVj_a>G*hRiFZ(G=Ex@r|!epD{v2tztDugYPUGi*Y(eqWsga*Wq*Pc@5G*r zp(;=UWloVy4>olt=YpZ>58Q%}%idM8w*2KP?Awj%rg2j7u%N^GDkhv+9(H?qEtMU* zy%xP`?^zHPqnzQsnh4yZIC%NcxmIZP#i;sNlxe3dL!}?RITR$&KFNp< zG1&{;2VW%BdE>?upNoi_rIThSCKXR?nZ8_+F~eb%tjnb>mb!gGwg6j&ad>f+O{u5u z;8VQr89U%>>N}a-4O+4z$Z2~Vy#i;zcaUX2I7!K;a(WZcd>d84rraoRq+x8g)OQE` z#Wy#OGF~9vRCM?6M06|t^?KyE#x@@#9k+7JUC50nA}|m^O!H4iM`3|Yku<4f<<^@aq`Yn`rHCge8#%N%m7%`PQJ{5_#LoB?>VtI#;U zr>E)TSyR1|RCRwp@bv_jnpWq&s1hnSnLeA9^AC_hTON*K+n6xxZO~ecV*2H6NqcR=`$+OZ%xERuJ3VsLA6F*S~ zet@4ETW)&90H0yCNZMUZ$+8LyNR=Hd5X?ygJ~E9Em<*n{8q4uMlkJi!bB!Th&Xzd` zdM|-&Dwx}5nHrw+9B`lIqQUOl@Ov19%jAb~A@O+~oP1@>!+Bq6mv8_+cadUtGw_EG zTS`CKL)on}Xt_baI#Ol7M7ARyeh5cyx63JIkntfg6(u=O*vaB=CB%+uZx>M*kInLe zYcM%IoheTE+*@10d^`P(@(~&NVLoc>y?iZ#E&Vfw=p7S_V@H`uE}AP}!QsXsJ`ai8 zegC?(*r5y-J+~v|mZ19r@`zi_NNq^k8za7-NX=PchOs*HK-lY-V`PS^yNy&RJr+Nb zbu;wqJKZ9brjru%aZ#%4Y}30{8TRK!oV=N(S|bCPF2nBHkNpZlcP7g&5Uh9F=RaZT z;NcbdqqsxE2pRF@JKm^3^W4XxT`ho8i;1K^E$4B$=B_jhlBGqE8?qYH^em~L{rMGa zaCcazqn%ijFu#rvlv_nIJUE*)R2}8kkgJEGpY-*EjJ5aHAVaI~qUVddaXOU^BMO;~pLQU706G z%*VD678617o}5HrIFX5;Ebk`u7CLe5N7?I$z+E(z^quES?Ar1En`$Intn#feX)o;VM5)TBQ|E z&qJ*Xy_gptob1ZHY|N-J+d`LvW+;Bq=zBsCj!dUlq7=KX!}q*+gs$5t-)FwRDznY~ z5H$#V0vkDJtL9VaT-30({e;Q~CuTclD+43z7)94&%5vza?l+{=Xu7atn{#|r+-J(q zkzxj}`StF;;VRcH_Jc6+&=cIPY9S$F`iI1)=lw-q;61%oUN!p|hP&Uo75#!roD*|# zXn%T<5>AKO7TQ_RB!X|f@a}%YxN2gjTs750Rt3)ur^~76848f@T!w8tngX^|d z4H2=0%T%FHK!v|vaheH!7;PEHHK;8`jS70X*VWfXd$37#@D+uWEVteI;6Aq22F(>Ar3f9SRdfoxJ9+I(x!IKV|{Uly+OT<@bN%u zYB9eb?G1d{8fdMaqgwpR_c8`kd3jRm2$n8|V8$|ACj2zqiDVGU{ z<2lTNr2;hf?>YPkcl{vzG{#!&O^og>1$iiSgjFsrv+!pu@<`gfThv+vUM@v z#n7Pf7-vpZl(q@?Kv!b~ zV{P#|TJyArcNa%Wi0f@XpU2B&xBB8y1Uv)JP(03t=>9bHsHxLp;~1ixI#LYhNoI`` zctjx@bXb|LPp6WQP@4h%62bZEJrFc|`l)a(cJhOX<^%0G9VBd}1Y7bC=nIQxsNqm= z2;Vc2y3cchfbV&i8yvn3gxFgH!(c{X%5=16#Oyp_n>t7wip^qJJ?<)Xml658slK>| z_1NJmET^|@;FGDrxUlA*$W|cfx0n9MDxx+fy1%8X76(nR>lHHeDA(SjS|02qWv{2m z6Ms~U;@o76q$KV4*i`21ZdGaTQe0FjRY!JtJ|~o^(+aEUX=zButd=#(?H$xF6BdiP z?B!1D@m07!aP$U7nc(go#lQv;8gfWvlBS6uL$W>Q3BS@)lG^ zAx|$=_`qFKqdN5H!z({$;&s?i|Di%S;i>o{tWr7cd+8rD9AkD*)V~yVYNwiy8C0Xu z;Qs4zzj3r7={+IrFvHv`I?AM26v;&8=}9K~qA#rUm3>s7q6#{J^(ZSvwpR$yOf+zm zKWe~`ay}sWLbhz*9GJlNOe>>*19zQk$1u`NfyJ6n)>NZ2{9&$0bxL0>M<+(PbW7|I z4lfOke!_*=&?f?A`@7FXDsQS(-8;O^#PI2gxP97AzXVeZy}8!QVXD4r(yp)hDCx^}^;-)NGj) zYexgBk*)M+>Q>}eH`|q-{`Bm051uHFj1Go5Qi247?09!Df0$lg) z3Gwb&t~WG0j@l}S-~yi~?Gfx6!rPLoc?0SfucI0lkQmuesASi(8#yc$bQ#_|m-J(-5N6QwQ!-YXl|!Gd#?l~%u}u!DzwD0g)~U`yA6lY@HS zDwl%tJ#{zJcg?u>T4C8v5KcLdD z(dH(cP8P?GgA~0WaR5JWeLr)WZuq;%A4@P%h6XonYlh*qG|Lp!4qRoF3XcnOZ7fk& zz)s2>a0P{?`Zm)IGY03?ld{`&lZ6S6y2{p_nx6m1D3Njn$oC^Y_+F7TdSDtO9Ecln zV2m^qYQsPXt#XhMjfePt5W{IcU!~41!Aqq63geABT8-%PJ=m>7km>f%C$PMKQHUiQ zJx>VpG24i56qMryY22;MX@Ii~@_SWPo!Hq{p7M%}#nXiO-bV2ccSn6`54dseCinJQ zTQK6kbZsgvAg#p`e6>Jzp=Q?5QSoIF3_|SpR3bX^!GwY}#J z0w)a@3CPMb@k2haWm|X4Ug-vWXmG(2WwpX+0;D=;z{IjoZ_4xDsreea>~a-n9m*#X zmu23Aa-;?0E5DE(T=OSs<^fqa3_mLu;K%)-fUVK&#TfGr_kL(X9B*x*?PdQ8wl-BZ3S-Td&;H&&C6l?%)&Z-y#$33o!wQRY-E`d%Pm0U>E9jJzq^gX+&>~$434f z^^sIdH{tDZZNu#_%=tlxvB8F`h)p}+`a|8lkf;d0?Z!eIR;8#Twk+d;U*}+tn!-u6 zv=1qhSo@^VK^FGD!yKd`2~PCO>e=rxyGIU2imy z8k(6f;1P3;ti(Q*JRa4YOqk(mnF5l=7;uXk6>q1k4vzZ+t%>cQ0<3Qkrb`69_$ZVzl+%7wP1kf-5Q@OUNZvX~Aw$N7D7N4Ub0O z{hF5ntZ)QKr8a3@U({v~S&eUhb5}}7BNx-+B&BJU9>uy8PC=ku;z;#{@`>2gmRKka zz2WBYg*;FZW^AwcyHd!lQ3-K?b8&JY<)PMU#%Ry=eic4+b?tS~^WH_G;&#TFw>hDQ z8Sp=0qdj85Y9HJ1YfH6=EGGeJ z{9>?61@PvscFXhly@6qFN(#-_&4WaS6U~P$dGxwom%guek4Ck*kXQW{t%K{rhebHt zUfu@lnx%Ypj1PXHW%aD4f^Zwf!yf^kLE}$a{cX5R3@I3vlNQ#HWcrng zSOU;Q>KHRuY~*#zu)HuAYWWC9owVw;grpCn?U6|GPNLv%T-?dOM4^v=Zk~%=zX5OX z&<2BT6tCq>&k`3_6*mCXq!HzEt#!1m;$bTj+pHS%TTIi9TUvQ2Die7!&UZY=&KZZtNlngrjyh8%hykQE39EHrDm zw`EikOYv65Y9Qhf|0>;$efLMC9s68noDz{!QH>k;eWTZS7%GkVS9F&%?eXnuh75?S z7te*{j>UH8+&i>9>k+plmJ%l$@VadAVDjc@qp2dG_j%GKkf?yg*fk+?P9{4m#n zHb{n?n%vf8R;6xzt)FYs&={q4l4NB0mhymt`%0E=1A`7Ym|CUrgOUD zimO#*JzbjNQCD-fIX4E%{Xt;U99L~Jc2u1w1dRl~!Ng4Jp=~`Zz`_=7fo;%VXXP_5 zg-uwwpl_j~ln-)@)2$Ox6%?Iv)CRI;8>`~MS5R#lSnH7_%KOZE)I;D5=`}mW(Bf-h zp~9PaHDAEpL~p7%d*`%mv$*@$s3#=>Z^aaqx1VZa&5tuU4@xd0uX1GwiJZ!@x~Xi( z+bs!tK;~`-SA!i}iFbH?}`Zk%`KnPgy+V-+9~ z5LJWXU00FUV!uyrC8T$Z2KQpjN>#RDpH$6)bhie`^eU3?+}PP){sERBv}%@@S@nG>yTqiA#s*B6<8uO`DO2qBJcl;-Ca3b}L=-A) zEPu=}x8Me6Of1ulAT`{B@#lQr*R*eH+I2p8D;_>pcJ`_N$r!Tv;oMkm6Me%P3yK5t zDWVZRXTU==?MIBebtL$3D;DHirh2l~MjBn9dqMw9Sf%(A#5@x*>{!nxTP&#Cg;joYm%@~7^P6#yw3ST%ep$vrZ3 zGo3UP*Si8Z80K6g98yuaTsnP%%aS9$$R@sC)BW>!rOL?-n>c91$gK&y?J&!V&M+sa zvpJldMjsw_o`b(nh|chK9Ods>EIb&+5km{Li7%sK!KOv<(Ni%vo|zz05iqa+vG&Ih zhamtNxl6Uuf)Gw8Y3JF;3WqH<#hHS0RI0FKU*Cwf#+fDS(xSuBq?w47)&hw9rTN_y zU#D)y4kpa^23Yz=bG*cqF5BkKzFCOJPwg@oB3Zg3Y6&Tl$Em)>>3)h6@K$8ZWpu&! z0D2Ap$Jw}%EXU+da^FS?c3~d~DplwE4&_L8pl0uf#%(oiCo;I(81 zK>pfHt|OZ9iu%#QHEnmVZq4vc5l&rY%3R{nqve&f9+@nvwS+S%zqIA187F&8k52iA z+q6xqramxGYkHYzGx)6TUL03(c{PDT|7jwsgI7Z6wdtZuZ}1lv5tQfdiyKZm7*r_B z%eMs}Q?-gY8&mL-l$wKzZ|FVQhe%^GPl%2b$GU;tK zj@~3Kp{C17)0vgtm3?U$+bH1Fc0YHQD&jW!<3R&|G3}g6#|8drrMAH4S`E+5m&UdT zPYV}&B2(8ACzkiy3ei3&E~{-JE^jQM1w0MYBg0nt+;+xA6RPaYkzMd($7Pcs<8?%# z6m*<~x{vPX7j+;vP?(Oi3=L;J+uG;~69^a0dI4O_Ei;}By7M-tsxwhhjSsN#WGli= zEVi$h9^!-0OgnG*ltOlOxOWN&<>iOg^yv(1aocVl@fDtcuEExO!GWbhy#RQC*rS== z{0kU{5u0JV>p;hDltnP>^2M-oSD22w&#|~fql{!mzcrt4J!%G*U!B39rh)3-B}d6l zRwzbKk_=Zv*6A9cv%o(wgj36f{1B=_GEnC+gxIjje?JDw8qc8GJo^_Ig|EYLhqdB- zCP`Iql0GM^@+~Rw$8>$474ix$VLNWoWBLsx1v78+c;n19K177|RAa#i|91Gl$R;QO z7CxpdV!Z!|pg5rPgsGS$I><^$R5{Bdg66lJ&w6W&C~ea;7ySU~8?Z+6K>U^l!QWQk z&zldHVJ|)XK2wiNS!G=8xuVSuguDqaS9CfhGh)XmcWDltOzqK~6T!TD3T|>jj&kfs zEbG{z4HQ?Pemo?WCVuj&!Lk(wk!kyj&DJybCua8NNvR7Am_;QDJ4(Mm)#Bqr3B9z^ z0#dhJV|^MfZ7a5SlZ=Zr=3w{nQ3IfUhv-2%Kxk4_xE2fYebpf3*WGvmrSI;{^jR?C zH;CKDIz;ReKi2W7QXfc?DvJsU=pu{^u33(aYRfwO81;98OWcMmjFhftS|n@GJOOXW zn%{HzC0(Zk2`lK zGjCz^`Vo8DMoRS{#MPRy8b4A^nbA0rb6NeH2s>rj7Ae6>pCNynN1N~OD$N{%l|Y6W zwCvp^Fp~Xjau(l0i^VU`y)EC_4PI4|K83=B9THR$ic0CyHWdEz#{A|jswU%ZS;=m! z8f|Ni;Pnzw$9NiP458=uPjS1cP;HwTTl{fL6}-2X3Nu1=(|typ7xt#txG=SwrJV7d zO6M>`1(Jlo-4)X+iize{qi%xw3E>cb zP^x?^tEbW7J5FZc73h}d)-q!;op5TZ7Ez-@1=&vFolo8$83hd6i1O+oRV8%`(;du( z2WV^{37t%VQjoiLq^C(T-itze4Mp7;6BPEY1nffcHW2KSxD5@Xe>OrA5qwYLJY9PP zJwor%>CikrJJ=y$2>bYnL*UiO(T6`ncgAjy&LW(kFfu=a-K753h|@qJwCN#dY3B6w z>SFAC-WCS&+6tW;5%_(o0nJWpDV@w8=&uzl?_I(kZ{c?PxCgJ1224e+7&{m6EMz0< zrPaNqO83dLXl+-2u7MjWwimko?Y%0qX6yrTb%;yXiZW!{E_;ld8C$?1NoY)d&c4;> z_@%|1v7lpH`j;D)XkrC~8pd!x*{9m23=WK3Pzs{(jy*`dTN#{7Ef4!elE$QGtV9>* zZ85Jw8TuO1yw;?u;!~;~3~#7A$N2BuLeMVV1|K8TM2k_20Y$Hb)T&WVq#;R7F^}Ng z>7YhR|FYa>o^iH|s+6i%TZ7jA)iO!9JJwrajjQ1SJ9(QpQRxK((yUEh7z!K0;coS1 zt0*_}%0PMW0R`wub=J>xk=zL%ld~*6HlSl_vMfcZs?13?YV8MBGm-Uu|HDj(LRQWM zD>!2aLGH?rI13EFox0d3r%(z}V`Mj=X(^3a_HtI_!fnNKu($$ex)*=_{e=$1owu~( zcVmzdkg%)pS1{n%gNaCMBvZzn?g**gk~nTesQVdb^e>agoTc8hwg6TINn})pwny+&caBRp(`0~(Myb6{y$+*g_p20Z{rYz!_QxvINiKwP+ zMNf4f0DNDvv=J%&;A{WDtZWGr4+54pMtI=d4zY$1jYgX$e+|t7CmpACcYx4NvLriM z_M?1=caitsv)Q)t_Kq@CKy)3j5CbRsGnZTkJX8< zf^D`i8KANO?_WUYgUo3E8>0Uo5#0n_TrhzDFGOEOR#}*z|346YMg4C?U%=MN=o{qz z-w=IPMgkf}I@W*UJ{iB0YT5q_(*Mq%{O^$dzfS)X(r2Lme}eSs|2w76%=phU{$DBm z|I6sh|0kud`Y%TR9|+&tTK~U6`2Q2XH~SCX{(nR5|Ap8C{>9T9yL^-R|4{Y+lc)br zh#uf!>|pypN&0`dd4>N$(*H+N_`g>FzexIjni&3XS|bY^+ka*^{&$d`m6eYEUs;X+ zf5IA-jMWk^n~OV&kg>1}H6_|Pi}Zg$;NX}H>zh%6L!Y9>+91WoBE=$@7atEJ-;Q&5Qa!_5T~bt5E{k(CFc zMI9jDx|`lOTn(p98}n`1SJ1v4-wIZ=T}r z`JxCA?73plx~}4;@ob_W!3YQ-QS@pnc^fbF+zN4n=lhJf1aI~MwH{;@f#MuKb`1L;W-20ey? zgo6GoaYFq7@W^Yrd&q0CC5g!#vz1;`f{t9L8O9^4GnX9uhIS`ZZY1Av(e z3wHKkoB3(;4EC;?-_!OP{UKZhP0RhzkfCej{j_j$;Vtq zFHWx*1sFv4&$Aq#ZFXqr4|ql&7+~(ekE`z1L;UX@diK0>b$m@|^D8e8uWqNE>EW#M zrGB_p0W!V_1_J%$Y$E5d3-yKRaYsYn%Lc;dA%uno%K4p3!Y3vs2SPwew*O{p@JWdB znoF7_&-`aSutw__H;-E^*5Y== zfUkU?$m)1VQ+Y4J%=3N8gQj}ii=EtMp7h8V)^fYjSiaQ9V`ZSWsFkB&&+U$ zv3T*LbSAJ=I1>RnMi7g2hCe-(c+j#iarKllQVZ`YM2|n+}VaM)=3#_nJ3milmd=IrkNRnSpu@)j%6D{ZwlB3W_33%l` z8*qq0Fv?Ahr{Lt)+{eSFK1gP08MTMjZ3!eEfc?t}vk&r#fKmGV@Xqv7MA9pzia8WV z!H)^uZI>^!THbYwXyty04BY0}U#EMqf4Mj%Oi_Gfs{FPwm)@OM2~rw8>-YQmPdgCh z*`2koDf&G;s$;K2>$^iThl8`^XXXB8Ve9&Kv30#?40yNHdX|qAt%K#R?YhNPF}S{JKh0BByEO ze(p$ROA5LdZa2J6jy(K4jX43iU0cRuq{xT<&hFh+g`n}#^a%&&Y>pVIC;KBa59OOf zS&yw|H|{b5+>w`fO=c>1f$}Av5K3FoezvS>4I$mHx8@K-0U&oK` z&Ykd;!MUKq;4M+d1w{#=6iu!-ATD~Kr(Q!Y!0L+APZ;k{wTxgrRO0gO(53A!-yAJL z^a#1nAyFS3<|@{gI`Z5tz#2Lddw_RVccLLA-MwIA4W-DtKpAMlhQt>b=xdnpq)Xuf zF+ZF&&Ri92645L*s>F|O{1T+yqYL_dv4H1=f<6_2UeFqt&STU9kr;S+Z#87`tJRYK z+2uU=_YBNYf4fx7i)U!TXK6Ak3;rIAvV|z5y^DP2JP*K%Qx;Cr5WhL?4+Z90t%Vly# z)iRm6MN`Nrh2fK%ly&-zvuZMSnxJJYnGLCep{z{JmmL~sSu#?yx+e-hrtPQI(bQdu z4c%;3<8O;VyKI|}#=B5aF0W_LF+OuoNNGYu|Q;b@qyZLzfKp%G#%zKkd3!z^Bh zb5`Fd>~7fdJ`M!hA0%|}b}Y6J%lE_{7?VsJ;<>iI+vSO?%I-3`gY#vvc&+}rGMI6f z!j{=m!WQWn6XGOm`E+a%M;X|KRN&QVHJ0WN=5x zN$kU&#vy-++k`Cny6CBY4!p||(Q7Zd6u+c>ST|c7VdJBba6eo>FC#qea@}~uwOD-C z!4=-D0(!-PH_Kn4khDa~W3L_4Inq-FT&O^Mt>vN~7Z+wuUxPZ8nucOH_cxNhvljOS z7-RgP0G>s9K(aXQZ|3@Rcd+}ybrjqq-(EHx z>w}Ow<5`;|Ja6)@ZG_QuOZwFQ(Tmsd$OVz#E#BL-a-+y+VblY`~F z-m8j~z}Au^YQpzv1IS99q{I5e+nh?p2db!V4rU@tzozis3c>Vw&5BfbqE(a9tH+=V}`bK}B})A9!CY zyC;ZRWzL#!kLtfO=H6tBixK8^HrRYNjgoVOJDP(RYEu+r%!O^uc#C%z%n0pEUhn05 z%=SjXy-9nmP!<`K6l0A{X@|$SON}TiykEtikWlWqp;1g($QjY=ed@Lp95h)8c3Q;^ zedo`EILGSdWP3W8;1`P^BwJGX8Tdg9u!=K-)j2UP^`o%FsMl4~Ss>2$L*ReFO#}w1 z6i5z8r(UZ^gGkeI0c==%PN=UJy(6cnZpDlSnSNf(!wSo^HMnT8ZAEG+m#^k^>mATr z(H~UootjMpmW4A<4ZZ<*NJkRbSnkGzZNd26{h`?`N!iWflp;w}^dF<2K`W*+NJ1T| zrC0=S??*j_uQ!lA+1q=7%C^C>#jT-vm3 zgQ)4?2YjE?xL_>hxU&zGvdSD?gfi}z`+TfLsp9kkq-nc87)5%@nXBW6AGbUBp#Z`| z{^C5Y(h`cT;A1pg|1fFs1>? zMfi_+o0L)7g4I@;j8o!)YGc&?cl^=6go@AWBOzZF#k9qk>7=)N2mf?z-hI#@96!S) zkSgdSwvxW?qL$l`vJ7P5R*v$I^JzDUe-gZ10up|1U-d1zkQAu4^zB}G*@YP>(%nbx zC`!iXE%;qPI!B?{fHy_6HmW>7=KOkD-Q21Pg)8?^Xp=<(E~AFN=hc=lK=W6to=Y2Q zTN5;fKT>Db4)LhUNdjRyp3EK@X(AhbY6>S40Lo>Zy6(8buixkMwa0fbn!WTQi-s4M zseKmvScCjUt3vC4-EF9zijkNb7t<{cOErC8RUfBMDMo_0lyjK9wi}kV&MZyQL%@PP zWEs;MwtJm^o+noLB$b5QRta{H%(JaY)2hHG-_HHft>Gc_;b56#n90>#pVB?g@AoL@ z8SN>cJqef#FCD@%y%`erPu`r1FG>5YrQZ55)_KoEf`kk%#h5!iOk!CImkOS%a)=nd zJ5i%4^kHvg8!@;>CSO{Xz10WIABISqU=t4rP~!gn2@aU;63oIid5`;2Oo)n-E2I)j zyc^rf>~43eSSw>?B&GSHPh?7F#l+t8i!ZIaK;ar6ESeWzeov*}(Tzd2vY+vH%A73| zvBmvCLAIhrPhOREi67e|nw#cq1gb%TA@8MZMEHCj0B+gvJ}GSNU_|%-aQ03?wgq6C zW!koF+s>P|ZQHhO+qP}nylLC!+^UL-sP34F>FCG(dLDM{6KnnJBPNEp>OlkVlhnUt zPp261{Yg?R#o`g1k&7MB!ujy!y%!s^H63_6ckCahcRx+0d2W1Ct|0No?bI{FbepFIceLF{nJO668C5g6zLkqfX9i;PM-h$AOp8X z;5KUagic0^AUp*+0K7jk&nmkAa zF8uR|_Un}U4kaSdTIY#fKNS(DOlkKh=?ogYwqve*hJS#D=A9v&-Clku0hjz4K>-a? zEeR*EzbbN|R(gh);FvmjSYarne^+EZz4*joWOW{Sd_L%8 z0X)-0pqU!fxx>igyKAO(;Vu$xX#?cJvXt(AYwh%7d%YKA#eTqHyd%Q#+iWI zlurfD^%yr6iE5LsEn$JC$XP7;*ABaKSl1Q<3Dq`F%P#j)JSD!2t=xylLS2WN$+yxv zuKYaT2xiR(wMnYG{+iJH@&IQXy$;ztKs4%*r%^S~;fQz-BR6(7-h4T9YV(P=p#zs4 zxXUNxx(A*eciSz}qmE9xJSFfQFy|nXp-)}arM&a^g#u`z*f&xUUkNS)L?VU zxlX=o!qUWtg@u#?@2v4DO-QV^(E?M0Gy+G=Gv1toXm4)m$vB;yvAV@_|<1b~^;rI+1Ff5r-#!|>CA zwP#gDL4nPB^zg=Rp83&5m(;0EdEJh|ly(9ph)28UWU@*P(Itn2e(OO0?Zlt?m%u5X zSI&Z~rKG_xlEm0e>c3HUYjHSNUK8t&ZH)u;z_Qf43mxA_JQ}x+uf!m0yY8`W;TB66 z@|4kBPa+Hsjg5*+554XmDRmfA-yL{ifleGt^I?s!vb#-(_u+&rH3p`xmbU0w*hoKt zC00kGTT>WTC_~uY=zpTYwx`Zpq08cjl)vYYVi-m~pnpoIP4OT@T$ok`K(?rYs-+LO zLWM43mNYqY&x%Mw&DL(No-wMguhEf7LR#2KhxRIT8ABh7)u3`1@FBxRf)AlGA5Yg4 zRG!=|3S>q`rq_BexFzzdQW z0Sxok_=Zk1D_b!ALT0%CMlfN@yEvrii6t1>Dh8z0=WRtI{`-`?WWQuVM-nKJ{)KE8 z*VfdpCeqQG-ESu?!UZJ6lY3qQro9nVLZPlyXE{^ixcX333K5^6w(4}sTMMpBqjKxn zF^Nw)dWIV8yc}GP zeiJvt>SpR&z~tm~gRbJ;%#FJ>p}a*e?1|9IXPzxW8f)a}u;h()IRvTC}AW>uf zul(6*4xfpGE4X38eLv%RDrPk|-C~)g@x&xeWzmxu<4&e1 z6_0kGIs1;!`EQc_xZ2ymDknlQ<}p!_ECB00!qLSf8bhPcO<$9Q%LFU6LM6<5AJfph>ArE=iQIz+scc-kfvMhW z;ySxkcViZyf)i(PtbJ-Wga8uX&wFds(`viY4$p*?<_H6)29fx$vNN$*T9?FzYjp{Dz!rpjwH&4;jjG7pnHX|&L~(Xp5d&`IZ8KYK%>}%(@+Pm z#gvBC2Hj#k5FBxmm*a(P`aiu;C|;D)#((OcWsU8!~RI=$Mpjhb>xg(^Y@G zd^E&`U?weMSF^$?MAm4myqVF~6tuBJG9_ZeJ|z4&0A#)3L-&x;t2-TjVQ{|A1QWwVr$2W}RglNI z^wHvO&6Q55=h2nt-Z#Z;9vU9vA>$xDBH7`6H;x-nqiQNx5ae$Ef(%Q(SM}1rO{m|` zWo+!2P3X8v26JZY=aFYhnz^M21($warDvkmR~J(L`$IOh6g_p3-Wa!XHJ#HPJ_BAw zl9hYR9=L1Dx*O(dBZU{1R8QUXSl$_o36E0M86ZH!26!m~~j6W{%Gl2>@9JpDX{`>~2^3Q1mrNLOz?> z?3*09qIC`lWxbQObo6F22TGr14e2&>W2ee`FX!5s_hT4R=#Pu5zowSkw4?r4j&mt^ zTLHwY&5sYFa+%xPsImHSMgnCN4qVF+eB8d?QUixs+qUiLso{rWXs@vG9TH!b2jrjV z4uT|ssa^ta9e&8T`@6Xlb&%$#pJLib>N&p_R9juN_7VYdedV(wFbb~Kus@@})#GF{ zgg)n0lYxiIUm@rX%`v&oLY_3c3V+txJ!h1@x2k%hWh>|}gV2b&s*HtHNH&Q-ltmFi zNp)JOYP|YEJOJiJKR3qICscXj5;4VD5unzYH&}9>b(Q6{o+fmklcN#OnpyA^xRt=* zZ8r9IIQ}NephtJ1h(W2bgE$B;tRnD&bgPb@B;)n{#HCH0dJ%Pv{e1+cxms7v`H&w$ z3^)VM11q~`12$27I}7y&$tkSQM9VARaquOzwTN30fJwr#B3}J-+HkE7XlGj)zET-` z2RUME*{A>Iq+BG3gaQ-@Y8QX88UmsRCLAtr%T}yLr*j&)u12g`A)rZohjJS8+|wTa zy&H(h&TM7ltZzKK5d>bkJnHOgP$v>5=40I3;07>-KYyam&259Wg^r<<)29b}y>w<* zyQQqNlU z?n?0iBm_(2dw+IwWW;8VVMvVWM&uvH&@JXRPlH~4r%|y8`DpK|o9sU{og(gxC!Yon z*@41XKYoDZuaT(#FDd{#!~e*-{r{-|qM{VM z|34de|0|^b4Wp^1w@>Fwhg-dVA1`sdqn_k> zoO$oFEu&<_it?q%ObyIHk$*S1mKYb99f6N%tfRHFldr6guG)>yj04Ef{N*^YaWFH& ziRb4x24_{5=P}1&<-s!n{sfEyn3@70qobqaU{-Ksq-&}J0}?$zWhOcz0Z2k} zs`!JAxHH|Iu-s#lOBOEfN*R8 z$I$X^``eBReD*0f19;^Z#e^g+oig_iLh7HGn_qry0Go09htxE*L`~=c@Ew=B`T;k( zHGekOzc2fMDb+hUx-z*o*Smpvo2nq7{({SzISHTs3*KpXR|2}0=B1Lkj?($1Jhk00 zPnWH3%nz@sL)(^${^g!rTFL9j48vowHl zar%V5M}MpRC#mmKwllZ0yZ&iw+ul|EjTji*fHb#}gdZFJ%2--|XKu>~p~V@}Ya+6+ zvIN&R{0iF|9{I`ZycHPh!~XNWHZAWH$iULj)Zz-B4j{9Sadef!_lIoL|%uLVK6A)~5xPZ)9lv#hw${5z>%ytp`&7EezVs`tJ6Yr~D0@ zD=4cVEBJ^#17wEk_95z4I$G*$2${eMw_=c4fW~Hvdzdm2iH0@q74Mmvqw?g4o2`%KUC+oty(}Bg032 z%@68V5u<~H%MbbU`QWGeJ@>fF3=h%?7_+a6b{*{zNVCMWlw(!z7)ti1<Rt zZ?y{L{AL?v*qJ)j4XP(7s%26UU%7pZt4*_uQ*6c~6_z z1EXwB)X15D1%O}`B?m9D9FK2%83qO}9@bTF=+*XE$wX`j=^^9rg9IO`q@ydleRmDJ zZ*M(snX$z4MzTM(_DxsBThv0SA#JrqRg7**0hnTBNnvRS(^mDV z)EguOF5#buW^Ajia&UZRtq0`-znTR2tS#z3g;7D0`p4E+kYp{6;7c4K<{_i^Nk5Pc z2+J1nqG7k*BAi8I%~UCaBIBc)qQ;5&`Rvdvf{i_d-m} zOs7FN2V+EiPAC5#+`}jgeBTV*!oqJ3*0c>QY=JCfFj|EtOxdUUcEY*v)s5RFxe=L|V>Qa~ab9?cEUiCS*H#zCp~_vZ1Fd)1Yo* zn4h@t-7wWBT%JH$-K*X}<2G2-6JI(#u5W`*zu>Cur9+Ep=}3doC5TxnNKZ{~qXq7; zmA~OqO}Rhm3*RR@Jo3on$Yz{w^tMEiL&!3EwPY1``OKI3ncm>f-n-cCqH`JW*Eng% z&YQN80DsN?@(%Pd*?E06y1*BH)}lIL@18vq*LqGR3j^)gd3R+CHrvbR(>)$>EoO76 z|86&X1rPAG7*3NFy|w2eIZisTXOf~IBE98g-Xv$3voO-cu`h)FyqV`R1}9LT?B zt+R^>0^ke;(IznAe!pgVwYi&|{F{dzw}kDdbDz}_`Sx}ZWqC|eqx@T*Q6G2l(AzyM zi*tVw^hVsMyk1tSC@NX&lmi&X%+!_3Zifq(py#13dueHmBi&||JUdK@+ zOq;I~%(;&fHtI6hYpZ)08`dgaH#s_}7r(Gb_-{qGC%!#AK39@-%~#M2%#FH}ENStG z(zKoksFP?)4>lucTIESOY(kruLY#*Ok?jLgUv}`#g7;Rh5mZEtMW6|H`+Zr3-+f|Vk*$%kzyIhzP^EL7~&lrZHTSvntnJn|RDiM8jyeK(P zlUQepQn;IxA*tAgEW*a9ZbVul>cdPcSt0t}ea(_=Nx2;SCOdBSovIvSV}B7x`Rmb!VkSkfi#(9ADTIp#ZI7h|Z=6#kEk)?Nm-#ij;^x$bh7Si6_q{&*Ms z*gbWbN{vQ!cb*NIyOwdarte6&)3iI4ed%flY?UGucXPH#zS}VQoayY!Detg=QAbnu zFn6+oG%iL^+ADa=iEzC=F?Bf1n?T9*>I@<_Oj)eXSrQqZv$(}kD8l?NnGSz#tX7&S zo5I=L0^gMnuem9o$AA<H)Y!pOR>jj)s)we=+zP^m4=FnN@4SZmV-Fk z)m!MUt8Bf{rG?30$<{8@w9{G@ABi3;2ybX+pwV`^%_ojfRfWS=x|92S@&@XvQy6W& zS&zCVkc<5iE-4=u>{R_}2uRBf@Sk5 zm#9036gVryr4Z?~Z$xFP@W)KE3&FVirk8z4ZETPuWNdrHjW=j$WUWX|Csm zY~-6SZH-yz#Gjb&rsz~6x$X6epr=A7=;koG1jo+h5{nHp*@7m)*Y?ee6#@FApVE@g zr4%-gR(ji=C+(gBAk$4t<(2psjftM#+^!3% z`&?$Mli>7oLyU!W84nGe*Aj}Jsn0?6#ni4U!hAZLzqh~;BF)M0GooxGp2Q8T-3dQv zTwWNtq3LK>C3PYf))MbyB|m`|1N%)qCdOZTa!xx4?v8W^#+CrxY@4RK=v1yY9~Y9| z1Smpl3xy3CP5UEY)-br-)GUu+4(l;>x{*`)QwmTr45<3vS{chl+I2s_DtZKce&r56 zoLOWxPk3A2HEj4~IC918>e6CU#XS%Jr-@r>RxqiV%MY))g1C%B|B4SxS-l*Avs?fx z#c=x>0M^$lSR;|p3ziC8=zR^@m03pzlQ7{$%{j_cHh3|Gbtd9LDF}8rH=7Vl8FG%= z0w|LFmp7L)+0A9h;HR2NU^siE)$v;4B>a^i!#y&}-`sQN?AoS`pC+&~?XMOX6H9fi zZB`e*qYG`UY@l$#!1CfSk$Ih_p?+Q|dUz->aLRAwg;ehAwT(4lPW}fUBNQaNgiBZs zK9#!Hm2Nz>cDJoUvsp<~ihmRc+6Jm)<_7u+8=(0&@7h6I)eIztQS?~9W%Px%5t>KC zC=TzSTrmgD^g#W{2INds0uKxRVr3mbP=F?qoKDb`!cM4u-0nFkBc@g`nfO^!RZrAJ z7)JZxjHZ{rJS+yg{QS==R9_x}pg>OySElchI?$JfV)313g_DrZ+d};2?2K?2eLPsj z0+BdsHrTO-eHD%uU`(Qebv5!uuZ{)`t|Yc_!MIv~bRlVWfCDL&)0Bx7 zmzgrDuYC4nN6It8BaC{lAk{;GhJ)e*X9H@eOzyr1iz)fTc2Q==FPgTu zgd)9sSw};#fCg-u3?fVe4GShS1yU5g}I z3}PC5C(0;7Z2c`%*#ZsQBneRWGllTil=?K_1-nBfWTSH3Nv;M#;sih0GqFm1xuV7? z;I>D!7%O{xe89B&&i$D}VG>+|nufy%J`z*&r@Vh{cq%YxjaMRhz0kg*<5%; zPONhD6|3SQ`F_?Oos65QOwYiGK(9OJ!G`&IAhHW8TXj(lhtOB6@ey3Cv)s}Jsl``L z8UjPH613-{97IupbZK@wdo>`CD#F8SOT9?vJXbR*JPuP?*z;aDaN^GiIf-k9oW|66 z`^SpcUajYTj)~nCCp!q}QpYk@moby{%rIig;t^)a_Fd_po_D2!&Lfcp+0V!y`-J!d zjYA3=oDT_oH=of!CS1!yMPUr1ccIV4A^2X2O1gCKQ;ple;)_xW0E17hugvq7#KJ&F zOu@D{&516AXVs@q0NO7S=xAWuU)#HFkUEQ=x@BS%zOCFhhSx-NXDtHkw55GnD)Eu9 zIrq~m_JOp&4@^eB5FFiP6O30EWd!ZwW#Uy2PLpO;!@N^nnH4?-wrbTa+HP$e z#AAosh=*4drC}1C%CIt6ZefD;4|hNhj@VJKXpV^~e$R)4s8x!10Kc@~&^sZ;auMCD zp!r4T$r8Ehl+^HWE5A-8!r$m-AM=DS9$PT9`Z0(`_knm&Ad_wn6lZc|KxnpLrMpqv zqK{W#ODC?niS3ZRPh0A=gc@Qb18WnyO{j>$lHBcvj2F}&2jJMU^>%I{CfjcJ-^G6% zS6CH3EQz3EWtzYUEP~QrXvDni46jxtE9VG~oF@hA;3soF4mgR*S_!U1~SqE_%L zvm_1QATEl#v$v|S`iBUHVNDHwX~J1sU2CTYf{57N(Y(O|iIlnfrgj*=)L)LPFo-Q- zQ8ZjCIq#;$XG`q!d%Dbs+_@GT&_MD1F$S#MVN*?hWO)(l60P!FWz z(*469zj+~->(J1CHKv!aQxBzVk?Tw%oNXXoqu}+|B+OtefgRTw_8Y=Y--~dDk1TzE{saF6x(06(nym&6!9ki8S%>pFJ8pbdMkjiD zG3Y}{VOh%(0h+rdwhJT?#6uTZg-gA8x<8S+SzgQfs639(~jhK{Ll{FSMcH4TVx!uFNt=cAu!L*Rgi0 zJr@>W(@po@ALHg&A8^Rag=l_KfoP{V9KfWd^CLC~)0MQM$n9(+bKF@8y7LxlVE^%% zX;6@Q11WDj?xEVPWJ)|sqQFfz58~f!hm%1~RRy^_icWlmyUCbYzxga8f# z=cOKQcM3YZDi~%74usHp5h){g!u)LRA_(ahVbtldh^rkh$B6K6#h7_lyIMBPtpKYF z*l0#11Dx%`7KHbYg%p*g)~Tl7W(UXfB7;}?)MNQ$n?3b5BA0{PqTz&XBz+A=^oLhB zZS=94UfoQ-ob0Aav16Xe0@1*6Mo_e@UL9|AaBZVZTa#%-YUZTH0jQTOxbu~VxeTOr z&`)qYeVBW7tQ4cIz@3DQb6J^^fsvk+*o*X+Ef41+)MW4&_slGM7Ym;{%VVtwqR z=Q}IM-GU)e)$3(df_E&tiNM+UB_3@$`75w6|#`WCpUG-_U7)Cz!YJPmgqp(TW-5Br z^#g$j^C>5=skZc@ra(oXXfDlSRt>C_LFWQ^Y+~3JSE(}78 zT`9J|s`|H5i-3n_)u0({qt>cxCD*sEXDw|JHlxa^<>*&%4Acm0oA3+rNXx4)UW5-b z9CxbT%swzc7N`))7HZdz71<0f%=`rf6CV0XOLF^A_w7~jUiE(?>bnQV7}JLCT{%K9 z-kG*75VXs?2_&b*FrdA`s0{X%dII;X$O)&l6EkvhiS+NDTKNbr_aBYTh6A-Te6JaQ z2ed}jb!lx?;OJbl-1w-7vD~N+q}tXq9QkTJFY4=c0eic3*WV zq62a4GHU-zVR8}}P+YLIc>gY(DzTZEsedj=U$vk7d=V<-+Vu>XDBzUepj znD5Zq@VO~wV&_9QM5eO+@W2IP6lyy#9J<0G)r;Pv;N$b{sIKM0GTGxP&|!Znu`u9u zt9GU)jDLvpmL<8TT`*#H8Rb#o@$RYw+LrgSu}qcxNqXJa|B2g`iT_($R_9;h9(n4h z5}X|CLr28GWDDtIDfhURp4QGU)t=f_&B))(uXo`(t+q{fC)E1+Cmm!(`y-k=DwQF2 zp}gHJ5=byQ36bRD)74#fYr4TPQz*^cAH7m2^C#9HmmKy-kVdPTuOJogSCJ6xjO2Vs zg|&8FW>(CJ=RueukKd0c#74*B!r7qtbxBameT}GkhK7XZFZ-&^LUmGH{<1`mW22 zC9%+cSjlHp-b#mEh)e2jP*hAOr-}nLm9*GHlAf=BXRY}Nw2K~BwOm|y*(WWt7QYY3 zOa~uIlW+pM=I2~0cP`H_p@u;%U-eZk;^?@?x52Z~ElKjaM71G#!%(1c`ow`wfU?N8 z4TBF@g!s{VJ?dka(wn3zGT^V|X4@P0mpVkv^$mESG9!2cgY1W%hwAOoftIaX-HK>B zTm>i8F@ipsV*t{|yMQ%T!7=|>J5p#_L^03~=hT#$VnKtkhyrBzIDQoUC~c_(AjRH? zWKaK~yT5#@=!#FHV7}MQ$t{L(U1n`}7<57%N1wd!DP1w*M&Xj@n4saQ`aCSis{sVHKk#A1SgMpi0K6?2LK^{IF_AsOPF;3fKEZ zMTD1wD*4Q+>R8f!e-6v63V2pqGt@z~1R^mBmJ4GWQVc9jlo{0~WK#hzE}Bp+Js}1$ zH5Q{V3`(n0CqPJ0o#az&r4fLtisRA<&x>6Nq7a<7m>^C&=aRSDiZX(ruy2P+XmVA_DnunaC za+A#xl}wD^Akbm_<-vCoOrJS1sQO(s*fsHr5 zUKldZ^M0G$6_UW?6J2`F3igb&_tEDmGfQ)uS#GVVjEy;r2D+ zj)juR4ABoC-{=wKP5F%(ieQ#LE;d6j#Ys9nWxp~7XnaKmdfhZ)P{;<^v2$C#pSeEL zq~^QD!w8@?*D5=f2Ff?zj4!-_o;=prYO5`~*~RwECh!QfWbYg;;F*bIlB>Z6PWEuH zKV4wxw%o*@9`qaMJ$*tr^0aa3b}UiUdTMBo@h^88Ql?TuIp&?yF$ojXfbk6{fgN z^~a8;K|My4yb{)or6u?xOzX<&#j_S9LXHH+%$gK+Rk#lb{|WMY&RNa(HTN8qyu5Od z-v$Oh=fxhlskUerb~rU(0#9pJqM-~wX4;M7KIx*Vcn@6# zwAWpmHe=3dat{gj$aOgtrjY&lqNi~7GjpT z$>9sFn&8tgBz0eaUA7XV%TmvX8>HS5YL?%gC)LY!f0vkQJ;)jW5S?u2M3zT=W^~K> zQ`O${EytXEWCODo=&Xd+u_i6!fXDPprL949(s&JwYSEi*kRqhuB5}$7J(`5aJ42Jm zv>`r~Wf9PqBKH^o1tLFNk`|e9zuRLSI9UD47^h$FAx#YE1!AX zXuiO`-W&OaNun9+o!7-A_gBfy7D6FSXKRO_USmt3(!w00@O})-Z6yyDpkNH-OeG@- z^!pD^OntV%Jw_DWSYR36u4wUWjsAR-oAd5XZp@v?-qTkfq20(X09O+ZX2A$5>bTo& zZTU*9gabp;_*l%M-qy9b0MSX=&9Y%#@`z+7U1q&APf968BTb90k&w|Yu~C z8PNAzgqC9nWJHl%?2p40Kxze$Fb;78=L1%V>jL-XnkDh={gYmhRZ^UPCzm%O9qk_{ zvc8Ed)mRP6>xqJgb>Fp;lnT#=P7i+O;D3QyE7eQr*!P=8(*zPOD3I$HSQT*>d_w*ErQtSi+9#CdaarlRZBp?M;dn-T&Y z?l|5xr_&W-0(XiX*gEM_R`wMioqm>th6deFFEpxd)|rQ~%`={I?&m=n zFtCg=-vT!DKy^t}>C3T)P7JMspl-_W&1IS)DGzoP?7o@c`PA3PKxCUD8AtZF<+cHp zrkNz{EoBYm_)AE=4)GONl$HwjAt_Jj+e;F9Iex*$#-mdy+nvFx+WhO_2?^yx+CAG1 zd8j>(mi97mej(LEIG;vazRN%5_z=}m!-RtBfv|w`i;c~S^Vy9vs+b>loU#&S93n;!LkBC@|(u4MV9IkAeEH0 zB5qciJTR0)ozEYu0NIR^t3$C6IxlxpXqXJfRr&?&Nl+ewd_mG~JajNBdxjCzSiUw^ zd%GKnm~$GQ@s$gXW1IJ1{U$*DF|*Wj483DN+^{@%OAGGyO5Ki4hC$i9Li;7}pXa*q zs*vZho!8{K5>IGww_LYF$iyT7+`Pb&sZX`=WcQWj;HmG|IY~J z1aGv}>~o=($@iyK_>LEM(Td z4f88+1AUsmv{^8RP?~o4m8S5*GW-dDRF& z+#-I<1pIAwebdLK0*)+kkIaHv*1ZsNB&{f(Jx3@M9{IsJzvaxP%mv(7Y9^1MJBAmU znq#ZB%UD=CcXRodvB6nir_8HDK-AN?xY>+eehXYDuletzbHiwyumUfm>})g0gTzms zs9W8*_Ze+u-?S{nj3n5s9Y5WA^)`W#1CV7S@yECuY7e7IdnI4Zl#(Sn41_YwV=H2JGSOl>6RefkYi znUxn-{f;nDGBy$vJno~`w_YcvQ*4|v#M4U_t=K_VJ5LR{?DI{fsYH*YxQ#`luhjud zkZc|^;eC{NmHSiBNJ}76X1DiCc3Uw~Ug`vXJC6^@j;dQJm#)0$lSky;2L=^+0tSl~ zCSoYS>c-fozMNGp5Oc|9rQn^ad13sutsbAU@un&Q0Jf9Xj)am4DRK753e2qck z_VdskodGNaLz>7Mqnd&1;pT{%+i4?Tijbl!$RVk8S3~6Z(OL@zI0h_IylJ{TT;j+` z&R(84kK)7$Z6!#TMf>;tI|uIMQ*3~b^<}}bm!St7Dl%zx{-85Kw%oH0a^KR4_D$KI zcVe#b?N?6p~`Qtf7&TLHE#WHuEbXgB1U|31}cZqv$hcK?(NT9BxnWj*`2>mIz} zdCsF*#}0Gx)#5wZ1Q3fbVsaqu^i@gpi5p{*=K=3bkG98J@Kfcd#ZX|{xY^Wvk72)4 zRB5{OYU`M!xhcj){8)IZ_d(0Y%rHa$0UeO!H`itd^;3sO0`S4`b7c^PVf@$`JNF%6 zRye^xVZGGtdB70^!Y_B6{SoKsg~UOvHWQ;5h$_pBKDI=1Fhde}cz}G+~#l~ z@RexP4TLo`zd>oxZq+Or=uTF{Ie}+ykkkjC_XQ!+HD5tZHgjLqCq^I|M?*9FR!#&L zA=Myp#l2f-$CTdUrN0Uf!4vy&l#oRu2c4&qHkB6tM0uA*r05;vC!S~!7GyXdli zJnZSBlb60Om`^EHG8vMCi}Uy5MMk%PQM!IMBhIaMu{oZoU(hx%89<9!QP4d$9I8jFrxm62_K@Rsp%&*L`=V&5L=r&}&1WK*0I)#{@P5GpVg zZ(O8WixQiX6`1g>)05S~hMbyN&gvJ|f~{HL_U+I^xbGFV2xrzGqPJ5m76bs@1q_xZ zWP@85Om@m(S!*;ruG^-+Vk5^x1`8O4?}WEdcWw$!IL5V;jjUbcUaJp#AEQHy9OX7| zC~pw8Q&~9-YvAd>ub^6d!+0?flLTD+vTnI~_{emJHnmy+$I4eRa|rK7 zCCCm74Uz2!E57>92`8CWX`Td-63(}4(yUM}LSDfMaX84y*-p(eOwCLozh^w!zKwZH zY$BG-eURoT8OHN0bDAHW99XB7y1LcK{i~|=gS~SRe2Aq?90G9DaDTsAw(ayH zXZLI1&%O2X%#Q3S56*&RAyo~6fbUZK$ zmh|F5{*t_Q2E*-og+UaGtAPJjl#FxkBalY4%$656Ux8et>F!ta;|rF3~p_&1$~zWe?67_$s&dH z2|JBEqL1Ss;apOwA9(I)L2UUUGgD+#^ClCSM)X=SgGaj(_8snCeJ^|+&(OU=HA>TA zq(f{|0eW>huh}04qcHW_v2I(RU9kUvT{dxMG$tPrNxAfgI&%!5FvCbQ_-=~5zol6v zvr>?wdwR`RSg#@tNrk)|E8w&;97`PAMC;7l=vAk2CH`R^cnc4vV zBm4$*^a8{~+|%2xd8Y_+keOe{FB9ck1LxS8&w#B)_*9gU9-g6ceAXBlDvSq$Oq&SO~v*@l~xSWQ?QQqv~7Vz->NqK>s`}1ZY3&^i^<~}>`Psh_4JAl zUH5{(BB((L(JMy%G23Vx7pLcS8LLI_mBY?J$EE3UhVr6y40;$nrYki6EG4_3y=J@{ ze#zS0<+=ITY0xDLk%M$JTpcPjG+&A>$%QaKz}bPV|5p?uhHwgManO0M(P=Uag-_k9 zdTHzc0eCmd@)Kpm`0Zk&6gv^z6WG*`*OLgFf8b`WeQm}p6B%~D{-O`}qF*)Y^=4Cd z!e(xW#)-Y=Xdr!wThWFdA}A(egOYEgAeJ8w?{184k@VxpB8o8zqT09z`y6zZml1w7 z=~`K4X{7x`<+!Q|)^OO9g*#qKJ`=P9cV+WQ*!veY<0!>Ks3dn6X*BcyVeB1)D~r}e z?WE&$Y#W`VW81cE+qP}1W7}58wr$&7H~Z-B{e9=ux&P*rMcTU#~-tQNCtZmdxjbulx!s$L&Ub^SZpk(dPO?&?cnbO#@IVzMs5y7QK^0G4l5ExiW39hrWR3aL@6x_xb1R#Q0A z`8_Ag1R?MO%B@_xaj1F-X+1D)%DTrqUND z*Jp-V>A5XOXL(eykqs8V&9GaWp1^>;Ftk>CUQJvw;?p!6mxodQu-Kr@Q`G6IJDgHr z!K_mB;;{0|TB%G~nwbS6BO|hV-x^(Om6ZnAA*PeEABxLsQ9>F6twJhHv>XfC8#fv+ zDq1Co(4CvTG5P3|^|m(YZi~5+(n>7Ag;IaJOjVCBBin6V_9v#x2=%2+2Yjw<`2Kh> z)~OBSbTtSLp|@npJo2cFI+A)lcXyq@&`4_F2mIGrmSuN;xUnLqlqVh!XDiY)N#{C# zH&n}7#+jkJ4Lxcwswrv^dIHqnYT!yh! zBipDN!JP8P@uktMS!Xtakp!o>_ko=syrG8V z^0&(`m&*-8MNb^KNshrV(=}m^>q52ix=WLGJL2)xrZi}@kEN>IAD;)jCWAQ4X(ytr%Bx_bl(duqm z$noWS3}C=Nt(|3V z_Hum?{8*97GS%7O-74hpra7kCwdFgsRN2X@R#V%9uQ}U5v1u@z_G_ zZ=rd?U<~rnmK|7OT^T@xCt!6m{Jb+8<4`>sWeoOFUTBNa4TZ`Q1%)J}T{9ayZO0!C_m zh1e1C=OZ%Sm$E0`v3ljDCZn%(s`RdS*%xvMn9+mL16YWlrorHO735gj%+f zk}h_nRr%>5#uh>2qcH14NVQ`+Uc940CM-n)0-8*w%~TccLO*@!>8i=pOr$}0sl#oG z8E}_0`b{C;p$BZLyn|F;Sr;x`^v%?7+kZ0GeFf3qji_~?GOxlIgI&w}kXWkwmqf5B zF#IZ+ldJ}S)HWX1{dZz3!#@d}|C`wQt+&aki~Wb#s$gp^W6Lf@Ep2RM{y%uFENtIi zD--=cGS_qj>@0Nu*K1{Ar~Bv3^}j9uZ|0hg9h&wZx~#b&zm2JtF~RqD6`hQ&RS4*r zzAyjNYGq=f|KBp#QnddWx>lf7q*bC-rd6R;|F_V!frGxGrLmKhv56Dye_T75o0>U& zi?K%EYOJxnv%VGWKib#-smPkqnz`GVeP^xBX)V8f*?$DEZE0<7jA`v??f%`Fwg0E~ z^}lwnoo$Sa9UKj99gJ!JD}ntlV(q_awErsBew(rcwgwjepZYb^fAy{zzIT<0^?RfK z8?lz2k%8_1RjhSVR?@yqu(or3mbP<+MBCWhTy3>sxkA|34B!NXl(BOS088DGv1=Iz zsFR3Q6;Q~{%>qvh3{8wd$Tc>zIy=idH>x@v zB%3M#WoVB3NnZe6W1thECSyRF{b+V^LSO|3c?HtobM#}If$5!s)7w8h6fXP`#?Ij$ zP)S|Y3#0+7Ow9ofKIE(Zr~h51SHqv+X{S%lYQY2x8oWCaLL6&fCSP6 z21Z+Q;qyyNsE>)tNAXjUkOv_Ea{>z3%9L|qZfalw8PUuH#?|t30{SV6(0hds;g?xT=x z1ZUz>edLRJW7A^y(Lq2Sx8D)^$@wHxd~x!_g&stm(;xU+J$aB6AWyzB_T7cHK|goJ z*fG1kGQToAdQ+A3HN0lJ{2(dgp zXPN9gZ=@{2h5h!OjEo8lCiaVd#CLI2E%7z5;hWh;7kXcwnCU{-H@G^{JBFfz&>*P) z#SyTr_`?j~Ny!Mf4*%#OxCKP?0;ul3rUyPh)=vPTj1|pw_b=5tz*QC4hv;m6jLQ)q<}*-tpzlr_ zmyCtRB*r(bN}HsL+wW*>Nsp1rFF1VjeelzI*^Uk(;Gz=O@A?P8yXBg{vJwzdrm3E} z%JESIy39+E8~ED8dQ-i+eb^8tK}l6=!T5om`DAN)_#6&Y;mH9E3}8)62`G5=#reud zLUn!sa$~IPN&P#}HwCqGcnE&u;Q03CTmLoL|5Vcu0EJ<62|QzHY+`H-(%A!e{Wv$e zv1LMnGl@C!jgG@w8R+})KKtswLAN@B{?Qfr`Apsu#2 zJqF}EJdTTlzI=XZ5{Lz3Pg$i(O9@%(a&adMzr9n%h`P!cq6HwURv2UE4K({iQm{R-ArRdY_f1t#+EEOroyBjvcnytx9S%^v$ z_}!!KzJvPfz2cnPA(KrIh%sdnY-v&J;wuMGq>;s3^f#TR^)~HZ6^*Vj0O{cVA@r*` zDF{zP`ne$*tHs6JU&>Z2m1-af@sSrB)S_SK)jzu}f&9-UJ$w~pW&Divej3D)oa2eu zpUdRzjQCBE`txE?4jj)(e>4q>3hDMK740Ik+cI62Dszjeidb-;YVgdt3nnkKE70|Q zbNWTF)p&6oU6UY~lrS&mc|;T%n!X+kiH7acc5`Jk1(AmZY0a@jQfa}&!3A+;I%G~- zpfYz3%0DcR^-tKG-m&RTb~aGM-N^T-n8DI-SFI6*LRAj@d(JRYg$f*> zVkwna#`i8(gyU2k{$mUeZ;t0SRE8*vuw`r{-zER9!Bl#gB^}l!X;jr7=VA`@m4RPp zk{x=FV+DLAy>+UI~ zZ`u+yHc<$eyzg);ozr>bb*DSI0?|BNyo>HtbVm~1XH)WN&yIzp5%Oju!Ikcro)eFes#4NZJBBZm9~gd7yLoE2FW+9gFCZn&f>RQWz{pDMw`Wl&=Z z+v@U5Ib&bX=5*xUc_wEiGj+^)ZS~;D$xoc>-==BF0@BSrd|7w{2sZ;%EG~o5hjs8YuBhnI1`Nni2L-?=9|@*M~f+MPBpBe~>68d3_6m zw@#9@D6RNjpPVSUrRaON?FH1A|14(}P?ZdqrwsMx^sLJW z`v5%_s}tJik)i{BRusLlR&0{MPMZ1h^j!QBg^NXmSR(l_fGo-VOwUM}LrCa-fN|Og z;R|ZdsPSgVqYO0+gVaKX(6vC-vvTp*$G`C^@C-Ve7pFJRIVn)Y*^%6BFX@-=YvZB3 zTr5%5=1161_a4uk;279`q&Iy%%)M5r(_%y;PuFfRy_X{b(Dgp^OOd0Xd^QWT=k=of5*>nirI2H5OfnuGeZ4Ywl_)u(&RSohg19jUMZzySoMvw8M)tk|qozGxJk>?BA_1W2t%#PXpe4UPB z)8!(RzpcWDwndm2MBSeRkFI=jSa{@V^@1DFqGLV_4C2d6j0yctMjZ|T2v-lbPJlFP`%}JqkRIlv!?MeSFfmLF<4-Eg)LV$W^iZWyk`B*1)c>4&w={zrd(j>p|u2 zTJci>U_YjSpte>ahj&+vL3C!bN23*T$?@VOrau5p4gR$^FNgja7}s@KR{Yz+5{{?Y zD1i8PhOxGZN1%`BhpyF(^gH5pN*i{~~CiZG^M!zqt5 zrjFpbPoK;B0zgVz31-d>CXyVEV|z4RKl%>Bz^8MoAW((sK&I@YY+FeLp4jfG&}=Xx z1p(r)v$pBoM6XldE+Ucc?)145`_-i8ube&i2}?3P!!~Pz3P_aGH>=5hJf2jk?)?4q zF(jL9eBDi6jln}etA!u9JFLWllX-d@I#?3&rKa!SdHj5Jx%#;%cunjKj?~RBfj7UH z6@d7ej+Ng$V$qd5T6kbrMUZMd=~5!ZkD>bqY_g-^*y0^2$x4HWnAB71>X1B<8{g!^bVT}*Y?^L z6L+sFl~x$uPR*dP-mv&T(g35Y>BT~TqtHqyE7?Vir)Vb)(+p~MkC`c|t;n-iU>4_w zLP;AZIOZQn5|epMqWc2qz6LHCki*p!Q1-m8oZ&g zJ)2+yY)+X%3q;igE={zt?tn2VG?Ce*h2fAUy@(D3!`P9DyRczeSmd zniN`-3#Zfrv^K_g8fx_BEjtM=*LM_lc@{J@qVZRw>@vhf^K5AluarO{aw)M+FGAnl zVDpSG+`3zlAp;Z{F0?Llnq(C_`3N$h=6->edaIWm=VJMvvgb8}7+tJC-mTnrx-Z(N zPWx`}sS7(F#66sVClK-=DExMi(3YSUGPIT zgq4eq%gE_^d;*`5zWWwJw{cNd$m@oIjAzy7eOrJUO8nt>I#~EeTHr3~xp_*`w1zY6{kz6m8K5um4FQ&_x3AFAg!- z?Na0OT+8h|Lq^tmPC3L;u6 zIoqD#Bq%v7a1Rta9R{X9Je$+yW}*BTW@UHC9z!$@m{!>O{7sIz*2SGhIL$xI5xD6S|L2#L0Ocw-C5!53)3qM@`+?wv4U^`T{-Kt;1?jp9y+(%XIHZ+7 zJ(HP}70WN|ehqH@yH4(BeHqjM3vaRw@hiqNa%)-Sk;TF5$*wzIEG3>kLiSekwCY?4 zw+#YOf^9HUkd>b1^VG!Eem><~92di@JitqU#3V?|bWXu`L#be~xb)jv5lEDv8Fj|kG{yG32|Kp_JgyE| zWWHE7oxXrY+(}U2^M0-LD+jvIrjL#Ux@T8Dr4u3X13Mvp9^wEYc zJVKtapyH&8%9ImRRRh4vyW5fXNRJ+{Iop9#^t6;>0`DaK+GG{2mXb-*3SL~1a9Uhn zMXXc?omgMXpf%wO__J-C4%9uo0n!+DJ~*eOR#p~bcQg^&tSu50Qx4aNu!E<&r`f-MQ->4 zFSV*A$QgMJa;7DV&I5!Lm&Fx6c# z|D4FT1oPGpJJE_RPIXlMg~w1F97MyW6)Z14W4HD4WZSU(u9asr6Jk=P7QvkSiR=18 zcB9ID+6A#sS%Tyg^rj~hetzC}5yQjO&H)PEDSJJ@Z%*vDLe`Y3CD)nUQ$;|)U%)PXW~2B3D@~;wCcc22@r5T&fS?L-c9?WgMnv; z!@i(qcE;L)4kyW@?cl+DoN9O97G^TEGYR~#jba-TL5a%306-$opJ2ioxAJvT~KAQ1JCCfC}IhqSB1 zOjSE@z&b>&;#-z`8Nm6^E{MJ94@D+4DBMDFLY;|!_utg|{A$xj^06 zbY2=v(3`VA=*V`359E6i$=C-&;Oqwq_xY^=$I$1MP<|W4Kv-9SR{%+4{0{ol_W`1GEmhMHn=Hk!Uj4SpGt}pZh&Nw zRonJMVBX(d53>0xs-AS?KK5d{YZ~IZQj!O__*gRZEr!hr)oGPkj9nnZa6Q$?B40$f zAS&{>UpMN`kETE9EkdyrRW&RoWbGmrJ=TZ7Veu96)85FsF7M<)oV+ebQ?-&I>VA?7 zBhJGrg>f<@CW)pHSnCJS7X?)avMJtbs7I%BuKj@ZDKs>L?S?p7vGzBga{=_hwo48+@|Mue-dZxLk4sV`OtE{ij%`<*5C%keVN% zB=R|{Yms5kh)G4^0B;MAa^~HZXYQNBcSK4aDy8qks1XU7e3#`gSn+k>ik<62&hEksVq8%u+qz9?0P}~W%F58 z{My5+&?{pEx?tbBQ;o>zaWL*x?WZtS-SUTK0(&h5hDN;l5<`1Hlb=^dGlp-H;GGHiQry+< z?}x>w_{U`zEUJu>?Qj`7Uw&PhwE`dgJ-@11CEUODz2A7jKVOqufC;w#W*ND-@y>V! zosk|`LwAW5WA3PrmFsKflbr$(b}uDu@Qcee6*X?MQq`En_ z;hQo9(~$1^krfI9rrckUXk{vSzTP8EsciL-S>YXp~@Dt`6}OBlyBV#4h8- zKi&-kMVb4G-s6Bd^A~Qsy`P;fAn(hChQNbGzSzRlqhp_*13&lUn`Hr4ZluBroFD6S zb)dPNmb>NdN29Ziptw6UvJBO(gUhbyPo))E;O^Onr{gg)1~2IoFfh54GLvcGwoMTK zbNhV4mi!sViF|NPiuCQF)Pl(mS;Hqxg>GG=3Z0=P0pYCIsTp-VWM~^wR#_9z@F@r+ zsq&n|Mbd@oGQ#;DbvPC@v6dCQEiPvZU~eNYiIPIM;Qca)<(ByCQb>amyr8GI@6AHN z6tX(O1faiH$0$_VYH8nmH}v))!tPJ{@{&Vre${`V$qYgWIY)KPM%Tv--0VXyb`=E= zG|#PZeHm1pYi*^n%QuTuqpcs2R4Weaul6Zu)FL=k1L^&nFOuhxp<=b z1r#K=gq^3GH{>S2b+f~z5|oEt+L$-*WhC<_n<-b{y^0W#67qTIs+rW$WTTY_nBzcg z&+}z^&ObO5(#wI{cc1V*IoN%&92l5;1V1sc+WnlYU7E%7E)|X1`p+OK=P(=P!#ynBXtFU);H{-Q3UDaxOn%Z~}rtL~$AOS)-NWI zDMQXgmvs9bSzdzOt$GO44DUW%#SH(z98*lDUM2IU?{LugN0$6(vMDML?)=l%&Sfz zY~@md^naYq>7oe!VTrt#~X*PA5r6wd#>;Bm-QwhJhw}|ZwK?wq7X8c zf-j4$aOnBJ66~&_z>ofUfCwg*2hRIFC7Ny3>~lGXpU^9s(D%#LnUt)(6HL z%y2Wk&K;pTus<4?;wvVE&zlIzA?C)?{5LgA6Qg_8PR$f z2&cVI;u}|2IVid-?9CL!1tlh&!?&9!5;*F<#j;t>*C9CtPy8wj8&9C^y|)QbFyv$; zvsMRG)!f*%wH0ZI8z~qKj+;oXlW7>sd)xL64+kq6!vLKO50ljqTuqe}|LjQi9`$-$EL^5f2q52h^z(pwzFi`-V;F0IG zdKstie+)%+H=~@&^rU7?uoamL_zY;~kaaXKM`<9_@cP;Dq6B=->(*sVp3#4)>xGp; zLmOsqkoEg=_xWVvwV=OCA1-u!$E z)j69=D!F}&BHzQ(Fm;_s6%vv?c(Q41ZV;D|#LZcaM9l(p`>t-!O7Ge)EzH5sfk(k8 z?qb#NB8vMV;zWtc7>LWVbne3+Hh$5lnBHk!D{=J^nil$%8j2_z2B;4>W1mE>r_Gkl zv|uNaU#%y|&En2Jc-z$LJ9&biD&{05^Ckd>fz5zw(uU}$26m0M(deUPVW=|cqn9E^ zBufOvkub{!^PK|GckO$}EbE^{1Lllw!7DdoA(ol?3FMoPq3i3hx!m@&zPCO?Tw_*f zcZ}eX#UmPe{N5RlNSJus(t63{;9-jH(wXHIzmD){p7N_| zYmU6hVc5uIV#o}ywz!C!>9A5jop(+&Z##6`TeYdKS8{}|y8P$@+4UyAw6wvvLH!$v z&Sjn+J=mO%)OmKF_N{2pK0DUII3dGu6s_FPF zAnxe{sz0#|5#1s6_3LmecWR!ApUMT%SOoKpY?*@X0{_bGfN}|b>hLUiX1M$Dom~8` zGQEv{7|qt<*sy~#vZxWtIWw3T6D&KEZv|)QIpa2G^XIR{7NQt$5OmvCOse-CAq1bi z4;K=_o_0IM{W4tvE4bg!2ttwkW9}_wgl{n#ARrkLLPZ~ne{({GG$|wPB?o{L@jVG-{MhH>WaC!jih)FjSnw>5Tv_XNPt6J$HmT@-l**_gw=L+&j z(MGK{1SN}nM@hs|czez_W+IOw3r((1GY+IF#)dI9$_srjw>rxn*S!^o*>deAj4CFO zLzK$X91r~h9$m-9rnA0>zQ9&bfn5v>9e~DjIv_eWs(;VpkiiRIocGhN`VfFq>GUzDmH6Qll9KZ@PfAX8Kz;O4R!2>*2EK!n+?evQlEyPXZ5MsNZ7 zk!H4D=cpu^YWSqt7_$Mya5~1bGIL6V6UjM>>fu}}A)(Htep#oBde&cJQSp31fv;{b z%l?5u>fI7()=FW)jy|z~S>{)Bq)Vkz66BY`mgG`RQdZzR2*shiteCpG1ueycWo{q8 zrR!rIc&4et*%eMmDSGFg6*}H1FG>s9pTfRn zU$?qZ zM(cJXon@;-V%8oZz}5f~5!cKD;nU3(&uBn!1NJL2Ym;(J;Of&vg&8@qd z%ySUZ^~J~Fry`bELk5Itih@FU+fPo|JhJLgQ7rClmA|1Ya&^#e-&JxbXRrwE^{ZPQb;!F3leLw`*J z84dfo;ggYvM5Q5uK91~q&cDS_c6GUI&rXO(a;zLVp#eO$qUbNLwOh~d`Z;JhmP7Ug z#8h9QLGBhG7u{1?uQrgugCpe<_V!@caXS!;HVvy#cFdL68|~jo(jwJ(N)yanMX{?( zOtw$fFV%`%yLD?zajv-eZ#*x(Uim+pPPrTj;27DL{RJ7$lhP0N=NIK7Wn-%htIuSe z8)lNwo{IV3POJ?pQL&)T-uQ}U2$+9Bjr#l6b1I6r203nYo7$G2k!VYOKjTUS8S9Y4 z`%qK8*y5POyUZ*$q^DpLL!|_Wvrlu!dDDKy3xt0Ur++M|RT&KW%dZ zR+WLJr2V`kH_QLYYk}F?jx@DpER0iYq^IzDQ|Z!HH}uzgH^O}A(m0y0g8KU;LoVPR zy3co1Si5w8q#%_N2<<}Yp%t8IB%O ze}<#Nm2dW%Y-w?x%-E36Zp-}04XSqk&KIr?zqU_g8WY@u-Isx3fsbXMi@MfQ=GJPD zMhReiNwO^9v)mQK!JSn}Q|V2*cwiJ!k_m`d>&k`7XvD2OTn9NOojCoohZn6a7x!mN z06EUCLfr-Oo_88zikYQ@@F_MQfgiFAwZfE2jeI8hTI>sLf7`{KsX?gxY*>6E`XsvO zJ~vp}dtl}}Mgekt0m z$UGY()AXSE&)>T&w%6N>u!4VGlfZ6^r1Sj(xD8HYcu!m?FsWUGWh`ZiiRmOi`aMDj zVMLjxRmwD%Z>axnxBE^JKK6p@AG`B4MrGwBA76g5n3$`4sXfQ1oro*yvnu@!rYYwo zY@E6)WUrf8UBGLm&wl$|@aH>=le=)7^#uh|EMzfs_pZF`_^S{83f>G00XQ=NXAR+I zxjA58xlaT-!zh*>YBauGRlz4Id>>%>= zj90Px=!di0)%$&ZNWh_qXpR<QwBUVL5<_*X-14*46q#oGlaZR>)D>eZuEzsSl?T zk;VAohzM3^b{2&jg9J&}M)yNERenR0z8*|;p8KP_s><7Gyl@{m%a9N)_{TAF8^~=( zin=uGs$notW8S(5i;+EV$i9@IC$eU!ObCVF1rzDof}FIA-FX+Mo|qDx0%m+k(D}2# zsU-{WKi3ga12Mfd7D2&WF1=+EGN!^><6jg?Ka~nv24>V&n5htGeY3_yw`)6Wf8ThV z#H@B<4x)fy)mB7xOm!=)ov@|8cZ{d8mKK#w0DYq+kMxEhG!4)zY<*sG-GR2b;byg^ii8%YsQa0Y z$?@tq3(JHs-kgKzrbkkn;fqaU2OC z1;ud`GP10A4^jPtz#C6`04=?3G=&xP+e|ymayxEP3|)$t0CzJN2Fm+Rr3-Ue;)S^C zL91S@%SGn5cD{>jNouo9RgyiYSWmWKmN;0cXPXzIDQ)!Y87i7`{2}B@Wjslxw(RP# z&tK6m(z8EB>F>i!NaltU@?lru(|&Plfi1m(pqft>3Ynipm12scTKesj=xUq$_lsyD%1!{AAq&W=jOXkd;-r59`ZOh02zws(wcVPhd6` zh7$YJWoJ(so@YaL3gIa7u#`u=AqtmKq12Q@Ns85cXck? z<qQb@rkqGINrn`a(l?RgiZF&bx=@IBxO~&;G$+#3EeHGyyV(`b+3{j9;4|>! z!rN%0{E<{ef=r&6{AnXr#Pv9i{z9i3U5uh;PkUEOaSn{sBu4iUSMx(&%N>JUABokv zV3)K~=6M5y#7$dM1=rCR&j;>TnW{dJjK4J~CB4O7jsHasd%JX$7_a1}OiZhb1w5qvX_#3`_*<>@43* zInzHeh_GV+E|F7lu5B%pR1oZ3-%q;(pw0C8*p_7Sr3mFb)*^2mPSsLnkvo*P^ z)p~Pw#ASr_db51p{o;MM_c!OQ`(44)>pJ_tFoj9*4LJ>SXzWbX*1 z-pRKBo(Bwom5DI04Mbg3o6M*7%7*y}%3qPahPYfR;Hqh!eIyy3yCZ{Db zc1aHcU^zyDj0}j}5!sJoW(<^oguI53kP18(AyFAPEPW-74MPq1ARD&IPXx$3H$FVN z0E)DCVF_68@fxIeWN8TFMbzE!f|7 z1)4$BJNiCee`tY_X$H!Tj{nCC3)Dw)=Gqq(At%Io589Hivv1#lHEuReG>)H(j9-uZ zVX!bDyCkvAf1bAv*WY&$NOQg?WvE$X3Xt?byQ!Pjqd^Xm8%^9hIxu;fqZUF2WSCo! zo$UXv3Wpa=kG%IVj;*q3eYOHc3)0L=riJ@Q$D^GTcf z0(j&BsG7-}Qc0J1uOMUBaW z?b9#(UXm=BuV&%ip$l5(2d4)B+7Db|e;cx)J3ew^N53-v#qB?zlGO%=R(pD2jr6bM zmpyCHxyHFA09p=X$K3d$NnVoL4^3kO!w+4m7s=(GI{-!XZvyfn{?8uuS^z^5fD=+? z?8?R0@g0A0WCaT_-Oo!G5YTJ`B&z|g;sQiX%-O&F{>(}UCt`99kRI^`rvErrAL<0@Gje-7r z&d_TgqL`Xic^+i!hy@WZ?~limqPn|6Nv!blvNagn(*2cbbZNB^3e4*)i7-FCn9o&% zUf4p&q<*Rl?@Eq>;vBi12U)z9j-ywd^XoHA+vhbek!y|c6{Bcr*uaT^H6V8hEh{^b z^bZ$z0(=x4Jgf`A|AM=>U@APA^pK(Vdz=!ngoDGfYpX5YTacHtzGJ15xUdelJDKiaqg_deV@jb6# z=ga&*sf?2hj={v>kiH8TZ6qloS|jz3;rSAMv^=$OWtd2|zpEvtW3sAq^RPx4Cx^5` z$3-dsMxu=Bp0jHFX&l!@san4}kcRA^2U94@TGCDRrjg|w00AwDHeqv!Zf!X(K0aQq zh0NoK^$7A&{%shuyS_gJCb?=gfbu)1u`~-?BRJ?t(lX*ysLVdOeU04MV-QLhal6sx zV+xZrUee>(Ikj?qqiS(And~o;AKP>ZulL6CFXhgk`&)E{gj>!~3Y1{u*uQ!)>@H-aEQ3Fd1RlZZP2zB6*%v!6D$v!z7erO&bijQED<#wAR zmQ9f)#7*m=j}G>uT2bTUReuS#u1T~$ARVsE@1(#7=hCR>nk~gz*3(@4$24Ta8EKgs zap=p*C*3{W|aJKHNZZ+Ik4DPXiP$CD{X?j_viUsWS9l2yy$KcLpo zCQPAK8`Oz3KfzNh{&cBuR1)@avj5pAXzKPtI!yvZ1phK=Ula5D<5Fg)UhcB(3K&6)7aPQ+@+sQmO0Y}jZgHtCKJc8AT- zx+OpCxM!Z6nV%G(sbeOS)}UV#EF6M^vLexu61UPjblKsT7m7!RYDx!EejCBM1Vs>2 z&TL{aRoSFWsJe{h{Pdu{r^N(cecn|E7-x@xi$@pfEP5-&N1qavvKx#0>9!pgU?H)p z+&oG{9DujKjVhu99z$J|0>$!Zo{PKx*q=KveCwYr(}jgBRBCqKB?MEJ#$gkBq4_G9 z9vbLi&4t=LjAC3g=%Sy}LOpIIY=Bw-4T4RzT$35y4F9#fqN-YVKS35CE+^56CrSnr z@)*r{?QsfYS37I>(<=iLXCqmxI9&tH0>Jfh)~9eI8Yt>`7kU`#l~t|5$+a9;7k4Uq>V1?cM;b3F&lT%n^&+s6lH|d zkMsy#(WkDBGj6}IS1!z8&?`d^J3KspD|~zBtQi`>)M}K+@7A2gp0Sf|!U{8-6r76jjes(bYKqziATOi^e-VkcpCqntMrYY!e$vC#v*-wq@ zd^7j-%9EhdZtT~)RdZ}(1)~TKMpbxJ{G<{j1l_Hu=hJ;ILhMr34qy4}DNYh_+ju(T zB{QYuDF!u?FV<3*K2X-Y$s350L}v)&G5T60L^LjA`Bw}Z}YHE!5#N+^(G zb^zpYB~3U2>^7EOt(bbF!oF>=zQ#5Toq`gIr}g(~l#z^lUml@|LqO4U0en8plXlCT z>IMfV(UkjMV$Zq7y@6Xv#Kt+28^O(x8fx~wW|LhTCsMOQ+rmMW)#1EzvovKZ>420N z0f_cN=8gQ0#!c_`JjKY4!Pt&NbRMd2NobW#Yw}HeT=RQXSmA9sB8PJ8onCd7oE>*o z8?=h7v!-AA$t)Ky(#^1P_un;iXpg>jj`myQeUN#O;=p~k2ef;*$|SY~-!DKg28qXdC|7M=OV!Frjy!!W zbrr$Q5tYmtp+ZyeweYA4I(^9!xB33(G7G{Wib5h@&mwD9*P-Z7AGFZE@U`S={g+sS zIw53zcX_5D7$y}$NEAu}dnH}2icEwccV)D}oRPWvCilW|y)<1r5ba;(Wz)H8Z0>Y$ zjarPzoRtqcchrU;{8hF0&s#&Exo35iFf`A9J zFc~g|Mgt<<9cH z9#^kmJ~vxB(S?uW7T3h5L_r2_#UvxUcs+G?8-`HABqD-6!B_u9^mrcu6ugmlldt zylJ^dR$lE~D={0O&y^qHI=#KPyFloT1Yr+>BF^e(7 zBE78Zfos+8W4CAJVI>osPoWH)MPhf=ed#( zcD^go>nZZMtVScyNvD!5<>kL})|frVk42vdf?_A5;qP3X&wbTUVec|KWmQpW5Zz?wM)sJfKE{P9Tg0VKrd_df4zD#Ef zoPfF1W%8Oa_u3CH5=2{oiCE!y4r`s%Qpubw1=&{98%+Cr`HUe!Kk~v-C}|8zU=*$a zlE0wGTA0$U=(CWy+COIYIyQw5p&KH$uYY7OBce|bRgA2iW)N;1S{t)EbP{!qOWVMb zofAed2LZglXC6hlJz`i0u9MGw37?qzJg}~MSc>l;9o_iC3nf?kj`8~d<*!LXRnqVt zhfx#Z@MowA>S$PFjzed^oW-?j`)CYKI@UA@x@=XAqbViIrcIw0I~5J2`dw9x^uhSU zrar>HybE%%9*2|p+jN{m9XZQ4(vLPza0E#<#5%sYwim(;?t8GXPO#t^@Kg7E8tbIV z#8Nbv;eB+Y{5a};^WYXk7%Z1in$F>Hce!f{9_$ADtpvxoyn>X6*KLdUQ_t=hK`1hP zL&~?kw+!J^;cROFYEgtAHgmmgG;74l-$)F{liZe+MS7p^IRQl2Br(N3sN~jiFtT}w z#}EZK|B+H?1ECz@hujb7BT5M`+qM(gZmN4IiH8M1gaG7vdF*xJtjARGn3k<_yoWcK zWzKzXcxQ*6yHuC9oAfMqL5IYgS5EluqlwFy16gAW#}<~DH)h-Y&;2*7ky&t(hPKf| zOn~oK_mgP*tE}<();Iws(*sGO$aFynM#RNyh8Z2jgoRHVvYM{x@K_ z{jr6^BX*mtKX%LtmWbRFwqQYyH7uW&mi;e*Bjh+7zIjCr#^O(7PSqT0|F(S!krIy= z{#By8BCkr0fKP{4@%N;FHH_xDq48AWh(Lj2obLlVZdh0<4?fYw;uY8)j?o|^zqOz( zR#SGp@~I26sOa+nE0G}lqU-QlK#B_fEWWIShtNC!3imFFbex>?)gQ5!nVhz5BrH{w=ls{>c(}^kosaqFmb^|TwpoVJ@2JjAyCYnPjD|7A##tb3)K>!@uS~0)*k;Jt<&H5syI*n$fIuOFn!v}IXIp<`GrtR1L- zXJh`o*w8)8YX$uqfim=;(?kYZUwBR#_RVBcs*K)i51HDWXuY?Vy)v|Z<~ezA8^->c zt3W7d8pI_|UGBGe=IS#8fINzOk?#bnLKEG^p1Q$%lRfl{H{o3AsR*2A7wURcopDKV zCCEujb6^$5E<-JjG^J0{Um3R@8XVgAVNwH0jjj%Y^q_U~UcNQyy}VJ$DKa&=Ly8ii$ds=S>^K?J>>4D>4D?^P?RF5}) zT4oQ+aClhr1cJj;^m_a7`f(^rB`%AQY>L2rG(tycbaozh$b)Rc1Kl#~}LR^2gMS@?EAlb9oeF z@!p!_y?v_8qG$fl#m|VE=o+)|PTi|tNvK`VW8B&A(xXk@&MBV3H$jb#NS+37nqHs# z+B0;H%1>!tC(Lc@1%%0|{G~83f3U;YFQ?7925g#S=A6SYAjs;Yqu|rG`4`sFwpnv* z&E&n7%$GS-q$gbi73g;#LstkKH25DsA)|X04P}PBI!C@rvJvqh62l->TLOM{0J$O{ z)fy(8<8)VZxEKGfv-Kv1(@3%{wDR*1Fk^xzDtIBoiZ0W?aEN%87FJp|z4H)r( zll0ifLCRX|r?Pi@=A$8~LMLl6#>O@HJiN>$R+)zkW$dGQa-$7YltvtX8-17GyXm1L zI9*egSs(6svU?BKRRm+o7AvvHo>m0*eA^GnLvEu2U3jg_ed zCDoJ0vsf8bnLtKrA|&yjx`sDGPS7}G%LHYOl} zkocYtbpGpSI(weFqG zlL9Gxd86SUaLqzR7R{-%5N!Ds7D2|ewRqUHm2Kf*M==||Vi6@G(|5=1(rLj7asy~` z$UIAX4R)3h5;59FtFY~jqa@Jg`t!&_>cOlHI|Qaa_HVd5v|sfh`@p50$|DrnzUG&f zO^q)sBh9g!cZCX4W<5iSV42LDVQ8ny)x~Rcs~xsG<-qx-UjbW%LFvp)4CpsWvYMW` z@8)qRLLQiQ3|rdk+depNi*z#i?j8H1!N9wd!=-X8A3%fHCl`68X2KtTLy6d_%`HsT z8udBuiV{b6BLt!80fB9Oq@6JkNm>Dj)b~Za1{3$OE?vMQ%ui<_W=K;J8vZt%*>K^Lkw(oVr(D`HGm24`X5$da&{J`w9`e!K|8Z}~kAJGbyP3iTGGkRQum1VQ4D z5|MoAH#|@e>}wLO7s0+A{i0x1TEK342p;)BjCAWX`E*3NzQ18Mlp+jqW|E=$5=+^H z_I>4BiIFA0-MOG+r4j@+q<~TYma!N@DVWm&Ch0GfdreT)?cfMgJ^qeEi9UG@ z3T1xv3$_7DmnIz;Vm~QF;rSdEzI*iuzDA`8=;>Y3q^Q-Dh2MtHY9-W8H1cxRA?~kVLN0N0otmg_NS{94WFCw?bi0Lfl?%gcAXmFE% z&<=4A_2D!9de~I#(BTqZ~Wkw|2<2TAZAD@r~K z-Z;WH$sY5TIJNx-7g5h=2t+PiR>{&SD3GFlA}Z_@DrF#aUfGII z9JzYr2#r9w2uCr{;3jOId)IG6lN9K3t9_-&Rmv!qR}p-OW2lm@GafF)JTtY@m*qId zxacNR0Ut6tguDaQMDYEcyU5U9d2CwKHumQgptf!Wtf>J)v&ah}IRrWk_>!e8sljbK zE{&;nxp<*R<4QGfru80zM_1H3>Stfl%OWSt?hCv8Bjd(ubm zk`u0bFC~d%Zv*7Ybdco)iek?E^&`c6!&%=e7q6&O^=8tOqMwdIhivRUsCTL&PcI(( z@T_*T?i9B$#d#YGrSNw)yN|R#*ue0|Z`Fi?SP8@CS5>O%E{K*jc8NayGSEt`jnt{V z)bmli^$)DvihS&s$QYq`7(AGU5UV@z``>|nnW>NPwm6_8Gd8d*sxliRqV{$l0c9T9 zk9aGyBmUXO6k^pgAbN}YrE7jy8MfB*EB5EGM9e7+SNI(9BxwHZj|ExQ&R1BR?2c8g zCxR1zz9reD@`PSI{@T3?SyGZz=A0v>1^v&xv=5w20hUf-oZ>AEveHC}8otck&W$%B zm}wD~FiSJ zmP`|R;@>bas&)pp`Gl-D@X3yX!s*TIsDrGbKN7S#ovcsJWsty1-TBBq{sH}Uyy&6* z8)^C)IAzg-wGt1K9YXlv#n%jEI(nDX=J@Se8U4EK6O4@L>XPZHrK|h z*P;9k4$wb1Hc=Y;)$+KpFefMO2;v_sX$jA&q7w$bke4tN&U2k$V&BV)SAX0v(Ls_h z5%f%ddz8(;dlq+VIY%$!m0hRW5sK&hP66ESC|>NL=1k<35le+q4{lIjw2u>nZW9DlR|6vzrD~)|y67rzeAXUftDmt1y#66vsW#WB>4B+h|C3^ZgIA0MU>Y+>0 zae@$uev(bY@2N>E9W$V=BZpn+nwh!J$F+q}&RmPHZw|q^*lw7udO#o|rvw(Xfh0tH z9j4{+$EA^Ai5q4glPgUqs11$UDB6=au1|Yd-o;X3r%YpA7h%&?bgy%x4MI{pK*Ky< zx9i0MQqc&~xk)nSP6XRKQ-whqRi6 zi71a$+TWc1{eBi@+~2}iN%uE)xIY^@{M?uT*1deT2jgR$B-t`Jie?&{8Sh|+%rUL; zz4?4K5^BQZG-e&;!`+ZPLm(<9BwHTR)Wm9S593U-89u9lTM>((%@IF96J&6C_KR6! zP1U3=+I=xiC=O6UvH?+O8na32j9OtZbi5UHm2dMbpEo>wbYmciEZK1%GqH0R5*&uw z0PdIrm58ssK1hu#txB_$*g~dZ3xshs6L}&ND>Z{Xf)TtAW-UUCK`Y?lSA+%wAaN`H zJlOiQrcFP}8&DLX4f5arC8THbmsmO}?y)xSlnzo`n7Gt_`DV?<13&~`E`Gf6FY23X z)1l|1n=s9HMO2L0>;&Nv+Vqwn52O~I#;s1Iduox`8>Z;6DuSp!m9*ue>}^ zUS|aa%Ogyoh8i#d??m4eOXNfaw@?aSiyxB!eS4(XMVpaI=<=_CA-vqvOC}A|4Y#AB z#p!tRE~*Wt$hUTMdllwy0C#uX4Gdx&wx#!Dul#}8w|OA*c2jahJeCuq7I}cQ%fN09 zwusZXsdC%I8Eco@`^ny3ZtpXdVmg@NeV8U>y#S4FcW^wSgcj)fJC5-l_5FLy*#Ye` z`7|i+dmWjTak})ivLl+;D7=I@$Ofd-78B!F^Ir8M&QD9o_xH}DY|VaDNN<#}uHB2H z@YCxpNP6u?S>3E^~{3(uu4>isbE)_B4(L%t(`n zDTqH#X+S7N{q0kD%8$#3K+^UMb^-gG0p`!=CXAcS=`flU#B3Z_Tbp{uF&8aO#r``r z9WPI!NXHXXDr4jbTai$2V@Uo!?1J=(k)ox74eie19HJ0|ATeu}dG1YX_H-E`58GO< za7tM`Z)BScyR>xb@jAuftNvfI%(OCLO)PXxug$Ym>_$AhzHrYq4Z>8C$EpI)V_oYt zF7rw!Y?ffs$VKUb$jDFXJ@IdzFzVnK7YW8^cH+r&bx2hlI0`d1@7?--SHBEInZOXV z(4~%y8h(PRq*&%IX|7X*-~);z)#QE%{w!%G!j6N;jfIS zVW0cK+>Y^E0V|K$w5yMY$LgXxUsK-`PDHRaHCee{Q{#UZnF$7?wf#tRonpB*osm&f z*WW1eJEvz_Ji0ktwCp_EcDWOV2NmpktDcxt@9;Q{v(mI}LTu<^PmpHhIE0AWOzb&n zE@}H$mEg zhlUz++pQibB!|i_N^Hs3tk3{*yLJ3Vj1Y^AHZ%^||6sq1%M8K97uv~xH=(>PJmRzPoqRA{k*j&e|hXSztx=D#s)tbY9pgJ#p&;TD?-8vCD33j)cH^ z(308QVo;BLRc6i<1;_DYYlc_-w?|hd|NLnJEOMvBmm@OeU}C{CgXys73P1hF`+aTO z-!2h2hf-uk@X}_^Yvq%j7rVxw#r-uvXEPMdyOW(Rdtsorr*wMJ&;Tj4Z=sp2i7V@a|j?Lsjf`Ip;F-JQmwgWOaj^!jxt&Ugf!7 zu)%pmVd2&hKax&EQuwEVEr{e}yzgq#vGz0~7o_Ezz28DM@X*3=_vNV8GRBcrrwJIj zYCLD)VA2k~*tD)-qACTzp=MK)(F@16FbFTA-kgm-5KTKCRo7`>)^8;zQ9Ku=EjeQ; zBx#+l9LRmLp6gW^q0|%FH*)32ytoRWl`O4W$fV>bR%;p#Kv7l*IU~gSuwGU7oj$k( z2~Fy=mSu&;30csyYr-sNydeXx04j@Tz4f+E(dRKBPGyo1t9GP}u1DOC0lbx=yhmY( zXRo&z1wy#^NGRa;>Fv3;N5Rdn%Ixp_0T~Ur7+?|bcc1OGfw29# z4#j~N5X@Zp!eU_vG4HO|pEG-$%=Mg3O~Yzm7Gx~5tCzrUr;NeS_j#euLNchyxfAL8 zrRuOKB$hF1p0x8n}4e(^`ch2z%xUGArwrBgg$iHFOd#@EIt}9 zp?z~0ybQB@3+qc>qYG=->qif#ddw6cMRYc5Jw;M5cI$$S=f!m}g`W1kTmefiW69XkMRhV0Z4yJwGl-_QyWdee_k{6@kZ%*bU=#k($c3 z3#&c2(VvTkfI^@DOkO;T@o_3B%EYPe_7^SbugPv{T~kn`A5p8R?XwjYXu(;iAN7)I z>>y_z{>q1kD36SE&Y!KKIihipwkV;kqd6Q1dIGVG_U$&mZ-hc|$yY7b#NSLEg*A)) zUhs4(D`NoMu-uP0JjGwWl&?ygxEQ$lGWlJ#7&{w9joh?V);g*~Q&!*yXl`R;bsUUOi ziu08dbFoKyZuLlQJHYZc&&N_^o;f3Vn4pdoqYTiHWe4%;4Y`gitj(yTUHYDGtx{hW zyZ+$R3dTT_%El=r$~?Fxqrn;LZ6J2X)O|j#uYf8mq5Zb7Zl6|8FIse%^dRxPXnVGqwI8+u9r zCN%~HAEpF9h)4C=M;eW>DhcHWT$fD){BK?P%r}t0^NX_;R(Hy|L+p7{54Xi&vJ|MAlhafj|6?0xAIo@pn8%Msf7l4*|$(D1VCmyDzzEMA?l^hec=pKAm3Y!z$9> zVJjxi<-DOaxM|z0Q{i;A4>i72cCq3}u!4dyNvA`tKqj!kV~Pc;`ZsI4X;eZc77&wn z+O`poTFSPBB=jHz4SsP|Cs<oWpL3MslmI&2(PHF( z>9ku35EeYb=gS?#L+@@7{#n#Dm1XRQl(U=hso|7!Z^4l`G}ON68-M2EWQI+Xk2{t}Np1WtjP1QnUGn4Y z$69BOUl?t}p4cm(&)Ix>c|J2L)JS^XgJnHB;NO8T|4eFUq>ewrYbF_;al^h3myS9i z*XMNFz=O3J0qQZXHQ0Eur9(tz{1PABUT(c&*nDIFR7(&=C9)ig|4_#6?l5=INR1RQ zI6|tdvmdMqLf;QcEcq>oTxW-h+TiPK=bLCM<9%)AvlLyUWI>-xHJEirLX<=Ee55h zWX^FB+}MTr=#7BfF|9CMD@d7pYc4gNCgaM9Cid(L+$_uAQGEN2RLOPg>*G6uN2*{W z4o6)Wsd#pAQ76Th;j`5@dm>tfLg-Q2EdPn4bZ1B&z3d2NQK7ZXDD8C*REc6{W#>IE zRJyAi^F3@6G}tdq+nnRD*Dightc9DGd-dn5pE%F`F%9{5btX0B1)u9Seqf}s`Vu|H zgVX0P;hVG$S7kmMXiuC_7yROiDXI)9=Lt#~-!WO*Q)<9v`0nDSZ*0GSGX6b-($4NO2QC(mN z?u1F8qBi6Mx(d7&@F5Gu5{KCcMXtaO0|;NK)Wv|@z#>8E5rRecc-v>-c*`a;waddx z3#`71*tg&6)QuW?;ZmU{fH>(X6y+5Ygf)C>X_$j9N+HGZ3~8IiUt?PY1Q8}5n?FaU zJ0iVM!ZMo78t@;)a-y}bJ%y^_QtIHvG!YyGUH!L@=bi_ecTTYtmwc?XkcmaU{aK@v zBc4gzbT?0)&={f_czE0_284<0z6Z(GS5gPp-`)`ns{RILt*8&PHi`3)DvZ*fgL0VO z*?xXy8Ry240~2cv)crjVvf7_5E=Zobn~9qBk3bv7M^0tuwZf2N6iiK3h5qJc2}7#+ zd3W*z$om7bB@O(k>9G;M^GoXoGe)KDFf$ATY@w{sylsyvyMY7?4&rV_Eo&ACzi|Z) z7;ku>&rr~Q`E5L%6FjE#a4@f6Am@K@+G5b*#^*Wz`Cfl~{8;5U;I2$gCB=E)QteB( zt1NHm!9Z&04$v8w@?f574AhSQipr3J0ZiG`k~CrPHXQh!&L(tJka-pRv`r}`|1yyE za_;6fxQh9s-=ryB4S7Cqk21Rq0BsuRdM=a4j>G}UAtu(LhKaez;wGJ475Hf#H`>0{ zv(YoWdU+W@tKP!rz#=iGU;AoJRj5|Fw8u(&)>0^@ij~}6e(L^S*sg_fE+m-OyL-7E z>f}s%KRa_E_nYF*_MQ=$DGwNatre=Y3WK(|lat4u{!qi4`z1wg@w9qfKGulOud`HW zWIB+#_kCY=D36JQW1~O^l#A<6nv1Q57$0UZhgXeyqY@v{?`C%E;xxb!hul?w z-ZR(qCofLCaOyo7*uFwrvGy82@^{A+%uJz${NH#o!_kC3D!bezhg*%G*|4BJW! zOB|ryizzNsVimG(t(s*dx{>?4ZfecIIWeqyZbUo{#Q7yWvm|`}$?xtbpB&c=RWZ3) z72re~8r|42E+Bs14-l5ifqkhxGDhXyOqgkI*w%#-@D@nH2m{qwLgBR&`pbBu9r{5c zMg_xE&vYt>IRF>}_yjvVP;-i~-dMw4szW$QqQAJkDwwRFdct*-=Pq|sgx~_!+`SZb7?_o^^k8 z(YdKdd5_^U){9n_B&5RcaT7?=XQbLWHAn-3*nP?}6=J)O4r9yJh?N8?m~cDV?6$Ip z;(zuoA<;N~S)P%C*iVncbtYWy%yU#vl}R2|08A}!9-W#Eg%1d1@H{gXOK26@qs8(o{ zLIp9L4;umw1wXKq!6h13+L}BcS$Ki6BKC75(kr6(=pu(2RFO2>XSA^cQ& z<7uks6nR686q4p;tx8RTtP4stsKx52pf`C4s&0R*G#T*!(mme(%xzw9t|J{qzqz|Hbr9XK|@)0 z##~_yv(7AP_T*;!(|lgC-u}1OA1DTs+%N+a$m2AwX;&aV@=u4cuIr-27`F=N|n;5 zsSFHS)(i_*vTxwaJ}v@%tE4wO+vS~`1@l91u88!Z8Qz@kyv>k&2`yuEk;(>w8x|e6V$9d#&ee1?k*2Lp|0z;VuP*_M*L-)+|)$U=0P(GMj)*+ex88b z$H*l&5QaE8;{YI(V=JU8<^&XEiWW8Pt8qzv5Pw{SXbNr^7);FlbXM5dWDA4YhPeuG zY-Qf5&sA<0Z-oeun7xt}$JJ?p$(8`+!3Nz6Y-8t{*Yi zRefZK<^mzpaRmFR8^!$Euf)djETOZ3!Wy^Sg~*e0Zn>#Tcv`(TDiUV4DG6=`Y-QUt z)|*yb`?e`POOivRb5mTv@t9|@gTI7^?INjUR7iulam$E+sy6Mn{QWCK$4uWK#e|(i zRI}3SB(Jttk4JQ`;&T%ajbenEAbmi3&z)~sF39x>wiIuXk!H=>JEZBF+?;tMFebdN zE|pS@Qp?g3xm|3xN`tGs)qIbzSwKYE&elkV5+&>&B2{QZ`Qr z?&U}Q7a{(JuORkw`}hH!sgES+lEMW$zEDUzXXaoxb3_B%(z29_whe@f3~t%rs%KO& zsE~J@oC8%1z{FVWMI`HuzN$7hXh%uPsm5^Uw#H-$4L8)bF_9HlK0BW)_n-%W&f2Tk zrH&M~JkW7?sZJ#l3Pxo2f@fdqie~`ZIAILWNQ8l~R;qHB&6|RxwPIBY!R)oW4 zre^!R5I=sf@AMqm4%4$+i^qrD%U^XQ-W@f=c=WV8sjI{SvRmHu`M`>e7$&?%8^|U> zloKdfPabLu8Yj5wBU5Z;a6Cg z@-H9le1<$H1QbEpRgO@G0>avO#0UdJ%AHkE)3&cR9}=2F?&Xkf1rTG&t*Wf6+9%^q^>W{T(XRL+ ziM;Qj)=+ot+-aTP3!hCAA0KI!EFt;7+VoSdf3|1mhk`;j&3Xal^C;93W(%3|PHMnP zz59zNLKdGjUfyxH*12L92m;0gcaZ=Q{qMV&uG1E!Ye_iz=n}sVjqpavC6;Af2 zY6ufdWks(}O#Gtq1m~YkRH36TIsSTym`$5J*69thjmvm9j(#IHt1;|SB`h&fe$Sl) z_agwQ+->=2l#wOke_|4fOYv)9M?+HnKu{EjZws1Oi*^+3ajVZlAR}>d>#M;2Jv+8Z zy5MLG0b&X~Ej%iaXELC1p1CCG-9@#gcG{WgLiF(xqW=U}EJjW7(KOiIkR;BX?U0QZ zCvToydzJdHk;E2p#qw1L-$-_!OW?(+F)371_mRp|qlRAXoA{W5!2bQ}bb*dKeCq8q&P+ zh+GpIbhP}6y+L1TH5{4RqyeT5{QdWRLdU5&PGuD!7G!LZv8yy_w$;u1HpSk`X3}fm$_LYKk z&AljV=Q?R)ddESN5%a+Pd*E8jbko38WUneRYTVIRWx=iR?$`G39hq^e7-!hfjCTm- z&A|>ao@u5P3b#!6y+A(87Za=c2^Dv`vprk?n;kBVBM=H$dz1n6ru!6qdzj_mD^Ss) zdN|lbODwiA-7ov_CI#~k#0UeW??U{E-l9+7Vt^)+u-&tx=1ys^6Ow%SU<@t0S3_%6 z-Cx>QZ&xpx5e|#eMS&H=Fd#drT!u8UtOu_cdvaRuqzd20-zUWxh9lyQLCD5}$du$i z+#S3T-^8|jB~cGOEWhrRV>6^Nw%e|T6$vV*=X;dp+guEs{@~- z?7b&uun=7mI7cdzo+!dbru5THGW~kx?Q5oybdF@6pMzKG$mUwOkvem9?x$@~C8XWc z@zo6_wQ!-HKUD#(EEkaT)Mlaiy6`j4Sy&q|i3W)Ib+53_?CAQIf*zKBoGVL0JV_{8 z&?vAhmu&B7EVyeCjNxykd)JTJYcIs!p^NOj*s!rI)N_<`l;$tQs2-OCKd15|5DKe8 zV5UkK!GAkiIH7}cv}17Q!Vl|{YAv4JSC1!c^Ho4PXK-xe$uaZH;5V4pJbuaZFkvM6 z#`wkF0Z3pGvG}dTOXoI+j8!EMjJ5|F90LAHK;BVbQqjPf!;`o{XpRQF5XA=-3b8u# z+8~deNS|U9zH25zYZ4FW13X_?(H>fz@f$m7e9|}}jVKW_3(^(^I**-@;DtbC@u@-u<~`A5Mm%o>oiNt79;8!fAj#Dpr)Qv>gB5pcsIv{O9CfgK-5i-r_P`4D{8$*u zLU@{bFq~e2VG~~){T#}HynbiD0bx8cwWj!rSGW?zDyEel!fdFXh-PAPDUE8L3E$M$ z8LrNpYQ;C&G(yxpp90&#)15MwP``eOQY9w!^@=V_@M%6kxVgy3h%TVqiqe&gJ#`Rl z$2?ha;eNKx0c4``IH9@Bx#fdk%V9?T;Q_6XJU~oX1>-pQ4CnI zn+22h{W)Ova<6FT!5@yJ7RNYUPeH=#9&A%DaGa5w2h7YQyvbQ{jBA{8zO*CSkiVF2 zLAbTdPL?BsS9pO~(0rhbHon;rzFoB3wPm>LT$!3WEzvpzAzJ(y?SN}ag_HWM27IEZ zdmy16kzM#{bq#SHHEqV-_0B29i!jJJdtb34`K zEE#E~Ok}<=)C}8Z92cdx^AvK*FXJz!3_Wn!)SKh0Tl>{9T&)SEZ4G-YyhxDyO)4Zd z_;6|?6~&!eQ=_%Qqrz<}y?RBM$Zw)(Kk5Re^*ZrGhfLx2vwVSrc-|}q6u(b|mZC{q z1E3#^#d2DZVH1~U(@eQ%KtX=YhuQ)`gSWogW6$gyZ$@6nV{xy?S8KC_2NzSH!5GUN zre6%f4t#Xq(!AT#X8vpZx_lo{wV!?%{W&x2hj^}^`3Z~%$=2mmxp7MlCU%phW*SzV z`>!+Mm@NG*gBO)5Z=nMNI=C~o#Q9mo#YuRmbOq!er;HP@7d-?Vu^WX8NtXZy;863y z0Uhs8@2@FGw@f!$S1k+XE>UMQe)J%yjP{rD3JX~|6)dy>Xfy{yYaowUwHd>|YIcCh z0;0*Xsi7s1^6u+SYP4#6V#{`UxJj2%-$HfR@QV?ohs7~Cc-Gg&^39ZUT(+tYlim>iTCh9EG`U){v z1xM@OjSmq+Hyx+Cve3;OCqK`ti8t$C~W z4&*2PJ?iYSV?39@I=tnW9Hp0nu&tbAoam;j4YYpLiSHU4;@NZT0~LQuVnON{cZbkH z^viRM1_cg~rR+r-bf&<;($RebE|IF$LmniEyWoXZp)Dyw`;GWM2GEhp$8vkGOFaby z1?P>rZ;-BJ_DOuJdCRJTy~%%uRN&NlMzugU2lZ|4VlH-NjXt~qx3KwHmMtHd8eT&y zHIYW~QRl;Tt(%+?o~&Z4_afl6^LP5vBud%<<1Xx8j?HaIQXd-dPcJoGzrC8xG<^t? z@<}w(WO#R)SnImKg>2ALz(%mXIktYq)7`FHj4;tddw_f^2fAipG{MI5hlA#ytk|6t zKM*v2q06?ny5CinfM~TgrJ~w~A<0Sd4=dY{D~A zqv|gzJQPG_xF#^Rg^YMF&}SxyfQv)VgMnX0%<(OYc6k;Bw4ADcsQqq0yMaLU(|xb z413|(#j?n;F|57+9D`m3v9@3_L-ri`93TVig&;V__$;X;4h1&a!Uvw?T?%bBBZupL2pm7jG zmvIuXBrOL4InZ^~kC+cyPVR?p)wVw(d}ZdK-*tA=r#B>iFHl^w`eCeSy!v$AYm$ZS zaW)l&LPfmUM?OGvf{1dP&PVkQWH5rYKx|Q{d}Xld^*(n+7tAAb=N_Qw1utYTVmQAa zm~_-;jNYMrBcqkeb7p|%_ME8#NHk9Dtui!5S`SznphZY_{j-EL9w7vP%l8xaMfv-hC=8-`GN|wKoF5Tq}~zy%#LB z-q7;7oqIkcObo5=3)EQ#K}su5#{GfeJ3o-6|5~5%^or3+JIN_Wzg6TPk970Y;|0l+ zALw!`9yRKW{|-SKsf;i>5+1*=_a>P%#f7oXK)p zyKv9~NaI8KshDBUZ}`bN#ca_mhN~b-@v8!1Isj8mmJ&R#hu!`L#YJ#^;8L9S%QG){ zwv756LwU|7b3ozy{rO3uFNoSSv+l8j-a<0GY+AQ?$o!m{st=aY3b;;6r^@~*9j@zR zfA?M2pCSbCg$n->)MCw=FP~Qq+pv*Or;9BUT%*0VCjz)2V2I^G#l0|-;W@6dG-nDJ zBecv(6G>(7{YI8=`;7vL?UP45EwVYxO8t0^1SFv%UNk#u6xzW9TxEM0(qCIkIrSS7 z0D(Ri+e31{AVD5PG$&ZWz7LrJLbw$;%l;2&aMWkm0Y8x}AUX($1{JcQFbBUb{7LOh+MWjeh| z=&R}u2TG$$2o^{SqAN{dlKX{vTp%?dR4un|E<3J;O`Iu0S3Xdsf07ijZQnL_>^|^u ziFmGU7{3(|=l`m5#`-V8uK!!*Ok7z&PDNn@Z1%sYv;R=DS^lQO{(t*ss&r~}>i?9p4V;|+YS&IybcX-VX8+HG zwxNr)waGsuZ6iBtJKMjHHZ}%-Rc&KCYik3?f8g5xgtkp=jSZa4|GTtp;%;PZVDm5F zw&`De+s?(2&W!F~;BCwQpto%;{>t07E;fdLU2O}qf1$Vy98GNhxgz_2Jo`7&`#*ec z2NyeM6Jx`_tNW{d|NF(iz2=`+|9Su4ZaUIA(K(seSp3`ja58cI%YQprxYIdV|6}F< zcjKGR)5Ov4zoy^*5qkTt={L52`6m5m`i+_G-ve)d({D_yEdSwt|CjU|Gc)`DGxY6l zqO7x>Ky!10aI|-Gb7R}TeT@(9=H}Ll-@m=R4G97b7$9YzntI#m^ZC+t+s(KAeVA3R zHm%ZFu~MaCbR{EEQ7}Vpd1G!#a18PHQ#3K$2PR){s(s)(ZOb@q zbnkar($WXCN_Q=8^wsG5S{~M-Nwo;^wNbVWA2QF`EM9M;`rh;T;w6kSE!U5SL@nPj z9$I7C7jdob-q^by6Y-*L%&hE*)!Y-}29Tn=*wXnYWYwrL-I{!oNY13Bse7YWNrp|P|GElyi29(^8W z(>@dgy{U2c-%=u=pAHfB06#8&N{8|OW%5Eo7}}eox6SfL9yCW_>HQj-m7~DQBe>m> zPV$j`z)|}4&RAyZ@Z!=d`J0D`TA}GH;~j}mbd1AR^2ZqC`FaL66BxfO#`|9%JjkQJ z#<`_?BsAkamTR;cnsem4KK8@g4-ZT0K;?P(tB8PgDr1VU$l&y+<$=N3F&wquJ|A}c z03P^#;m!TB{vkBB!{__kJBN1qdOKY5^@Cqpulto&@Pc)c1o+kT5#!5xaU7wm8))9E%Y?%ku7s*h`q zMaTwXT2Ss`z-YbKG{|atpF%l0)~Z}wz4+|h_voZbg+@aSlt!Yh?Nr2Pr4;#;gQ_KZ z8Wd`%S}iq0;+(RG7S=uP=~2i=znEG-Y%k7wqc^~ErOT3}0(bZq_Mou+_JlBNpa%n? z_xqqP7Z$CHjUhq1V1{&cCaLS&-|KG}B-47`?Zm7R?3!VyRa=W4-%XDXOZ(_fRx!*O zQza%;;ZQ;C4%&NYTvZ;9jot*KY@nzlN$AHg``BzFYP{J16IQV3ZDSp+k+R8cz-mIr z_tVQC7_Jsk-Tb*~{G%`0wC3W@FXelex*v76m>F-ESzwQHcqvJ3z0yz9>ky3CtmI_+ z4(pmOu%3+8N>>>IHH)a%kT|GW3E+TgW!anWJH_8(d-LlBZKg#el_@iptSSR#)$Mvh zCCf?In@y2B%pqp2wS~z;&s6nY8Ho6)B1RI*pJ(=D-G|}EBPmssxg=murr(d?(}uMcM4T+jaDQzqR+l6b>S zMy+Z@$p2elXhja&&=aY>i=9eq;W-I4cQRTDm_3Z@1n_N0V7caX4OVaNU%mJJ(lfP; z+lX|v)>@_F5LJmSu3NvvBj+^zLHCQW7#PVK1DUSYc3ITdPxni9uEtQi%W8(Z-k9(O zAF7A;nM~UR(quc5Gbg5&&Rww%EQxr=dMSW3{=pu{%SD<=j~S`!@5yP$#)Da%c%i!2 z2tv@J^`aRye-`GA()6Prlt$5Jz8yk0Uoj0{dwuU2G~maR!AIOR_tWptGt~*_XD6#( z0ZUvr)Wvvi^ro*#cIwByq%j9lw)wFKPQ?Zpw zIk7^-Qax;V6a&hLgjKZ(qOy^^dR(Wj&KYa(;E@cMQbNDCh{c;tTAqcUnQ=odr2Z5) zs8j#g{G6Wl>Svp`SM?ZD#xh+~Cnl4nUOqSeqWNshFEXM3X35J`#Wc|thx+W>kPb8o ztCtQ9G7t~OmOTFUHe$(;sq7u}NCS&egc<*Xy+H^Wc_W!%WQ2sI#O+2oV_M${_iGl* zTO=bC7ash)H5ITgSF3*M_W<{tD5b0MS3w1fYvmqxj>T08I93MILysct3pm2BRV3yq zGB>t2e#-}0EX`|I88VOQTg&a3F7Y%eYU7ao9$;a8`6hO9t(fb|O~w8o;iopk!LIYM zCOS3Civ-mliQD_bnh*eG(q zVme~AMhwuB^YF`JB#K6f<0dKZpj*J@4q}<}`GuhUbvEN3 zZp%R~91r|12+(bl7Ha^{1zEV#meeQnvhp#sEci0szCqvuE<`5vP)@3^9o%}kDKZ9w z>hPEIVf>T8pQJLEJe%b_rY{$U&V@ac5PUAFyRXhJ!l@^{#;dxr;af&tEyaWVq97kD z@R|D+u@2Vgn9E!NNxx>x%u@KE1`dlPJ4^R!qD%rvtlY)L@+NHkG$;vkriG^I7q1q^ z-S)vH#}S)XH+g9DR&72(0%MByTBUj|xaD2oedm}fjS}!3cH3L;c}g78=)jNQ%Bxe^ zc;7cGL(x;D8|TX;vL5+n*Au?ncgLZ4cmpgk_w5n8x7~cdtX!!pFcZMwCG))p z{b>}WukhE#&imzWcN;wJVpI3Pjd5}18@(W;k}v(A{qDM|M;#nRnN@ibu_Vr_*wm~=7NX@}Jo)H0}NX$|k~zb82|u^8*P5KjACZ?bS1^vw}ad@;3cI zfx=c`*XK&ye16Ggc`rfXL^rBI1G;3Tu(-hDd2yr8_e$@ESUc_^FfUr=JOW>8d`G2otCY3eF9Trcv-k$WCA8C1*@k5M#CJ0LQUVLl3ed>*% zMgZ8_o=FZ0n+rY$!kS{l0feqSn33J#7x=A>Sn{5XS7UaKL zII6SU8w#z=Q~7w60}?IXY(&Gd=p2{@%amb(vQqmJCt7|Nzh<269#=ZR;bai5S6fug zNfAC)T2a$fvq#%)QNReg$_bgiW!RvkB6*u8b|TGGK&j=fshX%~VaEOBLU)UROxmO_ zA^b@4=Jmw2d%PZn*mq=y{ev5Fya_k_KJ=+P?8&=J?PvXi(WLDrQU~;rDm3| zm3Cv~Jo|pVF25hbA38kqxQJQdX{msymfjo&H{H!--|7pX;OKrURtjOBAO2hXZ&QV+bL!Du!j*VpbC6ct^{3dq>Blb2+4547vp&{>&`~T74>M# z)X0pMbz38B{)qB{H1SjMw>a2SS*xF){mA%DyzM){ztkeK?kowq+2361>f;w9_C{Lv zSU1Y^$Zv?1^y-do z#Ne(vhYI&+*M8QZCwMr?N+5J?RhN>qT*mmMIJ&0;_k##>*o$X)8f}_#QZpJ^^x-Y6 zZ8*A9aNn>BGi~>fxm|}VtgU)I?0bYg4}fPbZ}^3cSr+-Os(R9WZ2GoWRVA3z;eQTY8^Tx{m26?kmXzbw1;iY#fY$E*I95!Urz1@yNBS?b+KxPb@MAT z@s>4T7#&_(QevXHaP$6{o~c|m?0&UD+eWLl6fDP5_&Ux|M?G^|rh7j?U!iTxzt>Zy zdP_dcl4epPjM?tzlkb-)m-rBM>6=k^x|>7##@^m@n!4l=luJzelep7YCL)ns2CkU+ zJk~?dx8p;*hZB}|WI1_^F7LuKi!eR$$(5m@L+uxE$lF^yo1f#J+&XXuE-?4EkMaH8 zP*C`}{|5L+Zs9S~Nael+@*%N{Fhegl1 zPMS_WyL&nEqgdr98!SsUcbiM{E6E)*p&eU8q+a6@ay>9-@JI_B%E2Wy z_bK4CFGvxWqqwtyK`1|YTV-D;K-v9nd`uDvY!5S6O#VSo~LmviDSxlENayK)2 zo5}=t`1ztI6AaR}$=kj+)~=0;n_z3y9me$LJ79c$9J~7>sb;er2lBPj(rAI)){QZ) z1>NL(cDfDK5IgXzVkvfQdu*N+N^B1HO)|f7mk;cXX54A9DKu7X{L-Vl7KrDr&Yxk% zlxxww13HgW^64;n1syI)Q+(sJiit=t2)sK~9lamf*&cf#AdqN~#~Rn!u{_9X9G?L( z@y`4Mo@WDO75l;^QbXO{TWa`A7g7v%c=O}J%+!G2cG2C~K@X4$YLyX|skP9l90BQ9 zJ{f$^Jg|P_bAHCS?nH1Ck4yogKc`s&L2swPuGK$klzgC7-VydBZfN1v(luK~_m}kX z_6_aeC%3x1FI{lkd-#bh-&@x66aU5Xd(j%acpT|oRO zzb4M|wB5bn)7{15?FgZpZx$GW>f=6$Ye}(32itmIa+wi*=le{>hNBi|X)69e5a)Vk zsU}WaI4J4&60?-3xcps#`*`;r^3BXk)YREeHWeRaOz3HrTw{xg(hbO0!)@_S?pGMr z>LRRjXlxCSClN57-IMoRWTo=R_=?ycXnw8K&p>-<$;GdzXJ(}omG;5!1K;Xi3iYOF z1a|b@_uPdEmv>c7XmtsCyo#HY?H>zfSh#Ws3%fnAl9k?tU7@31ismccNSVzj`|59G zzVrh}h+>kFx*e0BnS;yNtbDBJ(JhI3>%w$wyAKH^d0t){MxLH!+RN=R+voz7ST?5m z8h4(G_F&7jPnZa$Q#s~53ca1y*r*|T-yi>l*?P;X9QUf8NeA{=_&1@X(k)uL&ox9B zGtFnMT(i<{5ceGszMwW}4AM3C|FD)@lrH_XRYitZ9TQJjgu3sSpU$TU>g0>JE!G5n z>Y3qGR_Oaj%EnE1_NVFphM2${^b9`~3?-ZB{ieE1{#8V%KC<@}O>k`HL^ZB>aGBEV z$d0lX>$RolFQ5WuRxf*Yt)6kd`fNx?ofqIWLRK>J1n7Y!lX|wGU6=Ve-muT&n@Zhv zLlrG|N&!XMCzIPM_C8TsJX(=i6SuPgJ-fphM6!wL`HK6n}={)1xT`of*X3-?_a^e)^J+xReI{M?Ix z){f^pC$1rWN()aJrjr+zoHgsS2v~X4M+5XO9R+mT`VDGJk-eW;m^5<+v)WfNo$$jX zp6-=Z>BEg7`OdLHmb#V}3QlevEsaI;Bx4&!5fAwbM$I0qZNFAgOJC0^uGOs4d!s$; zctsCQh?}oRj#?i(;cjnNz7JY|P(fvp7R=w=SA;nrVxKfcqBU=4_njG=LuDL&dog>P zevnKzY{G=B#M(^sU7@uuPTKRItTygTE+f1~8OCb5ieB@v1bU+@{jX-SG&^o%v)$mB zvw3faO9pkO`zm>vv`TJnPD=w1!G6JcmDC06y+cS0tW73)t;U+9Q;HsotM0N5gPo$< z4!aYjr=flaziL2eb-P*6?_v;T{@V!y_D{w_y|O(6S6K`XrPDpXzj5K1W&=I(z?qw% zx>utt9J{?6!*#TBYhIi;Lya)8jrP(CD>Q_+AS;5Is?76o>0V*l+G8s7)*GGg;GzRC zVdYGg4Yya>jn9J>msdrXx)n_Ev|noAQby3c^oMS@?Pp&WYTH167|#A4_OpFJyAv9? zLxaH`C21}j(r09_pGavFwI4_w;8s)d$Pn+rY~Qna4|RqC9g6EM4|mL%+G5=Icq)F` zc``+U(~{MaD#dFDo#XOT{Tawnl|Ir~PqIvt$*4+lkw*y<=b!UOm3pg6+8w{LYa6 zljX}bPlkL8D3FzU^J0Wm_Hhd4_Jm1z)eGSygXOm`(j5k*KwsBO1h{b}i1J$Ib|AAd z>Gm&Ij8~dGvo5)jd%6`}J-}Q)%wfMgDC2b`9#!YZeO+a}V2Y7_?vYcC70-=VPhdZ- z-ug@w$L>Ng=;H~l-0TAh0xp<61!TF>k9H=3plMhWwLKVN-( zUD%`NbsrcKWrAKYMAlAv|9K+EgBHxD$HsM#=&jQB%6^ap$2EC0$DgE)ab~fh%^x$d zfh$MoxaxhT#i`ht)t#=2x<{HVImOgneW#&L9mx|rpi)%8%hdJ$OZkLG3AX-POjs9r zx;mZY5c^f@8{CShU`e8Qe=P^uS)b7}n9#6lBqguF*}L|z=i8(s@MxHPr=i3RGP$4H%Px$L!X?e1&3EI5Z{#GiUL4UN zCRS;PMm?+@FD4XC65PLIOf<13vbFh{eW*FxJ(BpPIweE#>&_vN9^FWvPQ{u(!40Nq zW#Fmso(nx?Ecu}431umPiyef!5{2(0%pLCi#@rzj(a?29NQxz~2&;AE*g?VbUa^Kc zFb1%`>5Ey4>#ISY8+aN9mvF@8t-jI|}p%zN7#dMyo z*WG$CpI2|1th?+kbYq|{)yb8!$l_9#2YWNzS>e)8aBdk3EKj2KXvK$y&UFsu`M(Z(f9RVW zX^@|~2?}UUv(bpFt|5QdMtSGGW1(J?1>2nT_$nySx9-A0)|yP!>xrT32WD;qs$&|| z0lf@vVMPTNLq42-tgkl_ht!{ERKnrXk!UjTN0{6`^>wLs*Ewm@qYEXj?qx;ravR16 zU7FFw?BJIV#_+b?CnB@uMw2dmp;4G}S+zdjQ8Z+wf>d*~JLncf?mGG-GLxs0KNcwM zRhK(I;d}WT`A?Jaf9|oi6t5V9wyy`arPOvW$;pj}`gmjy(O6)A<5S`kK`1Z*&uy78 z7Ks@7I)M=>vgk+b7v2d<8N^@T;`;v1EjpiR{xJgylYe*j)cpY_gkt(<$@Jy%=E!(r zm7@L<5Y>F%4!JAsuZK)Z1_kM#+S6LD#4@Ec1-I$Nmr~ZvjIq&1cush{YX=@JOo@q} zfVY3+=KW{oWAeV=s|SrV@{5ix27L7^l)$=?E|ja`Li@!HH_XD0+=4fAKa2L|>#K~) zBV+6AAEO+rXbkfiEd#qkGw;yTw@l}6@^$7ZeR&t&CPYe%PGT!!EJPCJ3dmbPVLWlS*i^2tXsDyM&E_fYpf(mE5HItq8~PW z(rGIgPvg&f>`pP~Y`;}a)tjH%>^tphFQn&+k+7E=GR^e*;3v!^|JsA-{gCIf8q&t; ziGRVuZH_Gp`d^0oBzqSp{tuh&iu((=uq#kCOZvc+YhtAm>)McHM{gkUO!9`~H~({>zLv z?_4boc2Vqv;cwAfC-K}qXf6mBl&aZX&oQchy5YBP#oP`&jN2k<+F(_;CFQba;O(dl zRVlw)Rna94PZge72;au2b|Jm{Qxyux#?vn#~{P z$Vk6d(UtJkR^05;{_p!{NjD}h`2@Wd&!^tFb~)UAa8@>vHlRup4@ab3+%V^%_>nUo zWufDRl=Taq9A@>NNuu{2WR77$DNU;w{GzY=!_&U4PLe0dwY-#zeJ-3Wl3ENr0!EaE zh4cP+nSVpgWc^4zxe9eK@3NuFx5%*mF_$iU>ft26P4af99D&ag+>v|DlXBoYUIpbJ zg+Jz?jXliMMVpMO=PEALS&UxToqQ6MI87Lz|JF!W#z!u%4&Aa(zA?rnLvE#EEKoCI zVQc_wERa(uo4&cSU&NY9_wM#vJ#mM&*L|RrsT}Ko{#!v#911LSilHO%Q`c`8xV*K= zp;)YtWAE-(2+iDKAis6zOG(JHwQsI0tt!;Ec|WPMU{_p;S#KZI!74iBEm$%bs-x&{ zPx0QlVJwY_`#wA%r5M(KcYsjMwNg4YBA<>#BiY6C?z9n{SBoV?*B66v;d`Ahw5A+3 z=XDe3koht`kGB~mY=^kR$1n^iFfiSmCuh)xWn~m{34UZ01imOQaW%b#7pL(}m zVfs!K`W>V5{S~JoUM?9H7v`14j4Y~D-&8o{gNA}cwaL#pBKvvWu<=hx!$Wg*TQ{#= zYakw^i7QnvTNK(R7*&?JQRvy>{IWffYoD@Ef4u89V|Od`DLC}+O}S%TZ>oY|5bTR zdQhy-9Kokd_?y(!e!q9U}qOYzk=g+7@GeQeCLyiwwl@6eeA#xIDf3?-tV`bhgkc{sEsC|fg1tfYTe zjm-R((6jFgAy;m68>LUCe5X=to^xWl5H#>zSXBK=dhsWm2X8oAGv+)9e=ulc5${tr z>Xbk|ROe{#9i)8{l-#e+eUG~(D@K^~aC3E)G`foUdQVBJ+)-jX)wV<%dR%Of=FgJl0sn3)hOMgA$F#G;QuC6cf`ced$-G|BYi;re6qS-oS7-dcGYyP)-PLSl1;YI4LT2FYatDt7DzMfsb*yqMc)dp(GV z@UdH$08bt8@49g*2FKCXNUqM?Co}OkI)%js$K51-Jre7;T0L{sp;}1Q8DrDEx1`=^ zKNvS|`x_S}zsat_9XPWYm$vB!ft2NugVKUqq1Qr+wWcPhT61_jyA+Q#PJ)@47TjJD zxhQauzHvKw<)F7cWvNlYce;o)q$*y^a2x)t@ggDX<2h+aY^14@C{2n^=B_q@tmoX^ zL7gfOx^31MRjFt&W+*!8Ka1g~y~Q|@-Lc=E6j9qxTp>f4@kYY>lypPod)uFk~cNEf8?1@Ul5}e%ZAF;J#p#&$m#dCwsr1^ zaS)b*f{gVDPQdJ@gOSMlj5p3J7O*4brzU7Jwxe+q?5TmT(_L_BybPG>?|r@bjNJK^ zVfllvw1;@tG6$Fkw7tuoF=1)zUQgxCYguZ+l3TRNCAwyO2*V$)a2|ag-k3)eA>mM)g42< z##lIhBh$N&7c8LCybj{jYENZ!Nlgqi{hBOI%4?_EMlLp)>}gnttt@7R>XO%&Xlwa6 zR+z`d&rgy}daVr7|EzcGNPZ%JA#Z3#@h6){F!)1}vX34PEkEI`k7`0-l8LcQJXvY{ zTrb1Lv5}#jQu0(w&9vtUoeM>*xSDt1CaQ`ZFS`~b1jYFL7$j;%S@>1j3*k)Pe_XhC zIqQu(!@hLQ;+Hy{#KZhKZhjWsKp;9I^W9b-BIW;c(*%GY-MgtfQqZWaZQj|ljb4{+3rkKO#L7O?BQ zD;uSR9sZ;a8k)7}{#x)+A5@riqWzb3;E?#FX)82SJ(#iQD$~U4anGkCPfS)ev~CAH zvE=tZ-0{G4&ErZYm6GtmO(lC_6V%RLW_y{MVp{U>Et63|19UYsn~usw8I9!L!yj+z z!UamyO!-A$Jf4j7=rKKZC0fN6| zHKel3!!{9}XMAt6e&}UX7lig!(A!mw9ZMs&_2lf}NvvJO!W zo~{pu$O)7XIWxP`Fa3VmzSrJaZ@O7!l*pMbQ~@ubs#MUVH2>o1L0>oxN-(SyPw-}5 zc~0XJ9*I+l_A`X{ql2|Nw(e*OTixBEb@lut0b%aJy&jSB=Q$kL+x1(&u=h4NlB8PR za&8PuqXWKCx>#*t-ek=$zG}34r!|^X!;yXPnd7r+hQJPUOqOw_SMPdE4aORTyP+-Uv-BmGzJR*@T%U0X!p<-I#bsD3c;LnI>|v9@k-}0i*#`Nb=Wu`L z23Z&TaMYt>U$A~=4u5xKAvR&JfPf;)TM0F>ZIFJnWPnP3(WA-&U%hgQuC2~VnLU5( zy!nrPy^pDas8y%ApSWIhYoOiP%^~{az!9ZSQF=q5J6?Ng-&IcG#{Qbzg6JAvVSHqE z<|fHPMosd&hE@kWwTFkwKD9O@9@nLf6gIH3L`B|f8V!;BqOudxxx!e)|H^=m_(^J@ zqK~Z?+A7Z~Gy1w=p!Uy>zRO0;J_ge3*;lO0tC)WO}h+||H^=kH8!Nq$m{z2_W zK*ilTT{lh2QFNok0%M8ky9=Mx2R$fw^vSh86*a{iK78Llb2;Nt)Z$`L@mrR?BtE`R zJ%)3-?Nl}je4#S;yqeqjwpZ^-V_q3+rW1sz{J4`AWAKRD-|%Hm;K-$ZsgClO9&?k< zK`x?~>#KGNPpdQL zwID149CXu_EM>kX_SG^8nFmB(-#M6XRD@5Kh_QghYIj!fZ6s&+ab-jg8t?4!`m*-3 z)Ll}}_$l}L5#bZ`jDR<5yx)^&=?b)JGinm*iNobCrIDpu?Zjx-H9E9j*Hydcn&s35 z#||1W7w65tpDPZHex9?s@7l^njz@6Uy2HNTaS2cL{$Vi|?zPZI%DTaRoe>>a=L&9p6p zN~cNfZM0`S^6P}(C($YG2mC8PNjMJ$$0VsP=Gb!hP{-Mz%h08?W7>$e6)F(~P0(|( z&4?&oerzA~LQ3$^IP5_@=@q7XJhm)6cqp3pYKvz^}IJfRq8b<2J(vr2+i;{dzkMQ5g zwLB?08JLEf%?UDtRjolZ93ongmXY7uFNpX-~SI9QN|_%jKDe%T4ht^$4A+ zuX@(x%@1zb+AH*ZRW-}fyoKGv30=Je{yJ}@aHs#jejEoHH@JZHfAInqT1r;syL$ zNRN^aFZlG{Sq_)j9Z<=EJ*~<0c z%Vw$;A???yUW9}XY(*LTOn{GVm}b6Z=+FO9{QSW0@%a1;T}S1_sg%dwB)nihG?Q0e z-@Y;4|8_M$PQ+~LQ^PlgTlx_XHFj(*Kmx+B0$gS3dU5p-(j?O58R_5CfteJlQXw^_ za>RSeh^fi&&C3(Y;;2-a*bTu$(%)W>mIOF0ldl%EI4SZa`HsOoZ7^m5| zEvFIl+c+{;?C_<#HY|BVm%fvCjy&FUU&g+piolef(^jHzas?^aad&Ug=|4=5hi0y( zyk}TUlBJj|rKj@#ddaL_;F|9sS8S%B(9nb1mPdz~jo;8s{WPBpY+4pZuJXXOIXB;G z>q(RnqzmeQ#qJ_m!w%Ee+GaF2Q>;Z6XY`&D?G9&UOxTl;D;VK)gor6o^SB+{yoNk_4mr^K2`V_ z(ZVl|c-$sUL`Uenx(fteX*Yl2*RtKG4-O8anwQ0hT%&k@MG@5Ht=1`YYZ}+3RL84| z`@?r>izXV!pv>N^&z7YhLiggblKQWSbdWaD1II+sSU0}@BN6CRHyV5(H@(kKqd3|e<{ia5#Opczxzwl|frJyf@bKS$xyYJfA z{rHv%R|~ygr|8{nKOseXaCx8W!Q<%8TlXE5Dz&t(SNQ~OvBKWh)F}z>L4$Jkk_hvD z(hCm1$r`t7?C8#`*^w_l7Myn!gz=3~3Ll8s`^&f6WEoaK1?bxnR|(YtA!KTseI!2Ha~+R=5vj2MK<5Ishw>NS4l!B=P2`7f34x1chAIOZ^e&{dohbs zx`pK|t%S16G3wv3QbS(sIjwGe&`!%zvCHM+dIOejz^0+B{DK*o!H&tr(YnfKZIj`)S`R>zl<-aom8DF!C-ZB$lWcl(3(i#V~boJcVqiyW#t*APpuY?SCG#{ z$-1EtMQ1?AwH!3Q_KgT}ReC2Zh^^D1akW^KXl|gZ&{X42TYaKxsEh3=tF`I9>3QwG z3QQteLWO4HBFdrKN4p=zX!m z^vxEr32Jh>KG4)sWau(xBV#v)i{EwoyHYw+hV>hGPqakuzk22vdQahs0beB0Z10~y z6T>hUdWFH{SUGSv)Vkamcp9#{<{YB$30dgqXEZ&4XKKl$^2vz6w7_YZBm8vY&*b*g{bnX z{;tta!33P#i<%*CWpnaHC3bpZZhZXsY>dh$mo3#hVd`Y1~xJY4f9!?mvx z>@`MxE9D_jcvr+i_-bi1izjTa8Js%GlsfOtBPLm(V?1$Li}{7$ym)m1Jc@JuEf;aQ%Z2rZu?S3d`a*2p%?Rut8EtxpMJlrW z>SJP}4}%qyF=b8WN*}rtanu|f__fwC2;(Nt(MA8!{)DzjZ18!C?AEducarUowyCS7*%+ z{tUXxq>lx^rCv3#c~EvmGvvE!YQ~l!1=e0k(iU+^V6|`u!-x7}(ZSeXABd}hSoum~ zK6I%%-}K6Mi=nEB?inSS4V`hOdy)R;zL~>4lCj2L>DNsn2?RnXGJRuOn^>MS#nfmK zN2p$qv;VTR^E%!Ck>+r)k`~{`vPs%Ohsg~i?0$^HVl^1tj3_N_Ax6QQjK3-2Z%G(3$HU9YIZ z%VO2E?{K`Wg3O=rVVQ)@IE0EJJjy`-zyaTIW2{yT5Zw zzXyQ(=D%OYy20CN`eLR6XPbzhJi~p&p}!5|x3w#9ZLWo>Nkq$gk^HaUNfX|sMFcvS zH^RLme+lC5+SP2b4)xrHFs@MX*3(d*vWD zH|Jx6hpOu45pRi&tUZ-Es+l*}mptj{?ex*~E&Ou+sf0WeYH{ZAo&uqmv&Nf`` z`(kOO-VJ;3%h6FqmMICZj%JF=+!uH}P7r0#gn#++D_TAxw5(q}x@Kzh-@VN_y)$!4 z^tB9O5qy0*k6`3!txx1Au^84&w+@Q;Hm`{fhtf_ry>xbv;PWSZ6^b>p;KM)PV<51; zH_^AKb!f_V?O-#EE#}pMjhIcvjleXsU;fl%kp5`Rf;eM2!qv!^3FLc*?=k%fGk95G zb^^^+x}tDGOc=*O>4lfTT1txi7Qs0l!sCAMStN~Dj%O@UHM8bvF$$4BI6xz zh9F)2#a~20G9%`fCbTnTd+|aBC6j&1rMN>kue7S+7s{ErQ<#3fSnG1T;Zv^ln;j`@ zs&AH+Td5*1n?^r98d#@X;MvrU9&Qo4r^$wX(Z*tG&EbCPGn>n$!BwP%Fud<@&g}9& zo_M#(D#~fkNW3_4dF#EeJ>09pHP(~8QzqWE==5zi)1;%tdlUupxgn~{`}z{9^nnr} zdR)I;*YslT1GGwpQMbD|KiR>&+}S^h?k?(D7LaEgPK+lW9ibHvrjY-|Snb2d8L z1Zx4d1Y3ds-&$Ue8(2@9Rh__2)`md4tbvWa5!eOn3U)i&nTqT~J=2-W@potHi6SJd z4Qvd}tW5y1m>C-z0UfpmMh>9+uwzawL2x+uq>&c{=lHuj_q6jD=)*NIvUUW)c}|*d zPnv9x8+B1zcK@^)gAj<*{$W!$TT`I@7NB8fV|dzui)^n2+W?)wjxIJ}M^k$vqm!oL zW1$^4>K?c3p7a|Zw+#R3TCnH1>1pV! zGWwk16oELyDeNCkIT8Omr_ld1r;?HqiqeXxoSw!r6mEeihQckt-alf60z&>HR!*RC z{C^QE=l@--iYkiA_oPpmRkg8FwBeCwQ!p|#J1QUjFmUrYcB`}Z{Q z->g+sQdvP&^Iw?#AB20V-hYgi6EM?%qzeOF;g57VPR-`OaC~gnfS-Z*`Eiat33P0H z|Bd1Qc5wu%C7koHGnRn7^x+S$oTrNTFT8U8-_7=a%fzVsp7XOa{QfQ5W3&A4)__1R z>8xy(^-PQ$fJAKL1OzJJVhm;EeGovb1_$CezMTPd;wm7{ zKeKTiD+vT#?SY()`{W(Z$vd87zJQ|Sn1{cogF?>-=Kr_VL7~S^ z4-+^9LEdb|C5D65hrs)5y#p%Gbsm>yZ^FC!1(`Nq)?9INzV}b-y{YF3at}` z9BWb)bfP8D$u+M=K>KM@!&h5J2t6J_|Z^V5G|eGC&Ibk3qoy%6n%c ziJ7CN5eRl_BqAW#@x=eE^^}UTy^%8rc0&K340;UskIYUe9ZMPq3{d(r^wbdlygjCL z8pjolTpdBj{QO;s!OpDogzT~6kYu5!j`T+vf0KotGJirAmD}S_&vFYr$+Sqar?NvK zdqU}i+ke)5EL#*xr|AZubh@@bl#cZVDB@Uze@6kJOgK@|vA#~FaO%Kph`$tu9CUWJ z|ELQ^TW97vUD5FpPOageB_KaMOYxQzju znxme*BNI^jBB_BG4NUcHfohYP9m)hcNgn@!Aweg8`v;31#soSEM*o4pnE>ZFA!Q3h zI^-D6W70Z6iZZh@b3~b!@f7Q<3n7gKmDv+S2tfbDzCou$ff=CiW9#|@0l0#~Px(3- zh2#ox%KHff0YEs8E#S{64kY9>$o<3We`Ytd-OE z00Z2Aa|BEe+?jK%gX1|lnLs>$f6fK42RWAP-;z8=1*SUTjthmkzm4aQ&W}fMBZ>Vj zAszq#Jqf-ir1St?|ILm*69{o^#HUl40p{^H0W$!=`R~#LCOe@C;G7j65+7A~4n_u! zW;WK$$F_Bw-9BEE}*!%~G)c2|R{sRQ$4Lg;JLyrkVj;-i# z@t$HFGsAdp#M#9lrE_jEXD2~23i-p--ygwF=06qqnTcRXK|mpY)^~Q)vA3P71!WY{ zz)!*^=q%?jcBG}Bgy%DB{hKrtIqUgxXIG4r)+h`j4f-UDp-gn5 z<$u)^{8$+9e-j~`9Vv`IHhX3+I6G1pClT&{T=6llXIG3IcXq`{1^w3*!;gh~TDGB5 zLka`&Z^D4HBZcwDzfgEb`YOjc$45Z|REjzqHwy1a3;M(RNlkN-6o4v*`y_lqPXiK^ z`y_Bdxlfpdo>YW?i|((?aduv$b)AtJ57LKG=RNU3=t;o)o9>xq{i{k)mUUdEqLM#x z7U=QRs(+LJAK8Ypqtg951p!9}K;D9$RK$NJeBkKquf?4lMTzMFCww-*Nt80O(Eq2d z|5F13(mpLbP9idt=UDhB_zE_LM&LURMt_ixiOB2e8(BK=^Me(gtQ_t`fEQ|DJwZX( z@e6xFLB#P3aX~>HK|vg_lC6=o$Z-e-omACl`28y*fWRV7j;6pV2&00GIume+a$LYM ziaMEDB9GEQ02Cx=WDneAXX5~Te1go#bb<%`ujZt04#aBUl^F7b%Eq2iUQgXf6Xas% zXbJ*O#fPa1Oo)Z0N?>~`rlC0?e%PJjSPX!te&NV z5g=Z52~BoM;08c_J!@;=IE_)=)XV_{{5#=?6{LZ@vd_jE1cV<1aM%OmWCLvZ51Rlw zurzt#&=Umk1P4xE_09CGnLrk{dcfh3ksiqTbTlVBGMD@%b5}qLIKZJU4+jq9^p6Jt zq)HB8uVW1Q4-A>rkbfZS|G;>VHOv_pkOq*On7?7bq1tiv^EV85&4YC5voN4~Kp6`F z;K+^U-*^B$2y)l;Hw*$CNF!@OR2UB`49dxcIu?j(=hp#&LXja7g&vd(g%=1w54rvP z8xNqzjob(S4FmXtAqxOh7_$C40|R^wjsgSdaUr+AXYc^QAa_NmFyv|D z1&;$+ccF~sM4pzSz_`!rk{g2DKb*xo?{5$Y=W!Z8i^s)-JS{p4Em zgbIVB`YM3OjXXL3dn^RP&4E1rMuEY(Q04&ej>`)aJj8iB(=-zy=jIusZ;YVL*r73Fz3^B~UK5Dy?4RC-+h zVrx9dXCr6l<$;~cM?l?*+-#h|gTY|u@+u65fT8*z490zqKNt)s&`{_B1l*g2kIFfLS{0sr_Ho;hI<)Hn$Pa`L(Lazaq;6i9G4nR1@<4fg^w{k2)_G>|AVzbMhe1-p=xZfFbwBXJJ6DJ-0Tl++ULadSkYDKiO%H$pmWl#{ai5PvFdjH+3b?gFL(PK#3`iFL$j{MU&&<-u9*3VF1XeS1H#*)>gH>&8fN#)F z&dGrvL0KEy0Pg^+MSh_sBM!RH&mqYrDvkhrO@fPyn;S@lT$17<5STb8AUPlgi3)=L ecN85EaIWHj{F>x=FAs1AM0FfGIte97oc|97o}>r> diff --git a/doc/pdf/build.tex b/doc/pdf/build.tex deleted file mode 100644 index 0adbe89..0000000 --- a/doc/pdf/build.tex +++ /dev/null @@ -1,993 +0,0 @@ -% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\usepackage[utf8]{inputenc} -\DeclareUnicodeCharacter{00A0}{\nobreakspace} -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{babel} -\usepackage{times} -\usepackage[Bjarne]{fncychap} -\usepackage{longtable} -\usepackage{sphinx} -\usepackage{multirow} - - -\title{Building MIT Kerberos} -\date{ } -\release{1.15.2} -\author{MIT} -\newcommand{\sphinxlogo}{} -\renewcommand{\releasename}{Release} -\makeindex - -\makeatletter -\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% - \let\PYG@ul=\relax \let\PYG@tc=\relax% - \let\PYG@bc=\relax \let\PYG@ff=\relax} -\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} -\def\PYG@toks#1+{\ifx\relax#1\empty\else% - \PYG@tok{#1}\expandafter\PYG@toks\fi} -\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% - \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} -\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} - -\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} -\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} -\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} -\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} -\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} -\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} -\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} -\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} -\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} -\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} -\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} -\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} -\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} -\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} -\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} -\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} -\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} -\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} -\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} - -\def\PYGZbs{\char`\\} -\def\PYGZus{\char`\_} -\def\PYGZob{\char`\{} -\def\PYGZcb{\char`\}} -\def\PYGZca{\char`\^} -\def\PYGZam{\char`\&} -\def\PYGZlt{\char`\<} -\def\PYGZgt{\char`\>} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{build/index::doc} - - -This section details how to build and install MIT Kerberos software -from the source. - - -\chapter{Prerequisites} -\label{build/index:building-kerberos-v5}\label{build/index:prerequisites}\label{build/index:build-v5} -In order to build Kerberos V5, you will need approximately 60-70 -megabytes of disk space. The exact amount will vary depending on the -platform and whether the distribution is compiled with debugging -symbol tables or not. - -Your C compiler must conform to ANSI C (ISO/IEC 9899:1990, ``c89''). -Some operating systems do not have an ANSI C compiler, or their -default compiler requires extra command-line options to enable ANSI C -conformance. - -If you wish to keep a separate build tree, which contains the compiled -*.o file and executables, separate from your source tree, you will -need a make program which supports \textbf{VPATH}, or you will need to use -a tool such as lndir to produce a symbolic link tree for your build -tree. - - -\chapter{Obtaining the software} -\label{build/index:obtaining-the-software} -The source code can be obtained from MIT Kerberos Distribution page, -at \href{http://web.mit.edu/kerberos/dist/index.html}{http://web.mit.edu/kerberos/dist/index.html}. -The MIT Kerberos distribution comes in an archive file, generally -named krb5-VERSION-signed.tar, where \emph{VERSION} is a placeholder for -the major and minor versions of MIT Kerberos. (For example, MIT -Kerberos 1.9 has major version ``1'' and minor version ``9''.) - -The krb5-VERSION-signed.tar contains a compressed tar file consisting -of the sources for all of Kerberos (generally named -krb5-VERSION.tar.gz) and a PGP signature file for this source tree -(generally named krb5-VERSION.tar.gz.asc). MIT highly recommends that -you verify the integrity of the source code using this signature, -e.g., by running: - -\begin{Verbatim}[commandchars=\\\{\}] -tar xf krb5\PYGZhy{}VERSION\PYGZhy{}signed.tar -gpg \PYGZhy{}\PYGZhy{}verify krb5\PYGZhy{}VERSION.tar.gz.asc -\end{Verbatim} - -Unpack krb5-VERSION.tar.gz in some directory. In this section we will assume -that you have chosen the top directory of the distribution the directory -\code{/u1/krb5-VERSION}. - -Review the README file for the license, copyright and other sprecific to the -distribution information. - - -\chapter{Contents} -\label{build/index:contents} - -\section{Organization of the source directory} -\label{build/directory_org::doc}\label{build/directory_org:organization-of-the-source-directory} -Below is a brief overview of the organization of the complete source -directory. More detailed descriptions follow. - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -appl - & -Kerberos application client and server programs -\\ -\hline -ccapi - & -Credential cache services -\\ -\hline -clients - & -Kerberos V5 user programs (See \emph{user\_commands}) -\\ -\hline -config - & -Configure scripts -\\ -\hline -config-files - & -Sample Kerberos configuration files -\\ -\hline -include - & -include files needed to build the Kerberos system -\\ -\hline -kadmin - & -Administrative interface to the Kerberos master database: \emph{kadmin(1)}, \emph{kdb5\_util(8)}, \emph{ktutil(1)}. -\\ -\hline -kdc - & -Kerberos V5 Authentication Service and Key Distribution Center -\\ -\hline -{\hyperref[build/directory_org:lib]{lib}} - & -Libraries for use with/by Kerberos V5 -\\ -\hline -plugins - & -Kerberos plugins directory -\\ -\hline -po - & -Localization infrastructure -\\ -\hline -prototype - & -Templates files containing the MIT copyright message and a placeholder for the title and description of the file. -\\ -\hline -slave - & -Utilities for propagating the database to slave KDCs \emph{kprop(8)} and \emph{kpropd(8)} -\\ -\hline -tests - & -Test suite -\\ -\hline -{\hyperref[build/directory_org:util]{util}} - & -Various utilities for building/configuring the code, sending bug reports, etc. -\\ -\hline -windows - & -Source code for building Kerberos V5 on Windows (see windows/README) -\\ -\hline\end{tabulary} - - - -\subsection{lib} -\label{build/directory_org:lib}\label{build/directory_org:id1} -The lib directory contain several subdirectories as well as some -definition and glue files. -\begin{itemize} -\item {} -The apputils directory contains the code for the generic network -servicing. - -\item {} -The crypto subdirectory contains the Kerberos V5 encryption -library. - -\item {} -The gssapi library contains the Generic Security Services API, -which is a library of commands to be used in secure client-server -communication. - -\item {} -The kadm5 directory contains the libraries for the KADM5 -administration utilities. - -\item {} -The Kerberos 5 database libraries are contained in kdb. - -\item {} -The krb5 directory contains Kerberos 5 API. - -\item {} -The rpc directory contains the API for the Kerberos Remote -Procedure Call protocol. - -\end{itemize} - - -\subsection{util} -\label{build/directory_org:util}\label{build/directory_org:id2}\begin{description} -\item[{The util directory contains several utility programs and libraries.}] \leavevmode\begin{itemize} -\item {} -the programs used to configure and build the code, such as -autoconf, lndir, kbuild, reconf, and makedepend, are in this -directory. - -\item {} -the profile directory contains most of the functions which parse -the Kerberos configuration files (krb5.conf and kdc.conf). - -\item {} -the Kerberos error table library and utilities (et); - -\item {} -the Sub-system library and utilities (ss); - -\item {} -database utilities (db2); - -\item {} -pseudo-terminal utilities (pty); - -\item {} -bug-reporting program send-pr; - -\item {} -a generic support library support used by several of our other -libraries; - -\item {} -the build infrastructure for building lightweight Kerberos client -(collected-client-lib) - -\item {} -the tool for validating Kerberos configuration files -(confvalidator); - -\item {} -the toolkit for kernel integrators for building krb5 code subsets -(gss-kernel-lib); - -\item {} -source code for building Kerberos V5 on MacOS (mac) - -\item {} -Windows getopt operations (windows) - -\end{itemize} - -\end{description} - - -\section{Doing the build} -\label{build/doing_build::doc}\label{build/doing_build:doing-the-build} - -\subsection{Building within a single tree} -\label{build/doing_build:do-build}\label{build/doing_build:building-within-a-single-tree} -If you only need to build Kerberos for one platform, using a single -directory tree which contains both the source files and the object -files is the simplest. However, if you need to maintain Kerberos for -a large number of platforms, you will probably want to use separate -build trees for each platform. We recommend that you look at OS -Incompatibilities, for notes that we have on particular operating -systems. - -If you don't want separate build trees for each architecture, then use -the following abbreviated procedure: - -\begin{Verbatim}[commandchars=\\\{\}] -cd /u1/krb5\PYGZhy{}VERSION/src -./configure -make -\end{Verbatim} - -That's it! - - -\subsection{Building with separate build directories} -\label{build/doing_build:building-with-separate-build-directories} -If you wish to keep separate build directories for each platform, you -can do so using the following procedure. (Note, this requires that -your make program support VPATH. GNU's make will provide this -functionality, for example.) If your make program does not support -this, see the next section. - -For example, if you wish to store the binaries in \code{tmpbuild} build -directory you might use the following procedure: - -\begin{Verbatim}[commandchars=\\\{\}] -mkdir /u1/tmpbuild -cd /u1/tmpbuild -/u1/krb5\PYGZhy{}VERSION/src/configure -make -\end{Verbatim} - - -\subsection{Building using lndir} -\label{build/doing_build:building-using-lndir} -If you wish to keep separate build directories for each platform, and -you do not have access to a make program which supports VPATH, all is -not lost. You can use the lndir program to create symbolic link trees -in your build directory. - -For example, if you wish to create a build directory for solaris -binaries you might use the following procedure: - -\begin{Verbatim}[commandchars=\\\{\}] -mkdir /u1/krb5\PYGZhy{}VERSION/solaris -cd /u1/krb5\PYGZhy{}VERSION/solaris -/u1/krb5\PYGZhy{}VERSION/src/util/lndir {}`pwd{}`/../src -./configure -make -\end{Verbatim} - -You must give an absolute pathname to lndir because it has a bug that -makes it fail for relative pathnames. Note that this version differs -from the latest version as distributed and installed by the -XConsortium with X11R6. Either version should be acceptable. - - -\subsection{Installing the binaries} -\label{build/doing_build:installing-the-binaries} -Once you have built Kerberos, you should install the binaries. You can -do this by running: - -\begin{Verbatim}[commandchars=\\\{\}] -make install -\end{Verbatim} - -If you want to install the binaries into a destination directory that -is not their final destination, which may be convenient if you want to -build a binary distribution to be deployed on multiple hosts, you may -use: - -\begin{Verbatim}[commandchars=\\\{\}] -make install DESTDIR=/path/to/destdir -\end{Verbatim} - -This will install the binaries under \emph{DESTDIR/PREFIX}, e.g., the user -programs will install into \emph{DESTDIR/PREFIX/bin}, the libraries into -\emph{DESTDIR/PREFIX/lib}, etc. - -Some implementations of make allow multiple commands to be run in -parallel, for faster builds. We test our Makefiles in parallel builds -with GNU make only; they may not be compatible with other parallel -build implementations. - - -\subsection{Testing the build} -\label{build/doing_build:testing-the-build} -The Kerberos V5 distribution comes with built-in regression tests. To -run them, simply type the following command while in the top-level -build directory (i.e., the directory where you sent typed make to -start building Kerberos; see {\hyperref[build/doing_build:do-build]{\emph{Building within a single tree}}}): - -\begin{Verbatim}[commandchars=\\\{\}] -make check -\end{Verbatim} - -However, there are several prerequisites that must be satisfied first: -\begin{itemize} -\item {} -Configure and build Kerberos with Tcl support. Tcl is used to drive -the test suite. This often means passing \textbf{-}\textbf{-with-tcl} to -configure to tell it the location of the Tcl configuration -script. (See {\hyperref[build/options2configure:options2configure]{\emph{Options to configure}}}.) - -\item {} -In addition to Tcl, DejaGnu must be available on the system for some -of the tests to run. The test suite will still run the other tests -if DejaGnu is not present, but the test coverage will be reduced -accordingly. - -\item {} -On some operating systems, you have to run \code{make install} before -running \code{make check}, or the test suite will pick up installed -versions of Kerberos libraries rather than the newly built ones. -You can install into a prefix that isn't in the system library -search path, though. Alternatively, you can configure with -\textbf{-}\textbf{-disable-rpath}, which renders the build tree less suitable for -installation, but allows testing without interference from -previously installed libraries. - -\end{itemize} - -There are additional regression tests available, which are not run -by \code{make check}. These tests require manual setup and teardown of -support infrastructure which is not easily automated, or require -excessive resources for ordinary use. The procedure for running -the manual tests is documented at -\href{http://k5wiki.kerberos.org/wiki/Manual\_Testing}{http://k5wiki.kerberos.org/wiki/Manual\_Testing}. - - -\subsection{Cleaning up the build} -\label{build/doing_build:cleaning-up-the-build}\begin{itemize} -\item {} -Use \code{make clean} to remove all files generated by running make -command. - -\item {} -Use \code{make distclean} to remove all files generated by running -./configure script. After running \code{make distclean} your source -tree (ideally) should look like the raw (just un-tarred) source -tree. - -\end{itemize} - - -\subsection{Using autoconf} -\label{build/doing_build:using-autoconf} -(If you are not a developer, you can ignore this section.) - -In the Kerberos V5 source directory, there is a configure script which -automatically determines the compilation environment and creates the -proper Makefiles for a particular platform. This configure script is -generated using autoconf, which you should already have installed if -you will be making changes to \code{src/configure.in}. - -Normal users will not need to worry about running autoconf; the -distribution comes with the configure script already prebuilt. - -The autoconf package comes with a script called \code{autoreconf} that -will automatically run \code{autoconf} and \code{autoheader} as needed. You -should run \code{autoreconf} from the top source directory, e.g.: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{cd} \PYG{o}{/}\PYG{n}{u1}\PYG{o}{/}\PYG{n}{krb5}\PYG{o}{\PYGZhy{}}\PYG{n}{VERSION}\PYG{o}{/}\PYG{n}{src} -\PYG{n}{autoreconf} \PYG{o}{\PYGZhy{}}\PYG{o}{\PYGZhy{}}\PYG{n}{verbose} -\end{Verbatim} - - -\section{Options to \emph{configure}} -\label{build/options2configure:options2configure}\label{build/options2configure::doc}\label{build/options2configure:options-to-configure} -There are a number of options to configure which you can use to -control how the Kerberos distribution is built. - - -\subsection{Most commonly used options} -\label{build/options2configure:most-commonly-used-options}\begin{description} -\item[{\textbf{-}\textbf{-help}}] \leavevmode -Provides help to configure. This will list the set of commonly -used options for building Kerberos. - -\item[{\textbf{-}\textbf{-prefix=}\emph{PREFIX}}] \leavevmode -By default, Kerberos will install the package's files rooted at -\code{/usr/local}. If you desire to place the binaries into the -directory \emph{PREFIX}, use this option. - -\item[{\textbf{-}\textbf{-exec-prefix=}\emph{EXECPREFIX}}] \leavevmode -This option allows one to separate the architecture independent -programs from the host-dependent files (configuration files, -manual pages). Use this option to install architecture-dependent -programs in \emph{EXECPREFIX}. The default location is the value of -specified by \textbf{-}\textbf{-prefix} option. - -\item[{\textbf{-}\textbf{-localstatedir=}\emph{LOCALSTATEDIR}}] \leavevmode -This option sets the directory for locally modifiable -single-machine data. In Kerberos, this mostly is useful for -setting a location for the KDC data files, as they will be -installed in \code{LOCALSTATEDIR/krb5kdc}, which is by default -\code{PREFIX/var/krb5kdc}. - -\item[{\textbf{-}\textbf{-with-netlib}{[}=\emph{libs}{]}}] \leavevmode -Allows for suppression of or replacement of network libraries. By -default, Kerberos V5 configuration will look for \code{-lnsl} and -\code{-lsocket}. If your operating system has a broken resolver -library or fails to pass the tests in \code{src/tests/resolv}, you -will need to use this option. - -\item[{\textbf{-}\textbf{-with-tcl=}\emph{TCLPATH}}] \leavevmode -Some of the unit-tests in the build tree rely upon using a program -in Tcl. The directory specified by \emph{TCLPATH} specifies where the -Tcl header file (TCLPATH/include/tcl.h) as well as where the Tcl -library (TCLPATH/lib) should be found. - -\item[{\textbf{-}\textbf{-enable-dns-for-realm}}] \leavevmode -Enable the use of DNS to look up a host's Kerberos realm, -if the information is not provided in -\emph{krb5.conf(5)}. See \emph{mapping\_hostnames} -for information about using DNS to determine the default realm. -DNS lookups for realm names are disabled by default. - -\item[{\textbf{-}\textbf{-with-system-et}}] \leavevmode -Use an installed version of the error-table (et) support software, -the compile\_et program, the com\_err.h header file and the com\_err -library. If these are not in the default locations, you may wish -to specify \code{CPPFLAGS=-I/some/dir} and -\code{LDFLAGS=-L/some/other/dir} options at configuration time as -well. - -If this option is not given, a version supplied with the Kerberos -sources will be built and installed along with the rest of the -Kerberos tree, for Kerberos applications to link against. - -\item[{\textbf{-}\textbf{-with-system-ss}}] \leavevmode -Use an installed version of the subsystem command-line interface -software, the mk\_cmds program, the \code{ss/ss.h} header file and the -ss library. If these are not in the default locations, you may -wish to specify \code{CPPFLAGS=-I/some/dir} and -\code{LDFLAGS=-L/some/other/dir} options at configuration time as -well. See also the \textbf{SS\_LIB} option. - -If this option is not given, the ss library supplied with the -Kerberos sources will be compiled and linked into those programs -that need it; it will not be installed separately. - -\item[{\textbf{-}\textbf{-with-system-db}}] \leavevmode -Use an installed version of the Berkeley DB package, which must -provide an API compatible with version 1.85. This option is -unsupported and untested. In particular, we do not know if the -database-rename code used in the dumpfile load operation will -behave properly. - -If this option is not given, a version supplied with the Kerberos -sources will be built and installed. (We are not updating this -version at this time because of licensing issues with newer -versions that we haven't investigated sufficiently yet.) - -\end{description} - - -\subsection{Environment variables} -\label{build/options2configure:environment-variables}\begin{description} -\item[{\textbf{CC=}\emph{COMPILER}}] \leavevmode -Use \emph{COMPILER} as the C compiler. - -\item[{\textbf{CFLAGS=}\emph{FLAGS}}] \leavevmode -Use \emph{FLAGS} as the default set of C compiler flags. - -\item[{\textbf{CPP=}\emph{CPP}}] \leavevmode -C preprocessor to use. (e.g., \code{CPP='gcc -E'}) - -\item[{\textbf{CPPFLAGS=}\emph{CPPOPTS}}] \leavevmode -Use \emph{CPPOPTS} as the default set of C preprocessor flags. The -most common use of this option is to select certain \#define's for -use with the operating system's include files. - -\item[{\textbf{DB\_HEADER=}\emph{headername}}] \leavevmode -If db.h is not the correct header file to include to compile -against the Berkeley DB 1.85 API, specify the correct header file -name with this option. For example, \code{DB\_HEADER=db3/db\_185.h}. - -\item[{\textbf{DB\_LIB=}\emph{libs}...}] \leavevmode -If \code{-ldb} is not the correct library specification for the -Berkeley DB library version to be used, override it with this -option. For example, \code{DB\_LIB=-ldb-3.3}. - -\item[{\textbf{DEFCCNAME=}\emph{ccachename}}] \leavevmode -Override the built-in default credential cache name. -For example, \code{DEFCCNAME=DIR:/var/run/user/\%\{USERID\}/ccache} -See \emph{parameter\_expansion} for information about supported -parameter expansions. - -\item[{\textbf{DEFCKTNAME=}\emph{keytabname}}] \leavevmode -Override the built-in default client keytab name. -The format is the same as for \emph{DEFCCNAME}. - -\item[{\textbf{DEFKTNAME=}\emph{keytabname}}] \leavevmode -Override the built-in default keytab name. -The format is the same as for \emph{DEFCCNAME}. - -\item[{\textbf{LD=}\emph{LINKER}}] \leavevmode -Use \emph{LINKER} as the default loader if it should be different from -C compiler as specified above. - -\item[{\textbf{LDFLAGS=}\emph{LDOPTS}}] \leavevmode -This option informs the linker where to get additional libraries -(e.g., \code{-L\textless{}lib dir\textgreater{}}). - -\item[{\textbf{LIBS=}\emph{LDNAME}}] \leavevmode -This option allows one to specify libraries to be passed to the -linker (e.g., \code{-l\textless{}library\textgreater{}}) - -\item[{\textbf{SS\_LIB=}\emph{libs}...}] \leavevmode -If \code{-lss} is not the correct way to link in your installed ss -library, for example if additional support libraries are needed, -specify the correct link options here. Some variants of this -library are around which allow for Emacs-like line editing, but -different versions require different support libraries to be -explicitly specified. - -This option is ignored if \textbf{-}\textbf{-with-system-ss} is not specified. - -\item[{\textbf{YACC}}] \leavevmode -The `Yet Another C Compiler' implementation to use. Defaults to -the first program found out of: `\emph{bison -y}`, `\emph{byacc}`, -`\emph{yacc}`. - -\item[{\textbf{YFLAGS}}] \leavevmode -The list of arguments that will be passed by default to \$YACC. -This script will default YFLAGS to the empty string to avoid a -default value of \code{-d} given by some make applications. - -\end{description} - - -\subsection{Fine tuning of the installation directories} -\label{build/options2configure:fine-tuning-of-the-installation-directories}\begin{description} -\item[{\textbf{-}\textbf{-bindir=}\emph{DIR}}] \leavevmode -User executables. Defaults to \code{EXECPREFIX/bin}, where -\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} -configuration option. - -\item[{\textbf{-}\textbf{-sbindir=}\emph{DIR}}] \leavevmode -System admin executables. Defaults to \code{EXECPREFIX/sbin}, where -\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} -configuration option. - -\item[{\textbf{-}\textbf{-sysconfdir=}\emph{DIR}}] \leavevmode -Read-only single-machine data such as krb5.conf. -Defaults to \code{PREFIX/etc}, where -\emph{PREFIX} is the path specified by \textbf{-}\textbf{-prefix} configuration -option. - -\item[{\textbf{-}\textbf{-libdir=}\emph{DIR}}] \leavevmode -Object code libraries. Defaults to \code{EXECPREFIX/lib}, where -\emph{EXECPREFIX} is the path specified by \textbf{-}\textbf{-exec-prefix} -configuration option. - -\item[{\textbf{-}\textbf{-includedir=}\emph{DIR}}] \leavevmode -C header files. Defaults to \code{PREFIX/include}, where \emph{PREFIX} is -the path specified by \textbf{-}\textbf{-prefix} configuration option. - -\item[{\textbf{-}\textbf{-datarootdir=}\emph{DATAROOTDIR}}] \leavevmode -Read-only architecture-independent data root. Defaults to -\code{PREFIX/share}, where \emph{PREFIX} is the path specified by -\textbf{-}\textbf{-prefix} configuration option. - -\item[{\textbf{-}\textbf{-datadir=}\emph{DIR}}] \leavevmode -Read-only architecture-independent data. Defaults to path -specified by \textbf{-}\textbf{-datarootdir} configuration option. - -\item[{\textbf{-}\textbf{-localedir=}\emph{DIR}}] \leavevmode -Locale-dependent data. Defaults to \code{DATAROOTDIR/locale}, where -\emph{DATAROOTDIR} is the path specified by \textbf{-}\textbf{-datarootdir} -configuration option. - -\item[{\textbf{-}\textbf{-mandir=}\emph{DIR}}] \leavevmode -Man documentation. Defaults to \code{DATAROOTDIR/man}, where -\emph{DATAROOTDIR} is the path specified by \textbf{-}\textbf{-datarootdir} -configuration option. - -\end{description} - - -\subsection{Program names} -\label{build/options2configure:program-names}\begin{description} -\item[{\textbf{-}\textbf{-program-prefix=}\emph{PREFIX}}] \leavevmode -Prepend \emph{PREFIX} to the names of the programs when installing -them. For example, specifying \code{-{-}program-prefix=mit-} at the -configure time will cause the program named \code{abc} to be -installed as \code{mit-abc}. - -\item[{\textbf{-}\textbf{-program-suffix=}\emph{SUFFIX}}] \leavevmode -Append \emph{SUFFIX} to the names of the programs when installing them. -For example, specifying \code{-{-}program-suffix=-mit} at the configure -time will cause the program named \code{abc} to be installed as -\code{abc-mit}. - -\item[{\textbf{-}\textbf{-program-transform-name=}\emph{PROGRAM}}] \leavevmode -Run \code{sed -e PROGRAM} on installed program names. (\emph{PROGRAM} is a -sed script). - -\end{description} - - -\subsection{System types} -\label{build/options2configure:system-types}\begin{description} -\item[{\textbf{-}\textbf{-build=}\emph{BUILD}}] \leavevmode -Configure for building on \emph{BUILD} -(e.g., \code{-{-}build=x86\_64-linux-gnu}). - -\item[{\textbf{-}\textbf{-host=}\emph{HOST}}] \leavevmode -Cross-compile to build programs to run on \emph{HOST} -(e.g., \code{-{-}host=x86\_64-linux-gnu}). By default, Kerberos V5 -configuration will look for ``build'' option. - -\end{description} - - -\subsection{Optional features} -\label{build/options2configure:optional-features}\begin{description} -\item[{\textbf{-}\textbf{-disable-option-checking}}] \leavevmode -Ignore unrecognized --enable/--with options. - -\item[{\textbf{-}\textbf{-disable-}\emph{FEATURE}}] \leavevmode -Do not include \emph{FEATURE} (same as --enable-FEATURE=no). - -\item[{\textbf{-}\textbf{-enable-}\emph{FEATURE}{[}=\emph{ARG}{]}}] \leavevmode -Include \emph{FEATURE} {[}ARG=yes{]}. - -\item[{\textbf{-}\textbf{-enable-maintainer-mode}}] \leavevmode -Enable rebuilding of source files, Makefiles, etc. - -\item[{\textbf{-}\textbf{-disable-delayed-initialization}}] \leavevmode -Initialize library code when loaded. Defaults to delay until -first use. - -\item[{\textbf{-}\textbf{-disable-thread-support}}] \leavevmode -Don't enable thread support. Defaults to enabled. - -\item[{\textbf{-}\textbf{-disable-rpath}}] \leavevmode -Suppress run path flags in link lines. - -\item[{\textbf{-}\textbf{-enable-athena}}] \leavevmode -Build with MIT Project Athena configuration. - -\item[{\textbf{-}\textbf{-disable-kdc-lookaside-cache}}] \leavevmode -Disable the cache which detects client retransmits. - -\item[{\textbf{-}\textbf{-disable-pkinit}}] \leavevmode -Disable PKINIT plugin support. - -\item[{\textbf{-}\textbf{-disable-aesni}}] \leavevmode -Disable support for using AES instructions on x86 platforms. - -\item[{\textbf{-}\textbf{-enable-asan}{[}=\emph{ARG}{]}}] \leavevmode -Enable building with asan memory error checking. If \emph{ARG} is -given, it controls the -fsanitize compilation flag value (the -default is ``address''). - -\end{description} - - -\subsection{Optional packages} -\label{build/options2configure:optional-packages}\begin{description} -\item[{\textbf{-}\textbf{-with-}\emph{PACKAGE}{[}=ARG{]}}] \leavevmode -Use \emph{PACKAGE} (e.g., \code{-{-}with-imap}). The default value of \emph{ARG} -is \code{yes}. - -\item[{\textbf{-}\textbf{-without-}\emph{PACKAGE}}] \leavevmode -Do not use \emph{PACKAGE} (same as \code{-{-}with-PACKAGE=no}) -(e.g., \code{-{-}without-libedit}). - -\item[{\textbf{-}\textbf{-with-size-optimizations}}] \leavevmode -Enable a few optimizations to reduce code size possibly at some -run-time cost. - -\item[{\textbf{-}\textbf{-with-system-et}}] \leavevmode -Use the com\_err library and compile\_et utility that are already -installed on the system, instead of building and installing -local versions. - -\item[{\textbf{-}\textbf{-with-system-ss}}] \leavevmode -Use the ss library and mk\_cmds utility that are already installed -on the system, instead of building and using private versions. - -\item[{\textbf{-}\textbf{-with-system-db}}] \leavevmode -Use the berkeley db utility already installed on the system, -instead of using a private version. This option is not -recommended; enabling it may result in incompatibility with key -databases originating on other systems. - -\item[{\textbf{-}\textbf{-with-netlib=}\emph{LIBS}}] \leavevmode -Use the resolver library specified in \emph{LIBS}. Use this variable -if the C library resolver is insufficient or broken. - -\item[{\textbf{-}\textbf{-with-hesiod=}\emph{path}}] \leavevmode -Compile with Hesiod support. The \emph{path} points to the Hesiod -directory. By default Hesiod is unsupported. - -\item[{\textbf{-}\textbf{-with-ldap}}] \leavevmode -Compile OpenLDAP database backend module. - -\item[{\textbf{-}\textbf{-with-tcl=}\emph{path}}] \leavevmode -Specifies that \emph{path} is the location of a Tcl installation. -Tcl is needed for some of the tests run by `make check'; such tests -will be skipped if this option is not set. - -\item[{\textbf{-}\textbf{-with-vague-errors}}] \leavevmode -Do not send helpful errors to client. For example, if the KDC -should return only vague error codes to clients. - -\item[{\textbf{-}\textbf{-with-crypto-impl=}\emph{IMPL}}] \leavevmode -Use specified crypto implementation (e.g., \textbf{-}\textbf{-with-crypto-impl=}\emph{openssl}). The default is the native MIT -Kerberos implementation \code{builtin}. The other currently -implemented crypto backend is \code{openssl}. (See -\emph{mitK5features}) - -\item[{\textbf{-}\textbf{-with-prng-alg=}\emph{ALG}}] \leavevmode -Use specified PRNG algorithm. For example, to use the OS native -prng specify \code{-{-}with-prng-alg=os}. The default is \code{fortuna}. -(See \emph{mitK5features}) - -\item[{\textbf{-}\textbf{-with-pkinit-crypto-impl=}\emph{IMPL}}] \leavevmode -Use the specified pkinit crypto implementation \emph{IMPL}. -Defaults to using OpenSSL. - -\item[{\textbf{-}\textbf{-without-libedit}}] \leavevmode -Do not compile and link against libedit. Some utilities will no -longer offer command history or completion in interactive mode if -libedit is disabled. - -\item[{\textbf{-}\textbf{-with-readline}}] \leavevmode -Compile and link against GNU readline, as an alternative to libedit. -Building with readline breaks the dejagnu test suite, which is a -subset of the tests run by `make check'. - -\item[{\textbf{-}\textbf{-with-system-verto}}] \leavevmode -Use an installed version of libverto. If the libverto header and -library are not in default locations, you may wish to specify -\code{CPPFLAGS=-I/some/dir} and \code{LDFLAGS=-L/some/other/dir} options -at configuration time as well. - -If this option is not given, the build system will try to detect -an installed version of libverto and use it if it is found. -Otherwise, a version supplied with the Kerberos sources will be -built and installed. The built-in version does not contain the -full set of back-end modules and is not a suitable general -replacement for the upstream version, but will work for the -purposes of Kerberos. - -Specifying \textbf{-}\textbf{-without-system-verto} will cause the built-in -version of libverto to be used unconditionally. - -\item[{\textbf{-}\textbf{-with-krb5-config=}\emph{PATH}}] \leavevmode -Use the krb5-config program at \emph{PATH} to obtain the build-time -default credential cache, keytab, and client keytab names. The -default is to use \code{krb5-config} from the program path. Specify -\code{-{-}without-krb5-config} to disable the use of krb5-config and -use the usual built-in defaults. - -\end{description} - - -\subsection{Examples} -\label{build/options2configure:examples} -For example, in order to configure Kerberos on a Solaris machine using -the suncc compiler with the optimizer turned on, run the configure -script with the following options: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZpc{} ./configure CC=suncc CFLAGS=\PYGZhy{}O -\end{Verbatim} - -For a slightly more complicated example, consider a system where -several packages to be used by Kerberos are installed in -\code{/usr/foobar}, including Berkeley DB 3.3, and an ss library that -needs to link against the curses library. The configuration of -Kerberos might be done thus: - -\begin{Verbatim}[commandchars=\\\{\}] -./configure CPPFLAGS=\PYGZhy{}I/usr/foobar/include LDFLAGS=\PYGZhy{}L/usr/foobar/lib \PYGZbs{} -\PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}et \PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}ss \PYGZhy{}\PYGZhy{}with\PYGZhy{}system\PYGZhy{}db \PYGZbs{} -SS\PYGZus{}LIB=\PYGZsq{}\PYGZhy{}lss \PYGZhy{}lcurses\PYGZsq{} DB\PYGZus{}HEADER=db3/db\PYGZus{}185.h DB\PYGZus{}LIB=\PYGZhy{}ldb\PYGZhy{}3.3 -\end{Verbatim} - - -\section{osconf.hin} -\label{build/osconf:osconf-hin}\label{build/osconf::doc} -There is one configuration file which you may wish to edit to control -various compile-time parameters in the Kerberos distribution: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYG{n}{include}\PYG{o}{/}\PYG{n}{osconf}\PYG{o}{.}\PYG{n}{hin} -\end{Verbatim} - -The list that follows is by no means complete, just some of the more -interesting variables. -\begin{description} -\item[{\textbf{DEFAULT\_PROFILE\_PATH}}] \leavevmode -The pathname to the file which contains the profiles for the known -realms, their KDCs, etc. The default value is \code{/etc/krb5.conf}. - -\item[{\textbf{DEFAULT\_KEYTAB\_NAME}}] \leavevmode -The type and pathname to the default server keytab file. The -default is \emph{DEFKTNAME}. - -\item[{\textbf{DEFAULT\_KDC\_ENCTYPE}}] \leavevmode -The default encryption type for the KDC database master key. The -default value is \code{aes256-cts-hmac-sha1-96}. - -\item[{\textbf{RCTMPDIR}}] \leavevmode -The directory which stores replay caches. The default is -\code{/var/tmp}. - -\item[{\textbf{DEFAULT\_KDB\_FILE}}] \leavevmode -The location of the default database. The default value is -\emph{LOCALSTATEDIR}\code{/krb5kdc}\code{/principal}. - -\end{description} - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/pdf/fncychap.sty b/doc/pdf/fncychap.sty deleted file mode 100644 index 9a56c04..0000000 --- a/doc/pdf/fncychap.sty +++ /dev/null @@ -1,683 +0,0 @@ -%%% Copyright Ulf A. Lindgren -%%% -%%% Note Premission is granted to modify this file under -%%% the condition that it is saved using another -%%% file and package name. -%%% -%%% Revision 1.1 (1997) -%%% -%%% Jan. 8th Modified package name base date option -%%% Jan. 22th Modified FmN and FmTi for error in book.cls -%%% \MakeUppercase{#}->{\MakeUppercase#} -%%% Apr. 6th Modified Lenny option to prevent undesired -%%% skip of line. -%%% Nov. 8th Fixed \@chapapp for AMS -%%% -%%% Revision 1.2 (1998) -%%% -%%% Feb. 11th Fixed appendix problem related to Bjarne -%%% Aug. 11th Fixed problem related to 11pt and 12pt -%%% suggested by Tomas Lundberg. THANKS! -%%% -%%% Revision 1.3 (2004) -%%% Sep. 20th problem with frontmatter, mainmatter and -%%% backmatter, pointed out by Lapo Mori -%%% -%%% Revision 1.31 (2004) -%%% Sep. 21th problem with the Rejne definition streched text -%%% caused ugly gaps in the vrule aligned with the title -%%% text. Kindly pointed out to me by Hendri Adriaens -%%% -%%% Revision 1.32 (2005) -%%% Jun. 23th compatibility problem with the KOMA class 'scrbook.cls' -%%% a remedy is a redefinition of '\@schapter' in -%%% line with that used in KOMA. The problem was pointed -%%% out to me by Mikkel Holm Olsen -%%% -%%% Revision 1.33 (2005) -%%% Aug. 9th misspelled ``TWELV'' corrected, the error was pointed -%%% out to me by George Pearson -%%% -%%% Revision 1.34 (2007) -%%% Added an alternative to Lenny provided by Peter -%%% Osborne (2005-11-28) -%%% Corrected front, main and back matter, based on input -%%% from Bas van Gils (2006-04-24) -%%% Jul. 30th Added Bjornstrup option provided by Jean-Marc -%%% Francois (2007-01-05). -%%% Reverted to \MakeUppercase{#} see rev 1.1, solved -%%% problem with MakeUppercase and MakeLowercase pointed -%%% out by Marco Feuerstein (2007-06-06) - - -%%% Last modified Jul. 2007 - -\NeedsTeXFormat{LaTeX2e}[1995/12/01] -\ProvidesPackage{fncychap} - [2007/07/30 v1.34 - LaTeX package (Revised chapters)] - -%%%% For conditional inclusion of color -\newif\ifusecolor -\usecolorfalse - - - -%%%% DEFINITION OF Chapapp variables -\newcommand{\CNV}{\huge\bfseries} -\newcommand{\ChNameVar}[1]{\renewcommand{\CNV}{#1}} - - -%%%% DEFINITION OF TheChapter variables -\newcommand{\CNoV}{\huge\bfseries} -\newcommand{\ChNumVar}[1]{\renewcommand{\CNoV}{#1}} - -\newif\ifUCN -\UCNfalse -\newif\ifLCN -\LCNfalse -\def\ChNameLowerCase{\LCNtrue\UCNfalse} -\def\ChNameUpperCase{\UCNtrue\LCNfalse} -\def\ChNameAsIs{\UCNfalse\LCNfalse} - -%%%%% Fix for AMSBook 971008 - -\@ifundefined{@chapapp}{\let\@chapapp\chaptername}{} - - -%%%%% Fix for Bjarne and appendix 980211 - -\newif\ifinapp -\inappfalse -\renewcommand\appendix{\par - \setcounter{chapter}{0}% - \setcounter{section}{0}% - \inapptrue% - \renewcommand\@chapapp{\appendixname}% - \renewcommand\thechapter{\@Alph\c@chapter}} - -%%%%% Fix for frontmatter, mainmatter, and backmatter 040920 - -\@ifundefined{@mainmatter}{\newif\if@mainmatter \@mainmattertrue}{} - -%%%%% - - - -\newcommand{\FmN}[1]{% -\ifUCN - {\MakeUppercase{#1}}\LCNfalse -\else - \ifLCN - {\MakeLowercase{#1}}\UCNfalse - \else #1 - \fi -\fi} - - -%%%% DEFINITION OF Title variables -\newcommand{\CTV}{\Huge\bfseries} -\newcommand{\ChTitleVar}[1]{\renewcommand{\CTV}{#1}} - -%%%% DEFINITION OF the basic rule width -\newlength{\RW} -\setlength{\RW}{1pt} -\newcommand{\ChRuleWidth}[1]{\setlength{\RW}{#1}} - -\newif\ifUCT -\UCTfalse -\newif\ifLCT -\LCTfalse -\def\ChTitleLowerCase{\LCTtrue\UCTfalse} -\def\ChTitleUpperCase{\UCTtrue\LCTfalse} -\def\ChTitleAsIs{\UCTfalse\LCTfalse} -\newcommand{\FmTi}[1]{% -\ifUCT - {\MakeUppercase{#1}}\LCTfalse -\else - \ifLCT - {\MakeLowercase{#1}}\UCTfalse - \else {#1} - \fi -\fi} - - - -\newlength{\mylen} -\newlength{\myhi} -\newlength{\px} -\newlength{\py} -\newlength{\pyy} -\newlength{\pxx} - - -\def\mghrulefill#1{\leavevmode\leaders\hrule\@height #1\hfill\kern\z@} - -\newcommand{\DOCH}{% - \CNV\FmN{\@chapapp}\space \CNoV\thechapter - \par\nobreak - \vskip 20\p@ - } -\newcommand{\DOTI}[1]{% - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@ - } -\newcommand{\DOTIS}[1]{% - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@ - } - -%%%%%% SONNY DEF - -\DeclareOption{Sonny}{% - \ChNameVar{\Large\sf} - \ChNumVar{\Huge} - \ChTitleVar{\Large\sf} - \ChRuleWidth{0.5pt} - \ChNameUpperCase - \renewcommand{\DOCH}{% - \raggedleft - \CNV\FmN{\@chapapp}\space \CNoV\thechapter - \par\nobreak - \vskip 40\p@} - \renewcommand{\DOTI}[1]{% - \CTV\raggedleft\mghrulefill{\RW}\par\nobreak - \vskip 5\p@ - \CTV\FmTi{#1}\par\nobreak - \mghrulefill{\RW}\par\nobreak - \vskip 40\p@} - \renewcommand{\DOTIS}[1]{% - \CTV\raggedleft\mghrulefill{\RW}\par\nobreak - \vskip 5\p@ - \CTV\FmTi{#1}\par\nobreak - \mghrulefill{\RW}\par\nobreak - \vskip 40\p@} -} - -%%%%%% LENNY DEF - -\DeclareOption{Lenny}{% - - \ChNameVar{\fontsize{14}{16}\usefont{OT1}{phv}{m}{n}\selectfont} - \ChNumVar{\fontsize{60}{62}\usefont{OT1}{ptm}{m}{n}\selectfont} - \ChTitleVar{\Huge\bfseries\rm} - \ChRuleWidth{1pt} - \renewcommand{\DOCH}{% - \settowidth{\px}{\CNV\FmN{\@chapapp}} - \addtolength{\px}{2pt} - \settoheight{\py}{\CNV\FmN{\@chapapp}} - \addtolength{\py}{1pt} - - \settowidth{\mylen}{\CNV\FmN{\@chapapp}\space\CNoV\thechapter} - \addtolength{\mylen}{1pt} - \settowidth{\pxx}{\CNoV\thechapter} - \addtolength{\pxx}{-1pt} - - \settoheight{\pyy}{\CNoV\thechapter} - \addtolength{\pyy}{-2pt} - \setlength{\myhi}{\pyy} - \addtolength{\myhi}{-1\py} - \par - \parbox[b]{\textwidth}{% - \rule[\py]{\RW}{\myhi}% - \hskip -\RW% - \rule[\pyy]{\px}{\RW}% - \hskip -\px% - \raggedright% - \CNV\FmN{\@chapapp}\space\CNoV\thechapter% - \hskip1pt% - \mghrulefill{\RW}% - \rule{\RW}{\pyy}\par\nobreak% - \vskip -\baselineskip% - \vskip -\pyy% - \hskip \mylen% - \mghrulefill{\RW}\par\nobreak% - \vskip \pyy}% - \vskip 20\p@} - - - \renewcommand{\DOTI}[1]{% - \raggedright - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@} - - \renewcommand{\DOTIS}[1]{% - \raggedright - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@} - } - -%%%%%% Peter Osbornes' version of LENNY DEF - -\DeclareOption{PetersLenny}{% - -% five new lengths -\newlength{\bl} % bottom left : orig \space -\setlength{\bl}{6pt} -\newcommand{\BL}[1]{\setlength{\bl}{#1}} -\newlength{\br} % bottom right : orig 1pt -\setlength{\br}{1pt} -\newcommand{\BR}[1]{\setlength{\br}{#1}} -\newlength{\tl} % top left : orig 2pt -\setlength{\tl}{2pt} -\newcommand{\TL}[1]{\setlength{\tl}{#1}} -\newlength{\trr} % top right :orig 1pt -\setlength{\trr}{1pt} -\newcommand{\TR}[1]{\setlength{\trr}{#1}} -\newlength{\blrule} % top right :orig 1pt -\setlength{\trr}{0pt} -\newcommand{\BLrule}[1]{\setlength{\blrule}{#1}} - - - \ChNameVar{\fontsize{14}{16}\usefont{OT1}{phv}{m}{n}\selectfont} - \ChNumVar{\fontsize{60}{62}\usefont{OT1}{ptm}{m}{n}\selectfont} - \ChTitleVar{\Huge\bfseries\rm} - \ChRuleWidth{1pt} -\renewcommand{\DOCH}{% - - -%%%%%%% tweaks for 1--9 and A--Z -\ifcase\c@chapter\relax% -\or\BL{-3pt}\TL{-4pt}\BR{0pt}\TR{-6pt}%1 -\or\BL{0pt}\TL{-4pt}\BR{2pt}\TR{-4pt}%2 -\or\BL{0pt}\TL{-4pt}\BR{2pt}\TR{-4pt}%3 -\or\BL{0pt}\TL{5pt}\BR{2pt}\TR{-4pt}%4 -\or\BL{0pt}\TL{3pt}\BR{2pt}\TR{-4pt}%5 -\or\BL{-1pt}\TL{0pt}\BR{2pt}\TR{-2pt}%6 -\or\BL{0pt}\TL{-3pt}\BR{2pt}\TR{-2pt}%7 -\or\BL{0pt}\TL{-3pt}\BR{2pt}\TR{-2pt}%8 -\or\BL{0pt}\TL{-3pt}\BR{-4pt}\TR{-2pt}%9 -\or\BL{-3pt}\TL{-3pt}\BR{2pt}\TR{-7pt}%10 -\or\BL{-6pt}\TL{-6pt}\BR{0pt}\TR{-9pt}%11 -\or\BL{-6pt}\TL{-6pt}\BR{2pt}\TR{-7pt}%12 -\or\BL{-5pt}\TL{-5pt}\BR{0pt}\TR{-9pt}%13 -\or\BL{-6pt}\TL{-6pt}\BR{0pt}\TR{-9pt}%14 -\or\BL{-3pt}\TL{-3pt}\BR{3pt}\TR{-6pt}%15 -\or\BL{-3pt}\TL{-3pt}\BR{3pt}\TR{-6pt}%16 -\or\BL{-5pt}\TL{-3pt}\BR{-8pt}\TR{-6pt}%17 -\or\BL{-5pt}\TL{-5pt}\BR{0pt}\TR{-9pt}%18 -\or\BL{-3pt}\TL{-3pt}\BR{-6pt}\TR{-9pt}%19 -\or\BL{0pt}\TL{0pt}\BR{0pt}\TR{-5pt}%20 -\fi - -\ifinapp\ifcase\c@chapter\relax% -\or\BL{0pt}\TL{14pt}\BR{5pt}\TR{-19pt}%A -\or\BL{0pt}\TL{-5pt}\BR{-3pt}\TR{-8pt}%B -\or\BL{-3pt}\TL{-2pt}\BR{1pt}\TR{-6pt}\BLrule{0pt}%C -\or\BL{0pt}\TL{-5pt}\BR{-3pt}\TR{-8pt}\BLrule{0pt}%D -\or\BL{0pt}\TL{-5pt}\BR{2pt}\TR{-3pt}%E -\or\BL{0pt}\TL{-5pt}\BR{-10pt}\TR{-1pt}%F -\or\BL{-3pt}\TL{0pt}\BR{0pt}\TR{-7pt}%G -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%H -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%I -\or\BL{2pt}\TL{0pt}\BR{-3pt}\TR{1pt}%J -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%K -\or\BL{0pt}\TL{-5pt}\BR{2pt}\TR{-19pt}%L -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}%M -\or\BL{0pt}\TL{-5pt}\BR{-2pt}\TR{-1pt}%N -\or\BL{-3pt}\TL{-2pt}\BR{-3pt}\TR{-11pt}%O -\or\BL{0pt}\TL{-5pt}\BR{-9pt}\TR{-3pt}%P -\or\BL{-3pt}\TL{-2pt}\BR{-3pt}\TR{-11pt}%Q -\or\BL{0pt}\TL{-5pt}\BR{4pt}\TR{-8pt}%R -\or\BL{-2pt}\TL{-2pt}\BR{-2pt}\TR{-7pt}%S -\or\BL{-3pt}\TL{0pt}\BR{-5pt}\TR{4pt}\BLrule{8pt}%T -\or\BL{-7pt}\TL{-11pt}\BR{-5pt}\TR{-7pt}\BLrule{0pt}%U -\or\BL{-14pt}\TL{-5pt}\BR{-14pt}\TR{-1pt}\BLrule{14pt}%V -\or\BL{-10pt}\TL{-9pt}\BR{-13pt}\TR{-3pt}\BLrule{7pt}%W -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}\BLrule{0pt}%X -\or\BL{-6pt}\TL{-4pt}\BR{-7pt}\TR{1pt}\BLrule{7pt}%Y -\or\BL{0pt}\TL{-5pt}\BR{3pt}\TR{-1pt}\BLrule{0pt}%Z -\fi\fi -%%%%%%% - \settowidth{\px}{\CNV\FmN{\@chapapp}} - \addtolength{\px}{\tl} %MOD change 2pt to \tl - \settoheight{\py}{\CNV\FmN{\@chapapp}} - \addtolength{\py}{1pt} - - \settowidth{\mylen}{\CNV\FmN{\@chapapp}\space\CNoV\thechapter} - \addtolength{\mylen}{\trr}% MOD change 1pt to \tr - \settowidth{\pxx}{\CNoV\thechapter} - \addtolength{\pxx}{-1pt} - - \settoheight{\pyy}{\CNoV\thechapter} - \addtolength{\pyy}{-2pt} - \setlength{\myhi}{\pyy} - \addtolength{\myhi}{-1\py} - \par - \parbox[b]{\textwidth}{% - \rule[\py]{\RW}{\myhi}% - \hskip -\RW% - \rule[\pyy]{\px}{\RW}% - \hskip -\px% - \raggedright% - \CNV\FmN{\@chapapp}\rule{\blrule}{\RW}\hskip\bl\CNoV\thechapter%MOD -% \CNV\FmN{\@chapapp}\space\CNoV\thechapter %ORIGINAL - \hskip\br% %MOD 1pt to \br - \mghrulefill{\RW}% - \rule{\RW}{\pyy}\par\nobreak% - \vskip -\baselineskip% - \vskip -\pyy% - \hskip \mylen% - \mghrulefill{\RW}\par\nobreak% - \vskip \pyy}% - \vskip 20\p@} - - - \renewcommand{\DOTI}[1]{% - \raggedright - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@} - - \renewcommand{\DOTIS}[1]{% - \raggedright - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@} - } - - -% - - -%%%%%% BJORNSTRUP DEF - -\DeclareOption{Bjornstrup}{% - \usecolortrue - % pzc (Zapf Chancelery) is nice. ppl (Palatino) is cool too. - \ChNumVar{\fontsize{76}{80}\usefont{OT1}{pzc}{m}{n}\selectfont} - \ChTitleVar{\raggedleft\Large\sffamily\bfseries} - - \setlength{\myhi}{10pt} % Space between grey box border and text - \setlength{\mylen}{\textwidth} - \addtolength{\mylen}{-2\myhi} - \renewcommand{\DOCH}{% - \settowidth{\py}{\CNoV\thechapter} - \addtolength{\py}{-10pt} % Amount of space by which the -% % number is shifted right - \fboxsep=0pt% - \colorbox[gray]{.85}{\rule{0pt}{40pt}\parbox[b]{\textwidth}{\hfill}}% - \kern-\py\raise20pt% - \hbox{\color[gray]{.5}\CNoV\thechapter}\\% - } - - \renewcommand{\DOTI}[1]{% - \nointerlineskip\raggedright% - \fboxsep=\myhi% - \vskip-1ex% - \colorbox[gray]{.85}{\parbox[t]{\mylen}{\CTV\FmTi{#1}}}\par\nobreak% - \vskip 40\p@% - } - - \renewcommand{\DOTIS}[1]{% - \fboxsep=0pt - \colorbox[gray]{.85}{\rule{0pt}{40pt}\parbox[b]{\textwidth}{\hfill}}\\% - \nointerlineskip\raggedright% - \fboxsep=\myhi% - \colorbox[gray]{.85}{\parbox[t]{\mylen}{\CTV\FmTi{#1}}}\par\nobreak% - \vskip 40\p@% - } -} - - -%%%%%%% GLENN DEF - - -\DeclareOption{Glenn}{% - \ChNameVar{\bfseries\Large\sf} - \ChNumVar{\Huge} - \ChTitleVar{\bfseries\Large\rm} - \ChRuleWidth{1pt} - \ChNameUpperCase - \ChTitleUpperCase - \renewcommand{\DOCH}{% - \settoheight{\myhi}{\CTV\FmTi{Test}} - \setlength{\py}{\baselineskip} - \addtolength{\py}{\RW} - \addtolength{\py}{\myhi} - \setlength{\pyy}{\py} - \addtolength{\pyy}{-1\RW} - - \raggedright - \CNV\FmN{\@chapapp}\space\CNoV\thechapter - \hskip 3pt\mghrulefill{\RW}\rule[-1\pyy]{2\RW}{\py}\par\nobreak} - - \renewcommand{\DOTI}[1]{% - \addtolength{\pyy}{-4pt} - \settoheight{\myhi}{\CTV\FmTi{#1}} - \addtolength{\myhi}{\py} - \addtolength{\myhi}{-1\RW} - \vskip -1\pyy - \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 2pt - \raggedleft\CTV\FmTi{#1}\par\nobreak - \vskip 80\p@} - -\newlength{\backskip} - \renewcommand{\DOTIS}[1]{% -% \setlength{\py}{10pt} -% \setlength{\pyy}{\py} -% \addtolength{\pyy}{\RW} -% \setlength{\myhi}{\baselineskip} -% \addtolength{\myhi}{\pyy} -% \mghrulefill{\RW}\rule[-1\py]{2\RW}{\pyy}\par\nobreak -% \addtolength{}{} -%\vskip -1\baselineskip -% \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 2pt -% \raggedleft\CTV\FmTi{#1}\par\nobreak -% \vskip 60\p@} -%% Fix suggested by Tomas Lundberg - \setlength{\py}{25pt} % eller vad man vill - \setlength{\pyy}{\py} - \setlength{\backskip}{\py} - \addtolength{\backskip}{2pt} - \addtolength{\pyy}{\RW} - \setlength{\myhi}{\baselineskip} - \addtolength{\myhi}{\pyy} - \mghrulefill{\RW}\rule[-1\py]{2\RW}{\pyy}\par\nobreak - \vskip -1\backskip - \rule{2\RW}{\myhi}\mghrulefill{\RW}\hskip 3pt % - \raggedleft\CTV\FmTi{#1}\par\nobreak - \vskip 40\p@} - } - -%%%%%%% CONNY DEF - -\DeclareOption{Conny}{% - \ChNameUpperCase - \ChTitleUpperCase - \ChNameVar{\centering\Huge\rm\bfseries} - \ChNumVar{\Huge} - \ChTitleVar{\centering\Huge\rm} - \ChRuleWidth{2pt} - - \renewcommand{\DOCH}{% - \mghrulefill{3\RW}\par\nobreak - \vskip -0.5\baselineskip - \mghrulefill{\RW}\par\nobreak - \CNV\FmN{\@chapapp}\space \CNoV\thechapter - \par\nobreak - \vskip -0.5\baselineskip - } - \renewcommand{\DOTI}[1]{% - \mghrulefill{\RW}\par\nobreak - \CTV\FmTi{#1}\par\nobreak - \vskip 60\p@ - } - \renewcommand{\DOTIS}[1]{% - \mghrulefill{\RW}\par\nobreak - \CTV\FmTi{#1}\par\nobreak - \vskip 60\p@ - } - } - -%%%%%%% REJNE DEF - -\DeclareOption{Rejne}{% - - \ChNameUpperCase - \ChTitleUpperCase - \ChNameVar{\centering\Large\rm} - \ChNumVar{\Huge} - \ChTitleVar{\centering\Huge\rm} - \ChRuleWidth{1pt} - \renewcommand{\DOCH}{% - \settoheight{\py}{\CNoV\thechapter} - \parskip=0pt plus 1pt % Set parskip to default, just in case v1.31 - \addtolength{\py}{-1pt} - \CNV\FmN{\@chapapp}\par\nobreak - \vskip 20\p@ - \setlength{\myhi}{2\baselineskip} - \setlength{\px}{\myhi} - \addtolength{\px}{-1\RW} - \rule[-1\px]{\RW}{\myhi}\mghrulefill{\RW}\hskip - 10pt\raisebox{-0.5\py}{\CNoV\thechapter}\hskip 10pt\mghrulefill{\RW}\rule[-1\px]{\RW}{\myhi}\par\nobreak - \vskip -3\p@% Added -2pt vskip to correct for streched text v1.31 - } - \renewcommand{\DOTI}[1]{% - \setlength{\mylen}{\textwidth} - \parskip=0pt plus 1pt % Set parskip to default, just in case v1.31 - \addtolength{\mylen}{-2\RW} - {\vrule width\RW}\parbox{\mylen}{\CTV\FmTi{#1}}{\vrule width\RW}\par\nobreak% - \vskip -3pt\rule{\RW}{2\baselineskip}\mghrulefill{\RW}\rule{\RW}{2\baselineskip}% - \vskip 60\p@% Added -2pt in vskip to correct for streched text v1.31 - } - \renewcommand{\DOTIS}[1]{% - \setlength{\py}{\fboxrule} - \setlength{\fboxrule}{\RW} - \setlength{\mylen}{\textwidth} - \addtolength{\mylen}{-2\RW} - \fbox{\parbox{\mylen}{\vskip 2\baselineskip\CTV\FmTi{#1}\par\nobreak\vskip \baselineskip}} - \setlength{\fboxrule}{\py} - \vskip 60\p@ - } - } - - -%%%%%%% BJARNE DEF - -\DeclareOption{Bjarne}{% - \ChNameUpperCase - \ChTitleUpperCase - \ChNameVar{\raggedleft\normalsize\rm} - \ChNumVar{\raggedleft \bfseries\Large} - \ChTitleVar{\raggedleft \Large\rm} - \ChRuleWidth{1pt} - - -%% Note thechapter -> c@chapter fix appendix bug -%% Fixed misspelled 12 - - \newcounter{AlphaCnt} - \newcounter{AlphaDecCnt} - \newcommand{\AlphaNo}{% - \ifcase\number\theAlphaCnt - \ifnum\c@chapter=0 - ZERO\else{}\fi - \or ONE\or TWO\or THREE\or FOUR\or FIVE - \or SIX\or SEVEN\or EIGHT\or NINE\or TEN - \or ELEVEN\or TWELVE\or THIRTEEN\or FOURTEEN\or FIFTEEN - \or SIXTEEN\or SEVENTEEN\or EIGHTEEN\or NINETEEN\fi -} - - \newcommand{\AlphaDecNo}{% - \setcounter{AlphaDecCnt}{0} - \@whilenum\number\theAlphaCnt>0\do - {\addtocounter{AlphaCnt}{-10} - \addtocounter{AlphaDecCnt}{1}} - \ifnum\number\theAlphaCnt=0 - \else - \addtocounter{AlphaDecCnt}{-1} - \addtocounter{AlphaCnt}{10} - \fi - - - \ifcase\number\theAlphaDecCnt\or TEN\or TWENTY\or THIRTY\or - FORTY\or FIFTY\or SIXTY\or SEVENTY\or EIGHTY\or NINETY\fi - } - \newcommand{\TheAlphaChapter}{% - - \ifinapp - \thechapter - \else - \setcounter{AlphaCnt}{\c@chapter} - \ifnum\c@chapter<20 - \AlphaNo - \else - \AlphaDecNo\AlphaNo - \fi - \fi - } - \renewcommand{\DOCH}{% - \mghrulefill{\RW}\par\nobreak - \CNV\FmN{\@chapapp}\par\nobreak - \CNoV\TheAlphaChapter\par\nobreak - \vskip -1\baselineskip\vskip 5pt\mghrulefill{\RW}\par\nobreak - \vskip 20\p@ - } - \renewcommand{\DOTI}[1]{% - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@ - } - \renewcommand{\DOTIS}[1]{% - \CTV\FmTi{#1}\par\nobreak - \vskip 40\p@ - } -} - -\DeclareOption*{% - \PackageWarning{fancychapter}{unknown style option} - } - -\ProcessOptions* \relax - -\ifusecolor - \RequirePackage{color} -\fi -\def\@makechapterhead#1{% - \vspace*{50\p@}% - {\parindent \z@ \raggedright \normalfont - \ifnum \c@secnumdepth >\m@ne - \if@mainmatter%%%%% Fix for frontmatter, mainmatter, and backmatter 040920 - \DOCH - \fi - \fi - \interlinepenalty\@M - \if@mainmatter%%%%% Fix for frontmatter, mainmatter, and backmatter 060424 - \DOTI{#1}% - \else% - \DOTIS{#1}% - \fi - }} - - -%%% Begin: To avoid problem with scrbook.cls (fncychap version 1.32) - -%%OUT: -%\def\@schapter#1{\if@twocolumn -% \@topnewpage[\@makeschapterhead{#1}]% -% \else -% \@makeschapterhead{#1}% -% \@afterheading -% \fi} - -%%IN: -\def\@schapter#1{% -\if@twocolumn% - \@makeschapterhead{#1}% -\else% - \@makeschapterhead{#1}% - \@afterheading% -\fi} - -%%% End: To avoid problem with scrbook.cls (fncychap version 1.32) - -\def\@makeschapterhead#1{% - \vspace*{50\p@}% - {\parindent \z@ \raggedright - \normalfont - \interlinepenalty\@M - \DOTIS{#1} - \vskip 40\p@ - }} - -\endinput - - diff --git a/doc/pdf/plugindev.pdf b/doc/pdf/plugindev.pdf deleted file mode 100644 index 9cdeeceec10d8cd9e7abc6c33c1579e8e2090768..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 140170 zcmb@u1z1#D)ILskNk}RqT>>)mglzAfj5XcBdq3j=S8%F^Gm;shLCID`36ebCM z3qw0200)=_@cj>kN!ZxTPTvN=By6T_r~gD>*HTX(g_jq_*3L#>+Z@Gd(p*8(a)BAE zZbiunGj0;LO{!DLKkAjA2uXP%ipo|TRZgfpHtu}CXM+a|&ScRsl*|2wMCXH79PE54 zV>naC#TM8zrbi1>SNcZNS(jBj2<+?%b7~kxkNCL8svV|zc=A@#El0QCT68IVSU+BQ zB&}iJbCGRNzHyV)T(?ytjdGqh6@I}p@iG`eyOgitBHUEMIgL$tV3~>i)v^0YT6f*( zBx1a}>M^1SH@uv2W{&RSOuZ@MTDHajCv&>VNsqGP;T*~3TM-S>g4XS-ClTQ`@dt_QIF*qGK zY>X$oSVUTIWyj-)pvc7}*hEYUtt@$EYOPor73+|Wrdk29wlEZ0@xkseN&;2_Ru=Ad zhRjtOl0c(tGsMI(M}Z_ZzfeNvoPO;@sHcAP5?O|=C94Ix5lW57x~Q*gEKpuqzdGey z8EuSTd?$%NoxnlafjS=&E+~m(&A1T2it8u0U}TfLo{UsPSVYS2`}thdhjeslB`Kot zTutuv68?2(enUqi>SuKh)HN;TKxp=XFrf4&=ezgyzkJvmbulAo*cm41I?>pSk~XcrI(jM}b41*o+|{HdOpoY0QAi?z#(*eD!bx!Weu3}49{qJ@G2Tsj zPsmN{of}{#-VHDT@^dKUX16uu=H*z(jlAY%pa=c6py7k-Ov?w?zM4Td^Y{yVhqw!T zOOQtRH^EHTIDCr*e(z2rl~MLcOCcvT!UQe@Q{fxb;!XBL6=d%1k-iFXZQD&>a3c8} zSR-+abfBT&>CS2OZ1KRl?j*U3`BWOlU3Yb~!@Xf=`iRADGqN*-)V-lS@`0kX{Vx8e zy{-xreG9!Gs|xZBvLaDH-&ZCIH#dMu4#4!(Qr;54^aMboYou)jS(A)FS^#7v{)mKJvU7IwC@f1F|aA8uo-uWM&)X~78m`9_?7+~}#kg}#lp8NkZS-q6?rplfNN zt8aDdzCh;R-WYUSLm*%cu8w<1}763PCDNbx6vzmaFEr~3rXQOoO&5;TU$p<8$E!vy|$ULo%2tUtQ@}{ zy)EbWhQaoeoIfo?od1a=E5OLo()1?@rrLVutZG0O_OEAd31a!Zp|IZ;#PX-1h*;X% zJ+!lY2r(2h^PglHLC$-n#zZ%g~V zX>i__2L97D1KxjqD!ER1b$&C{Rjmi6}*0Q?CnSpPHu(XWtT@dJho zwROz&|FVO>Fpl*%Q%}eE6E3j+IrE|xdiqX(>G?m*sVeK&-pWF}AY(iATcFGKqhGh3 zCsq!&fA2iWcSS&)r`i?zT11NF#(6{v=8z}=W^fBeCUoI3O0YILKQ`s(#<}8x6j z%qJsD?`sOS40acFAE_*lG(~h5;HH)r7D*aB9q4o4LPxNUQ)epQoGt7zpDix8T*%CS zU%1uEtkSXZepTa@le)o*sfFvvjS#&n-KShQ=T<92&q%gMtS@9XL$)^+Q?jf?I4F$H z63izv=;r)f;$*qVXb{$7&#?qsr(Qgdb+(nJ#t_-2eYj7yv3C z9@bG^_44OdCL`R%V^v6odR}_>h;|>Kgrl{eMm`vYc&{aQ!GUQ&0*|=?E@e++uwUro zOYrn0oCdD5oZP9>COsvOYluk9I|TP{ zStNg90a4BBQ=HiwUBG14tR_AO8|FWK2ex0h_3Z4-|K2hcx-2r8ac2(jQiQU5$-+yV zDHL!&vZZ~@z+@dUDyQYRmxVy~g5msRQ5R87sT69)c8-Y=;?q~K3>;dzwC~V359D5h zhFx;*J9Mlr=d5mY@jI?OEhL@^8yw>>#PNd>OK(8c^r%WvM^9?%JGDvJ~Nh3c!Ko}AD~SR+z{~K z0JvMfmGqe?wDy4wF3Vuq(OJl54ev`8?b<8u*GJkzTNg$j$PVzyAx^z?a#x?xH5lw- zRO4uK@eXL^%6Xp;ED!@$DHhEdkQdxiB3`gf?9R1q z!n0ZJc(0H~Jw`#HkbH)9PA`YVbibU`K6@ZL+Zhiv<*t7A=m1@SuM-eNPvlz#C+Cy{ zhqKIZ+&#$5+08jj%W799mKG(I6G9!3=$+_l03-JiJsuSHR(8I-77dROIZb?`aZnM} zIQThU7G73>0AjnWEpNQW%?$b&V^xOu7eU>~I{~1`gvM!Ia4^+~i>Lyk&dD${Obt`|D8J8FL z@SgdRUv^yhT6?h!lNtPw&nEgl`< zO8ef5N$CD|_H#d1+IYyxJKNbb&2_kQ5rKK!!gJX-y>u7B7w1-)iZA?KA1XNM=zRuW zc7bZy20ig{uZI(6Gg9d=PE_2313BsM_XecFn{ubUIu6fOB|8laC#< zp0BnQ@j^krVPVaRu;x_8bMC&Oqhn8c&E}%j^&MT(i>axhip>?LRkpoXGh>lGi|-zJ zCi;*DZeI;{s1DyC`k$5)%Ob7oo%HRc2IlT0Bl-ue%$&Kq#2}O+>*IX-ax`bny@kpYYCJDQdUX1Dbj=N`hOl;y(@xq?{aPfoMvCjgF`FoGC*TvHNb6dF%K<5K%u8yn4 zU6+>+6DBUl4)^Wu^ZE5az8Y^XRua#?zXtj05eAGa(j7Fz+FA`kTOR+r z9_OZXs^Fsxjh^`I#FQmzgfa6d`3g}kCJW_i&x*wlDZohyTRdz!JTWcu$~$K8#F(#8 zE%a*}r!($uawx$jbQ^oqH-*AD@o#$ZlysxF;#o=7LRq}zgDOsx(^1iBHQMhZ)_OSZ z?aSsvKRg&u@WHP4B}pX!fgSz2{o?NP(~C5(k8=X5lGmIZM*GES$y7HeS0?+8{bKB` z^Ti(7$(NJX z7kpUaZjuaV#LIpG23M-r1=s!4D4zP!L$WvdBgk@|{!Zdoc;_FQ8<6t!t2}+aL|^F^ zLYi+q8EDu^Kk(`IO5l_*`G!nl_bcNrj*Ka4(VIO;aPdR?hS0r>XL%AegE|<$6;^ zTuhTUWcJ=ad;O&Xh4VF~@WTY0u4x~F4I0hhL`avJUk+~S{i%v}!(jJNtNKf3EQ7JlK3bJy5^_34`F9&j|{ z3va@KtYUL%6v5}>u;HUtY|_fH_-6*faG5Q z#}8ljXW#(+@Dl$;ge_j&a*7$PW9J%oHvO?KodQ( zdLh_wB{2vp)Cq*UOmvBgU2Cx5y>gp=Y2oBRd`21US#@A_Pql)!VM}_TN0PN{EOUct z?)8S+O5IBFUZ1rQ=?rE4L((^a*H&lT=pL(66{ahfc{iBvw~zV{u*RwD-EBPC=GOU= z;e@&GFmpGuRSceXn91|{rq z?!B+4(ioll?BYVGiN&-*Oi;X`Ur(vAoX{vr*;v$HWc$waU8q6g7}kaJ8r=@AQylwy zExxy}#g578i%@Oa?fHAF7(0_Td}H6FN7QiMDLF4zD$F+O z#8tp)EQQx{S$-LDCNJ(KcDA4GEI1I>c+I}QUK_2n5^l!9q|M3n%tnKwXrVSr$+_h$ zIAGS_%pg&V#2@|aNg{rrtGtqNZ*$9MLdeJk&yzH!L2?Vy+xdU25%0$y$ zQRti^;tuc*qHJGi>EDaLGkuRfjy{2vo3t2M6|%s-d!Ig}!3*+@iRc~P*fV{#r~Z4% z6sZ@FjScd=o4Nh+>Ke3!8`AfJPgD&K6I%06l)6`ogZ)p~yXX6urK8W!2$$(zw3nti zU7nD&yb_}2q1S2fh#xrrWGm%C>X{RqaOF_T*Dkkv-5GH5w7izj=Hmsq66B-jf}FjU z&x&_tXR%Ap;854|Q?^Hyo^XRsfFrms$lZPa6=8>|0ZGH+^;6HLt4OoTo9Krpkk(g` zYSuU8W79XC=qG&dQVvdBG9b-S4T6-!4OSH--A&UmS&s_+@Auoz30NBSaHX&8F!#Q0 zXzIU7+JBpN0(N(WZx=jMsFeEP60wq`NT4go_O|LGt(fXFC)L$FPWmwsp-J(x^y4Ik zVU3u;NmIMLIs<%@Vp@SMR;pnQIsZx1bs1O5mPu2bqI^lgtq)|w8uXA4x?zoE$hiX< z*FuaBW7`5-AB6JiM*SvD&GYKY(LRhRrXNpo4Qov8R(y~+ol?n3KaM9Go|O%lRDH9= zlW1Xb5RSHOX4R%v6tHDalB-HSE4T-Pq|_j|6JM}y%+bVf`T5@1T%xxJc!1Au@r~^- z5akEOzl|s$wtpY9uajw#YGFpJTcLL|!$giqrdq>;#u1Fs`ogva1(wIT=P%_u*P%?# zR`N&|`%$l}M<4$xlr|Of(;jLcgr~Jw8s#vyOOj~|3_B&hLmT_!pKqR}HWb~_%M4@v zcw!RXZ=>J4n^Usu-e}hJyssqi>7Lc_8B5)lJ^hp$P*7;{Cm6z|+950rew>0dcvI16 z2P~E6c#hdcp&Yy&B@_$+>a-uv7V765lTTV9M8u`{l7!n+Y ze1QZqSl9q;U!xsggBmRC0JiS|4oEziNyf%fS5Ds!pbF{!6JY?8yuOni;I96S84)FB8LJggBR?#ZE)D$We@+GaZD;$JQ}IoSpQZvbZ2zaJV81;;kg514 z8!{}vnTl`X{;-z6joIzd;`|j8|ARLCi_zK|@3Bc{#)6uEB%PkgnIO~j_!pHTIpR=_aJ{EEf_2U&Q6QDfZk-sSQunV zY7##sF9aB|Ca7F!3N;^Q=oR13D?_`hV3L}I&%wR`e(1;j`0}2EUcR!J8bgR`{N@68)fe}0PM`pnIW}wp zP3yI9U%ytCje>CE#+^ErzW5k0``jW~8cJ`uvbw>|EO7BY#sV&5(7h!5nM9r z-oy*8T7O}NNoMgQd)*!}yoUw(v(k%sVyImS>*58qHb9~$C7?h?EJ167#Ul)j%%e7k z2|MHdS+HBd-e;>*?2rwLS*-`IwKO+;aL2_+wft#4FK85GrQK}lLo=OBs9n=Rczksr z9h@=$&lh$z+v@66wH5wNZ$Bo6P5@LGEH*weerlCC?g4!oTwf6mJ2SsGBE-)*S2ej` ztx{VReviaMCqPRDcPx2F{TWDiZv7o2x%W~;{Q0%KpMtX{16?s4w>s_n3E`Oh2sI)5 zcn8trE@9Z@E><2|^7k4<-&G;>)Z3(J08WkeB?PdbxZ-7dbsL484Qj>9QT^tj^*+K{z*^ql31gxXcmHILjqMbko3y4CuL z(xxyYmN3nrQHy&zD3sZaTq;!|Da9oiIUe19qr;Ee1o+R;M|hdkR6p@(&cI9^cJ73lF7h$(vUyF|**JctP5%~RnfNU%EbVL|=*9jGtO4v_kyaMK{uMbPAKx*L z{X5)oe1l~G$2a5vaC`+FSpdgZc!PX=Lv{ei_q#xXy5A0dzYE9ryWC#p-=zHk2j6@4 zO%oI*IeQ(uZ<~pPv4trLlK><^qi^$Vn_yOF5@8Z$5>)*vpBb`S$U-ti5C8%)GBbk# ztYB6~Ru(V-2x4Odg4hA9tYAh~AP{mH|2GK#pHqT=Z8P6G|KDiE!OF-9<^Zs=02x^! zNeK{;nUM`LjF9h)U@+S+wfZYz^*wcPORwAe*#E!L`a>@uCnGBdI{?JV!U*F0swXoe znDf`8^_O1XlMc7^`jG(mwpso+dNH#zvatXmda*MCA>INjkOMNStiKtr@7ao5dVRIm z|8yR~oNSEDtPr)>7+HX909Ix;$ngC}tM94KzqIoFnIWzlm;(ec{@;w&_vGmGc(oC2}3GO}<2z!2@&fxjE9@2S>XYTfqc{+q!9b1;HHoRHB1GlC%y0cPc3 zWd9vPe9z3@QtP%?_TQ+*!o~=2^)cR^$U^Ye$X7F!j@p}&UmR`5H*MFlIhy{YI zkfjKQAS=YJ1+#z|Il!F1(d$Rj_m*O}8O4927!aZuhyws(fj}x`;J_ddBM0a22JAf zD}aTAlM%@BzwSYQB&PowF3#I90ih$`T&CaC5zgDo`0ver%?!UeR)6&WFJ=ga=>OgK zVG@RzCFges=r&{gS1b{-2miHY{U|I1LTZ5iZNB7BmiRamwF=F<%-bj3rz+YfKR6{i zu}Z*(QOWMDw*ZRFxOmg!zVShUbdt9;N=>cZFd{27aJKL^oc>m8HH68u&)1cc2oq`j zvb@8XfrBhyuq=}3v!Kz=?%^=>Js;I2qGos~co<@jU-+v3wA;Uh1HN_fCtsEGo16G= zebrl&etUoaI(y&!%-?a)Z{q$rgMV@Re>GD;=G!LsW2#sov5tQ`RpIiIwo?GCx(y|( zSOXIjBtJXzWP>EBLClSKJ+AXcHaUiD5eKT9`q0PaFV6cz$JHGYPG)_OCdqt?GBNcJ zuWggkVekpNWUBZju)BjEzgT&RPfMq2N9rk=7Zg_*CrJ=|@jw}v*fH0mUGT_q?s%(- z#?n)k@hVT^1`b|s^*l{=Je$H}1(q-F*$5U2O%6=ymy+7xqED;RPoRnUaYYfBIpUvW z7?95JVGj#jBHVd(m(wNX{c(^X=UarrOwv2b`wMPOT}K&kG4j2!&(prFX3<8b!rU|5 zq2|)g1m!qR^v#Z_>)tyat&yAyFK3@!qh8i{NLqCz>#|r;=wA_5WUj9%aKLy-80)U^ zyg+?vn0I}aN}!cPIhY~5>ovx^at%4daucJsMbOMfNHA|{+WfIn)+`YE;DS45izAxz zYG>;0Ml{%G6BVqEMd4Q@9_QYzkr^X-t1x4vA<*nM`dYzQZbbMsu>}rN3RyLA+zf>k z;TvJ}Q$OVeGIV^4!dTQ6v?ZMYa0`eD;P`1z#MAp4)9;;mr)IC3h(xGc@7&=w$OdJ_ zx2jlp#*ueksayudCr0+&Up z4Gs84O@ukIXDz%QHT1>XpN?8z7@{47^*&xz1$aWo_^?9%bGZQ_F_FIjhi#Hqcd@sYQ(b*ms?*fqjboJ~G&C~r`h0yVg!rBVleQA_ znzrWaP}3tplCk6y&>Z>|fnZ{B%g&inP|H(nJrgdA^D_NGLw_d}AomU?jIf2wo4C~c zV5QU$IR+R;AR3p=ZnZ)e9)Id7A=aom>fD(LYI`{{Im2*fhF~`N^_~e@2+zd&TrmN^ z0j=~$?ecW8NYfki9w4xFu zy}kfw!QxPNPC4SwHb>&L*xos3K-szjhoc+7*L!*(V9o2AOFxsfU z>uKG$-z*UGZ?T!%Nm?bKxW)Oo+&-QM+S0pbqcd#TXFUMqM$l%J~AJ<0euQaY6YPVO|e%?a>g zC-xY`Q_2+?t12)e*C7TclIGGVERjMLly+i4M{4^M=~mrSx#dHTGC0bF?4{dvWYel( z`S@)+fM<=kqP$*agMvysgMn4^fW`i4gZpg7`+Oah45RAm2{_@p22VHJlg}m!@bW?lsGD%K?~7xbH^Eq6`Md4w8h)92tNq zsn&%Sf*(Y8YP<}tB|}ptd1|2~+fMiyMnu8m($J5*p=7W41XFxaB?HGX3VU;UqUEI% zrZ$gXR)DA>?#_Do!_{fEXKAq{3rhMxMlIqj^zk5S0soRjs+uIMHVe)5*F{_cI~e*( zoA+*b39a$f!{3p;G!DY9P88u6drT|B7vIvT_!#^F51GAIEj=6

4BJJ+9?6>xD`L zbg!MR*0_6x)-a$xEFtYzo$3svKW~-zCgOh6_xBdSf4MjYaL@YAfo6i~*S? z|7_o`StF!bRRY1J%+TP~*S+P&3T2P_#}hkCJYYa=h)Se#f&5jdvxB>?>}n!S0^5&B z-8)(6KboBQCG**~!NU6-(qANl3^4I2QSM19Ue9$)UdmWJ@b3|VYNjIN62+87r@QZ^ zJ}gvO5jaFQucpF&prCl)MqHu@u~9L%%38t;=p1{lW+#v0BTb5M9kMjor5i>OJbr9x z7?E}xU+ zQW4Uo_(@cX4eZk0;h)Nu@oc^W%RhptRr+>>67OjVhk?V(H5{s<*Do=w-GvZ#(|HWz z{CVa?s6E$uNCfgF;%x-DE%PXJK(9{Ig(9Z=tM{vFDkMwBZR5yw-ljt9tH;Z;9^>P$ zw-;@v9G_FmnImJ~q;Zo&iM@YTiqnp!g4?ImPqb?^xqB+=X6BUPB^14$oN_1fxrkM% zSKG%@ZVt27%6BAELXXK0)2PA-!cv($-%0fT;elXy(X&M=eD7stpfPezKxPB4oriB$Z zmK5gADQWpez9V!XR;OoUjW7by3=MOXgg{R7?n{oaMbb=A>e7)d{!*?rDH#Q7EMI+u zkK_gEW;9a;muurWQgX+zyjamJR2t9bNz@BlGUgnxV|lvqs`eA^8ou!_7!>jY0|KfJ z|a16c5a#=ZiQu%v`@! zWGCI8t!vP@I#_qGzq&)by_8#%Ox%g5!!|IIvBEBs$6efyTZ2b9aruDUGf(L8qex*V z&1Bc7dO0@SMZTT0tbu5H<$_^ePZCEYGpF3umvG6g-=~>`w`oNRcHRnL)6B{ zg7r}b)apsXcvR*s=urx#ZJBR&YlddZdy(&dp(c^7Kp~mp>=%6BWArjt-DFaCHL1p> zfqk7FwK`Z&5m!agD?Ke>#DS#}o%+)UrPOZxko3Mrq>OAJl^3k;!VxmXYG7|zDe+T> zymOT%VE)PBdoAUpp$d6JePf~V4>R?{$q{K~ekt>K%@5RN8u1+1tJ9E-j4CF}oHHI6 zok|!-AZLqoE%0^3Hk3w%n~yo3HVa9rG-C7So6coM1-oK-MIqZ%3?Ch|zF`ce;Y{40 zla*}7jp8Os5D1EZdSY5bB$h{lOYFrV-ceGl_u?}PbkREbVKiPD3)ahlX+;&Q2XzI> zxk{@Xt7Jk)j|(JYlE*Rd@XJ>Y1Mo87&bq3BeQfRFP(V8mLd@Z*ZaiL+hw^C#O8L&M z(R*d`tn}@DU@sd?;fLt1)J@QJ_hGd9p7usAeiAD)E-N4Z^1OoRSvXgBPO`0G_eTAs zX(0=4ku>pXyr^pr#T_ZSZI&H<_Qfc8Xp2i3EnkhBG!xx)Q(rB{5B~3n>}_88d(8R2 zWc(~)3C*KTL-LIDu1Jt>87ov4f>pdm=WHXD3H7#6uLNfUtdseHZ*XaL3Ue-vh#_;T zac}xL4~DYSfc-ZPzBIEC5>YG#eGns;vE&LlY1%#9te7o+?TpRG) z!(g%iAnCir zg*+g{3S?shv#~&~`;lH_`kGy1;^*dO`YM5m|J$=|Oma*LvZ7!AX^iabthkt%9334Q z4K3^$Eo}^$Y%LA!93k}?OpqsgEX}n|^_gfP?(|)2UZn*BrX+cD~|4E38e{GQtWoe}@k?AOHhHjny;BoF`+&t`;Fm;Akq z1ql32I}jxA1BS4se>S|$bAKTa#KsCq`*HlD;om9P-#Q0^MBUjS+17tbyd50-D@yuT zjO}OU4tcZ)2+5~?W$us@f6@5cvDAM@+CaBw@&7>D3YDiKri8KGQ;PxnPoT+@+&`P! zLX)^|+LKV@IM+UJM1~77313YY@y{|KV>q6xcvFx}Mri^%CUVg#Jy%q>f3tzR^r#|Y zr?&odZ+T&Y{tj1gf*-e?g`!mJYmxR82|wFXJKkzbY6dHXI+-KC3yTqn9PW^r4IRhi zgkcY*hmQUk$Kw7iI||RtwSDf^%`Sesu9`XtiHPrgL%*7fe7_ME=7v$nV0TY-oD z;1(E7G#Gl>`H>Bu^k(-pWv8c&n>0nqLE2Mu62kUfhF2%}4eF=MBHc}z?i(_?$JG@k z1g;Noq~KiJ8Qkoakk}%9ERLFpfQu1&(Fv`QCM%D)gKMLx4Z`Jm?vJqUxwW5Pq^Suv zi)U1-Rw?$H*cqEfEao0NVQ~VTxMN2bJyzR-DI(`aLbZz4tKY0B!xzEMHA+~eCBPx0 zE9ZmcdM+RIZOilYb=B5cdY-^)O82~Zui*J1#(4Fj$hj)3q87X$d2Z}cye?kHp-a+> zi&4RW)+0{zX6_I}HN5`JJ(&^9i6)nAwej%9&;aXA<^{(AOgx&a$lhCMBZIAh<~bGA z##X;J;W|9~#rz&^k=?74Lp>Gz8E&(#rw**;B-_TLT$|QhxMR7a6}pVombrYfYr^P? z=KG<3X8YzH_0tcn! z@T(NT$d2?k1#e6a_8la|hgd@z8{}l%SmB4Z6tnG77)gir`Y#9@c~INyH7pJJ5Dqp{ z`D#55x-K=9O3#=YW@~S(+^@#j$Rpg=MUTEvXTRp(M$g)PPU0yV@<{YUr7)bSyYL&H zk81Z}O%`0aaXDCqlTuL(5!qU@sP#G}ZE)`7VH3qL3$oR_;jAozp=ugvZ2W0aM7zrs z*NW6zTvM`fQ)mKkbJi7-2;cbT^+r9xGpH4^&224Jl0D8N$RQCKvVto-?@}++6$|Q= z6n6_?%+YX9O?&s686S!p`c1Y9_Q-nQYZKP+e zU3qHak`_T)$-Xfy0Z07!1v3)`oNl%dbUbxkh8(leQR8Vgp%%XC8>)f>_-)y+3IQJCw-MqqR{Hjj_eYINNhWknKcTLD@YuSt zjq6j=jDzaPvVJx+Jb8OF@i{x4s`SID*c8mSZu8A$-O1?dQE*W9Xvyx`z$hr;u{dFB zyCr?a&G=7ts~IR+Szsj4Ju(`XljVRXok}8EXI1eJ(=uS>L_C~1@Z#C#Yb|S zwb>thG4FYnraC21pntrss%$z^y1xWf{NP^sGY*#B9_;?-1$OzF42^!<2Leji)yJy} z$%DEtlr=pAsa;36%$@2huDuN~WSU{d)yET^Dw?CE*`Yd^`G_obvzFk?GBIk8-!!)j zt6xD%9UDw0zudukg2qXXr9~|Ax>;?y&)8@#XScdUpQY?54ysR8;SJGlO~oTtRe=3j za|A5qH4y1u7?4({G?jM3bA_8AA|v+be!u$W(ZkTt>_eLUoa}gEXl_K4@{7WW+G+E< zZ`hKWm#VWybv(bEHZ^?`q$aHLum~0v@rH=i0iC7ph@*Tl9i@VQu;|z=%~O?0Je_E&Gz}(}waC(kjf2vg}dyqD&$c6?8t5I_5NDCNy{2 zep8F(m1OgDHs;DE3FwlGDAUD@0m4#bg!t77{;Z0gpgONRWZ>?~aGytrEJW=G$uDpz zUDHhzbjv=z>B*r(PjX&u(+1U!f*P;0Su5Zf3#GQCAEDAL(>LLa_LvjElgbhmj5-xJ+5W>J&$I)J zm$}F5JHnFhKDxq#npJXm&&$gu_8R8M@qv@;bxKM=nu{*UYL0J$J7d8h+=t-kQYCQ` z7mx90iRL`oCF0XtxVi#RTX#CVZQ!7_7CLQs@nO^m;IvwZ!cc*Sd=AG>UVxp&p)d;v zLJuu%i_%Fv3KLg((x;;+j3=T5s{sBY71o!W$HU@fb-hX#av$t?((DJpgk3>A$Y}5+ zuz1rrQ|hj-Bt(#BD3-um{Dn~+-t)t`jh_noju^$?W#MS{)u{Qgc6^~k}w(=G(e6L|FBy>MQV`L;icvZ_x29|FScx-~5#VS$d_KBfkEC4Q2R$gSVmlr_iX)FYUJcJCLM6U?{Pk|bBY zGp^hDh|4W-gvWg;@!B;Ei~n<5`3SXJbUFj{Bf$dr`HUr2(yHWOC*0??Wv8^wV+punlY^RaLu8u6 z#&xOd4J2kogc2Xf(GiSYh8$ewL#64+KLNt;wRwvXD21}zjgf(Se9s6y-JM-lNkp2W z$-D1W5es~ti+3v827OkIKCen16n_Y*D)a6_OT>9j)?!~@9@4vzCxe-40yfFW5y-Vr zl4s+ShDY#snI;CzryI?&kml;xt_huF9>ZI>QM@y&;1xLIYTKKkre*A2p?Z66KjTAo zZkbC@2W{+RkKQ)|f4Y|%<$dUM`sD`j^hPR<#7eu7$zCf63*lXFE7Ry&`3KJg0ZLAE zPDjl&bg_`idWRcWj@Yta6g>k$w=+w>&VYS$3V$YTps#NG?=xV(AZ_2?RskVx-`+SO z`%{fK@Q*iH+#--as+E3E+8|XBoRG347D&CwSC<+HVr685q}x~^btG)yuVqvJZ=CHb z#j#~H*0(eGM%#?+%*~i=40OSe9x;CX@i*4?$NMw>FPa0tRx^IB-1tLv4t7RnNa@Re ztU4Qnk^NHj+ci92+08eL_&ss^#=8F?s{d#QDRp87K}w5$L8rdi&L0hbO>TZBG`Dk< zf7XWlJ3jNrYd~%%p;*`hexHOYBr>&KEZ?i~^skRg;RI4Z@%GzsElzWOTuMq= zw9VO~AVjBpcGomSUgQ)0&BZn>6lsR;oCM#U=iH7ZJNoY`HQ_>c80)KQPS;flnaYZF z?=WpUphm;hBV`C>$Z8r_RZcN_?D47vL?^Is)K=koD^(Cgl-BRv za^#fq?Cv^8LPa{9$scbvB5<-Kuu4vF9!-KzCl#)*yxiIj4Be;+onsQHRDFkpAM9mH z!-xE$ZP{wC%d$xab(i$6Hq^;?g8+_X2b^)QY~9Ulu$;^t6O z5KebYB_|bXWSlbh9&2%I^Um;D;ns80O?p=(eJ>J-BdBX@l2i+NM34@p94891!M4aw1U(z&{(RuGS^(H9ax!Xs;`GSH0LoBbl_lst31GX) z_aH$S`U#9dvKv{th{humKhH2KluL{Eoq2R=I5g-jLr}b5i079xcnBzA{5b6uIfoUb z-tUx|&j-?k*9TFqFLS7YnXM3NuOh-F^W5@vy!Vlje1c4xPW|gib}rg3m^_q)`RCo8 zPU0VSk+?un)m7+X3qZKHb`3B_lreDZ6Yv~e7VNt#opCD-~LUYk(^~u8S8ULts9P@$8SHoRfD@bot%;# zm7ncDAadEtp^ZR5B%nf>&(FKtV@-bk#!f<0mU7Vaz|CgHJ;mJC_PCfIAf}s|p?8@j zczF|miUJf;|3|g{J@Tq zMePvD#;b>w14YNFqVTWDUo~>sM=%9B&q~6pQG2}T9Q$}832S1?q7czxmTaGM6*S!a zX^0|8Rh6|xgQ<*R>s&po$rwqnfa4$sIwqTggY==R@FuL2>DDY)ZgLNj`xk1j%_pn5 zNz!NDK^lf^MK_%oLT%nbRIhe*Y02$5vd}Pql<)k@n+lQDjR5BJUg!p?2zFkNGRS8_ z3Nsetuqb34e3#3)k7a4kz+6WHt?cgso z*FE4zTPcO9nNn3XZ&0=B);#fgkcWX+1GtEeg(l-Y2?=Hz{L-iS%xe!{d%x`xy;zzF zhV&$)pKVsSx9)SYK*Efs@c|Q*wpfNnqy$)sc=X{py|e*_a@bmWyO@@(4kfcO4yvFY z$%>_3P#6{!sC+q?`{2!6xklJV+c$Ad&cX>k#d(KlJ@{SnzG4x5mt0?v5=c>CBN+3c zvF8W@LsS6I8bMwRX2#Y#$>@tg*saY%PH>_ zCN_e~N%}ITGkr(_&sMeVae{F>q9kL`bPsp@rh(TL3RT|{Gro%Cfsl%FmpP6XQU=^S zz{-odiJHoh&IUo8UUw#1y=u-7rep==ZHJb#gau3a(HAkw)-2r|qxQ!mK&Iy>QVOS7eFX>x%r+lf5Zu+ttNbuTA zq(nW9Hg4iQa|idz0sZdT(nhS-X6~9_LI3lBRbz{N7=>YSO{l)DQ#CHW{yy5zfc+M` z1*h7##PM`cfzKt?h#e_|2`OJ3&=7vA5}j)^>&)of!Sy&JyGe1vOxQi=)g!F zd$5!Qb|XC7nN#K%14fRcy{O9I;%l`$?Fleh`WZ6_o}-N9`wQ+ntrM&GUbXE z#847<3=$|`0hHd1O?Yz?6k6FxRN5;=7Jpo?eb`crARRuG9A{r^W6JW+@99sUs0lTt zYvaKq3M=5!ty$s0ue=v+oeVF`(8?{&Kw^E9fuzdQ+Wz1olj9Y}vJ5euTxEUvNS37X z)TEp#i9(Xz8&bLwl}qlJ(1oi6ajP)&7EII!X%Yw)mKO#(b93r*j0Y%k)v77eQ+i=+ z8-?@@hy3pS_}0&hBqj{pVpX4VmhcX5rIiW?yl)HWFDUp}m_y@#-{xUX@(L1^9I>Ms z5z&2dhASM_8O(rbkKx68MkWIvoU2++=@t4!`Ci_iAU;YUD=;D=JxJ`%wbB_a=Ul$J z(`g~uoNq_MZAC`Vg=ol%@kL1tXEc`Df1-6Bxr8@2^2xku$OOU{9jXt`-a29z8RpUs zSW+y<1IyYok9cDwL;RR7z7Tefg~*rHtiEE8q`crgCz0=;Cy+;XAGEZZGuBW;-(MiR zi~r56~%$UHbP1;Zg8A%x=K?R!kN zOJZ>t6zE*>@7Jr!vLyUSg?eGioGT`Wj|8Lp)@-`L8!SH9=CN>@i=dEan*CPt@mx9` z&z|zcWk(>&YfzQ&9n?{XLG=s})<4d?~SzZ#>P$+tV zncm|!NLt7oWD2e{TyzCEP@4wkNpH&$re9cvV`xv1SZXn*Gm*}yJ#4r-+287jB%Rgl zTLEVR*1G`W8+QP_a0W+bRJWs8g3)bKOFoArf)k7kmx&O) zI5JA?izav&f~OBZTTD}Bh)iH&WJy+QlGL}Sqyx6(U)DUHf7RezCGT|e;_Z=rMxT(e zkBKmOb6z)I#Ce{}{4;aI7oLX%1}o1-V^L6iPy z6eg}ryAu^iA4>JZ*}79y@N20}^yY-<@@;aiX9HAo*AjVfsgm1Hn!D4yiNc9g@*9Jn zd-8ggWycO;mXX-*1Ws9!A;~L_Ra6v^^37@#TUZnqd(>Ze9Br>-&_Ck4y1YIwtxeQcN08@_9TuwT5K0SI~W>96|WUq^Ai zQQ^NuaekDW{-%!kk0{QqEH&ie!oTEwBmZ9&_!mKg+xf+Rv;zUyAWzo-fxk$lLLLeF zOW?1A20zs@{~0G>68<@u@K<*9Uq%pa$H#tTL|K5~A8)n$7ZC)NnV7|LbkDhlX3GzT z@45EGNzHRv5{i?lViLuVXJ2$jFnlz%*Z&yz#q6Yk>9H3!WtU^Zaf*aD#bYn1Q`j}D zgED0Ho$dN-tCM9{Jo7<7xL( z?gaPX?oJ>`(EF0z*`2RDXZLr`xZ~VEcVtx7;;mJ(s^+SiR?oDzxXiJ{IVzVcsx7X~ zDc5t0U4&@;fR=iybvAZCPtNaZGo$-HRVQQI#e+JHD9wFGLpUQTQ?&L3s^#c?*6xIi zZRou+{Ad=}CvNDQx(}0ZJfCeKtoB|m7KE2`fCV2u5c$tyD#jb9+CM115x2~7W_7`o zK=Pxjmzv6ztUc^)2%<48;gR<&xb?)Mm7zI}l+{mzJpj5RDl)GHD5 zi3}-UodET%{M)!DqwG*Af8{u0;z_3tpH%+x$$-t9v`X5p2o=@%t6hx_&`zFOhMSG# zao~;5AS`adwEJu8LMVG&k$w%ybQYTq)!xv@(cn}U-BJ==1nzuZu|V3u(7?!?qT$@n z(=)e21L!{L6q3ltKss6|-z2tEI;#l1&3;UcjlXRSF(}jdPdh_9AJlSgu$Sz>m#60CG!D6i?Zv%@jXQ)? z&Smu+6<@w#mWochv-+tRMzUlQc*TM?SvBI-%+{k%E>(B2?$ieJCAd*Gf~Tcs9s@~5 zLiQvS@UHL;wk8@I){2%KaMpQ*@7i$79wih%^Ds;_c~Da35vwCP;7Nu(s6BdagBzq4Tg zm4J+%j$P{@TMCWFv0i=*dy{soOgV%QYDhTOWbwe&@O(QO84Lv>G zaKZYRNmL#EaoH7I)@h~Sn%9a!xhSPyS|rtM-)Y|8;{^N5s$|^texkQvjedH>T0a+3 zB+++cICV}e(2y8#2?oN;Op6G132aQ>s#&K(lqY<}50Gab{M@ScV*C->OHZA{>5t-e zx1;(z7o~fl@9*3-?yCI{Lbktnn9V8oY8vnQe0)&vLhO(g26Q*@5&VT~tMR0c1V&Bi?_F#CaST5hgg`;;1%Ij^@{19VjV{j|PWvvyq2p$wz&%~VP$GQT=Lo$; zuyP>T!(E%6Z+4-?+^dA3qum7tkdlGs8>WkNqCG+On zFrLnhkQZp-LVLO8#aUfq3BoZ%<0BG@gSwimdnjZ+-KfQ`azQef&dLp}0Bo-g^o~Uf z^tXl>lKy$6MmK}y9*)drGE7BSr+&iRUf?p%8pWKNyCWc?7Z-$cj!~$RUk4p>LG)m^ z!R3^pv&AziH~J)sp((_KqVDyBg+mu~#Y01+0wGbPi)qy4iN(aXa{4%x&pd_JbW)OZ zFONf0za6#NZ2E@OiknxVzd8OALkj1-p|N1b}ic^sOzdONu*6 zX4JVAlFpaW?71Oa0(GlI)K%p7!#77Q5G@@Ik<&yqXb&0`5E>ACmo&bLzZnvR1(cev z%3p_fwP@xwL}S6LqiW5x3@_o@)a|rWNWN28m?}iQOJ7}>3KF`*VyU2{A6-V3U7Zs$ zr~uC{^a56aHismUK998Eloy3aF3}H#p$WBK4;1Hnz^@`MB1k)M$zNrMI>#K6RI_l! zw$WQJhZ@MFyhWX9*M)mcUBOjl-fNE|*$}i5-(NNNHqS` zQ1R4SG?rDW0Xdca8?lxCUG$}d<_U6{be8oR=(Qv*I5bdnI^e)`rG%_W(+l>MK(cCr zzFgZlR7wY|j9E3SCA#D?r~=R^TJ!r$)(Ytt_OijE7@S^S*ztIXVZ*8~H^~Eb5b!JP z1_RrL?)0!7k0B=6iAe+x^NZ~#bFoNJOquhP_fwG6EZoJEF{X8(3Aj4_B{PP(1*9+e zY$ey4nNQj~(W~$bS%MGVqRDdp^3kzV(Mg41qm_$RV8TmA1ioJI<_z2N7mEJSJ<2i( zd_CZ01Ko2pl`%)rl|kPsWmd8oRAnSkK6=gNriOILuo)n|Nq`(|@aoXu;4$kT;@OIs zsKCodVDcO3^XtHXq>g*MCkku72j-sYyMy(>_kZYPIk~xlDutQPt+ZT~2o{5Ud$ai^A4%qz*1PGZ0kel3`!jc`Hk&!0!^pgl@7)yG+< zeUiK!96>dD>>;whtrO8{9v=u-c}LZDpnZo3&(-pvrQPb2=D%HZY~MCopmbejwfIh` zE`Nr~O9aYw`%J5(q_la@*k2;5ne^P1crnovylKb8U&J$R9%_q-y|nijJBw8!?(Xxv zi1b?x(rZW^$O>b3PimECyv|9Ei%4a`CVg9kW|cyv)ZGuR5eYbKaO9nLpD_W;Y;0l& z7v6-s4RI4Qkf*|?i-^OJ^jTdI+N0~X5)&NA6C2n*d-k?K;LuI$=vsvk1>P!qfO(rk zM?bCxG6)`piF=77{zwuQd@2!@9k(|DxpvqEq>^M{jFqcoQ(PJId2E-?x9gJ^Hc>uX zz2zNTw1-Rmoc0WRj=+OS&v7jYWYKxih$uz1zB?%gB+x)rOs~2Sht|9S4p3{4LHNCay~*6XLDO;r zIBw<-eoq;enA`3CoCEG9#3wW%m$o%Eyk8kjZ(#hhw0k$MS#g_{2QaYk*Rrb7S$@i(`n^u?#8T)t0RwAPx|wzaT-dwX>CAf z?{_%q?9Od8>0!4xbdx@ysrX>JEVvB2%gn%AL7WUL?H$40Ix_066VgE%4?25)J%HxA zXVGl&{%qj0IDe)9YA`wj?^vxi?f(A8skrlzA=a-tobRDZr0gYZ8o87SVix^Qcnlo0 z@b-&c)S`#|%X{R5Mn&7sZne1};t{=7AK)9x&AvZ)TK|ex@SC~$Up=h>Ht?So`hUX4 zF|qs~ds+jKfL^7$zj#>x{Oy++_kYvF8er)MSmjv&2ypBGt35j*0Kb49@J<{6hiibN z_5Yr+-U;AgZE9j{=V_LD z-^u~xRsc8)7XU}&Up;yMV(b1xIaUr1fRX&)ot6JGxPK_e%mKh>0^o`KYkU7S$G>Lf zKg-E~m5qNBnt$^m{+n|0?*jTS&tWcr$MWB_w4Z8fIBho}dEZt|YUP(A1%nCrmP-{3 zw>q7ixTh~_*zFp)j)+Re^e2;};cs(xdbdsixrf}iQ%I`dUy5Wq+KUkxEbd6g?~HTuq^E_F8P72A#glwBD3j!<)7x ztu6m1*m52%b*YL~?j<+;2nrVN&?f0zpA{yFA>=|5u)ASP#br@^#*Rojf(&+=@iEfrtu$HTY{ z1$7%**37gK;KRsY$VwQV203Ymun#B+v_-um4RCKc(n0EL~m*@7^xCM zI-!oYaI^;v_`DHT<)Dk~+QIH?nd5FuKB$k!Ll$(URj)9jN<2SlDW@z&`}l#yeuWf zUh(pbz@T*zXBNDY*fz;?=`=sveY=dc941Wixo7nK4{}w|cAyyp#V*CqI}?r9!6@41Y_^#rsJJ<0f0)6^*(?}TL@Ws6 zY7G*DGlVOGUo;pHrw+^4Y}C=2*2Rhq!>vcv3TnTjJGCYuX%kYh(lm0l^R4Ik#8~B? zywYXGi^twHjC*c@#kjTxtmz@VZlgBeVm$^td5WEfF}b7;WA2u7451v>3))$P|7O+1 zb$pb8n&NeSM53e8d#{}aHdOB?l6l&kWaU9)vzRsy~JYBDTI@w_hK-^x|WaSRV zQe47XQ0?lA3(<;Eu?p2_CLvBH1cE)90FA^QvZ@I8R5H8n#f}}UzRRMkFxPB_r5xNl zf4|ILH|e1Jo&}606w^N&aBdrsU#gzzb8 zrWG(QRB}n@H_jH*zR-iNXp~_!2KZOL-G%v6ajw)fWrGE-FllcR`WO!a=UBPttR=(c z)VL-0-3Eo${Y2eQt-s69rE0|DKn~!nXL$BfC;fL(IG#)f$YaioJ#CR} ztkoQMvjp4en8QehpfB!_Qef@b7DzbTlSaYsDwh0|qQ&6pqS&y@=o{bDHr!TqxHTYb zyQnVUogpk$woTa_BbYlsk-2^Fl|2*K;G#_xB?yz7o#~0}o^T(mheWceJw1&FNu-u9 zNrl0jz!D`{D2k4!e|NAdfg^#@x)X3<-}*&*IwFsBHL-e3AdXq(NqR8O7&n3wJN$Ag z-h6unf8lF$L)Gx@%@L%|ve8O;ZElYEccZpeA2H;&K^%Drfhhe^U$4BZNt|L*3s7T1Xr%X2)ojYoP!{d+%6$00t8oPuzUUGGt48p zJNyRV9uo#X#x@>*(?9UG!L`EMA}nS_U=t*>043*(S&NYA6W}u2)5gEv2N?pjG%9jW z4hl`s5pM(%YABH*ZwTv~j-x#zPBscypAKuStf51+7G?Qx!e_z`CJxlOCJ;JyzXT>y zl)lG|I0_jbXo-;08X8o6+RfKcGeH@XQL(0hF(4Q&@)o$)aera;9fg2D zBlMZ5K}rNw@>9@?O)8#$l;f9{PqK>#S`E(Z%VmKu?MXEZnyQELZyqqbTjr6fgH z=t>-Gh~gnSuzHql8@dAwz0;P;=rh*){Nsie_KDtc6!Da{32xnO(4HJ``^jd$G;uVt z{di0o&;SyS7Cp<6%OMC?SYN{ILVHi7r2AYB;fuREv!jK33OlW zci=qCF}6zfo%T(uAa zJcvkos^6R@;|4C3tuZLz+!&-lg+}S&aiR%V2d4BSHsI*6kf0J%>;$(RioXO}_WT|b z)ZB->Zg5Izr)xdX&e0nztmlN0!&8K z`$eEeW6$>NvyC|iwnrGwHAP8Rsw+pi# z@%DNoe;Ngov&2Oz7?y6-bpYq1Uw8Q&0ntGA@r`Vs{fq){ck(Bo$WMgFv9cOEeYNY7 z1yhit#yR9r%#|@h#TiwnlL^+0Di2GWjG9?YE6Rck8^;Y3lX;9$@4kP5n5TvKZuD69 zwTHwumU@dM^ zAIK?p#G6k1jdj%GT!By#HS~cwr|qM|vd=AFWFy!^keYCnfljv~zBKfNdA{r7-Mb6F zFo1{3hl|tgB>)D207~JB1hoQ=j+-L={`3~VxR0BA_Eh20@yAHNsDP}VKc1=})tiim z$crt<{_Wi#!Sk45x?XQPAAd~gL5p{)G<}O-hrmf9nu#i7A?MJlJ7M+>q9uNT2(*}*$9&4=CYlsy$+S%NEHny z%I!L;!|qm!bj=k@No`Of;Zl6Pbv|^ySIbaO-ndM8ndN%gN3tfG6n_XS?JA9lmvWy`+@Q}ZWN;=hSj|0QhxCmgbWGeH8* zeE!n}`R9|P|1SRhwG1mO080;mYWeSC)$dNy|2M@dfQ4-7=C8v9;TJ^MNTX_taJh?DwkU3a)lcB13(@O!(Vh|;O z0_2_Uv+GrF|5X~me;EvSL=Wn1&!n+G1Ms)o|H5=|7BfN2uzRkDAvm(dAOdc-#G(6 zp@uJd7M({ax%5M=fo7tMUfnXQ(b3}(WCxbKfTWDv#ZKT?l7=7Q2@&mJ<2K_TKKG&_ zXC>}4(|JR;&On5!7plx@59@o(PsOxvlBwMXb!aHv+9*v$;6)Z?&QDZ&SZnSp9}IhG z6wtjn3%hYjS-hThb)?L!ZZ4|PP(gR`fsSt*Nl-QX0U}yr;X(gqIGm4;CK)EbiyKy7 z25~auDtBb*va1hHK)vz%=^Li(7!$lNx?h!SgraCHkHfZ%$15eAdTA(MjvkOn@ou~? zi9^I@laSr%Nz=ci@3g)3yosz`tdzz74g#qbC< zjN)t8?x%Kq?7PfFLl_Y|f97PhSyvF2%Br-B*6^_&t9DKSU2WlK$}h!X2P@1wX;k3L%aMqY zH-hQvuU%-esz6sT(NT_LI&a3TlYs(-tVoHA-RqfYvEw=FM0~Q&@KJwA_(rtT>M{ze zuPFUu5LeNnou_V>&*r?uaIv6ni>qr>ruwTh!u;e?m9nN=F;dM(&G?y`2f(gS78=qZeZ=mb*4<<};{0-AG z^uLgR?Dk8^dSvZ+XgN!ab85$Z^~(`hjRrN^zXMtDQd329v4*kqxHo+Ib{gz9QB|U8 zTheML4V<Qk z*uW(Pchd+(2z1wY5MaT$_}v?IGvlmJKqlpHgsbsH(P2d`lcC6rF^3r5xPI>)uPr*y zXjWTwVu4|fvVoP4!}iGU*(Ew{sqH90qGI4PrIKSM2Pz__;Cpm_djGV!_jFanpNV_E zcfYzq7TF^@G%e$KbICg{d|O|SN08Od0zaxO0h@P7WzVUHRL=+fhGN`BMCwpf;Z6ll z0Xe;zr93L7sm#RG7+Um{&nv=QRKyUsR+^jd2I;H$2!0#edjZ2JB+3J@P7xprQEEca zQ?icKIB1!8hxdxrC9%%|V+-AYWfG+&)PEaV%wS4u$o$9s({1+0KbcbG7C$ZVnh!V%1q%(#`pmMp^ zb&#>#5U5eCd5vC2_QP1rziao>jMmrBP%TQcu84pal7(Zwv>HE=HS!l91Sy(=_>u~8 zL2pw|^w>$h&}3_AymVUgx7j^S#Oe7G*CL5hJKNb6kU$ z!s2jKKEYV%Ekv2{EORm?M!o&1mBVoICm);a+`8|da6!-(EMO_pqUCzJ!a;bU<;MM; zD+r~c<}6|=381EBi+O99nu6eX>~rhJmJ1o4x%MZ$7^=mIQo?hgbJEQbm?23n2bvTq z{fcUe`-X{JzPr|AlNIF(5^4urO(M<(b+d*r$<{r7n|t%dB(!f^;Kca@w4A=ux43u| ztbH>9n?!tW?%aL5!ES;zrv&%dN#{jj%hkk$_}RA%PSD4yVMx?9&(1#PmT;x}{SgRJ z(lzD5-NM!oy>y=6Y^=X3v6o>!mguwdpMEJ(pe+$GM}lI{MLKJ88Ci=*ky{v$g!yO( zF1Tb*3&ZJcKO1lpX;*kO*z))hyG2Jz0p7MRw#M+f|9pZH#3X~eED#hx$xfoHIHZp? z4?;(prRroQNMd0p;Sl*{APDmB?EM6g=V+Hz0$; zot37t7B%B0kx7%7s!JTQ6e6qAspw2fpN4dfHWo1eJa0e4W@w>Bnrm@g?<9=7xSK%A zF_8x7FJdZx{*>ikA1NqpzqSOFT_ZtK!6Uy|5eTxnFl$@B8(21-L*9%N>#o_<`;lSR z?>aEOO+!nKC8-9gD>94R-cvwd&_0Opqr2g9jb%yHt|UApj^aI>0?AiKnF+IGLS$b9 zVfs+Ihg5cT{s558OKSNjCyT68I2Q*BVGmm8U7HNWHSjWtYf1i-eg}jDV8U1`pOjB| zAIlpd!YT6(4mgPXTNbh2y@~8~so9IeDik7sA{%~`DAY7ig^KbN^-BhSne2FXUZT%P z=qZThxQ1aM2KFVl7=Cu^GCvj^e2S|lS>d>nt0ATNW8z7Y5K{-pEF5rY6g3&gmWq%) zBQH0sHFGrxjI*P4NlTCv`#={L72Be(;R#sIVy-f!<|j+|TTAK4cHaD69eF;*KCJuw znaFvV>$shL+5(QAC3*oY)LWjy5F-Xvdd{KL-Y4xKX@998J!mNUzdQc!+NJbC)d%e`_ zl1XMG&CXk$R3jB%F;Gb+!Nc#kC8EYYpRp|2D;Kq?V{k%9@xq8_V~u+vQPLPiP34mL z4e22ydcmfx9scf)Qc!JHKavlf$^|ZuBi$(mNQb0poRuzoucya<+Ydz?BHX*%S@2Uu zhl&v)IYOTX{&apx*!_1enCkR5n^Ld_*lF5nxD$(%5g1#>Fl@TOZz{AxDFhXhBQo!@ z?R;4K0^?lRl1Erm@H2Ve!2s8V1P7-gbDX5PW*{kWZaQJVqecMQxUgj+naTVfKO?&T zxplKERJ^LLfhW!A)6FB1foH$F(N{-*HxK}JB=B+qRzjEaQ1g^BqD{>dSS!Vb6fs}y z^uP|Qk%4gi0-0n^q_7sHf;olZO?F3Iu})eH z8}sEou1IOSA_TKU>#)Nm z)1!HK6L-|k#@zAZJ9@5@VO8Re^3JV5`KKS$?C14Q)>ke*PtZa8`J+bbFpphTWgww( zrcWczQi}{Gr5Bx>elx}_QK;3zYhC4GkIXd|%kb(4_Pwmwlfv0i(i*oZZ=MuOrHPN- zqxLCnj$6B~_UgT=AkEpM=AG6~Q6Ez=ONI5yZ=MWB)7kwl#-^ng^=Y%!3CEnPvo00`>b3F`@3qBmZDVf3wc~n_W}wa-N;PO zY-@tW1ni3u^I)B&y)U~fwqH2=b#n@O+Uh6othd{YbnQjP#%8pU{TaSOdUj+fKtLB0 zx&xh)O?i@o32tRO>iKyf6XsyPKz27Ww1$TIMKDl0-Jib`VYrq&S;NXX)FvP8)_%s< z+X1z(|8Yh!LGruH3u?@o2f z2kOFG3W)3()>(W#&f1yz;*POs$O+!E5b)=vWpK2$&UA9EUQBymO(?213C|xBc1Rsp z;Pi)YHAv7Mkpii_w6|6dqWS$|hI z{4%C80pRxkrqq9mW%Y`k+v)?JhM;yh?hnl;;K+O!!R?`4*+J^^=`ffy&rd=^OgI*X z;HH4%>3p@{AC+n*%IkDcj{M^s$V1neAwk`-HQv03%jNv;(4w>+C$w|`Mf&c*H{v7@ z+XE57QU5--#FQ(Cn?^1Kvr^46%d_UswV4cUl$q@#%N6uc&-J5A+DMPuo8PPwl0FbJ z7OPc^>nF8-Rua-K)gD?xwjU7Q8{=p2;qs{A`SHF-kYj#RZpRNBIDF-cq#FeRf2$nC zogQw|56P32WF>A2M5glQtLL3_ipq8jw+p>`7pNvrwhd}S@}_eULYBQP-EkzS=$_1n z5b;so!F}kf-VgOoc>GACuqY$j4W_q8sf=4ZT@CRy5mFrcK5X zwf_{@lleGh9WWZ50nDyrRvTMHN=g^rQnQgz4hQVUyZ4P-U34fUiD;0Hz+C_QVGFid z>H08M0;!rYVsMrpnHMACfh6Z?x0$Q@!lMs_154}B?ejh`7XQ)|4sz62mSIn4ew4j; z6Xsr5n_K?b1m4;8wx!OE1d0ndJVV!Sm2ejKWS{zqjVC8)DH_dYEVd&Ph+H41U@mll zX}naZQqBvNIkUabdxtzCYiC|3tATepasA~q|8Qn-5z-jx+dF=|Gt6$P`0i+)slkI;lQRjh zkJSiX=w#nGhu=0pvhcG}>&Gfo?9^ zu7q!@8_I%!#zLpP2!&laAo*|Vwfp!ypRq-1a3_o#fV9R1R=NdDi{_O^%FIbDEshXk zMg%0Y890V;QZ=^q)X?ExKw!2^NvWl`u5gYINpTQdA#=c!M)Pw~k9L52d2Q3P5q>sVt>anXXPlAUAN~DQg6*Y=X-gwg z?9?w}og69_2~3Tmz7gi~7ncj3NCUAMt=xDtb9%_Ntj0KL1tvkM5ImVftaN2E!b?F} zp*0M-3Q+Q?MBg^t(+3HWwGEvLQ@>kl&6}Ciz2$|8PyUR#C-9-Aybu$FA4!(kcoD0f zfCvS6PY)vRg%g9k%gfhPUXC5*{T;BA@D#M4aF+J`@-#2f=ol&{6kj}>0gFmef^K{y zGMwJlTSYuYk(i4py5jciPv`;WmR1get&UY{AFf=C=SDg!D3yyRBe|nS+2sTBDX-0s z$-LinH(hEQuiwkcz!+c{ z5JAc3kr~b0C=U({fB*hG3Uo_spG&?E(W+%_guK6OUnierz8eQ1kl!`|-_B z?ZPq)uJ)9CcPKG;fxr&DkV}tOJaA^Jqmx1s22%<5FfMHhSn8}7eJAz1q`{siZ=~Wg zfVDo2)lpcrWmX^JeC0zuD9SJ3;OIgPjik10q8g~ZAW}DvwuAs;yZj+$U%;L)>)N{n zpZT3AS2l{JXKWcU20whX)MS*T_-*!a$k(^fKMd@pZG3EKC}YytA*WCp=hE^@joZGq zj?VHp)^d^B3>^`_uccMs2{+EyxAPE8U=Fu7cbME!6;m(?%N48$g(qh$FzN_Csw@(?OAFRzmSlM7=8~SclMiZZ6ev6%kq+y}K zn)s$cE@)Lnqs&&>?|J5G;O1bYE5qy4J^?m`FO@nHbGIds2{yTJ#AS71!J$}}$#*S| zMAIVJ842JJf)7hA+*vN#CAyfVVlJSm%NsDJ)jPfL_P|#Ok~SiR@DvBJSnYF$M=2cg z5;AFMi-|q+zFnsDjg2-GuJ@0utp>slj!$W zRw*$r_B+gRT)V6^MVO&ci1m46^)j7^a<=gS%Cw3DM zGw_uy{q4XSz@P13*v8im{AYIae=f&N$O6EI1;7^lJL~xSv9UiJjQ;9-_dCeVKhLQB z?<07!{eCj<7wgEz`j1e#|M|Sy81|6kve->!RhP{dDx@>Ckx{C68ErZ01ex-*3`0K= zB@rwzbD&QZomsc{E=DBQLnB0FDmhal%kvN#_5{@%yJJ3Qwz`kBd4z9fBt*Jbi9$pX z%Se?=;La{L#*XIM=4ob5WIm%?t27=*hQ!Yi?Cy3Hn?Gu0=t&80XTjO}Fq(J;fw~^; z7JM;C_&i4^`)DB*Uw;OK&NyBhgLXqC2w)0_e3%(a>r{{FePjTJ zHAw{{IH^?1&IQXfxwzl+;jkW!n`TMmgiVPEEqG{H-4p#l|9Q}6*<`gq^wC}-5}u59 zmKq}DM#9h2s$mHLYkfI6eT-Ba(~E>2CPD0hgn+Hyl=^r@7Mgm+IHyS%6)9XB%Pd1I zSS&z%!QX$;pX|?pGq!M~GMBQa-KdK}QC8{-;yJ(p%Ps_*98%oOotyhfH)HhKT~BvK zOSOS5YPPgJeZpm?-Zm5eJdCj5WFHZ8qKfDTM{3*JGxMpQCT>lCedYA= z02@2~xI->Vx$Q^6}8Y9B%(SdHRlUcv`#OD|7_9EdHx*IY@w`BqmZ zZB}cHxSmr8iSL!2ZMNe6;D z$Sz-xLdjw?j}MyL>-ICtZ1;iM%Gj$1c<$D27w2yi0_T7#he;uUb|zWM&!1O$FEv1* z;`?36U7NYwCR*&>OyRe#@n*g$zwq%9LV0%}MuT-p`U9q0_YgxcM8YT3yU0LGwzol! z5cU0SGq)kCDzy$C{ago)r9DO9*^Vg@0ae5MYKtShRBi|~ZNiVLYuOINFo=+tS>!ZE z`+c`-1r~aHG4*Dj8P=G|d62to@nD^KstH|Che^L>UiUaZU}Seq1* z%M@cET7Qxe!W*%WNZWwE!eGZNcpHHl97#l~x^(-lHG8N!_|RTYEg1ZgP`ZZldWYzW zom3i2cm;waZJ&hBbqNu{TbiJqZ@A0XlW}`ku02#*bhzmB0OQj z{XZz}P?yQB!{rCs=?IQYgEn`M=lLJMSq_Ag+*23TH)duuu%yIC(V=Hb)*&KVDl^Nu z!m`4KEPqx4;I|u`AuS$IAsr zkZdF=_Jt%^MPFRq^AD|AgBMP|#@_Z||G*z@t%ciXB;Ed0fB}i9aI=AfCTg={Xw+RD z7!7v*1d~*9RBT%88l3^U;u`59uU$yEqfdYF7I~>j6{oePU%%I{Umq4P++d1A4`XhP z7S#~sh_PU>Fy*vH0z7HmP7pQY#{wNDjTw*3G+)hbz{tbTPX*?<=@IyddQPlF{&|#OvKQ_wd3TZ0#>~|s1Hdf%gm6yi6LRjM6U9YRQrQOpFCjFtgBsYl<~g6yEv z@hd#Kd@aF-jFP@|O*>KxB2(*ZKrc}-H0LBiM(AoN8LR9I+z~?ewl#=GItS9pnRJXf zo*OTqAANBH?wpV^8a*#vs?TK+`ACTFZ}_2{!Q{*;yW_n*3;Vb4D&j_a?dJQB?LDKQ zpv4oOyG%5|l{A%RE=i|JbxC0*@wx3og$67bQ~A(TR-0Pc zsJYpRTpyg1#XtggZ7_wY&sS1v;)#SYirjjw+znn@xTbZxG^6xhmdEC z_X~F3HZx!JMb8vYR8BM*0P)FbxIG+Ng<5<&Zb^v|b94FZYyRajH8ibu=|61f%;~bJt)z2@jLzBMRXa@jo-kAn^jnl-z5-cl#Y5y zX0T+>lA4zx;oLY;j>#@`RaG0Y&!SNc*ZAqlMn9vRhP-)TbD2G;>ANm(nohmN_^5{L zOzY(9dM52)H13?yVVsy$OEdm_(?TOxn4vlMNCB+5$oYL#4~+J?3D{D6{He&*v?Oi; z_u_f&bkNB4>=DBW{!wg0o!`)~hu&Lk?FD$cxZ39r>^a-3UiX*g^Uv)0Pe$`!*z=zt z5dSeQ9@D?G=WM^bIlXFwe|F$Mv*%1~|Efm*OF_WF8~~_4BOn0#zcc8+>yiJ=p#L6- z^mlNHzcTLsWY+)QK^e9`=ym~^n}1ukTd$@Ooi2t5@aXC$k-%@TFi(yxmpHcmdPzn$ zzBAO23-KPJPCKXD>hf4=Zf>+Y3XR(_v$(S3=&s|)p9?aWi$RUSwJhy{(Y4{3eXr*8 zGB=L_pIMJ&ZX|(?uvro}!3u{iq4r!+=`E*|)@g-Dt%Fa+fbe3>W98VORIF!_{SPyh zdOT~!(j=plUhA$EvwZg|YO?xO#5=!>=39%~_tzt~*Yngs%gHF5(2y*|{05=%b7crw z$?+eb>w6#VTOIJnN|!>n-gwgN-_F_5m_EJregawniQYm4fG5uM_Mz-PD3SVqLC8xs zqP%#Yc&G459<@t``Lc6;%Tpb8U`1^#`(8|S#~ae&J0UA%%9a_tQE2!Lv(o+6blL;u z+Yt<>ub$g>-Ks|0yg?lmrC+yuylB%tHo^<<4eQ3n+!QRuCnvqdsi$8S%Okee;`Y12 z<=Gsrt8M*)$~vBG((C0hW1H?khr{Gn$8zump>Hhl$4cUPo!1-LB%hErtG)Q9sk=>pu)2IrU9^^a znUiO~#!tUh7&%Pcr?T}U<$&RtuFWzxx7~_OtH;AOtq=6iz9scBj!+|qVywQ|5<{U` z_%T`JuiS$7FsjS)T`FUpa7AJHO)ZhAhtM@os&EuM%h@xN9Tw%{imx-J#4sVr0k>)E zkffQ^P?DTUZ#^ca5)gN!BA4W6(-TK7$~X%9kNHc=RI(qvtm>tRV-9hJaj?^op+I*a zyw}^8Vto}Z8Opjj)PSj32M}zzaD$%7;orFoAb86ZH0w4Ku`}}~t{dg#Y>JaFq_tvP zKtESp2vkJaP}@?~RL2Iq_eMm7aZxMLWc%3Qn=_Gu#wcZSBM_Gw{|<|}=vhW+9u#;a ziV=N`5!eeh5KJe-^rCxB)6hgf>g4vDHVtJ zGFibetdkw|lEyPhnAA8G|&6opM!{tTsT5J zMr5wN-Fs}sIb&NF<8l6|Z*k7QUZ*$sr)}szYl(g?r+?js0Ku^TmQnH#+t9yii2$(7 ze@9F77p2S3?d$h)e>O@ovHgBx@(+dBnc3+9k$e7q>jH!%`se2Shk|S@ob-PPD)Vz# ze(mZ1iyiMbE!1zj+~3>S*ni){e`%fo$B_T7(J~Sc4z`yOvF(B8#$0;Vog)fQPb*sy z2^nF%6kp0nij0Fw7Nj%UAr%xEQjR+{Lu0JmpO;d-w%KgnEfAO@g9!Bb4Xxi?!fYjw zUT^9;EUgD;XV7QD{$;t*FRG7B@DIW)Tfq(ZhM3=E?_zy|7Bb_Altwn?i|DAm*^noQ zf^6KFvilU{7VgkmuTMT2gcSe{Vrpud7`Pc9NBY10Mk8NqkLGDIhg4TG9dXfu!DkZAnubu>|B9v8yO2kvA@DWjMz-7!kP)>!0S8mTx6hoo00OOVvZ*a>PNG zq<;GcI%oe~Y4>M#>*whHmCo7!rt$sX>74yvxu%~T_#5oj&nEvT8v2{0@;mAOH>v!C z1tR>e<@n zJiJNgrGvd|Gi7;ud`K{z?l5}v928c{w(rRp;|NPJq}};iyrmcBzFQt-X|+Y?lFU*g zLGm;Y9?EogWJxZyF#3g=@!6#HE>fcX0KTO#>-iI<{Jui{FDT{TPiL^d@|*zT`I~xk zhJVIbWB<995;6he_P#EJe?b8FnfHqr{;Mzlfb0JU);{6S0BJA`e?sqnrFcfbN&o)} zxyHl-zNQyPZ;Jk(9sPf~Q!D@^djNy}-<<*g_H(?V6#VTz{p*6w{`;{LCPEH24th?& z2mY@@%Fo^B*Sowf^nWP_@LSw(#ru*XwKjzsmfl>uVja>9vku>9q_Opj|*ri~mZ1_XAMk zfB*e@|C)aG4?y+ofc)3@d+p!r{jX<#U4QlgkpJuNpU(m6el7EBTz-xlV0>5s^}as; z>)l@OSpjYQy8ixdulKL%HUIVcTK~_s0A+q%e~vkz-e2WjpMCA)>lKiGo7UG^di~C{ zes$~Dw7x$6TKv~g{iAa~Kkr{vz2?0>^QS3&{q0x&uW4d?U5)?IO(sUb&Fh%_YT)(y zGZWCnuLA$4^U4OOCbui$2|SIf1T@B+WJXffbn{5|MmX=;qIM-I}5u0 z!B`X9b~3Riwr$&-*mg3pZQJI=6Wg}!Y%=dN?>@D)RllnJb5qrIy8EEdIiK!}Z|=SQ z6(IX(uD;~{w*Sd}<@yu9FaBTNXZvp;{~BM6e^LJpi0u>bPow`E+^6yv2wz6N=zsVB z%k~%VtNxXozo>lb|E2$Q{Dm5ooR~ge9{i6Bf8G9@&;P>qFYj}N|F5`y`SMkmKW+RgUw*QG{+s+O{I9hC z!{jT5uhjg52{WZ=fW&ZnM z>%S%TCG{oocP9Q*`7-%G9iMT1HNN8h?}hr;=GPQt{=8)R-?Qz1E(M`9{@3kK^}jRi z|3LqS@D=vwhDra*SK8P=53&E!{g3{I>y!7Dim$%EVSn2Hs(pZ{HXE{||`%`tWJL2eP{hC6bdjFNG z|J-kUUYPvH%>N!b|6}rBO8&FLJ`?jlXO}OCzIb0l{Wl{2UH{8x{GVC>RcHF#yy+hd z|7P%){=YH)y7xK4zrHW}RsQMxpXfh3|DgM#Uvd5a48H$`{VN}TSK=rAn;W|SUIqVs zZT&yDlAn7yv(Pg@(f&{C^Qg~C$IAGx`FRliSN&wLf9^j0_4j|i@bESskHV=@F|MSl8lzeW!>Jh# z*+o7AiLiwB$z_@U!63r#MF*P=zuDXFR z1S$)P2^ioT1Ym3oFcXExqdN@1&(dgpZ%kVF3qafmREZK3bNQqG6$yyW_62TYBLmi$ zbROWki*}q>0!xD`yJ1Hsf0Ka12f3- z`%W(CBG6gI7&i8MC-4|H0O|en{4a0!O;cdHI+l6|hUegJowk}kT@XvlE3c8&&nGY6 zNKJM&4|Pp#j87mQ)0CuDZ#O=-le)wC7(UazUx2Bmf5$R2G&sDK5&O7)3w%0poMo+Z z0$>Bu`jjvN06|Y-UsOMCd;9Z-Ha5S0s>76yJytID9tZfn8`m_~#>NoR!S?an4cbfA z`Kw8W&qsxur-p_^llNKUlgjMJw(kBRKs{4ou#x_I+RWsYjWrUZg=&yDm{9NXB3O6- zqfJ{(+?n@dy6^pmIs6_EqrhEKKxa&3LjhJdgemkWzQN8TD~ZqbhqTf22Y1W|7V*0c z!ef`v`Uk7sN15=)3cSCoL5%&QGyMsPVsmF$@Gl)M~@Zq-rOH8)9=4!wg-A(yb>#BkwEy*Vvo3%^uCyGW2 zSALKfzKFD}yF220_8~8rl&$oZoDFso-}Q*X1(66jBVIC~O~eJ1vckFgw`ch8cSrFR zJ-Q#Kme#2@XvsB1XR!8^tm;?D1rcH8dU&dI)mEA>7R5X1`1p$?Mv<(UsT%VN0Gg6$;JF;8|vAN{40 z2XMH1;@v-uMc+=K(!Qusbd>rcQ)$xN6b*Qa2`|~NP2Sjd<%ih|GwK`BBrd)Q!i>Ri zfU4C_qKLCH^c-H0cuBHJyCdcixOy_aT6QpaS_WJ&YB~ZyNT&@?eSkn23`@uWEJGbZ zd}^#|OziF4)cWb#ieat<{vn<}snG9pW)Zj40xF*I!BqBe645$L>&}Mo6ak>aTA3{! z50ae7Z(P~(g+5O8@lNZp9k`V@=R;EHv5aCM7p_%7tlMIf_>ArFY0$gvk3^H67+o~k zWFbvI9ofd)Bai~S81dZ-XH=MS+iBCs9D34Lyytsvz!Xni!?c6e0^Wjqm$36Qm5iK=XB4ly8&;S9l%ok zvQ|A8fQ33@vc!XZPWG6%LfL#Nb5_Vdudmd;TuUnhSu{g8SM8;-WjEW8ov@XV5h^r> z$9C&G+jSa!Iq$l?2b->Rl2H^~)WL=`b#G6ngV-$bGAbw??|Jmy1BY_i(ZQtBce^mH z$*ZoM5hhIX*mEsJDpV{7OJoq-epfXMLvL8K2L-}c6HeR#{JYvYWN$*R*qoG@7Q|d0 zRu^cEqPhFBHj|@-U!;K;)sg~cpyMkPSka2%?yHs&vLFVVXcV~%ToVG&&!m<=MDVMn zWLGwl>K%uPv8k`n$@`Ed#riV(^EM01d_y`v_uNl=q+s(*-Jv$3h82lBwf+cBod*y{ z0yg&VH}X@ggeAYl2O8sk6A{9IQ;P|wJc$T+N;ScK5pbzdx*cq`U6EcJ1VwerqXkA* zs&jgx2aY*P32ID~8P|}s6U*CrNc7UFF=Qp*cyi;^n?jg}t_|eq!EpczY*l{&1>w>I z&1R{uzzdDl*yYErb1nU*`zJ;0UGhy#lNi=S%=P4z1`IpR@w?lWT=yw4lKqkY#knE< z))aL_?o-ft-O$czq!s!}87Mtbm9_;d6looceK}9Ei2y6!7|k}&GDpiu%#_X@<jiuo16l7(xar`R2-aX*BxKIvMYc$4OExw-xcON8 zhg_tr;^_qi;;DFsQh92J5a4d?15=b`>~H)bFTRS&EcB;3KbAhSpUn>8M#hP{nWpp& zC&^T`bekU>{=5&F@KPg>lzThuk>8Nr27fn*$%LP$?Bc*#v;poPUcU%zo{}U&rxiuN zk-O+Fv{RGt-t;$IY7g#wQ#6a& zdpzsuiU%}_uDf>Lj-~_;yQgbBb5kU>76(k?Q`g!kARJKcQFhX8s~4aHmCGu7r{z%N z5WKvtt-g(9+dOW3%l@F%9?W`?t;AQg{m8Y55J5&|BD^X+CI=cjMd(WcCMG#lp@Jfs zI>$7q%?FaSF-^px!Z2-Bx}cjxN@!ThhtX@`^S64+n(s18mQCNFG<2lp z6OJ_q&2KeHv{AhkhmXNP?qK)Q^s;#Ud+Bonwi0` z-Q*Huyp;d}#T9k#@?g8pMagOJ@qH4y_f{Ezn?VW084pQn)H3bO!A@(MTEwqxq9+{h zLi1g-+V~V)ZTqD%)5btNJVrC8GLH;3(FL~CTrdzur)!BfuOZrkCN%|;L*;SRz?_H6 zk_hG8g5mYBj7*D4(+SX-NNIp02QQ)5h-5g<0IqSd{a!D-eIMjQ)&4Ni3*Mg}R93#+}C zH`8OM_L?2r#%UFiUPwJY!GL=L&TX%sSF!DiyTi;e(@+~5UsvI8YSgR!%{m#mN~aM( zYsKi{5Ny{>m^8gi*b4a3xFoW&2Nb5ut|$)Gj)2 z)0~^AU7xo^9dXf{|^kI<0lvioT3Tbs-}Ia+T1BbF^u`L3w9u+L+{!G~u_0o2Hg?k5IO zD}2md`R)e3u~PFli1ok%Kdk#cU*;=0b1F$l{J>6@tyVe=R`NvIB7it?VW3;D0xj3w zl}DWIp|#CdhcVK!~n(hAL*E?oOUplV_cq30Pf@ z@XfinW{ljSff~*$^hin)A|tz>O*zR}(<~WT!e1AML8;7{M!I0#ObZ;oWLGKr^$*qR zS?M|(9iOK*w;EoC(y=yS)~yYw!)uzF9U-J9F<4iV`%8fXwfSEDgk)^_j8(KDYbW$C zGrEC?cb`PhH*qx5n$FCa>*ZcHf9p&s`sQb7Gx5|I|H|j%%-^*|%HvATU>ioL)x=>X zO@ZuI-b8V;g&|7Gn!i4W`qr zQW%RXuRLAD^&ps3kdzC2H+B%zy z2PMqAwHNr+v>uS6q>T+aEUTQM^g$vG%x+%Wj#?Ph0AlJN{FDh>!>`ZMGeES-LgA%} zswzB-Mq>>@?n%D|8{wWcWUMbI%(L>V1QCMv>I`1vuEHvq&H23jqq#B;_7lT{SyqFn z{Jc5j5#C)SqKuep4iEaH3#2rb7(syyeY?C*<*_W^+eriQRu&}aXRk`TY@<$oDk^I2 zoZlESA)Meb>q8^HqTri3{-kOFMDb@Xd}ev1NpU*pb~+*pNn$9rWnQt_7u)B$f^+NO z>A0k39J|=)?B(am&#zyUKl(n}3oab_2L=96q1tdAtL_ll=%xU)535E2Hcx+H=grAq z0jS=-jG+RQ@UVq|?a}!UuP*}#TO}etdZ#|d0>|YdPq9do5;>xB0G;G!<23itV%|c^ zdP#}Ge4ZGGXoNvxoU@*JaJRqM1rT`V#*||; zW(zrlSP*jD*(J?+&w|iA4}+^88mFx9j2cUdaLeO@Ou)Sk6bUF%NzYQc$S|LDBj7aI z=9?%(JnMIL_W+JAH+f`S%vGZzGl&zUa|vOxUeETC>33=yYJ**&R-647#E_+#`CY_! zx+Co*qS@bGrd|X{Q{#0+MxZRmr9OP2ai$uGg5^M54r%UHvmk3zesbV{_Oqq{*m7ea z!mLmNpWbV0)~<#fU~(kyH@Q;h_{9o0SQ_6s3Fi3VmE#Hr#S6zo29S#teB%Ab$BrcI zNPerzTd<~N=~Do6QXzzJnSif>qj()T&Nhg^fBdnHxf2S(RlrV8h%oB1=_p)XPO z4ND?dA94Iq2kcO*U=F&xdg_BGilND_(Y%jQ2Q-0u6sx{ZYoRG%JuYNQ2 z&~t%Y{tczU%J zYSouFr$9|>4crnMT5(^8-Q;KNVhRHUVP%MqGsGdEf7AXnf7extRSKQ)#zNCzAGC&l zH#35xiq)?{S@a1!F+d&z;H2DJ7yP(p{~@~$v2y&4)drfFin8!1HjNXRWbv{pMCAgo z$cKIRgFHT-ikbtcm^q&bj(8RY?>XCXrzVsa))IMoi5;8L@6E&b&N3IGJf!x!>!boo zJe}Y!+?i5W-^zh0MNRqTJaO7%u{)Z}Lllx<(KH&$O*|2~asXa4m`7r{4U-4%Fr5D(D z5!md;FZ&n=zcZV39LRQvaaugYjaio;l}W2CT3JUO?V*o6HA8J=sfy8V-60&iY8Yp=P%r?>$bvagj%fwAxwygt7$xR{gN^UA_*Iv$j^<$vq{T0W$h_oZ{y8FoV`7&UhwJ7X)3LV38 zD1`DX_yBw^gg#td3@4yVeGiLhSi-gx=^Jpr0P`|Jde|7qx2a{>h}{BYQ)VYQPNbiO zQja9X8m3OLa0Rd#z535{FCKmJdsQcQECD8d8;F>a(&ytc=qPF~e+cd1>xx~33rZB& zbR-z3i$YE+J53d-2m3i6EA4&8%j?AW3yu&4-3ZJ$e0j!U{C-Q+Elb&4Ro@CB;pUFV znn)p>Z=g`41>3&>D7FnnIf3mt<-~%c*qYYyY|tx+K(ikhW>vV*fk}yKH|Y>CF{0;h zJv~s_A1v&APsgvnnej5lDp`t)KDfGyZE=(K%ZoOB5rIQ8zN+7$S5B-51lDsO37&flIeC10_99gT(Uc1!I)t<&jasu;Bn z$BJj;E*k4NQ@r37A)Z-%!Zorx?abZy{_4)+p(c$MG`vIG!W-U=9JKIzEjnUjAd|U^ zwXp+IYZ=yr+I&<`Mj%b{X&pO2I)TiUTL&|TK!lr!49TVJ3G4nErl@+H)an9m&*&$^ zf|nv(u1e)nw0DP48FL8t=a(g23HRjf(o2zwK&%;7+v77z&=gp7vLp-1+zDu0CuO~w zVFJA^M6-We5ew`bL3CY9>y0dp@3G-U(!uV>sH)(b=$Lxdc`^7sMYfn%{k{Y8#;U6K zIpG}Jx{exfJOir#G;;XeT87k}@9s*Tq zNlx1=dIe~H2s{K#Ex=LWLdbIP+{oAW3ifZ}0lU_Y{n24VOd~2>UZOxQFyXQEEEcBa zfz}h3Q~;Evh>}?Z8>GK}uqay5Jh1Mp)#nGu0WZ2|{UL^4h0oy3g=F_VP$|&b=^@yY zNm!kjQI{pTDo1-hYb!4o4>h`PCUFF!Sl}4DA`NcS9a!VWll8=M7PKF54R7tv6Re2B zr;EWV8*5B0>W8F)wMo{zXnl8=dXD$1TA#=P_oMb$clMAmTQc9nd3rxBv#r@l*2uAn zgp1akZ}XZ{=X+E=Sr=nVF6E~>G-49`j+?Pdc{O*W(LTvpd4V*VzL!x0QEcwQMu)lD z_tVLQ$gqz8C*mcE$v73&Zx3g|4USR&Zt9aA-#^r&a4b0K?vV!BYa+`6?%Y=@o;F1g zDzz0NI7>ufahN{)-LQp4pWk1wDo)vm^J8f7f8*kMDUVp-eW-4Zz*s&z;ZN8Hnei(>5^0P!XR>dr&A3yyBPAso?e< z;R69Pu97U!l`UK+(@#29T1AW2vG3OCPMg0w05_?S2x7vBt2^0HO6h22C1B{k`7#sr zKe6*344hDl;IzQDfUMkPJ&Uw^9m(r5?tr4+&P=>yzoZGj`nf8iAyRdMSF}&i1BpFR zyk&(8s%Eg~a;3@Zn7QIH`#GE)*$J&4!X$Kr@{^>nWGA6x+i%E^*5;qwq!!0xk5&0966Sv!G-CV{G~f7MpMwk@XG~uI?d4Sc%deECx~BSwytx z)G|_Jx5xBR^pf%htUMs|TyM$)jeOV~u&hb_hP&c^N_tKAjk^+e!5vgVh*p`hN>!)y zbuMAG&OU{|6ek&>zC1d0G1+}!N$j+UYfg->`EkV&?)c|^? z?h66~s1&|l$^s`4!ONtG4-ZaGbmM%hO-j23s6nblWRflIn~s44ivCBN;)m45+iCnnSVh}fjP7vzkRMB2G;?z_VmR}zF*gS~sMSMLIAVyc?JPP9T6#&3qu8Gui@|lmxvRfIr^vqa* zaqD_}&6fshBSM?nUBkZdm(Epm(Yr{f(VYYvft}t+g1)i5ZySBCC4j!L?$B{Yv(&dR=T+zM(N8# zpYjv}p_Lw?DLyA*-U!OGF>?^pz4Wz>l|u3gQ;oYvl4mY`8;1~2Oe-Fa5#OdrxO`MHyga(z}2z0ci;!)$p6ITAI}KUY<7v&1e=FA?%r{u%Uet##<$b}ff>O0 z;$cCZHX}Z}`)8=<$HBE|gkKZAQh9Ic@sWx}Xa+oxC^ng(%P#IBia?yn?fql34sVYd zB(iL_n1NTFGS!-ANZ5<-6dZ8bq*h%3Q!kg5S9;3c zERY++@T?b9J1qI7C52k+3I-EdH=daz`ILA3xb>ou`@qx4Qjnm`B-@VzBfXfUq_S8P z)Dwak&G^_PVLTLf2n5)?H>gEigpP*>>bNrT8{MGUyCQzs>ME>Qelw+r3ugWnHO-Ae z3~PvV-Y`01jy4QGA)#TRV(V7j{GaTc)M6RZjt{xWCG1Y(2F-X!Zhfq?XsPMkU~5FU zJDnk*yz-JIg-NDS5X!n6Z-{e%M#Qgoj1qyi&C;de4bxf)nFRZ4I8YMVeFi(tO^-_n zG^YHxey3VRZ6#~Ps7!(8FT1P7_k$7sFV31IJ4_s|`gLX1a!dibJPe_%PO`bjPl~dR z-^!^xYZ$MAzvF1qHO4eg9l4lOIRo!FD4-|UX*>G80tVe>w&8p{#a-Czuz3_rEF_Ub zE$LtKB;79D-}>3%DXH}87UaUP+N8sK-S@JIH91GCUoNJJa_|!$%}KGe7A#kp;fPj_ z9UTjcmB6f;eS;V*O@owQp8$%B9_72*JL?7E9F4solsHLee`Q}G4B_~ZlP*_YG)X~Q zxdtZNeqAs`sHAKNi#gaeYlxuCIxffZre!l9+-Jfi>M|pM_ULBmp47#u;R6BMX%OB=3H zmb%tR1;5CXPqEY7kntRh59^snhu?nN3<#vRogIUB$kecHH`dBr5DwEA?K_JwVR*A7 z79w_d-I;b$-2-js3KX_#8=;j{Q*aK9o|)XpmY~QfR4e9!u(`ICJ?k!%a-uZT_;LBF z%yg+#;A*=xyspv#!I-!nHP7Xg(-B+euKj}G0433!TmREk;-j%zc-)76TXAe{yiCTP z?@gexQ3kI!VbfMy3c^UYl3w>zX$2QSy*+pk;5e5TpbHfl!hRL9pRym8y?)J@?I21# zj+k-ow0)C(J(F4*`^c*`&dpe0fp|yg%9f>ua;Sxqvn@Q)IbS}-JU|vLllSrO z($J*~^7AL~w(a&ApiMH?Z&VIp>vg{z^k6?IJ-acKoQzJy8cXdMO$nGN0$R*X7z zkw`KBz|Q>k;PuY)Nq3Q?*1jjy*6HOKfw5l9k+3|g5t?s`vT-svh{?wjv^Y&%@mhBv zc-bP4qe@%;Ss|NT0(%=9#k@K{mjB-Q^9mAmJ(q0uqxgl4+a5+l1$q zpr01q6S#AV$T|>|M*B2(>MHfF9M0V4r(u?EfB`an)SGrG7_+4PH+8_9uN=IMyGCvCvtFxx}%^*d+z>}MAkBE{)9&H zy?^Xo?Dm$4jV-LM|JE3L<*0IWZ@HIvP!0Dm2Vf)d4TDlQy_i~WvJ)Vy^!6M_%xD!T zG_F-7x_H|$UB-%wGuxs5MsvCc-Lgu=sgDVhwf6<=}a)a<%OdsCXW@m0BaHv{W@ zUfi?6F+>isX$uAt!@)~Ev5jY+OP~JT1N|`^b7j4h)mWzuNU{N()Hd8JiZSg2kPSM8 z-UK;xRv8S{_JG0z&H(hA2?Qm8`wmNFRLx190JB;zR3H9?^$0b!;lziy<@uj3G+@6U zDotQMZ|}s#bfoxHw0_uEKiUlg(rVrSx*~8;XaV&`30H^v$KDYA<~^mt#H!tD!=-u$ znjjg5J(sW7e%cc4RS#YLHGhs`;d1Pw%8y7;G-k4R4;aQ{phtYK;L^fp)C zd;@qkN0H_Wwir1;zNwd#`B@}xGLx-p{AMN4{d6Lo1*jn0K@;f?8ve%jy{~U8#kApF&<)Bsy1BkMnWOw51 zy4dx(!+W3NpUs1o-TaDJRGOf$RM?I0#iH^6Fc}}SaxUZ!={XB~x~J3;#ZE%L_3WG< zd}i|T_4SJ|VNd~#vdJnV%xM~H&L`XU%JC!Z#fI=I=V;h&Y=3HHAt?2kUpy}=(E(X3 z9u@a<9x+MV(q2&AbUq)BF$TJTmVe_gsq2`7SiZws_r1*`RW3YsZ|R4+e)bO96gAW; zr2by)eiOwavVU&;REC_5l{#nsjNv=~87XCcU%HXb1 zjz0>IyoWDAT44NETvvUlu9zzc+`7$9IP11`By}e4y0J?2H6Q*nB)t~BDm8XlpF&Ej z+p`rX`LXRP!OB5Rm)eNLxf3lI50U%6GVJ*iVW9E`4*x_<;@oD`S&ya4LlxE00NKQ( z>yAfUOID=A_EY1$=I^Au>wMHQDz&;Spc0oz$n$4o-Ag`*KN!B~>VetZ=D}9DXT1(yc9ruZxbv zCY>fV1{$Wn_o|lh%iiM3#aTOeTs9_Shb8%py)9t`o?UQ>$W_^TrEOJptWEm0rEfJw z#QC1iu7qPd7I@STTH|c8NPgewbquO>xnuyWyRHv-2Gm;&lpREL76v;D@99MicZRp7 zH9V-lcx1d~a6^_(+#sWu8ns=02I$P%=ysq4?%Z~@my^37UKrx6RD2b{ncB{a?3vYV z8D8>@w29Yyjwa9;oE`zIlS9lSOv-DK72N)=z1ZLA-4`=lai;BBJbg`&54t~ZJf_B& z1c2s9(6af>#G0v$CN}MmDs189hfC$)Dlx6lQCqzZzx*`%>wK(~w=hi9s>JS(=$sMS zL(tLhssiu%Z+>K><=YW$t8y3G*m|sNX=J>CypNnCi~&F*wn$#=TXtRjyK&7Xs_~QM zRQTuFcdIJNL5nUaJy&p%Dip9DZz)fX4Gx#7mU^C(*)5ftZb`0Z2I$}QAiCV z(KZPv23qZyo)a$t3c6^4Q!ozL#UTc3*r8{9X{?isyWeP;`(;YG`Q+NA3VGt726#+Z zgTYV7#j@i+98|O8Dl0*&uWb*4t1`iSrfI>CuaEPkka{A^u)1>Gi-)%$Cf}i*TwzoQ z)jbr5a-sU#6hwX{OJ7jERPU|j{%i@4*JCt%em5#jmtbe0h=yUua&(gDbh@|#0yiLQ z?(bhOp2b1N(WsOyl=`j7z;H09NzL~CK=wYKxASqW0mYU4yP%@uM7Ih;U+`TMYwdgm z1E~{xXl%9X;d44y3!a(blc9D;F}?7kI?n8^qut1Zx%)U32%tk=Sv1kwdC;GhX!E@v zDNhR_!P)6^zoQf}p+~o^@at3)AE%bgI4iM+iC2FO##4ZcfutWZ3pJBCx5y2NgEk;; z>xWa8Ou|Z{oH5jDE9m)}vcafr?x7qSLUdo=$}vnH#jCf#k1jnL79hP~3*HgfGMiyG zTo_GlW@xVkJctLLc$BYbV;Ubzx`$B9s#Y;+n_DjOlf|8u$n@54p;fvd_A+<{JzfOq z-=3AJqCq?(A%yDdo=#WFp@H0>XW$7IIW94)Fyv4yzm5jGX!F)}i2R1yU~7fzyK9Pm zYxm=28lYT-Hwv z7MFCC1TUM-GJXx@YwnHwE18XW&5HadVx^TJqvl-g0tC5%H1)TFNp(Qx5|8lao}`(K zq1tyW^jc#aedrPChSTPW%UIbEeTuH-1Ob~G^W=nc#p)Z)LfKRlyC6+{6IkG(oyehN znaZZp8=%rWJhl!5rJR{VmKP|%)|)thTWp)@b2N#e!i{H3*7OdOQG~oYY5p>=4Ur>7 zv;^{sdefuaF|iX+dK12t>#jM#e;uIvmrj_nMgKnSc8LC5EvI}CQj6|+R zIUr2Y@r8HDFguq>XRK1dNkr{*O4I1AT#m7c`)daKHlB{j!gZ27?lbGOAe3Nwv>Xc<@aTkoeiF}#CNHPBW#ZPU3<-{6w`&>|mAkT@$Jhjx=F#KQ_b z;mn}^VsO38B^|fKmJufk<&#~8%p4PW4#!IfE_rA4lHkqYMI@Px$J&Mpp9z_Ki~w%{ zerk?Rny=J`24hZ>te+~STc0rIk_RfUEPS$jm37(nE#UK{5vwo>f*av43c|elOzWfb z^jB#&dyjIitk9~GkRjYH=^NfCGM4tOi^>QBXKZm-ARX!P`f_OL_~(cl`?@iO23{e~ z9}x5{f3hnC)Dn{)@>S0ru#d`}?r_@PBSe8AY;1s3$!oKMnGvKsEkzXY*NHm>P8}AYyn+io4(}6FDfE0 zo&5;thkxn=zus@dZ4S5P7n2f*@byTz0bq;))&{j3NZ^I*!HctcQOP`|iMi^mmC$V8 zvOvZkeN8g)IihbjcU>vFH`5UQ5p@V4NsT7I@?9+jH|tsuSx1O1SeF4yx(Q4BxER;G zTshX23FqNg-U)4P&EsWAi;BXNQ{kMvz4Q$+Q|-J>MfjB^u}5Q@{OAoKoP2y63q;BB zP+~|5!xi-~?lt&+^!`osq%xmMIac93Koan!Y+=W3ao%Qm@NT-eJR4IKg=5hiENf*b z#IZT_R?_JrV4&gk2s}7HM*qf(%C{+9pe`ZUzAGA)7lw!HUjI}o`ZAL)*inZSB#lnW z8K9NB22~vdg|@Qo#BvY68Vfu2P5|lILBU_ZnH1fNbu&;+RThqAd>Y(!7d4i{i#e{s z8pKqMR5uYE?sup-=c2~g@wG{AHK*`#5 z?1fIUqUtdBZ+-XW%Kmku9HRs>M61-@X`q91_QIE)vlYQ?pe=8Uzxs3aR4ab@%^Epo zw%_5;;JDq@BtIOAdsx`!s^glUrqt4;Q4Za27zx^J@|uyBsH5s!p^^o3Mee4=xF0e5 zD{4CrloMeH_g*JPyY9+_!X9#1AoUH^bm!uX%;Dey;o;{f=b(KKcz~^g1;(!TcvMj*{3kWwU!M z;k!pG;)qS9rbm6>y&GkMa@??MEhMZqORnosnvblmKK(wy7n!a&|gSEL6|2VdpB93tO&U$Dm@bnL;s80OD(0(!!w( z8M%qte)MvxnPh7v@~)t6!YA*D@9WhnRx5ZJO28@H!O1SC-?e$v*pv|nXTc{B^mr2CeB4%A^F-3qNx~ zv=wF1&F!BOY^oI@t8Bw&WUXlxj^v}sDcWKBDm#p>s|}&%Z1Iku#Kfjip{HU*EdB*5uYL&&#+^i_g(Jdo|)j4BXL%!J-5MRi^c`RZ!gIG|I@v?iHDZi;QJ%HI+iDM`&J{*D2l6zf zI#kipPkbNUGdUGJ=)S%x{=a-3$!J%!rGaKpATY+vJP;k6+PJ>iRMmAo?K zR3Bb6FD0C2e zc_WaLgbPFnLTYqm@0;7Y#J24gvEZd~CS`jlTZdixzyL-&(r$dGFR9iz3W=)wLozm- z=-_+3L#8?7vFZ<99ZGAm1~2*Ae)W|K?3hAq0er*u>tQ77iaQQ0VH!@i=6(knHeY2q zXpKmwQ&~uXWb4K0pF52U(DR*HDhT>s-Su_1KO8XnXX(IBaFjQrISU2@XSIcexr=h4 z$(wit#bj&ozQHb2-nik=XjOWSoL<|Q-#@tfRosf=W6L;z^n74iZMtlk_zgUF@zZg$RR*SY0y6xdol)_C#y+PsrhT;D`$1sCP57FVO9;vfUC?0$i zWn!*^ks z*PEcHoNm(O_X8tCp580SVW{qMD{+kOWkYLanh)288h-kiQ$GbDIVR5923!rOU6!!g zkGcjS!KrwBk1)UFwW(=+9$TmOO0IRS#RM~Z0lc3Jv>|P_`-xwj0Ay%%H$?=U^{}wD zGNg#3BF>leBc&*+dlJ$GpNfV5xCNYMc=#WrqOB?&R1VT+sybYohBgI=r;OhYl)C3)P+7<+Xqk$BTwk zQ*u92F7Odq3jLP)mQ>SW;fNpiKBRN}(KdL=_hi9X zHl`f`2t!6g`zip#;7bOP1T{CqH7_JdiWpA2&qcN`IZL;GHt02P#ex!{o{ch!nij^2 zwLAvrnrXtHe+z76b7q&Xf}l^>ijW7NU8W?^>1~K=7HpKVi@eoNWMQZ6EwlD#Vi|;< zt&$W@GQo8glF~Cgd1N$&v{biJbSto2E=TlKp5YBJ3yr8F!b?AmEH&0`(75e$}l4xIinJtr8q7f?x$nXgy;?&#G93EEsg_{d>mj7ER zy#1C0sbBhA-idJfNF))TTcF{heKDT}wEm=L&Ct;+x-TA7H6Bu|VNE?lZSRwe0KgXLS0aQ^$ z#G9|E7LCaZvh8fyzl*=;AtALK>2w}#o66PPCl0eb&*E*mYhC%e2v;@*ccWd_q^xu*}q>@JcIVaFjQa7vV z^zADXVA~XAoU>^{2C-J%PRd57xS*0732{Fb;Ol}%Y#w)3ab31ehUev56y`4emA5_O zm-$O*>8*GLBh#roT+$I}bUE1LeVeND^CQ>uBtHm7+^hn2Ot4)J_Mj%_&tHs>!IuuD zMGk)}8VEV5JyYvo#6^jNMpjA!J+sR4ll+0O4-fT#R$iT2s5Sd`2oD>J|CADNBy__^ zN+zn-_cBQPrXwm+m7AXWJ$kT_WazqKTsJj!*unCfX&)p~LnDKKP#pCk)LLdBp6uSe z#UG;G=kaqA;_9M%PxV_yMKJCfCiY3dxLD*ZU^}>tTs;@taKf7$uM^ygTrJl6gpnIs zKlwcylz#09&tI7QnKC2#ndg{QzBI*D%j`vx5}L0e?(?dbtpKh<>3YO?zj1G{bERrT z_kDJkv}T6va3pckCv!@tSxIu&QiJpoP* z+_zqZ>|@-4>*M_77=j8>zt`&3@CWTv<7`@mBDDwXBUQxmtn_c9@GFr1w1QI@`#lUi7&9sK^ zvYD#?#$;Jx z(>PbM<17N%SNaUfHI^q-&7izw?Z0S)$G|rBhGyV0_JknF?4DCMf=Aqd!?i)}# z5-1nCT5yPEu`;$H!_=fC-3Td{qTh%>?fA=CHorQ+O`QNEw&+Y68cSGTlKSPwpLGyH zYH)J?tOV4$MSa@E?NWnxuz?-G<<|BAY zaEi0*4O8;q8qL_K)wpP|MUz|2r-R07l}xs3{)0o(NC&O;R-28>WQthSd4~x-?}ytC$TU&Xy2S$ zl0OOX@7E*hg{6&}Xg3!Ona6BzuQ_g8?Cb^o-U@cCq(V~)5W{uTe;t>uY!g(*kB|o` z&%qmbown<83u|Nt!+>ly4L3x>U!N4YEbl8(Nu@GQ?2|`p{(bSYW(7kL{c%$jAO(-0 z&2C5i^RwlLC&>o3Ndc>Y-!qPQxhcD*JFR_uvRMrvijs|@X(8bk27j29Rcy%%-*mp^ z^l(U{=gbrPPLXr(fwN~AQ6C@6ejuExMoKNWZL_zjcni?ZpJA{_OcGJl3-UMaAz~sX zgWIv2Y@8g%+wrPkhfs_}H{Y}kg4aqLq}0?HEfs^}F6n^In%;dgR@h8!ihOhS9WEKa z#f%F3mI^na&8GsJ&Vy+tF%D6j?o>K&EwwJR|3c7goVx>rh3Z!Fe9&l{+ZTr%*Npj7 zVE;x?&|zt}x~K-GX9rX#ezi~!Yo#JyRT^F4w6@tFT&Hst(MsULy=P+s@sYDu>R&7 zCpVta@p+W|Ku=vV9QKGT%OCgfdc7%q2-XuSpg~zY-ERI#Cllc5y6bBj7i4dMwYMvR zlTCw3e#sE^5ohf3St*a#0O40!M3CnSRJGzUtz)J1_mYz?!vvO&%`;Jnik3-vxRHo& zr*d9S7GWBK3)-QasI7$X2PlNg4Zqe^oniC^oH8?%G-96QUcE3{s>0QK$_sfDXEIiW zN-_5M;xg_i2ltc9ix8d`4TS?A&dF=bXc_EprdWws%#&hc*pg~cAPz8P;rzFqE{EKG z7XAGK9v%`362!vBf3a_+!2W6co|$X_$Iwx!Zy*Re9|D>nzArzC2xM?LK2RAqez-tP zNL!^@06cXR%vvAz8t*cV-`@;Tr2-f3I6_Cuo>QYeK{|~ie8uPy!?J>CZU-~Udrd7f zU{p|dqLl*uhaU$oouear8vWhaP9~n%>ex0Ww%M_5W8#Tz zdt!THYhv5BZocn(eh2HGi~p*6@2;v8<;Z%&Kvt-bWaj z2AgtiEqC8ZW*hTCR5C5lUC`l?N`}+Rx@FfyF{=lZvYY|INexX*$%;JB>CmJwVfGE_ zn?T0?zh1<2VUI}D(%KmZJWxe?IRkcfkVC25Wa;t>tgY{buAuGQMocz{>G?ht$@wKw z{WhMc%M4{X7Q0Dz*}t!u7SHKPOLM5ZXh@Egt(_?t7$`icO9e93iSQ9` zs9GEne)6JNJvJ_p&UfJcxcN-3mUHD)Nn zbx7!ME{>RkIIV;4c!Y$OF&=%B!N_VzL-GZ(88F9PlD zgpCUS=nW2)T3v6PAOuKa>GR@kXGkM@;e0$f_(Y|9LKwdMbxD_8Gt5iE_`>^X1r`CQ zSte!^E+>|RKwd1?gAI!wcCj#iM*i#}iTa8YNv;;eJq$Ug7SA)9ZB_5$yq5K~Qd--a zj!d{HRjK}y#Zmtd&-1MEq!O*MgEczTdOS}4Kdew#H@P=3e{~X}CjR70j8M}wo*&eC z(lMO9XI6N3EyV_f92-A6p%#L7Fh=&%+sSr@MlOG%K0v^}J{8Hz(`3gQOI7+}hs%KI zU?9IsE3RjhU1;Sh+;WUn|KSlN7z#e=G0&@#x+~-SMvo?z2a;|HRLHP2`V_vd47o-F zgbgU;+IygeG3+e~rW|%aC|^Zi8a9Y~jI(GX{>EZCRW4AdCsUtrK|EGd6F;sM=cUt0 z-J#9hBtBh=C^wojwCa83@#o4r{~oP3RM-XeI51HQlDS(0EyaUMn4)`{9+anKh8pZV zOIdcJ_=^*M$7vEF$&8|nahtz;E1kZCJl8%$plb@z?Ujwg@EXfSJWyW&o*{rR7s|Tvx>)5Z+2PCXjv2Mup zH&KksKL?KGNE)O04`0;z@_#mGF+kq&GxzFs;X@r)_QMp6%W1<`qDA`18upbl2M~MI zr_`n_kW#zHVKwqjJa_Ax>w;R8X?i;(u61}QrjX4X!X6c<`G5$WJmP-RZ#tmpGX@pEz5W`MRiy{Twc%k5Fh)^2fg-Q#;6xnoLj9f*c&8Y4Ql$=IF4N^hW~KIK|1QMI z#Y1%U*s3Q0<<$lkEaVL8g9v-2FgG2LB$2Q}iz@JKjB#d*Pl z7BKuL){$$Og+7}lRd16Hf-0iXhKO3)%S2H0`#R)|?da&QnwfW*Re0BTB&P0Z9x}`r z^djqy{fy|m(9^fKe(a3i@@>D!hOU)@1GAG^ayk~6$R3~l9LYRA)Wq1COWDe9Zwd}? z#&0r9+xvTb^=bE@d>qzaf9-mQMMCKD0ZXQ73vr;I^+Y5cCvR(X({wA-V~DDl58plr zNPkNrl?Gj=ukIVwQF2-$>9K@LoDtVrMS$XXu!Dy{h-<3k3u}{pTyhCVK(-bnV^cv>J!Kz`RRB!4ldFc;tV@*=FUd)hu z)akrFb+a6}&!p)d$Qt(-ziKT*)){?iy7B-puI>0%0$ghsc77+$B?ME%8A*V<@)W+{ zB7C?LL$!%>C+7I1QacTwueo?iqUPO5lK7)2kIe^*l~$X^2!ONd3RJrn;8=-|**zPC zTpF7ZA817L0ZJ(2KBU%vmXQJwp5Q}$FQ9Yr!s;tRFVuDVizW(9y)z19 zoe*fEG@+$SKY4P@&JhasEbc8a+Nx-~p?i0p|EOMF9P>hbAD732>j*fUigbmcUSGQ{ zCWSR6RV0Ma2ob!ZIy?nqameknQZks0Os6SVAvNFWhn_lbH#;oK|NZ_Evwwfpb32yp zCfeeCallu>OgZC2_K$4I$=MNTX!D=ir7xw^f7y5cZN2=*uqX<2GIq4EceZo;zv z|9z^ku$?=RHvN~1hMt+_ z%Z~IV$m3*U`o}NnWDK-*CSw0u%>WTYdr6>$nYr_q0*3<*@K1OD9HVDq{i;bh8(Lc! z3)z}k1OL(6C_4jf)QDJ_-~bx`@g7!Y_OB+)4IPz%&O}rIA%HMI1Rx3!1Be480FnSH zfDGUVKo%eekOwFL6ah*AWq=Am6`=Mdi`M{X0t^9$HugYACqr8kfT5E!(9y!l3Sa~< zax^psS_4g;|6OwYXL$cAS^=H^^X0GdzYiD#jO}b}3;`wpAOPs#VrUHjx*J;?+5k)e zrWUS1fEmE-Yofmz2bcrQJ?zbawg3x&CBO<`4X_3}IRR_{wg6if8>6prSeV%Y>;QJQ zK!82K-p~)>qRr+^dUxT%5HTi1a*v=6Ma0R#l+yNc{Pk<-T(T@7xpOv`9*A#zw zgTB_l|Hv2na>xDGs`xJr5hLgSkq!MLpX1>C&+7ls5Pj*2{;f&=>chhNYX-iQoYr46 zAqq6MGXZ|tP2v7y4Z5#XxdAnF*5lda?A>6ZW$fMDU@p)a0z!)&+}zw?QP%icpcg@U zVIkZe1-Ev6F4tOb*X(>J#$#`J&D0n48q3wr*L}>XRM=7n=+7qnnIBNFOkFYALH(JB zC&w2w`!VwW&>12(fpp-s##xw?W%(B~5PAJfEQ417$pvo!kp!Ip#m5J6_4V~N!Syff z3@Sk%9$kSHtSPGQzuE?$>!$My0U780JoZ>UMyLw}G2hf%^EdE<<{|pCkGSL4p$HBG z(V_tknoPuqLR6MtPFX_-pPQok7i<`eSddbgQE*`a0f8BsDquVS#f%8NXLbV?kNbyy3+>SGZp;%ha(dxzQ3F+k=bFh8^|z@!M+KcgU4w= zBp(O_6Lh=Qo7mQbt;Ht?F*N0CGfX?jCSGcJXMJRSEBbIR3oa=p&&H;Gr#u~XWO-I_TXm<`pwz9 zKnYcT4EV!tK{PPC)PaC!Wo;U4{Qf+d>^^~bOF5DKj^C5*ciHsGb0Wayuag;IAcJY* z8q=J4z+l%}C5U43w;M`~z{mpG!0a__y>DSVho2*NZWA&8)5;WkLo!usNu(zm1U{FX zxuULfOj{b{{qqMf`I9H^6PfHo0QKopbmKFt<+FOmkL%Cp>h0U*G;_7V@4B+}Rgkyc zK+ukL#z_$J9(}j*Pb@1-XfUr2j+sw_Qt&tE{!b*)je)x=#2u6h4(cV1r4K_0t}%aJ zf6Q_sEGH}fBI>6q3BT1wB1}O_Mi?;fxtmLNu+-(&*3XF&3q-v#GxD(keF~32~FFih)iN5XBuzFM@0xiMF^_*mI*H6Fn<~*i0)&B5vwqnn*m}iVEE5*m)Fj%z07> zFpj9)7-mB);VQIBEVID)ZL@S%O)R9srTXVy#dL55=Z{RBOAg733D6Sjuc%00G!YLG zh8FBxW@I0g63_9y)(GaNr({p0%DhnbRl?Jfy~H5ZHgV0YyHd zhj*XPRO5BLev0B*VGi|{tmcIbQsUr{O=Y}jrQ2PxJ5n|hOH7R@IJ1xWn;cJW8;d~c zAr&m+FwhH13as=aJ#=sSWl2fYAvWHKcpGGLeO3-5-oqSq&+9nOTWLMi{*>UeS59yO zb08Dc%%+MVxbC7Kwuwu2CrkjmX;gE@Xo1>P1Wp5o9BT>#;U$vP0d;8k%4-G`9Httq zkH6H^8DMC_SOoP7EYP~bxJ6<6a?NgW+Pr}Dqs`%UJTVsP@4A-hp0RX$LDx6QrnH2t)-CUdsvnlFMuZ@w{mVZg2r-04?*TMBAzZQf8j4_W94bxAJe6i05(3P2cGPlEsRdNJ#|3 z{_b#CXe_OQX(I=0mRZnIdrt+Xs(6sD6G(FO8hz6&KCRC#>rYezX|hMJ2Ur{@HEo;veF0 zu<=_MUhwyOgyH0yj5HgsB0UAuSmwfAJeY!l6D#^BBq0*M5ib7Lio4M5+@%(%V2kx4 zx+fn<-aUORENgS0=&Y1Qc=|vA{D-ZVkmY6S2#OMU%0Sggs8iA;HsM(odb?S@h#`Rb zyGJ3dL?p8Q7DEI5PJv5M#Ph9X1^NPNwm2jt_N z)4y#(8QyQ^M-lN5e2SwV^1p7DUBdpx?1hhjUoW$l7b~gcgbVn9E3`XB7P=WhPQQIf zX7o9C%SUZV@_#+xK}6t2=0gRGKnypYdA%rC6>$DmLV3(#DQSY^tZOGoDu{sh>XjP) zz>#?5Lgz&c{2S}uJ#X(=(u^&k4YZDe+fCF=@N_t?K%3uN9z`Zs*yk~-XfcyP7O_@z zGFpvqi%O1OR4_)Ye&}w_LH;pd2kO?@*~=83k=<1#4m%W#3h`5^B7AGsCR%QPp(6kw z0K$3hEKV|I%i79nIJ|blVvjn_T|q3|KbY{+0y= zh{bjh4Te779>VyB2u^LM&YFcvaA%~V_EOn?Gx0VDLl=|`WXCtxuBR6PYQd7D>2i(o z*;E%XsbF2It%8^>gHVR;B8Y?LiU8eX;uSYnQR|50Ynup{{g|u93h>A0H+`nMgJEQY z&XY^(9rUnoV&H3*(>F@5FC5%NzZuM57%%?@L$|+_q#7Rd98-udg_coNGJC{L*FnM3 z;WoLc7H=cob>h#&M8tcgcJjE|1~&S5*-%vm&}~2vOo&zr)S|qAh|67Q1a?_|$iAP` zkbvivp-=jx4uAV$cTalm%3;B{qb^aLm?R^Fw`GQ)oF|?Sjx27{_7!nq%?+EhsyngU zhpcr9#TM_FAN#bbx5Tymk@`s5Nx5f+ok5jP$~k81)h_J-Wcvnj?Cg{|XqZfR0As<# zy}aKKNAQmBMA4X(_tRiXT+xBXiy6#;l1q{D{pK%u6U^8?M&rFA7V;}thuZX`G~qQg zyfM8R`#WtD@*dS=C`1kQo@KDU7gNGk+@2H}|12Lmm&%2jhv|(9g8w(>;v_meSj|k1 zOtMWYmH6A?+#s8}G`zPbxv|;f)>V2cg+jl+B+v1~qteDvC}WOmp}C^KN zzbYl4%q`a}fYVTuK!?_1rJ-7Gnyi(m7x3 zt2x`#w;+9On)M9#z((ZavHd18u2P!Wo@$PST3E@o&JY~Au5OxL$7~2ab;J5IS|Ei< zje}?ac2_JgB-2}VGRikAE<5Ey1;+eJr5-H|d)w{z*uo#sPm-lMgJP9m3WH6PvW8u!WwReku`1xxR^p=e9-5I%63I)Gol+F5t~ z%GH6+NHqHzygRPVd6VtSLL2VQFg^wq-d{cpsb>tXo3uBf;x@inJyr()Y}^p}VI&OG z_#s-$>CqmXLa#0|Ze1mhjs*s(FGJOpU0b0LpVds6{FK6wY z42O2r97I-J4a~xfp+a)I;lDlkRv4o6JFHrvJvOPuBK(?GL^r3TCV10PQE(0= zC3Ff@$ZBx5d>}f!6IW~ojs$B^(cwRtLohGvCFDuIjYd+*TYVT~oWQ6sH85DJN^i0n zD+Ri76Sn6@8zi)~2xz(=0)t;V>fj~NTrPjmzsXIPNlP3?r5mKk`U?(tEx%#=)Oxzv z^mmY}QlK_xDVExSFE^k35!KKehLYb*@$J_Nt$WX=?-b;c)cD$oU`6swR@;#6a-pOD znKTy8KbC#jy9%>te8PTE5c<$?xPwHfFx`8t;|E>6N5i$sf!^0dl;Zo#v3T~ANo6ld zKI&J}YhgIPbp5)92i?-`N0*t$*Y0RX?^SBtqbbWxBSPq`D~Tc^zhw@y`;xM2P5yVQ ze1!URf6YZVPro<&M7^9Ec$%&NXo+#R8xF^WIqh|K?gGfCWreRcipxX zemS(D2WxNB#aWKAQcrKOOa&P=a&}?PR{NpM1^;=}&3*9_RJqpzjn*cejNc^^3l@ znzXjrg4UCUZ%_Dt-biHH8h=P~*gVKBk{nFBTo-L!Z8h?1BT(jXDQc^G9?hu_KxBJo z)DUZ}sFlb7om@Z}pS#m6P_Js0=N_qT(TD;)psN+jSABd9r4-mJIoZ0;CI z%D3yMt7DkzZY6uHQn#A0(5G_iWwDa}Kzx|soHTq?mIhj2=aiq9KO+NuTP?TWH$rO|!3Wrq9=dkXuoojBUN-~cm)fOdS)@rWx1hA6ae|O!Axhxtw4rw8@;jmWA&9K3oJVli?P(F7q{N>UkGyD@ zf%%CwUG~!<9rvS|QPSQZouVXRso~tuRL14_t9kEr1eq&&mGmh+&gVZbY{gu*H|bnS z010EqS?kJ9Z&UpPov{UZqk!bbCMB8+aMX!*&2D75aFvd|nLT{DBB)Zt)6>%4llZvT zLM-kPg231RWm4>48RI*FHiM~^~Sc|nrL%Kq# zN<9TlA1$5W(ZfwqE+@jQOkrg z(gNdbCCZMMribgd)&9L9#thg&XohXMdH#*v<#jIy>0E@EyEsDhQV!Qs!r9BC;^u}i zZ#&$gCcLK(2iWy`Tv^@y{^J9}X*0{vZG*%HXP<*j2Dgio=#eTdVSIw54XKHnl;x8t zPxO3Wy1GQ_82Kt_+-+=MXTQ8lz<-Bc*zxiQEx%QL!Y|kJS9Hl^%X$uh2SW)3xI8t= zhk);>;zFi&o9VgjWd+NIex{#sLrB3lzk(_*XB&#quT(m!W(>#;qMfxfRWO%WN&yyP@kJqu9XprRNeYSI1y~D+&WUjw%UY|i(iEGKW0p;K$xxCI+ zT0)gn(-7mHF#)m{m4l8qThrN*8_c^u`+^n-SK4AgU&GBpzKax_-)WdBh6VYHJpS^> zuxEHd$m~jH<@*w);y@|$hx-sEsF=(mJ&WO!JXZ_!!#`*(Zw#$7v$r@Qa`Ey@dcW5I zki&R5&7$2Q5XP$2UyOxPdht`E13Le3*<-HYe~ZXrCb^nCgQ>ogvSVdfV$tMIA!*xe z)t~*Vop+EkFTV@*{c_&g%K4E>tzE8|}Z*H*&xR{-Wsb__egLuslVj zQ2`X$v$H(&GS$ji>aC>84qWJPJ}ehm(u(P_5&I66nRI<_I3Eod7OAlZj|p-vuN6k? zr*U)j&w6esi~1a++48#^9*|iKyoZI>pWA%rgHMASL7lAh^qbB6zb6|tyGnPzd)*L- zc>HMHTo*bu7FoG6lWDPk*MzUbZYIf0kt(JM^@@la4Jok0x6yqm`(4j`iYl)TZ$q<$ zDePbq+r_D%FZ~q&FgQ)BXm|9Yt;l}pA52fBXIN7t#(B??qDXK%f1~2y#sm2(Q@Yr7 z3fP0{Zz~8bL;X0wR-((~K;YvEtl!W79n6j(V#s-(H97Qr(jB?%fLh^4Q*D$E7o4}1 zS`2T1&Gi+pt`5nL22GZfw{@s1M8=1P2Jxm<7zfWC_QaiGwrouFQ1y*3CTYcK*U0pl z^Ah66hr(Y<*h!6VoLO|aO9iS;s%M~hAiRE_aSUN|3KiM zr|Bf=S}bvV4sc1VTNgDc0`%Y6Vt)7f+AZWXRA|bB+7{wNVgpyuR7PnWhrud^;x0qfO|S*_C7+0iVN->eO#_nhce_xR$YZ8G|?p zF!rl>7_0}h?IpX`t+q;WtH|Ulf9OwfzhR05ZLT~#jL%wxNK46$N^;tE9MvaJG~Ek) z{y})qCkn-B&ceHh?N^{GR$w^{uAa?Vl-hY1A-M>ImFC;{tD7DG1z=GP1+h`eQ6*uv{EqieR}onX6Gq zkabB3i|@9lZ}ffjr-5JDFWcW{U{OdT-vg79Gt2%y*4_oKYk!F*k|=D}>~^dN6IgeO z)>`PbBstDs#2yV;HcuCjPS44b{UAp=-6t;2W2|nFu+Jt+c5saQyxrrupL895Y!f7cmnM6^f~D&<+3VGvNL{WCTd6vP_!A6sr+HSZve_>g z{JZEu&>Fh5DAp+>d8CAp5#wD?+z+{dCX%IEZH%47n*~iTQwKj@cn$eUmS^QQaU`OS z*+Wmx0M?lEZcH?FpW571!$*VvusQv00LWDPV_sOfAGzSZRny6)JOa!vo zvZT|5VZ2v|86{R=f7f5a8X+ISr3^wU*XOnGBrsUFGuu9Lt{Y^UPFs^X1eo5g0W`)z z6L`c9lYHFxtU(gNfrQHg{^JI_Zu}JpZw&f~tbNxnS+=s?JXdS<_~8=E`wY9NpCAjY zcnOSCdKS?T1vYdCd)*7WZQ_s;6;wl5_WO_c7Le&KF&_a+#0hYX*{PTixkiMNM$)4k z=}o5xYZR7Q6#TH?nRw^?4t6^d#`|^QOohz2wlq6m#rsij?pt2dGk+a>2d%r5z7};k z%ptohmgwK(DyK`1yrF?V15qqIyI|yE>;g!Jy;*rvp zU89%i67VL>4G*<{{BA7|4E@f*4viC#Ju1KzWK{#{l=-7Ce+vF`aX35t8%jl+kom9n zs+9D2x=Bn*_Kek>+_J%HJ38fb$`PdB)unf`fi7l22@j?u_TQ*}{)%_l11*ZNlvpTm zX(X_d7`PKq{}Cd@j3jp5uhd-i)^x;>yTw* zPM#rE#$^Px^w`cYv1*Ua(*o0Z2A3r%rt;Nxq=Z~xPehnJd2g59ycn5e*Jp~ajq}y=rJ(sH{g$9XvK#z2C zmV&m)izj8W&aho`R3@lf-&J*Yj?!vGk(4J!pFws}YCRkLx}$D%8Gj*IKCjIUVKKe_ zRgS#fX!Xv1#*^rCviohhgJii7-apcvoY;JL*RPZfd2-9LRoq&~?~--5PVoozUh^>Z z%N^`yjdN{=4wAbXTxr&IQ7wLyYo}&T=wT=uY92}<4@ik-bCG@dJ1cO`ggeWHPj3kP zV*@*^;)jDwzYDtyKg`e8n~(eb$dtUo-^_;m#$HWQwsRX>2&*g7uCmx~sxpEa&Txy! zeCF(XuF?UQw?Zoyhi)9CB&73cd$bLNESk{J7(z?_6!Z6Ka6m8&pI<~Qeq9!^Nr{E@ zBkB&!2t-_l|tz=1^fXFzQ?cbGrCZ>^&wm8BbjrrGSTe>)|N2J3kQ~ zp(c9}_J(WvQaEYm`0#w2;+V@T*Lxpqx9w{ln~Ng9JQeIX@rwxJv$3nd@l6&TDxsB= z1iSKx#&wk(>P!0}5x#5pM+U}A(QVz?=AjNNc{#@FLGK($C-EjlhcWbYdci_gCtTZ^ zY~ey}$Nc@o^)Cv7-?Jg1fC`j7Pc=gdR5)fMfqKZ`Hs!o}Nu8a>>_`?=!_3-hfJU+L zyCr66<*2rpj~KVVEXS>Er9{IE;maK#&N>cw!Oz;obBuRX7M`m{R!zdxIVa!e0iuRz zjx2+Pgrz?qCC{R&7!PUb=GK6m@Az~?)^S&177y+YY451kleiwoFlW5uqI zHvfy%^h?xjwFaiFnB(hX#!lBF69{)G5L1brP0`Rqb>6XicOc(VR38i#0=68`A2uHAra7#Wec$4B z!CrN5blQhI9SYEoX=#{MrJ_(J(3WJn2q@rE=_sP9$C1W3Z;JZY3y|Ztd?M=_y4b7; zUw4E@;W~*fY1lsrs$o{~v5M#FA!$E+_AF9!Q1MmhA5$Uecn%!Ng{}OygI+blc^yxQ zY$1AI6)Ls#KXEF&Gdwstqh1ej0c1}7Q)GUuCASV*3G?m0CQB4!M_Z)zOQZ);>)3of zmEn4yr8%-C^Z0te0>-UoNn~Wf{x*DFA>^1_aMBA;sI_@(KiZ|bMp7uIMCIEay(>@J zPdQKJv`Z}+_y3%5VeR9L^p0;a+JeiMGH51PuJ$}9n#SZ%7rNm-+Fa|5Yt>Rgou7O| zW~ARU8JT4#MAnpu>pe)~hzgoxlkXo-65n{-_vC3w-DGn8>v;7iN>Q2J#nYyA(N`pV z9liXSE%nYkZ-o$sKHmjx;;}>h4RP^Z@R5Hb8N|xGHz@pqCm;*49swDX1QTC%mB1e6hMcA_Oc7d({Mv!JyHlqn8+>M@ z^P-X*DoGhk$uH$%UP~x%CDm3kkq~z)Y+Ql6MAZeKOa7NiW9JH$62m@f28Ms zkCrxQM?jZ#6$mxQ#a&PY!CCdnKsq|YqIG`5zXYj!s%+>((!W<_7TTNX`!G{!P*abx zd*}MN(1S!AARl}1NW{2ch$_HyV5WF}hu>)m(PCcJ$9>4ysJK(YhUQsK>WpyTt=*@M zR;aa!EDO;d%&V`oQ@B}-fb}5bKaEm|qeysha)vP~Kl2K4Ov*H5Wrg`AB=O5^_;$pF zuXJ3`?NqCFfi8y^I0rVl6Noi@H>N``qyzlQ>sk*wpu2Gt%wL2onEi zkq&>uV^q>pbXMz92%@DmuOo72reG~^W)^%FZ`!{uY7TD$p12`{EAU6L4z?QKQ>^T6 zd@37QIHc**@wehlxU4J;CSMaR7c#Y!cvugqbA5{1t@_wA7)!C&5E3S@Y!EAf+W9b_ z&tXvlYAu_=_ARKe| z?&Qt8-D4Epx0t1MkvG-;4xTT+a$cx|Tt#_J_?AXMdK#8gHKd@-3uvRqaKJVJ4ROT6 zii$JeT-!e#(4bk<$+HE#(qb)Pw}jz+YU~2&NC7SRTQo(bz^P^TLK?q9l*%~iYwps7 zp6MCxjb4VrM{wM>i$aaGwt=62mB*WoMd{|159H@5QQ$^_G`5nbJO+*V!1Lj1mEQH6*<5$=5mSFMV`rIJ`Td{)kYdQkbKb?K` z=-C(8TC%&2N0ajAzH~lV;>Ipf;l+e^F61xOo)8b%(06$}%1YMt#5ZHMa+FMR%xuB= zlu3&Ce-q)L|I7p`S;F7iAG>huf-FQ2^_sX!5ALqSvoDQ#9ijM$!l}Mp^kbRaRq>z? zUQY1wMC3i4+*9$81{S2W3uY@lPh}5_IE*l%MaWvGf9MwpGp}?MBo~LcYv;hppk5d8 zM>dvDrwOLrjs~cAt*LnN84^z-{IfSp!4i{9PMO!5FO2e(Uw^b`PkI3!mhYLxmYY#? zRi#oi(|shUO~{}v`Ef{xAar%pT>T{Q+Xau|;O;u!$s{;sl@JAP7z~9k;<>^zo^!}G z9-;UKWwlQ}RgU?*P*W7srAfTEO}xjIMfW=eXlY_qRdzHn&!e1bC2e<|a8w$g^vHPW zn-X#?1r!GZz3WHf&6fF!4n2@x=u>1dSE{;S8!!6M7=oR=C|2?j-({3zafffx=vZ!Q zy&9w$;#AxiC~SR#vTO8REfCxH@0Rg%?<97rC~d^BcaD^#IS#7AJmK zpF-R8=blsPl(Lc1Hz9_z^~h98J(7}F;=1|6B?`$QlA?Lz{S=X>Z`AbsjRNUNmCtNB z3%+n+D{k++&(qx!{LjL&P<*@!N6MFdjBNKw7iRBWJr_hrXyEA!czUMtnU^?Jbm^qp z*UQqzx749?MQ4qq(K$7oZ||x7$@l72HOLbd?^4+}!}XQ%YTbWke9sgeTPJhwj}siT zp>+W*VYcP-K;`Gsg~+w+6ZV!B#r|WxCeY#x_g}H{c_c0ThQM7^a<$eBm=Y7e<1?Ni z<*lxZ>*&5A_(cv!I@QZ^q71A2Y8;cHBWP$Xt`K3=#@9#@ZU*e9rk-x2I;6LAC`2Zc z?brcr40mY1!@|`?khw^KpzhFOj8@06hHI+=CeO3K77{p=MQoVxW}*ZH+YxrGB-J*q zisLbpwjp2NnDPr_rfsQPZBG*dH$P{mv^v;vw>Uxg=e3HB7R-EJ?fq+1g5JULTPDPk zYiLEE&4_I})J0Pymh#ljDcZO{zhP7JDhpA{jvlyAV(?hn!a!0W`_k9;kmuSSlV#?v z(>xc<9r;E}>Pj3tc{>n#Ln)15Z1$Y*y{ZA?|HjxZGA-I6i1Arcx&}E%q#Gx zc!Uf%k5#DiDH0wAQ^)=^HXtu5EspMx>7FfMCjO4WlGFFNHw3q`qM}zyExg*=XR+Xu z@)}*cO+sdmX%r+h@QeKWyKxc>t4AuJL)B?L}m>ylDwgn}yna>Hn0xMkJXpZqoIRzdx*xV8N6UQXCsL8d42 ztbS;nhk`?UeFpV9gkqmzCSeMJ+(!|CN}I`h8RBvfA{@~ZBk)ulBRu@9H=gCLYs)No z>w5hUV_E{-H}j{X3A-ju5KM8jhA7#b5ij6%7b&L4>N7lHs&4t%oWlKV)!{dv&@6AH zdjA{j&-~x8?*A{?Uqf8-hm7)n!2ZgHU$DQhowdmq)BV4}{v0es^el`V|KvWie1#)( z{TJ^4m8SgPasPi+{}cCTX8M1^{h9td@6X2aPaFRW@Be?N{r}DS8-C&Z{{ztf7t8+- zng4G%-_*{<@r%&^Z)E;IT>ih1e2Xs(|Njq+@9-b^z3Ug)?_}Zr{|?^&uh{*+Ap8G` z-T#w`Zf9gk#LN4CK>L5vfB)Gq@qf~P*%-OL=HlPA|4!YradL6}EBp8VNBD1*x|xQu zRTGq$XyK#WQ6~f{M&aWI4;V2lF*cecm?Z3Xp+ZvKHvc46z8wgqU1^eaQ{8)Q`Mx2bHAOL)5SIv>qGTnuf{qfB0gRj5LtkpZuNR|o zDhN?%cwvyM9vdZoel}K&;E;k}Cq#5ANCuE0AoF zftbZ=!Xza5eo_poAd_96f>+7doCvU6Lw@ces8q;qRA`YUPqBy-xe6eEzrooDkmiE0 zks9ND7oqphP0oW9gpUZ$zm~%G;v(HL@aM-z5HrdZ2EoF>^?$kr0V()}@&vTRcHm8c zg8~6F;LSDQ+(39iLAY-T76m0xXyCyQ>h%NP!UjP=6gIkM>&XYPC&S)`Y()S8xCy-@ z4TDGbS+(pk@uo4s1r7Mm*dx<{TrOzn-cE7WRui2S*&*N~gDWt&%fi5&xunh7A;*lo5I)9`Bl-zR+=r%YIV#tzO@G-v^!oz_iz9}PJ z-#kGdAc}o5{MybbKlaf+{Vs1e%h)>0;+*=KTg#xBux#I2L5jw~3=ZBpJj)4`!9EKS-(7uuJ=vZ67%xB%L*g0-!vWcSfQ)B?9akVtTUY}-1g=@RVTU%Dn1 zdAXN7^juzjwIT=&E}YBvtu0|HbQkr6E;sw|OMJQl=dN--?W_7B*yL~!IrGU z^E-`kdr`Rut0}#+7jTH?rxNf(jmeuRC42jXYGh$6IMD$(G+Z^4BPjuPiXZ_B#n&7A zIEl8g%3)PyH8^d;)HLx?E3CkY*kNi~X5`RNmpwK-i|kX2^iGgKCz~9XGAVHl?kz~D z-onq(WL0{}rYI?{49O2rhHLJ;2RCDlsbJ7Z$a$rn8%ps zjzknjS$@-2cPtHuL)=HbU1J85*o~-2{cmy#SCu;bRhrMzh3Xiu?ea}i=B@A6^oNW| z2C7YurW=IM2$+znZBYgF$4(99e_Gi`weE!VrJvETli4dwd!5?~>^w(o5dAY*CxCwo zyT2bM1%#!JA398Ub5SogJcXPG`&icpDXX+myBI$v^2h*9lE{XsAK8WkB*KXNUCy(_ zQOmR=ggII`g~!oy7+#lsq>_rGrI4dJnzZ6X<$tLP*!`@azAe^|Ovxhjsb@~zXeQnE z{=JY~>WXODxhYp>D*A)`W{W68c{D*N#Gb19d_7f)7`W-oHdI15Ww`^F?wK>gdvPfs z;zdZc^#gKT#&ZWnky#(tUPxSOaN?Grw=;U<2gahFd|5I!fu+@${&6iks)}SNdCZJ! zjqW(G#Exu%99!&>L4!J#+$LHLlM(MZ_F1)4eigToAipvhJ_)3wNpX`zt;mjy&@`$_ zr3JBo&hd!HXQb{bHLZN=oT__Kbo{A7qn)*(Z5dfY7HzFjEqLs(N}rcX>qi6uuulKf zaQO!X5`nFQ9#w%O{!DUX2?NB_>c%#&-bpab22y5K>v2O=sR@~oc`W8f;AXdgdEl|6 zedDivT7atR>~3sr*JPE$lrV#KSs@`=8-?VQL^(Oy>Lwl+b@MXyHH&bPW)+$A$#bBj z%-{#E2Cogwi|t!u)JyTj`RSg6yuldg`0vBEGFgNK78n0V3SUTb zi9929*}^$Pr?&?D%~IU;WUS~7LOTvOJoYf2uo7>xc&T|aGlbTkPG3QjO4ad%VwceFZHJQogN$kCIQkwJJ%LhcUT;9{wX??6c-XK>i|nHPDe39e;?i+FN)g z2K{IgBKu>#y8A&XN6*)9Zsa{lwa#Z)Ly$0fE)|C3f|l3Gm+#T^Tw=lJh8(qK-vAYx z%-epdn)g2Vk0%?tWC$eSxlA(t2~iHgh~=$yF{49Z(Ba7*E!97}!qRj!hVVtK0JBa3Ut zsF}Jov9>Et(!UlK)M#{Bq+ps_Mq|owRHR}a%zzW+U-M$H050q%CEb)Fde-ms!&Ys? zv|#^p`ZFTzQvb);pOGQ&^NP8#3Lx6>Lav8X&bz_HP(ht_jROdoEIMyUdB3%z8_O&= z*dPVBz~_V5yQa;gt#mBqn{6cZGq0mz8hT~)x;h!HmDb>k#YV!>^drx1quWs@s@t6` zZ5#VO&GG8%IpaDKYUSTyMDGac3y7c64#| z68emC_G#O;ZTqxs`?PJ_wr$(i_HU-tw(sM6`67&S-_c}T1=|6#rhjC3 zd!D-sn2f7~PisE|%XZVm7Nj&jbbSjbsH!rsptPIqhF1||%t3#%@l`TH>R*m}a+(A) z8xPoUmgQJ)g)RBH>sE+t0NQF^BUSGx-;#xR$G1&(ewHPxrks`KMK{(C#66$muX31- zEH~vR4%6B#c>^y#%fJC>oiygt$T5;gtq3J^2DO?3M9i}j0t#Tb!&gGM%c5(1zHEfT zFW|nV9V7a6HqWI;j|#A@a+JuXELla?WOiobrO5_}TgQS&y;20?NNK0%eC@b38I4)e z2fEl1bDg!AmHmM}IGKoJzCFF%BN>J@(+nfU{mI%>6R*nZ!Pb)d9#Taw?-vQKvM8n( z=?g%8mBTXYCjeyut7e)-nB zCY!|571WF+Ka7I+b*Q|<|4LD94c!B4L7yCHEan0hFgR!$>5fVW7hs;L$&pn}#Rd8iY)i=Qs1$bJiEE{yJ@bNlWgxDA;9D` z_nlA#l!=yZl-2z^$|z5>&H)WCR%_uq;EXk}9`a{oUPX=hU)>U^N7QU#JxO6c5OUEYxR6h7v+yb z;D?EdKH*-VS<{-Bpt^{>Tl{{Q4Y0jlbHW@vMC~9Bd&q`#OFEig>W;YVhI z((NfFW;S0*(s`dej=u@9jcwoClb)VA<E}N->~)2d)%593tX4WY32bB&Gy@km7V7oBk?(T?{= z25uW40gwpS{4ZBavZ*k=V$uBhNqNd1wFi>@4R^c^E#*fMSp18X^7)Fx$#^*z5(o?kD z(hb&Moji#el%VwHeZ4xOg~h?=wk!XB zrL)LQXkN9xr*a>4gzsK8(h=7tj%@s}dt^A#A1mQy*&Uw`L2K2gvl4;gV&$w+ z##FVm^+cWHmU-yBgrJ)DL~lAk7#5q~AiUF==lH5HFVGWCCehy%GUh-ZSvC7rW8%8a zBc@sek8RUblxQNJz@axU4cHpW!q&APV!qXRWFNE?;rwTP-(2&)9^h}x$AsTolTlW3 zk5Waydye0`T@fG##{qUdowt`@kn*N2Nl^c-Ig{xWQ;w^kV}55|(}_-UJtu@+Zaw?E z=U@I^$+r%LnOQrB^QMq9qBbnOIesneM%4Zy&Rxd)_^tC}*FEF=`N1QYd|n}5h{t6c z!)7R2E7gqvw51H`Q!ScfP2x^RUKJFq4I?fB^rsT4KG?Bt5Q4iunblj4+arCF6I#`mgms`U03>Nvmh!$RoqonZ!>@EW>PG8qH z4AgVQSY{c|a4Gx-VnMQQ{lSfNiHt!d<_0%ip5jn|SIEzmuIBVFOG7aI7y0LXXL`Tv ztrs@!$l0pHo7%zO0msGEmLWJgomy|4E6od{t`Zj5m}eSIr6+jLfZ!OH8LMmyrc^*k z4y(qnSQ=3?bTEA_Vjyq96bnWzT|bBl?MCd<28@FKM1+F0Lg^3rJ>8T_Df4tGwX2Ox zW7_@4?r%*o%T*6Y*2y`m)4zW<+!--EWFJkP_qvLmJ&UY_f?<%SA~OmT=+hF2gDP$z zu?S);hr|7R2Bo1kWyO8`cdf&zNk2O!(}dSqdEdS7ptMV*X6|PmGi)AXjNrQ<`yLP? z=ZYYOT|OZ_&vb_A?1U+C_Pf4fGjAXB)sWKB0jWhUm|xU4BM8-sH{i_&cLm0rM*_Xmgtvcj|AVHF$ol?NdX)l+HPrTrQ`R zBZfxCayplHQMA2>^(ZD2t9M%3F|M&OkchiCMp2#~U&v=B(go)5n$P1qWH2N=7(YJV2qi6}vd@#>1@?}BDd*31gyBp$q6nTSp>)R~ zH}SDKzU*KuKlihNy8eKiGY{}pu781}{z5zduMi3Izl`AjJ47NYCa0wO?>?meKqUX@ zi~diTgzXfiiA z|0WW0{6`P;pAt3NUM&@a-0T@x3M#cIA5e4c~6WBk0F@9m5<)J7fp1Ej>Ww3-RwTR_6 zN97p=wiLE0Qcxm2s$A!4c9uRnez8yAe|}|e-+6b%3<7ZiOYY-S&*1oxs1Zi<1AgS9 zCo4_p^>wZA$C81{#SSdg)j;?Y1KogQl4uFzD*_SJU@7|F33yTL45I+Dg8UKti-1i* zOxQ-c;sYrpgz|^h-yjy`51a&l9Du+47_7deA-`H*EL0E>!~uxEfe@uZfB{sGFxPu6 zD0tV)#qxGZU~#epXK8 z7(Qh-v-C*tWM2S|1gT6MNTQSj)xo)H6eovIvh+~q-u-TWLGTf+AdLKB0fvBfJXrDg zY8>uhd1J7JEgor!*R**eF z?k6l>-nes)07{P;kDVb|xBK%H`MK+s0peV=Iz_ZpYEO4*mX z2pP_#dpzcbBK}<8zY`&a!U8RASJVgd6aK9d@Eyp}IOF;%9!l5f*QP{}Dl_<0hXYs? zgn0o%4u?q1!|O|9h~gDcLO~bF{YQR01A%M*IUZvGl zI+E%VjExS>4NHO13nSh`p$&zv&DWQs7P&Tv2hyKPjHl9P?eo*a?TP(cWfab?>j#-m zgBm91PD%&C^KLvHGy^7J$1}2Yrhso%yihW>&{jLoyzh3gpV1`!R4&RVe!OmeiBQ5j zAf51Tm=_Us8Qo#Ok#R0!d&HFzQvO<6YO`tH;SeI|#k^XGTU=V)Eo_@^8a(T`k!Jjb zl9j^r)8&Pj9_eB|e8KgxpzN~hXeMxKRuWWy4$Cv7GC)6SL@o77?2;5*Ykpc=msXxl z{wvPcyV=|>sd%RuAYA0V5sdBkLQ#YF+7{Z>CT8;;+&u5|N2QN?=T;lsAW4dPLBUfc zu15S=3ibYs0k}ke6g2Dg%OfuprV>_4_DZsCA@)$SnQw=$wS9Xun8`D3f=<>dx|Ai< zDBDnJ1W*49|M0BjV{=9IDf`yo+>SGFh2pKr`WsUC{oN#kg06JT`zMd#A`R5o&!`!T7Se6LAKAjNV7nW5-?3!c|(Tv@I+ zrr|A9`nS1hQczTvhr2%qAD5>VoT8N<%F#J%QMHOb)UL^7tI!gHPijWRx^r8ZR#M)z z>_qotcj3UnytaD}GV4|MxZ>mnp8}7zx2n)hWh1XQssRrZ>*&YKyK_2Ol94EG!n+1r zCy`?j>7*Y>p1ls^@{zWVMvIy2n4Oi~wyU-^Ya4&Xv9y0v&~k?;hVy?GHktreA5+4F z9zV0G(z!0o!i1(v;l-08_E{d@$DxRukw#wEGhWz*gc^1nOh z3pmp}#WBb;n_G@R}( z_wIsL7yEKGKj9ziumt@nFl3<5OYgGyb^6EKlACV&f@da6b5YkU%Qavoi0a!kzflwE z<(3*PgdaLmJF9`h9a(Kv%bIffxYW;$h0Rtpbl`41Z@fUB$GN(4lqC*e>m*)v*&HKW zwjo2UeSQ~X=bg9MCu+-7_8TCJoRkl*{>`3Q#)6riU z53@gdifo=t;#5!C(-639X{t2g>uoOeeHC+Df;-eus-#E?PaCi?TOKraa&Iacm@?R| zXV0x;`X*bhA?TuHin%#We`tk;Z4^YLZFbKpbTdt~0Fa(3ERO_umlfY1akpexS}CyH z^IWgIQynP@v>T~g+v}K-HfaSHEUcnQWjOl$-6#1>sYB4-N`BRR!tv62)er4+_F6mT z<(<4|N4#dzLL-F_p)sLRfM!vJ!Oaww+yAi`CU6!;ZEN2yLJiLbNHsYQOn!mmNYA-`3f>~~IR`47I91uL1>kn6ld{+<56YBvMZ0(puB3Lk0NGP)2?HN zD}}-IKx?NFo85UFMnJ~$0W0HPGJUytXDaMR;w44aB`xU6r0dFk6sfwGe~D55U7nOu5tk4b`PY@3|BGLfjrm8g$N+ zmL>m5hyTm4$@b6XzpUIa{T~dQ?Ee}h8Gj!2zcy|Z{&QITCmR0eu*mi=ukt^_BI`ez z&i@FD49rYF3eSJL{MXGD21Z6U`u`ahe?s$r=ZkbPR?0k&r@ivqfs=+n*x3BJwfTYl z-oLsM`29cikyn^nNX#wZ-51^_M-!Z`S2?Z6qScQ{e9E$&jp^aPg|p;QAQ*tf1uil% z)YH^n03>#%O=x8-Vy7h#bU;Of5fEV9<{k6oC4E;2X z&AQhN|91Y%2?1i)1O!Ok(}e%0r7paxBA$6Cp&_1>AJYijfw>X1q$PFLe-aQ%&oMR& zIrNtvpgqXSmmol@;KiSvZVg8Rk8zSS5PDGd)qsg!TYY?2$JkF@Qm{WfBezT|qoumtvKsQCre?DMGwh-@*ZeJ&#lBGcR4lazYAevmkI+T^; zV&A}JOsN!)yDhl89haBw&}Gpdt8#gg?a$&K-AMYfvg2&WNgj19KKnye4ij+Y&SF3*4I5gaA058 z&%5dWWM%O;{gNWDu(D;D%-Xil^uLr#{a!;==Yod#lXQsZ@i*ercTGzm+86$0UYASo z9jp%pqPG4K06^du`Gf?*adZ41*>A4ov@dVsZ!Ge!W`qyh+~@C@4d26)Zl1mG?dOl` z(n2jO>m(_@ZkirG8N7tt%LQz?sfS|e4 zy=Igpy)8m$Vfrcp4UIg`m-w?oQo{vN0_4Kl45XI2)-`!<+gXHza9{@A1l)Q1_ACY% zSwT(xZ7^R0l(D|@DGYGTCxy?o)7|Hre`b3#!5NO3o;UXJ-EaT7E`MkZnaRR^v0d{i zN)?W<;|u9qh=?4}0^EVF-s%Prd4XMFYkLigK!+AF{VjKQEmZNHh$@|h(|ZN*+1#bB z_I>rm=kuKi^Gy;}ki`M=vbSJHX-F#XIW!|`H$|82oNajZ6fSA>^5YTR4SdzclUzCx?URSY_@2~l&(IRHaKxB1 zXSdT4@0$cp(PhwC*?ReOxVVO2@T@_OZ3MBBb{V{hWg*T^`ujVYSnk>W9J$0U9`k`JqpNK>lyp^4_Lg*?l~=Tr_BO~F-#?>Ksif<#Mh1;7GrJrv?ECUdkZZ&x~Dj@ zt9|?7)Wu-Mnh2B;5QOhAiI>CAm4~d^YCIIer{(re@NG_%5mRgNrZD?Krp|;!#wJ>8wvCY`5J)|%wCd7GxHLBD6bIP0COj^=o1;e z?2v@~cRC<2$?O1sJCc5KeI;PKIXVTj6SimyPeNvtLtKV~IK%X;H>oP$(MRb(4vfx# zlHP1)|6`7KU7u6B&(5>c>Gw&P5n!B7}RrO5b=N;q`oUhn(AHQ&My1+It1T ze>N66!>&&_o0gV15K)Ylri^?GG+u+1g^yJ^T(~0BJ%v8z#{9etayzU(y(s}m68d78 zI@V|uB@JVO!<=A)fNSIFuaf3=hmf_;nB~)~{+Hl+%{dC1W_lfm+h*%GM%T%p&M=#Y z>437WhMi>oTa0xQlOzfZ#Bw2?j*$9n5PG+o6D-p@nQEku3{_iIx4d;B@@>0r)~wexW3w8j}ULsUKs!KaHt-&L}nG&Q-D z>b_g^?+5t<&y>_RsQX;SWbayCvcV|!>JWx^nncd{?_Um#%mX$&L~^P{)IvF*>fgC= zE)2J?kE(P6DTrGpfHP#-vj-LmJ#tiOpieBTW9l|_ZfO1*lnYTU2fkNu+ZfKF&d4eT zO;UMvit8&Xm$W>Pi%69tqUPqSLNVhrhRWMW;NXq$@a)3V4tL+9OYO9OORRhic!!K+ zYA*O3abG2NLd^Gxt5v>5+4RBZ4~wiH1{?JByrB~nw|j{X5w~` z+hHX*UM1Nd^J2Z$4b_peAvR}MF z+8bTKZ-hI&%je1mMk{0lXubFct1o}PiRpMt=-Oq=w2TjOA}Bc1;hEmVWufqQIoZcF zM&wcC?X7rI^;}0G2So(7w?XK1iaukmVP`mowXAtj>~dH*9o)uM0B=33voifn?gh&2 znyq+yw}&zVOdQ6U%#oIGbdy|Pl;PeiPoD}Vj6aZWj4@WHpcP0@MLjB*!33*}ZMhC{ zZ!2Z`eW5)mE0b)_edsK8O{OIY)EL@6;H8|BD_fWpl2+DT@rd9f%7BU47ehx!Kl0s~ zRf#Buy6LceWHQ;rz`?)8xl3_^?AsxKVFGU6Wp9r;b`vmv-BA|NN=Rq!h#oO zBJx;%~{|LgCI=qQ*+;=ySYbL?re$8P?U+$tyQ(2l1G(i&X_)2LSe#3L^G^2yFtCDwIcO z);_PzD#r}Qf$J-CiE>OBm(DIY@Z;SOuRA07P&^DTwfKq~nedavhP-h@k>K`yI{FEImNVIDnuTcs?j_R;Y2 zBEcrmCZ45FfwI>Wl9i9KWAg&p zv`o<+d9X0ucX07DGkjJGjqV85z6x5*bbANuPm0b19scM#yrI$~f0Vn_X=E+$EC5Nh; z)6%klx@x>IvZLTxV!zqo)zrAAk4aIskJb%4>`+YwZ+!4iA;fX|)y90RfwFu%x;q>u zQlAnXKA96(eygJ6PdsV_~`IUxWyeebJh4@IHo91Rak|aVOVI3EoBtBxWmP|jt075i_K5XF8Y`& zS7njYeY;O*lVkWS&j4{=!bwsag|fciil=r2$%IEXjsm>AE^HSzwo^EoSQ2}FMAGBG?bgN6le^|+Qz zs0jn1+as}LO82M4+La;J;&_)H%BMh3C+YhEf$@*n^9|hEu2*Ia4l@(9V}{$rHR6HL zCuNr$Lq7d;KiZHoXB8&sEjGUIZo8ApAGGA6IT;^zi`eq9=&F0Mc<67>M!;>$kWJ#9 zw9jR|R|$9N8DlPqO=8y5f*RhhyaRDAO1AIL=Wtu`G5ZGQi5x5F#MY6f2H=TK0)k#s zLRj{qLIgvB{Dx9m9y#{)j#aHE163@7P(H)%fwjK9VxLz1fJ=A)3m=MVwNvjYYAnG- z{^g@Lb*7lY!!Rh}H#R^Co=unEdppTR9VFGUk`7zvG%*Euy2(rp0q5x^> zqD)aMf=1ZnxIt}Crw7OtKcgN2aGE(g$xkiwNmmDRm0|*~OlUQ2D6;7*-AM#E12dEq z8Ci09^CnimWxk3ic#C!nU-_Z;Q$VQ#(y6l3KM5BP-5kS-=_ zsdVg@jwpeBQr^Ekk78iv52e|eX~J3>Js#hhH^34xq6IEJCdIK%cob#08s`Px!d#Uj zvb!g84-yYwMy`vhvN1ATJiblEl_CvCu47%lEu!0bMa>u15083s;HSDmNN$Us`(7Bb z@y0QOkREt3q$Tm2U8yY9s$61b&U~;SbH=E({)}`W)Y=oDAm!{e6`9^ zWe{OUN!IRmEg>VHt}gCA z>9xB9pgqA-s^dI81+Wmfj5XJ?XC_04)0$NOzDLkm-zT zXrhN^x;dUrx7%5C>-fHz2c)OS`uyKC9Ot4_ehz?CHXA$Q4g|!^Z|U}s zokggvPE%^YoCE2S{7t3Y8TQ$BMhV03pO%pA0YC`P)W7`o)oEVdyA;xBhL*14*`O1R1MbsNa~E~1Qe@8i5&XC`-Yk;bdaUqjII>7+%?>0V2x|i zbN$E`#8qGD)ti{ii{#ePftw8l$yExOkf5~b&y=B%12@pd5xnF-yMRe}lo>G;D8U0nf9hm{Va z?coe=mmy|b>{CnwA*B(Px>h9!Ea#D_Vdg)Y7AZo~_0mbbC@TN+VE2ro$1y)=EV|@czOx{RRhX$2# zP&lLQVM-Y?5XDE>cfoNW*8OicHz6o3Sw>r%mO%?U?RBYyRX;gr>QWtsa3F~^7_VIOf}gBP_;?j z&c4(47Sr7n>qQ+mgs`F{F-~Nn89dxT+2dXdSJe4){2s~)peM2Ih0PTl;l|1>&ztP2 z^}h+z3CJr2^wUXh!fl`_6rvMtib6I}_4!3wkL>0h00S~G=Km0D>03>`6NH3$cm+#B zMkO!Li$!g}xBhO|OpS&i&Z*t!liym85U_x<^iC7Jtx3D|Az!A{_o}XE3hyw4yQm?k zl9c^Az~@#v>{yfg6;ZbECIOIvQ}xEkf}I#3wOZ_M6W}cCm9H20(!PQSoE+W->al}T ztD-p;%$yKEKeFXz_q2KvwikMWCLFWj#20|;XE^WJ#d$4G{HxzJHsm4~X|$QVscFla zE@f7-!2v$oIGm%)zkF?yJwa<48H?wDp#1vNH=9?U%k2s7RQLdBEeU~7bXdDbp zCe!#@c*}F)Nbc)}Kiu~U`RK~Hz(zki#r3N7fSYng`x;c&>yxh75XfLst&fMwN~ zwx-v8t$%FLdHbvWtXON4y{-?*X-2Ams&nkN2tY$dMent@vhsy-M*Ci{4H}dUow7|b z@SKla`mClcy(K?&w)+J;bV3HN&k?DY&I2}1yoEq?*_eyn(I2$_f^;h-ypRb}Fb`rd zF%`k%2*sRuq$mep35-!Cs`Wh3@Zf6@^EG{N=MMoWWT1+Ut{Oa*$R`Q2RBqTlRtdzV z9i@{yLG}syqJI>?D4Sl`2YPM=mvuL&^L~vQR^(>YXUXG{_J!i`EihHqyH_Q9Q_T;D zU}ka6UmvQ7BVVghD8J+9$As&`{Py6)k5?AHZ!B&c??4Ycrc3g)%2ii2eOT=d1~R`w zdi{mJYH4x@gwV}gEz8@$Quo(Q8cZ(2!!EP_r{6BP9HD11ooFbv1zHy)UJOqg{geD# zo!zR=YwSWRXfQ@g&Q_E8C+6^RiUm`U=|--c#|)Hem8lP5`zSYN5?KosMZISAq~hZ( zrRpYEOZlb7Ijv?!T2`#z05Q9np$C)ot_>&>yua@QI33Hkl%y(Jc#d*&cFyac-gREj zi-kMumK={YXO6Vi*}TSkWot$@I#7-Mi3#@RtraI^y`40KSj0<2I?0eB3s8peg{twF zD>;zA5BiXn7MBOts_J8{I+dE$PPI)%Qzbg?U~D`a&->c}oVwrMvE;Q6eRervGtNqp zv&#uw)PTUj?>z#D@{G$AcNw~m3fkW#Xh_!Cb%B;F5;eVe+vs_H`u+412kt^Hz zEPapnQRvo-SVBJ@vZ{!Mbhh=^CW?1h>Amdl?@O4K_$OdQCuNbZ*!Me15+fdAm`%Ep z=7HC@-S}eY^)v&}z?da6`G&(ika17ajJSb^s=1@bEC%GD1eSJB`N5|Wlc5pPOc>hh zM;YIIr~9|!%n4ULqBI&bP2{59nc|%BA=Xf4RNJY{_}1|wO3Lgql2bMMbs~EkM7>-| zbc#ud>RpIrO*hp}a1XAdXv}Cv4Cgv-w+Wf|X~M}TFAm*Zy7+y>k}$H|D}$7HZpC3} zH0j-?&s4*the@c}HgECLUDV{-K8v)Z1gziL+f|rd+dp4%q0r~T=*)}GI`x#IhD`u~9FpDsz{XEvHMD=JT zNrYenI9H(~%A{JSi)l86*9fAnbij3l2Rst-(o61E&i)K@U7}DR1x(IdS2=r2KM!at z_qqAZP}V1g<@lNDd}y^`ob&M-+WN~u5VF1pxC(uIcCtY^Ew^C9D0{LLl-QCsI@WbF ze2`LQV{o9NIz|y+vF{;1ntim=6Mn9W`DAkE)S%0ZEND_tE&8(xHjtajr-yO}M`u#9 z%3TbB*a40p*f1OwYmqa_=~P=9{eryN8Z=#bXatfeMC9*n3CyS3QF5jp_{6uEQqe!= zXtaA&lU8>mFRm0q&k~Ho>E3ndlF|}>XG&gumscT^v+QAXp3#tZz=X}H69*D+U#Q>p z{3!u=*%Ukb;#g}Os#<-TGu`*kwRIYdN|&#HJy5$yf>mX`P z>eZ;Cj@Q40?$R|@Un0g5hpP%mHOCn>7ob(A%HFqOs97Gtl4dr5_tb?PV>Xj@BXcoe zHlUI8cKaB($+yFlXI(*r#pFJ`pDr6^v@XvDrH542*WMl{0}2e<_?%igjHq77weTE0yvz^GYv_uEYrn z_C=FS2AvJtl_{p#i%ghUHKCLAIR=K378V`X+g#{xhud5Bhur*hX1K29nspd`wyus5 zhEWJ%eHC&cz~8w2x|G5rS`#AM9o$wa4J3*yqc7TTM2!)ya|caCiF@W}$tMfZn7K78*~2B?r0pmTfbp$2k&1@kH@U!GK)MTn z?|elSkdAF{=~<+;T|W#&%Qop7Sv~fAd}S|9f2)DTsDeSO>k{Q2D?0YbQ;}torfOY+ z;$}h-Qf@+Ty&kp2*|9UH78(Df9pU+D-Tk`z%2y}+dA#iVsAvF5orGG*&lfz=@_FERuMg__7U`{{?jVb1U5DL}TLo(4q~5@11P zoNkkp&RJkEB=yJGl<|to(P=l=j*SN7gQ-Ov%XO1m)g4dyRnpK0O~0`(H*>A0mi%O= zOK_m@C0uRrX^ITPSiR>d;EvU*g&4;tJs?UOTsjg%nqpj*b{>WgsVsQ=z%Ep0<#fpC z;?dL*Lv|iq81DeDs>rDi&DlGrYh+)joPrRJ^C7>#feIWKEWU{J<$7lj41d6>R2Y1- zS1ViV8r=ZB z)G)Q?o+aG|Gxmw$DENW=Fb}92s+#b^L=}v*Nfu`gHIjR!>Fja+tH_ z^;VM0EPX|jL$}W9x-z>KL2L+K?VgRQN|z#__&S;Z)H80Q!ueuzgH(?&%;Kz)A-*D4 zOxOQFO_fIO*g8W4Cbh@z018jU*E<4jBU*d4F6b;3EmF;SOCD%1O0jzz%wF^0UFXpqeF^uD$7_3lFo#e2MOYv=nQ(Px!OHkR2-_q78&Bu^ zz~nEif#%8JCjp&CdHK}TUu59FGciOM4f5YhAxHsuHI`A2rjv8lxB~A|SQxu8aCs*h zHUu3d0*;aSW}0zJk(Xb&?D=mYcQMW80e5ImLuU5LJc;pP z^}|5Z+K>4-VUrHI?|9MST>z%Vb4hU5WGU*;TVG=hBR$cWT+jKt-36Z(gy(FuaT0M}}= z12LP<9J+{PRn4NDnVqL@`vD^d9rECp)`;?xjOlSVKEP5p4FTsyd>G_c$`AUKVNaj7 z4_*ne0?!{SbhlS)M~OCChLqJ)5IpZ|7ZZ}y&{$2OMqi>#?j#xCZyoouRP!Sj{cd|> zh5?m3CgM|@2=o(SHEV8wvwfF-QB4_QUie6qrtgsH|Eh$mZ%Z)o{_|?bE$FcOo}GnN z#BSDSCF&dVdYkyRPa^>rbj46EbKN#1eFaZOqcLn828NZjn(vuXj6EU7G%!WkPpGJYqk#cj1sET*QbBzL^}bJ}@dbCQb~L zmf)z^jRRi_&b+gc$lhFcdi?dx6K8-jq>3>_%XbM5a~J0kT`{D)%n=&1<0&a`xe8$1Tn!fatZ#MNLdGR8qef*}GZm)nz(RMbVblJC4DxEkFY*uL zjL$SX&fQ|Jn0mZ*Z7F&8FQf6x^LtD)3E4}^iCOV{d%#i#bk%fM$E$1k%!EEj>#z>~ zV{F!ZxrHGuOlFoUE$L}s<<_}-L)XID#YB)XW>Wy)hXW=N)mhLQ}*wV;l5F=XEg!SrBv z#8Zx&RkH!$ytC-E-={hLXI#KMtE1+ojMQJwD2tlAmjlPzD=V7vA&J_3O{*^R(*b!3 zGNI#F&=`7>SiWqjWLpk4MUoM2`$G->7`n%WE+sz!uWmsdMEB?}X6> z(@cqFV?0Ff*Zww*4c``xgH?Qy@;a+V*mA%y7xoDtoYS8umCf*>ZPWR(+qzEzk{)%I zURxkMpsUf^FcE!oV2J%30tafHG7jdiUdz(E17&z3at9y4z`@E|Tv*KwJcO)=bW+Ks zu!}YHbiNiMgp#KYBub$XQVq1nrxgZCCZ+?v#BGCzUiCDM%3FB~u3MnLF+OvagY?Qn z!U*F_4|9OlJh^{I@K;!sw}RYBP)9X3(R{YgLqZ~^SvKrZ9<#iyC{E0lAhLQJOo$t? zn0P_i6%#6q(e(Su{r25icNgZn<&1pO17eOgvm3eTn>Tv}&u7<12m%|skMNj-;+pPr zvV->sjQ!6(w%LPCYl|S8^1)p}#rFh$lSyDScRtq99rPC`ir2{lVjX9Q{`=yiBbL3N^*{>>rM`}M>$)< z6Nf?2UGT9`*~=!#8MT*OeM~fI6n5Tyd{7A(LHqef`txRBH0YIlpr8^HAbu78du~`X zL6GX4<4&9@ z1Bu|N(u=j_d@D-s+qbk7pI4*9^ z^S5*OHP>~b(eM}AiqT_N{h7f3H-1!W<7sO^Q)Muc4l}91)8`b_`2{eCPi_+ic{P}p z2vs|qFjij&huX41SL0J*ltQ|a=n0N&UAZR^Vvktcp~(=)8eKNHmV;Ms-V}Y0zqN6{ zi@PY0<{b})w(8rs0)~FI%H7ksS~hmzh5V#qc|18?Iq|%%?&N&QZjq)rw;yZtQ3)@o z-5~(KTM4+vNqb*w?-Wg4&t1?~T}!+b5eZ@0VrfRpxD%3r$K{LcL5Fp&r)Y>rxCTMZ zl4g4p6h&!4m#ymU7yWEpdRlQ|N)3wVfk=!@&Xc^cE9%ro~LNEp74zh1u7Qj}I2L293_M&)+@mX-1 z`c5!%_ZtFPca+d zkX9FaUH)?mYZ6wR);kD}SW)vPls_-=yH;ZKY5Y!m2duyNBUUM~%jv3#77dGtdeG3; zfy7&IJ6SlDfD*LE-+e;w+D#nBMp`wfDl)Kmh%1JS&Tr~BYJ5y#eM#vV@xAsUtYxI8BoAI0 zYNDZ+GAyt2ugjXzA4`vdm1|ZfL{+?`@fpsb7iOpVNQ_oK1jWq4P_w`am?6Wtk4~k8 zW1PwpxeXzm%sw!J2mpSgM2KB+>2T=tW{^2t=d(lXrQU|{tP&8s`BFM>nzcp8BTq_G zA*Tw4d*}~wFKsC*ZM@*jP*0gO3uz*FRG9N~8g~UE2UsUcRmqBRc1RtElaVBeQA0Ok znK%;+@{Y@HQcwe#X&Rj=>pPt1oRab23A#v=U$Wz`^Cuk=ZsJsPYd_6t2sYKdgbe$U zs?oZQ@p`H~c_~Gr;#?D}!PDC!$Pk^Ow-wEXMmo+3u8hm?7DBp>9W{)+tY1j#Sy~mlsZ(3 z5A!$39a8+vQpKj|w@+Q>SD#syUweAx$C8-VcaUvP2-$ zKZ9aAWnB@dCHE>xnxzS~@MgpRyC6X9+T-#xLGyuZZpJHVuE$ZGXR-Q*`?W5+wQ?o7 z=H;hlx2pxciU{zJKKtS$dUi#5>CXbl%h`GeX5j?=`*7W(UH6cZKI;(qjC_Xj_h2b6 zNx=7=9dabErAzF`0ot1mAiz->Tl#_oUgr0jfXzeZGAmd5=yprM3 z#LxMvE&Cp|l*mxIDDo+pmy%p`Y*|^tAG*Pav88sPf!9zq6bo!RgvhQff_XR zx4+~Q9#ARyoODHudzw)0uv+hVgUDcsw&Kc}6?;n&Ey40-z1wo>+2C+wT#sih+l1NS zENelBo!#pS{ALvJa82P-^HBgyzD!%@?l^LU>Y`^@#G+`B1;wPspV>OuIWu%CbjCAQ z<8;^GZOw2XllrjX4JW9WBTar5Leq@$Vq8qucH{$&33Ed*jyuO1fw~#89)Vxugr@ld zn<~S;6FHh=ry02wE709KCmsGjvi~68z&_Psu^*cQmzlioGudrENLl%?5w&>!e-aL+f1lz1B^+$5%>PI5%fQae{y*!Z z|98Ss)nVjhV$=EuXVc|c*?O}jJHjOace91E#YW{yS+V}#dxeIlm8agHPv`bMH+LojV2DbdMsY>m+0eky#7uPj^9w6$%Nol&s`EKwIRdE0H&Aa> zr~G+&2#!F2I@H(KL;kb`x_)S5CTYgs2;=~UFK{`sDJN*O0G6;SG+3OR zAHPXoMnLp0U+~j7PxO{XJ+XkcOeV&*D#zN z*bl%AJTClLk1Z|~a%>+Tm8TEz$k^)q>gyF({~U(i6=)Jn(r*C0qXk_^*7vyJR z`sz11E->+14|=n=qgQ|8WrlXzNLlrez3E5wii8maI#6?;{6M23$veG%sJpJ z{u6#OCG5Dy$A6ct{W_iUU4nekEd%4?Sabg#+x*g1{-y^OM>36#L?QYIKif(pr}oxQ z(_AB@{iLH}axr-VKtJ{#m(;-h<~ss&d{+uA{Z7G5?~?eHytuID04T*_0wor7PwvJ6 zT>O(9n7^OmKel;qy}^6GXdb`2W8bwn-*l;Ozt6nCYUUDZ*w`X@*SmmkuQ7mMI*j~W zeY-rsao}H#=GK0)zkK+4)y2`LzvGv^npXZl**Cv{(j%a6tu#a~C%)wdrp7<5a|;>^ z3&6$|*5`(Xfb_r{U)SrsM_4W;1Z3D!TyuJVf0tDOfT5Wledo)y)HBpKzlDHCdsPUy z7JoJS^*Vl%`4UT7s!CG8wtr3gey=guBX8p3f62yUzffzWC?*!2eQSwj?7Q?aG znhSnu>A^!E$(IRf6nfYj@JD~s{XT`+0;=`m*P2tL71$kKKM68s5dJc?qfHovU|eWxMUku{wT%>H+*HE@9qq7HX-)(w^nZ=T*(TUI4{qgJ!!Tq5&UH-uiQc5mG7=wG7-W9_>5G~WonTLx%4 z%+c|7y^v7Ckp?s}s0Ck45Q|NcVLVmJ*cNRcS_# zz&eSV>K^)pQf$=y%9@Gk*fc^SVoZ|y8Ij#N{9%HE2&9s2wE9hq?qY2uBYBI%sUWg> z*jJ$*9=_f)>5PMMexxKqFq8S7N7=-DjdgV~Dj3%qPrz4^mY|+hbF_Sb!WW{*G3Lib zD$iSUl+0D~9*)-N9@U*&$9SNd&_3)PPa!so=sV`=+!0#2n<#-Rdb=GRi=^xUai_si zC9xkFN0P34+}NQ`MV)kg6UTd?MyQY9Yf4VDI|^t~R^XW#XT2i0mo{pMrmkTnrr!}q zTQVoaGeF$h^@mrA9gr3%MKOe-?!uadQ=@Pz24gV+yV#8BOq*F_E9Qf20B@Ymg?Bya zEZnHVl52uPn6+1Llf5!EgAv_=<{v^NYVEbBtz5ziitJbYpKa|XG$W^{-+g~JFNrj~ z;O(z1USt7Bm(ywH9nGig)N@?|$91KmTgh2l@EFPoS0sahMwN3>t`sd&NUQF~93SOd zcf8_eRWVz^$Cb=Q9>?G3zCQ>}Bvp%f&giz~iE@d50teBiS?Q~`=$8t2G?1_Rr-|19 zBaeIJ(`7)UG3N#xOQZk9cu+YgR6Rc(QvGov$s}znr_3=Bzp06!hY7OiIk4p`YuShl z6($Y&!k<0(Oucfko(XZmOJTp_nkUL(v$r}4=vH;Q3pk}5=4U>c%?{oHg5>JQp9|V6 zjQD6Ld&u`_4YC102;FDvM0KY!=zxy6W;P^$Oy@ZVYw*~LVo!!~`S#*|AuFLiy4?85 zynCcNAydm_^zO$#xV3h67%ojj_m38PjOF3T=qSNhp0cg?-$pD#jdPpO)Id4R2dP@HW_rPX z#%`Uk@U7~v?Pt-^?Xj4DKqNcFRlxnE1GUUKsuWC`0Wbl0=IW2f&8XiF8$cLP2n2$T zdHppa9t`dn!c93@{)&vGnOZ$cyTRS`Ug;&X@TnPFQHJXqfkBr6X_vC$$l*|yjX(Pv zB*qyg?6yK~N(;oNRlV{-v4hZ^&u^j~lEN9No?me{SD&ia368*#Tbq|K=1T&OKn|Zf zpc=hJjgfJ{?b6}Dv;&TOtG^^pqQK#_q{oo(SBCrR$PEh#1ltz& z=!jkXr>gD^FLPhyW<6Ya8)w`8d8Q2)@nVFKNHlj^b;60_ltS41sq<*H3cyJJm*%?k z9$k6?5GRYY!Ki=7+^|$*ew1{Ko4_Ru@SF-*`5Y1dJeh|6q2-1iwbGXEs=0jJ79=7{ z3vFU%O@-bj0s=9!-&)MWj6Q&^m0!$z%*p$Lfxt$RX)nw0dDXUl1SYcG6c*unASM7J zNdxasw(uAt-}!VKh_im^=Gk5J&3fhR8)#FW!bgpK+lD0DAiXfqjrNYSf~CEEvi6|z z?}R+Y{i}+Il<#aY;-Cs}dfNe)2Fk(x)A=2c?hdn@rIs-$rSnw=l&^sMw=#E-@M5o%YMl1*SB|t-#nhrm0b52vKY@1bX*cvu1IXxc$}fUQW7h_l}D+ zlHJo6m5n@8yj0a6KDZmmS^wF~i8VQmG&_@ypgrBo#($3*{OkKnLJqbyTd}oALq-1l^5CW@x9u;6CWeo{S-ihQx@}c&C(iP}@7fAEANb|m`gPpUP zzGaMHWAb6ThoY&VWTR)_l^-N~Lh~dSRPI-)gn?~j5@nIpuDr+R@!d?QwEWQ5LAS6l z$jnx5wHQugox3}5+f(g$<10+Ws5j@tvAbg1%3_3&^7;T1x4b;=paw0!FP733v9NOA zvg_LMxyOjw+WjS*7%vDq?KM6022%L@u0ke(nzv{X%Z)MWJ00xBCN7Z0Cn=*; z`plAGn+QWWP_0J`$`f4hID6gVT3e6{8Qv44L+hk$@>|j?ciOfNo$=ej#ZKkTQh zluOyFN+?#17OCIA9g_bV_03npD|mpAMCeBUI3)nrhS{y0S;9YWi)d#1zFV@x1zFU) zX#FP<5}kNy5*H>gLJDD|CL6oChxs}YB>BOV(kY=NjP``e{pitn#$l+M%J2g3%M?(4 zjYLraqbokKSR+)s?Sv^)IuGZq$a%a#mHjxY{m^7*{Z}<%>!(h){Zx2744buT0NXd9 zI7X266mp(@slBp-bZeI|=qc(j!S!>1;OP*38X-N;U3=C%FM&XEO@*^p|$_rf-x}|CS+~$72Zbkv4fMf!1)0F z$;#0B?P|5eM=~jo4(Ya=V~f9K#v2oK8&N0mNarRM5MDb-)jvtUW2oneX2bxzllwK^ zi(~n!|5euYg`+mrtHA|dHkXPLyVQ0DzOxBYXQ14z)`FL-Qe-R@?SgS5cCJ&0bxKt1 zP=pE5a7IE(zBcA5?PoWfCvpbi|KKh}>tk_Z%?&k6k<2yR-?5G2d0=GKd8bws-cQef1f^^w>Gd*vVJ z-^SpR@-D62@--1%nj-KC$gnp?*!BvVP3P#1z*5i_+fHs0SDxr0gu@AQQ824*cg@xb zu4SxBlCT|?ZT>XyXU|v?%)^gtr7{N~g-2mJAcZWNtffj_OJ2-btE04gFB20aa5|#G zrv}INazY0L;YKJrY5QRZqE!-e!-vtIEZT;)tUQQPRmgxNgNrCSJ;9U1Fg=2f8~FL$ zmw~;-q|!1sS!lMGo^L#bFWvwlY7+hB6C zcA_v;g7Sg!BmULa+J_vU{cT<3ZZwwO!9#_Z7YFbO#S^ADr?P8zQJ18v@;c%tGW+d$ zl%Q51pc5i9JwHeR996Eh2bAeAo?TqcYI<#nE#;W7D@nDza#d#3y69Sl@fu%}c3wp? zT9zQ|xBfZY!lrx_i_8K%KCNFqp1HNK@UE|^N zJkAL{Y^bNs1r^*gLOp*9KOeV*B%`EJ=3a2I&KEW>J}BIxv97sHZJC+Ql`z^}B4`e* zb>>A#%Jt-B2ZXhp*OU4S*VRoTU>-VJaf)xwd5mJm3j3pPAo@SAfv1fq9h9B~nQG-5 zNO)PRb*CKj-k7PouC_6}TUY4DqB&T-MgvWoVi*qJEuCiol(=!&1h5rJ7`!{X~y7O*XJNkNGid?mXM&JEV@6vWX%DeV!~qiBG9cQ=C_^!VbONWSXx zerul1rzIpn^xU&Y#}MyCDnXs@RbDZS=4i3ETHx{;#t50RFNxitg=XzPaOa4@+tm?V zSc-PE{+=npv|quqU8gr?I|CN`Rz!ccHvr23+pr1LyFw&k! z+(JG-%c%XWH4s(=$jzcXY0okLF&3a69?C8WMcV4IAi6@4p0{8V*?OW(0{zl*9`A5o zcCUGJs}5hF2_HMfdW*iHm;~s8V)#^n%SmzaW%Gn+9u}5w#r;n4c5KDn#Op+4I^=_&8R7s@idCbys>=L5Gk&t~1RrQhu~PfXYffAiE5SR>^DN}|MwRuGh$MZa z08)c6Ywb2{E|E9Z)nJh|q1ySp4eReLK4yzR3qoDq+EhaO08E6C^e0p+s>odDR zP7eqYuN=Y#{Z zqynq4V)S4vI`HEY5=n7R5SX<4ot!lm31)uqNZ15trxkw@sM?Y_>FIgWswSGJ#yuJ$ zh@6^aT1E%i9MgFL>aSM9s!kW@1`$2HLde_^pJczzSaAQn#d%OT`zQLKeSOV3XAv`% zkJWyL%L$mJu4Zr1qrN(cXqikl&#LUdN{7*ayix&*E(IZxD%&J>0KC~#vUa-mbb>P< zS3_Cl8%hRtBe?a>ceeP8&G@W&NB7<6FS>x3$YfRmmx!gr` zq`UZ{_%$5IsixnG%|K@o*&sm}nTBit$w63A)d}yqsxA{nn@CznmtM=_UUi9AT03ZO z>XM>+He|m-KX^?ekg8}b3u9{-vH<`1Xnt;oc10YCJfZ7)Uo59G{~X+1Hs>5WkSqe& zywtYAoU*x&#ZTsRERvW4mN9@QQS~>nEN`SKeeZuOGsi+v`CTz@s9=}fj!5B2wcP#9 z_VI?Nc_g;|zIA*~;IPAK=!I9l-vx2Dcq}#Sl}EEwxKtO4IG@Bp-y$yRe*S z({!I>+i!LU2_KMdu7Dv`VD++$17(J@7%Vy|18-^R*8S-1*=RM{wnrp|B&v~09nn{8 z4V)gEH1W%52=PfFmY)r{MlUOE6}A-0NX{>ma_8pEjl={SFS&!BU8CU)DMWP8Cj$7@ zjtj;HZ%-8}bKw~|N^CIWud{I2^@{G{QCrKa4QWK18<&qHTomPqSifI~(CkTuhThOJSEv?73sci}uK zM|69>xP66jG($rX;I1+xy#BzD+QobRJRaw{35xz5IW z8KQEeMXcwyYm{R|s^HDcz@Wctgh3o&-D=;-O<|2BF1%!*lb7aNU8tEeO9<6wmtH^H zJpNNH;s~AL(+0XG?e=3^#`S_PH=<{NP{RxBgx%xTYX> zi(9s@p=}lo(W(*nGuu-mS;M7$)Jsd4@kC!Wub2>Rz}#+hr%PU^z@1LpTYaBWrB z9KLnxjzGDf6^`%n!x=Jj;mQr!#TL6rHb57h9EklK*2N^g{tOONG=Qfn-9l`3;GAMe zhYe+4I=7-KW$fPFH9ZEU#DZt}9g|QEjmp5mt;TzCK5Fp`Uf5}K=mJN?U44M&fe*Mk z*O#=Db<80`;xK#9JhmNnu7@M)_mjXW=r$Pb%g>WFi%zioJuV0(0P*Jqe zQo0#n2{2P=6yx7q4kbgRHXi87H1Z-cXE@{oz`*}B;@(oF4M9^NL0HV8h3KCYNYWV+ zAhykrQ_B@yz2MkwJbXz#vPTv5P2%j?p)0tad)*JiIIK1$<|pa*IMc-L8Qv>NeEbdI zDx5`zI2rx@Yqmi*{9`ntpTkA+%3JBUPa7bq?GYK~vK}~rUWNw4b zVbBVH-7p9^nV8lpGWB$W-rnDJn!q_eBI0VdsSzHJp#19XhaZYnawAAOj|cvGegKi< zv+eefDEft48t#)iJaY27gzg|Nw+)sh-9@_^J)7jY$W+T{Q=pbsK)(f%!K@yM^J*UI z{g}hZ2jZ`GAK>X^Cih*qzWhXykE==%;tUV8ayRdy>Et{%kZ6ah*pa=BOABGF#4?3L zCQh*M?{R4>M2+p)DSmz<^> zv8510xb6VYx?YMvr}u+`eHPZNU@~fZbx1o>46tdl-hyT18IZVfZo(b@MTTv8U_A=6 zkWmKDfPR?TYp)=tB#K39Ik}~g!J=Nrq=f|fjE{oxZZMNKBs@5QR%-CVIrW)6RR<|0 z!CFaXt2`{Ap-dq7VOp7{0fY=MhKWQ&dY9YM$7?*_~ubL$)(1+@{xfReB5V%o^5OszysOr?M9d z$AFO+5&fECrN3a;r1$z^tD*7&%fN!j`KryBs>b8i!Zu)-Xe-;fh>g7TauGMaMDeFg zOW8o|hQp0X{p7&(rrHGQA%2pDu^;ZDsKzD0%9|a|UU#6Iu3{~JuT(79b!Gj-=q5cq zB52ylYo}1;A^NmmJa0faC39g_n}~F@vy|c4#e2=tV_$bkEQ`>GqRApPVT68i=nWJ0 z@zYAb1aKL?>f3FLvRv(vJGd?W9_kq{35~gsgkZ6@<+318V5)M`e|#nKC8HW*ZwOZ$ zHqJSFGo($tE@xF=UL>|OX`0j}QHKGnpfLcvSLX^?$x;{OmK0!D$Z!*nQFs(+oQD{j zy%+AA8vbZ*N47uj5~#nr0B`A@4U`Vg1`-?leEz2P}MN z*(6w1rc`8?)EQx@fT6=3p~HOCdcrhFX^sf+@a|(WfBjj9a zDxI1^OTcc!J^wIySN4Xg&ko4N|8dp!CcE;abU!YIIs({Txh_NRe(0B~ zyu5>~m+?)PgS^nr2(CD^-UD(y<#a)nI!-%>)i-pDZV0l-5ZwAr2CFX`bU%LKXa=ds z+;dd_M4J4`R}44zR$O3*0EhFa6P&z3+@a=q4|5$Pz%z(%LAeQTx+^d%@%J)XT7oz1 zZxs+2`Ldh7SHka4hYFuV8ncb#bFVi0%BtW#+m3Q-@Cu3LfX^&WA&^|8HY5nX&E8P7 zMBo|dOd_=iVs@GE=V)HCUbdbI#=Ry`vm76(ybUdEYDp>xtFFVaxtbZ6Z(`|v*gtlt zvZ~(*qMh1Y>%$B-rkSxg<0~XyfpUCnzS5w{pgU)PAw(qC4Z<> zsT?Pdm&0eQpzT9I>E1`buyLiJSFclk_0piNWgEiO~k=7>C-xU_d z$7J;3ip^c1fNxps<#>C7(-I!)E7T6~`o)76C1tvnXWKlIUp3weLqbN$&;W3=KIua@ z|2(5*Fb*m=r4v7njZGh zO~%6nalx+-l_oLS*CasM;Qa*6soB?-Ef~yfBda_ONf_C-)%1}W+CtP1ZO{+q27DZK z-DPh6Mr86#`O&5!;4ax_3`0G2a)z#M7|%biDz+a)z65`hA^#HheZw_*>Z-SU?%PZc z;y-EG@v%LuP)7D@>@*13d_jvOz=$yVFJ?BT# zE|!KMVUUc`{kTf~tK4XcE~%2nULX+C&b;>Vx7mjUowsVCbth`zc582YDaPLMd7>9a zPhX@#gyAbWZ%5ka2)+o$q>{7tzzi!fY5^adRFlsXSGZ=}doyN}UAb&eb`)GPiw{~8 zX*dS6OEu=aUszJ>*WLv4h+2VG$yYG%g9=%c5bXe%c(1)s%7pztQ zuz?yaG8o^hQ)ssJBUxZ3w((5jqAZV2*#4g5!Z@~+{xzR8(2WcNF%->rM#64>_)C^o3F)~n_9c%B98Vl2#&qAizkl2i@o z*bV?K(@!Rf2yXe<`_hunKPz{6vHgTMb|iB*%5EB14h2Jp%|8nAMIkpf)RtEbhinU~ z^3ztQ;e6KmYCnfZFAVo2mZ1t+HjV!2=KD?v-N&`*NYGaij9B7h=$`5{YuhOq?a%!? z1TvTML*v0-S~zc*O4^mqea1&@{_rZgA-hOhIu;F(;nG6K9-p=zPX0bu*N>|V6LRPi z2?o}%$#B}QA#>o0$|J!xldy=nr4-zAKG+3-(Dc&-n;SusBw@^DiYLgL;4o&$J^{HV zD)=}78W(|+r<}bSe2vFPM?z)$Be%V3q-G?zs5X#+?N=7XN352|o7C?L+P#KiXCQSw zHf+SrMDSRRN5QdhKh-3KI``#9~| zpe{UVDI1nFlkd>~9bWBM&{(x$0<2dciqDcAN%D)UD5DF(N;qq1XC~0ic$4f_H7<*~ z+P@)(x%p!|n)RC@@5N>>+F5@Ek z-j=fBWR@JfzFh!+{$aY`!Y+d&Y%!|@PPDKx@XS|aF57%<-}X$W#){`C1^Te0X@rTU z)`b?hr;y_OV5&3*n+`7F5Gm`y&hjXex}Y!*PIT}zDM9zx^0@rJjxsF?;(}X~uwUgT z@lgM(UF?ieqLo*Y+ij<0@v1B3(UJs|qh4Q_QthNDGLBRnWILMg#uD^bwPpr2^D=V! z1n){@;j9M4DEEOy?nOECmc;VPwMC9#a^Ou8#BwY_a}R$yeT;RLI`A99N?7IdM(US# z;s>JYiC^meKn%~PDVBbBPIjgSQ7>AJH0f)7H|CYcdd&fF3tivV<3=AS7*ng_BXt|4K@)u2*=fn5 z)-a%z70N-R>xg zWf9#M+(p2s&qv`ne|84NF|7aRu5@ZK^V%`KLa)^B^t!T@8i2NuOh%sm{?^gA;wBIePH+@Akyw*T8i# z(;1JKEfgcI>EJ5lT=0JFJi}CfAUGQrij>~PoS2V^$Bs=t7+pgQ+(^fn$!au>kFb|V zUfTjyHO_d|u`g@X9UP%qFY_i2-*g0*v#?#GwTCDzlE+bRyrbMx$(=h+HEkUV^XVk# z>IB$ps%#51F_Pf@z#>jNylzlU6Zs-j7>LT1xU~(w1QiPr7I-mtLi=u}M>eka26h8_Hsr8r)Kjd{1mG z>%G?r^;6#74z=aWs=SI}Nphm~t)!f9cg{A*iQ4-F1^;d(%gMQRNw3IU!If6rR-~ok z9F4f5NSRM9$qWS=hk-M;ogWhRiPy4B4Q8hCV5kA@!nC8(O&AyMr!M+T>^Nd2{uS9m zJ1ae)JIs-Zh$I7l#o~aWu9j-obK`(SbC0UwRLp3oTZyx1X+gCcPTp6DRpq ztk<%C*b<^UfCnSkTJ}nNQ}awkPPS1(j&s;FYxSt(fEJqSg+$RWf-UYU?}>-><7C-T z8m;9%^)`77LoX(6XQvn#9vW>tg5fFT?TbAbsZl9%LVhHLreOf?N*MoMxj{cE^yk`P zE=YjGpeu?8u%j_X1RW|$87JEbO%jc?n>1-4q&Vg$)P0}xq53kc?N7{sC3ELU@&ho9 zz0IA4`O)8W+z}|?&L;@bRE%{@kb3q$h9s`vD}-Sl@OKOg2=uUu+uIdzlR|>t?@!Cg zgo7e=B*_Yg`E!~B7p~7^dguV68#E*nvR(jWuUj|V#YDnx&&J4zOAvU675 zlC#cAwS_6Rtjw4)1Md@^Op3~c>6W?oCdBMiNFnh}X0ubfuT>ro@~PG6 z1QpHN$l=@jaSaF6DvL!O!~-@|^L@~XhFwjsH*6;U*$h~z9mS2KdmPVFTNb0 z%IpigL9cUP5bx-UcI5+Mv2*mH@R*EaG0eocOS*DtnTlpBzrd&bP)N{RANzSky zioznW<~ImWFKBf#%pxMnQRhY(+!giE=F|}k1O^Pc;73=Ax;&ch6q?_2FV=S^De2|> z9j?bf1~Q*AHmJ5HxU<+k;R+V8dRtdEZ?otU0^MKU%7(9x#X26p*9X?38y7aF0#kXM zW?k(EXYlr_g{-U04t~j%yHw?VkV#2mVGi zV6Xax%ANnhQ}pBFTE*dsrMjwq+ThYviCz*K*q1qaVBzDL^q#`3G6RCsA?g(@;-}=% zD^Nta?FoGz0%_f68)XG*KGA9yA{oq#r$YO7>~v^hEPv@bCbc~UrWx;Xu0)@qyEk=4 z-p{)>B?i-0&1?1~JNODQAQ*tbJ^gq{1fR&khXom_5H^wM?lJxm)jnU;e3tpXhf7NeRSg@1 zE+y?8;I`CKxZ@c_r6zGs&7cVeyiMBgRWzVJdv!MpglA~b)(lHR+pae2ZXiT+FF4R} zJv5@}ZWdErVa(fphRsUVt2#E>bKp7P;Mq-l8g(#Y-ZBeV__o1B*VeC-EZ%y2tM_Rt zw24qW_idmNItC1kW|Q?zVI*f+SqnQ>63Q`}i+&IlQ}hyM8o?b)8bQ*~{${!rJppy! z!}WDjQ_AOz`q4glS$mA`kI{66$!v4ZXDOCKJPpb4iE6apmc5=bFU;VS=w~n%qAcvI zE^R=*{*1k%8;crNMN(iq`-v-6@46aMhwV;FPfHa{Jc6 zP=po~R+&gTm1gSVe!c2;ud(|SQd7FLKFr(QI|5mJrVccL@Xxc*kypMd{Ywj z+kkhjPs*N4X+~Rneu6~RU--Q0;iY->dNL>rR=hF*nA^7_v?oN6WWCdSEQJGVc9&NL za3P;hSg?v%mv{6f?jqdP?pNPET;m3VE7L+%Y&vxL&?14WZZeJD6~5YKme_TfbO@2d zWiFS^7!ADY9ocS44=Jc)p@k{nkZhz=d@FF9#&$6_kn5|n9oNcO9FJ!i+FlrF#FW+i z+ZB=uCV4E=18!BIi?f}IL&^bm_9OLTT`qx0uWqD_IJ=Dj*%-$;RDuz^>9(vHb4myUZ z(A)Xt=v8VWzpvJ#3b{x=Ie8teg`^96O}-dtPd3xHlK=_(5~=4|n2fOdLOf!eWmA>&o2M?4s~Eg z%JU@f`=15#QZLUB#aa`UlN%oBMEVtbfX_sQJ(Egr>qLa9@12jHM&jk8%nr8^Ai?rn zwn_G8{vDk?W(;L*KG2c|n7lEhc0cae;b-~LrYPVI3E-7nDPYZ{QpKFE&N+S&{Znc& z_&%OjCe<`~zVE;Rj|-FGuJuk862+>RonEVVtuTgsSKZO8zazG!1jlALyGb;%+%{lw zq-we8eohr*o>N34$KU6{XW$n5C#*&1e-DJ7bfzGYg0q8hqxEB?9#et=7rOxW$J8bR zgt7!t{vaDGt{H9Sh&(ua9Q(+JZvxR-6q*S7eZx(mbZ#OJK5LIzmYFWji6VJgpOuX+ zr*Sj4Gka`8812LF1Tu`wfYD# zI?F5aKrfF%Q9v!TLKX}?`4I_Uk}5c-rs$LAco$4%`g~$Q0hZj70~-&WTtHc}Trr6* zi7PtWt-3cZ6FsjGgph!Q|s~uK3!%xYMk! z?@M_*kmQK>iuMXdD<4PAqI-?Xj0#>8&HY=0e!KqZ$Ovq^pK@iIlI@k9r$BaWkv z{vc4ct{{AO8;5hPD&eh@9gIqU4C(eaoMA7S1#xEIWdY&ew7so_xO#YbU*AkA`Y~Zt z8Rmcs%I%S`IM|YQPs5n3zsd%uuq3#^UFG>RGvX*hP?k{lA?JfM#9n0343PpVZua~b zxAS^oci#$y6udgLwTdi>5S`2>rI)UQYQ<$OlLKSLKnYCHn#XtFgtll^StHlhlPB|H z`*$AtTJxTK)cYS~H5RK#Z(sjuCah_RihrT>ulb&r^uA=!lpq~<6j4_*X;7>MS{}Hf z^+Ho9wRS>2nhRhI7$y$H!4wXC*}t3^i8v>kVomHxL^|b+uuw&*QW!L{)Ti{~S13ht zy>$eRYi$DEE@zkgZMfx>uy8t%-(OgF^~7mPGlSQbVdbME=(Ht%kJo~@jl~~qk4db? z{QSDi21<^0j!Ji1YIyTeU|npk^WKAxPGA2%`cuggmi=zF$cYAEh(~{pxG4UbT3qqIxbIMRCZpsBj~!ky~NvWH;5W0(-|v zz3^=<8CYo^&$TY-jL1A>qn^1)X(k#DDa5nWgzB2>^E5|VhhMhdmz^Za!h<@xjxc)^ zo&0gU7wkkaH*7@oR+*+8W?w=yXhyooAj^{GY4sNx$lM;?e!yW-J&SoHIw5N9*!M6@iC^h|v! z48YQNfVl(%?&sr{hA!r+9UrP}_phiR5E6^HO0JEz3$))db^)z}+Yt#jrO%f7OKaaZZx`tY$OX6g67{^srdk}g)X_a)gn zwF(9Ppv??J*)SwQ#4;i22$JC}llyBX$f*6oBKaWFLW>&a=?Cqx8VMb;yHg}>kL)WW zwk|U;;G#`lmcE)11TgY4q?`Xvb0`38UTswXz6q|`y)V~02{a675@bN zUE8l6Pt1vJPsg_HWMbR4Z6_1kHYc`iO`M5s?96rDdiHz2d+%?(y6ac9YOS-XtE=lc z{HEUB@!asCeRBu7BaJ5}4^ZbJ3kzMdlrD`APa}Hh0Sr zgZ+G9h@p6bdxa@Qfi0Zn@PsMWd~!M2S^Nw4L5qNUQ?bzmOoKj%#$B&7RKGl3eNc@ERGMgfOX;0JN$Hx=|?xD11CSl+6O*w>byFTxG9i>%i>ek+IB(F;2qu_&;6WMhzaE`-S zu#}cAtra^u{JKR#9=M5=BXwMs+}Vj1r_vi7na>NtQQ$To>oNyucb{CM%uc)Q)H%y) zjXwVdbp~ri2T6{+Dq%UzCYD zI^0UXX`B}ti`T7cQQ<>pdHY9L;HtsGg~ifD5RyadZelZdbn0aXqF#$~`BnI6`ySV9 zD*GJP5Z5PwTPGOo7x(}VRFm{&tw%SODQlu)Yb6%fvd94_ym^sU6U4FhWy~@@zV!8{ z>FUJQBa|Dl%4+y10O9&8#LExm>l5f8lgcEH^y1E52ns3k3X|;6!AvYrx)RFynq(Hl zNBE6?@hJEiFK6!_p+}AD4ikpFoNCP$ba$091;!kD!ZxK^j6`&Rx{lwz3SHND`w-)F zKX6|tQ5eF+=?jbAJ9PvVX8uuKRh9bPLnPyDKTANqEiFHL20DDur_)uQ_Y6oG?l5_2 zQ;o;dX8D>3Bhe?h6($;L;x(TgtAYHqCf=+Li75VCRex;N*LetF_Kcb8pNGaO9#V4$_oQDLL z!*nWn@lwIIPWUx~s>x==ZINCVa`m1O^bQB&yyRT{4|4MF$dx)|dr1UV*2(D;efE6s za|i+9nhVopL)LW7ocnr9^GLF?CLO>^hyH7-o zjZ@7Cxsdblzw((KW6V6x2@^*#qFTL|Ksgeh&d!+3)j%0qldnGx%dlB`*`YSBJ{{6) zrv8HWcjHZtzAvl2b8m4S>nnCO-FFUi^aBTR=fc?V??zjxY7GiRqfWfX08Vq0Ii6y+ z`*}*3J5_D&p$c%Ip?^@UTT)tU_#SdjN*7DnmEO22!VHJLm>N{>ZK*~piS_a7w?yp9 z3Z&b&AzFAfA^stax~l~2-UZ&jyO)cMfTy`{ zbF^<0H0OPKe(eUejgkRG&sekd>OT3s3kdLK`myTZnhxz18Coz$-xi5TplL7OXui!u z&5HX6dO?OhxF9c>a34icTrTqVt6zDnGDm7Mo!agSe6m&#ox?Q|{`1FLYwjX5w-RhK znu&bt;I{JQj+W3X=4!kj*%W`Oory>am2h74_~jc|txz|M^;bfJNX6ZqV+Uo|FO!A{ z2Ua6=x5rseA$4CyVNGuiC-Mt0v53zzw^19?_hxpu zFp)i`cXgrDo}Oa7FW0_=P)xM&PYuKB7#q=eyH3APm9E@~b^0ba`CABDH@oAM;vGWa zz1U1c6{$(m@6L5GZ3nVa5z%8@-NBOs9kCtk&0_(zV_|jdHqZDDsu1wYs-SHqa%oL` zXjWT>4Stm-mXq1OvD^Y$8~hbxS2{ zLj)(bDu~&K(J-G2@w?8N{%%h-+w0UpmY^0} zf47feKI(Scv`r&U`E zI}p@Id$K^!gctP^ocGuj6xBUXQCTkNx!=NIofeABHNv%#2U6tGM|sJMFtLPmOh8kr z8+JIEC6`WFJS8&&z{hp(tx>>OKxE$?O)U9$QZqyB_VKlL3E46#(0E@#w9l>5yWy2q zJ1G0@h{@V+3cR{cR$))SHO;lKZ|VcQ4rug`Rto#Lc(~oibJBu{XQYD` z2Xd_*iqu{_UpLG5CQ9jY;pxME#!eoBzl2i9#~Z?qt3sNN!$1FyW9S0}MTKhh#mC5$ ztQuN_HT9Dg%)3;QCD8)ajo%UZXV3Tivbe|jNo6@qnA)y+Z&7mUhmOG4TY2*gOF%_B zn&AZ~4hwLXfPbp!VrbRg)6>-*Wi^V(!evt9ne!>olH+1bca>gtGlU51U_AD_#=?oL z+1%v*8LIr@Vd0NEm+Y3c55;h8HimB9ZF9hf&P%zU2_9_x3?Hp#H9%{TeL-AQ)M?%2 ze1+|4-a=goQOmmE84afP+s59A*KCeGOWU2NB6AY!cW{7>=IMyq=qe=Da_Lg6d4N7C z-I)F+en`%1MayT9gm)14BYbb5O%Da~57j;Jj&5@_TB2UQekr{#^eQl<6As^)My6f^}JS6 zZf{f3d5=;qo2Vl?(1o2gJ1ro})^L3LF!BITp^1}k5@kuU&Mob3Nj*)&@0Vgs`V z`rQW1{08Zc_*F1VSFS=mJPprf!$9)MX68Lc@UmyJ4P0G$0+UV}myV?=>8zIa`>Ig- z{6nlzlhTC>_z%I0Wd@1RvD7!2U!s&ym9I0(sEiT9$>r#PvSe}nTDPUFVge$$0WJ%y zpb2v}3b={;1w2{mHhX`+^zDsH^yj$L6qf3aytKo9Cv`9!lXn^mG?>0_B!Vl{x&7`;(i*I)Hk#?e@SfVe{7sICu4U&vZq9St zyHQ%{(%BABvh$`%`(EOMS0cZ1s6S)kieU66u%v9D#f|Nbm=1Fg@B&&Tx#sdtc5AQ0#R7VJ!N;*`QQZB~-pE|8F*^|3kX=9~%?{+dpkk3{3xFgJS)3ApJXC zn}zvP?DTIN6#Zx9wYa06rI`W0wTYz>!KXe+@zZytLhzsI+Dy!Ugi@w@_KHT11QY;% zfB--cAOsNpltPID#6HDPk^m`y^rs$579a9!j{a>rH{oJID;it~R&dJ8n$WZ@tyPpgEv+?&bf3^O8 zX%BD!I2c)({oOAIBWELPfWxP%%E404!4%*Ka5S|yG6Fcd*Z`aWPS%D-_6`Q0X9R#V zzy7%l~WYxT~@%&U!rU z`MJ#QUzy`tSS~Kjzj`({GJm11`&-yT_H685f0#^WJWY1oFu35gb!|45sVJW*x8tSx z3yCLbFOTC)BHoU*2Es${%mxiDZ<146 zo)plLQcE5CB?pQLG!$4Gn1%+(*xK5f4cfOPApb{wQcxkauez3SLU3~OxlVGICJ>qS zhY%03Rt3!|aAG#^x?dA~v@@T_l5F^gT@Do@q-`S@$atltACSB-sg)VHI8bAOKL;PO zDT3p>rNGEU|KjLZ0uv+X1{dI2pmE#`;HD2YASv9_iHdjgiJi zcG=Sesga(6g@O5%(HYdsRAq6g9ek%Yb*%RHq_u%#6bQByANMr&l(x5p*{x;r3G!oe zOQQ=ATX6SJ57QVJBwf9|T?6y|^Z1+i!I9;i3#Roqm3y?0GGF*#unlz1EcM`REuOQU z_8(51AIB({I&G}ZjtzIuoU7Y5)gKi-qYL1s7L!0jSRyOBA zy2j5T8{-pK*(sdUPZuzG?-s_UJP~v(4mHhpASu8T+Zd=gn!Ji2B_AeKjIS4AuU!OJ zAK~2})YtDHVJ{b0Z$Cs|KVGsvGSz!07FBwd&mDl?YfXT%BLza!KqMFb|1PfLxA zF3cnAT3f!jx%sRuoK5&nHmTfq%f@|lZcP!875Vhd(^N`Xoqi|;yx}8GZ=P;_eqEhi zz+)7WE-)Dmn0};Ny)@U)9xAnzxv_%)f5eF^ZuXq=BKXLMg|fMVcpjy)w*cSLWJqPl zT-~tS*VjC~@y@bhI#q)HZ|2H^ZX$~Y;AL_d%uKJ+J?23 z?iIc1gZ1t&y^)d0i~8Y#?dkkJb+Z)%1bGXV)?4|FJ>@!Bz1YO4WzpaePB#2E{4IR| zLI`^@b15o1#3IKnM1iQa!*|S%#UOen*_)ru9<+Fzoo8d7>=$;92O1k8v}% z=y~sXr+Wq5kj6|Dg5zv6kyov%v1|U*+q$!C%c)8#^b}q}L>cFXPQk6NIZz}H0N8$l zE*GI|R%wgKp;G}f2>x;a2T!gPhkHx$Gd&9f*SrV#N>_|*IyQo2k45BJw!KvR>9NtC z=bGU&{L|^=Z-@)Oqkycd0}(Vs*|c+l)nD8X{m5b)YR)JOmE`dUvkm4e<9lB8o)(m& zvJjyJkRB6zw{Y<#ciDGR_Ngp6{cXmXI zRAy@lGqx*MHvipQ$O<|bb>TB_eBwo8^9FzRMbQK)NnP1N#BVqFPM~O(>SQ6s;$lfe zQik%w3^fw(7UY(lHvoTjA*Yl0dnAI@cx7XdJ{fCAmoRI)9hLnOn|JVnt#2mz{#s}s*2ev~fOnls#`8l)>)-eAvQHg zRZkp<%wB>xA4kVSK6o>9jcAfKo0n3){Q1$m;xmzc@7tyOp2rQ2Z;WDyVD4JDNjYvK z9t8HgezbC3(ch`wQ_xyc_$}nM+!hwYWeR{)Q13mM52R#&$PEKv?1h`h9?^AHi1rl+ z@X!(G@Rk>tmLl%mk(+gQMiP8ZXf=NY>xH@vFP%W|AC&5n1XdE)wbg+DHDe`+By%o| zRJxlR(*HES+<;d)-m5uc?|EIEm4*uiq<`V8TMGJsC3y!%tw*8q4Z;#dWE#7vvwTm% zRsrv2ts^Mq-6b0sv1`)`IXub9nOr}QSub&B#z)Wm>F@6L%LXG^jDadKa6@$T(Ujmj zxDe;6e173rG$;aod-#B>dv)yk+_O~lO8_=ca0Zu$Ppd?%y6KZA~Qml27!%w zQAUuoz(VaB^;<{U8nMAo8#0w0DcD{UNeg>)55`tTXEu1Zw$7X?_~?m{j7poThY-Zk zuz>+4I!pWeqyn}Uj+b@-Y~fZ=i;ve!4K}E~YSEW9#gxPxa_|nyNkMh!U7;1WcklRG z*{D(2s_Z=V!|N)THB8IVdA4=)+9A02JRGZ7EA;q#lOlu|tB28U?*pFLc2D zlV-4eyFIkO3GfgT0c>~cpFc2=nbwU zY*#D@;)ocuw;FN$LzIr3ijX^NuO!XP{#TPaJ3THGj|_ z^-X&iBa%d5_uKN$S#YqwR4Ai6T_pk4(;I%~2LN$DWd#y?*r5TDTeL_2*rpBUbJ}Xi zDXU#j^bxjN6eDM;{=92_xC=8?9lW807Hh%I_kQX+duD6T`=pJZZho!l#QyDMLY3%3 zdHT5wN;R7>w!rYOOxfjVjtr-tf%%RO0U+Ftnf@m zhhWtErRiUAJJ+6Z#1V4 zSNcZ1UoNvb2cEWWy)eoUZ~-C;^IV`hgA(J2zK%ZRt(nmiv*8HSEg|+Aj?UUdt>a8E#LJ!8AB29Mi+NiKhqV? zxV7(v33MBLagAA!|7EtyAp5Y0fN>@xhX7`e{2Y8F0=y+?HU`8DF*yM#WiMeATSq(~ z5V~`kzNav^7@;z_s2}JU4z`Wb|KkGAnY5Zk6HFiMX=fJ4*@Z{~^$mzGAYb#1-Rwo1gO0>2!yNPgU#UKYQ zASp#0k=IqHdr;u0M)|{+eALk*CmA{=5DOaETv-=^{8!6&JY)km?>~sTdQDE`qsGX= z+c{{y`a6n{mk~SLt};`@L-Cuf-9V62V776A&Y+$(Mba|gMwuszwil%stFze|$p~TJ z?sqmI-Hjk>w1>WJA+`Lipy{`ri$E5)KM6*1e?KQR-Z*Vm_{EA%L0>GjiUTaOo z2A}yPf1Mp$!|^b7ep-C;~^@{Q?(R(`Cnq8HHi?z*B{gsG@aT~QI4??U>xIQ6?? zzLQ|bV{a+ggKj#L6dvk!uIoG7zIp0P5U9^Abh`j|sNXsLwc(<}OFM6(A7{F5d5{2) zquh-^_18!Gw0FJT>kaIki7xBRGfmX?Pv9r}r~g3B035a_($5x3@ic)l+w4z9~Bq@;mBY=X`Yg29+J1<`dGT)Zw4ckE;*A zn-fSGY1`(Uaf4=-P& z8RJ02B!_{YR+b`n*+sBp@B~_D0`#^;#EWa+c%Hj!7UJ!TzZv)1g_=@l=DQ4+$ESd? zf5Yu+lH0wfo^%40=Z2R4Oshnzdb$>wU6g` zcR_fAu01vn$acTxEkX9CUeAO7_)u~7=hi}fmUdtNqtwOAPZh=#lUtZ~5Xe;SQ zLvXr;gkY+|RhqS){QeS6X>=;FUM&80Gnr#5g}#;rgJ#u<+n7W98SJy3974kn*Ka#K zTtK}AWWNKz_6e{zIDbodOL3zA?$n6QolsThAwY*cmA;5Orkct>QTF;Jtl$z(@l-OL zMwh1~3dU@RudIOSy}!@zSw9LpD1Pk)x9YVOS^~1f8~xt6#Mp~K@+R*MR7F+3J-rt~ zG>sC60EgtMfK!o~P5b5Q5Xzfsvb%)%mOEkqlk)c)q?=}Wi&SA=sZ%VgrhB2TU^Bnp zXPA99M7a~s6UmA`2^#5+vFAE(J{^f{!dB;|9eB06nuVjTqG3;0w~Fj7>in}OFFP_1 zyyHz?7$gghHpsFy} zHE3%#LN1Kr48+Fn5YqbN3(-!~dIdz+2C@i+7DbYj%lX`}+&@tz_F79z^JIgzj$4d_ znNd+V2m!gZm?}>jYI8IzeWG=QU6(q0N}?r>#3HsE8H&?#*AvKA*m9KwP$S@DiFC8C z%wDX4SjlZ1ZQsbp++l80`|Vw#1m-b4spY3uzmnXol4@@xxOQ)&C3x?lN+A&#|Ml913?-cL zOL5}^I;FhYFaDkqI9eKI4iWS$U~|{s4c`gBib_Cum1|p8ubi*PY$57J$}*M`XNiWZ z3~KCkaDY}ZJz=Z`DeZoZQIq=Ok-r!@7F5LbW!&fD7uvgSrfb)%mUWXGd&YS-8GFM;(1Dh= z%_Eo6NyjC3s^r61{-t@Y0-m3DoxtGwn%qyXtRd6R3W@va1Q+_`?FN~%)6n0;8x2kC zR0u|_!@BOhpZ_^S+m?UF{^AsRU{w>|uVvJTIVOI2nExtI73ECdeU)5!E)in)o%m9p zsj!oH*xmN#dy7SH(mvOZp3~TswulxLZwF|(vkqQ1Gm0T18bmv@9fjnqKm;v0>BTz# z&jT8%oqYTqaEepL37aWjN03!f*InC;E2x;&{k2Df>HXaUMy=4a(Embb4yh;`B^}D_ zdn$niy#4vmB~f1(K4KN0GrCIerJ~MKdEp@hYP-di2_2x3s*+2aU26Q(`S9@|Grdg*n6!|%Yv z0_sjVlRii029pHEAY6Qvh@7U`gSc0m^biMT7)yrc5~;+eNOI7;WXbN%t{VQUoDHx% zjCNc1hS@Z&dGuqo05F@4mONPg^IuQvo>ik7`6&uu)!Qo5j;FdtB+WvoHvX7x_6 z@%_O3lJgs#x8eP30jLxvNC2I7PhvEd{p8*30gUhsIsj(c&Q!oY7L zp2#9wz({BbOpBW*?HUO+S8Bh8#O*>OMX`5bp=1%4Aby7oG z;@0WScQ&cWArX2PW1*MM*4SQqL-JMG2{jdVUMNYkDskZ|VY(B{`g}l@lskSUpHtHW z=QQNFyLNyLYczfq-Eb|VCOJPi8VgmbaEo_p{5Vo1lqIWsG4e0Dc(Tu=5R2Eu^WGMr;4rNe`al?GMBL53ODz3(87 z-q^ptDo}s7a^S%~k%U)A_$kB-tTe@xiczL=bSdwgf09R|>}qZy@|1p?Axy}y;1ePX zO|1?7^FT_ubHx$Cf`ozh%IlJ|N=&X`^mgFt3xUAb$FdrDsmPg+y}k&;M}}#=K3_zz z%F2nk={K)m@ce}CQ1*>WavomXv{F<*TJ#rG90V6}akv)o0JEknS29ras9i z>HtqZ7b5jWmYY$YXUwvZtXgR>zlWQ|RsR1dtT$sPmB&XtR-+sq620P^i)`vhH4#OJ~c zp{ol-Nty2fskiI{`O6A7B12lgp{wIbqBj$Sc3#|f=}uu3&pG#T5}IOkE6m*`+T*js(zNMBJ8RRCpagFuI=|WKL>;3& zSoLF2XUdK;!DRdqJ))P5^ixTy`G}spcyt9NW#Vg0{@9uRRH=ww9%6a)%}{n6S>q#u zX2#WKjgpa{80OBI-;*Obo^qE?0wN75Nk+TjRAbqZ|4ZuJT@pEN|I850R!jsk{`VK1jxG|W{1uZ6lc7OV9J=B(1PY80| z^9fiO z^U5YH+lJ+uXnsWI2H|5Vf@TJS9~0w6Htq#kro;hWR|KhR60Z@#*88u^5x(n2zt&69KEuUx zefzvna>!$6_lJy$Lpc5xx$=JI=cq?hPv4eNOn_`?7w331^*oJOHpKQ~Ix)r8K7Anr z3~%|22SnqIk(-Nc)OJAlWu(hvAz<)ZR6p z*1|g0{b1W9=+=yR+l{BB{4+BPCS+_HNe1;>SzONu)`6N`CcL^F$KaG-9W+4ADah>x zJhtSKgee6#O8!Ss>A(!tY3C0CeTTyS^E>uuewT;MpRd(ei75S!d1I(jgP-TRDQpIl z(0=ZcLY@?$vf!{HrPpb}mm$A_6718+?Dxd?O%dEo!|U-HdsiZ0faP0d?VHhI!A_cL zo)LmIZ~jE3fWJao@{CGocPHF?}U07L=B%B9FmrZV?xZGQ3c%ArCAyAHsaL8fD2Xy zJKOY-C*=ro9y2Vs79_$1?8#j;3(&P)Hn`>4KH)g6?{8$2gz=5wPn`zo8ZwMW*l%mV z=tRh0CM^T4VprhQR!7vz7EH^!FOn3{DRLG`;;hH$!H<4AhE2;{Ua3qyX6+5C zC1N_=VWr{hEFV`yE~?scx@S1tAA=G%Vef=H%M1@Mt8~O-{HmAPFAR}cuVwgTSl?^KSKEcM;i%r+Ak`iy z0Y?57gJBsV*d`Zbyo81a2F6Km#R)UGGN6ktYu7HZ=8jN70gQO7`kT-tcyc}0&*@@Q z5RbuSgHi9_k9qx;yX@hm!A%-P7ks3?-Pa*e)Kn93Q>}Z#B$Pg*D7O?nH`ri zlFsT2{4^#=8@nF*T^`Co$}QZ2+MZP#ew6{=?lMLS%vR;=c@F~b23@zyKasUoj zstAuU50qc+-mXt{i=Ui`$VDTFLoej&>(Z`&>kr980dJus7bLy{n{chPds6c1-N}66 zcF>Tm<{%L)y7^02UCvSrkCCle0`9SxwLEztngPCQuhk90YB$5L6+OUTu>+I2PS1#{ zbxzvaj@_ore!nc&xW?I{H+7lUi6CyK?2!exZb(a240I$0 zrpeN4+)0ZBTt2z~#Zra(`1&JlBwZA~@!b?3M4t+6vh0~}H&AqE+2snCRh%G7a3Q+WAu1`9}NXq0hvEEb@}Q{8F!Fv3X3L-EnqFKOHsE;DOndOam0st>w) z0TL8vyX|bLz!!!2b>ZDdVi+vDYX`3`R&YI!yFuDz`P=c353A+b+HMsWeI_n$X&~<* z&fx(G#i^~8q%{_gG3IME#~q{6^_<%rc{?@-jdSh@GAR`9I+0S_p0TEP*wP0~Nk zx{%a{B#wItYY{2qQ??pzzX*#cKP2D?>CzxSa-f4A`+1xlZaZSJZI!z(&*#A$RgWc# zbY-B|Hapt1ub@=7;{yna3NHr1ubpjnvI>6c`YK-?mCwX(-5*oc$-^UD&~@iH$U4ES zI9X3+t&SH>bino^VWplGJ^Jc0oV}L#L?yu4JACC*Rvv@>6srxE_*D(xRS5^X*p%=4Oc}O9s7W zt^s~|!ZF#q5MLbZX><|M*J$Kf7?&b}v@Njv7l(Vn0k7q|M|joZ1Kk6NX_}VD0-GIIWIADr5Nt-OB|= zifk>DhCk#4Z?Jk{n~UW2hApeHBqZtYfW`(S=z0+l2^577M z4E3OFbM>X~1toGjI~p7@gUUEUO4_iO2kzg!9+ldgJvE7axAZtq zvqtQZ^%_|*cB>@48%daS5ZyrJmEVb-gau4dwK2=wbo4pGy)uzuz7W zq&ed)J%YwF7)JVz5_zo8#^Xdah<%QKVPSJvn( zu0O#kLT;{EIniP1xxG0vh`W0_m2)T+bc0;4j%u?|opxJA(%*edd~_ukI9<^AlB#|B zdNXT9fv}d9Sy5W>@w&#A4=f%&>l|IBf_$o7!X>9tSHuNcJgPuei#Zgtzr&=%Z|w*a zt9MS6tK&R3ar}NcFDPRnex=P8DSxa=ClVZNR*^(|J)DQ)|^!A`%$+d3@g=1f57K;FRU174~_UjBNQju;WbQY_|&TaTr zt#_4{s(7Gc2`ckz&3kvDmk^+A48oJd^?B;b3D@{OtIWb(WLH>>ucMqx1a?RehkRd1 zkEd*9Vu>n4$R(;yqd2UGCQJkUPTe_ue5CRE2O%npv6fn&E#G;xt@O;pE-oFrHTW`LcD{jqZ#TT zgeJijS)FY70gbB~=Y$#f+V0m?RYzj^bY*WGpW#xz%HXY}+j~Q=hNst(u<9b~J7hHE z=5$L=FX50vE-M5m;J;8{97)w6+x-DkE4^`{CGjIhZSn1tTrH^isv6H-L=g$>9n&lD z)WVJc`Q9>QWrE3FVTTIp$Uxd1XaK*+;^{F)U;zG_V3h>0bA{`xj5XVj7;d3?P(^s?`^kfeSwGgvw); zw#E>g-B*;dtX{bh&x`E3!OZ1I{kVo|`<}|6m&^foo%7>yWjOWm$UEKl(t3EO)Q@}Y zhlVD`{<=6++>uffCAhx|DsZcn#|i$ynX7chjW)Wu5U|3JZ~TnmMU~sD$K7F)(;?A1 zZJRj?QAuAN;w6N5xNMLkeyI*QDs0p+2%ZK8Z5wk-2_o*LLOZj)Tk@U{3iM9PidAGmPY1cEbnInKX~2iLxYC`cJMUuCZh= z&YwxhvjiyoL{VrT<^Dd{_+w^2rlT@_t;-nC^_Zx07SFjz)=0OtgArkDLPt}Mie^_x z_S>X{Mu2M?zM{~gy=B@d?zvmN+Pd-P8Jn~1@}fk5{5VUWYSVKZO?Cg=G_A&%8g5Z) zLe!il)y*zH^w+Rg0e(_>+XQLux|VTEBbasPUzezPLiYz64JbYP%^M1Ac;lzEWU|ot zR}(aj3ull3)2m_9$z02Qij|n_DBi@(rp^L7y{)pqAxac zF+;_&TJ~R+T&MPf_z+?p+Mdj$Dq44My_gfKwDu8Zmp*U1QJAmruDT$@S6zx4DVUJz z_=|l>a*Bwmxl|geso=rw=98kU96Dt%B;DN-$JfzD;5t-198m!JD&cg>6Tn#+F4DPc zihG`3VIwQK-4`{u3HecH(@)CUw3ah4;SHqNVLvR`y*cpd_+5E7X^)zB&=>W zq%{e(w4n>4{TshICaMhnLUN*^3&ROe#M1co)ff0S8QU(%-WQJCpctpVZ_IIZGcumd zZ4GuG*Mfry$Wtk-zGj&)eoF;~-{`U!ciO~~mD?+~RYbg7?pd783M1;kK=QVD3_h5H zCu{BJ9PpKIh;`_MtQB9m*qRxp#s#`m(VwVIfzWf+MK!=$8nyP_hJJ*FAPfTA!MC{3 zRU%I(smrfswAMMii!=h4u{xc2-ZQ;O-4dj5!nCu0j5H-N(JnGqkcw+MkF9l!P4Wnm z^8taar8vXyZ7;kO8r5@9(nJ+Y0X3VQ4%Z~%VvTmZA%44DvD2q?O|rU!(abCye6S)s`m`T)4OPh3xmUQJFlEO?a|=rU36wEa_zE|7;rQdNMh_=sUq*5xV0FA3m=YX z+!!m8*vyiHUQ?kAFnE%$$t(=pw_gXNM~of%B$JsK#wU+s;Y4z=L@Pasz zV8xk@*>M~XL_VQ2#rnQucKkf(nSwlsw}Pl&dZ^ zl7$jNljz|6F2b5MeOUwaDrJ=YHpqa4KV4}RPK!~4S;z=sRnjbE0sZCRvXfIEFF#{| zrtIJxKv@B>$j}LAXeyE2q|A}7dsvN6_9vMwv_u1M^6L)b7!0;w+IS6EU>9AqYmd%j z*y`BkhPg(dl9w@qPH1gJ2gGaDZLPA(LM>c+OP6JcGf<*~VZK!s7fGg0Kmen&bR3w< zP5E)nLvwf3Md=NSn@Cc@#kMTA^4iMs424 zokpB6$ICwfX6Bwt7r|CZr|2y#7h(={T4ip!43g+5YzKz$Bn&e;MASQ6_xE3`rK*~! zLrFt0v*RBg&Dz%`n=i!dH9>q90E<^W$BYccoaC5Z$sZ~tx z`C`p-y&+p$(7%2$pS2EsGj#-e&nMxGEsS}AUO~8^ARMH{A&jcxQeVXpPg?I z=6UIm=Byi`=w6xfwpcxGo6>|sa)UkW_EH&QBm=6IMSY5yRtl#nJUL(#-F6>UR4*T# zwdQ(QXpPFx@5rD6&X(spl`J5?c(8rJmoSf+y3bs3`p;bP|3Q+le4+{eL6ZDw{);4`XJ`DMBnd4&^FLXVKLpCZ zg2kEsN3b~mzep1Ce=#Hqf6*g<2aW$bV*C#kVgfJ)n7Y}Te!>}M|6)P@UoenAc!%Tv zj&8V7ehz_+wWEmHC-_4D7oG7xcn#M7w8$&Z|lg}MDGd4E*3`B9W+v7IjBEfst4}V)LC^XVO!dkQ@t^Vfi(vVSW%--0`3sx* zC*tx?*u~Pw!2w`o=cH!|FtIn%`|K3~3-kXM@*!Yl{y%a)Y6R@`0DXHs0}CU^KdcP_ zJL5l_f9)m#JM({#GX(6cpJdRVDEYr<_|MFm0sam6*Z^!l*`0q*+rKfJKN~RmYxVRD z%zv%_??EJ>XJY-=p#K-t=Wp;x3z~!k1KW@|(M_%r99 z)heLpVDzU>2mlHK;tI+#|2UqcZLFne|AAzEe){J~us5@Hw6Q0kXZwSCDSTF!nZ1MK zA8_ikGCrxE&pG|8@!54~z;`o4M^gs^dRE52m;GmHeZKRj?*6k9KjAJqg3mq^aB)HZ z)hUAiRmrvOG;##dcfMj?qS#TueVbc^ERnDzWZ4A;lB^WvVOVCfPFRd=liSzlRCkZ3 zyUIXVt%RrCU46PPr>ff+AGc2-eRuNR+3U-Q^s)oeua~zsA>K2jL?;> z(5HaXcb;Ab^!&SvtDgsxZh=OA;%0Rmti#vWMza#*Y|+-wqSauzm%=^!>Gb>4lhm${ zL;wX>X4fV)EIn+IMi)F`*S35y(06aHempv7)c>ZxS?q{`=-4q@Q>fY?1-4iT2)6YU zR&vtIV&JJSJF*b)U!nwnN3c4Sq%GFyf+w(Q^>V{LS5rCQXA&$mZVc}y0Pl#{i|)66 zjk>&i07D@iE~uJpP|qT-yk6X(LY4m8h(+zu6v2w%VDcta`uNj7XC!H4iu}I?wf5^5 z+W1}JXF#BBl-szt^NVMTI>~q0qDb@IyVTCdXQ4|^!1x)TtGL5T?$FyQkJoH5jjv}0 z8+zlzT;3-5>0$nmA#Y{ypFeDF@oiPO$j59EolLA%lrcnu^Gs5m{5xAz3slsi^w{@i zM@1QRY>hBHulhfu{;|%L)ZZs z>^P)DqLtpw;RPqsMqNyvU0Ne@uQhlgF`vuAHed}^6Xq65MIpVcG?jRGl;k8EKqgMZJjx}T;X*G{~E2Qh* zENJE4^6xUOu_Qq26SYR*30CPXv-OsK+*`hbLox7JBk)mc-rxBc(AyN!gMXyA zbn2}LJkct>6_}3fiW8F$pB<5vIxFHHmC~EJRkw+?(^G!K5$C9dwv=lbU6bL`o~8!F z4I~ukDdG(D6fF_xX6n{?OKu-%Dj2{Jt z1b(e3up|g2V)FiDcaLMp7c?!Dv0{*s$g>yzz`@z#(_+I`O~&QKOm-ZMGoZak>GaT4 zs7aF`P=FG6s)!PTALw_G5dJEgMH{H%2D}~`qP!r*I;IQs(n3&g>8aK6>Nx^|Yvc z*2U)qoa+N@cqT!Fx9;C>7R$RY4!jZlEMY_}I7!Ckh9o`QklVr7Tx<*m1qYhqAfk`s zNQO`d2HGw~QVbn-nv4b1GTMKX5`HgC;io_n1bHwRm9pYs>QOUAMD*?`q^QVE2)u|4 z6GL?ziRdt5zle|_gvODGk`P8awgBxEDe2(U55{+vkN5#|;ld#x*ALgD7VX`k%K>%v zp7AMLM)Jt#86PmA+1(A-M-9`*4WCkcX#E1)q33HuMC+k-ZUYP*12;GgJ>hP08h4nd zmGJ~L*eNU-Y?rATr~jW_q~%~x8S*VGm#I#Odm>Gm`;?+?z>2#BP_R)xMUw{1sFZNS z<=HnKZXK7nJG-DG%XmT=I%G(Knpuc;<4KnRYTdpQ&-Btgt_-nEGSm0K#U#jS3_w42Ue z_y7F0T-~fExViM2z>&weu`4FWUm;#<)tXWp>vXfP+~-Ptj&VTw+>onPcYojC;8v-- zUH7o})vI?0C-_r6*WKM6_BFZsxL6nXAMkux{6sgJOWbGzl`dOT?VE#gfQjMQ+8OR2 z5f|Fxiuiib-A#)>?mJv~^WCfEMDk_=GSVgCxR0e&PDsU=;K11}#WR|+;OlGQv+SF7AeTHr} zQyKJGx>R5?M+dM>27P=S^!bd>#wi@D**>sFDQsY>md+9BT+%1}hPl*bq~oBkqLXVT zv&zsX0I3Z66rE{O8Ok9-N4Yiki3RYmPl zj;~UZud0%64A{7m=Mjzvg4ZC^HH&B1MbXU*)7Lg~jfT$0Y+OxecP10L3LrajtI?bz zFivulYMiuHQ*l1P+*-z8)AG1S2>=?7xi!+~t(CTKOS<{V_uGQ(gsc&qsM?l}x7l2+ z49_E_>V_JuY@DhUHT9Vc7rC5sPovh7aR-+~ea9y4%dhxmNIt zF8$?mKCY}Pq0h;j(Z)L#c1@LJ(;J;43ujI0&Tw4%RqD8QV@(W?kPaHf%V!D&xmL6gM% z0Zz1ZGnMWaTw>`EoXXH6Ik`9Mc&)%VBru=rth52RPOMQ{(fhcvqLY7)rSi9_nG7wL z@Nea6QB%;xia4zi_uS`=0dcT(8|#1nB3l>HEI6VmYte(WI5P1ykP5uMq2t0KEMFHg z5vTabwB@!!4qBeSkU6@YPBG)`QtvpwHT21EKF%rn0D#Gi?3Lkkjv2>Qp8FahB>PF% z@>oMeD*DZrd|jAIU@5UVG0yOs0(~y!h|Q|QZ*{Hq4iAgj<>Ftuioh?S{jgka@Cs|t zFEO0neOTfNmh(@?#V?1{tsl4Qm3dWFU$?Hr;oBUws@2CQwJA^9dGY*^Ukh9|t?5G$ Sf1d$ljcfKk`|Q>E$=-jV>Ig9a diff --git a/doc/pdf/plugindev.tex b/doc/pdf/plugindev.tex deleted file mode 100644 index 96f1a2d..0000000 --- a/doc/pdf/plugindev.tex +++ /dev/null @@ -1,801 +0,0 @@ -% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\usepackage[utf8]{inputenc} -\DeclareUnicodeCharacter{00A0}{\nobreakspace} -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{babel} -\usepackage{times} -\usepackage[Bjarne]{fncychap} -\usepackage{longtable} -\usepackage{sphinx} -\usepackage{multirow} - - -\title{Kerberos Plugin Module Developer Guide} -\date{ } -\release{1.15.2} -\author{MIT} -\newcommand{\sphinxlogo}{} -\renewcommand{\releasename}{Release} -\makeindex - -\makeatletter -\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% - \let\PYG@ul=\relax \let\PYG@tc=\relax% - \let\PYG@bc=\relax \let\PYG@ff=\relax} -\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} -\def\PYG@toks#1+{\ifx\relax#1\empty\else% - \PYG@tok{#1}\expandafter\PYG@toks\fi} -\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% - \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} -\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} - -\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} -\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} -\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} -\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} -\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} -\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} -\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} -\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} -\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} -\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} -\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} -\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} -\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} -\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} -\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} -\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} -\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} -\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} -\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} - -\def\PYGZbs{\char`\\} -\def\PYGZus{\char`\_} -\def\PYGZob{\char`\{} -\def\PYGZcb{\char`\}} -\def\PYGZca{\char`\^} -\def\PYGZam{\char`\&} -\def\PYGZlt{\char`\<} -\def\PYGZgt{\char`\>} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{plugindev/index::doc} - - -Kerberos plugin modules allow increased control over MIT krb5 library -and server behavior. This guide describes how to create dynamic -plugin modules and the currently available pluggable interfaces. - -See \emph{plugin\_config} for information on how to register dynamic -plugin modules and how to enable and disable modules via -\emph{krb5.conf(5)}. - - -\chapter{Contents} -\label{plugindev/index:for-plugin-module-developers}\label{plugindev/index:contents} - -\section{General plugin concepts} -\label{plugindev/general:general-plugin-concepts}\label{plugindev/general::doc} -A krb5 dynamic plugin module is a Unix shared object or Windows DLL. -Typically, the source code for a dynamic plugin module should live in -its own project with a build system using \href{http://www.gnu.org/software/automake/}{automake} and \href{http://www.gnu.org/software/libtool/}{libtool}, or -tools with similar functionality. - -A plugin module must define a specific symbol name, which depends on -the pluggable interface and module name. For most pluggable -interfaces, the exported symbol is a function named -\code{INTERFACE\_MODULE\_initvt}, where \emph{INTERFACE} is the name of the -pluggable interface and \emph{MODULE} is the name of the module. For these -interfaces, it is possible for one shared object or DLL to implement -multiple plugin modules, either for the same pluggable interface or -for different ones. For example, a shared object could implement both -KDC and client preauthentication mechanisms, by exporting functions -named \code{kdcpreauth\_mymech\_initvt} and \code{clpreauth\_mymech\_initvt}. - -A plugin module implementation should include the header file -\code{\textless{}krb5/INTERFACE\_plugin.h\textgreater{}}, where \emph{INTERFACE} is the name of the -pluggable interface. For instance, a ccselect plugin module -implementation should use \code{\#include \textless{}krb5/ccselect\_plugin.h\textgreater{}}. - -initvt functions have the following prototype: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}error\PYGZus{}code interface\PYGZus{}modname\PYGZus{}initvt(krb5\PYGZus{}context context, - int maj\PYGZus{}ver, int min\PYGZus{}ver, - krb5\PYGZus{}plugin\PYGZus{}vtable vtable); -\end{Verbatim} - -and should do the following: -\begin{enumerate} -\item {} -Check that the supplied maj\_ver argument is supported by the -module. If it is not supported, the function should return -KRB5\_PLUGIN\_VER\_NOTSUPP. - -\item {} -Cast the supplied vtable pointer to the structure type -corresponding to the major version, as documented in the pluggable -interface header file. - -\item {} -Fill in the structure fields with pointers to method functions and -static data, stopping at the field indicated by the supplied minor -version. Fields for unimplemented optional methods can be left -alone; it is not necessary to initialize them to NULL. - -\end{enumerate} - -In most cases, the context argument will not be used. The initvt -function should not allocate memory; think of it as a glorified -structure initializer. Each pluggable interface defines methods for -allocating and freeing module state if doing so is necessary for the -interface. - -Pluggable interfaces typically include a \textbf{name} field in the vtable -structure, which should be filled in with a pointer to a string -literal containing the module name. - -Here is an example of what an initvt function might look like for a -fictional pluggable interface named fences, for a module named -``wicker'': - -\begin{Verbatim}[commandchars=\\\{\}] -krb5\PYGZus{}error\PYGZus{}code -fences\PYGZus{}wicker\PYGZus{}initvt(krb5\PYGZus{}context context, int maj\PYGZus{}ver, - int min\PYGZus{}ver, krb5\PYGZus{}plugin\PYGZus{}vtable vtable) -\PYGZob{} - krb5\PYGZus{}ccselect\PYGZus{}vtable vt; - - if (maj\PYGZus{}ver == 1) \PYGZob{} - krb5\PYGZus{}fences\PYGZus{}vtable vt = (krb5\PYGZus{}fences\PYGZus{}vtable)vtable; - vt\PYGZhy{}\PYGZgt{}name = \PYGZdq{}wicker\PYGZdq{}; - vt\PYGZhy{}\PYGZgt{}slats = wicker\PYGZus{}slats; - vt\PYGZhy{}\PYGZgt{}braces = wicker\PYGZus{}braces; - \PYGZcb{} else if (maj\PYGZus{}ver == 2) \PYGZob{} - krb5\PYGZus{}fences\PYGZus{}vtable\PYGZus{}v2 vt = (krb5\PYGZus{}fences\PYGZus{}vtable\PYGZus{}v2)vtable; - vt\PYGZhy{}\PYGZgt{}name = \PYGZdq{}wicker\PYGZdq{}; - vt\PYGZhy{}\PYGZgt{}material = wicker\PYGZus{}material; - vt\PYGZhy{}\PYGZgt{}construction = wicker\PYGZus{}construction; - if (min\PYGZus{}ver \PYGZlt{} 2) - return 0; - vt\PYGZhy{}\PYGZgt{}footing = wicker\PYGZus{}footing; - if (min\PYGZus{}ver \PYGZlt{} 3) - return 0; - vt\PYGZhy{}\PYGZgt{}appearance = wicker\PYGZus{}appearance; - \PYGZcb{} else \PYGZob{} - return KRB5\PYGZus{}PLUGIN\PYGZus{}VER\PYGZus{}NOTSUPP; - \PYGZcb{} - return 0; -\PYGZcb{} -\end{Verbatim} - - -\section{Client preauthentication interface (clpreauth)} -\label{plugindev/clpreauth:client-preauthentication-interface-clpreauth}\label{plugindev/clpreauth::doc} -During an initial ticket request, a KDC may ask a client to prove its -knowledge of the password before issuing an encrypted ticket, or to -use credentials other than a password. This process is called -preauthentication, and is described in \index{RFC!RFC 4120}\href{http://tools.ietf.org/html/rfc4120.html}{\textbf{RFC 4120}} and \index{RFC!RFC 6113}\href{http://tools.ietf.org/html/rfc6113.html}{\textbf{RFC 6113}}. -The clpreauth interface allows the addition of client support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the clpreauth -interface, see the header file \code{\textless{}krb5/clpreauth\_plugin.h\textgreater{}} (or -\code{\textless{}krb5/preauth\_plugin.h\textgreater{}} before release 1.12). - -A clpreauth module is generally responsible for: -\begin{itemize} -\item {} -Supplying a list of preauth type numbers used by the module in the -\textbf{pa\_type\_list} field of the vtable structure. - -\item {} -Indicating what kind of preauthentication mechanism it implements, -with the \textbf{flags} method. In the most common case, this method -just returns \code{PA\_REAL}, indicating that it implements a normal -preauthentication type. - -\item {} -Examining the padata information included in a PREAUTH\_REQUIRED or -MORE\_PREAUTH\_DATA\_REQUIRED error and producing padata values for the -next AS request. This is done with the \textbf{process} method. - -\item {} -Examining the padata information included in a successful ticket -reply, possibly verifying the KDC identity and computing a reply -key. This is also done with the \textbf{process} method. - -\item {} -For preauthentication types which support it, recovering from errors -by examining the error data from the KDC and producing a padata -value for another AS request. This is done with the \textbf{tryagain} -method. - -\item {} -Receiving option information (supplied by \code{kinit -X} or by an -application), with the \textbf{gic\_opts} method. - -\end{itemize} - -A clpreauth module can create and destroy per-library-context and -per-request state objects by implementing the \textbf{init}, \textbf{fini}, -\textbf{request\_init}, and \textbf{request\_fini} methods. Per-context state -objects have the type krb5\_clpreauth\_moddata, and per-request state -objects have the type krb5\_clpreauth\_modreq. These are abstract -pointer types; a module should typically cast these to internal -types for the state objects. - -The \textbf{process} and \textbf{tryagain} methods have access to a callback -function and handle (called a ``rock'') which can be used to get -additional information about the current request, including the -expected enctype of the AS reply, the FAST armor key, and the client -long-term key (prompting for the user password if necessary). A -callback can also be used to replace the AS reply key if the -preauthentication mechanism computes one. - - -\section{KDC preauthentication interface (kdcpreauth)} -\label{plugindev/kdcpreauth:kdc-preauthentication-interface-kdcpreauth}\label{plugindev/kdcpreauth::doc} -The kdcpreauth interface allows the addition of KDC support for -preauthentication mechanisms beyond those included in the core MIT -krb5 code base. For a detailed description of the kdcpreauth -interface, see the header file \code{\textless{}krb5/kdcpreauth\_plugin.h\textgreater{}} (or -\code{\textless{}krb5/preauth\_plugin.h\textgreater{}} before release 1.12). - -A kdcpreauth module is generally responsible for: -\begin{itemize} -\item {} -Supplying a list of preauth type numbers used by the module in the -\textbf{pa\_type\_list} field of the vtable structure. - -\item {} -Indicating what kind of preauthentication mechanism it implements, -with the \textbf{flags} method. If the mechanism computes a new reply -key, it must specify the \code{PA\_REPLACES\_KEY} flag. If the mechanism -is generally only used with hardware tokens, the \code{PA\_HARDWARE} -flag allows the mechanism to work with principals which have the -\textbf{requires\_hwauth} flag set. - -\item {} -Producing a padata value to be sent with a preauth\_required error, -with the \textbf{edata} method. - -\item {} -Examining a padata value sent by a client and verifying that it -proves knowledge of the appropriate client credential information. -This is done with the \textbf{verify} method. - -\item {} -Producing a padata response value for the client, and possibly -computing a reply key. This is done with the \textbf{return\_padata} -method. - -\end{itemize} - -A module can create and destroy per-KDC state objects by implementing -the \textbf{init} and \textbf{fini} methods. Per-KDC state objects have the -type krb5\_kdcpreauth\_moddata, which is an abstract pointer types. A -module should typically cast this to an internal type for the state -object. - -A module can create a per-request state object by returning one in the -\textbf{verify} method, receiving it in the \textbf{return\_padata} method, and -destroying it in the \textbf{free\_modreq} method. Note that these state -objects only apply to the processing of a single AS request packet, -not to an entire authentication exchange (since an authentication -exchange may remain unfinished by the client or may involve multiple -different KDC hosts). Per-request state objects have the type -krb5\_kdcpreauth\_modreq, which is an abstract pointer type. - -The \textbf{edata}, \textbf{verify}, and \textbf{return\_padata} methods have access -to a callback function and handle (called a ``rock'') which can be used -to get additional information about the current request, including the -maximum allowable clock skew, the client's long-term keys, the -DER-encoded request body, the FAST armor key, string attributes on the -client's database entry, and the client's database entry itself. The -\textbf{verify} method can assert one or more authentication indicators to -be included in the issued ticket using the \code{add\_auth\_indicator} -callback (new in release 1.14). - -A module can generate state information to be included with the next -client request using the \code{set\_cookie} callback (new in release -1.14). On the next request, the module can read this state -information using the \code{get\_cookie} callback. Cookie information is -encrypted, timestamped, and transmitted to the client in a -\code{PA-FX-COOKIE} pa-data item. Older clients may not support cookies -and therefore may not transmit the cookie in the next request; in this -case, \code{get\_cookie} will not yield the saved information. - -If a module implements a mechanism which requires multiple round -trips, its \textbf{verify} method can respond with the code -\code{KRB5KDC\_ERR\_MORE\_PREAUTH\_DATA\_REQUIRED} and a list of pa-data in -the \emph{e\_data} parameter to be processed by the client. - -The \textbf{edata} and \textbf{verify} methods can be implemented -asynchronously. Because of this, they do not return values directly -to the caller, but must instead invoke responder functions with their -results. A synchronous implementation can invoke the responder -function immediately. An asynchronous implementation can use the -callback to get an event context for use with the \href{https://fedorahosted.org/libverto/}{libverto} API. - - -\section{Credential cache selection interface (ccselect)} -\label{plugindev/ccselect:credential-cache-selection-interface-ccselect}\label{plugindev/ccselect::doc}\label{plugindev/ccselect:ccselect-plugin} -The ccselect interface allows modules to control how credential caches -are chosen when a GSSAPI client contacts a service. For a detailed -description of the ccselect interface, see the header file -\code{\textless{}krb5/ccselect\_plugin.h\textgreater{}}. - -The primary ccselect method is \textbf{choose}, which accepts a server -principal as input and returns a ccache and/or principal name as -output. A module can use the krb5\_cccol APIs to iterate over the -cache collection in order to find an appropriate ccache to use. - -A module can create and destroy per-library-context state objects by -implementing the \textbf{init} and \textbf{fini} methods. State objects have -the type krb5\_ccselect\_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. - -A module can have one of two priorities, ``authoritative'' or -``heuristic''. Results from authoritative modules, if any are -available, will take priority over results from heuristic modules. A -module communicates its priority as a result of the \textbf{init} method. - - -\section{Password quality interface (pwqual)} -\label{plugindev/pwqual::doc}\label{plugindev/pwqual:password-quality-interface-pwqual}\label{plugindev/pwqual:pwqual-plugin} -The pwqual interface allows modules to control what passwords are -allowed when a user changes passwords. For a detailed description of -the pwqual interface, see the header file \code{\textless{}krb5/pwqual\_plugin.h\textgreater{}}. - -The primary pwqual method is \textbf{check}, which receives a password as -input and returns success (0) or a \code{KADM5\_PASS\_Q\_} failure code -depending on whether the password is allowed. The \textbf{check} method -also receives the principal name and the name of the principal's -password policy as input; although there is no stable interface for -the module to obtain the fields of the password policy, it can define -its own configuration or data store based on the policy name. - -A module can create and destroy per-process state objects by -implementing the \textbf{open} and \textbf{close} methods. State objects have -the type krb5\_pwqual\_moddata, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. The \textbf{open} method also receives the name of the realm's -dictionary file (as configured by the \textbf{dict\_file} variable in the -\emph{kdc\_realms} section of \emph{kdc.conf(5)}) if it wishes to use -it. - - -\section{KADM5 hook interface (kadm5\_hook)} -\label{plugindev/kadm5_hook:kadm5-hook-interface-kadm5-hook}\label{plugindev/kadm5_hook::doc}\label{plugindev/kadm5_hook:kadm5-hook-plugin} -The kadm5\_hook interface allows modules to perform actions when -changes are made to the Kerberos database through \emph{kadmin(1)}. -For a detailed description of the kadm5\_hook interface, see the header -file \code{\textless{}krb5/kadm5\_hook\_plugin.h\textgreater{}}. - -The kadm5\_hook interface has five primary methods: \textbf{chpass}, -\textbf{create}, \textbf{modify}, \textbf{remove}, and \textbf{rename}. (The \textbf{rename} -method was introduced in release 1.14.) Each of these methods is -called twice when the corresponding administrative action takes place, -once before the action is committed and once afterwards. A module can -prevent the action from taking place by returning an error code during -the pre-commit stage. - -A module can create and destroy per-process state objects by -implementing the \textbf{init} and \textbf{fini} methods. State objects have -the type kadm5\_hook\_modinfo, which is an abstract pointer type. A -module should typically cast this to an internal type for the state -object. - -Because the kadm5\_hook interface is tied closely to the kadmin -interface (which is explicitly unstable), it may not remain as stable -across versions as other public pluggable interfaces. - - -\section{Host-to-realm interface (hostrealm)} -\label{plugindev/hostrealm:hostrealm-plugin}\label{plugindev/hostrealm::doc}\label{plugindev/hostrealm:host-to-realm-interface-hostrealm} -The host-to-realm interface was first introduced in release 1.12. It -allows modules to control the local mapping of hostnames to realm -names as well as the default realm. For a detailed description of the -hostrealm interface, see the header file -\code{\textless{}krb5/hostrealm\_plugin.h\textgreater{}}. - -Although the mapping methods in the hostrealm interface return a list -of one or more realms, only the first realm in the list is currently -used by callers. Callers may begin using later responses in the -future. - -Any mapping method may return KRB5\_PLUGIN\_NO\_HANDLE to defer -processing to a later module. - -A module can create and destroy per-library-context state objects -using the \textbf{init} and \textbf{fini} methods. If the module does not need -any state, it does not need to implement these methods. - -The optional \textbf{host\_realm} method allows a module to determine -authoritative realm mappings for a hostname. The first authoritative -mapping is used in preference to KDC referrals when getting service -credentials. - -The optional \textbf{fallback\_realm} method allows a module to determine -fallback mappings for a hostname. The first fallback mapping is tried -if there is no authoritative mapping for a realm, and KDC referrals -failed to produce a successful result. - -The optional \textbf{default\_realm} method allows a module to determine the -local default realm. - -If a module implements any of the above methods, it must also -implement \textbf{free\_list} to ensure that memory is allocated and -deallocated consistently. - - -\section{Local authorization interface (localauth)} -\label{plugindev/localauth:local-authorization-interface-localauth}\label{plugindev/localauth:localauth-plugin}\label{plugindev/localauth::doc} -The localauth interface was first introduced in release 1.12. It -allows modules to control the relationship between Kerberos principals -and local system accounts. When an application calls -\code{krb5\_kuserok()} or \code{krb5\_aname\_to\_localname()}, localauth -modules are consulted to determine the result. For a detailed -description of the localauth interface, see the header file -\code{\textless{}krb5/localauth\_plugin.h\textgreater{}}. - -A module can create and destroy per-library-context state objects -using the \textbf{init} and \textbf{fini} methods. If the module does not need -any state, it does not need to implement these methods. - -The optional \textbf{userok} method allows a module to control the behavior -of \code{krb5\_kuserok()}. The module receives the authenticated name -and the local account name as inputs, and can return either 0 to -authorize access, KRB5\_PLUGIN\_NO\_HANDLE to defer the decision to other -modules, or another error (canonically EPERM) to authoritatively deny -access. Access is granted if at least one module grants access and no -module authoritatively denies access. - -The optional \textbf{an2ln} method can work in two different ways. If the -module sets an array of uppercase type names in \textbf{an2ln\_types}, then -the module's \textbf{an2ln} method will only be invoked by -\code{krb5\_aname\_to\_localname()} if an \textbf{auth\_to\_local} value in -\emph{krb5.conf(5)} refers to one of the module's types. In this -case, the \emph{type} and \emph{residual} arguments will give the type name and -residual string of the \textbf{auth\_to\_local} value. - -If the module does not set \textbf{an2ln\_types} but does implement -\textbf{an2ln}, the module's \textbf{an2ln} method will be invoked for all -\code{krb5\_aname\_to\_localname()} operations unless an earlier module -determines a mapping, with \emph{type} and \emph{residual} set to NULL. The -module can return KRB5\_LNAME\_NO\_TRANS to defer mapping to later -modules. - -If a module implements \textbf{an2ln}, it must also implement -\textbf{free\_string} to ensure that memory is allocated and deallocated -consistently. - - -\section{Server location interface (locate)} -\label{plugindev/locate:server-location-interface-locate}\label{plugindev/locate::doc} -The locate interface allows modules to control how KDCs and similar -services are located by clients. For a detailed description of the -ccselect interface, see the header file \code{\textless{}krb5/locate\_plugin.h\textgreater{}}. - -A locate module exports a structure object of type -krb5plugin\_service\_locate\_ftable, with the name \code{service\_locator}. -The structure contains a minor version and pointers to the module's -methods. - -The primary locate method is \textbf{lookup}, which accepts a service type, -realm name, desired socket type, and desired address family (which -will be AF\_UNSPEC if no specific address family is desired). The -method should invoke the callback function once for each server -address it wants to return, passing a socket type (SOCK\_STREAM for TCP -or SOCK\_DGRAM for UDP) and socket address. The \textbf{lookup} method -should return 0 if it has authoritatively determined the server -addresses for the realm, KRB5\_PLUGIN\_NO\_HANDLE if it wants to let -other location mechanisms determine the server addresses, or another -code if it experienced a failure which should abort the location -process. - -A module can create and destroy per-library-context state objects by -implementing the \textbf{init} and \textbf{fini} methods. State objects have -the type void *, and should be cast to an internal type for the state -object. - - -\section{Configuration interface (profile)} -\label{plugindev/profile:configuration-interface-profile}\label{plugindev/profile::doc}\label{plugindev/profile:profile-plugin} -The profile interface allows a module to control how krb5 -configuration information is obtained by the Kerberos library and -applications. For a detailed description of the profile interface, -see the header file \code{\textless{}profile.h\textgreater{}}. - -\begin{notice}{note}{Note:} -The profile interface does not follow the normal conventions -for MIT krb5 pluggable interfaces, because it is part of a -lower-level component of the krb5 library. -\end{notice} - -As with other types of plugin modules, a profile module is a Unix -shared object or Windows DLL, built separately from the krb5 tree. -The krb5 library will dynamically load and use a profile plugin module -if it reads a \code{module} directive at the beginning of krb5.conf, as -described in \emph{profile\_plugin\_config}. - -A profile module exports a function named \code{profile\_module\_init} -matching the signature of the profile\_module\_init\_fn type. This -function accepts a residual string, which may be used to help locate -the configuration source. The function fills in a vtable and may also -create a per-profile state object. If the module uses state objects, -it should implement the \textbf{copy} and \textbf{cleanup} methods to manage -them. - -A basic read-only profile module need only implement the -\textbf{get\_values} and \textbf{free\_values} methods. The \textbf{get\_values} method -accepts a null-terminated list of C string names (e.g., an array -containing ``libdefaults'', ``clockskew'', and NULL for the \textbf{clockskew} -variable in the \emph{libdefaults} section) and returns a -null-terminated list of values, which will be cleaned up with the -\textbf{free\_values} method when the caller is done with them. - -Iterable profile modules must also define the \textbf{iterator\_create}, -\textbf{iterator}, \textbf{iterator\_free}, and \textbf{free\_string} methods. The -core krb5 code does not require profiles to be iterable, but some -applications may iterate over the krb5 profile object in order to -present configuration interfaces. - -Writable profile modules must also define the \textbf{writable}, -\textbf{modified}, \textbf{update\_relation}, \textbf{rename\_section}, -\textbf{add\_relation}, and \textbf{flush} methods. The core krb5 code does not -require profiles to be writable, but some applications may write to -the krb5 profile in order to present configuration interfaces. - -The following is an example of a very basic read-only profile module -which returns a hardcoded value for the \textbf{default\_realm} variable in -\emph{libdefaults}, and provides no other configuration information. -(For conciseness, the example omits code for checking the return -values of malloc and strdup.) - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZsh{}include \PYGZlt{}stdlib.h\PYGZgt{} -\PYGZsh{}include \PYGZlt{}string.h\PYGZgt{} -\PYGZsh{}include \PYGZlt{}profile.h\PYGZgt{} - -static long -get\PYGZus{}values(void *cbdata, const char *const *names, char ***values) -\PYGZob{} - if (names[0] != NULL \PYGZam{}\PYGZam{} strcmp(names[0], \PYGZdq{}libdefaults\PYGZdq{}) == 0 \PYGZam{}\PYGZam{} - names[1] != NULL \PYGZam{}\PYGZam{} strcmp(names[1], \PYGZdq{}default\PYGZus{}realm\PYGZdq{}) == 0) \PYGZob{} - *values = malloc(2 * sizeof(char *)); - (*values)[0] = strdup(\PYGZdq{}ATHENA.MIT.EDU\PYGZdq{}); - (*values)[1] = NULL; - return 0; - \PYGZcb{} - return PROF\PYGZus{}NO\PYGZus{}RELATION; -\PYGZcb{} - -static void -free\PYGZus{}values(void *cbdata, char **values) -\PYGZob{} - char **v; - - for (v = values; *v; v++) - free(*v); - free(values); -\PYGZcb{} - -long -profile\PYGZus{}module\PYGZus{}init(const char *residual, struct profile\PYGZus{}vtable *vtable, - void **cb\PYGZus{}ret); - -long -profile\PYGZus{}module\PYGZus{}init(const char *residual, struct profile\PYGZus{}vtable *vtable, - void **cb\PYGZus{}ret) -\PYGZob{} - *cb\PYGZus{}ret = NULL; - vtable\PYGZhy{}\PYGZgt{}get\PYGZus{}values = get\PYGZus{}values; - vtable\PYGZhy{}\PYGZgt{}free\PYGZus{}values = free\PYGZus{}values; - return 0; -\PYGZcb{} -\end{Verbatim} - - -\section{GSSAPI mechanism interface} -\label{plugindev/gssapi::doc}\label{plugindev/gssapi:gssapi-mechanism-interface} -The GSSAPI library in MIT krb5 can load mechanism modules to augment -the set of built-in mechanisms. - -A mechanism module is a Unix shared object or Windows DLL, built -separately from the krb5 tree. Modules are loaded according to the -\code{/etc/gss/mech} or \code{/etc/gss/mech.d/*.conf} config files, as -described in \emph{gssapi\_plugin\_config}. - -For the most part, a GSSAPI mechanism module exports the same -functions as would a GSSAPI implementation itself, with the same -function signatures. The mechanism selection layer within the GSSAPI -library (called the ``mechglue'') will dispatch calls from the -application to the module if the module's mechanism is requested. If -a module does not wish to implement a GSSAPI extension, it can simply -refrain from exporting it, and the mechglue will fail gracefully if -the application calls that function. - -The mechglue does not invoke a module's \textbf{gss\_add\_cred}, -\textbf{gss\_add\_cred\_from}, \textbf{gss\_add\_cred\_impersonate\_name}, or -\textbf{gss\_add\_cred\_with\_password} function. A mechanism only needs to -implement the ``acquire'' variants of those functions. - -A module does not need to coordinate its minor status codes with those -of other mechanisms. If the mechglue detects conflicts, it will map -the mechanism's status codes onto unique values, and then map them -back again when \textbf{gss\_display\_status} is called. - - -\subsection{Interposer modules} -\label{plugindev/gssapi:interposer-modules} -The mechglue also supports a kind of loadable module, called an -interposer module, which intercepts calls to existing mechanisms -rather than implementing a new mechanism. - -An interposer module must export the symbol \textbf{gss\_mech\_interposer} -with the following signature: - -\begin{Verbatim}[commandchars=\\\{\}] -gss\PYGZus{}OID\PYGZus{}set gss\PYGZus{}mech\PYGZus{}interposer(gss\PYGZus{}OID mech\PYGZus{}type); -\end{Verbatim} - -This function is invoked with the OID of the interposer mechanism as -specified in \code{/etc/gss/mech} or in a \code{/etc/gss/mech.d/*.conf} -file, and returns a set of mechanism OIDs to be interposed. The -returned OID set must have been created using the mechglue's -gss\_create\_empty\_oid\_set and gss\_add\_oid\_set\_member functions. - -An interposer module must use the prefix \code{gssi\_} for the GSSAPI -functions it exports, instead of the prefix \code{gss\_}. - -An interposer module can link against the GSSAPI library in order to -make calls to the original mechanism. To do so, it must specify a -special mechanism OID which is the concatention of the interposer's -own OID byte string and the original mechanism's OID byte string. - -Since \textbf{gss\_accept\_sec\_context} does not accept a mechanism argument, -an interposer mechanism must, in order to invoke the original -mechanism's function, acquire a credential for the concatenated OID -and pass that as the \emph{verifier\_cred\_handle} parameter. - -Since \textbf{gss\_import\_name}, \textbf{gss\_import\_cred}, and -\textbf{gss\_import\_sec\_context} do not accept mechanism parameters, the SPI -has been extended to include variants which do. This allows the -interposer module to know which mechanism should be used to interpret -the token. These functions have the following signatures: - -\begin{Verbatim}[commandchars=\\\{\}] -OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}sec\PYGZus{}context\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}OID desired\PYGZus{}mech, gss\PYGZus{}buffer\PYGZus{}t interprocess\PYGZus{}token, - gss\PYGZus{}ctx\PYGZus{}id\PYGZus{}t *context\PYGZus{}handle); - -OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}name\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}OID mech\PYGZus{}type, gss\PYGZus{}buffer\PYGZus{}t input\PYGZus{}name\PYGZus{}buffer, - gss\PYGZus{}OID input\PYGZus{}name\PYGZus{}type, gss\PYGZus{}name\PYGZus{}t output\PYGZus{}name); - -OM\PYGZus{}uint32 gssi\PYGZus{}import\PYGZus{}cred\PYGZus{}by\PYGZus{}mech(OM\PYGZus{}uint32 *minor\PYGZus{}status, - gss\PYGZus{}OID mech\PYGZus{}type, gss\PYGZus{}buffer\PYGZus{}t token, - gss\PYGZus{}cred\PYGZus{}id\PYGZus{}t *cred\PYGZus{}handle); -\end{Verbatim} - -To re-enter the original mechanism when importing tokens for the above -functions, the interposer module must wrap the mechanism token in the -mechglue's format, using the concatenated OID. The mechglue token -formats are: -\begin{itemize} -\item {} -For \textbf{gss\_import\_sec\_context}, a four-byte OID length in big-endian -order, followed by the mechanism OID, followed by the mechanism -token. - -\item {} -For \textbf{gss\_import\_name}, the bytes 04 01, followed by a two-byte OID -length in big-endian order, followed by the mechanism OID, followed -by the bytes 06, followed by the OID length as a single byte, -followed by the mechanism OID, followed by the mechanism token. - -\item {} -For \textbf{gss\_import\_cred}, a four-byte OID length in big-endian order, -followed by the mechanism OID, followed by a four-byte token length -in big-endian order, followed by the mechanism token. This sequence -may be repeated multiple times. - -\end{itemize} - - -\section{Internal pluggable interfaces} -\label{plugindev/internal::doc}\label{plugindev/internal:internal-pluggable-interfaces} -Following are brief discussions of pluggable interfaces which have not -yet been made public. These interfaces are functional, but the -interfaces are likely to change in incompatible ways from release to -release. In some cases, it may be necessary to copy header files from -the krb5 source tree to use an internal interface. Use these with -care, and expect to need to update your modules for each new release -of MIT krb5. - - -\subsection{Kerberos database interface (KDB)} -\label{plugindev/internal:kerberos-database-interface-kdb} -A KDB module implements a database back end for KDC principal and -policy information, and can also control many aspects of KDC behavior. -For a full description of the interface, see the header file -\code{\textless{}kdb.h\textgreater{}}. - -The KDB pluggable interface is often referred to as the DAL (Database -Access Layer). - - -\subsection{Authorization data interface (authdata)} -\label{plugindev/internal:authorization-data-interface-authdata} -The authdata interface allows a module to provide (from the KDC) or -consume (in application servers) authorization data of types beyond -those handled by the core MIT krb5 code base. The interface is -defined in the header file \code{\textless{}krb5/authdata\_plugin.h\textgreater{}}, which is not -installed by the build. - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/pdf/python.ist b/doc/pdf/python.ist deleted file mode 100644 index 9ffa0f9..0000000 --- a/doc/pdf/python.ist +++ /dev/null @@ -1,11 +0,0 @@ -line_max 100 -headings_flag 1 -heading_prefix " \\bigletter " - -preamble "\\begin{theindex} -\\def\\bigletter#1{{\\Large\\sffamily#1}\\nopagebreak\\vspace{1mm}} - -" - -symhead_positive "{Symbols}" -numhead_positive "{Numbers}" diff --git a/doc/pdf/sphinx.sty b/doc/pdf/sphinx.sty deleted file mode 100644 index 554845f..0000000 --- a/doc/pdf/sphinx.sty +++ /dev/null @@ -1,522 +0,0 @@ -% -% sphinx.sty -% -% Adapted from the old python.sty, mostly written by Fred Drake, -% by Georg Brandl. -% - -\NeedsTeXFormat{LaTeX2e}[1995/12/01] -\ProvidesPackage{sphinx}[2010/01/15 LaTeX package (Sphinx markup)] - -\@ifclassloaded{memoir}{}{\RequirePackage{fancyhdr}} - -\RequirePackage{textcomp} -\RequirePackage{fancybox} -\RequirePackage{titlesec} -\RequirePackage{tabulary} -\RequirePackage{amsmath} % for \text -\RequirePackage{makeidx} -\RequirePackage{framed} -\RequirePackage{ifthen} -\RequirePackage{color} -% For highlighted code. -\RequirePackage{fancyvrb} -% For table captions. -\RequirePackage{threeparttable} -% Handle footnotes in tables. -\RequirePackage{footnote} -\makesavenoteenv{tabulary} -% For floating figures in the text. -\RequirePackage{wrapfig} -% Separate paragraphs by space by default. -\RequirePackage{parskip} -% For parsed-literal blocks. -\RequirePackage{alltt} - -% Redefine these colors to your liking in the preamble. -\definecolor{TitleColor}{rgb}{0.126,0.263,0.361} -\definecolor{InnerLinkColor}{rgb}{0.208,0.374,0.486} -\definecolor{OuterLinkColor}{rgb}{0.216,0.439,0.388} -% Redefine these colors to something not white if you want to have colored -% background and border for code examples. -\definecolor{VerbatimColor}{rgb}{1,1,1} -\definecolor{VerbatimBorderColor}{rgb}{1,1,1} - -% Uncomment these two lines to ignore the paper size and make the page -% size more like a typical published manual. -%\renewcommand{\paperheight}{9in} -%\renewcommand{\paperwidth}{8.5in} % typical squarish manual -%\renewcommand{\paperwidth}{7in} % O'Reilly ``Programmming Python'' - -% use pdfoutput for pTeX and dvipdfmx -\ifx\kanjiskip\undefined\else - \ifx\Gin@driver{dvipdfmx.def}\undefined\else - \newcount\pdfoutput\pdfoutput=0 - \fi -\fi - -% For graphicx, check if we are compiling under latex or pdflatex. -\ifx\pdftexversion\undefined - \usepackage{graphicx} -\else - \usepackage[pdftex]{graphicx} -\fi - -% for PDF output, use colors and maximal compression -\newif\ifsphinxpdfoutput\sphinxpdfoutputfalse -\ifx\pdfoutput\undefined\else\ifcase\pdfoutput - \let\py@NormalColor\relax - \let\py@TitleColor\relax -\else - \sphinxpdfoutputtrue - \input{pdfcolor} - \def\py@NormalColor{\color[rgb]{0.0,0.0,0.0}} - \def\py@TitleColor{\color{TitleColor}} - \pdfcompresslevel=9 -\fi\fi - -% XeLaTeX can do colors, too -\ifx\XeTeXrevision\undefined\else - \def\py@NormalColor{\color[rgb]{0.0,0.0,0.0}} - \def\py@TitleColor{\color{TitleColor}} -\fi - -% Increase printable page size (copied from fullpage.sty) -\topmargin 0pt -\advance \topmargin by -\headheight -\advance \topmargin by -\headsep - -% attempt to work a little better for A4 users -\textheight \paperheight -\advance\textheight by -2in - -\oddsidemargin 0pt -\evensidemargin 0pt -%\evensidemargin -.25in % for ``manual size'' documents -\marginparwidth 0.5in - -\textwidth \paperwidth -\advance\textwidth by -2in - - -% Style parameters and macros used by most documents here -\raggedbottom -\sloppy -\hbadness = 5000 % don't print trivial gripes - -\pagestyle{empty} % start this way - -% Use this to set the font family for headers and other decor: -\newcommand{\py@HeaderFamily}{\sffamily\bfseries} - -% Redefine the 'normal' header/footer style when using "fancyhdr" package: -\@ifundefined{fancyhf}{}{ - % Use \pagestyle{normal} as the primary pagestyle for text. - \fancypagestyle{normal}{ - \fancyhf{} - \fancyfoot[LE,RO]{{\py@HeaderFamily\thepage}} - \fancyfoot[LO]{{\py@HeaderFamily\nouppercase{\rightmark}}} - \fancyfoot[RE]{{\py@HeaderFamily\nouppercase{\leftmark}}} - \fancyhead[LE,RO]{{\py@HeaderFamily \@title, \py@release}} - \renewcommand{\headrulewidth}{0.4pt} - \renewcommand{\footrulewidth}{0.4pt} - % define chaptermark with \@chappos when \@chappos is available for Japanese - \ifx\@chappos\undefined\else - \def\chaptermark##1{\markboth{\@chapapp\space\thechapter\space\@chappos\space ##1}{}} - \fi - } - % Update the plain style so we get the page number & footer line, - % but not a chapter or section title. This is to keep the first - % page of a chapter and the blank page between chapters `clean.' - \fancypagestyle{plain}{ - \fancyhf{} - \fancyfoot[LE,RO]{{\py@HeaderFamily\thepage}} - \renewcommand{\headrulewidth}{0pt} - \renewcommand{\footrulewidth}{0.4pt} - } -} - -% Some custom font markup commands. -% -\newcommand{\strong}[1]{{\textbf{#1}}} -\newcommand{\code}[1]{\texttt{#1}} -\newcommand{\bfcode}[1]{\code{\bfseries#1}} -\newcommand{\email}[1]{\textsf{#1}} - -% Redefine the Verbatim environment to allow border and background colors. -% The original environment is still used for verbatims within tables. -\let\OriginalVerbatim=\Verbatim -\let\endOriginalVerbatim=\endVerbatim - -% Play with vspace to be able to keep the indentation. -\newlength\distancetoright -\def\mycolorbox#1{% - \setlength\distancetoright{\linewidth}% - \advance\distancetoright -\@totalleftmargin % - \fcolorbox{VerbatimBorderColor}{VerbatimColor}{% - \begin{minipage}{\distancetoright}% - #1 - \end{minipage}% - }% -} -\def\FrameCommand{\mycolorbox} - -\renewcommand{\Verbatim}[1][1]{% - % list starts new par, but we don't want it to be set apart vertically - \bgroup\parskip=0pt% - \smallskip% - % The list environement is needed to control perfectly the vertical - % space. - \list{}{% - \setlength\parskip{0pt}% - \setlength\itemsep{0ex}% - \setlength\topsep{0ex}% - \setlength\partopsep{0pt}% - \setlength\leftmargin{0pt}% - }% - \item\MakeFramed {\FrameRestore}% - \small% - \OriginalVerbatim[#1]% -} -\renewcommand{\endVerbatim}{% - \endOriginalVerbatim% - \endMakeFramed% - \endlist% - % close group to restore \parskip - \egroup% -} - - -% \moduleauthor{name}{email} -\newcommand{\moduleauthor}[2]{} - -% \sectionauthor{name}{email} -\newcommand{\sectionauthor}[2]{} - -% Augment the sectioning commands used to get our own font family in place, -% and reset some internal data items: -\titleformat{\section}{\Large\py@HeaderFamily}% - {\py@TitleColor\thesection}{0.5em}{\py@TitleColor}{\py@NormalColor} -\titleformat{\subsection}{\large\py@HeaderFamily}% - {\py@TitleColor\thesubsection}{0.5em}{\py@TitleColor}{\py@NormalColor} -\titleformat{\subsubsection}{\py@HeaderFamily}% - {\py@TitleColor\thesubsubsection}{0.5em}{\py@TitleColor}{\py@NormalColor} -\titleformat{\paragraph}{\small\py@HeaderFamily}% - {\py@TitleColor}{0em}{\py@TitleColor}{\py@NormalColor} - -% {fulllineitems} is the main environment for object descriptions. -% -\newcommand{\py@itemnewline}[1]{% - \@tempdima\linewidth% - \advance\@tempdima \leftmargin\makebox[\@tempdima][l]{#1}% -} - -\newenvironment{fulllineitems}{ - \begin{list}{}{\labelwidth \leftmargin \labelsep 0pt - \rightmargin 0pt \topsep -\parskip \partopsep \parskip - \itemsep -\parsep - \let\makelabel=\py@itemnewline} -}{\end{list}} - -% \optional is used for ``[, arg]``, i.e. desc_optional nodes. -\newcommand{\optional}[1]{% - {\textnormal{\Large[}}{#1}\hspace{0.5mm}{\textnormal{\Large]}}} - -\newlength{\py@argswidth} -\newcommand{\py@sigparams}[2]{% - \parbox[t]{\py@argswidth}{#1\code{)}#2}} -\newcommand{\pysigline}[1]{\item[#1]\nopagebreak} -\newcommand{\pysiglinewithargsret}[3]{% - \settowidth{\py@argswidth}{#1\code{(}}% - \addtolength{\py@argswidth}{-2\py@argswidth}% - \addtolength{\py@argswidth}{\linewidth}% - \item[#1\code{(}\py@sigparams{#2}{#3}]} - -% Production lists -% -\newenvironment{productionlist}{ -% \def\optional##1{{\Large[}##1{\Large]}} - \def\production##1##2{\\\code{##1}&::=&\code{##2}} - \def\productioncont##1{\\& &\code{##1}} - \parindent=2em - \indent - \setlength{\LTpre}{0pt} - \setlength{\LTpost}{0pt} - \begin{longtable}[l]{lcl} -}{% - \end{longtable} -} - -% Notices / Admonitions -% -\newlength{\py@noticelength} - -\newcommand{\py@heavybox}{ - \setlength{\fboxrule}{1pt} - \setlength{\fboxsep}{6pt} - \setlength{\py@noticelength}{\linewidth} - \addtolength{\py@noticelength}{-2\fboxsep} - \addtolength{\py@noticelength}{-2\fboxrule} - %\setlength{\shadowsize}{3pt} - \noindent\Sbox - \minipage{\py@noticelength} -} -\newcommand{\py@endheavybox}{ - \endminipage - \endSbox - \fbox{\TheSbox} -} - -\newcommand{\py@lightbox}{{% - \setlength\parskip{0pt}\par - \noindent\rule[0ex]{\linewidth}{0.5pt}% - \par\noindent\vspace{-0.5ex}% - }} -\newcommand{\py@endlightbox}{{% - \setlength{\parskip}{0pt}% - \par\noindent\rule[0.5ex]{\linewidth}{0.5pt}% - \par\vspace{-0.5ex}% - }} - -% Some are quite plain: -\newcommand{\py@noticestart@note}{\py@lightbox} -\newcommand{\py@noticeend@note}{\py@endlightbox} -\newcommand{\py@noticestart@hint}{\py@lightbox} -\newcommand{\py@noticeend@hint}{\py@endlightbox} -\newcommand{\py@noticestart@important}{\py@lightbox} -\newcommand{\py@noticeend@important}{\py@endlightbox} -\newcommand{\py@noticestart@tip}{\py@lightbox} -\newcommand{\py@noticeend@tip}{\py@endlightbox} - -% Others gets more visible distinction: -\newcommand{\py@noticestart@warning}{\py@heavybox} -\newcommand{\py@noticeend@warning}{\py@endheavybox} -\newcommand{\py@noticestart@caution}{\py@heavybox} -\newcommand{\py@noticeend@caution}{\py@endheavybox} -\newcommand{\py@noticestart@attention}{\py@heavybox} -\newcommand{\py@noticeend@attention}{\py@endheavybox} -\newcommand{\py@noticestart@danger}{\py@heavybox} -\newcommand{\py@noticeend@danger}{\py@endheavybox} -\newcommand{\py@noticestart@error}{\py@heavybox} -\newcommand{\py@noticeend@error}{\py@endheavybox} - -\newenvironment{notice}[2]{ - \def\py@noticetype{#1} - \csname py@noticestart@#1\endcsname - \strong{#2} -}{\csname py@noticeend@\py@noticetype\endcsname} - -% Allow the release number to be specified independently of the -% \date{}. This allows the date to reflect the document's date and -% release to specify the release that is documented. -% -\newcommand{\py@release}{} -\newcommand{\version}{} -\newcommand{\shortversion}{} -\newcommand{\releaseinfo}{} -\newcommand{\releasename}{Release} -\newcommand{\release}[1]{% - \renewcommand{\py@release}{\releasename\space\version}% - \renewcommand{\version}{#1}} -\newcommand{\setshortversion}[1]{% - \renewcommand{\shortversion}{#1}} -\newcommand{\setreleaseinfo}[1]{% - \renewcommand{\releaseinfo}{#1}} - -% Allow specification of the author's address separately from the -% author's name. This can be used to format them differently, which -% is a good thing. -% -\newcommand{\py@authoraddress}{} -\newcommand{\authoraddress}[1]{\renewcommand{\py@authoraddress}{#1}} - -% This sets up the fancy chapter headings that make the documents look -% at least a little better than the usual LaTeX output. -% -\@ifundefined{ChTitleVar}{}{ - \ChNameVar{\raggedleft\normalsize\py@HeaderFamily} - \ChNumVar{\raggedleft \bfseries\Large\py@HeaderFamily} - \ChTitleVar{\raggedleft \textrm{\Huge\py@HeaderFamily}} - % This creates chapter heads without the leading \vspace*{}: - \def\@makechapterhead#1{% - {\parindent \z@ \raggedright \normalfont - \ifnum \c@secnumdepth >\m@ne - \DOCH - \fi - \interlinepenalty\@M - \DOTI{#1} - } - } -} - -% Redefine description environment so that it is usable inside fulllineitems. -% -\renewcommand{\description}{% - \list{}{\labelwidth\z@% - \itemindent-\leftmargin% - \labelsep5pt% - \let\makelabel=\descriptionlabel}} - -% Definition lists; requested by AMK for HOWTO documents. Probably useful -% elsewhere as well, so keep in in the general style support. -% -\newenvironment{definitions}{% - \begin{description}% - \def\term##1{\item[##1]\mbox{}\\*[0mm]} -}{% - \end{description}% -} - -% Tell TeX about pathological hyphenation cases: -\hyphenation{Base-HTTP-Re-quest-Hand-ler} - - -% The following is stuff copied from docutils' latex writer. -% -\newcommand{\optionlistlabel}[1]{\bf #1 \hfill} -\newenvironment{optionlist}[1] -{\begin{list}{} - {\setlength{\labelwidth}{#1} - \setlength{\rightmargin}{1cm} - \setlength{\leftmargin}{\rightmargin} - \addtolength{\leftmargin}{\labelwidth} - \addtolength{\leftmargin}{\labelsep} - \renewcommand{\makelabel}{\optionlistlabel}} -}{\end{list}} - -\newlength{\lineblockindentation} -\setlength{\lineblockindentation}{2.5em} -\newenvironment{lineblock}[1] -{\begin{list}{} - {\setlength{\partopsep}{\parskip} - \addtolength{\partopsep}{\baselineskip} - \topsep0pt\itemsep0.15\baselineskip\parsep0pt - \leftmargin#1} - \raggedright} -{\end{list}} - -% Redefine includgraphics for avoiding images larger than the screen size -% If the size is not specified. -\let\py@Oldincludegraphics\includegraphics - -\newbox\image@box% -\newdimen\image@width% -\renewcommand\includegraphics[2][\@empty]{% - \ifx#1\@empty% - \setbox\image@box=\hbox{\py@Oldincludegraphics{#2}}% - \image@width\wd\image@box% - \ifdim \image@width>\linewidth% - \setbox\image@box=\hbox{\py@Oldincludegraphics[width=\linewidth]{#2}}% - \box\image@box% - \else% - \py@Oldincludegraphics{#2}% - \fi% - \else% - \py@Oldincludegraphics[#1]{#2}% - \fi% -} - -% to make pdf with correct encoded bookmarks in Japanese -% this should precede the hyperref package -\ifx\kanjiskip\undefined\else - \usepackage{atbegshi} - \ifx\ucs\undefined - \ifnum 42146=\euc"A4A2 - \AtBeginShipoutFirst{\special{pdf:tounicode EUC-UCS2}} - \else - \AtBeginShipoutFirst{\special{pdf:tounicode 90ms-RKSJ-UCS2}} - \fi - \else - \AtBeginShipoutFirst{\special{pdf:tounicode UTF8-UCS2}} - \fi -\fi - -% Include hyperref last. -\RequirePackage[colorlinks,breaklinks, - linkcolor=InnerLinkColor,filecolor=OuterLinkColor, - menucolor=OuterLinkColor,urlcolor=OuterLinkColor, - citecolor=InnerLinkColor]{hyperref} -% Fix anchor placement for figures with captions. -% (Note: we don't use a package option here; instead, we give an explicit -% \capstart for figures that actually have a caption.) -\RequirePackage{hypcap} - -% From docutils.writers.latex2e -\providecommand{\DUspan}[2]{% - {% group ("span") to limit the scope of styling commands - \@for\node@class@name:=#1\do{% - \ifcsname docutilsrole\node@class@name\endcsname% - \csname docutilsrole\node@class@name\endcsname% - \fi% - }% - {#2}% node content - }% close "span" -} - -\providecommand*{\DUprovidelength}[2]{ - \ifthenelse{\isundefined{#1}}{\newlength{#1}\setlength{#1}{#2}}{} -} - -\DUprovidelength{\DUlineblockindent}{2.5em} -\ifthenelse{\isundefined{\DUlineblock}}{ - \newenvironment{DUlineblock}[1]{% - \list{}{\setlength{\partopsep}{\parskip} - \addtolength{\partopsep}{\baselineskip} - \setlength{\topsep}{0pt} - \setlength{\itemsep}{0.15\baselineskip} - \setlength{\parsep}{0pt} - \setlength{\leftmargin}{#1}} - \raggedright - } - {\endlist} -}{} - - -% From footmisc.sty: allows footnotes in titles -\let\FN@sf@@footnote\footnote -\def\footnote{\ifx\protect\@typeset@protect - \expandafter\FN@sf@@footnote - \else - \expandafter\FN@sf@gobble@opt - \fi -} -\edef\FN@sf@gobble@opt{\noexpand\protect - \expandafter\noexpand\csname FN@sf@gobble@opt \endcsname} -\expandafter\def\csname FN@sf@gobble@opt \endcsname{% - \@ifnextchar[%] - \FN@sf@gobble@twobracket - \@gobble -} -\def\FN@sf@gobble@twobracket[#1]#2{} - -% adjust the margins for footer, -% this works with the jsclasses only (Japanese standard document classes) -\ifx\@jsc@uplatextrue\undefined\else - \hypersetup{setpagesize=false} - \setlength\footskip{2\baselineskip} - \addtolength{\textheight}{-2\baselineskip} -\fi - -% fix the double index and bibliography on the table of contents -% in jsclasses (Japanese standard document classes) -\ifx\@jsc@uplatextrue\undefined\else - \renewcommand{\theindex}{ - \cleardoublepage - \phantomsection - \py@OldTheindex - } - \renewcommand{\thebibliography}[1]{ - \cleardoublepage - \phantomsection - \py@OldThebibliography{1} - } -\fi - -% disable \@chappos in Appendix in pTeX -\ifx\kanjiskip\undefined\else - \let\py@OldAppendix=\appendix - \renewcommand{\appendix}{ - \py@OldAppendix - \gdef\@chappos{} - } -\fi diff --git a/doc/pdf/sphinxhowto.cls b/doc/pdf/sphinxhowto.cls deleted file mode 100644 index 26e63a7..0000000 --- a/doc/pdf/sphinxhowto.cls +++ /dev/null @@ -1,104 +0,0 @@ -% -% sphinxhowto.cls for Sphinx (http://sphinx-doc.org/) -% - -\NeedsTeXFormat{LaTeX2e}[1995/12/01] -\ProvidesClass{sphinxhowto}[2009/06/02 Document class (Sphinx HOWTO)] - -% 'oneside' option overriding the 'twoside' default -\newif\if@oneside -\DeclareOption{oneside}{\@onesidetrue} -% Pass remaining document options to the parent class. -\DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} -\ProcessOptions\relax - -% Default to two-side document -\if@oneside -% nothing to do (oneside is the default) -\else -\PassOptionsToClass{twoside}{\sphinxdocclass} -\fi - -\LoadClass{\sphinxdocclass} - -% Set some sane defaults for section numbering depth and TOC depth. You can -% reset these counters in your preamble. -% -\setcounter{secnumdepth}{2} - -% Change the title page to look a bit better, and fit in with the fncychap -% ``Bjarne'' style a bit better. -% -\renewcommand{\maketitle}{ - \rule{\textwidth}{1pt} - \ifsphinxpdfoutput - \begingroup - % These \defs are required to deal with multi-line authors; it - % changes \\ to ', ' (comma-space), making it pass muster for - % generating document info in the PDF file. - \def\\{, } - \def\and{and } - \pdfinfo{ - /Author (\@author) - /Title (\@title) - } - \endgroup - \fi - \begin{flushright} - \sphinxlogo% - {\rm\Huge\py@HeaderFamily \@title} \par - {\em\large\py@HeaderFamily \py@release\releaseinfo} \par - \vspace{25pt} - {\Large\py@HeaderFamily - \begin{tabular}[t]{c} - \@author - \end{tabular}} \par - \vspace{25pt} - \@date \par - \py@authoraddress \par - \end{flushright} - \@thanks - \setcounter{footnote}{0} - \let\thanks\relax\let\maketitle\relax - %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} -} - -\let\py@OldTableofcontents=\tableofcontents -\renewcommand{\tableofcontents}{ - \begingroup - \parskip = 0mm - \py@OldTableofcontents - \endgroup - \rule{\textwidth}{1pt} - \vspace{12pt} -} - -\@ifundefined{fancyhf}{ - \pagestyle{plain}}{ - \pagestyle{normal}} % start this way; change for -\pagenumbering{arabic} % ToC & chapters - -\thispagestyle{empty} - -% Fix the bibliography environment to add an entry to the Table of -% Contents. -% For an article document class this environment is a section, -% so no page break before it. -\let\py@OldThebibliography=\thebibliography -\renewcommand{\thebibliography}[1]{ - \phantomsection - \py@OldThebibliography{1} - \addcontentsline{toc}{section}{\bibname} -} - -% Same for the indices. -% The memoir class already does this, so we don't duplicate it in that case. -% -\@ifclassloaded{memoir}{}{ - \let\py@OldTheindex=\theindex - \renewcommand{\theindex}{ - \phantomsection - \py@OldTheindex - \addcontentsline{toc}{section}{\indexname} - } -} diff --git a/doc/pdf/sphinxmanual.cls b/doc/pdf/sphinxmanual.cls deleted file mode 100644 index a6b9b39..0000000 --- a/doc/pdf/sphinxmanual.cls +++ /dev/null @@ -1,148 +0,0 @@ -% -% sphinxmanual.cls for Sphinx (http://sphinx-doc.org/) -% - -\NeedsTeXFormat{LaTeX2e}[1995/12/01] -\ProvidesClass{sphinxmanual}[2009/06/02 Document class (Sphinx manual)] - -% chapters starting at odd pages (overridden by 'openany' document option) -\PassOptionsToClass{openright}{\sphinxdocclass} - -% 'oneside' option overriding the 'twoside' default -\newif\if@oneside -\DeclareOption{oneside}{\@onesidetrue} -% Pass remaining document options to the parent class. -\DeclareOption*{\PassOptionsToClass{\CurrentOption}{\sphinxdocclass}} -\ProcessOptions\relax - -% Defaults two-side document -\if@oneside -% nothing to do (oneside is the default) -\else -\PassOptionsToClass{twoside}{\sphinxdocclass} -\fi - -\LoadClass{\sphinxdocclass} - -% Set some sane defaults for section numbering depth and TOC depth. You can -% reset these counters in your preamble. -% -\setcounter{secnumdepth}{2} -\setcounter{tocdepth}{1} - -% Change the title page to look a bit better, and fit in with the fncychap -% ``Bjarne'' style a bit better. -% -\renewcommand{\maketitle}{% - \begin{titlepage}% - \let\footnotesize\small - \let\footnoterule\relax - \rule{\textwidth}{1pt}% - \ifsphinxpdfoutput - \begingroup - % These \defs are required to deal with multi-line authors; it - % changes \\ to ', ' (comma-space), making it pass muster for - % generating document info in the PDF file. - \def\\{, } - \def\and{and } - \pdfinfo{ - /Author (\@author) - /Title (\@title) - } - \endgroup - \fi - \begin{flushright}% - \sphinxlogo% - {\rm\Huge\py@HeaderFamily \@title \par}% - {\em\LARGE\py@HeaderFamily \py@release\releaseinfo \par} - \vfill - {\LARGE\py@HeaderFamily - \begin{tabular}[t]{c} - \@author - \end{tabular} - \par} - \vfill\vfill - {\large - \@date \par - \vfill - \py@authoraddress \par - }% - \end{flushright}%\par - \@thanks - \end{titlepage}% - \cleardoublepage% - \setcounter{footnote}{0}% - \let\thanks\relax\let\maketitle\relax - %\gdef\@thanks{}\gdef\@author{}\gdef\@title{} -} - - -% Catch the end of the {abstract} environment, but here make sure the abstract -% is followed by a blank page if the 'openright' option is used. -% -\let\py@OldEndAbstract=\endabstract -\renewcommand{\endabstract}{ - \if@openright - \ifodd\value{page} - \typeout{Adding blank page after the abstract.} - \vfil\pagebreak - \fi - \fi - \py@OldEndAbstract -} - -% This wraps the \tableofcontents macro with all the magic to get the spacing -% right and have the right number of pages if the 'openright' option has been -% used. This eliminates a fair amount of crud in the individual document files. -% -\let\py@OldTableofcontents=\tableofcontents -\renewcommand{\tableofcontents}{% - \pagenumbering{roman}% - \setcounter{page}{1}% - \pagebreak% - \pagestyle{plain}% - {% - \parskip = 0mm% - \py@OldTableofcontents% - \if@openright% - \ifodd\value{page}% - \typeout{Adding blank page after the table of contents.}% - \pagebreak\hspace{0pt}% - \fi% - \fi% - \cleardoublepage% - }% - \pagenumbering{arabic}% - \@ifundefined{fancyhf}{}{\pagestyle{normal}}% -} -\pagenumbering{alph} - -% This is needed to get the width of the section # area wide enough in the -% library reference. Doing it here keeps it the same for all the manuals. -% -\renewcommand*\l@section{\@dottedtocline{1}{1.5em}{2.6em}} -\renewcommand*\l@subsection{\@dottedtocline{2}{4.1em}{3.5em}} - -% Fix the bibliography environment to add an entry to the Table of -% Contents. -% For a report document class this environment is a chapter. -\let\py@OldThebibliography=\thebibliography -\renewcommand{\thebibliography}[1]{ - \cleardoublepage - \phantomsection - \py@OldThebibliography{1} - \addcontentsline{toc}{chapter}{\bibname} -} - -% Same for the indices. -% The memoir class already does this, so we don't duplicate it in that case. -% -\@ifclassloaded{memoir}{}{ - \let\py@OldTheindex=\theindex - \renewcommand{\theindex}{ - \cleardoublepage - \phantomsection - \py@OldTheindex - \addcontentsline{toc}{chapter}{\indexname} - } -} diff --git a/doc/pdf/tabulary.sty b/doc/pdf/tabulary.sty deleted file mode 100644 index 7ea572c..0000000 --- a/doc/pdf/tabulary.sty +++ /dev/null @@ -1,449 +0,0 @@ -%% -%% This is file `tabulary.sty', -%% generated with the docstrip utility. -%% -%% The original source files were: -%% -%% tabulary.dtx (with options: `package') -%% DRAFT VERSION -%% -%% File `tabulary.dtx'. -%% Copyright (C) 1995 1996 2003 2008 David Carlisle -%% This file may be distributed under the terms of the LPPL. -%% See 00readme.txt for details. -%% -\NeedsTeXFormat{LaTeX2e} -\ProvidesPackage{tabulary} - [2008/12/01 v0.9 tabulary package (DPC)] -\RequirePackage{array} -\catcode`\Z=14 -\DeclareOption{debugshow}{\catcode`\Z=9\relax} -\ProcessOptions -\def\arraybackslash{\let\\=\@arraycr} -\def\@finalstrut#1{% - \unskip\ifhmode\nobreak\fi\vrule\@width\z@\@height\z@\@depth\dp#1} -\newcount\TY@count -\def\tabulary{% - \let\TY@final\tabular - \let\endTY@final\endtabular - \TY@tabular} -\def\TY@tabular#1{% - \edef\TY@{\@currenvir}% - {\ifnum0=`}\fi - \@ovxx\TY@linewidth - \@ovyy\TY@tablewidth - \count@\z@ - \@tempswatrue - \@whilesw\if@tempswa\fi{% - \advance\count@\@ne - \expandafter\ifx\csname TY@F\the\count@\endcsname\relax - \@tempswafalse - \else - \expandafter\let\csname TY@SF\the\count@\expandafter\endcsname - \csname TY@F\the\count@\endcsname - \global\expandafter\let\csname TY@F\the\count@\endcsname\relax - \expandafter\let\csname TY@S\the\count@\expandafter\endcsname - \csname TY@\the\count@\endcsname - \fi}% - \global\TY@count\@ne - \TY@width\xdef{0pt}% - \global\TY@tablewidth\z@ - \global\TY@linewidth#1\relax -Z\message{^^J^^JTable^^J% -Z Target Width: \the\TY@linewidth^^J% -Z \string\tabcolsep: \the\tabcolsep\space -Z \string\arrayrulewidth: \the\arrayrulewidth\space -Z \string\doublerulesep: \the\doublerulesep^^J% -Z \string\tymin: \the\tymin\space -Z \string\tymax: \the\tymax^^J}% - \let\@classz\TY@classz - \let\verb\TX@verb - \toks@{}\TY@get@body} -\let\TY@@mkpream\@mkpream -\def\TY@mkpream{% - \def\@addamp{% - \if@firstamp \@firstampfalse \else - \global\advance\TY@count\@ne - \edef\@preamble{\@preamble &}\fi - \TY@width\xdef{0pt}}% - \def\@acol{% - \TY@subwidth\col@sep - \@addtopreamble{\hskip\col@sep}}% - \let\@arrayrule\TY@arrayrule - \let\@classvi\TY@classvi - \def\@classv{\save@decl - \expandafter\NC@ecs\@nextchar\extracolsep{}\extracolsep\@@@ - \sbox\z@{\d@llarbegin\@nextchar\d@llarend}% - \TY@subwidth{\wd\z@}% - \@addtopreamble{\d@llarbegin\the@toks\the\count@\relax\d@llarend}% - \prepnext@tok}% - \global\let\@mkpream\TY@@mkpream - \TY@@mkpream} -\def\TY@arrayrule{% - \TY@subwidth\arrayrulewidth - \@addtopreamble \vline} -\def\TY@classvi{\ifcase \@lastchclass - \@acol \or - \TY@subwidth\doublerulesep - \@addtopreamble{\hskip \doublerulesep}\or - \@acol \or - \@classvii - \fi} -\def\TY@tab{% - \setbox\z@\hbox\bgroup - \let\[$\let\]$% - \let\equation$\let\endequation$% - \col@sep\tabcolsep - \let\d@llarbegin\begingroup\let\d@llarend\endgroup - \let\@mkpream\TY@mkpream - \def\multicolumn##1##2##3{\multispan##1\relax}% - \CT@start\TY@tabarray} -\def\TY@tabarray{\@ifnextchar[{\TY@array}{\@array[t]}} -\def\TY@array[#1]{\@array[t]} -\def\TY@width#1{% - \expandafter#1\csname TY@\the\TY@count\endcsname} -\def\TY@subwidth#1{% - \TY@width\dimen@ - \advance\dimen@-#1\relax - \TY@width\xdef{\the\dimen@}% - \global\advance\TY@linewidth-#1\relax} -\def\endtabulary{% - \gdef\@halignto{}% - \expandafter\TY@tab\the\toks@ - \crcr\omit - {\xdef\TY@save@row{}% - \loop - \advance\TY@count\m@ne - \ifnum\TY@count>\z@ - \xdef\TY@save@row{\TY@save@row&\omit}% - \repeat}\TY@save@row - \endarray\global\setbox1=\lastbox\setbox0=\vbox{\unvbox1 - \unskip\global\setbox1=\lastbox}\egroup - \dimen@\TY@linewidth - \divide\dimen@\TY@count - \ifdim\dimen@<\tymin - \TY@warn{tymin too large (\the\tymin), resetting to \the\dimen@}% - \tymin\dimen@ - \fi - \setbox\tw@=\hbox{\unhbox\@ne - \loop -\@tempdima=\lastskip -\ifdim\@tempdima>\z@ -Z \message{ecs=\the\@tempdima^^J}% - \global\advance\TY@linewidth-\@tempdima -\fi - \unskip - \setbox\tw@=\lastbox - \ifhbox\tw@ -Z \message{Col \the\TY@count: Initial=\the\wd\tw@\space}% - \ifdim\wd\tw@>\tymax - \wd\tw@\tymax -Z \message{> max\space}% -Z \else -Z \message{ \@spaces\space}% - \fi - \TY@width\dimen@ -Z \message{\the\dimen@\space}% - \advance\dimen@\wd\tw@ -Z \message{Final=\the\dimen@\space}% - \TY@width\xdef{\the\dimen@}% - \ifdim\dimen@<\tymin -Z \message{< tymin}% - \global\advance\TY@linewidth-\dimen@ - \expandafter\xdef\csname TY@F\the\TY@count\endcsname - {\the\dimen@}% - \else - \expandafter\ifx\csname TY@F\the\TY@count\endcsname\z@ -Z \message{***}% - \global\advance\TY@linewidth-\dimen@ - \expandafter\xdef\csname TY@F\the\TY@count\endcsname - {\the\dimen@}% - \else -Z \message{> tymin}% - \global\advance\TY@tablewidth\dimen@ - \global\expandafter\let\csname TY@F\the\TY@count\endcsname - \maxdimen - \fi\fi - \advance\TY@count\m@ne - \repeat}% - \TY@checkmin - \TY@checkmin - \TY@checkmin - \TY@checkmin - \TY@count\z@ - \let\TY@box\TY@box@v - {\expandafter\TY@final\the\toks@\endTY@final}% - \count@\z@ - \@tempswatrue - \@whilesw\if@tempswa\fi{% - \advance\count@\@ne - \expandafter\ifx\csname TY@SF\the\count@\endcsname\relax - \@tempswafalse - \else - \global\expandafter\let\csname TY@F\the\count@\expandafter\endcsname - \csname TY@SF\the\count@\endcsname - \global\expandafter\let\csname TY@\the\count@\expandafter\endcsname - \csname TY@S\the\count@\endcsname - \fi}% - \TY@linewidth\@ovxx - \TY@tablewidth\@ovyy - \ifnum0=`{\fi}} -\def\TY@checkmin{% - \let\TY@checkmin\relax -\ifdim\TY@tablewidth>\z@ - \Gscale@div\TY@ratio\TY@linewidth\TY@tablewidth - \ifdim\TY@tablewidth <\TY@linewidth - \def\TY@ratio{1}% - \fi -\else - \TY@warn{No suitable columns!}% - \def\TY@ratio{1}% -\fi -\count@\z@ -Z \message{^^JLine Width: \the\TY@linewidth, -Z Natural Width: \the\TY@tablewidth, -Z Ratio: \TY@ratio^^J}% -\@tempdima\z@ -\loop -\ifnum\count@<\TY@count -\advance\count@\@ne - \ifdim\csname TY@F\the\count@\endcsname>\tymin - \dimen@\csname TY@\the\count@\endcsname - \dimen@\TY@ratio\dimen@ - \ifdim\dimen@<\tymin -Z \message{Column \the\count@\space ->}% - \global\expandafter\let\csname TY@F\the\count@\endcsname\tymin - \global\advance\TY@linewidth-\tymin - \global\advance\TY@tablewidth-\csname TY@\the\count@\endcsname - \let\TY@checkmin\TY@@checkmin - \else - \expandafter\xdef\csname TY@F\the\count@\endcsname{\the\dimen@}% - \advance\@tempdima\csname TY@F\the\count@\endcsname - \fi - \fi -Z \dimen@\csname TY@F\the\count@\endcsname\message{\the\dimen@, }% -\repeat -Z \message{^^JTotal:\the\@tempdima^^J}% -} -\let\TY@@checkmin\TY@checkmin -\newdimen\TY@linewidth -\def\tyformat{\everypar{{\nobreak\hskip\z@skip}}} -\newdimen\tymin -\tymin=10pt -\newdimen\tymax -\tymax=2\textwidth -\def\@testpach{\@chclass - \ifnum \@lastchclass=6 \@ne \@chnum \@ne \else - \ifnum \@lastchclass=7 5 \else - \ifnum \@lastchclass=8 \tw@ \else - \ifnum \@lastchclass=9 \thr@@ - \else \z@ - \ifnum \@lastchclass = 10 \else - \edef\@nextchar{\expandafter\string\@nextchar}% - \@chnum - \if \@nextchar c\z@ \else - \if \@nextchar l\@ne \else - \if \@nextchar r\tw@ \else - \if \@nextchar C7 \else - \if \@nextchar L8 \else - \if \@nextchar R9 \else - \if \@nextchar J10 \else - \z@ \@chclass - \if\@nextchar |\@ne \else - \if \@nextchar !6 \else - \if \@nextchar @7 \else - \if \@nextchar <8 \else - \if \@nextchar >9 \else - 10 - \@chnum - \if \@nextchar m\thr@@\else - \if \@nextchar p4 \else - \if \@nextchar b5 \else - \z@ \@chclass \z@ \@preamerr \z@ \fi \fi \fi \fi\fi \fi \fi\fi \fi - \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi \fi} -\def\TY@classz{% - \@classx - \@tempcnta\count@ - \ifx\TY@box\TY@box@v - \global\advance\TY@count\@ne - \fi - \let\centering c% - \let\raggedright\noindent - \let\raggedleft\indent - \let\arraybackslash\relax - \prepnext@tok - \ifnum\@chnum<4 - \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ - \fi - \ifnum\@chnum=6 - \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ - \fi - \@addtopreamble{% - \ifcase\@chnum - \hfil \d@llarbegin\insert@column\d@llarend \hfil \or - \kern\z@ - \d@llarbegin \insert@column \d@llarend \hfil \or - \hfil\kern\z@ \d@llarbegin \insert@column \d@llarend \or - $\vcenter\@startpbox{\@nextchar}\insert@column \@endpbox $\or - \vtop \@startpbox{\@nextchar}\insert@column \@endpbox \or - \vbox \@startpbox{\@nextchar}\insert@column \@endpbox \or - \d@llarbegin \insert@column \d@llarend \or% dubious "s" case - \TY@box\centering\or - \TY@box\raggedright\or - \TY@box\raggedleft\or - \TY@box\relax - \fi}\prepnext@tok} -\def\TY@box#1{% - \ifx\centering#1% - \hfil \d@llarbegin\insert@column\d@llarend \hfil \else - \ifx\raggedright#1% - \kern\z@%<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< - \d@llarbegin \insert@column \d@llarend \hfil \else - \ifx\raggedleft#1% - \hfil\kern\z@ \d@llarbegin \insert@column \d@llarend \else - \ifx\relax#1% - \d@llarbegin \insert@column \d@llarend - \fi \fi \fi \fi} -\def\TY@box@v#1{% - \vtop \@startpbox{\csname TY@F\the\TY@count\endcsname}% - #1\arraybackslash\tyformat - \insert@column\@endpbox} -\newdimen\TY@tablewidth -\def\Gscale@div#1#2#3{% - \setlength\dimen@{#3}% - \ifdim\dimen@=\z@ - \PackageError{graphics}{Division by 0}\@eha - \dimen@#2% - \fi - \edef\@tempd{\the\dimen@}% - \setlength\dimen@{#2}% - \count@65536\relax - \ifdim\dimen@<\z@ - \dimen@-\dimen@ - \count@-\count@ - \fi - \loop - \ifdim\dimen@<8192\p@ - \dimen@\tw@\dimen@ - \divide\count@\tw@ - \repeat - \dimen@ii=\@tempd\relax - \divide\dimen@ii\count@ - \divide\dimen@\dimen@ii - \edef#1{\strip@pt\dimen@}} -\long\def\TY@get@body#1\end - {\toks@\expandafter{\the\toks@#1}\TY@find@end} -\def\TY@find@end#1{% - \def\@tempa{#1}% - \ifx\@tempa\TY@\def\@tempa{\end{#1}}\expandafter\@tempa - \else\toks@\expandafter - {\the\toks@\end{#1}}\expandafter\TY@get@body\fi} -\def\TY@warn{% - \PackageWarning{tabulary}} -\catcode`\Z=11 -\AtBeginDocument{ -\@ifpackageloaded{colortbl}{% -\expandafter\def\expandafter\@mkpream\expandafter#\expandafter1% - \expandafter{% - \expandafter\let\expandafter\CT@setup\expandafter\relax - \expandafter\let\expandafter\CT@color\expandafter\relax - \expandafter\let\expandafter\CT@do@color\expandafter\relax - \expandafter\let\expandafter\color\expandafter\relax - \expandafter\let\expandafter\CT@column@color\expandafter\relax - \expandafter\let\expandafter\CT@row@color\expandafter\relax - \@mkpream{#1}} -\let\TY@@mkpream\@mkpream -\def\TY@classz{% - \@classx - \@tempcnta\count@ - \ifx\TY@box\TY@box@v - \global\advance\TY@count\@ne - \fi - \let\centering c% - \let\raggedright\noindent - \let\raggedleft\indent - \let\arraybackslash\relax - \prepnext@tok -\expandafter\CT@extract\the\toks\@tempcnta\columncolor!\@nil - \ifnum\@chnum<4 - \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ - \fi - \ifnum\@chnum=6 - \global\expandafter\let\csname TY@F\the\TY@count\endcsname\z@ - \fi - \@addtopreamble{% - \setbox\z@\hbox\bgroup\bgroup - \ifcase\@chnum - \hskip\stretch{.5}\kern\z@ - \d@llarbegin\insert@column\d@llarend\hskip\stretch{.5}\or - \kern\z@%<<<<<<<<<<<<<<<<<<<<<<<<<<< - \d@llarbegin \insert@column \d@llarend \hfill \or - \hfill\kern\z@ \d@llarbegin \insert@column \d@llarend \or - $\vcenter\@startpbox{\@nextchar}\insert@column \@endpbox $\or - \vtop \@startpbox{\@nextchar}\insert@column \@endpbox \or - \vbox \@startpbox{\@nextchar}\insert@column \@endpbox \or - \d@llarbegin \insert@column \d@llarend \or% dubious s case - \TY@box\centering\or - \TY@box\raggedright\or - \TY@box\raggedleft\or - \TY@box\relax - \fi - \egroup\egroup -\begingroup - \CT@setup - \CT@column@color - \CT@row@color - \CT@do@color -\endgroup - \@tempdima\ht\z@ - \advance\@tempdima\minrowclearance - \vrule\@height\@tempdima\@width\z@ -\unhbox\z@ -}\prepnext@tok}% - \def\TY@arrayrule{% - \TY@subwidth\arrayrulewidth - \@addtopreamble{{\CT@arc@\vline}}}% - \def\TY@classvi{\ifcase \@lastchclass - \@acol \or - \TY@subwidth\doublerulesep - \ifx\CT@drsc@\relax - \@addtopreamble{\hskip\doublerulesep}% - \else - \@addtopreamble{{\CT@drsc@\vrule\@width\doublerulesep}}% - \fi\or - \@acol \or - \@classvii - \fi}% -}{% -\let\CT@start\relax -} -} -{\uccode`\*=`\ % -\uppercase{\gdef\TX@verb{% - \leavevmode\null\TX@vwarn - {\ifnum0=`}\fi\ttfamily\let\\\ignorespaces - \@ifstar{\let~*\TX@vb}{\TX@vb}}}} -\def\TX@vb#1{\def\@tempa##1#1{\toks@{##1}\edef\@tempa{\the\toks@}% - \expandafter\TX@v\meaning\@tempa\\ \\\ifnum0=`{\fi}}\@tempa!} -\def\TX@v#1!{\afterassignment\TX@vfirst\let\@tempa= } -\begingroup -\catcode`\*=\catcode`\# -\catcode`\#=12 -\gdef\TX@vfirst{% - \if\@tempa#% - \def\@tempb{\TX@v@#}% - \else - \let\@tempb\TX@v@ - \if\@tempa\space~\else\@tempa\fi - \fi - \@tempb} -\gdef\TX@v@*1 *2{% - \TX@v@hash*1##\relax\if*2\\\else~\expandafter\TX@v@\fi*2} -\gdef\TX@v@hash*1##*2{*1\ifx*2\relax\else#\expandafter\TX@v@hash\fi*2} -\endgroup -\def\TX@vwarn{% - \@warning{\noexpand\verb may be unreliable inside tabularx/y}% - \global\let\TX@vwarn\@empty} -\endinput -%% -%% End of file `tabulary.sty'. diff --git a/doc/pdf/user.pdf b/doc/pdf/user.pdf deleted file mode 100644 index 77c3c75f54f764cbe21dfc18d4bbeee25c7d5631..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 200362 zcmcfpbzD{3_CF5OD4o)(<)|FibmYtOO9dXF*395ok%oVdgdFdGbmq36TfPZ(ej2gpX>9K_F$ z!7goNZQ^JOg2SMoZyyYH2{TJaBYP0Lgr%ONk+_k8jiC{Spdf~WqrH)y6^84um6D9j zGzVVIf{H6{>@f1%yYEy2A0`J#QkE59sISH{W``*f5KZ=Y*Lgt+hYR-*+^Opl+_sb9 z+(M~?gd=-J)&ye~yVG}1j7&!}k1GYxxVe=kG;s>~gm?$vIFAYlJYUGL8Cc7=ZdWS( zytlw7tL@Zzl;w1F`7E=sX0=Kd0A=M^X%Nod!GC0 z9W?{P=y6&ad+3t$Amcl)` zmwdppFi;;iQ!GO=8V_e^#heU{5R)OaW19}*BnnWNHnmUsoOG#>tdK^;f9mkIAI-qr zLSkgWp{7F09Leds+`86!%qcB6=8~>jFd}zvI9T?*+ZAe~+0xAccT3WyWmZEhE4Ai| z#|qCB?if$t-bezQg`n`Fh%p*nHh^`>w=}nXB7M-_Oiv)rm_UZrj?qHO$U@dsov$yw z+eS(_qt|BMLJC@F(BJ8FD<(ZoMt>H}0-PU6a(9DZ~;)5tPj7^$Xzy-W2;Z{Tvv&MSSkJ(~$iV^RX!GqBz^RSX1;)X! zKi&cQ%N@9X+~Fr2c20VhW{z$kXCr$vV>1K2uMhm!6Ttrq{U2EW!awA@&BVB-Xl7tx zO1P0S${?R8+8Yeiy2_?Er8$tQWNN(1#Re0c`BP3x%{2DrJ2J8;(rn)gbj94 zl+d4|6gL9qhmG6c=^K8#@Dm>BpQQN<_pqPRRB`}TIs+SPV>1(wv6e^e{L zNErU5SDb&64eZy)M*O0JF#XruKRJ~X=-k34qQ=k9X5ZUp9D6OoZP{#OHZ@1?v zHkw_m7JJ#sctNMtcu|?n^t0TOg4JdY_15K*MeSr)E#n0XYmbj-H(5Nczt2H&YqmA< zj^g6ud?dFLy0)U6nrSNur#Jl)Z#De%`b2F)<9CZHj9X-BG$-5g|@ za3t55Z*0*mui<;X3VRjSIifK#)c%HFS(`L;Ge^U+YF^@Fwd;&b%t-b%S^dS&cAItVs^)U z5wd`e+rhnJ?*v9ABn4ibua}~WgWfWoDc%#2#12g5u~e28){_s;k%q4X_LGW>1~h3e zUKJ4zz7t%-;lumDwnQ-qV^u2gU2XG9cdZ?&85>SQrd~BtD#u-)9L*w>J+hbtAKQFi zla8Z$&HVM5V7PmWL-Qsy5|2q|r-t#QOC+Zv3GE6or&1Dv>Z>ce%v&H8Lfx(Ot9=jA zshV=8o!NV(i8<;}Qa82xdTzEofsGEMXcM_9C>*G)urLUCgi6K~qj}z2@!v9kTON8? zIzQ5Ivg8B4Pa)`VIbsTm4GZ#k{S@7{PHo39(f;JqvebMu%Y%g0agZLCXZ`NvYVV75 z6`$a6L=P+pXDf1UC@c_0{3Q74>nM?e7vxoow+P423_!z~<2od8F5JKSb3ES-!9~sF z2CT_H54GB@pK%b4Z4;;7%<7_xcUvultIfZ<1&!%>6U7XKeTy7U}S-4d|F&5s}FW^Rf=>DR6 zR@o|4W-!&8d`?EiTa#SC{6y#W=l!zn>kq`Nb#~K+nvC}_F^X2dG+kn(2BWxr!ecou z2v!(z*{834_Lxj!h%-+J^i}~@7eu=a-l$zooFWgarnM)6_PyTy61q|)_(WZ=`h-7a zSFeBd$h4Gho8&4GXvrqEcblHVVD6?>F7`*oU|SC!Y9W|t3{1V~_Otz#u-pYZmmWjG zIiby>wyIHqquuT2Ax$r(UaV1g@~)W+th{ldD!8TT_-AO0pAL2fWwp(5g4!=-Tdg|rLHC0u?Gvq zxrX0+`N818AfcSy$ASIU{j%a`vCm^~P+9E;WW`1-wG_#*E0Drj;ERpDSTN%T`5Xl` zbvhxo6+ezDa9{6(x3L^KFr4(z2j4g4DwWm zlY1#7(U`pBE1<;IN!X=moir&Vajx1n(InfD>`fIuH0T#aHXC9$m(Y#` zA0K_Je%bW&lYa#M?!kC9EzgHB9U*SqTA}J@^dlvsy6GibvZ@0)?+I!X7njbAs+Aer zQ+xxOqmhyR@|6YGMXt@{vB9X$nPNWg1V5VKwUfS9jSpw&fd^$2@|Qjv?sspd1?Q|M zp$9%#82jSs9)tGkvJv6?+1&{{{#Bf&a%pd+J2J@28AZ4r#r&P~gLj6Gm5-dbcVV{>-eQmPK|;R!P>iK*{NQZ`{1OUD}p+jOEI40UZ?Puj(4vZU#|7E_S=oTwd1RP zJ0zd0RAxEykrn5JW*y6{SzK_Kvo*P+FA4cP8e?asKYgw#1%v_Y$fisiR?*{#*y zc$d$VrhC+pKl=2_3S0#_zQfFyr6CN-Rb<6S;AIDP zGqJ5qHG=gMA%vm?1$}k>X49>13f&u@eEqrnSU&W{k(N4kJ)x`sp>boMwj5niJvd7D zX`2w$kU8ann{E}QCo!I3oS1L9^xWZYo-Assdu+GG4z>=c(@u};ZGLBl1$GC=k$#c6 zi*=d}lF(_v_fN_=t!&2h9+NypeL1_|{748->b?x?7mE3SAmbB_(-)^bqZr;s(f#sg zxgRepcn7*loe&?EHr8EwZdB>*HyeFoPyh^Hy*DWDjd~h)$da&ZROgl-mUW7;Y}%&N z4*z1YW13rcODFDFVA|oc4XT2JeGLE7jWB+m-N)MYpK}@J)k%0~^DP=)>E4Yv z@Z+DOBpzi#^Qf2<%uUx2Nky|zf0*OT78xP#{?&clr6yGs1z@x_(MDo+0e= zPG72o822V(8*X~AK=GBP!rTI9L~=gcM`Cp+(tVHu{a}>i1owxJm+GtqPwtOCv37N) z_`(q4UAb*brBTjYw<_D)DZ}}C@Yyo^M9Q+}Ld`Zg@jfxtdfIz)O?(zgLXqI7VzY?}rfG>GmQ@a4o3Q4m2|Be%_PR{~ z7I=PCNEwMY$1~i;_g15Bzdd8U#jWaqj4MhW-z9htLU>x<%B=O|_`s{SVn*x?BJSd{ zxi>h=uhZfZKJW1Q1ng|hzf-iiO4QvPHQ2w@*)VQLFgDSe;*k)SV1HOE^v1QFnKhE< zerPIp}b`&t^$2qxQhWl)F2b4j%h51!>W;Q7wb^e0=?F zhWf&uLWg3D;xOZcLA)ckrR(cNuCd%DxG=YDbpmGwJ*f{^ih+rSjBCoLTS8SKeil2doH4y*Jk#k+ts2j3OA?mcQ3Xjv{SgZ zK37MpEJRqs+4XqX@7Zg^3#Y3es<<_M2?-hxv@}l8r3^&nW2i#YNVl>Lr`Pb6aU)mN zkdH(gXSw}_?0Ht^s5BZ^N=~nCzZ&^y`$KFVNhxPk=i6Mf%q%5R#TF&lpRkAUauR2P zD?_KbH>g=c>wJK3?BvD7gZGRyZv}29(We~=n;Ad%ZR8JlUQ?$lQJ1k9vaeyh6W^S> zuhOwt6cV`4-7(qCAsc=8g>3%%qn20cuE+ayP02Tz1z7a!yyAKf-#gs(qVdiSi9d0! z7HU!0IDHqif2*uo$iD69stR!EJi5wVEo3XWus+kSV7z1C{XWa9(omvKKgb2v{lL?6 zE19g-!kDsd=Jb|#!%387#aZ-?ePHxSl&0O;)xpuTci8(v#i`r-?oWZ?n8puOq>LAp zWIQc0a5;Ai0;zi(CPZyaJ9#q});YRT>Kb~^61Vcx_hFtMs4Ze&lq&9)x<@V~Dw7(B zaphMYr57EN2^YU$1AH3I>|7FN$|%CJfYl{5B+ zc|T~6Y?PNuAB?DHXY9q%eHfPy8rI006G*T&-;Tgqv$TDySs1kHM46*;bzE!{>5@vF z*m~TH&t~uj*5fIv!HEQ4FIcZoz)YUQZ!F69xcs6;fj}YO3<~Ja7NthE>Mk-EZ{>to zW1LuffI?_Q5)WToghS~uo$cKK$$$#N>HVQ9ReC?_wmm@@G?n%fa)ao-0tsy-WZyZw zYD(gdok?_$3&*{1<7YnSZ=5}kq8UWt&DeF`sTs#}EK$SYXTa4VoWC@1D;M2W5qH7c zD{GKIXYhDCztGy4`jh^H2H|l;rj}-$Y7;|3kV~=kn)*y)pHO_Qk@o(gDPGZ)0U)Xq+8@vAox9^#VbKDf&Y>hzdazNS|gI&zV+7ZYDIDmM*A}f!mi2Pt?X0r13RJzy*eYxOpI27yto#U?d34@ii4750tAw-;?A# z-_s=LHxmc_Od+VMsRK(0h?|p}4Gtunteq?^wJr|(o}BpYFyN*Tj=vB2p8q%>A^|)K z@C8U!K)C>}zB2nYZvkXB!GN#&^#sV{v&-4r7$^YAWDNiTaS0H+qLHg3=pq|nj^C|X zJl|F9ALtlVPEv(K&UOJ(FM^C9(E3(C%oh%4-q1nCTbh`2{2_pOWSI;YK9kcwl~`B*RkkbVnpzRVh*%M`R-0Z zvxMCr8Q}N{`5ZRJ_#xi)#C5pr2PPe2iYIAUy1CI*iP3dqQEw4>5np7NX_x2S>z7^e z6Ww?ES3=C<>B>r0=^pS$n$NuJUBDaGp+Z^Z=#HNQceX@^k-c8fBe*;5mQ3{Vtwk&1 zT(kc$ie-59C(bwXiM3i4_SkNZUJgH3Ih1%!!o;lyx!0DtwM46B_;GPBx6a};VrPtQ z#6dILX0-=b@qMioIWFd9R`Lfj;nvs+vfLF@i6d%P7;m=U2!9Iieqk4#$hup!)QI&e zy1n@&;Ya|+eo*L#=Z=T3tPdw{G$vf9&Wky+zmuFhfj51PRWb2Nt)57*;RrsjLMQ%i z=9POS7Rm35Y^T-Rk)Bdj$MuSDNg zemM|7gB)o4hgU1pxFQ!uZ?!MeDc*iD7xlqBTuNzF@mX%_K(yWMW`tFm9#h$;ks9~T z=4?%0RCH9%DK8pdpYXAkth#ZzWc*TJ;$#k-z2tTCZZUEF=FIV3F|4-en2`YKm14@6 zHxeXUG zXTPx8?h2|*<>Bz8$gVE`V1(Vjl32O=xlvlr+jJiXo!RE$d{`IGwOjs|*6~Xgu}e&8 z*_H6e9LL>j(gezzgu{-OvyahMJs&xnuRJUXj#L?N-8RjhUOO^hY4_a_yhKq{{dvYr zcT7zZmsVI23wGFUJXaKhK ze4zl2U#+}6a6G330-u*BfphRTTMGu(iSz5{Wyr6;e>Hhuk6+E}*W>x}0vx~71AnIn z{!R}t_vimRF9QPqKQHxtJ)Rpu;P{>1c}ef<@89V`zSDzzqxXxEI_Ld|HT#Cu`GaAw zD>&&po-d2iX4V!M?4m$v*U0{S!Q;?kmt?=qE~fGIxj2AzPaY`af;70nY#e|U=Y&Do zxBz^?a85QJZU~5z6UN2~1_OT+IbVzZdqw%L_3|5({|;MU*?_@8oKP?uCs0mQ1u%)`bB=LSJwU^Xr;D8MKO8;s}oc>TrL zw=(Mm#(vboFDU*0s~~?c#=(6qNC<=nU<^PI3}@qna{d9aZzax)j9pv?|2M?GYZwe* z5DthG%nf1V07{229xgU+2={Lp`%#YkJ6;#dHUAr1-|>QRL)o~2@*@Py#l{1a17UC& zfZJEU@b8NMLy$j;@fY#Bn63YJ7~=x7!2wSR0)et|0B$A>z>S;Z_jvuq*xwQRyNC8a zY8VX0b1p~-n3D}C>B6`;00934*xwcGqIdf500ss8aiD4f0ZbVbu%a*+oQ<33Pk?=^ zcwdy{MHlmbW9*0K1F8kACSbs%@&Kz13<78xoaeV1_CxXi4%gS!;9oVZFb)_S5b}Uw zz%=CM0l~lkcM#Zbx%#1AKiU>9qIEGw`rpv{J|UqzfPDZaBA63k3^4sL4hS$Ye-GDR zjQw5j|2>ocU5rp*0)pYNbH*TWC2djtQf9HE?WHZV}e1_SEO z!O01Na`CWn@ciFPn0xx0a~R1%k@>1fVBWYp+I*J z^#7caKl)HE^7XGuc>>ra4v>$$ne z*uQS{A>3SSoPfIu1~iKs@D3pW!+)HT-#U0M^7XG9eFztz$Z!BKDBxQFMhpUYWiZbF zdo=>qtMi_q3yc97)W25Auj!%lpzJP2RVl zj$Hz1?E^!1??-FmIa}Y8QD7ht{r35Dn)qi5Pxu*TC6@1NU%w2$%4omb zkksgeN>O_@6~}yEQ4G0HQVqi0pZY{IDD$tWG&FZ0NiJMNaX_`_3AA0RB1>Xc{j8Qq zmcSg4=^M@g?t{W$@|SMkdob{><3l+1rk}vMm}pLfmT}GNvExZ`fV=f8AcwI2d4IL z?{^6k9k$3e%c$cos(k9a$8R5?rS3fHkun5LOL{Dyj2#If75RKgs}?p)*t;8PzRsM| zSiUtrcCxTG@^Oq?2*HgJLS=4Kx~a%`lUz#HB;%pTN&&`t&DmHK`$YcQ1ly_V$?Ur< zg6KZlzIJgGb@z4-f`rH7r|rug^fgsFGO_)3bdMy*@j)sd3SA^vj*1XufA# zV^umNdXr~cdq-~}((-2u@kKgp)Aim?XWJ*s#LR^s-rY^V^Y9~q)18DN8%$>8I-asH zBck9_+Vwa6NG8KbCYd_Uuk~Gm7!%*{_CLPb(G5FUze#$OeWE)Y0)U*T@)z( z$lif%`NoYD^fn_sbB*C`(big3)>6gOI#->+6&ZzB2NV9Fe9SAol&i_zpZtpSuHP2k z9i4Wo2eW4psdc#A=dc?5ApA_!J7rrp&BdEqCW+*l?9Eyz(!5CHy51AVY&O%zmF<$J z8HAJ12h*?He0tsK^(i#bN3WnQMPB_V``V3et{c6?*^mJ&4|V+zG?nb6Uggd>G$Sht zI?Kt>VGHNA#IC3EB6kMr(387A2KwOC6DQS9#1zj#dh;9-%_LU(S#yBX}43 z#og+S^_`D=c^X!cr73K(nq!J7dL-1dkJ1{`Nu4=@wMHn*t1Qa8MHNgY73_M*W zdI*>3pNcn}UH_P&(uG>!JU+E`%!v%s&dNi zUF4u$GVM0W5EzEX<@8t0BRxw9>dkp0oUM83V9GJu%d8<}~Yb=G&Vs9n-ZEb#gS6L-$w~BAKSMAb_kI__AfS7NS zks*i`8;v)uYhqUb>j_`KQ|$maM|{vVpD0)OwRg|-7-2`ZEhw*qHVyg$8`$u zx^#K4a_)X#;~^DCZ>A%Zq++_NZfKD@u}ND>X{`Z z$KA&~Ba!{WwMgn0DMt&ZQVAm}YjC^uj3P3KBB+-&=-CcZuj3>Q6{$o5@{DY#RYDM* zbnqt++s4$_*Y2bX>e;{Z^AJ|Corn9vtZ(bxWyUwo2yPIRf1;qKhDlN3Ij!XkBp zt2fo%jE_mKVDxZ3F957R^kIl#m>Zi@8@`*@%=#e z)$@`v?oiKFiZ9ZC_N;n$c0G*cqZ5&+u#o`qSc;g{YxlBo_g|25zAU?6tswQ0DIliiNjJ$9!@p+T z_=YO;&|5eJL03SO)n(Jx9LyBJT`^sZa#_oEvR-Qivw|8`=(IAkE!M$^@}A}NJ48Yp zoDNCN7<(N)OW`-e$=MWw67Sz;FJ$Uoo8+FDH^L?`bXD?mXn27nG4ghMLBj0w8|C}> zgEfa_LQzWehKZ-xOf})LAbX>F?3WO`vfKClUj>?BML39ZiQclkOiUJwOXEvqCi_;G zO9cHn&*kn4^Ur#Qaa&rIZ#9g4UUBX*H%}#Ef8M@tVeOm7;Y*0yB5ADyr~Z^JJCJrzAV^{y7~?(NFA!0LL$!lQMYB|H4DoXR5tNW%IMg# z4wivzO(D{wETl8%{fZrV-3-Xd7bG2t9?a*o8(KRRNP+5UwSEmcJhGxQ+$lxD>glKE zv>8Ry2u|_*mp^9kCbb@i7q;)uEUxo$s91vecTy!43lUu2>mmw*8~2Fsv}vK_V<)r%uNYI6TjAy$mpbBat@QYeqBveLey6xOTqWx>+C z(#|G$?~0zR2xY*uVEOVGYU7l}ijS=r@lK%bs&ifKC3ZvFnS)mib>;)KzCw$-|v%9a$iB@r}URJz-MA zBVw;9M|CWZrMK7MH}HkXib#Sjh*H?n8$Q!DnStAApSxGEcYzku;a*t~s(C#jk3Tf#%i z!SXXPBmT@!89UbIP|vjFvn+OHq`U?ugYC9D(Uxd}J5sWNJ$oCk(vzi*X*xghOa8{+ z1DxN#Jn(P%p#Svu&OM}G{XJj@>Himh??M#^_Px4tzAZ=o*8=$YwI43s|CXBq0tp~1 z43tTLq!|~$Erg33h*yAm#Mc}s?ElU&0PhBLFrmz`zh7D+>l9 zIv@lF14%|8z=QoM;{02B>c@7YpK;K+JpVxe1-t0ye+{618Tk7E>SF%n9}fA$U0_^5 z&JZZP{bx%C_*}t$sKQ^N+6C_(2-PmeZJg&>n6Fw1v|a#NZt(fWs(;#g!Fe$b{Smjp zflWf^pFhWK1*&7;f`B?v8z$tce97C7Kjh3O$|RPVxrZQ+(k>yZWLs$&w#Ck}9#2eQ znOu`9bDyyWenu%y$F?=u+c}IH(v?x*kIQ}bCPa1mB{2a?WI!Ld zun)4RJLz|Dn)ysxJlS+EHXIU7PsYrw)>79^f8ZD|aqr*_v{R0gqHp|h*6NVHnAECW zMqjaj<4pKo4;FNOqUO${5V5C|cjulWM5jEr83?O_-)=PUsJ~0jHBk5uc8?+{#CQRbF#rLefXY_-!a}LuUjxxNR z#0;_T6vFQ@Wgk2mxPkFHH*tZV+=A9=UPXx{)T%*4Ttg}4MsOJ)n&J^j zBVtJI)H@}qRF`sB-b63tDp5$f3RbSI_cRAFEsjgDSGq5{_QDVa-M+I8?}7!rC`@g9 zi)lnFf(e#>M@v<=pW*?zl;?ujPTCP2ruTX>GxD*Bp&a^Cy&zLw67?3}NCThPSvAFW zgo6@C@v3*hY1y?`3hIyH}V)YZoh2453(B{Tl7FfDc*8 z%9Z2}>T?f8aYi-OXYde|!^n0d)1G{?9!Bh%re2-t@YYAldECRh3!f>Fg_=xfM)%lF zGbI{3S(Qt_d%EF}>|MA*!~*ZnN}GewhzsnnUe}|Hso0;NyMet{b>$@@R~bvuQ?k47 z8$U%GTVu<@{n<&$^R_S(J8=Y>Qt28N5GJ=qd<_EiGq0~$)}iO87!XPODrAoHgd>qt z*Gkeq_E(Bh(jr{)T|joXTtq@>a!jPFL{;uE8`%?+RaEes6o|%-Cg`uH`POC8<5 z9oyvOQD^7YkeOY2(~6z>Hx8{kI)@4!vAhl+6x8dUZ>k6H3&vXD%DQ(rVw){Lf?*D# zle`lqkMLnpHy4mx+;my|DLIi#igbS4^EA5q9(if?Et``=PN{|^^f7bK zE<1hfPn#$$ z0vWyoB9z(ZY)CGCgwKkYhb_=!DMr#NH@n(Tv1^l&#qt#;Gc5Lx&7Nnx5$P2GE3YxW z3qY^--&(nR-2nTcxFSpP-cr2NRpSyf%-!ig3N`!x(vfd#gUK$~~Y_^qAZNbu`dSYXs*^ zHPh@}mHilEjoO$mS4Rxllf#c4JtU8rV=D`t8X{__DA8jFae|5{#c){kQ&NJd?`;pT>rJIP~<#w zNl)NsLn`Bz(mrG>_EKc4Yo0HaW631w@A)FGk+jCpk+pnD^;7sXF^krA?Bk`pgKYHX z@U=j6SEPWUsity6KADMN@Z#pAUyboz{Y=FISw}?82a{p7&A3Tf=8ZPxl7X z=0xYGs^Zs;rMh$m`cP(%=7URL$ogC+VtV9u{bA)hL{0C}#FNR16Z&}&=<~Mvy0pP) z*aHvR*L)s(1E^2WaD&S^Vt?bKa{j%y;Xi%U^9B4@AN73i^gqu@Ui4AFdISIIn_lz~ z{x{zgs70Rlp#p6vK#_qP1O+-ifc!p)iyNq>asS`-w%=5Af9(4H=>nd^^$%RYi>Q8e z=YARYdk^ruhw6u0_M0&<4xs%9C=2|}pZl?q{hZ1FKlpPO{m$?H9E9sfzxJQ~xmY#X z_z^Cgy6&7FtGRu1r4Kq5Hm`?z zT8C@7Mcp0c*8AeMPAck$^yuVRd0#3B?5?2;zO2O=t3co}^Talt* zz^v@@gfFRpI#d&m+No6{1WTWm5N}3KG3qV8>gai_-bc;C1?4qsx7SZY z_1u@o^$eaK?SU|~UmoX-CCqtOVvNBSJ&Lqse4HaH5(dYqTkip zkpk{d?P$ zs^$J@!PJkonQlFlC$JkO8~ZP)pM2^qp<4eqsO<;dl0ovNH^X*&7m=_X^o(E2RK2XC zjanwIKDrO)ozG69DrT7F$yM)MSH7I(n*hI~FC2002J|4wDl{G4vHEJQH>&L;*$uYN zr%&HE$h8R5M3kybu8c*HLf?0ZG_NH+Az6?2tCW7%CZ#una1B4e$c5^`u>~a)6HHxw zerm?62<>BOiy0z5$K-p6B6_PI{7Jj$dxf0goFyKXD zooy=z+*%{=YGdPS#VScCG4N?onG{!hboNVfie7N_O+8E@mLM5QiycU3(3in@nTIx> zzoasVo||B7OSIdmbv&a5OkJI7~y@lpNjH{HK<(K5o9>W zJX0hHIwUwUV04r+T=P*)NB5etsF^$;5wL9DZG@7ryi zEFTZ!2+|sVtodAM$t`TJD@><6iVvygnPFe+h$7@8y)wwD7!tzRLPt`;6D`Vy?-^S5f=Ji+b4A1!MR# zu_li9QB&Sei)C7P#u6fG#N17d&pP4kGVn9CY1JmXjH|otTr7>|kD_%J9ly3;^C9sj z^Z;o^eF)*@noYe*Poq`=?Llv(1-`#JT@spCupj1&m`?|szAte)c`FeYALSuMaWD`{ zi>$~Gf3Oyk)$G-O(twX2G7n}NMJE3&Yl>0j@ugL1*Sat}O{#!%xh}^ES<#pZ+eNu$ z`xsk4vV-iL9&f2s5-XB5rwU* zbSL>v$V(Qg)Q)7FODm2$dgeT%BJF`WGSe0@;nbpoq2cp|zQ^kNO~r_huYQam&XIWB zPk2jC&w@VPy)}lBcJ7ML=@2cMW=D)2Dd~%WKJuhD&n_Qu;GIt2aa==_ucaduE_;rS z?1ie-EKFg8R({ZcJ3*9a{0Xcw?!104P{%XL`5A}VAdI^(ck;S{!nXFls#Lw|EB6OX38_^mZ{(@%O;y#oLB-QQ627R_6K`ZY`jI7X_ zBG>a%bBGShia#?rcIU^1DBy0NR1h!YHzgfLt7+R?DxIOW4BJJ<*$>S$S~X}9$Ce6a zTKT+Olif`ak7bY}ud3RT0bP&5oGQmC<$a+rMu=~4+1nzq%7OEhapQByl-}aJGnPf_ zX77aEm`~#g(?>~l16fLQ{X05Z?XPYzJ{J&ew7m*x#H4EL@4VemeOt)vz`;YlqXVwO zChfp+!|df&NW6Y-;#&fuwbt%3uiFV~%5qa1G96EPU;=bLiv>%I*r@65>$B-*p3xDF zg&7%_%VJy7eV2e2n+ZdyVmsikhh$|L$Zx8Okzmgw2WTPGxLFEU_Br#9zvSantGoWb z#Z}3GY%x3_zatEz$S$~x%?RHj-v8Mr!|ln68z>U;5^@Nvs6p%&gYPTJ>ElkxlR98~ zdJi8KJ;;N9VT#ttE|jbh-Ws78)p&5o8oF($R+${z&OhaV9#n}cwzAXHkQ*wLE3is7 z#lh6$m(7exgX_O3=3Pbo*(*ID_3BPqf|tB|an7TZ(QG%2cAmhwy_*Uc+z*Q;hn6d*3o2=H#(#<+LP`B32UYb9(M|C%J za;ZtP5Dt}m{80;MFXr*`6H5f06mK?Wp+mw~dOq4E&C)xipEB<$-!0hIF5CLzpk_um zr{uPtmMtc!YELRRm#W%^O5(n;Oi$AI0<0@4wY?=wlZ;s0qC23?u4f?<{YjKWVo|oN zN>URoc&fTdvUjmC)L zgxUW2?~8XC>5Rj*q3lL#z4?;};_{tRsZkg@K4!!PBG$X!d9*zRIUw^K|4rM#-Ugkezc#`dKm8ev1W`tGnw57!W{POs7k$gp(?RM zku*kOYQ!S?%1l)_Vw`5$Qe7Fw6M7otBm^I^6Wb9Uq7?KqAY_g4K|3 z9NC83=0?FFxB;67k^EY>sIO2sE}xY)Hj7PYuk=%66p?PqZGEY+tf!wp5om$k&=SmO zj9+A>i#1H$8MUXlS!~G1dP-b($Is*u1*{{qm_$q@vd9&b3A* zV!q4T&@yjo$s5KqOZ}V2LeJfQv$Z%al$y*c!2$ToIrmUC&!-}yS}~Q?m|1zkGD$w70R6VmHc_P*nc*W0NLQL z5!|;XlHZ3i=i51c31xmA1LFd^k-52k6Utodiu?Z@%3SC#`e*$qKi+tCj>(Tuh6gAd z{KM4rTk@etBQ2Yrb$;y3zDjhE3PdJcZK^T`wK#*`+)P7(4gxWPD>&rA2`5L6vip;C zuea2PGo4>>EG{iACDc+7y=c0VUt8l|QggV>tzB_vh2F90qjO#8sM2g}S(@t$t2gc@ zHR^o6S)VDCinR2UI^Aa^UhX;|ueGvM=GEu65?(H5A{ zK5?F_FVvswVXLJIF)d{&9IqjHK{Uy((zy4?)oDQW?R#7U*ZCLaDrXf029ciLEibQH zPTg$Y3~+dl%PxTf(&ShE$y*$r(4&$_^CS+U=EPA>>% zGILEq9V~$T@)OtfiS0KSvK7P4wJ9i5<}>gOtOL_TS5Ur6cj_>?41%a36ZLZa6+E`} z54SA`cRNlfjZ&WGB{PhzxzF4b>HawU(&uIVb&|Cqk*S-}v^!yVsr-}nIy#U?W*Zf7 z1SEISzU2chy!(R2Raa%Eu#GvjQSUBZrK_+Y63G)ld}u?U+6g_%ONGcLk1WfOdd#y; z`i(a4Ws~q^1#;(=qNHLJ%?mM=UY$ZfL3x_S9qyKwDA6D!`)U}3B;>)o>yBg~$bq9~ z{fJ^7j#%ht? zn|^;vnI7(iXJM3?z$Zx?qNP*@VIgB$I=hP)KOR=7$D41i z(9b2$P3;rtcb{}3sx}}bxB4F1wu^E6-DiPC_am0v&}_GFZ>*59I2PHRWYl;B_|h?sC!1ch zC42D?BnE*34ehm_Vbz2$psh;77n|!3@0wV_1!;(FHMb!WKBVt_S?5A%L#4qC_X?Hn zl}c}_a;9%%meFtTsXC$Ks0Okgh2fC|6DX^9N-wF#O2oc0qN-twS0sY;qz^*Xl;^DO zId%F;phZ$KY|6JRh@kZKiqp?3!qVxZbW3o0kM^3c8)eMkVaYlvua(4f+u7@>9YODgjXru+C^{2^kRiXwLK(9T~i}7#SnSX zWnE0Vq&_2ot>3?s`go5P6%$$Ng_Mr?r4hss%n@t>Rvu9krKV=ojU1a?UiW}8pnxHvH!^0asH1CEHY`cc9MhGIP^9?y>H`ixi zQcA2n9Iv#q98=bkxf)Ii>#Izm@Mje9!U1bny-CEpgit4{)Ki*Pc%=JQ2-zJX1U4~% zzkA{D{HCJm#%u;^P>r~a<$&p`Z?8x@4O%>f^a&OM=yDN8$Zgj`C4^7B3ZN{p8(+wD zQDYIF`6xHkyZf`PC3AiT%it++=yoruXFcWkTs&UMXo6n!xRl30N&T)sM51y>B!2ia znI^uyxIXktJp?Mv&oS^_nMR_-`X2GfS?F;T_BI@3q&h`BJIuUOAuI_O`=a6d5VJO+ zTrGO8q^mTRqiD#>QFK+L8V_!7JlA#nNuQeG@C`b~%hndX=LuDywOlm1uIzasO`ZUx zK#kOh9JzMlPG_nnR!a7b%5h9MzVM~>V2*KI)otCI{zeTq3?@?HMwg%7zINMkqOSU2 z$kQWr6&E$~uA-d@n;w=M_EmJRhGu`~{{k0|07qO_iW=&bajTIHxh z5GpZndAEWT>^wQ+X=;i|HI8>muktx_EYPCnnv3cvJknT}fYI2wipzgC-NLjD$6Eg# z4Z>Sj`UzKhnrVHJMCAT?-C8B#we-HodPVV#r?vS}F|y2Wa;L>b z=jcbyu={+Wezgu<8TkGq8;$jmGkknDNKSAJ14g^H5eCE8GWwWuXT4mP_OIeTmAAY! zXkMz5c^_Y@HA1LI;(?XkqQgwL6v`)o;5YNnw~pC$sYJ1|b5oE(s9@TY2gcblSiP?? zrt7b54-Q_tedFfiNfp@9erFKcdfBjjD+@K}j#naHknOXTeL}QHm*d;%&H@NfYEAg; zj+y9Pb0vl8P~`XJGWj%$sXyIExMwcOD_q6Xf#K|mHBIUDdE?sAsFK`+_2GN4M3e`# zhyrqnc^36wv|B#xDW$6L>h9dm%d=1rC3<+{ebY%euDlTY7uFF6!UxzH-sQ8!&^3uP z1CM7`EoH3%bq`m4bDDuyNfp=3VveL<0poNz1wO5bIx$;&viCSc`-J+vQM2o^jIiL&JQQN5To(4)z7Gu2l7S~lhkQ|)dU zUy5T~z!SzI_t!W`VU?qU3D^5?Gc-nSBsBBlZtksBZwKIc%EOv#5GRRBb>ivpfA$lhE1V?lMiCx3!Sxc4B|ldaZQX>>EL%v9$Ob zJP-BZpl~6u;6B5uk9S4#zI?fDgSd6)2nQ|oP9yr-XnG=bhZz1zCPh<1+=Ibzz0oQxdt)%Lc zFy379m1lBGSZ;@QmFv0e%?~#h++vuzA!F|yHv%tfV)n*AvhPN5@g`Ehmp-|YrcotF z-hT^!MMx1P!INm?NOL@i+bf8(WW{a!pa}sBxhY_9e=LaMm^R7hnE}()E0A zG5knl(J=XJLqWfT11n>Z$_jKrGd&$Ip-c6P4TyH!2CsA$UFbgy8^sD_h_4f7QzB+C zItsE#H{4Hl#ihy$(xPUSWUwvJwl@iF!1(rMnyH?rupzx@RhPo{}a{a`--yHXZ2V9Cs#(O$cfmb*wg_r-W*QYWd2IGq>3+B>i9btVy^ zMW5Y1dH8%ps|jz6y&KMkwyqy?t-22TTzq_ceKe!BTJy_Al&Mdp-9UzK|O>!nfV zT7scCHF7FrYQa~Ba%WtRMpUwj!*GlEXi=$Jjb4&)&x4iO@Mi9h0h%RXk!eV)ImPBn zs;-EV7-aD+8eVp%Yj#@zJY&Jv9D`9G^d8Ben?t)rHk?i{| ze!EpgwAeHeyYX#93z#g+q$^9Pt5JH35y4eNLjFK03-T*oN-jvbd<=c%Bf>C7{jzJO8CpG zdzx@hyH~1xABWnN_}$v9Z}m3Gm56*OlnIsQG_@43`)70>s3=Da5$E2M>pLM6TG7B+ zCg)}#bppdhlsa5%S~;athlf141uWL7a40-d8oQSCg&+2(UQ#Vs^k2pqi4SMhvcT04 zbdO`b1<}rgI__TMs?pe05PsHxjslepCR>p|mzTuCbZ~3T^=2mO3sL%*oWnfYRa0|h zYE;BR3#B%0Zv6pv6vmTb9Z`ZsnE#~z^O;0fi9}*=V1mV!$LvHI9JrgC7OGZI@nyTk zvJgCHe2n1Pn%{FHCIf@~F5}6(cr8!*6szKR|QwT}8*DEpHkk*{cL7y|au}dLS?V!}L!wRDl zFcCQ!EL$v!a~_yyX8jMWat|23E*>Ao_Ur2TJQIYB0U>XHlI)@k4N&XsqbD4@j_U*a zY^oP%%dz?ax;~g=O7D~x&pi`WB4Z0V)NXNzl9&N=T}I%wUQ`Ln*9sE2F!jcn0bBU` zhl^=NH)~gDys+xhs}%{diW&S98q{MxYGsD)%)WK&>eCjq$Imp6Ll7YnVK@tkNW=JN zC5>itzFIaPc<+zUMxU$HMprIb*d42`Vj}RaP(0P&6dc5J)O*sM`Q(6xNqGgO z4|jxTOP?{UqCc<*IFkh=jGR*9KLWKA8yM&I47J)wRC5zG7ADFUgE8&Oum?uJ*c<_- z3pz(-8!d4c^#kpM5@gO1rtpOKTG5a`#tp?rPKJ}6R651|@Y)#5SZ)6H%rdKjOigRN z(n39$uoYD0Bk&obpu?-rC7CQAL!)ZUIETCAZPT4iVhY1Z1@E1q9MpRUc8l4)eVjIr z%82K{j9U$6P5|agSU_?{LPv_Fhqe|_q6-R_AHAC)|})-W7$S}5eW6SoVIF< zH5@v6{+6|Qc26b1I(@iPHjvs@7Ldy&_$6HABN^|K*mTj#FQR};LLz-&gMq81)4(tl z1mQicD8-P`L5sXV3@}14g&>A+*7+gm!I{Pe_yZBE^Qv#KG~V$fsBG^SUw(b6SU#j% zu3|H4dQwKYut2^$dPB3tCT!;cnT9Ex{7JnrT)=QnS-xe$8Lk$LLNC1WIl{Umo}2SffPOu`N=&eAY?XMYZc#M0*DGIK(U zAaY0jI5q};l9Uf-6PAfXbLH0o9*M8-bA;B?cz}$jsexbPYn_V8b_Zgn@kF7KOCgis ztk3YoEm{}6Grgdhf}Kt>Z-`NzK@7<@ibTmlHP;f~EWLI9@^P%=)R$5!G@t!;(m>p4 zqaFIt+@vro+c4m8%EDz`L}u1o#BDwjrIGajBM)l>zufw#MM5XyUe0$z>` ztE&4m#{TXUXF8mb&V&xZT);qtYc>=U?krAhYlw}ky6Itnq;Wo~9D`pxIUx*8t&6B% z%2t8gy%;~xeQwv$7@#U|FhQL)!Svz*PGUV1*cUvld!z1y%)5nw9)Ct$i8vdk>JQf) z>|1w;pNa=xAqbvU4Ft|!`y0AT$dXyNvR115chGC73CbqSep;1j*g#^Ntk&e33G;y3 zEAVf|fOTAHsi=5d95xV|On6RKqOat(YJGTl zr}I#svs2U=9 zAQ*eubve=B`bvVpD8@Cl$m9UQ1Ml+zGlqAD5ylul*bu}pw@Mj4vqe!p?g0L33*;6E z_m+P8BKIIfVwqgh!p$@LOd54{GsDN_+q1SV!0dxabEWmrSL1j?1{$&zaYsYs*IBtd zKZlNJhDB$PFlAIh4v{#4A6*K*&J7QPfa}0cfCEtcvM+`wxKWTsa8AFl|NIpFg`*H! zrMD-K#5N~7J3*k_W1gR9`F1XWRPv3(dwla3ljDZ>6V;411bF;lyH)xdY1q%c5{vvd zSLegQf)1p(Nq{eL>G2`-O6pyS&V+4HM|l~s?sOPDQ&wRC4gVUbR#jXk+5omFE75Vs zu=kwLvyuT+IUVQ&H$taONm%qjL{>M~@36v);X`+0CR`K(Moj@AZtWPia>!XOI%b>97IzfzqZ zq!=62%_Xi$X1-bY$A;b1yBm5IA~_r|PuBQ2f{^p|Ti53x_7PeJSNp1{>V46UQmfH| zs6>(+$%jRVrcvM{I~T0D{>Ktwtq?CJ0Hv=y0#3nH_A0r9L!Mr5UrqZ`O$`Pa@SMYwIp!pftn3*5v zcZBQb($MecTfPJFzYwnP8eV@t&-`n_?Yq$lKo#t}vB|fe->Z3lo^$zOhVmWx|1Sv` zKy-)|z!})+S!vk;S|`lx0D%PnA!B1;qh(`f{~Kk6UsP*;*s=T{tnA++EUX+XwDf>k z3UQ&WXr9-lD-wBQVQ}m4a&ME#q}LX68wcNU z9UdH2g+ZzoQOZfk+B_V)S!YtKd@@(H7e(;5zK7=pdI9(&%7zrdoAPMr>Uf*hOCb>Q zi7{!2ScLeiekTgLROQa}D1tuG>xQSSeTJ{u?|7OssPG;u0-sqgbz_WO-33l|77X2| z0;H$s9tndXg}Yncw(vD3r9Ilb20|0<%(VVg_TH$!QroLr7UFhU6r-FZ;>f(%u+tEB zndt8J;MjOZLXzmb(26Mj=0P`48IxE{R7H zJe1|`W`h@oQix;*FS|GFzRF~+SqxW4Y^7?}+H*h6L7`E-*A*nSB1e@#C0~%*am@@} zd%F%3a=KH~Gaa6YYXT!5jQpWaeB9l!5L?+aZV26VZ7hD!*1<*H3#oFpC3(v;){(_C zZ+kcQq*&QOYv@c-?FR3uu%9t~|E`g3JW|=q&5u{}?dW8q_M9h$091%3-}9SLZoA?s zDK$117p7(%j3+G*_08(Q>U@fad(~;}^F&YoX;RF%coj{(qtDR>?J-cKWv)_ex%5lu zdb-eJYcRS4gHm>w(2Gogp2F|RKT2bG!mnkivBj%$rYoyzWf(3Iq*`eC_mGqD>V+vk zyPxmowP^y3yBTBJ-;w&j0CZ=M}?b@hEb%AC?=JBvT;cK&N zJ{l(FoGH`t1)4;~O)HG?WT{kE7sa$>3u39aB~Oe^*F32EeK}KVjTIA*R{XeO0$_bVHR0U*$5wOl27!wT*?Xp?AOn@#;FQ|Mp3|-1r*hDymag0fUSffJ9}$r z7(+utM=#yo2}y8^3+;&IKzz5%;;Sc2cVh;LEF|AMYe}UEI28<-;LEEh@ov`?bt!}$ zEwnURm`T(hBX2l@wh;6cv21o9Z%>Bz;(SI}2PuvtAtp|LOu}4~j2JMV3G4D0uTJ(K zcx0JyqK68Nv7J3DZ}GuDeff$+m+pR#?~B_$V4JI7IHarj4V8?8+$ai0Z#4B9jFbvis_bW9`Z3R!*;3zwHg-f7Onzm@Q6kD zJ3|El_TbX`t3s|7MEe&KR#O%ws^^Z>g^D)#jw`Gm24|_lSc)(p3QUciOyS~0;vFa` zgye81hW)7uQ?D)9MUcdz-?X|Sf8@FooxyfNyvH#rOb`q2KHfM_!cNQ?HsYZq_RS!d2h3}O|#Il*n;adP+?D41p$nCQgA%X>dtSEwYDBld#1gw!439y)E1 zCFNs96HLqgwkuF)+`eWfno9if*lWJ>FOjbiDC1@P*T*Tgp-cpLAvb*qx4P3WnRtP8 z`fuPf2)RMq5h#zdKM2*-m#^KJnlt6oLr&w+_E~S2=|3;Lz3O$QnFLOwZ2~uy9_V=W z@CI10E0f{t26I;d5FEve)s(I`HCy)%eA}P|HAOFi4VN~KlomTKM_UQ!KV~Nsj?a*x z+7n>=TM!{BF3}I&&*A}<8*=eecQ0r`tr8h8#5@+^)A09jGH>^W7_kRJP-FT#49EyJ zA#CgO?f>g7b-diT7PN`S;WT6<>Wq0a=OfW6Qov25rR5K)1N%L=gEfbc>t=lvhAPLo zpo9qS#2^ust3A)Try}DCbQYPFPfg>!a$EQG{4|~tePyd7k;gsfUhtcnA|NGVOq$jY zHEkOzqTLQSgMGO-tQo1CVw&M26_t1?4aK~D!2Bvr48qkOu@orA`Z?w);z|GcBdqs~ zw3xSZ@=|RC-}RuqE>GrE+cXZnd&Eo1louuulcs4PWUWToehJBv)+E6#wRw-{^gw!C z2*7%(v5v&lg@boM+oByoDMEH4k!R@k&Byd)AHp6>p7IaH;t=<*^PsBn^lut#jx6I1 z(~Qs0AQG>E-~-e89o}N*9u0A|*SlclESbTGV4n*fryMp8-=o?I7iB2DzhbHB&>YAh zT5Kj(&`x5eD|W--)Sj94LL|Me$s1g>xoa3(E^EbYeg~p}GIiy?7!a;k9T2G1Q!iAf zzEK%qT$p3^)I;ZrhzZk3a1ud$jZ`JfuGBa(q&Q3(RG+uyrGl6 zh~`rDMIFB{DR7-zIz0j+cIo4x{>RH2v-BCP?6=}T^9)_;P-pN^J40M4NIGNZ16T)4 z&v<>1J#>>|HZMOmu#NbsvqS&~r6N0)gH~cYu5#g#?fL4?9BEvLXwH0c%XbmG0MEX8 z#&;w1n+d(ipMiO8p5Z;yrKQ7>+1?FufEJzFZrrV9&5o`63|4j=dSP_f{mk26`slb+ z%%P*wcG~Y`^)iu`B+gF+O$LY9WaJJy%v0fzA(P(?J-}_;(JCqG@Vb72e$zE_CsH7|^8tS9`6u#t@${qRS z@~O~!gBPYTj*vQOM-kV(_a6vN!XfYI?_C(&-1^b_Y)TRYLy>KAtcNK3{JV&@P09tY zd#xyALrn1{lNqCDXj3aC$-Nv;4hs;v-x-c^koHRHEF{jMrb6MP%7>`lxt!Wu_3K?3 zzHVa?Sn>6F>BAJAxoPS6oS1=j!bjxmQZm|Wb{HjtHHGDo^vFQWaG?7YHH$2P^2m|$ zy&9qh!!aI84v1Z5LjOcPIVL(0j2I)edswNH@6mR2)JD@Te5TCNwg$_-Ops8ueONI^ zCrH}o4lgTE52JM{ddsCqU{aM;H9nrM4C|Fdk9Xa)+Chn7 zI#~}3Af5q(teFf#=h>NfoSDt;D`_HHy?{>+p=)JTB=I5aK&dmm_xNe$v*_C zrcNT5M_Y`~HVsu|9w`h2@oO*VP`E7fKrP67UQ{k_d%Nkj-#L}@N(`S(hDI{Q!m?e| z8br7@BphfCpK*WA9B=MN~ zfvkvzzIegXOAZ>`D++sTMcr^H4sE6QJ;+zjPcwvdxZn#dL{xZfZ-)|Hzv#e$#8`pi zrVK~he8bQRdC4to=&hHCqw`KrNIno1N#)IB3Y;%SN7BYLUFY)d7u$Mdt9;DWK=OIhuBG2O3 zpH>pyJ-)}%szsKh58eeYPMOdH>5zdbK+^y{y#pdR%?QUF9Wo(XQ8q!d43*eQ^>g58 zcFqh)44uXfz4r0u@VcU1LFS6lmEYYi{k*6EiA0Y=Et!W0W|PIwoRpv3S^%%hqv(KJ zg&#KiLJP=Er}$M6`tyyb039^)cn#~^60q}2vvs5B9V8R@($-PVl~0ttX`QK!UB|!HK+1FYF1OGH8)6t+7MK zrm7vr#=R97*5kba9`z_$%`h4yc?l<_un^nqenAsX-u*p;7#dlt_@K0MRFYNBm~|Hw zP6C%s*i)nnrx2Di?Sp>Cs1noMqH&6g@>e?%F~o0^eXwcnhIlO>)4dNj9~*gJr|1l7 zgPT8cy2MGeid_ztp6z=PwfgHM$gzGY0){}<=i4xaE!7^ZBuQQ&Qn=zH?LgB1-52%G zl>R@YsJXzrVF$mQ_dWe_vHx%q z{aJP7j}*$E+5!IA;RDbl{^Q<$+vlrFBvjiP4d=oEEHKd z3ZnElydm6tC#Me0+CB=FEB{(+?^Vp@!LrZ{aJ!s_h>eT9IwYq`4Pts51N(Y46iX-k z)R~ej@%SxeDq6NXuEN)${%*oy`Pv6|doe}-vnA5IKQG8d|K?ZahkfyX z!8G4D_0O2*yB#v%rGNOV@)M>3WK{onLf<}p-xu%?FwGAK=I;yr?I-CUenfsZ$jktk zllX`D1fbJqH(!GcNV(~xiw_G^@N2wD%i}DFZjf4^aNJHwtg;gqtNI#9q!|6a`?CQPxmDV3-U1t& zzVqd3e1}32(^?B#BJIiJ;^J|(Xr_`@F(FJ=*9@gVrIID0GZqY0;);K{Q!w3F~vjwiOU&4zK3I>I|T zO0s_4vk_#-NH)d4ly<3!*K2*Qba;8F6sJQRZX;Pt2aR$dD&F5jqttGOZ0#hMw*QWK zY*kZsu_1GrBeL&{LuyugDb(@4=KAZY%fPFW_hj0R4tB>4{YAFn;Dg6=?f_*j7Mg;> zk^+h8U2cR>_teza+z$#9_OCtGoB4>1T`GH$lWuy|M9X*bTNdL2jHmD`jak)c_cbRo zwfOs)2vt7!cD2|II-xM@n{MZJ-YFS4=37KNX+y$^v<_itvvi>iDk^TL}FxJ z_UV#*H}vBvK?m8i`|4$n)3SC8YN^)?f^@s}9<-ib3EE8!++JQDo~M?=*2pl{o?s13 zu83fApWJLLhHsx?cHW>Y6^CwOC9S~1)g?lPqPb#UJ>Cs?w9aE&IUF>yw@vX%hrx%? zz7|wcI1Cn6tx7f11zM>+r;Z>77Ojzzr3tlAsyVRF6+uo@obuX#U$cO==(=&!74irr zW@xDUsO+y<{@_gIoZz%k!o~`%OJntih+a+ST9(v4gVsm;_Q&OGa_b@n&V zHG(v&Y*=oi6-Dhs>Y*2$M$Rzs>~z)dMiutV_)6ojM%}j1hpgy)cJK3g+foA4kUoKK zt)L9eIWddMYsszFFKyL_Qjn)v&#d>ylQbN!|^%sSbkivz9eZVBnNj!rgM3>(% z%d#6BS{qo4_pz^3v{AB`=y{vz0E^c4`Xy)kBP@hBqsRL!W{zQH7cI&nb`S|Tzmo-& z|2=F@&kmwBHJWe3#PMY-lvZxU&g|iE=b&(CT@uAqNEHCIF2Ws7B?>4*Y>e+m{ct3Z?8*=Q~Ad#I&^Rr6T^5PcmsV0|YgHe1V zQjmmzSBG0lL_&1a5g#kep!YMjfpT_1Bu+m6=7%%&FMJqK9F+t)aJH400>O!3j)u%i zck~3&>_z6`0k0FCM5#*#Wz-QSB2+HX0<9sn(%voO1PLHVwtFj0Gp~p8RB6hJtz~-U zl7U@oAg?+~g=eKggYgqn8eLU&>GvK zD(EQAroE1lkLs}0zYqZ*6r57coR#eb=`Nz>D_UryE>=UA3x@NlD#%i5SNXGiv3 zPd&5g8Ubx$+${@>IOWF*3gpLf2)zawxlbfLh*Q8=Eg-T6C%*LF93IUg4iW=t$PR*# zL($RYWgr@%g9JOG^VI*y-k`)C{K^cgzjD(R;Ue7^ESn-wj=UKf>OHd_#K>1acF}jO zcG`YmFY;hNWMtoSzoADSncQuCZuYu$(?gn(8|moQcCf@<=c<}<-i^=h zA~!p4&3ywrac-V3+j%2R`Z|9!OqSUGI)BvB&Rs84htUtaByqudF{%TC3XIPQFtcjN z2mI0eioUOby?li}L0bl~oYEjVCJ#vhZ>Bfc?w;SrfA_S4TovEVVfU!E2Qm*V0VvCvN3ZG>@^NZTkFC}M+OKS3_CP1K~z1KQly)f?-SSr$Y({38(P zkq6|A4Osw^aqD}7)7{;#47{1BuS#CHOP5HY#G&*`j#WOigK7;jzwL$^gVwp2Xu>gI zaJ|bgqYu5mURp}fLh5?&Bj-USeoyV5T)U*pm^HKEb-aS^S@cDyctXyz&7m#q!eZ5A z?U=rYkwGBMkGR)D8Cx zzA7b^dshjJt^RWfbR*z#4YC^C!}=&aB*20B9c<*c+*Z=c=k@nuTL*`eUs3SVQYJNb zF4-nVpLT~Ouq-9FR?VLLT0Be(5{T*Hdm}qAww-{z;?Ex;Y+*TC;j;>Yv*EsXt3Htx@Px}UZ5f2u?OGw2K0x<9t*2Rot%*q;1z=nF{A zp?VINB9;a9b__&k35$V37afjeE;cxZzkuBd6sU<+38r?5UZB3eyzdd}%{r*-S3=FF z)Pf)0Gf$WuTHZ51~!C(|7hbboym{Xeb{YnB`_#hPoj7 z`HZ>+9q+?X6U&yiTS_nU>Cr$*@ypL(EjdmOr|00cI0!A0-nv5|q?eSWUm##aV~!CR z-$(VzfHy^P8|h-iM2(%@EYqFx4iFD{IAROnDk|GwKgST1Q>$Q!1R5RVTt9DG1VE(sG_EWs%$lUNQDU(*5ve6 zyT`1ylO`Lp3Gk4jvI5)CtfDGE2-a~@mKs`Pk$E+1)r}unj z#~~$bx2KXF*4J$_ie(AbN(y6Qd-D#g`-2|g zrz&c`YQ0Fh-~?pTmQ{VFqjMC46?YA|MhxQYRxMu}VaPR_j7jA=&=oq8R}k>bv9<}_ zXRO1Gae=C)+hH$t_xZEqN8DS%=SzH09E;)asV48K)a-&^wUmAIS*=-)u7>y9Tk%;x zpGygb3iTXku~r}Ug**X{k_MWpn9(m6eL?ibLmtg*d*3P-iPn~QVWxFZlEgDDcHT~w z;Z36W3vR5Yyr!WsNVffRqmr}|4puSEE^&6+c&zeh)(n^uRX!MN#hyV| zrCTqLu*_-7mME)MT87u7Jm)BhTlhc^*q`(6tlbL`U}JPWc;{?1(3rbI_y0_bUN)F#lg$yZ1wzR>aDS-0H#E22kntAkcA&nqlW?~M$ zTvfDYuak$6t?`hjc92oex@Ujcxs&*TTv{a4+lFCgsZ-k)`EJ&zaS<_iv>VE!Fu^ zHQfjbF|(;MmX7xN&_QcO+iL?cI!i0B^nDg#w-XK#y|-TQW-y33GNW64^s{v zzDamBHGJ6HB?Rz^=Zbo^pz9Zz_Tgp&XjhkJ7!6zP?K2uGWC2w%LfL}eN|I^g^Vf#T z2Yo3<_qK>Ixs13m)?AQ9u(-mASETI>T+>obsfc6SSd2YYjPwIBx&8^@E zJ_LaVsuoPxVn|vsRLl3ptGVurTG>mhpE~89(u6(=oM}tw^^3*qF z-(?^vYPTa1B;!@M%{@ko)4z&_KU4^$0+N7KCiN>#LBX(Leh;dwwIJgur`0QlFy4YC`pT;wTNJ z^!rm9SKcsPANF$l1mhA^&_avSA*F;u(Jl}}*pdvfSWf&X;jI-2u|AC!+(%k-H#|cs z*nNFr&MU$>%LA14wv`H+6h-XJSrUg(UVemf9jWI5maZ>o;srODths9f;ePLM%w-8J z-7dr9Y^1W)v(!;#!k5XM0GIkw^+hb`MJ!K`y~mJBcB$don2ywO;|Iv_@;hnL9!Sp_e{D2gEk#IUC$Ab1DY=1jW2iNlZMUO<$HudRNAI061; zf1rlnBhK%@;?EgE0BHISLjUK8^SfF34}|m$%zagKb5dbj%fRXR;_A@<-U#3 z&$HCysE!@7Pmv6Yn_?yZxD%zIak&q3KwFxXTIZlGj0~e!-r5G7-`aQza(qZ)Jza_d zJ>8nE)$=6^LfCebW;&*S*ryicwp5FMO~vKyQS{utbEm@0{79AN~qyP_Dxn7^T zh8s~XN%Vv~12J>dlHR7~T~G^-y9!R~TRu8ZmOTYTT2!IOs2+j~qp+9+xk3;3tI>Sv z2y~C_kFa7rU*%Kx56D)Wf%9MWg_JdVd;#hneLYUgjlSpA>e?s#>G*CzM;*{crZ+LR-ZsWLAJUJh-}&#DoF|+lv`M_a z9W%8*v}re0c{Kq4+8m%9RjkMh3T8n6j;cn~F1I-%;XTmlUT<8SlF;X7`7pK@>SXblJzYd(;wO&VUN061k&P6*U$-KSkbn$AARf2?oo?-{ojh!GtZkU{cKSPG zpoFT!Wm-TJrpr--5YH-^#wnffug@G8#W~i0US5c6xG|;5IYy5*jFnEjXwglm_ISjF zwztU%{W3MDRO|BLDOJI=*#>=l^W}novh;SJOLR7=SxFt;7}er}N@cH+A&U~{xYB~1 zh3Zc1l7eY;ECveq7b!7N@NCM{*iRKs{qFLlySYW1u2Q)&ojzW+i@_;I-3@3}S90WY z8$;$UdGWh>1UjyldOF5ArKdB!tc9Kn*5rh)B56>c+ITr{&oj;kfX?+MX4Z=gUA73> z<;8?0)U56(0_aIqr=T)Xa+7t*&Z);GgtPjk_H0uRzP2bHZWFg%oxsb}GQ-~4cKw~Ho0IZR#e~#{ zDb>2MT2>@etqk=@a^L|J;L&5_wrWIDJS#$h+5qm4%mpj3gA9Ceu0=c|BnB5j^Dzb_ z(8*UHTiZBLSc#p-*Wpp!p$$fI!PD~Ps}i=nRVrhUumry*Q)^=xJz?UZvGAAAe;P9P zG&Tb|E|yfQ5CU!mQH_8x!U4eXwar#o-E^Ppg3@B<{n!E;p>u0_x6MwGP(cZwz!k3g zszsVCKaVWJufDIF7>bHxQe$UrX&1(0OOC3SR8nn~m0ZIKUIJGZ11o%%En|Yh%!PAZ zN^OY?3bOOxZQC7v6DWi+pAErWmd(%q^416r@0wfUgGrH40hee&;Y-$)6edPUC$)Oc z@?+z90r@umD~T4V_Kw5PBFf}J!;{fvFFS7-n9L>DT(HI;U^^PwUE2rjlj4KVF|fr{ zfhVyfU!7RSTOAH+#!)*o?OEPYha*=-Pbih?a$pBE5vzK}Sf!fc zykdj{Cr>!*cQ-J;R#v zKzyK@B2NAA)mK=`xX95-|1pY+Xx&KCnZ+p3f6$d-GqbeczFMlH+)4*SLT!)b0FTqr zcx0(747B#uDK36Fz3!6yBb6T}#H(w%Dm-=g*RI~Z5WepO(fCGWiB^PX>s;K=Jd46x z<31Lq8MEHyEYefE{g)UPfN3OPcIB_w;TwYaFKhfZ8v$^41pu#K1Ak5#{brHO0JH+|X#Gv# z&w0w<1p-Xk=>cOkzh3b#!0ON2`3)Zd6uSYgCBFv#1z7zO2yjYe|Lr~goCN$&!0Hdg z^w<2{9}RMJuK_9vjP&2ruLS=LSOH9d|9CJzQgRG{9=d-Btcumt|DBQ>nK#JLb3vjs zZN+O~#;mZkKsW9PEP^x$jR@$AChrwvI_N%*`se_2SQnyA6cXQI_c+86R&KYgvz-@% zU;1__jcHYw0$G858iqVWdL^hQGQlpDo$V+HYPE#gxFSX70DZDETVUr&tF6}a-ZX~H zb`9yEnE_OpF~){;@P&XsG3TxO<9YAwWiKB&nDke8hP)e!Rv#wq)CKo0X^?e3E{t*t zd%TO!vFiZYwnQeL+e0umoZ7d--nwD=I`85Mq@hsWLX>i1LJ1&k+rJ`dgRE?Y+$Hw) z-#XjuW@p3ep5bY^*))GgdU>UB!y}^Koy}{$6&P@Byq%YaPY&C7?8$?D;N^C7eH{V> zjueDhDMd?`aqk>6nPC&LSd`H1ptiA9sFJW91Z7c_PXkH3z`d0tX`q#7GZi+xek%um z%claa&*BDGilE7_pw3F#;rW*du$uvR$Aq(CFw_W)>mG&5S z@wKWS7)9956qeP%SUlcQHifyVNAK8Y&z!U{0e(Df3_qFof;z4Ggdio@ZX@d|>jfoR z#{xR=5Zb!^R79e-sV%&o4JlfZ-8Gx&+K9y381+C!gx+!CvzAF{9)hq8$d)giy;Mwq zFl;I`PhHk-nakvS9eAA187mD|gv6z2 zyA3@W*H!Sp;OjiM>OWr1jCq=)ip-O4`h%AY%=C2wL7 zeNw#k3XC((L?fhCv(Q$ffb#EHnfK7qb;`qA4q|lhzJRcRum^0 z3F%CU+s`o%6579Wiso~ z`hAwS`~B*4O^2fF>>MqvvdHbgDzN=ax~PY@^Q*jPV*5}wn(@1mEN_zM92xzPeQHiU z&;0@jPz^LE7P@D z;C|H1vjf$xc2e#dk=}G#hdOVfFgJuXBv5_DZIbzXpg^5$C)%Fyb)=42yRMUvgM(J%Y*_CZb5Kxsjb zE^pcPERn--WHEU;vQ4_kFIJm_n<-KF(w557;Awi}Ke($x_koHY_^CB4e-W5DVRyb~=gGB9NDmL&Lg{mXg96{}Bqbrj%3t?J_Cz4qyM#LVuVZVnLZ8%-+4^>**>=4NvA~2r9kA;OfKj9_n_dK5yB3_i zcab0Gw?^}lQchN6nv0P-#+7lUO2$&GC|6=-8SBk$#v7w%vQk^z%aPHVCy*|%s((QZ zH&kZe8)vBQZK=8xsj)Au?~=*x+qR0W|Vc)QV~&TgGZcrQ2VnFoC6P`5bDqUt|R8r6vJyMD>| zdW3NNcCcSBH2-=}Q2TVQ@gQ9+!P1dGm?)IzbR_;td&1{^mXZkWl>+frD-HFt%}%Z% z;0qbH=6t;;p}UyC=?3a&m&OTNAjf@Q+>)l7XtZ3l|6+4@~+O37@ z`7BRx(k{?i#0hDJ^`(@ox(r)uq$&0+!e=EQyUc5v{fPx0m6uA7*b*aw8|PBQ@8grW z_Jw@GkWx?YJ_EmCQlmsE)JrQsh1<-0PC4ELKXa?|i~rKoq1bal$L_x0)p64Gj^B}tD9->1RuJLQR->*n)a*_p)VAg1V`+6r zF1whHn*(v-@Gwz~1uD7pmg(6YO9BD}{~E)@L^v&25|i>kvxh}RF{4a$J}z4yiRF3~_z zeZxOCH!x6H<>J-emql$K3Uqd7@NrUonc|E!*=%)_LNVOy35W*)?Zxw5+Z`9&n-PCz zS$+x{|4ZHn9DFSe24A?j11p^|DU^X|Mh=A0Q0}r@?FXqnoiz9&)&t_kbq9o z)Y1%^PSDEMz|dCx+gs6V(!HS*qZ3m9_I~t$fp0lOeR~4+ALG{m@|hyPmZ|INC-cLB2zu>N~p3;-8IRzSAzpDpaK)7OlD^`l|@{xtud z%`gJ6{2x#K8{q#_;P2@SBg4 z-{=$LZ<4l*07J$9dUMR*(!{^%6JTWg_JR5@OZ_JIM$hzXO9SKgUxy!o|ACbJ#5VpL zDfube`#(2wWMupeLt$b8w0HbNhSG#JA2Hu`=>hO@oCHDdUp-06;o{NIZY5D3`R&0IR zEh|2a6}0Eg8xdy;8{oAqOI}{*TTffH*x;h~uh@yaBc!*Jl)^WO2`v8l^m=LNt`N;Jo^cD7aJ>H(6d_|HRm>V6$Hi8UGxNP_~am3tH94LQD~07_livOsvF>JEV8==Sa{uNFeK2R zZ-YVvU|R#8?wHb|rY9|Zbktnd&$QjOw|!N$;oqWH0AK1`KHb+LokqZL-YnW#pmGRoR4K=mlCc>0Ff;eqlt(!NJz~`!A+yvsE<4 zka1ij?zz(wkCIoiK+0}*29&{E-a;EN@5Q$QsE`Fh60ja+CNC9b6UL0yVV?KiX;<9b zwnLTA+diwP7Q>RHpt2BIGik-OIA zbz6yfb1=hj2X!MGx|^pC$DS7CevgF1FGF`5E90iB*L%9p0xZ!)&`(<&A3?Nc&aCJ} zkHiUnI}7hJnGw8t(QJkgbGfR9@nX+@%SOQsMA#P$E`tS2$eg$4@gzvyq$e?E&|1ho zsP%>&a{79FkfLQlNPn+24VVBkQixuP35i^Bto&_*-|~|RI-1-^T6FAg-(th<;)ekV zf-Gj>p)!I5#0Ky-e+Pf;ljCR)`80n9Vek*w=tze#ET%&*3F7axkY|Hmd^$M$I1q|* zh)0At4<&N7eTwm}Ow$`8h8Nq|aWl>QqyW#^ds6*C5*4&sCtAxe20=FJ;LwCIg?Jk-}(j1D&J9q2IRc;Ixz z9rQ*u;Ha4^!EiQ^o>fa(wH$C$IZ_*l3v6cMQ6}Wpth4Td>yJd#w$%lWy9)K!YA`3%FIYfNzOH;MnqdK1qWV zgfnCy$UF4|ixtt%m&fz(l|=Waz+$_k;izLtj#U>sD=kE|pP{*mbs~`CX)H?3#YF%c zyAEx!uq4qk7g$fS<<#|mzd4-PYRzwd>eO$`2o%LIe0>D6u}~ul|&nfc!BxMh9Sht>i{-BSwFV-I{*wgMoiJ)F`8`wZ&042 zi9)mNb&#XPIvY6BOiL`Y+n13JGT#VF(I<;oAsH=YJJjn(6@pfu21B+L5i#7ONw;^c zcep(^5hl)F&xa@Ae7hc=f{goWhd1dNLgnPD+eD#bR(1$Y5D;QR=bc$%&1dy= zlEVZ?w3?9?K~sff)Dsj=oi9gWVYX|6w)^I4M~EUJ87 zpXweD72(54&UZ4tV^T!ko^$sWX-e{5!yQ(4Bad1L6&o_XPAuf!ZV{sr3AliO)Lw?B zo~WKlM8gQNzmW3oy9s$1kubi|c#T5BHw%Pne=@d@d8kLZIzjv^)=f>y9#a3MMAbRILz5%!t;o{T5z}r?^--)pu717*XVXq$>}Y2 z_zARGoO|GA84_7JLE>87))%8h?Y&U9#@0u?uuh_(o{DQu)F4(=`5w2`omt|-ml%ip zIEcaPLCSLZ&YMvo>xK{`91)<0LjXTG zH12os{BLvc2-Y${OuO(oP%3?)Tp2b@cP2YYsypNtMe63Cckv$U-Cxr%s7DiF6-KGRT0izmotaLBz)Iynz|U z2KP@#-RHZUB#G>c!OV&IrI$!e1VsD^~2|?{rVO3Dobh4qOktY(}lm-^E>Z62%x2PUT`KOg}`-qR} zqd57LTHMun)MuQ--Qj>VwU~+t8G;ycM+O9C6#3><=v}P12um_zm3+*+C02B?a)gu37>&pq686sT zdvOgcp(*Z~y)6mXxQ?yIzLe0J$bPyAjzuR*gb?9>)xr~f&j$Fuu~Bve%ot~S@ObP? zgAAg`!KD1?Ho{P(y2J(@HbR-K`a+c-h#Y{`>M_||e@QH&j#~_NVRk@#t>VxWYrtl_ zoU2rVx;jiljbi#OtU$v$9!?@86o+q!el*n6UZuBSB*n%Jhn=l$#Z80oi&|Tj9Q7-< zN+Mkk8M-R$BSK(8XzB|qZc{*fHvik`+7RGqsh_Xy)}}o;lh9j1BZ6UNa(G98+O6T_ zH3*8X4@uOAbO#n>sD}=moV0I+7T`{_n!|#FwLN+6m9a~-pCUfkm0L>@kgw7@biKqz z_{+FpZ3x{-G1x7C7O%x76FBQGMR`bk{w%e`pF+ZJ*(x{aKzQLWA`Al}>jT9LPI4hP zmG0m|?3%F*sSUs88-A{}?wm;}8PDlG5V!bDj+9-P*v`;4rF#8*N0>!cQPEh1EGL;u zFk1Nq6>!W9n)zA`s9(I0%p6vwGUvS-%UBj~wlgU!GcwrbLW%8uqr&Cr&(DC;^Ed|C z8(SG${;_5fI%q=atS<|5yWoA|%IdrsK>p1g%T>Hw=L0Nb2O0aJ`GYUA8FRQj23~D1 z^uqQkYsReRSzwB+fMN-TmnW);G`n*qAxlUrZxUL8%4`O@t8^DrfySB8IT99K-U^4-7$$7WcOXJJNO~=XZ0*a+!o=_0qzELtgUR zOiz^kSv=Cq)nHBgU>39<_^*Pr-C8O`tvXS*NOxQGGsNNu=kKW{#G*$OD zzpKmRIj`iJE(|qxWDjIZhnb8y{!`S;8L3A3MIJRj{i@G=IA%n*BMkvrrqXe)BxKt1 z#2NY5zWD?cH0_cAzFbOpoU%M);i1t!*0K_ny#gAY<~kk|x(&9dj-yxml^pI!{=!Ih zlkv(e#~+mD=A}n2{C?=YNr**BP8}4A+>;UQ^L>~E4snUc?Bgxl;Zvy z#pkEZPk*oY{7xf(R(t^eYsCjRvi=vP=l9qCAk66w5&Ze~_C zdM2PtnGLv$i}AnnTmMB-0osp$mH>XgTmL{&`ThRJ;jAAM6O<$s2Z4}}IUPH8`N`DabZlknTb;c6c#Y>C_k7KP^jJaS z7;nFq>4fmB{T)7nhZ%uc(0zEELOpOZdvzV?gczEhs|7 z<(~TLz?PEr{W+q$c$vfYKVOo5KuX!nYZTL)POpqfzE57sQCN+a;&^M{P_ECO!=KlNx~#>0bPnXn z`=!{a4&Ds}C_NF$2i*zcoONF=2}H>Mf-lw{vt*|}nD@tJ9 z)35X~A{3+)re-jLcq+$T3s14XjTDbJ_Lc(!Yb~yAtFmZR_u|q!V|@b2KD>fy|EeWV z&@(!=xHx6PBmUhShumB7D#fp|E+Zn?H{$UHBU%&(bA(b9!@1j>iI4K%zlgfH?vP|* zBia=51LNAbA-{jCiW6?ug+^)m7`oJ~8nVm^)Bc`!5e=-pXra@2BkgXCu z9W6>BoGgakU-$`yP7M_=OmQnJHtId1r|}2KuX73J3Q?MZ(#{>Lg1uFN z-Z-=V>rY;6hV>QxCCSpixI(m&A_yiVfhJlIv-?tljkbvnmL8wsvN~gJkQQ?r*<~-v?O` z5X|f&b96!7{G@4#js2m<5<>Gf2iB+Jt6IvDF};z%Wxn|#a4IBC#wqab@#Dv>KAD=L zJymz%b;tTrZ?n)Aw3+7;o~W-o`kMPhnCRGb=^tkJxjE<Y+D3~8xc>_S2 zO=NXlHXBPmu5B^xF+GU$8LJWna<7(x`7zCR8bOT|vC(ixO1i+lHskuqV!wQ~EDlK@ ze*NL>^2*qj*`b);kf+Mq<^8oghR1S^A90U}k-22))wOuq=c-qd{5l{1i@n5KUy_t1 z$R5}0_qyPvp0d$1EGnv;F)bT;tX>2(`HZMTMp}r54#^x^%6!9U*T*xdeqUBvemvt7 zVJmzQe7BU`5Dmpv|Jt+E*8;pWN<5`w4~ zadf$X6z#LEu{9`BGLLWZXi#K>HcO_pOqR97Jl<-r6tN}L@Tl$wJ+tC+tNL{@$hK5X z6Ut=BaUY()>(|edKP9)v-cRG83JpNWKET2OXd16Ymc%W*S-t?CrFPqPtoPzw6{L2= zDdIU%Wc$+BH{XSpwk;K^TWweob3Tbn+KyNHEOA5(okwvsT>E3kJ)H?S3HkP{d`%~2 z=RV@*)t+zbx|5va;4?>gYkpen-Emfl;HaOSdaJe|FiATy$tkE)kzQS6omZs*)|%2) zz9fk8y@>C9+2Q;1zFR+bj}yVfJL|0H@?_4BjZUo}SH{8w+F>_d8Pv4UB;k@xH#Zib z?AOn+@{gwKau1hHOs;<{cxXdkMnh@mBVJbX>Z#s{K5A1gf6gKMtmt;rp^d39B%V2i zv^b@JrJyEHC0WNSnk*efl|gg0|HaF#pMZc3g7hSKuCD)Ur0Qu*t4d16jiPfFs~7oo zXTdzyK|2@vmToF|(N51dM+()Y=whB##^CLKrB5*?PT&CPL#4rM5PonQuYi_MSB8W8 z-Ce~DW?Wo6Lhqu9Ml*zIs`p!meK(pGtKV2R6|uq*1;Djoi#j_d5pUhnbfnZL`iHrE zwR;wWWdqHu<+k0RLdmJEZBc9m3u@tVl&)JMdNa0Mq7>FD*&QS6`L2=0Q2HH3A8`&e z=}k<*Cy{3s>xgNnfJR}kqy&Lf%p^hLduljs2jXD_p;Vll5}CaZ1;@IJ$IY?Z@PKlc zcEU4PQuFR$)|-qP+oj2hyln-oj^|nXEBAQeYXKP?N*&z^n50$AGJR#0q+C3|B4LZu zRHx5Ern0^5X#764ub?vrFOz=<^8VZd`FoJ}J5cxqj7ure*<}d z-&fK6($@R^XMaGW{~Or*&$b>58*sl4u%8EXin0R(Pgs5nS7!hBp~}ENj?}-6dHt7L z_CL=0|K?o4juJaC+Mjtl_&_B8(i2xa~ar2lb6zxCRF zD*VkL!A#EyH17Uo91l1Y_-_kYIe>-0G^4*3{<-1wH}Ck{hFo@FgY(zIpEeKuO&tph zaHB3Thwj%p0I>b`Z%@j?2y_nvdyaoC{I%uz%e`S{{mldn_?yCC+n&D^0ytTKUBSP( zH-JAkF#rFg1T264So|@!$oS7!Ee&XHIIgjw{+9CBq{NIO?L#JUml>NL*ZMJzQ+p|? z-Vr>!I*>`Ul-TfR9{HKtUDLu{Xrb`^3&Z;+!fda@&FhS4vr9EIes7q7IQNq6 zUd;_oU*z{VjFgCI3^L$m37mTCW02uGsvD)2Jzh=an9>B47oR>nSgR4v%~ z24|tq-OMgFlRq2}wChs*KP_|!ho44+myldTyh+D$qL4|C$MgTnagrZxOcudSg52FL zH*%GMTY+0$y z95qYj>$`Xwsl`9u^}N#g{3xhpsyW9DF0ko8 z+R~KoC5>TXznu8IDsW4lgV)0e2Odp6LaX2i@g5x|1A__DHarN0rq?`XCC0{2Pzm~O zS(?l28O$yi+-8s$Be>egb!*J4g7I8*n{Thx#tyqxRx;mG4>@O%6M~%|`O$^{tBY#N z`BGTpn=!qMw2e+*>w|ZRg8l9(zR$(q(wpC^Wpp`-+p?)ilBRXA2BAo9&B%9Spe!bg zBAWu5B0jWS+!-sztDRI7s7j&cZm-)Tg9u=Okmb%LX&jJ9M5JaKFU$Eyv5R~b6?^l6 zyqt^H;CwC*;#;Y>F0Jj!qd_`I1cg@;U69ncb@kqeJ|uzss>XNir8d0lXqpN=#m5X* z)-f7YWtM9hNM2|}ZfpEwl3gng4U8$QB!~=W_B4kc()-W#7|#`@H&3u*Cs28SS^_D= z_U{Q#iWP}hLMfjX2EL2**O>{#4F}QKTNuQPKP1T&AyW%D%SeB~Wexn#PKSwYCDzr{98;zz<7> zzk(C=?QQqq)GE5M1=aBwTJOD^xf*V9hZMMxG)g%PpIm;!Lh7TWY-8&@!-WD<$mf$B z+8fZ)qsqbJooOt->M?8V9K3j?Q&{ z-j0y%IoyjXzB>u}jcLxpO9+ z>br33=fXWDh;5yG@DYTBmxNcroEumWT^;T1Q_s7o-wo&mO*Y&^RuvAx%*~ogQzIbG zv360WD@s4xW4gp&&0J9=_FfUxQwZLQGvVHLv6)a%hH!vnHJpJA82S3dQk}%uc;P+_ zHpz!UesDX)k{R|HQhBgfyqwoE5*a5$56C^2XqJq_tE^qjdFbOn$IQbBhKP6#F;X!! z)vM7(Npdo^qmwrP9PBDN1mwqSlg+F;9mcmfK!cxF&f2N^++jn385w;b(wj-&$>!{xm)^%{i%2UqR3(l(V7PW>$sGzQ6;noeUzK=OCzfsL$dZM^MV$&c?N;A^MhdseHzsR*A&La=_ zs3Q+Xk8M@anBn#d!l1JFR-N=kf)035oC8?%qY=Mb#RAc06*M~$D%FzN+zr< z{_pNTESyWh9tvF`atEaOIWF5m>uDifOfu)N)?_n>a?Yfv0>2h1za1l7@;AcbHTg&v zv{X+U!Kj)SpgbVAszKS4Z`3!LpASl&JLLK#)7&z8OVpi)8_FWkeUQ2Ob>nn*8KsHY zIix5j=|LBjC3r(;-xr6VU_;_&E*($e+s7`gZl@f}jPv8QK@lutYI!b$>= zMgS?#wIK?h(Jo*Qtn|^?YDE=JdQ6Xsx8c#e(`$ZPX}9bq)H1gF2G!ZrySX`)mN+{W z($E;YrHdl4w(^Tw!WUw_kVu@7d0H58sGJvW!Kk+))M^~3ElzfjnlvfI_CsQNj;(C zuNHsP-mr!NcN0r*wSk}{PZr03q&sk&@vWoOhMh+KgYAu%B}4ALsoH!rVZYA)TQ;mi z!s;8ysYE^$5Bt?2y8x*6xVr{B#ts4``hXus(o9Z79w?e01gl>dR z+sZ_Pq1UI*_nXSo2r(4*7Pr_~UJ;HocB8XNJCU4hCZ~@1p>3;d_~fnFsE;9+zqK=> zkXcHxutkqP)_0r=Wp%#ob*}G1ZYN$`qCuJvSeV?vUdJgD#cJ6%Sk#?+{VYPvaXj!! z!ucZ_F$AV%2o~GD830bjXv99#nt&6_l3D?91O!3YP!gs`ES0_?c3$ z{3b{K_ml$gyCE3(d%q9-ITC3T0hoU$Bfzi!0e=6y!}C9W_6N}Ye?lpkSlH=-=Oo(AM&g&h-~U@oQEO;P+?w4+sTNr2ZLg z|5OMdVg~X80FZV31#JVR?tfbd08%yp<6n6J0JtOP-xe|fsTL>4U(_^ii6L-TH`HYAPgqv514AoH{*xu^}V{kd||WFtE?? z6sdbWGcUUi*I)Yvj#B!oMcC$1O@VSE0SLfU9VX z{2EC>STeT8Ig{2n-M1?73OHP^Oh`?)Ley?5Rx`hF#k)tyzU!)#E^VC|Rjr}LMQEa@ zu@0!kD_>Sujb-n(_>uwFk`vR(8qnq+sz-$avj0?&A`!kY@t!FP8GlyeO#wD|0}o0Z zev};PE+^KEx>BslR0Y_Z&rE!eRQahGRg2qf`>UUtkCim}M)&rMfo$~EwkK+CK2SJ}D+#>W#OdYJXY=ZtMjH$8LGp3gL4 zxTI0cb}JxiBSl_X*nP9@X{LtcZAVZKf=UIgsV#ggHk=@yEKC23$UrK|Hwv`VCQ&{?7DI6==YUzgaJgTlkYK1Pl&4loLVfJh2NCggdLf)A}PmM62WlWKJz2V7`~ z9*8;`pLd~DbL&20bsN#qgiC3l{fBQ;R6!G#(fIfktV7?q)ROway9FiBIM&E$DeXd{ z?WPkKUuCxiP)=PKcb45k{Dk|Dm=!J{_j{Qj4_BR92%9%a&EInbjj0Q4pqYcR1Uwu! zCM@7Veg&Q2Bw1optL8k!uRqa&X2EFlqoVAPfeEkHed zuTn6QuQ@IDtQ+UnNRQTr&g9C@mHHrW$xK-Sx5~C<6H8ZiTVc8H$xS0o)n@Xp3}X7T zb*Xt%90CM7G4w)KH*VcFT(-iJR|Y(!-9?gx>9nf&Y2WIe3;2sxj(8d;okr@?#4tTE zn3}Yj{0G3m>X@_mR$2Q2e_=b{Ep;I`ebhb(XcW-Arz2yFpEAj{di35kX?_Q^)Ci8J zV?9-l1K(x0o6v70&ufvY$GSFBMAS7aHSuMd?Zz$VIZG)&KBawDK{uS623|ahdlh9N zC~k(yW!~e6u9$z{>onYE^0d-f8P!dS=~h>H@yCe@R+CF3J}&_$9L>ND;nbqs)`Ro&W)kP@F+6Yvz`yj*yFr|ErU??8L9)MSWxF;~ucp4aG5pF$y>Z4~8z z6*jWOvAP9#rf8jreS!`$d?6K@m)nec6_)wIgtEm@9Yu2I!wY*K`VghacEAsdmW2m% z{GD@V!;Y8j;?qVrkKx~;z5iZ7{{0`_FKF+d3CMq-y+4Vue=%4Cm*)Kw&GV0c>HSoXSA=bYDshtg|qIdA}R_pk5x>teoN?+Y;Rke(BG(|@f40L9vWdx^{}EcC2El=j!cUv<)7 zP6}XWrDp|dqJJ&?vrhUqPXlPurU$V7O(AfN;eQ?VUqHV9`OL*XLwP?fvHU|*Wdi4Qp{41##_?M+`SzHaq$;sYI@#ew+ipG&=g{3efh3Kna?ChD*3va%spR|hTC=M} zJjsANDkzwjSEQ+nuy4~>u*->+E!(L{J>@S0R2U+zP14bDzJ_5PF`^*@^KH7WS!T9} z$y3J8lx3W-rY5}il2{WziVe!MHtSb}CcW^+-=~CrNEypdH1$C_2pR9%{PFRlo5$TD zHq@doG#!kc0TsLugBQ>93+ojI<7*lw5svs~-22-jCX^oAi;eW}-WVD+{y7g3Nd4+8 z_C8=ZI3r%4h?6X|$fA|rY=7)!V_O~+JeKIj?Xb`_5zUL=>nU$ZI`|@2vT5qJYZjOS zI_jvvY4L4PCO<)EICms=-9|2M-g;_`#iF)WAk7fI;JyNn4-pgspztM!QzYpxH*Gn1xJEUChv(_bj#{f7nu_d_nS|NdZykku zc-rdX`N}p9s|FNUQF|57Rs0)Nm3Y&fNq4H{0@f>@Tc@;8NbEg*YMhRI6C#ch7820)8P6B&zkF@TawM%FJkLkU@rGHo8$rDJFdiyKHE&~oANus0s%~LkbDTp z$jj8>Pyzz2FG-U5_dfP;uy|O)utEA~X!+oK=7No&pr|@Az|kV1kgYEkAh6)W3Mr7r z_D#?M%685~@GbAHL~9QCYOp`V7S>jNN}hg)Dxsrl(SX~MSFk09C=o-%1=dmt5Y`|U zLq;iC1wmBl39lGA?Yv=$Mb>V&r$H`Q)PWb21Pz!Oh0>kr)>^sL7e}WIF46U} zdZDBSmZNaoz5F8gQ#<>|>n{DlzK&I>-Ku4 zw9H?^^zLi9*^#GP-ci4}bU5}}wq0jE(spT4((pU)mY7@)zBe^LCfmiw!r7ZV4VZwXP#*}WarxzO>gqtG7M6RbQR9P=w>@m32i#SI%KR%l= zj7t!O4@K_v$JO=R#KJ^pVWPi;Mo7fRv=l9vP?~6B!?RWyds{kj&cdZ(Z<7~~0Cvt+7UZ5}Psa8#l&kFeAPg&?>qyLMX29FeS+wc-}T7Ny3q zG|hFTmUs)d4qMDb| z8CtmAe;z|>8bVjQTw6UDxDOp&l4USd@A<&});Wpm+swqEY1`H&;__)`Ys10D5Hn}u zZT6?!AysX3-JlByi_;wBB0<*Wptww^Nj(Ojq0j5~`0ivk*vNt4A^V9ex3D!lnT;IY zL)mnTRp83fN=8G4exi!nML&=fYGArlieMtYg2>>BujCv`nJ48wTC+l8u?u9F+4(=P{xfU5#vjbG!N0S=2F7@6xleh(3Z=_jvqhKiI;?8*G~HN7!Yj#Zr4wcKSToh(8(!ahVawQf=0iK0 z0u{~2Vd^Y0%>yBpp#0g95y#7<=uODORWM(|lq|d>MHfa3O8{$hcHwv%Q56I6$AfTl z_ii9P{+!1G`P$3ebnuw~O341AQv0~4TCmJcWFgg^cq!M}iFX`IgHYZPLRJ$6Cy=3P z!>vMHW%uX}pN2ks@AB{QSjm@oOIYl<(L;XOHm;@4j$?V;E?<_DyEdH+9(}s*IF=mz z;2v9Oa%yv0F%h4pl@>|w8t?wyyI`q)Zctxb5b0JEb4QG~7S8^DX5~NDi~o5M6yT2qPyfx# z%HL3qpSFGfhC6>hz&}t$|1!MrQz0;*iIo|+1L|+EHP8e6Ux4*5?+Bb90fKpEU?kD6 z5c${LfhDfOFCR_6?a?fWenQQuEisUs=E}mk3}7PP_oayZ&1E zD+~CwkO{bV95{{qm%^WX;{RhX|C75KNMV?M=LW!MDfTDL_n#sApP18sB75fF?&Lp2 z_6;~IvAd1eUY$a=IZC9-loDjBCFM(XZMzK}lTj3s1NJQ(sHP%FqN6h|v;ns{$yPxm#fZynwS_K+jAFEr45$Yw~0q=Y2#S9WzaYw5i>p!Ae{ zA<0!%`W*adSl9LNWyr23@VW{!M?$5>)lBUivxIJ2o56LMQJmmZ*@4rd4Q!5DEn+N(vmclK;Lfzv*=!&6~dM6~G(+wcE0?%f+Rstaqwd zfY%4C1b=XPMaI!8B64@{u0vsin^Cx z141poVviC3?9N?wo5M8kyHcDd#LGk!|0(}IM2Lk~ix#O~GAeP9E%=2(JP@1;`m}fK z`nBh!uc@5AxMVP`wx@b!2foDGdqK6@Vxm{s(0m1Dsj|*gAB@42r2U92(;Sf2VmaQF zW_Cg$vf+J}Oo#fOjnrP5Qx(my9Z#-V-Iykxm)-2B{1r;KCn#$5yP$39Gv&$I*^Ic1 z?0v`@_p;P9GB**pNV2R*aflgj?{VVoq!I7P@O_Jw7q0ot!FK5 zxG3sdzU={;iF_DP@aP2oR|l-i6U%Q)YiWl&CuM8ccq$aeIGW~mHV|0(qSGYWN^j%m zH%>g}V;#z&agqU0iA+ZNJG!b%^R096xq4!Pdb}*|(%?q6DiBMI4;ch)rO+cYeiaw& zy3XRKZ(>h znWg9HSH7ON#BB^=U0#jmo!VT{t>?|q(Ze!P*d>ThS!%cmEPFAt+81=5nqKoI!ul@C zILw-Uyqf5e2auN=E1Wgvs=PE~d51vy`E3-xVGwVbiXZAwO_hsNHqXF_M!;Z0^A{#L zu0hGge9|_Gw5N|}Y)?*o!8Qn3LZ1&uXAP}#A$EDhRmw#a(dW1gn)73%m3eCKw+%*` zP-70*yhs*4GN--0f>45`cFgL#*rqG&pmtlM1C7l7!hDKg1cj98IG7d`^cBUq*A@DR z;KU*C^O*#c?X*;9nfnA~jIgh$^BUjRClBbebO{xX7YB7HD&pcnYSW@QtS?C3_d<`+o`quUX0jCNdgPk zG$hl2JR_O1odCy7r8jv-;31I}ufc1l=fJq=vk&Z*iUI z8Yw3-!(ukD8&4v@$tSR{wzv;2rJx?dLo)clM-WCr-EF9q_w?2BJ6gzYQI{V7^YODu zCe)OT&5!Ga^4E9WHr#~u3leU5oOSv$gNxocA`weIi}+K%_^aB^^+9kr)sFe)Q znT9(yV-y@CA}~xzm`3eus<>p>U?zObGUfT%CUU_HAKp$j+!UNfUbA{Byz>S3a~Dg_ zQ8fpfRvfb<=yZO*()U&K)G4|@&pxFLTEDt!TxbuiL}&R(9+rSU(g*HWShJfmQE7#v zOPZDkOK(=rIg{-5D0250bzVPc^uy8IqxGtKZW@|d+$1pS5>_Y|y$fOLvhZV8s>E(f z=0FarCi*J{?--yc3j=fqhoyYSn&I(=`4R^TT}9QI;idmN4sCEQAKk%MDB$QhP6Qpm zS6H}mnU>n==JCC1YE-7cxe>iG-@D&>*CmrXl1;yO|H>I8&4oawfSy3=OX~3;WEYF^ z6vVlNVq6WJ;7MN&15Vz@z3vCzM@_8|5{Ho`si|X#YWk^{<*eO(%;KeYc^Yyhe6Aum z-#!}$Dg<&NeJ~v-gHbmn?4yw*A*5B48h3bkHe@Ex+(d>oo>x*7Fx`ceZ-Vyc#_I82 zw{qIrie~k&m*0wfoT!i&aLi$kw&D}i_pDjLj`@@s#5PFP_F{jcQeL{e-Lou%$G+?d zK|yCZG?>rgvwjPmE1B|~W@5lH8A!y~^+9$Oig~RRe6V3-PRUedHZ0j8nJ!q+-{p%e zlrCPw(N1z%)i%TowAQ5!ctmO#VxsQ&1e(3Zw(Nu;x2TpxYk!gdppNkzmo69uom|E- zTD0cI&I}T|de@~CWr@NNSuziFHp1Fxa$W~ziecGY(;*$EZETiOSCZVF{1*Y^8d9pr zx&Sp@*2Ux|ghBQ1p_2~1@D+((qLNu9lgSACp>0?7(CYO(HUmt&gBD{lsP^rflfenk z!WEK2Ghm;H-dg&QwM!M!1w_P(<~pGGPV=cuj4Q*~0Muu0^wGBmy0!YqzY|5+8Tg?E z*+s2B4)38ua_1dWb7UTbD!BF7ad$LlL3$o|7D5^ick~=crZ`x$Qo~InJ^rYT|11F0 zn)kx0r=apxQhMyX)3T73KNLUntQP&Y`N4BAE1Zx>qJU5Qg#fyPI}8tE9FQU(w?4cV zTdEG<=cIEOtO%)Guy zHIXGf{v^-LY;3Eu$*9(J?StS>H8k_w8uM6BU-g5X+k=ryhB;v7+!XJjat$@R4umHI_9}k_ zL}l!DlO;921Q->Hq&xZ|Ku0Bk1c&0-nbgKmfcKEMFER{%>921@nA2ICd=vx|OOE8& z6OuiPM>yF)6FwJcRXGYO$(!B9EAF;(8*GzSg0waQa9P+axG6FtiGI$Td&_xL;(I-W z-2mwiAufYqpGdPXlfgYBMX5F7PFj@9`UT_~xv7Or&K-`dMNKSk5$B7$Blied_g+n} zPp}=!o;sod*v{ldXzKlViz=eUdjRID7u}*0=XL!!i)c8BOeHt|?qvT!vG#@v}0Q$i(6s#v+^?H7TSv(Ef(xs3|-zxh13(IXVnj2^1|sxMQciK4u%ZT;fho0pGu;? zED?}>S#%*4DNgTuhWv8Xp8oP_II!;KgRoy4eYNiq?Jn8+PNohU=W^va|Pmg{$h$ zD~iDoGnWrOeiHx^BL_`y;sI>gN2i5`2?7ARyO$J4fDgV=oo!Q@X3-geTYPPSz`!Co zY@cMdpm}$CDAcxxhvV&CY--h}r-$fiC@iB$JKKcb3?NY-<3a*uu6%p6h}CG+g%&16 zHpNgGO0V_XboWw<^!(xSwt#>2=cU`!CE_mRc&`{vS*i{mR6U0nXME=?dg7!y&y#+` zVbVtljk#l9NH59P zCq{#`9qgOfLZPp>=E)4gar$%57az52qJ-StJqt2Q<7UY5(xvR_;rw}s)h|*mZr2#< z4yU?=8Lr`n`CY6z7p2!7VhIS0mVFRNJ5=y%Y8e*teK+Hac%~13a_`pBa;2 zUiia?$QN}K9zF7J2uS&@n%&E|XiTtlK8fm~60&GKO;dCDDACWTrX$mSsIOsqTM9XW zgeYlFh__is4=3zr;iq zbJqq_W+9t}&LJ>9D^2^P3!-~R@`Ml$R!B2DVPVp9?Vx_-_Qjjv35%?;Xugou z8fW*Fd+#nVHg|4EQ*~6nJ)5zoG)V54- zV?E>+=+t>4((e(*7ml2hY-{(!+$O0(H%&wnS+Hf3$MVOLy2?NCaq4AxavIn*H2KhS ztdp!yzrj5IvA4^xX$XFmg_(IeG_&*me3d~2xu;1(C+p?3f6n+`F9~!Za}1nN9@0v& zuNUQN<4R$0T|+90Vc<07(A`@i8r^0)C~UOLdtzr-%02Vj&c@>k;4b}kVE@BT54IQm z6#w-0)62lK3+CzT?AgG={?iNphtscSRRLHd1KQ=yJ|Dzs zAIhn`I5C!wlh3@V#k*T{|0bu$%e!z^o2&4I%6$-4zj_&`G`EFU%ksMChDQLAE{GBH z5CW;^=oxWYf~${@MIjEqi*i&GAZ+<<)C&8XilkohyM>&IGSp$S3x|D=&N{XD=kY>3 zdc4gyaqR&`2iC&OvPwpcYT8eJ@NAkZ2a+?$lh(TD&|i-g78XhfT+FqVxKiV@2#)3{ z*64diV=K)+JMzJi+fuk3m}ohrjVq|2hk4KvVxji4A-#3;k9mR302v+|iOQ5(&&Y@J zq~db+R~B@_2+^U&8WPCC5y0^8GSZvRoU%AxQ4f(jX|))__C%qGgt0&nNx z72pEK+@7#|QdX*NJv?hMu?-bd^KN2;k%@eerI{oZ#_=+jiN+&OU^g!-Mt2O{M=8QN z@Ab>w-@S7{W{>>z(8DzxUCHh9zVK17gh^)1IE#7?K0$1F)^)Lh2$p6GI+X{YTJbZWOQ%BRG(-6gIMVbb-WN*R`|y)!{*MRN){B zAMQ#>JI3NCO%_Z|rDtb}!w5le2C$O_6)a0@6>aE*T9%vrKXb?5NU@UGLJyTm#mQdx zdQZtTPgCWKQ*CRj?ZeHaPYyG{=#KamjR!uzNO! zO|NEfBm@T~4?`Sr%yQO8uO1cQ52kk0kU`e78sOBKbDSdq+#|Ymg3pa`_coWRVbb4j{V}NBto$I*;igRfjMJk8{fLpXjvqmX8*Glp0K{y6U9om zcQ|T^7qlhaw~X-f^sQS1p4v?ZxtH-nq_ni% z(Iy1j6uY-GU$o^Y)7)#M*c_1I$I)wL(}G*rtnE0Th07{M83fsIv8t}2=0sINR7^k3 zvfNWul`b9x^X1XLQQ#)hk18=Zd!lonC3pAgu1kScABU2pQ%UCh`sC?V=iSlyct5Z* zu|`hz*=%Wv@cm>MQZ$pax1F%M4WJ#R-ePZ&zH!yx*&>y7qLEgvVJg8#R7N9=C!7R& zINP@uVe50MSPpCq2xU!=ey@p-&snF^xv1kTg^qa{*PPLQ0yIxf1!=YZjjr7n9RpME zEOsfgofsW3!@?<%a?+DADI;9Sq6wYFf*T)CNjwhj1hby($<<1=W7dfhKVMJ`Jhv5U zm$#=_XmJNUMdc?Q4k(O^@6p6YKkO{I%BJot^ar}4Ze9`KZ|b{7BZ}tPLero+xi+8$=+_e4||d)}Xd}IUb&)TE}Bt z)&be5VdX6@&gRJmDYGv&1*2+_3sNcjbhf$`!LCrnHFe7eB3KQt5$|K`vSoynWC=UF z+{~J6PR@{J_2W~Q(Jz;lx-i(n*Q3FUqBr;T^p%^H43+d%W}juz&1Yj76#>a&k|;R) zpm7k6?ZUW}JtU>-2QiMiuGUD`T7-!{dwE!253+8)}XLVdKrT4h_ zX3DN81xfW93y-#W4Sn<$wLvP>s5W?$Doe(*HkWi_kLv>;4ZjXDfbhmpd8tmY)#9C# zN3f13gu(A)CfHAdX07+D&)Sek)qgD$`;g z&<39lZR~jLD1D&so!u#rJCH7)F71(aQK6`ZGF@|++`AI=SKp5GNc6KmrSMZ z{}~E0rzey)WNy{6va#uQ3_~4-afe1Ow9Iu`Ukx8BFb`)Ju4Blq;vg4Ux7(<|7j&rv z6wKYvz-kuk>V5nUQT0|yA5gwf!AeId?j`pt7KZ6PlTTQDG#6rM+M0ZBavWtuxBeE0 zYbR7v3qN#1uY(d6swW8hqM<^~fl*8!{#|GF(CG6zVgJ&Y#Pq4KMe{pxzqfm!^Q8q? zDhX^XDl<^*wnRB#1zV;Kmh{D}j-B&fGrNby>pY2ZB46)k+A>?R$T!%NSpC!BpTrXu z*5A_koV8uD$tYqj=)UI*Yjx=%tucBpV>nb?g%wOBebx*><*vkyj`kuXbTIQ)iNcFR z^bVg0c@jgZFdRlxI?P0BaA%3-iZuce@?_JoKKrGT-JD(Yoyt^!&Hh5((fmx~ zD&WEw!5yp9FR92Wc#QR&*e4DYELPCn(Sf~d*(z%+|#QMzLi?l(kSwj={ul&cb!aodkb(sHVQ06s=Sp9c zI^#a|W;DLBV8LXe_bjI49k*C(R$MdgLwL>ANKm|s#h`daJbk>Px1N3y?OtM9j=4Ar zV_;Yq!5aTAwI_gjT#RR+W%qTw9+7yQ9mfj|qh){8-Jn*oo($pf7xp_PjUZ&!Vyh`z zA;{44^xTRfxqM0luR!|mX5dAbbM12=XPy#)YkDrCxuTq0s4K-cP}26@%wh8Jpr1t! z%zng(rZc^>w>e!~+reKqIL0L(MDUdduOnJRq|VIYMbKgMxaxDbCrCG|h#_N5W*#lC zx93#~uNTn&f_o8CtP2z8j<0C1EY75`=Yf=tDXqH42AxVA&F$DMsW`nUzC7qU%L4|D;PC+eM-3n%854qOB zv>h=6x9l+w-xa}JlZ$O4cE>Y!QxO4pHFRg%#2qB>g+w#5EWDP6Beszj~FUZK%~NAKUl4IIAoDaPth?-Xeu&tI>$%p@lT zm3@92*Sbu>;R+I=9gX}uJ@n_j#ouobvpuMef7u`g*o69T^w6Kqqyjv<{Gw|C5%>q1 z9sAD;GjN}m?PtJ$q1gdWfBu`=0Gq>X?0^%Sf8QKt1YBGCw}6a*OFF;VR0e$h4{)r2 z!>qqkCE5R`gZ{O7fW3CW<(}VM-hW`l|FJ6h*F9b~z#i`(XK4SKD*51O{ju&xRr0?$ zu-Txx9X?x$a_{2meU&5M<>8M3Q!9}rsqL6h{{DkzTrBsR519<-XA0RDIcfv=S5+S| z;0{RMoOQ$w^nc<50k_4tzS#9x(yoHWC@SP_YIL}g6$$hr3H3vtoE4@GIXqIu&A_51eEjIlAwmc0<$EQkHp%`&|+Gi*SFHxmlHK?*RB4^uQ{m`$kw_G%A*q z7^}7*>A)CY>IjC=TL(CB!)N6mU-?Jz$4`ivdZ5XgDJ~2Jl~O9%C{)Y`uIltqvfFkEEIIZy#q&8INlosm8A~p!nGt$vSXaYr<(HN@ zyw+nc3{a%5(lRL==piIIv}HW9aLR-@nbZq#5rz#}NQut_Q;nk-5htb*{2-^BdQGX{ z8YV3?-t0%vcYI-gzJGZZQgFQ6W|`r&L0sf@64qskie2dfZxd63>&Qq%T?igtn}!yn zBCLg3?{s^PF_=_&-8OpLhCstf#F!e3p4j~k8?jbfD5%zwk~cMmq32yz>@)t~0Sj$`atkf1|%p9XD$0l((pb}Zb zpB9xt;+Sjf@pgJ=K~xX-x3wqhq=1Otp(f`!u*d8n37_>ja5XkJIaH-|#w+RAp<*4h zTBbhj5z40%KpQ$|pTHHzD$r_%tbl2;q$>n1gJ6RBD3&l{JHs?Zs`X-O_8s<)Qi<+s z{p8Ac(={bJC1IgaLCl3*7YBpw$<-nl&tX}jm#xk}$y5iu!MPfAU1Kx=;i6eJvI?acnDr6AGKpPt@Ae^Pvy>ur?CZ0FU~f%|E=C-DQ@0|9 zdeVZ9(@oqM7L=H0*l>=Sc8@44`PmY@41_$THCSfiIxve)nYuRnn)JgAr{;=Ji46gub0~+a2V!njJ9q&3Yoh$Ay>JgZxJDrhUo}_R0D|fdpD=(QffPrju95>uMYf&UiIdMf+Lev&zu@*HS6 zI4Wq|86=Dwc%7nD6>L5rdM=*G9|6 z)j_CPtxv?ih2+83)nE9YzSo0ogf)W!E1bkahb4-85|sb3W$|pl#u|jhvX~k1h|$a{ zg`MW;96eGH|A^PY4Bk4e1{Vbzd&N3QLvq$77AtYmkN8AyHH;cjim@c=CVSH6D$l~7OK!LFrAWIkb0tuN3}>Q`$x2x0x?4WaPKkX>ed zh(4XdLKE5!@MF4mHGbOfs`0YvauStq=(x(P>Dm%Kfe$j$PYYlqWiyw+FEaTZ{2|^; z8J$G;b$5}(pf_f&rbA2ctMX5tBcN}ZSM@R2CC{dVs8;c!1cOwIgo`IozMXho`^L`i zuIVHAX8p_R9U8S8+^d3Nl$ur}3CWq9p){GRwA)^ec&K*0E4h6I9eF(ngR$r})~@HT zrA*Q}$D!W#?8BCZ;74%j!!c165K(5&l$CB#*PFl)$M|LJ1-O{aTP5B)c^P{e3)vB2 z)-T|Us239R6lq~XejW33 zYY`|}yo3=UFJp4I+m|p_ml0ku0u=n`ZCX47-+AK&Sk$zYv(vwY=iXcs=DF z>d6zeHF-0a^oa0wo`Xtum>Il>Y zAN!#~sdaX;0@pJ^`>d~CW%n-hC~i~FGM{`mTHBsjP&9-REg6>ffGHRoU_p~SAgs>N z%q_3>wybq2O-2d{VKa@&gSX8aJkU$^uU7N=E(jV*nF7WbDs@{bxc$1M#S@Rx^+O^1 zPU>2iNT9$(7ibcPl5}~6;>Sp1h?!`O8$vSS9tP&NT;lisbuD)M80b0%AKT&g7(QYO z$edou?a_OIoPfVSU0voTXC#=Hs&2zHW~yyV@pf(Ef-mk}Xq#?pbu63Rih54PD(NDOnA(=X+L= zjs)JMcSFuC1XSnWXiaWvg=MDWg(%71`9G;iZYREmd9{Hmg+l5Kfi$yMhKE_1Cm4L4 z4&{(PiQmsQf8zx^TfH+>dK(bHYqrdgF_p@JBIh^R@_pfXoCUe8)U){t`1gBe?;z79 zZy?;~X!SlhoUNvqQe@bwy)$b}O?v4hGML)2Ei(j>+|$o~HL%Bb$8|xvN#U49QIeE* z>7nUohvX$Fqg#%zK1v8dYcHKfXF^S((=#26XI$SM*y-X=;OVMuvBKMhlpyI3d4tY~ zCk49{oXUeHH8zEnMxKjSiJq`j_>4#1R>MYjCe8-f=MWtC09Y}ISmcINrZGv zTUP9ds@G!@O*VoJmos)gL`ckGR|?P13qR>ALl9CKW`3yKI)@3JkXCyZK+LK%_5$=c zhhw@pH=n#56CZY;cYj%q^kNq$esLorBzCv{!)Lfd0t|&SXVoDnDArzwgoORD0f zztDFo*V6hp!$pkHsPJY4Z|uz;OD6l5&J5uT%oIwmIphY)v-Pc>d5wO2cEf5m7-t>c zw>A>XOV~O~EVfLUiZA<0Dto$Xb)Rg#H@r!bn0i26wpc?c_Am~d{q2E7k%Nq#LJw=UAwpPzwYQ|@rhLSlC`oZ!~60 zzBG8RkVdLSBVFZJpFMa`{$@fVw%o}gS3Wdk#1qMD{rJW;Ce)q_&0QWUVY#2Tzb>fp zO+63Xu^NpoCa+qk=$aSKoFlx=J4wM$I8H$<%hzwnFW#vUnSUG2DxAF(=e)o*?Q;tC zs7xQTRQ*1U(9|i>K=t*+wZ{j>riBis_Q3TMeo;KOhGwbj02n6a?PlRV!$FEvkvSo3p6C zNL=DA!%dnK27|6^RSKPbS{+ax$~NM=%<5_J*$X?aCH`4jT*$k^Q1xxwV9Y(4I`j5I zcT6&?3OY5mon&sht!cI1JDBqHrv$ef;QFOJpaaHI^yfG%&I)5NLaqg0-ZunpGeo{2 z;ihQXRBlvMAAYI3A_6&s;AL&233-b6Y=vW#lh%MS!8AP1MX8RscjMG^g(E|&#-y~G zczHe7UdT*Sc1ox%`NhkbMz*2Mqqj|QWNC#oV@qBgHi_sQ`PBaVuw|x9q_UG3lt;d( z4T4cJ)gYLj?>JKLDI?@S=-o!|N4k3uRH525m(ZL?rg(zdl`25N_zHJ-0DfI3 zH*FG7c!JNli_LQ545>1S2}G{&l!u1^qLZ7`vct!BGAJeA#(5cvnhUX8Ydb1~&V@Rp znguGJO3)p(L7KpBD}#Bt5sJQjqN4$3XV3gaOv=-<;`8Ojq7?07-;<9Htbz5LN0)x} z4Se7(*Zek#`J;INI}#&|r{aV z@21~io4grD#pq@)Rt1YtekM^P={Hs0J)%r5{q@PpGufc!I{dSQk0&dR6YR@|zE9SW z&)T>pY5ZJp*0c_g*R*^hhy7Z#46zR1)0D#_Q-iYaxn;O(fpSi^q%%?UY#;gPK-vo~ zSgGEjVCTBltwZ1rQeA=Rc|ii8}nQ~^4}FYN==hhm=m7zKsXu1nt~1nxvD|zLrS-Z6|tbmr4CM>I4%0vAHxyC zdHV$8cbtz8AYm+*(7JnD-kQ-SIqDmEFVzUV8E_`>dK;vGm`dB}iK^C6X8-iwIH6HPxADTW5LJV9bL^Hzixq`$`#%bX3)gw+kWLU1&`6 zTML}Tf?&>?IGqMfR9SayQiGGd&){muwvv~k`F9#c?0q~U3kxMnOYwTW ztqFe#81d7S0C0K$6ZBu*44W=x%V!yx@q|mk;+~M2whWxQfz=kQB`Hbc zQ$3S)?1SN8LZva4Man`i4<+6<*nrL3fL=L+EU${R#8+Vy;b}HH-ClL9P9Gna)u~HT zrZ%9Pacg}dXx9yS?jDj$_@SE8XEBpUm+5-&387nSqv4L_MX53gmpkF*;g(d2T{_k{7b z&Jd5+iYu`;<5}3<`e<{!Xwh}%Gf{R|?7_qw!}E#+!vmc1XqiC>c2xWr|LHT|uKQ$F ze2K_c6WbMG>Eo-0IB0L}@9WYh?v^7bfe0;jywa=`->#nr*u`OKk!P=T z2YdHr8OmN6f}ORV%QFgOfY#3?2rZ!-`f8s!6ASlK+>5b|TaOj1bJY3cvRLbeP5kxf zkfQ~ffkoP+r?(MyhT(!?V(9) z&${bM>&5%0Rs)<1O&ef{b?=xu&F=yjqA&APD5w^oFv|l$k&Eysbd0ZN12~>~VB}^e z!@MNVU@}@9sLwg93JFxlv@|(ya0G*m+UKM}o01J+EDcd}_`+K8z5>V58_Cdq=$$vj zq;$e_L6{nbC*|4@Ytf@z>$fSNz+Yg~a(8`39ulGCY@377k{*`q3!1l`K69YcnhJNJ zLXI;sLl}}3z&-JNzFSj}Nuh(E5hKB-IIU_&tWLdrYct^?6dxmDb@U?Ri)_-+)^(x7 zp{c;;buJD`>qgz416S|K8)5Amus0nb!5)x(k;8!c_4YDr^jTa%4W4Q4QMpQyLv#oI)#!O-0+Lc^i9~a8TGMS~<@zXrJWLCT zrB6=7%rl9~O(ib*?(c0!Vc1hKl{CJ8ChHv*FZ0DKlY+hvhStu8K{YQkSsFdzlP&)%0s2HzG>(!YI zv|$d|`)d&D=UB$m&f+q^>z(hC3YXY2CCdEW+}N)#hh2H{bm?}fp6)eD$H+Lb&!$iw`q1e zUs0^df}ZKHwecZW_AJ9}JkNHloZ{uuqw-$qe%6R_N}^ko;v$dVwuI=zYfYbitfPt< z7)Z80R?6;rb#ilfl*jo@@O++FMV74Xj6sPH1jFQMh0=2HdV?TnH-xjMPusoYksABB z(*5k{q3e54I3*bJRKzfE%=`!rY|1GJw5K@}xe+*~>-W@x76rf2p*Vit68yam^`JET zqC@?|GqeEzxj0BJ|1y#DzYnB1s&r%We#L<>QQ1*bBT2XK{`WF#8k6WrhLGz{vJ7EQB zZ41nKs_R=P05YBmCP$-z^Q7#DKp3RXNEYlHhGy@saX)DGAe3jHuf&k4ypgcO*H53r z@bj*hs}Z+Aa}}x(3qC>lGJj*wHL>caV~mf;QAxMfl$;okoRAoEXl*;pc(CPFA~ILP z@&#VrVr6*t(3;b_+S!i#``jHoCEqqi-{I0FIHWcyZ&0u={A@Dm==A1#<@KQLY&)bl z6F;0N4$@_LP*7cR@ti*FtHm^KoF|H=8rkLX(yPq%_K~B8Qqu{}NlDHL68iIFhe=~F zI=8HHd1F*N-=~)R=po+IoPT^VEDw?7SdND2E#kqp{q&s}u55r8e|D<_(aJj-M{0pj zFcp+Uw^G5vesP*_>$l5Zfnb|bSVoIjV9rD2HJ-w>tLW`6Vt|$o?D`pIB8O;0*?)o5 z=clF{I6SnowdTEKPfn0XmP<`!-WE`Us)C(hWGcG+#EdkZ2%koWDOW@PRErXWae&A# z*&eA?w(<%_pdN9g3&CA4%$B%Kw<1gnkL1uj)-OsQp4FvL7_KKj0$kM$R4wX7$~2>`Eg#E3#onQlB~;|{ji`hIy=!zPRJsM192X!ietzSD2LRc zeWC+qs!GbRVspq7&JWuPcbpkofaifHY=I|af#yoHkO!iF+7zF@$_`(=&J$g+b(6OA z>YcV!l!zlLh6`UqbJ2vK);OEAUx`oc<@?yVu0T)5asI}-?@6Ik7{w&t=6x%T(k`Z4 z0?fE?nK_gaELd;plLlO)=n))LGfKS7Ndo*Dw{`ORNA( zrF2zat-24EsSmpCxR=q!5jnG?sK$v+itLK!QV-NvJB_0}sLQ;k-4@t#i6&>_%Y{=G za3Mn*4l+${VRr;N+uQH~cuahm2YCL$BR{Uf@p^%3Q zOX}n)MQ+93pG(kO=6dKtz8Eh#vI$~+i-Sbzp=6pQz7XsfoznIQcnB{kHY!66&4hhHC{_25-L2Z5$bi zfhTSFGx4K2o|?Wz=6|1U2bozt+7w?soR(~r2) z0>59$rBb#yEte0c$)-(nW_^Yo+&_GKaJ!SgQr1atIY#OpLl%^~mwr~$;hLB~C!iC) z{}s|$Q)Av57jrn71+hCHDY^A- zGcho>3UAZ~tG)Fro$mr&%|h#_?X#mK-Ja9WT$lQN&s`UsxFh0S;*S#bJ)Nh^tUx;b zu1_jNonPhc@m%$RPA|i|25wdOjF><^; zlnIXpLoMk9lj1Yz_VSS0WMS{g3s^l1xVQDgcn!4qQw2DD+4K6=MeQ7(Z=B9P+3n9aaAt&iRFZoS ze72095oK#p*I1ZhvT4sKxA4U$-L^rdD=oCT2YnKdM*ep>frjsjY1 z`L}?~jBKvbNOIGJ&<5=}?)qoMlCJK36&@7!mgh z0V#6+@U&)yv_h_TQ=Dwq+7PyMN}9M$OznKTE)aqsEb1BCxOg)897df15+cE5jg{KE zZ`r=tfJRc_&}(JXqoJBleX}(U`tbe&3Pp)4z6?%q1~zBMv3dQKnrrUkv@5C2GO6p#LkHPM4oxzHIdR32?dTkujpnM`cZDAZ8btgox7uEmkKIGQ_$YP3y+IM*`dgLJx4 zQ~XxaoR~44#cQUUCw2mA<~qRi+M9Necc5jlH0>zU$huAO-0(x}YEunu^oLwKrgcug z$fRo1BgWqCa(cMPZD+wOs=UVdK5;lAV!Z5Srk1q+yfDhIE>OKOFsvt$?<@6m?s;d6 zMyK4@z1~@npQS#{f|-vDnA!TKi`@8a^MHmC=j4bR#|IOn6T-JJS1c+6ixY|49vr=x zi4CSNCi0UGm%m`_-uJ1F=M*YLlchVB*viTi@LSC7SBgqEYmlaeUD4yr6CY~$Jx3ci zQqtI195+6D)5UxXEju85hm0HRee*?5_gotP6bcE;_`djM>#N!4olGkFMwANGi)+(S zoOA2K{E<~*M$a#EqD`_G!E!0=edH=i#|?dE7#30$YOtTnGVQ-h_$p(91^J3jYps;0 z%&4l($*$_LF^MJCe%^(=ZWhig ztrpJRquKgyuEZ*ng;QyTNE)u^%6#_Al3>@H%H7#>KNjNCGC-cg5eeGBc03cA#!m!uQ!v@n^gOX~!U z?Oa;o4n}>ISkBbMoChwrifZ2nkV*?tmWQF$mzj;rjl396`sq9A*TXQ6^!GZ->hN$= z5ME*DOcrhAZ4g6N8tcAE?b6sae63Cx;NIvHonk6J%C7tNw8Me>V;l{$DD;5#5H)yh zNS^{DsHj_kb6!}0BRx~P^(1+--0brcOrKp-ygvEPHd^~IOnvtk3iBvS0OLM_Bb0dA zr%Xn^<=v;&5!vP0Dgq2h1-AxB;>HG}AikP5ayANz&&E*TsomWp7zRaZKu5NQN}f<} ziK2sS*>T(UIlzy%zo>>`8#8}udV)5`zT!DfJ!ihdP;Ehy=WBlatWw0h?KRq*x%2l( zNN9O}@rn(++1y?8XqwXJ=j6gYwj7LJuwXT!ey|*Y?cg%tM{XZdn_>J8NW@QL*VuVy zna3qRLI_&ZeLzL$5qv%e4a+NE;-oLYY(ay>gU*ZiT^=3051*J8FY*P*)et99UUi0c z83$5uQ0|z2=L+;m>P!7|Zm^SklTDu9Tz!d6)**RCmQ#~tqf)c0R%o`o;R32%cp{Ug z;87*w&TBz`P>+$*psa|LyttPR^^Lf_!Cu1dAK71m7<0a4$4{@wt$Hs}kWHs_=hzt5 zA@cgwIF(t>Gj(4*8%e>~3!#2FnNN*y@4dDwm;8~O4QUee;?c3yt2o@KQ3Q;=$0y?5 zvGD>A$kD*8A?8G%eIZyrjuCFeG#H4njKD*3vv^v7S0h$u z%!Oqweq$hPI%pMGDmULljW^yOv~Q+=_uf>$w^x(4@bGqN>nLk=wcm<%V(CO1p(SbI z3#)>Ryj}hLtg%;HzwcX<1^HEt`yrI6@0%tsns}n3_t=RR)m-uG9c=u4T+c_3V#Z~< z>$_2BW+}1VI_D0O5SiAddFjYUjW49obxc;$W?oSk*SG~1VJfusMtg#_nG@8Y`Waa*3rqoN)(B*t?Yr|3!TgPxFdcuIuTpeem znq!PNyvaOxglfvth33+}-2SEzW9;+;22`d0t{VPib4vdllKyy`t2IUkMCGb)+@!P} z(V9+_oxi`BWn6YS79-f<5ycK(Qz$>hS$;jIBp7!vqi*Iz6g>b)v@s#qJ%(Jn)IziV9f@2h+gAK?KE8E-5kZ~KD-Frb3 zc@YHXs8KPc!fFTKv6f@L45C@=_Eti;>e<}8qR1*bH&D+WF3b=*dfJ`Eq`50)}yrdgqsB=ec4ZRn|?^(~)*TSwza5nUI>U{d2H7Mk>&TicyV4rtF!_xurjc0(fmM>UMB00%7p zt)H4dQ2pOQ>rrv~f!3dj(?7xMSG@@!^8O+dKk)J&XeSK63e$f9{JnO<#PF*i{R z)3O4NEd2`jmrF0dg99weGylf^Bh!Q1`^O&gJ3xAX%hlf~8BC17s&2nDkpbY?lL2rY z>Q_wv7=Vv8{@2RF|Gky}2d}k{bw3{00{F-Mr^-U2te8|QA9CYUKTzmQy1@<_+RZ{xY$i2}iA6T!XQ#UO z*#Yhz0C@jc{{s5u1z4f^FW0}A{^DR3I7okZVWv}7Q6&Ia*q_ALvbAmGCQaPPqcSd(A{{Kzr_ zrea_m_|X6H^G06!ssc0E39fXV&m_yZn5`~Z0$z609F z4tNLVd&moTe}n zt-v@Crw5(@@;bp7DsL9B0ekLa-pB9(e?a=<`$IlJ*$*S( z2VEZM1{ej*fO3KP{~Set_|K#3VU+x!J1`D>fa$;xSpFle9>c$kt{-IqaRkBuo}bwI zL*V+&qzT9lEdH--1x`hOOf0~nfN8)yznd_D-yYK++4S?I$v_Xl3rLg43V`7Q{{Iim znj8Re?12wI`1BZm;46@Zz=i_&0IVMv2hxfI&_H0mhj-vC3CstiHGp@I{06>1G~^*8 z;02iQ*y@J{0q*4k3;nZk0AL{HfQ39#@S)Lw_eW|2(|~axaUMDg0RAC-gaIJ>P#)m@ z0bw9gz&wEGp-jMG8b(I?pP2kZr~M6+0quIM7FgsDL;>>fALHN=#s9=)27t|iM4eF0cL0PX>A01m*A8DQcL*xrXYkhMS9@E8KW zKhon*+yQxjaUg9T(;h=$eqdjGXd@sW@H-IS$8=y@nSt~M)&mGx9=xhP4mV&fV2+1g z`3M3m@{bRIb^%|2?f!YtK9mW7Vgm342n5XhQ~&v~8v+Y3Me&37z^?ZXo`<#o+Yi|M zdVGNN;{eRNk34w{ANU4HdmLvE?FZEHC$9kIJmdx7@W5Xn{T}%Zg!>T(^6H^1U_bbU zR}VM<%6u#vnEuFXU393R>6*p(mC9_j(G8QA2`v zJi`2^@SzMqJ&&vdhCp2ZKgPa4*$$+~!;l1ofcQ^r{dtAx4;7yQpk6RA!qWZm2KX6Z zV_;xj{;eLicuH&w}1X|f>GWjj)0GOO728W{QX zxnOkgdat30XQ6B`*|`z_Ll8@zk%oEcor z3!A8_s&E}?P}S-uch5P#k&_E0x^>bjp4n=5((-Azkq*HVKr%xVmp)Opv$Oj~4)Wy; zF-cMpJ&G2@$mW^Eb572y`_h}IPv{SCl9QUa5(}tzKq6c<=iFG&5G(n(qMMNKC$SaW z`P>3Ykl&f=fr0x`Qoa|Xdi5lms zuK^;yyW5w4N6{a9NEcPi)QtIU2ZXuest#d83)cFgOBl%y%|RWiZ^C=Qq3O#kZHpPsZsM=$ zVm!mgn+&Tt-%hLCV1PNeJsoPD>gj{r*tx-2qdR*!e_6x{djIyc6A_U$>3+uKz9{>? zqvdM{mZ8o7bXV&YTUJi*;vBl7t-1I;d_Z|(4Ue1m<)STVAAG+i zYN!60Eo%}8Qwj%8xJN_pVg$(6Jy#^w{k71YS;$3`@V9$(`}=$U>*VLRX1*8q`}TKI zhA>Ll*bq9iO<)K6aF7S*J|$4ypm#Mo#zBd9noFIPiU5p!5$>_FVQ$!Z?vZfbW2`jw zBUhGPP(d>h9XEYa96(jX<6|PB!jKblt10PUl)UXNG&O*<6bWrf0hM zmFge)dQvz4vS9t93eM2rEcyF=zzN-!_}7^k#-lIR_x4$LRBtwm&S;I25MBLmgJr+( z_TNn|})VUyB2dc_7=D3UhksIWNYjDiPE@h;zbk0{orX6Brfy`NL*_H z?QHxJ#M>+bz3MTYbp)w^&9n0oHzZ&72$q~@7?5K#=T}+2`v>w^4U^vVtWw7=m5#KD z98NghLwKLhw5Fv`GoRd}Azy?I-%tw8r|*3K!UeC(NG{mNJ{fe@s2VZrGqj{T!9JHL zugE~|>`R!ir)%X=R!QIZgs9U_GaOD$s!EcCC#Dla%~AXW$+Ns zEhD_(#=+}Wm@@h#7|M{flgzatn;Pfa!Ko;V%vVo6EWk9s*yqFqL0|9SX5y3aEoJ(0 z`ny+ZlgX3U$q2`z0&Z3-^om1iH_b!=&WnY@1urZa`av)&-+E_ zD`{>YYJ{vs?n{-z)FUqf#{s|*<9XGH(=$99c?9;#J%kWn_8Smef?lflww}mZQhHrm%2c0AjrbIYLbq&<4})*RYEUojrL@=Z zyKZJ*xhp^K&ERWkw#T@~maf>R*dyNRGsR7-&h6OTp>9E4q#KMwhZLF)!aY=~4f*hP zyhIB>@;ld458B=VF?&kzuOsQ+nz3};ycHxGy)tqvlm=*_x1aOtX*v4}HeEfl52E@C+3lDMpNdt!)zZKGE}FS=!`Ult-t2Qm^a&ZapmJm+ zT4F;BK2}c%WPfazQNx}4w@F!iD;)R6*0k_9j?k(;C2_U-5v$_lUfpBgrOr!Bjd}~K z_ByrwnOYZ!wN%->BAb|GW`l4?M;q+M7C5U*E_q*x;@(O@7(uxYC{V}QK)E?P%BHqi z9}O{;iKI087RQ9p6A^!efGVy{{aU6O_IxQ`nUpTRk~UzegtyXL#&H3ZWHyW*1B-i? zAdzjV>>Xx2IGT}Me1*l zH89_Lj}*RRAn52HRgfx-2R+JYUP@%_4QIHb&|JGlkkgevrOr$s9`8YdqS)~V^29HVKJkU^m#ZqG))Q7V9`j3yc?tpGtA2M0>y8midoC9;b*_wDPRSAkN!A!Lb081&A*MntQx4Rf>d8TIN-MY`6px;9oo27{?Tzb4c>Fp#T;}{qdT<|RxtsO5AP9%wD4KhZ()iQUS8M$O zgk}eF^HQlR)i^XflbpG*VFCT*qJ?!I`k-(`6tD%a-A?kF4<rDXaYkWZ{4T;_pNAd&5bO^$S@QIr(YoSB>uyx0h- z3&?pE!mtY$6K3!lYWN?am(BJNcJ|fqe8j!p0LpLh*~rw z?am)NbSAjCN%WjAR|Joyy>xaT~GS5B0iFR4tB*6PNExx9Jb^rFu{?Di6bR>;t{cOC-0^im< zD?Clcp&Z9y$rn3D`8v)&CZC)v#zL~_81Ou0y)wtufcyOX8PPBcy~(Ka$%GhYfqw?< zE~1*!dYo_*p?Cwj^?*G{KWm+CM&wjay((3{g3y^o@$?k7Gc6i76A?cahB9xkvUPeCKJiJ9xd zz!!?Bs~d?7s(S%Vbe&=6+XRXR9mctC!K{NP5THW?S1N3DQRz985{NA;)|5P1D6rbo z%{zioDkyfa7dnZLne&EOr)4aBm%p&bR$O`2Y2{ukbhFbP@=7ktGg}YddfOC(oZHp? zJ++5~gNdjbFYIRhhUXVIsn@$4{@$+H5Gx^ZA27-9v0dAF2&rBAFTF**%u~mtL5l-s z&9A1~r6O`sZW=c7de2X)j859<;- z_?BMR!JSn0M!nlWz=AHMutI`?{gVJYGuAMg>|~vkbxkG2C<#2$#2mb`8jrC#g$@RV zF0$JcJ1-*M34wfDU_Cw zl?JEfM{i1s1-frfY$FJ*hId_J(ZRTobyoNK#ivq^n&o7Z^Q(Z9s06WH2hnON1&oX! zV4uL((k69wde@afhU3V_+LsonDpzk?C>v)Iog2F5VnxWwM;o*=lVv_t`CzYeQuk4} zPnq&iwaht%({crL<2^cV@x}){d5WbTJqG7)SBY7DANO|(u^ zCnEb{mAxD=YMDfy$j1cuq=X#sC?D+$dBV{IzJD87h!9Q5?$V(7^}a(4;5siR+48kW`Rdwf-868T-Pqep)h`53c3CwQ>$ii86M<^f6Lu@OwqO zf#Hy9JG$`7g6>5rS$#TZFbHJ*L?=F}YFVE35>>G4}c4hseVANUns@ zqJC4!31iRGuTF_RULo16xVzI$`3mT>8pnl}PzJ@J2Xuf6w3Hcs_|La+cp|mBO7jO)V;SbF5Y!l@eFU&{%Uzbi1%IuLFI3TaumU z_cGpRt!kCjy|M-}U}jWYY$4`caRug!BHU`IZY0^dxetDAvvO_fX$;JFg#12im`N?c z2o>R(6|M%z3$80^o02CKHRWjthe_Xv1R@5HzDH)^+kL!BE>~jYG>SP+_jHJ3-{k05 zd>?Astr1hq0d{R4$~ZwJ+XRCY4R2i=h1^tSPImcZ*iXesR;Fq|q4_I*i#HXM;0DhJ zIrq}3*f(d-kFny&umrsg+&fb$Y4z!~qk`y)sM7$mHxn*+g8g8yGR!vRJwmzTu zQkhsfl0jR5j;)cs>2>)4wiE?JI}%n#<%QYJCSZwKZ%!D72i!}8Zn&3KQO_DVtZ*z%xzF#Do0^b zmqxLwLe28h>SJIr4xc5Be?oy2$Tus;UW6UmeBtgL-wP%Hr9bI@47a}Aj@5k5^I9`{ zKM2F9RM>@n!l)S|6dpP#!bYbwIq2QEA^W76A-#i`>4h>rnIkJqX~M#~OqKhSH2_aBX!FhJh-ypNJ1ds{+^i5~P@ka=|UhZ}+f? z%F8?Y1_X4ik*)aD*Gl-7E)lf5F2tbW5l|aU_;Psjw^&mhXy=jdNJzT->`v2<-7@#+ z=AjL?#CxmEwKmpH7g{I;s=`5c)|)@X;8{!@ov=TNPt~NyH<3h-vkR^g<|QiPkQe)k zf9-7~@ZO&RIp>9Jr-^fnHW4eSjQZqTIAZqNjSoJe8;j*q%NnBxW?L@hWi!UXxHi0& z#zj-|G?L4nFF%eD%`}3mp71{PKsEJ;Y^inKl9cH#=aL)Mt5P^@sgG+W!jYrk(4gtv z{wxak3GCMm4&h@ebfdxImZ`t&MsWz!sNdY`=nUCo zkZYf27lMEf+0jLVX3IlM12$dOeN-weWOHrn_6-T4f~AzrBN>BTYk} zX-#wI{?L&Gug@axP4@){mvx}OcRcJ?&~6pLDL7#si&gd-V_P#=!CT}=gY&NV6!}+p z`^iGs#Vp#&R(s=C9Ou-Q%EuzoJMZ*~HxKNgS^t>#Z+J+r8HOMXMW3ofRyNG7O% zVsbPXjq=j{DMXRJE1JMJe&yH7>$B8C#QQ`gPg@VeMg2UOs8LIW+23^1kmCCBI% zz`=wsdmR=}%+lw$Hw9-i-@FY4X#zE@LxlaL)~tKIM4+*#qiJM!iU}PwS_`Mzr8_mN z97sRU1#hD2qBYrdCgfH1e=+usL7D_zyKZaRnzn5{ZQC}dZQIkHwr$(CZQHhOoqoUf z>^S>G>>vA2)k;*Z%F3v$T#*&mJ#dG3@49T=r$BKVcbOGA)X`E-h0ZOnDID6{L<1|d zmRTC-PN0zr&=mU2eE5=#rJPc+!_=_VYh8+^AQDm^4C)=9Wgrxy0 zjG%ITVjV+&$yXIO+UkJk`%vy6oBWS6PY>`JH8c}pw1$J0p{8+t;1R9o$M{gtT8Nh%M!EDAcv7viIoXj?&69!o)T@M_%9Oa6sJZ_ zNM_oA_S`RH_XWH!BWrbbkhGZ+AoejtbXPY+D1nNjszEb+!xT0m`!C>CXUY_Ao=rEW z62@m=3P&KC6`xlsW5 z$s(XyJOND*-*t%s+Gz%4ISwpGQ?S1-{5;ls@vv$rjyMNnI%O3k>`ArM&;MQ(NVYmu zn(by}U{&Qt(X@M&M$#IN^LJc9aBQZb@Ys03mmgQvnX@ITU?a7pSgFcoW{c{QU@vz} zCFECCC9nB>s^X1If?N61R4V3W7&c(;;9X@vRwi4#=^JA%t??Ij&BZeYb&M|jj`w(v z(&}hRaetA8ZCsq7pg5}!NEB16fTMwO6#B?U=A(HkEGByG8nqFs5OcK6>YMrvgMEUS zwlL+>`}g@pa{)gdWyZtfy^y$aV13ZhzEcXvmQ;G1P6o?QPIr`HEl2V!-!{l32>8WiVvq{1|BP!6sR27n2 zRcU6X!7&MUEAl9$ouQCOZJ~KJE`kHcnN?bxn-|nc!;b{Jq0=yc$SQ_ar;{l&>Rk4!0ge+{!;0yKdWu zb1^Xv>JPvx+rz%|NH#~Kk7`}ju7@iCSAc~e4=e*x%++w6dHUOK#?=gcNYA?)0EJuEz9dsE8OsBc12F?oGOuZ%TTO_hF}c%V%A#I z1@Ws;P>b0^h9Zp@^bA}ew>vi}rt3^LtQQgYOXAa#5$SqgK(ji|vr)ijo3^QtL%q!b zh5YhlYn8+DdNCKF=ZdK~TT8`iItLxeK(_YrG?26!l%h`{791Rc@bq9h?(^j<+?#;e zQRxu+#7>O0s{V5B{Z%hC)UUuC(jw2|1fuCOipJkp1VI2_=l|Ce|p&_Q3HH-GA5f z(N95fBR+P%wmlFVHHGll_`@7{&E9pWg@2H#s>T(&A73Hqa72SEE2EC@)U#{J`NHPo zbb$Dm1oP{2{qhhJ-z=xOeq)XLqh!Awg-q_G!QC;5xJ!m!s}}o<3`yW({7Gmmp*%ptfsM2}s~-zx7ezn8Fa?dL(r ziOCYZSL@I1C>-1dQRD1UlE#@XB2eR7QG&Sl`^H3y+_z__`xRF{){rKt?>Lr46jp@N zZb~aHyj~y=9X@Kdsq078u)(<0cogocjqipyxF5WQj-Q; zgLFl$H*?A-C}pU3>nYfDdfuuJ{2|>-_l#;cb?OB0VuG|HVS8i*Z5JnZtu2n${YCOP zAq9guY!jpuLfj7}A71gk!50Y`gGt?yG@HzKTZvLi)#a&Gl$pGQYPbAQt32;!g8~Hu zD30BUnQ}Hwc#RDXK5vdRIMf)IZG4Dd5*qb#_>tstTNdHP-82z{h4I3U#)L>Jt%k|a z!GAZB{T{JwFwv%F+HX}-thD5GUqDY~eF7MN^!@6sCrNpzb2*6iIVxdm0u~@L#dIEJ zE{7X&ihDjYpdTS+uK*bG&+`@sDVX|@Y^0>K$RKHJlnAhL6?#pUCEf3&cz3*_>+6yU z5%8%^olCzhD+Y64BwzSF(-i{1L3Q%DiEP4#9zb>(Go?SLWh2!G@fpxMr{{yV(mGwE z>QWqw@ZQ^91h!AzKbeJM4y_-m9rM`ZUpkOtoE#S4#^J~4 z2%}KWWu;3PXHb(*%A+>K$^{B)?&EEh&Ce*<^$9x$`er%EJtxCzq|&TN<>;=WY_^du zxk-5{A`n$BAbp-sdKQ}xspc8z^Lc{hDs^a=ZiNd)k2^XaTN}KFPY4%}c3N}0$zbJh zA*`gPs;>%^l`yb#qR?oyI->@}k@8$OW%uR}GiIorJcc~`+Bo#%fKswDP9yB)6MiGw z1}%O>!;>xVY1HALEdI8GRjHF--;D+@?cEH1-In-WSBg=j9`s^L++G`C5VbSFBSO-$ zcmC=QeT>sJnA21}&d62{Wh9;MkO-~13Q`Mxu+WxDNdbPP_?Mc8)W5nYntMmkBuROx zBzzAoZ}w2`jqeLuZuIJ{K;#IIr$kccoQ4Z5_Vl!ed!nXv<}qx{o`xDIFE=&;>)zT- z)0ti6xs_6k?!}V(pEx%f(Qh~r9aUHju<5Vi&l_JOhUwj7UI*=g$!FkT^XTPcWcSmm z=-r@%rHy}$sWig+k;L)l$9^Q7V-DU!C& zsJIGTm*LnXbQj@U8mjSh2Y7;|HH{5X^=pn-(8`bl9bH!8YhA{^k?=U)&j1n+*onF> zQipv{8aBp zY@df`6xol|C)K%+dS#e!!B_A0QQ3ZHX^G)YqlouL$`|PxRm*Ui>BkF>&Bdi>1FD~? zw8T6EdMV}wUJtEd1;uh^x1!X1nr#Nv)D(vYqral^AXo3k+h3R}wrUG7`MBVruFn%# zLK`SPy>i&eJ6Gym^~BDOEpDr<4{r3#-6cHR1BVje90ZvHFKhAhIN^?iugv_H3+<)B zSoUs?g1m9-iUp&$Pa1KZ!Jm7TNN5ApO z*}R=YhQ;O`44=Q(7ZLJ}a~lIWmOe)n$BB;y@k3{c*7(hOpg@oN$ zU0&`#Ex~h+F!b$079#kOR(W00@)lcPSTy7?zM-;mF=$f9VXB?=g9CC&rq8r>Noad;DVs6?3lc zIUkz=kQrILifj16E>ldkQ`6Rs#$58!&e#9)ujXNMFd<`m;t2R_+^|wL8B$TbCt{tG zio}G+8m>#1m>4Ktgl{B${zjH!0qjtsvNjV>7jHSxtL%T5=m5GE24oUSt;C62uWC}% zs7tkxmbxHKyGIy|n~cwuJNE0bV5bItQm}hWEc9w-LoR)Hr_C*%aiY6+TAlNO6s%cf zVZsbAhZmQ+$+GdZQptq3rPA{kj05qcv^p4l$o`SZFFYsoGo8`=R#AU*^My%@yxSoJ zJ^~U8ZJ}M7qGyvz?WW(GS-CtC1}LWw9$PKjxwB7xb9bm*{5<&rWI5bi9_!!)nbM5J##l_hjp z4w*NSYL;}uqT&$u?%>}awKSFoZF)DBx}!d~@w0@q-xlCsz}?q z18j9$tg<|ZqeR_vlo|jIU=Z5vln<^GswJXb&hrhcyGJy&0N6^LDZ7=XmZ&~CT@O^s zii5oyT`L`(rDuP!t?dq&6gy?Ra>0=vTtFZf6`=($PSe1j2#?U(MXZ(ESHqAl4Gg7_ zdHPg>$_|YS_z5ax^}rp~yeJks+Va&iIezM9J^TGaUWtccu@^XxHEjm&(QF>LUs}MM zt8+BnsNYroWa`?1ZJ8D?0>1otL)_uvZ#+P}LY?c|3pL!MhlSoQGg}70_u3rl8e3{$ zZG`XThu-{@3s6Ykf;@Ah=qAUN8E<>{!+Te_w>Ojq=1HB|eK4GR__%b$`3f{BR&ay0 zyxpZag$7>}v5_(Cq&kw;<4*R>Jx>a5gm8nbe>$}Ui*nPqVQ%?(N_<4;@IhmS$c8?G zF(ZYbo20HQ6aY()sl=G0SgK}l(&w1ebl}hj*($^J)bqD|t{#UcXsks2ID<+<@({o= zmmGh_o&qbxhKLuBP8g>kDQeT2XN(IC)8P>~+TbkdAKUx%Cuk?@5KO_c_X&sbfCjIf z-xK5ADu4d4XtNe8sMP8}E?nN=eeH0*`0`#3T83>75=PVBp1Z3PbQK3S!!Asi4#fCM zs+WqMl0>8Sas}JlPJhr?Gd#Q}k0uMCq2>KF8_t+||JzyRnC7Lpnk<-@XyLnaTf*WH zRB-C@dd+Sx0{OUGL#?c@ULDkXiqCnS#m7U|y~ziS3VvSVd}pbMJOF9QcfV~gEw zMWN4Yn# zS)yBQawonrYeaNV#6y<2=TlF1@UaftC=l~uA5IC(9nr^;V&+V}oMZ!I%b%2BV83n{ zGD4*P%$?qywGeI2#$h-X@6A0jtFD?%n_)K7GpP)ppJ9-u2BiTTB`AUt4HnU7tWCEl zfm+3@ACgyt-=Z{@fem-O&0nf%tZ-15WtStQj7Z-@pZhoUCXjY+NI0(lbni{nxsJPj z0`6SeR(`o(0SQ%g`qL?8RPNP*(ePP6O$#5lcw|!WS-jzR7$KPwSF9P~1D2f(tJ5LW zQZ&hal+-=ppzs(b4Xbzu2!b{385g>s{=6vfy~4V)Y2@9T%zK|C+6cJVjUUA;)w%q# z&?N(Dxcxt|W{vN!@_;+V=Fhq{s*QxXzoX7`e4vV=hJzoLvNDQH5{WYp?>FGzM%?8@ z3f&6{Vug*LuyKAi1l*^ZQPNiFVA7!~x)N>UFf=4^*nW9;c>?!`hW#lNV0rXeL|}#6 z=n(3v}-ZzqFX& z?f({Ty`P!p3+y*$s+xO~`+)Dk0YgnU}MNe%}4 zk}>rgN^%5U(*Z=A*rwvLQrI8alIdm?Z(u^%mMpfIPrMzw;scy^WQ-P_&#$b-ckmek zg1?w`7>zJ6m%ka2uW{Q0#912V1mE-T6I#U!(fyFr$x#G3@;gSGw&P=G9JaVLrzm3suD36MRcS)&Eq5tfZ4{(-2z zx1{{WoqA%j?xVuwR9Qxhrn!~=V@@a#_VmznwH~Gred_^&7eH*o1nZ~(UeO?Ec8RCT zSlYu=j%PI0+=&mlGYnR>Z)Qo)LGI$t^_2KnfUm#pzIh4Aa5+&O&Ecco)?y~hmVM<@ZZ zlFuqPN{Fd0cJ5#Q7RF!axv9&#WknEmAp7EeHujQE3(c7h=g4!beD%Y1>nzQdU+ppX z#wa04rRI?FHAO_YCq!wfHmp9-pZAjl9;R-Eu&pl%HiMIon?o=(=JvDMnl!4gmoH zE%r?4LI=SSXT=LqghQS1kj&}kc(+`xqK%Tw-k0vM98)f=+{*2{j|P=yaBIl!l%^H9 z{zw4G_P=S*|41{9`Z#Z&*d4th=n0&{Gd%Kp;+gQ%zWWjZPltc$H)$35mKpRXB<4_j zTCpPSvyFEYuAuNsR&(-YqEooY7>vIZyJSMwuBiUz>V%EL#w~QzN|@3BTy>gp3!mO_ z%A63CGI|bK3C{RVj+G5uFm+;ze(?zS+>(ugvFYazq}Fh|c>%D5fC#YJ>T9NnU$!O>q>$=-2?86Cq9oX5Ktzp#$G3LS)bM}ug?m!>-e#4d7~@*(&&Sb>;>Y3TBW%O zvTSXVmynwI52W9JfS3GKp#*3{X`r(HZP-lg%b9`MSV_hFvTHcI3cBaS3)Rda6Q)dHrRTlpV_r@s zeFRb@E%HEG6$9KDnTxpQt@?Ox?+eUIEb*VJ4sxi+SI)=U#_a*;BFT9juYAg!_;m|T zl8C?Gg?9^`m?E36FZTcJPI?5DC_UvHR=whTGhw}%hN(bb`nsWR`T@*EAz{uR5H&k# zu9aU$HNE0q;@RvL?9=76o|H+csCXc>no=^^U8$%5iL(cSY;PFh*L;wQUj+n)5L?X@ zBMv&zQFOmT3E(^w(w4To-Tr8Ap!nO{+g|FUlG;DW>>^H!W3)_Qxk zdf`UExAS({d$4|kSzcUo?}=y6Zy6oC2~1?{8E_U}G%wQ`c(DniSk?UZX2;EC84~<8 zXH3Y2ak+~tS5G&o)<652*EfFxH-)aE6vePAa@U?v2}}JWQa2#laBgTO3_0Mwj$kv+ zOwIhGam&9@@sWT$b_Tw>Nm_Ig{EV=JN=TP8@i2Q0C#{OltUfSWBFChCuZwEr{t@

B15uGQ^$ED-PeJb$ z?`_>%lBJt~Ps57%JW(hRk@DJWk)@%ZK$@E{Zc+dJSN7Np=h#&{{%F7i^GI~Ab>!kI zck2O~+=a%)iL8|F)`cn-6(iLxdLfrRL_Jn%sXFxe>?xtj_%{Q|T8j>JmEoUBM zYhJ*R?6z8e3g+p6jvyg8#R;D_r;g5mj3j1aQSG<+_wKMpH;!Bg;p{_h$?@q_K9z2^ zHws%?Pa2-O`bs-hAE7?nm?6#(yxLeB)H<}yf!cLRa8&Otxt7w4nh^OngmG8L34#)+ z$5Eks(3}dE?+hGmp*^ZSpWn^yOn|jkhgYlpQqM^=GD6^Kpen^g@Rho#PN+sXAd?E2 z>URad4QYow(t=yP^?a#`eewkgZnTY@ke7>KvK`HV0*FRJpKQ}}u$9s2csM={#QBg; zdfn5f6M;Byu!iu+Xor_bkrO~7{CJoTu|l$znLEq+3U^uf7)3>TS9R&`#iTBkVep)$ z$Fm&;$>>PjD1S>BycQCbXm5O4H86K#CRAqJKnlcqZ0`SHUV=N)PfDB_+RM6 z)A^wwxpVKcR2J#*BTq+71T~}@8C9DBzS|p$F$?Tl!kpIK3j@`|UDd!!E$DQ*5Sn#( z?I3Be#RGFd0H>)&@oEnae}}3XZwg8?7N_wnvQHtNXJZTZi8i@*!)B8cOMf(8L~68( zK7}Nj{C&o0T#ESZ-!ZdqUS67&x~2_JCdE6_e?>;`f4!{DjK%4;TlgS+KD@-eQVz>y zZ3PCl*=RZcJ#gv13Lv&cy0glqLIJ6hJcNocDkzEzKI_GZqlT$o-Mo`w zD~!4e(Hd&`B0q>NUlY|B}U_tP8bl zhanr+5)R@fQ_T|B;FY#s$g5azaaywT93_gnTj%@ zB4Le%Pg&|QXDX)D$=q`URbYo8mChA2fV4wRYCGxqjF5X7rowzk-sW;kMZc%BIf-o)IZwRKe2AF0wHF*4nd17)o5zcv z4Ww)111xm&iOi>)i|q1l1DF(VY&mZiDcVF_j1NE5ayUN3PwP9B^}K+Jg=v>@yB2mK zA9NcviIdOH)i}gRs05qqK*C@e`sKj3y^6aZ6-8bNE#a+&-=w?NY?t=Za@)uh>?r`Ts8LU_wzS?=NtRl zcfii~uUEvmWJAr2d+ZGBKwS4|)FD4sKkniCPZ=p5C<}AzLYG=M_%Gfmx1AARP zmJel^1m1!D%MHa1JDyjn9xh%-sSjyiQxHqSBL2)GTvEWmhHa%0C|YVDm-a~}0UqQ+ z7b&8sx9_o;d<@YnQ*Bx1V{`{4(aD#v?4g9#7@WoW)R59T_R&4-S31_yk*4RUoQy-%sq1 zt|Y=ptOY8J!`{8Zq8GOvyEiDp+Ji-F-aqx!U|7ihq{;12KY=t$@}Yfg?%-a+=`FP_ z&dVySX*vMKz=*rFb~*paiuzYK-D z{{4AR(gntlC;wpbSi)=ps*!kfW%TR|PXZ2w)G>56jc2|GO^k3brP#z5-*CZ~c!QOT zMKziRG<00cu7^u39oAH&QiisC;2C0#*%Ym=GUFzl;7sZhCJtD>u&E3`#tOo##ULl@ z9V7(e;Soj3mLuSROD4k)tML{A;YE@|6L)p>|bs}qtORq_l;X_27|X% zGQ2Q|x+5fL@?C@~9>7%ceK%UwI;>&R+AAGsXh(IDVF6c}UITWHL@72-wg9(A*Oz<@ zYH{P*KLofa(BUASKiSQtr+W}a$utDk!FrvS;|}L|*m&xsFe;m4Y` z5ByD_^G=K3;x?lRGcM`+Hh~ma9RO$VrpF7um67Rr^S_cPzGqd!Grz(=@A8;eRbE-< z- z*lon~#PV!mF2(nf@X*=J84QA_*xGoWVcdJtD2OK^utN>Qsu^f5$UP4pTq1@J>V2_G zy`2ACG5y;_188<=OIUQ!oZUZCt^M0v%+elss-wbm$~*$0q?D%fhm{2CFlHEa4PEa- zV)K*UV&4NJoS2EwV75mzjO!j%d5|;a@cT1JE$;bFDcv0-dymkdML%edzH~t2B%QgkSt+& zH5tceDn;|~S1Ig#kXF+Kx6_zp0-g?PHW&<#>pob&2E!`_e&QOO#)zVLZV64AGRN@@ zl+0U|<~H;Wr~Gj(Dd$p<_3fn#a#Q(srJgUQ@ET#pWIpv52Gq8$sb|eGWD}Tkt2h-T zSv*aB4E@%+1la+pXsvOn(!R-g8)_E|ygfpXbdhn9*_?~PF73ey=5NoIwd_Tqe)vZq zF^8~@G>pO!d9AKG^vWpPV~UrGQN53;DMje$geQ>9Kf^Tnik+)GX}=jFdU5LS)|6n# zUB@ug@QlkBCM#Dz=?UtvhRK+c3dkzDmXF4(na5w=v4MEh)B=mdN!w&4osNw(C9~aJ z<$l(rq~or!L;*`RrQ(f9HFfrTqvUFUvA$=rC5uY;KNq64_A+wYJ( z9u73T;ttr6Bj_EKI{^9W*>L5!wl~vd*Ydv3S)wp6SI4qNupj{ROFCntuzj@c$)m|# zPpP0o5jd@7kVz^~!N|FR=V*hG5XiE;3|^5Tx9~HHGgH5B?ld&Tq25RFA?2vR8kPt0 znkxUIwzfyUEB2yFhZS0%ii&RgHB);V^LiRPnN#-KH+9&GRr0#gx;|QJd)wdk#KjdI z&q}}}FlxU2xiOpfxXv=5V+AA<9N5iCd%%^r~Lv`T&DD&5#KTX`H|=6R9; zGaPW8Yc^GswUCOYk{(y^j3^^Jd|yEuQ?USv%?6_d5^3Q zGOu6%g@N4j#uvRHYECbhBS1!r)lE%Y8m=x+0>mElO^5Si73ztMSLT zp9O6%*_mGlZ-&{$X@}}->TRMcC$pe8Tu2|0rAt@ke{dCQW7InY-zEbPO=o+?Rtm>y zh+1F6_CIs>SRGZSg`5Ef>y26I8VS_g4{8dYw#t0b^4fBg_<~H!yG+6%Y2_H|b1k*S zjjvw))Jq0}tw9_glz|1R=TGo=vyQ+UrKF-`9`FOL4V2lJ5I$B`&9-^r}QrzNjGu z(N~)J=Zs<4k4!DuqPpW^jyh4_!l$#9?uN|rt>LGVnqG}nE|!irQd2KTZwH?|*EbYq zmN>O&)QD*xOBdVY|2C5OH++J12u;Ou=8x+M@nIFxnsLaDho0!PUM0@bR>|r@=WnTg z_KS4;M&$)tlJ_JTXbS2`%Om?H$uftIdjbJBW|nFnwZNoPacgUTjX=Q`lBEpy%a=u9 zN$H>3@{^Fcu8rs8rk4UOGE;A=W}m%a$R3t)p7Xypg`3A_UaUfA^BD{J>Spco)3%Dr zzg}ESv)2l6{EiVrN?|F*W?>QVgl-DkYai($n^e(kQYo~Q3h$;VgSxBWr{`K?1i8`{ z>{RuxSRaDv!zc@Bs1--+n_OjUkd~&3Nx)(sA+w&HD|_z`%*U&dj|%C zgC<$A3*lWtZd7ttjR5%Y*pKL7nay(+pA>Q!1{Q{j_yZ$VAV{3%YF)9?XYEbu;d+O1 zOeUs;UEf#}`qBH$2n+)x7zO?{dJ+M<;F?%UCi4VqGOV{_g$uvCHkvCc)%_xipP>H( zwx#R3iD5=dW`CEC^KcQqELs3t@3r1T7Jb$n zR|=s0@SP@0itl>lcO#EXIz@k%^z>_B*)vusreH{R)?-?$u>*1b=tR8PRp3#J>6#Pv zD~8myDV62~W}`^v42cLocZ?ZCrN?oxahp-jFLH%ZUq6&^RllGc;v;PYpw3trH+$hz z;wQ>h$)>o<{l$Yu049GH7Vz{g4@RsiyWz-*d!=!E0jrt08{+>}eUrRs?5#9!U9?JJ z4_w{#xz#MM$v(Ox(hFiO>!!K{rxFvXUadj&)4#!=cRI~W$L6(r!14dJipuKdc*wx5< z;ydFKZ2Il@qRg8^nd$Ddny5_$sO~-cqL&Q`V&Tng3YpDikh_!MhTHd{yMg^UDRdpMvhxzi%s@6%OvD5dK@Q~1V~ zT6z#M>=G}$1+#eS;IY*PS}EDd2AvBLW6e)rLu3e;!ZkDa)Lig%Qunf|x_fmpAGV1Y z{mFF1KkmEmt$GhK5}2$nnMF&-w+XmI`a{5z=fhmJxDX~`?)3UFbZWz_K)KLXAThPWln{9yw~Wf^;DMFH>r>vd`K14jb! z4qas<;n^&)o6?j4=$LPmKq&+kCj_@kE?LU8U|-UST2;Jj`TI}l4a8$+sL0XW{-R

lZ>8ttU8Sx7Sm z&LoBNIy{IpqoDM$R|-FoYJj%fgK(C~YUUqtgHoplWe&3Dt0dfC)*WUdiWcZ7qu0YJ zO3GE$U(c(1+P>5uFgpkDbNjcsS2<4{{RPCVk1U@F)w0t zc|ButWJ)Cy?7%4N{Iw*^)etYPxjsEOJ-G&%L(9Z#=Qi&-I=;3Xky0!DVwCWAJFbdM zObNx_mfNP_A!_H))9FS7YP2#vg(tJDf9de0k39SWyL{L4_qnNyE-3;Sx%bpa;*?AQ zmL1rKULiSqi9tXI48QUIaL{}SaQJehC7PdjaiS>uyJ?V6a0d6iPKYu+KvjmY1@?PIB6^C3 ztUl-XJIi6gfW-irP_0=%E!fT4>3(^KfUT^zJ$`3J0@M0$QOin@ow%Cxbi7dInkV{R z-GV@8&Ig)_6OaIjPH`L0K8i+9kEOGW9 z;YOz(9BxF+X3-)9K70rh5$UyrHftXJkM*e99};WZX^YG^>!;HosL)(fJW8V>S!UPC z_{~owA>^|Ojf!zVP?eN-`=Ln6vvc@BKU?Aayrriz+^FAhao$~!aK_7PN8{j92cmVm zc~=R-oYOSRn2>0_0;+PMvX`4fYC!wy{V97V6r#4t{|Cq^)BjE){x4wkKY&ePV@E>= zb2}$nhac|DPg+*r+L!>KprIitBSbB0Zf)S~C}V3QO{-{Z>iko~O5fCxfcd{w1qE&0 z2sCMbnAEh4Og|K*A1V|(!~Y2EI2!&?QwdlZS$+_z`gY>R=B8#&Kd2lwXuyBm{ilqU zf%zvT;iPY6ZYW@5YGwQ%6poUUv9&4zGXpe0{r|m&nUVFU2{U~MC1WQ73V;AW5Fi8) z28aMe0b&4gfCNAaAPtZK$O7a5@&HAE5XX!G!HNXn7P}T8QTEN0TuvDfEB>X*wGPS z4X^>&nA;cwY@DqPj2#@!O>F?S0NbAoJAj?OgR#y3IR78(zpm|!9scu(06%AQTO)uy zz~0%`$=Jxi>c7T+D>(oh0glElKh7M@-2ngXj1$1g%)!_g;N)rxa0WQr82xxNv~@5B zxBy%MZUA?{UtH$t(a)Vsj;5Qo-jf^n(|@K*%jzxFE;&VHs`932OyC)QNecDIPF&DfeE^Zh zRF>A~w?V1;9u@FUg~gd)e_=fE*Th=WW5;otzd@bdB+S@?nt zOl<-inID4X%q!0qnHm|r6(3e3`j)=?{N1wQ{72IZl-7)oo&z^9g$C*J*Z)OVR~Z5X zSXPza_tywGWQ@G(Y@*5=Sk8Mv0n`f^7$~l^6%f@_(GMcb7i0t$(gkb|l!gEvDBTAK z$ON&51NQ^57^W+k1W)jxyIXN6k55lSD7YAq8Cn$dukQ4-R&AcW; z1_2P_%EZv>2LQy@1!iPB-~xxh_IHzQ7aKilNPc{ND(J`*)J>9#h~gVQcV>lj#@E;- zRZ}MF9|>=c zf?0jB{`p}RjawgG?A#QcY*&9)9(;3u^BnN!V9&t1o8uXfA(~~r(N30P@mcCgD|R=h z8i_&*3!JZCkqQ-Pf655lI z*p3fx6rF#HwO`I&tbwGxROgzz_f*vfRgDgov3y=mDNEDeMg9m5WtD{(xaWGSPM~Ym z-B#LM%Y9ENTo~GEGF%eUS3AbVohQNB*qnQULx6v9)$V(|Kx8r*B2a)y*?A|yjV0%7 z#pcplPUUH5RJ$`J0gH@Je}wO?-%wM?byDiR3i}=IUBk&Fj=Hx2$!4kbl$y9g&Y7^E z@*;1zgA+WDvBEH+%m=&jwQ*8LC#%jHJN>9`HMVy39n1Ymr%n>p>%HzH%*MIXa5vNMNZR?7YNY;XE=FBH7|hhLV-R9~$?0urF;u zkH7I$#Lq|!Fcr@PqE8rrFPRKosvwl`N`DNux6dL>eI-rgF$^7>Qd&XaICQ5E26aOB z>0C}p;B#;ocjMb&{^u!P#0(s%_~{r&;IiN)vDW%rua--yuZ0v9x5@EG%AgGc3{!P4 z?uO^p79QSAg1FNX^S%C+MAJK$mZ-}5L}M?oe*1Oi1Fg5>SfALWcaSUVS5Qn1s`dim zMDiaw>M=XtwEHgBY*g`^K$?w~TuCF07U*Tws%`yohvJ+Myd=hQQ8y0x_M9bUlLN=E zX}-}#Qji=Zb*}@Jv%k4qB|<1Zu$-*be(P#WA6Dmf>-!_BfoJAf#$ej9by>NpG^?aY z_NwMYw-ZpaMf&QVQLaf+8VI4a&&GW8qZH0uwh-R?Pv@TSyEuLTOlNe)+wTJ_( z?+0r1Q*i|H0cUpxg`U_Qsc3`=Voz%NKiSAOTuYZGJStzmLc48x@zFC`#4T1*+=_fV zQxGH0v4w7?V1jrON?`Q6l4CwkyHbT4k!^}RhZ|^^t*LooCbOL?$v9bz7Rb|l>K#)p ztt7cKn&r5E`{a2&Ykj?3sh&EKfHD8#BJTB+BwQOH6f)8zLFEAb8dy@}*z!m0{8Tq) z+SihsXYGqvBlNxq4He9DBy$-TVrRKY1#{l8D+AS+upa&QW^MDP}QmG zdrTbCl!s$$?+kyI`C@{!j3p+>N>LV@qIIUY2&<}d-bEC?%o28T^`c=zjD;Yf6*Jw@OZm92}u4|y(GaavY z&(-sxd3gkpG|&^dQb;_@?iix7xv6qQ<;%8xOXGe7`-{W3haH%{*G80Ep~^XckqAoz zT7qBU=MYT?9B6%no0fO_7#SEmVHK1|d1vO66H}FJ0FN*xr`AF+I~7WzuAdkwu#7$d z#Mk=TbjgeNdJ24aZKVEEYbkrbVR3U4cuD!Yr*_Ey={O}(GL3lNS`))l=AM}t9E=x! zG7w*po}R5$cjE;=E=~i#O{n0Qn52=)8QsYz_&2X%-_iw^$B7sl(@!OK8TU>6C zp5HuDjiW2yTBG_$&-R573lh)ONMWy!tzF?nH?5Eu%fL*4?LSd)QkX#u>E6G0a;Z0^ z2RS$Tic>3Q>2dh~JQY6Ixn(SU>QFyECr4J|-qntV1@cfs-S0tpSR0#2v2@|CaKTAl ze<;wt_WmLC(EdaSUyYp5Z6no{H;Ga#G_Zgo>a#4Ha7Pg6(}vpaWK=uh4ff5;v)mq3hH z)I8k_#)4qrb@c!Z6NW@iA22UIdFKo`&0(K3&n=$%Glv(#Y z&wda!JXuP27+BPu&k3D2EWaCwOI=FdiMKw__sFSzVZ5lXd6-EVCzNvLRzLHVF+SCq zB`gA9U*5|Qm239|&;^CR4s&+0?TT3Wzp5X^Pfp>{JyNbhMsy8|NcYX>lcuxPY{0yY z4k;2!b87}NJ!Z<`?qT1t>#VaK^6^w#eDW&=hy?XfS3m;pzDV$@sWXp;WzWS++G*@h zREO>Y&qtJVZE>Wzine%RcgOHz@0A|Z)-V+iFxaCSVxbEm(~ab%GgL8Nm4qKuFka6aYc&mn2kp-B zjuRVSUScktjGUSn6KBshygW$L}+O7DC_7RH@e%VwoYf zNqi=h5R0=C_6k^!GJ0Ct=GaXgC^1N|^3RhcR!Js!*EF@L)R0JS} z)uG&Fzt>gJOM<1_EGT!1@~I(7|{bwq98) z2-&#^ECetbm8#fUiLup?v0{HvI!g}hn}U|KQbCCQAYWt9J!z!SClYw!kG@PNYVf9B zUSwsXf_MQTgXeS`?C;KRqrR|g=8^zHz&^`FPNf5_48Xu34{{9wvxAvv^>+!`XgMBd z>&71Ph|RcuNkL*JdiU7EU)~V*Ww;A(lbe`h^ec#jIi%@4yP+0EQ%m0|TlhO+fod~+ zlN1bEn5VGvN=}E)8?l+uPk1@UL zE%563>!rNi)9)@`0b@q>0tQk$Wl9yU+D&_KkZ2k?if)h#bvJE0y|Cmh@?m!_OM*so z0ilh-ftwyI|HgBq+p^cBnYQC^2M zN1n`q_<2Um-2buaGMcHB(Jmz)4KNyja6KZEg{wL9LCh6r82*hLvj9aa^h@~rO|?QY zC{C#tHvq*ls#lTlB-#?Y{se|UC=1VO$Jr+7JIszK9<1^o9AEz!`S>$mw#YVm?F zv+@ONePC`)AX$w$b!T=&_&&4wW~@&^B~z&}IPw!=PYG)IRH#DW#r>nP7naPAW*S$b zq8OvFD6LWpf?Y;zL2&zB=HLnDgy(`BWj~iZD79h%pdR*=UCHD$U``# znj~5hvTrgoz_T_KIn+VZW|7rNKevMGdWxYF8@pXSUp=cy^g-cC)8=ey#pW|b=5#Y+gOMcB=?!#ft_}ENeH(;-!lkLqXZHH?+=jaegh+{%giLNYPeZL#j~vH>$tEQJUlbBWXX)ideOfMN zM{Wq(0)}ydJfpCV;uD5nys_DX*x{g(<&Idt^5J+3DOj$?F{s;sT4;$w($q7$iNn2l zxEGvnKdSZV)F>?q&ZSowU_j*xS;p=a`B$nIi6rYX@@?^~4|xf}4y+=#+TB-Qiqvhy zY11Ybod>a~V9&6$jY3Vh?e%=>i36qe0~LGq!C>>RQ(^yv)D4-syz3SNARn2zv4LQs zuh34n&$vhi-3U|Sb`@kGOk=1bqd@=&IvQF7I8z~URO4ndkHa|NM|%koxd67Gj#5?3 zcIACIjLSD@T{+x3N4C}xT{RIrj|IZ_L)lpo3Qw>BuC;Hr`*L7RSNtAodfE+t)ZrAQq9{mlI&|B6r(OU<1Q- zGQ~UhX{4gfQlxNXWqf&fjyBghST@7j{re%a4kgit54O87IE|IBgkq=~2f%l1`1*)@ z)O9iK{;lu|%qA~N-r6T>Ws867*T(_6fzl%AaRwzsMrC`#pZ7=6!H+P5R>?dZDUX{c zd28G1o|``rJe--(e0;Omd$!=5U(e3+VYVqC*u3zdd>O`!m-XC#TS%TwZ~R8xjOP_fTXi^*XpUi^Fg$oeCO$AGTh#8w zAkP_qa!xP2YR>4dbQVvHWk*O&68zmgRnBm}@%~ngn61|3&T@JUZ8Y1i)C9pVuok86 zYsD>GloipMRK}K-z7xUZSGF}SWo@!^hN>;LZba-?Oc1+sn$=OOc@*tn*KS{0xz?qu z>hg@H3A6s>t}mL&t$dXy1|nBv>(@2qw%Fs9;T_KO{U6$v&|~P=VN|&}KHY#Q{msGlm8B0MR>um= z^-P&bUp^F`fBtH%*5=((BBPejOM9*Ga{r1sVcI)r!sDz()>4nBoSP7Wj(N{_(r(To z79PaXnq|6giY;@PX4+rkIp5Fh*7R4~JRbiW!hq8{6cbn6-v-Izz7M4 z`?{0=azY{b7VJjJbVsyoMpu=zzr8^7Nos_b2BbBQZxvZWXKi0V?Aggviutp&#?Y+j{9j+~ad+HE8CZt2C& z!7=W3xjD+lQ?1lZvZd&Z9!dReM;~~7U`Q_)c@DzXx~^DEk2I#>=rJR~zB;M7jtm7| zwIGUid2pAft*SngH9S&P@IS_%g>tDl`O;dEibag|&QwfaNr$hALJiSyC{ zysFlHDg#gOxLqNa3Uw)(m$j8t!J`-W7Su20G!BXyB7&og*W zcQavf24r#zl&R)>OlyWz!0=?8HD#{l@sGFGl+!>ZyZ*6Q3Fp56v3 z#KO1N7nsrn^}Fh$rPZ@+^eBjV8&jb=RJH`{?z8a@5N;VKlH$M(fr$eaDJQOin% zQTPOFox(Rt&0n~M)IJ4%*##+kn`2YoF_KoKt)46f{wtwWpQ&qjB~HWQ7%ORYdu~1B z_DcIJRFSR<4Nz}%NH2DAMwntYZ{!sRz_vpNvNH{`N6@nCCr5bi42feaB9 z4R|$f5f)A-jf8LW)#Hy2_8Unh~5qN_rUnF)fPQMXK=J6t&yG_PS_^8ljIDazqchJUO>1W35v*%coA> zXJlOzgFVR&vLTZiqDGfjw#Yj)1_1{jsZgJ}1ZD2YM0KYAn0r;O%#hhgGLMagT|35} z$PUEY)j#U$kFdVcc~392#=ZL)J_|PR1n;>ci?OXOtWs#oycX)Fx_U3QMxKi(wv2J; zm>*=S&3m+)cj6oWb~hiMIx8_cih!MbRV#V2_`-cYRu6p;BA)Td{J39JmRAm4-!>+w zwvOrM$g7gqTyK5(utjlNd$7eJ^wls~S7S z&^;+&5Mz@80ooEA3yNcC7C>w)-x;QABTAMb4Cgq1qJ!Ue6JPjq8FFvF7;>3>=ePhF z--og_0%t;!D}OMme8yZFQvc;75Oy@yzwVo_Ne4%EEi%c?kws}>@oHRBXGJ@fy;{XS zED8RA)P-+)G@2g9g0rLvry`rS$ zbc6=}uKLYSL8^L}W4&b@@g&Q;nPo0oIVr>0|F*`lA?89|MZzP+AlhisUHnSVH^ZR) zllQA39KF?H4nv*b;!YQ0yzzIs7Dnj(A)DV?HKE#GUkBjh-+|oBscF^p5UWh&B&~sCW5cl=Ea8z~-@g z+3In_OuI`jgQ)kl>1jBF&(dj`(9_W%AR1$EvMf0Y5*rNHn|o6$2Pjx5Dx6ugwVkbw zk~EfkRBUAuj1*`_90$mEJw16iy;T+i_Ht_;MGp|aH?f3^#yS{Vj8h^H!Vvo;HER#_ zf#A9CLEfuV&7CD82(o->gIr2u6U2`6sFiYyB0|XttXt9_`l7M>j~LEPjwabF=RBvG zGr>q*`G(;BxrqoiE>?%II9M_*zp_;lSF3IuaZqZTwg;7=Xdl^};@;fx;Y=SV)RVFc zh6_nHVtjF~V&1|d+x~-ICCA}PyCnHjjd!1@DZX>yD@`sU{eGqtc47lY?pXs$TrRBuwURf5ECOp?+5(O#vKx%#g^ zEd#VRFSo;~Qr{BAcA~^6uUs5T$h8l1FWuqBwbAT= zXxtnd1IzmEXx-0v_XMbS@q+0ZSxy+(+mXY2_XO++O@&%IC9P_;V|%G|&N6>B%l8^r z^?ODqR+lPQBz7u->DX>t-NuLUuGlBCe#%&GYSle86$wP+%9oMN>z8V{NNGvfz8^o! zXnJCcQD7XbZXO!%$@{G`6}N6N#`z-W4XJyuD*lamdS*Tdy-Sq(*yWYKMa?L@3>wd@ zwW9H`5mir_TBSe5!{&KR(*(hQ%Eaq4i5b=P3XBN7hp!eK4dyHEFOaMC>L^;dFqr6I z6>rw_-zu)OvDV1KllHczx_b%W;(1Zi=LXWwr%?uexZ(orN#n!2C}j3A(t^jTcd?Sr zpx@RaeQ-(eCz#GOjnY(s;NTZA?lXE3VG=o=;_*q)PY2e%T1Ecrpt{2pRX}c?PjPr- zalsd1N)bGGVHj5~Qdz&8IXp`!Q5+lN6N&D10?$v6eSc=vc zUDHCIj~7CpJk#yRJ{EjZ69|nnJfck$LE9fs2fgVzn(%pVnmKQ9@5UQ*T+(4zQo`7wsB zm#KKZ^ae%aZQ=CFp58oZzq_A#JQb7lC{)b0XMnVcQxvBoux(+Am*SNp7!8mh*Y4fz zauB1<*OER^^+xUzKN4dG>FWC^^p@2ugJWTMh#??_$4>bcH+C3#>TOO{ma*DBC216%D4u+;GN)%`xZP4hIa#5)E-X+=8f6>dnX zi(ad{uLFEmgsMmt9~2tu)3FmnenXpzSY&s6il4y00dI7x1TqLVir)L8JEg?{kQrW7VTxthCY?`D;DDVG`0H| zr=dYL&f}5Uw%)C9wT@B6r6B_VdbVUKupjVuM7Z4-tKzFE^t&R9Wg77ItsMop5oK}L za(0?>W$ill(@G{NE(5odTmD=XnO})hpuY!4@Y<09CKH668zuOse+eoL;W69=HVjx} zWn&x8dDR+8g^mLX0R*@(Z1f09*Z>N^MROGuysFJ`fn<$Asi;fI?2QopIs-X83bs_D z_WoaT;#u|ADF=T7lbaOP4z)^sJ1$!obNCa3RWv2YkZn|<%SAnH43=kwNOk8V$)s<2yNQi@ay0jYa$0UAglpep zg_-{&(cFlb>+TJ}N=rGD3D<)R2_YL^wogZ*x#k@vUt{5*l7>C-BwUUPvu|SdAA>SP zQuBcko$Q?)_A~+GFxy~SPZD|A>AoZ?VLdSMO!S`wZsOvBVlnfML6ICfdTV{f{Bwe} zAPh)qGJlN{$65y*>m>5XUiZFpZUOr-!%yi%g4=2?!y_B z7eEM-R#m&GfS|hbawjyiLa*Sv+D71M`U*)d*YqH5Y3`xWuZVu(ot_QkQ-E5nQ!YgUM=H=8}ph?2wW>#owlovA`D(=oVAh~f=;Y#^m<^IZPBjr zXU88UF*C|d63)35=-`jBpE1?<7%wI4Rbzki#*I1?`(hGZs*!h&s?TYgn87dTOBm>ez!D{-O}RxG>lX`+=Bx1X+gaK@D5C7}KPGC7ohqnm&W#%*C6_kp%W`bK;>*eIRX5T;3=!PIjiok9fbj%gu z(Vg+n_79HQEmYj+q%*)qK(5YuDC$)SeSj_ZPFkq9-O~#gBCll`_Dq*xm1!jM3;Zs`dvB)Mh-OxFT6jhv{^ai=3CvXXpst~DM?(6p_*0NItGTxSnl>0L= zceZY74J)?J+HCA>qTXhZjZ2VrVCJh2;xEa?Q3=NVCNSTf`sjtGBz>#d^cQqXvg_q!TV9d%T@$w0Uvl9sS8fgOo)-I5>7vY$EB zmM1IlSP2c!i~a&JZ-g|+Al3J=-H)jLtB`9g3*+a3vu zHe~CPChvaJz?S(gTlEVDX-#uwiQ0i2 z?Xjh*f+l;^hNna9B7Ypb3`RN4e&1edVn{s$kth^vSdaH)@uhgq^0^ukn(oymu?sPM zul}s=u0a^A#Ftq@lXct{gcnM;<`YFaX;DYKolm)?kFlDi;m^3q6vqTiQt3*3BpuUl@ zPt&@3-WbW5*HSlF?pYt0zwOQBP#HHlEUSyZCpj$Mw$Z1FtIMv#&r2n1$Yq1_kBDV; z{TyZ@`?$WO0&R7#I>A>BkJ-QrDfd+zG)s863x&@ZdfKI8fluh}=hwbQv1PemKd*Fd zrU^&-{R>eFz@&;ps`1Ct(RWipOGv#(lZMz9kU$cYW+(C2uq6!7ci3EOz6QgJMClHB zoj0)Kgzs7E*zm6sn*%(8Kh^$+TE*iYz2U(E2rx$;`=4}CUd4dy|a_NZH}*^4^9rKEyoBq&U9HN+@(ptyE8Iy+oIQ9p%l zttcaQ^Vr9+f+3zwmSk~WSLA5nhjFOkKmcUtRmKHatX!~qahtI!d?UILX=W0b=N1|< zX%GJd!(=$DDfK`VHnt|abs21$8l+z|J5?=56K&aPGTtxVJ1*PxnYGaJM(xIwec`}D z;oe`mfaPd}CqwfI*Hi6C4~vM?M3QmD=?~#suxpI$AMb+hlB`PV<|w+BSb1L1Gn-nr z9wY(N#Sk-B#UE0T5l|Ewmqvw^J~_bBe(T!(lnSd$W|r2dzHY?Wwz~Zx?JSI_hQK*m z{iQ+Hu-~%DI;)9(BW}a^6p$b)mDyD_(a5p7I!%wB%RzhR8K3|XumO!y17FBPxFGHs z7ORvHv$oJp3;Wgx?nIr$Me5B;Ib2?9E$rAW8plgf59u6tfC`*S05#ASo?g<=rwVUg zq>4j#DP>|N^APA~mwg6%GgFOPR<0(tpnQdJDt9YLUB^`RLf{wO08`m>mrA=l-t@I{V3B1#E;<>tDVfL)~3cNz3tjE0u z344ZzT*ZBlLZvV*uXK39f(vffR|jStfX7qUXIh#kKm6G_(z$@>MrJHfdp@ zDm9m1uF_LgI=k{UXy<}_oDZjntuH4ZEwT*XP;asDD@Fo^>kD29VTBWq_8*U7bw9{^ z5SThK!(Y~E(tv#W$M@ry;Nl&&+l9Ec-kYt2Tx6Ejq+N|!H1Ltrr5dvopwvxPg9hwi!p&PX9w;2HMF3wuf)`osIy8J>AQeC322!a*#B8P&HQ)s zI;Soaz2Lv|1b^2$|5w)F-;V#u8Za^bZ>$01e}xTLng6-Qe}N7Dcho@fzrhBY^jd#` z1EYV#2L2ToFthv@R^Y!d0{;*K{|N{DClT-;rT>2|`2TCQ|DQhp|Ip_Dx9j6)Yjv?FxAGq99tVMiGsYNRBHA2v7p)8FV(EeY6Cxri@|UDj1(@yo z5x7mm;DCYL8}s)NMx=mur$CA>e~pKoDNq1dL4|S%BrX78B{s&!6{Za+NGk*tfQ||& zx|784<|N)T2;jqk5j83h0zgN>3V3}004PpCcr~@caO6pc0s{at;3+WR*nxRRfO+Z& z5dp+gXyL{Q9`py^!vKJR6*9VG9Vh~DAi>xN?SuiKcNhGE8wZXZvhFx!6*D{4{+niKYTkhkl4^qgaBGl$bf(q6kx>QfyMJ;>iRv2d`rI`%)^7w*I%pH z-};RSj1wJ5r1MKMP{||TfM$msCXOVv0|yPa1R4q;_Z4lrQFx?x>q0?e-@5dO(DV*5nCw5^MwYI}xN zk+C49<0#*VLk#&F0g5rqc(4ut9RWzcX4eUt1SCpqAW^|b*?$$;9t7kYmf1Zt7@vT? zn%?<^9Yj><8;`qBzMnXqVUdlkoeAa5z51!WjL{FI;iL~wVc;js%rqeA^TA=FxGKsE z;ualvauVp5o#YNEKwwf+KzFB*@1BS9G{$A9*x}~K$NAyX_t@LZFX2M?LW9LjN)!#gEm~e`VC~_I zP4*hQ)!%?U8|eFrO7`D91RYSn@lx=f{@8UcX}X4Z3|DN4M&BHzjlEUX-EIhg0}B=K zqIML+NYvwLZ>=V5YDZ&McwV@&g+vjr6#uMXk)Q4x>E2Fo8jB`hLWxG zB0-(p(Lt0Qe(eh)LdaD|m-~zU77$QY?r5FK@9}&TE--KCuW$d_Y@JnAOU!x2_PHk* z9Y~?AE7#B`e>CKM-4d^nqT}W?3W45Y6`=VmzVmJlPPdQ^Rn6RXJ@xAvsvWU#I2;>* zY=upm>ryJdY<=lPvcw+V1QW#u1EhYA^Gqvdal>7@Sv+n!?l`kQYGprAKmh8a~7RnHngV*~=}WyKVWhEDn+>{j72A7F*un;|QMwwxq;N}{nxvA9Q@*f{@r#EO1h`)1iXm2NM+vcaa0pE!<fM#AG!u~_ zz276qR-Q~240WKWyV}l>BsAT1VI3>SpR+oE%JRxz;JLox7xu=d*pmUBmi9V8P-N1_ zau5`g9G!W<8|;nUkwID2ldnv}z_YTR(*M)QhNvPDMjE%^RzeUg=35V8%V`_R;)y2d3#=hBF z$2lQ7?aC5-k}fidIq@n|q|IGyPRjOm$~$JERLxovsq?oW3F*;qEDau8h#K_+M|p!O!0CqgZaWI9GR^XdL+ucgToPHBWMmeW)QBGu=@%mn**^VD;fHeVZeOk+}4bv@e_-A*&V+)~-$yOniYt})>KN> z`dBMzOTGK6N{Qyp{p6I~ZPy-5)uz!-pSv_vaw=U@L=&>hV#~Np>*hnrU;7?J+*|oR zE72KVU+<)S&3_^gL$q?UGLOPbjM^zXQyTjcB?6iuoi;8# zRm?6ps5G->9TC%FMx+|S&Vxg37EfBgJ}Ra!qvuxf3u#>xHAQ~oz{?!TU;8g-`PU$R zTm|?W>4$aHzfD7?Ki+Ac^0u#r@MA&llGDs7BIh<_opx%&W`+b@(Owc@R0O=lM?{By zEh`qpD*$Li3%Z@oxg3TNf(7?BwT{5#FzbB66*g$cwpLp0u!0Kg0WSx$_05}0S?gHI zx7$kS=iJ3YvOmLr=yR>|YYD;`~ zR);I%yz{whsEs^7ifJ4TcfB|_cf|T3>`*svR>!tUvUM06?kwY=F=n?k5wWZ^>+}<& z=sveGVtV7PJrRB=vu>Yw5{b9Wvqw=BFl49@??L*{5Pk^Lxb|EK(|tJJCzGU(qb`b) zRZrxPfVBIenysFH^;|gJg$B%YGlHC)%{y;h7SC~d93*F_c`R%dZ*A~^BR}i+i4jzO zEw-z!iy=Q-8+LMOCDm=Jlf84NUTqL5;_4hbJ4avFLc<(P`F|Ch0Z&Y1+cblhlAZ7An z7+OI=)m4FoX5Q|$yos4&jRaXtt&tMwS7X1Ib`%$G+90w6=xX?k z*L|S;NSETD-nBUdT34)_bJbRt-P$^l417(!DPS?N-d3ME&FOX&{d)CV1rA2XQd#OBmQiAPNph7lh z%`LMfcd(eMOfy2mH5*xQIzI~?MNn}ay%KQPEM zo^9MP$2eX-oTfWF{idoJW-EQ@B~$kLahdEck79nAwG1>g#fRhoTwa~3Wy37h$>Art zyDw{AFwcCbO*G1BoI|)?D7r1$p+}^Kw&6VZ?ceO4W|l->(lD9!H~~J?qxJ!hmag6z zwu`ZvvCG$2==fAcsc0pIwGy=+4FQRPz>eZP!`$!pqNon)+*|HHQB7OLisz>Pl2;_d zULd=08E6MIFIzcOrcUf`EO3(|@s;-IXQ~ocM+DDlS(Z(SJb_gxSw3aF4}{uWeR!;l zlWIo=UVRsfwQU!={ycCw0Q+amq@hdDD!|yB1$n>3^nG$UJ*LWJCNh*CtS6)2Q3;;7 zav%xo?_bkq6B)Q_qa8Q6*qqe1Kg zwpEW-Z}_t);%bu}h(0D~GL#);EGv^M;uECHU0d#v?>)+a%{h%wWiVp>X7YX|9bDmK zubu+dTsp-8d%MZvu3BeyJPqeuhO_K<5pc4PpKYGa%cynY=Lz)}=s{U(y$J5IFwIHZ z@L!7{k3J0(kC*;hR}zUShTrz@*W2$g=kIFg3w6(qQ5m(d3t7A*=ncAfB#j3h_D`Lx z1XFk2yFD)YaUzE#b0QLlg*aP_Y(Ki`E9>Mu^B7J-U!M_5!Z zcF_bg_Mp1c^AXz%)jfo|cKIUDkfZ`N>*S@`8TF~>OP|G`mXw_^n$a{m1+A=LzA~A* zwnp^e8ak)6(O%>}0s8zh#~ql(Nczu;_d4fCZwkz+Zj$kZ1KxGi6-zIyN_$w;$=SQR zuU5ztW3HI`=|VVq;7Pp<@6Cr9s|IzA72bD2gyoo@WD7^X8PguRcT)>4QB8c>=6lp5 z-s_gqmi%}(mA-Q)@$HMw4Q6F{(XdwP!-xmC

F;Am-mUhzOBgPIWmgv!|p`99z2? z@qP+N?-K>NU1yxP5i1U|M4uhT{j^)m@`Lw805fwu_af0yW;*(@HV+>t6TIzuN3?%g zlhO~sd0Suu8-EmguHrdHlG}bWBOE6v7B8ho9urrt zQ-)^x+&Gkw1zFA%4Qce_miJSN^U2a;5UF#o8TK@h=TJ3!mZrX6g{~y=$M*W%C>JJY zH|oE3am&@k`2ID=)(P|D3iuev!cw)EA!fwyLa!OFYch*P^g__@U1%A(q)OR0>d;Ws zK^tn)Z5!)oH2)b=g`y~mwPRfSDtg`P4{WO_+~4H6KIE;<*M2G*-{njWd?_0vBMk#n zMv-j^>Cx|CAMBpca}d_WR%=m7db^nC{Bx?gwokkNA=^(x#dpOWBZ&rwG;(LvN@2@o zrR3C;j0!hbzi8FZnEKKREX4dV*oV=&1TgEsK_qsqx(Z0gfvc8zQ0gSYA5>QBEW#Rf zkupNTtr9(;_)VUR0$urp7ynRRFO${W^=!7-$-=qI^_sW7$4M5GY#qvAzJTYX@s}#R zQJkuIDi%Tw*}>*lK|IK;r9ZmganaJn0F8wLm_rX94RHtVvU2B9f(y=uOG!x%Pi&dN z+pjJ#!n|Kq{N!HdR3azQb;TPPe`t$3}4*Tqi=B*wjj=5CFCiK97`v^bUa zTl#I*5jhU4+uX*;rydGR%~us>Uz6|?Q8a#{TRzgBOQG*=z%i8s*J_>qRVjHlFTc^w zNAXAjH&$|{p!O(RJ-l!uq+bRBqf0VtD@XGu4;<>s4sunk+THOTGNa&bI8ot+!{9>JZX2jmQ@z4l6#>;c6&uA;~q44;j zWg&q^#_!(l1PQ)y6!YiFB#;_HO5#X+3=KNny*HW7zEp8gf&jtK^0oDuMszPt{R)xv!>$VTno)gaS{p%)rlDZ@@ zt)C80jAw?E6@0AwQ%m9Kord%_A~2xv?=(7WTn(yN>elw&sEa&ukG)qA)JxtNZAS=W z5=&b|_j*g5-!+yc2BK-ChT9^hoEYQl7HAD-?z_Aa>Sgdac5P)TW|GOA21~Mloe`|; zeTU(eJH024p)1j@0h@=G+7HbD1@WKLf$wc5xoHC`HN&3yfgcWKfS8;|IL-9FKEk1@ z+xDcP!*`a<=CjQC?!wN+y+v(jdTGsE5DtaS93S2V0{hbMJxcQn4o(+s;pfC%*anLN zI=Zc>!)09iOby zP_Va5xCt?yM;&o<&65{jC8pC-McVRFO(BljQwz8zM zM^so^JoI_XBLLnYzt;NNv%am3!3z(U>W*(4M}&e;%W15`arJt2 z-nrJ=m&M(stZ=Z-wc0Ar@LvGIF|V@M*_X|!fsmZmO<}RMV&~~$hB_ob-oq%DO*;CX zQm@f(C9dqiC>hSgD9LJ60w^BnXVofM<|=92?c`cBA3pbmv?Z+9y`0%*7H$3%1Z;US zVS33wnY$kJmAiVE*@%R}AkW5RmnJi0CX;gh%s*w@J;j^A_dyOlBE&3~L5jM4L3*F-jnO-ZQsExNi5z*c-8Y)KYkM zkIHtS@`Nir>~x-IZU6RJ!Hwso$6UcC-Td6gIMRPasU}{nTP7W4IG=O-JKFK3X#XJC zo4^iUT6;xb+`hcmd>3!P5A5uo9Ys^Q;AD2YnoElw9iPnaUEN2~^&K;yoJpzQ>*&V3 z!NEi#>ED__d475&U--~@!%WcK|G8)$(`=m*u|6Zw0AWQ}R!n zJQ4Fbj`QCCtSlUNr5yisONq((@_M<*>SKpwvNraNc#{xI02?wy3iAaGvkaUe5QiZpMu;bz~TIMfU*8M%meBR0J&iK#b3Mm z4UUS2e(^trA%6`y|0&e@KZPOk5(+Bna{oOH`Nxvy{-_q>6TfRXJV!P9?a5sWMxZ2x)u7qbv6J0r{gty!qkR6*CanJlKeyV)^(?;4Gu zLwi1!8`~Y?`uZAfaC>`OH%NNEAo&%HeR*$dZqf~yt`VB_V3nYRWe0o zZ{vcLUfhVt)Hi5+fx*Roe%&&|XddAOjK)Kw8)xnOFh4xP4=v*kAg0J>`BX&{zM24k8`Fv@jZr8JK=#FM&L=w|AD}0!{HZ6B(PE!5e(t+jmw* z5Bs0#1j_wbAzbk@3%{U;Bv$t3#)1!^ScDA}8Nk11BME%?k1;*?<4^p+qWrWYeC`U} z{9t$fq!#~NA^r64oc>^GO^%F;4URwG0DO9n0esV85_1pi@&dnty_zp{tbP0I#Msc< z@_hf~d{?)U-R@e9T-wU~RLg;xJhqb-xt;i1z72gI?+QtqQ%buRR3?#*{{k{FGkIv& z|4FLe%mm7{q4_)E@%&Pk29&AM@B2j0%?d4zY~AJuaro8-ZDIbZzx`2qqQ9j{LTW;q zY=Zd-KYphdF6|cvPM@aXJ& z{lr)Lrbf8%&pVD4kW0G;*zR}rH~dn6`gwSpOaAtUB(^j+vVWgjs|bp@l=+d{_(A$C zW^;6OdY8WKr~BEh`Z@fp&jbhB4kUxHo_Z$xiX)fNf;i4D}}WZ z1^s4y=Jm5Q?Cwbovu_=oj$QJ>x5bk-hr0=HdK542H~VDJ%_Uk zD;7w*DINcFnx&|>8oldQ;L_1&fpaBGRqaFX8BCaWZQvf%?N{_r?m&AxR^;O%aK|e7 zg&DmaxdIWUsP5q=m+Nu=D8bCZ#>BJi4883xF`j@7Ek9x(a*^#LmIiXq;L>H!@D||b zc;ELHJ89%y;JluWrAr?v0}8NT~+JZ)0`^50sNhz~ zn^~Xk7Gi~oqeBE{9Wg~f9qy+Xf8iTt2P7C8hs#ei?c~32QW>0PT3=;d3d?>o0>ck# zOcY9$?0g!5{eWU}D3eDCRl)vztm1*pG|LeM;> zM?&wjIeTnemC38w9`qtGklUuCKPtt)A-B-QUT?JVjzaRO136@#_X;f6qQUbLyPxzZ z45f;rF@a`rdwZ;^l+ZDRr@3wzl(*^=j9f4U9G>{Ptyl+YmeyVg?`{B14(>CT)a5|J zN_)e^dX-|5*a@%wPR@I#nkT&Agh|YKvl^yVARZ8HV1~YsU<4A;uy5Uf zC0ld8^SeH;7T875>tPKVUa1Tz#A|UTHLD2>%+m?(?__)fJ-m+~whT`w13}02S#w-7 ziQ6wX-ee)`=>LbZdkPjE3>P%L)?T)4+qP}nwr$(CZQI_i|3^*E#}dmzw!<7==6(b@7l7~1bGPo58F4BNVj zMo+6@fw4yBF%ZkNQyaQS)Da*d7gsrWYLMh3n_t2!YMZh-PuY_{T#|UgA3f3Q`2s5j z-){%Y0yj5pOh7FCYQR@a{8oM5Av&_(emv&lRv&T9%Ep(-awqO=HTm_3o}rG+DnZ0u zJD+4_(#F}XXD{BXcN8H@*w^yF8ED070?xTNwl*BRvEYY`^> z1STI^UlZv0?%PsTOu#e&Slok;OSV}By)EY&Ky}zG?0ZIy zhq8NDG$p!N4~i(rPcP*i@04XTlyZ$sK)yTI3%+LH5fY{>yT$g3`+2G)qN%-L0igqt zx+@Tm{?bGD@(ksK_zSaHZ)+EGap}}=583N&<3%=gQwyN%dxfgA)$NKg2%(waL2ugH z`5qD@Rm{GNTwE~wM1}hpi6=?XVZ4SsQ|2Z!Ljz!OKqb;}RMlT#p?|ds3bIa!8zP@F zu**53XKnK3<4HSWHoy;t=@Sv6uGvH3fj*6n7>v`&Im9bsO9Fvua1vp}DCy=cjgDF< zlT37JOsf>mm)eAqPhHWHnNb<#EFb7cb3~&>ODrN>7i@KL1OIZ5%C-sIVy0+u6%{&{ z9$LR1wDjlZPQk@vGKJ-Nu<|ODfptuiohY6>;>D78K9axD6w67v$qRuOD-(2CaZNrt zcxm#$>4;ekKu5iVRlKI_8poD%rhbyik-L3v58}dN;t*<^>SC3MA`wXL^%R(Nl?LrQ zdAmd-4n^N8^KZ4YQ~NA#T=fYs1N8g;n-mYLm7_#*!}%1#QQZ}3GWcwS6x=3|?cB5vCLvDw z;@u6{&y`4JTPyDjnPA4JRR4Tq-5Bhi-)Un-xRp--;h!M8>q7-V5qCXRv=>T#m+XKT z-%@yR6iz@ZTK1s60o>QiSXdf0<0)lN1SO?nIO4B*x*_PByIL-! zb1NY$O+Nly^Q0u2FPeg7nCCv4!6kc_((L3U5|88FC}RBzk+6Fg8wUiQ2^=ZsKB^xd zy1pV-v0I$VNyoM%@IjbZEHf~M1EOry^BZa%Ekpbm4jBUmb96Ld&!lhrzbyvPDhX-Oeoss3Zv8GU>BH~J$7&qM! z&@eXJPv%m3v~4o)0rRu;mJEKOg^{T{pDp#LQK99%TY6bmILsAgsxO`5A`|^{u-Sxz zF0#5uXz5}cyj{hjD)!n5{4fHwrg{Xohkx7C_tPQbP29h(b|l8iT0D7!H!MCvd4E@) zKs~lH(jwl)v0$C1vjB^dH}!x#l(v7TivR7S%(BB`5*U!Q6;mvAtQ}zb6PN=FR!$-F zXh2z|u|?@z-!S#c_y%HiP-x5nDcVnJ7o~A$s522IZ)p}IaMPd&Q`Q>rPmnU$o%NHH zVLmUpIEn>y?d32ue?y@UUkOZgbQdID$;4S@h>pXVW41wn*kGreP_Vw)POfQ(9Luf}A$`!Lyes{X3q)V!^kg8{sty7~ zpLoj{0$NTNiht{UG9@d(v0h>~1SFB7@cc}Bt7ybNXU1F=-QZs-h*}im{R^&`n9G}r ztmg~!X)^3^_4ry-M_$`*Urb!35QcVp zcJa_al83%ljtTNYp0KqW?DPtEq@2ZUaMn-;_t1K{@hO$UXUtoTiKCjJ>OlCqYQCE5 zk!$`;M5E+5n0~hP&RWi!;%{rw&vN4h;@M`s@YmiZaY&cbP-T;Ea9Oc0B$RFl$d7pk z6oMbpEn+KrU!x3R$L6o}1fw!aZ=%6AOXHvaTx8EcMtK8BjtXSowMZ;1x^*5<_xMB^ z2opdQD$q^u5EqcJKU?7LQowuXu*1LM5G(fFl1TZKo$4C^T_;#l2}ju-%!~5I_%}x~ z^gE$#TC`zcdhD>`cV)#cXoTjUkPZ-kW78-WJuD(RRoQ9Z zuz+NQM|@LZ^0j(MF-m!7%;fBc`e+ciY=)%u5T4E0IVcz(+%%{2BVWsMagCNvFJQoi zxNw4cV79oLHDzY6SAcJZp^(!AkS-|Sj>WL>5EQfgcAcL}K`uFdHOoy9U@1YLa0sL9 z&ZlEqCX&6}y)Cb!dt4&A1zf{uOTHQ07@A)w*iHlD^B-?6Vq%@04nQQAoj;bu23GHIR2OH`LUfk6P z&Iy3+zW=eXHW)E%B!rvs%(K)zK!IwLs)@Y*-c-JbiBhaRx5xxs71GRggWIpJ6*-ft zmN{F?3B&f`wY`mN>$o9ToNl!e03AS56>+&Pq)Y(x)N0Vzc1>eam=0Be7@(2Rgan~p z;RQP$=61{<8tug^S%~hGalrUgi=>8)@@(_HyHZrHQU!+@awvej9Y#f=sJ6X5qI2b; zsnM?jrR4#&hG}BmS`h&jLkSdaU7@d=;A|Jh0A~)?{ODsi$QJ^^S{I>e_j(E1j%D=e z@#xGk%J!PIow}0;;%ygMWmgVFe1~t3qaQ7G`wS(B_6h?yP+nVLTc=jEn7AW9)Ud7f&%K(D z(i+EU?Yjx0?I@cvL$>j9j_}^Y%v{e&L)awKOFDk$Qgj@CJQdS~pj%kT_weH}3x2xM zH+%91Z@Hl+U(#GIn;2<3m`-Nz-VWxZN$ih0FL`54SSW8xPDQ(JQvw zgRc1mz=r_+b;i%6CTnwt18VMmLRt@9Ar7kf3Bxr<;N(=p5gAnOo)Ve{iS>c6)E%Z5z+PXR)Du(550m~V@e%oi&a zF-jnjtF3)E8J+NA4TAylhsqOQ8V>v&BEqITBvTS0to|&~fed;5R0_4)Y253k}$ock= zlX?EEo0BzDHg3@9zV&U1zy1=mlc+pir2lC{sfeg(Qg-0~e!e^|GH-s)yEl+wrBI@+ zemNe`8FNSx=_Ww`zJ6DffKG6aOA8^evV@?Ji9oNtxsH~g5*{*(m@Ce`S-1CtM%v%< z70uZkM%czu0xtpRJu`71{ur3+hvB50usnE2cak)AgUtFITliZQppkEo3`$f9ktG7} zz~UWN>E&bmIfN*waurC%LJE8Tk>!PN!64t+zbz`A1pGc2sHX$-FmdL+GGG2a23XCB zNT1jIHXeyclL@qbPs?c8EAPOL_k}3N*uX%|3bqvX>4Smk`R&C+ z<4}o$k#9Wb`q}Rql+YF)$wggr79ryU?OlmXor2FMT|@*RryxzFBMafFaZOJ(Xab(zcMb z^@_WR<(*CMTz&=tk-ZH*>)Wi7XaR4%ClsDZjrAmHb;}eO8ey_?$y}lHz?&?B5|Cm&?3tGlp({$R1jG69rnyir^$W5AyC%!i_Jz=FhvmEH+w{RgN8^2 zTF|O8@iS&NQ^S&G6(x$!=6$(n=`{BmF!?qG(S+G0%ZfFU3f?f0Wps+IBLn>l>I(a{ z?^gFv=ays?(*Zfs$_H)Y%Bo(l`nslM{y}jBT~DRB5)-|#j5gB;$ZnXFvlcZ zRT4cZtM#7znK)`qani(Ql>tMs#+Tuq=Q&>ecXBdKWpNj6Nbxu}bKNCZ+ziymQWx8Y?;LPm>_I#OomBMan9wUX+A!<57rZGU1|@>6=oWa7o}Gj|uc3 zv-9M2@`djutySD9x=?#9PeyVw+Y7l;TZyH0L(ncExj2`N_zNCa_y$v%m@H0y%Fle1VTDgD~s$QCE8enV&A9Rg#COw zlcMecmU)zj0q)EwPJc-Cj_eS2x)lLdTEWL&N1{pJ`obhND{}+hqM8bV;NKA&cDXQ6 zTkW3lo6B|y4=5PISrNfzq!XB~?jt|8&pp_D@sH2~89mGrIL&cn`KKgI#XSbi;J+I) zT&UkPHs&b0Lzm*|55W@6+2Yvu_?Wi?jw=1`>UnvnP!~ui7G*QUFN{-HXTiUJTW!VB z<5bqK5KG!kHPJh@pp`hB8zFy4&~d_;s0DhUh$90Yq~-?ub^WQ^v}`VCnJgv9#EgOw z?1IT12^nB|oo!%41z2lLr}7H|`z@N6nU2!M(;7(1ijqE8To~p0U z>#fh2*d$U?n#~)WfKj0H6Zg!x$&S2$tn^8cJ~ma(qG*C&Vsi@hCCK*R3_8EBP^z7_ zU6dtX1yx-bDyH%CW5&93Z$)4o$#UE+;%}G*rE^loUN1+`b07*B8Y#>~V^GJ{ngp^r zww995hY!Yi^>|QqqbzEaAoMm07#5yBc7x7MxrbNauhN3Q^`3$I`y7_YuL)5U;``o% z^UvMgm@@u!7zX1qshWtn<>|9H8j4BMfh=!$q_gul!$xx_=C@$S z(s)YiDCb9Bv(EHDPH&Zq!>+Jzm-Lwkq1pfo7u8726=>ssSfC{s7Gp?S>-8+d`(x<~ zTw&e0u;305PO=$m4?T`rNDItnA4C`WzB02k@@J2u{lzOpMdI6OU&xHz{RbUiK983U z>Lf`zrp(#+myhhF3Gbpe$KTP69&Vi4U5ho_negpD_#_ZUQUacZN1j5>}*u$0a+`1aq#Il7b7uVlD{b1*j0?SnH}=kZvP zWpP9&8=|O3G``6npmMS8J;02E`9EHQj+gF=qA|&%SL}3UDTdjg$>ox`3Z9BGKhwHB zQVfy(ITB_VH>1?PQpCrP#Ev#F_1_fSYdJi~19Lk@x2<-mNtG(x?w&qY(ca6>S3HzV z=aMvRjTB&J-(a=+x5O#FP_xzl4ln67Agi5v7yU?w%^!)f7bDtkT+PZYmtsN9+7WR3euq*4&PEp%e2#0K?3%oviF~$mt!1(i7;dw&pharx zx#u)a9g%BbxPA7;kGG)Q1)Z&;F31-+hcV!xO@e#QS&BepsGhxf%r-T9};29VluY?@}n2Zf%? zc=0WVS8HkFR^azij7SO%pDgsV%267wU8?a962~ z*>g2@j$Y)9MmP0X)ScPdzt|8++rQ6p$kAG1s0)b4bXvYOjd5sy(qmo$yOqZe%srA`v`!*UcJp)T{l?P+-mDz{e*7|l=B zFK!HRp^TnL9;+-68{qU>APdfV6v|w_wBU~XF~0)O!jJTv9zrz0MoC5NRE3Rz$3~H6 z$TmSx^u(W?q@TL;bleTEPmqaDJUg^~!sW|)00DiLg%9ARLa@8uEm)ZtmgEa0KN=iX zQetq=F=xFvwd|O0WNj|sf9U6lq5f=?6|o(;k+b!dod@fEEyHW#zJ^NiJUN);JLsK} zxEul;>hU`JL_$jcao4MGLnck4-_o{E&v!Sxda5qqGA#f;tTUv<9jtCXtX~Zw*c~fS z;B4yL5z#n1>`|Nqw1r$V)Jw%oM~>?THor|&U{Xb*cmI|&TG~J^SH17MHpW03IL%{1P{46_ z;(SU>TFbP8dl4ysyw+j2G8qj>X5T5aQ<0IIk@~U-M$36$+N|w~o?w~{HY9djw^7}< zE9L!y+Jo!y5U!cZ%({3L}t}EQ(s+9$* z&5d@{=T>)=x+Mf``YFeoVIm%yE^P^2C=g8)Mcg#Teg=Jr9&K!b8%Ks zEX;9vYMz{(WuCnZ6_>Y}4hzbus!|j$jZ70HRUkJkpL2M^Bk4=R;HtD+pg81SS?}%J zweOK5%L&N{?6D(TBOqHEOv560*Xo56Ub?E|S^R!NJvzByIcAY(WtVGUaRk0nV7pDL zcvc$b8^jPd<(rkwqx4#Jh=2kPOy;SA$jq@!uQ}PA%p+-s03zkzw5HRO`C7h8mm1E8 z5y#)T8m^Whx2eTSHv?`W^d^?Z<5P-dP%e994WR7XhHFwu;Zx^V<>bf>0f6(eT?rr!mnC zZ#F+!=825H!nRn(QxEhu${@0o^9mNE*6j)e+8CXCyk5-kbfC>1&fcLdJ zXbjC`Y%$;mpJ0|q7M75j`5_MuS*QD)_wqL}7M~J<6Rjq%&`=9lQ)E-V!_W&ZZJ=yy zf>2V{(`{_A1nyCEbq!;DC#(iC9@-{bQ?K%ipKvrVoFMWHKel-XuX(xH_ZNM0_@8I) zl_y6UVF!vK%aNbTIdTJ^yDRp$?oM&J+{rwX_`?sFPw#^Xk^V99Le zCI+iKk_@G!n6G*VY-(_?@0$ywVnj(YIQL%$5jV+{=tmcxZs)YZwTwa}LsV*zv~VHC zJztaC)e&)h^n_0_(NXJmYz6%Pg7y4uX<}xfa%%%7B7MAz`1q^aa3WLA)xmR~ZcG$F z-3Hc9Fh>gKW7P=>SJy4-D!;SZH}w@M-@*!KXcrO$sz-k%=qU28P#-HPNMd}eKqvOp z6Rr`#?ztW{+L_IrdqHWV8;I-}wI@@*cn$v*%LMl5s?wUgskaDH;1twxii-FPrFyNP50Y@)v(x3~?FnojTB9 zx%&lAZRI9=MAsYqG7U)Q)3Cwb_xZ_yCZM*Mgki{>E-Co=N$I<26s4`dZBV(Yzm)w@ zzFRg%bB?1u$})U8bCID!1(gB=j|poy)19iflKC4f3bJUf^olV?guIoB(C>j_152Q_ zaJGS?$|N0&d3$+J>roS7=ndNy4U4vg253JzWF3bG&;QF+Dm#Lm~9Ee|B6? zDic5y@C$BE6-v1q!3AepsFkT1h;#)*Y=+OJDSf&@uU)7lUCLC;lA)8s7``@63(dB# zW4DBuMe3XHrjZ^>#_Lv{28RBAHYyE+`{Feh#Ow*#uFnis7RQO!bP*8r=;=$$)-e|vO?M?O zhWS?OHD|ekP#WQq8Nx=HJ{$l;wf#e&usgh}fJv=383-WFWRl~07?Y*d)s+>ED{nEG zn9e?dGWUrTA|;O?6&P~d9JP-BjHp*RpeIQwpV3cL*=G2?>ndH}SSHwi!`fUuuN6DM zBwBHDzL$spu-2V4bg?aSAh-~)I2i|))Bl;Uj!PCQDE6{)LN^aJD_$mQ#*t7XawXG8 zVgO2HoM8+>lJ|qugn{rAdacvC*mmJYW5#h_^GX;!SUAwr5=3?%;eMa9dW%Pgl(+c} zS`QLaHB@-r@y@!wvHwM+CcWRg!I&`ri@HYR8L@qBAM+ZGqxb_uddHq!m{&3pfdI7d z#YA8bJg$oM1t}Z9%M79$0NlcdYF8SjY1I0rp{U+Sf+XZiGbEX4uz!@ z<|6(*wjR%xRn<)i(YJGvjRsk}<+;D-;0F1sbu?Jf-C)XAuu7F`HE0v~C+~(FLmx}! z50=ikqpiA_e2O%5H?{bY)h|zTMC9pSDCGLG4Y;l~;4O4?A#5oBr8tC?$qVBmA-ac= z2`d|IcNoK>OcL&>*PlFf+!zpvds13QCa6Pm>fZtABQQmE75&}9so7~#x#PB0)$Scx?qaxfNobN;UAGzpD^OVgPg2Ik8A@ShX=70 zj=Y05S@!*o6Ul{uO8e}T#@&EIUmb34t$@exEShmjHUwrJ`BqymSM-G71XOp$8a-{G-n+WK)eRp^mB60V$4S^g$T+2()3wr@Txgqg;%kH1LR6 zk@A@&)DfBr*I2nsKE2uTv<7Bbfzi@{nD1>yC8?J_E;U$F1{51{v1a$Q_UnTq;)VoK zB>pGyS`lTw^H|uxcOWG^Me)Q>q$A7#6|T`@9X@+tdZ}cK#bbfP$71LZ0m6;b^(13R zQ8K5ldzMxA(q*D67Jva@m9Bd7lj03Lff=y!Ss^=zpV>eAV0_yvmJ=I&o`epF%Ts3*I-6?!I=k{9fW6a>q zI6_d4G!WW9l2&S_Mgc#Xl=L60nG1({jw2u>76@En;-uHz=D+9PWB)E&1ttJ^^C9HfyNxjen159uBo!s@9urDh!n0YCW zc3c~z931EgW#ov>heRKc;;4WQ`Jv38(czTn_zHH`4RS?4NUT~dQ9;7Vr!1C!d;yQZUunS3D*QA7Eh$=mZKf8FLeOJj2&kNp`LigpDH@gj=4cr?*ClWHKS0iJ z4R?SXRvDq3S^-4u9Q~Y$;_^{8g0x^u$(2E` zZoxI5X82Uu%4N{(zHu#UwJ%+sh^alsl~BObb*elZHz?=`)uaP=u?`&?)U zlUwK5PY2@&?O(i=)8gi+)A407p&dg?_uH(GD@>v13!8C32G(~W{ltkcY+o7YX|&P& z`43t~ha7$4tL885>$zDomm+37RakVkUt(+-y9;~n4maJbX5P2SVA;a7At&Z~ZY#^U zl!Bj1sO+0NIXlhX3D6ACHM(GvR?RGHKrV6noJjk}_4a4YB>lB@u$ioFQsN zs(vA_l=6e z>(Y*L=Rl5S! zx>&`}I{iVxBoC`Glg^S1t8iKrdQ&iOJyGRrG_PhJ=FC@AVwnp-pE`dEZdrr6VX8%7 zj3Yx2@_Q`FE5ruBUC+rX1^P1WLZ(843;moyo+{K{##4FEefy*8e8YgF;7lPWoMInE zWG&w3pUJsIXkaHnRDy7q+DkDx$o=z+&Db3~+f{6cZrY!7cKf1{3qodMv;i@&pdhx& zLajF5p$X5qoQa|Ubvgq**XHQ{?l}yZ*$Ot*$?YJCL;@u;XxJu)C&zK}yv07zQAthh z=OO4r?%lynVBuja&y_mtceTc&$ifl-S;TQ-TG`WYNV2!ta^!t{p=pprvHbf?c^jCz zw80w{#hPZQVdp(p5c4wrytHg+PZLpqt2fs7Z9p(Qsp_9QINA1L+kh3B#@?&FBK3fd z!K643nShaMO?|dy9>bQtKE!g$<-GFZy-oSLOT$$ijO_^jH}(M{$rG^ zr7tT;c6@xD#R=#*uN`&l8YpsgwV8vWHzZ{jjH#P7(e!K8CHKL{HksKI4f4=ewt$fp zkNNCtx7pS`$8>x3{`cuT2x38M#tfSMct*I75~%<%r50=36=T9F5j&(8Gd1>hYJvw} znLa?OXg;B2u$}?&eJXOjNl@-kjn=|WhV3XQ#p>c?BOIP+ruJUTyes?Jf3xiMKh|2N zr#&8$`8Oq&e<NxRJs4cn*7EzO+z^Dx3QMH4x*9O+Zm6oNOW`Dp?Q*? z%?DGm1d2AeW@TTwH?MT@x90lvUY`JcdMSn1i)V8SsNbH_nY#n2Ep8en2DGfR zY#?+8|Ll@Rs*agL#LOXPbU7kant2qA)=U&lOd)r>51F z=N6m*&W0z4I(*;AF;E}^Ddq_JQwL+UosredVv2Yqv#VJHAyVnBzGJ+jh2;f)!$$g% zM2B9pSR!>&OUIu4yHtBR3C(~bKm2(P0DVfCR2r%f$EHeboiTBobYVvPo_qiNV&8|4 z|7B?{V^Fvmxu|!#^B&&h(tla1h;*l|Muq#fPd-zhn(ip5lCUR2bCl+3rl#-wQ*st( z)F5Nh3nvBT;$?6Ziw$}a_=YcC1;eh=Js!;~2R4d63>vntP>HtaL;1J1|IKq6efpt6 zex@wgPrF;CE$mSO{1=@r7Mp%{bZ0KlArmZ-Wl~K$Fi;C6X1>5T|F<`dF^fvLnRH0j zPWnIwyKbNd2+a6CInS>^1}-;>&Vn#q*?gLjuQ`o_U4DbXPog}_V$NGuXTxt?8OKV@ww)-W+LDh@qMUFFEY%@Gooi+!bkRX{yXuJBdb1G>!d2wNp)}}l44nL9E zWJliP1pOVDXhUBjRt>3ZT)TbLZ2n~O*J4QsSZvShl5wB?>-bV7qR^50=uaHxED8We6YQKmF;Qo5w@jD627z zk%Y$&8IcRMqvdJ23ZT@0}^ReL*Bvzm0 z7kRNNa6`0fGE~PF zl#5>mP4Dg3TOla=_~l8Hm9Bn--dZUqA30zU7^dw^0X04srchZMJYBDro^B-2{&w(A z^{fGDv6IabLA4^z1s)W9^SG~IY0medH0NYu%$;Co+|F|DJ;y;xs@9^1-q~KIGl_pn zlgk5!CLkQp(L`BsCkXl1&fzy6A&t)JBh*kj-d3T6(_9G5+nNm(P!6Po8Th98qeb}) z-FOS2)}zAO!8$fQyrE;9mv9I0c9mVvnU9^Gv34evU}^c-4fdS-p2$ofAqwttWG}uZ z8fa)g{Bx1he&OFVV82MvO2*orpw)AZA^E-@(MAGrmpnKv_!usZr+oSpglrG(yh%nf z;GRHT)N@gC3Qr+ItUNEP+@?vMQd58zbXj&|L%}3+VV)8 zxSE=!)-Z90G>KP$W<@WkMj~;zVFr^{!(e)sN^XSBL4fsIR;_%VOxS7uk*t=t#YbkpRMUO z8)dY9?d*Sica{_j&s7KkpOCxCgl z&#x&!WD7(BlJ_9Bu-Q?%M1BO@9xp?VZe9iQUWVh&?6SuiBz}JnS~n@#qHVIMWFOSaNg7s0lf!?;DBCMMSidr(Xx4nfB#ZrJC4 zV#gdnz=JQrslCWmg+J!QdEt$j9#}j3NOW&8e+qbJ-@xpFJm&Z73*9jkxW&Ww$Y^=- zS+iVb(pIveOE%lAt+_6ckT*Rk3rbQ3H#W1nu3JuWcWs0g0dw_QKYmaA zym67^Xi*RvFvrMnqygD35zfa{Ao84lF)k!k5B09K?I7bGO{jd5jBw!Q5ZCVX(`9#~ z>Nz-DS*1SAH9M&`QClYuy~j_o(#q{hD#T#c#=C&gFy;OuWT5ZwRego3yuM6#JP)|j z>#*$W=^{87J8Xj8%!;pFNx>|+*ZP>>t3ynYUm>@DP_Jr`H96hpUW)<(dBG{6I4z2l z;$oXtxk1|@0?Sy_AC0ELw2}jbRidDlz_+8{9+5WbM{8rD8N6C6(yi_os?a5H@89~{ z!v^ym_GR)?muX28z+Mbg4to2@pIrRMW%-enezwE}Z_Gx)`T!Kufxo?MXQH@^2|xOK zS&31N>Fbm5CIR_<3Dh&(GU^-7_w&{|0HlW2Tn?Ydxx86zOg_YZ!QU#_NwO&76;v>zz`^X3U1aC=3B<~lfy6Wxq!Z@oqL$8lzYdG;zU$3V1G9tn+E(z+G; zW4<+szXquUM53}JQgjNj%@+7dui}+$>~=dy^4#rWKcY5Rg*6_Ki%B$XV-`J4T~yX?$=NXMnB z+&A3uw)m~3^XyHmG5DKLR}HwG{Mv9MfEu+O={YZj@Xf|85|%*@Yt7Pd&ni?(H%g+p zcIX5RT#MLgpO^7&KH-NuOvX4nuY0##vtTNBXB;X$1|~|ZI4L{ux}bJx0at4e4bl2* zS_ZPi_7U)jEo_|Ad#W?n)GmtpH61xfT)#}1DqH}qdZT|&itf~Gy;HucTpZQGA8ZrR1X%5@BSYYfT9&DE`M5Q zlfz7&7>o(jP7>8fSz+@*BB4mN*P!Ajct>N~^*|YL5Q~BLO6tW>J~U4`nJNRSRgdZ| zL<&FA6h&(W6T&xRxYvgrzFWv4i8!u3i(+KtGUGFeb}5Rwdms<3lhK-NB~dEjYb1Is z?AY&;RahkFjcj{m@0s{ofZS%#!mvjW|mndK$O6K|}yPfnV-D%Io z5SoTu9n7vi3*Q44_54MZ0Ay%^W=4A~1SdFs@wx#B`NrZmbH`i~<$~S3&~ALbC|TtM z1ZcrW^iVpfQ+8_Kx=uSEO{Vg*+;d(&3Xo*CV}7O)5!k+WKL1*|emm!FAB(YWoq%gD zl{!jycs@YifaLkBr2nE03??MhWQapU6H$Jw6TDFEH(!;=;MqTF^NiBHv|I_)N1_El zQa(zD(W?}KOgQLx3L0jCDt7>9kXou<8~wA#DsMCc8DO}s$70h$(-=T(CZyDexK-0qBf7ZvPBS7 zWJ?(WnIJ-*qKoqzg@=a+FfHucs%O{iIF64*NY8{R(uW=ZT4b5En22xTheWUwGx!FB zHu5$$r>`*sFzXn42Oj>{3B0oiww*{%M5AX}9rL$znEc6UatTFLSj?legp;Lfl@YM) z8yCvBD8Rp8fp8RaKQ;yAbN`IY*If2^Df9*2I@1U>xp`DwSxUaVSG5@;V^(ZF!Q+zP zEu|fHF_afn<@&3Yh-NsS3SC3R_|rr72qCmu<9PoCKYC zjJq_$Tu(&3`Bmhofg4};AZIO59!2v*N%J!K;>mvD0jZn!pe00JQF}G;sB}uo)~AV^BFKe(?$(B$8ay);mjq zvgrprDQl>=V&U#g&U5QQgH{xB4|z(jK@v#LHcAWMw_tI33#cr#eU4T9SQbVRi3W2% z#}@2yq^ND##$6`=YA69EUq^eGE8!F9$zCUkrYkGzl>(g?^6kd#p#x59%kWH6v^u;Q zjj26(sixSeGeG_>W5(ylX35DuGdN-u?iRvd7~N_h$fzIykq=4kV6O2Vs~^6fwEPZo zMYp_V!LyjzTB6!S@?JO{1;n<=wrfm$4`}ayANCW^8WXwDTjW@HbOM}WE&53YRL~Cl zxH5Q)Zg6TNwCzs<61P{)7Q;|s#$5O=V{~%t-}5U0*WUGDOESryDU8s~FS04doxwKB zHah0lp#&%|xeNTz$g?_^4n*3Z2IEfXxb+84(M$yjB%M^jj594D%PV~dSU>ReRo?3U z-x_z8|0C`G|7zStge8R)B>%HpXTp>-~Hd_FFgk&-G7wx7DfWLX4WS7|ISr%HnCB~XJG!f`9A}9W>$v( zYW@n+{omDJMLH!qWjYl)RXQ~~_5T!q4GkRW3>^)OtW2D(O-!Bt=eDDTnYr_S=YXy4 zZ0U^uRr4keE(X?grvK{s{{(^m?bx|E(wWiy|1yF9s|4&~Yi#1^WMt=PLiZmiu={_o zz;vD_j{lDs|3A|E{~F`7{vS{5f5-UD|BC`<#OL5({dWid$Fcv?;?uJ;{0|xU-vhI- zb~bUurxUd{a5fP(F|so@f#l_dbaHkyF|dJj->7jjQP#d}q`~EGmpX*6c5wSw{j$xe zBbjgE1abkpkpY7z?%fOk4M5;(2M!T=^*PPpoc4U4?mQNGRo9s=S6AAtR5GCAq;!&2 z1)~iAA%=1YY;>##1Ocqn7lUF`g9$I96z0!R0Wk(q_0Qx2(51&!=H#S6i|0Uwc1UCm z3j_x2#HaFS9!Kn-fY^hFhvzQ=5*Nts(e7t$l?Nzl4W&h5Vw&uu_R|JH)&1qyCDa*U zl?C`n19OW98eT^@0`@6*!vnJnhVNBlwreP{;e_zh48 zn88OAtFOA8WCFN?tao5=3+&wjME(Q7rNP;*@lCNeVhi(Lg>Qy79u;;7^&(gb>k!hZ z+3BBC;Gb4~vC!zZ3emz6_A_w}=^FqDe~BhX6<)HLm-;iPYpyF_&apOu0s!J6_Du_N20{&h79Z0Ql>#)r{2X!;@;Q6`RVCN&cfPZ= zzCLhSXFjf{`&$hN?E=D~-c;ad-+R;?+Z{Ku?>9$tWqLqhdF$Q;;Ae-)KTX8w2H1U_1;C^~&*bm~{H@8ZKlN9xxPxeI;Ic33 z+s#gAZdXJ~5WD&Z=QB%haN*AwYG0sUrnQ)Y+Motx}_OJJ&UVbdrQyNhKwpc z3TO@DiSSO(?Gy1I7>reF0@d2=_E7{py9+-)aj}c#K7UpBu+cUh$M2uEdHb96Ootomm!mRO zK&vn3PY@3Segx3{^?UeQmvrAZKhCZpSp5?nPr9@(e{&Dh9T;1cWsWV8^jX9vrxj_}8rBJpjn28qKL%p#%PhSevPSi!_nzJsv@Y|Pp3(1o^euae zvW@`#?vG0=+vtvEdNMD5f}HoUqX2J*DP*w&9rSR~_jUBSU4|}R+-~SHc#x8s^Ia6L z$L$B3(C*zHzuzf_;VUYIlPx!7PCQ3}-vyuwC&Ua)L>hOm)*R;S&XT_up=&d!^q%K);h^;>c zZ|(~2lN@!JI=wZ^AhR1k4up%wWe^Uz3EeEy5U3Z=))5JocC|o_FS2_s$gdfU_7C1k@0kp3S{c zgqkyRxYH^={Rg8?7MP`B!jsXLZ422BX6%P#OZ&lPKSI$$7%n?;#Br<9)Vcq4zMB=+ zcuHiR9$Kje8ZN$01rH(T&H$?~_y9s`hba4?AHTcUR+Cdz{CJ6VeI5;@-=p+gS-#?q z?T#J`IW!|CcgLqR#BZ(G`aJ28LCM1nmc^cdc*ty6jpx%J^V@}y`tB*VA#kfQN?`HR z6VvpF-iLOcwgf3~v5IBYET7`R!z;s@YqQ!=xFzL`C%l+Z$5k>r@=V9+!^w@;v1g+SM@1>v zt#QX!O9sGY^v0O@2=((rvUE~r>EIBZ3p(F2-Ksj*2370foeSf91fNs(#m3+GNStJ$ z2~pMk42xHWWilCd6<+LFt{ZA2Y?Cp*Oz-c%&u>=aGuM_?NiqULrpo5~h(diPT3&bs zxe54U9q1$Ym zAYz!#;2P_U4mN-I97+Cesjj6dnvKQzYF3ZWvOOjWimJ*|$v_!>^rxtU5bb}L;ANzm z-0g1Q8pORAM!X{`^SO=2k-)H+Sj(kmn}%?qwnotbNud(2(}c1*R7Xu@(Qr><+Z4Bd z{^|WVyFTJsDptjcl#5I;%iduitaclx{a3gs@8V6s&HtO#j<>MVcFcB)NsjTyB@yJ^ ze^COHZ|`fdtt0BObT)DOq;2!8{ADlCh0icTuWK}(9tJcA)h2L{u1<>-cB!e}u;uaQfTqW`5_P_f{_1GMsOO}Ad%(__sAo%~_ z5Ey-U%)7bBU(eIP-sW1bPVeXKYhp*eo^h7dP)0nDK1|gh5nx=DPQKhXFFvca@=?Qb z`^y))>KK%32~Jx|E!xET(u~B?Nce!Q{;Wcpri^2t!!y0bggV^}!yc4f1T1E_6T0bv z7u6W8!qGyS1TzVg#u+%Wq&nnu<#W^&ToPUM>ORA6k-(nS-=n;rs$Q3F$xrM(S9(V^ z130=zfgwN==G`?8O`b@;)U62$lND`Ih3^?*y%SzPbTp5|tP*S{5`WDR;bM0QA)ub; zswygB45Li<9qxmp)P3;iU`WTIfuXqn&2&|Uxw~%a=n9hK zbx8Ie1NtG0ZjPJf{Kpn_*i6MYaX`d{^+dGbQuah0mZF8`fqf#>XyJOyk*Gf9!<-j$ zPmLMP3)LKl;i0KDd-WW&wW|m)7Hn{PQ26}lN@7UFW z;4u=5Gz<4Nv>? z4Y>uQWAPymmA#0`L?8qwJgB|ciBvPMp1|79FJ%9%N$Z!DPzRF$dE85^SUS^ryaF($ zQ_;?(Iv@T~80DF?RCTsxYMTPs$vWt>4@U`brc1+nM8M5!RASQv z)jj;G*L+_p=iYbZV^p%}7`CxjKN+Q&+d0pNM0?4scGae0-5>Q!3i@`bw2QgUh`!uj zvquM9_N#Z`DX)NLYDKnFd8tZTWS4ycm&d9p^wj0SD!4l`>*!MWaYJXyCD(#fncAjQ zIVyVs>AWz+ZT$*+*wr%ACHt+2M+>LA#UNgOK5=CmCA6guV}*-l($G1N^2?UYh`L|0 z5Vz%CW2dHNzDo%ij>;UZ6lb~N$Noq1NjiR0q_&l93d{@%{V5xn_^vwQXpRXV&D~re zF3;n_E~)WH0kEhxZ1V?W-`&yZ>RI&+KaZ8YGXd4qI-)^GF$STpvyfU=*g%P0Pb|mw zrEZmetn4*|+Go!i?3FN_*(sK|{Undx8*!AIIT#>n4wBF)>`K`^;U8U{8C8d*v1Zvi zHrnP{GR5!3#b?Qf&dgi{Fs|d(9W)w!j6((lg6zJ9!hPKKca)4j`xLj{1+`3q8%t=F zYEfU%UlL_ojHC@ zu`6&j4 zLLpbOYe-JK+C)@@8g_?^37(qhfN+$9+184YzdDsB(Y-QF=w=F&OeWz2KZmA*ooPT! z2_4(rf~O}n;J=rN9UOf5^kh~?p0y=H=@PQmZhB)HrtbL zc?C6*@nlnlX?UGhVZxU)Jw7|nUn)_|{zUU6vau9(-~N7OKh$V1O(Jr|2LJA5hRv^s zCwQ;BTJjia0Pm0t7xZ*RA6q($t?L{kl}R&H3CB^wh67nzTWZgFZ*nhT z#iv9Ybr)y7cas^VpMyAvJQ6gX8$t;8>GYk`B}pgNlGX0OEUTvCrjK>1SUW>b7_PgB z$KPM_rWoyCddPDd_H}`?$o)!?=;YPzHs0eF`NPO={ga_MjZqOY(U~Je?i*Fe*2N6v z4)6II2YJ{w0yOQ!Rk;>_9eH2DWq9H{Z#JBg`SRcfSE9zet?7u(1LC}D9;koI>`dBJ zy&IMj7fLKAptQ|{@zKV(_xEcuPIJ0@LL-c-A5y~5|wl5e%#P^f9WU(7N{%-hr^DvoDeIO~xYza{X9K6yJMO|}BB zGjh4-%J^t1n?Sseh3coWsH3W@VI z?0YR4+fFuuN{3%%mBzBJJGA$pukI^MPQ7iow}!!@%`E7fr8)cn1IS-4r+=m$WFv@; zD}^K^0oc)#^GQ!EBF~G4?sFW6Dj9i~KyfXFJ=;?R7KM)xJQzi*+eiajGU^T4?4_3! z8TobFqE?DiI~Q{ey&F^x?3D3u<=y-Ke>y}=PDQ5tLdiOFpof;OKeAV@u@<5k?VP5b z{t9|8AZdPAd>YhUsPaVO+=*Hi0b=>KCDZmAZ?(mcy%WM~(GxwUi4Vg${)98d;+h<3 zzMF#3wxpuJBNhisJy|15>c!VtzKX_ZyekzVBPM}H>rl@C|31Rgrf&9Hj<#P9`cr^H zcP@o9nSW$f^TLtsgPA!di7hq`-{`{V+rX0UBLls#V}nMAFzg`Sb9XSR8_7}5&~1wS zG(}i?xfjwX%TK5WO*PTIr!$F{Cv3d22VERmOhgkgjhn5mnNqe;tu+Ve8GjzKrsu45 zagHMgTS~_JX<_oGy^2C~+-MDCxR|B+ad}h)@I*XPyaH38MV)5WTj4T{LpWzIk)7ti z>=$R;&ck%`E5@;!P{6jpQc>{?xX6pVS@%MYoBI}65{V3BN125T6Vh`)@VL#|#!nTF z7xQ=)XWQh{FUwMS&SiM?`33;ck&N`{?|WUAjLJ6W!snY%XQ#1lglD#Io%*@<2-@9k zdt{zH{IU#KkMA$TKeA|J3YN=`!A{*^1(^KK6Yea2Cn3xf+{0OWREh@eugNX=7E1s5 zJJfEgAy|nID}y_okrR`C$o;ju?43+QmI6M`Tk#?la$CzZMDQ)#;BJF1?pKJWSG^Xj zU;RFdc>b=F)Yu?Z{Eb&C-#7+C!76GIRlx5Z!A+WmDF;j1|dW7X%>$k<8A+Z@|oFAeTn=G%$?E4p|+Tvfl z-M_ywKCo(4+@Qs*H&X*luXa%9iK1lC&s(MOadssz!*{Uc5?27wVyK5?xc#mjSw;k+!*V-Uix$N}cdLSYJnBVWemcGP4Mn3vi-@WZ184p_Wb2SiF zmR@U{667sA$J1};cccmf&B#TC*vk(jFQTNT+RPI8-JzDdqhJ5u9SOlvLsa4KoLHLnhr4w0V)jG z=VV|G2+pv+B@*AzUHXS2zu{;DRvrbo$SZX%^!%Di*YB3Z3-W+HN5+4!q@K1SJAxG3 zHRIpclpH7mZgpd?-b{!c{nJwNG-KaE=j|PaomRXO#z`0Rtl9abk)Z;~YtJHag*m3` z6c-a0T`Z2`)DrR%dISwvdvOx?p$G4RK}Q6$&Mu}L|}Cl&qaOm1IOO=Qtv`VKONV9+7U3Q>)J`A)P_@cpf}n^Jf$A$+m{P9N<&N)R&&!DaHoFJ+fo zZdaXnLK%!#y)`OaA)_@{jQeW8*{x22HYgf~Bsngf(#U|ESdZD#ly@2ddTYnSoytnt z312nff}PVqBZcwkxWGP|?{f9S@lNZ@@>WSagqfKqRJqVkrArt2#T#K$&$<(5_Cfhd~ zqh0AfFN*RoCTYRuRM?$h>)*-=1rX9a>^7?sR>9B6Nf?nQm}1r;NMDu#&nRlnyA6sO z0m)MoeLRTcSntEx1a(+IF!I6_FO?baiXihj-=u9X5|YQb%fe6?%7UR#vA5 zU!IBJz54b(IF5_^OzK^}HRyh)z{09zL8h-1Lb?w;VO^tlQ_@Gt@rbxd9IGlXZ-p1a zq$^d?)DTt0ME!Z(R;fVFfrl{Lqi*HG?Q`&fMZJc=?72l1?bH&dB2FtC&S(5^`6Cf$ z!w&Jy+P6>~8x{ri(Se)B+NO_paDw+ut6_%OQJ`5k@1*u~0|zp@w10qw&bWfetJ`;# z7<6hCI9E+D8JHRTaDbFEQBj9OZ)I9i4{lrEHHCaTYX1r6$$7!AdsbTM+({FcQ?sH( zWQ9gQ=FaYFb-rcZHH6`DOzNQn`QP5RiqWNdzTt(DK>>(Rs>tdqZ5@e&3d6ryZ16js zuk42Yh!CylcCJU{#Nf5lIKu4@B%B7fJ7!rGU*4dgwGBFlM}F+v3>v0DE&01f+{1zw zb56RrX$q8ZlI8nZR1#ij0 z6(=-u(nu=r^gv_C7R6Z4si5 zy1XH*J)X#V#-!PgW2(ol7d4OgFG$$2>GfoQ+_qBhYll>idJIi9YcnXfwF@2fVW zFF2ekh3c8#j4Dxe3XQ8G`$Z+}!%!a>ymoaY5clgiU6+qQKSo<2%SvMBUnvgsQXRM9 zu|wxiHwh5rAZ6hpMBNO(Y+pt^D*joH@XpKK*=<6#Ky>9j-`TCn=?1hqMaiynuHLZ0dZNMZ z{OKol0?1Ml<8j%xY1N&9rizG4pHtrj3}TH-9ql~3Py}0T?fB)8!;7lR-9xdipt}nq z#ZOpyQl@wswaEv|vUWg4T->)~VLeJVlB4#l*-3A7@p04;r?QXF z(ggY|v1;RcFn&Gascw7=vhpkoxXNJSg8}eljtWlyQz5!t0g)B#vVTR< z^Gcb-V|ZuZ<3oo$52;OI9w!*N1p3^z(m217sT29jfH;)wIFtGPVwh(iAI90x5ew?_Um-?b9mko@!Y6%7viUJ58=zihRZ zc#5k4Xh z$bMw^!78yIER86VKTTB>50xk^EZ|(KfvD5ilp;L0e&qY5hZ&0P@w^mJavFz<3iMtc zDpoNcDQyi%riZ0Sn-r4DqyWLcmgHX?j8+#P)h9Zf>EK7I7d6COFp57JI%4MVxlfL9 zuiQ@dRHC0YOyA`~(NoWT(u+0BW_nAs$7$#huwucq5y@Z&FroxXzwHTnX%{iI`6G29 zpTBnZ6V`-UU|Oa6*Mso3%lx~;XByD`sNOCh)vjku0Gm-P^oA+(v+%?6bz=ksd5NC%9rI)Uasrs02xE zg5*)Q+g;-~LKx_($eJ!f1v!Yv+&HyokG2;eV3-7>@EZMR)})Bg;)2&*AA3OR-#ZIE z?CocWhgGHvMG}hU-EtU=BIiJvTQ~)b|+|^&|=#evQef&GjfSLi2d{2)Qa}O0%=ie2*P&8&U2~NBS z!H)rUeN!$uV{u#UdQWca;Wv}29kE8?Bv>;LxvjNeRG|iku2>;7;`40OR+7`fXsd4V zLWy`r)&uix7hDr)Qdf_l1U7+t(Cx)atmFwQw3pH+A~^Lw?bw4Dz+_%CJp`ZyW%G~E z50!TjxR9q8wE?0D7(o3>m(8ycTs*RVTZB#Zqb>a7vvHWNNN*fV=JGgp3v1j z=eh^69hRvt;_NiMrZ6TYoqJJ7;h%f*oKtxY2qqo}P`vkb8bmbK6c;R< zluR_3(N_HjnLQ$xoZh`tkR-3#c=OYHwD)0_$6?dRU+L@36jtBkNrSRDsuy`VoVs@% zz#MGx3ieF7F+K;u%!V@E-*mMjk+`^66iMJ+G;4pe)*C5l2-XiQVX4e0JH9Wiag6z_ z$Iq9*X{mZ|9j#GWtB`W-C+7IlQMk!EVX1ph2W;n=lL?aQ?|Bj(4Yfij<|d3Jr&-iN zF)<;{bY%~D+>ecu*rulQ-j+`N1@PlggX$d3O|^#tj|5k1n73!eL2<`TEhv6#t&4%P zJaK&y-X8D%1!F1@$ltnWO5@O3#B}T&9~!r-W;Y2tQhND_h_dOBk_h_DH3Yug( z)$FsH1Wz&Uhl<;zt66lqq`G#L3mQ&pPiT;6L&fC1@}`G~L*Pg)!Q}@@CI0!P%Yx{} zK8}O%$EzAJhf8xa-DQJbtDfC<1&ihJik*s<`3h^MAWUnd`R_wc!eEUlLCNF5?exBX z^+Kt(<<+y$IAJVFY&k)ak}Nrrt;m&>!{0bcWvP^)rv`qk##foarS1UcJ*TdKzl&-X z%-*?7Fb2RR|99Zc#!uU;E2pdvcW+Wu@8ZM;FZIlJPZ;uWqx;rv(O z9#^v)b9lb0Y|)ddpHUhnexqlNW8|Wd8oX{pi%&!4SRD^|$w{jz+9FY}&*}}MX16IJ zKa7PK;iM5K^{J+C`=28_mpt%0w&MflWYzPM{^POyL2`@+Ia(GLtQBa^Kn{~?g`a+| zy(xj!MV>>JqG8jSoyg!AJz@G9q=>A_M8c^ ze32B-^_eO`s{t#?HJhhL!BU#}H`Dyn^)R>l+uK8C9T0<6NBxrmV7*PxNR`VX2J)4& zD>k@$iJ@g9Yiqxiu*!xyBE~$9_R2&Rwvp~gTM{+)iv;h13v)y{Vb*-4?lY_7jjca7 z>w4DsUCvdq&yAK^kMB1Oz5R^sS#T?=@mjzCBxCtT3ulH2XlLQ8e@-zI2VK#s+BN%>8n+vP z4Ds5B3HoqZ{w!$gUyO9L-bJ2+Y@1QsNT^gecdOnDpdj7n#a8?GnI!LG@jhN@y?%p^ zisTb53{|g(`h-S-@&{T5l=!m?mF4iXg>Sx-la>a98N+=v@9_iI>AR}V;1ulnbtR0I zsUY708I#B9$eg9hA$F;p1fz61`X7%8{Dsp?-k~KdeId{~x;w}SMP1Y9LwnxCWp?V| z=rGoL9)W>Rc5rJQy<+WZY9=!i92(T-{Q+HFfUny&@9&5v;!sRqVr~?`E;~{i)B}H= z*;pZf*REQEXfHQ{HL7;`2J0Lx?r&^oe|ondx-9u3O;rg<0;oDr70TrZ|`nv&L?uvsI-8Z(3XpBw&a<<*tv~Y+-qE2v{a~huG;QfGZAB??U1^Mkz|uKv1ZbgIM{M zMv6p_6n4Su*2zf+Zg_w#9QhJWfUcr`iRaU;lrw7m**S4e3LlI%;Igg;K3Fy%R>||8( z{cPsA%sY^uKl6P1vqQwaWL>RW2LoZ~v$LrBJkjN{+&^!8FWu%k+ilt31tV65VZyE0 ztfG=)DVm|8R!cGhUtLJ{Bp>36b42SO$u(v3W|bWvMqS#)jjj*XKnA1m4`PKG%CJxC z<&sThCWS})tfJRFNW&6eCs)Bfk@Kag=KBg>DA%q@F28p;b5*eREGOibl>@swCbG7SH#o{!XS&Qg<=GmEgdfn(!dS zJs2N+E^OUg^n4kS@h!=K7e*Yy(LJ%jdue(_4GvNOjiNdt0*T2X&m!A-ZVtZ7;0cfk zI&9iRKYF28g|H+0d8xW#(H%$~cR5l}|suviVK*UsFEp6kdP0G^hOCLMU^hgDS z^#cS1KAQn-6M?c5a5Bmku(Uko^64h7>D&`|#H`RUvZ^A?AIVJGx^lwAdllSj>wAUt zA!CS1;ZAPiPHn@RyT%8{#YGM*>j>(h6$?y8g>Z0$8T+$}MVNId|u zaw+Dpr}`kyUbxRaovL!edO3z}8Q$9!kj}<|9r;CMOo0MV*wkN7=vG%3jvYYtN%QS7 zvmYzQs)uSJxd(@qUQ;FGP3w^ByxS=loq$yw&8r2gOlr?2LwWc;wozrf=;V(oY|WITx^g>MYP;l`j>rGkMRkq z`~&w*LV}F?TNMKmm9bQ_ypl|}6d8u~liTx`Kb+c}GuOkJ4-)ruCi=~uSUAAH5c&2I zyLbKBN`1S%A%Ng>%0Iz?M<%WuU6PVCaD93dYY;&5fEK9Kki3h#27B5z!bKHwA9a=f z#jQ9jt$$e3o!koal1Y;FVO0?!`Tqqr{@*vXn17ft9Sbw-e*o-{H)j2B-k6i~e|Y2nEdTf3n2zbEqxFA@ zW9I)Mj(?D?u(_e5@*ihHN`~M6w>Oq%kY$kj@x_J=Mn7=)KVGr;v9;rl<$FXw-|aQ~0_W%)U`|8vDm$i&IT`QxGg z7wDIZlbP}VXMn4!)!5low}l*c!}WUAmAYcJIeW9tWtUf3ULENc>*cjiqA7!S@ z(rg9!8t2-jq!jr(8Li|004ZyL#_u{^iLHN_PpA?5DpuX?=-jJ$0$`CG?@sQ<0tltV25mbS(Ib z#Xmf-AT_xY%wJ1L51!D_)a=;A1XRJ9tr<8I$RvQ=)OFgF70Ahp!hh-q`=WaBDDVC! zzx6frcKu)Zt@I3_@AeFj^mML|!U9Onbgng!?CkGuQ2%KlSPBxJv>rbDI!K@^8EYNc zZ^_-7&CM@;XfDpR@21+%%6HfjbHL@k^*)%hJ@7|N1ts+tfLE6`M&~Qy3htv4Vm0f# ziM5Ht;j^^J@9eApW2qer`06h(y(vEZ_aHMnXgbJ$^|!uC z3F2%Dw>_rXK*3*Pej=Z;Zfi?bA;`lII@BhaR2%@0Irt{rn+a8|%Xu>u-eK9yhpM zKq6B;=*JcdkY=wy)bQ}=+4qUD32fu-hrmxm%L=~1uk`1hkmShpwvh^O#qcXPG&T8Z zK{};Hcwl5v1#3^&0GW)j{(8F9cVy#HW}*0%m%XNM`@N(F1PaS??>ASj1tME@^+gnL zutUwlv+%9er{DgSB9K%T85o+3yY+3__cft#3m|MQ^W^@Rx)P{JXyEwF4f8Vy4!Pn3 z+J>Y3y9orLW}Djc46qa8t-9>~&WisAF?yY8_?r-gIt!Y2-(qW;>ZkfmFyoi=@C6&4 zo*mJ3CQw+oZ)9Tj=C=M-x=YX$QJJ)$pZMJb^riMGF#VnB#lnKfg4)`I?v-Rmq;{r> zP5-#+QMgdR9rQ`NTbPgVN48=p1i0zR=j#l)gI6^a;F2Fb)zF!Xmorg{Kma-47lFS!8D0aJ%!=I`0_D7hKRB>5ct@=%IlG4VHBLP&(0Gsgo% zs%~t<_u`zyqE>et?k$cCZ=vpX2QGC6vlffR0`kf>uf3k?R+J=x!K;D>6P;RQO>ZB_ zEi())rr0!x9yr9HIAc0Flst+Yv<&5xWxG?o1a9pk9RWMEUD=jtt)mFgegZb}8i}GL zbSG=Sf(m6=Nd$&J7GY$WQWY#tg(j31<>L1<4s{&6&`ROZgrcxZkTNPIm(VGL=WcB; zD1A52fs17&h-`;{shFehK>M(bG-Ee^w!^%phXglP^_$Na;pgk8(5xPS`Q7gY6x*;F zL#t0~s4_(V`z-`p(lYp%x7;?NbFEz4wI5n2WxK|XdOs|2q`3LIS$y8|c=qs666F9! zL=S^AjfcoSk$m0f&K_ea`K0HcJkbj?ICk=0S8AE-Lr90c62r=|a3PX=dabr+<_1&x z=TX$*OYT)H9o)UsXyi@yjJ!-Oo;?EV82L|3BNm5J962BGn?bKhpY^?XyBcaU@=dig z503aq=WQFI)FcM&w!6!W{*#X>s@5UA%oYJ{@wg95&j3+oV!t85^2ijO6&H~}4MdW4 zPnh{D$zW5@5Dz+<_Jvu*KVjw2f#biwRG!4N0{_(2J+?~H<%{8fQMR8)3&tr$vHFIH z=VXOdJU$g#H_s<`WzdF*O>$rpw0Gk`E7wy`A^VLDqpac1;UH+EZS>YU1}Vfrn7Jg2 zbHo`y!li}@i8ccWBmLEKykyZ74?6&uLpU>RMW^wK)`AMke{h51H+Q6j6bwpU?=F0i zu3RwVBw^rQ*%%5S(=J`Dry*SN1!yW5OoUwkHyeneas76F>W9^#77SxB`?m$#I=p` z)NP@vF(Fa++Ix?tCt9;Le zH@x{E@xo*s+jlaNF%4pEd-|LkTfx0VDhyom-_cy~f4?%ja^8W^~QM|Qus)x-NV<$TFMGbW5(ctJ4V;JN3=zeHq z^UAKP>4?|y7AML?oyX zz)BOIuhUNbI5+!8Js^%0u2?O51KE^$#?FC%SYsm1r-}g3>m1>+%Tt{Jp8uMG#s9aL z00z@Z0iCpqLAE5WoU@erT74dd!1z~5@J?~}+sgnBqNWc)-?O+KzwH@xd&xxZSKkFW z5u6MHSs{KW^g=_OI>$C(FnO>m)A}tQ8;hzpB+Of5_7pKctNls~QeayO8mTf1Q*=Rw zSs{@VPMSF~*S%3{@FTF~Cbe%Ti2PqxEOT|d@_=Nr)^ytz(}`s$>4)Nt-^CdLb~GpB z01SrzQhcDWcM^WRerUy+yP)`)2CkAB`t(0E9fUHj%Ht z6q;7@TmIvXL%`+<*%`XKqY}OTe&);?x8vUYql6E&0 zG#_hHZSGkE=P10bs0%_-=>J}Advx?nSN49{{5`AIY+<=~bu060ITKnkr&a*Ci9wG4 z-gek4_@wSTfZ3YKjAblK6m%Vhs5Ygs^xxQLShkHzMY=2?)+**#Z7bEn9&tDi&{;(B zI0BoYdoYPXW?%`Cf^&u%De8mbk4agulgz&X!R{`DYPZQ}k}uN%?B^)pp}e|~OM3#l zfl?9F3hICe3}a^8)AF{f2iV&WbHg<9y5*)R;0$e|8n=n8%=Yvq+;(6aFCCk%x*_-VcciFeN#IFGc5;uQCU8S7)$3cOp-$3U0Hhgh&4@`2uK$!aU7hI`GOa>oIbzj{IdgQ$Dt}e+_Z{;MZ zsZ%n{b;#S_)|(c=59HH4MeM1o#$&>=)jTA!*V*OrjB(YAuBSw0KPM^^KWcY4Bocjl z7s<)MDVOHWAP@;LH7v5dPfAbxmX~D}+>f`A3n2a&N+c6I6{T=_BSdOCncL&hYOeGW zT5#;(iU-&6o+N2|lwCui$wB0Ni{+QK9XQD;kxtED=Kz#8BP+>{0zVTIG9nF zBoK;HI^s6y>CpTmr~ytcYbjQS=PkHLDdlvZNby5`d@Qu z?+`W6D3sB2_aT|*-mO=|uIMvFRcse(JB3D-2s);|B&-JzSmV7N+OYMhG69pAqr+{Z zcMEge^$5fOZ~-EkNO!BEfJaO^ay8}ftx9^Role;mcmcIs!sg-WZiaW+v$PMc6L4@J zqGT^D)k9>XqWJ`@5VQ zKsioa(|q?=fjy#)#GMU5UIQJozzM6~WUG3z2mHaQX+KR3#aNo<_!R)PuluCNE?EUW zgv==LB*}bz^dqq~R+F7wc^0_ZULl{0$j&<3GdgimyfI+ojV-t-K_aFD=k3+aqscmh>KEwKeq1R z8RXw^@W8hKn1{cYJn$ib#5|O6!QTxg%gy7K2=2b*{wNtt7PP%1A+3w%AVI5hiG>p2 z<#Tehw2-T_AQLO#OV$S}f(HMl{q!4#7%?L!29*9yIsA6eFwaDfIpSrWwNkGg1M~{S z?pCr2+4le|D{&$3?e>^!N1Rf;cFskE+Jq+(oMH1T#r~0o+`~8-2irf2O9{m1K^MJP zac$4)KI89a#G+EYZE&L&tK8p~jqmTQ0_$@2*XUY;$YJs3p0^ySTo^6IzCFyhNBeoc z7M)k+;Ju93u?rdJ{L)(!_L`$%DNAd9SlN~7@;#%rfsFmVsuDI|J6U8W8ZP1hK&6So(^p}}REKNhvBV@}S96bCPw&J@}j!wj$ zf6zs4Z-VOIFN{We^-j3Booc^n)ka>Ii-DkQoWcecElifpl;|j7q1}c~HAStxTI6B9 zbX!CI(&R2F#Hxw?Nz;#YO$UAcOLf1OyCVjP9$g726bT#OP<+aLVFzu^bK(fv*pu=G z>mlJ#j0LVyjy)_gL-z73IzVd{J)IAVqX2Udu8m^gF2HAWbDvJQ=B>`Rraz2la~!|P z>l!#e^;OD>2}?0`)X|yQ8;#yht8P_+UPAq3Ra)Pi@zHr1qbmJQAi{ zQ;Xs;k4Q^@kt8U3fLUSQ((x#2U=3Z+W*m1q95f0Bc24qZC?myZoInAnL3F)?cvHTf zijKi~*j+Q@p$GX6XW?gj3B&e2a=SylAc6ITwFlm%{|%?_6$P-y#op)IS8jiUr4WvY zX=?uG=gt;BO(8M2qtFY5mFI^O86T#d8JM6aDJCIw%i{J_)6m655!Pp@%gox+gy#eg z-_6)*kG9WOJC&Dpn>nNLYyRJfU;O|bNjU?uQkTZ@p$|UR+D>*l&C{)WNwgzsLi8dQ zHv=L7N`y}t$15snT$V~f6KZA$H5~E9X|E}=DHNqLZ0>pA$E6pL^(0j}X zU~NCZmFc)b4K9qFO`*?aWu`gfAVjkg4G>7t2bB}lb)zM{op#114nk9+gb1rF>*uTN zlhDQZTL>rosEDy>+nf|su=4#}*Ku-KJOW~gI}$cdBPE(I@mTI7^9DDX5xB~An&yQW zdXf{p;l)W&bRa5^Mjl=b`xN6#?|p{kmT)2R4|RLsTFubLi{^d?DLzbSzz84j@B;>h zH7+d5vj)it`6rTl!N~29#Mxz6j7~>(&=3K!~@UE2=;^)L*zZvR>F>ImHW zARdej(s^Dd+lj}D!ZRApxjbPG<{epc*6TeUT6ZY9o<KtD-Y);|; zHXq{~FJ+Qs_7cN^U9FSy>w5e1QQ$rhC7zVQT7hX(%1{ib24J_m@K4#hl>sf!Ka`aG zQLxF)0sPX+8l^Q57&Fn>yq}spN>6Is5WpA;MVqY)|M(#%q z#lDXgm{M-nYzTJ*FXA-Luk3Qcih#ybt*T`V!)H zl}-uEF|9DB(}Ls!nz?-X8FIQY{*FN)r2@LvGnBX@s7cXHZiW@!+bA}KSq%~%>|ZP# zjJU#W%&=$yWL~JW2vYBTlAj1>EG_-Hb;TZSj)yGn#r;Wq*31wML^}kR=_TND@+AIF zc4us2QsB!;q80Y}DZHNCRA;B1$$(y|8`xv_bD_S2dOW|^Lhu3UgLth*iLz3rSok~Y z5Z33D@BuqXQ}c3Jb&Mu9qJ_C20YOJ?jBsi{bfy#BNEgN%nC_c5>xZ7j0Y+VK&QR1m zES~7C4hv*yXV?sd=|fL^0rsJnBrRi$FSwYtnviiE{ozO>odo=OYT}uB_pDLm2CxMZ zCGoXta+ z{CG^_8A)rIl{U-k&hN*$9pgx(K>*WZzgK(mbT23FQGP5nbx`K3)}49d zic(XHp9P}@DRi$Glr(lq<{i>#{YD4e^Cz3VM*~gJ?-rYI=!WscU`80fr7bG59?E2E z=zHiy!@TyekCy)JXkP4gi`f=1G7ipsvBq#kBd^LuCLzqS+3@xX&7&CFO*5i2%!^e! zJxNq^gfI%WPa^S7{`DCv*c#l!dG|CQ`X{!dPvXaique;+j_JXk(Btrj;Wv0F;!W)_ zIy6L|f;RDWmI3bJ%Ar~JCo+X{L34r&bs-E`VGSx>a~Vh?;5#YJTkHnGdzwtbz3yt- zhbJk}en3rIO=+CwsLSHx(7J(VNP?pK(kakD3$OAutm*3Z%6+C#anMQ3gEOW~Pd#T% z2$=2lTvnbO{+}kL^;m8Qkcr$!A{J0ae1diSfmcjlY1*X=W-IOskjIB^Tb>nz?Qrty zsh#7t0j?FZkKgc3dj|WGT#Oy0&tk;xPO!=8lI_L#{M!>=ZK^DY;Mwa8~j1jto@z|XzMC5%o6 z0a?BbbD1ZYyv#LFGIUZ(0qsUEccwk92;T0U*=&{8=$(fyqfdi68PUmgEmFIZJHYqA z%DjHtjCqgrnt1Xk6H)zlxSv2zuivo2%DGaaA4CK5mpzv`2FF0;%iu|3H7w&ukhB&G z&AioD`iUOPT}SfLKTg+#kFVcQY@ekw@w0|oVK!>SuP1}6De?XCY7}C0=&VN^Hg8Dr zpIqH!7GR~n@Dote3?Fu-w@Byu4mts$Yd2fzp=k~1-0EtlcoC)PwN(A-Qs#D_oC$pS zW%r3Gqdu5}GcKD=J^>IRz)F|W{e@Y%vpzWOeK59rDW(`2v5RMV^P~SF^i$WIjVG?3 z_Kh`;`$VTyvM;bweuh!%x~oZ z8{XYW#bF zgO0Pciomj6u*jiCX^ThW@d8sWZV{GarY@$iI?3%}vKHlh$RM_8mEsN{#oP_QZU3sC z_%krvpzV0vXHR&gAkW>N4W7yY>~VP1esPebER)0DlXuB>Tg(#cARn14SM?>X-ehfS z{p|6b7#t}WqcI@tjnRyBH!hL*?e|pXfYEhZ4vZ%m`M>&HE85sTUK+dNb|yo<+0oW{YqSseK!t*B)`PxPY(@EY6n&}2dRn)E(4 zS<)YTFl^Pe#;q~Puw2-Zj+_m?s&4klZ%Z$QHNF<0m!$h`^!uA84cYDzNYFEIwW^@Ji8 zqZ6szQ;C{dz&p$5`Tz0z39!4)#|!_6kH5{v4_A#M?!oHL-R|n8FBmaJkFr7YjknN5 z3V^!LAJ8bWy}EIty?#X79@TI!VzPDRoJ<*H0+{OR$_fkbZv-`Cc_0pUDWcKIQ?l#~ zbd&XJHv_IY^`y+cbH%7vOw9b{(T6NypTIRH4@^-Lq) ze#I_;+r%Y$H)F}kn?nQ=O+d7=1={nH3H>~f>Z4dRdDwraePm~`}f(ojLgi>hmRd>R)g`9b?rDQsT}=bmot+`LmyM|$~9~a)EH*&RCBo9oFK?r@;E2hW%WFd}sDM{~^UFjG;qrb7CFW zq&284lu=$<8f$T?9k8Fh}dwE(8k={fSxgv3p!0c8kT>bH(8x>m6HNHqhB%p9$5uYrF(k#f^y4 z8+FtGjmzdqI~}p>LoLB>VeC3z$Z+eeNTQUsvKy%i{(T72qFMuLGQ$eO6YLf0qSbSd zR!AVr)FC?*+$B_jG9ixxw(LaqtlSm&Yhr{I`)e1bgij;TMnl8t!;?lI8-w++y zz>^veHKkpL_@nmfR$@WU9kch(^Pwl}7wZQ~MWYDa;Iy22d#)7vE&w!Th`O-nD~245 z3qVEGY_vW+gWQD|B3i7N+%u3|m8e<0K#eq(DCEUCIrYKa8ue5&62!!@qLjE9xcTn} zJSre^njMfEVWU>WUX9dITYRfn%Qh+@KM~BP`MZ2G@iPD%- zfQW%srF101AXS?@9^~)|&%BDDYI!G?JKI^%jmRZX?qx}w?z1&{NMaY*4?6zef3%O} z`nu;vn`o1i=s5OKw7vmZkW==5L4?F+EvZ4$rI%PtE_A^1=jy8$fHq^swH96ztuYw;L@q!P=bwmgoZd4|kCO zf?*ekqCNG_o=Q>W>Q4|+{N)7%8)y;{R;n-X(4fp+@6ZX*K$9zk)!mv?Qlk< zMpMZJ1Cx#DfLMV0e#8~DSy8zNDq}y}uj0^4X@gnc6kk-hVCspp-k6OWbT03PeJfN% z-w$}iuHBF(gGsu2xLacxD7K@Fm6=;(2t)@2nNUUSarUd_1i$BEU2Gba;y#Ia*r?x929+lz>8Tb_c_F{?l>89W;RB2q4Nm;yje2>-R z3rYetPJAUd?Whw7-`1j>tvqjT2^PWkp;kWgfq5azHx_ueAyS?4^3l0RvzXO776-Ao z%42o#eqo=&cu~H&691G$k2yqUDjbx}+SRoa#9mRW>nLLF_t^384vIfQXyLLE-E#@UV%#Q_Ta}tt$P04ec^S;3k>**$#nufTDF=7fA&ejz7-eg3O7!yN??v4bky<- zKAtf3M-Y#d+e!i-36Y={6|!dWk!@h;N*ksULizz@?VdpNe=!KZsZJ}?i2zRGn z>bV)Q;#g9n{A=H)j8J{?y{azl$9LitN=H)wS47|w-c`_}3{B{g%A?;0`UWE>?UPV613RW}9Li!3# zRAFIf6I6K@bW(16Ab`wzpprgyWq7R8g$RlHN+oEjC>IjX_&AK3)J2J4*zzK4CDM(SKsk$)=>3U}139x+9eaJ+(t}7trj{O){a}JkK2{U& zS%%mO82CIO2YbySKpsZi+F)U%AX;c;w*XTYdI|BfD0G2f*@;8+Oyb`S{2)!f^0KHG zxI^R-`6pDL!k@RqFE{&%p5{|x1_4C2{K&V^l$=f~kg}-0Ps-;~55jf#h;WKlpLH~F z7Tf=VOgnlD1fa^&rh2^~fm8gV$TcjFwSok#QoRpplw=unSisTg74eFDOK6h zMaS|^UDMBI1=%ZQMMyoiT2?@(xYU20_j9+^!kwoL(tzlm5!wt`A0WwR*&-isQNocT zIYlxRQQifwUzz~>-lE3B5j39pqsOAi;)NYCQRX&wP(hn|gBr9BVrYp^V89)NfHwf} zT3-e5(lUiQBVP1!ObOY{+F+fEqoeh`XUSKmQB9MHU{~vCrZmKqg53C08B&$-nT8mn z%g8ac!gr4k1+GjibANQ8?WnjLB6FeghS+FR z=4e|0%dFq6+RpH&H#KIx%IKxiW_kPeHHXD&%W;VqU(KfL`uQPr9AJ{2vS)K8TQCxL zxB;L5HV@P5SYtdPTr8_88#h^ZdW17}mY*v%dksW|NfAz)OaNY=1CMGeXpXmNMCX8J zbz``Fax?a$dID~lmJQ!~Z$lSg#B&&DqEz^4x9w!R1Jn@Kk+#L<4ze90Qi~xSHR}4k zGuuPn%Wq}rG2g=-VL%OItzhU`uSFKRV&y+rywy zGwj2A`43Ne*wzu(X(*%hL{0GGWcs#IAUCY;M%x*OP!$9MUe0m)J+2L%*{o{j!zaih z6w8z>CjNr24dGDp-HPeP_QRWYV}z#7(<7(aIzzh|i^&E*|JGoYCp<4(EFQalWSE({ z&?zSkYmU4Hw{>D7gC*Tw7@x^K-RXe-X$?f&G~^#FGc zV*2AV(6dKJqxC*Fm2DO%B)GtcS`m@4Y~xV_xJ;Q|G`t!<$@F2J+=vISl;azAxD{Z^ ze&2gD!HqitVb1|GfyJrf7U{u_i*3xsE~{sNY%1E58Pw?eVr61|6#78dNtj>~Z%t#U zS@dn^t#WpS?xC{V*^@r#(Y*tve`g^Ll>1k^X+hv+p(S!B=EM4;PEl~Scze6t^9CFy zm*bxu3Mo;uLWg4qswIX3L#_^di5;VRV>YQBrkFYI0Vd*dn}K+m9Cq(p{0G~NFA{>X zW^^{Ox;Dwx_i^62QT1583fyfg25A`)bu|RE@%l(XGF&8^4)LA3h3+D!&RjE7amF+G&cXX% zFcHJj&?A8^3ZBy$x%9qNJGbev&y=9HE?4N zpfH7R{D}@44;bOv7D-&9&S*Oea2_dUWHFM9tuDmHMju|jz>!rDTT21*8Xu_< zcn3Z@@v_E;6jex`)+LIX?^vQ@Ps>HUuFryimxf`Hf3V3f&&MJ+11^np__Zue%JZ#% zl(jVs>+5l)l9AD*j{1#?r@j(wnw(?P12q=PV72@^#(rK0it&UHYtLFYv5fr-^{bc$ zC$%-UxRkt-@m|mCOGu3osurxTu7z~^$zcUFCC_H5Cz~nAL2lHUtN7BU?_!G+A1hIv^G3Zf||cu~7J+i60`q5ui(iFOYxN8v%7idtXWPA-`1P*^qafBudU6 zmU7mVnkWyszh{Tb{-B1Bx6FA0*C=UPOHqk@5`&{ivbFL1k^NNDDB$RjvlQMl60!k7 z;Ffr@*^y!?Cs&(uzElkBW?A7v~gRNrsa?(3y|9Q8ja?i5eCCpY|Dzk38k(Ak^JFnx#v4tN_F=;f6?i3;@2 z?@uDbEW0R1^M;JKV~52E8PFn{M=#n%S=!StWOq+HZr_t!QXU0LGn1C7@R(P!qhHRU z(|oil)YOrysegxF ztQH6Sc>WpDM!m2cVNeg!y4v{ccxu)1Qb9^=xmHH-#X4!HVeyFzl9q__u4`zO^}(ZJ z2J4+Tr*M8gXw&&<)=s{B)}{N#;BgYlkE*+g7M|5=-_MLqdaT~zgf*|LOlJqW^%ZBY z5apF#co=%Js-$qFe#u;=^X=a_pHvla=BC9Mf=6nJCiF z%Gil5PWjQrmwC zL7^EXl&$tC7;&>TL{A4MB{G;Ge~&AY&6naE|Go#w+1)|pe5Yvhtz|3z4WDQKPB<{x zuZ2j~p2*ngsqZD>pK2_i@l{iU+287kaz*!hH8KkvXmx8CSZ&4WqID^w4);$0oRFBY z{M^CnsW4ttEZPs8hN0w)UfT`*nyV>f2}0FFH9bNcg@MymU1gB;>!ui9hUpVZGQ{c)PL{*TtIw~XIFGQT`$4b@kU;|3JO_E zR(EdghK4oluYvwnJEwAH`ri<{(!4}&68cUayBbC)U64N)eDc50O5)$!7nXT`n`3h%J9G_`)<VAM&T0hJvbaW?SCtSw-CnKSIY<_3wS80e zm0b@W?l*CwsA{dYvhwzX6T#G_sHa9WRFB=@1&(c_q+PR1s#lTS)kpNfs&EXo>4%e_+vAF?`p&tYVz69uR`u3-KEb zLt#HIs=`9+eS+pdbF#Os%^tlt6m^xJbHqgQ-Pd+k#4s2sSClBW4wN8CYAifLMn1`e zN;m*8`_sf4q#VpEU^8Q+#;&8AgU)(RbiQ7Hgf`WAGqQj_Lyt`e(Z<6$!3C5d9Ubgz`C+jhqK2bu7F#av$gc=GZriQg&rLZ*?w3MsA-7vvYVs0T8+P0JbarJ z_3H27v104aL!jVz{6vZoJK0C4UKna3*DakqLYrkDaBSG{zn_?~*(cx@s%5 z6{yfc&l4@J7&fY*PS4V{#^xtXya$(57UXKb`YuD=z$kE5@V#BOKk10VrM&geIOON@ zOF&ACU?*6rC`G7g?Pwr`!Gp)oHT((I?0makDEXiZyBx&ylJ3Y}vala$?pX%nWf`i-0Nnm3(UG7L46ePeT<*lb@>TrZiV4$xAfW;g1g?t$H`LV?bv?ac3K3GcT(`xF^)}dxWeMv)H$)m@hfyOQk>vUe(k}Uw_9IHwFJzDS! zSKz%!M{BmV)o4oi_%>1PfYf`YfU&@Cacb1wwjx+VfhukWZph3P3$$EXh+n2X6yLob zHvN&{sGdrB=Ff}KtD>Sll*hpdnmTk%jhHGp+CpIJ*Je|Z_K$}uKzJ9uj2xLCMpO3u zTYheG9`Da3qef+yk6j?ukJ6!_k8KXD#V5ofV>t-O^j~Cm_2FxeEUeUvayaPf2JUZwWR8%$Zs0)hnVmURA9mcA@A?&QkKF{T-x+7-&x|Uvrh9;7B zC!(%dc#CE})vH$+;HNXb1Rxbm&Kup4wtSwk__y7<07ZWu0K|79G1u6CaBkUPP+*14 zZ=)UOx#?sTR^oz2-$y5uP&8elCh6Zl)FGpqZpWX5M`9pKVJGmry6$@#(BhB`AFa&Sb0bw3 zSZoR238ttg=A#HW5MiQ}DIag>#@oHTny`PWaKg%laD2x*2CC(Qj~F{TM1D8z92Tr- zt}`jamM5KB()Gpir3nEC36pUw%VnFw)RaL*h4}zUNZsgg=V~3`cLDw^77$S8xN?g` zBcsxbNe?wBy*5=%_$Wh-bZK!`Z|(I|_T4YXU-KwuL(^1(GMI&?X2u_g_3*F5RFU6Cv~n0>-~Of) zdF%{V7m_-F) z!ROk;n6TA~8+Wql3g_|mh5<}&P85!+K}XD%%zf9les-=NJ9yQ62p0~NU(hgAX3jl! ziYN70yjx4xhENP?yAmNzvAV$Z+O}iJPc+F7cx-aci^46#qT>mq1h#O^{z2!p_|OL& ztaG`QJ?|g;5bb7Z^A}Y}st@Dp{054cGyK%MCLbmyju{A{z_o#fYSLFDa#j|Wn(g<# zOP0i^me=HCKhs1*Xp-!Wu~iTj!AhdL&~1@4$g@z8i<;ZiARcBaMNJiY%4lLE8mg!F zPHGxHx%(&{geSIXqO#`00+!*DMJYgk{mXJH=#rx0tpzDxYn;S8C+16Cjzr9i;n`;c z7VQr-r2=yhz)m+8e!@OliyaH&Z7RsqveN53w&nR$2-cr(XlN)_Cexd6n@a2)usH&v zX#jNxy9Ff9ZcHYe62g9{w5udCR)RkSWid69(%m(r?gMjnmXBzOXf7Eil%@`gGN4TP z6`*U)t6Hxot?1$d9~@1EmNzz@dULs88Yxc3)GT?9T={$u6`^U1W3Y@fG$$@M1#2!f zSm%KBm*IFqI`1E?b1KFdOdQ7HKCDU;NV4^Z>U1?bDqu%AQdrBZIVQ6P7$&^2+9-&V}g1$z9! zCutPNB3luIJkC$0|8!T}^b6bkdJqt0JPQw@b_W&eVK;_XX$}rfb^RlVFH@%GDgSf< zhV5Qhr=R-G{VhW* zKgRath6eNXF0JY~bslzFh=B1Kgcvl?Iho#(CWam%EKcdNcjMIX03gZ9+mH(v7&Dn= zL|GB4FYN{eWM@s}5K@=j5^xB~&lLiTt^s8oOMWm_WR9|M6H#0DwvOxuPBOK%f1&5A z-2Z2mH`WZJn{->g{r-xXV!EHUTrXV-7tZ=Ig~YKq1cB<=qK}9n!b^A5euE$1WcM(q zD$3$rh+bk$olA#qS={lobyLv-B_r8RKD1_a*M^hVy7q-Fy|~EwoVYre0x@qckV%pSj71)Rl#{;sJZ4$Z4k8KXV$~O)Z>%H*xSp| zx`J)B26n^ZanoO}6pId!Dlf13L1wu*LS0KPDdGg(Kk`>`?rfe*e4%7>)1%Q1Iw#E0 zU-pJ7w@Fy2AAH`bN3OWid6FhhdI*W{IEXo4r8N)SZfHt)2H3QW$27Gc8iS|wjg!qD z-4g`n9gV?!;FRGK+-zD#Moc}CP%dc}>=7`p(HLAFR;t)KFDu3n>33`Cgb-pXlY=ZI zTOjEx9}=b`(RX5<3T={-<}0|d($J2#N|XElZoE>uwD3!tbNKMsWHWt;pUvMVx;stwM-r;JBsOeI1rmN4{Nm4 z!q!p9-2C9h5Y8UB2!?6jF2AH$-FMRjMP|+`aD1wBezn&}qV)B7C|3wXNOM5Ze(X`p zXao4!-yPk6DX2tfbmR2N2E|7aYP%D4(c<79#q@@ zV`=LN4k7+RgYOuinir&z5*F^(3~*2=4+7rVl+^9CB&uFf;D{5FB#V1+=Y~#sWAWU+ zI13W=C0(K->xumrcxj?5k5_lHSml4l=_xU#>S69xm~=BAov|h8#zg;`fqk9NjU5}? zGfNt<5G-I?XueZSq^N01vpYy`U!n8WJ1E&_f^D%T$bG&@)zVvSXAEH{I5s zVFX3WcJo!vg}^2BB>e##&*I{zNed*Mb+lP_z;a}f7|F!6+>XEWmGbUmhd5DJ`oJ@X zV&>>0XpPACjl@`8=lEDz>t8Z&5gI;?mBx9gu?5ZQkN(-NL)nbSn+qA~rDpyrWCPZ6 zDTYN0*tQn#(zKG6kx7ljHB)TP*6Fe}qrjWu z=mD;G6w=M;6|-Ob<)998z{!_o{w67x^*-Dosxf&f_C_5B8|D#I4XT=mdJQ;!4}(G_ z-)>txhy7o2&V4LF3AG77KcI#%IS;xx^o&{JOoJ~?*B6~UniAi^x(&uDk@pS;)kvRy zG|q;Unn0rz+JXrQJNc_ zA+%nQuPtk&dMx&c2uMHA`OSai>Ol4pB;nFtk@{Ev?_}~{m<27@#lvh*z|3(2* z1;^=H9s~fx&4@1&tZBOkwn;OB=7o1B%Q=Mp<5@B799pomDml1eqr~EOX1mIKwr~CF zvbAzqd~@V5`huaCb+b?vHI;NlG~K)|qs2593{aHpV7G`0-Z!eWSqWG2X}jtl&~W~;z3c3?}O z7XtZb%1;*Q^`UQ^G8U{)iXbdytnP!HpWit5#ED>fmP3a&)>0-#d>78z2WTB=l*cTB zJEX#?tB&tvE~@)g2(1L#cZ3fLigEHc^XT2_-EQ&?J*VyIwgnr9%^!dC zm>+E0!{{XySJ2+?@D!YM*MIsk!+9;EP=GI7VSn-EK)F(2`3|m4KmpDiIEQN8?yR`d z15^*YGGSXgin8Y2z=>^EqYwbM=Jm4vJ-oUEDM#y+R-JjXecPDE8-TP)(K~Ch^wOmZ z1<_$gOifvU9n4&MK0RB;wR&q}0}3~2el4Cbxq&EU{_ZnDI0Tw0t~=n|CWFStH5HUn zl6w<(>aRSVcp1qNMqczu=Z*cEpXhw58c31)N%x;Ph4D-1-MP3}(b`G=Y#BZGH~Zww z(nCprisizLaE}xl-ZI>2T^}sm&~$+dcHDEEvR(+_vFHjFPVL(3okm1oYO}Y*c|;AD z2b;(@l7OjLGGGT=WlMeKd%r~GC?a4bpeG!x7#<=l(4nh{*-wU0cjWr?SUKDAjZ_vT zKws}-9l98{XHlxGcoFAANYs4rw>J12+tDtbSOmAoSq&<5L(UPp`Qaig{$4Yls>yP2 zn*7AdAOMvT4jp;WO@0;9YuW`?1a7^L$#OILl0*FN0B)l6dw7ekSgZ?{#P#Um&Pq5+ z?Vq4!LkYuPnPzo#SysaO!^LOaLma}qrT$B}B>pgZ$JZTErbD*FamaA)i%h)oKODnoL4*r_zH3cB6}~ z!jE@j9Lz-L0T0I9J*n9)k1Adozp9^y1|jRlOMy^Nv9CxbrkOVv#9`x%PBMrK&2u2R z?Iv+1>UIE`yIA?sh*rE^Gz-%i`N(Zs75^&brSnlEg>52!MeLJuRcf^8IYaI}&ML&q zr1Z?uE~OHWsb|9HrnXdRb=b!y*|JYNOr;ay9**g$OJ45%%tKT{6^Lx4$($#HW=0K+ z&KaGCSOio3JhxZprFGARpVwjbM$)q@4hS*mZPoQZVfc$;fPh#l47{kv%taVh6ll{f z=?|WlBquMTG>K}bd|9#G<$IxoE^mrt!wFFK9$v%m78g|XT_lCJ|CCMfjy)z~U-NJffpx@KwCEhBPCPm;doLe!O zzxdv#R@tN2)baP&X#lHLO6~EJBy8-1p)M@h^f06?8Fds_Z6V{fH5VM39Z%dyF^HS} zyJkUEqPhTNF~`HH?8`tepZ3wydYhM}DUC+`Ofs~$G3$UgV^bs*lIbb9}DZ38d_ z)uW6IBF;2?X~rZ$#Wvzc7V4jW=F_|B18-Q4R5x~!dC`5DlrE&6&xwZ<@-hsiKv_IZq(GZLEz$4~lgH?4+K5H7&GQ1k5n0&|U`5)wOo(lHDQOAc#3P`)w z?cyU+q$p!VfMfYTbc=B=W-OZH+p42zhB`}~B#BrMo>(^bb;R3YAq1t-8^LKt`EZKk<}k$Xo^KvCpO z2g8W-7=OvA7hqQz;N%bbLq{1_z30qGq-VnEJg0zOzwC`;1=Up!qm6z7QO42K1p%*I zxI~h}%kv{JF8?al^`~S>*3Q;1>=c-{u)pSi6Y;^&?wu6MS7y8!Jz)1fTiHfRN1b)P z5_Q52g35sktik81g}{!*2{%Z|j|7P~j|;$Oef#txOFXeQ6K78Z*!&sa7bwUBY=fkX=;)+R?l|UKemX(} z0~hFBglpq}-Ei2!ccl7!NSO`sGvykO(in~Xs|ApxdgIg{vDoJ%f*TmM!7%X}jKczt zlFJ*GIdHK4W8bOaAy1Q13tIWfEw zSja##OH}~j@dgmjT)MgOOYR_T#J;zJVcEn~jV=%{tR8 zA6yY5r28lR<4x$Rtv>`_fF1yIv&O1-D?FDMjLVTq9BE_|3{+dGNo9|9nQsx65vxsKyfhtmN7>wcn!hbw!!3Kc7=oRvV5xfWa z++|=hXc}?%3j=^->?!raw^X4rIp=an=`|fQfA(auF*=Coe~EOHhoV22zAiHRZmQAe zwV8tY3$L-BrX&9<-CC_r;}rw~uHtakX(d-C3;=B82pYY;h$+G(UlOGFjGQ1Wm#fzw z3AGA_O!+mRN+}3(?zr9NBIR&1cnCEX-DbbRcNyAqWs&PX63V{7c#@$8Q52!;Qs1-- z8ET|}5Z~F;k-BD3;^m)%JeYd-1k7nnM1N{R1~HFwZha64O0>y$uIWf2Qi--gHR zUl^mmp-pOClzHyuwzSzcXI_J7myluXTC z{~uD^OdS6$#m)3T(|GLvD~-qctH}Ki8jq3f|0c!F@k`|W_YybjFGTl0yLkV5iCcf6{0`IJgx- ztPKCtuj_vhf-LO+%?$h{1Q|G({?FZTMmBcl|Br;=Z#P^+XDgBJ`dSX$-5uik8Y!zd zaCj@Y1I*nW2?A>~d-vK7Fi3lL;w78Y`Iz%%`d`~a!N*#~c6m#=+ERHJ`V+V+tQn&- zICFesa2GW*H}qeC-$1wd@p1mOLCIxr&1fZDy-SiaYZGXv@utM$BGNR0vU+WBS78~o z1VAn@6SzcB000~u05?BBKN71zf8X2$rj6whRPKV(N}joi$$Q!%J!(M43V(vTG}AT>G>Gt1i-0DauWa(fp`3aH&VHs zS+fCw03r;?T1UVsAR62>z=l5!fB?9+^R0eaTWzOvL>qt%AYCj0!Rr>xAtVUr_itMq zM{wHB06p!+9AFjH;LOJA=Di!d8V;bAcXoN|vj$-M2o263{P6Vhw%YI|wkxTOtF^Tq zAiFQNI>5cAJaPUfd|_#P@riziZr2@S*Wj+&@*2S9gSx1v&OOt8aS6rd2FL-_v;F&M z;`i`1cn8ONrdQX8AGxy&*bi>lU+C5CdwoO(z%0Sk;_2gN0`#=sr>=Y4PV_y2zNMdw zV`H23{I$71tDgQb2I%SvG^5c-T;kmD1yiK9jCa>}82|;)9~N6%*}PXD7#!xaM@IIl zw^{Ee`>x0OBH$bG$=~6d`x74B=sEQU)yV9`Z14LI#w8K#Ge|~7kZzzF0JQSP%hZQ< zwW&RvQ#0sB@OISa%Xc?+UELRUu_Y+j`s$A=?6toDf%k*|%wCtBzj-fJRXzP|<$>cRvf$Sb@&mlWLbPupvhl+I=!^6tRo^Z>lU@vf;ifAq~r!oT2)ho6C~ z9g)i)E$WPRuHat?&W6Uu<}%>r$N&4giRqIai_$wc_)XupaL>xh{(IZ&hw>E~teum) zNB#50@;2v_;fY&xQ*C3 zfIwAc7ayS{7Z-o=4SpsTj#*d8jRx__bnG|@T8qe=G^bC(U+Q7-tr+hW>f?0!BJ48o zJUIJqUkuYiKH-``@q+i^4{<6T*;M9lD?Xc87F)2Y7$s=dd3cEsk z7!w?Zn`>a*3bjYnv{+(&A4N^d+FmubgLY4H?})JTRW)rqHRW{q+Agy|9qMVC-X zw^U|mr6c)u@$eNr~Y$18yh%OY{{yAkLoxM@AoRI{ZvYPq$ zV-6tlVp|B-RCl561Nz7gWpl?TD_Cf?y@T~7q2~FTgGKcEH3=-!ID z?J?nu@C*{S3FR5>ij|WHbiQVN{HYdbY#&;2ar*pi7(4}-VYwQTM$@^;Vy{C~O0Y{a zCatKN&8BdXM$1@Jy(s{ zhs==IVX>y>Jh>DgmkH`adv~5Yk&#K2rl5(w=4&5*Mbg{O-CG*RL62g-T$N*4k+k!S zVLL`7mm;-8oxCDy7+pWWt_#0{QfWvc_9O+;_W{hB>CVp@{Y67NYg3g-Hg-9!`q_Am~QrD~#NzQ3)THxD!UDQ^s zF%c4)gm9{Rw5X`P*sV9dor8}&oHNk?)e~9rSa$s2axiKJ;dBFcJu4cq-+k<*{}mAc z&ht#|+flmjtI2GN+YO7^Q$*$j$28!yR+I@TfJV*jFPvq#7S_h)DXD3`PP&os+O=bM zGbxT#Jzkf6d`1`q56(jG>@_nARofXHLgHDb6conltv)qRFZkQ@*AE_*QL8Yj(` zi(SrJ{|$yw+BH3>3`B@H0KRFd;Rfk9Wwm+@l1Q_Fm&pJ=t-2tXC((h^u+6`?QO4s; z(UNrWQ0ai8EPBa|ylbiE9-BfdUewmF+{#?-Lv+Xjre0+6R#u2?X?TbhPQ|#Aa08;_ zn$_I@+c+b3C!*(wU4q3EsFI1P&SOlBwK^tvX4^S?)bF;_*UDj4;GGwC1TF!>+{QsE z(0drPN4X#Qi(=v=9XhOJ@Akyco<^@{53hlIvwg_4f!%mKHc38fLQmh4o?DUMZ%av! zap>&FWxTiGuy5Tk{aX{}w@In1`28l%KDZ1U1i+ccnawki5gpn-ZSa^Yw6q1J%^+}C|>b2BCqB4^+k*GUWwihylx$-qY)Hks_oUZ!dL-m zF2qr#xxdC4|23bOKjF_`V2v=lezOzZg1WYX`wJd66(nzB%D3M)4vwLjTm!eF*Q%C- zbf=NW2m5En|M^|{`>9HjnvKbjgr_a%H|gCtHYz7R!e&|f_()@9iqC`_k(n!7A} zVI8`fd4f_M0vkS$h28jJteD)w=)eQn4$a(7f()wc`Wc3a@N$te%s7wvFP`;+@p(u$ zz?(#dw8YJ#$jx5a>GDwy726e9SR&(fb>M?|^^;IT;ovvdz~5Z*aO0jmq16RU17eYQ z>uaVF1X>78FiZ7R0C~iZzZ%^$uJ%@{DdlAP55U+_BpdVYHIH#t)v`KxjvwS;aP>V5 zCCIFi_e>zKH+Rml9r769!=P4#rXe4xlV})|*?9=EE>q%3BTvw}`tt!Y&8G;dW!oY+ z1WDV-@|TXQeQ(SM8RFyv;X=9{Ww0{M8)w<%Sss8V6l8`Qnug~1Ueh0FF}Tkx$SCDh zp-$weycC&zF^e{m96It&p=(%E@o`X17on<-OD;y813mB6$7bu;FbuQqHYzaW3S2AU zu_`tlI=4hjvgvIfpVe1#%H0c}R>E&=ty9x0cuLqFl##(Jor>iCAH|x%wO} zd&_M-9U9)MnlelE%I-r8<{=@*#9Yu#FZcAFABy=0(2-j&n->HoV>RMetc}E`KM4mn z5~%9wj$@ahLNdH+7R<4R^lE!p;1CkHx6OC|nri&(I6TNybVrTvk>0$=W{b1ylCQKX zf$NrU*?7)+Pib^?@e?tH;a7FmHJDpj8Owm*7k}^8>gCpsYh)HzKN&iM47LV+1?)@_ z?wP^Cgdu%+C9134_9KZru0w+r?-0Z$=Ny_hKO^@+VSHI7P{>ng7 z1GkD`Q>6QW0^--U@lji2v;-c6qb*ZWJ;pd_B(KYktqqwp#=m#@zET6enSt#$0M{WI zO)PE%ti$G2+01FFxr@f3h|Nc?FrGJ^N-J%S&qQ_A9STNaUIctWsNIcIk9%ow{A8M< z4qC^yd~A6gKHK|d&iP6QbY6tpcOfD$B99?KuI=FtAgimtrBv$x4a%xv*iO6_pMaFzD z*^+utcaW6natKN=sMgzC*8+J^IYecC;UUx749G?QQ`$^)NtZq{nP( z`C5F2-}#IU1lxCHBDey!nTz)N`ku0T^lPi3s${kNRhKKTbCiypVC=4t0`N*-D1H#4 zd@U6ZSZuvp$|-9udAI&VrYMizt*J0aCvC(Xc1!#A6Z5fE6MT}kY)?K0dngmPd)F9! z5$emyUj7Zun0Ok<;w?Z znhy1Cr&lr9wCXa}z85vA7HGwyaRMO7@k9b{Y^ZsR1TM|L^R7 zN;3aVLk0FH3b3}VGwveJoikX0!=44`v2>Y(THfX%A7+h3g1m6F7z~}i4Os90)!CQ8 z)wF$&KV&G8CQ*i)G*R7oqCvAtgC-e5qvl(;L6cdiq(K8h6e7<2s?&(f>y0b7myrzSYvEu0E+)1~#I(%7m!zQsjN}_Q%bW#sa zMS0>!_M3D9t~+*eth_XFul;k0>8-rbAkWHQ93$$a{8oSh+dv%%?B$NQ$p0`WPjc^#qj5^dNSmVL|EfyIzBj|Y) zP9??u%)76lL-?6$*2(tqh7Y6W)}Nol{^&4zc&*o~z*|=S%C>b1C+wD&hKu;qb3OYM zBt-Y_$c%5Ld)h5(yp&P?dyUY3wTs{BHT^%W|H(9MZVK6wAvxAyqQ3wa7;kdmYXTu| zmFBW#jIq&ny+v0=PMz&H{gHk&??hUa%#@mM@wVyhspmCY4+NF2q`W&nc<+5~Q>x!U z;iF-(_Ev#NlK))CP!Z|6WQ8xU;_o#)ob)n&<@PJ{R|>3tCa_UN>A6q@tJz0u%L#+) z3PZGZTiSEAfx`D|OG82yb-Z!)cva5!T`Di-PjUIN&x_oCUG8Unl1SIokTr68y>)xf zZFy_+{pHgWy&iXxyAwkSR);+5T%~8~yeH#<;yFjZ`#)CYH>FLUj1y9y7k>u-&Pk=T z(1TgOPc_>m;I@pL>8&3B*UOU+-pGvYT3xX;PPoUicA6W(91ch@jG z+{9Y!kiAv!(4;JWrpcdoH|k$JpVDn2cm;tBdE%cP8r1 zR!*wa*qNM(yJ{R2AHY&K3aEc`E10QRms20^QA>RG$U2}&M5!cFgQR-!uz__Q%Xdy# z!}F1~4Dzj*ywR0PLUps7B*F~(O~W_lPCv9w{8{X%|MTAm4N7v=?JP^5uV2+L7Ng0O zN*x>>CGMgWUx{5qFvxrx|1N3AuWgsMFPPFiO>pkCs>2Cqe-c!W`#;V2RAOeb&NKCN zL1nGlFDd=g2fLM~e~xueAKhZMy^#YM0@WE}9&xv1+3*6MYKJSlmJs-3{ z@8sSUwnEO=b}dU&n!A5Rr|8+;VfoDprsC3KYFV_e%x(SyPZMN5ZVs!A)XHhl8Oi^6 zsCM7hl^ufX9CO8POb?rD^ctT&tuS@Q^Nh>8@NZV68+>^d8#Xk@cdFl;h`M^^+(kc{ z(qb2O=c^tqdRkFilOyG-nXD$}F3?iu7Cf&dLhwc6N+X$1gEiN)e|co=?pvQcO8gPr zrKA#9x?|I?wtp@@Bo61FOl|j?lzmwCaiEo$*`|&2t3s>BX5OrrMHp6U&a-%~d|E&H z<|OauYHGjjZjMyAE$x3=D5Br^$~}5#*^)A0XN7=!$1H{=+)D>mUawnV@HSC`;y}?! zX`3_PTs`_@)eAMoI|m=>6Bd>9w09PhhH*_VTgC4<={2sZ{Kqtc4Z_?VrZ z`zeu+zG~&ahOdQQ8=|_+a>%v_Eu2I>UaFXX;H~3COA-cCB_WkJ!n-Rh$+OVkf zjO&8>;xkR1La&=oZ(H{9jBkGa+bBP&0E38xQ*_^=tmWrtNzmWCJa|3mz2(Rh1I4gq z3+%oXB>E>8#}f56{cu|7Be=)^kOo)wwt?Vfm}fIoVe2dc+ z=i}}qlFX+V6*W8{JwksF1p}HLE<^M%Ee55S&G^upF&g5VZ|OW= z9$R~4s*_w}H||$@qe4A+f&3)B#Mr}`^myAd z55KDyWaryS`L=&L{%wkg{zktl)w-K_U*#A3~oKbOo~cAybDurPCUdJt1mp{!qU zPU19K#8AJ;`?1;qziBTY6dj7LeY>gs_3_TGn5DjMHxw$wRV0l+1lV0Y`z&Gb;Qmpq z{sxI@eG3j8taa))&+c^lNqwx!H16NnWHBS|{eaZxGJ|Kb?+EAi&mnE?PpwUU@=(S6 zrFZ7TExQCmD(;&rFP@~;AH?b`HBFoz^4o{EFY)wX5Sngd8z2LwuPOYS2oGnYX;_>#v8x25E@FS z)Ssj~mfRj{7#m^^2N-9rEc`Ze$<(^=41ugGdB$EdJ*Ml6y)Z5gjj8?^CSuYf^LIq7}{?t#>s6+RD znpgMNE72NV31_3MPo?jee=P2DjqsZ~d)a*3aFHE#$?t2M8`P!qH)n@sZFs7?Wc$3y z4bx7SuMi{)b}o5fUEXmZ>{>6|z~sH{y_>U;OB)1y6zFxlC>v`tHHhw^0AWWsm( z2HpKvf(klil!)CzQ$Mj^X9nTJtEK6B^F>ptm{T1JX4qw>WfVIEow-#!+d$=(4IysF zplAAl+*57Ug7}-+pJocpGujy?W0QCAQaeRmA#Q4=&cN)iRI6smTMLtmvc6}}xX`Mr z8ky?VsCkqW)tH%)wxd;jk<-sS<%RNQq334xM6!jw>TT`|3hp_O<20x2h-Bgkze=Y4 z;@=BXY@UbNU71tg>SVaseX+?uvC%rB0Y)>-U6oxT{4$iLG<|sA@j1w3wd132Cw=z$ z?3!LKSH5O`QGA-D>Y%usXUp-Uvdm!c|K?5E^=493XG@SwpO+r3DeIj=%-q7p`V+k; zubnAvrxz?`D9>ECxAtEo0zm~r*skLAxYdsdVwn%6J_0`jdl4e>Ug8p1J+d zaQM_XR@=-QWoGxz$SOpRcA5?Cz4uU4A!GZNlSb)R9bfo2^^YcXR6JQj>Z#Z#HasQB z9zW^k(?f+#Qi2Z;pL^Vy5)vF^u{2Bcw#l^}R%-=bOR1TzUh_?Sbfm(YaCIHcNr|0j z{p029N})B*z5-uIJH;QVDeT@K;IS$4d8yPYwO!=TChs&4El=%GJ3ecrrhUNO8mEr4 zWxA4PyC3w$><()Qi*=Ukc{pr?zuWF53znKNeivvF_9Mr`0`Qw`;6b%gPXAF;b#tKlDtTy~}*71j~H%;^wi8 z_}94#OAhy_Zi)V#6jHEL&D`&y%FX3#MMs?yy8OM$YBc!?_Yc_8n5_rgKx&VzQ#zo<_Qv@3aeV4PVq_|9mM2#}Z!@IXcgQ7N z{7xCnyi{Cex8us)bW*&@5!r9Qh0=DvJNm7_@PPKpF6*`&$J-~W^97oct0Tlp^fkh6 zEs`AZpPSb;WviMEnY5hY5*~N+X!QE<(~+?nmHMxQYkU_i-4E`0KELGQI}ny2bm_w0 z*e1p36y1)nZylFRi>7BWG>Rv=rrz$GzB&7mvqZB=U$e)C(3O=Yf~15yXUct!WLyXu znCcv!zUZb#hn)`fWK^hkE^B_J^j3+`Z1-tS^38MKY|e1FxSLVxD!W=^Q+<|Ix4zef zAH6Ku9apYgSG;@0;hBbwzRTyDsU{y(8ES9j#m_Gkn0M*))v6EuHx(;$+y-Jz9(qkP zlkR*nI9Xuh=As~FwX6lDg5LP`H7zP)4P#$c$6ZL06K?qxKIgW$R@`NcA)lA`)@elD z40d~oqi@hU=VEVqx5Gj(bELA1lo)UHb(@UCf{@;(khhG_M`kIAThH5i?6R%9!_gae zF22>8bk^=2W0TQxY5Q9{M$V`Q8~teC`TJJZ&UQ0pg?jO}XS<7Xt`z?ISk^1?c|q+7 zzgUG{yTrrV|McZntaLXwQ4)3vIa-odmNTOJWBV0KM~&ce3v zL+ie@D;gMId{QLX+q!$kjCoO_1L9})Sg3wk^K{zUnaVokx0c&-S!{ty_xq;`Hy9-D zN>Et*(LtYNwkccxYrlc!!Z~kmcyxbe9IF#~YpCpM2mb#8<`=?o4^7Ay4cC5YEU7$d z9FwF^Z0R-=@KNfLOuVYAJ&=}RO*4yE6cFCk^Y*vjyd`VaDh#$Unrt(d)UGdnm;X!q z{hdc!O5C?=eJQM3G3((u>Q1Y;tzL7)`^2N>-ro^kq4s&`(a8&T+ft8apQOfje|b@M zl>RzJSm{7Hv93#K-)y<8#48OWlbMo7uQlh7de0z=pS$i*u-&uob$w?=%NFy#C6(VV zXMXV8Dq(!4NxR!ZQ+`RZ<64rwrToZLLPzA}NqMAzKJz?D3t#U`wK+)&%I|)ZNe6()g65sm{=vYqQc2*&q|A<-%Nyhz^qL(~;3XB!;Pi)>MN z*h#Q`` zO*6t5Mtzy-arm}};`Mf6A-@!d?=r*=TFQm!TG8EYC4$N)PT9}kXW%!nb|>@zkP4$GYzGxmfnm-^UD3SURu92>FKhKsE%B0*HTdQ zbHT!|N=i~yvw!Q}s;OlK+}$Gj;OOH=43X4NSF)9J;zXV>3*X%JxP4;Aehq1ATfOR( z#*9bwrJgdgtUTE}H_Xz?vpx6GC)p(`vUBaMC7A-lWoNps_#D&k_I!MyAZzT}2XD8@ z+75yiv-DUkWwTv7$==Um;&rx1jksC7G#+^!wN<~>_=&81mFBn3pr4)M3+-aco{Ze? zR#G9{yKtk+*4|z$vSqm5I?y}Ob=g5_hnQI_j+GyGQv5Yo(6DXhbUm&0g|nwCUKTl+ zP&}(-^agw8$dSmG$-di;>?zvv#Q(7WGRvmU>9cOXl^CmNy>P_(wXE)}zQ7F^R|NVd zzWY>f(jvL;`J+cKE!VA!tw=pG-?}4yr$cI|>f7$hz|GcPA>VX1N!_0rdhy84x8^>% z50BcvbDA8qST?Y~J?7iclT!snadqCcgvE*Tn)H4juPxMRl<^S>4qI%d7}|YGcX;Kz z?VkCcX+|?7hM(Qov6`x^)4pw+s%^04-Z8i1N+iLax@&L4`xDRp8f7}Y4Rp`FlQDYt zj^Xx%E#LP&iv2+h%~5R9cj&ocb}amze$1(pf;)y1Om=8Z5hSnk*jSc@s|a#8c9>dl zJvdH}nIV3TzU_`HG)^ zV$PR2x4$|yHuk?Ata9A!R`}ZAW6Hw=UB$WV*q1{UwToNm>4!zd-h8_?Tr^_6(fo|a ziA%|ar`lxBlux}gX**l!i@~{1B@Y&!-M;#Mk>vBxZ^rL^<`n;98=P0Kv`OyB;ms}S zM+~YninUA{+Y=&(W^eDioTIv5^u7G2>dTtzTXRecPMoe2Ugw&Tt+zH@<0M?#g-VjjIhJ;yWbgyBoSmwhoCJ zw%lkiiK&ym=a1X6es0MR`2?4nXGY(#y^by$7Q6UG{aeoz|7@zJ|2)5^vBN5d7JQg- zuBK$o=50e?rBj^^HmWYZc1YaLrnF|)HSz3uLJspUYbTC01bb3FN)pqaRI6wV$$B;h zJi1eSp|^P&RWRb$xrF77_)*Etsn63lCRHouoM>Bra~M|}rj{SRw|ApFey#PBeTIVx zUYX=${og+fFWTseCy8_fYU6`%91=OW+rZHLXLpp_4fiirB4dl>L`#R~-%~kPaCy(d zvysJbXf@etVk2MVjhWVWGg7w9p{)pIEe-Tmy6*VEcCf|CB~DGwL|^hk;{vG@2{%IO z{KAh#_8b#l`9|7YW^CQ%p9Q9CHycI9Dy3Kg9x^OtKGjW@mjI#Hgw?jL|e)d}l2M=$Rw36#csO`NOu~A`)$cc{A zgzQyWW62L5`&%5&O%A)x9;@Hc#9FcczLt7H5TkF-CkvZ`+RpS0 z6+bLRQ%cuRU7YG$*yPmdAylKIlQJuGgN)kZp~lRC1M zww*c1S`hbHX~*0pQ=eXxeN#R#V$``Q_u`9S&kt@^B1Dt8*L7ZD({yt0om#nE!Lp?h^KCIEw-*iSZ#2<6MSVv6fc>~`KO*&xH7wM4%s@cyV+$|rv;mL-(A}&y!KbX!0RWkO%9AH#w44H%nn=CUf%xn z9^37S%_GO#M^Zd0epY`Cy6+{&zF8{c^yJyF$ytl5D`PCndql4d2^XBK6s$bB=s>z| zz(;zh#|Vu?Eo{g=s-mJWjc~1g%`%CViw<5h90*-$e^cjxexHpfyUX0_R7L2Er9V9O zhh-*_quR92o-Z>ovpi)cCZlQIeK^Z@l7bgO;mNLq-y}0*!3Uq7rimLKFUMyI2Bqd0 z$wqEH)64RhRjgAMJ6&^0zRjVp3&dvEs(UU7TPtmzNzNAZeOXOkyu;>}WSG(!znu$X zT2yxAY9s$F1fpBlBd%r)$rckGM1U%cf> zC26$~sT^F(5%1o_o2EIf5meglDi@2i*V2yb6Dll=E9w-T& ze&P`(Z!$@FQ_sM=u}k5yivP%}yQt@0W7+HAa_zLMwGU>kKbm~{hO=9#Q|`4ql|aKv zJL%5oH`McX%N-YO%Va!`UqW2up;`6Ye!WlgTjo%z?2nQy^XKVQe}Cfd9P&(C;d^Sx zrR%9~3-4GP3S4U1`*gzx54Gm%O+Wpw#-6p#tr__8=IxBz-;Af2md|oZlWEHWigkC& z+J$~ss!5+b*iF)f#R*%x_cO)K#|WbKmu8nYZza77Zhu;pw6V4^)fS#ot;i?wTlNksijw-Q<8(gS8-09`*RCzIQ(#8Ia^bU!h6fc~gm&lIh^zb0v`H&D)WEEt zKjLSI)2_H~a9KU)hhyU$d*kWVNy%T+PiPY)ge{*HYVDnVJk=<_@EBdYq?bJ0_faLn zSyFw3`PTc%wbk`MFPYUhD2py;^;I~?e?CYT6*$W-J-y@V+^D|o0~!CA?6g9t2|o+V^wDN#m_m_pZ6`_O(5Cih5bdvtRS<0Y>y4s^q-MCWj9kyeup1#<+8u;)5c%wDQSgc7k3^%_aHkeMV~HAX_Am&x7~7h z^ibYPW94Y#Ew}0M+MS~jcUbc*l#UJ_AKX2-@wrOU$%6hTbOkSuGu7p>N2bJ%IZ~Q8 zi2ZEa9CciOw#G8OqGeOMRrZ|}Nt&8Am0+arOZ(@5gJ$}1<-(U1ANsdhOT0AJnqzmh zKIy!?zzmm#$6cR4E1G)d$AcBujlbppiZ|L*=-@D*C?)k`p0`?~%&2Jo!-p?w6WNj7 zdp~bUycxW9e%tb*Ej}qizkUlSuC1EFYM7z04u8t+n)&%XX)_11(^`+sdP?o`+!1jx z=Evdo($#5qx&n^dzDt*o%n5F-vbpN5Z*n=$JKoH#?AgOdYd%X(k`38We1A%gSQ}}< zt33-w%$0w-=YLkebKoE41&cO4JMqFQWodA+{SVK_m1ku8qZQfmdj}fx?o>SU?^*Q5 z`+nA2mEr@w4h`KO&)uIE|7Pc)*7`m9+T{waPD4rWcaKuyUarx<8!%8V=yyBf`8Rqq z{f_r!^}|b)mc+_VU7PJTQWdAFW@KqkwrALRcv*>6mNy?RyMFwPsr1miuaZv%owFa` z)_UtNFFm9i@mpl`71q@W-WyPfd^f`X>%D=2xtWfR-UROri~=0I{_V{H6Q@d|6TrQ4 zA_2!lyg8tOd*-?hzN=lJi~2Yk^ym1S10s`*d~={m1aA$j0$jXpanM_Z@mB{F@KWK= zs{=#4EqF=bhV+ed@!W?Byk`S=pFnR% z7q-9qHXj_Bjt7qooLqbYaAYRuVFC9E!bI;99Q?tf26ul?9EF1CJdNN!Z{R*y;Jhvf zbzyU45wM+w4{&3Cx9lP8B%E)-@N$E4x|eVl<{oLFoZ zjx6A36@N^?bpoaPf@c~WwFcsY@Z0gh_z-+3yd3w{3GWRGN3IV3PVVjj?q1F=I3k5U z{*>d-`wj5OgENxz6a`1567ig8C-y>`nm899XO^Rf5Ro$R(;i^efsO$ozAiXCWF5eq zbsYR%AdAA`*REf0Y^uw3I8&C-8ddJ=9`GsTDr|S(02Uh<420Se*r7YyKLGLu9GL>1 zbO7bUe-KIF0na*j=Kwc%|ZnIjnvgT=IadXxTIP+08({W zUd|lX;3t&=1snvaBm|{^|8Yv`{{y8H$FILpYQEaSdYu`XQf>%C36?@eQ%eD&{3BQ> zD2=$xTuYX>8H>3_)zrn=eFE7+*#9D1 zU=!oSQvQ=z5&@F`|Bcvnx;A<`<`WS6FXH8D_>bNGyD@O>=5J<8hM4-l5&X9&bZA?^ zI2nRi=*ir;bh(Q78?hAVb=Lol*#FAED1zbK{uguLCzxyJe{Mh>9b@`Na}PqQT)D2NhiqrzAQ@%p?wRh((#$aD-SC1dNGQN@8-5 zli^HZi6awXi^q{kumt!Q;TXeT?1lu&IgX(aVG{$&fz=Lv!kPdqz`_APVR|i**ddW3 zv6}}5c!39-z%b#sf`gU8iP|`xWpYfG!k3>J2!C`B0M#6W>+#w+j_k&z!NX#~b_v2U zIQai$dKfTH5(g7EAOK8U*Wk((i3t{}5Z=rsH~%MWKbQA4bb%bRx7gE+;TrF6n>J z!k;41ay%PCOXD&+AzCgc9JCzL`Ore2qR@`3jP@6mah#2-GA`+SXt64zjjN3M7nO0M z7Y{93W$>p+YN^~zs*R>TLEyF13FMgv}3yXU$9@cR|~DGJlL zlE_FUk*WMLAaP{?Bu^kDK7o)So{@`l(jp`fxSsjr)V$?jfpE+C zKdOWQC`{w3 zBi>(7${?cS4-7yu!KoP_GXRYf{@Bish+lOuG5o57K1AXiR~*XIIQU`tVn~CQLt^=( zCj?#NzQNHGB0g~GgyqSllP6Cyzc;|ai?^DYgE!O`QPN{Msagd%umhBFOqc_lk`ZVG zsS%ZNBu+Zz0!R=5ws|gq3;|$y;gp=*9DG49WEnJ#Nal{>0wEX-u?ISL_jV6JEz6q> z#vzLjNEB#tc{l+zL@v2J5TJ*%RUaoujiQX>)V(+*Ur^#A<1z|IPP3XbR<~QJZykc5*hX^9)t=YoEjJ#JSR?bhme2>Nt}9$2Z2P$tu8qv zkiaZ5r~bqe3Kkt7g){(uA43pIf^^LZ2E4gIfMibi;zGa>BBu)A0>B6&r-J2AR^wXa9}s6Al4EFLj7pJHpcF)ym@Oz5acT{OXrYCmq{NHO2--PufKxT1 zW^sI(m(fwPAYpLI)PLa^S{2ZWlrIzskQ`5xp;1dg!sWzQ3^qs@yvhbO3laurJAs-7 z#~9Lh-&F|Uw9&<<1qKH_ZGP_y7zN8;5Es96xloXz#Watzaoq>+N*c%qU4wG^adPBcdm zNafHzkxHnrwm5wN%q*C8Y+wMv8J6yNB7r+@md9K$gm$uTq!spE<24+O_F zm@V2wfd+g8Rd3vmDsm<88BiseQwpParorOi6;r6yAaRT*Dt?}6usAq9;(z5CrWQ>J z1<5nqeEq9k(_ry(8f+NaA>$p-k4OTc*u|^aP;7xD0)4$7r?NrLf{J7&FJJS2M2AFA z=7j&haEysv&^&~e;T->0j_Hs}$P=a$IuuXH6Q&b7q!KcG76lb-NZJ8eWKO2Rd;~;D zo-i{oV2(MP>VM@JrWLswG!Mz~gk=*yfee`A3DXG!=6J$%!hkvEq!Scd49IB6q=|IQ zP=h$;v`$d7m@voK@)jXXm{ugm&^#o^kOlo!$4r=GPX7c$1*Bt6^XOmY4$ntZfyx=M z&+w?=oE(rjff-cLoESpp9{-TJ@sP~jW|29CEdTO+-GvD^C$Jl$R^uMAkU7m<9GSDh z1wT0+M&=$mkvS2Ke>Heh#o1Bt8w#cpKy>A~JaU5>nH#ytoOUxzgE zoP7&tyeZ4s1#jc;!W#@DS>xd7;^nWdjyDVR_TNYVzgXcNG&M=^FKkUs3jB+nrl!57 zrV!rT*TqL0-tFQzdky|3864udT;cHAfdOvd4v3Pek+m|oLIU^Hl}udN;Jy&c9|y=_ z;|v4con63(oS{m}oKfJXRiL8>*i?hxbfK?5WwDjkI9R*b;kLU6xZ%J>As05=#TDlZ zF5dt#DB~^IEayNc7q*hGvnv>;3Mzeq8j+%mH*pEs&SE?JD}lREFeb1~*8^Xtic`{C z0S-aw1SaSTf%=okR3%Up2?Rwj4oK<0hFG&5e0^PvvH6 zK*8YF4FX1_Goh%)4+HoJP^X_C2Jit+Ffe!@i5Lg^OHe199|n%enUMSN!vH?GBuByE z^JN5#1ndY!3&01yvlfGo3|0S#xquRkOaVTqzr{Ze;G;u%gdYazqd|kkK$Gh9h7k1{G>t@WTK;D%M_zG^ozt9|zW;K^X}F1Gl}P zCN4h=!Uxq?{4g*V7!ei*Wje$-kOQF;JboC!hm|t{7y_0)2DGo^pGyF_6uLFR4}FGco=_W-!ol2KeB;FnTVOSJ5!2XM=!Iz%>>W4B#U|br)hB0k{HM_5g;l z7l02s)Zm{B@DZRRLw*>602w|O2A$C&#!)B~s0F|eBQmHMpN8;3eO&%=00#b{U{oRy z77_;VF`ya@Jr`rU03Wn(LyV)+7*JD&9|rKzp*|cx4A4S`PI1vNj2}@!a+v@hbT0)p zmx5jwtUB=o8WSDEhzzhjK*=7!=;-_g zPDW_hJVPgA^C}(g^&)8j;zQXLfk20MsK{}Uv!eL`?uMDmU}9~Y38aOd%Y?hM$TgVo zz6b@QLR(@K44XedS%R%|m`sdcf>H&OkHGydOpE~G6dhkcsY1oX7b1ZU9i$-W1K(8- z)$T|bk${eWfD&NRm~mu`e-J?`!{Vc1;y8#9&`mVtx}Z;v@i$PGV01~RU~Ce6#S$jo z6G_1Ik!t|^gAY3S*9CUU#MmS#r7(FAWDiWPAc8YrG<`(SG)2cC;xuD|5*e(e&EaW)A8y#wJBjy4X zVPY}p31Z?9xE+D6MM2tPKs##`J_@wUM#6{`Obra~VPfh@aNz=K2q5P|1t1zmXJX<3 zi3+Bn$1$+EkxZmu_$32F#m=Q;Y?n-gFQ6jm1E=s%3k?YaB_^5=aGMo61VoMlR|~M? zn3#A)25A8^7q}prW-=K#KY9&NRHN(})WsC&?f{Y&DidQvWHKG&Gh|>cSbQXmUxNM> zbZH5>1`X~f@xy>kf(jZv4!8%}uE=0xfyD=kAM{*clGwQnOsz}?ZiJo7#OR0u_G)O^ zQwR*G^TW>vfy@N02^0)i8YTx&CfMszK=4G{5P+fM29Ones~NE_h)kHc0brQDDc}O* zZxo0aG|dzm)R9E40nnlC6!b(Uz=xrk0JacV`Y3Sc47mmc1akDc6e`9JK$Q)h(IDr7 zq7^e2s2mHUpzCo!A01Omfv|?|gAhPPgV81ELt*w6AeCYA7L~xnz$gp`CZAJ@WK1nU z1+f!tr&N$c(Yyf|#_qum0-XZ@AE3xY$q&FVIfY7r4?_`hhPDQnxggwQVW8^5tiiy@tW9I^!#K?dG3S;CNz(1H+e(7Y4?E*<*YG7bNm>f?9y&KdT1hD5s`z3&Z zo+OeM2!`=Nu)oB_5-J@uZ_sn;@I3^i?CB(oet{=o>H`qQG4&OwfU*2CnHb-qffdod z1z?zX0QR+*JWT_eY;@cJFpSP=z{Jrq1ywPow+Xd<&~*gV%0S0S8i-*Snt_{RXraI_ zW)L!k(jaCW9c(~Q`T%Btksl2NA`C5b8kRRY9kY+80hhtZfX=||<7srzaKg~S#Mls6 z0po+ftT1~6&@RE$a9}Rlk3eGyyT_q}?F?GZP^%dOqk?iCMKh@6p#vX;?7x6bvLE zGz{!(F>^_vfr=al-u^K#dIMDxrbYteF!7lI%n!2$IEqEbAyEHe;vd-4VQO#SN0_}h z)F(v6Q_$T25f#M;0Tgy<7&!hy`vU0nfo1_}E(yFJM9CCr2xEVsI;CR9fqERhHw7IO z2Bwz=!V9`y1Hm4kMA1SgfPjF4F~D^!^f*8Y1|QfqqGJTG7NB4>J~{>M`(PYqzY1WO z^9lfCqW8(52|`5IlK=+aN#eIt00YGenif!&p!LfD|4{K6+(ZSPF7#XwhER47#(^_W z%s7ngg6pdUbbJ9YGJ1awU{rLx0x%HRP-_74&~*toiNT($F@dPi^fAGH8VdslQkXSB z)W*PohA}WEmN#&ugrOOv8NM|F*bd?%>NvcWdnouO4{+Fvw`8%vYi6k4fZkRb z`M9#cUqFlSUwXKW>Y&il*JaXZ`uh4hbUMj^!q6k@0go~uX_NISWNl5{e-E+8ffIj! X=zR-(&I}&CQfUMsd3k+v1EK#1IVR^M diff --git a/doc/pdf/user.tex b/doc/pdf/user.tex deleted file mode 100644 index d8245f4..0000000 --- a/doc/pdf/user.tex +++ /dev/null @@ -1,1923 +0,0 @@ -% Generated by Sphinx. -\def\sphinxdocclass{report} -\documentclass[letterpaper,10pt,english]{sphinxmanual} -\usepackage[utf8]{inputenc} -\DeclareUnicodeCharacter{00A0}{\nobreakspace} -\usepackage{cmap} -\usepackage[T1]{fontenc} -\usepackage{babel} -\usepackage{times} -\usepackage[Bjarne]{fncychap} -\usepackage{longtable} -\usepackage{sphinx} -\usepackage{multirow} - - -\title{Kerberos User Guide} -\date{ } -\release{1.15.2} -\author{MIT} -\newcommand{\sphinxlogo}{} -\renewcommand{\releasename}{Release} -\makeindex - -\makeatletter -\def\PYG@reset{\let\PYG@it=\relax \let\PYG@bf=\relax% - \let\PYG@ul=\relax \let\PYG@tc=\relax% - \let\PYG@bc=\relax \let\PYG@ff=\relax} -\def\PYG@tok#1{\csname PYG@tok@#1\endcsname} -\def\PYG@toks#1+{\ifx\relax#1\empty\else% - \PYG@tok{#1}\expandafter\PYG@toks\fi} -\def\PYG@do#1{\PYG@bc{\PYG@tc{\PYG@ul{% - \PYG@it{\PYG@bf{\PYG@ff{#1}}}}}}} -\def\PYG#1#2{\PYG@reset\PYG@toks#1+\relax+\PYG@do{#2}} - -\expandafter\def\csname PYG@tok@gd\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.63,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gu\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.50,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@gt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.27,0.87}{##1}}} -\expandafter\def\csname PYG@tok@gs\endcsname{\let\PYG@bf=\textbf} -\expandafter\def\csname PYG@tok@gr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{1.00,0.00,0.00}{##1}}} -\expandafter\def\csname PYG@tok@cm\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@vg\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@m\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@cs\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\colorbox[rgb]{1.00,0.94,0.94}{\strut ##1}}} -\expandafter\def\csname PYG@tok@ge\endcsname{\let\PYG@it=\textit} -\expandafter\def\csname PYG@tok@vc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@il\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@go\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.20,0.20,0.20}{##1}}} -\expandafter\def\csname PYG@tok@cp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@gi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.63,0.00}{##1}}} -\expandafter\def\csname PYG@tok@gh\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.00,0.50}{##1}}} -\expandafter\def\csname PYG@tok@ni\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.84,0.33,0.22}{##1}}} -\expandafter\def\csname PYG@tok@nl\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.13,0.44}{##1}}} -\expandafter\def\csname PYG@tok@nn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@no\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.38,0.68,0.84}{##1}}} -\expandafter\def\csname PYG@tok@na\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@nb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.05,0.52,0.71}{##1}}} -\expandafter\def\csname PYG@tok@nd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.33,0.33,0.33}{##1}}} -\expandafter\def\csname PYG@tok@ne\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@nf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.49}{##1}}} -\expandafter\def\csname PYG@tok@si\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.44,0.63,0.82}{##1}}} -\expandafter\def\csname PYG@tok@s2\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@vi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@nt\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.02,0.16,0.45}{##1}}} -\expandafter\def\csname PYG@tok@nv\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.38,0.84}{##1}}} -\expandafter\def\csname PYG@tok@s1\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@gp\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@sh\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@ow\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@sx\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.78,0.36,0.04}{##1}}} -\expandafter\def\csname PYG@tok@bp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c1\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@kc\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@c\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.50,0.56}{##1}}} -\expandafter\def\csname PYG@tok@mf\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@err\endcsname{\def\PYG@bc##1{\setlength{\fboxsep}{0pt}\fcolorbox[rgb]{1.00,0.00,0.00}{1,1,1}{\strut ##1}}} -\expandafter\def\csname PYG@tok@kd\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@ss\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.32,0.47,0.09}{##1}}} -\expandafter\def\csname PYG@tok@sr\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.14,0.33,0.53}{##1}}} -\expandafter\def\csname PYG@tok@mo\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@mi\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.13,0.50,0.31}{##1}}} -\expandafter\def\csname PYG@tok@kn\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@o\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.40,0.40,0.40}{##1}}} -\expandafter\def\csname PYG@tok@kr\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@s\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@kp\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@w\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.73,0.73,0.73}{##1}}} -\expandafter\def\csname PYG@tok@kt\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.56,0.13,0.00}{##1}}} -\expandafter\def\csname PYG@tok@sc\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sb\endcsname{\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@k\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.00,0.44,0.13}{##1}}} -\expandafter\def\csname PYG@tok@se\endcsname{\let\PYG@bf=\textbf\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} -\expandafter\def\csname PYG@tok@sd\endcsname{\let\PYG@it=\textit\def\PYG@tc##1{\textcolor[rgb]{0.25,0.44,0.63}{##1}}} - -\def\PYGZbs{\char`\\} -\def\PYGZus{\char`\_} -\def\PYGZob{\char`\{} -\def\PYGZcb{\char`\}} -\def\PYGZca{\char`\^} -\def\PYGZam{\char`\&} -\def\PYGZlt{\char`\<} -\def\PYGZgt{\char`\>} -\def\PYGZsh{\char`\#} -\def\PYGZpc{\char`\%} -\def\PYGZdl{\char`\$} -\def\PYGZhy{\char`\-} -\def\PYGZsq{\char`\'} -\def\PYGZdq{\char`\"} -\def\PYGZti{\char`\~} -% for compatibility with earlier versions -\def\PYGZat{@} -\def\PYGZlb{[} -\def\PYGZrb{]} -\makeatother - -\begin{document} - -\maketitle -\tableofcontents -\phantomsection\label{user/index::doc} - - - -\chapter{Password management} -\label{user/pwd_mgmt:for-users}\label{user/pwd_mgmt::doc}\label{user/pwd_mgmt:password-management} -Your password is the only way Kerberos has of verifying your identity. -If someone finds out your password, that person can masquerade as -you---send email that comes from you, read, edit, or delete your files, -or log into other hosts as you---and no one will be able to tell the -difference. For this reason, it is important that you choose a good -password, and keep it secret. If you need to give access to your -account to someone else, you can do so through Kerberos (see -{\hyperref[user/pwd_mgmt:grant-access]{\emph{Granting access to your account}}}). You should never tell your password to anyone, -including your system administrator, for any reason. You should -change your password frequently, particularly any time you think -someone may have found out what it is. - - -\section{Changing your password} -\label{user/pwd_mgmt:changing-your-password} -To change your Kerberos password, use the {\hyperref[user/user_commands/kpasswd:kpasswd-1]{\emph{kpasswd}}} command. -It will ask you for your old password (to prevent someone else from -walking up to your computer when you're not there and changing your -password), and then prompt you for the new one twice. (The reason you -have to type it twice is to make sure you have typed it correctly.) -For example, user \code{david} would do the following: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type your old password. -Enter new password: \PYGZlt{}\PYGZhy{} Type your new password. -Enter it again: \PYGZlt{}\PYGZhy{} Type the new password again. -Password changed. -shell\PYGZpc{} -\end{Verbatim} - -If \code{david} typed the incorrect old password, he would get the -following message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type the incorrect old password. -kpasswd: Password incorrect while getting initial ticket -shell\PYGZpc{} -\end{Verbatim} - -If you make a mistake and don't type the new password the same way -twice, kpasswd will ask you to try again: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kpasswd -Password for david: \PYGZlt{}\PYGZhy{} Type the old password. -Enter new password: \PYGZlt{}\PYGZhy{} Type the new password. -Enter it again: \PYGZlt{}\PYGZhy{} Type a different new password. -kpasswd: Password mismatch while reading password -shell\PYGZpc{} -\end{Verbatim} - -Once you change your password, it takes some time for the change to -propagate through the system. Depending on how your system is set up, -this might be anywhere from a few minutes to an hour or more. If you -need to get new Kerberos tickets shortly after changing your password, -try the new password. If the new password doesn't work, try again -using the old one. - - -\section{Granting access to your account} -\label{user/pwd_mgmt:grant-access}\label{user/pwd_mgmt:granting-access-to-your-account} -If you need to give someone access to log into your account, you can -do so through Kerberos, without telling the person your password. -Simply create a file called {\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} in your home directory. -This file should contain the Kerberos principal of each person to whom -you wish to give access. Each principal must be on a separate line. -Here is a sample .k5login file: - -\begin{Verbatim}[commandchars=\\\{\}] -jennifer@ATHENA.MIT.EDU -david@EXAMPLE.COM -\end{Verbatim} - -This file would allow the users \code{jennifer} and \code{david} to use your -user ID, provided that they had Kerberos tickets in their respective -realms. If you will be logging into other hosts across a network, you -will want to include your own Kerberos principal in your .k5login file -on each of these hosts. - -Using a .k5login file is much safer than giving out your password, -because: -\begin{itemize} -\item {} -You can take access away any time simply by removing the principal -from your .k5login file. - -\item {} -Although the user has full access to your account on one particular -host (or set of hosts if your .k5login file is shared, e.g., over -NFS), that user does not inherit your network privileges. - -\item {} -Kerberos keeps a log of who obtains tickets, so a system -administrator could find out, if necessary, who was capable of using -your user ID at a particular time. - -\end{itemize} - -One common application is to have a .k5login file in root's home -directory, giving root access to that machine to the Kerberos -principals listed. This allows system administrators to allow users -to become root locally, or to log in remotely as root, without their -having to give out the root password, and without anyone having to -type the root password over the network. - - -\section{Password quality verification} -\label{user/pwd_mgmt:password-quality-verification} -TODO - - -\chapter{Ticket management} -\label{user/tkt_mgmt:ticket-management}\label{user/tkt_mgmt::doc} -On many systems, Kerberos is built into the login program, and you get -tickets automatically when you log in. Other programs, such as ssh, -can forward copies of your tickets to a remote host. Most of these -programs also automatically destroy your tickets when they exit. -However, MIT recommends that you explicitly destroy your Kerberos -tickets when you are through with them, just to be sure. One way to -help ensure that this happens is to add the {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} command -to your .logout file. Additionally, if you are going to be away from -your machine and are concerned about an intruder using your -permissions, it is safest to either destroy all copies of your -tickets, or use a screensaver that locks the screen. - - -\section{Kerberos ticket properties} -\label{user/tkt_mgmt:kerberos-ticket-properties} -There are various properties that Kerberos tickets can have: - -If a ticket is \textbf{forwardable}, then the KDC can issue a new ticket -(with a different network address, if necessary) based on the -forwardable ticket. This allows for authentication forwarding without -requiring a password to be typed in again. For example, if a user -with a forwardable TGT logs into a remote system, the KDC could issue -a new TGT for that user with the network address of the remote system, -allowing authentication on that host to work as though the user were -logged in locally. - -When the KDC creates a new ticket based on a forwardable ticket, it -sets the \textbf{forwarded} flag on that new ticket. Any tickets that are -created based on a ticket with the forwarded flag set will also have -their forwarded flags set. - -A \textbf{proxiable} ticket is similar to a forwardable ticket in that it -allows a service to take on the identity of the client. Unlike a -forwardable ticket, however, a proxiable ticket is only issued for -specific services. In other words, a ticket-granting ticket cannot be -issued based on a ticket that is proxiable but not forwardable. - -A \textbf{proxy} ticket is one that was issued based on a proxiable ticket. - -A \textbf{postdated} ticket is issued with the invalid flag set. After the -starting time listed on the ticket, it can be presented to the KDC to -obtain valid tickets. - -Ticket-granting tickets with the \textbf{postdateable} flag set can be used -to obtain postdated service tickets. - -\textbf{Renewable} tickets can be used to obtain new session keys without -the user entering their password again. A renewable ticket has two -expiration times. The first is the time at which this particular -ticket expires. The second is the latest possible expiration time for -any ticket issued based on this renewable ticket. - -A ticket with the \textbf{initial flag} set was issued based on the -authentication protocol, and not on a ticket-granting ticket. -Application servers that wish to ensure that the user's key has been -recently presented for verification could specify that this flag must -be set to accept the ticket. - -An \textbf{invalid} ticket must be rejected by application servers. -Postdated tickets are usually issued with this flag set, and must be -validated by the KDC before they can be used. - -A \textbf{preauthenticated} ticket is one that was only issued after the -client requesting the ticket had authenticated itself to the KDC. - -The \textbf{hardware authentication} flag is set on a ticket which required -the use of hardware for authentication. The hardware is expected to -be possessed only by the client which requested the tickets. - -If a ticket has the \textbf{transit policy} checked flag set, then the KDC -that issued this ticket implements the transited-realm check policy -and checked the transited-realms list on the ticket. The -transited-realms list contains a list of all intermediate realms -between the realm of the KDC that issued the first ticket and that of -the one that issued the current ticket. If this flag is not set, then -the application server must check the transited realms itself or else -reject the ticket. - -The \textbf{okay as delegate} flag indicates that the server specified in -the ticket is suitable as a delegate as determined by the policy of -that realm. Some client applications may use this flag to decide -whether to forward tickets to a remote host, although many -applications do not honor it. - -An \textbf{anonymous} ticket is one in which the named principal is a -generic principal for that realm; it does not actually specify the -individual that will be using the ticket. This ticket is meant only -to securely distribute a session key. - - -\section{Obtaining tickets with kinit} -\label{user/tkt_mgmt:obtaining-tickets-with-kinit}\label{user/tkt_mgmt:obtain-tkt} -If your site has integrated Kerberos V5 with the login system, you -will get Kerberos tickets automatically when you log in. Otherwise, -you may need to explicitly obtain your Kerberos tickets, using the -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}} program. Similarly, if your Kerberos tickets expire, -use the kinit program to obtain new ones. - -To use the kinit program, simply type \code{kinit} and then type your -password at the prompt. For example, Jennifer (whose username is -\code{jennifer}) works for Bleep, Inc. (a fictitious company with the -domain name mit.edu and the Kerberos realm ATHENA.MIT.EDU). She would -type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type jennifer\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -If you type your password incorrectly, kinit will give you the -following error message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type the wrong password here.] -kinit: Password incorrect -shell\PYGZpc{} -\end{Verbatim} - -and you won't get Kerberos tickets. - -By default, kinit assumes you want tickets for your own username in -your default realm. Suppose Jennifer's friend David is visiting, and -he wants to borrow a window to check his mail. David needs to get -tickets for himself in his own realm, EXAMPLE.COM. He would type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit david@EXAMPLE.COM -Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -David would then have tickets which he could use to log onto his own -machine. Note that he typed his password locally on Jennifer's -machine, but it never went over the network. Kerberos on the local -host performed the authentication to the KDC in the other realm. - -If you want to be able to forward your tickets to another host, you -need to request forwardable tickets. You do this by specifying the -\textbf{-f} option: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit \PYGZhy{}f -Password for jennifer@ATHENA.MIT.EDU: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type your password here.] -shell\PYGZpc{} -\end{Verbatim} - -Note that kinit does not tell you that it obtained forwardable -tickets; you can verify this using the {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command (see -{\hyperref[user/tkt_mgmt:view-tkt]{\emph{Viewing tickets with klist}}}). - -Normally, your tickets are good for your system's default ticket -lifetime, which is ten hours on many systems. You can specify a -different ticket lifetime with the \textbf{-l} option. Add the letter -\textbf{s} to the value for seconds, \textbf{m} for minutes, \textbf{h} for hours, or -\textbf{d} for days. For example, to obtain forwardable tickets for -\code{david@EXAMPLE.COM} that would be good for three hours, you would -type: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kinit \PYGZhy{}f \PYGZhy{}l 3h david@EXAMPLE.COM -Password for david@EXAMPLE.COM: \PYGZlt{}\PYGZhy{}\PYGZhy{} [Type david\PYGZsq{}s password here.] -shell\PYGZpc{} -\end{Verbatim} - -\begin{notice}{note}{Note:} -You cannot mix units; specifying a lifetime of 3h30m would -result in an error. Note also that most systems specify a -maximum ticket lifetime. If you request a longer ticket -lifetime, it will be automatically truncated to the maximum -lifetime. -\end{notice} - - -\section{Viewing tickets with klist} -\label{user/tkt_mgmt:viewing-tickets-with-klist}\label{user/tkt_mgmt:view-tkt} -The {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} command shows your tickets. When you first obtain -tickets, you will have only the ticket-granting ticket. The listing -would look like this: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -The ticket cache is the location of your ticket file. In the above -example, this file is named \code{/tmp/krb5cc\_ttypa}. The default -principal is your Kerberos principal. - -The ``valid starting'' and ``expires'' fields describe the period of time -during which the ticket is valid. The ``service principal'' describes -each ticket. The ticket-granting ticket has a first component -\code{krbtgt}, and a second component which is the realm name. - -Now, if \code{jennifer} connected to the machine \code{daffodil.mit.edu}, -and then typed ``klist'' again, she would have gotten the following -result: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU -shell\PYGZpc{} -\end{Verbatim} - -Here's what happened: when \code{jennifer} used ssh to connect to the -host \code{daffodil.mit.edu}, the ssh program presented her -ticket-granting ticket to the KDC and requested a host ticket for the -host \code{daffodil.mit.edu}. The KDC sent the host ticket, which ssh -then presented to the host \code{daffodil.mit.edu}, and she was allowed -to log in without typing her password. - -Suppose your Kerberos tickets allow you to log into a host in another -domain, such as \code{trillium.example.com}, which is also in another -Kerberos realm, \code{EXAMPLE.COM}. If you ssh to this host, you will -receive a ticket-granting ticket for the realm \code{EXAMPLE.COM}, plus -the new host ticket for \code{trillium.example.com}. klist will now -show: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist -Ticket cache: /tmp/krb5cc\PYGZus{}ttypa -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -06/07/04 19:49:21 06/08/04 05:49:19 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU -06/07/04 20:22:30 06/08/04 05:49:19 host/daffodil.mit.edu@ATHENA.MIT.EDU -06/07/04 20:24:18 06/08/04 05:49:19 krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU -06/07/04 20:24:18 06/08/04 05:49:19 host/trillium.example.com@EXAMPLE.COM -shell\PYGZpc{} -\end{Verbatim} - -Depending on your host's and realm's configuration, you may also see a -ticket with the service principal \code{host/trillium.example.com@}. If -so, this means that your host did not know what realm -trillium.example.com is in, so it asked the \code{ATHENA.MIT.EDU} KDC for -a referral. The next time you connect to \code{trillium.example.com}, -the odd-looking entry will be used to avoid needing to ask for a -referral again. - -You can use the \textbf{-f} option to view the flags that apply to your -tickets. The flags are: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -F - & -Forwardable -\\ -\hline -f - & -forwarded -\\ -\hline -P - & -Proxiable -\\ -\hline -p - & -proxy -\\ -\hline -D - & -postDateable -\\ -\hline -d - & -postdated -\\ -\hline -R - & -Renewable -\\ -\hline -I - & -Initial -\\ -\hline -i - & -invalid -\\ -\hline -H - & -Hardware authenticated -\\ -\hline -A - & -preAuthenticated -\\ -\hline -T - & -Transit policy checked -\\ -\hline -O - & -Okay as delegate -\\ -\hline -a - & -anonymous -\\ -\hline\end{tabulary} - - -Here is a sample listing. In this example, the user \emph{jennifer} -obtained her initial tickets (\textbf{I}), which are forwardable (\textbf{F}) -and postdated (\textbf{d}) but not yet validated (\textbf{i}): - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist \PYGZhy{}f -Ticket cache: /tmp/krb5cc\PYGZus{}320 -Default principal: jennifer@ATHENA.MIT.EDU - -Valid starting Expires Service principal -31/07/05 19:06:25 31/07/05 19:16:25 krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU - Flags: FdiI -shell\PYGZpc{} -\end{Verbatim} - -In the following example, the user \emph{david}`s tickets were forwarded -(\textbf{f}) to this host from another host. The tickets are reforwardable -(\textbf{F}): - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} klist \PYGZhy{}f -Ticket cache: /tmp/krb5cc\PYGZus{}p11795 -Default principal: david@EXAMPLE.COM - -Valid starting Expires Service principal -07/31/05 11:52:29 07/31/05 21:11:23 krbtgt/EXAMPLE.COM@EXAMPLE.COM - Flags: Ff -07/31/05 12:03:48 07/31/05 21:11:23 host/trillium.example.com@EXAMPLE.COM - Flags: Ff -shell\PYGZpc{} -\end{Verbatim} - - -\section{Destroying tickets with kdestroy} -\label{user/tkt_mgmt:destroying-tickets-with-kdestroy} -Your Kerberos tickets are proof that you are indeed yourself, and -tickets could be stolen if someone gains access to a computer where -they are stored. If this happens, the person who has them can -masquerade as you until they expire. For this reason, you should -destroy your Kerberos tickets when you are away from your computer. - -Destroying your tickets is easy. Simply type kdestroy: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdestroy -shell\PYGZpc{} -\end{Verbatim} - -If {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} fails to destroy your tickets, it will beep and -give an error message. For example, if kdestroy can't find any -tickets to destroy, it will give the following message: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} kdestroy -kdestroy: No credentials cache file found while destroying cache -shell\PYGZpc{} -\end{Verbatim} - - -\chapter{User config files} -\label{user/user_config/index::doc}\label{user/user_config/index:user-config-files} -The following files in your home directory can be used to control the -behavior of Kerberos as it applies to your account (unless they have -been disabled by your host's configuration): - - -\section{.k5login} -\label{user/user_config/k5login:k5login-5}\label{user/user_config/k5login:k5login}\label{user/user_config/k5login::doc} - -\subsection{DESCRIPTION} -\label{user/user_config/k5login:description} -The .k5login file, which resides in a user's home directory, contains -a list of the Kerberos principals. Anyone with valid tickets for a -principal in the file is allowed host access with the UID of the user -in whose home directory the file resides. One common use is to place -a .k5login file in root's home directory, thereby granting system -administrators remote root access to the host via Kerberos. - - -\subsection{EXAMPLES} -\label{user/user_config/k5login:examples} -Suppose the user \code{alice} had a .k5login file in her home directory -containing just the following line: - -\begin{Verbatim}[commandchars=\\\{\}] -bob@FOOBAR.ORG -\end{Verbatim} - -This would allow \code{bob} to use Kerberos network applications, such as -ssh(1), to access \code{alice}`s account, using \code{bob}`s Kerberos -tickets. In a default configuration (with \textbf{k5login\_authoritative} set -to true in \emph{krb5.conf(5)}), this .k5login file would not let -\code{alice} use those network applications to access her account, since -she is not listed! With no .k5login file, or with \textbf{k5login\_authoritative} -set to false, a default rule would permit the principal \code{alice} in the -machine's default realm to access the \code{alice} account. - -Let us further suppose that \code{alice} is a system administrator. -Alice and the other system administrators would have their principals -in root's .k5login file on each host: - -\begin{Verbatim}[commandchars=\\\{\}] -alice@BLEEP.COM - -joeadmin/root@BLEEP.COM -\end{Verbatim} - -This would allow either system administrator to log in to these hosts -using their Kerberos tickets instead of having to type the root -password. Note that because \code{bob} retains the Kerberos tickets for -his own principal, \code{bob@FOOBAR.ORG}, he would not have any of the -privileges that require \code{alice}`s tickets, such as root access to -any of the site's hosts, or the ability to change \code{alice}`s -password. - - -\subsection{SEE ALSO} -\label{user/user_config/k5login:see-also} -kerberos(1) - - -\section{.k5identity} -\label{user/user_config/k5identity:k5identity-5}\label{user/user_config/k5identity:k5identity}\label{user/user_config/k5identity::doc} - -\subsection{DESCRIPTION} -\label{user/user_config/k5identity:description} -The .k5identity file, which resides in a user's home directory, -contains a list of rules for selecting a client principals based on -the server being accessed. These rules are used to choose a -credential cache within the cache collection when possible. - -Blank lines and lines beginning with \code{\#} are ignored. Each line has -the form: -\begin{quote} - -\emph{principal} \emph{field}=\emph{value} ... -\end{quote} - -If the server principal meets all of the field constraints, then -principal is chosen as the client principal. The following fields are -recognized: -\begin{description} -\item[{\textbf{realm}}] \leavevmode -If the realm of the server principal is known, it is matched -against \emph{value}, which may be a pattern using shell wildcards. -For host-based server principals, the realm will generally only be -known if there is a \emph{domain\_realm} section in -\emph{krb5.conf(5)} with a mapping for the hostname. - -\item[{\textbf{service}}] \leavevmode -If the server principal is a host-based principal, its service -component is matched against \emph{value}, which may be a pattern using -shell wildcards. - -\item[{\textbf{host}}] \leavevmode -If the server principal is a host-based principal, its hostname -component is converted to lower case and matched against \emph{value}, -which may be a pattern using shell wildcards. - -If the server principal matches the constraints of multiple lines -in the .k5identity file, the principal from the first matching -line is used. If no line matches, credentials will be selected -some other way, such as the realm heuristic or the current primary -cache. - -\end{description} - - -\subsection{EXAMPLE} -\label{user/user_config/k5identity:example} -The following example .k5identity file selects the client principal -\code{alice@KRBTEST.COM} if the server principal is within that realm, -the principal \code{alice/root@EXAMPLE.COM} if the server host is within -a servers subdomain, and the principal \code{alice/mail@EXAMPLE.COM} when -accessing the IMAP service on \code{mail.example.com}: - -\begin{Verbatim}[commandchars=\\\{\}] -alice@KRBTEST.COM realm=KRBTEST.COM -alice/root@EXAMPLE.COM host=*.servers.example.com -alice/mail@EXAMPLE.COM host=mail.example.com service=imap -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{user/user_config/k5identity:see-also} -kerberos(1), \emph{krb5.conf(5)} - - -\chapter{User commands} -\label{user/user_commands/index::doc}\label{user/user_commands/index:user-commands}\label{user/user_commands/index:id1} - -\section{kdestroy} -\label{user/user_commands/kdestroy:kdestroy}\label{user/user_commands/kdestroy::doc}\label{user/user_commands/kdestroy:kdestroy-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/kdestroy:synopsis} -\textbf{kdestroy} -{[}\textbf{-A}{]} -{[}\textbf{-q}{]} -{[}\textbf{-c} \emph{cache\_name}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kdestroy:description} -The kdestroy utility destroys the user's active Kerberos authorization -tickets by overwriting and deleting the credentials cache that -contains them. If the credentials cache is not specified, the default -credentials cache is destroyed. - - -\subsection{OPTIONS} -\label{user/user_commands/kdestroy:options}\begin{description} -\item[{\textbf{-A}}] \leavevmode -Destroys all caches in the collection, if a cache collection is -available. - -\item[{\textbf{-q}}] \leavevmode -Run quietly. Normally kdestroy beeps if it fails to destroy the -user's tickets. The \textbf{-q} flag suppresses this behavior. - -\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode -Use \emph{cache\_name} as the credentials (ticket) cache name and -location; if this option is not used, the default cache name and -location are used. - -The default credentials cache may vary between systems. If the -\textbf{KRB5CCNAME} environment variable is set, its value is used to -name the default ticket cache. - -\end{description} - - -\subsection{NOTE} -\label{user/user_commands/kdestroy:note} -Most installations recommend that you place the kdestroy command in -your .logout file, so that your tickets are destroyed automatically -when you log out. - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kdestroy:environment} -kdestroy uses the following environment variable: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the -\textbf{FILE} type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \textbf{DIR} causes caches within the directory -to be present in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kdestroy:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of Kerberos 5 credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kdestroy:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} - - -\section{kinit} -\label{user/user_commands/kinit:kinit-1}\label{user/user_commands/kinit:kinit}\label{user/user_commands/kinit::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/kinit:synopsis} -\textbf{kinit} -{[}\textbf{-V}{]} -{[}\textbf{-l} \emph{lifetime}{]} -{[}\textbf{-s} \emph{start\_time}{]} -{[}\textbf{-r} \emph{renewable\_life}{]} -{[}\textbf{-p} \textbar{} -\textbf{P}{]} -{[}\textbf{-f} \textbar{} -\textbf{F}{]} -{[}\textbf{-a}{]} -{[}\textbf{-A}{]} -{[}\textbf{-C}{]} -{[}\textbf{-E}{]} -{[}\textbf{-v}{]} -{[}\textbf{-R}{]} -{[}\textbf{-k} {[}-\textbf{t} \emph{keytab\_file}{]}{]} -{[}\textbf{-c} \emph{cache\_name}{]} -{[}\textbf{-n}{]} -{[}\textbf{-S} \emph{service\_name}{]} -{[}\textbf{-I} \emph{input\_ccache}{]} -{[}\textbf{-T} \emph{armor\_ccache}{]} -{[}\textbf{-X} \emph{attribute}{[}=\emph{value}{]}{]} -{[}\emph{principal}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kinit:description} -kinit obtains and caches an initial ticket-granting ticket for -\emph{principal}. If \emph{principal} is absent, kinit chooses an appropriate -principal name based on existing credential cache contents or the -local username of the user invoking kinit. Some options modify the -choice of principal name. - - -\subsection{OPTIONS} -\label{user/user_commands/kinit:options}\begin{description} -\item[{\textbf{-V}}] \leavevmode -display verbose output. - -\item[{\textbf{-l} \emph{lifetime}}] \leavevmode -(\emph{duration} string.) Requests a ticket with the lifetime -\emph{lifetime}. - -For example, \code{kinit -l 5:30} or \code{kinit -l 5h30m}. - -If the \textbf{-l} option is not specified, the default ticket lifetime -(configured by each site) is used. Specifying a ticket lifetime -longer than the maximum ticket lifetime (configured by each site) -will not override the configured maximum ticket lifetime. - -\item[{\textbf{-s} \emph{start\_time}}] \leavevmode -(\emph{duration} string.) Requests a postdated ticket. Postdated -tickets are issued with the \textbf{invalid} flag set, and need to be -resubmitted to the KDC for validation before use. - -\emph{start\_time} specifies the duration of the delay before the ticket -can become valid. - -\item[{\textbf{-r} \emph{renewable\_life}}] \leavevmode -(\emph{duration} string.) Requests renewable tickets, with a total -lifetime of \emph{renewable\_life}. - -\item[{\textbf{-f}}] \leavevmode -requests forwardable tickets. - -\item[{\textbf{-F}}] \leavevmode -requests non-forwardable tickets. - -\item[{\textbf{-p}}] \leavevmode -requests proxiable tickets. - -\item[{\textbf{-P}}] \leavevmode -requests non-proxiable tickets. - -\item[{\textbf{-a}}] \leavevmode -requests tickets restricted to the host's local address{[}es{]}. - -\item[{\textbf{-A}}] \leavevmode -requests tickets not restricted by address. - -\item[{\textbf{-C}}] \leavevmode -requests canonicalization of the principal name, and allows the -KDC to reply with a different client principal from the one -requested. - -\item[{\textbf{-E}}] \leavevmode -treats the principal name as an enterprise name (implies the -\textbf{-C} option). - -\item[{\textbf{-v}}] \leavevmode -requests that the ticket-granting ticket in the cache (with the -\textbf{invalid} flag set) be passed to the KDC for validation. If the -ticket is within its requested time range, the cache is replaced -with the validated ticket. - -\item[{\textbf{-R}}] \leavevmode -requests renewal of the ticket-granting ticket. Note that an -expired ticket cannot be renewed, even if the ticket is still -within its renewable life. - -Note that renewable tickets that have expired as reported by -{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}} may sometimes be renewed using this option, -because the KDC applies a grace period to account for client-KDC -clock skew. See \emph{krb5.conf(5)} \textbf{clockskew} setting. - -\item[{\textbf{-k} {[}\textbf{-i} \textbar{} \textbf{-t} \emph{keytab\_file}{]}}] \leavevmode -requests a ticket, obtained from a key in the local host's keytab. -The location of the keytab may be specified with the \textbf{-t} -\emph{keytab\_file} option, or with the \textbf{-i} option to specify the use -of the default client keytab; otherwise the default keytab will be -used. By default, a host ticket for the local host is requested, -but any principal may be specified. On a KDC, the special keytab -location \code{KDB:} can be used to indicate that kinit should open -the KDC database and look up the key directly. This permits an -administrator to obtain tickets as any principal that supports -authentication based on the key. - -\item[{\textbf{-n}}] \leavevmode -Requests anonymous processing. Two types of anonymous principals -are supported. - -For fully anonymous Kerberos, configure pkinit on the KDC and -configure \textbf{pkinit\_anchors} in the client's \emph{krb5.conf(5)}. -Then use the \textbf{-n} option with a principal of the form \code{@REALM} -(an empty principal name followed by the at-sign and a realm -name). If permitted by the KDC, an anonymous ticket will be -returned. - -A second form of anonymous tickets is supported; these -realm-exposed tickets hide the identity of the client but not the -client's realm. For this mode, use \code{kinit -n} with a normal -principal name. If supported by the KDC, the principal (but not -realm) will be replaced by the anonymous principal. - -As of release 1.8, the MIT Kerberos KDC only supports fully -anonymous operation. - -\end{description} - -\textbf{-I} \emph{input\_ccache} -\begin{quote} - -Specifies the name of a credentials cache that already contains a -ticket. When obtaining that ticket, if information about how that -ticket was obtained was also stored to the cache, that information -will be used to affect how new credentials are obtained, including -preselecting the same methods of authenticating to the KDC. -\end{quote} -\begin{description} -\item[{\textbf{-T} \emph{armor\_ccache}}] \leavevmode -Specifies the name of a credentials cache that already contains a -ticket. If supported by the KDC, this cache will be used to armor -the request, preventing offline dictionary attacks and allowing -the use of additional preauthentication mechanisms. Armoring also -makes sure that the response from the KDC is not modified in -transit. - -\item[{\textbf{-c} \emph{cache\_name}}] \leavevmode -use \emph{cache\_name} as the Kerberos 5 credentials (ticket) cache -location. If this option is not used, the default cache location -is used. - -The default cache location may vary between systems. If the -\textbf{KRB5CCNAME} environment variable is set, its value is used to -locate the default cache. If a principal name is specified and -the type of the default cache supports a collection (such as the -DIR type), an existing cache containing credentials for the -principal is selected or a new one is created and becomes the new -primary cache. Otherwise, any existing contents of the default -cache are destroyed by kinit. - -\item[{\textbf{-S} \emph{service\_name}}] \leavevmode -specify an alternate service name to use when getting initial -tickets. - -\item[{\textbf{-X} \emph{attribute}{[}=\emph{value}{]}}] \leavevmode -specify a pre-authentication \emph{attribute} and \emph{value} to be -interpreted by pre-authentication modules. The acceptable -attribute and value values vary from module to module. This -option may be specified multiple times to specify multiple -attributes. If no value is specified, it is assumed to be ``yes''. - -The following attributes are recognized by the PKINIT -pre-authentication mechanism: -\begin{description} -\item[{\textbf{X509\_user\_identity}=\emph{value}}] \leavevmode -specify where to find user's X509 identity information - -\item[{\textbf{X509\_anchors}=\emph{value}}] \leavevmode -specify where to find trusted X509 anchor information - -\item[{\textbf{flag\_RSA\_PROTOCOL}{[}\textbf{=yes}{]}}] \leavevmode -specify use of RSA, rather than the default Diffie-Hellman -protocol - -\end{description} - -\end{description} - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kinit:environment} -kinit uses the following environment variables: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials cache, in the form -\emph{type}:\emph{residual}. If no \emph{type} prefix is present, the \textbf{FILE} -type is assumed. The type of the default cache may determine the -availability of a cache collection; for instance, a default cache -of type \textbf{DIR} causes caches within the directory to be present -in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kinit:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -default location of Kerberos 5 credentials cache - -\item[{\emph{DEFKTNAME}}] \leavevmode -default location for the local host's keytab. - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kinit:see-also} -{\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, kerberos(1) - - -\section{klist} -\label{user/user_commands/klist:klist}\label{user/user_commands/klist::doc}\label{user/user_commands/klist:klist-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/klist:synopsis} -\textbf{klist} -{[}\textbf{-e}{]} -{[}{[}\textbf{-c}{]} {[}\textbf{-l}{]} {[}\textbf{-A}{]} {[}\textbf{-f}{]} {[}\textbf{-s}{]} {[}\textbf{-a} {[}\textbf{-n}{]}{]}{]} -{[}\textbf{-C}{]} -{[}\textbf{-k} {[}\textbf{-t}{]} {[}\textbf{-K}{]}{]} -{[}\textbf{-V}{]} -{[}\emph{cache\_name}\textbar{}\emph{keytab\_name}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/klist:description} -klist lists the Kerberos principal and Kerberos tickets held in a -credentials cache, or the keys held in a keytab file. - - -\subsection{OPTIONS} -\label{user/user_commands/klist:options}\begin{description} -\item[{\textbf{-e}}] \leavevmode -Displays the encryption types of the session key and the ticket -for each credential in the credential cache, or each key in the -keytab file. - -\item[{\textbf{-l}}] \leavevmode -If a cache collection is available, displays a table summarizing -the caches present in the collection. - -\item[{\textbf{-A}}] \leavevmode -If a cache collection is available, displays the contents of all -of the caches in the collection. - -\item[{\textbf{-c}}] \leavevmode -List tickets held in a credentials cache. This is the default if -neither \textbf{-c} nor \textbf{-k} is specified. - -\item[{\textbf{-f}}] \leavevmode -Shows the flags present in the credentials, using the following -abbreviations: - -\begin{Verbatim}[commandchars=\\\{\}] -F Forwardable -f forwarded -P Proxiable -p proxy -D postDateable -d postdated -R Renewable -I Initial -i invalid -H Hardware authenticated -A preAuthenticated -T Transit policy checked -O Okay as delegate -a anonymous -\end{Verbatim} - -\item[{\textbf{-s}}] \leavevmode -Causes klist to run silently (produce no output). klist will exit -with status 1 if the credentials cache cannot be read or is -expired, and with status 0 otherwise. - -\item[{\textbf{-a}}] \leavevmode -Display list of addresses in credentials. - -\item[{\textbf{-n}}] \leavevmode -Show numeric addresses instead of reverse-resolving addresses. - -\item[{\textbf{-C}}] \leavevmode -List configuration data that has been stored in the credentials -cache when klist encounters it. By default, configuration data -is not listed. - -\item[{\textbf{-k}}] \leavevmode -List keys held in a keytab file. - -\item[{\textbf{-i}}] \leavevmode -In combination with \textbf{-k}, defaults to using the default client -keytab instead of the default acceptor keytab, if no name is -given. - -\item[{\textbf{-t}}] \leavevmode -Display the time entry timestamps for each keytab entry in the -keytab file. - -\item[{\textbf{-K}}] \leavevmode -Display the value of the encryption key in each keytab entry in -the keytab file. - -\item[{\textbf{-V}}] \leavevmode -Display the Kerberos version number and exit. - -\end{description} - -If \emph{cache\_name} or \emph{keytab\_name} is not specified, klist will display -the credentials in the default credentials cache or keytab file as -appropriate. If the \textbf{KRB5CCNAME} environment variable is set, its -value is used to locate the default ticket cache. - - -\subsection{ENVIRONMENT} -\label{user/user_commands/klist:environment} -klist uses the following environment variable: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the -\textbf{FILE} type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \textbf{DIR} causes caches within the directory -to be present in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/klist:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of Kerberos 5 credentials cache - -\item[{\emph{DEFKTNAME}}] \leavevmode -Default location for the local host's keytab file. - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/klist:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} - - -\section{kpasswd} -\label{user/user_commands/kpasswd:kpasswd}\label{user/user_commands/kpasswd::doc}\label{user/user_commands/kpasswd:kpasswd-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/kpasswd:synopsis} -\textbf{kpasswd} {[}\emph{principal}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kpasswd:description} -The kpasswd command is used to change a Kerberos principal's password. -kpasswd first prompts for the current Kerberos password, then prompts -the user twice for the new password, and the password is changed. - -If the principal is governed by a policy that specifies the length -and/or number of character classes required in the new password, the -new password must conform to the policy. (The five character classes -are lower case, upper case, numbers, punctuation, and all other -characters.) - - -\subsection{OPTIONS} -\label{user/user_commands/kpasswd:options}\begin{description} -\item[{\emph{principal}}] \leavevmode -Change the password for the Kerberos principal principal. -Otherwise, kpasswd uses the principal name from an existing ccache -if there is one; if not, the principal is derived from the -identity of the user invoking the kpasswd command. - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kpasswd:see-also} -\emph{kadmin(1)}, \emph{kadmind(8)} - - -\section{krb5-config} -\label{user/user_commands/krb5-config:krb5-config-1}\label{user/user_commands/krb5-config:krb5-config}\label{user/user_commands/krb5-config::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/krb5-config:synopsis} -\textbf{krb5-config} -{[}\textbf{-}\textbf{-help} \textbar{} \textbf{-}\textbf{-all} \textbar{} \textbf{-}\textbf{-version} \textbar{} \textbf{-}\textbf{-vendor} \textbar{} \textbf{-}\textbf{-prefix} \textbar{} \textbf{-}\textbf{-exec-prefix} \textbar{} \textbf{-}\textbf{-defccname} \textbar{} \textbf{-}\textbf{-defktname} \textbar{} \textbf{-}\textbf{-defcktname} \textbar{} \textbf{-}\textbf{-cflags} \textbar{} \textbf{-}\textbf{-libs} {[}\emph{libraries}{]}{]} - - -\subsection{DESCRIPTION} -\label{user/user_commands/krb5-config:description} -krb5-config tells the application programmer what flags to use to compile -and link programs against the installed Kerberos libraries. - - -\subsection{OPTIONS} -\label{user/user_commands/krb5-config:options}\begin{description} -\item[{\textbf{-}\textbf{-help}}] \leavevmode -prints a usage message. This is the default behavior when no options -are specified. - -\item[{\textbf{-}\textbf{-all}}] \leavevmode -prints the version, vendor, prefix, and exec-prefix. - -\item[{\textbf{-}\textbf{-version}}] \leavevmode -prints the version number of the Kerberos installation. - -\item[{\textbf{-}\textbf{-vendor}}] \leavevmode -prints the name of the vendor of the Kerberos installation. - -\item[{\textbf{-}\textbf{-prefix}}] \leavevmode -prints the prefix for which the Kerberos installation was built. - -\item[{\textbf{-}\textbf{-exec-prefix}}] \leavevmode -prints the prefix for executables for which the Kerberos installation -was built. - -\item[{\textbf{-}\textbf{-defccname}}] \leavevmode -prints the built-in default credentials cache location. - -\item[{\textbf{-}\textbf{-defktname}}] \leavevmode -prints the built-in default keytab location. - -\item[{\textbf{-}\textbf{-defcktname}}] \leavevmode -prints the built-in default client (initiator) keytab location. - -\item[{\textbf{-}\textbf{-cflags}}] \leavevmode -prints the compilation flags used to build the Kerberos installation. - -\item[{\textbf{-}\textbf{-libs} {[}\emph{library}{]}}] \leavevmode -prints the compiler options needed to link against \emph{library}. -Allowed values for \emph{library} are: - -\begin{tabulary}{\linewidth}{|L|L|} -\hline - -krb5 - & -Kerberos 5 applications (default) -\\ -\hline -gssapi - & -GSSAPI applications with Kerberos 5 bindings -\\ -\hline -kadm-client - & -Kadmin client -\\ -\hline -kadm-server - & -Kadmin server -\\ -\hline -kdb - & -Applications that access the Kerberos database -\\ -\hline\end{tabulary} - - -\end{description} - - -\subsection{EXAMPLES} -\label{user/user_commands/krb5-config:examples} -krb5-config is particularly useful for compiling against a Kerberos -installation that was installed in a non-standard location. For example, -a Kerberos installation that is installed in \code{/opt/krb5/} but uses -libraries in \code{/usr/local/lib/} for text localization would produce -the following output: - -\begin{Verbatim}[commandchars=\\\{\}] -shell\PYGZpc{} krb5\PYGZhy{}config \PYGZhy{}\PYGZhy{}libs krb5 -\PYGZhy{}L/opt/krb5/lib \PYGZhy{}Wl,\PYGZhy{}rpath \PYGZhy{}Wl,/opt/krb5/lib \PYGZhy{}L/usr/local/lib \PYGZhy{}lkrb5 \PYGZhy{}lk5crypto \PYGZhy{}lcom\PYGZus{}err -\end{Verbatim} - - -\subsection{SEE ALSO} -\label{user/user_commands/krb5-config:see-also} -kerberos(1), cc(1) - - -\section{ksu} -\label{user/user_commands/ksu:ksu-1}\label{user/user_commands/ksu:ksu}\label{user/user_commands/ksu::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/ksu:synopsis} -\textbf{ksu} -{[} \emph{target\_user} {]} -{[} \textbf{-n} \emph{target\_principal\_name} {]} -{[} \textbf{-c} \emph{source\_cache\_name} {]} -{[} \textbf{-k} {]} -{[} \textbf{-r} time {]} -{[} \textbf{-pf} {]} -{[} \textbf{-l} \emph{lifetime} {]} -{[} \textbf{-z \textbar{} Z} {]} -{[} \textbf{-q} {]} -{[} \textbf{-e} \emph{command} {[} args ... {]} {]} {[} \textbf{-a} {[} args ... {]} {]} - - -\subsection{REQUIREMENTS} -\label{user/user_commands/ksu:requirements} -Must have Kerberos version 5 installed to compile ksu. Must have a -Kerberos version 5 server running to use ksu. - - -\subsection{DESCRIPTION} -\label{user/user_commands/ksu:description} -ksu is a Kerberized version of the su program that has two missions: -one is to securely change the real and effective user ID to that of -the target user, and the other is to create a new security context. - -\begin{notice}{note}{Note:} -For the sake of clarity, all references to and attributes of -the user invoking the program will start with ``source'' -(e.g., ``source user'', ``source cache'', etc.). - -Likewise, all references to and attributes of the target -account will start with ``target''. -\end{notice} - - -\subsection{AUTHENTICATION} -\label{user/user_commands/ksu:authentication} -To fulfill the first mission, ksu operates in two phases: -authentication and authorization. Resolving the target principal name -is the first step in authentication. The user can either specify his -principal name with the \textbf{-n} option (e.g., \code{-n jqpublic@USC.EDU}) -or a default principal name will be assigned using a heuristic -described in the OPTIONS section (see \textbf{-n} option). The target user -name must be the first argument to ksu; if not specified root is the -default. If \code{.} is specified then the target user will be the -source user (e.g., \code{ksu .}). If the source user is root or the -target user is the source user, no authentication or authorization -takes place. Otherwise, ksu looks for an appropriate Kerberos ticket -in the source cache. - -The ticket can either be for the end-server or a ticket granting -ticket (TGT) for the target principal's realm. If the ticket for the -end-server is already in the cache, it's decrypted and verified. If -it's not in the cache but the TGT is, the TGT is used to obtain the -ticket for the end-server. The end-server ticket is then verified. -If neither ticket is in the cache, but ksu is compiled with the -\textbf{GET\_TGT\_VIA\_PASSWD} define, the user will be prompted for a -Kerberos password which will then be used to get a TGT. If the user -is logged in remotely and does not have a secure channel, the password -may be exposed. If neither ticket is in the cache and -\textbf{GET\_TGT\_VIA\_PASSWD} is not defined, authentication fails. - - -\subsection{AUTHORIZATION} -\label{user/user_commands/ksu:authorization} -This section describes authorization of the source user when ksu is -invoked without the \textbf{-e} option. For a description of the \textbf{-e} -option, see the OPTIONS section. - -Upon successful authentication, ksu checks whether the target -principal is authorized to access the target account. In the target -user's home directory, ksu attempts to access two authorization files: -{\hyperref[user/user_config/k5login:k5login-5]{\emph{.k5login}}} and .k5users. In the .k5login file each line -contains the name of a principal that is authorized to access the -account. - -For example: - -\begin{Verbatim}[commandchars=\\\{\}] -jqpublic@USC.EDU -jqpublic/secure@USC.EDU -jqpublic/admin@USC.EDU -\end{Verbatim} - -The format of .k5users is the same, except the principal name may be -followed by a list of commands that the principal is authorized to -execute (see the \textbf{-e} option in the OPTIONS section for details). - -Thus if the target principal name is found in the .k5login file the -source user is authorized to access the target account. Otherwise ksu -looks in the .k5users file. If the target principal name is found -without any trailing commands or followed only by \code{*} then the -source user is authorized. If either .k5login or .k5users exist but -an appropriate entry for the target principal does not exist then -access is denied. If neither file exists then the principal will be -granted access to the account according to the aname-\textgreater{}lname mapping -rules. Otherwise, authorization fails. - - -\subsection{EXECUTION OF THE TARGET SHELL} -\label{user/user_commands/ksu:execution-of-the-target-shell} -Upon successful authentication and authorization, ksu proceeds in a -similar fashion to su. The environment is unmodified with the -exception of USER, HOME and SHELL variables. If the target user is -not root, USER gets set to the target user name. Otherwise USER -remains unchanged. Both HOME and SHELL are set to the target login's -default values. In addition, the environment variable \textbf{KRB5CCNAME} -gets set to the name of the target cache. The real and effective user -ID are changed to that of the target user. The target user's shell is -then invoked (the shell name is specified in the password file). Upon -termination of the shell, ksu deletes the target cache (unless ksu is -invoked with the \textbf{-k} option). This is implemented by first doing a -fork and then an exec, instead of just exec, as done by su. - - -\subsection{CREATING A NEW SECURITY CONTEXT} -\label{user/user_commands/ksu:creating-a-new-security-context} -ksu can be used to create a new security context for the target -program (either the target shell, or command specified via the \textbf{-e} -option). The target program inherits a set of credentials from the -source user. By default, this set includes all of the credentials in -the source cache plus any additional credentials obtained during -authentication. The source user is able to limit the credentials in -this set by using \textbf{-z} or \textbf{-Z} option. \textbf{-z} restricts the copy -of tickets from the source cache to the target cache to only the -tickets where client == the target principal name. The \textbf{-Z} option -provides the target user with a fresh target cache (no creds in the -cache). Note that for security reasons, when the source user is root -and target user is non-root, \textbf{-z} option is the default mode of -operation. - -While no authentication takes place if the source user is root or is -the same as the target user, additional tickets can still be obtained -for the target cache. If \textbf{-n} is specified and no credentials can -be copied to the target cache, the source user is prompted for a -Kerberos password (unless \textbf{-Z} specified or \textbf{GET\_TGT\_VIA\_PASSWD} -is undefined). If successful, a TGT is obtained from the Kerberos -server and stored in the target cache. Otherwise, if a password is -not provided (user hit return) ksu continues in a normal mode of -operation (the target cache will not contain the desired TGT). If the -wrong password is typed in, ksu fails. - -\begin{notice}{note}{Note:} -During authentication, only the tickets that could be -obtained without providing a password are cached in in the -source cache. -\end{notice} - - -\subsection{OPTIONS} -\label{user/user_commands/ksu:options}\begin{description} -\item[{\textbf{-n} \emph{target\_principal\_name}}] \leavevmode -Specify a Kerberos target principal name. Used in authentication -and authorization phases of ksu. - -If ksu is invoked without \textbf{-n}, a default principal name is -assigned via the following heuristic: -\begin{itemize} -\item {} -Case 1: source user is non-root. - -If the target user is the source user the default principal name -is set to the default principal of the source cache. If the -cache does not exist then the default principal name is set to -\code{target\_user@local\_realm}. If the source and target users are -different and neither \code{\textasciitilde{}target\_user/.k5users} nor -\code{\textasciitilde{}target\_user/.k5login} exist then the default principal name -is \code{target\_user\_login\_name@local\_realm}. Otherwise, starting -with the first principal listed below, ksu checks if the -principal is authorized to access the target account and whether -there is a legitimate ticket for that principal in the source -cache. If both conditions are met that principal becomes the -default target principal, otherwise go to the next principal. -\begin{enumerate} -\item {} -default principal of the source cache - -\item {} -target\_user@local\_realm - -\item {} -source\_user@local\_realm - -\end{enumerate} - -If a-c fails try any principal for which there is a ticket in -the source cache and that is authorized to access the target -account. If that fails select the first principal that is -authorized to access the target account from the above list. If -none are authorized and ksu is configured with -\textbf{PRINC\_LOOK\_AHEAD} turned on, select the default principal as -follows: - -For each candidate in the above list, select an authorized -principal that has the same realm name and first part of the -principal name equal to the prefix of the candidate. For -example if candidate a) is \code{jqpublic@ISI.EDU} and -\code{jqpublic/secure@ISI.EDU} is authorized to access the target -account then the default principal is set to -\code{jqpublic/secure@ISI.EDU}. - -\item {} -Case 2: source user is root. - -If the target user is non-root then the default principal name -is \code{target\_user@local\_realm}. Else, if the source cache -exists the default principal name is set to the default -principal of the source cache. If the source cache does not -exist, default principal name is set to \code{root\textbackslash{}@local\_realm}. - -\end{itemize} - -\end{description} - -\textbf{-c} \emph{source\_cache\_name} -\begin{quote} - -Specify source cache name (e.g., \code{-c FILE:/tmp/my\_cache}). If -\textbf{-c} option is not used then the name is obtained from -\textbf{KRB5CCNAME} environment variable. If \textbf{KRB5CCNAME} is not -defined the source cache name is set to \code{krb5cc\_\textless{}source uid\textgreater{}}. -The target cache name is automatically set to \code{krb5cc\_\textless{}target -uid\textgreater{}.(gen\_sym())}, where gen\_sym generates a new number such that -the resulting cache does not already exist. For example: - -\begin{Verbatim}[commandchars=\\\{\}] -krb5cc\PYGZus{}1984.2 -\end{Verbatim} -\end{quote} -\begin{description} -\item[{\textbf{-k}}] \leavevmode -Do not delete the target cache upon termination of the target -shell or a command (\textbf{-e} command). Without \textbf{-k}, ksu deletes -the target cache. - -\item[{\textbf{-z}}] \leavevmode -Restrict the copy of tickets from the source cache to the target -cache to only the tickets where client == the target principal -name. Use the \textbf{-n} option if you want the tickets for other then -the default principal. Note that the \textbf{-z} option is mutually -exclusive with the \textbf{-Z} option. - -\item[{\textbf{-Z}}] \leavevmode -Don't copy any tickets from the source cache to the target cache. -Just create a fresh target cache, where the default principal name -of the cache is initialized to the target principal name. Note -that the \textbf{-Z} option is mutually exclusive with the \textbf{-z} -option. - -\item[{\textbf{-q}}] \leavevmode -Suppress the printing of status messages. - -\end{description} - -Ticket granting ticket options: -\begin{description} -\item[{\textbf{-l} \emph{lifetime} \textbf{-r} \emph{time} \textbf{-pf}}] \leavevmode -The ticket granting ticket options only apply to the case where -there are no appropriate tickets in the cache to authenticate the -source user. In this case if ksu is configured to prompt users -for a Kerberos password (\textbf{GET\_TGT\_VIA\_PASSWD} is defined), the -ticket granting ticket options that are specified will be used -when getting a ticket granting ticket from the Kerberos server. - -\item[{\textbf{-l} \emph{lifetime}}] \leavevmode -(\emph{duration} string.) Specifies the lifetime to be requested -for the ticket; if this option is not specified, the default ticket -lifetime (12 hours) is used instead. - -\item[{\textbf{-r} \emph{time}}] \leavevmode -(\emph{duration} string.) Specifies that the \textbf{renewable} option -should be requested for the ticket, and specifies the desired -total lifetime of the ticket. - -\item[{\textbf{-p}}] \leavevmode -specifies that the \textbf{proxiable} option should be requested for -the ticket. - -\item[{\textbf{-f}}] \leavevmode -option specifies that the \textbf{forwardable} option should be -requested for the ticket. - -\item[{\textbf{-e} \emph{command} {[}\emph{args} ...{]}}] \leavevmode -ksu proceeds exactly the same as if it was invoked without the -\textbf{-e} option, except instead of executing the target shell, ksu -executes the specified command. Example of usage: - -\begin{Verbatim}[commandchars=\\\{\}] -ksu bob \PYGZhy{}e ls \PYGZhy{}lag -\end{Verbatim} - -The authorization algorithm for \textbf{-e} is as follows: - -If the source user is root or source user == target user, no -authorization takes place and the command is executed. If source -user id != 0, and \code{\textasciitilde{}target\_user/.k5users} file does not exist, -authorization fails. Otherwise, \code{\textasciitilde{}target\_user/.k5users} file -must have an appropriate entry for target principal to get -authorized. - -The .k5users file format: - -A single principal entry on each line that may be followed by a -list of commands that the principal is authorized to execute. A -principal name followed by a \code{*} means that the user is -authorized to execute any command. Thus, in the following -example: - -\begin{Verbatim}[commandchars=\\\{\}] -jqpublic@USC.EDU ls mail /local/kerberos/klist -jqpublic/secure@USC.EDU * -jqpublic/admin@USC.EDU -\end{Verbatim} - -\code{jqpublic@USC.EDU} is only authorized to execute \code{ls}, -\code{mail} and \code{klist} commands. \code{jqpublic/secure@USC.EDU} is -authorized to execute any command. \code{jqpublic/admin@USC.EDU} is -not authorized to execute any command. Note, that -\code{jqpublic/admin@USC.EDU} is authorized to execute the target -shell (regular ksu, without the \textbf{-e} option) but -\code{jqpublic@USC.EDU} is not. - -The commands listed after the principal name must be either a full -path names or just the program name. In the second case, -\textbf{CMD\_PATH} specifying the location of authorized programs must -be defined at the compilation time of ksu. Which command gets -executed? - -If the source user is root or the target user is the source user -or the user is authorized to execute any command (\code{*} entry) -then command can be either a full or a relative path leading to -the target program. Otherwise, the user must specify either a -full path or just the program name. - -\item[{\textbf{-a} \emph{args}}] \leavevmode -Specify arguments to be passed to the target shell. Note that all -flags and parameters following -a will be passed to the shell, -thus all options intended for ksu must precede \textbf{-a}. - -The \textbf{-a} option can be used to simulate the \textbf{-e} option if -used as follows: - -\begin{Verbatim}[commandchars=\\\{\}] -\PYGZhy{}a \PYGZhy{}c [command [arguments]]. -\end{Verbatim} - -\textbf{-c} is interpreted by the c-shell to execute the command. - -\end{description} - - -\subsection{INSTALLATION INSTRUCTIONS} -\label{user/user_commands/ksu:installation-instructions} -ksu can be compiled with the following four flags: -\begin{description} -\item[{\textbf{GET\_TGT\_VIA\_PASSWD}}] \leavevmode -In case no appropriate tickets are found in the source cache, the -user will be prompted for a Kerberos password. The password is -then used to get a ticket granting ticket from the Kerberos -server. The danger of configuring ksu with this macro is if the -source user is logged in remotely and does not have a secure -channel, the password may get exposed. - -\item[{\textbf{PRINC\_LOOK\_AHEAD}}] \leavevmode -During the resolution of the default principal name, -\textbf{PRINC\_LOOK\_AHEAD} enables ksu to find principal names in -the .k5users file as described in the OPTIONS section -(see \textbf{-n} option). - -\item[{\textbf{CMD\_PATH}}] \leavevmode -Specifies a list of directories containing programs that users are -authorized to execute (via .k5users file). - -\item[{\textbf{HAVE\_GETUSERSHELL}}] \leavevmode -If the source user is non-root, ksu insists that the target user's -shell to be invoked is a ``legal shell''. \emph{getusershell(3)} is -called to obtain the names of ``legal shells''. Note that the -target user's shell is obtained from the passwd file. - -\end{description} - -Sample configuration: - -\begin{Verbatim}[commandchars=\\\{\}] -KSU\PYGZus{}OPTS = \PYGZhy{}DGET\PYGZus{}TGT\PYGZus{}VIA\PYGZus{}PASSWD \PYGZhy{}DPRINC\PYGZus{}LOOK\PYGZus{}AHEAD \PYGZhy{}DCMD\PYGZus{}PATH=\PYGZsq{}\PYGZdq{}/bin /usr/ucb /local/bin\PYGZdq{} -\end{Verbatim} - -ksu should be owned by root and have the set user id bit turned on. - -ksu attempts to get a ticket for the end server just as Kerberized -telnet and rlogin. Thus, there must be an entry for the server in the -Kerberos database (e.g., \code{host/nii.isi.edu@ISI.EDU}). The keytab -file must be in an appropriate location. - - -\subsection{SIDE EFFECTS} -\label{user/user_commands/ksu:side-effects} -ksu deletes all expired tickets from the source cache. - - -\subsection{AUTHOR OF KSU} -\label{user/user_commands/ksu:author-of-ksu} -GENNADY (ARI) MEDVINSKY - - -\section{kswitch} -\label{user/user_commands/kswitch:kswitch-1}\label{user/user_commands/kswitch:kswitch}\label{user/user_commands/kswitch::doc} - -\subsection{SYNOPSIS} -\label{user/user_commands/kswitch:synopsis} -\textbf{kswitch} -\{\textbf{-c} \emph{cachename}\textbar{}\textbf{-p} \emph{principal}\} - - -\subsection{DESCRIPTION} -\label{user/user_commands/kswitch:description} -kswitch makes the specified credential cache the primary cache for the -collection, if a cache collection is available. - - -\subsection{OPTIONS} -\label{user/user_commands/kswitch:options}\begin{description} -\item[{\textbf{-c} \emph{cachename}}] \leavevmode -Directly specifies the credential cache to be made primary. - -\item[{\textbf{-p} \emph{principal}}] \leavevmode -Causes the cache collection to be searched for a cache containing -credentials for \emph{principal}. If one is found, that collection is -made primary. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kswitch:environment} -kswitch uses the following environment variables: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \emph{type}:\emph{residual}. If no \emph{type} prefix is present, the -\textbf{FILE} type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \textbf{DIR} causes caches within the directory -to be present in the collection. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kswitch:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of Kerberos 5 credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kswitch:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}}, {\hyperref[user/user_commands/klist:klist-1]{\emph{klist}}}), kerberos(1) - - -\section{kvno} -\label{user/user_commands/kvno:kvno-1}\label{user/user_commands/kvno::doc}\label{user/user_commands/kvno:kvno} - -\subsection{SYNOPSIS} -\label{user/user_commands/kvno:synopsis} -\textbf{kvno} -{[}\textbf{-c} \emph{ccache}{]} -{[}\textbf{-e} \emph{etype}{]} -{[}\textbf{-q}{]} -{[}\textbf{-h}{]} -{[}\textbf{-P}{]} -{[}\textbf{-S} \emph{sname}{]} -{[}\textbf{-U} \emph{for\_user}{]} -\emph{service1 service2} ... - - -\subsection{DESCRIPTION} -\label{user/user_commands/kvno:description} -kvno acquires a service ticket for the specified Kerberos principals -and prints out the key version numbers of each. - - -\subsection{OPTIONS} -\label{user/user_commands/kvno:options}\begin{description} -\item[{\textbf{-c} \emph{ccache}}] \leavevmode -Specifies the name of a credentials cache to use (if not the -default) - -\item[{\textbf{-e} \emph{etype}}] \leavevmode -Specifies the enctype which will be requested for the session key -of all the services named on the command line. This is useful in -certain backward compatibility situations. - -\item[{\textbf{-q}}] \leavevmode -Suppress printing output when successful. If a service ticket -cannot be obtained, an error message will still be printed and -kvno will exit with nonzero status. - -\item[{\textbf{-h}}] \leavevmode -Prints a usage statement and exits. - -\item[{\textbf{-P}}] \leavevmode -Specifies that the \emph{service1 service2} ... arguments are to be -treated as services for which credentials should be acquired using -constrained delegation. This option is only valid when used in -conjunction with protocol transition. - -\item[{\textbf{-S} \emph{sname}}] \leavevmode -Specifies that the \emph{service1 service2} ... arguments are -interpreted as hostnames, and the service principals are to be -constructed from those hostnames and the service name \emph{sname}. -The service hostnames will be canonicalized according to the usual -rules for constructing service principals. - -\item[{\textbf{-U} \emph{for\_user}}] \leavevmode -Specifies that protocol transition (S4U2Self) is to be used to -acquire a ticket on behalf of \emph{for\_user}. If constrained -delegation is not requested, the service name must match the -credentials cache client principal. - -\end{description} - - -\subsection{ENVIRONMENT} -\label{user/user_commands/kvno:environment} -kvno uses the following environment variable: -\begin{description} -\item[{\textbf{KRB5CCNAME}}] \leavevmode -Location of the credentials (ticket) cache. - -\end{description} - - -\subsection{FILES} -\label{user/user_commands/kvno:files}\begin{description} -\item[{\emph{DEFCCNAME}}] \leavevmode -Default location of the credentials cache - -\end{description} - - -\subsection{SEE ALSO} -\label{user/user_commands/kvno:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, {\hyperref[user/user_commands/kdestroy:kdestroy-1]{\emph{kdestroy}}} - - -\section{sclient} -\label{user/user_commands/sclient:sclient}\label{user/user_commands/sclient::doc}\label{user/user_commands/sclient:sclient-1} - -\subsection{SYNOPSIS} -\label{user/user_commands/sclient:synopsis} -\textbf{sclient} \emph{remotehost} - - -\subsection{DESCRIPTION} -\label{user/user_commands/sclient:description} -sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server \emph{sserver(8)} and -authenticates to it using Kerberos version 5 tickets, then displays -the server's response. - - -\subsection{SEE ALSO} -\label{user/user_commands/sclient:see-also} -{\hyperref[user/user_commands/kinit:kinit-1]{\emph{kinit}}}, \emph{sserver(8)} - - - -\renewcommand{\indexname}{Index} -\printindex -\end{document} diff --git a/doc/plugindev/certauth.rst b/doc/plugindev/certauth.rst new file mode 100644 index 0000000..8a7f7c5 --- /dev/null +++ b/doc/plugindev/certauth.rst @@ -0,0 +1,27 @@ +.. _certauth_plugin: + +PKINIT certificate authorization interface (certauth) +===================================================== + +The certauth interface was first introduced in release 1.16. It +allows customization of the X.509 certificate attribute requirements +placed on certificates used by PKINIT enabled clients. For a detailed +description of the certauth interface, see the header file +```` + +A certauth module implements the **authorize** method to determine +whether a client's certificate is authorized to authenticate a client +principal. **authorize** receives the DER-encoded certificate, the +requested client principal, and a pointer to the client's +krb5_db_entry (for modules that link against libkdb5). It returns the +authorization status and optionally outputs a list of authentication +indicator strings to be added to the ticket. A module must use its +own internal or library-provided ASN.1 certificate decoder. + +A module can optionally create and destroy module data with the +**init** and **fini** methods. Module data objects last for the +lifetime of the KDC process. + +If a module allocates and returns a list of authentication indicators +from **authorize**, it must also implement the **free_ind** method +to free the list. diff --git a/doc/plugindev/general.rst b/doc/plugindev/general.rst index dff6807..fba9bf6 100644 --- a/doc/plugindev/general.rst +++ b/doc/plugindev/general.rst @@ -94,5 +94,25 @@ fictional pluggable interface named fences, for a module named return 0; } -.. _automake: http://www.gnu.org/software/automake/ -.. _libtool: http://www.gnu.org/software/libtool/ +Logging from KDC and kadmind plugin modules +------------------------------------------- + +Plugin modules for the KDC or kadmind daemons can write to the +configured logging outputs (see :ref:`logging`) by calling the +**com_err** function. The first argument (*whoami*) is ignored. If +the second argument (*code*) is zero, the formatted message is logged +at informational severity; otherwise, the formatted message is logged +at error severity and includes the error message for the supplied +code. Here are examples:: + + com_err("", 0, "Client message contains %d items", nitems); + com_err("", retval, "while decoding client message"); + +(The behavior described above is new in release 1.17. In prior +releases, the *whoami* argument is included for some logging output +types, the logged message does not include the usual header for some +output types, and the severity for syslog outputs is configured as +part of the logging specification, defaulting to error severity.) + +.. _automake: https://www.gnu.org/software/automake/ +.. _libtool: https://www.gnu.org/software/libtool/ diff --git a/doc/plugindev/index.rst b/doc/plugindev/index.rst index 3fb9217..5e78346 100644 --- a/doc/plugindev/index.rst +++ b/doc/plugindev/index.rst @@ -25,11 +25,14 @@ Contents ccselect.rst pwqual.rst kadm5_hook.rst + kadm5_auth.rst hostrealm.rst localauth.rst locate.rst profile.rst gssapi.rst internal.rst + certauth.rst + kdcpolicy.rst .. TODO: GSSAPI mechanism plugins diff --git a/doc/plugindev/kadm5_auth.rst b/doc/plugindev/kadm5_auth.rst new file mode 100644 index 0000000..b483961 --- /dev/null +++ b/doc/plugindev/kadm5_auth.rst @@ -0,0 +1,35 @@ +.. _kadm5_auth_plugin: + +kadmin authorization interface (kadm5_auth) +=========================================== + +The kadm5_auth interface (new in release 1.16) allows modules to +determine whether a client principal is authorized to perform an +operation in the kadmin protocol, and to apply restrictions to +principal operations. For a detailed description of the kadm5_auth +interface, see the header file ````. + +A module can create and destroy per-process state objects by +implementing the **init** and **fini** methods. State objects have +the type kadm5_auth_modinfo, which is an abstract pointer type. A +module should typically cast this to an internal type for the state +object. + +The kadm5_auth interface has one method for each kadmin operation, +with parameters specific to the operation. Each method can return +either 0 to authorize access, KRB5_PLUGIN_NO_HANDLE to defer the +decision to other modules, or another error (canonically EPERM) to +authoritatively deny access. Access is granted if at least one module +grants access and no module authoritatively denies access. + +The **addprinc** and **modprinc** methods can also impose restrictions +on the principal operation by returning a ``struct +kadm5_auth_restrictions`` object. The module should also implement +the **free_restrictions** method if it dynamically allocates +restrictions objects for principal operations. + +kadm5_auth modules can optionally inspect principal or policy objects. +To do this, the module must also include ```` to gain +access to the structure definitions for those objects. As the kadmin +interface is explicitly not as stable as other public interfaces, +modules which do this may not retain compatibility across releases. diff --git a/doc/plugindev/kdcpolicy.rst b/doc/plugindev/kdcpolicy.rst new file mode 100644 index 0000000..74f21f0 --- /dev/null +++ b/doc/plugindev/kdcpolicy.rst @@ -0,0 +1,24 @@ +.. _kdcpolicy_plugin: + +KDC policy interface (kdcpolicy) +================================ + +The kdcpolicy interface was first introduced in release 1.16. It +allows modules to veto otherwise valid AS and TGS requests or restrict +the lifetime and renew time of the resulting ticket. For a detailed +description of the kdcpolicy interface, see the header file +````. + +The optional **check_as** and **check_tgs** functions allow the module +to perform access control. Additionally, a module can create and +destroy module data with the **init** and **fini** methods. Module +data objects last for the lifetime of the KDC process, and are +provided to all other methods. The data has the type +krb5_kdcpolicy_moddata, which should be cast to the appropriate +internal type. + +kdcpolicy modules can optionally inspect principal entries. To do +this, the module must also include ```` to gain access to the +principal entry structure definition. As the KDB interface is +explicitly not as stable as other public interfaces, modules which do +this may not retain compatibility across releases. diff --git a/doc/resources.rst b/doc/resources.rst index 5bead12..9d25f2c 100644 --- a/doc/resources.rst +++ b/doc/resources.rst @@ -7,10 +7,10 @@ Mailing lists * kerberos@mit.edu is a community resource for discussion and questions about MIT krb5 and other Kerberos implementations. To subscribe to the list, please follow the instructions at - http://mailman.mit.edu/mailman/listinfo/kerberos. + https://mailman.mit.edu/mailman/listinfo/kerberos. * krbdev@mit.edu is the primary list for developers of MIT Kerberos. To subscribe to the list, please follow the instructions at - http://mailman.mit.edu/mailman/listinfo/krbdev. + https://mailman.mit.edu/mailman/listinfo/krbdev. * krb5-bugs@mit.edu is notified when a ticket is created or updated. This list helps track bugs and feature requests. In addition, this list is used to track documentation criticism @@ -31,23 +31,23 @@ resource for general Kerberos discussion and support. The main IRC channel for MIT Kerberos development is `#krbdev` on freenode. -For more information about freenode, see http://freenode.net/. +For more information about freenode, see https://freenode.net/. Archives -------- -* The archive http://mailman.mit.edu/pipermail/kerberos/ contains past - postings from the `kerberos@mit.edu` list. +* The archive https://mailman.mit.edu/pipermail/kerberos/ contains + past postings from the `kerberos@mit.edu` list. -* The http://mailman.mit.edu/pipermail/krbdev/ contains past - postings from the `krbdev@mit.edu` list. +* The https://mailman.mit.edu/pipermail/krbdev/ contains past postings + from the `krbdev@mit.edu` list. Wiki ---- -The wiki at http://k5wiki.kerberos.org/ contains useful information +The wiki at https://k5wiki.kerberos.org/ contains useful information for developers working on the MIT Kerberos source code. Some of the information on the wiki may be useful for advanced users or system administrators. @@ -55,6 +55,6 @@ administrators. Web pages --------- -* http://web.mit.edu/kerberos/ is the MIT Kerberos software web page. +* https://web.mit.edu/kerberos/ is the MIT Kerberos software web page. -* http://kerberos.org/ is the MIT Kerberos Consortium web page. +* https://kerberos.org/ is the MIT Kerberos Consortium web page. diff --git a/doc/user/user_commands/kdestroy.rst b/doc/user/user_commands/kdestroy.rst index b8c67ab..becfcef 100644 --- a/doc/user/user_commands/kdestroy.rst +++ b/doc/user/user_commands/kdestroy.rst @@ -26,7 +26,8 @@ OPTIONS **-A** Destroys all caches in the collection, if a cache collection is - available. + available. May be used with the **-c** option to specify the + collection to be destroyed. **-q** Run quietly. Normally kdestroy beeps if it fails to destroy the @@ -41,6 +42,11 @@ OPTIONS **KRB5CCNAME** environment variable is set, its value is used to name the default ticket cache. +**-p** *princ_name* + If a cache collection is available, destroy the cache for + *princ_name* instead of the primary cache. May be used with the + **-c** option to specify the collection to be searched. + NOTE ---- @@ -53,15 +59,8 @@ when you log out. ENVIRONMENT ----------- -kdestroy uses the following environment variable: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. FILES @@ -74,4 +73,4 @@ FILES SEE ALSO -------- -:ref:`kinit(1)`, :ref:`klist(1)` +:ref:`kinit(1)`, :ref:`klist(1)`, :ref:`kerberos(7)` diff --git a/doc/user/user_commands/kinit.rst b/doc/user/user_commands/kinit.rst index 3f9d534..d692e27 100644 --- a/doc/user/user_commands/kinit.rst +++ b/doc/user/user_commands/kinit.rst @@ -197,19 +197,14 @@ OPTIONS specify use of RSA, rather than the default Diffie-Hellman protocol + **disable_freshness**\ [**=yes**] + disable sending freshness tokens (for testing purposes only) ENVIRONMENT ----------- -kinit uses the following environment variables: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials cache, in the form - *type*:*residual*. If no *type* prefix is present, the **FILE** - type is assumed. The type of the default cache may determine the - availability of a cache collection; for instance, a default cache - of type **DIR** causes caches within the directory to be present - in the collection. +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. FILES @@ -225,4 +220,4 @@ FILES SEE ALSO -------- -:ref:`klist(1)`, :ref:`kdestroy(1)`, kerberos(1) +:ref:`klist(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/doc/user/user_commands/klist.rst b/doc/user/user_commands/klist.rst index c24c741..88e4578 100644 --- a/doc/user/user_commands/klist.rst +++ b/doc/user/user_commands/klist.rst @@ -105,15 +105,8 @@ value is used to locate the default ticket cache. ENVIRONMENT ----------- -klist uses the following environment variable: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. FILES @@ -129,4 +122,4 @@ FILES SEE ALSO -------- -:ref:`kinit(1)`, :ref:`kdestroy(1)` +:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/doc/user/user_commands/kpasswd.rst b/doc/user/user_commands/kpasswd.rst index 1b64632..0583bbd 100644 --- a/doc/user/user_commands/kpasswd.rst +++ b/doc/user/user_commands/kpasswd.rst @@ -33,7 +33,14 @@ OPTIONS identity of the user invoking the kpasswd command. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + SEE ALSO -------- -:ref:`kadmin(1)`, :ref:`kadmind(8)` +:ref:`kadmin(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)` diff --git a/doc/user/user_commands/krb5-config.rst b/doc/user/user_commands/krb5-config.rst index ee0fcea..2c09141 100644 --- a/doc/user/user_commands/krb5-config.rst +++ b/doc/user/user_commands/krb5-config.rst @@ -80,4 +80,4 @@ the following output:: SEE ALSO -------- -kerberos(1), cc(1) +:ref:`kerberos(7)`, cc(1) diff --git a/doc/user/user_commands/ksu.rst b/doc/user/user_commands/ksu.rst index b2f9121..29487a8 100644 --- a/doc/user/user_commands/ksu.rst +++ b/doc/user/user_commands/ksu.rst @@ -385,3 +385,16 @@ AUTHOR OF KSU ------------- GENNADY (ARI) MEDVINSKY + + +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + + +SEE ALSO +-------- + +:ref:`kerberos(7)`, :ref:`kinit(1)` diff --git a/doc/user/user_commands/kswitch.rst b/doc/user/user_commands/kswitch.rst index 56e5915..010332e 100644 --- a/doc/user/user_commands/kswitch.rst +++ b/doc/user/user_commands/kswitch.rst @@ -32,15 +32,8 @@ OPTIONS ENVIRONMENT ----------- -kswitch uses the following environment variables: - -**KRB5CCNAME** - Location of the default Kerberos 5 credentials (ticket) cache, in - the form *type*:*residual*. If no *type* prefix is present, the - **FILE** type is assumed. The type of the default cache may - determine the availability of a cache collection; for instance, a - default cache of type **DIR** causes caches within the directory - to be present in the collection. +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. FILES @@ -53,4 +46,5 @@ FILES SEE ALSO -------- -:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`), kerberos(1) +:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`klist(1)`, +:ref:`kerberos(7)` diff --git a/doc/user/user_commands/kvno.rst b/doc/user/user_commands/kvno.rst index 31ca244..88607df 100644 --- a/doc/user/user_commands/kvno.rst +++ b/doc/user/user_commands/kvno.rst @@ -14,6 +14,7 @@ SYNOPSIS [**-P**] [**-S** *sname*] [**-U** *for_user*] +[**--u2u** *ccache*] *service1 service2* ... @@ -63,14 +64,17 @@ OPTIONS delegation is not requested, the service name must match the credentials cache client principal. +**--u2u** *ccache* + Requests a user-to-user ticket. *ccache* must contain a local + krbtgt ticket for the server principal. The reported version + number will typically be 0, as the resulting ticket is not + encrypted in the server's long-term key. ENVIRONMENT ----------- -kvno uses the following environment variable: - -**KRB5CCNAME** - Location of the credentials (ticket) cache. +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. FILES @@ -83,4 +87,4 @@ FILES SEE ALSO -------- -:ref:`kinit(1)`, :ref:`kdestroy(1)` +:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)` diff --git a/doc/user/user_commands/sclient.rst b/doc/user/user_commands/sclient.rst index ebf7972..1e3d38f 100644 --- a/doc/user/user_commands/sclient.rst +++ b/doc/user/user_commands/sclient.rst @@ -17,8 +17,14 @@ purposes. It contacts a sample server :ref:`sserver(8)` and authenticates to it using Kerberos version 5 tickets, then displays the server's response. +ENVIRONMENT +----------- + +See :ref:`kerberos(7)` for a description of Kerberos environment +variables. + SEE ALSO -------- -:ref:`kinit(1)`, :ref:`sserver(8)` +:ref:`kinit(1)`, :ref:`sserver(8)`, :ref:`kerberos(7)` diff --git a/doc/user/user_config/index.rst b/doc/user/user_config/index.rst index 6b3d439..ad0dc1a 100644 --- a/doc/user/user_config/index.rst +++ b/doc/user/user_config/index.rst @@ -8,5 +8,6 @@ been disabled by your host's configuration): .. toctree:: :maxdepth: 1 + kerberos.rst k5login.rst k5identity.rst diff --git a/doc/user/user_config/kerberos.rst b/doc/user/user_config/kerberos.rst new file mode 100644 index 0000000..56412f0 --- /dev/null +++ b/doc/user/user_config/kerberos.rst @@ -0,0 +1,170 @@ +.. _kerberos(7): + +kerberos +======== + +DESCRIPTION +----------- + +The Kerberos system authenticates individual users in a network +environment. After authenticating yourself to Kerberos, you can use +Kerberos-enabled programs without having to present passwords or +certificates to those programs. + +If you receive the following response from :ref:`kinit(1)`: + +kinit: Client not found in Kerberos database while getting initial +credentials + +you haven't been registered as a Kerberos user. See your system +administrator. + +A Kerberos name usually contains three parts. The first is the +**primary**, which is usually a user's or service's name. The second +is the **instance**, which in the case of a user is usually null. +Some users may have privileged instances, however, such as ``root`` or +``admin``. In the case of a service, the instance is the fully +qualified name of the machine on which it runs; i.e. there can be an +ssh service running on the machine ABC (ssh/ABC@REALM), which is +different from the ssh service running on the machine XYZ +(ssh/XYZ@REALM). The third part of a Kerberos name is the **realm**. +The realm corresponds to the Kerberos service providing authentication +for the principal. Realms are conventionally all-uppercase, and often +match the end of hostnames in the realm (for instance, host01.example.com +might be in realm EXAMPLE.COM). + +When writing a Kerberos name, the principal name is separated from the +instance (if not null) by a slash, and the realm (if not the local +realm) follows, preceded by an "@" sign. The following are examples +of valid Kerberos names:: + + david + jennifer/admin + joeuser@BLEEP.COM + cbrown/root@FUBAR.ORG + +When you authenticate yourself with Kerberos you get an initial +Kerberos **ticket**. (A Kerberos ticket is an encrypted protocol +message that provides authentication.) Kerberos uses this ticket for +network utilities such as ssh. The ticket transactions are done +transparently, so you don't have to worry about their management. + +Note, however, that tickets expire. Administrators may configure more +privileged tickets, such as those with service or instance of ``root`` +or ``admin``, to expire in a few minutes, while tickets that carry +more ordinary privileges may be good for several hours or a day. If +your login session extends beyond the time limit, you will have to +re-authenticate yourself to Kerberos to get new tickets using the +:ref:`kinit(1)` command. + +Some tickets are **renewable** beyond their initial lifetime. This +means that ``kinit -R`` can extend their lifetime without requiring +you to re-authenticate. + +If you wish to delete your local tickets, use the :ref:`kdestroy(1)` +command. + +Kerberos tickets can be forwarded. In order to forward tickets, you +must request **forwardable** tickets when you kinit. Once you have +forwardable tickets, most Kerberos programs have a command line option +to forward them to the remote host. This can be useful for, e.g., +running kinit on your local machine and then sshing into another to do +work. Note that this should not be done on untrusted machines since +they will then have your tickets. + +ENVIRONMENT VARIABLES +--------------------- + +Several environment variables affect the operation of Kerberos-enabled +programs. These include: + +**KRB5CCNAME** + Default name for the credentials cache file, in the form + *TYPE*:*residual*. The type of the default cache may determine + the availability of a cache collection. ``FILE`` is not a + collection type; ``KEYRING``, ``DIR``, and ``KCM`` are. + + If not set, the value of **default_ccache_name** from + configuration files (see **KRB5_CONFIG**) will be used. If that + is also not set, the default *type* is ``FILE``, and the + *residual* is the path /tmp/krb5cc_*uid*, where *uid* is the + decimal user ID of the user. + +**KRB5_KTNAME** + Specifies the location of the default keytab file, in the form + *TYPE*:*residual*. If no *type* is present, the **FILE** type is + assumed and *residual* is the pathname of the keytab file. If + unset, |keytab| will be used. + +**KRB5_CONFIG** + Specifies the location of the Kerberos configuration file. The + default is |sysconfdir|\ ``/krb5.conf``. Multiple filenames can + be specified, separated by a colon; all files which are present + will be read. + +**KRB5_KDC_PROFILE** + Specifies the location of the KDC configuration file, which + contains additional configuration directives for the Key + Distribution Center daemon and associated programs. The default + is |kdcdir|\ ``/kdc.conf``. + +**KRB5RCACHETYPE** + Specifies the default type of replay cache to use for servers. + Valid types include ``dfl`` for the normal file type and ``none`` + for no replay cache. The default is ``dfl``. + +**KRB5RCACHEDIR** + Specifies the default directory for replay caches used by servers. + The default is the value of the **TMPDIR** environment variable, + or ``/var/tmp`` if **TMPDIR** is not set. + +**KRB5_TRACE** + Specifies a filename to write trace log output to. Trace logs can + help illuminate decisions made internally by the Kerberos + libraries. For example, ``env KRB5_TRACE=/dev/stderr kinit`` + would send tracing information for :ref:`kinit(1)` to + ``/dev/stderr``. The default is not to write trace log output + anywhere. + +**KRB5_CLIENT_KTNAME** + Default client keytab file name. If unset, |ckeytab| will be + used). + +**KPROP_PORT** + :ref:`kprop(8)` port to use. Defaults to 754. + +Most environment variables are disabled for certain programs, such as +login system programs and setuid programs, which are designed to be +secure when run within an untrusted process environment. + +SEE ALSO +-------- + +:ref:`kdestroy(1)`, :ref:`kinit(1)`, :ref:`klist(1)`, +:ref:`kswitch(1)`, :ref:`kpasswd(1)`, :ref:`ksu(1)`, +:ref:`krb5.conf(5)`, :ref:`kdc.conf(5)`, :ref:`kadmin(1)`, +:ref:`kadmind(8)`, :ref:`kdb5_util(8)`, :ref:`krb5kdc(8)` + +BUGS +---- + +AUTHORS +------- + +| Steve Miller, MIT Project Athena/Digital Equipment Corporation +| Clifford Neuman, MIT Project Athena +| Greg Hudson, MIT Kerberos Consortium +| Robbie Harwood, Red Hat, Inc. + +HISTORY +------- + +The MIT Kerberos 5 implementation was developed at MIT, with +contributions from many outside parties. It is currently maintained +by the MIT Kerberos Consortium. + +RESTRICTIONS +------------ + +Copyright 1985, 1986, 1989-1996, 2002, 2011, 2018 Masachusetts +Institute of Technology diff --git a/src/Makefile.in b/src/Makefile.in index 2ebf2fb..91a5f4b 100644 --- a/src/Makefile.in +++ b/src/Makefile.in @@ -12,21 +12,26 @@ SUBDIRS=util include lib \ plugins/audit/test \ @audit_plugin@ \ plugins/kadm5_hook/test \ + plugins/kadm5_auth/test \ plugins/hostrealm/test \ plugins/localauth/test \ plugins/pwqual/test \ plugins/authdata/greet_server \ plugins/authdata/greet_client \ + plugins/certauth/test \ plugins/kdb/db2 \ @ldap_plugin_dir@ \ + @lmdb_plugin_dir@ \ plugins/kdb/test \ + plugins/kdcpolicy/test \ plugins/preauth/otp \ plugins/preauth/pkinit \ + plugins/preauth/spake \ plugins/preauth/test \ plugins/tls/k5tls \ - kdc kadmin slave clients appl tests \ + kdc kadmin kprop clients appl tests \ config-files build-tools man doc @po@ -WINSUBDIRS=include util lib ccapi windows clients appl +WINSUBDIRS=include util lib ccapi windows clients appl plugins\preauth\spake BUILDTOP=$(REL). SRCS = @@ -58,9 +63,9 @@ world: INSTALLMKDIRS = $(KRB5ROOT) $(KRB5MANROOT) $(KRB5OTHERMKDIRS) \ $(ADMIN_BINDIR) $(SERVER_BINDIR) $(CLIENT_BINDIR) \ $(ADMIN_MANDIR) $(SERVER_MANDIR) $(CLIENT_MANDIR) \ - $(FILE_MANDIR) \ + $(FILE_MANDIR) $(OVERVIEW_MANDIR) \ $(ADMIN_CATDIR) $(SERVER_CATDIR) $(CLIENT_CATDIR) \ - $(FILE_CATDIR) \ + $(FILE_CATDIR) $(OVERVIEW_CATDIR) \ $(KRB5_LIBDIR) $(KRB5_INCDIR) \ $(KRB5_DB_MODULE_DIR) $(KRB5_PA_MODULE_DIR) \ $(KRB5_AD_MODULE_DIR) \ @@ -145,12 +150,10 @@ WINMAKEFILES=Makefile \ util\et\Makefile util\profile\Makefile util\profile\testmod\Makefile \ util\support\Makefile \ util\windows\Makefile \ - util\wshelper\Makefile \ - windows\Makefile windows\lib\Makefile \ - windows\cns\Makefile windows\ms2mit\Makefile \ - windows\wintel\Makefile windows\kfwlogon\Makefile \ - windows\leashdll\Makefile windows\leash\Makefile \ - windows\leash\htmlhelp\Makefile + windows\Makefile windows\lib\Makefile windows\ms2mit\Makefile \ + windows\kfwlogon\Makefile windows\leashdll\Makefile \ + windows\leash\Makefile windows\leash\htmlhelp\Makefile \ + plugins\preauth\spake\Makefile ##DOS##Makefile-windows: $(MKFDEP) $(WINMAKEFILES) @@ -260,18 +263,12 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##util\windows\Makefile: util\windows\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##util\wshelper\Makefile: util\wshelper\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\Makefile: windows\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\lib\Makefile: windows\lib\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##windows\cns\Makefile: windows\cns\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\ms2mit\Makefile: windows\ms2mit\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ -##DOS##windows\wintel\Makefile: windows\wintel\Makefile.in $(MKFDEP) -##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\kfwlogon\Makefile: windows\kfwlogon\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\leashdll\Makefile: windows\leashdll\Makefile.in $(MKFDEP) @@ -280,6 +277,8 @@ WINMAKEFILES=Makefile \ ##DOS## $(WCONFIG) config < $@.in > $@ ##DOS##windows\leash\htmlhelp\Makefile: windows\leash\htmlhelp\Makefile.in $(MKFDEP) ##DOS## $(WCONFIG) config < $@.in > $@ +##DOS##plugins\preauth\spake\Makefile: plugins\preauth\spake\Makefile.in $(MKFDEP) +##DOS## $(WCONFIG) config < $@.in > $@ clean-windows:: Makefile-windows @@ -431,6 +430,8 @@ install-windows: @if not exist "$(KRB_INSTALL_DIR)\include\gssapi\$(NULL)" @mkdir "$(KRB_INSTALL_DIR)\include\gssapi" @if not exist "$(KRB_INSTALL_DIR)\lib\$(NULL)" @mkdir "$(KRB_INSTALL_DIR)\lib" @if not exist "$(KRB_INSTALL_DIR)\bin\$(NULL)" @mkdir "$(KRB_INSTALL_DIR)\bin" + @if not exist "$(KRB_INSTALL_DIR)\bin\plugins\$(NULL)" @mkdir "$(KRB_INSTALL_DIR)\bin\plugins" + @if not exist "$(KRB_INSTALL_DIR)\bin\plugins\preauth\$(NULL)" @mkdir "$(KRB_INSTALL_DIR)\bin\plugins\preauth" copy include\krb5.h "$(KRB_INSTALL_DIR)\include\." copy include\krb5\krb5.h "$(KRB_INSTALL_DIR)\include\krb5\." copy include\win-mac.h "$(KRB_INSTALL_DIR)\include\." @@ -443,8 +444,6 @@ install-windows: copy lib\$(OUTPRE)*.lib "$(KRB_INSTALL_DIR)\lib\." copy lib\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) lib\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\." - copy windows\cns\$(OUTPRE)krb5.exe "$(KRB_INSTALL_DIR)\bin\." - $(INSTALLDBGSYMS) windows\cns\$(OUTPRE)krb5.pdb "$(KRB_INSTALL_DIR)\bin\." copy appl\gss-sample\$(OUTPRE)gss-server.exe "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) appl\gss-sample\$(OUTPRE)gss-server.pdb "$(KRB_INSTALL_DIR)\bin\." copy appl\gss-sample\$(OUTPRE)gss-client.exe "$(KRB_INSTALL_DIR)\bin\." @@ -464,9 +463,6 @@ install-windows: copy windows\kfwlogon\$(OUTPRE)*.exe "$(KRB_INSTALL_DIR)\bin\." copy windows\kfwlogon\$(OUTPRE)*.dll "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) windows\kfwlogon\$(OUTPRE)*.pdb "$(KRB_INSTALL_DIR)\bin\." - copy util\wshelper\$(OUTPRE)$(DLIB).lib "$(KRB_INSTALL_DIR)\lib\." - copy util\wshelper\$(OUTPRE)$(DLIB).dll "$(KRB_INSTALL_DIR)\bin\." - $(INSTALLDBGSYMS) util\wshelper\$(OUTPRE)$(DLIB).pdb "$(KRB_INSTALL_DIR)\bin\." copy ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).dll "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) ccapi\lib\win\srctmp\$(OUTPRE)$(CCLIB).pdb "$(KRB_INSTALL_DIR)\bin\." copy ccapi\lib\win\srctmp\$(CCLIB).lib "$(KRB_INSTALL_DIR)\lib\." @@ -488,12 +484,14 @@ install-windows: $(INSTALLDBGSYMS) clients\kdeltkt\$(OUTPRE)kdeltkt.pdb "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) clients\kpasswd\$(OUTPRE)kpasswd.pdb "$(KRB_INSTALL_DIR)\bin\." $(INSTALLDBGSYMS) clients\kswitch\$(OUTPRE)kswitch.pdb "$(KRB_INSTALL_DIR)\bin\." + copy plugins\preauth\spake\$(OUTPRE)$(SPAKELIB).dll "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." + $(INSTALLDBGSYMS) plugins\preauth\spake\$(OUTPRE)$(SPAKELIB).pdb "$(KRB_INSTALL_DIR)\bin\plugins\preauth\." check-prerecurse: runenv.py $(RM) $(SKIPTESTS) touch $(SKIPTESTS) -check-unix: +check-unix: check-lmdb-$(HAVE_LMDB) cat $(SKIPTESTS) check-pytests-no: check-postrecurse @@ -501,9 +499,13 @@ check-pytests-no: check-postrecurse $(SKIPTESTS) check-cmocka-no: check-postrecurse - @echo 'Skipped cmocka tests due to missing library or header file' >> \ + @echo 'Skipped cmocka tests: cmocka library or header not found' >> \ $(SKIPTESTS) +check-lmdb-yes: +check-lmdb-no: + @echo 'Skipped LMDB tests: LMDB KDB module not built' >> $(SKIPTESTS) + # Create a test realm and spawn a shell in an environment pointing to it. # If CROSSNUM is set, create that many fully connected test realms and # point the shell at the first one. @@ -520,6 +522,9 @@ pyrunenv.vals: Makefile done > $@ echo "tls_impl = '$(TLS_IMPL)'" >> $@ echo "have_sasl = '$(HAVE_SASL)'" >> $@ + echo "have_spake_openssl = '$(HAVE_SPAKE_OPENSSL)'" >> $@ + echo "have_lmdb = '$(HAVE_LMDB)'" >> $@ + echo "sizeof_time_t = $(SIZEOF_TIME_T)" >> $@ runenv.py: pyrunenv.vals echo 'env = {}' > $@ @@ -527,6 +532,7 @@ runenv.py: pyrunenv.vals clean-unix:: $(RM) runenv.py runenv.pyc pyrunenv.vals + $(RM) -r __pycache__ COV_BUILD= cov-build COV_ANALYZE= cov-analyze @@ -577,12 +583,11 @@ INDENTDIRS = \ lib/krb5 \ plugins \ prototype \ - slave \ + kprop \ tests \ util BSDFILES = \ - kadmin/cli/strftime.c \ kadmin/server/ipropd_svc.c \ kadmin/server/kadm_rpc_svc.c \ lib/apputils/daemon.c \ @@ -591,9 +596,8 @@ BSDFILES = \ lib/kadm5/kadm_rpc.h \ lib/kadm5/kadm_rpc_xdr.c \ lib/kadm5/srv/adb_xdr.c \ - lib/krb5/krb/strftime.c \ lib/krb5/krb/strptime.c \ - slave/kpropd_rpc.c \ + kprop/kpropd_rpc.c \ util/support/getopt.c \ util/support/getopt_long.c \ util/support/mkstemp.c \ @@ -617,8 +621,6 @@ OTHEREXCLUDES = \ lib/krb5/unicode \ plugins/kdb/db2/libdb2 \ plugins/kdb/db2/pol_xdr.c \ - plugins/kdb/ldap/libkdb_ldap/princ_xdr.c \ - plugins/kdb/ldap/libkdb_ldap/princ_xdr.h \ plugins/preauth/pkinit/pkcs11.h \ plugins/preauth/pkinit/pkinit_accessor.h \ plugins/preauth/pkinit/pkinit_crypto.h \ @@ -636,8 +638,7 @@ OTHEREXCLUDES = \ util/profile/profile_tcl.c \ util/support/fnmatch.c \ util/verto \ - util/k5ev \ - util/wshelper + util/k5ev EXCLUDES = `for i in $(BSDFILES) $(OTHEREXCLUDES); do echo $$i; done | $(AWK) '{ print "-path", $$1, "-o" }'` -path /dev/null diff --git a/src/aclocal.m4 b/src/aclocal.m4 index 9c46da4..3752d9b 100644 --- a/src/aclocal.m4 +++ b/src/aclocal.m4 @@ -169,7 +169,7 @@ if test "$enable_thread_support" = yes ; then fi dnl Maybe this should be inside the conditional above? Doesn't cache.... if test "$enable_thread_support" = yes; then - ACX_PTHREAD(,[AC_MSG_ERROR([cannot determine options for enabling thread support; try --disable-thread-support])]) + AX_PTHREAD(,[AC_MSG_ERROR([cannot determine options for enabling thread support; try --disable-thread-support])]) AC_MSG_NOTICE(PTHREAD_CC = $PTHREAD_CC) AC_MSG_NOTICE(PTHREAD_CFLAGS = $PTHREAD_CFLAGS) AC_MSG_NOTICE(PTHREAD_LIBS = $PTHREAD_LIBS) @@ -450,13 +450,13 @@ krb5_ac_warn_cflags_set=${WARN_CFLAGS+set} krb5_ac_warn_cxxflags_set=${WARN_CXXFLAGS+set} ]) dnl -AC_DEFUN(TRY_WARN_CC_FLAG,[dnl +AC_DEFUN(TRY_WARN_CC_FLAG_1,[dnl cachevar=`echo "krb5_cv_cc_flag_$1" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[[^a-zA-Z0-9_]]/_/g` AC_CACHE_CHECK([if C compiler supports $1], [$cachevar], [# first try without, then with AC_TRY_COMPILE([], 1;, [old_cflags="$CFLAGS" - CFLAGS="$CFLAGS $1" + CFLAGS="$CFLAGS $cflags_warning_test_flags $1" AC_TRY_COMPILE([], 1;, eval $cachevar=yes, eval $cachevar=no) CFLAGS="$old_cflags"], [AC_MSG_ERROR(compiling simple test program with $CFLAGS failed)])]) @@ -466,6 +466,21 @@ AC_DEFUN(TRY_WARN_CC_FLAG,[dnl eval flag_supported='${'$cachevar'}' ])dnl dnl +dnl Are additional flags needed to make unsupported warning options +dnl get reported as errors? +AC_DEFUN(CHECK_CC_WARNING_TEST_FLAGS,[dnl + cflags_warning_test_flags= + TRY_WARN_CC_FLAG_1(-Werror=unknown-warning-option) + if test $flag_supported = yes; then + cflags_warning_test_flags=-Werror=unknown-warning-option + fi +])dnl +dnl +AC_DEFUN(TRY_WARN_CC_FLAG,[dnl +AC_REQUIRE([CHECK_CC_WARNING_TEST_FLAGS])dnl +TRY_WARN_CC_FLAG_1($1)dnl +])dnl +dnl AC_DEFUN(WITH_CC,[dnl AC_REQUIRE([KRB5_AC_CHECK_FOR_CFLAGS])dnl AC_REQUIRE([AC_PROG_CC])dnl @@ -528,7 +543,7 @@ if test "$GCC" = yes ; then TRY_WARN_CC_FLAG(-Wno-format-zero-length) # Other flags here may not be supported on some versions of # gcc that people want to use. - for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do + for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized no-maybe-uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers error=implicit-int ; do TRY_WARN_CC_FLAG(-W$flag) done # old-style-definition? generates many, many warnings @@ -615,8 +630,16 @@ else # works, but it also means that declaration-in-code warnings won't # be issued. # -v -fd -errwarn=E_DECLARATION_IN_CODE ... - WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED" - WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64" + if test "x$krb5_ac_warn_cflags_set" = xset ; then + AC_MSG_NOTICE(not adding extra warning flags because WARN_CFLAGS was set) + else + WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED" + fi + if test "x$krb5_ac_warn_cxxflags_set" = xset ; then + AC_MSG_NOTICE(not adding extra warning flags because WARN_CXXFLAGS was set) + else + WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64" + fi fi fi AC_SUBST(WARN_CFLAGS) @@ -1352,7 +1375,6 @@ dnl ============================================================= dnl Internal function for testing for getpeername prototype dnl AC_DEFUN([KRB5_GETPEERNAME_ARGS],[ -AC_DEFINE([GETPEERNAME_ARG2_TYPE],GETSOCKNAME_ARG2_TYPE,[Type of getpeername second argument.]) AC_DEFINE([GETPEERNAME_ARG3_TYPE],GETSOCKNAME_ARG3_TYPE,[Type of getpeername second argument.]) ]) dnl @@ -1397,7 +1419,6 @@ if test "$sock_set" = no; then fi res1=`echo "$res1" | tr -d '*' | sed -e 's/ *$//'` res2=`echo "$res2" | tr -d '*' | sed -e 's/ *$//'` -AC_DEFINE_UNQUOTED([GETSOCKNAME_ARG2_TYPE],$res1,[Type of pointer target for argument 2 to getsockname]) AC_DEFINE_UNQUOTED([GETSOCKNAME_ARG3_TYPE],$res2,[Type of pointer target for argument 3 to getsockname]) ]) dnl @@ -1634,8 +1655,9 @@ if test $krb5_cv_pragma_weak_ref = yes ; then fi]) dnl dnl -m4_include(config/ac-archive/acx_pthread.m4) -m4_include(config/ac-archive/relpaths.m4) +m4_include(config/ac-archive/ax_pthread.m4) +m4_include(config/ac-archive/ax_recursive_eval.m4) +m4_include(config/pkg.m4) dnl dnl dnl diff --git a/src/appl/gss-sample/Makefile.in b/src/appl/gss-sample/Makefile.in index 28e59f9..35d808d 100644 --- a/src/appl/gss-sample/Makefile.in +++ b/src/appl/gss-sample/Makefile.in @@ -32,11 +32,11 @@ gss-client: gss-client.o gss-misc.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o gss-client gss-client.o gss-misc.o $(GSS_LIBS) $(KRB5_BASE_LIBS) ##WIN32##$(GSSSERVER): $(OUTPRE)gss-server.obj $(OUTPRE)gss-misc.obj $(GLIB) $(KLIB) $(SERVERRES) -##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(SCLIB) +##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib ##WIN32## $(_VC_MANIFEST_EMBED_EXE) ##WIN32##$(GSSCLIENT): $(OUTPRE)gss-client.obj $(OUTPRE)gss-misc.obj $(GLIB) $(KLIB) $(CLIENTRES) -##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(SCLIB) +##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib ##WIN32## $(_VC_MANIFEST_EMBED_EXE) clean-unix:: diff --git a/src/appl/gss-sample/gss-misc.c b/src/appl/gss-sample/gss-misc.c index 080ac4d..856ca4a 100644 --- a/src/appl/gss-sample/gss-misc.c +++ b/src/appl/gss-sample/gss-misc.c @@ -115,7 +115,7 @@ read_all(int fildes, void *data, unsigned int nbyte) FD_ZERO(&rfds); FD_SET(fildes, &rfds); - tv.tv_sec = 10; + tv.tv_sec = 300; tv.tv_usec = 0; for (ptr = buf; nbyte; ptr += ret, nbyte -= ret) { diff --git a/src/appl/gss-sample/gss-server.c b/src/appl/gss-sample/gss-server.c index c0d0da3..6b5959a 100644 --- a/src/appl/gss-sample/gss-server.c +++ b/src/appl/gss-sample/gss-server.c @@ -781,6 +781,7 @@ main(int argc, char **argv) /* Accept a TCP connection */ if ((work->s = accept(stmp, NULL, 0)) < 0) { perror("accepting connection"); + free(work); continue; } diff --git a/src/appl/gss-sample/t_gss_sample.py b/src/appl/gss-sample/t_gss_sample.py index 8a6b030..77f3978 100755 --- a/src/appl/gss-sample/t_gss_sample.py +++ b/src/appl/gss-sample/t_gss_sample.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2010 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -31,22 +29,20 @@ gss_server = os.path.join(appdir, 'gss-server') # Run a gss-server process and a gss-client process, with additional # gss-client flags given by options and additional gss-server flags # given by server_options. Return the output of gss-client. -def run_client_server(realm, options, server_options, expected_code=0): +def run_client_server(realm, options, server_options, **kwargs): portstr = str(realm.server_port()) server_args = [gss_server, '-export', '-port', portstr] server_args += server_options + ['host'] server = realm.start_server(server_args, 'starting...') - out = realm.run([gss_client, '-port', portstr] + options + - [hostname, 'host', 'testmsg'], expected_code=expected_code) + realm.run([gss_client, '-port', portstr] + options + + [hostname, 'host', 'testmsg'], **kwargs) stop_daemon(server) - return out # Run a gss-server and gss-client process, and verify that gss-client # displayed the expected output for a successful negotiation. def server_client_test(realm, options, server_options): - out = run_client_server(realm, options, server_options) - if 'Signature verified.' not in out: - fail('Expected message not seen in gss-client output') + run_client_server(realm, options, server_options, + expected_msg='Signature verified.') # Make up a filename to hold user's initial credentials. def ccache_savefile(realm): @@ -81,10 +77,10 @@ def pw_test(realm, options, server_options=[]): # IAKERB, gss_aqcuire_cred_with_password() otherwise). def wrong_pw_test(realm, options, server_options=[], iakerb=False): options = options + ['-user', realm.user_princ, '-pass', 'wrongpw'] - out = run_client_server(realm, options, server_options, expected_code=1) failed_op = 'initializing context' if iakerb else 'acquiring creds' - if 'GSS-API error ' + failed_op not in out: - fail('Expected error not seen in gss-client output') + msg = 'GSS-API error ' + failed_op + run_client_server(realm, options, server_options, expected_code=1, + expected_msg=msg) # Perform a test of the server and client with initial credentials # obtained with the client keytab @@ -97,22 +93,26 @@ def kt_test(realm, options, server_options=[]): for realm in multipass_realms(): ccache_save(realm) + mark('TGS') tgs_test(realm, ['-krb5']) tgs_test(realm, ['-spnego']) tgs_test(realm, ['-iakerb'], ['-iakerb']) # test default (i.e., krb5) mechanism with GSS_C_DCE_STYLE tgs_test(realm, ['-dce']) + mark('pw') pw_test(realm, ['-krb5']) pw_test(realm, ['-spnego']) pw_test(realm, ['-iakerb'], ['-iakerb']) pw_test(realm, ['-dce']) + mark('wrong pw') wrong_pw_test(realm, ['-krb5']) wrong_pw_test(realm, ['-spnego']) wrong_pw_test(realm, ['-iakerb'], ['-iakerb'], True) wrong_pw_test(realm, ['-dce']) + mark('client keytab') realm.extract_keytab(realm.user_princ, realm.client_keytab) kt_test(realm, ['-krb5']) kt_test(realm, ['-spnego']) diff --git a/src/appl/simple/client/sim_client.c b/src/appl/simple/client/sim_client.c index bd3c38c..cda7d22 100644 --- a/src/appl/simple/client/sim_client.c +++ b/src/appl/simple/client/sim_client.c @@ -62,7 +62,7 @@ int main(int argc, char *argv[]) { int sock, i; - unsigned int len; + socklen_t len; int flags = 0; /* flags for sendto() */ struct servent *serv; struct hostent *host; diff --git a/src/appl/simple/server/sim_server.c b/src/appl/simple/server/sim_server.c index fce5a9c..f09489c 100644 --- a/src/appl/simple/server/sim_server.c +++ b/src/appl/simple/server/sim_server.c @@ -33,6 +33,7 @@ */ #include "krb5.h" +#include "port-sockets.h" #include #include #include @@ -64,7 +65,7 @@ int main(int argc, char *argv[]) { int sock, i; - unsigned int len; + socklen_t len; int flags = 0; /* for recvfrom() */ int on = 1; struct servent *serv; diff --git a/src/appl/user_user/client.c b/src/appl/user_user/client.c index 28901a6..9a05345 100644 --- a/src/appl/user_user/client.c +++ b/src/appl/user_user/client.c @@ -36,7 +36,7 @@ int main (int argc, char *argv[]) { int s; - register int retval, i; + int retval, i; char *hname; /* full name of server */ char **srealms; /* realm(s) of server */ char *princ; /* principal in credentials cache */ @@ -53,7 +53,7 @@ int main (int argc, char *argv[]) if (argc < 2 || argc > 4) { fputs ("usage: uu-client [message [port]]\n", stderr); - return 1; + exit(1); } retval = krb5_init_context(&context); @@ -68,7 +68,7 @@ int main (int argc, char *argv[]) else if ((serv = getservbyname ("uu-sample", "tcp")) == NULL) { fputs ("uu-client: unknown service \"uu-sample/tcp\"\n", stderr); - return 2; + exit(2); } else { port = serv->s_port; } @@ -76,13 +76,13 @@ int main (int argc, char *argv[]) if ((host = gethostbyname (argv[1])) == NULL) { fprintf (stderr, "uu-client: can't get address of host \"%s\".\n", argv[1]); - return 3; + exit(3); } if (host->h_addrtype != AF_INET) { fprintf (stderr, "uu-client: bad address type %d for \"%s\".\n", host->h_addrtype, argv[1]); - return 3; + exit(3); } hname = strdup (host->h_name); @@ -90,7 +90,7 @@ int main (int argc, char *argv[]) #ifndef USE_STDOUT if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) { com_err ("uu-client", errno, "creating socket"); - return 4; + exit(4); } else { cli_net_addr.sin_family = AF_INET; cli_net_addr.sin_port = 0; @@ -98,7 +98,7 @@ int main (int argc, char *argv[]) if (bind (s, (struct sockaddr *)&cli_net_addr, sizeof (cli_net_addr)) < 0) { com_err ("uu-client", errno, "binding socket"); - return 4; + exit(4); } } @@ -109,7 +109,7 @@ int main (int argc, char *argv[]) while (1) { if (host->h_addr_list[i] == 0) { fprintf (stderr, "uu-client: unable to connect to \"%s\"\n", hname); - return 5; + exit(5); } memcpy (&serv_net_addr.sin_addr, host->h_addr_list[i++], @@ -128,7 +128,7 @@ int main (int argc, char *argv[]) retval = krb5_cc_default(context, &cc); if (retval) { com_err("uu-client", retval, "getting credentials cache"); - return 6; + exit(6); } memset (&creds, 0, sizeof(creds)); @@ -136,13 +136,13 @@ int main (int argc, char *argv[]) retval = krb5_cc_get_principal(context, cc, &creds.client); if (retval) { com_err("uu-client", retval, "getting principal name"); - return 6; + exit(6); } retval = krb5_unparse_name(context, creds.client, &princ); if (retval) { com_err("uu-client", retval, "printing principal name"); - return 7; + exit(7); } else fprintf(stderr, "uu-client: client principal is \"%s\".\n", princ); @@ -150,7 +150,7 @@ int main (int argc, char *argv[]) retval = krb5_get_host_realm(context, hname, &srealms); if (retval) { com_err("uu-client", retval, "getting realms for \"%s\"", hname); - return 7; + exit(7); } retval = @@ -167,7 +167,7 @@ int main (int argc, char *argv[]) 0); if (retval) { com_err("uu-client", retval, "setting up tgt server name"); - return 7; + exit(7); } /* Get TGT from credentials cache */ @@ -175,7 +175,7 @@ int main (int argc, char *argv[]) &creds, &new_creds); if (retval) { com_err("uu-client", retval, "getting TGT"); - return 6; + exit(6); } i = strlen(princ) + 1; @@ -188,7 +188,7 @@ int main (int argc, char *argv[]) retval = krb5_write_message(context, (krb5_pointer) &s, &princ_data); if (retval) { com_err("uu-client", retval, "sending principal name to server"); - return 8; + exit(8); } free(princ); @@ -197,19 +197,19 @@ int main (int argc, char *argv[]) &new_creds->ticket); if (retval) { com_err("uu-client", retval, "sending ticket to server"); - return 8; + exit(8); } retval = krb5_read_message(context, (krb5_pointer) &s, &reply); if (retval) { com_err("uu-client", retval, "reading reply from server"); - return 9; + exit(9); } retval = krb5_auth_con_init(context, &auth_context); if (retval) { com_err("uu-client", retval, "initializing the auth_context"); - return 9; + exit(9); } retval = @@ -218,36 +218,30 @@ int main (int argc, char *argv[]) KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR); if (retval) { com_err("uu-client", retval, "generating addrs for auth_context"); - return 9; + exit(9); } retval = krb5_auth_con_setflags(context, auth_context, KRB5_AUTH_CONTEXT_DO_SEQUENCE); if (retval) { com_err("uu-client", retval, "initializing the auth_context flags"); - return 9; + exit(9); } retval = krb5_auth_con_setuseruserkey(context, auth_context, &new_creds->keyblock); if (retval) { com_err("uu-client", retval, "setting useruserkey for authcontext"); - return 9; + exit(9); } -#if 1 /* read the ap_req to get the session key */ retval = krb5_rd_req(context, &auth_context, &reply, creds.client, NULL, NULL, &ticket); - free(reply.data); -#else - retval = krb5_recvauth(context, &auth_context, (krb5_pointer)&s, "???", - 0, /* server */, 0, NULL, &ticket); -#endif - + krb5_free_data_contents(context, &reply); if (retval) { com_err("uu-client", retval, "reading AP_REQ from server"); - return 9; + exit(9); } retval = krb5_unparse_name(context, ticket->enc_part2->client, &princ); @@ -261,18 +255,20 @@ int main (int argc, char *argv[]) retval = krb5_read_message(context, (krb5_pointer) &s, &reply); if (retval) { com_err("uu-client", retval, "reading reply from server"); - return 9; + exit(9); } retval = krb5_rd_safe(context, auth_context, &reply, &msg, NULL); if (retval) { com_err("uu-client", retval, "decoding reply from server"); - return 10; + exit(10); } printf ("uu-client: server says \"%s\".\n", msg.data); - +#ifndef USE_STDOUT + close(s); +#endif krb5_free_ticket(context, ticket); krb5_free_host_realm(context, srealms); free(hname); diff --git a/src/appl/user_user/t_user2user.py b/src/appl/user_user/t_user2user.py index 8bdef8e..2c054f1 100755 --- a/src/appl/user_user/t_user2user.py +++ b/src/appl/user_user/t_user2user.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # If uuserver is not compiled under -DDEBUG, then set to 0 @@ -10,9 +9,9 @@ for realm in multipass_realms(): else: srv_output = realm.start_server(['./uuserver', '9999'], 'Server started') - output = realm.run(['./uuclient', hostname, 'testing message', '9999']) - if 'uu-client: server says \"Hello, other end of connection.\"' not in output: - fail('Message not echoed back.') + msg = 'uu-client: server says "Hello, other end of connection."' + realm.run(['./uuclient', hostname, 'testing message', '9999'], + expected_msg=msg) success('User-2-user test programs') diff --git a/src/ccapi/common/win/OldCC/ccutils.c b/src/ccapi/common/win/OldCC/ccutils.c index 13f72cb..403c67e 100644 --- a/src/ccapi/common/win/OldCC/ccutils.c +++ b/src/ccapi/common/win/OldCC/ccutils.c @@ -101,9 +101,6 @@ HANDLE createThreadEvent(char* uuid, char* suffix) { event_name = allocEventName(uuid, suffix); if (!event_name) status = cci_check_error(ccErrNoMem); } -#if 0 - cci_debug_printf("%s event_name:%s", __FUNCTION__, event_name); -#endif if (!status) { hEvent = CreateEvent(psa, FALSE, FALSE, event_name); if (!hEvent) status = cci_check_error(GetLastError()); @@ -125,9 +122,6 @@ HANDLE openThreadEvent(char* uuid, char* suffix) { event_name = allocEventName(uuid, suffix); if (!event_name) status = cci_check_error(ccErrNoMem); -#if 0 - cci_debug_printf("%s event_name:%s", __FUNCTION__, event_name); -#endif if (!status) { hEvent = OpenEvent(EVENT_MODIFY_STATE, FALSE, event_name); if (!hEvent) status = cci_check_error(GetLastError()); diff --git a/src/ccapi/common/win/OldCC/ccutils.h b/src/ccapi/common/win/OldCC/ccutils.h index f91c777..9da3d87 100644 --- a/src/ccapi/common/win/OldCC/ccutils.h +++ b/src/ccapi/common/win/OldCC/ccutils.h @@ -29,9 +29,6 @@ #ifdef __cplusplus extern "C" { #endif -#if 0 -} -#endif #define REPLY_SUFFIX (char*)"reply" #define LISTEN_SUFFIX (char*)"listen" diff --git a/src/ccapi/common/win/OldCC/opts.cxx b/src/ccapi/common/win/OldCC/opts.cxx index bd5f503..c977663 100644 --- a/src/ccapi/common/win/OldCC/opts.cxx +++ b/src/ccapi/common/win/OldCC/opts.cxx @@ -29,45 +29,6 @@ #include #include -#if 0 -const struct Opts* -GetOpts( - ) -{ - bool done = false; - struct Opts* o; - if (!(o = new Opts)) - goto cleanup; - if (!(o->pszString = new char[lstrlenA(opts.pszString) + 1])) - goto cleanup; - if (!(o->pszEndpoint = new char[lstrlenA(opts.pszEndpoint) + 1])) - goto cleanup; - strcpy(o->pszString, opts.pszString); - strcpy(o->pszEndpoint, opts.pszEndpoint); - done = true; - cleanup: - if (!done) { - FreeOpts(o); - o = 0; - } - return o; -} - -void -FreeOpts( - struct Opts* o - ) -{ - if (o) { - if (o->pszString) - delete [] o->pszString; - if (o->pszEndpoint) - delete [] o->pszEndpoint; - delete o; - } -} -#endif - bool ParseOpts::IsValidOpt( char ch diff --git a/src/ccapi/common/win/OldCC/secure.hxx b/src/ccapi/common/win/OldCC/secure.hxx index 3714c6f..1b2e753 100644 --- a/src/ccapi/common/win/OldCC/secure.hxx +++ b/src/ccapi/common/win/OldCC/secure.hxx @@ -38,12 +38,6 @@ public: static void Start(SecureClient*& s); static void Stop(SecureClient*& s); -#if 0 - static DWORD CheckImpersonation(); - static bool IsImp(); - static DWORD DuplicateImpAsPrimary(HANDLE& hPrimary); -#endif - SecureClient(); ~SecureClient(); DWORD Error(); diff --git a/src/ccapi/common/win/OldCC/util.h b/src/ccapi/common/win/OldCC/util.h index 082f608..45e069a 100644 --- a/src/ccapi/common/win/OldCC/util.h +++ b/src/ccapi/common/win/OldCC/util.h @@ -29,9 +29,6 @@ #ifdef __cplusplus extern "C" { #endif -#if 0 -} -#endif BOOL isNT(); diff --git a/src/ccapi/lib/win/Makefile.in b/src/ccapi/lib/win/Makefile.in index 4567609..ef6c1cc 100644 --- a/src/ccapi/lib/win/Makefile.in +++ b/src/ccapi/lib/win/Makefile.in @@ -96,7 +96,7 @@ $(CCLIBRES): $(VERSIONRC) $(OUTPRE)$(CCLIB).dll: $(OBJS) $(CCLIB).def $(CCLIBRES) $(LINK) $(LFLAGS) -entry:$(ENTRYPOINT) -dll /map:$*.map /out:$@ /DEF:$(CCLIB).def $(OBJS) \ - /implib:$(CCLIB).lib $(dllflags) $(LIBS) $(KFWLIB) $(SCLIB) $(CCLIBRES) rpcrt4.lib $(conlibsdll) $(conflags) + /implib:$(CCLIB).lib $(dllflags) $(LIBS) $(KFWLIB) $(CCLIBRES) rpcrt4.lib $(conlibsdll) $(conflags) $(CCLIB).def: echo ;$(CCLIB).def is generated by a Makefile rule. > $(CCLIB).def diff --git a/src/ccapi/lib/win/OldCC/client.cxx b/src/ccapi/lib/win/OldCC/client.cxx index 4b2d718..0f95dfc 100644 --- a/src/ccapi/lib/win/OldCC/client.cxx +++ b/src/ccapi/lib/win/OldCC/client.cxx @@ -118,9 +118,6 @@ DWORD find_server(Init::InitInfo& info, LPSTR endpoint) { char* szDir = 0; BOOL bRes = FALSE; char* cmdline = NULL; -#if 0 - HANDLE hToken = 0; -#endif psa = isNT() ? &sa : 0; @@ -156,38 +153,6 @@ DWORD find_server(Init::InitInfo& info, LPSTR endpoint) { } if (!status) { - -#if 0 - if (SecureClient::IsImp()) { - cci_debug_printf(STARTUP "Token is impersonation token")); - SecureClient::DuplicateImpAsPrimary(hToken); - } - else { - cci_debug_printf(STARTUP "Token is NOT impersonation token")); - } -#endif - -#if 0 - if (hToken) - bRes = CreateProcessAsUser(hToken, - szExe, // app name - NULL, // cmd line - psa, // SA - psa, // SA - FALSE, - CREATE_NEW_PROCESS_GROUP | - //CREATE_NEW_CONSOLE | - NORMAL_PRIORITY_CLASS | - // CREATE_NO_WINDOW | - DETACHED_PROCESS | - 0 - , - NULL, // environment - szDir, // current dir - &si, - &pi); - else -#endif alloc_cmdline_2_args(szExe, endpoint, "-D", &cmdline); bRes = CreateProcess( szExe, // app name NULL, //cmdline, // cmd line is @@ -223,10 +188,6 @@ DWORD find_server(Init::InitInfo& info, LPSTR endpoint) { cci_debug_printf(" unexpected error while looking for server: 0D%d / 0U%u / 0X%X", status, status, status); } -#if 0 - if (hToken) - CloseHandle(hToken); -#endif if (szDir) free_alloc_p(&szDir); if (szExe) free_alloc_p(&szExe); if (hEvent) CloseHandle(hEvent); diff --git a/src/ccapi/lib/win/ccapi_os_ipc.cxx b/src/ccapi/lib/win/ccapi_os_ipc.cxx index 35589a5..1b1f874 100644 --- a/src/ccapi/lib/win/ccapi_os_ipc.cxx +++ b/src/ccapi/lib/win/ccapi_os_ipc.cxx @@ -132,9 +132,6 @@ extern "C" cc_int32 cci_os_ipc_thread_init (void) { cci_check_error(err); } -#if 0 - cci_debug_printf("%s UUID:<%s>", __FUNCTION__, tspdata_getUUID(ptspdata)); -#endif // Initialize old CCAPI if necessary: if (!err) if (!Init:: Initialized()) err = Init:: Initialize( ); if (!err) if (!Client::Initialized()) err = Client::Initialize(0); @@ -243,10 +240,6 @@ extern "C" cc_int32 cci_os_ipc_msg( cc_int32 in_launch_server, if (!GetTspData(GetTlsIndex(), &ptspdata)) {return ccErrBadParam;} uuid = tspdata_getUUID(ptspdata); lenUUID = 1 + strlen(uuid); /* 1+ includes terminating \0. */ -#if 0 - cci_debug_printf("%s calling remote ccs_rpc_request tsp*:0x%X", __FUNCTION__, ptspdata); - cci_debug_printf(" rpcmsg:%d; UUID[%d]:<%s> SST:%ld", in_msg, lenUUID, uuid, sst); -#endif /* copy ptr into handle; ptr may be 4 or 8 bytes, depending on platform; handle is always 8 */ memcpy(tspdata_handle, &ptspdata, sizeof(ptspdata)); ccs_rpc_request( /* make call with user message: */ @@ -282,11 +275,6 @@ extern "C" cc_int32 cci_os_ipc_msg( cc_int32 in_launch_server, if (!err && server_died) { err = cci_check_error (ccErrServerUnavailable); } -#if 0 - if (err == BOOTSTRAP_UNKNOWN_SERVICE && !in_launch_server) { - err = ccNoError; /* If the server is not running just return an empty stream. */ - } -#endif if (!err) { *out_reply_stream = tspdata_getStream(ptspdata); @@ -365,9 +353,6 @@ cc_int32 ccapi_connect(const struct tspdata* tsp) { ReleaseMutex(hCCAPIv2Mutex); if (!status) { -#if 0 - cci_debug_printf("%s Waiting for replyEvent.", __FUNCTION__); -#endif status = WaitForSingleObject(replyEvent, INFINITE);//(SECONDS_TO_WAIT)*1000); status = cci_check_error(RpcMgmtIsServerListening(CLIENT_REQUEST_RPC_HANDLE)); cci_debug_printf(" Server %sFOUND!", (status) ? "NOT " : ""); diff --git a/src/ccapi/lib/win/ccs_reply_proc.c b/src/ccapi/lib/win/ccs_reply_proc.c index bf8c7f4..b4dbc0d 100644 --- a/src/ccapi/lib/win/ccs_reply_proc.c +++ b/src/ccapi/lib/win/ccs_reply_proc.c @@ -47,9 +47,7 @@ void ccs_rpc_request_reply( struct tspdata* tsp; k5_ipc_stream stream; long status = 0; -#if 0 - cci_debug_printf("%s! msg#:%d SST:%ld uuid:%s", __FUNCTION__, rpcmsg, srvStartTime, uuid); -#endif + memcpy(&tsp, tspHandle, sizeof(tsp)); if (!status) { status = krb5int_ipc_stream_new (&stream); /* Create a stream for the request data */ @@ -77,9 +75,7 @@ void ccs_rpc_connect_reply( HANDLE hEvent = openThreadEvent(uuid, REPLY_SUFFIX); DWORD* p = (DWORD*)(tspHandle); -#if 0 - cci_debug_printf("%s! msg#:%d SST:%ld uuid:%s", __FUNCTION__, rpcmsg, srvStartTime, uuid); -#endif + SetEvent(hEvent); CloseHandle(hEvent); } diff --git a/src/ccapi/lib/win/dllmain.cxx b/src/ccapi/lib/win/dllmain.cxx index 82cacad..aa5d00a 100644 --- a/src/ccapi/lib/win/dllmain.cxx +++ b/src/ccapi/lib/win/dllmain.cxx @@ -163,17 +163,7 @@ BOOL WINAPI DllMain(HINSTANCE hinstDLL, // DLL module handle // using multiple DLLs that use this DLL. // WaitForSingleObject( hCCAPIv2Mutex, INFINITE ); -#if 0 - bool process_teardown_workaround = false; - if (lpvReserved) { - Init::InitInfo info; - status = Init::Info(info); - if (status) break; - if (!info.isNT) process_teardown_workaround = true; - } - if (process_teardown_workaround) - break; -#endif + // return value is ignored, so we set status for debugging purposes status = Client::Cleanup(); status = Init::Cleanup(); diff --git a/src/ccapi/server/mac/ccs_os_pipe.c b/src/ccapi/server/mac/ccs_os_pipe.c index 67f9030..5d9fff2 100644 --- a/src/ccapi/server/mac/ccs_os_pipe.c +++ b/src/ccapi/server/mac/ccs_os_pipe.c @@ -27,7 +27,7 @@ #include "ccs_os_pipe.h" #include -/* On Mac OS X ccs_pipe_t is a mach_port_t */ +/* On macOS ccs_pipe_t is a mach_port_t */ /* ------------------------------------------------------------------------ */ @@ -73,7 +73,7 @@ cc_int32 ccs_os_pipe_release (ccs_pipe_t io_pipe) { cc_int32 err = 0; - /* Nothing to do here on Mac OS X */ + /* Nothing to do here on macOS */ return cci_check_error (err); } diff --git a/src/ccapi/server/win/ccs_os_server.cpp b/src/ccapi/server/win/ccs_os_server.cpp index f842394..7c50120 100644 --- a/src/ccapi/server/win/ccs_os_server.cpp +++ b/src/ccapi/server/win/ccs_os_server.cpp @@ -245,10 +245,7 @@ cc_int32 ccs_os_server_listen_loop (int argc, const char *argv[]) { if (worklist_remove(&rpcmsg, &pipe, &buf, &serverStartTime)) { uuid = ccs_win_pipe_getUuid(pipe); -#if 0 - cci_debug_printf("%s: processing WorkItem msg:%ld pipeUUID:<%s> pipeHandle:0x%X SST:%ld", - __FUNCTION__, rpcmsg, uuid, ccs_win_pipe_getHandle(pipe), serverStartTime); -#endif + if (serverStartTime <= getMySST()) { switch (rpcmsg) { case CCMSG_CONNECT: { @@ -472,13 +469,6 @@ void receiveLoop(void* rpcargs) { } // End receiveLoop -#if 0 - - return status; -} -#endif - - /* ------------------------------------------------------------------------ */ /* The connection listener thread waits forever for a call to the CCAPI_CLIENT_ @@ -647,17 +637,6 @@ RPC_STATUS send_connection_reply(ccs_pipe_t in_pipe) { return (status); } -#if 0 -DWORD alloc_name(LPSTR* pname, LPSTR postfix) { - DWORD len = strlen(sessID) + 1 + strlen(postfix) + 1; - - *pname = (LPSTR)malloc(len); - if (!*pname) return GetLastError(); - _snprintf(*pname, len, "%s.%s", sessID, postfix); - return 0; - } -#endif - RPC_STATUS GetPeerName( RPC_BINDING_HANDLE hClient, LPTSTR pszClientName, int iMaxLen) { diff --git a/src/ccapi/server/win/ccs_request_proc.c b/src/ccapi/server/win/ccs_request_proc.c index 461c441..c0328ea 100644 --- a/src/ccapi/server/win/ccs_request_proc.c +++ b/src/ccapi/server/win/ccs_request_proc.c @@ -45,9 +45,7 @@ void ccs_rpc_request( k5_ipc_stream stream; UINT64* p = (UINT64*)(tspHandle); WIN_PIPE* pipe = NULL; -#if 0 - cci_debug_printf("%s rpcmsg:%d; UUID:<%s> SST:<%s>", __FUNCTION__, rpcmsg, pszUUID, serverStartTime); -#endif + status = (rpcmsg != CCMSG_REQUEST) && (rpcmsg != CCMSG_PING); if (!status) { @@ -72,9 +70,7 @@ void ccs_rpc_connect( UINT64* p = (UINT64*)(tspHandle); WIN_PIPE* pipe = ccs_win_pipe_new(pszUUID, *p); -#if 0 - cci_debug_printf("%s; rpcmsg:%d; UUID: <%s>", __FUNCTION__, rpcmsg, pszUUID); -#endif + worklist_add( rpcmsg, pipe, NULL, /* No payload with connect request */ @@ -89,9 +85,7 @@ CC_UINT32 ccs_authenticate(const CC_CHAR* name) { PDWORD pvalue = 0; CC_UINT32 result = 0; DWORD status = 0; -#if 0 - cci_debug_printf("%s ( %s )", __FUNCTION__, name); -#endif + hMap = OpenFileMapping(FILE_MAP_ALL_ACCESS, FALSE, (LPSTR)name); status = !hMap; diff --git a/src/ccapi/server/win/ccs_win_pipe.c b/src/ccapi/server/win/ccs_win_pipe.c index d23e444..99c6670 100644 --- a/src/ccapi/server/win/ccs_win_pipe.c +++ b/src/ccapi/server/win/ccs_win_pipe.c @@ -61,9 +61,7 @@ struct ccs_win_pipe_t* ccs_win_pipe_new (const char* uuid, const UINT64 h) { out_pipe->uuid = uuidCopy; out_pipe->clientHandle = h; } -#if 0 - cci_debug_printf("0x%X = %s(%s, 0x%X)", out_pipe, __FUNCTION__, uuid, h); -#endif + return out_pipe; } diff --git a/src/ccapi/test/Makefile.in b/src/ccapi/test/Makefile.in index 85fe172..23befe8 100644 --- a/src/ccapi/test/Makefile.in +++ b/src/ccapi/test/Makefile.in @@ -151,7 +151,7 @@ build-tests: $(TEST_NAMES) $(TEST_NAMES): @echo DBG: $@ - $(CC) $(ALL_CFLAGS) -Fe$(TESTDIR)$(S)$@.exe -Fd$(OBJDIR)$(S)$@.obj $@.c $(OBJECTS) $(LIBS) + $(CC) $(ALL_CFLAGS) -Fe$(TESTDIR)$(S)$@.exe -Fd$(OBJDIR)$(S)$@.pdb $@.c $(OBJECTS) $(LIBS) # Clean .obj from .: $(RM) $@.$(OBJEXT) ##-- These two rules build each element of the list. diff --git a/src/ccapi/test/pingtest.c b/src/ccapi/test/pingtest.c index d44839f..0ffc15e 100644 --- a/src/ccapi/test/pingtest.c +++ b/src/ccapi/test/pingtest.c @@ -74,12 +74,6 @@ int main( int argc, char *argv[]) { if ((dwTlsIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) return FALSE; -// send_test("krbcc.229026.0.ep"); - -#if 0 - err = cc_initialize(&context, ccapi_version_7, NULL, NULL); -#endif - if (!err) { err = cci_os_ipc_thread_init(); } diff --git a/src/clients/kcpytkt/kcpytkt.c b/src/clients/kcpytkt/kcpytkt.c index 47147cd..0b88022 100644 --- a/src/clients/kcpytkt/kcpytkt.c +++ b/src/clients/kcpytkt/kcpytkt.c @@ -7,26 +7,29 @@ #include "k5-platform.h" static char *prog; +static int quiet = 0; -static void xusage() +static void +xusage() { - fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] dest_ccache service1 service2 ...\n", prog); + fprintf(stderr, "xusage: %s [-c from_ccache] [-e etype] [-f flags] " + "dest_ccache service1 service2 ...\n", prog); exit(1); } -int quiet = 0; +static void +do_kcpytkt(int argc, char *argv[], char *fromccachestr, char *etypestr, + int flags); -static void do_kcpytkt (int argc, char *argv[], char *fromccachestr, char *etypestr, int flags); - -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { int option; - char *etypestr = 0; - char *fromccachestr = 0; + char *etypestr = NULL, *fromccachestr = NULL; int flags = 0; prog = strrchr(argv[0], '/'); - prog = prog ? (prog + 1) : argv[0]; + prog = (prog != NULL) ? prog + 1 : argv[0]; while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) { switch (option) { @@ -49,25 +52,24 @@ int main(int argc, char *argv[]) } } - if ((argc - optind) < 2) + if (argc - optind < 2) xusage(); do_kcpytkt(argc - optind, argv + optind, fromccachestr, etypestr, flags); return 0; } -static void do_kcpytkt (int count, char *names[], - char *fromccachestr, char *etypestr, int flags) +static void +do_kcpytkt(int count, char *names[], const char *fromccachestr, char *etypestr, + int flags) { krb5_context context; krb5_error_code ret; - int i, errors; krb5_enctype etype; - krb5_ccache fromccache; - krb5_ccache destccache; + krb5_ccache fromccache, destccache; krb5_principal me; krb5_creds in_creds, out_creds; - int retflags; + int i, errors, retflags; char *princ; ret = krb5_init_context(&context); @@ -75,8 +77,7 @@ static void do_kcpytkt (int count, char *names[], com_err(prog, ret, "while initializing krb5 library"); exit(1); } - - if (etypestr) { + if (etypestr != NULL) { ret = krb5_string_to_enctype(etypestr, &etype); if (ret) { com_err(prog, ret, "while converting etype"); @@ -88,7 +89,7 @@ static void do_kcpytkt (int count, char *names[], retflags = KRB5_TC_MATCH_SRV_NAMEONLY; } - if (fromccachestr) + if (fromccachestr != NULL) ret = krb5_cc_resolve(context, fromccachestr, &fromccache); else ret = krb5_cc_default(context, &fromccache); @@ -118,9 +119,10 @@ static void do_kcpytkt (int count, char *names[], ret = krb5_parse_name(context, names[i], &in_creds.server); if (ret) { - if (!quiet) + if (!quiet) { fprintf(stderr, "%s: %s while parsing principal name\n", names[i], error_message(ret)); + } errors++; continue; } @@ -140,24 +142,18 @@ static void do_kcpytkt (int count, char *names[], if (ret) { fprintf(stderr, "%s: %s while retrieving credentials\n", princ, error_message(ret)); - krb5_free_unparsed_name(context, princ); - errors++; continue; } ret = krb5_cc_store_cred(context, destccache, &out_creds); - krb5_free_principal(context, in_creds.server); - if (ret) { fprintf(stderr, "%s: %s while removing credentials\n", princ, error_message(ret)); - krb5_free_cred_contents(context, &out_creds); krb5_free_unparsed_name(context, princ); - errors++; continue; } diff --git a/src/clients/kdeltkt/kdeltkt.c b/src/clients/kdeltkt/kdeltkt.c index 9c7a549..cd0bf63 100644 --- a/src/clients/kdeltkt/kdeltkt.c +++ b/src/clients/kdeltkt/kdeltkt.c @@ -7,26 +7,28 @@ #include "k5-platform.h" static char *prog; +static int quiet = 0; -static void xusage() +static void +xusage() { - fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 service2 ...\n", prog); + fprintf(stderr, "xusage: %s [-c ccache] [-e etype] [-f flags] service1 " + "service2 ...\n", prog); exit(1); } -int quiet = 0; +static void +do_kdeltkt(int argc, char *argv[], char *ccachestr, char *etypestr, int flags); -static void do_kdeltkt (int argc, char *argv[], char *ccachestr, char *etypestr, int flags); - -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { int option; - char *etypestr = 0; - char *ccachestr = 0; + char *etypestr = NULL, *ccachestr = NULL; int flags = 0; prog = strrchr(argv[0], '/'); - prog = prog ? (prog + 1) : argv[0]; + prog = (prog != NULL) ? prog + 1 : argv[0]; while ((option = getopt(argc, argv, "c:e:f:hq")) != -1) { switch (option) { @@ -49,15 +51,16 @@ int main(int argc, char *argv[]) } } - if ((argc - optind) < 1) + if (argc - optind < 1) xusage(); do_kdeltkt(argc - optind, argv + optind, ccachestr, etypestr, flags); return 0; } -static void do_kdeltkt (int count, char *names[], - char *ccachestr, char *etypestr, int flags) +static void +do_kdeltkt(int count, char *names[], const char *ccachestr, char *etypestr, + int flags) { krb5_context context; krb5_error_code ret; @@ -75,7 +78,7 @@ static void do_kdeltkt (int count, char *names[], exit(1); } - if (etypestr) { + if (etypestr != NULL) { ret = krb5_string_to_enctype(etypestr, &etype); if (ret) { com_err(prog, ret, "while converting etype"); @@ -111,9 +114,10 @@ static void do_kdeltkt (int count, char *names[], ret = krb5_parse_name(context, names[i], &in_creds.server); if (ret) { - if (!quiet) + if (!quiet) { fprintf(stderr, "%s: %s while parsing principal name\n", names[i], error_message(ret)); + } errors++; continue; } @@ -133,9 +137,7 @@ static void do_kdeltkt (int count, char *names[], if (ret) { fprintf(stderr, "%s: %s while retrieving credentials\n", princ, error_message(ret)); - krb5_free_unparsed_name(context, princ); - errors++; continue; } @@ -147,14 +149,11 @@ static void do_kdeltkt (int count, char *names[], if (ret) { fprintf(stderr, "%s: %s while removing credentials\n", princ, error_message(ret)); - krb5_free_cred_contents(context, &out_creds); krb5_free_unparsed_name(context, princ); - errors++; continue; } - krb5_free_unparsed_name(context, princ); krb5_free_cred_contents(context, &out_creds); } diff --git a/src/clients/kdestroy/kdestroy.c b/src/clients/kdestroy/kdestroy.c index f955549..774b729 100644 --- a/src/clients/kdestroy/kdestroy.c +++ b/src/clients/kdestroy/kdestroy.c @@ -37,11 +37,8 @@ #define BELL_CHAR '\007' #endif -extern int optind; -extern char *optarg; - #ifndef _WIN32 -#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x)) +#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x)) #else #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x)) #endif @@ -49,14 +46,15 @@ extern char *optarg; char *progname; -static void usage() +static void +usage() { -#define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - - fprintf(stderr, _("Usage: %s [-A] [-q] [-c cache_name]\n"), progname); + fprintf(stderr, _("Usage: %s [-A] [-q] [-c cache_name] [-p princ_name]\n"), + progname); fprintf(stderr, _("\t-A destroy all credential caches in collection\n")); fprintf(stderr, _("\t-q quiet mode\n")); fprintf(stderr, _("\t-c specify name of credentials cache\n")); + fprintf(stderr, _("\t-p specify principal name within collection\n")); exit(2); } @@ -64,18 +62,18 @@ static void usage() static void print_remaining_cc_warning(krb5_context context) { - krb5_error_code retval; + krb5_error_code ret; krb5_ccache cache; krb5_cccol_cursor cursor; - retval = krb5_cccol_cursor_new(context, &cursor); - if (retval) { - com_err(progname, retval, _("while listing credential caches")); + ret = krb5_cccol_cursor_new(context, &cursor); + if (ret) { + com_err(progname, ret, _("while listing credential caches")); exit(1); } - retval = krb5_cccol_cursor_next(context, cursor, &cache); - if (retval == 0 && cache != NULL) { + ret = krb5_cccol_cursor_next(context, cursor, &cache); + if (ret == 0 && cache != NULL) { fprintf(stderr, _("Other credential caches present, use -A to destroy all\n")); krb5_cc_close(context, cache); @@ -85,25 +83,21 @@ print_remaining_cc_warning(krb5_context context) } int -main(argc, argv) - int argc; - char **argv; +main(int argc, char *argv[]) { - krb5_context kcontext; - krb5_error_code retval; - int c; + krb5_context context; + krb5_error_code ret; krb5_ccache cache = NULL; krb5_cccol_cursor cursor; + krb5_principal princ; char *cache_name = NULL; - int code = 0; - int errflg = 0; - int quiet = 0; - int all = 0; + const char *princ_name = NULL; + int code = 0, errflg = 0, quiet = 0, all = 0, c; setlocale(LC_ALL, ""); progname = GET_PROGNAME(argv[0]); - while ((c = getopt(argc, argv, "54Aqc:")) != -1) { + while ((c = getopt(argc, argv, "54Aqc:p:")) != -1) { switch (c) { case 'A': all = 1; @@ -119,6 +113,14 @@ main(argc, argv) cache_name = optarg; } break; + case 'p': + if (princ_name != NULL) { + fprintf(stderr, _("Only one -p option allowed\n")); + errflg++; + } else { + princ_name = optarg; + } + break; case '4': fprintf(stderr, _("Kerberos 4 is no longer supported\n")); exit(3); @@ -132,65 +134,85 @@ main(argc, argv) } } + if (all && princ_name != NULL) { + fprintf(stderr, _("-A option is exclusive with -p option\n")); + errflg++; + } + if (optind != argc) errflg++; - if (errflg) { + if (errflg) usage(); - } - retval = krb5_init_context(&kcontext); - if (retval) { - com_err(progname, retval, _("while initializing krb5")); + ret = krb5_init_context(&context); + if (ret) { + com_err(progname, ret, _("while initializing krb5")); exit(1); } + if (cache_name != NULL) { + code = krb5_cc_set_default_name(context, cache_name); + if (code) { + com_err(progname, code, _("while setting default cache name")); + exit(1); + } + } + if (all) { - code = krb5_cccol_cursor_new(kcontext, &cursor); + code = krb5_cccol_cursor_new(context, &cursor); if (code) { com_err(progname, code, _("while listing credential caches")); exit(1); } - while ((code = krb5_cccol_cursor_next(kcontext, cursor, - &cache)) == 0 && cache != NULL) { - code = krb5_cc_get_full_name(kcontext, cache, &cache_name); + while (krb5_cccol_cursor_next(context, cursor, &cache) == 0 && + cache != NULL) { + code = krb5_cc_get_full_name(context, cache, &cache_name); if (code) { com_err(progname, code, _("composing ccache name")); exit(1); } - code = krb5_cc_destroy(kcontext, cache); + code = krb5_cc_destroy(context, cache); if (code && code != KRB5_FCC_NOFILE) { com_err(progname, code, _("while destroying cache %s"), cache_name); } - krb5_free_string(kcontext, cache_name); + krb5_free_string(context, cache_name); } - krb5_cccol_cursor_free(kcontext, &cursor); - krb5_free_context(kcontext); + krb5_cccol_cursor_free(context, &cursor); + krb5_free_context(context); return 0; } - if (cache_name) { - code = krb5_cc_resolve (kcontext, cache_name, &cache); - if (code != 0) { - com_err(progname, code, _("while resolving %s"), cache_name); + if (princ_name != NULL) { + code = krb5_parse_name(context, princ_name, &princ); + if (code) { + com_err(progname, code, _("while parsing principal name %s"), + princ_name); exit(1); } + code = krb5_cc_cache_match(context, princ, &cache); + if (code) { + com_err(progname, code, _("while finding cache for %s"), + princ_name); + exit(1); + } + krb5_free_principal(context, princ); } else { - code = krb5_cc_default(kcontext, &cache); + code = krb5_cc_default(context, &cache); if (code) { - com_err(progname, code, _("while getting default ccache")); + com_err(progname, code, _("while resolving ccache")); exit(1); } } - code = krb5_cc_destroy (kcontext, cache); + code = krb5_cc_destroy(context, cache); if (code != 0) { - com_err (progname, code, _("while destroying cache")); + com_err(progname, code, _("while destroying cache")); if (code != KRB5_FCC_NOFILE) { - if (quiet) + if (quiet) { fprintf(stderr, _("Ticket cache NOT destroyed!\n")); - else { + } else { fprintf(stderr, _("Ticket cache %cNOT%c destroyed!\n"), BELL_CHAR, BELL_CHAR); } @@ -198,9 +220,10 @@ main(argc, argv) } } - if (!quiet && !errflg) - print_remaining_cc_warning(kcontext); + if (!quiet && !errflg && princ_name == NULL) + print_remaining_cc_warning(context); + + krb5_free_context(context); - krb5_free_context(kcontext); return errflg; } diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c index f1cd1b7..3fdae28 100644 --- a/src/clients/kinit/kinit.c +++ b/src/clients/kinit/kinit.c @@ -26,7 +26,7 @@ #include "autoconf.h" #include -#include "k5-platform.h" /* for asprintf and getopt */ +#include "k5-platform.h" /* For asprintf and getopt */ #include #include "extern.h" #include @@ -37,40 +37,41 @@ #include #ifndef _WIN32 -#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x)) +#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x)) #else #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x)) #endif #ifdef HAVE_PWD_H #include -static -char * get_name_from_os() +static char * +get_name_from_os() { struct passwd *pw; - if ((pw = getpwuid((int) getuid()))) - return pw->pw_name; - return 0; + + pw = getpwuid(getuid()); + return (pw != NULL) ? pw->pw_name : NULL; } #else /* HAVE_PWD_H */ #ifdef _WIN32 -static -char * get_name_from_os() +static char * +get_name_from_os() { static char name[1024]; DWORD name_size = sizeof(name); + if (GetUserName(name, &name_size)) { - name[sizeof(name)-1] = 0; /* Just to be extra safe */ + name[sizeof(name) - 1] = '\0'; /* Just to be extra safe */ return name; } else { - return 0; + return NULL; } } #else /* _WIN32 */ -static -char * get_name_from_os() +static char * +get_name_from_os() { - return 0; + return NULL; } #endif /* _WIN32 */ #endif /* HAVE_PWD_H */ @@ -81,7 +82,7 @@ typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type; struct k_opts { - /* in seconds */ + /* In seconds */ krb5_deltat starttime; krb5_deltat lifetime; krb5_deltat rlife; @@ -99,11 +100,11 @@ struct k_opts int verbose; - char* principal_name; - char* service_name; - char* keytab_name; - char* k5_in_cache_name; - char* k5_out_cache_name; + char *principal_name; + char *service_name; + char *keytab_name; + char *k5_in_cache_name; + char *k5_out_cache_name; char *armor_ccache; action_type action; @@ -121,46 +122,39 @@ struct k5_data krb5_context ctx; krb5_ccache in_cc, out_cc; krb5_principal me; - char* name; + char *name; krb5_boolean switch_to_cache; }; -/* if struct[2] == NULL, then long_getopt acts as if the short flag - struct[3] was specified. If struct[2] != NULL, then struct[3] is - stored in *(struct[2]), the array index which was specified is - stored in *index, and long_getopt() returns 0. */ - +/* + * If struct[2] == NULL, then long_getopt acts as if the short flag struct[3] + * were specified. If struct[2] != NULL, then struct[3] is stored in + * *(struct[2]), the array index which was specified is stored in *index, and + * long_getopt() returns 0. + */ const char *shopts = "r:fpFPn54aAVl:s:c:kit:T:RS:vX:CEI:"; +#define USAGE_BREAK "\n\t" + static void usage() { -#define USAGE_BREAK "\n\t" - -#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable" -#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable" -#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses" -#define USAGE_LONG_CANONICALIZE " | --canonicalize" -#define USAGE_LONG_ENTERPRISE " | --enterprise" -#define USAGE_LONG_REQUESTPAC "--request-pac | --no-request-pac" -#define USAGE_BREAK_LONG USAGE_BREAK - fprintf(stderr, "Usage: %s [-V] " "[-l lifetime] [-s start_time] " USAGE_BREAK "[-r renewable_life] " - "[-f | -F" USAGE_LONG_FORWARDABLE "] " - USAGE_BREAK_LONG - "[-p | -P" USAGE_LONG_PROXIABLE "] " - USAGE_BREAK_LONG + "[-f | -F | --forwardable | --noforwardable] " + USAGE_BREAK + "[-p | -P | --proxiable | --noproxiable] " + USAGE_BREAK "-n " - "[-a | -A" USAGE_LONG_ADDRESSES "] " - USAGE_BREAK_LONG - "[" USAGE_LONG_REQUESTPAC "] " - USAGE_BREAK_LONG - "[-C" USAGE_LONG_CANONICALIZE "] " + "[-a | -A | --addresses | --noaddresses] " USAGE_BREAK - "[-E" USAGE_LONG_ENTERPRISE "] " + "[--request-pac | --no-request-pac] " + USAGE_BREAK + "[-C | --canonicalize] " + USAGE_BREAK + "[-E | --enterprise] " USAGE_BREAK "[-v] [-R] " "[-k [-i|-t keytab_file]] " @@ -199,15 +193,17 @@ usage() } static krb5_context errctx; -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void +extended_com_err_fn(const char *myprog, errcode_t code, const char *fmt, + va_list args) { const char *emsg; - emsg = krb5_get_error_message (errctx, code); - fprintf (stderr, "%s: %s ", myprog, emsg); - krb5_free_error_message (errctx, emsg); - vfprintf (stderr, fmt, args); - fprintf (stderr, "\n"); + + emsg = krb5_get_error_message(errctx, code); + fprintf(stderr, "%s: %s ", myprog, emsg); + krb5_free_error_message(errctx, emsg); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); } static int @@ -215,18 +211,13 @@ add_preauth_opt(struct k_opts *opts, char *av) { char *sep, *v; krb5_gic_opt_pa_data *p, *x; + size_t newsize = (opts->num_pa_opts + 1) * sizeof(*opts->pa_opts); + + x = realloc(opts->pa_opts, newsize); + if (x == NULL) + return ENOMEM; + opts->pa_opts = x; - if (opts->num_pa_opts == 0) { - opts->pa_opts = malloc(sizeof(krb5_gic_opt_pa_data)); - if (opts->pa_opts == NULL) - return ENOMEM; - } else { - size_t newsize = (opts->num_pa_opts + 1) * sizeof(krb5_gic_opt_pa_data); - x = realloc(opts->pa_opts, newsize); - if (x == NULL) - return ENOMEM; - opts->pa_opts = x; - } p = &opts->pa_opts[opts->num_pa_opts]; sep = strchr(av, '='); if (sep) { @@ -242,10 +233,7 @@ add_preauth_opt(struct k_opts *opts, char *av) } static char * -parse_options(argc, argv, opts) - int argc; - char **argv; - struct k_opts* opts; +parse_options(int argc, char **argv, struct k_opts *opts) { struct option long_options[] = { { "noforwardable", 0, NULL, 'F' }, @@ -260,7 +248,7 @@ parse_options(argc, argv, opts) { "no-request-pac", 0, &opts->not_request_pac, 1 }, { NULL, 0, NULL, 0 } }; - krb5_error_code code; + krb5_error_code ret; int errflg = 0; int i; @@ -271,16 +259,16 @@ parse_options(argc, argv, opts) break; case 'l': /* Lifetime */ - code = krb5_string_to_deltat(optarg, &opts->lifetime); - if (code != 0 || opts->lifetime == 0) { + ret = krb5_string_to_deltat(optarg, &opts->lifetime); + if (ret || opts->lifetime == 0) { fprintf(stderr, _("Bad lifetime value %s\n"), optarg); errflg++; } break; case 'r': /* Renewable Time */ - code = krb5_string_to_deltat(optarg, &opts->rlife); - if (code != 0 || opts->rlife == 0) { + ret = krb5_string_to_deltat(optarg, &opts->rlife); + if (ret || opts->rlife == 0) { fprintf(stderr, _("Bad lifetime value %s\n"), optarg); errflg++; } @@ -307,18 +295,18 @@ parse_options(argc, argv, opts) opts->no_addresses = 1; break; case 's': - code = krb5_string_to_deltat(optarg, &opts->starttime); - if (code != 0 || opts->starttime == 0) { + ret = krb5_string_to_deltat(optarg, &opts->starttime); + if (ret || opts->starttime == 0) { /* Parse as an absolute time; intentionally undocumented * but left for backwards compatibility. */ krb5_timestamp abs_starttime; - code = krb5_string_to_timestamp(optarg, &abs_starttime); - if (code != 0 || abs_starttime == 0) { + ret = krb5_string_to_timestamp(optarg, &abs_starttime); + if (ret || abs_starttime == 0) { fprintf(stderr, _("Bad start time value %s\n"), optarg); errflg++; } else { - opts->starttime = abs_starttime - time(0); + opts->starttime = ts_delta(abs_starttime, time(NULL)); } } break; @@ -332,8 +320,7 @@ parse_options(argc, argv, opts) opts->use_client_keytab = 1; break; case 't': - if (opts->keytab_name) - { + if (opts->keytab_name != NULL) { fprintf(stderr, _("Only one -t option allowed.\n")); errflg++; } else { @@ -341,10 +328,12 @@ parse_options(argc, argv, opts) } break; case 'T': - if (opts->armor_ccache) { + if (opts->armor_ccache != NULL) { fprintf(stderr, _("Only one armor_ccache\n")); errflg++; - } else opts->armor_ccache = optarg; + } else { + opts->armor_ccache = optarg; + } break; case 'R': opts->action = RENEW; @@ -353,8 +342,7 @@ parse_options(argc, argv, opts) opts->action = VALIDATE; break; case 'c': - if (opts->k5_out_cache_name) - { + if (opts->k5_out_cache_name != NULL) { fprintf(stderr, _("Only one -c option allowed\n")); errflg++; } else { @@ -362,7 +350,7 @@ parse_options(argc, argv, opts) } break; case 'I': - if (opts->k5_in_cache_name) { + if (opts->k5_in_cache_name != NULL) { fprintf(stderr, _("Only one -I option allowed\n")); errflg++; } else { @@ -370,10 +358,9 @@ parse_options(argc, argv, opts) } break; case 'X': - code = add_preauth_opt(opts, optarg); - if (code) - { - com_err(progname, code, _("while adding preauth option")); + ret = add_preauth_opt(opts, optarg); + if (ret) { + com_err(progname, ret, _("while adding preauth option")); errflg++; } break; @@ -398,59 +385,49 @@ parse_options(argc, argv, opts) } } - if (opts->forwardable && opts->not_forwardable) - { + if (opts->forwardable && opts->not_forwardable) { fprintf(stderr, _("Only one of -f and -F allowed\n")); errflg++; } - if (opts->proxiable && opts->not_proxiable) - { + if (opts->proxiable && opts->not_proxiable) { fprintf(stderr, _("Only one of -p and -P allowed\n")); errflg++; } - if (opts->request_pac && opts->not_request_pac) - { + if (opts->request_pac && opts->not_request_pac) { fprintf(stderr, _("Only one of --request-pac and --no-request-pac " "allowed\n")); errflg++; } - if (opts->addresses && opts->no_addresses) - { + if (opts->addresses && opts->no_addresses) { fprintf(stderr, _("Only one of -a and -A allowed\n")); errflg++; } - if (opts->keytab_name != NULL && opts->use_client_keytab == 1) - { + if (opts->keytab_name != NULL && opts->use_client_keytab == 1) { fprintf(stderr, _("Only one of -t and -i allowed\n")); errflg++; } if ((opts->keytab_name != NULL || opts->use_client_keytab == 1) && - opts->action != INIT_KT) - { + opts->action != INIT_KT) { opts->action = INIT_KT; fprintf(stderr, _("keytab specified, forcing -k\n")); } - if (argc - optind > 1) { fprintf(stderr, _("Extra arguments (starting with \"%s\").\n"), - argv[optind+1]); + argv[optind + 1]); errflg++; } - if (errflg) { + if (errflg) usage(); - } - opts->principal_name = (optind == argc-1) ? argv[optind] : 0; + opts->principal_name = (optind == argc - 1) ? argv[optind] : 0; return opts->principal_name; } static int -k5_begin(opts, k5) - struct k_opts* opts; - struct k5_data* k5; +k5_begin(struct k_opts *opts, struct k5_data *k5) { - krb5_error_code code = 0; + krb5_error_code ret; int success = 0; int flags = opts->enterprise ? KRB5_PRINCIPAL_PARSE_ENTERPRISE : 0; krb5_ccache defcache = NULL; @@ -459,17 +436,17 @@ k5_begin(opts, k5) const char *deftype = NULL; char *defrealm, *name; - code = krb5_init_context(&k5->ctx); - if (code) { - com_err(progname, code, _("while initializing Kerberos 5 library")); + ret = krb5_init_context(&k5->ctx); + if (ret) { + com_err(progname, ret, _("while initializing Kerberos 5 library")); return 0; } errctx = k5->ctx; if (opts->k5_out_cache_name) { - code = krb5_cc_resolve(k5->ctx, opts->k5_out_cache_name, &k5->out_cc); - if (code != 0) { - com_err(progname, code, _("resolving ccache %s"), + ret = krb5_cc_resolve(k5->ctx, opts->k5_out_cache_name, &k5->out_cc); + if (ret) { + com_err(progname, ret, _("resolving ccache %s"), opts->k5_out_cache_name); goto cleanup; } @@ -480,9 +457,9 @@ k5_begin(opts, k5) } else { /* Resolve the default ccache and get its type and default principal * (if it is initialized). */ - code = krb5_cc_default(k5->ctx, &defcache); - if (code) { - com_err(progname, code, _("while getting default ccache")); + ret = krb5_cc_default(k5->ctx, &defcache); + if (ret) { + com_err(progname, ret, _("while getting default ccache")); goto cleanup; } deftype = krb5_cc_get_type(k5->ctx, defcache); @@ -493,59 +470,58 @@ k5_begin(opts, k5) /* Choose a client principal name. */ if (opts->principal_name != NULL) { /* Use the specified principal name. */ - code = krb5_parse_name_flags(k5->ctx, opts->principal_name, flags, - &k5->me); - if (code) { - com_err(progname, code, _("when parsing name %s"), + ret = krb5_parse_name_flags(k5->ctx, opts->principal_name, flags, + &k5->me); + if (ret) { + com_err(progname, ret, _("when parsing name %s"), opts->principal_name); goto cleanup; } } else if (opts->anonymous) { /* Use the anonymous principal for the local realm. */ - code = krb5_get_default_realm(k5->ctx, &defrealm); - if (code) { - com_err(progname, code, _("while getting default realm")); + ret = krb5_get_default_realm(k5->ctx, &defrealm); + if (ret) { + com_err(progname, ret, _("while getting default realm")); goto cleanup; } - code = krb5_build_principal_ext(k5->ctx, &k5->me, - strlen(defrealm), defrealm, - strlen(KRB5_WELLKNOWN_NAMESTR), - KRB5_WELLKNOWN_NAMESTR, - strlen(KRB5_ANONYMOUS_PRINCSTR), - KRB5_ANONYMOUS_PRINCSTR, - 0); + ret = krb5_build_principal_ext(k5->ctx, &k5->me, + strlen(defrealm), defrealm, + strlen(KRB5_WELLKNOWN_NAMESTR), + KRB5_WELLKNOWN_NAMESTR, + strlen(KRB5_ANONYMOUS_PRINCSTR), + KRB5_ANONYMOUS_PRINCSTR, 0); krb5_free_default_realm(k5->ctx, defrealm); - if (code) { - com_err(progname, code, _("while building principal")); + if (ret) { + com_err(progname, ret, _("while building principal")); goto cleanup; } } else if (opts->action == INIT_KT && opts->use_client_keytab) { /* Use the first entry from the client keytab. */ - code = krb5_kt_client_default(k5->ctx, &keytab); - if (code) { - com_err(progname, code, + ret = krb5_kt_client_default(k5->ctx, &keytab); + if (ret) { + com_err(progname, ret, _("When resolving the default client keytab")); goto cleanup; } - code = k5_kt_get_principal(k5->ctx, keytab, &k5->me); + ret = k5_kt_get_principal(k5->ctx, keytab, &k5->me); krb5_kt_close(k5->ctx, keytab); - if (code) { - com_err(progname, code, + if (ret) { + com_err(progname, ret, _("When determining client principal name from keytab")); goto cleanup; } } else if (opts->action == INIT_KT) { /* Use the default host/service name. */ - code = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST, - &k5->me); - if (code) { - com_err(progname, code, + ret = krb5_sname_to_principal(k5->ctx, NULL, NULL, KRB5_NT_SRV_HST, + &k5->me); + if (ret) { + com_err(progname, ret, _("when creating default server principal name")); goto cleanup; } if (k5->me->realm.data[0] == 0) { - code = krb5_unparse_name(k5->ctx, k5->me, &k5->name); - if (code == 0) { + ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name); + if (ret == 0) { com_err(progname, KRB5_ERR_HOST_REALM_UNKNOWN, _("(principal %s)"), k5->name); } else { @@ -574,23 +550,22 @@ k5_begin(opts, k5) fprintf(stderr, _("Unable to identify user\n")); goto cleanup; } - code = krb5_parse_name_flags(k5->ctx, name, flags, &k5->me); - if (code) { - com_err(progname, code, _("when parsing name %s"), - name); + ret = krb5_parse_name_flags(k5->ctx, name, flags, &k5->me); + if (ret) { + com_err(progname, ret, _("when parsing name %s"), name); goto cleanup; } } if (k5->out_cc == NULL && krb5_cc_support_switch(k5->ctx, deftype)) { /* Use an existing cache for the client principal if we can. */ - code = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc); - if (code != 0 && code != KRB5_CC_NOTFOUND) { - com_err(progname, code, _("while searching for ccache for %s"), + ret = krb5_cc_cache_match(k5->ctx, k5->me, &k5->out_cc); + if (ret && ret != KRB5_CC_NOTFOUND) { + com_err(progname, ret, _("while searching for ccache for %s"), opts->principal_name); goto cleanup; } - if (code == 0) { + if (!ret) { if (opts->verbose) { fprintf(stderr, _("Using existing cache: %s\n"), krb5_cc_get_name(k5->ctx, k5->out_cc)); @@ -599,9 +574,9 @@ k5_begin(opts, k5) } else if (defcache_princ != NULL) { /* Create a new cache to avoid overwriting the initialized default * cache. */ - code = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc); - if (code) { - com_err(progname, code, _("while generating new ccache")); + ret = krb5_cc_new_unique(k5->ctx, deftype, NULL, &k5->out_cc); + if (ret) { + com_err(progname, ret, _("while generating new ccache")); goto cleanup; } if (opts->verbose) { @@ -623,9 +598,9 @@ k5_begin(opts, k5) } if (opts->k5_in_cache_name) { - code = krb5_cc_resolve(k5->ctx, opts->k5_in_cache_name, &k5->in_cc); - if (code != 0) { - com_err(progname, code, _("resolving ccache %s"), + ret = krb5_cc_resolve(k5->ctx, opts->k5_in_cache_name, &k5->in_cc); + if (ret) { + com_err(progname, ret, _("resolving ccache %s"), opts->k5_in_cache_name); goto cleanup; } @@ -635,10 +610,9 @@ k5_begin(opts, k5) } } - - code = krb5_unparse_name(k5->ctx, k5->me, &k5->name); - if (code) { - com_err(progname, code, _("when unparsing name")); + ret = krb5_unparse_name(k5->ctx, k5->me, &k5->name); + if (ret) { + com_err(progname, ret, _("when unparsing name")); goto cleanup; } if (opts->verbose) @@ -656,33 +630,22 @@ cleanup: } static void -k5_end(k5) - struct k5_data* k5; +k5_end(struct k5_data *k5) { - if (k5->name) - krb5_free_unparsed_name(k5->ctx, k5->name); - if (k5->me) - krb5_free_principal(k5->ctx, k5->me); - if (k5->in_cc) + krb5_free_unparsed_name(k5->ctx, k5->name); + krb5_free_principal(k5->ctx, k5->me); + if (k5->in_cc != NULL) krb5_cc_close(k5->ctx, k5->in_cc); - if (k5->out_cc) + if (k5->out_cc != NULL) krb5_cc_close(k5->ctx, k5->out_cc); - if (k5->ctx) - krb5_free_context(k5->ctx); + krb5_free_context(k5->ctx); errctx = NULL; memset(k5, 0, sizeof(*k5)); } -static krb5_error_code -KRB5_CALLCONV -kinit_prompter( - krb5_context ctx, - void *data, - const char *name, - const char *banner, - int num_prompts, - krb5_prompt prompts[] -) +static krb5_error_code KRB5_CALLCONV +kinit_prompter(krb5_context ctx, void *data, const char *name, + const char *banner, int num_prompts, krb5_prompt prompts[]) { krb5_boolean *pwprompt = data; krb5_prompt_type *ptypes; @@ -694,34 +657,27 @@ kinit_prompter( if (ptypes != NULL && ptypes[i] == KRB5_PROMPT_TYPE_PASSWORD) *pwprompt = TRUE; } - return krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts); } static int -k5_kinit(opts, k5) - struct k_opts* opts; - struct k5_data* k5; +k5_kinit(struct k_opts *opts, struct k5_data *k5) { int notix = 1; krb5_keytab keytab = 0; krb5_creds my_creds; - krb5_error_code code = 0; + krb5_error_code ret; krb5_get_init_creds_opt *options = NULL; krb5_boolean pwprompt = FALSE; + krb5_address **addresses = NULL; int i; memset(&my_creds, 0, sizeof(my_creds)); - code = krb5_get_init_creds_opt_alloc(k5->ctx, &options); - if (code) + ret = krb5_get_init_creds_opt_alloc(k5->ctx, &options); + if (ret) goto cleanup; - /* - From this point on, we can goto cleanup because my_creds is - initialized. - */ - if (opts->lifetime) krb5_get_init_creds_opt_set_tkt_life(options, opts->lifetime); if (opts->rlife) @@ -738,63 +694,62 @@ k5_kinit(opts, k5) krb5_get_init_creds_opt_set_canonicalize(options, 1); if (opts->anonymous) krb5_get_init_creds_opt_set_anonymous(options, 1); - if (opts->addresses) - { - krb5_address **addresses = NULL; - code = krb5_os_localaddr(k5->ctx, &addresses); - if (code != 0) { - com_err(progname, code, _("getting local addresses")); + if (opts->addresses) { + ret = krb5_os_localaddr(k5->ctx, &addresses); + if (ret) { + com_err(progname, ret, _("getting local addresses")); goto cleanup; } krb5_get_init_creds_opt_set_address_list(options, addresses); } if (opts->no_addresses) krb5_get_init_creds_opt_set_address_list(options, NULL); - if (opts->armor_ccache) - krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, opts->armor_ccache); + if (opts->armor_ccache != NULL) { + krb5_get_init_creds_opt_set_fast_ccache_name(k5->ctx, options, + opts->armor_ccache); + } if (opts->request_pac) krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, TRUE); if (opts->not_request_pac) krb5_get_init_creds_opt_set_pac_request(k5->ctx, options, FALSE); - if ((opts->action == INIT_KT) && opts->keytab_name) - { + if (opts->action == INIT_KT && opts->keytab_name != NULL) { #ifndef _WIN32 if (strncmp(opts->keytab_name, "KDB:", 4) == 0) { - code = kinit_kdb_init(&k5->ctx, - krb5_princ_realm(k5->ctx, k5->me)->data); - if (code != 0) { - com_err(progname, code, + ret = kinit_kdb_init(&k5->ctx, k5->me->realm.data); + errctx = k5->ctx; + if (ret) { + com_err(progname, ret, _("while setting up KDB keytab for realm %s"), - krb5_princ_realm(k5->ctx, k5->me)->data); + k5->me->realm.data); goto cleanup; } } #endif - code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); - if (code != 0) { - com_err(progname, code, _("resolving keytab %s"), + ret = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab); + if (ret) { + com_err(progname, ret, _("resolving keytab %s"), opts->keytab_name); goto cleanup; } if (opts->verbose) fprintf(stderr, _("Using keytab: %s\n"), opts->keytab_name); } else if (opts->action == INIT_KT && opts->use_client_keytab) { - code = krb5_kt_client_default(k5->ctx, &keytab); - if (code != 0) { - com_err(progname, code, _("resolving default client keytab")); + ret = krb5_kt_client_default(k5->ctx, &keytab); + if (ret) { + com_err(progname, ret, _("resolving default client keytab")); goto cleanup; } } for (i = 0; i < opts->num_pa_opts; i++) { - code = krb5_get_init_creds_opt_set_pa(k5->ctx, options, - opts->pa_opts[i].attr, - opts->pa_opts[i].value); - if (code != 0) { - com_err(progname, code, _("while setting '%s'='%s'"), + ret = krb5_get_init_creds_opt_set_pa(k5->ctx, options, + opts->pa_opts[i].attr, + opts->pa_opts[i].value); + if (ret) { + com_err(progname, ret, _("while setting '%s'='%s'"), opts->pa_opts[i].attr, opts->pa_opts[i].value); goto cleanup; } @@ -804,43 +759,39 @@ k5_kinit(opts, k5) } } if (k5->in_cc) { - code = krb5_get_init_creds_opt_set_in_ccache(k5->ctx, options, - k5->in_cc); - if (code) + ret = krb5_get_init_creds_opt_set_in_ccache(k5->ctx, options, + k5->in_cc); + if (ret) goto cleanup; } - code = krb5_get_init_creds_opt_set_out_ccache(k5->ctx, options, - k5->out_cc); - if (code) + ret = krb5_get_init_creds_opt_set_out_ccache(k5->ctx, options, k5->out_cc); + if (ret) goto cleanup; switch (opts->action) { case INIT_PW: - code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, - 0, kinit_prompter, &pwprompt, - opts->starttime, - opts->service_name, - options); + ret = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me, 0, + kinit_prompter, &pwprompt, + opts->starttime, opts->service_name, + options); break; case INIT_KT: - code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, - keytab, - opts->starttime, - opts->service_name, - options); + ret = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me, keytab, + opts->starttime, opts->service_name, + options); break; case VALIDATE: - code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->out_cc, - opts->service_name); + ret = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->out_cc, + opts->service_name); break; case RENEW: - code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->out_cc, - opts->service_name); + ret = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->out_cc, + opts->service_name); break; } - if (code) { - char *doing = 0; + if (ret) { + char *doing = NULL; switch (opts->action) { case INIT_PW: case INIT_KT: @@ -856,41 +807,40 @@ k5_kinit(opts, k5) /* If reply decryption failed, or if pre-authentication failed and we * were prompted for a password, assume the password was wrong. */ - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY || - (pwprompt && code == KRB5KDC_ERR_PREAUTH_FAILED)) { + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY || + (pwprompt && ret == KRB5KDC_ERR_PREAUTH_FAILED)) { fprintf(stderr, _("%s: Password incorrect while %s\n"), progname, doing); } else { - com_err(progname, code, _("while %s"), doing); + com_err(progname, ret, _("while %s"), doing); } goto cleanup; } - if ((opts->action != INIT_PW) && (opts->action != INIT_KT)) { - code = krb5_cc_initialize(k5->ctx, k5->out_cc, opts->canonicalize ? - my_creds.client : k5->me); - if (code) { - com_err(progname, code, _("when initializing cache %s"), - opts->k5_out_cache_name?opts->k5_out_cache_name:""); + if (opts->action != INIT_PW && opts->action != INIT_KT) { + ret = krb5_cc_initialize(k5->ctx, k5->out_cc, opts->canonicalize ? + my_creds.client : k5->me); + if (ret) { + com_err(progname, ret, _("when initializing cache %s"), + opts->k5_out_cache_name ? opts->k5_out_cache_name : ""); goto cleanup; } if (opts->verbose) fprintf(stderr, _("Initialized cache\n")); - code = krb5_cc_store_cred(k5->ctx, k5->out_cc, &my_creds); - if (code) { - com_err(progname, code, _("while storing credentials")); + ret = krb5_cc_store_cred(k5->ctx, k5->out_cc, &my_creds); + if (ret) { + com_err(progname, ret, _("while storing credentials")); goto cleanup; } if (opts->verbose) fprintf(stderr, _("Stored credentials\n")); } notix = 0; - if (k5->switch_to_cache) { - code = krb5_cc_switch(k5->ctx, k5->out_cc); - if (code) { - com_err(progname, code, _("while switching to new ccache")); + ret = krb5_cc_switch(k5->ctx, k5->out_cc); + if (ret) { + com_err(progname, ret, _("while switching to new ccache")); goto cleanup; } } @@ -901,24 +851,21 @@ cleanup: #endif if (options) krb5_get_init_creds_opt_free(k5->ctx, options); - if (my_creds.client == k5->me) { + if (my_creds.client == k5->me) my_creds.client = 0; - } if (opts->pa_opts) { free(opts->pa_opts); opts->pa_opts = NULL; opts->num_pa_opts = 0; } krb5_free_cred_contents(k5->ctx, &my_creds); - if (keytab) + if (keytab != NULL) krb5_kt_close(k5->ctx, keytab); - return notix?0:1; + return notix ? 0 : 1; } int -main(argc, argv) - int argc; - char **argv; +main(int argc, char *argv[]) { struct k_opts opts; struct k5_data k5; @@ -928,11 +875,11 @@ main(argc, argv) progname = GET_PROGNAME(argv[0]); /* Ensure we can be driven from a pipe */ - if(!isatty(fileno(stdin))) + if (!isatty(fileno(stdin))) setvbuf(stdin, 0, _IONBF, 0); - if(!isatty(fileno(stdout))) + if (!isatty(fileno(stdout))) setvbuf(stdout, 0, _IONBF, 0); - if(!isatty(fileno(stderr))) + if (!isatty(fileno(stderr))) setvbuf(stderr, 0, _IONBF, 0); memset(&opts, 0, sizeof(opts)); @@ -940,7 +887,7 @@ main(argc, argv) memset(&k5, 0, sizeof(k5)); - set_com_err_hook (extended_com_err_fn); + set_com_err_hook(extended_com_err_fn); parse_options(argc, argv, &opts); diff --git a/src/clients/kinit/kinit_kdb.c b/src/clients/kinit/kinit_kdb.c index 47baf90..fbd174b 100644 --- a/src/clients/kinit/kinit_kdb.c +++ b/src/clients/kinit/kinit_kdb.c @@ -36,38 +36,36 @@ #include #include "extern.h" -/** Server handle */ +/* Server handle */ static void *server_handle; -/** - * @internal Initialize KDB for given realm - * @param context pointer to context that will be re-initialized - * @@param realm name of realm to initialize - */ +/* Free and reinitialize *pcontext with the KDB opened to the given realm, so + * that it can be used with the KDB keytab type. */ krb5_error_code kinit_kdb_init(krb5_context *pcontext, char *realm) { kadm5_config_params config; - krb5_error_code retval = 0; + krb5_error_code ret; if (*pcontext) { krb5_free_context(*pcontext); *pcontext = NULL; } memset(&config, 0, sizeof config); - retval = kadm5_init_krb5_context(pcontext); - if (retval) - return retval; + + ret = kadm5_init_krb5_context(pcontext); + if (ret) + return ret; + config.mask = KADM5_CONFIG_REALM; config.realm = realm; - retval = kadm5_init(*pcontext, "kinit", NULL /*pass*/, - "kinit", &config, - KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, - &server_handle); - if (retval) - return retval; - retval = krb5_db_register_keytab(*pcontext); - return retval; + ret = kadm5_init(*pcontext, "kinit", NULL, "kinit", &config, + KADM5_STRUCT_VERSION, KADM5_API_VERSION_4, NULL, + &server_handle); + if (ret) + return ret; + + return krb5_db_register_keytab(*pcontext); } void diff --git a/src/clients/klist/Makefile.in b/src/clients/klist/Makefile.in index b93d567..3234825 100644 --- a/src/clients/klist/Makefile.in +++ b/src/clients/klist/Makefile.in @@ -22,7 +22,7 @@ klist: klist.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ klist.o $(KRB5_BASE_LIBS) ##WIN32##$(KLIST): $(OUTPRE)klist.obj $(SLIB) $(KLIB) $(CLIB) $(EXERES) -##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(SCLIB) +##WIN32## link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib ##WIN32## $(_VC_MANIFEST_EMBED_EXE) clean-unix:: diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c index ba19788..70adb54 100644 --- a/src/clients/klist/klist.c +++ b/src/clients/klist/klist.c @@ -32,13 +32,14 @@ #include #include #include + /* Need definition of INET6 before network headers, for IRIX. */ #if defined(HAVE_ARPA_INET_H) #include #endif #ifndef _WIN32 -#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x)) +#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/') + 1 : (x)) #else #define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x)) #endif @@ -48,42 +49,39 @@ #include #endif -extern int optind; - int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0; int show_etype = 0, show_addresses = 0, no_resolve = 0, print_version = 0; int show_adtype = 0, show_all = 0, list_all = 0, use_client_keytab = 0; int show_config = 0; char *defname; char *progname; -krb5_int32 now; +krb5_timestamp now; unsigned int timestamp_width; -krb5_context kcontext; +krb5_context context; -krb5_boolean is_local_tgt (krb5_principal princ, krb5_data *realm); -char * etype_string (krb5_enctype ); -void show_credential (krb5_creds *); +static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm); +static char *etype_string(krb5_enctype ); +static void show_credential(krb5_creds *); -void list_all_ccaches (void); -int list_ccache (krb5_ccache); -void show_all_ccaches (void); -void do_ccache_name (char *); -int show_ccache (krb5_ccache); -int check_ccache (krb5_ccache); -void do_keytab (char *); -void printtime (time_t); -void one_addr (krb5_address *); -void fillit (FILE *, unsigned int, int); +static void list_all_ccaches(void); +static int list_ccache(krb5_ccache); +static void show_all_ccaches(void); +static void do_ccache(void); +static int show_ccache(krb5_ccache); +static int check_ccache(krb5_ccache); +static void do_keytab(const char *); +static void printtime(krb5_timestamp); +static void one_addr(krb5_address *); +static void fillit(FILE *, unsigned int, int); #define DEFAULT 0 #define CCACHE 1 #define KEYTAB 2 -static void usage() +static void +usage() { -#define KRB_AVAIL_STRING(x) ((x)?"available":"not available") - fprintf(stderr, _("Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] " "[-a [-n]]] [-k [-t] [-K]] [name]\n"), progname); fprintf(stderr, _("\t-c specifies credentials cache\n")); @@ -114,21 +112,19 @@ extended_com_err_fn(const char *prog, errcode_t code, const char *fmt, { const char *msg; - msg = krb5_get_error_message(kcontext, code); + msg = krb5_get_error_message(context, code); fprintf(stderr, "%s: %s%s", prog, msg, (*fmt == '\0') ? "" : " "); - krb5_free_error_message(kcontext, msg); + krb5_free_error_message(context, msg); vfprintf(stderr, fmt, args); fprintf(stderr, "\n"); } int -main(argc, argv) - int argc; - char **argv; +main(int argc, char *argv[]) { - int c; - char *name; - int mode; + krb5_error_code ret; + char *name, tmp[BUFSIZ]; + int c, mode; setlocale(LC_ALL, ""); progname = GET_PROGNAME(argv[0]); @@ -136,7 +132,7 @@ main(argc, argv) name = NULL; mode = DEFAULT; - /* V=version so v can be used for verbose later if desired. */ + /* V = version so v can be used for verbose later if desired. */ while ((c = getopt(argc, argv, "dfetKsnacki45lAVC")) != -1) { switch (c) { case 'd': @@ -164,11 +160,13 @@ main(argc, argv) show_addresses = 1; break; case 'c': - if (mode != DEFAULT) usage(); + if (mode != DEFAULT) + usage(); mode = CCACHE; break; case 'k': - if (mode != DEFAULT) usage(); + if (mode != DEFAULT) + usage(); mode = KEYTAB; break; case 'i': @@ -198,9 +196,8 @@ main(argc, argv) } } - if (no_resolve && !show_addresses) { + if (no_resolve && !show_addresses) usage(); - } if (mode == DEFAULT || mode == CCACHE) { if (show_time || show_keys) @@ -215,7 +212,7 @@ main(argc, argv) if (argc - optind > 1) { fprintf(stderr, _("Extra arguments (starting with \"%s\").\n"), - argv[optind+1]); + argv[optind + 1]); usage(); } @@ -228,77 +225,82 @@ main(argc, argv) exit(0); } - name = (optind == argc-1) ? argv[optind] : 0; - + name = (optind == argc - 1) ? argv[optind] : NULL; now = time(0); - { - char tmp[BUFSIZ]; - if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) || - !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), - (char *) NULL)) - timestamp_width = (int) strlen(tmp); - else - timestamp_width = 15; + if (!krb5_timestamp_to_sfstring(now, tmp, 20, NULL) || + !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp), NULL)) + timestamp_width = (int)strlen(tmp); + else + timestamp_width = 15; + + ret = krb5_init_context(&context); + if (ret) { + com_err(progname, ret, _("while initializing krb5")); + exit(1); } - { - krb5_error_code retval; - retval = krb5_init_context(&kcontext); - if (retval) { - com_err(progname, retval, _("while initializing krb5")); + if (name != NULL && mode != KEYTAB) { + ret = krb5_cc_set_default_name(context, name); + if (ret) { + com_err(progname, ret, _("while setting default cache name")); exit(1); } - - if (list_all) - list_all_ccaches(); - else if (show_all) - show_all_ccaches(); - else if (mode == DEFAULT || mode == CCACHE) - do_ccache_name(name); - else - do_keytab(name); } + if (list_all) + list_all_ccaches(); + else if (show_all) + show_all_ccaches(); + else if (mode == DEFAULT || mode == CCACHE) + do_ccache(); + else + do_keytab(name); return 0; } -void do_keytab(name) - char *name; +static void +do_keytab(const char *name) { + krb5_error_code ret; krb5_keytab kt; krb5_keytab_entry entry; krb5_kt_cursor cursor; - char buf[BUFSIZ]; /* hopefully large enough for any type */ + unsigned int i; + char buf[BUFSIZ]; /* Hopefully large enough for any type */ char *pname; - int code; if (name == NULL && use_client_keytab) { - if ((code = krb5_kt_client_default(kcontext, &kt))) { - com_err(progname, code, _("while getting default client keytab")); + ret = krb5_kt_client_default(context, &kt); + if (ret) { + com_err(progname, ret, _("while getting default client keytab")); exit(1); } } else if (name == NULL) { - if ((code = krb5_kt_default(kcontext, &kt))) { - com_err(progname, code, _("while getting default keytab")); + ret = krb5_kt_default(context, &kt); + if (ret) { + com_err(progname, ret, _("while getting default keytab")); exit(1); } } else { - if ((code = krb5_kt_resolve(kcontext, name, &kt))) { - com_err(progname, code, _("while resolving keytab %s"), name); + ret = krb5_kt_resolve(context, name, &kt); + if (ret) { + com_err(progname, ret, _("while resolving keytab %s"), name); exit(1); } } - if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) { - com_err(progname, code, _("while getting keytab name")); + ret = krb5_kt_get_name(context, kt, buf, BUFSIZ); + if (ret) { + com_err(progname, ret, _("while getting keytab name")); exit(1); } printf("Keytab name: %s\n", buf); - if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) { - com_err(progname, code, _("while starting keytab scan")); + ret = krb5_kt_start_seq_get(context, kt, &cursor); + if (ret) { + com_err(progname, ret, _("while starting keytab scan")); exit(1); } @@ -314,12 +316,14 @@ void do_keytab(name) printf("\n"); } else { printf("KVNO Principal\n"); - printf("---- --------------------------------------------------------------------------\n"); + printf("---- ------------------------------------------------" + "--------------------------\n"); } - while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) { - if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) { - com_err(progname, code, _("while unparsing principal name")); + while ((ret = krb5_kt_next_entry(context, kt, &entry, &cursor)) == 0) { + ret = krb5_unparse_name(context, entry.principal, &pname); + if (ret) { + com_err(progname, ret, _("while unparsing principal name")); exit(1); } printf("%4d ", entry.vno); @@ -332,40 +336,38 @@ void do_keytab(name) printf(" (%s) " , etype_string(entry.key.enctype)); if (show_keys) { printf(" (0x"); - { - unsigned int i; - for (i = 0; i < entry.key.length; i++) - printf("%02x", entry.key.contents[i]); - } + for (i = 0; i < entry.key.length; i++) + printf("%02x", entry.key.contents[i]); printf(")"); } printf("\n"); - krb5_free_unparsed_name(kcontext, pname); - krb5_free_keytab_entry_contents(kcontext, &entry); + krb5_free_unparsed_name(context, pname); + krb5_free_keytab_entry_contents(context, &entry); } - if (code && code != KRB5_KT_END) { - com_err(progname, code, _("while scanning keytab")); + if (ret && ret != KRB5_KT_END) { + com_err(progname, ret, _("while scanning keytab")); exit(1); } - if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) { - com_err(progname, code, _("while ending keytab scan")); + ret = krb5_kt_end_seq_get(context, kt, &cursor); + if (ret) { + com_err(progname, ret, _("while ending keytab scan")); exit(1); } exit(0); } -void -list_all_ccaches(void) +static void +list_all_ccaches() { - krb5_error_code code; + krb5_error_code ret; krb5_ccache cache; krb5_cccol_cursor cursor; int exit_status; - code = krb5_cccol_cursor_new(kcontext, &cursor); - if (code) { + ret = krb5_cccol_cursor_new(context, &cursor); + if (ret) { if (!status_only) - com_err(progname, code, _("while listing ccache collection")); + com_err(progname, ret, _("while listing ccache collection")); exit(1); } @@ -373,31 +375,31 @@ list_all_ccaches(void) printf("%-30s %s\n", "Principal name", "Cache name"); printf("%-30s %s\n", "--------------", "----------"); exit_status = 1; - while (!(code = krb5_cccol_cursor_next(kcontext, cursor, &cache)) && + while ((ret = krb5_cccol_cursor_next(context, cursor, &cache)) == 0 && cache != NULL) { exit_status = list_ccache(cache) && exit_status; - krb5_cc_close(kcontext, cache); + krb5_cc_close(context, cache); } - krb5_cccol_cursor_free(kcontext, &cursor); + krb5_cccol_cursor_free(context, &cursor); exit(exit_status); } -int +static int list_ccache(krb5_ccache cache) { - krb5_error_code code; + krb5_error_code ret; krb5_principal princ = NULL; char *princname = NULL, *ccname = NULL; int expired, status = 1; - code = krb5_cc_get_principal(kcontext, cache, &princ); - if (code) /* Uninitialized cache file, probably. */ + ret = krb5_cc_get_principal(context, cache, &princ); + if (ret) /* Uninitialized cache file, probably. */ goto cleanup; - code = krb5_unparse_name(kcontext, princ, &princname); - if (code) + ret = krb5_unparse_name(context, princ, &princname); + if (ret) goto cleanup; - code = krb5_cc_get_full_name(kcontext, cache, &ccname); - if (code) + ret = krb5_cc_get_full_name(context, cache, &ccname); + if (ret) goto cleanup; expired = check_ccache(cache); @@ -408,87 +410,82 @@ list_ccache(krb5_ccache cache) printf("\n"); status = 0; + cleanup: - krb5_free_principal(kcontext, princ); - krb5_free_unparsed_name(kcontext, princname); - krb5_free_string(kcontext, ccname); + krb5_free_principal(context, princ); + krb5_free_unparsed_name(context, princname); + krb5_free_string(context, ccname); return status; } -void +static void show_all_ccaches(void) { - krb5_error_code code; + krb5_error_code ret; krb5_ccache cache; krb5_cccol_cursor cursor; krb5_boolean first; int exit_status, st; - code = krb5_cccol_cursor_new(kcontext, &cursor); - if (code) { + ret = krb5_cccol_cursor_new(context, &cursor); + if (ret) { if (!status_only) - com_err(progname, code, _("while listing ccache collection")); + com_err(progname, ret, _("while listing ccache collection")); exit(1); } exit_status = 1; first = TRUE; - while (!(code = krb5_cccol_cursor_next(kcontext, cursor, &cache)) && + while ((ret = krb5_cccol_cursor_next(context, cursor, &cache)) == 0 && cache != NULL) { if (!status_only && !first) printf("\n"); first = FALSE; st = status_only ? check_ccache(cache) : show_ccache(cache); exit_status = st && exit_status; - krb5_cc_close(kcontext, cache); + krb5_cc_close(context, cache); } - krb5_cccol_cursor_free(kcontext, &cursor); + krb5_cccol_cursor_free(context, &cursor); exit(exit_status); } -void -do_ccache_name(char *name) +static void +do_ccache() { - krb5_error_code code; + krb5_error_code ret; krb5_ccache cache; - if (name == NULL) { - if ((code = krb5_cc_default(kcontext, &cache))) { - if (!status_only) - com_err(progname, code, _("while getting default ccache")); - exit(1); - } - } else { - if ((code = krb5_cc_resolve(kcontext, name, &cache))) { - if (!status_only) - com_err(progname, code, _("while resolving ccache %s"), - name); - exit(1); - } + ret = krb5_cc_default(context, &cache); + if (ret) { + if (!status_only) + com_err(progname, ret, _("while resolving ccache")); + exit(1); } exit(status_only ? check_ccache(cache) : show_ccache(cache)); } /* Display the contents of cache. */ -int +static int show_ccache(krb5_ccache cache) { krb5_cc_cursor cur; krb5_creds creds; krb5_principal princ; - krb5_error_code code; + krb5_error_code ret; - if ((code = krb5_cc_get_principal(kcontext, cache, &princ))) { - com_err(progname, code, ""); + ret = krb5_cc_get_principal(context, cache, &princ); + if (ret) { + com_err(progname, ret, ""); return 1; } - if ((code = krb5_unparse_name(kcontext, princ, &defname))) { - com_err(progname, code, _("while unparsing principal name")); + ret = krb5_unparse_name(context, princ, &defname); + if (ret) { + com_err(progname, ret, _("while unparsing principal name")); return 1; } printf(_("Ticket cache: %s:%s\nDefault principal: %s\n\n"), - krb5_cc_get_type(kcontext, cache), - krb5_cc_get_name(kcontext, cache), defname); + krb5_cc_get_type(context, cache), krb5_cc_get_name(context, cache), + defname); /* XXX Translating would disturb table alignment; skip for now. */ fputs("Valid starting", stdout); fillit(stdout, timestamp_width - sizeof("Valid starting") + 3, (int) ' '); @@ -496,32 +493,34 @@ show_ccache(krb5_ccache cache) fillit(stdout, timestamp_width - sizeof("Expires") + 3, (int) ' '); fputs("Service principal\n", stdout); - if ((code = krb5_cc_start_seq_get(kcontext, cache, &cur))) { - com_err(progname, code, _("while starting to retrieve tickets")); + ret = krb5_cc_start_seq_get(context, cache, &cur); + if (ret) { + com_err(progname, ret, _("while starting to retrieve tickets")); return 1; } - while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { - if (show_config || !krb5_is_config_principal(kcontext, creds.server)) + while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { + if (show_config || !krb5_is_config_principal(context, creds.server)) show_credential(&creds); - krb5_free_cred_contents(kcontext, &creds); + krb5_free_cred_contents(context, &creds); } - krb5_free_principal(kcontext, princ); - krb5_free_unparsed_name(kcontext, defname); + krb5_free_principal(context, princ); + krb5_free_unparsed_name(context, defname); defname = NULL; - if (code == KRB5_CC_END) { - if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) { - com_err(progname, code, _("while finishing ticket retrieval")); + if (ret == KRB5_CC_END) { + ret = krb5_cc_end_seq_get(context, cache, &cur); + if (ret) { + com_err(progname, ret, _("while finishing ticket retrieval")); return 1; } return 0; } else { - com_err(progname, code, _("while retrieving a ticket")); + com_err(progname, ret, _("while retrieving a ticket")); return 1; } } /* Return 0 if cache is accessible, present, and unexpired; return 1 if not. */ -int +static int check_ccache(krb5_ccache cache) { krb5_error_code ret; @@ -530,26 +529,26 @@ check_ccache(krb5_ccache cache) krb5_principal princ; krb5_boolean found_tgt, found_current_tgt, found_current_cred; - if (krb5_cc_get_principal(kcontext, cache, &princ) != 0) + if (krb5_cc_get_principal(context, cache, &princ) != 0) return 1; - if (krb5_cc_start_seq_get(kcontext, cache, &cur) != 0) + if (krb5_cc_start_seq_get(context, cache, &cur) != 0) return 1; found_tgt = found_current_tgt = found_current_cred = FALSE; - while (!(ret = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) { + while ((ret = krb5_cc_next_cred(context, cache, &cur, &creds)) == 0) { if (is_local_tgt(creds.server, &princ->realm)) { found_tgt = TRUE; - if (creds.times.endtime > now) + if (ts_after(creds.times.endtime, now)) found_current_tgt = TRUE; - } else if (!krb5_is_config_principal(kcontext, creds.server) && - creds.times.endtime > now) { + } else if (!krb5_is_config_principal(context, creds.server) && + ts_after(creds.times.endtime, now)) { found_current_cred = TRUE; } - krb5_free_cred_contents(kcontext, &creds); + krb5_free_cred_contents(context, &creds); } - krb5_free_principal(kcontext, princ); + krb5_free_principal(context, princ); if (ret != KRB5_CC_END) return 1; - if (krb5_cc_end_seq_get(kcontext, cache, &cur) != 0) + if (krb5_cc_end_seq_get(context, cache, &cur) != 0) return 1; /* If the cache contains at least one local TGT, require that it be @@ -560,7 +559,7 @@ check_ccache(krb5_ccache cache) } /* Return true if princ is the local krbtgt principal for local_realm. */ -krb5_boolean +static krb5_boolean is_local_tgt(krb5_principal princ, krb5_data *realm) { return princ->length == 2 && data_eq(princ->realm, *realm) && @@ -568,24 +567,20 @@ is_local_tgt(krb5_principal princ, krb5_data *realm) data_eq(princ->data[1], *realm); } -char * -etype_string(enctype) - krb5_enctype enctype; +static char * +etype_string(krb5_enctype enctype) { static char buf[100]; - krb5_error_code retval; + krb5_error_code ret; - if ((retval = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf)))) { - /* XXX if there's an error != EINVAL, I should probably report it */ + ret = krb5_enctype_to_name(enctype, FALSE, buf, sizeof(buf)); + if (ret) snprintf(buf, sizeof(buf), "etype %d", enctype); - } - return buf; } static char * -flags_string(cred) - register krb5_creds *cred; +flags_string(krb5_creds *cred) { static char buf[32]; int i = 0; @@ -615,27 +610,21 @@ flags_string(cred) if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED) buf[i++] = 'T'; if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE) - buf[i++] = 'O'; /* D/d are taken. Use short strings? */ + buf[i++] = 'O'; /* D/d are taken. Use short strings? */ if (cred->ticket_flags & TKT_FLG_ANONYMOUS) buf[i++] = 'a'; buf[i] = '\0'; - return(buf); + return buf; } -void -printtime(tv) - time_t tv; +static void +printtime(krb5_timestamp ts) { - char timestring[BUFSIZ]; - char fill; - - fill = ' '; - if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv, - timestring, - timestamp_width+1, - &fill)) { + char timestring[BUFSIZ], fill = ' '; + + if (!krb5_timestamp_to_sfstring(ts, timestring, timestamp_width + 1, + &fill)) printf("%s", timestring); - } } static void @@ -663,35 +652,35 @@ print_config_data(int col, krb5_data *data) putchar('\n'); } -void -show_credential(cred) - register krb5_creds * cred; +static void +show_credential(krb5_creds *cred) { - krb5_error_code retval; + krb5_error_code ret; krb5_ticket *tkt; char *name, *sname, *flags; int extra_field = 0, ccol = 0, i; - retval = krb5_unparse_name(kcontext, cred->client, &name); - if (retval) { - com_err(progname, retval, _("while unparsing client name")); + ret = krb5_unparse_name(context, cred->client, &name); + if (ret) { + com_err(progname, ret, _("while unparsing client name")); return; } - retval = krb5_unparse_name(kcontext, cred->server, &sname); - if (retval) { - com_err(progname, retval, _("while unparsing server name")); - krb5_free_unparsed_name(kcontext, name); + ret = krb5_unparse_name(context, cred->server, &sname); + if (ret) { + com_err(progname, ret, _("while unparsing server name")); + krb5_free_unparsed_name(context, name); return; } if (!cred->times.starttime) cred->times.starttime = cred->times.authtime; - if (!krb5_is_config_principal(kcontext, cred->server)) { + if (!krb5_is_config_principal(context, cred->server)) { printtime(cred->times.starttime); - putchar(' '); putchar(' '); + putchar(' '); + putchar(' '); printtime(cred->times.endtime); - putchar(' '); putchar(' '); - + putchar(' '); + putchar(' '); printf("%s\n", sname); } else { fputs("config: ", stdout); @@ -712,7 +701,7 @@ show_credential(cred) extra_field++; } - if (krb5_is_config_principal(kcontext, cred->server)) + if (krb5_is_config_principal(context, cred->server)) print_config_data(ccol, &cred->ticket); if (cred->times.renew_till) { @@ -748,8 +737,8 @@ show_credential(cred) } if (show_etype) { - retval = krb5_decode_ticket(&cred->ticket, &tkt); - if (retval) + ret = krb5_decode_ticket(&cred->ticket, &tkt); + if (ret) goto err_tkt; if (!extra_field) @@ -758,13 +747,12 @@ show_credential(cred) fputs(", ",stdout); printf(_("Etype (skey, tkt): %s, "), etype_string(cred->keyblock.enctype)); - printf("%s ", - etype_string(tkt->enc_part.enctype)); + printf("%s ", etype_string(tkt->enc_part.enctype)); extra_field++; err_tkt: if (tkt != NULL) - krb5_free_ticket(kcontext, tkt); + krb5_free_ticket(context, tkt); } if (show_adtype) { @@ -783,19 +771,18 @@ show_credential(cred) } } - /* if any additional info was printed, extra_field is non-zero */ + /* If any additional info was printed, extra_field is non-zero. */ if (extra_field) putchar('\n'); - if (show_addresses) { - if (!cred->addresses || !cred->addresses[0]) { + if (cred->addresses == NULL || cred->addresses[0] == NULL) { printf(_("\tAddresses: (none)\n")); } else { printf(_("\tAddresses: ")); one_addr(cred->addresses[0]); - for (i=1; cred->addresses[i]; i++) { + for (i = 1; cred->addresses[i] != NULL; i++) { printf(", "); one_addr(cred->addresses[i]); } @@ -804,45 +791,45 @@ show_credential(cred) } } - krb5_free_unparsed_name(kcontext, name); - krb5_free_unparsed_name(kcontext, sname); + krb5_free_unparsed_name(context, name); + krb5_free_unparsed_name(context, sname); } #include "port-sockets.h" -#include "socket-utils.h" /* for ss2sin etc */ +#include "socket-utils.h" /* For ss2sin etc. */ #include "fake-addrinfo.h" -void one_addr(a) - krb5_address *a; +static void +one_addr(krb5_address *a) { struct sockaddr_storage ss; + struct sockaddr_in *sinp; + struct sockaddr_in6 *sin6p; int err; char namebuf[NI_MAXHOST]; - memset (&ss, 0, sizeof (ss)); + memset(&ss, 0, sizeof(ss)); switch (a->addrtype) { case ADDRTYPE_INET: if (a->length != 4) { - broken: printf(_("broken address (type %d length %d)"), a->addrtype, a->length); return; } - { - struct sockaddr_in *sinp = ss2sin (&ss); - sinp->sin_family = AF_INET; - memcpy (&sinp->sin_addr, a->contents, 4); - } + sinp = ss2sin(&ss); + sinp->sin_family = AF_INET; + memcpy(&sinp->sin_addr, a->contents, 4); break; case ADDRTYPE_INET6: - if (a->length != 16) - goto broken; - { - struct sockaddr_in6 *sin6p = ss2sin6 (&ss); - sin6p->sin6_family = AF_INET6; - memcpy (&sin6p->sin6_addr, a->contents, 16); + if (a->length != 16) { + printf(_("broken address (type %d length %d)"), + a->addrtype, a->length); + return; } + sin6p = ss2sin6(&ss); + sin6p->sin6_family = AF_INET6; + memcpy(&sin6p->sin6_addr, a->contents, 16); break; default: printf(_("unknown addrtype %d"), a->addrtype); @@ -850,25 +837,22 @@ void one_addr(a) } namebuf[0] = 0; - err = getnameinfo (ss2sa (&ss), sa_socklen (ss2sa (&ss)), - namebuf, sizeof (namebuf), 0, 0, - no_resolve ? NI_NUMERICHOST : 0U); + err = getnameinfo(ss2sa(&ss), sa_socklen(ss2sa(&ss)), namebuf, + sizeof(namebuf), 0, 0, + no_resolve ? NI_NUMERICHOST : 0U); if (err) { printf(_("unprintable address (type %d, error %d %s)"), a->addrtype, - err, gai_strerror (err)); + err, gai_strerror(err)); return; } - printf ("%s", namebuf); + printf("%s", namebuf); } -void -fillit(f, num, c) - FILE *f; - unsigned int num; - int c; +static void +fillit(FILE *f, unsigned int num, int c) { unsigned int i; - for (i=0; i #include @@ -15,18 +16,18 @@ #ifdef HAVE_PWD_H #include -static -void get_name_from_passwd_file(program_name, kcontext, me) - char * program_name; - krb5_context kcontext; - krb5_principal * me; +static void +get_name_from_passwd_file(char *program_name, krb5_context context, + krb5_principal *me) { struct passwd *pw; - krb5_error_code code; - if ((pw = getpwuid(getuid()))) { - if ((code = krb5_parse_name(kcontext, pw->pw_name, me))) { - com_err(program_name, code, _("when parsing name %s"), - pw->pw_name); + krb5_error_code ret; + + pw = getpwuid(getuid()); + if (pw != NULL) { + ret = krb5_parse_name(context, pw->pw_name, me); + if (ret) { + com_err(program_name, ret, _("when parsing name %s"), pw->pw_name); exit(1); } } else { @@ -35,9 +36,8 @@ void get_name_from_passwd_file(program_name, kcontext, me) } } #else /* HAVE_PWD_H */ -void get_name_from_passwd_file(kcontext, me) - krb5_context kcontext; - krb5_principal * me; +static void +get_name_from_passwd_file(krb5_context context, krb5_principal *me) { fprintf(stderr, _("Unable to identify user\n")); exit(1); @@ -49,13 +49,11 @@ int main(int argc, char *argv[]) krb5_error_code ret; krb5_context context; krb5_principal princ = NULL; - char *pname; + char *pname, *message; + char pw[1024]; krb5_ccache ccache; krb5_get_init_creds_opt *opts = NULL; krb5_creds creds; - char *message; - - char pw[1024]; unsigned int pwlen; int result_code; krb5_data result_code_string, result_string; @@ -73,48 +71,48 @@ int main(int argc, char *argv[]) com_err(argv[0], ret, _("initializing kerberos library")); exit(1); } - if ((ret = krb5_get_init_creds_opt_alloc(context, &opts))) { + ret = krb5_get_init_creds_opt_alloc(context, &opts); + if (ret) { com_err(argv[0], ret, _("allocating krb5_get_init_creds_opt")); exit(1); } - /* in order, use the first of: - - a name specified on the command line - - the principal name from an existing ccache - - the name corresponding to the ruid of the process - - otherwise, it's an error. - We always attempt to open the default ccache in order to use FAST if - possible. - */ + /* + * In order, use the first of: + * - A name specified on the command line + * - The principal name from an existing ccache + * - The name corresponding to the ruid of the process + * + * Otherwise, it's an error. + * We always attempt to open the default ccache in order to use FAST if + * possible. + */ ret = krb5_cc_default(context, &ccache); - if (ret != 0) { + if (ret) { com_err(argv[0], ret, _("opening default ccache")); exit(1); } ret = krb5_cc_get_principal(context, ccache, &princ); - if (ret != 0 && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { + if (ret && ret != KRB5_CC_NOTFOUND && ret != KRB5_FCC_NOFILE) { com_err(argv[0], ret, _("getting principal from ccache")); exit(1); - } else { - if (princ != NULL) { - ret = krb5_get_init_creds_opt_set_fast_ccache(context, opts, - ccache); - if (ret) { - com_err(argv[0], ret, _("while setting FAST ccache")); - exit(1); - } + } else if (princ != NULL) { + ret = krb5_get_init_creds_opt_set_fast_ccache(context, opts, ccache); + if (ret) { + com_err(argv[0], ret, _("while setting FAST ccache")); + exit(1); } } ret = krb5_cc_close(context, ccache); - if (ret != 0) { + if (ret) { com_err(argv[0], ret, _("closing ccache")); exit(1); } - if (pname) { + if (pname != NULL) { krb5_free_principal(context, princ); princ = NULL; - if ((ret = krb5_parse_name(context, pname, &princ))) { + ret = krb5_parse_name(context, pname, &princ); + if (ret) { com_err(argv[0], ret, _("parsing client name")); exit(1); } @@ -122,33 +120,37 @@ int main(int argc, char *argv[]) if (princ == NULL) get_name_from_passwd_file(argv[0], context, &princ); - krb5_get_init_creds_opt_set_tkt_life(opts, 5*60); + krb5_get_init_creds_opt_set_tkt_life(opts, 5 * 60); krb5_get_init_creds_opt_set_renew_life(opts, 0); krb5_get_init_creds_opt_set_forwardable(opts, 0); krb5_get_init_creds_opt_set_proxiable(opts, 0); - if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL, - krb5_prompter_posix, NULL, - 0, "kadmin/changepw", opts))) { - if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + ret = krb5_get_init_creds_password(context, &creds, princ, NULL, + krb5_prompter_posix, NULL, 0, + "kadmin/changepw", opts); + if (ret) { + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) { com_err(argv[0], 0, _("Password incorrect while getting initial ticket")); - else + } else { com_err(argv[0], ret, _("getting initial ticket")); + } + krb5_get_init_creds_opt_free(context, opts); exit(1); } pwlen = sizeof(pw); - if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) { + ret = krb5_read_password(context, P1, P2, pw, &pwlen); + if (ret) { com_err(argv[0], ret, _("while reading password")); krb5_get_init_creds_opt_free(context, opts); exit(1); } - if ((ret = krb5_change_password(context, &creds, pw, - &result_code, &result_code_string, - &result_string))) { + ret = krb5_change_password(context, &creds, pw, &result_code, + &result_code_string, &result_string); + if (ret) { com_err(argv[0], ret, _("changing password")); krb5_get_init_creds_opt_free(context, opts); exit(1); @@ -158,17 +160,15 @@ int main(int argc, char *argv[]) if (krb5_chpw_message(context, &result_string, &message) != 0) message = NULL; printf("%.*s%s%s\n", - (int) result_code_string.length, result_code_string.data, + (int)result_code_string.length, result_code_string.data, message ? ": " : "", message ? message : NULL); krb5_free_string(context, message); krb5_get_init_creds_opt_free(context, opts); exit(2); } - if (result_string.data != NULL) - free(result_string.data); - if (result_code_string.data != NULL) - free(result_code_string.data); + free(result_string.data); + free(result_code_string.data); krb5_get_init_creds_opt_free(context, opts); printf(_("Password changed.\n")); diff --git a/src/clients/kpasswd/ksetpwd.c b/src/clients/kpasswd/ksetpwd.c deleted file mode 100644 index 2aafb6c..0000000 --- a/src/clients/kpasswd/ksetpwd.c +++ /dev/null @@ -1,309 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -#include -#include -#include -#include - -#define TKTTIMELEFT 60*10 /* ten minutes */ - -static int verify_creds() -{ - krb5_context kcontext; - krb5_ccache ccache; - krb5_error_code kres; - - kres = krb5_init_context(&kcontext); - if( kres == 0 ) - { - kres = krb5_cc_default( kcontext, &ccache ); - if( kres == 0 ) - { - krb5_principal user_princ; - - kres = krb5_cc_get_principal( kcontext, ccache, &user_princ ); - if( kres == 0 ) - krb5_free_principal( kcontext, user_princ ); - krb5_cc_close( kcontext, ccache ); - } - krb5_free_context(kcontext); - } - return kres; -} - -static void get_init_creds_opt_init( krb5_get_init_creds_opt *outOptions ) -{ - krb5_preauthtype preauth[] = { KRB5_PADATA_ENC_TIMESTAMP }; - krb5_enctype etypes[] = {ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_CRC}; - krb5_get_init_creds_opt_set_address_list(outOptions, NULL); - krb5_get_init_creds_opt_set_etype_list( outOptions, etypes, sizeof(etypes)/sizeof(krb5_enctype) ); - krb5_get_init_creds_opt_set_preauth_list(outOptions, preauth, sizeof(preauth)/sizeof(krb5_preauthtype) ); -} - -typedef void * kbrccache_t; -#define CCACHE_PREFIX_DEFAULT "MEMORY:C_" - -static kbrccache_t userinitcontext( - const char * user, const char * domain, const char * passwd, const char * cachename, int initialize, - int * outError ) -{ - krb5_context kcontext = 0; - krb5_ccache kcache = 0; - krb5_creds kcreds; - krb5_principal kme = 0; - krb5_error_code kres; - char * pPass = strdup( passwd ); - char * pName = NULL; - char * pCacheName = NULL; - int numCreds = 0; - - memset( &kcreds, 0, sizeof(kcreds) ); - kres = krb5_init_context( &kcontext ); - if( kres ) - goto return_error; - if( domain ) - kres = krb5_build_principal( kcontext, &kme, strlen(domain), domain, user, (char *) 0 ); - else - kres = krb5_parse_name( kcontext, user, &kme ); - if( kres ) - goto fail; - krb5_unparse_name( kcontext, kme, &pName ); - if( cachename ) - { - if (asprintf(&pCacheName, "%s%s", cachename, pName) < 0) - { - kres = KRB5_CC_NOMEM; - goto fail; - } - kres = krb5_cc_resolve( kcontext, pCacheName, &kcache ); - if( kres ) - { - kres = krb5_cc_resolve( kcontext, CCACHE_PREFIX_DEFAULT, &kcache ); - if( kres == 0 ) - pCacheName = strdup(CCACHE_PREFIX_DEFAULT); - } - } - else - { - kres = krb5_cc_default( kcontext, &kcache ); - pCacheName = strdup( krb5_cc_get_name( kcontext, kcache ) ); - } - if( kres ) - { - krb5_free_context(kcontext); - goto return_error; - } - if( initialize ) - krb5_cc_initialize( kcontext, kcache, kme ); - if( kres == 0 && user && passwd ) - { - long timeneeded = time(0L) +TKTTIMELEFT; - int have_credentials = 0; - krb5_cc_cursor cc_curs = NULL; - numCreds = 0; - if( (kres=krb5_cc_start_seq_get(kcontext, kcache, &cc_curs)) >= 0 ) - { - while( (kres=krb5_cc_next_cred(kcontext, kcache, &cc_curs, &kcreds))== 0) - { - numCreds++; - if( krb5_principal_compare( kcontext, kme, kcreds.client ) ) - { - if( kcreds.ticket_flags & TKT_FLG_INITIAL && kcreds.times.endtime>timeneeded ) - have_credentials = 1; - } - krb5_free_cred_contents( kcontext, &kcreds ); - if( have_credentials ) - break; - } - krb5_cc_end_seq_get( kcontext, kcache, &cc_curs ); - } - else - { - const char * errmsg = error_message(kres); - fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); - } - if( kres != 0 || have_credentials == 0 ) - { - krb5_get_init_creds_opt *options = NULL; - kres = krb5_get_init_creds_opt_alloc(kcontext, &options); - if ( kres == 0 ) - { - get_init_creds_opt_init(options); -/* -** no valid credentials - get new ones -*/ - kres = krb5_get_init_creds_password( kcontext, &kcreds, kme, pPass, - NULL /*prompter*/, - NULL /*data*/, - 0 /*starttime*/, - 0 /*in_tkt_service*/, - options /*options*/ ); - } - if( kres == 0 ) - { - if( numCreds <= 0 ) - kres = krb5_cc_initialize( kcontext, kcache, kme ); - if( kres == 0 ) - kres = krb5_cc_store_cred( kcontext, kcache, &kcreds ); - if( kres == 0 ) - have_credentials = 1; - } - krb5_get_init_creds_opt_free(kcontext, options); - } -#ifdef NOTUSED - if( have_credentials ) - { - int mstat; - kres = gss_krb5_ccache_name( &mstat, pCacheName, NULL ); - if( getenv( ENV_DEBUG_LDAPKERB ) ) - fprintf( stderr, "gss credentials cache set to %s(%d)\n", pCacheName, kres ); - } -#endif - krb5_cc_close( kcontext, kcache ); - } -fail: - if( kres ) - { - const char * errmsg = error_message(kres); - fprintf( stderr, "%s user init(%s): %s\n", "setpass", pName, errmsg ); - } - krb5_free_principal( kcontext, kme ); - krb5_free_cred_contents( kcontext, &kcreds ); - if( pName ) - free( pName ); - free(pPass); - krb5_free_context(kcontext); - -return_error: - if( kres ) - { - if( pCacheName ) - { - free(pCacheName); - pCacheName = NULL; - } - } - if( outError ) - *outError = kres; - return pCacheName; -} - -static int init_creds() -{ - char user[512]; - char * password = NULL; - int result; - - user[0] = 0; - result = -1; - - for(;;) - { - while( user[0] == 0 ) - { - int userlen; - printf( "Username: "); - fflush(stdout); - if( fgets( user, sizeof(user), stdin ) == NULL ) - return -1; - userlen = strlen( user); - if( userlen < 2 ) - continue; - user[userlen-1] = 0; /* get rid of the newline */ - break; - } - { - kbrccache_t usercontext; - password = getpass( "Password: "); - if( ! password ) - return -1; - result = 0; - usercontext = userinitcontext( user, NULL, password, NULL, 1, &result ); - if( usercontext ) - break; - } - } - return result; -} - -int main( int argc, char ** argv ) -{ - char * new_password; - char * new_password2; - krb5_context kcontext; - krb5_error_code kerr; - krb5_principal target_principal; - - - if( argc < 2 ) - { - fprintf( stderr, "Usage: setpass user@REALM\n"); - exit(1); - } - -/* -** verify credentials - -*/ - if( verify_creds() ) - init_creds(); - if( verify_creds() ) - { - fprintf( stderr, "No user credentials available\n"); - exit(1); - } -/* -** check the principal name - -*/ - krb5_init_context(&kcontext); - kerr = krb5_parse_name( kcontext, argv[1], &target_principal ); - - { - char * pname = NULL; - kerr = krb5_unparse_name( kcontext, target_principal, &pname ); - printf( "Changing password for %s:\n", pname); - fflush( stdout ); - free( pname ); - } -/* -** get the new password - -*/ - for (;;) - { - new_password = getpass("Enter new password: "); - new_password2 = getpass("Verify new password: "); - if( strcmp( new_password, new_password2 ) == 0) - break; - printf("Passwords do not match\n"); - free( new_password ); - free( new_password2 ); - } -/* -** change the password - -*/ - { - int pw_result; - krb5_ccache ccache; - krb5_data pw_res_string, res_string; - - kerr = krb5_cc_default( kcontext, &ccache ); - if( kerr == 0 ) - { - kerr = krb5_set_password_using_ccache(kcontext, ccache, new_password, target_principal, - &pw_result, &pw_res_string, &res_string ); - if( kerr ) - fprintf( stderr, "Failed: %s\n", error_message(kerr) ); - else - { - if( pw_result ) - { - fprintf( stderr, "Failed(%d)", pw_result ); - if( pw_res_string.length > 0 ) - fprintf( stderr, ": %s", pw_res_string.data); - if( res_string.length > 0 ) - fprintf( stderr, " %s", res_string.data); - fprintf( stderr, "\n"); - } - } - } - } - return(0); -} diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c index 90aafbd..8919218 100644 --- a/src/clients/ksu/authorization.c +++ b/src/clients/ksu/authorization.c @@ -123,23 +123,6 @@ krb5_error_code krb5_authorization(context, principal, luser, "In krb5_authorization: if auth files exist -> can access\n"); } -#if 0 - if (cmd){ - if(k5users_flag){ - return 0; /* if kusers does not exist -> done */ - }else{ - if(retval = k5users_lookup(users_fp,princname, - cmd,&retbool,out_fcmd)){ - auth_cleanup(users_fp, login_fp, princname); - return retval; - }else{ - *ok =retbool; - return retval; - } - } - } -#endif - /* if either file exists, first see if the principal is in the login in file, if it's not there check the k5users file */ diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c index a0736f2..2a99521 100644 --- a/src/clients/ksu/ccache.c +++ b/src/clients/ksu/ccache.c @@ -278,11 +278,11 @@ krb5_error_code krb5_check_exp(context, tkt_time) context->clockskew); fprintf(stderr,"krb5_check_exp: currenttime - endtime %d \n", - (currenttime - tkt_time.endtime )); + ts_delta(currenttime, tkt_time.endtime)); } - if (currenttime - tkt_time.endtime > context->clockskew){ + if (ts_after(currenttime, ts_incr(tkt_time.endtime, context->clockskew))) { retval = KRB5KRB_AP_ERR_TKT_EXPIRED ; return retval; } @@ -323,21 +323,11 @@ char *flags_string(cred) return(buf); } -void printtime(tv) - time_t tv; +void printtime(krb5_timestamp ts) { - char fmtbuf[18]; - char fill; - krb5_timestamp tstamp; - - /* XXXX ASSUMES sizeof(krb5_timestamp) >= sizeof(time_t) */ - (void) localtime((time_t *)&tv); - tstamp = tv; - fill = ' '; - if (!krb5_timestamp_to_sfstring(tstamp, - fmtbuf, - sizeof(fmtbuf), - &fill)) + char fmtbuf[18], fill = ' '; + + if (!krb5_timestamp_to_sfstring(ts, fmtbuf, sizeof(fmtbuf), &fill)) printf("%s", fmtbuf); } diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c index 0d055e4..3eb28ab 100644 --- a/src/clients/ksu/heuristic.c +++ b/src/clients/ksu/heuristic.c @@ -266,7 +266,6 @@ get_authorized_princ_names(luser, cmd, princ_list) retval = list_union(k5login_list, k5users_filt_list, &combined_list); if (retval){ - close_time(k5users_flag,users_fp, k5login_flag,login_fp); return retval; } *princ_list = combined_list; diff --git a/src/clients/ksu/ksu.h b/src/clients/ksu/ksu.h index ee8e9d6..3bf0bd4 100644 --- a/src/clients/ksu/ksu.h +++ b/src/clients/ksu/ksu.h @@ -150,7 +150,7 @@ extern krb5_boolean krb5_find_princ_in_cred_list extern krb5_error_code krb5_find_princ_in_cache (krb5_context, krb5_ccache, krb5_principal, krb5_boolean *); -extern void printtime (time_t); +extern void printtime (krb5_timestamp); /* authorization.c */ extern krb5_boolean fowner (FILE *, uid_t); diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c index 28342c2..d9596d9 100644 --- a/src/clients/ksu/main.c +++ b/src/clients/ksu/main.c @@ -121,6 +121,9 @@ main (argc, argv) krb5_boolean restrict_creds; krb5_deltat lifetime, rlife; + if (argc == 0) + exit(1); + params = (char **) xcalloc (2, sizeof (char *)); params[1] = NULL; @@ -411,6 +414,16 @@ main (argc, argv) if (hp){ if (gb_err) fprintf(stderr, "%s", gb_err); fprintf(stderr, _("account %s: authorization failed\n"), target_user); + + if (cmd != NULL) { + syslog(LOG_WARNING, + "Account %s: authorization for %s for execution of %s failed", + target_user, source_user, cmd); + } else { + syslog(LOG_WARNING, "Account %s: authorization of %s failed", + target_user, source_user); + } + exit(1); } @@ -919,7 +932,7 @@ cleanup: int standard_shell(sh) char *sh; { - register char *cp; + char *cp; char *getusershell(); while ((cp = getusershell()) != NULL) @@ -932,7 +945,7 @@ int standard_shell(sh) static char * ontty() { - char *p, *ttyname(); + char *p; static char buf[MAXPATHLEN + 5]; int result; diff --git a/src/clients/ksu/setenv.c b/src/clients/ksu/setenv.c index a7895c6..c7bd369 100644 --- a/src/clients/ksu/setenv.c +++ b/src/clients/ksu/setenv.c @@ -57,12 +57,12 @@ extern void unsetenv(char *); #ifndef HAVE_SETENV int setenv(name, value, rewrite) - register char *name, *value; + char *name, *value; int rewrite; { extern char **environ; static int alloced; /* if allocated space before */ - register char *C; + char *C; int l_value, offset; if (*value == '=') /* no `=' in value */ @@ -77,8 +77,8 @@ setenv(name, value, rewrite) } } else { /* create new slot */ - register int cnt; - register char **P; + int cnt; + char **P; for (P = environ, cnt = 0; *P; ++P, ++cnt); if (alloced) { /* just increase size */ @@ -119,7 +119,7 @@ unsetenv(name) char *name; { extern char **environ; - register char **P; + char **P; int offset; while (_findenv(name, &offset)) /* if set multiple times */ @@ -156,12 +156,12 @@ getenv(name) */ static char * _findenv(name, offset) - register char *name; + char *name; int *offset; { extern char **environ; - register int len; - register char **P, *C; + int len; + char **P, *C; for (C = name, len = 0; *C && *C != '='; ++C, ++len); for (P = environ; *P; ++P) diff --git a/src/clients/kswitch/kswitch.c b/src/clients/kswitch/kswitch.c index f26ecea..9cba7cb 100644 --- a/src/clients/kswitch/kswitch.c +++ b/src/clients/kswitch/kswitch.c @@ -27,9 +27,6 @@ #include "k5-int.h" #include -extern int optind; -extern char *optarg; - #ifndef _WIN32 #define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x)) #else diff --git a/src/clients/kvno/kvno.c b/src/clients/kvno/kvno.c index 80bee59..f4fa048 100644 --- a/src/clients/kvno/kvno.c +++ b/src/clients/kvno/kvno.c @@ -32,44 +32,47 @@ #endif #include -extern int optind; -extern char *optarg; - static char *prog; +static int quiet = 0; -static void xusage() +static void +xusage() { fprintf(stderr, _("usage: %s [-C] [-u] [-c ccache] [-e etype]\n"), prog); fprintf(stderr, _("\t[-k keytab] [-S sname] [-U for_user [-P]]\n")); - fprintf(stderr, _("\tservice1 service2 ...\n")); + fprintf(stderr, _("\t[--u2u ccache] service1 service2 ...\n")); exit(1); } -int quiet = 0; - -static void do_v5_kvno (int argc, char *argv[], - char *ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon, int unknown, - char *for_user, int proxy); +static void do_v5_kvno(int argc, char *argv[], char *ccachestr, char *etypestr, + char *keytab_name, char *sname, int canon, int unknown, + char *for_user, int proxy, const char *u2u_ccname); #include -static void extended_com_err_fn (const char *, errcode_t, const char *, - va_list); +static void extended_com_err_fn(const char *myprog, errcode_t code, + const char *fmt, va_list args); -int main(int argc, char *argv[]) +int +main(int argc, char *argv[]) { + enum { OPTION_U2U = 256 }; + struct option lopts[] = { + { "u2u", 1, NULL, OPTION_U2U }, + { NULL, 0, NULL, 0 } + }; + const char *shopts = "uCc:e:hk:qPS:U:"; int option; char *etypestr = NULL, *ccachestr = NULL, *keytab_name = NULL; - char *sname = NULL, *for_user = NULL; + char *sname = NULL, *for_user = NULL, *u2u_ccname = NULL; int canon = 0, unknown = 0, proxy = 0; setlocale(LC_ALL, ""); - set_com_err_hook (extended_com_err_fn); + set_com_err_hook(extended_com_err_fn); prog = strrchr(argv[0], '/'); prog = prog ? (prog + 1) : argv[0]; - while ((option = getopt(argc, argv, "uCc:e:hk:qPS:U:")) != -1) { + while ((option = getopt_long(argc, argv, shopts, lopts, NULL)) != -1) { switch (option) { case 'C': canon = 1; @@ -94,7 +97,7 @@ int main(int argc, char *argv[]) break; case 'S': sname = optarg; - if (unknown == 1){ + if (unknown == 1) { fprintf(stderr, _("Options -u and -S are mutually exclusive\n")); xusage(); @@ -102,7 +105,7 @@ int main(int argc, char *argv[]) break; case 'u': unknown = 1; - if (sname){ + if (sname != NULL) { fprintf(stderr, _("Options -u and -S are mutually exclusive\n")); xusage(); @@ -111,12 +114,20 @@ int main(int argc, char *argv[]) case 'U': for_user = optarg; /* S4U2Self - protocol transition */ break; + case OPTION_U2U: + u2u_ccname = optarg; + break; default: xusage(); break; } } + if (u2u_ccname != NULL && for_user != NULL) { + fprintf(stderr, _("Options --u2u and -P are mutually exclusive\n")); + xusage(); + } + if (proxy) { if (keytab_name == NULL) { fprintf(stderr, _("Option -P (constrained delegation) " @@ -129,42 +140,197 @@ int main(int argc, char *argv[]) } } - if ((argc - optind) < 1) + if (argc - optind < 1) xusage(); - do_v5_kvno(argc - optind, argv + optind, - ccachestr, etypestr, keytab_name, sname, - canon, unknown, for_user, proxy); + do_v5_kvno(argc - optind, argv + optind, ccachestr, etypestr, keytab_name, + sname, canon, unknown, for_user, proxy, u2u_ccname); return 0; } #include static krb5_context context; -static void extended_com_err_fn (const char *myprog, errcode_t code, - const char *fmt, va_list args) +static void extended_com_err_fn(const char *myprog, errcode_t code, + const char *fmt, va_list args) { const char *emsg; - emsg = krb5_get_error_message (context, code); - fprintf (stderr, "%s: %s ", myprog, emsg); - krb5_free_error_message (context, emsg); - vfprintf (stderr, fmt, args); - fprintf (stderr, "\n"); + + emsg = krb5_get_error_message(context, code); + fprintf(stderr, "%s: %s ", myprog, emsg); + krb5_free_error_message(context, emsg); + vfprintf(stderr, fmt, args); + fprintf(stderr, "\n"); +} + +/* Request a single service ticket and display its status (unless quiet is + * set). On failure, display an error message and return non-zero. */ +static krb5_error_code +kvno(const char *name, krb5_ccache ccache, krb5_principal me, + krb5_enctype etype, krb5_keytab keytab, const char *sname, + krb5_flags options, int unknown, krb5_principal for_user_princ, int proxy, + krb5_data *u2u_ticket) +{ + krb5_error_code ret; + krb5_principal server = NULL; + krb5_ticket *ticket = NULL; + krb5_creds in_creds, *out_creds = NULL; + char *princ = NULL; + + memset(&in_creds, 0, sizeof(in_creds)); + + if (sname != NULL) { + ret = krb5_sname_to_principal(context, name, sname, KRB5_NT_SRV_HST, + &server); + } else { + ret = krb5_parse_name(context, name, &server); + } + if (ret) { + if (!quiet) + com_err(prog, ret, _("while parsing principal name %s"), name); + goto cleanup; + } + if (unknown) + krb5_princ_type(context, server) = KRB5_NT_UNKNOWN; + + ret = krb5_unparse_name(context, server, &princ); + if (ret) { + com_err(prog, ret, _("while formatting parsed principal name for " + "'%s'"), name); + goto cleanup; + } + + in_creds.keyblock.enctype = etype; + + if (u2u_ticket != NULL) + in_creds.second_ticket = *u2u_ticket; + + if (for_user_princ != NULL) { + if (!proxy && !krb5_principal_compare(context, me, server)) { + ret = EINVAL; + com_err(prog, ret, + _("client and server principal names must match")); + goto cleanup; + } + + in_creds.client = for_user_princ; + in_creds.server = me; + ret = krb5_get_credentials_for_user(context, options, ccache, + &in_creds, NULL, &out_creds); + } else { + in_creds.client = me; + in_creds.server = server; + ret = krb5_get_credentials(context, options, ccache, &in_creds, + &out_creds); + } + + if (ret) { + com_err(prog, ret, _("while getting credentials for %s"), princ); + goto cleanup; + } + + /* We need a native ticket. */ + ret = krb5_decode_ticket(&out_creds->ticket, &ticket); + if (ret) { + com_err(prog, ret, _("while decoding ticket for %s"), princ); + goto cleanup; + } + + if (keytab != NULL) { + ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket); + if (ret) { + if (!quiet) { + fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n", princ, + ticket->enc_part.kvno); + } + com_err(prog, ret, _("while decrypting ticket for %s"), princ); + goto cleanup; + } + if (!quiet) { + printf(_("%s: kvno = %d, keytab entry valid\n"), princ, + ticket->enc_part.kvno); + } + if (proxy) { + krb5_free_creds(context, out_creds); + out_creds = NULL; + + in_creds.client = ticket->enc_part2->client; + in_creds.server = server; + + ret = krb5_get_credentials_for_proxy(context, KRB5_GC_CANONICALIZE, + ccache, &in_creds, ticket, + &out_creds); + if (ret) { + com_err(prog, ret, _("%s: constrained delegation failed"), + princ); + goto cleanup; + } + } + } else { + if (!quiet) + printf(_("%s: kvno = %d\n"), princ, ticket->enc_part.kvno); + } + +cleanup: + krb5_free_principal(context, server); + krb5_free_ticket(context, ticket); + krb5_free_creds(context, out_creds); + krb5_free_unparsed_name(context, princ); + return ret; +} + +/* Fetch the encoded local TGT for ccname's default client principal. */ +static krb5_error_code +get_u2u_ticket(const char *ccname, krb5_data **ticket_out) +{ + krb5_error_code ret; + krb5_ccache cc = NULL; + krb5_creds mcred, *creds = NULL; + + *ticket_out = NULL; + memset(&mcred, 0, sizeof(mcred)); + + ret = krb5_cc_resolve(context, ccname, &cc); + if (ret) + goto cleanup; + ret = krb5_cc_get_principal(context, cc, &mcred.client); + if (ret) + goto cleanup; + ret = krb5_build_principal_ext(context, &mcred.server, + mcred.client->realm.length, + mcred.client->realm.data, + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, + mcred.client->realm.length, + mcred.client->realm.data, 0); + if (ret) + goto cleanup; + ret = krb5_get_credentials(context, KRB5_GC_CACHED, cc, &mcred, &creds); + if (ret) + goto cleanup; + + ret = krb5_copy_data(context, &creds->ticket, ticket_out); + +cleanup: + if (cc != NULL) + krb5_cc_close(context, cc); + krb5_free_cred_contents(context, &mcred); + krb5_free_creds(context, creds); + return ret; } -static void do_v5_kvno (int count, char *names[], - char * ccachestr, char *etypestr, char *keytab_name, - char *sname, int canon, int unknown, char *for_user, - int proxy) +static void +do_v5_kvno(int count, char *names[], char * ccachestr, char *etypestr, + char *keytab_name, char *sname, int canon, int unknown, + char *for_user, int proxy, const char *u2u_ccname) { krb5_error_code ret; int i, errors; krb5_enctype etype; krb5_ccache ccache; krb5_principal me; - krb5_creds in_creds; krb5_keytab keytab = NULL; krb5_principal for_user_princ = NULL; - krb5_flags options; + krb5_flags options = canon ? KRB5_GC_CANONICALIZE : 0; + krb5_data *u2u_ticket = NULL; ret = krb5_init_context(&context); if (ret) { @@ -191,7 +357,7 @@ static void do_v5_kvno (int count, char *names[], exit(1); } - if (keytab_name) { + if (keytab_name != NULL) { ret = krb5_kt_resolve(context, keytab_name, &keytab); if (ret) { com_err(prog, ret, _("resolving keytab %s"), keytab_name); @@ -209,6 +375,16 @@ static void do_v5_kvno (int count, char *names[], } } + if (u2u_ccname != NULL) { + ret = get_u2u_ticket(u2u_ccname, &u2u_ticket); + if (ret) { + com_err(prog, ret, _("while getting user-to-user ticket from %s"), + u2u_ccname); + exit(1); + } + options |= KRB5_GC_USER_USER; + } + ret = krb5_cc_get_principal(context, ccache, &me); if (ret) { com_err(prog, ret, _("while getting client principal name")); @@ -216,135 +392,18 @@ static void do_v5_kvno (int count, char *names[], } errors = 0; - - options = 0; - if (canon) - options |= KRB5_GC_CANONICALIZE; - for (i = 0; i < count; i++) { - krb5_principal server = NULL; - krb5_ticket *ticket = NULL; - krb5_creds *out_creds = NULL; - char *princ = NULL; - - memset(&in_creds, 0, sizeof(in_creds)); - - if (sname != NULL) { - ret = krb5_sname_to_principal(context, names[i], - sname, KRB5_NT_SRV_HST, - &server); - } else { - ret = krb5_parse_name(context, names[i], &server); - } - if (ret) { - if (!quiet) { - com_err(prog, ret, _("while parsing principal name %s"), - names[i]); - } - goto error; - } - if (unknown == 1) { - krb5_princ_type(context, server) = KRB5_NT_UNKNOWN; - } - - ret = krb5_unparse_name(context, server, &princ); - if (ret) { - com_err(prog, ret, _("while formatting parsed principal name for " - "'%s'"), names[i]); - goto error; - } - - in_creds.keyblock.enctype = etype; - - if (for_user) { - if (!proxy && - !krb5_principal_compare(context, me, server)) { - com_err(prog, EINVAL, - _("client and server principal names must match")); - goto error; - } - - in_creds.client = for_user_princ; - in_creds.server = me; - - ret = krb5_get_credentials_for_user(context, options, ccache, - &in_creds, NULL, &out_creds); - } else { - in_creds.client = me; - in_creds.server = server; - ret = krb5_get_credentials(context, options, ccache, - &in_creds, &out_creds); - } - - if (ret) { - com_err(prog, ret, _("while getting credentials for %s"), princ); - goto error; - } - - /* we need a native ticket */ - ret = krb5_decode_ticket(&out_creds->ticket, &ticket); - if (ret) { - com_err(prog, ret, _("while decoding ticket for %s"), princ); - goto error; - } - - if (keytab) { - ret = krb5_server_decrypt_ticket_keytab(context, keytab, ticket); - if (ret) { - if (!quiet) { - fprintf(stderr, "%s: kvno = %d, keytab entry invalid\n", - princ, ticket->enc_part.kvno); - } - com_err(prog, ret, _("while decrypting ticket for %s"), princ); - goto error; - } - if (!quiet) { - printf(_("%s: kvno = %d, keytab entry valid\n"), - princ, ticket->enc_part.kvno); - } - if (proxy) { - krb5_free_creds(context, out_creds); - out_creds = NULL; - - in_creds.client = ticket->enc_part2->client; - in_creds.server = server; - - ret = krb5_get_credentials_for_proxy(context, - KRB5_GC_CANONICALIZE, - ccache, - &in_creds, - ticket, - &out_creds); - if (ret) { - com_err(prog, ret, - _("%s: constrained delegation failed"), princ); - goto error; - } - } - } else { - if (!quiet) - printf(_("%s: kvno = %d\n"), princ, ticket->enc_part.kvno); - } - - continue; - - error: - if (server != NULL) - krb5_free_principal(context, server); - if (ticket != NULL) - krb5_free_ticket(context, ticket); - if (out_creds != NULL) - krb5_free_creds(context, out_creds); - if (princ != NULL) - krb5_free_unparsed_name(context, princ); - errors++; + if (kvno(names[i], ccache, me, etype, keytab, sname, options, unknown, + for_user_princ, proxy, u2u_ticket) != 0) + errors++; } - if (keytab) + if (keytab != NULL) krb5_kt_close(context, keytab); krb5_free_principal(context, me); krb5_free_principal(context, for_user_princ); krb5_cc_close(context, ccache); + krb5_free_data(context, u2u_ticket); krb5_free_context(context); if (errors) diff --git a/src/config-files/services.append b/src/config-files/services.append index a32fae6..34d1956 100644 --- a/src/config-files/services.append +++ b/src/config-files/services.append @@ -8,5 +8,5 @@ kpop 1109/tcp # Pop with Kerberos kshell 544/tcp cmd # and remote shell klogin 543/tcp # Kerberos authenticated rlogin eklogin 2105/tcp # Kerberos encrypted rlogin -krb5_prop 754/tcp # Kerberos slave propagation +krb5_prop 754/tcp # Kerberos replica propagation krb524 4444/tcp # Kerberos 5 to 4 ticket xlator diff --git a/src/config/ac-archive/README b/src/config/ac-archive/README index 7bc626e..409d4b3 100644 --- a/src/config/ac-archive/README +++ b/src/config/ac-archive/README @@ -1,51 +1,9 @@ -*- text -*- These macros are taken from the autoconf archive at -ac-archive.sourceforge.net. Unless otherwise noted, they are under -this modified version of the GNU General Public License version 2 -(also copied from ac-archive.sourceforge.net): +https://www.gnu.org/software/autoconf-archive/ . They are licensed +under a modified version of the GNU General Public License as noted in +the comments near the top of each file. - Every Autoconf macro presented on this web site is free software; - you can redistribute it and/or modify it under the terms of the - GNU General Public License as published by the Free Software - Foundation; either version 2, or (at your option) any later - version. - - They are distributed in the hope that they will be useful, but - WITHOUT ANY WARRANTY; without even the implied warranty of - MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU - General Public License for more details. (You should have received - a copy of the GNU General Public License along with this program; - if not, write to the Free Software Foundation, Inc., 59 Temple - Place -- Suite 330, Boston, MA 02111-1307, USA.) - - As a special exception, the Free Software Foundation gives - unlimited permission to copy, distribute and modify the configure - scripts that are the output of Autoconf. You need not follow the - terms of the GNU General Public License when using or distributing - such scripts, even though portions of the text of Autoconf appear - in them. The GNU General Public License (GPL) does govern all - other use of the material that constitutes the Autoconf program. - - Certain portions of the Autoconf source text are designed to be - copied (in certain cases, depending on the input) into the output - of Autoconf. We call these the "data" portions. The rest of the - Autoconf source text consists of comments plus executable code - that decides which of the data portions to output in any given - case. We call these comments and executable code the "non-data" - portions. Autoconf never copies any of the non-data portions into - its output. - - This special exception to the GPL applies to versions of Autoconf - released by the Free Software Foundation. When you make and - distribute a modified version of Autoconf, you may extend this - special exception to the GPL to apply to your modified version as - well, *unless* your modified version has the potential to copy - into its output some of the text that was the non-data portion of - the version that you started with. (In other words, unless your - change moves or copies text from the non-data portions to the data - portions.) If your modification has such potential, you must - delete any notice of this special exception to the GPL from your - modified version. - -acx_pthread.m4 version 1.5 2004/03/01 +ax_pthread.m4 serial 24 2017-02-06 +ax_recursive_eval.m4 serial 1 2017-01-05 diff --git a/src/config/ac-archive/acx_pthread.m4 b/src/config/ac-archive/acx_pthread.m4 deleted file mode 100644 index 6a1537d..0000000 --- a/src/config/ac-archive/acx_pthread.m4 +++ /dev/null @@ -1,239 +0,0 @@ -dnl @synopsis ACX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) -dnl -dnl This macro figures out how to build C programs using POSIX -dnl threads. It sets the PTHREAD_LIBS output variable to the threads -dnl library and linker flags, and the PTHREAD_CFLAGS output variable -dnl to any special C compiler flags that are needed. (The user can also -dnl force certain compiler flags/libs to be tested by setting these -dnl environment variables.) -dnl -dnl Also sets PTHREAD_CC to any special C compiler that is needed for -dnl multi-threaded programs (defaults to the value of CC otherwise). -dnl (This is necessary on AIX to use the special cc_r compiler alias.) -dnl -dnl NOTE: You are assumed to not only compile your program with these -dnl flags, but also link it with them as well. e.g. you should link -dnl with $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS -dnl -dnl If you are only building threads programs, you may wish to -dnl use these variables in your default LIBS, CFLAGS, and CC: -dnl -dnl LIBS="$PTHREAD_LIBS $LIBS" -dnl CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -dnl CC="$PTHREAD_CC" -dnl -dnl In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute -dnl constant has a nonstandard name, defines PTHREAD_CREATE_JOINABLE -dnl to that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). -dnl -dnl ACTION-IF-FOUND is a list of shell commands to run if a threads -dnl library is found, and ACTION-IF-NOT-FOUND is a list of commands -dnl to run it if it is not found. If ACTION-IF-FOUND is not specified, -dnl the default action will define HAVE_PTHREAD. -dnl -dnl Please let the authors know if this macro fails on any platform, -dnl or if you have any other suggestions or comments. This macro was -dnl based on work by SGJ on autoconf scripts for FFTW (www.fftw.org) -dnl (with help from M. Frigo), as well as ac_pthread and hb_pthread -dnl macros posted by AFC to the autoconf macro repository. We are also -dnl grateful for the helpful feedback of numerous users. -dnl -dnl @version $Id: acx_pthread.m4,v 1.5 2004/03/01 19:28:29 guidod Exp $ -dnl @author Steven G. Johnson and Alejandro Forero Cuervo - -AC_DEFUN([ACX_PTHREAD], [ -AC_REQUIRE([AC_CANONICAL_HOST]) -AC_LANG_SAVE -AC_LANG_C -acx_pthread_ok=no - -# We used to check for pthread.h first, but this fails if pthread.h -# requires special compiler flags (e.g. on True64 or Sequent). -# It gets checked for in the link test anyway. - -# First of all, check if the user has set any of the PTHREAD_LIBS, -# etcetera environment variables, and if threads linking works using -# them: -if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - AC_MSG_CHECKING([for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS]) - AC_TRY_LINK_FUNC(pthread_join, acx_pthread_ok=yes) - AC_MSG_RESULT($acx_pthread_ok) - if test x"$acx_pthread_ok" = xno; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -fi - -# We must check for the threads library under a number of different -# names; the ordering is very important because some systems -# (e.g. DEC) have both -lpthread and -lpthreads, where one of the -# libraries is broken (non-POSIX). - -# Create a list of thread flags to try. Items starting with a "-" are -# C compiler flags, and other items are library names, except for "none" -# which indicates that we try without any flags at all, and "pthread-config" -# which is a program returning the flags for the Pth emulation library. - -acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - -# The ordering *is* (sometimes) important. Some notes on the -# individual items follow: - -# pthreads: AIX (must check this before -lpthread) -# none: in case threads are in libc; should be tried before -Kthread and -# other compiler flags to prevent continual compiler warnings -# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) -# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) -# -pthreads: Solaris/gcc -# -mthreads: Mingw32/gcc, Lynx/gcc -# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it -# doesn't hurt to check since this sometimes defines pthreads too; -# also defines -D_REENTRANT) -# pthread: Linux, etcetera -# --thread-safe: KAI C++ -# pthread-config: use pthread-config program (for GNU Pth library) - -case "${host_cpu}-${host_os}" in - *solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based - # tests will erroneously succeed. (We need to link with -pthread or - # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather - # a function called by this macro, so we could check for that, but - # who knows whether they'll stub that too in a future libc.) So, - # we'll just look for -pthreads and -lpthread first: - - acx_pthread_flags="-pthread -pthreads pthread -mt $acx_pthread_flags" - ;; -esac - -if test x"$acx_pthread_ok" = xno; then -for flag in $acx_pthread_flags; do - - case $flag in - none) - AC_MSG_CHECKING([whether pthreads work without any flags]) - ;; - - -*) - AC_MSG_CHECKING([whether pthreads work with $flag]) - PTHREAD_CFLAGS="$flag" - ;; - - pthread-config) - AC_CHECK_PROG(acx_pthread_config, pthread-config, yes, no) - if test x"$acx_pthread_config" = xno; then continue; fi - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) - AC_MSG_CHECKING([for the pthreads library -l$flag]) - PTHREAD_LIBS="-l$flag" - ;; - esac - - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we - # need a special flag -Kthread to make this header compile.) - # We check for pthread_join because it is in -lpthread on IRIX - # while pthread_create is in libc. We check for pthread_attr_init - # due to DEC craziness with -lpthreads. We check for - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. - AC_TRY_LINK([#include ], - [pthread_t th; pthread_join(th, 0); - pthread_attr_init(0); pthread_cleanup_push(0, 0); - pthread_create(0,0,0,0); pthread_cleanup_pop(0); ], - [acx_pthread_ok=yes]) - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - AC_MSG_RESULT($acx_pthread_ok) - if test "x$acx_pthread_ok" = xyes; then - break; - fi - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" -done -fi - -# Various other checks: -if test "x$acx_pthread_ok" = xyes; then - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Detect AIX lossage: threads are created detached by default - # and the JOINABLE attribute has a nonstandard name (UNDETACHED). - AC_MSG_CHECKING([for joinable pthread attribute]) - AC_TRY_LINK([#include ], - [int attr=PTHREAD_CREATE_JOINABLE;], - ok=PTHREAD_CREATE_JOINABLE, ok=unknown) - if test x"$ok" = xunknown; then - AC_TRY_LINK([#include ], - [int attr=PTHREAD_CREATE_UNDETACHED;], - ok=PTHREAD_CREATE_UNDETACHED, ok=unknown) - fi - if test x"$ok" != xPTHREAD_CREATE_JOINABLE; then - AC_DEFINE(PTHREAD_CREATE_JOINABLE, $ok, - [Define to the necessary symbol if this constant - uses a non-standard name on your system.]) - fi - AC_MSG_RESULT(${ok}) - if test x"$ok" = xunknown; then - AC_MSG_WARN([we do not know how to create joinable pthreads]) - fi - - AC_MSG_CHECKING([if more special flags are required for pthreads]) - flag=no - case "${host_cpu}-${host_os}" in - *-aix* | *-freebsd*) flag="-D_THREAD_SAFE";; - *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";; - esac - AC_MSG_RESULT(${flag}) - if test "x$flag" != xno; then - PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" - fi - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - # More AIX lossage: must compile with cc_r - AC_CHECK_PROG(PTHREAD_CC, cc_r, cc_r, ${CC}) -else - PTHREAD_CC="$CC" -fi - -AC_SUBST(PTHREAD_LIBS) -AC_SUBST(PTHREAD_CFLAGS) -AC_SUBST(PTHREAD_CC) - -# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: -if test x"$acx_pthread_ok" = xyes; then - ifelse([$1],,AC_DEFINE(HAVE_PTHREAD,1,[Define if you have POSIX threads libraries and header files.]),[$1]) - : -else - acx_pthread_ok=no - $2 -fi -AC_LANG_RESTORE -])dnl ACX_PTHREAD diff --git a/src/config/ac-archive/ax_pthread.m4 b/src/config/ac-archive/ax_pthread.m4 new file mode 100644 index 0000000..5fbf9fe --- /dev/null +++ b/src/config/ac-archive/ax_pthread.m4 @@ -0,0 +1,485 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_pthread.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_PTHREAD([ACTION-IF-FOUND[, ACTION-IF-NOT-FOUND]]) +# +# DESCRIPTION +# +# This macro figures out how to build C programs using POSIX threads. It +# sets the PTHREAD_LIBS output variable to the threads library and linker +# flags, and the PTHREAD_CFLAGS output variable to any special C compiler +# flags that are needed. (The user can also force certain compiler +# flags/libs to be tested by setting these environment variables.) +# +# Also sets PTHREAD_CC to any special C compiler that is needed for +# multi-threaded programs (defaults to the value of CC otherwise). (This +# is necessary on AIX to use the special cc_r compiler alias.) +# +# NOTE: You are assumed to not only compile your program with these flags, +# but also to link with them as well. For example, you might link with +# $PTHREAD_CC $CFLAGS $PTHREAD_CFLAGS $LDFLAGS ... $PTHREAD_LIBS $LIBS +# +# If you are only building threaded programs, you may wish to use these +# variables in your default LIBS, CFLAGS, and CC: +# +# LIBS="$PTHREAD_LIBS $LIBS" +# CFLAGS="$CFLAGS $PTHREAD_CFLAGS" +# CC="$PTHREAD_CC" +# +# In addition, if the PTHREAD_CREATE_JOINABLE thread-attribute constant +# has a nonstandard name, this macro defines PTHREAD_CREATE_JOINABLE to +# that name (e.g. PTHREAD_CREATE_UNDETACHED on AIX). +# +# Also HAVE_PTHREAD_PRIO_INHERIT is defined if pthread is found and the +# PTHREAD_PRIO_INHERIT symbol is defined when compiling with +# PTHREAD_CFLAGS. +# +# ACTION-IF-FOUND is a list of shell commands to run if a threads library +# is found, and ACTION-IF-NOT-FOUND is a list of commands to run it if it +# is not found. If ACTION-IF-FOUND is not specified, the default action +# will define HAVE_PTHREAD. +# +# Please let the authors know if this macro fails on any platform, or if +# you have any other suggestions or comments. This macro was based on work +# by SGJ on autoconf scripts for FFTW (http://www.fftw.org/) (with help +# from M. Frigo), as well as ac_pthread and hb_pthread macros posted by +# Alejandro Forero Cuervo to the autoconf macro repository. We are also +# grateful for the helpful feedback of numerous users. +# +# Updated for Autoconf 2.68 by Daniel Richard G. +# +# LICENSE +# +# Copyright (c) 2008 Steven G. Johnson +# Copyright (c) 2011 Daniel Richard G. +# +# This program is free software: you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation, either version 3 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 24 + +AU_ALIAS([ACX_PTHREAD], [AX_PTHREAD]) +AC_DEFUN([AX_PTHREAD], [ +AC_REQUIRE([AC_CANONICAL_HOST]) +AC_REQUIRE([AC_PROG_CC]) +AC_REQUIRE([AC_PROG_SED]) +AC_LANG_PUSH([C]) +ax_pthread_ok=no + +# We used to check for pthread.h first, but this fails if pthread.h +# requires special compiler flags (e.g. on Tru64 or Sequent). +# It gets checked for in the link test anyway. + +# First of all, check if the user has set any of the PTHREAD_LIBS, +# etcetera environment variables, and if threads linking works using +# them: +if test "x$PTHREAD_CFLAGS$PTHREAD_LIBS" != "x"; then + ax_pthread_save_CC="$CC" + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + AS_IF([test "x$PTHREAD_CC" != "x"], [CC="$PTHREAD_CC"]) + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + AC_MSG_CHECKING([for pthread_join using $CC $PTHREAD_CFLAGS $PTHREAD_LIBS]) + AC_LINK_IFELSE([AC_LANG_CALL([], [pthread_join])], [ax_pthread_ok=yes]) + AC_MSG_RESULT([$ax_pthread_ok]) + if test "x$ax_pthread_ok" = "xno"; then + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" + fi + CC="$ax_pthread_save_CC" + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" +fi + +# We must check for the threads library under a number of different +# names; the ordering is very important because some systems +# (e.g. DEC) have both -lpthread and -lpthreads, where one of the +# libraries is broken (non-POSIX). + +# Create a list of thread flags to try. Items starting with a "-" are +# C compiler flags, and other items are library names, except for "none" +# which indicates that we try without any flags at all, and "pthread-config" +# which is a program returning the flags for the Pth emulation library. + +ax_pthread_flags="pthreads none -Kthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" + +# The ordering *is* (sometimes) important. Some notes on the +# individual items follow: + +# pthreads: AIX (must check this before -lpthread) +# none: in case threads are in libc; should be tried before -Kthread and +# other compiler flags to prevent continual compiler warnings +# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) +# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads), Tru64 +# (Note: HP C rejects this with "bad form for `-t' option") +# -pthreads: Solaris/gcc (Note: HP C also rejects) +# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it +# doesn't hurt to check since this sometimes defines pthreads and +# -D_REENTRANT too), HP C (must be checked before -lpthread, which +# is present but should not be used directly; and before -mthreads, +# because the compiler interprets this as "-mt" + "-hreads") +# -mthreads: Mingw32/gcc, Lynx/gcc +# pthread: Linux, etcetera +# --thread-safe: KAI C++ +# pthread-config: use pthread-config program (for GNU Pth library) + +case $host_os in + + freebsd*) + + # -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) + # lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) + + ax_pthread_flags="-kthread lthread $ax_pthread_flags" + ;; + + hpux*) + + # From the cc(1) man page: "[-mt] Sets various -D flags to enable + # multi-threading and also sets -lpthread." + + ax_pthread_flags="-mt -pthread pthread $ax_pthread_flags" + ;; + + openedition*) + + # IBM z/OS requires a feature-test macro to be defined in order to + # enable POSIX threads at all, so give the user a hint if this is + # not set. (We don't define these ourselves, as they can affect + # other portions of the system API in unpredictable ways.) + + AC_EGREP_CPP([AX_PTHREAD_ZOS_MISSING], + [ +# if !defined(_OPEN_THREADS) && !defined(_UNIX03_THREADS) + AX_PTHREAD_ZOS_MISSING +# endif + ], + [AC_MSG_WARN([IBM z/OS requires -D_OPEN_THREADS or -D_UNIX03_THREADS to enable pthreads support.])]) + ;; + + solaris*) + + # On Solaris (at least, for some versions), libc contains stubbed + # (non-functional) versions of the pthreads routines, so link-based + # tests will erroneously succeed. (N.B.: The stubs are missing + # pthread_cleanup_push, or rather a function called by this macro, + # so we could check for that, but who knows whether they'll stub + # that too in a future libc.) So we'll check first for the + # standard Solaris way of linking pthreads (-mt -lpthread). + + ax_pthread_flags="-mt,pthread pthread $ax_pthread_flags" + ;; +esac + +# GCC generally uses -pthread, or -pthreads on some platforms (e.g. SPARC) + +AS_IF([test "x$GCC" = "xyes"], + [ax_pthread_flags="-pthread -pthreads $ax_pthread_flags"]) + +# The presence of a feature test macro requesting re-entrant function +# definitions is, on some systems, a strong hint that pthreads support is +# correctly enabled + +case $host_os in + darwin* | hpux* | linux* | osf* | solaris*) + ax_pthread_check_macro="_REENTRANT" + ;; + + aix*) + ax_pthread_check_macro="_THREAD_SAFE" + ;; + + *) + ax_pthread_check_macro="--" + ;; +esac +AS_IF([test "x$ax_pthread_check_macro" = "x--"], + [ax_pthread_check_cond=0], + [ax_pthread_check_cond="!defined($ax_pthread_check_macro)"]) + +# Are we compiling with Clang? + +AC_CACHE_CHECK([whether $CC is Clang], + [ax_cv_PTHREAD_CLANG], + [ax_cv_PTHREAD_CLANG=no + # Note that Autoconf sets GCC=yes for Clang as well as GCC + if test "x$GCC" = "xyes"; then + AC_EGREP_CPP([AX_PTHREAD_CC_IS_CLANG], + [/* Note: Clang 2.7 lacks __clang_[a-z]+__ */ +# if defined(__clang__) && defined(__llvm__) + AX_PTHREAD_CC_IS_CLANG +# endif + ], + [ax_cv_PTHREAD_CLANG=yes]) + fi + ]) +ax_pthread_clang="$ax_cv_PTHREAD_CLANG" + +ax_pthread_clang_warning=no + +# Clang needs special handling, because older versions handle the -pthread +# option in a rather... idiosyncratic way + +if test "x$ax_pthread_clang" = "xyes"; then + + # Clang takes -pthread; it has never supported any other flag + + # (Note 1: This will need to be revisited if a system that Clang + # supports has POSIX threads in a separate library. This tends not + # to be the way of modern systems, but it's conceivable.) + + # (Note 2: On some systems, notably Darwin, -pthread is not needed + # to get POSIX threads support; the API is always present and + # active. We could reasonably leave PTHREAD_CFLAGS empty. But + # -pthread does define _REENTRANT, and while the Darwin headers + # ignore this macro, third-party headers might not.) + + PTHREAD_CFLAGS="-pthread" + PTHREAD_LIBS= + + ax_pthread_ok=yes + + # However, older versions of Clang make a point of warning the user + # that, in an invocation where only linking and no compilation is + # taking place, the -pthread option has no effect ("argument unused + # during compilation"). They expect -pthread to be passed in only + # when source code is being compiled. + # + # Problem is, this is at odds with the way Automake and most other + # C build frameworks function, which is that the same flags used in + # compilation (CFLAGS) are also used in linking. Many systems + # supported by AX_PTHREAD require exactly this for POSIX threads + # support, and in fact it is often not straightforward to specify a + # flag that is used only in the compilation phase and not in + # linking. Such a scenario is extremely rare in practice. + # + # Even though use of the -pthread flag in linking would only print + # a warning, this can be a nuisance for well-run software projects + # that build with -Werror. So if the active version of Clang has + # this misfeature, we search for an option to squash it. + + AC_CACHE_CHECK([whether Clang needs flag to prevent "argument unused" warning when linking with -pthread], + [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG], + [ax_cv_PTHREAD_CLANG_NO_WARN_FLAG=unknown + # Create an alternate version of $ac_link that compiles and + # links in two steps (.c -> .o, .o -> exe) instead of one + # (.c -> exe), because the warning occurs only in the second + # step + ax_pthread_save_ac_link="$ac_link" + ax_pthread_sed='s/conftest\.\$ac_ext/conftest.$ac_objext/g' + ax_pthread_link_step=`$as_echo "$ac_link" | sed "$ax_pthread_sed"` + ax_pthread_2step_ac_link="($ac_compile) && (echo ==== >&5) && ($ax_pthread_link_step)" + ax_pthread_save_CFLAGS="$CFLAGS" + for ax_pthread_try in '' -Qunused-arguments -Wno-unused-command-line-argument unknown; do + AS_IF([test "x$ax_pthread_try" = "xunknown"], [break]) + CFLAGS="-Werror -Wunknown-warning-option $ax_pthread_try -pthread $ax_pthread_save_CFLAGS" + ac_link="$ax_pthread_save_ac_link" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], + [ac_link="$ax_pthread_2step_ac_link" + AC_LINK_IFELSE([AC_LANG_SOURCE([[int main(void){return 0;}]])], + [break]) + ]) + done + ac_link="$ax_pthread_save_ac_link" + CFLAGS="$ax_pthread_save_CFLAGS" + AS_IF([test "x$ax_pthread_try" = "x"], [ax_pthread_try=no]) + ax_cv_PTHREAD_CLANG_NO_WARN_FLAG="$ax_pthread_try" + ]) + + case "$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG" in + no | unknown) ;; + *) PTHREAD_CFLAGS="$ax_cv_PTHREAD_CLANG_NO_WARN_FLAG $PTHREAD_CFLAGS" ;; + esac + +fi # $ax_pthread_clang = yes + +if test "x$ax_pthread_ok" = "xno"; then +for ax_pthread_try_flag in $ax_pthread_flags; do + + case $ax_pthread_try_flag in + none) + AC_MSG_CHECKING([whether pthreads work without any flags]) + ;; + + -mt,pthread) + AC_MSG_CHECKING([whether pthreads work with -mt -lpthread]) + PTHREAD_CFLAGS="-mt" + PTHREAD_LIBS="-lpthread" + ;; + + -*) + AC_MSG_CHECKING([whether pthreads work with $ax_pthread_try_flag]) + PTHREAD_CFLAGS="$ax_pthread_try_flag" + ;; + + pthread-config) + AC_CHECK_PROG([ax_pthread_config], [pthread-config], [yes], [no]) + AS_IF([test "x$ax_pthread_config" = "xno"], [continue]) + PTHREAD_CFLAGS="`pthread-config --cflags`" + PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" + ;; + + *) + AC_MSG_CHECKING([for the pthreads library -l$ax_pthread_try_flag]) + PTHREAD_LIBS="-l$ax_pthread_try_flag" + ;; + esac + + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + + # Check for various functions. We must include pthread.h, + # since some functions may be macros. (On the Sequent, we + # need a special flag -Kthread to make this header compile.) + # We check for pthread_join because it is in -lpthread on IRIX + # while pthread_create is in libc. We check for pthread_attr_init + # due to DEC craziness with -lpthreads. We check for + # pthread_cleanup_push because it is one of the few pthread + # functions on Solaris that doesn't have a non-functional libc stub. + # We try pthread_create on general principles. + + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include +# if $ax_pthread_check_cond +# error "$ax_pthread_check_macro must be defined" +# endif + static void routine(void *a) { a = 0; } + static void *start_routine(void *a) { return a; }], + [pthread_t th; pthread_attr_t attr; + pthread_create(&th, 0, start_routine, 0); + pthread_join(th, 0); + pthread_attr_init(&attr); + pthread_cleanup_push(routine, 0); + pthread_cleanup_pop(0) /* ; */])], + [ax_pthread_ok=yes], + []) + + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" + + AC_MSG_RESULT([$ax_pthread_ok]) + AS_IF([test "x$ax_pthread_ok" = "xyes"], [break]) + + PTHREAD_LIBS="" + PTHREAD_CFLAGS="" +done +fi + +# Various other checks: +if test "x$ax_pthread_ok" = "xyes"; then + ax_pthread_save_CFLAGS="$CFLAGS" + ax_pthread_save_LIBS="$LIBS" + CFLAGS="$CFLAGS $PTHREAD_CFLAGS" + LIBS="$PTHREAD_LIBS $LIBS" + + # Detect AIX lossage: JOINABLE attribute is called UNDETACHED. + AC_CACHE_CHECK([for joinable pthread attribute], + [ax_cv_PTHREAD_JOINABLE_ATTR], + [ax_cv_PTHREAD_JOINABLE_ATTR=unknown + for ax_pthread_attr in PTHREAD_CREATE_JOINABLE PTHREAD_CREATE_UNDETACHED; do + AC_LINK_IFELSE([AC_LANG_PROGRAM([#include ], + [int attr = $ax_pthread_attr; return attr /* ; */])], + [ax_cv_PTHREAD_JOINABLE_ATTR=$ax_pthread_attr; break], + []) + done + ]) + AS_IF([test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xunknown" && \ + test "x$ax_cv_PTHREAD_JOINABLE_ATTR" != "xPTHREAD_CREATE_JOINABLE" && \ + test "x$ax_pthread_joinable_attr_defined" != "xyes"], + [AC_DEFINE_UNQUOTED([PTHREAD_CREATE_JOINABLE], + [$ax_cv_PTHREAD_JOINABLE_ATTR], + [Define to necessary symbol if this constant + uses a non-standard name on your system.]) + ax_pthread_joinable_attr_defined=yes + ]) + + AC_CACHE_CHECK([whether more special flags are required for pthreads], + [ax_cv_PTHREAD_SPECIAL_FLAGS], + [ax_cv_PTHREAD_SPECIAL_FLAGS=no + case $host_os in + solaris*) + ax_cv_PTHREAD_SPECIAL_FLAGS="-D_POSIX_PTHREAD_SEMANTICS" + ;; + esac + ]) + AS_IF([test "x$ax_cv_PTHREAD_SPECIAL_FLAGS" != "xno" && \ + test "x$ax_pthread_special_flags_added" != "xyes"], + [PTHREAD_CFLAGS="$ax_cv_PTHREAD_SPECIAL_FLAGS $PTHREAD_CFLAGS" + ax_pthread_special_flags_added=yes]) + + AC_CACHE_CHECK([for PTHREAD_PRIO_INHERIT], + [ax_cv_PTHREAD_PRIO_INHERIT], + [AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], + [[int i = PTHREAD_PRIO_INHERIT;]])], + [ax_cv_PTHREAD_PRIO_INHERIT=yes], + [ax_cv_PTHREAD_PRIO_INHERIT=no]) + ]) + AS_IF([test "x$ax_cv_PTHREAD_PRIO_INHERIT" = "xyes" && \ + test "x$ax_pthread_prio_inherit_defined" != "xyes"], + [AC_DEFINE([HAVE_PTHREAD_PRIO_INHERIT], [1], [Have PTHREAD_PRIO_INHERIT.]) + ax_pthread_prio_inherit_defined=yes + ]) + + CFLAGS="$ax_pthread_save_CFLAGS" + LIBS="$ax_pthread_save_LIBS" + + # More AIX lossage: compile with *_r variant + if test "x$GCC" != "xyes"; then + case $host_os in + aix*) + AS_CASE(["x/$CC"], + [x*/c89|x*/c89_128|x*/c99|x*/c99_128|x*/cc|x*/cc128|x*/xlc|x*/xlc_v6|x*/xlc128|x*/xlc128_v6], + [#handle absolute path differently from PATH based program lookup + AS_CASE(["x$CC"], + [x/*], + [AS_IF([AS_EXECUTABLE_P([${CC}_r])],[PTHREAD_CC="${CC}_r"])], + [AC_CHECK_PROGS([PTHREAD_CC],[${CC}_r],[$CC])])]) + ;; + esac + fi +fi + +test -n "$PTHREAD_CC" || PTHREAD_CC="$CC" + +AC_SUBST([PTHREAD_LIBS]) +AC_SUBST([PTHREAD_CFLAGS]) +AC_SUBST([PTHREAD_CC]) + +# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: +if test "x$ax_pthread_ok" = "xyes"; then + ifelse([$1],,[AC_DEFINE([HAVE_PTHREAD],[1],[Define if you have POSIX threads libraries and header files.])],[$1]) + : +else + ax_pthread_ok=no + $2 +fi +AC_LANG_POP +])dnl AX_PTHREAD diff --git a/src/config/ac-archive/ax_recursive_eval.m4 b/src/config/ac-archive/ax_recursive_eval.m4 new file mode 100644 index 0000000..0625aca --- /dev/null +++ b/src/config/ac-archive/ax_recursive_eval.m4 @@ -0,0 +1,56 @@ +# =========================================================================== +# https://www.gnu.org/software/autoconf-archive/ax_recursive_eval.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_RECURSIVE_EVAL(VALUE, RESULT) +# +# DESCRIPTION +# +# Interpolate the VALUE in loop until it doesn't change, and set the +# result to $RESULT. WARNING: It's easy to get an infinite loop with some +# unsane input. +# +# LICENSE +# +# Copyright (c) 2008 Alexandre Duret-Lutz +# +# This program is free software; you can redistribute it and/or modify it +# under the terms of the GNU General Public License as published by the +# Free Software Foundation; either version 2 of the License, or (at your +# option) any later version. +# +# This program is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General +# Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program. If not, see . +# +# As a special exception, the respective Autoconf Macro's copyright owner +# gives unlimited permission to copy, distribute and modify the configure +# scripts that are the output of Autoconf when processing the Macro. You +# need not follow the terms of the GNU General Public License when using +# or distributing such scripts, even though portions of the text of the +# Macro appear in them. The GNU General Public License (GPL) does govern +# all other use of the material that constitutes the Autoconf Macro. +# +# This special exception to the GPL applies to versions of the Autoconf +# Macro released by the Autoconf Archive. When you make and distribute a +# modified version of the Autoconf Macro, you may extend this special +# exception to the GPL to apply to your modified version as well. + +#serial 1 + +AC_DEFUN([AX_RECURSIVE_EVAL], +[_lcl_receval="$1" +$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix" + test "x$exec_prefix" = xNONE && exec_prefix="${prefix}" + _lcl_receval_old='' + while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do + _lcl_receval_old="[$]_lcl_receval" + eval _lcl_receval="\"[$]_lcl_receval\"" + done + echo "[$]_lcl_receval")`]) diff --git a/src/config/ac-archive/relpaths.m4 b/src/config/ac-archive/relpaths.m4 deleted file mode 100644 index 15f24b3..0000000 --- a/src/config/ac-archive/relpaths.m4 +++ /dev/null @@ -1,155 +0,0 @@ -dnl @synopsis adl_COMPUTE_RELATIVE_PATHS(PATH_LIST) -dnl -dnl PATH_LIST is a space-separated list of colon-separated triplets of -dnl the form 'FROM:TO:RESULT'. This function iterates over these -dnl triplets and set $RESULT to the relative path from $FROM to $TO. -dnl Note that $FROM and $TO needs to be absolute filenames for this -dnl macro to success. -dnl -dnl For instance, -dnl -dnl first=/usr/local/bin -dnl second=/usr/local/share -dnl adl_COMPUTE_RELATIVE_PATHS([first:second:fs second:first:sf]) -dnl # $fs is set to ../share -dnl # $sf is set to ../bin -dnl -dnl $FROM and $TO are both eval'ed recursively and normalized, this -dnl means that you can call this macro with autoconf's dirnames like -dnl `prefix' or `datadir'. For example: -dnl -dnl adl_COMPUTE_RELATIVE_PATHS([bindir:datadir:bin_to_data]) -dnl -dnl adl_COMPUTE_RELATIVE_PATHS should also works with DOS filenames. -dnl -dnl You may want to use this macro in order to make your package -dnl relocatable. Instead of hardcoding $datadir into your programs just -dnl encode $bin_to_data and try to determine $bindir at run-time. -dnl -dnl This macro requires adl_NORMALIZE_PATH. -dnl -dnl @category Misc -dnl @author Alexandre Duret-Lutz -dnl @version 2001-05-25 -dnl @license GPLWithACException - -AC_DEFUN([adl_COMPUTE_RELATIVE_PATHS], -[for _lcl_i in $1; do - _lcl_from=\[$]`echo "[$]_lcl_i" | sed 's,:.*$,,'` - _lcl_to=\[$]`echo "[$]_lcl_i" | sed 's,^[[^:]]*:,,' | sed 's,:[[^:]]*$,,'` - _lcl_result_var=`echo "[$]_lcl_i" | sed 's,^.*:,,'` - adl_RECURSIVE_EVAL([[$]_lcl_from], [_lcl_from]) - adl_RECURSIVE_EVAL([[$]_lcl_to], [_lcl_to]) - _lcl_notation="$_lcl_from$_lcl_to" - adl_NORMALIZE_PATH([_lcl_from],['/']) - adl_NORMALIZE_PATH([_lcl_to],['/']) - adl_COMPUTE_RELATIVE_PATH([_lcl_from], [_lcl_to], [_lcl_result_tmp]) - adl_NORMALIZE_PATH([_lcl_result_tmp],["[$]_lcl_notation"]) - eval $_lcl_result_var='[$]_lcl_result_tmp' -done]) - -## Note: -## ***** -## The following helper macros are too fragile to be used out -## of adl_COMPUTE_RELATIVE_PATHS (mainly because they assume that -## paths are normalized), that's why I'm keeping them in the same file. -## Still, some of them maybe worth to reuse. - -dnl adl_COMPUTE_RELATIVE_PATH(FROM, TO, RESULT) -dnl =========================================== -dnl Compute the relative path to go from $FROM to $TO and set the value -dnl of $RESULT to that value. This function work on raw filenames -dnl (for instead it will considerate /usr//local and /usr/local as -dnl two distinct paths), you should really use adl_COMPUTE_REALTIVE_PATHS -dnl instead to have the paths sanitized automatically. -dnl -dnl For instance: -dnl first_dir=/somewhere/on/my/disk/bin -dnl second_dir=/somewhere/on/another/disk/share -dnl adl_COMPUTE_RELATIVE_PATH(first_dir, second_dir, first_to_second) -dnl will set $first_to_second to '../../../another/disk/share'. -AC_DEFUN([adl_COMPUTE_RELATIVE_PATH], -[adl_COMPUTE_COMMON_PATH([$1], [$2], [_lcl_common_prefix]) -adl_COMPUTE_BACK_PATH([$1], [_lcl_common_prefix], [_lcl_first_rel]) -adl_COMPUTE_SUFFIX_PATH([$2], [_lcl_common_prefix], [_lcl_second_suffix]) -$3="[$]_lcl_first_rel[$]_lcl_second_suffix"]) - -dnl adl_COMPUTE_COMMON_PATH(LEFT, RIGHT, RESULT) -dnl ============================================ -dnl Compute the common path to $LEFT and $RIGHT and set the result to $RESULT. -dnl -dnl For instance: -dnl first_path=/somewhere/on/my/disk/bin -dnl second_path=/somewhere/on/another/disk/share -dnl adl_COMPUTE_COMMON_PATH(first_path, second_path, common_path) -dnl will set $common_path to '/somewhere/on'. -AC_DEFUN([adl_COMPUTE_COMMON_PATH], -[$3='' -_lcl_second_prefix_match='' -while test "[$]_lcl_second_prefix_match" != 0; do - _lcl_first_prefix=`expr "x[$]$1" : "x\([$]$3/*[[^/]]*\)"` - _lcl_second_prefix_match=`expr "x[$]$2" : "x[$]_lcl_first_prefix"` - if test "[$]_lcl_second_prefix_match" != 0; then - if test "[$]_lcl_first_prefix" != "[$]$3"; then - $3="[$]_lcl_first_prefix" - else - _lcl_second_prefix_match=0 - fi - fi -done]) - -dnl adl_COMPUTE_SUFFIX_PATH(PATH, SUBPATH, RESULT) -dnl ============================================== -dnl Substrack $SUBPATH from $PATH, and set the resulting suffix -dnl (or the empty string if $SUBPATH is not a subpath of $PATH) -dnl to $RESULT. -dnl -dnl For instace: -dnl first_path=/somewhere/on/my/disk/bin -dnl second_path=/somewhere/on -dnl adl_COMPUTE_SUFFIX_PATH(first_path, second_path, common_path) -dnl will set $common_path to '/my/disk/bin'. -AC_DEFUN([adl_COMPUTE_SUFFIX_PATH], -[$3=`expr "x[$]$1" : "x[$]$2/*\(.*\)"`]) - -dnl adl_COMPUTE_BACK_PATH(PATH, SUBPATH, RESULT) -dnl ============================================ -dnl Compute the relative path to go from $PATH to $SUBPATH, knowing that -dnl $SUBPATH is a subpath of $PATH (any other words, only repeated '../' -dnl should be needed to move from $PATH to $SUBPATH) and set the value -dnl of $RESULT to that value. If $SUBPATH is not a subpath of PATH, -dnl set $RESULT to the empty string. -dnl -dnl For instance: -dnl first_path=/somewhere/on/my/disk/bin -dnl second_path=/somewhere/on -dnl adl_COMPUTE_BACK_PATH(first_path, second_path, back_path) -dnl will set $back_path to '../../../'. -AC_DEFUN([adl_COMPUTE_BACK_PATH], -[adl_COMPUTE_SUFFIX_PATH([$1], [$2], [_lcl_first_suffix]) -$3='' -_lcl_tmp='xxx' -while test "[$]_lcl_tmp" != ''; do - _lcl_tmp=`expr "x[$]_lcl_first_suffix" : "x[[^/]]*/*\(.*\)"` - if test "[$]_lcl_first_suffix" != ''; then - _lcl_first_suffix="[$]_lcl_tmp" - $3="../[$]$3" - fi -done]) - - -dnl adl_RECURSIVE_EVAL(VALUE, RESULT) -dnl ================================= -dnl Interpolate the VALUE in loop until it doesn't change, -dnl and set the result to $RESULT. -dnl WARNING: It's easy to get an infinite loop with some unsane input. -AC_DEFUN([adl_RECURSIVE_EVAL], -[_lcl_receval="$1" -$2=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix" - test "x$exec_prefix" = xNONE && exec_prefix="${prefix}" - _lcl_receval_old='' - while test "[$]_lcl_receval_old" != "[$]_lcl_receval"; do - _lcl_receval_old="[$]_lcl_receval" - eval _lcl_receval="\"[$]_lcl_receval\"" - done - echo "[$]_lcl_receval")`]) diff --git a/src/config/config.guess b/src/config/config.guess index c4bd827..18f8edc 100755 --- a/src/config/config.guess +++ b/src/config/config.guess @@ -1,8 +1,8 @@ #! /bin/sh # Attempt to guess a canonical system name. -# Copyright 1992-2016 Free Software Foundation, Inc. +# Copyright 1992-2018 Free Software Foundation, Inc. -timestamp='2016-05-15' +timestamp='2018-08-29' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ timestamp='2016-05-15' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -27,7 +27,7 @@ timestamp='2016-05-15' # Originally written by Per Bothner; maintained since 2000 by Ben Elliston. # # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.guess # # Please send patches to . @@ -39,7 +39,7 @@ Usage: $0 [OPTION] Output the configuration name of the system \`$me' is run on. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -50,7 +50,7 @@ version="\ GNU config.guess ($timestamp) Originally written by Per Bothner. -Copyright 1992-2016 Free Software Foundation, Inc. +Copyright 1992-2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -84,8 +84,6 @@ if test $# != 0; then exit 1 fi -trap 'exit 1' 1 2 15 - # CC_FOR_BUILD -- compiler used by this script. Note that the use of a # compiler to aid in system detection is discouraged as it requires # temporary files to be created and, as you can see below, it is a @@ -96,34 +94,39 @@ trap 'exit 1' 1 2 15 # Portable tmp directory creation inspired by the Autoconf team. -set_cc_for_build=' -trap "exitcode=\$?; (rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null) && exit \$exitcode" 0 ; -trap "rm -f \$tmpfiles 2>/dev/null; rmdir \$tmp 2>/dev/null; exit 1" 1 2 13 15 ; -: ${TMPDIR=/tmp} ; - { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || - { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir $tmp) ; } || - { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir $tmp) && echo "Warning: creating insecure temp directory" >&2 ; } || - { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } ; -dummy=$tmp/dummy ; -tmpfiles="$dummy.c $dummy.o $dummy.rel $dummy" ; -case $CC_FOR_BUILD,$HOST_CC,$CC in - ,,) echo "int x;" > $dummy.c ; - for c in cc gcc c89 c99 ; do - if ($c -c -o $dummy.o $dummy.c) >/dev/null 2>&1 ; then - CC_FOR_BUILD="$c"; break ; - fi ; - done ; - if test x"$CC_FOR_BUILD" = x ; then - CC_FOR_BUILD=no_compiler_found ; - fi - ;; - ,,*) CC_FOR_BUILD=$CC ;; - ,*,*) CC_FOR_BUILD=$HOST_CC ;; -esac ; set_cc_for_build= ;' +tmp= +# shellcheck disable=SC2172 +trap 'test -z "$tmp" || rm -fr "$tmp"' 1 2 13 15 +trap 'exitcode=$?; test -z "$tmp" || rm -fr "$tmp"; exit $exitcode' 0 + +set_cc_for_build() { + : "${TMPDIR=/tmp}" + # shellcheck disable=SC2039 + { tmp=`(umask 077 && mktemp -d "$TMPDIR/cgXXXXXX") 2>/dev/null` && test -n "$tmp" && test -d "$tmp" ; } || + { test -n "$RANDOM" && tmp=$TMPDIR/cg$$-$RANDOM && (umask 077 && mkdir "$tmp" 2>/dev/null) ; } || + { tmp=$TMPDIR/cg-$$ && (umask 077 && mkdir "$tmp" 2>/dev/null) && echo "Warning: creating insecure temp directory" >&2 ; } || + { echo "$me: cannot create a temporary directory in $TMPDIR" >&2 ; exit 1 ; } + dummy=$tmp/dummy + case ${CC_FOR_BUILD-},${HOST_CC-},${CC-} in + ,,) echo "int x;" > "$dummy.c" + for driver in cc gcc c89 c99 ; do + if ($driver -c -o "$dummy.o" "$dummy.c") >/dev/null 2>&1 ; then + CC_FOR_BUILD="$driver" + break + fi + done + if test x"$CC_FOR_BUILD" = x ; then + CC_FOR_BUILD=no_compiler_found + fi + ;; + ,,*) CC_FOR_BUILD=$CC ;; + ,*,*) CC_FOR_BUILD=$HOST_CC ;; + esac +} # This is needed to find uname on a Pyramid OSx when run in the BSD universe. # (ghazi@noc.rutgers.edu 1994-08-24) -if (test -f /.attbin/uname) >/dev/null 2>&1 ; then +if test -f /.attbin/uname ; then PATH=$PATH:/.attbin ; export PATH fi @@ -132,14 +135,14 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown -case "${UNAME_SYSTEM}" in +case "$UNAME_SYSTEM" in Linux|GNU|GNU/*) # If the system lacks a compiler, then just pick glibc. # We could probably try harder. LIBC=gnu - eval $set_cc_for_build - cat <<-EOF > $dummy.c + set_cc_for_build + cat <<-EOF > "$dummy.c" #include #if defined(__UCLIBC__) LIBC=uclibc @@ -149,13 +152,20 @@ Linux|GNU|GNU/*) LIBC=gnu #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^LIBC' | sed 's, ,,g'` + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^LIBC' | sed 's, ,,g'`" + + # If ldd exists, use it to detect musl libc. + if command -v ldd >/dev/null && \ + ldd --version 2>&1 | grep -q ^musl + then + LIBC=musl + fi ;; esac # Note: order is significant - the case branches are not exclusive. -case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in +case "$UNAME_MACHINE:$UNAME_SYSTEM:$UNAME_RELEASE:$UNAME_VERSION" in *:NetBSD:*:*) # NetBSD (nbsd) targets should (where applicable) match one or # more of the tuples: *-*-netbsdelf*, *-*-netbsdaout*, @@ -169,30 +179,30 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # portion of the name. We always set it to "unknown". sysctl="sysctl -n hw.machine_arch" UNAME_MACHINE_ARCH=`(uname -p 2>/dev/null || \ - /sbin/$sysctl 2>/dev/null || \ - /usr/sbin/$sysctl 2>/dev/null || \ + "/sbin/$sysctl" 2>/dev/null || \ + "/usr/sbin/$sysctl" 2>/dev/null || \ echo unknown)` - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in armeb) machine=armeb-unknown ;; arm*) machine=arm-unknown ;; sh3el) machine=shl-unknown ;; sh3eb) machine=sh-unknown ;; sh5el) machine=sh5le-unknown ;; earmv*) - arch=`echo ${UNAME_MACHINE_ARCH} | sed -e 's,^e\(armv[0-9]\).*$,\1,'` - endian=`echo ${UNAME_MACHINE_ARCH} | sed -ne 's,^.*\(eb\)$,\1,p'` - machine=${arch}${endian}-unknown + arch=`echo "$UNAME_MACHINE_ARCH" | sed -e 's,^e\(armv[0-9]\).*$,\1,'` + endian=`echo "$UNAME_MACHINE_ARCH" | sed -ne 's,^.*\(eb\)$,\1,p'` + machine="${arch}${endian}"-unknown ;; - *) machine=${UNAME_MACHINE_ARCH}-unknown ;; + *) machine="$UNAME_MACHINE_ARCH"-unknown ;; esac # The Operating System including object format, if it has switched # to ELF recently (or will in the future) and ABI. - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in earm*) os=netbsdelf ;; arm*|i386|m68k|ns32k|sh3*|sparc|vax) - eval $set_cc_for_build + set_cc_for_build if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ELF__ then @@ -208,10 +218,10 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ;; esac # Determine ABI tags. - case "${UNAME_MACHINE_ARCH}" in + case "$UNAME_MACHINE_ARCH" in earm*) expr='s/^earmv[0-9]/-eabi/;s/eb$//' - abi=`echo ${UNAME_MACHINE_ARCH} | sed -e "$expr"` + abi=`echo "$UNAME_MACHINE_ARCH" | sed -e "$expr"` ;; esac # The OS release @@ -219,46 +229,55 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # thus, need a distinct triplet. However, they do not need # kernel version information, so it can be replaced with a # suitable tag, in the style of linux-gnu. - case "${UNAME_VERSION}" in + case "$UNAME_VERSION" in Debian*) release='-gnu' ;; *) - release=`echo ${UNAME_RELEASE} | sed -e 's/[-_].*//' | cut -d. -f1,2` + release=`echo "$UNAME_RELEASE" | sed -e 's/[-_].*//' | cut -d. -f1,2` ;; esac # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM: # contains redundant information, the shorter form: # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used. - echo "${machine}-${os}${release}${abi}" + echo "$machine-${os}${release}${abi-}" exit ;; *:Bitrig:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/Bitrig.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-bitrig${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-bitrig"$UNAME_RELEASE" exit ;; *:OpenBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/OpenBSD.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-openbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-openbsd"$UNAME_RELEASE" exit ;; *:LibertyBSD:*:*) UNAME_MACHINE_ARCH=`arch | sed 's/^.*BSD\.//'` - echo ${UNAME_MACHINE_ARCH}-unknown-libertybsd${UNAME_RELEASE} + echo "$UNAME_MACHINE_ARCH"-unknown-libertybsd"$UNAME_RELEASE" + exit ;; + *:MidnightBSD:*:*) + echo "$UNAME_MACHINE"-unknown-midnightbsd"$UNAME_RELEASE" exit ;; *:ekkoBSD:*:*) - echo ${UNAME_MACHINE}-unknown-ekkobsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-ekkobsd"$UNAME_RELEASE" exit ;; *:SolidBSD:*:*) - echo ${UNAME_MACHINE}-unknown-solidbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-solidbsd"$UNAME_RELEASE" exit ;; macppc:MirBSD:*:*) - echo powerpc-unknown-mirbsd${UNAME_RELEASE} + echo powerpc-unknown-mirbsd"$UNAME_RELEASE" exit ;; *:MirBSD:*:*) - echo ${UNAME_MACHINE}-unknown-mirbsd${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-mirbsd"$UNAME_RELEASE" exit ;; *:Sortix:*:*) - echo ${UNAME_MACHINE}-unknown-sortix + echo "$UNAME_MACHINE"-unknown-sortix exit ;; + *:Redox:*:*) + echo "$UNAME_MACHINE"-unknown-redox + exit ;; + mips:OSF1:*.*) + echo mips-dec-osf1 + exit ;; alpha:OSF1:*:*) case $UNAME_RELEASE in *4.0) @@ -310,28 +329,19 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # A Tn.n version is a released field test version. # A Xn.n version is an unreleased experimental baselevel. # 1.2 uses "1.2" for uname -r. - echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` + echo "$UNAME_MACHINE"-dec-osf"`echo "$UNAME_RELEASE" | sed -e 's/^[PVTX]//' | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz`" # Reset EXIT trap before exiting to avoid spurious non-zero exit code. exitcode=$? trap '' 0 exit $exitcode ;; - Alpha\ *:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # Should we change UNAME_MACHINE based on the output of uname instead - # of the specific Alpha model? - echo alpha-pc-interix - exit ;; - 21064:Windows_NT:50:3) - echo alpha-dec-winnt3.5 - exit ;; Amiga*:UNIX_System_V:4.0:*) echo m68k-unknown-sysv4 exit ;; *:[Aa]miga[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-amigaos + echo "$UNAME_MACHINE"-unknown-amigaos exit ;; *:[Mm]orph[Oo][Ss]:*:*) - echo ${UNAME_MACHINE}-unknown-morphos + echo "$UNAME_MACHINE"-unknown-morphos exit ;; *:OS/390:*:*) echo i370-ibm-openedition @@ -343,7 +353,7 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in echo powerpc-ibm-os400 exit ;; arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*) - echo arm-acorn-riscix${UNAME_RELEASE} + echo arm-acorn-riscix"$UNAME_RELEASE" exit ;; arm*:riscos:*:*|arm*:RISCOS:*:*) echo arm-unknown-riscos @@ -370,38 +380,33 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in sparc) echo sparc-icl-nx7; exit ;; esac ;; s390x:SunOS:*:*) - echo ${UNAME_MACHINE}-ibm-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo "$UNAME_MACHINE"-ibm-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; sun4H:SunOS:5.*:*) - echo sparc-hal-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-hal-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:5.*:* | tadpole*:SunOS:5.*:*) - echo sparc-sun-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris2"`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" exit ;; i86pc:AuroraUX:5.*:* | i86xen:AuroraUX:5.*:*) - echo i386-pc-auroraux${UNAME_RELEASE} + echo i386-pc-auroraux"$UNAME_RELEASE" exit ;; i86pc:SunOS:5.*:* | i86xen:SunOS:5.*:*) - eval $set_cc_for_build - SUN_ARCH=i386 - # If there is a compiler, see if it is configured for 64-bit objects. - # Note that the Sun cc does not turn __LP64__ into 1 like gcc does. - # This test works for both compilers. - if [ "$CC_FOR_BUILD" != no_compiler_found ]; then - if (echo '#ifdef __amd64'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null - then - SUN_ARCH=x86_64 - fi - fi - echo ${SUN_ARCH}-pc-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + UNAME_REL="`echo "$UNAME_RELEASE" | sed -e 's/[^.]*//'`" + case `isainfo -b` in + 32) + echo i386-pc-solaris2"$UNAME_REL" + ;; + 64) + echo x86_64-pc-solaris2"$UNAME_REL" + ;; + esac exit ;; sun4*:SunOS:6*:*) # According to config.sub, this is the proper way to canonicalize # SunOS6. Hard to guess exactly what SunOS6 will be like, but # it's likely to be more like Solaris than SunOS4. - echo sparc-sun-solaris3`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo sparc-sun-solaris3"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; sun4*:SunOS:*:*) case "`/usr/bin/arch -k`" in @@ -410,25 +415,25 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in ;; esac # Japanese Language versions have a version number like `4.1.3-JL'. - echo sparc-sun-sunos`echo ${UNAME_RELEASE}|sed -e 's/-/_/'` + echo sparc-sun-sunos"`echo "$UNAME_RELEASE"|sed -e 's/-/_/'`" exit ;; sun3*:SunOS:*:*) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" exit ;; sun*:*:4.2BSD:*) UNAME_RELEASE=`(sed 1q /etc/motd | awk '{print substr($5,1,3)}') 2>/dev/null` - test "x${UNAME_RELEASE}" = x && UNAME_RELEASE=3 + test "x$UNAME_RELEASE" = x && UNAME_RELEASE=3 case "`/bin/arch`" in sun3) - echo m68k-sun-sunos${UNAME_RELEASE} + echo m68k-sun-sunos"$UNAME_RELEASE" ;; sun4) - echo sparc-sun-sunos${UNAME_RELEASE} + echo sparc-sun-sunos"$UNAME_RELEASE" ;; esac exit ;; aushp:SunOS:*:*) - echo sparc-auspex-sunos${UNAME_RELEASE} + echo sparc-auspex-sunos"$UNAME_RELEASE" exit ;; # The situation for MiNT is a little confusing. The machine name # can be virtually everything (everything which is not @@ -439,44 +444,44 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in # MiNT. But MiNT is downward compatible to TOS, so this should # be no problem. atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*) - echo m68k-atari-mint${UNAME_RELEASE} + echo m68k-atari-mint"$UNAME_RELEASE" exit ;; milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*) - echo m68k-milan-mint${UNAME_RELEASE} + echo m68k-milan-mint"$UNAME_RELEASE" exit ;; hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*) - echo m68k-hades-mint${UNAME_RELEASE} + echo m68k-hades-mint"$UNAME_RELEASE" exit ;; *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*) - echo m68k-unknown-mint${UNAME_RELEASE} + echo m68k-unknown-mint"$UNAME_RELEASE" exit ;; m68k:machten:*:*) - echo m68k-apple-machten${UNAME_RELEASE} + echo m68k-apple-machten"$UNAME_RELEASE" exit ;; powerpc:machten:*:*) - echo powerpc-apple-machten${UNAME_RELEASE} + echo powerpc-apple-machten"$UNAME_RELEASE" exit ;; RISC*:Mach:*:*) echo mips-dec-mach_bsd4.3 exit ;; RISC*:ULTRIX:*:*) - echo mips-dec-ultrix${UNAME_RELEASE} + echo mips-dec-ultrix"$UNAME_RELEASE" exit ;; VAX*:ULTRIX*:*:*) - echo vax-dec-ultrix${UNAME_RELEASE} + echo vax-dec-ultrix"$UNAME_RELEASE" exit ;; 2020:CLIX:*:* | 2430:CLIX:*:*) - echo clipper-intergraph-clix${UNAME_RELEASE} + echo clipper-intergraph-clix"$UNAME_RELEASE" exit ;; mips:*:*:UMIPS | mips:*:*:RISCos) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #ifdef __cplusplus #include /* for printf() prototype */ int main (int argc, char *argv[]) { @@ -485,23 +490,23 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in #endif #if defined (host_mips) && defined (MIPSEB) #if defined (SYSTYPE_SYSV) - printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssysv\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_SVR4) - printf ("mips-mips-riscos%ssvr4\n", argv[1]); exit (0); + printf ("mips-mips-riscos%ssvr4\\n", argv[1]); exit (0); #endif #if defined (SYSTYPE_BSD43) || defined(SYSTYPE_BSD) - printf ("mips-mips-riscos%sbsd\n", argv[1]); exit (0); + printf ("mips-mips-riscos%sbsd\\n", argv[1]); exit (0); #endif #endif exit (-1); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && - dummyarg=`echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` && - SYSTEM_NAME=`$dummy $dummyarg` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && + dummyarg=`echo "$UNAME_RELEASE" | sed -n 's/\([0-9]*\).*/\1/p'` && + SYSTEM_NAME=`"$dummy" "$dummyarg"` && { echo "$SYSTEM_NAME"; exit; } - echo mips-mips-riscos${UNAME_RELEASE} + echo mips-mips-riscos"$UNAME_RELEASE" exit ;; Motorola:PowerMAX_OS:*:*) echo powerpc-motorola-powermax @@ -527,17 +532,17 @@ EOF AViiON:dgux:*:*) # DG/UX returns AViiON for all architectures UNAME_PROCESSOR=`/usr/bin/uname -p` - if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ] + if [ "$UNAME_PROCESSOR" = mc88100 ] || [ "$UNAME_PROCESSOR" = mc88110 ] then - if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \ - [ ${TARGET_BINARY_INTERFACE}x = x ] + if [ "$TARGET_BINARY_INTERFACE"x = m88kdguxelfx ] || \ + [ "$TARGET_BINARY_INTERFACE"x = x ] then - echo m88k-dg-dgux${UNAME_RELEASE} + echo m88k-dg-dgux"$UNAME_RELEASE" else - echo m88k-dg-dguxbcs${UNAME_RELEASE} + echo m88k-dg-dguxbcs"$UNAME_RELEASE" fi else - echo i586-dg-dgux${UNAME_RELEASE} + echo i586-dg-dgux"$UNAME_RELEASE" fi exit ;; M88*:DolphinOS:*:*) # DolphinOS (SVR3) @@ -554,7 +559,7 @@ EOF echo m68k-tektronix-bsd exit ;; *:IRIX*:*:*) - echo mips-sgi-irix`echo ${UNAME_RELEASE}|sed -e 's/-/_/g'` + echo mips-sgi-irix"`echo "$UNAME_RELEASE"|sed -e 's/-/_/g'`" exit ;; ????????:AIX?:[12].1:2) # AIX 2.2.1 or AIX 2.1.1 is RT/PC AIX. echo romp-ibm-aix # uname -m gives an 8 hex-code CPU id @@ -566,14 +571,14 @@ EOF if [ -x /usr/bin/oslevel ] ; then IBM_REV=`/usr/bin/oslevel` else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" fi - echo ${UNAME_MACHINE}-ibm-aix${IBM_REV} + echo "$UNAME_MACHINE"-ibm-aix"$IBM_REV" exit ;; *:AIX:2:3) if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include main() @@ -584,7 +589,7 @@ EOF exit(0); } EOF - if $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` + if $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` then echo "$SYSTEM_NAME" else @@ -598,7 +603,7 @@ EOF exit ;; *:AIX:*:[4567]) IBM_CPU_ID=`/usr/sbin/lsdev -C -c processor -S available | sed 1q | awk '{ print $1 }'` - if /usr/sbin/lsattr -El ${IBM_CPU_ID} | grep ' POWER' >/dev/null 2>&1; then + if /usr/sbin/lsattr -El "$IBM_CPU_ID" | grep ' POWER' >/dev/null 2>&1; then IBM_ARCH=rs6000 else IBM_ARCH=powerpc @@ -607,18 +612,18 @@ EOF IBM_REV=`/usr/bin/lslpp -Lqc bos.rte.libc | awk -F: '{ print $3 }' | sed s/[0-9]*$/0/` else - IBM_REV=${UNAME_VERSION}.${UNAME_RELEASE} + IBM_REV="$UNAME_VERSION.$UNAME_RELEASE" fi - echo ${IBM_ARCH}-ibm-aix${IBM_REV} + echo "$IBM_ARCH"-ibm-aix"$IBM_REV" exit ;; *:AIX:*:*) echo rs6000-ibm-aix exit ;; - ibmrt:4.4BSD:*|romp-ibm:BSD:*) + ibmrt:4.4BSD:*|romp-ibm:4.4BSD:*) echo romp-ibm-bsd4.4 exit ;; ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and - echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to + echo romp-ibm-bsd"$UNAME_RELEASE" # 4.3 with uname added to exit ;; # report: romp-ibm BSD 4.3 *:BOSX:*:*) echo rs6000-bull-bosx @@ -633,28 +638,28 @@ EOF echo m68k-hp-bsd4.4 exit ;; 9000/[34678]??:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - case "${UNAME_MACHINE}" in - 9000/31? ) HP_ARCH=m68000 ;; - 9000/[34]?? ) HP_ARCH=m68k ;; + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + case "$UNAME_MACHINE" in + 9000/31?) HP_ARCH=m68000 ;; + 9000/[34]??) HP_ARCH=m68k ;; 9000/[678][0-9][0-9]) if [ -x /usr/bin/getconf ]; then sc_cpu_version=`/usr/bin/getconf SC_CPU_VERSION 2>/dev/null` sc_kernel_bits=`/usr/bin/getconf SC_KERNEL_BITS 2>/dev/null` - case "${sc_cpu_version}" in + case "$sc_cpu_version" in 523) HP_ARCH=hppa1.0 ;; # CPU_PA_RISC1_0 528) HP_ARCH=hppa1.1 ;; # CPU_PA_RISC1_1 532) # CPU_PA_RISC2_0 - case "${sc_kernel_bits}" in + case "$sc_kernel_bits" in 32) HP_ARCH=hppa2.0n ;; 64) HP_ARCH=hppa2.0w ;; '') HP_ARCH=hppa2.0 ;; # HP-UX 10.20 esac ;; esac fi - if [ "${HP_ARCH}" = "" ]; then - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + if [ "$HP_ARCH" = "" ]; then + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #define _HPUX_SOURCE #include @@ -687,13 +692,13 @@ EOF exit (0); } EOF - (CCOPTS="" $CC_FOR_BUILD -o $dummy $dummy.c 2>/dev/null) && HP_ARCH=`$dummy` + (CCOPTS="" $CC_FOR_BUILD -o "$dummy" "$dummy.c" 2>/dev/null) && HP_ARCH=`"$dummy"` test -z "$HP_ARCH" && HP_ARCH=hppa fi ;; esac - if [ ${HP_ARCH} = hppa2.0w ] + if [ "$HP_ARCH" = hppa2.0w ] then - eval $set_cc_for_build + set_cc_for_build # hppa2.0w-hp-hpux* has a 64-bit kernel and a compiler generating # 32-bit code. hppa64-hp-hpux* has the same kernel and a compiler @@ -712,15 +717,15 @@ EOF HP_ARCH=hppa64 fi fi - echo ${HP_ARCH}-hp-hpux${HPUX_REV} + echo "$HP_ARCH"-hp-hpux"$HPUX_REV" exit ;; ia64:HP-UX:*:*) - HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'` - echo ia64-hp-hpux${HPUX_REV} + HPUX_REV=`echo "$UNAME_RELEASE"|sed -e 's/[^.]*.[0B]*//'` + echo ia64-hp-hpux"$HPUX_REV" exit ;; 3050*:HI-UX:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #include int main () @@ -745,11 +750,11 @@ EOF exit (0); } EOF - $CC_FOR_BUILD -o $dummy $dummy.c && SYSTEM_NAME=`$dummy` && + $CC_FOR_BUILD -o "$dummy" "$dummy.c" && SYSTEM_NAME=`"$dummy"` && { echo "$SYSTEM_NAME"; exit; } echo unknown-hitachi-hiuxwe2 exit ;; - 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* ) + 9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:*) echo hppa1.1-hp-bsd exit ;; 9000/8??:4.3bsd:*:*) @@ -758,7 +763,7 @@ EOF *9??*:MPE/iX:*:* | *3000*:MPE/iX:*:*) echo hppa1.0-hp-mpeix exit ;; - hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* ) + hp7??:OSF1:*:* | hp8?[79]:OSF1:*:*) echo hppa1.1-hp-osf exit ;; hp8??:OSF1:*:*) @@ -766,9 +771,9 @@ EOF exit ;; i*86:OSF1:*:*) if [ -x /usr/sbin/sysversion ] ; then - echo ${UNAME_MACHINE}-unknown-osf1mk + echo "$UNAME_MACHINE"-unknown-osf1mk else - echo ${UNAME_MACHINE}-unknown-osf1 + echo "$UNAME_MACHINE"-unknown-osf1 fi exit ;; parisc*:Lites*:*:*) @@ -793,127 +798,120 @@ EOF echo c4-convex-bsd exit ;; CRAY*Y-MP:*:*:*) - echo ymp-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo ymp-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*[A-Z]90:*:*:*) - echo ${UNAME_MACHINE}-cray-unicos${UNAME_RELEASE} \ + echo "$UNAME_MACHINE"-cray-unicos"$UNAME_RELEASE" \ | sed -e 's/CRAY.*\([A-Z]90\)/\1/' \ -e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/ \ -e 's/\.[^.]*$/.X/' exit ;; CRAY*TS:*:*:*) - echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo t90-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*T3E:*:*:*) - echo alphaev5-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo alphaev5-cray-unicosmk"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; CRAY*SV1:*:*:*) - echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo sv1-cray-unicos"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; *:UNICOS/mp:*:*) - echo craynv-cray-unicosmp${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/' + echo craynv-cray-unicosmp"$UNAME_RELEASE" | sed -e 's/\.[^.]*$/.X/' exit ;; F30[01]:UNIX_System_V:*:* | F700:UNIX_System_V:*:*) FUJITSU_PROC=`uname -m | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz` FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | sed -e 's/ /_/'` echo "${FUJITSU_PROC}-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; 5000:UNIX_System_V:4.*:*) FUJITSU_SYS=`uname -p | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/\///'` - FUJITSU_REL=`echo ${UNAME_RELEASE} | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` + FUJITSU_REL=`echo "$UNAME_RELEASE" | tr ABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyz | sed -e 's/ /_/'` echo "sparc-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}" exit ;; i*86:BSD/386:*:* | i*86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*) - echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-pc-bsdi"$UNAME_RELEASE" exit ;; sparc*:BSD/OS:*:*) - echo sparc-unknown-bsdi${UNAME_RELEASE} + echo sparc-unknown-bsdi"$UNAME_RELEASE" exit ;; *:BSD/OS:*:*) - echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE} + echo "$UNAME_MACHINE"-unknown-bsdi"$UNAME_RELEASE" + exit ;; + arm:FreeBSD:*:*) + UNAME_PROCESSOR=`uname -p` + set_cc_for_build + if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ + | grep -q __ARM_PCS_VFP + then + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabi + else + echo "${UNAME_PROCESSOR}"-unknown-freebsd"`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`"-gnueabihf + fi exit ;; *:FreeBSD:*:*) UNAME_PROCESSOR=`/usr/bin/uname -p` - case ${UNAME_PROCESSOR} in + case "$UNAME_PROCESSOR" in amd64) - echo x86_64-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; - *) - echo ${UNAME_PROCESSOR}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` ;; + UNAME_PROCESSOR=x86_64 ;; + i386) + UNAME_PROCESSOR=i586 ;; esac + echo "$UNAME_PROCESSOR"-unknown-freebsd"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; i*:CYGWIN*:*) - echo ${UNAME_MACHINE}-pc-cygwin + echo "$UNAME_MACHINE"-pc-cygwin exit ;; *:MINGW64*:*) - echo ${UNAME_MACHINE}-pc-mingw64 + echo "$UNAME_MACHINE"-pc-mingw64 exit ;; *:MINGW*:*) - echo ${UNAME_MACHINE}-pc-mingw32 + echo "$UNAME_MACHINE"-pc-mingw32 exit ;; *:MSYS*:*) - echo ${UNAME_MACHINE}-pc-msys - exit ;; - i*:windows32*:*) - # uname -m includes "-pc" on this system. - echo ${UNAME_MACHINE}-mingw32 + echo "$UNAME_MACHINE"-pc-msys exit ;; i*:PW*:*) - echo ${UNAME_MACHINE}-pc-pw32 + echo "$UNAME_MACHINE"-pc-pw32 exit ;; *:Interix*:*) - case ${UNAME_MACHINE} in + case "$UNAME_MACHINE" in x86) - echo i586-pc-interix${UNAME_RELEASE} + echo i586-pc-interix"$UNAME_RELEASE" exit ;; authenticamd | genuineintel | EM64T) - echo x86_64-unknown-interix${UNAME_RELEASE} + echo x86_64-unknown-interix"$UNAME_RELEASE" exit ;; IA64) - echo ia64-unknown-interix${UNAME_RELEASE} + echo ia64-unknown-interix"$UNAME_RELEASE" exit ;; esac ;; - [345]86:Windows_95:* | [345]86:Windows_98:* | [345]86:Windows_NT:*) - echo i${UNAME_MACHINE}-pc-mks - exit ;; - 8664:Windows_NT:*) - echo x86_64-pc-mks - exit ;; - i*:Windows_NT*:* | Pentium*:Windows_NT*:*) - # How do we know it's Interix rather than the generic POSIX subsystem? - # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we - # UNAME_MACHINE based on the output of uname instead of i386? - echo i586-pc-interix - exit ;; i*:UWIN*:*) - echo ${UNAME_MACHINE}-pc-uwin + echo "$UNAME_MACHINE"-pc-uwin exit ;; amd64:CYGWIN*:*:* | x86_64:CYGWIN*:*:*) - echo x86_64-unknown-cygwin - exit ;; - p*:CYGWIN*:*) - echo powerpcle-unknown-cygwin + echo x86_64-pc-cygwin exit ;; prep*:SunOS:5.*:*) - echo powerpcle-unknown-solaris2`echo ${UNAME_RELEASE}|sed -e 's/[^.]*//'` + echo powerpcle-unknown-solaris2"`echo "$UNAME_RELEASE"|sed -e 's/[^.]*//'`" exit ;; *:GNU:*:*) # the GNU system - echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-${LIBC}`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'` + echo "`echo "$UNAME_MACHINE"|sed -e 's,[-/].*$,,'`-unknown-$LIBC`echo "$UNAME_RELEASE"|sed -e 's,/.*$,,'`" exit ;; *:GNU/*:*:*) # other systems with GNU libc and userland - echo ${UNAME_MACHINE}-unknown-`echo ${UNAME_SYSTEM} | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`-${LIBC} + echo "$UNAME_MACHINE-unknown-`echo "$UNAME_SYSTEM" | sed 's,^[^/]*/,,' | tr "[:upper:]" "[:lower:]"``echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`-$LIBC" exit ;; - i*86:Minix:*:*) - echo ${UNAME_MACHINE}-pc-minix + *:Minix:*:*) + echo "$UNAME_MACHINE"-unknown-minix exit ;; aarch64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; aarch64_be:Linux:*:*) UNAME_MACHINE=aarch64_be - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; alpha:Linux:*:*) case `sed -n '/^cpu model/s/^.*: \(.*\)/\1/p' < /proc/cpuinfo` in @@ -927,63 +925,63 @@ EOF esac objdump --private-headers /bin/sh | grep -q ld.so.1 if test "$?" = 0 ; then LIBC=gnulibc1 ; fi - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arc:Linux:*:* | arceb:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; arm*:Linux:*:*) - eval $set_cc_for_build + set_cc_for_build if echo __ARM_EABI__ | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_EABI__ then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" else if echo __ARM_PCS_VFP | $CC_FOR_BUILD -E - 2>/dev/null \ | grep -q __ARM_PCS_VFP then - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabi + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabi else - echo ${UNAME_MACHINE}-unknown-linux-${LIBC}eabihf + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC"eabihf fi fi exit ;; avr32*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; cris:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" exit ;; crisv32:Linux:*:*) - echo ${UNAME_MACHINE}-axis-linux-${LIBC} + echo "$UNAME_MACHINE"-axis-linux-"$LIBC" exit ;; e2k:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; frv:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; hexagon:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + echo "$UNAME_MACHINE"-pc-linux-"$LIBC" exit ;; ia64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; k1om:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m32r*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; m68*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; mips:Linux:*:* | mips64:Linux:*:*) - eval $set_cc_for_build - sed 's/^ //' << EOF >$dummy.c + set_cc_for_build + sed 's/^ //' << EOF > "$dummy.c" #undef CPU #undef ${UNAME_MACHINE} #undef ${UNAME_MACHINE}el @@ -997,64 +995,70 @@ EOF #endif #endif EOF - eval `$CC_FOR_BUILD -E $dummy.c 2>/dev/null | grep '^CPU'` - test x"${CPU}" != x && { echo "${CPU}-unknown-linux-${LIBC}"; exit; } + eval "`$CC_FOR_BUILD -E "$dummy.c" 2>/dev/null | grep '^CPU'`" + test "x$CPU" != x && { echo "$CPU-unknown-linux-$LIBC"; exit; } ;; + mips64el:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" + exit ;; openrisc*:Linux:*:*) - echo or1k-unknown-linux-${LIBC} + echo or1k-unknown-linux-"$LIBC" exit ;; or32:Linux:*:* | or1k*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; padre:Linux:*:*) - echo sparc-unknown-linux-${LIBC} + echo sparc-unknown-linux-"$LIBC" exit ;; parisc64:Linux:*:* | hppa64:Linux:*:*) - echo hppa64-unknown-linux-${LIBC} + echo hppa64-unknown-linux-"$LIBC" exit ;; parisc:Linux:*:* | hppa:Linux:*:*) # Look for CPU level case `grep '^cpu[^a-z]*:' /proc/cpuinfo 2>/dev/null | cut -d' ' -f2` in - PA7*) echo hppa1.1-unknown-linux-${LIBC} ;; - PA8*) echo hppa2.0-unknown-linux-${LIBC} ;; - *) echo hppa-unknown-linux-${LIBC} ;; + PA7*) echo hppa1.1-unknown-linux-"$LIBC" ;; + PA8*) echo hppa2.0-unknown-linux-"$LIBC" ;; + *) echo hppa-unknown-linux-"$LIBC" ;; esac exit ;; ppc64:Linux:*:*) - echo powerpc64-unknown-linux-${LIBC} + echo powerpc64-unknown-linux-"$LIBC" exit ;; ppc:Linux:*:*) - echo powerpc-unknown-linux-${LIBC} + echo powerpc-unknown-linux-"$LIBC" exit ;; ppc64le:Linux:*:*) - echo powerpc64le-unknown-linux-${LIBC} + echo powerpc64le-unknown-linux-"$LIBC" exit ;; ppcle:Linux:*:*) - echo powerpcle-unknown-linux-${LIBC} + echo powerpcle-unknown-linux-"$LIBC" + exit ;; + riscv32:Linux:*:* | riscv64:Linux:*:*) + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; s390:Linux:*:* | s390x:Linux:*:*) - echo ${UNAME_MACHINE}-ibm-linux-${LIBC} + echo "$UNAME_MACHINE"-ibm-linux-"$LIBC" exit ;; sh64*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sh*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; sparc:Linux:*:* | sparc64:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; tile*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; vax:Linux:*:*) - echo ${UNAME_MACHINE}-dec-linux-${LIBC} + echo "$UNAME_MACHINE"-dec-linux-"$LIBC" exit ;; x86_64:Linux:*:*) - echo ${UNAME_MACHINE}-pc-linux-${LIBC} + echo "$UNAME_MACHINE"-pc-linux-"$LIBC" exit ;; xtensa*:Linux:*:*) - echo ${UNAME_MACHINE}-unknown-linux-${LIBC} + echo "$UNAME_MACHINE"-unknown-linux-"$LIBC" exit ;; i*86:DYNIX/ptx:4*:*) # ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. @@ -1068,34 +1072,34 @@ EOF # I am not positive that other SVR4 systems won't match this, # I just have to hope. -- rms. # Use sysv4.2uw... so that sysv4* matches it. - echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION} + echo "$UNAME_MACHINE"-pc-sysv4.2uw"$UNAME_VERSION" exit ;; i*86:OS/2:*:*) # If we were able to find `uname', then EMX Unix compatibility # is probably installed. - echo ${UNAME_MACHINE}-pc-os2-emx + echo "$UNAME_MACHINE"-pc-os2-emx exit ;; i*86:XTS-300:*:STOP) - echo ${UNAME_MACHINE}-unknown-stop + echo "$UNAME_MACHINE"-unknown-stop exit ;; i*86:atheos:*:*) - echo ${UNAME_MACHINE}-unknown-atheos + echo "$UNAME_MACHINE"-unknown-atheos exit ;; i*86:syllable:*:*) - echo ${UNAME_MACHINE}-pc-syllable + echo "$UNAME_MACHINE"-pc-syllable exit ;; i*86:LynxOS:2.*:* | i*86:LynxOS:3.[01]*:* | i*86:LynxOS:4.[02]*:*) - echo i386-unknown-lynxos${UNAME_RELEASE} + echo i386-unknown-lynxos"$UNAME_RELEASE" exit ;; i*86:*DOS:*:*) - echo ${UNAME_MACHINE}-pc-msdosdjgpp + echo "$UNAME_MACHINE"-pc-msdosdjgpp exit ;; - i*86:*:4.*:* | i*86:SYSTEM_V:4.*:*) - UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'` + i*86:*:4.*:*) + UNAME_REL=`echo "$UNAME_RELEASE" | sed 's/\/MP$//'` if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then - echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-univel-sysv"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL} + echo "$UNAME_MACHINE"-pc-sysv"$UNAME_REL" fi exit ;; i*86:*:5:[678]*) @@ -1105,12 +1109,12 @@ EOF *Pentium) UNAME_MACHINE=i586 ;; *Pent*|*Celeron) UNAME_MACHINE=i686 ;; esac - echo ${UNAME_MACHINE}-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}${UNAME_VERSION} + echo "$UNAME_MACHINE-unknown-sysv${UNAME_RELEASE}${UNAME_SYSTEM}{$UNAME_VERSION}" exit ;; i*86:*:3.2:*) if test -f /usr/options/cb.name; then UNAME_REL=`sed -n 's/.*Version //p' /dev/null >/dev/null ; then UNAME_REL=`(/bin/uname -X|grep Release|sed -e 's/.*= //')` (/bin/uname -X|grep i80486 >/dev/null) && UNAME_MACHINE=i486 @@ -1120,9 +1124,9 @@ EOF && UNAME_MACHINE=i686 (/bin/uname -X|grep '^Machine.*Pentium Pro' >/dev/null) \ && UNAME_MACHINE=i686 - echo ${UNAME_MACHINE}-pc-sco$UNAME_REL + echo "$UNAME_MACHINE"-pc-sco"$UNAME_REL" else - echo ${UNAME_MACHINE}-pc-sysv32 + echo "$UNAME_MACHINE"-pc-sysv32 fi exit ;; pc:*:*:*) @@ -1142,9 +1146,9 @@ EOF exit ;; i860:*:4.*:*) # i860-SVR4 if grep Stardent /usr/include/sys/uadmin.h >/dev/null 2>&1 ; then - echo i860-stardent-sysv${UNAME_RELEASE} # Stardent Vistra i860-SVR4 + echo i860-stardent-sysv"$UNAME_RELEASE" # Stardent Vistra i860-SVR4 else # Add other i860-SVR4 vendors below as they are discovered. - echo i860-unknown-sysv${UNAME_RELEASE} # Unknown i860-SVR4 + echo i860-unknown-sysv"$UNAME_RELEASE" # Unknown i860-SVR4 fi exit ;; mini*:CTIX:SYS*5:*) @@ -1164,9 +1168,9 @@ EOF test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; 3[34]??:*:4.0:* | 3[34]??,*:*:4.0:*) /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ && { echo i486-ncr-sysv4; exit; } ;; @@ -1175,28 +1179,28 @@ EOF test -r /etc/.relid \ && OS_REL=.`sed -n 's/[^ ]* [^ ]* \([0-9][0-9]\).*/\1/p' < /etc/.relid` /bin/uname -p 2>/dev/null | grep 86 >/dev/null \ - && { echo i486-ncr-sysv4.3${OS_REL}; exit; } + && { echo i486-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep entium >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } /bin/uname -p 2>/dev/null | /bin/grep pteron >/dev/null \ - && { echo i586-ncr-sysv4.3${OS_REL}; exit; } ;; + && { echo i586-ncr-sysv4.3"$OS_REL"; exit; } ;; m68*:LynxOS:2.*:* | m68*:LynxOS:3.0*:*) - echo m68k-unknown-lynxos${UNAME_RELEASE} + echo m68k-unknown-lynxos"$UNAME_RELEASE" exit ;; mc68030:UNIX_System_V:4.*:*) echo m68k-atari-sysv4 exit ;; TSUNAMI:LynxOS:2.*:*) - echo sparc-unknown-lynxos${UNAME_RELEASE} + echo sparc-unknown-lynxos"$UNAME_RELEASE" exit ;; rs6000:LynxOS:2.*:*) - echo rs6000-unknown-lynxos${UNAME_RELEASE} + echo rs6000-unknown-lynxos"$UNAME_RELEASE" exit ;; PowerPC:LynxOS:2.*:* | PowerPC:LynxOS:3.[01]*:* | PowerPC:LynxOS:4.[02]*:*) - echo powerpc-unknown-lynxos${UNAME_RELEASE} + echo powerpc-unknown-lynxos"$UNAME_RELEASE" exit ;; SM[BE]S:UNIX_SV:*:*) - echo mips-dde-sysv${UNAME_RELEASE} + echo mips-dde-sysv"$UNAME_RELEASE" exit ;; RM*:ReliantUNIX-*:*:*) echo mips-sni-sysv4 @@ -1207,7 +1211,7 @@ EOF *:SINIX-*:*:*) if uname -p 2>/dev/null >/dev/null ; then UNAME_MACHINE=`(uname -p) 2>/dev/null` - echo ${UNAME_MACHINE}-sni-sysv4 + echo "$UNAME_MACHINE"-sni-sysv4 else echo ns32k-sni-sysv fi @@ -1227,23 +1231,23 @@ EOF exit ;; i*86:VOS:*:*) # From Paul.Green@stratus.com. - echo ${UNAME_MACHINE}-stratus-vos + echo "$UNAME_MACHINE"-stratus-vos exit ;; *:VOS:*:*) # From Paul.Green@stratus.com. echo hppa1.1-stratus-vos exit ;; mc68*:A/UX:*:*) - echo m68k-apple-aux${UNAME_RELEASE} + echo m68k-apple-aux"$UNAME_RELEASE" exit ;; news*:NEWS-OS:6*:*) echo mips-sony-newsos6 exit ;; R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*) if [ -d /usr/nec ]; then - echo mips-nec-sysv${UNAME_RELEASE} + echo mips-nec-sysv"$UNAME_RELEASE" else - echo mips-unknown-sysv${UNAME_RELEASE} + echo mips-unknown-sysv"$UNAME_RELEASE" fi exit ;; BeBox:BeOS:*:*) # BeOS running on hardware made by Be, PPC only. @@ -1262,49 +1266,56 @@ EOF echo x86_64-unknown-haiku exit ;; SX-4:SUPER-UX:*:*) - echo sx4-nec-superux${UNAME_RELEASE} + echo sx4-nec-superux"$UNAME_RELEASE" exit ;; SX-5:SUPER-UX:*:*) - echo sx5-nec-superux${UNAME_RELEASE} + echo sx5-nec-superux"$UNAME_RELEASE" exit ;; SX-6:SUPER-UX:*:*) - echo sx6-nec-superux${UNAME_RELEASE} + echo sx6-nec-superux"$UNAME_RELEASE" exit ;; SX-7:SUPER-UX:*:*) - echo sx7-nec-superux${UNAME_RELEASE} + echo sx7-nec-superux"$UNAME_RELEASE" exit ;; SX-8:SUPER-UX:*:*) - echo sx8-nec-superux${UNAME_RELEASE} + echo sx8-nec-superux"$UNAME_RELEASE" exit ;; SX-8R:SUPER-UX:*:*) - echo sx8r-nec-superux${UNAME_RELEASE} + echo sx8r-nec-superux"$UNAME_RELEASE" exit ;; SX-ACE:SUPER-UX:*:*) - echo sxace-nec-superux${UNAME_RELEASE} + echo sxace-nec-superux"$UNAME_RELEASE" exit ;; Power*:Rhapsody:*:*) - echo powerpc-apple-rhapsody${UNAME_RELEASE} + echo powerpc-apple-rhapsody"$UNAME_RELEASE" exit ;; *:Rhapsody:*:*) - echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE} + echo "$UNAME_MACHINE"-apple-rhapsody"$UNAME_RELEASE" exit ;; *:Darwin:*:*) UNAME_PROCESSOR=`uname -p` || UNAME_PROCESSOR=unknown - eval $set_cc_for_build + set_cc_for_build if test "$UNAME_PROCESSOR" = unknown ; then UNAME_PROCESSOR=powerpc fi - if test `echo "$UNAME_RELEASE" | sed -e 's/\..*//'` -le 10 ; then + if test "`echo "$UNAME_RELEASE" | sed -e 's/\..*//'`" -le 10 ; then if [ "$CC_FOR_BUILD" != no_compiler_found ]; then if (echo '#ifdef __LP64__'; echo IS_64BIT_ARCH; echo '#endif') | \ - (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ - grep IS_64BIT_ARCH >/dev/null + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_64BIT_ARCH >/dev/null then case $UNAME_PROCESSOR in i386) UNAME_PROCESSOR=x86_64 ;; powerpc) UNAME_PROCESSOR=powerpc64 ;; esac fi + # On 10.4-10.6 one might compile for PowerPC via gcc -arch ppc + if (echo '#ifdef __POWERPC__'; echo IS_PPC; echo '#endif') | \ + (CCOPTS="" $CC_FOR_BUILD -E - 2>/dev/null) | \ + grep IS_PPC >/dev/null + then + UNAME_PROCESSOR=powerpc + fi fi elif test "$UNAME_PROCESSOR" = i386 ; then # Avoid executing cc on OS X 10.9, as it ships with a stub @@ -1315,7 +1326,7 @@ EOF # that Apple uses in portable devices. UNAME_PROCESSOR=x86_64 fi - echo ${UNAME_PROCESSOR}-apple-darwin${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-apple-darwin"$UNAME_RELEASE" exit ;; *:procnto*:*:* | *:QNX:[0123456789]*:*) UNAME_PROCESSOR=`uname -p` @@ -1323,19 +1334,25 @@ EOF UNAME_PROCESSOR=i386 UNAME_MACHINE=pc fi - echo ${UNAME_PROCESSOR}-${UNAME_MACHINE}-nto-qnx${UNAME_RELEASE} + echo "$UNAME_PROCESSOR"-"$UNAME_MACHINE"-nto-qnx"$UNAME_RELEASE" exit ;; *:QNX:*:4*) echo i386-pc-qnx exit ;; - NEO-?:NONSTOP_KERNEL:*:*) - echo neo-tandem-nsk${UNAME_RELEASE} + NEO-*:NONSTOP_KERNEL:*:*) + echo neo-tandem-nsk"$UNAME_RELEASE" exit ;; NSE-*:NONSTOP_KERNEL:*:*) - echo nse-tandem-nsk${UNAME_RELEASE} + echo nse-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSR-*:NONSTOP_KERNEL:*:*) + echo nsr-tandem-nsk"$UNAME_RELEASE" exit ;; - NSR-?:NONSTOP_KERNEL:*:*) - echo nsr-tandem-nsk${UNAME_RELEASE} + NSV-*:NONSTOP_KERNEL:*:*) + echo nsv-tandem-nsk"$UNAME_RELEASE" + exit ;; + NSX-*:NONSTOP_KERNEL:*:*) + echo nsx-tandem-nsk"$UNAME_RELEASE" exit ;; *:NonStop-UX:*:*) echo mips-compaq-nonstopux @@ -1344,18 +1361,19 @@ EOF echo bs2000-siemens-sysv exit ;; DS/*:UNIX_System_V:*:*) - echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE} + echo "$UNAME_MACHINE"-"$UNAME_SYSTEM"-"$UNAME_RELEASE" exit ;; *:Plan9:*:*) # "uname -m" is not consistent, so use $cputype instead. 386 # is converted to i386 for consistency with other x86 # operating systems. + # shellcheck disable=SC2154 if test "$cputype" = 386; then UNAME_MACHINE=i386 else UNAME_MACHINE="$cputype" fi - echo ${UNAME_MACHINE}-unknown-plan9 + echo "$UNAME_MACHINE"-unknown-plan9 exit ;; *:TOPS-10:*:*) echo pdp10-unknown-tops10 @@ -1376,14 +1394,14 @@ EOF echo pdp10-unknown-its exit ;; SEI:*:*:SEIUX) - echo mips-sei-seiux${UNAME_RELEASE} + echo mips-sei-seiux"$UNAME_RELEASE" exit ;; *:DragonFly:*:*) - echo ${UNAME_MACHINE}-unknown-dragonfly`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'` + echo "$UNAME_MACHINE"-unknown-dragonfly"`echo "$UNAME_RELEASE"|sed -e 's/[-(].*//'`" exit ;; *:*VMS:*:*) UNAME_MACHINE=`(uname -p) 2>/dev/null` - case "${UNAME_MACHINE}" in + case "$UNAME_MACHINE" in A*) echo alpha-dec-vms ; exit ;; I*) echo ia64-dec-vms ; exit ;; V*) echo vax-dec-vms ; exit ;; @@ -1392,32 +1410,44 @@ EOF echo i386-pc-xenix exit ;; i*86:skyos:*:*) - echo ${UNAME_MACHINE}-pc-skyos`echo ${UNAME_RELEASE} | sed -e 's/ .*$//'` + echo "$UNAME_MACHINE"-pc-skyos"`echo "$UNAME_RELEASE" | sed -e 's/ .*$//'`" exit ;; i*86:rdos:*:*) - echo ${UNAME_MACHINE}-pc-rdos + echo "$UNAME_MACHINE"-pc-rdos exit ;; i*86:AROS:*:*) - echo ${UNAME_MACHINE}-pc-aros + echo "$UNAME_MACHINE"-pc-aros exit ;; x86_64:VMkernel:*:*) - echo ${UNAME_MACHINE}-unknown-esx + echo "$UNAME_MACHINE"-unknown-esx exit ;; amd64:Isilon\ OneFS:*:*) echo x86_64-unknown-onefs exit ;; esac +echo "$0: unable to guess system type" >&2 + +case "$UNAME_MACHINE:$UNAME_SYSTEM" in + mips:Linux | mips64:Linux) + # If we got here on MIPS GNU/Linux, output extra information. + cat >&2 <&2 </dev/null` /usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null` /usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null` -UNAME_MACHINE = ${UNAME_MACHINE} -UNAME_RELEASE = ${UNAME_RELEASE} -UNAME_SYSTEM = ${UNAME_SYSTEM} -UNAME_VERSION = ${UNAME_VERSION} +UNAME_MACHINE = "$UNAME_MACHINE" +UNAME_RELEASE = "$UNAME_RELEASE" +UNAME_SYSTEM = "$UNAME_SYSTEM" +UNAME_VERSION = "$UNAME_VERSION" EOF exit 1 # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff --git a/src/config/config.sub b/src/config/config.sub index a1f8229..f208558 100755 --- a/src/config/config.sub +++ b/src/config/config.sub @@ -1,8 +1,8 @@ #! /bin/sh # Configuration validation subroutine script. -# Copyright 1992-2016 Free Software Foundation, Inc. +# Copyright 1992-2018 Free Software Foundation, Inc. -timestamp='2016-08-25' +timestamp='2018-08-29' # This file is free software; you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by @@ -15,7 +15,7 @@ timestamp='2016-08-25' # General Public License for more details. # # You should have received a copy of the GNU General Public License -# along with this program; if not, see . +# along with this program; if not, see . # # As a special exception to the GNU General Public License, if you # distribute this file as part of a program that contains a @@ -33,7 +33,7 @@ timestamp='2016-08-25' # Otherwise, we print the canonical config type on stdout and succeed. # You can get the latest version of this script from: -# http://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub +# https://git.savannah.gnu.org/gitweb/?p=config.git;a=blob_plain;f=config.sub # This file is supposed to be the same for all GNU packages # and recognize all the CPU types, system types and aliases @@ -57,7 +57,7 @@ Usage: $0 [OPTION] CPU-MFR-OPSYS or ALIAS Canonicalize a configuration name. -Operation modes: +Options: -h, --help print this help, then exit -t, --time-stamp print date of last modification, then exit -v, --version print version number, then exit @@ -67,7 +67,7 @@ Report bugs and patches to ." version="\ GNU config.sub ($timestamp) -Copyright 1992-2016 Free Software Foundation, Inc. +Copyright 1992-2018 Free Software Foundation, Inc. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." @@ -89,12 +89,12 @@ while test $# -gt 0 ; do - ) # Use stdin as input. break ;; -* ) - echo "$me: invalid option $1$help" + echo "$me: invalid option $1$help" >&2 exit 1 ;; *local*) # First pass through any local machine types. - echo $1 + echo "$1" exit ;; * ) @@ -110,1242 +110,1159 @@ case $# in exit 1;; esac -# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any). -# Here we must recognize all the valid KERNEL-OS combinations. -maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'` -case $maybe_os in - nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc | linux-newlib* | \ - linux-musl* | linux-uclibc* | uclinux-uclibc* | uclinux-gnu* | kfreebsd*-gnu* | \ - knetbsd*-gnu* | netbsd*-gnu* | netbsd*-eabi* | \ - kopensolaris*-gnu* | \ - storm-chaos* | os2-emx* | rtmk-nova*) - os=-$maybe_os - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'` - ;; - android-linux) - os=-linux-android - basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`-unknown - ;; - *) - basic_machine=`echo $1 | sed 's/-[^-]*$//'` - if [ $basic_machine != $1 ] - then os=`echo $1 | sed 's/.*-/-/'` - else os=; fi - ;; -esac +# Split fields of configuration type +IFS="-" read -r field1 field2 field3 field4 <&2 + exit 1 ;; - -ptx*) - basic_machine=`echo $1 | sed -e 's/86-.*/86-sequent/'` + *-*-*-*) + basic_machine=$field1-$field2 + os=$field3-$field4 ;; - -windowsnt*) - os=`echo $os | sed -e 's/windowsnt/winnt/'` + *-*-*) + # Ambiguous whether COMPANY is present, or skipped and KERNEL-OS is two + # parts + maybe_os=$field2-$field3 + case $maybe_os in + nto-qnx* | linux-gnu* | linux-android* | linux-dietlibc \ + | linux-newlib* | linux-musl* | linux-uclibc* | uclinux-uclibc* \ + | uclinux-gnu* | kfreebsd*-gnu* | knetbsd*-gnu* | netbsd*-gnu* \ + | netbsd*-eabi* | kopensolaris*-gnu* | cloudabi*-eabi* \ + | storm-chaos* | os2-emx* | rtmk-nova*) + basic_machine=$field1 + os=$maybe_os + ;; + android-linux) + basic_machine=$field1-unknown + os=linux-android + ;; + *) + basic_machine=$field1-$field2 + os=$field3 + ;; + esac ;; - -psos*) - os=-psos + *-*) + # A lone config we happen to match not fitting any pattern + case $field1-$field2 in + decstation-3100) + basic_machine=mips-dec + os= + ;; + *-*) + # Second component is usually, but not always the OS + case $field2 in + # Prevent following clause from handling this valid os + sun*os*) + basic_machine=$field1 + os=$field2 + ;; + # Manufacturers + dec* | mips* | sequent* | encore* | pc533* | sgi* | sony* \ + | att* | 7300* | 3300* | delta* | motorola* | sun[234]* \ + | unicom* | ibm* | next | hp | isi* | apollo | altos* \ + | convergent* | ncr* | news | 32* | 3600* | 3100* \ + | hitachi* | c[123]* | convex* | sun | crds | omron* | dg \ + | ultra | tti* | harris | dolphin | highlevel | gould \ + | cbm | ns | masscomp | apple | axis | knuth | cray \ + | microblaze* | sim | cisco \ + | oki | wec | wrs | winbond) + basic_machine=$field1-$field2 + os= + ;; + *) + basic_machine=$field1 + os=$field2 + ;; + esac + ;; + esac ;; - -mint | -mint[0-9]*) - basic_machine=m68k-atari - os=-mint + *) + # Convert single-component short-hands not valid as part of + # multi-component configurations. + case $field1 in + 386bsd) + basic_machine=i386-pc + os=bsd + ;; + a29khif) + basic_machine=a29k-amd + os=udi + ;; + adobe68k) + basic_machine=m68010-adobe + os=scout + ;; + alliant) + basic_machine=fx80-alliant + os= + ;; + altos | altos3068) + basic_machine=m68k-altos + os= + ;; + am29k) + basic_machine=a29k-none + os=bsd + ;; + amdahl) + basic_machine=580-amdahl + os=sysv + ;; + amiga) + basic_machine=m68k-unknown + os= + ;; + amigaos | amigados) + basic_machine=m68k-unknown + os=amigaos + ;; + amigaunix | amix) + basic_machine=m68k-unknown + os=sysv4 + ;; + apollo68) + basic_machine=m68k-apollo + os=sysv + ;; + apollo68bsd) + basic_machine=m68k-apollo + os=bsd + ;; + aros) + basic_machine=i386-pc + os=aros + ;; + aux) + basic_machine=m68k-apple + os=aux + ;; + balance) + basic_machine=ns32k-sequent + os=dynix + ;; + blackfin) + basic_machine=bfin-unknown + os=linux + ;; + cegcc) + basic_machine=arm-unknown + os=cegcc + ;; + convex-c1) + basic_machine=c1-convex + os=bsd + ;; + convex-c2) + basic_machine=c2-convex + os=bsd + ;; + convex-c32) + basic_machine=c32-convex + os=bsd + ;; + convex-c34) + basic_machine=c34-convex + os=bsd + ;; + convex-c38) + basic_machine=c38-convex + os=bsd + ;; + cray) + basic_machine=j90-cray + os=unicos + ;; + crds | unos) + basic_machine=m68k-crds + os= + ;; + da30) + basic_machine=m68k-da30 + os= + ;; + decstation | pmax | pmin | dec3100 | decstatn) + basic_machine=mips-dec + os= + ;; + delta88) + basic_machine=m88k-motorola + os=sysv3 + ;; + dicos) + basic_machine=i686-pc + os=dicos + ;; + djgpp) + basic_machine=i586-pc + os=msdosdjgpp + ;; + ebmon29k) + basic_machine=a29k-amd + os=ebmon + ;; + es1800 | OSE68k | ose68k | ose | OSE) + basic_machine=m68k-ericsson + os=ose + ;; + gmicro) + basic_machine=tron-gmicro + os=sysv + ;; + go32) + basic_machine=i386-pc + os=go32 + ;; + h8300hms) + basic_machine=h8300-hitachi + os=hms + ;; + h8300xray) + basic_machine=h8300-hitachi + os=xray + ;; + h8500hms) + basic_machine=h8500-hitachi + os=hms + ;; + harris) + basic_machine=m88k-harris + os=sysv3 + ;; + hp300) + basic_machine=m68k-hp + ;; + hp300bsd) + basic_machine=m68k-hp + os=bsd + ;; + hp300hpux) + basic_machine=m68k-hp + os=hpux + ;; + hppaosf) + basic_machine=hppa1.1-hp + os=osf + ;; + hppro) + basic_machine=hppa1.1-hp + os=proelf + ;; + i386mach) + basic_machine=i386-mach + os=mach + ;; + vsta) + basic_machine=i386-pc + os=vsta + ;; + isi68 | isi) + basic_machine=m68k-isi + os=sysv + ;; + m68knommu) + basic_machine=m68k-unknown + os=linux + ;; + magnum | m3230) + basic_machine=mips-mips + os=sysv + ;; + merlin) + basic_machine=ns32k-utek + os=sysv + ;; + mingw64) + basic_machine=x86_64-pc + os=mingw64 + ;; + mingw32) + basic_machine=i686-pc + os=mingw32 + ;; + mingw32ce) + basic_machine=arm-unknown + os=mingw32ce + ;; + monitor) + basic_machine=m68k-rom68k + os=coff + ;; + morphos) + basic_machine=powerpc-unknown + os=morphos + ;; + moxiebox) + basic_machine=moxie-unknown + os=moxiebox + ;; + msdos) + basic_machine=i386-pc + os=msdos + ;; + msys) + basic_machine=i686-pc + os=msys + ;; + mvs) + basic_machine=i370-ibm + os=mvs + ;; + nacl) + basic_machine=le32-unknown + os=nacl + ;; + ncr3000) + basic_machine=i486-ncr + os=sysv4 + ;; + netbsd386) + basic_machine=i386-pc + os=netbsd + ;; + netwinder) + basic_machine=armv4l-rebel + os=linux + ;; + news | news700 | news800 | news900) + basic_machine=m68k-sony + os=newsos + ;; + news1000) + basic_machine=m68030-sony + os=newsos + ;; + necv70) + basic_machine=v70-nec + os=sysv + ;; + nh3000) + basic_machine=m68k-harris + os=cxux + ;; + nh[45]000) + basic_machine=m88k-harris + os=cxux + ;; + nindy960) + basic_machine=i960-intel + os=nindy + ;; + mon960) + basic_machine=i960-intel + os=mon960 + ;; + nonstopux) + basic_machine=mips-compaq + os=nonstopux + ;; + os400) + basic_machine=powerpc-ibm + os=os400 + ;; + OSE68000 | ose68000) + basic_machine=m68000-ericsson + os=ose + ;; + os68k) + basic_machine=m68k-none + os=os68k + ;; + paragon) + basic_machine=i860-intel + os=osf + ;; + parisc) + basic_machine=hppa-unknown + os=linux + ;; + pw32) + basic_machine=i586-unknown + os=pw32 + ;; + rdos | rdos64) + basic_machine=x86_64-pc + os=rdos + ;; + rdos32) + basic_machine=i386-pc + os=rdos + ;; + rom68k) + basic_machine=m68k-rom68k + os=coff + ;; + sa29200) + basic_machine=a29k-amd + os=udi + ;; + sei) + basic_machine=mips-sei + os=seiux + ;; + sequent) + basic_machine=i386-sequent + os= + ;; + sps7) + basic_machine=m68k-bull + os=sysv2 + ;; + st2000) + basic_machine=m68k-tandem + os= + ;; + stratus) + basic_machine=i860-stratus + os=sysv4 + ;; + sun2) + basic_machine=m68000-sun + os= + ;; + sun2os3) + basic_machine=m68000-sun + os=sunos3 + ;; + sun2os4) + basic_machine=m68000-sun + os=sunos4 + ;; + sun3) + basic_machine=m68k-sun + os= + ;; + sun3os3) + basic_machine=m68k-sun + os=sunos3 + ;; + sun3os4) + basic_machine=m68k-sun + os=sunos4 + ;; + sun4) + basic_machine=sparc-sun + os= + ;; + sun4os3) + basic_machine=sparc-sun + os=sunos3 + ;; + sun4os4) + basic_machine=sparc-sun + os=sunos4 + ;; + sun4sol2) + basic_machine=sparc-sun + os=solaris2 + ;; + sun386 | sun386i | roadrunner) + basic_machine=i386-sun + os= + ;; + sv1) + basic_machine=sv1-cray + os=unicos + ;; + symmetry) + basic_machine=i386-sequent + os=dynix + ;; + t3e) + basic_machine=alphaev5-cray + os=unicos + ;; + t90) + basic_machine=t90-cray + os=unicos + ;; + toad1) + basic_machine=pdp10-xkl + os=tops20 + ;; + tpf) + basic_machine=s390x-ibm + os=tpf + ;; + udi29k) + basic_machine=a29k-amd + os=udi + ;; + ultra3) + basic_machine=a29k-nyu + os=sym1 + ;; + v810 | necv810) + basic_machine=v810-nec + os=none + ;; + vaxv) + basic_machine=vax-dec + os=sysv + ;; + vms) + basic_machine=vax-dec + os=vms + ;; + vxworks960) + basic_machine=i960-wrs + os=vxworks + ;; + vxworks68) + basic_machine=m68k-wrs + os=vxworks + ;; + vxworks29k) + basic_machine=a29k-wrs + os=vxworks + ;; + xbox) + basic_machine=i686-pc + os=mingw32 + ;; + ymp) + basic_machine=ymp-cray + os=unicos + ;; + *) + basic_machine=$1 + os= + ;; + esac ;; esac -# Decode aliases for certain CPU-COMPANY combinations. +# Decode 1-component or ad-hoc basic machines case $basic_machine in - # Recognize the basic CPU types without company name. - # Some are omitted here because they have special meanings below. - 1750a | 580 \ - | a29k \ - | aarch64 | aarch64_be \ - | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] | alphapca5[67] \ - | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] | alpha64pca5[67] \ - | am33_2.0 \ - | arc | arceb \ - | arm | arm[bl]e | arme[lb] | armv[2-8] | armv[3-8][lb] | armv7[arm] \ - | avr | avr32 \ - | ba \ - | be32 | be64 \ - | bfin \ - | c4x | c8051 | clipper \ - | d10v | d30v | dlx | dsp16xx \ - | e2k | epiphany \ - | fido | fr30 | frv | ft32 \ - | h8300 | h8500 | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ - | hexagon \ - | i370 | i860 | i960 | ia64 \ - | ip2k | iq2000 \ - | k1om \ - | le32 | le64 \ - | lm32 \ - | m32c | m32r | m32rle | m68000 | m68k | m88k \ - | maxq | mb | microblaze | microblazeel | mcore | mep | metag \ - | mips | mipsbe | mipseb | mipsel | mipsle \ - | mips16 \ - | mips64 | mips64el \ - | mips64octeon | mips64octeonel \ - | mips64orion | mips64orionel \ - | mips64r5900 | mips64r5900el \ - | mips64vr | mips64vrel \ - | mips64vr4100 | mips64vr4100el \ - | mips64vr4300 | mips64vr4300el \ - | mips64vr5000 | mips64vr5000el \ - | mips64vr5900 | mips64vr5900el \ - | mipsisa32 | mipsisa32el \ - | mipsisa32r2 | mipsisa32r2el \ - | mipsisa32r6 | mipsisa32r6el \ - | mipsisa64 | mipsisa64el \ - | mipsisa64r2 | mipsisa64r2el \ - | mipsisa64r6 | mipsisa64r6el \ - | mipsisa64sb1 | mipsisa64sb1el \ - | mipsisa64sr71k | mipsisa64sr71kel \ - | mipsr5900 | mipsr5900el \ - | mipstx39 | mipstx39el \ - | mn10200 | mn10300 \ - | moxie \ - | mt \ - | msp430 \ - | nds32 | nds32le | nds32be \ - | nios | nios2 | nios2eb | nios2el \ - | ns16k | ns32k \ - | open8 | or1k | or1knd | or32 \ - | pdp10 | pdp11 | pj | pjl \ - | powerpc | powerpc64 | powerpc64le | powerpcle \ - | pyramid \ - | riscv32 | riscv64 \ - | rl78 | rx \ - | score \ - | sh | sh[1234] | sh[24]a | sh[24]aeb | sh[23]e | sh[234]eb | sheb | shbe | shle | sh[1234]le | sh3ele \ - | sh64 | sh64le \ - | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet | sparclite \ - | sparcv8 | sparcv9 | sparcv9b | sparcv9v \ - | spu \ - | tahoe | tic4x | tic54x | tic55x | tic6x | tic80 | tron \ - | ubicom32 \ - | v850 | v850e | v850e1 | v850e2 | v850es | v850e2v3 \ - | visium \ - | we32k \ - | x86 | xc16x | xstormy16 | xtensa \ - | z8k | z80) - basic_machine=$basic_machine-unknown - ;; - c54x) - basic_machine=tic54x-unknown - ;; - c55x) - basic_machine=tic55x-unknown - ;; - c6x) - basic_machine=tic6x-unknown - ;; - leon|leon[3-9]) - basic_machine=sparc-$basic_machine - ;; - m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip) - basic_machine=$basic_machine-unknown - os=-none + # Here we handle the default manufacturer of certain CPU types. It is in + # some cases the only manufacturer, in others, it is the most popular. + w89k) + cpu=hppa1.1 + vendor=winbond ;; - m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | v70 | w65 | z8k) + op50n) + cpu=hppa1.1 + vendor=oki ;; - ms1) - basic_machine=mt-unknown + op60c) + cpu=hppa1.1 + vendor=oki ;; - - strongarm | thumb | xscale) - basic_machine=arm-unknown + ibm*) + cpu=i370 + vendor=ibm ;; - xgate) - basic_machine=$basic_machine-unknown - os=-none + orion105) + cpu=clipper + vendor=highlevel ;; - xscaleeb) - basic_machine=armeb-unknown + mac | mpw | mac-mpw) + cpu=m68k + vendor=apple ;; - - xscaleel) - basic_machine=armel-unknown + pmac | pmac-mpw) + cpu=powerpc + vendor=apple ;; - # We use `pc' rather than `unknown' - # because (1) that's what they normally are, and - # (2) the word "unknown" tends to confuse beginning users. - i*86 | x86_64) - basic_machine=$basic_machine-pc - ;; - # Object if more than one company name word. - *-*-*) - echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2 - exit 1 - ;; - # Recognize the basic CPU types with company name. - 580-* \ - | a29k-* \ - | aarch64-* | aarch64_be-* \ - | alpha-* | alphaev[4-8]-* | alphaev56-* | alphaev6[78]-* \ - | alpha64-* | alpha64ev[4-8]-* | alpha64ev56-* | alpha64ev6[78]-* \ - | alphapca5[67]-* | alpha64pca5[67]-* | arc-* | arceb-* \ - | arm-* | armbe-* | armle-* | armeb-* | armv*-* \ - | avr-* | avr32-* \ - | ba-* \ - | be32-* | be64-* \ - | bfin-* | bs2000-* \ - | c[123]* | c30-* | [cjt]90-* | c4x-* \ - | c8051-* | clipper-* | craynv-* | cydra-* \ - | d10v-* | d30v-* | dlx-* \ - | e2k-* | elxsi-* \ - | f30[01]-* | f700-* | fido-* | fr30-* | frv-* | fx80-* \ - | h8300-* | h8500-* \ - | hppa-* | hppa1.[01]-* | hppa2.0-* | hppa2.0[nw]-* | hppa64-* \ - | hexagon-* \ - | i*86-* | i860-* | i960-* | ia64-* \ - | ip2k-* | iq2000-* \ - | k1om-* \ - | le32-* | le64-* \ - | lm32-* \ - | m32c-* | m32r-* | m32rle-* \ - | m68000-* | m680[012346]0-* | m68360-* | m683?2-* | m68k-* \ - | m88110-* | m88k-* | maxq-* | mcore-* | metag-* \ - | microblaze-* | microblazeel-* \ - | mips-* | mipsbe-* | mipseb-* | mipsel-* | mipsle-* \ - | mips16-* \ - | mips64-* | mips64el-* \ - | mips64octeon-* | mips64octeonel-* \ - | mips64orion-* | mips64orionel-* \ - | mips64r5900-* | mips64r5900el-* \ - | mips64vr-* | mips64vrel-* \ - | mips64vr4100-* | mips64vr4100el-* \ - | mips64vr4300-* | mips64vr4300el-* \ - | mips64vr5000-* | mips64vr5000el-* \ - | mips64vr5900-* | mips64vr5900el-* \ - | mipsisa32-* | mipsisa32el-* \ - | mipsisa32r2-* | mipsisa32r2el-* \ - | mipsisa32r6-* | mipsisa32r6el-* \ - | mipsisa64-* | mipsisa64el-* \ - | mipsisa64r2-* | mipsisa64r2el-* \ - | mipsisa64r6-* | mipsisa64r6el-* \ - | mipsisa64sb1-* | mipsisa64sb1el-* \ - | mipsisa64sr71k-* | mipsisa64sr71kel-* \ - | mipsr5900-* | mipsr5900el-* \ - | mipstx39-* | mipstx39el-* \ - | mmix-* \ - | mt-* \ - | msp430-* \ - | nds32-* | nds32le-* | nds32be-* \ - | nios-* | nios2-* | nios2eb-* | nios2el-* \ - | none-* | np1-* | ns16k-* | ns32k-* \ - | open8-* \ - | or1k*-* \ - | orion-* \ - | pdp10-* | pdp11-* | pj-* | pjl-* | pn-* | power-* \ - | powerpc-* | powerpc64-* | powerpc64le-* | powerpcle-* \ - | pyramid-* \ - | riscv32-* | riscv64-* \ - | rl78-* | romp-* | rs6000-* | rx-* \ - | sh-* | sh[1234]-* | sh[24]a-* | sh[24]aeb-* | sh[23]e-* | sh[34]eb-* | sheb-* | shbe-* \ - | shle-* | sh[1234]le-* | sh3ele-* | sh64-* | sh64le-* \ - | sparc-* | sparc64-* | sparc64b-* | sparc64v-* | sparc86x-* | sparclet-* \ - | sparclite-* \ - | sparcv8-* | sparcv9-* | sparcv9b-* | sparcv9v-* | sv1-* | sx*-* \ - | tahoe-* \ - | tic30-* | tic4x-* | tic54x-* | tic55x-* | tic6x-* | tic80-* \ - | tile*-* \ - | tron-* \ - | ubicom32-* \ - | v850-* | v850e-* | v850e1-* | v850es-* | v850e2-* | v850e2v3-* \ - | vax-* \ - | visium-* \ - | we32k-* \ - | x86-* | x86_64-* | xc16x-* | xps100-* \ - | xstormy16-* | xtensa*-* \ - | ymp-* \ - | z8k-* | z80-*) - ;; - # Recognize the basic CPU types without company name, with glob match. - xtensa*) - basic_machine=$basic_machine-unknown - ;; # Recognize the various machine names and aliases which stand # for a CPU type and a company and sometimes even an OS. - 386bsd) - basic_machine=i386-unknown - os=-bsd - ;; 3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc) - basic_machine=m68000-att + cpu=m68000 + vendor=att ;; 3b*) - basic_machine=we32k-att - ;; - a29khif) - basic_machine=a29k-amd - os=-udi - ;; - abacus) - basic_machine=abacus-unknown - ;; - adobe68k) - basic_machine=m68010-adobe - os=-scout - ;; - alliant | fx80) - basic_machine=fx80-alliant - ;; - altos | altos3068) - basic_machine=m68k-altos - ;; - am29k) - basic_machine=a29k-none - os=-bsd - ;; - amd64) - basic_machine=x86_64-pc - ;; - amd64-*) - basic_machine=x86_64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - amdahl) - basic_machine=580-amdahl - os=-sysv - ;; - amiga | amiga-*) - basic_machine=m68k-unknown - ;; - amigaos | amigados) - basic_machine=m68k-unknown - os=-amigaos - ;; - amigaunix | amix) - basic_machine=m68k-unknown - os=-sysv4 - ;; - apollo68) - basic_machine=m68k-apollo - os=-sysv - ;; - apollo68bsd) - basic_machine=m68k-apollo - os=-bsd - ;; - aros) - basic_machine=i386-pc - os=-aros - ;; - asmjs) - basic_machine=asmjs-unknown - ;; - aux) - basic_machine=m68k-apple - os=-aux - ;; - balance) - basic_machine=ns32k-sequent - os=-dynix - ;; - blackfin) - basic_machine=bfin-unknown - os=-linux - ;; - blackfin-*) - basic_machine=bfin-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=we32k + vendor=att ;; bluegene*) - basic_machine=powerpc-ibm - os=-cnk - ;; - c54x-*) - basic_machine=tic54x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c55x-*) - basic_machine=tic55x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c6x-*) - basic_machine=tic6x-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - c90) - basic_machine=c90-cray - os=-unicos - ;; - cegcc) - basic_machine=arm-unknown - os=-cegcc - ;; - convex-c1) - basic_machine=c1-convex - os=-bsd - ;; - convex-c2) - basic_machine=c2-convex - os=-bsd - ;; - convex-c32) - basic_machine=c32-convex - os=-bsd - ;; - convex-c34) - basic_machine=c34-convex - os=-bsd - ;; - convex-c38) - basic_machine=c38-convex - os=-bsd - ;; - cray | j90) - basic_machine=j90-cray - os=-unicos - ;; - craynv) - basic_machine=craynv-cray - os=-unicosmp - ;; - cr16 | cr16-*) - basic_machine=cr16-unknown - os=-elf - ;; - crds | unos) - basic_machine=m68k-crds - ;; - crisv32 | crisv32-* | etraxfs*) - basic_machine=crisv32-axis - ;; - cris | cris-* | etrax*) - basic_machine=cris-axis - ;; - crx) - basic_machine=crx-unknown - os=-elf - ;; - da30 | da30-*) - basic_machine=m68k-da30 - ;; - decstation | decstation-3100 | pmax | pmax-* | pmin | dec3100 | decstatn) - basic_machine=mips-dec + cpu=powerpc + vendor=ibm + os=cnk ;; decsystem10* | dec10*) - basic_machine=pdp10-dec - os=-tops10 + cpu=pdp10 + vendor=dec + os=tops10 ;; decsystem20* | dec20*) - basic_machine=pdp10-dec - os=-tops20 + cpu=pdp10 + vendor=dec + os=tops20 ;; delta | 3300 | motorola-3300 | motorola-delta \ | 3300-motorola | delta-motorola) - basic_machine=m68k-motorola - ;; - delta88) - basic_machine=m88k-motorola - os=-sysv3 - ;; - dicos) - basic_machine=i686-pc - os=-dicos - ;; - djgpp) - basic_machine=i586-pc - os=-msdosdjgpp - ;; - dpx20 | dpx20-*) - basic_machine=rs6000-bull - os=-bosx - ;; - dpx2* | dpx2*-bull) - basic_machine=m68k-bull - os=-sysv3 - ;; - e500v[12]) - basic_machine=powerpc-unknown - os=$os"spe" - ;; - e500v[12]-*) - basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - os=$os"spe" + cpu=m68k + vendor=motorola ;; - ebmon29k) - basic_machine=a29k-amd - os=-ebmon - ;; - elxsi) - basic_machine=elxsi-elxsi - os=-bsd + dpx2*) + cpu=m68k + vendor=bull + os=sysv3 ;; encore | umax | mmax) - basic_machine=ns32k-encore + cpu=ns32k + vendor=encore ;; - es1800 | OSE68k | ose68k | ose | OSE) - basic_machine=m68k-ericsson - os=-ose + elxsi) + cpu=elxsi + vendor=elxsi + os=${os:-bsd} ;; fx2800) - basic_machine=i860-alliant + cpu=i860 + vendor=alliant ;; genix) - basic_machine=ns32k-ns - ;; - gmicro) - basic_machine=tron-gmicro - os=-sysv - ;; - go32) - basic_machine=i386-pc - os=-go32 + cpu=ns32k + vendor=ns ;; h3050r* | hiux*) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - h8300hms) - basic_machine=h8300-hitachi - os=-hms - ;; - h8300xray) - basic_machine=h8300-hitachi - os=-xray - ;; - h8500hms) - basic_machine=h8500-hitachi - os=-hms - ;; - harris) - basic_machine=m88k-harris - os=-sysv3 - ;; - hp300-*) - basic_machine=m68k-hp - ;; - hp300bsd) - basic_machine=m68k-hp - os=-bsd - ;; - hp300hpux) - basic_machine=m68k-hp - os=-hpux + cpu=hppa1.1 + vendor=hitachi + os=hiuxwe2 ;; hp3k9[0-9][0-9] | hp9[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k2[0-9][0-9] | hp9k31[0-9]) - basic_machine=m68000-hp + cpu=m68000 + vendor=hp ;; hp9k3[2-9][0-9]) - basic_machine=m68k-hp + cpu=m68k + vendor=hp ;; hp9k6[0-9][0-9] | hp6[0-9][0-9]) - basic_machine=hppa1.0-hp + cpu=hppa1.0 + vendor=hp ;; hp9k7[0-79][0-9] | hp7[0-79][0-9]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k78[0-9] | hp78[0-9]) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893) # FIXME: really hppa2.0-hp - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][13679] | hp8[0-9][13679]) - basic_machine=hppa1.1-hp + cpu=hppa1.1 + vendor=hp ;; hp9k8[0-9][0-9] | hp8[0-9][0-9]) - basic_machine=hppa1.0-hp - ;; - hppa-next) - os=-nextstep3 - ;; - hppaosf) - basic_machine=hppa1.1-hp - os=-osf - ;; - hppro) - basic_machine=hppa1.1-hp - os=-proelf - ;; - i370-ibm* | ibm*) - basic_machine=i370-ibm + cpu=hppa1.0 + vendor=hp ;; i*86v32) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv32 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv32 ;; i*86v4*) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv4 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv4 ;; i*86v) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-sysv + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=sysv ;; i*86sol2) - basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'` - os=-solaris2 + cpu=`echo "$1" | sed -e 's/86.*/86/'` + vendor=pc + os=solaris2 ;; - i386mach) - basic_machine=i386-mach - os=-mach - ;; - i386-vsta | vsta) - basic_machine=i386-unknown - os=-vsta + j90 | j90-cray) + cpu=j90 + vendor=cray + os=${os:-unicos} ;; iris | iris4d) - basic_machine=mips-sgi + cpu=mips + vendor=sgi case $os in - -irix*) + irix*) ;; *) - os=-irix4 + os=irix4 ;; esac ;; - isi68 | isi) - basic_machine=m68k-isi - os=-sysv - ;; - leon-*|leon[3-9]-*) - basic_machine=sparc-`echo $basic_machine | sed 's/-.*//'` - ;; - m68knommu) - basic_machine=m68k-unknown - os=-linux - ;; - m68knommu-*) - basic_machine=m68k-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux - ;; - m88k-omron*) - basic_machine=m88k-omron - ;; - magnum | m3230) - basic_machine=mips-mips - os=-sysv - ;; - merlin) - basic_machine=ns32k-utek - os=-sysv - ;; - microblaze*) - basic_machine=microblaze-xilinx - ;; - mingw64) - basic_machine=x86_64-pc - os=-mingw64 - ;; - mingw32) - basic_machine=i686-pc - os=-mingw32 - ;; - mingw32ce) - basic_machine=arm-unknown - os=-mingw32ce - ;; miniframe) - basic_machine=m68000-convergent - ;; - *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*) - basic_machine=m68k-atari - os=-mint - ;; - mips3*-*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'` - ;; - mips3*) - basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown - ;; - monitor) - basic_machine=m68k-rom68k - os=-coff - ;; - morphos) - basic_machine=powerpc-unknown - os=-morphos - ;; - moxiebox) - basic_machine=moxie-unknown - os=-moxiebox - ;; - msdos) - basic_machine=i386-pc - os=-msdos - ;; - ms1-*) - basic_machine=`echo $basic_machine | sed -e 's/ms1-/mt-/'` - ;; - msys) - basic_machine=i686-pc - os=-msys - ;; - mvs) - basic_machine=i370-ibm - os=-mvs + cpu=m68000 + vendor=convergent ;; - nacl) - basic_machine=le32-unknown - os=-nacl - ;; - ncr3000) - basic_machine=i486-ncr - os=-sysv4 - ;; - netbsd386) - basic_machine=i386-unknown - os=-netbsd - ;; - netwinder) - basic_machine=armv4l-rebel - os=-linux - ;; - news | news700 | news800 | news900) - basic_machine=m68k-sony - os=-newsos - ;; - news1000) - basic_machine=m68030-sony - os=-newsos + *mint | mint[0-9]* | *MiNT | *MiNT[0-9]*) + cpu=m68k + vendor=atari + os=mint ;; news-3600 | risc-news) - basic_machine=mips-sony - os=-newsos - ;; - necv70) - basic_machine=v70-nec - os=-sysv + cpu=mips + vendor=sony + os=newsos ;; - next | m*-next ) - basic_machine=m68k-next + next | m*-next) + cpu=m68k + vendor=next case $os in - -nextstep* ) + nextstep* ) ;; - -ns2*) - os=-nextstep2 + ns2*) + os=nextstep2 ;; *) - os=-nextstep3 + os=nextstep3 ;; esac ;; - nh3000) - basic_machine=m68k-harris - os=-cxux - ;; - nh[45]000) - basic_machine=m88k-harris - os=-cxux - ;; - nindy960) - basic_machine=i960-intel - os=-nindy - ;; - mon960) - basic_machine=i960-intel - os=-mon960 - ;; - nonstopux) - basic_machine=mips-compaq - os=-nonstopux - ;; np1) - basic_machine=np1-gould - ;; - neo-tandem) - basic_machine=neo-tandem - ;; - nse-tandem) - basic_machine=nse-tandem - ;; - nsr-tandem) - basic_machine=nsr-tandem + cpu=np1 + vendor=gould ;; op50n-* | op60c-*) - basic_machine=hppa1.1-oki - os=-proelf - ;; - openrisc | openrisc-*) - basic_machine=or32-unknown - ;; - os400) - basic_machine=powerpc-ibm - os=-os400 - ;; - OSE68000 | ose68000) - basic_machine=m68000-ericsson - os=-ose - ;; - os68k) - basic_machine=m68k-none - os=-os68k + cpu=hppa1.1 + vendor=oki + os=proelf ;; pa-hitachi) - basic_machine=hppa1.1-hitachi - os=-hiuxwe2 - ;; - paragon) - basic_machine=i860-intel - os=-osf - ;; - parisc) - basic_machine=hppa-unknown - os=-linux - ;; - parisc-*) - basic_machine=hppa-`echo $basic_machine | sed 's/^[^-]*-//'` - os=-linux + cpu=hppa1.1 + vendor=hitachi + os=hiuxwe2 ;; pbd) - basic_machine=sparc-tti + cpu=sparc + vendor=tti ;; pbb) - basic_machine=m68k-tti - ;; - pc532 | pc532-*) - basic_machine=ns32k-pc532 + cpu=m68k + vendor=tti ;; - pc98) - basic_machine=i386-pc - ;; - pc98-*) - basic_machine=i386-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium | p5 | k5 | k6 | nexgen | viac3) - basic_machine=i586-pc - ;; - pentiumpro | p6 | 6x86 | athlon | athlon_*) - basic_machine=i686-pc - ;; - pentiumii | pentium2 | pentiumiii | pentium3) - basic_machine=i686-pc - ;; - pentium4) - basic_machine=i786-pc - ;; - pentium-* | p5-* | k5-* | k6-* | nexgen-* | viac3-*) - basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumpro-* | p6-* | 6x86-* | athlon-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentiumii-* | pentium2-* | pentiumiii-* | pentium3-*) - basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - pentium4-*) - basic_machine=i786-`echo $basic_machine | sed 's/^[^-]*-//'` + pc532) + cpu=ns32k + vendor=pc532 ;; pn) - basic_machine=pn-gould + cpu=pn + vendor=gould ;; - power) basic_machine=power-ibm - ;; - ppc | ppcbe) basic_machine=powerpc-unknown - ;; - ppc-* | ppcbe-*) - basic_machine=powerpc-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppcle | powerpclittle) - basic_machine=powerpcle-unknown - ;; - ppcle-* | powerpclittle-*) - basic_machine=powerpcle-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64) basic_machine=powerpc64-unknown - ;; - ppc64-*) basic_machine=powerpc64-`echo $basic_machine | sed 's/^[^-]*-//'` - ;; - ppc64le | powerpc64little) - basic_machine=powerpc64le-unknown - ;; - ppc64le-* | powerpc64little-*) - basic_machine=powerpc64le-`echo $basic_machine | sed 's/^[^-]*-//'` + power) + cpu=power + vendor=ibm ;; ps2) - basic_machine=i386-ibm - ;; - pw32) - basic_machine=i586-unknown - os=-pw32 - ;; - rdos | rdos64) - basic_machine=x86_64-pc - os=-rdos - ;; - rdos32) - basic_machine=i386-pc - os=-rdos - ;; - rom68k) - basic_machine=m68k-rom68k - os=-coff + cpu=i386 + vendor=ibm ;; rm[46]00) - basic_machine=mips-siemens + cpu=mips + vendor=siemens ;; rtpc | rtpc-*) - basic_machine=romp-ibm - ;; - s390 | s390-*) - basic_machine=s390-ibm - ;; - s390x | s390x-*) - basic_machine=s390x-ibm + cpu=romp + vendor=ibm ;; - sa29200) - basic_machine=a29k-amd - os=-udi + sde) + cpu=mipsisa32 + vendor=sde + os=${os:-elf} ;; - sb1) - basic_machine=mipsisa64sb1-unknown + simso-wrs) + cpu=sparclite + vendor=wrs + os=vxworks ;; - sb1el) - basic_machine=mipsisa64sb1el-unknown + tower | tower-32) + cpu=m68k + vendor=ncr ;; - sde) - basic_machine=mipsisa32-sde - os=-elf + vpp*|vx|vx-*) + cpu=f301 + vendor=fujitsu ;; - sei) - basic_machine=mips-sei - os=-seiux + w65) + cpu=w65 + vendor=wdc ;; - sequent) - basic_machine=i386-sequent + w89k-*) + cpu=hppa1.1 + vendor=winbond + os=proelf ;; - sh) - basic_machine=sh-hitachi - os=-hms + none) + cpu=none + vendor=none ;; - sh5el) - basic_machine=sh5le-unknown + leon|leon[3-9]) + cpu=sparc + vendor=$basic_machine ;; - sh64) - basic_machine=sh64-unknown + leon-*|leon[3-9]-*) + cpu=sparc + vendor=`echo "$basic_machine" | sed 's/-.*//'` ;; - sparclite-wrs | simso-wrs) - basic_machine=sparclite-wrs - os=-vxworks + + *-*) + IFS="-" read -r cpu vendor <&2 - exit 1 + # Recognize the canonical CPU types that are allowed with any + # company name. + case $cpu in + 1750a | 580 \ + | a29k \ + | aarch64 | aarch64_be \ + | abacus \ + | alpha | alphaev[4-8] | alphaev56 | alphaev6[78] \ + | alpha64 | alpha64ev[4-8] | alpha64ev56 | alpha64ev6[78] \ + | alphapca5[67] | alpha64pca5[67] \ + | am33_2.0 \ + | arc | arceb \ + | arm | arm[lb]e | arme[lb] | armv* \ + | avr | avr32 \ + | asmjs \ + | ba \ + | be32 | be64 \ + | bfin | bs2000 \ + | c[123]* | c30 | [cjt]90 | c4x \ + | c8051 | clipper | craynv | csky | cydra \ + | d10v | d30v | dlx | dsp16xx \ + | e2k | elxsi | epiphany \ + | f30[01] | f700 | fido | fr30 | frv | ft32 | fx80 \ + | h8300 | h8500 \ + | hppa | hppa1.[01] | hppa2.0 | hppa2.0[nw] | hppa64 \ + | hexagon \ + | i370 | i*86 | i860 | i960 | ia16 | ia64 \ + | ip2k | iq2000 \ + | k1om \ + | le32 | le64 \ + | lm32 \ + | m32c | m32r | m32rle \ + | m5200 | m68000 | m680[012346]0 | m68360 | m683?2 | m68k | v70 | w65 \ + | m6811 | m68hc11 | m6812 | m68hc12 | m68hcs12x | nvptx | picochip \ + | m88110 | m88k | maxq | mb | mcore | mep | metag \ + | microblaze | microblazeel \ + | mips | mipsbe | mipseb | mipsel | mipsle \ + | mips16 \ + | mips64 | mips64el \ + | mips64octeon | mips64octeonel \ + | mips64orion | mips64orionel \ + | mips64r5900 | mips64r5900el \ + | mips64vr | mips64vrel \ + | mips64vr4100 | mips64vr4100el \ + | mips64vr4300 | mips64vr4300el \ + | mips64vr5000 | mips64vr5000el \ + | mips64vr5900 | mips64vr5900el \ + | mipsisa32 | mipsisa32el \ + | mipsisa32r2 | mipsisa32r2el \ + | mipsisa32r6 | mipsisa32r6el \ + | mipsisa64 | mipsisa64el \ + | mipsisa64r2 | mipsisa64r2el \ + | mipsisa64r6 | mipsisa64r6el \ + | mipsisa64sb1 | mipsisa64sb1el \ + | mipsisa64sr71k | mipsisa64sr71kel \ + | mipsr5900 | mipsr5900el \ + | mipstx39 | mipstx39el \ + | mmix \ + | mn10200 | mn10300 \ + | moxie \ + | mt \ + | msp430 \ + | nds32 | nds32le | nds32be \ + | nfp \ + | nios | nios2 | nios2eb | nios2el \ + | none | np1 | ns16k | ns32k \ + | open8 \ + | or1k* \ + | or32 \ + | orion \ + | pdp10 | pdp11 | pj | pjl | pn | power \ + | powerpc | powerpc64 | powerpc64le | powerpcle | powerpcspe \ + | pru \ + | pyramid \ + | riscv | riscv32 | riscv64 \ + | rl78 | romp | rs6000 | rx \ + | score \ + | sh | sh[1234] | sh[24]a | sh[24]ae[lb] | sh[23]e | she[lb] | sh[lb]e \ + | sh[1234]e[lb] | sh[12345][lb]e | sh[23]ele | sh64 | sh64le \ + | sparc | sparc64 | sparc64b | sparc64v | sparc86x | sparclet \ + | sparclite \ + | sparcv8 | sparcv9 | sparcv9b | sparcv9v | sv1 | sx* \ + | spu \ + | tahoe \ + | tic30 | tic4x | tic54x | tic55x | tic6x | tic80 \ + | tron \ + | ubicom32 \ + | v850 | v850e | v850e1 | v850es | v850e2 | v850e2v3 \ + | vax \ + | visium \ + | wasm32 \ + | we32k \ + | x86 | x86_64 | xc16x | xgate | xps100 \ + | xstormy16 | xtensa* \ + | ymp \ + | z8k | z80) + ;; + + *) + echo Invalid configuration \`"$1"\': machine \`"$cpu-$vendor"\' not recognized 1>&2 + exit 1 + ;; + esac ;; esac # Here we canonicalize certain aliases for manufacturers. -case $basic_machine in - *-digital*) - basic_machine=`echo $basic_machine | sed 's/digital.*/dec/'` +case $vendor in + digital*) + vendor=dec ;; - *-commodore*) - basic_machine=`echo $basic_machine | sed 's/commodore.*/cbm/'` + commodore*) + vendor=cbm ;; *) ;; @@ -1353,200 +1270,246 @@ esac # Decode manufacturer-specific aliases for certain operating systems. -if [ x"$os" != x"" ] +if [ x$os != x ] then case $os in - # First match some system type aliases - # that might get confused with valid system types. - # -solaris* is a basic system type, with this one exception. - -auroraux) - os=-auroraux + # First match some system type aliases that might get confused + # with valid system types. + # solaris* is a basic system type, with this one exception. + auroraux) + os=auroraux ;; - -solaris1 | -solaris1.*) - os=`echo $os | sed -e 's|solaris1|sunos4|'` + bluegene*) + os=cnk ;; - -solaris) - os=-solaris2 + solaris1 | solaris1.*) + os=`echo $os | sed -e 's|solaris1|sunos4|'` ;; - -svr4*) - os=-sysv4 + solaris) + os=solaris2 ;; - -unixware*) - os=-sysv4.2uw + unixware*) + os=sysv4.2uw ;; - -gnu/linux*) + gnu/linux*) os=`echo $os | sed -e 's|gnu/linux|linux-gnu|'` ;; - # First accept the basic system types. + # es1800 is here to avoid being matched by es* (a different OS) + es1800*) + os=ose + ;; + # Some version numbers need modification + chorusos*) + os=chorusos + ;; + isc) + os=isc2.2 + ;; + sco6) + os=sco5v6 + ;; + sco5) + os=sco3.2v5 + ;; + sco4) + os=sco3.2v4 + ;; + sco3.2.[4-9]*) + os=`echo $os | sed -e 's/sco3.2./sco3.2v/'` + ;; + sco3.2v[4-9]* | sco5v6*) + # Don't forget version if it is 3.2v4 or newer. + ;; + scout) + # Don't match below + ;; + sco*) + os=sco3.2v2 + ;; + psos*) + os=psos + ;; + # Now accept the basic system types. # The portable systems comes first. - # Each alternative MUST END IN A *, to match a version number. - # -sysv* is not here because it comes later, after sysvr4. - -gnu* | -bsd* | -mach* | -minix* | -genix* | -ultrix* | -irix* \ - | -*vms* | -sco* | -esix* | -isc* | -aix* | -cnk* | -sunos | -sunos[34]*\ - | -hpux* | -unos* | -osf* | -luna* | -dgux* | -auroraux* | -solaris* \ - | -sym* | -kopensolaris* | -plan9* \ - | -amigaos* | -amigados* | -msdos* | -newsos* | -unicos* | -aof* \ - | -aos* | -aros* | -cloudabi* | -sortix* \ - | -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \ - | -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \ - | -hiux* | -386bsd* | -knetbsd* | -mirbsd* | -netbsd* \ - | -bitrig* | -openbsd* | -solidbsd* | -libertybsd* \ - | -ekkobsd* | -kfreebsd* | -freebsd* | -riscix* | -lynxos* \ - | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \ - | -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \ - | -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \ - | -chorusos* | -chorusrdb* | -cegcc* \ - | -cygwin* | -msys* | -pe* | -psos* | -moss* | -proelf* | -rtems* \ - | -midipix* | -mingw32* | -mingw64* | -linux-gnu* | -linux-android* \ - | -linux-newlib* | -linux-musl* | -linux-uclibc* \ - | -uxpv* | -beos* | -mpeix* | -udk* | -moxiebox* \ - | -interix* | -uwin* | -mks* | -rhapsody* | -darwin* | -opened* \ - | -openstep* | -oskit* | -conix* | -pw32* | -nonstopux* \ - | -storm-chaos* | -tops10* | -tenex* | -tops20* | -its* \ - | -os2* | -vos* | -palmos* | -uclinux* | -nucleus* \ - | -morphos* | -superux* | -rtmk* | -rtmk-nova* | -windiss* \ - | -powermax* | -dnix* | -nx6 | -nx7 | -sei* | -dragonfly* \ - | -skyos* | -haiku* | -rdos* | -toppers* | -drops* | -es* \ - | -onefs* | -tirtos* | -phoenix*) + # Each alternative MUST end in a * to match a version number. + # sysv* is not here because it comes later, after sysvr4. + gnu* | bsd* | mach* | minix* | genix* | ultrix* | irix* \ + | *vms* | esix* | aix* | cnk* | sunos | sunos[34]*\ + | hpux* | unos* | osf* | luna* | dgux* | auroraux* | solaris* \ + | sym* | kopensolaris* | plan9* \ + | amigaos* | amigados* | msdos* | newsos* | unicos* | aof* \ + | aos* | aros* | cloudabi* | sortix* \ + | nindy* | vxsim* | vxworks* | ebmon* | hms* | mvs* \ + | clix* | riscos* | uniplus* | iris* | isc* | rtu* | xenix* \ + | knetbsd* | mirbsd* | netbsd* \ + | bitrig* | openbsd* | solidbsd* | libertybsd* \ + | ekkobsd* | kfreebsd* | freebsd* | riscix* | lynxos* \ + | bosx* | nextstep* | cxux* | aout* | elf* | oabi* \ + | ptx* | coff* | ecoff* | winnt* | domain* | vsta* \ + | udi* | eabi* | lites* | ieee* | go32* | aux* | hcos* \ + | chorusrdb* | cegcc* | glidix* \ + | cygwin* | msys* | pe* | moss* | proelf* | rtems* \ + | midipix* | mingw32* | mingw64* | linux-gnu* | linux-android* \ + | linux-newlib* | linux-musl* | linux-uclibc* \ + | uxpv* | beos* | mpeix* | udk* | moxiebox* \ + | interix* | uwin* | mks* | rhapsody* | darwin* \ + | openstep* | oskit* | conix* | pw32* | nonstopux* \ + | storm-chaos* | tops10* | tenex* | tops20* | its* \ + | os2* | vos* | palmos* | uclinux* | nucleus* \ + | morphos* | superux* | rtmk* | windiss* \ + | powermax* | dnix* | nx6 | nx7 | sei* | dragonfly* \ + | skyos* | haiku* | rdos* | toppers* | drops* | es* \ + | onefs* | tirtos* | phoenix* | fuchsia* | redox* | bme* \ + | midnightbsd*) # Remember, each alternative MUST END IN *, to match a version number. ;; - -qnx*) - case $basic_machine in - x86-* | i*86-*) + qnx*) + case $cpu in + x86 | i*86) ;; *) - os=-nto$os + os=nto-$os ;; esac ;; - -nto-qnx*) + hiux*) + os=hiuxwe2 ;; - -nto*) - os=`echo $os | sed -e 's|nto|nto-qnx|'` + nto-qnx*) ;; - -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \ - | -windows* | -osx | -abug | -netware* | -os9* | -beos* | -haiku* \ - | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*) + nto*) + os=`echo $os | sed -e 's|nto|nto-qnx|'` ;; - -mac*) - os=`echo $os | sed -e 's|mac|macos|'` + sim | xray | os68k* | v88r* \ + | windows* | osx | abug | netware* | os9* \ + | macos* | mpw* | magic* | mmixware* | mon960* | lnews*) ;; - -linux-dietlibc) - os=-linux-dietlibc + linux-dietlibc) + os=linux-dietlibc ;; - -linux*) + linux*) os=`echo $os | sed -e 's|linux|linux-gnu|'` ;; - -sunos5*) - os=`echo $os | sed -e 's|sunos5|solaris2|'` + lynx*178) + os=lynxos178 ;; - -sunos6*) - os=`echo $os | sed -e 's|sunos6|solaris3|'` + lynx*5) + os=lynxos5 ;; - -opened*) - os=-openedition + lynx*) + os=lynxos ;; - -os400*) - os=-os400 + mac*) + os=`echo "$os" | sed -e 's|mac|macos|'` ;; - -wince*) - os=-wince + opened*) + os=openedition ;; - -osfrose*) - os=-osfrose + os400*) + os=os400 ;; - -osf*) - os=-osf + sunos5*) + os=`echo "$os" | sed -e 's|sunos5|solaris2|'` ;; - -utek*) - os=-bsd + sunos6*) + os=`echo "$os" | sed -e 's|sunos6|solaris3|'` ;; - -dynix*) - os=-bsd + wince*) + os=wince ;; - -acis*) - os=-aos + utek*) + os=bsd ;; - -atheos*) - os=-atheos + dynix*) + os=bsd ;; - -syllable*) - os=-syllable + acis*) + os=aos ;; - -386bsd) - os=-bsd + atheos*) + os=atheos ;; - -ctix* | -uts*) - os=-sysv + syllable*) + os=syllable ;; - -nova*) - os=-rtmk-nova + 386bsd) + os=bsd + ;; + ctix* | uts*) + os=sysv + ;; + nova*) + os=rtmk-nova ;; - -ns2 ) - os=-nextstep2 + ns2) + os=nextstep2 ;; - -nsk*) - os=-nsk + nsk*) + os=nsk ;; # Preserve the version number of sinix5. - -sinix5.*) + sinix5.*) os=`echo $os | sed -e 's|sinix|sysv|'` ;; - -sinix*) - os=-sysv4 + sinix*) + os=sysv4 ;; - -tpf*) - os=-tpf + tpf*) + os=tpf ;; - -triton*) - os=-sysv3 + triton*) + os=sysv3 ;; - -oss*) - os=-sysv3 + oss*) + os=sysv3 ;; - -svr4) - os=-sysv4 + svr4*) + os=sysv4 ;; - -svr3) - os=-sysv3 + svr3) + os=sysv3 ;; - -sysvr4) - os=-sysv4 + sysvr4) + os=sysv4 ;; - # This must come after -sysvr4. - -sysv*) + # This must come after sysvr4. + sysv*) ;; - -ose*) - os=-ose + ose*) + os=ose ;; - -es1800*) - os=-ose + *mint | mint[0-9]* | *MiNT | MiNT[0-9]*) + os=mint ;; - -xenix) - os=-xenix + zvmoe) + os=zvmoe ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) - os=-mint + dicos*) + os=dicos ;; - -aros*) - os=-aros - ;; - -zvmoe) - os=-zvmoe + pikeos*) + # Until real need of OS specific support for + # particular features comes up, bare metal + # configurations are quite functional. + case $cpu in + arm*) + os=eabi + ;; + *) + os=elf + ;; + esac ;; - -dicos*) - os=-dicos + nacl*) ;; - -nacl*) + ios) ;; - -ios) + none) ;; - -none) + *-eabi) ;; *) - # Get rid of the `-' at the beginning of $os. - os=`echo $os | sed 's/[^-]*-//'` - echo Invalid configuration \`$1\': system \`$os\' not recognized 1>&2 + echo Invalid configuration \`"$1"\': system \`"$os"\' not recognized 1>&2 exit 1 ;; esac @@ -1562,261 +1525,265 @@ else # will signal an error saying that MANUFACTURER isn't an operating # system, and we'll never get to this point. -case $basic_machine in +case $cpu-$vendor in score-*) - os=-elf + os=elf ;; spu-*) - os=-elf + os=elf ;; *-acorn) - os=-riscix1.2 + os=riscix1.2 ;; arm*-rebel) - os=-linux + os=linux ;; arm*-semi) - os=-aout + os=aout ;; c4x-* | tic4x-*) - os=-coff + os=coff ;; c8051-*) - os=-elf + os=elf + ;; + clipper-intergraph) + os=clix ;; hexagon-*) - os=-elf + os=elf ;; tic54x-*) - os=-coff + os=coff ;; tic55x-*) - os=-coff + os=coff ;; tic6x-*) - os=-coff + os=coff ;; # This must come before the *-dec entry. pdp10-*) - os=-tops20 + os=tops20 ;; pdp11-*) - os=-none + os=none ;; *-dec | vax-*) - os=-ultrix4.2 + os=ultrix4.2 ;; m68*-apollo) - os=-domain + os=domain ;; i386-sun) - os=-sunos4.0.2 + os=sunos4.0.2 ;; m68000-sun) - os=-sunos3 + os=sunos3 ;; m68*-cisco) - os=-aout + os=aout ;; mep-*) - os=-elf + os=elf ;; mips*-cisco) - os=-elf + os=elf ;; mips*-*) - os=-elf + os=elf ;; or32-*) - os=-coff + os=coff ;; *-tti) # must be before sparc entry or we get the wrong os. - os=-sysv3 + os=sysv3 ;; sparc-* | *-sun) - os=-sunos4.1.1 + os=sunos4.1.1 ;; - *-be) - os=-beos + pru-*) + os=elf ;; - *-haiku) - os=-haiku + *-be) + os=beos ;; *-ibm) - os=-aix + os=aix ;; *-knuth) - os=-mmixware + os=mmixware ;; *-wec) - os=-proelf + os=proelf ;; *-winbond) - os=-proelf + os=proelf ;; *-oki) - os=-proelf + os=proelf ;; *-hp) - os=-hpux + os=hpux ;; *-hitachi) - os=-hiux + os=hiux ;; i860-* | *-att | *-ncr | *-altos | *-motorola | *-convergent) - os=-sysv + os=sysv ;; *-cbm) - os=-amigaos + os=amigaos ;; *-dg) - os=-dgux + os=dgux ;; *-dolphin) - os=-sysv3 + os=sysv3 ;; m68k-ccur) - os=-rtu + os=rtu ;; m88k-omron*) - os=-luna + os=luna ;; - *-next ) - os=-nextstep + *-next) + os=nextstep ;; *-sequent) - os=-ptx + os=ptx ;; *-crds) - os=-unos + os=unos ;; *-ns) - os=-genix + os=genix ;; i370-*) - os=-mvs - ;; - *-next) - os=-nextstep3 + os=mvs ;; *-gould) - os=-sysv + os=sysv ;; *-highlevel) - os=-bsd + os=bsd ;; *-encore) - os=-bsd + os=bsd ;; *-sgi) - os=-irix + os=irix ;; *-siemens) - os=-sysv4 + os=sysv4 ;; *-masscomp) - os=-rtu + os=rtu ;; f30[01]-fujitsu | f700-fujitsu) - os=-uxpv + os=uxpv ;; *-rom68k) - os=-coff + os=coff ;; *-*bug) - os=-coff + os=coff ;; *-apple) - os=-macos + os=macos ;; *-atari*) - os=-mint + os=mint + ;; + *-wrs) + os=vxworks ;; *) - os=-none + os=none ;; esac fi # Here we handle the case where we know the os, and the CPU type, but not the # manufacturer. We pick the logical manufacturer. -vendor=unknown -case $basic_machine in - *-unknown) +case $vendor in + unknown) case $os in - -riscix*) + riscix*) vendor=acorn ;; - -sunos*) + sunos*) vendor=sun ;; - -cnk*|-aix*) + cnk*|-aix*) vendor=ibm ;; - -beos*) + beos*) vendor=be ;; - -hpux*) + hpux*) vendor=hp ;; - -mpeix*) + mpeix*) vendor=hp ;; - -hiux*) + hiux*) vendor=hitachi ;; - -unos*) + unos*) vendor=crds ;; - -dgux*) + dgux*) vendor=dg ;; - -luna*) + luna*) vendor=omron ;; - -genix*) + genix*) vendor=ns ;; - -mvs* | -opened*) + clix*) + vendor=intergraph + ;; + mvs* | opened*) vendor=ibm ;; - -os400*) + os400*) vendor=ibm ;; - -ptx*) + ptx*) vendor=sequent ;; - -tpf*) + tpf*) vendor=ibm ;; - -vxsim* | -vxworks* | -windiss*) + vxsim* | vxworks* | windiss*) vendor=wrs ;; - -aux*) + aux*) vendor=apple ;; - -hms*) + hms*) vendor=hitachi ;; - -mpw* | -macos*) + mpw* | macos*) vendor=apple ;; - -*mint | -mint[0-9]* | -*MiNT | -MiNT[0-9]*) + *mint | mint[0-9]* | *MiNT | MiNT[0-9]*) vendor=atari ;; - -vos*) + vos*) vendor=stratus ;; esac - basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"` ;; esac -echo $basic_machine$os +echo "$cpu-$vendor-$os" exit # Local variables: -# eval: (add-hook 'write-file-hooks 'time-stamp) +# eval: (add-hook 'before-save-hook 'time-stamp) # time-stamp-start: "timestamp='" # time-stamp-format: "%:y-%02m-%02d" # time-stamp-end: "'" diff --git a/src/config/pkg.m4 b/src/config/pkg.m4 new file mode 100644 index 0000000..13a8890 --- /dev/null +++ b/src/config/pkg.m4 @@ -0,0 +1,275 @@ +# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- +# serial 12 (pkg-config-0.29.2) + +dnl Copyright © 2004 Scott James Remnant . +dnl Copyright © 2012-2015 Dan Nicholson +dnl +dnl This program is free software; you can redistribute it and/or modify +dnl it under the terms of the GNU General Public License as published by +dnl the Free Software Foundation; either version 2 of the License, or +dnl (at your option) any later version. +dnl +dnl This program is distributed in the hope that it will be useful, but +dnl WITHOUT ANY WARRANTY; without even the implied warranty of +dnl MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +dnl General Public License for more details. +dnl +dnl You should have received a copy of the GNU General Public License +dnl along with this program; if not, write to the Free Software +dnl Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA +dnl 02111-1307, USA. +dnl +dnl As a special exception to the GNU General Public License, if you +dnl distribute this file as part of a program that contains a +dnl configuration script generated by Autoconf, you may include it under +dnl the same distribution terms that you use for the rest of that +dnl program. + +dnl PKG_PREREQ(MIN-VERSION) +dnl ----------------------- +dnl Since: 0.29 +dnl +dnl Verify that the version of the pkg-config macros are at least +dnl MIN-VERSION. Unlike PKG_PROG_PKG_CONFIG, which checks the user's +dnl installed version of pkg-config, this checks the developer's version +dnl of pkg.m4 when generating configure. +dnl +dnl To ensure that this macro is defined, also add: +dnl m4_ifndef([PKG_PREREQ], +dnl [m4_fatal([must install pkg-config 0.29 or later before running autoconf/autogen])]) +dnl +dnl See the "Since" comment for each macro you use to see what version +dnl of the macros you require. +m4_defun([PKG_PREREQ], +[m4_define([PKG_MACROS_VERSION], [0.29.2]) +m4_if(m4_version_compare(PKG_MACROS_VERSION, [$1]), -1, + [m4_fatal([pkg.m4 version $1 or higher is required but ]PKG_MACROS_VERSION[ found])]) +])dnl PKG_PREREQ + +dnl PKG_PROG_PKG_CONFIG([MIN-VERSION]) +dnl ---------------------------------- +dnl Since: 0.16 +dnl +dnl Search for the pkg-config tool and set the PKG_CONFIG variable to +dnl first found in the path. Checks that the version of pkg-config found +dnl is at least MIN-VERSION. If MIN-VERSION is not specified, 0.9.0 is +dnl used since that's the first version where most current features of +dnl pkg-config existed. +AC_DEFUN([PKG_PROG_PKG_CONFIG], +[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) +m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) +m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$]) +AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility]) +AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path]) +AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path]) + +if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then + AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) +fi +if test -n "$PKG_CONFIG"; then + _pkg_min_version=m4_default([$1], [0.9.0]) + AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) + if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then + AC_MSG_RESULT([yes]) + else + AC_MSG_RESULT([no]) + PKG_CONFIG="" + fi +fi[]dnl +])dnl PKG_PROG_PKG_CONFIG + +dnl PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------------------------------- +dnl Since: 0.18 +dnl +dnl Check to see whether a particular set of modules exists. Similar to +dnl PKG_CHECK_MODULES(), but does not set variables or print errors. +dnl +dnl Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +dnl only at the first occurence in configure.ac, so if the first place +dnl it's called might be skipped (such as if it is within an "if", you +dnl have to call PKG_CHECK_EXISTS manually +AC_DEFUN([PKG_CHECK_EXISTS], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +if test -n "$PKG_CONFIG" && \ + AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then + m4_default([$2], [:]) +m4_ifvaln([$3], [else + $3])dnl +fi]) + +dnl _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) +dnl --------------------------------------------- +dnl Internal wrapper calling pkg-config via PKG_CONFIG and setting +dnl pkg_failed based on the result. +m4_define([_PKG_CONFIG], +[if test -n "$$1"; then + pkg_cv_[]$1="$$1" + elif test -n "$PKG_CONFIG"; then + PKG_CHECK_EXISTS([$3], + [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null` + test "x$?" != "x0" && pkg_failed=yes ], + [pkg_failed=yes]) + else + pkg_failed=untried +fi[]dnl +])dnl _PKG_CONFIG + +dnl _PKG_SHORT_ERRORS_SUPPORTED +dnl --------------------------- +dnl Internal check to see if pkg-config supports short errors. +AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) +if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then + _pkg_short_errors_supported=yes +else + _pkg_short_errors_supported=no +fi[]dnl +])dnl _PKG_SHORT_ERRORS_SUPPORTED + + +dnl PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl -------------------------------------------------------------- +dnl Since: 0.4.0 +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES might not happen, you should be sure to include an +dnl explicit call to PKG_PROG_PKG_CONFIG in your configure.ac +AC_DEFUN([PKG_CHECK_MODULES], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl +AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl + +pkg_failed=no +AC_MSG_CHECKING([for $2]) + +_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) +_PKG_CONFIG([$1][_LIBS], [libs], [$2]) + +m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS +and $1[]_LIBS to avoid the need to call pkg-config. +See the pkg-config man page for more details.]) + +if test $pkg_failed = yes; then + AC_MSG_RESULT([no]) + _PKG_SHORT_ERRORS_SUPPORTED + if test $_pkg_short_errors_supported = yes; then + $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` + else + $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` + fi + # Put the nasty error message in config.log where it belongs + echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD + + m4_default([$4], [AC_MSG_ERROR( +[Package requirements ($2) were not met: + +$$1_PKG_ERRORS + +Consider adjusting the PKG_CONFIG_PATH environment variable if you +installed software in a non-standard prefix. + +_PKG_TEXT])[]dnl + ]) +elif test $pkg_failed = untried; then + AC_MSG_RESULT([no]) + m4_default([$4], [AC_MSG_FAILURE( +[The pkg-config script could not be found or is too old. Make sure it +is in your PATH or set the PKG_CONFIG environment variable to the full +path to pkg-config. + +_PKG_TEXT + +To get pkg-config, see .])[]dnl + ]) +else + $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS + $1[]_LIBS=$pkg_cv_[]$1[]_LIBS + AC_MSG_RESULT([yes]) + $3 +fi[]dnl +])dnl PKG_CHECK_MODULES + + +dnl PKG_CHECK_MODULES_STATIC(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], +dnl [ACTION-IF-NOT-FOUND]) +dnl --------------------------------------------------------------------- +dnl Since: 0.29 +dnl +dnl Checks for existence of MODULES and gathers its build flags with +dnl static libraries enabled. Sets VARIABLE-PREFIX_CFLAGS from --cflags +dnl and VARIABLE-PREFIX_LIBS from --libs. +dnl +dnl Note that if there is a possibility the first call to +dnl PKG_CHECK_MODULES_STATIC might not happen, you should be sure to +dnl include an explicit call to PKG_PROG_PKG_CONFIG in your +dnl configure.ac. +AC_DEFUN([PKG_CHECK_MODULES_STATIC], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +_save_PKG_CONFIG=$PKG_CONFIG +PKG_CONFIG="$PKG_CONFIG --static" +PKG_CHECK_MODULES($@) +PKG_CONFIG=$_save_PKG_CONFIG[]dnl +])dnl PKG_CHECK_MODULES_STATIC + + +dnl PKG_INSTALLDIR([DIRECTORY]) +dnl ------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable pkgconfigdir as the location where a module +dnl should install pkg-config .pc files. By default the directory is +dnl $libdir/pkgconfig, but the default can be changed by passing +dnl DIRECTORY. The user can override through the --with-pkgconfigdir +dnl parameter. +AC_DEFUN([PKG_INSTALLDIR], +[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) +m4_pushdef([pkg_description], + [pkg-config installation directory @<:@]pkg_default[@:>@]) +AC_ARG_WITH([pkgconfigdir], + [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],, + [with_pkgconfigdir=]pkg_default) +AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) +m4_popdef([pkg_default]) +m4_popdef([pkg_description]) +])dnl PKG_INSTALLDIR + + +dnl PKG_NOARCH_INSTALLDIR([DIRECTORY]) +dnl -------------------------------- +dnl Since: 0.27 +dnl +dnl Substitutes the variable noarch_pkgconfigdir as the location where a +dnl module should install arch-independent pkg-config .pc files. By +dnl default the directory is $datadir/pkgconfig, but the default can be +dnl changed by passing DIRECTORY. The user can override through the +dnl --with-noarch-pkgconfigdir parameter. +AC_DEFUN([PKG_NOARCH_INSTALLDIR], +[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) +m4_pushdef([pkg_description], + [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@]) +AC_ARG_WITH([noarch-pkgconfigdir], + [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],, + [with_noarch_pkgconfigdir=]pkg_default) +AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) +m4_popdef([pkg_default]) +m4_popdef([pkg_description]) +])dnl PKG_NOARCH_INSTALLDIR + + +dnl PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, +dnl [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) +dnl ------------------------------------------- +dnl Since: 0.28 +dnl +dnl Retrieves the value of the pkg-config variable for the given module. +AC_DEFUN([PKG_CHECK_VAR], +[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl +AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl + +_PKG_CONFIG([$1], [variable="][$3]["], [$2]) +AS_VAR_COPY([$1], [pkg_cv_][$1]) + +AS_VAR_IF([$1], [""], [$5], [$4])dnl +])dnl PKG_CHECK_VAR diff --git a/src/config/post.in b/src/config/post.in index 7c7d86d..3643aba 100644 --- a/src/config/post.in +++ b/src/config/post.in @@ -156,7 +156,7 @@ clean: clean-$(WHAT) clean-unix:: $(RM) $(OBJS) $(DEPTARGETS_CLEAN) $(EXTRA_FILES) - $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog + $(RM) et-[ch]-*.et et-[ch]-*.[ch] testlog testtrace -$(RM) -r testdir clean-windows:: diff --git a/src/config/pre.in b/src/config/pre.in index e062632..ce87e21 100644 --- a/src/config/pre.in +++ b/src/config/pre.in @@ -7,7 +7,7 @@ # srcdir=@srcdir@ # top_srcdir=@top_srcdir@ # but these are only set by autoconf 2.53, and thus not useful to us on -# Mac OS X yet (as of 10.2): +# macOS yet (as of 10.2): # abs_srcdir=@abs_srcdir@ # abs_top_srcdir=@abs_top_srcdir@ # builddir=@builddir@ @@ -209,6 +209,8 @@ ADMIN_CATDIR = $(KRB5MANROOT)/cat8 SERVER_CATDIR = $(KRB5MANROOT)/cat8 CLIENT_CATDIR = $(KRB5MANROOT)/cat1 FILE_CATDIR = $(KRB5MANROOT)/cat5 +OVERVIEW_MANDIR = $(KRB5MANROOT)/man7 +OVERVIEW_CATDIR = $(KRB5MANROOT)/cat7 KRB5_LIBDIR = @libdir@ KRB5_INCDIR = @includedir@ MODULE_DIR = @libdir@/krb5/plugins @@ -389,6 +391,7 @@ DL_LIB = @DL_LIB@ CMOCKA_LIBS = @CMOCKA_LIBS@ LDAP_LIBS = @LDAP_LIBS@ +LMDB_LIBS = @LMDB_LIBS@ KRB5_LIB = -lkrb5 K5CRYPTO_LIB = -lk5crypto @@ -402,10 +405,10 @@ HESIOD_LIBS = @HESIOD_LIBS@ KRB5_BASE_LIBS = $(KRB5_LIB) $(K5CRYPTO_LIB) $(COM_ERR_LIB) $(SUPPORT_LIB) $(GEN_LIB) $(LIBS) $(DL_LIB) KDB5_LIBS = $(KDB5_LIB) $(GSSRPC_LIBS) GSS_LIBS = $(GSS_KRB5_LIB) -# needs fixing if ever used on Mac OS X! +# needs fixing if ever used on macOS! GSSRPC_LIBS = -lgssrpc $(GSS_LIBS) KADM_COMM_LIBS = $(GSSRPC_LIBS) -# need fixing if ever used on Mac OS X! +# need fixing if ever used on macOS! KADMSRV_LIBS = -lkadm5srv_mit $(HESIOD_LIBS) $(KDB5_LIBS) $(KADM_COMM_LIBS) KADMCLNT_LIBS = -lkadm5clnt_mit $(KADM_COMM_LIBS) @@ -435,22 +438,28 @@ TCL_INCLUDES = @TCL_INCLUDES@ CRYPTO_IMPL = @CRYPTO_IMPL@ PRNG_ALG = @PRNG_ALG@ -# Crypto back-end selection and flags for PKINIT -PKINIT_CRYPTO_IMPL = @PKINIT_CRYPTO_IMPL@ -PKINIT_CRYPTO_IMPL_CFLAGS = @PKINIT_CRYPTO_IMPL_CFLAGS@ -PKINIT_CRYPTO_IMPL_LIBS = @PKINIT_CRYPTO_IMPL_LIBS@ - # TLS implementation selection TLS_IMPL = @TLS_IMPL@ TLS_IMPL_CFLAGS = @TLS_IMPL_CFLAGS@ TLS_IMPL_LIBS = @TLS_IMPL_LIBS@ +# SPAKE preauth back-end libraries +SPAKE_OPENSSL_LIBS = @SPAKE_OPENSSL_LIBS@ + # Whether we have the SASL header file for the LDAP KDB module HAVE_SASL = @HAVE_SASL@ +# Whether we are building support for NIST SPAKE groups using OpenSSL +HAVE_SPAKE_OPENSSL = @HAVE_SPAKE_OPENSSL@ + +# Whether we are building the LMDB KDB module +HAVE_LMDB = @HAVE_LMDB@ + # Whether we have libresolv 1.1.5 for URI discovery tests HAVE_RESOLV_WRAPPER = @HAVE_RESOLV_WRAPPER@ +SIZEOF_TIME_T = @SIZEOF_TIME_T@ + # error table rules # ### /* these are invoked as $(...) foo.et, which works, but could be better */ diff --git a/src/config/win-post.in b/src/config/win-post.in index 6535c1b..3f43bda 100644 --- a/src/config/win-post.in +++ b/src/config/win-post.in @@ -121,14 +121,6 @@ clean-windows-files: !else @if exist $(OUTPRE3)$(DIRNUL) deltree /y $(OUTPRE3) !endif -!if 0 - $(RM) .\$(OUTPRE)*.obj .\$(OUTPRE)*.res - $(RM) .\$(OUTPRE)*.exe .\$(OUTPRE)*.dll - $(RM) .\$(OUTPRE)*.lib .\$(OUTPRE)*.pdb - $(RM) .\$(OUTPRE)*.exp .\$(OUTPRE)*.map - $(RM) .\$(OUTPRE)*.idb .\$(OUTPRE)*.ilk - $(RM) .\$(OUTPRE)*.manifest -!endif # Dependencies !if exist($(srcdir)/deps) diff --git a/src/config/win-pre.in b/src/config/win-pre.in index bb4cc3d..a3fb46e 100644 --- a/src/config/win-pre.in +++ b/src/config/win-pre.in @@ -34,6 +34,13 @@ CPU=i386 !if ( "$(CPU)" != "i386" ) && ( "$(CPU)" != "ALPHA" ) && ( "$(CPU)" != "ALPHA64" ) && ( "$(CPU)" != "IA64" ) && ( "$(CPU)" != "AMD64" ) !error Must specify CPU environment variable ( CPU=i386, CPU=ALPHA, CPU=ALPHA64,CPU=IA64, CPU=AMD64) !endif + +!if ("$(CPU)" == "IA64" ) || ("$(CPU)" == "AMD64" ) || ("$(CPU)" == "ALPHA64" ) +BITS=64 +!else +BITS=32 +!endif + # # End of figuring out CPU # @@ -88,25 +95,8 @@ C=.^\ srcdir = . top_srcdir = $(srcdir)\$(BUILDTOP) -DNS_LIB=$(BUILDTOP)\util\wshelper\$(OUTPRE)$(DLIB).lib -DNS_INC=$(BUILDTOP)\windows\include - -!if defined(KRB5_NO_WSHELPER) -DNSMSG=resolver -!else -DNSMSG=wshelper -DNSFLAGS=-DWSHELPER=1 -!endif -!if !defined(DNS_INC) -!message Must define DNS_INC to point to $(DNSMSG) includes dir! -!error -!endif -!if !defined(DNS_LIB) -!message Must define DNS_LIB to point to $(DNSMSG) library! -!error -!endif -DNSLIBS=$(DNS_LIB) -DNSFLAGS=-I$(DNS_INC) $(DNSFLAGS) -DKRB5_DNS_LOOKUP=1 +DNSLIBS=dnsapi.lib +DNSFLAGS=-DKRB5_DNS_LOOKUP=1 !if defined(KRB5_USE_DNS_REALMS) DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_REALM=1 !endif @@ -131,13 +121,12 @@ CPPFLAGS=-I$(top_srcdir)\include -I$(top_srcdir)\include\krb5 $(DNSFLAGS) -DWIN3 CCOPTS=-nologo /EHsc /W3 $(PDB_OPTS) $(DLL_FILE_DEF) LOPTS=-nologo -incremental:no -manifest -!if ("$(CPU)" == "IA64" ) || ("$(CPU)" == "AMD64" ) || ("$(CPU)" == "ALPHA64" ) +!if ("$(BITS)" == "64" ) ENTRYPOINT=_DllMainCRTStartup !else ENTRYPOINT=_DllMainCRTStartup@12 !endif CCLINKOPTION= -SCLIB= DEBUGOPT=/Zi #if the compiler is vstudio 8, generate manifest @@ -194,28 +183,13 @@ PERL=perl WCONFIG_EXE=$(BUILDTOP)\$(OUTPRE)wconfig.exe WCONFIG=$(WCONFIG_EXE:.exe=) $(WCONFIG_FLAGS) -CLIB=$(BUILDTOP)\lib\$(OUTPRE)comerr32.lib -PLIB=$(BUILDTOP)\lib\$(OUTPRE)xpprof32.lib -KLIB=$(BUILDTOP)\lib\$(OUTPRE)krb5_32.lib -K4LIB=$(BUILDTOP)\lib\$(OUTPRE)krb4_32.lib -SLIB=$(BUILDTOP)\lib\$(OUTPRE)k5sprt32.lib -GLIB=$(BUILDTOP)\lib\$(OUTPRE)gssapi32.lib -DLIB=wshelp32 -CCLIB=krbcc32 -WLIB= - -!if ("$(CPU)" == "IA64" ) || ("$(CPU)" == "AMD64" ) || ("$(CPU)" == "ALPHA64" ) -CLIB=$(BUILDTOP)\lib\$(OUTPRE)comerr64.lib -PLIB=$(BUILDTOP)\lib\$(OUTPRE)xpprof64.lib -KLIB=$(BUILDTOP)\lib\$(OUTPRE)krb5_64.lib -K4LIB=$(BUILDTOP)\lib\$(OUTPRE)krb4_64.lib -SLIB=$(BUILDTOP)\lib\$(OUTPRE)k5sprt64.lib -GLIB=$(BUILDTOP)\lib\$(OUTPRE)gssapi64.lib -DLIB=wshelp64 -CCLIB=krbcc64 -WLIB= - -!endif +CLIB=$(BUILDTOP)\lib\$(OUTPRE)comerr$(BITS).lib +PLIB=$(BUILDTOP)\lib\$(OUTPRE)xpprof$(BITS).lib +KLIB=$(BUILDTOP)\lib\$(OUTPRE)krb5_$(BITS).lib +SLIB=$(BUILDTOP)\lib\$(OUTPRE)k5sprt$(BITS).lib +GLIB=$(BUILDTOP)\lib\$(OUTPRE)gssapi$(BITS).lib +CCLIB=krbcc$(BITS) +SPAKELIB=spake$(BITS) KRB4_INCLUDES=-I$(BUILDTOP)/include/kerberosIV diff --git a/src/configure b/src/configure deleted file mode 100755 index e214022..0000000 --- a/src/configure +++ /dev/null @@ -1,14580 +0,0 @@ -#! /bin/sh -# Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for Kerberos 5 1.15.2. -# -# Report bugs to . -# -# Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2008, 2009 -# Massachusetts Institute of Technology. -# -# -# -# Copyright (C) 1992-1996, 1998-2012 Free Software Foundation, Inc. -# -# -# This configure script is free software; the Free Software Foundation -# gives unlimited permission to copy, distribute and modify it. -## -------------------- ## -## M4sh Initialization. ## -## -------------------- ## - -# Be more Bourne compatible -DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi - - -as_nl=' -' -export as_nl -# Printing a long string crashes Solaris 7 /usr/bin/printf. -as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -# Prefer a ksh shell builtin over an external printf program on Solaris, -# but without wasting forks for bash or zsh. -if test -z "$BASH_VERSION$ZSH_VERSION" \ - && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='print -r --' - as_echo_n='print -rn --' -elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='printf %s\n' - as_echo_n='printf %s' -else - if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then - as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' - as_echo_n='/usr/ucb/echo -n' - else - as_echo_body='eval expr "X$1" : "X\\(.*\\)"' - as_echo_n_body='eval - arg=$1; - case $arg in #( - *"$as_nl"*) - expr "X$arg" : "X\\(.*\\)$as_nl"; - arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; - esac; - expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" - ' - export as_echo_n_body - as_echo_n='sh -c $as_echo_n_body as_echo' - fi - export as_echo_body - as_echo='sh -c $as_echo_body as_echo' -fi - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - PATH_SEPARATOR=: - (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { - (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || - PATH_SEPARATOR=';' - } -fi - - -# IFS -# We need space, tab and new line, in precisely that order. Quoting is -# there to prevent editors from complaining about space-tab. -# (If _AS_PATH_WALK were called with IFS unset, it would disable word -# splitting by setting IFS to empty value.) -IFS=" "" $as_nl" - -# Find who we are. Look in the path if we contain no directory separator. -as_myself= -case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break - done -IFS=$as_save_IFS - - ;; -esac -# We did not find ourselves, most probably we were run as `sh COMMAND' -# in which case we are not to be found in the path. -if test "x$as_myself" = x; then - as_myself=$0 -fi -if test ! -f "$as_myself"; then - $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 -fi - -# Unset variables that we do not need and which cause bugs (e.g. in -# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -# suppresses any "Segmentation fault" message there. '((' could -# trigger a bug in pdksh 5.2.14. -for as_var in BASH_ENV ENV MAIL MAILPATH -do eval test x\${$as_var+set} = xset \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done -PS1='$ ' -PS2='> ' -PS4='+ ' - -# NLS nuisances. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - -# Use a proper internal environment variable to ensure we don't fall - # into an infinite loop, continuously re-executing ourselves. - if test x"${_as_can_reexec}" != xno && test "x$CONFIG_SHELL" != x; then - _as_can_reexec=no; export _as_can_reexec; - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -as_fn_exit 255 - fi - # We don't want this to propagate to other subprocesses. - { _as_can_reexec=; unset _as_can_reexec;} -if test "x$CONFIG_SHELL" = x; then - as_bourne_compatible="if test -n \"\${ZSH_VERSION+set}\" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on \${1+\"\$@\"}, which - # is contrary to our usage. Disable this feature. - alias -g '\${1+\"\$@\"}'='\"\$@\"' - setopt NO_GLOB_SUBST -else - case \`(set -o) 2>/dev/null\` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi -" - as_required="as_fn_return () { (exit \$1); } -as_fn_success () { as_fn_return 0; } -as_fn_failure () { as_fn_return 1; } -as_fn_ret_success () { return 0; } -as_fn_ret_failure () { return 1; } - -exitcode=0 -as_fn_success || { exitcode=1; echo as_fn_success failed.; } -as_fn_failure && { exitcode=1; echo as_fn_failure succeeded.; } -as_fn_ret_success || { exitcode=1; echo as_fn_ret_success failed.; } -as_fn_ret_failure && { exitcode=1; echo as_fn_ret_failure succeeded.; } -if ( set x; as_fn_ret_success y && test x = \"\$1\" ); then : - -else - exitcode=1; echo positional parameters were not saved. -fi -test x\$exitcode = x0 || exit 1 -test -x / || exit 1" - as_suggested=" as_lineno_1=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_1a=\$LINENO - as_lineno_2=";as_suggested=$as_suggested$LINENO;as_suggested=$as_suggested" as_lineno_2a=\$LINENO - eval 'test \"x\$as_lineno_1'\$as_run'\" != \"x\$as_lineno_2'\$as_run'\" && - test \"x\`expr \$as_lineno_1'\$as_run' + 1\`\" = \"x\$as_lineno_2'\$as_run'\"' || exit 1 -test \$(( 1 + 1 )) = 2 || exit 1" - if (eval "$as_required") 2>/dev/null; then : - as_have_required=yes -else - as_have_required=no -fi - if test x$as_have_required = xyes && (eval "$as_suggested") 2>/dev/null; then : - -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -as_found=false -for as_dir in /bin$PATH_SEPARATOR/usr/bin$PATH_SEPARATOR$PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - as_found=: - case $as_dir in #( - /*) - for as_base in sh bash ksh sh5; do - # Try only shells that exist, to save several forks. - as_shell=$as_dir/$as_base - if { test -f "$as_shell" || test -f "$as_shell.exe"; } && - { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$as_shell"; } 2>/dev/null; then : - CONFIG_SHELL=$as_shell as_have_required=yes - if { $as_echo "$as_bourne_compatible""$as_suggested" | as_run=a "$as_shell"; } 2>/dev/null; then : - break 2 -fi -fi - done;; - esac - as_found=false -done -$as_found || { if { test -f "$SHELL" || test -f "$SHELL.exe"; } && - { $as_echo "$as_bourne_compatible""$as_required" | as_run=a "$SHELL"; } 2>/dev/null; then : - CONFIG_SHELL=$SHELL as_have_required=yes -fi; } -IFS=$as_save_IFS - - - if test "x$CONFIG_SHELL" != x; then : - export CONFIG_SHELL - # We cannot yet assume a decent shell, so we have to provide a -# neutralization value for shells without unset; and this also -# works around shells that cannot unset nonexistent variables. -# Preserve -v and -x to the replacement shell. -BASH_ENV=/dev/null -ENV=/dev/null -(unset BASH_ENV) >/dev/null 2>&1 && unset BASH_ENV ENV -case $- in # (((( - *v*x* | *x*v* ) as_opts=-vx ;; - *v* ) as_opts=-v ;; - *x* ) as_opts=-x ;; - * ) as_opts= ;; -esac -exec $CONFIG_SHELL $as_opts "$as_myself" ${1+"$@"} -# Admittedly, this is quite paranoid, since all the known shells bail -# out after a failed `exec'. -$as_echo "$0: could not re-execute with $CONFIG_SHELL" >&2 -exit 255 -fi - - if test x$as_have_required = xno; then : - $as_echo "$0: This script requires a shell more modern than all" - $as_echo "$0: the shells that I found on your system." - if test x${ZSH_VERSION+set} = xset ; then - $as_echo "$0: In particular, zsh $ZSH_VERSION has bugs and should" - $as_echo "$0: be upgraded to zsh 4.3.4 or later." - else - $as_echo "$0: Please tell bug-autoconf@gnu.org and krb5-bugs@mit.edu -$0: about your system, including any error possibly output -$0: before this message. Then install a modern shell, or -$0: manually run the script under such a shell if you do -$0: have one." - fi - exit 1 -fi -fi -fi -SHELL=${CONFIG_SHELL-/bin/sh} -export SHELL -# Unset more variables known to interfere with behavior of common tools. -CLICOLOR_FORCE= GREP_OPTIONS= -unset CLICOLOR_FORCE GREP_OPTIONS - -## --------------------- ## -## M4sh Shell Functions. ## -## --------------------- ## -# as_fn_unset VAR -# --------------- -# Portably unset VAR. -as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. -as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. -if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. -if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - $as_echo "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi - -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi - -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - - - as_lineno_1=$LINENO as_lineno_1a=$LINENO - as_lineno_2=$LINENO as_lineno_2a=$LINENO - eval 'test "x$as_lineno_1'$as_run'" != "x$as_lineno_2'$as_run'" && - test "x`expr $as_lineno_1'$as_run' + 1`" = "x$as_lineno_2'$as_run'"' || { - # Blame Lee E. McMahon (1931-1989) for sed's syntax. :-) - sed -n ' - p - /[$]LINENO/= - ' <$as_myself | - sed ' - s/[$]LINENO.*/&-/ - t lineno - b - :lineno - N - :loop - s/[$]LINENO\([^'$as_cr_alnum'_].*\n\)\(.*\)/\2\1\2/ - t loop - s/-\n.*// - ' >$as_me.lineno && - chmod +x "$as_me.lineno" || - { $as_echo "$as_me: error: cannot create $as_me.lineno; rerun with a POSIX shell" >&2; as_fn_exit 1; } - - # If we had to re-execute with $CONFIG_SHELL, we're ensured to have - # already done that, so ensure we don't try to do so again and fall - # in an infinite loop. This has already happened in practice. - _as_can_reexec=no; export _as_can_reexec - # Don't try to exec as it changes $[0], causing all sort of problems - # (the dirname of $[0] is not the place where we might find the - # original and so on. Autoconf is especially sensitive to this). - . "./$as_me.lineno" - # Exit status is that of the last command. - exit -} - -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( --n*) - case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. - xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; - esac;; -*) - ECHO_N='-n';; -esac - -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file -else - rm -f conf$$.dir - mkdir conf$$.dir 2>/dev/null -fi -if (echo >conf$$.file) 2>/dev/null; then - if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else - as_ln_s='cp -pR' - fi -else - as_ln_s='cp -pR' -fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null - -if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' -else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -fi - -as_test_x='test -x' -as_executable_p=as_fn_executable_p - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -test -n "$DJDIR" || exec 7<&0 &1 - -# Name of the host. -# hostname on some systems (SVR3.2, old GNU/Linux) returns a bogus exit status, -# so uname gets run too. -ac_hostname=`(hostname || uname -n) 2>/dev/null | sed 1q` - -# -# Initializations. -# -ac_default_prefix=/usr/local -ac_clean_files= -ac_config_libobj_dir=. -LIBOBJS= -cross_compiling=no -subdirs= -MFLAGS= -MAKEFLAGS= - -# Identity of this package. -PACKAGE_NAME='Kerberos 5' -PACKAGE_TARNAME='krb5' -PACKAGE_VERSION='1.15.2' -PACKAGE_STRING='Kerberos 5 1.15.2' -PACKAGE_BUGREPORT='krb5-bugs@mit.edu' -PACKAGE_URL='' - -ac_unique_file="aclocal.m4" -# Factoring default headers for most tests. -ac_includes_default="\ -#include -#ifdef HAVE_SYS_TYPES_H -# include -#endif -#ifdef HAVE_SYS_STAT_H -# include -#endif -#ifdef STDC_HEADERS -# include -# include -#else -# ifdef HAVE_STDLIB_H -# include -# endif -#endif -#ifdef HAVE_STRING_H -# if !defined STDC_HEADERS && defined HAVE_MEMORY_H -# include -# endif -# include -#endif -#ifdef HAVE_STRINGS_H -# include -#endif -#ifdef HAVE_INTTYPES_H -# include -#endif -#ifdef HAVE_STDINT_H -# include -#endif -#ifdef HAVE_UNISTD_H -# include -#endif" - -ac_subst_vars='LTLIBOBJS -DEFCKTNAME -DEFKTNAME -DEFCCNAME -OSX -GROFF -VERTO_VERSION -VERTO_LIBS -VERTO_CFLAGS -RL_LIBS -RL_CFLAGS -sam2_plugin -LDAP -ldap_plugin_dir -HAVE_SASL -LDAP_LIBS -SUPPORTLIB_MAJOR -DB_EXTRA_LIBS -HAVE_RESOLV_WRAPPER -CMOCKA_LIBS -HAVE_CMOCKA -HAVE_PYTHON -PYTHON -HAVE_RUNTEST -LIBOBJS -PKINIT -PASS -GSSRPC__BSD_TYPEALIASES -GSSRPC__NETDB_H -GSSRPC__SYS_PARAM_H -GSSRPC__UNISTD_H -GSSRPC__SYS_TIME_H -GSSRPC__SYS_SELECT_H -rpcent_define -include_xom -RUNTEST -PRIOCNTL_HACK -DO_ALL -EXPECT -PERL_PATH -S_TOP -RBUILD -DO_TEST -have_PERL -have_RUNTEST -YFLAGS -YACC -NSLOOKUP -DIG -FCTSH -BASH -SH5 -SH -DO_TCL -KRB5_RCTMPDIR -SETENVOBJ -KSU_LIBS -EXTRA_SUPPORT_SYMS -GETTIMEOFDAY_ST_OBJ -GETTIMEOFDAY_OBJ -MKSTEMP_ST_OBJ -MKSTEMP_OBJ -LEXLIB -LEX_OUTPUT_ROOT -LEX -ASAN -ASAN_FLAGS -KRB5_RUN_VARS -KRB5_RUN_ENV -AESNI_FLAGS -AESNI_OBJ -YASM -TLS_IMPL_LIBS -TLS_IMPL_CFLAGS -TLS_IMPL -PKINIT_CRYPTO_IMPL_LIBS -PKINIT_CRYPTO_IMPL_CFLAGS -PKINIT_CRYPTO_IMPL -PRNG_ALG -CRYPTO_IMPL_LIBS -CRYPTO_IMPL_CFLAGS -CRYPTO_IMPL -audit_plugin -AUDIT_IMPL_LIBS -AWK -PRINTF_ST_OBJ -PRINTF_OBJ -FNMATCH_ST_OBJ -FNMATCH_OBJ -GETOPT_LONG_ST_OBJ -GETOPT_LONG_OBJ -GETOPT_ST_OBJ -GETOPT_OBJ -STRLCPY_ST_OBJ -STRLCPY_OBJ -po -MSGFMT -LIBUTIL -PROG_RPATH_FLAGS -RPATH_FLAG -CXX_LINK -CC_LINK -GEN_LIB -UNDEF_CHECK -MAKE_DYNOBJ_COMMAND -DYNOBJEXT -LIBINSTLIST -PFLIBEXT -DEPLIBEXT -SHLIBSEXT -SHLIBVEXT -SHLIBEXT -STLIBEXT -INSTALL_SHLIB -DYNOBJ_EXPFLAGS -DYNOBJ_EXPDEPS -SHLIB_EXPORT_FILE_DEP -SHLIB_EXPFLAGS -SHLIB_RPATH_FLAGS -MAKE_SHLIB_COMMAND -KDB5_PLUGIN_LIBS -KDB5_PLUGIN_DEPLIBS -PLUGININST -PLUGINLINK -PLUGIN -LIBLINKS -LIBLIST -PERL -AR -INSTALL_DATA -INSTALL_SCRIPT -INSTALL_PROGRAM -ARADD -ARCHIVE -RANLIB -LN_S -PROFFLAGS -PICFLAGS -PFOBJEXT -SHOBJEXT -STOBJEXT -OBJLISTS -TCL_MAYBE_RPATH -TCL_RPATH -TCL_LIBPATH -TCL_LIBS -TCL_INCLUDES -KRB5_VERSION -EGREP -GREP -DL_LIB -THREAD_SUPPORT -PTHREAD_CFLAGS -PTHREAD_LIBS -PTHREAD_CC -acx_pthread_config -krb5_cv_host -host_os -host_vendor -host_cpu -host -build_os -build_vendor -build_cpu -build -CONFIG_RELTOPDIR -MAINT -MAINTAINER_MODE_FALSE -MAINTAINER_MODE_TRUE -HESIOD_LIBS -HESIOD_DEFS -KDB5_DB_LIB -DB_HEADER_VERSION -DB_VERSION -DB_LIB -DB_HEADER -SS_VERSION -SS_LIB -COM_ERR_VERSION -compile_et -LD -CPP -WARN_CXXFLAGS -WARN_CFLAGS -HAVE_GCC -ac_ct_CXX -CXXFLAGS -CXX -OBJEXT -EXEEXT -ac_ct_CC -CPPFLAGS -LDFLAGS -CFLAGS -CC -EXTRA_FILES -SYSCONFCONF -runstatedir -target_alias -host_alias -build_alias -LIBS -ECHO_T -ECHO_N -ECHO_C -DEFS -mandir -localedir -libdir -psdir -pdfdir -dvidir -htmldir -infodir -docdir -oldincludedir -includedir -localstatedir -sharedstatedir -sysconfdir -datadir -datarootdir -libexecdir -sbindir -bindir -program_transform_name -prefix -exec_prefix -PACKAGE_URL -PACKAGE_BUGREPORT -PACKAGE_STRING -PACKAGE_VERSION -PACKAGE_TARNAME -PACKAGE_NAME -PATH_SEPARATOR -SHELL' -ac_subst_files='lib_frag -libobj_frag -libnover_frag -libpriv_frag -libnodeps_frag' -ac_user_opts=' -enable_option_checking -with_size_optimizations -with_system_et -with_system_ss -with_system_db -with_netlib -enable_dns_for_realm -with_hesiod -enable_maintainer_mode -with_ldap -enable_delayed_initialization -enable_thread_support -enable_static -enable_shared -enable_rpath -enable_profiled -with_tcl -enable_athena -with_vague_errors -enable_audit_plugin -with_crypto_impl -with_prng_alg -with_pkinit_crypto_impl -with_tls_impl -enable_aesni -enable_kdc_lookaside_cache -enable_asan -enable_pkinit -with_libedit -with_readline -with_system_verto -with_krb5_config -' - ac_precious_vars='build_alias -host_alias -target_alias -CC -CFLAGS -LDFLAGS -LIBS -CPPFLAGS -CXX -CXXFLAGS -CCC -CPP -LD -SS_LIB -DB_HEADER -DB_LIB -YACC -YFLAGS -DEFCCNAME -DEFKTNAME -DEFCKTNAME' - - -# Initialize some variables set by options. -ac_init_help= -ac_init_version=false -ac_unrecognized_opts= -ac_unrecognized_sep= -# The variables have the same names as the options, with -# dashes changed to underlines. -cache_file=/dev/null -exec_prefix=NONE -no_create= -no_recursion= -prefix=NONE -program_prefix=NONE -program_suffix=NONE -program_transform_name=s,x,x, -silent= -site= -srcdir= -verbose= -x_includes=NONE -x_libraries=NONE - -# Installation directory options. -# These are left unexpanded so users can "make install exec_prefix=/foo" -# and all the variables that are supposed to be based on exec_prefix -# by default will actually change. -# Use braces instead of parens because sh, perl, etc. also accept them. -# (The list follows the same order as the GNU Coding Standards.) -bindir='${exec_prefix}/bin' -sbindir='${exec_prefix}/sbin' -libexecdir='${exec_prefix}/libexec' -datarootdir='${prefix}/share' -datadir='${datarootdir}' -sysconfdir='${prefix}/etc' -sharedstatedir='${prefix}/com' -localstatedir='${prefix}/var' -includedir='${prefix}/include' -oldincludedir='/usr/include' -docdir='${datarootdir}/doc/${PACKAGE_TARNAME}' -infodir='${datarootdir}/info' -htmldir='${docdir}' -dvidir='${docdir}' -pdfdir='${docdir}' -psdir='${docdir}' -libdir='${exec_prefix}/lib' -localedir='${datarootdir}/locale' -mandir='${datarootdir}/man' - -ac_prev= -ac_dashdash= -for ac_option -do - # If the previous option needs an argument, assign it. - if test -n "$ac_prev"; then - eval $ac_prev=\$ac_option - ac_prev= - continue - fi - - case $ac_option in - *=?*) ac_optarg=`expr "X$ac_option" : '[^=]*=\(.*\)'` ;; - *=) ac_optarg= ;; - *) ac_optarg=yes ;; - esac - - # Accept the important Cygnus configure options, so we can diagnose typos. - - case $ac_dashdash$ac_option in - --) - ac_dashdash=yes ;; - - -bindir | --bindir | --bindi | --bind | --bin | --bi) - ac_prev=bindir ;; - -bindir=* | --bindir=* | --bindi=* | --bind=* | --bin=* | --bi=*) - bindir=$ac_optarg ;; - - -build | --build | --buil | --bui | --bu) - ac_prev=build_alias ;; - -build=* | --build=* | --buil=* | --bui=* | --bu=*) - build_alias=$ac_optarg ;; - - -cache-file | --cache-file | --cache-fil | --cache-fi \ - | --cache-f | --cache- | --cache | --cach | --cac | --ca | --c) - ac_prev=cache_file ;; - -cache-file=* | --cache-file=* | --cache-fil=* | --cache-fi=* \ - | --cache-f=* | --cache-=* | --cache=* | --cach=* | --cac=* | --ca=* | --c=*) - cache_file=$ac_optarg ;; - - --config-cache | -C) - cache_file=config.cache ;; - - -datadir | --datadir | --datadi | --datad) - ac_prev=datadir ;; - -datadir=* | --datadir=* | --datadi=* | --datad=*) - datadir=$ac_optarg ;; - - -datarootdir | --datarootdir | --datarootdi | --datarootd | --dataroot \ - | --dataroo | --dataro | --datar) - ac_prev=datarootdir ;; - -datarootdir=* | --datarootdir=* | --datarootdi=* | --datarootd=* \ - | --dataroot=* | --dataroo=* | --dataro=* | --datar=*) - datarootdir=$ac_optarg ;; - - -disable-* | --disable-*) - ac_useropt=`expr "x$ac_option" : 'x-*disable-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: $ac_useropt" - ac_useropt_orig=$ac_useropt - ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"enable_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--disable-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval enable_$ac_useropt=no ;; - - -docdir | --docdir | --docdi | --doc | --do) - ac_prev=docdir ;; - -docdir=* | --docdir=* | --docdi=* | --doc=* | --do=*) - docdir=$ac_optarg ;; - - -dvidir | --dvidir | --dvidi | --dvid | --dvi | --dv) - ac_prev=dvidir ;; - -dvidir=* | --dvidir=* | --dvidi=* | --dvid=* | --dvi=* | --dv=*) - dvidir=$ac_optarg ;; - - -enable-* | --enable-*) - ac_useropt=`expr "x$ac_option" : 'x-*enable-\([^=]*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid feature name: $ac_useropt" - ac_useropt_orig=$ac_useropt - ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"enable_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--enable-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval enable_$ac_useropt=\$ac_optarg ;; - - -exec-prefix | --exec_prefix | --exec-prefix | --exec-prefi \ - | --exec-pref | --exec-pre | --exec-pr | --exec-p | --exec- \ - | --exec | --exe | --ex) - ac_prev=exec_prefix ;; - -exec-prefix=* | --exec_prefix=* | --exec-prefix=* | --exec-prefi=* \ - | --exec-pref=* | --exec-pre=* | --exec-pr=* | --exec-p=* | --exec-=* \ - | --exec=* | --exe=* | --ex=*) - exec_prefix=$ac_optarg ;; - - -gas | --gas | --ga | --g) - # Obsolete; use --with-gas. - with_gas=yes ;; - - -help | --help | --hel | --he | -h) - ac_init_help=long ;; - -help=r* | --help=r* | --hel=r* | --he=r* | -hr*) - ac_init_help=recursive ;; - -help=s* | --help=s* | --hel=s* | --he=s* | -hs*) - ac_init_help=short ;; - - -host | --host | --hos | --ho) - ac_prev=host_alias ;; - -host=* | --host=* | --hos=* | --ho=*) - host_alias=$ac_optarg ;; - - -htmldir | --htmldir | --htmldi | --htmld | --html | --htm | --ht) - ac_prev=htmldir ;; - -htmldir=* | --htmldir=* | --htmldi=* | --htmld=* | --html=* | --htm=* \ - | --ht=*) - htmldir=$ac_optarg ;; - - -includedir | --includedir | --includedi | --included | --include \ - | --includ | --inclu | --incl | --inc) - ac_prev=includedir ;; - -includedir=* | --includedir=* | --includedi=* | --included=* | --include=* \ - | --includ=* | --inclu=* | --incl=* | --inc=*) - includedir=$ac_optarg ;; - - -infodir | --infodir | --infodi | --infod | --info | --inf) - ac_prev=infodir ;; - -infodir=* | --infodir=* | --infodi=* | --infod=* | --info=* | --inf=*) - infodir=$ac_optarg ;; - - -libdir | --libdir | --libdi | --libd) - ac_prev=libdir ;; - -libdir=* | --libdir=* | --libdi=* | --libd=*) - libdir=$ac_optarg ;; - - -libexecdir | --libexecdir | --libexecdi | --libexecd | --libexec \ - | --libexe | --libex | --libe) - ac_prev=libexecdir ;; - -libexecdir=* | --libexecdir=* | --libexecdi=* | --libexecd=* | --libexec=* \ - | --libexe=* | --libex=* | --libe=*) - libexecdir=$ac_optarg ;; - - -localedir | --localedir | --localedi | --localed | --locale) - ac_prev=localedir ;; - -localedir=* | --localedir=* | --localedi=* | --localed=* | --locale=*) - localedir=$ac_optarg ;; - - -localstatedir | --localstatedir | --localstatedi | --localstated \ - | --localstate | --localstat | --localsta | --localst | --locals) - ac_prev=localstatedir ;; - -localstatedir=* | --localstatedir=* | --localstatedi=* | --localstated=* \ - | --localstate=* | --localstat=* | --localsta=* | --localst=* | --locals=*) - localstatedir=$ac_optarg ;; - - -mandir | --mandir | --mandi | --mand | --man | --ma | --m) - ac_prev=mandir ;; - -mandir=* | --mandir=* | --mandi=* | --mand=* | --man=* | --ma=* | --m=*) - mandir=$ac_optarg ;; - - -nfp | --nfp | --nf) - # Obsolete; use --without-fp. - with_fp=no ;; - - -no-create | --no-create | --no-creat | --no-crea | --no-cre \ - | --no-cr | --no-c | -n) - no_create=yes ;; - - -no-recursion | --no-recursion | --no-recursio | --no-recursi \ - | --no-recurs | --no-recur | --no-recu | --no-rec | --no-re | --no-r) - no_recursion=yes ;; - - -oldincludedir | --oldincludedir | --oldincludedi | --oldincluded \ - | --oldinclude | --oldinclud | --oldinclu | --oldincl | --oldinc \ - | --oldin | --oldi | --old | --ol | --o) - ac_prev=oldincludedir ;; - -oldincludedir=* | --oldincludedir=* | --oldincludedi=* | --oldincluded=* \ - | --oldinclude=* | --oldinclud=* | --oldinclu=* | --oldincl=* | --oldinc=* \ - | --oldin=* | --oldi=* | --old=* | --ol=* | --o=*) - oldincludedir=$ac_optarg ;; - - -prefix | --prefix | --prefi | --pref | --pre | --pr | --p) - ac_prev=prefix ;; - -prefix=* | --prefix=* | --prefi=* | --pref=* | --pre=* | --pr=* | --p=*) - prefix=$ac_optarg ;; - - -program-prefix | --program-prefix | --program-prefi | --program-pref \ - | --program-pre | --program-pr | --program-p) - ac_prev=program_prefix ;; - -program-prefix=* | --program-prefix=* | --program-prefi=* \ - | --program-pref=* | --program-pre=* | --program-pr=* | --program-p=*) - program_prefix=$ac_optarg ;; - - -program-suffix | --program-suffix | --program-suffi | --program-suff \ - | --program-suf | --program-su | --program-s) - ac_prev=program_suffix ;; - -program-suffix=* | --program-suffix=* | --program-suffi=* \ - | --program-suff=* | --program-suf=* | --program-su=* | --program-s=*) - program_suffix=$ac_optarg ;; - - -program-transform-name | --program-transform-name \ - | --program-transform-nam | --program-transform-na \ - | --program-transform-n | --program-transform- \ - | --program-transform | --program-transfor \ - | --program-transfo | --program-transf \ - | --program-trans | --program-tran \ - | --progr-tra | --program-tr | --program-t) - ac_prev=program_transform_name ;; - -program-transform-name=* | --program-transform-name=* \ - | --program-transform-nam=* | --program-transform-na=* \ - | --program-transform-n=* | --program-transform-=* \ - | --program-transform=* | --program-transfor=* \ - | --program-transfo=* | --program-transf=* \ - | --program-trans=* | --program-tran=* \ - | --progr-tra=* | --program-tr=* | --program-t=*) - program_transform_name=$ac_optarg ;; - - -pdfdir | --pdfdir | --pdfdi | --pdfd | --pdf | --pd) - ac_prev=pdfdir ;; - -pdfdir=* | --pdfdir=* | --pdfdi=* | --pdfd=* | --pdf=* | --pd=*) - pdfdir=$ac_optarg ;; - - -psdir | --psdir | --psdi | --psd | --ps) - ac_prev=psdir ;; - -psdir=* | --psdir=* | --psdi=* | --psd=* | --ps=*) - psdir=$ac_optarg ;; - - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - silent=yes ;; - - -sbindir | --sbindir | --sbindi | --sbind | --sbin | --sbi | --sb) - ac_prev=sbindir ;; - -sbindir=* | --sbindir=* | --sbindi=* | --sbind=* | --sbin=* \ - | --sbi=* | --sb=*) - sbindir=$ac_optarg ;; - - -sharedstatedir | --sharedstatedir | --sharedstatedi \ - | --sharedstated | --sharedstate | --sharedstat | --sharedsta \ - | --sharedst | --shareds | --shared | --share | --shar \ - | --sha | --sh) - ac_prev=sharedstatedir ;; - -sharedstatedir=* | --sharedstatedir=* | --sharedstatedi=* \ - | --sharedstated=* | --sharedstate=* | --sharedstat=* | --sharedsta=* \ - | --sharedst=* | --shareds=* | --shared=* | --share=* | --shar=* \ - | --sha=* | --sh=*) - sharedstatedir=$ac_optarg ;; - - -site | --site | --sit) - ac_prev=site ;; - -site=* | --site=* | --sit=*) - site=$ac_optarg ;; - - -srcdir | --srcdir | --srcdi | --srcd | --src | --sr) - ac_prev=srcdir ;; - -srcdir=* | --srcdir=* | --srcdi=* | --srcd=* | --src=* | --sr=*) - srcdir=$ac_optarg ;; - - -sysconfdir | --sysconfdir | --sysconfdi | --sysconfd | --sysconf \ - | --syscon | --sysco | --sysc | --sys | --sy) - ac_prev=sysconfdir ;; - -sysconfdir=* | --sysconfdir=* | --sysconfdi=* | --sysconfd=* | --sysconf=* \ - | --syscon=* | --sysco=* | --sysc=* | --sys=* | --sy=*) - sysconfdir=$ac_optarg ;; - - -target | --target | --targe | --targ | --tar | --ta | --t) - ac_prev=target_alias ;; - -target=* | --target=* | --targe=* | --targ=* | --tar=* | --ta=* | --t=*) - target_alias=$ac_optarg ;; - - -v | -verbose | --verbose | --verbos | --verbo | --verb) - verbose=yes ;; - - -version | --version | --versio | --versi | --vers | -V) - ac_init_version=: ;; - - -with-* | --with-*) - ac_useropt=`expr "x$ac_option" : 'x-*with-\([^=]*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: $ac_useropt" - ac_useropt_orig=$ac_useropt - ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"with_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--with-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval with_$ac_useropt=\$ac_optarg ;; - - -without-* | --without-*) - ac_useropt=`expr "x$ac_option" : 'x-*without-\(.*\)'` - # Reject names that are not valid shell variable names. - expr "x$ac_useropt" : ".*[^-+._$as_cr_alnum]" >/dev/null && - as_fn_error $? "invalid package name: $ac_useropt" - ac_useropt_orig=$ac_useropt - ac_useropt=`$as_echo "$ac_useropt" | sed 's/[-+.]/_/g'` - case $ac_user_opts in - *" -"with_$ac_useropt" -"*) ;; - *) ac_unrecognized_opts="$ac_unrecognized_opts$ac_unrecognized_sep--without-$ac_useropt_orig" - ac_unrecognized_sep=', ';; - esac - eval with_$ac_useropt=no ;; - - --x) - # Obsolete; use --with-x. - with_x=yes ;; - - -x-includes | --x-includes | --x-include | --x-includ | --x-inclu \ - | --x-incl | --x-inc | --x-in | --x-i) - ac_prev=x_includes ;; - -x-includes=* | --x-includes=* | --x-include=* | --x-includ=* | --x-inclu=* \ - | --x-incl=* | --x-inc=* | --x-in=* | --x-i=*) - x_includes=$ac_optarg ;; - - -x-libraries | --x-libraries | --x-librarie | --x-librari \ - | --x-librar | --x-libra | --x-libr | --x-lib | --x-li | --x-l) - ac_prev=x_libraries ;; - -x-libraries=* | --x-libraries=* | --x-librarie=* | --x-librari=* \ - | --x-librar=* | --x-libra=* | --x-libr=* | --x-lib=* | --x-li=* | --x-l=*) - x_libraries=$ac_optarg ;; - - -*) as_fn_error $? "unrecognized option: \`$ac_option' -Try \`$0 --help' for more information" - ;; - - *=*) - ac_envvar=`expr "x$ac_option" : 'x\([^=]*\)='` - # Reject names that are not valid shell variable names. - case $ac_envvar in #( - '' | [0-9]* | *[!_$as_cr_alnum]* ) - as_fn_error $? "invalid variable name: \`$ac_envvar'" ;; - esac - eval $ac_envvar=\$ac_optarg - export $ac_envvar ;; - - *) - # FIXME: should be removed in autoconf 3.0. - $as_echo "$as_me: WARNING: you should use --build, --host, --target" >&2 - expr "x$ac_option" : ".*[^-._$as_cr_alnum]" >/dev/null && - $as_echo "$as_me: WARNING: invalid host type: $ac_option" >&2 - : "${build_alias=$ac_option} ${host_alias=$ac_option} ${target_alias=$ac_option}" - ;; - - esac -done - -if test -n "$ac_prev"; then - ac_option=--`echo $ac_prev | sed 's/_/-/g'` - as_fn_error $? "missing argument to $ac_option" -fi - -if test -n "$ac_unrecognized_opts"; then - case $enable_option_checking in - no) ;; - fatal) as_fn_error $? "unrecognized options: $ac_unrecognized_opts" ;; - *) $as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2 ;; - esac -fi - -# Check all directory arguments for consistency. -for ac_var in exec_prefix prefix bindir sbindir libexecdir datarootdir \ - datadir sysconfdir sharedstatedir localstatedir includedir \ - oldincludedir docdir infodir htmldir dvidir pdfdir psdir \ - libdir localedir mandir -do - eval ac_val=\$$ac_var - # Remove trailing slashes. - case $ac_val in - */ ) - ac_val=`expr "X$ac_val" : 'X\(.*[^/]\)' \| "X$ac_val" : 'X\(.*\)'` - eval $ac_var=\$ac_val;; - esac - # Be sure to have absolute directory names. - case $ac_val in - [\\/$]* | ?:[\\/]* ) continue;; - NONE | '' ) case $ac_var in *prefix ) continue;; esac;; - esac - as_fn_error $? "expected an absolute directory name for --$ac_var: $ac_val" -done - -# There might be people who depend on the old broken behavior: `$host' -# used to hold the argument of --host etc. -# FIXME: To remove some day. -build=$build_alias -host=$host_alias -target=$target_alias - -# FIXME: To remove some day. -if test "x$host_alias" != x; then - if test "x$build_alias" = x; then - cross_compiling=maybe - elif test "x$build_alias" != "x$host_alias"; then - cross_compiling=yes - fi -fi - -ac_tool_prefix= -test -n "$host_alias" && ac_tool_prefix=$host_alias- - -test "$silent" = yes && exec 6>/dev/null - - -ac_pwd=`pwd` && test -n "$ac_pwd" && -ac_ls_di=`ls -di .` && -ac_pwd_ls_di=`cd "$ac_pwd" && ls -di .` || - as_fn_error $? "working directory cannot be determined" -test "X$ac_ls_di" = "X$ac_pwd_ls_di" || - as_fn_error $? "pwd does not report name of working directory" - - -# Find the source files, if location was not specified. -if test -z "$srcdir"; then - ac_srcdir_defaulted=yes - # Try the directory containing this script, then the parent directory. - ac_confdir=`$as_dirname -- "$as_myself" || -$as_expr X"$as_myself" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_myself" : 'X\(//\)[^/]' \| \ - X"$as_myself" : 'X\(//\)$' \| \ - X"$as_myself" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_myself" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - srcdir=$ac_confdir - if test ! -r "$srcdir/$ac_unique_file"; then - srcdir=.. - fi -else - ac_srcdir_defaulted=no -fi -if test ! -r "$srcdir/$ac_unique_file"; then - test "$ac_srcdir_defaulted" = yes && srcdir="$ac_confdir or .." - as_fn_error $? "cannot find sources ($ac_unique_file) in $srcdir" -fi -ac_msg="sources are in $srcdir, but \`cd $srcdir' does not work" -ac_abs_confdir=`( - cd "$srcdir" && test -r "./$ac_unique_file" || as_fn_error $? "$ac_msg" - pwd)` -# When building in place, set srcdir=. -if test "$ac_abs_confdir" = "$ac_pwd"; then - srcdir=. -fi -# Remove unnecessary trailing slashes from srcdir. -# Double slashes in file names in object file debugging info -# mess up M-x gdb in Emacs. -case $srcdir in -*/) srcdir=`expr "X$srcdir" : 'X\(.*[^/]\)' \| "X$srcdir" : 'X\(.*\)'`;; -esac -for ac_var in $ac_precious_vars; do - eval ac_env_${ac_var}_set=\${${ac_var}+set} - eval ac_env_${ac_var}_value=\$${ac_var} - eval ac_cv_env_${ac_var}_set=\${${ac_var}+set} - eval ac_cv_env_${ac_var}_value=\$${ac_var} -done - -# -# Report the --help message. -# -if test "$ac_init_help" = "long"; then - # Omit some internal or obsolete options to make the list less imposing. - # This message is too long to be a string in the A/UX 3.1 sh. - cat <<_ACEOF -\`configure' configures Kerberos 5 1.15.2 to adapt to many kinds of systems. - -Usage: $0 [OPTION]... [VAR=VALUE]... - -To assign environment variables (e.g., CC, CFLAGS...), specify them as -VAR=VALUE. See below for descriptions of some of the useful variables. - -Defaults for the options are specified in brackets. - -Configuration: - -h, --help display this help and exit - --help=short display options specific to this package - --help=recursive display the short help of all the included packages - -V, --version display version information and exit - -q, --quiet, --silent do not print \`checking ...' messages - --cache-file=FILE cache test results in FILE [disabled] - -C, --config-cache alias for \`--cache-file=config.cache' - -n, --no-create do not create output files - --srcdir=DIR find the sources in DIR [configure dir or \`..'] - -Installation directories: - --prefix=PREFIX install architecture-independent files in PREFIX - [$ac_default_prefix] - --exec-prefix=EPREFIX install architecture-dependent files in EPREFIX - [PREFIX] - -By default, \`make install' will install all the files in -\`$ac_default_prefix/bin', \`$ac_default_prefix/lib' etc. You can specify -an installation prefix other than \`$ac_default_prefix' using \`--prefix', -for instance \`--prefix=\$HOME'. - -For better control, use the options below. - -Fine tuning of the installation directories: - --bindir=DIR user executables [EPREFIX/bin] - --sbindir=DIR system admin executables [EPREFIX/sbin] - --libexecdir=DIR program executables [EPREFIX/libexec] - --sysconfdir=DIR read-only single-machine data [PREFIX/etc] - --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] - --localstatedir=DIR modifiable single-machine data [PREFIX/var] - --libdir=DIR object code libraries [EPREFIX/lib] - --includedir=DIR C header files [PREFIX/include] - --oldincludedir=DIR C header files for non-gcc [/usr/include] - --datarootdir=DIR read-only arch.-independent data root [PREFIX/share] - --datadir=DIR read-only architecture-independent data [DATAROOTDIR] - --infodir=DIR info documentation [DATAROOTDIR/info] - --localedir=DIR locale-dependent data [DATAROOTDIR/locale] - --mandir=DIR man documentation [DATAROOTDIR/man] - --docdir=DIR documentation root [DATAROOTDIR/doc/krb5] - --htmldir=DIR html documentation [DOCDIR] - --dvidir=DIR dvi documentation [DOCDIR] - --pdfdir=DIR pdf documentation [DOCDIR] - --psdir=DIR ps documentation [DOCDIR] -_ACEOF - - cat <<\_ACEOF - -Program names: - --program-prefix=PREFIX prepend PREFIX to installed program names - --program-suffix=SUFFIX append SUFFIX to installed program names - --program-transform-name=PROGRAM run sed PROGRAM on installed program names - -System types: - --build=BUILD configure for building on BUILD [guessed] - --host=HOST cross-compile to build programs to run on HOST [BUILD] -_ACEOF -fi - -if test -n "$ac_init_help"; then - case $ac_init_help in - short | recursive ) echo "Configuration of Kerberos 5 1.15.2:";; - esac - cat <<\_ACEOF - -Optional Features: - --disable-option-checking ignore unrecognized --enable/--with options - --disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no) - --enable-FEATURE[=ARG] include FEATURE [ARG=yes] - --enable-dns-for-realm enable DNS lookups of Kerberos realm names - --enable-maintainer-mode - enable rebuilding of source files, Makefiles, etc - --disable-delayed-initialization - initialize library code when loaded [delay until - first use] - --disable-thread-support - don't enable thread support [enabled] - - --disable-rpath suppress run path flags in link lines - --enable-athena build with MIT Project Athena configuration - --enable-audit-plugin=IMPL - use audit plugin [ do not use audit ] - --disable-aesni Do not build with AES-NI support - --disable-kdc-lookaside-cache - Disable the cache which detects client retransmits - --enable-asan Build with asan memory checking - --disable-pkinit disable PKINIT plugin support - -Optional Packages: - --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] - --without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no) - --with-size-optimizations enable a few optimizations to reduce code size - possibly at some run-time cost - --with-system-et use system compile_et and -lcom_err [default: build - and install a local version] - --with-system-ss use system -lss and mk_cmds [private version] - --with-system-db use system Berkeley db [private version] - --with-netlib=LIBS use user defined resolver library - --with-hesiod=path compile with hesiod support [omitted] - --with-ldap compile OpenLDAP database backend module - --with-tcl=path where Tcl resides - --with-vague-errors Do not [do] send helpful errors to client - --with-crypto-impl=IMPL use specified crypto implementation [builtin] - --with-prng-alg=ALG use specified PRNG algorithm. [fortuna] - --with-pkinit-crypto-impl=IMPL - use specified pkinit crypto implementation [openssl] - --with-tls-impl=IMPL use specified TLS implementation [auto] - --without-libedit do not compile with libedit - --with-readline compile with GNU Readline - --with-system-verto always use system verto library - --with-krb5-config=PATH path to existing krb5-config program for defaults - -Some influential environment variables: - CC C compiler command - CFLAGS C compiler flags - LDFLAGS linker flags, e.g. -L if you have libraries in a - nonstandard directory - LIBS libraries to pass to the linker, e.g. -l - CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I if - you have headers in a nonstandard directory - CXX C++ compiler command - CXXFLAGS C++ compiler flags - CPP C preprocessor - LD linker command [CC] - SS_LIB system libraries for 'ss' package [-lss] - DB_HEADER header file for system Berkeley db package [db.h] - DB_LIB library for system Berkeley db package [-ldb] - YACC The `Yet Another Compiler Compiler' implementation to use. - Defaults to the first program found out of: `bison -y', `byacc', - `yacc'. - YFLAGS The list of arguments that will be passed by default to $YACC. - This script will default YFLAGS to the empty string to avoid a - default value of `-d' given by some make applications. - DEFCCNAME Default ccache name - DEFKTNAME Default keytab name - DEFCKTNAME Default client keytab name - -Use these variables to override the choices made by `configure' or to help -it to find libraries and programs with nonstandard names/locations. - -Report bugs to . -_ACEOF -ac_status=$? -fi - -if test "$ac_init_help" = "recursive"; then - # If there are subdirs, report their specific --help. - for ac_dir in : $ac_subdirs_all; do test "x$ac_dir" = x: && continue - test -d "$ac_dir" || - { cd "$srcdir" && ac_pwd=`pwd` && srcdir=. && test -d "$ac_dir"; } || - continue - ac_builddir=. - -case "$ac_dir" in -.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; -*) - ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. - ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; - esac ;; -esac -ac_abs_top_builddir=$ac_pwd -ac_abs_builddir=$ac_pwd$ac_dir_suffix -# for backward compatibility: -ac_top_builddir=$ac_top_build_prefix - -case $srcdir in - .) # We are building in place. - ac_srcdir=. - ac_top_srcdir=$ac_top_builddir_sub - ac_abs_top_srcdir=$ac_pwd ;; - [\\/]* | ?:[\\/]* ) # Absolute name. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir - ac_abs_top_srcdir=$srcdir ;; - *) # Relative name. - ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_build_prefix$srcdir - ac_abs_top_srcdir=$ac_pwd/$srcdir ;; -esac -ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix - - cd "$ac_dir" || { ac_status=$?; continue; } - # Check for guested configure. - if test -f "$ac_srcdir/configure.gnu"; then - echo && - $SHELL "$ac_srcdir/configure.gnu" --help=recursive - elif test -f "$ac_srcdir/configure"; then - echo && - $SHELL "$ac_srcdir/configure" --help=recursive - else - $as_echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 - fi || ac_status=$? - cd "$ac_pwd" || { ac_status=$?; break; } - done -fi - -test -n "$ac_init_help" && exit $ac_status -if $ac_init_version; then - cat <<\_ACEOF -Kerberos 5 configure 1.15.2 -generated by GNU Autoconf 2.69 - -Copyright (C) 2012 Free Software Foundation, Inc. -This configure script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it. - -Copyright 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2007, 2008, 2009 -Massachusetts Institute of Technology. - -_ACEOF - exit -fi - -## ------------------------ ## -## Autoconf initialization. ## -## ------------------------ ## - -# ac_fn_c_try_compile LINENO -# -------------------------- -# Try to compile conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext - if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_compile - -# ac_fn_cxx_try_compile LINENO -# ---------------------------- -# Try to compile conftest.$ac_ext, and return whether this succeeded. -ac_fn_cxx_try_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext - if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_cxx_werror_flag" || - test ! -s conftest.err - } && test -s conftest.$ac_objext; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_cxx_try_compile - -# ac_fn_c_try_cpp LINENO -# ---------------------- -# Try to preprocess conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_cpp () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if { { ac_try="$ac_cpp conftest.$ac_ext" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_cpp conftest.$ac_ext") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } > conftest.i && { - test -z "$ac_c_preproc_warn_flag$ac_c_werror_flag" || - test ! -s conftest.err - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_cpp - -# ac_fn_c_try_link LINENO -# ----------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. -ac_fn_c_try_link () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - rm -f conftest.$ac_objext conftest$ac_exeext - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - grep -v '^ *+' conftest.err >conftest.er1 - cat conftest.er1 >&5 - mv -f conftest.er1 conftest.err - fi - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { - test -z "$ac_c_werror_flag" || - test ! -s conftest.err - } && test -s conftest$ac_exeext && { - test "$cross_compiling" = yes || - test -x conftest$ac_exeext - }; then : - ac_retval=0 -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=1 -fi - # Delete the IPA/IPO (Inter Procedural Analysis/Optimization) information - # created by the PGI compiler (conftest_ipa8_conftest.oo), as it would - # interfere with the next link command; also delete a directory that is - # left behind by Apple's compiler. We do this before executing the actions. - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_link - -# ac_fn_c_try_run LINENO -# ---------------------- -# Try to link conftest.$ac_ext, and return whether this succeeded. Assumes -# that executables *can* be run. -ac_fn_c_try_run () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } && { ac_try='./conftest$ac_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then : - ac_retval=0 -else - $as_echo "$as_me: program exited with status $ac_status" >&5 - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - - ac_retval=$ac_status -fi - rm -rf conftest.dSYM conftest_ipa8_conftest.oo - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - as_fn_set_status $ac_retval - -} # ac_fn_c_try_run - -# ac_fn_c_check_func LINENO FUNC VAR -# ---------------------------------- -# Tests whether FUNC exists, setting the cache variable VAR accordingly -ac_fn_c_check_func () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Define $2 to an innocuous variant, in case declares $2. - For example, HP-UX 11i declares gettimeofday. */ -#define $2 innocuous_$2 - -/* System header to define __stub macros and hopefully few prototypes, - which can conflict with char $2 (); below. - Prefer to if __STDC__ is defined, since - exists even on freestanding compilers. */ - -#ifdef __STDC__ -# include -#else -# include -#endif - -#undef $2 - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char $2 (); -/* The GNU C library defines this for functions which it implements - to always fail with ENOSYS. Some functions are actually named - something starting with __ and the normal name is an alias. */ -#if defined __stub_$2 || defined __stub___$2 -choke me -#endif - -int -main () -{ -return $2 (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_func - -# ac_fn_c_check_header_mongrel LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists, giving a warning if it cannot be compiled using -# the include files in INCLUDES and setting the cache variable VAR -# accordingly. -ac_fn_c_check_header_mongrel () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - if eval \${$3+:} false; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -else - # Is the header compilable? -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 usability" >&5 -$as_echo_n "checking $2 usability... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -#include <$2> -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_header_compiler=yes -else - ac_header_compiler=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_compiler" >&5 -$as_echo "$ac_header_compiler" >&6; } - -# Is the header present? -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking $2 presence" >&5 -$as_echo_n "checking $2 presence... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include <$2> -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - ac_header_preproc=yes -else - ac_header_preproc=no -fi -rm -f conftest.err conftest.i conftest.$ac_ext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_header_preproc" >&5 -$as_echo "$ac_header_preproc" >&6; } - -# So? What about this header? -case $ac_header_compiler:$ac_header_preproc:$ac_c_preproc_warn_flag in #(( - yes:no: ) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&5 -$as_echo "$as_me: WARNING: $2: accepted by the compiler, rejected by the preprocessor!" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} - ;; - no:yes:* ) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: present but cannot be compiled" >&5 -$as_echo "$as_me: WARNING: $2: present but cannot be compiled" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: check for missing prerequisite headers?" >&5 -$as_echo "$as_me: WARNING: $2: check for missing prerequisite headers?" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: see the Autoconf documentation" >&5 -$as_echo "$as_me: WARNING: $2: see the Autoconf documentation" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&5 -$as_echo "$as_me: WARNING: $2: section \"Present But Cannot Be Compiled\"" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $2: proceeding with the compiler's result" >&5 -$as_echo "$as_me: WARNING: $2: proceeding with the compiler's result" >&2;} -( $as_echo "## -------------------------------- ## -## Report this to krb5-bugs@mit.edu ## -## -------------------------------- ##" - ) | sed "s/^/$as_me: WARNING: /" >&2 - ;; -esac - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - eval "$3=\$ac_header_compiler" -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -fi - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_header_mongrel - -# ac_fn_c_check_header_compile LINENO HEADER VAR INCLUDES -# ------------------------------------------------------- -# Tests whether HEADER exists and can be compiled using the include files in -# INCLUDES, setting the cache variable VAR accordingly. -ac_fn_c_check_header_compile () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -#include <$2> -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_header_compile - -# ac_fn_c_check_type LINENO TYPE VAR INCLUDES -# ------------------------------------------- -# Tests whether TYPE exists after having included INCLUDES, setting cache -# variable VAR accordingly. -ac_fn_c_check_type () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2" >&5 -$as_echo_n "checking for $2... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - eval "$3=no" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -if (sizeof ($2)) - return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -if (sizeof (($2))) - return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - -else - eval "$3=yes" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_type - -# ac_fn_c_check_member LINENO AGGR MEMBER VAR INCLUDES -# ---------------------------------------------------- -# Tries to find if the field MEMBER exists in type AGGR, after including -# INCLUDES, setting cache variable VAR accordingly. -ac_fn_c_check_member () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for $2.$3" >&5 -$as_echo_n "checking for $2.$3... " >&6; } -if eval \${$4+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$5 -int -main () -{ -static $2 ac_aggr; -if (ac_aggr.$3) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$4=yes" -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$5 -int -main () -{ -static $2 ac_aggr; -if (sizeof ac_aggr.$3) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$4=yes" -else - eval "$4=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$4 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_member - -# ac_fn_c_check_decl LINENO SYMBOL VAR INCLUDES -# --------------------------------------------- -# Tests whether SYMBOL is declared in INCLUDES, setting cache variable VAR -# accordingly. -ac_fn_c_check_decl () -{ - as_lineno=${as_lineno-"$1"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - as_decl_name=`echo $2|sed 's/ *(.*//'` - as_decl_use=`echo $2|sed -e 's/(/((/' -e 's/)/) 0&/' -e 's/,/) 0& (/g'` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $as_decl_name is declared" >&5 -$as_echo_n "checking whether $as_decl_name is declared... " >&6; } -if eval \${$3+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$4 -int -main () -{ -#ifndef $as_decl_name -#ifdef __cplusplus - (void) $as_decl_use; -#else - (void) $as_decl_name; -#endif -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$3=yes" -else - eval "$3=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$3 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - eval $as_lineno_stack; ${as_lineno_stack:+:} unset as_lineno - -} # ac_fn_c_check_decl -cat >config.log <<_ACEOF -This file contains any messages produced by compilers while -running configure, to aid debugging if configure makes a mistake. - -It was created by Kerberos 5 $as_me 1.15.2, which was -generated by GNU Autoconf 2.69. Invocation command line was - - $ $0 $@ - -_ACEOF -exec 5>>config.log -{ -cat <<_ASUNAME -## --------- ## -## Platform. ## -## --------- ## - -hostname = `(hostname || uname -n) 2>/dev/null | sed 1q` -uname -m = `(uname -m) 2>/dev/null || echo unknown` -uname -r = `(uname -r) 2>/dev/null || echo unknown` -uname -s = `(uname -s) 2>/dev/null || echo unknown` -uname -v = `(uname -v) 2>/dev/null || echo unknown` - -/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null || echo unknown` -/bin/uname -X = `(/bin/uname -X) 2>/dev/null || echo unknown` - -/bin/arch = `(/bin/arch) 2>/dev/null || echo unknown` -/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null || echo unknown` -/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null || echo unknown` -/usr/bin/hostinfo = `(/usr/bin/hostinfo) 2>/dev/null || echo unknown` -/bin/machine = `(/bin/machine) 2>/dev/null || echo unknown` -/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null || echo unknown` -/bin/universe = `(/bin/universe) 2>/dev/null || echo unknown` - -_ASUNAME - -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - $as_echo "PATH: $as_dir" - done -IFS=$as_save_IFS - -} >&5 - -cat >&5 <<_ACEOF - - -## ----------- ## -## Core tests. ## -## ----------- ## - -_ACEOF - - -# Keep a trace of the command line. -# Strip out --no-create and --no-recursion so they do not pile up. -# Strip out --silent because we don't want to record it for future runs. -# Also quote any args containing shell meta-characters. -# Make two passes to allow for proper duplicate-argument suppression. -ac_configure_args= -ac_configure_args0= -ac_configure_args1= -ac_must_keep_next=false -for ac_pass in 1 2 -do - for ac_arg - do - case $ac_arg in - -no-create | --no-c* | -n | -no-recursion | --no-r*) continue ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil) - continue ;; - *\'*) - ac_arg=`$as_echo "$ac_arg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - case $ac_pass in - 1) as_fn_append ac_configure_args0 " '$ac_arg'" ;; - 2) - as_fn_append ac_configure_args1 " '$ac_arg'" - if test $ac_must_keep_next = true; then - ac_must_keep_next=false # Got value, back to normal. - else - case $ac_arg in - *=* | --config-cache | -C | -disable-* | --disable-* \ - | -enable-* | --enable-* | -gas | --g* | -nfp | --nf* \ - | -q | -quiet | --q* | -silent | --sil* | -v | -verb* \ - | -with-* | --with-* | -without-* | --without-* | --x) - case "$ac_configure_args0 " in - "$ac_configure_args1"*" '$ac_arg' "* ) continue ;; - esac - ;; - -* ) ac_must_keep_next=true ;; - esac - fi - as_fn_append ac_configure_args " '$ac_arg'" - ;; - esac - done -done -{ ac_configure_args0=; unset ac_configure_args0;} -{ ac_configure_args1=; unset ac_configure_args1;} - -# When interrupted or exit'd, cleanup temporary files, and complete -# config.log. We remove comments because anyway the quotes in there -# would cause problems or look ugly. -# WARNING: Use '\'' to represent an apostrophe within the trap. -# WARNING: Do not start the trap code with a newline, due to a FreeBSD 4.0 bug. -trap 'exit_status=$? - # Save into config.log some information that might help in debugging. - { - echo - - $as_echo "## ---------------- ## -## Cache variables. ## -## ---------------- ##" - echo - # The following way of writing the cache mishandles newlines in values, -( - for ac_var in `(set) 2>&1 | sed -n '\''s/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'\''`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done - (set) 2>&1 | - case $as_nl`(ac_space='\'' '\''; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - sed -n \ - "s/'\''/'\''\\\\'\'''\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\''\\2'\''/p" - ;; #( - *) - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) - echo - - $as_echo "## ----------------- ## -## Output variables. ## -## ----------------- ##" - echo - for ac_var in $ac_subst_vars - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - - if test -n "$ac_subst_files"; then - $as_echo "## ------------------- ## -## File substitutions. ## -## ------------------- ##" - echo - for ac_var in $ac_subst_files - do - eval ac_val=\$$ac_var - case $ac_val in - *\'\''*) ac_val=`$as_echo "$ac_val" | sed "s/'\''/'\''\\\\\\\\'\'''\''/g"`;; - esac - $as_echo "$ac_var='\''$ac_val'\''" - done | sort - echo - fi - - if test -s confdefs.h; then - $as_echo "## ----------- ## -## confdefs.h. ## -## ----------- ##" - echo - cat confdefs.h - echo - fi - test "$ac_signal" != 0 && - $as_echo "$as_me: caught signal $ac_signal" - $as_echo "$as_me: exit $exit_status" - } >&5 - rm -f core *.core core.conftest.* && - rm -f -r conftest* confdefs* conf$$* $ac_clean_files && - exit $exit_status -' 0 -for ac_signal in 1 2 13 15; do - trap 'ac_signal='$ac_signal'; as_fn_exit 1' $ac_signal -done -ac_signal=0 - -# confdefs.h avoids OS command line length limits that DEFS can exceed. -rm -f -r conftest* confdefs.h - -$as_echo "/* confdefs.h */" > confdefs.h - -# Predefined preprocessor variables. - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_NAME "$PACKAGE_NAME" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_TARNAME "$PACKAGE_TARNAME" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_VERSION "$PACKAGE_VERSION" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_STRING "$PACKAGE_STRING" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_BUGREPORT "$PACKAGE_BUGREPORT" -_ACEOF - -cat >>confdefs.h <<_ACEOF -#define PACKAGE_URL "$PACKAGE_URL" -_ACEOF - - -# Let the site file select an alternate cache file if it wants to. -# Prefer an explicitly selected file to automatically selected ones. -ac_site_file1=NONE -ac_site_file2=NONE -if test -n "$CONFIG_SITE"; then - # We do not want a PATH search for config.site. - case $CONFIG_SITE in #(( - -*) ac_site_file1=./$CONFIG_SITE;; - */*) ac_site_file1=$CONFIG_SITE;; - *) ac_site_file1=./$CONFIG_SITE;; - esac -elif test "x$prefix" != xNONE; then - ac_site_file1=$prefix/share/config.site - ac_site_file2=$prefix/etc/config.site -else - ac_site_file1=$ac_default_prefix/share/config.site - ac_site_file2=$ac_default_prefix/etc/config.site -fi -for ac_site_file in "$ac_site_file1" "$ac_site_file2" -do - test "x$ac_site_file" = xNONE && continue - if test /dev/null != "$ac_site_file" && test -r "$ac_site_file"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: loading site script $ac_site_file" >&5 -$as_echo "$as_me: loading site script $ac_site_file" >&6;} - sed 's/^/| /' "$ac_site_file" >&5 - . "$ac_site_file" \ - || { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "failed to load site script $ac_site_file -See \`config.log' for more details" "$LINENO" 5; } - fi -done - -if test -r "$cache_file"; then - # Some versions of bash will fail to source /dev/null (special files - # actually), so we avoid doing that. DJGPP emulates it as a regular file. - if test /dev/null != "$cache_file" && test -f "$cache_file"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: loading cache $cache_file" >&5 -$as_echo "$as_me: loading cache $cache_file" >&6;} - case $cache_file in - [\\/]* | ?:[\\/]* ) . "$cache_file";; - *) . "./$cache_file";; - esac - fi -else - { $as_echo "$as_me:${as_lineno-$LINENO}: creating cache $cache_file" >&5 -$as_echo "$as_me: creating cache $cache_file" >&6;} - >$cache_file -fi - -# Check that the precious variables saved in the cache have kept the same -# value. -ac_cache_corrupted=false -for ac_var in $ac_precious_vars; do - eval ac_old_set=\$ac_cv_env_${ac_var}_set - eval ac_new_set=\$ac_env_${ac_var}_set - eval ac_old_val=\$ac_cv_env_${ac_var}_value - eval ac_new_val=\$ac_env_${ac_var}_value - case $ac_old_set,$ac_new_set in - set,) - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&5 -$as_echo "$as_me: error: \`$ac_var' was set to \`$ac_old_val' in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,set) - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' was not set in the previous run" >&5 -$as_echo "$as_me: error: \`$ac_var' was not set in the previous run" >&2;} - ac_cache_corrupted=: ;; - ,);; - *) - if test "x$ac_old_val" != "x$ac_new_val"; then - # differences in whitespace do not lead to failure. - ac_old_val_w=`echo x $ac_old_val` - ac_new_val_w=`echo x $ac_new_val` - if test "$ac_old_val_w" != "$ac_new_val_w"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: error: \`$ac_var' has changed since the previous run:" >&5 -$as_echo "$as_me: error: \`$ac_var' has changed since the previous run:" >&2;} - ac_cache_corrupted=: - else - { $as_echo "$as_me:${as_lineno-$LINENO}: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&5 -$as_echo "$as_me: warning: ignoring whitespace changes in \`$ac_var' since the previous run:" >&2;} - eval $ac_var=\$ac_old_val - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: former value: \`$ac_old_val'" >&5 -$as_echo "$as_me: former value: \`$ac_old_val'" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: current value: \`$ac_new_val'" >&5 -$as_echo "$as_me: current value: \`$ac_new_val'" >&2;} - fi;; - esac - # Pass precious variables to config.status. - if test "$ac_new_set" = set; then - case $ac_new_val in - *\'*) ac_arg=$ac_var=`$as_echo "$ac_new_val" | sed "s/'/'\\\\\\\\''/g"` ;; - *) ac_arg=$ac_var=$ac_new_val ;; - esac - case " $ac_configure_args " in - *" '$ac_arg' "*) ;; # Avoid dups. Use of quotes ensures accuracy. - *) as_fn_append ac_configure_args " '$ac_arg'" ;; - esac - fi -done -if $ac_cache_corrupted; then - { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: error: changes in the environment can compromise the build" >&5 -$as_echo "$as_me: error: changes in the environment can compromise the build" >&2;} - as_fn_error $? "run \`make distclean' and/or \`rm $cache_file' and start over" "$LINENO" 5 -fi -## -------------------- ## -## Main body of script. ## -## -------------------- ## - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - -build_dynobj=no - -# If $runstatedir isn't set by autoconf (<2.70), set it manually. -if test x"$runstatedir" = x; then - runstatedir=$localstatedir/run -fi - - -# Don't make duplicate profile path entries for /etc/krb5.conf if -# $sysconfdir is /etc -if test "$sysconfdir" = /etc; then - SYSCONFCONF="" -else - SYSCONFCONF=":${sysconfdir}/krb5.conf" -fi - - -ac_reltopdir="." -if test ! -r "$srcdir/./aclocal.m4"; then - as_fn_error $? "Configure could not determine the relative topdir" "$LINENO" 5 -fi -ac_topdir=$srcdir/$ac_reltopdir -ac_config_fragdir=$ac_reltopdir/config -# echo "Looking for $srcdir/$ac_config_fragdir" -if test -d "$srcdir/$ac_config_fragdir"; then - ac_aux_dir= -for ac_dir in ./config "$srcdir"/./config; do - if test -f "$ac_dir/install-sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install-sh -c" - break - elif test -f "$ac_dir/install.sh"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/install.sh -c" - break - elif test -f "$ac_dir/shtool"; then - ac_aux_dir=$ac_dir - ac_install_sh="$ac_aux_dir/shtool install -c" - break - fi -done -if test -z "$ac_aux_dir"; then - as_fn_error $? "cannot find install-sh, install.sh, or shtool in ./config \"$srcdir\"/./config" "$LINENO" 5 -fi - -# These three variables are undocumented and unsupported, -# and are intended to be withdrawn in a future Autoconf release. -# They can cause serious problems if a builder's source tree is in a directory -# whose full name contains unusual characters. -ac_config_guess="$SHELL $ac_aux_dir/config.guess" # Please don't use this var. -ac_config_sub="$SHELL $ac_aux_dir/config.sub" # Please don't use this var. -ac_configure="$SHELL $ac_aux_dir/configure" # Please don't use this var. - - -else - as_fn_error $? "can not find config/ directory in $ac_reltopdir" "$LINENO" 5 -fi - - - - -krb5_ac_cflags_set=${CFLAGS+set} -krb5_ac_cxxflags_set=${CXXFLAGS+set} -krb5_ac_warn_cflags_set=${WARN_CFLAGS+set} -krb5_ac_warn_cxxflags_set=${WARN_CXXFLAGS+set} - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}gcc", so it can be a program name with args. -set dummy ${ac_tool_prefix}gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -$as_echo "$CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_CC"; then - ac_ct_CC=$CC - # Extract the first word of "gcc", so it can be a program name with args. -set dummy gcc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ac_ct_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="gcc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -$as_echo "$ac_ct_CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - if test "x$ac_ct_CC" = x; then - CC="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CC=$ac_ct_CC - fi -else - CC="$ac_cv_prog_CC" -fi - -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}cc", so it can be a program name with args. -set dummy ${ac_tool_prefix}cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="${ac_tool_prefix}cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -$as_echo "$CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - fi -fi -if test -z "$CC"; then - # Extract the first word of "cc", so it can be a program name with args. -set dummy cc; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else - ac_prog_rejected=no -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - if test "$as_dir/$ac_word$ac_exec_ext" = "/usr/ucb/cc"; then - ac_prog_rejected=yes - continue - fi - ac_cv_prog_CC="cc" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -if test $ac_prog_rejected = yes; then - # We found a bogon in the path, so make sure we never use it. - set dummy $ac_cv_prog_CC - shift - if test $# != 0; then - # We chose a different compiler from the bogus one. - # However, it has the same basename, so the bogon will be chosen - # first if we set CC to just the basename; use the full file name. - shift - ac_cv_prog_CC="$as_dir/$ac_word${1+' '}$@" - fi -fi -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -$as_echo "$CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$CC"; then - if test -n "$ac_tool_prefix"; then - for ac_prog in cl.exe - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$CC"; then - ac_cv_prog_CC="$CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CC="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CC=$ac_cv_prog_CC -if test -n "$CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CC" >&5 -$as_echo "$CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$CC" && break - done -fi -if test -z "$CC"; then - ac_ct_CC=$CC - for ac_prog in cl.exe -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ac_ct_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_CC"; then - ac_cv_prog_ac_ct_CC="$ac_ct_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CC=$ac_cv_prog_ac_ct_CC -if test -n "$ac_ct_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CC" >&5 -$as_echo "$ac_ct_CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$ac_ct_CC" && break -done - - if test "x$ac_ct_CC" = x; then - CC="" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CC=$ac_ct_CC - fi -fi - -fi - - -test -z "$CC" && { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "no acceptable C compiler found in \$PATH -See \`config.log' for more details" "$LINENO" 5; } - -# Provide some information about the compiler. -$as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler version" >&5 -set X $ac_compile -ac_compiler=$2 -for ac_option in --version -v -V -qversion; do - { { ac_try="$ac_compiler $ac_option >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compiler $ac_option >&5") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - sed '10a\ -... rest of stderr output deleted ... - 10q' conftest.err >conftest.er1 - cat conftest.er1 >&5 - fi - rm -f conftest.er1 conftest.err - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -done - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files a.out a.out.dSYM a.exe b.out" -# Try to create an executable without -o first, disregard a.out. -# It will help us diagnose broken compilers, and finding out an intuition -# of exeext. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the C compiler works" >&5 -$as_echo_n "checking whether the C compiler works... " >&6; } -ac_link_default=`$as_echo "$ac_link" | sed 's/ -o *conftest[^ ]*//'` - -# The possible output files: -ac_files="a.out conftest.exe conftest a.exe a_out.exe b.out conftest.*" - -ac_rmfiles= -for ac_file in $ac_files -do - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - * ) ac_rmfiles="$ac_rmfiles $ac_file";; - esac -done -rm -f $ac_rmfiles - -if { { ac_try="$ac_link_default" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link_default") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : - # Autoconf-2.13 could set the ac_cv_exeext variable to `no'. -# So ignore a value of `no', otherwise this would lead to `EXEEXT = no' -# in a Makefile. We should not override ac_cv_exeext if it was cached, -# so that the user can short-circuit this test for compilers unknown to -# Autoconf. -for ac_file in $ac_files '' -do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) - ;; - [ab].out ) - # We found the default executable, but exeext='' is most - # certainly right. - break;; - *.* ) - if test "${ac_cv_exeext+set}" = set && test "$ac_cv_exeext" != no; - then :; else - ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - fi - # We set ac_cv_exeext here because the later test for it is not - # safe: cross compilers may not add the suffix if given an `-o' - # argument, so we may need to know it at that point already. - # Even if this section looks crufty: it has the advantage of - # actually working. - break;; - * ) - break;; - esac -done -test "$ac_cv_exeext" = no && ac_cv_exeext= - -else - ac_file='' -fi -if test -z "$ac_file"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -$as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error 77 "C compiler cannot create executables -See \`config.log' for more details" "$LINENO" 5; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for C compiler default output file name" >&5 -$as_echo_n "checking for C compiler default output file name... " >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_file" >&5 -$as_echo "$ac_file" >&6; } -ac_exeext=$ac_cv_exeext - -rm -f -r a.out a.out.dSYM a.exe conftest$ac_cv_exeext b.out -ac_clean_files=$ac_clean_files_save -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of executables" >&5 -$as_echo_n "checking for suffix of executables... " >&6; } -if { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : - # If both `conftest.exe' and `conftest' are `present' (well, observable) -# catch `conftest.exe'. For instance with Cygwin, `ls conftest' will -# work properly (i.e., refer to `conftest.exe'), while it won't with -# `rm'. -for ac_file in conftest.exe conftest conftest.*; do - test -f "$ac_file" || continue - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM | *.o | *.obj ) ;; - *.* ) ac_cv_exeext=`expr "$ac_file" : '[^.]*\(\..*\)'` - break;; - * ) break;; - esac -done -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of executables: cannot compile and link -See \`config.log' for more details" "$LINENO" 5; } -fi -rm -f conftest conftest$ac_cv_exeext -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_exeext" >&5 -$as_echo "$ac_cv_exeext" >&6; } - -rm -f conftest.$ac_ext -EXEEXT=$ac_cv_exeext -ac_exeext=$EXEEXT -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -FILE *f = fopen ("conftest.out", "w"); - return ferror (f) || fclose (f) != 0; - - ; - return 0; -} -_ACEOF -ac_clean_files="$ac_clean_files conftest.out" -# Check that the compiler produces executables we can run. If not, either -# the compiler is broken, or we cross compile. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are cross compiling" >&5 -$as_echo_n "checking whether we are cross compiling... " >&6; } -if test "$cross_compiling" != yes; then - { { ac_try="$ac_link" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_link") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } - if { ac_try='./conftest$ac_cv_exeext' - { { case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_try") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - cross_compiling=no - else - if test "$cross_compiling" = maybe; then - cross_compiling=yes - else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot run C compiled programs. -If you meant to cross compile, use \`--host'. -See \`config.log' for more details" "$LINENO" 5; } - fi - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $cross_compiling" >&5 -$as_echo "$cross_compiling" >&6; } - -rm -f conftest.$ac_ext conftest$ac_cv_exeext conftest.out -ac_clean_files=$ac_clean_files_save -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for suffix of object files" >&5 -$as_echo_n "checking for suffix of object files... " >&6; } -if ${ac_cv_objext+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -rm -f conftest.o conftest.obj -if { { ac_try="$ac_compile" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compile") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; then : - for ac_file in conftest.o conftest.obj conftest.*; do - test -f "$ac_file" || continue; - case $ac_file in - *.$ac_ext | *.xcoff | *.tds | *.d | *.pdb | *.xSYM | *.bb | *.bbg | *.map | *.inf | *.dSYM ) ;; - *) ac_cv_objext=`expr "$ac_file" : '.*\.\(.*\)'` - break;; - esac -done -else - $as_echo "$as_me: failed program was:" >&5 -sed 's/^/| /' conftest.$ac_ext >&5 - -{ { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "cannot compute suffix of object files: cannot compile -See \`config.log' for more details" "$LINENO" 5; } -fi -rm -f conftest.$ac_cv_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_objext" >&5 -$as_echo "$ac_cv_objext" >&6; } -OBJEXT=$ac_cv_objext -ac_objext=$OBJEXT -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C compiler" >&5 -$as_echo_n "checking whether we are using the GNU C compiler... " >&6; } -if ${ac_cv_c_compiler_gnu+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -#ifndef __GNUC__ - choke me -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_compiler_gnu=yes -else - ac_compiler_gnu=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -ac_cv_c_compiler_gnu=$ac_compiler_gnu - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_compiler_gnu" >&5 -$as_echo "$ac_cv_c_compiler_gnu" >&6; } -if test $ac_compiler_gnu = yes; then - GCC=yes -else - GCC= -fi -ac_test_CFLAGS=${CFLAGS+set} -ac_save_CFLAGS=$CFLAGS -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC accepts -g" >&5 -$as_echo_n "checking whether $CC accepts -g... " >&6; } -if ${ac_cv_prog_cc_g+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_save_c_werror_flag=$ac_c_werror_flag - ac_c_werror_flag=yes - ac_cv_prog_cc_g=no - CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes -else - CFLAGS="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - -else - ac_c_werror_flag=$ac_save_c_werror_flag - CFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_g=yes -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_c_werror_flag=$ac_save_c_werror_flag -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_g" >&5 -$as_echo "$ac_cv_prog_cc_g" >&6; } -if test "$ac_test_CFLAGS" = set; then - CFLAGS=$ac_save_CFLAGS -elif test $ac_cv_prog_cc_g = yes; then - if test "$GCC" = yes; then - CFLAGS="-g -O2" - else - CFLAGS="-g" - fi -else - if test "$GCC" = yes; then - CFLAGS="-O2" - else - CFLAGS= - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $CC option to accept ISO C89" >&5 -$as_echo_n "checking for $CC option to accept ISO C89... " >&6; } -if ${ac_cv_prog_cc_c89+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_cv_prog_cc_c89=no -ac_save_CC=$CC -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -struct stat; -/* Most of the following tests are stolen from RCS 5.7's src/conf.sh. */ -struct buf { int x; }; -FILE * (*rcsopen) (struct buf *, struct stat *, int); -static char *e (p, i) - char **p; - int i; -{ - return p[i]; -} -static char *f (char * (*g) (char **, int), char **p, ...) -{ - char *s; - va_list v; - va_start (v,p); - s = g (p, va_arg (v,int)); - va_end (v); - return s; -} - -/* OSF 4.0 Compaq cc is some sort of almost-ANSI by default. It has - function prototypes and stuff, but not '\xHH' hex character constants. - These don't provoke an error unfortunately, instead are silently treated - as 'x'. The following induces an error, until -std is added to get - proper ANSI mode. Curiously '\x00'!='x' always comes out true, for an - array size at least. It's necessary to write '\x00'==0 to get something - that's true only with -std. */ -int osf4_cc_array ['\x00' == 0 ? 1 : -1]; - -/* IBM C 6 for AIX is almost-ANSI by default, but it replaces macro parameters - inside strings and character constants. */ -#define FOO(x) 'x' -int xlc6_cc_array[FOO(a) == 'x' ? 1 : -1]; - -int test (int i, double x); -struct s1 {int (*f) (int a);}; -struct s2 {int (*f) (double a);}; -int pairnames (int, char **, FILE *(*)(struct buf *, struct stat *, int), int, int); -int argc; -char **argv; -int -main () -{ -return f (e, argv, 0) != argv[0] || f (e, argv, 1) != argv[1]; - ; - return 0; -} -_ACEOF -for ac_arg in '' -qlanglvl=extc89 -qlanglvl=ansi -std \ - -Ae "-Aa -D_HPUX_SOURCE" "-Xc -D__EXTENSIONS__" -do - CC="$ac_save_CC $ac_arg" - if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_prog_cc_c89=$ac_arg -fi -rm -f core conftest.err conftest.$ac_objext - test "x$ac_cv_prog_cc_c89" != "xno" && break -done -rm -f conftest.$ac_ext -CC=$ac_save_CC - -fi -# AC_CACHE_VAL -case "x$ac_cv_prog_cc_c89" in - x) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: none needed" >&5 -$as_echo "none needed" >&6; } ;; - xno) - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unsupported" >&5 -$as_echo "unsupported" >&6; } ;; - *) - CC="$CC $ac_cv_prog_cc_c89" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cc_c89" >&5 -$as_echo "$ac_cv_prog_cc_c89" >&6; } ;; -esac -if test "x$ac_cv_prog_cc_c89" != xno; then : - -fi - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -ac_ext=cpp -ac_cpp='$CXXCPP $CPPFLAGS' -ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_cxx_compiler_gnu -if test -z "$CXX"; then - if test -n "$CCC"; then - CXX=$CCC - else - if test -n "$ac_tool_prefix"; then - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC - do - # Extract the first word of "$ac_tool_prefix$ac_prog", so it can be a program name with args. -set dummy $ac_tool_prefix$ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_CXX+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$CXX"; then - ac_cv_prog_CXX="$CXX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_CXX="$ac_tool_prefix$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -CXX=$ac_cv_prog_CXX -if test -n "$CXX"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $CXX" >&5 -$as_echo "$CXX" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$CXX" && break - done -fi -if test -z "$CXX"; then - ac_ct_CXX=$CXX - for ac_prog in g++ c++ gpp aCC CC cxx cc++ cl.exe FCC KCC RCC xlC_r xlC -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ac_ct_CXX+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_CXX"; then - ac_cv_prog_ac_ct_CXX="$ac_ct_CXX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_CXX="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_CXX=$ac_cv_prog_ac_ct_CXX -if test -n "$ac_ct_CXX"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_CXX" >&5 -$as_echo "$ac_ct_CXX" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$ac_ct_CXX" && break -done - - if test "x$ac_ct_CXX" = x; then - CXX="g++" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - CXX=$ac_ct_CXX - fi -fi - - fi -fi -# Provide some information about the compiler. -$as_echo "$as_me:${as_lineno-$LINENO}: checking for C++ compiler version" >&5 -set X $ac_compile -ac_compiler=$2 -for ac_option in --version -v -V -qversion; do - { { ac_try="$ac_compiler $ac_option >&5" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$ac_compiler $ac_option >&5") 2>conftest.err - ac_status=$? - if test -s conftest.err; then - sed '10a\ -... rest of stderr output deleted ... - 10q' conftest.err >conftest.er1 - cat conftest.er1 >&5 - fi - rm -f conftest.er1 conftest.err - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -done - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether we are using the GNU C++ compiler" >&5 -$as_echo_n "checking whether we are using the GNU C++ compiler... " >&6; } -if ${ac_cv_cxx_compiler_gnu+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -#ifndef __GNUC__ - choke me -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_compile "$LINENO"; then : - ac_compiler_gnu=yes -else - ac_compiler_gnu=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -ac_cv_cxx_compiler_gnu=$ac_compiler_gnu - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_cxx_compiler_gnu" >&5 -$as_echo "$ac_cv_cxx_compiler_gnu" >&6; } -if test $ac_compiler_gnu = yes; then - GXX=yes -else - GXX= -fi -ac_test_CXXFLAGS=${CXXFLAGS+set} -ac_save_CXXFLAGS=$CXXFLAGS -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CXX accepts -g" >&5 -$as_echo_n "checking whether $CXX accepts -g... " >&6; } -if ${ac_cv_prog_cxx_g+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_save_cxx_werror_flag=$ac_cxx_werror_flag - ac_cxx_werror_flag=yes - ac_cv_prog_cxx_g=no - CXXFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_compile "$LINENO"; then : - ac_cv_prog_cxx_g=yes -else - CXXFLAGS="" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_compile "$LINENO"; then : - -else - ac_cxx_werror_flag=$ac_save_cxx_werror_flag - CXXFLAGS="-g" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_cxx_try_compile "$LINENO"; then : - ac_cv_prog_cxx_g=yes -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - ac_cxx_werror_flag=$ac_save_cxx_werror_flag -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_cxx_g" >&5 -$as_echo "$ac_cv_prog_cxx_g" >&6; } -if test "$ac_test_CXXFLAGS" = set; then - CXXFLAGS=$ac_save_CXXFLAGS -elif test $ac_cv_prog_cxx_g = yes; then - if test "$GXX" = yes; then - CXXFLAGS="-g -O2" - else - CXXFLAGS="-g" - fi -else - if test "$GXX" = yes; then - CXXFLAGS="-O2" - else - CXXFLAGS= - fi -fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking how to run the C preprocessor" >&5 -$as_echo_n "checking how to run the C preprocessor... " >&6; } -# On Suns, sometimes $CPP names a directory. -if test -n "$CPP" && test -d "$CPP"; then - CPP= -fi -if test -z "$CPP"; then - if ${ac_cv_prog_CPP+:} false; then : - $as_echo_n "(cached) " >&6 -else - # Double quotes because CPP needs to be expanded - for CPP in "$CC -E" "$CC -E -traditional-cpp" "/lib/cpp" - do - ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - -else - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.i conftest.$ac_ext - - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - # Broken: success on invalid input. -continue -else - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.i conftest.$ac_ext - -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : - break -fi - - done - ac_cv_prog_CPP=$CPP - -fi - CPP=$ac_cv_prog_CPP -else - ac_cv_prog_CPP=$CPP -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $CPP" >&5 -$as_echo "$CPP" >&6; } -ac_preproc_ok=false -for ac_c_preproc_warn_flag in '' yes -do - # Use a header file that comes with gcc, so configuring glibc - # with a fresh cross-compiler works. - # Prefer to if __STDC__ is defined, since - # exists even on freestanding compilers. - # On the NeXT, cc -E runs the code through the compiler's parser, - # not just through cpp. "Syntax error" is here to catch this case. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef __STDC__ -# include -#else -# include -#endif - Syntax error -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - -else - # Broken: fails on valid input. -continue -fi -rm -f conftest.err conftest.i conftest.$ac_ext - - # OK, works on sane cases. Now check whether nonexistent headers - # can be detected and how. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - # Broken: success on invalid input. -continue -else - # Passes both tests. -ac_preproc_ok=: -break -fi -rm -f conftest.err conftest.i conftest.$ac_ext - -done -# Because of `break', _AC_PREPROC_IFELSE's cleaning code was skipped. -rm -f conftest.i conftest.err conftest.$ac_ext -if $ac_preproc_ok; then : - -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "C preprocessor \"$CPP\" fails sanity check -See \`config.log' for more details" "$LINENO" 5; } -fi - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - -test "$program_prefix" != NONE && - program_transform_name="s&^&$program_prefix&;$program_transform_name" -# Use a double $ so make ignores it. -test "$program_suffix" != NONE && - program_transform_name="s&\$&$program_suffix&;$program_transform_name" -# Double any \ or $. -# By default was `s,x,x', remove it if useless. -ac_script='s/[\\$]/&&/g;s/;s,x,x,$//' -program_transform_name=`$as_echo "$program_transform_name" | sed "$ac_script"` - -# Make sure we can run config.sub. -$SHELL "$ac_aux_dir/config.sub" sun4 >/dev/null 2>&1 || - as_fn_error $? "cannot run $SHELL $ac_aux_dir/config.sub" "$LINENO" 5 - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking build system type" >&5 -$as_echo_n "checking build system type... " >&6; } -if ${ac_cv_build+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_build_alias=$build_alias -test "x$ac_build_alias" = x && - ac_build_alias=`$SHELL "$ac_aux_dir/config.guess"` -test "x$ac_build_alias" = x && - as_fn_error $? "cannot guess build type; you must specify one" "$LINENO" 5 -ac_cv_build=`$SHELL "$ac_aux_dir/config.sub" $ac_build_alias` || - as_fn_error $? "$SHELL $ac_aux_dir/config.sub $ac_build_alias failed" "$LINENO" 5 - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_build" >&5 -$as_echo "$ac_cv_build" >&6; } -case $ac_cv_build in -*-*-*) ;; -*) as_fn_error $? "invalid value of canonical build" "$LINENO" 5;; -esac -build=$ac_cv_build -ac_save_IFS=$IFS; IFS='-' -set x $ac_cv_build -shift -build_cpu=$1 -build_vendor=$2 -shift; shift -# Remember, the first character of IFS is used to create $*, -# except with old shells: -build_os=$* -IFS=$ac_save_IFS -case $build_os in *\ *) build_os=`echo "$build_os" | sed 's/ /-/g'`;; esac - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking host system type" >&5 -$as_echo_n "checking host system type... " >&6; } -if ${ac_cv_host+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test "x$host_alias" = x; then - ac_cv_host=$ac_cv_build -else - ac_cv_host=`$SHELL "$ac_aux_dir/config.sub" $host_alias` || - as_fn_error $? "$SHELL $ac_aux_dir/config.sub $host_alias failed" "$LINENO" 5 -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_host" >&5 -$as_echo "$ac_cv_host" >&6; } -case $ac_cv_host in -*-*-*) ;; -*) as_fn_error $? "invalid value of canonical host" "$LINENO" 5;; -esac -host=$ac_cv_host -ac_save_IFS=$IFS; IFS='-' -set x $ac_cv_host -shift -host_cpu=$1 -host_vendor=$2 -shift; shift -# Remember, the first character of IFS is used to create $*, -# except with old shells: -host_os=$* -IFS=$ac_save_IFS -case $host_os in *\ *) host_os=`echo "$host_os" | sed 's/ /-/g'`;; esac - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for grep that handles long lines and -e" >&5 -$as_echo_n "checking for grep that handles long lines and -e... " >&6; } -if ${ac_cv_path_GREP+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -z "$GREP"; then - ac_path_GREP_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_prog in grep ggrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_GREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_GREP" || continue -# Check for GNU ac_path_GREP and select it if it is found. - # Check for GNU $ac_path_GREP -case `"$ac_path_GREP" --version 2>&1` in -*GNU*) - ac_cv_path_GREP="$ac_path_GREP" ac_path_GREP_found=:;; -*) - ac_count=0 - $as_echo_n 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - $as_echo 'GREP' >> "conftest.nl" - "$ac_path_GREP" -e 'GREP$' -e '-(cannot match)-' < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_GREP_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_GREP="$ac_path_GREP" - ac_path_GREP_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac - - $ac_path_GREP_found && break 3 - done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_GREP"; then - as_fn_error $? "no acceptable grep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 - fi -else - ac_cv_path_GREP=$GREP -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_GREP" >&5 -$as_echo "$ac_cv_path_GREP" >&6; } - GREP="$ac_cv_path_GREP" - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for egrep" >&5 -$as_echo_n "checking for egrep... " >&6; } -if ${ac_cv_path_EGREP+:} false; then : - $as_echo_n "(cached) " >&6 -else - if echo a | $GREP -E '(a|b)' >/dev/null 2>&1 - then ac_cv_path_EGREP="$GREP -E" - else - if test -z "$EGREP"; then - ac_path_EGREP_found=false - # Loop through the user's path and test for each of PROGNAME-LIST - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH$PATH_SEPARATOR/usr/xpg4/bin -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_prog in egrep; do - for ac_exec_ext in '' $ac_executable_extensions; do - ac_path_EGREP="$as_dir/$ac_prog$ac_exec_ext" - as_fn_executable_p "$ac_path_EGREP" || continue -# Check for GNU ac_path_EGREP and select it if it is found. - # Check for GNU $ac_path_EGREP -case `"$ac_path_EGREP" --version 2>&1` in -*GNU*) - ac_cv_path_EGREP="$ac_path_EGREP" ac_path_EGREP_found=:;; -*) - ac_count=0 - $as_echo_n 0123456789 >"conftest.in" - while : - do - cat "conftest.in" "conftest.in" >"conftest.tmp" - mv "conftest.tmp" "conftest.in" - cp "conftest.in" "conftest.nl" - $as_echo 'EGREP' >> "conftest.nl" - "$ac_path_EGREP" 'EGREP$' < "conftest.nl" >"conftest.out" 2>/dev/null || break - diff "conftest.out" "conftest.nl" >/dev/null 2>&1 || break - as_fn_arith $ac_count + 1 && ac_count=$as_val - if test $ac_count -gt ${ac_path_EGREP_max-0}; then - # Best one so far, save it but keep looking for a better one - ac_cv_path_EGREP="$ac_path_EGREP" - ac_path_EGREP_max=$ac_count - fi - # 10*(2^10) chars as input seems more than enough - test $ac_count -gt 10 && break - done - rm -f conftest.in conftest.tmp conftest.nl conftest.out;; -esac - - $ac_path_EGREP_found && break 3 - done - done - done -IFS=$as_save_IFS - if test -z "$ac_cv_path_EGREP"; then - as_fn_error $? "no acceptable egrep could be found in $PATH$PATH_SEPARATOR/usr/xpg4/bin" "$LINENO" 5 - fi -else - ac_cv_path_EGREP=$EGREP -fi - - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_path_EGREP" >&5 -$as_echo "$ac_cv_path_EGREP" >&6; } - EGREP="$ac_cv_path_EGREP" - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for ANSI C header files" >&5 -$as_echo_n "checking for ANSI C header files... " >&6; } -if ${ac_cv_header_stdc+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#include -#include - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_header_stdc=yes -else - ac_cv_header_stdc=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - -if test $ac_cv_header_stdc = yes; then - # SunOS 4.x string.h does not declare mem*, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "memchr" >/dev/null 2>&1; then : - -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # ISC 2.0.2 stdlib.h does not declare free, contrary to ANSI. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "free" >/dev/null 2>&1; then : - -else - ac_cv_header_stdc=no -fi -rm -f conftest* - -fi - -if test $ac_cv_header_stdc = yes; then - # /bin/cc in Irix-4.0.5 gets non-ANSI ctype macros unless using -ansi. - if test "$cross_compiling" = yes; then : - : -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#if ((' ' & 0x0FF) == 0x020) -# define ISLOWER(c) ('a' <= (c) && (c) <= 'z') -# define TOUPPER(c) (ISLOWER(c) ? 'A' + ((c) - 'a') : (c)) -#else -# define ISLOWER(c) \ - (('a' <= (c) && (c) <= 'i') \ - || ('j' <= (c) && (c) <= 'r') \ - || ('s' <= (c) && (c) <= 'z')) -# define TOUPPER(c) (ISLOWER(c) ? ((c) | 0x40) : (c)) -#endif - -#define XOR(e, f) (((e) && !(f)) || (!(e) && (f))) -int -main () -{ - int i; - for (i = 0; i < 256; i++) - if (XOR (islower (i), ISLOWER (i)) - || toupper (i) != TOUPPER (i)) - return 2; - return 0; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - -else - ac_cv_header_stdc=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_stdc" >&5 -$as_echo "$ac_cv_header_stdc" >&6; } -if test $ac_cv_header_stdc = yes; then - -$as_echo "#define STDC_HEADERS 1" >>confdefs.h - -fi - -# On IRIX 5.3, sys/types and inttypes.h are conflicting. -for ac_header in sys/types.h sys/stat.h stdlib.h string.h memory.h strings.h \ - inttypes.h stdint.h unistd.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_compile "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default -" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - - EXTRA_FILES="" - - -$as_echo "#define _GNU_SOURCE 1" >>confdefs.h - - -$as_echo "#define __STDC_WANT_LIB_EXT1__ 1" >>confdefs.h - - -if test $ac_cv_c_compiler_gnu = yes ; then - HAVE_GCC=yes - else HAVE_GCC= -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for GNU linker" >&5 -$as_echo_n "checking for GNU linker... " >&6; } -if ${krb5_cv_prog_gnu_ld+:} false; then : - $as_echo_n "(cached) " >&6 -else - krb5_cv_prog_gnu_ld=no -if test "$GCC" = yes; then - if { ac_try='$CC -Wl,-v 2>&1 | grep "GNU ld" > /dev/null' - { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 - (eval $ac_try) 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - krb5_cv_prog_gnu_ld=yes - fi -fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_prog_gnu_ld" >&5 -$as_echo "$krb5_cv_prog_gnu_ld" >&6; } - -# Check whether --with-size-optimizations was given. -if test "${with_size_optimizations+set}" = set; then : - withval=$with_size_optimizations; -else - withval=no -fi - -if test "$withval" = yes; then - -$as_echo "#define CONFIG_SMALL 1" >>confdefs.h - -fi -# -Wno-long-long, if needed, for k5-platform.h without inttypes.h etc. -extra_gcc_warn_opts="-Wall -Wcast-align -Wshadow" -# -Wmissing-prototypes -if test "$GCC" = yes ; then - # Putting this here means we get -Os after -O2, which works. - if test "$with_size_optimizations" = yes && test "x$krb5_ac_cflags_set" != xset; then - { $as_echo "$as_me:${as_lineno-$LINENO}: adding -Os optimization option" >&5 -$as_echo "$as_me: adding -Os optimization option" >&6;} - case "$CFLAGS" in - "-g -O2") CFLAGS="-g -Os" ;; - "-O2") CFLAGS="-Os" ;; - *) CFLAGS="$CFLAGS -Os" ;; - esac - fi - if test "x$krb5_ac_warn_cflags_set" = xset ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: not adding extra gcc warning flags because WARN_CFLAGS was set" >&5 -$as_echo "$as_me: not adding extra gcc warning flags because WARN_CFLAGS was set" >&6;} - else - { $as_echo "$as_me:${as_lineno-$LINENO}: adding extra warning flags for gcc" >&5 -$as_echo "$as_me: adding extra warning flags for gcc" >&6;} - WARN_CFLAGS="$WARN_CFLAGS $extra_gcc_warn_opts -Wmissing-prototypes" - if test "`uname -s`" = Darwin ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: skipping pedantic warnings on Darwin" >&5 -$as_echo "$as_me: skipping pedantic warnings on Darwin" >&6;} - elif test "`uname -s`" = Linux ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: skipping pedantic warnings on Linux" >&5 -$as_echo "$as_me: skipping pedantic warnings on Linux" >&6;} - else - WARN_CFLAGS="$WARN_CFLAGS -pedantic" - fi - if test "$ac_cv_cxx_compiler_gnu" = yes; then - if test "x$krb5_ac_warn_cxxflags_set" = xset ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: not adding extra g++ warnings because WARN_CXXFLAGS was set" >&5 -$as_echo "$as_me: not adding extra g++ warnings because WARN_CXXFLAGS was set" >&6;} - else - { $as_echo "$as_me:${as_lineno-$LINENO}: adding extra warning flags for g++" >&5 -$as_echo "$as_me: adding extra warning flags for g++" >&6;} - WARN_CXXFLAGS="$WARN_CXXFLAGS $extra_gcc_warn_opts" - fi - fi - # Currently, G++ does not support -Wno-format-zero-length. - cachevar=`echo "krb5_cv_cc_flag_-Wno-format-zero-length" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -Wno-format-zero-length" >&5 -$as_echo_n "checking if C compiler supports -Wno-format-zero-length... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -Wno-format-zero-length" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -Wno-format-zero-length" - fi - eval flag_supported='${'$cachevar'}' - - # Other flags here may not be supported on some versions of - # gcc that people want to use. - for flag in overflow strict-overflow missing-format-attribute missing-prototypes return-type missing-braces parentheses switch unused-function unused-label unused-variable unused-value unknown-pragmas sign-compare newline-eof error=uninitialized error=pointer-arith error=int-conversion error=incompatible-pointer-types error=discarded-qualifiers ; do - cachevar=`echo "krb5_cv_cc_flag_-W$flag" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -W$flag" >&5 -$as_echo_n "checking if C compiler supports -W$flag... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -W$flag" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -W$flag" - fi - eval flag_supported='${'$cachevar'}' - - done - # old-style-definition? generates many, many warnings - # - # Warnings that we'd like to turn into errors on versions of gcc - # that support promoting only specific warnings to errors, but - # we'll take as warnings on older compilers. (If such a warning - # is added after the -Werror=foo feature, you can just put - # error=foo in the above list, and skip the test for the - # warning-only form.) At least in some versions, -Werror= doesn't - # seem to make the conditions actual errors, but still issues - # warnings; I guess we'll take what we can get. - # - # We're currently targeting C89+, not C99, so disallow some - # constructs. - for flag in declaration-after-statement ; do - cachevar=`echo "krb5_cv_cc_flag_-Werror=$flag" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -Werror=$flag" >&5 -$as_echo_n "checking if C compiler supports -Werror=$flag... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -Werror=$flag" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -Werror=$flag" - fi - eval flag_supported='${'$cachevar'}' - - if test "$flag_supported" = no; then - cachevar=`echo "krb5_cv_cc_flag_-W$flag" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -W$flag" >&5 -$as_echo_n "checking if C compiler supports -W$flag... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -W$flag" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -W$flag" - fi - eval flag_supported='${'$cachevar'}' - - fi - done - # We require function declarations now. - # - # In some compiler versions -- e.g., "gcc version 4.2.1 (Apple - # Inc. build 5664)" -- the -Werror- option works, but the -Werror= - # version doesn't cause implicitly declared functions to be - # flagged as errors. If neither works, -Wall implies - # -Wimplicit-function-declaration so don't bother. - cachevar=`echo "krb5_cv_cc_flag_-Werror-implicit-function-declaration" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -Werror-implicit-function-declaration" >&5 -$as_echo_n "checking if C compiler supports -Werror-implicit-function-declaration... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -Werror-implicit-function-declaration" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -Werror-implicit-function-declaration" - fi - eval flag_supported='${'$cachevar'}' - - if test "implicit-function-declaration_supported" = no; then - cachevar=`echo "krb5_cv_cc_flag_-Werror=implicit-function-declaration" | sed -e s/=/_eq_/g -e s/-/_dash_/g -e s/[^a-zA-Z0-9_]/_/g` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if C compiler supports -Werror=implicit-function-declaration" >&5 -$as_echo_n "checking if C compiler supports -Werror=implicit-function-declaration... " >&6; } -if eval \${$cachevar+:} false; then : - $as_echo_n "(cached) " >&6 -else - # first try without, then with - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - old_cflags="$CFLAGS" - CFLAGS="$CFLAGS -Werror=implicit-function-declaration" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval $cachevar=yes -else - eval $cachevar=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS="$old_cflags" -else - as_fn_error $? "compiling simple test program with $CFLAGS failed" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$cachevar - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } - if eval test '"${'$cachevar'}"' = yes; then - WARN_CFLAGS="$WARN_CFLAGS -Werror=implicit-function-declaration" - fi - eval flag_supported='${'$cachevar'}' - - fi - # - fi - if test "`uname -s`" = Darwin ; then - # Someday this should be a feature test. - # One current (Jaguar = OS 10.2) problem: - # Archive library with foo.o undef sym X and bar.o common sym X, - # if foo.o is pulled in at link time, bar.o may not be, causing - # the linker to complain. - # Dynamic library problems too? - case "$CC $CFLAGS" in - *-fcommon*) ;; # why someone would do this, I don't know - *-fno-common*) ;; # okay, they're already doing the right thing - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: disabling the use of common storage on Darwin" >&5 -$as_echo "$as_me: disabling the use of common storage on Darwin" >&6;} - CFLAGS="$CFLAGS -fno-common" - ;; - esac - case "$LD $LDFLAGS" in - *-Wl,-search_paths_first*) ;; - *) LDFLAGS="${LDFLAGS} -Wl,-search_paths_first" ;; - esac - fi -else - if test "`uname -s`" = AIX ; then - # Using AIX but not GCC, assume native compiler. - # The native compiler appears not to give a nonzero exit - # status for certain classes of errors, like missing arguments - # in function calls. Let's try to fix that with -qhalt=e. - case "$CC $CFLAGS" in - *-qhalt=*) ;; - *) - CFLAGS="$CFLAGS -qhalt=e" - { $as_echo "$as_me:${as_lineno-$LINENO}: adding -qhalt=e for better error reporting" >&5 -$as_echo "$as_me: adding -qhalt=e for better error reporting" >&6;} - ;; - esac - # Also, the optimizer isn't turned on by default, which means - # the static inline functions get left in random object files, - # leading to references to pthread_mutex_lock from anything that - # includes k5-int.h whether it uses threads or not. - case "$CC $CFLAGS" in - *-O*) ;; - *) - CFLAGS="$CFLAGS -O" - { $as_echo "$as_me:${as_lineno-$LINENO}: adding -O for inline thread-support function elimination" >&5 -$as_echo "$as_me: adding -O for inline thread-support function elimination" >&6;} - ;; - esac - fi - if test "`uname -s`" = SunOS ; then - # Using Solaris but not GCC, assume Sunsoft compiler. - # We have some error-out-on-warning options available. - # Sunsoft 12 compiler defaults to -xc99=all, it appears, so "inline" - # works, but it also means that declaration-in-code warnings won't - # be issued. - # -v -fd -errwarn=E_DECLARATION_IN_CODE ... - WARN_CFLAGS="-errtags=yes -errwarn=E_BAD_PTR_INT_COMBINATION,E_BAD_PTR_INT_COMB_ARG,E_PTR_TO_VOID_IN_ARITHMETIC,E_NO_IMPLICIT_DECL_ALLOWED,E_ATTRIBUTE_PARAM_UNDEFINED" - WARN_CXXFLAGS="-errtags=yes +w +w2 -xport64" - fi -fi - - - -if test -z "$LD" ; then LD=$CC; fi - - - -# Check whether --with-system-et was given. -if test "${with_system_et+set}" = set; then : - withval=$with_system_et; -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which version of com_err to use" >&5 -$as_echo_n "checking which version of com_err to use... " >&6; } -if test "x$with_system_et" = xyes ; then - # This will be changed to "intlsys" if textdomain support is present. - COM_ERR_VERSION=sys - { $as_echo "$as_me:${as_lineno-$LINENO}: result: system" >&5 -$as_echo "system" >&6; } -else - COM_ERR_VERSION=k5 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5" >&5 -$as_echo "krb5" >&6; } -fi -if test $COM_ERR_VERSION = sys; then - # check for various functions we need - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for add_error_table in -lcom_err" >&5 -$as_echo_n "checking for add_error_table in -lcom_err... " >&6; } -if ${ac_cv_lib_com_err_add_error_table+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcom_err $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char add_error_table (); -int -main () -{ -return add_error_table (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_com_err_add_error_table=yes -else - ac_cv_lib_com_err_add_error_table=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_com_err_add_error_table" >&5 -$as_echo "$ac_cv_lib_com_err_add_error_table" >&6; } -if test "x$ac_cv_lib_com_err_add_error_table" = xyes; then : - : -else - as_fn_error $? "cannot find add_error_table in com_err library" "$LINENO" 5 -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for remove_error_table in -lcom_err" >&5 -$as_echo_n "checking for remove_error_table in -lcom_err... " >&6; } -if ${ac_cv_lib_com_err_remove_error_table+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcom_err $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char remove_error_table (); -int -main () -{ -return remove_error_table (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_com_err_remove_error_table=yes -else - ac_cv_lib_com_err_remove_error_table=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_com_err_remove_error_table" >&5 -$as_echo "$ac_cv_lib_com_err_remove_error_table" >&6; } -if test "x$ac_cv_lib_com_err_remove_error_table" = xyes; then : - : -else - as_fn_error $? "cannot find remove_error_table in com_err library" "$LINENO" 5 -fi - - # make sure compile_et provides "et_foo" name - cat >> conf$$e.et <&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_compile_et+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$compile_et"; then - ac_cv_prog_compile_et="$compile_et" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_compile_et="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -compile_et=$ac_cv_prog_compile_et -if test -n "$compile_et"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $compile_et" >&5 -$as_echo "$compile_et" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$compile_et" && break -done -test -n "$compile_et" || compile_et="false" - - if test "$compile_et" = false; then - as_fn_error $? "cannot find compile_et" "$LINENO" 5 - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compile_et is useful" >&5 -$as_echo_n "checking whether compile_et is useful... " >&6; } -if ${krb5_cv_compile_et_useful+:} false; then : - $as_echo_n "(cached) " >&6 -else - - if compile_et conf$$e.et >/dev/null 2>&1 ; then true ; else - as_fn_error $? "execution failed" "$LINENO" 5 - fi - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include "conf$$e.h" - -int -main () -{ - &et_foo_error_table; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - : -else - as_fn_error $? "cannot use et_foo_error_table" "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - # Anything else we need to test for? - rm -f conf$$e.c conf$$e.h - krb5_cv_compile_et_useful=yes - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_compile_et_useful" >&5 -$as_echo "$krb5_cv_compile_et_useful" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether compile_et supports --textdomain" >&5 -$as_echo_n "checking whether compile_et supports --textdomain... " >&6; } -if ${krb5_cv_compile_et_textdomain+:} false; then : - $as_echo_n "(cached) " >&6 -else - - krb5_cv_compile_et_textdomain=no - if compile_et --textdomain=xyzw conf$$e.et >/dev/null 2>&1 ; then - if grep -q xyzw conf$$e.c; then - krb5_cv_compile_et_textdomain=yes - fi - fi - rm -f conf$$e.c conf$$e.h - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_compile_et_textdomain" >&5 -$as_echo "$krb5_cv_compile_et_textdomain" >&6; } - if test "$krb5_cv_compile_et_textdomain" = yes; then - COM_ERR_VERSION=intlsys - fi - rm -f conf$$e.et -fi - -if test "$COM_ERR_VERSION" = k5 -o "$COM_ERR_VERSION" = intlsys; then - -$as_echo "#define HAVE_COM_ERR_INTL 1" >>confdefs.h - -fi - - -# Check whether --with-system-ss was given. -if test "${with_system_ss+set}" = set; then : - withval=$with_system_ss; -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking which version of subsystem package to use" >&5 -$as_echo_n "checking which version of subsystem package to use... " >&6; } -if test "x$with_system_ss" = xyes ; then - SS_VERSION=sys - { $as_echo "$as_me:${as_lineno-$LINENO}: result: system" >&5 -$as_echo "system" >&6; } - # todo: check for various libraries we might need - # in the meantime... - test "x${SS_LIB+set}" = xset || SS_LIB=-lss - old_LIBS="$LIBS" - LIBS="$LIBS $SS_LIB" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether system ss package works" >&5 -$as_echo_n "checking whether system ss package works... " >&6; } -if ${krb5_cv_system_ss_okay+:} false; then : - $as_echo_n "(cached) " >&6 -else - - if test "$cross_compiling" = yes; then : - krb5_cv_system_ss_okay="assumed" -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -int main(int argc, char *argv[]) { - if (argc == 42) { - int i, err; - i = ss_create_invocation("foo","foo","",0,&err); - ss_listen(i); - } - return 0; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - krb5_cv_system_ss_okay=yes -else - as_fn_error $? "cannot run test program" "$LINENO" 5 -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_system_ss_okay" >&5 -$as_echo "$krb5_cv_system_ss_okay" >&6; } - LIBS="$old_LIBS" - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if ss_execute_command needs a prototype provided" >&5 -$as_echo_n "checking if ss_execute_command needs a prototype provided... " >&6; } -if ${krb5_cv_func_ss_execute_command_noproto+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -#undef ss_execute_command -struct k5foo {int foo; } xx; -extern int ss_execute_command (struct k5foo*); -ss_execute_command(&xx); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_func_ss_execute_command_noproto=yes -else - krb5_cv_func_ss_execute_command_noproto=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_ss_execute_command_noproto" >&5 -$as_echo "$krb5_cv_func_ss_execute_command_noproto" >&6; } -if test $krb5_cv_func_ss_execute_command_noproto = yes; then - -$as_echo "#define NEED_SS_EXECUTE_COMMAND_PROTO 1" >>confdefs.h - -fi - - -else - SS_VERSION=k5 - { $as_echo "$as_me:${as_lineno-$LINENO}: result: krb5" >&5 -$as_echo "krb5" >&6; } -fi - - - - -# Check whether --with-system-db was given. -if test "${with_system_db+set}" = set; then : - withval=$with_system_db; -fi - - - -if test "x$with_system_db" = xyes ; then - DB_VERSION=sys - # TODO: Do we have specific routines we should check for? - # How about known, easily recognizable bugs? - # We want to use bt_rseq in some cases, but no other version but - # ours has it right now. - # - # Okay, check the variables. - test "x${DB_HEADER+set}" = xset || DB_HEADER=db.h - test "x${DB_LIB+set}" = xset || DB_LIB=-ldb - # - if test "x${DB_HEADER}" = xdb.h ; then - DB_HEADER_VERSION=sys - else - DB_HEADER_VERSION=redirect - fi - KDB5_DB_LIB="$DB_LIB" -else - DB_VERSION=k5 - -$as_echo "#define HAVE_BT_RSEQ 1" >>confdefs.h - - DB_HEADER=db.h - DB_HEADER_VERSION=k5 - # libdb gets sucked into libkdb - KDB5_DB_LIB= - # needed for a couple of things that need libdb for its own sake - DB_LIB=-ldb -fi - - - - - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 -$as_echo_n "checking for an ANSI C-conforming const... " >&6; } -if ${ac_cv_c_const+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - -#ifndef __cplusplus - /* Ultrix mips cc rejects this sort of thing. */ - typedef int charset[2]; - const charset cs = { 0, 0 }; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *pcpcc; - char **ppc; - /* NEC SVR4.0.2 mips cc rejects this. */ - struct point {int x, y;}; - static struct point const zero = {0,0}; - /* AIX XL C 1.02.0.0 rejects this. - It does not let you subtract one const X* pointer from another in - an arm of an if-expression whose if-part is not a constant - expression */ - const char *g = "string"; - pcpcc = &g + (g ? g-g : 0); - /* HPUX 7.0 cc rejects these. */ - ++pcpcc; - ppc = (char**) pcpcc; - pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this sort of thing. */ - char tx; - char *t = &tx; - char const *s = 0 ? (char *) 0 : (char const *) 0; - - *t++ = 0; - if (s) return 0; - } - { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ - int x[] = {25, 17}; - const int *foo = &x[0]; - ++foo; - } - { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ - typedef const int *iptr; - iptr p = 0; - ++p; - } - { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; } bx; - struct s *b = &bx; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; - if (!foo) return 0; - } - return !cs[0] && !zero.x; -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_const=yes -else - ac_cv_c_const=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 -$as_echo "$ac_cv_c_const" >&6; } -if test $ac_cv_c_const = no; then - -$as_echo "#define const /**/" >>confdefs.h - -fi - - -# Check whether --with-netlib was given. -if test "${with_netlib+set}" = set; then : - withval=$with_netlib; if test "$withval" = yes -o "$withval" = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"netlib will link with C library resolver only\"" >&5 -$as_echo "\"netlib will link with C library resolver only\"" >&6; } - else - LIBS="$LIBS $withval" - { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"netlib will use \'$withval\'\"" >&5 -$as_echo "\"netlib will use \'$withval\'\"" >&6; } - fi - -else - - # Most operating systems have gethostbyname() in the default searched - # libraries (i.e. libc): - ac_fn_c_check_func "$LINENO" "gethostbyname" "ac_cv_func_gethostbyname" -if test "x$ac_cv_func_gethostbyname" = xyes; then : - -else - - # Some OSes (eg. Solaris) place it in libnsl: - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lnsl" >&5 -$as_echo_n "checking for gethostbyname in -lnsl... " >&6; } -if ${ac_cv_lib_nsl_gethostbyname+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lnsl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char gethostbyname (); -int -main () -{ -return gethostbyname (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_nsl_gethostbyname=yes -else - ac_cv_lib_nsl_gethostbyname=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nsl_gethostbyname" >&5 -$as_echo "$ac_cv_lib_nsl_gethostbyname" >&6; } -if test "x$ac_cv_lib_nsl_gethostbyname" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBNSL 1 -_ACEOF - - LIBS="-lnsl $LIBS" - -else - - # Some strange OSes (SINIX) have it in libsocket: - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lsocket" >&5 -$as_echo_n "checking for gethostbyname in -lsocket... " >&6; } -if ${ac_cv_lib_socket_gethostbyname+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char gethostbyname (); -int -main () -{ -return gethostbyname (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_socket_gethostbyname=yes -else - ac_cv_lib_socket_gethostbyname=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_gethostbyname" >&5 -$as_echo "$ac_cv_lib_socket_gethostbyname" >&6; } -if test "x$ac_cv_lib_socket_gethostbyname" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSOCKET 1 -_ACEOF - - LIBS="-lsocket $LIBS" - -else - - # Unfortunately libsocket sometimes depends on libnsl. - # AC_CHECK_LIB's API is essentially broken so the following - # ugliness is necessary: - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lsocket" >&5 -$as_echo_n "checking for gethostbyname in -lsocket... " >&6; } -if ${ac_cv_lib_socket_gethostbyname+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket -lnsl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char gethostbyname (); -int -main () -{ -return gethostbyname (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_socket_gethostbyname=yes -else - ac_cv_lib_socket_gethostbyname=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_gethostbyname" >&5 -$as_echo "$ac_cv_lib_socket_gethostbyname" >&6; } -if test "x$ac_cv_lib_socket_gethostbyname" = xyes; then : - LIBS="-lsocket -lnsl $LIBS" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for gethostbyname in -lresolv" >&5 -$as_echo_n "checking for gethostbyname in -lresolv... " >&6; } -if ${ac_cv_lib_resolv_gethostbyname+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lresolv $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char gethostbyname (); -int -main () -{ -return gethostbyname (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_resolv_gethostbyname=yes -else - ac_cv_lib_resolv_gethostbyname=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_gethostbyname" >&5 -$as_echo "$ac_cv_lib_resolv_gethostbyname" >&6; } -if test "x$ac_cv_lib_resolv_gethostbyname" = xyes; then : - LIBS="-lresolv $LIBS" -fi - -fi - - -fi - - -fi - - -fi - - ac_fn_c_check_func "$LINENO" "socket" "ac_cv_func_socket" -if test "x$ac_cv_func_socket" = xyes; then : - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 -$as_echo_n "checking for socket in -lsocket... " >&6; } -if ${ac_cv_lib_socket_socket+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char socket (); -int -main () -{ -return socket (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_socket_socket=yes -else - ac_cv_lib_socket_socket=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 -$as_echo "$ac_cv_lib_socket_socket" >&6; } -if test "x$ac_cv_lib_socket_socket" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBSOCKET 1 -_ACEOF - - LIBS="-lsocket $LIBS" - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for socket in -lsocket" >&5 -$as_echo_n "checking for socket in -lsocket... " >&6; } -if ${ac_cv_lib_socket_socket+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsocket -lnsl $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char socket (); -int -main () -{ -return socket (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_socket_socket=yes -else - ac_cv_lib_socket_socket=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_socket_socket" >&5 -$as_echo "$ac_cv_lib_socket_socket" >&6; } -if test "x$ac_cv_lib_socket_socket" = xyes; then : - LIBS="-lsocket -lnsl $LIBS" -fi - -fi - -fi - - -enable_dns=yes - # Check whether --enable-dns-for-realm was given. -if test "${enable_dns_for_realm+set}" = set; then : - enableval=$enable_dns_for_realm; -else - enable_dns_for_realm=no -fi - - if test "$enable_dns_for_realm" = yes; then - -$as_echo "#define KRB5_DNS_LOOKUP_REALM 1" >>confdefs.h - - fi - - -$as_echo "#define KRB5_DNS_LOOKUP 1" >>confdefs.h - - - - if test "$enable_dns" = yes ; then - # We assume that if libresolv exists we can link against it. - # This may get us a gethostby* that doesn't respect nsswitch. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lresolv" >&5 -$as_echo_n "checking for main in -lresolv... " >&6; } -if ${ac_cv_lib_resolv_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lresolv $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_resolv_main=yes -else - ac_cv_lib_resolv_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_main" >&5 -$as_echo "$ac_cv_lib_resolv_main" >&6; } -if test "x$ac_cv_lib_resolv_main" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBRESOLV 1 -_ACEOF - - LIBS="-lresolv $LIBS" - -fi - - -for krb5_func in res_ninit res_nclose res_ndestroy res_nsearch ns_initparse ns_name_uncompress dn_skipname res_search; do - -# Solaris 9 prototypes ns_name_uncompress() in arpa/nameser.h, but -# doesn't export it from libresolv.so, so we use extreme paranoia here -# and check both for the declaration and that we can link against the -# function. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $krb5_func" >&5 -$as_echo_n "checking for $krb5_func... " >&6; } -if eval \${krb5_cv_func_$krb5_func+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#include -#include -int -main () -{ -/* - * Use volatile, or else optimization can cause false positives. - */ -void (* volatile p)() = (void (*)())$krb5_func; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval "krb5_cv_func_$krb5_func=yes" -else - eval "krb5_cv_func_$krb5_func=no" -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -eval ac_res=\$krb5_cv_func_$krb5_func - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if test `eval 'as_val=${'krb5_cv_func_$krb5_func'};$as_echo "$as_val"'` = yes; then : - -cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$krb5_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - if test $krb5_cv_func_res_nsearch = no \ - && test $krb5_cv_func_res_search = no; then - # Attempt to link with res_search(), in case it's not prototyped. - ac_fn_c_check_func "$LINENO" "res_search" "ac_cv_func_res_search" -if test "x$ac_cv_func_res_search" = xyes; then : - -$as_echo "#define HAVE_RES_SEARCH 1" >>confdefs.h - -else - as_fn_error $? "cannot find res_nsearch or res_search" "$LINENO" 5 -fi - - fi - fi - - -fi - -# Check whether --with-hesiod was given. -if test "${with_hesiod+set}" = set; then : - withval=$with_hesiod; hesiod=$with_hesiod -else - with_hesiod=no -fi - -if test "$with_hesiod" != "no"; then - HESIOD_DEFS=-DHESIOD - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for res_send in -lresolv" >&5 -$as_echo_n "checking for res_send in -lresolv... " >&6; } -if ${ac_cv_lib_resolv_res_send+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lresolv $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char res_send (); -int -main () -{ -return res_send (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_resolv_res_send=yes -else - ac_cv_lib_resolv_res_send=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_resolv_res_send" >&5 -$as_echo "$ac_cv_lib_resolv_res_send" >&6; } -if test "x$ac_cv_lib_resolv_res_send" = xyes; then : - res_lib=-lresolv -fi - - if test "$hesiod" != "yes"; then - HESIOD_LIBS="-L${hesiod}/lib -lhesiod $res_lib" - else - HESIOD_LIBS="-lhesiod $res_lib" - fi -else - HESIOD_DEFS= - HESIOD_LIBS= -fi - - # Check whether --enable-maintainer-mode was given. -if test "${enable_maintainer_mode+set}" = set; then : - enableval=$enable_maintainer_mode; USE_MAINTAINER_MODE=$enableval -else - USE_MAINTAINER_MODE=no -fi - -if test "$USE_MAINTAINER_MODE" = yes; then - MAINTAINER_MODE_TRUE= - MAINTAINER_MODE_FALSE='#' - { $as_echo "$as_me:${as_lineno-$LINENO}: enabling maintainer mode" >&5 -$as_echo "$as_me: enabling maintainer mode" >&6;} -else - MAINTAINER_MODE_TRUE='#' - MAINTAINER_MODE_FALSE= -fi -MAINT=$MAINTAINER_MODE_TRUE - - - - CONFIG_RELTOPDIR=$ac_reltopdir - -lib_frag=$srcdir/$ac_config_fragdir/lib.in - -libobj_frag=$srcdir/$ac_config_fragdir/libobj.in - -libnover_frag=$srcdir/$ac_config_fragdir/libnover.in - -libpriv_frag=$srcdir/$ac_config_fragdir/libpriv.in - -libnodeps_frag=$srcdir/$ac_config_fragdir/libnodeps.in - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pragma weak references are supported" >&5 -$as_echo_n "checking whether pragma weak references are supported... " >&6; } -if ${krb5_cv_pragma_weak_ref+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#pragma weak flurbl -extern int flurbl(void); -int -main () -{ -if (&flurbl != 0) return flurbl(); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_pragma_weak_ref=yes -else - krb5_cv_pragma_weak_ref=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_pragma_weak_ref" >&5 -$as_echo "$krb5_cv_pragma_weak_ref" >&6; } -if test $krb5_cv_pragma_weak_ref = yes ; then - -$as_echo "#define HAVE_PRAGMA_WEAK_REF 1" >>confdefs.h - -fi - - -# Check whether --with-ldap was given. -if test "${with_ldap+set}" = set; then : - withval=$with_ldap; case "$withval" in - OPENLDAP) with_ldap=yes ;; - yes | no) ;; - *) as_fn_error $? "Invalid option value --with-ldap=\"$withval\"" "$LINENO" 5 ;; -esac -else - with_ldap=no -fi - -if test "$with_ldap" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: enabling OpenLDAP database backend module support" >&5 -$as_echo "$as_me: enabling OpenLDAP database backend module support" >&6;} - OPENLDAP_PLUGIN=yes -fi - -krb5_cv_host=$host - -. $ac_topdir/config/shlib.conf - -# Check whether --enable-delayed-initialization was given. -if test "${enable_delayed_initialization+set}" = set; then : - enableval=$enable_delayed_initialization; -else - enable_delayed_initialization=yes -fi - -case "$enable_delayed_initialization" in - yes) - -$as_echo "#define DELAY_INITIALIZER 1" >>confdefs.h - ;; - no) ;; - *) as_fn_error $? "invalid option $enable_delayed_initialization for delayed-initialization" "$LINENO" 5 ;; -esac -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for constructor/destructor attribute support" >&5 -$as_echo_n "checking for constructor/destructor attribute support... " >&6; } -if ${krb5_cv_attr_constructor_destructor+:} false; then : - $as_echo_n "(cached) " >&6 -else - rm -f conftest.1 conftest.2 -if test -r conftest.1 || test -r conftest.2 ; then - as_fn_error $? "write error in local file system?" "$LINENO" 5 -fi -true > conftest.1 -true > conftest.2 -if test -r conftest.1 && test -r conftest.2 ; then true ; else - as_fn_error $? "write error in local file system?" "$LINENO" 5 -fi -a=no -b=no -# blindly assume we have 'unlink'... -if test "$cross_compiling" = yes; then : - as_fn_error $? "Cannot test for constructor/destructor support when cross compiling" "$LINENO" 5 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -void foo1() __attribute__((constructor)); -void foo1() { unlink("conftest.1"); } -void foo2() __attribute__((destructor)); -void foo2() { unlink("conftest.2"); } -int main () { return 0; } -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - test -r conftest.1 || a=yes -test -r conftest.2 || b=yes -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -case $krb5_cv_host in -*-*-aix4.*) - # Under AIX 4.3.3, at least, shared library destructor functions - # appear to get executed in reverse link order (right to left), - # so that a library's destructor function may run after that of - # libraries it depends on, and may still have to access in the - # destructor. - # - # That counts as "not working", for me, but it's a much more - # complicated test case to set up. - b=no - ;; -esac -krb5_cv_attr_constructor_destructor="$a,$b" - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_attr_constructor_destructor" >&5 -$as_echo "$krb5_cv_attr_constructor_destructor" >&6; } -# Okay, krb5_cv_... should be set now. -case $krb5_cv_attr_constructor_destructor in - yes,*) - -$as_echo "#define CONSTRUCTOR_ATTR_WORKS 1" >>confdefs.h - ;; -esac -case $krb5_cv_attr_constructor_destructor in - *,yes) - -$as_echo "#define DESTRUCTOR_ATTR_WORKS 1" >>confdefs.h - ;; -esac - -if test -z "$use_linker_init_option" ; then - as_fn_error $? "ran INITFINI before checking shlib.conf?" "$LINENO" 5 -fi -if test "$use_linker_init_option" = yes; then - -$as_echo "#define USE_LINKER_INIT_OPTION 1" >>confdefs.h - -fi -if test "$use_linker_fini_option" = yes; then - -$as_echo "#define USE_LINKER_FINI_OPTION 1" >>confdefs.h - -fi - - -# Check whether --enable-thread-support was given. -if test "${enable_thread_support+set}" = set; then : - enableval=$enable_thread_support; -else - enable_thread_support=yes -fi - -if test "$enable_thread_support" = yes ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: enabling thread support" >&5 -$as_echo "$as_me: enabling thread support" >&6;} - -$as_echo "#define ENABLE_THREADS 1" >>confdefs.h - -fi -if test "$enable_thread_support" = yes; then - - - -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - -acx_pthread_ok=no - -# We used to check for pthread.h first, but this fails if pthread.h -# requires special compiler flags (e.g. on True64 or Sequent). -# It gets checked for in the link test anyway. - -# First of all, check if the user has set any of the PTHREAD_LIBS, -# etcetera environment variables, and if threads linking works using -# them: -if test x"$PTHREAD_LIBS$PTHREAD_CFLAGS" != x; then - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS" >&5 -$as_echo_n "checking for pthread_join in LIBS=$PTHREAD_LIBS with CFLAGS=$PTHREAD_CFLAGS... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char pthread_join (); -int -main () -{ -return pthread_join (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - acx_pthread_ok=yes -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_ok" >&5 -$as_echo "$acx_pthread_ok" >&6; } - if test x"$acx_pthread_ok" = xno; then - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" - fi - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" -fi - -# We must check for the threads library under a number of different -# names; the ordering is very important because some systems -# (e.g. DEC) have both -lpthread and -lpthreads, where one of the -# libraries is broken (non-POSIX). - -# Create a list of thread flags to try. Items starting with a "-" are -# C compiler flags, and other items are library names, except for "none" -# which indicates that we try without any flags at all, and "pthread-config" -# which is a program returning the flags for the Pth emulation library. - -acx_pthread_flags="pthreads none -Kthread -kthread lthread -pthread -pthreads -mthreads pthread --thread-safe -mt pthread-config" - -# The ordering *is* (sometimes) important. Some notes on the -# individual items follow: - -# pthreads: AIX (must check this before -lpthread) -# none: in case threads are in libc; should be tried before -Kthread and -# other compiler flags to prevent continual compiler warnings -# -Kthread: Sequent (threads in libc, but -Kthread needed for pthread.h) -# -kthread: FreeBSD kernel threads (preferred to -pthread since SMP-able) -# lthread: LinuxThreads port on FreeBSD (also preferred to -pthread) -# -pthread: Linux/gcc (kernel threads), BSD/gcc (userland threads) -# -pthreads: Solaris/gcc -# -mthreads: Mingw32/gcc, Lynx/gcc -# -mt: Sun Workshop C (may only link SunOS threads [-lthread], but it -# doesn't hurt to check since this sometimes defines pthreads too; -# also defines -D_REENTRANT) -# pthread: Linux, etcetera -# --thread-safe: KAI C++ -# pthread-config: use pthread-config program (for GNU Pth library) - -case "${host_cpu}-${host_os}" in - *solaris*) - - # On Solaris (at least, for some versions), libc contains stubbed - # (non-functional) versions of the pthreads routines, so link-based - # tests will erroneously succeed. (We need to link with -pthread or - # -lpthread.) (The stubs are missing pthread_cleanup_push, or rather - # a function called by this macro, so we could check for that, but - # who knows whether they'll stub that too in a future libc.) So, - # we'll just look for -pthreads and -lpthread first: - - acx_pthread_flags="-pthread -pthreads pthread -mt $acx_pthread_flags" - ;; -esac - -if test x"$acx_pthread_ok" = xno; then -for flag in $acx_pthread_flags; do - - case $flag in - none) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work without any flags" >&5 -$as_echo_n "checking whether pthreads work without any flags... " >&6; } - ;; - - -*) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether pthreads work with $flag" >&5 -$as_echo_n "checking whether pthreads work with $flag... " >&6; } - PTHREAD_CFLAGS="$flag" - ;; - - pthread-config) - # Extract the first word of "pthread-config", so it can be a program name with args. -set dummy pthread-config; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_acx_pthread_config+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$acx_pthread_config"; then - ac_cv_prog_acx_pthread_config="$acx_pthread_config" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_acx_pthread_config="yes" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_acx_pthread_config" && ac_cv_prog_acx_pthread_config="no" -fi -fi -acx_pthread_config=$ac_cv_prog_acx_pthread_config -if test -n "$acx_pthread_config"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_config" >&5 -$as_echo "$acx_pthread_config" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - if test x"$acx_pthread_config" = xno; then continue; fi - PTHREAD_CFLAGS="`pthread-config --cflags`" - PTHREAD_LIBS="`pthread-config --ldflags` `pthread-config --libs`" - ;; - - *) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for the pthreads library -l$flag" >&5 -$as_echo_n "checking for the pthreads library -l$flag... " >&6; } - PTHREAD_LIBS="-l$flag" - ;; - esac - - save_LIBS="$LIBS" - save_CFLAGS="$CFLAGS" - LIBS="$PTHREAD_LIBS $LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Check for various functions. We must include pthread.h, - # since some functions may be macros. (On the Sequent, we - # need a special flag -Kthread to make this header compile.) - # We check for pthread_join because it is in -lpthread on IRIX - # while pthread_create is in libc. We check for pthread_attr_init - # due to DEC craziness with -lpthreads. We check for - # pthread_cleanup_push because it is one of the few pthread - # functions on Solaris that doesn't have a non-functional libc stub. - # We try pthread_create on general principles. - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -pthread_t th; pthread_join(th, 0); - pthread_attr_init(0); pthread_cleanup_push(0, 0); - pthread_create(0,0,0,0); pthread_cleanup_pop(0); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - acx_pthread_ok=yes -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $acx_pthread_ok" >&5 -$as_echo "$acx_pthread_ok" >&6; } - if test "x$acx_pthread_ok" = xyes; then - break; - fi - - PTHREAD_LIBS="" - PTHREAD_CFLAGS="" -done -fi - -# Various other checks: -if test "x$acx_pthread_ok" = xyes; then - save_LIBS="$LIBS" - LIBS="$PTHREAD_LIBS $LIBS" - save_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - - # Detect AIX lossage: threads are created detached by default - # and the JOINABLE attribute has a nonstandard name (UNDETACHED). - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for joinable pthread attribute" >&5 -$as_echo_n "checking for joinable pthread attribute... " >&6; } - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int attr=PTHREAD_CREATE_JOINABLE; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ok=PTHREAD_CREATE_JOINABLE -else - ok=unknown -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - if test x"$ok" = xunknown; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int attr=PTHREAD_CREATE_UNDETACHED; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ok=PTHREAD_CREATE_UNDETACHED -else - ok=unknown -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - fi - if test x"$ok" != xPTHREAD_CREATE_JOINABLE; then - -$as_echo "#define PTHREAD_CREATE_JOINABLE \$ok" >>confdefs.h - - fi - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${ok}" >&5 -$as_echo "${ok}" >&6; } - if test x"$ok" = xunknown; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: we do not know how to create joinable pthreads" >&5 -$as_echo "$as_me: WARNING: we do not know how to create joinable pthreads" >&2;} - fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if more special flags are required for pthreads" >&5 -$as_echo_n "checking if more special flags are required for pthreads... " >&6; } - flag=no - case "${host_cpu}-${host_os}" in - *-aix* | *-freebsd*) flag="-D_THREAD_SAFE";; - *solaris* | *-osf* | *-hpux*) flag="-D_REENTRANT";; - esac - { $as_echo "$as_me:${as_lineno-$LINENO}: result: ${flag}" >&5 -$as_echo "${flag}" >&6; } - if test "x$flag" != xno; then - PTHREAD_CFLAGS="$flag $PTHREAD_CFLAGS" - fi - - LIBS="$save_LIBS" - CFLAGS="$save_CFLAGS" - - # More AIX lossage: must compile with cc_r - # Extract the first word of "cc_r", so it can be a program name with args. -set dummy cc_r; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_PTHREAD_CC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$PTHREAD_CC"; then - ac_cv_prog_PTHREAD_CC="$PTHREAD_CC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_PTHREAD_CC="cc_r" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_PTHREAD_CC" && ac_cv_prog_PTHREAD_CC="${CC}" -fi -fi -PTHREAD_CC=$ac_cv_prog_PTHREAD_CC -if test -n "$PTHREAD_CC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PTHREAD_CC" >&5 -$as_echo "$PTHREAD_CC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -else - PTHREAD_CC="$CC" -fi - - - - - -# Finally, execute ACTION-IF-FOUND/ACTION-IF-NOT-FOUND: -if test x"$acx_pthread_ok" = xyes; then - -$as_echo "#define HAVE_PTHREAD 1" >>confdefs.h - - : -else - acx_pthread_ok=no - as_fn_error $? "cannot determine options for enabling thread support; try --disable-thread-support" "$LINENO" 5 -fi -ac_ext=c -ac_cpp='$CPP $CPPFLAGS' -ac_compile='$CC -c $CFLAGS $CPPFLAGS conftest.$ac_ext >&5' -ac_link='$CC -o conftest$ac_exeext $CFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' -ac_compiler_gnu=$ac_cv_c_compiler_gnu - - - { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD_CC = $PTHREAD_CC" >&5 -$as_echo "$as_me: PTHREAD_CC = $PTHREAD_CC" >&6;} - { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD_CFLAGS = $PTHREAD_CFLAGS" >&5 -$as_echo "$as_me: PTHREAD_CFLAGS = $PTHREAD_CFLAGS" >&6;} - { $as_echo "$as_me:${as_lineno-$LINENO}: PTHREAD_LIBS = $PTHREAD_LIBS" >&5 -$as_echo "$as_me: PTHREAD_LIBS = $PTHREAD_LIBS" >&6;} - # AIX and Tru64 don't support weak references, and don't have - # stub versions of the pthread code in libc. - case "${host_os}" in - aix* | osf*) - # On these platforms, we'll always pull in the thread support. - LIBS="$LIBS $PTHREAD_LIBS" - CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - # We don't need to sometimes add the flags we've just folded in... - PTHREAD_LIBS= - PTHREAD_CFLAGS= - ;; - hpux*) - # These are the flags that "gcc -pthread" adds. But we don't - # want "-pthread" because that has link-time effects, and we - # don't exclude CFLAGS when linking. *sigh* - PTHREAD_CFLAGS="-D_REENTRANT -D_THREAD_SAFE -D_POSIX_C_SOURCE=199506L" - ;; - solaris2.[1-9]) - # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't - # get the right result. XXX What about Solaris 9 and earlier? - if test "$GCC" = yes ; then - PTHREAD_CFLAGS="-D_REENTRANT -pthreads" - fi - ;; - solaris*) - # On Solaris 10 with gcc 3.4.3, the autoconf archive macro doesn't - # get the right result. - if test "$GCC" = yes ; then - PTHREAD_CFLAGS="-D_REENTRANT -pthreads" - fi - # On Solaris 10, the thread support is always available in libc. - -$as_echo "#define NO_WEAK_PTHREADS 1" >>confdefs.h - - ;; - esac - THREAD_SUPPORT=1 -else - PTHREAD_CC="$CC" - PTHREAD_CFLAGS="" - PTHREAD_LIBS="" - THREAD_SUPPORT=0 -fi - -for ac_func in pthread_once pthread_rwlock_init -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -old_CC="$CC" -test "$PTHREAD_CC" != "" && test "$ac_cv_c_compiler_gnu" = no && CC=$PTHREAD_CC -old_CFLAGS="$CFLAGS" -# On Solaris, -pthreads is added to CFLAGS, no extra explicit libraries. -CFLAGS="$CFLAGS $PTHREAD_CFLAGS" - -old_LIBS="$LIBS" -LIBS="$PTHREAD_LIBS $LIBS" -{ $as_echo "$as_me:${as_lineno-$LINENO}: rechecking with PTHREAD_... options" >&5 -$as_echo "$as_me: rechecking with PTHREAD_... options" >&6;} -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for pthread_rwlock_init in -lc" >&5 -$as_echo_n "checking for pthread_rwlock_init in -lc... " >&6; } -if ${ac_cv_lib_c_pthread_rwlock_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lc $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char pthread_rwlock_init (); -int -main () -{ -return pthread_rwlock_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_c_pthread_rwlock_init=yes -else - ac_cv_lib_c_pthread_rwlock_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_c_pthread_rwlock_init" >&5 -$as_echo "$ac_cv_lib_c_pthread_rwlock_init" >&6; } -if test "x$ac_cv_lib_c_pthread_rwlock_init" = xyes; then : - -$as_echo "#define HAVE_PTHREAD_RWLOCK_INIT_IN_THREAD_LIB 1" >>confdefs.h - -fi - -LIBS="$old_LIBS" -CC="$old_CC" -CFLAGS="$old_CFLAGS" - - -old_LIBS="$LIBS" -DL_LIB= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dlopen" >&5 -$as_echo_n "checking for library containing dlopen... " >&6; } -if ${ac_cv_search_dlopen+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dlopen (); -int -main () -{ -return dlopen (); - ; - return 0; -} -_ACEOF -for ac_lib in '' dl; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_dlopen=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_dlopen+:} false; then : - break -fi -done -if ${ac_cv_search_dlopen+:} false; then : - -else - ac_cv_search_dlopen=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dlopen" >&5 -$as_echo "$ac_cv_search_dlopen" >&6; } -ac_res=$ac_cv_search_dlopen -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -if test "$ac_cv_search_dlopen" != "none required"; then - DL_LIB=$ac_cv_search_dlopen -fi -LIBS="$old_LIBS" - -$as_echo "#define USE_DLOPEN 1" >>confdefs.h - -fi - - - - - for ac_header in keyutils.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "keyutils.h" "ac_cv_header_keyutils_h" "$ac_includes_default" -if test "x$ac_cv_header_keyutils_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_KEYUTILS_H 1 -_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for add_key in -lkeyutils" >&5 -$as_echo_n "checking for add_key in -lkeyutils... " >&6; } -if ${ac_cv_lib_keyutils_add_key+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lkeyutils $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char add_key (); -int -main () -{ -return add_key (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_keyutils_add_key=yes -else - ac_cv_lib_keyutils_add_key=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_keyutils_add_key" >&5 -$as_echo "$ac_cv_lib_keyutils_add_key" >&6; } -if test "x$ac_cv_lib_keyutils_add_key" = xyes; then : - -$as_echo "#define USE_KEYRING_CCACHE 1" >>confdefs.h - - LIBS="-lkeyutils $LIBS" - -fi - -fi - -done - - - - for ac_header in keyutils.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "keyutils.h" "ac_cv_header_keyutils_h" "$ac_includes_default" -if test "x$ac_cv_header_keyutils_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_KEYUTILS_H 1 -_ACEOF - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for keyctl_get_persistent in -lkeyutils" >&5 -$as_echo_n "checking for keyctl_get_persistent in -lkeyutils... " >&6; } -if ${ac_cv_lib_keyutils_keyctl_get_persistent+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lkeyutils $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char keyctl_get_persistent (); -int -main () -{ -return keyctl_get_persistent (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_keyutils_keyctl_get_persistent=yes -else - ac_cv_lib_keyutils_keyctl_get_persistent=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_keyutils_keyctl_get_persistent" >&5 -$as_echo "$ac_cv_lib_keyutils_keyctl_get_persistent" >&6; } -if test "x$ac_cv_lib_keyutils_keyctl_get_persistent" = xyes; then : - -$as_echo "#define HAVE_PERSISTENT_KEYRING 1" >>confdefs.h - - -fi - -fi - -done - - - -KRB5_VERSION=1.15.2 - - - - - -ac_fn_c_check_header_mongrel "$LINENO" "stdint.h" "ac_cv_header_stdint_h" "$ac_includes_default" -if test "x$ac_cv_header_stdint_h" = xyes; then : - -else - as_fn_error $? "stdint.h is required" "$LINENO" 5 -fi - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether integers are two's complement" >&5 -$as_echo_n "checking whether integers are two's complement... " >&6; } -if ${krb5_cv_ints_twos_compl+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -int -main () -{ -static int test_array [1 - 2 * !(/* Basic two's complement check */ - ~(-1) == 0 && ~(-1L) == 0L && - /* Check that values with sign bit 1 and value bits 0 are valid */ - -(INT_MIN + 1) == INT_MAX && -(LONG_MIN + 1) == LONG_MAX && - /* Check that unsigned-to-signed conversions preserve bit patterns */ - (int)((unsigned int)INT_MAX + 1) == INT_MIN && - (long)((unsigned long)LONG_MAX + 1) == LONG_MIN)]; -test_array [0] = 0; -return test_array [0]; - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_ints_twos_compl=yes -else - krb5_cv_ints_twos_compl=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_ints_twos_compl" >&5 -$as_echo "$krb5_cv_ints_twos_compl" >&6; } - -if test "$krb5_cv_ints_twos_compl" = "no"; then - as_fn_error $? "integers are not two's complement" "$LINENO" 5 -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether CHAR_BIT is 8" >&5 -$as_echo_n "checking whether CHAR_BIT is 8... " >&6; } -if ${krb5_cv_char_bit_8+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#if CHAR_BIT != 8 - #error CHAR_BIT != 8 -#endif - -_ACEOF -if ac_fn_c_try_cpp "$LINENO"; then : - krb5_cv_char_bit_8=yes -else - krb5_cv_char_bit_8=no -fi -rm -f conftest.err conftest.i conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_char_bit_8" >&5 -$as_echo "$krb5_cv_char_bit_8" >&6; } - -if test "$krb5_cv_char_bit_8" = "no"; then - as_fn_error $? "CHAR_BIT is not 8" "$LINENO" 5 -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if va_copy is available" >&5 -$as_echo_n "checking if va_copy is available... " >&6; } -if ${krb5_cv_va_copy+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -void f(va_list ap) { - va_list ap2; - va_copy(ap2, ap); - va_end(ap2); -} -va_list x; -int main() -{ - f(x); - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_va_copy=yes -else - krb5_cv_va_copy=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_va_copy" >&5 -$as_echo "$krb5_cv_va_copy" >&6; } -if test "$krb5_cv_va_copy" = yes; then - -$as_echo "#define HAS_VA_COPY 1" >>confdefs.h - -fi - -# Note that this isn't checking if the copied value *works*, just -# whether the C language constraints permit the copying. If -# va_list is defined as an array type, it can't be assigned. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if va_list objects can be copied by assignment" >&5 -$as_echo_n "checking if va_list objects can be copied by assignment... " >&6; } -if ${krb5_cv_va_simple_copy+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -void f(va_list va2) { - va_list va1; - va1 = va2; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_va_simple_copy=yes -else - krb5_cv_va_simple_copy=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_va_simple_copy" >&5 -$as_echo "$krb5_cv_va_simple_copy" >&6; } -if test "$krb5_cv_va_simple_copy" = yes; then - -$as_echo "#define CAN_COPY_VA_LIST 1" >>confdefs.h - -fi - -# The following lines are so that configure --help gives some global -# configuration options. - - -# Check whether --enable-static was given. -if test "${enable_static+set}" = set; then : - enableval=$enable_static; -else - enable_static=no -fi - -# Check whether --enable-shared was given. -if test "${enable_shared+set}" = set; then : - enableval=$enable_shared; -else - enable_shared=yes -fi - - -if test "x$enable_static" = "x$enable_shared"; then - as_fn_error $? "--enable-static must be specified with --disable-shared" "$LINENO" 5 -fi - -# Check whether --enable-rpath was given. -if test "${enable_rpath+set}" = set; then : - enableval=$enable_rpath; -else - enable_rpath=yes -fi - - -if test "x$enable_rpath" != xyes ; then - # Unset the rpath flag values set by shlib.conf - SHLIB_RPATH_FLAGS= - RPATH_FLAG= - PROG_RPATH_FLAGS= -fi - -if test "$SHLIBEXT" = ".so-nobuild"; then - as_fn_error $? "Shared libraries are not yet supported on this platform." "$LINENO" 5 -fi - -DEPLIBEXT=$SHLIBEXT - -if test "x$enable_static" = xyes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: using static libraries" >&5 -$as_echo "$as_me: using static libraries" >&6;} - LIBLIST='lib$(LIBBASE)$(STLIBEXT)' - LIBLINKS='$(TOPLIBD)/lib$(LIBBASE)$(STLIBEXT)' - PLUGIN='libkrb5_$(LIBBASE)$(STLIBEXT)' - PLUGINLINK='$(TOPLIBD)/libkrb5_$(LIBBASE)$(STLIBEXT)' - PLUGININST=install-static - OBJLISTS=OBJS.ST - LIBINSTLIST=install-static - DEPLIBEXT=$STLIBEXT - -$as_echo "#define STATIC_PLUGINS 1" >>confdefs.h - - - KDB5_PLUGIN_DEPLIBS='$(TOPLIBD)/libkrb5_db2$(DEPLIBEXT)' - KDB5_PLUGIN_LIBS='-lkrb5_db2' - if test "x$OPENLDAP_PLUGIN" = xyes; then - KDB5_PLUGIN_DEBLIBS=$KDB5_PLUGIN_DEPLIBS' $(TOPLIBD)/libkrb5_ldap$(DEPLIBEXT) $(TOPLIBD)/libkdb_ldap$(DEPLIBEXT)' - KDB5_PLUGIN_LIBS=$KDB5_PLUGIN_LIBS' -lkrb5_kldap -lkdb_ldap $(LDAP_LIBS)' - fi - # kadm5srv_mit normally comes before kdb on the link line. Add it - # again after the KDB plugins, since they depend on it for XDR stuff. - KDB5_PLUGIN_DEPLIBS=$KDB5_PLUGIN_DEPLIBS' $(TOPLIBD)/libkadm5srv_mit$(DEPLIBEXT)' - KDB5_PLUGIN_LIBS=$KDB5_PLUGIN_LIBS' -lkadm5srv_mit' - - # avoid duplicate rules generation for AIX and such - SHLIBEXT=.so-nobuild - SHLIBVEXT=.so.v-nobuild - SHLIBSEXT=.so.s-nobuild -else - { $as_echo "$as_me:${as_lineno-$LINENO}: using shared libraries" >&5 -$as_echo "$as_me: using shared libraries" >&6;} - - # Clear some stuff in case of AIX, etc. - if test "$STLIBEXT" = "$SHLIBEXT" ; then - STLIBEXT=.a-nobuild - fi - case "$SHLIBSEXT" in - .so.s-nobuild) - LIBLIST='lib$(LIBBASE)$(SHLIBEXT)' - LIBLINKS='$(TOPLIBD)/lib$(LIBBASE)$(SHLIBEXT) $(TOPLIBD)/lib$(LIBBASE)$(SHLIBVEXT)' - LIBINSTLIST="install-shared" - ;; - *) - LIBLIST='lib$(LIBBASE)$(SHLIBEXT) lib$(LIBBASE)$(SHLIBSEXT)' - LIBLINKS='$(TOPLIBD)/lib$(LIBBASE)$(SHLIBEXT) $(TOPLIBD)/lib$(LIBBASE)$(SHLIBVEXT) $(TOPLIBD)/lib$(LIBBASE)$(SHLIBSEXT)' - LIBINSTLIST="install-shlib-soname" - ;; - esac - OBJLISTS="OBJS.SH" - PLUGIN='$(LIBBASE)$(DYNOBJEXT)' - PLUGINLINK='../$(PLUGIN)' - PLUGININST=install-plugin - KDB5_PLUGIN_DEPLIBS= - KDB5_PLUGIN_LIBS= -fi -CC_LINK="$CC_LINK_SHARED" -CXX_LINK="$CXX_LINK_SHARED" - -if test -z "$LIBLIST"; then - as_fn_error $? "must enable one of shared or static libraries" "$LINENO" 5 -fi - -# Check whether to build profiled libraries. -# Check whether --enable-profiled was given. -if test "${enable_profiled+set}" = set; then : - enableval=$enable_profiled; if test "$enableval" = yes; then - as_fn_error $? "Sorry, profiled libraries do not work in this release." "$LINENO" 5 -fi -fi - - -TCL_INCLUDES= -TCL_LIBPATH= -TCL_RPATH= -TCL_LIBS= -TCL_WITH= -tcl_dir= - -# Check whether --with-tcl was given. -if test "${with_tcl+set}" = set; then : - withval=$with_tcl; -else - with_tcl=try -fi - -if test "$with_tcl" = no ; then - true -elif test "$with_tcl" = yes -o "$with_tcl" = try ; then - tcl_dir=/usr - if test ! -r /usr/lib/tclConfig.sh; then - cat >> conftest <<\EOF -puts "tcl_dir=$tcl_library" -EOF - if tclsh conftest >conftest.out 2>/dev/null; then - if grep tcl_dir= conftest.out >/dev/null 2>&1; then - t=`sed s/tcl_dir=// conftest.out` - tcl_dir=$t - fi - fi # tclsh ran script okay - rm -f conftest conftest.out - fi # no /usr/lib/tclConfig.sh -else - tcl_dir=$with_tcl -fi -if test "$with_tcl" != no ; then - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for tclConfig.sh" >&5 -$as_echo_n "checking for tclConfig.sh... " >&6; } -if test -r "$tcl_dir/lib/tclConfig.sh" ; then - tcl_conf="$tcl_dir/lib/tclConfig.sh" -elif test -r "$tcl_dir/tclConfig.sh" ; then - tcl_conf="$tcl_dir/tclConfig.sh" -elif test -r "$tcl_dir/../tclConfig.sh" ; then - tcl_conf="$tcl_dir/../tclConfig.sh" -else - tcl_conf= - lib="$tcl_dir/lib" - for d in "$lib" "$lib"/tcl7.[0-9] "$lib"/tcl8.[0-9] ; do - if test -r "$d/tclConfig.sh" ; then - tcl_conf="$tcl_conf $d/tclConfig.sh" - fi - done - fi -if test -n "$tcl_conf" ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $tcl_conf" >&5 -$as_echo "$tcl_conf" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: not found" >&5 -$as_echo "not found" >&6; } -fi -tcl_ok_conf= -tcl_vers_maj= -tcl_vers_min= -old_CPPFLAGS=$CPPFLAGS -old_LIBS=$LIBS -old_LDFLAGS=$LDFLAGS -if test -n "$tcl_conf" ; then - for file in $tcl_conf ; do - TCL_MAJOR_VERSION=x ; TCL_MINOR_VERSION=x - { $as_echo "$as_me:${as_lineno-$LINENO}: checking Tcl info in $file" >&5 -$as_echo_n "checking Tcl info in $file... " >&6; } - . $file - v=$TCL_MAJOR_VERSION.$TCL_MINOR_VERSION - if test -z "$tcl_vers_maj" \ - || test "$tcl_vers_maj" -lt "$TCL_MAJOR_VERSION" \ - || test "$tcl_vers_maj" = "$TCL_MAJOR_VERSION" -a "$tcl_vers_min" -lt "$TCL_MINOR_VERSION" ; then - for incdir in "$TCL_PREFIX/include/tcl$v" "$TCL_PREFIX/include" ; do - if test -r "$incdir/tcl.h" -o -r "$incdir/tcl/tcl.h" ; then - CPPFLAGS="$old_CPPFLAGS -I$incdir" - break - fi - done - LIBS="$old_LIBS `eval echo x $TCL_LIB_SPEC $TCL_LIBS | sed 's/^x//'`" - LDFLAGS="$old_LDFLAGS $TCL_LD_FLAGS" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ -Tcl_CreateInterp (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - tcl_ok_conf=$file - tcl_vers_maj=$TCL_MAJOR_VERSION - tcl_vers_min=$TCL_MINOR_VERSION - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $v - working" >&5 -$as_echo "$v - working" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $v - compilation failed" >&5 -$as_echo "$v - compilation failed" >&6; } - -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: older version $v" >&5 -$as_echo "older version $v" >&6; } - fi - done -fi -CPPFLAGS=$old_CPPFLAGS -LIBS=$old_LIBS -LDFLAGS=$old_LDFLAGS -tcl_header=no -tcl_lib=no -if test -n "$tcl_ok_conf" ; then - . $tcl_ok_conf - TCL_INCLUDES= - for incdir in "$TCL_PREFIX/include/tcl$v" "$TCL_PREFIX/include" ; do - if test -r "$incdir/tcl.h" -o -r "$incdir/tcl/tcl.h" ; then - if test "$incdir" != "/usr/include" ; then - TCL_INCLUDES=-I$incdir - fi - break - fi - done - # Need eval because the first-level expansion could reference - # variables like ${TCL_DBGX}. - eval TCL_LIBS='"'$TCL_LIB_SPEC $TCL_LIBS $TCL_DL_LIBS'"' - TCL_LIBPATH="-L$TCL_EXEC_PREFIX/lib" - TCL_RPATH=":$TCL_EXEC_PREFIX/lib" - if test "$DEPLIBEXT" != "$SHLIBEXT" && test -n "$RPATH_FLAG"; then - TCL_MAYBE_RPATH='$(RPATH_FLAG)'"$TCL_EXEC_PREFIX/lib$RPATH_TAIL" - else - TCL_MAYBE_RPATH= - fi - CPPFLAGS="$old_CPPFLAGS $TCL_INCLUDES" - ac_fn_c_check_header_mongrel "$LINENO" "tcl.h" "ac_cv_header_tcl_h" "$ac_includes_default" -if test "x$ac_cv_header_tcl_h" = xyes; then : - -$as_echo "#define HAVE_TCL_H 1" >>confdefs.h - tcl_header=yes -fi - - - if test $tcl_header=no; then - ac_fn_c_check_header_mongrel "$LINENO" "tcl/tcl.h" "ac_cv_header_tcl_tcl_h" "$ac_includes_default" -if test "x$ac_cv_header_tcl_tcl_h" = xyes; then : - -$as_echo "#define HAVE_TCL_TCL_H 1" >>confdefs.h - tcl_header=yes -fi - - - fi - CPPFLAGS="$old_CPPFLAGS" - tcl_lib=yes -else - # If we read a tclConfig.sh file, it probably set this. - TCL_LIBS= -fi - - - - - - - if test $tcl_lib = no ; then - if test "$with_tcl" != try ; then - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: trying old tcl search code" >&5 -$as_echo "$as_me: WARNING: trying old tcl search code" >&2;} -if test "$with_tcl" != yes -a "$with_tcl" != no; then - TCL_INCLUDES=-I$with_tcl/include - TCL_LIBPATH=-L$with_tcl/lib - TCL_RPATH=:$with_tcl/lib -fi -if test "$with_tcl" != no ; then - krb5_save_CPPFLAGS="$CPPFLAGS" - krb5_save_LDFLAGS="$LDFLAGS" - CPPFLAGS="$CPPFLAGS $TCL_INCLUDES" - LDFLAGS="$LDFLAGS $TCL_LIBPATH" - tcl_header=no - ac_fn_c_check_header_mongrel "$LINENO" "tcl.h" "ac_cv_header_tcl_h" "$ac_includes_default" -if test "x$ac_cv_header_tcl_h" = xyes; then : - -$as_echo "#define HAVE_TCL_H 1" >>confdefs.h - tcl_header=yes -fi - - - if test $tcl_header=no; then - ac_fn_c_check_header_mongrel "$LINENO" "tcl/tcl.h" "ac_cv_header_tcl_tcl_h" "$ac_includes_default" -if test "x$ac_cv_header_tcl_tcl_h" = xyes; then : - -$as_echo "#define HAVE_TCL_TCL_H 1" >>confdefs.h - tcl_header=yes -fi - - - fi - - if test $tcl_header = yes ; then - tcl_lib=no - - if test $tcl_lib = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tcl_CreateCommand in -ltcl8.0" >&5 -$as_echo_n "checking for Tcl_CreateCommand in -ltcl8.0... " >&6; } -if ${ac_cv_lib_tcl8_0_Tcl_CreateCommand+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ltcl8.0 -lm $DL_LIB $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char Tcl_CreateCommand (); -int -main () -{ -return Tcl_CreateCommand (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_tcl8_0_Tcl_CreateCommand=yes -else - ac_cv_lib_tcl8_0_Tcl_CreateCommand=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tcl8_0_Tcl_CreateCommand" >&5 -$as_echo "$ac_cv_lib_tcl8_0_Tcl_CreateCommand" >&6; } -if test "x$ac_cv_lib_tcl8_0_Tcl_CreateCommand" = xyes; then : - TCL_LIBS="$TCL_LIBS -ltcl8.0 -lm $DL_LIB $LIBS" - tcl_lib=yes -fi - - fi - if test $tcl_lib = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tcl_CreateCommand in -ltcl7.6" >&5 -$as_echo_n "checking for Tcl_CreateCommand in -ltcl7.6... " >&6; } -if ${ac_cv_lib_tcl7_6_Tcl_CreateCommand+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ltcl7.6 -lm $DL_LIB $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char Tcl_CreateCommand (); -int -main () -{ -return Tcl_CreateCommand (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_tcl7_6_Tcl_CreateCommand=yes -else - ac_cv_lib_tcl7_6_Tcl_CreateCommand=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tcl7_6_Tcl_CreateCommand" >&5 -$as_echo "$ac_cv_lib_tcl7_6_Tcl_CreateCommand" >&6; } -if test "x$ac_cv_lib_tcl7_6_Tcl_CreateCommand" = xyes; then : - TCL_LIBS="$TCL_LIBS -ltcl7.6 -lm $DL_LIB $LIBS" - tcl_lib=yes -fi - - fi - if test $tcl_lib = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tcl_CreateCommand in -ltcl7.5" >&5 -$as_echo_n "checking for Tcl_CreateCommand in -ltcl7.5... " >&6; } -if ${ac_cv_lib_tcl7_5_Tcl_CreateCommand+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ltcl7.5 -lm $DL_LIB $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char Tcl_CreateCommand (); -int -main () -{ -return Tcl_CreateCommand (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_tcl7_5_Tcl_CreateCommand=yes -else - ac_cv_lib_tcl7_5_Tcl_CreateCommand=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tcl7_5_Tcl_CreateCommand" >&5 -$as_echo "$ac_cv_lib_tcl7_5_Tcl_CreateCommand" >&6; } -if test "x$ac_cv_lib_tcl7_5_Tcl_CreateCommand" = xyes; then : - TCL_LIBS="$TCL_LIBS -ltcl7.5 -lm $DL_LIB $LIBS" - tcl_lib=yes -fi - - - fi - if test $tcl_lib = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Tcl_CreateCommand in -ltcl" >&5 -$as_echo_n "checking for Tcl_CreateCommand in -ltcl... " >&6; } -if ${ac_cv_lib_tcl_Tcl_CreateCommand+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-ltcl -lm $DL_LIB $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char Tcl_CreateCommand (); -int -main () -{ -return Tcl_CreateCommand (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_tcl_Tcl_CreateCommand=yes -else - ac_cv_lib_tcl_Tcl_CreateCommand=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_tcl_Tcl_CreateCommand" >&5 -$as_echo "$ac_cv_lib_tcl_Tcl_CreateCommand" >&6; } -if test "x$ac_cv_lib_tcl_Tcl_CreateCommand" = xyes; then : - TCL_LIBS="$TCL_LIBS -ltcl -lm $DL_LIB $LIBS" - tcl_lib=yes -fi - - - fi - if test $tcl_lib = no ; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: \"tcl.h found but not library\"" >&5 -$as_echo "$as_me: WARNING: \"tcl.h found but not library\"" >&2;} - fi - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Could not find Tcl which is needed for the kadm5 tests" >&5 -$as_echo "$as_me: WARNING: Could not find Tcl which is needed for the kadm5 tests" >&2;} - TCL_LIBS= - fi - CPPFLAGS="$krb5_save_CPPFLAGS" - LDFLAGS="$krb5_save_LDFLAGS" - - - - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: \"Not looking for Tcl library\"" >&5 -$as_echo "\"Not looking for Tcl library\"" >&6; } -fi - - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Could not find Tcl which is needed for some tests" >&5 -$as_echo "$as_me: WARNING: Could not find Tcl which is needed for some tests" >&2;} - fi - fi -fi -# If "yes" or pathname, error out if not found. -if test "$with_tcl" != no -a "$with_tcl" != try ; then - if test "$tcl_header $tcl_lib" != "yes yes" ; then - as_fn_error $? "Could not find Tcl" "$LINENO" 5 - fi -fi - -# Check whether --enable-athena was given. -if test "${enable_athena+set}" = set; then : - enableval=$enable_athena; -fi - - -# Begin autoconf tests for the Makefiles generated out of the top-level -# configure.in... - - - - - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether ln -s works" >&5 -$as_echo_n "checking whether ln -s works... " >&6; } -LN_S=$as_ln_s -if test "$LN_S" = "ln -s"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no, using $LN_S" >&5 -$as_echo "no, using $LN_S" >&6; } -fi - -if test -n "$ac_tool_prefix"; then - # Extract the first word of "${ac_tool_prefix}ranlib", so it can be a program name with args. -set dummy ${ac_tool_prefix}ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_RANLIB+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$RANLIB"; then - ac_cv_prog_RANLIB="$RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RANLIB="${ac_tool_prefix}ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -RANLIB=$ac_cv_prog_RANLIB -if test -n "$RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RANLIB" >&5 -$as_echo "$RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -fi -if test -z "$ac_cv_prog_RANLIB"; then - ac_ct_RANLIB=$RANLIB - # Extract the first word of "ranlib", so it can be a program name with args. -set dummy ranlib; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ac_ct_RANLIB+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ac_ct_RANLIB"; then - ac_cv_prog_ac_ct_RANLIB="$ac_ct_RANLIB" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ac_ct_RANLIB="ranlib" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -ac_ct_RANLIB=$ac_cv_prog_ac_ct_RANLIB -if test -n "$ac_ct_RANLIB"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_ct_RANLIB" >&5 -$as_echo "$ac_ct_RANLIB" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - if test "x$ac_ct_RANLIB" = x; then - RANLIB=":" - else - case $cross_compiling:$ac_tool_warned in -yes:) -{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: using cross tools not prefixed with host triplet" >&5 -$as_echo "$as_me: WARNING: using cross tools not prefixed with host triplet" >&2;} -ac_tool_warned=yes ;; -esac - RANLIB=$ac_ct_RANLIB - fi -else - RANLIB="$ac_cv_prog_RANLIB" -fi - -# Extract the first word of "ar", so it can be a program name with args. -set dummy ar; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ARCHIVE+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ARCHIVE"; then - ac_cv_prog_ARCHIVE="$ARCHIVE" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ARCHIVE="ar cqv" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_ARCHIVE" && ac_cv_prog_ARCHIVE="false" -fi -fi -ARCHIVE=$ac_cv_prog_ARCHIVE -if test -n "$ARCHIVE"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ARCHIVE" >&5 -$as_echo "$ARCHIVE" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "ar", so it can be a program name with args. -set dummy ar; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_ARADD+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$ARADD"; then - ac_cv_prog_ARADD="$ARADD" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_ARADD="ar cruv" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_ARADD" && ac_cv_prog_ARADD="false" -fi -fi -ARADD=$ac_cv_prog_ARADD -if test -n "$ARADD"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ARADD" >&5 -$as_echo "$ARADD" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Find a good install program. We prefer a C program (faster), -# so one script is as good as another. But avoid the broken or -# incompatible versions: -# SysV /etc/install, /usr/sbin/install -# SunOS /usr/etc/install -# IRIX /sbin/install -# AIX /bin/install -# AmigaOS /C/install, which installs bootblocks on floppy discs -# AIX 4 /usr/bin/installbsd, which doesn't work without a -g flag -# AFS /usr/afsws/bin/install, which mishandles nonexistent args -# SVR4 /usr/ucb/install, which tries to use the nonexistent group "staff" -# OS/2's system install, which has a completely different semantic -# ./install, which can be erroneously created by make from ./install.sh. -# Reject install programs that cannot install multiple files. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for a BSD-compatible install" >&5 -$as_echo_n "checking for a BSD-compatible install... " >&6; } -if test -z "$INSTALL"; then -if ${ac_cv_path_install+:} false; then : - $as_echo_n "(cached) " >&6 -else - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - # Account for people who put trailing slashes in PATH elements. -case $as_dir/ in #(( - ./ | .// | /[cC]/* | \ - /etc/* | /usr/sbin/* | /usr/etc/* | /sbin/* | /usr/afsws/bin/* | \ - ?:[\\/]os2[\\/]install[\\/]* | ?:[\\/]OS2[\\/]INSTALL[\\/]* | \ - /usr/ucb/* ) ;; - *) - # OSF1 and SCO ODT 3.0 have their own names for install. - # Don't use installbsd from OSF since it installs stuff as root - # by default. - for ac_prog in ginstall scoinst install; do - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_prog$ac_exec_ext"; then - if test $ac_prog = install && - grep dspmsg "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # AIX install. It has an incompatible calling convention. - : - elif test $ac_prog = install && - grep pwplus "$as_dir/$ac_prog$ac_exec_ext" >/dev/null 2>&1; then - # program-specific install script used by HP pwplus--don't use. - : - else - rm -rf conftest.one conftest.two conftest.dir - echo one > conftest.one - echo two > conftest.two - mkdir conftest.dir - if "$as_dir/$ac_prog$ac_exec_ext" -c conftest.one conftest.two "`pwd`/conftest.dir" && - test -s conftest.one && test -s conftest.two && - test -s conftest.dir/conftest.one && - test -s conftest.dir/conftest.two - then - ac_cv_path_install="$as_dir/$ac_prog$ac_exec_ext -c" - break 3 - fi - fi - fi - done - done - ;; -esac - - done -IFS=$as_save_IFS - -rm -rf conftest.one conftest.two conftest.dir - -fi - if test "${ac_cv_path_install+set}" = set; then - INSTALL=$ac_cv_path_install - else - # As a last resort, use the slow shell script. Don't cache a - # value for INSTALL within a source directory, because that will - # break other packages using the cache if that directory is - # removed, or if the value is a relative name. - INSTALL=$ac_install_sh - fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $INSTALL" >&5 -$as_echo "$INSTALL" >&6; } - -# Use test -z because SunOS4 sh mishandles braces in ${var-val}. -# It thinks the first close brace ends the variable substitution. -test -z "$INSTALL_PROGRAM" && INSTALL_PROGRAM='${INSTALL}' - -test -z "$INSTALL_SCRIPT" && INSTALL_SCRIPT='${INSTALL}' - -test -z "$INSTALL_DATA" && INSTALL_DATA='${INSTALL} -m 644' - -# Extract the first word of "ar", so it can be a program name with args. -set dummy ar; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_AR+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$AR"; then - ac_cv_prog_AR="$AR" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AR="ar" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_AR" && ac_cv_prog_AR="false" -fi -fi -AR=$ac_cv_prog_AR -if test -n "$AR"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AR" >&5 -$as_echo "$AR" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -if test "$AR" = "false"; then - as_fn_error $? "ar not found in PATH" "$LINENO" 5 -fi -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_PERL+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$PERL"; then - ac_cv_prog_PERL="$PERL" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_PERL="perl" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_prog_PERL" && ac_cv_prog_PERL="false" -fi -fi -PERL=$ac_cv_prog_PERL -if test -n "$PERL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5 -$as_echo "$PERL" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -if test "$ac_cv_prog_PERL" = "false"; then - as_fn_error $? "Perl is now required for Kerberos builds." "$LINENO" 5 -fi - - - - - - - - - - - - - - - - - - - - - - - - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for working regcomp" >&5 -$as_echo_n "checking for working regcomp... " >&6; } -if ${ac_cv_func_regcomp+:} false; then : - $as_echo_n "(cached) " >&6 -else - -if test "$cross_compiling" = yes; then : - as_fn_error $? "Cannot test regcomp when cross compiling" "$LINENO" 5 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#include -regex_t x; regmatch_t m; -int main() { return regcomp(&x,"pat.*",0) || regexec(&x,"pattern",1,&m,0); } - -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_func_regcomp=yes -else - ac_cv_func_regcomp=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_regcomp" >&5 -$as_echo "$ac_cv_func_regcomp" >&6; } -test $ac_cv_func_regcomp = yes && -$as_echo "#define HAVE_REGCOMP 1" >>confdefs.h - -if test $ac_cv_func_regcomp = no; then - save_LIBS="$LIBS" - LIBS=-lgen - for ac_func in compile step -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - LIBS="$save_LIBS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for compile in -lgen" >&5 -$as_echo_n "checking for compile in -lgen... " >&6; } -if ${ac_cv_lib_gen_compile+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lgen $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char compile (); -int -main () -{ -return compile (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_gen_compile=yes -else - ac_cv_lib_gen_compile=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_gen_compile" >&5 -$as_echo "$ac_cv_lib_gen_compile" >&6; } -if test "x$ac_cv_lib_gen_compile" = xyes; then : - GEN_LIB=-lgen -else - GEN_LIB= -fi - - -fi - - - - - - -# for slave -ac_fn_c_check_type "$LINENO" "mode_t" "ac_cv_type_mode_t" "$ac_includes_default" -if test "x$ac_cv_type_mode_t" = xyes; then : - -else - -cat >>confdefs.h <<_ACEOF -#define mode_t int -_ACEOF - -fi - - - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if daemon needs a prototype provided" >&5 -$as_echo_n "checking if daemon needs a prototype provided... " >&6; } -if ${krb5_cv_func_daemon_noproto+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef HAVE_UNISTD_H -#include -#endif -int -main () -{ -#undef daemon -struct k5foo {int foo; } xx; -extern int daemon (struct k5foo*); -daemon(&xx); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_func_daemon_noproto=yes -else - krb5_cv_func_daemon_noproto=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_daemon_noproto" >&5 -$as_echo "$krb5_cv_func_daemon_noproto" >&6; } -if test $krb5_cv_func_daemon_noproto = yes; then - -$as_echo "#define NEED_DAEMON_PROTO 1" >>confdefs.h - -fi - - - -sock_set=no -for sock_arg1 in "struct sockaddr *" "void *" -do - for sock_arg2 in "size_t *" "int *" "socklen_t *" - do - if test $sock_set = no; then - -krb5_lib_var=`echo "$sock_arg1 $sock_arg2" | sed 'y% ./+-*%___p_p%'` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if getsockname() takes arguments $sock_arg1 and $sock_arg2" >&5 -$as_echo_n "checking if getsockname() takes arguments $sock_arg1 and $sock_arg2... " >&6; } -if eval \${krb5_cv_getsockname_proto_$krb5_lib_var+:} false; then : - $as_echo_n "(cached) " >&6 -else - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -extern int getsockname(int, $sock_arg1, $sock_arg2); - -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "krb5_cv_getsockname_proto_$krb5_lib_var=yes" -else - eval "krb5_cv_getsockname_proto_$krb5_lib_var=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -if eval "test \"`echo '$krb5_cv_getsockname_proto_'$krb5_lib_var`\" = yes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - sock_set=yes; res1="$sock_arg1"; res2="$sock_arg2" -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - fi - done -done -if test "$sock_set" = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: assuming struct sockaddr and socklen_t for getsockname args" >&5 -$as_echo "$as_me: assuming struct sockaddr and socklen_t for getsockname args" >&6;} - res1="struct sockaddr *" - res2="socklen_t *" -fi -res1=`echo "$res1" | tr -d '*' | sed -e 's/ *$//'` -res2=`echo "$res2" | tr -d '*' | sed -e 's/ *$//'` - -cat >>confdefs.h <<_ACEOF -#define GETSOCKNAME_ARG2_TYPE $res1 -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define GETSOCKNAME_ARG3_TYPE $res2 -_ACEOF - - - - -$as_echo "#define GETPEERNAME_ARG2_TYPE GETSOCKNAME_ARG2_TYPE" >>confdefs.h - - -$as_echo "#define GETPEERNAME_ARG3_TYPE GETSOCKNAME_ARG3_TYPE" >>confdefs.h - - -LIBUTIL= -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lutil" >&5 -$as_echo_n "checking for main in -lutil... " >&6; } -if ${ac_cv_lib_util_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lutil $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_util_main=yes -else - ac_cv_lib_util_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_util_main" >&5 -$as_echo "$ac_cv_lib_util_main" >&6; } -if test "x$ac_cv_lib_util_main" = xyes; then : - -$as_echo "#define HAVE_LIBUTIL 1" >>confdefs.h - -LIBUTIL=-lutil - -fi - - - -ac_fn_c_check_header_mongrel "$LINENO" "libintl.h" "ac_cv_header_libintl_h" "$ac_includes_default" -if test "x$ac_cv_header_libintl_h" = xyes; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing dgettext" >&5 -$as_echo_n "checking for library containing dgettext... " >&6; } -if ${ac_cv_search_dgettext+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char dgettext (); -int -main () -{ -return dgettext (); - ; - return 0; -} -_ACEOF -for ac_lib in '' intl; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_dgettext=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_dgettext+:} false; then : - break -fi -done -if ${ac_cv_search_dgettext+:} false; then : - -else - ac_cv_search_dgettext=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_dgettext" >&5 -$as_echo "$ac_cv_search_dgettext" >&6; } -ac_res=$ac_cv_search_dgettext -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - - -$as_echo "#define ENABLE_NLS 1" >>confdefs.h - -fi - -fi - - - -# Extract the first word of "msgfmt", so it can be a program name with args. -set dummy msgfmt; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_MSGFMT+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$MSGFMT"; then - ac_cv_prog_MSGFMT="$MSGFMT" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_MSGFMT="msgfmt" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -MSGFMT=$ac_cv_prog_MSGFMT -if test -n "$MSGFMT"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MSGFMT" >&5 -$as_echo "$MSGFMT" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -po= -if test x"$MSGFMT" != x; then - po=po -fi - - -# for kdc -for ac_header in sys/sockio.h ifaddrs.h unistd.h fnmatch.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -for ac_func in strftime vsprintf vasprintf vsnprintf strlcpy fnmatch -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -EXTRA_SUPPORT_SYMS= -ac_fn_c_check_func "$LINENO" "strlcpy" "ac_cv_func_strlcpy" -if test "x$ac_cv_func_strlcpy" = xyes; then : - STRLCPY_ST_OBJ= -STRLCPY_OBJ= -else - STRLCPY_ST_OBJ=strlcpy.o -STRLCPY_OBJ='$(OUTPRE)strlcpy.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_strlcpy krb5int_strlcat" -fi - - - - -ac_fn_c_check_func "$LINENO" "getopt" "ac_cv_func_getopt" -if test "x$ac_cv_func_getopt" = xyes; then : - GETOPT_ST_OBJ= -GETOPT_OBJ= - -$as_echo "#define HAVE_GETOPT 1" >>confdefs.h - -else - GETOPT_ST_OBJ='getopt.o' -GETOPT_OBJ='$(OUTPRE)getopt.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS k5_optind k5_optarg k5_opterr k5_optopt k5_getopt" -fi - - - - -ac_fn_c_check_func "$LINENO" "getopt_long" "ac_cv_func_getopt_long" -if test "x$ac_cv_func_getopt_long" = xyes; then : - GETOPT_LONG_ST_OBJ= -GETOPT_LONG_OBJ= - -$as_echo "#define HAVE_GETOPT_LONG 1" >>confdefs.h - -else - GETOPT_LONG_ST_OBJ='getopt_long.o' -GETOPT_LONG_OBJ='$(OUTPRE)getopt_long.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS k5_getopt_long" -fi - - - - -ac_fn_c_check_func "$LINENO" "fnmatch" "ac_cv_func_fnmatch" -if test "x$ac_cv_func_fnmatch" = xyes; then : - FNMATCH_ST_OBJ= -FNMATCH_OBJ= -else - FNMATCH_ST_OBJ=fnmatch.o -FNMATCH_OBJ='$(OUTPRE)fnmatch.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS k5_fnmatch" -fi - - - - -ac_fn_c_check_func "$LINENO" "vasprintf" "ac_cv_func_vasprintf" -if test "x$ac_cv_func_vasprintf" = xyes; then : - PRINTF_ST_OBJ= -PRINTF_OBJ= -else - PRINTF_ST_OBJ=printf.o -PRINTF_OBJ='$(OUTPRE)printf.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_asprintf krb5int_vasprintf" -fi - - - - -if test "x$ac_cv_func_vasprintf" = xyes; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if vasprintf needs a prototype provided" >&5 -$as_echo_n "checking if vasprintf needs a prototype provided... " >&6; } -if ${krb5_cv_func_vasprintf_noproto+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include - -int -main () -{ -#undef vasprintf -struct k5foo {int foo; } xx; -extern int vasprintf (struct k5foo*); -vasprintf(&xx); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_func_vasprintf_noproto=yes -else - krb5_cv_func_vasprintf_noproto=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_vasprintf_noproto" >&5 -$as_echo "$krb5_cv_func_vasprintf_noproto" >&6; } -if test $krb5_cv_func_vasprintf_noproto = yes; then - -$as_echo "#define NEED_VASPRINTF_PROTO 1" >>confdefs.h - -fi -fi - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if swab needs a prototype provided" >&5 -$as_echo_n "checking if swab needs a prototype provided... " >&6; } -if ${krb5_cv_func_swab_noproto+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#ifdef HAVE_UNISTD_H -#include -#endif -/* Solaris 8 declares swab in stdlib.h. */ -#include - -int -main () -{ -#undef swab -struct k5foo {int foo; } xx; -extern int swab (struct k5foo*); -swab(&xx); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_func_swab_noproto=yes -else - krb5_cv_func_swab_noproto=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_swab_noproto" >&5 -$as_echo "$krb5_cv_func_swab_noproto" >&6; } -if test $krb5_cv_func_swab_noproto = yes; then - -$as_echo "#define NEED_SWAB_PROTO 1" >>confdefs.h - -fi - - - -for ac_prog in gawk mawk nawk awk -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_AWK+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$AWK"; then - ac_cv_prog_AWK="$AWK" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_AWK="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -AWK=$ac_cv_prog_AWK -if test -n "$AWK"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $AWK" >&5 -$as_echo "$AWK" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$AWK" && break -done - - ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_sockaddr_sa_len" "#include -#include -" -if test "x$ac_cv_member_struct_sockaddr_sa_len" = xyes; then : - -$as_echo "#define HAVE_SA_LEN 1" >>confdefs.h - - -fi - - -for ac_header in sys/types.h sys/socket.h netinet/in.h netdb.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -for ac_func in inet_ntop inet_pton getnameinfo -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for getaddrinfo" >&5 -$as_echo_n "checking for getaddrinfo... " >&6; } -if ${ac_cv_func_getaddrinfo+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifdef HAVE_NETDB_H -#include -#endif -int -main () -{ - -struct addrinfo *ai; -getaddrinfo("kerberos.mit.edu", "echo", 0, &ai); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_func_getaddrinfo=yes -else - ac_cv_func_getaddrinfo=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_getaddrinfo" >&5 -$as_echo "$ac_cv_func_getaddrinfo" >&6; } -if test $ac_cv_func_getaddrinfo = yes; then - -$as_echo "#define HAVE_GETADDRINFO 1" >>confdefs.h - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPv6 compile-time support without -DINET6" >&5 -$as_echo_n "checking for IPv6 compile-time support without -DINET6... " >&6; } -if ${krb5_cv_inet6+:} false; then : - $as_echo_n "(cached) " >&6 -else - -if test "$ac_cv_func_inet_ntop" != "yes" ; then - krb5_cv_inet6=no -else -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#include -#include -#include - -int -main () -{ - - struct sockaddr_in6 in; - AF_INET6; - IN6_IS_ADDR_LINKLOCAL (&in.sin6_addr); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_inet6=yes -else - krb5_cv_inet6=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_inet6" >&5 -$as_echo "$krb5_cv_inet6" >&6; } -if test "$krb5_cv_inet6" = no && test "$ac_cv_func_inet_ntop" = yes; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for IPv6 compile-time support with -DINET6" >&5 -$as_echo_n "checking for IPv6 compile-time support with -DINET6... " >&6; } -if ${krb5_cv_inet6_with_dinet6+:} false; then : - $as_echo_n "(cached) " >&6 -else - -old_CC="$CC" -CC="$CC -DINET6" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#include -#include -#include - -int -main () -{ - - struct sockaddr_in6 in; - AF_INET6; - IN6_IS_ADDR_LINKLOCAL (&in.sin6_addr); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_inet6_with_dinet6=yes -else - krb5_cv_inet6_with_dinet6=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -CC="$old_CC" -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_inet6_with_dinet6" >&5 -$as_echo "$krb5_cv_inet6_with_dinet6" >&6; } -fi -if test $krb5_cv_inet6 = yes || test "$krb5_cv_inet6_with_dinet6" = yes; then - if test "$krb5_cv_inet6_with_dinet6" = yes; then - -$as_echo "#define INET6 1" >>confdefs.h - - fi -fi - - ac_fn_c_check_member "$LINENO" "struct sockaddr" "sa_len" "ac_cv_member_struct_sockaddr_sa_len" "#include -#include -" -if test "x$ac_cv_member_struct_sockaddr_sa_len" = xyes; then : - -$as_echo "#define HAVE_SA_LEN 1" >>confdefs.h - - -fi - - -ac_fn_c_check_func "$LINENO" "sigprocmask" "ac_cv_func_sigprocmask" -if test "x$ac_cv_func_sigprocmask" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigset_t and POSIX_SIGNALS" >&5 -$as_echo_n "checking for sigset_t and POSIX_SIGNALS... " >&6; } -if ${krb5_cv_type_sigset_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -sigset_t x - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_type_sigset_t=yes -else - krb5_cv_type_sigset_t=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_type_sigset_t" >&5 -$as_echo "$krb5_cv_type_sigset_t" >&6; } -if test $krb5_cv_type_sigset_t = yes; then - -$as_echo "#define POSIX_SIGNALS 1" >>confdefs.h - -fi - -fi - - -# --with-vague-errors disables useful error messages. - - -# Check whether --with-vague-errors was given. -if test "${with_vague_errors+set}" = set; then : - withval=$with_vague_errors; -else - withval=no -fi - -if test "$withval" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Supplying vague error messages to KDC clients" >&5 -$as_echo "$as_me: Supplying vague error messages to KDC clients" >&6;} - -$as_echo "#define KRBCONF_VAGUE_ERRORS 1" >>confdefs.h - -fi - -# Check which (if any) audit plugin to build -audit_plugin="" -# Check whether --enable-audit-plugin was given. -if test "${enable_audit_plugin+set}" = set; then : - enableval=$enable_audit_plugin; -else - enableval=no -fi - -if test "$enableval" != no; then - case "$enableval" in - simple) - # if audit_log_user_message is found, we assume - # that audit_open and audit_close are also defined. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for audit_log_user_message in -laudit" >&5 -$as_echo_n "checking for audit_log_user_message in -laudit... " >&6; } -if ${ac_cv_lib_audit_audit_log_user_message+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-laudit $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char audit_log_user_message (); -int -main () -{ -return audit_log_user_message (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_audit_audit_log_user_message=yes -else - ac_cv_lib_audit_audit_log_user_message=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_audit_audit_log_user_message" >&5 -$as_echo "$ac_cv_lib_audit_audit_log_user_message" >&6; } -if test "x$ac_cv_lib_audit_audit_log_user_message" = xyes; then : - AUDIT_IMPL_LIBS=-laudit - ac_config_files="$ac_config_files plugins/audit/simple/Makefile:$srcdir/./config/pre.in:plugins/audit/simple/Makefile.in:plugins/audit/simple/deps:$srcdir/./config/post.in" - - - - audit_plugin=plugins/audit/simple -else - as_fn_error $? "libaudit not found or undefined symbol audit_log_user_message" "$LINENO" 5 -fi - - ;; - *) - as_fn_error $? "Unknown audit plugin implementation $enableval." "$LINENO" 5 - ;; - esac -fi - - - -# WITH_CRYPTO_IMPL - -CRYPTO_IMPL="builtin" - -# Check whether --with-crypto-impl was given. -if test "${with_crypto_impl+set}" = set; then : - withval=$with_crypto_impl; CRYPTO_IMPL=$withval -{ $as_echo "$as_me:${as_lineno-$LINENO}: k5crypto will use '$withval'" >&5 -$as_echo "$as_me: k5crypto will use '$withval'" >&6;} - -else - withval=builtin -fi - -case "$withval" in -builtin) - ;; -openssl) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS7_get_signer_info in -lcrypto" >&5 -$as_echo_n "checking for PKCS7_get_signer_info in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_PKCS7_get_signer_info+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char PKCS7_get_signer_info (); -int -main () -{ -return PKCS7_get_signer_info (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_crypto_PKCS7_get_signer_info=yes -else - ac_cv_lib_crypto_PKCS7_get_signer_info=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_PKCS7_get_signer_info" >&5 -$as_echo "$ac_cv_lib_crypto_PKCS7_get_signer_info" >&6; } -if test "x$ac_cv_lib_crypto_PKCS7_get_signer_info" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBCRYPTO 1 -_ACEOF - - LIBS="-lcrypto $LIBS" - -fi - - ;; -*) - as_fn_error $? "Unknown crypto implementation $withval" "$LINENO" 5 - ;; -esac -ac_config_commands="$ac_config_commands CRYPTO_IMPL" - - - - - - -# Check whether --with-prng-alg was given. -if test "${with_prng_alg+set}" = set; then : - withval=$with_prng_alg; PRNG_ALG=$withval -{ $as_echo "$as_me:${as_lineno-$LINENO}: k5crypto will use '$withval'" >&5 -$as_echo "$as_me: k5crypto will use '$withval'" >&6;} - -else - PRNG_ALG=fortuna -fi - -ac_config_commands="$ac_config_commands PRNG_ALG" - - -if test "$PRNG_ALG" = fortuna; then - -$as_echo "#define FORTUNA 1" >>confdefs.h - -fi - -# WITH_PKINIT_CRYPTO_IMPL - -PKINIT_CRYPTO_IMPL="$CRYPTO_IMPL" - -# Check whether --with-pkinit-crypto-impl was given. -if test "${with_pkinit_crypto_impl+set}" = set; then : - withval=$with_pkinit_crypto_impl; PKINIT_CRYPTO_IMPL=$withval -{ $as_echo "$as_me:${as_lineno-$LINENO}: pkinit will use '$withval'" >&5 -$as_echo "$as_me: pkinit will use '$withval'" >&6;} - -else - withval=$PKINIT_CRYPTO_IMPL -fi - -case "$withval" in -builtin|openssl) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS7_get_signer_info in -lcrypto" >&5 -$as_echo_n "checking for PKCS7_get_signer_info in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_PKCS7_get_signer_info+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char PKCS7_get_signer_info (); -int -main () -{ -return PKCS7_get_signer_info (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_crypto_PKCS7_get_signer_info=yes -else - ac_cv_lib_crypto_PKCS7_get_signer_info=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_PKCS7_get_signer_info" >&5 -$as_echo "$ac_cv_lib_crypto_PKCS7_get_signer_info" >&6; } -if test "x$ac_cv_lib_crypto_PKCS7_get_signer_info" = xyes; then : - PKINIT_CRYPTO_IMPL_LIBS=-lcrypto -fi - - PKINIT_CRYPTO_IMPL=openssl - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for CMS_get0_content in -lcrypto" >&5 -$as_echo_n "checking for CMS_get0_content in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_CMS_get0_content+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char CMS_get0_content (); -int -main () -{ -return CMS_get0_content (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_crypto_CMS_get0_content=yes -else - ac_cv_lib_crypto_CMS_get0_content=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_CMS_get0_content" >&5 -$as_echo "$ac_cv_lib_crypto_CMS_get0_content" >&6; } -if test "x$ac_cv_lib_crypto_CMS_get0_content" = xyes; then : - -$as_echo "#define HAVE_OPENSSL_CMS 1" >>confdefs.h - -fi - - ;; -nss) - if test "${PKINIT_CRYPTO_IMPL_CFLAGS+set}" != set; then - PKINIT_CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss` - fi - if test "${PKINIT_CRYPTO_IMPL_LIBS+set}" != set; then - PKINIT_CRYPTO_IMPL_LIBS=`pkg-config --libs nss` - fi - -$as_echo "#define PKINIT_CRYPTO_IMPL_NSS 1" >>confdefs.h - - save_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS $PKINIT_CRYPTO_IMPL_CFLAGS" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 12) -#error -#elif NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH < 11 -#error -#endif - -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - -else - as_fn_error $? "NSS version 3.12.11 or later required." "$LINENO" 5 -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$save_CFLAGS - ;; -*) - as_fn_error $? "Unknown crypto implementation $withval" "$LINENO" 5 - ;; -esac -ac_config_commands="$ac_config_commands PKINIT_CRYPTO_IMPL" - - - - - -# WITH_TLS_IMPL - - -# Check whether --with-tls-impl was given. -if test "${with_tls_impl+set}" = set; then : - withval=$with_tls_impl; TLS_IMPL=$withval -else - TLS_IMPL=auto -fi - -case "$TLS_IMPL" in -openssl|auto) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_CTX_new in -lssl" >&5 -$as_echo_n "checking for SSL_CTX_new in -lssl... " >&6; } -if ${ac_cv_lib_ssl_SSL_CTX_new+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lssl -lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char SSL_CTX_new (); -int -main () -{ -return SSL_CTX_new (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_ssl_SSL_CTX_new=yes -else - ac_cv_lib_ssl_SSL_CTX_new=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ssl_SSL_CTX_new" >&5 -$as_echo "$ac_cv_lib_ssl_SSL_CTX_new" >&6; } -if test "x$ac_cv_lib_ssl_SSL_CTX_new" = xyes; then : - have_lib_ssl=true -else - have_lib_ssl=false -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for OpenSSL" >&5 -$as_echo_n "checking for OpenSSL... " >&6; } - if test x$have_lib_ssl = xtrue ; then - -$as_echo "#define TLS_IMPL_OPENSSL 1" >>confdefs.h - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - TLS_IMPL_LIBS="-lssl -lcrypto" - TLS_IMPL=openssl - { $as_echo "$as_me:${as_lineno-$LINENO}: TLS module will use OpenSSL" >&5 -$as_echo "$as_me: TLS module will use OpenSSL" >&6;} - else - if test "$TLS_IMPL" = openssl ; then - as_fn_error $? "OpenSSL not found!" "$LINENO" 5 - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: OpenSSL not found!" >&5 -$as_echo "$as_me: WARNING: OpenSSL not found!" >&2;} - fi - TLS_IMPL=no - { $as_echo "$as_me:${as_lineno-$LINENO}: building without TLS support" >&5 -$as_echo "$as_me: building without TLS support" >&6;} - fi - ;; -no) - { $as_echo "$as_me:${as_lineno-$LINENO}: building without TLS support" >&5 -$as_echo "$as_me: building without TLS support" >&6;} - ;; -*) - as_fn_error $? "Unsupported TLS implementation $withval" "$LINENO" 5 - ;; -esac - -if test "$TLS_IMPL" = no; then - -$as_echo "#define TLS_IMPL_NONE 1" >>confdefs.h - -fi - - - - - -# Check whether --enable-aesni was given. -if test "${enable_aesni+set}" = set; then : - enableval=$enable_aesni; -else - enable_aesni=check -fi - -if test "$CRYPTO_IMPL" = builtin -a "x$enable_aesni" != xno; then - case "$host" in - i686-*) - aesni_obj=iaesx86.o - aesni_machine=x86 - ;; - x86_64-*) - aesni_obj=iaesx64.o - aesni_machine=amd64 - ;; - esac - case "$host" in - *-*-linux* | *-*-gnu* | *-*-*bsd* | *-*-solaris*) - # All Unix-like platforms need -D__linux__ for iaesx64.s to - # use the System V x86-64 calling convention. - aesni_flags="-D__linux__ -f elf -m $aesni_machine" - ;; - esac - if test "x$aesni_obj" != x && test "x$aesni_flags" != x; then - # Extract the first word of "yasm", so it can be a program name with args. -set dummy yasm; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_YASM+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$YASM"; then - ac_cv_prog_YASM="$YASM" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_YASM="yasm" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -YASM=$ac_cv_prog_YASM -if test -n "$YASM"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $YASM" >&5 -$as_echo "$YASM" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - for ac_header in cpuid.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "cpuid.h" "ac_cv_header_cpuid_h" "$ac_includes_default" -if test "x$ac_cv_header_cpuid_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_CPUID_H 1 -_ACEOF - -fi - -done - - if test x"$YASM" != x -a "x$ac_cv_header_cpuid_h" = xyes; then - AESNI_OBJ=$aesni_obj - AESNI_FLAGS=$aesni_flags - -$as_echo "#define AESNI 1" >>confdefs.h - - { $as_echo "$as_me:${as_lineno-$LINENO}: Building with AES-NI support" >&5 -$as_echo "$as_me: Building with AES-NI support" >&6;} - fi - fi - if test "x$enable_aesni" = xyes -a "x$AESNI_OBJ" = x; then - as_fn_error $? "AES-NI support requested but cannot be built" "$LINENO" 5 - fi -fi - - - -# Check whether --enable-kdc-lookaside-cache was given. -if test "${enable_kdc_lookaside_cache+set}" = set; then : - enableval=$enable_kdc_lookaside_cache; -else - enableval=yes -fi - -if test "$enableval" = no ; then - -$as_echo "#define NOCACHE 1" >>confdefs.h - -fi -KRB5_RUN_ENV="$RUN_ENV" -KRB5_RUN_VARS="$RUN_VARS" - - - -# asan is a gcc and clang facility to instrument the code with memory -# error checking. To use it, we compile C and C++ source files with -# -fsanitize=address, and set ASAN=yes to suppress the undefined -# symbols check when building shared libraries. -# Check whether --enable-asan was given. -if test "${enable_asan+set}" = set; then : - enableval=$enable_asan; -else - enable_asan=no -fi - -if test "$enable_asan" != no; then - if test "$enable_asan" = yes; then - enable_asan=address - fi - ASAN_FLAGS="$DEFS -fsanitize=$enable_asan" - ASAN=yes - UNDEF_CHECK= -else - ASAN_FLAGS= - ASAN=no -fi - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of signal handlers" >&5 -$as_echo_n "checking return type of signal handlers... " >&6; } -if ${ac_cv_type_signal+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include - -int -main () -{ -return *(signal (0, 0)) (0) == 1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_type_signal=int -else - ac_cv_type_signal=void -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_signal" >&5 -$as_echo "$ac_cv_type_signal" >&6; } - -cat >>confdefs.h <<_ACEOF -#define RETSIGTYPE $ac_cv_type_signal -_ACEOF - - - -# from old include/configure.in - - -ac_config_headers="$ac_config_headers include/autoconf.h" - -for ac_prog in flex lex -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_LEX+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$LEX"; then - ac_cv_prog_LEX="$LEX" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_LEX="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -LEX=$ac_cv_prog_LEX -if test -n "$LEX"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $LEX" >&5 -$as_echo "$LEX" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$LEX" && break -done -test -n "$LEX" || LEX=":" - -if test "x$LEX" != "x:"; then - cat >conftest.l <<_ACEOF -%% -a { ECHO; } -b { REJECT; } -c { yymore (); } -d { yyless (1); } -e { /* IRIX 6.5 flex 2.5.4 underquotes its yyless argument. */ - yyless ((input () != 0)); } -f { unput (yytext[0]); } -. { BEGIN INITIAL; } -%% -#ifdef YYTEXT_POINTER -extern char *yytext; -#endif -int -main (void) -{ - return ! yylex () + ! yywrap (); -} -_ACEOF -{ { ac_try="$LEX conftest.l" -case "(($ac_try" in - *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; - *) ac_try_echo=$ac_try;; -esac -eval ac_try_echo="\"\$as_me:${as_lineno-$LINENO}: $ac_try_echo\"" -$as_echo "$ac_try_echo"; } >&5 - (eval "$LEX conftest.l") 2>&5 - ac_status=$? - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking lex output file root" >&5 -$as_echo_n "checking lex output file root... " >&6; } -if ${ac_cv_prog_lex_root+:} false; then : - $as_echo_n "(cached) " >&6 -else - -if test -f lex.yy.c; then - ac_cv_prog_lex_root=lex.yy -elif test -f lexyy.c; then - ac_cv_prog_lex_root=lexyy -else - as_fn_error $? "cannot find output from $LEX; giving up" "$LINENO" 5 -fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_root" >&5 -$as_echo "$ac_cv_prog_lex_root" >&6; } -LEX_OUTPUT_ROOT=$ac_cv_prog_lex_root - -if test -z "${LEXLIB+set}"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking lex library" >&5 -$as_echo_n "checking lex library... " >&6; } -if ${ac_cv_lib_lex+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ac_save_LIBS=$LIBS - ac_cv_lib_lex='none needed' - for ac_lib in '' -lfl -ll; do - LIBS="$ac_lib $ac_save_LIBS" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -`cat $LEX_OUTPUT_ROOT.c` -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_lex=$ac_lib -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - test "$ac_cv_lib_lex" != 'none needed' && break - done - LIBS=$ac_save_LIBS - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lex" >&5 -$as_echo "$ac_cv_lib_lex" >&6; } - test "$ac_cv_lib_lex" != 'none needed' && LEXLIB=$ac_cv_lib_lex -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether yytext is a pointer" >&5 -$as_echo_n "checking whether yytext is a pointer... " >&6; } -if ${ac_cv_prog_lex_yytext_pointer+:} false; then : - $as_echo_n "(cached) " >&6 -else - # POSIX says lex can declare yytext either as a pointer or an array; the -# default is implementation-dependent. Figure out which it is, since -# not all implementations provide the %pointer and %array declarations. -ac_cv_prog_lex_yytext_pointer=no -ac_save_LIBS=$LIBS -LIBS="$LEXLIB $ac_save_LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - #define YYTEXT_POINTER 1 -`cat $LEX_OUTPUT_ROOT.c` -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_prog_lex_yytext_pointer=yes -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_save_LIBS - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_prog_lex_yytext_pointer" >&5 -$as_echo "$ac_cv_prog_lex_yytext_pointer" >&6; } -if test $ac_cv_prog_lex_yytext_pointer = yes; then - -$as_echo "#define YYTEXT_POINTER 1" >>confdefs.h - -fi -rm -f conftest.l $LEX_OUTPUT_ROOT.c - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for an ANSI C-conforming const" >&5 -$as_echo_n "checking for an ANSI C-conforming const... " >&6; } -if ${ac_cv_c_const+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -int -main () -{ - -#ifndef __cplusplus - /* Ultrix mips cc rejects this sort of thing. */ - typedef int charset[2]; - const charset cs = { 0, 0 }; - /* SunOS 4.1.1 cc rejects this. */ - char const *const *pcpcc; - char **ppc; - /* NEC SVR4.0.2 mips cc rejects this. */ - struct point {int x, y;}; - static struct point const zero = {0,0}; - /* AIX XL C 1.02.0.0 rejects this. - It does not let you subtract one const X* pointer from another in - an arm of an if-expression whose if-part is not a constant - expression */ - const char *g = "string"; - pcpcc = &g + (g ? g-g : 0); - /* HPUX 7.0 cc rejects these. */ - ++pcpcc; - ppc = (char**) pcpcc; - pcpcc = (char const *const *) ppc; - { /* SCO 3.2v4 cc rejects this sort of thing. */ - char tx; - char *t = &tx; - char const *s = 0 ? (char *) 0 : (char const *) 0; - - *t++ = 0; - if (s) return 0; - } - { /* Someone thinks the Sun supposedly-ANSI compiler will reject this. */ - int x[] = {25, 17}; - const int *foo = &x[0]; - ++foo; - } - { /* Sun SC1.0 ANSI compiler rejects this -- but not the above. */ - typedef const int *iptr; - iptr p = 0; - ++p; - } - { /* AIX XL C 1.02.0.0 rejects this sort of thing, saying - "k.c", line 2.27: 1506-025 (S) Operand must be a modifiable lvalue. */ - struct s { int j; const int *ap[3]; } bx; - struct s *b = &bx; b->j = 5; - } - { /* ULTRIX-32 V3.1 (Rev 9) vcc rejects this */ - const int foo = 10; - if (!foo) return 0; - } - return !cs[0] && !zero.x; -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_const=yes -else - ac_cv_c_const=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_const" >&5 -$as_echo "$ac_cv_c_const" >&6; } -if test $ac_cv_c_const = no; then - -$as_echo "#define const /**/" >>confdefs.h - -fi - -ac_header_dirent=no -for ac_hdr in dirent.h sys/ndir.h sys/dir.h ndir.h; do - as_ac_Header=`$as_echo "ac_cv_header_dirent_$ac_hdr" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_hdr that defines DIR" >&5 -$as_echo_n "checking for $ac_hdr that defines DIR... " >&6; } -if eval \${$as_ac_Header+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include <$ac_hdr> - -int -main () -{ -if ((DIR *) 0) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$as_ac_Header=yes" -else - eval "$as_ac_Header=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -eval ac_res=\$$as_ac_Header - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_hdr" | $as_tr_cpp` 1 -_ACEOF - -ac_header_dirent=$ac_hdr; break -fi - -done -# Two versions of opendir et al. are in -ldir and -lx on SCO Xenix. -if test $ac_header_dirent = dirent.h; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 -$as_echo_n "checking for library containing opendir... " >&6; } -if ${ac_cv_search_opendir+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char opendir (); -int -main () -{ -return opendir (); - ; - return 0; -} -_ACEOF -for ac_lib in '' dir; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_opendir=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_opendir+:} false; then : - break -fi -done -if ${ac_cv_search_opendir+:} false; then : - -else - ac_cv_search_opendir=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 -$as_echo "$ac_cv_search_opendir" >&6; } -ac_res=$ac_cv_search_opendir -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -fi - -else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing opendir" >&5 -$as_echo_n "checking for library containing opendir... " >&6; } -if ${ac_cv_search_opendir+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_func_search_save_LIBS=$LIBS -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char opendir (); -int -main () -{ -return opendir (); - ; - return 0; -} -_ACEOF -for ac_lib in '' x; do - if test -z "$ac_lib"; then - ac_res="none required" - else - ac_res=-l$ac_lib - LIBS="-l$ac_lib $ac_func_search_save_LIBS" - fi - if ac_fn_c_try_link "$LINENO"; then : - ac_cv_search_opendir=$ac_res -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext - if ${ac_cv_search_opendir+:} false; then : - break -fi -done -if ${ac_cv_search_opendir+:} false; then : - -else - ac_cv_search_opendir=no -fi -rm conftest.$ac_ext -LIBS=$ac_func_search_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_search_opendir" >&5 -$as_echo "$ac_cv_search_opendir" >&6; } -ac_res=$ac_cv_search_opendir -if test "$ac_res" != no; then : - test "$ac_res" = "none required" || LIBS="$ac_res $LIBS" - -fi - -fi - -ac_fn_c_check_decl "$LINENO" "strerror_r" "ac_cv_have_decl_strerror_r" "$ac_includes_default" -if test "x$ac_cv_have_decl_strerror_r" = xyes; then : - ac_have_decl=1 -else - ac_have_decl=0 -fi - -cat >>confdefs.h <<_ACEOF -#define HAVE_DECL_STRERROR_R $ac_have_decl -_ACEOF - -for ac_func in strerror_r -do : - ac_fn_c_check_func "$LINENO" "strerror_r" "ac_cv_func_strerror_r" -if test "x$ac_cv_func_strerror_r" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_STRERROR_R 1 -_ACEOF - -fi -done - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether strerror_r returns char *" >&5 -$as_echo_n "checking whether strerror_r returns char *... " >&6; } -if ${ac_cv_func_strerror_r_char_p+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ac_cv_func_strerror_r_char_p=no - if test $ac_cv_have_decl_strerror_r = yes; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$ac_includes_default -int -main () -{ - - char buf[100]; - char x = *strerror_r (0, buf, sizeof buf); - char *p = strerror_r (0, buf, sizeof buf); - return !p || x; - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_func_strerror_r_char_p=yes -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - else - # strerror_r is not declared. Choose between - # systems that have relatively inaccessible declarations for the - # function. BeOS and DEC UNIX 4.0 fall in this category, but the - # former has a strerror_r that returns char*, while the latter - # has a strerror_r that returns `int'. - # This test should segfault on the DEC system. - if test "$cross_compiling" = yes; then : - : -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -$ac_includes_default - extern char *strerror_r (); -int -main () -{ -char buf[100]; - char x = *strerror_r (0, buf, sizeof buf); - return ! isalpha (x); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_func_strerror_r_char_p=yes -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - - fi - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_func_strerror_r_char_p" >&5 -$as_echo "$ac_cv_func_strerror_r_char_p" >&6; } -if test $ac_cv_func_strerror_r_char_p = yes; then - -$as_echo "#define STRERROR_R_CHAR_P 1" >>confdefs.h - -fi - -for ac_func in strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strftime strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -ac_fn_c_check_func "$LINENO" "mkstemp" "ac_cv_func_mkstemp" -if test "x$ac_cv_func_mkstemp" = xyes; then : - MKSTEMP_ST_OBJ= -MKSTEMP_OBJ= -else - MKSTEMP_ST_OBJ='mkstemp.o' -MKSTEMP_OBJ='$(OUTPRE)mkstemp.$(OBJEXT)' -EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_mkstemp" -fi - - - - -ac_fn_c_check_func "$LINENO" "gettimeofday" "ac_cv_func_gettimeofday" -if test "x$ac_cv_func_gettimeofday" = xyes; then : - GETTIMEOFDAY_ST_OBJ= - GETTIMEOFDAY_OBJ= - -$as_echo "#define HAVE_GETTIMEOFDAY 1" >>confdefs.h - - -else - GETTIMEOFDAY_ST_OBJ='gettimeofday.o' - GETTIMEOFDAY_OBJ='$(OUTPRE)gettimeofday.$(OBJEXT)' - EXTRA_SUPPORT_SYMS="$EXTRA_SUPPORT_SYMS krb5int_gettimeofday" -fi - - - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for sys_errlist declaration" >&5 -$as_echo_n "checking for sys_errlist declaration... " >&6; } -if ${krb5_cv_decl_sys_errlist+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -int -main () -{ -1+sys_nerr; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_decl_sys_errlist=yes -else - krb5_cv_decl_sys_errlist=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_decl_sys_errlist" >&5 -$as_echo "$krb5_cv_decl_sys_errlist" >&6; } -# assume sys_nerr won't be declared w/o being in libc -if test $krb5_cv_decl_sys_errlist = yes; then - -$as_echo "#define SYS_ERRLIST_DECLARED 1" >>confdefs.h - - -$as_echo "#define HAVE_SYS_ERRLIST 1" >>confdefs.h - -else - # This means that sys_errlist is not declared in errno.h, but may still - # be in libc. - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sys_errlist in libc" >&5 -$as_echo_n "checking for sys_errlist in libc... " >&6; } -if ${krb5_cv_var_sys_errlist+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -extern int sys_nerr; -int -main () -{ -if (1+sys_nerr < 0) return 1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_var_sys_errlist=yes -else - krb5_cv_var_sys_errlist=no; -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_var_sys_errlist" >&5 -$as_echo "$krb5_cv_var_sys_errlist" >&6; } - if test $krb5_cv_var_sys_errlist = yes; then - -$as_echo "#define HAVE_SYS_ERRLIST 1" >>confdefs.h - - # Do this cruft for backwards compatibility for now. - -$as_echo "#define NEED_SYS_ERRLIST 1" >>confdefs.h - - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: sys_errlist is neither in errno.h nor in libc" >&5 -$as_echo "$as_me: WARNING: sys_errlist is neither in errno.h nor in libc" >&2;} - fi -fi -for ac_header in unistd.h paths.h regex.h regexpr.h fcntl.h memory.h ifaddrs.h sys/filio.h byteswap.h machine/endian.h machine/byte_order.h sys/bswap.h endian.h pwd.h arpa/inet.h alloca.h dlfcn.h limits.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -ac_fn_c_check_header_compile "$LINENO" "regexp.h" "ac_cv_header_regexp_h" "#define INIT char *sp = instring; -#define GETC() (*sp++) -#define PEEKC() (*sp) -#define UNGETC(c) (--sp) -#define RETURN(c) return(c) -#define ERROR(c) - -" -if test "x$ac_cv_header_regexp_h" = xyes; then : - -fi - - -ac_fn_c_check_member "$LINENO" "struct stat" "st_mtimensec" "ac_cv_member_struct_stat_st_mtimensec" "#include -#include -" -if test "x$ac_cv_member_struct_stat_st_mtimensec" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_STAT_ST_MTIMENSEC 1 -_ACEOF - - -fi -ac_fn_c_check_member "$LINENO" "struct stat" "st_mtimespec.tv_nsec" "ac_cv_member_struct_stat_st_mtimespec_tv_nsec" "#include -#include -" -if test "x$ac_cv_member_struct_stat_st_mtimespec_tv_nsec" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_STAT_ST_MTIMESPEC_TV_NSEC 1 -_ACEOF - - -fi -ac_fn_c_check_member "$LINENO" "struct stat" "st_mtim.tv_nsec" "ac_cv_member_struct_stat_st_mtim_tv_nsec" "#include -#include -" -if test "x$ac_cv_member_struct_stat_st_mtim_tv_nsec" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC 1 -_ACEOF - - -fi - - -for ac_func in re_comp re_exec regexec -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - -ac_fn_c_check_type "$LINENO" "off_t" "ac_cv_type_off_t" "$ac_includes_default" -if test "x$ac_cv_type_off_t" = xyes; then : - -else - -cat >>confdefs.h <<_ACEOF -#define off_t long int -_ACEOF - -fi - - -# Fancy caching of perror result... -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for perror declaration" >&5 -$as_echo_n "checking for perror declaration... " >&6; } -if ${krb5_cv_decl_perror+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "perror" >/dev/null 2>&1; then : - krb5_cv_decl_perror=yes -else - krb5_cv_decl_perror=no -fi -rm -f conftest* - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_decl_perror" >&5 -$as_echo "$krb5_cv_decl_perror" >&6; } -if test $krb5_cv_decl_perror = yes; then - -$as_echo "#define HDR_HAS_PERROR 1" >>confdefs.h - -fi - - -if test "x$ac_cv_func_strptime" = xyes; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if strptime needs a prototype provided" >&5 -$as_echo_n "checking if strptime needs a prototype provided... " >&6; } -if ${krb5_cv_func_strptime_noproto+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -#undef strptime -struct k5foo {int foo; } xx; -extern int strptime (struct k5foo*); -strptime(&xx); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_func_strptime_noproto=yes -else - krb5_cv_func_strptime_noproto=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_strptime_noproto" >&5 -$as_echo "$krb5_cv_func_strptime_noproto" >&6; } -if test $krb5_cv_func_strptime_noproto = yes; then - -$as_echo "#define NEED_STRPTIME_PROTO 1" >>confdefs.h - -fi -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking if argument to wait is int *" >&5 -$as_echo_n "checking if argument to wait is int *... " >&6; } -if ${krb5_cv_struct_wait+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -extern pid_t wait(int *); -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_struct_wait=no -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -union wait i; -#ifdef WEXITSTATUS - WEXITSTATUS (i); -#endif - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_struct_wait=yes -else - krb5_cv_struct_wait=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_struct_wait" >&5 -$as_echo "$krb5_cv_struct_wait" >&6; } -if test $krb5_cv_struct_wait = no; then - -$as_echo "#define WAIT_USES_INT 1" >>confdefs.h - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for use of sigprocmask" >&5 -$as_echo_n "checking for use of sigprocmask... " >&6; } -if ${krb5_cv_func_sigprocmask_use+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -sigprocmask(SIG_SETMASK,0,0); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_func_sigprocmask_use=yes -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -sigmask(1); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_func_sigprocmask_use=no -else - krb5_cv_func_sigprocmask_use=yes -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_func_sigprocmask_use" >&5 -$as_echo "$krb5_cv_func_sigprocmask_use" >&6; } -if test $krb5_cv_func_sigprocmask_use = yes; then - -$as_echo "#define USE_SIGPROCMASK 1" >>confdefs.h - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 -$as_echo_n "checking for uid_t in sys/types.h... " >&6; } -if ${ac_cv_type_uid_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "uid_t" >/dev/null 2>&1; then : - ac_cv_type_uid_t=yes -else - ac_cv_type_uid_t=no -fi -rm -f conftest* - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 -$as_echo "$ac_cv_type_uid_t" >&6; } -if test $ac_cv_type_uid_t = no; then - -$as_echo "#define uid_t int" >>confdefs.h - - -$as_echo "#define gid_t int" >>confdefs.h - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking type of array argument to getgroups" >&5 -$as_echo_n "checking type of array argument to getgroups... " >&6; } -if ${ac_cv_type_getgroups+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test "$cross_compiling" = yes; then : - ac_cv_type_getgroups=cross -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -/* Thanks to Mike Rendell for this test. */ -$ac_includes_default -#define NGID 256 -#undef MAX -#define MAX(x, y) ((x) > (y) ? (x) : (y)) - -int -main () -{ - gid_t gidset[NGID]; - int i, n; - union { gid_t gval; long int lval; } val; - - val.lval = -1; - for (i = 0; i < NGID; i++) - gidset[i] = val.gval; - n = getgroups (sizeof (gidset) / MAX (sizeof (int), sizeof (gid_t)) - 1, - gidset); - /* Exit non-zero if getgroups seems to require an array of ints. This - happens when gid_t is short int but getgroups modifies an array - of ints. */ - return n > 0 && gidset[n] != val.gval; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_type_getgroups=gid_t -else - ac_cv_type_getgroups=int -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -if test $ac_cv_type_getgroups = cross; then - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "getgroups.*int.*gid_t" >/dev/null 2>&1; then : - ac_cv_type_getgroups=gid_t -else - ac_cv_type_getgroups=int -fi -rm -f conftest* - -fi -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_getgroups" >&5 -$as_echo "$ac_cv_type_getgroups" >&6; } - -cat >>confdefs.h <<_ACEOF -#define GETGROUPS_T $ac_cv_type_getgroups -_ACEOF - - - -ac_fn_c_check_func "$LINENO" "sigsetjmp" "ac_cv_func_sigsetjmp" -if test "x$ac_cv_func_sigsetjmp" = xyes; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for sigjmp_buf" >&5 -$as_echo_n "checking for sigjmp_buf... " >&6; } -if ${krb5_cv_struct_sigjmp_buf+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -sigjmp_buf x - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_struct_sigjmp_buf=yes -else - krb5_cv_struct_sigjmp_buf=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_struct_sigjmp_buf" >&5 -$as_echo "$krb5_cv_struct_sigjmp_buf" >&6; } -if test $krb5_cv_struct_sigjmp_buf = yes; then - -$as_echo "#define POSIX_SETJMP 1" >>confdefs.h - -fi - -fi - - -# *rpcent return types needed for lib/rpc - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of setrpcent" >&5 -$as_echo_n "checking return type of setrpcent... " >&6; } -if ${k5_cv_type_setrpcent+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#ifdef __cplusplus -extern "C" -#endif -extern void setrpcent(); -int -main () -{ -int i; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - k5_cv_type_setrpcent=void -else - k5_cv_type_setrpcent=int -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $k5_cv_type_setrpcent" >&5 -$as_echo "$k5_cv_type_setrpcent" >&6; } - -cat >>confdefs.h <<_ACEOF -#define SETRPCENT_TYPE $k5_cv_type_setrpcent -_ACEOF - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of endrpcent" >&5 -$as_echo_n "checking return type of endrpcent... " >&6; } -if ${k5_cv_type_endrpcent+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#ifdef __cplusplus -extern "C" -#endif -extern void endrpcent(); -int -main () -{ -int i; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - k5_cv_type_endrpcent=void -else - k5_cv_type_endrpcent=int -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $k5_cv_type_endrpcent" >&5 -$as_echo "$k5_cv_type_endrpcent" >&6; } - -cat >>confdefs.h <<_ACEOF -#define ENDRPCENT_TYPE $k5_cv_type_endrpcent -_ACEOF - - - -# bswap_16 is a macro in byteswap.h under GNU libc -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for bswap_16" >&5 -$as_echo_n "checking for bswap_16... " >&6; } -if ${krb5_cv_bswap_16+:} false; then : - $as_echo_n "(cached) " >&6 -else - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#if HAVE_BYTESWAP_H -#include -#endif -int -main () -{ -bswap_16(37); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_bswap_16=yes -else - krb5_cv_bswap_16=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_bswap_16" >&5 -$as_echo "$krb5_cv_bswap_16" >&6; } -if test "$krb5_cv_bswap_16" = yes; then - -$as_echo "#define HAVE_BSWAP_16 1" >>confdefs.h - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for bswap_64" >&5 -$as_echo_n "checking for bswap_64... " >&6; } -if ${krb5_cv_bswap_64+:} false; then : - $as_echo_n "(cached) " >&6 -else - -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#if HAVE_BYTESWAP_H -#include -#endif -int -main () -{ -bswap_64(37); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_bswap_64=yes -else - krb5_cv_bswap_64=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_bswap_64" >&5 -$as_echo "$krb5_cv_bswap_64" >&6; } -if test "$krb5_cv_bswap_64" = yes; then - -$as_echo "#define HAVE_BSWAP_64 1" >>confdefs.h - -fi - -# Needed for ksu and some appl stuff. - -case $krb5_cv_host in -alpha*-dec-osf*) - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for setluid in -lsecurity" >&5 -$as_echo_n "checking for setluid in -lsecurity... " >&6; } -if ${ac_cv_lib_security_setluid+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lsecurity $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char setluid (); -int -main () -{ -return setluid (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_security_setluid=yes -else - ac_cv_lib_security_setluid=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_security_setluid" >&5 -$as_echo "$ac_cv_lib_security_setluid" >&6; } -if test "x$ac_cv_lib_security_setluid" = xyes; then : - -$as_echo "#define HAVE_SETLUID 1" >>confdefs.h - - KSU_LIBS="-lsecurity" - -fi - - ;; -esac - - -if test $ac_cv_func_setenv = no || test $ac_cv_func_unsetenv = no \ - || test $ac_cv_func_getenv = no; then - SETENVOBJ=setenv.o -else - SETENVOBJ= -fi - - -# Check what the return types for gethostbyname_r and getservbyname_r are. - -ac_fn_c_check_func "$LINENO" "gethostbyname_r" "ac_cv_func_gethostbyname_r" -if test "x$ac_cv_func_gethostbyname_r" = xyes; then : - -ac_cv_func_gethostbyname_r=yes -if test "$ac_cv_func_gethostbyname_r" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if gethostbyname_r returns an int" >&5 -$as_echo_n "checking if gethostbyname_r returns an int... " >&6; } - if ${krb5_cv_gethostbyname_r_returns_int+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern int gethostbyname_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_gethostbyname_r_returns_int=yes -else - krb5_cv_gethostbyname_r_returns_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_gethostbyname_r_returns_int" >&5 -$as_echo "$krb5_cv_gethostbyname_r_returns_int" >&6; } - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if gethostbyname_r returns a pointer" >&5 -$as_echo_n "checking if gethostbyname_r returns a pointer... " >&6; } - if ${krb5_cv_gethostbyname_r_returns_ptr+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern struct hostent *gethostbyname_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_gethostbyname_r_returns_ptr=yes -else - krb5_cv_gethostbyname_r_returns_ptr=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_gethostbyname_r_returns_ptr" >&5 -$as_echo "$krb5_cv_gethostbyname_r_returns_ptr" >&6; } - - if test "$krb5_cv_gethostbyname_r_returns_int" = "$krb5_cv_gethostbyname_r_returns_ptr"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cannot determine return type of gethostbyname_r -- disabling" >&5 -$as_echo "$as_me: WARNING: cannot determine return type of gethostbyname_r -- disabling" >&2;} - ac_cv_func_gethostbyname_r=no - fi - if test "$krb5_cv_gethostbyname_r_returns_int" = yes; then - -$as_echo "#define GETHOSTBYNAME_R_RETURNS_INT 1" >>confdefs.h - - fi -fi -if test "$ac_cv_func_gethostbyname_r" = yes; then - -$as_echo "#define HAVE_GETHOSTBYNAME_R 1" >>confdefs.h - - ac_fn_c_check_func "$LINENO" "gethostbyaddr_r" "ac_cv_func_gethostbyaddr_r" -if test "x$ac_cv_func_gethostbyaddr_r" = xyes; then : - -fi - -fi - -fi - - - -ac_fn_c_check_func "$LINENO" "getpwnam_r" "ac_cv_func_getpwnam_r" -if test "x$ac_cv_func_getpwnam_r" = xyes; then : - ac_cv_func_getpwnam_r=yes -else - ac_cv_func_getpwnam_r=no -fi - -ac_fn_c_check_func "$LINENO" "getpwuid_r" "ac_cv_func_getpwuid_r" -if test "x$ac_cv_func_getpwuid_r" = xyes; then : - ac_cv_func_getpwuid_r=yes -else - ac_cv_func_getpwuid_r=no -fi - -if test "$ac_cv_func_getpwnam_r" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of getpwnam_r" >&5 -$as_echo_n "checking return type of getpwnam_r... " >&6; } - if ${krb5_cv_getpwnam_r_return_type+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern int getpwnam_r(); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - getpwnam_r_returns_int=yes -else - getpwnam_r_returns_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern struct passwd *getpwnam_r(); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - getpwnam_r_returns_ptr=yes -else - getpwnam_r_returns_ptr=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - case "$getpwnam_r_returns_int/$getpwnam_r_returns_ptr" in - yes/no) krb5_cv_getpwnam_r_return_type=int ;; - no/yes) krb5_cv_getpwnam_r_return_type=ptr ;; - *) krb5_cv_getpwnam_r_return_type=unknown ;; - esac -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_getpwnam_r_return_type" >&5 -$as_echo "$krb5_cv_getpwnam_r_return_type" >&6; } - if test $krb5_cv_getpwnam_r_return_type = int; then - -$as_echo "#define GETPWNAM_R_RETURNS_INT 1" >>confdefs.h - - elif test $krb5_cv_getpwnam_r_return_type = unknown; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine getpwnam_r return type, disabling getpwnam_r" >&5 -$as_echo "$as_me: WARNING: Cannot determine getpwnam_r return type, disabling getpwnam_r" >&2;} - ac_cv_func_getpwnam_r=no - fi -fi -if test "$ac_cv_func_getpwnam_r" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking number of arguments to getpwnam_r" >&5 -$as_echo_n "checking number of arguments to getpwnam_r... " >&6; } - if ${krb5_cv_getpwnam_r_args+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - struct passwd pwx; char buf[1024]; -int -main () -{ -getpwnam_r("", &pwx, buf, sizeof(buf)); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - args4=yes -else - args4=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - struct passwd pwx, *p; char buf[1024]; -int -main () -{ -getpwnam_r("", &pwx, buf, sizeof(buf), &p); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - args5=yes -else - args5=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - case $args4/$args5 in - yes/no) krb5_cv_getpwnam_r_args=4 ;; - no/yes) krb5_cv_getpwnam_r_args=5 ;; - *) krb5_cv_getpwnam_r_args=unknown ;; - esac -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_getpwnam_r_args" >&5 -$as_echo "$krb5_cv_getpwnam_r_args" >&6; } - if test "$krb5_cv_getpwnam_r_args" = unknown; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Cannot determine number of arguments to getpwnam_r, disabling its use." >&5 -$as_echo "$as_me: WARNING: Cannot determine number of arguments to getpwnam_r, disabling its use." >&2;} - ac_cv_func_getpwnam_r=no - else - -$as_echo "#define HAVE_GETPWNAM_R 1" >>confdefs.h - - if test "$krb5_cv_getpwnam_r_args" = 4; then - -$as_echo "#define GETPWNAM_R_4_ARGS 1" >>confdefs.h - - fi - fi -fi - -if test "$ac_cv_func_getpwnam_r" = no && test "$ac_cv_func_getpwuid_r" = yes; then - # Actually, we could do this check, and the corresponding checks - # for return type and number of arguments, but I doubt we'll run - # into a system where we'd get to use getpwuid_r but not getpwnam_r. - { $as_echo "$as_me:${as_lineno-$LINENO}: getpwnam_r not useful, so disabling getpwuid_r too" >&5 -$as_echo "$as_me: getpwnam_r not useful, so disabling getpwuid_r too" >&6;} - ac_cv_func_getpwuid_r=no -fi -if test "$ac_cv_func_getpwuid_r" = yes; then - -$as_echo "#define HAVE_GETPWUID_R 1" >>confdefs.h - - # Hack: Assume getpwuid_r is the shorter form if getpwnam_r is. - if test "$krb5_cv_getpwnam_r_args" = 4; then - -$as_echo "#define GETPWUID_R_4_ARGS 1" >>confdefs.h - - fi -fi - -if test "$ac_cv_func_gmtime_r" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether gmtime_r returns int" >&5 -$as_echo_n "checking whether gmtime_r returns int... " >&6; } - if ${krb5_cv_gmtime_r_returns_int+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern int gmtime_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - return_int=yes -else - return_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern struct tm *gmtime_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - return_ptr=yes -else - return_ptr=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - case $return_int/$return_ptr in - yes/no) krb5_cv_gmtime_r_returns_int=yes ;; - no/yes) krb5_cv_gmtime_r_returns_int=no ;; - *) # Can't figure it out, punt the function. - ac_cv_func_gmtime_r=no ;; - esac -fi - - if test "$ac_cv_func_gmtime_r" = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: unknown -- ignoring gmtime_r" >&5 -$as_echo "unknown -- ignoring gmtime_r" >&6; } - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_gmtime_r_returns_int" >&5 -$as_echo "$krb5_cv_gmtime_r_returns_int" >&6; } - if test "$krb5_cv_gmtime_r_returns_int" = yes; then - -$as_echo "#define GMTIME_R_RETURNS_INT 1" >>confdefs.h - - fi - fi -fi - -ac_fn_c_check_func "$LINENO" "getservbyname_r" "ac_cv_func_getservbyname_r" -if test "x$ac_cv_func_getservbyname_r" = xyes; then : - -ac_cv_func_getservbyname_r=yes -if test "$ac_cv_func_getservbyname_r" = yes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if getservbyname_r returns an int" >&5 -$as_echo_n "checking if getservbyname_r returns an int... " >&6; } - if ${krb5_cv_getservbyname_r_returns_int+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern int getservbyname_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_getservbyname_r_returns_int=yes -else - krb5_cv_getservbyname_r_returns_int=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_getservbyname_r_returns_int" >&5 -$as_echo "$krb5_cv_getservbyname_r_returns_int" >&6; } - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if getservbyname_r returns a pointer" >&5 -$as_echo_n "checking if getservbyname_r returns a pointer... " >&6; } - if ${krb5_cv_getservbyname_r_returns_ptr+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - extern struct servent *getservbyname_r (); -int -main () -{ -1; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_getservbyname_r_returns_ptr=yes -else - krb5_cv_getservbyname_r_returns_ptr=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_getservbyname_r_returns_ptr" >&5 -$as_echo "$krb5_cv_getservbyname_r_returns_ptr" >&6; } - - if test "$krb5_cv_getservbyname_r_returns_int" = "$krb5_cv_getservbyname_r_returns_ptr"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cannot determine return type of getservbyname_r -- disabling" >&5 -$as_echo "$as_me: WARNING: cannot determine return type of getservbyname_r -- disabling" >&2;} - ac_cv_func_getservbyname_r=no - fi - if test "$krb5_cv_getservbyname_r_returns_int" = yes; then - -$as_echo "#define GETSERVBYNAME_R_RETURNS_INT 1" >>confdefs.h - - fi -fi -if test "$ac_cv_func_getservbyname_r" = yes; then - -$as_echo "#define HAVE_GETSERVBYNAME_R 1" >>confdefs.h - - ac_fn_c_check_func "$LINENO" "getservbyport_r" "ac_cv_func_getservbyport_r" -if test "x$ac_cv_func_getservbyport_r" = xyes; then : - -fi - -fi - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for yylineno declaration" >&5 -$as_echo_n "checking for yylineno declaration... " >&6; } -if ${krb5_cv_type_yylineno+:} false; then : - $as_echo_n "(cached) " >&6 -else - # some systems have yylineno, others don't... - echo '%% -%%' | ${LEX} -t > conftest.out - if egrep yylineno conftest.out >/dev/null 2>&1; then - krb5_cv_type_yylineno=yes - else - krb5_cv_type_yylineno=no - fi - rm -f conftest.out -fi - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_type_yylineno" >&5 -$as_echo "$krb5_cv_type_yylineno" >&6; } - if test $krb5_cv_type_yylineno = no; then - -$as_echo "#define NO_YYLINENO 1" >>confdefs.h - - fi - - -ac_fn_c_check_header_mongrel "$LINENO" "dirent.h" "ac_cv_header_dirent_h" "$ac_includes_default" -if test "x$ac_cv_header_dirent_h" = xyes; then : - -$as_echo "#define USE_DIRENT_H 1" >>confdefs.h - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for uid_t in sys/types.h" >&5 -$as_echo_n "checking for uid_t in sys/types.h... " >&6; } -if ${ac_cv_type_uid_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include - -_ACEOF -if (eval "$ac_cpp conftest.$ac_ext") 2>&5 | - $EGREP "uid_t" >/dev/null 2>&1; then : - ac_cv_type_uid_t=yes -else - ac_cv_type_uid_t=no -fi -rm -f conftest* - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_type_uid_t" >&5 -$as_echo "$ac_cv_type_uid_t" >&6; } -if test $ac_cv_type_uid_t = no; then - -$as_echo "#define uid_t int" >>confdefs.h - - -$as_echo "#define gid_t int" >>confdefs.h - -fi - - -ac_fn_c_check_header_mongrel "$LINENO" "termios.h" "ac_cv_header_termios_h" "$ac_includes_default" -if test "x$ac_cv_header_termios_h" = xyes; then : - ac_fn_c_check_func "$LINENO" "tcsetattr" "ac_cv_func_tcsetattr" -if test "x$ac_cv_func_tcsetattr" = xyes; then : - -$as_echo "#define POSIX_TERMIOS 1" >>confdefs.h - -fi - -fi - - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking POSIX signal handlers" >&5 -$as_echo_n "checking POSIX signal handlers... " >&6; } -if ${krb5_cv_has_posix_signals+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#ifdef signal -#undef signal -#endif -extern void (*signal ()) (); -int -main () -{ - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_has_posix_signals=yes -else - krb5_cv_has_posix_signals=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_has_posix_signals" >&5 -$as_echo "$krb5_cv_has_posix_signals" >&6; } -if test $krb5_cv_has_posix_signals = yes; then - stype=void - -$as_echo "#define POSIX_SIGTYPE 1" >>confdefs.h - -else - if test $ac_cv_type_signal = void; then - stype=void - else - stype=int - fi -fi - -cat >>confdefs.h <<_ACEOF -#define krb5_sigtype $stype -_ACEOF - -for ac_header in poll.h stdlib.h string.h stddef.h sys/types.h sys/file.h sys/param.h sys/stat.h sys/time.h netinet/in.h sys/uio.h sys/filio.h sys/select.h time.h paths.h errno.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - - -# If compiling with IPv6 support, test if in6addr_any functions. -# Irix 6.5.16 defines it, but lacks support in the C library. -if test $krb5_cv_inet6 = yes || test "$krb5_cv_inet6_with_dinet6" = yes ; then -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for in6addr_any definition in library" >&5 -$as_echo_n "checking for in6addr_any definition in library... " >&6; } -if ${krb5_cv_var_in6addr_any+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#ifdef HAVE_SYS_TYPES_H -#include -#endif -#include -#include -#include - -int -main () -{ - - struct sockaddr_in6 in; - in.sin6_addr = in6addr_any; - printf("%x", &in); - - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - krb5_cv_var_in6addr_any=yes -else - krb5_cv_var_in6addr_any=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_var_in6addr_any" >&5 -$as_echo "$krb5_cv_var_in6addr_any" >&6; } - if test $krb5_cv_var_in6addr_any = no; then - -$as_echo "#define NEED_INSIXADDR_ANY 1" >>confdefs.h - - fi -fi - -# then from osconf.h, we have - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether time.h and sys/time.h may both be included" >&5 -$as_echo_n "checking whether time.h and sys/time.h may both be included... " >&6; } -if ${ac_cv_header_time+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#include - -int -main () -{ -if ((struct tm *) 0) -return 0; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_header_time=yes -else - ac_cv_header_time=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_header_time" >&5 -$as_echo "$ac_cv_header_time" >&6; } -if test $ac_cv_header_time = yes; then - -$as_echo "#define TIME_WITH_SYS_TIME 1" >>confdefs.h - -fi - -ac_fn_c_check_type "$LINENO" "time_t" "ac_cv_type_time_t" "$ac_includes_default" -if test "x$ac_cv_type_time_t" = xyes; then : - -else - -cat >>confdefs.h <<_ACEOF -#define time_t long -_ACEOF - -fi - - -# Determine where to put the replay cache. - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for replay cache directory" >&5 -$as_echo_n "checking for replay cache directory... " >&6; } -if ${krb5_cv_sys_rcdir+:} false; then : - $as_echo_n "(cached) " >&6 -else - -if test $cross_compiling = yes; then - krb5_cv_sys_rcdir=/var/tmp -else - for t_dir in /var/tmp /usr/tmp /var/usr/tmp /tmp ; do - test -d $t_dir || continue - krb5_cv_sys_rcdir=$t_dir - break - done -fi -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_sys_rcdir" >&5 -$as_echo "$krb5_cv_sys_rcdir" >&6; } -KRB5_RCTMPDIR=$krb5_cv_sys_rcdir - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for socklen_t" >&5 -$as_echo_n "checking for socklen_t... " >&6; } -if ${krb5_cv_has_type_socklen_t+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include - -int -main () -{ -sizeof (socklen_t); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_has_type_socklen_t=yes -else - krb5_cv_has_type_socklen_t=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_has_type_socklen_t" >&5 -$as_echo "$krb5_cv_has_type_socklen_t" >&6; } -if test $krb5_cv_has_type_socklen_t = yes; then - -$as_echo "#define HAVE_SOCKLEN_T 1" >>confdefs.h - -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct lifconf" >&5 -$as_echo_n "checking for struct lifconf... " >&6; } -if ${krb5_cv_has_struct_lifconf+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include - -int -main () -{ -sizeof (struct lifconf); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_has_struct_lifconf=yes -else - krb5_cv_has_struct_lifconf=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_has_struct_lifconf" >&5 -$as_echo "$krb5_cv_has_struct_lifconf" >&6; } -if test $krb5_cv_has_struct_lifconf = yes; then - -$as_echo "#define HAVE_STRUCT_LIFCONF 1" >>confdefs.h - -fi -# HP-UX 11 uses stuct if_laddrconf -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for struct if_laddrconf" >&5 -$as_echo_n "checking for struct if_laddrconf... " >&6; } -if ${krb5_cv_has_struct_if_laddrconf+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#include -#include - -int -main () -{ -sizeof (struct if_laddrconf); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_has_struct_if_laddrconf=yes -else - krb5_cv_has_struct_if_laddrconf=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_has_struct_if_laddrconf" >&5 -$as_echo "$krb5_cv_has_struct_if_laddrconf" >&6; } -if test $krb5_cv_has_struct_if_laddrconf = yes; then - -$as_echo "#define HAVE_STRUCT_IF_LADDRCONF 1" >>confdefs.h - -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for h_errno in netdb.h" >&5 -$as_echo_n "checking for h_errno in netdb.h... " >&6; } -if ${krb5_cv_header_netdb_h_h_errno+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int x = h_errno; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_header_netdb_h_h_errno=yes -else - krb5_cv_header_netdb_h_h_errno=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_header_netdb_h_h_errno" >&5 -$as_echo "$krb5_cv_header_netdb_h_h_errno" >&6; } -if test $krb5_cv_header_netdb_h_h_errno = yes; then - -$as_echo "#define HAVE_NETDB_H_H_ERRNO 1" >>confdefs.h - -fi - - -# Check whether --enable-athena was given. -if test "${enable_athena+set}" = set; then : - enableval=$enable_athena; -$as_echo "#define KRB5_ATHENA_COMPAT 1" >>confdefs.h - -fi - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for inline" >&5 -$as_echo_n "checking for inline... " >&6; } -if ${ac_cv_c_inline+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_cv_c_inline=no -for ac_kw in inline __inline__ __inline; do - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#ifndef __cplusplus -typedef int foo_t; -static $ac_kw foo_t static_foo () {return 0; } -$ac_kw foo_t foo () {return 0; } -#endif - -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ac_cv_c_inline=$ac_kw -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - test "$ac_cv_c_inline" != no && break -done - -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_c_inline" >&5 -$as_echo "$ac_cv_c_inline" >&6; } - -case $ac_cv_c_inline in - inline | yes) ;; - *) - case $ac_cv_c_inline in - no) ac_val=;; - *) ac_val=$ac_cv_c_inline;; - esac - cat >>confdefs.h <<_ACEOF -#ifndef __cplusplus -#define inline $ac_val -#endif -_ACEOF - ;; -esac - - - - -ac_fn_c_check_type "$LINENO" "struct cmsghdr" "ac_cv_type_struct_cmsghdr" " -#include -#include -#include - -" -if test "x$ac_cv_type_struct_cmsghdr" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_CMSGHDR 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "struct in_pktinfo" "ac_cv_type_struct_in_pktinfo" " -#include -#include -#include - -" -if test "x$ac_cv_type_struct_in_pktinfo" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_IN_PKTINFO 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "struct in6_pktinfo" "ac_cv_type_struct_in6_pktinfo" " -#include -#include -#include - -" -if test "x$ac_cv_type_struct_in6_pktinfo" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_IN6_PKTINFO 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "struct sockaddr_storage" "ac_cv_type_struct_sockaddr_storage" " -#include -#include -#include - -" -if test "x$ac_cv_type_struct_sockaddr_storage" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_SOCKADDR_STORAGE 1 -_ACEOF - - -fi - -ac_fn_c_check_type "$LINENO" "struct rt_msghdr" "ac_cv_type_struct_rt_msghdr" " -#include -#include -#include - -" -if test "x$ac_cv_type_struct_rt_msghdr" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_STRUCT_RT_MSGHDR 1 -_ACEOF - - -fi - - -# stuff for util/profile - -# AC_KRB5_TCL already done -DO_TCL= -test "$TCL_LIBS" != "" && DO_TCL=ok - - -# types libdb2 wants - -ac_fn_c_check_type "$LINENO" "ssize_t" "ac_cv_type_ssize_t" "$ac_includes_default" -if test "x$ac_cv_type_ssize_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_SSIZE_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_char" "ac_cv_type_u_char" "$ac_includes_default" -if test "x$ac_cv_type_u_char" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_CHAR 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_int" "ac_cv_type_u_int" "$ac_includes_default" -if test "x$ac_cv_type_u_int" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_long" "ac_cv_type_u_long" "$ac_includes_default" -if test "x$ac_cv_type_u_long" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_LONG 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_int8_t" "ac_cv_type_u_int8_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int8_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT8_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_int16_t" "ac_cv_type_u_int16_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int16_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT16_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "u_int32_t" "ac_cv_type_u_int32_t" "$ac_includes_default" -if test "x$ac_cv_type_u_int32_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_U_INT32_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "int8_t" "ac_cv_type_int8_t" "$ac_includes_default" -if test "x$ac_cv_type_int8_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT8_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "int16_t" "ac_cv_type_int16_t" "$ac_includes_default" -if test "x$ac_cv_type_int16_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT16_T 1 -_ACEOF - - -fi -ac_fn_c_check_type "$LINENO" "int32_t" "ac_cv_type_int32_t" "$ac_includes_default" -if test "x$ac_cv_type_int32_t" = xyes; then : - -cat >>confdefs.h <<_ACEOF -#define HAVE_INT32_T 1 -_ACEOF - - -fi - - -# Some libdb2 test programs want a shell that supports functions. -FCTSH=false -# Extract the first word of "sh", so it can be a program name with args. -set dummy sh; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_SH+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $SH in - [\\/]* | ?:[\\/]*) - ac_cv_path_SH="$SH" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_SH="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_SH" && ac_cv_path_SH="false" - ;; -esac -fi -SH=$ac_cv_path_SH -if test -n "$SH"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SH" >&5 -$as_echo "$SH" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "sh5", so it can be a program name with args. -set dummy sh5; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_SH5+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $SH5 in - [\\/]* | ?:[\\/]*) - ac_cv_path_SH5="$SH5" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_SH5="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_SH5" && ac_cv_path_SH5="false" - ;; -esac -fi -SH5=$ac_cv_path_SH5 -if test -n "$SH5"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $SH5" >&5 -$as_echo "$SH5" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "bash", so it can be a program name with args. -set dummy bash; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_BASH+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $BASH in - [\\/]* | ?:[\\/]*) - ac_cv_path_BASH="$BASH" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_BASH="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_BASH" && ac_cv_path_BASH="false" - ;; -esac -fi -BASH=$ac_cv_path_BASH -if test -n "$BASH"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $BASH" >&5 -$as_echo "$BASH" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -for prog in $SH $SH5 $BASH; do - { $as_echo "$as_me:${as_lineno-$LINENO}: checking if $prog supports functions" >&5 -$as_echo_n "checking if $prog supports functions... " >&6; } - if $prog -c 'foo() { true; }; foo' >/dev/null 2>&1; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - FCTSH=$prog - break - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - fi -done - - -# Test for POSIX 2001 *printf support (X/Open System Interfaces extension -# to ANSI/ISO C 1999 specification). Specifically, positional -# specifications; not checking for other features like %zx at present. -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for POSIX printf positional specification support" >&5 -$as_echo_n "checking for POSIX printf positional specification support... " >&6; } -if ${ac_cv_printf_positional+:} false; then : - $as_echo_n "(cached) " >&6 -else - -if test "$cross_compiling" = yes; then : - as_fn_error $? "Cannot test for printf positional argument support when cross compiling" "$LINENO" 5 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -#include -#include -const char expected[] = "200 100"; -int main () { - char buf[30]; - sprintf(buf, "%2\$x %1\$d", 100, 512); - if (strcmp(expected, buf)) { - fprintf(stderr,"bad result: <%s> wanted: <%s>\n", buf, expected); - return 1; - } - return 0; -} -_ACEOF -if ac_fn_c_try_run "$LINENO"; then : - ac_cv_printf_positional=yes -else - ac_cv_printf_positional=no -fi -rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \ - conftest.$ac_objext conftest.beam conftest.$ac_ext -fi - -fi - -# Nothing for autoconf.h for now. -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_printf_positional" >&5 -$as_echo "$ac_cv_printf_positional" >&6; } - - -# for t_locate_kdc test - -# Extract the first word of "dig", so it can be a program name with args. -set dummy dig; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_DIG+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $DIG in - [\\/]* | ?:[\\/]*) - ac_cv_path_DIG="$DIG" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_DIG="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_DIG" && ac_cv_path_DIG="false" - ;; -esac -fi -DIG=$ac_cv_path_DIG -if test -n "$DIG"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $DIG" >&5 -$as_echo "$DIG" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "nslookup", so it can be a program name with args. -set dummy nslookup; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_NSLOOKUP+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $NSLOOKUP in - [\\/]* | ?:[\\/]*) - ac_cv_path_NSLOOKUP="$NSLOOKUP" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_NSLOOKUP="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - test -z "$ac_cv_path_NSLOOKUP" && ac_cv_path_NSLOOKUP="false" - ;; -esac -fi -NSLOOKUP=$ac_cv_path_NSLOOKUP -if test -n "$NSLOOKUP"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NSLOOKUP" >&5 -$as_echo "$NSLOOKUP" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - -# for kadmin - -for ac_prog in 'bison -y' byacc -do - # Extract the first word of "$ac_prog", so it can be a program name with args. -set dummy $ac_prog; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_YACC+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$YACC"; then - ac_cv_prog_YACC="$YACC" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_YACC="$ac_prog" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -YACC=$ac_cv_prog_YACC -if test -n "$YACC"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $YACC" >&5 -$as_echo "$YACC" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - test -n "$YACC" && break -done -test -n "$YACC" || YACC="yacc" - -ath_compat= -# Check whether --enable-athena was given. -if test "${enable_athena+set}" = set; then : - enableval=$enable_athena; ath_compat=compat -fi - -# The following are tests for the presence of programs required for -# kadmin testing. -# Extract the first word of "runtest", so it can be a program name with args. -set dummy runtest; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_have_RUNTEST+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$have_RUNTEST"; then - ac_cv_prog_have_RUNTEST="$have_RUNTEST" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_have_RUNTEST="runtest" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -have_RUNTEST=$ac_cv_prog_have_RUNTEST -if test -n "$have_RUNTEST"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_RUNTEST" >&5 -$as_echo "$have_RUNTEST" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_have_PERL+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$have_PERL"; then - ac_cv_prog_have_PERL="$have_PERL" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_have_PERL="perl" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -have_PERL=$ac_cv_prog_have_PERL -if test -n "$have_PERL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $have_PERL" >&5 -$as_echo "$have_PERL" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -if test "$have_PERL" = perl -a "$have_RUNTEST" = runtest -a "$TCL_LIBS" != ""; then - DO_TEST=ok -fi - - -# The following are substituted into kadmin/testing/scripts/env-setup.sh -RBUILD=`pwd` - -case "$srcdir" in -/*) S_TOP=$srcdir ;; -*) S_TOP=`pwd`/$srcdir ;; -esac - -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_PERL_PATH+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $PERL_PATH in - [\\/]* | ?:[\\/]*) - ac_cv_path_PERL_PATH="$PERL_PATH" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_PERL_PATH="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -PERL_PATH=$ac_cv_path_PERL_PATH -if test -n "$PERL_PATH"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL_PATH" >&5 -$as_echo "$PERL_PATH" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "expect", so it can be a program name with args. -set dummy expect; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_EXPECT+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $EXPECT in - [\\/]* | ?:[\\/]*) - ac_cv_path_EXPECT="$EXPECT" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_EXPECT="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -EXPECT=$ac_cv_path_EXPECT -if test -n "$EXPECT"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $EXPECT" >&5 -$as_echo "$EXPECT" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# For kadmin/testing/util/Makefile.in -if test "$TCL_LIBS" != "" ; then - DO_ALL=tcl -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to use priocntl hack" >&5 -$as_echo_n "checking whether to use priocntl hack... " >&6; } -if ${krb5_cv_priocntl_hack+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $krb5_cv_host in -*-*-solaris2.9*) - if test "$cross_compiling" = yes; then - krb5_cv_priocntl_hack=yes - else - # Solaris patch 117171-11 (sparc) or 117172-11 (x86) - # fixes the Solaris 9 bug where final pty output - # gets lost on close. - if showrev -p | $AWK 'BEGIN { e = 1 } -/Patch: 11717[12]/ { x = index($2, "-"); -if (substr($2, x + 1, length($2) - x) >= 11) -{ e = 0 } else { e = 1 } } -END { exit e; }'; then - krb5_cv_priocntl_hack=no - else - krb5_cv_priocntl_hack=yes - fi - fi - ;; -*) - krb5_cv_priocntl_hack=no - ;; -esac -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_priocntl_hack" >&5 -$as_echo "$krb5_cv_priocntl_hack" >&6; } -if test "$krb5_cv_priocntl_hack" = yes; then - PRIOCNTL_HACK=1 -else - PRIOCNTL_HACK=0 -fi - -ac_config_files="$ac_config_files kadmin/testing/scripts/env-setup.sh:kadmin/testing/scripts/env-setup.shin" - -# for lib/kadm5 -# Extract the first word of "runtest", so it can be a program name with args. -set dummy runtest; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_RUNTEST+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$RUNTEST"; then - ac_cv_prog_RUNTEST="$RUNTEST" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_RUNTEST="runtest" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -RUNTEST=$ac_cv_prog_RUNTEST -if test -n "$RUNTEST"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $RUNTEST" >&5 -$as_echo "$RUNTEST" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -# Extract the first word of "perl", so it can be a program name with args. -set dummy perl; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_PERL+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$PERL"; then - ac_cv_prog_PERL="$PERL" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_PERL="perl" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -PERL=$ac_cv_prog_PERL -if test -n "$PERL"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PERL" >&5 -$as_echo "$PERL" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - -# lib/gssapi -ac_fn_c_check_header_mongrel "$LINENO" "xom.h" "ac_cv_header_xom_h" "$ac_includes_default" -if test "x$ac_cv_header_xom_h" = xyes; then : - - include_xom='awk '\''END{printf("%cinclude \n", 35);}'\'' < /dev/null' -else - - include_xom='echo "/* no xom.h */"' -fi - - - - - -# lib/rpc -### Check where struct rpcent is declared. - -# This is necessary to determine: -# 1. If /usr/include/netdb.h declares struct rpcent -# 2. If /usr/include/rpc/netdb.h declares struct rpcent - -# We have our own rpc/netdb.h, and if /usr/include/netdb.h includes -# rpc/netdb.h, then nastiness could happen. - -# Logic: If /usr/include/netdb.h declares struct rpcent, then check -# rpc/netdb.h. If /usr/include/rpc/netdb.h declares struct rpcent, -# then define STRUCT_RPCENT_IN_RPC_NETDB_H, otherwise do not. If -# neither netdb.h nor rpc/netdb.h declares struct rpcent, then define -# STRUCT_RPCENT_IN_RPC_NETDB_H anyway. - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking where struct rpcent is declared" >&5 -$as_echo_n "checking where struct rpcent is declared... " >&6; } -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -struct rpcent e; -char c = e.r_name[0]; -int i = e.r_number; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -struct rpcent e; -char c = e.r_name[0]; -int i = e.r_number; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - { $as_echo "$as_me:${as_lineno-$LINENO}: result: rpc/netdb.h" >&5 -$as_echo "rpc/netdb.h" >&6; } -rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H' -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: netdb.h" >&5 -$as_echo "netdb.h" >&6; } -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: nowhere" >&5 -$as_echo "nowhere" >&6; } -rpcent_define='#define STRUCT_RPCENT_IN_RPC_NETDB_H' -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - - -for ac_header in sys/select.h sys/time.h unistd.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - -fi - -done - -if test $ac_cv_header_sys_select_h = yes; then - GSSRPC__SYS_SELECT_H='#include ' -else - GSSRPC__SYS_SELECT_H='/* #include */' -fi - -if test $ac_cv_header_sys_time_h = yes; then - GSSRPC__SYS_TIME_H='#include ' -else - GSSRPC__SYS_TIME_H='/* #include */' -fi - -if test $ac_cv_header_unistd_h = yes; then - GSSRPC__UNISTD_H='#include ' -else - GSSRPC__UNISTD_H='/* #include */' -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for MAXHOSTNAMELEN in sys/param.h" >&5 -$as_echo_n "checking for MAXHOSTNAMELEN in sys/param.h... " >&6; } -if ${krb5_cv_header_sys_param_h_maxhostnamelen+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int i = MAXHOSTNAMELEN; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_header_sys_param_h_maxhostnamelen=yes -else - krb5_cv_header_sys_param_h_maxhostnamelen=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_header_sys_param_h_maxhostnamelen" >&5 -$as_echo "$krb5_cv_header_sys_param_h_maxhostnamelen" >&6; } -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for MAXHOSTNAMELEN in netdb.h" >&5 -$as_echo_n "checking for MAXHOSTNAMELEN in netdb.h... " >&6; } -if ${krb5_cv_header_netdb_h_maxhostnamelen+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -int i = MAXHOSTNAMELEN; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_header_netdb_h_maxhostnamelen=yes -else - krb5_cv_header_netdb_h_maxhostnamelen=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_header_netdb_h_maxhostnamelen" >&5 -$as_echo "$krb5_cv_header_netdb_h_maxhostnamelen" >&6; } - -GSSRPC__SYS_PARAM_H='/* #include */' -GSSRPC__NETDB_H='/* #include */' -if test $krb5_cv_header_sys_param_h_maxhostnamelen = yes; then - GSSRPC__SYS_PARAM_H='#include ' -else - if test $krb5_cv_header_netdb_h_maxhostnamelen = yes; then - GSSRPC__NETDB_H='#include ' - else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: can't find MAXHOSTNAMELEN definition; faking it" >&5 -$as_echo "$as_me: WARNING: can't find MAXHOSTNAMELEN definition; faking it" >&2;} - fi -fi - - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for BSD type aliases" >&5 -$as_echo_n "checking for BSD type aliases... " >&6; } -if ${krb5_cv_type_bsdaliases+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#if HAVE_UNISTD_H -#include -#endif -int -main () -{ -u_char c; -u_int i; -u_long l; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - krb5_cv_type_bsdaliases=yes -else - krb5_cv_type_bsdaliases=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $krb5_cv_type_bsdaliases" >&5 -$as_echo "$krb5_cv_type_bsdaliases" >&6; } -if test $krb5_cv_type_bsdaliases = yes; then - GSSRPC__BSD_TYPEALIASES='/* #undef GSSRPC__BSD_TYPEALIASES */' -else - GSSRPC__BSD_TYPEALIASES='#define GSSRPC__BSD_TYPEALIASES 1' -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of setrpcent" >&5 -$as_echo_n "checking return type of setrpcent... " >&6; } -if ${k5_cv_type_setrpcent+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#ifdef __cplusplus -extern "C" -#endif -extern void setrpcent(); -int -main () -{ -int i; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - k5_cv_type_setrpcent=void -else - k5_cv_type_setrpcent=int -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $k5_cv_type_setrpcent" >&5 -$as_echo "$k5_cv_type_setrpcent" >&6; } - -cat >>confdefs.h <<_ACEOF -#define SETRPCENT_TYPE $k5_cv_type_setrpcent -_ACEOF - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking return type of endrpcent" >&5 -$as_echo_n "checking return type of endrpcent... " >&6; } -if ${k5_cv_type_endrpcent+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#ifdef __cplusplus -extern "C" -#endif -extern void endrpcent(); -int -main () -{ -int i; - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - k5_cv_type_endrpcent=void -else - k5_cv_type_endrpcent=int -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $k5_cv_type_endrpcent" >&5 -$as_echo "$k5_cv_type_endrpcent" >&6; } - -cat >>confdefs.h <<_ACEOF -#define ENDRPCENT_TYPE $k5_cv_type_endrpcent -_ACEOF - -ac_config_files="$ac_config_files include/gssrpc/types.h:include/gssrpc/types.hin" - -PASS=tcp - - -# for pkinit -# Check whether --enable-pkinit was given. -if test "${enable_pkinit+set}" = set; then : - enableval=$enable_pkinit; -else - enable_pkinit=try -fi - -if test "$enable_pkinit" = yes || test "$enable_pkinit" = try; then - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for a recent enough OpenSSL" >&5 -$as_echo_n "checking for a recent enough OpenSSL... " >&6; } -if ${k5_cv_openssl_version_okay+:} false; then : - $as_echo_n "(cached) " >&6 -else - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -#if OPENSSL_VERSION_NUMBER < 0x10000000L -# error openssl is too old, need 1.0.0 -#endif -int i = 1; - -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - k5_cv_openssl_version_okay=yes -else - k5_cv_openssl_version_okay=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $k5_cv_openssl_version_okay" >&5 -$as_echo "$k5_cv_openssl_version_okay" >&6; } - old_LIBS="$LIBS" - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PKCS7_get_signer_info in -lcrypto" >&5 -$as_echo_n "checking for PKCS7_get_signer_info in -lcrypto... " >&6; } -if ${ac_cv_lib_crypto_PKCS7_get_signer_info+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcrypto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char PKCS7_get_signer_info (); -int -main () -{ -return PKCS7_get_signer_info (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_crypto_PKCS7_get_signer_info=yes -else - ac_cv_lib_crypto_PKCS7_get_signer_info=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_crypto_PKCS7_get_signer_info" >&5 -$as_echo "$ac_cv_lib_crypto_PKCS7_get_signer_info" >&6; } -if test "x$ac_cv_lib_crypto_PKCS7_get_signer_info" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_LIBCRYPTO 1 -_ACEOF - - LIBS="-lcrypto $LIBS" - -fi - - LIBS="$old_LIBS" -fi -if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then - ac_config_files="$ac_config_files plugins/preauth/pkinit/Makefile:$srcdir/./config/pre.in:plugins/preauth/pkinit/Makefile.in:plugins/preauth/pkinit/deps:$srcdir/./config/post.in" - - - - PKINIT=yes -elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then - as_fn_error $? "Version of OpenSSL is too old; cannot enable PKINIT." "$LINENO" 5 -else - -$as_echo "#define DISABLE_PKINIT 1" >>confdefs.h - - { $as_echo "$as_me:${as_lineno-$LINENO}: Disabling PKINIT support." >&5 -$as_echo "$as_me: Disabling PKINIT support." >&6;} - PKINIT=no -fi - - -# for lib/apputils -ac_fn_c_check_func "$LINENO" "daemon" "ac_cv_func_daemon" -if test "x$ac_cv_func_daemon" = xyes; then : - $as_echo "#define HAVE_DAEMON 1" >>confdefs.h - -else - case " $LIBOBJS " in - *" daemon.$ac_objext "* ) ;; - *) LIBOBJS="$LIBOBJS daemon.$ac_objext" - ;; -esac - -fi - - - -# for tests/ -if test x"$RUNTEST" != x; then - HAVE_RUNTEST=yes -else - HAVE_RUNTEST=no -fi - - -# For Python tests. -# Extract the first word of "python", so it can be a program name with args. -set dummy python; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_prog_PYTHON+:} false; then : - $as_echo_n "(cached) " >&6 -else - if test -n "$PYTHON"; then - ac_cv_prog_PYTHON="$PYTHON" # Let the user override the test. -else -as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_prog_PYTHON="python" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - -fi -fi -PYTHON=$ac_cv_prog_PYTHON -if test -n "$PYTHON"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $PYTHON" >&5 -$as_echo "$PYTHON" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - -HAVE_PYTHON=no -if test x"$PYTHON" != x; then - # k5test.py requires python 2.4 (for the subprocess module). - # Some code needs python 2.5 (for syntax like conditional expressions). - vercheck="import sys;sys.exit((sys.hexversion < 0x2050000) and 1 or 0)" - if python -c "$vercheck"; then - HAVE_PYTHON=yes - fi -fi - - -# For cmocka tests. -CMOCKA_LIBS= -HAVE_CMOCKA=no -HAVE_CMOCKA_H=no -HAVE_CMOCKA_LIB=no -ac_fn_c_check_header_compile "$LINENO" "cmocka.h" "ac_cv_header_cmocka_h" " -#include -#include -#include -" -if test "x$ac_cv_header_cmocka_h" = xyes; then : - HAVE_CMOCKA_H=yes -else - : -fi - - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for _cmocka_run_group_tests in -lcmocka" >&5 -$as_echo_n "checking for _cmocka_run_group_tests in -lcmocka... " >&6; } -if ${ac_cv_lib_cmocka__cmocka_run_group_tests+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lcmocka $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char _cmocka_run_group_tests (); -int -main () -{ -return _cmocka_run_group_tests (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_cmocka__cmocka_run_group_tests=yes -else - ac_cv_lib_cmocka__cmocka_run_group_tests=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_cmocka__cmocka_run_group_tests" >&5 -$as_echo "$ac_cv_lib_cmocka__cmocka_run_group_tests" >&6; } -if test "x$ac_cv_lib_cmocka__cmocka_run_group_tests" = xyes; then : - HAVE_CMOCKA_LIB=yes -fi - -if test "$HAVE_CMOCKA_LIB" = yes && test "$HAVE_CMOCKA_H" = yes; then - HAVE_CMOCKA=yes - CMOCKA_LIBS='-lcmocka' -fi - - - -# For URI lookup tests. Requires resolv_wrapper >= 1.1.5 for URI -# support. -HAVE_RESOLV_WRAPPER=0 -if pkg-config --atleast-version=1.1.5 resolv_wrapper; then - HAVE_RESOLV_WRAPPER=1 -fi - - -# for plugins/kdb/db2 - -# AIX is unusual in that it wants all symbols resolved at link time -# Fortunately, it will allow us to link the kdb library now, even if -# it is linked again later. -case $krb5_cv_host in -*-*-aix*) - DB_EXTRA_LIBS=-ldb - ;; -*) - DB_EXTRA_LIBS= - ;; -esac - - - - -# Check for thread safety issues. -# (Is there a better place for this?) -# tsfuncs="getpwnam_r getpwuid_r gethostbyname_r getservbyname_r gmtime_r localtime_r" -# Removed getpwnam_r and getpwuid_r because include/configure.in has some -# more careful checks, and may decide to pretend that they're not found if -# the function signatures can't be figured out. -tsfuncs="gethostbyname_r getservbyname_r gmtime_r localtime_r" -for ac_func in $tsfuncs -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - -if test "$enable_thread_support" = yes; then - tsmissing="" - for ts in $tsfuncs; do - if eval "test \"\${ac_cv_func_$ts}\" != yes"; then - tsmissing="$tsmissing $ts" - fi - done - if test "$ac_cv_func_res_nsearch/$ac_cv_lib_resolv_res_nsearch" = "no/no"; then - tsmissing="$tsmissing res_nsearch" - fi - if test "$tsmissing" != ""; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Some functions that are needed for library thread" >&5 -$as_echo "$as_me: WARNING: Some functions that are needed for library thread" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: safety appear to be missing." >&5 -$as_echo "$as_me: WARNING: safety appear to be missing." >&2;} - for ts in $tsmissing; do - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: missing thread-safe function: $ts" >&5 -$as_echo "$as_me: WARNING: missing thread-safe function: $ts" >&2;} - done - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: Without these functions, the installed libraries" >&5 -$as_echo "$as_me: WARNING: Without these functions, the installed libraries" >&2;} - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: may not be thread-safe." >&5 -$as_echo "$as_me: WARNING: may not be thread-safe." >&2;} - fi # tsmissing not empty -fi # enable_thread_support - -# Sadly, we seem to have accidentally committed ourselves in 1.4 to -# an ABI that includes the existence of libkrb5support.0 even -# though random apps should never use anything from it. And on -# the Mac, to which that didn't apply, we can't use major version 0. - -case $krb5_cv_host in -*-*-darwin* | *-*-rhapsody*) SUPPORTLIB_MAJOR=1 ;; -*) SUPPORTLIB_MAJOR=0 ;; -esac - - - -if test "$COM_ERR_VERSION" = k5 ; then - ac_config_files="$ac_config_files util/et/Makefile:$srcdir/./config/pre.in:util/et/Makefile.in:util/et/deps:$srcdir/./config/post.in" - - - -fi -if test "$SS_VERSION" = k5 ; then - ac_config_files="$ac_config_files util/ss/Makefile:$srcdir/./config/pre.in:util/ss/Makefile.in:util/ss/deps:$srcdir/./config/post.in" - - - -fi - - -ldap_plugin_dir="" -ldap_lib="" -if test -n "$OPENLDAP_PLUGIN"; then - for ac_header in ldap.h lber.h -do : - as_ac_Header=`$as_echo "ac_cv_header_$ac_header" | $as_tr_sh` -ac_fn_c_check_header_mongrel "$LINENO" "$ac_header" "$as_ac_Header" "$ac_includes_default" -if eval test \"x\$"$as_ac_Header"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_header" | $as_tr_cpp` 1 -_ACEOF - : -else - as_fn_error $? "$ac_header not found" "$LINENO" 5 -fi - -done - - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ldap_init in -lldap" >&5 -$as_echo_n "checking for ldap_init in -lldap... " >&6; } -if ${ac_cv_lib_ldap_ldap_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lldap $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char ldap_init (); -int -main () -{ -return ldap_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_ldap_ldap_init=yes -else - ac_cv_lib_ldap_ldap_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ldap_init" >&5 -$as_echo "$ac_cv_lib_ldap_ldap_init" >&6; } -if test "x$ac_cv_lib_ldap_ldap_init" = xyes; then : - : -else - as_fn_error $? "libldap not found or missing ldap_init" "$LINENO" 5 -fi - - old_LIBS="$LIBS" - LIBS="$LIBS -lldap" - for ac_func in ldap_initialize ldap_url_parse_nodn ldap_unbind_ext_s ldap_str2dn ldap_explode_dn -do : - as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh` -ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var" -if eval test \"x\$"$as_ac_var"\" = x"yes"; then : - cat >>confdefs.h <<_ACEOF -#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1 -_ACEOF - -fi -done - - LIBS="$old_LIBS" - - BER_OKAY=0 - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_init in -lldap" >&5 -$as_echo_n "checking for ber_init in -lldap... " >&6; } -if ${ac_cv_lib_ldap_ber_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lldap $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char ber_init (); -int -main () -{ -return ber_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_ldap_ber_init=yes -else - ac_cv_lib_ldap_ber_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_ldap_ber_init" >&5 -$as_echo "$ac_cv_lib_ldap_ber_init" >&6; } -if test "x$ac_cv_lib_ldap_ber_init" = xyes; then : - BER_OKAY=1 -fi - - if test "$BER_OKAY" = "1"; then - LDAP_LIBS='-lldap' - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ber_init in -llber" >&5 -$as_echo_n "checking for ber_init in -llber... " >&6; } -if ${ac_cv_lib_lber_ber_init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-llber $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char ber_init (); -int -main () -{ -return ber_init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_lber_ber_init=yes -else - ac_cv_lib_lber_ber_init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_lber_ber_init" >&5 -$as_echo "$ac_cv_lib_lber_ber_init" >&6; } -if test "x$ac_cv_lib_lber_ber_init" = xyes; then : - BER_OKAY=1 -else - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: libber not found" >&5 -$as_echo "$as_me: WARNING: libber not found" >&2;} -fi - - if test "$BER_OKAY" = "1"; then - LDAP_LIBS='-lldap -llber' - else - as_fn_error $? "\"BER library missing - cannot build LDAP database module\"" "$LINENO" 5 - fi - fi - -$as_echo "#define ENABLE_LDAP 1" >>confdefs.h - - - - for ac_header in sasl/sasl.h -do : - ac_fn_c_check_header_mongrel "$LINENO" "sasl/sasl.h" "ac_cv_header_sasl_sasl_h" "$ac_includes_default" -if test "x$ac_cv_header_sasl_sasl_h" = xyes; then : - cat >>confdefs.h <<_ACEOF -#define HAVE_SASL_SASL_H 1 -_ACEOF - HAVE_SASL=yes -else - HAVE_SASL=no -fi - -done - - - if test "$HAVE_SASL" = no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: not building LDAP SASL support" >&5 -$as_echo "$as_me: WARNING: not building LDAP SASL support" >&2;} - fi - - ac_config_files="$ac_config_files plugins/kdb/ldap/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/Makefile.in:plugins/kdb/ldap/deps:$srcdir/./config/post.in" - - - - ac_config_files="$ac_config_files plugins/kdb/ldap/ldap_util/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/ldap_util/Makefile.in:plugins/kdb/ldap/ldap_util/deps:$srcdir/./config/post.in" - - - - ac_config_files="$ac_config_files plugins/kdb/ldap/libkdb_ldap/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/libkdb_ldap/Makefile.in:plugins/kdb/ldap/libkdb_ldap/deps:$srcdir/./config/post.in" - - - - ldap_plugin_dir='plugins/kdb/ldap plugins/kdb/ldap/ldap_util' - LDAP=yes -else - LDAP=no -fi - - -# This check is for plugins/preauth/securid_sam2 -sam2_plugin="" -old_CFLAGS=$CFLAGS -CFLAGS="$CFLAGS $PTHREAD_CFLAGS" -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for SD_Init in -laceclnt" >&5 -$as_echo_n "checking for SD_Init in -laceclnt... " >&6; } -if ${ac_cv_lib_aceclnt_SD_Init+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-laceclnt $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char SD_Init (); -int -main () -{ -return SD_Init (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_aceclnt_SD_Init=yes -else - ac_cv_lib_aceclnt_SD_Init=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_aceclnt_SD_Init" >&5 -$as_echo "$ac_cv_lib_aceclnt_SD_Init" >&6; } -if test "x$ac_cv_lib_aceclnt_SD_Init" = xyes; then : - - { $as_echo "$as_me:${as_lineno-$LINENO}: Enabling RSA securID support" >&5 -$as_echo "$as_me: Enabling RSA securID support" >&6;} - ac_config_files="$ac_config_files plugins/preauth/securid_sam2/Makefile:$srcdir/./config/pre.in:plugins/preauth/securid_sam2/Makefile.in:plugins/preauth/securid_sam2/deps:$srcdir/./config/post.in" - - - - sam2_plugin=plugins/preauth/securid_sam2 - -fi - - -CFLAGS=$old_CFLAGS - -# Kludge for simple server --- FIXME is this the best way to do this? - -if test "$ac_cv_lib_socket" = "yes" -a "$ac_cv_lib_nsl" = "yes"; then - -$as_echo "#define BROKEN_STREAMS_SOCKETS 1" >>confdefs.h - -fi - -# Compile with libedit support in ss by default if available. Compile -# with readline only if asked, to avoid a default GPL dependency. -# Building with readline also breaks the dejagnu test suite. - -# Check whether --with-libedit was given. -if test "${with_libedit+set}" = set; then : - withval=$with_libedit; -else - with_libedit=default -fi - - -# Check whether --with-readline was given. -if test "${with_readline+set}" = set; then : - withval=$with_readline; -else - with_readline=no -fi - -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for readline support" >&5 -$as_echo_n "checking for readline support... " >&6; } -if test "x$with_readline" = xyes; then - with_libedit=no -fi -RL_CFLAGS= -RL_LIBS= -if test "x$with_libedit" != xno; then - if rl_cflags=`pkg-config --cflags libedit 2>&1`; then - RL_CFLAGS=$rl_cflags - RL_LIBS=`pkg-config --libs libedit` - -$as_echo "#define HAVE_LIBEDIT 1" >>confdefs.h - - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using libedit" >&5 -$as_echo "using libedit" >&6; } - elif test "x$with_libedit" = yes; then - # We were explicitly asked for libedit and couldn't find it. - as_fn_error $? "Could not detect libedit with pkg-config." "$LINENO" 5 - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: not using any" >&5 -$as_echo "not using any" >&6; } - fi -elif test "x$with_readline" = xyes; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: using GNU Readline" >&5 -$as_echo "using GNU Readline" >&6; } - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for main in -lreadline" >&5 -$as_echo_n "checking for main in -lreadline... " >&6; } -if ${ac_cv_lib_readline_main+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lreadline -lncurses $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - - -int -main () -{ -return main (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_readline_main=yes -else - ac_cv_lib_readline_main=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_readline_main" >&5 -$as_echo "$ac_cv_lib_readline_main" >&6; } -if test "x$ac_cv_lib_readline_main" = xyes; then : - : -else - { { $as_echo "$as_me:${as_lineno-$LINENO}: error: in \`$ac_pwd':" >&5 -$as_echo "$as_me: error: in \`$ac_pwd':" >&2;} -as_fn_error $? "Cannot find readline library. -See \`config.log' for more details" "$LINENO" 5; } -fi - - -$as_echo "#define HAVE_READLINE 1" >>confdefs.h - - RL_LIBS='-lreadline -lhistory -lncurses' -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: not using any" >&5 -$as_echo "not using any" >&6; } -fi - - - - -# Check whether --with-system-verto was given. -if test "${with_system_verto+set}" = set; then : - withval=$with_system_verto; -else - with_system_verto=default -fi - -VERTO_CFLAGS= -VERTO_LIBS="-lverto" -VERTO_VERSION=k5 -if test "x$with_system_verto" != xno; then - if verto_cflags=`pkg-config --cflags libverto 2>&1`; then - VERTO_CFLAGS=$verto_cflags - VERTO_LIBS=`pkg-config --libs libverto` - VERTO_VERSION=sys - else - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for verto_set_flags in -lverto" >&5 -$as_echo_n "checking for verto_set_flags in -lverto... " >&6; } -if ${ac_cv_lib_verto_verto_set_flags+:} false; then : - $as_echo_n "(cached) " >&6 -else - ac_check_lib_save_LIBS=$LIBS -LIBS="-lverto $LIBS" -cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char verto_set_flags (); -int -main () -{ -return verto_set_flags (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - ac_cv_lib_verto_verto_set_flags=yes -else - ac_cv_lib_verto_verto_set_flags=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext -LIBS=$ac_check_lib_save_LIBS -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_verto_verto_set_flags" >&5 -$as_echo "$ac_cv_lib_verto_verto_set_flags" >&6; } -if test "x$ac_cv_lib_verto_verto_set_flags" = xyes; then : - VERTO_VERSION=sys -else - if test "x$with_system_verto" = xyes; then - as_fn_error $? "cannot detect system libverto" "$LINENO" 5 - fi -fi - - fi -fi -if test "x$VERTO_VERSION" = xsys; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Using system libverto" >&5 -$as_echo "$as_me: Using system libverto" >&6;} -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: Using built-in libverto" >&5 -$as_echo "Using built-in libverto" >&6; } -fi - - - - -# Extract the first word of "groff", so it can be a program name with args. -set dummy groff; ac_word=$2 -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 -$as_echo_n "checking for $ac_word... " >&6; } -if ${ac_cv_path_GROFF+:} false; then : - $as_echo_n "(cached) " >&6 -else - case $GROFF in - [\\/]* | ?:[\\/]*) - ac_cv_path_GROFF="$GROFF" # Let the user override the test with a path. - ;; - *) - as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - for ac_exec_ext in '' $ac_executable_extensions; do - if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then - ac_cv_path_GROFF="$as_dir/$ac_word$ac_exec_ext" - $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 - break 2 - fi -done - done -IFS=$as_save_IFS - - ;; -esac -fi -GROFF=$ac_cv_path_GROFF -if test -n "$GROFF"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $GROFF" >&5 -$as_echo "$GROFF" >&6; } -else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } -fi - - - -# Make localedir work in autoconf 2.5x. -if test "${localedir+set}" != set; then - localedir='$(datadir)/locale' -fi - - -# For KCM lib/krb5/ccache to build KCM Mach RPC support for OS X only. -case $host in -*-*-darwin* | *-*-rhapsody*) OSX=osx ;; -*) OSX=no ;; -esac - - -# Build-time default ccache, keytab, and client keytab names. These -# can be given as variable arguments DEFCCNAME, DEFKTNAME, and -# DEFCKTNAME. Otherwise, we try to get the OS defaults from -# krb5-config if we can, or fall back to hardcoded defaults. - - - - -# Check whether --with-krb5-config was given. -if test "${with_krb5_config+set}" = set; then : - withval=$with_krb5_config; -else - with_krb5_config=krb5-config -fi - -if test "x$with_krb5_config" != xno; then - if test "x$with_krb5_config" = xyes; then - with_krb5_config=krb5-config - fi - if $with_krb5_config --help 2>&1 | grep defccname >/dev/null; then - { $as_echo "$as_me:${as_lineno-$LINENO}: Using $with_krb5_config for build defaults" >&5 -$as_echo "$as_me: Using $with_krb5_config for build defaults" >&6;} - : "${DEFCCNAME=`$with_krb5_config --defccname`}" - : "${DEFKTNAME=`$with_krb5_config --defktname`}" - : "${DEFCKTNAME=`$with_krb5_config --defcktname`}" - fi -fi -if test "${DEFCCNAME+set}" != set; then - case $host in - *-*-darwin[0-9].* | *-*-darwin10.*) - # Use the normal default for OS X 10.6 (Darwin 10) and prior. - ;; - *-*-darwin*) - # For OS X 10.7 (Darwin 11) and later, the native ccache uses - # the KCM daemon. - DEFCCNAME=KCM: - ;; - esac - if test "${DEFCCNAME+set}" != set; then - DEFCCNAME=FILE:/tmp/krb5cc_%{uid} - fi -fi -if test "${DEFKTNAME+set}" != set; then - DEFKTNAME=FILE:/etc/krb5.keytab -fi -if test "${DEFCKTNAME+set}" != set; then - _lcl_receval="$localstatedir" -exp_localstatedir=`(test "x$prefix" = xNONE && prefix="$ac_default_prefix" - test "x$exec_prefix" = xNONE && exec_prefix="${prefix}" - _lcl_receval_old='' - while test "$_lcl_receval_old" != "$_lcl_receval"; do - _lcl_receval_old="$_lcl_receval" - eval _lcl_receval="\"$_lcl_receval\"" - done - echo "$_lcl_receval")` - DEFCKTNAME=FILE:$exp_localstatedir/krb5/user/%{euid}/client.keytab -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: Default ccache name: $DEFCCNAME" >&5 -$as_echo "$as_me: Default ccache name: $DEFCCNAME" >&6;} -{ $as_echo "$as_me:${as_lineno-$LINENO}: Default keytab name: $DEFKTNAME" >&5 -$as_echo "$as_me: Default keytab name: $DEFKTNAME" >&6;} -{ $as_echo "$as_me:${as_lineno-$LINENO}: Default client keytab name: $DEFCKTNAME" >&5 -$as_echo "$as_me: Default client keytab name: $DEFCKTNAME" >&6;} - -cat >>confdefs.h <<_ACEOF -#define DEFCCNAME "$DEFCCNAME" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define DEFKTNAME "$DEFKTNAME" -_ACEOF - - -cat >>confdefs.h <<_ACEOF -#define DEFCKTNAME "$DEFCKTNAME" -_ACEOF - - -ac_config_files="$ac_config_files build-tools/krb5-config" - -ac_config_files="$ac_config_files build-tools/kadm-server.pc build-tools/kadm-client.pc build-tools/kdb.pc build-tools/krb5.pc build-tools/krb5-gssapi.pc build-tools/mit-krb5.pc build-tools/mit-krb5-gssapi.pc build-tools/gssrpc.pc" - - - ac_config_files="$ac_config_files ./Makefile:$srcdir/./config/pre.in:./Makefile.in:./deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files util/Makefile:$srcdir/./config/pre.in:util/Makefile.in:util/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files util/support/Makefile:$srcdir/./config/pre.in:util/support/Makefile.in:util/support/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files util/profile/Makefile:$srcdir/./config/pre.in:util/profile/Makefile.in:util/profile/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files util/profile/testmod/Makefile:$srcdir/./config/pre.in:util/profile/testmod/Makefile.in:util/profile/testmod/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files util/verto/Makefile:$srcdir/./config/pre.in:util/verto/Makefile.in:util/verto/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/Makefile:$srcdir/./config/pre.in:lib/Makefile.in:lib/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/kdb/Makefile:$srcdir/./config/pre.in:lib/kdb/Makefile.in:lib/kdb/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/Makefile:$srcdir/./config/pre.in:lib/crypto/Makefile.in:lib/crypto/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/krb/Makefile:$srcdir/./config/pre.in:lib/crypto/krb/Makefile.in:lib/crypto/krb/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/Makefile.in:lib/crypto/$CRYPTO_IMPL/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/enc_provider/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/enc_provider/Makefile.in:lib/crypto/$CRYPTO_IMPL/enc_provider/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/hash_provider/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/hash_provider/Makefile.in:lib/crypto/$CRYPTO_IMPL/hash_provider/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/des/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/des/Makefile.in:lib/crypto/$CRYPTO_IMPL/des/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/md4/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/md4/Makefile.in:lib/crypto/$CRYPTO_IMPL/md4/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/md5/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/md5/Makefile.in:lib/crypto/$CRYPTO_IMPL/md5/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/sha1/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/sha1/Makefile.in:lib/crypto/$CRYPTO_IMPL/sha1/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/sha2/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/sha2/Makefile.in:lib/crypto/$CRYPTO_IMPL/sha2/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/aes/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/aes/Makefile.in:lib/crypto/$CRYPTO_IMPL/aes/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/$CRYPTO_IMPL/camellia/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/camellia/Makefile.in:lib/crypto/$CRYPTO_IMPL/camellia/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/crypto/crypto_tests/Makefile:$srcdir/./config/pre.in:lib/crypto/crypto_tests/Makefile.in:lib/crypto/crypto_tests/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/Makefile:$srcdir/./config/pre.in:lib/krb5/Makefile.in:lib/krb5/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/error_tables/Makefile:$srcdir/./config/pre.in:lib/krb5/error_tables/Makefile.in:lib/krb5/error_tables/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/asn.1/Makefile:$srcdir/./config/pre.in:lib/krb5/asn.1/Makefile.in:lib/krb5/asn.1/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/ccache/Makefile:$srcdir/./config/pre.in:lib/krb5/ccache/Makefile.in:lib/krb5/ccache/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/keytab/Makefile:$srcdir/./config/pre.in:lib/krb5/keytab/Makefile.in:lib/krb5/keytab/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/krb/Makefile:$srcdir/./config/pre.in:lib/krb5/krb/Makefile.in:lib/krb5/krb/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/rcache/Makefile:$srcdir/./config/pre.in:lib/krb5/rcache/Makefile.in:lib/krb5/rcache/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/os/Makefile:$srcdir/./config/pre.in:lib/krb5/os/Makefile.in:lib/krb5/os/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krb5/unicode/Makefile:$srcdir/./config/pre.in:lib/krb5/unicode/Makefile.in:lib/krb5/unicode/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/gssapi/Makefile:$srcdir/./config/pre.in:lib/gssapi/Makefile.in:lib/gssapi/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/gssapi/generic/Makefile:$srcdir/./config/pre.in:lib/gssapi/generic/Makefile.in:lib/gssapi/generic/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/gssapi/krb5/Makefile:$srcdir/./config/pre.in:lib/gssapi/krb5/Makefile.in:lib/gssapi/krb5/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/gssapi/spnego/Makefile:$srcdir/./config/pre.in:lib/gssapi/spnego/Makefile.in:lib/gssapi/spnego/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/gssapi/mechglue/Makefile:$srcdir/./config/pre.in:lib/gssapi/mechglue/Makefile.in:lib/gssapi/mechglue/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/rpc/Makefile:$srcdir/./config/pre.in:lib/rpc/Makefile.in:lib/rpc/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/rpc/unit-test/Makefile:$srcdir/./config/pre.in:lib/rpc/unit-test/Makefile.in:lib/rpc/unit-test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/kadm5/Makefile:$srcdir/./config/pre.in:lib/kadm5/Makefile.in:lib/kadm5/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/kadm5/clnt/Makefile:$srcdir/./config/pre.in:lib/kadm5/clnt/Makefile.in:lib/kadm5/clnt/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/kadm5/srv/Makefile:$srcdir/./config/pre.in:lib/kadm5/srv/Makefile.in:lib/kadm5/srv/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/kadm5/unit-test/Makefile:$srcdir/./config/pre.in:lib/kadm5/unit-test/Makefile.in:lib/kadm5/unit-test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/krad/Makefile:$srcdir/./config/pre.in:lib/krad/Makefile.in:lib/krad/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files lib/apputils/Makefile:$srcdir/./config/pre.in:lib/apputils/Makefile.in:lib/apputils/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kdc/Makefile:$srcdir/./config/pre.in:kdc/Makefile.in:kdc/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files slave/Makefile:$srcdir/./config/pre.in:slave/Makefile.in:slave/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files config-files/Makefile:$srcdir/./config/pre.in:config-files/Makefile.in:config-files/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files build-tools/Makefile:$srcdir/./config/pre.in:build-tools/Makefile.in:build-tools/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files man/Makefile:$srcdir/./config/pre.in:man/Makefile.in:man/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files doc/Makefile:$srcdir/./config/pre.in:doc/Makefile.in:doc/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files include/Makefile:$srcdir/./config/pre.in:include/Makefile.in:include/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/hostrealm/test/Makefile:$srcdir/./config/pre.in:plugins/hostrealm/test/Makefile.in:plugins/hostrealm/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/localauth/test/Makefile:$srcdir/./config/pre.in:plugins/localauth/test/Makefile.in:plugins/localauth/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kadm5_hook/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_hook/test/Makefile.in:plugins/kadm5_hook/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/pwqual/test/Makefile:$srcdir/./config/pre.in:plugins/pwqual/test/Makefile.in:plugins/pwqual/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/audit/Makefile:$srcdir/./config/pre.in:plugins/audit/Makefile.in:plugins/audit/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/audit/test/Makefile:$srcdir/./config/pre.in:plugins/audit/test/Makefile.in:plugins/audit/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/Makefile.in:plugins/kdb/db2/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/Makefile.in:plugins/kdb/db2/libdb2/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/hash/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/hash/Makefile.in:plugins/kdb/db2/libdb2/hash/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/btree/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/btree/Makefile.in:plugins/kdb/db2/libdb2/btree/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/db/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/db/Makefile.in:plugins/kdb/db2/libdb2/db/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/mpool/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/mpool/Makefile.in:plugins/kdb/db2/libdb2/mpool/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/recno/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/recno/Makefile.in:plugins/kdb/db2/libdb2/recno/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/db2/libdb2/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/test/Makefile.in:plugins/kdb/db2/libdb2/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/kdb/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/test/Makefile.in:plugins/kdb/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/preauth/otp/Makefile:$srcdir/./config/pre.in:plugins/preauth/otp/Makefile.in:plugins/preauth/otp/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/preauth/test/Makefile:$srcdir/./config/pre.in:plugins/preauth/test/Makefile.in:plugins/preauth/test/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/authdata/greet_client/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_client/Makefile.in:plugins/authdata/greet_client/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/authdata/greet_server/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_server/Makefile.in:plugins/authdata/greet_server/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files plugins/tls/k5tls/Makefile:$srcdir/./config/pre.in:plugins/tls/k5tls/Makefile.in:plugins/tls/k5tls/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/Makefile:$srcdir/./config/pre.in:clients/Makefile.in:clients/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/klist/Makefile:$srcdir/./config/pre.in:clients/klist/Makefile.in:clients/klist/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/kinit/Makefile:$srcdir/./config/pre.in:clients/kinit/Makefile.in:clients/kinit/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/kvno/Makefile:$srcdir/./config/pre.in:clients/kvno/Makefile.in:clients/kvno/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/kdestroy/Makefile:$srcdir/./config/pre.in:clients/kdestroy/Makefile.in:clients/kdestroy/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/kpasswd/Makefile:$srcdir/./config/pre.in:clients/kpasswd/Makefile.in:clients/kpasswd/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/ksu/Makefile:$srcdir/./config/pre.in:clients/ksu/Makefile.in:clients/ksu/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files clients/kswitch/Makefile:$srcdir/./config/pre.in:clients/kswitch/Makefile.in:clients/kswitch/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/Makefile:$srcdir/./config/pre.in:kadmin/Makefile.in:kadmin/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/cli/Makefile:$srcdir/./config/pre.in:kadmin/cli/Makefile.in:kadmin/cli/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/dbutil/Makefile:$srcdir/./config/pre.in:kadmin/dbutil/Makefile.in:kadmin/dbutil/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/ktutil/Makefile:$srcdir/./config/pre.in:kadmin/ktutil/Makefile.in:kadmin/ktutil/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/server/Makefile:$srcdir/./config/pre.in:kadmin/server/Makefile.in:kadmin/server/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/testing/Makefile:$srcdir/./config/pre.in:kadmin/testing/Makefile.in:kadmin/testing/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/testing/scripts/Makefile:$srcdir/./config/pre.in:kadmin/testing/scripts/Makefile.in:kadmin/testing/scripts/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files kadmin/testing/util/Makefile:$srcdir/./config/pre.in:kadmin/testing/util/Makefile.in:kadmin/testing/util/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/Makefile:$srcdir/./config/pre.in:appl/Makefile.in:appl/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/sample/Makefile:$srcdir/./config/pre.in:appl/sample/Makefile.in:appl/sample/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/sample/sclient/Makefile:$srcdir/./config/pre.in:appl/sample/sclient/Makefile.in:appl/sample/sclient/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/sample/sserver/Makefile:$srcdir/./config/pre.in:appl/sample/sserver/Makefile.in:appl/sample/sserver/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/simple/Makefile:$srcdir/./config/pre.in:appl/simple/Makefile.in:appl/simple/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/simple/client/Makefile:$srcdir/./config/pre.in:appl/simple/client/Makefile.in:appl/simple/client/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/simple/server/Makefile:$srcdir/./config/pre.in:appl/simple/server/Makefile.in:appl/simple/server/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/gss-sample/Makefile:$srcdir/./config/pre.in:appl/gss-sample/Makefile.in:appl/gss-sample/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files appl/user_user/Makefile:$srcdir/./config/pre.in:appl/user_user/Makefile.in:appl/user_user/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/Makefile:$srcdir/./config/pre.in:tests/Makefile.in:tests/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/resolve/Makefile:$srcdir/./config/pre.in:tests/resolve/Makefile.in:tests/resolve/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/asn.1/Makefile:$srcdir/./config/pre.in:tests/asn.1/Makefile.in:tests/asn.1/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/create/Makefile:$srcdir/./config/pre.in:tests/create/Makefile.in:tests/create/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/hammer/Makefile:$srcdir/./config/pre.in:tests/hammer/Makefile.in:tests/hammer/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/verify/Makefile:$srcdir/./config/pre.in:tests/verify/Makefile.in:tests/verify/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/gssapi/Makefile:$srcdir/./config/pre.in:tests/gssapi/Makefile.in:tests/gssapi/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/dejagnu/Makefile:$srcdir/./config/pre.in:tests/dejagnu/Makefile.in:tests/dejagnu/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/threads/Makefile:$srcdir/./config/pre.in:tests/threads/Makefile.in:tests/threads/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/shlib/Makefile:$srcdir/./config/pre.in:tests/shlib/Makefile.in:tests/shlib/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/gss-threads/Makefile:$srcdir/./config/pre.in:tests/gss-threads/Makefile.in:tests/gss-threads/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files tests/misc/Makefile:$srcdir/./config/pre.in:tests/misc/Makefile.in:tests/misc/deps:$srcdir/./config/post.in" - ac_config_files="$ac_config_files po/Makefile:$srcdir/./config/pre.in:po/Makefile.in:po/deps:$srcdir/./config/post.in" - -cat >confcache <<\_ACEOF -# This file is a shell script that caches the results of configure -# tests run on this system so they can be shared between configure -# scripts and configure runs, see configure's option --config-cache. -# It is not useful on other systems. If it contains results you don't -# want to keep, you may remove or edit it. -# -# config.status only pays attention to the cache file if you give it -# the --recheck option to rerun configure. -# -# `ac_cv_env_foo' variables (set or unset) will be overridden when -# loading this file, other *unset* `ac_cv_foo' will be assigned the -# following values. - -_ACEOF - -# The following way of writing the cache mishandles newlines in values, -# but we know of no workaround that is simple, portable, and efficient. -# So, we kill variables containing newlines. -# Ultrix sh set writes to stderr and can't be redirected directly, -# and sets the high bit in the cache file unless we assign to the vars. -( - for ac_var in `(set) 2>&1 | sed -n 's/^\([a-zA-Z_][a-zA-Z0-9_]*\)=.*/\1/p'`; do - eval ac_val=\$$ac_var - case $ac_val in #( - *${as_nl}*) - case $ac_var in #( - *_cv_*) { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: cache variable $ac_var contains a newline" >&5 -$as_echo "$as_me: WARNING: cache variable $ac_var contains a newline" >&2;} ;; - esac - case $ac_var in #( - _ | IFS | as_nl) ;; #( - BASH_ARGV | BASH_SOURCE) eval $ac_var= ;; #( - *) { eval $ac_var=; unset $ac_var;} ;; - esac ;; - esac - done - - (set) 2>&1 | - case $as_nl`(ac_space=' '; set) 2>&1` in #( - *${as_nl}ac_space=\ *) - # `set' does not quote correctly, so add quotes: double-quote - # substitution turns \\\\ into \\, and sed turns \\ into \. - sed -n \ - "s/'/'\\\\''/g; - s/^\\([_$as_cr_alnum]*_cv_[_$as_cr_alnum]*\\)=\\(.*\\)/\\1='\\2'/p" - ;; #( - *) - # `set' quotes correctly as required by POSIX, so do not add quotes. - sed -n "/^[_$as_cr_alnum]*_cv_[_$as_cr_alnum]*=/p" - ;; - esac | - sort -) | - sed ' - /^ac_cv_env_/b end - t clear - :clear - s/^\([^=]*\)=\(.*[{}].*\)$/test "${\1+set}" = set || &/ - t end - s/^\([^=]*\)=\(.*\)$/\1=${\1=\2}/ - :end' >>confcache -if diff "$cache_file" confcache >/dev/null 2>&1; then :; else - if test -w "$cache_file"; then - if test "x$cache_file" != "x/dev/null"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: updating cache $cache_file" >&5 -$as_echo "$as_me: updating cache $cache_file" >&6;} - if test ! -f "$cache_file" || test -h "$cache_file"; then - cat confcache >"$cache_file" - else - case $cache_file in #( - */* | ?:*) - mv -f confcache "$cache_file"$$ && - mv -f "$cache_file"$$ "$cache_file" ;; #( - *) - mv -f confcache "$cache_file" ;; - esac - fi - fi - else - { $as_echo "$as_me:${as_lineno-$LINENO}: not updating unwritable cache $cache_file" >&5 -$as_echo "$as_me: not updating unwritable cache $cache_file" >&6;} - fi -fi -rm -f confcache - -test "x$prefix" = xNONE && prefix=$ac_default_prefix -# Let make expand exec_prefix. -test "x$exec_prefix" = xNONE && exec_prefix='${prefix}' - -DEFS=-DHAVE_CONFIG_H - -ac_libobjs= -ac_ltlibobjs= -U= -for ac_i in : $LIBOBJS; do test "x$ac_i" = x: && continue - # 1. Remove the extension, and $U if already installed. - ac_script='s/\$U\././;s/\.o$//;s/\.obj$//' - ac_i=`$as_echo "$ac_i" | sed "$ac_script"` - # 2. Prepend LIBOBJDIR. When used with automake>=1.10 LIBOBJDIR - # will be set to the directory where LIBOBJS objects are built. - as_fn_append ac_libobjs " \${LIBOBJDIR}$ac_i\$U.$ac_objext" - as_fn_append ac_ltlibobjs " \${LIBOBJDIR}$ac_i"'$U.lo' -done -LIBOBJS=$ac_libobjs - -LTLIBOBJS=$ac_ltlibobjs - - - -: "${CONFIG_STATUS=./config.status}" -ac_write_fail=0 -ac_clean_files_save=$ac_clean_files -ac_clean_files="$ac_clean_files $CONFIG_STATUS" -{ $as_echo "$as_me:${as_lineno-$LINENO}: creating $CONFIG_STATUS" >&5 -$as_echo "$as_me: creating $CONFIG_STATUS" >&6;} -as_write_fail=0 -cat >$CONFIG_STATUS <<_ASEOF || as_write_fail=1 -#! $SHELL -# Generated by $as_me. -# Run this file to recreate the current configuration. -# Compiler output produced by configure, useful for debugging -# configure, is in config.log if it exists. - -debug=false -ac_cs_recheck=false -ac_cs_silent=false - -SHELL=\${CONFIG_SHELL-$SHELL} -export SHELL -_ASEOF -cat >>$CONFIG_STATUS <<\_ASEOF || as_write_fail=1 -## -------------------- ## -## M4sh Initialization. ## -## -------------------- ## - -# Be more Bourne compatible -DUALCASE=1; export DUALCASE # for MKS sh -if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then : - emulate sh - NULLCMD=: - # Pre-4.2 versions of Zsh do word splitting on ${1+"$@"}, which - # is contrary to our usage. Disable this feature. - alias -g '${1+"$@"}'='"$@"' - setopt NO_GLOB_SUBST -else - case `(set -o) 2>/dev/null` in #( - *posix*) : - set -o posix ;; #( - *) : - ;; -esac -fi - - -as_nl=' -' -export as_nl -# Printing a long string crashes Solaris 7 /usr/bin/printf. -as_echo='\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\' -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo -as_echo=$as_echo$as_echo$as_echo$as_echo$as_echo$as_echo -# Prefer a ksh shell builtin over an external printf program on Solaris, -# but without wasting forks for bash or zsh. -if test -z "$BASH_VERSION$ZSH_VERSION" \ - && (test "X`print -r -- $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='print -r --' - as_echo_n='print -rn --' -elif (test "X`printf %s $as_echo`" = "X$as_echo") 2>/dev/null; then - as_echo='printf %s\n' - as_echo_n='printf %s' -else - if test "X`(/usr/ucb/echo -n -n $as_echo) 2>/dev/null`" = "X-n $as_echo"; then - as_echo_body='eval /usr/ucb/echo -n "$1$as_nl"' - as_echo_n='/usr/ucb/echo -n' - else - as_echo_body='eval expr "X$1" : "X\\(.*\\)"' - as_echo_n_body='eval - arg=$1; - case $arg in #( - *"$as_nl"*) - expr "X$arg" : "X\\(.*\\)$as_nl"; - arg=`expr "X$arg" : ".*$as_nl\\(.*\\)"`;; - esac; - expr "X$arg" : "X\\(.*\\)" | tr -d "$as_nl" - ' - export as_echo_n_body - as_echo_n='sh -c $as_echo_n_body as_echo' - fi - export as_echo_body - as_echo='sh -c $as_echo_body as_echo' -fi - -# The user is always right. -if test "${PATH_SEPARATOR+set}" != set; then - PATH_SEPARATOR=: - (PATH='/bin;/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 && { - (PATH='/bin:/bin'; FPATH=$PATH; sh -c :) >/dev/null 2>&1 || - PATH_SEPARATOR=';' - } -fi - - -# IFS -# We need space, tab and new line, in precisely that order. Quoting is -# there to prevent editors from complaining about space-tab. -# (If _AS_PATH_WALK were called with IFS unset, it would disable word -# splitting by setting IFS to empty value.) -IFS=" "" $as_nl" - -# Find who we are. Look in the path if we contain no directory separator. -as_myself= -case $0 in #(( - *[\\/]* ) as_myself=$0 ;; - *) as_save_IFS=$IFS; IFS=$PATH_SEPARATOR -for as_dir in $PATH -do - IFS=$as_save_IFS - test -z "$as_dir" && as_dir=. - test -r "$as_dir/$0" && as_myself=$as_dir/$0 && break - done -IFS=$as_save_IFS - - ;; -esac -# We did not find ourselves, most probably we were run as `sh COMMAND' -# in which case we are not to be found in the path. -if test "x$as_myself" = x; then - as_myself=$0 -fi -if test ! -f "$as_myself"; then - $as_echo "$as_myself: error: cannot find myself; rerun with an absolute file name" >&2 - exit 1 -fi - -# Unset variables that we do not need and which cause bugs (e.g. in -# pre-3.0 UWIN ksh). But do not cause bugs in bash 2.01; the "|| exit 1" -# suppresses any "Segmentation fault" message there. '((' could -# trigger a bug in pdksh 5.2.14. -for as_var in BASH_ENV ENV MAIL MAILPATH -do eval test x\${$as_var+set} = xset \ - && ( (unset $as_var) || exit 1) >/dev/null 2>&1 && unset $as_var || : -done -PS1='$ ' -PS2='> ' -PS4='+ ' - -# NLS nuisances. -LC_ALL=C -export LC_ALL -LANGUAGE=C -export LANGUAGE - -# CDPATH. -(unset CDPATH) >/dev/null 2>&1 && unset CDPATH - - -# as_fn_error STATUS ERROR [LINENO LOG_FD] -# ---------------------------------------- -# Output "`basename $0`: error: ERROR" to stderr. If LINENO and LOG_FD are -# provided, also output the error to LOG_FD, referencing LINENO. Then exit the -# script with STATUS, using 1 if that was 0. -as_fn_error () -{ - as_status=$1; test $as_status -eq 0 && as_status=1 - if test "$4"; then - as_lineno=${as_lineno-"$3"} as_lineno_stack=as_lineno_stack=$as_lineno_stack - $as_echo "$as_me:${as_lineno-$LINENO}: error: $2" >&$4 - fi - $as_echo "$as_me: error: $2" >&2 - as_fn_exit $as_status -} # as_fn_error - - -# as_fn_set_status STATUS -# ----------------------- -# Set $? to STATUS, without forking. -as_fn_set_status () -{ - return $1 -} # as_fn_set_status - -# as_fn_exit STATUS -# ----------------- -# Exit the shell with STATUS, even in a "trap 0" or "set -e" context. -as_fn_exit () -{ - set +e - as_fn_set_status $1 - exit $1 -} # as_fn_exit - -# as_fn_unset VAR -# --------------- -# Portably unset VAR. -as_fn_unset () -{ - { eval $1=; unset $1;} -} -as_unset=as_fn_unset -# as_fn_append VAR VALUE -# ---------------------- -# Append the text in VALUE to the end of the definition contained in VAR. Take -# advantage of any shell optimizations that allow amortized linear growth over -# repeated appends, instead of the typical quadratic growth present in naive -# implementations. -if (eval "as_var=1; as_var+=2; test x\$as_var = x12") 2>/dev/null; then : - eval 'as_fn_append () - { - eval $1+=\$2 - }' -else - as_fn_append () - { - eval $1=\$$1\$2 - } -fi # as_fn_append - -# as_fn_arith ARG... -# ------------------ -# Perform arithmetic evaluation on the ARGs, and store the result in the -# global $as_val. Take advantage of shells that can avoid forks. The arguments -# must be portable across $(()) and expr. -if (eval "test \$(( 1 + 1 )) = 2") 2>/dev/null; then : - eval 'as_fn_arith () - { - as_val=$(( $* )) - }' -else - as_fn_arith () - { - as_val=`expr "$@" || test $? -eq 1` - } -fi # as_fn_arith - - -if expr a : '\(a\)' >/dev/null 2>&1 && - test "X`expr 00001 : '.*\(...\)'`" = X001; then - as_expr=expr -else - as_expr=false -fi - -if (basename -- /) >/dev/null 2>&1 && test "X`basename -- / 2>&1`" = "X/"; then - as_basename=basename -else - as_basename=false -fi - -if (as_dir=`dirname -- /` && test "X$as_dir" = X/) >/dev/null 2>&1; then - as_dirname=dirname -else - as_dirname=false -fi - -as_me=`$as_basename -- "$0" || -$as_expr X/"$0" : '.*/\([^/][^/]*\)/*$' \| \ - X"$0" : 'X\(//\)$' \| \ - X"$0" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X/"$0" | - sed '/^.*\/\([^/][^/]*\)\/*$/{ - s//\1/ - q - } - /^X\/\(\/\/\)$/{ - s//\1/ - q - } - /^X\/\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - -# Avoid depending upon Character Ranges. -as_cr_letters='abcdefghijklmnopqrstuvwxyz' -as_cr_LETTERS='ABCDEFGHIJKLMNOPQRSTUVWXYZ' -as_cr_Letters=$as_cr_letters$as_cr_LETTERS -as_cr_digits='0123456789' -as_cr_alnum=$as_cr_Letters$as_cr_digits - -ECHO_C= ECHO_N= ECHO_T= -case `echo -n x` in #((((( --n*) - case `echo 'xy\c'` in - *c*) ECHO_T=' ';; # ECHO_T is single tab character. - xy) ECHO_C='\c';; - *) echo `echo ksh88 bug on AIX 6.1` > /dev/null - ECHO_T=' ';; - esac;; -*) - ECHO_N='-n';; -esac - -rm -f conf$$ conf$$.exe conf$$.file -if test -d conf$$.dir; then - rm -f conf$$.dir/conf$$.file -else - rm -f conf$$.dir - mkdir conf$$.dir 2>/dev/null -fi -if (echo >conf$$.file) 2>/dev/null; then - if ln -s conf$$.file conf$$ 2>/dev/null; then - as_ln_s='ln -s' - # ... but there are two gotchas: - # 1) On MSYS, both `ln -s file dir' and `ln file dir' fail. - # 2) DJGPP < 2.04 has no symlinks; `ln -s' creates a wrapper executable. - # In both cases, we have to default to `cp -pR'. - ln -s conf$$.file conf$$.dir 2>/dev/null && test ! -f conf$$.exe || - as_ln_s='cp -pR' - elif ln conf$$.file conf$$ 2>/dev/null; then - as_ln_s=ln - else - as_ln_s='cp -pR' - fi -else - as_ln_s='cp -pR' -fi -rm -f conf$$ conf$$.exe conf$$.dir/conf$$.file conf$$.file -rmdir conf$$.dir 2>/dev/null - - -# as_fn_mkdir_p -# ------------- -# Create "$as_dir" as a directory, including parents if necessary. -as_fn_mkdir_p () -{ - - case $as_dir in #( - -*) as_dir=./$as_dir;; - esac - test -d "$as_dir" || eval $as_mkdir_p || { - as_dirs= - while :; do - case $as_dir in #( - *\'*) as_qdir=`$as_echo "$as_dir" | sed "s/'/'\\\\\\\\''/g"`;; #'( - *) as_qdir=$as_dir;; - esac - as_dirs="'$as_qdir' $as_dirs" - as_dir=`$as_dirname -- "$as_dir" || -$as_expr X"$as_dir" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$as_dir" : 'X\(//\)[^/]' \| \ - X"$as_dir" : 'X\(//\)$' \| \ - X"$as_dir" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$as_dir" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - test -d "$as_dir" && break - done - test -z "$as_dirs" || eval "mkdir $as_dirs" - } || test -d "$as_dir" || as_fn_error $? "cannot create directory $as_dir" - - -} # as_fn_mkdir_p -if mkdir -p . 2>/dev/null; then - as_mkdir_p='mkdir -p "$as_dir"' -else - test -d ./-p && rmdir ./-p - as_mkdir_p=false -fi - - -# as_fn_executable_p FILE -# ----------------------- -# Test if FILE is an executable regular file. -as_fn_executable_p () -{ - test -f "$1" && test -x "$1" -} # as_fn_executable_p -as_test_x='test -x' -as_executable_p=as_fn_executable_p - -# Sed expression to map a string onto a valid CPP name. -as_tr_cpp="eval sed 'y%*$as_cr_letters%P$as_cr_LETTERS%;s%[^_$as_cr_alnum]%_%g'" - -# Sed expression to map a string onto a valid variable name. -as_tr_sh="eval sed 'y%*+%pp%;s%[^_$as_cr_alnum]%_%g'" - - -exec 6>&1 -## ----------------------------------- ## -## Main body of $CONFIG_STATUS script. ## -## ----------------------------------- ## -_ASEOF -test $as_write_fail = 0 && chmod +x $CONFIG_STATUS || ac_write_fail=1 - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# Save the log message, to keep $0 and so on meaningful, and to -# report actual input values of CONFIG_FILES etc. instead of their -# values after options handling. -ac_log=" -This file was extended by Kerberos 5 $as_me 1.15.2, which was -generated by GNU Autoconf 2.69. Invocation command line was - - CONFIG_FILES = $CONFIG_FILES - CONFIG_HEADERS = $CONFIG_HEADERS - CONFIG_LINKS = $CONFIG_LINKS - CONFIG_COMMANDS = $CONFIG_COMMANDS - $ $0 $@ - -on `(hostname || uname -n) 2>/dev/null | sed 1q` -" - -_ACEOF - -case $ac_config_files in *" -"*) set x $ac_config_files; shift; ac_config_files=$*;; -esac - -case $ac_config_headers in *" -"*) set x $ac_config_headers; shift; ac_config_headers=$*;; -esac - - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -# Files that config.status was made for. -config_files="$ac_config_files" -config_headers="$ac_config_headers" -config_commands="$ac_config_commands" - -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -ac_cs_usage="\ -\`$as_me' instantiates files and other configuration actions -from templates according to the current configuration. Unless the files -and actions are specified as TAGs, all are instantiated by default. - -Usage: $0 [OPTION]... [TAG]... - - -h, --help print this help, then exit - -V, --version print version number and configuration settings, then exit - --config print configuration, then exit - -q, --quiet, --silent - do not print progress messages - -d, --debug don't remove temporary files - --recheck update $as_me by reconfiguring in the same conditions - --file=FILE[:TEMPLATE] - instantiate the configuration file FILE - --header=FILE[:TEMPLATE] - instantiate the configuration header FILE - -Configuration files: -$config_files - -Configuration headers: -$config_headers - -Configuration commands: -$config_commands - -Report bugs to ." - -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" -ac_cs_version="\\ -Kerberos 5 config.status 1.15.2 -configured by $0, generated by GNU Autoconf 2.69, - with options \\"\$ac_cs_config\\" - -Copyright (C) 2012 Free Software Foundation, Inc. -This config.status script is free software; the Free Software Foundation -gives unlimited permission to copy, distribute and modify it." - -ac_pwd='$ac_pwd' -srcdir='$srcdir' -INSTALL='$INSTALL' -AWK='$AWK' -test -n "\$AWK" || AWK=awk -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# The default lists apply if the user does not specify any file. -ac_need_defaults=: -while test $# != 0 -do - case $1 in - --*=?*) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg=`expr "X$1" : 'X[^=]*=\(.*\)'` - ac_shift=: - ;; - --*=) - ac_option=`expr "X$1" : 'X\([^=]*\)='` - ac_optarg= - ac_shift=: - ;; - *) - ac_option=$1 - ac_optarg=$2 - ac_shift=shift - ;; - esac - - case $ac_option in - # Handling of the options. - -recheck | --recheck | --rechec | --reche | --rech | --rec | --re | --r) - ac_cs_recheck=: ;; - --version | --versio | --versi | --vers | --ver | --ve | --v | -V ) - $as_echo "$ac_cs_version"; exit ;; - --config | --confi | --conf | --con | --co | --c ) - $as_echo "$ac_cs_config"; exit ;; - --debug | --debu | --deb | --de | --d | -d ) - debug=: ;; - --file | --fil | --fi | --f ) - $ac_shift - case $ac_optarg in - *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; - '') as_fn_error $? "missing file argument" ;; - esac - as_fn_append CONFIG_FILES " '$ac_optarg'" - ac_need_defaults=false;; - --header | --heade | --head | --hea ) - $ac_shift - case $ac_optarg in - *\'*) ac_optarg=`$as_echo "$ac_optarg" | sed "s/'/'\\\\\\\\''/g"` ;; - esac - as_fn_append CONFIG_HEADERS " '$ac_optarg'" - ac_need_defaults=false;; - --he | --h) - # Conflict between --help and --header - as_fn_error $? "ambiguous option: \`$1' -Try \`$0 --help' for more information.";; - --help | --hel | -h ) - $as_echo "$ac_cs_usage"; exit ;; - -q | -quiet | --quiet | --quie | --qui | --qu | --q \ - | -silent | --silent | --silen | --sile | --sil | --si | --s) - ac_cs_silent=: ;; - - # This is an error. - -*) as_fn_error $? "unrecognized option: \`$1' -Try \`$0 --help' for more information." ;; - - *) as_fn_append ac_config_targets " $1" - ac_need_defaults=false ;; - - esac - shift -done - -ac_configure_extra_args= - -if $ac_cs_silent; then - exec 6>/dev/null - ac_configure_extra_args="$ac_configure_extra_args --silent" -fi - -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -if \$ac_cs_recheck; then - set X $SHELL '$0' $ac_configure_args \$ac_configure_extra_args --no-create --no-recursion - shift - \$as_echo "running CONFIG_SHELL=$SHELL \$*" >&6 - CONFIG_SHELL='$SHELL' - export CONFIG_SHELL - exec "\$@" -fi - -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -exec 5>>config.log -{ - echo - sed 'h;s/./-/g;s/^.../## /;s/...$/ ##/;p;x;p;x' <<_ASBOX -## Running $as_me. ## -_ASBOX - $as_echo "$ac_log" -} >&5 - -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -# -# INIT-COMMANDS -# -CRYPTO_IMPL=$CRYPTO_IMPL -PRNG_ALG=$PRNG_ALG -PKINIT_CRYPTO_IMPL=$PKINIT_CRYPTO_IMPL - -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - -# Handling of arguments. -for ac_config_target in $ac_config_targets -do - case $ac_config_target in - "plugins/audit/simple/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/simple/Makefile:$srcdir/./config/pre.in:plugins/audit/simple/Makefile.in:plugins/audit/simple/deps:$srcdir/./config/post.in" ;; - "CRYPTO_IMPL") CONFIG_COMMANDS="$CONFIG_COMMANDS CRYPTO_IMPL" ;; - "PRNG_ALG") CONFIG_COMMANDS="$CONFIG_COMMANDS PRNG_ALG" ;; - "PKINIT_CRYPTO_IMPL") CONFIG_COMMANDS="$CONFIG_COMMANDS PKINIT_CRYPTO_IMPL" ;; - "include/autoconf.h") CONFIG_HEADERS="$CONFIG_HEADERS include/autoconf.h" ;; - "kadmin/testing/scripts/env-setup.sh") CONFIG_FILES="$CONFIG_FILES kadmin/testing/scripts/env-setup.sh:kadmin/testing/scripts/env-setup.shin" ;; - "include/gssrpc/types.h") CONFIG_FILES="$CONFIG_FILES include/gssrpc/types.h:include/gssrpc/types.hin" ;; - "plugins/preauth/pkinit/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/pkinit/Makefile:$srcdir/./config/pre.in:plugins/preauth/pkinit/Makefile.in:plugins/preauth/pkinit/deps:$srcdir/./config/post.in" ;; - "util/et/Makefile") CONFIG_FILES="$CONFIG_FILES util/et/Makefile:$srcdir/./config/pre.in:util/et/Makefile.in:util/et/deps:$srcdir/./config/post.in" ;; - "util/ss/Makefile") CONFIG_FILES="$CONFIG_FILES util/ss/Makefile:$srcdir/./config/pre.in:util/ss/Makefile.in:util/ss/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/ldap/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/ldap/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/Makefile.in:plugins/kdb/ldap/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/ldap/ldap_util/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/ldap/ldap_util/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/ldap_util/Makefile.in:plugins/kdb/ldap/ldap_util/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/ldap/libkdb_ldap/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/ldap/libkdb_ldap/Makefile:$srcdir/./config/pre.in:plugins/kdb/ldap/libkdb_ldap/Makefile.in:plugins/kdb/ldap/libkdb_ldap/deps:$srcdir/./config/post.in" ;; - "plugins/preauth/securid_sam2/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/securid_sam2/Makefile:$srcdir/./config/pre.in:plugins/preauth/securid_sam2/Makefile.in:plugins/preauth/securid_sam2/deps:$srcdir/./config/post.in" ;; - "build-tools/krb5-config") CONFIG_FILES="$CONFIG_FILES build-tools/krb5-config" ;; - "build-tools/kadm-server.pc") CONFIG_FILES="$CONFIG_FILES build-tools/kadm-server.pc" ;; - "build-tools/kadm-client.pc") CONFIG_FILES="$CONFIG_FILES build-tools/kadm-client.pc" ;; - "build-tools/kdb.pc") CONFIG_FILES="$CONFIG_FILES build-tools/kdb.pc" ;; - "build-tools/krb5.pc") CONFIG_FILES="$CONFIG_FILES build-tools/krb5.pc" ;; - "build-tools/krb5-gssapi.pc") CONFIG_FILES="$CONFIG_FILES build-tools/krb5-gssapi.pc" ;; - "build-tools/mit-krb5.pc") CONFIG_FILES="$CONFIG_FILES build-tools/mit-krb5.pc" ;; - "build-tools/mit-krb5-gssapi.pc") CONFIG_FILES="$CONFIG_FILES build-tools/mit-krb5-gssapi.pc" ;; - "build-tools/gssrpc.pc") CONFIG_FILES="$CONFIG_FILES build-tools/gssrpc.pc" ;; - "./Makefile") CONFIG_FILES="$CONFIG_FILES ./Makefile:$srcdir/./config/pre.in:./Makefile.in:./deps:$srcdir/./config/post.in" ;; - "util/Makefile") CONFIG_FILES="$CONFIG_FILES util/Makefile:$srcdir/./config/pre.in:util/Makefile.in:util/deps:$srcdir/./config/post.in" ;; - "util/support/Makefile") CONFIG_FILES="$CONFIG_FILES util/support/Makefile:$srcdir/./config/pre.in:util/support/Makefile.in:util/support/deps:$srcdir/./config/post.in" ;; - "util/profile/Makefile") CONFIG_FILES="$CONFIG_FILES util/profile/Makefile:$srcdir/./config/pre.in:util/profile/Makefile.in:util/profile/deps:$srcdir/./config/post.in" ;; - "util/profile/testmod/Makefile") CONFIG_FILES="$CONFIG_FILES util/profile/testmod/Makefile:$srcdir/./config/pre.in:util/profile/testmod/Makefile.in:util/profile/testmod/deps:$srcdir/./config/post.in" ;; - "util/verto/Makefile") CONFIG_FILES="$CONFIG_FILES util/verto/Makefile:$srcdir/./config/pre.in:util/verto/Makefile.in:util/verto/deps:$srcdir/./config/post.in" ;; - "lib/Makefile") CONFIG_FILES="$CONFIG_FILES lib/Makefile:$srcdir/./config/pre.in:lib/Makefile.in:lib/deps:$srcdir/./config/post.in" ;; - "lib/kdb/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kdb/Makefile:$srcdir/./config/pre.in:lib/kdb/Makefile.in:lib/kdb/deps:$srcdir/./config/post.in" ;; - "lib/crypto/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/Makefile:$srcdir/./config/pre.in:lib/crypto/Makefile.in:lib/crypto/deps:$srcdir/./config/post.in" ;; - "lib/crypto/krb/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/krb/Makefile:$srcdir/./config/pre.in:lib/crypto/krb/Makefile.in:lib/crypto/krb/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/Makefile.in:lib/crypto/$CRYPTO_IMPL/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/enc_provider/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/enc_provider/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/enc_provider/Makefile.in:lib/crypto/$CRYPTO_IMPL/enc_provider/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/hash_provider/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/hash_provider/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/hash_provider/Makefile.in:lib/crypto/$CRYPTO_IMPL/hash_provider/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/des/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/des/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/des/Makefile.in:lib/crypto/$CRYPTO_IMPL/des/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/md4/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/md4/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/md4/Makefile.in:lib/crypto/$CRYPTO_IMPL/md4/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/md5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/md5/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/md5/Makefile.in:lib/crypto/$CRYPTO_IMPL/md5/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/sha1/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/sha1/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/sha1/Makefile.in:lib/crypto/$CRYPTO_IMPL/sha1/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/sha2/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/sha2/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/sha2/Makefile.in:lib/crypto/$CRYPTO_IMPL/sha2/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/aes/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/aes/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/aes/Makefile.in:lib/crypto/$CRYPTO_IMPL/aes/deps:$srcdir/./config/post.in" ;; - "lib/crypto/$CRYPTO_IMPL/camellia/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/$CRYPTO_IMPL/camellia/Makefile:$srcdir/./config/pre.in:lib/crypto/$CRYPTO_IMPL/camellia/Makefile.in:lib/crypto/$CRYPTO_IMPL/camellia/deps:$srcdir/./config/post.in" ;; - "lib/crypto/crypto_tests/Makefile") CONFIG_FILES="$CONFIG_FILES lib/crypto/crypto_tests/Makefile:$srcdir/./config/pre.in:lib/crypto/crypto_tests/Makefile.in:lib/crypto/crypto_tests/deps:$srcdir/./config/post.in" ;; - "lib/krb5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/Makefile:$srcdir/./config/pre.in:lib/krb5/Makefile.in:lib/krb5/deps:$srcdir/./config/post.in" ;; - "lib/krb5/error_tables/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/error_tables/Makefile:$srcdir/./config/pre.in:lib/krb5/error_tables/Makefile.in:lib/krb5/error_tables/deps:$srcdir/./config/post.in" ;; - "lib/krb5/asn.1/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/asn.1/Makefile:$srcdir/./config/pre.in:lib/krb5/asn.1/Makefile.in:lib/krb5/asn.1/deps:$srcdir/./config/post.in" ;; - "lib/krb5/ccache/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/ccache/Makefile:$srcdir/./config/pre.in:lib/krb5/ccache/Makefile.in:lib/krb5/ccache/deps:$srcdir/./config/post.in" ;; - "lib/krb5/keytab/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/keytab/Makefile:$srcdir/./config/pre.in:lib/krb5/keytab/Makefile.in:lib/krb5/keytab/deps:$srcdir/./config/post.in" ;; - "lib/krb5/krb/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/krb/Makefile:$srcdir/./config/pre.in:lib/krb5/krb/Makefile.in:lib/krb5/krb/deps:$srcdir/./config/post.in" ;; - "lib/krb5/rcache/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/rcache/Makefile:$srcdir/./config/pre.in:lib/krb5/rcache/Makefile.in:lib/krb5/rcache/deps:$srcdir/./config/post.in" ;; - "lib/krb5/os/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/os/Makefile:$srcdir/./config/pre.in:lib/krb5/os/Makefile.in:lib/krb5/os/deps:$srcdir/./config/post.in" ;; - "lib/krb5/unicode/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krb5/unicode/Makefile:$srcdir/./config/pre.in:lib/krb5/unicode/Makefile.in:lib/krb5/unicode/deps:$srcdir/./config/post.in" ;; - "lib/gssapi/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/Makefile:$srcdir/./config/pre.in:lib/gssapi/Makefile.in:lib/gssapi/deps:$srcdir/./config/post.in" ;; - "lib/gssapi/generic/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/generic/Makefile:$srcdir/./config/pre.in:lib/gssapi/generic/Makefile.in:lib/gssapi/generic/deps:$srcdir/./config/post.in" ;; - "lib/gssapi/krb5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/krb5/Makefile:$srcdir/./config/pre.in:lib/gssapi/krb5/Makefile.in:lib/gssapi/krb5/deps:$srcdir/./config/post.in" ;; - "lib/gssapi/spnego/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/spnego/Makefile:$srcdir/./config/pre.in:lib/gssapi/spnego/Makefile.in:lib/gssapi/spnego/deps:$srcdir/./config/post.in" ;; - "lib/gssapi/mechglue/Makefile") CONFIG_FILES="$CONFIG_FILES lib/gssapi/mechglue/Makefile:$srcdir/./config/pre.in:lib/gssapi/mechglue/Makefile.in:lib/gssapi/mechglue/deps:$srcdir/./config/post.in" ;; - "lib/rpc/Makefile") CONFIG_FILES="$CONFIG_FILES lib/rpc/Makefile:$srcdir/./config/pre.in:lib/rpc/Makefile.in:lib/rpc/deps:$srcdir/./config/post.in" ;; - "lib/rpc/unit-test/Makefile") CONFIG_FILES="$CONFIG_FILES lib/rpc/unit-test/Makefile:$srcdir/./config/pre.in:lib/rpc/unit-test/Makefile.in:lib/rpc/unit-test/deps:$srcdir/./config/post.in" ;; - "lib/kadm5/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kadm5/Makefile:$srcdir/./config/pre.in:lib/kadm5/Makefile.in:lib/kadm5/deps:$srcdir/./config/post.in" ;; - "lib/kadm5/clnt/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kadm5/clnt/Makefile:$srcdir/./config/pre.in:lib/kadm5/clnt/Makefile.in:lib/kadm5/clnt/deps:$srcdir/./config/post.in" ;; - "lib/kadm5/srv/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kadm5/srv/Makefile:$srcdir/./config/pre.in:lib/kadm5/srv/Makefile.in:lib/kadm5/srv/deps:$srcdir/./config/post.in" ;; - "lib/kadm5/unit-test/Makefile") CONFIG_FILES="$CONFIG_FILES lib/kadm5/unit-test/Makefile:$srcdir/./config/pre.in:lib/kadm5/unit-test/Makefile.in:lib/kadm5/unit-test/deps:$srcdir/./config/post.in" ;; - "lib/krad/Makefile") CONFIG_FILES="$CONFIG_FILES lib/krad/Makefile:$srcdir/./config/pre.in:lib/krad/Makefile.in:lib/krad/deps:$srcdir/./config/post.in" ;; - "lib/apputils/Makefile") CONFIG_FILES="$CONFIG_FILES lib/apputils/Makefile:$srcdir/./config/pre.in:lib/apputils/Makefile.in:lib/apputils/deps:$srcdir/./config/post.in" ;; - "kdc/Makefile") CONFIG_FILES="$CONFIG_FILES kdc/Makefile:$srcdir/./config/pre.in:kdc/Makefile.in:kdc/deps:$srcdir/./config/post.in" ;; - "slave/Makefile") CONFIG_FILES="$CONFIG_FILES slave/Makefile:$srcdir/./config/pre.in:slave/Makefile.in:slave/deps:$srcdir/./config/post.in" ;; - "config-files/Makefile") CONFIG_FILES="$CONFIG_FILES config-files/Makefile:$srcdir/./config/pre.in:config-files/Makefile.in:config-files/deps:$srcdir/./config/post.in" ;; - "build-tools/Makefile") CONFIG_FILES="$CONFIG_FILES build-tools/Makefile:$srcdir/./config/pre.in:build-tools/Makefile.in:build-tools/deps:$srcdir/./config/post.in" ;; - "man/Makefile") CONFIG_FILES="$CONFIG_FILES man/Makefile:$srcdir/./config/pre.in:man/Makefile.in:man/deps:$srcdir/./config/post.in" ;; - "doc/Makefile") CONFIG_FILES="$CONFIG_FILES doc/Makefile:$srcdir/./config/pre.in:doc/Makefile.in:doc/deps:$srcdir/./config/post.in" ;; - "include/Makefile") CONFIG_FILES="$CONFIG_FILES include/Makefile:$srcdir/./config/pre.in:include/Makefile.in:include/deps:$srcdir/./config/post.in" ;; - "plugins/hostrealm/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/hostrealm/test/Makefile:$srcdir/./config/pre.in:plugins/hostrealm/test/Makefile.in:plugins/hostrealm/test/deps:$srcdir/./config/post.in" ;; - "plugins/localauth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/localauth/test/Makefile:$srcdir/./config/pre.in:plugins/localauth/test/Makefile.in:plugins/localauth/test/deps:$srcdir/./config/post.in" ;; - "plugins/kadm5_hook/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kadm5_hook/test/Makefile:$srcdir/./config/pre.in:plugins/kadm5_hook/test/Makefile.in:plugins/kadm5_hook/test/deps:$srcdir/./config/post.in" ;; - "plugins/pwqual/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/pwqual/test/Makefile:$srcdir/./config/pre.in:plugins/pwqual/test/Makefile.in:plugins/pwqual/test/deps:$srcdir/./config/post.in" ;; - "plugins/audit/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/Makefile:$srcdir/./config/pre.in:plugins/audit/Makefile.in:plugins/audit/deps:$srcdir/./config/post.in" ;; - "plugins/audit/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/audit/test/Makefile:$srcdir/./config/pre.in:plugins/audit/test/Makefile.in:plugins/audit/test/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/Makefile.in:plugins/kdb/db2/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/Makefile.in:plugins/kdb/db2/libdb2/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/hash/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/hash/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/hash/Makefile.in:plugins/kdb/db2/libdb2/hash/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/btree/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/btree/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/btree/Makefile.in:plugins/kdb/db2/libdb2/btree/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/db/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/db/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/db/Makefile.in:plugins/kdb/db2/libdb2/db/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/mpool/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/mpool/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/mpool/Makefile.in:plugins/kdb/db2/libdb2/mpool/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/recno/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/recno/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/recno/Makefile.in:plugins/kdb/db2/libdb2/recno/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/db2/libdb2/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/db2/libdb2/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/db2/libdb2/test/Makefile.in:plugins/kdb/db2/libdb2/test/deps:$srcdir/./config/post.in" ;; - "plugins/kdb/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/kdb/test/Makefile:$srcdir/./config/pre.in:plugins/kdb/test/Makefile.in:plugins/kdb/test/deps:$srcdir/./config/post.in" ;; - "plugins/preauth/otp/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/otp/Makefile:$srcdir/./config/pre.in:plugins/preauth/otp/Makefile.in:plugins/preauth/otp/deps:$srcdir/./config/post.in" ;; - "plugins/preauth/test/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/preauth/test/Makefile:$srcdir/./config/pre.in:plugins/preauth/test/Makefile.in:plugins/preauth/test/deps:$srcdir/./config/post.in" ;; - "plugins/authdata/greet_client/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/authdata/greet_client/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_client/Makefile.in:plugins/authdata/greet_client/deps:$srcdir/./config/post.in" ;; - "plugins/authdata/greet_server/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/authdata/greet_server/Makefile:$srcdir/./config/pre.in:plugins/authdata/greet_server/Makefile.in:plugins/authdata/greet_server/deps:$srcdir/./config/post.in" ;; - "plugins/tls/k5tls/Makefile") CONFIG_FILES="$CONFIG_FILES plugins/tls/k5tls/Makefile:$srcdir/./config/pre.in:plugins/tls/k5tls/Makefile.in:plugins/tls/k5tls/deps:$srcdir/./config/post.in" ;; - "clients/Makefile") CONFIG_FILES="$CONFIG_FILES clients/Makefile:$srcdir/./config/pre.in:clients/Makefile.in:clients/deps:$srcdir/./config/post.in" ;; - "clients/klist/Makefile") CONFIG_FILES="$CONFIG_FILES clients/klist/Makefile:$srcdir/./config/pre.in:clients/klist/Makefile.in:clients/klist/deps:$srcdir/./config/post.in" ;; - "clients/kinit/Makefile") CONFIG_FILES="$CONFIG_FILES clients/kinit/Makefile:$srcdir/./config/pre.in:clients/kinit/Makefile.in:clients/kinit/deps:$srcdir/./config/post.in" ;; - "clients/kvno/Makefile") CONFIG_FILES="$CONFIG_FILES clients/kvno/Makefile:$srcdir/./config/pre.in:clients/kvno/Makefile.in:clients/kvno/deps:$srcdir/./config/post.in" ;; - "clients/kdestroy/Makefile") CONFIG_FILES="$CONFIG_FILES clients/kdestroy/Makefile:$srcdir/./config/pre.in:clients/kdestroy/Makefile.in:clients/kdestroy/deps:$srcdir/./config/post.in" ;; - "clients/kpasswd/Makefile") CONFIG_FILES="$CONFIG_FILES clients/kpasswd/Makefile:$srcdir/./config/pre.in:clients/kpasswd/Makefile.in:clients/kpasswd/deps:$srcdir/./config/post.in" ;; - "clients/ksu/Makefile") CONFIG_FILES="$CONFIG_FILES clients/ksu/Makefile:$srcdir/./config/pre.in:clients/ksu/Makefile.in:clients/ksu/deps:$srcdir/./config/post.in" ;; - "clients/kswitch/Makefile") CONFIG_FILES="$CONFIG_FILES clients/kswitch/Makefile:$srcdir/./config/pre.in:clients/kswitch/Makefile.in:clients/kswitch/deps:$srcdir/./config/post.in" ;; - "kadmin/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/Makefile:$srcdir/./config/pre.in:kadmin/Makefile.in:kadmin/deps:$srcdir/./config/post.in" ;; - "kadmin/cli/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/cli/Makefile:$srcdir/./config/pre.in:kadmin/cli/Makefile.in:kadmin/cli/deps:$srcdir/./config/post.in" ;; - "kadmin/dbutil/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/dbutil/Makefile:$srcdir/./config/pre.in:kadmin/dbutil/Makefile.in:kadmin/dbutil/deps:$srcdir/./config/post.in" ;; - "kadmin/ktutil/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/ktutil/Makefile:$srcdir/./config/pre.in:kadmin/ktutil/Makefile.in:kadmin/ktutil/deps:$srcdir/./config/post.in" ;; - "kadmin/server/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/server/Makefile:$srcdir/./config/pre.in:kadmin/server/Makefile.in:kadmin/server/deps:$srcdir/./config/post.in" ;; - "kadmin/testing/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/testing/Makefile:$srcdir/./config/pre.in:kadmin/testing/Makefile.in:kadmin/testing/deps:$srcdir/./config/post.in" ;; - "kadmin/testing/scripts/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/testing/scripts/Makefile:$srcdir/./config/pre.in:kadmin/testing/scripts/Makefile.in:kadmin/testing/scripts/deps:$srcdir/./config/post.in" ;; - "kadmin/testing/util/Makefile") CONFIG_FILES="$CONFIG_FILES kadmin/testing/util/Makefile:$srcdir/./config/pre.in:kadmin/testing/util/Makefile.in:kadmin/testing/util/deps:$srcdir/./config/post.in" ;; - "appl/Makefile") CONFIG_FILES="$CONFIG_FILES appl/Makefile:$srcdir/./config/pre.in:appl/Makefile.in:appl/deps:$srcdir/./config/post.in" ;; - "appl/sample/Makefile") CONFIG_FILES="$CONFIG_FILES appl/sample/Makefile:$srcdir/./config/pre.in:appl/sample/Makefile.in:appl/sample/deps:$srcdir/./config/post.in" ;; - "appl/sample/sclient/Makefile") CONFIG_FILES="$CONFIG_FILES appl/sample/sclient/Makefile:$srcdir/./config/pre.in:appl/sample/sclient/Makefile.in:appl/sample/sclient/deps:$srcdir/./config/post.in" ;; - "appl/sample/sserver/Makefile") CONFIG_FILES="$CONFIG_FILES appl/sample/sserver/Makefile:$srcdir/./config/pre.in:appl/sample/sserver/Makefile.in:appl/sample/sserver/deps:$srcdir/./config/post.in" ;; - "appl/simple/Makefile") CONFIG_FILES="$CONFIG_FILES appl/simple/Makefile:$srcdir/./config/pre.in:appl/simple/Makefile.in:appl/simple/deps:$srcdir/./config/post.in" ;; - "appl/simple/client/Makefile") CONFIG_FILES="$CONFIG_FILES appl/simple/client/Makefile:$srcdir/./config/pre.in:appl/simple/client/Makefile.in:appl/simple/client/deps:$srcdir/./config/post.in" ;; - "appl/simple/server/Makefile") CONFIG_FILES="$CONFIG_FILES appl/simple/server/Makefile:$srcdir/./config/pre.in:appl/simple/server/Makefile.in:appl/simple/server/deps:$srcdir/./config/post.in" ;; - "appl/gss-sample/Makefile") CONFIG_FILES="$CONFIG_FILES appl/gss-sample/Makefile:$srcdir/./config/pre.in:appl/gss-sample/Makefile.in:appl/gss-sample/deps:$srcdir/./config/post.in" ;; - "appl/user_user/Makefile") CONFIG_FILES="$CONFIG_FILES appl/user_user/Makefile:$srcdir/./config/pre.in:appl/user_user/Makefile.in:appl/user_user/deps:$srcdir/./config/post.in" ;; - "tests/Makefile") CONFIG_FILES="$CONFIG_FILES tests/Makefile:$srcdir/./config/pre.in:tests/Makefile.in:tests/deps:$srcdir/./config/post.in" ;; - "tests/resolve/Makefile") CONFIG_FILES="$CONFIG_FILES tests/resolve/Makefile:$srcdir/./config/pre.in:tests/resolve/Makefile.in:tests/resolve/deps:$srcdir/./config/post.in" ;; - "tests/asn.1/Makefile") CONFIG_FILES="$CONFIG_FILES tests/asn.1/Makefile:$srcdir/./config/pre.in:tests/asn.1/Makefile.in:tests/asn.1/deps:$srcdir/./config/post.in" ;; - "tests/create/Makefile") CONFIG_FILES="$CONFIG_FILES tests/create/Makefile:$srcdir/./config/pre.in:tests/create/Makefile.in:tests/create/deps:$srcdir/./config/post.in" ;; - "tests/hammer/Makefile") CONFIG_FILES="$CONFIG_FILES tests/hammer/Makefile:$srcdir/./config/pre.in:tests/hammer/Makefile.in:tests/hammer/deps:$srcdir/./config/post.in" ;; - "tests/verify/Makefile") CONFIG_FILES="$CONFIG_FILES tests/verify/Makefile:$srcdir/./config/pre.in:tests/verify/Makefile.in:tests/verify/deps:$srcdir/./config/post.in" ;; - "tests/gssapi/Makefile") CONFIG_FILES="$CONFIG_FILES tests/gssapi/Makefile:$srcdir/./config/pre.in:tests/gssapi/Makefile.in:tests/gssapi/deps:$srcdir/./config/post.in" ;; - "tests/dejagnu/Makefile") CONFIG_FILES="$CONFIG_FILES tests/dejagnu/Makefile:$srcdir/./config/pre.in:tests/dejagnu/Makefile.in:tests/dejagnu/deps:$srcdir/./config/post.in" ;; - "tests/threads/Makefile") CONFIG_FILES="$CONFIG_FILES tests/threads/Makefile:$srcdir/./config/pre.in:tests/threads/Makefile.in:tests/threads/deps:$srcdir/./config/post.in" ;; - "tests/shlib/Makefile") CONFIG_FILES="$CONFIG_FILES tests/shlib/Makefile:$srcdir/./config/pre.in:tests/shlib/Makefile.in:tests/shlib/deps:$srcdir/./config/post.in" ;; - "tests/gss-threads/Makefile") CONFIG_FILES="$CONFIG_FILES tests/gss-threads/Makefile:$srcdir/./config/pre.in:tests/gss-threads/Makefile.in:tests/gss-threads/deps:$srcdir/./config/post.in" ;; - "tests/misc/Makefile") CONFIG_FILES="$CONFIG_FILES tests/misc/Makefile:$srcdir/./config/pre.in:tests/misc/Makefile.in:tests/misc/deps:$srcdir/./config/post.in" ;; - "po/Makefile") CONFIG_FILES="$CONFIG_FILES po/Makefile:$srcdir/./config/pre.in:po/Makefile.in:po/deps:$srcdir/./config/post.in" ;; - - *) as_fn_error $? "invalid argument: \`$ac_config_target'" "$LINENO" 5;; - esac -done - - -# If the user did not use the arguments to specify the items to instantiate, -# then the envvar interface is used. Set only those that are not. -# We use the long form for the default assignment because of an extremely -# bizarre bug on SunOS 4.1.3. -if $ac_need_defaults; then - test "${CONFIG_FILES+set}" = set || CONFIG_FILES=$config_files - test "${CONFIG_HEADERS+set}" = set || CONFIG_HEADERS=$config_headers - test "${CONFIG_COMMANDS+set}" = set || CONFIG_COMMANDS=$config_commands -fi - -# Have a temporary directory for convenience. Make it in the build tree -# simply because there is no reason against having it here, and in addition, -# creating and moving files from /tmp can sometimes cause problems. -# Hook for its removal unless debugging. -# Note that there is a small window in which the directory will not be cleaned: -# after its creation but before its name has been assigned to `$tmp'. -$debug || -{ - tmp= ac_tmp= - trap 'exit_status=$? - : "${ac_tmp:=$tmp}" - { test ! -d "$ac_tmp" || rm -fr "$ac_tmp"; } && exit $exit_status -' 0 - trap 'as_fn_exit 1' 1 2 13 15 -} -# Create a (secure) tmp directory for tmp files. - -{ - tmp=`(umask 077 && mktemp -d "./confXXXXXX") 2>/dev/null` && - test -d "$tmp" -} || -{ - tmp=./conf$$-$RANDOM - (umask 077 && mkdir "$tmp") -} || as_fn_error $? "cannot create a temporary directory in ." "$LINENO" 5 -ac_tmp=$tmp - -# Set up the scripts for CONFIG_FILES section. -# No need to generate them if there are no CONFIG_FILES. -# This happens for instance with `./config.status config.h'. -if test -n "$CONFIG_FILES"; then - -if $AWK 'BEGIN { getline <"/dev/null" }' /dev/null; then - ac_cs_awk_getline=: - ac_cs_awk_pipe_init= - ac_cs_awk_read_file=' - while ((getline aline < (F[key])) > 0) - print(aline) - close(F[key])' - ac_cs_awk_pipe_fini= -else - ac_cs_awk_getline=false - ac_cs_awk_pipe_init="print \"cat <<'|#_!!_#|' &&\"" - ac_cs_awk_read_file=' - print "|#_!!_#|" - print "cat " F[key] " &&" - '$ac_cs_awk_pipe_init - # The final `:' finishes the AND list. - ac_cs_awk_pipe_fini='END { print "|#_!!_#|"; print ":" }' -fi -ac_cr=`echo X | tr X '\015'` -# On cygwin, bash can eat \r inside `` if the user requested igncr. -# But we know of no other shell where ac_cr would be empty at this -# point, so we can use a bashism as a fallback. -if test "x$ac_cr" = x; then - eval ac_cr=\$\'\\r\' -fi -ac_cs_awk_cr=`$AWK 'BEGIN { print "a\rb" }' /dev/null` -if test "$ac_cs_awk_cr" = "a${ac_cr}b"; then - ac_cs_awk_cr='\\r' -else - ac_cs_awk_cr=$ac_cr -fi - -echo 'BEGIN {' >"$ac_tmp/subs1.awk" && -_ACEOF - -# Create commands to substitute file output variables. -{ - echo "cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1" && - echo 'cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK &&' && - echo "$ac_subst_files" | sed 's/.*/F["&"]="$&"/' && - echo "_ACAWK" && - echo "_ACEOF" -} >conf$$files.sh && -. ./conf$$files.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 -rm -f conf$$files.sh - -{ - echo "cat >conf$$subs.awk <<_ACEOF" && - echo "$ac_subst_vars" | sed 's/.*/&!$&$ac_delim/' && - echo "_ACEOF" -} >conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 -ac_delim_num=`echo "$ac_subst_vars" | grep -c '^'` -ac_delim='%!_!# ' -for ac_last_try in false false false false false :; do - . ./conf$$subs.sh || - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - - ac_delim_n=`sed -n "s/.*$ac_delim\$/X/p" conf$$subs.awk | grep -c X` - if test $ac_delim_n = $ac_delim_num; then - break - elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_STATUS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done -rm -f conf$$subs.sh - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -cat >>"\$ac_tmp/subs1.awk" <<\\_ACAWK && -_ACEOF -sed -n ' -h -s/^/S["/; s/!.*/"]=/ -p -g -s/^[^!]*!// -:repl -t repl -s/'"$ac_delim"'$// -t delim -:nl -h -s/\(.\{148\}\)..*/\1/ -t more1 -s/["\\]/\\&/g; s/^/"/; s/$/\\n"\\/ -p -n -b repl -:more1 -s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -p -g -s/.\{148\}// -t nl -:delim -h -s/\(.\{148\}\)..*/\1/ -t more2 -s/["\\]/\\&/g; s/^/"/; s/$/"/ -p -b -:more2 -s/["\\]/\\&/g; s/^/"/; s/$/"\\/ -p -g -s/.\{148\}// -t delim -' >$CONFIG_STATUS || ac_write_fail=1 -rm -f conf$$subs.awk -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -_ACAWK -cat >>"\$ac_tmp/subs1.awk" <<_ACAWK && - for (key in S) S_is_set[key] = 1 - FS = "" - \$ac_cs_awk_pipe_init -} -{ - line = $ 0 - nfields = split(line, field, "@") - substed = 0 - len = length(field[1]) - for (i = 2; i < nfields; i++) { - key = field[i] - keylen = length(key) - if (S_is_set[key]) { - value = S[key] - line = substr(line, 1, len) "" value "" substr(line, len + keylen + 3) - len += length(value) + length(field[++i]) - substed = 1 - } else - len += 1 + keylen - } - if (nfields == 3 && !substed) { - key = field[2] - if (F[key] != "" && line ~ /^[ ]*@.*@[ ]*$/) { - \$ac_cs_awk_read_file - next - } - } - print line -} -\$ac_cs_awk_pipe_fini -_ACAWK -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -if sed "s/$ac_cr//" < /dev/null > /dev/null 2>&1; then - sed "s/$ac_cr\$//; s/$ac_cr/$ac_cs_awk_cr/g" -else - cat -fi < "$ac_tmp/subs1.awk" > "$ac_tmp/subs.awk" \ - || as_fn_error $? "could not setup config files machinery" "$LINENO" 5 -_ACEOF - -# VPATH may cause trouble with some makes, so we remove sole $(srcdir), -# ${srcdir} and @srcdir@ entries from VPATH if srcdir is ".", strip leading and -# trailing colons and then remove the whole line if VPATH becomes empty -# (actually we leave an empty line to preserve line numbers). -if test "x$srcdir" = x.; then - ac_vpsub='/^[ ]*VPATH[ ]*=[ ]*/{ -h -s/// -s/^/:/ -s/[ ]*$/:/ -s/:\$(srcdir):/:/g -s/:\${srcdir}:/:/g -s/:@srcdir@:/:/g -s/^:*// -s/:*$// -x -s/\(=[ ]*\).*/\1/ -G -s/\n// -s/^[^=]*=[ ]*$// -}' -fi - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -fi # test -n "$CONFIG_FILES" - -# Set up the scripts for CONFIG_HEADERS section. -# No need to generate them if there are no CONFIG_HEADERS. -# This happens for instance with `./config.status Makefile'. -if test -n "$CONFIG_HEADERS"; then -cat >"$ac_tmp/defines.awk" <<\_ACAWK || -BEGIN { -_ACEOF - -# Transform confdefs.h into an awk script `defines.awk', embedded as -# here-document in config.status, that substitutes the proper values into -# config.h.in to produce config.h. - -# Create a delimiter string that does not exist in confdefs.h, to ease -# handling of long lines. -ac_delim='%!_!# ' -for ac_last_try in false false :; do - ac_tt=`sed -n "/$ac_delim/p" confdefs.h` - if test -z "$ac_tt"; then - break - elif $ac_last_try; then - as_fn_error $? "could not make $CONFIG_HEADERS" "$LINENO" 5 - else - ac_delim="$ac_delim!$ac_delim _$ac_delim!! " - fi -done - -# For the awk script, D is an array of macro values keyed by name, -# likewise P contains macro parameters if any. Preserve backslash -# newline sequences. - -ac_word_re=[_$as_cr_Letters][_$as_cr_alnum]* -sed -n ' -s/.\{148\}/&'"$ac_delim"'/g -t rset -:rset -s/^[ ]*#[ ]*define[ ][ ]*/ / -t def -d -:def -s/\\$// -t bsnl -s/["\\]/\\&/g -s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ -D["\1"]=" \3"/p -s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2"/p -d -:bsnl -s/["\\]/\\&/g -s/^ \('"$ac_word_re"'\)\(([^()]*)\)[ ]*\(.*\)/P["\1"]="\2"\ -D["\1"]=" \3\\\\\\n"\\/p -t cont -s/^ \('"$ac_word_re"'\)[ ]*\(.*\)/D["\1"]=" \2\\\\\\n"\\/p -t cont -d -:cont -n -s/.\{148\}/&'"$ac_delim"'/g -t clear -:clear -s/\\$// -t bsnlc -s/["\\]/\\&/g; s/^/"/; s/$/"/p -d -:bsnlc -s/["\\]/\\&/g; s/^/"/; s/$/\\\\\\n"\\/p -b cont -' >$CONFIG_STATUS || ac_write_fail=1 - -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - for (key in D) D_is_set[key] = 1 - FS = "" -} -/^[\t ]*#[\t ]*(define|undef)[\t ]+$ac_word_re([\t (]|\$)/ { - line = \$ 0 - split(line, arg, " ") - if (arg[1] == "#") { - defundef = arg[2] - mac1 = arg[3] - } else { - defundef = substr(arg[1], 2) - mac1 = arg[2] - } - split(mac1, mac2, "(") #) - macro = mac2[1] - prefix = substr(line, 1, index(line, defundef) - 1) - if (D_is_set[macro]) { - # Preserve the white space surrounding the "#". - print prefix "define", macro P[macro] D[macro] - next - } else { - # Replace #undef with comments. This is necessary, for example, - # in the case of _POSIX_SOURCE, which is predefined and required - # on some systems where configure will not decide to define it. - if (defundef == "undef") { - print "/*", prefix defundef, macro, "*/" - next - } - } -} -{ print } -_ACAWK -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 - as_fn_error $? "could not setup config headers machinery" "$LINENO" 5 -fi # test -n "$CONFIG_HEADERS" - - -eval set X " :F $CONFIG_FILES :H $CONFIG_HEADERS :C $CONFIG_COMMANDS" -shift -for ac_tag -do - case $ac_tag in - :[FHLC]) ac_mode=$ac_tag; continue;; - esac - case $ac_mode$ac_tag in - :[FHL]*:*);; - :L* | :C*:*) as_fn_error $? "invalid tag \`$ac_tag'" "$LINENO" 5;; - :[FH]-) ac_tag=-:-;; - :[FH]*) ac_tag=$ac_tag:$ac_tag.in;; - esac - ac_save_IFS=$IFS - IFS=: - set x $ac_tag - IFS=$ac_save_IFS - shift - ac_file=$1 - shift - - case $ac_mode in - :L) ac_source=$1;; - :[FH]) - ac_file_inputs= - for ac_f - do - case $ac_f in - -) ac_f="$ac_tmp/stdin";; - *) # Look for the file first in the build tree, then in the source tree - # (if the path is not absolute). The absolute path cannot be DOS-style, - # because $ac_f cannot contain `:'. - test -f "$ac_f" || - case $ac_f in - [\\/$]*) false;; - *) test -f "$srcdir/$ac_f" && ac_f="$srcdir/$ac_f";; - esac || - as_fn_error 1 "cannot find input file: \`$ac_f'" "$LINENO" 5;; - esac - case $ac_f in *\'*) ac_f=`$as_echo "$ac_f" | sed "s/'/'\\\\\\\\''/g"`;; esac - as_fn_append ac_file_inputs " '$ac_f'" - done - - # Let's still pretend it is `configure' which instantiates (i.e., don't - # use $as_me), people would be surprised to read: - # /* config.h. Generated by config.status. */ - configure_input='Generated from '` - $as_echo "$*" | sed 's|^[^:]*/||;s|:[^:]*/|, |g' - `' by configure.' - if test x"$ac_file" != x-; then - configure_input="$ac_file. $configure_input" - { $as_echo "$as_me:${as_lineno-$LINENO}: creating $ac_file" >&5 -$as_echo "$as_me: creating $ac_file" >&6;} - fi - # Neutralize special characters interpreted by sed in replacement strings. - case $configure_input in #( - *\&* | *\|* | *\\* ) - ac_sed_conf_input=`$as_echo "$configure_input" | - sed 's/[\\\\&|]/\\\\&/g'`;; #( - *) ac_sed_conf_input=$configure_input;; - esac - - case $ac_tag in - *:-:* | *:-) cat >"$ac_tmp/stdin" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 ;; - esac - ;; - esac - - ac_dir=`$as_dirname -- "$ac_file" || -$as_expr X"$ac_file" : 'X\(.*[^/]\)//*[^/][^/]*/*$' \| \ - X"$ac_file" : 'X\(//\)[^/]' \| \ - X"$ac_file" : 'X\(//\)$' \| \ - X"$ac_file" : 'X\(/\)' \| . 2>/dev/null || -$as_echo X"$ac_file" | - sed '/^X\(.*[^/]\)\/\/*[^/][^/]*\/*$/{ - s//\1/ - q - } - /^X\(\/\/\)[^/].*/{ - s//\1/ - q - } - /^X\(\/\/\)$/{ - s//\1/ - q - } - /^X\(\/\).*/{ - s//\1/ - q - } - s/.*/./; q'` - as_dir="$ac_dir"; as_fn_mkdir_p - ac_builddir=. - -case "$ac_dir" in -.) ac_dir_suffix= ac_top_builddir_sub=. ac_top_build_prefix= ;; -*) - ac_dir_suffix=/`$as_echo "$ac_dir" | sed 's|^\.[\\/]||'` - # A ".." for each directory in $ac_dir_suffix. - ac_top_builddir_sub=`$as_echo "$ac_dir_suffix" | sed 's|/[^\\/]*|/..|g;s|/||'` - case $ac_top_builddir_sub in - "") ac_top_builddir_sub=. ac_top_build_prefix= ;; - *) ac_top_build_prefix=$ac_top_builddir_sub/ ;; - esac ;; -esac -ac_abs_top_builddir=$ac_pwd -ac_abs_builddir=$ac_pwd$ac_dir_suffix -# for backward compatibility: -ac_top_builddir=$ac_top_build_prefix - -case $srcdir in - .) # We are building in place. - ac_srcdir=. - ac_top_srcdir=$ac_top_builddir_sub - ac_abs_top_srcdir=$ac_pwd ;; - [\\/]* | ?:[\\/]* ) # Absolute name. - ac_srcdir=$srcdir$ac_dir_suffix; - ac_top_srcdir=$srcdir - ac_abs_top_srcdir=$srcdir ;; - *) # Relative name. - ac_srcdir=$ac_top_build_prefix$srcdir$ac_dir_suffix - ac_top_srcdir=$ac_top_build_prefix$srcdir - ac_abs_top_srcdir=$ac_pwd/$srcdir ;; -esac -ac_abs_srcdir=$ac_abs_top_srcdir$ac_dir_suffix - - - case $ac_mode in - :F) - # - # CONFIG_FILE - # - - case $INSTALL in - [\\/$]* | ?:[\\/]* ) ac_INSTALL=$INSTALL ;; - *) ac_INSTALL=$ac_top_build_prefix$INSTALL ;; - esac -_ACEOF - -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -# If the template does not know about datarootdir, expand it. -# FIXME: This hack should be removed a few years after 2.60. -ac_datarootdir_hack=; ac_datarootdir_seen= -ac_sed_dataroot=' -/datarootdir/ { - p - q -} -/@datadir@/p -/@docdir@/p -/@infodir@/p -/@localedir@/p -/@mandir@/p' -case `eval "sed -n \"\$ac_sed_dataroot\" $ac_file_inputs"` in -*datarootdir*) ac_datarootdir_seen=yes;; -*@datadir@*|*@docdir@*|*@infodir@*|*@localedir@*|*@mandir@*) - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&5 -$as_echo "$as_me: WARNING: $ac_file_inputs seems to ignore the --datarootdir setting" >&2;} -_ACEOF -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 - ac_datarootdir_hack=' - s&@datadir@&$datadir&g - s&@docdir@&$docdir&g - s&@infodir@&$infodir&g - s&@localedir@&$localedir&g - s&@mandir@&$mandir&g - s&\\\${datarootdir}&$datarootdir&g' ;; -esac -_ACEOF - -# Neutralize VPATH when `$srcdir' = `.'. -# Shell code in configure.ac might set extrasub. -# FIXME: do we really want to maintain this feature? -cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 -ac_sed_extra="$ac_vpsub -$extrasub -_ACEOF -cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 -:t -/@[a-zA-Z_][a-zA-Z_0-9]*@/!b -s|@configure_input@|$ac_sed_conf_input|;t t -s&@top_builddir@&$ac_top_builddir_sub&;t t -s&@top_build_prefix@&$ac_top_build_prefix&;t t -s&@srcdir@&$ac_srcdir&;t t -s&@abs_srcdir@&$ac_abs_srcdir&;t t -s&@top_srcdir@&$ac_top_srcdir&;t t -s&@abs_top_srcdir@&$ac_abs_top_srcdir&;t t -s&@builddir@&$ac_builddir&;t t -s&@abs_builddir@&$ac_abs_builddir&;t t -s&@abs_top_builddir@&$ac_abs_top_builddir&;t t -s&@INSTALL@&$ac_INSTALL&;t t -$ac_datarootdir_hack -" -eval sed \"\$ac_sed_extra\" "$ac_file_inputs" | -if $ac_cs_awk_getline; then - $AWK -f "$ac_tmp/subs.awk" -else - $AWK -f "$ac_tmp/subs.awk" | $SHELL -fi \ - >$ac_tmp/out || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - -test -z "$ac_datarootdir_hack$ac_datarootdir_seen" && - { ac_out=`sed -n '/\${datarootdir}/p' "$ac_tmp/out"`; test -n "$ac_out"; } && - { ac_out=`sed -n '/^[ ]*datarootdir[ ]*:*=/p' \ - "$ac_tmp/out"`; test -z "$ac_out"; } && - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&5 -$as_echo "$as_me: WARNING: $ac_file contains a reference to the variable \`datarootdir' -which seems to be undefined. Please make sure it is defined" >&2;} - - rm -f "$ac_tmp/stdin" - case $ac_file in - -) cat "$ac_tmp/out" && rm -f "$ac_tmp/out";; - *) rm -f "$ac_file" && mv "$ac_tmp/out" "$ac_file";; - esac \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - ;; - :H) - # - # CONFIG_HEADER - # - if test x"$ac_file" != x-; then - { - $as_echo "/* $configure_input */" \ - && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" - } >"$ac_tmp/config.h" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - if diff "$ac_file" "$ac_tmp/config.h" >/dev/null 2>&1; then - { $as_echo "$as_me:${as_lineno-$LINENO}: $ac_file is unchanged" >&5 -$as_echo "$as_me: $ac_file is unchanged" >&6;} - else - rm -f "$ac_file" - mv "$ac_tmp/config.h" "$ac_file" \ - || as_fn_error $? "could not create $ac_file" "$LINENO" 5 - fi - else - $as_echo "/* $configure_input */" \ - && eval '$AWK -f "$ac_tmp/defines.awk"' "$ac_file_inputs" \ - || as_fn_error $? "could not create -" "$LINENO" 5 - fi - ;; - - :C) { $as_echo "$as_me:${as_lineno-$LINENO}: executing $ac_file commands" >&5 -$as_echo "$as_me: executing $ac_file commands" >&6;} - ;; - esac - - - case $ac_file$ac_mode in - "include/autoconf.h":H) echo timestamp > include/autoconf.stamp ;; - "build-tools/krb5-config":F) chmod +x build-tools/krb5-config ;; - - esac -done # for ac_tag - - -as_fn_exit 0 -_ACEOF -ac_clean_files=$ac_clean_files_save - -test $ac_write_fail = 0 || - as_fn_error $? "write failure creating $CONFIG_STATUS" "$LINENO" 5 - - -# configure is writing to config.log, and then calls config.status. -# config.status does its own redirection, appending to config.log. -# Unfortunately, on DOS this fails, as config.log is still kept open -# by configure, so config.status won't be able to write to it; its -# output is simply discarded. So we exec the FD to /dev/null, -# effectively closing config.log, so it can be properly (re)opened and -# appended to by config.status. When coming back to configure, we -# need to make the FD available again. -if test "$no_create" != yes; then - ac_cs_success=: - ac_config_status_args= - test "$silent" = yes && - ac_config_status_args="$ac_config_status_args --quiet" - exec 5>/dev/null - $SHELL $CONFIG_STATUS $ac_config_status_args || ac_cs_success=false - exec 5>>config.log - # Use ||, not &&, to avoid exiting from the if with $? = 1, which - # would make configure fail if this is the last instruction. - $ac_cs_success || as_fn_exit 1 -fi -if test -n "$ac_unrecognized_opts" && test "$enable_option_checking" != no; then - { $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: unrecognized options: $ac_unrecognized_opts" >&5 -$as_echo "$as_me: WARNING: unrecognized options: $ac_unrecognized_opts" >&2;} -fi - diff --git a/src/configure.in b/src/configure.in index 037c9f3..61ef738 100644 --- a/src/configure.in +++ b/src/configure.in @@ -22,6 +22,8 @@ AC_SUBST(KRB5_VERSION) AC_REQUIRE_CPP +PKG_PROG_PKG_CONFIG + AC_CHECK_HEADER([stdint.h], [], [AC_MSG_ERROR([stdint.h is required])]) @@ -106,7 +108,7 @@ AC_ARG_ENABLE([athena], KRB5_BUILD_LIBOBJS KRB5_BUILD_LIBRARY KRB5_BUILD_PROGRAM -# for slave +# for kprop AC_TYPE_MODE_T AC_PROG_INSTALL KRB5_AC_NEED_DAEMON @@ -118,21 +120,35 @@ LIBUTIL=-lutil ]) AC_SUBST(LIBUTIL) -AC_CHECK_HEADER(libintl.h, [ - AC_SEARCH_LIBS(dgettext, intl, [ - AC_DEFINE(ENABLE_NLS, 1, - [Define if translation functions should be used.])])]) - -AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) +# Determine if NLS is desired and supported. po= -if test x"$MSGFMT" != x; then - po=po +AC_ARG_ENABLE([nls], +AC_HELP_STRING([--disable-nls], [disable native language support]), + [], [enable_nls=check]) +if test "$enable_nls" != no; then + AC_CHECK_HEADER(libintl.h, [ + AC_SEARCH_LIBS(dgettext, intl, [ + AC_DEFINE(ENABLE_NLS, 1, + [Define if translation functions should be used.]) + nls_enabled=yes])]) + + AC_CHECK_PROG(MSGFMT,msgfmt,msgfmt) + if test x"$MSGFMT" != x; then + po=po + fi + + # Error out if --enable-nls was explicitly requested but can't be enabled. + if test "$enable_nls" = yes; then + if test "$nls_enabled" != yes -o "x$po" = x; then + AC_MSG_ERROR([NLS support requested but cannot be built]) + fi + fi fi AC_SUBST(po) # for kdc AC_CHECK_HEADERS(sys/sockio.h ifaddrs.h unistd.h fnmatch.h) -AC_CHECK_FUNCS(strftime vsprintf vasprintf vsnprintf strlcpy fnmatch) +AC_CHECK_FUNCS(vsprintf vasprintf vsnprintf strlcpy fnmatch) EXTRA_SUPPORT_SYMS= AC_CHECK_FUNC(strlcpy, @@ -264,51 +280,6 @@ if test "$PRNG_ALG" = fortuna; then AC_DEFINE(FORTUNA,1,[Define if Fortuna PRNG is selected]) fi -# WITH_PKINIT_CRYPTO_IMPL - -PKINIT_CRYPTO_IMPL="$CRYPTO_IMPL" -AC_ARG_WITH([pkinit-crypto-impl], -AC_HELP_STRING([--with-pkinit-crypto-impl=IMPL], [use specified pkinit crypto implementation @<:@openssl@:>@]), -[PKINIT_CRYPTO_IMPL=$withval -AC_MSG_NOTICE(pkinit will use '$withval') -], withval=$PKINIT_CRYPTO_IMPL) -case "$withval" in -builtin|openssl) - AC_CHECK_LIB(crypto, PKCS7_get_signer_info, PKINIT_CRYPTO_IMPL_LIBS=-lcrypto) - PKINIT_CRYPTO_IMPL=openssl - AC_CHECK_LIB(crypto, CMS_get0_content, - [AC_DEFINE([HAVE_OPENSSL_CMS], 1, - [Define if OpenSSL supports cms.])]) - ;; -nss) - if test "${PKINIT_CRYPTO_IMPL_CFLAGS+set}" != set; then - PKINIT_CRYPTO_IMPL_CFLAGS=`pkg-config --cflags nss` - fi - if test "${PKINIT_CRYPTO_IMPL_LIBS+set}" != set; then - PKINIT_CRYPTO_IMPL_LIBS=`pkg-config --libs nss` - fi - AC_DEFINE(PKINIT_CRYPTO_IMPL_NSS,1,[Define if pkinit crypto implementation is NSS]) - save_CFLAGS=$CFLAGS - CFLAGS="$CFLAGS $PKINIT_CRYPTO_IMPL_CFLAGS" - AC_COMPILE_IFELSE([AC_LANG_SOURCE([ -#include -#if NSS_VMAJOR < 3 || (NSS_VMAJOR == 3 && NSS_VMINOR < 12) -#error -#elif NSS_VMAJOR == 3 && NSS_VMINOR == 12 && NSS_VPATCH < 11 -#error -#endif - ])], [], [AC_MSG_ERROR([NSS version 3.12.11 or later required.])]) - CFLAGS=$save_CFLAGS - ;; -*) - AC_MSG_ERROR([Unknown crypto implementation $withval]) - ;; -esac -AC_CONFIG_COMMANDS(PKINIT_CRYPTO_IMPL,,PKINIT_CRYPTO_IMPL=$PKINIT_CRYPTO_IMPL) -AC_SUBST(PKINIT_CRYPTO_IMPL) -AC_SUBST(PKINIT_CRYPTO_IMPL_CFLAGS) -AC_SUBST(PKINIT_CRYPTO_IMPL_LIBS) - # WITH_TLS_IMPL AC_ARG_WITH([tls-impl], @@ -352,6 +323,25 @@ AC_SUBST(TLS_IMPL) AC_SUBST(TLS_IMPL_CFLAGS) AC_SUBST(TLS_IMPL_LIBS) +# The SPAKE preauth plugin currently supports edwards25519 natively, +# and can support three NIST groups using OpenSSL. +HAVE_SPAKE_OPENSSL=no +AC_ARG_WITH([spake-openssl], +AC_HELP_STRING([--with-spake-openssl], + [use OpenSSL for SPAKE preauth @<:@auto@:>@]),,[withval=auto]) +if test "$withval" = auto -o "$withval" = yes; then + AC_CHECK_LIB([crypto],[EC_POINT_new],[have_crypto=true],[have_crypto=false]) + if test "$have_crypto" = true; then + AC_DEFINE(SPAKE_OPENSSL,1,[Define to use OpenSSL for SPAKE preauth]) + SPAKE_OPENSSL_LIBS=-lcrypto + HAVE_SPAKE_OPENSSL=yes + elif test "$withval" = yes; then + AC_MSG_ERROR([OpenSSL libcrypto not found]) + fi +fi +AC_SUBST(HAVE_SPAKE_OPENSSL) +AC_SUBST(SPAKE_OPENSSL_LIBS) + AC_ARG_ENABLE([aesni], AC_HELP_STRING([--disable-aesni],[Do not build with AES-NI support]), , enable_aesni=check) @@ -431,7 +421,7 @@ AC_PROG_LEX AC_C_CONST AC_HEADER_DIRENT AC_FUNC_STRERROR_R -AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strftime strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm) +AC_CHECK_FUNCS(strdup setvbuf seteuid setresuid setreuid setegid setresgid setregid setsid flock fchmod chmod strptime geteuid setenv unsetenv getenv gmtime_r localtime_r bswap16 bswap64 mkstemp getusershell access getcwd srand48 srand srandom stat strchr strerror timegm) AC_CHECK_FUNC(mkstemp, [MKSTEMP_ST_OBJ= @@ -586,6 +576,10 @@ fi ]) +# PTHREAD_CFLAGS changes which variant of these functions is declared +# on Solaris 11, so use it for these tests. +old_CFLAGS=$CFLAGS +CFLAGS="$CFLAGS $PTHREAD_CFLAGS" AC_CHECK_FUNC(getpwnam_r,ac_cv_func_getpwnam_r=yes,ac_cv_func_getpwnam_r=no) AC_CHECK_FUNC(getpwuid_r,ac_cv_func_getpwuid_r=yes,ac_cv_func_getpwuid_r=no) if test "$ac_cv_func_getpwnam_r" = yes; then @@ -635,6 +629,7 @@ if test "$ac_cv_func_getpwnam_r" = yes; then fi fi fi +CFLAGS=$old_CFLAGS if test "$ac_cv_func_getpwnam_r" = no && test "$ac_cv_func_getpwuid_r" = yes; then # Actually, we could do this check, and the corresponding checks @@ -744,6 +739,9 @@ fi AC_HEADER_TIME AC_CHECK_TYPE(time_t, long) +AC_CHECK_SIZEOF(time_t) +SIZEOF_TIME_T=$ac_cv_sizeof_time_t +AC_SUBST(SIZEOF_TIME_T) # Determine where to put the replay cache. @@ -844,6 +842,10 @@ AC_CHECK_TYPES([struct rt_msghdr], , , [ #include ]) +# Tests for 64-bit edwards25519 code. +AC_CHECK_SIZEOF([size_t]) +AC_CHECK_TYPES([__int128_t, __uint128_t]) + # stuff for util/profile # AC_KRB5_TCL already done @@ -1085,6 +1087,7 @@ fi if test "$k5_cv_openssl_version_okay" = yes && (test "$enable_pkinit" = yes || test "$enable_pkinit" = try); then K5_GEN_MAKEFILE(plugins/preauth/pkinit) PKINIT=yes + AC_CHECK_LIB(crypto, CMS_get0_content, [AC_DEFINE([HAVE_OPENSSL_CMS], 1, [Define if OpenSSL supports cms.])]) elif test "$k5_cv_openssl_version_okay" = no && test "$enable_pkinit" = yes; then AC_MSG_ERROR([Version of OpenSSL is too old; cannot enable PKINIT.]) else @@ -1106,13 +1109,14 @@ fi AC_SUBST(HAVE_RUNTEST) # For Python tests. -AC_CHECK_PROG(PYTHON,python,python) +AC_CHECK_PROG(PYTHON,python3,python3) +if text x"$PYTHON" = x; then + AC_CHECK_PROG(PYTHON,python,python) +fi HAVE_PYTHON=no if test x"$PYTHON" != x; then - # k5test.py requires python 2.4 (for the subprocess module). - # Some code needs python 2.5 (for syntax like conditional expressions). - vercheck="import sys;sys.exit((sys.hexversion < 0x2050000) and 1 or 0)" - if python -c "$vercheck"; then + wantver="(sys.hexversion >= 0x3000000)" + if "$PYTHON" -c "import sys; sys.exit(not $wantver and 1 or 0)"; then HAVE_PYTHON=yes fi fi @@ -1131,6 +1135,7 @@ AC_CHECK_LIB(cmocka, _cmocka_run_group_tests, [HAVE_CMOCKA_LIB=yes]) if test "$HAVE_CMOCKA_LIB" = yes && test "$HAVE_CMOCKA_H" = yes; then HAVE_CMOCKA=yes CMOCKA_LIBS='-lcmocka' + AC_DEFINE([HAVE_CMOCKA],1,[Define if cmocka library is available.]) fi AC_SUBST(HAVE_CMOCKA) AC_SUBST(CMOCKA_LIBS) @@ -1138,9 +1143,7 @@ AC_SUBST(CMOCKA_LIBS) # For URI lookup tests. Requires resolv_wrapper >= 1.1.5 for URI # support. HAVE_RESOLV_WRAPPER=0 -if pkg-config --atleast-version=1.1.5 resolv_wrapper; then - HAVE_RESOLV_WRAPPER=1 -fi +PKG_CHECK_EXISTS([resolv_wrapper >= 1.1.5], [HAVE_RESOLV_WRAPPER=1]) AC_SUBST(HAVE_RESOLV_WRAPPER) # for plugins/kdb/db2 @@ -1213,11 +1216,7 @@ ldap_plugin_dir="" ldap_lib="" if test -n "$OPENLDAP_PLUGIN"; then AC_CHECK_HEADERS(ldap.h lber.h, :, [AC_MSG_ERROR($ac_header not found)]) - AC_CHECK_LIB(ldap, ldap_init, :, [AC_MSG_ERROR(libldap not found or missing ldap_init)]) - old_LIBS="$LIBS" - LIBS="$LIBS -lldap" - AC_CHECK_FUNCS(ldap_initialize ldap_url_parse_nodn ldap_unbind_ext_s ldap_str2dn ldap_explode_dn) - LIBS="$old_LIBS" + AC_CHECK_LIB(ldap, ldap_str2dn, :, [AC_MSG_ERROR(libldap not found or missing ldap_str2dn)]) BER_OKAY=0 AC_CHECK_LIB(ldap, ber_init, [BER_OKAY=1]) @@ -1262,6 +1261,27 @@ AC_CHECK_LIB(aceclnt, SD_Init, [ AC_SUBST(sam2_plugin) CFLAGS=$old_CFLAGS +lmdb_plugin_dir="" +HAVE_LMDB=no +AC_ARG_WITH([lmdb], +AC_HELP_STRING([--with-lmdb], + [compile LMDB database backend module @<:@auto@:>@]),, + [withval=auto]) +if test "$withval" = auto -o "$withval" = yes; then + AC_CHECK_LIB([lmdb],[mdb_env_create],[have_lmdb=true],[have_lmdb=false]) + if test "$have_lmdb" = true; then + LMDB_LIBS=-llmdb + HAVE_LMDB=yes + lmdb_plugin_dir='plugins/kdb/lmdb' + K5_GEN_MAKEFILE(plugins/kdb/lmdb) + elif test "$withval" = yes; then + AC_MSG_ERROR([liblmdb not found]) + fi +fi +AC_SUBST(HAVE_LMDB) +AC_SUBST(LMDB_LIBS) +AC_SUBST(lmdb_plugin_dir) + # Kludge for simple server --- FIXME is this the best way to do this? if test "$ac_cv_lib_socket" = "yes" -a "$ac_cv_lib_nsl" = "yes"; then @@ -1277,32 +1297,32 @@ AC_ARG_WITH([libedit], AC_ARG_WITH([readline], AC_HELP_STRING([--with-readline], [compile with GNU Readline]), [], [with_readline=no]) -AC_MSG_CHECKING([for readline support]) if test "x$with_readline" = xyes; then with_libedit=no fi RL_CFLAGS= RL_LIBS= if test "x$with_libedit" != xno; then - if rl_cflags=`pkg-config --cflags libedit 2>&1`; then - RL_CFLAGS=$rl_cflags - RL_LIBS=`pkg-config --libs libedit` + PKG_CHECK_MODULES(LIBEDIT, libedit, [have_libedit=yes], [have_libedit=no]) + if test "x$have_libedit" = xyes; then + RL_CFLAGS=$LIBEDIT_CFLAGS + RL_LIBS=$LIBEDIT_LIBS AC_DEFINE([HAVE_LIBEDIT], 1, [Define if building with libedit.]) - AC_MSG_RESULT([using libedit]) - elif test "x$with_libedit" = yes; then + AC_MSG_NOTICE([Using libedit for readline support]) + elif test "x$with_libedit" = xyes; then # We were explicitly asked for libedit and couldn't find it. - AC_MSG_ERROR([Could not detect libedit with pkg-config.]) + AC_MSG_ERROR([Could not detect libedit with pkg-config]) else - AC_MSG_RESULT([not using any]) + AC_MSG_NOTICE([Not using any readline support]) fi elif test "x$with_readline" = xyes; then - AC_MSG_RESULT([using GNU Readline]) + AC_MSG_NOTICE([Using GNU Readline]) AC_CHECK_LIB([readline], [main], :, AC_MSG_FAILURE([Cannot find readline library.]), [-lncurses]) AC_DEFINE([HAVE_READLINE], 1, [Define if building with GNU Readline.]) RL_LIBS='-lreadline -lhistory -lncurses' else - AC_MSG_RESULT([not using any]) + AC_MSG_RESULT([Not using any readline support]) fi AC_SUBST([RL_CFLAGS]) AC_SUBST([RL_LIBS]) @@ -1310,25 +1330,21 @@ AC_SUBST([RL_LIBS]) AC_ARG_WITH([system-verto], [AC_HELP_STRING([--with-system-verto], [always use system verto library])], [], [with_system_verto=default]) -VERTO_CFLAGS= -VERTO_LIBS="-lverto" VERTO_VERSION=k5 if test "x$with_system_verto" != xno; then - if verto_cflags=`pkg-config --cflags libverto 2>&1`; then - VERTO_CFLAGS=$verto_cflags - VERTO_LIBS=`pkg-config --libs libverto` + PKG_CHECK_MODULES(VERTO, libverto, [have_sysverto=yes], [have_sysverto=no]) + if test "x$have_sysverto" = xyes; then VERTO_VERSION=sys - else - AC_CHECK_LIB([verto], [verto_set_flags], [VERTO_VERSION=sys], - [if test "x$with_system_verto" = xyes; then - AC_MSG_ERROR([cannot detect system libverto]) - fi]) + elif test "x$with_system_verto" = xyes; then + AC_MSG_ERROR([cannot detect system libverto]) fi fi if test "x$VERTO_VERSION" = xsys; then AC_MSG_NOTICE([Using system libverto]) else - AC_MSG_RESULT([Using built-in libverto]) + VERTO_CFLAGS= + VERTO_LIBS="-lverto" + AC_MSG_NOTICE([Using built-in libverto]) fi AC_SUBST([VERTO_CFLAGS]) AC_SUBST([VERTO_LIBS]) @@ -1342,7 +1358,7 @@ if test "${localedir+set}" != set; then fi AC_SUBST(localedir) -# For KCM lib/krb5/ccache to build KCM Mach RPC support for OS X only. +# For KCM lib/krb5/ccache to build KCM Mach RPC support for macOS only. case $host in *-*-darwin* | *-*-rhapsody*) OSX=osx ;; *) OSX=no ;; @@ -1376,10 +1392,10 @@ dnl brackets in the glob patterns. if test "${DEFCCNAME+set}" != set; then [case $host in *-*-darwin[0-9].* | *-*-darwin10.*) - # Use the normal default for OS X 10.6 (Darwin 10) and prior. + # Use the normal default for macOS 10.6 (Darwin 10) and prior. ;; *-*-darwin*) - # For OS X 10.7 (Darwin 11) and later, the native ccache uses + # For macOS 10.7 (Darwin 11) and later, the native ccache uses # the KCM daemon. DEFCCNAME=KCM: ;; @@ -1392,7 +1408,7 @@ if test "${DEFKTNAME+set}" != set; then DEFKTNAME=FILE:/etc/krb5.keytab fi if test "${DEFCKTNAME+set}" != set; then - adl_RECURSIVE_EVAL($localstatedir, exp_localstatedir) + AX_RECURSIVE_EVAL($localstatedir, exp_localstatedir) DEFCKTNAME=FILE:$exp_localstatedir/krb5/user/%{euid}/client.keytab fi AC_MSG_NOTICE([Default ccache name: $DEFCCNAME]) @@ -1445,11 +1461,13 @@ dnl lib/krb5/ccache/ccapi dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test - kdc slave config-files build-tools man doc include + kdc kprop config-files build-tools man doc include + plugins/certauth/test plugins/hostrealm/test plugins/localauth/test plugins/kadm5_hook/test + plugins/kadm5_auth/test plugins/pwqual/test plugins/audit plugins/audit/test @@ -1462,7 +1480,9 @@ dnl ccapi ccapi/lib ccapi/lib/unix ccapi/server ccapi/server/unix ccapi/test plugins/kdb/db2/libdb2/recno plugins/kdb/db2/libdb2/test plugins/kdb/test + plugins/kdcpolicy/test plugins/preauth/otp + plugins/preauth/spake plugins/preauth/test plugins/authdata/greet_client plugins/authdata/greet_server diff --git a/src/include/Makefile.in b/src/include/Makefile.in index f5b9218..cfa5794 100644 --- a/src/include/Makefile.in +++ b/src/include/Makefile.in @@ -140,15 +140,18 @@ install-headers-unix install: krb5/krb5.h profile.h $(INSTALL_DATA) $(srcdir)/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5.h $(INSTALL_DATA) $(srcdir)/kdb.h $(DESTDIR)$(KRB5_INCDIR)$(S)kdb.h $(INSTALL_DATA) krb5/krb5.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)krb5.h + $(INSTALL_DATA) $(srcdir)/krb5/certauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)certauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/ccselect_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)ccselect_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/clpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)clpreauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/hostrealm_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)hostrealm_plugin.h + $(INSTALL_DATA) $(srcdir)/krb5/kdcpolicy_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpolicy_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/kdcpreauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kdcpreauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/localauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)localauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/locate_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)locate_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)plugin.h $(INSTALL_DATA) $(srcdir)/krb5/preauth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)preauth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/pwqual_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)pwqual_plugin.h + $(INSTALL_DATA) $(srcdir)/krb5/kadm5_auth_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kadm5_auth_plugin.h $(INSTALL_DATA) $(srcdir)/krb5/kadm5_hook_plugin.h $(DESTDIR)$(KRB5_INCDIR)$(S)krb5$(S)kadm5_hook_plugin.h $(INSTALL_DATA) profile.h $(DESTDIR)$(KRB5_INCDIR)$(S)profile.h $(INSTALL_DATA) $(srcdir)/gssapi.h $(DESTDIR)$(KRB5_INCDIR)$(S)gssapi.h diff --git a/src/include/adm_proto.h b/src/include/adm_proto.h index e99a84d..70a3bdf 100644 --- a/src/include/adm_proto.h +++ b/src/include/adm_proto.h @@ -48,6 +48,7 @@ typedef struct ___krb5_key_salt_tuple krb5_key_salt_tuple; /* logger.c */ krb5_error_code krb5_klog_init(krb5_context, char *, char *, krb5_boolean); +void krb5_klog_set_context(krb5_context); void krb5_klog_close(krb5_context); int krb5_klog_syslog(int, const char *, ...) #if !defined(__cplusplus) && (__GNUC__ > 2) diff --git a/src/include/autoconf.h.in b/src/include/autoconf.h.in deleted file mode 100644 index b33c522..0000000 --- a/src/include/autoconf.h.in +++ /dev/null @@ -1,770 +0,0 @@ -/* include/autoconf.h.in. Generated from configure.in by autoheader. */ - - -#ifndef KRB5_AUTOCONF_H -#define KRB5_AUTOCONF_H - - -/* Define if AES-NI support is enabled */ -#undef AESNI - -/* Define if socket can't be bound to 0.0.0.0 */ -#undef BROKEN_STREAMS_SOCKETS - -/* Define if va_list objects can be simply copied by assignment. */ -#undef CAN_COPY_VA_LIST - -/* Define to reduce code size even if it means more cpu usage */ -#undef CONFIG_SMALL - -/* Define if __attribute__((constructor)) works */ -#undef CONSTRUCTOR_ATTR_WORKS - -/* Define to default ccache name */ -#undef DEFCCNAME - -/* Define to default client keytab name */ -#undef DEFCKTNAME - -/* Define to default keytab name */ -#undef DEFKTNAME - -/* Define if library initialization should be delayed until first use */ -#undef DELAY_INITIALIZER - -/* Define if __attribute__((destructor)) works */ -#undef DESTRUCTOR_ATTR_WORKS - -/* Define to disable PKINIT plugin support */ -#undef DISABLE_PKINIT - -/* Define if LDAP KDB support within the Kerberos library (mainly ASN.1 code) - should be enabled. */ -#undef ENABLE_LDAP - -/* Define if translation functions should be used. */ -#undef ENABLE_NLS - -/* Define if thread support enabled */ -#undef ENABLE_THREADS - -/* Define as return type of endrpcent */ -#undef ENDRPCENT_TYPE - -/* Define if Fortuna PRNG is selected */ -#undef FORTUNA - -/* Define to the type of elements in the array set by `getgroups'. Usually - this is either `int' or `gid_t'. */ -#undef GETGROUPS_T - -/* Define if gethostbyname_r returns int rather than struct hostent * */ -#undef GETHOSTBYNAME_R_RETURNS_INT - -/* Type of getpeername second argument. */ -#undef GETPEERNAME_ARG2_TYPE - -/* Type of getpeername second argument. */ -#undef GETPEERNAME_ARG3_TYPE - -/* Define if getpwnam_r exists but takes only 4 arguments (e.g., POSIX draft 6 - implementations like some Solaris releases). */ -#undef GETPWNAM_R_4_ARGS - -/* Define if getpwnam_r returns an int */ -#undef GETPWNAM_R_RETURNS_INT - -/* Define if getpwuid_r exists but takes only 4 arguments (e.g., POSIX draft 6 - implementations like some Solaris releases). */ -#undef GETPWUID_R_4_ARGS - -/* Define if getservbyname_r returns int rather than struct servent * */ -#undef GETSERVBYNAME_R_RETURNS_INT - -/* Type of pointer target for argument 2 to getsockname */ -#undef GETSOCKNAME_ARG2_TYPE - -/* Type of pointer target for argument 3 to getsockname */ -#undef GETSOCKNAME_ARG3_TYPE - -/* Define if gmtime_r returns int instead of struct tm pointer, as on old - HP-UX systems. */ -#undef GMTIME_R_RETURNS_INT - -/* Define if va_copy macro or function is available. */ -#undef HAS_VA_COPY - -/* Define to 1 if you have the `access' function. */ -#undef HAVE_ACCESS - -/* Define to 1 if you have the header file. */ -#undef HAVE_ALLOCA_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_ARPA_INET_H - -/* Define to 1 if you have the `bswap16' function. */ -#undef HAVE_BSWAP16 - -/* Define to 1 if you have the `bswap64' function. */ -#undef HAVE_BSWAP64 - -/* Define to 1 if bswap_16 is available via byteswap.h */ -#undef HAVE_BSWAP_16 - -/* Define to 1 if bswap_64 is available via byteswap.h */ -#undef HAVE_BSWAP_64 - -/* Define if bt_rseq is available, for recursive btree traversal. */ -#undef HAVE_BT_RSEQ - -/* Define to 1 if you have the header file. */ -#undef HAVE_BYTESWAP_H - -/* Define to 1 if you have the `chmod' function. */ -#undef HAVE_CHMOD - -/* Define to 1 if you have the `compile' function. */ -#undef HAVE_COMPILE - -/* Define if com_err has compatible gettext support */ -#undef HAVE_COM_ERR_INTL - -/* Define to 1 if you have the header file. */ -#undef HAVE_CPUID_H - -/* Define to 1 if you have the `daemon' function. */ -#undef HAVE_DAEMON - -/* Define to 1 if you have the declaration of `strerror_r', and to 0 if you - don't. */ -#undef HAVE_DECL_STRERROR_R - -/* Define to 1 if you have the header file, and it defines `DIR'. - */ -#undef HAVE_DIRENT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_DLFCN_H - -/* Define to 1 if you have the `dn_skipname' function. */ -#undef HAVE_DN_SKIPNAME - -/* Define to 1 if you have the header file. */ -#undef HAVE_ENDIAN_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_ERRNO_H - -/* Define to 1 if you have the `fchmod' function. */ -#undef HAVE_FCHMOD - -/* Define to 1 if you have the header file. */ -#undef HAVE_FCNTL_H - -/* Define to 1 if you have the `flock' function. */ -#undef HAVE_FLOCK - -/* Define to 1 if you have the `fnmatch' function. */ -#undef HAVE_FNMATCH - -/* Define to 1 if you have the header file. */ -#undef HAVE_FNMATCH_H - -/* Define if you have the getaddrinfo function */ -#undef HAVE_GETADDRINFO - -/* Define to 1 if you have the `getcwd' function. */ -#undef HAVE_GETCWD - -/* Define to 1 if you have the `getenv' function. */ -#undef HAVE_GETENV - -/* Define to 1 if you have the `geteuid' function. */ -#undef HAVE_GETEUID - -/* Define if gethostbyname_r exists and its return type is known */ -#undef HAVE_GETHOSTBYNAME_R - -/* Define to 1 if you have the `getnameinfo' function. */ -#undef HAVE_GETNAMEINFO - -/* Define if system getopt should be used. */ -#undef HAVE_GETOPT - -/* Define if system getopt_long should be used. */ -#undef HAVE_GETOPT_LONG - -/* Define if getpwnam_r is available and useful. */ -#undef HAVE_GETPWNAM_R - -/* Define if getpwuid_r is available and useful. */ -#undef HAVE_GETPWUID_R - -/* Define if getservbyname_r exists and its return type is known */ -#undef HAVE_GETSERVBYNAME_R - -/* Have the gettimeofday function */ -#undef HAVE_GETTIMEOFDAY - -/* Define to 1 if you have the `getusershell' function. */ -#undef HAVE_GETUSERSHELL - -/* Define to 1 if you have the `gmtime_r' function. */ -#undef HAVE_GMTIME_R - -/* Define to 1 if you have the header file. */ -#undef HAVE_IFADDRS_H - -/* Define to 1 if you have the `inet_ntop' function. */ -#undef HAVE_INET_NTOP - -/* Define to 1 if you have the `inet_pton' function. */ -#undef HAVE_INET_PTON - -/* Define to 1 if the system has the type `int16_t'. */ -#undef HAVE_INT16_T - -/* Define to 1 if the system has the type `int32_t'. */ -#undef HAVE_INT32_T - -/* Define to 1 if the system has the type `int8_t'. */ -#undef HAVE_INT8_T - -/* Define to 1 if you have the header file. */ -#undef HAVE_INTTYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_KEYUTILS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_LBER_H - -/* Define to 1 if you have the `ldap_explode_dn' function. */ -#undef HAVE_LDAP_EXPLODE_DN - -/* Define to 1 if you have the header file. */ -#undef HAVE_LDAP_H - -/* Define to 1 if you have the `ldap_initialize' function. */ -#undef HAVE_LDAP_INITIALIZE - -/* Define to 1 if you have the `ldap_str2dn' function. */ -#undef HAVE_LDAP_STR2DN - -/* Define to 1 if you have the `ldap_unbind_ext_s' function. */ -#undef HAVE_LDAP_UNBIND_EXT_S - -/* Define to 1 if you have the `ldap_url_parse_nodn' function. */ -#undef HAVE_LDAP_URL_PARSE_NODN - -/* Define to 1 if you have the `crypto' library (-lcrypto). */ -#undef HAVE_LIBCRYPTO - -/* Define if building with libedit. */ -#undef HAVE_LIBEDIT - -/* Define to 1 if you have the `nsl' library (-lnsl). */ -#undef HAVE_LIBNSL - -/* Define to 1 if you have the `resolv' library (-lresolv). */ -#undef HAVE_LIBRESOLV - -/* Define to 1 if you have the `socket' library (-lsocket). */ -#undef HAVE_LIBSOCKET - -/* Define if the util library is available */ -#undef HAVE_LIBUTIL - -/* Define to 1 if you have the header file. */ -#undef HAVE_LIMITS_H - -/* Define to 1 if you have the `localtime_r' function. */ -#undef HAVE_LOCALTIME_R - -/* Define to 1 if you have the header file. */ -#undef HAVE_MACHINE_BYTE_ORDER_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_MACHINE_ENDIAN_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_MEMORY_H - -/* Define to 1 if you have the `mkstemp' function. */ -#undef HAVE_MKSTEMP - -/* Define to 1 if you have the header file, and it defines `DIR'. */ -#undef HAVE_NDIR_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETDB_H - -/* Define if netdb.h declares h_errno */ -#undef HAVE_NETDB_H_H_ERRNO - -/* Define to 1 if you have the header file. */ -#undef HAVE_NETINET_IN_H - -/* Define to 1 if you have the `ns_initparse' function. */ -#undef HAVE_NS_INITPARSE - -/* Define to 1 if you have the `ns_name_uncompress' function. */ -#undef HAVE_NS_NAME_UNCOMPRESS - -/* Define if OpenSSL supports cms. */ -#undef HAVE_OPENSSL_CMS - -/* Define to 1 if you have the header file. */ -#undef HAVE_PATHS_H - -/* Define if persistent keyrings are supported */ -#undef HAVE_PERSISTENT_KEYRING - -/* Define to 1 if you have the header file. */ -#undef HAVE_POLL_H - -/* Define if #pragma weak references work */ -#undef HAVE_PRAGMA_WEAK_REF - -/* Define if you have POSIX threads libraries and header files. */ -#undef HAVE_PTHREAD - -/* Define to 1 if you have the `pthread_once' function. */ -#undef HAVE_PTHREAD_ONCE - -/* Define to 1 if you have the `pthread_rwlock_init' function. */ -#undef HAVE_PTHREAD_RWLOCK_INIT - -/* Define if pthread_rwlock_init is provided in the thread library. */ -#undef HAVE_PTHREAD_RWLOCK_INIT_IN_THREAD_LIB - -/* Define to 1 if you have the header file. */ -#undef HAVE_PWD_H - -/* Define if building with GNU Readline. */ -#undef HAVE_READLINE - -/* Define if regcomp exists and functions */ -#undef HAVE_REGCOMP - -/* Define to 1 if you have the `regexec' function. */ -#undef HAVE_REGEXEC - -/* Define to 1 if you have the header file. */ -#undef HAVE_REGEXPR_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_REGEX_H - -/* Define to 1 if you have the `res_nclose' function. */ -#undef HAVE_RES_NCLOSE - -/* Define to 1 if you have the `res_ndestroy' function. */ -#undef HAVE_RES_NDESTROY - -/* Define to 1 if you have the `res_ninit' function. */ -#undef HAVE_RES_NINIT - -/* Define to 1 if you have the `res_nsearch' function. */ -#undef HAVE_RES_NSEARCH - -/* Define to 1 if you have the `res_search' function */ -#undef HAVE_RES_SEARCH - -/* Define to 1 if you have the `re_comp' function. */ -#undef HAVE_RE_COMP - -/* Define to 1 if you have the `re_exec' function. */ -#undef HAVE_RE_EXEC - -/* Define to 1 if you have the header file. */ -#undef HAVE_SASL_SASL_H - -/* Define if struct sockaddr contains sa_len */ -#undef HAVE_SA_LEN - -/* Define to 1 if you have the `setegid' function. */ -#undef HAVE_SETEGID - -/* Define to 1 if you have the `setenv' function. */ -#undef HAVE_SETENV - -/* Define to 1 if you have the `seteuid' function. */ -#undef HAVE_SETEUID - -/* Define if setluid provided in OSF/1 security library */ -#undef HAVE_SETLUID - -/* Define to 1 if you have the `setregid' function. */ -#undef HAVE_SETREGID - -/* Define to 1 if you have the `setresgid' function. */ -#undef HAVE_SETRESGID - -/* Define to 1 if you have the `setresuid' function. */ -#undef HAVE_SETRESUID - -/* Define to 1 if you have the `setreuid' function. */ -#undef HAVE_SETREUID - -/* Define to 1 if you have the `setsid' function. */ -#undef HAVE_SETSID - -/* Define to 1 if you have the `setvbuf' function. */ -#undef HAVE_SETVBUF - -/* Define if there is a socklen_t type. If not, probably use size_t */ -#undef HAVE_SOCKLEN_T - -/* Define to 1 if you have the `srand' function. */ -#undef HAVE_SRAND - -/* Define to 1 if you have the `srand48' function. */ -#undef HAVE_SRAND48 - -/* Define to 1 if you have the `srandom' function. */ -#undef HAVE_SRANDOM - -/* Define to 1 if the system has the type `ssize_t'. */ -#undef HAVE_SSIZE_T - -/* Define to 1 if you have the `stat' function. */ -#undef HAVE_STAT - -/* Define to 1 if you have the header file. */ -#undef HAVE_STDDEF_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STDINT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STDLIB_H - -/* Define to 1 if you have the `step' function. */ -#undef HAVE_STEP - -/* Define to 1 if you have the `strchr' function. */ -#undef HAVE_STRCHR - -/* Define to 1 if you have the `strdup' function. */ -#undef HAVE_STRDUP - -/* Define to 1 if you have the `strerror' function. */ -#undef HAVE_STRERROR - -/* Define to 1 if you have the `strerror_r' function. */ -#undef HAVE_STRERROR_R - -/* Define to 1 if you have the `strftime' function. */ -#undef HAVE_STRFTIME - -/* Define to 1 if you have the header file. */ -#undef HAVE_STRINGS_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_STRING_H - -/* Define to 1 if you have the `strlcpy' function. */ -#undef HAVE_STRLCPY - -/* Define to 1 if you have the `strptime' function. */ -#undef HAVE_STRPTIME - -/* Define to 1 if the system has the type `struct cmsghdr'. */ -#undef HAVE_STRUCT_CMSGHDR - -/* Define if there is a struct if_laddrconf. */ -#undef HAVE_STRUCT_IF_LADDRCONF - -/* Define to 1 if the system has the type `struct in6_pktinfo'. */ -#undef HAVE_STRUCT_IN6_PKTINFO - -/* Define to 1 if the system has the type `struct in_pktinfo'. */ -#undef HAVE_STRUCT_IN_PKTINFO - -/* Define if there is a struct lifconf. */ -#undef HAVE_STRUCT_LIFCONF - -/* Define to 1 if the system has the type `struct rt_msghdr'. */ -#undef HAVE_STRUCT_RT_MSGHDR - -/* Define to 1 if the system has the type `struct sockaddr_storage'. */ -#undef HAVE_STRUCT_SOCKADDR_STORAGE - -/* Define to 1 if `st_mtimensec' is a member of `struct stat'. */ -#undef HAVE_STRUCT_STAT_ST_MTIMENSEC - -/* Define to 1 if `st_mtimespec.tv_nsec' is a member of `struct stat'. */ -#undef HAVE_STRUCT_STAT_ST_MTIMESPEC_TV_NSEC - -/* Define to 1 if `st_mtim.tv_nsec' is a member of `struct stat'. */ -#undef HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_BSWAP_H - -/* Define to 1 if you have the header file, and it defines `DIR'. - */ -#undef HAVE_SYS_DIR_H - -/* Define if sys_errlist in libc */ -#undef HAVE_SYS_ERRLIST - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_FILE_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_FILIO_H - -/* Define to 1 if you have the header file, and it defines `DIR'. - */ -#undef HAVE_SYS_NDIR_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_PARAM_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SELECT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SOCKET_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_SOCKIO_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_STAT_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TIME_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_TYPES_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_SYS_UIO_H - -/* Define if tcl.h found */ -#undef HAVE_TCL_H - -/* Define if tcl/tcl.h found */ -#undef HAVE_TCL_TCL_H - -/* Define to 1 if you have the `timegm' function. */ -#undef HAVE_TIMEGM - -/* Define to 1 if you have the header file. */ -#undef HAVE_TIME_H - -/* Define to 1 if you have the header file. */ -#undef HAVE_UNISTD_H - -/* Define to 1 if you have the `unsetenv' function. */ -#undef HAVE_UNSETENV - -/* Define to 1 if the system has the type `u_char'. */ -#undef HAVE_U_CHAR - -/* Define to 1 if the system has the type `u_int'. */ -#undef HAVE_U_INT - -/* Define to 1 if the system has the type `u_int16_t'. */ -#undef HAVE_U_INT16_T - -/* Define to 1 if the system has the type `u_int32_t'. */ -#undef HAVE_U_INT32_T - -/* Define to 1 if the system has the type `u_int8_t'. */ -#undef HAVE_U_INT8_T - -/* Define to 1 if the system has the type `u_long'. */ -#undef HAVE_U_LONG - -/* Define to 1 if you have the `vasprintf' function. */ -#undef HAVE_VASPRINTF - -/* Define to 1 if you have the `vsnprintf' function. */ -#undef HAVE_VSNPRINTF - -/* Define to 1 if you have the `vsprintf' function. */ -#undef HAVE_VSPRINTF - -/* Define if errno.h declares perror */ -#undef HDR_HAS_PERROR - -/* May need to be defined to enable IPv6 support, for example on IRIX */ -#undef INET6 - -/* Define if MIT Project Athena default configuration should be used */ -#undef KRB5_ATHENA_COMPAT - -/* Define for DNS support of locating realms and KDCs */ -#undef KRB5_DNS_LOOKUP - -/* Define to enable DNS lookups of Kerberos realm names */ -#undef KRB5_DNS_LOOKUP_REALM - -/* Define if the KDC should return only vague error codes to clients */ -#undef KRBCONF_VAGUE_ERRORS - -/* define if the system header files are missing prototype for daemon() */ -#undef NEED_DAEMON_PROTO - -/* Define if in6addr_any is not defined in libc */ -#undef NEED_INSIXADDR_ANY - -/* define if the system header files are missing prototype for - ss_execute_command() */ -#undef NEED_SS_EXECUTE_COMMAND_PROTO - -/* define if the system header files are missing prototype for strptime() */ -#undef NEED_STRPTIME_PROTO - -/* define if the system header files are missing prototype for swab() */ -#undef NEED_SWAB_PROTO - -/* Define if need to declare sys_errlist */ -#undef NEED_SYS_ERRLIST - -/* define if the system header files are missing prototype for vasprintf() */ -#undef NEED_VASPRINTF_PROTO - -/* Define if the KDC should use no lookaside cache */ -#undef NOCACHE - -/* Define if references to pthread routines should be non-weak. */ -#undef NO_WEAK_PTHREADS - -/* Define if lex produes code with yylineno */ -#undef NO_YYLINENO - -/* Define to the address where bug reports for this package should be sent. */ -#undef PACKAGE_BUGREPORT - -/* Define to the full name of this package. */ -#undef PACKAGE_NAME - -/* Define to the full name and version of this package. */ -#undef PACKAGE_STRING - -/* Define to the one symbol short name of this package. */ -#undef PACKAGE_TARNAME - -/* Define to the home page for this package. */ -#undef PACKAGE_URL - -/* Define to the version of this package. */ -#undef PACKAGE_VERSION - -/* Define if pkinit crypto implementation is NSS */ -#undef PKINIT_CRYPTO_IMPL_NSS - -/* Define if setjmp indicates POSIX interface */ -#undef POSIX_SETJMP - -/* Define if POSIX signal handling is used */ -#undef POSIX_SIGNALS - -/* Define if POSIX signal handlers are used */ -#undef POSIX_SIGTYPE - -/* Define if termios.h exists and tcsetattr exists */ -#undef POSIX_TERMIOS - -/* Define to the necessary symbol if this constant uses a non-standard name on - your system. */ -#undef PTHREAD_CREATE_JOINABLE - -/* Define as the return type of signal handlers (`int' or `void'). */ -#undef RETSIGTYPE - -/* Define as return type of setrpcent */ -#undef SETRPCENT_TYPE - -/* Define for static plugin linkage */ -#undef STATIC_PLUGINS - -/* Define to 1 if you have the ANSI C header files. */ -#undef STDC_HEADERS - -/* Define to 1 if strerror_r returns char *. */ -#undef STRERROR_R_CHAR_P - -/* Define if sys_errlist is defined in errno.h */ -#undef SYS_ERRLIST_DECLARED - -/* Define to 1 if you can safely include both and . */ -#undef TIME_WITH_SYS_TIME - -/* Define if no TLS implementation is selected */ -#undef TLS_IMPL_NONE - -/* Define if TLS implementation is OpenSSL */ -#undef TLS_IMPL_OPENSSL - -/* Define if you have dirent.h functionality */ -#undef USE_DIRENT_H - -/* Define if dlopen should be used */ -#undef USE_DLOPEN - -/* Define if the keyring ccache should be enabled */ -#undef USE_KEYRING_CCACHE - -/* Define if link-time options for library finalization will be used */ -#undef USE_LINKER_FINI_OPTION - -/* Define if link-time options for library initialization will be used */ -#undef USE_LINKER_INIT_OPTION - -/* Define if sigprocmask should be used */ -#undef USE_SIGPROCMASK - -/* Define if wait takes int as a argument */ -#undef WAIT_USES_INT - -/* Define to 1 if `lex' declares `yytext' as a `char *' by default, not a - `char[]'. */ -#undef YYTEXT_POINTER - -/* Define to enable extensions in glibc */ -#undef _GNU_SOURCE - -/* Define to enable C11 extensions */ -#undef __STDC_WANT_LIB_EXT1__ - -/* Define to empty if `const' does not conform to ANSI C. */ -#undef const - -/* Define to `int' if doesn't define. */ -#undef gid_t - -/* Define to `__inline__' or `__inline' if that's what the C compiler - calls it, or to nothing if 'inline' is not supported under any name. */ -#ifndef __cplusplus -#undef inline -#endif - -/* Define krb5_sigtype to type of signal handler */ -#undef krb5_sigtype - -/* Define to `int' if does not define. */ -#undef mode_t - -/* Define to `long int' if does not define. */ -#undef off_t - -/* Define to `long' if does not define. */ -#undef time_t - -/* Define to `int' if doesn't define. */ -#undef uid_t - - -#if defined(__GNUC__) && !defined(inline) -/* Silence gcc pedantic warnings about ANSI C. */ -# define inline __inline__ -#endif -#endif /* KRB5_AUTOCONF_H */ - diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h index 03666a0..80ca9f8 100644 --- a/src/include/fake-addrinfo.h +++ b/src/include/fake-addrinfo.h @@ -52,7 +52,7 @@ the data structures and flag values locally. - On Mac OS X, getaddrinfo results aren't cached (though + On macOS, getaddrinfo results aren't cached (though gethostbyname results are), so we need to build a cache here. Now things are getting really messy. Because the cache is in use, we use getservbyname, and throw away thread safety. (Not that the diff --git a/src/include/gssrpc/auth.h b/src/include/gssrpc/auth.h index 0f653fc..8576c51 100644 --- a/src/include/gssrpc/auth.h +++ b/src/include/gssrpc/auth.h @@ -75,12 +75,6 @@ enum auth_stat { }; union des_block { -#if 0 /* XXX nothing uses this, anyway */ - struct { - uint32_t high; - uint32_t low; - } key; -#endif char c[8]; }; typedef union des_block des_block; @@ -207,15 +201,6 @@ extern bool_t xdr_opaque_auth(XDR *, struct opaque_auth *); #define AUTH_GSSAPI 300001 /* GSS-API style */ #define RPCSEC_GSS 6 /* RPCSEC_GSS */ -#if 0 -/* - * BACKWARDS COMPATIBILIY! OpenV*Secure 1.0 had AUTH_GSSAPI == 4. We - * need to accept this value until 1.0 is dead. - */ -/* This conflicts with AUTH_KERB (Solaris). */ -#define AUTH_GSSAPI_COMPAT 4 -#endif - GSSRPC__END_DECLS #endif /* !defined(GSSRPC_AUTH_H) */ diff --git a/src/include/gssrpc/clnt.h b/src/include/gssrpc/clnt.h index 40f7c69..fc6836c 100644 --- a/src/include/gssrpc/clnt.h +++ b/src/include/gssrpc/clnt.h @@ -270,7 +270,7 @@ extern CLIENT *clnt_create(char *, rpcprog_t, rpcvers_t, char *); * struct sockaddr_in *raddr; * rpcprog_t prog; * rpcvers_t version; - * register int *sockp; + * int *sockp; * u_int sendsz; * u_int recvsz; */ diff --git a/src/include/gssrpc/rename.h b/src/include/gssrpc/rename.h index 669a058..df37e95 100644 --- a/src/include/gssrpc/rename.h +++ b/src/include/gssrpc/rename.h @@ -50,10 +50,7 @@ * External names in the RPC API not beginning with "_" get renamed * with the prefix "gssrpc_" via #define, e.g., "foo" -> "gssrpc_foo". * External names in the RPC API beginning with "_" get textually - * rewritten, with "#if 0"-disabled #defines mapping them back to - * their original forms, e.g., "_foo" is rewrittten to "gssrpc__foo" - * in the original files, with an unused "#define gssrpc__foo _foo" - * here. + * rewritten. */ #ifndef GSSRPC_RENAME_H @@ -72,10 +69,6 @@ #define authdes_create gssrpc_authdes_create #define xdr_opaque_auth gssrpc_xdr_opaque_auth -#if 0 -#define gssrpc__null_auth _null_auth -#endif - /* auth_gss.c */ #define auth_debug_gss gssrpc_auth_debug_gss @@ -181,10 +174,6 @@ #define callrpc gssrpc_callrpc #define getrpcport gssrpc_getrpcport -#if 0 -#define gssrpc__rpc_getdtablesize _rpc_getdtablesize -#endif - /* rpc_msg.h */ #define xdr_callmsg gssrpc_xdr_callmsg @@ -193,10 +182,6 @@ #define xdr_accepted_reply gssrpc_xdr_accepted_reply #define xdr_rejected_reply gssrpc_xdr_rejected_reply -#if 0 -#define gssrpc__seterr_reply _seterr_reply -#endif - /* svc.h */ #define svc_register gssrpc_svc_register @@ -244,15 +229,6 @@ #define svcauth_gss_set_svc_name gssrpc_svcauth_gss_set_svc_name #define svcauth_gss_get_principal gssrpc_svcauth_gss_get_principal -#if 0 -#define gssrpc__authenticate _authenticate -#define gssrpc__svcauth_none _svcauth_none -#define gssrpc__svcauth_unix _svcauth_unix -#define gssrpc__svcauth_short _svcauth_short -#define gssrpc__svcauth_gssapi _svcauth_gssapi -#define gssrpc__svcauth_gss _svcauth_gss -#endif - /* svc_auth_gss.c */ #define svc_debug_gss gssrpc_svc_debug_gss diff --git a/src/include/gssrpc/rpc.h b/src/include/gssrpc/rpc.h index 2d94a7f..78727c4 100644 --- a/src/include/gssrpc/rpc.h +++ b/src/include/gssrpc/rpc.h @@ -55,37 +55,12 @@ #include /* protocol for rpc messages */ #include /* protocol for unix style cred */ #include /* RPCSEC_GSS */ -/* - * Uncomment-out the next line if you are building the rpc library with - * DES Authentication (see the README file in the secure_rpc/ directory). - */ -#if 0 -#include protocol for des style cred -#endif /* Server side only remote procedure callee */ #include /* service side authenticator */ #include /* service manager and multiplexer */ /* - * Punt the rpc/netdb.h everywhere because it just makes things much more - * difficult. We don't use the *rpcent functions anyway. - */ -#if 0 -/* - * COMMENT OUT THE NEXT INCLUDE IF RUNNING ON SUN OS OR ON A VERSION - * OF UNIX BASED ON NFSSRC. These systems will already have the structures - * defined by included in . - */ -/* routines for parsing /etc/rpc */ -#if 0 /* netdb.h already included in rpc/types.h */ -#include -#endif - -#include /* structures and routines to parse /etc/rpc */ -#endif - -/* * get the local host's IP address without consulting * name service library functions */ diff --git a/src/include/gssrpc/types.hin b/src/include/gssrpc/types.hin index 022ab4f..4c4120c 100644 --- a/src/include/gssrpc/types.hin +++ b/src/include/gssrpc/types.hin @@ -116,13 +116,6 @@ typedef int32_t rpc_inline_t; #define mem_alloc(bsize) malloc(bsize) #define mem_free(ptr, bsize) free(ptr) -#if 0 -#include /* XXX This should not have to be here. - * I got sick of seeing the warnings for MAXHOSTNAMELEN - * and the two values were different. -- shanzer - */ -#endif - #ifndef INADDR_LOOPBACK #define INADDR_LOOPBACK (uint32_t)0x7F000001 #endif diff --git a/src/include/iprop_hdr.h b/src/include/iprop_hdr.h index 9027c76..435ed7e 100644 --- a/src/include/iprop_hdr.h +++ b/src/include/iprop_hdr.h @@ -32,7 +32,7 @@ extern "C" { enum iprop_role { IPROP_NULL = 0, IPROP_MASTER = 1, - IPROP_SLAVE = 2 + IPROP_REPLICA = 2 }; typedef enum iprop_role iprop_role; diff --git a/src/include/k5-buf.h b/src/include/k5-buf.h index f3207bd..48e2a7d 100644 --- a/src/include/k5-buf.h +++ b/src/include/k5-buf.h @@ -45,7 +45,7 @@ */ /* Buffer type values */ -enum k5buftype { K5BUF_ERROR, K5BUF_FIXED, K5BUF_DYNAMIC }; +enum k5buftype { K5BUF_ERROR, K5BUF_FIXED, K5BUF_DYNAMIC, K5BUF_DYNAMIC_ZAP }; struct k5buf { enum k5buftype buftype; @@ -63,6 +63,10 @@ void k5_buf_init_fixed(struct k5buf *buf, char *data, size_t space); /* Initialize a k5buf using an internally allocated dynamic buffer. */ void k5_buf_init_dynamic(struct k5buf *buf); +/* Initialize a k5buf using an internally allocated dynamic buffer, zeroing + * memory when reallocating or freeing. */ +void k5_buf_init_dynamic_zap(struct k5buf *buf); + /* Add a C string to BUF. */ void k5_buf_add(struct k5buf *buf, const char *data); @@ -76,6 +80,14 @@ void k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) #endif ; +/* Add sprintf-style formatted data to BUF, with a va_list. The value of ap is + * undefined after the call. */ +void k5_buf_add_vfmt(struct k5buf *buf, const char *fmt, va_list ap) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 2, 0))) +#endif + ; + /* Extend the length of buf by len and return a pointer to the reserved space, * to be filled in by the caller. Return NULL on error. */ void *k5_buf_get_space(struct k5buf *buf, size_t len); diff --git a/src/include/k5-cmocka.h b/src/include/k5-cmocka.h new file mode 100644 index 0000000..c35b10b --- /dev/null +++ b/src/include/k5-cmocka.h @@ -0,0 +1,16 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/k5-cmocka.h - indirect header file for cmocka test programs */ + +/* + * This header conditionally includes cmocka.h, so that "make depend" can work + * on cmocka test programs when cmocka isn't available. It also includes the + * three system headers required for cmocka.h. + */ + +#include "autoconf.h" +#include +#include +#include +#ifdef HAVE_CMOCKA +#include +#endif diff --git a/src/include/k5-hashtab.h b/src/include/k5-hashtab.h new file mode 100644 index 0000000..dc0ef36 --- /dev/null +++ b/src/include/k5-hashtab.h @@ -0,0 +1,79 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/k5-hash.h - hash table interface definitions */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file contains declarations for a simple hash table using siphash. Some + * limitations which might need to be addressed in the future: + * + * - The table does not manage caller memory. This limitation could be + * addressed by adding an optional free callback to k5_hashtab_create(), to + * be called by k5_hashtab_free() and k5_hashtab_remove(). + * + * - There is no way to iterate over a hash table. + * + * - k5_hashtab_add() does not check for duplicate entries. + */ + +#ifndef K5_HASH_H +#define K5_HASH_H + +#define K5_HASH_SEED_LEN 16 + +struct k5_hashtab; + +/* + * Create a new hash table in *ht_out. seed must point to random bytes if keys + * might be under the control of an attacker; otherwise it may be NULL. + * initial_buckets controls the initial allocation of hash buckets; pass zero + * to use a default value. The number of hash buckets will be doubled as the + * number of entries increases. Return 0 on success, ENOMEM on failure. + */ +int k5_hashtab_create(const uint8_t seed[K5_HASH_SEED_LEN], + size_t initial_buckets, struct k5_hashtab **ht_out); + +/* Release the memory used by a hash table. Keys and values are the caller's + * responsibility. */ +void k5_hashtab_free(struct k5_hashtab *ht); + +/* Add an entry to a hash table. key and val must remain valid until the entry + * is removed or the hash table is freed. The caller must avoid duplicates. */ +int k5_hashtab_add(struct k5_hashtab *ht, const void *key, size_t klen, + void *val); + +/* Remove an entry from a hash table by key. Does not free key or the + * associated value. Return 1 if the key was found and removed, 0 if not. */ +int k5_hashtab_remove(struct k5_hashtab *ht, const void *key, size_t klen); + +/* Retrieve a value from a hash table by key. */ +void *k5_hashtab_get(struct k5_hashtab *ht, const void *key, size_t klen); + +#endif /* K5_HASH_H */ diff --git a/src/include/k5-hex.h b/src/include/k5-hex.h new file mode 100644 index 0000000..75bd2cb --- /dev/null +++ b/src/include/k5-hex.h @@ -0,0 +1,53 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/k5-hex.h - libkrb5support hex encoding/decoding declarations */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef K5_HEX_H +#define K5_HEX_H + +#include "k5-platform.h" + +/* + * Encode len bytes in hex, placing the result in allocated storage in + * *hex_out. Use uppercase hex digits if uppercase is non-zero. Return 0 on + * success, ENOMEM on error. + */ +int k5_hex_encode(const void *bytes, size_t len, int uppercase, + char **hex_out); + +/* + * Decode hex bytes, placing the result in allocated storage in *bytes_out and + * *len_out. Null-terminate the result (primarily for decoding passwords in + * libkdb_ldap). Return 0 on success, ENOMEM or EINVAL on error. + */ +int k5_hex_decode(const char *hex, uint8_t **bytes_out, size_t *len_out); + +#endif /* K5_HEX_H */ diff --git a/src/include/k5-input.h b/src/include/k5-input.h index d42ebce..9f47fa7 100644 --- a/src/include/k5-input.h +++ b/src/include/k5-input.h @@ -33,7 +33,7 @@ #ifndef K5_INPUT_H #define K5_INPUT_H -#include "k5-int.h" +#include "k5-platform.h" /* * The k5input module defines helpers for safely consuming a fixed-sized block @@ -45,7 +45,7 @@ struct k5input { const unsigned char *ptr; size_t len; - krb5_error_code status; + int32_t status; }; static inline void @@ -59,7 +59,7 @@ k5_input_init(struct k5input *in, const void *ptr, size_t len) /* Only set the status value of in if it hasn't already been set, so status * reflects the first thing to go wrong. */ static inline void -k5_input_set_status(struct k5input *in, krb5_error_code status) +k5_input_set_status(struct k5input *in, int32_t status) { if (!in->status) in->status = status; diff --git a/src/include/k5-int-pkinit.h b/src/include/k5-int-pkinit.h index 7b2f595..4622a62 100644 --- a/src/include/k5-int-pkinit.h +++ b/src/include/k5-int-pkinit.h @@ -42,6 +42,7 @@ typedef struct _krb5_pk_authenticator { krb5_timestamp ctime; krb5_int32 nonce; /* (0..4294967295) */ krb5_checksum paChecksum; + krb5_data *freshnessToken; } krb5_pk_authenticator; /* PKAuthenticator draft9 */ diff --git a/src/include/k5-int.h b/src/include/k5-int.h index 6499173..6522422 100644 --- a/src/include/k5-int.h +++ b/src/include/k5-int.h @@ -203,6 +203,7 @@ typedef unsigned char u_char; #define KRB5_CONF_DES_CRC_SESSION_SUPPORTED "des_crc_session_supported" #define KRB5_CONF_DICT_FILE "dict_file" #define KRB5_CONF_DISABLE "disable" +#define KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP "disable_encrypted_timestamp" #define KRB5_CONF_DISABLE_LAST_SUCCESS "disable_last_success" #define KRB5_CONF_DISABLE_LOCKOUT "disable_lockout" #define KRB5_CONF_DNS_CANONICALIZE_HOSTNAME "dns_canonicalize_hostname" @@ -212,6 +213,7 @@ typedef unsigned char u_char; #define KRB5_CONF_DNS_URI_LOOKUP "dns_uri_lookup" #define KRB5_CONF_DOMAIN_REALM "domain_realm" #define KRB5_CONF_ENABLE_ONLY "enable_only" +#define KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR "encrypted_challenge_indicator" #define KRB5_CONF_ERR_FMT "err_fmt" #define KRB5_CONF_EXTRA_ADDRESSES "extra_addresses" #define KRB5_CONF_FORWARDABLE "forwardable" @@ -224,6 +226,7 @@ typedef unsigned char u_char; #define KRB5_CONF_IPROP_MASTER_ULOGSIZE "iprop_master_ulogsize" #define KRB5_CONF_IPROP_PORT "iprop_port" #define KRB5_CONF_IPROP_RESYNC_TIMEOUT "iprop_resync_timeout" +#define KRB5_CONF_IPROP_REPLICA_POLL "iprop_replica_poll" #define KRB5_CONF_IPROP_SLAVE_POLL "iprop_slave_poll" #define KRB5_CONF_K5LOGIN_AUTHORITATIVE "k5login_authoritative" #define KRB5_CONF_K5LOGIN_DIRECTORY "k5login_directory" @@ -263,13 +266,16 @@ typedef unsigned char u_char; #define KRB5_CONF_LDAP_SERVICE_PASSWORD_FILE "ldap_service_password_file" #define KRB5_CONF_LIBDEFAULTS "libdefaults" #define KRB5_CONF_LOGGING "logging" +#define KRB5_CONF_MAPSIZE "mapsize" #define KRB5_CONF_MASTER_KDC "master_kdc" #define KRB5_CONF_MASTER_KEY_NAME "master_key_name" #define KRB5_CONF_MASTER_KEY_TYPE "master_key_type" #define KRB5_CONF_MAX_LIFE "max_life" +#define KRB5_CONF_MAX_READERS "max_readers" #define KRB5_CONF_MAX_RENEWABLE_LIFE "max_renewable_life" #define KRB5_CONF_MODULE "module" #define KRB5_CONF_NOADDRESSES "noaddresses" +#define KRB5_CONF_NOSYNC "nosync" #define KRB5_CONF_NO_HOST_REFERRAL "no_host_referral" #define KRB5_CONF_PERMITTED_ENCTYPES "permitted_enctypes" #define KRB5_CONF_PLUGINS "plugins" @@ -284,6 +290,9 @@ typedef unsigned char u_char; #define KRB5_CONF_RESTRICT_ANONYMOUS_TO_TGT "restrict_anonymous_to_tgt" #define KRB5_CONF_SAFE_CHECKSUM_TYPE "safe_checksum_type" #define KRB5_CONF_SUPPORTED_ENCTYPES "supported_enctypes" +#define KRB5_CONF_SPAKE_PREAUTH_INDICATOR "spake_preauth_indicator" +#define KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE "spake_preauth_kdc_challenge" +#define KRB5_CONF_SPAKE_PREAUTH_GROUPS "spake_preauth_groups" #define KRB5_CONF_TICKET_LIFETIME "ticket_lifetime" #define KRB5_CONF_UDP_PREFERENCE_LIMIT "udp_preference_limit" #define KRB5_CONF_UNLOCKITER "unlockiter" @@ -633,54 +642,9 @@ krb5int_arcfour_gsscrypt(const krb5_keyblock *keyblock, krb5_keyusage usage, #define K5_SHA256_HASHLEN (256 / 8) -/* Write the SHA-256 hash of in to out. */ +/* Write the SHA-256 hash of in (containing n elements) to out. */ krb5_error_code -k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]); - -/* - * Attempt to zero memory in a way that compilers won't optimize out. - * - * This mechanism should work even for heap storage about to be freed, - * or automatic storage right before we return from a function. - * - * Then, even if we leak uninitialized memory someplace, or UNIX - * "core" files get created with world-read access, some of the most - * sensitive data in the process memory will already be safely wiped. - * - * We're not going so far -- yet -- as to try to protect key data that - * may have been written into swap space.... - */ -#ifdef _WIN32 -# define zap(ptr, len) SecureZeroMemory(ptr, len) -#elif defined(__STDC_LIB_EXT1__) -/* - * Use memset_s() which cannot be optimized out. Avoid memset_s(NULL, 0, 0, 0) - * which would cause a runtime constraint violation. - */ -static inline void zap(void *ptr, size_t len) -{ - if (len > 0) - memset_s(ptr, len, 0, len); -} -#elif defined(__GNUC__) || defined(__clang__) -/* - * Use an asm statement which declares a memory clobber to force the memset to - * be carried out. Avoid memset(NULL, 0, 0) which has undefined behavior. - */ -static inline void zap(void *ptr, size_t len) -{ - if (len > 0) - memset(ptr, 0, len); - __asm__ __volatile__("" : : "r" (ptr) : "memory"); -} -#else -/* - * Use a function from libkrb5support to defeat inlining unless link-time - * optimization is used. The function uses a volatile pointer, which prevents - * current compilers from optimizing out the memset. - */ -# define zap(ptr, len) krb5int_zap(ptr, len) -#endif +k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]); /* Convenience function: zap and free ptr if it is non-NULL. */ static inline void @@ -720,7 +684,7 @@ krb5_error_code krb5int_c_copy_keyblock_contents(krb5_context context, const krb5_keyblock *from, krb5_keyblock *to); -krb5_error_code krb5_crypto_us_timeofday(krb5_int32 *, krb5_int32 *); +krb5_error_code krb5_crypto_us_timeofday(krb5_timestamp *, krb5_int32 *); /* * End "los-proto.h" @@ -1155,7 +1119,10 @@ struct plugin_interface { #define PLUGIN_INTERFACE_AUDIT 7 #define PLUGIN_INTERFACE_TLS 8 #define PLUGIN_INTERFACE_KDCAUTHDATA 9 -#define PLUGIN_NUM_INTERFACES 10 +#define PLUGIN_INTERFACE_CERTAUTH 10 +#define PLUGIN_INTERFACE_KADM5_AUTH 11 +#define PLUGIN_INTERFACE_KDCPOLICY 12 +#define PLUGIN_NUM_INTERFACES 13 /* Retrieve the plugin module of type interface_id and name modname, * storing the result into module. */ @@ -1194,7 +1161,7 @@ k5_plugin_free_context(krb5_context context); struct _kdb5_dal_handle; /* private, in kdb5.h */ typedef struct _kdb5_dal_handle kdb5_dal_handle; struct _kdb_log_context; -typedef struct krb5_preauth_context_st krb5_preauth_context; +typedef struct krb5_preauth_context_st *krb5_preauth_context; struct ccselect_module_handle; struct localauth_module_handle; struct hostrealm_module_handle; @@ -1231,7 +1198,7 @@ struct _krb5_context { struct plugin_dir_handle libkrb5_plugins; /* preauth module stuff */ - krb5_preauth_context *preauth_context; + krb5_preauth_context preauth_context; /* cache module stuff */ struct ccselect_module_handle **ccselect_handles; @@ -1866,16 +1833,13 @@ krb5int_random_string(krb5_context, char *string, unsigned int length); /* To keep happy libraries which are (for now) accessing internal stuff */ /* Make sure to increment by one when changing the struct */ -#define KRB5INT_ACCESS_STRUCT_VERSION 21 +#define KRB5INT_ACCESS_STRUCT_VERSION 22 typedef struct _krb5int_access { krb5_error_code (*auth_con_get_subkey_enctype)(krb5_context, krb5_auth_context, krb5_enctype *); - krb5_error_code (*clean_hostname)(krb5_context, const char *, char *, - size_t); - krb5_error_code (*mandatory_cksumtype)(krb5_context, krb5_enctype, krb5_cksumtype *); krb5_error_code (KRB5_CALLCONV *ser_pack_int64)(int64_t, krb5_octet **, @@ -2112,6 +2076,7 @@ krb5_get_tgs_ktypes(krb5_context, krb5_const_principal, krb5_enctype **); krb5_boolean krb5_is_permitted_enctype(krb5_context, krb5_enctype); krb5_boolean KRB5_CALLCONV krb5int_c_weak_enctype(krb5_enctype); +krb5_error_code k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out); krb5_error_code krb5_kdc_rep_decrypt_proc(krb5_context, const krb5_keyblock *, krb5_const_pointer, krb5_kdc_rep *); @@ -2350,6 +2315,44 @@ k5memdup0(const void *in, size_t len, krb5_error_code *code) return ptr; } +/* Convert a krb5_timestamp to a time_t value, treating the negative range of + * krb5_timestamp as times between 2038 and 2106 (if time_t is 64-bit). */ +static inline time_t +ts2tt(krb5_timestamp timestamp) +{ + return (time_t)(uint32_t)timestamp; +} + +/* Return the delta between two timestamps (a - b) as a signed 32-bit value, + * without relying on undefined behavior. */ +static inline krb5_deltat +ts_delta(krb5_timestamp a, krb5_timestamp b) +{ + return (krb5_deltat)((uint32_t)a - (uint32_t)b); +} + +/* Increment a timestamp by a signed 32-bit interval, without relying on + * undefined behavior. */ +static inline krb5_timestamp +ts_incr(krb5_timestamp ts, krb5_deltat delta) +{ + return (krb5_timestamp)((uint32_t)ts + (uint32_t)delta); +} + +/* Return true if a comes after b. */ +static inline krb5_boolean +ts_after(krb5_timestamp a, krb5_timestamp b) +{ + return (uint32_t)a > (uint32_t)b; +} + +/* Return true if a and b are within d seconds. */ +static inline krb5_boolean +ts_within(krb5_timestamp a, krb5_timestamp b, krb5_deltat d) +{ + return !ts_after(a, ts_incr(b, d)) && !ts_after(b, ts_incr(a, d)); +} + krb5_error_code KRB5_CALLCONV krb5_get_credentials_for_user(krb5_context context, krb5_flags options, krb5_ccache ccache, diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h index 994f463..997b655 100644 --- a/src/include/k5-platform.h +++ b/src/include/k5-platform.h @@ -40,10 +40,12 @@ * + [v]asprintf * + strerror_r * + mkstemp - * + zap (support function; macro is in k5-int.h) + * + zap (support function and macro) * + constant time memory comparison * + path manipulation * + _, N_, dgettext, bindtextdomain (for localization) + * + getopt_long + * + fetching filenames from a directory */ #ifndef K5_PLATFORM_H @@ -71,6 +73,13 @@ #define CAN_COPY_VA_LIST #endif +/* This attribute prevents unused function warnings in gcc and clang. */ +#ifdef __GNUC__ +#define UNUSED __attribute__((__unused__)) +#else +#define UNUSED +#endif + #if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)) #include #endif @@ -354,19 +363,7 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; -#if !defined(SHARED) && !defined(_WIN32) - -/* - * In this case, we just don't care about finalization. - * - * The code will still define the function, but we won't do anything - * with it. Annoying: This may generate unused-function warnings. - */ - -# define MAKE_FINI_FUNCTION(NAME) \ - static void NAME(void) - -#elif defined(USE_LINKER_FINI_OPTION) || defined(_WIN32) +#if defined(USE_LINKER_FINI_OPTION) || defined(_WIN32) /* If we're told the linker option will be used, it doesn't really matter what compiler we're using. Do it the same way regardless. */ @@ -400,6 +397,15 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; # endif +#elif !defined(SHARED) + +/* + * In this case, we just don't care about finalization. The code will still + * define the function, but we won't do anything with it. + */ +# define MAKE_FINI_FUNCTION(NAME) \ + static void NAME(void) UNUSED + #elif defined(__GNUC__) && defined(DESTRUCTOR_ATTR_WORKS) /* If we're using gcc, if the C++ support works, the compiler should build executables and shared libraries that support the use of @@ -508,7 +514,7 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; Linux: byteswap.h, bswap_16 etc. Solaris 10: none - Mac OS X: machine/endian.h or byte_order.h, NXSwap{Short,Int,LongLong} + macOS: machine/endian.h or byte_order.h, NXSwap{Short,Int,LongLong} NetBSD: sys/bswap.h, bswap16 etc. */ #if defined(HAVE_BYTESWAP_H) && defined(HAVE_BSWAP_16) @@ -520,15 +526,11 @@ typedef struct { int error; unsigned char did_run; } k5_init_t; # endif #elif TARGET_OS_MAC # include -# if 0 /* This causes compiler warnings. */ -# define SWAP16 OSSwapInt16 -# else -# define SWAP16 k5_swap16 +# define SWAP16 k5_swap16 static inline unsigned int k5_swap16 (unsigned int x) { x &= 0xffff; return (x >> 8) | ((x & 0xff) << 8); } -# endif # define SWAP32 OSSwapInt32 # define SWAP64 OSSwapInt64 #elif defined(HAVE_SYS_BSWAP_H) @@ -842,25 +844,6 @@ k5_ntohll (uint64_t val) business. Probably most callers won't check the return status anyways. */ -#if 0 -static inline void -set_cloexec_fd(int fd) -{ -#if defined(F_SETFD) -# ifdef FD_CLOEXEC - (void)fcntl(fd, F_SETFD, FD_CLOEXEC); -# else - (void)fcntl(fd, F_SETFD, 1); -# endif -#endif -} - -static inline void -set_cloexec_file(FILE *f) -{ - return set_cloexec_fd(fileno(f)); -} -#else /* Macros make the Sun compiler happier, and all variants of this do a single evaluation of the argument, and fcntl and fileno should produce reasonable error messages on type mismatches, on any system @@ -875,9 +858,6 @@ set_cloexec_file(FILE *f) # define set_cloexec_fd(FD) ((void)(FD)) #endif #define set_cloexec_file(F) set_cloexec_fd(fileno(F)) -#endif - - /* Since the original ANSI C spec left it undefined whether or how you could copy around a va_list, C 99 added va_copy. @@ -1018,6 +998,51 @@ extern int krb5int_gettimeofday(struct timeval *tp, void *ignore); #define gettimeofday krb5int_gettimeofday #endif +/* + * Attempt to zero memory in a way that compilers won't optimize out. + * + * This mechanism should work even for heap storage about to be freed, + * or automatic storage right before we return from a function. + * + * Then, even if we leak uninitialized memory someplace, or UNIX + * "core" files get created with world-read access, some of the most + * sensitive data in the process memory will already be safely wiped. + * + * We're not going so far -- yet -- as to try to protect key data that + * may have been written into swap space.... + */ +#ifdef _WIN32 +# define zap(ptr, len) SecureZeroMemory(ptr, len) +#elif defined(__STDC_LIB_EXT1__) +/* + * Use memset_s() which cannot be optimized out. Avoid memset_s(NULL, 0, 0, 0) + * which would cause a runtime constraint violation. + */ +static inline void zap(void *ptr, size_t len) +{ + if (len > 0) + memset_s(ptr, len, 0, len); +} +#elif defined(__GNUC__) || defined(__clang__) +/* + * Use an asm statement which declares a memory clobber to force the memset to + * be carried out. Avoid memset(NULL, 0, 0) which has undefined behavior. + */ +static inline void zap(void *ptr, size_t len) +{ + if (len > 0) + memset(ptr, 0, len); + __asm__ __volatile__("" : : "r" (ptr) : "memory"); +} +#else +/* + * Use a function from libkrb5support to defeat inlining unless link-time + * optimization is used. The function uses a volatile pointer, which prevents + * current compilers from optimizing out the memset. + */ +# define zap(ptr, len) krb5int_zap(ptr, len) +#endif + extern void krb5int_zap(void *ptr, size_t len); /* @@ -1065,10 +1090,16 @@ int k5_path_isabs(const char *path); #define N_(s) s #if !defined(HAVE_GETOPT) || !defined(HAVE_UNISTD_H) -extern int k5_opterr; -extern int k5_optind; -extern int k5_optopt; -extern char *k5_optarg; +/* Data objects imported from DLLs must be declared as such on Windows. */ +#if defined(_WIN32) && !defined(K5_GETOPT_C) +#define K5_GETOPT_DECL __declspec(dllimport) +#else +#define K5_GETOPT_DECL +#endif +K5_GETOPT_DECL extern int k5_opterr; +K5_GETOPT_DECL extern int k5_optind; +K5_GETOPT_DECL extern int k5_optopt; +K5_GETOPT_DECL extern char *k5_optarg; #define opterr k5_opterr #define optind k5_optind #define optopt k5_optopt @@ -1099,4 +1130,9 @@ extern int k5_getopt_long(int nargc, char **nargv, char *options, #define getopt_long k5_getopt_long #endif /* HAVE_GETOPT_LONG */ +/* Set *fnames_out to a null-terminated list of filenames within dirname, + * sorted according to strcmp(). Return 0 on success, or ENOENT/ENOMEM. */ +int k5_dir_filenames(const char *dirname, char ***fnames_out); +void k5_free_filenames(char **fnames); + #endif /* K5_PLATFORM_H */ diff --git a/src/include/k5-spake.h b/src/include/k5-spake.h new file mode 100644 index 0000000..ddb5d81 --- /dev/null +++ b/src/include/k5-spake.h @@ -0,0 +1,107 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/k5-spake.h - SPAKE preauth mech declarations */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * The SPAKE preauth mechanism allows long-term client keys to be used for + * preauthentication without exposing them to offline dictionary attacks. The + * negotiated key can also be used for second-factor authentication. This + * header file declares structures and encoder/decoder functions for the + * mechanism's padata messages. + */ + +#ifndef K5_SPAKE_H +#define K5_SPAKE_H + +#include "k5-int.h" + +/* SPAKESecondFactor is contained within a SPAKEChallenge, SPAKEResponse, or + * EncryptedData message and contains a second-factor challenge or response. */ +typedef struct krb5_spake_factor_st { + int32_t type; + krb5_data *data; +} krb5_spake_factor; + +/* SPAKESupport is sent from the client to the KDC to indicate which group the + * client supports. */ +typedef struct krb5_spake_support_st { + int32_t ngroups; + int32_t *groups; +} krb5_spake_support; + +/* SPAKEChallenge is sent from the KDC to the client to communicate its group + * selection, public value, and second-factor challenge options. */ +typedef struct krb5_spake_challenge_st { + int32_t group; + krb5_data pubkey; + krb5_spake_factor **factors; +} krb5_spake_challenge; + +/* SPAKEResponse is sent from the client to the KDC to communicate its public + * value and encrypted second-factor response. */ +typedef struct krb5_spake_response_st { + krb5_data pubkey; + krb5_enc_data factor; +} krb5_spake_response; + +enum krb5_spake_msgtype { + SPAKE_MSGTYPE_UNKNOWN = -1, + SPAKE_MSGTYPE_SUPPORT = 0, + SPAKE_MSGTYPE_CHALLENGE = 1, + SPAKE_MSGTYPE_RESPONSE = 2, + SPAKE_MSGTYPE_ENCDATA = 3 +}; + +/* PA-SPAKE is a choice among the message types which can appear in a PA-SPAKE + * padata element. */ +typedef struct krb5_pa_spake_st { + enum krb5_spake_msgtype choice; + union krb5_spake_message_choices { + krb5_spake_support support; + krb5_spake_challenge challenge; + krb5_spake_response response; + krb5_enc_data encdata; + } u; +} krb5_pa_spake; + +krb5_error_code encode_krb5_spake_factor(const krb5_spake_factor *val, + krb5_data **code_out); +krb5_error_code decode_krb5_spake_factor(const krb5_data *code, + krb5_spake_factor **val_out); +void k5_free_spake_factor(krb5_context context, krb5_spake_factor *val); + +krb5_error_code encode_krb5_pa_spake(const krb5_pa_spake *val, + krb5_data **code_out); +krb5_error_code decode_krb5_pa_spake(const krb5_data *code, + krb5_pa_spake **val_out); +void k5_free_pa_spake(krb5_context context, krb5_pa_spake *val); + +#endif /* K5_SPAKE_H */ diff --git a/src/include/k5-thread.h b/src/include/k5-thread.h index 3e3901d..a310123 100644 --- a/src/include/k5-thread.h +++ b/src/include/k5-thread.h @@ -134,6 +134,10 @@ More to be added, perhaps. */ #include +#ifndef NDEBUG +#include +#include +#endif /* The mutex structure we use, k5_mutex_t, is defined to some OS-specific bits. The use of multiple layers of typedefs are an @@ -363,12 +367,24 @@ static inline int k5_mutex_finish_init(k5_mutex_t *m) static inline void k5_mutex_lock(k5_mutex_t *m) { int r = k5_os_mutex_lock(m); +#ifndef NDEBUG + if (r != 0) { + fprintf(stderr, "k5_mutex_lock: Received error %d (%s)\n", + r, strerror(r)); + } +#endif assert(r == 0); } static inline void k5_mutex_unlock(k5_mutex_t *m) { int r = k5_os_mutex_unlock(m); +#ifndef NDEBUG + if (r != 0) { + fprintf(stderr, "k5_mutex_unlock: Received error %d (%s)\n", + r, strerror(r)); + } +#endif assert(r == 0); } diff --git a/src/include/k5-trace.h b/src/include/k5-trace.h index c75e264..2aa379b 100644 --- a/src/include/k5-trace.h +++ b/src/include/k5-trace.h @@ -75,6 +75,7 @@ * {cksum} const krb5_checksum *, display cksumtype and hex checksum * {princ} krb5_principal, unparse and display * {ptype} krb5_int32, krb5_principal type, display name + * {patype} krb5_preauthtype, a single padata type number * {patypes} krb5_pa_data **, display list of padata type numbers * {etype} krb5_enctype, display shortest name of enctype * {etypes} krb5_enctype *, display list of enctypes @@ -155,6 +156,20 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); TRACE(c, "ccselect choosing default cache {ccache} for server " \ "principal {princ}", cache, server) +#define TRACE_DNS_SRV_ANS(c, host, port, prio, weight) \ + TRACE(c, "SRV answer: {int} {int} {int} \"{str}\"", prio, weight, \ + port, host) +#define TRACE_DNS_SRV_NOTFOUND(c) \ + TRACE(c, "No SRV records found") +#define TRACE_DNS_SRV_SEND(c, domain) \ + TRACE(c, "Sending DNS SRV query for {str}", domain) +#define TRACE_DNS_URI_ANS(c, uri, prio, weight) \ + TRACE(c, "URI answer: {int} {int} \"{str}\"", prio, weight, uri) +#define TRACE_DNS_URI_NOTFOUND(c) \ + TRACE(c, "No URI records found") +#define TRACE_DNS_URI_SEND(c, domain) \ + TRACE(c, "Sending DNS URI query for {str}", domain) + #define TRACE_FAST_ARMOR_CCACHE(c, ccache_name) \ TRACE(c, "FAST armor ccache: {str}", ccache_name) #define TRACE_FAST_ARMOR_CCACHE_KEY(c, keyblock) \ @@ -213,8 +228,19 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); TRACE(c, "Looked up etypes in keytab: {etypes}", etypes) #define TRACE_INIT_CREDS_KEYTAB_LOOKUP_FAILED(c, code) \ TRACE(c, "Couldn't lookup etypes in keytab: {kerr}", code) +#define TRACE_INIT_CREDS_PREAUTH(c) \ + TRACE(c, "Preauthenticating using KDC method data") #define TRACE_INIT_CREDS_PREAUTH_DECRYPT_FAIL(c, code) \ TRACE(c, "Decrypt with preauth AS key failed: {kerr}", code) +#define TRACE_INIT_CREDS_PREAUTH_MORE(c, patype) \ + TRACE(c, "Continuing preauth mech {patype}", patype) +#define TRACE_INIT_CREDS_PREAUTH_NONE(c) \ + TRACE(c, "Sending unauthenticated request") +#define TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(c) \ + TRACE(c, "Attempting optimistic preauth") +#define TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(c, patype, code) \ + TRACE(c, "Recovering from KDC error {int} using preauth mech {patype}", \ + patype, (int)code) #define TRACE_INIT_CREDS_RESTART_FAST(c) \ TRACE(c, "Restarting to upgrade to FAST") #define TRACE_INIT_CREDS_RESTART_PREAUTH_FAILED(c) \ @@ -228,6 +254,13 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_INIT_CREDS_SERVICE(c, service) \ TRACE(c, "Setting initial creds service to {str}", service) +#define TRACE_KADM5_AUTH_VTINIT_FAIL(c, ret) \ + TRACE(c, "kadm5_auth module failed to init vtable: {kerr}", ret) +#define TRACE_KADM5_AUTH_INIT_FAIL(c, name, ret) \ + TRACE(c, "kadm5_auth module {str} failed to init: {kerr}", ret) +#define TRACE_KADM5_AUTH_INIT_SKIP(c, name) \ + TRACE(c, "kadm5_auth module {str} declined to initialize", name) + #define TRACE_KT_GET_ENTRY(c, keytab, princ, vno, enctype, err) \ TRACE(c, "Retrieving {princ} from {keytab} (vno {int}, enctype {etype}) " \ "with result: {kerr}", princ, keytab, (int) vno, enctype, err) @@ -258,7 +291,7 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_PREAUTH_CONFLICT(c, name1, name2, patype) \ TRACE(c, "Preauth module {str} conflicts with module {str} for pa " \ - "type {int}", name1, name2, (int) patype) + "type {patype}", name1, name2, patype) #define TRACE_PREAUTH_COOKIE(c, len, data) \ TRACE(c, "Received cookie: {lenstr}", (size_t) len, data) #define TRACE_PREAUTH_ENC_TS_KEY_GAK(c, keyblock) \ @@ -266,12 +299,14 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_PREAUTH_ENC_TS(c, sec, usec, plain, enc) \ TRACE(c, "Encrypted timestamp (for {long}.{int}): plain {hexdata}, " \ "encrypted {hexdata}", (long) sec, (int) usec, plain, enc) +#define TRACE_PREAUTH_ENC_TS_DISABLED(c) \ + TRACE(c, "Ignoring encrypted timestamp because it is disabled") #define TRACE_PREAUTH_ETYPE_INFO(c, etype, salt, s2kparams) \ TRACE(c, "Selected etype info: etype {etype}, salt \"{data}\", " \ "params \"{data}\"", etype, salt, s2kparams) #define TRACE_PREAUTH_INFO_FAIL(c, patype, code) \ - TRACE(c, "Preauth builtin info function failure, type={int}: {kerr}", \ - (int) patype, code) + TRACE(c, "Preauth builtin info function failure, type={patype}: {kerr}", \ + patype, code) #define TRACE_PREAUTH_INPUT(c, padata) \ TRACE(c, "Processing preauth types: {patypes}", padata) #define TRACE_PREAUTH_OUTPUT(c, padata) \ @@ -282,15 +317,21 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_PREAUTH_SAM_KEY_GAK(c, keyblock) \ TRACE(c, "AS key obtained for SAM: {keyblock}", keyblock) #define TRACE_PREAUTH_SALT(c, salt, patype) \ - TRACE(c, "Received salt \"{data}\" via padata type {int}", salt, \ - (int) patype) + TRACE(c, "Received salt \"{data}\" via padata type {patype}", salt, \ + patype) #define TRACE_PREAUTH_SKIP(c, name, patype) \ TRACE(c, "Skipping previously used preauth module {str} ({int})", \ name, (int) patype) -#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, padata) \ - TRACE(c, "Preauth tryagain input types: {patypes}", padata) +#define TRACE_PREAUTH_TRYAGAIN_INPUT(c, patype, padata) \ + TRACE(c, "Preauth tryagain input types ({int}): {patypes}", patype, padata) +#define TRACE_PREAUTH_TRYAGAIN(c, name, patype, code) \ + TRACE(c, "Preauth module {str} ({int}) tryagain returned: {kerr}", \ + name, (int)patype, code) #define TRACE_PREAUTH_TRYAGAIN_OUTPUT(c, padata) \ TRACE(c, "Followup preauth for next request: {patypes}", padata) +#define TRACE_PREAUTH_WRONG_CONTEXT(c) \ + TRACE(c, "Wrong context passed to krb5_init_creds_free(); leaking " \ + "modreq objects") #define TRACE_PROFILE_ERR(c,subsection, section, retval) \ TRACE(c, "Bad value of {str} from [{str}] in conf file: {kerr}", \ @@ -326,6 +367,8 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_SENDTO_KDC(c, len, rlm, master, tcp) \ TRACE(c, "Sending request ({int} bytes) to {data}{str}{str}", len, \ rlm, (master) ? " (master)" : "", (tcp) ? " (tcp only)" : "") +#define TRACE_SENDTO_KDC_K5TLS_LOAD_ERROR(c, ret) \ + TRACE(c, "Error loading k5tls module: {kerr}", ret) #define TRACE_SENDTO_KDC_MASTER(c, master) \ TRACE(c, "Response was{str} from master KDC", (master) ? "" : " not") #define TRACE_SENDTO_KDC_RESOLVING(c, hostname) \ @@ -454,4 +497,9 @@ void krb5int_trace(krb5_context context, const char *fmt, ...); #define TRACE_GET_CRED_VIA_TKT_EXT_RETURN(c, ret) \ TRACE(c, "Got cred; {kerr}", ret) +#define TRACE_KDCPOLICY_VTINIT_FAIL(c, ret) \ + TRACE(c, "KDC policy module failed to init vtable: {kerr}", ret) +#define TRACE_KDCPOLICY_INIT_SKIP(c, name) \ + TRACE(c, "kadm5_auth module {str} declined to initialize", name) + #endif /* K5_TRACE_H */ diff --git a/src/include/k5-utf8.h b/src/include/k5-utf8.h index 22f433c..e2f20d4 100644 --- a/src/include/k5-utf8.h +++ b/src/include/k5-utf8.h @@ -73,57 +73,28 @@ typedef uint16_t krb5_ucs2; typedef uint32_t krb5_ucs4; -#define KRB5_MAX_UTF8_LEN (sizeof(krb5_ucs2) * 3/2) - int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out); size_t krb5int_ucs2_to_utf8(krb5_ucs2 c, char *buf); int krb5int_utf8_to_ucs4(const char *p, krb5_ucs4 *out); size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf); -int -krb5int_ucs2s_to_utf8s(const krb5_ucs2 *ucs2s, - char **utf8s, - size_t *utf8slen); - -int -krb5int_ucs2cs_to_utf8s(const krb5_ucs2 *ucs2s, - size_t ucs2slen, - char **utf8s, - size_t *utf8slen); - -int -krb5int_ucs2les_to_utf8s(const unsigned char *ucs2les, - char **utf8s, - size_t *utf8slen); - -int -krb5int_ucs2lecs_to_utf8s(const unsigned char *ucs2les, - size_t ucs2leslen, - char **utf8s, - size_t *utf8slen); - -int -krb5int_utf8s_to_ucs2s(const char *utf8s, - krb5_ucs2 **ucs2s, - size_t *ucs2chars); - -int -krb5int_utf8cs_to_ucs2s(const char *utf8s, - size_t utf8slen, - krb5_ucs2 **ucs2s, - size_t *ucs2chars); - -int -krb5int_utf8s_to_ucs2les(const char *utf8s, - unsigned char **ucs2les, - size_t *ucs2leslen); - -int -krb5int_utf8cs_to_ucs2les(const char *utf8s, - size_t utf8slen, - unsigned char **ucs2les, - size_t *ucs2leslen); +/* + * Convert a little-endian UTF-16 string to an allocated null-terminated UTF-8 + * string. nbytes is the length of ucs2bytes in bytes, and must be an even + * number. Return EINVAL on invalid input, ENOMEM on out of memory, or 0 on + * success. + */ +int k5_utf16le_to_utf8(const uint8_t *utf16bytes, size_t nbytes, + char **utf8_out); + +/* + * Convert a UTF-8 string to an allocated little-endian UTF-16 string. The + * resulting length is in bytes and will always be even. Return EINVAL on + * invalid input, ENOMEM on out of memory, or 0 on success. + */ +int k5_utf8_to_utf16le(const char *utf8, uint8_t **utf16_out, + size_t *nbytes_out); /* returns the number of bytes in the UTF-8 string */ size_t krb5int_utf8_bytes(const char *); diff --git a/src/include/kdb.h b/src/include/kdb.h index da04724..9812a35 100644 --- a/src/include/kdb.h +++ b/src/include/kdb.h @@ -69,7 +69,7 @@ /* This version will be incremented when incompatible changes are made to the * KDB API, and will be kept in sync with the libkdb major version. */ -#define KRB5_KDB_API_VERSION 8 +#define KRB5_KDB_API_VERSION 9 /* Salt types */ #define KRB5_KDB_SALTTYPE_NORMAL 0 @@ -695,6 +695,8 @@ krb5_error_code krb5_db_check_policy_tgs(krb5_context kcontext, krb5_pa_data ***e_data); void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); @@ -865,7 +867,7 @@ krb5_error_code krb5_db_register_keytab(krb5_context context); * This number indicates the date of the last incompatible change to the DAL. * The maj_ver field of the module's vtable structure must match this version. */ -#define KRB5_KDB_DAL_MAJOR_VERSION 6 +#define KRB5_KDB_DAL_MAJOR_VERSION 7 /* * A krb5_context can hold one database object. Modules should use @@ -931,10 +933,10 @@ typedef struct _kdb_vftabl { * * If db_args contains the value "temporary", the module should create an * exclusively locked side copy of the database suitable for loading in a - * propagation from master to slave. This side copy will later be promoted - * with promote_db, allowing complete updates of the DB with no loss in - * read availability. If the module cannot comply with this architecture, - * it should return an error. + * propagation from master to replica. This side copy will later be + * promoted with promote_db, allowing complete updates of the DB with no + * loss in read availability. If the module cannot comply with this + * architecture, it should return an error. */ krb5_error_code (*create)(krb5_context kcontext, char *conf_section, char **db_args); @@ -1016,9 +1018,10 @@ typedef struct _kdb_vftabl { * requested; also set by the admin interface. Determines whether the * module should return in-realm aliases. * - * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set. - * To return an in-realm alias, fill in a different value for - * entries->princ than the one requested. + * A module can return in-realm aliases if KRB5_KDB_FLAG_ALIAS_OK is set, + * or if search_for->type is KRB5_NT_ENTERPRISE_PRINCIPAL. To return an + * in-realm alias, fill in a different value for entries->princ than the + * one requested. * * A module can return out-of-realm referrals if KRB5_KDB_FLAG_CANONICALIZE * is set. For AS request clients (KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY is @@ -1255,14 +1258,15 @@ typedef struct _kdb_vftabl { * * flags: The flags used to look up the client principal. * - * client_princ: For S4U2Proxy TGS requests, the client principal - * requested by the service; for regular TGS requests, the + * client_princ: For S4U2Self and S4U2Proxy TGS requests, the client + * principal requested by the service; for regular TGS requests, the * possibly-canonicalized client principal. * * client: The DB entry of the client. For S4U2Self, this will be the DB * entry for the client principal requested by the service). * - * server: The DB entry of the service principal. + * server: The DB entry of the service principal, or of a cross-realm + * krbtgt principal in case of referral. * * krbtgt: For TGS requests, the DB entry of the server of the ticket in * the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt @@ -1356,6 +1360,8 @@ typedef struct _kdb_vftabl { * AS request. */ void (*audit_as_req)(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code); diff --git a/src/include/kdb_log.h b/src/include/kdb_log.h index 25b8236..4239575 100644 --- a/src/include/kdb_log.h +++ b/src/include/kdb_log.h @@ -21,9 +21,8 @@ extern "C" { /* * DB macros */ -#define INDEX(ulog, i) (kdb_ent_header_t *)((char *)(ulog) + \ - sizeof(kdb_hlog_t) + \ - (i) * ulog->kdb_block) +#define INDEX(ulog, i) (kdb_ent_header_t *)(void *) \ + ((char *)(ulog) + sizeof(kdb_hlog_t) + (i) * ulog->kdb_block) /* * Current DB version # diff --git a/src/include/krb5/certauth_plugin.h b/src/include/krb5/certauth_plugin.h new file mode 100644 index 0000000..3074790 --- /dev/null +++ b/src/include/krb5/certauth_plugin.h @@ -0,0 +1,128 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/krb5/certauth_plugin.h - certauth plugin header. */ +/* + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Declarations for certauth plugin module implementors. + * + * The certauth pluggable interface currently has only one supported major + * version, which is 1. Major version 1 has a current minor version number of + * 1. + * + * certauth plugin modules should define a function named + * certauth__initvt, matching the signature: + * + * krb5_error_code + * certauth_modname_initvt(krb5_context context, int maj_ver, int min_ver, + * krb5_plugin_vtable vtable); + * + * The initvt function should: + * + * - Check that the supplied maj_ver number is supported by the module, or + * return KRB5_PLUGIN_VER_NOTSUPP if it is not. + * + * - Cast the vtable pointer as appropriate for maj_ver: + * maj_ver == 1: Cast to krb5_certauth_vtable + * + * - Initialize the methods of the vtable, stopping as appropriate for the + * supplied min_ver. Optional methods may be left uninitialized. + * + * Memory for the vtable is allocated by the caller, not by the module. + */ + +#ifndef KRB5_CERTAUTH_PLUGIN_H +#define KRB5_CERTAUTH_PLUGIN_H + +#include +#include + +/* Abstract module data type. */ +typedef struct krb5_certauth_moddata_st *krb5_certauth_moddata; + +/* A module can optionally include to inspect the client principal + * entry when authorizing a request. */ +struct _krb5_db_entry_new; + +/* + * Optional: Initialize module data. + */ +typedef krb5_error_code +(*krb5_certauth_init_fn)(krb5_context context, + krb5_certauth_moddata *moddata_out); + +/* + * Optional: Clean up the module data. + */ +typedef void +(*krb5_certauth_fini_fn)(krb5_context context, krb5_certauth_moddata moddata); + +/* + * Mandatory: + * Return 0 if the DER-encoded cert is authorized for PKINIT authentication by + * princ; otherwise return one of the following error codes: + * - KRB5KDC_ERR_CLIENT_NAME_MISMATCH - incorrect SAN value + * - KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE - incorrect EKU + * - KRB5KDC_ERR_CERTIFICATE_MISMATCH - other extension error + * - KRB5_PLUGIN_NO_HANDLE - the module has no opinion about cert + * + * - opts is used by built-in modules to receive internal data, and must be + * ignored by other modules. + * - db_entry receives the client principal database entry, and can be ignored + * by modules that do not link with libkdb5. + * - *authinds_out optionally returns a null-terminated list of authentication + * indicator strings upon KRB5_PLUGIN_NO_HANDLE or accepted authorization. + */ +typedef krb5_error_code +(*krb5_certauth_authorize_fn)(krb5_context context, + krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out); + +/* + * Free indicators allocated by a module. Mandatory if authorize returns + * authentication indicators. + */ +typedef void +(*krb5_certauth_free_indicator_fn)(krb5_context context, + krb5_certauth_moddata moddata, + char **authinds); + +typedef struct krb5_certauth_vtable_st { + const char *name; + krb5_certauth_init_fn init; + krb5_certauth_fini_fn fini; + krb5_certauth_authorize_fn authorize; + krb5_certauth_free_indicator_fn free_ind; +} *krb5_certauth_vtable; + +#endif /* KRB5_CERTAUTH_PLUGIN_H */ diff --git a/src/include/krb5/clpreauth_plugin.h b/src/include/krb5/clpreauth_plugin.h index 0106734..22a5e9b 100644 --- a/src/include/krb5/clpreauth_plugin.h +++ b/src/include/krb5/clpreauth_plugin.h @@ -84,10 +84,9 @@ typedef struct krb5_clpreauth_callbacks_st { int vers; /* - * Get the enctype expected to be used to encrypt the encrypted portion of - * the AS_REP packet. When handling a PREAUTH_REQUIRED error, this - * typically comes from etype-info2. When handling an AS reply, it is - * initialized from the AS reply itself. + * If an AS-REP has been received, return the enctype of the AS-REP + * encrypted part. Otherwise return the enctype chosen from etype-info, or + * the first requested enctype if no etype-info was received. */ krb5_enctype (*get_etype)(krb5_context context, krb5_clpreauth_rock rock); @@ -160,7 +159,21 @@ typedef struct krb5_clpreauth_callbacks_st { krb5_error_code (*set_cc_config)(krb5_context context, krb5_clpreauth_rock rock, const char *key, const char *data); + /* End of version 2 clpreauth callbacks (added in 1.11). */ + + /* + * Prevent further fallbacks to other preauth mechanisms if the KDC replies + * with an error. (The module itself can still respond to errors with its + * tryagain method, or continue after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED + * errors with its process method.) A module should invoke this callback + * from the process method when it generates an authenticated request using + * credentials; often this will be the first or only client message + * generated by the mechanism. + */ + void (*disable_fallback)(krb5_context context, krb5_clpreauth_rock rock); + + /* End of version 3 clpreauth callbacks (added in 1.17). */ } *krb5_clpreauth_callbacks; /* diff --git a/src/include/krb5/kadm5_auth_plugin.h b/src/include/krb5/kadm5_auth_plugin.h new file mode 100644 index 0000000..d514e99 --- /dev/null +++ b/src/include/krb5/kadm5_auth_plugin.h @@ -0,0 +1,306 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Declarations for kadm5_auth plugin module implementors. + * + * The kadm5_auth pluggable interface currently has only one supported major + * version, which is 1. Major version 1 has a current minor version number of + * 1. + * + * kadm5_auth plugin modules should define a function named + * kadm5_auth__initvt, matching the signature: + * + * krb5_error_code + * kadm5_auth_modname_initvt(krb5_context context, int maj_ver, int min_ver, + * krb5_plugin_vtable vtable); + * + * The initvt function should: + * + * - Check that the supplied maj_ver number is supported by the module, or + * return KRB5_PLUGIN_VER_NOTSUPP if it is not. + * + * - Cast the vtable pointer as appropriate for maj_ver: + * maj_ver == 1: Cast to krb5_kadm5_auth_vtable + * + * - Initialize the methods of the vtable, stopping as appropriate for the + * supplied min_ver. Optional methods may be left uninitialized. + * + * Memory for the vtable is allocated by the caller, not by the module. + */ + +#ifndef KRB5_KADM5_AUTH_PLUGIN_H +#define KRB5_KADM5_AUTH_PLUGIN_H + +#include +#include + +/* An abstract type for kadm5_auth module data. */ +typedef struct kadm5_auth_moddata_st *kadm5_auth_moddata; + +/* + * A module can optionally include to inspect principal or + * policy records from requests that add or modify principals or policies. + * Note that fields of principal and policy structures are only valid if the + * corresponding bit is set in the accompanying mask parameter. + */ +struct _kadm5_principal_ent_t; +struct _kadm5_policy_ent_t; + +/* + * A module can optionally generate restrictions when checking permissions for + * adding or modifying a principal entry. Restriction fields will only be + * honored if the corresponding mask bit is set. The operable mask bits are + * defined in and are: + * + * - KADM5_ATTRIBUTES for require_attrs, forbid_attrs + * - KADM5_POLICY for policy + * - KADM5_POLICY_CLR to require that policy be unset + * - KADM5_PRINC_EXPIRE_TIME for princ_lifetime + * - KADM5_PW_EXPIRATION for pw_lifetime + * - KADM5_MAX_LIFE for max_life + * - KADM5_MAX_RLIFE for max_renewable_life + */ +struct kadm5_auth_restrictions { + long mask; + krb5_flags require_attrs; + krb5_flags forbid_attrs; + krb5_deltat princ_lifetime; + krb5_deltat pw_lifetime; + krb5_deltat max_life; + krb5_deltat max_renewable_life; + char *policy; +}; + +/*** Method type declarations ***/ + +/* + * Optional: Initialize module data. acl_file is the realm's configured ACL + * file, or NULL if none was configured. Return 0 on success, + * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for + * example), and any other error code to abort kadmind startup. Optionally set + * *data_out to a module data object to be passed to future calls. + */ +typedef krb5_error_code +(*kadm5_auth_init_fn)(krb5_context context, const char *acl_file, + kadm5_auth_moddata *data_out); + +/* Optional: Release resources used by module data. */ +typedef void +(*kadm5_auth_fini_fn)(krb5_context context, kadm5_auth_moddata data); + +/* + * Each check method below should return 0 to explicitly authorize the request, + * KRB5_PLUGIN_NO_HANDLE to neither authorize nor deny the request, and any + * other error code (such as EPERM) to explicitly deny the request. If a check + * method is not defined, the module will neither authorize nor deny the + * request. A request succeeds if at least one kadm5_auth module explicitly + * authorizes the request and none of the modules explicitly deny it. + */ + +/* Optional: authorize an add-principal operation, and optionally generate + * restrictions. */ +typedef krb5_error_code +(*kadm5_auth_addprinc_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out); + +/* Optional: authorize a modify-principal operation, and optionally generate + * restrictions. */ +typedef krb5_error_code +(*kadm5_auth_modprinc_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out); + +/* Optional: authorize a set-string operation. */ +typedef krb5_error_code +(*kadm5_auth_setstr_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target, + const char *key, const char *value); + +/* Optional: authorize a change-password operation. */ +typedef krb5_error_code +(*kadm5_auth_cpw_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target); + +/* Optional: authorize a randomize-keys operation. */ +typedef krb5_error_code +(*kadm5_auth_chrand_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a set-key operation. */ +typedef krb5_error_code +(*kadm5_auth_setkey_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a purgekeys operation. */ +typedef krb5_error_code +(*kadm5_auth_purgekeys_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a delete-principal operation. */ +typedef krb5_error_code +(*kadm5_auth_delprinc_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a rename-principal operation. */ +typedef krb5_error_code +(*kadm5_auth_renprinc_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal src, + krb5_const_principal dest); + +/* Optional: authorize a get-principal operation. */ +typedef krb5_error_code +(*kadm5_auth_getprinc_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a get-strings operation. */ +typedef krb5_error_code +(*kadm5_auth_getstrs_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize an extract-keys operation. */ +typedef krb5_error_code +(*kadm5_auth_extract_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, + krb5_const_principal target); + +/* Optional: authorize a list-principals operation. */ +typedef krb5_error_code +(*kadm5_auth_listprincs_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client); + +/* Optional: authorize an add-policy operation. */ +typedef krb5_error_code +(*kadm5_auth_addpol_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask); + +/* Optional: authorize a modify-policy operation. */ +typedef krb5_error_code +(*kadm5_auth_modpol_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask); + +/* Optional: authorize a delete-policy operation. */ +typedef krb5_error_code +(*kadm5_auth_delpol_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy); + +/* Optional: authorize a get-policy operation. client_policy is the client + * principal's policy name, or NULL if it does not have one. */ +typedef krb5_error_code +(*kadm5_auth_getpol_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const char *client_policy); + +/* Optional: authorize a list-policies operation. */ +typedef krb5_error_code +(*kadm5_auth_listpols_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client); + +/* Optional: authorize an iprop operation. */ +typedef krb5_error_code +(*kadm5_auth_iprop_fn)(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client); + +/* + * Optional: receive a notification that the most recent authorized operation + * has ended. If a kadm5_auth module is also a KDB module, it can assume that + * all KDB methods invoked between a kadm5_auth authorization method invocation + * and a kadm5_auth end invocation are performed as part of the authorized + * operation. + * + * The end method may be invoked without a preceding authorization method in + * some cases; the module must be prepared to ignore such calls. + */ +typedef void +(*kadm5_auth_end_fn)(krb5_context context, kadm5_auth_moddata data); + +/* + * Optional: free a restrictions object. This method does not need to be + * defined if the module does not generate restrictions objects, or if it + * returns aliases to restrictions objects contained from within the module + * data. + */ +typedef void +(*kadm5_auth_free_restrictions_fn)(krb5_context context, + kadm5_auth_moddata data, + struct kadm5_auth_restrictions *rs); + +/* kadm5_auth vtable for major version 1. */ +typedef struct kadm5_auth_vtable_st { + const char *name; /* Mandatory: name of module. */ + kadm5_auth_init_fn init; + kadm5_auth_fini_fn fini; + + kadm5_auth_addprinc_fn addprinc; + kadm5_auth_modprinc_fn modprinc; + kadm5_auth_setstr_fn setstr; + kadm5_auth_cpw_fn cpw; + kadm5_auth_chrand_fn chrand; + kadm5_auth_setkey_fn setkey; + kadm5_auth_purgekeys_fn purgekeys; + kadm5_auth_delprinc_fn delprinc; + kadm5_auth_renprinc_fn renprinc; + + kadm5_auth_getprinc_fn getprinc; + kadm5_auth_getstrs_fn getstrs; + kadm5_auth_extract_fn extract; + kadm5_auth_listprincs_fn listprincs; + + kadm5_auth_addpol_fn addpol; + kadm5_auth_modpol_fn modpol; + kadm5_auth_delpol_fn delpol; + kadm5_auth_getpol_fn getpol; + kadm5_auth_listpols_fn listpols; + + kadm5_auth_iprop_fn iprop; + + kadm5_auth_end_fn end; + + kadm5_auth_free_restrictions_fn free_restrictions; + /* Minor version 1 ends here. */ +} *kadm5_auth_vtable; + +#endif /* KRB5_KADM5_AUTH_PLUGIN_H */ diff --git a/src/include/krb5/kdcpolicy_plugin.h b/src/include/krb5/kdcpolicy_plugin.h new file mode 100644 index 0000000..c7592c5 --- /dev/null +++ b/src/include/krb5/kdcpolicy_plugin.h @@ -0,0 +1,128 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */ +/* + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Declarations for kdcpolicy plugin module implementors. + * + * The kdcpolicy pluggable interface currently has only one supported major + * version, which is 1. Major version 1 has a current minor version number of + * 1. + * + * kdcpolicy plugin modules should define a function named + * kdcpolicy__initvt, matching the signature: + * + * krb5_error_code + * kdcpolicy_modname_initvt(krb5_context context, int maj_ver, int min_ver, + * krb5_plugin_vtable vtable); + * + * The initvt function should: + * + * - Check that the supplied maj_ver number is supported by the module, or + * return KRB5_PLUGIN_VER_NOTSUPP if it is not. + * + * - Cast the vtable pointer as appropriate for maj_ver: + * maj_ver == 1: Cast to krb5_kdcpolicy_vtable + * + * - Initialize the methods of the vtable, stopping as appropriate for the + * supplied min_ver. Optional methods may be left uninitialized. + * + * Memory for the vtable is allocated by the caller, not by the module. + */ + +#ifndef KRB5_POLICY_PLUGIN_H +#define KRB5_POLICY_PLUGIN_H + +#include + +/* Abstract module datatype. */ +typedef struct krb5_kdcpolicy_moddata_st *krb5_kdcpolicy_moddata; + +/* A module can optionally include kdb.h to inspect principal entries when + * authorizing requests. */ +struct _krb5_db_entry_new; + +/* + * Optional: Initialize module data. Return 0 on success, + * KRB5_PLUGIN_NO_HANDLE if the module is inoperable (due to configuration, for + * example), and any other error code to abort KDC startup. Optionally set + * *data_out to a module data object to be passed to future calls. + */ +typedef krb5_error_code +(*krb5_kdcpolicy_init_fn)(krb5_context context, + krb5_kdcpolicy_moddata *data_out); + +/* Optional: Clean up module data. */ +typedef krb5_error_code +(*krb5_kdcpolicy_fini_fn)(krb5_context context, + krb5_kdcpolicy_moddata moddata); + +/* + * Optional: return an error code and set status to an appropriate string + * literal to deny an AS request; otherwise return 0. lifetime_out, if set, + * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the + * ticket renewable lifetime. + */ +typedef krb5_error_code +(*krb5_kdcpolicy_check_as_fn)(krb5_context context, + krb5_kdcpolicy_moddata moddata, + const krb5_kdc_req *request, + const struct _krb5_db_entry_new *client, + const struct _krb5_db_entry_new *server, + const char *const *auth_indicators, + const char **status, krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out); + +/* + * Optional: return an error code and set status to an appropriate string + * literal to deny a TGS request; otherwise return 0. lifetime_out, if set, + * restricts the ticket lifetime. renew_lifetime_out, if set, restricts the + * ticket renewable lifetime. + */ +typedef krb5_error_code +(*krb5_kdcpolicy_check_tgs_fn)(krb5_context context, + krb5_kdcpolicy_moddata moddata, + const krb5_kdc_req *request, + const struct _krb5_db_entry_new *server, + const krb5_ticket *ticket, + const char *const *auth_indicators, + const char **status, krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out); + +typedef struct krb5_kdcpolicy_vtable_st { + const char *name; + krb5_kdcpolicy_init_fn init; + krb5_kdcpolicy_fini_fn fini; + krb5_kdcpolicy_check_as_fn check_as; + krb5_kdcpolicy_check_tgs_fn check_tgs; +} *krb5_kdcpolicy_vtable; + +#endif /* KRB5_POLICY_PLUGIN_H */ diff --git a/src/include/krb5/kdcpreauth_plugin.h b/src/include/krb5/kdcpreauth_plugin.h index f455eff..3a47542 100644 --- a/src/include/krb5/kdcpreauth_plugin.h +++ b/src/include/krb5/kdcpreauth_plugin.h @@ -34,7 +34,7 @@ * Declarations for kdcpreauth plugin module implementors. * * The kdcpreauth interface has a single supported major version, which is 1. - * Major version 1 has a current minor version of 3. kdcpreauth modules should + * Major version 1 has a current minor version of 2. kdcpreauth modules should * define a function named kdcpreauth__initvt, matching the * signature: * @@ -221,6 +221,42 @@ typedef struct krb5_kdcpreauth_callbacks_st { /* End of version 3 kdcpreauth callbacks. */ + /* + * Return true if princ matches the principal named in the request or the + * client principal (possibly canonicalized). If princ does not match, + * attempt a database lookup of princ with aliases allowed and compare the + * result to the client principal, returning true if it matches. + * Otherwise, return false. + */ + krb5_boolean (*match_client)(krb5_context context, + krb5_kdcpreauth_rock rock, + krb5_principal princ); + + /* + * Get an alias to the client DB entry principal (possibly canonicalized). + */ + krb5_principal (*client_name)(krb5_context context, + krb5_kdcpreauth_rock rock); + + /* End of version 4 kdcpreauth callbacks. */ + + /* + * Instruct the KDC to send a freshness token in the method data + * accompanying a PREAUTH_REQUIRED or PREAUTH_FAILED error, if the client + * indicated support for freshness tokens. This callback should only be + * invoked from the edata method. + */ + void (*send_freshness_token)(krb5_context context, + krb5_kdcpreauth_rock rock); + + /* Validate a freshness token sent by the client. Return 0 on success, + * KRB5KDC_ERR_PREAUTH_EXPIRED on error. */ + krb5_error_code (*check_freshness_token)(krb5_context context, + krb5_kdcpreauth_rock rock, + const krb5_data *token); + + /* End of version 5 kdcpreauth callbacks. */ + } *krb5_kdcpreauth_callbacks; /* Optional: preauth plugin initialization function. */ diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin index ac22f4c..c40a6cc 100644 --- a/src/include/krb5/krb5.hin +++ b/src/include/krb5/krb5.hin @@ -106,7 +106,7 @@ KRB5INT_BEGIN_DECLS -#if TARGET_OS_MAC +#if defined(TARGET_OS_MAC) && TARGET_OS_MAC # pragma pack(push,2) #endif @@ -181,7 +181,16 @@ typedef krb5_int32 krb5_cryptotype; typedef krb5_int32 krb5_preauthtype; /* This may change, later on */ typedef krb5_int32 krb5_flags; + +/** + * Represents a timestamp in seconds since the POSIX epoch. This legacy type + * is used frequently in the ABI, but cannot represent timestamps after 2038 as + * a positive number. Code which uses this type should cast values of it to + * uint32_t so that negative values are treated as timestamps between 2038 and + * 2106 on platforms with 64-bit time_t. + */ typedef krb5_int32 krb5_timestamp; + typedef krb5_int32 krb5_deltat; /** @@ -1019,8 +1028,12 @@ krb5_c_keyed_checksum_types(krb5_context context, krb5_enctype enctype, #define KRB5_KEYUSAGE_ENC_CHALLENGE_KDC 55 #define KRB5_KEYUSAGE_AS_REQ 56 #define KRB5_KEYUSAGE_CAMMAC 64 +#define KRB5_KEYUSAGE_SPAKE 65 +/* Key usage values 512-1023 are reserved for uses internal to a Kerberos + * implementation. */ #define KRB5_KEYUSAGE_PA_FX_COOKIE 513 /**< Used for encrypted FAST cookies */ +#define KRB5_KEYUSAGE_PA_AS_FRESHNESS 514 /**< Used for freshness tokens */ /** @} */ /* end of KRB5_KEYUSAGE group */ /** @@ -1864,6 +1877,8 @@ krb5_verify_checksum(krb5_context context, krb5_cksumtype ctype, #define KRB5_PADATA_OTP_PIN_CHANGE 144 /**< RFC 6560 section 4.3 */ #define KRB5_PADATA_PKINIT_KX 147 /**< RFC 6112 */ #define KRB5_ENCPADATA_REQ_ENC_PA_REP 149 /**< RFC 6806 */ +#define KRB5_PADATA_AS_FRESHNESS 150 /**< RFC 8070 */ +#define KRB5_PADATA_SPAKE 151 #define KRB5_SAM_USE_SAD_AS_KEY 0x80000000 #define KRB5_SAM_SEND_ENCRYPTED_SAD 0x40000000 @@ -3221,8 +3236,9 @@ krb5_get_credentials_renew(krb5_context context, krb5_flags options, */ krb5_error_code KRB5_CALLCONV krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, - krb5_flags ap_req_options, char *service, char *hostname, - krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf); + krb5_flags ap_req_options, const char *service, + const char *hostname, krb5_data *in_data, krb5_ccache ccache, + krb5_data *outbuf); /** * Create a @c KRB_AP_REQ message using supplied credentials. @@ -3550,7 +3566,7 @@ krb5_parse_name_flags(krb5_context context, const char *name, */ krb5_error_code KRB5_CALLCONV krb5_unparse_name(krb5_context context, krb5_const_principal principal, - register char **name); + char **name); /** * Convert krb5_principal structure to string and length. @@ -4373,7 +4389,7 @@ krb5_kt_add_entry(krb5_context context, krb5_keytab id, krb5_keytab_entry *entry */ krb5_error_code KRB5_CALLCONV_WRONG krb5_principal2salt(krb5_context context, - register krb5_const_principal pr, krb5_data *ret); + krb5_const_principal pr, krb5_data *ret); /* librc.spec--see rcache.h */ /* libcc.spec */ @@ -4714,7 +4730,7 @@ krb5_free_ticket(krb5_context context, krb5_ticket *val); * This function frees the contents of @a val and the structure itself. */ void KRB5_CALLCONV -krb5_free_error(krb5_context context, register krb5_error *val); +krb5_free_error(krb5_context context, krb5_error *val); /** * Free a krb5_creds structure. @@ -4747,7 +4763,7 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val); * This function frees the contents of @a val and the structure itself. */ void KRB5_CALLCONV -krb5_free_checksum(krb5_context context, register krb5_checksum *val); +krb5_free_checksum(krb5_context context, krb5_checksum *val); /** * Free the contents of a krb5_checksum structure. @@ -4758,7 +4774,7 @@ krb5_free_checksum(krb5_context context, register krb5_checksum *val); * This function frees the contents of @a val, but not the structure itself. */ void KRB5_CALLCONV -krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val); +krb5_free_checksum_contents(krb5_context context, krb5_checksum *val); /** * Free a krb5_keyblock structure. @@ -4769,7 +4785,7 @@ krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val); * This function frees the contents of @a val and the structure itself. */ void KRB5_CALLCONV -krb5_free_keyblock(krb5_context context, register krb5_keyblock *val); +krb5_free_keyblock(krb5_context context, krb5_keyblock *val); /** * Free the contents of a krb5_keyblock structure. @@ -4780,7 +4796,7 @@ krb5_free_keyblock(krb5_context context, register krb5_keyblock *val); * This function frees the contents of @a key, but not the structure itself. */ void KRB5_CALLCONV -krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key); +krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key); /** * Free a krb5_ap_rep_enc_part structure. @@ -4896,7 +4912,7 @@ krb5_us_timeofday(krb5_context context, * Kerberos error codes */ krb5_error_code KRB5_CALLCONV -krb5_timeofday(krb5_context context, register krb5_timestamp *timeret); +krb5_timeofday(krb5_context context, krb5_timestamp *timeret); /** * Check if a timestamp is within the allowed clock skew of the current time. @@ -5615,8 +5631,9 @@ krb5_rd_cred(krb5_context context, krb5_auth_context auth_context, */ krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, - char *rhost, krb5_principal client, krb5_principal server, - krb5_ccache cc, int forwardable, krb5_data *outbuf); + const char *rhost, krb5_principal client, + krb5_principal server, krb5_ccache cc, int forwardable, + krb5_data *outbuf); /** * Create and initialize an authentication context. @@ -6000,15 +6017,19 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getremoteseqnumber(krb5_context context, krb5_auth_context auth_context, krb5_int32 *seqnumber); -#if KRB5_DEPRECATED -/** @deprecated Not replaced. +/** + * Cause an auth context to use cipher state. * - * RFC 4120 doesn't have anything like the initvector concept; - * only really old protocols may need this API. + * @param [in] context Library context + * @param [in] auth_context Authentication context + * + * Prepare @a auth_context to use cipher state when krb5_mk_priv() or + * krb5_rd_priv() encrypt or decrypt data. + * + * @retval 0 Success; otherwise - Kerberos error codes */ -KRB5_ATTR_DEPRECATED krb5_error_code KRB5_CALLCONV +krb5_error_code KRB5_CALLCONV krb5_auth_con_initivector(krb5_context context, krb5_auth_context auth_context); -#endif /** * Set the replay cache in an auth context. @@ -7296,6 +7317,42 @@ krb5_get_init_creds_password(krb5_context context, krb5_creds *creds, const char *in_tkt_service, krb5_get_init_creds_opt *k5_gic_options); +/** + * Retrieve enctype, salt and s2kparams from KDC + * + * @param [in] context Library context + * @param [in] principal Principal whose information is requested + * @param [in] opt Initial credential options + * @param [out] enctype_out The enctype chosen by KDC + * @param [out] salt_out Salt returned from KDC + * @param [out] s2kparams_out String-to-key parameters returned from KDC + * + * Send an initial ticket request for @a principal and extract the encryption + * type, salt type, and string-to-key parameters from the KDC response. If the + * KDC provides no etype-info, set @a enctype_out to @c ENCTYPE_NULL and set @a + * salt_out and @a s2kparams_out to empty. If the KDC etype-info provides no + * salt, compute the default salt and place it in @a salt_out. If the KDC + * etype-info provides no string-to-key parameters, set @a s2kparams_out to + * empty. + * + * @a opt may be used to specify options which affect the initial request, such + * as request encryption types or a FAST armor cache (see + * krb5_get_init_creds_opt_set_etype_list() and + * krb5_get_init_creds_opt_set_fast_ccache_name()). + * + * Use krb5_free_data_contents() to free @a salt_out and @a s2kparams_out when + * they are no longer needed. + * + * @version New in 1.17 + * + * @retval 0 Success + * @return A Kerberos error code + */ +krb5_error_code KRB5_CALLCONV +krb5_get_etype_info(krb5_context context, krb5_principal principal, + krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, + krb5_data *salt_out, krb5_data *s2kparams_out); + struct _krb5_init_creds_context; typedef struct _krb5_init_creds_context *krb5_init_creds_context; @@ -7306,6 +7363,9 @@ typedef struct _krb5_init_creds_context *krb5_init_creds_context; * * @param [in] context Library context * @param [in] ctx Initial credentials context + * + * @a context must be the same as the one passed to krb5_init_creds_init() for + * this initial credentials context. */ void KRB5_CALLCONV krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); @@ -7320,6 +7380,9 @@ krb5_init_creds_free(krb5_context context, krb5_init_creds_context ctx); * krb5_init_creds_init(). On successful return, the credentials can be * retrieved with krb5_init_creds_get_creds(). * + * @a context must be the same as the one passed to krb5_init_creds_init() for + * this initial credentials context. + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -7370,6 +7433,10 @@ krb5_init_creds_get_error(krb5_context context, krb5_init_creds_context ctx, * This function creates a new context for acquiring initial credentials. Use * krb5_init_creds_free() to free @a ctx when it is no longer needed. * + * Any subsequent calls to krb5_init_creds_step(), krb5_init_creds_get(), or + * krb5_init_creds_free() for this initial credentials context must use the + * same @a context argument as the one passed to this function. + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -7419,6 +7486,9 @@ krb5_init_creds_set_keytab(krb5_context context, krb5_init_creds_context ctx, * transmit the next request using TCP rather than UDP. If this function * returns any other error, the initial credential exchange has failed. * + * @a context must be the same as the one passed to krb5_init_creds_init() for + * this initial credentials context. + * * @retval 0 Success; otherwise - Kerberos error codes */ krb5_error_code KRB5_CALLCONV @@ -8229,9 +8299,9 @@ krb5_pac_parse(krb5_context context, const void *ptr, size_t len, * If successful, @a pac is marked as verified. * * @note A checksum mismatch can occur if the PAC was copied from a cross-realm - * TGT by an ignorant KDC; also Apple Mac OS X Server Open Directory (as of - * 10.6) generates PACs with no server checksum at all. One should consider - * not failing the whole authentication because of this reason, but, instead, + * TGT by an ignorant KDC; also macOS Server Open Directory (as of 10.6) + * generates PACs with no server checksum at all. One should consider not + * failing the whole authentication because of this reason, but, instead, * treating the ticket as if it did not contain a PAC or marking the PAC * information as non-verified. * @@ -8243,6 +8313,30 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac, const krb5_keyblock *server, const krb5_keyblock *privsvr); /** + * Verify a PAC, possibly from a specified realm. + * + * @param [in] context Library context + * @param [in] pac PAC handle + * @param [in] authtime Expected timestamp + * @param [in] principal Expected principal name (or NULL) + * @param [in] server Key to validate server checksum (or NULL) + * @param [in] privsvr Key to validate KDC checksum (or NULL) + * @param [in] with_realm If true, expect the realm of @a principal + * + * This function is similar to krb5_pac_verify(), but adds a parameter + * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field is + * expected to include the realm of @a principal as well as the name. This + * flag is necessary to verify PACs in cross-realm S4U2Self referral TGTs. + * + * @version New in 1.17 + */ +krb5_error_code KRB5_CALLCONV +krb5_pac_verify_ext(krb5_context context, const krb5_pac pac, + krb5_timestamp authtime, krb5_const_principal principal, + const krb5_keyblock *server, const krb5_keyblock *privsvr, + krb5_boolean with_realm); + +/** * Sign a PAC. * * @param [in] context Library context @@ -8266,6 +8360,32 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, const krb5_keyblock *privsvr_key, krb5_data *data); /** + * Sign a PAC, possibly with a specified realm. + * + * @param [in] context Library context + * @param [in] pac PAC handle + * @param [in] authtime Expected timestamp + * @param [in] principal Principal name (or NULL) + * @param [in] server_key Key for server checksum + * @param [in] privsvr_key Key for KDC checksum + * @param [in] with_realm If true, include the realm of @a principal + * @param [out] data Signed PAC encoding + * + * This function is similar to krb5_pac_sign(), but adds a parameter + * @a with_realm. If @a with_realm is true, the PAC_CLIENT_INFO field of the + * signed PAC will include the realm of @a principal as well as the name. This + * flag is necessary to generate PACs for cross-realm S4U2Self referrals. + * + * @version New in 1.17 + */ +krb5_error_code KRB5_CALLCONV +krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, + krb5_const_principal principal, + const krb5_keyblock *server_key, + const krb5_keyblock *privsvr_key, krb5_boolean with_realm, + krb5_data *data); + +/** * Allow the appplication to override the profile's allow_weak_crypto setting. * * @param [in] context Library context @@ -8452,8 +8572,7 @@ void KRB5_CALLCONV krb5_set_kdc_recv_hook(krb5_context context, krb5_post_recv_fn recv_hook, void *data); - -#if TARGET_OS_MAC +#if defined(TARGET_OS_MAC) && TARGET_OS_MAC # pragma pack(pop) #endif diff --git a/src/include/net-server.h b/src/include/net-server.h index 37721e7..e5edcc4 100644 --- a/src/include/net-server.h +++ b/src/include/net-server.h @@ -86,7 +86,7 @@ void loop_free(verto_ctx *ctx); */ typedef void (*loop_respond_fn)(void *arg, krb5_error_code code, krb5_data *response); -void dispatch(void *handle, struct sockaddr *local_addr, +void dispatch(void *handle, const krb5_fulladdr *local_addr, const krb5_fulladdr *remote_addr, krb5_data *request, int is_tcp, verto_ctx *vctx, loop_respond_fn respond, void *arg); krb5_error_code make_toolong_error (void *handle, krb5_data **); diff --git a/src/include/osconf.hin b/src/include/osconf.hin index 98a4674..c24717b 100644 --- a/src/include/osconf.hin +++ b/src/include/osconf.hin @@ -55,8 +55,19 @@ #endif #endif /* _WINDOWS */ +#ifdef _WIN32 +#define DEFAULT_PLUGIN_BASE_DIR "%{LIBDIR}\\plugins" +#else #define DEFAULT_PLUGIN_BASE_DIR "@LIBDIR/krb5/plugins" +#endif + +#if defined(_WIN64) +#define PLUGIN_EXT "64.dll" +#elif defined(_WIN32) +#define PLUGIN_EXT "32.dll" +#else #define PLUGIN_EXT "@DYNOBJEXT" +#endif #define KDC_DIR "@LOCALSTATEDIR/krb5kdc" #define KDC_RUN_DIR "@RUNSTATEDIR/krb5kdc" @@ -111,10 +122,10 @@ #define KRB5_ENV_CCNAME "KRB5CCNAME" /* - * krb5 slave support follows + * krb5 replica support follows */ -#define KPROP_DEFAULT_FILE KDC_DIR "/slave_datatrans" +#define KPROP_DEFAULT_FILE KDC_DIR "/replica_datatrans" #define KPROPD_DEFAULT_FILE KDC_DIR "/from_master" #define KPROPD_DEFAULT_KDB5_UTIL "@SBINDIR/kdb5_util" #define KPROPD_DEFAULT_KPROP "@SBINDIR/kprop" diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h index b3ab9c9..57e5d1d 100644 --- a/src/include/port-sockets.h +++ b/src/include/port-sockets.h @@ -40,8 +40,9 @@ typedef WSABUF sg_buf; */ /* WSASend returns 0 or SOCKET_ERROR. */ #define SOCKET_WRITEV_TEMP DWORD -#define SOCKET_WRITEV(FD, SG, LEN, TMP) \ - (WSASend((FD), (SG), (LEN), &(TMP), 0, 0, 0) ? -1 : (TMP)) +#define SOCKET_WRITEV(FD, SG, LEN, TMP) \ + (WSASend((FD), (SG), (LEN), &(TMP), 0, 0, 0) ? \ + (ssize_t)-1 : (ssize_t)(TMP)) #define SHUTDOWN_READ SD_RECEIVE #define SHUTDOWN_WRITE SD_SEND @@ -158,6 +159,7 @@ typedef int socklen_t; #include /* For struct sockaddr_in and in_addr */ #include /* For inet_ntoa */ #include +#include /* For memset */ #ifndef HAVE_NETDB_H_H_ERRNO extern int h_errno; /* In case it's missing, e.g., HP-UX 10.20. */ @@ -218,15 +220,51 @@ typedef struct iovec sg_buf; #define SOCKET_NFDS(f) ((f)+1) /* select() arg for a single fd */ #define SOCKET_READ read #define SOCKET_WRITE write -#define SOCKET_CONNECT connect +static inline int +socket_connect(int fd, const struct sockaddr *addr, socklen_t addrlen) +{ + int st; +#ifdef SO_NOSIGPIPE + int set = 1; +#endif + + st = connect(fd, addr, addrlen); + if (st == -1) + return st; + +#ifdef SO_NOSIGPIPE + st = setsockopt(fd, SOL_SOCKET, SO_NOSIGPIPE, &set, sizeof(set)); + if (st != 0) + st = -1; +#endif + + return st; +} +#define SOCKET_CONNECT socket_connect #define SOCKET_GETSOCKNAME getsockname #define SOCKET_CLOSE close #define SOCKET_EINTR EINTR #define SOCKET_WRITEV_TEMP int +static inline ssize_t +socket_sendmsg(SOCKET fd, sg_buf *iov, int iovcnt) +{ + struct msghdr msg; + int flags = 0; + +#ifdef MSG_NOSIGNAL + flags |= MSG_NOSIGNAL; +#endif + + memset(&msg, 0, sizeof(msg)); + msg.msg_iov = iov; + msg.msg_iovlen = iovcnt; + + return sendmsg(fd, &msg, flags); +} /* Use TMP to avoid compiler warnings and keep things consistent with * Windows version. */ -#define SOCKET_WRITEV(FD, SG, LEN, TMP) \ - ((TMP) = writev((FD), (SG), (LEN)), (TMP)) +#define SOCKET_WRITEV(FD, SG, LEN, TMP) \ + ((TMP) = socket_sendmsg((FD), (SG), (LEN)), (TMP)) #define SHUTDOWN_READ 0 #define SHUTDOWN_WRITE 1 diff --git a/src/include/socket-utils.h b/src/include/socket-utils.h index 1566636..e1f33aa 100644 --- a/src/include/socket-utils.h +++ b/src/include/socket-utils.h @@ -119,6 +119,17 @@ sa_is_inet(struct sockaddr *sa) return sa->sa_family == AF_INET || sa->sa_family == AF_INET6; } +/* Return true if sa is an IPv4 or IPv6 wildcard address. */ +static inline int +sa_is_wildcard(struct sockaddr *sa) +{ + if (sa->sa_family == AF_INET6) + return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr); + else if (sa->sa_family == AF_INET) + return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY; + return 0; +} + /* Return the length of an IPv4 or IPv6 socket structure; abort if it is * neither. */ static inline socklen_t diff --git a/src/include/win-mac.h b/src/include/win-mac.h index 1994388..c3744ed 100644 --- a/src/include/win-mac.h +++ b/src/include/win-mac.h @@ -225,9 +225,7 @@ typedef _W64 int ssize_t; HINSTANCE get_lib_instance(void); -#define GETSOCKNAME_ARG2_TYPE struct sockaddr #define GETSOCKNAME_ARG3_TYPE size_t -#define GETPEERNAME_ARG2_TYPE GETSOCKNAME_ARG2_TYPE #define GETPEERNAME_ARG3_TYPE GETSOCKNAME_ARG3_TYPE #endif /* !RES_ONLY */ diff --git a/src/kadmin/cli/deps b/src/kadmin/cli/deps index a9c997b..a5873fc 100644 --- a/src/kadmin/cli/deps +++ b/src/kadmin/cli/deps @@ -5,14 +5,21 @@ $(OUTPRE)kadmin.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h kadmin.c kadmin.h + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kadmin.c kadmin.h $(OUTPRE)kadmin_ct.$(OBJEXT): $(COM_ERR_DEPS) $(SS_DEPS) \ kadmin_ct.c $(OUTPRE)ss_wrapper.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ diff --git a/src/kadmin/cli/getdate.y b/src/kadmin/cli/getdate.y index 4f0c56f..4f0fac2 100644 --- a/src/kadmin/cli/getdate.y +++ b/src/kadmin/cli/getdate.y @@ -6,7 +6,7 @@ ** and Jim Berets in August, 1990; ** send any email to Rich. ** -** This grammar has nine shift/reduce conflicts. +** This grammar has four shift/reduce conflicts. ** ** This code is in the public domain and has no copyright. */ @@ -118,7 +118,7 @@ static int getdate_yyerror (char *); #define EPOCH 1970 -#define EPOCH_END 2038 /* assumes 32 bits */ +#define EPOCH_END 2106 /* assumes unsigned 32-bit range */ #define HOUR(x) ((time_t)(x) * 60) #define SECSPERDAY (24L * 60L * 60L) @@ -176,6 +176,10 @@ static time_t yyRelSeconds; %} +/* This would mute the shift/reduce warnings as per header comment; however, + * it relies on bison extensions. */ +/* %expect 4 */ + %union { time_t Number; enum _MERIDIAN Meridian; @@ -686,9 +690,9 @@ RelativeMonth(time_t Start, time_t RelMonth) static int LookupWord(char *buff) { - register char *p; - register char *q; - register const TABLE *tp; + char *p; + char *q; + const TABLE *tp; int i; int abbrev; @@ -783,8 +787,8 @@ LookupWord(char *buff) static int yylex() { - register char c; - register char *p; + char c; + char *p; char buff[20]; int Count; int sign; diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c index c53c677..ed581ee 100644 --- a/src/kadmin/cli/kadmin.c +++ b/src/kadmin/cli/kadmin.c @@ -31,8 +31,7 @@ * library */ /* for "_" macro */ -#include "k5-platform.h" -#include +#include "k5-int.h" #include #include #include @@ -139,15 +138,17 @@ strdur(time_t duration) return out; } -static char * +static const char * strdate(krb5_timestamp when) { struct tm *tm; static char out[40]; + time_t lcltim = ts2tt(when); - time_t lcltim = when; tm = localtime(&lcltim); - strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm); + if (tm == NULL || + strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm) == 0) + strlcpy(out, "(error)", sizeof(out)); return out; } @@ -973,7 +974,7 @@ unlock_princ(kadm5_principal_ent_t princ, long *mask, const char *caller) princ->fail_auth_count = 0; *mask |= KADM5_FAIL_AUTH_COUNT; - /* Record the timestamp of this unlock operation so that slave KDCs will + /* Record the timestamp of this unlock operation so that replica KDCs will * see it, since fail_auth_count is unreplicated. */ retval = krb5_timeofday(context, &now); if (retval) { diff --git a/src/kadmin/cli/strftime.c b/src/kadmin/cli/strftime.c deleted file mode 100644 index 382a209..0000000 --- a/src/kadmin/cli/strftime.c +++ /dev/null @@ -1,465 +0,0 @@ -/* -*- mode: c; c-file-style: "bsd"; indent-tabs-mode: t -*- */ -/* $NetBSD: strftime.c,v 1.8 1999/02/07 17:33:30 augustss Exp $ */ - -/* - * Copyright (c) 1989 The Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -#if 0 -static char *sccsid = "@(#)strftime.c 5.11 (Berkeley) 2/24/91"; -#else -__RCSID("$NetBSD: strftime.c,v 1.8 1999/02/07 17:33:30 augustss Exp $"); -#endif -#endif /* LIBC_SCCS and not lint */ - -#include -#include - -/* begin krb5 hack - replace stuff that would come from netbsd libc */ -#undef _CurrentTimeLocale -#define _CurrentTimeLocale (&dummy_locale_info) - -struct dummy_locale_info_t { - char d_t_fmt[15]; - char t_fmt_ampm[12]; - char t_fmt[9]; - char d_fmt[9]; - char day[7][10]; - char abday[7][4]; - char mon[12][10]; - char abmon[12][4]; - char am_pm[2][3]; -}; -static const struct dummy_locale_info_t dummy_locale_info = { - "%a %b %d %X %Y", /* %c */ - "%I:%M:%S %p", /* %r */ - "%H:%M:%S", /* %X */ - "%m/%d/%y", /* %x */ - { "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", - "Saturday" }, - { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" }, - { "January", "February", "March", "April", "May", "June", - "July", "August", "September", "October", "November", "December" }, - { "Jan", "Feb", "Mar", "Apr", "May", "Jun", - "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" }, - { "AM", "PM" }, -}; -#undef TM_YEAR_BASE -#define TM_YEAR_BASE 1900 - -#undef DAYSPERLYEAR -#define DAYSPERLYEAR 366 -#undef DAYSPERNYEAR -#define DAYSPERNYEAR 365 -#undef DAYSPERWEEK -#define DAYSPERWEEK 7 -#undef isleap -#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0)) -#undef tzname -#define tzname my_tzname -static const char *const tzname[2] = { 0, 0 }; -#undef tzset -#define tzset() -#undef __P -#define __P(X) X /* we already require ansi c in this tree */ -/* end krb5 hack */ - -static int _add __P((const char *, char **, const char *)); -static int _conv __P((int, int, int, char **, const char *)); -static int _secs __P((const struct tm *, char **, const char *)); -static size_t _fmt __P((const char *, const struct tm *, char **, - const char *)); - -size_t -strftime(s, maxsize, format, t) - char *s; - size_t maxsize; - const char *format; - const struct tm *t; -{ - char *pt; - - tzset(); - if (maxsize < 1) - return (0); - - pt = s; - if (_fmt(format, t, &pt, s + maxsize)) { - *pt = '\0'; - return (pt - s); - } else - return (0); -} - -#define SUN_WEEK(t) (((t)->tm_yday + 7 - \ - ((t)->tm_wday)) / 7) -#define MON_WEEK(t) (((t)->tm_yday + 7 - \ - ((t)->tm_wday ? (t)->tm_wday - 1 : 6)) / 7) - -static size_t -_fmt(format, t, pt, ptlim) - const char *format; - const struct tm *t; - char **pt; - const char * const ptlim; -{ - for (; *format; ++format) { - if (*format == '%') { - ++format; - if (*format == 'E') { - /* Alternate Era */ - ++format; - } else if (*format == 'O') { - /* Alternate numeric symbols */ - ++format; - } - switch (*format) { - case '\0': - --format; - break; - case 'A': - if (t->tm_wday < 0 || t->tm_wday > 6) - return (0); - if (!_add(_CurrentTimeLocale->day[t->tm_wday], - pt, ptlim)) - return (0); - continue; - - case 'a': - if (t->tm_wday < 0 || t->tm_wday > 6) - return (0); - if (!_add(_CurrentTimeLocale->abday[t->tm_wday], - pt, ptlim)) - return (0); - continue; - case 'B': - if (t->tm_mon < 0 || t->tm_mon > 11) - return (0); - if (!_add(_CurrentTimeLocale->mon[t->tm_mon], - pt, ptlim)) - return (0); - continue; - case 'b': - case 'h': - if (t->tm_mon < 0 || t->tm_mon > 11) - return (0); - if (!_add(_CurrentTimeLocale->abmon[t->tm_mon], - pt, ptlim)) - return (0); - continue; - case 'C': - if (!_conv((t->tm_year + TM_YEAR_BASE) / 100, - 2, '0', pt, ptlim)) - return (0); - continue; - case 'c': - if (!_fmt(_CurrentTimeLocale->d_t_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'D': - if (!_fmt("%m/%d/%y", t, pt, ptlim)) - return (0); - continue; - case 'd': - if (!_conv(t->tm_mday, 2, '0', pt, ptlim)) - return (0); - continue; - case 'e': - if (!_conv(t->tm_mday, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'H': - if (!_conv(t->tm_hour, 2, '0', pt, ptlim)) - return (0); - continue; - case 'I': - if (!_conv(t->tm_hour % 12 ? - t->tm_hour % 12 : 12, 2, '0', pt, ptlim)) - return (0); - continue; - case 'j': - if (!_conv(t->tm_yday + 1, 3, '0', pt, ptlim)) - return (0); - continue; - case 'k': - if (!_conv(t->tm_hour, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'l': - if (!_conv(t->tm_hour % 12 ? - t->tm_hour % 12: 12, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'M': - if (!_conv(t->tm_min, 2, '0', pt, ptlim)) - return (0); - continue; - case 'm': - if (!_conv(t->tm_mon + 1, 2, '0', pt, ptlim)) - return (0); - continue; - case 'n': - if (!_add("\n", pt, ptlim)) - return (0); - continue; - case 'p': - if (!_add(_CurrentTimeLocale->am_pm[t->tm_hour - >= 12], pt, ptlim)) - return (0); - continue; - case 'R': - if (!_fmt("%H:%M", t, pt, ptlim)) - return (0); - continue; - case 'r': - if (!_fmt(_CurrentTimeLocale->t_fmt_ampm, t, pt, - ptlim)) - return (0); - continue; - case 'S': - if (!_conv(t->tm_sec, 2, '0', pt, ptlim)) - return (0); - continue; - case 's': - if (!_secs(t, pt, ptlim)) - return (0); - continue; - case 'T': - if (!_fmt("%H:%M:%S", t, pt, ptlim)) - return (0); - continue; - case 't': - if (!_add("\t", pt, ptlim)) - return (0); - continue; - case 'U': - if (!_conv(SUN_WEEK(t), 2, '0', pt, ptlim)) - return (0); - continue; - case 'u': - if (!_conv(t->tm_wday ? t->tm_wday : 7, 1, '0', - pt, ptlim)) - return (0); - continue; - case 'V': /* ISO 8601 week number */ - case 'G': /* ISO 8601 year (four digits) */ - case 'g': /* ISO 8601 year (two digits) */ -/* -** From Arnold Robbins' strftime version 3.0: "the week number of the -** year (the first Monday as the first day of week 1) as a decimal number -** (01-53)." -** (ado, 1993-05-24) -** -** From "http://www.ft.uni-erlangen.de/~mskuhn/iso-time.html" by Markus Kuhn: -** "Week 01 of a year is per definition the first week which has the -** Thursday in this year, which is equivalent to the week which contains -** the fourth day of January. In other words, the first week of a new year -** is the week which has the majority of its days in the new year. Week 01 -** might also contain days from the previous year and the week before week -** 01 of a year is the last week (52 or 53) of the previous year even if -** it contains days from the new year. A week starts with Monday (day 1) -** and ends with Sunday (day 7). For example, the first week of the year -** 1997 lasts from 1996-12-30 to 1997-01-05..." -** (ado, 1996-01-02) -*/ - { - int year; - int yday; - int wday; - int w; - - year = t->tm_year + TM_YEAR_BASE; - yday = t->tm_yday; - wday = t->tm_wday; - for ( ; ; ) { - int len; - int bot; - int top; - - len = isleap(year) ? - DAYSPERLYEAR : - DAYSPERNYEAR; - /* - ** What yday (-3 ... 3) does - ** the ISO year begin on? - */ - bot = ((yday + 11 - wday) % - DAYSPERWEEK) - 3; - /* - ** What yday does the NEXT - ** ISO year begin on? - */ - top = bot - - (len % DAYSPERWEEK); - if (top < -3) - top += DAYSPERWEEK; - top += len; - if (yday >= top) { - ++year; - w = 1; - break; - } - if (yday >= bot) { - w = 1 + ((yday - bot) / - DAYSPERWEEK); - break; - } - --year; - yday += isleap(year) ? - DAYSPERLYEAR : - DAYSPERNYEAR; - } -#ifdef XPG4_1994_04_09 - if ((w == 52 - && t->tm_mon == TM_JANUARY) - || (w == 1 - && t->tm_mon == TM_DECEMBER)) - w = 53; -#endif /* defined XPG4_1994_04_09 */ - if (*format == 'V') { - if (!_conv(w, 2, '0', - pt, ptlim)) - return (0); - } else if (*format == 'g') { - if (!_conv(year % 100, 2, '0', - pt, ptlim)) - return (0); - } else if (!_conv(year, 4, '0', - pt, ptlim)) - return (0); - } - continue; - case 'W': - if (!_conv(MON_WEEK(t), 2, '0', pt, ptlim)) - return (0); - continue; - case 'w': - if (!_conv(t->tm_wday, 1, '0', pt, ptlim)) - return (0); - continue; - case 'x': - if (!_fmt(_CurrentTimeLocale->d_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'X': - if (!_fmt(_CurrentTimeLocale->t_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'y': - if (!_conv((t->tm_year + TM_YEAR_BASE) % 100, - 2, '0', pt, ptlim)) - return (0); - continue; - case 'Y': - if (!_conv((t->tm_year + TM_YEAR_BASE), 4, '0', - pt, ptlim)) - return (0); - continue; - case 'Z': - if (tzname[t->tm_isdst ? 1 : 0] && - !_add(tzname[t->tm_isdst ? 1 : 0], pt, - ptlim)) - return (0); - continue; - case '%': - /* - * X311J/88-090 (4.12.3.5): if conversion char is - * undefined, behavior is undefined. Print out the - * character itself as printf(3) does. - */ - default: - break; - } - } - if (*pt == ptlim) - return (0); - *(*pt)++ = *format; - } - return (ptlim - *pt); -} - -static int -_secs(t, pt, ptlim) - const struct tm *t; - char **pt; - const char * const ptlim; -{ - char buf[15]; - time_t s; - char *p; - struct tm tmp; - - buf[sizeof (buf) - 1] = '\0'; - /* Make a copy, mktime(3) modifies the tm struct. */ - tmp = *t; - s = mktime(&tmp); - for (p = buf + sizeof(buf) - 2; s > 0 && p > buf; s /= 10) - *p-- = (char)(s % 10 + '0'); - return (_add(++p, pt, ptlim)); -} - -static int -_conv(n, digits, pad, pt, ptlim) - int n, digits; - int pad; - char **pt; - const char * const ptlim; -{ - char buf[10]; - char *p; - - buf[sizeof (buf) - 1] = '\0'; - for (p = buf + sizeof(buf) - 2; n > 0 && p > buf; n /= 10, --digits) - *p-- = n % 10 + '0'; - while (p > buf && digits-- > 0) - *p-- = pad; - return (_add(++p, pt, ptlim)); -} - -static int -_add(str, pt, ptlim) - const char *str; - char **pt; - const char * const ptlim; -{ - - for (;; ++(*pt)) { - if (*pt == ptlim) - return (0); - if ((**pt = *str++) == '\0') - return (1); - } -} diff --git a/src/kadmin/dbutil/deps b/src/kadmin/dbutil/deps index 4dcc336..8b0965a 100644 --- a/src/kadmin/dbutil/deps +++ b/src/kadmin/dbutil/deps @@ -185,14 +185,14 @@ $(OUTPRE)tabdump.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_log.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kdb5_util.h tabdump.c \ - tdumputil.h + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kdb5_util.h tabdump.c tdumputil.h $(OUTPRE)tdumputil.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c index f7889bd..c9574c6 100644 --- a/src/kadmin/dbutil/dump.c +++ b/src/kadmin/dbutil/dump.c @@ -181,34 +181,44 @@ finish_ofile(char *ofile, char **tmpname) } /* Create the .dump_ok file. */ -static int -prep_ok_file(krb5_context context, char *file_name, int *fd) +static krb5_boolean +prep_ok_file(krb5_context context, char *file_name, int *fd_out) { static char ok[] = ".dump_ok"; krb5_error_code retval; - char *file_ok; + char *file_ok = NULL; + int fd = -1; + krb5_boolean success = FALSE; + + *fd_out = -1; if (asprintf(&file_ok, "%s%s", file_name, ok) < 0) { com_err(progname, ENOMEM, _("while allocating dump_ok filename")); - exit_status++; - return 0; + goto cleanup; } - *fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (*fd == -1) { + fd = open(file_ok, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) { com_err(progname, errno, _("while creating 'ok' file, '%s'"), file_ok); - exit_status++; - free(file_ok); - return 0; + goto cleanup; } - retval = krb5_lock_file(context, *fd, KRB5_LOCKMODE_EXCLUSIVE); + retval = krb5_lock_file(context, fd, KRB5_LOCKMODE_EXCLUSIVE); if (retval) { com_err(progname, retval, _("while locking 'ok' file, '%s'"), file_ok); - free(file_ok); - return 0; + goto cleanup; } + + *fd_out = fd; + fd = -1; + success = TRUE; + +cleanup: free(file_ok); - return 1; + if (fd != -1) + close(fd); + if (!success) + exit_status++; + return success; } /* @@ -370,11 +380,12 @@ k5beta7_common(krb5_context context, krb5_db_entry *entry, fprintf(fp, "princ\t%d\t%lu\t%d\t%d\t%d\t%s\t", (int)entry->len, (unsigned long)strlen(name), counter, (int)entry->n_key_data, (int)entry->e_length, name); - fprintf(fp, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d", entry->attributes, - entry->max_life, entry->max_renewable_life, entry->expiration, - entry->pw_expiration, - omit_nra ? 0 : entry->last_success, - omit_nra ? 0 : entry->last_failed, + fprintf(fp, "%d\t%d\t%d\t%u\t%u\t%u\t%u\t%d", entry->attributes, + entry->max_life, entry->max_renewable_life, + (unsigned int)entry->expiration, + (unsigned int)entry->pw_expiration, + (unsigned int)(omit_nra ? 0 : entry->last_success), + (unsigned int)(omit_nra ? 0 : entry->last_failed), omit_nra ? 0 : entry->fail_auth_count); /* Write out tagged data. */ @@ -688,6 +699,10 @@ process_tl_data(const char *fname, FILE *filep, int lineno, _("cannot read tagged data type and length")); return EINVAL; } + if (i1 < INT16_MIN || i1 > INT16_MAX || u1 > UINT16_MAX) { + load_err(fname, lineno, _("data type or length overflowed")); + return EINVAL; + } tl->tl_data_type = i1; tl->tl_data_length = u1; if (read_octets_or_minus1(filep, tl->tl_data_length, @@ -708,7 +723,7 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, { int retval, nread, i, j; krb5_db_entry *dbentry; - int t1, t2, t3, t4, t5, t6, t7; + int t1, t2, t3, t4; unsigned int u1, u2, u3, u4, u5; char *name = NULL; krb5_key_data *kp = NULL, *kd; @@ -735,6 +750,10 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, goto fail; /* Get memory for and form tagged data linked list */ + if (u3 > UINT16_MAX) { + load_err(fname, *linenop, _("cannot allocate tl_data (too large)")); + goto fail; + } if (alloc_tl_data(u3, &dbentry->tl_data)) goto fail; dbentry->n_tl_data = u3; @@ -764,8 +783,8 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, } /* Get the fixed principal attributes */ - nread = fscanf(filep, "%d\t%d\t%d\t%d\t%d\t%d\t%d\t%d\t", - &t1, &t2, &t3, &t4, &t5, &t6, &t7, &u1); + nread = fscanf(filep, "%d\t%d\t%d\t%u\t%u\t%d\t%d\t%d\t", + &t1, &t2, &t3, &u1, &u2, &u3, &u4, &u5); if (nread != 8) { load_err(fname, *linenop, _("cannot read principal attributes")); goto fail; @@ -773,11 +792,11 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, dbentry->attributes = t1; dbentry->max_life = t2; dbentry->max_renewable_life = t3; - dbentry->expiration = t4; - dbentry->pw_expiration = t5; - dbentry->last_success = t6; - dbentry->last_failed = t7; - dbentry->fail_auth_count = u1; + dbentry->expiration = u1; + dbentry->pw_expiration = u2; + dbentry->last_success = u3; + dbentry->last_failed = u4; + dbentry->fail_auth_count = u5; dbentry->mask = KADM5_LOAD | KADM5_PRINCIPAL | KADM5_ATTRIBUTES | KADM5_MAX_LIFE | KADM5_MAX_RLIFE | KADM5_PRINC_EXPIRE_TIME | KADM5_LAST_SUCCESS | @@ -823,13 +842,17 @@ process_k5beta7_princ(krb5_context context, const char *fname, FILE *filep, load_err(fname, *linenop, _("cannot read key size and version")); goto fail; } + if (t1 > KRB5_KDB_V1_KEY_DATA_ARRAY) { + load_err(fname, *linenop, _("unsupported key_data_ver version")); + goto fail; + } kd->key_data_ver = t1; kd->key_data_kvno = t2; for (j = 0; j < t1; j++) { nread = fscanf(filep, "%d\t%d\t", &t3, &t4); - if (nread != 2) { + if (nread != 2 || t4 < 0) { load_err(fname, *linenop, _("cannot read key type and length")); goto fail; @@ -1214,16 +1237,17 @@ current_dump_sno_in_ulog(krb5_context context, const char *ifile) update_status_t status; dump_version *junk; kdb_last_t last; - char buf[BUFSIZ]; + char buf[BUFSIZ], *r; FILE *f; f = fopen(ifile, "r"); if (f == NULL) return 0; /* aliasing other errors to ENOENT here is OK */ - if (fgets(buf, sizeof(buf), f) == NULL) - return errno ? -1 : 0; + r = fgets(buf, sizeof(buf), f); fclose(f); + if (r == NULL) + return errno ? -1 : 0; if (!parse_iprop_header(buf, &junk, &last)) return 0; @@ -1282,7 +1306,7 @@ dump_db(int argc, char **argv) /* * dump_sno is used to indicate if the serial number should be * populated in the output file to be used later by iprop for - * updating the slave's update log when loading. + * updating the replica's update log when loading. */ dump_sno = TRUE; /* FLAG_OMIT_NRA is set to indicate that non-replicated @@ -1440,7 +1464,8 @@ dump_db(int argc, char **argv) goto error; } - if (dump->dump_policy != NULL) { + /* Don't dump policies if specific principal entries were requested. */ + if (dump->dump_policy != NULL && args.nnames == 0) { ret = krb5_db_iter_policy(util_context, "*", dump->dump_policy, &args); if (ret) { com_err(progname, ret, _("performing %s dump"), dump->name); @@ -1481,7 +1506,7 @@ restore_dump(krb5_context context, char *dumpfile, FILE *f, } /* - * Usage: load_db [-ov] [-b7] [-r13] [-verbose] [-update] [-hash] + * Usage: load_db [-ov] [-b7] [-r13] [-r18] [-verbose] [-update] [-hash] * filename */ void @@ -1636,7 +1661,7 @@ load_db(int argc, char **argv) if (log_ctx != NULL && log_ctx->iproprole && !update) { /* Don't record updates we are making to the temporary DB. We will * reinitialize or update the ulog header after promoting it. */ - log_ctx->iproprole = IPROP_SLAVE; + log_ctx->iproprole = IPROP_REPLICA; if (iprop_load) { /* Parse the iprop header information. */ if (!parse_iprop_header(buf, &load, &last)) diff --git a/src/kadmin/dbutil/kadm5_create.c b/src/kadmin/dbutil/kadm5_create.c index 1745a4d..4f254a3 100644 --- a/src/kadmin/dbutil/kadm5_create.c +++ b/src/kadmin/dbutil/kadm5_create.c @@ -68,28 +68,22 @@ static int add_admin_princs(void *handle, krb5_context context, char *realm); int kadm5_create(kadm5_config_params *params) { int retval; - krb5_context context; - kadm5_config_params lparams; - if ((retval = kadm5_init_krb5_context(&context))) - exit(ERR); - /* * The lock file has to exist before calling kadm5_init, but * params->admin_lockfile may not be set yet... */ - if ((retval = kadm5_get_config_params(context, 1, - params, &lparams))) { + retval = kadm5_get_config_params(util_context, 1, params, &lparams); + if (retval) { com_err(progname, retval, _("while looking up the Kerberos " "configuration")); return 1; } - retval = kadm5_create_magic_princs(&lparams, context); + retval = kadm5_create_magic_princs(&lparams, util_context); - kadm5_free_config_params(context, &lparams); - krb5_free_context(context); + kadm5_free_config_params(util_context, &lparams); return retval; } diff --git a/src/kadmin/dbutil/kdb5_create.c b/src/kadmin/dbutil/kdb5_create.c index 92bb6f6..bc1b919 100644 --- a/src/kadmin/dbutil/kdb5_create.c +++ b/src/kadmin/dbutil/kdb5_create.c @@ -169,13 +169,6 @@ void kdb5_create(argc, argv) case 's': do_stash++; break; - case 'h': - if (!add_db_arg("hash=true")) { - com_err(progname, ENOMEM, - _("while parsing command arguments\n")); - exit(1); - } - break; case 'W': strong_random = 0; break; @@ -308,8 +301,8 @@ void kdb5_create(argc, argv) /* * Since we're creating a new db we shouldn't worry about - * adding the initial principals since any slave might as well - * do full resyncs from this newly created db. + * adding the initial principals since any replica might as + * well do full resyncs from this newly created db. */ log_ctx->iproprole = IPROP_NULL; } diff --git a/src/kadmin/dbutil/kdb5_mkey.c b/src/kadmin/dbutil/kdb5_mkey.c index 7df8cbc..19796c2 100644 --- a/src/kadmin/dbutil/kdb5_mkey.c +++ b/src/kadmin/dbutil/kdb5_mkey.c @@ -40,14 +40,17 @@ extern kadm5_config_params global_params; extern krb5_context util_context; extern time_t get_date(char *); -static char *strdate(krb5_timestamp when) +static const char * +strdate(krb5_timestamp when) { struct tm *tm; static char out[40]; + time_t lcltim = ts2tt(when); - time_t lcltim = when; tm = localtime(&lcltim); - strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm); + if (tm == NULL || + strftime(out, sizeof(out), "%a %b %d %H:%M:%S %Z %Y", tm) == 0) + strlcpy(out, "(error)", sizeof(out)); return out; } @@ -481,7 +484,7 @@ kdb5_use_mkey(int argc, char *argv[]) cur_actkvno != NULL; prev_actkvno = cur_actkvno, cur_actkvno = cur_actkvno->next) { - if (new_actkvno->act_time < cur_actkvno->act_time) { + if (ts_after(cur_actkvno->act_time, new_actkvno->act_time)) { if (prev_actkvno) { prev_actkvno->next = new_actkvno; new_actkvno->next = cur_actkvno; @@ -499,7 +502,7 @@ kdb5_use_mkey(int argc, char *argv[]) } } - if (actkvno_list->act_time > now) { + if (ts_after(actkvno_list->act_time, now)) { com_err(progname, EINVAL, _("there must be one master key currently active")); exit_status++; @@ -1297,7 +1300,7 @@ kdb5_purge_mkeys(int argc, char *argv[]) com_err(progname, retval, _("while updating mkey_aux data for master principal entry")); exit_status++; - return; + goto cleanup_return; } if ((retval = krb5_timeofday(util_context, &now))) { diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c index 000b559..accc959 100644 --- a/src/kadmin/dbutil/kdb5_util.c +++ b/src/kadmin/dbutil/kdb5_util.c @@ -77,10 +77,11 @@ kadm5_config_params global_params; void usage() { fprintf(stderr, - _("Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] " - "[-k mkeytype] [-M mkeyname]\n" - "\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd " - "[cmd_options]\n" + _("Usage: kdb5_util [-r realm] [-d dbname] " + "[-k mkeytype] [-kv mkeyVNO]\n" + "\t [-M mkeyname] [-m] [-sf stashfilename] " + "[-P password]\n" + "\t [-x db_args]* cmd [cmd_options]\n" "\tcreate [-s]\n" "\tdestroy [-f]\n" "\tstash [-f keyfile]\n" @@ -358,44 +359,6 @@ int main(argc, argv) return exit_status; } -#if 0 -/* - * This function is no longer used in kdb5_util (and it would no - * longer work, anyway). - */ -void set_dbname(argc, argv) - int argc; - char *argv[]; -{ - krb5_error_code retval; - - if (argc < 3) { - com_err(argv[0], 0, _("Too few arguments")); - com_err(progname, 0, _("Usage: %s dbpathname realmname"), argv[0]); - exit_status++; - return; - } - if (dbactive) { - if ((retval = krb5_db_fini(util_context)) && retval!= KRB5_KDB_DBNOTINITED) { - com_err(progname, retval, _("while closing previous database")); - exit_status++; - return; - } - if (valid_master_key) { - krb5_free_keyblock_contents(util_context, &master_keyblock); - master_keyblock.contents = NULL; - valid_master_key = 0; - } - krb5_free_principal(util_context, master_princ); - free(mkey_fullname); - dbactive = FALSE; - } - - (void) set_dbname_help(progname, argv[1]); - return; -} -#endif - /* * open_db_and_mkey: Opens the KDC and policy database, and sets the * global master_* variables. Sets dbactive to TRUE if the databases diff --git a/src/kadmin/dbutil/strtok.c b/src/kadmin/dbutil/strtok.c index 0640c74..dee466a 100644 --- a/src/kadmin/dbutil/strtok.c +++ b/src/kadmin/dbutil/strtok.c @@ -51,11 +51,11 @@ char * nstrtok(s, delim) - register char *s; - register const char *delim; + char *s; + const char *delim; { - register const char *spanp; - register int c, sc; + const char *spanp; + int c, sc; char *tok; static char *last; diff --git a/src/kadmin/dbutil/t_tdumputil.py b/src/kadmin/dbutil/t_tdumputil.py index 5d7ac38..47b2aa7 100755 --- a/src/kadmin/dbutil/t_tdumputil.py +++ b/src/kadmin/dbutil/t_tdumputil.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - from k5test import * from subprocess import * @@ -8,8 +6,8 @@ realm = K5Realm(create_kdb=False) def compare(s, expected, msg): if s == expected: return - print 'expected:', repr(expected) - print 'got:', repr(s) + print('expected:', repr(expected)) + print('got:', repr(s)) fail(msg) out = realm.run(['./t_tdumputil', '2', 'field1', 'field2', diff --git a/src/kadmin/dbutil/tabdump.c b/src/kadmin/dbutil/tabdump.c index 69a3482..2f313db 100644 --- a/src/kadmin/dbutil/tabdump.c +++ b/src/kadmin/dbutil/tabdump.c @@ -32,6 +32,7 @@ #include #include "k5-platform.h" /* for asprintf */ +#include "k5-hex.h" #include #include @@ -148,7 +149,7 @@ write_date_iso(struct rec_args *args, krb5_timestamp when) struct tm *tm = NULL; struct rechandle *h = args->rh; - t = when; + t = ts2tt(when); tm = gmtime(&t); if (tm == NULL) { errno = EINVAL; @@ -230,9 +231,7 @@ static int write_data(struct rec_args *args, krb5_data *data) { int ret; - char *p; - size_t i; - struct k5buf buf; + char *hex; struct rechandle *h = args->rh; struct tdopts *opts = args->opts; @@ -241,17 +240,15 @@ write_data(struct rec_args *args, krb5_data *data) return -1; return 0; } - k5_buf_init_dynamic(&buf); - p = data->data; - for (i = 0; i < data->length; i++) - k5_buf_add_fmt(&buf, "%02x", (unsigned char)p[i]); - if (buf.data == NULL) { - errno = ENOMEM; + ret = k5_hex_encode(data->data, data->length, FALSE, &hex); + if (ret) { + errno = ret; return -1; } - ret = writefield(h, "%s", (char *)buf.data); - k5_buf_free(&buf); + + ret = writefield(h, "%s", hex); + free(hex); return ret; } diff --git a/src/kadmin/ktutil/deps b/src/kadmin/ktutil/deps index 4df3999..5863e63 100644 --- a/src/kadmin/ktutil/deps +++ b/src/kadmin/ktutil/deps @@ -18,9 +18,10 @@ $(OUTPRE)ktutil_funcs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ktutil.h ktutil_funcs.c + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + ktutil.h ktutil_funcs.c diff --git a/src/kadmin/ktutil/ktutil.c b/src/kadmin/ktutil/ktutil.c index ef16d37..196f207 100644 --- a/src/kadmin/ktutil/ktutil.c +++ b/src/kadmin/ktutil/ktutil.c @@ -140,7 +140,8 @@ void ktutil_add_entry(argc, argv) char *princ = NULL; char *enctype = NULL; krb5_kvno kvno = 0; - int use_pass = 0, use_key = 0, i; + int use_pass = 0, use_key = 0, use_kvno = 0, fetch = 0, i; + char *salt = NULL; for (i = 1; i < argc; i++) { if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-p", 2)) { @@ -149,6 +150,7 @@ void ktutil_add_entry(argc, argv) } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-k", 2)) { kvno = (krb5_kvno) atoi(argv[++i]); + use_kvno++; continue; } if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-e", 2)) { @@ -163,15 +165,27 @@ void ktutil_add_entry(argc, argv) use_key++; continue; } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-s", 2)) { + salt = argv[++i]; + continue; + } + if ((strlen(argv[i]) == 2) && !strncmp(argv[i], "-f", 2)) + fetch++; } - if (argc != 8 || !(princ && kvno && enctype) || (use_pass+use_key != 1)) { + if (princ == NULL || use_pass + use_key != 1 || !use_kvno || + (fetch && salt != NULL)) { fprintf(stderr, _("usage: %s (-key | -password) -p principal " - "-k kvno -e enctype\n"), argv[0]); + "-k kvno [-e enctype] [-f|-s salt]\n"), argv[0]); + return; + } + if (!fetch && enctype == NULL) { + fprintf(stderr, _("enctype must be specified if not using -f\n")); return; } - retval = ktutil_add(kcontext, &ktlist, princ, kvno, enctype, use_pass); + retval = ktutil_add(kcontext, &ktlist, princ, fetch, kvno, enctype, + use_pass, salt); if (retval) com_err(argv[0], retval, _("while adding new entry")); } @@ -240,7 +254,6 @@ void ktutil_list(argc, argv) time_t tstamp; tstamp = lp->entry->timestamp; - (void) localtime(&tstamp); lp->entry->timestamp = tstamp; fill = ' '; if (!krb5_timestamp_to_sfstring((krb5_timestamp)lp->entry-> diff --git a/src/kadmin/ktutil/ktutil.h b/src/kadmin/ktutil/ktutil.h index c4839ff..ddb754b 100644 --- a/src/kadmin/ktutil/ktutil.h +++ b/src/kadmin/ktutil/ktutil.h @@ -36,9 +36,11 @@ krb5_error_code ktutil_delete (krb5_context, krb5_kt_list *, int); krb5_error_code ktutil_add (krb5_context, krb5_kt_list *, char *, + int, krb5_kvno, char *, - int); + int, + char *); krb5_error_code ktutil_read_keytab (krb5_context, char *, diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c index 20a348c..6d119a2 100644 --- a/src/kadmin/ktutil/ktutil_funcs.c +++ b/src/kadmin/ktutil/ktutil_funcs.c @@ -29,6 +29,7 @@ */ #include "k5-int.h" +#include "k5-hex.h" #include "ktutil.h" #include #include @@ -81,102 +82,136 @@ krb5_error_code ktutil_delete(context, list, idx) } /* + * Determine the enctype, salt, and s2kparams for princ based on the presence + * of the -f flag (fetch), the optionally specified salt string, and the + * optionally specified enctype. If the fetch flag is used, salt_str must not + * be given; if the fetch flag is not used, the enctype must be given. + */ +static krb5_error_code +get_etype_info(krb5_context context, krb5_principal princ, int fetch, + char *salt_str, krb5_enctype *enctype_inout, + krb5_data *salt_out, krb5_data *s2kparams_out) +{ + krb5_error_code retval; + krb5_enctype enctype; + krb5_get_init_creds_opt *opt = NULL; + krb5_data salt; + + *salt_out = empty_data(); + *s2kparams_out = empty_data(); + + if (!fetch) { + /* Use the specified enctype and either the specified or default salt. + * Do not produce s2kparams. */ + assert(*enctype_inout != ENCTYPE_NULL); + if (salt_str != NULL) { + salt = string2data(salt_str); + return krb5int_copy_data_contents(context, &salt, salt_out); + } else { + return krb5_principal2salt(context, princ, salt_out); + } + } + + /* Get etype-info from the KDC. */ + assert(salt_str == NULL); + if (*enctype_inout != ENCTYPE_NULL) { + retval = krb5_get_init_creds_opt_alloc(context, &opt); + if (retval) + return retval; + krb5_get_init_creds_opt_set_etype_list(opt, enctype_inout, 1); + } + retval = krb5_get_etype_info(context, princ, opt, &enctype, salt_out, + s2kparams_out); + krb5_get_init_creds_opt_free(context, opt); + if (retval) + return retval; + if (enctype == ENCTYPE_NULL) + return KRB5KDC_ERR_ETYPE_NOSUPP; + + *enctype_inout = enctype; + return 0; +} + +/* * Create a new keytab entry and add it to the keytab list. * Based on the value of use_pass, either prompt the user for a * password or key. If the keytab list is NULL, allocate a new * one first. */ -krb5_error_code ktutil_add(context, list, princ_str, kvno, - enctype_str, use_pass) +krb5_error_code ktutil_add(context, list, princ_str, fetch, kvno, + enctype_str, use_pass, salt_str) krb5_context context; krb5_kt_list *list; char *princ_str; + int fetch; krb5_kvno kvno; char *enctype_str; int use_pass; + char *salt_str; { - krb5_keytab_entry *entry; - krb5_kt_list lp = NULL, prev = NULL; + krb5_keytab_entry *entry = NULL; + krb5_kt_list lp, *last; krb5_principal princ; - krb5_enctype enctype; + krb5_enctype enctype = ENCTYPE_NULL; krb5_timestamp now; krb5_error_code retval; - krb5_data password, salt; + krb5_data password = empty_data(), salt = empty_data(); + krb5_data params = empty_data(), *s2kparams; krb5_keyblock key; char buf[BUFSIZ]; char promptstr[1024]; - - char *cp; - int i, tmp; + char *princ_full = NULL; + uint8_t *keybytes; + size_t keylen; unsigned int pwsize = BUFSIZ; retval = krb5_parse_name(context, princ_str, &princ); if (retval) - return retval; + goto cleanup; /* now unparse in order to get the default realm appended to princ_str, if no realm was specified */ - retval = krb5_unparse_name(context, princ, &princ_str); + retval = krb5_unparse_name(context, princ, &princ_full); if (retval) - return retval; - retval = krb5_string_to_enctype(enctype_str, &enctype); - if (retval) - return KRB5_BAD_ENCTYPE; + goto cleanup; + if (enctype_str != NULL) { + retval = krb5_string_to_enctype(enctype_str, &enctype); + if (retval) { + retval = KRB5_BAD_ENCTYPE; + goto cleanup; + } + } retval = krb5_timeofday(context, &now); if (retval) - return retval; + goto cleanup; - if (*list) { - /* point lp at the tail of the list */ - for (lp = *list; lp->next; lp = lp->next); - } - entry = (krb5_keytab_entry *) malloc(sizeof(krb5_keytab_entry)); - if (!entry) { - return ENOMEM; - } - memset(entry, 0, sizeof(*entry)); - - if (!lp) { /* if list is empty, start one */ - lp = (krb5_kt_list) malloc(sizeof(*lp)); - if (!lp) { - return ENOMEM; - } - } else { - lp->next = (krb5_kt_list) malloc(sizeof(*lp)); - if (!lp->next) { - return ENOMEM; - } - prev = lp; - lp = lp->next; - } - lp->next = NULL; - lp->entry = entry; + entry = k5alloc(sizeof(*entry), &retval); + if (entry == NULL) + goto cleanup; if (use_pass) { - password.length = pwsize; - password.data = (char *) malloc(pwsize); - if (!password.data) { - retval = ENOMEM; + retval = alloc_data(&password, pwsize); + if (retval) goto cleanup; - } snprintf(promptstr, sizeof(promptstr), _("Password for %.1000s"), - princ_str); + princ_full); retval = krb5_read_password(context, promptstr, NULL, password.data, &password.length); if (retval) goto cleanup; - retval = krb5_principal2salt(context, princ, &salt); + + retval = get_etype_info(context, princ, fetch, salt_str, + &enctype, &salt, ¶ms); if (retval) goto cleanup; - retval = krb5_c_string_to_key(context, enctype, &password, - &salt, &key); + s2kparams = (params.length > 0) ? ¶ms : NULL; + retval = krb5_c_string_to_key_with_params(context, enctype, &password, + &salt, s2kparams, &key); if (retval) goto cleanup; - memset(password.data, 0, password.length); - password.length = 0; - lp->entry->key = key; + entry->key = key; } else { - printf(_("Key for %s (hex): "), princ_str); + printf(_("Key for %s (hex): "), princ_full); fgets(buf, BUFSIZ, stdin); /* * We need to get rid of the trailing '\n' from fgets. @@ -193,38 +228,39 @@ krb5_error_code ktutil_add(context, list, princ_str, kvno, goto cleanup; } - lp->entry->key.enctype = enctype; - lp->entry->key.contents = (krb5_octet *) malloc((strlen(buf) + 1) / 2); - if (!lp->entry->key.contents) { - retval = ENOMEM; - goto cleanup; - } - - i = 0; - for (cp = buf; *cp; cp += 2) { - if (!isxdigit((int) cp[0]) || !isxdigit((int) cp[1])) { + retval = k5_hex_decode(buf, &keybytes, &keylen); + if (retval) { + if (retval == EINVAL) { fprintf(stderr, _("addent: Illegal character in key.\n")); retval = 0; - goto cleanup; } - sscanf(cp, "%02x", &tmp); - lp->entry->key.contents[i++] = (krb5_octet) tmp; + goto cleanup; } - lp->entry->key.length = i; - } - lp->entry->principal = princ; - lp->entry->vno = kvno; - lp->entry->timestamp = now; - if (!*list) - *list = lp; + entry->key.enctype = enctype; + entry->key.contents = keybytes; + entry->key.length = keylen; + } + entry->principal = princ; + entry->vno = kvno; + entry->timestamp = now; - return 0; + /* Add entry to the end of the list (or create a new list if empty). */ + lp = k5alloc(sizeof(*lp), &retval); + if (lp == NULL) + goto cleanup; + lp->next = NULL; + lp->entry = entry; + entry = NULL; + for (last = list; *last != NULL; last = &(*last)->next); + *last = lp; cleanup: - if (prev) - prev->next = NULL; - ktutil_free_kt_list(context, lp); + krb5_kt_free_entry(context, entry); + zapfree(password.data, password.length); + krb5_free_data_contents(context, &salt); + krb5_free_data_contents(context, ¶ms); + krb5_free_unparsed_name(context, princ_full); return retval; } diff --git a/src/kadmin/server/Makefile.in b/src/kadmin/server/Makefile.in index 3a013a4..1e262f6 100644 --- a/src/kadmin/server/Makefile.in +++ b/src/kadmin/server/Makefile.in @@ -4,11 +4,13 @@ KDB_DEP_LIB=$(DL_LIB) $(THREAD_LINKOPTS) LOCALINCLUDES = -I$(top_srcdir)/lib/gssapi/generic \ -I$(top_srcdir)/lib/gssapi/krb5 -I$(BUILDTOP)/lib/gssapi/generic \ - -I$(BUILDTOP)/lib/gssapi/krb5 -I$(top_srcdir)/lib/kadm5/srv + -I$(BUILDTOP)/lib/gssapi/krb5 PROG = kadmind -OBJS = kadm_rpc_svc.o server_stubs.o ovsec_kadmd.o schpw.o misc.o ipropd_svc.o -SRCS = kadm_rpc_svc.c server_stubs.c ovsec_kadmd.c schpw.c misc.c ipropd_svc.c +OBJS = auth.o auth_acl.o auth_self.o kadm_rpc_svc.o server_stubs.o \ + ovsec_kadmd.o schpw.o misc.o ipropd_svc.o +SRCS = auth.o auth_acl.c auth_self.c kadm_rpc_svc.c server_stubs.c \ + ovsec_kadmd.c schpw.c misc.c ipropd_svc.c all: $(PROG) diff --git a/src/kadmin/server/auth.c b/src/kadmin/server/auth.c new file mode 100644 index 0000000..081b20a --- /dev/null +++ b/src/kadmin/server/auth.c @@ -0,0 +1,314 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kadmin/server/auth.c - kadm5_auth pluggable interface consumer */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include +#include +#include "auth.h" + +typedef struct { + struct kadm5_auth_vtable_st vt; + kadm5_auth_moddata data; +} *auth_handle; + +static auth_handle *handles; + +void +auth_fini(krb5_context context) +{ + auth_handle *hp, h; + + if (handles == NULL) + return; + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + if (h->vt.fini != NULL) + h->vt.fini(context, h->data); + free(h); + } + free(handles); + handles = NULL; +} + +krb5_error_code +auth_init(krb5_context context, const char *acl_file) +{ + krb5_error_code ret; + krb5_plugin_initvt_fn *modules = NULL, *mod; + size_t count; + auth_handle h = NULL; + const int intf = PLUGIN_INTERFACE_KADM5_AUTH; + + ret = k5_plugin_register(context, intf, "acl", kadm5_auth_acl_initvt); + if (ret) + goto cleanup; + ret = k5_plugin_register(context, intf, "self", kadm5_auth_self_initvt); + if (ret) + goto cleanup; + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KADM5_AUTH, &modules); + if (ret) + goto cleanup; + + /* Allocate a large enough list of handles. */ + for (count = 0; modules[count] != NULL; count++); + handles = k5calloc(count + 1, sizeof(*handles), &ret); + if (handles == NULL) + goto cleanup; + + /* For each module, allocate a handle, initialize its vtable, and + * initialize its module data. */ + count = 0; + for (mod = modules; *mod != NULL; mod++) { + h = k5alloc(sizeof(*h), &ret); + if (h == NULL) + goto cleanup; + ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt); + if (ret) { /* Failed vtable init is non-fatal. */ + TRACE_KADM5_AUTH_VTINIT_FAIL(context, ret); + free(h); + h = NULL; + continue; + } + h->data = NULL; + if (h->vt.init != NULL) { + ret = h->vt.init(context, acl_file, &h->data); + if (ret == KRB5_PLUGIN_NO_HANDLE) { + TRACE_KADM5_AUTH_INIT_SKIP(context, h->vt.name); + free(h); + h = NULL; + continue; + } + if (ret) { + TRACE_KADM5_AUTH_INIT_FAIL(context, h->vt.name, ret); + goto cleanup; + } + } + handles[count++] = h; + handles[count] = NULL; + h = NULL; + } + + ret = 0; + +cleanup: + if (ret) + auth_fini(context); + free(h); + k5_plugin_free_modules(context, modules); + return ret; +} + +/* Invoke the appropriate method from h->vt for opcode, passing client and the + * correct subset of p1, p2, s1, s2, polent, and mask for the method. */ +static krb5_error_code +call_module(krb5_context context, auth_handle h, int opcode, + krb5_const_principal client, krb5_const_principal p1, + krb5_const_principal p2, const char *s1, const char *s2, + const kadm5_policy_ent_rec *polent, long mask) +{ + /* addprinc and modprinc are handled through auth_restrict(). */ + assert(opcode != OP_ADDPRINC && opcode != OP_MODPRINC); + + if (opcode == OP_SETSTR && h->vt.setstr != NULL) + return h->vt.setstr(context, h->data, client, p1, s1, s2); + else if (opcode == OP_CPW && h->vt.cpw != NULL) + return h->vt.cpw(context, h->data, client, p1); + else if (opcode == OP_CHRAND && h->vt.chrand != NULL) + return h->vt.chrand(context, h->data, client, p1); + else if (opcode == OP_SETKEY && h->vt.setkey != NULL) + return h->vt.setkey(context, h->data, client, p1); + else if (opcode == OP_PURGEKEYS && h->vt.purgekeys != NULL) + return h->vt.purgekeys(context, h->data, client, p1); + else if (opcode == OP_DELPRINC && h->vt.delprinc != NULL) + return h->vt.delprinc(context, h->data, client, p1); + else if (opcode == OP_RENPRINC && h->vt.renprinc != NULL) + return h->vt.renprinc(context, h->data, client, p1, p2); + else if (opcode == OP_GETPRINC && h->vt.getprinc != NULL) + return h->vt.getprinc(context, h->data, client, p1); + else if (opcode == OP_GETSTRS && h->vt.getstrs != NULL) + return h->vt.getstrs(context, h->data, client, p1); + else if (opcode == OP_EXTRACT && h->vt.extract != NULL) + return h->vt.extract(context, h->data, client, p1); + else if (opcode == OP_LISTPRINCS && h->vt.listprincs != NULL) + return h->vt.listprincs(context, h->data, client); + else if (opcode == OP_ADDPOL && h->vt.addpol != NULL) + return h->vt.addpol(context, h->data, client, s1, polent, mask); + else if (opcode == OP_MODPOL && h->vt.modpol != NULL) + return h->vt.modpol(context, h->data, client, s1, polent, mask); + else if (opcode == OP_DELPOL && h->vt.delpol != NULL) + return h->vt.delpol(context, h->data, client, s1); + else if (opcode == OP_GETPOL && h->vt.getpol != NULL) + return h->vt.getpol(context, h->data, client, s1, s2); + else if (opcode == OP_LISTPOLS && h->vt.listpols != NULL) + return h->vt.listpols(context, h->data, client); + else if (opcode == OP_IPROP && h->vt.iprop != NULL) + return h->vt.iprop(context, h->data, client); + + return KRB5_PLUGIN_NO_HANDLE; +} + +krb5_boolean +auth(krb5_context context, int opcode, krb5_const_principal client, + krb5_const_principal p1, krb5_const_principal p2, const char *s1, + const char *s2, const kadm5_policy_ent_rec *polent, long mask) +{ + krb5_error_code ret; + krb5_boolean authorized = FALSE; + auth_handle *hp, h; + + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + + ret = call_module(context, h, opcode, client, p1, p2, s1, s2, + polent, mask); + if (!ret) + authorized = TRUE; + else if (ret != KRB5_PLUGIN_NO_HANDLE) + return FALSE; + } + + return authorized; +} + +/* Impose restrictions, modifying *ent and *mask. */ +static krb5_error_code +impose_restrictions(krb5_context context, + const struct kadm5_auth_restrictions *rs, + kadm5_principal_ent_t ent, long *mask) +{ + krb5_error_code ret; + krb5_timestamp now; + + if (rs == NULL) + return 0; + if (rs->mask & (KADM5_PRINC_EXPIRE_TIME | KADM5_PW_EXPIRATION)) { + ret = krb5_timeofday(context, &now); + if (ret) + return ret; + } + + if (rs->mask & KADM5_ATTRIBUTES) { + ent->attributes |= rs->require_attrs; + ent->attributes &= rs->forbid_attrs; + *mask |= KADM5_ATTRIBUTES; + } + if (rs->mask & KADM5_POLICY_CLR) { + *mask &= ~KADM5_POLICY; + *mask |= KADM5_POLICY_CLR; + } else if (rs->mask & KADM5_POLICY) { + if (ent->policy != NULL && strcmp(ent->policy, rs->policy) != 0) { + free(ent->policy); + ent->policy = NULL; + } + if (ent->policy == NULL) { + ent->policy = strdup(rs->policy); + if (ent->policy == NULL) + return ENOMEM; + } + *mask |= KADM5_POLICY; + } + if (rs->mask & KADM5_PRINC_EXPIRE_TIME) { + if (!(*mask & KADM5_PRINC_EXPIRE_TIME) || + ts_after(ent->princ_expire_time, ts_incr(now, rs->princ_lifetime))) + ent->princ_expire_time = now + rs->princ_lifetime; + *mask |= KADM5_PRINC_EXPIRE_TIME; + } + if (rs->mask & KADM5_PW_EXPIRATION) { + if (!(*mask & KADM5_PW_EXPIRATION) || + ts_after(ent->pw_expiration, ts_incr(now, rs->pw_lifetime))) + ent->pw_expiration = now + rs->pw_lifetime; + *mask |= KADM5_PW_EXPIRATION; + } + if (rs->mask & KADM5_MAX_LIFE) { + if (!(*mask & KADM5_MAX_LIFE) || ent->max_life > rs->max_life) + ent->max_life = rs->max_life; + *mask |= KADM5_MAX_LIFE; + } + if (rs->mask & KADM5_MAX_RLIFE) { + if (!(*mask & KADM5_MAX_RLIFE) || + ent->max_renewable_life > rs->max_renewable_life) + ent->max_renewable_life = rs->max_renewable_life; + *mask |= KADM5_MAX_RLIFE; + } + return 0; +} + +krb5_boolean +auth_restrict(krb5_context context, int opcode, krb5_const_principal client, + kadm5_principal_ent_t ent, long *mask) +{ + auth_handle *hp, h; + krb5_boolean authorized = FALSE; + krb5_error_code ret, rs_ret; + krb5_const_principal target = ent->principal; + struct kadm5_auth_restrictions *rs; + + assert(opcode == OP_ADDPRINC || opcode == OP_MODPRINC); + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + + ret = KRB5_PLUGIN_NO_HANDLE; + rs = NULL; + if (opcode == OP_ADDPRINC && h->vt.addprinc != NULL) { + ret = h->vt.addprinc(context, h->data, client, target, ent, *mask, + &rs); + } else if (opcode == OP_MODPRINC && h->vt.modprinc != NULL) { + ret = h->vt.modprinc(context, h->data, client, target, ent, *mask, + &rs); + } + if (rs != NULL) { + rs_ret = impose_restrictions(context, rs, ent, mask); + if (h->vt.free_restrictions != NULL) + h->vt.free_restrictions(context, h->data, rs); + if (rs_ret) + return FALSE; + } + if (!ret) + authorized = TRUE; + else if (ret != KRB5_PLUGIN_NO_HANDLE) + return FALSE; + } + + return authorized; +} + +void +auth_end(krb5_context context) +{ + auth_handle *hp, h; + + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + if (h->vt.end != NULL) + h->vt.end(context, h->data); + } +} diff --git a/src/kadmin/server/auth.h b/src/kadmin/server/auth.h new file mode 100644 index 0000000..4d265ad --- /dev/null +++ b/src/kadmin/server/auth.h @@ -0,0 +1,85 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kadmin/server/auth.h - kadmin authorization declarations */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef AUTH_H +#define AUTH_H + +#define OP_ADDPRINC 1 +#define OP_MODPRINC 2 +#define OP_SETSTR 3 +#define OP_CPW 4 +#define OP_CHRAND 5 +#define OP_SETKEY 6 +#define OP_PURGEKEYS 7 +#define OP_DELPRINC 8 +#define OP_RENPRINC 9 +#define OP_GETPRINC 10 +#define OP_GETSTRS 11 +#define OP_EXTRACT 12 +#define OP_LISTPRINCS 13 +#define OP_ADDPOL 14 +#define OP_MODPOL 15 +#define OP_DELPOL 16 +#define OP_GETPOL 17 +#define OP_LISTPOLS 18 +#define OP_IPROP 19 + +/* Initialize all authorization modules. */ +krb5_error_code auth_init(krb5_context context, const char *acl_file); + +/* Release authorization module state. */ +void auth_fini(krb5_context context); + +/* Authorize the operation given by opcode, using the appropriate subset of p1, + * p2, s1, s2, polent, and mask. */ +krb5_boolean auth(krb5_context context, int opcode, + krb5_const_principal client, krb5_const_principal p1, + krb5_const_principal p2, const char *s1, const char *s2, + const kadm5_policy_ent_rec *polent, long mask); + +/* Authorize an add-principal or modify-principal operation, and apply + * restrictions to ent and mask if any modules supply them. */ +krb5_boolean auth_restrict(krb5_context context, int opcode, + krb5_const_principal client, + kadm5_principal_ent_t ent, long *mask); + +/* Notify modules that the most recent authorized operation has ended. */ +void auth_end(krb5_context context); + +/* initvt declarations for built-in modules */ + +krb5_error_code kadm5_auth_acl_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable); +krb5_error_code kadm5_auth_self_initvt(krb5_context context, int maj_ver, + int min_ver, krb5_plugin_vtable vtable); + +#endif /* AUTH_H */ diff --git a/src/kadmin/server/auth_acl.c b/src/kadmin/server/auth_acl.c new file mode 100644 index 0000000..efe9c69 --- /dev/null +++ b/src/kadmin/server/auth_acl.c @@ -0,0 +1,755 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kadmin/server/auth_acl.c - ACL kadm5_auth module */ +/* + * Copyright 1995-2004, 2007, 2008, 2017 by the Massachusetts Institute of + * Technology. All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include +#include +#include +#include "adm_proto.h" +#include +#include "auth.h" + +/* + * Access control bits. + */ +#define ACL_ADD 1 +#define ACL_DELETE 2 +#define ACL_MODIFY 4 +#define ACL_CHANGEPW 8 +/* #define ACL_CHANGE_OWN_PW 16 */ +#define ACL_INQUIRE 32 +#define ACL_EXTRACT 64 +#define ACL_LIST 128 +#define ACL_SETKEY 256 +#define ACL_IPROP 512 + +#define ACL_ALL_MASK (ACL_ADD | \ + ACL_DELETE | \ + ACL_MODIFY | \ + ACL_CHANGEPW | \ + ACL_INQUIRE | \ + ACL_LIST | \ + ACL_IPROP | \ + ACL_SETKEY) + +struct acl_op_table { + char op; + uint32_t mask; +}; + +struct acl_entry { + struct acl_entry *next; + krb5_principal client; + uint32_t op_allowed; + krb5_principal target; + struct kadm5_auth_restrictions *rs; +}; + +static const struct acl_op_table acl_op_table[] = { + { 'a', ACL_ADD }, + { 'd', ACL_DELETE }, + { 'm', ACL_MODIFY }, + { 'c', ACL_CHANGEPW }, + { 'i', ACL_INQUIRE }, + { 'l', ACL_LIST }, + { 'p', ACL_IPROP }, + { 's', ACL_SETKEY }, + { 'x', ACL_ALL_MASK }, + { '*', ACL_ALL_MASK }, + { 'e', ACL_EXTRACT }, + { '\0', 0 } +}; + +struct wildstate { + int nwild; + const krb5_data *backref[9]; +}; + +struct acl_state { + struct acl_entry *list; +}; + +/* + * Get a line from the ACL file. Lines ending with \ are continued on the next + * line. The caller should set *lineno to 1 and *incr to 0 before the first + * call. On successful return, *lineno will be the line number of the line + * read. Return a pointer to the line on success, or NULL on end of file or + * read failure. + */ +static char * +get_line(FILE *fp, const char *fname, int *lineno, int *incr) +{ + const int chunksize = 128; + struct k5buf buf; + size_t old_len; + char *p; + + /* Increment *lineno by the number of newlines from the last line. */ + *lineno += *incr; + *incr = 0; + + k5_buf_init_dynamic(&buf); + for (;;) { + /* Read at least part of a line into the buffer. */ + old_len = buf.len; + p = k5_buf_get_space(&buf, chunksize); + if (p == NULL) + return NULL; + + if (fgets(p, chunksize, fp) == NULL) { + /* We reached the end. Return a final unterminated line, if there + * is one and it's not a comment. */ + k5_buf_truncate(&buf, old_len); + if (buf.len > 0 && *(char *)buf.data != '#') + return buf.data; + k5_buf_free(&buf); + return NULL; + } + + /* Set the buffer length based on the actual amount read. */ + k5_buf_truncate(&buf, old_len + strlen(p)); + + p = buf.data; + if (buf.len > 0 && p[buf.len - 1] == '\n') { + /* We have a complete raw line in the buffer. */ + (*incr)++; + k5_buf_truncate(&buf, buf.len - 1); + if (buf.len > 0 && p[buf.len - 1] == '\\') { + /* This line has a continuation marker; keep reading. */ + k5_buf_truncate(&buf, buf.len - 1); + } else if (buf.len == 0 || *p == '#') { + /* This line is empty or a comment. Start over. */ + *lineno += *incr; + *incr = 0; + k5_buf_truncate(&buf, 0); + } else { + return buf.data; + } + } + } +} + +/* + * Parse a restrictions field. Return NULL on failure. + * + * Allowed restrictions are: + * [+-]flagname (recognized by krb5_flagspec_to_mask) + * flag is forced to indicated value + * -clearpolicy policy is forced clear + * -policy pol policy is forced to be "pol" + * -{expire,pwexpire,maxlife,maxrenewlife} deltat + * associated value will be forced to + * MIN(deltat, requested value) + */ +static struct kadm5_auth_restrictions * +parse_restrictions(const char *str, const char *fname) +{ + char *copy = NULL, *token, *arg, *save; + const char *delims = "\t\n\f\v\r ,"; + krb5_deltat delta; + struct kadm5_auth_restrictions *rs; + + copy = strdup(str); + if (copy == NULL) + return NULL; + + rs = calloc(1, sizeof(*rs)); + if (rs == NULL) { + free(copy); + return NULL; + } + + rs->forbid_attrs = ~(krb5_flags)0; + for (token = strtok_r(copy, delims, &save); token != NULL; + token = strtok_r(NULL, delims, &save)) { + + if (krb5_flagspec_to_mask(token, &rs->require_attrs, + &rs->forbid_attrs) == 0) { + rs->mask |= KADM5_ATTRIBUTES; + continue; + } + + if (strcmp(token, "-clearpolicy") == 0) { + rs->mask |= KADM5_POLICY_CLR; + continue; + } + + /* Everything else needs an argument. */ + arg = strtok_r(NULL, delims, &save); + if (arg == NULL) + goto error; + + if (strcmp(token, "-policy") == 0) { + if (rs->policy != NULL) + goto error; + rs->policy = strdup(arg); + if (rs->policy == NULL) + goto error; + rs->mask |= KADM5_POLICY; + continue; + } + + /* All other arguments must be a deltat. */ + if (krb5_string_to_deltat(arg, &delta) != 0) + goto error; + + if (strcmp(token, "-expire") == 0) { + rs->princ_lifetime = delta; + rs->mask |= KADM5_PRINC_EXPIRE_TIME; + } else if (strcmp(token, "-pwexpire") == 0) { + rs->pw_lifetime = delta; + rs->mask |= KADM5_PW_EXPIRATION; + } else if (strcmp(token, "-maxlife") == 0) { + rs->max_life = delta; + rs->mask |= KADM5_MAX_LIFE; + } else if (strcmp(token, "-maxrenewlife") == 0) { + rs->max_renewable_life = delta; + rs->mask |= KADM5_MAX_RLIFE; + } else { + goto error; + } + } + + free(copy); + return rs; + +error: + krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"), fname, str); + free(copy); + free(rs->policy); + free(rs); + return NULL; +} + +static void +free_acl_entry(struct acl_entry *entry) +{ + krb5_free_principal(NULL, entry->client); + krb5_free_principal(NULL, entry->target); + if (entry->rs != NULL) { + free(entry->rs->policy); + free(entry->rs); + } + free(entry); +} + +/* Parse the four fields of an ACL entry and return a structure representing + * it. Log a message and return NULL on error. */ +static struct acl_entry * +parse_entry(krb5_context context, const char *client, const char *ops, + const char *target, const char *rs, const char *line, + const char *fname) +{ + struct acl_entry *entry; + const char *op; + char rop; + int t; + + entry = calloc(1, sizeof(*entry)); + if (entry == NULL) + return NULL; + + for (op = ops; *op; op++) { + rop = isupper((unsigned char)*op) ? tolower((unsigned char)*op) : *op; + for (t = 0; acl_op_table[t].op; t++) { + if (rop == acl_op_table[t].op) { + if (rop == *op) + entry->op_allowed |= acl_op_table[t].mask; + else + entry->op_allowed &= ~acl_op_table[t].mask; + break; + } + } + if (!acl_op_table[t].op) { + krb5_klog_syslog(LOG_ERR, + _("Unrecognized ACL operation '%c' in %s"), + *op, line); + goto error; + } + } + + if (strcmp(client, "*") != 0) { + if (krb5_parse_name(context, client, &entry->client) != 0) { + krb5_klog_syslog(LOG_ERR, _("Cannot parse client principal '%s'"), + client); + goto error; + } + } + + if (target != NULL && strcmp(target, "*") != 0) { + if (krb5_parse_name(context, target, &entry->target) != 0) { + krb5_klog_syslog(LOG_ERR, _("Cannot parse target principal '%s'"), + target); + goto error; + } + } + + if (rs != NULL) { + entry->rs = parse_restrictions(rs, fname); + if (entry->rs == NULL) + goto error; + } + + return entry; + +error: + free_acl_entry(entry); + return NULL; +} + +/* Parse the contents of an ACL line. */ +static struct acl_entry * +parse_line(krb5_context context, const char *line, const char *fname) +{ + struct acl_entry *entry = NULL; + char *copy; + char *client, *client_end, *ops, *ops_end, *target, *target_end, *rs, *end; + const char *ws = "\t\n\f\v\r ,"; + + /* + * Format: + * entry ::= [] + * [ [ + * []]] + */ + + /* Make a copy and remove any trailing whitespace. */ + copy = strdup(line); + if (copy == NULL) + return NULL; + end = copy + strlen(copy); + while (end > copy && isspace(end[-1])) + *--end = '\0'; + + /* Find the beginning and end of each field. The end of restrictions is + * the end of copy. */ + client = copy + strspn(copy, ws); + client_end = client + strcspn(client, ws); + ops = client_end + strspn(client_end, ws); + ops_end = ops + strcspn(ops, ws); + target = ops_end + strspn(ops_end, ws); + target_end = target + strcspn(target, ws); + rs = target_end + strspn(target_end, ws); + + /* Terminate the first three fields. */ + *client_end = *ops_end = *target_end = '\0'; + + /* The last two fields are optional; represent them as NULL if not present. + * The first two fields are required. */ + if (*target == '\0') + target = NULL; + if (*rs == '\0') + rs = NULL; + if (*client != '\0' && *ops != '\0') + entry = parse_entry(context, client, ops, target, rs, line, fname); + free(copy); + return entry; +} + +/* Free all ACL entries. */ +static void +free_acl_entries(struct acl_state *state) +{ + struct acl_entry *entry, *next; + + for (entry = state->list; entry != NULL; entry = next) { + next = entry->next; + free_acl_entry(entry); + } + state->list = NULL; +} + +/* Open and parse the ACL file. */ +static krb5_error_code +load_acl_file(krb5_context context, const char *fname, struct acl_state *state) +{ + krb5_error_code ret; + FILE *fp; + char *line; + struct acl_entry **entry_slot; + int lineno, incr; + + state->list = NULL; + + /* Open the ACL file for reading. */ + fp = fopen(fname, "r"); + if (fp == NULL) { + krb5_klog_syslog(LOG_ERR, _("%s while opening ACL file %s"), + error_message(errno), fname); + ret = errno; + k5_setmsg(context, errno, _("Cannot open %s: %s"), fname, + error_message(ret)); + return ret; + } + + set_cloexec_file(fp); + lineno = 1; + incr = 0; + entry_slot = &state->list; + + /* Get a non-comment line. */ + while ((line = get_line(fp, fname, &lineno, &incr)) != NULL) { + /* Parse it. Fail out on syntax error. */ + *entry_slot = parse_line(context, line, fname); + if (*entry_slot == NULL) { + krb5_klog_syslog(LOG_ERR, + _("%s: syntax error at line %d <%.10s...>"), + fname, lineno, line); + k5_setmsg(context, EINVAL, + _("%s: syntax error at line %d <%.10s...>"), + fname, lineno, line); + free_acl_entries(state); + free(line); + fclose(fp); + return EINVAL; + } + entry_slot = &(*entry_slot)->next; + free(line); + } + + fclose(fp); + return 0; +} + +/* + * See if two data entries match. If e1 is a wildcard (matching a whole + * component only) and targetflag is false, save an alias to e2 into + * ws->backref. If e1 is a back-reference and targetflag is true, compare the + * appropriate entry in ws->backref to e2. If ws is NULL, do not store or + * match back-references. + */ +static krb5_boolean +match_data(const krb5_data *e1, const krb5_data *e2, krb5_boolean targetflag, + struct wildstate *ws) +{ + int n; + + if (data_eq_string(*e1, "*")) { + if (ws != NULL && !targetflag) { + if (ws->nwild < 9) + ws->backref[ws->nwild++] = e2; + } + return TRUE; + } + + if (ws != NULL && targetflag && e1->length == 2 && e1->data[0] == '*' && + e1->data[1] >= '1' && e1->data[1] <= '9') { + n = e1->data[1] - '1'; + if (n >= ws->nwild) + return FALSE; + return data_eq(*e2, *ws->backref[n]); + } else { + return data_eq(*e2, *e1); + } +} + +/* Return true if p1 matches p2. p1 may contain wildcards if targetflag is + * false, or backreferences if it is true. */ +static krb5_boolean +match_princ(krb5_const_principal p1, krb5_const_principal p2, + krb5_boolean targetflag, struct wildstate *ws) +{ + int i; + + /* The principals must be of the same length. */ + if (p1->length != p2->length) + return FALSE; + + /* The realm must match, and does not interact with wildcard state. */ + if (!match_data(&p1->realm, &p2->realm, targetflag, NULL)) + return FALSE; + + /* All components of the principals must match. */ + for (i = 0; i < p1->length; i++) { + if (!match_data(&p1->data[i], &p2->data[i], targetflag, ws)) + return FALSE; + } + + return TRUE; +} + +/* Find an ACL entry matching principal and target_principal. Return NULL if + * none is found. */ +static struct acl_entry * +find_entry(struct acl_state *state, krb5_const_principal client, + krb5_const_principal target) +{ + struct acl_entry *entry; + struct wildstate ws; + + for (entry = state->list; entry != NULL; entry = entry->next) { + memset(&ws, 0, sizeof(ws)); + if (entry->client != NULL) { + if (!match_princ(entry->client, client, FALSE, &ws)) + continue; + } + + if (entry->target != NULL) { + if (target == NULL) + continue; + if (!match_princ(entry->target, target, TRUE, &ws)) + continue; + } + + return entry; + } + + return NULL; +} + +/* Return true if op is permitted for this principal. Set *rs_out (if not + * NULL) according to any restrictions in the ACL entry. */ +static krb5_error_code +acl_check(kadm5_auth_moddata data, uint32_t op, krb5_const_principal client, + krb5_const_principal target, struct kadm5_auth_restrictions **rs_out) +{ + struct acl_entry *entry; + + if (rs_out != NULL) + *rs_out = NULL; + + entry = find_entry((struct acl_state *)data, client, target); + if (entry == NULL) + return KRB5_PLUGIN_NO_HANDLE; + if (!(entry->op_allowed & op)) + return KRB5_PLUGIN_NO_HANDLE; + + if (rs_out != NULL && entry->rs != NULL && entry->rs->mask) + *rs_out = entry->rs; + + return 0; +} + +static krb5_error_code +acl_init(krb5_context context, const char *acl_file, + kadm5_auth_moddata *data_out) +{ + krb5_error_code ret; + struct acl_state *state; + + *data_out = NULL; + if (acl_file == NULL) + return KRB5_PLUGIN_NO_HANDLE; + state = malloc(sizeof(*state)); + state->list = NULL; + ret = load_acl_file(context, acl_file, state); + if (ret) { + free(state); + return ret; + } + *data_out = (kadm5_auth_moddata)state; + return 0; +} + +static void +acl_fini(krb5_context context, kadm5_auth_moddata data) +{ + if (data == NULL) + return; + free_acl_entries((struct acl_state *)data); + free(data); +} + +static krb5_error_code +acl_addprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + return acl_check(data, ACL_ADD, client, target, rs_out); +} + +static krb5_error_code +acl_modprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + return acl_check(data, ACL_MODIFY, client, target, rs_out); +} + +static krb5_error_code +acl_setstr(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const char *key, const char *value) +{ + return acl_check(data, ACL_MODIFY, client, target, NULL); +} + +static krb5_error_code +acl_cpw(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_CHANGEPW, client, target, NULL); +} + +static krb5_error_code +acl_chrand(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_CHANGEPW, client, target, NULL); +} + +static krb5_error_code +acl_setkey(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_SETKEY, client, target, NULL); +} + +static krb5_error_code +acl_purgekeys(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_MODIFY, client, target, NULL); +} + +static krb5_error_code +acl_delprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_DELETE, client, target, NULL); +} + +static krb5_error_code +acl_renprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal src, + krb5_const_principal dest) +{ + struct kadm5_auth_restrictions *rs; + + if (acl_check(data, ACL_DELETE, client, src, NULL) == 0 && + acl_check(data, ACL_ADD, client, dest, &rs) == 0 && rs == NULL) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +static krb5_error_code +acl_getprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_INQUIRE, client, target, NULL); +} + +static krb5_error_code +acl_getstrs(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_INQUIRE, client, target, NULL); +} + +static krb5_error_code +acl_extract(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return acl_check(data, ACL_EXTRACT, client, target, NULL); +} + +static krb5_error_code +acl_listprincs(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client) +{ + return acl_check(data, ACL_LIST, client, NULL, NULL); +} + +static krb5_error_code +acl_addpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + return acl_check(data, ACL_ADD, client, NULL, NULL); +} + +static krb5_error_code +acl_modpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + return acl_check(data, ACL_MODIFY, client, NULL, NULL); +} + +static krb5_error_code +acl_delpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy) +{ + return acl_check(data, ACL_DELETE, client, NULL, NULL); +} + +static krb5_error_code +acl_getpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const char *client_policy) +{ + return acl_check(data, ACL_INQUIRE, client, NULL, NULL); +} + +static krb5_error_code +acl_listpols(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client) +{ + return acl_check(data, ACL_LIST, client, NULL, NULL); +} + +static krb5_error_code +acl_iprop(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client) +{ + return acl_check(data, ACL_IPROP, client, NULL, NULL); +} + +krb5_error_code +kadm5_auth_acl_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + kadm5_auth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (kadm5_auth_vtable)vtable; + vt->name = "acl"; + vt->init = acl_init; + vt->fini = acl_fini; + vt->addprinc = acl_addprinc; + vt->modprinc = acl_modprinc; + vt->setstr = acl_setstr; + vt->cpw = acl_cpw; + vt->chrand = acl_chrand; + vt->setkey = acl_setkey; + vt->purgekeys = acl_purgekeys; + vt->delprinc = acl_delprinc; + vt->renprinc = acl_renprinc; + vt->getprinc = acl_getprinc; + vt->getstrs = acl_getstrs; + vt->extract = acl_extract; + vt->listprincs = acl_listprincs; + vt->addpol = acl_addpol; + vt->modpol = acl_modpol; + vt->delpol = acl_delpol; + vt->getpol = acl_getpol; + vt->listpols = acl_listpols; + vt->iprop = acl_iprop; + return 0; +} diff --git a/src/kadmin/server/auth_self.c b/src/kadmin/server/auth_self.c new file mode 100644 index 0000000..253d4bc --- /dev/null +++ b/src/kadmin/server/auth_self.c @@ -0,0 +1,77 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kadmin/server/auth_self.c - self-service kadm5_auth module */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include +#include +#include "auth.h" + +/* Authorize a principal to operate on itself. Applies to cpw, chrand, + * purgekeys, getprinc, and getstrs. */ +static krb5_error_code +self_compare(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + if (krb5_principal_compare(context, client, target)) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* Authorize a principal to get the policy record for its own policy. */ +static krb5_error_code +self_getpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const char *client_policy) +{ + if (client_policy != NULL && strcmp(policy, client_policy) == 0) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +krb5_error_code +kadm5_auth_self_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + kadm5_auth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (kadm5_auth_vtable)vtable; + vt->name = "self"; + vt->cpw = self_compare; + vt->chrand = self_compare; + vt->purgekeys = self_compare; + vt->getprinc = self_compare; + vt->getstrs = self_compare; + vt->getpol = self_getpol; + return 0; +} diff --git a/src/kadmin/server/deps b/src/kadmin/server/deps index 44311af..335123a 100644 --- a/src/kadmin/server/deps +++ b/src/kadmin/server/deps @@ -1,6 +1,44 @@ # # Generated makefile dependencies follow. # +$(OUTPRE)auth_acl.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h auth.h auth_acl.c +$(OUTPRE)auth_self.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h auth.h auth_self.c $(OUTPRE)kadm_rpc_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \ @@ -29,28 +67,26 @@ $(OUTPRE)server_stubs.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_acl.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - misc.h server_stubs.c + $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ + $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h auth.h misc.h \ + server_stubs.c $(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_alloc.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/kadm_rpc.h $(BUILDTOP)/include/kadm5/server_acl.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/kadm_rpc.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.h \ $(BUILDTOP)/lib/gssapi/krb5/gssapi_err_krb5.h $(COM_ERR_DEPS) \ $(VERTO_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_gssapi.h \ @@ -71,7 +107,7 @@ $(OUTPRE)ovsec_kadmd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/lib/gssapi/generic/gssapiP_generic.h \ $(top_srcdir)/lib/gssapi/generic/gssapi_ext.h $(top_srcdir)/lib/gssapi/generic/gssapi_generic.h \ $(top_srcdir)/lib/gssapi/krb5/gssapiP_krb5.h $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h \ - misc.h ovsec_kadmd.c + auth.h misc.h ovsec_kadmd.c $(OUTPRE)schpw.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ @@ -97,23 +133,23 @@ $(OUTPRE)misc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/server_acl.h $(BUILDTOP)/include/kadm5/server_internal.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - misc.c misc.h + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(VERTO_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h auth.h misc.c \ + misc.h $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ @@ -131,5 +167,5 @@ $(OUTPRE)ipropd_svc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/kdb.h \ $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ - $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h $(top_srcdir)/lib/kadm5/srv/server_acl.h \ + $(top_srcdir)/lib/gssapi/krb5/gssapi_krb5.h auth.h \ ipropd_svc.c misc.h diff --git a/src/kadmin/server/ipropd_svc.c b/src/kadmin/server/ipropd_svc.c index bce668f..dc9984c 100644 --- a/src/kadmin/server/ipropd_svc.c +++ b/src/kadmin/server/ipropd_svc.c @@ -16,7 +16,6 @@ #include #include #include -#include #include #include #include @@ -25,6 +24,7 @@ #include #include #include +#include "auth.h" #include "misc.h" #include "osconf.h" @@ -129,6 +129,20 @@ buf_to_string(gss_buffer_desc *b) return s; } +static krb5_boolean +iprop_acl_check(krb5_context context, const char *client_name) +{ + krb5_principal client_princ; + krb5_boolean result; + + if (krb5_parse_name(context, client_name, &client_princ) != 0) + return FALSE; + result = auth(context, OP_IPROP, client_princ, + NULL, NULL, NULL, NULL, NULL, 0); + krb5_free_principal(context, client_princ); + return result; +} + kdb_incr_result_t * iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp) { @@ -174,11 +188,7 @@ iprop_get_updates_1_svc(kdb_last_t *arg, struct svc_req *rqstp) DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name, service_name); - if (!kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_IPROP, - NULL, - NULL)) { + if (!iprop_acl_check(handle->context, client_name)) { ret.ret = UPDATE_PERM_DENIED; DPRINT("%s: PERMISSION DENIED: clprinc=`%s'\n\tsvcprinc=`%s'\n", @@ -301,11 +311,7 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) DPRINT("%s: clprinc=`%s'\n\tsvcprinc=`%s'\n", whoami, client_name, service_name); - if (!kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_IPROP, - NULL, - NULL)) { + if (!iprop_acl_check(handle->context, client_name)) { ret.ret = UPDATE_PERM_DENIED; DPRINT("%s: Permission denied\n", whoami); @@ -332,8 +338,8 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) * dump already exists or that dump is not in ipropx format, or the * sno and timestamp in the header of that dump are outside the * ulog. This allows us to share a single global dump with all - * slaves, since it's OK to share an older dump, as long as its sno - * and timestamp are in the ulog (then the slaves can get the + * replicas, since it's OK to share an older dump, as long as its + * sno and timestamp are in the ulog (then the replicas can get the * subsequent updates very iprop). */ if (asprintf(&ubuf, "%s -r %s dump -i%d -c %s", kdb5_util, @@ -345,9 +351,9 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) } /* - * Fork to dump the db and xfer it to the slave. + * Fork to dump the db and xfer it to the replica. * (the fork allows parent to return quickly and the child - * acts like a callback to the slave). + * acts like a callback to the replica). */ fret = fork(); DPRINT("%s: fork=%d (%d)\n", whoami, fret, getpid()); @@ -412,7 +418,7 @@ ipropx_resync(uint32_t vers, struct svc_req *rqstp) default: /* parent */ ret.ret = UPDATE_OK; - /* not used by slave (sno is retrieved from kdb5_util dump) */ + /* not used by replica (sno is retrieved from kdb5_util dump) */ ret.lastentry.last_sno = 0; ret.lastentry.last_time.seconds = 0; ret.lastentry.last_time.useconds = 0; @@ -527,14 +533,14 @@ fail_name: void krb5_iprop_prog_1(struct svc_req *rqstp, - register SVCXPRT *transp) + SVCXPRT *transp) { union { kdb_last_t iprop_get_updates_1_arg; } argument; - char *result; + void *result; bool_t (*_xdr_argument)(), (*_xdr_result)(); - char *(*local)(/* union XXX *, struct svc_req * */); + void *(*local)(/* union XXX *, struct svc_req * */); char *whoami = "krb5_iprop_prog_1"; if (!check_iprop_rpcsec_auth(rqstp)) { @@ -555,19 +561,19 @@ krb5_iprop_prog_1(struct svc_req *rqstp, case IPROP_GET_UPDATES: _xdr_argument = xdr_kdb_last_t; _xdr_result = xdr_kdb_incr_result_t; - local = (char *(*)()) iprop_get_updates_1_svc; + local = (void *(*)()) iprop_get_updates_1_svc; break; case IPROP_FULL_RESYNC: _xdr_argument = xdr_void; _xdr_result = xdr_kdb_fullresync_result_t; - local = (char *(*)()) iprop_full_resync_1_svc; + local = (void *(*)()) iprop_full_resync_1_svc; break; case IPROP_FULL_RESYNC_EXT: _xdr_argument = xdr_u_int32; _xdr_result = xdr_kdb_fullresync_result_t; - local = (char *(*)()) iprop_full_resync_ext_1_svc; + local = (void *(*)()) iprop_full_resync_ext_1_svc; break; default: @@ -615,32 +621,3 @@ krb5_iprop_prog_1(struct svc_req *rqstp, } } - -#if 0 -/* - * Get the host base service name for the kiprop principal. Returns - * KADM5_OK on success. Caller must free the storage allocated for - * host_service_name. - */ -kadm5_ret_t -kiprop_get_adm_host_srv_name(krb5_context context, - const char *realm, - char **host_service_name) -{ - kadm5_ret_t ret; - char *name; - char *host; - - if (ret = kadm5_get_master(context, realm, &host)) - return (ret); - - if (asprintf(&name, "%s@%s", KIPROP_SVC_NAME, host) < 0) { - free(host); - return (ENOMEM); - } - free(host); - *host_service_name = name; - - return (KADM5_OK); -} -#endif diff --git a/src/kadmin/server/kadm_rpc_svc.c b/src/kadmin/server/kadm_rpc_svc.c index e43ca0d..41fc88a 100644 --- a/src/kadmin/server/kadm_rpc_svc.c +++ b/src/kadmin/server/kadm_rpc_svc.c @@ -38,7 +38,7 @@ static int check_rpcsec_auth(struct svc_req *); void kadm_1(rqstp, transp) struct svc_req *rqstp; - register SVCXPRT *transp; + SVCXPRT *transp; { union { cprinc_arg create_principal_2_arg; diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c index 27a6376..45e1f81 100644 --- a/src/kadmin/server/misc.c +++ b/src/kadmin/server/misc.c @@ -7,96 +7,9 @@ #include #include #include -#include #include "misc.h" +#include "auth.h" #include "net-server.h" - -/* - * Function: chpass_principal_wrapper_3 - * - * Purpose: wrapper to kadm5_chpass_principal that checks to see if - * pw_min_life has been reached. if not it returns an error. - * otherwise it calls kadm5_chpass_principal - * - * Arguments: - * principal (input) krb5_principals whose password we are - * changing - * keepold (input) whether to preserve old keys - * n_ks_tuple (input) the number of key-salt tuples in ks_tuple - * ks_tuple (input) array of tuples indicating the caller's - * requested enctypes/salttypes - * password (input) password we are going to change to. - * 0 on success error code on failure. - * - * Requires: - * kadm5_init to have been run. - * - * Effects: - * calls kadm5_chpass_principal which changes the kdb and the - * the admin db. - * - */ -kadm5_ret_t -chpass_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *password) -{ - kadm5_ret_t ret; - - ret = check_min_life(server_handle, principal, NULL, 0); - if (ret) - return ret; - - return kadm5_chpass_principal_3(server_handle, principal, - keepold, n_ks_tuple, ks_tuple, - password); -} - - -/* - * Function: randkey_principal_wrapper_3 - * - * Purpose: wrapper to kadm5_randkey_principal which checks the - * password's min. life. - * - * Arguments: - * principal (input) krb5_principal whose password we are - * changing - * keepold (input) whether to preserve old keys - * n_ks_tuple (input) the number of key-salt tuples in ks_tuple - * ks_tuple (input) array of tuples indicating the caller's - * requested enctypes/salttypes - * key (output) new random key - * 0, error code on error. - * - * Requires: - * kadm5_init needs to be run - * - * Effects: - * calls kadm5_randkey_principal - * - */ -kadm5_ret_t -randkey_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keys, int *n_keys) -{ - kadm5_ret_t ret; - - ret = check_min_life(server_handle, principal, NULL, 0); - if (ret) - return ret; - return kadm5_randkey_principal_3(server_handle, principal, - keepold, n_ks_tuple, ks_tuple, - keys, n_keys); -} - kadm5_ret_t schpw_util_wrapper(void *server_handle, krb5_principal client, @@ -107,8 +20,6 @@ schpw_util_wrapper(void *server_handle, { kadm5_ret_t ret; kadm5_server_handle_t handle = server_handle; - krb5_boolean access_granted; - krb5_boolean self; /* * If no target is explicitly provided, then the target principal @@ -117,32 +28,22 @@ schpw_util_wrapper(void *server_handle, if (target == NULL) target = client; - /* - * A principal can always change its own password, as long as it - * has an initial ticket and meets the minimum password lifetime - * requirement. - */ - self = krb5_principal_compare(handle->context, client, target); - if (self) { + /* If the client is changing its own password, require it to use an initial + * ticket, and enforce the policy min_life. */ + if (krb5_principal_compare(handle->context, client, target)) { + if (!initial_flag) { + strlcpy(msg_ret, "Ticket must be derived from a password", + msg_len); + return KADM5_AUTH_INITIAL; + } + ret = check_min_life(server_handle, target, msg_ret, msg_len); if (ret != 0) return ret; - - access_granted = initial_flag; - } else - access_granted = FALSE; - - if (!access_granted && - kadm5int_acl_check_krb(handle->context, client, - ACL_CHANGEPW, target, NULL)) { - /* - * Otherwise, principals with appropriate privileges can change - * any password - */ - access_granted = TRUE; } - if (access_granted) { + if (auth(handle->context, OP_CPW, client, target, + NULL, NULL, NULL, NULL, 0)) { ret = kadm5_chpass_principal_util(server_handle, target, new_pw, ret_pw, @@ -159,7 +60,7 @@ kadm5_ret_t check_min_life(void *server_handle, krb5_principal principal, char *msg_ret, unsigned int msg_len) { - krb5_int32 now; + krb5_timestamp now; kadm5_ret_t ret; kadm5_policy_ent_rec pol; kadm5_principal_ent_rec princ; @@ -184,7 +85,7 @@ check_min_life(void *server_handle, krb5_principal principal, (void) kadm5_free_principal_ent(handle->lhandle, &princ); return (ret == KADM5_UNK_POLICY) ? 0 : ret; } - if((now - princ.last_pwd_change) < pol.pw_min_life && + if(ts_delta(now, princ.last_pwd_change) < pol.pw_min_life && !(princ.attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { if (msg_ret != NULL) { time_t until; @@ -194,6 +95,8 @@ check_min_life(void *server_handle, krb5_principal principal, until = princ.last_pwd_change + pol.pw_min_life; time_string = ctime(&until); + if (time_string == NULL) + time_string = "(error)"; errstr = error_message(CHPASS_UTIL_PASSWORD_TOO_SOON); if (strlen(errstr) + strlen(time_string) < msg_len) { diff --git a/src/kadmin/server/misc.h b/src/kadmin/server/misc.h index ea0fc7d..3a112a0 100644 --- a/src/kadmin/server/misc.h +++ b/src/kadmin/server/misc.h @@ -13,23 +13,6 @@ int setup_gss_names(struct svc_req *, gss_buffer_desc *, gss_buffer_desc *); - -kadm5_ret_t -chpass_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - char *password); - -kadm5_ret_t -randkey_principal_wrapper_3(void *server_handle, - krb5_principal principal, - krb5_boolean keepold, - int n_ks_tuple, - krb5_key_salt_tuple *ks_tuple, - krb5_keyblock **keys, int *n_keys); - kadm5_ret_t schpw_util_wrapper(void *server_handle, krb5_principal client, krb5_principal target, krb5_boolean initial_flag, diff --git a/src/kadmin/server/ovsec_kadmd.c b/src/kadmin/server/ovsec_kadmd.c index a3edd3b..6a6b214 100644 --- a/src/kadmin/server/ovsec_kadmd.c +++ b/src/kadmin/server/ovsec_kadmd.c @@ -51,14 +51,13 @@ #include #include #include -#include #include #include "kdb_kt.h" /* for krb5_ktkdb_set_context */ #include -#include "kadm5/server_internal.h" /* XXX for kadm5_server_handle_t */ #include #include "misc.h" +#include "auth.h" #if defined(NEED_DAEMON_PROTO) int daemon(int, int); @@ -106,7 +105,6 @@ fail_to_start(krb5_error_code code, const char *msg) { const char *errmsg; - fprintf(stderr, "%s: ", progname); if (code) { errmsg = krb5_get_error_message(context, code); fprintf(stderr, _("%s: %s while %s, aborting\n"), progname, errmsg, @@ -138,11 +136,10 @@ write_pid_file(const char *pid_file) /* Set up the main loop. If proponly is set, don't set up ports for kpasswd or * kadmin. May set *ctx_out even on error. */ static krb5_error_code -setup_loop(int proponly, verto_ctx **ctx_out) +setup_loop(kadm5_config_params *params, int proponly, verto_ctx **ctx_out) { krb5_error_code ret; verto_ctx *ctx; - kadm5_server_handle_t handle = global_server_handle; *ctx_out = ctx = loop_init(VERTO_EV_TYPE_SIGNAL); if (ctx == NULL) @@ -151,24 +148,23 @@ setup_loop(int proponly, verto_ctx **ctx_out) if (ret) return ret; if (!proponly) { - ret = loop_add_udp_address(handle->params.kpasswd_port, - handle->params.kpasswd_listen); + ret = loop_add_udp_address(params->kpasswd_port, + params->kpasswd_listen); if (ret) return ret; - ret = loop_add_tcp_address(handle->params.kpasswd_port, - handle->params.kpasswd_listen); + ret = loop_add_tcp_address(params->kpasswd_port, + params->kpasswd_listen); if (ret) return ret; - ret = loop_add_rpc_service(handle->params.kadmind_port, - handle->params.kadmind_listen, + ret = loop_add_rpc_service(params->kadmind_port, + params->kadmind_listen, KADM, KADMVERS, kadm_1); if (ret) return ret; } #ifndef DISABLE_IPROP - if (handle->params.iprop_enabled) { - ret = loop_add_rpc_service(handle->params.iprop_port, - handle->params.iprop_listen, + if (params->iprop_enabled) { + ret = loop_add_rpc_service(params->iprop_port, params->iprop_listen, KRB5_IPROP_PROG, KRB5_IPROP_VERS, krb5_iprop_prog_1); if (ret) @@ -356,6 +352,7 @@ main(int argc, char *argv[]) verto_ctx *vctx; const char *pid_file = NULL; char **db_args = NULL, **tmpargs; + const char *acl_file; int ret, i, db_args_size = 0, strong_random = 1, proponly = 0; setlocale(LC_ALL, ""); @@ -471,8 +468,12 @@ main(int argc, char *argv[]) fail_to_start(0, _("Missing required realm configuration")); if (!(params.mask & KADM5_CONFIG_ACL_FILE)) fail_to_start(0, _("Missing required ACL file configuration")); + if (proponly && !params.iprop_enabled) { + fail_to_start(0, _("-proponly can only be used when " + "iprop_enable is true")); + } - ret = setup_loop(proponly, &vctx); + ret = setup_loop(¶ms, proponly, &vctx); if (ret) fail_to_start(ret, _("initializing network")); @@ -505,7 +506,8 @@ main(int argc, char *argv[]) if (svcauth_gss_set_svc_name(GSS_C_NO_NAME) != TRUE) fail_to_start(0, _("Cannot initialize GSSAPI service name")); - ret = kadm5int_acl_init(context, 0, params.acl_file); + acl_file = (*params.acl_file != '\0') ? params.acl_file : NULL; + ret = auth_init(context, acl_file); if (ret) fail_to_start(ret, _("initializing ACL file")); @@ -550,7 +552,7 @@ main(int argc, char *argv[]) svcauth_gssapi_unset_names(); kadm5_destroy(global_server_handle); loop_free(vctx); - kadm5int_acl_finish(context, 0); + auth_fini(context); (void)gss_release_name(&minor_status, &gss_changepw_name); (void)gss_release_name(&minor_status, &gss_oldchangepw_name); for (i = 0; i < 4; i++) @@ -558,5 +560,5 @@ main(int argc, char *argv[]) krb5_klog_close(context); krb5_free_context(context); - exit(2); + exit(0); } diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c index 900adf7..f7dea39 100644 --- a/src/kadmin/server/schpw.c +++ b/src/kadmin/server/schpw.c @@ -18,8 +18,8 @@ static krb5_error_code process_chpw_request(krb5_context context, void *server_handle, char *realm, - krb5_keytab keytab, const krb5_fulladdr *local_faddr, - const krb5_fulladdr *remote_faddr, krb5_data *req, + krb5_keytab keytab, const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_data *req, krb5_data *rep) { krb5_error_code ret; @@ -42,7 +42,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, struct sockaddr_storage ss; socklen_t salen; char addrbuf[100]; - krb5_address *addr = remote_faddr->address; + krb5_address *addr = remote_addr->address; *rep = empty_data(); @@ -205,15 +205,6 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, goto chpwfail; } - /* for cpw, verify that this is an AS_REQ ticket */ - if (vno == 1 && - (ticket->enc_part2->flags & TKT_FLG_INITIAL) == 0) { - numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED; - strlcpy(strresult, "Ticket must be derived from a password", - sizeof(strresult)); - goto chpwfail; - } - /* change the password */ ptr = k5memdup0(clear.data, clear.length, &ret); @@ -237,7 +228,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, sin->sin_family = AF_INET; memcpy(&sin->sin_addr, addr->contents, addr->length); - sin->sin_port = htons(remote_faddr->port); + sin->sin_port = htons(remote_addr->port); salen = sizeof(*sin); break; } @@ -246,7 +237,7 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, sin6->sin6_family = AF_INET6; memcpy(&sin6->sin6_addr, addr->contents, addr->length); - sin6->sin6_port = htons(remote_faddr->port); + sin6->sin6_port = htons(remote_addr->port); salen = sizeof(*sin6); break; } @@ -292,6 +283,9 @@ process_chpw_request(krb5_context context, void *server_handle, char *realm, case KADM5_AUTH_CHANGEPW: numresult = KRB5_KPASSWD_ACCESSDENIED; break; + case KADM5_AUTH_INITIAL: + numresult = KRB5_KPASSWD_INITIAL_FLAG_NEEDED; + break; case KADM5_PASS_Q_TOOSHORT: case KADM5_PASS_REUSE: case KADM5_PASS_Q_CLASS: @@ -326,7 +320,7 @@ chpwfail: if (ap_rep.length) { ret = krb5_auth_con_setaddrs(context, auth_context, - local_faddr->address, NULL); + local_addr->address, NULL); if (ret) { numresult = KRB5_KPASSWD_HARDERROR; strlcpy(strresult, @@ -366,7 +360,7 @@ chpwfail: to mk_error do. */ krberror.error = ret; krberror.error -= ERROR_TABLE_BASE_krb5; - if (krberror.error < 0 || krberror.error > KRB_ERR_MAX) + if (krberror.error > KRB_ERR_MAX) krberror.error = KRB_ERR_GENERIC; krberror.client = NULL; @@ -436,33 +430,22 @@ bailout: /* Dispatch routine for set/change password */ void -dispatch(void *handle, struct sockaddr *local_saddr, - const krb5_fulladdr *remote_faddr, krb5_data *request, int is_tcp, +dispatch(void *handle, const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_data *request, int is_tcp, verto_ctx *vctx, loop_respond_fn respond, void *arg) { krb5_error_code ret; krb5_keytab kt = NULL; kadm5_server_handle_t server_handle = (kadm5_server_handle_t)handle; - krb5_fulladdr local_faddr; - krb5_address **local_kaddrs = NULL, local_kaddr_buf; krb5_data *response = NULL; - - if (local_saddr == NULL) { - ret = krb5_os_localaddr(server_handle->context, &local_kaddrs); - if (ret != 0) - goto egress; - - local_faddr.address = local_kaddrs[0]; - local_faddr.port = 0; - } else { - local_faddr.address = &local_kaddr_buf; - init_addr(&local_faddr, local_saddr); - } + const char *emsg; ret = krb5_kt_resolve(server_handle->context, "KDB:", &kt); if (ret != 0) { + emsg = krb5_get_error_message(server_handle->context, ret); krb5_klog_syslog(LOG_ERR, _("chpw: Couldn't open admin keytab %s"), - krb5_get_error_message(server_handle->context, ret)); + emsg); + krb5_free_error_message(server_handle->context, emsg); goto egress; } @@ -474,14 +457,13 @@ dispatch(void *handle, struct sockaddr *local_saddr, handle, server_handle->params.realm, kt, - &local_faddr, - remote_faddr, + local_addr, + remote_addr, request, response); egress: if (ret) krb5_free_data(server_handle->context, response); - krb5_free_addresses(server_handle->context, local_kaddrs); krb5_kt_close(server_handle->context, kt); (*respond)(arg, ret, ret == 0 ? response : NULL); } diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c index 86c1625..cfef97f 100644 --- a/src/kadmin/server/server_stubs.c +++ b/src/kadmin/server/server_stubs.c @@ -12,10 +12,10 @@ #include #include #include -#include #include #include /* krb5_klog_syslog */ #include "misc.h" +#include "auth.h" extern gss_name_t gss_changepw_name; extern gss_name_t gss_oldchangepw_name; @@ -216,19 +216,6 @@ static gss_name_t acceptor_name(gss_ctx_id_t context) return name; } -static int cmp_gss_krb5_name(kadm5_server_handle_t handle, - gss_name_t gss_name, krb5_principal princ) -{ - krb5_principal princ2; - int status; - - if (! gss_to_krb5_name(handle, gss_name, &princ2)) - return 0; - status = krb5_principal_compare(handle->context, princ, princ2); - krb5_free_principal(handle->context, princ2); - return status; -} - static int gss_to_krb5_name(kadm5_server_handle_t handle, gss_name_t gss_name, krb5_principal *princ) { @@ -314,12 +301,76 @@ stub_cleanup(kadm5_server_handle_t handle, char *princ_str, { OM_uint32 minor_stat; + auth_end(handle->context); free_server_handle(handle); free(princ_str); gss_release_buffer(&minor_stat, client_name); gss_release_buffer(&minor_stat, service_name); } +static krb5_boolean +stub_auth(kadm5_server_handle_t handle, int opcode, krb5_const_principal p1, + krb5_const_principal p2, const char *s1, const char *s2) +{ + return auth(handle->context, opcode, handle->current_caller, p1, p2, + s1, s2, NULL, 0); +} + +static krb5_boolean +stub_auth_pol(kadm5_server_handle_t handle, int opcode, const char *policy, + const kadm5_policy_ent_rec *polent, long mask) +{ + return auth(handle->context, opcode, handle->current_caller, NULL, NULL, + policy, NULL, polent, mask); +} + +static krb5_boolean +stub_auth_restrict(kadm5_server_handle_t handle, int opcode, + kadm5_principal_ent_t ent, long *mask) +{ + return auth_restrict(handle->context, opcode, handle->current_caller, + ent, mask); +} + +/* Return true if the client authenticated to kadmin/changepw and princ is not + * the client principal. */ +static krb5_boolean +changepw_not_self(kadm5_server_handle_t handle, struct svc_req *rqstp, + krb5_const_principal princ) +{ + return CHANGEPW_SERVICE(rqstp) && + !krb5_principal_compare(handle->context, handle->current_caller, + princ); +} + +static krb5_boolean +ticket_is_initial(struct svc_req *rqstp) +{ + OM_uint32 status, minor_stat; + krb5_flags flags; + + status = gss_krb5_get_tkt_flags(&minor_stat, rqstp->rq_svccred, &flags); + if (status != GSS_S_COMPLETE) + return 0; + return (flags & TKT_FLG_INITIAL) != 0; +} + +/* If a key change request is for the client's own principal, verify that the + * client used an initial ticket and enforce the policy min_life. */ +static kadm5_ret_t +check_self_keychange(kadm5_server_handle_t handle, struct svc_req *rqstp, + krb5_principal princ) +{ + if (!krb5_principal_compare(handle->context, handle->current_caller, + princ)) + return 0; + + if (!ticket_is_initial(rqstp)) + return KADM5_AUTH_INITIAL; + + return check_min_life(handle, princ, NULL, 0); +} + static int log_unauth( char *op, @@ -387,7 +438,6 @@ create_principal_2_svc(cprinc_arg *arg, generic_ret *ret, gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; kadm5_server_handle_t handle; - restriction_t *rp; const char *errmsg = NULL; ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal, @@ -396,11 +446,8 @@ create_principal_2_svc(cprinc_arg *arg, generic_ret *ret, if (ret->code) goto exit_func; - if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth_restrict(handle, OP_ADDPRINC, &arg->rec, &arg->mask)) { ret->code = KADM5_AUTH_ADD; log_unauth("kadm5_create_principal", prime_arg, &client_name, &service_name, rqstp); @@ -431,7 +478,6 @@ create_principal3_2_svc(cprinc3_arg *arg, generic_ret *ret, gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; kadm5_server_handle_t handle; - restriction_t *rp; const char *errmsg = NULL; ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal, @@ -440,11 +486,8 @@ create_principal3_2_svc(cprinc3_arg *arg, generic_ret *ret, if (ret->code) goto exit_func; - if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_ADD, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth_restrict(handle, OP_ADDPRINC, &arg->rec, &arg->mask)) { ret->code = KADM5_AUTH_ADD; log_unauth("kadm5_create_principal", prime_arg, &client_name, &service_name, rqstp); @@ -498,9 +541,8 @@ delete_principal_2_svc(dprinc_arg *arg, generic_ret *ret, if (ret->code) goto exit_func; - if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_DELETE, - arg->princ, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_DELPRINC, arg->princ, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_DELETE; log_unauth("kadm5_delete_principal", prime_arg, &client_name, &service_name, rqstp); @@ -540,7 +582,6 @@ modify_principal_2_svc(mprinc_arg *arg, generic_ret *ret, gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; kadm5_server_handle_t handle; - restriction_t *rp; const char *errmsg = NULL; ret->code = stub_setup(arg->api_version, rqstp, arg->rec.principal, @@ -549,11 +590,8 @@ modify_principal_2_svc(mprinc_arg *arg, generic_ret *ret, if (ret->code) goto exit_func; - if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, - arg->rec.principal, &rp) - || kadm5int_acl_impose_restrictions(handle->context, - &arg->rec, &arg->mask, rp)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth_restrict(handle, OP_MODPRINC, &arg->rec, &arg->mask)) { ret->code = KADM5_AUTH_MODIFY; log_unauth("kadm5_modify_principal", prime_arg, &client_name, &service_name, rqstp); @@ -592,7 +630,6 @@ rename_principal_2_svc(rprinc_arg *arg, generic_ret *ret, gss_buffer_desc client_name = GSS_C_EMPTY_BUFFER; gss_buffer_desc service_name = GSS_C_EMPTY_BUFFER; kadm5_server_handle_t handle; - restriction_t *rp; const char *errmsg = NULL; size_t tlen1, tlen2, clen, slen; char *tdots1, *tdots2, *cdots, *sdots; @@ -617,29 +654,19 @@ rename_principal_2_svc(rprinc_arg *arg, generic_ret *ret, slen = service_name.length; trunc_name(&slen, &sdots); - ret->code = KADM5_OK; - if (! CHANGEPW_SERVICE(rqstp)) { - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_DELETE, arg->src, NULL)) + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_RENPRINC, arg->src, arg->dest, NULL, NULL)) { + ret->code = KADM5_AUTH_INSUFFICIENT; + log_unauth("kadm5_rename_principal", prime_arg1, &client_name, + &service_name, rqstp); + } else { + ret->code = check_lockdown_keys(handle, arg->src); + if (ret->code == KADM5_PROTECT_KEYS) { + log_unauth("kadm5_rename_principal", prime_arg1, &client_name, + &service_name, rqstp); ret->code = KADM5_AUTH_DELETE; - /* any restrictions at all on the ADD kills the RENAME */ - if (!kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_ADD, arg->dest, &rp) || rp) { - if (ret->code == KADM5_AUTH_DELETE) - ret->code = KADM5_AUTH_INSUFFICIENT; - else - ret->code = KADM5_AUTH_ADD; - } - if (ret->code == KADM5_OK) { - ret->code = check_lockdown_keys(handle, arg->src); - if (ret->code == KADM5_PROTECT_KEYS) { - log_unauth("kadm5_rename_principal", prime_arg1, &client_name, - &service_name, rqstp); - ret->code = KADM5_AUTH_DELETE; - } } - } else - ret->code = KADM5_AUTH_INSUFFICIENT; + } if (ret->code != KADM5_OK) { /* okay to cast lengths to int because trunc_name limits max value */ krb5_klog_syslog(LOG_NOTICE, @@ -696,12 +723,8 @@ get_principal_2_svc(gprinc_arg *arg, gprinc_ret *ret, struct svc_req *rqstp) funcname = "kadm5_get_principal"; - if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && - (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_INQUIRE, - arg->princ, - NULL))) { + if (changepw_not_self(handle, rqstp, arg->princ) || + !stub_auth(handle, OP_GETPRINC, arg->princ, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_GET; log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); @@ -743,11 +766,8 @@ get_princs_2_svc(gprincs_arg *arg, gprincs_ret *ret, struct svc_req *rqstp) if (prime_arg == NULL) prime_arg = "*"; - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_LIST, - NULL, - NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_LISTPRINCS, NULL, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_LIST; log_unauth("kadm5_get_principals", prime_arg, &client_name, &service_name, rqstp); @@ -793,17 +813,15 @@ chpass_principal_2_svc(chpass_arg *arg, generic_ret *ret, &service_name, rqstp); ret->code = KADM5_AUTH_CHANGEPW; } - } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret->code = chpass_principal_wrapper_3(handle, arg->princ, FALSE, 0, - NULL, arg->pass); - } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret->code = kadm5_chpass_principal(handle, arg->princ, arg->pass); - } else { + } else if (changepw_not_self(handle, rqstp, arg->princ) || + !stub_auth(handle, OP_CPW, arg->princ, NULL, NULL, NULL)) { + ret->code = KADM5_AUTH_CHANGEPW; log_unauth("kadm5_chpass_principal", prime_arg, &client_name, &service_name, rqstp); - ret->code = KADM5_AUTH_CHANGEPW; + } else { + ret->code = check_self_keychange(handle, rqstp, arg->princ); + if (!ret->code) + ret->code = kadm5_chpass_principal(handle, arg->princ, arg->pass); } if (ret->code != KADM5_AUTH_CHANGEPW) { @@ -845,20 +863,18 @@ chpass_principal3_2_svc(chpass3_arg *arg, generic_ret *ret, &service_name, rqstp); ret->code = KADM5_AUTH_CHANGEPW; } - } else if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret->code = chpass_principal_wrapper_3(handle, arg->princ, - arg->keepold, arg->n_ks_tuple, - arg->ks_tuple, arg->pass); - } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret->code = kadm5_chpass_principal_3(handle, arg->princ, arg->keepold, - arg->n_ks_tuple, arg->ks_tuple, - arg->pass); - } else { + } else if (changepw_not_self(handle, rqstp, arg->princ) || + !stub_auth(handle, OP_CPW, arg->princ, NULL, NULL, NULL)) { + ret->code = KADM5_AUTH_CHANGEPW; log_unauth("kadm5_chpass_principal", prime_arg, &client_name, &service_name, rqstp); - ret->code = KADM5_AUTH_CHANGEPW; + } else { + ret->code = check_self_keychange(handle, rqstp, arg->princ); + if (!ret->code) { + ret->code = kadm5_chpass_principal_3(handle, arg->princ, + arg->keepold, arg->n_ks_tuple, + arg->ks_tuple, arg->pass); + } } if (ret->code != KADM5_AUTH_CHANGEPW) { @@ -901,8 +917,7 @@ setv4key_principal_2_svc(setv4key_arg *arg, generic_ret *ret, ret->code = KADM5_AUTH_SETKEY; } } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { + stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { ret->code = kadm5_setv4key_principal(handle, arg->princ, arg->keyblock); } else { @@ -952,8 +967,7 @@ setkey_principal_2_svc(setkey_arg *arg, generic_ret *ret, ret->code = KADM5_AUTH_SETKEY; } } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { + stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { ret->code = kadm5_setkey_principal(handle, arg->princ, arg->keyblocks, arg->n_keys); } else { @@ -1002,8 +1016,7 @@ setkey_principal3_2_svc(setkey3_arg *arg, generic_ret *ret, ret->code = KADM5_AUTH_SETKEY; } } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { + stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { ret->code = kadm5_setkey_principal_3(handle, arg->princ, arg->keepold, arg->n_ks_tuple, arg->ks_tuple, arg->keyblocks, arg->n_keys); @@ -1053,8 +1066,7 @@ setkey_principal4_2_svc(setkey4_arg *arg, generic_ret *ret, ret->code = KADM5_AUTH_SETKEY; } } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_SETKEY, arg->princ, NULL)) { + stub_auth(handle, OP_SETKEY, arg->princ, NULL, NULL, NULL)) { ret->code = kadm5_setkey_principal_4(handle, arg->princ, arg->keepold, arg->key_data, arg->n_key_data); } else { @@ -1079,8 +1091,8 @@ exit_func: return TRUE; } -/* Empty out *keys/*nkeys if princ is protected with the lockdown attribute, or - * if we fail to check. */ +/* Empty out *keys / *nkeys if princ is protected with the lockdown + * attribute, or if we fail to check. */ static kadm5_ret_t chrand_check_lockdown(kadm5_server_handle_t handle, krb5_principal princ, krb5_keyblock **keys, int *nkeys) @@ -1119,17 +1131,17 @@ chrand_principal_2_svc(chrand_arg *arg, chrand_ret *ret, struct svc_req *rqstp) funcname = "kadm5_randkey_principal"; - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret->code = randkey_principal_wrapper_3(handle, arg->princ, FALSE, 0, - NULL, &k, &nkeys); - } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret->code = kadm5_randkey_principal(handle, arg->princ, &k, &nkeys); - } else { + if (changepw_not_self(handle, rqstp, arg->princ) || + !stub_auth(handle, OP_CHRAND, arg->princ, NULL, NULL, NULL)) { + ret->code = KADM5_AUTH_CHANGEPW; log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); - ret->code = KADM5_AUTH_CHANGEPW; + } else { + ret->code = check_self_keychange(handle, rqstp, arg->princ); + if (!ret->code) { + ret->code = kadm5_randkey_principal(handle, arg->princ, + &k, &nkeys); + } } if (ret->code == KADM5_OK) { @@ -1176,20 +1188,19 @@ chrand_principal3_2_svc(chrand3_arg *arg, chrand_ret *ret, funcname = "kadm5_randkey_principal"; - if (cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ)) { - ret->code = randkey_principal_wrapper_3(handle, arg->princ, - arg->keepold, arg->n_ks_tuple, - arg->ks_tuple, &k, &nkeys); - } else if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_CHANGEPW, arg->princ, NULL)) { - ret->code = kadm5_randkey_principal_3(handle, arg->princ, arg->keepold, - arg->n_ks_tuple, arg->ks_tuple, - &k, &nkeys); - } else { + if (changepw_not_self(handle, rqstp, arg->princ) || + !stub_auth(handle, OP_CHRAND, arg->princ, NULL, NULL, NULL)) { + ret->code = KADM5_AUTH_CHANGEPW; log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); - ret->code = KADM5_AUTH_CHANGEPW; + } else { + ret->code = check_self_keychange(handle, rqstp, arg->princ); + if (!ret->code) { + ret->code = kadm5_randkey_principal_3(handle, arg->princ, + arg->keepold, + arg->n_ks_tuple, + arg->ks_tuple, &k, &nkeys); + } } if (ret->code == KADM5_OK) { @@ -1233,9 +1244,9 @@ create_policy_2_svc(cpol_arg *arg, generic_ret *ret, struct svc_req *rqstp) prime_arg = arg->rec.policy; - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_ADD, NULL, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth_pol(handle, OP_ADDPOL, arg->rec.policy, + &arg->rec, arg->mask)) { ret->code = KADM5_AUTH_ADD; log_unauth("kadm5_create_policy", prime_arg, &client_name, &service_name, rqstp); @@ -1275,9 +1286,8 @@ delete_policy_2_svc(dpol_arg *arg, generic_ret *ret, struct svc_req *rqstp) prime_arg = arg->name; - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_DELETE, NULL, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_DELPOL, NULL, NULL, arg->name, NULL)) { log_unauth("kadm5_delete_policy", prime_arg, &client_name, &service_name, rqstp); ret->code = KADM5_AUTH_DELETE; @@ -1316,9 +1326,9 @@ modify_policy_2_svc(mpol_arg *arg, generic_ret *ret, struct svc_req *rqstp) prime_arg = arg->rec.policy; - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_MODIFY, NULL, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth_pol(handle, OP_MODPOL, arg->rec.policy, + &arg->rec, arg->mask)) { log_unauth("kadm5_modify_policy", prime_arg, &client_name, &service_name, rqstp); ret->code = KADM5_AUTH_MODIFY; @@ -1349,7 +1359,9 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp) kadm5_ret_t ret2; kadm5_principal_ent_rec caller_ent; kadm5_server_handle_t handle; - const char *errmsg = NULL; + const char *errmsg = NULL, *cpolicy = NULL; + + memset(&caller_ent, 0, sizeof(caller_ent)); ret->code = stub_setup(arg->api_version, rqstp, NULL, &handle, &ret->api_version, &client_name, &service_name, @@ -1361,31 +1373,20 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp) prime_arg = arg->name; - ret->code = KADM5_AUTH_GET; - if (!CHANGEPW_SERVICE(rqstp) && kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_INQUIRE, NULL, NULL)) - ret->code = KADM5_OK; - else { - ret->code = kadm5_get_principal(handle->lhandle, - handle->current_caller, &caller_ent, - KADM5_PRINCIPAL_NORMAL_MASK); - if (ret->code == KADM5_OK) { - if (caller_ent.aux_attributes & KADM5_POLICY && - strcmp(caller_ent.policy, arg->name) == 0) { - ret->code = KADM5_OK; - } else { - ret->code = KADM5_AUTH_GET; - } - ret2 = kadm5_free_principal_ent(handle->lhandle, - &caller_ent); - ret->code = ret->code ? ret->code : ret2; - } - } + /* Look up the client principal's policy value. */ + ret2 = kadm5_get_principal(handle->lhandle, handle->current_caller, + &caller_ent, KADM5_PRINCIPAL_NORMAL_MASK); + if (ret2 == KADM5_OK && (caller_ent.aux_attributes & KADM5_POLICY)) + cpolicy = caller_ent.policy; - if (ret->code == KADM5_OK) { + ret->code = KADM5_AUTH_GET; + if ((CHANGEPW_SERVICE(rqstp) && + (cpolicy == NULL || strcmp(cpolicy, arg->name) != 0)) || + !stub_auth(handle, OP_GETPOL, NULL, NULL, arg->name, cpolicy)) { + ret->code = KADM5_AUTH_GET; + log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); + } else { ret->code = kadm5_get_policy(handle, arg->name, &ret->rec); - if (ret->code != 0) errmsg = krb5_get_error_message(handle->context, ret->code); @@ -1394,13 +1395,10 @@ get_policy_2_svc(gpol_arg *arg, gpol_ret *ret, struct svc_req *rqstp) &client_name, &service_name, rqstp); if (errmsg != NULL) krb5_free_error_message(handle->context, errmsg); - - } else { - log_unauth(funcname, prime_arg, - &client_name, &service_name, rqstp); } exit_func: + (void)kadm5_free_principal_ent(handle->lhandle, &caller_ent); stub_cleanup(handle, NULL, &client_name, &service_name); return TRUE; } @@ -1424,9 +1422,8 @@ get_pols_2_svc(gpols_arg *arg, gpols_ret *ret, struct svc_req *rqstp) if (prime_arg == NULL) prime_arg = "*"; - if (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_LIST, NULL, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_LISTPOLS, NULL, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_LIST; log_unauth("kadm5_get_policies", prime_arg, &client_name, &service_name, rqstp); @@ -1494,10 +1491,8 @@ purgekeys_2_svc(purgekeys_arg *arg, generic_ret *ret, struct svc_req *rqstp) funcname = "kadm5_purgekeys"; - if (!cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && - (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, - arg->princ, NULL))) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_PURGEKEYS, arg->princ, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_MODIFY; log_unauth(funcname, prime_arg, &client_name, &service_name, rqstp); } else { @@ -1532,12 +1527,8 @@ get_strings_2_svc(gstrings_arg *arg, gstrings_ret *ret, struct svc_req *rqstp) if (ret->code) goto exit_func; - if (! cmp_gss_krb5_name(handle, rqst2name(rqstp), arg->princ) && - (CHANGEPW_SERVICE(rqstp) || !kadm5int_acl_check(handle->context, - rqst2name(rqstp), - ACL_INQUIRE, - arg->princ, - NULL))) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_GETSTRS, arg->princ, NULL, NULL, NULL)) { ret->code = KADM5_AUTH_GET; log_unauth("kadm5_get_strings", prime_arg, &client_name, &service_name, rqstp); @@ -1574,9 +1565,9 @@ set_string_2_svc(sstring_arg *arg, generic_ret *ret, struct svc_req *rqstp) if (ret->code) goto exit_func; - if (CHANGEPW_SERVICE(rqstp) - || !kadm5int_acl_check(handle->context, rqst2name(rqstp), ACL_MODIFY, - arg->princ, NULL)) { + if (CHANGEPW_SERVICE(rqstp) || + !stub_auth(handle, OP_SETSTR, arg->princ, NULL, + arg->key, arg->value)) { ret->code = KADM5_AUTH_MODIFY; log_unauth("kadm5_mod_strings", prime_arg, &client_name, &service_name, rqstp); @@ -1665,8 +1656,7 @@ get_principal_keys_2_svc(getpkeys_arg *arg, getpkeys_ret *ret, goto exit_func; if (!(CHANGEPW_SERVICE(rqstp)) && - kadm5int_acl_check(handle->context, rqst2name(rqstp), - ACL_EXTRACT, arg->princ, NULL)) { + stub_auth(handle, OP_EXTRACT, arg->princ, NULL, NULL, NULL)) { ret->code = kadm5_get_principal_keys(handle, arg->princ, arg->kvno, &ret->key_data, &ret->n_key_data); } else { diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c index a4997c6..9dde579 100644 --- a/src/kadmin/testing/util/tcl_kadm5.c +++ b/src/kadmin/testing/util/tcl_kadm5.c @@ -697,13 +697,13 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ, } else Tcl_DStringAppendElement(str, "null"); - sprintf(buf, "%d", princ->princ_expire_time); + sprintf(buf, "%u", (unsigned int)princ->princ_expire_time); Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", princ->last_pwd_change); + sprintf(buf, "%u", (unsigned int)princ->last_pwd_change); Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", princ->pw_expiration); + sprintf(buf, "%u", (unsigned int)princ->pw_expiration); Tcl_DStringAppendElement(str, buf); sprintf(buf, "%d", princ->max_life); @@ -722,7 +722,7 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ, } else Tcl_DStringAppendElement(str, "null"); - sprintf(buf, "%d", princ->mod_date); + sprintf(buf, "%u", (unsigned int)princ->mod_date); Tcl_DStringAppendElement(str, buf); if (mask & KADM5_ATTRIBUTES) { @@ -758,10 +758,10 @@ static Tcl_DString *unparse_principal_ent(kadm5_principal_ent_t princ, sprintf(buf, "%d", princ->max_renewable_life); Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", princ->last_success); + sprintf(buf, "%u", (unsigned int)princ->last_success); Tcl_DStringAppendElement(str, buf); - sprintf(buf, "%d", princ->last_failed); + sprintf(buf, "%u", (unsigned int)princ->last_failed); Tcl_DStringAppendElement(str, buf); sprintf(buf, "%d", princ->fail_auth_count); diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in index 61a3dbc..117a8f5 100644 --- a/src/kdc/Makefile.in +++ b/src/kdc/Makefile.in @@ -85,6 +85,7 @@ check-cmocka: t_replay check-pytests: $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_bigreply.py $(PYTESTFLAGS) install: $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc diff --git a/src/kdc/deps b/src/kdc/deps index b5257c7..9bf1db1 100644 --- a/src/kdc/deps +++ b/src/kdc/deps @@ -171,20 +171,22 @@ $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h extern.h kdc5_err.h \ - kdc_audit.h kdc_util.h main.c realm_data.h reqstate.h + kdc_audit.h kdc_util.h main.c policy.h realm_data.h \ + reqstate.h $(OUTPRE)policy.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpolicy_plugin.h \ $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h extern.h kdc_util.h \ - policy.c realm_data.h reqstate.h + policy.c policy.h realm_data.h reqstate.h $(OUTPRE)extern.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -200,15 +202,16 @@ $(OUTPRE)replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/net-server.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - extern.h kdc_util.h realm_data.h replay.c reqstate.h + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hashtab.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/net-server.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h extern.h kdc_util.h \ + realm_data.h replay.c reqstate.h $(OUTPRE)kdc_authdata.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ @@ -279,8 +282,9 @@ $(OUTPRE)kdc_log.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(OUTPRE)t_replay.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(VERTO_DEPS) \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-cmocka.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-queue.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ diff --git a/src/kdc/dispatch.c b/src/kdc/dispatch.c index 3a169eb..3ed5176 100644 --- a/src/kdc/dispatch.c +++ b/src/kdc/dispatch.c @@ -94,8 +94,8 @@ static void reseed_random(krb5_context kdc_err_context) { krb5_error_code retval; - krb5_int32 now, now_usec; - krb5_int32 usec_difference; + krb5_timestamp now; + krb5_int32 now_usec, usec_difference; krb5_data data; retval = krb5_crypto_us_timeofday(&now, &now_usec); @@ -104,7 +104,7 @@ reseed_random(krb5_context kdc_err_context) if (last_os_random == 0) last_os_random = now; /* Grab random data from OS every hour*/ - if (now-last_os_random >= 60 * 60) { + if (ts_delta(now, last_os_random) >= 60 * 60) { krb5_c_random_os_entropy(kdc_err_context, 0, NULL); last_os_random = now; } @@ -119,12 +119,12 @@ reseed_random(krb5_context kdc_err_context) } void -dispatch(void *cb, struct sockaddr *local_saddr, - const krb5_fulladdr *from, krb5_data *pkt, int is_tcp, +dispatch(void *cb, const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_data *pkt, int is_tcp, verto_ctx *vctx, loop_respond_fn respond, void *arg) { krb5_error_code retval; - krb5_kdc_req *as_req; + krb5_kdc_req *req = NULL; krb5_data *response = NULL; struct dispatch_state *state; struct server_handle *handle = cb; @@ -150,8 +150,8 @@ dispatch(void *cb, struct sockaddr *local_saddr, const char *name = 0; char buf[46]; - name = inet_ntop (ADDRTYPE2FAMILY (from->address->addrtype), - from->address->contents, buf, sizeof (buf)); + name = inet_ntop(ADDRTYPE2FAMILY(remote_addr->address->addrtype), + remote_addr->address->contents, buf, sizeof(buf)); if (name == 0) name = "[unknown address type]"; if (response) @@ -176,28 +176,35 @@ dispatch(void *cb, struct sockaddr *local_saddr, /* try TGS_REQ first; they are more common! */ + if (krb5_is_tgs_req(pkt)) + retval = decode_krb5_tgs_req(pkt, &req); + else if (krb5_is_as_req(pkt)) + retval = decode_krb5_as_req(pkt, &req); + else + retval = KRB5KRB_AP_ERR_MSG_TYPE; + if (retval) + goto done; + + state->active_realm = setup_server_realm(handle, req->server); + if (state->active_realm == NULL) { + retval = KRB5KDC_ERR_WRONG_REALM; + goto done; + } + if (krb5_is_tgs_req(pkt)) { - retval = process_tgs_req(handle, pkt, from, &response); + /* process_tgs_req frees the request */ + retval = process_tgs_req(req, pkt, remote_addr, state->active_realm, + &response); + req = NULL; } else if (krb5_is_as_req(pkt)) { - if (!(retval = decode_krb5_as_req(pkt, &as_req))) { - /* - * setup_server_realm() sets up the global realm-specific data - * pointer. - * process_as_req frees the request if it is called - */ - state->active_realm = setup_server_realm(handle, as_req->server); - if (state->active_realm != NULL) { - process_as_req(as_req, pkt, from, state->active_realm, vctx, - finish_dispatch_cache, state); - return; - } else { - retval = KRB5KDC_ERR_WRONG_REALM; - krb5_free_kdc_req(kdc_err_context, as_req); - } - } - } else - retval = KRB5KRB_AP_ERR_MSG_TYPE; + /* process_as_req frees the request and calls finish_dispatch_cache. */ + process_as_req(req, pkt, local_addr, remote_addr, state->active_realm, + vctx, finish_dispatch_cache, state); + return; + } +done: + krb5_free_kdc_req(kdc_err_context, req); finish_dispatch_cache(state, retval, response); } diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c index a4bf91b..588c137 100644 --- a/src/kdc/do_as_req.c +++ b/src/kdc/do_as_req.c @@ -87,7 +87,7 @@ get_key_exp(krb5_db_entry *entry) return entry->pw_expiration; if (entry->pw_expiration == 0) return entry->expiration; - return min(entry->expiration, entry->pw_expiration); + return ts_min(entry->expiration, entry->pw_expiration); } /* @@ -160,7 +160,8 @@ struct as_req_state { struct kdc_request_state *rstate; char *sname, *cname; void *pa_context; - const krb5_fulladdr *from; + const krb5_fulladdr *local_addr; + const krb5_fulladdr *remote_addr; krb5_data **auth_indicators; krb5_error_code preauth_err; @@ -207,6 +208,13 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->ticket_reply.enc_part2 = &state->enc_tkt_reply; + errcode = check_kdcpolicy_as(kdc_context, state->request, state->client, + state->server, state->auth_indicators, + state->kdc_time, &state->enc_tkt_reply.times, + &state->status); + if (errcode) + goto egress; + /* * Find the server key */ @@ -239,10 +247,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.ticket = &state->ticket_reply; state->reply_encpart.session = &state->session_key; if ((errcode = fetch_last_req_info(state->client, - &state->reply_encpart.last_req))) { - state->status = "FETCH_LAST_REQ"; + &state->reply_encpart.last_req))) goto egress; - } state->reply_encpart.nonce = state->request->nonce; state->reply_encpart.key_exp = get_key_exp(state->client); state->reply_encpart.flags = state->enc_tkt_reply.flags; @@ -300,27 +306,21 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = krb5_encrypt_tkt_part(kdc_context, &state->server_keyblock, &state->ticket_reply); - if (errcode) { - state->status = "ENCRYPT_TICKET"; + if (errcode) goto egress; - } errcode = kau_make_tkt_id(kdc_context, &state->ticket_reply, &au_state->tkt_out_id); - if (errcode) { - state->status = "GENERATE_TICKET_ID"; + if (errcode) goto egress; - } state->ticket_reply.enc_part.kvno = server_key->key_data_kvno; errcode = kdc_fast_response_handle_padata(state->rstate, state->request, &state->reply, state->client_keyblock.enctype); - if (errcode) { - state->status = "MAKE_FAST_RESPONSE"; + if (errcode) goto egress; - } /* now encode/encrypt the response */ @@ -328,10 +328,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) errcode = kdc_fast_handle_reply_key(state->rstate, &state->client_keyblock, &as_encrypting_key); - if (errcode) { - state->status = "MAKE_FAST_REPLY_KEY"; + if (errcode) goto egress; - } errcode = return_enc_padata(kdc_context, state->req_pkt, state->request, as_encrypting_key, state->server, &state->reply_encpart, FALSE); @@ -348,10 +346,8 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) &state->reply, &response); if (state->client_key != NULL) state->reply.enc_part.kvno = state->client_key->key_data_kvno; - if (errcode) { - state->status = "ENCODE_KDC_REP"; + if (errcode) goto egress; - } /* these parts are left on as a courtesy from krb5_encode_kdc_rep so we can use them in raw form if needed. But, we don't... */ @@ -359,9 +355,9 @@ finish_process_as_req(struct as_req_state *state, krb5_error_code errcode) state->reply.enc_part.ciphertext.length); free(state->reply.enc_part.ciphertext.data); - log_as_req(kdc_context, state->from, state->request, &state->reply, - state->client, state->cname, state->server, - state->sname, state->authtime, 0, 0, 0); + log_as_req(kdc_context, state->local_addr, state->remote_addr, + state->request, &state->reply, state->client, state->cname, + state->server, state->sname, state->authtime, 0, 0, 0); did_log = 1; egress: @@ -381,8 +377,8 @@ egress: emsg = krb5_get_error_message(kdc_context, errcode); if (state->status) { - log_as_req(kdc_context, - state->from, state->request, &state->reply, state->client, + log_as_req(kdc_context, state->local_addr, state->remote_addr, + state->request, &state->reply, state->client, state->cname, state->server, state->sname, state->authtime, state->status, errcode, emsg); did_log = 1; @@ -492,7 +488,8 @@ finish_preauth(void *arg, krb5_error_code code) /*ARGSUSED*/ void process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, - const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm, + const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, kdc_realm_t *kdc_active_realm, verto_ctx *vctx, loop_respond_fn respond, void *arg) { krb5_error_code errcode; @@ -511,7 +508,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->arg = arg; state->request = request; state->req_pkt = req_pkt; - state->from = from; + state->local_addr = local_addr; + state->remote_addr = remote_addr; state->active_realm = kdc_active_realm; errcode = kdc_make_rstate(kdc_active_realm, &state->rstate); @@ -522,7 +520,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } /* Initialize audit state. */ - errcode = kau_init_kdc_req(kdc_context, state->request, from, &au_state); + errcode = kau_init_kdc_req(kdc_context, state->request, remote_addr, + &au_state); if (errcode) { (*respond)(arg, errcode, NULL); kdc_free_rstate(state->rstate); @@ -543,7 +542,6 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, if (fetch_asn1_field((unsigned char *) req_pkt->data, 1, 4, &encoded_req_body) != 0) { errcode = ASN1_BAD_ID; - state->status = "FETCH_REQ_BODY"; goto errout; } errcode = kdc_find_fast(&state->request, &encoded_req_body, NULL, NULL, @@ -556,10 +554,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, /* Not a FAST request; copy the encoded request body. */ errcode = krb5_copy_data(kdc_context, &encoded_req_body, &state->inner_body); - if (errcode) { - state->status = "COPY_REQ_BODY"; + if (errcode) goto errout; - } } au_state->request = state->request; state->rock.request = state->request; @@ -567,6 +563,7 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->rock.rstate = state->rstate; state->rock.vctx = vctx; state->rock.auth_indicators = &state->auth_indicators; + state->rock.send_freshness_token = FALSE; if (!state->request->client) { state->status = "NULL_CLIENT"; errcode = KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; @@ -574,10 +571,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->client, - &state->cname))) { - state->status = "UNPARSE_CLIENT"; + &state->cname))) goto errout; - } limit_string(state->cname); if (!state->request->server) { @@ -587,10 +582,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_unparse_name(kdc_context, state->request->server, - &state->sname))) { - state->status = "UNPARSE_SERVER"; + &state->sname))) goto errout; - } limit_string(state->sname); /* @@ -667,21 +660,18 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->status = "GET_LOCAL_TGT"; goto errout; } + state->rock.local_tgt = state->local_tgt; au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) { - state->status = "TIMEOFDAY"; + if ((errcode = krb5_timeofday(kdc_context, &state->kdc_time))) goto errout; - } state->authtime = state->kdc_time; /* for audit_as_request() */ if ((errcode = validate_as_request(kdc_active_realm, state->request, *state->client, *state->server, state->kdc_time, &state->status, &state->e_data))) { - if (!state->status) - state->status = "UNKNOWN_REASON"; errcode += ERROR_TABLE_BASE_krb5; goto errout; } @@ -701,10 +691,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, } if ((errcode = krb5_c_make_random_key(kdc_context, useenctype, - &state->session_key))) { - state->status = "MAKE_RANDOM_KEY"; + &state->session_key))) goto errout; - } /* * Canonicalization is only effective if we are issuing a TGT @@ -785,10 +773,8 @@ process_as_req(krb5_kdc_req *request, krb5_data *req_pkt, state->request->client = NULL; errcode = krb5_copy_principal(kdc_context, krb5_anonymous_principal(), &state->request->client); - if (errcode) { - state->status = "COPY_ANONYMOUS_PRINCIPAL"; + if (errcode) goto errout; - } state->enc_tkt_reply.client = state->request->client; setflag(state->client->attributes, KRB5_KDB_REQUIRES_PRE_AUTH); } @@ -841,6 +827,8 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, kdc_realm_t *kdc_active_realm = rstate->realm_data; size_t count; + errpkt.magic = KV5M_ERROR; + if (e_data_in != NULL) { /* Add a PA-FX-COOKIE to e_data_in. e_data is a shallow copy * containing aliases. */ @@ -854,7 +842,7 @@ prepare_error_as(struct kdc_request_state *rstate, krb5_kdc_req *request, e_data[count] = cookie; } - errpkt.ctime = request->nonce; + errpkt.ctime = 0; errpkt.cusec = 0; retval = krb5_us_timeofday(kdc_context, &errpkt.stime, &errpkt.susec); diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c index 339259f..587342a 100644 --- a/src/kdc/do_tgs_req.c +++ b/src/kdc/do_tgs_req.c @@ -98,12 +98,12 @@ search_sprinc(kdc_realm_t *, krb5_kdc_req *, krb5_flags, /*ARGSUSED*/ krb5_error_code -process_tgs_req(struct server_handle *handle, krb5_data *pkt, - const krb5_fulladdr *from, krb5_data **response) +process_tgs_req(krb5_kdc_req *request, krb5_data *pkt, + const krb5_fulladdr *from, kdc_realm_t *kdc_active_realm, + krb5_data **response) { krb5_keyblock * subkey = 0; krb5_keyblock *header_key = NULL; - krb5_kdc_req *request = 0; krb5_db_entry *server = NULL; krb5_db_entry *stkt_server = NULL; krb5_kdc_rep reply; @@ -113,7 +113,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, krb5_enc_tkt_part enc_tkt_reply; int newtransited = 0; krb5_error_code retval = 0; - krb5_keyblock encrypting_key; + krb5_keyblock server_keyblock, *encrypting_key; krb5_timestamp kdc_time, authtime = 0; krb5_keyblock session_key; krb5_keyblock *reply_key = NULL; @@ -136,7 +136,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, krb5_pa_data *pa_tgs_req; /*points into request*/ krb5_data scratch; krb5_pa_data **e_data = NULL; - kdc_realm_t *kdc_active_realm = NULL; krb5_audit_state *au_state = NULL; krb5_data **auth_indicators = NULL; @@ -144,38 +143,28 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, memset(&reply_encpart, 0, sizeof(reply_encpart)); memset(&ticket_reply, 0, sizeof(ticket_reply)); memset(&enc_tkt_reply, 0, sizeof(enc_tkt_reply)); + memset(&server_keyblock, 0, sizeof(server_keyblock)); session_key.contents = NULL; - retval = decode_krb5_tgs_req(pkt, &request); - if (retval) - return retval; /* Save pointer to client-requested service principal, in case of * errors before a successful call to search_sprinc(). */ sprinc = request->server; if (request->msg_type != KRB5_TGS_REQ) { - krb5_free_kdc_req(handle->kdc_err_context, request); + krb5_free_kdc_req(kdc_context, request); return KRB5_BADMSGTYPE; } - /* - * setup_server_realm() sets up the global realm-specific data pointer. - */ - kdc_active_realm = setup_server_realm(handle, request->server); - if (kdc_active_realm == NULL) { - krb5_free_kdc_req(handle->kdc_err_context, request); - return KRB5KDC_ERR_WRONG_REALM; - } errcode = kdc_make_rstate(kdc_active_realm, &state); if (errcode !=0) { - krb5_free_kdc_req(handle->kdc_err_context, request); + krb5_free_kdc_req(kdc_context, request); return errcode; } /* Initialize audit state. */ errcode = kau_init_kdc_req(kdc_context, request, from, &au_state); if (errcode) { - krb5_free_kdc_req(handle->kdc_err_context, request); + krb5_free_kdc_req(kdc_context, request); return errcode; } /* Seed the audit trail with the request ID and basic information. */ @@ -195,15 +184,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (!header_ticket) { errcode = KRB5_NO_TKT_SUPPLIED; /* XXX? */ - status="UNEXPECTED NULL in header_ticket"; goto cleanup; } errcode = kau_make_tkt_id(kdc_context, header_ticket, &au_state->tkt_in_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } scratch.length = pa_tgs_req->length; scratch.data = (char *) pa_tgs_req->contents; @@ -264,16 +250,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, au_state->stage = VALIDATE_POL; - if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) { - status = "TIME_OF_DAY"; + if ((errcode = krb5_timeofday(kdc_context, &kdc_time))) goto cleanup; - } if ((retval = validate_tgs_request(kdc_active_realm, request, *server, header_ticket, kdc_time, &status, &e_data))) { - if (!status) - status = "UNKNOWN_REASON"; if (retval == KDC_ERR_POLICY || retval == KDC_ERR_BADOPTION) au_state->violation = PROT_CONSTRAINT; errcode = retval + ERROR_TABLE_BASE_krb5; @@ -287,6 +269,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, errcode = kdc_process_s4u2self_req(kdc_active_realm, request, header_enc_tkt->client, + header_ticket->server, + is_referral, server, subkey, header_enc_tkt->session, @@ -306,16 +290,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, if (errcode) goto cleanup; - if (s4u_x509_user != NULL) { + if (s4u_x509_user != NULL) setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION); - if (is_referral) { - /* The requesting server appears to no longer exist, and we found - * a referral instead. Treat this as a server lookup failure. */ - errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; - status = "LOOKING_UP_SERVER"; - goto cleanup; - } - } /* Deal with user-to-user and constrained delegation */ errcode = decrypt_2ndtkt(kdc_active_realm, request, c_flags, @@ -340,7 +316,6 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, retval = kau_make_tkt_id(kdc_context, request->second_ticket[st_idx], &au_state->evid_tkt_id); if (retval) { - status = "GENERATE_TICKET_ID"; errcode = retval; goto cleanup; } @@ -500,12 +475,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, old_starttime = enc_tkt_reply.times.starttime ? enc_tkt_reply.times.starttime : enc_tkt_reply.times.authtime; - old_life = enc_tkt_reply.times.endtime - old_starttime; + old_life = ts_delta(enc_tkt_reply.times.endtime, old_starttime); enc_tkt_reply.times.starttime = kdc_time; enc_tkt_reply.times.endtime = - min(header_ticket->enc_part2->times.renew_till, - kdc_time + old_life); + ts_min(header_ticket->enc_part2->times.renew_till, + ts_incr(kdc_time, old_life)); } else { /* not a renew request */ enc_tkt_reply.times.starttime = kdc_time; @@ -518,6 +493,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, kdc_get_ticket_renewtime(kdc_active_realm, request, header_enc_tkt, client, server, &enc_tkt_reply); + errcode = check_kdcpolicy_tgs(kdc_context, request, server, header_ticket, + auth_indicators, kdc_time, + &enc_tkt_reply.times, &status); + if (errcode) + goto cleanup; + /* * Set authtime to be the same as header or evidence ticket's */ @@ -537,7 +518,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } if (isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) { krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2; - encrypting_key = *(t2enc->session); + encrypting_key = t2enc->session; } else { /* * Find the server key @@ -556,11 +537,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, * (it may be encrypted in the database) */ if ((errcode = krb5_dbe_decrypt_key_data(kdc_context, NULL, - server_key, &encrypting_key, + server_key, &server_keyblock, NULL))) { status = "DECRYPT_SERVER_KEY"; goto cleanup; } + encrypting_key = &server_keyblock; } if (isflagset(c_flags, KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) { @@ -671,7 +653,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_server, local_tgt, subkey != NULL ? subkey : header_ticket->enc_part2->session, - &encrypting_key, /* U2U or server key */ + encrypting_key, /* U2U or server key */ header_key, pkt, request, @@ -719,14 +701,10 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, ticket_kvno = server_key->key_data_kvno; } - errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, + errcode = krb5_encrypt_tkt_part(kdc_context, encrypting_key, &ticket_reply); - if (!isflagset(request->kdc_options, KDC_OPT_ENC_TKT_IN_SKEY)) - krb5_free_keyblock_contents(kdc_context, &encrypting_key); - if (errcode) { - status = "ENCRYPT_TICKET"; + if (errcode) goto cleanup; - } ticket_reply.enc_part.kvno = ticket_kvno; /* Start assembling the response */ au_state->stage = ENCR_REP; @@ -740,10 +718,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, s4u_x509_user, &reply, &reply_encpart); - if (errcode) { - status = "MAKE_S4U2SELF_PADATA"; + if (errcode) au_state->status = status; - } kau_s4u2self(kdc_context, errcode ? FALSE : TRUE, au_state); if (errcode) goto cleanup; @@ -775,16 +751,12 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, header_ticket->enc_part2->session->enctype; errcode = kdc_fast_response_handle_padata(state, request, &reply, subkey ? subkey->enctype : header_ticket->enc_part2->session->enctype); - if (errcode !=0 ) { - status = "MAKE_FAST_RESPONSE"; + if (errcode) goto cleanup; - } errcode =kdc_fast_handle_reply_key(state, subkey?subkey:header_ticket->enc_part2->session, &reply_key); - if (errcode) { - status = "MAKE_FAST_REPLY_KEY"; + if (errcode) goto cleanup; - } errcode = return_enc_padata(kdc_context, pkt, request, reply_key, server, &reply_encpart, is_referral && @@ -796,10 +768,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, } errcode = kau_make_tkt_id(kdc_context, &ticket_reply, &au_state->tkt_out_id); - if (errcode) { - status = "GENERATE_TICKET_ID"; + if (errcode) goto cleanup; - } if (kdc_fast_hide_client(state)) reply.client = (krb5_principal)krb5_anonymous_principal(); @@ -807,11 +777,8 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, subkey ? 1 : 0, reply_key, &reply, response); - if (errcode) { - status = "ENCODE_KDC_REP"; - } else { + if (!errcode) status = "ISSUE"; - } memset(ticket_reply.enc_part.ciphertext.data, 0, ticket_reply.enc_part.ciphertext.length); @@ -825,6 +792,7 @@ process_tgs_req(struct server_handle *handle, krb5_data *pkt, cleanup: if (status == NULL) status = "UNKNOWN_REASON"; + krb5_free_keyblock_contents(kdc_context, &server_keyblock); if (reply_key) krb5_free_keyblock(kdc_context, reply_key); if (errcode) @@ -910,7 +878,8 @@ prepare_error_tgs (struct kdc_request_state *state, krb5_data *scratch, *e_data_asn1 = NULL, *fast_edata = NULL; kdc_realm_t *kdc_active_realm = state->realm_data; - errpkt.ctime = request->nonce; + errpkt.magic = KV5M_ERROR; + errpkt.ctime = 0; errpkt.cusec = 0; if ((retval = krb5_us_timeofday(kdc_context, &errpkt.stime, @@ -1053,7 +1022,7 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, retval = get_2ndtkt_enctype(kdc_active_realm, req, &useenctype, status); if (retval != 0) - goto cleanup; + return retval; } if (useenctype == 0) { useenctype = select_session_keytype(kdc_active_realm, server, @@ -1063,17 +1032,10 @@ gen_session_key(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, if (useenctype == 0) { /* unsupported ktype */ *status = "BAD_ENCRYPTION_TYPE"; - retval = KRB5KDC_ERR_ETYPE_NOSUPP; - goto cleanup; - } - retval = krb5_c_make_random_key(kdc_context, useenctype, skey); - if (retval != 0) { - /* random key failed */ - *status = "MAKE_RANDOM_KEY"; - goto cleanup; + return KRB5KDC_ERR_ETYPE_NOSUPP; } -cleanup: - return retval; + + return krb5_c_make_random_key(kdc_context, useenctype, skey); } /* diff --git a/src/kdc/extern.c b/src/kdc/extern.c index fe62749..ff45bf3 100644 --- a/src/kdc/extern.c +++ b/src/kdc/extern.c @@ -37,6 +37,7 @@ kdc_realm_t **kdc_realmlist = (kdc_realm_t **) NULL; int kdc_numrealms = 0; krb5_data empty_string = {0, 0, ""}; -krb5_timestamp kdc_infinity = KRB5_INT32_MAX; /* XXX */ -krb5_keyblock psr_key; krb5_int32 max_dgram_reply_size = MAX_DGRAM_SIZE; + +/* With ts_after(), this is the largest timestamp value. */ +krb5_timestamp kdc_infinity = -1; diff --git a/src/kdc/extern.h b/src/kdc/extern.h index 7dc658f..78b9f30 100644 --- a/src/kdc/extern.h +++ b/src/kdc/extern.h @@ -29,7 +29,6 @@ /* various externs for KDC */ extern krb5_data empty_string; /* an empty string */ extern krb5_timestamp kdc_infinity; /* greater than all other timestamps */ -extern krb5_keyblock psr_key; /* key for predicted sam response */ extern const int kdc_modifies_kdb; extern krb5_int32 max_dgram_reply_size; /* maximum datagram size */ diff --git a/src/kdc/fast_util.c b/src/kdc/fast_util.c index 9df9402..6a3fc11 100644 --- a/src/kdc/fast_util.c +++ b/src/kdc/fast_util.c @@ -451,36 +451,12 @@ kdc_fast_hide_client(struct kdc_request_state *state) return (state->fast_options & KRB5_FAST_OPTION_HIDE_CLIENT_NAMES) != 0; } -/* Allocate a pa-data entry with an uninitialized buffer of size len. */ -static krb5_error_code -alloc_padata(krb5_preauthtype pa_type, size_t len, krb5_pa_data **out) -{ - krb5_pa_data *pa; - uint8_t *buf; - - *out = NULL; - buf = malloc(len); - if (buf == NULL) - return ENOMEM; - pa = malloc(sizeof(*pa)); - if (pa == NULL) { - free(buf); - return ENOMEM; - } - pa->magic = KV5M_PA_DATA; - pa->pa_type = pa_type; - pa->length = len; - pa->contents = buf; - *out = pa; - return 0; -} - /* Create a pa-data entry with the specified type and contents. */ static krb5_error_code make_padata(krb5_preauthtype pa_type, const void *contents, size_t len, krb5_pa_data **out) { - if (alloc_padata(pa_type, len, out) != 0) + if (alloc_pa_data(pa_type, len, out) != 0) return ENOMEM; memcpy((*out)->contents, contents, len); return 0; @@ -607,7 +583,7 @@ kdc_fast_read_cookie(krb5_context context, struct kdc_request_state *state, ret = krb5_timeofday(context, &now); if (ret) goto cleanup; - if (now - COOKIE_LIFETIME > cookie->time) { + if (ts2tt(now) > cookie->time + COOKIE_LIFETIME) { /* Don't accept the cookie contents. Only return an error if the * cookie is relevant to the request. */ if (is_relevant(cookie->data, req->padata)) @@ -700,7 +676,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state, ret = krb5_timeofday(context, &now); if (ret) goto cleanup; - cookie.time = now; + cookie.time = ts2tt(now); cookie.data = contents; ret = encode_krb5_secure_cookie(&cookie, &der_cookie); if (ret) @@ -720,7 +696,7 @@ kdc_fast_make_cookie(krb5_context context, struct kdc_request_state *state, goto cleanup; /* Construct the cookie pa-data entry. */ - ret = alloc_padata(KRB5_PADATA_FX_COOKIE, 8 + enc.ciphertext.length, &pa); + ret = alloc_pa_data(KRB5_PADATA_FX_COOKIE, 8 + enc.ciphertext.length, &pa); memcpy(pa->contents, "MIT1", 4); store_32_be(kvno, pa->contents + 4); memcpy(pa->contents + 8, enc.ciphertext.data, enc.ciphertext.length); diff --git a/src/kdc/kdc_audit.c b/src/kdc/kdc_audit.c index c9a7f9f..f40913d 100644 --- a/src/kdc/kdc_audit.c +++ b/src/kdc/kdc_audit.c @@ -146,7 +146,7 @@ kau_make_tkt_id(krb5_context context, { krb5_error_code ret = 0; char *hash = NULL, *ptr; - krb5_checksum cksum; + uint8_t hashbytes[K5_SHA256_HASHLEN]; unsigned int i; *out = NULL; @@ -154,19 +154,18 @@ kau_make_tkt_id(krb5_context context, if (ticket == NULL) return EINVAL; - ret = krb5_c_make_checksum(context, CKSUMTYPE_RSA_MD5, NULL, 0, - &ticket->enc_part.ciphertext, &cksum); + ret = k5_sha256(&ticket->enc_part.ciphertext, 1, hashbytes); if (ret) return ret; - hash = k5alloc(cksum.length * 2 + 1, &ret); - if (hash != NULL) { - for (i = 0, ptr = hash; i < cksum.length; i++, ptr += 2) - snprintf(ptr, 3, "%02X", cksum.contents[i]); - *ptr = '\0'; - *out = hash; - } - krb5_free_checksum_contents(context, &cksum); + hash = k5alloc(sizeof(hashbytes) * 2 + 1, &ret); + if (hash == NULL) + return ret; + + for (i = 0, ptr = hash; i < sizeof(hashbytes); i++, ptr += 2) + snprintf(ptr, 3, "%02X", hashbytes[i]); + *ptr = '\0'; + *out = hash; return 0; } diff --git a/src/kdc/kdc_log.c b/src/kdc/kdc_log.c index 94a2a1c..4eec503 100644 --- a/src/kdc/kdc_log.c +++ b/src/kdc/kdc_log.c @@ -54,7 +54,9 @@ /* Someday, pass local address/port as well. */ /* Currently no info about name canonicalization is logged. */ void -log_as_req(krb5_context context, const krb5_fulladdr *from, +log_as_req(krb5_context context, + const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_db_entry *client, const char *cname, krb5_db_entry *server, const char *sname, @@ -67,8 +69,8 @@ log_as_req(krb5_context context, const krb5_fulladdr *from, const char *cname2 = cname ? cname : ""; const char *sname2 = sname ? sname : ""; - fromstring = inet_ntop(ADDRTYPE2FAMILY (from->address->addrtype), - from->address->contents, + fromstring = inet_ntop(ADDRTYPE2FAMILY(remote_addr->address->addrtype), + remote_addr->address->contents, fromstringbuf, sizeof(fromstringbuf)); if (!fromstring) fromstring = ""; @@ -79,9 +81,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from, /* success */ char rep_etypestr[128]; rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), reply); - krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %d, %s, " + krb5_klog_syslog(LOG_INFO, _("AS_REQ (%s) %s: ISSUE: authtime %u, %s, " "%s for %s"), - ktypestr, fromstring, authtime, + ktypestr, fromstring, (unsigned int)authtime, rep_etypestr, cname2, sname2); } else { /* fail */ @@ -89,16 +91,9 @@ log_as_req(krb5_context context, const krb5_fulladdr *from, ktypestr, fromstring, status, cname2, sname2, emsg ? ", " : "", emsg ? emsg : ""); } - krb5_db_audit_as_req(context, request, client, server, authtime, - errcode); -#if 0 - /* Sun (OpenSolaris) version would probably something like this. - The client and server names passed can be null, unlike in the - logging routines used above. Note that a struct in_addr is - used, but the real address could be an IPv6 address. */ - audit_krb5kdc_as_req(some in_addr *, (in_port_t)from->port, 0, - cname, sname, errcode); -#endif + krb5_db_audit_as_req(context, request, + local_addr->address, remote_addr->address, + client, server, authtime, errcode); } /* @@ -156,10 +151,10 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, name (useful), and doesn't log ktypestr (probably not important). */ if (errcode != KRB5KDC_ERR_SERVER_NOMATCH) { - krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %d, %s%s " + krb5_klog_syslog(LOG_INFO, _("TGS_REQ (%s) %s: %s: authtime %u, %s%s " "%s for %s%s%s"), - ktypestr, fromstring, status, authtime, rep_etypestr, - !errcode ? "," : "", logcname, logsname, + ktypestr, fromstring, status, (unsigned int)authtime, + rep_etypestr, !errcode ? "," : "", logcname, logsname, errcode ? ", " : "", errcode ? emsg : ""); if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION)) krb5_klog_syslog(LOG_INFO, @@ -171,9 +166,9 @@ log_tgs_req(krb5_context ctx, const krb5_fulladdr *from, logaltcname); } else - krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %d, %s for %s, " + krb5_klog_syslog(LOG_INFO, _("TGS_REQ %s: %s: authtime %u, %s for %s, " "2nd tkt client %s"), - fromstring, status, authtime, + fromstring, status, (unsigned int)authtime, logcname, logsname, logaltcname); /* OpenSolaris: audit_krb5kdc_tgs_req(...) or diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c index 605fcb7..caf133c 100644 --- a/src/kdc/kdc_preauth.c +++ b/src/kdc/kdc_preauth.c @@ -87,6 +87,9 @@ #include #include +/* Let freshness tokens be valid for ten minutes. */ +#define FRESHNESS_LIFETIME 600 + typedef struct preauth_system_st { const char *name; int type; @@ -101,108 +104,14 @@ typedef struct preauth_system_st { krb5_kdcpreauth_loop_fn loop; } preauth_system; +static preauth_system *preauth_systems; +static size_t n_preauth_systems; + static krb5_error_code make_etype_info(krb5_context context, krb5_preauthtype pa_type, krb5_principal client, krb5_key_data *client_key, krb5_enctype enctype, krb5_pa_data **pa_out); -static void -get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, - krb5_kdcpreauth_edata_respond_fn respond, void *arg); - -static krb5_error_code -return_etype_info(krb5_context, krb5_pa_data *padata, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq); - -static krb5_error_code -return_pw_salt(krb5_context, krb5_pa_data *padata, - krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq); - - - -static preauth_system static_preauth_systems[] = { - { - "FAST", - KRB5_PADATA_FX_FAST, - PA_HARDWARE, - NULL, - NULL, - NULL, - NULL, - NULL, - 0 - }, - { - "etype-info", - KRB5_PADATA_ETYPE_INFO, - 0, - NULL, - NULL, - NULL, - get_etype_info, - 0, - return_etype_info - }, - { - "etype-info2", - KRB5_PADATA_ETYPE_INFO2, - 0, - NULL, - NULL, - NULL, - get_etype_info, - 0, - return_etype_info - }, - { - "pw-salt", - KRB5_PADATA_PW_SALT, - PA_PSEUDO, /* Don't include this in the error list */ - NULL, - NULL, - NULL, - 0, - 0, - return_pw_salt - }, - { - "pac-request", - KRB5_PADATA_PAC_REQUEST, - PA_PSEUDO, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL - }, -#if 0 - { - "server-referral", - KRB5_PADATA_SERVER_REFERRAL, - PA_PSEUDO, - 0, - 0, - return_server_referral - }, -#endif -}; - -#define NUM_STATIC_PREAUTH_SYSTEMS (sizeof(static_preauth_systems) / \ - sizeof(*static_preauth_systems)) - -static preauth_system *preauth_systems; -static size_t n_preauth_systems; - /* Get all available kdcpreauth vtables and a count of preauth types they * support. Return an empty list on failure. */ static void @@ -222,6 +131,8 @@ get_plugin_vtables(krb5_context context, "preauth"); k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "otp", "preauth"); + k5_plugin_register_dyn(context, PLUGIN_INTERFACE_KDCPREAUTH, "spake", + "preauth"); k5_plugin_register(context, PLUGIN_INTERFACE_KDCPREAUTH, "encrypted_challenge", kdcpreauth_encrypted_challenge_initvt); @@ -284,7 +195,6 @@ load_preauth_plugins(struct server_handle *handle, krb5_context context, get_plugin_vtables(context, &vtables, &n_tables, &n_systems); /* Allocate the list of static and plugin preauth systems. */ - n_systems += NUM_STATIC_PREAUTH_SYSTEMS; preauth_systems = calloc(n_systems + 1, sizeof(preauth_system)); if (preauth_systems == NULL) goto cleanup; @@ -292,13 +202,8 @@ load_preauth_plugins(struct server_handle *handle, krb5_context context, if (get_realm_names(handle, &realm_names)) goto cleanup; - /* Add the static system to the list first. No static systems require - * initialization, so just make a direct copy. */ - memcpy(preauth_systems, static_preauth_systems, - sizeof(static_preauth_systems)); - /* Add the dynamically-loaded mechanisms to the list. */ - n_systems = NUM_STATIC_PREAUTH_SYSTEMS; + n_systems = 0; for (i = 0; i < n_tables; i++) { /* Try to initialize this module. */ vt = &vtables[i]; @@ -568,8 +473,97 @@ set_cookie(krb5_context context, krb5_kdcpreauth_rock rock, return kdc_fast_set_cookie(rock->rstate, pa_type, data); } +static krb5_boolean +match_client(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_principal princ) +{ + krb5_db_entry *ent; + krb5_boolean match = FALSE; + krb5_principal req_client = rock->request->client; + krb5_principal client = rock->client->princ; + + /* Check for a direct match against the request principal or + * the post-canon client principal. */ + if (krb5_principal_compare_flags(context, princ, req_client, + KRB5_PRINCIPAL_COMPARE_ENTERPRISE) || + krb5_principal_compare(context, princ, client)) + return TRUE; + + if (krb5_db_get_principal(context, princ, KRB5_KDB_FLAG_ALIAS_OK, &ent)) + return FALSE; + match = krb5_principal_compare(context, ent->princ, client); + krb5_db_free_principal(context, ent); + return match; +} + +static krb5_principal +client_name(krb5_context context, krb5_kdcpreauth_rock rock) +{ + return rock->client->princ; +} + +static void +send_freshness_token(krb5_context context, krb5_kdcpreauth_rock rock) +{ + rock->send_freshness_token = TRUE; +} + +static krb5_error_code +check_freshness_token(krb5_context context, krb5_kdcpreauth_rock rock, + const krb5_data *token) +{ + krb5_timestamp token_ts, now; + krb5_key_data *kd; + krb5_keyblock kb; + krb5_kvno token_kvno; + krb5_checksum cksum; + krb5_data d; + uint8_t *token_cksum; + size_t token_cksum_len; + krb5_boolean valid = FALSE; + char ckbuf[4]; + + memset(&kb, 0, sizeof(kb)); + + if (krb5_timeofday(context, &now) != 0) + goto cleanup; + + if (token->length <= 8) + goto cleanup; + token_ts = load_32_be(token->data); + token_kvno = load_32_be(token->data + 4); + token_cksum = (uint8_t *)token->data + 8; + token_cksum_len = token->length - 8; + + /* Check if the token timestamp is too old. */ + if (ts_after(now, ts_incr(token_ts, FRESHNESS_LIFETIME))) + goto cleanup; + + /* Fetch and decrypt the local krbtgt key of the token's kvno. */ + if (krb5_dbe_find_enctype(context, rock->local_tgt, -1, -1, token_kvno, + &kd) != 0) + goto cleanup; + if (krb5_dbe_decrypt_key_data(context, NULL, kd, &kb, NULL) != 0) + goto cleanup; + + /* Verify the token checksum against the current KDC time. The checksum + * must use the mandatory checksum type of the krbtgt key's enctype. */ + store_32_be(token_ts, ckbuf); + d = make_data(ckbuf, sizeof(ckbuf)); + cksum.magic = KV5M_CHECKSUM; + cksum.checksum_type = 0; + cksum.length = token_cksum_len; + cksum.contents = token_cksum; + (void)krb5_c_verify_checksum(context, &kb, KRB5_KEYUSAGE_PA_AS_FRESHNESS, + &d, &cksum, &valid); + +cleanup: + krb5_free_keyblock_contents(context, &kb); + return valid ? 0 : KRB5KDC_ERR_PREAUTH_EXPIRED; +} + static struct krb5_kdcpreauth_callbacks_st callbacks = { - 3, + 5, max_time_skew, client_keys, free_keys, @@ -583,7 +577,11 @@ static struct krb5_kdcpreauth_callbacks_st callbacks = { client_keyblock, add_auth_indicator, get_cookie, - set_cookie + set_cookie, + match_client, + client_name, + send_freshness_token, + check_freshness_token }; static krb5_error_code @@ -591,7 +589,9 @@ find_pa_system(int type, preauth_system **preauth) { preauth_system *ap; - ap = preauth_systems ? preauth_systems : static_preauth_systems; + if (preauth_systems == NULL) + return KRB5_PREAUTH_BAD_TYPE; + ap = preauth_systems; while ((ap->type != -1) && (ap->type != type)) ap++; if (ap->type == -1) @@ -665,17 +665,18 @@ sort_pa_order(krb5_context context, krb5_kdc_req *request, int *pa_order) break; } } + /* If we didn't find one, we have moved all of the key-replacing + * modules, and i is the count of those modules. */ + if (j == n_repliers) + break; } + n_key_replacers = i; if (request->padata != NULL) { /* Now reorder the subset of modules which replace the key, * bubbling those which handle pa_data types provided by the * client ahead of the others. */ - for (i = 0; preauth_systems[pa_order[i]].flags & PA_REPLACES_KEY; i++) { - continue; - } - n_key_replacers = i; for (i = 0; i < n_key_replacers; i++) { if (pa_list_includes(request->padata, preauth_systems[pa_order[i]].type)) @@ -711,19 +712,6 @@ const char *missing_required_preauth(krb5_db_entry *client, krb5_db_entry *server, krb5_enc_tkt_part *enc_tkt_reply) { -#if 0 - /* - * If this is the pwchange service, and the pre-auth bit is set, - * allow it even if the HW preauth would normally be required. - * - * Sandia national labs wanted this for some strange reason... we - * leave it disabled normally. - */ - if (isflagset(server->attributes, KRB5_KDB_PWCHANGE_SERVICE) && - isflagset(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH)) - return 0; -#endif - #ifdef DEBUG krb5_klog_syslog ( LOG_DEBUG, @@ -745,6 +733,154 @@ const char *missing_required_preauth(krb5_db_entry *client, return 0; } +/* Return true if request's enctypes indicate support for etype-info2. */ +static krb5_boolean +requires_info2(const krb5_kdc_req *request) +{ + int i; + + for (i = 0; i < request->nktypes; i++) { + if (enctype_requires_etype_info_2(request->ktype[i])) + return TRUE; + } + return FALSE; +} + +/* Add PA-ETYPE-INFO2 and possibly PA-ETYPE-INFO entries to pa_list as + * appropriate for the request and client principal. */ +static krb5_error_code +add_etype_info(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_pa_data ***pa_list) +{ + krb5_error_code ret; + krb5_pa_data *pa; + + if (rock->client_key == NULL) + return 0; + + if (!requires_info2(rock->request)) { + /* Include PA-ETYPE-INFO only for old clients. */ + ret = make_etype_info(context, KRB5_PADATA_ETYPE_INFO, + rock->client->princ, rock->client_key, + rock->client_keyblock->enctype, &pa); + if (ret) + return ret; + /* add_pa_data_element() claims pa on success or failure. */ + ret = add_pa_data_element(pa_list, pa); + if (ret) + return ret; + } + + /* Always include PA-ETYPE-INFO2. */ + ret = make_etype_info(context, KRB5_PADATA_ETYPE_INFO2, + rock->client->princ, rock->client_key, + rock->client_keyblock->enctype, &pa); + if (ret) + return ret; + /* add_pa_data_element() claims pa on success or failure. */ + return add_pa_data_element(pa_list, pa); +} + +/* Add PW-SALT or AFS3-SALT entries to pa_list as appropriate for the request + * and client principal. */ +static krb5_error_code +add_pw_salt(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_pa_data ***pa_list) +{ + krb5_error_code ret; + krb5_pa_data *pa; + krb5_data *salt = NULL; + krb5_int16 salttype; + + /* Only include this pa-data for old clients. */ + if (rock->client_key == NULL || requires_info2(rock->request)) + return 0; + + ret = krb5_dbe_compute_salt(context, rock->client_key, + rock->request->client, &salttype, &salt); + if (ret) + return 0; + + if (salttype == KRB5_KDB_SALTTYPE_AFS3) { + ret = alloc_pa_data(KRB5_PADATA_AFS3_SALT, salt->length + 1, &pa); + if (ret) + goto cleanup; + memcpy(pa->contents, salt->data, salt->length); + pa->contents[salt->length] = '\0'; + } else { + /* Steal memory from salt to make the pa-data entry. */ + ret = alloc_pa_data(KRB5_PADATA_PW_SALT, 0, &pa); + if (ret) + goto cleanup; + pa->length = salt->length; + pa->contents = (uint8_t *)salt->data; + salt->data = NULL; + } + + /* add_pa_data_element() claims pa on success or failure. */ + ret = add_pa_data_element(pa_list, pa); + +cleanup: + krb5_free_data(context, salt); + return ret; +} + +static krb5_error_code +add_freshness_token(krb5_context context, krb5_kdcpreauth_rock rock, + krb5_pa_data ***pa_list) +{ + krb5_error_code ret; + krb5_timestamp now; + krb5_key_data *kd; + krb5_keyblock kb; + krb5_checksum cksum; + krb5_data d; + krb5_pa_data *pa; + char ckbuf[4]; + + memset(&cksum, 0, sizeof(cksum)); + memset(&kb, 0, sizeof(kb)); + + if (!rock->send_freshness_token) + return 0; + if (krb5int_find_pa_data(context, rock->request->padata, + KRB5_PADATA_AS_FRESHNESS) == NULL) + return 0; + + /* Fetch and decrypt the current local krbtgt key. */ + ret = krb5_dbe_find_enctype(context, rock->local_tgt, -1, -1, 0, &kd); + if (ret) + goto cleanup; + ret = krb5_dbe_decrypt_key_data(context, NULL, kd, &kb, NULL); + if (ret) + goto cleanup; + + /* Compute a checksum over the current KDC time. */ + ret = krb5_timeofday(context, &now); + if (ret) + goto cleanup; + store_32_be(now, ckbuf); + d = make_data(ckbuf, sizeof(ckbuf)); + ret = krb5_c_make_checksum(context, 0, &kb, KRB5_KEYUSAGE_PA_AS_FRESHNESS, + &d, &cksum); + + /* Compose a freshness token from the time, krbtgt kvno, and checksum. */ + ret = alloc_pa_data(KRB5_PADATA_AS_FRESHNESS, 8 + cksum.length, &pa); + if (ret) + goto cleanup; + store_32_be(now, pa->contents); + store_32_be(kd->key_data_kvno, pa->contents + 4); + memcpy(pa->contents + 8, cksum.contents, cksum.length); + + /* add_pa_data_element() claims pa on success or failure. */ + ret = add_pa_data_element(pa_list, pa); + +cleanup: + krb5_free_keyblock_contents(context, &kb); + krb5_free_checksum_contents(context, &cksum); + return ret; +} + struct hint_state { kdc_hint_respond_fn respond; void *arg; @@ -756,7 +892,7 @@ struct hint_state { int hw_only; preauth_system *ap; - krb5_pa_data **pa_data, **pa_cur; + krb5_pa_data **pa_data; krb5_preauthtype pa_type; }; @@ -767,8 +903,13 @@ hint_list_finish(struct hint_state *state, krb5_error_code code) void *oldarg = state->arg; kdc_realm_t *kdc_active_realm = state->realm; + /* Add a freshness token if a preauth module requested it and the client + * request indicates support for it. */ + if (!code) + code = add_freshness_token(kdc_context, state->rock, &state->pa_data); + if (!code) { - if (state->pa_data[0] == 0) { + if (state->pa_data == NULL) { krb5_klog_syslog(LOG_INFO, _("%spreauth required but hint list is empty"), state->hw_only ? "hw" : ""); @@ -789,20 +930,27 @@ hint_list_next(struct hint_state *arg); static void finish_get_edata(void *arg, krb5_error_code code, krb5_pa_data *pa) { + krb5_error_code ret; struct hint_state *state = arg; if (code == 0) { if (pa == NULL) { - /* Include an empty value of the current type. */ - pa = calloc(1, sizeof(*pa)); - pa->magic = KV5M_PA_DATA; - pa->pa_type = state->pa_type; + ret = alloc_pa_data(state->pa_type, 0, &pa); + if (ret) + goto error; } - *state->pa_cur++ = pa; + /* add_pa_data_element() claims pa on success or failure. */ + ret = add_pa_data_element(&state->pa_data, pa); + if (ret) + goto error; } state->ap++; hint_list_next(state); + return; + +error: + hint_list_finish(state, ret); } static void @@ -839,16 +987,16 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, krb5_pa_data ***e_data_out, kdc_hint_respond_fn respond, void *arg) { + kdc_realm_t *kdc_active_realm = rock->rstate->realm_data; struct hint_state *state; + krb5_pa_data *pa; *e_data_out = NULL; /* Allocate our state. */ state = calloc(1, sizeof(*state)); - if (state == NULL) { - (*respond)(arg); - return; - } + if (state == NULL) + goto error; state->hw_only = isflagset(rock->client->attributes, KRB5_KDB_REQUIRES_HW_AUTH); state->respond = respond; @@ -857,17 +1005,27 @@ get_preauth_hint_list(krb5_kdc_req *request, krb5_kdcpreauth_rock rock, state->rock = rock; state->realm = rock->rstate->realm_data; state->e_data_out = e_data_out; + state->pa_data = NULL; + state->ap = preauth_systems; - state->pa_data = calloc(n_preauth_systems + 1, sizeof(krb5_pa_data *)); - if (!state->pa_data) { - free(state); - (*respond)(arg); - return; - } + /* Add an empty PA-FX-FAST element to advertise FAST support. */ + if (alloc_pa_data(KRB5_PADATA_FX_FAST, 0, &pa) != 0) + goto error; + /* add_pa_data_element() claims pa on success or failure. */ + if (add_pa_data_element(&state->pa_data, pa) != 0) + goto error; + + if (add_etype_info(kdc_context, rock, &state->pa_data) != 0) + goto error; - state->pa_cur = state->pa_data; - state->ap = preauth_systems; hint_list_next(state); + return; + +error: + if (state != NULL) + krb5_free_pa_data(kdc_context, state->pa_data); + free(state); + (*respond)(arg); } /* @@ -998,10 +1156,10 @@ filter_preauth_error(krb5_error_code code) static krb5_error_code maybe_add_etype_info2(struct padata_state *state, krb5_error_code code) { + krb5_error_code ret; krb5_context context = state->context; krb5_kdcpreauth_rock rock = state->rock; - krb5_pa_data **list = state->pa_e_data; - size_t count; + krb5_pa_data *pa; /* Only add key information when requesting another preauth round trip. */ if (code != KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED) @@ -1017,18 +1175,14 @@ maybe_add_etype_info2(struct padata_state *state, krb5_error_code code) KRB5_PADATA_FX_COOKIE) != NULL) return 0; - /* Reallocate state->pa_e_data to make room for the etype-info2 element. */ - for (count = 0; list != NULL && list[count] != NULL; count++); - list = realloc(list, (count + 2) * sizeof(*list)); - if (list == NULL) - return ENOMEM; - list[count] = list[count + 1] = NULL; - state->pa_e_data = list; + ret = make_etype_info(context, KRB5_PADATA_ETYPE_INFO2, + rock->client->princ, rock->client_key, + rock->client_keyblock->enctype, &pa); + if (ret) + return ret; - /* Generate an etype-info2 element in the new slot. */ - return make_etype_info(context, KRB5_PADATA_ETYPE_INFO2, - rock->client->princ, rock->client_key, - rock->client_keyblock->enctype, &list[count]); + /* add_pa_data_element() claims pa on success or failure. */ + return add_pa_data_element(&state->pa_e_data, pa); } /* Release state and respond to the AS-REQ processing code with the result of @@ -1237,6 +1391,17 @@ check_padata(krb5_context context, krb5_kdcpreauth_rock rock, next_padata(state); } +/* Return true if k1 and k2 have the same type and contents. */ +static krb5_boolean +keyblock_equal(const krb5_keyblock *k1, const krb5_keyblock *k2) +{ + if (k1->enctype != k2->enctype) + return FALSE; + if (k1->length != k2->length) + return FALSE; + return memcmp(k1->contents, k2->contents, k1->length) == 0; +} + /* * return_padata creates any necessary preauthentication * structures which should be returned by the KDC to the client @@ -1248,17 +1413,20 @@ return_padata(krb5_context context, krb5_kdcpreauth_rock rock, { krb5_error_code retval; krb5_pa_data ** padata; - krb5_pa_data ** send_pa_list; - krb5_pa_data ** send_pa; + krb5_pa_data ** send_pa_list = NULL; + krb5_pa_data * send_pa; krb5_pa_data * pa = 0; krb5_pa_data null_item; preauth_system * ap; - int * pa_order; + int * pa_order = NULL; int * pa_type; int size = 0; krb5_kdcpreauth_modreq *modreq_ptr; krb5_boolean key_modified; krb5_keyblock original_key; + + memset(&original_key, 0, sizeof(original_key)); + if ((!*padata_context) && (make_padata_context(context, padata_context) != 0)) { return KRB5KRB_ERR_GENERIC; @@ -1269,39 +1437,21 @@ return_padata(krb5_context context, krb5_kdcpreauth_rock rock, size++; } - if ((send_pa_list = malloc((size+1) * sizeof(krb5_pa_data *))) == NULL) - return ENOMEM; - if ((pa_order = malloc((size+1) * sizeof(int))) == NULL) { - free(send_pa_list); - return ENOMEM; - } + pa_order = k5calloc(size + 1, sizeof(int), &retval); + if (pa_order == NULL) + goto cleanup; sort_pa_order(context, request, pa_order); retval = krb5_copy_keyblock_contents(context, encrypting_key, &original_key); - if (retval) { - free(send_pa_list); - free(pa_order); - return retval; - } + if (retval) + goto cleanup; key_modified = FALSE; null_item.contents = NULL; null_item.length = 0; - send_pa = send_pa_list; - *send_pa = 0; for (pa_type = pa_order; *pa_type != -1; pa_type++) { ap = &preauth_systems[*pa_type]; - if (!key_modified) - if (original_key.enctype != encrypting_key->enctype) - key_modified = TRUE; - if (!key_modified) - if (original_key.length != encrypting_key->length) - key_modified = TRUE; - if (!key_modified) - if (memcmp(original_key.contents, encrypting_key->contents, - original_key.length) != 0) - key_modified = TRUE; if (key_modified && (ap->flags & PA_REPLACES_KEY)) continue; if (ap->return_padata == 0) @@ -1318,20 +1468,46 @@ return_padata(krb5_context context, krb5_kdcpreauth_rock rock, } } } + send_pa = NULL; retval = ap->return_padata(context, pa, req_pkt, request, reply, - encrypting_key, send_pa, &callbacks, rock, + encrypting_key, &send_pa, &callbacks, rock, ap->moddata, *modreq_ptr); if (retval) goto cleanup; - if (*send_pa) - send_pa++; - *send_pa = 0; + if (send_pa != NULL) { + /* add_pa_data_element() claims send_pa on success or failure. */ + retval = add_pa_data_element(&send_pa_list, send_pa); + if (retval) + goto cleanup; + } + + if (!key_modified && !keyblock_equal(&original_key, encrypting_key)) + key_modified = TRUE; } - retval = 0; + /* + * Add etype-info and pw-salt pa-data as needed. If we replaced the reply + * key, we can't send consistent etype-info; the salt from the client key + * data doesn't correspond to the replaced reply key, and RFC 4120 section + * 5.2.7.5 forbids us from sending etype-info describing the initial reply + * key in an AS-REP if it doesn't have the same enctype as the replaced + * reply key. For all current and forseeable preauth mechs, we can assume + * the client received etype-info2 in an earlier step and already computed + * the initial reply key if it needed it. The client can determine the + * enctype of the replaced reply key from the etype field of the enc-part + * field of the AS-REP. + */ + if (!key_modified) { + retval = add_etype_info(context, rock, &send_pa_list); + if (retval) + goto cleanup; + retval = add_pw_salt(context, rock, &send_pa_list); + if (retval) + goto cleanup; + } - if (send_pa_list[0]) { + if (send_pa_list != NULL) { reply->padata = send_pa_list; send_pa_list = 0; } @@ -1339,8 +1515,7 @@ return_padata(krb5_context context, krb5_kdcpreauth_rock rock, cleanup: krb5_free_keyblock_contents(context, &original_key); free(pa_order); - if (send_pa_list) - krb5_free_pa_data(context, send_pa_list); + krb5_free_pa_data(context, send_pa_list); return (retval); } @@ -1407,9 +1582,8 @@ make_etype_info(krb5_context context, krb5_preauthtype pa_type, krb5_enctype enctype, krb5_pa_data **pa_out) { krb5_error_code retval; - krb5_pa_data *pa = NULL; krb5_etype_info_entry **entry = NULL; - krb5_data *scratch = NULL; + krb5_data *der_etype_info = NULL; int etype_info2 = (pa_type == KRB5_PADATA_ETYPE_INFO2); *pa_out = NULL; @@ -1423,125 +1597,23 @@ make_etype_info(krb5_context context, krb5_preauthtype pa_type, goto cleanup; if (etype_info2) - retval = encode_krb5_etype_info2(entry, &scratch); + retval = encode_krb5_etype_info2(entry, &der_etype_info); else - retval = encode_krb5_etype_info(entry, &scratch); + retval = encode_krb5_etype_info(entry, &der_etype_info); if (retval) goto cleanup; - pa = k5alloc(sizeof(*pa), &retval); - if (pa == NULL) - goto cleanup; - pa->magic = KV5M_PA_DATA; - pa->pa_type = pa_type; - pa->contents = (unsigned char *)scratch->data; - pa->length = scratch->length; - scratch->data = NULL; - *pa_out = pa; - -cleanup: - krb5_free_etype_info(context, entry); - krb5_free_data(context, scratch); - return retval; -} - -/* Return true if request's enctypes indicate support for etype-info2. */ -static krb5_boolean -requires_info2(const krb5_kdc_req *request) -{ - int i; - - for (i = 0; i < request->nktypes; i++) { - if (enctype_requires_etype_info_2(request->ktype[i])) - return TRUE; - } - return FALSE; -} - -/* Generate hint list padata for PA-ETYPE-INFO or PA-ETYPE-INFO2. */ -static void -get_etype_info(krb5_context context, krb5_kdc_req *request, - krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, - krb5_kdcpreauth_edata_respond_fn respond, void *arg) -{ - krb5_error_code ret; - krb5_pa_data *pa = NULL; - - if (rock->client_key == NULL) { - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - } else if (pa_type == KRB5_PADATA_ETYPE_INFO && requires_info2(request)) { - ret = KRB5KDC_ERR_PADATA_TYPE_NOSUPP; - } else { - ret = make_etype_info(context, pa_type, rock->client->princ, - rock->client_key, rock->client_keyblock->enctype, - &pa); - } - (*respond)(arg, ret, pa); -} - -/* Generate AS-REP padata for PA-ETYPE-INFO or PA-ETYPE-INFO2. */ -static krb5_error_code -return_etype_info(krb5_context context, krb5_pa_data *padata, - krb5_data *req_pkt, krb5_kdc_req *request, - krb5_kdc_rep *reply, krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa, krb5_kdcpreauth_callbacks cb, - krb5_kdcpreauth_rock rock, krb5_kdcpreauth_moddata moddata, - krb5_kdcpreauth_modreq modreq) -{ - *send_pa = NULL; - if (rock->client_key == NULL) - return 0; - if (padata->pa_type == KRB5_PADATA_ETYPE_INFO && requires_info2(request)) - return 0; - return make_etype_info(context, padata->pa_type, rock->client->princ, - rock->client_key, encrypting_key->enctype, send_pa); -} - -static krb5_error_code -return_pw_salt(krb5_context context, krb5_pa_data *in_padata, - krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdc_rep *reply, - krb5_keyblock *encrypting_key, krb5_pa_data **send_pa, - krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, - krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) -{ - krb5_error_code retval; - krb5_pa_data * padata; - krb5_data * salt = NULL; - krb5_int16 salttype; - krb5_key_data * client_key = rock->client_key; - if (client_key == NULL || requires_info2(request)) - return 0; - - retval = krb5_dbe_compute_salt(context, client_key, request->client, - &salttype, &salt); + /* Steal the data from der_etype_info to create a pa-data element. */ + retval = alloc_pa_data(pa_type, 0, pa_out); if (retval) - return 0; - - padata = k5alloc(sizeof(*padata), &retval); - if (padata == NULL) goto cleanup; - padata->magic = KV5M_PA_DATA; - - if (salttype == KRB5_KDB_SALTTYPE_AFS3) { - padata->contents = k5memdup0(salt->data, salt->length, &retval); - if (padata->contents == NULL) - goto cleanup; - padata->pa_type = KRB5_PADATA_AFS3_SALT; - padata->length = salt->length + 1; - } else { - padata->pa_type = KRB5_PADATA_PW_SALT; - padata->length = salt->length; - padata->contents = (krb5_octet *)salt->data; - salt->data = NULL; - } - - *send_pa = padata; - padata = NULL; + (*pa_out)->contents = (uint8_t *)der_etype_info->data; + (*pa_out)->length = der_etype_info->length; + der_etype_info->data = NULL; cleanup: - free(padata); - krb5_free_data(context, salt); + krb5_free_etype_info(context, entry); + krb5_free_data(context, der_etype_info); return retval; } @@ -1586,18 +1658,20 @@ return_referral_enc_padata( krb5_context context, { krb5_error_code code; krb5_tl_data tl_data; - krb5_pa_data pa_data; + krb5_pa_data *pa; tl_data.tl_data_type = KRB5_TL_SVR_REFERRAL_DATA; code = krb5_dbe_lookup_tl_data(context, server, &tl_data); if (code || tl_data.tl_data_length == 0) return 0; - pa_data.magic = KV5M_PA_DATA; - pa_data.pa_type = KRB5_PADATA_SVR_REFERRAL_INFO; - pa_data.length = tl_data.tl_data_length; - pa_data.contents = tl_data.tl_data_contents; - return add_pa_data_element(context, &pa_data, &reply->enc_padata, TRUE); + code = alloc_pa_data(KRB5_PADATA_SVR_REFERRAL_INFO, tl_data.tl_data_length, + &pa); + if (code) + return code; + memcpy(pa->contents, tl_data.tl_data_contents, tl_data.tl_data_length); + /* add_pa_data_element() claims pa on success or failure. */ + return add_pa_data_element(&reply->enc_padata, pa); } krb5_error_code @@ -1609,7 +1683,6 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt, krb5_error_code code = 0; /* This should be initialized and only used for Win2K compat and other * specific standardized uses such as FAST negotiation. */ - assert(reply_encpart->enc_padata == NULL); if (is_referral) { code = return_referral_enc_padata(context, reply_encpart, server); if (code) @@ -1623,69 +1696,3 @@ return_enc_padata(krb5_context context, krb5_data *req_pkt, cleanup: return code; } - - -#if 0 -static krb5_error_code return_server_referral(krb5_context context, - krb5_pa_data * padata, - krb5_db_entry *client, - krb5_db_entry *server, - krb5_kdc_req *request, - krb5_kdc_rep *reply, - krb5_key_data *client_key, - krb5_keyblock *encrypting_key, - krb5_pa_data **send_pa) -{ - krb5_error_code code; - krb5_tl_data tl_data; - krb5_pa_data *pa_data; - krb5_enc_data enc_data; - krb5_data plain; - krb5_data *enc_pa_data; - - *send_pa = NULL; - - tl_data.tl_data_type = KRB5_TL_SERVER_REFERRAL; - - code = krb5_dbe_lookup_tl_data(context, server, &tl_data); - if (code || tl_data.tl_data_length == 0) - return 0; /* no server referrals to return */ - - plain.length = tl_data.tl_data_length; - plain.data = tl_data.tl_data_contents; - - /* Encrypt ServerReferralData */ - code = krb5_encrypt_helper(context, encrypting_key, - KRB5_KEYUSAGE_PA_SERVER_REFERRAL_DATA, - &plain, &enc_data); - if (code) - return code; - - /* Encode ServerReferralData into PA-SERVER-REFERRAL-DATA */ - code = encode_krb5_enc_data(&enc_data, &enc_pa_data); - if (code) { - krb5_free_data_contents(context, &enc_data.ciphertext); - return code; - } - - krb5_free_data_contents(context, &enc_data.ciphertext); - - /* Return PA-SERVER-REFERRAL-DATA */ - pa_data = (krb5_pa_data *)malloc(sizeof(*pa_data)); - if (pa_data == NULL) { - krb5_free_data(context, enc_pa_data); - return ENOMEM; - } - - pa_data->magic = KV5M_PA_DATA; - pa_data->pa_type = KRB5_PADATA_SVR_REFERRAL_INFO; - pa_data->length = enc_pa_data->length; - pa_data->contents = enc_pa_data->data; - - free(enc_pa_data); /* don't free contents */ - - *send_pa = pa_data; - - return 0; -} -#endif diff --git a/src/kdc/kdc_preauth_ec.c b/src/kdc/kdc_preauth_ec.c index feef368..7e636b3 100644 --- a/src/kdc/kdc_preauth_ec.c +++ b/src/kdc/kdc_preauth_ec.c @@ -56,7 +56,6 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code retval = 0; - krb5_timestamp now; krb5_enc_data *enc = NULL; krb5_data scratch, plain; krb5_keyblock *armor_key = cb->fast_armor(context, rock); @@ -66,6 +65,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_keyblock *kdc_challenge_key; krb5_kdcpreauth_modreq modreq = NULL; int i = 0; + char *ai = NULL, *realmstr = NULL; + krb5_data realm = request->server->realm; plain.data = NULL; @@ -84,6 +85,15 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, if (plain.data == NULL) retval = ENOMEM; } + + /* Check for a configured FAST ec auth indicator. */ + realmstr = k5memdup0(realm.data, realm.length, &retval); + if (realmstr != NULL) + retval = profile_get_string(context->profile, KRB5_CONF_REALMS, + realmstr, + KRB5_CONF_ENCRYPTED_CHALLENGE_INDICATOR, + NULL, &ai); + if (retval == 0) retval = cb->client_keys(context, rock, &client_keys); if (retval == 0) { @@ -113,21 +123,20 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, if (retval == 0) retval = decode_krb5_pa_enc_ts(&plain, &ts); if (retval == 0) - retval = krb5_timeofday(context, &now); + retval = krb5_check_clockskew(context, ts->patimestamp); if (retval == 0) { - if (labs(now-ts->patimestamp) < context->clockskew) { - enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - /* - * If this fails, we won't generate a reply to the client. That - * may cause the client to fail, but at this point the KDC has - * considered this a success, so the return value is ignored. - */ - if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", - &client_keys[i], "challengelongterm", - &kdc_challenge_key) == 0) - modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key; - } else { /*skew*/ - retval = KRB5KRB_AP_ERR_SKEW; + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + /* + * If this fails, we won't generate a reply to the client. That may + * cause the client to fail, but at this point the KDC has considered + * this a success, so the return value is ignored. + */ + if (krb5_c_fx_cf2_simple(context, armor_key, "kdcchallengearmor", + &client_keys[i], "challengelongterm", + &kdc_challenge_key) == 0) { + modreq = (krb5_kdcpreauth_modreq)kdc_challenge_key; + if (ai != NULL) + cb->add_auth_indicator(context, rock, ai); } } cb->free_keys(context, rock, client_keys); @@ -137,6 +146,8 @@ ec_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_free_enc_data(context, enc); if (ts) krb5_free_pa_enc_ts(context, ts); + free(realmstr); + free(ai); (*respond)(arg, retval, modreq, NULL, NULL); } diff --git a/src/kdc/kdc_preauth_encts.c b/src/kdc/kdc_preauth_encts.c index e80dc12..25fc784 100644 --- a/src/kdc/kdc_preauth_encts.c +++ b/src/kdc/kdc_preauth_encts.c @@ -58,7 +58,6 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_keyblock key; krb5_key_data * client_key; krb5_int32 start; - krb5_timestamp timenow; scratch.data = (char *)pa->contents; scratch.length = pa->length; @@ -95,14 +94,10 @@ enc_ts_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, if ((retval = decode_krb5_pa_enc_ts(&enc_ts_data, &pa_enc)) != 0) goto cleanup; - if ((retval = krb5_timeofday(context, &timenow)) != 0) + retval = krb5_check_clockskew(context, pa_enc->patimestamp); + if (retval) goto cleanup; - if (labs(timenow - pa_enc->patimestamp) > context->clockskew) { - retval = KRB5KRB_AP_ERR_SKEW; - goto cleanup; - } - setflag(enc_tkt_reply->flags, TKT_FLG_PRE_AUTH); retval = 0; diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c index 30c501c..0155c28 100644 --- a/src/kdc/kdc_util.c +++ b/src/kdc/kdc_util.c @@ -87,8 +87,8 @@ concat_authorization_data(krb5_context context, krb5_authdata **first, krb5_authdata **second, krb5_authdata ***output) { - register int i, j; - register krb5_authdata **ptr, **retdata; + int i, j; + krb5_authdata **ptr, **retdata; /* count up the entries */ i = 0; @@ -638,11 +638,10 @@ check_anon(kdc_realm_t *kdc_active_realm, KDC_OPT_ENC_TKT_IN_SKEY | KDC_OPT_CNAME_IN_ADDL_TKT) int validate_as_request(kdc_realm_t *kdc_active_realm, - register krb5_kdc_req *request, krb5_db_entry client, + krb5_kdc_req *request, krb5_db_entry client, krb5_db_entry server, krb5_timestamp kdc_time, const char **status, krb5_pa_data ***e_data) { - int errcode; krb5_error_code ret; /* @@ -654,7 +653,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, } /* The client must not be expired */ - if (client.expiration && client.expiration < kdc_time) { + if (client.expiration && ts_after(kdc_time, client.expiration)) { *status = "CLIENT EXPIRED"; if (vague_errors) return(KRB_ERR_GENERIC); @@ -664,7 +663,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, /* The client's password must not be expired, unless the server is a KRB5_KDC_PWCHANGE_SERVICE. */ - if (client.pw_expiration && client.pw_expiration < kdc_time && + if (client.pw_expiration && ts_after(kdc_time, client.pw_expiration) && !isflagset(server.attributes, KRB5_KDB_PWCHANGE_SERVICE)) { *status = "CLIENT KEY EXPIRED"; if (vague_errors) @@ -674,7 +673,7 @@ validate_as_request(kdc_realm_t *kdc_active_realm, } /* The server must not be expired */ - if (server.expiration && server.expiration < kdc_time) { + if (server.expiration && ts_after(kdc_time, server.expiration)) { *status = "SERVICE EXPIRED"; return(KDC_ERR_SERVICE_EXP); } @@ -750,12 +749,6 @@ validate_as_request(kdc_realm_t *kdc_active_realm, if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) return errcode_to_protocol(ret); - /* Check against local policy. */ - errcode = against_local_policy_as(request, client, server, - kdc_time, status, e_data); - if (errcode) - return errcode; - return 0; } @@ -1360,9 +1353,9 @@ kdc_make_s4u2self_rep(krb5_context context, krb5_enc_kdc_rep_part *reply_encpart) { krb5_error_code code; - krb5_data *data = NULL; + krb5_data *der_user_id = NULL, *der_s4u_x509_user = NULL; krb5_pa_s4u_x509_user rep_s4u_user; - krb5_pa_data padata; + krb5_pa_data *pa; krb5_enctype enctype; krb5_keyusage usage; @@ -1373,7 +1366,7 @@ kdc_make_s4u2self_rep(krb5_context context, rep_s4u_user.user_id.options = req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE; - code = encode_krb5_s4u_userid(&rep_s4u_user.user_id, &data); + code = encode_krb5_s4u_userid(&rep_s4u_user.user_id, &der_user_id); if (code != 0) goto cleanup; @@ -1384,29 +1377,25 @@ kdc_make_s4u2self_rep(krb5_context context, code = krb5_c_make_checksum(context, req_s4u_user->cksum.checksum_type, tgs_subkey != NULL ? tgs_subkey : tgs_session, - usage, data, - &rep_s4u_user.cksum); + usage, der_user_id, &rep_s4u_user.cksum); if (code != 0) goto cleanup; - krb5_free_data(context, data); - data = NULL; - - code = encode_krb5_pa_s4u_x509_user(&rep_s4u_user, &data); + code = encode_krb5_pa_s4u_x509_user(&rep_s4u_user, &der_s4u_x509_user); if (code != 0) goto cleanup; - padata.magic = KV5M_PA_DATA; - padata.pa_type = KRB5_PADATA_S4U_X509_USER; - padata.length = data->length; - padata.contents = (krb5_octet *)data->data; - - code = add_pa_data_element(context, &padata, &reply->padata, FALSE); + /* Add a padata element, stealing memory from der_s4u_x509_user. */ + code = alloc_pa_data(KRB5_PADATA_S4U_X509_USER, 0, &pa); + if (code != 0) + goto cleanup; + pa->length = der_s4u_x509_user->length; + pa->contents = (uint8_t *)der_s4u_x509_user->data; + der_s4u_x509_user->data = NULL; + /* add_pa_data_element() claims pa on success or failure. */ + code = add_pa_data_element(&reply->padata, pa); if (code != 0) goto cleanup; - - free(data); - data = NULL; if (tgs_subkey != NULL) enctype = tgs_subkey->enctype; @@ -1420,33 +1409,27 @@ kdc_make_s4u2self_rep(krb5_context context, */ if ((req_s4u_user->user_id.options & KRB5_S4U_OPTS_USE_REPLY_KEY_USAGE) && enctype_requires_etype_info_2(enctype) == FALSE) { - padata.length = req_s4u_user->cksum.length + - rep_s4u_user.cksum.length; - padata.contents = malloc(padata.length); - if (padata.contents == NULL) { - code = ENOMEM; + code = alloc_pa_data(KRB5_PADATA_S4U_X509_USER, + req_s4u_user->cksum.length + + rep_s4u_user.cksum.length, &pa); + if (code != 0) goto cleanup; - } + memcpy(pa->contents, + req_s4u_user->cksum.contents, req_s4u_user->cksum.length); + memcpy(&pa->contents[req_s4u_user->cksum.length], + rep_s4u_user.cksum.contents, rep_s4u_user.cksum.length); - memcpy(padata.contents, - req_s4u_user->cksum.contents, - req_s4u_user->cksum.length); - memcpy(&padata.contents[req_s4u_user->cksum.length], - rep_s4u_user.cksum.contents, - rep_s4u_user.cksum.length); - - code = add_pa_data_element(context,&padata, - &reply_encpart->enc_padata, FALSE); - if (code != 0) { - free(padata.contents); + /* add_pa_data_element() claims pa on success or failure. */ + code = add_pa_data_element(&reply_encpart->enc_padata, pa); + if (code != 0) goto cleanup; - } } cleanup: if (rep_s4u_user.cksum.contents != NULL) krb5_free_checksum_contents(context, &rep_s4u_user.cksum); - krb5_free_data(context, data); + krb5_free_data(context, der_user_id); + krb5_free_data(context, der_s4u_x509_user); return code; } @@ -1458,6 +1441,8 @@ krb5_error_code kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, krb5_const_principal client_princ, + krb5_const_principal header_srv_princ, + krb5_boolean issuing_referral, const krb5_db_entry *server, krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, @@ -1467,6 +1452,7 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, const char **status) { krb5_error_code code; + krb5_boolean is_local_tgt; krb5_pa_data *pa_data; int flags; krb5_db_entry *princ; @@ -1561,6 +1547,27 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, } /* + * Valid S4U2Self requests can occur in the following combinations: + * + * (1) local TGT, local user, local server + * (2) cross TGT, local user, issuing referral + * (3) cross TGT, non-local user, issuing referral + * (4) cross TGT, non-local user, local server + * + * The first case is for a single-realm S4U2Self scenario; the second, + * third, and fourth cases are for the initial, intermediate (if any), and + * final cross-realm requests in a multi-realm scenario. + */ + + is_local_tgt = !is_cross_tgs_principal(header_srv_princ); + if (is_local_tgt && issuing_referral) { + /* The requesting server appears to no longer exist, and we found + * a referral instead. Treat this as a server lookup failure. */ + *status = "LOOKING_UP_SERVER"; + return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN; + } + + /* * Do not attempt to lookup principals in foreign realms. */ if (is_local_principal(kdc_active_realm, @@ -1568,6 +1575,13 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, krb5_db_entry no_server; krb5_pa_data **e_data = NULL; + if (!is_local_tgt && !issuing_referral) { + /* A local server should not need a cross-realm TGT to impersonate + * a local principal. */ + *status = "NOT_CROSS_REALM_REQUEST"; + return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN; /* match Windows error */ + } + code = krb5_db_get_principal(kdc_context, (*s4u_x509_user)->user_id.user, KRB5_KDB_FLAG_INCLUDE_PAC, &princ); @@ -1581,6 +1595,11 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, memset(&no_server, 0, sizeof(no_server)); + /* Ignore password expiration and needchange attributes (as Windows + * does), since S4U2Self is not password authentication. */ + princ->pw_expiration = 0; + clear(princ->attributes, KRB5_KDB_REQUIRES_PWCHANGE); + code = validate_as_request(kdc_active_realm, request, *princ, no_server, kdc_time, status, &e_data); if (code) { @@ -1590,6 +1609,14 @@ kdc_process_s4u2self_req(kdc_realm_t *kdc_active_realm, } *princ_ptr = princ; + } else if (is_local_tgt) { + /* + * The server is asking to impersonate a principal from another realm, + * using a local TGT. It should instead ask that principal's realm and + * follow referrals back to us. + */ + *status = "S4U2SELF_CLIENT_NOT_OURS"; + return KRB5KDC_ERR_POLICY; /* match Windows error */ } return 0; @@ -1714,46 +1741,50 @@ enctype_requires_etype_info_2(krb5_enctype enctype) } } -/* XXX where are the generic helper routines for this? */ +/* Allocate a pa-data entry with an uninitialized buffer of size len. */ krb5_error_code -add_pa_data_element(krb5_context context, - krb5_pa_data *padata, - krb5_pa_data ***inout_padata, - krb5_boolean copy) +alloc_pa_data(krb5_preauthtype pa_type, size_t len, krb5_pa_data **out) { - int i; - krb5_pa_data **p; - - if (*inout_padata != NULL) { - for (i = 0; (*inout_padata)[i] != NULL; i++) - ; - } else - i = 0; - - p = realloc(*inout_padata, (i + 2) * sizeof(krb5_pa_data *)); - if (p == NULL) - return ENOMEM; - - *inout_padata = p; + krb5_pa_data *pa; + uint8_t *buf = NULL; - p[i] = (krb5_pa_data *)malloc(sizeof(krb5_pa_data)); - if (p[i] == NULL) + *out = NULL; + if (len > 0) { + buf = malloc(len); + if (buf == NULL) + return ENOMEM; + } + pa = malloc(sizeof(*pa)); + if (pa == NULL) { + free(buf); return ENOMEM; - *(p[i]) = *padata; + } + pa->magic = KV5M_PA_DATA; + pa->pa_type = pa_type; + pa->length = len; + pa->contents = buf; + *out = pa; + return 0; +} - p[i + 1] = NULL; +/* Add pa to list, claiming its memory. Free pa on failure. */ +krb5_error_code +add_pa_data_element(krb5_pa_data ***list, krb5_pa_data *pa) +{ + size_t count; + krb5_pa_data **newlist; - if (copy) { - p[i]->contents = (krb5_octet *)malloc(padata->length); - if (p[i]->contents == NULL) { - free(p[i]); - p[i] = NULL; - return ENOMEM; - } + for (count = 0; *list != NULL && (*list)[count] != NULL; count++); - memcpy(p[i]->contents, padata->contents, padata->length); + newlist = realloc(*list, (count + 2) * sizeof(*newlist)); + if (newlist == NULL) { + free(pa->contents); + free(pa); + return ENOMEM; } - + newlist[count] = pa; + newlist[count + 1] = NULL; + *list = newlist; return 0; } @@ -1766,14 +1797,19 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, krb5_timestamp *out_endtime) { - krb5_timestamp until, life; + krb5_timestamp until; + krb5_deltat life; if (till == 0) till = kdc_infinity; - until = min(till, endtime); + until = ts_min(till, endtime); - life = until - starttime; + /* Determine the requested lifetime, capped at the maximum valid time + * interval. */ + life = ts_delta(until, starttime); + if (ts_after(until, starttime) && life < 0) + life = INT32_MAX; if (client != NULL && client->max_life != 0) life = min(life, client->max_life); @@ -1782,7 +1818,7 @@ kdc_get_ticket_endtime(kdc_realm_t *kdc_active_realm, if (kdc_active_realm->realm_maxlife != 0) life = min(life, kdc_active_realm->realm_maxlife); - *out_endtime = starttime + life; + *out_endtime = ts_incr(starttime, life); } /* @@ -1797,6 +1833,7 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, { krb5_timestamp rtime, max_rlife; + clear(tkt->flags, TKT_FLG_RENEWABLE); tkt->times.renew_till = 0; /* Don't issue renewable tickets if the client or server don't allow it, @@ -1812,25 +1849,27 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE)) rtime = request->rtime ? request->rtime : kdc_infinity; else if (isflagset(request->kdc_options, KDC_OPT_RENEWABLE_OK) && - tkt->times.endtime < request->till) + ts_after(request->till, tkt->times.endtime)) rtime = request->till; else return; /* Truncate it to the allowable renewable time. */ if (tgt != NULL) - rtime = min(rtime, tgt->times.renew_till); + rtime = ts_min(rtime, tgt->times.renew_till); max_rlife = min(server->max_renewable_life, realm->realm_maxrlife); if (client != NULL) max_rlife = min(max_rlife, client->max_renewable_life); - rtime = min(rtime, tkt->times.starttime + max_rlife); + rtime = ts_min(rtime, ts_incr(tkt->times.starttime, max_rlife)); - /* Make the ticket renewable if the truncated requested time is larger than - * the ticket end time. */ - if (rtime > tkt->times.endtime) { - setflag(tkt->flags, TKT_FLG_RENEWABLE); - tkt->times.renew_till = rtime; - } + /* If the client only specified renewable-ok, don't issue a renewable + * ticket unless the truncated renew time exceeds the ticket end time. */ + if (!isflagset(request->kdc_options, KDC_OPT_RENEWABLE) && + !ts_after(rtime, tkt->times.endtime)) + return; + + setflag(tkt->flags, TKT_FLG_RENEWABLE); + tkt->times.renew_till = rtime; } /** @@ -1849,38 +1888,47 @@ kdc_handle_protected_negotiation(krb5_context context, { krb5_error_code retval = 0; krb5_checksum checksum; - krb5_data *out = NULL; - krb5_pa_data pa, *pa_in; + krb5_data *der_cksum = NULL; + krb5_pa_data *pa, *pa_in; + + memset(&checksum, 0, sizeof(checksum)); + pa_in = krb5int_find_pa_data(context, request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP); if (pa_in == NULL) return 0; - pa.magic = KV5M_PA_DATA; - pa.pa_type = KRB5_ENCPADATA_REQ_ENC_PA_REP; - memset(&checksum, 0, sizeof(checksum)); - retval = krb5_c_make_checksum(context,0, reply_key, - KRB5_KEYUSAGE_AS_REQ, req_pkt, &checksum); + + /* Compute and encode a checksum over the AS-REQ. */ + retval = krb5_c_make_checksum(context, 0, reply_key, KRB5_KEYUSAGE_AS_REQ, + req_pkt, &checksum); if (retval != 0) goto cleanup; - retval = encode_krb5_checksum(&checksum, &out); + retval = encode_krb5_checksum(&checksum, &der_cksum); if (retval != 0) goto cleanup; - pa.contents = (krb5_octet *) out->data; - pa.length = out->length; - retval = add_pa_data_element(context, &pa, out_enc_padata, FALSE); + + /* Add a pa-data element to the list, stealing memory from der_cksum. */ + retval = alloc_pa_data(KRB5_ENCPADATA_REQ_ENC_PA_REP, 0, &pa); + if (retval) + goto cleanup; + pa->length = der_cksum->length; + pa->contents = (uint8_t *)der_cksum->data; + der_cksum->data = NULL; + /* add_pa_data_element() claims pa on success or failure. */ + retval = add_pa_data_element(out_enc_padata, pa); if (retval) goto cleanup; - out->data = NULL; - pa.magic = KV5M_PA_DATA; - pa.pa_type = KRB5_PADATA_FX_FAST; - pa.length = 0; - pa.contents = NULL; - retval = add_pa_data_element(context, &pa, out_enc_padata, FALSE); + + /* Add a zero-length PA-FX-FAST element to the list. */ + retval = alloc_pa_data(KRB5_PADATA_FX_FAST, 0, &pa); + if (retval) + goto cleanup; + /* add_pa_data_element() claims pa on success or failure. */ + retval = add_pa_data_element(out_enc_padata, pa); + cleanup: - if (checksum.contents) - krb5_free_checksum_contents(context, &checksum); - if (out != NULL) - krb5_free_data(context, out); + krb5_free_checksum_contents(context, &checksum); + krb5_free_data(context, der_cksum); return retval; } diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h index bcf05fc..6ec645f 100644 --- a/src/kdc/kdc_util.h +++ b/src/kdc/kdc_util.h @@ -140,18 +140,17 @@ cammac_check_kdcver(krb5_context context, krb5_cammac *cammac, /* do_as_req.c */ void process_as_req (krb5_kdc_req *, krb5_data *, - const krb5_fulladdr *, kdc_realm_t *, + const krb5_fulladdr *, const krb5_fulladdr *, kdc_realm_t *, verto_ctx *, loop_respond_fn, void *); /* do_tgs_req.c */ krb5_error_code -process_tgs_req (struct server_handle *, krb5_data *, - const krb5_fulladdr *, - krb5_data ** ); +process_tgs_req (krb5_kdc_req *, krb5_data *, const krb5_fulladdr *, + kdc_realm_t *, krb5_data ** ); /* dispatch.c */ void dispatch (void *, - struct sockaddr *, + const krb5_fulladdr *, const krb5_fulladdr *, krb5_data *, int, @@ -166,17 +165,6 @@ kdc_err(krb5_context call_context, errcode_t code, const char *fmt, ...) #endif ; -/* policy.c */ -int -against_local_policy_as (krb5_kdc_req *, krb5_db_entry, - krb5_db_entry, krb5_timestamp, - const char **, krb5_pa_data ***); - -int -against_local_policy_tgs (krb5_kdc_req *, krb5_db_entry, - krb5_ticket *, const char **, - krb5_pa_data ***); - /* kdc_preauth.c */ krb5_boolean enctype_requires_etype_info_2(krb5_enctype enctype); @@ -214,10 +202,10 @@ void free_padata_context(krb5_context context, void *padata_context); krb5_error_code -add_pa_data_element (krb5_context context, - krb5_pa_data *padata, - krb5_pa_data ***out_padata, - krb5_boolean copy); +alloc_pa_data(krb5_preauthtype pa_type, size_t len, krb5_pa_data **out); + +krb5_error_code +add_pa_data_element(krb5_pa_data ***list, krb5_pa_data *pa); /* kdc_preauth_ec.c */ krb5_error_code @@ -281,6 +269,8 @@ krb5_error_code kdc_process_s4u2self_req (kdc_realm_t *kdc_active_realm, krb5_kdc_req *request, krb5_const_principal client_princ, + krb5_const_principal header_srv_princ, + krb5_boolean issuing_referral, const krb5_db_entry *server, krb5_keyblock *tgs_subkey, krb5_keyblock *tgs_session, @@ -346,7 +336,9 @@ kdc_get_ticket_renewtime(kdc_realm_t *realm, krb5_kdc_req *request, krb5_db_entry *server, krb5_enc_tkt_part *tkt); void -log_as_req(krb5_context context, const krb5_fulladdr *from, +log_as_req(krb5_context context, + const krb5_fulladdr *local_addr, + const krb5_fulladdr *remote_addr, krb5_kdc_req *request, krb5_kdc_rep *reply, krb5_db_entry *client, const char *cname, krb5_db_entry *server, const char *sname, @@ -436,11 +428,13 @@ struct krb5_kdcpreauth_rock_st { krb5_kdc_req *request; krb5_data *inner_body; krb5_db_entry *client; + krb5_db_entry *local_tgt; krb5_key_data *client_key; krb5_keyblock *client_keyblock; struct kdc_request_state *rstate; verto_ctx *vctx; krb5_data ***auth_indicators; + krb5_boolean send_freshness_token; }; #define isflagset(flagfield, flag) (flagfield & (flag)) @@ -452,6 +446,8 @@ struct krb5_kdcpreauth_rock_st { #define max(a, b) ((a) > (b) ? (a) : (b)) #endif +#define ts_min(a, b) (ts_after(a, b) ? (b) : (a)) + #define ADDRTYPE2FAMILY(X) \ ((X) == ADDRTYPE_INET6 ? AF_INET6 : (X) == ADDRTYPE_INET ? AF_INET : -1) diff --git a/src/kdc/main.c b/src/kdc/main.c index ebc852b..408c723 100644 --- a/src/kdc/main.c +++ b/src/kdc/main.c @@ -31,6 +31,7 @@ #include "kdc_util.h" #include "kdc_audit.h" #include "extern.h" +#include "policy.h" #include "kdc5_err.h" #include "kdb_kt.h" #include "net-server.h" @@ -52,8 +53,6 @@ extern int daemon(int, int); static void usage (char *); -static krb5_error_code setup_sam (void); - static void initialize_realms(krb5_context kcontext, int argc, char **argv, int *tcp_listen_backlog_out); @@ -128,14 +127,16 @@ setup_server_realm(struct server_handle *handle, krb5_principal sprinc) return NULL; if (kdc_numrealms > 1) { - if (!(newrealm = find_realm_data(handle, sprinc->realm.data, - (krb5_ui_4) sprinc->realm.length))) - return NULL; - else - return newrealm; + newrealm = find_realm_data(handle, sprinc->realm.data, + sprinc->realm.length); + } else { + newrealm = kdc_realmlist[0]; } - else - return kdc_realmlist[0]; + if (newrealm != NULL) { + krb5_klog_set_context(newrealm->realm_context); + shandle.kdc_err_context = newrealm->realm_context; + } + return newrealm; } static void @@ -160,11 +161,7 @@ finish_realm(kdc_realm_t *rdp) if (rdp->realm_context) { if (rdp->realm_mprinc) krb5_free_principal(rdp->realm_context, rdp->realm_mprinc); - if (rdp->realm_mkey.length && rdp->realm_mkey.contents) { - /* XXX shouldn't memset be zap for safety? */ - memset(rdp->realm_mkey.contents, 0, rdp->realm_mkey.length); - free(rdp->realm_mkey.contents); - } + zapfree(rdp->realm_mkey.contents, rdp->realm_mkey.length); krb5_db_fini(rdp->realm_context); if (rdp->realm_tgsprinc) krb5_free_principal(rdp->realm_context, rdp->realm_tgsprinc); @@ -589,13 +586,6 @@ create_workers(verto_ctx *ctx, int num) exit(0); } -static krb5_error_code -setup_sam(void) -{ - krb5_context ctx = shandle.kdc_err_context; - return krb5_c_make_random_key(ctx, ENCTYPE_DES_CBC_MD5, &psr_key); -} - static void usage(char *name) { @@ -792,19 +782,15 @@ initialize_realms(krb5_context kcontext, int argc, char **argv, pid_file = optarg; break; case 'p': - if (def_udp_listen) - free(def_udp_listen); + free(def_udp_listen); + free(def_tcp_listen); def_udp_listen = strdup(optarg); - if (!def_udp_listen) { + def_tcp_listen = strdup(optarg); + if (def_udp_listen == NULL || def_tcp_listen == NULL) { fprintf(stderr, _(" KDC cannot initialize. Not enough " "memory\n")); exit(1); } -#if 0 /* not yet */ - if (default_tcp_ports) - free(default_tcp_ports); - default_tcp_ports = strdup(optarg); -#endif break; case 'T': time_offset = atoi(optarg); @@ -986,10 +972,9 @@ int main(int argc, char **argv) load_preauth_plugins(&shandle, kcontext, ctx); load_authdata_plugins(kcontext); - - retval = setup_sam(); + retval = load_kdcpolicy_plugins(kcontext); if (retval) { - kdc_err(kcontext, retval, _("while initializing SAM")); + kdc_err(kcontext, retval, _("while loading KDC policy plugin")); finish_realms(); return 1; } @@ -1068,6 +1053,7 @@ int main(int argc, char **argv) krb5_klog_syslog(LOG_INFO, _("shutting down")); unload_preauth_plugins(kcontext); unload_authdata_plugins(kcontext); + unload_kdcpolicy_plugins(kcontext); unload_audit_modules(kcontext); krb5_klog_close(kcontext); finish_realms(); diff --git a/src/kdc/policy.c b/src/kdc/policy.c index 6cba430..26c16f9 100644 --- a/src/kdc/policy.c +++ b/src/kdc/policy.c @@ -1,67 +1,246 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* kdc/policy.c - Policy decision routines for KDC */ /* - * Copyright 1990 by the Massachusetts Institute of Technology. + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. */ #include "k5-int.h" #include "kdc_util.h" #include "extern.h" +#include "policy.h" +#include "adm_proto.h" +#include +#include + +typedef struct kdcpolicy_handle_st { + struct krb5_kdcpolicy_vtable_st vt; + krb5_kdcpolicy_moddata moddata; +} *kdcpolicy_handle; + +static kdcpolicy_handle *handles; + +static void +free_indicators(char **ais) +{ + size_t i; -int -against_local_policy_as(register krb5_kdc_req *request, krb5_db_entry client, - krb5_db_entry server, krb5_timestamp kdc_time, - const char **status, krb5_pa_data ***e_data) + if (ais == NULL) + return; + for (i = 0; ais[i] != NULL; i++) + free(ais[i]); + free(ais); +} + +/* Convert inds to a null-terminated list of C strings. */ +static krb5_error_code +authind_strings(krb5_data *const *inds, char ***strs_out) { -#if 0 - /* An AS request must include the addresses field */ - if (request->addresses == 0) { - *status = "NO ADDRESS"; - return KRB5KDC_ERR_POLICY; + krb5_error_code ret; + char **list = NULL; + size_t i, count; + + *strs_out = NULL; + + for (count = 0; inds != NULL && inds[count] != NULL; count++); + list = k5calloc(count + 1, sizeof(*list), &ret); + if (list == NULL) + goto error; + + for (i = 0; i < count; i++) { + list[i] = k5memdup0(inds[i]->data, inds[i]->length, &ret); + if (list[i] == NULL) + goto error; } -#endif - return 0; /* not against policy */ + *strs_out = list; + return 0; + +error: + free_indicators(list); + return ret; +} + +/* Constrain times->endtime to life and times->renew_till to rlife, relative to + * now. */ +static void +update_ticket_times(krb5_ticket_times *times, krb5_timestamp now, + krb5_deltat life, krb5_deltat rlife) +{ + if (life) + times->endtime = ts_min(ts_incr(now, life), times->endtime); + if (rlife) + times->renew_till = ts_min(ts_incr(now, rlife), times->renew_till); +} + +/* Check an AS request against kdcpolicy modules, updating times with any + * module endtime constraints. Set an appropriate status string on error. */ +krb5_error_code +check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request, + const krb5_db_entry *client, const krb5_db_entry *server, + krb5_data *const *auth_indicators, krb5_timestamp kdc_time, + krb5_ticket_times *times, const char **status) +{ + krb5_deltat life, rlife; + krb5_error_code ret; + kdcpolicy_handle *hp, h; + char **ais = NULL; + + *status = NULL; + + ret = authind_strings(auth_indicators, &ais); + if (ret) + goto done; + + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + if (h->vt.check_as == NULL) + continue; + + ret = h->vt.check_as(context, h->moddata, request, client, server, + (const char **)ais, status, &life, &rlife); + if (ret) + goto done; + + update_ticket_times(times, kdc_time, life, rlife); + } + +done: + free_indicators(ais); + return ret; } /* - * This is where local policy restrictions for the TGS should placed. + * Check the TGS request against the local TGS policy. Accepts an + * authentication indicator for the module policy decisions. Returns 0 and a + * NULL status string on success. */ krb5_error_code -against_local_policy_tgs(register krb5_kdc_req *request, krb5_db_entry server, - krb5_ticket *ticket, const char **status, - krb5_pa_data ***e_data) +check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request, + const krb5_db_entry *server, const krb5_ticket *ticket, + krb5_data *const *auth_indicators, krb5_timestamp kdc_time, + krb5_ticket_times *times, const char **status) { -#if 0 - /* - * For example, if your site wants to disallow ticket forwarding, - * you might do something like this: - */ - - if (isflagset(request->kdc_options, KDC_OPT_FORWARDED)) { - *status = "FORWARD POLICY"; - return KRB5KDC_ERR_POLICY; + krb5_deltat life, rlife; + krb5_error_code ret; + kdcpolicy_handle *hp, h; + char **ais = NULL; + + *status = NULL; + + ret = authind_strings(auth_indicators, &ais); + if (ret) + goto done; + + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + if (h->vt.check_tgs == NULL) + continue; + + ret = h->vt.check_tgs(context, h->moddata, request, server, ticket, + (const char **)ais, status, &life, &rlife); + if (ret) + goto done; + + update_ticket_times(times, kdc_time, life, rlife); } -#endif - return 0; /* not against policy */ +done: + free_indicators(ais); + return ret; +} + +void +unload_kdcpolicy_plugins(krb5_context context) +{ + kdcpolicy_handle *hp, h; + + for (hp = handles; *hp != NULL; hp++) { + h = *hp; + if (h->vt.fini != NULL) + h->vt.fini(context, h->moddata); + free(h); + } + free(handles); + handles = NULL; +} + +krb5_error_code +load_kdcpolicy_plugins(krb5_context context) +{ + krb5_error_code ret; + krb5_plugin_initvt_fn *modules = NULL, *mod; + kdcpolicy_handle h; + size_t count; + + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_KDCPOLICY, &modules); + if (ret) + goto cleanup; + + for (count = 0; modules[count] != NULL; count++); + handles = k5calloc(count + 1, sizeof(*handles), &ret); + if (handles == NULL) + goto cleanup; + + count = 0; + for (mod = modules; *mod != NULL; mod++) { + h = k5calloc(1, sizeof(*h), &ret); + if (h == NULL) + goto cleanup; + + ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt); + if (ret) { /* Version mismatch. */ + TRACE_KDCPOLICY_VTINIT_FAIL(context, ret); + free(h); + continue; + } + if (h->vt.init != NULL) { + ret = h->vt.init(context, &h->moddata); + if (ret == KRB5_PLUGIN_NO_HANDLE) { + TRACE_KDCPOLICY_INIT_SKIP(context, h->vt.name); + free(h); + continue; + } + if (ret) { + kdc_err(context, ret, _("while loading policy module %s"), + h->vt.name); + free(h); + goto cleanup; + } + } + handles[count++] = h; + } + + ret = 0; + +cleanup: + if (ret) + unload_kdcpolicy_plugins(context); + k5_plugin_free_modules(context, modules); + return ret; } diff --git a/src/kdc/policy.h b/src/kdc/policy.h index 6b000dc..2a57b0a 100644 --- a/src/kdc/policy.h +++ b/src/kdc/policy.h @@ -26,11 +26,22 @@ #ifndef __KRB5_KDC_POLICY__ #define __KRB5_KDC_POLICY__ -extern int against_postdate_policy (krb5_timestamp); +krb5_error_code +load_kdcpolicy_plugins(krb5_context context); -extern int against_flag_policy_as (const krb5_kdc_req *); +void +unload_kdcpolicy_plugins(krb5_context context); -extern int against_flag_policy_tgs (const krb5_kdc_req *, - const krb5_ticket *); +krb5_error_code +check_kdcpolicy_as(krb5_context context, const krb5_kdc_req *request, + const krb5_db_entry *client, const krb5_db_entry *server, + krb5_data *const *auth_indicators, krb5_timestamp kdc_time, + krb5_ticket_times *times, const char **status); + +krb5_error_code +check_kdcpolicy_tgs(krb5_context context, const krb5_kdc_req *request, + const krb5_db_entry *server, const krb5_ticket *ticket, + krb5_data *const *auth_indicators, krb5_timestamp kdc_time, + krb5_ticket_times *times, const char **status); #endif /* __KRB5_KDC_POLICY__ */ diff --git a/src/kdc/replay.c b/src/kdc/replay.c index 8da7ac1..5125bc6 100644 --- a/src/kdc/replay.c +++ b/src/kdc/replay.c @@ -26,23 +26,20 @@ #include "k5-int.h" #include "k5-queue.h" +#include "k5-hashtab.h" #include "kdc_util.h" #include "extern.h" #ifndef NOCACHE struct entry { - K5_LIST_ENTRY(entry) bucket_links; - K5_TAILQ_ENTRY(entry) expire_links; + K5_TAILQ_ENTRY(entry) links; int num_hits; krb5_timestamp timein; krb5_data req_packet; krb5_data reply_packet; }; -#ifndef LOOKASIDE_HASH_SIZE -#define LOOKASIDE_HASH_SIZE 16384 -#endif #ifndef LOOKASIDE_MAX_SIZE #define LOOKASIDE_MAX_SIZE (10 * 1024 * 1024) #endif @@ -50,7 +47,7 @@ struct entry { K5_LIST_HEAD(entry_list, entry); K5_TAILQ_HEAD(entry_queue, entry); -static struct entry_list hash_table[LOOKASIDE_HASH_SIZE]; +static struct k5_hashtab *hash_table; static struct entry_queue expiration_queue; static int hits = 0; @@ -58,49 +55,9 @@ static int calls = 0; static int max_hits_per_entry = 0; static int num_entries = 0; static size_t total_size = 0; -static krb5_ui_4 seed; #define STALE_TIME (2*60) /* two minutes */ -#define STALE(ptr, now) (abs((ptr)->timein - (now)) >= STALE_TIME) - -/* Return x rotated to the left by r bits. */ -static inline krb5_ui_4 -rotl32(krb5_ui_4 x, int r) -{ - return (x << r) | (x >> (32 - r)); -} - -/* - * Return a non-cryptographic hash of data, seeded by seed (the global - * variable), using the MurmurHash3 algorithm by Austin Appleby. Return the - * result modulo LOOKASIDE_HASH_SIZE. - */ -static int -murmurhash3(const krb5_data *data) -{ - const krb5_ui_4 c1 = 0xcc9e2d51, c2 = 0x1b873593; - const unsigned char *start = (unsigned char *)data->data, *endblocks, *p; - int tail_len = (data->length % 4); - krb5_ui_4 h = seed, final; - - endblocks = start + data->length - tail_len; - for (p = start; p < endblocks; p += 4) { - h ^= rotl32(load_32_le(p) * c1, 15) * c2; - h = rotl32(h, 13) * 5 + 0xe6546b64; - } - - final = 0; - final |= (tail_len >= 3) ? p[2] << 16 : 0; - final |= (tail_len >= 2) ? p[1] << 8 : 0; - final |= (tail_len >= 1) ? p[0] : 0; - h ^= rotl32(final * c1, 15) * c2; - - h ^= data->length; - h = (h ^ (h >> 16)) * 0x85ebca6b; - h = (h ^ (h >> 13)) * 0xc2b2ae35; - h ^= h >> 16; - return h % LOOKASIDE_HASH_SIZE; -} +#define STALE(ptr, now) (ts_after(now, ts_incr((ptr)->timein, STALE_TIME))) /* Return the rough memory footprint of an entry containing req and rep. */ static size_t @@ -117,35 +74,40 @@ insert_entry(krb5_context context, krb5_data *req, krb5_data *rep, { krb5_error_code ret; struct entry *entry; - krb5_ui_4 req_hash = murmurhash3(req); size_t esize = entry_size(req, rep); entry = calloc(1, sizeof(*entry)); if (entry == NULL) - return NULL; + goto error; entry->timein = time; ret = krb5int_copy_data_contents(context, req, &entry->req_packet); - if (ret) { - free(entry); - return NULL; - } + if (ret) + goto error; if (rep != NULL) { ret = krb5int_copy_data_contents(context, rep, &entry->reply_packet); - if (ret) { - krb5_free_data_contents(context, &entry->req_packet); - free(entry); - return NULL; - } + if (ret) + goto error; } - K5_TAILQ_INSERT_TAIL(&expiration_queue, entry, expire_links); - K5_LIST_INSERT_HEAD(&hash_table[req_hash], entry, bucket_links); + ret = k5_hashtab_add(hash_table, entry->req_packet.data, + entry->req_packet.length, entry); + if (ret) + goto error; + K5_TAILQ_INSERT_TAIL(&expiration_queue, entry, links); num_entries++; total_size += esize; return entry; + +error: + if (entry != NULL) { + krb5_free_data_contents(context, &entry->req_packet); + krb5_free_data_contents(context, &entry->reply_packet); + free(entry); + } + return NULL; } @@ -155,38 +117,30 @@ discard_entry(krb5_context context, struct entry *entry) { total_size -= entry_size(&entry->req_packet, &entry->reply_packet); num_entries--; - K5_LIST_REMOVE(entry, bucket_links); - K5_TAILQ_REMOVE(&expiration_queue, entry, expire_links); + k5_hashtab_remove(hash_table, entry->req_packet.data, + entry->req_packet.length); + K5_TAILQ_REMOVE(&expiration_queue, entry, links); krb5_free_data_contents(context, &entry->req_packet); krb5_free_data_contents(context, &entry->reply_packet); free(entry); } -/* Return the entry for req_packet, or NULL if we don't have one. */ -static struct entry * -find_entry(krb5_data *req_packet) -{ - krb5_ui_4 hash = murmurhash3(req_packet); - struct entry *e; - - K5_LIST_FOREACH(e, &hash_table[hash], bucket_links) { - if (data_eq(e->req_packet, *req_packet)) - return e; - } - return NULL; -} - /* Initialize the lookaside cache structures and randomize the hash seed. */ krb5_error_code kdc_init_lookaside(krb5_context context) { - krb5_data d = make_data(&seed, sizeof(seed)); - int i; - - for (i = 0; i < LOOKASIDE_HASH_SIZE; i++) - K5_LIST_INIT(&hash_table[i]); + krb5_error_code ret; + uint8_t seed[K5_HASH_SEED_LEN]; + krb5_data d = make_data(seed, sizeof(seed)); + + ret = krb5_c_random_make_octets(context, &d); + if (ret) + return ret; + ret = k5_hashtab_create(seed, 8192, &hash_table); + if (ret) + return ret; K5_TAILQ_INIT(&expiration_queue); - return krb5_c_random_make_octets(context, &d); + return 0; } /* Remove the lookaside cache entry for a packet. */ @@ -195,7 +149,7 @@ kdc_remove_lookaside(krb5_context kcontext, krb5_data *req_packet) { struct entry *e; - e = find_entry(req_packet); + e = k5_hashtab_get(hash_table, req_packet->data, req_packet->length); if (e != NULL) discard_entry(kcontext, e); } @@ -217,7 +171,7 @@ kdc_check_lookaside(krb5_context kcontext, krb5_data *req_packet, *reply_packet_out = NULL; calls++; - e = find_entry(req_packet); + e = k5_hashtab_get(hash_table, req_packet->data, req_packet->length); if (e == NULL) return FALSE; @@ -251,7 +205,7 @@ kdc_insert_lookaside(krb5_context kcontext, krb5_data *req_packet, return; /* Purge stale entries and limit the total size of the entries. */ - K5_TAILQ_FOREACH_SAFE(e, &expiration_queue, expire_links, next) { + K5_TAILQ_FOREACH_SAFE(e, &expiration_queue, links, next) { if (!STALE(e, timenow) && total_size + esize <= LOOKASIDE_MAX_SIZE) break; max_hits_per_entry = max(max_hits_per_entry, e->num_hits); @@ -268,9 +222,10 @@ kdc_free_lookaside(krb5_context kcontext) { struct entry *e, *next; - K5_TAILQ_FOREACH_SAFE(e, &expiration_queue, expire_links, next) { + K5_TAILQ_FOREACH_SAFE(e, &expiration_queue, links, next) { discard_entry(kcontext, e); } + k5_hashtab_free(hash_table); } #endif /* NOCACHE */ diff --git a/src/kdc/t_bigreply.py b/src/kdc/t_bigreply.py new file mode 100644 index 0000000..b630015 --- /dev/null +++ b/src/kdc/t_bigreply.py @@ -0,0 +1,18 @@ +from k5test import * + +# Set the maximum UDP reply size very low, so that all replies go +# through the RESPONSE_TOO_BIG path. +kdc_conf = {'kdcdefaults': {'kdc_max_dgram_reply_size': '10'}} +realm = K5Realm(kdc_conf=kdc_conf, get_creds=False) + +msgs = ('Sending initial UDP request', + 'Received answer', + 'Request or response is too big for UDP; retrying with TCP', + ' to KRBTEST.COM (tcp only)', + 'Initiating TCP connection', + 'Sending TCP request', + 'Terminating TCP connection') +realm.kinit(realm.user_princ, password('user'), expected_trace=msgs) +realm.run([kvno, realm.host_princ], expected_trace=msgs) + +success('Large KDC replies') diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py index 8f7717a..c601c01 100755 --- a/src/kdc/t_emptytgt.py +++ b/src/kdc/t_emptytgt.py @@ -1,8 +1,6 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_host=False) -output = realm.run([kvno, 'krbtgt/'], expected_code=1) -if 'not found in Kerberos database' not in output: - fail('TGT lookup for empty realm failed in unexpected way') +realm.run([kvno, 'krbtgt/'], expected_code=1, + expected_msg='not found in Kerberos database') success('Empty tgt lookup.') diff --git a/src/kdc/t_replay.c b/src/kdc/t_replay.c index 1442e0e..57aad88 100644 --- a/src/kdc/t_replay.c +++ b/src/kdc/t_replay.c @@ -36,10 +36,7 @@ #ifndef NOCACHE -#include -#include -#include -#include +#include "k5-cmocka.h" /* For wrapping functions */ #include "k5-int.h" @@ -67,14 +64,9 @@ __wrap_krb5_timeofday(krb5_context context, krb5_timestamp *timeret) cmocka_unit_test_setup_teardown(fn, setup_lookaside, destroy_lookaside) /* - * Helper functions and values + * Helper functions */ -/* Two packet datas that give the same murmur hash using the test seed */ -static char hc_data1[8] = { 0X33, 0X6F, 0X65, 0X58, 0X48, 0XF7, 0X3A, 0XD3 }; -static char hc_data2[8] = { 0X91, 0XB5, 0X4C, 0XD8, 0XAD, 0X92, 0XBF, 0X6B }; -static uint32_t hc_hash = 0x00000F94; - static void time_return(krb5_timestamp time, krb5_error_code err) { @@ -118,7 +110,6 @@ setup_lookaside(void **state) return ret; /* Ensure some vars are all set to initial values */ - seed = SEED; hits = 0; calls = 0; max_hits_per_entry = 0; @@ -136,124 +127,6 @@ destroy_lookaside(void **state) } /* - * rotl32 tests - */ - -static void -test_rotl32_rand_1bit(void **state) -{ - uint32_t result; - - result = rotl32(0x1B8578BA, 1); - assert_true(result == 0x370AF174); -} - -static void -test_rotl32_rand_2bit(void **state) -{ - uint32_t result; - - result = rotl32(0x1B8578BA, 2); - assert_true(result == 0x6E15E2E8); -} - -static void -test_rotl32_rand_3bit(void **state) -{ - uint32_t result; - - result = rotl32(0x1B8578BA, 3); - assert_true(result == 0xDC2BC5D0); -} - -static void -test_rotl32_one(void **state) -{ - uint32_t result; - - result = rotl32(0x00000001, 1); - assert_true(result == 0x00000002); -} - -static void -test_rotl32_zero(void **state) -{ - uint32_t result; - - result = rotl32(0x00000000, 1); - assert_true(result == 0x00000000); -} - -static void -test_rotl32_full(void **state) -{ - uint32_t result; - - result = rotl32(0xFFFFFFFF, 1); - assert_true(result == 0xFFFFFFFF); -} - -/* - * murmurhash3 tests - */ - -static void -test_murmurhash3_string(void **state) -{ - int result; - const krb5_data data = string2data("Don't mind me I'm just some random " - "data waiting to be hashed!"); - - result = murmurhash3(&data); - assert_int_equal(result, 0x000038FB); -} - -static void -test_murmurhash3_single_byte_changed(void **state) -{ - int result; - const krb5_data data = string2data("Don't mind me I'm just some random " - "data waiting to be hashed"); - - result = murmurhash3(&data); - assert_int_equal(result, 0x000007DC); -} - -static void -test_murmurhash3_string2(void **state) -{ - int result; - const krb5_data data = string2data("I'm completely different data " - "waiting for a hash :)"); - - result = murmurhash3(&data); - assert_int_equal(result, 0x000021AD); - -} - -static void -test_murmurhash3_byte(void **state) -{ - int result; - char s = 's'; - const krb5_data data = make_data(&s, sizeof(s)); - - result = murmurhash3(&data); - assert_int_equal(result, 0x000010EE); -} - -static void -test_murmurhash3_zero(void **state) -{ - int result; - char zero = 0; - const krb5_data data = make_data(&zero, sizeof(zero)); - - result = murmurhash3(&data); - assert_int_equal(result, 0x00003DFA); -} - -/* * entry_size tests */ @@ -289,11 +162,10 @@ test_insert_entry(void **state) krb5_context context = *state; krb5_data req = string2data("I'm a test request"); krb5_data rep = string2data("I'm a test response"); - uint32_t req_hash = 0x000011BE; e = insert_entry(context, &req, &rep, 15); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash]), e); + assert_ptr_equal(k5_hashtab_get(hash_table, req.data, req.length), e); assert_ptr_equal(K5_TAILQ_FIRST(&expiration_queue), e); assert_true(data_eq(e->req_packet, req)); assert_true(data_eq(e->reply_packet, rep)); @@ -306,11 +178,10 @@ test_insert_entry_no_response(void **state) struct entry *e; krb5_context context = *state; krb5_data req = string2data("I'm a test request"); - uint32_t req_hash = 0x000011BE; e = insert_entry(context, &req, NULL, 10); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash]), e); + assert_ptr_equal(k5_hashtab_get(hash_table, req.data, req.length), e); assert_ptr_equal(K5_TAILQ_FIRST(&expiration_queue), e); assert_true(data_eq(e->req_packet, req)); assert_int_equal(e->reply_packet.length, 0); @@ -324,13 +195,11 @@ test_insert_entry_multiple(void **state) krb5_context context = *state; krb5_data req1 = string2data("I'm a test request"); krb5_data rep1 = string2data("I'm a test response"); - uint32_t req_hash1 = 0x000011BE; krb5_data req2 = string2data("I'm a different test request"); - uint32_t req_hash2 = 0x00003597; e1 = insert_entry(context, &req1, &rep1, 20); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash1]), e1); + assert_ptr_equal(k5_hashtab_get(hash_table, req1.data, req1.length), e1); assert_ptr_equal(K5_TAILQ_FIRST(&expiration_queue), e1); assert_true(data_eq(e1->req_packet, req1)); assert_true(data_eq(e1->reply_packet, rep1)); @@ -338,39 +207,13 @@ test_insert_entry_multiple(void **state) e2 = insert_entry(context, &req2, NULL, 30); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash2]), e2); + assert_ptr_equal(k5_hashtab_get(hash_table, req2.data, req2.length), e2); assert_ptr_equal(K5_TAILQ_LAST(&expiration_queue,entry_queue), e2); assert_true(data_eq(e2->req_packet, req2)); assert_int_equal(e2->reply_packet.length, 0); assert_int_equal(e2->timein, 30); } -static void -test_insert_entry_hash_collision(void **state) -{ - struct entry *e1, *e2; - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - - e1 = insert_entry(context, &req1, &rep1, 40); - - assert_ptr_equal(K5_LIST_FIRST(&hash_table[hc_hash]), e1); - assert_ptr_equal(K5_TAILQ_FIRST(&expiration_queue), e1); - assert_true(data_eq(e1->req_packet, req1)); - assert_true(data_eq(e1->reply_packet, rep1)); - assert_int_equal(e1->timein, 40); - - e2 = insert_entry(context, &req2, NULL, 50); - - assert_ptr_equal(K5_LIST_FIRST(&hash_table[hc_hash]), e2); - assert_ptr_equal(K5_TAILQ_LAST(&expiration_queue,entry_queue), e2); - assert_true(data_eq(e2->req_packet, req2)); - assert_int_equal(e2->reply_packet.length, 0); - assert_int_equal(e2->timein, 50); -} - /* * discard_entry tests */ @@ -382,12 +225,11 @@ test_discard_entry(void **state) krb5_context context = *state; krb5_data req = string2data("I'm a test request"); krb5_data rep = string2data("I'm a test response"); - uint32_t req_hash = 0x000011BE; e = insert_entry(context, &req, &rep, 0); discard_entry(context, e); - assert_null(K5_LIST_FIRST(&hash_table[req_hash])); + assert_null(k5_hashtab_get(hash_table, req.data, req.length)); assert_int_equal(num_entries, 0); assert_int_equal(total_size, 0); } @@ -398,103 +240,16 @@ test_discard_entry_no_response(void **state) struct entry *e; krb5_context context = *state; krb5_data req = string2data("I'm a test request"); - uint32_t req_hash = 0x000011BE; e = insert_entry(context, &req, NULL, 0); discard_entry(context, e); - assert_null(K5_LIST_FIRST(&hash_table[req_hash])); - assert_int_equal(num_entries, 0); - assert_int_equal(total_size, 0); -} - -static void -test_discard_entry_hash_collision(void **state) -{ - struct entry *e1, *e2, *e_tmp; - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - krb5_data rep2 = string2data("I'm a test response"); - - e1 = insert_entry(context, &req1, &rep1, 0); - e2 = insert_entry(context, &req2, &rep2, 0); - - discard_entry(context, e1); - - K5_LIST_FOREACH(e_tmp, &hash_table[hc_hash], bucket_links) - assert_ptr_not_equal(e_tmp, e1); - - assert_ptr_equal(K5_LIST_FIRST(&hash_table[hc_hash]), e2); - assert_int_equal(num_entries, 1); - assert_int_equal(total_size, entry_size(&req2, &rep2)); - - discard_entry(context, e2); - - assert_null(K5_LIST_FIRST(&hash_table[hc_hash])); + assert_null(k5_hashtab_get(hash_table, req.data, req.length)); assert_int_equal(num_entries, 0); assert_int_equal(total_size, 0); } /* - * find_entry tests - */ - -static void -test_find_entry(void **state) -{ - struct entry *e, *result; - krb5_context context = *state; - krb5_data req = string2data("I'm a test request"); - krb5_data rep = string2data("I'm a test response"); - - e = insert_entry(context, &req, &rep, 0); - - result = find_entry(&req); - assert_ptr_equal(result, e); -} - -static void -test_find_entry_multiple(void **state) -{ - struct entry *e1, *e2, *result; - krb5_context context = *state; - krb5_data req1 = string2data("I'm a test request"); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = string2data("I'm a different test request"); - - e1 = insert_entry(context, &req1, &rep1, 0); - e2 = insert_entry(context, &req2, NULL, 0); - - result = find_entry(&req1); - assert_ptr_equal(result, e1); - - result = find_entry(&req2); - assert_ptr_equal(result, e2); -} - -static void -test_find_entry_hash_collision(void **state) -{ - struct entry *e1, *e2, *result; - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - krb5_data rep2 = string2data("I'm a test response"); - - e1 = insert_entry(context, &req1, &rep1, 0); - e2 = insert_entry(context, &req2, &rep2, 0); - - result = find_entry(&req1); - assert_ptr_equal(result, e1); - - result = find_entry(&req2); - assert_ptr_equal(result, e2); -} - -/* * kdc_remove_lookaside tests */ @@ -504,12 +259,11 @@ test_kdc_remove_lookaside(void **state) krb5_context context = *state; krb5_data req = string2data("I'm a test request"); krb5_data rep = string2data("I'm a test response"); - uint32_t req_hash = 0x000011BE; insert_entry(context, &req, &rep, 0); kdc_remove_lookaside(context, &req); - assert_null(K5_LIST_FIRST(&hash_table[req_hash])); + assert_null(k5_hashtab_get(hash_table, req.data, req.length)); assert_int_equal(num_entries, 0); assert_int_equal(total_size, 0); } @@ -534,13 +288,12 @@ test_kdc_remove_lookaside_unknown(void **state) krb5_context context = *state; krb5_data req1 = string2data("I'm a test request"); krb5_data rep1 = string2data("I'm a test response"); - uint32_t req_hash1 = 0x000011BE; krb5_data req2 = string2data("I'm a different test request"); e = insert_entry(context, &req1, &rep1, 0); kdc_remove_lookaside(context, &req2); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash1]), e); + assert_ptr_equal(k5_hashtab_get(hash_table, req1.data, req1.length), e); assert_int_equal(num_entries, 1); assert_int_equal(total_size, entry_size(&req1, &rep1)); } @@ -552,51 +305,21 @@ test_kdc_remove_lookaside_multiple(void **state) krb5_context context = *state; krb5_data req1 = string2data("I'm a test request"); krb5_data rep1 = string2data("I'm a test response"); - uint32_t req_hash1 = 0x000011BE; krb5_data req2 = string2data("I'm a different test request"); - uint32_t req_hash2 = 0x00003597; e1 = insert_entry(context, &req1, &rep1, 0); insert_entry(context, &req2, NULL, 0); kdc_remove_lookaside(context, &req2); - assert_null(K5_LIST_FIRST(&hash_table[req_hash2])); - assert_ptr_equal(K5_LIST_FIRST(&hash_table[req_hash1]), e1); + assert_null(k5_hashtab_get(hash_table, req2.data, req2.length)); + assert_ptr_equal(k5_hashtab_get(hash_table, req1.data, req1.length), e1); assert_int_equal(num_entries, 1); assert_int_equal(total_size, entry_size(&req1, &rep1)); kdc_remove_lookaside(context, &req1); - assert_null(K5_LIST_FIRST(&hash_table[req_hash1])); - assert_int_equal(num_entries, 0); - assert_int_equal(total_size, 0); -} - -static void -test_kdc_remove_lookaside_hash_collision(void **state) -{ - struct entry *e1, *e2, *e_tmp; - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - - e1 = insert_entry(context, &req1, &rep1, 0); - e2 = insert_entry(context, &req2, NULL, 0); - - kdc_remove_lookaside(context, &req1); - - K5_LIST_FOREACH(e_tmp, &hash_table[hc_hash], bucket_links) - assert_ptr_not_equal(e_tmp, e1); - - assert_ptr_equal(K5_LIST_FIRST(&hash_table[hc_hash]), e2); - assert_int_equal(num_entries, 1); - assert_int_equal(total_size, entry_size(&req2, NULL)); - - kdc_remove_lookaside(context, &req2); - - assert_null(K5_LIST_FIRST(&hash_table[hc_hash])); + assert_null(k5_hashtab_get(hash_table, req1.data, req1.length)); assert_int_equal(num_entries, 0); assert_int_equal(total_size, 0); } @@ -623,6 +346,8 @@ test_kdc_check_lookaside_hit(void **state) assert_true(data_eq(rep, *result_data)); assert_int_equal(hits, 1); assert_int_equal(e->num_hits, 1); + + krb5_free_data(context, result_data); } static void @@ -700,38 +425,7 @@ test_kdc_check_lookaside_hit_multiple(void **state) assert_int_equal(e1->num_hits, 1); assert_int_equal(e2->num_hits, 0); - /* Set result_data so we can verify that it is reset to NULL. */ - result_data = &req1; - result = kdc_check_lookaside(context, &req2, &result_data); - - assert_true(result); - assert_null(result_data); - assert_int_equal(hits, 2); - assert_int_equal(e1->num_hits, 1); - assert_int_equal(e2->num_hits, 1); -} - -static void -test_kdc_check_lookaside_hit_hash_collision(void **state) -{ - struct entry *e1, *e2; - krb5_boolean result; - krb5_data *result_data; - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - - e1 = insert_entry(context, &req1, &rep1, 0); - e2 = insert_entry(context, &req2, NULL, 0); - - result = kdc_check_lookaside(context, &req1, &result_data); - - assert_true(result); - assert_true(data_eq(rep1, *result_data)); - assert_int_equal(hits, 1); - assert_int_equal(e1->num_hits, 1); - assert_int_equal(e2->num_hits, 0); + krb5_free_data(context, result_data); /* Set result_data so we can verify that it is reset to NULL. */ result_data = &req1; @@ -754,13 +448,12 @@ test_kdc_insert_lookaside_single(void **state) krb5_context context = *state; krb5_data req = string2data("I'm a test request"); krb5_data rep = string2data("I'm a test response"); - uint32_t req_hash = 0x000011BE; struct entry *hash_ent, *exp_ent; time_return(0, 0); kdc_insert_lookaside(context, &req, &rep); - hash_ent = K5_LIST_FIRST(&hash_table[req_hash]); + hash_ent = k5_hashtab_get(hash_table, req.data, req.length); assert_non_null(hash_ent); assert_true(data_eq(hash_ent->req_packet, req)); assert_true(data_eq(hash_ent->reply_packet, rep)); @@ -776,13 +469,12 @@ test_kdc_insert_lookaside_no_reply(void **state) { krb5_context context = *state; krb5_data req = string2data("I'm a test request"); - uint32_t req_hash = 0x000011BE; struct entry *hash_ent, *exp_ent; time_return(0, 0); kdc_insert_lookaside(context, &req, NULL); - hash_ent = K5_LIST_FIRST(&hash_table[req_hash]); + hash_ent = k5_hashtab_get(hash_table, req.data, req.length); assert_non_null(hash_ent); assert_true(data_eq(hash_ent->req_packet, req)); assert_int_equal(hash_ent->reply_packet.length, 0); @@ -799,17 +491,15 @@ test_kdc_insert_lookaside_multiple(void **state) krb5_context context = *state; krb5_data req1 = string2data("I'm a test request"); krb5_data rep1 = string2data("I'm a test response"); - uint32_t req_hash1 = 0x000011BE; size_t e1_size = entry_size(&req1, &rep1); krb5_data req2 = string2data("I'm a different test request"); - uint32_t req_hash2 = 0x00003597; size_t e2_size = entry_size(&req2, NULL); struct entry *hash1_ent, *hash2_ent, *exp_first, *exp_last; time_return(0, 0); kdc_insert_lookaside(context, &req1, &rep1); - hash1_ent = K5_LIST_FIRST(&hash_table[req_hash1]); + hash1_ent = k5_hashtab_get(hash_table, req1.data, req1.length); assert_non_null(hash1_ent); assert_true(data_eq(hash1_ent->req_packet, req1)); assert_true(data_eq(hash1_ent->reply_packet, rep1)); @@ -822,7 +512,7 @@ test_kdc_insert_lookaside_multiple(void **state) time_return(0, 0); kdc_insert_lookaside(context, &req2, NULL); - hash2_ent = K5_LIST_FIRST(&hash_table[req_hash2]); + hash2_ent = k5_hashtab_get(hash_table, req2.data, req2.length); assert_non_null(hash2_ent); assert_true(data_eq(hash2_ent->req_packet, req2)); assert_int_equal(hash2_ent->reply_packet.length, 0); @@ -834,61 +524,21 @@ test_kdc_insert_lookaside_multiple(void **state) } static void -test_kdc_insert_lookaside_hash_collision(void **state) -{ - krb5_context context = *state; - krb5_data req1 = make_data(hc_data1, sizeof(hc_data1)); - krb5_data rep1 = string2data("I'm a test response"); - size_t e1_size = entry_size(&req1, &rep1); - krb5_data req2 = make_data(hc_data2, sizeof(hc_data2)); - size_t e2_size = entry_size(&req2, NULL); - struct entry *hash_ent, *exp_first, *exp_last; - - time_return(0, 0); - kdc_insert_lookaside(context, &req1, &rep1); - - hash_ent = K5_LIST_FIRST(&hash_table[hc_hash]); - assert_non_null(hash_ent); - assert_true(data_eq(hash_ent->req_packet, req1)); - assert_true(data_eq(hash_ent->reply_packet, rep1)); - exp_first = K5_TAILQ_FIRST(&expiration_queue); - assert_true(data_eq(exp_first->req_packet, req1)); - assert_true(data_eq(exp_first->reply_packet, rep1)); - assert_int_equal(num_entries, 1); - assert_int_equal(total_size, e1_size); - - time_return(0, 0); - kdc_insert_lookaside(context, &req2, NULL); - - hash_ent = K5_LIST_FIRST(&hash_table[hc_hash]); - assert_non_null(hash_ent); - assert_true(data_eq(hash_ent->req_packet, req2)); - assert_int_equal(hash_ent->reply_packet.length, 0); - exp_last = K5_TAILQ_LAST(&expiration_queue, entry_queue); - assert_true(data_eq(exp_last->req_packet, req2)); - assert_int_equal(exp_last->reply_packet.length, 0); - assert_int_equal(num_entries, 2); - assert_int_equal(total_size, e1_size + e2_size); -} - -static void test_kdc_insert_lookaside_cache_expire(void **state) { struct entry *e; krb5_context context = *state; krb5_data req1 = string2data("I'm a test request"); krb5_data rep1 = string2data("I'm a test response"); - uint32_t req_hash1 = 0x000011BE; size_t e1_size = entry_size(&req1, &rep1); krb5_data req2 = string2data("I'm a different test request"); - uint32_t req_hash2 = 0x00003597; size_t e2_size = entry_size(&req2, NULL); struct entry *hash1_ent, *hash2_ent, *exp_ent; time_return(0, 0); kdc_insert_lookaside(context, &req1, &rep1); - hash1_ent = K5_LIST_FIRST(&hash_table[req_hash1]); + hash1_ent = k5_hashtab_get(hash_table, req1.data, req1.length); assert_non_null(hash1_ent); assert_true(data_eq(hash1_ent->req_packet, req1)); assert_true(data_eq(hash1_ent->reply_packet, rep1)); @@ -899,17 +549,17 @@ test_kdc_insert_lookaside_cache_expire(void **state) assert_int_equal(total_size, e1_size); /* Increase hits on entry */ - e = find_entry(&req1); + e = k5_hashtab_get(hash_table, req1.data, req1.length); assert_non_null(e); e->num_hits = 5; - time_return(STALE_TIME, 0); + time_return(STALE_TIME + 1, 0); kdc_insert_lookaside(context, &req2, NULL); - assert_null(K5_LIST_FIRST(&hash_table[req_hash1])); + assert_null(k5_hashtab_get(hash_table, req1.data, req1.length)); assert_int_equal(max_hits_per_entry, 5); - hash2_ent = K5_LIST_FIRST(&hash_table[req_hash2]); + hash2_ent = k5_hashtab_get(hash_table, req2.data, req2.length); assert_non_null(hash2_ent); assert_true(data_eq(hash2_ent->req_packet, req2)); assert_int_equal(hash2_ent-> reply_packet.length, 0); @@ -925,19 +575,6 @@ int main() int ret; const struct CMUnitTest replay_tests[] = { - /* rotl32 tests */ - cmocka_unit_test(test_rotl32_rand_1bit), - cmocka_unit_test(test_rotl32_rand_2bit), - cmocka_unit_test(test_rotl32_rand_3bit), - cmocka_unit_test(test_rotl32_one), - cmocka_unit_test(test_rotl32_zero), - cmocka_unit_test(test_rotl32_full), - /* murmurhash3 tests */ - replay_unit_test(test_murmurhash3_string), - replay_unit_test(test_murmurhash3_single_byte_changed), - replay_unit_test(test_murmurhash3_string2), - replay_unit_test(test_murmurhash3_byte), - replay_unit_test(test_murmurhash3_zero), /* entry_size tests */ replay_unit_test(test_entry_size_no_response), replay_unit_test(test_entry_size_w_response), @@ -945,33 +582,24 @@ int main() replay_unit_test(test_insert_entry), replay_unit_test(test_insert_entry_no_response), replay_unit_test(test_insert_entry_multiple), - replay_unit_test(test_insert_entry_hash_collision), /* discard_entry tests */ replay_unit_test(test_discard_entry), replay_unit_test(test_discard_entry_no_response), - replay_unit_test(test_discard_entry_hash_collision), - /* find_entry tests */ - replay_unit_test(test_find_entry), - replay_unit_test(test_find_entry_multiple), - replay_unit_test(test_find_entry_hash_collision), /* kdc_remove_lookaside tests */ replay_unit_test(test_kdc_remove_lookaside), replay_unit_test(test_kdc_remove_lookaside_empty_cache), replay_unit_test(test_kdc_remove_lookaside_unknown), replay_unit_test(test_kdc_remove_lookaside_multiple), - replay_unit_test(test_kdc_remove_lookaside_hash_collision), /* kdc_check_lookaside tests */ replay_unit_test(test_kdc_check_lookaside_hit), replay_unit_test(test_kdc_check_lookaside_no_hit), replay_unit_test(test_kdc_check_lookaside_empty), replay_unit_test(test_kdc_check_lookaside_no_response), replay_unit_test(test_kdc_check_lookaside_hit_multiple), - replay_unit_test(test_kdc_check_lookaside_hit_hash_collision), /* kdc_insert_lookaside tests */ replay_unit_test(test_kdc_insert_lookaside_single), replay_unit_test(test_kdc_insert_lookaside_no_reply), replay_unit_test(test_kdc_insert_lookaside_multiple), - replay_unit_test(test_kdc_insert_lookaside_hash_collision), replay_unit_test(test_kdc_insert_lookaside_cache_expire) }; diff --git a/src/kdc/t_workers.py b/src/kdc/t_workers.py index 6dd4f68..8de3f34 100755 --- a/src/kdc/t_workers.py +++ b/src/kdc/t_workers.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(start_kdc=False, create_host=False) diff --git a/src/kdc/tgs_policy.c b/src/kdc/tgs_policy.c index a30cacc..907fcd3 100644 --- a/src/kdc/tgs_policy.c +++ b/src/kdc/tgs_policy.c @@ -146,7 +146,8 @@ check_tgs_svc_deny_all(krb5_kdc_req *req, krb5_db_entry server, *status = "SERVER LOCKED OUT"; return KDC_ERR_S_PRINCIPAL_UNKNOWN; } - if (server.attributes & KRB5_KDB_DISALLOW_SVR) { + if ((server.attributes & KRB5_KDB_DISALLOW_SVR) && + !(req->kdc_options & KDC_OPT_ENC_TKT_IN_SKEY)) { *status = "SERVER NOT ALLOWED"; return KDC_ERR_MUST_USE_USER2USER; } @@ -186,7 +187,7 @@ static int check_tgs_svc_time(krb5_kdc_req *req, krb5_db_entry server, krb5_ticket *tkt, krb5_timestamp kdc_time, const char **status) { - if (server.expiration && server.expiration < kdc_time) { + if (server.expiration && ts_after(kdc_time, server.expiration)) { *status = "SERVICE EXPIRED"; return KDC_ERR_SERVICE_EXP; } @@ -222,7 +223,7 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times, KDC time. */ if (req->kdc_options & KDC_OPT_VALIDATE) { starttime = times->starttime ? times->starttime : times->authtime; - if (starttime > kdc_time) { + if (ts_after(starttime, kdc_time)) { *status = "NOT_YET_VALID"; return KRB_AP_ERR_TKT_NYV; } @@ -231,7 +232,8 @@ check_tgs_times(krb5_kdc_req *req, krb5_ticket_times *times, * Check the renew_till time. The endtime was already * been checked in the initial authentication check. */ - if ((req->kdc_options & KDC_OPT_RENEW) && times->renew_till < kdc_time) { + if ((req->kdc_options & KDC_OPT_RENEW) && + ts_after(kdc_time, times->renew_till)) { *status = "TKT_EXPIRED"; return KRB_AP_ERR_TKT_EXPIRED; } @@ -319,7 +321,7 @@ check_tgs_tgt(kdc_realm_t *kdc_active_realm, krb5_kdc_req *req, int validate_tgs_request(kdc_realm_t *kdc_active_realm, - register krb5_kdc_req *request, krb5_db_entry server, + krb5_kdc_req *request, krb5_db_entry server, krb5_ticket *ticket, krb5_timestamp kdc_time, const char **status, krb5_pa_data ***e_data) { @@ -374,11 +376,5 @@ validate_tgs_request(kdc_realm_t *kdc_active_realm, if (ret && ret != KRB5_PLUGIN_OP_NOTSUPP) return errcode_to_protocol(ret); - /* Check local policy. */ - errcode = against_local_policy_tgs(request, server, ticket, - status, e_data); - if (errcode) - return errcode; - return 0; } diff --git a/src/kprop/Makefile.in b/src/kprop/Makefile.in new file mode 100644 index 0000000..412d72a --- /dev/null +++ b/src/kprop/Makefile.in @@ -0,0 +1,35 @@ +mydir=kprop +BUILDTOP=$(REL).. + +all: kprop kpropd kproplog + +CLIENTSRCS= $(srcdir)/kprop.c $(srcdir)/kprop_util.c +CLIENTOBJS= kprop.o kprop_util.o + +SERVERSRCS= $(srcdir)/kpropd.c $(srcdir)/kpropd_rpc.c $(srcdir)/kprop_util.c +SERVEROBJS= kpropd.o kpropd_rpc.o kprop_util.o + +LOGSRCS= $(srcdir)/kproplog.c +LOGOBJS= kproplog.o + +SRCS= $(CLIENTSRCS) $(SERVERSRCS) $(LOGSRCS) + + +kprop: $(CLIENTOBJS) $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o kprop $(CLIENTOBJS) $(KRB5_BASE_LIBS) @LIBUTIL@ + +kpropd: $(SERVEROBJS) $(KDB5_DEPLIB) $(KADMCLNT_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) + $(CC_LINK) -o kpropd $(SERVEROBJS) $(KDB5_LIB) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) @LIBUTIL@ + +kproplog: $(LOGOBJS) + $(CC_LINK) -o kproplog $(LOGOBJS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) + +install: + for f in kprop kpropd kproplog; do \ + $(INSTALL_PROGRAM) $$f \ + $(DESTDIR)$(SERVER_BINDIR)/`echo $$f|sed '$(transform)'`; \ + done + +clean: + $(RM) $(CLIENTOBJS) $(SERVEROBJS) $(LOGOBJS) + $(RM) kprop kpropd kproplog diff --git a/src/kprop/deps b/src/kprop/deps new file mode 100644 index 0000000..c0f558e --- /dev/null +++ b/src/kprop/deps @@ -0,0 +1,74 @@ +# +# Generated makefile dependencies follow. +# +$(OUTPRE)kprop.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kprop.c kprop.h +$(OUTPRE)kprop_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h kprop.h kprop_util.c +$(OUTPRE)kpropd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \ + $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ + $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ + $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ + $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ + $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ + $(top_srcdir)/include/iprop.h $(top_srcdir)/include/iprop_hdr.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kprop.h kpropd.c +$(OUTPRE)kpropd_rpc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssrpc/types.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ + kpropd_rpc.c +$(OUTPRE)kproplog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ + $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kproplog.c diff --git a/src/kprop/kprop.c b/src/kprop/kprop.c new file mode 100644 index 0000000..b7fb637 --- /dev/null +++ b/src/kprop/kprop.c @@ -0,0 +1,597 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kprop/kprop.c */ +/* + * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "com_err.h" +#include "fake-addrinfo.h" +#include "kprop.h" + +#ifndef GETSOCKNAME_ARG3_TYPE +#define GETSOCKNAME_ARG3_TYPE unsigned int +#endif + +static char *kprop_version = KPROP_PROT_VERSION; + +static char *progname = NULL; +static int debug = 0; +static char *srvtab = NULL; +static char *replica_host; +static char *realm = NULL; +static char *def_realm = NULL; +static char *file = KPROP_DEFAULT_FILE; + +/* The Kerberos principal we'll be sending as, initialized in get_tickets. */ +static krb5_principal my_principal; + +static krb5_creds creds; +static krb5_address *sender_addr; +static krb5_address *receiver_addr; +static const char *port = KPROP_SERVICE; +static char *dbpathname; + +static void parse_args(krb5_context context, int argc, char **argv); +static void get_tickets(krb5_context context); +static void usage(void); +static void open_connection(krb5_context context, char *host, int *fd_out); +static void kerberos_authenticate(krb5_context context, + krb5_auth_context *auth_context, int fd, + krb5_principal me, krb5_creds **new_creds); +static int open_database(krb5_context context, char *data_fn, int *size); +static void close_database(krb5_context context, int fd); +static void xmit_database(krb5_context context, + krb5_auth_context auth_context, krb5_creds *my_creds, + int fd, int database_fd, int in_database_size); +static void send_error(krb5_context context, krb5_creds *my_creds, int fd, + char *err_text, krb5_error_code err_code); +static void update_last_prop_file(char *hostname, char *file_name); + +static void usage() +{ + fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] " + "[-s srvtab] replica_host\n\n"), progname); + exit(1); +} + +int +main(int argc, char **argv) +{ + int fd, database_fd, database_size; + krb5_error_code retval; + krb5_context context; + krb5_creds *my_creds; + krb5_auth_context auth_context; + + setlocale(LC_ALL, ""); + retval = krb5_init_context(&context); + if (retval) { + com_err(argv[0], retval, _("while initializing krb5")); + exit(1); + } + parse_args(context, argc, argv); + get_tickets(context); + + database_fd = open_database(context, file, &database_size); + open_connection(context, replica_host, &fd); + kerberos_authenticate(context, &auth_context, fd, my_principal, &my_creds); + xmit_database(context, auth_context, my_creds, fd, database_fd, + database_size); + update_last_prop_file(replica_host, file); + printf(_("Database propagation to %s: SUCCEEDED\n"), replica_host); + krb5_free_cred_contents(context, my_creds); + close_database(context, database_fd); + krb5_free_default_realm(context, def_realm); + exit(0); +} + +static void +parse_args(krb5_context context, int argc, char **argv) +{ + int c; + krb5_error_code ret; + + progname = argv[0]; + while ((c = getopt(argc, argv, "r:f:dP:s:")) != -1) { + switch (c) { + case 'r': + realm = optarg; + break; + case 'f': + file = optarg; + break; + case 'd': + debug++; + break; + case 'P': + port = optarg; + break; + case 's': + srvtab = optarg; + break; + default: + usage(); + } + } + if (argc - optind != 1) + usage(); + replica_host = argv[optind]; + + if (realm == NULL) { + ret = krb5_get_default_realm(context, &def_realm); + if (ret) { + com_err(progname, errno, _("while getting default realm")); + exit(1); + } + realm = def_realm; + } +} + +static void +get_tickets(krb5_context context) +{ + char *server; + krb5_error_code retval; + krb5_keytab keytab = NULL; + krb5_principal server_princ = NULL; + + /* Figure out what tickets we'll be using to send. */ + retval = sn2princ_realm(context, NULL, KPROP_SERVICE_NAME, realm, + &my_principal); + if (retval) { + com_err(progname, errno, _("while setting client principal name")); + exit(1); + } + + /* Construct the principal name for the replica host. */ + memset(&creds, 0, sizeof(creds)); + retval = sn2princ_realm(context, replica_host, KPROP_SERVICE_NAME, realm, + &server_princ); + if (retval) { + com_err(progname, errno, _("while setting server principal name")); + exit(1); + } + retval = krb5_unparse_name_flags(context, server_princ, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server); + if (retval) { + com_err(progname, retval, _("while unparsing server name")); + exit(1); + } + + if (srvtab != NULL) { + retval = krb5_kt_resolve(context, srvtab, &keytab); + if (retval) { + com_err(progname, retval, _("while resolving keytab")); + exit(1); + } + } + + retval = krb5_get_init_creds_keytab(context, &creds, my_principal, keytab, + 0, server, NULL); + if (retval) { + com_err(progname, retval, _("while getting initial credentials\n")); + exit(1); + } + + if (keytab != NULL) + krb5_kt_close(context, keytab); + krb5_free_unparsed_name(context, server); + krb5_free_principal(context, server_princ); +} + +static void +open_connection(krb5_context context, char *host, int *fd_out) +{ + krb5_error_code retval; + GETSOCKNAME_ARG3_TYPE socket_length; + struct addrinfo hints, *res, *answers; + struct sockaddr *sa; + struct sockaddr_storage my_sin; + int s, error; + + *fd_out = -1; + memset(&hints, 0, sizeof(hints)); + hints.ai_family = PF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_ADDRCONFIG; + error = getaddrinfo(host, port, &hints, &answers); + if (error != 0) { + com_err(progname, 0, "%s: %s", host, gai_strerror(error)); + exit(1); + } + + s = -1; + retval = EINVAL; + for (res = answers; res != NULL; res = res->ai_next) { + s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (s < 0) { + com_err(progname, errno, _("while creating socket")); + exit(1); + } + + if (connect(s, res->ai_addr, res->ai_addrlen) < 0) { + retval = errno; + close(s); + s = -1; + continue; + } + + /* We successfully connect()ed */ + *fd_out = s; + retval = sockaddr2krbaddr(context, res->ai_family, res->ai_addr, + &receiver_addr); + if (retval != 0) { + com_err(progname, retval, _("while converting server address")); + exit(1); + } + + break; + } + + freeaddrinfo(answers); + + if (s == -1) { + com_err(progname, retval, _("while connecting to server")); + exit(1); + } + + /* Set sender_addr. */ + socket_length = sizeof(my_sin); + if (getsockname(s, (struct sockaddr *)&my_sin, &socket_length) < 0) { + com_err(progname, errno, _("while getting local socket address")); + exit(1); + } + sa = (struct sockaddr *)&my_sin; + if (sockaddr2krbaddr(context, sa->sa_family, sa, &sender_addr) != 0) { + com_err(progname, errno, _("while converting local address")); + exit(1); + } +} + +static void +kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context, + int fd, krb5_principal me, krb5_creds **new_creds) +{ + krb5_error_code retval; + krb5_error *error = NULL; + krb5_ap_rep_enc_part *rep_result; + + retval = krb5_auth_con_init(context, auth_context); + if (retval) + exit(1); + + krb5_auth_con_setflags(context, *auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + + retval = krb5_auth_con_setaddrs(context, *auth_context, sender_addr, + receiver_addr); + if (retval) { + com_err(progname, retval, _("in krb5_auth_con_setaddrs")); + exit(1); + } + + retval = krb5_sendauth(context, auth_context, &fd, kprop_version, + me, creds.server, AP_OPTS_MUTUAL_REQUIRED, NULL, + &creds, NULL, &error, &rep_result, new_creds); + if (retval) { + com_err(progname, retval, _("while authenticating to server")); + if (error != NULL) { + if (error->error == KRB_ERR_GENERIC) { + if (error->text.data) { + fprintf(stderr, _("Generic remote error: %s\n"), + error->text.data); + } + } else if (error->error) { + com_err(progname, + (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, + _("signalled from server")); + if (error->text.data) { + fprintf(stderr, _("Error text from server: %s\n"), + error->text.data); + } + } + krb5_free_error(context, error); + } + exit(1); + } + krb5_free_ap_rep_enc_part(context, rep_result); +} + +/* + * Open the Kerberos database dump file. Takes care of locking it + * and making sure that the .ok file is more recent that the database + * dump file itself. + * + * Returns the file descriptor of the database dump file. Also fills + * in the size of the database file. + */ +static int +open_database(krb5_context context, char *data_fn, int *size) +{ + struct stat stbuf, stbuf_ok; + char *data_ok_fn; + int fd, err; + + dbpathname = strdup(data_fn); + if (dbpathname == NULL) { + com_err(progname, ENOMEM, _("allocating database file name '%s'"), + data_fn); + exit(1); + } + fd = open(dbpathname, O_RDONLY); + if (fd < 0) { + com_err(progname, errno, _("while trying to open %s"), dbpathname); + exit(1); + } + + err = krb5_lock_file(context, fd, + KRB5_LOCKMODE_SHARED | KRB5_LOCKMODE_DONTBLOCK); + if (err == EAGAIN || err == EWOULDBLOCK || errno == EACCES) { + com_err(progname, 0, _("database locked")); + exit(1); + } else if (err) { + com_err(progname, err, _("while trying to lock '%s'"), dbpathname); + exit(1); + } + if (fstat(fd, &stbuf)) { + com_err(progname, errno, _("while trying to stat %s"), data_fn); + exit(1); + } + if (asprintf(&data_ok_fn, "%s.dump_ok", data_fn) < 0) { + com_err(progname, ENOMEM, _("while trying to malloc data_ok_fn")); + exit(1); + } + if (stat(data_ok_fn, &stbuf_ok)) { + com_err(progname, errno, _("while trying to stat %s"), data_ok_fn); + free(data_ok_fn); + exit(1); + } + if (stbuf.st_mtime > stbuf_ok.st_mtime) { + com_err(progname, 0, _("'%s' more recent than '%s'."), data_fn, + data_ok_fn); + exit(1); + } + free(data_ok_fn); + *size = stbuf.st_size; + return fd; +} + +static void +close_database(krb5_context context, int fd) +{ + int err; + + err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK); + if (err) + com_err(progname, err, _("while unlocking database '%s'"), dbpathname); + free(dbpathname); + close(fd); +} + +/* + * Now we send over the database. We use the following protocol: + * Send over a KRB_SAFE message with the size. Then we send over the + * database in blocks of KPROP_BLKSIZE, encrypted using KRB_PRIV. + * Then we expect to see a KRB_SAFE message with the size sent back. + * + * At any point in the protocol, we may send a KRB_ERROR message; this + * will abort the entire operation. + */ +static void +xmit_database(krb5_context context, krb5_auth_context auth_context, + krb5_creds *my_creds, int fd, int database_fd, + int in_database_size) +{ + krb5_int32 n; + krb5_data inbuf, outbuf; + char buf[KPROP_BUFSIZ]; + krb5_error_code retval; + krb5_error *error; + krb5_ui_4 database_size = in_database_size, send_size, sent_size; + + /* Send over the size. */ + send_size = htonl(database_size); + inbuf.data = (char *)&send_size; + inbuf.length = sizeof(send_size); /* must be 4, really */ + /* KPROP_CKSUMTYPE */ + retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { + com_err(progname, retval, _("while encoding database size")); + send_error(context, my_creds, fd, _("while encoding database size"), + retval); + exit(1); + } + + retval = krb5_write_message(context, &fd, &outbuf); + if (retval) { + krb5_free_data_contents(context, &outbuf); + com_err(progname, retval, _("while sending database size")); + exit(1); + } + krb5_free_data_contents(context, &outbuf); + + /* Initialize the initial vector. */ + retval = krb5_auth_con_initivector(context, auth_context); + if (retval) { + send_error(context, my_creds, fd, + "failed while initializing i_vector", retval); + com_err(progname, retval, _("while allocating i_vector")); + exit(1); + } + + /* Send over the file, block by block. */ + inbuf.data = buf; + sent_size = 0; + while ((n = read(database_fd, buf, sizeof(buf)))) { + inbuf.length = n; + retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { + snprintf(buf, sizeof(buf), + "while encoding database block starting at %d", + sent_size); + com_err(progname, retval, "%s", buf); + send_error(context, my_creds, fd, buf, retval); + exit(1); + } + + retval = krb5_write_message(context, &fd, &outbuf); + if (retval) { + krb5_free_data_contents(context, &outbuf); + com_err(progname, retval, + _("while sending database block starting at %d"), + sent_size); + exit(1); + } + krb5_free_data_contents(context, &outbuf); + sent_size += n; + if (debug) + printf("%d bytes sent.\n", sent_size); + } + if (sent_size != database_size) { + com_err(progname, 0, _("Premature EOF found for database file!")); + send_error(context, my_creds, fd, + "Premature EOF found for database file!", + KRB5KRB_ERR_GENERIC); + exit(1); + } + + /* + * OK, we've sent the database; now let's wait for a success + * indication from the remote end. + */ + retval = krb5_read_message(context, &fd, &inbuf); + if (retval) { + com_err(progname, retval, _("while reading response from server")); + exit(1); + } + /* + * If we got an error response back from the server, display + * the error message + */ + if (krb5_is_krb_error(&inbuf)) { + retval = krb5_rd_error(context, &inbuf, &error); + if (retval) { + com_err(progname, retval, + _("while decoding error response from server")); + exit(1); + } + if (error->error == KRB_ERR_GENERIC) { + if (error->text.data) { + fprintf(stderr, _("Generic remote error: %s\n"), + error->text.data); + } + } else if (error->error) { + com_err(progname, + (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, + _("signalled from server")); + if (error->text.data) { + fprintf(stderr, _("Error text from server: %s\n"), + error->text.data); + } + } + krb5_free_error(context, error); + exit(1); + } + + retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL); + if (retval) { + com_err(progname, retval, + "while decoding final size packet from server"); + exit(1); + } + + memcpy(&send_size, outbuf.data, sizeof(send_size)); + send_size = ntohl(send_size); + if (send_size != database_size) { + com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"), + send_size, database_size); + exit(1); + } + free(inbuf.data); + free(outbuf.data); +} + +static void +send_error(krb5_context context, krb5_creds *my_creds, int fd, char *err_text, + krb5_error_code err_code) +{ + krb5_error error; + const char *text; + krb5_data outbuf; + + memset(&error, 0, sizeof(error)); + krb5_us_timeofday(context, &error.ctime, &error.cusec); + error.server = my_creds->server; + error.client = my_principal; + error.error = err_code - ERROR_TABLE_BASE_krb5; + if (error.error > 127) + error.error = KRB_ERR_GENERIC; + text = (err_text != NULL) ? err_text : error_message(err_code); + error.text.length = strlen(text) + 1; + error.text.data = strdup(text); + if (error.text.data) { + if (!krb5_mk_error(context, &error, &outbuf)) { + (void)krb5_write_message(context, &fd, &outbuf); + krb5_free_data_contents(context, &outbuf); + } + free(error.text.data); + } +} + +static void +update_last_prop_file(char *hostname, char *file_name) +{ + char *file_last_prop; + int fd; + static char last_prop[] = ".last_prop"; + + if (asprintf(&file_last_prop, "%s.%s%s", file_name, hostname, + last_prop) < 0) { + com_err(progname, ENOMEM, + _("while allocating filename for update_last_prop_file")); + return; + } + fd = THREEPARAMOPEN(file_last_prop, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd < 0) { + com_err(progname, errno, _("while creating 'last_prop' file, '%s'"), + file_last_prop); + free(file_last_prop); + return; + } + write(fd, "", 1); + free(file_last_prop); + close(fd); +} diff --git a/src/kprop/kprop.h b/src/kprop/kprop.h new file mode 100644 index 0000000..75331cc --- /dev/null +++ b/src/kprop/kprop.h @@ -0,0 +1,43 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kprop/kprop.h */ +/* + * Copyright 1990,1991 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#define KPROP_SERVICE_NAME "host" +#define TGT_SERVICE_NAME "krbtgt" +#define KPROP_SERVICE "krb5_prop" +#define KPROP_PORT 754 + +#define KPROP_PROT_VERSION "kprop5_01" + +#define KPROP_BUFSIZ 32768 + +/* pathnames are in osconf.h, included via k5-int.h */ + +int sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa, + krb5_address **dest); + +krb5_error_code +sn2princ_realm(krb5_context context, const char *hostname, const char *sname, + const char *realm, krb5_principal *princ_out); diff --git a/src/kprop/kprop_util.c b/src/kprop/kprop_util.c new file mode 100644 index 0000000..c32d174 --- /dev/null +++ b/src/kprop/kprop_util.c @@ -0,0 +1,98 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kprop/kprop_util.c */ +/* + * Copyright (C) 2010 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +/* sockaddr2krbaddr() utility function used by kprop and kpropd */ + +#include "k5-int.h" +#include "kprop.h" + +#include +#include + +/* + * Convert an IPv4 or IPv6 socket address to a newly allocated krb5_address. + * There is similar code elsewhere in the tree, so this should possibly become + * a libkrb5 API in the future. + */ +krb5_error_code +sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa, + krb5_address **dest) +{ + krb5_address addr; + + addr.magic = KV5M_ADDRESS; + if (family == AF_INET) { + struct sockaddr_in *sa4 = sa2sin(sa); + addr.addrtype = ADDRTYPE_INET; + addr.length = sizeof(sa4->sin_addr); + addr.contents = (krb5_octet *) &sa4->sin_addr; + } else if (family == AF_INET6) { + struct sockaddr_in6 *sa6 = sa2sin6(sa); + if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { + addr.addrtype = ADDRTYPE_INET; + addr.contents = (krb5_octet *) &sa6->sin6_addr + 12; + addr.length = 4; + } else { + addr.addrtype = ADDRTYPE_INET6; + addr.length = sizeof(sa6->sin6_addr); + addr.contents = (krb5_octet *) &sa6->sin6_addr; + } + } else + return KRB5_PROG_ATYPE_NOSUPP; + + return krb5_copy_addr(context, &addr, dest); +} + +/* Construct a host-based principal, similar to krb5_sname_to_principal() but + * with a specified realm. */ +krb5_error_code +sn2princ_realm(krb5_context context, const char *hostname, const char *sname, + const char *realm, krb5_principal *princ_out) +{ + krb5_error_code ret; + char *canonhost, localname[MAXHOSTNAMELEN]; + + *princ_out = NULL; + assert(sname != NULL && realm != NULL); + + /* If hostname is NULL, use the local hostname. */ + if (hostname == NULL) { + if (gethostname(localname, MAXHOSTNAMELEN) != 0) + return SOCKET_ERRNO; + hostname = localname; + } + + ret = krb5_expand_hostname(context, hostname, &canonhost); + if (ret) + return ret; + + ret = krb5_build_principal(context, princ_out, strlen(realm), realm, sname, + canonhost, (char *)NULL); + krb5_free_string(context, canonhost); + if (!ret) + (*princ_out)->type = KRB5_NT_SRV_HST; + return ret; +} diff --git a/src/kprop/kpropd.c b/src/kprop/kpropd.c new file mode 100644 index 0000000..68323dd --- /dev/null +++ b/src/kprop/kpropd.c @@ -0,0 +1,1609 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* kprop/kpropd.c */ +/* + * Copyright (C) 1998 by the FundsXpress, INC. + * + * All rights reserved. + * + * Export of this software from the United States of America may require + * a specific license from the United States Government. It is the + * responsibility of any person or organization contemplating export to + * obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of FundsXpress. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. FundsXpress makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED + * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. + */ + +/* + * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. + * All Rights Reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + + +#include "k5-int.h" +#include "com_err.h" +#include "fake-addrinfo.h" + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "kprop.h" +#include +#include "iprop.h" +#include +#include + +#ifndef GETSOCKNAME_ARG3_TYPE +#define GETSOCKNAME_ARG3_TYPE unsigned int +#endif +#ifndef GETPEERNAME_ARG3_TYPE +#define GETPEERNAME_ARG3_TYPE unsigned int +#endif + +#if defined(NEED_DAEMON_PROTO) +extern int daemon(int, int); +#endif + +#define SYSLOG_CLASS LOG_DAEMON + +int runonce = 0; + +/* + * This struct simulates the use of _kadm5_server_handle_t + * + * This is a COPY of kadm5_server_handle_t from + * lib/kadm5/clnt/client_internal.h! + */ +typedef struct _kadm5_iprop_handle_t { + krb5_ui_4 magic_number; + krb5_ui_4 struct_version; + krb5_ui_4 api_version; + char *cache_name; + int destroy_cache; + CLIENT *clnt; + krb5_context context; + kadm5_config_params params; + struct _kadm5_iprop_handle_t *lhandle; +} *kadm5_iprop_handle_t; + +static char *kprop_version = KPROP_PROT_VERSION; + +static kadm5_config_params params; + +static char *progname; +static int debug = 0; +static int nodaemon = 0; +static char *srvtab = NULL; +static int standalone = 0; +static const char *pid_file = NULL; + +static pid_t fullprop_child = (pid_t)-1; + +static krb5_principal server; /* This is our server principal name */ +static krb5_principal client; /* This is who we're talking to */ +static krb5_context kpropd_context; +static krb5_auth_context auth_context; +static char *realm = NULL; /* Our realm */ +static char *def_realm = NULL; /* Ref pointer for default realm */ +static char *file = KPROPD_DEFAULT_FILE; +static char *temp_file_name; +static char *kdb5_util = KPROPD_DEFAULT_KDB5_UTIL; +static char *kerb_database = NULL; +static char *acl_file_name = KPROPD_ACL_FILE; + +static krb5_address *sender_addr; +static krb5_address *receiver_addr; +static const char *port = KPROP_SERVICE; + +static char **db_args = NULL; +static int db_args_size = 0; + +static void parse_args(int argc, char **argv); +static void do_standalone(void); +static void doit(int fd); +static krb5_error_code do_iprop(void); +static void kerberos_authenticate(krb5_context context, int fd, + krb5_principal *clientp, krb5_enctype *etype, + struct sockaddr_storage *my_sin); +static krb5_boolean authorized_principal(krb5_context context, + krb5_principal p, + krb5_enctype auth_etype); +static void recv_database(krb5_context context, int fd, int database_fd, + krb5_data *confmsg); +static void load_database(krb5_context context, char *kdb_util, + char *database_file_name); +static void send_error(krb5_context context, int fd, krb5_error_code err_code, + char *err_text); +static void recv_error(krb5_context context, krb5_data *inbuf); +static unsigned int backoff_from_master(int *cnt); +static kadm5_ret_t kadm5_get_kiprop_host_srv_name(krb5_context context, + const char *realm_name, + char **host_service_name); + +static void +usage() +{ + fprintf(stderr, + _("\nUsage: %s [-r realm] [-s srvtab] [-dS] [-f replica_file]\n"), + progname); + fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n")); + fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n")); + fprintf(stderr, _("\t[-A admin_server] [--pid-file=pid_file]\n")); + exit(1); +} + +static krb5_error_code +write_pid_file(const char *path) +{ + FILE *fp; + unsigned long pid; + + fp = fopen(path, "w"); + if (fp == NULL) + return errno; + pid = (unsigned long)getpid(); + if (fprintf(fp, "%ld\n", pid) < 0 || fclose(fp) == EOF) + return errno; + return 0; +} + +typedef void (*sig_handler_fn)(int sig); + +static void +signal_wrapper(int sig, sig_handler_fn handler) +{ +#ifdef POSIX_SIGNALS + struct sigaction s_action; + + memset(&s_action, 0, sizeof(s_action)); + sigemptyset(&s_action.sa_mask); + s_action.sa_handler = handler; + sigaction(sig, &s_action, NULL); +#else + signal(sig, handler); +#endif +} + +static void +alarm_handler(int sig) +{ + static char *timeout_msg = "Full propagation timed out\n"; + + write(STDERR_FILENO, timeout_msg, strlen(timeout_msg)); + exit(1); +} + +static void +usr1_handler(int sig) +{ + /* Nothing to do, just let the signal interrupt sleep(). */ +} + +static void +kill_do_standalone(int sig) +{ + if (fullprop_child > 0) { + if (debug) { + fprintf(stderr, _("Killing fullprop child (%d)\n"), + (int)fullprop_child); + } + kill(fullprop_child, sig); + } + /* Make sure our exit status code reflects our having been signaled */ + signal_wrapper(sig, SIG_DFL); + kill(getpid(), sig); +} + +static void +atexit_kill_do_standalone(void) +{ + if (fullprop_child > 0) + kill(fullprop_child, SIGHUP); +} + +int +main(int argc, char **argv) +{ + krb5_error_code retval; + kdb_log_context *log_ctx; + int devnull, sock; + struct stat st; + + setlocale(LC_ALL, ""); + parse_args(argc, argv); + + if (fstat(0, &st) == -1) { + com_err(progname, errno, _("while checking if stdin is a socket")); + exit(1); + } + /* + * Detect whether we're running from inetd; if not then we're in + * standalone mode. + */ + standalone = !S_ISSOCK(st.st_mode); + + log_ctx = kpropd_context->kdblog_context; + + signal_wrapper(SIGPIPE, SIG_IGN); + + if (standalone) { + /* "ready" is a sentinel for the test framework. */ + if (!debug && !nodaemon) { + daemon(0, 0); + } else { + printf(_("ready\n")); + fflush(stdout); + } + if (pid_file != NULL) { + retval = write_pid_file(pid_file); + if (retval) { + syslog(LOG_ERR, _("Could not write pid file %s: %s"), + pid_file, strerror(errno)); + exit(1); + } + } + } else { + /* + * We're an inetd nowait service. Let's not risk anything + * read/write from/to the inetd socket unintentionally. + */ + devnull = open("/dev/null", O_RDWR); + if (devnull == -1) { + syslog(LOG_ERR, _("Could not open /dev/null: %s"), + strerror(errno)); + exit(1); + } + + sock = dup(0); + if (sock == -1) { + syslog(LOG_ERR, _("Could not dup the inetd socket: %s"), + strerror(errno)); + exit(1); + } + + dup2(devnull, STDIN_FILENO); + dup2(devnull, STDOUT_FILENO); + dup2(devnull, STDERR_FILENO); + close(devnull); + doit(sock); + exit(0); + } + + if (log_ctx == NULL || log_ctx->iproprole != IPROP_REPLICA) { + do_standalone(); + /* do_standalone() should never return */ + assert(0); + } + + /* + * This is the iprop case. We'll fork a child to run do_standalone(). The + * parent will run do_iprop(). We try to kill the child if we get killed. + * Catch SIGUSR1, which can be used to interrupt the sleep timer and force + * an iprop request. + */ + signal_wrapper(SIGHUP, kill_do_standalone); + signal_wrapper(SIGINT, kill_do_standalone); + signal_wrapper(SIGQUIT, kill_do_standalone); + signal_wrapper(SIGTERM, kill_do_standalone); + signal_wrapper(SIGSEGV, kill_do_standalone); + signal_wrapper(SIGUSR1, usr1_handler); + atexit(atexit_kill_do_standalone); + fullprop_child = fork(); + switch (fullprop_child) { + case -1: + com_err(progname, errno, _("do_iprop failed.\n")); + break; + case 0: + do_standalone(); + /* do_standalone() should never return */ + /* NOTREACHED */ + break; + default: + retval = do_iprop(); + /* do_iprop() can return due to failures and runonce. */ + kill(fullprop_child, SIGHUP); + wait(NULL); + if (retval) + com_err(progname, retval, _("do_iprop failed.\n")); + else + exit(0); + } + + exit(1); +} + +/* Use getaddrinfo to determine a wildcard listener address, preferring + * IPv6 if available. */ +static int +get_wildcard_addr(struct addrinfo **res) +{ + struct addrinfo hints; + int error; + + memset(&hints, 0, sizeof(hints)); + hints.ai_socktype = SOCK_STREAM; + hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; + hints.ai_family = AF_INET6; + error = getaddrinfo(NULL, port, &hints, res); + if (error == 0) + return 0; + hints.ai_family = AF_INET; + return getaddrinfo(NULL, port, &hints, res); +} + +static void +do_standalone() +{ + struct sockaddr_in frominet; + struct addrinfo *res; + GETPEERNAME_ARG3_TYPE fromlen; + int finet, s, ret, error, val, status; + pid_t child_pid; + pid_t wait_pid; + + error = get_wildcard_addr(&res); + if (error != 0) { + fprintf(stderr, _("getaddrinfo: %s\n"), gai_strerror(error)); + exit(1); + } + + finet = socket(res->ai_family, res->ai_socktype, res->ai_protocol); + if (finet < 0) { + com_err(progname, errno, _("while obtaining socket")); + exit(1); + } + + val = 1; + if (setsockopt(finet, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) + com_err(progname, errno, _("while setting SO_REUSEADDR option")); + +#if defined(IPV6_V6ONLY) + /* Make sure dual-stack support is enabled on IPv6 listener sockets if + * possible. */ + val = 0; + if (res->ai_family == AF_INET6 && + setsockopt(finet, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val)) < 0) + com_err(progname, errno, _("while unsetting IPV6_V6ONLY option")); +#endif + + ret = bind(finet, res->ai_addr, res->ai_addrlen); + if (ret < 0) { + com_err(progname, errno, _("while binding listener socket")); + exit(1); + } + if (listen(finet, 5) < 0) { + com_err(progname, errno, "in listen call"); + exit(1); + } + for (;;) { + memset(&frominet, 0, sizeof(frominet)); + fromlen = sizeof(frominet); + if (debug) + fprintf(stderr, _("waiting for a kprop connection\n")); + s = accept(finet, (struct sockaddr *) &frominet, &fromlen); + + if (s < 0) { + int e = errno; + if (e != EINTR) { + com_err(progname, e, _("while accepting connection")); + } + } + child_pid = fork(); + switch (child_pid) { + case -1: + com_err(progname, errno, _("while forking")); + exit(1); + case 0: + close(finet); + + doit(s); + close(s); + _exit(0); + default: + do { + wait_pid = waitpid(child_pid, &status, 0); + } while (wait_pid == -1 && errno == EINTR); + if (wait_pid == -1) { + /* Something bad happened; panic. */ + if (debug) { + fprintf(stderr, _("waitpid() failed to wait for doit() " + "(%d %s)\n"), errno, strerror(errno)); + } + com_err(progname, errno, + _("while waiting to receive database")); + exit(1); + } + if (debug) { + fprintf(stderr, _("Database load process for full propagation " + "completed.\n")); + } + + close(s); + + /* If we are the fullprop child in iprop mode, notify the parent + * process that it should poll for incremental updates. */ + if (fullprop_child == 0) + kill(getppid(), SIGUSR1); + else if (runonce) + exit(0); + } + } + exit(0); +} + +static void +doit(int fd) +{ + struct sockaddr_storage from; + int on = 1; + GETPEERNAME_ARG3_TYPE fromlen; + krb5_error_code retval; + krb5_data confmsg; + int lock_fd; + mode_t omask; + krb5_enctype etype; + int database_fd; + char host[INET6_ADDRSTRLEN + 1]; + + signal_wrapper(SIGALRM, alarm_handler); + alarm(params.iprop_resync_timeout); + fromlen = sizeof(from); + if (getpeername(fd, (struct sockaddr *)&from, &fromlen) < 0) { +#ifdef ENOTSOCK + if (errno == ENOTSOCK && fd == 0 && !standalone) { + fprintf(stderr, + _("%s: Standard input does not appear to be a network " + "socket.\n" + "\t(Not run from inetd, and missing the -S option?)\n"), + progname); + exit(1); + } +#endif + fprintf(stderr, "%s: ", progname); + perror("getpeername"); + exit(1); + } + if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0) { + com_err(progname, errno, + _("while attempting setsockopt (SO_KEEPALIVE)")); + } + + if (getnameinfo((const struct sockaddr *) &from, fromlen, + host, sizeof(host), NULL, 0, 0) == 0) { + syslog(LOG_INFO, _("Connection from %s"), host); + if (debug) + fprintf(stderr, "Connection from %s\n", host); + } + + /* + * Now do the authentication + */ + kerberos_authenticate(kpropd_context, fd, &client, &etype, &from); + + if (!authorized_principal(kpropd_context, client, etype)) { + char *name; + + retval = krb5_unparse_name(kpropd_context, client, &name); + if (retval) { + com_err(progname, retval, "While unparsing client name"); + exit(1); + } + if (debug) { + fprintf(stderr, + _("Rejected connection from unauthorized principal %s\n"), + name); + } + syslog(LOG_WARNING, + _("Rejected connection from unauthorized principal %s"), + name); + free(name); + exit(1); + } + omask = umask(077); + lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); + (void)umask(omask); + retval = krb5_lock_file(kpropd_context, lock_fd, + KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); + if (retval) { + com_err(progname, retval, _("while trying to lock '%s'"), + temp_file_name); + exit(1); + } + database_fd = open(temp_file_name, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (database_fd < 0) { + com_err(progname, errno, _("while opening database file, '%s'"), + temp_file_name); + exit(1); + } + recv_database(kpropd_context, fd, database_fd, &confmsg); + if (rename(temp_file_name, file)) { + com_err(progname, errno, _("while renaming %s to %s"), + temp_file_name, file); + exit(1); + } + retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_SHARED); + if (retval) { + com_err(progname, retval, _("while downgrading lock on '%s'"), + temp_file_name); + exit(1); + } + load_database(kpropd_context, kdb5_util, file); + retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_UNLOCK); + if (retval) { + com_err(progname, retval, _("while unlocking '%s'"), temp_file_name); + exit(1); + } + close(lock_fd); + + /* + * Send the acknowledgement message generated in + * recv_database, then close the socket. + */ + retval = krb5_write_message(kpropd_context, &fd, &confmsg); + if (retval) { + krb5_free_data_contents(kpropd_context, &confmsg); + com_err(progname, retval, _("while sending # of received bytes")); + exit(1); + } + krb5_free_data_contents(kpropd_context, &confmsg); + if (close(fd) < 0) { + com_err(progname, errno, + _("while trying to close database file")); + exit(1); + } + + exit(0); +} + +/* Default timeout can be changed using clnt_control() */ +static struct timeval full_resync_timeout = { 25, 0 }; + +static kdb_fullresync_result_t * +full_resync(CLIENT *clnt) +{ + static kdb_fullresync_result_t clnt_res; + uint32_t vers = IPROPX_VERSION_1; /* max version we support */ + enum clnt_stat status; + + memset(&clnt_res, 0, sizeof(clnt_res)); + + status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, + &vers, (xdrproc_t)xdr_kdb_fullresync_result_t, + &clnt_res, full_resync_timeout); + if (status == RPC_PROCUNAVAIL) { + status = clnt_call(clnt, IPROP_FULL_RESYNC, (xdrproc_t)xdr_void, + &vers, (xdrproc_t)xdr_kdb_fullresync_result_t, + &clnt_res, full_resync_timeout); + } + + return (status == RPC_SUCCESS) ? &clnt_res : NULL; +} + +/* + * Beg for incrementals from the KDC. + * + * Returns 0 on success IFF runonce is true. + * Returns non-zero on failure due to errors. + */ +krb5_error_code +do_iprop() +{ + kadm5_ret_t retval; + krb5_principal iprop_svc_principal; + void *server_handle = NULL; + char *iprop_svc_princstr = NULL, *master_svc_princstr = NULL; + unsigned int pollin, backoff_time; + int backoff_cnt = 0, reinit_cnt = 0; + struct timeval iprop_start, iprop_end; + unsigned long usec; + time_t frrequested = 0, now; + kdb_incr_result_t *incr_ret; + kdb_last_t mylast; + kdb_fullresync_result_t *full_ret; + kadm5_iprop_handle_t handle; + + if (debug) + fprintf(stderr, _("Incremental propagation enabled\n")); + + pollin = params.iprop_poll_time; + if (pollin == 0) + pollin = 10; + + if (master_svc_princstr == NULL) { + retval = kadm5_get_kiprop_host_srv_name(kpropd_context, realm, + &master_svc_princstr); + if (retval) { + com_err(progname, retval, + _("%s: unable to get kiprop host based " + "service name for realm %s\n"), + progname, realm); + return retval; + } + } + + retval = sn2princ_realm(kpropd_context, NULL, KIPROP_SVC_NAME, realm, + &iprop_svc_principal); + if (retval) { + com_err(progname, retval, + _("while trying to construct host service principal")); + return retval; + } + + retval = krb5_unparse_name(kpropd_context, iprop_svc_principal, + &iprop_svc_princstr); + if (retval) { + com_err(progname, retval, + _("while canonicalizing principal name")); + krb5_free_principal(kpropd_context, iprop_svc_principal); + return retval; + } + krb5_free_principal(kpropd_context, iprop_svc_principal); + +reinit: + /* + * Authentication, initialize rpcsec_gss handle etc. + */ + if (debug) { + fprintf(stderr, _("Initializing kadm5 as client %s\n"), + iprop_svc_princstr); + } + retval = kadm5_init_with_skey(kpropd_context, iprop_svc_princstr, + srvtab, + master_svc_princstr, + ¶ms, + KADM5_STRUCT_VERSION, + KADM5_API_VERSION_4, + db_args, + &server_handle); + + if (retval) { + if (debug) + fprintf(stderr, _("kadm5 initialization failed!\n")); + if (retval == KADM5_RPC_ERROR) { + reinit_cnt++; + if (server_handle) + kadm5_destroy(server_handle); + server_handle = NULL; + handle = NULL; + + com_err(progname, retval, _( + "while attempting to connect" + " to master KDC ... retrying")); + backoff_time = backoff_from_master(&reinit_cnt); + if (debug) { + fprintf(stderr, _("Sleeping %d seconds to re-initialize " + "kadm5 (RPC ERROR)\n"), backoff_time); + } + sleep(backoff_time); + goto reinit; + } else { + if (retval == KADM5_BAD_CLIENT_PARAMS || + retval == KADM5_BAD_SERVER_PARAMS) { + com_err(progname, retval, + _("while initializing %s interface"), + progname); + + usage(); + } + reinit_cnt++; + com_err(progname, retval, + _("while initializing %s interface, retrying"), + progname); + backoff_time = backoff_from_master(&reinit_cnt); + if (debug) { + fprintf(stderr, _("Sleeping %d seconds to re-initialize " + "kadm5 (krb5kdc not running?)\n"), + backoff_time); + } + sleep(backoff_time); + goto reinit; + } + } + + if (debug) + fprintf(stderr, _("kadm5 initialization succeeded\n")); + + /* + * Reset re-initialization count to zero now. + */ + reinit_cnt = backoff_time = 0; + + /* + * Reset the handle to the correct type for the RPC call + */ + handle = server_handle; + + for (;;) { + incr_ret = NULL; + full_ret = NULL; + + /* + * Get the most recent ulog entry sno + ts, which + * we package in the request to the master KDC + */ + retval = ulog_get_last(kpropd_context, &mylast); + if (retval) { + com_err(progname, retval, _("reading update log header")); + goto done; + } + + /* + * Loop continuously on an iprop_get_updates_1(), + * so that we can keep probing the master for updates + * or (if needed) do a full resync of the krb5 db. + */ + + if (debug) { + fprintf(stderr, _("Calling iprop_get_updates_1 " + "(sno=%u sec=%u usec=%u)\n"), + (unsigned int)mylast.last_sno, + (unsigned int)mylast.last_time.seconds, + (unsigned int)mylast.last_time.useconds); + } + gettimeofday(&iprop_start, NULL); + incr_ret = iprop_get_updates_1(&mylast, handle->clnt); + if (incr_ret == (kdb_incr_result_t *)NULL) { + clnt_perror(handle->clnt, + _("iprop_get_updates call failed")); + if (server_handle) + kadm5_destroy(server_handle); + server_handle = NULL; + handle = (kadm5_iprop_handle_t)NULL; + if (debug) { + fprintf(stderr, _("Reinitializing iprop because get updates " + "failed\n")); + } + goto reinit; + } + + switch (incr_ret->ret) { + + case UPDATE_FULL_RESYNC_NEEDED: + /* + * If we're already asked for a full resync and we still + * need one and the last one hasn't timed out then just keep + * asking for updates as eventually the resync will finish + * (or, if it times out we'll just try again). Note that + * doit() also applies a timeout to the full resync, thus + * it's OK for us to do the same here. + */ + now = time(NULL); + if (frrequested && + (now - frrequested) < params.iprop_resync_timeout) { + if (debug) + fprintf(stderr, _("Still waiting for full resync\n")); + break; + } else { + frrequested = now; + if (debug) + fprintf(stderr, _("Full resync needed\n")); + syslog(LOG_INFO, _("kpropd: Full resync needed.")); + + full_ret = full_resync(handle->clnt); + if (full_ret == NULL) { + clnt_perror(handle->clnt, + _("iprop_full_resync call failed")); + kadm5_destroy(server_handle); + server_handle = NULL; + handle = NULL; + goto reinit; + } + } + + switch (full_ret->ret) { + case UPDATE_OK: + if (debug) + fprintf(stderr, _("Full resync request granted\n")); + syslog(LOG_INFO, _("Full resync request granted.")); + backoff_cnt = 0; + break; + + case UPDATE_BUSY: + /* + * Exponential backoff + */ + if (debug) + fprintf(stderr, _("Exponential backoff\n")); + backoff_cnt++; + break; + + case UPDATE_PERM_DENIED: + if (debug) + fprintf(stderr, _("Full resync permission denied\n")); + syslog(LOG_ERR, _("Full resync, permission denied.")); + goto error; + + case UPDATE_ERROR: + if (debug) + fprintf(stderr, _("Full resync error from master\n")); + syslog(LOG_ERR, _(" Full resync, " + "error returned from master KDC.")); + goto error; + + default: + backoff_cnt = 0; + if (debug) { + fprintf(stderr, + _("Full resync invalid result from master\n")); + } + syslog(LOG_ERR, _("Full resync, " + "invalid return from master KDC.")); + break; + } + break; + + case UPDATE_OK: + backoff_cnt = 0; + frrequested = 0; + + /* + * ulog_replay() will convert the ulog updates to db + * entries using the kdb conv api and will commit + * the entries to the replica kdc database + */ + if (debug) { + fprintf(stderr, _("Got incremental updates " + "(sno=%u sec=%u usec=%u)\n"), + (unsigned int)incr_ret->lastentry.last_sno, + (unsigned int)incr_ret->lastentry.last_time.seconds, + (unsigned int)incr_ret->lastentry.last_time.useconds); + } + retval = ulog_replay(kpropd_context, incr_ret, db_args); + + if (retval) { + const char *msg = + krb5_get_error_message(kpropd_context, retval); + if (debug) { + fprintf(stderr, _("ulog_replay failed (%s), updates not " + "registered\n"), msg); + } + syslog(LOG_ERR, _("ulog_replay failed (%s), updates " + "not registered."), msg); + krb5_free_error_message(kpropd_context, msg); + break; + } + + gettimeofday(&iprop_end, NULL); + usec = (iprop_end.tv_sec - iprop_start.tv_sec) * 1000000 + + iprop_end.tv_usec - iprop_start.tv_usec; + syslog(LOG_INFO, _("Incremental updates: %d updates / %lu us"), + incr_ret->updates.kdb_ulog_t_len, usec); + if (debug) { + fprintf(stderr, _("Incremental updates: %d updates / " + "%lu us\n"), + incr_ret->updates.kdb_ulog_t_len, usec); + } + break; + + case UPDATE_PERM_DENIED: + if (debug) + fprintf(stderr, _("get_updates permission denied\n")); + syslog(LOG_ERR, _("get_updates, permission denied.")); + goto error; + + case UPDATE_ERROR: + if (debug) + fprintf(stderr, _("get_updates error from master\n")); + syslog(LOG_ERR, _("get_updates, error returned from master KDC.")); + goto error; + + case UPDATE_BUSY: + /* + * Exponential backoff + */ + if (debug) + fprintf(stderr, _("get_updates master busy; backoff\n")); + backoff_cnt++; + break; + + case UPDATE_NIL: + /* + * Master-replica are in sync + */ + if (debug) + fprintf(stderr, _("KDC is synchronized with master.\n")); + backoff_cnt = 0; + frrequested = 0; + break; + + default: + backoff_cnt = 0; + if (debug) + fprintf(stderr, _("get_updates invalid result from master\n")); + syslog(LOG_ERR, _("get_updates, invalid return from master KDC.")); + break; + } + + if (runonce == 1 && incr_ret->ret != UPDATE_FULL_RESYNC_NEEDED) + goto done; + + /* + * Sleep for the specified poll interval (Default is 2 mts), + * or do a binary exponential backoff if we get an + * UPDATE_BUSY signal + */ + if (backoff_cnt > 0) { + backoff_time = backoff_from_master(&backoff_cnt); + if (debug) { + fprintf(stderr, _("Busy signal received " + "from master, backoff for %d secs\n"), + backoff_time); + } + sleep(backoff_time); + } else { + if (debug) { + fprintf(stderr, _("Waiting for %d seconds before checking " + "for updates again\n"), pollin); + } + sleep(pollin); + } + + } + + +error: + if (debug) + fprintf(stderr, _("ERROR returned by master, bailing\n")); + syslog(LOG_ERR, _("ERROR returned by master KDC, bailing.\n")); +done: + free(iprop_svc_princstr); + free(master_svc_princstr); + krb5_free_default_realm(kpropd_context, def_realm); + kadm5_destroy(server_handle); + krb5_db_fini(kpropd_context); + ulog_fini(kpropd_context); + krb5_free_context(kpropd_context); + + return (runonce == 1) ? 0 : 1; +} + + +/* Do exponential backoff, since master KDC is BUSY or down. */ +static unsigned int +backoff_from_master(int *cnt) +{ + unsigned int btime; + + btime = (unsigned int)(2<<(*cnt)); + if (btime > MAX_BACKOFF) { + btime = MAX_BACKOFF; + (*cnt)--; + } + + return btime; +} + +static void +kpropd_com_err_proc(const char *whoami, long code, const char *fmt, + va_list args) +#if !defined(__cplusplus) && (__GNUC__ > 2) + __attribute__((__format__(__printf__, 3, 0))) +#endif + ; + +static void +kpropd_com_err_proc(const char *whoami, long code, const char *fmt, + va_list args) +{ + char error_buf[8096]; + + error_buf[0] = '\0'; + if (fmt) + vsnprintf(error_buf, sizeof(error_buf), fmt, args); + syslog(LOG_ERR, "%s%s%s%s%s", whoami ? whoami : "", whoami ? ": " : "", + code ? error_message(code) : "", code ? " " : "", error_buf); +} + +static void +parse_args(int argc, char **argv) +{ + char **newargs; + int c; + krb5_error_code retval; + enum { PID_FILE = 256 }; + struct option long_options[] = { + { "pid-file", 1, NULL, PID_FILE }, + }; + + memset(¶ms, 0, sizeof(params)); + + /* Since we may modify the KDB with ulog_replay(), we must read the KDC + * profile. */ + retval = krb5int_init_context_kdc(&kpropd_context); + if (retval) { + com_err(argv[0], retval, _("while initializing krb5")); + exit(1); + } + + progname = argv[0]; + while ((c = getopt_long(argc, argv, "A:f:F:p:P:r:s:DdSa:tx:", + long_options, NULL)) != -1) { + switch (c) { + case 'A': + params.mask |= KADM5_CONFIG_ADMIN_SERVER; + params.admin_server = optarg; + break; + case 'f': + file = optarg; + break; + case 'F': + kerb_database = optarg; + break; + case 'p': + kdb5_util = optarg; + break; + case 'P': + port = optarg; + break; + case 'r': + realm = optarg; + break; + case 's': + srvtab = optarg; + break; + case 'D': + nodaemon++; + break; + case 'd': + debug++; + break; + case 'S': + /* Standalone mode is now auto-detected; see main(). */ + break; + case 'a': + acl_file_name = optarg; + break; + case 't': + /* Undocumented option - for testing only. Run the kpropd + * server exactly once. */ + runonce = 1; + break; + case 'x': + newargs = realloc(db_args, (db_args_size + 2) * sizeof(*db_args)); + if (newargs == NULL) { + com_err(argv[0], errno, _("copying db args")); + exit(1); + } + db_args = newargs; + db_args[db_args_size] = optarg; + db_args[db_args_size + 1] = NULL; + db_args_size++; + break; + case PID_FILE: + pid_file = optarg; + break; + default: + usage(); + } + } + if (optind != argc) + usage(); + + openlog("kpropd", LOG_PID | LOG_ODELAY, SYSLOG_CLASS); + if (!debug) + set_com_err_hook(kpropd_com_err_proc); + + if (realm == NULL) { + retval = krb5_get_default_realm(kpropd_context, &def_realm); + if (retval) { + com_err(progname, retval, _("Unable to get default realm")); + exit(1); + } + realm = def_realm; + } else { + retval = krb5_set_default_realm(kpropd_context, realm); + if (retval) { + com_err(progname, retval, _("Unable to set default realm")); + exit(1); + } + } + + /* Construct service name from local hostname. */ + retval = sn2princ_realm(kpropd_context, NULL, KPROP_SERVICE_NAME, realm, + &server); + if (retval) { + com_err(progname, retval, + _("while trying to construct my service name")); + exit(1); + } + + /* Construct the name of the temporary file. */ + if (asprintf(&temp_file_name, "%s.temp", file) < 0) { + com_err(progname, ENOMEM, + _("while allocating filename for temp file")); + exit(1); + } + + params.realm = realm; + params.mask |= KADM5_CONFIG_REALM; + retval = kadm5_get_config_params(kpropd_context, 1, ¶ms, ¶ms); + if (retval) { + com_err(progname, retval, _("while initializing")); + exit(1); + } + if (params.iprop_enabled == TRUE) { + ulog_set_role(kpropd_context, IPROP_REPLICA); + + if (ulog_map(kpropd_context, params.iprop_logfile, + params.iprop_ulogsize)) { + com_err(progname, errno, _("Unable to map log!\n")); + exit(1); + } + } +} + +/* + * Figure out who's calling on the other end of the connection.... + */ +static void +kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp, + krb5_enctype *etype, struct sockaddr_storage *my_sin) +{ + krb5_error_code retval; + krb5_ticket *ticket; + struct sockaddr_storage r_sin; + GETSOCKNAME_ARG3_TYPE sin_length; + krb5_keytab keytab = NULL; + char *name, etypebuf[100]; + + /* Set recv_addr and send_addr. */ + sockaddr2krbaddr(context, my_sin->ss_family, (struct sockaddr *)my_sin, + &sender_addr); + + sin_length = sizeof(r_sin); + if (getsockname(fd, (struct sockaddr *)&r_sin, &sin_length)) { + com_err(progname, errno, _("while getting local socket address")); + exit(1); + } + + sockaddr2krbaddr(context, r_sin.ss_family, (struct sockaddr *)&r_sin, + &receiver_addr); + + if (debug) { + retval = krb5_unparse_name(context, server, &name); + if (retval) { + com_err(progname, retval, _("while unparsing client name")); + exit(1); + } + fprintf(stderr, "krb5_recvauth(%d, %s, %s, ...)\n", fd, kprop_version, + name); + free(name); + } + + retval = krb5_auth_con_init(context, &auth_context); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_auth_con_ini: %s"), + error_message(retval)); + exit(1); + } + + retval = krb5_auth_con_setflags(context, auth_context, + KRB5_AUTH_CONTEXT_DO_SEQUENCE); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_auth_con_setflags: %s"), + error_message(retval)); + exit(1); + } + + retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr, + sender_addr); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"), + error_message(retval)); + exit(1); + } + + if (srvtab != NULL) { + retval = krb5_kt_resolve(context, srvtab, &keytab); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_kt_resolve: %s"), + error_message(retval)); + exit(1); + } + } + + retval = krb5_recvauth(context, &auth_context, &fd, kprop_version, server, + 0, keytab, &ticket); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_recvauth: %s"), + error_message(retval)); + exit(1); + } + + retval = krb5_copy_principal(context, ticket->enc_part2->client, clientp); + if (retval) { + syslog(LOG_ERR, _("Error in krb5_copy_prinicpal: %s"), + error_message(retval)); + exit(1); + } + + *etype = ticket->enc_part.enctype; + + if (debug) { + retval = krb5_unparse_name(context, *clientp, &name); + if (retval) { + com_err(progname, retval, _("while unparsing client name")); + exit(1); + } + + retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf)); + if (retval) { + com_err(progname, retval, _("while unparsing ticket etype")); + exit(1); + } + + fprintf(stderr, _("authenticated client: %s (etype == %s)\n"), + name, etypebuf); + free(name); + } + + krb5_free_ticket(context, ticket); +} + +static krb5_boolean +authorized_principal(krb5_context context, krb5_principal p, + krb5_enctype auth_etype) +{ + char *name, *ptr, buf[1024]; + krb5_error_code retval; + FILE *acl_file; + int end; + krb5_enctype acl_etype; + + retval = krb5_unparse_name(context, p, &name); + if (retval) + return FALSE; + + acl_file = fopen(acl_file_name, "r"); + if (acl_file == NULL) + return FALSE; + + while (!feof(acl_file)) { + if (!fgets(buf, sizeof(buf), acl_file)) + break; + end = strlen(buf) - 1; + if (buf[end] == '\n') + buf[end] = '\0'; + if (!strncmp(name, buf, strlen(name))) { + ptr = buf + strlen(name); + + /* If the next character is not whitespace or null, then the match + * is only partial. Continue on to new lines. */ + if (*ptr != '\0' && !isspace((int)*ptr)) + continue; + + /* Otherwise, skip trailing whitespace. */ + for (; *ptr != '\0' && isspace((int)*ptr); ptr++) ; + + /* + * Now, look for an etype string. If there isn't one, return true. + * If there is an invalid string, continue. If there is a valid + * string, return true only if it matches the etype passed in, + * otherwise continue. + */ + if (*ptr != '\0' && + ((retval = krb5_string_to_enctype(ptr, &acl_etype)) || + (acl_etype != auth_etype))) + continue; + + free(name); + fclose(acl_file); + return TRUE; + } + } + free(name); + fclose(acl_file); + return FALSE; +} + +static void +recv_database(krb5_context context, int fd, int database_fd, + krb5_data *confmsg) +{ + krb5_ui_4 database_size, received_size; + int n; + char buf[1024]; + krb5_data inbuf, outbuf; + krb5_error_code retval; + + /* Receive and decode size from client. */ + retval = krb5_read_message(context, &fd, &inbuf); + if (retval) { + send_error(context, fd, retval, "while reading database size"); + com_err(progname, retval, + _("while reading size of database from client")); + exit(1); + } + if (krb5_is_krb_error(&inbuf)) + recv_error(context, &inbuf); + retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL); + if (retval) { + send_error(context, fd, retval, "while decoding database size"); + krb5_free_data_contents(context, &inbuf); + com_err(progname, retval, + _("while decoding database size from client")); + exit(1); + } + memcpy(&database_size, outbuf.data, sizeof(database_size)); + krb5_free_data_contents(context, &inbuf); + krb5_free_data_contents(context, &outbuf); + database_size = ntohl(database_size); + + /* Initialize the initial vector. */ + retval = krb5_auth_con_initivector(context, auth_context); + if (retval) { + send_error(context, fd, retval, + "failed while initializing i_vector"); + com_err(progname, retval, _("while initializing i_vector")); + exit(1); + } + + if (debug) + fprintf(stderr, _("Full propagation transfer started.\n")); + + /* Now start receiving the database from the net. */ + received_size = 0; + while (received_size < database_size) { + retval = krb5_read_message(context, &fd, &inbuf); + if (retval) { + snprintf(buf, sizeof(buf), + "while reading database block starting at offset %d", + received_size); + com_err(progname, retval, "%s", buf); + send_error(context, fd, retval, buf); + exit(1); + } + if (krb5_is_krb_error(&inbuf)) + recv_error(context, &inbuf); + retval = krb5_rd_priv(context, auth_context, &inbuf, &outbuf, NULL); + if (retval) { + snprintf(buf, sizeof(buf), + "while decoding database block starting at offset %d", + received_size); + com_err(progname, retval, "%s", buf); + send_error(context, fd, retval, buf); + krb5_free_data_contents(context, &inbuf); + exit(1); + } + n = write(database_fd, outbuf.data, outbuf.length); + krb5_free_data_contents(context, &inbuf); + krb5_free_data_contents(context, &outbuf); + if (n < 0) { + snprintf(buf, sizeof(buf), + "while writing database block starting at offset %d", + received_size); + send_error(context, fd, errno, buf); + } else if ((unsigned int)n != outbuf.length) { + snprintf(buf, sizeof(buf), + "incomplete write while writing database block starting " + "at \noffset %d (%d written, %d expected)", + received_size, n, outbuf.length); + send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); + } + received_size += outbuf.length; + } + + /* OK, we've seen the entire file. Did we get too many bytes? */ + if (received_size > database_size) { + snprintf(buf, sizeof(buf), + "Received %d bytes, expected %d bytes for database file", + received_size, database_size); + send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); + } + + if (debug) + fprintf(stderr, _("Full propagation transfer finished.\n")); + + /* Create message acknowledging number of bytes received, but + * don't send it until kdb5_util returns successfully. */ + database_size = htonl(database_size); + inbuf.data = (char *)&database_size; + inbuf.length = sizeof(database_size); + retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL); + if (retval) { + com_err(progname, retval, "while encoding # of receieved bytes"); + send_error(context, fd, retval, "while encoding # of received bytes"); + exit(1); + } +} + + +static void +send_error(krb5_context context, int fd, krb5_error_code err_code, + char *err_text) +{ + krb5_error error; + const char *text; + krb5_data outbuf; + char buf[1024]; + + memset(&error, 0, sizeof(error)); + krb5_us_timeofday(context, &error.stime, &error.susec); + error.server = server; + error.client = client; + + text = (err_text != NULL) ? err_text : error_message(err_code); + + error.error = err_code - ERROR_TABLE_BASE_krb5; + if (error.error > 127) { + error.error = KRB_ERR_GENERIC; + if (err_text) { + snprintf(buf, sizeof(buf), "%s %s", error_message(err_code), + err_text); + text = buf; + } + } + error.text.length = strlen(text) + 1; + error.text.data = strdup(text); + if (error.text.data) { + if (!krb5_mk_error(context, &error, &outbuf)) { + (void)krb5_write_message(context, &fd, &outbuf); + krb5_free_data_contents(context, &outbuf); + } + free(error.text.data); + } +} + +void +recv_error(krb5_context context, krb5_data *inbuf) +{ + krb5_error *error; + krb5_error_code retval; + + retval = krb5_rd_error(context, inbuf, &error); + if (retval) { + com_err(progname, retval, + _("while decoding error packet from client")); + exit(1); + } + if (error->error == KRB_ERR_GENERIC) { + if (error->text.data) + fprintf(stderr, _("Generic remote error: %s\n"), error->text.data); + } else if (error->error) { + com_err(progname, + (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, + _("signaled from server")); + if (error->text.data) { + fprintf(stderr, _("Error text from client: %s\n"), + error->text.data); + } + } + krb5_free_error(context, error); + exit(1); +} + +static void +load_database(krb5_context context, char *kdb_util, char *database_file_name) +{ + static char *edit_av[10]; + int error_ret, child_pid, count; + + /* has been included, so BSD will be defined on + * BSD systems. */ +#if BSD > 0 && BSD <= 43 +#ifndef WEXITSTATUS +#define WEXITSTATUS(w) (w).w_retcode +#endif + union wait waitb; +#else + int waitb; +#endif + kdb_log_context *log_ctx; + + if (debug) + fprintf(stderr, "calling kdb5_util to load database\n"); + + log_ctx = context->kdblog_context; + + edit_av[0] = kdb_util; + count = 1; + if (realm) { + edit_av[count++] = "-r"; + edit_av[count++] = realm; + } + edit_av[count++] = "load"; + if (kerb_database) { + edit_av[count++] = "-d"; + edit_av[count++] = kerb_database; + } + if (log_ctx && log_ctx->iproprole == IPROP_REPLICA) + edit_av[count++] = "-i"; + edit_av[count++] = database_file_name; + edit_av[count++] = NULL; + + switch (child_pid = fork()) { + case -1: + com_err(progname, errno, _("while trying to fork %s"), kdb_util); + exit(1); + case 0: + execv(kdb_util, edit_av); + com_err(progname, errno, _("while trying to exec %s"), kdb_util); + _exit(1); + /*NOTREACHED*/ + default: + if (debug) + fprintf(stderr, "Load PID is %d\n", child_pid); + if (wait(&waitb) < 0) { + com_err(progname, errno, _("while waiting for %s"), kdb_util); + exit(1); + } + } + + if (!WIFEXITED(waitb)) { + com_err(progname, 0, _("%s load terminated"), kdb_util); + exit(1); + } + + error_ret = WEXITSTATUS(waitb); + if (error_ret) { + com_err(progname, 0, _("%s returned a bad exit status (%d)"), + kdb_util, error_ret); + exit(1); + } + return; +} + +/* + * Get the host base service name for the kiprop principal. Returns + * KADM5_OK on success. Caller must free the storage allocated + * for host_service_name. + */ +static kadm5_ret_t +kadm5_get_kiprop_host_srv_name(krb5_context context, const char *realm_name, + char **host_service_name) +{ + char *name, *host; + + host = params.admin_server; /* XXX */ + if (asprintf(&name, "%s/%s", KADM5_KIPROP_HOST_SERVICE, host) < 0) { + free(host); + return ENOMEM; + } + *host_service_name = name; + + return KADM5_OK; +} diff --git a/src/slave/kpropd_rpc.c b/src/kprop/kpropd_rpc.c similarity index 100% rename from src/slave/kpropd_rpc.c rename to src/kprop/kpropd_rpc.c diff --git a/src/kprop/kproplog.c b/src/kprop/kproplog.c new file mode 100644 index 0000000..5ec97ae --- /dev/null +++ b/src/kprop/kproplog.c @@ -0,0 +1,572 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* + * Copyright 2008 Sun Microsystems, Inc. All rights reserved. + * Use is subject to license terms. + */ + +/* + * This module will parse the update logs on the master or replica servers. + */ + +#include "k5-int.h" +#include "k5-hex.h" +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static char *progname; + +static void +usage() +{ + fprintf(stderr, _("\nUsage: %s [-h] [-v] [-v] [-e num]\n\t%s -R\n\n"), + progname, progname); + exit(1); +} + +/* + * Print the attribute flags of principal in human readable form. + */ +static void +print_flags(unsigned int flags) +{ + unsigned int i; + static char *prflags[] = { + "DISALLOW_POSTDATED", /* 0x00000001 */ + "DISALLOW_FORWARDABLE", /* 0x00000002 */ + "DISALLOW_TGT_BASED", /* 0x00000004 */ + "DISALLOW_RENEWABLE", /* 0x00000008 */ + "DISALLOW_PROXIABLE", /* 0x00000010 */ + "DISALLOW_DUP_SKEY", /* 0x00000020 */ + "DISALLOW_ALL_TIX", /* 0x00000040 */ + "REQUIRES_PRE_AUTH", /* 0x00000080 */ + "REQUIRES_HW_AUTH", /* 0x00000100 */ + "REQUIRES_PWCHANGE", /* 0x00000200 */ + "UNKNOWN_0x00000400", /* 0x00000400 */ + "UNKNOWN_0x00000800", /* 0x00000800 */ + "DISALLOW_SVR", /* 0x00001000 */ + "PWCHANGE_SERVICE", /* 0x00002000 */ + "SUPPORT_DESMD5", /* 0x00004000 */ + "NEW_PRINC", /* 0x00008000 */ + "UNKNOWN_0x00010000", /* 0x00010000 */ + "UNKNOWN_0x00020000", /* 0x00020000 */ + "UNKNOWN_0x00040000", /* 0x00040000 */ + "UNKNOWN_0x00080000", /* 0x00080000 */ + "OK_AS_DELEGATE", /* 0x00100000 */ + "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ + "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ + + }; + + for (i = 0; i < sizeof(prflags) / sizeof(*prflags); i++) { + if (flags & (krb5_flags)(1 << i)) + printf("\t\t\t%s\n", prflags[i]); + } +} + +/* ctime() for uint32_t* */ +static const char * +ctime_uint32(uint32_t *time32) +{ + time_t tmp; + const char *r; + + tmp = *time32; + r = ctime(&tmp); + return (r == NULL) ? "(error)" : r; +} + +/* Display time information. */ +static void +print_time(uint32_t *timep) +{ + if (*timep == 0L) + printf("\t\t\tNone\n"); + else + printf("\t\t\t%s", ctime_uint32(timep)); +} + +static void +print_deltat(uint32_t *deltat) +{ + krb5_error_code ret; + static char buf[30]; + + ret = krb5_deltat_to_string(*deltat, buf, sizeof(buf)); + if (ret) + printf("\t\t\t(error)\n"); + else + printf("\t\t\t%s\n", buf); +} + +/* Display string in hex primitive. */ +static void +print_hex(const char *tag, utf8str_t *str) +{ + unsigned int len; + char *hex; + + len = str->utf8str_t_len; + + if (k5_hex_encode(str->utf8str_t_val, len, FALSE, &hex) != 0) + abort(); + printf("\t\t\t%s(%d): 0x%s\n", tag, len, hex); + free(hex); +} + +/* Display string primitive. */ +static void +print_str(const char *tag, utf8str_t *str) +{ + krb5_error_code ret; + char *s; + + s = k5memdup0(str->utf8str_t_val, str->utf8str_t_len, &ret); + if (s == NULL) { + fprintf(stderr, _("\nCouldn't allocate memory")); + exit(1); + } + printf("\t\t\t%s(%d): %s\n", tag, str->utf8str_t_len, s); + free(s); +} + +/* Display data components. */ +static void +print_data(const char *tag, kdbe_data_t *data) +{ + printf("\t\t\tmagic: 0x%x\n", data->k_magic); + print_str(tag, &data->k_data); +} + +/* Display the principal components. */ +static void +print_princ(kdbe_princ_t *princ) +{ + int i, len; + kdbe_data_t *data; + + print_str("realm", &princ->k_realm); + + len = princ->k_components.k_components_len; + data = princ->k_components.k_components_val; + for (i = 0; i < len; i++, data++) + print_data("princ", data); +} + +/* Display individual key. */ +static void +print_key(kdbe_key_t *k) +{ + unsigned int i; + utf8str_t *str; + + printf("\t\t\tver: %d\n", k->k_ver); + printf("\t\t\tkvno: %d\n", k->k_kvno); + + for (i = 0; i < k->k_enctype.k_enctype_len; i++) + printf("\t\t\tenc type: 0x%x\n", k->k_enctype.k_enctype_val[i]); + + str = k->k_contents.k_contents_val; + for (i = 0; i < k->k_contents.k_contents_len; i++, str++) + print_hex("key", str); +} + +/* Display all key data. */ +static void +print_keydata(kdbe_key_t *keys, unsigned int len) +{ + unsigned int i; + + for (i = 0; i < len; i++, keys++) + print_key(keys); +} + +/* Display TL item. */ +static void +print_tl(kdbe_tl_t *tl) +{ + int i, len; + + printf("\t\t\ttype: 0x%x\n", tl->tl_type); + + len = tl->tl_data.tl_data_len; + + printf("\t\t\tvalue(%d): 0x", len); + for (i = 0; i < len; i++) + printf("%02x", (krb5_octet)tl->tl_data.tl_data_val[i]); + printf("\n"); +} + +/* Display TL data items. */ +static void +print_tldata(kdbe_tl_t *tldata, int len) +{ + int i; + + printf("\t\t\titems: %d\n", len); + for (i = 0; i < len; i++, tldata++) + print_tl(tldata); +} + +/* + * Print the individual types if verbose mode was specified. + * If verbose-verbose then print types along with respective values. + */ +static void +print_attr(kdbe_val_t *val, int vverbose) +{ + switch (val->av_type) { + case AT_ATTRFLAGS: + printf(_("\t\tAttribute flags\n")); + if (vverbose) + print_flags(val->kdbe_val_t_u.av_attrflags); + break; + case AT_MAX_LIFE: + printf(_("\t\tMaximum ticket life\n")); + if (vverbose) + print_deltat(&val->kdbe_val_t_u.av_max_life); + break; + case AT_MAX_RENEW_LIFE: + printf(_("\t\tMaximum renewable life\n")); + if (vverbose) + print_deltat(&val->kdbe_val_t_u.av_max_renew_life); + break; + case AT_EXP: + printf(_("\t\tPrincipal expiration\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_exp); + break; + case AT_PW_EXP: + printf(_("\t\tPassword expiration\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_pw_exp); + break; + case AT_LAST_SUCCESS: + printf(_("\t\tLast successful auth\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_last_success); + break; + case AT_LAST_FAILED: + printf(_("\t\tLast failed auth\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_last_failed); + break; + case AT_FAIL_AUTH_COUNT: + printf(_("\t\tFailed passwd attempt\n")); + if (vverbose) + printf("\t\t\t%d\n", val->kdbe_val_t_u.av_fail_auth_count); + break; + case AT_PRINC: + printf(_("\t\tPrincipal\n")); + if (vverbose) + print_princ(&val->kdbe_val_t_u.av_princ); + break; + case AT_KEYDATA: + printf(_("\t\tKey data\n")); + if (vverbose) { + print_keydata(val->kdbe_val_t_u.av_keydata.av_keydata_val, + val->kdbe_val_t_u.av_keydata.av_keydata_len); + } + break; + case AT_TL_DATA: + printf(_("\t\tTL data\n")); + if (vverbose) { + print_tldata(val->kdbe_val_t_u.av_tldata.av_tldata_val, + val->kdbe_val_t_u.av_tldata.av_tldata_len); + } + break; + case AT_LEN: + printf(_("\t\tLength\n")); + if (vverbose) + printf("\t\t\t%d\n", val->kdbe_val_t_u.av_len); + break; + case AT_PW_LAST_CHANGE: + printf(_("\t\tPassword last changed\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_pw_last_change); + break; + case AT_MOD_PRINC: + printf(_("\t\tModifying principal\n")); + if (vverbose) + print_princ(&val->kdbe_val_t_u.av_mod_princ); + break; + case AT_MOD_TIME: + printf(_("\t\tModification time\n")); + if (vverbose) + print_time(&val->kdbe_val_t_u.av_mod_time); + break; + case AT_MOD_WHERE: + printf(_("\t\tModified where\n")); + if (vverbose) + print_str("where", &val->kdbe_val_t_u.av_mod_where); + break; + case AT_PW_POLICY: + printf(_("\t\tPassword policy\n")); + if (vverbose) + print_str("policy", &val->kdbe_val_t_u.av_pw_policy); + break; + case AT_PW_POLICY_SWITCH: + printf(_("\t\tPassword policy switch\n")); + if (vverbose) + printf("\t\t\t%d\n", val->kdbe_val_t_u.av_pw_policy_switch); + break; + case AT_PW_HIST_KVNO: + printf(_("\t\tPassword history KVNO\n")); + if (vverbose) + printf("\t\t\t%d\n", val->kdbe_val_t_u.av_pw_hist_kvno); + break; + case AT_PW_HIST: + printf(_("\t\tPassword history\n")); + if (vverbose) + printf("\t\t\tPW history elided\n"); + break; + } /* switch */ + +} +/* + * Print the update entry information + */ +static void +print_update(kdb_hlog_t *ulog, uint32_t entry, uint32_t ulogentries, + unsigned int verbose) +{ + XDR xdrs; + uint32_t start_sno, i, j, indx; + char *dbprinc; + kdb_ent_header_t *indx_log; + kdb_incr_update_t upd; + + if (entry && (entry < ulog->kdb_num)) + start_sno = ulog->kdb_last_sno - entry; + else + start_sno = ulog->kdb_first_sno - 1; + + for (i = start_sno; i < ulog->kdb_last_sno; i++) { + indx = i % ulogentries; + + indx_log = INDEX(ulog, indx); + + /* + * Check for corrupt update entry + */ + if (indx_log->kdb_umagic != KDB_ULOG_MAGIC) { + fprintf(stderr, _("Corrupt update entry\n\n")); + exit(1); + } + + printf("---\n"); + printf(_("Update Entry\n")); + + printf(_("\tUpdate serial # : %u\n"), indx_log->kdb_entry_sno); + + /* The initial entry after a reset is a dummy entry; skip it. */ + if (indx_log->kdb_entry_size == 0) { + printf(_("\tDummy entry\n")); + continue; + } + + memset(&upd, 0, sizeof(kdb_incr_update_t)); + xdrmem_create(&xdrs, (char *)indx_log->entry_data, + indx_log->kdb_entry_size, XDR_DECODE); + if (!xdr_kdb_incr_update_t(&xdrs, &upd)) { + printf(_("Entry data decode failure\n\n")); + exit(1); + } + + printf(_("\tUpdate operation : ")); + if (upd.kdb_deleted) + printf(_("Delete\n")); + else + printf(_("Add\n")); + + dbprinc = malloc(upd.kdb_princ_name.utf8str_t_len + 1); + if (dbprinc == NULL) { + printf(_("Could not allocate principal name\n\n")); + exit(1); + } + strncpy(dbprinc, upd.kdb_princ_name.utf8str_t_val, + upd.kdb_princ_name.utf8str_t_len); + dbprinc[upd.kdb_princ_name.utf8str_t_len] = 0; + printf(_("\tUpdate principal : %s\n"), dbprinc); + + printf(_("\tUpdate size : %u\n"), indx_log->kdb_entry_size); + printf(_("\tUpdate committed : %s\n"), + indx_log->kdb_commit ? "True" : "False"); + + if (indx_log->kdb_time.seconds == 0L) { + printf(_("\tUpdate time stamp : None\n")); + } else{ + printf(_("\tUpdate time stamp : %s"), + ctime_uint32(&indx_log->kdb_time.seconds)); + } + + printf(_("\tAttributes changed : %d\n"), upd.kdb_update.kdbe_t_len); + + if (verbose) { + for (j = 0; j < upd.kdb_update.kdbe_t_len; j++) + print_attr(&upd.kdb_update.kdbe_t_val[j], verbose > 1 ? 1 : 0); + } + + xdr_free(xdr_kdb_incr_update_t, (char *)&upd); + free(dbprinc); + } +} + +/* Return a read-only mmap of the ulog, or NULL on failure. Assumes fd is + * released on process exit. */ +static kdb_hlog_t * +map_ulog(const char *filename) +{ + int fd; + struct stat st; + kdb_hlog_t *ulog; + + fd = open(filename, O_RDONLY); + if (fd == -1) + return NULL; + if (fstat(fd, &st) < 0) + return NULL; + ulog = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); + return (ulog == MAP_FAILED) ? NULL : ulog; +} + +int +main(int argc, char **argv) +{ + int c; + unsigned int verbose = 0; + bool_t headeronly = FALSE, reset = FALSE; + uint32_t entry = 0; + krb5_context context; + kadm5_config_params params; + kdb_hlog_t *ulog = NULL; + + setlocale(LC_ALL, ""); + + progname = argv[0]; + + while ((c = getopt(argc, argv, "Rvhe:")) != -1) { + switch (c) { + case 'h': + headeronly = TRUE; + break; + case 'e': + entry = atoi(optarg); + break; + case 'R': + reset = TRUE; + break; + case 'v': + verbose++; + break; + default: + usage(); + } + } + + if (krb5_init_context(&context)) { + fprintf(stderr, _("Unable to initialize Kerberos\n\n")); + exit(1); + } + + memset(¶ms, 0, sizeof(params)); + + if (kadm5_get_config_params(context, 1, ¶ms, ¶ms)) { + fprintf(stderr, _("Couldn't read database_name\n\n")); + exit(1); + } + + printf(_("\nKerberos update log (%s)\n"), params.iprop_logfile); + + if (reset) { + if (ulog_map(context, params.iprop_logfile, params.iprop_ulogsize)) { + fprintf(stderr, _("Unable to map log file %s\n\n"), + params.iprop_logfile); + exit(1); + } + if (ulog_init_header(context) != 0) { + fprintf(stderr, _("Couldn't reinitialize ulog file %s\n\n"), + params.iprop_logfile); + exit(1); + } + printf(_("Reinitialized the ulog.\n")); + ulog_fini(context); + goto done; + } + + ulog = map_ulog(params.iprop_logfile); + if (ulog == NULL) { + fprintf(stderr, _("Unable to map log file %s\n\n"), + params.iprop_logfile); + exit(1); + } + + if (ulog->kdb_hmagic != KDB_ULOG_HDR_MAGIC) { + fprintf(stderr, _("Corrupt header log, exiting\n\n")); + exit(1); + } + + printf(_("Update log dump :\n")); + printf(_("\tLog version # : %u\n"), ulog->db_version_num); + printf(_("\tLog state : ")); + switch (ulog->kdb_state) { + case KDB_STABLE: + printf(_("Stable\n")); + break; + case KDB_UNSTABLE: + printf(_("Unstable\n")); + break; + case KDB_CORRUPT: + printf(_("Corrupt\n")); + break; + default: + printf(_("Unknown state: %d\n"), ulog->kdb_state); + break; + } + printf(_("\tEntry block size : %u\n"), ulog->kdb_block); + printf(_("\tNumber of entries : %u\n"), ulog->kdb_num); + + if (ulog->kdb_last_sno == 0) { + printf(_("\tLast serial # : None\n")); + } else { + if (ulog->kdb_first_sno == 0) { + printf(_("\tFirst serial # : None\n")); + } else { + printf(_("\tFirst serial # : ")); + printf("%u\n", ulog->kdb_first_sno); + } + + printf(_("\tLast serial # : ")); + printf("%u\n", ulog->kdb_last_sno); + } + + if (ulog->kdb_last_time.seconds == 0L) { + printf(_("\tLast time stamp : None\n")); + } else { + if (ulog->kdb_first_time.seconds == 0L) { + printf(_("\tFirst time stamp : None\n")); + } else { + printf(_("\tFirst time stamp : %s"), + ctime_uint32(&ulog->kdb_first_time.seconds)); + } + + printf(_("\tLast time stamp : %s\n"), + ctime_uint32(&ulog->kdb_last_time.seconds)); + } + + if (!headeronly && ulog->kdb_num) + print_update(ulog, entry, params.iprop_ulogsize, verbose); + + printf("\n"); + +done: + kadm5_free_config_params(context, ¶ms); + krb5_free_context(context); + return 0; +} diff --git a/src/kprop/replica_update b/src/kprop/replica_update new file mode 100644 index 0000000..a8b4944 --- /dev/null +++ b/src/kprop/replica_update @@ -0,0 +1,30 @@ +#!/bin/sh +# +# Propagate if database (principal.db) has been modified since last dump +# (dumpfile.dump_ok) or if database has been dumped since last successful +# propagation (dumpfile..last_prop) + +KDB_DIR=/usr/local/var/krb5kdc + +KDB_FILE=$KDB_DIR/principal.db +DUMPFILE=$KDB_DIR/replica_datatrans +KDB5_UTIL=/usr/local/sbin/kdb5_util +KPROP=/usr/local/sbin/kprop + +REPLICA=$1 +if [ -z "${REPLICA}" ] +then + echo "Usage $0 replica_server" +fi + +if [ "`ls -t $DUMPFILE.dump_ok $KDB_FILE | sed -n 1p`" = "$KDB_FILE" -o \ + "`ls -t $DUMPFILE.${REPLICA}.last_prop $DUMPFILE.dump_ok | \ + sed -n 1p`" = "$DUMPFILE.dump_ok" ] +then + + date + $KDB5_UTIL dump $DUMPFILE > /dev/null + + $KPROP -d -f $DUMPFILE ${REPLICA} + rm $DUMPFILE +fi diff --git a/src/lib/Makefile.in b/src/lib/Makefile.in index 8a119ab..3b812ed 100644 --- a/src/lib/Makefile.in +++ b/src/lib/Makefile.in @@ -28,11 +28,7 @@ clean-windows:: -##WIN32##!if ("$(CPU)" == "IA64" ) || ("$(CPU)" == "AMD64" ) || ("$(CPU)" == "ALPHA64" ) -##WIN32##SLIBS = $(BUILDTOP)\util\support\$(OUTPRE)k5sprt64.lib -##WIN32##!else -##WIN32##SLIBS = $(BUILDTOP)\util\support\$(OUTPRE)k5sprt32.lib -##WIN32##!endif +##WIN32##SLIBS = $(BUILDTOP)\util\support\$(OUTPRE)k5sprt$(BITS).lib ##WIN32##CLIBS = $(BUILDTOP)\util\et\$(OUTPRE)comerr.lib ##WIN32##PLIBS = $(BUILDTOP)\util\profile\$(OUTPRE)profile.lib ##WIN32##KLIBS = krb5\$(OUTPRE)krb5.lib crypto\$(OUTPRE)crypto.lib \ @@ -100,7 +96,7 @@ clean-windows:: ##WIN32##$(SLIB): $(SDEF) $(SLIBS) $(SGLUE) $(SRES) ##WIN32## link $(WINDLLFLAGS) -def:$(SDEF) -out:$*.dll \ -##WIN32## $(SLIBS) $(SGLUE) $(SRES) $(WINLIBS) $(SCLIB) +##WIN32## $(SLIBS) $(SGLUE) $(SRES) $(WINLIBS) ##WIN32## $(_VC_MANIFEST_EMBED_DLL) ##WIN32##$(SDEF): ..\util\support\libkrb5support.exports ##WIN32## echo EXPORTS > $(SDEF).new @@ -110,7 +106,7 @@ clean-windows:: ##WIN32##$(CLIB): $(CDEF) $(CLIBS) $(CGLUE) $(CRES) $(SLIB) ##WIN32## link $(WINDLLFLAGS) -def:$(CDEF) -out:$*.dll \ -##WIN32## $(CLIBS) $(CGLUE) $(CRES) $(SLIB) $(WINLIBS) $(SCLIB) +##WIN32## $(CLIBS) $(CGLUE) $(CRES) $(SLIB) $(WINLIBS) ##WIN32## $(_VC_MANIFEST_EMBED_DLL) ##WIN32##$(PLIB): $(PDEF) $(PLIBS) $(PGLUE) $(PRES) $(CLIB) $(SLIB) @@ -118,14 +114,14 @@ clean-windows:: ##WIN32## $(PLIBS) $(PGLUE) $(PRES) $(CLIB) $(SLIB) $(WINLIBS) ##WIN32## $(_VC_MANIFEST_EMBED_DLL) -##WIN32##$(KLIB): $(KDEF) $(KLIBS) $(KGLUE) $(KRES) $(CLIB) $(SLIB) $(MITLIBS) $(DNSLIBS) +##WIN32##$(KLIB): $(KDEF) $(KLIBS) $(KGLUE) $(KRES) $(CLIB) $(SLIB) $(MITLIBS) ##WIN32## link $(WINDLLFLAGS) -def:$(KDEF) -out:$*.dll \ -##WIN32## $(KLIBS) $(KGLUE) $(KRES) $(CLIB) $(SLIB) $(MITLIBS) $(DNSLIBS) $(WINLIBS) $(SCLIB) +##WIN32## $(KLIBS) $(KGLUE) $(KRES) $(CLIB) $(SLIB) $(MITLIBS) $(DNSLIBS) $(WINLIBS) ##WIN32## $(_VC_MANIFEST_EMBED_DLL) ##WIN32##$(GLIB): $(GDEF) $(GLIBS) $(GGLUE) $(GRES) $(KLIB) $(CLIB) $(SLIB) ##WIN32## link $(WINDLLFLAGS) -def:$(GDEF) -out:$*.dll \ -##WIN32## $(GLIBS) $(GGLUE) $(GRES) $(KLIB) $(CLIB) $(SLIB) $(WINLIBS) $(SCLIB) +##WIN32## $(GLIBS) $(GGLUE) $(GRES) $(KLIB) $(CLIB) $(SLIB) $(WINLIBS) ##WIN32## $(_VC_MANIFEST_EMBED_DLL) ##WIN32##$(K5_GLUE): win_glue.c diff --git a/src/lib/apputils/net-server.c b/src/lib/apputils/net-server.c index 29ec84a..c685687 100644 --- a/src/lib/apputils/net-server.c +++ b/src/lib/apputils/net-server.c @@ -105,17 +105,6 @@ paddr(struct sockaddr *sa) return buf; } -/* Return true if sa is an IPv4 or IPv6 wildcard address. */ -static int -is_wildcard(struct sockaddr *sa) -{ - if (sa->sa_family == AF_INET6) - return IN6_IS_ADDR_UNSPECIFIED(&sa2sin6(sa)->sin6_addr); - else if (sa->sa_family == AF_INET) - return sa2sin(sa)->sin_addr.s_addr == INADDR_ANY; - return 0; -} - /* KDC data. */ enum conn_type { @@ -142,8 +131,8 @@ struct connection { struct sockaddr_storage addr_s; socklen_t addrlen; char addrbuf[56]; - krb5_fulladdr faddr; - krb5_address kaddr; + krb5_address remote_addr_buf; + krb5_fulladdr remote_addr; /* Incoming data (TCP) */ size_t bufsiz; @@ -451,14 +440,6 @@ loop_add_rpc_service(int default_port, const char *addresses, u_long prognum, #define SOCKET_ERRNO errno #include "foreachaddr.h" -struct socksetup { - verto_ctx *ctx; - void *handle; - const char *prog; - krb5_error_code retval; - int listen_backlog; -}; - static void free_connection(struct connection *conn) { @@ -533,7 +514,7 @@ free_socket(verto_ctx *ctx, verto_ev *ev) static verto_ev * make_event(verto_ctx *ctx, verto_ev_flag flags, verto_callback callback, - int sock, struct connection *conn, int addevent) + int sock, struct connection *conn) { verto_ev *ev; void *tmp; @@ -544,45 +525,44 @@ make_event(verto_ctx *ctx, verto_ev_flag flags, verto_callback callback, return NULL; } - if (addevent) { - if (!ADD(events, ev, tmp)) { - com_err(conn->prog, ENOMEM, _("cannot save event")); - verto_del(ev); - return NULL; - } + if (!ADD(events, ev, tmp)) { + com_err(conn->prog, ENOMEM, _("cannot save event")); + verto_del(ev); + return NULL; } verto_set_private(ev, conn, free_socket); return ev; } -static verto_ev * -add_fd(struct socksetup *data, int sock, enum conn_type conntype, - verto_ev_flag flags, verto_callback callback, int addevent) +static krb5_error_code +add_fd(int sock, enum conn_type conntype, verto_ev_flag flags, void *handle, + const char *prog, verto_ctx *ctx, verto_callback callback, + verto_ev **ev_out) { struct connection *newconn; + *ev_out = NULL; + #ifndef _WIN32 if (sock >= FD_SETSIZE) { - data->retval = EMFILE; /* XXX */ - com_err(data->prog, 0, - _("file descriptor number %d too high"), sock); - return 0; + com_err(prog, 0, _("file descriptor number %d too high"), sock); + return EMFILE; } #endif newconn = malloc(sizeof(*newconn)); if (newconn == NULL) { - data->retval = ENOMEM; - com_err(data->prog, ENOMEM, + com_err(prog, ENOMEM, _("cannot allocate storage for connection info")); - return 0; + return ENOMEM; } memset(newconn, 0, sizeof(*newconn)); - newconn->handle = data->handle; - newconn->prog = data->prog; + newconn->handle = handle; + newconn->prog = prog; newconn->type = conntype; - return make_event(data->ctx, flags, callback, sock, newconn, addevent); + *ev_out = make_event(ctx, flags, callback, sock, newconn); + return 0; } static void process_packet(verto_ctx *ctx, verto_ev *ev); @@ -592,77 +572,62 @@ static void process_tcp_connection_write(verto_ctx *ctx, verto_ev *ev); static void accept_rpc_connection(verto_ctx *ctx, verto_ev *ev); static void process_rpc_connection(verto_ctx *ctx, verto_ev *ev); -static verto_ev * -add_tcp_read_fd(struct socksetup *data, int sock) -{ - return add_fd(data, sock, CONN_TCP, - VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST, - process_tcp_connection_read, 1); -} - /* * Create a socket and bind it to addr. Ensure the socket will work with * select(). Set the socket cloexec, reuseaddr, and if applicable v6-only. - * Does not call listen(). Returns -1 on failure after logging an error. + * Does not call listen(). On failure, log an error and return an error code. */ -static int -create_server_socket(struct socksetup *data, struct sockaddr *addr, int type) +static krb5_error_code +create_server_socket(struct sockaddr *addr, int type, const char *prog, + int *fd_out) { - int sock; + int sock, e; + + *fd_out = -1; sock = socket(addr->sa_family, type, 0); if (sock == -1) { - data->retval = errno; - com_err(data->prog, errno, _("Cannot create TCP server socket on %s"), + e = errno; + com_err(prog, e, _("Cannot create TCP server socket on %s"), paddr(addr)); - return -1; + return e; } set_cloexec_fd(sock); #ifndef _WIN32 /* Windows FD_SETSIZE is a count. */ if (sock >= FD_SETSIZE) { close(sock); - com_err(data->prog, 0, _("TCP socket fd number %d (for %s) too high"), + com_err(prog, 0, _("TCP socket fd number %d (for %s) too high"), sock, paddr(addr)); - return -1; + return EMFILE; } #endif - if (setreuseaddr(sock, 1) < 0) { - com_err(data->prog, errno, - _("Cannot enable SO_REUSEADDR on fd %d"), sock); - } + if (setreuseaddr(sock, 1) < 0) + com_err(prog, errno, _("Cannot enable SO_REUSEADDR on fd %d"), sock); if (addr->sa_family == AF_INET6) { #ifdef IPV6_V6ONLY - if (setv6only(sock, 1)) - com_err(data->prog, errno, - _("setsockopt(%d,IPV6_V6ONLY,1) failed"), sock); - else - com_err(data->prog, 0, _("setsockopt(%d,IPV6_V6ONLY,1) worked"), + if (setv6only(sock, 1)) { + com_err(prog, errno, _("setsockopt(%d,IPV6_V6ONLY,1) failed"), sock); + } else { + com_err(prog, 0, _("setsockopt(%d,IPV6_V6ONLY,1) worked"), sock); + } #else krb5_klog_syslog(LOG_INFO, _("no IPV6_V6ONLY socket option support")); #endif /* IPV6_V6ONLY */ } if (bind(sock, addr, sa_socklen(addr)) == -1) { - data->retval = errno; - com_err(data->prog, errno, _("Cannot bind server socket on %s"), - paddr(addr)); + e = errno; + com_err(prog, e, _("Cannot bind server socket on %s"), paddr(addr)); close(sock); - return -1; + return e; } - return sock; -} - -static verto_ev * -add_rpc_data_fd(struct socksetup *data, int sock) -{ - return add_fd(data, sock, CONN_RPC, - VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST, - process_rpc_connection, 1); + *fd_out = sock; + return 0; } static const int one = 1; @@ -716,12 +681,13 @@ static const enum conn_type bind_conn_types[] = * The conn_type of this socket. */ static krb5_error_code -setup_socket(struct socksetup *data, struct bind_address *ba, - struct sockaddr *sock_address, verto_callback vcb, - enum conn_type ctype) +setup_socket(struct bind_address *ba, struct sockaddr *sock_address, + void *handle, const char *prog, verto_ctx *ctx, + int tcp_listen_backlog, verto_callback vcb, enum conn_type ctype) { krb5_error_code ret; struct connection *conn; + verto_ev_flag flags; verto_ev *ev = NULL; int sock = -1; @@ -729,18 +695,16 @@ setup_socket(struct socksetup *data, struct bind_address *ba, bind_type_names[ba->type], paddr(sock_address)); /* Create the socket. */ - sock = create_server_socket(data, sock_address, bind_socktypes[ba->type]); - if (sock == -1) { - ret = data->retval; + ret = create_server_socket(sock_address, bind_socktypes[ba->type], prog, + &sock); + if (ret) goto cleanup; - } /* Listen for backlogged connections on TCP sockets. (For RPC sockets this * will be done by svc_register().) */ - if (ba->type == TCP && listen(sock, data->listen_backlog) != 0) { + if (ba->type == TCP && listen(sock, tcp_listen_backlog) != 0) { ret = errno; - com_err(data->prog, errno, - _("Cannot listen on %s server socket on %s"), + com_err(prog, errno, _("Cannot listen on %s server socket on %s"), bind_type_names[ba->type], paddr(sock_address)); goto cleanup; } @@ -748,7 +712,7 @@ setup_socket(struct socksetup *data, struct bind_address *ba, /* Set non-blocking I/O for UDP and TCP listener sockets. */ if (ba->type != RPC && setnbio(sock) != 0) { ret = errno; - com_err(data->prog, errno, + com_err(prog, errno, _("cannot set listening %s socket on %s non-blocking"), bind_type_names[ba->type], paddr(sock_address)); goto cleanup; @@ -757,19 +721,18 @@ setup_socket(struct socksetup *data, struct bind_address *ba, /* Turn off the linger option for TCP sockets. */ if (ba->type == TCP && setnolinger(sock) != 0) { ret = errno; - com_err(data->prog, errno, - _("cannot set SO_LINGER on %s socket on %s"), + com_err(prog, errno, _("cannot set SO_LINGER on %s socket on %s"), bind_type_names[ba->type], paddr(sock_address)); goto cleanup; } /* Try to turn on pktinfo for UDP wildcard sockets. */ - if (ba->type == UDP && is_wildcard(sock_address)) { + if (ba->type == UDP && sa_is_wildcard(sock_address)) { krb5_klog_syslog(LOG_DEBUG, _("Setting pktinfo on socket %s"), paddr(sock_address)); ret = set_pktinfo(sock, sock_address->sa_family); if (ret) { - com_err(data->prog, ret, + com_err(prog, ret, _("Cannot request packet info for UDP socket address " "%s port %d"), paddr(sock_address), ba->port); krb5_klog_syslog(LOG_INFO, _("System does not support pktinfo yet " @@ -780,13 +743,11 @@ setup_socket(struct socksetup *data, struct bind_address *ba, } /* Add the socket to the event loop. */ - ev = add_fd(data, sock, ctype, - VERTO_EV_FLAG_IO_READ | - VERTO_EV_FLAG_PERSIST | - VERTO_EV_FLAG_REINITIABLE, vcb, 1); - if (ev == NULL) { + flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST | + VERTO_EV_FLAG_REINITIABLE; + ret = add_fd(sock, ctype, flags, handle, prog, ctx, vcb, &ev); + if (ret) { krb5_klog_syslog(LOG_ERR, _("Error attempting to add verto event")); - ret = data->retval; goto cleanup; } @@ -829,13 +790,10 @@ cleanup: * This function uses getaddrinfo to figure out all the addresses. This will * automatically figure out which socket families that should be used on the * host making it useful even for wildcard addresses. - * - * Arguments: - * - data - * A pointer to the socksetup data. */ static krb5_error_code -setup_addresses(struct socksetup *data) +setup_addresses(verto_ctx *ctx, void *handle, const char *prog, + int tcp_listen_backlog) { /* An bind_type enum map for the verto callback functions. */ static verto_callback *const verto_callbacks[] = { @@ -896,8 +854,8 @@ setup_addresses(struct socksetup *data) /* Set the real port number. */ sa_setport(ai->ai_addr, addr.port); - ret = setup_socket(data, &addr, ai->ai_addr, - verto_callbacks[addr.type], + ret = setup_socket(&addr, ai->ai_addr, handle, prog, ctx, + tcp_listen_backlog, verto_callbacks[addr.type], bind_conn_types[addr.type]); if (ret) { krb5_klog_syslog(LOG_ERR, @@ -929,9 +887,9 @@ krb5_error_code loop_setup_network(verto_ctx *ctx, void *handle, const char *prog, int tcp_listen_backlog) { - struct socksetup setup_data; + krb5_error_code ret; verto_ev *ev; - int i, ret; + int i; /* Check to make sure that at least one address was added to the loop. */ if (bind_addresses.n == 0) @@ -942,15 +900,9 @@ loop_setup_network(verto_ctx *ctx, void *handle, const char *prog, verto_del(ev); events.n = 0; - setup_data.ctx = ctx; - setup_data.handle = handle; - setup_data.prog = prog; - setup_data.retval = 0; - setup_data.listen_backlog = tcp_listen_backlog; - krb5_klog_syslog(LOG_INFO, _("setting up network...")); - ret = setup_addresses(&setup_data); - if (ret != 0) { + ret = setup_addresses(ctx, handle, prog, tcp_listen_backlog); + if (ret) { com_err(prog, ret, _("Error setting up network")); exit(1); } @@ -999,8 +951,10 @@ struct udp_dispatch_state { void *handle; const char *prog; int port_fd; - krb5_address addr; - krb5_fulladdr faddr; + krb5_address remote_addr_buf; + krb5_fulladdr remote_addr; + krb5_address local_addr_buf; + krb5_fulladdr local_addr; socklen_t saddr_len; socklen_t daddr_len; struct sockaddr_storage saddr; @@ -1106,17 +1060,6 @@ process_packet(verto_ctx *ctx, verto_ev *ev) return; } -#if 0 - if (state->daddr_len > 0) { - char addrbuf[100]; - if (getnameinfo(ss2sa(&state->daddr), state->daddr_len, - addrbuf, sizeof(addrbuf), - 0, 0, NI_NUMERICHOST)) - strlcpy(addrbuf, "?", sizeof(addrbuf)); - com_err(conn->prog, 0, _("pktinfo says local addr is %s"), addrbuf); - } -#endif - if (state->daddr_len == 0 && conn->type == CONN_UDP) { /* * An address couldn't be obtained, so the PKTINFO option probably @@ -1132,10 +1075,15 @@ process_packet(verto_ctx *ctx, verto_ev *ev) state->request.length = cc; state->request.data = state->pktbuf; - state->faddr.address = &state->addr; - init_addr(&state->faddr, ss2sa(&state->saddr)); + + state->remote_addr.address = &state->remote_addr_buf; + init_addr(&state->remote_addr, ss2sa(&state->saddr)); + + state->local_addr.address = &state->local_addr_buf; + init_addr(&state->local_addr, ss2sa(&state->daddr)); + /* This address is in net order. */ - dispatch(state->handle, ss2sa(&state->daddr), &state->faddr, + dispatch(state->handle, &state->local_addr, &state->remote_addr, &state->request, 0, ctx, process_packet_response, state); } @@ -1157,11 +1105,6 @@ kill_lru_tcp_or_rpc_connection(void *handle, verto_ev *newev) continue; if (c->type != CONN_TCP && c->type != CONN_RPC) continue; -#if 0 - krb5_klog_syslog(LOG_INFO, "fd %d started at %ld", - verto_get_fd(oldest_ev), - c->start_time); -#endif if (oldest_c == NULL || oldest_c->start_time > c->start_time) { oldest_ev = ev; @@ -1186,9 +1129,9 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev) struct sockaddr_storage addr_s; struct sockaddr *addr = (struct sockaddr *)&addr_s; socklen_t addrlen = sizeof(addr_s); - struct socksetup sockdata; struct connection *newconn, *conn; char tmpbuf[10]; + verto_ev_flag flags; verto_ev *newev; conn = verto_get_private(ev); @@ -1204,13 +1147,9 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev) #endif setnbio(s), setnolinger(s), setkeepalive(s); - sockdata.ctx = ctx; - sockdata.handle = conn->handle; - sockdata.prog = conn->prog; - sockdata.retval = 0; - - newev = add_tcp_read_fd(&sockdata, s); - if (newev == NULL) { + flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST; + if (add_fd(s, CONN_TCP, flags, conn->handle, conn->prog, ctx, + process_tcp_connection_read, &newev) != 0) { close(s); return; } @@ -1231,10 +1170,6 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev) strlcpy(p, tmpbuf, end - p); } } -#if 0 - krb5_klog_syslog(LOG_INFO, "accepted TCP connection on socket %d from %s", - s, newconn->addrbuf); -#endif newconn->addr_s = addr_s; newconn->addrlen = addrlen; @@ -1253,14 +1188,16 @@ accept_tcp_connection(verto_ctx *ctx, verto_ev *ev) return; } newconn->offset = 0; - newconn->faddr.address = &newconn->kaddr; - init_addr(&newconn->faddr, ss2sa(&newconn->addr_s)); + newconn->remote_addr.address = &newconn->remote_addr_buf; + init_addr(&newconn->remote_addr, ss2sa(&newconn->addr_s)); SG_SET(&newconn->sgbuf[0], newconn->lenbuf, 4); SG_SET(&newconn->sgbuf[1], 0, 0); } struct tcp_dispatch_state { struct sockaddr_storage local_saddr; + krb5_address local_addr_buf; + krb5_fulladdr local_addr; struct connection *conn; krb5_data request; verto_ctx *ctx; @@ -1288,7 +1225,7 @@ process_tcp_response(void *arg, krb5_error_code code, krb5_data *response) state->conn->sgnum = 2; ev = make_event(state->ctx, VERTO_EV_FLAG_IO_WRITE | VERTO_EV_FLAG_PERSIST, - process_tcp_connection_write, state->sock, state->conn, 1); + process_tcp_connection_write, state->sock, state->conn); if (ev) { free(state); return; @@ -1381,7 +1318,6 @@ process_tcp_connection_read(verto_ctx *ctx, verto_ev *ev) } else { /* msglen known. */ socklen_t local_saddrlen = sizeof(struct sockaddr_storage); - struct sockaddr *local_saddrp = NULL; len = conn->msglen - (conn->offset - 4); nread = SOCKET_READ(verto_get_fd(ev), @@ -1403,10 +1339,14 @@ process_tcp_connection_read(verto_ctx *ctx, verto_ev *ev) state->request.data = conn->buffer + 4; if (getsockname(verto_get_fd(ev), ss2sa(&state->local_saddr), - &local_saddrlen) == 0) - local_saddrp = ss2sa(&state->local_saddr); - - dispatch(state->conn->handle, local_saddrp, &conn->faddr, + &local_saddrlen) < 0) { + krb5_klog_syslog(LOG_ERR, _("getsockname failed: %s"), + error_message(errno)); + goto kill_tcp_connection; + } + state->local_addr.address = &state->local_addr_buf; + init_addr(&state->local_addr, ss2sa(&state->local_saddr)); + dispatch(state->conn->handle, &state->local_addr, &conn->remote_addr, &state->request, 1, ctx, process_tcp_response, state); } @@ -1489,18 +1429,13 @@ have_event_for_fd(int fd) static void accept_rpc_connection(verto_ctx *ctx, verto_ev *ev) { - struct socksetup sockdata; + verto_ev_flag flags; struct connection *conn; fd_set fds; - register int s; + int s; conn = verto_get_private(ev); - sockdata.ctx = ctx; - sockdata.handle = conn->handle; - sockdata.prog = conn->prog; - sockdata.retval = 0; - /* Service the woken RPC listener descriptor. */ FD_ZERO(&fds); FD_SET(verto_get_fd(ev), &fds); @@ -1519,15 +1454,13 @@ accept_rpc_connection(verto_ctx *ctx, verto_ev *ev) if (!FD_ISSET(s, &svc_fdset) || have_event_for_fd(s)) continue; - newev = add_rpc_data_fd(&sockdata, s); - if (newev == NULL) + flags = VERTO_EV_FLAG_IO_READ | VERTO_EV_FLAG_PERSIST; + if (add_fd(s, CONN_RPC, flags, conn->handle, conn->prog, ctx, + process_rpc_connection, &newev) != 0) continue; newconn = verto_get_private(newev); set_cloexec_fd(s); -#if 0 - setnbio(s), setnolinger(s), setkeepalive(s); -#endif if (getpeername(s, addr, &addrlen) || getnameinfo(addr, addrlen, @@ -1547,10 +1480,6 @@ accept_rpc_connection(verto_ctx *ctx, verto_ev *ev) strlcpy(p, tmpbuf, end - p); } } -#if 0 - krb5_klog_syslog(LOG_INFO, _("accepted RPC connection on socket %d " - "from %s"), s, newconn->addrbuf); -#endif newconn->addr_s = addr_s; newconn->addrlen = addrlen; @@ -1559,8 +1488,8 @@ accept_rpc_connection(verto_ctx *ctx, verto_ev *ev) if (++tcp_or_rpc_data_counter > max_tcp_or_rpc_data_connections) kill_lru_tcp_or_rpc_connection(newconn->handle, newev); - newconn->faddr.address = &newconn->kaddr; - init_addr(&newconn->faddr, ss2sa(&newconn->addr_s)); + newconn->remote_addr.address = &newconn->remote_addr_buf; + init_addr(&newconn->remote_addr, ss2sa(&newconn->addr_s)); } } diff --git a/src/lib/apputils/udppktinfo.c b/src/lib/apputils/udppktinfo.c index bc7ad09..c096c12 100644 --- a/src/lib/apputils/udppktinfo.c +++ b/src/lib/apputils/udppktinfo.c @@ -141,19 +141,17 @@ is_socket_bound_to_wildcard(int sock) { struct sockaddr_storage bound_addr; socklen_t bound_addr_len = sizeof(bound_addr); + struct sockaddr *sa = ss2sa(&bound_addr); - if (getsockname(sock, ss2sa(&bound_addr), &bound_addr_len) < 0) + if (getsockname(sock, sa, &bound_addr_len) < 0) return -1; - switch (ss2sa(&bound_addr)->sa_family) { - case AF_INET: - return ss2sin(&bound_addr)->sin_addr.s_addr == INADDR_ANY; - case AF_INET6: - return IN6_IS_ADDR_UNSPECIFIED(&ss2sin6(&bound_addr)->sin6_addr); - default: + if (!sa_is_inet(sa)) { errno = EINVAL; return -1; } + + return sa_is_wildcard(sa); } #ifdef HAVE_IP_PKTINFO @@ -402,7 +400,7 @@ set_msg_from_ipv6_pktinfo(struct msghdr *msg, struct cmsghdr *cmsgptr, /* * Because of the possibility of asymmetric routing, we * normally don't want to specify an interface. However, - * Mac OS X doesn't like sending from a link-local address + * macOS doesn't like sending from a link-local address * (which can come up in testing at least, if you wind up * with a "foo.local" name) unless we do specify the * interface. diff --git a/src/lib/apputils/udppktinfo.h b/src/lib/apputils/udppktinfo.h index b0c7ea3..ff5759a 100644 --- a/src/lib/apputils/udppktinfo.h +++ b/src/lib/apputils/udppktinfo.h @@ -32,7 +32,7 @@ * This holds whatever additional information might be needed to * properly send back to the client from the correct local address. * - * In this case, we only need one datum so far: On Mac OS X, the + * In this case, we only need one datum so far: On macOS, the * kernel doesn't seem to like sending from link-local addresses * unless we specify the correct interface. */ diff --git a/src/lib/crypto/builtin/des/des_int.h b/src/lib/crypto/builtin/des/des_int.h index 0801cb5..67e40a1 100644 --- a/src/lib/crypto/builtin/des/des_int.h +++ b/src/lib/crypto/builtin/des/des_int.h @@ -74,7 +74,7 @@ #endif /* defined(__MACH__) && defined(__APPLE__) */ /* Macro to add deprecated attribute to DES types and functions */ -/* Currently only defined on Mac OS X 10.5 and later. */ +/* Currently only defined on macOS 10.5 and later. */ #ifndef KRB5INT_DES_DEPRECATED #define KRB5INT_DES_DEPRECATED #endif diff --git a/src/lib/crypto/builtin/des/destest.c b/src/lib/crypto/builtin/des/destest.c index 6eeb070..5211430 100644 --- a/src/lib/crypto/builtin/des/destest.c +++ b/src/lib/crypto/builtin/des/destest.c @@ -52,6 +52,7 @@ /* Test a DES implementation against known inputs & outputs. */ #include "des_int.h" +#include #include void convert (char *, unsigned char []); @@ -66,9 +67,6 @@ main(argc, argv) char *argv[]; { char block1[17], block2[17], block3[17]; -#if 0 - mit_des_cblock key, input, output, output2; -#else /* Force tests of unaligned accesses. */ union { unsigned char c[8*4+3]; long l; } u; unsigned char *ioblocks = u.c; @@ -76,7 +74,6 @@ main(argc, argv) unsigned char *output = ioblocks+10; unsigned char *output2 = ioblocks+19; unsigned char *key = ioblocks+27; -#endif mit_des_key_schedule sched; int num = 0; int retval; @@ -158,9 +155,9 @@ convert(text, cblock) char *text; unsigned char cblock[]; { - register int i; + int i; for (i = 0; i < 8; i++) { - if (text[i*2] < 0 || text[i*2] >= 128) + if (!isascii((unsigned char)text[i * 2])) abort (); if (value[(int) text[i*2]] == -1 || value[(int) text[i*2+1]] == -1) { printf("Bad value byte %d in %s\n", i, text); @@ -188,7 +185,7 @@ des_cblock_print_file(x, fp) FILE *fp; { unsigned char *y = (unsigned char *) x; - register int i = 0; + int i = 0; fprintf(fp," 0x { "); while (i++ < 8) { @@ -211,7 +208,7 @@ des_cblock_print_file(x, fp) */ int mit_des_check_key_parity(key) - register mit_des_cblock key; + mit_des_cblock key; { unsigned int i; @@ -230,7 +227,7 @@ mit_des_check_key_parity(key) void mit_des_fixup_key_parity(key) - register mit_des_cblock key; + mit_des_cblock key; { unsigned int i; for (i=0; i> 1; - new = new << 1; - } - } - *array = new; - array++; - } -} -#endif - static void do_encrypt(in,out) unsigned char *in; diff --git a/src/lib/crypto/builtin/enc_provider/rc4.c b/src/lib/crypto/builtin/enc_provider/rc4.c index 3776f80..df71048 100644 --- a/src/lib/crypto/builtin/enc_provider/rc4.c +++ b/src/lib/crypto/builtin/enc_provider/rc4.c @@ -113,7 +113,7 @@ k5_arcfour_docrypt(krb5_key key, const krb5_data *state, krb5_crypto_iov *data, return KRB5_BAD_MSIZE; if (state != NULL) { - cipher_state = (ArcFourCipherState *)state->data; + cipher_state = (ArcFourCipherState *)(void *)state->data; arcfour_ctx = &cipher_state->ctx; if (cipher_state->initialized == 0) { ret = k5_arcfour_init(arcfour_ctx, key->keyblock.contents, diff --git a/src/lib/crypto/builtin/md4/md4.c b/src/lib/crypto/builtin/md4/md4.c index 27d2ad5..f7c16ca 100644 --- a/src/lib/crypto/builtin/md4/md4.c +++ b/src/lib/crypto/builtin/md4/md4.c @@ -151,7 +151,7 @@ krb5int_MD4Final (krb5_MD4_CTX *mdContext) */ static void Transform (krb5_ui_4 *buf, krb5_ui_4 *in) { - register krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; + krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; #if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) int i; diff --git a/src/lib/crypto/builtin/md5/md5.c b/src/lib/crypto/builtin/md5/md5.c index 4a16906..a5e0c82 100644 --- a/src/lib/crypto/builtin/md5/md5.c +++ b/src/lib/crypto/builtin/md5/md5.c @@ -189,7 +189,7 @@ krb5int_MD5Final (krb5_MD5_CTX *mdContext) */ static void Transform (krb5_ui_4 *buf, krb5_ui_4 *in) { - register krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; + krb5_ui_4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; #if defined(CONFIG_SMALL) && !defined(CONFIG_SMALL_NO_CRYPTO) diff --git a/src/lib/crypto/builtin/pbkdf2.c b/src/lib/crypto/builtin/pbkdf2.c index d36b32e..8905f26 100644 --- a/src/lib/crypto/builtin/pbkdf2.c +++ b/src/lib/crypto/builtin/pbkdf2.c @@ -102,11 +102,6 @@ F(char *output, char *u_tmp1, char *u_tmp2, krb5_data out; krb5_error_code err; -#if 0 - printf("F(i=%d, count=%lu, pass=%d:%s)\n", i, count, - pass->length, pass->data); -#endif - /* Compute U_1. */ store_32_be(i, ibytes); @@ -114,45 +109,25 @@ F(char *output, char *u_tmp1, char *u_tmp2, memcpy(u_tmp2 + salt->length, ibytes, 4); sdata = make_data(u_tmp2, salt->length + 4); -#if 0 - printd("initial salt", &sdata); -#endif - out = make_data(u_tmp1, hlen); -#if 0 - printf("F: computing hmac #1 (U_1) with %s\n", pdata.contents); -#endif err = hmac(hash, pass, &sdata, &out); if (err) return err; -#if 0 - printd("F: prf return value", &out); -#endif + memcpy(output, u_tmp1, hlen); /* Compute U_2, .. U_c. */ sdata.length = hlen; for (j = 2; j <= count; j++) { -#if 0 - printf("F: computing hmac #%d (U_%d)\n", j, j); -#endif memcpy(u_tmp2, u_tmp1, hlen); err = hmac(hash, pass, &sdata, &out); if (err) return err; -#if 0 - printd("F: prf return value", &out); -#endif + /* And xor them together. */ for (k = 0; k < hlen; k++) output[k] ^= u_tmp1[k]; -#if 0 - printf("F: xor result:\n"); - for (k = 0; k < hlen; k++) - printf(" %02x", 0xff & output[k]); - printf("\n"); -#endif } return 0; } @@ -185,9 +160,6 @@ pbkdf2(const struct krb5_hash_provider *hash, krb5_keyblock *pass, /* Step 3. */ for (i = 1; i <= l; i++) { -#if 0 - int j; -#endif krb5_error_code err; char *out; @@ -205,12 +177,6 @@ pbkdf2(const struct krb5_hash_provider *hash, krb5_keyblock *pass, memcpy(output->data + (i-1) * hlen, utmp3, output->length - (i-1) * hlen); -#if 0 - printf("after F(%d), @%p:\n", i, output->data); - for (j = (i-1) * hlen; j < i * hlen; j++) - printf(" %02x", 0xff & output->data[j]); - printf ("\n"); -#endif } free(utmp1); free(utmp2); diff --git a/src/lib/crypto/builtin/sha1/t_shs.c b/src/lib/crypto/builtin/sha1/t_shs.c index 08157b6..c1d18f5 100644 --- a/src/lib/crypto/builtin/sha1/t_shs.c +++ b/src/lib/crypto/builtin/sha1/t_shs.c @@ -59,10 +59,6 @@ main() { SHS_INFO shsInfo; unsigned int i; -#if 0 - time_t secondCount; - SHS_BYTE data[ 200 ]; -#endif /* Make sure we've got the endianness set right. If the machine is big-endian (up to 64 bits) the following value will be signed, @@ -120,17 +116,6 @@ main() puts( "passed, result= 3232AFFA48628A26653B5AAA44541FD90D690603" ); #endif /* NEW_SHS */ -#if 0 - printf( "\nTesting speed for 100MB data... " ); - shsInit( &shsInfo ); - secondCount = time( NULL ); - for( i = 0; i < 500000U; i++ ) - shsUpdate( &shsInfo, data, 200 ); - secondCount = time( NULL ) - secondCount; - printf( "done. Time = %ld seconds, %ld kbytes/second.\n", \ - secondCount, 100500L / secondCount ); -#endif - puts( "\nAll SHS tests passed" ); exit( 0 ); } diff --git a/src/lib/crypto/builtin/sha2/sha256.c b/src/lib/crypto/builtin/sha2/sha256.c index e34bed5..9a940b3 100644 --- a/src/lib/crypto/builtin/sha2/sha256.c +++ b/src/lib/crypto/builtin/sha2/sha256.c @@ -211,14 +211,14 @@ k5_sha256_update(SHA256_CTX *m, const void *v, size_t len) #if !defined(WORDS_BIGENDIAN) || defined(_CRAY) int i; uint32_t current[16]; - struct x32 *u = (struct x32*)m->save; + struct x32 *u = (struct x32*)(void*)m->save; for(i = 0; i < 8; i++){ current[2*i+0] = swap_uint32_t(u[i].a); current[2*i+1] = swap_uint32_t(u[i].b); } calc(m, current); #else - calc(m, (uint32_t*)m->save); + calc(m, (uint32_t*)(void*)m->save); #endif offset = 0; } @@ -257,12 +257,14 @@ k5_sha256_final(void *res, SHA256_CTX *m) } krb5_error_code -k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]) +k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]) { SHA256_CTX ctx; + size_t i; k5_sha256_init(&ctx); - k5_sha256_update(&ctx, in->data, in->length); + for (i = 0; i < n; i++) + k5_sha256_update(&ctx, in[i].data, in[i].length); k5_sha256_final(out, &ctx); return 0; } diff --git a/src/lib/crypto/builtin/sha2/sha512.c b/src/lib/crypto/builtin/sha2/sha512.c index 8f0ce89..6130655 100644 --- a/src/lib/crypto/builtin/sha2/sha512.c +++ b/src/lib/crypto/builtin/sha2/sha512.c @@ -217,14 +217,14 @@ k5_sha512_update (SHA512_CTX *m, const void *v, size_t len) #if !defined(WORDS_BIGENDIAN) || defined(_CRAY) int i; uint64_t current[16]; - struct x64 *us = (struct x64*)m->save; + struct x64 *us = (struct x64*)(void*)m->save; for(i = 0; i < 8; i++){ current[2*i+0] = swap_uint64_t(us[i].a); current[2*i+1] = swap_uint64_t(us[i].b); } calc(m, current); #else - calc(m, (uint64_t*)m->save); + calc(m, (uint64_t*)(void*)m->save); #endif offset = 0; } diff --git a/src/lib/crypto/crypto_tests/deps b/src/lib/crypto/crypto_tests/deps index bc5422a..5d94a59 100644 --- a/src/lib/crypto/crypto_tests/deps +++ b/src/lib/crypto/crypto_tests/deps @@ -73,12 +73,13 @@ $(OUTPRE)t_hmac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h t_hmac.c + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + t_hmac.c $(OUTPRE)t_pkcs5.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -143,12 +144,13 @@ $(OUTPRE)t_cksum.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h t_cksum.c + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + t_cksum.c $(OUTPRE)t_cksums.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -165,12 +167,13 @@ $(OUTPRE)t_crc.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(srcdir)/../builtin/crypto_mod.h $(srcdir)/../builtin/sha2/sha2.h \ $(srcdir)/../krb/crypto_int.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h t_crc.c + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + t_crc.c $(OUTPRE)t_mddriver.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../builtin/aes/aes.h \ diff --git a/src/lib/crypto/crypto_tests/t_cksum.c b/src/lib/crypto/crypto_tests/t_cksum.c index 2200fe7..0edaeb8 100644 --- a/src/lib/crypto/crypto_tests/t_cksum.c +++ b/src/lib/crypto/crypto_tests/t_cksum.c @@ -27,6 +27,7 @@ /* Test checksum and checksum compatability for rsa-md[4,5]-des. */ #include "k5-int.h" +#include "k5-hex.h" #define MD5_K5BETA_COMPAT #define MD4_K5BETA_COMPAT @@ -50,29 +51,6 @@ print_checksum(char *text, int number, char *message, krb5_checksum *checksum) printf("\n"); } -static void -parse_hexstring(const char *s, krb5_checksum *cksum) -{ - size_t i, len; - unsigned int byte; - unsigned char *cp; - - len = strlen(s); - cp = malloc(len / 2); - cksum->contents = cp; - if (cp == NULL) { - cksum->length = 0; - return; - } - cksum->length = len / 2; - for (i = 0; i + 1 < len; i += 2) { - sscanf(&s[i], "%2x", &byte); - *cp++ = byte; - } - cksum->checksum_type = CKTYPE; - cksum->magic = KV5M_CHECKSUM; -} - /* * Test the checksum verification of Old Style (tm) and correct RSA-MD[4,5]-DES * checksums. @@ -86,6 +64,7 @@ main(argc, argv) char **argv; { int msgindex; + size_t len; krb5_boolean valid; krb5_keyblock keyblock; krb5_key key; @@ -150,12 +129,14 @@ main(argc, argv) free(checksum.contents); /* Verify a known-good checksum for this plaintext. */ - parse_hexstring(argv[msgindex+1], &knowncksum); - if (knowncksum.contents == NULL) { - printf("parse_hexstring failed\n"); - kret = 1; + kret = k5_hex_decode(argv[msgindex + 1], &knowncksum.contents, &len); + if (kret) { + printf("k5_hex_decode failed\n"); break; } + knowncksum.length = len; + knowncksum.checksum_type = CKTYPE; + knowncksum.magic = KV5M_CHECKSUM; kret = krb5_k_verify_checksum(NULL, key, 0, &plaintext, &knowncksum, &valid); if (kret != 0) { diff --git a/src/lib/crypto/crypto_tests/t_cksums.c b/src/lib/crypto/crypto_tests/t_cksums.c index 4b5406e..5afc90e 100644 --- a/src/lib/crypto/crypto_tests/t_cksums.c +++ b/src/lib/crypto/crypto_tests/t_cksums.c @@ -175,15 +175,11 @@ printhex(const char *head, void *data, size_t len) printf("%s", head); for (i = 0; i < len; i++) { -#if 0 /* For convenience when updating test cases. */ - printf("\\x%02X", ((unsigned char*)data)[i]); -#else printf("%02X", ((unsigned char*)data)[i]); if (i % 16 == 15 && i + 1 < len) printf("\n%*s", (int)strlen(head), ""); else if (i + 1 < len) printf(" "); -#endif } printf("\n"); } diff --git a/src/lib/crypto/crypto_tests/t_crc.c b/src/lib/crypto/crypto_tests/t_crc.c index 1907732..8cd1d36 100644 --- a/src/lib/crypto/crypto_tests/t_crc.c +++ b/src/lib/crypto/crypto_tests/t_crc.c @@ -32,6 +32,7 @@ #include #include #include +#include #include "crypto_int.h" #define HEX 1 @@ -106,64 +107,13 @@ struct crc_trial trials[] = { #define NTRIALS (sizeof(trials) / sizeof(trials[0])) -#if 0 -static void -timetest(unsigned int nblk, unsigned int blksiz) -{ - char *block; - unsigned int i; - struct tms before, after; - unsigned long cksum; - - block = malloc(blksiz * nblk); - if (block == NULL) - exit(1); - for (i = 0; i < blksiz * nblk; i++) - block[i] = i % 256; - times(&before); - for (i = 0; i < nblk; i++) { - cksum = 0; - mit_crc32(block + i * blksiz, blksiz, &cksum); - } - - times(&after); - printf("shift-8 implementation, %d blocks of %d bytes:\n", - nblk, blksiz); - printf("\tu=%ld s=%ld cu=%ld cs=%ld\n", - (long)(after.tms_utime - before.tms_utime), - (long)(after.tms_stime - before.tms_stime), - (long)(after.tms_cutime - before.tms_cutime), - (long)(after.tms_cstime - before.tms_cstime)); - free(block); -} -#endif - -static void gethexstr(char *data, size_t *outlen, unsigned char *outbuf, - size_t buflen) -{ - size_t inlen; - char *cp, buf[3]; - long n; - - inlen = strlen(data); - *outlen = 0; - for (cp = data; (size_t) (cp - data) < inlen; cp += 2) { - strncpy(buf, cp, 2); - buf[2] = '\0'; - n = strtol(buf, NULL, 16); - outbuf[(*outlen)++] = n; - if (*outlen > buflen) - break; - } -} - -static void -verify(void) +int +main(void) { unsigned int i; struct crc_trial trial; - unsigned char buf[4]; + uint8_t *bytes; size_t len; unsigned long cksum; char *typestr; @@ -179,9 +129,11 @@ verify(void) break; case HEX: typestr = "HEX"; - gethexstr(trial.data, &len, buf, 4); + if (k5_hex_decode(trial.data, &bytes, &len) != 0) + abort(); cksum = 0; - mit_crc32(buf, len, &cksum); + mit_crc32(bytes, len, &cksum); + free(bytes); break; default: typestr = "BOGUS"; @@ -192,14 +144,5 @@ verify(void) (trial.sum == cksum) ? "OK" : "***BAD***", typestr, trial.data, cksum); } -} - -int -main(void) -{ -#if 0 - timetest(64*1024, 1024); -#endif - verify(); exit(0); } diff --git a/src/lib/crypto/crypto_tests/t_cts.c b/src/lib/crypto/crypto_tests/t_cts.c index 2b022b4..fe50516 100644 --- a/src/lib/crypto/crypto_tests/t_cts.c +++ b/src/lib/crypto/crypto_tests/t_cts.c @@ -44,37 +44,10 @@ const char *whoami; -#if 0 -static void printhex (size_t len, const char *p) -{ - while (len--) - printf ("%02x", 0xff & *p++); -} - -static void printstringhex (const char *p) { printhex (strlen (p), p); } - -static void printdata (krb5_data *d) { printhex (d->length, d->data); } - -static void printkey (krb5_keyblock *k) { printhex (k->length, k->contents); } -#endif - - #define JURISIC "Juri\305\241i\304\207" /* hi Miro */ #define ESZETT "\303\237" #define GCLEF "\360\235\204\236" /* outside BMP, woo hoo! */ -#if 0 -static void -check_error (int r, int line) { - if (r != 0) { - fprintf (stderr, "%s:%d: %s\n", __FILE__, line, - error_message (r)); - exit (1); - } -} -#define CHECK check_error(r, __LINE__) -#endif - static void printd (const char *descr, krb5_data *d) { unsigned int i, j; const int r = 16; diff --git a/src/lib/crypto/crypto_tests/t_decrypt.c b/src/lib/crypto/crypto_tests/t_decrypt.c index 1dbc4dd..4ae0256 100644 --- a/src/lib/crypto/crypto_tests/t_decrypt.c +++ b/src/lib/crypto/crypto_tests/t_decrypt.c @@ -658,15 +658,11 @@ printhex(const char *head, void *data, size_t len) printf("%s", head); for (i = 0; i < len; i++) { -#if 0 /* For convenience when updating test cases. */ - printf("\\x%02X", ((unsigned char*)data)[i]); -#else printf("%02X", ((unsigned char*)data)[i]); if (i % 16 == 15 && i + 1 < len) printf("\n%*s", (int)strlen(head), ""); else if (i + 1 < len) printf(" "); -#endif } printf("\n"); } diff --git a/src/lib/crypto/crypto_tests/t_derive.c b/src/lib/crypto/crypto_tests/t_derive.c index 381ae43..afbf747 100644 --- a/src/lib/crypto/crypto_tests/t_derive.c +++ b/src/lib/crypto/crypto_tests/t_derive.c @@ -273,15 +273,11 @@ printhex(const char *head, void *data, size_t len) printf("%s", head); for (i = 0; i < len; i++) { -#if 0 /* For convenience when updating test cases. */ - printf("\\x%02X", ((unsigned char*)data)[i]); -#else printf("%02X", ((unsigned char*)data)[i]); if (i % 16 == 15 && i + 1 < len) printf("\n%*s", (int)strlen(head), ""); else if (i + 1 < len) printf(" "); -#endif } printf("\n"); } diff --git a/src/lib/crypto/crypto_tests/t_hmac.c b/src/lib/crypto/crypto_tests/t_hmac.c index 8961380..da359cb 100644 --- a/src/lib/crypto/crypto_tests/t_hmac.c +++ b/src/lib/crypto/crypto_tests/t_hmac.c @@ -34,6 +34,7 @@ #include #include +#include #include "crypto_int.h" #define ASIZE(ARRAY) (sizeof(ARRAY)/sizeof(ARRAY[0])) @@ -45,17 +46,6 @@ static void keyToData (krb5_keyblock *k, krb5_data *d) { d->data = (char *) k->contents; } -#if 0 -static void check_error (int r, int line) { - if (r != 0) { - fprintf (stderr, "%s:%d: %s\n", __FILE__, line, - error_message (r)); - exit (1); - } -} -#define CHECK check_error(r, __LINE__) -#endif - static void printd (const char *descr, krb5_data *d) { unsigned int i, j; const int r = 16; @@ -136,12 +126,10 @@ static void test_hmac() { krb5_keyblock key; krb5_data in, out; - char outbuf[20]; - char stroutbuf[80]; + char outbuf[20], *hexdigest; krb5_error_code err; - unsigned int i, j; + unsigned int i; int lose = 0; - struct k5buf buf; /* RFC 2202 test vector. */ static const struct hmac_test md5tests[] = { @@ -151,13 +139,13 @@ static void test_hmac() 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, }, 8, "Hi There", - "0x9294727a3638bb1c13f48ef8158bfc9d" + "9294727a3638bb1c13f48ef8158bfc9d" }, { 4, "Jefe", 28, "what do ya want for nothing?", - "0x750c783e6ab0b503eaa86e310a5db738" + "750c783e6ab0b503eaa86e310a5db738" }, { @@ -172,7 +160,7 @@ static void test_hmac() 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, 0xdd, }, - "0x56be34521d144c88dbb8c733f0e8b3f6" + "56be34521d144c88dbb8c733f0e8b3f6" }, { @@ -188,7 +176,7 @@ static void test_hmac() 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, 0xcd, }, - "0x697eaf0aca3a3aea3a75164746ffaa79" + "697eaf0aca3a3aea3a75164746ffaa79" }, { @@ -197,7 +185,7 @@ static void test_hmac() 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c, 0x0c }, 20, "Test With Truncation", - "0x56461ef2342edc00f9bab995690efd4c" + "56461ef2342edc00f9bab995690efd4c" }, { @@ -212,7 +200,7 @@ static void test_hmac() 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, 0xaa, }, 54, "Test Using Larger Than Block-Size Key - Hash Key First", - "0x6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd" + "6b1ab7fe4bd7bf8f0b62e6ce61b9d0cd" }, { @@ -228,7 +216,7 @@ static void test_hmac() }, 73, "Test Using Larger Than Block-Size Key and Larger Than One Block-Size Data", - "0x6f630fad67cda0ee1fb1f562db3aa53e" + "6f630fad67cda0ee1fb1f562db3aa53e" }, }; @@ -246,19 +234,16 @@ static void test_hmac() exit(1); } - k5_buf_init_fixed(&buf, stroutbuf, sizeof(stroutbuf)); - k5_buf_add(&buf, "0x"); - for (j = 0; j < out.length; j++) - k5_buf_add_fmt(&buf, "%02x", 0xff & outbuf[j]); - if (k5_buf_status(&buf) != 0) + if (k5_hex_encode(out.data, out.length, FALSE, &hexdigest) != 0) abort(); - if (strcmp(stroutbuf, md5tests[i].hexdigest)) { + if (strcmp(hexdigest, md5tests[i].hexdigest)) { printf("*** CHECK FAILED!\n" - "\tReturned: %s.\n" - "\tExpected: %s.\n", stroutbuf, md5tests[i].hexdigest); + "\tReturned: 0x%s.\n" + "\tExpected: 0x%s.\n", hexdigest, md5tests[i].hexdigest); lose++; } else printf("Matches expected result.\n"); + free(hexdigest); } /* Do again with SHA-1 tests.... */ diff --git a/src/lib/crypto/crypto_tests/t_sha2.c b/src/lib/crypto/crypto_tests/t_sha2.c index 12f3286..e6fa584 100644 --- a/src/lib/crypto/crypto_tests/t_sha2.c +++ b/src/lib/crypto/crypto_tests/t_sha2.c @@ -125,7 +125,7 @@ hash_test(const struct krb5_hash_provider *hash, struct test *tests) if (hash == &krb5int_hash_sha256) { /* Try again using k5_sha256(). */ - if (k5_sha256(&iov.data, (uint8_t *)hval.data) != 0) + if (k5_sha256(&iov.data, 1, (uint8_t *)hval.data) != 0) abort(); if (memcmp(hval.data, t->hash, hval.length) != 0) abort(); diff --git a/src/lib/crypto/crypto_tests/t_str2key.c b/src/lib/crypto/crypto_tests/t_str2key.c index 7a78138..27896e6 100644 --- a/src/lib/crypto/crypto_tests/t_str2key.c +++ b/src/lib/crypto/crypto_tests/t_str2key.c @@ -719,15 +719,11 @@ printhex(const char *head, void *data, size_t len) printf("%s", head); for (i = 0; i < len; i++) { -#if 0 /* For convenience when updating test cases. */ - printf("\\x%02X", ((unsigned char*)data)[i]); -#else printf("%02X", ((unsigned char*)data)[i]); if (i % 16 == 15 && i + 1 < len) printf("\n%*s", (int)strlen(head), ""); else if (i + 1 < len) printf(" "); -#endif } printf("\n"); } diff --git a/src/lib/crypto/crypto_tests/vectors.c b/src/lib/crypto/crypto_tests/vectors.c index 482d2de..c1a7657 100644 --- a/src/lib/crypto/crypto_tests/vectors.c +++ b/src/lib/crypto/crypto_tests/vectors.c @@ -448,11 +448,6 @@ int main (int argc, char **argv) { whoami = argv[0]; test_nfold (); -#if 0 - test_mit_des_s2k (); - test_des3_s2k (); - test_dr_dk (); -#endif test_pbkdf2(); return 0; } diff --git a/src/lib/crypto/krb/Makefile.in b/src/lib/crypto/krb/Makefile.in index c5660c5..fc01a2c 100644 --- a/src/lib/crypto/krb/Makefile.in +++ b/src/lib/crypto/krb/Makefile.in @@ -212,7 +212,7 @@ depend: $(SRCS) check-unix: t_fortuna if [ $(PRNG_ALG) = fortuna ]; then \ - $(RUN_TEST) ./t_fortuna > t_fortuna.output; \ + $(RUN_TEST) ./t_fortuna > t_fortuna.output && \ cmp t_fortuna.output $(srcdir)/t_fortuna.expected; \ fi diff --git a/src/lib/crypto/krb/crc32.c b/src/lib/crypto/krb/crc32.c index d3b1b7a..11fe312 100644 --- a/src/lib/crypto/krb/crc32.c +++ b/src/lib/crypto/krb/crc32.c @@ -148,9 +148,9 @@ static u_long const crc_table[256] = { void mit_crc32(krb5_pointer in, size_t in_length, unsigned long *cksum) { - register u_char *data; - register u_long c = *cksum; - register int idx; + u_char *data; + u_long c = *cksum; + int idx; size_t i; data = (u_char *)in; diff --git a/src/lib/crypto/krb/crypto_int.h b/src/lib/crypto/krb/crypto_int.h index d75b49c..e509929 100644 --- a/src/lib/crypto/krb/crypto_int.h +++ b/src/lib/crypto/krb/crypto_int.h @@ -111,6 +111,7 @@ struct krb5_keytypes { prf_func prf; krb5_cksumtype required_ctype; krb5_flags flags; + unsigned int ssf; }; #define ETYPE_WEAK 1 diff --git a/src/lib/crypto/krb/enctype_util.c b/src/lib/crypto/krb/enctype_util.c index 0ed74bd..b1b40e7 100644 --- a/src/lib/crypto/krb/enctype_util.c +++ b/src/lib/crypto/krb/enctype_util.c @@ -131,3 +131,19 @@ krb5_enctype_to_name(krb5_enctype enctype, krb5_boolean shortest, return ENOMEM; return 0; } + +/* The security of a mechanism cannot be summarized with a simple integer + * value, but we provide a per-enctype value for Cyrus SASL's SSF. */ +krb5_error_code +k5_enctype_to_ssf(krb5_enctype enctype, unsigned int *ssf_out) +{ + const struct krb5_keytypes *ktp; + + *ssf_out = 0; + + ktp = find_enctype(enctype); + if (ktp == NULL) + return EINVAL; + *ssf_out = ktp->ssf; + return 0; +} diff --git a/src/lib/crypto/krb/etypes.c b/src/lib/crypto/krb/etypes.c index 0e5e977..53d4a5c 100644 --- a/src/lib/crypto/krb/etypes.c +++ b/src/lib/crypto/krb/etypes.c @@ -42,7 +42,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_des_string_to_key, k5_rand2key_des, krb5int_des_prf, CKSUMTYPE_RSA_MD5_DES, - ETYPE_WEAK }, + ETYPE_WEAK, 56 }, { ENCTYPE_DES_CBC_MD4, "des-cbc-md4", { 0 }, "DES cbc mode with RSA-MD4", &krb5int_enc_des, &krb5int_hash_md4, @@ -51,7 +51,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_des_string_to_key, k5_rand2key_des, krb5int_des_prf, CKSUMTYPE_RSA_MD4_DES, - ETYPE_WEAK }, + ETYPE_WEAK, 56 }, { ENCTYPE_DES_CBC_MD5, "des-cbc-md5", { "des" }, "DES cbc mode with RSA-MD5", &krb5int_enc_des, &krb5int_hash_md5, @@ -60,7 +60,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_des_string_to_key, k5_rand2key_des, krb5int_des_prf, CKSUMTYPE_RSA_MD5_DES, - ETYPE_WEAK }, + ETYPE_WEAK, 56 }, { ENCTYPE_DES_CBC_RAW, "des-cbc-raw", { 0 }, "DES cbc mode raw", &krb5int_enc_des, NULL, @@ -69,7 +69,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_des_string_to_key, k5_rand2key_des, krb5int_des_prf, 0, - ETYPE_WEAK }, + ETYPE_WEAK, 56 }, { ENCTYPE_DES3_CBC_RAW, "des3-cbc-raw", { 0 }, "Triple DES cbc mode raw", &krb5int_enc_des3, NULL, @@ -78,7 +78,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_dk_string_to_key, k5_rand2key_des3, NULL, /*PRF*/ 0, - ETYPE_WEAK }, + ETYPE_WEAK, 112 }, { ENCTYPE_DES3_CBC_SHA1, "des3-cbc-sha1", { "des3-hmac-sha1", "des3-cbc-sha1-kd" }, @@ -89,7 +89,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_dk_string_to_key, k5_rand2key_des3, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_DES3, - 0 /*flags*/ }, + 0 /*flags*/, 112 }, { ENCTYPE_DES_HMAC_SHA1, "des-hmac-sha1", { 0 }, "DES with HMAC/sha1", @@ -99,7 +99,10 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_dk_string_to_key, k5_rand2key_des, NULL, /*PRF*/ 0, - ETYPE_WEAK }, + ETYPE_WEAK, 56 }, + + /* rc4-hmac uses a 128-bit key, but due to weaknesses in the RC4 cipher, we + * consider its strength degraded and assign it an SSF value of 64. */ { ENCTYPE_ARCFOUR_HMAC, "arcfour-hmac", { "rc4-hmac", "arcfour-hmac-md5" }, "ArcFour with HMAC/md5", @@ -110,7 +113,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, k5_rand2key_direct, krb5int_arcfour_prf, CKSUMTYPE_HMAC_MD5_ARCFOUR, - 0 /*flags*/ }, + 0 /*flags*/, 64 }, { ENCTYPE_ARCFOUR_HMAC_EXP, "arcfour-hmac-exp", { "rc4-hmac-exp", "arcfour-hmac-md5-exp" }, "Exportable ArcFour with HMAC/md5", @@ -121,7 +124,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_arcfour_decrypt, krb5int_arcfour_string_to_key, k5_rand2key_direct, krb5int_arcfour_prf, CKSUMTYPE_HMAC_MD5_ARCFOUR, - ETYPE_WEAK + ETYPE_WEAK, 40 }, { ENCTYPE_AES128_CTS_HMAC_SHA1_96, @@ -133,7 +136,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_aes_string_to_key, k5_rand2key_direct, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_96_AES128, - 0 /*flags*/ }, + 0 /*flags*/, 128 }, { ENCTYPE_AES256_CTS_HMAC_SHA1_96, "aes256-cts-hmac-sha1-96", { "aes256-cts", "aes256-sha1" }, "AES-256 CTS mode with 96-bit SHA-1 HMAC", @@ -143,7 +146,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_aes_string_to_key, k5_rand2key_direct, krb5int_dk_prf, CKSUMTYPE_HMAC_SHA1_96_AES256, - 0 /*flags*/ }, + 0 /*flags*/, 256 }, { ENCTYPE_CAMELLIA128_CTS_CMAC, "camellia128-cts-cmac", { "camellia128-cts" }, @@ -155,7 +158,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_camellia_string_to_key, k5_rand2key_direct, krb5int_dk_cmac_prf, CKSUMTYPE_CMAC_CAMELLIA128, - 0 /*flags*/ }, + 0 /*flags*/, 128 }, { ENCTYPE_CAMELLIA256_CTS_CMAC, "camellia256-cts-cmac", { "camellia256-cts" }, "Camellia-256 CTS mode with CMAC", @@ -166,7 +169,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_camellia_string_to_key, k5_rand2key_direct, krb5int_dk_cmac_prf, CKSUMTYPE_CMAC_CAMELLIA256, - 0 /*flags */ }, + 0 /*flags */, 256 }, { ENCTYPE_AES128_CTS_HMAC_SHA256_128, "aes128-cts-hmac-sha256-128", { "aes128-sha2" }, @@ -177,7 +180,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_aes2_string_to_key, k5_rand2key_direct, krb5int_aes2_prf, CKSUMTYPE_HMAC_SHA256_128_AES128, - 0 /*flags*/ }, + 0 /*flags*/, 128 }, { ENCTYPE_AES256_CTS_HMAC_SHA384_192, "aes256-cts-hmac-sha384-192", { "aes256-sha2" }, "AES-256 CTS mode with 192-bit SHA-384 HMAC", @@ -187,7 +190,7 @@ const struct krb5_keytypes krb5int_enctypes_list[] = { krb5int_aes2_string_to_key, k5_rand2key_direct, krb5int_aes2_prf, CKSUMTYPE_HMAC_SHA384_192_AES256, - 0 /*flags*/ }, + 0 /*flags*/, 256 }, }; const int krb5int_enctypes_length = diff --git a/src/lib/crypto/krb/keyblocks.c b/src/lib/crypto/krb/keyblocks.c index 98696f5..1126d0a 100644 --- a/src/lib/crypto/krb/keyblocks.c +++ b/src/lib/crypto/krb/keyblocks.c @@ -56,7 +56,7 @@ krb5int_c_init_keyblock(krb5_context context, krb5_enctype enctype, } void -krb5int_c_free_keyblock(krb5_context context, register krb5_keyblock *val) +krb5int_c_free_keyblock(krb5_context context, krb5_keyblock *val) { krb5int_c_free_keyblock_contents(context, val); free(val); diff --git a/src/lib/crypto/krb/nfold.c b/src/lib/crypto/krb/nfold.c index ea02fdd..75bceae 100644 --- a/src/lib/crypto/krb/nfold.c +++ b/src/lib/crypto/krb/nfold.c @@ -98,19 +98,9 @@ krb5int_nfold(unsigned int inbits, const unsigned char *in, unsigned int outbits byte += out[i%outbits]; out[i%outbits] = byte&0xff; -#if 0 - printf("msbit[%d] = %d\tbyte = %02x\tsum = %03x\n", i, msbit, - (((in[((inbits-1)-(msbit>>3))%inbits]<<8)| - (in[((inbits)-(msbit>>3))%inbits])) - >>((msbit&7)+1))&0xff, byte); -#endif - /* keep around the carry bit, if any */ byte >>= 8; -#if 0 - printf("carry=%d\n", byte); -#endif } /* if there's a carry bit left over, add it back in */ diff --git a/src/lib/crypto/krb/s2k_des.c b/src/lib/crypto/krb/s2k_des.c index 31a613b..d5c29be 100644 --- a/src/lib/crypto/krb/s2k_des.c +++ b/src/lib/crypto/krb/s2k_des.c @@ -509,7 +509,7 @@ des_s2k(const krb5_data *pw, const krb5_data *salt, unsigned char *key_out) #define FETCH4(VAR, IDX) VAR = temp.ui[IDX/4] #define PUT4(VAR, IDX) temp.ui[IDX/4] = VAR - copylen = pw->length + (salt ? salt->length : 0); + copylen = pw->length + salt->length; /* Don't need NUL termination, at this point we're treating it as a byte array, not a string. */ copy = malloc(copylen); @@ -517,7 +517,7 @@ des_s2k(const krb5_data *pw, const krb5_data *salt, unsigned char *key_out) return ENOMEM; if (pw->length > 0) memcpy(copy, pw->data, pw->length); - if (salt != NULL && salt->length > 0) + if (salt->length > 0) memcpy(copy + pw->length, salt->data, salt->length); memset(&temp, 0, sizeof(temp)); diff --git a/src/lib/crypto/krb/s2k_pbkdf2.c b/src/lib/crypto/krb/s2k_pbkdf2.c index ec5856c..1fea034 100644 --- a/src/lib/crypto/krb/s2k_pbkdf2.c +++ b/src/lib/crypto/krb/s2k_pbkdf2.c @@ -47,7 +47,7 @@ krb5int_dk_string_to_key(const struct krb5_keytypes *ktp, keybytes = ktp->enc->keybytes; keylength = ktp->enc->keylength; - concatlen = string->length + (salt ? salt->length : 0); + concatlen = string->length + salt->length; concat = k5alloc(concatlen, &ret); if (ret != 0) @@ -63,7 +63,7 @@ krb5int_dk_string_to_key(const struct krb5_keytypes *ktp, if (string->length > 0) memcpy(concat, string->data, string->length); - if (salt != NULL && salt->length > 0) + if (salt->length > 0) memcpy(concat + string->length, salt->data, salt->length); krb5int_nfold(concatlen*8, concat, keybytes*8, foldstring); diff --git a/src/lib/crypto/krb/s2k_rc4.c b/src/lib/crypto/krb/s2k_rc4.c index 7286637..f7e699d 100644 --- a/src/lib/crypto/krb/s2k_rc4.c +++ b/src/lib/crypto/krb/s2k_rc4.c @@ -24,8 +24,8 @@ krb5int_arcfour_string_to_key(const struct krb5_keytypes *ktp, utf8 = k5memdup0(string->data, string->length, &err); if (utf8 == NULL) return err; - err = krb5int_utf8s_to_ucs2les(utf8, ©str, ©strlen); - free(utf8); + err = k5_utf8_to_utf16le(utf8, ©str, ©strlen); + zapfree(utf8, string->length); if (err) return err; diff --git a/src/lib/crypto/krb/string_to_key.c b/src/lib/crypto/krb/string_to_key.c index b55ee75..352a8e8 100644 --- a/src/lib/crypto/krb/string_to_key.c +++ b/src/lib/crypto/krb/string_to_key.c @@ -43,6 +43,7 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, const krb5_data *params, krb5_keyblock *key) { krb5_error_code ret; + krb5_data empty = empty_data(); const struct krb5_keytypes *ktp; size_t keylength; @@ -51,8 +52,12 @@ krb5_c_string_to_key_with_params(krb5_context context, krb5_enctype enctype, return KRB5_BAD_ENCTYPE; keylength = ktp->enc->keylength; + /* For compatibility with past behavior, treat a null salt as empty. */ + if (salt == NULL) + salt = ∅ + /* Fail gracefully if someone is using the old AFS string-to-key hack. */ - if (salt != NULL && salt->length == SALT_TYPE_AFS_LENGTH) + if (salt->length == SALT_TYPE_AFS_LENGTH) return EINVAL; key->contents = malloc(keylength); diff --git a/src/lib/crypto/krb/t_fortuna.c b/src/lib/crypto/krb/t_fortuna.c index 4f25bee..508ffcf 100644 --- a/src/lib/crypto/krb/t_fortuna.c +++ b/src/lib/crypto/krb/t_fortuna.c @@ -85,7 +85,7 @@ head_tail_test(struct fortuna_state *st) { static unsigned char buffer[1024 * 1024]; unsigned char c; - size_t i, len = sizeof(buffer); + int i, len = sizeof(buffer); int bit, bits[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; double res; diff --git a/src/lib/crypto/libk5crypto.exports b/src/lib/crypto/libk5crypto.exports index 447e456..82eb5f3 100644 --- a/src/lib/crypto/libk5crypto.exports +++ b/src/lib/crypto/libk5crypto.exports @@ -108,3 +108,4 @@ krb5int_nfold k5_allow_weak_pbkdf2iter krb5_c_prfplus krb5_c_derive_prfplus +k5_enctype_to_ssf diff --git a/src/lib/crypto/openssl/sha256.c b/src/lib/crypto/openssl/sha256.c index fa095d4..0edd8b7 100644 --- a/src/lib/crypto/openssl/sha256.c +++ b/src/lib/crypto/openssl/sha256.c @@ -34,16 +34,18 @@ #include krb5_error_code -k5_sha256(const krb5_data *in, uint8_t out[K5_SHA256_HASHLEN]) +k5_sha256(const krb5_data *in, size_t n, uint8_t out[K5_SHA256_HASHLEN]) { EVP_MD_CTX *ctx; + size_t i; int ok; ctx = EVP_MD_CTX_new(); if (ctx == NULL) return ENOMEM; ok = EVP_DigestInit_ex(ctx, EVP_sha256(), NULL); - ok = ok && EVP_DigestUpdate(ctx, in->data, in->length); + for (i = 0; i < n; i++) + ok = ok && EVP_DigestUpdate(ctx, in[i].data, in[i].length); ok = ok && EVP_DigestFinal_ex(ctx, out, NULL); EVP_MD_CTX_free(ctx); return ok ? 0 : ENOMEM; diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin index 59cd93e..5049fbd 100644 --- a/src/lib/gssapi/generic/gssapi.hin +++ b/src/lib/gssapi/generic/gssapi.hin @@ -39,7 +39,7 @@ extern "C" { #endif /* __cplusplus */ -#if TARGET_OS_MAC +#if defined(TARGET_OS_MAC) && TARGET_OS_MAC # pragma pack(push,2) #endif @@ -816,7 +816,7 @@ gss_set_neg_mechs( gss_cred_id_t, /* cred_handle */ const gss_OID_set); /* mech_set */ -#if TARGET_OS_MAC +#if defined(TARGET_OS_MAC) && TARGET_OS_MAC # pragma pack(pop) #endif diff --git a/src/lib/gssapi/generic/gssapi_ext.h b/src/lib/gssapi/generic/gssapi_ext.h index 9ad4421..074a375 100644 --- a/src/lib/gssapi/generic/gssapi_ext.h +++ b/src/lib/gssapi/generic/gssapi_ext.h @@ -169,12 +169,31 @@ OM_uint32 KRB5_CALLCONV gss_set_sec_context_option const gss_OID /*desired_object*/, const gss_buffer_t /*value*/); +/* + * Export import cred extensions from GGF, but using Heimdal's signatures + */ +OM_uint32 KRB5_CALLCONV gss_export_cred + (OM_uint32 * /* minor_status */, + gss_cred_id_t /* cred_handle */, + gss_buffer_t /* token */); + +OM_uint32 KRB5_CALLCONV gss_import_cred + (OM_uint32 * /* minor_status */, + gss_buffer_t /* token */, + gss_cred_id_t * /* cred_handle */); + +/* + * Heimdal extension + */ OM_uint32 KRB5_CALLCONV gss_set_cred_option (OM_uint32 * /*minor_status*/, gss_cred_id_t * /*cred*/, const gss_OID /*desired_object*/, const gss_buffer_t /*value*/); +/* + * Call the given method on the given mechanism + */ OM_uint32 KRB5_CALLCONV gssspi_mech_invoke (OM_uint32 * /*minor_status*/, const gss_OID /*desired_mech*/, @@ -559,20 +578,19 @@ gss_store_cred_into( gss_OID_set *, /* elements_stored */ gss_cred_usage_t *); /* cred_usage_stored */ -OM_uint32 KRB5_CALLCONV -gss_export_cred( - OM_uint32 *, /* minor_status */ - gss_cred_id_t, /* cred_handle */ - gss_buffer_t); /* token */ - -OM_uint32 KRB5_CALLCONV -gss_import_cred( - OM_uint32 *, /* minor_status */ - gss_buffer_t, /* token */ - gss_cred_id_t *); /* cred_handle */ - #ifdef __cplusplus } #endif +/* + * When used with gss_inquire_sec_context_by_oid(), return a buffer set with + * the first member containing an unsigned 32-bit integer in network byte + * order. This is the Security Strength Factor (SSF) associated with the + * secure channel established by the security context. NOTE: This value is + * made available solely as an indication for use by APIs like Cyrus SASL that + * classify the strength of a secure channel via this number. The strength of + * a channel cannot necessarily be represented by a simple number. + */ +GSS_DLLIMP extern gss_OID GSS_C_SEC_CONTEXT_SASL_SSF; + #endif /* GSSAPI_EXT_H_ */ diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c index 5496aa3..fa144c2 100644 --- a/src/lib/gssapi/generic/gssapi_generic.c +++ b/src/lib/gssapi/generic/gssapi_generic.c @@ -157,6 +157,13 @@ static const gss_OID_desc const_oids[] = { {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x19"}, {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1a"}, {7, (void *)"\x2b\x06\x01\x05\x05\x0d\x1b"}, + + /* + * GSS_SEC_CONTEXT_SASL_SSF_OID 1.2.840.113554.1.2.2.5.15 + * iso(1) member-body(2) United States(840) mit(113554) + * infosys(1) gssapi(2) krb5(2) krb5-gssapi-ext(5) sasl-ssf(15) + */ + {11, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f"}, }; /* Here are the constants which point to the static structure above. @@ -218,6 +225,8 @@ GSS_DLLIMP gss_const_OID GSS_C_MA_PFS = oids+33; GSS_DLLIMP gss_const_OID GSS_C_MA_COMPRESS = oids+34; GSS_DLLIMP gss_const_OID GSS_C_MA_CTX_TRANS = oids+35; +GSS_DLLIMP gss_OID GSS_C_SEC_CONTEXT_SASL_SSF = oids+36; + static gss_OID_set_desc gss_ma_known_attrs_desc = { 27, oids+9 }; gss_OID_set gss_ma_known_attrs = &gss_ma_known_attrs_desc; diff --git a/src/lib/gssapi/generic/util_set.c b/src/lib/gssapi/generic/util_set.c index 8866f52..432a9ee 100644 --- a/src/lib/gssapi/generic/util_set.c +++ b/src/lib/gssapi/generic/util_set.c @@ -40,21 +40,6 @@ int g_set_init(g_set_elt *s) return(0); } -#if 0 -int g_set_destroy(g_set_elt *s) -{ - g_set next; - - while (*s) { - next = (*s)->next; - free(*s); - *s = next; - } - - return(0); -} -#endif - int g_set_entry_add(g_set_elt *s, void *key, void *value) { g_set_elt first; diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c index 580d08c..5baa6ce 100644 --- a/src/lib/gssapi/krb5/accept_sec_context.c +++ b/src/lib/gssapi/krb5/accept_sec_context.c @@ -351,8 +351,10 @@ kg_accept_dce(minor_status, context_handle, verifier_cred_handle, if (mech_type) *mech_type = ctx->mech_used; - if (time_rec) - *time_rec = ctx->krb_times.endtime + ctx->k5_context->clockskew - now; + if (time_rec) { + *time_rec = ts_delta(ctx->krb_times.endtime, now) + + ctx->k5_context->clockskew; + } /* Never return GSS_C_DELEG_FLAG since we don't support DCE credential * delegation yet. */ @@ -652,17 +654,6 @@ kg_accept_krb5(minor_status, context_handle, krb5_auth_con_getauthenticator(context, auth_context, &authdat); -#if 0 - /* make sure the necessary parts of the authdat are present */ - - if ((authdat->authenticator->subkey == NULL) || - (authdat->ticket->enc_part2 == NULL)) { - code = KG_NO_SUBKEY; - major_status = GSS_S_FAILURE; - goto fail; - } -#endif - if (authdat->checksum == NULL) { /* * Some SMB client implementations use handcrafted GSSAPI code that @@ -1146,7 +1137,7 @@ kg_accept_krb5(minor_status, context_handle, /* Add the maximum allowable clock skew as a grace period for context * expiration, just as we do for the ticket. */ if (time_rec) - *time_rec = ctx->krb_times.endtime + context->clockskew - now; + *time_rec = ts_delta(ctx->krb_times.endtime, now) + context->clockskew; if (ret_flags) *ret_flags = ctx->gss_flags; diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c index 03ee25e..362ba9d 100644 --- a/src/lib/gssapi/krb5/acquire_cred.c +++ b/src/lib/gssapi/krb5/acquire_cred.c @@ -550,7 +550,7 @@ set_refresh_time(krb5_context context, krb5_ccache ccache, char buf[128]; krb5_data d; - snprintf(buf, sizeof(buf), "%ld", (long)refresh_time); + snprintf(buf, sizeof(buf), "%u", (unsigned int)ts2tt(refresh_time)); d = string2data(buf); (void)krb5_cc_set_config(context, ccache, NULL, KRB5_CC_CONF_REFRESH_TIME, &d); @@ -566,8 +566,9 @@ kg_cred_time_to_refresh(krb5_context context, krb5_gss_cred_id_rec *cred) if (krb5_timeofday(context, &now)) return FALSE; - if (cred->refresh_time != 0 && now >= cred->refresh_time) { - set_refresh_time(context, cred->ccache, cred->refresh_time + 30); + if (cred->refresh_time != 0 && !ts_after(cred->refresh_time, now)) { + set_refresh_time(context, cred->ccache, + ts_incr(cred->refresh_time, 30)); return TRUE; } return FALSE; @@ -586,7 +587,8 @@ kg_cred_set_initial_refresh(krb5_context context, krb5_gss_cred_id_rec *cred, return; /* Make a note to refresh these when they are halfway to expired. */ - refresh = times->starttime + (times->endtime - times->starttime) / 2; + refresh = ts_incr(times->starttime, + ts_delta(times->endtime, times->starttime) / 2); set_refresh_time(context, cred->ccache, refresh); } @@ -848,7 +850,8 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status, GSS_C_NO_NAME); if (GSS_ERROR(ret)) goto error_out; - *time_rec = (cred->expire > now) ? (cred->expire - now) : 0; + *time_rec = ts_after(cred->expire, now) ? + ts_delta(cred->expire, now) : 0; k5_mutex_unlock(&cred->lock); } } diff --git a/src/lib/gssapi/krb5/context_time.c b/src/lib/gssapi/krb5/context_time.c index 4505932..1fdb5a1 100644 --- a/src/lib/gssapi/krb5/context_time.c +++ b/src/lib/gssapi/krb5/context_time.c @@ -51,7 +51,7 @@ krb5_gss_context_time(minor_status, context_handle, time_rec) return(GSS_S_FAILURE); } - lifetime = ctx->krb_times.endtime - now; + lifetime = ts_delta(ctx->krb_times.endtime, now); if (!ctx->initiate) lifetime += ctx->k5_context->clockskew; if (lifetime <= 0) { diff --git a/src/lib/gssapi/krb5/copy_ccache.c b/src/lib/gssapi/krb5/copy_ccache.c index f3d7666..027ed48 100644 --- a/src/lib/gssapi/krb5/copy_ccache.c +++ b/src/lib/gssapi/krb5/copy_ccache.c @@ -8,8 +8,6 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status, const gss_buffer_t value) { krb5_gss_cred_id_t k5creds; - krb5_cc_cursor cursor; - krb5_creds creds; krb5_error_code code; krb5_context context; krb5_ccache out_ccache; @@ -37,7 +35,7 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status, return GSS_S_FAILURE; } - code = krb5_cc_start_seq_get(context, k5creds->ccache, &cursor); + code = krb5_cc_copy_creds(context, k5creds->ccache, out_ccache); if (code) { k5_mutex_unlock(&k5creds->lock); *minor_status = code; @@ -45,12 +43,6 @@ gss_krb5int_copy_ccache(OM_uint32 *minor_status, krb5_free_context(context); return(GSS_S_FAILURE); } - while (!code && !krb5_cc_next_cred(context, k5creds->ccache, &cursor, - &creds)) { - code = krb5_cc_store_cred(context, out_ccache, &creds); - krb5_free_cred_contents(context, &creds); - } - krb5_cc_end_seq_get(context, k5creds->ccache, &cursor); k5_mutex_unlock(&k5creds->lock); *minor_status = code; if (code) diff --git a/src/lib/gssapi/krb5/export_cred.c b/src/lib/gssapi/krb5/export_cred.c index 652b260..8054e4a 100644 --- a/src/lib/gssapi/krb5/export_cred.c +++ b/src/lib/gssapi/krb5/export_cred.c @@ -410,10 +410,11 @@ json_kgcred(krb5_context context, krb5_gss_cred_id_t cred, if (ret) goto cleanup; - ret = k5_json_array_fmt(&array, "ivvbbvvvvbiivs", cred->usage, name, imp, + ret = k5_json_array_fmt(&array, "ivvbbvvvvbLLvs", cred->usage, name, imp, cred->default_identity, cred->iakerb_mech, keytab, rcache, ccache, ckeytab, cred->have_tgt, - cred->expire, cred->refresh_time, etypes, + (long long)ts2tt(cred->expire), + (long long)ts2tt(cred->refresh_time), etypes, cred->password); if (ret) goto cleanup; diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h index d7bdef7..e92be88 100644 --- a/src/lib/gssapi/krb5/gssapiP_krb5.h +++ b/src/lib/gssapi/krb5/gssapiP_krb5.h @@ -1144,6 +1144,12 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *, const gss_OID, gss_buffer_set_t *); +#define GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH 11 +#define GET_SEC_CONTEXT_SASL_SSF_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0f" +OM_uint32 +gss_krb5int_sec_context_sasl_ssf(OM_uint32 *, const gss_ctx_id_t, + const gss_OID, gss_buffer_set_t *); + #define GSS_KRB5_IMPORT_CRED_OID_LENGTH 11 #define GSS_KRB5_IMPORT_CRED_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0d" @@ -1425,4 +1431,10 @@ iakerb_gss_pseudo_random(OM_uint32 *minor_status, gss_ctx_id_t context_handle, * the format changes. */ #define CRED_EXPORT_MAGIC "K5C1" +OM_uint32 +gss_krb5int_get_cred_impersonator(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set); + #endif /* _GSSAPIP_KRB5_H_ */ diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c index 99092cc..79b83e0 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.c +++ b/src/lib/gssapi/krb5/gssapi_krb5.c @@ -126,6 +126,8 @@ #define NO_CI_FLAGS_X_OID_LENGTH 6 #define NO_CI_FLAGS_X_OID "\x2a\x85\x70\x2b\x0d\x1d" +#define GET_CRED_IMPERSONATOR_OID_LENGTH 11 +#define GET_CRED_IMPERSONATOR_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e" const gss_OID_desc krb5_gss_oid_array[] = { /* this is the official, rfc-specified OID */ @@ -148,6 +150,10 @@ const gss_OID_desc krb5_gss_oid_array[] = { /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */ {10, "\052\206\110\206\367\022\001\002\002\002"}, {NO_CI_FLAGS_X_OID_LENGTH, NO_CI_FLAGS_X_OID}, + /* this is an inquire cred OID */ + {GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID}, + /* GSS_KRB5_NT_ENTERPRISE_NAME */ + {10, "\052\206\110\206\367\022\001\002\002\006"}, { 0, 0 } }; @@ -164,6 +170,8 @@ const gss_OID gss_nt_krb5_principal = &kg_oids[6]; const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &kg_oids[5]; const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &kg_oids[7]; +const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR = &kg_oids[8]; +const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME = &kg_oids[9]; static const gss_OID_set_desc oidsets[] = { {1, &kg_oids[0]}, /* RFC OID */ @@ -352,6 +360,10 @@ static struct { { {GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID_LENGTH, GSS_KRB5_EXTRACT_AUTHTIME_FROM_SEC_CONTEXT_OID}, gss_krb5int_extract_authtime_from_sec_context + }, + { + {GET_SEC_CONTEXT_SASL_SSF_OID_LENGTH, GET_SEC_CONTEXT_SASL_SSF_OID}, + gss_krb5int_sec_context_sasl_ssf } }; @@ -400,13 +412,16 @@ krb5_gss_inquire_sec_context_by_oid (OM_uint32 *minor_status, /* * gss_inquire_cred_by_oid() methods */ -#if 0 + static struct { gss_OID_desc oid; OM_uint32 (*func)(OM_uint32 *, const gss_cred_id_t, const gss_OID, gss_buffer_set_t *); } krb5_gss_inquire_cred_by_oid_ops[] = { + { + {GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID}, + gss_krb5int_get_cred_impersonator + } }; -#endif static OM_uint32 KRB5_CALLCONV krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, @@ -415,9 +430,7 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, gss_buffer_set_t *data_set) { OM_uint32 major_status = GSS_S_FAILURE; -#if 0 size_t i; -#endif if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -440,7 +453,6 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, if (GSS_ERROR(major_status)) return major_status; -#if 0 for (i = 0; i < sizeof(krb5_gss_inquire_cred_by_oid_ops)/ sizeof(krb5_gss_inquire_cred_by_oid_ops[0]); i++) { if (g_OID_prefix_equal(desired_object, &krb5_gss_inquire_cred_by_oid_ops[i].oid)) { @@ -450,35 +462,18 @@ krb5_gss_inquire_cred_by_oid(OM_uint32 *minor_status, data_set); } } -#endif *minor_status = EINVAL; return GSS_S_UNAVAILABLE; } -/* - * gss_set_sec_context_option() methods - * (Disabled until we have something to populate the array.) - */ -#if 0 -static struct { - gss_OID_desc oid; - OM_uint32 (*func)(OM_uint32 *, gss_ctx_id_t *, const gss_OID, const gss_buffer_t); -} krb5_gss_set_sec_context_option_ops[] = { -}; -#endif - OM_uint32 KRB5_CALLCONV krb5_gss_set_sec_context_option (OM_uint32 *minor_status, gss_ctx_id_t *context_handle, const gss_OID desired_object, const gss_buffer_t value) { -#if 0 - size_t i; -#endif - if (minor_status == NULL) return GSS_S_CALL_INACCESSIBLE_WRITE; @@ -490,18 +485,6 @@ krb5_gss_set_sec_context_option (OM_uint32 *minor_status, if (desired_object == GSS_C_NO_OID) return GSS_S_CALL_INACCESSIBLE_READ; -#if 0 - for (i = 0; i < sizeof(krb5_gss_set_sec_context_option_ops)/ - sizeof(krb5_gss_set_sec_context_option_ops[0]); i++) { - if (g_OID_prefix_equal(desired_object, &krb5_gss_set_sec_context_option_ops[i].oid)) { - return (*krb5_gss_set_sec_context_option_ops[i].func)(minor_status, - context_handle, - desired_object, - value); - } - } -#endif - *minor_status = EINVAL; return GSS_S_UNAVAILABLE; diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h index 390b000..84b4159 100644 --- a/src/lib/gssapi/krb5/gssapi_krb5.h +++ b/src/lib/gssapi/krb5/gssapi_krb5.h @@ -73,6 +73,11 @@ GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME; * generic(1) string_uid_name(3)}. The recommended symbolic name for * this type is "GSS_KRB5_NT_STRING_UID_NAME". */ +/* Kerberos Enterprise Name Form (see RFC 6806 section 5): */ +GSS_DLLIMP extern const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME; +/* {iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5-enterprise-name(6)}. */ + GSS_DLLIMP extern const gss_OID gss_mech_krb5; GSS_DLLIMP extern const gss_OID gss_mech_krb5_old; GSS_DLLIMP extern const gss_OID gss_mech_krb5_wrong; @@ -96,6 +101,15 @@ GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[]; */ GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X; +/* + * This OID can be used with gss_inquire_cred_by_oid(0 to retrieve the + * impersonator name (if any). + * + * iso(1) member-body(2) United States(840) mit(113554) infosys(1) gssapi(2) + * krb5(2) krb5-gssapi-ext(5) get-cred-impersonator(14) + */ +GSS_DLLIMP extern const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR; + #define gss_krb5_nt_general_name gss_nt_krb5_name #define gss_krb5_nt_principal gss_nt_krb5_principal #define gss_krb5_nt_service_name gss_nt_service_name @@ -169,6 +183,11 @@ OM_uint32 KRB5_CALLCONV gss_krb5_get_tkt_flags( gss_ctx_id_t context_handle, krb5_flags *ticket_flags); +/* + * Copy krb5 creds from cred_handle into out_ccache, which must already be + * initialized. Use gss_store_cred_into() (new in krb5 1.11) instead, if + * possible. + */ OM_uint32 KRB5_CALLCONV gss_krb5_copy_ccache( OM_uint32 *minor_status, gss_cred_id_t cred_handle, diff --git a/src/lib/gssapi/krb5/iakerb.c b/src/lib/gssapi/krb5/iakerb.c index 2dc4d0c..bb1072f 100644 --- a/src/lib/gssapi/krb5/iakerb.c +++ b/src/lib/gssapi/krb5/iakerb.c @@ -494,7 +494,7 @@ iakerb_tkt_creds_ctx(iakerb_ctx_id_t ctx, if (code != 0) goto cleanup; - creds.times.endtime = now + time_req; + creds.times.endtime = ts_incr(now, time_req); } if (cred->name->ad_context != NULL) { @@ -669,7 +669,7 @@ iakerb_get_initial_state(iakerb_ctx_id_t ctx, if (code != 0) goto cleanup; - in_creds.times.endtime = now + time_req; + in_creds.times.endtime = ts_incr(now, time_req); } /* Make an AS request if we have no creds or it's time to refresh them. */ diff --git a/src/lib/gssapi/krb5/import_name.c b/src/lib/gssapi/krb5/import_name.c index 3f5492b..da2ab14 100644 --- a/src/lib/gssapi/krb5/import_name.c +++ b/src/lib/gssapi/krb5/import_name.c @@ -140,6 +140,7 @@ krb5_gss_import_name(minor_status, input_name_buffer, krb5_authdata_context ad_context = NULL; OM_uint32 status = GSS_S_FAILURE; krb5_gss_name_t name; + int flags = 0; *output_name = NULL; *minor_status = 0; @@ -206,7 +207,10 @@ krb5_gss_import_name(minor_status, input_name_buffer, if ((input_name_type == GSS_C_NULL_OID) || g_OID_equal(input_name_type, gss_nt_krb5_name) || g_OID_equal(input_name_type, gss_nt_user_name)) { - stringrep = (char *) tmp; + stringrep = tmp; + } else if (g_OID_equal(input_name_type, GSS_KRB5_NT_ENTERPRISE_NAME)) { + stringrep = tmp; + flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE; #ifndef NO_PASSWORD } else if (g_OID_equal(input_name_type, gss_nt_machine_uid_name)) { uid = *(uid_t *) input_name_buffer->value; @@ -296,7 +300,7 @@ krb5_gss_import_name(minor_status, input_name_buffer, /* At this point, stringrep is set, or if not, code is. */ if (stringrep) { - code = krb5_parse_name(context, (char *)stringrep, &princ); + code = krb5_parse_name_flags(context, stringrep, flags, &princ); if (code) goto cleanup; } else { diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c index 2a7467f..1be1b58 100644 --- a/src/lib/gssapi/krb5/init_sec_context.c +++ b/src/lib/gssapi/krb5/init_sec_context.c @@ -214,7 +214,8 @@ static krb5_error_code get_credentials(context, cred, server, now, * boundaries) because accept_sec_context code is also similarly * non-forgiving. */ - if (!krb5_gss_dbg_client_expcreds && result_creds->times.endtime < now) { + if (!krb5_gss_dbg_client_expcreds && + ts_after(now, result_creds->times.endtime)) { code = KRB5KRB_AP_ERR_TKT_EXPIRED; goto cleanup; } @@ -573,7 +574,7 @@ kg_new_connection( if (time_req == 0 || time_req == GSS_C_INDEFINITE) { ctx->krb_times.endtime = 0; } else { - ctx->krb_times.endtime = now + time_req; + ctx->krb_times.endtime = ts_incr(now, time_req); } if ((code = kg_duplicate_name(context, cred->name, &ctx->here))) @@ -657,7 +658,7 @@ kg_new_connection( if (time_rec) { if ((code = krb5_timeofday(context, &now))) goto cleanup; - *time_rec = ctx->krb_times.endtime - now; + *time_rec = ts_delta(ctx->krb_times.endtime, now); } /* set the other returns */ @@ -871,7 +872,7 @@ mutual_auth( if (time_rec) { if ((code = krb5_timeofday(context, &now))) goto fail; - *time_rec = ctx->krb_times.endtime - now; + *time_rec = ts_delta(ctx->krb_times.endtime, now); } if (ret_flags) diff --git a/src/lib/gssapi/krb5/inq_context.c b/src/lib/gssapi/krb5/inq_context.c index 9024b3c..cac024d 100644 --- a/src/lib/gssapi/krb5/inq_context.c +++ b/src/lib/gssapi/krb5/inq_context.c @@ -120,7 +120,7 @@ krb5_gss_inquire_context(minor_status, context_handle, initiator_name, /* Add the maximum allowable clock skew as a grace period for context * expiration, just as we do for the ticket during authentication. */ - lifetime = ctx->krb_times.endtime - now; + lifetime = ts_delta(ctx->krb_times.endtime, now); if (!ctx->initiate) lifetime += context->clockskew; if (lifetime < 0) @@ -310,3 +310,30 @@ gss_krb5int_extract_authtime_from_sec_context(OM_uint32 *minor_status, return generic_gss_add_buffer_set_member(minor_status, &rep, data_set); } + +OM_uint32 +gss_krb5int_sec_context_sasl_ssf(OM_uint32 *minor_status, + const gss_ctx_id_t context_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + krb5_gss_ctx_id_rec *ctx; + krb5_key key; + krb5_error_code code; + gss_buffer_desc ssfbuf; + unsigned int ssf; + uint8_t buf[4]; + + ctx = (krb5_gss_ctx_id_rec *)context_handle; + key = ctx->have_acceptor_subkey ? ctx->acceptor_subkey : ctx->subkey; + + code = k5_enctype_to_ssf(key->keyblock.enctype, &ssf); + if (code) + return GSS_S_FAILURE; + + store_32_be(ssf, buf); + ssfbuf.value = buf; + ssfbuf.length = sizeof(buf); + + return generic_gss_add_buffer_set_member(minor_status, &ssfbuf, data_set); +} diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c index 4e35a05..a8f2541 100644 --- a/src/lib/gssapi/krb5/inq_cred.c +++ b/src/lib/gssapi/krb5/inq_cred.c @@ -90,7 +90,7 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, krb5_deltat lifetime; krb5_gss_name_t ret_name; krb5_principal princ; - gss_OID_set mechs; + gss_OID_set mechs = GSS_C_NO_OID_SET; OM_uint32 major, tmpmin, ret; ret = GSS_S_FAILURE; @@ -130,8 +130,9 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, goto fail; } - if (cred->expire > 0) { - if ((lifetime = cred->expire - now) < 0) + if (cred->expire != 0) { + lifetime = ts_delta(cred->expire, now); + if (lifetime < 0) lifetime = 0; } else @@ -191,8 +192,10 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret, *cred_usage = cred->usage; k5_mutex_unlock(&cred->lock); - if (mechanisms) + if (mechanisms) { *mechanisms = mechs; + mechs = GSS_C_NO_OID_SET; + } if (cred_handle == GSS_C_NO_CREDENTIAL) krb5_gss_release_cred(minor_status, (gss_cred_id_t *)&cred); @@ -204,6 +207,7 @@ fail: k5_mutex_unlock(&cred->lock); krb5_gss_release_cred(&tmpmin, &defcred); krb5_free_context(context); + (void)generic_gss_release_oid_set(&tmpmin, &mechs); return ret; } @@ -245,3 +249,44 @@ krb5_gss_inquire_cred_by_mech(minor_status, cred_handle, } return(mstat); } + +OM_uint32 +gss_krb5int_get_cred_impersonator(OM_uint32 *minor_status, + const gss_cred_id_t cred_handle, + const gss_OID desired_object, + gss_buffer_set_t *data_set) +{ + krb5_gss_cred_id_t cred = (krb5_gss_cred_id_t)cred_handle; + gss_buffer_desc rep = GSS_C_EMPTY_BUFFER; + krb5_context context = NULL; + char *impersonator = NULL; + krb5_error_code ret; + OM_uint32 major; + + *data_set = GSS_C_NO_BUFFER_SET; + + /* Return an empty buffer set if no impersonator is present */ + if (cred->impersonator == NULL) + return generic_gss_create_empty_buffer_set(minor_status, data_set); + + ret = krb5_gss_init_context(&context); + if (ret) { + *minor_status = ret; + return GSS_S_FAILURE; + } + + ret = krb5_unparse_name(context, cred->impersonator, &impersonator); + if (ret) { + krb5_free_context(context); + *minor_status = ret; + return GSS_S_FAILURE; + } + + rep.value = impersonator; + rep.length = strlen(impersonator); + major = generic_gss_add_buffer_set_member(minor_status, &rep, data_set); + + krb5_free_unparsed_name(context, impersonator); + krb5_free_context(context); + return major; +} diff --git a/src/lib/gssapi/krb5/k5sealv3.c b/src/lib/gssapi/krb5/k5sealv3.c index 1a5c14c..25d9f27 100644 --- a/src/lib/gssapi/krb5/k5sealv3.c +++ b/src/lib/gssapi/krb5/k5sealv3.c @@ -110,6 +110,7 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, krb5_data plain; krb5_enc_data cipher; size_t ec_max; + size_t encrypt_size; /* 300: Adds some slop. */ if (SIZE_MAX - 300 < message->length) @@ -128,7 +129,12 @@ gss_krb5int_make_seal_token_v3 (krb5_context context, return err; /* Get size of ciphertext. */ - bufsize = 16 + krb5_encrypt_size (plain.length, key->keyblock.enctype); + encrypt_size = krb5_encrypt_size(plain.length, key->keyblock.enctype); + if (encrypt_size > SIZE_MAX / 2) { + err = ENOMEM; + goto error; + } + bufsize = 16 + encrypt_size; /* Allocate space for header plus encrypted data. */ outbuf = gssalloc_malloc(bufsize); if (outbuf == NULL) { @@ -301,7 +307,7 @@ gss_krb5int_unseal_token_v3(krb5_context *contextptr, int *conf_state, gss_qop_t *qop_state, int toktype) { krb5_context context = *contextptr; - krb5_data plain; + krb5_data plain = empty_data(); uint64_t seqnum; size_t ec, rrc; int key_usage; diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c index 26a2d33..57720c2 100644 --- a/src/lib/gssapi/krb5/k5unseal.c +++ b/src/lib/gssapi/krb5/k5unseal.c @@ -219,7 +219,7 @@ kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer, plainlen = tmsglen; conflen = kg_confounder_size(context, ctx->enc->keyblock.enctype); - if (tmsglen < conflen) { + if (tmsglen < (size_t)conflen) { if (sealalg != 0xffff) xfree(plain); *minor_status = 0; diff --git a/src/lib/gssapi/krb5/naming_exts.c b/src/lib/gssapi/krb5/naming_exts.c index 0edb4b8..41752d9 100644 --- a/src/lib/gssapi/krb5/naming_exts.c +++ b/src/lib/gssapi/krb5/naming_exts.c @@ -261,8 +261,7 @@ krb5_gss_inquire_name(OM_uint32 *minor_status, krb5_gss_name_t kname; krb5_data *kattrs = NULL; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; if (attrs != NULL) *attrs = GSS_C_NO_BUFFER_SET; @@ -322,8 +321,7 @@ krb5_gss_get_name_attribute(OM_uint32 *minor_status, krb5_data kvalue = empty_data(); krb5_data kdisplay_value = empty_data(); - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -393,8 +391,7 @@ krb5_gss_set_name_attribute(OM_uint32 *minor_status, krb5_data kattr; krb5_data kvalue; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -443,8 +440,7 @@ krb5_gss_delete_name_attribute(OM_uint32 *minor_status, krb5_gss_name_t kname; krb5_data kattr; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -490,8 +486,7 @@ krb5_gss_map_name_to_any(OM_uint32 *minor_status, krb5_gss_name_t kname; char *kmodule; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -542,8 +537,7 @@ krb5_gss_release_any_name_mapping(OM_uint32 *minor_status, krb5_gss_name_t kname; char *kmodule; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -598,8 +592,7 @@ krb5_gss_export_name_composite(OM_uint32 *minor_status, unsigned char *cp; size_t princlen; - if (minor_status != NULL) - *minor_status = 0; + *minor_status = 0; code = krb5_gss_init_context(&context); if (code != 0) { @@ -671,13 +664,3 @@ cleanup: return kg_map_name_error(minor_status, code); } - -#if 0 -OM_uint32 -krb5_gss_display_name_ext(OM_uint32 *minor_status, - gss_name_t name, - gss_OID display_as_name_type, - gss_buffer_t display_name) -{ -} -#endif diff --git a/src/lib/gssapi/krb5/s4u_gss_glue.c b/src/lib/gssapi/krb5/s4u_gss_glue.c index ff1c310..10848c1 100644 --- a/src/lib/gssapi/krb5/s4u_gss_glue.c +++ b/src/lib/gssapi/krb5/s4u_gss_glue.c @@ -284,7 +284,7 @@ kg_compose_deleg_cred(OM_uint32 *minor_status, if (code != 0) goto cleanup; - *time_rec = cred->expire - now; + *time_rec = ts_delta(cred->expire, now); } major_status = GSS_S_COMPLETE; diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports index 9facb3f..c292cb1 100644 --- a/src/lib/gssapi/libgssapi_krb5.exports +++ b/src/lib/gssapi/libgssapi_krb5.exports @@ -9,7 +9,9 @@ GSS_C_NT_MACHINE_UID_NAME GSS_C_NT_STRING_UID_NAME GSS_C_NT_USER_NAME GSS_KRB5_NT_PRINCIPAL_NAME +GSS_KRB5_NT_ENTERPRISE_NAME GSS_KRB5_CRED_NO_CI_FLAGS_X +GSS_KRB5_GET_CRED_IMPERSONATOR GSS_C_MA_MECH_CONCRETE GSS_C_MA_MECH_PSEUDO GSS_C_MA_MECH_COMPOSITE @@ -37,6 +39,7 @@ GSS_C_MA_CBINDINGS GSS_C_MA_PFS GSS_C_MA_COMPRESS GSS_C_MA_CTX_TRANS +GSS_C_SEC_CONTEXT_SASL_SSF gss_accept_sec_context gss_acquire_cred gss_acquire_cred_with_password diff --git a/src/lib/gssapi/mechglue/g_acquire_cred.c b/src/lib/gssapi/mechglue/g_acquire_cred.c index 9bd500b..f03ab9e 100644 --- a/src/lib/gssapi/mechglue/g_acquire_cred.c +++ b/src/lib/gssapi/mechglue/g_acquire_cred.c @@ -308,6 +308,92 @@ val_add_cred_args( return (GSS_S_COMPLETE); } +/* Copy a mechanism credential (with the mechanism given by mech_oid) as + * faithfully as possible. */ +static OM_uint32 +copy_mech_cred(OM_uint32 *minor_status, gss_cred_id_t cred_in, + gss_OID mech_oid, gss_cred_id_t *cred_out) +{ + OM_uint32 status, tmpmin; + gss_mechanism mech; + gss_buffer_desc buf; + gss_name_t name; + OM_uint32 life; + gss_cred_usage_t usage; + gss_OID_set_desc oidset; + + mech = gssint_get_mechanism(mech_oid); + if (mech == NULL) + return (GSS_S_BAD_MECH); + if (mech->gss_export_cred != NULL && mech->gss_import_cred != NULL) { + status = mech->gss_export_cred(minor_status, cred_in, &buf); + if (status != GSS_S_COMPLETE) + return (status); + status = mech->gss_import_cred(minor_status, &buf, cred_out); + (void) gss_release_buffer(&tmpmin, &buf); + } else if (mech->gss_inquire_cred != NULL && + mech->gss_acquire_cred != NULL) { + status = mech->gss_inquire_cred(minor_status, cred_in, &name, &life, + &usage, NULL); + if (status != GSS_S_COMPLETE) + return (status); + oidset.count = 1; + oidset.elements = gssint_get_public_oid(mech_oid); + status = mech->gss_acquire_cred(minor_status, name, life, &oidset, + usage, cred_out, NULL, NULL); + gss_release_name(&tmpmin, &name); + } else { + status = GSS_S_UNAVAILABLE; + } + return (status); +} + +/* Copy a union credential from cred_in to *cred_out. */ +static OM_uint32 +copy_union_cred(OM_uint32 *minor_status, gss_cred_id_t cred_in, + gss_union_cred_t *cred_out) +{ + OM_uint32 status, tmpmin; + gss_union_cred_t cred = (gss_union_cred_t)cred_in; + gss_union_cred_t ncred = NULL; + gss_cred_id_t tmpcred; + int i; + + ncred = calloc(1, sizeof (*ncred)); + if (ncred == NULL) + goto oom; + ncred->mechs_array = calloc(cred->count, sizeof (*ncred->mechs_array)); + ncred->cred_array = calloc(cred->count, sizeof (*ncred->cred_array)); + if (ncred->mechs_array == NULL || ncred->cred_array == NULL) + goto oom; + ncred->count = cred->count; + + for (i = 0; i < cred->count; i++) { + /* Copy this element's mechanism OID. */ + ncred->mechs_array[i].elements = malloc(cred->mechs_array[i].length); + if (ncred->mechs_array[i].elements == NULL) + goto oom; + g_OID_copy(&ncred->mechs_array[i], &cred->mechs_array[i]); + + /* Copy this element's mechanism cred. */ + status = copy_mech_cred(minor_status, cred->cred_array[i], + &cred->mechs_array[i], &ncred->cred_array[i]); + if (status != GSS_S_COMPLETE) + goto error; + } + + ncred->loopback = ncred; + *cred_out = ncred; + return GSS_S_COMPLETE; + +oom: + status = GSS_S_FAILURE; + *minor_status = ENOMEM; +error: + tmpcred = (gss_cred_id_t)ncred; + (void) gss_release_cred(&tmpmin, &tmpcred); + return status; +} /* V2 KRB5_CALLCONV */ OM_uint32 KRB5_CALLCONV @@ -359,14 +445,13 @@ gss_add_cred_from(minor_status, input_cred_handle, OM_uint32 status, temp_minor_status; OM_uint32 time_req, time_rec = 0, *time_recp = NULL; gss_union_name_t union_name; - gss_union_cred_t new_union_cred, union_cred; + gss_union_cred_t union_cred; gss_name_t internal_name = GSS_C_NO_NAME; gss_name_t allocated_name = GSS_C_NO_NAME; gss_mechanism mech; - gss_cred_id_t cred = NULL; - gss_OID new_mechs_array = NULL; - gss_cred_id_t * new_cred_array = NULL; - gss_OID_set target_mechs = GSS_C_NO_OID_SET; + gss_cred_id_t cred = NULL, tmpcred; + void *newptr, *oidbuf = NULL; + gss_OID_set_desc target_mechs; gss_OID selected_mech = GSS_C_NO_OID; status = val_add_cred_args(minor_status, @@ -396,34 +481,41 @@ gss_add_cred_from(minor_status, input_cred_handle, return (GSS_S_UNAVAILABLE); if (input_cred_handle == GSS_C_NO_CREDENTIAL) { + /* Create a new credential handle. */ union_cred = malloc(sizeof (gss_union_cred_desc)); if (union_cred == NULL) return (GSS_S_FAILURE); (void) memset(union_cred, 0, sizeof (gss_union_cred_desc)); - } else { + union_cred->loopback = union_cred; + } else if (output_cred_handle == NULL) { + /* Add to the existing handle. */ union_cred = (gss_union_cred_t)input_cred_handle; if (gssint_get_mechanism_cred(union_cred, selected_mech) != GSS_C_NO_CREDENTIAL) return (GSS_S_DUPLICATE_ELEMENT); + } else { + /* Create a new credential handle with the mechanism credentials of the + * input handle plus the acquired mechanism credential. */ + status = copy_union_cred(minor_status, input_cred_handle, &union_cred); + if (status != GSS_S_COMPLETE) + return (status); } - /* for default credentials we will use GSS_C_NO_NAME */ - if (input_cred_handle != GSS_C_NO_CREDENTIAL || - cred_store != GSS_C_NO_CRED_STORE) { - /* may need to create a mechanism specific name */ - if (desired_name) { - union_name = (gss_union_name_t)desired_name; - if (union_name->mech_type && - g_OID_equal(union_name->mech_type, selected_mech)) - internal_name = union_name->mech_name; - else { - if (gssint_import_internal_name(minor_status, selected_mech, - union_name, &allocated_name) != - GSS_S_COMPLETE) - return (GSS_S_BAD_NAME); - internal_name = allocated_name; + /* We may need to create a mechanism specific name. */ + if (desired_name != GSS_C_NO_NAME) { + union_name = (gss_union_name_t)desired_name; + if (union_name->mech_type && + g_OID_equal(union_name->mech_type, selected_mech)) { + internal_name = union_name->mech_name; + } else { + if (gssint_import_internal_name(minor_status, selected_mech, + union_name, &allocated_name) != + GSS_S_COMPLETE) { + status = GSS_S_BAD_NAME; + goto errout; } + internal_name = allocated_name; } } @@ -438,30 +530,28 @@ gss_add_cred_from(minor_status, input_cred_handle, else time_req = 0; - status = gss_create_empty_oid_set(minor_status, &target_mechs); - if (status != GSS_S_COMPLETE) - goto errout; - - status = gss_add_oid_set_member(minor_status, - gssint_get_public_oid(selected_mech), - &target_mechs); - if (status != GSS_S_COMPLETE) + target_mechs.count = 1; + target_mechs.elements = gssint_get_public_oid(selected_mech); + if (target_mechs.elements == NULL) { + status = GSS_S_FAILURE; goto errout; + } if (initiator_time_rec != NULL || acceptor_time_rec != NULL) time_recp = &time_rec; if (mech->gss_acquire_cred_from) { status = mech->gss_acquire_cred_from(minor_status, internal_name, - time_req, target_mechs, + time_req, &target_mechs, cred_usage, cred_store, &cred, NULL, time_recp); } else if (cred_store == GSS_C_NO_CRED_STORE) { status = mech->gss_acquire_cred(minor_status, internal_name, time_req, - target_mechs, cred_usage, &cred, NULL, + &target_mechs, cred_usage, &cred, NULL, time_recp); } else { - return GSS_S_UNAVAILABLE; + status = GSS_S_UNAVAILABLE; + goto errout; } if (status != GSS_S_COMPLETE) { @@ -469,17 +559,23 @@ gss_add_cred_from(minor_status, input_cred_handle, goto errout; } - /* now add the new credential elements */ - new_mechs_array = (gss_OID) - malloc(sizeof (gss_OID_desc) * (union_cred->count+1)); + /* Extend the arrays in the union cred. */ - new_cred_array = (gss_cred_id_t *) - malloc(sizeof (gss_cred_id_t) * (union_cred->count+1)); + newptr = realloc(union_cred->mechs_array, + (union_cred->count + 1) * sizeof (gss_OID_desc)); + if (newptr == NULL) { + status = GSS_S_FAILURE; + goto errout; + } + union_cred->mechs_array = newptr; - if (!new_mechs_array || !new_cred_array) { + newptr = realloc(union_cred->cred_array, + (union_cred->count + 1) * sizeof (gss_cred_id_t)); + if (newptr == NULL) { status = GSS_S_FAILURE; goto errout; } + union_cred->cred_array = newptr; if (acceptor_time_rec) if (cred_usage == GSS_C_ACCEPT || cred_usage == GSS_C_BOTH) @@ -488,49 +584,25 @@ gss_add_cred_from(minor_status, input_cred_handle, if (cred_usage == GSS_C_INITIATE || cred_usage == GSS_C_BOTH) *initiator_time_rec = time_rec; - /* - * OK, expand the mechanism array and the credential array - */ - (void) memcpy(new_mechs_array, union_cred->mechs_array, - sizeof (gss_OID_desc) * union_cred->count); - (void) memcpy(new_cred_array, union_cred->cred_array, - sizeof (gss_cred_id_t) * union_cred->count); - - new_cred_array[union_cred->count] = cred; - if ((new_mechs_array[union_cred->count].elements = - malloc(selected_mech->length)) == NULL) + oidbuf = malloc(selected_mech->length); + if (oidbuf == NULL) goto errout; - - g_OID_copy(&new_mechs_array[union_cred->count], selected_mech); + union_cred->mechs_array[union_cred->count].elements = oidbuf; + g_OID_copy(&union_cred->mechs_array[union_cred->count], selected_mech); if (actual_mechs != NULL) { - status = gssint_make_public_oid_set(minor_status, new_mechs_array, + status = gssint_make_public_oid_set(minor_status, + union_cred->mechs_array, union_cred->count + 1, actual_mechs); - if (GSS_ERROR(status)) { - free(new_mechs_array[union_cred->count].elements); + if (GSS_ERROR(status)) goto errout; - } } - if (output_cred_handle == NULL) { - free(union_cred->mechs_array); - free(union_cred->cred_array); - new_union_cred = union_cred; - } else { - new_union_cred = malloc(sizeof (gss_union_cred_desc)); - if (new_union_cred == NULL) { - free(new_mechs_array[union_cred->count].elements); - goto errout; - } - *new_union_cred = *union_cred; - *output_cred_handle = (gss_cred_id_t)new_union_cred; - } - - new_union_cred->mechs_array = new_mechs_array; - new_union_cred->cred_array = new_cred_array; - new_union_cred->count++; - new_union_cred->loopback = new_union_cred; + union_cred->cred_array[union_cred->count] = cred; + union_cred->count++; + if (output_cred_handle != NULL) + *output_cred_handle = (gss_cred_id_t)union_cred; /* We're done with the internal name. Free it if we allocated it. */ @@ -538,16 +610,10 @@ gss_add_cred_from(minor_status, input_cred_handle, (void) gssint_release_internal_name(&temp_minor_status, selected_mech, &allocated_name); - (void) generic_gss_release_oid_set(&temp_minor_status, &target_mechs); return (GSS_S_COMPLETE); errout: - if (new_mechs_array) - free(new_mechs_array); - if (new_cred_array) - free(new_cred_array); - if (cred != NULL && mech->gss_release_cred) mech->gss_release_cred(&temp_minor_status, &cred); @@ -556,10 +622,12 @@ errout: selected_mech, &allocated_name); - if (input_cred_handle == GSS_C_NO_CREDENTIAL && union_cred) - free(union_cred); + if (output_cred_handle != NULL && union_cred != NULL) { + tmpcred = union_cred; + (void) gss_release_cred(&temp_minor_status, &tmpcred); + } - (void) generic_gss_release_oid_set(&temp_minor_status, &target_mechs); + free(oidbuf); return (status); } diff --git a/src/lib/gssapi/mechglue/g_dup_name.c b/src/lib/gssapi/mechglue/g_dup_name.c index 85306fc..cc824fd 100644 --- a/src/lib/gssapi/mechglue/g_dup_name.c +++ b/src/lib/gssapi/mechglue/g_dup_name.c @@ -126,7 +126,7 @@ allocation_failure: if (dest_union->external_name) { if (dest_union->external_name->value) free(dest_union->external_name->value); - free(dest_union->external_name); + free(dest_union->external_name); } if (dest_union->name_type) (void) generic_gss_release_oid(minor_status, diff --git a/src/lib/gssapi/mechglue/g_export_cred.c b/src/lib/gssapi/mechglue/g_export_cred.c index 8f5fe4a..0c273bf 100644 --- a/src/lib/gssapi/mechglue/g_export_cred.c +++ b/src/lib/gssapi/mechglue/g_export_cred.c @@ -81,7 +81,7 @@ gss_export_cred(OM_uint32 * minor_status, gss_cred_id_t cred_handle, mech_oid = &cred->mechs_array[i]; public_oid = gssint_get_public_oid(mech_oid); mech = gssint_get_mechanism(mech_oid); - if (mech == NULL) { + if (public_oid == GSS_C_NO_OID || mech == NULL) { status = GSS_S_DEFECTIVE_CREDENTIAL; goto error; } diff --git a/src/lib/gssapi/mechglue/g_glue.c b/src/lib/gssapi/mechglue/g_glue.c index 4aa3591..4cd2e8f 100644 --- a/src/lib/gssapi/mechglue/g_glue.c +++ b/src/lib/gssapi/mechglue/g_glue.c @@ -189,7 +189,7 @@ OM_uint32 gssint_get_mech_type_oid(OID, token) gss_buffer_t token; { unsigned char * buffer_ptr; - int length; + size_t buflen, lenbytes, length, oidlen; /* * This routine reads the prefix of "token" in order to determine @@ -223,25 +223,33 @@ OM_uint32 gssint_get_mech_type_oid(OID, token) /* Skip past the APP/Sequnce byte and the token length */ buffer_ptr = (unsigned char *) token->value; + buflen = token->length; - if (*(buffer_ptr++) != 0x60) + if (buflen < 2 || *buffer_ptr++ != 0x60) return (GSS_S_DEFECTIVE_TOKEN); length = *buffer_ptr++; + buflen -= 2; /* check if token length is null */ if (length == 0) return (GSS_S_DEFECTIVE_TOKEN); if (length & 0x80) { - if ((length & 0x7f) > 4) + lenbytes = length & 0x7f; + if (lenbytes > 4 || lenbytes > buflen) return (GSS_S_DEFECTIVE_TOKEN); - buffer_ptr += length & 0x7f; + buffer_ptr += lenbytes; + buflen -= lenbytes; } - if (*(buffer_ptr++) != 0x06) + if (buflen < 2 || *buffer_ptr++ != 0x06) + return (GSS_S_DEFECTIVE_TOKEN); + oidlen = *buffer_ptr++; + buflen -= 2; + if (oidlen > 0x7f || oidlen > buflen) return (GSS_S_DEFECTIVE_TOKEN); - OID->length = (OM_uint32) *(buffer_ptr++); + OID->length = oidlen; OID->elements = (void *) buffer_ptr; return (GSS_S_COMPLETE); } diff --git a/src/lib/gssapi/mechglue/g_initialize.c b/src/lib/gssapi/mechglue/g_initialize.c index 9197666..0ad11c0 100644 --- a/src/lib/gssapi/mechglue/g_initialize.c +++ b/src/lib/gssapi/mechglue/g_initialize.c @@ -391,9 +391,6 @@ build_mechSet(void) g_mechSet.count = count; } -#if 0 - g_mechSetTime = fileInfo.st_mtime; -#endif k5_mutex_unlock(&g_mechSetLock); k5_mutex_unlock(&g_mechListLock); @@ -916,10 +913,6 @@ loadInterMech(gss_mech_info minfo) if (krb5int_open_plugin(minfo->uLibName, &dl, &errinfo) != 0 || errinfo.code != 0) { -#if 0 - (void) syslog(LOG_INFO, "libgss dlopen(%s): %s\n", - aMech->uLibName, dlerror()); -#endif return; } @@ -959,12 +952,6 @@ loadInterMech(gss_mech_info minfo) dl = NULL; cleanup: -#if 0 - if (aMech->mech == NULL) { - (void) syslog(LOG_INFO, "unable to initialize mechanism" - " library [%s]\n", aMech->uLibName); - } -#endif if (dl != NULL) krb5int_close_plugin(dl); k5_clear_error(&errinfo); @@ -1161,10 +1148,6 @@ gssint_get_mechanism(gss_const_OID oid) if (krb5int_open_plugin(aMech->uLibName, &dl, &errinfo) != 0 || errinfo.code != 0) { -#if 0 - (void) syslog(LOG_INFO, "libgss dlopen(%s): %s\n", - aMech->uLibName, dlerror()); -#endif k5_mutex_unlock(&g_mechListLock); return ((gss_mechanism)NULL); } @@ -1180,10 +1163,6 @@ gssint_get_mechanism(gss_const_OID oid) } if (aMech->mech == NULL) { (void) krb5int_close_plugin(dl); -#if 0 - (void) syslog(LOG_INFO, "unable to initialize mechanism" - " library [%s]\n", aMech->uLibName); -#endif k5_mutex_unlock(&g_mechListLock); return ((gss_mechanism)NULL); } @@ -1503,10 +1482,6 @@ addConfigEntry(const char *oidStr, const char *oid, const char *sharedLib, oidBuf.length = strlen(oid); if (generic_gss_str_to_oid(&minor, &oidBuf, &mechOid) != GSS_S_COMPLETE) { -#if 0 - (void) syslog(LOG_INFO, "invalid mechanism oid" - " [%s] in configuration file", oid); -#endif return; } diff --git a/src/lib/gssapi/mechglue/g_inq_cred.c b/src/lib/gssapi/mechglue/g_inq_cred.c index 9111962..4ed7774 100644 --- a/src/lib/gssapi/mechglue/g_inq_cred.c +++ b/src/lib/gssapi/mechglue/g_inq_cred.c @@ -197,11 +197,8 @@ gss_inquire_cred_by_mech(minor_status, cred_handle, mech_type, name, union_cred = (gss_union_cred_t) cred_handle; mech_cred = gssint_get_mechanism_cred(union_cred, selected_mech); - -#if 0 - if (mech_cred == NULL) - return (GSS_S_DEFECTIVE_CREDENTIAL); -#endif + if (cred_handle != GSS_C_NO_CREDENTIAL && mech_cred == GSS_C_NO_CREDENTIAL) + return (GSS_S_NO_CRED); public_mech = gssint_get_public_oid(selected_mech); status = mech->gss_inquire_cred_by_mech(minor_status, diff --git a/src/lib/gssapi/mechglue/mglueP.h b/src/lib/gssapi/mechglue/mglueP.h index 2b5145e..2b00987 100644 --- a/src/lib/gssapi/mechglue/mglueP.h +++ b/src/lib/gssapi/mechglue/mglueP.h @@ -730,11 +730,6 @@ typedef struct gss_mech_config { /********************************************************/ /* Internal mechglue routines */ -#if 0 -int gssint_mechglue_init(void); -void gssint_mechglue_fini(void); -#endif - OM_uint32 gssint_select_mech_type(OM_uint32 *minor, gss_const_OID in_oid, gss_OID *selected_oid); gss_OID gssint_get_public_oid(gss_const_OID internal_oid); diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def index 362b9bc..e6b1479 100644 --- a/src/lib/gssapi32.def +++ b/src/lib/gssapi32.def @@ -182,3 +182,8 @@ EXPORTS gss_verify_mic_iov @146 ; Added in 1.14 GSS_KRB5_CRED_NO_CI_FLAGS_X @147 DATA +; Added in 1.16 + GSS_KRB5_GET_CRED_IMPERSONATOR @148 DATA + GSS_C_SEC_CONTEXT_SASL_SSF @149 DATA +; Added in 1.17 + GSS_KRB5_NT_ENTERPRISE_NAME @150 DATA diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c index ec6290e..3f6b536 100644 --- a/src/lib/kadm5/alt_prof.c +++ b/src/lib/kadm5/alt_prof.c @@ -526,8 +526,11 @@ krb5_error_code kadm5_get_config_params(krb5_context context, if (params_in->mask & KADM5_CONFIG_REALM) { lrealm = params.realm = strdup(params_in->realm); - if (params.realm != NULL) - params.mask |= KADM5_CONFIG_REALM; + if (params.realm == NULL) { + ret = ENOMEM; + goto cleanup; + } + params.mask |= KADM5_CONFIG_REALM; } else { ret = krb5_get_default_realm(context, &lrealm); if (ret) @@ -730,6 +733,10 @@ krb5_error_code kadm5_get_config_params(krb5_context context, krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue); if (svalue == NULL) svalue = strdup(KRB5_DEFAULT_SUPPORTED_ENCTYPES); + if (svalue == NULL) { + ret = ENOMEM; + goto cleanup; + } params.keysalts = NULL; params.num_keysalts = 0; @@ -797,7 +804,11 @@ krb5_error_code kadm5_get_config_params(krb5_context context, } GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, - KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); /* 2m */ + KRB5_CONF_IPROP_REPLICA_POLL, -1); + if (params.iprop_poll_time == -1) { + GET_DELTAT_PARAM(iprop_poll_time, KADM5_CONFIG_POLL_TIME, + KRB5_CONF_IPROP_SLAVE_POLL, 2 * 60); + } *params_out = params; diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c index 408b0eb..9a1d62d 100644 --- a/src/lib/kadm5/chpass_util.c +++ b/src/lib/kadm5/chpass_util.c @@ -4,15 +4,11 @@ */ -#include "autoconf.h" -#include -#include -#include +#include "k5-int.h" #include #include "admin_internal.h" -#include #define string_text error_message @@ -218,10 +214,12 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle, time_t until; char *time_string, *ptr; - until = princ_ent.last_pwd_change + policy_ent.pw_min_life; + until = ts_incr(princ_ent.last_pwd_change, policy_ent.pw_min_life); time_string = ctime(&until); - if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') + if (time_string == NULL) + time_string = "(error)"; + else if (*(ptr = &time_string[strlen(time_string)-1]) == '\n') *ptr = '\0'; snprintf(msg_ret, msg_len, string_text(CHPASS_UTIL_PASSWORD_TOO_SOON), diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c index 4350a9e..6f10db0 100644 --- a/src/lib/kadm5/clnt/client_init.c +++ b/src/lib/kadm5/clnt/client_init.c @@ -161,7 +161,6 @@ init_any(krb5_context context, char *client_name, enum init_type init_type, generic_ret r = { 0, 0 }; initialize_ovk_error_table(); -/* initialize_adb_error_table(); */ initialize_ovku_error_table(); if (! server_handle) { @@ -612,53 +611,8 @@ setup_gss(kadm5_server_handle_t handle, kadm5_config_params *params_in, gssstat = gss_acquire_cred(&minor_stat, gss_client, 0, GSS_C_NULL_OID_SET, GSS_C_INITIATE, &handle->cred, NULL, NULL); - if (gssstat != GSS_S_COMPLETE) { -#if 0 /* for debugging only */ - { - OM_uint32 maj_status, min_status, message_context = 0; - gss_buffer_desc status_string; - do { - maj_status = gss_display_status(&min_status, - gssstat, - GSS_C_GSS_CODE, - GSS_C_NO_OID, - &message_context, - &status_string); - if (maj_status == GSS_S_COMPLETE) { - fprintf(stderr, "MAJ: %.*s\n", - (int) status_string.length, - (char *)status_string.value); - gss_release_buffer(&min_status, &status_string); - } else { - fprintf(stderr, - "MAJ? gss_display_status returns 0x%lx?!\n", - (unsigned long) maj_status); - message_context = 0; - } - } while (message_context != 0); - do { - maj_status = gss_display_status(&min_status, - minor_stat, - GSS_C_MECH_CODE, - GSS_C_NO_OID, - &message_context, - &status_string); - if (maj_status == GSS_S_COMPLETE) { - fprintf(stderr, "MIN: %.*s\n", - (int) status_string.length, - (char *)status_string.value); - gss_release_buffer(&min_status, &status_string); - } else { - fprintf(stderr, - "MIN? gss_display_status returns 0x%lx?!\n", - (unsigned long) maj_status); - message_context = 0; - } - } while (message_context != 0); - } -#endif + if (gssstat != GSS_S_COMPLETE) goto error; - } /* * Do actual creation of RPC auth handle. Implements auth flavor diff --git a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports index 9d1a573..f122b31 100644 --- a/src/lib/kadm5/clnt/libkadm5clnt_mit.exports +++ b/src/lib/kadm5/clnt/libkadm5clnt_mit.exports @@ -62,6 +62,7 @@ krb5_keysalt_iterate krb5_klog_close krb5_klog_init krb5_klog_reopen +krb5_klog_set_context krb5_klog_syslog krb5_string_to_keysalts xdr_chpass3_arg diff --git a/src/lib/kadm5/deps b/src/lib/kadm5/deps index c9f0cbf..3585f08 100644 --- a/src/lib/kadm5/deps +++ b/src/lib/kadm5/deps @@ -42,13 +42,21 @@ chpass_util.so chpass_util.po $(OUTPRE)chpass_util.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h admin_internal.h chpass_util.c + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + admin_internal.h chpass_util.c alt_prof.so alt_prof.po $(OUTPRE)alt_prof.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ diff --git a/src/lib/kadm5/kadm_err.et b/src/lib/kadm5/kadm_err.et index 71b0534..892a6fa 100644 --- a/src/lib/kadm5/kadm_err.et +++ b/src/lib/kadm5/kadm_err.et @@ -66,4 +66,5 @@ error_code KADM5_BAD_KEYSALTS, "Invalid key/salt tuples" error_code KADM5_SETKEY_BAD_KVNO, "Invalid multiple or duplicate kvnos in setkey operation" error_code KADM5_AUTH_EXTRACT, "Operation requires ``extract-keys'' privilege" error_code KADM5_PROTECT_KEYS, "Principal keys are locked down" +error_code KADM5_AUTH_INITIAL, "Operation requires initial ticket" end diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c index ce79fab..c6885ed 100644 --- a/src/lib/kadm5/logger.c +++ b/src/lib/kadm5/logger.c @@ -116,7 +116,6 @@ struct log_entry { } log_file; struct log_syslog { int ls_facility; - int ls_severity; } log_syslog; struct log_device { FILE *ld_filep; @@ -127,7 +126,6 @@ struct log_entry { #define lfu_filep log_union.log_file.lf_filep #define lfu_fname log_union.log_file.lf_fname #define lsu_facility log_union.log_syslog.ls_facility -#define lsu_severity log_union.log_syslog.ls_severity #define ldu_filep log_union.log_device.ld_filep #define ldu_devname log_union.log_device.ld_devname @@ -173,142 +171,39 @@ klog_com_err_proc(const char *whoami, long int code, const char *format, va_list #endif ; +/* + * Write com_err() messages to the configured logging devices. Ignore whoami, + * as krb5_klog_init() already received a whoami value. If code is nonzero, + * log its error message (retrieved using err_context) and the formatted + * message at error severity. If code is zero, log the formatted message at + * informational severity. + */ static void klog_com_err_proc(const char *whoami, long int code, const char *format, va_list ap) { - char outbuf[KRB5_KLOG_MAX_ERRMSG_SIZE]; - int lindex; - const char *actual_format; - int log_pri = -1; - char *cp; - char *syslogp; + struct k5buf buf; + const char *emsg; - if (whoami == NULL || format == NULL) + if (format == NULL) return; - /* Make the header */ - snprintf(outbuf, sizeof(outbuf), "%s: ", whoami); - /* - * Squirrel away address after header for syslog since syslog makes - * a header - */ - syslogp = &outbuf[strlen(outbuf)]; + k5_buf_init_dynamic(&buf); - /* If reporting an error message, separate it. */ if (code) { - const char *emsg; - outbuf[sizeof(outbuf) - 1] = '\0'; - - emsg = krb5_get_error_message (err_context, code); - strncat(outbuf, emsg, sizeof(outbuf) - 1 - strlen(outbuf)); - strncat(outbuf, " - ", sizeof(outbuf) - 1 - strlen(outbuf)); + /* Start with the error message and a separator. */ + emsg = krb5_get_error_message(err_context, code); + k5_buf_add(&buf, emsg); krb5_free_error_message(err_context, emsg); + k5_buf_add(&buf, " - "); } - cp = &outbuf[strlen(outbuf)]; - actual_format = format; - /* - * This is an unpleasant hack. If the first character is less than - * 8, then we assume that it is a priority. - * - * Since it is not guaranteed that there is a direct mapping between - * syslog priorities (e.g. Ultrix and old BSD), we resort to this - * intermediate representation. - */ - if ((((unsigned char) *format) > 0) && (((unsigned char) *format) <= 8)) { - actual_format = (format + 1); - switch ((unsigned char) *format) { - case 1: - log_pri = LOG_EMERG; - break; - case 2: - log_pri = LOG_ALERT; - break; - case 3: - log_pri = LOG_CRIT; - break; - default: - case 4: - log_pri = LOG_ERR; - break; - case 5: - log_pri = LOG_WARNING; - break; - case 6: - log_pri = LOG_NOTICE; - break; - case 7: - log_pri = LOG_INFO; - break; - case 8: - log_pri = LOG_DEBUG; - break; - } - } + /* Add the formatted message. */ + k5_buf_add_vfmt(&buf, format, ap); - /* Now format the actual message */ - vsnprintf(cp, sizeof(outbuf) - (cp - outbuf), actual_format, ap); - - /* - * Now that we have the message formatted, perform the output to each - * logging specification. - */ - for (lindex = 0; lindex < log_control.log_nentries; lindex++) { - /* Omit messages marked as LOG_DEBUG for non-syslog outputs unless we - * are configured to include them. */ - if (log_pri == LOG_DEBUG && !log_control.log_debug && - log_control.log_entries[lindex].log_type != K_LOG_SYSLOG) - continue; + if (k5_buf_status(&buf) == 0) + krb5_klog_syslog(code ? LOG_ERR : LOG_INFO, "%s", (char *)buf.data); - switch (log_control.log_entries[lindex].log_type) { - case K_LOG_FILE: - case K_LOG_STDERR: - /* - * Files/standard error. - */ - if (fprintf(log_control.log_entries[lindex].lfu_filep, "%s\n", - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_file_err, whoami, - log_control.log_entries[lindex].lfu_fname); - } - else { - fflush(log_control.log_entries[lindex].lfu_filep); - } - break; - case K_LOG_CONSOLE: - case K_LOG_DEVICE: - /* - * Devices (may need special handling) - */ - if (DEVICE_PRINT(log_control.log_entries[lindex].ldu_filep, - outbuf) < 0) { - /* Attempt to report error */ - fprintf(stderr, log_device_err, whoami, - log_control.log_entries[lindex].ldu_devname); - } - break; - case K_LOG_SYSLOG: - /* - * System log. - */ - /* - * If we have specified a priority through our hackery, then - * use it, otherwise use the default. - */ - if (log_pri >= 0) - log_pri |= log_control.log_entries[lindex].lsu_facility; - else - log_pri = log_control.log_entries[lindex].lsu_facility | - log_control.log_entries[lindex].lsu_severity; - - /* Log the message with our header trimmed off */ - syslog(log_pri, "%s", syslogp); - break; - default: - break; - } - } + k5_buf_free(&buf); } /* @@ -435,9 +330,8 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do else if (!strncasecmp(cp, "SYSLOG", 6)) { error = 0; log_control.log_entries[i].lsu_facility = LOG_AUTH; - log_control.log_entries[i].lsu_severity = LOG_ERR; /* - * Is there a severify specified? + * Is there a severify (which is now ignored) specified? */ if (cp[6] == ':') { /* @@ -451,41 +345,6 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do } /* - * Match a severity. - */ - if (!strcasecmp(&cp[7], "ERR")) { - log_control.log_entries[i].lsu_severity = LOG_ERR; - } - else if (!strcasecmp(&cp[7], "EMERG")) { - log_control.log_entries[i].lsu_severity = - LOG_EMERG; - } - else if (!strcasecmp(&cp[7], "ALERT")) { - log_control.log_entries[i].lsu_severity = - LOG_ALERT; - } - else if (!strcasecmp(&cp[7], "CRIT")) { - log_control.log_entries[i].lsu_severity = LOG_CRIT; - } - else if (!strcasecmp(&cp[7], "WARNING")) { - log_control.log_entries[i].lsu_severity = - LOG_WARNING; - } - else if (!strcasecmp(&cp[7], "NOTICE")) { - log_control.log_entries[i].lsu_severity = - LOG_NOTICE; - } - else if (!strcasecmp(&cp[7], "INFO")) { - log_control.log_entries[i].lsu_severity = LOG_INFO; - } - else if (!strcasecmp(&cp[7], "DEBUG")) { - log_control.log_entries[i].lsu_severity = - LOG_DEBUG; - } - else - error = 1; - - /* * If there is a facility present, then parse that. */ if (cp2) { @@ -638,7 +497,6 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do log_control.log_entries->log_type = K_LOG_SYSLOG; log_control.log_entries->log_2free = (krb5_pointer) NULL; log_facility = log_control.log_entries->lsu_facility = LOG_AUTH; - log_control.log_entries->lsu_severity = LOG_ERR; do_openlog = 1; log_control.log_nentries = 1; } @@ -662,6 +520,13 @@ krb5_klog_init(krb5_context kcontext, char *ename, char *whoami, krb5_boolean do return((log_control.log_nentries) ? 0 : ENOENT); } +/* Reset the context used by the com_err hook to retrieve error messages. */ +void +krb5_klog_set_context(krb5_context kcontext) +{ + err_context = kcontext; +} + /* * krb5_klog_close() - Close the logging context and free all data. */ @@ -771,9 +636,8 @@ klog_vsyslog(int priority, const char *format, va_list arglist) char *syslogp; char *cp; time_t now; -#ifdef HAVE_STRFTIME size_t soff; -#endif /* HAVE_STRFTIME */ + struct tm *tm; /* * Format a syslog-esque message of the format: @@ -786,25 +650,19 @@ klog_vsyslog(int priority, const char *format, va_list arglist) */ cp = outbuf; (void) time(&now); -#ifdef HAVE_STRFTIME + /* * Format the date: mon dd hh:mm:ss */ - soff = strftime(outbuf, sizeof(outbuf), "%b %d %H:%M:%S", localtime(&now)); + tm = localtime(&now); + if (tm == NULL) + return(-1); + soff = strftime(outbuf, sizeof(outbuf), "%b %d %H:%M:%S", tm); if (soff > 0) cp += soff; else return(-1); -#else /* HAVE_STRFTIME */ - /* - * Format the date: - * We ASSUME here that the output of ctime is of the format: - * dow mon dd hh:mm:ss tzs yyyy\n - * 012345678901234567890123456789 - */ - strncpy(outbuf, ctime(&now) + 4, 15); - cp += 15; -#endif /* HAVE_STRFTIME */ + #ifdef VERBOSE_LOGS snprintf(cp, sizeof(outbuf) - (cp-outbuf), " %s %s[%ld](%s): ", log_control.log_hostname ? log_control.log_hostname : "", diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in index f4b5b5b..617d656 100644 --- a/src/lib/kadm5/srv/Makefile.in +++ b/src/lib/kadm5/srv/Makefile.in @@ -32,7 +32,6 @@ SRCS = $(srcdir)/pwqual.c \ $(srcdir)/pwqual_princ.c \ $(srcdir)/svr_policy.c \ $(srcdir)/svr_principal.c \ - $(srcdir)/server_acl.c \ $(srcdir)/server_kdb.c \ $(srcdir)/server_misc.c \ $(srcdir)/server_init.c \ @@ -48,7 +47,6 @@ OBJS = pwqual.$(OBJEXT) \ kadm5_hook.$(OBJEXT) \ svr_policy.$(OBJEXT) \ svr_principal.$(OBJEXT) \ - server_acl.$(OBJEXT) \ server_kdb.$(OBJEXT) \ server_misc.$(OBJEXT) \ server_init.$(OBJEXT) \ @@ -65,7 +63,6 @@ STLIBOBJS = \ kadm5_hook.o \ svr_policy.o \ svr_principal.o \ - server_acl.o \ server_kdb.o \ server_misc.o \ server_init.o \ @@ -73,23 +70,10 @@ STLIBOBJS = \ svr_chpass_util.o \ adb_xdr.o -all-unix: includes all-unix: all-liblinks all-windows: $(OBJS) -generate-files-mac: includes darwin.exports - -includes: server_acl.h - if cmp $(srcdir)/server_acl.h \ - $(BUILDTOP)/include/kadm5/server_acl.h >/dev/null 2>&1; then :; \ - else \ - (set -x; $(RM) $(BUILDTOP)/include/kadm5/server_acl.h; \ - $(CP) $(srcdir)/server_acl.h \ - $(BUILDTOP)/include/kadm5/server_acl.h) ; \ - fi - -clean-unix:: - $(RM) $(BUILDTOP)/include/kadm5/server_acl.h +generate-files-mac: darwin.exports check-windows: @@ -104,8 +88,6 @@ install-unix: (cd $(DESTDIR)$(KRB5_LIBDIR) && $(LN_S) lib$(LIBBASE)$(DEPLIBEXT) \ libkadm5srv$(DEPLIBEXT)) -depend: includes - @lib_frag@ @libobj_frag@ diff --git a/src/lib/kadm5/srv/deps b/src/lib/kadm5/srv/deps index 20df4e9..01080d5 100644 --- a/src/lib/kadm5/srv/deps +++ b/src/lib/kadm5/srv/deps @@ -150,27 +150,6 @@ svr_principal.so svr_principal.po $(OUTPRE)svr_principal.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_hook_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h svr_principal.c -server_acl.so server_acl.po $(OUTPRE)server_acl.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssapi/gssapi_generic.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ - $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/adm_proto.h $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - server_acl.c server_acl.h server_kdb.so server_kdb.po $(OUTPRE)server_kdb.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ diff --git a/src/lib/kadm5/srv/libkadm5srv_mit.exports b/src/lib/kadm5/srv/libkadm5srv_mit.exports index aedfdd7..64ad5dd 100644 --- a/src/lib/kadm5/srv/libkadm5srv_mit.exports +++ b/src/lib/kadm5/srv/libkadm5srv_mit.exports @@ -1,10 +1,5 @@ _kadm5_check_handle _kadm5_chpass_principal_util -kadm5int_acl_check -kadm5int_acl_check_krb -kadm5int_acl_finish -kadm5int_acl_impose_restrictions -kadm5int_acl_init hist_princ kadm5_set_use_password_server kadm5_chpass_principal @@ -76,6 +71,7 @@ krb5_keysalt_iterate krb5_klog_close krb5_klog_init krb5_klog_reopen +krb5_klog_set_context krb5_klog_syslog krb5_string_to_keysalts master_db diff --git a/src/lib/kadm5/srv/server_acl.c b/src/lib/kadm5/srv/server_acl.c deleted file mode 100644 index 3c2844d..0000000 --- a/src/lib/kadm5/srv/server_acl.c +++ /dev/null @@ -1,823 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/kadm5/srv/server_acl.c */ -/* - * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "k5-int.h" -#include -#include -#include -#include -#include -#include "adm_proto.h" -#include "server_acl.h" -#include - -typedef struct _acl_op_table { - char ao_op; - krb5_int32 ao_mask; -} aop_t; - -typedef struct _acl_entry { - struct _acl_entry *ae_next; - char *ae_name; - krb5_boolean ae_name_bad; - krb5_principal ae_principal; - krb5_int32 ae_op_allowed; - char *ae_target; - krb5_boolean ae_target_bad; - krb5_principal ae_target_princ; - char *ae_restriction_string; - /* eg: "-maxlife 3h -service +proxiable" */ - krb5_boolean ae_restriction_bad; - restriction_t *ae_restrictions; -} aent_t; - -static const aop_t acl_op_table[] = { - { 'a', ACL_ADD }, - { 'd', ACL_DELETE }, - { 'm', ACL_MODIFY }, - { 'c', ACL_CHANGEPW }, - { 'i', ACL_INQUIRE }, - { 'l', ACL_LIST }, - { 'p', ACL_IPROP }, - { 's', ACL_SETKEY }, - { 'x', ACL_ALL_MASK }, - { '*', ACL_ALL_MASK }, - { 'e', ACL_EXTRACT }, - { '\0', 0 } -}; - -typedef struct _wildstate { - int nwild; - const krb5_data *backref[9]; -} wildstate_t; - -static aent_t *acl_list_head = (aent_t *) NULL; -static aent_t *acl_list_tail = (aent_t *) NULL; - -static const char *acl_acl_file = (char *) NULL; -static int acl_inited = 0; -static int acl_debug_level = 0; -/* - * This is the catchall entry. If nothing else appropriate is found, or in - * the case where the ACL file is not present, this entry controls what can - * be done. - */ -static const char *acl_catchall_entry = NULL; - -static const char *acl_line2long_msg = N_("%s: line %d too long, truncated"); -static const char *acl_op_bad_msg = N_("Unrecognized ACL operation '%c' in " - "%s"); -static const char *acl_syn_err_msg = N_("%s: syntax error at line %d " - "<%.10s...>"); -static const char *acl_cantopen_msg = N_("%s while opening ACL file %s"); - -/* - * kadm5int_acl_get_line() - Get a line from the ACL file. - * Lines ending with \ are continued on the next line - */ -static char * -kadm5int_acl_get_line(fp, lnp) - FILE *fp; - int *lnp; /* caller should set to 1 before first call */ -{ - int i, domore; - static int line_incr = 0; - static char acl_buf[BUFSIZ]; - - for (domore = 1; domore && !feof(fp); ) { - *lnp += line_incr; - line_incr = 0; - /* Copy in the line, with continuations */ - for (i = 0; ((i < BUFSIZ) && !feof(fp)); i++) { - int byte; - byte = fgetc(fp); - acl_buf[i] = byte; - if (byte == EOF) { - if (i > 0 && acl_buf[i-1] == '\\') - i--; - break; /* it gets nulled-out below */ - } - else if (acl_buf[i] == '\n') { - if (i == 0 || acl_buf[i-1] != '\\') - break; /* empty line or normal end of line */ - else { - i -= 2; /* back up over "\\\n" and continue */ - line_incr++; - } - } - } - /* Check if we exceeded our buffer size */ - if (i == sizeof acl_buf && (i--, !feof(fp))) { - int c1 = acl_buf[i], c2; - - krb5_klog_syslog(LOG_ERR, _(acl_line2long_msg), acl_acl_file, - *lnp); - while ((c2 = fgetc(fp)) != EOF) { - if (c2 == '\n') { - if (c1 != '\\') - break; - line_incr++; - } - c1 = c2; - } - } - acl_buf[i] = '\0'; - if (acl_buf[0] == (char) EOF) /* ptooey */ - acl_buf[0] = '\0'; - else - line_incr++; - if ((acl_buf[0] != '#') && (acl_buf[0] != '\0')) - domore = 0; - } - if (domore || (strlen(acl_buf) == 0)) - return((char *) NULL); - else - return(acl_buf); -} - -/* - * kadm5int_acl_parse_line() - Parse the contents of an ACL line. - */ -static aent_t * -kadm5int_acl_parse_line(lp) - const char *lp; -{ - static char acle_principal[BUFSIZ]; - static char acle_ops[BUFSIZ]; - static char acle_object[BUFSIZ]; - static char acle_restrictions[BUFSIZ]; - aent_t *acle; - char *op; - int t, found, opok, nmatch; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_line(line=%20s)\n", lp)); - /* - * Format is still simple: - * entry ::= [] - * [ [ - * []]] - */ - acle = (aent_t *) NULL; - acle_object[0] = '\0'; - nmatch = sscanf(lp, "%s %s %s %[^\n]", acle_principal, acle_ops, - acle_object, acle_restrictions); - if (nmatch >= 2) { - acle = (aent_t *) malloc(sizeof(aent_t)); - if (acle) { - acle->ae_next = (aent_t *) NULL; - acle->ae_op_allowed = (krb5_int32) 0; - acle->ae_target = - (nmatch >= 3) ? strdup(acle_object) : (char *) NULL; - acle->ae_target_bad = 0; - acle->ae_target_princ = (krb5_principal) NULL; - opok = 1; - for (op=acle_ops; *op; op++) { - char rop; - - rop = (isupper((unsigned char) *op)) ? tolower((unsigned char) *op) : *op; - found = 0; - for (t=0; acl_op_table[t].ao_op; t++) { - if (rop == acl_op_table[t].ao_op) { - found = 1; - if (rop == *op) - acle->ae_op_allowed |= acl_op_table[t].ao_mask; - else - acle->ae_op_allowed &= ~acl_op_table[t].ao_mask; - } - } - if (!found) { - krb5_klog_syslog(LOG_ERR, _(acl_op_bad_msg), *op, lp); - opok = 0; - } - } - if (opok) { - acle->ae_name = strdup(acle_principal); - if (acle->ae_name) { - acle->ae_principal = (krb5_principal) NULL; - acle->ae_name_bad = 0; - DPRINT(DEBUG_ACL, acl_debug_level, - ("A ACL entry %s -> opmask %x\n", - acle->ae_name, acle->ae_op_allowed)); - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - } - else { - if (acle->ae_target) - free(acle->ae_target); - free(acle); - acle = (aent_t *) NULL; - } - - if (acle) { - if ( nmatch >= 4 ) { - char *trailing; - - trailing = &acle_restrictions[strlen(acle_restrictions)-1]; - while ( isspace((int) *trailing) ) - trailing--; - trailing[1] = '\0'; - acle->ae_restriction_string = - strdup(acle_restrictions); - } - else { - acle->ae_restriction_string = (char *) NULL; - } - acle->ae_restriction_bad = 0; - acle->ae_restrictions = (restriction_t *) NULL; - } - } - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_line() = %x\n", (long) acle)); - return(acle); -} - -/* - * kadm5int_acl_parse_restrictions() - Parse optional restrictions field - * - * Allowed restrictions are: - * [+-]flagname (recognized by krb5_flagspec_to_mask) - * flag is forced to indicated value - * -clearpolicy policy is forced clear - * -policy pol policy is forced to be "pol" - * -{expire,pwexpire,maxlife,maxrenewlife} deltat - * associated value will be forced to - * MIN(deltat, requested value) - * - * Returns: 0 on success, or system errors - */ -static krb5_error_code -kadm5int_acl_parse_restrictions(s, rpp) - char *s; - restriction_t **rpp; -{ - char *sp = NULL, *tp, *ap, *save; - static const char *delims = "\t\n\f\v\r ,"; - krb5_deltat dt; - krb5_error_code code; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_parse_restrictions(s=%20s, rpp=0x%08x)\n", s, (long)rpp)); - - *rpp = (restriction_t *) NULL; - code = 0; - if (s) { - if (!(sp = strdup(s)) /* Don't munge the original */ - || !(*rpp = (restriction_t *) malloc(sizeof(restriction_t)))) { - code = ENOMEM; - } else { - memset(*rpp, 0, sizeof(**rpp)); - (*rpp)->forbid_attrs = ~(krb5_flags)0; - for (tp = strtok_r(sp, delims, &save); tp; - tp = strtok_r(NULL, delims, &save)) { - if (!krb5_flagspec_to_mask(tp, &(*rpp)->require_attrs, - &(*rpp)->forbid_attrs)) { - (*rpp)->mask |= KADM5_ATTRIBUTES; - } else if (!strcmp(tp, "-clearpolicy")) { - (*rpp)->mask |= KADM5_POLICY_CLR; - } else { - /* everything else needs an argument ... */ - if (!(ap = strtok_r(NULL, delims, &save))) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-policy")) { - if (!((*rpp)->policy = strdup(ap))) { - code = ENOMEM; - break; - } - (*rpp)->mask |= KADM5_POLICY; - } else { - /* all other arguments must be a deltat ... */ - if (krb5_string_to_deltat(ap, &dt)) { - code = EINVAL; - break; - } - if (!strcmp(tp, "-expire")) { - (*rpp)->princ_lifetime = dt; - (*rpp)->mask |= KADM5_PRINC_EXPIRE_TIME; - } else if (!strcmp(tp, "-pwexpire")) { - (*rpp)->pw_lifetime = dt; - (*rpp)->mask |= KADM5_PW_EXPIRATION; - } else if (!strcmp(tp, "-maxlife")) { - (*rpp)->max_life = dt; - (*rpp)->mask |= KADM5_MAX_LIFE; - } else if (!strcmp(tp, "-maxrenewlife")) { - (*rpp)->max_renewable_life = dt; - (*rpp)->mask |= KADM5_MAX_RLIFE; - } else { - code = EINVAL; - break; - } - } - } - } - if (code) { - krb5_klog_syslog(LOG_ERR, _("%s: invalid restrictions: %s"), - acl_acl_file, s); - } - } - } - if (sp) - free(sp); - if (*rpp && code) { - if ((*rpp)->policy) - free((*rpp)->policy); - free(*rpp); - *rpp = (restriction_t *) NULL; - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_parse_restrictions() = %d, mask=0x%08x\n", - code, (*rpp) ? (*rpp)->mask : 0)); - return code; -} - -/* - * kadm5int_acl_impose_restrictions() - impose restrictions, modifying *recp, *maskp - * - * Returns: 0 on success; - * malloc or timeofday errors - */ -krb5_error_code -kadm5int_acl_impose_restrictions(kcontext, recp, maskp, rp) - krb5_context kcontext; - kadm5_principal_ent_rec *recp; - long *maskp; - restriction_t *rp; -{ - krb5_error_code code; - krb5_int32 now; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_impose_restrictions(..., *maskp=0x%08x, rp=0x%08x)\n", - *maskp, (long)rp)); - if (!rp) - return 0; - if (rp->mask & (KADM5_PRINC_EXPIRE_TIME|KADM5_PW_EXPIRATION)) - if ((code = krb5_timeofday(kcontext, &now))) - return code; - - if (rp->mask & KADM5_ATTRIBUTES) { - recp->attributes |= rp->require_attrs; - recp->attributes &= rp->forbid_attrs; - *maskp |= KADM5_ATTRIBUTES; - } - if (rp->mask & KADM5_POLICY_CLR) { - *maskp &= ~KADM5_POLICY; - *maskp |= KADM5_POLICY_CLR; - } else if (rp->mask & KADM5_POLICY) { - if (recp->policy && strcmp(recp->policy, rp->policy)) { - free(recp->policy); - recp->policy = (char *) NULL; - } - if (!recp->policy) { - recp->policy = strdup(rp->policy); /* XDR will free it */ - if (!recp->policy) - return ENOMEM; - } - *maskp |= KADM5_POLICY; - } - if (rp->mask & KADM5_PRINC_EXPIRE_TIME) { - if (!(*maskp & KADM5_PRINC_EXPIRE_TIME) - || (recp->princ_expire_time > (now + rp->princ_lifetime))) - recp->princ_expire_time = now + rp->princ_lifetime; - *maskp |= KADM5_PRINC_EXPIRE_TIME; - } - if (rp->mask & KADM5_PW_EXPIRATION) { - if (!(*maskp & KADM5_PW_EXPIRATION) - || (recp->pw_expiration > (now + rp->pw_lifetime))) - recp->pw_expiration = now + rp->pw_lifetime; - *maskp |= KADM5_PW_EXPIRATION; - } - if (rp->mask & KADM5_MAX_LIFE) { - if (!(*maskp & KADM5_MAX_LIFE) - || (recp->max_life > rp->max_life)) - recp->max_life = rp->max_life; - *maskp |= KADM5_MAX_LIFE; - } - if (rp->mask & KADM5_MAX_RLIFE) { - if (!(*maskp & KADM5_MAX_RLIFE) - || (recp->max_renewable_life > rp->max_renewable_life)) - recp->max_renewable_life = rp->max_renewable_life; - *maskp |= KADM5_MAX_RLIFE; - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_impose_restrictions() = 0, *maskp=0x%08x\n", *maskp)); - return 0; -} - -/* - * kadm5int_acl_free_entries() - Free all ACL entries. - */ -static void -kadm5int_acl_free_entries() -{ - aent_t *ap; - aent_t *np; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_free_entries()\n")); - for (ap=acl_list_head; ap; ap = np) { - if (ap->ae_name) - free(ap->ae_name); - if (ap->ae_principal) - krb5_free_principal((krb5_context) NULL, ap->ae_principal); - if (ap->ae_target) - free(ap->ae_target); - if (ap->ae_target_princ) - krb5_free_principal((krb5_context) NULL, ap->ae_target_princ); - if (ap->ae_restriction_string) - free(ap->ae_restriction_string); - if (ap->ae_restrictions) { - if (ap->ae_restrictions->policy) - free(ap->ae_restrictions->policy); - free(ap->ae_restrictions); - } - np = ap->ae_next; - free(ap); - } - acl_list_head = acl_list_tail = (aent_t *) NULL; - acl_inited = 0; - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_free_entries()\n")); -} - -/* - * kadm5int_acl_load_acl_file() - Open and parse the ACL file. - */ -static int -kadm5int_acl_load_acl_file() -{ - FILE *afp; - char *alinep; - aent_t **aentpp; - int alineno; - int retval = 1; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_load_acl_file()\n")); - /* Open the ACL file for read */ - afp = fopen(acl_acl_file, "r"); - if (afp) { - set_cloexec_file(afp); - alineno = 1; - aentpp = &acl_list_head; - - /* Get a non-comment line */ - while ((alinep = kadm5int_acl_get_line(afp, &alineno))) { - /* Parse it */ - *aentpp = kadm5int_acl_parse_line(alinep); - /* If syntax error, then fall out */ - if (!*aentpp) { - krb5_klog_syslog(LOG_ERR, _(acl_syn_err_msg), - acl_acl_file, alineno, alinep); - retval = 0; - break; - } - acl_list_tail = *aentpp; - aentpp = &(*aentpp)->ae_next; - } - - fclose(afp); - - if (acl_catchall_entry) { - *aentpp = kadm5int_acl_parse_line(acl_catchall_entry); - if (*aentpp) { - acl_list_tail = *aentpp; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } - } - else { - krb5_klog_syslog(LOG_ERR, _(acl_cantopen_msg), - error_message(errno), acl_acl_file); - if (acl_catchall_entry && - (acl_list_head = kadm5int_acl_parse_line(acl_catchall_entry))) { - acl_list_tail = acl_list_head; - } - else { - retval = 0; - DPRINT(DEBUG_OPERATION, acl_debug_level, - ("> catchall acl entry (%s) load failed\n", - acl_catchall_entry)); - } - } - - if (!retval) { - kadm5int_acl_free_entries(); - } - DPRINT(DEBUG_CALLS, acl_debug_level, - ("X kadm5int_acl_load_acl_file() = %d\n", retval)); - return(retval); -} - -/* - * kadm5int_acl_match_data() - See if two data entries match. - * - * Wildcarding is only supported for a whole component. - */ -static krb5_boolean -kadm5int_acl_match_data(const krb5_data *e1, const krb5_data *e2, - int targetflag, wildstate_t *ws) -{ - krb5_boolean retval; - - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* acl_match_entry(%s, %s)\n", e1->data, e2->data)); - retval = 0; - if (!strncmp(e1->data, "*", e1->length)) { - retval = 1; - if (ws && !targetflag) { - if (ws->nwild >= 9) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many wildcards in ACL entry.\n")); - } - else - ws->backref[ws->nwild++] = e2; - } - } - else if (ws && targetflag && (e1->length == 2) && (e1->data[0] == '*') && - (e1->data[1] >= '1') && (e1->data[1] <= '9')) { - int n = e1->data[1] - '1'; - if (n >= ws->nwild) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Too many backrefs in ACL entry.\n")); - } - else if ((ws->backref[n]->length == e2->length) && - (!strncmp(ws->backref[n]->data, e2->data, e2->length))) - retval = 1; - - } - else { - if ((e1->length == e2->length) && - (!strncmp(e1->data, e2->data, e1->length))) - retval = 1; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_match_entry()=%d\n",retval)); - return(retval); -} - -/* - * kadm5int_acl_find_entry() - Find a matching entry. - */ -static aent_t * -kadm5int_acl_find_entry(krb5_context kcontext, krb5_const_principal principal, - krb5_const_principal dest_princ) -{ - aent_t *entry; - krb5_error_code kret; - int i; - int matchgood; - wildstate_t state; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_find_entry()\n")); - for (entry=acl_list_head; entry; entry = entry->ae_next) { - memset(&state, 0, sizeof(state)); - if (entry->ae_name_bad) - continue; - if (!strcmp(entry->ae_name, "*")) { - DPRINT(DEBUG_ACL, acl_debug_level, ("A wildcard ACL match\n")); - matchgood = 1; - } - else { - if (!entry->ae_principal && !entry->ae_name_bad) { - kret = krb5_parse_name(kcontext, - entry->ae_name, - &entry->ae_principal); - if (kret) - entry->ae_name_bad = 1; - } - if (entry->ae_name_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad ACL entry %s\n", entry->ae_name)); - continue; - } - matchgood = 0; - if (kadm5int_acl_match_data(&entry->ae_principal->realm, - &principal->realm, 0, (wildstate_t *)0) && - (entry->ae_principal->length == principal->length)) { - matchgood = 1; - for (i=0; ilength; i++) { - if (!kadm5int_acl_match_data(&entry->ae_principal->data[i], - &principal->data[i], 0, &state)) { - matchgood = 0; - break; - } - } - } - } - if (!matchgood) - continue; - - /* We've matched the principal. If we have a target, then try it */ - if (entry->ae_target && strcmp(entry->ae_target, "*")) { - if (!entry->ae_target_princ && !entry->ae_target_bad) { - kret = krb5_parse_name(kcontext, entry->ae_target, - &entry->ae_target_princ); - if (kret) - entry->ae_target_bad = 1; - } - if (entry->ae_target_bad) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad target in ACL entry for %s\n", entry->ae_name)); - entry->ae_name_bad = 1; - continue; - } - if (!dest_princ) - matchgood = 0; - else if (entry->ae_target_princ && dest_princ) { - if (kadm5int_acl_match_data(&entry->ae_target_princ->realm, - &dest_princ->realm, 1, (wildstate_t *)0) && - (entry->ae_target_princ->length == dest_princ->length)) { - for (i=0; ilength; i++) { - if (!kadm5int_acl_match_data(&entry->ae_target_princ->data[i], - &dest_princ->data[i], 1, &state)) { - matchgood = 0; - break; - } - } - } - else - matchgood = 0; - } - } - if (!matchgood) - continue; - - if (entry->ae_restriction_string - && !entry->ae_restriction_bad - && !entry->ae_restrictions - && kadm5int_acl_parse_restrictions(entry->ae_restriction_string, - &entry->ae_restrictions)) { - DPRINT(DEBUG_ACL, acl_debug_level, - ("Bad restrictions in ACL entry for %s\n", entry->ae_name)); - entry->ae_restriction_bad = 1; - } - if (entry->ae_restriction_bad) { - entry->ae_name_bad = 1; - continue; - } - break; - } - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_find_entry()=%x\n",entry)); - return(entry); -} - -/* - * kadm5int_acl_init() - Initialize ACL context. - */ -krb5_error_code -kadm5int_acl_init(kcontext, debug_level, acl_file) - krb5_context kcontext; - int debug_level; - char *acl_file; -{ - krb5_error_code kret; - - kret = 0; - acl_debug_level = debug_level; - DPRINT(DEBUG_CALLS, acl_debug_level, - ("* kadm5int_acl_init(afile=%s)\n", - ((acl_file) ? acl_file : "(null)"))); - acl_acl_file = (acl_file) ? acl_file : (char *) KRB5_DEFAULT_ADMIN_ACL; - acl_inited = kadm5int_acl_load_acl_file(); - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_init() = %d\n", kret)); - return(kret); -} - -/* - * kadm5int_acl_finish - Terminate ACL context. - */ -void -kadm5int_acl_finish(kcontext, debug_level) - krb5_context kcontext; - int debug_level; -{ - DPRINT(DEBUG_CALLS, acl_debug_level, ("* kadm5int_acl_finish()\n")); - kadm5int_acl_free_entries(); - DPRINT(DEBUG_CALLS, acl_debug_level, ("X kadm5int_acl_finish()\n")); -} - -/* - * kadm5int_acl_check_krb() - Is this operation permitted for this principal? - */ -krb5_boolean -kadm5int_acl_check_krb(kcontext, caller_princ, opmask, principal, restrictions) - krb5_context kcontext; - krb5_const_principal caller_princ; - krb5_int32 opmask; - krb5_const_principal principal; - restriction_t **restrictions; -{ - krb5_boolean retval; - aent_t *aentry; - - DPRINT(DEBUG_CALLS, acl_debug_level, ("* acl_op_permitted()\n")); - - retval = FALSE; - - aentry = kadm5int_acl_find_entry(kcontext, caller_princ, principal); - if (aentry) { - if ((aentry->ae_op_allowed & opmask) == opmask) { - retval = TRUE; - if (restrictions) { - *restrictions = - (aentry->ae_restrictions && aentry->ae_restrictions->mask) - ? aentry->ae_restrictions - : (restriction_t *) NULL; - } - } - } - - DPRINT(DEBUG_CALLS, acl_debug_level, ("X acl_op_permitted()=%d\n", - retval)); - return retval; -} - -/* - * kadm5int_acl_check() - Is this operation permitted for this principal? - * this code used not to be based on gssapi. In order - * to minimize porting hassles, I've put all the - * gssapi hair in this function. This might not be - * the best medium-term solution. (The best long-term - * solution is, of course, a real authorization service.) - */ -krb5_boolean -kadm5int_acl_check(kcontext, caller, opmask, principal, restrictions) - krb5_context kcontext; - gss_name_t caller; - krb5_int32 opmask; - krb5_principal principal; - restriction_t **restrictions; -{ - krb5_boolean retval; - gss_buffer_desc caller_buf; - gss_OID caller_oid; - OM_uint32 emin; - krb5_error_code code; - krb5_principal caller_princ; - - if (GSS_ERROR(gss_display_name(&emin, caller, &caller_buf, &caller_oid))) - return FALSE; - - code = krb5_parse_name(kcontext, (char *) caller_buf.value, - &caller_princ); - - gss_release_buffer(&emin, &caller_buf); - - if (code != 0) - return FALSE; - - retval = kadm5int_acl_check_krb(kcontext, caller_princ, - opmask, principal, restrictions); - - krb5_free_principal(kcontext, caller_princ); - - return retval; -} - -kadm5_ret_t -kadm5_get_privs(void *server_handle, long *privs) -{ - CHECK_HANDLE(server_handle); - - /* this is impossible to do with the current interface. For now, - return all privs, which will confuse some clients, but not - deny any access to users of "smart" clients which try to cache */ - - *privs = ~0; - - return KADM5_OK; -} diff --git a/src/lib/kadm5/srv/server_acl.h b/src/lib/kadm5/srv/server_acl.h deleted file mode 100644 index d8db2f7..0000000 --- a/src/lib/kadm5/srv/server_acl.h +++ /dev/null @@ -1,100 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* lib/kadm5/srv/server_acl.h */ -/* - * Copyright 1995-2004, 2007, 2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef SERVER_ACL_H__ -#define SERVER_ACL_H__ - -/* - * Debug definitions. - */ -#define DEBUG_SPROC 1 -#define DEBUG_OPERATION 2 -#define DEBUG_HOST 4 -#define DEBUG_REALM 8 -#define DEBUG_REQUESTS 16 -#define DEBUG_ACL 32 -#define DEBUG_PROTO 64 -#define DEBUG_CALLS 128 -#define DEBUG_NOSLAVES 256 -#ifdef DEBUG -#define DPRINT(l1, cl, al) if ((cl & l1) != 0) printf al -#else /* DEBUG */ -#define DPRINT(l1, cl, al) -#endif /* DEBUG */ - -/* - * Access control bits. - */ -#define ACL_ADD 1 -#define ACL_DELETE 2 -#define ACL_MODIFY 4 -#define ACL_CHANGEPW 8 -/* #define ACL_CHANGE_OWN_PW 16 */ -#define ACL_INQUIRE 32 -#define ACL_EXTRACT 64 -#define ACL_LIST 128 -#define ACL_SETKEY 256 -#define ACL_IPROP 512 -#define ACL_RENAME (ACL_ADD+ACL_DELETE) - -#define ACL_ALL_MASK (ACL_ADD | \ - ACL_DELETE | \ - ACL_MODIFY | \ - ACL_CHANGEPW | \ - ACL_INQUIRE | \ - ACL_LIST | \ - ACL_IPROP | \ - ACL_SETKEY) - -typedef struct _restriction { - long mask; - krb5_flags require_attrs; - krb5_flags forbid_attrs; - krb5_deltat princ_lifetime; - krb5_deltat pw_lifetime; - krb5_deltat max_life; - krb5_deltat max_renewable_life; - long aux_attributes; - char *policy; -} restriction_t; - -krb5_error_code kadm5int_acl_init(krb5_context, int, char *); -void kadm5int_acl_finish(krb5_context, int); -krb5_boolean kadm5int_acl_check(krb5_context, - gss_name_t, - krb5_int32, - krb5_principal, - restriction_t **); -krb5_boolean kadm5int_acl_check_krb(krb5_context, - krb5_const_principal, - krb5_int32, - krb5_const_principal, - restriction_t **); -krb5_error_code kadm5int_acl_impose_restrictions(krb5_context, - kadm5_principal_ent_rec *, - long *, - restriction_t *); -#endif /* SERVER_ACL_H__ */ diff --git a/src/lib/kadm5/srv/server_init.c b/src/lib/kadm5/srv/server_init.c index b3ae4ff..87a7322 100644 --- a/src/lib/kadm5/srv/server_init.c +++ b/src/lib/kadm5/srv/server_init.c @@ -186,7 +186,6 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, handle->context = context; initialize_ovk_error_table(); -/* initialize_adb_error_table(); */ initialize_ovku_error_table(); handle->magic_number = KADM5_SERVER_HANDLE_MAGIC; @@ -207,16 +206,6 @@ kadm5_ret_t kadm5_init(krb5_context context, char *client_name, char *pass, */ memset(¶ms_local, 0, sizeof(params_local)); -#if 0 /* Now that we look at krb5.conf as well as kdc.conf, we can - expect to see admin_server being set sometimes. */ -#define ILLEGAL_PARAMS (KADM5_CONFIG_ADMIN_SERVER) - if (params_in && (params_in->mask & ILLEGAL_PARAMS)) { - free_db_args(handle); - free(handle); - return KADM5_BAD_SERVER_PARAMS; - } -#endif - ret = kadm5_get_config_params(handle->context, 1, params_in, &handle->params); if (ret) { diff --git a/src/lib/kadm5/srv/server_kdb.c b/src/lib/kadm5/srv/server_kdb.c index 612553b..f4b8aef 100644 --- a/src/lib/kadm5/srv/server_kdb.c +++ b/src/lib/kadm5/srv/server_kdb.c @@ -365,7 +365,7 @@ kdb_put_entry(kadm5_server_handle_t handle, krb5_db_entry *kdb, osa_princ_ent_rec *adb) { krb5_error_code ret; - krb5_int32 now; + krb5_timestamp now; XDR xdrs; krb5_tl_data tl_data; diff --git a/src/lib/kadm5/srv/server_misc.c b/src/lib/kadm5/srv/server_misc.c index b361847..87e97c9 100644 --- a/src/lib/kadm5/srv/server_misc.c +++ b/src/lib/kadm5/srv/server_misc.c @@ -142,3 +142,17 @@ destroy_pwqual(kadm5_server_handle_t handle) k5_pwqual_free_handles(handle->context, handle->qual_handles); handle->qual_handles = NULL; } + +kadm5_ret_t +kadm5_get_privs(void *server_handle, long *privs) +{ + CHECK_HANDLE(server_handle); + + /* this is impossible to do with the current interface. For now, + return all privs, which will confuse some clients, but not + deny any access to users of "smart" clients which try to cache */ + + *privs = ~0; + + return KADM5_OK; +} diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c index 8f4da0e..21c53ec 100644 --- a/src/lib/kadm5/srv/svr_principal.c +++ b/src/lib/kadm5/srv/svr_principal.c @@ -296,7 +296,7 @@ kadm5_create_principal_3(void *server_handle, osa_princ_ent_rec adb; kadm5_policy_ent_rec polent; krb5_boolean have_polent = FALSE; - krb5_int32 now; + krb5_timestamp now; krb5_tl_data *tl_data_tail; unsigned int ret; kadm5_server_handle_t handle = server_handle; @@ -330,6 +330,13 @@ kadm5_create_principal_3(void *server_handle, return KADM5_BAD_MASK; if((mask & ~ALL_PRINC_MASK)) return KADM5_BAD_MASK; + if (mask & KADM5_TL_DATA) { + for (tl_data_tail = entry->tl_data; tl_data_tail != NULL; + tl_data_tail = tl_data_tail->tl_data_next) { + if (tl_data_tail->tl_data_type < 256) + return KADM5_BAD_TL_TYPE; + } + } /* * Check to see if the principal exists @@ -400,7 +407,7 @@ kadm5_create_principal_3(void *server_handle, kdb->pw_expiration = 0; if (have_polent) { if(polent.pw_max_life) - kdb->pw_expiration = now + polent.pw_max_life; + kdb->pw_expiration = ts_incr(now, polent.pw_max_life); else kdb->pw_expiration = 0; } @@ -612,7 +619,7 @@ kadm5_modify_principal(void *server_handle, &(kdb->pw_expiration)); if (ret) goto done; - kdb->pw_expiration += pol.pw_max_life; + kdb->pw_expiration = ts_incr(kdb->pw_expiration, pol.pw_max_life); } else { kdb->pw_expiration = 0; } @@ -1322,11 +1329,11 @@ kadm5_chpass_principal_3(void *server_handle, int n_ks_tuple, krb5_key_salt_tuple *ks_tuple, char *password) { - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; osa_princ_ent_rec adb; krb5_db_entry *kdb; - int ret, ret2, last_pwd, hist_added; + int ret, ret2, hist_added; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; osa_pw_hist_ent hist; @@ -1399,24 +1406,6 @@ kadm5_chpass_principal_3(void *server_handle, if ((adb.aux_attributes & KADM5_POLICY)) { /* the policy was loaded before */ - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); - if (ret) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if ((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - ret = check_pw_reuse(handle->context, hist_keyblocks, kdb->n_key_data, kdb->key_data, 1, &hist); @@ -1445,7 +1434,7 @@ kadm5_chpass_principal_3(void *server_handle, } if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { @@ -1544,9 +1533,9 @@ kadm5_randkey_principal_3(void *server_handle, { krb5_db_entry *kdb; osa_princ_ent_rec adb; - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; - int ret, last_pwd, n_new_keys; + int ret, n_new_keys; krb5_boolean have_pol = FALSE; kadm5_server_handle_t handle = server_handle; krb5_keyblock *act_mkey; @@ -1575,8 +1564,10 @@ kadm5_randkey_principal_3(void *server_handle, if (krb5_principal_compare(handle->context, principal, hist_princ)) { /* If changing the history entry, the new entry must have exactly one * key. */ - if (keepold) - return KADM5_PROTECT_PRINCIPAL; + if (keepold) { + ret = KADM5_PROTECT_PRINCIPAL; + goto done; + } new_n_ks_tuple = 1; } @@ -1605,26 +1596,8 @@ kadm5_randkey_principal_3(void *server_handle, goto done; } if (have_pol) { - ret = krb5_dbe_lookup_last_pwd_change(handle->context, kdb, &last_pwd); - if (ret) - goto done; - -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { @@ -1686,14 +1659,11 @@ kadm5_setv4key_principal(void *server_handle, { krb5_db_entry *kdb; osa_princ_ent_rec adb; - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; krb5_keysalt keysalt; int i, kvno, ret; krb5_boolean have_pol = FALSE; -#if 0 - int last_pwd; -#endif kadm5_server_handle_t handle = server_handle; krb5_key_data tmp_key_data; krb5_keyblock *act_mkey; @@ -1756,25 +1726,8 @@ kadm5_setv4key_principal(void *server_handle, goto done; } if (have_pol) { -#if 0 - /* - * The spec says this check is overridden if the caller has - * modify privilege. The admin server therefore makes this - * check itself (in chpass_principal_wrapper, misc.c). A - * local caller implicitly has all authorization bits. - */ - if (ret = krb5_dbe_lookup_last_pwd_change(handle->context, - kdb, &last_pwd)) - goto done; - if((now - last_pwd) < pol.pw_min_life && - !(kdb->attributes & KRB5_KDB_REQUIRES_PWCHANGE)) { - ret = KADM5_PASS_TOOSOON; - goto done; - } -#endif - if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { @@ -1891,7 +1844,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, { krb5_db_entry *kdb; osa_princ_ent_rec adb; - krb5_int32 now; + krb5_timestamp now; kadm5_policy_ent_rec pol; krb5_key_data *new_key_data = NULL; int i, j, ret, n_new_key_data = 0; @@ -2027,7 +1980,7 @@ kadm5_setkey_principal_4(void *server_handle, krb5_principal principal, } if (have_pol) { if (pol.pw_max_life) - kdb->pw_expiration = now + pol.pw_max_life; + kdb->pw_expiration = ts_incr(now, pol.pw_max_life); else kdb->pw_expiration = 0; } else { diff --git a/src/lib/kadm5/unit-test/setkey-test.c b/src/lib/kadm5/unit-test/setkey-test.c index 60be9e8..fa2392f 100644 --- a/src/lib/kadm5/unit-test/setkey-test.c +++ b/src/lib/kadm5/unit-test/setkey-test.c @@ -35,15 +35,6 @@ krb5_keyblock *tests[] = { test1, test2, test3, NULL }; -#if 0 -int keyblocks_equal(krb5_keyblock *kb1, krb5_keyblock *kb2) -{ - return (kb1->enctype == kb2->enctype && - kb1->length == kb2->length && - memcmp(kb1->contents, kb2->contents, kb1->length) == 0); -} -#endif - krb5_data tgtname = { 0, KRB5_TGS_NAME_SIZE, @@ -69,7 +60,8 @@ main(int argc, char **argv) char *whoami, *principal, *authprinc, *authpwd; krb5_data pwdata; void *handle; - int ret, i, test, encnum; + int ret, test, encnum; + unsigned int i; whoami = argv[0]; diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in index 5da22df..b77bf49 100644 --- a/src/lib/kdb/Makefile.in +++ b/src/lib/kdb/Makefile.in @@ -5,7 +5,7 @@ LOCALINCLUDES= -I. # Keep LIBMAJOR in sync with KRB5_KDB_API_VERSION in include/kdb.h. LIBBASE=kdb5 -LIBMAJOR=8 +LIBMAJOR=9 LIBMINOR=0 LIBINITFUNC=kdb_init_lock_list LIBFINIFUNC=kdb_fini_lock_list diff --git a/src/lib/kdb/deps b/src/lib/kdb/deps index c2ce27f..152ef7f 100644 --- a/src/lib/kdb/deps +++ b/src/lib/kdb/deps @@ -153,5 +153,6 @@ t_ulog.so t_ulog.po $(OUTPRE)t_ulog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h t_ulog.c t_sort_key_data.so t_sort_key_data.po $(OUTPRE)t_sort_key_data.$(OBJEXT): \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/kdb.h \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-cmocka.h $(top_srcdir)/include/kdb.h \ $(top_srcdir)/include/krb5.h t_sort_key_data.c diff --git a/src/lib/kdb/iprop.x b/src/lib/kdb/iprop.x index b04a453..8796589 100644 --- a/src/lib/kdb/iprop.x +++ b/src/lib/kdb/iprop.x @@ -12,7 +12,7 @@ * Generated files: * lib/kdb/iprop_xdr.c * include/iprop.h - * slave/kpropd_rpc.c (clnt) + * kprop/kpropd_rpc.c (clnt) * * Derived files: * kadmin/server/ipropd_svc.c @@ -174,7 +174,7 @@ struct kdb_incr_update_t { kdbe_t kdb_update; /* Attributes modified */ bool kdb_deleted; /* Is this update a DELETION ? */ bool kdb_commit; /* Is the entry committed or not ? */ - utf8str_t kdb_kdcs_seen_by<>; /* Names of slaves that have */ + utf8str_t kdb_kdcs_seen_by<>; /* Names of replicass that have */ /* seen this update - for */ /* future use */ opaque kdb_futures<>; /* futures */ diff --git a/src/lib/kdb/iprop_xdr.c b/src/lib/kdb/iprop_xdr.c index 8bf2c89..b866fdf 100644 --- a/src/lib/kdb/iprop_xdr.c +++ b/src/lib/kdb/iprop_xdr.c @@ -12,7 +12,7 @@ static bool_t xdr_int16_t (XDR *xdrs, int16_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_short (xdrs, objp)) return FALSE; @@ -22,7 +22,7 @@ xdr_int16_t (XDR *xdrs, int16_t *objp) static bool_t xdr_int32_t (XDR *xdrs, int32_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_int (xdrs, objp)) return FALSE; @@ -32,7 +32,7 @@ xdr_int32_t (XDR *xdrs, int32_t *objp) static bool_t xdr_uint32_t (XDR *xdrs, uint32_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_u_int (xdrs, objp)) return FALSE; @@ -42,7 +42,7 @@ xdr_uint32_t (XDR *xdrs, uint32_t *objp) bool_t xdr_utf8str_t (XDR *xdrs, utf8str_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_bytes (xdrs, (char **)&objp->utf8str_t_val, (u_int *) &objp->utf8str_t_len, ~0)) return FALSE; @@ -52,7 +52,7 @@ xdr_utf8str_t (XDR *xdrs, utf8str_t *objp) bool_t xdr_kdb_sno_t (XDR *xdrs, kdb_sno_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_uint32_t (xdrs, objp)) return FALSE; @@ -62,7 +62,7 @@ xdr_kdb_sno_t (XDR *xdrs, kdb_sno_t *objp) bool_t xdr_kdbe_time_t (XDR *xdrs, kdbe_time_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_uint32_t (xdrs, &objp->seconds)) return FALSE; @@ -74,7 +74,7 @@ xdr_kdbe_time_t (XDR *xdrs, kdbe_time_t *objp) bool_t xdr_kdbe_key_t (XDR *xdrs, kdbe_key_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_int32_t (xdrs, &objp->k_ver)) return FALSE; @@ -92,7 +92,7 @@ xdr_kdbe_key_t (XDR *xdrs, kdbe_key_t *objp) bool_t xdr_kdbe_data_t (XDR *xdrs, kdbe_data_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_int32_t (xdrs, &objp->k_magic)) return FALSE; @@ -104,7 +104,7 @@ xdr_kdbe_data_t (XDR *xdrs, kdbe_data_t *objp) bool_t xdr_kdbe_princ_t (XDR *xdrs, kdbe_princ_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_utf8str_t (xdrs, &objp->k_realm)) return FALSE; @@ -119,7 +119,7 @@ xdr_kdbe_princ_t (XDR *xdrs, kdbe_princ_t *objp) bool_t xdr_kdbe_tl_t (XDR *xdrs, kdbe_tl_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_int16_t (xdrs, &objp->tl_type)) return FALSE; @@ -131,7 +131,7 @@ xdr_kdbe_tl_t (XDR *xdrs, kdbe_tl_t *objp) bool_t xdr_kdbe_pw_hist_t (XDR *xdrs, kdbe_pw_hist_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_array (xdrs, (char **)&objp->kdbe_pw_hist_t_val, (u_int *) &objp->kdbe_pw_hist_t_len, ~0, sizeof (kdbe_key_t), (xdrproc_t) xdr_kdbe_key_t)) @@ -142,7 +142,7 @@ xdr_kdbe_pw_hist_t (XDR *xdrs, kdbe_pw_hist_t *objp) bool_t xdr_kdbe_attr_type_t (XDR *xdrs, kdbe_attr_type_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_enum (xdrs, (enum_t *) objp)) return FALSE; @@ -152,7 +152,7 @@ xdr_kdbe_attr_type_t (XDR *xdrs, kdbe_attr_type_t *objp) bool_t xdr_kdbe_val_t (XDR *xdrs, kdbe_val_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_kdbe_attr_type_t (xdrs, &objp->av_type)) return FALSE; @@ -251,7 +251,7 @@ xdr_kdbe_val_t (XDR *xdrs, kdbe_val_t *objp) bool_t xdr_kdbe_t (XDR *xdrs, kdbe_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_array (xdrs, (char **)&objp->kdbe_t_val, (u_int *) &objp->kdbe_t_len, ~0, sizeof (kdbe_val_t), (xdrproc_t) xdr_kdbe_val_t)) @@ -262,7 +262,7 @@ xdr_kdbe_t (XDR *xdrs, kdbe_t *objp) bool_t xdr_kdb_incr_update_t (XDR *xdrs, kdb_incr_update_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_utf8str_t (xdrs, &objp->kdb_princ_name)) return FALSE; @@ -287,7 +287,7 @@ xdr_kdb_incr_update_t (XDR *xdrs, kdb_incr_update_t *objp) bool_t xdr_kdb_ulog_t (XDR *xdrs, kdb_ulog_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_array (xdrs, (char **)&objp->kdb_ulog_t_val, (u_int *) &objp->kdb_ulog_t_len, ~0, sizeof (kdb_incr_update_t), (xdrproc_t) xdr_kdb_incr_update_t)) @@ -298,7 +298,7 @@ xdr_kdb_ulog_t (XDR *xdrs, kdb_ulog_t *objp) bool_t xdr_update_status_t (XDR *xdrs, update_status_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_enum (xdrs, (enum_t *) objp)) return FALSE; @@ -308,7 +308,7 @@ xdr_update_status_t (XDR *xdrs, update_status_t *objp) bool_t xdr_kdb_last_t (XDR *xdrs, kdb_last_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_kdb_sno_t (xdrs, &objp->last_sno)) return FALSE; @@ -320,7 +320,7 @@ xdr_kdb_last_t (XDR *xdrs, kdb_last_t *objp) bool_t xdr_kdb_incr_result_t (XDR *xdrs, kdb_incr_result_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) return FALSE; @@ -334,7 +334,7 @@ xdr_kdb_incr_result_t (XDR *xdrs, kdb_incr_result_t *objp) bool_t xdr_kdb_fullresync_result_t (XDR *xdrs, kdb_fullresync_result_t *objp) { - register int32_t *buf; + int32_t *buf; if (!xdr_kdb_last_t (xdrs, &objp->lastentry)) return FALSE; diff --git a/src/lib/kdb/kdb5.c b/src/lib/kdb/kdb5.c index 6907257..da53322 100644 --- a/src/lib/kdb/kdb5.c +++ b/src/lib/kdb/kdb5.c @@ -322,12 +322,7 @@ copy_vtable(const kdb_vftabl *in, kdb_vftabl *out) out->audit_as_req = in->audit_as_req; out->refresh_config = in->refresh_config; out->check_allowed_to_delegate = in->check_allowed_to_delegate; - - /* Copy fields for minor version 1 (major version 6). */ - assert(KRB5_KDB_DAL_MAJOR_VERSION == 6); - out->free_principal_e_data = NULL; - if (in->min_ver >= 1) - out->free_principal_e_data = in->free_principal_e_data; + out->free_principal_e_data = in->free_principal_e_data; /* Set defaults for optional fields. */ if (out->fetch_master_key == NULL) @@ -1297,7 +1292,7 @@ find_actkvno(krb5_actkvno_node *list, krb5_timestamp now) * are in the future, we will return the first node; if all are in the * past, we will return the last node. */ - while (list->next != NULL && list->next->act_time <= now) + while (list->next != NULL && !ts_after(list->next->act_time, now)) list = list->next; return list->act_kvno; } @@ -2678,8 +2673,10 @@ krb5_db_check_policy_tgs(krb5_context kcontext, krb5_kdc_req *request, void krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_timestamp authtime, krb5_error_code error_code) + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, + krb5_db_entry *server, krb5_timestamp authtime, + krb5_error_code error_code) { krb5_error_code status; kdb_vftabl *v; @@ -2687,7 +2684,8 @@ krb5_db_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, status = get_vftabl(kcontext, &v); if (status || v->audit_as_req == NULL) return; - v->audit_as_req(kcontext, request, client, server, authtime, error_code); + v->audit_as_req(kcontext, request, local_addr, remote_addr, + client, server, authtime, error_code); } void diff --git a/src/lib/kdb/kdb_convert.c b/src/lib/kdb/kdb_convert.c index 8172e9d..7614073 100644 --- a/src/lib/kdb/kdb_convert.c +++ b/src/lib/kdb/kdb_convert.c @@ -228,7 +228,7 @@ conv_princ_2ulog(krb5_principal princ, kdb_incr_update_t *upd, static void set_from_utf8str(krb5_data *d, utf8str_t u) { - if (u.utf8str_t_len > INT_MAX-1 || u.utf8str_t_len >= SIZE_MAX-1) { + if (u.utf8str_t_len > INT_MAX - 1) { d->data = NULL; return; } @@ -419,7 +419,7 @@ ulog_conv_2logentry(krb5_context context, krb5_db_entry *entry, break; case AT_FAIL_AUTH_COUNT: - if (!exclude_nra && entry->fail_auth_count >= (krb5_kvno)0) { + if (!exclude_nra) { ULOG_ENTRY_TYPE(update, ++final).av_type = AT_FAIL_AUTH_COUNT; ULOG_ENTRY(update, final).av_fail_auth_count = @@ -579,7 +579,7 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry, kdb_incr_update_t *update) { krb5_db_entry *ent; - int slave; + int replica; krb5_principal mod_princ = NULL; int i, j, cnt = 0, mod_time = 0, nattrs; krb5_principal dbprinc; @@ -592,8 +592,8 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry, *entry = NULL; - slave = (context->kdblog_context != NULL) && - (context->kdblog_context->iproprole == IPROP_SLAVE); + replica = (context->kdblog_context != NULL) && + (context->kdblog_context->iproprole == IPROP_REPLICA); /* * Store the no. of changed attributes in nattrs @@ -655,17 +655,17 @@ ulog_conv_2dbentry(krb5_context context, krb5_db_entry **entry, break; case AT_LAST_SUCCESS: - if (!slave) + if (!replica) ent->last_success = (krb5_timestamp) u.av_last_success; break; case AT_LAST_FAILED: - if (!slave) + if (!replica) ent->last_failed = (krb5_timestamp) u.av_last_failed; break; case AT_FAIL_AUTH_COUNT: - if (!slave) + if (!replica) ent->fail_auth_count = (krb5_kvno) u.av_fail_auth_count; break; diff --git a/src/lib/kdb/kdb_default.c b/src/lib/kdb/kdb_default.c index 7a75148..a1021f1 100644 --- a/src/lib/kdb/kdb_default.c +++ b/src/lib/kdb/kdb_default.c @@ -282,7 +282,7 @@ krb5_db_def_fetch_mkey_stash(krb5_context context, key->length = keylength; #endif - if (!key->length || ((int) key->length) < 0) { + if (!key->length || key->length > 1024) { retval = KRB5_KDB_BADSTORED_MKEY; goto errout; } diff --git a/src/lib/kdb/kdb_log.c b/src/lib/kdb/kdb_log.c index 766d300..2659a25 100644 --- a/src/lib/kdb/kdb_log.c +++ b/src/lib/kdb/kdb_log.c @@ -34,6 +34,23 @@ static int pagesize = 0; ulog = log_ctx->ulog; \ assert(ulog != NULL) +/* Initialize context->kdblog_context if it does not yet exist, and return it. + * Return NULL on allocation failure. */ +static kdb_log_context * +create_log_context(krb5_context context) +{ + kdb_log_context *log_ctx; + + if (context->kdblog_context != NULL) + return context->kdblog_context; + log_ctx = calloc(1, sizeof(*log_ctx)); + if (log_ctx == NULL) + return NULL; + log_ctx->ulogfd = -1; + context->kdblog_context = log_ctx; + return log_ctx; +} + static inline krb5_boolean time_equal(const kdbe_time_t *a, const kdbe_time_t *b) { @@ -130,7 +147,7 @@ get_sno_status(kdb_log_context *log_ctx, const kdb_last_t *last) } /* Extend update log file. */ -static int +static krb5_error_code extend_file_to(int fd, unsigned int new_size) { off_t current_offset; @@ -140,22 +157,18 @@ extend_file_to(int fd, unsigned int new_size) current_offset = lseek(fd, 0, SEEK_END); if (current_offset < 0) - return -1; - if (new_size > INT_MAX) { - errno = EINVAL; - return -1; - } + return errno; + if (new_size > INT_MAX) + return EINVAL; while (current_offset < (off_t)new_size) { write_size = new_size - current_offset; if (write_size > 512) write_size = 512; wrote_size = write(fd, zero, write_size); if (wrote_size < 0) - return -1; - if (wrote_size == 0) { - errno = EINVAL; - return -1; - } + return errno; + if (wrote_size == 0) + return EINVAL; current_offset += wrote_size; write_size = new_size - current_offset; } @@ -165,7 +178,7 @@ extend_file_to(int fd, unsigned int new_size) /* * Resize the array elements. We reinitialize the update log rather than * unrolling the the log and copying it over to a temporary log for obvious - * performance reasons. Slaves will subsequently do a full resync, but the + * performance reasons. Replicas will subsequently do a full resync, but the * need for resizing should be very small. */ static krb5_error_code @@ -194,10 +207,7 @@ resize(kdb_hlog_t *ulog, uint32_t ulogentries, int ulogfd, sync_header(ulog); /* Expand log considering new block size. */ - if (extend_file_to(ulogfd, new_size) < 0) - return errno; - - return 0; + return extend_file_to(ulogfd, new_size); } /* Set the ulog to contain only a dummy entry with the given serial number and @@ -343,7 +353,7 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) return ret; /* If we have reached the last possible serial number, reinitialize the - * ulog and start over. Slaves will do a full resync. */ + * ulog and start over. Replicas will do a full resync. */ if (ulog->kdb_last_sno == (kdb_sno_t)-1) reset_ulog(log_ctx); @@ -354,7 +364,7 @@ ulog_add_update(krb5_context context, kdb_incr_update_t *upd) return ret; } -/* Used by the slave to update its hash db from the incr update log. */ +/* Used by the replica to update its hash db from the incr update log. */ krb5_error_code ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) { @@ -369,19 +379,10 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) INIT_ULOG(context); - /* Lock the DB before the ulog to avoid deadlock. */ retval = krb5_db_open(context, db_args, KRB5_KDB_OPEN_RW | KRB5_KDB_SRV_TYPE_ADMIN); if (retval) return retval; - retval = krb5_db_lock(context, KRB5_DB_LOCKMODE_EXCLUSIVE); - if (retval) - return retval; - retval = lock_ulog(context, KRB5_LOCKMODE_EXCLUSIVE); - if (retval) { - krb5_db_unlock(context); - return retval; - } no_of_updates = incr_ret->updates.kdb_ulog_t_len; upd = incr_ret->updates.kdb_ulog_t_val; @@ -391,11 +392,7 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) if (!upd->kdb_commit) continue; - /* If (unexpectedly) this update does not follow the last one we - * stored, discard any previous ulog state. */ - if (ulog->kdb_num != 0 && upd->kdb_entry_sno != ulog->kdb_last_sno + 1) - reset_ulog(log_ctx); - + /* Replay this update in the database. */ if (upd->kdb_deleted) { dbprincstr = k5memdup0(upd->kdb_princ_name.utf8str_t_val, upd->kdb_princ_name.utf8str_t_len, &retval); @@ -424,7 +421,18 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) goto cleanup; } + retval = lock_ulog(context, KRB5_LOCKMODE_EXCLUSIVE); + if (retval) + goto cleanup; + + /* If (unexpectedly) this update does not follow the last one we + * stored, discard any previous ulog state. */ + if (ulog->kdb_num != 0 && upd->kdb_entry_sno != ulog->kdb_last_sno + 1) + reset_ulog(log_ctx); + + /* Store this update in the ulog for any downstream KDCs. */ retval = store_update(log_ctx, upd); + unlock_ulog(context); if (retval) goto cleanup; @@ -432,12 +440,10 @@ ulog_replay(krb5_context context, kdb_incr_result_t *incr_ret, char **db_args) } cleanup: + if (retval) + (void)ulog_init_header(context); if (fupd) ulog_free_entries(fupd, no_of_updates); - if (retval) - reset_ulog(log_ctx); - unlock_ulog(context); - krb5_db_unlock(context); return retval; } @@ -458,13 +464,7 @@ ulog_init_header(krb5_context context) return 0; } -/* - * Map the log file to memory for performance and simplicity. - * - * Called by: if iprop_enabled then ulog_map(); - * Assumes that the caller will terminate on ulog_map, hence munmap and - * closing of the fd are implicitly performed by the caller. - */ +/* Map the log file to memory for performance and simplicity. */ krb5_error_code ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) { @@ -473,50 +473,49 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) uint32_t filesize; kdb_log_context *log_ctx; kdb_hlog_t *ulog = NULL; - int ulogfd = -1; + krb5_boolean locked = FALSE; + + log_ctx = create_log_context(context); + if (log_ctx == NULL) + return ENOMEM; if (stat(logname, &st) == -1) { - ulogfd = open(logname, O_RDWR | O_CREAT, 0600); - if (ulogfd == -1) - return errno; + log_ctx->ulogfd = open(logname, O_RDWR | O_CREAT, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; + } filesize = sizeof(kdb_hlog_t) + ulogentries * ULOG_BLOCK; - if (extend_file_to(ulogfd, filesize) < 0) - return errno; + retval = extend_file_to(log_ctx->ulogfd, filesize); + if (retval) + goto cleanup; } else { - ulogfd = open(logname, O_RDWR, 0600); - if (ulogfd == -1) - return errno; + log_ctx->ulogfd = open(logname, O_RDWR, 0600); + if (log_ctx->ulogfd == -1) { + retval = errno; + goto cleanup; + } } - ulog = mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED, ulogfd, 0); + ulog = mmap(0, MAXLOGLEN, PROT_READ | PROT_WRITE, MAP_SHARED, + log_ctx->ulogfd, 0); if (ulog == MAP_FAILED) { - /* Can't map update log file to memory. */ - close(ulogfd); - return errno; - } - - if (!context->kdblog_context) { - log_ctx = k5alloc(sizeof(kdb_log_context), &retval); - if (log_ctx == NULL) - return retval; - memset(log_ctx, 0, sizeof(*log_ctx)); - context->kdblog_context = log_ctx; - } else { - log_ctx = context->kdblog_context; + retval = errno; + goto cleanup; } log_ctx->ulog = ulog; log_ctx->ulogentries = ulogentries; - log_ctx->ulogfd = ulogfd; retval = lock_ulog(context, KRB5_LOCKMODE_EXCLUSIVE); if (retval) - return retval; + goto cleanup; + locked = TRUE; if (ulog->kdb_hmagic != KDB_ULOG_HDR_MAGIC) { if (ulog->kdb_hmagic != 0) { - unlock_ulog(context); - return KRB5_LOG_CORRUPT; + retval = KRB5_LOG_CORRUPT; + goto cleanup; } reset_ulog(log_ctx); } @@ -532,14 +531,17 @@ ulog_map(krb5_context context, const char *logname, uint32_t ulogentries) if (ulog->kdb_num != ulogentries) { /* Expand the ulog file if it isn't big enough. */ filesize = sizeof(kdb_hlog_t) + ulogentries * ulog->kdb_block; - if (extend_file_to(ulogfd, filesize) < 0) { - unlock_ulog(context); - return errno; - } + retval = extend_file_to(log_ctx->ulogfd, filesize); + if (retval) + goto cleanup; } - unlock_ulog(context); - return 0; +cleanup: + if (locked) + unlock_ulog(context); + if (retval) + ulog_fini(context); + return retval; } /* Get the last set of updates seen, (last+1) to n is returned. */ @@ -617,11 +619,8 @@ cleanup: krb5_error_code ulog_set_role(krb5_context ctx, iprop_role role) { - if (ctx->kdblog_context == NULL) { - ctx->kdblog_context = calloc(1, sizeof(*ctx->kdblog_context)); - if (ctx->kdblog_context == NULL) - return ENOMEM; - } + if (create_log_context(ctx) == NULL) + return ENOMEM; ctx->kdblog_context->iproprole = role; return 0; } @@ -682,6 +681,8 @@ ulog_fini(krb5_context context) return; if (log_ctx->ulog != NULL) munmap(log_ctx->ulog, MAXLOGLEN); + if (log_ctx->ulogfd != -1) + close(log_ctx->ulogfd); free(log_ctx); context->kdblog_context = NULL; } diff --git a/src/lib/kdb/t_sort_key_data.c b/src/lib/kdb/t_sort_key_data.c index d03d507..ffd1a15 100644 --- a/src/lib/kdb/t_sort_key_data.c +++ b/src/lib/kdb/t_sort_key_data.c @@ -30,10 +30,7 @@ * OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include -#include -#include -#include +#include "k5-cmocka.h" #include "kdb.h" #define KEY(kvno) { \ diff --git a/src/lib/kdb/t_stringattr.py b/src/lib/kdb/t_stringattr.py index 085e179..93e2b0c 100755 --- a/src/lib/kdb/t_stringattr.py +++ b/src/lib/kdb/t_stringattr.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_kdb=False) diff --git a/src/lib/krad/t_daemon.py b/src/lib/krad/t_daemon.py index dcda005..7668cd7 100755 --- a/src/lib/krad/t_daemon.py +++ b/src/lib/krad/t_daemon.py @@ -1,5 +1,3 @@ -#!/usr/bin/python -# # Copyright 2013 Red Hat, Inc. All rights reserved. # # Redistribution and use in source and binary forms, with or without @@ -25,7 +23,7 @@ # NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS # SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -import StringIO +from io import StringIO import os import sys import signal diff --git a/src/lib/krb5/asn.1/Makefile.in b/src/lib/krb5/asn.1/Makefile.in index e2e6a35..fe29523 100644 --- a/src/lib/krb5/asn.1/Makefile.in +++ b/src/lib/krb5/asn.1/Makefile.in @@ -9,19 +9,16 @@ EHDRDIR=$(BUILDTOP)/include/krb5/asn.1 STLIBOBJS= \ asn1_encode.o\ - asn1buf.o\ asn1_k_encode.o\ ldap_key_seq.o SRCS= \ $(srcdir)/asn1_encode.c\ - $(srcdir)/asn1buf.c\ $(srcdir)/asn1_k_encode.c\ $(srcdir)/ldap_key_seq.c OBJS= \ $(OUTPRE)asn1_encode.$(OBJEXT)\ - $(OUTPRE)asn1buf.$(OBJEXT)\ $(OUTPRE)asn1_k_encode.$(OBJEXT)\ $(OUTPRE)ldap_key_seq.$(OBJEXT) diff --git a/src/lib/krb5/asn.1/README.asn1 b/src/lib/krb5/asn.1/README.asn1 index fcc7b78..dcc48c4 100644 --- a/src/lib/krb5/asn.1/README.asn1 +++ b/src/lib/krb5/asn.1/README.asn1 @@ -109,7 +109,7 @@ DEFUINTTYPE if it is an unsigned type. (For booleans, the distinction is unimportant since all integer types can hold the values 0 and 1.) We don't generally define integer mappings for every typedef name of an integer type. For example, we use the type descriptor int32, which -maps an ASN.1 INTEGER to a krb5_int32, for krb5_enctype values. +maps an ASN.1 INTEGER to an int32_t, for krb5_enctype values. String types are a little more complicated. Our practice is to store strings in a krb5_data structure (rather than a zero-terminated C @@ -126,8 +126,8 @@ detail later) with something like: The first parameter is an identifier you make up. The second and third parameters are the C types of the pointer and integer holding the string; for a krb5_data object, those should be the types in the -example. The pointer type must be char * or unsigned char *. The -fourth and fifth parameters reference primitive encoder and decoder +example. The pointer type must be char * or uint8_t *. The fourth +and fifth parameters reference primitive encoder and decoder functions; these should almost always be the ones in the example, unless the ASN.1 type is BIT STRING. The sixth parameter is the universal tag number of the ASN.1 type, as defined in krbasn1.h. @@ -299,9 +299,9 @@ pointer wrapper for the sequence element type (*not* the element type itself). For example, an array of 32-bit signed integers is defined as: - DEFINTTYPE(int32, krb5_int32); + DEFINTTYPE(int32, int32_t); DEFPTRTYPE(int32_ptr, int32); - DEFCOUNTEDSEQOFTYPE(cseqof_int32, krb5_int32, int32_ptr); + DEFCOUNTEDSEQOFTYPE(cseqof_int32, int32_t, int32_ptr); To use a counted sequence-of type in a sequence, use DEFCOUNTEDTYPE: diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c index a7423b6..a160cf4 100644 --- a/src/lib/krb5/asn.1/asn1_encode.c +++ b/src/lib/krb5/asn.1/asn1_encode.c @@ -26,97 +26,94 @@ #include "asn1_encode.h" +struct asn1buf_st { + uint8_t *ptr; /* Position, moving backwards; may be NULL */ + size_t count; /* Count of bytes written so far */ +}; + /**** Functions for encoding primitive types ****/ -asn1_error_code -k5_asn1_encode_bool(asn1buf *buf, intmax_t val, size_t *len_out) +/* Insert one byte into buf going backwards. */ +static inline void +insert_byte(asn1buf *buf, uint8_t o) { - asn1_octet bval = val ? 0xFF : 0x00; + if (buf->ptr != NULL) { + buf->ptr--; + *buf->ptr = o; + } + buf->count++; +} - *len_out = 1; - return asn1buf_insert_octet(buf, bval); +/* Insert a block of bytes into buf going backwards (but without reversing + * bytes). */ +static inline void +insert_bytes(asn1buf *buf, const void *bytes, size_t len) +{ + if (buf->ptr != NULL) { + memcpy(buf->ptr - len, bytes, len); + buf->ptr -= len; + } + buf->count += len; } -asn1_error_code -k5_asn1_encode_int(asn1buf *buf, intmax_t val, size_t *len_out) +void +k5_asn1_encode_bool(asn1buf *buf, intmax_t val) +{ + insert_byte(buf, val ? 0xFF : 0x00); +} + +void +k5_asn1_encode_int(asn1buf *buf, intmax_t val) { - asn1_error_code ret; - size_t len = 0; long valcopy; int digit; valcopy = val; do { digit = valcopy & 0xFF; - ret = asn1buf_insert_octet(buf, digit); - if (ret) - return ret; - len++; + insert_byte(buf, digit); valcopy = valcopy >> 8; } while (valcopy != 0 && valcopy != ~0); - if (val > 0 && (digit & 0x80) == 0x80) { /* make sure the high bit is */ - ret = asn1buf_insert_octet(buf, 0); /* of the proper signed-ness */ - if (ret) - return ret; - len++; - } else if (val < 0 && (digit & 0x80) != 0x80) { - ret = asn1buf_insert_octet(buf, 0xFF); - if (ret) - return ret; - len++; - } - - - *len_out = len; - return 0; + /* Make sure the high bit is of the proper signed-ness. */ + if (val > 0 && (digit & 0x80) == 0x80) + insert_byte(buf, 0); + else if (val < 0 && (digit & 0x80) != 0x80) + insert_byte(buf, 0xFF); } -asn1_error_code -k5_asn1_encode_uint(asn1buf *buf, uintmax_t val, size_t *len_out) +void +k5_asn1_encode_uint(asn1buf *buf, uintmax_t val) { - asn1_error_code ret; - size_t len = 0; uintmax_t valcopy; int digit; valcopy = val; do { digit = valcopy & 0xFF; - ret = asn1buf_insert_octet(buf, digit); - if (ret) - return ret; - len++; + insert_byte(buf, digit); valcopy = valcopy >> 8; } while (valcopy != 0); - if (digit & 0x80) { /* make sure the high bit is */ - ret = asn1buf_insert_octet(buf, 0); /* of the proper signed-ness */ - if (ret) - return ret; - len++; - } - - *len_out = len; - return 0; + /* Make sure the high bit is of the proper signed-ness. */ + if (digit & 0x80) + insert_byte(buf, 0); } -asn1_error_code -k5_asn1_encode_bytestring(asn1buf *buf, unsigned char *const *val, size_t len, - size_t *len_out) +krb5_error_code +k5_asn1_encode_bytestring(asn1buf *buf, uint8_t *const *val, size_t len) { if (len > 0 && val == NULL) return ASN1_MISSING_FIELD; - *len_out = len; - return asn1buf_insert_octetstring(buf, len, *val); + insert_bytes(buf, *val, len); + return 0; } -asn1_error_code -k5_asn1_encode_generaltime(asn1buf *buf, time_t val, size_t *len_out) +krb5_error_code +k5_asn1_encode_generaltime(asn1buf *buf, time_t val) { struct tm *gtime, gtimebuf; - char s[16]; - unsigned char *sp; + char s[16], *sp; time_t gmt_time = val; int len; @@ -124,7 +121,7 @@ k5_asn1_encode_generaltime(asn1buf *buf, time_t val, size_t *len_out) * Time encoding: YYYYMMDDhhmmssZ */ if (gmt_time == 0) { - sp = (unsigned char *)"19700101000000Z"; + sp = "19700101000000Z"; } else { /* * Sanity check this just to be paranoid, as gmtime can return NULL, @@ -157,29 +154,25 @@ k5_asn1_encode_generaltime(asn1buf *buf, time_t val, size_t *len_out) if (SNPRINTF_OVERFLOW(len, sizeof(s))) /* Shouldn't be possible given above tests. */ return ASN1_BAD_GMTIME; - sp = (unsigned char *)s; + sp = s; } - return k5_asn1_encode_bytestring(buf, &sp, 15, len_out); + insert_bytes(buf, sp, 15); + return 0; } -asn1_error_code -k5_asn1_encode_bitstring(asn1buf *buf, unsigned char *const *val, size_t len, - size_t *len_out) +krb5_error_code +k5_asn1_encode_bitstring(asn1buf *buf, uint8_t *const *val, size_t len) { - asn1_error_code ret; - - ret = asn1buf_insert_octetstring(buf, len, *val); - if (ret) - return ret; - *len_out = len + 1; - return asn1buf_insert_octet(buf, '\0'); + insert_bytes(buf, *val, len); + insert_byte(buf, 0); + return 0; } /**** Functions for decoding primitive types ****/ -asn1_error_code -k5_asn1_decode_bool(const unsigned char *asn1, size_t len, intmax_t *val) +krb5_error_code +k5_asn1_decode_bool(const uint8_t *asn1, size_t len, intmax_t *val) { if (len != 1) return ASN1_BAD_LENGTH; @@ -189,8 +182,8 @@ k5_asn1_decode_bool(const unsigned char *asn1, size_t len, intmax_t *val) /* Decode asn1/len as the contents of a DER integer, placing the signed result * in val. */ -asn1_error_code -k5_asn1_decode_int(const unsigned char *asn1, size_t len, intmax_t *val) +krb5_error_code +k5_asn1_decode_int(const uint8_t *asn1, size_t len, intmax_t *val) { intmax_t n; size_t i; @@ -209,8 +202,8 @@ k5_asn1_decode_int(const unsigned char *asn1, size_t len, intmax_t *val) /* Decode asn1/len as the contents of a DER integer, placing the unsigned * result in val. */ -asn1_error_code -k5_asn1_decode_uint(const unsigned char *asn1, size_t len, uintmax_t *val) +krb5_error_code +k5_asn1_decode_uint(const uint8_t *asn1, size_t len, uintmax_t *val) { uintmax_t n; size_t i; @@ -226,11 +219,11 @@ k5_asn1_decode_uint(const unsigned char *asn1, size_t len, uintmax_t *val) return 0; } -asn1_error_code -k5_asn1_decode_bytestring(const unsigned char *asn1, size_t len, - unsigned char **str_out, size_t *len_out) +krb5_error_code +k5_asn1_decode_bytestring(const uint8_t *asn1, size_t len, + uint8_t **str_out, size_t *len_out) { - unsigned char *str; + uint8_t *str; *str_out = NULL; *len_out = 0; @@ -245,9 +238,8 @@ k5_asn1_decode_bytestring(const unsigned char *asn1, size_t len, return 0; } -asn1_error_code -k5_asn1_decode_generaltime(const unsigned char *asn1, size_t len, - time_t *time_out) +krb5_error_code +k5_asn1_decode_generaltime(const uint8_t *asn1, size_t len, time_t *time_out) { const char *s = (char *)asn1; struct tm ts; @@ -284,11 +276,11 @@ k5_asn1_decode_generaltime(const unsigned char *asn1, size_t len, * number of bits is not a multiple of 8 we effectively round up to the next * multiple of 8. */ -asn1_error_code -k5_asn1_decode_bitstring(const unsigned char *asn1, size_t len, - unsigned char **bits_out, size_t *len_out) +krb5_error_code +k5_asn1_decode_bitstring(const uint8_t *asn1, size_t len, + uint8_t **bits_out, size_t *len_out) { - unsigned char unused, *bits; + uint8_t unused, *bits; *bits_out = NULL; *len_out = 0; @@ -315,68 +307,39 @@ k5_asn1_decode_bitstring(const unsigned char *asn1, size_t len, /* Encode a DER tag into buf with the tag parameters in t and the content * length len. Place the length of the encoded tag in *retlen. */ -static asn1_error_code -make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen) +static krb5_error_code +make_tag(asn1buf *buf, const taginfo *t, size_t len) { - asn1_error_code ret; asn1_tagnum tag_copy; - size_t sum = 0, length, len_copy; + size_t len_copy, oldcount; if (t->tagnum > ASN1_TAGNUM_MAX) return ASN1_OVERFLOW; /* Encode the length of the content within the tag. */ if (len < 128) { - ret = asn1buf_insert_octet(buf, len & 0x7F); - if (ret) - return ret; - length = 1; + insert_byte(buf, len & 0x7F); } else { - length = 0; - for (len_copy = len; len_copy != 0; len_copy >>= 8) { - ret = asn1buf_insert_octet(buf, len_copy & 0xFF); - if (ret) - return ret; - length++; - } - ret = asn1buf_insert_octet(buf, 0x80 | (length & 0x7F)); - if (ret) - return ret; - length++; + oldcount = buf->count; + for (len_copy = len; len_copy != 0; len_copy >>= 8) + insert_byte(buf, len_copy & 0xFF); + insert_byte(buf, 0x80 | ((buf->count - oldcount) & 0x7F)); } - sum += length; /* Encode the tag and construction bit. */ if (t->tagnum < 31) { - ret = asn1buf_insert_octet(buf, - t->asn1class | t->construction | t->tagnum); - if (ret) - return ret; - length = 1; + insert_byte(buf, t->asn1class | t->construction | t->tagnum); } else { tag_copy = t->tagnum; - length = 0; - ret = asn1buf_insert_octet(buf, tag_copy & 0x7F); - if (ret) - return ret; + insert_byte(buf, tag_copy & 0x7F); tag_copy >>= 7; - length++; - for (; tag_copy != 0; tag_copy >>= 7) { - ret = asn1buf_insert_octet(buf, 0x80 | (tag_copy & 0x7F)); - if (ret) - return ret; - length++; - } + for (; tag_copy != 0; tag_copy >>= 7) + insert_byte(buf, 0x80 | (tag_copy & 0x7F)); - ret = asn1buf_insert_octet(buf, t->asn1class | t->construction | 0x1F); - if (ret) - return ret; - length++; + insert_byte(buf, t->asn1class | t->construction | 0x1F); } - sum += length; - *retlen = sum; return 0; } @@ -390,14 +353,14 @@ make_tag(asn1buf *buf, const taginfo *t, size_t len, size_t *retlen) * really ancient implementations we handle the indefinite length form in tags. * However, we still insist on the primitive form of string types.) */ -static asn1_error_code -get_tag(const unsigned char *asn1, size_t len, taginfo *tag_out, - const unsigned char **contents_out, size_t *clen_out, - const unsigned char **remainder_out, size_t *rlen_out) +static krb5_error_code +get_tag(const uint8_t *asn1, size_t len, taginfo *tag_out, + const uint8_t **contents_out, size_t *clen_out, + const uint8_t **remainder_out, size_t *rlen_out) { - asn1_error_code ret; - unsigned char o; - const unsigned char *c, *p, *tag_start = asn1; + krb5_error_code ret; + uint8_t o; + const uint8_t *c, *p, *tag_start = asn1; size_t clen, llen, i; taginfo t; @@ -505,29 +468,28 @@ get_nullterm_sequence_len(const void *valp, const struct atype_info *seq) } return i; } -static asn1_error_code +static krb5_error_code encode_sequence_of(asn1buf *buf, size_t seqlen, const void *val, - const struct atype_info *eltinfo, size_t *len_out); + const struct atype_info *eltinfo); -static asn1_error_code +static krb5_error_code encode_nullterm_sequence_of(asn1buf *buf, const void *val, - const struct atype_info *type, - int can_be_empty, size_t *len_out) + const struct atype_info *type, int can_be_empty) { size_t len = get_nullterm_sequence_len(val, type); if (!can_be_empty && len == 0) return ASN1_MISSING_FIELD; - return encode_sequence_of(buf, len, val, type, len_out); + return encode_sequence_of(buf, len, val, type); } static intmax_t load_int(const void *val, size_t size) { switch (size) { - case 1: return *(signed char *)val; - case 2: return *(krb5_int16 *)val; - case 4: return *(krb5_int32 *)val; + case 1: return *(int8_t *)val; + case 2: return *(int16_t *)val; + case 4: return *(int32_t *)val; case 8: return *(int64_t *)val; default: abort(); } @@ -537,15 +499,15 @@ static uintmax_t load_uint(const void *val, size_t size) { switch (size) { - case 1: return *(unsigned char *)val; - case 2: return *(krb5_ui_2 *)val; - case 4: return *(krb5_ui_4 *)val; + case 1: return *(uint8_t *)val; + case 2: return *(uint16_t *)val; + case 4: return *(uint32_t *)val; case 8: return *(uint64_t *)val; default: abort(); } } -static asn1_error_code +static krb5_error_code load_count(const void *val, const struct counted_info *counted, size_t *count_out) { @@ -566,24 +528,24 @@ load_count(const void *val, const struct counted_info *counted, return 0; } -static asn1_error_code +static krb5_error_code store_int(intmax_t intval, size_t size, void *val) { switch (size) { case 1: - if ((signed char)intval != intval) + if ((int8_t)intval != intval) return ASN1_OVERFLOW; - *(signed char *)val = intval; + *(int8_t *)val = intval; return 0; case 2: - if ((krb5_int16)intval != intval) + if ((int16_t)intval != intval) return ASN1_OVERFLOW; - *(krb5_int16 *)val = intval; + *(int16_t *)val = intval; return 0; case 4: - if ((krb5_int32)intval != intval) + if ((int32_t)intval != intval) return ASN1_OVERFLOW; - *(krb5_int32 *)val = intval; + *(int32_t *)val = intval; return 0; case 8: if ((int64_t)intval != intval) @@ -595,24 +557,24 @@ store_int(intmax_t intval, size_t size, void *val) } } -static asn1_error_code +static krb5_error_code store_uint(uintmax_t intval, size_t size, void *val) { switch (size) { case 1: - if ((unsigned char)intval != intval) + if ((uint8_t)intval != intval) return ASN1_OVERFLOW; - *(unsigned char *)val = intval; + *(uint8_t *)val = intval; return 0; case 2: - if ((krb5_ui_2)intval != intval) + if ((uint16_t)intval != intval) return ASN1_OVERFLOW; - *(krb5_ui_2 *)val = intval; + *(uint16_t *)val = intval; return 0; case 4: - if ((krb5_ui_4)intval != intval) + if ((uint32_t)intval != intval) return ASN1_OVERFLOW; - *(krb5_ui_4 *)val = intval; + *(uint32_t *)val = intval; return 0; case 8: if ((uint64_t)intval != intval) @@ -626,7 +588,7 @@ store_uint(uintmax_t intval, size_t size, void *val) /* Store a count value in an integer field of a structure. If count is * SIZE_MAX and the target is a signed field, store -1. */ -static asn1_error_code +static krb5_error_code store_count(size_t count, const struct counted_info *counted, void *val) { void *countptr = (char *)val + counted->lenoff; @@ -644,12 +606,11 @@ store_count(size_t count, const struct counted_info *counted, void *val) /* Split a DER encoding into tag and contents. Insert the contents into buf, * then return the length of the contents and the tag. */ -static asn1_error_code -split_der(asn1buf *buf, unsigned char *const *der, size_t len, - taginfo *tag_out, size_t *len_out) +static krb5_error_code +split_der(asn1buf *buf, uint8_t *const *der, size_t len, taginfo *tag_out) { - asn1_error_code ret; - const unsigned char *contents, *remainder; + krb5_error_code ret; + const uint8_t *contents, *remainder; size_t clen, rlen; ret = get_tag(*der, len, tag_out, &contents, &clen, &remainder, &rlen); @@ -657,20 +618,20 @@ split_der(asn1buf *buf, unsigned char *const *der, size_t len, return ret; if (rlen != 0) return ASN1_BAD_LENGTH; - *len_out = clen; - return asn1buf_insert_bytestring(buf, clen, contents); + insert_bytes(buf, contents, clen); + return 0; } /* * Store the DER encoding given by t and asn1/len into the char * or - * unsigned char * pointed to by val. Set *count_out to the length of the + * uint8_t * pointed to by val. Set *count_out to the length of the * DER encoding. */ -static asn1_error_code -store_der(const taginfo *t, const unsigned char *asn1, size_t len, void *val, +static krb5_error_code +store_der(const taginfo *t, const uint8_t *asn1, size_t len, void *val, size_t *count_out) { - unsigned char *der; + uint8_t *der; size_t der_len; *count_out = 0; @@ -679,25 +640,24 @@ store_der(const taginfo *t, const unsigned char *asn1, size_t len, void *val, if (der == NULL) return ENOMEM; memcpy(der, asn1 - t->tag_len, der_len); - *(unsigned char **)val = der; + *(uint8_t **)val = der; *count_out = der_len; return 0; } -static asn1_error_code -encode_sequence(asn1buf *buf, const void *val, const struct seq_info *seq, - size_t *len_out); -static asn1_error_code +static krb5_error_code +encode_sequence(asn1buf *buf, const void *val, const struct seq_info *seq); +static krb5_error_code encode_cntype(asn1buf *buf, const void *val, size_t len, - const struct cntype_info *c, taginfo *tag_out, size_t *len_out); + const struct cntype_info *c, taginfo *tag_out); /* Encode a value (contents only, no outer tag) according to a type, and return * its encoded tag information. */ -static asn1_error_code +static krb5_error_code encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, - taginfo *tag_out, size_t *len_out) + taginfo *tag_out) { - asn1_error_code ret; + krb5_error_code ret; if (val == NULL) return ASN1_MISSING_FIELD; @@ -706,11 +666,11 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, case atype_fn: { const struct fn_info *fn = a->tinfo; assert(fn->enc != NULL); - return fn->enc(buf, val, tag_out, len_out); + return fn->enc(buf, val, tag_out); } case atype_sequence: assert(a->tinfo != NULL); - ret = encode_sequence(buf, val, a->tinfo, len_out); + ret = encode_sequence(buf, val, a->tinfo); if (ret) return ret; tag_out->asn1class = UNIVERSAL; @@ -720,20 +680,19 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, case atype_ptr: { const struct ptr_info *ptr = a->tinfo; assert(ptr->basetype != NULL); - return encode_atype(buf, LOADPTR(val, ptr), ptr->basetype, tag_out, - len_out); + return encode_atype(buf, LOADPTR(val, ptr), ptr->basetype, tag_out); } case atype_offset: { const struct offset_info *off = a->tinfo; assert(off->basetype != NULL); return encode_atype(buf, (const char *)val + off->dataoff, - off->basetype, tag_out, len_out); + off->basetype, tag_out); } case atype_optional: { const struct optional_info *opt = a->tinfo; assert(opt->is_present != NULL); if (opt->is_present(val)) - return encode_atype(buf, val, opt->basetype, tag_out, len_out); + return encode_atype(buf, val, opt->basetype, tag_out); else return ASN1_OMITTED; } @@ -745,16 +704,14 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, ret = load_count(val, counted, &count); if (ret) return ret; - return encode_cntype(buf, dataptr, count, counted->basetype, tag_out, - len_out); + return encode_cntype(buf, dataptr, count, counted->basetype, tag_out); } case atype_nullterm_sequence_of: case atype_nonempty_nullterm_sequence_of: assert(a->tinfo != NULL); ret = encode_nullterm_sequence_of(buf, val, a->tinfo, a->type == - atype_nullterm_sequence_of, - len_out); + atype_nullterm_sequence_of); if (ret) return ret; tag_out->asn1class = UNIVERSAL; @@ -763,15 +720,14 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, break; case atype_tagged_thing: { const struct tagged_info *tag = a->tinfo; - ret = encode_atype(buf, val, tag->basetype, tag_out, len_out); + size_t oldcount = buf->count; + ret = encode_atype(buf, val, tag->basetype, tag_out); if (ret) return ret; if (!tag->implicit) { - size_t tlen; - ret = make_tag(buf, tag_out, *len_out, &tlen); + ret = make_tag(buf, tag_out, buf->count - oldcount); if (ret) return ret; - *len_out += tlen; tag_out->construction = tag->construction; } tag_out->asn1class = tag->tagtype; @@ -779,34 +735,26 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, break; } case atype_bool: - ret = k5_asn1_encode_bool(buf, load_int(val, a->size), len_out); - if (ret) - return ret; + k5_asn1_encode_bool(buf, load_int(val, a->size)); tag_out->asn1class = UNIVERSAL; tag_out->construction = PRIMITIVE; tag_out->tagnum = ASN1_BOOLEAN; break; case atype_int: - ret = k5_asn1_encode_int(buf, load_int(val, a->size), len_out); - if (ret) - return ret; + k5_asn1_encode_int(buf, load_int(val, a->size)); tag_out->asn1class = UNIVERSAL; tag_out->construction = PRIMITIVE; tag_out->tagnum = ASN1_INTEGER; break; case atype_uint: - ret = k5_asn1_encode_uint(buf, load_uint(val, a->size), len_out); - if (ret) - return ret; + k5_asn1_encode_uint(buf, load_uint(val, a->size)); tag_out->asn1class = UNIVERSAL; tag_out->construction = PRIMITIVE; tag_out->tagnum = ASN1_INTEGER; break; case atype_int_immediate: { const struct immediate_info *imm = a->tinfo; - ret = k5_asn1_encode_int(buf, imm->val, len_out); - if (ret) - return ret; + k5_asn1_encode_int(buf, imm->val); tag_out->asn1class = UNIVERSAL; tag_out->construction = PRIMITIVE; tag_out->tagnum = ASN1_INTEGER; @@ -821,21 +769,19 @@ encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, return 0; } -static asn1_error_code -encode_atype_and_tag(asn1buf *buf, const void *val, const struct atype_info *a, - size_t *len_out) +static krb5_error_code +encode_atype_and_tag(asn1buf *buf, const void *val, const struct atype_info *a) { taginfo t; - asn1_error_code ret; - size_t clen, tlen; + krb5_error_code ret; + size_t oldcount = buf->count; - ret = encode_atype(buf, val, a, &t, &clen); + ret = encode_atype(buf, val, a, &t); if (ret) return ret; - ret = make_tag(buf, &t, clen, &tlen); + ret = make_tag(buf, &t, buf->count - oldcount); if (ret) return ret; - *len_out = clen + tlen; return 0; } @@ -844,17 +790,17 @@ encode_atype_and_tag(asn1buf *buf, const void *val, const struct atype_info *a, * pointer to the object being encoded, which in most cases is itself a * pointer (but is a union in the cntype_choice case). */ -static asn1_error_code +static krb5_error_code encode_cntype(asn1buf *buf, const void *val, size_t count, - const struct cntype_info *c, taginfo *tag_out, size_t *len_out) + const struct cntype_info *c, taginfo *tag_out) { - asn1_error_code ret; + krb5_error_code ret; switch (c->type) { case cntype_string: { const struct string_info *string = c->tinfo; assert(string->enc != NULL); - ret = string->enc(buf, val, count, len_out); + ret = string->enc(buf, val, count); if (ret) return ret; tag_out->asn1class = UNIVERSAL; @@ -863,13 +809,13 @@ encode_cntype(asn1buf *buf, const void *val, size_t count, break; } case cntype_der: - return split_der(buf, val, count, tag_out, len_out); + return split_der(buf, val, count, tag_out); case cntype_seqof: { const struct atype_info *a = c->tinfo; const struct ptr_info *ptr = a->tinfo; assert(a->type == atype_ptr); val = LOADPTR(val, ptr); - ret = encode_sequence_of(buf, count, val, ptr->basetype, len_out); + ret = encode_sequence_of(buf, count, val, ptr->basetype); if (ret) return ret; tag_out->asn1class = UNIVERSAL; @@ -881,8 +827,7 @@ encode_cntype(asn1buf *buf, const void *val, size_t count, const struct choice_info *choice = c->tinfo; if (count >= choice->n_options) return ASN1_MISSING_FIELD; - return encode_atype(buf, val, choice->options[count], tag_out, - len_out); + return encode_atype(buf, val, choice->options[count], tag_out); } default: @@ -894,42 +839,37 @@ encode_cntype(asn1buf *buf, const void *val, size_t count, return 0; } -static asn1_error_code -encode_sequence(asn1buf *buf, const void *val, const struct seq_info *seq, - size_t *len_out) +static krb5_error_code +encode_sequence(asn1buf *buf, const void *val, const struct seq_info *seq) { - asn1_error_code ret; - size_t i, len, sum = 0; + krb5_error_code ret; + size_t i; for (i = seq->n_fields; i > 0; i--) { - ret = encode_atype_and_tag(buf, val, seq->fields[i - 1], &len); + ret = encode_atype_and_tag(buf, val, seq->fields[i - 1]); if (ret == ASN1_OMITTED) continue; else if (ret != 0) return ret; - sum += len; } - *len_out = sum; return 0; } -static asn1_error_code +static krb5_error_code encode_sequence_of(asn1buf *buf, size_t seqlen, const void *val, - const struct atype_info *eltinfo, size_t *len_out) + const struct atype_info *eltinfo) { - asn1_error_code ret; - size_t sum = 0, i, len; + krb5_error_code ret; + size_t i; const void *eltptr; assert(eltinfo->size != 0); for (i = seqlen; i > 0; i--) { eltptr = (const char *)val + (i - 1) * eltinfo->size; - ret = encode_atype_and_tag(buf, eltptr, eltinfo, &len); + ret = encode_atype_and_tag(buf, eltptr, eltinfo); if (ret) return ret; - sum += len; } - *len_out = sum; return 0; } @@ -1187,27 +1127,27 @@ check_atype_tag(const struct atype_info *a, const taginfo *t) } } -static asn1_error_code -decode_cntype(const taginfo *t, const unsigned char *asn1, size_t len, +static krb5_error_code +decode_cntype(const taginfo *t, const uint8_t *asn1, size_t len, const struct cntype_info *c, void *val, size_t *count_out); -static asn1_error_code -decode_atype_to_ptr(const taginfo *t, const unsigned char *asn1, size_t len, +static krb5_error_code +decode_atype_to_ptr(const taginfo *t, const uint8_t *asn1, size_t len, const struct atype_info *basetype, void **ptr_out); -static asn1_error_code -decode_sequence(const unsigned char *asn1, size_t len, - const struct seq_info *seq, void *val); -static asn1_error_code -decode_sequence_of(const unsigned char *asn1, size_t len, +static krb5_error_code +decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq, + void *val); +static krb5_error_code +decode_sequence_of(const uint8_t *asn1, size_t len, const struct atype_info *elemtype, void **seq_out, size_t *count_out); /* Given the enclosing tag t, decode from asn1/len the contents of the ASN.1 * type specified by a, placing the result into val (caller-allocated). */ -static asn1_error_code -decode_atype(const taginfo *t, const unsigned char *asn1, - size_t len, const struct atype_info *a, void *val) +static krb5_error_code +decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, + const struct atype_info *a, void *val) { - asn1_error_code ret; + krb5_error_code ret; switch (a->type) { case atype_fn: { @@ -1256,7 +1196,7 @@ decode_atype(const taginfo *t, const unsigned char *asn1, const struct tagged_info *tag = a->tinfo; taginfo inner_tag; const taginfo *tp = t; - const unsigned char *rem; + const uint8_t *rem; size_t rlen; if (!tag->implicit) { ret = get_tag(asn1, len, &inner_tag, &asn1, &len, &rem, &rlen); @@ -1318,11 +1258,11 @@ decode_atype(const taginfo *t, const unsigned char *asn1, * If the resulting count should be -1 (for an unknown union distinguisher), * set *count_out to SIZE_MAX. */ -static asn1_error_code -decode_cntype(const taginfo *t, const unsigned char *asn1, size_t len, +static krb5_error_code +decode_cntype(const taginfo *t, const uint8_t *asn1, size_t len, const struct cntype_info *c, void *val, size_t *count_out) { - asn1_error_code ret; + krb5_error_code ret; switch (c->type) { case cntype_string: { @@ -1371,7 +1311,7 @@ decode_cntype(const taginfo *t, const unsigned char *asn1, size_t len, /* Add a null pointer to the end of a sequence. ptr is consumed on success * (to be replaced by *ptr_out), left alone on failure. */ -static asn1_error_code +static krb5_error_code null_terminate(const struct atype_info *eltinfo, void *ptr, size_t count, void **ptr_out) { @@ -1388,12 +1328,11 @@ null_terminate(const struct atype_info *eltinfo, void *ptr, size_t count, return 0; } -static asn1_error_code -decode_atype_to_ptr(const taginfo *t, const unsigned char *asn1, - size_t len, const struct atype_info *a, - void **ptr_out) +static krb5_error_code +decode_atype_to_ptr(const taginfo *t, const uint8_t *asn1, size_t len, + const struct atype_info *a, void **ptr_out) { - asn1_error_code ret; + krb5_error_code ret; void *ptr; size_t count; @@ -1429,7 +1368,7 @@ decode_atype_to_ptr(const taginfo *t, const unsigned char *asn1, /* Initialize a C object when the corresponding ASN.1 type was omitted within a * sequence. If the ASN.1 type is not optional, return ASN1_MISSING_FIELD. */ -static asn1_error_code +static krb5_error_code omit_atype(const struct atype_info *a, void *val) { switch (a->type) @@ -1468,12 +1407,12 @@ omit_atype(const struct atype_info *a, void *val) } /* Decode an ASN.1 sequence into a C object. */ -static asn1_error_code -decode_sequence(const unsigned char *asn1, size_t len, - const struct seq_info *seq, void *val) +static krb5_error_code +decode_sequence(const uint8_t *asn1, size_t len, const struct seq_info *seq, + void *val) { - asn1_error_code ret; - const unsigned char *contents; + krb5_error_code ret; + const uint8_t *contents; size_t i, j, clen; taginfo t; @@ -1525,14 +1464,14 @@ error: return ret; } -static asn1_error_code -decode_sequence_of(const unsigned char *asn1, size_t len, +static krb5_error_code +decode_sequence_of(const uint8_t *asn1, size_t len, const struct atype_info *elemtype, void **seq_out, size_t *count_out) { - asn1_error_code ret; + krb5_error_code ret; void *seq = NULL, *elem, *newseq; - const unsigned char *contents; + const uint8_t *contents; size_t clen, count = 0; taginfo t; @@ -1572,16 +1511,16 @@ error: /* These three entry points are only needed for the kdc_req_body hack and may * go away at some point. Define them here so we can use short names above. */ -asn1_error_code +krb5_error_code k5_asn1_encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, - taginfo *tag_out, size_t *len_out) + taginfo *tag_out) { - return encode_atype(buf, val, a, tag_out, len_out); + return encode_atype(buf, val, a, tag_out); } -asn1_error_code -k5_asn1_decode_atype(const taginfo *t, const unsigned char *asn1, - size_t len, const struct atype_info *a, void *val) +krb5_error_code +k5_asn1_decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, + const struct atype_info *a, void *val) { return decode_atype(t, asn1, len, a, val); } @@ -1590,41 +1529,61 @@ krb5_error_code k5_asn1_full_encode(const void *rep, const struct atype_info *a, krb5_data **code_out) { - size_t len; - asn1_error_code ret; - asn1buf *buf = NULL; + krb5_error_code ret; + asn1buf buf; krb5_data *d; + uint8_t *bytes; *code_out = NULL; if (rep == NULL) return ASN1_MISSING_FIELD; - ret = asn1buf_create(&buf); + + /* Make a first pass over rep to count the encoding size. */ + buf.ptr = NULL; + buf.count = 0; + ret = encode_atype_and_tag(&buf, rep, a); if (ret) return ret; - ret = encode_atype_and_tag(buf, rep, a, &len); - if (ret) - goto cleanup; - ret = asn12krb5_buf(buf, &d); - if (ret) - goto cleanup; - *code_out = d; -cleanup: - asn1buf_destroy(&buf); - return ret; + + /* Allocate space for the encoding. */ + bytes = malloc(buf.count + 1); + if (bytes == NULL) + return ENOMEM; + bytes[buf.count] = 0; + + /* Make a second pass over rep to encode it. buf.ptr moves backwards as we + * encode, and will always exactly return to the base. */ + buf.ptr = bytes + buf.count; + buf.count = 0; + ret = encode_atype_and_tag(&buf, rep, a); + if (ret) { + free(bytes); + return ret; + } + assert(buf.ptr == bytes); + + /* Create the output data object. */ + *code_out = malloc(sizeof(*d)); + if (*code_out == NULL) { + free(bytes); + return ENOMEM; + } + **code_out = make_data(bytes, buf.count); + return 0; } -asn1_error_code +krb5_error_code k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, void **retrep) { - asn1_error_code ret; - const unsigned char *contents, *remainder; + krb5_error_code ret; + const uint8_t *contents, *remainder; size_t clen, rlen; taginfo t; *retrep = NULL; - ret = get_tag((unsigned char *)code->data, code->length, &t, &contents, + ret = get_tag((uint8_t *)code->data, code->length, &t, &contents, &clen, &remainder, &rlen); if (ret) return ret; diff --git a/src/lib/krb5/asn.1/asn1_encode.h b/src/lib/krb5/asn.1/asn1_encode.h index d95f654..fde875b 100644 --- a/src/lib/krb5/asn.1/asn1_encode.h +++ b/src/lib/krb5/asn.1/asn1_encode.h @@ -29,9 +29,10 @@ #include "k5-int.h" #include "krbasn1.h" -#include "asn1buf.h" #include +typedef struct asn1buf_st asn1buf; + typedef struct { asn1_class asn1class; asn1_construction construction; @@ -45,37 +46,29 @@ typedef struct { /* These functions are referenced by encoder structures. They handle the * encoding of primitive ASN.1 types. */ -asn1_error_code k5_asn1_encode_bool(asn1buf *buf, intmax_t val, - size_t *len_out); -asn1_error_code k5_asn1_encode_int(asn1buf *buf, intmax_t val, - size_t *len_out); -asn1_error_code k5_asn1_encode_uint(asn1buf *buf, uintmax_t val, - size_t *len_out); -asn1_error_code k5_asn1_encode_bytestring(asn1buf *buf, - unsigned char *const *val, - size_t len, size_t *len_out); -asn1_error_code k5_asn1_encode_bitstring(asn1buf *buf, - unsigned char *const *val, - size_t len, size_t *len_out); -asn1_error_code k5_asn1_encode_generaltime(asn1buf *buf, time_t val, - size_t *len_out); +void k5_asn1_encode_bool(asn1buf *buf, intmax_t val); +void k5_asn1_encode_int(asn1buf *buf, intmax_t val); +void k5_asn1_encode_uint(asn1buf *buf, uintmax_t val); +krb5_error_code k5_asn1_encode_bytestring(asn1buf *buf, uint8_t *const *val, + size_t len); +krb5_error_code k5_asn1_encode_bitstring(asn1buf *buf, uint8_t *const *val, + size_t len); +krb5_error_code k5_asn1_encode_generaltime(asn1buf *buf, time_t val); /* These functions are referenced by encoder structures. They handle the * decoding of primitive ASN.1 types. */ -asn1_error_code k5_asn1_decode_bool(const unsigned char *asn1, size_t len, +krb5_error_code k5_asn1_decode_bool(const uint8_t *asn1, size_t len, intmax_t *val); -asn1_error_code k5_asn1_decode_int(const unsigned char *asn1, size_t len, +krb5_error_code k5_asn1_decode_int(const uint8_t *asn1, size_t len, intmax_t *val); -asn1_error_code k5_asn1_decode_uint(const unsigned char *asn1, size_t len, +krb5_error_code k5_asn1_decode_uint(const uint8_t *asn1, size_t len, uintmax_t *val); -asn1_error_code k5_asn1_decode_generaltime(const unsigned char *asn1, - size_t len, time_t *time_out); -asn1_error_code k5_asn1_decode_bytestring(const unsigned char *asn1, - size_t len, unsigned char **str_out, - size_t *len_out); -asn1_error_code k5_asn1_decode_bitstring(const unsigned char *asn1, size_t len, - unsigned char **bits_out, - size_t *len_out); +krb5_error_code k5_asn1_decode_generaltime(const uint8_t *asn1, size_t len, + time_t *time_out); +krb5_error_code k5_asn1_decode_bytestring(const uint8_t *asn1, size_t len, + uint8_t **str_out, size_t *len_out); +krb5_error_code k5_asn1_decode_bitstring(const uint8_t *asn1, size_t len, + uint8_t **bits_out, size_t *len_out); /* * An atype_info structure specifies how to map a C object to an ASN.1 value. @@ -152,9 +145,8 @@ struct atype_info { }; struct fn_info { - asn1_error_code (*enc)(asn1buf *, const void *, taginfo *, size_t *); - asn1_error_code (*dec)(const taginfo *, const unsigned char *, size_t, - void *); + krb5_error_code (*enc)(asn1buf *, const void *, taginfo *); + krb5_error_code (*dec)(const taginfo *, const uint8_t *, size_t, void *); int (*check_tag)(const taginfo *); void (*free_func)(void *); }; @@ -191,7 +183,7 @@ struct tagged_info { struct immediate_info { intmax_t val; - asn1_error_code err; + krb5_error_code err; }; /* A cntype_info structure specifies how to map a C object and count (length or @@ -202,7 +194,7 @@ enum cntype_type { /* * Apply an encoder function (contents only) and wrap it in a universal - * primitive tag. The C object must be a char * or unsigned char *. tinfo + * primitive tag. The C object must be a char * or uint8_t *. tinfo * is a struct string_info *. */ cntype_string, @@ -231,10 +223,8 @@ struct cntype_info { }; struct string_info { - asn1_error_code (*enc)(asn1buf *, unsigned char *const *, size_t, - size_t *); - asn1_error_code (*dec)(const unsigned char *, size_t, unsigned char **, - size_t *); + krb5_error_code (*enc)(asn1buf *, uint8_t *const *, size_t); + krb5_error_code (*dec)(const uint8_t *, size_t, uint8_t **, size_t *); unsigned int tagval : 5; }; @@ -532,22 +522,22 @@ struct seq_info { /* Partially encode the contents of a type and return its tag information. * Used only by kdc_req_body. */ -asn1_error_code +krb5_error_code k5_asn1_encode_atype(asn1buf *buf, const void *val, const struct atype_info *a, - taginfo *tag_out, size_t *len_out); + taginfo *tag_out); /* Decode the tag and contents of a type, storing the result in the * caller-allocated C object val. Used only by kdc_req_body. */ -asn1_error_code -k5_asn1_decode_atype(const taginfo *t, const unsigned char *asn1, - size_t len, const struct atype_info *a, void *val); +krb5_error_code +k5_asn1_decode_atype(const taginfo *t, const uint8_t *asn1, size_t len, + const struct atype_info *a, void *val); /* Returns a completed encoding, with tag and in the correct byte order, in an * allocated krb5_data. */ extern krb5_error_code k5_asn1_full_encode(const void *rep, const struct atype_info *a, krb5_data **code_out); -asn1_error_code +krb5_error_code k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, void **rep_out); @@ -563,7 +553,7 @@ k5_asn1_full_decode(const krb5_data *code, const struct atype_info *a, krb5_error_code \ FNAME(const krb5_data *code, aux_type_##DESC **rep_out) \ { \ - asn1_error_code ret; \ + krb5_error_code ret; \ void *rep; \ *rep_out = NULL; \ ret = k5_asn1_full_decode(code, &k5_atype_##DESC, &rep); \ diff --git a/src/lib/krb5/asn.1/asn1_k_encode.c b/src/lib/krb5/asn.1/asn1_k_encode.c index a827ca6..65c84be 100644 --- a/src/lib/krb5/asn.1/asn1_k_encode.c +++ b/src/lib/krb5/asn.1/asn1_k_encode.c @@ -25,32 +25,32 @@ */ #include "asn1_encode.h" -#include +#include "k5-spake.h" DEFINT_IMMEDIATE(krb5_version, KVNO, KRB5KDC_ERR_BAD_PVNO); static int int32_not_minus1(const void *p) { - return (*(krb5_int32 *)p != -1); + return *(int32_t *)p != -1; } static void init_int32_minus1(void *p) { - *(krb5_int32 *)p = -1; + *(int32_t *)p = -1; } DEFBOOLTYPE(boolean, krb5_boolean); -DEFINTTYPE(int32, krb5_int32); +DEFINTTYPE(int32, int32_t); DEFPTRTYPE(int32_ptr, int32); -DEFCOUNTEDSEQOFTYPE(cseqof_int32, krb5_int32, int32_ptr); +DEFCOUNTEDSEQOFTYPE(cseqof_int32, int32_t, int32_ptr); DEFOPTIONALZEROTYPE(opt_int32, int32); DEFOPTIONALTYPE(opt_int32_minus1, int32_not_minus1, init_int32_minus1, int32); DEFUINTTYPE(uint, unsigned int); DEFUINTTYPE(octet, krb5_octet); -DEFUINTTYPE(ui_4, krb5_ui_4); +DEFUINTTYPE(uint32, uint32_t); DEFOPTIONALZEROTYPE(opt_uint, uint); static int @@ -64,7 +64,7 @@ DEFCOUNTEDDERTYPE(der, char *, unsigned int); DEFCOUNTEDTYPE(der_data, krb5_data, data, length, der); DEFOPTIONALTYPE(opt_der_data, nonempty_data, NULL, der_data); -DEFCOUNTEDSTRINGTYPE(octetstring, unsigned char *, unsigned int, +DEFCOUNTEDSTRINGTYPE(octetstring, uint8_t *, unsigned int, k5_asn1_encode_bytestring, k5_asn1_decode_bytestring, ASN1_OCTETSTRING); DEFCOUNTEDSTRINGTYPE(s_octetstring, char *, unsigned int, @@ -78,13 +78,13 @@ DEFOPTIONALZEROTYPE(opt_ostring_data_ptr, ostring_data_ptr); DEFCOUNTEDSTRINGTYPE(generalstring, char *, unsigned int, k5_asn1_encode_bytestring, k5_asn1_decode_bytestring, ASN1_GENERALSTRING); -DEFCOUNTEDSTRINGTYPE(u_generalstring, unsigned char *, unsigned int, +DEFCOUNTEDSTRINGTYPE(u_generalstring, uint8_t *, unsigned int, k5_asn1_encode_bytestring, k5_asn1_decode_bytestring, ASN1_GENERALSTRING); DEFCOUNTEDTYPE(gstring_data, krb5_data, data, length, generalstring); DEFOPTIONALTYPE(opt_gstring_data, nonempty_data, NULL, gstring_data); DEFPTRTYPE(gstring_data_ptr, gstring_data); -DEFCOUNTEDSEQOFTYPE(cseqof_gstring_data, krb5_int32, gstring_data_ptr); +DEFCOUNTEDSEQOFTYPE(cseqof_gstring_data, int32_t, gstring_data_ptr); DEFCOUNTEDSTRINGTYPE(utf8string, char *, unsigned int, k5_asn1_encode_bytestring, k5_asn1_decode_bytestring, @@ -116,31 +116,32 @@ DEFPTRTYPE(principal, principal_data); DEFOPTIONALZEROTYPE(opt_principal, principal); /* - * Define the seqno type, which is an ASN.1 integer represented in a krb5_ui_4. + * Define the seqno type, which is an ASN.1 integer represented in a uint32_t. * When decoding, negative 32-bit numbers are accepted for interoperability * with old implementations. */ -static asn1_error_code -encode_seqno(asn1buf *buf, const void *p, taginfo *rettag, size_t *len_out) +static krb5_error_code +encode_seqno(asn1buf *buf, const void *p, taginfo *rettag) { - krb5_ui_4 val = *(krb5_ui_4 *)p; + uint32_t val = *(uint32_t *)p; rettag->asn1class = UNIVERSAL; rettag->construction = PRIMITIVE; rettag->tagnum = ASN1_INTEGER; - return k5_asn1_encode_uint(buf, val, len_out); + k5_asn1_encode_uint(buf, val); + return 0; } -static asn1_error_code -decode_seqno(const taginfo *t, const unsigned char *asn1, size_t len, void *p) +static krb5_error_code +decode_seqno(const taginfo *t, const uint8_t *asn1, size_t len, void *p) { - asn1_error_code ret; + krb5_error_code ret; intmax_t val; ret = k5_asn1_decode_int(asn1, len, &val); if (ret) return ret; - if (val < KRB5_INT32_MIN || val > 0xFFFFFFFF) + if (val < INT32_MIN || val > 0xFFFFFFFF) return ASN1_OVERFLOW; - /* Negative values will cast correctly to krb5_ui_4. */ - *(krb5_ui_4 *)p = val; + /* Negative values will cast correctly to uint32_t. */ + *(uint32_t *)p = val; return 0; } static int @@ -149,27 +150,25 @@ check_seqno(const taginfo *t) return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE && t->tagnum == ASN1_INTEGER); } -DEFFNTYPE(seqno, krb5_ui_4, encode_seqno, decode_seqno, check_seqno, NULL); +DEFFNTYPE(seqno, uint32_t, encode_seqno, decode_seqno, check_seqno, NULL); DEFOPTIONALZEROTYPE(opt_seqno, seqno); /* Define the kerberos_time type, which is an ASN.1 generaltime represented in * a krb5_timestamp. */ -static asn1_error_code -encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag, - size_t *len_out) +static krb5_error_code +encode_kerberos_time(asn1buf *buf, const void *p, taginfo *rettag) { - /* Range checking for time_t vs krb5_timestamp? */ - time_t val = *(krb5_timestamp *)p; + time_t val = ts2tt(*(krb5_timestamp *)p); rettag->asn1class = UNIVERSAL; rettag->construction = PRIMITIVE; rettag->tagnum = ASN1_GENERALTIME; - return k5_asn1_encode_generaltime(buf, val, len_out); + return k5_asn1_encode_generaltime(buf, val); } -static asn1_error_code -decode_kerberos_time(const taginfo *t, const unsigned char *asn1, size_t len, +static krb5_error_code +decode_kerberos_time(const taginfo *t, const uint8_t *asn1, size_t len, void *p) { - asn1_error_code ret; + krb5_error_code ret; time_t val; ret = k5_asn1_decode_generaltime(asn1, len, &val); if (ret) @@ -229,25 +228,23 @@ DEFOPTIONALTYPE(opt_encrypted_data, nonempty_enc_data, NULL, encrypted_data); /* Define the krb5_flags type, which is an ASN.1 bit string represented in a * 32-bit integer. */ -static asn1_error_code -encode_krb5_flags(asn1buf *buf, const void *p, taginfo *rettag, - size_t *len_out) +static krb5_error_code +encode_krb5_flags(asn1buf *buf, const void *p, taginfo *rettag) { - unsigned char cbuf[4], *cptr = cbuf; - store_32_be((krb5_ui_4)*(const krb5_flags *)p, cbuf); + uint8_t cbuf[4], *cptr = cbuf; + store_32_be((uint32_t)*(const krb5_flags *)p, cbuf); rettag->asn1class = UNIVERSAL; rettag->construction = PRIMITIVE; rettag->tagnum = ASN1_BITSTRING; - return k5_asn1_encode_bitstring(buf, &cptr, 4, len_out); + return k5_asn1_encode_bitstring(buf, &cptr, 4); } -static asn1_error_code -decode_krb5_flags(const taginfo *t, const unsigned char *asn1, size_t len, - void *val) +static krb5_error_code +decode_krb5_flags(const taginfo *t, const uint8_t *asn1, size_t len, void *val) { - asn1_error_code ret; + krb5_error_code ret; size_t i, blen; krb5_flags f = 0; - unsigned char *bits; + uint8_t *bits; ret = k5_asn1_decode_bitstring(asn1, len, &bits, &blen); if (ret) return ret; @@ -315,34 +312,34 @@ DEFNULLTERMSEQOFTYPE(seqof_checksum, checksum_ptr); DEFPTRTYPE(ptr_seqof_checksum, seqof_checksum); DEFOPTIONALZEROTYPE(opt_checksum_ptr, checksum_ptr); -/* Define the last_req_type type, which is a krb5_int32 with some massaging - * on decode for backward compatibility. */ -static asn1_error_code -encode_lr_type(asn1buf *buf, const void *p, taginfo *rettag, size_t *len_out) +/* Define the last_req_type type, which is an int32_t with some massaging on + * decode for backward compatibility. */ +static krb5_error_code +encode_lr_type(asn1buf *buf, const void *p, taginfo *rettag) { - krb5_int32 val = *(krb5_int32 *)p; + int32_t val = *(int32_t *)p; rettag->asn1class = UNIVERSAL; rettag->construction = PRIMITIVE; rettag->tagnum = ASN1_INTEGER; - return k5_asn1_encode_int(buf, val, len_out); + k5_asn1_encode_int(buf, val); + return 0; } -static asn1_error_code -decode_lr_type(const taginfo *t, const unsigned char *asn1, size_t len, - void *p) +static krb5_error_code +decode_lr_type(const taginfo *t, const uint8_t *asn1, size_t len, void *p) { - asn1_error_code ret; + krb5_error_code ret; intmax_t val; ret = k5_asn1_decode_int(asn1, len, &val); if (ret) return ret; - if (val > KRB5_INT32_MAX || val < KRB5_INT32_MIN) + if (val > INT32_MAX || val < INT32_MIN) return ASN1_OVERFLOW; #ifdef KRB5_GENEROUS_LR_TYPE /* If type is in the 128-255 range, treat it as a negative 8-bit value. */ if (val >= 128 && val <= 255) val -= 256; #endif - *(krb5_int32 *)p = val; + *(int32_t *)p = val; return 0; } static int @@ -351,7 +348,7 @@ check_lr_type(const taginfo *t) return (t->asn1class == UNIVERSAL && t->construction == PRIMITIVE && t->tagnum == ASN1_INTEGER); } -DEFFNTYPE(last_req_type, krb5_int32, encode_lr_type, decode_lr_type, +DEFFNTYPE(last_req_type, int32_t, encode_lr_type, decode_lr_type, check_lr_type, NULL); DEFFIELD(last_req_0, krb5_last_req_entry, lr_type, 0, last_req_type); @@ -474,9 +471,8 @@ static const struct atype_info *kdc_req_hack_fields[] = { &k5_atype_req_body_9, &k5_atype_req_body_10, &k5_atype_req_body_11 }; DEFSEQTYPE(kdc_req_body_hack, kdc_req_hack, kdc_req_hack_fields); -static asn1_error_code -encode_kdc_req_body(asn1buf *buf, const void *p, taginfo *tag_out, - size_t *len_out) +static krb5_error_code +encode_kdc_req_body(asn1buf *buf, const void *p, taginfo *tag_out) { const krb5_kdc_req *val = p; kdc_req_hack h; @@ -490,8 +486,7 @@ encode_kdc_req_body(asn1buf *buf, const void *p, taginfo *tag_out, h.server_realm = val->server->realm; else return ASN1_MISSING_FIELD; - return k5_asn1_encode_atype(buf, &h, &k5_atype_kdc_req_body_hack, tag_out, - len_out); + return k5_asn1_encode_atype(buf, &h, &k5_atype_kdc_req_body_hack, tag_out); } static void free_kdc_req_body(void *val) @@ -504,11 +499,11 @@ free_kdc_req_body(void *val) free(req->authorization_data.ciphertext.data); krb5_free_tickets(NULL, req->second_ticket); } -static asn1_error_code -decode_kdc_req_body(const taginfo *t, const unsigned char *asn1, size_t len, +static krb5_error_code +decode_kdc_req_body(const taginfo *t, const uint8_t *asn1, size_t len, void *val) { - asn1_error_code ret; + krb5_error_code ret; kdc_req_hack h; krb5_kdc_req *b = val; memset(&h, 0, sizeof(h)); @@ -926,7 +921,7 @@ DEFFIELD(error_2, krb5_error, ctime, 2, opt_kerberos_time); DEFFIELD(error_3, krb5_error, cusec, 3, opt_int32); DEFFIELD(error_4, krb5_error, stime, 4, kerberos_time); DEFFIELD(error_5, krb5_error, susec, 5, int32); -DEFFIELD(error_6, krb5_error, error, 6, ui_4); +DEFFIELD(error_6, krb5_error, error, 6, uint32); DEFFIELD(error_7, krb5_error, client, 7, opt_realm_of_principal); DEFFIELD(error_8, krb5_error, client, 8, opt_principal); DEFFIELD(error_9, krb5_error, server, 9, realm_of_principal); @@ -1173,7 +1168,7 @@ krb5_error_code decode_krb5_enc_kdc_rep_part(const krb5_data *code, krb5_enc_kdc_rep_part **rep_out) { - asn1_error_code ret; + krb5_error_code ret; krb5_enc_kdc_rep_part *rep; void *rep_ptr; krb5_msgtype msg_type = KRB5_TGS_REP; @@ -1224,7 +1219,7 @@ krb5_error_code decode_krb5_safe_with_body(const krb5_data *code, krb5_safe **rep_out, krb5_data **body_out) { - asn1_error_code ret; + krb5_error_code ret; void *swb_ptr, *safe_ptr; struct krb5_safe_with_body *swb; krb5_safe *safe; @@ -1291,7 +1286,7 @@ krb5_error_code decode_krb5_setpw_req(const krb5_data *code, krb5_data **password_out, krb5_principal *target_out) { - asn1_error_code ret; + krb5_error_code ret; void *req_ptr; struct krb5_setpw_req *req; krb5_data *data; @@ -1348,7 +1343,7 @@ krb5int_get_authdata_containee_types(krb5_context context, unsigned int *num_out, krb5_authdatatype **types_out) { - asn1_error_code ret; + krb5_error_code ret; struct authdata_types *atypes; void *atypes_ptr; krb5_data d = make_data(authdata->contents, authdata->length); @@ -1443,9 +1438,12 @@ DEFFIELD(pk_authenticator_1, krb5_pk_authenticator, ctime, 1, kerberos_time); DEFFIELD(pk_authenticator_2, krb5_pk_authenticator, nonce, 2, int32); DEFFIELD(pk_authenticator_3, krb5_pk_authenticator, paChecksum, 3, ostring_checksum); +DEFFIELD(pk_authenticator_4, krb5_pk_authenticator, freshnessToken, 4, + opt_ostring_data_ptr); static const struct atype_info *pk_authenticator_fields[] = { &k5_atype_pk_authenticator_0, &k5_atype_pk_authenticator_1, - &k5_atype_pk_authenticator_2, &k5_atype_pk_authenticator_3 + &k5_atype_pk_authenticator_2, &k5_atype_pk_authenticator_3, + &k5_atype_pk_authenticator_4 }; DEFSEQTYPE(pk_authenticator, krb5_pk_authenticator, pk_authenticator_fields); @@ -1815,3 +1813,53 @@ static const struct atype_info *secure_cookie_fields[] = { DEFSEQTYPE(secure_cookie, krb5_secure_cookie, secure_cookie_fields); MAKE_ENCODER(encode_krb5_secure_cookie, secure_cookie); MAKE_DECODER(decode_krb5_secure_cookie, secure_cookie); + +DEFFIELD(spake_factor_0, krb5_spake_factor, type, 0, int32); +DEFFIELD(spake_factor_1, krb5_spake_factor, data, 1, opt_ostring_data_ptr); +static const struct atype_info *spake_factor_fields[] = { + &k5_atype_spake_factor_0, &k5_atype_spake_factor_1 +}; +DEFSEQTYPE(spake_factor, krb5_spake_factor, spake_factor_fields); +DEFPTRTYPE(spake_factor_ptr, spake_factor); +DEFNULLTERMSEQOFTYPE(seqof_spake_factor, spake_factor_ptr); +DEFPTRTYPE(ptr_seqof_spake_factor, seqof_spake_factor); +MAKE_ENCODER(encode_krb5_spake_factor, spake_factor); +MAKE_DECODER(decode_krb5_spake_factor, spake_factor); + +DEFCNFIELD(spake_support_0, krb5_spake_support, groups, ngroups, 0, + cseqof_int32); +static const struct atype_info *spake_support_fields[] = { + &k5_atype_spake_support_0 +}; +DEFSEQTYPE(spake_support, krb5_spake_support, spake_support_fields); + +DEFFIELD(spake_challenge_0, krb5_spake_challenge, group, 0, int32); +DEFFIELD(spake_challenge_1, krb5_spake_challenge, pubkey, 1, ostring_data); +DEFFIELD(spake_challenge_2, krb5_spake_challenge, factors, 2, + ptr_seqof_spake_factor); +static const struct atype_info *spake_challenge_fields[] = { + &k5_atype_spake_challenge_0, &k5_atype_spake_challenge_1, + &k5_atype_spake_challenge_2 +}; +DEFSEQTYPE(spake_challenge, krb5_spake_challenge, spake_challenge_fields); + +DEFFIELD(spake_response_0, krb5_spake_response, pubkey, 0, ostring_data); +DEFFIELD(spake_response_1, krb5_spake_response, factor, 1, encrypted_data); +static const struct atype_info *spake_response_fields[] = { + &k5_atype_spake_response_0, &k5_atype_spake_response_1, +}; +DEFSEQTYPE(spake_response, krb5_spake_response, spake_response_fields); + +DEFCTAGGEDTYPE(pa_spake_0, 0, spake_support); +DEFCTAGGEDTYPE(pa_spake_1, 1, spake_challenge); +DEFCTAGGEDTYPE(pa_spake_2, 2, spake_response); +DEFCTAGGEDTYPE(pa_spake_3, 3, encrypted_data); +static const struct atype_info *pa_spake_alternatives[] = { + &k5_atype_pa_spake_0, &k5_atype_pa_spake_1, &k5_atype_pa_spake_2, + &k5_atype_pa_spake_3 +}; +DEFCHOICETYPE(pa_spake_choice, union krb5_spake_message_choices, + enum krb5_spake_msgtype, pa_spake_alternatives); +DEFCOUNTEDTYPE_SIGNED(pa_spake, krb5_pa_spake, u, choice, pa_spake_choice); +MAKE_ENCODER(encode_krb5_pa_spake, pa_spake); +MAKE_DECODER(decode_krb5_pa_spake, pa_spake); diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c deleted file mode 100644 index b937530..0000000 --- a/src/lib/krb5/asn.1/asn1buf.c +++ /dev/null @@ -1,209 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* Coding Buffer Implementation */ - -/* - * Implementation - * - * Encoding mode - * - * The encoding buffer is filled from bottom (lowest address) to top - * (highest address). This makes it easier to expand the buffer, - * since realloc preserves the existing portion of the buffer. - * - * Note: Since ASN.1 encoding must be done in reverse, this means - * that you can't simply memcpy out the buffer data, since it will be - * backwards. You need to reverse-iterate through it, instead. - * - * ***This decision may have been a mistake. In practice, the - * implementation will probably be tuned such that reallocation is - * rarely necessary. Also, the realloc probably has recopy the - * buffer itself, so we don't really gain that much by avoiding an - * explicit copy of the buffer. --Keep this in mind for future reference. - * - * - * Decoding mode - * - * The decoding buffer is in normal order and is created by wrapping - * an asn1buf around a krb5_data structure. - */ - -/* - * Abstraction Function - * - * Programs should use just pointers to asn1buf's (e.g. asn1buf *mybuf). - * These pointers must always point to a valid, allocated asn1buf - * structure or be NULL. - * - * The contents of the asn1buf represent an octet string. This string - * begins at base and continues to the octet immediately preceding next. - * If next == base or mybuf == NULL, then the asn1buf represents an empty - * octet string. - */ - -/* - * Representation Invariant - * - * Pointers to asn1buf's must always point to a valid, allocated - * asn1buf structure or be NULL. - * - * base points to a valid, allocated octet array or is NULL - * bound, if non-NULL, points to the last valid octet - * next >= base - * next <= bound+2 (i.e. next should be able to step just past the bound, - * but no further. (The bound should move out in response - * to being crossed by next.)) - */ - -#define ASN1BUF_OMIT_INLINE_FUNCS -#include "asn1buf.h" -#include - -#ifdef USE_VALGRIND -#include -#else -#define VALGRIND_CHECK_READABLE(PTR,SIZE) ((void)0) -#endif - -#if !defined(__GNUC__) || defined(CONFIG_SMALL) -/* - * Declare private procedures as static if they're not used for inline - * expansion of other stuff elsewhere. - */ -static unsigned int asn1buf_free(const asn1buf *); -static asn1_error_code asn1buf_ensure_space(asn1buf *, unsigned int); -static asn1_error_code asn1buf_expand(asn1buf *, unsigned int); -#endif - -#define asn1_is_eoc(class, num, indef) \ - ((class) == UNIVERSAL && !(num) && !(indef)) - -asn1_error_code -asn1buf_create(asn1buf **buf) -{ - *buf = (asn1buf*)malloc(sizeof(asn1buf)); - if (*buf == NULL) return ENOMEM; - (*buf)->base = NULL; - (*buf)->bound = NULL; - (*buf)->next = NULL; - return 0; -} - -void -asn1buf_destroy(asn1buf **buf) -{ - if (*buf != NULL) { - free((*buf)->base); - free(*buf); - *buf = NULL; - } -} - -#ifdef asn1buf_insert_octet -#undef asn1buf_insert_octet -#endif -asn1_error_code -asn1buf_insert_octet(asn1buf *buf, const int o) -{ - asn1_error_code retval; - - retval = asn1buf_ensure_space(buf,1U); - if (retval) return retval; - *(buf->next) = (char)o; - (buf->next)++; - return 0; -} - -asn1_error_code -asn1buf_insert_bytestring(asn1buf *buf, const unsigned int len, const void *sv) -{ - asn1_error_code retval; - unsigned int length; - const char *s = sv; - - retval = asn1buf_ensure_space(buf,len); - if (retval) return retval; - VALGRIND_CHECK_READABLE(sv, len); - for (length=1; length<=len; length++,(buf->next)++) - *(buf->next) = (s[len-length]); - return 0; -} - -asn1_error_code -asn12krb5_buf(const asn1buf *buf, krb5_data **code) -{ - unsigned int i; - krb5_data *d; - - *code = NULL; - - d = calloc(1, sizeof(krb5_data)); - if (d == NULL) - return ENOMEM; - d->length = asn1buf_len(buf); - d->data = malloc(d->length + 1); - if (d->data == NULL) { - free(d); - return ENOMEM; - } - for (i=0; i < d->length; i++) - d->data[i] = buf->base[d->length - i - 1]; - d->data[d->length] = '\0'; - d->magic = KV5M_DATA; - *code = d; - return 0; -} - -/****************************************************************/ -/* Private Procedures */ - -static int -asn1buf_size(const asn1buf *buf) -{ - if (buf == NULL || buf->base == NULL) return 0; - return buf->bound - buf->base + 1; -} - -#undef asn1buf_free -unsigned int -asn1buf_free(const asn1buf *buf) -{ - if (buf == NULL || buf->base == NULL) return 0; - else return buf->bound - buf->next + 1; -} - -#undef asn1buf_ensure_space -asn1_error_code -asn1buf_ensure_space(asn1buf *buf, const unsigned int amount) -{ - unsigned int avail = asn1buf_free(buf); - if (avail >= amount) - return 0; - return asn1buf_expand(buf, amount-avail); -} - -asn1_error_code -asn1buf_expand(asn1buf *buf, unsigned int inc) -{ -#define STANDARD_INCREMENT 200 - int next_offset = buf->next - buf->base; - int bound_offset; - if (buf->base == NULL) bound_offset = -1; - else bound_offset = buf->bound - buf->base; - - if (inc < STANDARD_INCREMENT) - inc = STANDARD_INCREMENT; - - buf->base = realloc(buf->base, - (asn1buf_size(buf)+inc) * sizeof(asn1_octet)); - if (buf->base == NULL) return ENOMEM; /* XXX leak */ - buf->bound = (buf->base) + bound_offset + inc; - buf->next = (buf->base) + next_offset; - return 0; -} - -#undef asn1buf_len -int -asn1buf_len(const asn1buf *buf) -{ - return buf->next - buf->base; -} diff --git a/src/lib/krb5/asn.1/asn1buf.h b/src/lib/krb5/asn.1/asn1buf.h deleted file mode 100644 index 0d7138d..0000000 --- a/src/lib/krb5/asn.1/asn1buf.h +++ /dev/null @@ -1,147 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* Coding Buffer Specifications */ -#ifndef __ASN1BUF_H__ -#define __ASN1BUF_H__ - -#include "k5-int.h" -#include "krbasn1.h" - -typedef struct code_buffer_rep { - char *base, *bound, *next; -} asn1buf; - - -/**************** Private Procedures ****************/ - -#if (__GNUC__ >= 2) && !defined(CONFIG_SMALL) -unsigned int asn1buf_free(const asn1buf *buf); -/* - * requires *buf is allocated - * effects Returns the number of unused, allocated octets in *buf. - */ -#define asn1buf_free(buf) \ - (((buf) == NULL || (buf)->base == NULL) \ - ? 0U \ - : (unsigned int)((buf)->bound - (buf)->next + 1)) - - -asn1_error_code asn1buf_ensure_space(asn1buf *buf, const unsigned int amount); -/* - * requires *buf is allocated - * modifies *buf - * effects If buf has less than amount octets of free space, then it is - * expanded to have at least amount octets of free space. - * Returns ENOMEM memory is exhausted. - */ -#define asn1buf_ensure_space(buf,amount) \ - ((asn1buf_free(buf) < (amount)) \ - ? (asn1buf_expand((buf), (amount)-asn1buf_free(buf))) \ - : 0) - -asn1_error_code asn1buf_expand(asn1buf *buf, unsigned int inc); -/* - * requires *buf is allocated - * modifies *buf - * effects Expands *buf by allocating space for inc more octets. - * Returns ENOMEM if memory is exhausted. - */ -#endif - -int asn1buf_len(const asn1buf *buf); -/* - * requires *buf is allocated - * effects Returns the length of the encoding in *buf. - */ -#define asn1buf_len(buf) ((buf)->next - (buf)->base) - -/****** End of private procedures *****/ - -/* - * Overview - * - * The coding buffer is an array of char (to match a krb5_data structure) - * with 3 reference pointers: - * 1) base - The bottom of the octet array. Used for memory management - * operations on the array (e.g. alloc, realloc, free). - * 2) next - Points to the next available octet position in the array. - * During encoding, this is the next free position, and it - * advances as octets are added to the array. - * During decoding, this is the next unread position, and it - * advances as octets are read from the array. - * 3) bound - Points to the top of the array. Used for bounds-checking. - * - * All pointers to encoding buffers should be initalized to NULL. - * - * Operations - * - * asn1buf_create - * asn1buf_wrap_data - * asn1buf_destroy - * asn1buf_insert_octet - * asn1buf_insert_charstring - * asn1buf_remove_octet - * asn1buf_remove_charstring - * asn1buf_unparse - * asn1buf_hex_unparse - * asn12krb5_buf - * asn1buf_remains - * - * (asn1buf_size) - * (asn1buf_free) - * (asn1buf_ensure_space) - * (asn1buf_expand) - * (asn1buf_len) - */ - -asn1_error_code asn1buf_create(asn1buf **buf); -/* - * effects Creates a new encoding buffer pointed to by *buf. - * Returns ENOMEM if the buffer can't be created. - */ - -void asn1buf_destroy(asn1buf **buf); -/* effects Deallocates **buf, sets *buf to NULL. */ - -/* - * requires *buf is allocated - * effects Inserts o into the buffer *buf, expanding the buffer if - * necessary. Returns ENOMEM memory is exhausted. - */ -#if ((__GNUC__ >= 2) && !defined(ASN1BUF_OMIT_INLINE_FUNCS)) && !defined(CONFIG_SMALL) -static inline asn1_error_code -asn1buf_insert_octet(asn1buf *buf, const int o) -{ - asn1_error_code retval; - - retval = asn1buf_ensure_space(buf,1U); - if (retval) return retval; - *(buf->next) = (char)o; - (buf->next)++; - return 0; -} -#else -asn1_error_code asn1buf_insert_octet(asn1buf *buf, const int o); -#endif - -asn1_error_code -asn1buf_insert_bytestring( - asn1buf *buf, - const unsigned int len, - const void *s); -/* - * requires *buf is allocated - * modifies *buf - * effects Inserts the contents of s (an array of length len) - * into the buffer *buf, expanding the buffer if necessary. - * Returns ENOMEM if memory is exhausted. - */ - -#define asn1buf_insert_octetstring asn1buf_insert_bytestring - -asn1_error_code asn12krb5_buf(const asn1buf *buf, krb5_data **code); -/* - * modifies *code - * effects Instantiates **code with the krb5_data representation of **buf. - */ - -#endif diff --git a/src/lib/krb5/asn.1/deps b/src/lib/krb5/asn.1/deps index 47050d6..01d2d23 100644 --- a/src/lib/krb5/asn.1/deps +++ b/src/lib/krb5/asn.1/deps @@ -11,29 +11,19 @@ asn1_encode.so asn1_encode.po $(OUTPRE)asn1_encode.$(OBJEXT): \ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - asn1_encode.c asn1_encode.h asn1buf.h krbasn1.h -asn1buf.so asn1buf.po $(OUTPRE)asn1buf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h asn1buf.c asn1buf.h \ - krbasn1.h + asn1_encode.c asn1_encode.h krbasn1.h asn1_k_encode.so asn1_k_encode.po $(OUTPRE)asn1_k_encode.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - asn1_encode.h asn1_k_encode.c asn1buf.h krbasn1.h + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-spake.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h asn1_encode.h \ + asn1_k_encode.c krbasn1.h ldap_key_seq.so ldap_key_seq.po $(OUTPRE)ldap_key_seq.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -45,4 +35,4 @@ ldap_key_seq.so ldap_key_seq.po $(OUTPRE)ldap_key_seq.$(OBJEXT): \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h asn1_encode.h \ - asn1buf.h krbasn1.h ldap_key_seq.c + krbasn1.h ldap_key_seq.c diff --git a/src/lib/krb5/asn.1/krbasn1.h b/src/lib/krb5/asn.1/krbasn1.h index 1755784..cfc24ad 100644 --- a/src/lib/krb5/asn.1/krbasn1.h +++ b/src/lib/krb5/asn.1/krbasn1.h @@ -27,7 +27,6 @@ */ #define KRB5_GENEROUS_LR_TYPE -typedef krb5_octet asn1_octet; typedef krb5_error_code asn1_error_code; typedef enum { PRIMITIVE = 0x00, CONSTRUCTED = 0x20 } asn1_construction; diff --git a/src/lib/krb5/asn.1/ldap_key_seq.c b/src/lib/krb5/asn.1/ldap_key_seq.c index 74569d9..9508bc3 100644 --- a/src/lib/krb5/asn.1/ldap_key_seq.c +++ b/src/lib/krb5/asn.1/ldap_key_seq.c @@ -48,12 +48,12 @@ * Imports from asn1_k_encode.c. * XXX Must be manually synchronized for now. */ -IMPORT_TYPE(int32, krb5_int32); +IMPORT_TYPE(int32, int32_t); -DEFINTTYPE(int16, krb5_int16); -DEFINTTYPE(uint16, krb5_ui_2); +DEFINTTYPE(int16, int16_t); +DEFINTTYPE(uint16, uint16_t); -DEFCOUNTEDSTRINGTYPE(ui2_octetstring, unsigned char *, krb5_ui_2, +DEFCOUNTEDSTRINGTYPE(ui2_octetstring, uint8_t *, uint16_t, k5_asn1_encode_bytestring, k5_asn1_decode_bytestring, ASN1_OCTETSTRING); @@ -96,15 +96,12 @@ no_salt(void *p) DEFOPTIONALTYPE(key_data_salt_if_present, is_salt_present, no_salt, krbsalt); DEFCTAGGEDTYPE(key_data_0, 0, key_data_salt_if_present); DEFCTAGGEDTYPE(key_data_1, 1, encryptionkey); -#if 0 /* We don't support this field currently. */ -DEFCTAGGEDTYPE(key_data_2, 2, s2kparams), -#endif static const struct atype_info *key_data_fields[] = { &k5_atype_key_data_0, &k5_atype_key_data_1 }; DEFSEQTYPE(key_data, krb5_key_data, key_data_fields); DEFPTRTYPE(ptr_key_data, key_data); -DEFCOUNTEDSEQOFTYPE(cseqof_key_data, krb5_int16, ptr_key_data); +DEFCOUNTEDSEQOFTYPE(cseqof_key_data, int16_t, ptr_key_data); DEFINT_IMMEDIATE(one, 1, ASN1_BAD_FORMAT); DEFCTAGGEDTYPE(ldap_key_seq_0, 0, one); diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in index 5ac8707..f84cf79 100644 --- a/src/lib/krb5/ccache/Makefile.in +++ b/src/lib/krb5/ccache/Makefile.in @@ -34,6 +34,7 @@ STLIBOBJS= \ ccdefops.o \ ccmarshal.o \ ccselect.o \ + ccselect_hostname.o \ ccselect_k5identity.o \ ccselect_realm.o \ cc_dir.o \ @@ -52,6 +53,7 @@ OBJS= $(OUTPRE)ccbase.$(OBJEXT) \ $(OUTPRE)ccdefops.$(OBJEXT) \ $(OUTPRE)ccmarshal.$(OBJEXT) \ $(OUTPRE)ccselect.$(OBJEXT) \ + $(OUTPRE)ccselect_hostname.$(OBJEXT) \ $(OUTPRE)ccselect_k5identity.$(OBJEXT) \ $(OUTPRE)ccselect_realm.$(OBJEXT) \ $(OUTPRE)cc_dir.$(OBJEXT) \ @@ -70,6 +72,7 @@ SRCS= $(srcdir)/ccbase.c \ $(srcdir)/ccdefops.c \ $(srcdir)/ccmarshal.c \ $(srcdir)/ccselect.c \ + $(srcdir)/ccselect_hostname.c \ $(srcdir)/ccselect_k5identity.c \ $(srcdir)/ccselect_realm.c \ $(srcdir)/cc_dir.c \ diff --git a/src/lib/krb5/ccache/cc-int.h b/src/lib/krb5/ccache/cc-int.h index ee9b5e0..d920367 100644 --- a/src/lib/krb5/ccache/cc-int.h +++ b/src/lib/krb5/ccache/cc-int.h @@ -124,6 +124,10 @@ krb5_error_code krb5int_fcc_new_unique(krb5_context context, char *template, krb5_ccache *id); krb5_error_code +ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +krb5_error_code ccselect_realm_initvt(krb5_context context, int maj_ver, int min_ver, krb5_plugin_vtable vtable); diff --git a/src/lib/krb5/ccache/cc_file.c b/src/lib/krb5/ccache/cc_file.c index 6789c09..9263a00 100644 --- a/src/lib/krb5/ccache/cc_file.c +++ b/src/lib/krb5/ccache/cc_file.c @@ -758,7 +758,7 @@ fcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, memset(creds, 0, sizeof(*creds)); k5_cc_mutex_lock(context, &data->lock); - k5_buf_init_dynamic(&buf); + k5_buf_init_dynamic_zap(&buf); ret = krb5_lock_file(context, fileno(fcursor->fp), KRB5_LOCKMODE_SHARED); if (ret) @@ -982,7 +982,7 @@ fcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) goto cleanup; /* Marshal the cred and write it to the file with a single append write. */ - k5_buf_init_dynamic(&buf); + k5_buf_init_dynamic_zap(&buf); k5_marshal_cred(&buf, version, creds); ret = k5_buf_status(&buf); if (ret) diff --git a/src/lib/krb5/ccache/cc_kcm.c b/src/lib/krb5/ccache/cc_kcm.c index a889e67..092ab7d 100644 --- a/src/lib/krb5/ccache/cc_kcm.c +++ b/src/lib/krb5/ccache/cc_kcm.c @@ -32,7 +32,7 @@ /* * This cache type contacts a daemon for each cache operation, using Heimdal's - * KCM protocol. On OS X, the preferred transport is Mach RPC; on other + * KCM protocol. On macOS, the preferred transport is Mach RPC; on other * Unix-like platforms or if the daemon is not available via RPC, Unix domain * sockets are used instead. */ @@ -42,6 +42,7 @@ #include "k5-input.h" #include "cc-int.h" #include "kcm.h" +#include "../os/os-proto.h" #include #include #ifdef __APPLE__ @@ -61,7 +62,7 @@ struct uuid_list { }; struct kcmio { - int fd; + SOCKET fd; #ifdef __APPLE__ mach_port_t mport; #endif @@ -252,7 +253,7 @@ static krb5_error_code kcmio_unix_socket_connect(krb5_context context, struct kcmio *io) { krb5_error_code ret; - int fd = -1; + SOCKET fd = INVALID_SOCKET; struct sockaddr_un addr; char *path = NULL; @@ -267,25 +268,25 @@ kcmio_unix_socket_connect(krb5_context context, struct kcmio *io) } fd = socket(AF_UNIX, SOCK_STREAM, 0); - if (fd == -1) { - ret = errno; + if (fd == INVALID_SOCKET) { + ret = SOCKET_ERRNO; goto cleanup; } memset(&addr, 0, sizeof(addr)); addr.sun_family = AF_UNIX; strlcpy(addr.sun_path, path, sizeof(addr.sun_path)); - if (connect(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { - ret = (errno == ENOENT) ? KRB5_KCM_NO_SERVER : errno; + if (SOCKET_CONNECT(fd, (struct sockaddr *)&addr, sizeof(addr)) != 0) { + ret = (SOCKET_ERRNO == ENOENT) ? KRB5_KCM_NO_SERVER : SOCKET_ERRNO; goto cleanup; } io->fd = fd; - fd = -1; + fd = INVALID_SOCKET; cleanup: - if (fd != -1) - close(fd); + if (fd != INVALID_SOCKET) + closesocket(fd); profile_release_string(path); return ret; } @@ -297,13 +298,36 @@ kcmio_unix_socket_write(krb5_context context, struct kcmio *io, void *request, size_t len) { char lenbytes[4]; + sg_buf sg[2]; + int ret; + krb5_boolean reconnected = FALSE; + SG_SET(&sg[0], lenbytes, sizeof(lenbytes)); + SG_SET(&sg[1], request, len); store_32_be(len, lenbytes); - if (krb5_net_write(context, io->fd, lenbytes, 4) < 0) - return errno; - if (krb5_net_write(context, io->fd, request, len) < 0) - return errno; - return 0; + + for (;;) { + ret = krb5int_net_writev(context, io->fd, sg, 2); + if (ret >= 0) + return 0; + ret = errno; + if (ret != EPIPE || reconnected) + return ret; + + /* + * Try once to reconnect on an EPIPE, in case the server has an idle + * timeout (like sssd does) and we went too long between ccache + * operations. Reconnecting might also help if the server was + * restarted for an upgrade--although the server must be designed to + * always listen for connections on the socket during upgrades, or a + * single reconnect attempt won't be robust. + */ + close(io->fd); + ret = kcmio_unix_socket_connect(context, io); + if (ret) + return ret; + reconnected = TRUE; + } } /* Read a KCM reply: 4-byte big-endian length, 4-byte big-endian status code, @@ -358,9 +382,9 @@ kcmio_connect(krb5_context context, struct kcmio **io_out) io = calloc(1, sizeof(*io)); if (io == NULL) return ENOMEM; - io->fd = -1; + io->fd = INVALID_SOCKET; - /* Try Mach RPC (OS X only), then fall back to Unix domain sockets */ + /* Try Mach RPC (macOS only), then fall back to Unix domain sockets */ ret = kcmio_mach_connect(context, io); if (ret) ret = kcmio_unix_socket_connect(context, io); @@ -384,7 +408,7 @@ kcmio_call(krb5_context context, struct kcmio *io, struct kcmreq *req) if (k5_buf_status(&req->reqbuf) != 0) return ENOMEM; - if (io->fd != -1) { + if (io->fd != INVALID_SOCKET) { ret = kcmio_unix_socket_write(context, io, req->reqbuf.data, req->reqbuf.len); if (ret) @@ -411,8 +435,8 @@ kcmio_close(struct kcmio *io) { if (io != NULL) { kcmio_mach_close(io); - if (io->fd != -1) - close(io->fd); + if (io->fd != INVALID_SOCKET) + closesocket(io->fd); free(io); } } @@ -721,12 +745,18 @@ kcm_get_princ(krb5_context context, krb5_ccache cache, { krb5_error_code ret; struct kcmreq req; + struct kcm_cache_data *data = cache->data; kcmreq_init(&req, KCM_OP_GET_PRINCIPAL, cache); ret = cache_call(context, cache, &req, FALSE); /* Heimdal KCM can respond with code 0 and no principal. */ if (!ret && req.reply.len == 0) ret = KRB5_FCC_NOFILE; + if (ret == KRB5_FCC_NOFILE) { + k5_setmsg(context, ret, _("Credentials cache 'KCM:%s' not found"), + data->residual); + } + if (!ret) ret = k5_unmarshal_princ(req.reply.ptr, req.reply.len, 4, princ_out); kcmreq_free(&req); @@ -966,6 +996,9 @@ kcm_ptcursor_next(krb5_context context, krb5_cc_ptcursor cursor, kcmreq_init(&req, KCM_OP_GET_CACHE_BY_UUID, NULL); k5_buf_add_len(&req.reqbuf, id, KCM_UUID_LEN); ret = kcmio_call(context, data->io, &req); + /* Continue if the cache has been deleted. */ + if (ret == KRB5_CC_END) + continue; if (ret) goto cleanup; ret = kcmreq_get_name(&req, &name); diff --git a/src/lib/krb5/ccache/cc_keyring.c b/src/lib/krb5/ccache/cc_keyring.c index 4fe3f0d..8419f6e 100644 --- a/src/lib/krb5/ccache/cc_keyring.c +++ b/src/lib/krb5/ccache/cc_keyring.c @@ -751,7 +751,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id) for (;;) { if (krcc_next_cred(context, id, &cursor, &creds) != 0) break; - if (creds.times.endtime > endtime) + if (ts_after(creds.times.endtime, endtime)) endtime = creds.times.endtime; krb5_free_cred_contents(context, &creds); } @@ -765,7 +765,7 @@ update_keyring_expiration(krb5_context context, krb5_ccache id) /* Setting the timeout to zero would reset the timeout, so we set it to one * second instead if creds are already expired. */ - timeout = (endtime > now) ? endtime - now : 1; + timeout = ts_after(endtime, now) ? ts_delta(endtime, now) : 1; (void)keyctl_set_timeout(data->cache_id, timeout); } @@ -1295,7 +1295,7 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) goto errout; /* Serialize credential using the file ccache version 4 format. */ - k5_buf_init_dynamic(&buf); + k5_buf_init_dynamic_zap(&buf); k5_marshal_cred(&buf, 4, creds); ret = k5_buf_status(&buf); if (ret) @@ -1316,8 +1316,10 @@ krcc_store(krb5_context context, krb5_ccache id, krb5_creds *creds) if (ret) goto errout; - if (creds->times.endtime > now) - (void)keyctl_set_timeout(cred_key, creds->times.endtime - now); + if (ts_after(creds->times.endtime, now)) { + (void)keyctl_set_timeout(cred_key, + ts_delta(creds->times.endtime, now)); + } update_keyring_expiration(context, id); @@ -1680,8 +1682,8 @@ static void krcc_update_change_time(krcc_data *data) { krb5_timestamp now_time = time(NULL); - data->changetime = (data->changetime >= now_time) ? - data->changetime + 1 : now_time; + data->changetime = ts_after(now_time, data->changetime) ? + now_time : ts_incr(data->changetime, 1); } /* diff --git a/src/lib/krb5/ccache/cc_memory.c b/src/lib/krb5/ccache/cc_memory.c index 0354575..114ef69 100644 --- a/src/lib/krb5/ccache/cc_memory.c +++ b/src/lib/krb5/ccache/cc_memory.c @@ -26,6 +26,7 @@ #include "cc-int.h" #include "../krb/int-proto.h" +#include "k5-hashtab.h" #include static krb5_error_code KRB5_CALLCONV krb5_mcc_close @@ -102,37 +103,72 @@ extern krb5_error_code krb5_change_cache (void); typedef struct _krb5_mcc_link { struct _krb5_mcc_link *next; krb5_creds *creds; -} krb5_mcc_link, *krb5_mcc_cursor; +} krb5_mcc_link; /* Per-cache data header. */ typedef struct _krb5_mcc_data { char *name; k5_cc_mutex lock; krb5_principal prin; - krb5_mcc_cursor link; + krb5_mcc_link *link; krb5_timestamp changetime; /* Time offsets for clock-skewed clients. */ krb5_int32 time_offset; krb5_int32 usec_offset; + int refcount; /* One for the table slot, one per handle */ + int generation; /* Incremented at each initialize */ } krb5_mcc_data; -/* List of memory caches. */ -typedef struct krb5_mcc_list_node { - struct krb5_mcc_list_node *next; - krb5_mcc_data *cache; -} krb5_mcc_list_node; +/* Iterator over credentials in a memory cache. */ +struct mcc_cursor { + int generation; + krb5_mcc_link *next_link; +}; /* Iterator over memory caches. */ struct krb5_mcc_ptcursor_data { - struct krb5_mcc_list_node *cur; + krb5_boolean first; }; k5_cc_mutex krb5int_mcc_mutex = K5_CC_MUTEX_PARTIAL_INITIALIZER; -static krb5_mcc_list_node *mcc_head = 0; +static struct k5_hashtab *mcc_hashtab = NULL; static void update_mcc_change_time(krb5_mcc_data *); -static void krb5_mcc_free (krb5_context context, krb5_ccache id); +/* Ensure that mcc_hashtab is initialized. Call with krb5int_mcc_mutex + * locked. */ +static krb5_error_code +init_table(krb5_context context) +{ + krb5_error_code ret; + uint8_t seed[K5_HASH_SEED_LEN]; + krb5_data d = make_data(seed, sizeof(seed)); + + if (mcc_hashtab != NULL) + return 0; + ret = krb5_c_random_make_octets(context, &d); + if (ret) + return ret; + return k5_hashtab_create(seed, 64, &mcc_hashtab); +} + +/* Remove creds from d, invalidate any existing cursors, and unset the client + * principal. The caller is responsible for locking. */ +static void +empty_mcc_cache(krb5_context context, krb5_mcc_data *d) +{ + krb5_mcc_link *curr, *next; + + for (curr = d->link; curr != NULL; curr = next) { + next = curr->next; + krb5_free_creds(context, curr->creds); + free(curr); + } + d->link = NULL; + d->generation++; + krb5_free_principal(context, d->prin); + d->prin = NULL; +} /* * Modifies: @@ -150,16 +186,12 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) { krb5_os_context os_ctx = &context->os_context; krb5_error_code ret; - krb5_mcc_data *d; + krb5_mcc_data *d = id->data; - d = (krb5_mcc_data *)id->data; k5_cc_mutex_lock(context, &d->lock); + empty_mcc_cache(context, d); - krb5_mcc_free(context, id); - - d = (krb5_mcc_data *)id->data; - ret = krb5_copy_principal(context, princ, - &d->prin); + ret = krb5_copy_principal(context, princ, &d->prin); update_mcc_change_time(d); if (os_ctx->os_flags & KRB5_OS_TOFFSET_VALID) { @@ -185,61 +217,51 @@ krb5_mcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) krb5_error_code KRB5_CALLCONV krb5_mcc_close(krb5_context context, krb5_ccache id) { - free(id); - return KRB5_OK; -} - -static void -krb5_mcc_free(krb5_context context, krb5_ccache id) -{ - krb5_mcc_cursor curr,next; - krb5_mcc_data *d; + krb5_mcc_data *d = id->data; + int count; - d = (krb5_mcc_data *) id->data; - for (curr = d->link; curr;) { - krb5_free_creds(context, curr->creds); - next = curr->next; - free(curr); - curr = next; + free(id); + k5_cc_mutex_lock(context, &d->lock); + count = --d->refcount; + k5_cc_mutex_unlock(context, &d->lock); + if (count == 0) { + /* This is the last active handle referencing d and d has been removed + * from the table, so we can release it. */ + empty_mcc_cache(context, d); + free(d->name); + k5_cc_mutex_destroy(&d->lock); + free(d); } - d->link = NULL; - krb5_free_principal(context, d->prin); + return KRB5_OK; } /* * Effects: * Destroys the contents of id. id is invalid after call. - * - * Errors: - * system errors (locks related) */ krb5_error_code KRB5_CALLCONV krb5_mcc_destroy(krb5_context context, krb5_ccache id) { - krb5_mcc_list_node **curr, *node; - krb5_mcc_data *d; + krb5_mcc_data *d = id->data; + krb5_boolean removed_from_table = FALSE; + /* Remove this node from the table if it is still present. */ k5_cc_mutex_lock(context, &krb5int_mcc_mutex); - - d = (krb5_mcc_data *)id->data; - for (curr = &mcc_head; *curr; curr = &(*curr)->next) { - if ((*curr)->cache == d) { - node = *curr; - *curr = node->next; - free(node); - break; - } - } + if (k5_hashtab_remove(mcc_hashtab, d->name, strlen(d->name))) + removed_from_table = TRUE; k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); + /* Empty the cache and remove the reference for the table slot. There will + * always be at least one reference left for the handle being destroyed. */ k5_cc_mutex_lock(context, &d->lock); - - krb5_mcc_free(context, id); - free(d->name); + empty_mcc_cache(context, d); + if (removed_from_table) + d->refcount--; k5_cc_mutex_unlock(context, &d->lock); - k5_cc_mutex_destroy(&d->lock); - free(d); - free(id); + + /* Invalidate the handle, possibly removing the last reference to d and + * freeing it. */ + krb5_mcc_close(context, id); krb5_change_cache (); return KRB5_OK; @@ -271,17 +293,17 @@ krb5_mcc_resolve (krb5_context context, krb5_ccache *id, const char *residual) { krb5_os_context os_ctx = &context->os_context; krb5_ccache lid; - krb5_mcc_list_node *ptr; krb5_error_code err; krb5_mcc_data *d; k5_cc_mutex_lock(context, &krb5int_mcc_mutex); - for (ptr = mcc_head; ptr; ptr=ptr->next) - if (!strcmp(ptr->cache->name, residual)) - break; - if (ptr) - d = ptr->cache; - else { + init_table(context); + d = k5_hashtab_get(mcc_hashtab, residual, strlen(residual)); + if (d != NULL) { + k5_cc_mutex_lock(context, &d->lock); + d->refcount++; + k5_cc_mutex_unlock(context, &d->lock); + } else { err = new_mcc_data(residual, &d); if (err) { k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); @@ -326,14 +348,18 @@ krb5_error_code KRB5_CALLCONV krb5_mcc_start_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - krb5_mcc_cursor mcursor; + struct mcc_cursor *mcursor; krb5_mcc_data *d; + mcursor = malloc(sizeof(*mcursor)); + if (mcursor == NULL) + return KRB5_CC_NOMEM; d = id->data; k5_cc_mutex_lock(context, &d->lock); - mcursor = d->link; + mcursor->generation = d->generation; + mcursor->next_link = d->link; k5_cc_mutex_unlock(context, &d->lock); - *cursor = (krb5_cc_cursor) mcursor; + *cursor = mcursor; return KRB5_OK; } @@ -361,23 +387,34 @@ krb5_error_code KRB5_CALLCONV krb5_mcc_next_cred(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor, krb5_creds *creds) { - krb5_mcc_cursor mcursor; + struct mcc_cursor *mcursor; krb5_error_code retval; + krb5_mcc_data *d = id->data; - /* Once the node in the linked list is created, it's never - modified, so we don't need to worry about locking here. (Note - that we don't support _remove_cred.) */ - mcursor = (krb5_mcc_cursor) *cursor; - if (mcursor == NULL) - return KRB5_CC_END; memset(creds, 0, sizeof(krb5_creds)); - if (mcursor->creds) { - retval = k5_copy_creds_contents(context, mcursor->creds, creds); - if (retval) - return retval; + mcursor = *cursor; + if (mcursor->next_link == NULL) + return KRB5_CC_END; + + /* + * Check the cursor generation against the cache generation in case the + * cache has been reinitialized or destroyed, freeing the pointer in the + * cursor. Keep the cache locked while we copy the creds and advance the + * pointer, in case another thread reinitializes the cache after we check + * the generation. + */ + k5_cc_mutex_lock(context, &d->lock); + if (mcursor->generation != d->generation) { + k5_cc_mutex_unlock(context, &d->lock); + return KRB5_CC_END; } - *cursor = (krb5_cc_cursor)mcursor->next; - return KRB5_OK; + + retval = k5_copy_creds_contents(context, mcursor->next_link->creds, creds); + if (retval == 0) + mcursor->next_link = mcursor->next_link->next; + + k5_cc_mutex_unlock(context, &d->lock); + return retval; } /* @@ -396,20 +433,23 @@ krb5_mcc_next_cred(krb5_context context, krb5_ccache id, krb5_error_code KRB5_CALLCONV krb5_mcc_end_seq_get(krb5_context context, krb5_ccache id, krb5_cc_cursor *cursor) { - *cursor = 0L; + free(*cursor); + *cursor = NULL; return KRB5_OK; } -/* Utility routine: Creates the back-end data for a memory cache, and - threads it into the global linked list. - - Call with the global list lock held. */ +/* + * Utility routine: Creates the back-end data for a memory cache, and adds it + * to the global table. Give the new object two references, one for the table + * slot and one for the caller's handle. + * + * Call with the global table lock held. + */ static krb5_error_code new_mcc_data (const char *name, krb5_mcc_data **dataptr) { krb5_error_code err; krb5_mcc_data *d; - krb5_mcc_list_node *n; d = malloc(sizeof(krb5_mcc_data)); if (d == NULL) @@ -432,20 +472,17 @@ new_mcc_data (const char *name, krb5_mcc_data **dataptr) d->changetime = 0; d->time_offset = 0; d->usec_offset = 0; + d->refcount = 2; + d->generation = 0; update_mcc_change_time(d); - n = malloc(sizeof(krb5_mcc_list_node)); - if (n == NULL) { + if (k5_hashtab_add(mcc_hashtab, d->name, strlen(d->name), d) != 0) { free(d->name); k5_cc_mutex_destroy(&d->lock); free(d); return KRB5_CC_NOMEM; } - n->cache = d; - n->next = mcc_head; - mcc_head = n; - *dataptr = d; return 0; } @@ -480,11 +517,10 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) lid->ops = &krb5_mcc_ops; k5_cc_mutex_lock(context, &krb5int_mcc_mutex); + init_table(context); /* Check for uniqueness with mutex locked to avoid race conditions */ while (1) { - krb5_mcc_list_node *ptr; - err = krb5int_random_string (context, uniquename, sizeof (uniquename)); if (err) { k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); @@ -492,12 +528,9 @@ krb5_mcc_generate_new (krb5_context context, krb5_ccache *id) return err; } - for (ptr = mcc_head; ptr; ptr=ptr->next) { - if (!strcmp(ptr->cache->name, uniquename)) { - break; /* got a match, loop again */ - } - } - if (!ptr) break; /* got to the end without finding a match */ + if (k5_hashtab_get(mcc_hashtab, uniquename, + strlen(uniquename)) == NULL) + break; } err = new_mcc_data(uniquename, &d); @@ -651,9 +684,7 @@ krb5_mcc_ptcursor_new( return ENOMEM; } n->data = cdata; - k5_cc_mutex_lock(context, &krb5int_mcc_mutex); - cdata->cur = mcc_head; - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); + cdata->first = TRUE; *cursor = n; return 0; } @@ -665,22 +696,19 @@ krb5_mcc_ptcursor_next( krb5_ccache *ccache) { struct krb5_mcc_ptcursor_data *cdata = NULL; + const char *defname; *ccache = NULL; cdata = cursor->data; - if (cdata->cur == NULL) + if (!cdata->first) return 0; + cdata->first = FALSE; - *ccache = malloc(sizeof(**ccache)); - if (*ccache == NULL) - return ENOMEM; + defname = krb5_cc_default_name(context); + if (defname == NULL || strncmp(defname, "MEMORY:", 7) != 0) + return 0; - (*ccache)->ops = &krb5_mcc_ops; - (*ccache)->data = cdata->cur->cache; - k5_cc_mutex_lock(context, &krb5int_mcc_mutex); - cdata->cur = cdata->cur->next; - k5_cc_mutex_unlock(context, &krb5int_mcc_mutex); - return 0; + return krb5_cc_resolve(context, defname, ccache); } static krb5_error_code KRB5_CALLCONV @@ -720,8 +748,8 @@ static void update_mcc_change_time(krb5_mcc_data *d) { krb5_timestamp now_time = time(NULL); - d->changetime = (d->changetime >= now_time) ? - d->changetime + 1 : now_time; + d->changetime = ts_after(now_time, d->changetime) ? + now_time : ts_incr(d->changetime, 1); } static krb5_error_code KRB5_CALLCONV diff --git a/src/lib/krb5/ccache/cc_mslsa.c b/src/lib/krb5/ccache/cc_mslsa.c index c741a50..0d00c86 100644 --- a/src/lib/krb5/ccache/cc_mslsa.c +++ b/src/lib/krb5/ccache/cc_mslsa.c @@ -385,6 +385,8 @@ CacheInfoEx2ToMITCred(KERB_TICKET_CACHE_INFO_EX2 *info, * not a NULL list of addresses. */ creds->addresses = (krb5_address **)malloc(sizeof(krb5_address *)); + if (creds->addresses == NULL) + return FALSE; memset(creds->addresses, 0, sizeof(krb5_address *)); return TRUE; @@ -739,13 +741,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, { NTSTATUS Status = 0; NTSTATUS SubStatus = 0; - KERB_SUBMIT_TKT_REQUEST * pSubmitRequest; + KERB_SUBMIT_TKT_REQUEST * pSubmitRequest = NULL; DWORD dwRequestLen; - krb5_auth_context auth_context; + krb5_auth_context auth_context = NULL; krb5_keyblock * keyblock = 0; krb5_replay_data replaydata; krb5_data * krb_cred = 0; krb5_error_code rc; + BOOL rv = FALSE; if (krb5_auth_con_init(context, &auth_context)) { return FALSE; @@ -765,9 +768,13 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, * that an enctype other than NULL be used. */ if (keyblock == NULL) { keyblock = (krb5_keyblock *)malloc(sizeof(krb5_keyblock)); + if (keyblock == NULL) + return FALSE; keyblock->enctype = ENCTYPE_ARCFOUR_HMAC; keyblock->length = 16; keyblock->contents = (krb5_octet *)malloc(16); + if (keyblock->contents == NULL) + goto cleanup; keyblock->contents[0] = 0xde; keyblock->contents[1] = 0xad; keyblock->contents[2] = 0xbe; @@ -787,18 +794,14 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, krb5_auth_con_setsendsubkey(context, auth_context, keyblock); } rc = krb5_mk_1cred(context, auth_context, cred, &krb_cred, &replaydata); - if (rc) { - krb5_auth_con_free(context, auth_context); - if (keyblock) - krb5_free_keyblock(context, keyblock); - if (krb_cred) - krb5_free_data(context, krb_cred); - return FALSE; - } + if (rc) + goto cleanup; dwRequestLen = sizeof(KERB_SUBMIT_TKT_REQUEST) + krb_cred->length + (keyblock ? keyblock->length : 0); pSubmitRequest = (PKERB_SUBMIT_TKT_REQUEST)malloc(dwRequestLen); + if (pSubmitRequest == NULL) + goto cleanup; memset(pSubmitRequest, 0, dwRequestLen); pSubmitRequest->MessageType = KerbSubmitTicketMessage; @@ -822,8 +825,6 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, if (keyblock) memcpy(((CHAR *)pSubmitRequest)+sizeof(KERB_SUBMIT_TKT_REQUEST)+krb_cred->length, keyblock->contents, keyblock->length); - krb5_free_data(context, krb_cred); - Status = LsaCallAuthenticationPackage( LogonHandle, PackageId, pSubmitRequest, @@ -832,15 +833,16 @@ KerbSubmitTicket( HANDLE LogonHandle, ULONG PackageId, NULL, &SubStatus ); + + rv = (!FAILED(Status) && !FAILED(SubStatus)); + +cleanup: free(pSubmitRequest); - if (keyblock) - krb5_free_keyblock(context, keyblock); + krb5_free_keyblock(context, keyblock); + krb5_free_data(context, krb_cred); krb5_auth_con_free(context, auth_context); - if (FAILED(Status) || FAILED(SubStatus)) { - return FALSE; - } - return TRUE; + return rv; } /* @@ -1636,8 +1638,8 @@ krb5_lcc_initialize(krb5_context context, krb5_ccache id, krb5_principal princ) static krb5_error_code KRB5_CALLCONV krb5_lcc_close(krb5_context context, krb5_ccache id) { - register int closeval = KRB5_OK; - register krb5_lcc_data *data; + int closeval = KRB5_OK; + krb5_lcc_data *data; if (id) { data = (krb5_lcc_data *) id->data; @@ -1663,7 +1665,7 @@ krb5_lcc_close(krb5_context context, krb5_ccache id) static krb5_error_code KRB5_CALLCONV krb5_lcc_destroy(krb5_context context, krb5_ccache id) { - register krb5_lcc_data *data; + krb5_lcc_data *data; if (id) { data = (krb5_lcc_data *) id->data; diff --git a/src/lib/krb5/ccache/cc_retr.c b/src/lib/krb5/ccache/cc_retr.c index 1314d24..2c50c9c 100644 --- a/src/lib/krb5/ccache/cc_retr.c +++ b/src/lib/krb5/ccache/cc_retr.c @@ -30,9 +30,6 @@ #define KRB5_OK 0 -#define set(bits) (whichfields & bits) -#define flags_match(a,b) (((a) & (b)) == (a)) - static int times_match_exact(const krb5_ticket_times *t1, const krb5_ticket_times *t2) { @@ -46,11 +43,11 @@ static krb5_boolean times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2) { if (t1->renew_till) { - if (t1->renew_till > t2->renew_till) + if (ts_after(t1->renew_till, t2->renew_till)) return FALSE; /* this one expires too late */ } if (t1->endtime) { - if (t1->endtime > t2->endtime) + if (ts_after(t1->endtime, t2->endtime)) return FALSE; /* this one expires too late */ } /* only care about expiration on a times_match */ @@ -58,30 +55,21 @@ times_match(const krb5_ticket_times *t1, const krb5_ticket_times *t2) } static krb5_boolean -standard_fields_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds) +princs_match(krb5_context context, krb5_flags whichfields, + const krb5_creds *mcreds, const krb5_creds *creds) { - return (krb5_principal_compare(context, mcreds->client,creds->client) - && krb5_principal_compare(context, mcreds->server,creds->server)); -} - -/* only match the server name portion, not the server realm portion */ + krb5_principal_data princ; -static krb5_boolean -srvname_match(krb5_context context, const krb5_creds *mcreds, const krb5_creds *creds) -{ - krb5_boolean retval; - krb5_principal_data p1, p2; - - retval = krb5_principal_compare(context, mcreds->client,creds->client); - if (retval != TRUE) - return retval; - /* - * Hack to ignore the server realm for the purposes of the compare. - */ - p1 = *mcreds->server; - p2 = *creds->server; - p1.realm = p2.realm; - return krb5_principal_compare(context, &p1, &p2); + if (!krb5_principal_compare(context, mcreds->client, creds->client)) + return FALSE; + if (whichfields & KRB5_TC_MATCH_SRV_NAMEONLY) { + /* Ignore the server realm. */ + princ = *mcreds->server; + princ.realm = creds->server->realm; + return krb5_principal_compare(context, &princ, creds->server); + } else { + return krb5_principal_compare(context, mcreds->server, creds->server); + } } static krb5_boolean @@ -162,37 +150,47 @@ pref (krb5_enctype my_ktype, int nktypes, krb5_enctype *ktypes) */ krb5_boolean -krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, krb5_creds *mcreds, krb5_creds *creds) +krb5int_cc_creds_match_request(krb5_context context, krb5_flags whichfields, + krb5_creds *mcreds, krb5_creds *creds) { - if (((set(KRB5_TC_MATCH_SRV_NAMEONLY) && - srvname_match(context, mcreds, creds)) || - standard_fields_match(context, mcreds, creds)) - && - (! set(KRB5_TC_MATCH_IS_SKEY) || - mcreds->is_skey == creds->is_skey) - && - (! set(KRB5_TC_MATCH_FLAGS_EXACT) || - mcreds->ticket_flags == creds->ticket_flags) - && - (! set(KRB5_TC_MATCH_FLAGS) || - flags_match(mcreds->ticket_flags, creds->ticket_flags)) - && - (! set(KRB5_TC_MATCH_TIMES_EXACT) || - times_match_exact(&mcreds->times, &creds->times)) - && - (! set(KRB5_TC_MATCH_TIMES) || - times_match(&mcreds->times, &creds->times)) - && - ( ! set(KRB5_TC_MATCH_AUTHDATA) || - authdata_match(mcreds->authdata, creds->authdata)) - && - (! set(KRB5_TC_MATCH_2ND_TKT) || - data_match (&mcreds->second_ticket, &creds->second_ticket)) - && - ((! set(KRB5_TC_MATCH_KTYPE))|| - (mcreds->keyblock.enctype == creds->keyblock.enctype))) - return TRUE; - return FALSE; + krb5_boolean is_skey; + + if (!princs_match(context, whichfields, mcreds, creds)) + return FALSE; + + /* Only match a user-to-user credential if explicitly asked for, since the + * ticket won't work as a regular service ticket. */ + is_skey = (whichfields & KRB5_TC_MATCH_IS_SKEY) ? mcreds->is_skey : FALSE; + if (creds->is_skey != is_skey) + return FALSE; + + if ((whichfields & KRB5_TC_MATCH_FLAGS_EXACT) && + mcreds->ticket_flags != creds->ticket_flags) + return FALSE; + if ((whichfields & KRB5_TC_MATCH_FLAGS) && + (creds->ticket_flags & mcreds->ticket_flags) != mcreds->ticket_flags) + return FALSE; + + if ((whichfields & KRB5_TC_MATCH_TIMES_EXACT) && + !times_match_exact(&mcreds->times, &creds->times)) + return FALSE; + if ((whichfields & KRB5_TC_MATCH_TIMES) && + !times_match(&mcreds->times, &creds->times)) + return FALSE; + + if ((whichfields & KRB5_TC_MATCH_AUTHDATA) && + !authdata_match(mcreds->authdata, creds->authdata)) + return FALSE; + + if ((whichfields & KRB5_TC_MATCH_2ND_TKT) && + !data_match(&mcreds->second_ticket, &creds->second_ticket)) + return FALSE; + + if ((whichfields & KRB5_TC_MATCH_KTYPE) && + mcreds->keyblock.enctype != creds->keyblock.enctype) + return FALSE; + + return TRUE; } static krb5_error_code @@ -211,7 +209,6 @@ krb5_cc_retrieve_cred_seq (krb5_context context, krb5_ccache id, int pref; } fetched, best; int have_creds = 0; - krb5_flags oflags = 0; #define fetchcreds (fetched.creds) kret = krb5_cc_start_seq_get(context, id, &cursor); diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c index 0256a0a..db69eeb 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc.c +++ b/src/lib/krb5/ccache/ccapi/stdcc.c @@ -1300,14 +1300,6 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_initialize return cc_err_xlate(err); } -#if 0 - /* - * Some implementations don't set the principal name - * correctly, so we force set it to the correct value. - */ - err = cc_set_principal(gCntrlBlock, ccapi_data->NamedCache, - CC_CRED_V5, cName); -#endif krb5_free_unparsed_name(context, cName); cache_changed(); @@ -1432,54 +1424,6 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_next_cred * * - try to find a matching credential in the cache */ -#if 0 -krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve -(krb5_context context, - krb5_ccache id, - krb5_flags whichfields, - krb5_creds *mcreds, - krb5_creds *creds ) -{ - krb5_error_code retval; - krb5_cc_cursor curs = NULL; - krb5_creds *fetchcreds; - - if ((retval = stdcc_setup(context, NULL))) - return retval; - - fetchcreds = (krb5_creds *)malloc(sizeof(krb5_creds)); - if (fetchcreds == NULL) return KRB5_CC_NOMEM; - - /* we're going to use the iterators */ - krb5_stdcc_start_seq_get(context, id, &curs); - - while (!krb5_stdcc_next_cred(context, id, &curs, fetchcreds)) { - /* - * look at each credential for a match - * use this match routine since it takes the - * whichfields and the API doesn't - */ - if (stdccCredsMatch(context, fetchcreds, - mcreds, whichfields)) { - /* we found it, copy and exit */ - *creds = *fetchcreds; - krb5_stdcc_end_seq_get(context, id, &curs); - return 0; - } - /* free copy allocated by next_cred */ - krb5_free_cred_contents(context, fetchcreds); - } - - /* no luck, end get and exit */ - krb5_stdcc_end_seq_get(context, id, &curs); - - /* we're not using this anymore so we should get rid of it! */ - free(fetchcreds); - - return KRB5_CC_NOTFOUND; -} -#else - krb5_error_code KRB5_CALLCONV krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds) krb5_context context; @@ -1492,8 +1436,6 @@ krb5_stdcc_retrieve(context, id, whichfields, mcreds, creds) creds); } -#endif - /* * end seq * diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c index 9f44af3..62d847c 100644 --- a/src/lib/krb5/ccache/ccapi/stdcc_util.c +++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c @@ -16,8 +16,8 @@ #include #endif +#include "k5-int.h" #include "stdcc_util.h" -#include "krb5.h" #ifdef _WIN32 /* it's part of krb5.h everywhere else */ #include "kv5m_err.h" #endif @@ -321,10 +321,10 @@ copy_cc_cred_union_to_krb5_creds (krb5_context in_context, keyblock_contents = NULL; /* copy times */ - out_creds->times.authtime = cv5->authtime + offset_seconds; - out_creds->times.starttime = cv5->starttime + offset_seconds; - out_creds->times.endtime = cv5->endtime + offset_seconds; - out_creds->times.renew_till = cv5->renew_till + offset_seconds; + out_creds->times.authtime = ts_incr(cv5->authtime, offset_seconds); + out_creds->times.starttime = ts_incr(cv5->starttime, offset_seconds); + out_creds->times.endtime = ts_incr(cv5->endtime, offset_seconds); + out_creds->times.renew_till = ts_incr(cv5->renew_till, offset_seconds); out_creds->is_skey = cv5->is_skey; out_creds->ticket_flags = cv5->ticket_flags; @@ -451,11 +451,11 @@ copy_krb5_creds_to_cc_cred_union (krb5_context in_context, cv5->keyblock.data = keyblock_data; keyblock_data = NULL; - cv5->authtime = in_creds->times.authtime - offset_seconds; - cv5->starttime = in_creds->times.starttime - offset_seconds; - cv5->endtime = in_creds->times.endtime - offset_seconds; - cv5->renew_till = in_creds->times.renew_till - offset_seconds; - cv5->is_skey = in_creds->is_skey; + cv5->authtime = ts_incr(in_creds->times.authtime, -offset_seconds); + cv5->starttime = ts_incr(in_creds->times.starttime, -offset_seconds); + cv5->endtime = ts_incr(in_creds->times.endtime, -offset_seconds); + cv5->renew_till = ts_incr(in_creds->times.renew_till, -offset_seconds); + cv5->is_skey = in_creds->is_skey; cv5->ticket_flags = in_creds->ticket_flags; if (in_creds->ticket.data) { @@ -732,10 +732,10 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest) err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds); if (err) return; #endif - dest->times.authtime = src->authtime + offset_seconds; - dest->times.starttime = src->starttime + offset_seconds; - dest->times.endtime = src->endtime + offset_seconds; - dest->times.renew_till = src->renew_till + offset_seconds; + dest->times.authtime = ts_incr(src->authtime, offset_seconds); + dest->times.starttime = ts_incr(src->starttime, offset_seconds); + dest->times.endtime = ts_incr(src->endtime, offset_seconds); + dest->times.renew_till = ts_incr(src->renew_till, offset_seconds); dest->is_skey = src->is_skey; dest->ticket_flags = src->ticket_flags; @@ -804,10 +804,10 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu) err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds); if (err) return; #endif - c->authtime = creds->times.authtime - offset_seconds; - c->starttime = creds->times.starttime - offset_seconds; - c->endtime = creds->times.endtime - offset_seconds; - c->renew_till = creds->times.renew_till - offset_seconds; + c->authtime = ts_incr(creds->times.authtime, -offset_seconds); + c->starttime = ts_incr(creds->times.starttime, -offset_seconds); + c->endtime = ts_incr(creds->times.endtime, -offset_seconds); + c->renew_till = ts_incr(creds->times.renew_till, -offset_seconds); c->is_skey = creds->is_skey; c->ticket_flags = creds->ticket_flags; @@ -921,15 +921,15 @@ cc_int32 krb5int_free_cc_cred_union (cred_union** creds) */ static krb5_boolean times_match(t1, t2) - register const krb5_ticket_times *t1; - register const krb5_ticket_times *t2; + const krb5_ticket_times *t1; + const krb5_ticket_times *t2; { if (t1->renew_till) { - if (t1->renew_till > t2->renew_till) + if (ts_after(t1->renew_till, t2->renew_till)) return FALSE; /* this one expires too late */ } if (t1->endtime) { - if (t1->endtime > t2->endtime) + if (ts_after(t1->endtime, t2->endtime)) return FALSE; /* this one expires too late */ } /* only care about expiration on a times_match */ @@ -938,7 +938,7 @@ times_match(t1, t2) static krb5_boolean times_match_exact (t1, t2) - register const krb5_ticket_times *t1, *t2; + const krb5_ticket_times *t1, *t2; { return (t1->authtime == t2->authtime && t1->starttime == t2->starttime @@ -949,7 +949,7 @@ times_match_exact (t1, t2) static krb5_boolean standard_fields_match(context, mcreds, creds) krb5_context context; - register const krb5_creds *mcreds, *creds; + const krb5_creds *mcreds, *creds; { return (krb5_principal_compare(context, mcreds->client,creds->client) && krb5_principal_compare(context, mcreds->server,creds->server)); @@ -960,7 +960,7 @@ standard_fields_match(context, mcreds, creds) static krb5_boolean srvname_match(context, mcreds, creds) krb5_context context; - register const krb5_creds *mcreds, *creds; + const krb5_creds *mcreds, *creds; { krb5_boolean retval; krb5_principal_data p1, p2; @@ -1008,7 +1008,7 @@ authdata_match(mdata, data) static krb5_boolean data_match(data1, data2) - register const krb5_data *data1, *data2; + const krb5_data *data1, *data2; { if (!data1) { if (!data2) diff --git a/src/lib/krb5/ccache/ccapi/winccld.h b/src/lib/krb5/ccache/ccapi/winccld.h index 85017ab..df34e33 100644 --- a/src/lib/krb5/ccache/ccapi/winccld.h +++ b/src/lib/krb5/ccache/ccapi/winccld.h @@ -85,24 +85,10 @@ DECL_FUNC_PTR(cc_create); DECL_FUNC_PTR(cc_open); DECL_FUNC_PTR(cc_close); DECL_FUNC_PTR(cc_destroy); -#if 0 /* Not used */ -#ifdef CC_API_VER2 -DECL_FUNC_PTR(cc_seq_fetch_NCs_begin); -DECL_FUNC_PTR(cc_seq_fetch_NCs_next); -DECL_FUNC_PTR(cc_seq_fetch_NCs_end); -#else -DECL_FUNC_PTR(cc_seq_fetch_NCs); -#endif -DECL_FUNC_PTR(cc_get_NC_info); -DECL_FUNC_PTR(cc_free_NC_info); -#endif DECL_FUNC_PTR(cc_get_name); DECL_FUNC_PTR(cc_set_principal); DECL_FUNC_PTR(cc_get_principal); DECL_FUNC_PTR(cc_get_cred_version); -#if 0 /* Not used */ -DECL_FUNC_PTR(cc_lock_request); -#endif DECL_FUNC_PTR(cc_store); DECL_FUNC_PTR(cc_remove_cred); #ifdef CC_API_VER2 @@ -127,18 +113,10 @@ FUNC_INFO krbcc_fi[] = { MAKE_FUNC_INFO(cc_open), MAKE_FUNC_INFO(cc_close), MAKE_FUNC_INFO(cc_destroy), -#if 0 /* Not used */ - MAKE_FUNC_INFO(cc_seq_fetch_NCs), - MAKE_FUNC_INFO(cc_get_NC_info), - MAKE_FUNC_INFO(cc_free_NC_info), -#endif MAKE_FUNC_INFO(cc_get_name), MAKE_FUNC_INFO(cc_set_principal), MAKE_FUNC_INFO(cc_get_principal), MAKE_FUNC_INFO(cc_get_cred_version), -#if 0 /* Not used */ - MAKE_FUNC_INFO(cc_lock_request), -#endif MAKE_FUNC_INFO(cc_store), MAKE_FUNC_INFO(cc_remove_cred), #ifdef CC_API_VER2 @@ -166,24 +144,10 @@ FUNC_INFO krbcc_fi[] = { #define cc_open pcc_open #define cc_close pcc_close #define cc_destroy pcc_destroy -#if 0 /* Not used */ -#ifdef CC_API_VER2 -#define cc_seq_fetch_NCs_begin pcc_seq_fetch_NCs_begin -#define cc_seq_fetch_NCs_next pcc_seq_fetch_NCs_next -#define cc_seq_fetch_NCs_end pcc_seq_fetch_NCs_end -#else -#define cc_seq_fetch_NCs pcc_seq_fetch_NCs -#endif -#define cc_get_NC_info pcc_get_NC_info -#define cc_free_NC_info pcc_free_NC_info -#endif /* End of Not used */ #define cc_get_name pcc_get_name #define cc_set_principal pcc_set_principal #define cc_get_principal pcc_get_principal #define cc_get_cred_version pcc_get_cred_version -#if 0 /* Not used */ -#define cc_lock_request pcc_lock_request -#endif #define cc_store pcc_store #define cc_remove_cred pcc_remove_cred #ifdef CC_API_VER2 diff --git a/src/lib/krb5/ccache/cccursor.c b/src/lib/krb5/ccache/cccursor.c index c31a3f5..506a27c 100644 --- a/src/lib/krb5/ccache/cccursor.c +++ b/src/lib/krb5/ccache/cccursor.c @@ -159,7 +159,7 @@ krb5_cccol_last_change_time(krb5_context context, ret = krb5_cccol_cursor_next(context, c, &ccache); if (ccache) { ret = krb5_cc_last_change_time(context, ccache, &last_time); - if (!ret && last_time > max_change_time) { + if (!ret && ts_after(last_time, max_change_time)) { max_change_time = last_time; } ret = 0; @@ -230,14 +230,37 @@ save_first_error(krb5_context context, krb5_error_code code, k5_save_ctx_error(context, code, errsave); } +/* Return 0 if cache contains any non-config credentials. Return KRB5_CC_END + * if it does not, or another error if we failed to read through it. */ +static krb5_error_code +has_content(krb5_context context, krb5_ccache cache) +{ + krb5_error_code ret; + krb5_boolean found = FALSE; + krb5_cc_cursor cache_cursor; + krb5_creds creds; + + ret = krb5_cc_start_seq_get(context, cache, &cache_cursor); + if (ret) + return ret; + while (!found) { + ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds); + if (ret) + break; + if (!krb5_is_config_principal(context, creds.server)) + found = TRUE; + krb5_free_cred_contents(context, &creds); + } + krb5_cc_end_seq_get(context, cache, &cache_cursor); + return ret; +} + krb5_error_code KRB5_CALLCONV krb5_cccol_have_content(krb5_context context) { krb5_error_code ret; krb5_cccol_cursor col_cursor; - krb5_cc_cursor cache_cursor; krb5_ccache cache; - krb5_creds creds; krb5_boolean found = FALSE; struct errinfo errsave = EMPTY_ERRINFO; const char *defname; @@ -252,24 +275,10 @@ krb5_cccol_have_content(krb5_context context) save_first_error(context, ret, &errsave); if (ret || cache == NULL) break; - - ret = krb5_cc_start_seq_get(context, cache, &cache_cursor); + ret = has_content(context, cache); save_first_error(context, ret, &errsave); - if (ret) { - krb5_cc_close(context, cache); - continue; - } - while (!found) { - ret = krb5_cc_next_cred(context, cache, &cache_cursor, &creds); - save_first_error(context, ret, &errsave); - if (ret) - break; - - if (!krb5_is_config_principal(context, creds.server)) - found = TRUE; - krb5_free_cred_contents(context, &creds); - } - krb5_cc_end_seq_get(context, cache, &cache_cursor); + if (!ret) + found = TRUE; krb5_cc_close(context, cache); } krb5_cccol_cursor_free(context, &col_cursor); diff --git a/src/lib/krb5/ccache/ccmarshal.c b/src/lib/krb5/ccache/ccmarshal.c index bd6d309..ae634cc 100644 --- a/src/lib/krb5/ccache/ccmarshal.c +++ b/src/lib/krb5/ccache/ccmarshal.c @@ -100,8 +100,8 @@ * second value when reading it. */ -#include "k5-input.h" #include "cc-int.h" +#include "k5-input.h" /* Read a 16-bit integer in host byte order for versions 1 and 2, or in * big-endian byte order for later versions.*/ diff --git a/src/lib/krb5/ccache/ccselect.c b/src/lib/krb5/ccache/ccselect.c index 2f3071a..6c360e1 100644 --- a/src/lib/krb5/ccache/ccselect.c +++ b/src/lib/krb5/ccache/ccselect.c @@ -71,6 +71,11 @@ load_modules(krb5_context context) if (ret != 0) goto cleanup; + ret = k5_plugin_register(context, PLUGIN_INTERFACE_CCSELECT, "hostname", + ccselect_hostname_initvt); + if (ret != 0) + goto cleanup; + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CCSELECT, &modules); if (ret != 0) goto cleanup; @@ -115,14 +120,6 @@ cleanup: return ret; } -static krb5_error_code -choose(krb5_context context, struct ccselect_module_handle *h, - krb5_principal server, krb5_ccache *cache_out, - krb5_principal *princ_out) -{ - return h->vt.choose(context, h->data, server, cache_out, princ_out); -} - krb5_error_code KRB5_CALLCONV krb5_cc_select(krb5_context context, krb5_principal server, krb5_ccache *cache_out, krb5_principal *princ_out) @@ -132,6 +129,8 @@ krb5_cc_select(krb5_context context, krb5_principal server, struct ccselect_module_handle **hp, *h; krb5_ccache cache; krb5_principal princ; + krb5_principal srvcp = NULL; + char **fbrealms = NULL; *cache_out = NULL; *princ_out = NULL; @@ -139,7 +138,27 @@ krb5_cc_select(krb5_context context, krb5_principal server, if (context->ccselect_handles == NULL) { ret = load_modules(context); if (ret) - return ret; + goto cleanup; + } + + /* Try to use the fallback host realm for the server if there is no + * authoritative realm. */ + if (krb5_is_referral_realm(&server->realm) && + server->type == KRB5_NT_SRV_HST && server->length == 2) { + ret = krb5_get_fallback_host_realm(context, &server->data[1], + &fbrealms); + if (ret) + goto cleanup; + + /* Make a copy with the first fallback realm. */ + ret = krb5_copy_principal(context, server, &srvcp); + if (ret) + goto cleanup; + ret = krb5_set_principal_realm(context, srvcp, fbrealms[0]); + if (ret) + goto cleanup; + + server = srvcp; } /* Consult authoritative modules first, then heuristic ones. */ @@ -149,26 +168,31 @@ krb5_cc_select(krb5_context context, krb5_principal server, h = *hp; if (h->priority != priority) continue; - ret = choose(context, h, server, &cache, &princ); + ret = h->vt.choose(context, h->data, server, &cache, &princ); if (ret == 0) { TRACE_CCSELECT_MODCHOICE(context, h->vt.name, server, cache, princ); *cache_out = cache; *princ_out = princ; - return 0; + goto cleanup; } else if (ret == KRB5_CC_NOTFOUND) { TRACE_CCSELECT_MODNOTFOUND(context, h->vt.name, server, princ); *princ_out = princ; - return ret; + goto cleanup; } else if (ret != KRB5_PLUGIN_NO_HANDLE) { TRACE_CCSELECT_MODFAIL(context, h->vt.name, ret, server); - return ret; + goto cleanup; } } } TRACE_CCSELECT_NOTFOUND(context, server); - return KRB5_CC_NOTFOUND; + ret = KRB5_CC_NOTFOUND; + +cleanup: + krb5_free_principal(context, srvcp); + krb5_free_host_realm(context, fbrealms); + return ret; } void diff --git a/src/lib/krb5/ccache/ccselect_hostname.c b/src/lib/krb5/ccache/ccselect_hostname.c new file mode 100644 index 0000000..475cfab --- /dev/null +++ b/src/lib/krb5/ccache/ccselect_hostname.c @@ -0,0 +1,146 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/ccache/ccselect_hostname.c - hostname ccselect module */ +/* + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "cc-int.h" +#include +#include + +/* Swap a and b, using tmp as an intermediate. */ +#define SWAP(a, b, tmp) \ + tmp = a; \ + a = b; \ + b = tmp; + +static krb5_error_code +hostname_init(krb5_context context, krb5_ccselect_moddata *data_out, + int *priority_out) +{ + *data_out = NULL; + *priority_out = KRB5_CCSELECT_PRIORITY_HEURISTIC; + return 0; +} + +static krb5_error_code +hostname_choose(krb5_context context, krb5_ccselect_moddata data, + krb5_principal server, krb5_ccache *ccache_out, + krb5_principal *princ_out) +{ + krb5_error_code ret; + char *p, *host = NULL; + size_t hostlen; + krb5_cccol_cursor col_cursor; + krb5_ccache ccache, tmp_ccache, best_ccache = NULL; + krb5_principal princ, tmp_princ, best_princ = NULL; + krb5_data domain; + + *ccache_out = NULL; + *princ_out = NULL; + + if (server->type != KRB5_NT_SRV_HST || server->length < 2) + return KRB5_PLUGIN_NO_HANDLE; + + /* Compute upper-case hostname. */ + hostlen = server->data[1].length; + host = k5memdup0(server->data[1].data, hostlen, &ret); + if (host == NULL) + return ret; + for (p = host; *p != '\0'; p++) { + if (islower(*p)) + *p = toupper(*p); + } + + /* Scan the collection for a cache with a client principal whose realm is + * the longest tail of the server hostname. */ + ret = krb5_cccol_cursor_new(context, &col_cursor); + if (ret) + goto done; + + for (ret = krb5_cccol_cursor_next(context, col_cursor, &ccache); + ret == 0 && ccache != NULL; + ret = krb5_cccol_cursor_next(context, col_cursor, &ccache)) { + ret = krb5_cc_get_principal(context, ccache, &princ); + if (ret) { + krb5_cc_close(context, ccache); + break; + } + + /* Check for a longer match than we have. */ + domain = make_data(host, hostlen); + while (best_princ == NULL || + best_princ->realm.length < domain.length) { + if (data_eq(princ->realm, domain)) { + SWAP(best_ccache, ccache, tmp_ccache); + SWAP(best_princ, princ, tmp_princ); + break; + } + + /* Try the next parent domain. */ + p = memchr(domain.data, '.', domain.length); + if (p == NULL) + break; + domain = make_data(p + 1, hostlen - (p + 1 - host)); + } + + if (ccache != NULL) + krb5_cc_close(context, ccache); + krb5_free_principal(context, princ); + } + + krb5_cccol_cursor_free(context, &col_cursor); + + if (best_ccache != NULL) { + *ccache_out = best_ccache; + *princ_out = best_princ; + } else { + ret = KRB5_PLUGIN_NO_HANDLE; + } + +done: + free(host); + return ret; +} + +krb5_error_code +ccselect_hostname_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_ccselect_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_ccselect_vtable)vtable; + vt->name = "hostname"; + vt->init = hostname_init; + vt->choose = hostname_choose; + return 0; +} diff --git a/src/lib/krb5/ccache/deps b/src/lib/krb5/ccache/deps index 9cd2e00..d05a3c1 100644 --- a/src/lib/krb5/ccache/deps +++ b/src/lib/krb5/ccache/deps @@ -78,6 +78,17 @@ ccselect.so ccselect.po $(OUTPRE)ccselect.$(OBJEXT): \ $(top_srcdir)/include/krb5/ccselect_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ cc-int.h ccselect.c +ccselect_hostname.so ccselect_hostname.po $(OUTPRE)ccselect_hostname.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/ccselect_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h cc-int.h ccselect_hostname.c ccselect_k5identity.so ccselect_k5identity.po $(OUTPRE)ccselect_k5identity.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -133,13 +144,14 @@ cc_file.so cc_file.po $(OUTPRE)cc_file.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/socket-utils.h cc-int.h cc_file.c cc_kcm.so cc_kcm.po $(OUTPRE)cc_kcm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kcm.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../os/os-proto.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kcm.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h cc-int.h cc_kcm.c cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): \ @@ -147,12 +159,13 @@ cc_memory.so cc_memory.po $(OUTPRE)cc_memory.$(OBJEXT): \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../krb/int-proto.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h cc-int.h cc_memory.c + $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + cc-int.h cc_memory.c cc_keyring.so cc_keyring.po $(OUTPRE)cc_keyring.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/krb5/ccache/t_cc.c b/src/lib/krb5/ccache/t_cc.c index 6069cab..cd4569c 100644 --- a/src/lib/krb5/ccache/t_cc.c +++ b/src/lib/krb5/ccache/t_cc.c @@ -386,6 +386,55 @@ test_misc(krb5_context context) krb5_cc_dfl_ops = ops_save; } + +/* + * Regression tests for #8202. Because memory ccaches share objects between + * different handles to the same cache and between iterators and caches, + * historically there have been some bugs when those objects are released. + */ +static void +test_memory_concurrent(krb5_context context) +{ + krb5_error_code kret; + krb5_ccache id1, id2; + krb5_cc_cursor cursor; + krb5_creds creds; + + /* Create two handles to the same memory ccache and destroy them. */ + kret = krb5_cc_resolve(context, "MEMORY:x", &id1); + CHECK(kret, "resolve 1"); + kret = krb5_cc_resolve(context, "MEMORY:x", &id2); + CHECK(kret, "resolve 2"); + kret = krb5_cc_destroy(context, id1); + CHECK(kret, "destroy 1"); + kret = krb5_cc_destroy(context, id2); + CHECK(kret, "destroy 2"); + + kret = init_test_cred(context); + CHECK(kret, "init_creds"); + + /* Reinitialize the cache after creating an iterator for it, and verify + * that the iterator ends gracefully. */ + kret = krb5_cc_resolve(context, "MEMORY:x", &id1); + CHECK(kret, "resolve"); + kret = krb5_cc_initialize(context, id1, test_creds.client); + CHECK(kret, "initialize"); + kret = krb5_cc_store_cred(context, id1, &test_creds); + CHECK(kret, "store"); + kret = krb5_cc_start_seq_get(context, id1, &cursor); + CHECK(kret, "start_seq_get"); + kret = krb5_cc_initialize(context, id1, test_creds.client); + CHECK(kret, "initialize again"); + kret = krb5_cc_next_cred(context, id1, &cursor, &creds); + CHECK_BOOL(kret != KRB5_CC_END, "iterator should end", "next_cred"); + kret = krb5_cc_end_seq_get(context, id1, &cursor); + CHECK(kret, "end_seq_get"); + kret = krb5_cc_destroy(context, id1); + CHECK(kret, "destroy"); + + free_test_cred(context); +} + extern const krb5_cc_ops krb5_mcc_ops; extern const krb5_cc_ops krb5_fcc_ops; @@ -434,6 +483,8 @@ main(void) do_test(context, "MEMORY:"); do_test(context, "FILE:"); + test_memory_concurrent(context); + krb5_free_context(context); return 0; } diff --git a/src/lib/krb5/ccache/t_cccol.py b/src/lib/krb5/ccache/t_cccol.py index f7f1785..7dfe05b 100755 --- a/src/lib/krb5/ccache/t_cccol.py +++ b/src/lib/krb5/ccache/t_cccol.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_kdb=False) @@ -81,28 +80,34 @@ def cursor_test(testname, args, expected): 'Expected output:\n\n' + '\n'.join(expected) + '\n\n' + 'Actual output:\n\n' + '\n'.join(outlines)) +mark('FILE cursor') fccname = 'FILE:%s' % realm.ccache cursor_test('file-default', [], [fccname]) cursor_test('file-default2', [realm.ccache], [fccname]) cursor_test('file-default3', [fccname], [fccname]) +mark('DIR cursor') cursor_test('dir', [dccname], [duser, dalice, dbob]) cursor_test('dir-subsidiary', [duser], [duser]) cursor_test('dir-nofile', [dnoent], []) if test_keyring: + mark('KEYRING cursor') cursor_test('keyring', [krccname], [kruser, kralice, krbob]) cursor_test('keyring-subsidiary', [kruser], [kruser]) cursor_test('keyring-noent', [krnoent], []) +mark('MEMORY cursor') mfoo = 'MEMORY:foo' mbar = 'MEMORY:bar' -cursor_test('filemem', [fccname, mfoo, mbar], [fccname, mfoo, mbar]) -cursor_test('dirmem', [dccname, mfoo], [duser, dalice, dbob, mfoo]) +cursor_test('filemem', [fccname, mfoo], [fccname]) +cursor_test('dirmem', [dccname, mfoo], [duser, dalice, dbob]) +cursor_test('mem', [mfoo, mbar], [mfoo]) if test_keyring: - cursor_test('keyringmem', [krccname, mfoo], [kruser, kralice, krbob, mfoo]) + cursor_test('keyringmem', [krccname, mfoo], [kruser, kralice, krbob]) # Test krb5_cccol_have_content. +mark('krb5_cccol_have_content') realm.run(['./t_cccursor', dccname, 'CONTENT']) realm.run(['./t_cccursor', fccname, 'CONTENT']) realm.run(['./t_cccursor', realm.ccache, 'CONTENT']) @@ -112,6 +117,7 @@ if test_keyring: cleanup_keyring('@s', col_ringname) # Make sure FILE doesn't yield a nonexistent default cache. +mark('FILE nonexistent') realm.run([kdestroy]) cursor_test('noexist', [], []) realm.run(['./t_cccursor', fccname, 'CONTENT'], expected_code=1) diff --git a/src/lib/krb5/keytab/kt_file.c b/src/lib/krb5/keytab/kt_file.c index 6a42f26..89cb686 100644 --- a/src/lib/krb5/keytab/kt_file.c +++ b/src/lib/krb5/keytab/kt_file.c @@ -264,9 +264,11 @@ more_recent(const krb5_keytab_entry *k1, const krb5_keytab_entry *k2) * limitations (8-bit kvno storage), pre-1.14 kadmin protocol limitations * (8-bit kvno marshalling), or KDB limitations (16-bit kvno storage). */ - if (k1->timestamp >= k2->timestamp && k1->vno < 128 && k2->vno > 240) + if (!ts_after(k2->timestamp, k1->timestamp) && + k1->vno < 128 && k2->vno > 240) return TRUE; - if (k1->timestamp <= k2->timestamp && k1->vno > 240 && k2->vno < 128) + if (!ts_after(k1->timestamp, k2->timestamp) && + k1->vno > 240 && k2->vno < 128) return FALSE; /* Otherwise do a simple version comparison. */ @@ -357,7 +359,7 @@ krb5_ktfile_get_entry(krb5_context context, krb5_keytab id, } - if (kvno == IGNORE_VNO) { + if (kvno == IGNORE_VNO || new_entry.vno == IGNORE_VNO) { /* If this entry is more recent (or the first match), free the * current and keep the new. Otherwise, free the new. */ if (cur_entry.principal == NULL || @@ -1180,7 +1182,7 @@ krb5_ktfileint_internal_read_entry(krb5_context context, krb5_keytab id, krb5_ke unsigned int u_count, u_princ_size; krb5_int16 enctype; krb5_int16 princ_size; - register int i; + int i; krb5_int32 size; krb5_int32 start_pos, pos; krb5_error_code error; diff --git a/src/lib/krb5/keytab/kt_memory.c b/src/lib/krb5/keytab/kt_memory.c index e89fdcb..8824adf 100644 --- a/src/lib/krb5/keytab/kt_memory.c +++ b/src/lib/krb5/keytab/kt_memory.c @@ -403,7 +403,7 @@ krb5_mkt_get_entry(krb5_context context, krb5_keytab id, continue; } - if (kvno == IGNORE_VNO) { + if (kvno == IGNORE_VNO || entry->vno == IGNORE_VNO) { if (match == NULL) match = entry; else if (entry->vno > match->vno) diff --git a/src/lib/krb5/keytab/kt_srvtab.c b/src/lib/krb5/keytab/kt_srvtab.c index caa0158..bbfaadf 100644 --- a/src/lib/krb5/keytab/kt_srvtab.c +++ b/src/lib/krb5/keytab/kt_srvtab.c @@ -205,7 +205,7 @@ krb5_ktsrvtab_get_entry(krb5_context context, krb5_keytab id, krb5_const_princip while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) { ent.key.enctype = enctype; if (krb5_principal_compare(context, principal, ent.principal)) { - if (kvno == IGNORE_VNO) { + if (kvno == IGNORE_VNO || ent.vno == IGNORE_VNO) { if (!best_entry.principal || (best_entry.vno < ent.vno)) { krb5_kt_free_entry(context, &best_entry); best_entry = ent; diff --git a/src/lib/krb5/keytab/t_keytab.c b/src/lib/krb5/keytab/t_keytab.c index 80a94ea..c845596 100644 --- a/src/lib/krb5/keytab/t_keytab.c +++ b/src/lib/krb5/keytab/t_keytab.c @@ -441,16 +441,3 @@ main(void) return 0; } - - -#if 0 -/* remove and add are functions, so that they can return NOWRITE - if not a writable keytab */ -krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry -(krb5_context, - krb5_keytab, - krb5_keytab_entry * ); - - - -#endif diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in index 0fe02a9..69b9101 100644 --- a/src/lib/krb5/krb/Makefile.in +++ b/src/lib/krb5/krb/Makefile.in @@ -55,6 +55,7 @@ STLIBOBJS= \ gen_subkey.o \ gen_save_subkey.o \ get_creds.o \ + get_etype_info.o \ get_in_tkt.o \ gic_keytab.o \ gic_opt.o \ @@ -167,6 +168,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \ $(OUTPRE)gen_subkey.$(OBJEXT) \ $(OUTPRE)gen_save_subkey.$(OBJEXT) \ $(OUTPRE)get_creds.$(OBJEXT) \ + $(OUTPRE)get_etype_info.$(OBJEXT) \ $(OUTPRE)get_in_tkt.$(OBJEXT) \ $(OUTPRE)gic_keytab.$(OBJEXT) \ $(OUTPRE)gic_opt.$(OBJEXT) \ @@ -279,6 +281,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/gen_subkey.c \ $(srcdir)/gen_save_subkey.c \ $(srcdir)/get_creds.c \ + $(srcdir)/get_etype_info.c \ $(srcdir)/get_in_tkt.c \ $(srcdir)/gic_keytab.c \ $(srcdir)/gic_opt.c \ @@ -353,6 +356,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/t_ser.c \ $(srcdir)/t_deltat.c \ $(srcdir)/t_expand.c \ + $(srcdir)/t_get_etype_info.c \ $(srcdir)/t_pac.c \ $(srcdir)/t_parse_host_string.c \ $(srcdir)/t_princ.c \ @@ -364,6 +368,7 @@ SRCS= $(srcdir)/addr_comp.c \ $(srcdir)/t_in_ccache.c \ $(srcdir)/t_response_items.c \ $(srcdir)/t_sname_match.c \ + $(srcdir)/t_valid_times.c \ $(srcdir)/t_vfy_increds.c # Someday, when we have a "maintainer mode", do this right: @@ -457,9 +462,15 @@ t_response_items: t_response_items.o response_items.o $(KRB5_BASE_DEPLIBS) t_sname_match: t_sname_match.o sname_match.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ t_sname_match.o sname_match.o $(KRB5_BASE_LIBS) +t_valid_times: t_valid_times.o valid_times.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ t_valid_times.o valid_times.o $(KRB5_BASE_LIBS) + +t_get_etype_info: t_get_etype_info.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ t_get_etype_info.o $(KRB5_BASE_LIBS) + TEST_PROGS= t_walk_rtree t_kerb t_ser t_deltat t_expand t_authdata t_pac \ - t_in_ccache t_cc_config t_copy_context \ - t_princ t_etypes t_vfy_increds t_response_items t_sname_match + t_in_ccache t_cc_config t_copy_context t_princ t_etypes t_vfy_increds \ + t_response_items t_sname_match t_valid_times t_get_etype_info check-unix: $(TEST_PROGS) $(RUN_TEST_LOCAL_CONF) ./t_kerb \ @@ -496,11 +507,13 @@ check-unix: $(TEST_PROGS) $(RUN_TEST) ./t_response_items $(RUN_TEST) ./t_copy_context $(RUN_TEST) ./t_sname_match + $(RUN_TEST) ./t_valid_times -check-pytests: t_expire_warn t_vfy_increds +check-pytests: t_expire_warn t_get_etype_info t_vfy_increds $(RUNPYTEST) $(srcdir)/t_expire_warn.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_vfy_increds.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_in_ccache_patypes.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_get_etype_info.py $(PYTESTFLAGS) check-cmocka: t_parse_host_string $(RUN_TEST) ./t_parse_host_string > /dev/null @@ -522,8 +535,11 @@ clean: $(OUTPRE)t_ad_fx_armor$(EXEEXT) $(OUTPRE)t_ad_fx_armor.$(OBJEXT) \ $(OUTPRE)t_vfy_increds$(EXEEXT) $(OUTPRE)t_vfy_increds.$(OBJEXT) \ $(OUTPRE)t_response_items$(EXEEXT) \ - $(OUTPRE)t_response_items.$(OBJEXT) $(OUTPRE)t_sname_match$(EXEEXT) \ - $(OUTPRE)t_sname_match.$(OBJEXT) \ + $(OUTPRE)t_response_items.$(OBJEXT) \ + $(OUTPRE)t_sname_match$(EXEEXT) $(OUTPRE)t_sname_match.$(OBJEXT) \ + $(OUTPRE)t_valid_times$(EXEEXT) $(OUTPRE)t_valid_times.$(OBJEXT) \ + $(OUTPRE)t_get_etype_info$(EXEEXT) \ + $(OUTPRE)t_get_etype_info.$(OBJEXT) \ $(OUTPRE)t_parse_host_string$(EXEEXT) \ $(OUTPRE)t_parse_host_string.$(OBJEXT) diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c index e9ea0ba..39c9e1e 100644 --- a/src/lib/krb5/krb/addr_order.c +++ b/src/lib/krb5/krb/addr_order.c @@ -38,7 +38,7 @@ int KRB5_CALLCONV krb5_address_order(krb5_context context, const krb5_address *addr1, const krb5_address *addr2) { int dir; - register int i; + int i; const int minlen = min(addr1->length, addr2->length); if (addr1->addrtype != addr2->addrtype) diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c index 73fd260..3f7dc23 100644 --- a/src/lib/krb5/krb/appdefault.c +++ b/src/lib/krb5/krb/appdefault.c @@ -44,6 +44,8 @@ appdefault_get(krb5_context context, const char *appname, const krb5_data *realm krb5_error_code retval; const char * realmstr = realm?realm->data:NULL; + *ret_value = NULL; + if (!context || (context->magic != KV5M_CONTEXT)) return KV5M_CONTEXT; diff --git a/src/lib/krb5/krb/authdata.c b/src/lib/krb5/krb/authdata.c index abb2ab9..7fbcfab 100644 --- a/src/lib/krb5/krb/authdata.c +++ b/src/lib/krb5/krb/authdata.c @@ -546,7 +546,7 @@ static krb5_error_code extract_cammacs(krb5_context kcontext, krb5_authdata **cammacs, const krb5_keyblock *key, krb5_authdata ***ad_out) { - krb5_error_code ret; + krb5_error_code ret = 0; krb5_authdata **list = NULL, **elements = NULL, **new_list; size_t i, n_elements, count = 0; @@ -1299,7 +1299,7 @@ krb5int_copy_authdatum(krb5_context context, void KRB5_CALLCONV krb5_free_authdata(krb5_context context, krb5_authdata **val) { - register krb5_authdata **temp; + krb5_authdata **temp; if (val == NULL) return; diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h index 1e5c084..74d663c 100644 --- a/src/lib/krb5/krb/authdata.h +++ b/src/lib/krb5/krb/authdata.h @@ -90,7 +90,8 @@ krb5_error_code k5_pac_validate_client(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, - krb5_const_principal principal); + krb5_const_principal principal, + krb5_boolean with_realm); krb5_error_code k5_pac_add_buffer(krb5_context context, diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c index c33c67d..9dc3798 100644 --- a/src/lib/krb5/krb/conv_princ.c +++ b/src/lib/krb5/krb/conv_princ.c @@ -130,8 +130,8 @@ static const struct krb_convert sconv_list[] = { * This falls in the "should have been in the ANSI C library" * category. :-) */ -static char *strnchr(register char *s, register int c, - register unsigned int n) +static char * +strnchr(char *s, int c, unsigned int n) { if (n < 1) return 0; @@ -239,8 +239,10 @@ krb5_524_conv_principal(krb5_context context, krb5_const_principal princ, realm[compo->length] = '\0'; } else { tmp_realm_len = strlen(tmp_realm); - if (tmp_realm_len > REALM_SZ - 1) + if (tmp_realm_len > REALM_SZ - 1) { + profile_release_string(tmp_realm); return KRB5_INVALID_PRINCIPAL; + } strncpy(realm, tmp_realm, tmp_realm_len); realm[tmp_realm_len] = '\0'; profile_release_string(tmp_realm); @@ -332,7 +334,7 @@ krb5_425_conv_principal(krb5_context context, const char *name, buf[sizeof(buf) - 1] = '\0'; retval = krb5_get_realm_domain(context, realm, &domain); if (retval) - return retval; + goto cleanup; if (domain) { for (cp = domain; *cp; cp++) if (isupper((unsigned char) (*cp))) @@ -349,6 +351,7 @@ krb5_425_conv_principal(krb5_context context, const char *name, not_service: retval = krb5_build_principal(context, princ, strlen(realm), realm, name, instance, NULL); +cleanup: if (iterator) profile_iterator_free (&iterator); if (full_name) profile_free_list(full_name); if (v4realms) profile_free_list(v4realms); diff --git a/src/lib/krb5/krb/copy_addrs.c b/src/lib/krb5/krb/copy_addrs.c index 494bccf..9c9bc7b 100644 --- a/src/lib/krb5/krb/copy_addrs.c +++ b/src/lib/krb5/krb/copy_addrs.c @@ -51,7 +51,7 @@ krb5_copy_addresses(krb5_context context, krb5_address *const *inaddr, krb5_addr { krb5_error_code retval; krb5_address ** tempaddr; - register unsigned int nelems = 0; + unsigned int nelems = 0; if (!inaddr) { *outaddr = 0; diff --git a/src/lib/krb5/krb/copy_auth.c b/src/lib/krb5/krb/copy_auth.c index 06a0645..ffb7ee9 100644 --- a/src/lib/krb5/krb/copy_auth.c +++ b/src/lib/krb5/krb/copy_auth.c @@ -65,7 +65,7 @@ krb5_merge_authdata(krb5_context context, { krb5_error_code retval; krb5_authdata ** tempauthdat; - register unsigned int nelems = 0, nelems2 = 0; + unsigned int nelems = 0, nelems2 = 0; *outauthdat = NULL; if (!inauthdat1 && !inauthdat2) { diff --git a/src/lib/krb5/krb/copy_princ.c b/src/lib/krb5/krb/copy_princ.c index 0d0e6a0..81b3381 100644 --- a/src/lib/krb5/krb/copy_princ.c +++ b/src/lib/krb5/krb/copy_princ.c @@ -32,7 +32,7 @@ krb5_error_code KRB5_CALLCONV krb5_copy_principal(krb5_context context, krb5_const_principal inprinc, krb5_principal *outprinc) { - register krb5_principal tempprinc; + krb5_principal tempprinc; krb5_int32 i; tempprinc = (krb5_principal)malloc(sizeof(krb5_principal_data)); diff --git a/src/lib/krb5/krb/decrypt_tk.c b/src/lib/krb5/krb/decrypt_tk.c index 51f9e8f..e848554 100644 --- a/src/lib/krb5/krb/decrypt_tk.c +++ b/src/lib/krb5/krb/decrypt_tk.c @@ -36,7 +36,8 @@ */ krb5_error_code KRB5_CALLCONV -krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, register krb5_ticket *ticket) +krb5_decrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, + krb5_ticket *ticket) { krb5_enc_tkt_part *dec_tkt_part; krb5_data scratch; diff --git a/src/lib/krb5/krb/deltat.c b/src/lib/krb5/krb/deltat.c index 2c8b90b..81f1971 100644 --- a/src/lib/krb5/krb/deltat.c +++ b/src/lib/krb5/krb/deltat.c @@ -1,8 +1,8 @@ -/* A Bison parser, made by GNU Bison 3.0.2. */ +/* A Bison parser, made by GNU Bison 3.0.4. */ /* Bison implementation for Yacc-like parsers in C - Copyright (C) 1984, 1989-1990, 2000-2013 Free Software Foundation, Inc. + Copyright (C) 1984, 1989-1990, 2000-2015 Free Software Foundation, Inc. This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -44,7 +44,7 @@ #define YYBISON 1 /* Bison version. */ -#define YYBISON_VERSION "3.0.2" +#define YYBISON_VERSION "3.0.4" /* Skeleton name. */ #define YYSKELETON_NAME "yacc.c" @@ -72,7 +72,6 @@ #ifdef __GNUC__ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wuninitialized" -#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" #endif #include "k5-int.h" @@ -153,7 +152,7 @@ static int mylex(int *intp, struct param *tmv); static int yyparse(struct param *); -#line 157 "deltat.c" /* yacc.c:339 */ +#line 156 "deltat.c" /* yacc.c:339 */ # ifndef YY_NULLPTR # if defined __cplusplus && 201103L <= __cplusplus @@ -194,14 +193,16 @@ extern int yydebug; /* Value type. */ #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED -typedef union YYSTYPE YYSTYPE; + union YYSTYPE { -#line 129 "x-deltat.y" /* yacc.c:355 */ +#line 128 "x-deltat.y" /* yacc.c:355 */ int val; -#line 204 "deltat.c" /* yacc.c:355 */ +#line 203 "deltat.c" /* yacc.c:355 */ }; + +typedef union YYSTYPE YYSTYPE; # define YYSTYPE_IS_TRIVIAL 1 # define YYSTYPE_IS_DECLARED 1 #endif @@ -214,7 +215,7 @@ int yyparse (struct param *tmv); /* Copy the second part of user declarations. */ -#line 218 "deltat.c" /* yacc.c:358 */ +#line 219 "deltat.c" /* yacc.c:358 */ #ifdef short # undef short @@ -512,9 +513,9 @@ static const yytype_uint8 yytranslate[] = /* YYRLINE[YYN] -- Source line where rule number YYN was defined. */ static const yytype_uint8 yyrline[] = { - 0, 143, 143, 144, 144, 145, 145, 146, 146, 147, - 148, 150, 151, 152, 153, 154, 155, 156, 157, 162, - 163, 166, 167, 170, 171 + 0, 142, 142, 143, 143, 144, 144, 145, 145, 146, + 147, 149, 150, 151, 152, 153, 154, 155, 156, 161, + 162, 165, 166, 169, 170 }; #endif @@ -1310,93 +1311,93 @@ yyreduce: switch (yyn) { case 6: -#line 145 "x-deltat.y" /* yacc.c:1646 */ +#line 144 "x-deltat.y" /* yacc.c:1646 */ { (yyval.val) = - (yyvsp[0].val); } -#line 1316 "deltat.c" /* yacc.c:1646 */ +#line 1317 "deltat.c" /* yacc.c:1646 */ break; case 9: -#line 147 "x-deltat.y" /* yacc.c:1646 */ +#line 146 "x-deltat.y" /* yacc.c:1646 */ { (yyval.val) = (yyvsp[0].val); } -#line 1322 "deltat.c" /* yacc.c:1646 */ +#line 1323 "deltat.c" /* yacc.c:1646 */ break; case 10: -#line 148 "x-deltat.y" /* yacc.c:1646 */ +#line 147 "x-deltat.y" /* yacc.c:1646 */ { YYERROR; } -#line 1328 "deltat.c" /* yacc.c:1646 */ +#line 1329 "deltat.c" /* yacc.c:1646 */ break; case 11: -#line 150 "x-deltat.y" /* yacc.c:1646 */ +#line 149 "x-deltat.y" /* yacc.c:1646 */ { DO ((yyvsp[-2].val), 0, 0, (yyvsp[0].val)); } -#line 1334 "deltat.c" /* yacc.c:1646 */ +#line 1335 "deltat.c" /* yacc.c:1646 */ break; case 12: -#line 151 "x-deltat.y" /* yacc.c:1646 */ +#line 150 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, (yyvsp[-2].val), 0, (yyvsp[0].val)); } -#line 1340 "deltat.c" /* yacc.c:1646 */ +#line 1341 "deltat.c" /* yacc.c:1646 */ break; case 13: -#line 152 "x-deltat.y" /* yacc.c:1646 */ +#line 151 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, 0, (yyvsp[-2].val), (yyvsp[0].val)); } -#line 1346 "deltat.c" /* yacc.c:1646 */ +#line 1347 "deltat.c" /* yacc.c:1646 */ break; case 14: -#line 153 "x-deltat.y" /* yacc.c:1646 */ +#line 152 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, 0, 0, (yyvsp[-1].val)); } -#line 1352 "deltat.c" /* yacc.c:1646 */ +#line 1353 "deltat.c" /* yacc.c:1646 */ break; case 15: -#line 154 "x-deltat.y" /* yacc.c:1646 */ +#line 153 "x-deltat.y" /* yacc.c:1646 */ { DO ((yyvsp[-6].val), (yyvsp[-4].val), (yyvsp[-2].val), (yyvsp[0].val)); } -#line 1358 "deltat.c" /* yacc.c:1646 */ +#line 1359 "deltat.c" /* yacc.c:1646 */ break; case 16: -#line 155 "x-deltat.y" /* yacc.c:1646 */ +#line 154 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, (yyvsp[-4].val), (yyvsp[-2].val), (yyvsp[0].val)); } -#line 1364 "deltat.c" /* yacc.c:1646 */ +#line 1365 "deltat.c" /* yacc.c:1646 */ break; case 17: -#line 156 "x-deltat.y" /* yacc.c:1646 */ +#line 155 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, (yyvsp[-2].val), (yyvsp[0].val), 0); } -#line 1370 "deltat.c" /* yacc.c:1646 */ +#line 1371 "deltat.c" /* yacc.c:1646 */ break; case 18: -#line 157 "x-deltat.y" /* yacc.c:1646 */ +#line 156 "x-deltat.y" /* yacc.c:1646 */ { DO ( 0, 0, 0, (yyvsp[0].val)); } -#line 1376 "deltat.c" /* yacc.c:1646 */ +#line 1377 "deltat.c" /* yacc.c:1646 */ break; case 20: -#line 163 "x-deltat.y" /* yacc.c:1646 */ +#line 162 "x-deltat.y" /* yacc.c:1646 */ { if (HOUR_NOT_OK((yyvsp[-2].val))) YYERROR; DO_SUM((yyval.val), (yyvsp[-2].val) * 3600, (yyvsp[0].val)); } -#line 1383 "deltat.c" /* yacc.c:1646 */ +#line 1384 "deltat.c" /* yacc.c:1646 */ break; case 22: -#line 167 "x-deltat.y" /* yacc.c:1646 */ +#line 166 "x-deltat.y" /* yacc.c:1646 */ { if (MIN_NOT_OK((yyvsp[-2].val))) YYERROR; DO_SUM((yyval.val), (yyvsp[-2].val) * 60, (yyvsp[0].val)); } -#line 1390 "deltat.c" /* yacc.c:1646 */ +#line 1391 "deltat.c" /* yacc.c:1646 */ break; case 23: -#line 170 "x-deltat.y" /* yacc.c:1646 */ +#line 169 "x-deltat.y" /* yacc.c:1646 */ { (yyval.val) = 0; } -#line 1396 "deltat.c" /* yacc.c:1646 */ +#line 1397 "deltat.c" /* yacc.c:1646 */ break; -#line 1400 "deltat.c" /* yacc.c:1646 */ +#line 1401 "deltat.c" /* yacc.c:1646 */ default: break; } /* User semantic actions sometimes alter yychar, and that requires @@ -1624,7 +1625,7 @@ yyreturn: #endif return yyresult; } -#line 173 "x-deltat.y" /* yacc.c:1906 */ +#line 172 "x-deltat.y" /* yacc.c:1906 */ #ifdef __GNUC__ diff --git a/src/lib/krb5/krb/deps b/src/lib/krb5/krb/deps index 6919eaf..a4a809b 100644 --- a/src/lib/krb5/krb/deps +++ b/src/lib/krb5/krb/deps @@ -468,6 +468,18 @@ get_creds.so get_creds.po $(OUTPRE)get_creds.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ fast.h get_creds.c int-proto.h +get_etype_info.so get_etype_info.po $(OUTPRE)get_etype_info.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-json.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h fast.h get_etype_info.c \ + init_creds_ctx.h int-proto.h get_in_tkt.so get_in_tkt.po $(OUTPRE)get_in_tkt.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -589,10 +601,11 @@ kfree.so kfree.po $(OUTPRE)kfree.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kfree.c + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + kfree.c libdef_parse.so libdef_parse.po $(OUTPRE)libdef_parse.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -774,12 +787,13 @@ preauth_encts.so preauth_encts.po $(OUTPRE)preauth_encts.$(OBJEXT): \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h int-proto.h preauth_encts.c + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-json.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + init_creds_ctx.h int-proto.h preauth_encts.c preauth_otp.so preauth_otp.po $(OUTPRE)preauth_otp.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -1236,8 +1250,15 @@ t_walk_rtree.so t_walk_rtree.po $(OUTPRE)t_walk_rtree.$(OBJEXT): \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ t_walk_rtree.c t_kerb.so t_kerb.po $(OUTPRE)t_kerb.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ - t_kerb.c + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h t_kerb.c t_ser.so t_ser.po $(OUTPRE)t_ser.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -1270,6 +1291,11 @@ t_expand.so t_expand.po $(OUTPRE)t_expand.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ chk_trans.c t_expand.c +t_get_etype_info.so t_get_etype_info.po $(OUTPRE)t_get_etype_info.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + t_get_etype_info.c t_pac.so t_pac.po $(OUTPRE)t_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -1283,14 +1309,14 @@ t_pac.so t_pac.po $(OUTPRE)t_pac.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ t_parse_host_string.so t_parse_host_string.po $(OUTPRE)t_parse_host_string.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - t_parse_host_string.c + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-cmocka.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h t_parse_host_string.c t_princ.so t_princ.po $(OUTPRE)t_princ.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -1389,6 +1415,17 @@ t_sname_match.so t_sname_match.po $(OUTPRE)t_sname_match.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ t_sname_match.c +t_valid_times.so t_valid_times.po $(OUTPRE)t_valid_times.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + int-proto.h t_valid_times.c t_vfy_increds.so t_vfy_increds.po $(OUTPRE)t_vfy_increds.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/krb5/krb/encrypt_tk.c b/src/lib/krb5/krb/encrypt_tk.c index 7fcd0ff..13a774f 100644 --- a/src/lib/krb5/krb/encrypt_tk.c +++ b/src/lib/krb5/krb/encrypt_tk.c @@ -39,11 +39,12 @@ */ krb5_error_code -krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, register krb5_ticket *dec_ticket) +krb5_encrypt_tkt_part(krb5_context context, const krb5_keyblock *srv_key, + krb5_ticket *dec_ticket) { krb5_data *scratch; krb5_error_code retval; - register krb5_enc_tkt_part *dec_tkt_part = dec_ticket->enc_part2; + krb5_enc_tkt_part *dec_tkt_part = dec_ticket->enc_part2; /* start by encoding the to-be-encrypted part. */ if ((retval = encode_krb5_enc_tkt_part(dec_tkt_part, &scratch))) { diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c index a217d4c..87f63b6 100644 --- a/src/lib/krb5/krb/fwd_tgt.c +++ b/src/lib/krb5/krb/fwd_tgt.c @@ -37,8 +37,9 @@ /* Get a TGT for use at the remote host */ krb5_error_code KRB5_CALLCONV krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, - char *rhost, krb5_principal client, krb5_principal server, - krb5_ccache cc, int forwardable, krb5_data *outbuf) + const char *rhost, krb5_principal client, + krb5_principal server, krb5_ccache cc, int forwardable, + krb5_data *outbuf) /* Should forwarded TGT also be forwardable? */ { krb5_replay_data replaydata; @@ -48,8 +49,8 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, krb5_creds creds, tgt; krb5_creds *pcreds; krb5_flags kdcoptions; - int close_cc = 0; - int free_rhost = 0; + krb5_ccache defcc = NULL; + char *def_rhost = NULL; krb5_enctype enctype = 0; krb5_keyblock *session_key; krb5_boolean old_use_conf_ktypes = context->use_conf_ktypes; @@ -58,9 +59,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, memset(&tgt, 0, sizeof(creds)); if (cc == 0) { - if ((retval = krb5int_cc_default(context, &cc))) + if ((retval = krb5int_cc_default(context, &defcc))) goto errout; - close_cc = 1; + cc = defcc; } retval = krb5_auth_con_getkey (context, auth_context, &session_key); if (retval) @@ -131,11 +132,11 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, goto errout; } - rhost = k5memdup0(server->data[1].data, server->data[1].length, - &retval); - if (rhost == NULL) + def_rhost = k5memdup0(server->data[1].data, server->data[1].length, + &retval); + if (def_rhost == NULL) goto errout; - free_rhost = 1; + rhost = def_rhost; } retval = k5_os_hostaddr(context, rhost, &addrs); @@ -176,10 +177,9 @@ krb5_fwd_tgt_creds(krb5_context context, krb5_auth_context auth_context, errout: if (addrs) krb5_free_addresses(context, addrs); - if (close_cc) - krb5_cc_close(context, cc); - if (free_rhost) - free(rhost); + if (defcc) + krb5_cc_close(context, defcc); + free(def_rhost); krb5_free_cred_contents(context, &creds); krb5_free_cred_contents(context, &tgt); return retval; diff --git a/src/lib/krb5/krb/gc_via_tkt.c b/src/lib/krb5/krb/gc_via_tkt.c index 4c0a1a4..3d0859b 100644 --- a/src/lib/krb5/krb/gc_via_tkt.c +++ b/src/lib/krb5/krb/gc_via_tkt.c @@ -34,7 +34,8 @@ #include "fast.h" static krb5_error_code -kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *address, +kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, + krb5_address *const *address, krb5_boolean is_skey, krb5_data *psectkt, krb5_creds **ppcreds) { krb5_error_code retval; @@ -69,7 +70,7 @@ kdcrep2creds(krb5_context context, krb5_kdc_rep *pkdcrep, krb5_address *const *a (*ppcreds)->magic = KV5M_CREDS; (*ppcreds)->authdata = NULL; /* not used */ - (*ppcreds)->is_skey = psectkt->length != 0; + (*ppcreds)->is_skey = is_skey; if (pkdcrep->enc_part2->caddrs) { if ((retval = krb5_copy_addresses(context, pkdcrep->enc_part2->caddrs, @@ -131,17 +132,6 @@ check_reply_server(krb5_context context, krb5_flags kdcoptions, /* Canonicalization not requested, and not a TGS referral. */ return KRB5_KDCREP_MODIFIED; } -#if 0 - /* - * Is this check needed? find_nxt_kdc() in gc_frm_kdc.c already - * effectively checks this. - */ - if (krb5_realm_compare(context, in_cred->client, in_cred->server) && - data_eq(*in_cred->server->data[1], *in_cred->client->realm)) { - /* Attempted to rewrite local TGS. */ - return KRB5_KDCREP_MODIFIED; - } -#endif return 0; } @@ -185,7 +175,7 @@ krb5int_process_tgs_reply(krb5_context context, krb5_error_code retval; krb5_kdc_rep *dec_rep = NULL; krb5_error *err_reply = NULL; - krb5_boolean s4u2self; + krb5_boolean s4u2self, is_skey; s4u2self = krb5int_find_pa_data(context, in_padata, KRB5_PADATA_S4U_X509_USER) || @@ -287,26 +277,27 @@ krb5int_process_tgs_reply(krb5_context context, retval = KRB5_KDCREP_MODIFIED; if ((in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.endtime > in_cred->times.endtime)) + ts_after(dec_rep->enc_part2->times.endtime, in_cred->times.endtime)) retval = KRB5_KDCREP_MODIFIED; if ((kdcoptions & KDC_OPT_RENEWABLE) && (in_cred->times.renew_till != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.renew_till)) + ts_after(dec_rep->enc_part2->times.renew_till, + in_cred->times.renew_till)) retval = KRB5_KDCREP_MODIFIED; if ((kdcoptions & KDC_OPT_RENEWABLE_OK) && (dec_rep->enc_part2->flags & KDC_OPT_RENEWABLE) && (in_cred->times.endtime != 0) && - (dec_rep->enc_part2->times.renew_till > in_cred->times.endtime)) + ts_after(dec_rep->enc_part2->times.renew_till, in_cred->times.endtime)) retval = KRB5_KDCREP_MODIFIED; if (retval != 0) goto cleanup; if (!in_cred->times.starttime && - !in_clock_skew(dec_rep->enc_part2->times.starttime, - timestamp)) { + !ts_within(dec_rep->enc_part2->times.starttime, timestamp, + context->clockskew)) { retval = KRB5_KDCREP_SKEW; goto cleanup; } @@ -320,7 +311,8 @@ krb5int_process_tgs_reply(krb5_context context, dec_rep->enc_part2->enc_padata = NULL; } - retval = kdcrep2creds(context, dec_rep, address, + is_skey = (kdcoptions & KDC_OPT_ENC_TKT_IN_SKEY); + retval = kdcrep2creds(context, dec_rep, address, is_skey, &in_cred->second_ticket, out_cred); if (retval != 0) goto cleanup; diff --git a/src/lib/krb5/krb/gen_save_subkey.c b/src/lib/krb5/krb/gen_save_subkey.c index 61f36aa..bc2c46d 100644 --- a/src/lib/krb5/krb/gen_save_subkey.c +++ b/src/lib/krb5/krb/gen_save_subkey.c @@ -38,7 +38,8 @@ k5_generate_and_save_subkey(krb5_context context, to guarantee randomness, but to make it less likely that multiple sessions could pick the same subkey. */ struct { - krb5_int32 sec, usec; + krb5_timestamp sec; + krb5_int32 usec; } rnd_data; krb5_data d; krb5_error_code retval; diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c index 110abeb..69900ad 100644 --- a/src/lib/krb5/krb/get_creds.c +++ b/src/lib/krb5/krb/get_creds.c @@ -576,14 +576,6 @@ step_referrals(krb5_context context, krb5_tkt_creds_context ctx) } if (ctx->referral_count == 1) { - /* Cache the referral TGT only if it's from the local realm. - * Make sure to note the associated authdata, if any. */ - code = krb5_copy_authdata(context, ctx->authdata, - &ctx->reply_creds->authdata); - if (code != 0) - return code; - (void) krb5_cc_store_cred(context, ctx->ccache, ctx->reply_creds); - /* The authdata in this TGT will be copied into subsequent TGTs or the * final credentials, so we don't need to request it again. */ krb5_free_authdata(context, ctx->in_creds->authdata); @@ -816,7 +808,7 @@ get_cached_local_tgt(krb5_context context, krb5_tkt_creds_context ctx, return code; /* Check if the TGT is expired before bothering the KDC with it. */ - if (now > tgt->times.endtime) { + if (ts_after(now, tgt->times.endtime)) { krb5_free_creds(context, tgt); return KRB5KRB_AP_ERR_TKT_EXPIRED; } @@ -934,8 +926,9 @@ step_get_tgt(krb5_context context, krb5_tkt_creds_context ctx) /* See where we wound up on the path (or off it). */ path_realm = find_realm_in_path(context, ctx, tgt_realm); if (path_realm != NULL) { - /* We got a realm on the expected path, so we can cache it. */ - (void) krb5_cc_store_cred(context, ctx->ccache, ctx->cur_tgt); + /* Only cache the TGT if we asked for it, to avoid duplicates. */ + if (path_realm == ctx->next_realm) + (void)krb5_cc_store_cred(context, ctx->ccache, ctx->cur_tgt); if (path_realm == ctx->last_realm) { /* We received a TGT for the target realm. */ TRACE_TKT_CREDS_TARGET_TGT(context, ctx->cur_tgt->server); diff --git a/src/lib/krb5/krb/get_etype_info.c b/src/lib/krb5/krb/get_etype_info.c new file mode 100644 index 0000000..3a9589d --- /dev/null +++ b/src/lib/krb5/krb/get_etype_info.c @@ -0,0 +1,180 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/krb/get_etype_salt_s2kp.c - Retrieve enctype, salt and s2kparams */ +/* + * Copyright (C) 2017 by Cloudera, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "fast.h" +#include "init_creds_ctx.h" + +/* Extract etype info from the error message pkt into icc, if it is a + * PREAUTH_REQUIRED error. Otherwise return the protocol error code. */ +static krb5_error_code +get_from_error(krb5_context context, krb5_data *pkt, + krb5_init_creds_context icc) +{ + krb5_error *error = NULL; + krb5_pa_data **padata = NULL; + krb5_error_code ret; + + ret = decode_krb5_error(pkt, &error); + if (ret) + return ret; + ret = krb5int_fast_process_error(context, icc->fast_state, &error, &padata, + NULL); + if (ret) + goto cleanup; + if (error->error != KDC_ERR_PREAUTH_REQUIRED) { + ret = ERROR_TABLE_BASE_krb5 + error->error; + goto cleanup; + } + ret = k5_get_etype_info(context, icc, padata); + +cleanup: + krb5_free_pa_data(context, padata); + krb5_free_error(context, error); + return ret; +} + +/* Extract etype info from the AS reply pkt into icc. */ +static krb5_error_code +get_from_reply(krb5_context context, krb5_data *pkt, + krb5_init_creds_context icc) +{ + krb5_kdc_rep *asrep = NULL; + krb5_error_code ret; + krb5_keyblock *strengthen_key = NULL; + + ret = decode_krb5_as_rep(pkt, &asrep); + if (ret) + return ret; + ret = krb5int_fast_process_response(context, icc->fast_state, asrep, + &strengthen_key); + if (ret) + goto cleanup; + ret = k5_get_etype_info(context, icc, asrep->padata); + +cleanup: + krb5_free_kdc_rep(context, asrep); + krb5_free_keyblock(context, strengthen_key); + return ret; +} + +krb5_error_code KRB5_CALLCONV +krb5_get_etype_info(krb5_context context, krb5_principal principal, + krb5_get_init_creds_opt *opt, krb5_enctype *enctype_out, + krb5_data *salt_out, krb5_data *s2kparams_out) +{ + krb5_init_creds_context icc = NULL; + krb5_data reply = empty_data(), req = empty_data(), realm = empty_data(); + krb5_data salt = empty_data(), s2kparams = empty_data(); + unsigned int flags; + int master, tcp_only; + krb5_error_code ret; + + *enctype_out = ENCTYPE_NULL; + *salt_out = empty_data(); + *s2kparams_out = empty_data(); + + /* Create an initial creds context and get the initial request packet. */ + ret = krb5_init_creds_init(context, principal, NULL, NULL, 0, opt, &icc); + if (ret) + goto cleanup; + ret = krb5_init_creds_step(context, icc, &reply, &req, &realm, &flags); + if (ret) + goto cleanup; + if (flags != KRB5_INIT_CREDS_STEP_FLAG_CONTINUE) { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto cleanup; + } + + /* Send the packet (possibly once with UDP and again with TCP). */ + tcp_only = 0; + for (;;) { + master = 0; + ret = krb5_sendto_kdc(context, &req, &realm, &reply, &master, + tcp_only); + if (ret) + goto cleanup; + + icc->etype = ENCTYPE_NULL; + if (krb5_is_krb_error(&reply)) { + ret = get_from_error(context, &reply, icc); + if (ret) { + if (!tcp_only && ret == KRB5KRB_ERR_RESPONSE_TOO_BIG) { + tcp_only = 1; + krb5_free_data_contents(context, &reply); + continue; + } + goto cleanup; + } + } else if (krb5_is_as_rep(&reply)) { + ret = get_from_reply(context, &reply, icc); + if (ret) + goto cleanup; + } else { + ret = KRB5KRB_AP_ERR_MSG_TYPE; + goto cleanup; + } + break; + } + + /* If we found no etype-info, return successfully with all null values. */ + if (icc->etype == ENCTYPE_NULL) + goto cleanup; + + if (icc->default_salt) + ret = krb5_principal2salt(context, principal, &salt); + else if (icc->salt.length > 0) + ret = krb5int_copy_data_contents(context, &icc->salt, &salt); + if (ret) + goto cleanup; + + if (icc->s2kparams.length > 0) { + ret = krb5int_copy_data_contents(context, &icc->s2kparams, &s2kparams); + if (ret) + goto cleanup; + } + + *salt_out = salt; + *s2kparams_out = s2kparams; + *enctype_out = icc->etype; + salt = empty_data(); + s2kparams = empty_data(); + +cleanup: + krb5_free_data_contents(context, &req); + krb5_free_data_contents(context, &reply); + krb5_free_data_contents(context, &realm); + krb5_free_data_contents(context, &salt); + krb5_free_data_contents(context, &s2kparams); + krb5_init_creds_free(context, icc); + return ret; +} diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c index 54badbb..79dede2 100644 --- a/src/lib/krb5/krb/get_in_tkt.c +++ b/src/lib/krb5/krb/get_in_tkt.c @@ -40,24 +40,6 @@ static krb5_error_code sort_krb5_padata_sequence(krb5_context context, krb5_pa_data **padata); /* - * This function performs 32 bit bounded addition so we can generate - * lifetimes without overflowing krb5_int32 - */ -static krb5_int32 -krb5int_addint32 (krb5_int32 x, krb5_int32 y) -{ - if ((x > 0) && (y > (KRB5_INT32_MAX - x))) { - /* sum will be be greater than KRB5_INT32_MAX */ - return KRB5_INT32_MAX; - } else if ((x < 0) && (y < (KRB5_INT32_MIN - x))) { - /* sum will be less than KRB5_INT32_MIN */ - return KRB5_INT32_MIN; - } - - return x + y; -} - -/* * Decrypt the AS reply in ctx, populating ctx->reply->enc_part2. If * strengthen_key is not null, combine it with the reply key as specified in * RFC 6113 section 5.4.3. Place the key used in *key_out. @@ -267,28 +249,28 @@ verify_as_reply(krb5_context context, (request->from != 0) && (request->from != as_reply->enc_part2->times.starttime)) || ((request->till != 0) && - (as_reply->enc_part2->times.endtime > request->till)) + ts_after(as_reply->enc_part2->times.endtime, request->till)) || ((request->kdc_options & KDC_OPT_RENEWABLE) && (request->rtime != 0) && - (as_reply->enc_part2->times.renew_till > request->rtime)) + ts_after(as_reply->enc_part2->times.renew_till, request->rtime)) || ((request->kdc_options & KDC_OPT_RENEWABLE_OK) && !(request->kdc_options & KDC_OPT_RENEWABLE) && (as_reply->enc_part2->flags & KDC_OPT_RENEWABLE) && (request->till != 0) && - (as_reply->enc_part2->times.renew_till > request->till)) + ts_after(as_reply->enc_part2->times.renew_till, request->till)) ) { return KRB5_KDCREP_MODIFIED; } if (context->library_options & KRB5_LIBOPT_SYNC_KDCTIME) { - time_offset = as_reply->enc_part2->times.authtime - time_now; + time_offset = ts_delta(as_reply->enc_part2->times.authtime, time_now); retval = krb5_set_time_offsets(context, time_offset, 0); if (retval) return retval; } else { if ((request->from == 0) && - (labs(as_reply->enc_part2->times.starttime - time_now) - > context->clockskew)) + !ts_within(as_reply->enc_part2->times.starttime, time_now, + context->clockskew)) return (KRB5_KDCREP_SKEW); } return 0; @@ -583,7 +565,7 @@ krb5_init_creds_free(krb5_context context, k5_response_items_free(ctx->rctx.items); free(ctx->in_tkt_service); zapfree(ctx->gakpw.storage.data, ctx->gakpw.storage.length); - k5_preauth_request_context_fini(context); + k5_preauth_request_context_fini(context, ctx); krb5_free_error(context, ctx->err_reply); krb5_free_pa_data(context, ctx->err_padata); krb5_free_cred_contents(context, &ctx->cred); @@ -593,7 +575,9 @@ krb5_init_creds_free(krb5_context context, krb5_free_data(context, ctx->inner_request_body); krb5_free_data(context, ctx->encoded_previous_request); krb5int_fast_free_state(context, ctx->fast_state); - krb5_free_pa_data(context, ctx->preauth_to_use); + krb5_free_pa_data(context, ctx->optimistic_padata); + krb5_free_pa_data(context, ctx->method_padata); + krb5_free_pa_data(context, ctx->more_padata); krb5_free_data_contents(context, &ctx->salt); krb5_free_data_contents(context, &ctx->s2kparams); krb5_free_keyblock_contents(context, &ctx->as_key); @@ -760,23 +744,6 @@ k5_init_creds_current_time(krb5_context context, krb5_init_creds_context ctx, } } -/* Choose a random nonce for ctx->request. */ -static krb5_error_code -pick_nonce(krb5_context context, krb5_init_creds_context ctx) -{ - krb5_error_code code = 0; - unsigned char random_buf[4]; - krb5_data random_data = make_data(random_buf, 4); - - /* We incorrectly encode this as signed, so make sure we use an unsigned - * value to avoid interoperability issues. */ - code = krb5_c_random_make_octets(context, &random_data); - if (code != 0) - return code; - ctx->request->nonce = 0x7fffffff & load_32_n(random_buf); - return 0; -} - /* Set the timestamps for ctx->request based on the desired lifetimes. */ static krb5_error_code set_request_times(krb5_context context, krb5_init_creds_context ctx) @@ -790,16 +757,16 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx) return code; /* Omit request start time unless the caller explicitly asked for one. */ - from = krb5int_addint32(now, ctx->start_time); + from = ts_incr(now, ctx->start_time); if (ctx->start_time != 0) ctx->request->from = from; - ctx->request->till = krb5int_addint32(from, ctx->tkt_life); + ctx->request->till = ts_incr(from, ctx->tkt_life); if (ctx->renew_life > 0) { /* Don't ask for a smaller renewable time than the lifetime. */ - ctx->request->rtime = krb5int_addint32(from, ctx->renew_life); - if (ctx->request->rtime < ctx->request->till) + ctx->request->rtime = ts_incr(from, ctx->renew_life); + if (ts_after(ctx->request->till, ctx->request->rtime)) ctx->request->rtime = ctx->request->till; ctx->request->kdc_options &= ~KDC_OPT_RENEWABLE_OK; } else { @@ -809,6 +776,49 @@ set_request_times(krb5_context context, krb5_init_creds_context ctx) return 0; } +static void +read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx) +{ + krb5_error_code ret; + krb5_data config; + char *tmp, *p; + krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt); + + ctx->allowed_preauth_type = KRB5_PADATA_NONE; + if (in_ccache == NULL) + return; + memset(&config, 0, sizeof(config)); + if (krb5_cc_get_config(context, in_ccache, ctx->request->server, + KRB5_CC_CONF_PA_TYPE, &config) != 0) + return; + tmp = k5memdup0(config.data, config.length, &ret); + krb5_free_data_contents(context, &config); + if (tmp == NULL) + return; + ctx->allowed_preauth_type = strtol(tmp, &p, 10); + if (p == NULL || *p != '\0') + ctx->allowed_preauth_type = KRB5_PADATA_NONE; + free(tmp); +} + +/* Return true if encrypted timestamp is disabled for realm. */ +static krb5_boolean +encts_disabled(profile_t profile, const krb5_data *realm) +{ + krb5_error_code ret; + char *realmstr; + int bval; + + realmstr = k5memdup0(realm->data, realm->length, &ret); + if (realmstr == NULL) + return FALSE; + ret = profile_get_boolean(profile, KRB5_CONF_REALMS, realmstr, + KRB5_CONF_DISABLE_ENCRYPTED_TIMESTAMP, FALSE, + &bval); + free(realmstr); + return (ret == 0) ? bval : FALSE; +} + /** * Throw away any pre-authentication realm state and begin with a * unauthenticated or optimistically authenticated request. If fast_upgrade is @@ -820,11 +830,15 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, { krb5_error_code code = 0; - krb5_free_pa_data(context, ctx->preauth_to_use); + krb5_free_pa_data(context, ctx->optimistic_padata); + krb5_free_pa_data(context, ctx->method_padata); + krb5_free_pa_data(context, ctx->more_padata); krb5_free_pa_data(context, ctx->err_padata); krb5_free_error(context, ctx->err_reply); - ctx->preauth_to_use = ctx->err_padata = NULL; + ctx->optimistic_padata = ctx->method_padata = ctx->more_padata = NULL; + ctx->err_padata = NULL; ctx->err_reply = NULL; + ctx->selected_preauth_type = KRB5_PADATA_NONE; krb5int_fast_free_state(context, ctx->fast_state); ctx->fast_state = NULL; @@ -834,18 +848,23 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, if (fast_upgrade) ctx->fast_state->fast_state_flags |= KRB5INT_FAST_DO_FAST; - k5_preauth_request_context_fini(context); - k5_preauth_request_context_init(context); + k5_preauth_request_context_fini(context, ctx); + k5_preauth_request_context_init(context, ctx); krb5_free_data(context, ctx->outer_request_body); ctx->outer_request_body = NULL; if (ctx->opt->flags & KRB5_GET_INIT_CREDS_OPT_PREAUTH_LIST) { code = make_preauth_list(context, ctx->opt->preauth_list, ctx->opt->preauth_list_length, - &ctx->preauth_to_use); + &ctx->optimistic_padata); if (code) goto cleanup; } + /* Never set encts_disabled back to false, so it can't be circumvented with + * client realm referrals. */ + if (encts_disabled(context->profile, &ctx->request->client->realm)) + ctx->encts_disabled = TRUE; + krb5_free_principal(context, ctx->request->server); ctx->request->server = NULL; @@ -867,6 +886,11 @@ restart_init_creds_loop(krb5_context context, krb5_init_creds_context ctx, &ctx->outer_request_body); if (code != 0) goto cleanup; + + /* Read the allowed preauth type for this server principal from the input + * ccache, if the application supplied one. */ + read_allowed_preauth_type(context, ctx); + cleanup: return code; } @@ -894,7 +918,7 @@ krb5_init_creds_init(krb5_context context, ctx->request = k5alloc(sizeof(krb5_kdc_req), &code); if (code != 0) goto cleanup; - ctx->enc_pa_rep_permitted = TRUE; + ctx->info_pa_permitted = TRUE; code = krb5_copy_principal(context, client, &ctx->request->client); if (code != 0) goto cleanup; @@ -1172,31 +1196,6 @@ init_creds_validate_reply(krb5_context context, return 0; } -static void -read_allowed_preauth_type(krb5_context context, krb5_init_creds_context ctx) -{ - krb5_error_code ret; - krb5_data config; - char *tmp, *p; - krb5_ccache in_ccache = k5_gic_opt_get_in_ccache(ctx->opt); - - ctx->allowed_preauth_type = KRB5_PADATA_NONE; - if (in_ccache == NULL) - return; - memset(&config, 0, sizeof(config)); - if (krb5_cc_get_config(context, in_ccache, ctx->request->server, - KRB5_CC_CONF_PA_TYPE, &config) != 0) - return; - tmp = k5memdup0(config.data, config.length, &ret); - krb5_free_data_contents(context, &config); - if (tmp == NULL) - return; - ctx->allowed_preauth_type = strtol(tmp, &p, 10); - if (p == NULL || *p != '\0') - ctx->allowed_preauth_type = KRB5_PADATA_NONE; - free(tmp); -} - static krb5_error_code save_selected_preauth_type(krb5_context context, krb5_ccache ccache, krb5_init_creds_context ctx) @@ -1313,6 +1312,9 @@ init_creds_step_request(krb5_context context, krb5_data *out) { krb5_error_code code; + krb5_preauthtype pa_type; + struct errinfo save = EMPTY_ERRINFO; + uint32_t rcode = (ctx->err_reply == NULL) ? 0 : ctx->err_reply->error; if (ctx->loopcount >= MAX_IN_TKT_LOOPS) { code = KRB5_GET_IN_TKT_LOOP; @@ -1320,7 +1322,7 @@ init_creds_step_request(krb5_context context, } /* RFC 6113 requires a new nonce for the inner request on each try. */ - code = pick_nonce(context, ctx); + code = k5_generate_nonce(context, &ctx->request->nonce); if (code != 0) goto cleanup; @@ -1335,11 +1337,6 @@ init_creds_step_request(krb5_context context, if (code) goto cleanup; - /* Read the allowed patype for this server principal from the in_ccache, - * if the application supplied one. */ - read_allowed_preauth_type(context, ctx); - ctx->selected_preauth_type = KRB5_PADATA_NONE; - /* * Read cached preauth configuration data for this server principal from * the in_ccache, if the application supplied one, and delete any that was @@ -1348,32 +1345,66 @@ init_creds_step_request(krb5_context context, read_cc_config_in_data(context, ctx); clear_cc_config_out_data(context, ctx); - if (ctx->err_reply == NULL) { - /* Either our first attempt, or retrying after KDC_ERR_PREAUTH_REQUIRED - * or KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ - code = k5_preauth(context, ctx, ctx->preauth_to_use, - ctx->preauth_required, &ctx->request->padata, - &ctx->selected_preauth_type); - if (code != 0) - goto cleanup; - } else { - if (ctx->preauth_to_use != NULL) { - /* - * Retry after an error other than PREAUTH_NEEDED, - * using ctx->err_padata to figure out what to change. - */ - code = k5_preauth_tryagain(context, ctx, ctx->preauth_to_use, - &ctx->request->padata); - } else { - /* No preauth supplied, so can't query the plugins. */ - code = KRB5KRB_ERR_GENERIC; + ctx->request->padata = NULL; + if (ctx->optimistic_padata != NULL) { + /* Our first attempt, using an optimistic padata list. */ + TRACE_INIT_CREDS_PREAUTH_OPTIMISTIC(context); + code = k5_preauth(context, ctx, ctx->optimistic_padata, TRUE, + &ctx->request->padata, &ctx->selected_preauth_type); + krb5_free_pa_data(context, ctx->optimistic_padata); + ctx->optimistic_padata = NULL; + if (code) { + /* Make an unauthenticated request. */ + krb5_clear_error_message(context); + code = 0; } - if (code != 0) { - /* couldn't come up with anything better */ + } if (ctx->more_padata != NULL) { + /* Continuing after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED. */ + TRACE_INIT_CREDS_PREAUTH_MORE(context, ctx->selected_preauth_type); + code = k5_preauth(context, ctx, ctx->more_padata, TRUE, + &ctx->request->padata, &pa_type); + } else if (rcode == KDC_ERR_PREAUTH_FAILED) { + /* Report the KDC-side failure code if we can't try another mech. */ + code = KRB5KDC_ERR_PREAUTH_FAILED; + } else if (rcode && rcode != KDC_ERR_PREAUTH_REQUIRED) { + /* Retrying after an error (possibly mechanism-specific), using error + * padata to figure out what to change. */ + TRACE_INIT_CREDS_PREAUTH_TRYAGAIN(context, ctx->err_reply->error, + ctx->selected_preauth_type); + code = k5_preauth_tryagain(context, ctx, ctx->selected_preauth_type, + ctx->err_reply, ctx->err_padata, + &ctx->request->padata); + if (code) { + krb5_clear_error_message(context); code = ctx->err_reply->error + ERROR_TABLE_BASE_krb5; + } + } + /* Don't continue after a keyboard interrupt. */ + if (code == KRB5_LIBOS_PWDINTR) + goto cleanup; + /* Don't continue if fallback is disabled. */ + if (code && ctx->fallback_disabled) + goto cleanup; + if (code) { + /* See if we can try a different preauth mech before giving up. */ + k5_save_ctx_error(context, code, &save); + ctx->selected_preauth_type = KRB5_PADATA_NONE; + } + + if (ctx->request->padata == NULL && ctx->method_padata != NULL) { + /* Retrying after KDC_ERR_PREAUTH_REQUIRED, or trying again with a + * different mechanism after a failure. */ + TRACE_INIT_CREDS_PREAUTH(context); + code = k5_preauth(context, ctx, ctx->method_padata, TRUE, + &ctx->request->padata, &ctx->selected_preauth_type); + if (code) { + if (save.code != 0) + code = k5_restore_ctx_error(context, &save); goto cleanup; } } + if (ctx->request->padata == NULL) + TRACE_INIT_CREDS_PREAUTH_NONE(context); /* Remember when we sent this request (after any preauth delay). */ ctx->request_time = time(NULL); @@ -1382,9 +1413,11 @@ init_creds_step_request(krb5_context context, krb5_free_data(context, ctx->encoded_previous_request); ctx->encoded_previous_request = NULL; } - if (ctx->request->padata) - ctx->sent_nontrivial_preauth = TRUE; - if (ctx->enc_pa_rep_permitted) { + if (ctx->info_pa_permitted) { + code = add_padata(&ctx->request->padata, KRB5_PADATA_AS_FRESHNESS, + NULL, 0); + if (code) + goto cleanup; code = add_padata(&ctx->request->padata, KRB5_ENCPADATA_REQ_ENC_PA_REP, NULL, 0); } @@ -1411,6 +1444,7 @@ init_creds_step_request(krb5_context context, cleanup: krb5_free_pa_data(context, ctx->request->padata); ctx->request->padata = NULL; + k5_clear_error(&save); return code; } @@ -1438,7 +1472,7 @@ note_req_timestamp(krb5_context context, krb5_init_creds_context ctx, if (k5_time_with_offset(0, 0, &now, &usec) != 0) return; - ctx->pa_offset = kdc_time - now; + ctx->pa_offset = ts_delta(kdc_time, now); ctx->pa_offset_usec = kdc_usec - usec; ctx->pa_offset_state = (ctx->fast_state->armor_key != NULL) ? AUTH_OFFSET : UNAUTH_OFFSET; @@ -1463,6 +1497,18 @@ is_referral(krb5_context context, krb5_error *err, krb5_principal client) return !krb5_realm_compare(context, err->client, client); } +/* Transfer error padata to method data in ctx and sort it according to + * configuration. */ +static krb5_error_code +accept_method_data(krb5_context context, krb5_init_creds_context ctx) +{ + krb5_free_pa_data(context, ctx->method_padata); + ctx->method_padata = ctx->err_padata; + ctx->err_padata = NULL; + return sort_krb5_padata_sequence(context, &ctx->request->client->realm, + ctx->method_padata); +} + static krb5_error_code init_creds_step_reply(krb5_context context, krb5_init_creds_context ctx, @@ -1492,8 +1538,9 @@ init_creds_step_reply(krb5_context context, ctx->request->client->type == KRB5_NT_ENTERPRISE_PRINCIPAL; if (ctx->err_reply != NULL) { + krb5_free_pa_data(context, ctx->more_padata); krb5_free_pa_data(context, ctx->err_padata); - ctx->err_padata = NULL; + ctx->more_padata = ctx->err_padata = NULL; code = krb5int_fast_process_error(context, ctx->fast_state, &ctx->err_reply, &ctx->err_padata, &retry); @@ -1508,10 +1555,10 @@ init_creds_step_reply(krb5_context context, ctx->restarted = TRUE; code = restart_init_creds_loop(context, ctx, TRUE); } else if (!ctx->restarted && reply_code == KDC_ERR_PREAUTH_FAILED && - !ctx->sent_nontrivial_preauth) { + ctx->selected_preauth_type == KRB5_PADATA_NONE) { /* The KDC didn't like our informational padata (probably a pre-1.7 * MIT krb5 KDC). Retry without it. */ - ctx->enc_pa_rep_permitted = FALSE; + ctx->info_pa_permitted = FALSE; ctx->restarted = TRUE; code = restart_init_creds_loop(context, ctx, FALSE); } else if (reply_code == KDC_ERR_PREAUTH_EXPIRED) { @@ -1519,23 +1566,24 @@ init_creds_step_reply(krb5_context context, * FAST upgrade. */ ctx->restarted = FALSE; code = restart_init_creds_loop(context, ctx, FALSE); - } else if ((reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED || - reply_code == KDC_ERR_PREAUTH_REQUIRED) && retry) { - /* reset the list of preauth types to try */ - k5_reset_preauth_types_tried(context); - krb5_free_pa_data(context, ctx->preauth_to_use); - ctx->preauth_to_use = ctx->err_padata; - ctx->err_padata = NULL; + } else if (reply_code == KDC_ERR_PREAUTH_REQUIRED && retry) { note_req_timestamp(context, ctx, ctx->err_reply->stime, ctx->err_reply->susec); - /* This will trigger a new call to k5_preauth(). */ - krb5_free_error(context, ctx->err_reply); - ctx->err_reply = NULL; - code = sort_krb5_padata_sequence(context, - &ctx->request->client->realm, - ctx->preauth_to_use); - ctx->preauth_required = TRUE; - + code = accept_method_data(context, ctx); + } else if (reply_code == KDC_ERR_PREAUTH_FAILED && retry) { + note_req_timestamp(context, ctx, ctx->err_reply->stime, + ctx->err_reply->susec); + /* Don't try again with the mechanism that failed. */ + code = k5_preauth_note_failed(ctx, ctx->selected_preauth_type); + if (code) + goto cleanup; + ctx->selected_preauth_type = KRB5_PADATA_NONE; + /* Accept or update method data if the KDC sent it. */ + if (ctx->err_padata != NULL) + code = accept_method_data(context, ctx); + } else if (reply_code == KDC_ERR_MORE_PREAUTH_DATA_REQUIRED && retry) { + ctx->more_padata = ctx->err_padata; + ctx->err_padata = NULL; } else if (canon_flag && is_referral(context, ctx->err_reply, ctx->request->client)) { TRACE_INIT_CREDS_REFERRAL(context, &ctx->err_reply->client->realm); @@ -1548,14 +1596,13 @@ init_creds_step_reply(krb5_context context, goto cleanup; /* Reset per-realm negotiation state. */ ctx->restarted = FALSE; - ctx->sent_nontrivial_preauth = FALSE; - ctx->enc_pa_rep_permitted = TRUE; + ctx->info_pa_permitted = TRUE; code = restart_init_creds_loop(context, ctx, FALSE); } else { - if (retry) { + if (retry && ctx->selected_preauth_type != KRB5_PADATA_NONE) { code = 0; } else { - /* error + no hints = give up */ + /* error + no hints (or no preauth mech) = give up */ code = (krb5_error_code)reply_code + ERROR_TABLE_BASE_krb5; } } @@ -1573,7 +1620,6 @@ init_creds_step_reply(krb5_context context, goto cleanup; /* process any preauth data in the as_reply */ - k5_reset_preauth_types_tried(context); code = krb5int_fast_process_response(context, ctx->fast_state, ctx->reply, &strengthen_key); if (code != 0) @@ -1658,7 +1704,7 @@ init_creds_step_reply(krb5_context context, k5_prependmsg(context, code, _("Failed to store credentials")); } - k5_preauth_request_context_fini(context); + k5_preauth_request_context_fini(context, ctx); /* success */ ctx->complete = TRUE; @@ -1685,7 +1731,7 @@ krb5_init_creds_step(krb5_context context, krb5_data *realm, unsigned int *flags) { - krb5_error_code code = 0, code2; + krb5_error_code code, code2; *flags = 0; @@ -1698,6 +1744,10 @@ krb5_init_creds_step(krb5_context context, if (ctx->complete) return EINVAL; + code = k5_preauth_check_context(context, ctx); + if (code) + return code; + if (in->length != 0) { code = init_creds_step_reply(context, ctx, in); if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG) { @@ -1806,7 +1856,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out, krb5_creds *creds) { int i; - krb5_int32 starttime; + krb5_timestamp starttime; + krb5_deltat lifetime; krb5_get_init_creds_opt *opt; krb5_error_code retval; @@ -1838,7 +1889,8 @@ k5_populate_gic_opt(krb5_context context, krb5_get_init_creds_opt **out, if (retval) goto cleanup; if (creds->times.starttime) starttime = creds->times.starttime; - krb5_get_init_creds_opt_set_tkt_life(opt, creds->times.endtime - starttime); + lifetime = ts_delta(creds->times.endtime, starttime); + krb5_get_init_creds_opt_set_tkt_life(opt, lifetime); } *out = opt; return 0; diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c index f20af53..e82f425 100644 --- a/src/lib/krb5/krb/gic_keytab.c +++ b/src/lib/krb5/krb/gic_keytab.c @@ -306,7 +306,7 @@ krb5_get_init_creds_keytab(krb5_context context, if (ret == 0) goto cleanup; - /* If the master is unreachable, return the error from the slave we + /* If the master is unreachable, return the error from the replica we * were able to contact. */ if (ret == KRB5_KDC_UNREACH || ret == KRB5_REALM_CANT_RESOLVE || ret == KRB5_REALM_UNKNOWN) diff --git a/src/lib/krb5/krb/gic_opt.c b/src/lib/krb5/krb/gic_opt.c index 3be44d5..ccbe1a6 100644 --- a/src/lib/krb5/krb/gic_opt.c +++ b/src/lib/krb5/krb/gic_opt.c @@ -12,7 +12,7 @@ #include #endif -/* Match struct packing of krb5_get_init_creds_opt on MacOS X. */ +/* Match struct packing of krb5_get_init_creds_opt on macOS. */ #if TARGET_OS_MAC #pragma pack(push,2) #endif diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c index 6f3a29f..14ce23b 100644 --- a/src/lib/krb5/krb/gic_pwd.c +++ b/src/lib/krb5/krb/gic_pwd.c @@ -211,7 +211,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, if (ret != 0) return; if (!is_last_req && - (pw_exp < now || (pw_exp - now) > 7 * 24 * 60 * 60)) + (ts_after(now, pw_exp) || ts_delta(pw_exp, now) > 7 * 24 * 60 * 60)) return; if (!prompter) @@ -221,7 +221,7 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, if (ret != 0) return; - delta = pw_exp - now; + delta = ts_delta(pw_exp, now); if (delta < 3600) { snprintf(banner, sizeof(banner), _("Warning: Your password will expire in less than one hour " @@ -350,7 +350,7 @@ krb5_get_init_creds_password(krb5_context context, if (ret == 0) goto cleanup; - /* If the master is unreachable, return the error from the slave we + /* If the master is unreachable, return the error from the replica we * were able to contact and reset the use_master flag. */ if (ret == KRB5_KDC_UNREACH || ret == KRB5_REALM_CANT_RESOLVE || ret == KRB5_REALM_UNKNOWN) { diff --git a/src/lib/krb5/krb/init_creds_ctx.h b/src/lib/krb5/krb/init_creds_ctx.h index 38c01c7..7a6219b 100644 --- a/src/lib/krb5/krb/init_creds_ctx.h +++ b/src/lib/krb5/krb/init_creds_ctx.h @@ -6,6 +6,8 @@ #include "k5-json.h" #include "int-proto.h" +typedef struct krb5_preauth_req_context_st *krb5_preauth_req_context; + struct krb5_responder_context_st { k5_response_items *items; }; @@ -48,16 +50,18 @@ struct _krb5_init_creds_context { krb5_data *inner_request_body; /**< For preauth */ krb5_data *encoded_previous_request; struct krb5int_fast_request_state *fast_state; - krb5_pa_data **preauth_to_use; + krb5_pa_data **optimistic_padata; /* from gic options */ + krb5_pa_data **method_padata; /* from PREAUTH_REQUIRED or PREAUTH_FAILED */ + krb5_pa_data **more_padata; /* from MORE_PREAUTH_DATA_REQUIRED */ krb5_boolean default_salt; krb5_data salt; krb5_data s2kparams; krb5_keyblock as_key; krb5_enctype etype; - krb5_boolean enc_pa_rep_permitted; + krb5_boolean info_pa_permitted; krb5_boolean restarted; - krb5_boolean sent_nontrivial_preauth; - krb5_boolean preauth_required; + krb5_boolean fallback_disabled; + krb5_boolean encts_disabled; struct krb5_responder_context_st rctx; krb5_preauthtype selected_preauth_type; krb5_preauthtype allowed_preauth_type; @@ -67,6 +71,7 @@ struct _krb5_init_creds_context { krb5_timestamp pa_offset; krb5_int32 pa_offset_usec; enum { NO_OFFSET = 0, UNAUTH_OFFSET, AUTH_OFFSET } pa_offset_state; + krb5_preauth_req_context preauth_reqctx; }; krb5_error_code diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c index cf226fd..947e504 100644 --- a/src/lib/krb5/krb/init_ctx.c +++ b/src/lib/krb5/krb/init_ctx.c @@ -139,11 +139,13 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, krb5_context ctx = 0; krb5_error_code retval; struct { - krb5_int32 now, now_usec; + krb5_timestamp now; + krb5_int32 now_usec; long pid; } seed_data; krb5_data seed; int tmp; + char *plugin_dir = NULL; /* Verify some assumptions. If the assumptions hold and the compiler is optimizing, this should result in no code being @@ -231,13 +233,6 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, get_integer(ctx, KRB5_CONF_CLOCKSKEW, DEFAULT_CLOCKSKEW, &tmp); ctx->clockskew = tmp; -#if 0 - /* Default ticket lifetime is currently not supported */ - profile_get_integer(ctx->profile, KRB5_CONF_LIBDEFAULTS, "tkt_lifetime", - 0, 10 * 60 * 60, &tmp); - ctx->tkt_lifetime = tmp; -#endif - /* DCE 1.1 and below only support CKSUMTYPE_RSA_MD4 (2) */ /* DCE add kdc_req_checksum_type = 2 to krb5.conf */ get_integer(ctx, KRB5_CONF_KDC_REQ_CHECKSUM_TYPE, CKSUMTYPE_RSA_MD5, @@ -260,8 +255,9 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, retval = profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_PLUGIN_BASE_DIR, 0, - DEFAULT_PLUGIN_BASE_DIR, - &ctx->plugin_base_dir); + DEFAULT_PLUGIN_BASE_DIR, &plugin_dir); + if (!retval) + retval = k5_expand_path_tokens(ctx, plugin_dir, &ctx->plugin_base_dir); if (retval) { TRACE_PROFILE_ERR(ctx, KRB5_CONF_PLUGIN_BASE_DIR, KRB5_CONF_LIBDEFAULTS, retval); @@ -287,9 +283,10 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, (void)profile_get_string(ctx->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_ERR_FMT, NULL, NULL, &ctx->err_fmt); *context_out = ctx; - return 0; + ctx = NULL; cleanup: + profile_release_string(plugin_dir); krb5_free_context(ctx); return retval; } diff --git a/src/lib/krb5/krb/int-proto.h b/src/lib/krb5/krb/int-proto.h index 6da7485..9783548 100644 --- a/src/lib/krb5/krb/int-proto.h +++ b/src/lib/krb5/krb/int-proto.h @@ -83,8 +83,6 @@ krb5int_construct_matching_creds(krb5_context context, krb5_flags options, krb5_creds *in_creds, krb5_creds *mcreds, krb5_flags *fields); -#define in_clock_skew(date, now) (labs((date)-(now)) < context->clockskew) - #define IS_TGS_PRINC(p) ((p)->length == 2 && \ data_eq_string((p)->data[0], KRB5_TGS_NAME)) @@ -102,6 +100,9 @@ krb5_get_cred_via_tkt_ext(krb5_context context, krb5_creds *tkt, krb5_keyblock **out_subkey); krb5_error_code +k5_generate_nonce(krb5_context context, int32_t *out); + +krb5_error_code k5_make_tgs_req(krb5_context context, struct krb5int_fast_request_state *, krb5_creds *tkt, krb5_flags kdcoptions, krb5_address *const *address, krb5_pa_data **in_padata, @@ -187,7 +188,8 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx, krb5_error_code k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, - krb5_pa_data **in_padata, krb5_pa_data ***padata_out); + krb5_preauthtype pa_type, krb5_error *err, + krb5_pa_data **err_padata, krb5_pa_data ***padata_out); void k5_init_preauth_context(krb5_context context); @@ -195,18 +197,23 @@ k5_init_preauth_context(krb5_context context); void k5_free_preauth_context(krb5_context context); -void -k5_reset_preauth_types_tried(krb5_context context); +krb5_error_code +k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type); void k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, krb5_kdc_req *request); void -k5_preauth_request_context_init(krb5_context context); +k5_preauth_request_context_init(krb5_context context, + krb5_init_creds_context ctx); void -k5_preauth_request_context_fini(krb5_context context); +k5_preauth_request_context_fini(krb5_context context, + krb5_init_creds_context ctx); + +krb5_error_code +k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx); krb5_error_code k5_response_items_new(k5_response_items **ri_out); @@ -327,4 +334,8 @@ k5_gic_opt_shallow_copy(krb5_get_init_creds_opt *opt); int k5_gic_opt_pac_request(krb5_get_init_creds_opt *opt); +krb5_error_code +k5_get_etype_info(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **padata); + #endif /* KRB5_INT_FUNC_PROTO__ */ diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c index a631807..ab2409f 100644 --- a/src/lib/krb5/krb/kfree.c +++ b/src/lib/krb5/krb/kfree.c @@ -51,6 +51,7 @@ */ #include "k5-int.h" +#include "k5-spake.h" #include void KRB5_CALLCONV @@ -65,7 +66,7 @@ krb5_free_address(krb5_context context, krb5_address *val) void KRB5_CALLCONV krb5_free_addresses(krb5_context context, krb5_address **val) { - register krb5_address **temp; + krb5_address **temp; if (val == NULL) return; @@ -77,7 +78,7 @@ krb5_free_addresses(krb5_context context, krb5_address **val) } void KRB5_CALLCONV -krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) +krb5_free_ap_rep(krb5_context context, krb5_ap_rep *val) { if (val == NULL) return; @@ -86,7 +87,7 @@ krb5_free_ap_rep(krb5_context context, register krb5_ap_rep *val) } void KRB5_CALLCONV -krb5_free_ap_req(krb5_context context, register krb5_ap_req *val) +krb5_free_ap_req(krb5_context context, krb5_ap_req *val) { if (val == NULL) return; @@ -129,7 +130,7 @@ krb5_free_authenticator(krb5_context context, krb5_authenticator *val) } void KRB5_CALLCONV -krb5_free_checksum(krb5_context context, register krb5_checksum *val) +krb5_free_checksum(krb5_context context, krb5_checksum *val) { if (val == NULL) return; @@ -138,7 +139,7 @@ krb5_free_checksum(krb5_context context, register krb5_checksum *val) } void KRB5_CALLCONV -krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val) +krb5_free_checksum_contents(krb5_context context, krb5_checksum *val) { if (val == NULL) return; @@ -147,7 +148,7 @@ krb5_free_checksum_contents(krb5_context context, register krb5_checksum *val) } void KRB5_CALLCONV -krb5_free_cred(krb5_context context, register krb5_cred *val) +krb5_free_cred(krb5_context context, krb5_cred *val) { if (val == NULL) return; @@ -182,9 +183,9 @@ krb5_free_cred_contents(krb5_context context, krb5_creds *val) } void KRB5_CALLCONV -krb5_free_cred_enc_part(krb5_context context, register krb5_cred_enc_part *val) +krb5_free_cred_enc_part(krb5_context context, krb5_cred_enc_part *val) { - register krb5_cred_info **temp; + krb5_cred_info **temp; if (val == NULL) return; @@ -272,7 +273,7 @@ void krb5_free_etype_info(krb5_context context, krb5_etype_info info) void KRB5_CALLCONV -krb5_free_enc_kdc_rep_part(krb5_context context, register krb5_enc_kdc_rep_part *val) +krb5_free_enc_kdc_rep_part(krb5_context context, krb5_enc_kdc_rep_part *val) { if (val == NULL) return; @@ -299,7 +300,7 @@ krb5_free_enc_tkt_part(krb5_context context, krb5_enc_tkt_part *val) void KRB5_CALLCONV -krb5_free_error(krb5_context context, register krb5_error *val) +krb5_free_error(krb5_context context, krb5_error *val) { if (val == NULL) return; @@ -341,13 +342,13 @@ krb5_free_kdc_req(krb5_context context, krb5_kdc_req *val) } void KRB5_CALLCONV -krb5_free_keyblock_contents(krb5_context context, register krb5_keyblock *key) +krb5_free_keyblock_contents(krb5_context context, krb5_keyblock *key) { krb5int_c_free_keyblock_contents (context, key); } void KRB5_CALLCONV -krb5_free_keyblock(krb5_context context, register krb5_keyblock *val) +krb5_free_keyblock(krb5_context context, krb5_keyblock *val) { krb5int_c_free_keyblock (context, val); } @@ -357,7 +358,7 @@ krb5_free_keyblock(krb5_context context, register krb5_keyblock *val) void KRB5_CALLCONV krb5_free_last_req(krb5_context context, krb5_last_req_entry **val) { - register krb5_last_req_entry **temp; + krb5_last_req_entry **temp; if (val == NULL) return; @@ -383,7 +384,7 @@ k5_zapfree_pa_data(krb5_pa_data **val) void KRB5_CALLCONV krb5_free_pa_data(krb5_context context, krb5_pa_data **val) { - register krb5_pa_data **temp; + krb5_pa_data **temp; if (val == NULL) return; @@ -397,7 +398,7 @@ krb5_free_pa_data(krb5_context context, krb5_pa_data **val) void KRB5_CALLCONV krb5_free_principal(krb5_context context, krb5_principal val) { - register krb5_int32 i; + krb5_int32 i; if (!val) return; @@ -413,7 +414,7 @@ krb5_free_principal(krb5_context context, krb5_principal val) } void KRB5_CALLCONV -krb5_free_priv(krb5_context context, register krb5_priv *val) +krb5_free_priv(krb5_context context, krb5_priv *val) { if (val == NULL) return; @@ -422,7 +423,7 @@ krb5_free_priv(krb5_context context, register krb5_priv *val) } void KRB5_CALLCONV -krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val) +krb5_free_priv_enc_part(krb5_context context, krb5_priv_enc_part *val) { if (val == NULL) return; @@ -433,7 +434,7 @@ krb5_free_priv_enc_part(krb5_context context, register krb5_priv_enc_part *val) } void KRB5_CALLCONV -krb5_free_safe(krb5_context context, register krb5_safe *val) +krb5_free_safe(krb5_context context, krb5_safe *val) { if (val == NULL) return; @@ -459,7 +460,7 @@ krb5_free_ticket(krb5_context context, krb5_ticket *val) void KRB5_CALLCONV krb5_free_tickets(krb5_context context, krb5_ticket **val) { - register krb5_ticket **temp; + krb5_ticket **temp; if (val == NULL) return; @@ -472,7 +473,7 @@ krb5_free_tickets(krb5_context context, krb5_ticket **val) void KRB5_CALLCONV krb5_free_tgt_creds(krb5_context context, krb5_creds **tgts) { - register krb5_creds **tgtpp; + krb5_creds **tgtpp; if (tgts == NULL) return; for (tgtpp = tgts; *tgtpp; tgtpp++) @@ -890,3 +891,44 @@ k5_free_secure_cookie(krb5_context context, krb5_secure_cookie *val) k5_zapfree_pa_data(val->data); free(val); } + +void +k5_free_spake_factor(krb5_context context, krb5_spake_factor *val) +{ + if (val == NULL) + return; + if (val->data != NULL) + zapfree(val->data->data, val->data->length); + free(val->data); + free(val); +} + +void +k5_free_pa_spake(krb5_context context, krb5_pa_spake *val) +{ + krb5_spake_factor **f; + + if (val == NULL) + return; + switch (val->choice) { + case SPAKE_MSGTYPE_SUPPORT: + free(val->u.support.groups); + break; + case SPAKE_MSGTYPE_CHALLENGE: + krb5_free_data_contents(context, &val->u.challenge.pubkey); + for (f = val->u.challenge.factors; f != NULL && *f != NULL; f++) + k5_free_spake_factor(context, *f); + free(val->u.challenge.factors); + break; + case SPAKE_MSGTYPE_RESPONSE: + krb5_free_data_contents(context, &val->u.response.pubkey); + krb5_free_data_contents(context, &val->u.response.factor.ciphertext); + break; + case SPAKE_MSGTYPE_ENCDATA: + krb5_free_data_contents(context, &val->u.encdata.ciphertext); + break; + default: + break; + } + free(val); +} diff --git a/src/lib/krb5/krb/mk_req.c b/src/lib/krb5/krb/mk_req.c index 542ef6d..162c05b 100644 --- a/src/lib/krb5/krb/mk_req.c +++ b/src/lib/krb5/krb/mk_req.c @@ -48,8 +48,9 @@ krb5_error_code KRB5_CALLCONV krb5_mk_req(krb5_context context, krb5_auth_context *auth_context, - krb5_flags ap_req_options, char *service, char *hostname, - krb5_data *in_data, krb5_ccache ccache, krb5_data *outbuf) + krb5_flags ap_req_options, const char *service, + const char *hostname, krb5_data *in_data, krb5_ccache ccache, + krb5_data *outbuf) { krb5_error_code retval; krb5_principal server; diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c index 9098927..cc74f37 100644 --- a/src/lib/krb5/krb/pac.c +++ b/src/lib/krb5/krb/pac.c @@ -378,7 +378,7 @@ k5_time_to_seconds_since_1970(int64_t ntTime, krb5_timestamp *elapsedSeconds) abstime = ntTime > 0 ? ntTime - NT_TIME_EPOCH : -ntTime; - if (abstime > KRB5_INT32_MAX) + if (abstime > UINT32_MAX) return ERANGE; *elapsedSeconds = abstime; @@ -403,7 +403,8 @@ krb5_error_code k5_pac_validate_client(krb5_context context, const krb5_pac pac, krb5_timestamp authtime, - krb5_const_principal principal) + krb5_const_principal principal, + krb5_boolean with_realm) { krb5_error_code ret; krb5_data client_info; @@ -413,6 +414,7 @@ k5_pac_validate_client(krb5_context context, krb5_ui_2 pac_princname_length; int64_t pac_nt_authtime; krb5_principal pac_principal; + int flags = 0; ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info); @@ -436,13 +438,21 @@ k5_pac_validate_client(krb5_context context, pac_princname_length % 2) return ERANGE; - ret = krb5int_ucs2lecs_to_utf8s(p, (size_t)pac_princname_length / 2, - &pac_princname, NULL); + ret = k5_utf16le_to_utf8(p, pac_princname_length, &pac_princname); if (ret != 0) return ret; - ret = krb5_parse_name_flags(context, pac_princname, - KRB5_PRINCIPAL_PARSE_NO_REALM, &pac_principal); + /* Parse the UTF-8 name as an enterprise principal if we are matching + * against one; otherwise parse it as a regular principal. */ + if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL) + flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE; + + if (with_realm) + flags |= KRB5_PRINCIPAL_PARSE_REQUIRE_REALM; + else + flags |= KRB5_PRINCIPAL_PARSE_NO_REALM; + + ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal); if (ret != 0) { free(pac_princname); return ret; @@ -454,6 +464,7 @@ k5_pac_validate_client(krb5_context context, !krb5_principal_compare_flags(context, pac_principal, principal, + with_realm ? 0 : KRB5_PRINCIPAL_COMPARE_IGNORE_REALM)) ret = KRB5KRB_AP_WRONG_PRINC; @@ -619,6 +630,19 @@ krb5_pac_verify(krb5_context context, const krb5_keyblock *server, const krb5_keyblock *privsvr) { + return krb5_pac_verify_ext(context, pac, authtime, principal, server, + privsvr, FALSE); +} + +krb5_error_code KRB5_CALLCONV +krb5_pac_verify_ext(krb5_context context, + const krb5_pac pac, + krb5_timestamp authtime, + krb5_const_principal principal, + const krb5_keyblock *server, + const krb5_keyblock *privsvr, + krb5_boolean with_realm) +{ krb5_error_code ret; if (server != NULL) { @@ -634,7 +658,8 @@ krb5_pac_verify(krb5_context context, } if (principal != NULL) { - ret = k5_pac_validate_client(context, pac, authtime, principal); + ret = k5_pac_validate_client(context, pac, authtime, + principal, with_realm); if (ret != 0) return ret; } @@ -792,8 +817,8 @@ mspac_verify(krb5_context kcontext, * If the above verification failed, don't fail the whole authentication, * just don't mark the PAC as verified. A checksum mismatch can occur if * the PAC was copied from a cross-realm TGT by an ignorant KDC, and Apple - * Mac OS X Server Open Directory (as of 10.6) generates PACs with no - * server checksum at all. + * macOS Server Open Directory (as of 10.6) generates PACs with no server + * checksum at all. */ return 0; } diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c index d40df45..12f0259 100644 --- a/src/lib/krb5/krb/pac_sign.c +++ b/src/lib/krb5/krb/pac_sign.c @@ -33,34 +33,41 @@ static krb5_error_code k5_insert_client_info(krb5_context context, krb5_pac pac, krb5_timestamp authtime, - krb5_const_principal principal) + krb5_const_principal principal, + krb5_boolean with_realm) { krb5_error_code ret; krb5_data client_info; char *princ_name_utf8 = NULL; - unsigned char *princ_name_ucs2 = NULL, *p; - size_t princ_name_ucs2_len = 0; + unsigned char *princ_name_utf16 = NULL, *p; + size_t princ_name_utf16_len = 0; uint64_t nt_authtime; + int flags = 0; /* If we already have a CLIENT_INFO buffer, then just validate it */ if (k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO, &client_info) == 0) { - return k5_pac_validate_client(context, pac, authtime, principal); + return k5_pac_validate_client(context, pac, authtime, principal, + with_realm); } - ret = krb5_unparse_name_flags(context, principal, - KRB5_PRINCIPAL_UNPARSE_NO_REALM, - &princ_name_utf8); + if (!with_realm) { + flags |= KRB5_PRINCIPAL_UNPARSE_NO_REALM; + } else if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL) { + /* Avoid quoting the first @ sign for enterprise name with realm. */ + flags |= KRB5_PRINCIPAL_UNPARSE_DISPLAY; + } + + ret = krb5_unparse_name_flags(context, principal, flags, &princ_name_utf8); if (ret != 0) goto cleanup; - ret = krb5int_utf8s_to_ucs2les(princ_name_utf8, - &princ_name_ucs2, - &princ_name_ucs2_len); + ret = k5_utf8_to_utf16le(princ_name_utf8, &princ_name_utf16, + &princ_name_utf16_len); if (ret != 0) goto cleanup; - client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_ucs2_len; + client_info.length = PAC_CLIENT_INFO_LENGTH + princ_name_utf16_len; client_info.data = NULL; ret = k5_pac_add_buffer(context, pac, KRB5_PAC_CLIENT_INFO, @@ -75,16 +82,16 @@ k5_insert_client_info(krb5_context context, store_64_le(nt_authtime, p); p += 8; - /* copy in number of UCS-2 characters in principal name */ - store_16_le(princ_name_ucs2_len, p); + /* copy in number of UTF-16 bytes in principal name */ + store_16_le(princ_name_utf16_len, p); p += 2; /* copy in principal name */ - memcpy(p, princ_name_ucs2, princ_name_ucs2_len); + memcpy(p, princ_name_utf16, princ_name_utf16_len); cleanup: - if (princ_name_ucs2 != NULL) - free(princ_name_ucs2); + if (princ_name_utf16 != NULL) + free(princ_name_utf16); krb5_free_unparsed_name(context, princ_name_utf8); return ret; @@ -184,6 +191,17 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, krb5_const_principal principal, const krb5_keyblock *server_key, const krb5_keyblock *privsvr_key, krb5_data *data) { + return krb5_pac_sign_ext(context, pac, authtime, principal, server_key, + privsvr_key, FALSE, data); +} + +krb5_error_code KRB5_CALLCONV +krb5_pac_sign_ext(krb5_context context, krb5_pac pac, krb5_timestamp authtime, + krb5_const_principal principal, + const krb5_keyblock *server_key, + const krb5_keyblock *privsvr_key, krb5_boolean with_realm, + krb5_data *data) +{ krb5_error_code ret; krb5_data server_cksum, privsvr_cksum; krb5_cksumtype server_cksumtype, privsvr_cksumtype; @@ -193,7 +211,8 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime, data->data = NULL; if (principal != NULL) { - ret = k5_insert_client_info(context, pac, authtime, principal); + ret = k5_insert_client_info(context, pac, authtime, principal, + with_realm); if (ret != 0) return ret; } diff --git a/src/lib/krb5/krb/plugin.c b/src/lib/krb5/krb/plugin.c index 7d64b7c..5761de0 100644 --- a/src/lib/krb5/krb/plugin.c +++ b/src/lib/krb5/krb/plugin.c @@ -57,7 +57,10 @@ const char *interface_names[] = { "hostrealm", "audit", "tls", - "kdcauthdata" + "kdcauthdata", + "certauth", + "kadm5_auth", + "kdcpolicy", }; /* Return the context's interface structure for id, or NULL if invalid. */ @@ -470,14 +473,18 @@ k5_plugin_register_dyn(krb5_context context, int interface_id, { krb5_error_code ret; struct plugin_interface *interface = get_interface(context, interface_id); - char *path; + char *fname, *path; /* Disallow registering plugins after load. */ if (interface == NULL || interface->configured) return EINVAL; - if (asprintf(&path, "%s/%s%s", modsubdir, modname, PLUGIN_EXT) < 0) + if (asprintf(&fname, "%s%s", modname, PLUGIN_EXT) < 0) return ENOMEM; + ret = k5_path_join(modsubdir, fname, &path); + free(fname); + if (ret) + return ret; ret = register_module(context, interface, modname, path, NULL); free(path); return ret; diff --git a/src/lib/krb5/krb/pr_to_salt.c b/src/lib/krb5/krb/pr_to_salt.c index 00d0c73..7bcb627 100644 --- a/src/lib/krb5/krb/pr_to_salt.c +++ b/src/lib/krb5/krb/pr_to_salt.c @@ -34,8 +34,7 @@ principal2salt_internal(krb5_context, krb5_const_principal, * Convert a krb5_principal into the default salt for that principal. */ static krb5_error_code -principal2salt_internal(krb5_context context, - register krb5_const_principal pr, +principal2salt_internal(krb5_context context, krb5_const_principal pr, krb5_data *ret, int use_realm) { unsigned int size = 0, offset=0; @@ -69,15 +68,15 @@ principal2salt_internal(krb5_context context, } krb5_error_code -krb5_principal2salt(krb5_context context, - register krb5_const_principal pr, krb5_data *ret) +krb5_principal2salt(krb5_context context, krb5_const_principal pr, + krb5_data *ret) { return principal2salt_internal(context, pr, ret, 1); } krb5_error_code -krb5_principal2salt_norealm(krb5_context context, - register krb5_const_principal pr, krb5_data *ret) +krb5_principal2salt_norealm(krb5_context context, krb5_const_principal pr, + krb5_data *ret) { return principal2salt_internal(context, pr, ret, 0); } diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c index ca26fb0..a73568c 100644 --- a/src/lib/krb5/krb/preauth2.c +++ b/src/lib/krb5/krb/preauth2.c @@ -46,14 +46,18 @@ typedef struct { struct krb5_clpreauth_vtable_st vt; krb5_clpreauth_moddata data; - krb5_clpreauth_modreq req; } *clpreauth_handle; struct krb5_preauth_context_st { - krb5_preauthtype *tried; clpreauth_handle *handles; }; +struct krb5_preauth_req_context_st { + krb5_context orig_context; + krb5_preauthtype *failed; + krb5_clpreauth_modreq *modreqs; +}; + /* Release the memory used by a list of handles. */ static void free_handles(krb5_context context, clpreauth_handle *handles) @@ -71,21 +75,44 @@ free_handles(krb5_context context, clpreauth_handle *handles) free(handles); } -/* Find the handle in handles which can process pa_type. */ -static clpreauth_handle -find_module(clpreauth_handle *handles, krb5_preauthtype pa_type) +/* Return an index into handles which can process pa_type, or -1 if none is + * found found. */ +static int +search_module_list(clpreauth_handle *handles, krb5_preauthtype pa_type) { - clpreauth_handle *hp, h; - krb5_preauthtype *tp; + clpreauth_handle h; + int i, j; - for (hp = handles; *hp != NULL; hp++) { - h = *hp; - for (tp = h->vt.pa_type_list; *tp != 0; tp++) { - if (*tp == pa_type) - return h; + for (i = 0; handles[i] != NULL; i++) { + h = handles[i]; + for (j = 0; h->vt.pa_type_list[j] != 0; j++) { + if (h->vt.pa_type_list[j] == pa_type) + return i; } } - return FALSE; + return -1; +} + +/* Find the handle which can process pa_type, or NULL if none is found. On + * success, set *modreq_out to the corresponding per-request module data. */ +static clpreauth_handle +find_module(krb5_context context, krb5_init_creds_context ctx, + krb5_preauthtype pa_type, krb5_clpreauth_modreq *modreq_out) +{ + krb5_preauth_context pctx = context->preauth_context; + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + int i; + + *modreq_out = NULL; + if (pctx == NULL || reqctx == NULL) + return NULL; + + i = search_module_list(pctx->handles, pa_type); + if (i == -1) + return NULL; + + *modreq_out = reqctx->modreqs[i]; + return pctx->handles[i]; } /* Initialize the preauth state for a krb5 context. */ @@ -93,7 +120,8 @@ void k5_init_preauth_context(krb5_context context) { krb5_plugin_initvt_fn *modules = NULL, *mod; - clpreauth_handle *list = NULL, h, h2; + clpreauth_handle *list = NULL, h; + int i; size_t count; krb5_preauthtype *tp; @@ -104,6 +132,8 @@ k5_init_preauth_context(krb5_context context) /* Auto-register built-in modules. */ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "pkinit", "preauth"); + k5_plugin_register_dyn(context, PLUGIN_INTERFACE_CLPREAUTH, "spake", + "preauth"); k5_plugin_register(context, PLUGIN_INTERFACE_CLPREAUTH, "encrypted_challenge", clpreauth_encrypted_challenge_initvt); @@ -140,9 +170,10 @@ k5_init_preauth_context(krb5_context context) /* Check for a preauth type conflict with an existing module. */ for (tp = h->vt.pa_type_list; *tp != 0; tp++) { - h2 = find_module(list, *tp); - if (h2 != NULL) { - TRACE_PREAUTH_CONFLICT(context, h->vt.name, h2->vt.name, *tp); + i = search_module_list(list, *tp); + if (i != -1) { + TRACE_PREAUTH_CONFLICT(context, h->vt.name, list[i]->vt.name, + *tp); break; } } @@ -161,10 +192,9 @@ k5_init_preauth_context(krb5_context context) list[count] = NULL; /* Place the constructed preauth context into the krb5 context. */ - context->preauth_context = malloc(sizeof(struct krb5_preauth_context_st)); + context->preauth_context = malloc(sizeof(*context->preauth_context)); if (context->preauth_context == NULL) goto cleanup; - context->preauth_context->tried = NULL; context->preauth_context->handles = list; list = NULL; @@ -173,34 +203,34 @@ cleanup: free_handles(context, list); } -/* - * Reset the memory of which preauth types we have already tried, because we - * are entering a new phase of padata processing (such as the padata in an - * AS-REP). - */ -void -k5_reset_preauth_types_tried(krb5_context context) +/* Add pa_type to the list of types which has previously failed. */ +krb5_error_code +k5_preauth_note_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) { - struct krb5_preauth_context_st *pctx = context->preauth_context; + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + krb5_preauthtype *newptr; + size_t i; - if (pctx == NULL) - return; - free(pctx->tried); - pctx->tried = NULL; + for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++); + newptr = realloc(reqctx->failed, (i + 2) * sizeof(*newptr)); + if (newptr == NULL) + return ENOMEM; + reqctx->failed = newptr; + reqctx->failed[i] = pa_type; + reqctx->failed[i + 1] = 0; + return 0; } - /* Free the per-krb5_context preauth_context. This means clearing any * plugin-specific context which may have been created, and then * freeing the context itself. */ void k5_free_preauth_context(krb5_context context) { - struct krb5_preauth_context_st *pctx = context->preauth_context; + krb5_preauth_context pctx = context->preauth_context; if (pctx == NULL) return; - free(pctx->tried); free_handles(context, pctx->handles); free(pctx); context->preauth_context = NULL; @@ -209,10 +239,13 @@ k5_free_preauth_context(krb5_context context) /* Initialize the per-AS-REQ context. This means calling the client_req_init * function to give the plugin a chance to allocate a per-request context. */ void -k5_preauth_request_context_init(krb5_context context) +k5_preauth_request_context_init(krb5_context context, + krb5_init_creds_context ctx) { - struct krb5_preauth_context_st *pctx = context->preauth_context; - clpreauth_handle *hp, h; + krb5_preauth_context pctx = context->preauth_context; + clpreauth_handle h; + krb5_preauth_req_context reqctx; + size_t count, i; if (pctx == NULL) { k5_init_preauth_context(context); @@ -220,30 +253,63 @@ k5_preauth_request_context_init(krb5_context context) if (pctx == NULL) return; } - k5_reset_preauth_types_tried(context); - for (hp = pctx->handles; *hp != NULL; hp++) { - h = *hp; + + reqctx = calloc(1, sizeof(*reqctx)); + if (reqctx == NULL) + return; + reqctx->orig_context = context; + + /* Create an array of per-request module data objects corresponding to the + * preauth context's array of handles. */ + for (count = 0; pctx->handles[count] != NULL; count++); + reqctx->modreqs = calloc(count, sizeof(*reqctx->modreqs)); + for (i = 0; i < count; i++) { + h = pctx->handles[i]; if (h->vt.request_init != NULL) - h->vt.request_init(context, h->data, &h->req); + h->vt.request_init(context, h->data, &reqctx->modreqs[i]); } + ctx->preauth_reqctx = reqctx; } /* Free the per-AS-REQ context. This means clearing any request-specific * context which the plugin may have created. */ void -k5_preauth_request_context_fini(krb5_context context) +k5_preauth_request_context_fini(krb5_context context, + krb5_init_creds_context ctx) { - struct krb5_preauth_context_st *pctx = context->preauth_context; - clpreauth_handle *hp, h; + krb5_preauth_context pctx = context->preauth_context; + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + size_t i; + clpreauth_handle h; - if (pctx == NULL) + if (reqctx == NULL) return; - for (hp = pctx->handles; *hp != NULL; hp++) { - h = *hp; - if (h->req != NULL && h->vt.request_fini != NULL) - h->vt.request_fini(context, h->data, h->req); - h->req = NULL; + if (reqctx->orig_context == context && pctx != NULL) { + for (i = 0; pctx->handles[i] != NULL; i++) { + h = pctx->handles[i]; + if (reqctx->modreqs[i] != NULL && h->vt.request_fini != NULL) + h->vt.request_fini(context, h->data, reqctx->modreqs[i]); + } + } else { + TRACE_PREAUTH_WRONG_CONTEXT(context); } + free(reqctx->modreqs); + free(reqctx->failed); + free(reqctx); + ctx->preauth_reqctx = NULL; +} + +krb5_error_code +k5_preauth_check_context(krb5_context context, krb5_init_creds_context ctx) +{ + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + + if (reqctx != NULL && reqctx->orig_context != context) { + k5_setmsg(context, EINVAL, + _("krb5_init_creds calls must use same library context")); + return EINVAL; + } + return 0; } /* Return 1 if pa_type is a real preauthentication mechanism according to the @@ -259,6 +325,7 @@ clpreauth_is_real(krb5_context context, clpreauth_handle h, static krb5_error_code clpreauth_prep_questions(krb5_context context, clpreauth_handle h, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, krb5_kdc_req *req, krb5_data *req_body, @@ -266,35 +333,35 @@ clpreauth_prep_questions(krb5_context context, clpreauth_handle h, { if (h->vt.prep_questions == NULL) return 0; - return h->vt.prep_questions(context, h->data, h->req, opt, cb, rock, req, + return h->vt.prep_questions(context, h->data, modreq, opt, cb, rock, req, req_body, prev_req, pa_data); } static krb5_error_code clpreauth_process(krb5_context context, clpreauth_handle h, - krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, - krb5_clpreauth_rock rock, krb5_kdc_req *req, - krb5_data *req_body, krb5_data *prev_req, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req, krb5_pa_data *pa_data, krb5_prompter_fct prompter, void *prompter_data, krb5_pa_data ***pa_data_out) { - return h->vt.process(context, h->data, h->req, opt, cb, rock, req, + return h->vt.process(context, h->data, modreq, opt, cb, rock, req, req_body, prev_req, pa_data, prompter, prompter_data, pa_data_out); } static krb5_error_code clpreauth_tryagain(krb5_context context, clpreauth_handle h, - krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, - krb5_clpreauth_rock rock, krb5_kdc_req *req, - krb5_data *req_body, krb5_data *prev_req, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_kdc_req *req, krb5_data *req_body, krb5_data *prev_req, krb5_preauthtype pa_type, krb5_error *error, krb5_pa_data **error_padata, krb5_prompter_fct prompter, void *prompter_data, krb5_pa_data ***pa_data_out) { if (h->vt.tryagain == NULL) return 0; - return h->vt.tryagain(context, h->data, h->req, opt, cb, rock, req, + return h->vt.tryagain(context, h->data, modreq, opt, cb, rock, req, req_body, prev_req, pa_type, error, error_padata, prompter, prompter_data, pa_data_out); } @@ -351,7 +418,11 @@ grow_pa_list(krb5_pa_data ***out_pa_list, int *out_pa_list_size, static krb5_enctype get_etype(krb5_context context, krb5_clpreauth_rock rock) { - return ((krb5_init_creds_context)rock)->etype; + krb5_init_creds_context ctx = (krb5_init_creds_context)rock; + + if (ctx->reply != NULL) + return ctx->reply->enc_part.enctype; + return ctx->etype; } static krb5_keyblock * @@ -420,7 +491,7 @@ responder_get_answer(krb5_context context, krb5_clpreauth_rock rock, krb5_init_creds_context ctx = (krb5_init_creds_context)rock; /* Don't let plugins get the raw password. */ - if (question && strcmp(KRB5_RESPONDER_QUESTION_PASSWORD, question) == 0) + if (strcmp(KRB5_RESPONDER_QUESTION_PASSWORD, question) == 0) return NULL; return k5_response_items_get_answer(ctx->rctx.items, question); } @@ -474,8 +545,14 @@ set_cc_config(krb5_context context, krb5_clpreauth_rock rock, return ret; } +static void +disable_fallback(krb5_context context, krb5_clpreauth_rock rock) +{ + ((krb5_init_creds_context)rock)->fallback_disabled = TRUE; +} + static struct krb5_clpreauth_callbacks_st callbacks = { - 2, + 3, get_etype, fast_armor, get_as_key, @@ -485,7 +562,8 @@ static struct krb5_clpreauth_callbacks_st callbacks = { responder_get_answer, need_as_key, get_cc_config, - set_cc_config + set_cc_config, + disable_fallback }; /* Tweak the request body, for now adding any enctypes which the module claims @@ -495,7 +573,7 @@ void k5_preauth_prepare_request(krb5_context context, krb5_get_init_creds_opt *opt, krb5_kdc_req *req) { - struct krb5_preauth_context_st *pctx = context->preauth_context; + krb5_preauth_context pctx = context->preauth_context; clpreauth_handle *hp, h; krb5_enctype *ep; @@ -548,28 +626,17 @@ pa_type_allowed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) pa_type == ctx->allowed_preauth_type; } -/* - * If pa_type has already been tried as a real preauth type for this - * authentication, return true. Otherwise ass pa_type to the list of tried - * types and return false. - */ +/* Return true if pa_type previously failed during this authentication. */ static krb5_boolean -already_tried(krb5_context context, krb5_preauthtype pa_type) +previously_failed(krb5_init_creds_context ctx, krb5_preauthtype pa_type) { - struct krb5_preauth_context_st *pctx = context->preauth_context; - size_t count; - krb5_preauthtype *newptr; + krb5_preauth_req_context reqctx = ctx->preauth_reqctx; + size_t i; - for (count = 0; pctx->tried != NULL && pctx->tried[count] != 0; count++) { - if (pctx->tried[count] == pa_type) + for (i = 0; reqctx->failed != NULL && reqctx->failed[i] != 0; i++) { + if (reqctx->failed[i] == pa_type) return TRUE; } - newptr = realloc(pctx->tried, (count + 2) * sizeof(*newptr)); - if (newptr == NULL) - return FALSE; - pctx->tried = newptr; - pctx->tried[count] = pa_type; - pctx->tried[count + 1] = ENCTYPE_NULL; return FALSE; } @@ -580,16 +647,13 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, krb5_pa_data ***out_pa_list, int *out_pa_list_size, krb5_preauthtype *out_type) { - struct krb5_preauth_context_st *pctx = context->preauth_context; struct errinfo save = EMPTY_ERRINFO; krb5_pa_data *pa, **pa_ptr, **mod_pa; krb5_error_code ret = 0; + krb5_clpreauth_modreq modreq; clpreauth_handle h; int real, i; - if (pctx == NULL) - return ENOENT; - /* Process all informational padata types, then the first real preauth type * we succeed on. */ for (real = 0; real <= 1; real++) { @@ -598,17 +662,17 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, /* Restrict real mechanisms to the chosen one if we have one. */ if (real && !pa_type_allowed(ctx, pa->pa_type)) continue; - h = find_module(pctx->handles, pa->pa_type); + h = find_module(context, ctx, pa->pa_type, &modreq); if (h == NULL) continue; /* Make sure this type is for the current pass. */ if (clpreauth_is_real(context, h, pa->pa_type) != real) continue; - /* Only try a real mechanism once per authentication. */ - if (real && already_tried(context, pa->pa_type)) + /* Don't try a real mechanism again after failure. */ + if (real && previously_failed(ctx, pa->pa_type)) continue; mod_pa = NULL; - ret = clpreauth_process(context, h, ctx->opt, &callbacks, + ret = clpreauth_process(context, h, modreq, ctx->opt, &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, ctx->encoded_previous_request, pa, @@ -625,6 +689,9 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, } free(mod_pa); } + /* Don't continue to try mechanisms after a keyboard interrupt. */ + if (ret == KRB5_LIBOS_PWDINTR) + goto cleanup; if (ret == 0 && real) { /* Stop now and record which real padata type we answered. */ *out_type = pa->pa_type; @@ -633,6 +700,12 @@ process_pa_data(krb5_context context, krb5_init_creds_context ctx, /* Save the first error we get from a real preauth type. */ k5_save_ctx_error(context, ret, &save); } + if (real && ret) { + /* Don't try this mechanism again for this authentication. */ + ret = k5_preauth_note_failed(ctx, pa->pa_type); + if (ret) + goto cleanup; + } } } @@ -709,9 +782,9 @@ get_salt(krb5_context context, krb5_init_creds_context ctx, } /* Set etype info parameters in rock based on padata. */ -static krb5_error_code -get_etype_info(krb5_context context, krb5_init_creds_context ctx, - krb5_pa_data **padata) +krb5_error_code +k5_get_etype_info(krb5_context context, krb5_init_creds_context ctx, + krb5_pa_data **padata) { krb5_error_code ret = 0; krb5_pa_data *pa; @@ -850,45 +923,54 @@ add_s4u_x509_user_padata(krb5_context context, krb5_s4u_userid *userid, } /* - * If one of the modules can adjust its AS_REQ data using the contents of the - * err_reply, return 0. If it's the sort of correction which requires that we - * ask the user another question, we let the calling application deal with it. + * If the module for pa_type can adjust its AS_REQ data using the contents of + * err and err_padata, return 0 with *padata_out set to a padata list for the + * next request. If it's the sort of correction which requires that we ask the + * user another question, we let the calling application deal with it. */ krb5_error_code k5_preauth_tryagain(krb5_context context, krb5_init_creds_context ctx, - krb5_pa_data **in_padata, krb5_pa_data ***padata_out) + krb5_preauthtype pa_type, krb5_error *err, + krb5_pa_data **err_padata, krb5_pa_data ***padata_out) { - struct krb5_preauth_context_st *pctx = context->preauth_context; krb5_error_code ret; krb5_pa_data **mod_pa; + krb5_clpreauth_modreq modreq; clpreauth_handle h; - int i; + int count; *padata_out = NULL; - if (pctx == NULL) - return KRB5KRB_ERR_GENERIC; - TRACE_PREAUTH_TRYAGAIN_INPUT(context, in_padata); + TRACE_PREAUTH_TRYAGAIN_INPUT(context, pa_type, err_padata); - for (i = 0; in_padata[i] != NULL; i++) { - h = find_module(pctx->handles, in_padata[i]->pa_type); - if (h == NULL) - continue; - mod_pa = NULL; - ret = clpreauth_tryagain(context, h, ctx->opt, &callbacks, - (krb5_clpreauth_rock)ctx, ctx->request, - ctx->inner_request_body, - ctx->encoded_previous_request, - in_padata[i]->pa_type, - ctx->err_reply, ctx->err_padata, - ctx->prompter, ctx->prompter_data, &mod_pa); - if (ret == 0 && mod_pa != NULL) { - TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); - *padata_out = mod_pa; - return 0; - } + h = find_module(context, ctx, pa_type, &modreq); + if (h == NULL) + return KRB5KRB_ERR_GENERIC; + mod_pa = NULL; + ret = clpreauth_tryagain(context, h, modreq, ctx->opt, &callbacks, + (krb5_clpreauth_rock)ctx, ctx->request, + ctx->inner_request_body, + ctx->encoded_previous_request, pa_type, err, + err_padata, ctx->prompter, ctx->prompter_data, + &mod_pa); + TRACE_PREAUTH_TRYAGAIN(context, h->vt.name, pa_type, ret); + if (!ret && mod_pa == NULL) + ret = KRB5KRB_ERR_GENERIC; + if (ret) { + k5_preauth_note_failed(ctx, pa_type); + return ret; } - return KRB5KRB_ERR_GENERIC; + + for (count = 0; mod_pa[count] != NULL; count++); + ret = copy_cookie(context, err_padata, &mod_pa, &count); + if (ret) { + krb5_free_pa_data(context, mod_pa); + return ret; + } + + TRACE_PREAUTH_TRYAGAIN_OUTPUT(context, mod_pa); + *padata_out = mod_pa; + return 0; } /* Compile the set of response items for in_padata by invoke each module's @@ -897,9 +979,9 @@ static krb5_error_code fill_response_items(krb5_context context, krb5_init_creds_context ctx, krb5_pa_data **in_padata) { - struct krb5_preauth_context_st *pctx = context->preauth_context; krb5_error_code ret; krb5_pa_data *pa; + krb5_clpreauth_modreq modreq; clpreauth_handle h; int i; @@ -908,11 +990,11 @@ fill_response_items(krb5_context context, krb5_init_creds_context ctx, pa = in_padata[i]; if (!pa_type_allowed(ctx, pa->pa_type)) continue; - h = find_module(pctx->handles, pa->pa_type); + h = find_module(context, ctx, pa->pa_type, &modreq); if (h == NULL) continue; - ret = clpreauth_prep_questions(context, h, ctx->opt, &callbacks, - (krb5_clpreauth_rock)ctx, + ret = clpreauth_prep_questions(context, h, modreq, ctx->opt, + &callbacks, (krb5_clpreauth_rock)ctx, ctx->request, ctx->inner_request_body, ctx->encoded_previous_request, pa); if (ret) @@ -941,7 +1023,7 @@ k5_preauth(krb5_context context, krb5_init_creds_context ctx, TRACE_PREAUTH_INPUT(context, in_padata); /* Scan the padata list and process etype-info or salt elements. */ - ret = get_etype_info(context, ctx, in_padata); + ret = k5_get_etype_info(context, ctx, in_padata); if (ret) return ret; @@ -1004,7 +1086,7 @@ krb5_preauth_supply_preauth_data(krb5_context context, krb5_get_init_creds_opt *opt, const char *attr, const char *value) { - struct krb5_preauth_context_st *pctx = context->preauth_context; + krb5_preauth_context pctx = context->preauth_context; clpreauth_handle *hp, h; krb5_error_code ret; diff --git a/src/lib/krb5/krb/preauth_ec.c b/src/lib/krb5/krb/preauth_ec.c index c1aa909..75aab77 100644 --- a/src/lib/krb5/krb/preauth_ec.c +++ b/src/lib/krb5/krb/preauth_ec.c @@ -138,6 +138,7 @@ ec_process(krb5_context context, krb5_clpreauth_moddata moddata, encoded_ts->data = NULL; *out_padata = pa; pa = NULL; + cb->disable_fallback(context, rock); } free(pa); krb5_free_data(context, encoded_ts); diff --git a/src/lib/krb5/krb/preauth_encts.c b/src/lib/krb5/krb/preauth_encts.c index cec3842..3457019 100644 --- a/src/lib/krb5/krb/preauth_encts.c +++ b/src/lib/krb5/krb/preauth_encts.c @@ -28,6 +28,7 @@ #include #include #include "int-proto.h" +#include "init_creds_ctx.h" static krb5_error_code encts_prep_questions(krb5_context context, krb5_clpreauth_moddata moddata, @@ -38,7 +39,10 @@ encts_prep_questions(krb5_context context, krb5_clpreauth_moddata moddata, krb5_data *encoded_previous_request, krb5_pa_data *pa_data) { - cb->need_as_key(context, rock); + krb5_init_creds_context ctx = (krb5_init_creds_context)rock; + + if (!ctx->encts_disabled) + cb->need_as_key(context, rock); return 0; } @@ -51,6 +55,7 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata, krb5_prompter_fct prompter, void *prompter_data, krb5_pa_data ***out_padata) { + krb5_init_creds_context ctx = (krb5_init_creds_context)rock; krb5_error_code ret; krb5_pa_enc_ts pa_enc; krb5_data *ts = NULL, *enc_ts = NULL; @@ -60,6 +65,13 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata, enc_data.ciphertext = empty_data(); + if (ctx->encts_disabled) { + TRACE_PREAUTH_ENC_TS_DISABLED(context); + k5_setmsg(context, KRB5_PREAUTH_FAILED, + _("Encrypted timestamp is disabled")); + return KRB5_PREAUTH_FAILED; + } + ret = cb->get_as_key(context, rock, &as_key); if (ret) goto cleanup; @@ -109,6 +121,8 @@ encts_process(krb5_context context, krb5_clpreauth_moddata moddata, *out_padata = pa; pa = NULL; + cb->disable_fallback(context, rock); + cleanup: krb5_free_data(context, ts); krb5_free_data(context, enc_ts); diff --git a/src/lib/krb5/krb/preauth_otp.c b/src/lib/krb5/krb/preauth_otp.c index 48fcbb5..13e5846 100644 --- a/src/lib/krb5/krb/preauth_otp.c +++ b/src/lib/krb5/krb/preauth_otp.c @@ -1123,6 +1123,10 @@ otp_client_process(krb5_context context, krb5_clpreauth_moddata moddata, /* Encode the request into the pa_data output. */ retval = set_pa_data(req, pa_data_out); + if (retval != 0) + goto error; + cb->disable_fallback(context, rock); + error: krb5_free_data_contents(context, &value); krb5_free_data_contents(context, &pin); diff --git a/src/lib/krb5/krb/preauth_sam2.c b/src/lib/krb5/krb/preauth_sam2.c index c8a3306..4c70021 100644 --- a/src/lib/krb5/krb/preauth_sam2.c +++ b/src/lib/krb5/krb/preauth_sam2.c @@ -410,6 +410,7 @@ sam2_process(krb5_context context, krb5_clpreauth_moddata moddata, sam_padata[1] = NULL; *out_padata = sam_padata; + cb->disable_fallback(context, rock); return(0); } diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c index 6defbdb..4cd429a 100644 --- a/src/lib/krb5/krb/rd_req_dec.c +++ b/src/lib/krb5/krb/rd_req_dec.c @@ -441,30 +441,6 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req, #endif /* LEAN_CLIENT */ } -#if 0 -#include -static void -debug_log_authz_data(const char *which, krb5_authdata **a) -{ - if (a) { - syslog(LOG_ERR|LOG_DAEMON, "%s authz data:", which); - while (*a) { - syslog(LOG_ERR|LOG_DAEMON, " ad_type:%d length:%d '%.*s'", - (*a)->ad_type, (*a)->length, (*a)->length, - (char *) (*a)->contents); - a++; - } - syslog(LOG_ERR|LOG_DAEMON, " [end]"); - } else - syslog(LOG_ERR|LOG_DAEMON, "no %s authz data", which); -} -#else -static void -debug_log_authz_data(const char *which, krb5_authdata **a) -{ -} -#endif - static krb5_error_code rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, const krb5_ap_req *req, krb5_const_principal server, @@ -759,8 +735,6 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context, &((*auth_context)->key)))) goto cleanup; - debug_log_authz_data("ticket", req->ticket->enc_part2->authorization_data); - /* * If not AP_OPTS_MUTUAL_REQUIRED then and sequence numbers are used * then the default sequence number is the one's complement of the @@ -855,10 +829,9 @@ decrypt_authenticator(krb5_context context, const krb5_ap_req *request, free(scratch.data);} /* now decode the decrypted stuff */ - if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) { + if (!(retval = decode_krb5_authenticator(&scratch, &local_auth))) *authpp = local_auth; - debug_log_authz_data("authenticator", local_auth->authorization_data); - } + clean_scratch(); return retval; } diff --git a/src/lib/krb5/krb/s4u_creds.c b/src/lib/krb5/krb/s4u_creds.c index ed05b67..614ed41 100644 --- a/src/lib/krb5/krb/s4u_creds.c +++ b/src/lib/krb5/krb/s4u_creds.c @@ -63,8 +63,7 @@ s4u_identify_user(krb5_context context, krb5_creds creds; int use_master = 0; krb5_get_init_creds_opt *opts = NULL; - krb5_principal_data client_data; - krb5_principal client; + krb5_principal_data client; krb5_s4u_userid userid; *canon_user = NULL; @@ -102,22 +101,22 @@ s4u_identify_user(krb5_context context, krb5_get_init_creds_opt_set_canonicalize(opts, 1); krb5_get_init_creds_opt_set_preauth_list(opts, ptypes, 1); - if (in_creds->client != NULL) - client = in_creds->client; - else { - client_data.magic = KV5M_PRINCIPAL; - client_data.realm = in_creds->server->realm; + if (in_creds->client != NULL) { + client = *in_creds->client; + client.realm = in_creds->server->realm; + } else { + client.magic = KV5M_PRINCIPAL; + client.realm = in_creds->server->realm; /* should this be NULL, empty or a fixed string? XXX */ - client_data.data = NULL; - client_data.length = 0; - client_data.type = KRB5_NT_ENTERPRISE_PRINCIPAL; - client = &client_data; + client.data = NULL; + client.length = 0; + client.type = KRB5_NT_ENTERPRISE_PRINCIPAL; } - code = k5_get_init_creds(context, &creds, client, NULL, NULL, 0, NULL, + code = k5_get_init_creds(context, &creds, &client, NULL, NULL, 0, NULL, opts, krb5_get_as_key_noop, &userid, &use_master, NULL); - if (code == 0 || code == KRB5_PREAUTH_FAILED) { + if (!code || code == KRB5_PREAUTH_FAILED || code == KRB5KDC_ERR_KEY_EXP) { *canon_user = userid.user; userid.user = NULL; code = 0; @@ -452,7 +451,9 @@ convert_to_enterprise(krb5_context context, krb5_principal princ, code = krb5_unparse_name(context, princ, &str); if (code != 0) return code; - code = krb5_parse_name_flags(context, str, KRB5_PRINCIPAL_PARSE_ENTERPRISE, + code = krb5_parse_name_flags(context, str, + KRB5_PRINCIPAL_PARSE_ENTERPRISE | + KRB5_PRINCIPAL_PARSE_IGNORE_REALM, eprinc_out); krb5_free_unparsed_name(context, str); return code; diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c index f6fdf68..e43a5cc 100644 --- a/src/lib/krb5/krb/send_tgs.c +++ b/src/lib/krb5/krb/send_tgs.c @@ -28,6 +28,25 @@ #include "int-proto.h" #include "fast.h" +/* Choose a random nonce for an AS or TGS request. */ +krb5_error_code +k5_generate_nonce(krb5_context context, int32_t *out) +{ + krb5_error_code ret; + unsigned char random_buf[4]; + krb5_data random_data = make_data(random_buf, 4); + + *out = 0; + + /* We and Heimdal incorrectly encode nonces as signed, so make sure we use + * a non-negative value to avoid interoperability issues. */ + ret = krb5_c_random_make_octets(context, &random_data); + if (ret) + return ret; + *out = 0x7FFFFFFF & load_32_n(random_buf); + return 0; +} + /* Construct an AP-REQ message for a TGS request. */ static krb5_error_code tgs_construct_ap_req(krb5_context context, krb5_data *checksum_data, @@ -156,10 +175,13 @@ k5_make_tgs_req(krb5_context context, req.till = desired->times.endtime ? desired->times.endtime : tgt->times.endtime; req.rtime = desired->times.renew_till; + ret = k5_generate_nonce(context, &req.nonce); + if (ret) + return ret; + *nonce_out = req.nonce; ret = krb5_timeofday(context, &time_now); if (ret) return ret; - *nonce_out = req.nonce = (krb5_int32)time_now; *timestamp_out = time_now; req.addresses = (krb5_address **)addrs; diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c index f7e6777..149e25d 100644 --- a/src/lib/krb5/krb/sendauth.c +++ b/src/lib/krb5/krb/sendauth.c @@ -131,22 +131,21 @@ krb5_sendauth(krb5_context context, krb5_auth_context *auth_context, This isn't strong cryptographically; the point here is not to guarantee randomness, but to make it less likely that multiple sessions could pick the same subkey. */ - char rnd_data[1024]; + struct sockaddr_storage rnd_data; GETPEERNAME_ARG3_TYPE len2; - krb5_data d; - d.length = sizeof (rnd_data); - d.data = rnd_data; - len2 = sizeof (rnd_data); - if (getpeername (*(int*)fd, (GETPEERNAME_ARG2_TYPE *) rnd_data, - &len2) == 0) { + krb5_data d = make_data(&rnd_data, sizeof(rnd_data)); + + len2 = sizeof(rnd_data); + if (getpeername(*(int *)fd, ss2sa(&rnd_data), &len2) == 0) { d.length = len2; - (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d); + (void)krb5_c_random_add_entropy( + context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d); } - len2 = sizeof (rnd_data); - if (getsockname (*(int*)fd, (GETSOCKNAME_ARG2_TYPE *) rnd_data, - &len2) == 0) { + len2 = sizeof(rnd_data); + if (getsockname(*(int *)fd, ss2sa(&rnd_data), &len2) == 0) { d.length = len2; - (void) krb5_c_random_add_entropy (context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d); + (void)krb5_c_random_add_entropy( + context, KRB5_C_RANDSOURCE_EXTERNAL_PROTOCOL, &d); } } diff --git a/src/lib/krb5/krb/str_conv.c b/src/lib/krb5/krb/str_conv.c index 3ab7eac..3d05724 100644 --- a/src/lib/krb5/krb/str_conv.c +++ b/src/lib/krb5/krb/str_conv.c @@ -117,12 +117,6 @@ krb5_salttype_to_string(krb5_int32 salttype, char *buffer, size_t buflen) /* (absolute) time conversions */ -#ifndef HAVE_STRFTIME -#undef strftime -#define strftime my_strftime -static size_t strftime (char *, size_t, const char *, const struct tm *); -#endif - #ifdef HAVE_STRPTIME #ifdef NEED_STRPTIME_PROTO extern char *strptime (const char *, const char *, @@ -207,16 +201,13 @@ krb5_error_code KRB5_CALLCONV krb5_timestamp_to_string(krb5_timestamp timestamp, char *buffer, size_t buflen) { size_t ret; - time_t timestamp2 = timestamp; + time_t timestamp2 = ts2tt(timestamp); struct tm tmbuf; const char *fmt = "%c"; /* This is to get around gcc -Wall warning that the year returned might be two digits */ -#ifdef HAVE_LOCALTIME_R - (void) localtime_r(×tamp2, &tmbuf); -#else - memcpy(&tmbuf, localtime(×tamp2), sizeof(tmbuf)); -#endif + if (localtime_r(×tamp2, &tmbuf) == NULL) + return(ENOMEM); ret = strftime(buffer, buflen, fmt, &tmbuf); if (ret == 0 || ret == buflen) return(ENOMEM); @@ -229,7 +220,7 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen struct tm *tmp; size_t i; size_t ndone; - time_t timestamp2 = timestamp; + time_t timestamp2 = ts2tt(timestamp); struct tm tmbuf; static const char * const sftime_format_table[] = { @@ -246,11 +237,9 @@ krb5_timestamp_to_sfstring(krb5_timestamp timestamp, char *buffer, size_t buflen static const unsigned int sftime_format_table_nents = sizeof(sftime_format_table)/sizeof(sftime_format_table[0]); -#ifdef HAVE_LOCALTIME_R tmp = localtime_r(×tamp2, &tmbuf); -#else - memcpy((tmp = &tmbuf), localtime(×tamp2), sizeof(tmbuf)); -#endif + if (tmp == NULL) + return errno; ndone = 0; for (i=0; i -#include - -static int _add __P((const char *, char **, const char *)); -static int _conv __P((int, int, int, char **, const char *)); -static int _secs __P((const struct tm *, char **, const char *)); -static size_t _fmt __P((const char *, const struct tm *, char **, - const char *)); - -static size_t -strftime(s, maxsize, format, t) - char *s; - size_t maxsize; - const char *format; - const struct tm *t; -{ - char *pt; - - tzset(); - if (maxsize < 1) - return (0); - - pt = s; - if (_fmt(format, t, &pt, s + maxsize)) { - *pt = '\0'; - return (pt - s); - } else - return (0); -} - -#define SUN_WEEK(t) (((t)->tm_yday + 7 - \ - ((t)->tm_wday)) / 7) -#define MON_WEEK(t) (((t)->tm_yday + 7 - \ - ((t)->tm_wday ? (t)->tm_wday - 1 : 6)) / 7) - -static size_t -_fmt(format, t, pt, ptlim) - const char *format; - const struct tm *t; - char **pt; - const char * const ptlim; -{ - for (; *format; ++format) { - if (*format == '%') { - ++format; - if (*format == 'E') { - /* Alternate Era */ - ++format; - } else if (*format == 'O') { - /* Alternate numeric symbols */ - ++format; - } - switch (*format) { - case '\0': - --format; - break; - case 'A': - if (t->tm_wday < 0 || t->tm_wday > 6) - return (0); - if (!_add(_CurrentTimeLocale->day[t->tm_wday], - pt, ptlim)) - return (0); - continue; - - case 'a': - if (t->tm_wday < 0 || t->tm_wday > 6) - return (0); - if (!_add(_CurrentTimeLocale->abday[t->tm_wday], - pt, ptlim)) - return (0); - continue; - case 'B': - if (t->tm_mon < 0 || t->tm_mon > 11) - return (0); - if (!_add(_CurrentTimeLocale->mon[t->tm_mon], - pt, ptlim)) - return (0); - continue; - case 'b': - case 'h': - if (t->tm_mon < 0 || t->tm_mon > 11) - return (0); - if (!_add(_CurrentTimeLocale->abmon[t->tm_mon], - pt, ptlim)) - return (0); - continue; - case 'C': - if (!_conv((t->tm_year + TM_YEAR_BASE) / 100, - 2, '0', pt, ptlim)) - return (0); - continue; - case 'c': - if (!_fmt(_CurrentTimeLocale->d_t_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'D': - if (!_fmt("%m/%d/%y", t, pt, ptlim)) - return (0); - continue; - case 'd': - if (!_conv(t->tm_mday, 2, '0', pt, ptlim)) - return (0); - continue; - case 'e': - if (!_conv(t->tm_mday, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'H': - if (!_conv(t->tm_hour, 2, '0', pt, ptlim)) - return (0); - continue; - case 'I': - if (!_conv(t->tm_hour % 12 ? - t->tm_hour % 12 : 12, 2, '0', pt, ptlim)) - return (0); - continue; - case 'j': - if (!_conv(t->tm_yday + 1, 3, '0', pt, ptlim)) - return (0); - continue; - case 'k': - if (!_conv(t->tm_hour, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'l': - if (!_conv(t->tm_hour % 12 ? - t->tm_hour % 12: 12, 2, ' ', pt, ptlim)) - return (0); - continue; - case 'M': - if (!_conv(t->tm_min, 2, '0', pt, ptlim)) - return (0); - continue; - case 'm': - if (!_conv(t->tm_mon + 1, 2, '0', pt, ptlim)) - return (0); - continue; - case 'n': - if (!_add("\n", pt, ptlim)) - return (0); - continue; - case 'p': - if (!_add(_CurrentTimeLocale->am_pm[t->tm_hour - >= 12], pt, ptlim)) - return (0); - continue; - case 'R': - if (!_fmt("%H:%M", t, pt, ptlim)) - return (0); - continue; - case 'r': - if (!_fmt(_CurrentTimeLocale->t_fmt_ampm, t, pt, - ptlim)) - return (0); - continue; - case 'S': - if (!_conv(t->tm_sec, 2, '0', pt, ptlim)) - return (0); - continue; - case 's': - if (!_secs(t, pt, ptlim)) - return (0); - continue; - case 'T': - if (!_fmt("%H:%M:%S", t, pt, ptlim)) - return (0); - continue; - case 't': - if (!_add("\t", pt, ptlim)) - return (0); - continue; - case 'U': - if (!_conv(SUN_WEEK(t), 2, '0', pt, ptlim)) - return (0); - continue; - case 'u': - if (!_conv(t->tm_wday ? t->tm_wday : 7, 1, '0', - pt, ptlim)) - return (0); - continue; - case 'V': /* ISO 8601 week number */ - case 'G': /* ISO 8601 year (four digits) */ - case 'g': /* ISO 8601 year (two digits) */ -/* -** From Arnold Robbins' strftime version 3.0: "the week number of the -** year (the first Monday as the first day of week 1) as a decimal number -** (01-53)." -** (ado, 1993-05-24) -** -** From "http://www.ft.uni-erlangen.de/~mskuhn/iso-time.html" by Markus Kuhn: -** "Week 01 of a year is per definition the first week which has the -** Thursday in this year, which is equivalent to the week which contains -** the fourth day of January. In other words, the first week of a new year -** is the week which has the majority of its days in the new year. Week 01 -** might also contain days from the previous year and the week before week -** 01 of a year is the last week (52 or 53) of the previous year even if -** it contains days from the new year. A week starts with Monday (day 1) -** and ends with Sunday (day 7). For example, the first week of the year -** 1997 lasts from 1996-12-30 to 1997-01-05..." -** (ado, 1996-01-02) -*/ - { - int year; - int yday; - int wday; - int w; - - year = t->tm_year + TM_YEAR_BASE; - yday = t->tm_yday; - wday = t->tm_wday; - for ( ; ; ) { - int len; - int bot; - int top; - - len = isleap(year) ? - DAYSPERLYEAR : - DAYSPERNYEAR; - /* - ** What yday (-3 ... 3) does - ** the ISO year begin on? - */ - bot = ((yday + 11 - wday) % - DAYSPERWEEK) - 3; - /* - ** What yday does the NEXT - ** ISO year begin on? - */ - top = bot - - (len % DAYSPERWEEK); - if (top < -3) - top += DAYSPERWEEK; - top += len; - if (yday >= top) { - ++year; - w = 1; - break; - } - if (yday >= bot) { - w = 1 + ((yday - bot) / - DAYSPERWEEK); - break; - } - --year; - yday += isleap(year) ? - DAYSPERLYEAR : - DAYSPERNYEAR; - } -#ifdef XPG4_1994_04_09 - if ((w == 52 - && t->tm_mon == TM_JANUARY) - || (w == 1 - && t->tm_mon == TM_DECEMBER)) - w = 53; -#endif /* defined XPG4_1994_04_09 */ - if (*format == 'V') { - if (!_conv(w, 2, '0', - pt, ptlim)) - return (0); - } else if (*format == 'g') { - if (!_conv(year % 100, 2, '0', - pt, ptlim)) - return (0); - } else if (!_conv(year, 4, '0', - pt, ptlim)) - return (0); - } - continue; - case 'W': - if (!_conv(MON_WEEK(t), 2, '0', pt, ptlim)) - return (0); - continue; - case 'w': - if (!_conv(t->tm_wday, 1, '0', pt, ptlim)) - return (0); - continue; - case 'x': - if (!_fmt(_CurrentTimeLocale->d_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'X': - if (!_fmt(_CurrentTimeLocale->t_fmt, t, pt, - ptlim)) - return (0); - continue; - case 'y': - if (!_conv((t->tm_year + TM_YEAR_BASE) % 100, - 2, '0', pt, ptlim)) - return (0); - continue; - case 'Y': - if (!_conv((t->tm_year + TM_YEAR_BASE), 4, '0', - pt, ptlim)) - return (0); - continue; - case 'Z': - if (tzname[t->tm_isdst ? 1 : 0] && - !_add(tzname[t->tm_isdst ? 1 : 0], pt, - ptlim)) - return (0); - continue; - case '%': - /* - * X311J/88-090 (4.12.3.5): if conversion char is - * undefined, behavior is undefined. Print out the - * character itself as printf(3) does. - */ - default: - break; - } - } - if (*pt == ptlim) - return (0); - *(*pt)++ = *format; - } - return (ptlim - *pt); -} - -static int -_secs(t, pt, ptlim) - const struct tm *t; - char **pt; - const char * const ptlim; -{ - char buf[15]; - time_t s; - char *p; - struct tm tmp; - - buf[sizeof (buf) - 1] = '\0'; - /* Make a copy, mktime(3) modifies the tm struct. */ - tmp = *t; - s = mktime(&tmp); - for (p = buf + sizeof(buf) - 2; s > 0 && p > buf; s /= 10) - *p-- = (char)(s % 10 + '0'); - return (_add(++p, pt, ptlim)); -} - -static int -_conv(n, digits, pad, pt, ptlim) - int n, digits; - int pad; - char **pt; - const char * const ptlim; -{ - char buf[10]; - char *p; - - buf[sizeof (buf) - 1] = '\0'; - for (p = buf + sizeof(buf) - 2; n > 0 && p > buf; n /= 10, --digits) - *p-- = n % 10 + '0'; - while (p > buf && digits-- > 0) - *p-- = pad; - return (_add(++p, pt, ptlim)); -} - -static int -_add(str, pt, ptlim) - const char *str; - char **pt; - const char * const ptlim; -{ - - for (;; ++(*pt)) { - if (*pt == ptlim) - return (0); - if ((**pt = *str++) == '\0') - return (1); - } -} diff --git a/src/lib/krb5/krb/t_expire_warn.py b/src/lib/krb5/krb/t_expire_warn.py index e021379..781f272 100755 --- a/src/lib/krb5/krb/t_expire_warn.py +++ b/src/lib/krb5/krb/t_expire_warn.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2010 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -39,15 +37,10 @@ realm.run([kadminl, 'addprinc', '-pw', 'pass', '-pwexpire', '3 days', 'days']) output = realm.run(['./t_expire_warn', 'noexpire', 'pass', '0']) if output: fail('Unexpected output for noexpire') -output = realm.run(['./t_expire_warn', 'minutes', 'pass', '0']) -if ' less than one hour on ' not in output: - fail('Expected warning not seen for minutes') -output = realm.run(['./t_expire_warn', 'hours', 'pass', '0']) -if ' hours on ' not in output: - fail('Expected warning not seen for hours') -output = realm.run(['./t_expire_warn', 'days', 'pass', '0']) -if ' days on ' not in output: - fail('Expected warning not seen for days') +realm.run(['./t_expire_warn', 'minutes', 'pass', '0'], + expected_msg=' less than one hour on ') +realm.run(['./t_expire_warn', 'hours', 'pass', '0'], expected_msg=' hours on ') +realm.run(['./t_expire_warn', 'days', 'pass', '0'], expected_msg=' days on ') # Check for expected expire callback behavior. These tests are # carefully agnostic about whether the KDC supports last_req fields, diff --git a/src/lib/krb5/krb/t_get_etype_info.c b/src/lib/krb5/krb/t_get_etype_info.c new file mode 100644 index 0000000..041c349 --- /dev/null +++ b/src/lib/krb5/krb/t_get_etype_info.c @@ -0,0 +1,110 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/krb/t_get_etype_info.c - test harness for krb5_get_etype_info() */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-platform.h" +#include "k5-hex.h" +#include + +int +main(int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_principal princ; + krb5_get_init_creds_opt *opt = NULL; + krb5_enctype *etypes = NULL, *newptr, etype; + krb5_data salt, s2kparams; + const char *armor_ccache = NULL, *msg; + char buf[128], *hex; + int c, netypes = 0; + + while ((c = getopt(argc, argv, "e:T:")) != -1) { + switch (c) { + case 'e': + newptr = realloc(etypes, (netypes + 1) * sizeof(*etypes)); + assert(newptr != NULL); + etypes = newptr; + ret = krb5_string_to_enctype(optarg, &etypes[netypes]); + assert(!ret); + netypes++; + break; + case 'T': + armor_ccache = optarg; + break; + } + } + assert(argc == optind + 1); + + ret = krb5_init_context(&context); + assert(!ret); + ret = krb5_parse_name(context, argv[optind], &princ); + assert(!ret); + if (netypes > 0 || armor_ccache != NULL) { + ret = krb5_get_init_creds_opt_alloc(context, &opt); + assert(!ret); + if (netypes > 0) + krb5_get_init_creds_opt_set_etype_list(opt, etypes, netypes); + if (armor_ccache != NULL) { + ret = krb5_get_init_creds_opt_set_fast_ccache_name(context, opt, + armor_ccache); + assert(!ret); + } + } + ret = krb5_get_etype_info(context, princ, opt, &etype, &salt, &s2kparams); + if (ret) { + msg = krb5_get_error_message(context, ret); + fprintf(stderr, "%s\n", msg); + krb5_free_error_message(context, msg); + exit(1); + } else if (etype == ENCTYPE_NULL) { + printf("no etype-info\n"); + } else { + ret = krb5_enctype_to_name(etype, TRUE, buf, sizeof(buf)); + assert(!ret); + printf("etype: %s\n", buf); + printf("salt: %.*s\n", (int)salt.length, salt.data); + if (s2kparams.length > 0) { + ret = k5_hex_encode(s2kparams.data, s2kparams.length, TRUE, &hex); + assert(!ret); + printf("s2kparams: %s\n", hex); + free(hex); + } + } + + krb5_free_data_contents(context, &salt); + krb5_free_data_contents(context, &s2kparams); + krb5_free_principal(context, princ); + krb5_get_init_creds_opt_free(context, opt); + krb5_free_context(context); + free(etypes); + return 0; +} diff --git a/src/lib/krb5/krb/t_get_etype_info.py b/src/lib/krb5/krb/t_get_etype_info.py new file mode 100644 index 0000000..7c400be --- /dev/null +++ b/src/lib/krb5/krb/t_get_etype_info.py @@ -0,0 +1,63 @@ +from k5test import * + +conf = {'libdefaults': {'allow_weak_crypto': 'true'}} +realm = K5Realm(create_host=False, krb5_conf=conf) + +realm.run([kadminl, 'ank', '-pw', 'pw', '+preauth', 'puser']) +realm.run([kadminl, 'ank', '-nokey', 'nokey']) +realm.run([kadminl, 'ank', '-nokey', '+preauth', 'pnokey']) +realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp']) +realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth', + 'pexp']) +realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs']) +realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth', + 'pafs']) + +# Extract the explicit salt values from the database. +out = realm.run([kdb5_util, 'tabdump', 'keyinfo']) +salt_dict = {f[0]: f[5] for f in [l.split('\t') for l in out.splitlines()]} +exp_salt = bytes.fromhex(salt_dict['exp@KRBTEST.COM']).decode('ascii') +pexp_salt = bytes.fromhex(salt_dict['pexp@KRBTEST.COM']).decode('ascii') + +# Test an error reply (other than PREAUTH_REQUIRED). +out = realm.run(['./t_get_etype_info', 'notfound'], expected_code=1, + expected_msg='Client not found in Kerberos database') + +# Test with default salt and no specific options, with and without +# preauth. (Our KDC always sends an explicit salt, so unfortunately +# we aren't really testing client handling of the default salt.) +realm.run(['./t_get_etype_info', 'user'], + expected_msg='etype: aes256-cts\nsalt: KRBTEST.COMuser\n') +realm.run(['./t_get_etype_info', 'puser'], + expected_msg='etype: aes256-cts\nsalt: KRBTEST.COMpuser\n') + +# Test with a specified request enctype. +msg = 'etype: aes128-cts\nsalt: KRBTEST.COMuser\n' +realm.run(['./t_get_etype_info', '-e', 'aes128-cts', 'user'], + expected_msg='etype: aes128-cts\nsalt: KRBTEST.COMuser\n') +realm.run(['./t_get_etype_info', '-e', 'aes128-cts', 'puser'], + expected_msg='etype: aes128-cts\nsalt: KRBTEST.COMpuser\n') + +# Test with FAST. +msg = 'etype: aes256-cts\nsalt: KRBTEST.COMuser\n' +realm.run(['./t_get_etype_info', '-T', realm.ccache, 'user'], + expected_msg='etype: aes256-cts\nsalt: KRBTEST.COMuser\n') +realm.run(['./t_get_etype_info', '-T', realm.ccache, 'puser'], + expected_msg='etype: aes256-cts\nsalt: KRBTEST.COMpuser\n') + +# Test with no available etype-info. +realm.run(['./t_get_etype_info', 'nokey'], expected_code=1, + expected_msg='KDC has no support for encryption type') +realm.run(['./t_get_etype_info', 'pnokey'], expected_msg='no etype-info') + +# Test with explicit salt. +realm.run(['./t_get_etype_info', 'exp'], + expected_msg='etype: aes256-cts\nsalt: ' + exp_salt + '\n') +realm.run(['./t_get_etype_info', 'pexp'], + expected_msg='etype: aes256-cts\nsalt: ' + pexp_salt + '\n') + +msg = 'etype: des-cbc-crc\nsalt: KRBTEST.COM\ns2kparams: 01\n' +realm.run(['./t_get_etype_info', 'afs'], expected_msg=msg) +realm.run(['./t_get_etype_info', 'pafs'], expected_msg=msg) + +success('krb5_get_etype_info() tests') diff --git a/src/lib/krb5/krb/t_in_ccache_patypes.py b/src/lib/krb5/krb/t_in_ccache_patypes.py index c042340..b281268 100755 --- a/src/lib/krb5/krb/t_in_ccache_patypes.py +++ b/src/lib/krb5/krb/t_in_ccache_patypes.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2010,2012 by the Massachusetts Institute of Technology. # All rights reserved. # diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c index 60cfb5b..74ac14d 100644 --- a/src/lib/krb5/krb/t_kerb.c +++ b/src/lib/krb5/krb/t_kerb.c @@ -5,16 +5,8 @@ */ #include "autoconf.h" -#include "krb5.h" -#include -#include -#include -#include +#include "k5-int.h" #include -#include -#include -#include -#include #include "com_err.h" @@ -37,7 +29,7 @@ test_string_to_timestamp(krb5_context ctx, char *ktime) com_err("krb5_string_to_timestamp", retval, 0); return; } - t = (time_t) timestamp; + t = ts2tt(timestamp); printf("Parsed time was %s", ctime(&t)); } diff --git a/src/lib/krb5/krb/t_pac.c b/src/lib/krb5/krb/t_pac.c index 61fb51a..7b756a2 100644 --- a/src/lib/krb5/krb/t_pac.c +++ b/src/lib/krb5/krb/t_pac.c @@ -34,6 +34,8 @@ #include "k5-int.h" +#define U(x) (uint8_t *)x + /* * This PAC and keys are copied (with permission) from Samba torture * regression test suite, they where created by Andrew Bartlet. @@ -85,17 +87,383 @@ static unsigned int type_1_length = 472; static const krb5_keyblock kdc_keyblock = { 0, ENCTYPE_ARCFOUR_HMAC, - 16, (krb5_octet *)"\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7" + 16, U("\xB2\x86\x75\x71\x48\xAF\x7F\xD2\x52\xC5\x36\x03\xA1\x50\xB7\xE7") }; static const krb5_keyblock member_keyblock = { 0, ENCTYPE_ARCFOUR_HMAC, - 16, (krb5_octet *)"\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC" + 16, U("\xD2\x17\xFA\xEA\xE5\xE6\xB5\xF9\x5C\xCC\x94\x07\x7A\xB8\xA5\xFC") }; static time_t authtime = 1120440609; static const char *user = "w2003final$@WIN2K3.THINKER.LOCAL"; +/* The S4U2Self PACs below were collected by debugging krb5-mit code on + * Linux, talking with a Windows 2008 KDC server over the network. */ + +static const unsigned char s4u_pac_regular[] = { + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0a, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0xf8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, + 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x48, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0x0a, 0x00, 0x0a, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x76, 0x04, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x08, 0x00, + 0x20, 0x00, 0x02, 0x00, 0x08, 0x00, 0x0a, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x57, 0x00, 0x44, 0x00, + 0x43, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, + 0x74, 0xa0, 0x8d, 0x00, 0x3f, 0xa5, 0xc2, 0xe9, + 0x60, 0x91, 0xe1, 0x22, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x89, 0xa1, 0x25, 0xd0, 0x59, 0xd4, 0x01, + 0x0a, 0x00, 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, + 0x38, 0x00, 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x12, 0x00, 0x10, 0x00, 0x10, 0x00, 0x28, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, 0x62, 0x00, + 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x2e, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x88, 0x1d, 0x40, 0x84, + 0x7a, 0x01, 0x7c, 0x80, 0x74, 0xe3, 0x6a, 0x6b, + 0x76, 0xff, 0xff, 0xff, 0x1a, 0x1d, 0x97, 0xd2, + 0x39, 0xf4, 0xb8, 0xb2, 0x53, 0xae, 0x77, 0xdb, + 0x6c, 0x02, 0xd4, 0x3d, 0x00, 0x00, 0x00, 0x00 +}; + +static const unsigned char s4u_pac_enterprise[] = { + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0a, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x00, + 0xf8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, + 0x18, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x50, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x60, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0x0a, 0x00, 0x0a, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x76, 0x04, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x08, 0x00, + 0x20, 0x00, 0x02, 0x00, 0x08, 0x00, 0x0a, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x57, 0x00, 0x44, 0x00, + 0x43, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, + 0x74, 0xa0, 0x8d, 0x00, 0x3f, 0xa5, 0xc2, 0xe9, + 0x60, 0x91, 0xe1, 0x22, 0x00, 0x00, 0x00, 0x00, + 0x80, 0xe1, 0x9b, 0xe2, 0xe0, 0x59, 0xd4, 0x01, + 0x12, 0x00, 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, + 0x38, 0x00, 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, + 0x62, 0x00, 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x12, 0x00, 0x10, 0x00, 0x10, 0x00, 0x28, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, 0x62, 0x00, + 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x2e, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, + 0x10, 0x00, 0x00, 0x00, 0xfb, 0xe5, 0x03, 0x12, + 0x13, 0x00, 0x6c, 0x8e, 0x81, 0x97, 0x09, 0xea, + 0x76, 0xff, 0xff, 0xff, 0xba, 0xcd, 0x3a, 0xbc, + 0x67, 0x61, 0x16, 0x9f, 0xb8, 0x96, 0xbc, 0xe1, + 0xbe, 0x34, 0xe1, 0x77, 0x00, 0x00, 0x00, 0x00 +}; + +static const unsigned char s4u_pac_xrealm[] = { + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0a, 0x00, 0x00, 0x00, 0x26, 0x00, 0x00, 0x00, + 0xf8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, + 0x20, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x58, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x68, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0x0a, 0x00, 0x0a, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x76, 0x04, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x08, 0x00, + 0x20, 0x00, 0x02, 0x00, 0x08, 0x00, 0x0a, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x57, 0x00, 0x44, 0x00, + 0x43, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, + 0x74, 0xa0, 0x8d, 0x00, 0x3f, 0xa5, 0xc2, 0xe9, + 0x60, 0x91, 0xe1, 0x22, 0x00, 0x00, 0x00, 0x00, + 0x80, 0xa8, 0x60, 0x1b, 0x2b, 0x5a, 0xd4, 0x01, + 0x1c, 0x00, 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, + 0x38, 0x00, 0x75, 0x00, 0x40, 0x00, 0x41, 0x00, + 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, 0x2e, 0x00, + 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x00, 0x00, + 0x12, 0x00, 0x10, 0x00, 0x10, 0x00, 0x28, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, 0x62, 0x00, + 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x2e, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, + 0x10, 0x00, 0x00, 0x00, 0x11, 0x27, 0x3a, 0xa5, + 0x41, 0x84, 0x87, 0xdf, 0xc6, 0xd7, 0x29, 0x26, + 0x76, 0xff, 0xff, 0xff, 0xba, 0x7c, 0x7a, 0x84, + 0xd2, 0x2b, 0x9c, 0x58, 0xed, 0x2f, 0xdf, 0x23, + 0x09, 0x15, 0x05, 0x6b, 0x00, 0x00, 0x00, 0x00 +}; + +static const unsigned char s4u_pac_ent_xrealm[] = { + 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0xa0, 0x01, 0x00, 0x00, + 0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0a, 0x00, 0x00, 0x00, 0x2e, 0x00, 0x00, 0x00, + 0xf8, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x00, 0x00, 0x38, 0x00, 0x00, 0x00, + 0x28, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x06, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, + 0x60, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x07, 0x00, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, + 0x70, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, + 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xc9, 0x36, 0xfd, 0x57, + 0x5b, 0x59, 0xd4, 0x01, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0x7f, 0x0a, 0x00, 0x0a, 0x00, + 0x04, 0x00, 0x02, 0x00, 0x0a, 0x00, 0x0a, 0x00, + 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x14, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x18, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x76, 0x04, 0x00, 0x00, 0x01, 0x02, 0x00, 0x00, + 0x01, 0x00, 0x00, 0x00, 0x1c, 0x00, 0x02, 0x00, + 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x08, 0x00, + 0x20, 0x00, 0x02, 0x00, 0x08, 0x00, 0x0a, 0x00, + 0x24, 0x00, 0x02, 0x00, 0x28, 0x00, 0x02, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x10, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, + 0x01, 0x02, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x03, 0x00, 0x00, 0x00, 0x57, 0x00, 0x44, 0x00, + 0x43, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x04, 0x00, 0x00, 0x00, 0x01, 0x04, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x05, 0x15, 0x00, 0x00, 0x00, + 0x74, 0xa0, 0x8d, 0x00, 0x3f, 0xa5, 0xc2, 0xe9, + 0x60, 0x91, 0xe1, 0x22, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x87, 0x39, 0x5b, 0x4f, 0x5a, 0xd4, 0x01, + 0x24, 0x00, 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, + 0x38, 0x00, 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, + 0x62, 0x00, 0x63, 0x00, 0x40, 0x00, 0x41, 0x00, + 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, 0x2e, 0x00, + 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, 0x00, 0x00, + 0x12, 0x00, 0x10, 0x00, 0x10, 0x00, 0x28, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x77, 0x00, 0x32, 0x00, 0x6b, 0x00, 0x38, 0x00, + 0x75, 0x00, 0x40, 0x00, 0x61, 0x00, 0x62, 0x00, + 0x63, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x41, 0x00, 0x43, 0x00, 0x4d, 0x00, 0x45, 0x00, + 0x2e, 0x00, 0x43, 0x00, 0x4f, 0x00, 0x4d, 0x00, + 0x10, 0x00, 0x00, 0x00, 0xa3, 0x5d, 0xc5, 0xfe, + 0x80, 0x6b, 0x62, 0x0c, 0xb1, 0x2f, 0x43, 0xa2, + 0x76, 0xff, 0xff, 0xff, 0x95, 0x40, 0x76, 0xe4, + 0x0a, 0x0a, 0xb9, 0xe7, 0x93, 0x0f, 0x05, 0xf8, + 0x8a, 0x81, 0x9c, 0x9c, 0x00, 0x00, 0x00, 0x00 +}; + +static const char *s4u_principal = "w2k8u@ACME.COM"; +static const char *s4u_enterprise = "w2k8u@abc@ACME.COM"; + +static const krb5_keyblock s4u_srv_key = { + 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, + 32, U("\x14\xDF\xB5\xB2\xCD\xB4\x2C\x88\x94\xDA\x2F\xA8\x82\xE9\x72\x9F" + "\x4A\x4D\xC7\x4B\xA0\x2A\x24\x2C\xC6\xA8\xD7\x10\x79\xB9\xAD\x9A") +}; + +static const krb5_keyblock s4u_tgt_srv_key = { + 0, ENCTYPE_AES256_CTS_HMAC_SHA1_96, + 32, U("\x42\x0C\x39\xC5\x1A\x17\x54\x04\x45\x1F\x95\x6B\x8C\x58\xE0\xF4" + "\x1B\xCA\x66\x9A\x64\x47\x95\xCA\x6E\x3A\xD5\x5A\x3B\x91\x8C\x9F") +}; + +static size_t s4u_logon_info_buffer_len = 416; + +struct pac_and_info { + time_t authtime; + krb5_boolean is_enterprise; + krb5_boolean is_xrealm; + const unsigned char *data; + size_t length; +}; + +static const struct pac_and_info s4u_pacs[] = { + { 1538430362, 0, 0, s4u_pac_regular, sizeof(s4u_pac_regular) }, + { 1538437551, 1, 0, s4u_pac_enterprise, sizeof(s4u_pac_enterprise) }, + { 1538469429, 0, 1, s4u_pac_xrealm, sizeof(s4u_pac_xrealm) }, + { 1538484998, 1, 1, s4u_pac_ent_xrealm, sizeof(s4u_pac_ent_xrealm) }, + { 0, 0, 0, NULL, 0 } +}; + #if !defined(__cplusplus) && (__GNUC__ > 2) static void err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) __attribute__((__format__(__printf__, 3, 0))); @@ -121,50 +489,46 @@ err(krb5_context ctx, krb5_error_code code, const char *fmt, ...) exit(1); } -int -main(int argc, char **argv) +static void +check_pac(krb5_context context, int index, const unsigned char *pdata, + size_t plen, time_t auth_time, krb5_principal p, + size_t type_one_buffer_length, krb5_boolean with_realm, + const krb5_keyblock *server_key, const krb5_keyblock *kdc_key) { krb5_error_code ret; - krb5_context context; - krb5_pac pac; + const krb5_keyblock *kdc_sign_key; krb5_data data; - krb5_principal p; - - ret = krb5_init_context(&context); - if (ret) - err(NULL, 0, "krb5_init_contex"); - - krb5_set_default_realm(context, "WIN2K3.THINKER.LOCAL"); + krb5_pac pac; - ret = krb5_parse_name(context, user, &p); - if (ret) - err(context, ret, "krb5_parse_name"); + /* If we don't have the KDC key (S4U cases), just use another key as we'd + * skip the KDC signature when verifying. */ + kdc_sign_key = (kdc_key == NULL) ? &kdc_keyblock : kdc_key; - ret = krb5_pac_parse(context, saved_pac, sizeof(saved_pac), &pac); + ret = krb5_pac_parse(context, pdata, plen, &pac); if (ret) - err(context, ret, "krb5_pac_parse"); + err(context, ret, "[pac: %d] krb5_pac_parse", index); - ret = krb5_pac_verify(context, pac, authtime, p, - &member_keyblock, &kdc_keyblock); + ret = krb5_pac_verify_ext(context, pac, auth_time, p, server_key, kdc_key, + with_realm); if (ret) - err(context, ret, "krb5_pac_verify"); + err(context, ret, "[pac: %d] krb5_pac_verify_ext", index); - ret = krb5_pac_sign(context, pac, authtime, p, - &member_keyblock, &kdc_keyblock, &data); + ret = krb5_pac_sign_ext(context, pac, auth_time, p, server_key, + kdc_sign_key, with_realm, &data); if (ret) - err(context, ret, "krb5_pac_sign"); + err(context, ret, "[pac: %d] krb5_pac_sign_ext", index); krb5_pac_free(context, pac); ret = krb5_pac_parse(context, data.data, data.length, &pac); krb5_free_data_contents(context, &data); if (ret) - err(context, ret, "krb5_pac_parse 2"); + err(context, ret, "[pac: %d] krb5_pac_parse 2", index); - ret = krb5_pac_verify(context, pac, authtime, p, - &member_keyblock, &kdc_keyblock); + ret = krb5_pac_verify_ext(context, pac, auth_time, p, server_key, kdc_key, + with_realm); if (ret) - err(context, ret, "krb5_pac_verify 2"); + err(context, ret, "[pac: %d] krb5_pac_verify_ext 2", index); /* make a copy and try to reproduce it */ { @@ -174,12 +538,12 @@ main(int argc, char **argv) ret = krb5_pac_init(context, &pac2); if (ret) - err(context, ret, "krb5_pac_init"); + err(context, ret, "[pac: %d] krb5_pac_init", index); /* our two user buffer plus the three "system" buffers */ ret = krb5_pac_get_types(context, pac, &len, &list); if (ret) - err(context, ret, "krb5_pac_get_types"); + err(context, ret, "[pac: %d] krb5_pac_get_types", index); for (i = 0; i < len; i++) { /* skip server_cksum, privsvr_cksum, and logon_name */ @@ -188,37 +552,40 @@ main(int argc, char **argv) ret = krb5_pac_get_buffer(context, pac, list[i], &data); if (ret) - err(context, ret, "krb5_pac_get_buffer"); + err(context, ret, "[pac: %d] krb5_pac_get_buffer", index); if (list[i] == 1) { - if (type_1_length != data.length) - err(context, 0, "type 1 have wrong length: %lu", - (unsigned long)data.length); - } else - err(context, 0, "unknown type %lu", (unsigned long)list[i]); + if (type_one_buffer_length != data.length) { + err(context, 0, "[pac: %d] type 1 have wrong length: %lu", + index, (unsigned long)data.length); + } + } else if (list[i] != 12) { + err(context, 0, "[pac: %d] unknown type %lu", + index, (unsigned long)list[i]); + } ret = krb5_pac_add_buffer(context, pac2, list[i], &data); if (ret) - err(context, ret, "krb5_pac_add_buffer"); + err(context, ret, "[pac: %d] krb5_pac_add_buffer", index); krb5_free_data_contents(context, &data); } free(list); - ret = krb5_pac_sign(context, pac2, authtime, p, - &member_keyblock, &kdc_keyblock, &data); + ret = krb5_pac_sign_ext(context, pac2, auth_time, p, server_key, + kdc_sign_key, with_realm, &data); if (ret) - err(context, ret, "krb5_pac_sign 4"); + err(context, ret, "[pac: %d] krb5_pac_sign_ext 4", index); krb5_pac_free(context, pac2); ret = krb5_pac_parse(context, data.data, data.length, &pac2); if (ret) - err(context, ret, "krb5_pac_parse 4"); + err(context, ret, "[pac: %d] krb5_pac_parse 4", index); - ret = krb5_pac_verify(context, pac2, authtime, p, - &member_keyblock, &kdc_keyblock); + ret = krb5_pac_verify_ext(context, pac2, auth_time, p, server_key, + kdc_key, with_realm); if (ret) - err(context, ret, "krb5_pac_verify 4"); + err(context, ret, "[pac: %d] krb5_pac_verify_ext 4", index); krb5_free_data_contents(context, &data); @@ -226,6 +593,58 @@ main(int argc, char **argv) } krb5_pac_free(context, pac); +} + +int +main(int argc, char **argv) +{ + krb5_error_code ret; + krb5_context context; + krb5_pac pac; + krb5_data data; + krb5_principal p; + + ret = krb5_init_context(&context); + if (ret) + err(NULL, 0, "krb5_init_contex"); + + ret = krb5_set_default_realm(context, "WIN2K3.THINKER.LOCAL"); + if (ret) + err(context, ret, "krb5_set_default_realm"); + + ret = krb5_parse_name(context, user, &p); + if (ret) + err(context, ret, "krb5_parse_name"); + + /* Check a pre-saved PAC. */ + check_pac(context, -1, saved_pac, sizeof(saved_pac), authtime, p, + type_1_length, 0, &member_keyblock, &kdc_keyblock); + + /* Check S4U2Self PACs. */ + { + krb5_principal sp; + krb5_principal sep; + const struct pac_and_info *pi; + + ret = krb5_parse_name(context, s4u_principal, &sp); + if (ret) + err(context, ret, "krb5_parse_name"); + + ret = krb5_parse_name_flags(context, s4u_enterprise, + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &sep); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + for (pi = s4u_pacs; pi->data != NULL; pi++) { + check_pac(context, pi - s4u_pacs, pi->data, pi->length, + pi->authtime, pi->is_enterprise ? sep : sp, + s4u_logon_info_buffer_len, pi->is_xrealm, + pi->is_xrealm ? &s4u_tgt_srv_key : &s4u_srv_key, NULL); + } + + krb5_free_principal(context, sp); + krb5_free_principal(context, sep); + } /* * Test empty free @@ -313,6 +732,138 @@ main(int argc, char **argv) free(list); } + { + krb5_principal ep; + + ret = krb5_parse_name_flags(context, user, + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &ep); + if (ret) + err(context, ret, "krb5_parse_name_flags"); + + /* Try to verify as enterprise. */ + ret = krb5_pac_verify(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock); + if (!ret) + err(context, ret, "krb5_pac_verify should have failed"); + + ret = krb5_pac_sign(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock, &data); + if (!ret) + err(context, ret, "krb5_pac_sign should have failed"); + + /* Try to verify with realm. */ + ret = krb5_pac_verify_ext(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock, TRUE); + if (!ret) + err(context, ret, "krb5_pac_verify_ext with realm should fail"); + + /* Currently we can't re-sign the PAC with realm (although that could + * be useful), only sign a new one. */ + ret = krb5_pac_sign_ext(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock, TRUE, &data); + if (!ret) + err(context, ret, "krb5_pac_sign_ext with realm should fail"); + + krb5_pac_free(context, pac); + + /* Test enterprise. */ + ret = krb5_pac_init(context, &pac); + if (ret) + err(context, ret, "krb5_pac_init"); + + ret = krb5_pac_sign(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock, &data); + if (ret) + err(context, ret, "krb5_pac_sign enterprise failed"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_free_data_contents(context, &data); + if (ret) + err(context, ret, "krb5_pac_parse failed"); + + ret = krb5_pac_verify(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock); + if (ret) + err(context, ret, "krb5_pac_verify enterprise failed"); + + ret = krb5_pac_verify(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock); + if (!ret) + err(context, ret, "krb5_pac_verify should have failed"); + + krb5_pac_free(context, pac); + + /* Test with realm. */ + ret = krb5_pac_init(context, &pac); + if (ret) + err(context, ret, "krb5_pac_init"); + + ret = krb5_pac_sign_ext(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock, TRUE, &data); + if (ret) + err(context, ret, "krb5_pac_sign_ext with realm failed"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_free_data_contents(context, &data); + if (ret) + err(context, ret, "krb5_pac_parse failed"); + + ret = krb5_pac_verify_ext(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock, TRUE); + if (ret) + err(context, ret, "krb5_pac_verify_ext with realm failed"); + + ret = krb5_pac_verify(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock); + if (!ret) + err(context, ret, "krb5_pac_verify should have failed"); + + krb5_pac_free(context, pac); + + /* Test enterprise with realm. */ + ret = krb5_pac_init(context, &pac); + if (ret) + err(context, ret, "krb5_pac_init"); + + ret = krb5_pac_sign_ext(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock, TRUE, &data); + if (ret) + err(context, ret, "krb5_pac_sign_ext ent with realm failed"); + + krb5_pac_free(context, pac); + + ret = krb5_pac_parse(context, data.data, data.length, &pac); + krb5_free_data_contents(context, &data); + if (ret) + err(context, ret, "krb5_pac_parse failed"); + + ret = krb5_pac_verify_ext(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock, TRUE); + if (ret) + err(context, ret, "krb5_pac_verify_ext ent with realm failed"); + + ret = krb5_pac_verify(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock); + if (!ret) + err(context, ret, "krb5_pac_verify should have failed"); + + ret = krb5_pac_verify(context, pac, authtime, ep, &member_keyblock, + &kdc_keyblock); + if (!ret) + err(context, ret, "krb5_pac_verify should have failed"); + + ret = krb5_pac_verify_ext(context, pac, authtime, p, &member_keyblock, + &kdc_keyblock, TRUE); + if (!ret) + err(context, ret, "krb5_pac_verify_ext should have failed"); + + krb5_free_principal(context, ep); + } + krb5_pac_free(context, pac); krb5_free_principal(context, p); diff --git a/src/lib/krb5/krb/t_parse_host_string.c b/src/lib/krb5/krb/t_parse_host_string.c index 76dd20f..001b773 100644 --- a/src/lib/krb5/krb/t_parse_host_string.c +++ b/src/lib/krb5/krb/t_parse_host_string.c @@ -31,10 +31,7 @@ */ #include "k5-int.h" -#include -#include -#include -#include +#include "k5-cmocka.h" #include /* Call k5_parse_host_string() and check the result against the expected code, diff --git a/src/lib/krb5/krb/t_ser.c b/src/lib/krb5/krb/t_ser.c index 9cdf5e6..1d6ccea 100644 --- a/src/lib/krb5/krb/t_ser.c +++ b/src/lib/krb5/krb/t_ser.c @@ -151,10 +151,6 @@ ser_data(int verbose, char *msg, krb5_pointer ctx, krb5_magic dtype) krb5_encrypt_block *eblock; eblock = (krb5_encrypt_block *) nctx; -#if 0 - if (eblock->priv && eblock->priv_size) - free(eblock->priv); -#endif if (eblock->key) krb5_free_keyblock(ser_ctx, eblock->key); free(eblock); @@ -450,60 +446,6 @@ ser_rcache_test(krb5_context kcontext, int verbose) return(kret); } -#if 0 -/* - * Serialize krb5_encrypt_block. - */ -static krb5_error_code -ser_eblock_test(kcontext, verbose) - krb5_context kcontext; - int verbose; -{ - krb5_error_code kret; - krb5_encrypt_block eblock; - krb5_keyblock ukeyblock; - krb5_octet keydata[8]; - - memset(&eblock, 0, sizeof(krb5_encrypt_block)); - eblock.magic = KV5M_ENCRYPT_BLOCK; - krb5_use_enctype(kcontext, &eblock, DEFAULT_KDC_ENCTYPE); - if (!(kret = ser_data(verbose, "> NULL eblock", - (krb5_pointer) &eblock, KV5M_ENCRYPT_BLOCK))) { -#if 0 - eblock.priv = (krb5_pointer) stuff; - eblock.priv_size = 8; -#endif - if (!(kret = ser_data(verbose, "> eblock with private data", - (krb5_pointer) &eblock, - KV5M_ENCRYPT_BLOCK))) { - memset(&ukeyblock, 0, sizeof(ukeyblock)); - memset(keydata, 0, sizeof(keydata)); - ukeyblock.enctype = ENCTYPE_DES_CBC_MD5; - ukeyblock.length = sizeof(keydata); - ukeyblock.contents = keydata; - keydata[0] = 0xde; - keydata[1] = 0xad; - keydata[2] = 0xbe; - keydata[3] = 0xef; - keydata[4] = 0xfe; - keydata[5] = 0xed; - keydata[6] = 0xf0; - keydata[7] = 0xd; - eblock.key = &ukeyblock; - if (!(kret = ser_data(verbose, "> eblock with private key", - (krb5_pointer) &eblock, - KV5M_ENCRYPT_BLOCK))) { - if (verbose) - printf("* eblock test succeeded\n"); - } - } - } - if (kret) - printf("* eblock test failed\n"); - return(kret); -} -#endif - /* * Serialize krb5_principal */ @@ -584,7 +526,7 @@ main(int argc, char **argv) do_ptest = 1; do_rtest = 1; do_stest = 1; - while ((option = getopt(argc, argv, "acekprsxvACEKPRSX")) != -1) { + while ((option = getopt(argc, argv, "acekprsxvACKPRSX")) != -1) { switch (option) { case 'a': do_atest = 0; @@ -619,11 +561,6 @@ main(int argc, char **argv) case 'C': do_ctest = 1; break; -#if 0 - case 'E': - do_etest = 1; - break; -#endif case 'K': do_ktest = 1; break; @@ -641,7 +578,7 @@ main(int argc, char **argv) break; default: fprintf(stderr, - "%s: usage is %s [-acekprsxvACEKPRSX]\n", + "%s: usage is %s [-acekprsxvACKPRSX]\n", argv[0], argv[0]); exit(1); break; @@ -682,14 +619,6 @@ main(int argc, char **argv) if (kret) goto fail; } -#if 0 /* code to be tested is currently disabled */ - if (do_etest) { - ch_err = 'e'; - kret = ser_eblock_test(kcontext, verbose); - if (kret) - goto fail; - } -#endif if (do_ptest) { ch_err = 'p'; kret = ser_princ_test(kcontext, verbose); diff --git a/src/lib/krb5/krb/t_valid_times.c b/src/lib/krb5/krb/t_valid_times.c new file mode 100644 index 0000000..e4b5f1b --- /dev/null +++ b/src/lib/krb5/krb/t_valid_times.c @@ -0,0 +1,111 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/krb5/krb/t_valid_times.c - test program for krb5int_validate_times() */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "int-proto.h" + +#define BOUNDARY (uint32_t)INT32_MIN + +int +main() +{ + krb5_error_code ret; + krb5_context context; + krb5_ticket_times times = { 0, 0, 0, 0 }; + + ret = krb5_init_context(&context); + assert(!ret); + + /* Current time is within authtime and end time. */ + ret = krb5_set_debugging_time(context, 1000, 0); + times.authtime = 500; + times.endtime = 1500; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is before starttime, but within clock skew. */ + times.starttime = 1100; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is before starttime by more than clock skew. */ + times.starttime = 1400; + ret = krb5int_validate_times(context, ×); + assert(ret == KRB5KRB_AP_ERR_TKT_NYV); + + /* Current time is after end time, but within clock skew. */ + times.starttime = 500; + times.endtime = 800; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is after end time by more than clock skew. */ + times.endtime = 600; + ret = krb5int_validate_times(context, ×); + assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED); + + /* Current time is within starttime and endtime; current time and + * endtime are across y2038 boundary. */ + ret = krb5_set_debugging_time(context, BOUNDARY - 100, 0); + assert(!ret); + times.starttime = BOUNDARY - 200; + times.endtime = BOUNDARY + 500; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is before starttime, but by less than clock skew. */ + times.starttime = BOUNDARY + 100; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is before starttime by more than clock skew. */ + times.starttime = BOUNDARY + 250; + ret = krb5int_validate_times(context, ×); + assert(ret == KRB5KRB_AP_ERR_TKT_NYV); + + /* Current time is after endtime, but by less than clock skew. */ + ret = krb5_set_debugging_time(context, BOUNDARY + 100, 0); + assert(!ret); + times.starttime = BOUNDARY - 1000; + times.endtime = BOUNDARY - 100; + ret = krb5int_validate_times(context, ×); + assert(!ret); + + /* Current time is after endtime by more than clock skew. */ + times.endtime = BOUNDARY - 300; + ret = krb5int_validate_times(context, ×); + assert(ret == KRB5KRB_AP_ERR_TKT_EXPIRED); + + krb5_free_context(context); + + return 0; +} diff --git a/src/lib/krb5/krb/t_vfy_increds.py b/src/lib/krb5/krb/t_vfy_increds.py index c820cc6..ae422a9 100755 --- a/src/lib/krb5/krb/t_vfy_increds.py +++ b/src/lib/krb5/krb/t_vfy_increds.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -27,17 +25,20 @@ from k5test import * realm = K5Realm() # Verify the default test realm credentials with the default keytab. +mark('default keytab') realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n']) # Verify after updating the keytab (so the keytab contains an outdated # version 1 key followed by an up-to-date version 2 key). +mark('updated keytab') realm.run([kadminl, 'ktadd', realm.host_princ]) realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n']) # Bump the host key without updating the keytab and make sure that # verification fails as we expect it to. +mark('outdated keytab') realm.run([kadminl, 'change_password', '-randkey', realm.host_princ]) realm.run(['./t_vfy_increds'], expected_code=1) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -47,6 +48,7 @@ realm.run(['./t_vfy_increds', '-n'], expected_code=1) # matches. Verify after updating the keytab with a host service # principal that has hostname that doesn't match the host running the # test. Verify should succeed, with or without nofail. +mark('hostname mismatch') realm.run([kadminl, 'addprinc', '-randkey', 'host/wrong.hostname']) realm.run([kadminl, 'ktadd', 'host/wrong.hostname']) realm.run(['./t_vfy_increds']) @@ -54,6 +56,7 @@ realm.run(['./t_vfy_increds', '-n']) # Remove the keytab and verify again. This should succeed if nofail # is not set, and fail if it is set. +mark('no keytab') os.remove(realm.keytab) realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -65,6 +68,7 @@ realm.run(['./t_vfy_increds', '-n'], expected_code=1) # set. (An empty keytab file appears as corrupt to keytab calls, # causing a KRB5_KEYTAB_BADVNO error, so any tightening of the # krb5_verify_init_creds semantics needs to take this into account.) +mark('empty keytab') open(realm.keytab, 'w').close() realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -73,6 +77,7 @@ os.remove(realm.keytab) # Add an NFS service principal to keytab. Verify should ignore it by # default (succeeding unless nofail is set), but should verify with it # when it is specifically requested. +mark('keytab with NFS principal') realm.run([kadminl, 'addprinc', '-randkey', realm.nfs_princ]) realm.run([kadminl, 'ktadd', realm.nfs_princ]) realm.run(['./t_vfy_increds']) @@ -83,6 +88,7 @@ realm.run(['./t_vfy_increds', '-n', realm.nfs_princ]) # Invalidating the NFS keys in the keytab. We should get the same # results with the default principal argument, but verification should # now fail if we request it specifically. +mark('keytab with outdated NFS principal') realm.run([kadminl, 'change_password', '-randkey', realm.nfs_princ]) realm.run(['./t_vfy_increds']) realm.run(['./t_vfy_increds', '-n'], expected_code=1) @@ -91,6 +97,7 @@ realm.run(['./t_vfy_increds', '-n', realm.nfs_princ], expected_code=1) # Spot-check that verify_ap_req_nofail works equivalently to the # programmatic nofail option. +mark('verify_ap_req_nofail') realm.stop() conf = {'libdefaults': {'verify_ap_req_nofail': 'true'}} realm = K5Realm(krb5_conf=conf) diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c index 5bb64d0..aa34b1b 100644 --- a/src/lib/krb5/krb/unparse.c +++ b/src/lib/krb5/krb/unparse.c @@ -122,13 +122,6 @@ copy_component_quoting(char *dest, const krb5_data *src, int flags) *q++ = '\\'; *q++ = 'b'; break; -#if 0 - /* Heimdal escapes spaces in principal names upon unparsing */ - case ' ': - *q++ = '\\'; - *q++ = ' '; - break; -#endif case '\0': *q++ = '\\'; *q++ = '0'; @@ -225,7 +218,8 @@ cleanup: } krb5_error_code KRB5_CALLCONV -krb5_unparse_name(krb5_context context, krb5_const_principal principal, register char **name) +krb5_unparse_name(krb5_context context, krb5_const_principal principal, + char **name) { if (name != NULL) /* name == NULL will return error from _ext */ *name = NULL; diff --git a/src/lib/krb5/krb/valid_times.c b/src/lib/krb5/krb/valid_times.c index d631221..294761a 100644 --- a/src/lib/krb5/krb/valid_times.c +++ b/src/lib/krb5/krb/valid_times.c @@ -47,10 +47,10 @@ krb5int_validate_times(krb5_context context, krb5_ticket_times *times) else starttime = times->authtime; - if (starttime - currenttime > context->clockskew) + if (ts_after(starttime, ts_incr(currenttime, context->clockskew))) return KRB5KRB_AP_ERR_TKT_NYV; /* ticket not yet valid */ - if ((currenttime - times->endtime) > context->clockskew) + if (ts_after(currenttime, ts_incr(times->endtime, context->clockskew))) return KRB5KRB_AP_ERR_TKT_EXPIRED; /* ticket expired */ return 0; diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c index 9786d63..b4878ba 100644 --- a/src/lib/krb5/krb/vfy_increds.c +++ b/src/lib/krb5/krb/vfy_increds.c @@ -120,7 +120,7 @@ get_vfy_cred(krb5_context context, krb5_creds *creds, krb5_principal server, ret = krb5_timeofday(context, &in_creds.times.endtime); if (ret) goto cleanup; - in_creds.times.endtime += 5*60; + in_creds.times.endtime = ts_incr(in_creds.times.endtime, 5 * 60); ret = krb5_get_credentials(context, 0, ccache, &in_creds, &out_creds); if (ret) goto cleanup; diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c index 0566a55..4074fe8 100644 --- a/src/lib/krb5/krb/walk_rtree.c +++ b/src/lib/krb5/krb/walk_rtree.c @@ -133,6 +133,12 @@ k5_client_realm_path(krb5_context context, const krb5_data *client, if (retval) return retval; + /* A capaths value of "." means no intermediates. */ + if (capvals != NULL && capvals[0] != NULL && *capvals[0] == '.') { + profile_free_list(capvals); + capvals = NULL; + } + /* Count capaths (if any) and allocate space. Leave room for the client * realm, server realm, and terminator. */ for (i = 0; capvals != NULL && capvals[i] != NULL; i++); @@ -609,7 +615,7 @@ comtail(struct hstate *c, struct hstate *s, int sep) void krb5_free_realm_tree(krb5_context context, krb5_principal *realms) { - register krb5_principal *nrealms = realms; + krb5_principal *nrealms = realms; if (realms == NULL) return; while (*nrealms) { diff --git a/src/lib/krb5/krb/x-deltat.y b/src/lib/krb5/krb/x-deltat.y index f9cc2bb..da11b88 100644 --- a/src/lib/krb5/krb/x-deltat.y +++ b/src/lib/krb5/krb/x-deltat.y @@ -44,7 +44,6 @@ #ifdef __GNUC__ #pragma GCC diagnostic push #pragma GCC diagnostic ignored "-Wuninitialized" -#pragma GCC diagnostic ignored "-Wmaybe-uninitialized" #endif #include "k5-int.h" diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports index ed6cad6..dfdb72d 100644 --- a/src/lib/krb5/libkrb5.exports +++ b/src/lib/krb5/libkrb5.exports @@ -36,6 +36,7 @@ decode_krb5_pa_otp_req decode_krb5_pa_otp_enc_req decode_krb5_pa_pac_req decode_krb5_pa_s4u_x509_user +decode_krb5_pa_spake decode_krb5_padata_sequence decode_krb5_priv decode_krb5_safe @@ -44,6 +45,7 @@ decode_krb5_sam_challenge_2_body decode_krb5_sam_response_2 decode_krb5_secure_cookie decode_krb5_setpw_req +decode_krb5_spake_factor decode_krb5_tgs_rep decode_krb5_tgs_req decode_krb5_ticket @@ -85,6 +87,7 @@ encode_krb5_pa_otp_challenge encode_krb5_pa_otp_req encode_krb5_pa_otp_enc_req encode_krb5_pa_s4u_x509_user +encode_krb5_pa_spake encode_krb5_padata_sequence encode_krb5_pkinit_supp_pub_info encode_krb5_priv @@ -95,6 +98,7 @@ encode_krb5_sam_challenge_2_body encode_krb5_sam_response_2 encode_krb5_secure_cookie encode_krb5_sp80056a_other_info +encode_krb5_spake_factor encode_krb5_tgs_rep encode_krb5_tgs_req encode_krb5_ticket @@ -128,7 +132,9 @@ k5_free_kkdcp_message k5_free_pa_otp_challenge k5_free_pa_otp_req k5_free_secure_cookie +k5_free_pa_spake k5_free_serverlist +k5_free_spake_factor k5_hostrealm_free_context k5_init_trace k5_is_string_numeric @@ -368,6 +374,7 @@ krb5_get_default_config_files krb5_get_default_in_tkt_ktypes krb5_get_default_realm krb5_get_error_message +krb5_get_etype_info krb5_get_fallback_host_realm krb5_get_host_realm krb5_get_in_tkt_with_keytab @@ -480,7 +487,9 @@ krb5_pac_get_types krb5_pac_init krb5_pac_parse krb5_pac_sign +krb5_pac_sign_ext krb5_pac_verify +krb5_pac_verify_ext krb5_parse_name krb5_parse_name_flags krb5_prepend_error_message diff --git a/src/lib/krb5/os/Makefile.in b/src/lib/krb5/os/Makefile.in index efa82e2..91b0486 100644 --- a/src/lib/krb5/os/Makefile.in +++ b/src/lib/krb5/os/Makefile.in @@ -182,7 +182,7 @@ t_locate_kdc: t_locate_kdc.o t_locate_kdc.o: t_locate_kdc.c locate_kdc.c dnssrv.c dnsglue.c $(OUTPRE)t_locate_kdc.exe: $(OUTPRE)t_locate_kdc.obj \ $(KLIB) $(PLIB) $(CLIB) $(SLIB) - link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib $(DNSLIBS) + link $(EXE_LINKOPTS) -out:$@ $** ws2_32.lib t_trace: $(T_TRACE_OBJS) $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o t_trace $(T_TRACE_OBJS) $(KRB5_BASE_LIBS) @@ -225,7 +225,7 @@ check-unix-locate: t_locate_kdc $(RUN_TEST) ./t_locate_kdc $(LOCREALM); \ else \ echo '*** WARNING: skipped t_locate_kdc test: known DNS name not found'; \ - echo 'Skipped t_locate_kdc test: known DNS name found' >> $(SKIPTESTS); \ + echo 'Skipped t_locate_kdc test: known DNS name not found' >> $(SKIPTESTS); \ fi; \ else \ echo '*** WARNING: skipped t_locate_kdc test: OFFLINE'; \ diff --git a/src/lib/krb5/os/accessor.c b/src/lib/krb5/os/accessor.c index df63b14..d77f8c6 100644 --- a/src/lib/krb5/os/accessor.c +++ b/src/lib/krb5/os/accessor.c @@ -30,11 +30,14 @@ /* If this trick gets used elsewhere, move it to k5-platform.h. */ #ifndef DESIGNATED_INITIALIZERS -#define DESIGNATED_INITIALIZERS \ - /* ANSI/ISO C 1999 supports this... */ \ - (__STDC_VERSION__ >= 199901L \ - /* ...as does GCC, since version 2.something. */ \ - || (!defined __cplusplus && __GNUC__ >= 3)) +/* ANSI/ISO C 1999 supports this... */ +#if __STDC_VERSION__ >= 199901L \ + /* ...as does GCC, since version 2.something. */ \ + || (!defined __cplusplus && __GNUC__ >= 3) +#define DESIGNATED_INITIALIZERS 1 +#else +#define DESIGNATED_INITIALIZERS 0 +#endif #endif krb5_error_code KRB5_CALLCONV @@ -53,8 +56,6 @@ krb5int_accessor(krb5int_access *internals, krb5_int32 version) #endif S (auth_con_get_subkey_enctype, krb5_auth_con_get_subkey_enctype), - S (clean_hostname, k5_clean_hostname), - #ifndef LEAN_CLIENT #define SC(FIELD, VAL) S(FIELD, VAL) #else /* disable */ diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c index 871d721..f69f2ea 100644 --- a/src/lib/krb5/os/c_ustime.c +++ b/src/lib/krb5/os/c_ustime.c @@ -29,7 +29,10 @@ k5_mutex_t krb5int_us_time_mutex = K5_MUTEX_PARTIAL_INITIALIZER; -struct time_now { krb5_int32 sec, usec; }; +struct time_now { + krb5_timestamp sec; + krb5_int32 usec; +}; #if defined(_WIN32) @@ -73,7 +76,7 @@ get_time_now(struct time_now *n) static struct time_now last_time; krb5_error_code -krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds) +krb5_crypto_us_timeofday(krb5_timestamp *seconds, krb5_int32 *microseconds) { struct time_now now; krb5_error_code err; @@ -102,17 +105,17 @@ krb5_crypto_us_timeofday(krb5_int32 *seconds, krb5_int32 *microseconds) putting now.sec in the past. But don't just use '<' because we need to properly handle the case where the administrator intentionally adjusted time backwards. */ - if ((now.sec == last_time.sec-1) || - ((now.sec == last_time.sec) && (now.usec <= last_time.usec))) { + if (now.sec == ts_incr(last_time.sec, -1) || + (now.sec == last_time.sec && !ts_after(last_time.usec, now.usec))) { /* Correct 'now' to be exactly one microsecond later than 'last_time'. Note that _because_ we perform this hack, 'now' may be _earlier_ than 'last_time', even though the system time is monotonically increasing. */ now.sec = last_time.sec; - now.usec = ++last_time.usec; + now.usec = ts_incr(last_time.usec, 1); if (now.usec >= 1000000) { - ++now.sec; + now.sec = ts_incr(now.sec, 1); now.usec = 0; } } diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c index e4db570..9f968da 100644 --- a/src/lib/krb5/os/changepw.c +++ b/src/lib/krb5/os/changepw.c @@ -59,13 +59,12 @@ struct sendto_callback_context { static krb5_error_code locate_kpasswd(krb5_context context, const krb5_data *realm, - struct serverlist *serverlist, krb5_boolean no_udp) + struct serverlist *serverlist) { krb5_error_code code; code = k5_locate_server(context, realm, serverlist, locate_service_kpasswd, - no_udp); - + FALSE); if (code == KRB5_REALM_CANT_RESOLVE || code == KRB5_REALM_UNKNOWN) { code = k5_locate_server(context, realm, serverlist, locate_service_kadmin, TRUE); @@ -76,7 +75,7 @@ locate_kpasswd(krb5_context context, const krb5_data *realm, for (i = 0; i < serverlist->nservers; i++) { struct server_entry *s = &serverlist->servers[i]; - if (!no_udp && s->transport == TCP) + if (s->transport == TCP) s->transport = TCP_OR_UDP; if (s->hostname != NULL) s->port = DEFAULT_KPASSWD_PORT; @@ -214,7 +213,6 @@ change_set_password(krb5_context context, krb5_data *result_string) { krb5_data chpw_rep; - krb5_boolean no_udp = FALSE; GETSOCKNAME_ARG3_TYPE addrlen; krb5_error_code code = 0; char *code_string; @@ -246,73 +244,49 @@ change_set_password(krb5_context context, callback_ctx.remote_seq_num = callback_ctx.auth_context->remote_seq_number; callback_ctx.local_seq_num = callback_ctx.auth_context->local_seq_number; - do { - k5_transport_strategy strategy = no_udp ? NO_UDP : UDP_FIRST; + code = locate_kpasswd(callback_ctx.context, &creds->server->realm, &sl); + if (code) + goto cleanup; - code = locate_kpasswd(callback_ctx.context, &creds->server->realm, &sl, - no_udp); - if (code) - break; - - addrlen = sizeof(remote_addr); - - callback_info.data = &callback_ctx; - callback_info.pfn_callback = kpasswd_sendto_msg_callback; - callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup; - krb5_free_data_contents(callback_ctx.context, &chpw_rep); - - code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, - &sl, strategy, &callback_info, &chpw_rep, - ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); - if (code) { - /* - * Here we may want to switch to TCP on some errors. - * right? - */ - break; - } + addrlen = sizeof(remote_addr); - code = krb5int_rd_chpw_rep(callback_ctx.context, - callback_ctx.auth_context, - &chpw_rep, &local_result_code, - result_string); + callback_info.data = &callback_ctx; + callback_info.pfn_callback = kpasswd_sendto_msg_callback; + callback_info.pfn_cleanup = kpasswd_sendto_msg_cleanup; + krb5_free_data_contents(callback_ctx.context, &chpw_rep); - if (code) { - if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !no_udp) { - k5_free_serverlist(&sl); - no_udp = 1; - continue; - } + code = k5_sendto(callback_ctx.context, NULL, &creds->server->realm, + &sl, UDP_LAST, &callback_info, &chpw_rep, + ss2sa(&remote_addr), &addrlen, NULL, NULL, NULL); + if (code) + goto cleanup; - break; - } + code = krb5int_rd_chpw_rep(callback_ctx.context, + callback_ctx.auth_context, + &chpw_rep, &local_result_code, + result_string); - if (result_code) - *result_code = local_result_code; - - if (result_code_string) { - code = krb5_chpw_result_code_string(callback_ctx.context, - local_result_code, - &code_string); - if (code) - goto cleanup; - - result_code_string->length = strlen(code_string); - result_code_string->data = malloc(result_code_string->length); - if (result_code_string->data == NULL) { - code = ENOMEM; - goto cleanup; - } - strncpy(result_code_string->data, code_string, result_code_string->length); - } + if (code) + goto cleanup; + + if (result_code) + *result_code = local_result_code; - if (code == KRB5KRB_ERR_RESPONSE_TOO_BIG && !no_udp) { - k5_free_serverlist(&sl); - no_udp = 1; - } else { - break; + if (result_code_string) { + code = krb5_chpw_result_code_string(callback_ctx.context, + local_result_code, + &code_string); + if (code) + goto cleanup; + + result_code_string->length = strlen(code_string); + result_code_string->data = malloc(result_code_string->length); + if (result_code_string->data == NULL) { + code = ENOMEM; + goto cleanup; } - } while (TRUE); + strncpy(result_code_string->data, code_string, result_code_string->length); + } cleanup: if (callback_ctx.auth_context != NULL) diff --git a/src/lib/krb5/os/deps b/src/lib/krb5/os/deps index c09087d..9e4e210 100644 --- a/src/lib/krb5/os/deps +++ b/src/lib/krb5/os/deps @@ -163,7 +163,7 @@ hostrealm_dns.so hostrealm_dns.po $(OUTPRE)hostrealm_dns.$(OBJEXT): \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/hostrealm_plugin.h \ $(top_srcdir)/include/krb5/locate_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - dnsglue.h hostrealm_dns.c os-proto.h + hostrealm_dns.c os-proto.h hostrealm_domain.so hostrealm_domain.po $(OUTPRE)hostrealm_domain.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ @@ -329,8 +329,7 @@ locate_kdc.so locate_kdc.po $(OUTPRE)locate_kdc.$(OBJEXT): \ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/locate_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h dnsglue.h locate_kdc.c \ - os-proto.h + $(top_srcdir)/include/socket-utils.h locate_kdc.c os-proto.h lock_file.so lock_file.po $(OUTPRE)lock_file.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ diff --git a/src/lib/krb5/os/dnsglue.c b/src/lib/krb5/os/dnsglue.c index 1a259b3..59ff929 100644 --- a/src/lib/krb5/os/dnsglue.c +++ b/src/lib/krb5/os/dnsglue.c @@ -24,9 +24,13 @@ * or implied warranty. */ -#include "autoconf.h" +#include "k5-int.h" +#include "os-proto.h" + #ifdef KRB5_DNS_LOOKUP +#ifndef _WIN32 + #include "dnsglue.h" #ifdef __APPLE__ #include @@ -73,7 +77,7 @@ static int initparse(struct krb5int_dns_state *); #if defined(__APPLE__) -/* Use the OS X interfaces dns_open, dns_search, and dns_free. */ +/* Use the macOS interfaces dns_open, dns_search, and dns_free. */ #define DECLARE_HANDLE(h) dns_handle_t h #define INIT_HANDLE(h) ((h = dns_open(NULL)) != NULL) #define SEARCH(h, n, c, t, a, l) dns_search(h, n, c, t, a, l, NULL, NULL) @@ -352,51 +356,105 @@ out: return -1; } -#endif +#endif /* !HAVE_NS_INITPARSE */ +#endif /* not _WIN32 */ + +/* Construct a DNS label of the form "prefix[.name.]". name may be NULL. */ +static char * +txt_lookup_name(const char *prefix, const char *name) +{ + struct k5buf buf; + + k5_buf_init_dynamic(&buf); + + if (name == NULL || name[0] == '\0') { + k5_buf_add(&buf, prefix); + } else { + k5_buf_add_fmt(&buf, "%s.%s", prefix, name); + + /* + * Realm names don't (normally) end with ".", but if the query doesn't + * end with "." and doesn't get an answer as is, the resolv code will + * try appending the local domain. Since the realm names are + * absolutes, let's stop that. + * + * But only if a name has been specified. If we are performing a + * search on the prefix alone then the intention is to allow the local + * domain or domain search lists to be expanded. + */ + + if (buf.len > 0 && ((char *)buf.data)[buf.len - 1] != '.') + k5_buf_add(&buf, "."); + } + + return buf.data; +} /* * Try to look up a TXT record pointing to a Kerberos realm */ +#ifdef _WIN32 + +#include + +krb5_error_code +k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name, + char **realm) +{ + krb5_error_code ret = 0; + char *txtname = NULL; + PDNS_RECORD rr = NULL; + DNS_STATUS st; + + *realm = NULL; + + txtname = txt_lookup_name(prefix, name); + if (txtname == NULL) + return ENOMEM; + + st = DnsQuery_UTF8(txtname, DNS_TYPE_TEXT, DNS_QUERY_STANDARD, NULL, + &rr, NULL); + if (st != ERROR_SUCCESS || rr == NULL) { + TRACE_TXT_LOOKUP_NOTFOUND(context, txtname); + ret = KRB5_ERR_HOST_REALM_UNKNOWN; + goto cleanup; + } + + *realm = strdup(rr->Data.TXT.pStringArray[0]); + if (*realm == NULL) + ret = ENOMEM; + TRACE_TXT_LOOKUP_SUCCESS(context, txtname, *realm); + +cleanup: + free(txtname); + if (rr != NULL) + DnsRecordListFree(rr, DnsFreeRecordList); + return ret; +} + +#else /* _WIN32 */ + krb5_error_code k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name, char **realm) { krb5_error_code retval = KRB5_ERR_HOST_REALM_UNKNOWN; const unsigned char *p, *base; - char host[MAXDNAME]; + char *txtname = NULL; int ret, rdlen, len; struct krb5int_dns_state *ds = NULL; - struct k5buf buf; /* * Form our query, and send it via DNS */ - k5_buf_init_fixed(&buf, host, sizeof(host)); - if (name == NULL || name[0] == '\0') { - k5_buf_add(&buf, prefix); - } else { - k5_buf_add_fmt(&buf, "%s.%s", prefix, name); - - /* Realm names don't (normally) end with ".", but if the query - doesn't end with "." and doesn't get an answer as is, the - resolv code will try appending the local domain. Since the - realm names are absolutes, let's stop that. - - But only if a name has been specified. If we are performing - a search on the prefix alone then the intention is to allow - the local domain or domain search lists to be expanded. - */ - - if (buf.len > 0 && host[buf.len - 1] != '.') - k5_buf_add(&buf, "."); - } - if (k5_buf_status(&buf) != 0) - return KRB5_ERR_HOST_REALM_UNKNOWN; - ret = krb5int_dns_init(&ds, host, C_IN, T_TXT); + txtname = txt_lookup_name(prefix, name); + if (txtname == NULL) + return ENOMEM; + ret = krb5int_dns_init(&ds, txtname, C_IN, T_TXT); if (ret < 0) { - TRACE_TXT_LOOKUP_NOTFOUND(context, host); + TRACE_TXT_LOOKUP_NOTFOUND(context, txtname); goto errout; } @@ -419,14 +477,13 @@ k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name, if ( (*realm)[len-1] == '.' ) (*realm)[len-1] = '\0'; retval = 0; - TRACE_TXT_LOOKUP_SUCCESS(context, host, *realm); + TRACE_TXT_LOOKUP_SUCCESS(context, txtname, *realm); errout: - if (ds != NULL) { - krb5int_dns_fini(ds); - ds = NULL; - } + krb5int_dns_fini(ds); + free(txtname); return retval; } +#endif /* not _WIN32 */ #endif /* KRB5_DNS_LOOKUP */ diff --git a/src/lib/krb5/os/dnsglue.h b/src/lib/krb5/os/dnsglue.h index 27147a6..9e98735 100644 --- a/src/lib/krb5/os/dnsglue.h +++ b/src/lib/krb5/os/dnsglue.h @@ -26,16 +26,17 @@ /* * Glue layer for DNS resolver, to make parsing of replies easier - * whether we are using BIND 4, 8, or 9. + * whether we are using BIND 4, 8, or 9. This header is not used on + * Windows. */ /* * BIND 4 doesn't have the ns_initparse() API, so we need to do some * manual parsing via the HEADER struct. BIND 8 does have * ns_initparse(), but has enums for the various protocol constants - * rather than the BIND 4 macros. BIND 9 (at least on Mac OS X - * Panther) appears to disable res_nsearch() if BIND_8_COMPAT is - * defined (which is necessary to obtain the HEADER struct). + * rather than the BIND 4 macros. BIND 9 (at least on macOS 10.3) + * appears to disable res_nsearch() if BIND_8_COMPAT is defined + * (which is necessary to obtain the HEADER struct). * * We use ns_initparse() if available at all, and never define * BIND_8_COMPAT. If there is no ns_initparse(), we do manual parsing @@ -50,24 +51,16 @@ #include "k5-int.h" #include "os-proto.h" -#ifdef WSHELPER -#include -#else /* WSHELPER */ #include #include #include #include #include -#endif /* WSHELPER */ #if HAVE_SYS_PARAM_H #include /* for MAXHOSTNAMELEN */ #endif -#ifndef MAXHOSTNAMELEN -#define MAXHOSTNAMELEN 64 /* if we can't find it elswhere */ -#endif - #ifndef MAXDNAME #ifdef NS_MAXDNAME @@ -159,23 +152,5 @@ int krb5int_dns_expand(struct krb5int_dns_state *, const unsigned char *, char *, int); void krb5int_dns_fini(struct krb5int_dns_state *); -struct srv_dns_entry { - struct srv_dns_entry *next; - int priority; - int weight; - unsigned short port; - char *host; -}; - -krb5_error_code krb5int_make_srv_query_realm(const krb5_data *realm, - const char *service, - const char *protocol, - struct srv_dns_entry **answers); -void krb5int_free_srv_dns_data(struct srv_dns_entry *); - -krb5_error_code -k5_make_uri_query(const krb5_data *realm, const char *service, - struct srv_dns_entry **answers); - #endif /* KRB5_DNS_LOOKUP */ #endif /* !defined(KRB5_DNSGLUE_H) */ diff --git a/src/lib/krb5/os/dnssrv.c b/src/lib/krb5/os/dnssrv.c index 76f5b63..02ba879 100644 --- a/src/lib/krb5/os/dnssrv.c +++ b/src/lib/krb5/os/dnssrv.c @@ -26,8 +26,8 @@ #include "autoconf.h" #ifdef KRB5_DNS_LOOKUP - -#include "dnsglue.h" +#include "k5-int.h" +#include "os-proto.h" /* * Lookup a KDC via DNS SRV records @@ -45,18 +45,18 @@ krb5int_free_srv_dns_data (struct srv_dns_entry *p) } } -/* Construct a DNS label of the form "service.[protocol.]realm.", placing the - * result into fixed_buf. protocol may be NULL. */ -static krb5_error_code -prepare_lookup_buf(const krb5_data *realm, const char *service, - const char *protocol, char *fixed_buf, size_t bufsize) +/* Construct a DNS label of the form "service.[protocol.]realm.". protocol may + * be NULL. */ +static char * +make_lookup_name(const krb5_data *realm, const char *service, + const char *protocol) { struct k5buf buf; if (memchr(realm->data, 0, realm->length)) - return EINVAL; + return NULL; - k5_buf_init_fixed(&buf, fixed_buf, bufsize); + k5_buf_init_dynamic(&buf); k5_buf_add_fmt(&buf, "%s.", service); if (protocol != NULL) k5_buf_add_fmt(&buf, "%s.", protocol); @@ -72,7 +72,7 @@ prepare_lookup_buf(const krb5_data *realm, const char *service, if (buf.len > 0 && ((char *)buf.data)[buf.len - 1] != '.') k5_buf_add(&buf, "."); - return k5_buf_status(&buf); + return buf.data; } /* Insert new into the list *head, ordering by priority. Weight is not @@ -102,13 +102,84 @@ place_srv_entry(struct srv_dns_entry **head, struct srv_dns_entry *new) } } +#ifdef _WIN32 + +#include + +krb5_error_code +k5_make_uri_query(krb5_context context, const krb5_data *realm, + const char *service, struct srv_dns_entry **answers) +{ + /* Windows does not currently support the URI record type or make it + * possible to query for a record type it does not have support for. */ + *answers = NULL; + return 0; +} + +krb5_error_code +krb5int_make_srv_query_realm(krb5_context context, const krb5_data *realm, + const char *service, const char *protocol, + struct srv_dns_entry **answers) +{ + char *name = NULL; + DNS_STATUS st; + PDNS_RECORD records, rr; + struct srv_dns_entry *head = NULL, *srv = NULL; + + *answers = NULL; + + name = make_lookup_name(realm, service, protocol); + if (name == NULL) + return 0; + + TRACE_DNS_SRV_SEND(context, name); + + st = DnsQuery_UTF8(name, DNS_TYPE_SRV, DNS_QUERY_STANDARD, NULL, &records, + NULL); + if (st != ERROR_SUCCESS) + return 0; + + for (rr = records; rr != NULL; rr = rr->pNext) { + if (rr->wType != DNS_TYPE_SRV) + continue; + + srv = malloc(sizeof(struct srv_dns_entry)); + if (srv == NULL) + goto cleanup; + + srv->priority = rr->Data.SRV.wPriority; + srv->weight = rr->Data.SRV.wWeight; + srv->port = rr->Data.SRV.wPort; + /* Make sure the name looks fully qualified to the resolver. */ + if (asprintf(&srv->host, "%s.", rr->Data.SRV.pNameTarget) < 0) { + free(srv); + goto cleanup; + } + + TRACE_DNS_SRV_ANS(context, srv->host, srv->port, srv->priority, + srv->weight); + place_srv_entry(&head, srv); + } + +cleanup: + free(name); + if (records != NULL) + DnsRecordListFree(records, DnsFreeRecordList); + *answers = head; + return 0; +} + +#else /* _WIN32 */ + +#include "dnsglue.h" + /* Query the URI RR, collecting weight, priority, and target. */ krb5_error_code -k5_make_uri_query(const krb5_data *realm, const char *service, - struct srv_dns_entry **answers) +k5_make_uri_query(krb5_context context, const krb5_data *realm, + const char *service, struct srv_dns_entry **answers) { const unsigned char *p = NULL, *base = NULL; - char host[MAXDNAME]; + char *name = NULL; int size, ret, rdlen; unsigned short priority, weight; struct krb5int_dns_state *ds = NULL; @@ -117,11 +188,13 @@ k5_make_uri_query(const krb5_data *realm, const char *service, *answers = NULL; /* Construct service.realm. */ - ret = prepare_lookup_buf(realm, service, NULL, host, sizeof(host)); - if (ret) + name = make_lookup_name(realm, service, NULL); + if (name == NULL) return 0; - size = krb5int_dns_init(&ds, host, C_IN, T_URI); + TRACE_DNS_URI_SEND(context, name); + + size = krb5int_dns_init(&ds, name, C_IN, T_URI); if (size < 0) goto out; @@ -148,11 +221,13 @@ k5_make_uri_query(const krb5_data *realm, const char *service, goto out; } + TRACE_DNS_URI_ANS(context, uri->host, uri->priority, uri->weight); place_srv_entry(&head, uri); } out: krb5int_dns_fini(ds); + free(name); *answers = head; return 0; } @@ -165,13 +240,12 @@ out: */ krb5_error_code -krb5int_make_srv_query_realm(const krb5_data *realm, - const char *service, - const char *protocol, +krb5int_make_srv_query_realm(krb5_context context, const krb5_data *realm, + const char *service, const char *protocol, struct srv_dns_entry **answers) { const unsigned char *p = NULL, *base = NULL; - char host[MAXDNAME]; + char *name = NULL, host[MAXDNAME]; int size, ret, rdlen, nlen; unsigned short priority, weight, port; struct krb5int_dns_state *ds = NULL; @@ -188,15 +262,13 @@ krb5int_make_srv_query_realm(const krb5_data *realm, * */ - ret = prepare_lookup_buf(realm, service, protocol, host, sizeof(host)); - if (ret) + name = make_lookup_name(realm, service, protocol); + if (name == NULL) return 0; -#ifdef TEST - fprintf(stderr, "sending DNS SRV query for %s\n", host); -#endif + TRACE_DNS_SRV_SEND(context, name); - size = krb5int_dns_init(&ds, host, C_IN, T_SRV); + size = krb5int_dns_init(&ds, name, C_IN, T_SRV); if (size < 0) goto out; @@ -239,12 +311,17 @@ krb5int_make_srv_query_realm(const krb5_data *realm, goto out; } + TRACE_DNS_SRV_ANS(context, srv->host, srv->port, srv->priority, + srv->weight); place_srv_entry(&head, srv); } out: krb5int_dns_fini(ds); + free(name); *answers = head; return 0; } -#endif + +#endif /* not _WIN32 */ +#endif /* KRB5_DNS_LOOKUP */ diff --git a/src/lib/krb5/os/expand_path.c b/src/lib/krb5/os/expand_path.c index a8a14f4..61fb234 100644 --- a/src/lib/krb5/os/expand_path.c +++ b/src/lib/krb5/os/expand_path.c @@ -351,7 +351,7 @@ expand_null(krb5_context context, PTYPE param, const char *postfix, char **ret) return 0; } -static const struct token { +static const struct { const char *tok; PTYPE param; const char *postfix; diff --git a/src/lib/krb5/os/full_ipadr.c b/src/lib/krb5/os/full_ipadr.c index 0863cab..61fc74b 100644 --- a/src/lib/krb5/os/full_ipadr.c +++ b/src/lib/krb5/os/full_ipadr.c @@ -36,8 +36,8 @@ krb5_make_full_ipaddr(krb5_context context, krb5_int32 adr, { unsigned long smushaddr = (unsigned long) adr; /* already in net order */ unsigned short smushport = (unsigned short) port; /* ditto */ - register krb5_address *retaddr; - register krb5_octet *marshal; + krb5_address *retaddr; + krb5_octet *marshal; krb5_addrtype temptype; krb5_int32 templength; diff --git a/src/lib/krb5/os/genaddrs.c b/src/lib/krb5/os/genaddrs.c index 5ef7af5..c818fdb 100644 --- a/src/lib/krb5/os/genaddrs.c +++ b/src/lib/krb5/os/genaddrs.c @@ -79,8 +79,8 @@ krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int ssize = sizeof(struct sockaddr_storage); if ((flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR) || (flags & KRB5_AUTH_CONTEXT_GENERATE_LOCAL_ADDR)) { - if ((retval = getsockname(fd, (GETSOCKNAME_ARG2_TYPE *) &lsaddr, - &ssize))) + retval = getsockname(fd, ss2sa(&lsaddr), &ssize); + if (retval) return retval; if (cvtaddr (&lsaddr, &laddrs)) { @@ -99,8 +99,8 @@ krb5_auth_con_genaddrs(krb5_context context, krb5_auth_context auth_context, int ssize = sizeof(struct sockaddr_storage); if ((flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR) || (flags & KRB5_AUTH_CONTEXT_GENERATE_REMOTE_ADDR)) { - if ((retval = getpeername(fd, (GETPEERNAME_ARG2_TYPE *) &rsaddr, - &ssize))) + retval = getpeername(fd, ss2sa(&rsaddr), &ssize); + if (retval) return errno; if (cvtaddr (&rsaddr, &raddrs)) { diff --git a/src/lib/krb5/os/hostaddr.c b/src/lib/krb5/os/hostaddr.c index 22f6ad6..129a4ad 100644 --- a/src/lib/krb5/os/hostaddr.c +++ b/src/lib/krb5/os/hostaddr.c @@ -34,9 +34,9 @@ k5_os_hostaddr(krb5_context context, const char *name, krb5_address ***ret_addrs) { krb5_error_code retval; - krb5_address **addrs; + krb5_address **addrs = NULL; int i, j, r; - struct addrinfo hints, *ai, *aip; + struct addrinfo hints, *ai = NULL, *aip; if (!name) return KRB5_ERR_BAD_HOSTNAME; @@ -68,9 +68,9 @@ k5_os_hostaddr(krb5_context context, const char *name, } } - addrs = malloc ((i+1) * sizeof(*addrs)); - if (!addrs) - return ENOMEM; + addrs = k5calloc(i + 1, sizeof(*addrs), &retval); + if (addrs == NULL) + goto errout; for (j = 0; j < i + 1; j++) addrs[j] = 0; @@ -83,12 +83,12 @@ k5_os_hostaddr(krb5_context context, const char *name, switch (aip->ai_addr->sa_family) { case AF_INET: addrlen = sizeof (struct in_addr); - ptr = &((struct sockaddr_in *)aip->ai_addr)->sin_addr; + ptr = &sa2sin(aip->ai_addr)->sin_addr; atype = ADDRTYPE_INET; break; case AF_INET6: addrlen = sizeof (struct in6_addr); - ptr = &((struct sockaddr_in6 *)aip->ai_addr)->sin6_addr; + ptr = &sa2sin6(aip->ai_addr)->sin6_addr; atype = ADDRTYPE_INET6; break; default: diff --git a/src/lib/krb5/os/hostrealm.c b/src/lib/krb5/os/hostrealm.c index 78d6c5d..fcab360 100644 --- a/src/lib/krb5/os/hostrealm.c +++ b/src/lib/krb5/os/hostrealm.c @@ -254,13 +254,15 @@ translate_gai_error(int num) /* Get the canonical form of the local host name, using forward * canonicalization only. */ krb5_error_code -krb5int_get_fq_local_hostname(char *buf, size_t bufsize) +krb5int_get_fq_local_hostname(char **hostname_out) { struct addrinfo *ai, hints; + char buf[MAXHOSTNAMELEN]; int err; - buf[0] = '\0'; - if (gethostname(buf, bufsize) == -1) + *hostname_out = NULL; + + if (gethostname(buf, sizeof(buf)) == -1) return SOCKET_ERRNO; memset(&hints, 0, sizeof(hints)); @@ -272,26 +274,26 @@ krb5int_get_fq_local_hostname(char *buf, size_t bufsize) freeaddrinfo(ai); return KRB5_EAI_FAIL; } - if (strlcpy(buf, ai->ai_canonname, bufsize) >= bufsize) - return ENOMEM; + *hostname_out = strdup(ai->ai_canonname); freeaddrinfo(ai); - return 0; + return (*hostname_out == NULL) ? ENOMEM : 0; } -krb5_error_code -k5_clean_hostname(krb5_context context, const char *host, char *cleanname, - size_t lhsize) +static krb5_error_code +clean_hostname(krb5_context context, const char *host, char **cleanname_out) { - char *p; + char *p, *cleanname; krb5_error_code ret; size_t l; - cleanname[0] = '\0'; + *cleanname_out = NULL; + if (host != NULL) { - if (strlcpy(cleanname, host, lhsize) >= lhsize) + cleanname = strdup(host); + if (cleanname == NULL) return ENOMEM; } else { - ret = krb5int_get_fq_local_hostname(cleanname, lhsize); + ret = krb5int_get_fq_local_hostname(&cleanname); if (ret) return ret; } @@ -307,6 +309,7 @@ k5_clean_hostname(krb5_context context, const char *host, char *cleanname, if (l > 0 && cleanname[l - 1] == '.') cleanname[l - 1] = '\0'; + *cleanname_out = cleanname; return 0; } @@ -359,19 +362,19 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realms_out) { krb5_error_code ret; struct hostrealm_module_handle **hp; - char **realms, cleanname[1024]; + char **realms, *cleanname = NULL; *realms_out = NULL; if (context->hostrealm_handles == NULL) { ret = load_hostrealm_modules(context); if (ret) - return ret; + goto cleanup; } - ret = k5_clean_hostname(context, host, cleanname, sizeof(cleanname)); + ret = clean_hostname(context, host, &cleanname); if (ret) - return ret; + goto cleanup; /* Give each module a chance to determine the host's realms. */ for (hp = context->hostrealm_handles; *hp != NULL; hp++) { @@ -379,15 +382,19 @@ krb5_get_host_realm(krb5_context context, const char *host, char ***realms_out) if (ret == 0) { ret = copy_list(realms, realms_out); free_list(context, *hp, realms); - return ret; + goto cleanup; } else if (ret != KRB5_PLUGIN_NO_HANDLE) { - return ret; + goto cleanup; } } /* Return a list containing the "referral realm" (an empty realm), as a * cue to try referrals. */ - return k5_make_realmlist(KRB5_REFERRAL_REALM, realms_out); + ret = k5_make_realmlist(KRB5_REFERRAL_REALM, realms_out); + +cleanup: + free(cleanname); + return ret; } krb5_error_code KRB5_CALLCONV @@ -396,23 +403,23 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, { krb5_error_code ret; struct hostrealm_module_handle **hp; - char **realms, *defrealm, *host, cleanname[1024]; + char **realms, *defrealm, *host, *cleanname = NULL; *realms_out = NULL; /* Convert hdata into a string and clean it. */ host = k5memdup0(hdata->data, hdata->length, &ret); if (host == NULL) - return ret; - ret = k5_clean_hostname(context, host, cleanname, sizeof(cleanname)); + goto cleanup; + ret = clean_hostname(context, host, &cleanname); free(host); if (ret) - return ret; + goto cleanup; if (context->hostrealm_handles == NULL) { ret = load_hostrealm_modules(context); if (ret) - return ret; + goto cleanup; } /* Give each module a chance to determine the fallback realms. */ @@ -421,18 +428,21 @@ krb5_get_fallback_host_realm(krb5_context context, krb5_data *hdata, if (ret == 0) { ret = copy_list(realms, realms_out); free_list(context, *hp, realms); - return ret; + goto cleanup; } else if (ret != KRB5_PLUGIN_NO_HANDLE) { - return ret; + goto cleanup; } } /* Return a list containing the default realm. */ ret = krb5_get_default_realm(context, &defrealm); if (ret) - return ret; + goto cleanup; ret = k5_make_realmlist(defrealm, realms_out); krb5_free_default_realm(context, defrealm); + +cleanup: + free(cleanname); return ret; } diff --git a/src/lib/krb5/os/hostrealm_dns.c b/src/lib/krb5/os/hostrealm_dns.c index 7f017a8..a55a12c 100644 --- a/src/lib/krb5/os/hostrealm_dns.c +++ b/src/lib/krb5/os/hostrealm_dns.c @@ -41,7 +41,6 @@ #include #ifdef KRB5_DNS_LOOKUP -#include "dnsglue.h" /* Try a _kerberos TXT lookup for fqdn and each parent domain; return the * resulting realm (caller must free) or NULL. */ @@ -85,19 +84,20 @@ dns_default_realm(krb5_context context, krb5_hostrealm_moddata data, char ***realms_out) { krb5_error_code ret; - char localhost[MAXDNAME + 1], *realm; + char *localhost, *realm; *realms_out = NULL; if (!_krb5_use_dns_realm(context)) return KRB5_PLUGIN_NO_HANDLE; - ret = krb5int_get_fq_local_hostname(localhost, sizeof(localhost)); + ret = krb5int_get_fq_local_hostname(&localhost); if (ret) return ret; /* If we don't find a TXT record for localhost or any parent, look for a * global record. */ realm = txt_lookup(context, localhost); + free(localhost); if (realm == NULL) (void)k5_try_realm_txt_rr(context, "_kerberos", NULL, &realm); diff --git a/src/lib/krb5/os/hostrealm_domain.c b/src/lib/krb5/os/hostrealm_domain.c index 2228df0..c3d31c7 100644 --- a/src/lib/krb5/os/hostrealm_domain.c +++ b/src/lib/krb5/os/hostrealm_domain.c @@ -81,7 +81,7 @@ domain_fallback_realm(krb5_context context, krb5_hostrealm_moddata data, ret = profile_get_integer(context->profile, KRB5_CONF_LIBDEFAULTS, KRB5_CONF_REALM_TRY_DOMAINS, 0, -1, &limit); if (ret) - return ret; + goto cleanup; suffix = uhost; while (limit-- >= 0 && (dot = strchr(suffix, '.')) != NULL) { drealm = string2data((char *)suffix); diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c index 9f77652..92d765f 100644 --- a/src/lib/krb5/os/localaddr.c +++ b/src/lib/krb5/os/localaddr.c @@ -181,11 +181,11 @@ is_loopback_address(struct sockaddr *sa) { switch (sa->sa_family) { case AF_INET: { - struct sockaddr_in *s4 = (struct sockaddr_in *)sa; + struct sockaddr_in *s4 = sa2sin(sa); return s4->sin_addr.s_addr == htonl(INADDR_LOOPBACK); } case AF_INET6: { - struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)sa; + struct sockaddr_in6 *s6 = sa2sin6(sa); return IN6_IS_ADDR_LOOPBACK(&s6->sin6_addr); } default: @@ -239,16 +239,17 @@ printifaddr(struct ifaddrs *ifp) #include static int -addr_eq (const struct sockaddr *s1, const struct sockaddr *s2) +addr_eq (struct sockaddr *s1, struct sockaddr *s2) { if (s1->sa_family != s2->sa_family) return 0; -#define CMPTYPE(T,F) (!memcmp(&((const T*)s1)->F,&((const T*)s2)->F,sizeof(((const T*)s1)->F))) switch (s1->sa_family) { case AF_INET: - return CMPTYPE (struct sockaddr_in, sin_addr); + return !memcmp(&sa2sin(s1)->sin_addr, &sa2sin(s2)->sin_addr, + sizeof(sa2sin(s1)->sin_addr)); case AF_INET6: - return CMPTYPE (struct sockaddr_in6, sin6_addr); + return !memcmp(&sa2sin6(s1)->sin6_addr, &sa2sin6(s2)->sin6_addr, + sizeof(sa2sin6(s1)->sin6_addr)); default: /* Err on side of duplicate listings. */ return 0; @@ -391,20 +392,6 @@ get_linux_ipv6_addrs () a6.s6_addr[i] = addrbyte[i]; if (scope != 0) continue; -#if 0 /* These symbol names are as used by ifconfig, but none of the - system header files export them. Dig up the kernel versions - someday and see if they're exported. */ - switch (scope) { - case 0: - default: - break; - case IPV6_ADDR_LINKLOCAL: - case IPV6_ADDR_SITELOCAL: - case IPV6_ADDR_COMPATv4: - case IPV6_ADDR_LOOPBACK: - continue; - } -#endif nw = calloc (1, sizeof (struct linux_ipv6_addr_list)); if (nw == 0) continue; @@ -861,6 +848,9 @@ get_ifreq_array(char **bufp, size_t *np, int s) int numifs = -1; #endif + *bufp = NULL; + *np = 0; + /* At least on NetBSD, an ifreq can hold an IPv4 address, but isn't big enough for an IPv6 or ethernet address. So add a little more space. */ @@ -937,9 +927,9 @@ foreach_localaddr (/*@null@*/ void *data, #endif { struct ifreq *ifr, ifreq, *ifr2; - int s, code; + int s; char *buf = 0; - size_t size, n, i, j; + size_t n, i, j; int retval = 0; #ifdef LINUX_IPV6_HACK struct linux_ipv6_addr_list *linux_ipv6_addrs = get_linux_ipv6_addrs (); @@ -1183,14 +1173,14 @@ add_addr (void *P_data, struct sockaddr *a) #ifdef HAVE_NETINET_IN_H case AF_INET: address = make_addr (ADDRTYPE_INET, sizeof (struct in_addr), - &((const struct sockaddr_in *) a)->sin_addr); + &sa2sin(a)->sin_addr); if (address == NULL) data->mem_err++; break; case AF_INET6: { - const struct sockaddr_in6 *in = (const struct sockaddr_in6 *) a; + const struct sockaddr_in6 *in = sa2sin6(a); if (IN6_IS_ADDR_LINKLOCAL (&in->sin6_addr)) break; @@ -1327,14 +1317,6 @@ krb5_os_localaddr(krb5_context context, krb5_address ***addr) return get_localaddrs(context, addr, 1); } -#if 0 /* not actually used anywhere currently */ -krb5_error_code -krb5int_local_addresses(krb5_context context, krb5_address ***addr) -{ - return get_localaddrs(context, addr, 0); -} -#endif - static krb5_error_code get_localaddrs (krb5_context context, krb5_address ***addr, int use_profile) { diff --git a/src/lib/krb5/os/localauth_rule.c b/src/lib/krb5/os/localauth_rule.c index 8522108..8be29c4 100644 --- a/src/lib/krb5/os/localauth_rule.c +++ b/src/lib/krb5/os/localauth_rule.c @@ -146,7 +146,7 @@ aname_replacer(const char *string, const char **contextp, char **result) { krb5_error_code ret = 0; const char *cp, *ep, *tp; - char *current, *newstr, *rule = NULL, *repl = NULL; + char *newstr, *rule = NULL, *repl = NULL, *current = NULL; krb5_boolean doglobal; *result = NULL; @@ -192,8 +192,10 @@ aname_replacer(const char *string, const char **contextp, char **result) current = newstr; } *result = current; + current = NULL; cleanup: + free(current); free(repl); free(rule); return ret; diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c index 014ec6e..c32a967 100644 --- a/src/lib/krb5/os/locate_kdc.c +++ b/src/lib/krb5/os/locate_kdc.c @@ -27,17 +27,8 @@ #include "k5-int.h" #include "fake-addrinfo.h" #include "os-proto.h" + #ifdef KRB5_DNS_LOOKUP -#ifdef WSHELPER -#include -#else /* WSHELPER */ -#include -#include -#include -#include -#include -#endif /* WSHELPER */ -#include "dnsglue.h" #define DEFAULT_LOOKUP_KDC 1 #if KRB5_DNS_LOOKUP_REALM @@ -313,14 +304,16 @@ krb5_locate_srv_conf(krb5_context context, const krb5_data *realm, #ifdef KRB5_DNS_LOOKUP static krb5_error_code -locate_srv_dns_1(const krb5_data *realm, const char *service, - const char *protocol, struct serverlist *serverlist) +locate_srv_dns_1(krb5_context context, const krb5_data *realm, + const char *service, const char *protocol, + struct serverlist *serverlist) { struct srv_dns_entry *head = NULL, *entry = NULL; krb5_error_code code = 0; k5_transport transport; - code = krb5int_make_srv_query_realm(realm, service, protocol, &head); + code = krb5int_make_srv_query_realm(context, realm, service, protocol, + &head); if (code) return 0; @@ -598,9 +591,10 @@ parse_uri_fields(const char *uri, k5_transport *transport_out, * and transport type. Problematic entries are skipped. */ static krb5_error_code -locate_uri(const krb5_data *realm, const char *req_service, - struct serverlist *serverlist, k5_transport req_transport, - int default_port, krb5_boolean master_only) +locate_uri(krb5_context context, const krb5_data *realm, + const char *req_service, struct serverlist *serverlist, + k5_transport req_transport, int default_port, + krb5_boolean master_only) { krb5_error_code ret; k5_transport transport, host_trans; @@ -609,7 +603,7 @@ locate_uri(const krb5_data *realm, const char *req_service, const char *host_field, *path; int port, def_port, master; - ret = k5_make_uri_query(realm, req_service, &answers); + ret = k5_make_uri_query(context, realm, req_service, &answers); if (ret || answers == NULL) return ret; @@ -688,10 +682,11 @@ dns_locate_server_uri(krb5_context context, const krb5_data *realm, return 0; } - ret = locate_uri(realm, svcname, serverlist, transport, def_port, + ret = locate_uri(context, realm, svcname, serverlist, transport, def_port, find_master); - if (ret) - Tprintf("dns URI lookup returned error %d\n", ret); + + if (serverlist->nservers == 0) + TRACE_DNS_URI_NOTFOUND(context); return ret; } @@ -729,16 +724,15 @@ dns_locate_server_srv(krb5_context context, const krb5_data *realm, } code = 0; - if (transport == UDP || transport == TCP_OR_UDP) { - code = locate_srv_dns_1(realm, dnsname, "_udp", serverlist); - if (code) - Tprintf("dns udp lookup returned error %d\n", code); - } - if ((transport == TCP || transport == TCP_OR_UDP) && code == 0) { - code = locate_srv_dns_1(realm, dnsname, "_tcp", serverlist); - if (code) - Tprintf("dns tcp lookup returned error %d\n", code); - } + if (transport == UDP || transport == TCP_OR_UDP) + code = locate_srv_dns_1(context, realm, dnsname, "_udp", serverlist); + + if ((transport == TCP || transport == TCP_OR_UDP) && code == 0) + code = locate_srv_dns_1(context, realm, dnsname, "_tcp", serverlist); + + if (serverlist->nservers == 0) + TRACE_DNS_SRV_NOTFOUND(context); + return code; } #endif /* KRB5_DNS_LOOKUP */ diff --git a/src/lib/krb5/os/mk_faddr.c b/src/lib/krb5/os/mk_faddr.c index 2577df3..c7a6ddd 100644 --- a/src/lib/krb5/os/mk_faddr.c +++ b/src/lib/krb5/os/mk_faddr.c @@ -38,7 +38,7 @@ krb5_error_code krb5_make_fulladdr(krb5_context context, krb5_address *kaddr, krb5_address *kport, krb5_address *raddr) { - register krb5_octet * marshal; + krb5_octet *marshal; krb5_int32 tmp32; krb5_int16 tmp16; diff --git a/src/lib/krb5/os/net_read.c b/src/lib/krb5/os/net_read.c index 7e5e954..64a4622 100644 --- a/src/lib/krb5/os/net_read.c +++ b/src/lib/krb5/os/net_read.c @@ -37,7 +37,7 @@ */ int -krb5_net_read(krb5_context context, int fd, register char *buf, register int len) +krb5_net_read(krb5_context context, int fd, char *buf, int len) { int cc, len2 = 0; diff --git a/src/lib/krb5/os/net_write.c b/src/lib/krb5/os/net_write.c index 9290726..cc8c309 100644 --- a/src/lib/krb5/os/net_write.c +++ b/src/lib/krb5/os/net_write.c @@ -47,7 +47,7 @@ krb5_net_write(krb5_context context, int fd, const char *buf, int len) int krb5int_net_writev(krb5_context context, int fd, sg_buf *sgp, int nsg) { - int cc, len = 0; + ssize_t cc, len = 0; SOCKET_WRITEV_TEMP tmp; while (nsg > 0) { diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h index 7cf5a48..634e82d 100644 --- a/src/lib/krb5/os/os-proto.h +++ b/src/lib/krb5/os/os-proto.h @@ -110,6 +110,25 @@ krb5_error_code krb5_make_full_ipaddr(krb5_context, #endif /* HAVE_NETINET_IN_H */ +struct srv_dns_entry { + struct srv_dns_entry *next; + int priority; + int weight; + unsigned short port; + char *host; +}; + +krb5_error_code +krb5int_make_srv_query_realm(krb5_context context, const krb5_data *realm, + const char *service, const char *protocol, + struct srv_dns_entry **answers); + +void krb5int_free_srv_dns_data(struct srv_dns_entry *); + +krb5_error_code +k5_make_uri_query(krb5_context context, const krb5_data *realm, + const char *service, struct srv_dns_entry **answers); + krb5_error_code k5_try_realm_txt_rr(krb5_context context, const char *prefix, const char *name, char **realm); @@ -128,7 +147,7 @@ krb5_error_code k5_sendto(krb5_context context, const krb5_data *message, void *), void *msg_handler_data); -krb5_error_code krb5int_get_fq_local_hostname(char *, size_t); +krb5_error_code krb5int_get_fq_local_hostname(char **); /* The io vector is *not* const here, unlike writev()! */ int krb5int_net_writev (krb5_context, int, sg_buf *, int); @@ -152,7 +171,6 @@ krb5_error_code k5_time_with_offset(krb5_timestamp offset, krb5_timestamp *time_out, krb5_int32 *usec_out); void k5_set_prompt_types(krb5_context, krb5_prompt_type *); -krb5_error_code k5_clean_hostname(krb5_context, const char *, char *, size_t); krb5_boolean k5_is_numeric_address(const char *name); krb5_error_code k5_make_realmlist(const char *realm, char ***realms_out); krb5_error_code k5_kt_client_default_name(krb5_context context, diff --git a/src/lib/krb5/os/port2ip.c b/src/lib/krb5/os/port2ip.c index 905d60f..94c0430 100644 --- a/src/lib/krb5/os/port2ip.c +++ b/src/lib/krb5/os/port2ip.c @@ -34,7 +34,7 @@ krb5_unpack_full_ipaddr(krb5_context context, const krb5_address *inaddr, krb5_i { unsigned long smushaddr; unsigned short smushport; - register krb5_octet *marshal; + krb5_octet *marshal; krb5_addrtype temptype; krb5_ui_4 templength; diff --git a/src/lib/krb5/os/read_pwd.c b/src/lib/krb5/os/read_pwd.c index f26896d..4a5337f 100644 --- a/src/lib/krb5/os/read_pwd.c +++ b/src/lib/krb5/os/read_pwd.c @@ -42,38 +42,37 @@ krb5_read_password(krb5_context context, const char *prompt, const char *prompt2, char *return_pwd, unsigned int *size_return) { - krb5_data reply_data; - krb5_prompt k5prompt; + krb5_data reply_data, verify_data = empty_data(); + krb5_prompt k5prompt, vprompt; krb5_error_code retval; - reply_data.length = *size_return; /* NB: size_return is also an input */ - reply_data.data = return_pwd; + + /* *size_return is the space available in the return buffer on input. */ + reply_data = make_data(return_pwd, *size_return); k5prompt.prompt = (char *)prompt; k5prompt.hidden = 1; k5prompt.reply = &reply_data; - retval = krb5_prompter_posix(NULL, - NULL, NULL, NULL, 1, &k5prompt); - - if ((retval==0) && prompt2) { - krb5_data verify_data; - verify_data.data = malloc(*size_return); - verify_data.length = *size_return; - k5prompt.prompt = (char *)prompt2; - k5prompt.reply = &verify_data; - if (!verify_data.data) - return ENOMEM; - retval = krb5_prompter_posix(NULL, - NULL,NULL, NULL, 1, &k5prompt); - if (retval == 0) { - /* compare */ - if (strncmp(return_pwd, (char *)verify_data.data, *size_return)) - retval = KRB5_LIBOS_BADPWDMATCH; - } - free(verify_data.data); - } + retval = krb5_prompter_posix(NULL, NULL, NULL, NULL, 1, &k5prompt); + if (retval || prompt2 == NULL) + goto done; + + retval = alloc_data(&verify_data, *size_return); + if (retval) + goto done; + vprompt.prompt = (char *)prompt2; + vprompt.hidden = 1; + vprompt.reply = &verify_data; + retval = krb5_prompter_posix(NULL, NULL, NULL, NULL, 1, &vprompt); + if (retval) + goto done; + if (strncmp(return_pwd, verify_data.data, *size_return) != 0) + retval = KRB5_LIBOS_BADPWDMATCH; + +done: + zapfree(verify_data.data, verify_data.length); if (!retval) *size_return = k5prompt.reply->length; else - memset(return_pwd, 0, *size_return); + zap(return_pwd, *size_return); return retval; } #endif diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c index 249a9fd..82523c5 100644 --- a/src/lib/krb5/os/sendto_kdc.c +++ b/src/lib/krb5/os/sendto_kdc.c @@ -151,6 +151,7 @@ static krb5_error_code init_tls_vtable(krb5_context context) { krb5_plugin_initvt_fn initfn; + krb5_error_code ret; if (context->tls != NULL) return 0; @@ -161,8 +162,11 @@ init_tls_vtable(krb5_context context) /* Attempt to load the module; just let it stay nulled out on failure. */ k5_plugin_register_dyn(context, PLUGIN_INTERFACE_TLS, "k5tls", "tls"); - if (k5_plugin_load(context, PLUGIN_INTERFACE_TLS, "k5tls", &initfn) == 0) + ret = k5_plugin_load(context, PLUGIN_INTERFACE_TLS, "k5tls", &initfn); + if (!ret) (*initfn)(context, 0, 0, (krb5_plugin_vtable)context->tls); + else + TRACE_SENDTO_KDC_K5TLS_LOAD_ERROR(context, ret); return 0; } @@ -253,7 +257,7 @@ cm_get_ssflags(struct select_state *selstate, int fd) struct pollfd *pfd = find_pollfd(selstate, fd); /* - * OS X sets POLLHUP without POLLOUT on connection error. Catch this as + * macOS sets POLLHUP without POLLOUT on connection error. Catch this as * well as other error events such as POLLNVAL, but only if POLLIN and * POLLOUT aren't set, as we can get POLLHUP along with POLLIN with TCP * data still to be read. @@ -880,7 +884,8 @@ start_connection(krb5_context context, struct conn_state *state, } /* Start connecting to KDC. */ - e = connect(fd, (struct sockaddr *)&state->addr.saddr, state->addr.len); + e = SOCKET_CONNECT(fd, (struct sockaddr *)&state->addr.saddr, + state->addr.len); if (e != 0) { /* * This is the path that should be followed for non-blocking diff --git a/src/lib/krb5/os/t_discover_uri.py b/src/lib/krb5/os/t_discover_uri.py index 278f983..87bac17 100644 --- a/src/lib/krb5/os/t_discover_uri.py +++ b/src/lib/krb5/os/t_discover_uri.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * entries = ('URI _kerberos.TEST krb5srv::kkdcp:https://kdc1 1 1\n', diff --git a/src/lib/krb5/os/t_locate_kdc.c b/src/lib/krb5/os/t_locate_kdc.c index 6414b8e..7a53c84 100644 --- a/src/lib/krb5/os/t_locate_kdc.c +++ b/src/lib/krb5/os/t_locate_kdc.c @@ -127,7 +127,7 @@ main (int argc, char *argv[]) break; case LOOKUP_DNS: - err = locate_srv_dns_1(&realm, "_kerberos", "_udp", &sl); + err = locate_srv_dns_1(ctx, &realm, "_kerberos", "_udp", &sl); break; case LOOKUP_WHATEVER: diff --git a/src/lib/krb5/os/t_trace.ref b/src/lib/krb5/os/t_trace.ref index ca5818a..bd5d9b6 100644 --- a/src/lib/krb5/os/t_trace.ref +++ b/src/lib/krb5/os/t_trace.ref @@ -38,7 +38,7 @@ int, krb5_principal type: Windows 2000 UPN and SID int, krb5_principal type: NT 4 style name int, krb5_principal type: NT 4 style name and SID int, krb5_principal type: ? -krb5_pa_data **, display list of padata type numbers: 3, 0 +krb5_pa_data **, display list of padata type numbers: PA-PW-SALT (3), 0 krb5_pa_data **, display list of padata type numbers: (empty) krb5_enctype, display shortest name of enctype: des-cbc-crc krb5_enctype *, display list of enctypes: 5, rc4-hmac-exp, 511 diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c index fddb121..82fde92 100644 --- a/src/lib/krb5/os/timeofday.c +++ b/src/lib/krb5/os/timeofday.c @@ -29,7 +29,7 @@ #include krb5_error_code KRB5_CALLCONV -krb5_timeofday(krb5_context context, register krb5_timestamp *timeret) +krb5_timeofday(krb5_context context, krb5_timestamp *timeret) { krb5_os_context os_ctx; time_t tval; @@ -60,7 +60,7 @@ krb5_check_clockskew(krb5_context context, krb5_timestamp date) retval = krb5_timeofday(context, ¤ttime); if (retval) return retval; - if (!(labs((date)-currenttime) < context->clockskew)) + if (!ts_within(date, currenttime, context->clockskew)) return KRB5KRB_AP_ERR_SKEW; return 0; diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c index 456193a..4bbcdde 100644 --- a/src/lib/krb5/os/toffset.c +++ b/src/lib/krb5/os/toffset.c @@ -40,14 +40,15 @@ krb5_error_code KRB5_CALLCONV krb5_set_real_time(krb5_context context, krb5_timestamp seconds, krb5_int32 microseconds) { krb5_os_context os_ctx = &context->os_context; - krb5_int32 sec, usec; + krb5_timestamp sec; + krb5_int32 usec; krb5_error_code retval; retval = krb5_crypto_us_timeofday(&sec, &usec); if (retval) return retval; - os_ctx->time_offset = seconds - sec; + os_ctx->time_offset = ts_delta(seconds, sec); os_ctx->usec_offset = (microseconds > -1) ? microseconds - usec : 0; os_ctx->os_flags = ((os_ctx->os_flags & ~KRB5_OS_TOFFSET_TIME) | diff --git a/src/lib/krb5/os/trace.c b/src/lib/krb5/os/trace.c index 83c8d4d..4fff8f3 100644 --- a/src/lib/krb5/os/trace.c +++ b/src/lib/krb5/os/trace.c @@ -124,6 +124,51 @@ principal_type_string(krb5_int32 type) } static char * +padata_type_string(krb5_preauthtype type) +{ + switch (type) { + case KRB5_PADATA_TGS_REQ: return "PA-TGS-REQ"; + case KRB5_PADATA_ENC_TIMESTAMP: return "PA-ENC-TIMESTAMP"; + case KRB5_PADATA_PW_SALT: return "PA-PW-SALT"; + case KRB5_PADATA_ENC_UNIX_TIME: return "PA-ENC-UNIX-TIME"; + case KRB5_PADATA_ENC_SANDIA_SECURID: return "PA-SANDIA-SECUREID"; + case KRB5_PADATA_SESAME: return "PA-SESAME"; + case KRB5_PADATA_OSF_DCE: return "PA-OSF-DCE"; + case KRB5_CYBERSAFE_SECUREID: return "PA-CYBERSAFE-SECUREID"; + case KRB5_PADATA_AFS3_SALT: return "PA-AFS3-SALT"; + case KRB5_PADATA_ETYPE_INFO: return "PA-ETYPE-INFO"; + case KRB5_PADATA_SAM_CHALLENGE: return "PA-SAM-CHALLENGE"; + case KRB5_PADATA_SAM_RESPONSE: return "PA-SAM-RESPONSE"; + case KRB5_PADATA_PK_AS_REQ_OLD: return "PA-PK-AS-REQ_OLD"; + case KRB5_PADATA_PK_AS_REP_OLD: return "PA-PK-AS-REP_OLD"; + case KRB5_PADATA_PK_AS_REQ: return "PA-PK-AS-REQ"; + case KRB5_PADATA_PK_AS_REP: return "PA-PK-AS-REP"; + case KRB5_PADATA_ETYPE_INFO2: return "PA-ETYPE-INFO2"; + case KRB5_PADATA_SVR_REFERRAL_INFO: return "PA-SVR-REFERRAL-INFO"; + case KRB5_PADATA_SAM_REDIRECT: return "PA-SAM-REDIRECT"; + case KRB5_PADATA_GET_FROM_TYPED_DATA: return "PA-GET-FROM-TYPED-DATA"; + case KRB5_PADATA_SAM_CHALLENGE_2: return "PA-SAM-CHALLENGE2"; + case KRB5_PADATA_SAM_RESPONSE_2: return "PA-SAM-RESPONSE2"; + case KRB5_PADATA_PAC_REQUEST: return "PA-PAC-REQUEST"; + case KRB5_PADATA_FOR_USER: return "PA-FOR_USER"; + case KRB5_PADATA_S4U_X509_USER: return "PA-FOR-X509-USER"; + case KRB5_PADATA_AS_CHECKSUM: return "PA-AS-CHECKSUM"; + case KRB5_PADATA_FX_COOKIE: return "PA-FX-COOKIE"; + case KRB5_PADATA_FX_FAST: return "PA-FX-FAST"; + case KRB5_PADATA_FX_ERROR: return "PA-FX-ERROR"; + case KRB5_PADATA_ENCRYPTED_CHALLENGE: return "PA-ENCRYPTED-CHALLENGE"; + case KRB5_PADATA_OTP_CHALLENGE: return "PA-OTP-CHALLENGE"; + case KRB5_PADATA_OTP_REQUEST: return "PA-OTP-REQUEST"; + case KRB5_PADATA_OTP_PIN_CHANGE: return "PA-OTP-PIN-CHANGE"; + case KRB5_PADATA_PKINIT_KX: return "PA-PKINIT-KX"; + case KRB5_ENCPADATA_REQ_ENC_PA_REP: return "PA-REQ-ENC-PA-REP"; + case KRB5_PADATA_AS_FRESHNESS: return "PA_AS_FRESHNESS"; + case KRB5_PADATA_SPAKE: return "PA-SPAKE"; + default: return NULL; + } +} + +static char * trace_format(krb5_context context, const char *fmt, va_list ap) { struct k5buf buf; @@ -140,6 +185,8 @@ trace_format(krb5_context context, const char *fmt, va_list ap) krb5_key key; const krb5_checksum *cksum; krb5_pa_data **padata; + krb5_preauthtype pa_type; + const char *name; krb5_ccache ccache; krb5_keytab keytab; krb5_creds *creds; @@ -173,7 +220,7 @@ trace_format(krb5_context context, const char *fmt, va_list ap) p = va_arg(ap, const char *); if (p == NULL && len != 0) k5_buf_add(&buf, "(null)"); - else + else if (p != NULL) buf_add_printable_len(&buf, p, len); } else if (strcmp(tmpbuf, "hexlenstr") == 0) { len = va_arg(ap, size_t); @@ -271,10 +318,23 @@ trace_format(krb5_context context, const char *fmt, va_list ap) if (padata == NULL || *padata == NULL) k5_buf_add(&buf, "(empty)"); for (; padata != NULL && *padata != NULL; padata++) { - k5_buf_add_fmt(&buf, "%d", (int)(*padata)->pa_type); + pa_type = (*padata)->pa_type; + name = padata_type_string(pa_type); + if (name != NULL) + k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); + else + k5_buf_add_fmt(&buf, "%d", (int)pa_type); + if (*(padata + 1) != NULL) k5_buf_add(&buf, ", "); } + } else if (strcmp(tmpbuf, "patype") == 0) { + pa_type = va_arg(ap, krb5_preauthtype); + name = padata_type_string(pa_type); + if (name != NULL) + k5_buf_add_fmt(&buf, "%s (%d)", name, (int)pa_type); + else + k5_buf_add_fmt(&buf, "%d", (int)pa_type); } else if (strcmp(tmpbuf, "etype") == 0) { etype = va_arg(ap, krb5_enctype); if (krb5_enctype_to_name(etype, TRUE, tmpbuf, sizeof(tmpbuf)) == 0) @@ -340,7 +400,8 @@ krb5int_trace(krb5_context context, const char *fmt, ...) va_list ap; krb5_trace_info info; char *str = NULL, *msg = NULL; - krb5_int32 sec, usec; + krb5_timestamp sec; + krb5_int32 usec; if (context == NULL || context->trace_callback == NULL) return; @@ -350,7 +411,7 @@ krb5int_trace(krb5_context context, const char *fmt, ...) goto cleanup; if (krb5_crypto_us_timeofday(&sec, &usec) != 0) goto cleanup; - if (asprintf(&msg, "[%d] %d.%d: %s\n", (int) getpid(), (int) sec, + if (asprintf(&msg, "[%d] %u.%d: %s\n", (int) getpid(), (unsigned int) sec, (int) usec, str) < 0) goto cleanup; info.message = msg; diff --git a/src/lib/krb5/os/ustime.c b/src/lib/krb5/os/ustime.c index 0563576..a80fdf6 100644 --- a/src/lib/krb5/os/ustime.c +++ b/src/lib/krb5/os/ustime.c @@ -40,7 +40,8 @@ krb5_error_code k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec, krb5_timestamp *time_out, krb5_int32 *usec_out) { - krb5_int32 sec, usec; + krb5_timestamp sec; + krb5_int32 usec; krb5_error_code retval; retval = krb5_crypto_us_timeofday(&sec, &usec); @@ -49,13 +50,13 @@ k5_time_with_offset(krb5_timestamp offset, krb5_int32 offset_usec, usec += offset_usec; if (usec > 1000000) { usec -= 1000000; - sec++; + sec = ts_incr(sec, 1); } if (usec < 0) { usec += 1000000; - sec--; + sec = ts_incr(sec, -1); } - sec += offset; + sec = ts_incr(sec, offset); *time_out = sec; *usec_out = usec; diff --git a/src/lib/krb5/rcache/rc_conv.c b/src/lib/krb5/rcache/rc_conv.c index 0e021f5..f2fe528 100644 --- a/src/lib/krb5/rcache/rc_conv.c +++ b/src/lib/krb5/rcache/rc_conv.c @@ -58,7 +58,7 @@ krb5_rc_hash_message(krb5_context context, const krb5_data *message, *out = NULL; /* Calculate the binary checksum. */ - retval = k5_sha256(message, cksum); + retval = k5_sha256(message, 1, cksum); if (retval) return retval; diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c index c4d2c74..1e0cb22 100644 --- a/src/lib/krb5/rcache/rc_dfl.c +++ b/src/lib/krb5/rcache/rc_dfl.c @@ -93,12 +93,11 @@ cmp(krb5_donot_replay *old, krb5_donot_replay *new1, krb5_deltat t) } static int -alive(krb5_int32 mytime, krb5_donot_replay *new1, krb5_deltat t) +alive(krb5_timestamp mytime, krb5_donot_replay *new1, krb5_deltat t) { if (mytime == 0) return CMP_HOHUM; /* who cares? */ - /* I hope we don't have to worry about overflow */ - if (new1->ctime + t < mytime) + if (ts_after(mytime, ts_incr(new1->ctime, t))) return CMP_EXPIRED; return CMP_HOHUM; } @@ -130,7 +129,7 @@ struct authlist static int rc_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep, - krb5_int32 now, krb5_boolean fromfile) + krb5_timestamp now, krb5_boolean fromfile) { struct dfl_data *t = (struct dfl_data *)id->data; unsigned int rephash; @@ -517,7 +516,7 @@ errout: free(rep->server); if (rep->msghash) free(rep->msghash); - rep->client = rep->server = 0; + rep->client = rep->server = rep->msghash = NULL; return retval; } @@ -537,7 +536,7 @@ krb5_rc_dfl_recover_locked(krb5_context context, krb5_rcache id) krb5_error_code retval; long max_size; int expired_entries = 0; - krb5_int32 now; + krb5_timestamp now; if ((retval = krb5_rc_io_open(context, &t->d, t->name))) { return retval; @@ -707,7 +706,7 @@ krb5_rc_dfl_store(krb5_context context, krb5_rcache id, krb5_donot_replay *rep) { krb5_error_code ret; struct dfl_data *t; - krb5_int32 now; + krb5_timestamp now; ret = krb5_timeofday(context, &now); if (ret) @@ -763,7 +762,7 @@ krb5_rc_dfl_expunge_locked(krb5_context context, krb5_rcache id) struct authlist **qt; struct authlist *r; struct authlist *rt; - krb5_int32 now; + krb5_timestamp now; if (krb5_timestamp(context, &now)) now = 0; diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c index b9859fe..35fa14a 100644 --- a/src/lib/krb5/rcache/rc_io.c +++ b/src/lib/krb5/rcache/rc_io.c @@ -117,10 +117,6 @@ krb5_rc_io_mkstemp(krb5_context context, krb5_rc_iostuff *d, char *dir) return 0; } -#if 0 -static krb5_error_code rc_map_errno (int) __attribute__((cold)); -#endif - static krb5_error_code rc_map_errno (krb5_context context, int e, const char *fn, const char *operation) diff --git a/src/lib/krb5/rcache/ser_rc.c b/src/lib/krb5/rcache/ser_rc.c index 556af21..5c537f0 100644 --- a/src/lib/krb5/rcache/ser_rc.c +++ b/src/lib/krb5/rcache/ser_rc.c @@ -72,7 +72,7 @@ krb5_rcache_size(krb5_context kcontext, krb5_pointer arg, size_t *sizep) * krb5_int32 for KV5M_RCACHE */ required = sizeof(krb5_int32) * 3; - if (rcache->ops && rcache->ops->type) + if (rcache->ops) required += (strlen(rcache->ops->type)+1); /* diff --git a/src/lib/krb5/rcache/t_replay.c b/src/lib/krb5/rcache/t_replay.c index db273ec..b99cdf1 100644 --- a/src/lib/krb5/rcache/t_replay.c +++ b/src/lib/krb5/rcache/t_replay.c @@ -110,7 +110,7 @@ store(krb5_context ctx, char *rcspec, char *client, char *server, char *msg, krb5_donot_replay rep; krb5_data d; - if (now_timestamp > 0) + if (now_timestamp != 0) krb5_set_debugging_time(ctx, now_timestamp, now_usec); if ((retval = krb5_rc_resolve_full(ctx, &rc, rcspec))) goto cleanup; @@ -221,13 +221,13 @@ main(int argc, char **argv) msg = (**argv) ? *argv : NULL; argc--; argv++; if (!argc) usage(progname); - timestamp = (krb5_timestamp) atol(*argv); + timestamp = (krb5_timestamp) atoll(*argv); argc--; argv++; if (!argc) usage(progname); usec = (krb5_int32) atol(*argv); argc--; argv++; if (!argc) usage(progname); - now_timestamp = (krb5_timestamp) atol(*argv); + now_timestamp = (krb5_timestamp) atoll(*argv); argc--; argv++; if (!argc) usage(progname); now_usec = (krb5_int32) atol(*argv); @@ -249,7 +249,7 @@ main(int argc, char **argv) rcspec = *argv; argc--; argv++; if (!argc) usage(progname); - now_timestamp = (krb5_timestamp) atol(*argv); + now_timestamp = (krb5_timestamp) atoll(*argv); argc--; argv++; if (!argc) usage(progname); now_usec = (krb5_int32) atol(*argv); diff --git a/src/lib/krb5/unicode/ure/ure.c b/src/lib/krb5/unicode/ure/ure.c index d1cfd8a..23a03d9 100644 --- a/src/lib/krb5/unicode/ure/ure.c +++ b/src/lib/krb5/unicode/ure/ure.c @@ -421,7 +421,7 @@ _ure_prop_list(ucs2_t *pp, unsigned long limit, unsigned long *mask, b->error = _URE_INVALID_PROPERTY; } - if (n != 0) + if (b->error == _URE_OK && n != 0) m |= cclass_flags[n]; /* diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def index e5b560d..c350229 100644 --- a/src/lib/krb5_32.def +++ b/src/lib/krb5_32.def @@ -470,3 +470,20 @@ EXPORTS krb5_get_init_creds_opt_set_pac_request @435 krb5int_trace @436 ; PRIVATE GSSAPI krb5_expand_hostname @437 + +; new in 1.16 + k5_enctype_to_ssf @438 ; PRIVATE GSSAPI + +; new in 1.17 + krb5_get_etype_info @447 + krb5_pac_sign_ext @448 + krb5_pac_verify_ext @449 +; private symbols used by SPAKE client module + profile_get_string @439 ; PRIVATE + profile_release_string @440 ; PRIVATE + k5_sha256 @441 ; PRIVATE + krb5_encrypt_helper @442 ; PRIVATE + encode_krb5_spake_factor @443 ; PRIVATE + encode_krb5_pa_spake @444 ; PRIVATE + decode_krb5_pa_spake @445 ; PRIVATE + k5_free_pa_spake @446 ; PRIVATE diff --git a/src/lib/rpc/auth_gssapi.c b/src/lib/rpc/auth_gssapi.c index ace0be9..568ec6d 100644 --- a/src/lib/rpc/auth_gssapi.c +++ b/src/lib/rpc/auth_gssapi.c @@ -744,14 +744,6 @@ skip_call: } free(AUTH_PRIVATE(auth)->client_handle.value); - -#if 0 - PRINTF(("gssapi_destroy: calling GSSAPI_EXIT\n")); - AUTH_PRIVATE(auth)->established = FALSE; - callstat = clnt_call(AUTH_PRIVATE(auth)->clnt, AUTH_GSSAPI_EXIT, - xdr_void, NULL, xdr_void, NULL, timeout); -#endif - free(auth->ah_private); free(auth); PRINTF(("gssapi_destroy: done\n")); diff --git a/src/lib/rpc/auth_none.c b/src/lib/rpc/auth_none.c index de8d6d0..85ddbf7 100644 --- a/src/lib/rpc/auth_none.c +++ b/src/lib/rpc/auth_none.c @@ -76,9 +76,9 @@ static struct authnone_private { AUTH * authnone_create(void) { - register struct authnone_private *ap = authnone_private; + struct authnone_private *ap = authnone_private; XDR xdr_stream; - register XDR *xdrs; + XDR *xdrs; if (ap == 0) { ap = (struct authnone_private *)calloc(1, sizeof (*ap)); @@ -104,7 +104,7 @@ authnone_create(void) static bool_t authnone_marshal(AUTH *client, XDR *xdrs) { - register struct authnone_private *ap = authnone_private; + struct authnone_private *ap = authnone_private; if (ap == 0) return (0); diff --git a/src/lib/rpc/auth_unix.c b/src/lib/rpc/auth_unix.c index 6cb998d..7853efa 100644 --- a/src/lib/rpc/auth_unix.c +++ b/src/lib/rpc/auth_unix.c @@ -99,15 +99,15 @@ authunix_create( char *machname, int uid, int gid, - register int len, + int len, int *aup_gids) { struct authunix_parms aup; char mymem[MAX_AUTH_BYTES]; struct timeval now; XDR xdrs; - register AUTH *auth; - register struct audata *au; + AUTH *auth; + struct audata *au; /* * Allocate and set up auth handle @@ -175,10 +175,10 @@ authunix_create( AUTH * authunix_create_default(void) { - register int len; + int len; char machname[MAX_MACHINE_NAME + 1]; - register int uid; - register int gid; + int uid; + int gid; GETGROUPS_T gids[NGRPS]; int igids[NGRPS], i; @@ -208,15 +208,15 @@ authunix_nextverf(AUTH *auth) static bool_t authunix_marshal(AUTH *auth, XDR *xdrs) { - register struct audata *au = AUTH_PRIVATE(auth); + struct audata *au = AUTH_PRIVATE(auth); return (XDR_PUTBYTES(xdrs, au->au_marshed, au->au_mpos)); } static bool_t -authunix_validate(register AUTH *auth, struct opaque_auth *verf) +authunix_validate(AUTH *auth, struct opaque_auth *verf) { - register struct audata *au; + struct audata *au; XDR xdrs; if (verf->oa_flavor == AUTH_SHORT) { @@ -242,13 +242,13 @@ authunix_validate(register AUTH *auth, struct opaque_auth *verf) } static bool_t -authunix_refresh(register AUTH *auth, struct rpc_msg *msg) +authunix_refresh(AUTH *auth, struct rpc_msg *msg) { - register struct audata *au = AUTH_PRIVATE(auth); + struct audata *au = AUTH_PRIVATE(auth); struct authunix_parms aup; struct timeval now; XDR xdrs; - register int stat; + int stat; if (auth->ah_cred.oa_base == au->au_origcred.oa_base) { /* there is no hope. Punt */ @@ -284,9 +284,9 @@ done: } static void -authunix_destroy(register AUTH *auth) +authunix_destroy(AUTH *auth) { - register struct audata *au = AUTH_PRIVATE(auth); + struct audata *au = AUTH_PRIVATE(auth); mem_free(au->au_origcred.oa_base, au->au_origcred.oa_length); @@ -306,11 +306,11 @@ authunix_destroy(register AUTH *auth) * sets private data, au_marshed and au_mpos */ static void -marshal_new_auth(register AUTH *auth) +marshal_new_auth(AUTH *auth) { XDR xdr_stream; - register XDR *xdrs = &xdr_stream; - register struct audata *au = AUTH_PRIVATE(auth); + XDR *xdrs = &xdr_stream; + struct audata *au = AUTH_PRIVATE(auth); xdrmem_create(xdrs, au->au_marshed, MAX_AUTH_BYTES, XDR_ENCODE); if ((! xdr_opaque_auth(xdrs, &(auth->ah_cred))) || diff --git a/src/lib/rpc/authunix_prot.c b/src/lib/rpc/authunix_prot.c index 5bc5172..512d5a5 100644 --- a/src/lib/rpc/authunix_prot.c +++ b/src/lib/rpc/authunix_prot.c @@ -50,7 +50,7 @@ static char sccsid[] = "@(#)authunix_prot.c 1.15 87/08/11 Copyr 1984 Sun Micro"; * XDR for unix authentication parameters. */ bool_t -xdr_authunix_parms(register XDR *xdrs, register struct authunix_parms *p) +xdr_authunix_parms(XDR *xdrs, struct authunix_parms *p) { if (xdr_u_int32(xdrs, &(p->aup_time)) diff --git a/src/lib/rpc/clnt_raw.c b/src/lib/rpc/clnt_raw.c index 1d7fc62..515086b 100644 --- a/src/lib/rpc/clnt_raw.c +++ b/src/lib/rpc/clnt_raw.c @@ -140,8 +140,8 @@ clntraw_call( void * resultsp, struct timeval timeout) { - register struct clntraw_private *clp = clntraw_private; - register XDR *xdrs = &clp->xdr_stream; + struct clntraw_private *clp = clntraw_private; + XDR *xdrs = &clp->xdr_stream; struct rpc_msg msg; enum clnt_stat status; struct rpc_err error; @@ -236,8 +236,8 @@ clntraw_freeres( xdrproc_t xdr_res, void *res_ptr) { - register struct clntraw_private *clp = clntraw_private; - register XDR *xdrs = &clp->xdr_stream; + struct clntraw_private *clp = clntraw_private; + XDR *xdrs = &clp->xdr_stream; bool_t rval; if (clp == 0) diff --git a/src/lib/rpc/clnt_simple.c b/src/lib/rpc/clnt_simple.c index 4ec99ed..39186e5 100644 --- a/src/lib/rpc/clnt_simple.c +++ b/src/lib/rpc/clnt_simple.c @@ -70,7 +70,7 @@ callrpc( xdrproc_t outproc, char *out) { - register struct callrpc_private *crp = callrpc_private; + struct callrpc_private *crp = callrpc_private; struct sockaddr_in server_addr; enum clnt_stat clnt_stat; struct hostent *hp; diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c index 02056fd..8776190 100644 --- a/src/lib/rpc/clnt_tcp.c +++ b/src/lib/rpc/clnt_tcp.c @@ -130,7 +130,7 @@ clnttcp_create( u_int recvsz) { CLIENT *h; - register struct ct_data *ct = 0; + struct ct_data *ct = 0; struct timeval now; struct rpc_msg call_msg; @@ -244,7 +244,7 @@ fooy: static enum clnt_stat clnttcp_call( - register CLIENT *h, + CLIENT *h, rpcproc_t proc, xdrproc_t xdr_args, void * args_ptr, @@ -252,12 +252,12 @@ clnttcp_call( void * results_ptr, struct timeval timeout) { - register struct ct_data *ct = (struct ct_data *) h->cl_private; - register XDR *xdrs = &(ct->ct_xdrs); + struct ct_data *ct = h->cl_private; + XDR *xdrs = &ct->ct_xdrs; struct rpc_msg reply_msg; uint32_t x_id; uint32_t *msg_x_id = &ct->ct_u.ct_mcalli; /* yuk */ - register bool_t shipnow; + bool_t shipnow; int refreshes = 2; long procl = proc; @@ -356,8 +356,7 @@ clnttcp_geterr( CLIENT *h, struct rpc_err *errp) { - register struct ct_data *ct = - (struct ct_data *) h->cl_private; + struct ct_data *ct = h->cl_private; *errp = ct->ct_error; } @@ -368,8 +367,8 @@ clnttcp_freeres( xdrproc_t xdr_res, void * res_ptr) { - register struct ct_data *ct = (struct ct_data *)cl->cl_private; - register XDR *xdrs = &(ct->ct_xdrs); + struct ct_data *ct = cl->cl_private; + XDR *xdrs = &ct->ct_xdrs; xdrs->x_op = XDR_FREE; return ((*xdr_res)(xdrs, res_ptr)); @@ -387,7 +386,7 @@ clnttcp_control( int request, void *info) { - register struct ct_data *ct = (struct ct_data *)cl->cl_private; + struct ct_data *ct = cl->cl_private; GETSOCKNAME_ARG3_TYPE len; switch (request) { @@ -417,8 +416,7 @@ clnttcp_control( static void clnttcp_destroy(CLIENT *h) { - register struct ct_data *ct = - (struct ct_data *) h->cl_private; + struct ct_data *ct = h->cl_private; if (ct->ct_closeit) (void)closesocket(ct->ct_sock); @@ -436,9 +434,9 @@ static int readtcp( char *ctptr, caddr_t buf, - register int len) + int len) { - register struct ct_data *ct = (struct ct_data *)(void *)ctptr; + struct ct_data *ct = (void *)ctptr; struct timeval tout; #ifdef FD_SETSIZE fd_set mask; @@ -449,7 +447,7 @@ readtcp( FD_ZERO(&mask); FD_SET(ct->ct_sock, &mask); #else - register int mask = 1 << (ct->ct_sock); + int mask = 1 << (ct->ct_sock); int readfds; if (len == 0) @@ -498,7 +496,7 @@ writetcp( int len) { struct ct_data *ct = (struct ct_data *)(void *)ctptr; - register int i, cnt; + int i, cnt; for (cnt = len; cnt > 0; cnt -= i, buf += i) { if ((i = write(ct->ct_sock, buf, (size_t) cnt)) == -1) { diff --git a/src/lib/rpc/clnt_udp.c b/src/lib/rpc/clnt_udp.c index 7a51916..49b09e0 100644 --- a/src/lib/rpc/clnt_udp.c +++ b/src/lib/rpc/clnt_udp.c @@ -121,12 +121,12 @@ clntudp_bufcreate( rpcprog_t program, rpcvers_t version, struct timeval wait, - register int *sockp, + int *sockp, u_int sendsz, u_int recvsz) { CLIENT *cl; - register struct cu_data *cu = 0; + struct cu_data *cu = 0; struct timeval now; struct rpc_msg call_msg; @@ -196,7 +196,7 @@ clntudp_bufcreate( } if (connect(*sockp, (struct sockaddr *)raddr, sizeof(*raddr)) < 0) goto fooy; - cu->cu_llen = sizeof(cu->cu_laddr); + cu->cu_llen = sizeof(cu->cu_laddr); if (getsockname(*sockp, (struct sockaddr *)&cu->cu_laddr, &cu->cu_llen) < 0) goto fooy; @@ -217,7 +217,7 @@ clntudp_create( rpcprog_t program, rpcvers_t version, struct timeval wait, - register int *sockp) + int *sockp) { return(clntudp_bufcreate(raddr, program, version, wait, sockp, @@ -226,7 +226,7 @@ clntudp_create( static enum clnt_stat clntudp_call( - register CLIENT *cl, /* client handle */ + CLIENT *cl, /* client handle */ rpcproc_t proc, /* procedure number */ xdrproc_t xargs, /* xdr routine for args */ void * argsp, /* pointer to args */ @@ -236,17 +236,17 @@ clntudp_call( * giving up */ ) { - register struct cu_data *cu = (struct cu_data *)cl->cl_private; - register XDR *xdrs; - register int outlen; - register ssize_t inlen; + struct cu_data *cu = (struct cu_data *)cl->cl_private; + XDR *xdrs; + int outlen; + ssize_t inlen; GETSOCKNAME_ARG3_TYPE fromlen; /* Assumes recvfrom uses same type */ #ifdef FD_SETSIZE fd_set readfds; fd_set mask; #else int readfds; - register int mask; + int mask; #endif /* def FD_SETSIZE */ struct sockaddr_in from; struct rpc_msg reply_msg; @@ -416,7 +416,7 @@ clntudp_geterr( CLIENT *cl, struct rpc_err *errp) { - register struct cu_data *cu = (struct cu_data *)cl->cl_private; + struct cu_data *cu = (struct cu_data *)cl->cl_private; *errp = cu->cu_error; } @@ -428,8 +428,8 @@ clntudp_freeres( xdrproc_t xdr_res, void *res_ptr) { - register struct cu_data *cu = (struct cu_data *)cl->cl_private; - register XDR *xdrs = &(cu->cu_outxdrs); + struct cu_data *cu = cl->cl_private; + XDR *xdrs = &cu->cu_outxdrs; xdrs->x_op = XDR_FREE; return ((*xdr_res)(xdrs, res_ptr)); @@ -448,7 +448,7 @@ clntudp_control( int request, void *info) { - register struct cu_data *cu = (struct cu_data *)cl->cl_private; + struct cu_data *cu = cl->cl_private; switch (request) { case CLSET_TIMEOUT: @@ -478,7 +478,7 @@ clntudp_control( static void clntudp_destroy(CLIENT *cl) { - register struct cu_data *cu = (struct cu_data *)cl->cl_private; + struct cu_data *cu = (struct cu_data *)cl->cl_private; if (cu->cu_closeit) (void)closesocket(cu->cu_sock); diff --git a/src/lib/rpc/deps b/src/lib/rpc/deps index 3c5af2f..f57b831 100644 --- a/src/lib/rpc/deps +++ b/src/lib/rpc/deps @@ -180,7 +180,8 @@ pmap_rmt.so pmap_rmt.po $(OUTPRE)pmap_rmt.$(OBJEXT): \ $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/port-sockets.h pmap_rmt.c + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + pmap_rmt.c rpc_prot.so rpc_prot.po $(OUTPRE)rpc_prot.$(OBJEXT): \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ diff --git a/src/lib/rpc/getrpcent.c b/src/lib/rpc/getrpcent.c index db03dae..ad6793f 100644 --- a/src/lib/rpc/getrpcent.c +++ b/src/lib/rpc/getrpcent.c @@ -66,7 +66,7 @@ static char RPCDB[] = "/etc/rpc"; static struct rpcdata * get_rpcdata(void) { - register struct rpcdata *d = rpcdata; + struct rpcdata *d = rpcdata; if (d == 0) { d = (struct rpcdata *)calloc(1, sizeof (struct rpcdata)); @@ -76,10 +76,10 @@ get_rpcdata(void) } struct rpcent * -getrpcbynumber(register int number) +getrpcbynumber(int number) { - register struct rpcdata *d = get_rpcdata(); - register struct rpcent *p; + struct rpcdata *d = get_rpcdata(); + struct rpcent *p; int reason; char adrstr[16], *val = NULL; int vallen; @@ -116,7 +116,7 @@ getrpcbyname(const char *name) SETRPCENT_TYPE setrpcent(int f) { - register struct rpcdata *d = _rpcdata(); + struct rpcdata *d = _rpcdata(); if (d == 0) return; @@ -134,7 +134,7 @@ SETRPCENT_TYPE setrpcent(int f) ENDRPCENT_TYPE endrpcent(void) { - register struct rpcdata *d = _rpcdata(); + struct rpcdata *d = _rpcdata(); if (d == 0) return; @@ -155,7 +155,7 @@ getrpcent(void) int reason; char *key = NULL, *val = NULL; int keylen, vallen; - register struct rpcdata *d = _rpcdata(); + struct rpcdata *d = _rpcdata(); if (d == 0) return(NULL); @@ -172,9 +172,9 @@ getrpcent(void) static struct rpcent * interpret(char *val, int len) { - register struct rpcdata *d = _rpcdata(); + struct rpcdata *d = _rpcdata(); char *p; - register char *cp, **q; + char *cp, **q; if (d == 0) return; diff --git a/src/lib/rpc/pmap_clnt.c b/src/lib/rpc/pmap_clnt.c index cda40fb..952a251 100644 --- a/src/lib/rpc/pmap_clnt.c +++ b/src/lib/rpc/pmap_clnt.c @@ -69,7 +69,7 @@ pmap_set( { struct sockaddr_in myaddress; int sock = -1; - register CLIENT *client; + CLIENT *client; struct pmap parms; bool_t rslt; @@ -149,7 +149,7 @@ pmap_unset( { struct sockaddr_in myaddress; int sock = -1; - register CLIENT *client; + CLIENT *client; struct pmap parms; bool_t rslt; diff --git a/src/lib/rpc/pmap_getmaps.c b/src/lib/rpc/pmap_getmaps.c index 7790a3a..b8a9cec 100644 --- a/src/lib/rpc/pmap_getmaps.c +++ b/src/lib/rpc/pmap_getmaps.c @@ -69,7 +69,7 @@ pmap_getmaps(struct sockaddr_in *address) struct pmaplist *head = (struct pmaplist *)NULL; int sock = -1; struct timeval minutetimeout; - register CLIENT *client; + CLIENT *client; minutetimeout.tv_sec = 60; minutetimeout.tv_usec = 0; diff --git a/src/lib/rpc/pmap_getport.c b/src/lib/rpc/pmap_getport.c index 2fdb73c..66635a1 100644 --- a/src/lib/rpc/pmap_getport.c +++ b/src/lib/rpc/pmap_getport.c @@ -68,7 +68,7 @@ pmap_getport( { unsigned short port = 0; int sock = -1; - register CLIENT *client; + CLIENT *client; struct pmap parms; address->sin_port = htons(PMAPPORT); diff --git a/src/lib/rpc/pmap_prot2.c b/src/lib/rpc/pmap_prot2.c index 7fd7d3e..aeccac6 100644 --- a/src/lib/rpc/pmap_prot2.c +++ b/src/lib/rpc/pmap_prot2.c @@ -84,7 +84,7 @@ static char sccsid[] = "@(#)pmap_prot2.c 1.3 87/08/11 Copyr 1984 Sun Micro"; * this sounds like a job for xdr_reference! */ bool_t -xdr_pmaplist(register XDR *xdrs, register struct pmaplist **rp) +xdr_pmaplist(XDR *xdrs, struct pmaplist **rp) { /* * more_elements is pre-computed in case the direction is @@ -92,8 +92,8 @@ xdr_pmaplist(register XDR *xdrs, register struct pmaplist **rp) * xdr_bool when the direction is XDR_DECODE. */ bool_t more_elements; - register int freeing = (xdrs->x_op == XDR_FREE); - register struct pmaplist **next = NULL; + int freeing = (xdrs->x_op == XDR_FREE); + struct pmaplist **next = NULL; while (TRUE) { more_elements = (bool_t)(*rp != NULL); diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c index cd0b309..8c7e30c 100644 --- a/src/lib/rpc/pmap_rmt.c +++ b/src/lib/rpc/pmap_rmt.c @@ -60,6 +60,7 @@ static char sccsid[] = "@(#)pmap_rmt.c 1.21 87/08/27 Copyr 1984 Sun Micro"; #include #define MAX_BROADCAST_SIZE 1400 #include +#include "socket-utils.h" static struct timeval timeout = { 3, 0 }; @@ -88,7 +89,7 @@ pmap_rmtcall( rpcport_t *port_ptr) { SOCKET sock = INVALID_SOCKET; - register CLIENT *client; + CLIENT *client; struct rmtcallargs a; struct rmtcallres r; enum clnt_stat stat; @@ -122,8 +123,8 @@ pmap_rmtcall( */ bool_t xdr_rmtcall_args( - register XDR *xdrs, - register struct rmtcallargs *cap) + XDR *xdrs, + struct rmtcallargs *cap) { u_int lenposition, argposition, position; @@ -153,8 +154,8 @@ xdr_rmtcall_args( */ bool_t xdr_rmtcallres( - register XDR *xdrs, - register struct rmtcallres *crp) + XDR *xdrs, + struct rmtcallres *crp) { caddr_t port_ptr; @@ -208,12 +209,11 @@ getbroadcastnets( if (ioctl(sock, SIOCGIFBRDADDR, (char *)&ifreq) < 0) { addrs[i++].s_addr = INADDR_ANY; } else { - addrs[i++] = ((struct sockaddr_in*) - &ifreq.ifr_addr)->sin_addr; + addrs[i++] = sa2sin(&ifreq.ifr_addr)->sin_addr; } #else /* 4.2 BSD */ struct sockaddr_in *sockin; - sockin = (struct sockaddr_in *)&ifr->ifr_addr; + sockin = sa2sin(&ifr->ifr_addr); addrs[i++] = inet_makeaddr(inet_netof (sockin->sin_addr.s_addr), INADDR_ANY); #endif @@ -237,7 +237,7 @@ clnt_broadcast( enum clnt_stat stat; AUTH *unix_auth = authunix_create_default(); XDR xdr_stream; - register XDR *xdrs = &xdr_stream; + XDR *xdrs = &xdr_stream; int outlen, nets; ssize_t inlen; GETSOCKNAME_ARG3_TYPE fromlen; @@ -248,11 +248,11 @@ clnt_broadcast( fd_set readfds; #else int readfds; - register int mask; + int mask; #endif /* def FD_SETSIZE */ - register int i; + int i; bool_t done = FALSE; - register uint32_t xid; + uint32_t xid; rpcport_t port; struct in_addr addrs[20]; struct sockaddr_in baddr, raddr; /* broadcast and response addresses */ diff --git a/src/lib/rpc/rpc_callmsg.c b/src/lib/rpc/rpc_callmsg.c index 6752524..27d298f 100644 --- a/src/lib/rpc/rpc_callmsg.c +++ b/src/lib/rpc/rpc_callmsg.c @@ -47,10 +47,10 @@ static char sccsid[] = "@(#)rpc_callmsg.c 1.4 87/08/11 Copyr 1984 Sun Micro"; * XDR a call message */ bool_t -xdr_callmsg(register XDR *xdrs, register struct rpc_msg *cmsg) +xdr_callmsg(XDR *xdrs, struct rpc_msg *cmsg) { - register rpc_inline_t *buf; - register struct opaque_auth *oa; + rpc_inline_t *buf; + struct opaque_auth *oa; if (xdrs->x_op == XDR_ENCODE) { if (cmsg->rm_call.cb_cred.oa_length > MAX_AUTH_BYTES) { diff --git a/src/lib/rpc/svc.c b/src/lib/rpc/svc.c index e923ac0..c171ecc 100644 --- a/src/lib/rpc/svc.c +++ b/src/lib/rpc/svc.c @@ -96,7 +96,7 @@ static void svc_do_xprt(SVCXPRT *xprt); void xprt_register(SVCXPRT *xprt) { - register int sock = xprt->xp_sock; + int sock = xprt->xp_sock; #ifdef FD_SETSIZE if (gssrpc_svc_fdset_init == 0) { @@ -130,7 +130,7 @@ xprt_register(SVCXPRT *xprt) void xprt_unregister(SVCXPRT *xprt) { - register int sock = xprt->xp_sock; + int sock = xprt->xp_sock; #ifdef FD_SETSIZE if ((sock < FD_SETSIZE) && (xports[sock] == xprt)) { @@ -166,7 +166,7 @@ svc_register( int protocol) { struct svc_callout *prev; - register struct svc_callout *s; + struct svc_callout *s; if ((s = svc_find(prog, vers, &prev)) != NULL_SVC) { if (s->sc_dispatch == dispatch) @@ -199,7 +199,7 @@ svc_unregister( rpcvers_t vers) { struct svc_callout *prev; - register struct svc_callout *s; + struct svc_callout *s; if ((s = svc_find(prog, vers, &prev)) == NULL_SVC) return; @@ -224,7 +224,7 @@ svc_find( rpcvers_t vers, struct svc_callout **prev) { - register struct svc_callout *s, *p; + struct svc_callout *s, *p; p = NULL_SVC; for (s = svc_head; s != NULL_SVC; s = s->sc_next) { @@ -244,7 +244,7 @@ done: */ bool_t svc_sendreply( - register SVCXPRT *xprt, + SVCXPRT *xprt, xdrproc_t xdr_results, caddr_t xdr_location) { @@ -263,7 +263,7 @@ svc_sendreply( * No procedure error reply */ void -svcerr_noproc(register SVCXPRT *xprt) +svcerr_noproc(SVCXPRT *xprt) { struct rpc_msg rply; @@ -278,7 +278,7 @@ svcerr_noproc(register SVCXPRT *xprt) * Can't decode args error reply */ void -svcerr_decode(register SVCXPRT *xprt) +svcerr_decode(SVCXPRT *xprt) { struct rpc_msg rply; @@ -293,7 +293,7 @@ svcerr_decode(register SVCXPRT *xprt) * Some system error */ void -svcerr_systemerr(register SVCXPRT *xprt) +svcerr_systemerr(SVCXPRT *xprt) { struct rpc_msg rply; @@ -335,7 +335,7 @@ svcerr_weakauth(SVCXPRT *xprt) * Program unavailable error reply */ void -svcerr_noprog(register SVCXPRT *xprt) +svcerr_noprog(SVCXPRT *xprt) { struct rpc_msg rply; @@ -351,7 +351,7 @@ svcerr_noprog(register SVCXPRT *xprt) */ void svcerr_progvers( - register SVCXPRT *xprt, + SVCXPRT *xprt, rpcvers_t low_vers, rpcvers_t high_vers) { @@ -417,8 +417,8 @@ svc_getreqset(FDSET_TYPE *readfds) #ifndef FD_SETSIZE int readfds_local = *readfds; #endif - register SVCXPRT *xprt; - register int sock; + SVCXPRT *xprt; + int sock; #ifdef FD_SETSIZE for (sock = 0; sock <= svc_maxfd; sock++) { @@ -467,7 +467,7 @@ svc_do_xprt(SVCXPRT *xprt) r.rq_clntcred = cookedcred; do { - register struct svc_callout *s; + struct svc_callout *s; enum auth_stat why; if (!SVC_RECV(xprt, &msg)) diff --git a/src/lib/rpc/svc_auth.c b/src/lib/rpc/svc_auth.c index 5fedef7..2df9cf4 100644 --- a/src/lib/rpc/svc_auth.c +++ b/src/lib/rpc/svc_auth.c @@ -47,8 +47,8 @@ * * enum auth_stat * flavorx_auth(rqst, msg) - * register struct svc_req *rqst; - * register struct rpc_msg *msg; + * struct svc_req *rqst; + * struct rpc_msg *msg; * */ @@ -59,9 +59,6 @@ static struct svcauthsw_type { } svcauthsw[] = { {AUTH_GSSAPI, gssrpc__svcauth_gssapi}, /* AUTH_GSSAPI */ {AUTH_NONE, gssrpc__svcauth_none}, /* AUTH_NONE */ -#if 0 - {AUTH_GSSAPI_COMPAT, gssrpc__svcauth_gssapi}, /* AUTH_GSSAPI_COMPAT */ -#endif {AUTH_UNIX, gssrpc__svcauth_unix}, /* AUTH_UNIX */ {AUTH_SHORT, gssrpc__svcauth_short}, /* AUTH_SHORT */ {RPCSEC_GSS, gssrpc__svcauth_gss} /* RPCSEC_GSS */ @@ -85,11 +82,11 @@ static int svcauthnum = sizeof(svcauthsw) / sizeof(struct svcauthsw_type); */ enum auth_stat gssrpc__authenticate( - register struct svc_req *rqst, + struct svc_req *rqst, struct rpc_msg *msg, bool_t *no_dispatch) { - register int cred_flavor, i; + int cred_flavor, i; rqst->rq_cred = msg->rm_call.cb_cred; rqst->rq_xprt->xp_verf.oa_flavor = gssrpc__null_auth.oa_flavor; diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c index f3b3e35..4831b00 100644 --- a/src/lib/rpc/svc_auth_gssapi.c +++ b/src/lib/rpc/svc_auth_gssapi.c @@ -154,8 +154,8 @@ badauth(OM_uint32 maj, OM_uint32 minor, SVCXPRT *xprt) } enum auth_stat gssrpc__svcauth_gssapi( - register struct svc_req *rqst, - register struct rpc_msg *msg, + struct svc_req *rqst, + struct rpc_msg *msg, bool_t *no_dispatch) { XDR xdrs; @@ -869,10 +869,6 @@ done: L_PRINTF(2, ("destroy_client: client %d destroyed\n", client_data->key)); free(client_data); - -#if 0 /*ifdef PURIFY*/ - purify_watch_n(client_data, sizeof(*client_data), "rw"); -#endif } static void dump_db(char *msg) diff --git a/src/lib/rpc/svc_auth_unix.c b/src/lib/rpc/svc_auth_unix.c index a4b87d8..ee3057e 100644 --- a/src/lib/rpc/svc_auth_unix.c +++ b/src/lib/rpc/svc_auth_unix.c @@ -53,14 +53,14 @@ static char sccsid[] = "@(#)svc_auth_unix.c 1.28 88/02/08 Copyr 1984 Sun Micro"; */ enum auth_stat gssrpc__svcauth_unix( - register struct svc_req *rqst, - register struct rpc_msg *msg, + struct svc_req *rqst, + struct rpc_msg *msg, bool_t *dispatch) { - register enum auth_stat stat; + enum auth_stat stat; XDR xdrs; - register struct authunix_parms *aup; - register rpc_inline_t *buf; + struct authunix_parms *aup; + rpc_inline_t *buf; struct area { struct authunix_parms area_aup; char area_machname[MAX_MACHINE_NAME+1]; diff --git a/src/lib/rpc/svc_raw.c b/src/lib/rpc/svc_raw.c index ef5f3d3..dba6c29 100644 --- a/src/lib/rpc/svc_raw.c +++ b/src/lib/rpc/svc_raw.c @@ -74,7 +74,7 @@ static struct xp_ops server_ops = { SVCXPRT * svcraw_create(void) { - register struct svcraw_private *srp = svcraw_private; + struct svcraw_private *srp = svcraw_private; if (srp == 0) { srp = (struct svcraw_private *)calloc(1, sizeof (*srp)); @@ -100,8 +100,8 @@ svcraw_stat(SVCXPRT *xprt) static bool_t svcraw_recv(SVCXPRT *xprt, struct rpc_msg *msg) { - register struct svcraw_private *srp = svcraw_private; - register XDR *xdrs; + struct svcraw_private *srp = svcraw_private; + XDR *xdrs; if (srp == 0) return (0); @@ -116,8 +116,8 @@ svcraw_recv(SVCXPRT *xprt, struct rpc_msg *msg) static bool_t svcraw_reply(SVCXPRT *xprt, struct rpc_msg *msg) { - register struct svcraw_private *srp = svcraw_private; - register XDR *xdrs; + struct svcraw_private *srp = svcraw_private; + XDR *xdrs; if (srp == 0) return (FALSE); @@ -133,7 +133,7 @@ svcraw_reply(SVCXPRT *xprt, struct rpc_msg *msg) static bool_t svcraw_getargs(SVCXPRT *xprt, xdrproc_t xdr_args, void *args_ptr) { - register struct svcraw_private *srp = svcraw_private; + struct svcraw_private *srp = svcraw_private; if (srp == 0) return (FALSE); @@ -147,8 +147,8 @@ svcraw_getargs(SVCXPRT *xprt, xdrproc_t xdr_args, void *args_ptr) static bool_t svcraw_freeargs(SVCXPRT *xprt, xdrproc_t xdr_args, void *args_ptr) { - register struct svcraw_private *srp = svcraw_private; - register XDR *xdrs; + struct svcraw_private *srp = svcraw_private; + XDR *xdrs; if (srp == 0) return (FALSE); diff --git a/src/lib/rpc/svc_tcp.c b/src/lib/rpc/svc_tcp.c index d78cf55..54ce70e 100644 --- a/src/lib/rpc/svc_tcp.c +++ b/src/lib/rpc/svc_tcp.c @@ -141,8 +141,8 @@ svctcp_create( u_int recvsize) { bool_t madesock = FALSE; - register SVCXPRT *xprt; - register struct tcp_rendezvous *r; + SVCXPRT *xprt; + struct tcp_rendezvous *r; struct sockaddr_storage ss; struct sockaddr *sa = (struct sockaddr *)&ss; socklen_t len; @@ -225,8 +225,8 @@ makefd_xprt( u_int sendsize, u_int recvsize) { - register SVCXPRT *xprt; - register struct tcp_conn *cd; + SVCXPRT *xprt; + struct tcp_conn *cd; #ifdef FD_SETSIZE if (fd >= FD_SETSIZE) { @@ -272,7 +272,7 @@ makefd_xprt( static bool_t rendezvous_request( - register SVCXPRT *xprt, + SVCXPRT *xprt, struct rpc_msg *msg) { SOCKET sock; @@ -309,16 +309,16 @@ rendezvous_request( } static enum xprt_stat -rendezvous_stat(register SVCXPRT *xprt) +rendezvous_stat(SVCXPRT *xprt) { return (XPRT_IDLE); } static void -svctcp_destroy(register SVCXPRT *xprt) +svctcp_destroy(SVCXPRT *xprt) { - register struct tcp_conn *cd = (struct tcp_conn *)xprt->xp_p1; + struct tcp_conn *cd = xprt->xp_p1; xprt_unregister(xprt); (void)closesocket(xprt->xp_sock); @@ -352,10 +352,10 @@ static int readtcp( char *xprtptr, caddr_t buf, - register int len) + int len) { - register SVCXPRT *xprt = (SVCXPRT *)(void *)xprtptr; - register int sock = xprt->xp_sock; + SVCXPRT *xprt = (void *)xprtptr; + int sock = xprt->xp_sock; struct timeval tout; #ifdef FD_SETSIZE fd_set mask; @@ -364,7 +364,7 @@ readtcp( FD_ZERO(&mask); FD_SET(sock, &mask); #else - register int mask = 1 << sock; + int mask = 1 << sock; int readfds; #endif /* def FD_SETSIZE */ #ifdef FD_SETSIZE @@ -401,8 +401,8 @@ writetcp( caddr_t buf, int len) { - register SVCXPRT *xprt = (SVCXPRT *)(void *) xprtptr; - register int i, cnt; + SVCXPRT *xprt = (void *)xprtptr; + int i, cnt; for (cnt = len; cnt > 0; cnt -= i, buf += i) { if ((i = write(xprt->xp_sock, buf, (size_t) cnt)) < 0) { @@ -417,8 +417,7 @@ writetcp( static enum xprt_stat svctcp_stat(SVCXPRT *xprt) { - register struct tcp_conn *cd = - (struct tcp_conn *)(xprt->xp_p1); + struct tcp_conn *cd = xprt->xp_p1; if (cd->strm_stat == XPRT_DIED) return (XPRT_DIED); @@ -430,11 +429,10 @@ svctcp_stat(SVCXPRT *xprt) static bool_t svctcp_recv( SVCXPRT *xprt, - register struct rpc_msg *msg) + struct rpc_msg *msg) { - register struct tcp_conn *cd = - (struct tcp_conn *)(xprt->xp_p1); - register XDR *xdrs = &(cd->xdrs); + struct tcp_conn *cd = xprt->xp_p1; + XDR *xdrs = &cd->xdrs; xdrs->x_op = XDR_DECODE; (void)xdrrec_skiprecord(xdrs); @@ -466,8 +464,7 @@ svctcp_freeargs( xdrproc_t xdr_args, void * args_ptr) { - register XDR *xdrs = - &(((struct tcp_conn *)(xprt->xp_p1))->xdrs); + XDR *xdrs = &((struct tcp_conn *)(xprt->xp_p1))->xdrs; xdrs->x_op = XDR_FREE; return ((*xdr_args)(xdrs, args_ptr)); @@ -475,12 +472,11 @@ svctcp_freeargs( static bool_t svctcp_reply( SVCXPRT *xprt, - register struct rpc_msg *msg) + struct rpc_msg *msg) { - register struct tcp_conn *cd = - (struct tcp_conn *)(xprt->xp_p1); - register XDR *xdrs = &(cd->xdrs); - register bool_t stat; + struct tcp_conn *cd = xprt->xp_p1; + XDR *xdrs = &cd->xdrs; + bool_t stat; xdrproc_t xdr_results = NULL; caddr_t xdr_location = 0; diff --git a/src/lib/rpc/svc_udp.c b/src/lib/rpc/svc_udp.c index f70bf01..8ecbdf2 100644 --- a/src/lib/rpc/svc_udp.c +++ b/src/lib/rpc/svc_udp.c @@ -108,13 +108,13 @@ struct svcudp_data { */ SVCXPRT * svcudp_bufcreate( - register int sock, + int sock, u_int sendsz, u_int recvsz) { bool_t madesock = FALSE; - register SVCXPRT *xprt; - register struct svcudp_data *su; + SVCXPRT *xprt; + struct svcudp_data *su; struct sockaddr_storage ss; struct sockaddr *sa = (struct sockaddr *)&ss; socklen_t len; @@ -191,14 +191,14 @@ svcudp_stat(SVCXPRT *xprt) static bool_t svcudp_recv( - register SVCXPRT *xprt, + SVCXPRT *xprt, struct rpc_msg *msg) { struct msghdr dummy; struct iovec dummy_iov[1]; - register struct svcudp_data *su = su_data(xprt); - register XDR *xdrs = &(su->su_xdrs); - register int rlen; + struct svcudp_data *su = su_data(xprt); + XDR *xdrs = &su->su_xdrs; + int rlen; char *reply; uint32_t replylen; socklen_t addrlen; @@ -243,13 +243,13 @@ svcudp_recv( } static bool_t svcudp_reply( - register SVCXPRT *xprt, + SVCXPRT *xprt, struct rpc_msg *msg) { - register struct svcudp_data *su = su_data(xprt); - register XDR *xdrs = &(su->su_xdrs); - register int slen; - register bool_t stat = FALSE; + struct svcudp_data *su = su_data(xprt); + XDR *xdrs = &su->su_xdrs; + int slen; + bool_t stat = FALSE; xdrproc_t xdr_results = NULL; caddr_t xdr_location = 0; @@ -305,16 +305,16 @@ svcudp_freeargs( xdrproc_t xdr_args, void * args_ptr) { - register XDR *xdrs = &(su_data(xprt)->su_xdrs); + XDR *xdrs = &su_data(xprt)->su_xdrs; xdrs->x_op = XDR_FREE; return ((*xdr_args)(xdrs, args_ptr)); } static void -svcudp_destroy(register SVCXPRT *xprt) +svcudp_destroy(SVCXPRT *xprt) { - register struct svcudp_data *su = su_data(xprt); + struct svcudp_data *su = su_data(xprt); xprt_unregister(xprt); if (xprt->xp_sock != INVALID_SOCKET) @@ -446,9 +446,9 @@ cache_set( SVCXPRT *xprt, uint32_t replylen) { - register cache_ptr victim; - register cache_ptr *vicp; - register struct svcudp_data *su = su_data(xprt); + cache_ptr victim; + cache_ptr *vicp; + struct svcudp_data *su = su_data(xprt); struct udp_cache *uc = (struct udp_cache *) su->su_cache; u_int loc; char *newbuf; @@ -479,6 +479,7 @@ cache_set( newbuf = mem_alloc(su->su_iosz); if (newbuf == NULL) { CACHE_PERROR("cache_set: could not allocate new rpc_buffer"); + free(victim); return; } } @@ -514,9 +515,9 @@ cache_get( uint32_t *replylenp) { u_int loc; - register cache_ptr ent; - register struct svcudp_data *su = su_data(xprt); - register struct udp_cache *uc = (struct udp_cache *) su->su_cache; + cache_ptr ent; + struct svcudp_data *su = su_data(xprt); + struct udp_cache *uc = su->su_cache; # define EQADDR(a1, a2) (memcmp((char*)&a1, (char*)&a2, sizeof(a1)) == 0) diff --git a/src/lib/rpc/unit-test/rpc_test_svc.c b/src/lib/rpc/unit-test/rpc_test_svc.c index 88939f0..c54c081 100644 --- a/src/lib/rpc/unit-test/rpc_test_svc.c +++ b/src/lib/rpc/unit-test/rpc_test_svc.c @@ -16,7 +16,7 @@ static int _rpcsvccount = 0; /* Number of requests being serviced */ void rpc_test_prog_1_svc(rqstp, transp) struct svc_req *rqstp; - register SVCXPRT *transp; + SVCXPRT *transp; { union { char *rpc_test_echo_1_arg; diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c index 7451558..13e99bb 100644 --- a/src/lib/rpc/unit-test/server.c +++ b/src/lib/rpc/unit-test/server.c @@ -60,7 +60,7 @@ main(int argc, char **argv) { int c, prot; auth_gssapi_name names[2]; - register SVCXPRT *transp; + SVCXPRT *transp; extern int optind; #ifdef POSIX_SIGNALS struct sigaction sa; diff --git a/src/lib/rpc/xdr.c b/src/lib/rpc/xdr.c index 2b7c17b..8c14ddc 100644 --- a/src/lib/rpc/xdr.c +++ b/src/lib/rpc/xdr.c @@ -212,7 +212,7 @@ xdr_u_long(XDR *xdrs, u_long *ulp) * XDR short integers */ bool_t -xdr_short(register XDR *xdrs, short *sp) +xdr_short(XDR *xdrs, short *sp) { long l; @@ -243,7 +243,7 @@ xdr_short(register XDR *xdrs, short *sp) * XDR unsigned short integers */ bool_t -xdr_u_short(register XDR *xdrs, u_short *usp) +xdr_u_short(XDR *xdrs, u_short *usp) { u_long l; @@ -318,7 +318,7 @@ xdr_u_char(XDR *xdrs, u_char *cp) * XDR booleans */ bool_t -xdr_bool(register XDR *xdrs, bool_t *bp) +xdr_bool(XDR *xdrs, bool_t *bp) { long lb; @@ -384,7 +384,7 @@ xdr_enum(XDR *xdrs, enum_t *ep) bool_t xdr_opaque(XDR *xdrs, caddr_t cp, u_int cnt) { - register u_int rndup; + u_int rndup; static int crud[BYTES_PER_XDR_UNIT]; /* @@ -438,8 +438,8 @@ xdr_bytes( u_int *sizep, u_int maxsize) { - register char *sp = *cpp; /* sp is the actual string pointer */ - register u_int nodesize; + char *sp = *cpp; /* sp is the actual string pointer */ + u_int nodesize; /* * first deal with the length since xdr bytes are counted @@ -563,7 +563,7 @@ xdr_union( xdrproc_t dfault /* default xdr routine */ ) { - register enum_t dscm; + enum_t dscm; /* * we deal with the discriminator; it's an enum @@ -607,7 +607,7 @@ xdr_union( bool_t xdr_string(XDR *xdrs, char **cpp, u_int maxsize) { - register char *sp = *cpp; /* sp is the actual string pointer */ + char *sp = *cpp; /* sp is the actual string pointer */ u_int size; u_int nodesize; diff --git a/src/lib/rpc/xdr_alloc.c b/src/lib/rpc/xdr_alloc.c index 8c58cff..f39210e 100644 --- a/src/lib/rpc/xdr_alloc.c +++ b/src/lib/rpc/xdr_alloc.c @@ -86,14 +86,14 @@ static void xdralloc_destroy(XDR *xdrs) } static bool_t xdralloc_notsup_getlong( - register XDR *xdrs, + XDR *xdrs, long *lp) { return FALSE; } static bool_t xdralloc_putlong( - register XDR *xdrs, + XDR *xdrs, long *lp) { int l = htonl((uint32_t) *lp); /* XXX need bounds checking */ @@ -108,18 +108,18 @@ static bool_t xdralloc_putlong( static bool_t xdralloc_notsup_getbytes( - register XDR *xdrs, + XDR *xdrs, caddr_t addr, - register unsigned int len) + unsigned int len) { return FALSE; } static bool_t xdralloc_putbytes( - register XDR *xdrs, + XDR *xdrs, caddr_t addr, - register unsigned int len) + unsigned int len) { if (DynInsert((DynObject) xdrs->x_private, DynSize((DynObject) xdrs->x_private), @@ -134,7 +134,7 @@ static unsigned int xdralloc_getpos(XDR *xdrs) } static bool_t xdralloc_notsup_setpos( - register XDR *xdrs, + XDR *xdrs, unsigned int lp) { return FALSE; @@ -143,7 +143,7 @@ static bool_t xdralloc_notsup_setpos( static rpc_inline_t *xdralloc_inline( - register XDR *xdrs, + XDR *xdrs, int len) { return (rpc_inline_t *) 0; diff --git a/src/lib/rpc/xdr_array.c b/src/lib/rpc/xdr_array.c index c3d16fb..aeaa7f2 100644 --- a/src/lib/rpc/xdr_array.c +++ b/src/lib/rpc/xdr_array.c @@ -59,7 +59,7 @@ static char sccsid[] = "@(#)xdr_array.c 1.10 87/08/11 Copyr 1984 Sun Micro"; */ bool_t xdr_array( - register XDR *xdrs, + XDR *xdrs, caddr_t *addrp, /* array pointer */ u_int *sizep, /* number of elements */ u_int maxsize, /* max numberof elements */ @@ -67,11 +67,11 @@ xdr_array( xdrproc_t elproc /* xdr routine to handle each element */ ) { - register u_int i; - register caddr_t target = *addrp; - register u_int c; /* the actual element count */ - register bool_t stat = TRUE; - register u_int nodesize; + u_int i; + caddr_t target = *addrp; + u_int c; /* the actual element count */ + bool_t stat = TRUE; + u_int nodesize; /* like strings, arrays are really counted arrays */ if (! xdr_u_int(xdrs, sizep)) { @@ -139,14 +139,14 @@ xdr_array( */ bool_t xdr_vector( - register XDR *xdrs, - register char *basep, - register u_int nelem, - register u_int elemsize, - register xdrproc_t xdr_elem) + XDR *xdrs, + char *basep, + u_int nelem, + u_int elemsize, + xdrproc_t xdr_elem) { - register u_int i; - register char *elptr; + u_int i; + char *elptr; elptr = basep; for (i = 0; i < nelem; i++) { diff --git a/src/lib/rpc/xdr_float.c b/src/lib/rpc/xdr_float.c index 5b6e9ca..82059b7 100644 --- a/src/lib/rpc/xdr_float.c +++ b/src/lib/rpc/xdr_float.c @@ -198,11 +198,11 @@ static struct dbl_limits { bool_t xdr_double(XDR *xdrs, double *dp) { - register int32_t *lp; + int32_t *lp; #if defined(vax) struct ieee_double id; struct vax_double vd; - register struct dbl_limits *lim; + struct dbl_limits *lim; int i; #endif diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c index f3eb047..8d3f120 100644 --- a/src/lib/rpc/xdr_mem.c +++ b/src/lib/rpc/xdr_mem.c @@ -160,8 +160,8 @@ xdrmem_getpos(XDR *xdrs) static bool_t xdrmem_setpos(XDR *xdrs, u_int pos) { - register caddr_t newaddr = xdrs->x_base + pos; - register caddr_t lastaddr = (char *) xdrs->x_private + xdrs->x_handy; + caddr_t newaddr = xdrs->x_base + pos; + caddr_t lastaddr = (char *)xdrs->x_private + xdrs->x_handy; if ((long)newaddr > (long)lastaddr) return (FALSE); diff --git a/src/lib/rpc/xdr_rec.c b/src/lib/rpc/xdr_rec.c index 0587882..28894f3 100644 --- a/src/lib/rpc/xdr_rec.c +++ b/src/lib/rpc/xdr_rec.c @@ -144,8 +144,7 @@ xdrrec_create( int (*writeit)() /* like write, but pass it a tcp_handle, not sock */ ) { - register RECSTREAM *rstrm = - (RECSTREAM *)mem_alloc(sizeof(RECSTREAM)); + RECSTREAM *rstrm = mem_alloc(sizeof(RECSTREAM)); if (rstrm == NULL) { (void)fprintf(stderr, "xdrrec_create: out of memory\n"); @@ -199,8 +198,8 @@ xdrrec_create( static bool_t xdrrec_getlong(XDR *xdrs, long *lp) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); - register int32_t *buflp = (int32_t *)(void *)(rstrm->in_finger); + RECSTREAM *rstrm = xdrs->x_private; + int32_t *buflp = (void *)(rstrm->in_finger); uint32_t mylong; /* first try the inline, fast case */ @@ -222,8 +221,8 @@ xdrrec_getlong(XDR *xdrs, long *lp) static bool_t xdrrec_putlong(XDR *xdrs, long *lp) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); - register int32_t *dest_lp = ((int32_t *)(void *)(rstrm->out_finger)); + RECSTREAM *rstrm = xdrs->x_private; + int32_t *dest_lp = (void *)(rstrm->out_finger); if (rstrm->out_boundry - rstrm->out_finger < BYTES_PER_XDR_UNIT) { /* @@ -243,8 +242,8 @@ xdrrec_putlong(XDR *xdrs, long *lp) static bool_t /* must manage buffers, fragments, and records */ xdrrec_getbytes(XDR *xdrs, caddr_t addr, u_int len) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); - register u_int current; + RECSTREAM *rstrm = xdrs->x_private; + u_int current; while (len > 0) { current = rstrm->fbtbc; @@ -268,8 +267,8 @@ xdrrec_getbytes(XDR *xdrs, caddr_t addr, u_int len) static bool_t xdrrec_putbytes(XDR *xdrs, caddr_t addr, u_int len) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); - register size_t current; + RECSTREAM *rstrm = xdrs->x_private; + size_t current; while (len > 0) { current = (size_t) ((long)rstrm->out_boundry - @@ -291,8 +290,8 @@ xdrrec_putbytes(XDR *xdrs, caddr_t addr, u_int len) static u_int xdrrec_getpos(XDR *xdrs) { - register RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private; - register int pos; + RECSTREAM *rstrm = xdrs->x_private; + int pos; switch (xdrs->x_op) { @@ -316,7 +315,7 @@ xdrrec_getpos(XDR *xdrs) static bool_t xdrrec_setpos(XDR *xdrs, u_int pos) { - register RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private; + RECSTREAM *rstrm = xdrs->x_private; u_int currpos = xdrrec_getpos(xdrs); int delta = currpos - pos; caddr_t newpos; @@ -353,7 +352,7 @@ xdrrec_setpos(XDR *xdrs, u_int pos) static rpc_inline_t * xdrrec_inline(XDR *xdrs, int len) { - register RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private; + RECSTREAM *rstrm = xdrs->x_private; rpc_inline_t * buf = NULL; if (len < 0) @@ -386,7 +385,7 @@ xdrrec_inline(XDR *xdrs, int len) static void xdrrec_destroy(XDR *xdrs) { - register RECSTREAM *rstrm = (RECSTREAM *)xdrs->x_private; + RECSTREAM *rstrm = xdrs->x_private; mem_free(rstrm->the_buffer, rstrm->sendsize + rstrm->recvsize + BYTES_PER_XDR_UNIT); @@ -405,7 +404,7 @@ xdrrec_destroy(XDR *xdrs) bool_t xdrrec_skiprecord(XDR *xdrs) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); + RECSTREAM *rstrm = xdrs->x_private; while (rstrm->fbtbc > 0 || (! rstrm->last_frag)) { if (! skip_input_bytes(rstrm, rstrm->fbtbc)) @@ -426,7 +425,7 @@ xdrrec_skiprecord(XDR *xdrs) bool_t xdrrec_eof(XDR *xdrs) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); + RECSTREAM *rstrm = xdrs->x_private; while (rstrm->fbtbc > 0 || (! rstrm->last_frag)) { if (! skip_input_bytes(rstrm, rstrm->fbtbc)) @@ -449,8 +448,8 @@ xdrrec_eof(XDR *xdrs) bool_t xdrrec_endofrecord(XDR *xdrs, bool_t sendnow) { - register RECSTREAM *rstrm = (RECSTREAM *)(xdrs->x_private); - register uint32_t len; /* fragment length */ + RECSTREAM *rstrm = xdrs->x_private; + uint32_t len; /* fragment length */ if (sendnow || rstrm->frag_sent || ((long)rstrm->out_finger + BYTES_PER_XDR_UNIT >= @@ -473,8 +472,8 @@ xdrrec_endofrecord(XDR *xdrs, bool_t sendnow) static bool_t flush_out(RECSTREAM *rstrm, bool_t eor) { - register uint32_t eormask = (eor == TRUE) ? LAST_FRAG : 0; - register uint32_t len = (u_long)(rstrm->out_finger) - + uint32_t eormask = (eor == TRUE) ? LAST_FRAG : 0; + uint32_t len = (u_long)(rstrm->out_finger) - (u_long)(rstrm->frag_header) - BYTES_PER_XDR_UNIT; *(rstrm->frag_header) = htonl(len | eormask); @@ -490,9 +489,9 @@ flush_out(RECSTREAM *rstrm, bool_t eor) static bool_t /* knows nothing about records! Only about input buffers */ fill_input_buf(RECSTREAM *rstrm) { - register caddr_t where; + caddr_t where; u_int i; - register int len; + int len; where = rstrm->in_base; i = (u_int)((u_long)rstrm->in_boundry % BYTES_PER_XDR_UNIT); @@ -509,7 +508,7 @@ fill_input_buf(RECSTREAM *rstrm) static bool_t /* knows nothing about records! Only about input buffers */ get_input_bytes(RECSTREAM *rstrm, caddr_t addr, int len) { - register size_t current; + size_t current; while (len > 0) { current = (size_t)((long)rstrm->in_boundry - @@ -530,7 +529,7 @@ get_input_bytes(RECSTREAM *rstrm, caddr_t addr, int len) static bool_t /* next four bytes of input stream are treated as a header */ set_input_fragment(rstrm) - register RECSTREAM *rstrm; + RECSTREAM *rstrm; { uint32_t header; @@ -545,7 +544,7 @@ set_input_fragment(rstrm) static bool_t /* consumes input bytes; knows nothing about records! */ skip_input_bytes(RECSTREAM *rstrm, int32_t cnt) { - register int current; + int current; while (cnt > 0) { current = (int)((long)rstrm->in_boundry - diff --git a/src/lib/rpc/xdr_reference.c b/src/lib/rpc/xdr_reference.c index eca4648..eab7d2d 100644 --- a/src/lib/rpc/xdr_reference.c +++ b/src/lib/rpc/xdr_reference.c @@ -66,8 +66,8 @@ xdr_reference( xdrproc_t proc /* xdr routine to handle the object */ ) { - register caddr_t loc = *pp; - register bool_t stat; + caddr_t loc = *pp; + bool_t stat; if (loc == NULL) switch (xdrs->x_op) { diff --git a/src/lib/win_glue.c b/src/lib/win_glue.c index 3d6dd72..e149a12 100644 --- a/src/lib/win_glue.c +++ b/src/lib/win_glue.c @@ -111,10 +111,6 @@ void GetCallingAppVerInfo( char *AppTitle, char *AppVer, char *AppIni, * hey , I bet we don't have a version resource, let's * punt */ -#if 0 - /* let's see what we have? (1813 means no resource) */ - size = GetLastError(); /* WIN32 only */ -#endif *VSflag = FALSE; return; } @@ -291,11 +287,6 @@ krb5_error_code krb5_vercheck() return retval; #endif #ifdef VERSERV -#if 0 - /* Check library ? */ - if (CallVersionServer(APP_TITLE, APP_VER, APP_INI, NULL)) - return KRB5_LIB_EXPIRED; -#endif { #ifdef APP_TITLE if (CallVersionServer(APP_TITLE, APP_VER, APP_INI, NULL)) diff --git a/src/man/Makefile.in b/src/man/Makefile.in index 4bc670b..e3722b1 100644 --- a/src/man/Makefile.in +++ b/src/man/Makefile.in @@ -15,7 +15,7 @@ MANSUBS=k5identity.sub k5login.sub k5srvutil.sub kadm5.acl.sub kadmin.sub \ kadmind.sub kdb5_ldap_util.sub kdb5_util.sub kdc.conf.sub \ kdestroy.sub kinit.sub klist.sub kpasswd.sub kprop.sub kpropd.sub \ kproplog.sub krb5.conf.sub krb5-config.sub krb5kdc.sub ksu.sub \ - kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub + kswitch.sub ktutil.sub kvno.sub sclient.sub sserver.sub kerberos.sub docsrc=$(top_srcdir)/../doc @@ -56,9 +56,11 @@ all: $(MANSUBS) clean: rm -rf $(MANSUBS) rst_man -install: install-clientman install-fileman install-adminman install-serverman +install: install-clientman install-fileman install-adminman \ + install-overviewman install-serverman -install-catman: install-clientcat install-filecat install-admincat install-servercat +install-catman: install-clientcat install-filecat install-admincat \ + install-overviewcat install-servercat install-clientman: $(INSTALL_DATA) k5srvutil.sub $(DESTDIR)$(CLIENT_MANDIR)/k5srvutil.1 @@ -85,6 +87,9 @@ install-fileman: $(INSTALL_DATA) kdc.conf.sub $(DESTDIR)$(FILE_MANDIR)/kdc.conf.5 $(INSTALL_DATA) krb5.conf.sub $(DESTDIR)$(FILE_MANDIR)/krb5.conf.5 +install-overviewman: + $(INSTALL_DATA) kerberos.sub $(DESTDIR)$(OVERVIEW_MANDIR)/kerberos.7 + install-adminman: $(INSTALL_DATA) $(srcdir)/kadmin.local.8 \ $(DESTDIR)$(ADMIN_MANDIR)/kadmin.local.8 @@ -127,6 +132,9 @@ install-filecat: $(GROFF_MAN) kdc.conf.sub > $(DESTDIR)$(FILE_CATDIR)/kdc.conf.5 $(GROFF_MAN) krb5.conf.sub > $(DESTDIR)$(FILE_CATDIR)/krb5.conf.5 +install-overviewcat: + $(GROFF_MAN) kerberos.sub > $(DESTDIR)$(OVERVIEW_CATDIR)/kerberos.7 + install-admincat: ($(RM) $(DESTDIR)$(ADMIN_CATDIR)/kadmin.local.8; \ $(LN_S) $(CLIENT_CATDIR)/kadmin.1 \ diff --git a/src/man/README b/src/man/README index 3e81deb..e111900 100644 --- a/src/man/README +++ b/src/man/README @@ -1,4 +1,3 @@ The manual page files in this directory are generated from -reStructuredText format from doc/. Edits made here will not -survive a run of "make rstman" from the doc directory, except for the -files that implement "shadow manpages". +reStructuredText files in doc/. Edits made here will not survive a +rebuild. diff --git a/src/man/k5identity.man b/src/man/k5identity.man index 372374a..039cbe3 100644 --- a/src/man/k5identity.man +++ b/src/man/k5identity.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "K5IDENTITY" "5" " " "1.15.2" "MIT Kerberos" +.TH "K5IDENTITY" "5" " " "1.17" "MIT Kerberos" .SH NAME k5identity \- Kerberos V5 client principal selection rules . @@ -50,19 +50,19 @@ principal is chosen as the client principal. The following fields are recognized: .INDENT 0.0 .TP -.B \fBrealm\fP +\fBrealm\fP If the realm of the server principal is known, it is matched against \fIvalue\fP, which may be a pattern using shell wildcards. For host\-based server principals, the realm will generally only be -known if there is a \fIdomain_realm\fP section in -\fIkrb5.conf(5)\fP with a mapping for the hostname. +known if there is a domain_realm section in +krb5.conf(5) with a mapping for the hostname. .TP -.B \fBservice\fP +\fBservice\fP If the server principal is a host\-based principal, its service component is matched against \fIvalue\fP, which may be a pattern using shell wildcards. .TP -.B \fBhost\fP +\fBhost\fP If the server principal is a host\-based principal, its hostname component is converted to lower case and matched against \fIvalue\fP, which may be a pattern using shell wildcards. @@ -94,10 +94,10 @@ alice/mail@EXAMPLE.COM host=mail.example.com service=imap .UNINDENT .SH SEE ALSO .sp -kerberos(1), \fIkrb5.conf(5)\fP +kerberos(1), krb5.conf(5) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/k5login.man b/src/man/k5login.man index 1f51871..5debeb1 100644 --- a/src/man/k5login.man +++ b/src/man/k5login.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "K5LOGIN" "5" " " "1.15.2" "MIT Kerberos" +.TH "K5LOGIN" "5" " " "1.17" "MIT Kerberos" .SH NAME k5login \- Kerberos V5 acl file for host access . @@ -56,7 +56,7 @@ bob@FOOBAR.ORG This would allow \fBbob\fP to use Kerberos network applications, such as ssh(1), to access \fBalice\fP\(aqs account, using \fBbob\fP\(aqs Kerberos tickets. In a default configuration (with \fBk5login_authoritative\fP set -to true in \fIkrb5.conf(5)\fP), this .k5login file would not let +to true in krb5.conf(5)), this .k5login file would not let \fBalice\fP use those network applications to access her account, since she is not listed! With no .k5login file, or with \fBk5login_authoritative\fP set to false, a default rule would permit the principal \fBalice\fP in the @@ -91,6 +91,6 @@ kerberos(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/k5srvutil.man b/src/man/k5srvutil.man index b0b7f99..722132e 100644 --- a/src/man/k5srvutil.man +++ b/src/man/k5srvutil.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "K5SRVUTIL" "1" " " "1.15.2" "MIT Kerberos" +.TH "K5SRVUTIL" "1" " " "1.17" "MIT Kerberos" .SH NAME k5srvutil \- host key table (keytab) manipulation utility . @@ -45,11 +45,11 @@ or to delete non\-current keys from a keytab. \fIoperation\fP must be one of the following: .INDENT 0.0 .TP -.B \fBlist\fP +\fBlist\fP Lists the keys in a keytab, showing version number and principal name. .TP -.B \fBchange\fP +\fBchange\fP Uses the kadmin protocol to update the keys in the Kerberos database to new randomly\-generated keys, and updates the keys in the keytab to match. If a key\(aqs version number doesn\(aqt match the @@ -63,14 +63,14 @@ option. Old keys are retained in the keytab so that existing tickets continue to work, but \fBdelold\fP should be used after such tickets expire, to prevent attacks against the old keys. .TP -.B \fBdelold\fP +\fBdelold\fP Deletes keys that are not the most recent version from the keytab. This operation should be used some time after a change operation to remove old keys, after existing tickets issued for the service have expired. If the \fB\-i\fP flag is given, then k5srvutil will prompt for confirmation for each principal. .TP -.B \fBdelete\fP +\fBdelete\fP Deletes particular keys in the keytab, interactively prompting for each key. .UNINDENT @@ -78,14 +78,18 @@ each key. In all cases, the default keytab is used unless this is overridden by the \fB\-f\fP option. .sp -k5srvutil uses the \fIkadmin(1)\fP program to edit the keytab in +k5srvutil uses the kadmin(1) program to edit the keytab in place. +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIktutil(1)\fP +kadmin(1), ktutil(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadm5.acl.man b/src/man/kadm5.acl.man index a51bca4..5f1a2ac 100644 --- a/src/man/kadm5.acl.man +++ b/src/man/kadm5.acl.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KADM5.ACL" "5" " " "1.15.2" "MIT Kerberos" +.TH "KADM5.ACL" "5" " " "1.17" "MIT Kerberos" .SH NAME kadm5.acl \- Kerberos ACL file . @@ -32,14 +32,14 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .. .SH DESCRIPTION .sp -The Kerberos \fIkadmind(8)\fP daemon uses an Access Control List +The Kerberos kadmind(8) daemon uses an Access Control List (ACL) file to manage access rights to the Kerberos database. For operations that affect principals, the ACL file also controls which principals can operate on which other principals. .sp The default location of the Kerberos ACL file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP unless this is overridden by the \fIacl_file\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .SH SYNTAX .sp Empty lines and lines starting with the sharp sign (\fB#\fP) are @@ -127,7 +127,7 @@ _ T{ p T} T{ -[Dis]allows the propagation of the principal database (used in \fIincr_db_prop\fP) +[Dis]allows the propagation of the principal database (used in incr_db_prop) T} _ T{ @@ -185,7 +185,7 @@ in which \fB*number\fP matches the corresponding wildcard in .B {+|\-}\fIflagname\fP flag is forced to the indicated value. The permissible flags are the same as those for the \fBdefault_principal_flags\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .TP .B \fI\-clearpolicy\fP policy is forced to be empty. @@ -194,7 +194,7 @@ policy is forced to be empty. policy is forced to be \fIpol\fP\&. .TP .B \-{\fIexpire, pwexpire, maxlife, maxrenewlife\fP} \fItime\fP -(\fIgetdate\fP string) associated value will be forced to +(getdate string) associated value will be forced to MIN(\fItime\fP, requested value). .UNINDENT .UNINDENT @@ -257,12 +257,23 @@ principals. \fBsms@ATHENA.MIT.EDU\fP has all permissions except extracting keys, but any principal that it creates or modifies will not be able to get postdateable tickets or tickets with a life of longer than 9 hours. +.SH MODULE BEHAVIOR +.sp +The ACL file can coexist with other authorization modules in release +1.16 and later, as configured in the kadm5_auth section of +krb5.conf(5)\&. The ACL file will positively authorize +operations according to the rules above, but will never +authoritatively deny an operation, so other modules can authorize +operations in addition to those authorized by the ACL file. +.sp +To operate without an ACL file, set the \fIacl_file\fP variable in +kdc.conf(5) to the empty string with \fBacl_file = ""\fP\&. .SH SEE ALSO .sp -\fIkdc.conf(5)\fP, \fIkadmind(8)\fP +kdc.conf(5), kadmind(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmin.man b/src/man/kadmin.man index 142d63a..8496772 100644 --- a/src/man/kadmin.man +++ b/src/man/kadmin.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KADMIN" "1" " " "1.15.2" "MIT Kerberos" +.TH "KADMIN" "1" " " "1.17" "MIT Kerberos" .SH NAME kadmin \- Kerberos V5 database administration program . @@ -56,7 +56,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] kadmin and kadmin.local are command\-line interfaces to the Kerberos V5 administration system. They provide nearly identical functionalities; the difference is that kadmin.local directly accesses the KDC -database, while kadmin performs operations using \fIkadmind(8)\fP\&. +database, while kadmin performs operations using kadmind(8)\&. Except as explicitly noted otherwise, this man page will use "kadmin" to refer to both versions. kadmin provides for the maintenance of Kerberos principals, password policies, and service key tables @@ -80,30 +80,30 @@ kadmin.local can be run on any host which can access the LDAP server. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Use \fIrealm\fP as the default database realm. .TP -.B \fB\-p\fP \fIprincipal\fP +\fB\-p\fP \fIprincipal\fP Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append \fB/admin\fP to the primary principal name of the default ccache, the value of the \fBUSER\fP environment variable, or the username as obtained with getpwuid, in order of preference. .TP -.B \fB\-k\fP +\fB\-k\fP Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be \fBhost/hostname\fP\&. If there is no keytab specified with the \fB\-t\fP option, then the default keytab will be used. .TP -.B \fB\-t\fP \fIkeytab\fP +\fB\-t\fP \fIkeytab\fP Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option. .TP -.B \fB\-n\fP +\fB\-n\fP Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure \fBpkinit_anchors\fP in the client\(aqs -\fIkrb5.conf(5)\fP\&. Then use the \fB\-n\fP option with a principal +krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is @@ -114,46 +114,46 @@ principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. .TP -.B \fB\-c\fP \fIcredentials_cache\fP +\fB\-c\fP \fIcredentials_cache\fP Use \fIcredentials_cache\fP as the credentials cache. The cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP service; it can be acquired with the -\fIkinit(1)\fP program. If this option is not specified, kadmin +kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache. .TP -.B \fB\-w\fP \fIpassword\fP +\fB\-w\fP \fIpassword\fP Use \fIpassword\fP instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list. .TP -.B \fB\-q\fP \fIquery\fP +\fB\-q\fP \fIquery\fP Perform the specified query and then exit. .TP -.B \fB\-d\fP \fIdbname\fP +\fB\-d\fP \fIdbname\fP Specifies the name of the KDC database. This option does not apply to the LDAP database module. .TP -.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP] +\fB\-s\fP \fIadmin_server\fP[:\fIport\fP] Specifies the admin server which kadmin should contact. .TP -.B \fB\-m\fP +\fB\-m\fP If using kadmin.local, prompt for the database master password instead of reading it from a stash file. .TP -.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." +\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..." Sets the keysalt list to be used for any new keys created. See -\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of possible +Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-O\fP +\fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor. .TP -.B \fB\-N\fP +\fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor. .TP -.B \fB\-x\fP \fIdb_args\fP +\fB\-x\fP \fIdb_args\fP Specifies the database specific arguments. See the next section for supported options. .UNINDENT @@ -188,10 +188,10 @@ Supported options for the DB2 module are: .INDENT 3.5 .INDENT 0.0 .TP -.B \fB\-x dbname=\fP*filename* +\fB\-x dbname=\fP*filename* Specifies the base filename of the DB2 database. .TP -.B \fB\-x lockiter\fP +\fB\-x lockiter\fP Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default @@ -199,7 +199,7 @@ behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13. .TP -.B \fB\-x unlockiter\fP +\fB\-x unlockiter\fP Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13. @@ -212,39 +212,39 @@ Supported options for the LDAP module are: .INDENT 3.5 .INDENT 0.0 .TP -.B \fB\-x host=\fP\fIldapuri\fP +\fB\-x host=\fP\fIldapuri\fP Specifies the LDAP server to connect to by a LDAP URI. .TP -.B \fB\-x binddn=\fP\fIbind_dn\fP +\fB\-x binddn=\fP\fIbind_dn\fP Specifies the DN used to bind to the LDAP server. .TP -.B \fB\-x bindpwd=\fP\fIpassword\fP +\fB\-x bindpwd=\fP\fIpassword\fP Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the \fBstashsrvpw\fP command of -\fIkdb5_ldap_util(8)\fP\&. +kdb5_ldap_util(8)\&. .TP -.B \fB\-x sasl_mech=\fP\fImechanism\fP +\fB\-x sasl_mech=\fP\fImechanism\fP Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13. .TP -.B \fB\-x sasl_authcid=\fP\fIname\fP +\fB\-x sasl_authcid=\fP\fIname\fP Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13. .TP -.B \fB\-x sasl_authzid=\fP\fIname\fP +\fB\-x sasl_authzid=\fP\fIname\fP Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13. .TP -.B \fB\-x sasl_realm=\fP\fIrealm\fP +\fB\-x sasl_realm=\fP\fIrealm\fP Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13. .TP -.B \fB\-x debug=\fP\fIlevel\fP +\fB\-x debug=\fP\fIlevel\fP sets the OpenLDAP client library debug level. \fIlevel\fP is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12. @@ -254,7 +254,7 @@ are printed to standard error. New in release 1.12. .SH COMMANDS .sp When using the remote client, available commands may be restricted -according to the privileges specified in the \fIkadm5.acl(5)\fP file +according to the privileges specified in the kadm5.acl(5) file on the admin server. .SS add_principal .INDENT 0.0 @@ -277,54 +277,55 @@ Aliases: \fBaddprinc\fP, \fBank\fP Options: .INDENT 0.0 .TP -.B \fB\-expire\fP \fIexpdate\fP -(\fIgetdate\fP string) The expiration date of the principal. +\fB\-expire\fP \fIexpdate\fP +(getdate string) The expiration date of the principal. .TP -.B \fB\-pwexpire\fP \fIpwexpdate\fP -(\fIgetdate\fP string) The password expiration date. +\fB\-pwexpire\fP \fIpwexpdate\fP +(getdate string) The password expiration date. .TP -.B \fB\-maxlife\fP \fImaxlife\fP -(\fIduration\fP or \fIgetdate\fP string) The maximum ticket life +\fB\-maxlife\fP \fImaxlife\fP +(duration or getdate string) The maximum ticket life for the principal. .TP -.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP -(\fIduration\fP or \fIgetdate\fP string) The maximum renewable +\fB\-maxrenewlife\fP \fImaxrenewlife\fP +(duration or getdate string) The maximum renewable life of tickets for the principal. .TP -.B \fB\-kvno\fP \fIkvno\fP +\fB\-kvno\fP \fIkvno\fP The initial key version number. .TP -.B \fB\-policy\fP \fIpolicy\fP +\fB\-policy\fP \fIpolicy\fP The password policy used by this principal. If not specified, the policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP is specified). .TP -.B \fB\-clearpolicy\fP +\fB\-clearpolicy\fP Prevents any policy from being assigned when \fB\-policy\fP is not specified. .TP -.B {\-|+}\fBallow_postdated\fP +{\-|+}\fBallow_postdated\fP \fB\-allow_postdated\fP prohibits this principal from obtaining postdated tickets. \fB+allow_postdated\fP clears this flag. .TP -.B {\-|+}\fBallow_forwardable\fP +{\-|+}\fBallow_forwardable\fP \fB\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets. \fB+allow_forwardable\fP clears this flag. .TP -.B {\-|+}\fBallow_renewable\fP +{\-|+}\fBallow_renewable\fP \fB\-allow_renewable\fP prohibits this principal from obtaining renewable tickets. \fB+allow_renewable\fP clears this flag. .TP -.B {\-|+}\fBallow_proxiable\fP +{\-|+}\fBallow_proxiable\fP \fB\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets. \fB+allow_proxiable\fP clears this flag. .TP -.B {\-|+}\fBallow_dup_skey\fP +{\-|+}\fBallow_dup_skey\fP \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this -principal by prohibiting this principal from obtaining a session -key for another user. \fB+allow_dup_skey\fP clears this flag. +principal by prohibiting others from obtaining a service ticket +encrypted in this principal\(aqs TGT session key. +\fB+allow_dup_skey\fP clears this flag. .TP -.B {\-|+}\fBrequires_preauth\fP +{\-|+}\fBrequires_preauth\fP \fB+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit. \fB\-requires_preauth\fP clears this flag. When \fB+requires_preauth\fP is set on a service principal, @@ -332,7 +333,7 @@ the KDC will only issue service tickets for that service principal if the client\(aqs initial authentication was performed using preauthentication. .TP -.B {\-|+}\fBrequires_hwauth\fP +{\-|+}\fBrequires_hwauth\fP \fB+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit. \fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is @@ -340,45 +341,47 @@ set on a service principal, the KDC will only issue service tickets for that service principal if the client\(aqs initial authentication was performed using a hardware device to preauthenticate. .TP -.B {\-|+}\fBok_as_delegate\fP +{\-|+}\fBok_as_delegate\fP \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. \fB\-ok_as_delegate\fP clears this flag. .TP -.B {\-|+}\fBallow_svr\fP +{\-|+}\fBallow_svr\fP \fB\-allow_svr\fP prohibits the issuance of service tickets for this -principal. \fB+allow_svr\fP clears this flag. +principal. In release 1.17 and later, user\-to\-user service +tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is +also set. \fB+allow_svr\fP clears this flag. .TP -.B {\-|+}\fBallow_tgs_req\fP +{\-|+}\fBallow_tgs_req\fP \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted. \fB+allow_tgs_req\fP clears this flag. .TP -.B {\-|+}\fBallow_tix\fP +{\-|+}\fBallow_tix\fP \fB\-allow_tix\fP forbids the issuance of any tickets for this principal. \fB+allow_tix\fP clears this flag. .TP -.B {\-|+}\fBneedchange\fP +{\-|+}\fBneedchange\fP \fB+needchange\fP forces a password change on the next initial authentication to this principal. \fB\-needchange\fP clears this flag. .TP -.B {\-|+}\fBpassword_changing_service\fP +{\-|+}\fBpassword_changing_service\fP \fB+password_changing_service\fP marks this principal as a password change service principal. .TP -.B {\-|+}\fBok_to_auth_as_delegate\fP +{\-|+}\fBok_to_auth_as_delegate\fP \fB+ok_to_auth_as_delegate\fP allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation. .TP -.B {\-|+}\fBno_auth_data_required\fP +{\-|+}\fBno_auth_data_required\fP \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from being added to service tickets for the principal. .TP -.B {\-|+}\fBlockdown_keys\fP +{\-|+}\fBlockdown_keys\fP \fB+lockdown_keys\fP prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is @@ -389,42 +392,42 @@ krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local. .TP -.B \fB\-randkey\fP +\fB\-randkey\fP Sets the key of the principal to a random value. .TP -.B \fB\-nokey\fP +\fB\-nokey\fP Causes the principal to be created with no key. New in release 1.12. .TP -.B \fB\-pw\fP \fIpassword\fP +\fB\-pw\fP \fIpassword\fP Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-x\fP \fIdb_princ_args\fP +\fB\-x\fP \fIdb_princ_args\fP Indicates database\-specific options. The options for the LDAP database module are: .INDENT 7.0 .TP -.B \fB\-x dn=\fP\fIdn\fP +\fB\-x dn=\fP\fIdn\fP Specifies the LDAP object that will contain the Kerberos principal being created. .TP -.B \fB\-x linkdn=\fP\fIdn\fP +\fB\-x linkdn=\fP\fIdn\fP Specifies the LDAP object to which the newly created Kerberos principal object will point. .TP -.B \fB\-x containerdn=\fP\fIcontainer_dn\fP +\fB\-x containerdn=\fP\fIcontainer_dn\fP Specifies the container object under which the Kerberos principal is to be created. .TP -.B \fB\-x tktpolicy=\fP\fIpolicy\fP +\fB\-x tktpolicy=\fP\fIpolicy\fP Associates a ticket policy to the Kerberos principal. .UNINDENT .sp @@ -484,7 +487,7 @@ Alias: \fBmodprinc\fP Options (in addition to the \fBaddprinc\fP options): .INDENT 0.0 .TP -.B \fB\-unlock\fP +\fB\-unlock\fP Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate. @@ -535,20 +538,20 @@ Alias: \fBcpw\fP The following options are available: .INDENT 0.0 .TP -.B \fB\-randkey\fP +\fB\-randkey\fP Sets the key of the principal to a random value. .TP -.B \fB\-pw\fP \fIpassword\fP +\fB\-pw\fP \fIpassword\fP Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-keepold\fP +\fB\-keepold\fP Keeps the existing keys in the database. This flag is usually not necessary except perhaps for \fBkrbtgt\fP principals. .UNINDENT @@ -689,22 +692,29 @@ modules. The following string attribute names are recognized by the KDC: .INDENT 0.0 .TP -.B \fBrequire_auth\fP +\fBrequire_auth\fP Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.) .TP -.B \fBsession_enctypes\fP +\fBsession_enctypes\fP Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See -\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of the +Encryption_types in kdc.conf(5) for a list of the accepted values. .TP -.B \fBotp\fP +\fBotp\fP Enables One Time Passwords (OTP) preauthentication for a client \fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array of objects, each having optional \fBtype\fP and \fBusername\fP fields. +.TP +\fBpkinit_cert_match\fP +Specifies a matching expression that defines the certificate +attributes required for the client certificate used by the +principal during PKINIT authentication. The matching expression +is in the same format as those used by the \fBpkinit_cert_match\fP +option in krb5.conf(5)\&. (New in release 1.16.) .UNINDENT .sp This command requires the \fBmodify\fP privilege. @@ -751,29 +761,29 @@ Alias: \fBaddpol\fP The following options are available: .INDENT 0.0 .TP -.B \fB\-maxlife\fP \fItime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the maximum +\fB\-maxlife\fP \fItime\fP +(duration or getdate string) Sets the maximum lifetime of a password. .TP -.B \fB\-minlife\fP \fItime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the minimum +\fB\-minlife\fP \fItime\fP +(duration or getdate string) Sets the minimum lifetime of a password. .TP -.B \fB\-minlength\fP \fIlength\fP +\fB\-minlength\fP \fIlength\fP Sets the minimum length of a password. .TP -.B \fB\-minclasses\fP \fInumber\fP +\fB\-minclasses\fP \fInumber\fP Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters. .TP -.B \fB\-history\fP \fInumber\fP +\fB\-history\fP \fInumber\fP Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module. .UNINDENT .INDENT 0.0 .TP -.B \fB\-maxfailure\fP \fImaxnumber\fP +\fB\-maxfailure\fP \fImaxnumber\fP Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts @@ -782,8 +792,8 @@ resets to 0 after a successful attempt to authenticate. A .UNINDENT .INDENT 0.0 .TP -.B \fB\-failurecountinterval\fP \fIfailuretime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the allowable time +\fB\-failurecountinterval\fP \fIfailuretime\fP +(duration or getdate string) Sets the allowable time between authentication failures. If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, the number of authentication failures is reset to 1. A @@ -791,18 +801,18 @@ failure, the number of authentication failures is reset to 1. A .UNINDENT .INDENT 0.0 .TP -.B \fB\-lockoutduration\fP \fIlockouttime\fP -(\fIduration\fP or \fIgetdate\fP string) Sets the duration for +\fB\-lockoutduration\fP \fIlockouttime\fP +(duration or getdate string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with \fBmodprinc \-unlock\fP\&. .TP -.B \fB\-allowedkeysalts\fP +\fB\-allowedkeysalts\fP Specifies the key/salt tuples supported for long\-term keys when setting or changing a principal\(aqs password/keys. See -\fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a list of the +Keysalt_lists in kdc.conf(5) for a list of the accepted values, but note that key/salt tuples must be separated with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use a value of \(aq\-\(aq. @@ -962,19 +972,19 @@ With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege. The options are: .INDENT 0.0 .TP -.B \fB\-k[eytab]\fP \fIkeytab\fP +\fB\-k[eytab]\fP \fIkeytab\fP Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is used. .TP -.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,... +\fB\-e\fP \fIenc\fP:\fIsalt\fP,... Uses the specified keysalt list for setting the new keys of the -principal. See \fIKeysalt_lists\fP in \fIkdc.conf(5)\fP for a +principal. See Keysalt_lists in kdc.conf(5) for a list of possible values. .TP -.B \fB\-q\fP +\fB\-q\fP Display less verbose information. .TP -.B \fB\-norandkey\fP +\fB\-norandkey\fP Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the \fB\-e\fP option. @@ -1018,11 +1028,11 @@ kvno match that integer are removed. The options are: .INDENT 0.0 .TP -.B \fB\-k[eytab]\fP \fIkeytab\fP +\fB\-k[eytab]\fP \fIkeytab\fP Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is used. .TP -.B \fB\-q\fP +\fB\-q\fP Display less verbose information. .UNINDENT .sp @@ -1061,12 +1071,16 @@ Aliases: \fBexit\fP, \fBq\fP .sp The kadmin program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkpasswd(1)\fP, \fIkadmind(8)\fP +kpasswd(1), kadmind(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kadmind.man b/src/man/kadmind.man index e73c87b..f8e61a8 100644 --- a/src/man/kadmind.man +++ b/src/man/kadmind.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KADMIND" "8" " " "1.15.2" "MIT Kerberos" +.TH "KADMIND" "8" " " "1.17" "MIT Kerberos" .SH NAME kadmind \- KADM5 administration server . @@ -50,24 +50,24 @@ kadmind starts the Kerberos administration server. kadmind typically runs on the master Kerberos server, which stores the KDC database. If the KDC database uses the LDAP module, the administration server and the KDC server need not run on the same machine. kadmind accepts -remote requests from programs such as \fIkadmin(1)\fP and -\fIkpasswd(1)\fP to administer the information in these database. +remote requests from programs such as kadmin(1) and +kpasswd(1) to administer the information in these database. .sp kadmind requires a number of configuration files to be set up in order for it to work: .INDENT 0.0 .TP -.B \fIkdc.conf(5)\fP +.B kdc.conf(5) The KDC configuration file contains configuration information for the KDC and admin servers. kadmind uses settings in this file to locate the Kerberos database, and is also affected by the \fBacl_file\fP, \fBdict_file\fP, \fBkadmind_port\fP, and iprop\-related settings. .TP -.B \fIkadm5.acl(5)\fP +.B kadm5.acl(5) kadmind\(aqs ACL (access control list) tells it which principals are allowed to perform administration actions. The pathname to the -ACL file can be specified with the \fBacl_file\fP \fIkdc.conf(5)\fP +ACL file can be specified with the \fBacl_file\fP kdc.conf(5) variable; by default, it is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. .UNINDENT .sp @@ -75,76 +75,80 @@ After the server begins running, it puts itself in the background and disassociates itself from its controlling terminal. .sp kadmind can be configured for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal -and policy updates incrementally instead of receiving full dumps of -the database. This facility can be enabled in the \fIkdc.conf(5)\fP -file with the \fBiprop_enable\fP option. Incremental propagation -requires the principal \fBkiprop/MASTER\e@REALM\fP (where MASTER is the -master KDC\(aqs canonical host name, and REALM the realm name). In -release 1.13, this principal is automatically created and registered -into the datebase. +Incremental propagation allows replica KDC servers to receive +principal and policy updates incrementally instead of receiving full +dumps of the database. This facility can be enabled in the +kdc.conf(5) file with the \fBiprop_enable\fP option. Incremental +propagation requires the principal \fBkiprop/MASTER\e@REALM\fP (where +MASTER is the master KDC\(aqs canonical host name, and REALM the realm +name). In release 1.13, this principal is automatically created and +registered into the datebase. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP specifies the realm that kadmind will serve; if it is not specified, the default realm of the host is used. .TP -.B \fB\-m\fP +\fB\-m\fP causes the master database password to be fetched from the keyboard (before the server puts itself in the background, if not invoked with the \fB\-nofork\fP option) rather than from a file on disk. .TP -.B \fB\-nofork\fP +\fB\-nofork\fP causes the server to remain in the foreground and remain associated to the terminal. In normal operation, you should allow the server to place itself in the background. .TP -.B \fB\-proponly\fP -causes the server to only listen and respond to Kerberos slave +\fB\-proponly\fP +causes the server to only listen and respond to Kerberos replica incremental propagation polling requests. This option can be used -to set up a hierarchical propagation topology where a slave KDC -provides incremental updates to other Kerberos slaves. +to set up a hierarchical propagation topology where a replica KDC +provides incremental updates to other Kerberos replicas. .TP -.B \fB\-port\fP \fIport\-number\fP +\fB\-port\fP \fIport\-number\fP specifies the port on which the administration server listens for connections. The default port is determined by the -\fBkadmind_port\fP configuration variable in \fIkdc.conf(5)\fP\&. +\fBkadmind_port\fP configuration variable in kdc.conf(5)\&. .TP -.B \fB\-P\fP \fIpid_file\fP +\fB\-P\fP \fIpid_file\fP specifies the file to which the PID of kadmind process should be written after it starts up. This file can be used to identify whether kadmind is still running and to allow init scripts to stop the correct process. .TP -.B \fB\-p\fP \fIkdb5_util_path\fP +\fB\-p\fP \fIkdb5_util_path\fP specifies the path to the kdb5_util command to use when dumping the KDB in response to full resync requests when iprop is enabled. .TP -.B \fB\-K\fP \fIkprop_path\fP +\fB\-K\fP \fIkprop_path\fP specifies the path to the kprop command to use to send full dumps -to slaves in response to full resync requests. +to replicas in response to full resync requests. .TP -.B \fB\-k\fP \fIkprop_port\fP -specifies the port by which the kprop process that is spawned by kadmind -connects to the slave kpropd, in order to transfer the dump file during -an iprop full resync request. +\fB\-k\fP \fIkprop_port\fP +specifies the port by which the kprop process that is spawned by +kadmind connects to the replica kpropd, in order to transfer the +dump file during an iprop full resync request. .TP -.B \fB\-F\fP \fIdump_file\fP +\fB\-F\fP \fIdump_file\fP specifies the file path to be used for dumping the KDB in response to full resync requests when iprop is enabled. .TP -.B \fB\-x\fP \fIdb_args\fP -specifies database\-specific arguments. See \fIDatabase Options\fP in \fIkadmin(1)\fP for supported arguments. +\fB\-x\fP \fIdb_args\fP +specifies database\-specific arguments. See Database Options in kadmin(1) for supported arguments. .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkpasswd(1)\fP, \fIkadmin(1)\fP, \fIkdb5_util(8)\fP, -\fIkdb5_ldap_util(8)\fP, \fIkadm5.acl(5)\fP +kpasswd(1), kadmin(1), kdb5_util(8), +kdb5_ldap_util(8), kadm5.acl(5), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_ldap_util.man b/src/man/kdb5_ldap_util.man index a1fb6d8..b648227 100644 --- a/src/man/kdb5_ldap_util.man +++ b/src/man/kdb5_ldap_util.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KDB5_LDAP_UTIL" "8" " " "1.15.2" "MIT Kerberos" +.TH "KDB5_LDAP_UTIL" "8" " " "1.17" "MIT Kerberos" .SH NAME kdb5_ldap_util \- Kerberos configuration utility . @@ -44,15 +44,15 @@ services and ticket policies. .SH COMMAND-LINE OPTIONS .INDENT 0.0 .TP -.B \fB\-D\fP \fIuser_dn\fP +\fB\-D\fP \fIuser_dn\fP Specifies the Distinguished Name (DN) of the user who has sufficient rights to perform the operation on the LDAP server. .TP -.B \fB\-w\fP \fIpasswd\fP +\fB\-w\fP \fIpasswd\fP Specifies the password of \fIuser_dn\fP\&. This option is not recommended. .TP -.B \fB\-H\fP \fIldapuri\fP +\fB\-H\fP \fIldapuri\fP Specifies the URI of the LDAP server. It is recommended to use \fBldapi://\fP or \fBldaps://\fP to connect to the LDAP server. .UNINDENT @@ -78,60 +78,60 @@ Specifies the URI of the LDAP server. It is recommended to use Creates realm in directory. Options: .INDENT 0.0 .TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +\fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). .TP -.B \fB\-sscope\fP \fIsearch_scope\fP +\fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtree. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP +\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. If the container reference is not configured for a realm, the principals will be created in the realm container. .TP -.B \fB\-k\fP \fImkeytype\fP +\fB\-k\fP \fImkeytype\fP Specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .TP -.B \fB\-kv\fP \fImkeyVNO\fP +\fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. .TP -.B \fB\-m\fP +\fB\-m\fP Specifies that the master database password should be read from the TTY rather than fetched from a file on the disk. .TP -.B \fB\-P\fP \fIpassword\fP +\fB\-P\fP \fIpassword\fP Specifies the master database password. This option is not recommended. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-sf\fP \fIstashfilename\fP +\fB\-sf\fP \fIstashfilename\fP Specifies the stash file of the master database password. .TP -.B \fB\-s\fP +\fB\-s\fP Specifies that the stash file is to be created. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals in this realm. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP\&. +kadmin(1)\&. .UNINDENT .sp Example: @@ -169,35 +169,35 @@ Re\-enter KDC database master key to verify: Modifies the attributes of a realm. Options: .INDENT 0.0 .TP -.B \fB\-subtrees\fP \fIsubtree_dn_list\fP +\fB\-subtrees\fP \fIsubtree_dn_list\fP Specifies the list of subtrees containing the principals of a realm. The list contains the DNs of the subtree objects separated by colon (\fB:\fP). This list replaces the existing list. .TP -.B \fB\-sscope\fP \fIsearch_scope\fP +\fB\-sscope\fP \fIsearch_scope\fP Specifies the scope for searching the principals under the subtrees. The possible values are 1 or one (one level), 2 or sub (subtrees). .TP -.B \fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the +\fB\-containerref\fP \fIcontainer_reference_dn\fP Specifies the DN of the container object in which the principals of a realm will be created. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals in this realm. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals in this realm. .TP .B \fIticket_flags\fP Specifies global ticket flags for the realm. Allowable flags are documented in the description of the \fBadd_principal\fP command in -\fIkadmin(1)\fP\&. +kadmin(1)\&. .UNINDENT .sp Example: @@ -225,7 +225,7 @@ shell% Displays the attributes of a realm. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -259,10 +259,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE Destroys an existing realm. Options: .INDENT 0.0 .TP -.B \fB\-f\fP +\fB\-f\fP If specified, will not prompt the user for confirmation. .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -323,16 +323,16 @@ file so that KDC and Administration server can use it to authenticate to the LDAP server. Options: .INDENT 0.0 .TP -.B \fB\-f\fP \fIfilename\fP +\fB\-f\fP \fIfilename\fP Specifies the complete path of the service password file. By default, \fB/usr/local/var/service_passwd\fP is used. .TP .B \fIname\fP Specifies the name of the object whose password is to be stored. -If \fIkrb5kdc(8)\fP or \fIkadmind(8)\fP are configured for +If krb5kdc(8) or kadmind(8) are configured for simple binding, this should be the distinguished name it will use as given by the \fBldap_kdc_dn\fP or \fBldap_kadmind_dn\fP -variable in \fIkdc.conf(5)\fP\&. If the KDC or kadmind is +variable in kdc.conf(5)\&. If the KDC or kadmind is configured for SASL binding, this should be the authentication name it will use as given by the \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP variable. @@ -367,22 +367,22 @@ Re\-enter password for "cn=service\-kdc,o=org": Creates a ticket policy in the directory. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-maxtktlife\fP \fImax_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum ticket life for +\fB\-maxtktlife\fP \fImax_ticket_life\fP +(getdate string) Specifies maximum ticket life for principals. .TP -.B \fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP -(\fIgetdate\fP string) Specifies maximum renewable life of +\fB\-maxrenewlife\fP \fImax_renewable_ticket_life\fP +(getdate string) Specifies maximum renewable life of tickets for principals. .TP .B \fIticket_flags\fP Specifies the ticket flags. If this option is not specified, by default, no restriction will be set by the policy. Allowable flags are documented in the description of the \fBadd_principal\fP -command in \fIkadmin(1)\fP\&. +command in kadmin(1)\&. .TP .B \fIpolicy_name\fP Specifies the name of the ticket policy. @@ -479,10 +479,10 @@ Ticket flags: DISALLOW_FORWARDABLE REQUIRES_PWCHANGE Destroys an existing ticket policy. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .TP -.B \fB\-force\fP +\fB\-force\fP Forces the deletion of the policy object. If not specified, the user will be prompted for confirmation before deleting the policy. .TP @@ -518,7 +518,7 @@ Lists the ticket policies in realm if specified or in the default realm. Options: .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the Kerberos realm of the database. .UNINDENT .sp @@ -538,12 +538,16 @@ userpolicy .fi .UNINDENT .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkadmin(1)\fP +kadmin(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdb5_util.man b/src/man/kdb5_util.man index a7471a8..5ebc68a 100644 --- a/src/man/kdb5_util.man +++ b/src/man/kdb5_util.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KDB5_UTIL" "8" " " "1.15.2" "MIT Kerberos" +.TH "KDB5_UTIL" "8" " " "1.17" "MIT Kerberos" .SH NAME kdb5_util \- Kerberos database maintenance utility . @@ -36,10 +36,12 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [\fB\-r\fP \fIrealm\fP] [\fB\-d\fP \fIdbname\fP] [\fB\-k\fP \fImkeytype\fP] -[\fB\-M\fP \fImkeyname\fP] [\fB\-kv\fP \fImkeyVNO\fP] -[\fB\-sf\fP \fIstashfilename\fP] +[\fB\-M\fP \fImkeyname\fP] [\fB\-m\fP] +[\fB\-sf\fP \fIstashfilename\fP] +[\fB\-P\fP \fIpassword\fP] +[\fB\-x\fP \fIdb_args\fP] \fIcommand\fP [\fIcommand_options\fP] .SH DESCRIPTION .sp @@ -58,42 +60,46 @@ commands. .SH COMMAND-LINE OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP specifies the Kerberos realm of the database. .TP -.B \fB\-d\fP \fIdbname\fP +\fB\-d\fP \fIdbname\fP specifies the name under which the principal database is stored; -by default the database is that listed in \fIkdc.conf(5)\fP\&. The +by default the database is that listed in kdc.conf(5)\&. The password policy database and lock files are also derived from this value. .TP -.B \fB\-k\fP \fImkeytype\fP +\fB\-k\fP \fImkeytype\fP specifies the key type of the master key in the database. The default is given by the \fBmaster_key_type\fP variable in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .TP -.B \fB\-kv\fP \fImkeyVNO\fP +\fB\-kv\fP \fImkeyVNO\fP Specifies the version number of the master key in the database; the default is 1. Note that 0 is not allowed. .TP -.B \fB\-M\fP \fImkeyname\fP +\fB\-M\fP \fImkeyname\fP principal name for the master key in the database. If not specified, the name is determined by the \fBmaster_key_name\fP -variable in \fIkdc.conf(5)\fP\&. +variable in kdc.conf(5)\&. .TP -.B \fB\-m\fP +\fB\-m\fP specifies that the master database password should be read from the keyboard rather than fetched from a file on disk. .TP -.B \fB\-sf\fP \fIstash_file\fP +\fB\-sf\fP \fIstash_file\fP specifies the stash filename of the master database password. If not specified, the filename is determined by the -\fBkey_stash_file\fP variable in \fIkdc.conf(5)\fP\&. +\fBkey_stash_file\fP variable in kdc.conf(5)\&. .TP -.B \fB\-P\fP \fIpassword\fP +\fB\-P\fP \fIpassword\fP specifies the master database password. Using this option may expose the password to other users on the system via the process list. +.TP +\fB\-x\fP \fIdb_args\fP +specifies database\-specific options. See kadmin(1) for +supported options. .UNINDENT .SH COMMANDS .SS create @@ -126,13 +132,14 @@ the \fB\-f\fP argument, does not prompt the user. .sp Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP argument can be used to override the \fIkeyfile\fP specified in -\fIkdc.conf(5)\fP\&. +kdc.conf(5)\&. .SS dump .INDENT 0.0 .INDENT 3.5 -\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-verbose\fP] -[\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] -[\fB\-recurse\fP] [\fIfilename\fP [\fIprincipals\fP\&...]] +\fBdump\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] +[\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP +\fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP +[\fIprincipals\fP\&...]] .UNINDENT .UNINDENT .sp @@ -142,43 +149,43 @@ load_dump version 7". If filename is not specified, or is the string "\-", the dump is sent to standard output. Options: .INDENT 0.0 .TP -.B \fB\-b7\fP +\fB\-b7\fP causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -.B \fB\-ov\fP +\fB\-ov\fP causes the dump to be in "ovsec_adm_export" format. .TP -.B \fB\-r13\fP +\fB\-r13\fP causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. .TP -.B \fB\-r18\fP +\fB\-r18\fP causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. .TP -.B \fB\-verbose\fP +\fB\-verbose\fP causes the name of each principal and policy to be printed as it is dumped. .TP -.B \fB\-mkey_convert\fP +\fB\-mkey_convert\fP prompts for a new master key. This new master key will be used to re\-encrypt principal key data in the dumpfile. The principal keys themselves will not be changed. .TP -.B \fB\-new_mkey_file\fP \fImkey_file\fP +\fB\-new_mkey_file\fP \fImkey_file\fP the filename of a stash file. The master key in this stash file will be used to re\-encrypt the key data in the dumpfile. The key data in the database will not be changed. .TP -.B \fB\-rev\fP +\fB\-rev\fP dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred. .TP -.B \fB\-recurse\fP +\fB\-recurse\fP causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally, in cases where database corruption has occurred. In cases of such @@ -196,8 +203,8 @@ doing a normal dump instead of a recursive traversal. .SS load .INDENT 0.0 .INDENT 3.5 -\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP] [\fB\-hash\fP] -[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP [\fIdbname\fP] +\fBload\fP [\fB\-b7\fP|\fB\-ov\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP] +[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP .UNINDENT .UNINDENT .sp @@ -212,44 +219,42 @@ database module, the \fB\-update\fP flag is required. Options: .INDENT 0.0 .TP -.B \fB\-b7\fP +\fB\-b7\fP requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2. .TP -.B \fB\-ov\fP +\fB\-ov\fP requires the database to be in "ovsec_adm_import" format. Must be used with the \fB\-update\fP option. .TP -.B \fB\-r13\fP +\fB\-r13\fP requires the database to be in Kerberos 5 1.3 format ("kdb5_util load_dump version 5"). This was the dump format produced on releases prior to 1.8. .TP -.B \fB\-r18\fP +\fB\-r18\fP requires the database to be in Kerberos 5 1.8 format ("kdb5_util load_dump version 6"). This was the dump format produced on releases prior to 1.11. .TP -.B \fB\-hash\fP -requires the database to be stored as a hash. If this option is -not specified, the database will be stored as a btree. This -option is not recommended, as databases stored in hash format are -known to corrupt data and lose principals. +\fB\-hash\fP +stores the database in hash format, if using the DB2 database +type. If this option is not specified, the database will be +stored in btree format. This option is not recommended, as +databases stored in hash format are known to corrupt data and lose +principals. .TP -.B \fB\-verbose\fP +\fB\-verbose\fP causes the name of each principal and policy to be printed as it is dumped. .TP -.B \fB\-update\fP +\fB\-update\fP records from the dump file are added to or updated in the existing database. Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion. .UNINDENT -.sp -If specified, \fIdbname\fP overrides the value specified on the command -line or the default. .SS ark .INDENT 0.0 .INDENT 3.5 @@ -271,13 +276,13 @@ salt types to be used for the new keys. Adds a new master key to the master key principal, but does not mark it as active. Existing master keys will remain. The \fB\-e\fP option specifies the encryption type of the new master key; see -\fIEncryption_types\fP in \fIkdc.conf(5)\fP for a list of possible +Encryption_types in kdc.conf(5) for a list of possible values. The \fB\-s\fP option stashes the new master key in the stash file, which will be created if it doesn\(aqt already exist. .sp -After a new master key is added, it should be propagated to slave -servers via a manual or periodic invocation of \fIkprop(8)\fP\&. Then, -the stash files on the slave servers should be updated with the +After a new master key is added, it should be propagated to replica +servers via a manual or periodic invocation of kprop(8)\&. Then, +the stash files on the replica servers should be updated with the kdb5_util \fBstash\fP command. Once those steps are complete, the key is ready to be marked active with the kdb5_util \fBuse_mkey\fP command. .SS use_mkey @@ -291,7 +296,7 @@ Sets the activation time of the master key specified by \fImkeyVNO\fP\&. Once a master key becomes active, it will be used to encrypt newly created principal keys. If no \fItime\fP argument is given, the current time is used, causing the specified master key version to become -active immediately. The format for \fItime\fP is \fIgetdate\fP string. +active immediately. The format for \fItime\fP is getdate string. .sp After a new master key becomes active, the kdb5_util \fBupdate_princ_encryption\fP command can be used to update all @@ -305,7 +310,7 @@ principal keys to be encrypted in the new master key. .sp List all master keys, from most recent to earliest, in the master key principal. The output will show the kvno, enctype, and salt type for -each mkey, similar to the output of \fIkadmin(1)\fP \fBgetprinc\fP\&. A +each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&. A \fB*\fP following an mkey denotes the currently active master key. .SS purge_mkeys .INDENT 0.0 @@ -319,14 +324,14 @@ protect any principals. This command can be used to remove old master keys all principal keys are protected by a newer master key. .INDENT 0.0 .TP -.B \fB\-f\fP +\fB\-f\fP does not prompt for confirmation. .TP -.B \fB\-n\fP +\fB\-n\fP performs a dry run, showing master keys that would be purged, but not actually purging any keys. .TP -.B \fB\-v\fP +\fB\-v\fP gives more verbose output. .UNINDENT .SS update_princ_encryption @@ -367,23 +372,23 @@ below). Options: .INDENT 0.0 .TP -.B \fB\-H\fP +\fB\-H\fP suppress writing the field names in a header line .TP -.B \fB\-c\fP +\fB\-c\fP use comma separated values (CSV) format, with minimal quoting, instead of the default tab\-separated (unquoted, unescaped) format .TP -.B \fB\-e\fP +\fB\-e\fP write empty hexadecimal string fields as empty fields instead of as "\-1". .TP -.B \fB\-n\fP +\fB\-n\fP produce numeric output for fields that normally have symbolic output, such as enctypes and flag names. Also requests output of time stamps as decimal POSIX time_t values. .TP -.B \fB\-o\fP \fIoutfile\fP +\fB\-o\fP \fIoutfile\fP write the dump to the specified output file instead of to standard output .UNINDENT @@ -391,38 +396,38 @@ output Dump types: .INDENT 0.0 .TP -.B \fBkeydata\fP +\fBkeydata\fP principal encryption key information, including actual key data (which is still encrypted in the master key) .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBkeyindex\fP +\fBkeyindex\fP index of this key in the principal\(aqs key list .TP -.B \fBkvno\fP +\fBkvno\fP key version number .TP -.B \fBenctype\fP +\fBenctype\fP encryption type .TP -.B \fBkey\fP +\fBkey\fP key data as a hexadecimal string .TP -.B \fBsalttype\fP +\fBsalttype\fP salt type .TP -.B \fBsalt\fP +\fBsalt\fP salt data as a hexadecimal string .UNINDENT .TP -.B \fBkeyinfo\fP +\fBkeyinfo\fP principal encryption key information (as in \fBkeydata\fP above), excluding actual key data .TP -.B \fBprinc_flags\fP +\fBprinc_flags\fP principal boolean attributes. Flag names print as hexadecimal numbers if the \fB\-n\fP option is specified, and all flag positions are printed regardless of whether or not they are set. If \fB\-n\fP @@ -431,93 +436,93 @@ but only print hexadecimal flag names if the corresponding flag is set. .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBflag\fP +\fBflag\fP flag name .TP -.B \fBvalue\fP +\fBvalue\fP boolean value (0 for clear, or 1 for set) .UNINDENT .TP -.B \fBprinc_lockout\fP +\fBprinc_lockout\fP state information used for tracking repeated password failures .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBlast_success\fP +\fBlast_success\fP time stamp of most recent successful authentication .TP -.B \fBlast_failed\fP +\fBlast_failed\fP time stamp of most recent failed authentication .TP -.B \fBfail_count\fP +\fBfail_count\fP count of failed attempts .UNINDENT .TP -.B \fBprinc_meta\fP +\fBprinc_meta\fP principal metadata .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBmodby\fP +\fBmodby\fP name of last principal to modify this principal .TP -.B \fBmodtime\fP +\fBmodtime\fP timestamp of last modification .TP -.B \fBlastpwd\fP +\fBlastpwd\fP timestamp of last password change .TP -.B \fBpolicy\fP +\fBpolicy\fP policy object name .TP -.B \fBmkvno\fP +\fBmkvno\fP key version number of the master key that encrypts this principal\(aqs key data .TP -.B \fBhist_kvno\fP +\fBhist_kvno\fP key version number of the history key that encrypts the key history data for this principal .UNINDENT .TP -.B \fBprinc_stringattrs\fP +\fBprinc_stringattrs\fP string attributes (key/value pairs) .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBkey\fP +\fBkey\fP attribute name .TP -.B \fBvalue\fP +\fBvalue\fP attribute value .UNINDENT .TP -.B \fBprinc_tktpolicy\fP +\fBprinc_tktpolicy\fP per\-principal ticket policy data, including maximum ticket lifetimes .INDENT 7.0 .TP -.B \fBname\fP +\fBname\fP principal name .TP -.B \fBexpiration\fP +\fBexpiration\fP principal expiration date .TP -.B \fBpw_expiration\fP +\fBpw_expiration\fP password expiration date .TP -.B \fBmax_life\fP +\fBmax_life\fP maximum ticket lifetime .TP -.B \fBmax_renew_life\fP +\fBmax_renew_life\fP maximum renewable ticket lifetime .UNINDENT .UNINDENT @@ -546,12 +551,16 @@ bar@EXAMPLE.COM 1 1 des\-cbc\-crc normal \-1 .fi .UNINDENT .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkadmin(1)\fP +kadmin(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdc.conf.man b/src/man/kdc.conf.man index d207ebd..ab3ee02 100644 --- a/src/man/kdc.conf.man +++ b/src/man/kdc.conf.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KDC.CONF" "5" " " "1.15.2" "MIT Kerberos" +.TH "KDC.CONF" "5" " " "1.17" "MIT Kerberos" .SH NAME kdc.conf \- Kerberos V5 KDC configuration file . @@ -31,9 +31,9 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .in \\n[rst2man-indent\\n[rst2man-indent-level]]u .. .sp -The kdc.conf file supplements \fIkrb5.conf(5)\fP for programs which -are typically only used on a KDC, such as the \fIkrb5kdc(8)\fP and -\fIkadmind(8)\fP daemons and the \fIkdb5_util(8)\fP program. +The kdc.conf file supplements krb5.conf(5) for programs which +are typically only used on a KDC, such as the krb5kdc(8) and +kadmind(8) daemons and the kdb5_util(8) program. Relations documented here may also be specified in krb5.conf; for the KDC programs mentioned, krb5.conf and kdc.conf will be merged into a single configuration profile. @@ -47,7 +47,7 @@ changes to take effect. .SH STRUCTURE .sp The kdc.conf file is set up in the same format as the -\fIkrb5.conf(5)\fP file. +krb5.conf(5) file. .SH SECTIONS .sp The kdc.conf file may contain the following sections: @@ -88,10 +88,10 @@ _ .TE .SS [kdcdefaults] .sp -With two exceptions, relations in the [kdcdefaults] section specify -default values for realm variables, to be used if the [realms] -subsection does not contain a relation for the tag. See the -\fI\%[realms]\fP section for the definitions of these relations. +Some relations in the [kdcdefaults] section specify default values for +realm variables, to be used if the [realms] subsection does not +contain a relation for the tag. See the \fI\%[realms]\fP section for +the definitions of these relations. .INDENT 0.0 .IP \(bu 2 \fBhost_based_services\fP @@ -108,16 +108,24 @@ subsection does not contain a relation for the tag. See the .IP \(bu 2 \fBrestrict_anonymous_to_tgt\fP .UNINDENT +.sp +The following [kdcdefaults] variables have no per\-realm equivalent: .INDENT 0.0 .TP -.B \fBkdc_max_dgram_reply_size\fP +\fBkdc_max_dgram_reply_size\fP Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes. .TP -.B \fBkdc_tcp_listen_backlog\fP +\fBkdc_tcp_listen_backlog\fP (Integer.) Set the size of the listen queue length for the KDC daemon. The value may be limited by OS settings. The default value is 5. +.TP +\fBspake_preauth_kdc_challenge\fP +(String.) Specifies the group for a SPAKE optimistic challenge. +See the \fBspake_preauth_groups\fP variable in libdefaults +for possible values. The default is not to issue an optimistic +challenge. (New in release 1.17.) .UNINDENT .SS [realms] .sp @@ -142,32 +150,33 @@ to define one parameter for the ATHENA.MIT.EDU realm: The following tags may be specified in a [realms] subsection: .INDENT 0.0 .TP -.B \fBacl_file\fP +\fBacl_file\fP (String.) Location of the access control list file that -\fIkadmind(8)\fP uses to determine which principals are allowed -which permissions on the Kerberos database. The default value is -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more information on Kerberos ACL -file see \fIkadm5.acl(5)\fP\&. +kadmind(8) uses to determine which principals are allowed +which permissions on the Kerberos database. To operate without an +ACL file, set this relation to the empty string with \fBacl_file = +""\fP\&. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kadm5.acl\fP\&. For more +information on Kerberos ACL file see kadm5.acl(5)\&. .TP -.B \fBdatabase_module\fP +\fBdatabase_module\fP (String.) This relation indicates the name of the configuration section under \fI\%[dbmodules]\fP for database\-specific parameters used by the loadable database library. The default value is the realm name. If this configuration section does not exist, default values will be used for all database parameters. .TP -.B \fBdatabase_name\fP +\fBdatabase_name\fP (String, deprecated.) This relation specifies the location of the Kerberos database for this realm, if the DB2 module is being used and the \fI\%[dbmodules]\fP configuration section does not specify a database name. The default value is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP -.B \fBdefault_principal_expiration\fP -(\fIabstime\fP string.) Specifies the default expiration date of +\fBdefault_principal_expiration\fP +(abstime string.) Specifies the default expiration date of principals created in this realm. The default value is 0, which means no expiration date. .TP -.B \fBdefault_principal_flags\fP +\fBdefault_principal_flags\fP (Flag string.) Specifies the default attributes of principals created in this realm. The format for this string is a comma\-separated list of flags, with \(aq+\(aq before each flag that @@ -179,42 +188,41 @@ disabled. The \fBpostdateable\fP, \fBforwardable\fP, \fBtgt\-based\fP, There are a number of possible flags: .INDENT 7.0 .TP -.B \fBallow\-tickets\fP +\fBallow\-tickets\fP Enabling this flag means that the KDC will issue tickets for this principal. Disabling this flag essentially deactivates the principal within this realm. .TP -.B \fBdup\-skey\fP -Enabling this flag allows the principal to obtain a session -key for another user, permitting user\-to\-user authentication -for this principal. +\fBdup\-skey\fP +Enabling this flag allows the KDC to issue user\-to\-user +service tickets for this principal. .TP -.B \fBforwardable\fP +\fBforwardable\fP Enabling this flag allows the principal to obtain forwardable tickets. .TP -.B \fBhwauth\fP +\fBhwauth\fP If this flag is enabled, then the principal is required to preauthenticate using a hardware device before receiving any tickets. .TP -.B \fBno\-auth\-data\-required\fP +\fBno\-auth\-data\-required\fP Enabling this flag prevents PAC or AD\-SIGNEDPATH data from being added to service tickets for the principal. .TP -.B \fBok\-as\-delegate\fP +\fBok\-as\-delegate\fP If this flag is enabled, it hints the client that credentials can and should be delegated when authenticating to the service. .TP -.B \fBok\-to\-auth\-as\-delegate\fP +\fBok\-to\-auth\-as\-delegate\fP Enabling this flag allows the principal to use S4USelf tickets. .TP -.B \fBpostdateable\fP +\fBpostdateable\fP Enabling this flag allows the principal to obtain postdateable tickets. .TP -.B \fBpreauth\fP +\fBpreauth\fP If this flag is enabled on a client principal, then that principal is required to preauthenticate to the KDC before receiving any tickets. On a service principal, enabling this @@ -222,15 +230,15 @@ flag means that service tickets for this principal will only be issued to clients with a TGT that has the preauthenticated bit set. .TP -.B \fBproxiable\fP +\fBproxiable\fP Enabling this flag allows the principal to obtain proxy tickets. .TP -.B \fBpwchange\fP +\fBpwchange\fP Enabling this flag forces a password change for this principal. .TP -.B \fBpwservice\fP +\fBpwservice\fP If this flag is enabled, it marks this principal as a password change service. This should only be used in special cases, for example, if a user\(aqs password has expired, then the user @@ -238,49 +246,61 @@ has to get tickets for that principal without going through the normal password authentication in order to be able to change the password. .TP -.B \fBrenewable\fP +\fBrenewable\fP Enabling this flag allows the principal to obtain renewable tickets. .TP -.B \fBservice\fP +\fBservice\fP Enabling this flag allows the the KDC to issue service tickets -for this principal. +for this principal. In release 1.17 and later, user\-to\-user +service tickets are still allowed if the \fBdup\-skey\fP flag is +set. .TP -.B \fBtgt\-based\fP +\fBtgt\-based\fP Enabling this flag allows a principal to obtain tickets based on a ticket\-granting\-ticket, rather than repeating the authentication process that was used to obtain the TGT. .UNINDENT .TP -.B \fBdict_file\fP +\fBdict_file\fP (String.) Location of the dictionary file containing strings that are not allowed as passwords. The file should contain one string per line, with no additional whitespace. If none is specified or if there is no policy assigned to the principal, no dictionary checks of passwords will be performed. .TP -.B \fBhost_based_services\fP +\fBencrypted_challenge_indicator\fP +(String.) Specifies the authentication indicator value that the KDC +asserts into tickets obtained using FAST encrypted challenge +pre\-authentication. New in 1.16. +.TP +\fBhost_based_services\fP (Whitespace\- or comma\-separated list.) Lists services which will get host\-based referral processing even if the server principal is not marked as host\-based by the client. .TP -.B \fBiprop_enable\fP +\fBiprop_enable\fP (Boolean value.) Specifies whether incremental database propagation is enabled. The default value is false. .TP -.B \fBiprop_master_ulogsize\fP +\fBiprop_master_ulogsize\fP (Integer.) Specifies the maximum number of log entries to be retained for incremental propagation. The default value is 1000. Prior to release 1.11, the maximum value was 2500. .TP -.B \fBiprop_slave_poll\fP -(Delta time string.) Specifies how often the slave KDC polls for -new updates from the master. The default value is \fB2m\fP (that -is, two minutes). +\fBiprop_replica_poll\fP +(Delta time string.) Specifies how often the replica KDC polls +for new updates from the master. The default value is \fB2m\fP +(that is, two minutes). New in release 1.17. +.TP +\fBiprop_slave_poll\fP +(Delta time string.) The name for \fBiprop_replica_poll\fP prior to +release 1.17. Its value is used as a fallback if +\fBiprop_replica_poll\fP is not specified. .TP -.B \fBiprop_listen\fP +\fBiprop_listen\fP (Whitespace\- or comma\-separated list.) Specifies the iprop RPC -listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +listening addresses and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -290,22 +310,22 @@ default (when \fBiprop_enable\fP is true) is to bind to the wildcard address at the port specified in \fBiprop_port\fP\&. New in release 1.15. .TP -.B \fBiprop_port\fP +\fBiprop_port\fP (Port number.) Specifies the port number to be used for incremental propagation. When \fBiprop_enable\fP is true, this -relation is required in the slave configuration file, and this -relation or \fBiprop_listen\fP is required in the master +relation is required in the replica KDC configuration file, and +this relation or \fBiprop_listen\fP is required in the master configuration file, as there is no default port number. Port numbers specified in \fBiprop_listen\fP entries will override this -port number for the \fIkadmind(8)\fP daemon. +port number for the kadmind(8) daemon. .TP -.B \fBiprop_resync_timeout\fP +\fBiprop_resync_timeout\fP (Delta time string.) Specifies the amount of time to wait for a full propagation to complete. This is optional in configuration -files, and is used by slave KDCs only. The default value is 5 +files, and is used by replica KDCs only. The default value is 5 minutes (\fB5m\fP). New in release 1.11. .TP -.B \fBiprop_logfile\fP +\fBiprop_logfile\fP (File name.) Specifies where the update log file for the realm database is to be stored. The default is to use the \fBdatabase_name\fP entry from the realms section of the krb5 config @@ -316,9 +336,9 @@ back end is being used, or the file name is specified in the \fBdatabase_name\fP is used. Determination of the \fBiprop_logfile\fP default value will not use values from the [dbmodules] section.) .TP -.B \fBkadmind_listen\fP +\fBkadmind_listen\fP (Whitespace\- or comma\-separated list.) Specifies the kadmin RPC -listening addresses and/or ports for the \fIkadmind(8)\fP daemon. +listening addresses and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -328,19 +348,19 @@ default is to bind to the wildcard address at the port specified in \fBkadmind_port\fP, or the standard kadmin port (749). New in release 1.15. .TP -.B \fBkadmind_port\fP -(Port number.) Specifies the port on which the \fIkadmind(8)\fP +\fBkadmind_port\fP +(Port number.) Specifies the port on which the kadmind(8) daemon is to listen for this realm. Port numbers specified in \fBkadmind_listen\fP entries will override this port number. The assigned port for kadmind is 749, which is used by default. .TP -.B \fBkey_stash_file\fP +\fBkey_stash_file\fP (String.) Specifies the location where the master key has been stored (via kdb5_util stash). The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.k5.REALM\fP, where \fIREALM\fP is the Kerberos realm. .TP -.B \fBkdc_listen\fP +\fBkdc_listen\fP (Whitespace\- or comma\-separated list.) Specifies the UDP -listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +listening addresses and/or ports for the krb5kdc(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -350,16 +370,16 @@ to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. .TP -.B \fBkdc_ports\fP +\fBkdc_ports\fP (Whitespace\- or comma\-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the -\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +krb5kdc(8) daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \fBkdc_listen\fP if that relation is not defined. .TP -.B \fBkdc_tcp_listen\fP +\fBkdc_tcp_listen\fP (Whitespace\- or comma\-separated list.) Specifies the TCP -listening addresses and/or ports for the \fIkrb5kdc(8)\fP daemon. +listening addresses and/or ports for the krb5kdc(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is @@ -370,16 +390,16 @@ If the KDC daemon fails to bind to any of the specified addresses, it will fail to start. The default is to bind to the wildcard address on the standard port. New in release 1.15. .TP -.B \fBkdc_tcp_ports\fP +\fBkdc_tcp_ports\fP (Whitespace\- or comma\-separated list, deprecated.) Prior to release 1.15, this relation lists the ports for the -\fIkrb5kdc(8)\fP daemon to listen on for UDP requests. In +krb5kdc(8) daemon to listen on for UDP requests. In release 1.15 and later, it has the same meaning as \fBkdc_tcp_listen\fP if that relation is not defined. .TP -.B \fBkpasswd_listen\fP +\fBkpasswd_listen\fP (Comma\-separated list.) Specifies the kpasswd listening addresses -and/or ports for the \fIkadmind(8)\fP daemon. Each entry may be +and/or ports for the kadmind(8) daemon. Each entry may be an interface address, a port number, or an address and port number separated by a colon. If the address contains colons, enclose it in square brackets. If no address is specified, the wildcard @@ -388,51 +408,51 @@ addresses, it will fail to start. The default is to bind to the wildcard address at the port specified in \fBkpasswd_port\fP, or the standard kpasswd port (464). New in release 1.15. .TP -.B \fBkpasswd_port\fP -(Port number.) Specifies the port on which the \fIkadmind(8)\fP +\fBkpasswd_port\fP +(Port number.) Specifies the port on which the kadmind(8) daemon is to listen for password change requests for this realm. Port numbers specified in \fBkpasswd_listen\fP entries will override this port number. The assigned port for password change requests is 464, which is used by default. .TP -.B \fBmaster_key_name\fP +\fBmaster_key_name\fP (String.) Specifies the name of the principal associated with the master key. The default is \fBK/M\fP\&. .TP -.B \fBmaster_key_type\fP +\fBmaster_key_type\fP (Key type string.) Specifies the master key\(aqs key type. The default value for this is \fBaes256\-cts\-hmac\-sha1\-96\fP\&. For a list of all possible values, see \fI\%Encryption types\fP\&. .TP -.B \fBmax_life\fP -(\fIduration\fP string.) Specifies the maximum time period for +\fBmax_life\fP +(duration string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours. .TP -.B \fBmax_renewable_life\fP -(\fIduration\fP string.) Specifies the maximum time period +\fBmax_renewable_life\fP +(duration string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0. .TP -.B \fBno_host_referral\fP +\fBno_host_referral\fP (Whitespace\- or comma\-separated list.) Lists services to block from getting host\-based referral processing, even if the client marks the server principal as host\-based or the service is also listed in \fBhost_based_services\fP\&. \fBno_host_referral = *\fP will disable referral processing altogether. .TP -.B \fBdes_crc_session_supported\fP +\fBdes_crc_session_supported\fP (Boolean value). If set to true, the KDC will assume that service principals support des\-cbc\-crc for session key enctype negotiation -purposes. If \fBallow_weak_crypto\fP in \fIlibdefaults\fP is +purposes. If \fBallow_weak_crypto\fP in libdefaults is false, or if des\-cbc\-crc is not a permitted enctype, then this variable has no effect. Defaults to true. New in release 1.11. .TP -.B \fBreject_bad_transit\fP +\fBreject_bad_transit\fP (Boolean value.) If set to true, the KDC will check the list of transited realms for cross\-realm tickets against the transit path computed from the realm names and the capaths section of its -\fIkrb5.conf(5)\fP file; if the path in the ticket to be issued +krb5.conf(5) file; if the path in the ticket to be issued contains any realms not in the computed path, the ticket will not be issued, and an error will be returned to the client instead. If this value is set to false, such tickets will be issued @@ -449,7 +469,7 @@ only to TGS requests. .sp The default value is true. .TP -.B \fBrestrict_anonymous_to_tgt\fP +\fBrestrict_anonymous_to_tgt\fP (Boolean value.) If set to true, the KDC will reject ticket requests from anonymous principals to service principals other than the realm\(aqs ticket\-granting service. This option allows @@ -457,10 +477,16 @@ anonymous PKINIT to be enabled for use as FAST armor tickets without allowing anonymous authentication to services. The default value is false. New in release 1.9. .TP -.B \fBsupported_enctypes\fP +\fBspake_preauth_indicator\fP +(String.) Specifies an authentication indicator value that the +KDC asserts into tickets obtained using SPAKE pre\-authentication. +The default is not to add any indicators. This option may be +specified multiple times. New in release 1.17. +.TP +\fBsupported_enctypes\fP (List of \fIkey\fP:\fIsalt\fP strings.) Specifies the default key/salt combinations of principals for this realm. Any principals created -through \fIkadmin(1)\fP will have keys of these types. The +through kadmin(1) will have keys of these types. The default value for this tag is \fBaes256\-cts\-hmac\-sha1\-96:normal aes128\-cts\-hmac\-sha1\-96:normal des3\-cbc\-sha1:normal arcfour\-hmac\-md5:normal\fP\&. For lists of possible values, see \fI\%Keysalt lists\fP\&. .UNINDENT @@ -524,16 +550,16 @@ define one database parameter for the ATHENA.MIT.EDU realm: The following tags may be specified in a [dbmodules] subsection: .INDENT 0.0 .TP -.B \fBdatabase_name\fP +\fBdatabase_name\fP This DB2\-specific tag indicates the location of the database in the filesystem. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/principal\fP\&. .TP -.B \fBdb_library\fP +\fBdb_library\fP This tag indicates the name of the loadable database module. The -value should be \fBdb2\fP for the DB2 module and \fBkldap\fP for the -LDAP module. +value should be \fBdb2\fP for the DB2 module, \fBklmdb\fP for the LMDB +module, or \fBkldap\fP for the LDAP module. .TP -.B \fBdisable_last_success\fP +\fBdisable_last_success\fP If set to \fBtrue\fP, suppresses KDC updates to the "Last successful authentication" field of principal entries requiring preauthentication. Setting this flag may improve performance. @@ -541,21 +567,21 @@ preauthentication. Setting this flag may improve performance. update the "Last successful authentication" field.). First introduced in release 1.9. .TP -.B \fBdisable_lockout\fP +\fBdisable_lockout\fP If set to \fBtrue\fP, suppresses KDC updates to the "Last failed authentication" and "Failed password attempts" fields of principal entries requiring preauthentication. Setting this flag may improve performance, but also disables account lockout. First introduced in release 1.9. .TP -.B \fBldap_conns_per_server\fP +\fBldap_conns_per_server\fP This LDAP\-specific tag indicates the number of connections to be maintained per LDAP server. .TP -.B \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP +\fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP These LDAP\-specific tags indicate the default DN for binding to -the LDAP server. The \fIkrb5kdc(8)\fP daemon uses -\fBldap_kdc_dn\fP, while the \fIkadmind(8)\fP daemon and other +the LDAP server. The krb5kdc(8) daemon uses +\fBldap_kdc_dn\fP, while the kadmind(8) daemon and other administrative programs use \fBldap_kadmind_dn\fP\&. The kadmind DN must have the rights to read and write the Kerberos data in the LDAP database. The KDC DN must have the same rights, unless @@ -564,12 +590,12 @@ which case it only needs to have rights to read the Kerberos data. These tags are ignored if a SASL mechanism is set with \fBldap_kdc_sasl_mech\fP or \fBldap_kadmind_sasl_mech\fP\&. .TP -.B \fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP +\fBldap_kdc_sasl_mech\fP and \fBldap_kadmind_sasl_mech\fP These LDAP\-specific tags specify the SASL mechanism (such as \fBEXTERNAL\fP) to use when binding to the LDAP server. New in release 1.13. .TP -.B \fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP +\fBldap_kdc_sasl_authcid\fP and \fBldap_kadmind_sasl_authcid\fP These LDAP\-specific tags specify the SASL authentication identity to use when binding to the LDAP server. Not all SASL mechanisms require an authentication identity. If the SASL mechanism @@ -578,35 +604,53 @@ tags also determine the name within the \fBldap_service_password_file\fP where the secret is stashed. New in release 1.13. .TP -.B \fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP +\fBldap_kdc_sasl_authzid\fP and \fBldap_kadmind_sasl_authzid\fP These LDAP\-specific tags specify the SASL authorization identity to use when binding to the LDAP server. In most circumstances they do not need to be specified. New in release 1.13. .TP -.B \fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP +\fBldap_kdc_sasl_realm\fP and \fBldap_kadmind_sasl_realm\fP These LDAP\-specific tags specify the SASL realm to use when binding to the LDAP server. In most circumstances they do not need to be set. New in release 1.13. .TP -.B \fBldap_kerberos_container_dn\fP +\fBldap_kerberos_container_dn\fP This LDAP\-specific tag indicates the DN of the container object where the realm objects will be located. .TP -.B \fBldap_servers\fP +\fBldap_servers\fP This LDAP\-specific tag indicates the list of LDAP servers that the Kerberos servers can connect to. The list of LDAP servers is whitespace\-separated. The LDAP server is specified by a LDAP URI. It is recommended to use \fBldapi:\fP or \fBldaps:\fP URLs to connect to the LDAP server. .TP -.B \fBldap_service_password_file\fP +\fBldap_service_password_file\fP This LDAP\-specific tag indicates the file containing the stashed passwords (created by \fBkdb5_ldap_util stashsrvpw\fP) for the \fBldap_kdc_dn\fP and \fBldap_kadmind_dn\fP objects, or for the \fBldap_kdc_sasl_authcid\fP or \fBldap_kadmind_sasl_authcid\fP names for SASL authentication. This file must be kept secure. .TP -.B \fBunlockiter\fP +\fBmapsize\fP +This LMDB\-specific tag indicates the maximum size of the two +database environments in megabytes. The default value is 128. +Increase this value to address "Environment mapsize limit reached" +errors. New in release 1.17. +.TP +\fBmax_readers\fP +This LMDB\-specific tag indicates the maximum number of concurrent +reading processes for the databases. The default value is 128. +New in release 1.17. +.TP +\fBnosync\fP +This LMDB\-specific tag can be set to improve the throughput of +kadmind and other administrative agents, at the expense of +durability (recent database changes may not survive a power outage +or other sudden reboot). It does not affect the throughput of the +KDC. The default value is false. New in release 1.17. +.TP +\fBunlockiter\fP If set to \fBtrue\fP, this DB2\-specific tag causes iteration operations to release the database lock while processing each principal. Setting this flag to \fBtrue\fP can prevent extended @@ -618,28 +662,28 @@ The following tag may be specified directly in the [dbmodules] section to control where database modules are loaded from: .INDENT 0.0 .TP -.B \fBdb_module_dir\fP +\fBdb_module_dir\fP This tag controls where the plugin system looks for database modules. The value should be an absolute path. .UNINDENT .SS [logging] .sp -The [logging] section indicates how \fIkrb5kdc(8)\fP and -\fIkadmind(8)\fP perform logging. It may contain the following +The [logging] section indicates how krb5kdc(8) and +kadmind(8) perform logging. It may contain the following relations: .INDENT 0.0 .TP -.B \fBadmin_server\fP -Specifies how \fIkadmind(8)\fP performs logging. +\fBadmin_server\fP +Specifies how kadmind(8) performs logging. .TP -.B \fBkdc\fP -Specifies how \fIkrb5kdc(8)\fP performs logging. +\fBkdc\fP +Specifies how krb5kdc(8) performs logging. .TP -.B \fBdefault\fP +\fBdefault\fP Specifies how either daemon performs logging in the absence of relations specific to the daemon. .TP -.B \fBdebug\fP +\fBdebug\fP (Boolean value.) Specifies whether debugging messages are included in log outputs other than SYSLOG. Debugging messages are always included in the system log output because syslog performs @@ -650,39 +694,35 @@ release 1.15. Logging specifications may have the following forms: .INDENT 0.0 .TP -.B \fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP +\fBFILE=\fP\fIfilename\fP or \fBFILE:\fP\fIfilename\fP This value causes the daemon\(aqs logging messages to go to the \fIfilename\fP\&. If the \fB=\fP form is used, the file is overwritten. If the \fB:\fP form is used, the file is appended to. .TP -.B \fBSTDERR\fP +\fBSTDERR\fP This value causes the daemon\(aqs logging messages to go to its standard error stream. .TP -.B \fBCONSOLE\fP +\fBCONSOLE\fP This value causes the daemon\(aqs logging messages to go to the console, if the system supports it. .TP -.B \fBDEVICE=\fP\fI\fP +\fBDEVICE=\fP\fI\fP This causes the daemon\(aqs logging messages to go to the specified device. .TP -.B \fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] +\fBSYSLOG\fP[\fB:\fP\fIseverity\fP[\fB:\fP\fIfacility\fP]] This causes the daemon\(aqs logging messages to go to the system log. .sp -The severity argument specifies the default severity of system log -messages. This may be any of the following severities supported -by the syslog(3) call, minus the \fBLOG_\fP prefix: \fBEMERG\fP, -\fBALERT\fP, \fBCRIT\fP, \fBERR\fP, \fBWARNING\fP, \fBNOTICE\fP, \fBINFO\fP, -and \fBDEBUG\fP\&. +For backward compatibility, a severity argument may be specified, +and must be specified in order to specify a facility. This +argument will be ignored. .sp The facility argument specifies the facility under which the messages are logged. This may be any of the following facilities supported by the syslog(3) call minus the LOG_ prefix: \fBKERN\fP, \fBUSER\fP, \fBMAIL\fP, \fBDAEMON\fP, \fBAUTH\fP, \fBLPR\fP, \fBNEWS\fP, -\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. -.sp -If no severity is specified, the default is \fBERR\fP\&. If no +\fBUUCP\fP, \fBCRON\fP, and \fBLOCAL0\fP through \fBLOCAL7\fP\&. If no facility is specified, the default is \fBAUTH\fP\&. .UNINDENT .sp @@ -714,13 +754,13 @@ One Time Password request to a RADIUS server. For each token type, the following tags may be specified: .INDENT 0.0 .TP -.B \fBserver\fP +\fBserver\fP This is the server to send the RADIUS request to. It can be a hostname with optional port, an ip address with optional port, or a Unix domain socket address. The default is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/.socket\fP\&. .TP -.B \fBsecret\fP +\fBsecret\fP This tag indicates a filename (which may be relative to \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP) containing the secret used to encrypt the RADIUS packets. The secret should appear in the first line of the file by itself; @@ -729,22 +769,22 @@ the value of \fBserver\fP is a Unix domain socket address, this tag is optional, and an empty secret will be used if it is not specified. Otherwise, this tag is required. .TP -.B \fBtimeout\fP +\fBtimeout\fP An integer which specifies the time in seconds during which the KDC should attempt to contact the RADIUS server. This tag is the total time across all retries and should be less than the time which an OTP value remains valid for. The default is 5 seconds. .TP -.B \fBretries\fP +\fBretries\fP This tag specifies the number of retries to make to the RADIUS server. The default is 3 retries (4 tries). .TP -.B \fBstrip_realm\fP +\fBstrip_realm\fP If this tag is \fBtrue\fP, the principal without the realm will be passed to the RADIUS server. Otherwise, the realm will be included. The default value is \fBtrue\fP\&. .TP -.B \fBindicator\fP +\fBindicator\fP This tag specifies an authentication indicator to be included in the ticket if this token type is used to authenticate. This option may be specified multiple times. (New in release 1.14.) @@ -830,21 +870,21 @@ generic value in the [kdcdefaults] section: .UNINDENT .sp For information about the syntax of some of these options, see -\fISpecifying PKINIT identity information\fP in -\fIkrb5.conf(5)\fP\&. +Specifying PKINIT identity information in +krb5.conf(5)\&. .INDENT 0.0 .TP -.B \fBpkinit_anchors\fP +\fBpkinit_anchors\fP Specifies the location of trusted anchor (root) certificates which the KDC trusts to sign client certificates. This option is required if pkinit is to be supported by the KDC. This option may be specified multiple times. .TP -.B \fBpkinit_dh_min_bits\fP +\fBpkinit_dh_min_bits\fP Specifies the minimum number of bits the KDC is willing to accept for a client\(aqs Diffie\-Hellman key. The default is 2048. .TP -.B \fBpkinit_allow_upn\fP +\fBpkinit_allow_upn\fP Specifies that the KDC is willing to accept client certificates with the Microsoft UserPrincipalName (UPN) Subject Alternative Name (SAN). This means the KDC accepts the binding of the UPN in @@ -855,52 +895,49 @@ Without this option, the KDC will only accept certificates with the id\-pkinit\-san as defined in \fI\%RFC 4556\fP\&. There is currently no option to disable SAN checking in the KDC. .TP -.B \fBpkinit_eku_checking\fP +\fBpkinit_eku_checking\fP This option specifies what Extended Key Usage (EKU) values the KDC is willing to accept in client certificates. The values recognized in the kdc.conf file are: .INDENT 7.0 .TP -.B \fBkpClientAuth\fP +\fBkpClientAuth\fP This is the default value and specifies that client certificates must have the id\-pkinit\-KPClientAuth EKU as defined in \fI\%RFC 4556\fP\&. .TP -.B \fBscLogin\fP +\fBscLogin\fP If scLogin is specified, client certificates with the Microsoft Smart Card Login EKU (id\-ms\-kp\-sc\-logon) will be accepted. .TP -.B \fBnone\fP +\fBnone\fP If none is specified, then client certificates will not be checked to verify they have an acceptable EKU. The use of this option is not recommended. .UNINDENT .TP -.B \fBpkinit_identity\fP +\fBpkinit_identity\fP Specifies the location of the KDC\(aqs X.509 identity information. This option is required if pkinit is to be supported by the KDC. .TP -.B \fBpkinit_indicator\fP +\fBpkinit_indicator\fP Specifies an authentication indicator to include in the ticket if pkinit is used to authenticate. This option may be specified multiple times. (New in release 1.14.) .TP -.B \fBpkinit_kdc_ocsp\fP -Specifies the location of the KDC\(aqs OCSP. -.TP -.B \fBpkinit_pool\fP +\fBpkinit_pool\fP Specifies the location of intermediate certificates which may be used by the KDC to complete the trust chain between a client\(aqs certificate and a trusted anchor. This option may be specified multiple times. .TP -.B \fBpkinit_revoke\fP +\fBpkinit_revoke\fP Specifies the location of Certificate Revocation List (CRL) information to be used by the KDC when verifying the validity of client certificates. This option may be specified multiple times. .TP -.B \fBpkinit_require_crl_checking\fP +\fBpkinit_require_crl_checking\fP The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, @@ -915,6 +952,11 @@ fails. .sp \fBpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA. +.TP +\fBpkinit_require_freshness\fP +Specifies whether to require clients to include a freshness token +in PKINIT requests. The default value is false. (New in release +1.17.) .UNINDENT .SH ENCRYPTION TYPES .sp @@ -1187,10 +1229,10 @@ Here\(aqs an example of a kdc.conf file: \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP .SH SEE ALSO .sp -\fIkrb5.conf(5)\fP, \fIkrb5kdc(8)\fP, \fIkadm5.acl(5)\fP +krb5.conf(5), krb5kdc(8), kadm5.acl(5) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kdestroy.man b/src/man/kdestroy.man index 7d2e511..745ea5c 100644 --- a/src/man/kdestroy.man +++ b/src/man/kdestroy.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KDESTROY" "1" " " "1.15.2" "MIT Kerberos" +.TH "KDESTROY" "1" " " "1.17" "MIT Kerberos" .SH NAME kdestroy \- destroy Kerberos tickets . @@ -45,15 +45,16 @@ credentials cache is destroyed. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-A\fP +\fB\-A\fP Destroys all caches in the collection, if a cache collection is -available. +available. May be used with the \fB\-c\fP option to specify the +collection to be destroyed. .TP -.B \fB\-q\fP +\fB\-q\fP Run quietly. Normally kdestroy beeps if it fails to destroy the user\(aqs tickets. The \fB\-q\fP flag suppresses this behavior. .TP -.B \fB\-c\fP \fIcache_name\fP +\fB\-c\fP \fIcache_name\fP Use \fIcache_name\fP as the credentials (ticket) cache name and location; if this option is not used, the default cache name and location are used. @@ -61,6 +62,11 @@ location are used. The default credentials cache may vary between systems. If the \fBKRB5CCNAME\fP environment variable is set, its value is used to name the default ticket cache. +.TP +\fB\-p\fP \fIprinc_name\fP +If a cache collection is available, destroy the cache for +\fIprinc_name\fP instead of the primary cache. May be used with the +\fB\-c\fP option to specify the collection to be searched. .UNINDENT .SH NOTE .sp @@ -69,17 +75,8 @@ your .logout file, so that your tickets are destroyed automatically when you log out. .SH ENVIRONMENT .sp -kdestroy uses the following environment variable: -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the -\fBFILE\fP type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \fBDIR\fP causes caches within the directory -to be present in the collection. -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH FILES .INDENT 0.0 .TP @@ -88,10 +85,10 @@ Default location of Kerberos 5 credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIklist(1)\fP +kinit(1), klist(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kerberos.man b/src/man/kerberos.man new file mode 100644 index 0000000..838aae9 --- /dev/null +++ b/src/man/kerberos.man @@ -0,0 +1,202 @@ +.\" Man page generated from reStructuredText. +. +.TH "KERBEROS" "7" " " "1.17" "MIT Kerberos" +.SH NAME +kerberos \- Overview of using Kerberos +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.SH DESCRIPTION +.sp +The Kerberos system authenticates individual users in a network +environment. After authenticating yourself to Kerberos, you can use +Kerberos\-enabled programs without having to present passwords or +certificates to those programs. +.sp +If you receive the following response from kinit(1): +.sp +kinit: Client not found in Kerberos database while getting initial +credentials +.sp +you haven\(aqt been registered as a Kerberos user. See your system +administrator. +.sp +A Kerberos name usually contains three parts. The first is the +\fBprimary\fP, which is usually a user\(aqs or service\(aqs name. The second +is the \fBinstance\fP, which in the case of a user is usually null. +Some users may have privileged instances, however, such as \fBroot\fP or +\fBadmin\fP\&. In the case of a service, the instance is the fully +qualified name of the machine on which it runs; i.e. there can be an +ssh service running on the machine ABC (\fI\%ssh/ABC@REALM\fP), which is +different from the ssh service running on the machine XYZ +(\fI\%ssh/XYZ@REALM\fP). The third part of a Kerberos name is the \fBrealm\fP\&. +The realm corresponds to the Kerberos service providing authentication +for the principal. Realms are conventionally all\-uppercase, and often +match the end of hostnames in the realm (for instance, host01.example.com +might be in realm EXAMPLE.COM). +.sp +When writing a Kerberos name, the principal name is separated from the +instance (if not null) by a slash, and the realm (if not the local +realm) follows, preceded by an "@" sign. The following are examples +of valid Kerberos names: +.INDENT 0.0 +.INDENT 3.5 +.sp +.nf +.ft C +david +jennifer/admin +joeuser@BLEEP.COM +cbrown/root@FUBAR.ORG +.ft P +.fi +.UNINDENT +.UNINDENT +.sp +When you authenticate yourself with Kerberos you get an initial +Kerberos \fBticket\fP\&. (A Kerberos ticket is an encrypted protocol +message that provides authentication.) Kerberos uses this ticket for +network utilities such as ssh. The ticket transactions are done +transparently, so you don\(aqt have to worry about their management. +.sp +Note, however, that tickets expire. Administrators may configure more +privileged tickets, such as those with service or instance of \fBroot\fP +or \fBadmin\fP, to expire in a few minutes, while tickets that carry +more ordinary privileges may be good for several hours or a day. If +your login session extends beyond the time limit, you will have to +re\-authenticate yourself to Kerberos to get new tickets using the +kinit(1) command. +.sp +Some tickets are \fBrenewable\fP beyond their initial lifetime. This +means that \fBkinit \-R\fP can extend their lifetime without requiring +you to re\-authenticate. +.sp +If you wish to delete your local tickets, use the kdestroy(1) +command. +.sp +Kerberos tickets can be forwarded. In order to forward tickets, you +must request \fBforwardable\fP tickets when you kinit. Once you have +forwardable tickets, most Kerberos programs have a command line option +to forward them to the remote host. This can be useful for, e.g., +running kinit on your local machine and then sshing into another to do +work. Note that this should not be done on untrusted machines since +they will then have your tickets. +.SH ENVIRONMENT VARIABLES +.sp +Several environment variables affect the operation of Kerberos\-enabled +programs. These include: +.INDENT 0.0 +.TP +\fBKRB5CCNAME\fP +Default name for the credentials cache file, in the form +\fITYPE\fP:\fIresidual\fP\&. The type of the default cache may determine +the availability of a cache collection. \fBFILE\fP is not a +collection type; \fBKEYRING\fP, \fBDIR\fP, and \fBKCM\fP are. +.sp +If not set, the value of \fBdefault_ccache_name\fP from +configuration files (see \fBKRB5_CONFIG\fP) will be used. If that +is also not set, the default \fItype\fP is \fBFILE\fP, and the +\fIresidual\fP is the path /tmp/krb5cc_*uid*, where \fIuid\fP is the +decimal user ID of the user. +.TP +\fBKRB5_KTNAME\fP +Specifies the location of the default keytab file, in the form +\fITYPE\fP:\fIresidual\fP\&. If no \fItype\fP is present, the \fBFILE\fP type is +assumed and \fIresidual\fP is the pathname of the keytab file. If +unset, \fB@KTNAME@\fP will be used. +.TP +\fBKRB5_CONFIG\fP +Specifies the location of the Kerberos configuration file. The +default is \fB@SYSCONFDIR@\fP\fB/krb5.conf\fP\&. Multiple filenames can +be specified, separated by a colon; all files which are present +will be read. +.TP +\fBKRB5_KDC_PROFILE\fP +Specifies the location of the KDC configuration file, which +contains additional configuration directives for the Key +Distribution Center daemon and associated programs. The default +is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kdc.conf\fP\&. +.TP +\fBKRB5RCACHETYPE\fP +Specifies the default type of replay cache to use for servers. +Valid types include \fBdfl\fP for the normal file type and \fBnone\fP +for no replay cache. The default is \fBdfl\fP\&. +.TP +\fBKRB5RCACHEDIR\fP +Specifies the default directory for replay caches used by servers. +The default is the value of the \fBTMPDIR\fP environment variable, +or \fB/var/tmp\fP if \fBTMPDIR\fP is not set. +.TP +\fBKRB5_TRACE\fP +Specifies a filename to write trace log output to. Trace logs can +help illuminate decisions made internally by the Kerberos +libraries. For example, \fBenv KRB5_TRACE=/dev/stderr kinit\fP +would send tracing information for kinit(1) to +\fB/dev/stderr\fP\&. The default is not to write trace log output +anywhere. +.TP +\fBKRB5_CLIENT_KTNAME\fP +Default client keytab file name. If unset, \fB@CKTNAME@\fP will be +used). +.TP +\fBKPROP_PORT\fP +kprop(8) port to use. Defaults to 754. +.UNINDENT +.sp +Most environment variables are disabled for certain programs, such as +login system programs and setuid programs, which are designed to be +secure when run within an untrusted process environment. +.SH SEE ALSO +.sp +kdestroy(1), kinit(1), klist(1), +kswitch(1), kpasswd(1), ksu(1), +krb5.conf(5), kdc.conf(5), kadmin(1), +kadmind(8), kdb5_util(8), krb5kdc(8) +.SH BUGS +.SH AUTHORS +.nf +Steve Miller, MIT Project Athena/Digital Equipment Corporation +Clifford Neuman, MIT Project Athena +Greg Hudson, MIT Kerberos Consortium +Robbie Harwood, Red Hat, Inc. +.fi +.sp +.SH HISTORY +.sp +The MIT Kerberos 5 implementation was developed at MIT, with +contributions from many outside parties. It is currently maintained +by the MIT Kerberos Consortium. +.SH RESTRICTIONS +.sp +Copyright 1985, 1986, 1989\-1996, 2002, 2011, 2018 Masachusetts +Institute of Technology +.SH AUTHOR +MIT +.SH COPYRIGHT +1985-2019, MIT +.\" Generated by docutils manpage writer. +. diff --git a/src/man/kinit.man b/src/man/kinit.man index 30dbb58..d121cff 100644 --- a/src/man/kinit.man +++ b/src/man/kinit.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KINIT" "1" " " "1.15.2" "MIT Kerberos" +.TH "KINIT" "1" " " "1.17" "MIT Kerberos" .SH NAME kinit \- obtain and cache Kerberos ticket-granting ticket . @@ -63,11 +63,11 @@ choice of principal name. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-V\fP +\fB\-V\fP display verbose output. .TP -.B \fB\-l\fP \fIlifetime\fP -(\fIduration\fP string.) Requests a ticket with the lifetime +\fB\-l\fP \fIlifetime\fP +(duration string.) Requests a ticket with the lifetime \fIlifetime\fP\&. .sp For example, \fBkinit \-l 5:30\fP or \fBkinit \-l 5h30m\fP\&. @@ -77,62 +77,62 @@ If the \fB\-l\fP option is not specified, the default ticket lifetime longer than the maximum ticket lifetime (configured by each site) will not override the configured maximum ticket lifetime. .TP -.B \fB\-s\fP \fIstart_time\fP -(\fIduration\fP string.) Requests a postdated ticket. Postdated +\fB\-s\fP \fIstart_time\fP +(duration string.) Requests a postdated ticket. Postdated tickets are issued with the \fBinvalid\fP flag set, and need to be resubmitted to the KDC for validation before use. .sp \fIstart_time\fP specifies the duration of the delay before the ticket can become valid. .TP -.B \fB\-r\fP \fIrenewable_life\fP -(\fIduration\fP string.) Requests renewable tickets, with a total +\fB\-r\fP \fIrenewable_life\fP +(duration string.) Requests renewable tickets, with a total lifetime of \fIrenewable_life\fP\&. .TP -.B \fB\-f\fP +\fB\-f\fP requests forwardable tickets. .TP -.B \fB\-F\fP +\fB\-F\fP requests non\-forwardable tickets. .TP -.B \fB\-p\fP +\fB\-p\fP requests proxiable tickets. .TP -.B \fB\-P\fP +\fB\-P\fP requests non\-proxiable tickets. .TP -.B \fB\-a\fP +\fB\-a\fP requests tickets restricted to the host\(aqs local address[es]. .TP -.B \fB\-A\fP +\fB\-A\fP requests tickets not restricted by address. .TP -.B \fB\-C\fP +\fB\-C\fP requests canonicalization of the principal name, and allows the KDC to reply with a different client principal from the one requested. .TP -.B \fB\-E\fP +\fB\-E\fP treats the principal name as an enterprise name (implies the \fB\-C\fP option). .TP -.B \fB\-v\fP +\fB\-v\fP requests that the ticket\-granting ticket in the cache (with the \fBinvalid\fP flag set) be passed to the KDC for validation. If the ticket is within its requested time range, the cache is replaced with the validated ticket. .TP -.B \fB\-R\fP +\fB\-R\fP requests renewal of the ticket\-granting ticket. Note that an expired ticket cannot be renewed, even if the ticket is still within its renewable life. .sp Note that renewable tickets that have expired as reported by -\fIklist(1)\fP may sometimes be renewed using this option, +klist(1) may sometimes be renewed using this option, because the KDC applies a grace period to account for client\-KDC -clock skew. See \fIkrb5.conf(5)\fP \fBclockskew\fP setting. +clock skew. See krb5.conf(5) \fBclockskew\fP setting. .TP -.B \fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] +\fB\-k\fP [\fB\-i\fP | \fB\-t\fP \fIkeytab_file\fP] requests a ticket, obtained from a key in the local host\(aqs keytab. The location of the keytab may be specified with the \fB\-t\fP \fIkeytab_file\fP option, or with the \fB\-i\fP option to specify the use @@ -144,12 +144,12 @@ the KDC database and look up the key directly. This permits an administrator to obtain tickets as any principal that supports authentication based on the key. .TP -.B \fB\-n\fP +\fB\-n\fP Requests anonymous processing. Two types of anonymous principals are supported. .sp For fully anonymous Kerberos, configure pkinit on the KDC and -configure \fBpkinit_anchors\fP in the client\(aqs \fIkrb5.conf(5)\fP\&. +configure \fBpkinit_anchors\fP in the client\(aqs krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal of the form \fB@REALM\fP (an empty principal name followed by the at\-sign and a realm name). If permitted by the KDC, an anonymous ticket will be @@ -177,7 +177,7 @@ preselecting the same methods of authenticating to the KDC. .UNINDENT .INDENT 0.0 .TP -.B \fB\-T\fP \fIarmor_ccache\fP +\fB\-T\fP \fIarmor_ccache\fP Specifies the name of a credentials cache that already contains a ticket. If supported by the KDC, this cache will be used to armor the request, preventing offline dictionary attacks and allowing @@ -185,7 +185,7 @@ the use of additional preauthentication mechanisms. Armoring also makes sure that the response from the KDC is not modified in transit. .TP -.B \fB\-c\fP \fIcache_name\fP +\fB\-c\fP \fIcache_name\fP use \fIcache_name\fP as the Kerberos 5 credentials (ticket) cache location. If this option is not used, the default cache location is used. @@ -199,11 +199,11 @@ principal is selected or a new one is created and becomes the new primary cache. Otherwise, any existing contents of the default cache are destroyed by kinit. .TP -.B \fB\-S\fP \fIservice_name\fP +\fB\-S\fP \fIservice_name\fP specify an alternate service name to use when getting initial tickets. .TP -.B \fB\-X\fP \fIattribute\fP[=\fIvalue\fP] +\fB\-X\fP \fIattribute\fP[=\fIvalue\fP] specify a pre\-authentication \fIattribute\fP and \fIvalue\fP to be interpreted by pre\-authentication modules. The acceptable attribute and value values vary from module to module. This @@ -214,30 +214,24 @@ The following attributes are recognized by the PKINIT pre\-authentication mechanism: .INDENT 7.0 .TP -.B \fBX509_user_identity\fP=\fIvalue\fP +\fBX509_user_identity\fP=\fIvalue\fP specify where to find user\(aqs X509 identity information .TP -.B \fBX509_anchors\fP=\fIvalue\fP +\fBX509_anchors\fP=\fIvalue\fP specify where to find trusted X509 anchor information .TP -.B \fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] +\fBflag_RSA_PROTOCOL\fP[\fB=yes\fP] specify use of RSA, rather than the default Diffie\-Hellman protocol +.TP +\fBdisable_freshness\fP[\fB=yes\fP] +disable sending freshness tokens (for testing purposes only) .UNINDENT .UNINDENT .SH ENVIRONMENT .sp -kinit uses the following environment variables: -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -Location of the default Kerberos 5 credentials cache, in the form -\fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the \fBFILE\fP -type is assumed. The type of the default cache may determine the -availability of a cache collection; for instance, a default cache -of type \fBDIR\fP causes caches within the directory to be present -in the collection. -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH FILES .INDENT 0.0 .TP @@ -249,10 +243,10 @@ default location for the local host\(aqs keytab. .UNINDENT .SH SEE ALSO .sp -\fIklist(1)\fP, \fIkdestroy(1)\fP, kerberos(1) +klist(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/klist.man b/src/man/klist.man index a30400c..a45d00b 100644 --- a/src/man/klist.man +++ b/src/man/klist.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KLIST" "1" " " "1.15.2" "MIT Kerberos" +.TH "KLIST" "1" " " "1.17" "MIT Kerberos" .SH NAME klist \- list cached Kerberos tickets . @@ -46,24 +46,24 @@ credentials cache, or the keys held in a keytab file. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-e\fP +\fB\-e\fP Displays the encryption types of the session key and the ticket for each credential in the credential cache, or each key in the keytab file. .TP -.B \fB\-l\fP +\fB\-l\fP If a cache collection is available, displays a table summarizing the caches present in the collection. .TP -.B \fB\-A\fP +\fB\-A\fP If a cache collection is available, displays the contents of all of the caches in the collection. .TP -.B \fB\-c\fP +\fB\-c\fP List tickets held in a credentials cache. This is the default if neither \fB\-c\fP nor \fB\-k\fP is specified. .TP -.B \fB\-f\fP +\fB\-f\fP Shows the flags present in the credentials, using the following abbreviations: .INDENT 7.0 @@ -90,39 +90,39 @@ a anonymous .UNINDENT .UNINDENT .TP -.B \fB\-s\fP +\fB\-s\fP Causes klist to run silently (produce no output). klist will exit with status 1 if the credentials cache cannot be read or is expired, and with status 0 otherwise. .TP -.B \fB\-a\fP +\fB\-a\fP Display list of addresses in credentials. .TP -.B \fB\-n\fP +\fB\-n\fP Show numeric addresses instead of reverse\-resolving addresses. .TP -.B \fB\-C\fP +\fB\-C\fP List configuration data that has been stored in the credentials cache when klist encounters it. By default, configuration data is not listed. .TP -.B \fB\-k\fP +\fB\-k\fP List keys held in a keytab file. .TP -.B \fB\-i\fP +\fB\-i\fP In combination with \fB\-k\fP, defaults to using the default client keytab instead of the default acceptor keytab, if no name is given. .TP -.B \fB\-t\fP +\fB\-t\fP Display the time entry timestamps for each keytab entry in the keytab file. .TP -.B \fB\-K\fP +\fB\-K\fP Display the value of the encryption key in each keytab entry in the keytab file. .TP -.B \fB\-V\fP +\fB\-V\fP Display the Kerberos version number and exit. .UNINDENT .sp @@ -132,17 +132,8 @@ appropriate. If the \fBKRB5CCNAME\fP environment variable is set, its value is used to locate the default ticket cache. .SH ENVIRONMENT .sp -klist uses the following environment variable: -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the -\fBFILE\fP type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \fBDIR\fP causes caches within the directory -to be present in the collection. -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH FILES .INDENT 0.0 .TP @@ -154,10 +145,10 @@ Default location for the local host\(aqs keytab file. .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP +kinit(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpasswd.man b/src/man/kpasswd.man index 97fb719..716c66a 100644 --- a/src/man/kpasswd.man +++ b/src/man/kpasswd.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KPASSWD" "1" " " "1.15.2" "MIT Kerberos" +.TH "KPASSWD" "1" " " "1.17" "MIT Kerberos" .SH NAME kpasswd \- change a user's Kerberos password . @@ -53,12 +53,16 @@ Otherwise, kpasswd uses the principal name from an existing ccache if there is one; if not, the principal is derived from the identity of the user invoking the kpasswd command. .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIkadmind(8)\fP +kadmin(1), kadmind(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kprop.man b/src/man/kprop.man index 2b2e18e..f2c213a 100644 --- a/src/man/kprop.man +++ b/src/man/kprop.man @@ -1,8 +1,8 @@ .\" Man page generated from reStructuredText. . -.TH "KPROP" "8" " " "1.15.2" "MIT Kerberos" +.TH "KPROP" "8" " " "1.17" "MIT Kerberos" .SH NAME -kprop \- propagate a Kerberos V5 principal database to a slave server +kprop \- propagate a Kerberos V5 principal database to a replica server . .nr rst2man-indent-level 0 . @@ -38,47 +38,45 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [\fB\-d\fP] [\fB\-P\fP \fIport\fP] [\fB\-s\fP \fIkeytab\fP] -\fIslave_host\fP +\fIreplica_host\fP .SH DESCRIPTION .sp kprop is used to securely propagate a Kerberos V5 database dump file -from the master Kerberos server to a slave Kerberos server, which is -specified by \fIslave_host\fP\&. The dump file must be created by -\fIkdb5_util(8)\fP\&. +from the master Kerberos server to a replica Kerberos server, which is +specified by \fIreplica_host\fP\&. The dump file must be created by +kdb5_util(8)\&. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the realm of the master server. .TP -.B \fB\-f\fP \fIfile\fP +\fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is normally -\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/slave_datatrans\fP\&. +\fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/replica_datatrans\fP\&. .TP -.B \fB\-P\fP \fIport\fP -Specifies the port to use to contact the \fIkpropd(8)\fP server +\fB\-P\fP \fIport\fP +Specifies the port to use to contact the kpropd(8) server on the remote host. .TP -.B \fB\-d\fP +\fB\-d\fP Prints debugging information. .TP -.B \fB\-s\fP \fIkeytab\fP +\fB\-s\fP \fIkeytab\fP Specifies the location of the keytab file. .UNINDENT .SH ENVIRONMENT .sp -\fIkprop\fP uses the following environment variable: -.INDENT 0.0 -.IP \(bu 2 -\fBKRB5_CONFIG\fP -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkpropd(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP +kpropd(8), kdb5_util(8), krb5kdc(8), +kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kpropd.man b/src/man/kpropd.man index c4a3553..38daa5e 100644 --- a/src/man/kpropd.man +++ b/src/man/kpropd.man @@ -1,8 +1,8 @@ .\" Man page generated from reStructuredText. . -.TH "KPROPD" "8" " " "1.15.2" "MIT Kerberos" +.TH "KPROPD" "8" " " "1.17" "MIT Kerberos" .SH NAME -kpropd \- Kerberos V5 slave KDC update server +kpropd \- Kerberos V5 replica KDC update server . .nr rst2man-indent-level 0 . @@ -36,26 +36,28 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [\fB\-r\fP \fIrealm\fP] [\fB\-A\fP \fIadmin_server\fP] [\fB\-a\fP \fIacl_file\fP] -[\fB\-f\fP \fIslave_dumpfile\fP] +[\fB\-f\fP \fIreplica_dumpfile\fP] [\fB\-F\fP \fIprincipal_database\fP] [\fB\-p\fP \fIkdb5_util_prog\fP] [\fB\-P\fP \fIport\fP] +[\fB\-\-pid\-file\fP=\fIpid_file\fP] [\fB\-d\fP] [\fB\-t\fP] .SH DESCRIPTION .sp -The \fIkpropd\fP command runs on the slave KDC server. It listens for -update requests made by the \fIkprop(8)\fP program. If incremental +The \fIkpropd\fP command runs on the replica KDC server. It listens for +update requests made by the kprop(8) program. If incremental propagation is enabled, it periodically requests incremental updates from the master KDC. .sp -When the slave receives a kprop request from the master, kpropd +When the replica receives a kprop request from the master, kpropd accepts the dumped KDC database and places it in a file, and then runs -\fIkdb5_util(8)\fP to load the dumped database into the active -database which is used by \fIkrb5kdc(8)\fP\&. This allows the master -Kerberos server to use \fIkprop(8)\fP to propagate its database to -the slave servers. Upon a successful download of the KDC database -file, the slave Kerberos server will have an up\-to\-date KDC database. +kdb5_util(8) to load the dumped database into the active +database which is used by krb5kdc(8)\&. This allows the master +Kerberos server to use kprop(8) to propagate its database to +the replica servers. Upon a successful download of the KDC database +file, the replica Kerberos server will have an up\-to\-date KDC +database. .sp Where incremental propagation is not used, kpropd is commonly invoked out of inetd(8) as a nowait service. This is done by adding a line to @@ -81,56 +83,60 @@ kpropd in standalone mode; this option is now accepted for backward compatibility but does nothing. .sp Incremental propagation may be enabled with the \fBiprop_enable\fP -variable in \fIkdc.conf(5)\fP\&. If incremental propagation is -enabled, the slave periodically polls the master KDC for updates, at -an interval determined by the \fBiprop_slave_poll\fP variable. If the -slave receives updates, kpropd updates its log file with any updates -from the master. \fIkproplog(8)\fP can be used to view a summary of -the update entry log on the slave KDC. If incremental propagation is -enabled, the principal \fBkiprop/slavehostname@REALM\fP (where -\fIslavehostname\fP is the name of the slave KDC host, and \fIREALM\fP is the -name of the Kerberos realm) must be present in the slave\(aqs keytab -file. +variable in kdc.conf(5)\&. If incremental propagation is +enabled, the replica periodically polls the master KDC for updates, at +an interval determined by the \fBiprop_replica_poll\fP variable. If the +replica receives updates, kpropd updates its log file with any updates +from the master. kproplog(8) can be used to view a summary of +the update entry log on the replica KDC. If incremental propagation +is enabled, the principal \fBkiprop/replicahostname@REALM\fP (where +\fIreplicahostname\fP is the name of the replica KDC host, and \fIREALM\fP is +the name of the Kerberos realm) must be present in the replica\(aqs +keytab file. .sp -\fIkproplog(8)\fP can be used to force full replication when iprop is +kproplog(8) can be used to force full replication when iprop is enabled. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-r\fP \fIrealm\fP +\fB\-r\fP \fIrealm\fP Specifies the realm of the master server. .TP -.B \fB\-A\fP \fIadmin_server\fP +\fB\-A\fP \fIadmin_server\fP Specifies the server to be contacted for incremental updates; by default, the master admin server is contacted. .TP -.B \fB\-f\fP \fIfile\fP +\fB\-f\fP \fIfile\fP Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/from_master\fP\&. .TP -.B \fB\-p\fP -Allows the user to specify the pathname to the \fIkdb5_util(8)\fP +\fB\-p\fP +Allows the user to specify the pathname to the kdb5_util(8) program; by default the pathname used is \fB@SBINDIR@\fP\fB/kdb5_util\fP\&. .TP -.B \fB\-d\fP +\fB\-d\fP Turn on debug mode. In this mode, kpropd will not detach itself from the current job and run in the background. Instead, it will run in the foreground and print out debugging messages during the database propagation. .TP -.B \fB\-t\fP +\fB\-t\fP In standalone mode without incremental propagation, exit after one dump file is received. In incremental propagation mode, exit as soon as the database is up to date, or if the master returns an error. .TP -.B \fB\-P\fP +\fB\-P\fP Allow for an alternate port number for kpropd to listen on. This is only useful in combination with the \fB\-S\fP option. .TP -.B \fB\-a\fP \fIacl_file\fP +\fB\-a\fP \fIacl_file\fP Allows the user to specify the path to the kpropd.acl file; by default the path used is \fB@LOCALSTATEDIR@\fP\fB/krb5kdc\fP\fB/kpropd.acl\fP\&. +.TP +\fB\-\-pid\-file\fP=\fIpid_file\fP +In standalone mode, write the process ID of the daemon into +\fIpid_file\fP\&. .UNINDENT .SH ENVIRONMENT .sp @@ -148,14 +154,19 @@ kpropd uses the following environment variables: Access file for kpropd; the default location is \fB/usr/local/var/krb5kdc/kpropd.acl\fP\&. Each entry is a line containing the principal of a host from which the local machine -will allow Kerberos database propagation via \fIkprop(8)\fP\&. +will allow Kerberos database propagation via kprop(8)\&. .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkprop(8)\fP, \fIkdb5_util(8)\fP, \fIkrb5kdc(8)\fP, inetd(8) +kprop(8), kdb5_util(8), krb5kdc(8), +kerberos(7), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kproplog.man b/src/man/kproplog.man index d61741e..e0804d7 100644 --- a/src/man/kproplog.man +++ b/src/man/kproplog.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KPROPLOG" "8" " " "1.15.2" "MIT Kerberos" +.TH "KPROPLOG" "8" " " "1.17" "MIT Kerberos" .SH NAME kproplog \- display the contents of the Kerberos principal update log . @@ -39,40 +39,40 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] The kproplog command displays the contents of the KDC database update log to standard output. It can be used to keep track of incremental updates to the principal database. The update log file contains the -update log maintained by the \fIkadmind(8)\fP process on the master -KDC server and the \fIkpropd(8)\fP process on the slave KDC servers. -When updates occur, they are logged to this file. Subsequently any -KDC slave configured for incremental updates will request the current -data from the master KDC and update their log file with any updates -returned. +update log maintained by the kadmind(8) process on the master +KDC server and the kpropd(8) process on the replica KDC +servers. When updates occur, they are logged to this file. +Subsequently any KDC replica configured for incremental updates will +request the current data from the master KDC and update their log file +with any updates returned. .sp The kproplog command requires read access to the update log file. It will display update entries only for the KDC it runs on. .sp If no options are specified, kproplog displays a summary of the update log. If invoked on the master, kproplog also displays all of the -update entries. If invoked on a slave KDC server, kproplog displays +update entries. If invoked on a replica KDC server, kproplog displays only a summary of the updates, which includes the serial number of the last update received and the associated time stamp of the last update. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-R\fP -Reset the update log. This forces full resynchronization. If used -on a slave then that slave will request a full resync. If used on -the master then all slaves will request full resyncs. +\fB\-R\fP +Reset the update log. This forces full resynchronization. If +used on a replica then that replica will request a full resync. +If used on the master then all replicas will request full resyncs. .TP -.B \fB\-h\fP +\fB\-h\fP Display a summary of the update log. This information includes the database version number, state of the database, the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry. .TP -.B \fB\-e\fP \fInum\fP +\fB\-e\fP \fInum\fP Display the last \fInum\fP update entries in the log. This is useful when debugging synchronization between KDC servers. .TP -.B \fB\-v\fP +\fB\-v\fP Display individual attributes per update. An example of the output generated for one entry: .INDENT 7.0 @@ -101,17 +101,14 @@ Update Entry .UNINDENT .SH ENVIRONMENT .sp -kproplog uses the following environment variables: -.INDENT 0.0 -.IP \(bu 2 -\fBKRB5_KDC_PROFILE\fP -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkpropd(8)\fP +kpropd(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5-config.man b/src/man/krb5-config.man index c524f2a..e667018 100644 --- a/src/man/krb5-config.man +++ b/src/man/krb5-config.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5-CONFIG" "1" " " "1.15.2" "MIT Kerberos" +.TH "KRB5-CONFIG" "1" " " "1.17" "MIT Kerberos" .SH NAME krb5-config \- tool for linking against MIT Kerberos libraries . @@ -41,39 +41,39 @@ and link programs against the installed Kerberos libraries. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-\fP\fB\-help\fP +\fB\-\fP\fB\-help\fP prints a usage message. This is the default behavior when no options are specified. .TP -.B \fB\-\fP\fB\-all\fP +\fB\-\fP\fB\-all\fP prints the version, vendor, prefix, and exec\-prefix. .TP -.B \fB\-\fP\fB\-version\fP +\fB\-\fP\fB\-version\fP prints the version number of the Kerberos installation. .TP -.B \fB\-\fP\fB\-vendor\fP +\fB\-\fP\fB\-vendor\fP prints the name of the vendor of the Kerberos installation. .TP -.B \fB\-\fP\fB\-prefix\fP +\fB\-\fP\fB\-prefix\fP prints the prefix for which the Kerberos installation was built. .TP -.B \fB\-\fP\fB\-exec\-prefix\fP +\fB\-\fP\fB\-exec\-prefix\fP prints the prefix for executables for which the Kerberos installation was built. .TP -.B \fB\-\fP\fB\-defccname\fP +\fB\-\fP\fB\-defccname\fP prints the built\-in default credentials cache location. .TP -.B \fB\-\fP\fB\-defktname\fP +\fB\-\fP\fB\-defktname\fP prints the built\-in default keytab location. .TP -.B \fB\-\fP\fB\-defcktname\fP +\fB\-\fP\fB\-defcktname\fP prints the built\-in default client (initiator) keytab location. .TP -.B \fB\-\fP\fB\-cflags\fP +\fB\-\fP\fB\-cflags\fP prints the compilation flags used to build the Kerberos installation. .TP -.B \fB\-\fP\fB\-libs\fP [\fIlibrary\fP] +\fB\-\fP\fB\-libs\fP [\fIlibrary\fP] prints the compiler options needed to link against \fIlibrary\fP\&. Allowed values for \fIlibrary\fP are: .TS @@ -132,10 +132,10 @@ shell% krb5\-config \-\-libs krb5 .UNINDENT .SH SEE ALSO .sp -kerberos(1), cc(1) +kerberos(7), cc(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5.conf.man b/src/man/krb5.conf.man index 6639463..d431dce 100644 --- a/src/man/krb5.conf.man +++ b/src/man/krb5.conf.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5.CONF" "5" " " "1.15.2" "MIT Kerberos" +.TH "KRB5.CONF" "5" " " "1.17" "MIT Kerberos" .SH NAME krb5.conf \- Kerberos configuration file . @@ -46,8 +46,10 @@ underscores will be read. .SH STRUCTURE .sp The krb5.conf file is set up in the style of a Windows INI file. -Sections are headed by the section name, in square brackets. Each -section may contain zero or more relations, of the form: +Lines beginning with \(aq#\(aq or \(aq;\(aq (possibly after initial whitespace) +are ignored as comments. Sections are headed by the section name, in +square brackets. Each section may contain zero or more relations, of +the form: .INDENT 0.0 .INDENT 3.5 .sp @@ -115,7 +117,9 @@ alphanumeric characters, dashes, or underscores. Starting in release 1.15, files with names ending in ".conf" are also included, unless the name begins with ".". Included profile files are syntactically independent of their parents, so each included file must begin with a -section header. +section header. Starting in release 1.17, files are read in +alphanumeric order; in previous releases, they may be read in any +order. .sp The krb5.conf file can specify that configuration should be obtained from a loadable module, rather than the file itself, using the @@ -135,7 +139,7 @@ module MODULEPATH:RESIDUAL \fIMODULEPATH\fP may be relative to the library path of the krb5 installation, or it may be an absolute path. \fIRESIDUAL\fP is provided to the module at initialization time. If krb5.conf uses a module -directive, \fIkdc.conf(5)\fP should also use one if it exists. +directive, kdc.conf(5) should also use one if it exists. .SH SECTIONS .sp The krb5.conf file may contain the following sections: @@ -182,15 +186,15 @@ _ .TE .sp Additionally, krb5.conf may include any of the relations described in -\fIkdc.conf(5)\fP, but it is not a recommended practice. +kdc.conf(5), but it is not a recommended practice. .SS [libdefaults] .sp The libdefaults section may contain any of the following relations: .INDENT 0.0 .TP -.B \fBallow_weak_crypto\fP +\fBallow_weak_crypto\fP If this flag is set to false, then weak encryption types (as noted -in \fIEncryption_types\fP in \fIkdc.conf(5)\fP) will be filtered +in Encryption_types in kdc.conf(5)) will be filtered out of the lists \fBdefault_tgs_enctypes\fP, \fBdefault_tkt_enctypes\fP, and \fBpermitted_enctypes\fP\&. The default value for this tag is false, which may cause authentication @@ -198,7 +202,7 @@ failures in existing Kerberos infrastructures that do not support strong crypto. Users in affected environments should set this tag to true until their infrastructure adopts stronger ciphers. .TP -.B \fBap_req_checksum_type\fP +\fBap_req_checksum_type\fP An integer which specifies the type of AP\-REQ checksum to use in authenticators. This variable should be unset so the appropriate checksum for the encryption key in use will be used. This can be @@ -206,20 +210,20 @@ set if backward compatibility requires a specific checksum type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP -.B \fBcanonicalize\fP +\fBcanonicalize\fP If this flag is set to true, initial ticket requests to the KDC will request canonicalization of the client principal name, and answers with different client principals than the requested principal will be accepted. The default value is false. .TP -.B \fBccache_type\fP +\fBccache_type\fP This parameter determines the format of credential cache types -created by \fIkinit(1)\fP or other programs. The default value +created by kinit(1) or other programs. The default value is 4, which represents the most current format. Smaller values can be used for compatibility with very old implementations of Kerberos which interact with credential caches on the same host. .TP -.B \fBclockskew\fP +\fBclockskew\fP Sets the maximum allowable amount of clockskew in seconds that the library will tolerate before assuming that a Kerberos message is invalid. The default value is 300 seconds, or five minutes. @@ -230,35 +234,35 @@ their expiration time can still be used (and renewed if they are renewable tickets) if they have been expired for a shorter duration than the \fBclockskew\fP setting. .TP -.B \fBdefault_ccache_name\fP +\fBdefault_ccache_name\fP This relation specifies the name of the default credential cache. The default is \fB@CCNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP -.B \fBdefault_client_keytab_name\fP +\fBdefault_client_keytab_name\fP This relation specifies the name of the default keytab for obtaining client credentials. The default is \fB@CKTNAME@\fP\&. This relation is subject to parameter expansion (see below). New in release 1.11. .TP -.B \fBdefault_keytab_name\fP +\fBdefault_keytab_name\fP This relation specifies the default keytab name to be used by application servers such as sshd. The default is \fB@KTNAME@\fP\&. This relation is subject to parameter expansion (see below). .TP -.B \fBdefault_realm\fP +\fBdefault_realm\fP Identifies the default Kerberos realm for the client. Set its value to your Kerberos realm. If this value is not set, then a realm must be specified with every Kerberos principal when -invoking programs such as \fIkinit(1)\fP\&. +invoking programs such as kinit(1)\&. .TP -.B \fBdefault_tgs_enctypes\fP +\fBdefault_tgs_enctypes\fP Identifies the supported list of session key encryption types that the client should request when making a TGS\-REQ, in order of preference from highest to lowest. The list may be delimited with -commas or whitespace. See \fIEncryption_types\fP in -\fIkdc.conf(5)\fP for a list of the accepted values for this tag. -The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types +commas or whitespace. See Encryption_types in +kdc.conf(5) for a list of the accepted values for this tag. +The default value is \fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .sp @@ -267,12 +271,12 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. .TP -.B \fBdefault_tkt_enctypes\fP +\fBdefault_tkt_enctypes\fP Identifies the supported list of session key encryption types that the client should request when making an AS\-REQ, in order of preference from highest to lowest. The format is the same as for default_tgs_enctypes. The default value for this tag is -\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .sp @@ -281,14 +285,14 @@ compatibility purposes; stale values of this setting can prevent clients from taking advantage of new stronger enctypes when the libraries are upgraded. .TP -.B \fBdns_canonicalize_hostname\fP +\fBdns_canonicalize_hostname\fP Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully\-qualified hostnames. The default value is true. .TP -.B \fBdns_lookup_kdc\fP +\fBdns_lookup_kdc\fP Indicate whether DNS SRV records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. (Note that the admin_server @@ -304,30 +308,30 @@ it (besides the initial ticket request, which has no encrypted data), and anything the fake KDC sends will not be trusted without verification using some secret that it won\(aqt know. .TP -.B \fBdns_uri_lookup\fP +\fBdns_uri_lookup\fP Indicate whether DNS URI records should be used to locate the KDCs and other servers for a realm, if they are not listed in the krb5.conf information for the realm. SRV records are used as a fallback if no URI records were found. The default value is true. New in release 1.15. .TP -.B \fBerr_fmt\fP +\fBerr_fmt\fP This relation allows for custom error message formatting. If a value is set, error messages will be formatted by substituting a normal error message for %M and an error code for %C in the value. .TP -.B \fBextra_addresses\fP +\fBextra_addresses\fP This allows a computer to use multiple local addresses, in order to allow Kerberos to work in a network that uses NATs while still using address\-restricted tickets. The addresses should be in a comma\-separated list. This option has no effect if \fBnoaddresses\fP is true. .TP -.B \fBforwardable\fP +\fBforwardable\fP If this flag is true, initial tickets will be forwardable by default, if allowed by the KDC. The default value is false. .TP -.B \fBignore_acceptor_hostname\fP +\fBignore_acceptor_hostname\fP When accepting GSSAPI or krb5 security contexts for host\-based service principals, ignore any hostname passed by the calling application, and allow clients to authenticate to any service @@ -337,15 +341,15 @@ flexibility of server applications on multihomed hosts, but could compromise the security of virtual hosting environments. The default value is false. New in release 1.10. .TP -.B \fBk5login_authoritative\fP +\fBk5login_authoritative\fP If this flag is true, principals must be listed in a local user\(aqs -k5login file to be granted login access, if a \fI\&.k5login(5)\fP +k5login file to be granted login access, if a \&.k5login(5) file exists. If this flag is false, a principal may still be granted login access through other mechanisms even if a k5login file exists but does not list the principal. The default value is true. .TP -.B \fBk5login_directory\fP +\fBk5login_directory\fP If set, the library will look for a local user\(aqs k5login file within the named directory, with a filename corresponding to the local username. If not set, the library will look for k5login @@ -353,25 +357,25 @@ files in the user\(aqs home directory, with the filename .k5login. For security reasons, .k5login files must be owned by the local user or by root. .TP -.B \fBkcm_mach_service\fP -On OS X only, determines the name of the bootstrap service used to +\fBkcm_mach_service\fP +On macOS only, determines the name of the bootstrap service used to contact the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Mach RPC will not be used to contact the KCM daemon. The default value is \fBorg.h5l.kcm\fP\&. .TP -.B \fBkcm_socket\fP +\fBkcm_socket\fP Determines the path to the Unix domain socket used to access the KCM daemon for the KCM credential cache type. If the value is \fB\-\fP, Unix domain sockets will not be used to contact the KCM daemon. The default value is \fB/var/run/.heim_org.h5l.kcm\-socket\fP\&. .TP -.B \fBkdc_default_options\fP +\fBkdc_default_options\fP Default KDC options (Xored for multiple values) when requesting initial tickets. By default it is set to 0x00000010 (KDC_OPT_RENEWABLE_OK). .TP -.B \fBkdc_timesync\fP +\fBkdc_timesync\fP Accepted values for this relation are 1 or 0. If it is nonzero, client machines will compute the difference between their time and the time returned by the KDC in the timestamps in the tickets and @@ -380,7 +384,7 @@ requesting service tickets or authenticating to services. This corrective factor is only used by the Kerberos library; it is not used to change the system clock. The default value is 1. .TP -.B \fBkdc_req_checksum_type\fP +\fBkdc_req_checksum_type\fP An integer which specifies the type of checksum to use for the KDC requests, for compatibility with very old KDC implementations. This value is only used for DES keys; other keys use the preferred @@ -447,40 +451,41 @@ T} _ .TE .TP -.B \fBnoaddresses\fP +\fBnoaddresses\fP If this flag is true, requests for initial tickets will not be made with address restrictions set, allowing the tickets to be used across NATs. The default value is true. .TP -.B \fBpermitted_enctypes\fP +\fBpermitted_enctypes\fP Identifies all encryption types that are permitted for use in session key encryption. The default value for this tag is -\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha256\-128 aes256\-cts\-hmac\-sha384\-192 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly +\fBaes256\-cts\-hmac\-sha1\-96 aes128\-cts\-hmac\-sha1\-96 aes256\-cts\-hmac\-sha384\-192 aes128\-cts\-hmac\-sha256\-128 des3\-cbc\-sha1 arcfour\-hmac\-md5 camellia256\-cts\-cmac camellia128\-cts\-cmac des\-cbc\-crc des\-cbc\-md5 des\-cbc\-md4\fP, but single\-DES encryption types will be implicitly removed from this list if the value of \fBallow_weak_crypto\fP is false. .TP -.B \fBplugin_base_dir\fP +\fBplugin_base_dir\fP If set, determines the base directory where krb5 plugins are located. The default value is the \fBkrb5/plugins\fP subdirectory -of the krb5 library directory. +of the krb5 library directory. This relation is subject to +parameter expansion (see below) in release 1.17 and later. .TP -.B \fBpreferred_preauth_types\fP +\fBpreferred_preauth_types\fP This allows you to set the preferred preauthentication types which the client will attempt before others which may be advertised by a KDC. The default value for this setting is "17, 16, 15, 14", which forces libkrb5 to attempt to use PKINIT if it is supported. .TP -.B \fBproxiable\fP +\fBproxiable\fP If this flag is true, initial tickets will be proxiable by default, if allowed by the KDC. The default value is false. .TP -.B \fBrdns\fP +\fBrdns\fP If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If \fBdns_canonicalize_hostname\fP is set to false, this flag has no effect. The default value is true. .TP -.B \fBrealm_try_domains\fP +\fBrealm_try_domains\fP Indicate whether a host\(aqs domain components should be used to determine the Kerberos realm of the host. The value of this variable is an integer: \-1 means not to search, 0 means to try the @@ -490,11 +495,11 @@ Kerberos realms is used to determine whether a domain is a valid realm, which may involve consulting DNS if \fBdns_lookup_kdc\fP is set. The default is not to search domain components. .TP -.B \fBrenew_lifetime\fP -(\fIduration\fP string.) Sets the default renewable lifetime +\fBrenew_lifetime\fP +(duration string.) Sets the default renewable lifetime for initial ticket requests. The default value is 0. .TP -.B \fBsafe_checksum_type\fP +\fBsafe_checksum_type\fP An integer which specifies the type of checksum to use for the KRB\-SAFE requests. By default it is set to 8 (RSA MD5 DES). For compatibility with applications linked against DCE version 1.1 or @@ -503,11 +508,48 @@ DES instead. This field is ignored when its value is incompatible with the session key type. See the \fBkdc_req_checksum_type\fP configuration option for the possible values and their meanings. .TP -.B \fBticket_lifetime\fP -(\fIduration\fP string.) Sets the default lifetime for initial +\fBspake_preauth_groups\fP +A whitespace or comma\-separated list of words which specifies the +groups allowed for SPAKE preauthentication. The possible values +are: +.TS +center; +|l|l|. +_ +T{ +edwards25519 +T} T{ +Edwards25519 curve (\fI\%RFC 7748\fP) +T} +_ +T{ +P\-256 +T} T{ +NIST P\-256 curve (\fI\%RFC 5480\fP) +T} +_ +T{ +P\-384 +T} T{ +NIST P\-384 curve (\fI\%RFC 5480\fP) +T} +_ +T{ +P\-521 +T} T{ +NIST P\-521 curve (\fI\%RFC 5480\fP) +T} +_ +.TE +.sp +The default value for the client is \fBedwards25519\fP\&. The default +value for the KDC is empty. New in release 1.17. +.TP +\fBticket_lifetime\fP +(duration string.) Sets the default lifetime for initial ticket requests. The default value is 1 day. .TP -.B \fBudp_preference_limit\fP +\fBudp_preference_limit\fP When sending a message to the KDC, the library will try using TCP before UDP if the size of the message is above \fBudp_preference_limit\fP\&. If the message is smaller than @@ -515,7 +557,7 @@ before UDP if the size of the message is above Regardless of the size, both protocols will be tried if the first attempt fails. .TP -.B \fBverify_ap_req_nofail\fP +\fBverify_ap_req_nofail\fP If this flag is true, then an attempt to verify initial credentials will fail if the client machine does not have a keytab. The default value is false. @@ -528,20 +570,20 @@ define the properties of that particular realm. For each realm, the following tags may be specified in the realm\(aqs subsection: .INDENT 0.0 .TP -.B \fBadmin_server\fP +\fBadmin_server\fP Identifies the host where the administration server is running. Typically, this is the master Kerberos server. This tag must be -given a value in order to communicate with the \fIkadmind(8)\fP +given a value in order to communicate with the kadmind(8) server for the realm. .TP -.B \fBauth_to_local\fP +\fBauth_to_local\fP This tag allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated. The possible values are: .INDENT 7.0 .TP -.B \fBRULE:\fP\fIexp\fP +\fBRULE:\fP\fIexp\fP The local name will be formulated from \fIexp\fP\&. .sp The format for \fIexp\fP is \fB[\fP\fIn\fP\fB:\fP\fIstring\fP\fB](\fP\fIregexp\fP\fB)s/\fP\fIpattern\fP\fB/\fP\fIreplacement\fP\fB/g\fP\&. @@ -557,7 +599,7 @@ string. The optional \fBg\fP will cause the substitution to be global over the \fIstring\fP, instead of replacing only the first match in the \fIstring\fP\&. .TP -.B \fBDEFAULT\fP +\fBDEFAULT\fP The principal name will be used as the local user name. If the principal has more than one component or is not in the default realm, this rule is not applicable and the conversion @@ -575,7 +617,7 @@ For example: auth_to_local = RULE:[2:$1](johndoe)s/^.*$/guest/ auth_to_local = RULE:[2:$1;$2](^.*;admin$)s/;admin$// auth_to_local = RULE:[2:$2](^.*;root)s/^.*$/root/ - auto_to_local = DEFAULT + auth_to_local = DEFAULT } .ft P .fi @@ -590,18 +632,28 @@ principal with a second component of \fBroot\fP\&. The exception to these two rules are any principals \fBjohndoe/*\fP, which will always get the local name \fBguest\fP\&. .TP -.B \fBauth_to_local_names\fP +\fBauth_to_local_names\fP This subsection allows you to set explicit mappings from principal names to local user names. The tag is the mapping name, and the value is the corresponding local user name. .TP -.B \fBdefault_domain\fP +\fBdefault_domain\fP This tag specifies the domain used to expand hostnames when translating Kerberos 4 service principals to Kerberos 5 principals (for example, when converting \fBrcmd.hostname\fP to \fBhost/hostname.domain\fP). .TP -.B \fBhttp_anchors\fP +\fBdisable_encrypted_timestamp\fP +If this flag is true, the client will not perform encrypted +timestamp preauthentication if requested by the KDC. Setting this +flag can help to prevent dictionary attacks by active attackers, +if the realm\(aqs KDCs support SPAKE preauthentication or if initial +authentication always uses another mechanism or always uses FAST. +This flag persists across client referrals during initial +authentication. This flag does not prevent the KDC from offering +encrypted timestamp. New in release 1.17. +.TP +\fBhttp_anchors\fP When KDCs and kpasswd servers are accessed through HTTPS proxies, this tag can be used to specify the location of the CA certificate which should be trusted to issue the certificate for a proxy server. If left unspecified, @@ -627,7 +679,7 @@ to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY_CA\fP, where environment variable \fBX509_PROXY_CA\fP has been set to \fBFILE:/tmp/my_proxy.pem\fP\&. .TP -.B \fBkdc\fP +\fBkdc\fP The name or address of a host running a KDC for that realm. An optional port number, separated from the hostname by a colon, may be included. If the name or address contains colons (for example, @@ -637,27 +689,28 @@ be able to communicate with the KDC for each realm, this tag must be given a value in each realm subsection in the configuration file, or there must be DNS SRV records specifying the KDCs. .TP -.B \fBkpasswd_server\fP +\fBkpasswd_server\fP Points to the server where all the password changes are performed. -If there is no such entry, the port 464 on the \fBadmin_server\fP +If there is no such entry, DNS will be queried (unless forbidden +by \fBdns_lookup_kdc\fP). Finally, port 464 on the \fBadmin_server\fP host will be tried. .TP -.B \fBmaster_kdc\fP +\fBmaster_kdc\fP Identifies the master KDC(s). Currently, this tag is used in only one case: If an attempt to get credentials fails because of an invalid password, the client software will attempt to contact the master KDC, in case the user\(aqs password has just been changed, and -the updated database has not been propagated to the slave servers -yet. +the updated database has not been propagated to the replica +servers yet. .TP -.B \fBv4_instance_convert\fP +\fBv4_instance_convert\fP This subsection allows the administrator to configure exceptions to the \fBdefault_domain\fP mapping rule. It contains V4 instances (the tag name) which should be translated to some specific hostname (the tag value) as the second component in a Kerberos V5 principal name. .TP -.B \fBv4_realm\fP +\fBv4_realm\fP This relation is used by the krb524 library routines when converting a V5 principal name to a V4 principal name. It is used when the V4 realm name and the V5 realm name are not the same, but @@ -867,17 +920,17 @@ Each pluggable interface corresponds to a subsection of [plugins]. All subsections support the same tags: .INDENT 0.0 .TP -.B \fBdisable\fP +\fBdisable\fP This tag may have multiple values. If there are values for this tag, then the named modules will be disabled for the pluggable interface. .TP -.B \fBenable_only\fP +\fBenable_only\fP This tag may have multiple values. If there are values for this tag, then only the named modules will be enabled for the pluggable interface. .TP -.B \fBmodule\fP +\fBmodule\fP This tag may have multiple values. Each value is a string of the form \fBmodulename:pathname\fP, which causes the shared object located at \fIpathname\fP to be registered as a dynamic module named @@ -902,13 +955,17 @@ dynamic modules, the following built\-in modules exist (and may be disabled with the disable tag): .INDENT 0.0 .TP -.B \fBk5identity\fP +\fBk5identity\fP Uses a .k5identity file in the user\(aqs home directory to select a client principal .TP -.B \fBrealm\fP +\fBrealm\fP Uses the service realm to guess an appropriate cache from the collection +.TP +\fBhostname\fP +If the service principal is host\-based, uses the service hostname +to guess an appropriate cache from the collection .UNINDENT .SS pwqual interface .sp @@ -917,17 +974,17 @@ interface, which is used to reject weak passwords when passwords are changed. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBdict\fP +\fBdict\fP Checks against the realm dictionary file .TP -.B \fBempty\fP +\fBempty\fP Rejects empty passwords .TP -.B \fBhesiod\fP +\fBhesiod\fP Checks against user information stored in Hesiod (only if Kerberos was built with Hesiod support) .TP -.B \fBprinc\fP +\fBprinc\fP Checks against components of the principal name .UNINDENT .SS kadm5_hook interface @@ -937,6 +994,24 @@ principal creation, modification, password changes and deletion. This interface can be used to write a plugin to synchronize MIT Kerberos with another database such as Active Directory. No plugins are built in for this interface. +.SS kadm5_auth interface +.sp +The kadm5_auth section (introduced in release 1.16) controls modules +for the kadmin authorization interface, which determines whether a +client principal is allowed to perform a kadmin operation. The +following built\-in modules exist for this interface: +.INDENT 0.0 +.TP +\fBacl\fP +This module reads the kadm5.acl(5) file, and authorizes +operations which are allowed according to the rules in the file. +.TP +\fBself\fP +This module authorizes self\-service operations including password +changes, creation of new random keys, fetching the client\(aqs +principal record or string attributes, and fetching the policy +record associated with the client principal. +.UNINDENT .SS clpreauth and kdcpreauth interfaces .sp The clpreauth and kdcpreauth interfaces allow plugin modules to @@ -944,13 +1019,13 @@ provide client and KDC preauthentication mechanisms. The following built\-in modules exist for these interfaces: .INDENT 0.0 .TP -.B \fBpkinit\fP +\fBpkinit\fP This module implements the PKINIT preauthentication mechanism. .TP -.B \fBencrypted_challenge\fP +\fBencrypted_challenge\fP This module implements the encrypted challenge FAST factor. .TP -.B \fBencrypted_timestamp\fP +\fBencrypted_timestamp\fP This module implements the encrypted timestamp mechanism. .UNINDENT .SS hostrealm interface @@ -961,17 +1036,17 @@ hostnames to realm names and the choice of default realm. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBprofile\fP +\fBprofile\fP This module consults the [domain_realm] section of the profile for authoritative host\-to\-realm mappings, and the \fBdefault_realm\fP variable for the default realm. .TP -.B \fBdns\fP +\fBdns\fP This module looks for DNS records for fallback host\-to\-realm mappings and the default realm. It only operates if the \fBdns_lookup_realm\fP variable is set to true. .TP -.B \fBdomain\fP +\fBdomain\fP This module applies heuristics for fallback host\-to\-realm mappings. It implements the \fBrealm_try_domains\fP variable, and uses the uppercased parent domain of the hostname if that does not @@ -985,31 +1060,55 @@ between Kerberos principals and local system accounts. The following built\-in modules exist for this interface: .INDENT 0.0 .TP -.B \fBdefault\fP +\fBdefault\fP This module implements the \fBDEFAULT\fP type for \fBauth_to_local\fP values. .TP -.B \fBrule\fP +\fBrule\fP This module implements the \fBRULE\fP type for \fBauth_to_local\fP values. .TP -.B \fBnames\fP +\fBnames\fP This module looks for an \fBauth_to_local_names\fP mapping for the principal name. .TP -.B \fBauth_to_local\fP +\fBauth_to_local\fP This module processes \fBauth_to_local\fP values in the default realm\(aqs section, and applies the default method if no \fBauth_to_local\fP values exist. .TP -.B \fBk5login\fP +\fBk5login\fP This module authorizes a principal to a local account according to -the account\(aqs \fI\&.k5login(5)\fP file. +the account\(aqs \&.k5login(5) file. .TP -.B \fBan2ln\fP +\fBan2ln\fP This module authorizes a principal to a local account if the principal name maps to the local account name. .UNINDENT +.SS certauth interface +.sp +The certauth section (introduced in release 1.16) controls modules for +the certificate authorization interface, which determines whether a +certificate is allowed to preauthenticate a user via PKINIT. The +following built\-in modules exist for this interface: +.INDENT 0.0 +.TP +\fBpkinit_san\fP +This module authorizes the certificate if it contains a PKINIT +Subject Alternative Name for the requested client principal, or a +Microsoft UPN SAN matching the principal if \fBpkinit_allow_upn\fP +is set to true for the realm. +.TP +\fBpkinit_eku\fP +This module rejects the certificate if it does not contain an +Extended Key Usage attribute consistent with the +\fBpkinit_eku_checking\fP value for the realm. +.TP +\fBdbmatch\fP +This module authorizes or rejects the certificate according to +whether it matches the \fBpkinit_cert_match\fP string attribute on +the client principal, if that attribute is present. +.UNINDENT .SH PKINIT OPTIONS .sp \fBNOTE:\fP @@ -1074,7 +1173,7 @@ The syntax for specifying Public Key identity, trust, and revocation information for PKINIT is as follows: .INDENT 0.0 .TP -.B \fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] +\fBFILE:\fP\fIfilename\fP[\fB,\fP\fIkeyfilename\fP] This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIfilename\fP @@ -1086,7 +1185,7 @@ private key is expected to be in \fIfilename\fP as well. Otherwise, In \fBpkinit_anchors\fP or \fBpkinit_pool\fP, \fIfilename\fP is assumed to be the name of an OpenSSL\-style ca\-bundle file. .TP -.B \fBDIR:\fP\fIdirname\fP +\fBDIR:\fP\fIdirname\fP This option has context\-specific behavior. .sp In \fBpkinit_identity\fP or \fBpkinit_identities\fP, \fIdirname\fP @@ -1109,11 +1208,11 @@ named \fBhash\-of\-ca\-cert.r#\fP\&. This infrastructure is encouraged, but all files in the directory will be examined and if they contain a revocation list (in PEM format), they will be used. .TP -.B \fBPKCS12:\fP\fIfilename\fP +\fBPKCS12:\fP\fIfilename\fP \fIfilename\fP is the name of a PKCS #12 format file, containing the user\(aqs certificate and private key. .TP -.B \fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] +\fBPKCS11:\fP[\fBmodule_name=\fP]\fImodname\fP[\fB:slotid=\fP\fIslot\-id\fP][\fB:token=\fP\fItoken\-label\fP][\fB:certid=\fP\fIcert\-id\fP][\fB:certlabel=\fP\fIcert\-label\fP] All keyword/values are optional. \fImodname\fP specifies the location of a library implementing PKCS #11. If a value is encountered with no keyword, it is assumed to be the \fImodname\fP\&. If no @@ -1125,7 +1224,7 @@ force the selection of a particular certificate on the device. See the \fBpkinit_cert_match\fP configuration option for more ways to select a particular certificate to use for PKINIT. .TP -.B \fBENV:\fP\fIenvvar\fP +\fBENV:\fP\fIenvvar\fP \fIenvvar\fP specifies the name of an environment variable which has been set to a value conforming to one of the previous values. For example, \fBENV:X509_PROXY\fP, where environment variable @@ -1134,13 +1233,13 @@ example, \fBENV:X509_PROXY\fP, where environment variable .SS PKINIT krb5.conf options .INDENT 0.0 .TP -.B \fBpkinit_anchors\fP +\fBpkinit_anchors\fP Specifies the location of trusted anchor (root) certificates which the client trusts to sign KDC certificates. This option may be specified multiple times. These values from the config file are not used if the user specifies X509_anchors on the command line. .TP -.B \fBpkinit_cert_match\fP +\fBpkinit_cert_match\fP Specifies matching rules that the client certificate must match before it is used to attempt PKINIT authentication. If a user has multiple certificates available (on a smart card, or via other @@ -1225,7 +1324,7 @@ pkinit_cert_match = msScLogin,clientAuthdigitalSignature .UNINDENT .UNINDENT .TP -.B \fBpkinit_eku_checking\fP +\fBpkinit_eku_checking\fP This option specifies what Extended Key Usage value the KDC certificate presented to the client must contain. (Note that if the KDC certificate has the pkinit SubjectAlternativeName encoded @@ -1234,35 +1333,35 @@ issuing CA has certified this as a KDC certificate.) The values recognized in the krb5.conf file are: .INDENT 7.0 .TP -.B \fBkpKDC\fP +\fBkpKDC\fP This is the default value and specifies that the KDC must have the id\-pkinit\-KPKdc EKU as defined in \fI\%RFC 4556\fP\&. .TP -.B \fBkpServerAuth\fP +\fBkpServerAuth\fP If \fBkpServerAuth\fP is specified, a KDC certificate with the id\-kp\-serverAuth EKU will be accepted. This key usage value is used in most commercially issued server certificates. .TP -.B \fBnone\fP +\fBnone\fP If \fBnone\fP is specified, then the KDC certificate will not be checked to verify it has an acceptable EKU. The use of this option is not recommended. .UNINDENT .TP -.B \fBpkinit_dh_min_bits\fP +\fBpkinit_dh_min_bits\fP Specifies the size of the Diffie\-Hellman key the client will attempt to use. The acceptable values are 1024, 2048, and 4096. The default is 2048. .TP -.B \fBpkinit_identities\fP +\fBpkinit_identities\fP Specifies the location(s) to be used to find the user\(aqs X.509 -identity information. This option may be specified multiple -times. Each value is attempted in order until identity -information is found and authentication is attempted. Note that -these values are not used if the user specifies -\fBX509_user_identity\fP on the command line. +identity information. If this option is specified multiple times, +the first valid value is used; this can be used to specify an +environment variable (with \fBENV:\fP\fIenvvar\fP) followed by a +default value. Note that these values are not used if the user +specifies \fBX509_user_identity\fP on the command line. .TP -.B \fBpkinit_kdc_hostname\fP +\fBpkinit_kdc_hostname\fP The presense of this option indicates that the client is willing to accept a KDC certificate with a dNSName SAN (Subject Alternative Name) rather than requiring the id\-pkinit\-san as @@ -1270,13 +1369,13 @@ defined in \fI\%RFC 4556\fP\&. This option may be specified multiple times. Its value should contain the acceptable hostname for the KDC (as contained in its certificate). .TP -.B \fBpkinit_pool\fP +\fBpkinit_pool\fP Specifies the location of intermediate certificates which may be used by the client to complete the trust chain between a KDC certificate and a trusted anchor. This option may be specified multiple times. .TP -.B \fBpkinit_require_crl_checking\fP +\fBpkinit_require_crl_checking\fP The default certificate verification process will always check the available revocation information to see if a certificate has been revoked. If a match is found for the certificate in a CRL, @@ -1292,7 +1391,7 @@ fails. \fBpkinit_require_crl_checking\fP should be set to true if the policy is such that up\-to\-date CRLs must be present for every CA. .TP -.B \fBpkinit_revoke\fP +\fBpkinit_revoke\fP Specifies the location of Certificate Revocation List (CRL) information to be used by the client when verifying the validity of the KDC certificate presented. This option may be specified @@ -1458,6 +1557,6 @@ syslog(3) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/krb5kdc.man b/src/man/krb5kdc.man index efb52b1..8ace966 100644 --- a/src/man/krb5kdc.man +++ b/src/man/krb5kdc.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KRB5KDC" "8" " " "1.15.2" "MIT Kerberos" +.TH "KRB5KDC" "8" " " "1.17" "MIT Kerberos" .SH NAME krb5kdc \- Kerberos V5 KDC . @@ -77,12 +77,12 @@ The \fB\-P\fP \fIpid_file\fP option tells the KDC to write its PID into the KDC is still running and to allow init scripts to stop the correct process. .sp -The \fB\-p\fP \fIportnum\fP option specifies the default UDP port numbers -which the KDC should listen on for Kerberos version 5 requests, as a -comma\-separated list. This value overrides the UDP port numbers -specified in the \fIkdcdefaults\fP section of \fIkdc.conf(5)\fP, but -may be overridden by realm\-specific values. If no value is given from -any source, the default port is 88. +The \fB\-p\fP \fIportnum\fP option specifies the default UDP and TCP port +numbers which the KDC should listen on for Kerberos version 5 +requests, as a comma\-separated list. This value overrides the port +numbers specified in the kdcdefaults section of +kdc.conf(5), but may be overridden by realm\-specific values. +If no value is given from any source, the default port is 88. .sp The \fB\-w\fP \fInumworkers\fP option tells the KDC to fork \fInumworkers\fP processes to listen to the KDC ports and process requests in parallel. @@ -92,18 +92,8 @@ will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or if any other worker process exits. .sp -\fBNOTE:\fP -.INDENT 0.0 -.INDENT 3.5 -On operating systems which do not have \fIpktinfo\fP support, -using worker processes will prevent the KDC from listening -for UDP packets on network interfaces created after the KDC -starts. -.UNINDENT -.UNINDENT -.sp The \fB\-x\fP \fIdb_args\fP option specifies database\-specific arguments. -See \fIDatabase Options\fP in \fIkadmin(1)\fP for +See Database Options in kadmin(1) for supported arguments. .sp The \fB\-T\fP \fIoffset\fP option specifies a time offset, in seconds, which @@ -129,27 +119,22 @@ krb5kdc \-p 2001 \-r REALM1 \-p 2002 \-r REALM2 \-r REALM3 .sp specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3. Additionally, per\-realm parameters may be -specified in the \fIkdc.conf(5)\fP file. The location of this file +specified in the kdc.conf(5) file. The location of this file may be specified by the \fBKRB5_KDC_PROFILE\fP environment variable. Per\-realm parameters specified in this file take precedence over -options specified on the command line. See the \fIkdc.conf(5)\fP +options specified on the command line. See the kdc.conf(5) description for further details. .SH ENVIRONMENT .sp -krb5kdc uses the following environment variables: -.INDENT 0.0 -.IP \(bu 2 -\fBKRB5_CONFIG\fP -.IP \(bu 2 -\fBKRB5_KDC_PROFILE\fP -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkdb5_util(8)\fP, \fIkdc.conf(5)\fP, \fIkrb5.conf(5)\fP, -\fIkdb5_ldap_util(8)\fP +kdb5_util(8), kdc.conf(5), krb5.conf(5), +kdb5_ldap_util(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/ksu.man b/src/man/ksu.man index df59e8f..debbf29 100644 --- a/src/man/ksu.man +++ b/src/man/ksu.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KSU" "1" " " "1.15.2" "MIT Kerberos" +.TH "KSU" "1" " " "1.17" "MIT Kerberos" .SH NAME ksu \- Kerberized super-user . @@ -99,7 +99,7 @@ option, see the OPTIONS section. Upon successful authentication, ksu checks whether the target principal is authorized to access the target account. In the target user\(aqs home directory, ksu attempts to access two authorization files: -\fI\&.k5login(5)\fP and .k5users. In the .k5login file each line +\&.k5login(5) and .k5users. In the .k5login file each line contains the name of a principal that is authorized to access the account. .sp @@ -182,7 +182,7 @@ source cache. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-n\fP \fItarget_principal_name\fP +\fB\-n\fP \fItarget_principal_name\fP Specify a Kerberos target principal name. Used in authentication and authorization phases of ksu. .sp @@ -263,33 +263,33 @@ krb5cc_1984.2 .UNINDENT .INDENT 0.0 .TP -.B \fB\-k\fP +\fB\-k\fP Do not delete the target cache upon termination of the target shell or a command (\fB\-e\fP command). Without \fB\-k\fP, ksu deletes the target cache. .TP -.B \fB\-z\fP +\fB\-z\fP Restrict the copy of tickets from the source cache to the target cache to only the tickets where client == the target principal name. Use the \fB\-n\fP option if you want the tickets for other then the default principal. Note that the \fB\-z\fP option is mutually exclusive with the \fB\-Z\fP option. .TP -.B \fB\-Z\fP +\fB\-Z\fP Don\(aqt copy any tickets from the source cache to the target cache. Just create a fresh target cache, where the default principal name of the cache is initialized to the target principal name. Note that the \fB\-Z\fP option is mutually exclusive with the \fB\-z\fP option. .TP -.B \fB\-q\fP +\fB\-q\fP Suppress the printing of status messages. .UNINDENT .sp Ticket granting ticket options: .INDENT 0.0 .TP -.B \fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP +\fB\-l\fP \fIlifetime\fP \fB\-r\fP \fItime\fP \fB\-pf\fP The ticket granting ticket options only apply to the case where there are no appropriate tickets in the cache to authenticate the source user. In this case if ksu is configured to prompt users @@ -297,25 +297,25 @@ for a Kerberos password (\fBGET_TGT_VIA_PASSWD\fP is defined), the ticket granting ticket options that are specified will be used when getting a ticket granting ticket from the Kerberos server. .TP -.B \fB\-l\fP \fIlifetime\fP -(\fIduration\fP string.) Specifies the lifetime to be requested +\fB\-l\fP \fIlifetime\fP +(duration string.) Specifies the lifetime to be requested for the ticket; if this option is not specified, the default ticket lifetime (12 hours) is used instead. .TP -.B \fB\-r\fP \fItime\fP -(\fIduration\fP string.) Specifies that the \fBrenewable\fP option +\fB\-r\fP \fItime\fP +(duration string.) Specifies that the \fBrenewable\fP option should be requested for the ticket, and specifies the desired total lifetime of the ticket. .TP -.B \fB\-p\fP +\fB\-p\fP specifies that the \fBproxiable\fP option should be requested for the ticket. .TP -.B \fB\-f\fP +\fB\-f\fP option specifies that the \fBforwardable\fP option should be requested for the ticket. .TP -.B \fB\-e\fP \fIcommand\fP [\fIargs\fP ...] +\fB\-e\fP \fIcommand\fP [\fIargs\fP ...] ksu proceeds exactly the same as if it was invoked without the \fB\-e\fP option, except instead of executing the target shell, ksu executes the specified command. Example of usage: @@ -379,7 +379,7 @@ then command can be either a full or a relative path leading to the target program. Otherwise, the user must specify either a full path or just the program name. .TP -.B \fB\-a\fP \fIargs\fP +\fB\-a\fP \fIargs\fP Specify arguments to be passed to the target shell. Note that all flags and parameters following \-a will be passed to the shell, thus all options intended for ksu must precede \fB\-a\fP\&. @@ -404,7 +404,7 @@ used as follows: ksu can be compiled with the following four flags: .INDENT 0.0 .TP -.B \fBGET_TGT_VIA_PASSWD\fP +\fBGET_TGT_VIA_PASSWD\fP In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos @@ -412,17 +412,17 @@ server. The danger of configuring ksu with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed. .TP -.B \fBPRINC_LOOK_AHEAD\fP +\fBPRINC_LOOK_AHEAD\fP During the resolution of the default principal name, \fBPRINC_LOOK_AHEAD\fP enables ksu to find principal names in the .k5users file as described in the OPTIONS section (see \fB\-n\fP option). .TP -.B \fBCMD_PATH\fP +\fBCMD_PATH\fP Specifies a list of directories containing programs that users are authorized to execute (via .k5users file). .TP -.B \fBHAVE_GETUSERSHELL\fP +\fBHAVE_GETUSERSHELL\fP If the source user is non\-root, ksu insists that the target user\(aqs shell to be invoked is a "legal shell". \fIgetusershell(3)\fP is called to obtain the names of "legal shells". Note that the @@ -453,9 +453,16 @@ ksu deletes all expired tickets from the source cache. .SH AUTHOR OF KSU .sp GENNADY (ARI) MEDVINSKY +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. +.SH SEE ALSO +.sp +kerberos(7), kinit(1) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kswitch.man b/src/man/kswitch.man index afe046f..149c7bd 100644 --- a/src/man/kswitch.man +++ b/src/man/kswitch.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KSWITCH" "1" " " "1.15.2" "MIT Kerberos" +.TH "KSWITCH" "1" " " "1.17" "MIT Kerberos" .SH NAME kswitch \- switch primary ticket cache . @@ -41,27 +41,18 @@ collection, if a cache collection is available. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-c\fP \fIcachename\fP +\fB\-c\fP \fIcachename\fP Directly specifies the credential cache to be made primary. .TP -.B \fB\-p\fP \fIprincipal\fP +\fB\-p\fP \fIprincipal\fP Causes the cache collection to be searched for a cache containing credentials for \fIprincipal\fP\&. If one is found, that collection is made primary. .UNINDENT .SH ENVIRONMENT .sp -kswitch uses the following environment variables: -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -Location of the default Kerberos 5 credentials (ticket) cache, in -the form \fItype\fP:\fIresidual\fP\&. If no \fItype\fP prefix is present, the -\fBFILE\fP type is assumed. The type of the default cache may -determine the availability of a cache collection; for instance, a -default cache of type \fBDIR\fP causes caches within the directory -to be present in the collection. -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH FILES .INDENT 0.0 .TP @@ -70,10 +61,11 @@ Default location of Kerberos 5 credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP, \fIklist(1)\fP), kerberos(1) +kinit(1), kdestroy(1), klist(1), +kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/ktutil.man b/src/man/ktutil.man index 1cbcba2..4e174c0 100644 --- a/src/man/ktutil.man +++ b/src/man/ktutil.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KTUTIL" "1" " " "1.15.2" "MIT Kerberos" +.TH "KTUTIL" "1" " " "1.17" "MIT Kerberos" .SH NAME ktutil \- Kerberos keytab file maintenance utility . @@ -113,11 +113,16 @@ Alias: \fBdelent\fP .INDENT 0.0 .INDENT 3.5 \fBadd_entry\fP {\fB\-key\fP|\fB\-password\fP} \fB\-p\fP \fIprincipal\fP -\fB\-k\fP \fIkvno\fP \fB\-e\fP \fIenctype\fP +\fB\-k\fP \fIkvno\fP [\fB\-e\fP \fIenctype\fP] [\fB\-f\fP|\fB\-s\fP \fIsalt\fP] .UNINDENT .UNINDENT .sp -Add \fIprincipal\fP to keylist using key or password. +Add \fIprincipal\fP to keylist using key or password. If the \fB\-f\fP flag +is specified, salt information will be fetched from the KDC; in this +case the \fB\-e\fP flag may be omitted, or it may be supplied to force a +particular enctype. If the \fB\-f\fP flag is not specified, the \fB\-e\fP +flag must be specified, and the default salt will be used unless +overridden with the \fB\-s\fP option. .sp Alias: \fBaddent\fP .SS list_requests @@ -162,12 +167,16 @@ ktutil: .UNINDENT .UNINDENT .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkadmin(1)\fP, \fIkdb5_util(8)\fP +kadmin(1), kdb5_util(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/kvno.man b/src/man/kvno.man index 441ebb9..90b878f 100644 --- a/src/man/kvno.man +++ b/src/man/kvno.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "KVNO" "1" " " "1.15.2" "MIT Kerberos" +.TH "KVNO" "1" " " "1.17" "MIT Kerberos" .SH NAME kvno \- print key version numbers of Kerberos principals . @@ -40,6 +40,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [\fB\-P\fP] [\fB\-S\fP \fIsname\fP] [\fB\-U\fP \fIfor_user\fP] +[\fB\-\-u2u\fP \fIccache\fP] \fIservice1 service2\fP ... .SH DESCRIPTION .sp @@ -48,50 +49,52 @@ and prints out the key version numbers of each. .SH OPTIONS .INDENT 0.0 .TP -.B \fB\-c\fP \fIccache\fP +\fB\-c\fP \fIccache\fP Specifies the name of a credentials cache to use (if not the default) .TP -.B \fB\-e\fP \fIetype\fP +\fB\-e\fP \fIetype\fP Specifies the enctype which will be requested for the session key of all the services named on the command line. This is useful in certain backward compatibility situations. .TP -.B \fB\-q\fP +\fB\-q\fP Suppress printing output when successful. If a service ticket cannot be obtained, an error message will still be printed and kvno will exit with nonzero status. .TP -.B \fB\-h\fP +\fB\-h\fP Prints a usage statement and exits. .TP -.B \fB\-P\fP +\fB\-P\fP Specifies that the \fIservice1 service2\fP ... arguments are to be treated as services for which credentials should be acquired using constrained delegation. This option is only valid when used in conjunction with protocol transition. .TP -.B \fB\-S\fP \fIsname\fP +\fB\-S\fP \fIsname\fP Specifies that the \fIservice1 service2\fP ... arguments are interpreted as hostnames, and the service principals are to be constructed from those hostnames and the service name \fIsname\fP\&. The service hostnames will be canonicalized according to the usual rules for constructing service principals. .TP -.B \fB\-U\fP \fIfor_user\fP +\fB\-U\fP \fIfor_user\fP Specifies that protocol transition (S4U2Self) is to be used to acquire a ticket on behalf of \fIfor_user\fP\&. If constrained delegation is not requested, the service name must match the credentials cache client principal. +.TP +\fB\-\-u2u\fP \fIccache\fP +Requests a user\-to\-user ticket. \fIccache\fP must contain a local +krbtgt ticket for the server principal. The reported version +number will typically be 0, as the resulting ticket is not +encrypted in the server\(aqs long\-term key. .UNINDENT .SH ENVIRONMENT .sp -kvno uses the following environment variable: -.INDENT 0.0 -.TP -.B \fBKRB5CCNAME\fP -Location of the credentials (ticket) cache. -.UNINDENT +See kerberos(7) for a description of Kerberos environment +variables. .SH FILES .INDENT 0.0 .TP @@ -100,10 +103,10 @@ Default location of the credentials cache .UNINDENT .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIkdestroy(1)\fP +kinit(1), kdestroy(1), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sclient.man b/src/man/sclient.man index 42434a6..0ff40b8 100644 --- a/src/man/sclient.man +++ b/src/man/sclient.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SCLIENT" "1" " " "1.15.2" "MIT Kerberos" +.TH "SCLIENT" "1" " " "1.17" "MIT Kerberos" .SH NAME sclient \- sample Kerberos version 5 client . @@ -36,15 +36,19 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] .SH DESCRIPTION .sp sclient is a sample application, primarily useful for testing -purposes. It contacts a sample server \fIsserver(8)\fP and +purposes. It contacts a sample server sserver(8) and authenticates to it using Kerberos version 5 tickets, then displays the server\(aqs response. +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIkinit(1)\fP, \fIsserver(8)\fP +kinit(1), sserver(8), kerberos(7) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/man/sserver.man b/src/man/sserver.man index 2d975ba..b40eee1 100644 --- a/src/man/sserver.man +++ b/src/man/sserver.man @@ -1,6 +1,6 @@ .\" Man page generated from reStructuredText. . -.TH "SSERVER" "8" " " "1.15.2" "MIT Kerberos" +.TH "SSERVER" "8" " " "1.17" "MIT Kerberos" .SH NAME sserver \- sample Kerberos version 5 server . @@ -38,7 +38,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] [ \fIserver_port\fP ] .SH DESCRIPTION .sp -sserver and \fIsclient(1)\fP are a simple demonstration client/server +sserver and sclient(1) are a simple demonstration client/server application. When sclient connects to sserver, it performs a Kerberos authentication, and then sserver returns to sclient the Kerberos principal which was used for the Kerberos authentication. It makes a @@ -47,7 +47,7 @@ good test that Kerberos has been successfully installed on a machine. The service name used by sserver and sclient is sample. Hence, sserver will require that there be a keytab entry for the service \fBsample/hostname.domain.name@REALM.NAME\fP\&. This keytab is generated -using the \fIkadmin(1)\fP program. The keytab file is usually +using the kadmin(1) program. The keytab file is usually installed as \fB@KTNAME@\fP\&. .sp The \fB\-S\fP option allows for a different keytab than the default. @@ -80,8 +80,8 @@ sample 13135/tcp .UNINDENT .sp When using sclient, you will first have to have an entry in the -Kerberos database, by using \fIkadmin(1)\fP, and then you have to get -Kerberos tickets, by using \fIkinit(1)\fP\&. Also, if you are running +Kerberos database, by using kadmin(1), and then you have to get +Kerberos tickets, by using kinit(1)\&. Also, if you are running the sclient program on a different host than the sserver it will be connecting to, be sure that both hosts have an entry in /etc/services for the sample tcp port, and that the same port number is in both @@ -164,7 +164,7 @@ sclient: Server not found in Kerberos database while using .sp This means that the \fBsample/hostname@LOCAL.REALM\fP service was not defined in the Kerberos database; it should be created using -\fIkadmin(1)\fP, and a keytab file needs to be generated to make +kadmin(1), and a keytab file needs to be generated to make the key for that service principal available for sclient. .IP 5. 3 sclient returns the error: @@ -183,12 +183,16 @@ sendauth rejected, error reply is: This probably means sserver couldn\(aqt find the keytab file. It was probably not installed in the proper directory. .UNINDENT +.SH ENVIRONMENT +.sp +See kerberos(7) for a description of Kerberos environment +variables. .SH SEE ALSO .sp -\fIsclient(1)\fP, services(5), inetd(8) +sclient(1), kerberos(7), services(5), inetd(8) .SH AUTHOR MIT .SH COPYRIGHT -1985-2017, MIT +1985-2019, MIT .\" Generated by docutils manpage writer. . diff --git a/src/patchlevel.h b/src/patchlevel.h index 085f43a..e37e52a 100644 --- a/src/patchlevel.h +++ b/src/patchlevel.h @@ -50,8 +50,8 @@ * organization. */ #define KRB5_MAJOR_RELEASE 1 -#define KRB5_MINOR_RELEASE 15 -#define KRB5_PATCHLEVEL 2 +#define KRB5_MINOR_RELEASE 17 +#define KRB5_PATCHLEVEL 0 /* #undef KRB5_RELTAIL */ -#define KRB5_RELDATE "20170925" -#define KRB5_RELTAG "krb5-1.15.2-final" +/* #undef KRB5_RELDATE */ +#define KRB5_RELTAG "krb5-1.17-final" diff --git a/src/plugins/audit/kdc_j_encode.c b/src/plugins/audit/kdc_j_encode.c index e24f4d8..265e95b 100755 --- a/src/plugins/audit/kdc_j_encode.c +++ b/src/plugins/audit/kdc_j_encode.c @@ -861,22 +861,19 @@ tkt_to_value(krb5_ticket *tkt, k5_json_object obj, ret = int32_to_value(part2->session->enctype, tmp, AU_SESS_ETYPE); if (ret) goto error; - if (&part2->times) { - ret = int32_to_value(part2->times.starttime, tmp, AU_START); - if (ret) - goto error; - ret = int32_to_value(part2->times.endtime, tmp, AU_END); - if (ret) - goto error; - ret = int32_to_value(part2->times.renew_till, tmp, AU_RENEW_TILL); - if (ret) - goto error; - ret = int32_to_value(part2->times.authtime, tmp, AU_AUTHTIME); - if (ret) - goto error; - } - if (&part2->transited && &part2->transited.tr_contents && - part2->transited.tr_contents.length > 0) { + ret = int32_to_value(part2->times.starttime, tmp, AU_START); + if (ret) + goto error; + ret = int32_to_value(part2->times.endtime, tmp, AU_END); + if (ret) + goto error; + ret = int32_to_value(part2->times.renew_till, tmp, AU_RENEW_TILL); + if (ret) + goto error; + ret = int32_to_value(part2->times.authtime, tmp, AU_AUTHTIME); + if (ret) + goto error; + if (part2->transited.tr_contents.length > 0) { ret = data_to_value(&part2->transited.tr_contents, tmp, AU_TR_CONTENTS); if (ret) diff --git a/src/plugins/authdata/greet_server/greet_auth.c b/src/plugins/authdata/greet_server/greet_auth.c index 1f1e9de..7ef8f66 100644 --- a/src/plugins/authdata/greet_server/greet_auth.c +++ b/src/plugins/authdata/greet_server/greet_auth.c @@ -83,10 +83,9 @@ greet_kdc_sign(krb5_context context, if (code == 0) { krb5_free_authdata(context, enc_tkt_reply->authorization_data); enc_tkt_reply->authorization_data = tkt_authdata; - } else { - krb5_free_authdata(context, if_relevant); } + krb5_free_authdata(context, if_relevant); krb5_free_authdata(context, kdc_issued); return code; diff --git a/src/plugins/certauth/test/Makefile.in b/src/plugins/certauth/test/Makefile.in new file mode 100644 index 0000000..d352408 --- /dev/null +++ b/src/plugins/certauth/test/Makefile.in @@ -0,0 +1,20 @@ +mydir=plugins$(S)certauth$(S)test +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=certauth_test +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/certauth/test +SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) + +STLIBOBJS=main.o + +SRCS=$(srcdir)/main.c + +all-unix: all-libs +install-unix: +clean-unix:: clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/certauth/test/certauth_test.exports b/src/plugins/certauth/test/certauth_test.exports new file mode 100644 index 0000000..1c8cd24 --- /dev/null +++ b/src/plugins/certauth/test/certauth_test.exports @@ -0,0 +1,2 @@ +certauth_test1_initvt +certauth_test2_initvt diff --git a/src/plugins/certauth/test/deps b/src/plugins/certauth/test/deps new file mode 100644 index 0000000..2974b3b --- /dev/null +++ b/src/plugins/certauth/test/deps @@ -0,0 +1,14 @@ +# +# Generated makefile dependencies follow. +# +main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/certauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + main.c diff --git a/src/plugins/certauth/test/main.c b/src/plugins/certauth/test/main.c new file mode 100644 index 0000000..7764123 --- /dev/null +++ b/src/plugins/certauth/test/main.c @@ -0,0 +1,211 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/certauth/main.c - certauth plugin test modules. */ +/* + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include "krb5/certauth_plugin.h" + +struct krb5_certauth_moddata_st { + int initialized; +}; + +/* Test module 1 returns OK with an indicator. */ +static krb5_error_code +test1_authorize(krb5_context context, krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out) +{ + char **ais = NULL; + + ais = calloc(2, sizeof(*ais)); + assert(ais != NULL); + ais[0] = strdup("test1"); + assert(ais[0] != NULL); + *authinds_out = ais; + return KRB5_PLUGIN_NO_HANDLE; +} + +static void +test_free_ind(krb5_context context, krb5_certauth_moddata moddata, + char **authinds) +{ + size_t i; + + if (authinds == NULL) + return; + for (i = 0; authinds[i] != NULL; i++) + free(authinds[i]); + free(authinds); +} + +/* A basic moddata test. */ +static krb5_error_code +test2_init(krb5_context context, krb5_certauth_moddata *moddata_out) +{ + krb5_certauth_moddata mod; + + mod = calloc(1, sizeof(*mod)); + assert(mod != NULL); + mod->initialized = 1; + *moddata_out = mod; + return 0; +} + +static void +test2_fini(krb5_context context, krb5_certauth_moddata moddata) +{ + free(moddata); +} + +/* Return true if cert appears to contain the CN name, based on a search of the + * DER encoding. */ +static krb5_boolean +has_cn(krb5_context context, const uint8_t *cert, size_t cert_len, + const char *name) +{ + krb5_boolean match = FALSE; + uint8_t name_len, cntag[5] = "\x06\x03\x55\x04\x03"; + const uint8_t *c; + struct k5buf buf; + size_t c_left; + + /* Construct a DER search string of the CN AttributeType encoding followed + * by a UTF8String encoding containing name as the AttributeValue. */ + k5_buf_init_dynamic(&buf); + k5_buf_add_len(&buf, cntag, sizeof(cntag)); + k5_buf_add(&buf, "\x0C"); + assert(strlen(name) < 128); + name_len = strlen(name); + k5_buf_add_len(&buf, &name_len, 1); + k5_buf_add_len(&buf, name, name_len); + assert(k5_buf_status(&buf) == 0); + + /* Check for the CN needle in the certificate haystack. */ + c_left = cert_len; + c = memchr(cert, *cntag, c_left); + while (c != NULL) { + c_left = cert_len - (c - cert); + if (buf.len > c_left) + break; + if (memcmp(c, buf.data, buf.len) == 0) { + match = TRUE; + break; + } + assert(c_left >= 1); + c = memchr(c + 1, *cntag, c_left - 1); + } + + k5_buf_free(&buf); + return match; +} + +/* + * Test module 2 returns OK if princ matches the CN part of the subject name, + * and returns indicators of the module name and princ. + */ +static krb5_error_code +test2_authorize(krb5_context context, krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out) +{ + krb5_error_code ret; + char *name = NULL, **ais = NULL; + + *authinds_out = NULL; + + assert(moddata != NULL && moddata->initialized); + + ret = krb5_unparse_name_flags(context, princ, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, &name); + if (ret) + goto cleanup; + + if (!has_cn(context, cert, cert_len, name)) { + ret = KRB5KDC_ERR_CERTIFICATE_MISMATCH; + goto cleanup; + } + + /* Create an indicator list with the module name and CN. */ + ais = calloc(3, sizeof(*ais)); + assert(ais != NULL); + ais[0] = strdup("test2"); + ais[1] = strdup(name); + assert(ais[0] != NULL && ais[1] != NULL); + *authinds_out = ais; + + ais = NULL; + +cleanup: + krb5_free_unparsed_name(context, name); + return ret; +} + +krb5_error_code +certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +certauth_test1_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_certauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_certauth_vtable)vtable; + vt->name = "test1"; + vt->authorize = test1_authorize; + vt->free_ind = test_free_ind; + return 0; +} + +krb5_error_code +certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +certauth_test2_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_certauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_certauth_vtable)vtable; + vt->name = "test2"; + vt->authorize = test2_authorize; + vt->init = test2_init; + vt->fini = test2_fini; + vt->free_ind = test_free_ind; + return 0; +} diff --git a/src/plugins/kadm5_auth/test/Makefile.in b/src/plugins/kadm5_auth/test/Makefile.in new file mode 100644 index 0000000..825c4ae --- /dev/null +++ b/src/plugins/kadm5_auth/test/Makefile.in @@ -0,0 +1,20 @@ +mydir=plugins$(S)kadm5_auth$(S)test +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=kadm5_auth_test +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/kadm5_auth/test +SHLIB_EXPDEPS=$(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS=$(KDB5_LIBS) $(KRB5_BASE_LIBS) $(LIBS) + +STLIBOBJS=main.o + +SRCS=$(srcdir)/main.c + +all-unix: all-libs +install-unix: +clean-unix:: clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/kadm5_auth/test/deps b/src/plugins/kadm5_auth/test/deps new file mode 100644 index 0000000..a2b74c2 --- /dev/null +++ b/src/plugins/kadm5_auth/test/deps @@ -0,0 +1,22 @@ +# +# Generated makefile dependencies follow. +# +main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kadm5_auth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h main.c diff --git a/src/plugins/kadm5_auth/test/kadm5_auth_test.exports b/src/plugins/kadm5_auth/test/kadm5_auth_test.exports new file mode 100644 index 0000000..31319af --- /dev/null +++ b/src/plugins/kadm5_auth/test/kadm5_auth_test.exports @@ -0,0 +1,2 @@ +kadm5_auth_welcomer_initvt +kadm5_auth_bouncer_initvt diff --git a/src/plugins/kadm5_auth/test/main.c b/src/plugins/kadm5_auth/test/main.c new file mode 100644 index 0000000..6899f22 --- /dev/null +++ b/src/plugins/kadm5_auth/test/main.c @@ -0,0 +1,305 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/kadm5_auth/test/main.c - test modules for kadm5_auth interface */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This file implements two testing kadm5_auth modules, the welcomer and the + * bouncer. The welcomer implements permissive behavior, while the bouncer + * implements restrictive behavior. + * + * Module data objects and restrictions are adequately tested by the acl + * module, so we do not test them here. Focus instead on the ability to + * examine principal and policy objects and to perform DB operations. + */ + +#include "k5-int.h" +#include +#include + +krb5_error_code +kadm5_auth_welcomer_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +kadm5_auth_bouncer_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +/* The welcomer authorizes all getprinc operations, since kadmin uses them as a + * precursor to modprinc. */ +static krb5_error_code +welcomer_getprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + return 0; +} + +/* The welcomer authorizes addprinc operations which set a policy "VIP". */ +static krb5_error_code +welcomer_addprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + if ((mask & KADM5_POLICY) && strcmp(ent->policy, "VIP") == 0) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies addprinc operations which include a maximum lifetime. */ +static krb5_error_code +bouncer_addprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + return (mask & KADM5_MAX_LIFE) ? EPERM : KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes modprinc operations which only set maxrenewlife. */ +static krb5_error_code +welcomer_modprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + return (mask == KADM5_MAX_RLIFE) ? 0 : KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies modprinc operations if the target principal has an even + * number of components. */ +static krb5_error_code +bouncer_modprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const struct _kadm5_principal_ent_t *ent, long mask, + struct kadm5_auth_restrictions **rs_out) +{ + return (target->length % 2 == 0) ? EPERM : KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes setstr operations for the attribute "note". */ +static krb5_error_code +welcomer_setstr(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const char *key, const char *value) +{ + return (strcmp(key, "note") == 0) ? 0 : KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies setstr operations if the value is more than 10 bytes. */ +static krb5_error_code +bouncer_setstr(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target, + const char *key, const char *value) +{ + return (strlen(value) > 10) ? EPERM : KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes delprinc operations if the target principal starts + * with "d". */ +static krb5_error_code +welcomer_delprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + if (target->length > 0 && target->data[0].length > 0 && + *target->data[0].data == 'd') + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies delprinc operations if the target principal has the + * "nodelete" string attribute. */ +static krb5_error_code +bouncer_delprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal target) +{ + krb5_error_code ret; + krb5_db_entry *ent; + char *val = NULL; + + if (krb5_db_get_principal(context, target, 0, &ent) != 0) + return EPERM; + ret = krb5_dbe_get_string(context, ent, "nodelete", &val); + krb5_db_free_principal(context, ent); + ret = (ret != 0 || val != NULL) ? EPERM : KRB5_PLUGIN_NO_HANDLE; + krb5_dbe_free_string(context, val); + return ret; +} + +/* The welcomer authorizes rename operations if the first components of the + * principals have the same length. */ +static krb5_error_code +welcomer_renprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal src, + krb5_const_principal dest) +{ + if (src->length > 0 && dest->length > 0 && + src->data[0].length == dest->data[0].length) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies rename operations if the source principal starts with + * "a". */ +static krb5_error_code +bouncer_renprinc(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, krb5_const_principal src, + krb5_const_principal dest) +{ + if (src->length > 0 && src->data[0].length > 0 && + *src->data[0].data == 'a') + return EPERM; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes addpol operations which set a minlength of 3. */ +static krb5_error_code +welcomer_addpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + if ((mask & KADM5_PW_MIN_LENGTH) && ent->pw_min_length == 3) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies addpol operations if the name is 3 bytes or less. */ +static krb5_error_code +bouncer_addpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + return (strlen(policy) <= 3) ? EPERM : KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes modpol operations which only change min_life. */ +static krb5_error_code +welcomer_modpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + return (mask == KADM5_PW_MIN_LIFE) ? 0 : KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies modpol operations which set pw_min_life above 10. */ +static krb5_error_code +bouncer_modpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const struct _kadm5_policy_ent_t *ent, long mask) +{ + if ((mask & KADM5_PW_MIN_LIFE) && ent->pw_min_life > 10) + return EPERM; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer authorizes getpol operations if the policy and client principal + * policy have the same length. */ +static krb5_error_code +welcomer_getpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const char *client_policy) +{ + if (client_policy != NULL && strlen(policy) == strlen(client_policy)) + return 0; + return KRB5_PLUGIN_NO_HANDLE; +} + +/* The bouncer denies getpol operations if the policy name begins with 'x'. */ +static krb5_error_code +bouncer_getpol(krb5_context context, kadm5_auth_moddata data, + krb5_const_principal client, const char *policy, + const char *client_policy) +{ + return (*policy == 'x') ? EPERM : KRB5_PLUGIN_NO_HANDLE; +} + +/* The welcomer counts end calls by incrementing the "ends" string attribute on + * the "opcount" principal, if it exists. */ +static void +welcomer_end(krb5_context context, kadm5_auth_moddata data) +{ + krb5_principal princ = NULL; + krb5_db_entry *ent = NULL; + char *val = NULL, buf[10]; + + if (krb5_parse_name(context, "opcount", &princ) != 0) + goto cleanup; + if (krb5_db_get_principal(context, princ, 0, &ent) != 0) + goto cleanup; + if (krb5_dbe_get_string(context, ent, "ends", &val) != 0 || val == NULL) + goto cleanup; + snprintf(buf, sizeof(buf), "%d", atoi(val) + 1); + if (krb5_dbe_set_string(context, ent, "ends", buf) != 0) + goto cleanup; + ent->mask = KADM5_TL_DATA; + krb5_db_put_principal(context, ent); + +cleanup: + krb5_dbe_free_string(context, val); + krb5_db_free_principal(context, ent); + krb5_free_principal(context, princ); +} + +krb5_error_code +kadm5_auth_welcomer_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + kadm5_auth_vtable vt = (kadm5_auth_vtable)vtable; + + vt->name = "welcomer"; + vt->addprinc = welcomer_addprinc; + vt->modprinc = welcomer_modprinc; + vt->setstr = welcomer_setstr; + vt->delprinc = welcomer_delprinc; + vt->renprinc = welcomer_renprinc; + vt->getprinc = welcomer_getprinc; + vt->addpol = welcomer_addpol; + vt->modpol = welcomer_modpol; + vt->getpol = welcomer_getpol; + vt->end = welcomer_end; + return 0; +} + +krb5_error_code +kadm5_auth_bouncer_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + kadm5_auth_vtable vt = (kadm5_auth_vtable)vtable; + + vt->name = "bouncer"; + vt->addprinc = bouncer_addprinc; + vt->modprinc = bouncer_modprinc; + vt->setstr = bouncer_setstr; + vt->delprinc = bouncer_delprinc; + vt->renprinc = bouncer_renprinc; + vt->addpol = bouncer_addpol; + vt->modpol = bouncer_modpol; + vt->getpol = bouncer_getpol; + return 0; +} diff --git a/src/plugins/kdb/db2/db2_exp.c b/src/plugins/kdb/db2/db2_exp.c index 1a41481..4d905db 100644 --- a/src/plugins/kdb/db2/db2_exp.c +++ b/src/plugins/kdb/db2/db2_exp.c @@ -167,9 +167,12 @@ WRAP_K (krb5_db2_check_policy_as, WRAP_VOID (krb5_db2_audit_as_req, (krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, krb5_timestamp authtime, krb5_error_code error_code), - (kcontext, request, client, server, authtime, error_code)); + (kcontext, request, local_addr, remote_addr, client, server, + authtime, error_code)); static krb5_error_code hack_init (void) diff --git a/src/plugins/kdb/db2/kdb_db2.c b/src/plugins/kdb/db2/kdb_db2.c index 4c4036e..5106a5c 100644 --- a/src/plugins/kdb/db2/kdb_db2.c +++ b/src/plugins/kdb/db2/kdb_db2.c @@ -110,11 +110,11 @@ * a bug, since the database may be inconsistant. Note that the * absence of a semaphore file does not prevent another _update_ from * taking place later. Database replacements take place automatically - * only on slave servers; a crash in the middle of an update will be - * fixed by the next slave propagation. A crash in the middle of an - * update on the master would be somewhat more serious, but this would - * likely be noticed by an administrator, who could fix the problem and - * retry the operation. + * only on replica servers; a crash in the middle of an update will be + * fixed by the next propagation. A crash in the middle of an on the + * master would be somewhat more serious, but this would likely be + * noticed by an administrator, who could fix the problem and retry + * the operation. */ /* Evaluate to true if the krb5_context c contains an initialized db2 @@ -1314,13 +1314,6 @@ krb5_db2_delete_policy(krb5_context context, char *policy) return osa_adb_destroy_policy(dbc->policy_db, policy); } -void -krb5_db2_free_policy(krb5_context context, osa_policy_ent_t entry) -{ - osa_free_policy_ent(entry); -} - - /* * Merge non-replicated attributes from src into dst, setting * changed to non-zero if dst was changed. @@ -1558,8 +1551,10 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_timestamp authtime, krb5_error_code error_code) + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, + krb5_db_entry *server, krb5_timestamp authtime, + krb5_error_code error_code) { (void) krb5_db2_lockout_audit(kcontext, client, authtime, error_code); } diff --git a/src/plugins/kdb/db2/kdb_db2.h b/src/plugins/kdb/db2/kdb_db2.h index b1b50c8..349244d 100644 --- a/src/plugins/kdb/db2/kdb_db2.h +++ b/src/plugins/kdb/db2/kdb_db2.h @@ -134,7 +134,10 @@ krb5_db2_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_db2_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, krb5_db_entry *server, - krb5_timestamp authtime, krb5_error_code error_code); + krb5_timestamp authtime, + krb5_error_code error_code); #endif /* KRB5_KDB_DB2_H */ diff --git a/src/plugins/kdb/db2/libdb2/btree/bt_utils.c b/src/plugins/kdb/db2/libdb2/btree/bt_utils.c index 1a34598..be2f24f 100644 --- a/src/plugins/kdb/db2/libdb2/btree/bt_utils.c +++ b/src/plugins/kdb/db2/libdb2/btree/bt_utils.c @@ -216,8 +216,8 @@ int __bt_defcmp(a, b) const DBT *a, *b; { - register size_t len; - register u_char *p1, *p2; + size_t len; + u_char *p1, *p2; /* * XXX @@ -246,8 +246,8 @@ size_t __bt_defpfx(a, b) const DBT *a, *b; { - register u_char *p1, *p2; - register size_t cnt, len; + u_char *p1, *p2; + size_t cnt, len; cnt = 1; len = MIN(a->size, b->size); diff --git a/src/plugins/kdb/db2/libdb2/hash/hash.c b/src/plugins/kdb/db2/libdb2/hash/hash.c index 76f5d47..862dbb1 100644 --- a/src/plugins/kdb/db2/libdb2/hash/hash.c +++ b/src/plugins/kdb/db2/libdb2/hash/hash.c @@ -103,26 +103,15 @@ __kdb2_hash_open(file, flags, mode, info, dflags) DB *dbp; DBT mpool_key; HTAB *hashp; - int32_t bpages, csize, new_table, save_errno, specified_file; + int32_t bpages, csize, new_table, save_errno; - if ((flags & O_ACCMODE) == O_WRONLY) { + if (!file || (flags & O_ACCMODE) == O_WRONLY) { errno = EINVAL; return (NULL); } if (!(hashp = (HTAB *)calloc(1, sizeof(HTAB)))) return (NULL); hashp->fp = -1; - - /* set this now, before file goes away... */ - specified_file = (file != NULL); - if (!file) { - file = tmpnam(NULL); - /* store the file name so that we can unlink it later */ - hashp->fname = file; -#ifdef DEBUG - fprintf(stderr, "Using file name %s.\n", file); -#endif - } /* * Even if user wants write only, we need to be able to read * the actual file, so we need to open it read/write. But, the @@ -130,7 +119,7 @@ __kdb2_hash_open(file, flags, mode, info, dflags) * we can check accesses. */ hashp->flags = flags; - hashp->save_file = specified_file && (hashp->flags & O_RDWR); + hashp->save_file = hashp->flags & O_RDWR; new_table = 0; if (!file || (flags & O_TRUNC) || @@ -542,8 +531,6 @@ hdestroy(hashp) /* we need to chmod the file to allow it to be deleted... */ chmod(hashp->fname, 0700); unlink(hashp->fname); - /* destroy the temporary name */ - tmpnam(NULL); } free(hashp); diff --git a/src/plugins/kdb/db2/libdb2/recno/rec_search.c b/src/plugins/kdb/db2/libdb2/recno/rec_search.c index 1504262..244d79f 100644 --- a/src/plugins/kdb/db2/libdb2/recno/rec_search.c +++ b/src/plugins/kdb/db2/libdb2/recno/rec_search.c @@ -66,8 +66,8 @@ __rec_search(t, recno, op) recno_t recno; enum SRCHOP op; { - register indx_t idx; - register PAGE *h; + indx_t idx; + PAGE *h; EPGNO *parent; RINTERNAL *r; db_pgno_t pg; diff --git a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c index 8281d0e..088f903 100644 --- a/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c +++ b/src/plugins/kdb/db2/libdb2/test/btree.tests/main.c @@ -710,7 +710,7 @@ load(db, argv) DB *db; char **argv; { - register char *p, *t; + char *p, *t; FILE *fp; DBT data, key; recno_t cnt; diff --git a/src/plugins/kdb/db2/libdb2/test/dbtest.c b/src/plugins/kdb/db2/libdb2/test/dbtest.c index ddb1ab2..5d76b1d 100644 --- a/src/plugins/kdb/db2/libdb2/test/dbtest.c +++ b/src/plugins/kdb/db2/libdb2/test/dbtest.c @@ -383,8 +383,8 @@ void compare(db1, db2) DBT *db1, *db2; { - register size_t len; - register u_char *p1, *p2; + size_t len; + u_char *p1, *p2; if (db1->size != db2->size) { printf("compare failed: key->data len %lu != data len %lu\n", diff --git a/src/plugins/kdb/db2/lockout.c b/src/plugins/kdb/db2/lockout.c index 7d151b5..30fb554 100644 --- a/src/plugins/kdb/db2/lockout.c +++ b/src/plugins/kdb/db2/lockout.c @@ -100,7 +100,7 @@ locked_check_p(krb5_context context, /* If the entry was unlocked since the last failure, it's not locked. */ if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && - entry->last_failed <= unlock_time) + !ts_after(entry->last_failed, unlock_time)) return FALSE; if (max_fail == 0 || entry->fail_auth_count < max_fail) @@ -109,7 +109,7 @@ locked_check_p(krb5_context context, if (lockout_duration == 0) return TRUE; /* principal permanently locked */ - return (stamp < entry->last_failed + lockout_duration); + return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp); } krb5_error_code @@ -157,10 +157,6 @@ krb5_db2_lockout_audit(krb5_context context, case KRB5KDC_ERR_PREAUTH_FAILED: case KRB5KRB_AP_ERR_BAD_INTEGRITY: break; -#if 0 - case KRB5KDC_ERR_CLIENT_REVOKED: - break; -#endif default: return 0; } @@ -200,13 +196,13 @@ krb5_db2_lockout_audit(krb5_context context, status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) { if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && - entry->last_failed <= unlock_time) { + !ts_after(entry->last_failed, unlock_time)) { /* Reset fail_auth_count after administrative unlock. */ entry->fail_auth_count = 0; } if (failcnt_interval != 0 && - stamp > entry->last_failed + failcnt_interval) { + ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) { /* Reset fail_auth_count after failcnt_interval. */ entry->fail_auth_count = 0; } diff --git a/src/plugins/kdb/ldap/deps b/src/plugins/kdb/ldap/deps index 6ab0bc1..4066828 100644 --- a/src/plugins/kdb/ldap/deps +++ b/src/plugins/kdb/ldap/deps @@ -3,22 +3,25 @@ # ldap_exp.so ldap_exp.po $(OUTPRE)ldap_exp.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(srcdir)/../../../lib/kdb/kdb5.h $(srcdir)/libkdb_ldap/kdb_ldap.h \ - $(srcdir)/libkdb_ldap/ldap_krbcontainer.h $(srcdir)/libkdb_ldap/ldap_principal.h \ - $(srcdir)/libkdb_ldap/ldap_pwd_policy.h $(srcdir)/libkdb_ldap/ldap_realm.h \ - $(srcdir)/libkdb_ldap/ldap_tkt_policy.h $(srcdir)/libkdb_ldap/princ_xdr.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h ldap_exp.c + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../../lib/kdb/kdb5.h \ + $(srcdir)/libkdb_ldap/kdb_ldap.h $(srcdir)/libkdb_ldap/ldap_krbcontainer.h \ + $(srcdir)/libkdb_ldap/ldap_principal.h $(srcdir)/libkdb_ldap/ldap_pwd_policy.h \ + $(srcdir)/libkdb_ldap/ldap_realm.h $(srcdir)/libkdb_ldap/ldap_tkt_policy.h \ + $(srcdir)/libkdb_ldap/princ_xdr.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + ldap_exp.c diff --git a/src/plugins/kdb/ldap/ldap_util/deps b/src/plugins/kdb/ldap/ldap_util/deps index 75d4dd0..a641fe8 100644 --- a/src/plugins/kdb/ldap/ldap_util/deps +++ b/src/plugins/kdb/ldap/ldap_util/deps @@ -37,8 +37,9 @@ $(OUTPRE)kdb5_ldap_list.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ kdb5_ldap_list.h $(OUTPRE)kdb5_ldap_realm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(srcdir)/../libkdb_ldap/kdb_ldap.h \ $(srcdir)/../libkdb_ldap/ldap_krbcontainer.h $(srcdir)/../libkdb_ldap/ldap_misc.h \ @@ -89,15 +90,15 @@ $(OUTPRE)kdb5_ldap_services.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(srcdir)/../libkdb_ldap/ldap_krbcontainer.h $(srcdir)/../libkdb_ldap/ldap_misc.h \ $(srcdir)/../libkdb_ldap/ldap_realm.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - $(top_srcdir)/lib/kdb/kdb5.h kdb5_ldap_list.h kdb5_ldap_policy.h \ - kdb5_ldap_realm.h kdb5_ldap_services.c kdb5_ldap_services.h \ - kdb5_ldap_util.h + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ + kdb5_ldap_list.h kdb5_ldap_policy.h kdb5_ldap_realm.h \ + kdb5_ldap_services.c kdb5_ldap_services.h kdb5_ldap_util.h $(OUTPRE)getdate.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ getdate.c diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c index 022156a..1ed72af 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c @@ -37,6 +37,7 @@ */ #include +#include #include "kdb5_ldap_util.h" #include "kdb5_ldap_list.h" @@ -96,11 +97,10 @@ kdb5_ldap_stash_service_password(int argc, char **argv) char *service_object = NULL; char *file_name = NULL, *tmp_file = NULL; char passwd[MAX_SERVICE_PASSWD_LEN]; - char *str = NULL; + char *str = NULL, *hexpasswd = NULL; char line[MAX_LEN]; FILE *pfile = NULL; krb5_boolean print_usage = FALSE; - krb5_data hexpasswd = {0, 0, NULL}; mode_t old_mode = 0; /* @@ -183,21 +183,12 @@ kdb5_ldap_stash_service_password(int argc, char **argv) } /* Convert the password to hexadecimal */ - { - krb5_data pwd; - - pwd.length = passwd_len; - pwd.data = passwd; - - ret = tohex(pwd, &hexpasswd); - if (ret != 0) { - com_err(me, ret, - _("Failed to convert the password to hexadecimal")); - memset(passwd, 0, passwd_len); - goto cleanup; - } + ret = k5_hex_encode(passwd, passwd_len, FALSE, &hexpasswd); + zap(passwd, passwd_len); + if (ret != 0) { + com_err(me, ret, _("Failed to convert the password to hexadecimal")); + goto cleanup; } - memset(passwd, 0, passwd_len); /* TODO: file lock for the service password file */ @@ -225,7 +216,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) if (str == NULL) { if (feof(pfile)) { /* If the service object dn is not present in the service password file */ - if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + if (fprintf(pfile, "%s#{HEX}%s\n", service_object, hexpasswd) < 0) { com_err(me, errno, _("Failed to write service object password to file")); fclose(pfile); @@ -268,7 +259,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) while (fgets(line, MAX_LEN, pfile) != NULL) { if (((str = strstr(line, service_object)) != NULL) && (line[strlen(service_object)] == '#')) { - if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd.data) < 0) { + if (fprintf(newfile, "%s#{HEX}%s\n", service_object, hexpasswd) < 0) { com_err(me, errno, _("Failed to write service object " "password to file")); fclose(newfile); @@ -313,10 +304,7 @@ kdb5_ldap_stash_service_password(int argc, char **argv) cleanup: - if (hexpasswd.length != 0) { - memset(hexpasswd.data, 0, hexpasswd.length); - free(hexpasswd.data); - } + zapfreestr(hexpasswd); if (service_object) free(service_object); diff --git a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h index cf652c5..08af62e 100644 --- a/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h +++ b/src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.h @@ -32,6 +32,4 @@ #define MAX_LEN 1024 #define MAX_SERVICE_PASSWD_LEN 256 -extern int tohex(krb5_data, krb5_data *); - extern void kdb5_ldap_stash_service_password(int argc, char **argv); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/deps b/src/plugins/kdb/ldap/libkdb_ldap/deps index 1ff2855..6a6ab28 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/deps +++ b/src/plugins/kdb/ldap/libkdb_ldap/deps @@ -36,9 +36,11 @@ kdb_ldap_conn.so kdb_ldap_conn.po $(OUTPRE)kdb_ldap_conn.$(OBJEXT): \ ldap_main.h ldap_misc.h ldap_realm.h ldap_service_stash.h ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ @@ -57,9 +59,11 @@ ldap_realm.so ldap_realm.po $(OUTPRE)ldap_realm.$(OBJEXT): \ ldap_tkt_policy.h princ_xdr.h ldap_create.so ldap_create.po $(OUTPRE)ldap_create.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ @@ -91,9 +95,11 @@ ldap_krbcontainer.so ldap_krbcontainer.po $(OUTPRE)ldap_krbcontainer.$(OBJEXT): ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ @@ -113,7 +119,8 @@ ldap_principal.so ldap_principal.po $(OUTPRE)ldap_principal.$(OBJEXT): \ ldap_principal2.so ldap_principal2.po $(OUTPRE)ldap_principal2.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ @@ -149,7 +156,8 @@ ldap_pwd_policy.so ldap_pwd_policy.po $(OUTPRE)ldap_pwd_policy.$(OBJEXT): \ ldap_misc.so ldap_misc.po $(OUTPRE)ldap_misc.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ @@ -198,7 +206,8 @@ ldap_tkt_policy.so ldap_tkt_policy.po $(OUTPRE)ldap_tkt_policy.$(OBJEXT): \ princ_xdr.so princ_xdr.po $(OUTPRE)princ_xdr.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ - $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/admin_internal.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ + $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/kadm5/server_internal.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ @@ -220,15 +229,16 @@ ldap_service_stash.so ldap_service_stash.po $(OUTPRE)ldap_service_stash.$(OBJEXT $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h $(top_srcdir)/lib/kdb/kdb5.h \ - kdb_ldap.h ldap_handle.h ldap_krbcontainer.h ldap_main.h \ - ldap_misc.h ldap_realm.h ldap_service_stash.c ldap_service_stash.h + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + $(top_srcdir)/lib/kdb/kdb5.h kdb_ldap.h ldap_handle.h \ + ldap_krbcontainer.h ldap_main.h ldap_misc.h ldap_realm.h \ + ldap_service_stash.c ldap_service_stash.h kdb_xdr.so kdb_xdr.po $(OUTPRE)kdb_xdr.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -245,8 +255,9 @@ ldap_err.so ldap_err.po $(OUTPRE)ldap_err.$(OBJEXT): \ ldap_err.c ldap_err.h lockout.so lockout.po $(OUTPRE)lockout.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c index 7ba8075..4fbf898 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c @@ -277,8 +277,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_timestamp authtime, krb5_error_code error_code) + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, + krb5_db_entry *server, krb5_timestamp authtime, + krb5_error_code error_code) { (void) krb5_ldap_lockout_audit(kcontext, client, authtime, error_code); } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h index 06b4775..8b8420f 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.h @@ -141,7 +141,7 @@ extern int set_ldap_error (krb5_context ctx, int st, int op); #define UNSTORE16_INT(ptr, val) (val = load_16_be(ptr)) #define UNSTORE32_INT(ptr, val) (val = load_32_be(ptr)) -#define KDB_TL_USER_INFO 0x7ffe +#define KDB_TL_USER_INFO 0xff #define KDB_TL_PRINCTYPE 0x01 #define KDB_TL_PRINCCOUNT 0x02 @@ -171,7 +171,6 @@ typedef struct _krb5_ldap_server_info krb5_ldap_server_info; typedef struct _krb5_ldap_server_handle { int msgid; LDAP *ldap_handle; - krb5_boolean server_info_update_pending; krb5_ldap_server_info *server_info; struct _krb5_ldap_server_handle *next; } krb5_ldap_server_handle; @@ -282,8 +281,10 @@ krb5_ldap_check_policy_as(krb5_context kcontext, krb5_kdc_req *request, void krb5_ldap_audit_as_req(krb5_context kcontext, krb5_kdc_req *request, - krb5_db_entry *client, krb5_db_entry *server, - krb5_timestamp authtime, krb5_error_code error_code); + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, + krb5_db_entry *server, krb5_timestamp authtime, + krb5_error_code error_code); krb5_error_code krb5_ldap_check_allowed_to_delegate(krb5_context context, @@ -300,15 +301,6 @@ krb5_ldap_lock( krb5_context, int ); krb5_error_code krb5_ldap_unlock( krb5_context ); -#ifndef HAVE_LDAP_INITIALIZE -int -ldap_initialize(LDAP **, char *); -#endif -#ifndef HAVE_LDAP_UNBIND_EXT_S -int -ldap_unbind_ext_s(LDAP *, LDAPControl **, LDAPControl **); -#endif - /* lockout.c */ krb5_error_code krb5_ldap_lockout_check_policy(krb5_context context, diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c index d904c99..cee4b7b 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c @@ -193,7 +193,6 @@ initialize_server(krb5_ldap_context *ldap_context, krb5_ldap_server_info *info) return ret; } - server->server_info_update_pending = FALSE; server->next = info->ldap_server_handles; info->ldap_server_handles = server; info->num_conns++; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif new file mode 100644 index 0000000..830277d --- /dev/null +++ b/src/plugins/kdb/ldap/libkdb_ldap/kerberos.openldap.ldif @@ -0,0 +1,68 @@ +# This LDIF version of the Kerberos schema can be loaded into an +# OpenLDAP database. It was originally converted semi-automatically +# from kerberos.schema using slaptest. + +dn: cn=kerberos,cn=schema,cn=config +objectClass: olcSchemaConfig +cn: kerberos +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.1.1 NAME 'krbPrincipalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.1 NAME 'krbCanonicalName' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.3.1 NAME 'krbPrincipalType' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.5.1 NAME 'krbUPEnabled' DESC 'Boolean' SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.6.1 NAME 'krbPrincipalExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.8.1 NAME 'krbTicketFlags' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.9.1 NAME 'krbMaxTicketLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.10.1 NAME 'krbMaxRenewableAge' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.14.1 NAME 'krbRealmReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.15.1 NAME 'krbLdapServers' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.17.1 NAME 'krbKdcServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.18.1 NAME 'krbPwdServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.24.1 NAME 'krbHostServer' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.25.1 NAME 'krbSearchScope' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.26.1 NAME 'krbPrincipalReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.28.1 NAME 'krbPrincNamingAttr' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.29.1 NAME 'krbAdmServers' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.30.1 NAME 'krbMaxPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.31.1 NAME 'krbMinPwdLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.32.1 NAME 'krbPwdMinDiffChars' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.33.1 NAME 'krbPwdMinLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.34.1 NAME 'krbPwdHistoryLength' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.1 NAME 'krbPwdMaxFailure' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.2 NAME 'krbPwdFailureCountInterval' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.3 NAME 'krbPwdLockoutDuration' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.2 NAME 'krbPwdAttributes' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.3 NAME 'krbPwdMaxLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.4 NAME 'krbPwdMaxRenewableLife' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 1.2.840.113554.1.4.1.6.5 NAME 'krbPwdAllowedKeysalts' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.36.1 NAME 'krbPwdPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.37.1 NAME 'krbPasswordExpiration' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.39.1 NAME 'krbPrincipalKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.40.1 NAME 'krbTicketPolicyReference' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.41.1 NAME 'krbSubTrees' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.42.1 NAME 'krbDefaultEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.43.1 NAME 'krbSupportedEncSaltTypes' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.44.1 NAME 'krbPwdHistory' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.45.1 NAME 'krbLastPwdChange' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.5 NAME 'krbLastAdminUnlock' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.46.1 NAME 'krbMKey' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.47.1 NAME 'krbPrincipalAliases' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.48.1 NAME 'krbLastSuccessfulAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.49.1 NAME 'krbLastFailedAuth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.50.1 NAME 'krbLoginFailedCount' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.51.1 NAME 'krbExtraData' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.52.1 NAME 'krbObjectReferences' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113719.1.301.4.53.1 NAME 'krbPrincContainerRef' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 ) +olcAttributeTypes: ( 2.16.840.1.113730.3.8.15.2.1 NAME 'krbPrincipalAuthInd' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) +olcAttributeTypes: ( 1.3.6.1.4.1.5322.21.2.4 NAME 'krbAllowedToDelegateTo' EQUALITY caseExactIA5Match SUBSTR caseExactSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.1.1 NAME 'krbContainer' SUP top STRUCTURAL MUST cn ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.2.1 NAME 'krbRealmContainer' SUP top STRUCTURAL MUST cn MAY ( krbMKey $ krbUPEnabled $ krbSubTrees $ krbSearchScope $ krbLdapServers $ krbSupportedEncSaltTypes $ krbDefaultEncSaltTypes $ krbTicketPolicyReference $ krbKdcServers $ krbPwdServers $ krbAdmServers $ krbPrincNamingAttr $ krbPwdPolicyReference $ krbPrincContainerRef ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.3.1 NAME 'krbService' SUP top ABSTRACT MUST cn MAY ( krbHostServer $ krbRealmReferences ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.4.1 NAME 'krbKdcService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.5.1 NAME 'krbPwdService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.8.1 NAME 'krbPrincipalAux' SUP top AUXILIARY MAY ( krbPrincipalName $ krbCanonicalName $ krbUPEnabled $ krbPrincipalKey $ krbTicketPolicyReference $ krbPrincipalExpiration $ krbPasswordExpiration $ krbPwdPolicyReference $ krbPrincipalType $ krbPwdHistory $ krbLastPwdChange $ krbLastAdminUnlock $ krbPrincipalAliases $ krbLastSuccessfulAuth $ krbLastFailedAuth $ krbLoginFailedCount $ krbExtraData $ krbAllowedToDelegateTo $ krbPrincipalAuthInd ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top STRUCTURAL MUST krbPrincipalName MAY krbObjectReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.11.1 NAME 'krbPrincRefAux' SUP top AUXILIARY MAY krbPrincipalReferences ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.13.1 NAME 'krbAdmService' SUP krbService STRUCTURAL ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.14.1 NAME 'krbPwdPolicy' SUP top STRUCTURAL MUST cn MAY ( krbMaxPwdLife $ krbMinPwdLife $ krbPwdMinDiffChars $ krbPwdMinLength $ krbPwdHistoryLength $ krbPwdMaxFailure $ krbPwdFailureCountInterval $ krbPwdLockoutDuration $ krbPwdAttributes $ krbPwdMaxLife $ krbPwdMaxRenewableLife $ krbPwdAllowedKeysalts ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.16.1 NAME 'krbTicketPolicyAux' SUP top AUXILIARY MAY ( krbTicketFlags $ krbMaxTicketLife $ krbMaxRenewableAge ) ) +olcObjectClasses: ( 2.16.840.1.113719.1.301.6.17.1 NAME 'krbTicketPolicy' SUP top STRUCTURAL MUST cn ) diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c index 77d8f81..2f5d3d9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_handle.c @@ -30,62 +30,6 @@ #include "ldap_main.h" - -#ifdef ASYNC_BIND - -/* - * Update the server info structure. In case of an asynchronous bind, - * this function is called to check the bind status. A flag - * server_info_upate_pending is refered before calling this function. - * This function sets the server_status to either ON or OFF and - * sets the server_info_udpate_pending to OFF. - * Do not lock the mutex here. The caller should lock it - */ - -static krb5_error_code -krb5_update_server_info(krb5_ldap_server_handle *ldap_server_handle, - krb5_ldap_server_info *server_info) -{ - krb5_error_code st=0; - struct timeval ztime={0, 0}; - LDAPMessage *result=NULL; - - if (ldap_server_handle == NULL || server_info == NULL) - return -1; - - while (st == 0) { - st = ldap_result(ldap_server_handle->ldap_handle, ldap_server_handle->msgid, - LDAP_MSG_ALL, &ztime, &result); - switch (st) { - case -1: - server_info->server_status = OFF; - time(&server_info->downtime); - break; - - case 0: - continue; - break; - - case LDAP_RES_BIND: - if ((st=ldap_result2error(ldap_server_handle->ldap_handle, result, 1)) == LDAP_SUCCESS) { - server_info->server_status = ON; - } else { - server_info->server_status = OFF; - time(&server_info->downtime); - } - ldap_msgfree(result); - break; - default: - ldap_msgfree(result); - continue; - break; - } - } - ldap_server_handle->server_info_update_pending = FALSE; - return 0; -} -#endif - /* * Return ldap server handle from the pool. If the pool is exhausted return NULL. * Do not lock the mutex, caller should lock it @@ -105,18 +49,6 @@ krb5_get_ldap_handle(krb5_ldap_context *ldap_context) ldap_server_handle = ldap_server_info->ldap_server_handles; ldap_server_info->ldap_server_handles = ldap_server_handle->next; break; -#ifdef ASYNC_BIND - if (ldap_server_handle->server_info_update_pending == TRUE) { - krb5_update_server_info(context, ldap_server_handle, - ldap_server_info); - } - - if (ldap_server_info->server_status == ON) { - ldap_server_info->ldap_server_handles = ldap_server_handle->next; - break; - } else - ldap_server_handle = NULL; -#endif } } ++cnt; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c index 32efc4f..5b9d1e9 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c @@ -1231,6 +1231,8 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn, kdb5_dal_handle *dal_handle; krb5_ldap_context *ldap_context; const char *realmdn; + char *rdn; + LDAPDN dn; *name_out = NULL; SETUP_CONTEXT(); @@ -1248,46 +1250,22 @@ krb5_ldap_policydn_to_name(krb5_context context, const char *policy_dn, if (policy_dn[plen] != ',' || strcmp(realmdn, policy_dn + plen + 1) != 0) return EINVAL; -#if defined HAVE_LDAP_STR2DN - { - char *rdn; - LDAPDN dn; - - rdn = k5memdup0(policy_dn, plen, &ret); - if (rdn == NULL) - return ret; - ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC); - free(rdn); - if (ret) - return EINVAL; - if (dn[0] == NULL || dn[1] != NULL || - dn[0][0]->la_attr.bv_len != 2 || - strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) { - ret = EINVAL; - } else { - *name_out = k5memdup0(dn[0][0]->la_value.bv_val, - dn[0][0]->la_value.bv_len, &ret); - } - ldap_dnfree(dn); + rdn = k5memdup0(policy_dn, plen, &ret); + if (rdn == NULL) return ret; + ret = ldap_str2dn(rdn, &dn, LDAP_DN_FORMAT_LDAPV3 | LDAP_DN_PEDANTIC); + free(rdn); + if (ret) + return EINVAL; + if (dn[0] == NULL || dn[1] != NULL || dn[0][0]->la_attr.bv_len != 2 || + strncasecmp(dn[0][0]->la_attr.bv_val, "cn", 2) != 0) { + ret = EINVAL; + } else { + *name_out = k5memdup0(dn[0][0]->la_value.bv_val, + dn[0][0]->la_value.bv_len, &ret); } -#elif defined HAVE_LDAP_EXPLODE_DN - { - char **parsed_dn; - - /* 1 = return DN components without type prefix */ - parsed_dn = ldap_explode_dn(policy_dn, 1); - if (parsed_dn == NULL) - return EINVAL; - *name_out = strdup(parsed_dn[0]); - if (*name_out == NULL) - return ENOMEM; - ldap_value_free(parsed_dn); - return 0; - } -#else - return EINVAL; -#endif + ldap_dnfree(dn); + return ret; } /* Compute the policy DN for the given policy name. */ @@ -1699,47 +1677,3 @@ cleanup: free_princ_ent_contents(&princ_ent); return ret; } - -/* Solaris libldap does not provide the following functions which are in - * OpenLDAP. */ -#ifndef HAVE_LDAP_INITIALIZE -int -ldap_initialize(LDAP **ldp, char *url) -{ - int rc = 0; - LDAP *ld = NULL; - LDAPURLDesc *ludp = NULL; - - /* - * For now, we don't use any DN that may be provided. And on Solaris - * (based on Mozilla's LDAP client code), we need the _nodn form to parse - * "ldap://host" without a trailing slash. - * - * Also, this version won't handle an input string which contains multiple - * URLs, unlike the OpenLDAP ldap_initialize. See - * https://bugzilla.mozilla.org/show_bug.cgi?id=353336#c1 . - */ -#ifdef HAVE_LDAP_URL_PARSE_NODN - rc = ldap_url_parse_nodn(url, &ludp); -#else - rc = ldap_url_parse(url, &ludp); -#endif - if (rc == 0) { - ld = ldap_init(ludp->lud_host, ludp->lud_port); - if (ld != NULL) - *ldp = ld; - else - rc = KRB5_KDB_ACCESS_ERROR; - ldap_free_urldesc(ludp); - } - return rc; -} -#endif /* HAVE_LDAP_INITIALIZE */ - -#ifndef HAVE_LDAP_UNBIND_EXT_S -int -ldap_unbind_ext_s(LDAP *ld, LDAPControl **sctrls, LDAPControl **cctrls) -{ - return ldap_unbind_ext(ld, sctrls, cctrls); -} -#endif /* HAVE_LDAP_UNBIND_EXT_S */ diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c index 7ba53f9..ee9c028 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c @@ -628,7 +628,7 @@ update_ldap_mod_auth_ind(krb5_context context, krb5_db_entry *entry, int i = 0; krb5_error_code ret; char *auth_ind = NULL; - char *strval[10] = {}; + char *strval[10] = { 0 }; char *ai, *ai_save = NULL; int sv_num = sizeof(strval) / sizeof(*strval); @@ -651,6 +651,107 @@ cleanup: return ret; } +static krb5_error_code +check_dn_in_container(krb5_context context, const char *dn, + char *const *subtrees, unsigned int ntrees) +{ + unsigned int i; + size_t dnlen = strlen(dn), stlen; + + for (i = 0; i < ntrees; i++) { + if (subtrees[i] == NULL || *subtrees[i] == '\0') + return 0; + stlen = strlen(subtrees[i]); + if (dnlen >= stlen && + strcasecmp(dn + dnlen - stlen, subtrees[i]) == 0 && + (dnlen == stlen || dn[dnlen - stlen - 1] == ',')) + return 0; + } + + k5_setmsg(context, EINVAL, _("DN is out of the realm subtree")); + return EINVAL; +} + +static krb5_error_code +check_dn_exists(krb5_context context, + krb5_ldap_server_handle *ldap_server_handle, + const char *dn, krb5_boolean nonkrb_only) +{ + krb5_error_code st = 0, tempst; + krb5_ldap_context *ldap_context = context->dal_handle->db_context; + LDAP *ld = ldap_server_handle->ldap_handle; + LDAPMessage *result = NULL, *ent; + char *attrs[] = { "krbticketpolicyreference", "krbprincipalname", NULL }; + char **values; + + LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attrs, IGNORE_STATUS); + if (st != LDAP_SUCCESS) + return set_ldap_error(context, st, OP_SEARCH); + + ent = ldap_first_entry(ld, result); + CHECK_NULL(ent); + + values = ldap_get_values(ld, ent, "krbticketpolicyreference"); + if (values != NULL) + ldap_value_free(values); + + values = ldap_get_values(ld, ent, "krbprincipalname"); + if (values != NULL) { + ldap_value_free(values); + if (nonkrb_only) { + st = EINVAL; + k5_setmsg(context, st, _("ldap object is already kerberized")); + goto cleanup; + } + } + +cleanup: + ldap_msgfree(result); + return st; +} + +static krb5_error_code +validate_xargs(krb5_context context, + krb5_ldap_server_handle *ldap_server_handle, + const xargs_t *xargs, const char *standalone_dn, + char *const *subtrees, unsigned int ntrees) +{ + krb5_error_code st; + + if (xargs->dn != NULL) { + /* The supplied dn must be within a realm container. */ + st = check_dn_in_container(context, xargs->dn, subtrees, ntrees); + if (st) + return st; + /* The supplied dn must exist without Kerberos attributes. */ + st = check_dn_exists(context, ldap_server_handle, xargs->dn, TRUE); + if (st) + return st; + } + + if (xargs->linkdn != NULL) { + /* The supplied linkdn must be within a realm container. */ + st = check_dn_in_container(context, xargs->linkdn, subtrees, ntrees); + if (st) + return st; + /* The supplied linkdn must exist. */ + st = check_dn_exists(context, ldap_server_handle, xargs->linkdn, + FALSE); + if (st) + return st; + } + + if (xargs->containerdn != NULL && standalone_dn != NULL) { + /* standalone_dn (likely composed using containerdn) must be within a + * container. */ + st = check_dn_in_container(context, standalone_dn, subtrees, ntrees); + if (st) + return st; + } + + return 0; +} + krb5_error_code krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) @@ -662,12 +763,12 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, LDAPMessage *result=NULL, *ent=NULL; char **subtreelist = NULL; char *user=NULL, *subtree=NULL, *principal_dn=NULL; - char **values=NULL, *strval[10]={NULL}, errbuf[1024]; + char *strval[10]={NULL}, errbuf[1024]; char *filtuser=NULL; struct berval **bersecretkey=NULL; LDAPMod **mods=NULL; krb5_boolean create_standalone=FALSE; - krb5_boolean krb_identity_exists=FALSE, establish_links=FALSE; + krb5_boolean establish_links=FALSE; char *standalone_principal_dn=NULL; krb5_tl_data *tl_data=NULL; krb5_key_data **keys=NULL; @@ -860,24 +961,6 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, * any of the subtrees */ if (xargs.dn_from_kbd == TRUE) { - /* make sure the DN falls in the subtree */ - int dnlen=0, subtreelen=0; - char *dn=NULL; - krb5_boolean outofsubtree=TRUE; - - if (xargs.dn != NULL) { - dn = xargs.dn; - } else if (xargs.linkdn != NULL) { - dn = xargs.linkdn; - } else if (standalone_principal_dn != NULL) { - /* - * Even though the standalone_principal_dn is constructed - * within this function, there is the containerdn input - * from the user that can become part of the it. - */ - dn = standalone_principal_dn; - } - /* Get the current subtree list if we haven't already done so. */ if (subtreelist == NULL) { st = krb5_get_subtree_info(ldap_context, &subtreelist, &ntrees); @@ -885,81 +968,10 @@ krb5_ldap_put_principal(krb5_context context, krb5_db_entry *entry, goto cleanup; } - for (tre=0; tre= subtreelen) && (strcasecmp((dn + dnlen - subtreelen), subtreelist[tre]) == 0)) { - outofsubtree = FALSE; - break; - } - } - } - - if (outofsubtree == TRUE) { - st = EINVAL; - k5_setmsg(context, st, _("DN is out of the realm subtree")); + st = validate_xargs(context, ldap_server_handle, &xargs, + standalone_principal_dn, subtreelist, ntrees); + if (st) goto cleanup; - } - - /* - * dn value will be set either by dn, linkdn or the standalone_principal_dn - * In the first 2 cases, the dn should be existing and in the last case we - * are supposed to create the ldap object. so the below should not be - * executed for the last case. - */ - - if (standalone_principal_dn == NULL) { - /* - * If the ldap object is missing, this results in an error. - */ - - /* - * Search for krbprincipalname attribute here. - * This is to find if a kerberos identity is already present - * on the ldap object, in which case adding a kerberos identity - * on the ldap object should result in an error. - */ - char *attributes[]={"krbticketpolicyreference", "krbprincipalname", NULL}; - - ldap_msgfree(result); - result = NULL; - LDAP_SEARCH_1(dn, LDAP_SCOPE_BASE, 0, attributes, IGNORE_STATUS); - if (st == LDAP_SUCCESS) { - ent = ldap_first_entry(ld, result); - if (ent != NULL) { - if ((values=ldap_get_values(ld, ent, "krbticketpolicyreference")) != NULL) { - ldap_value_free(values); - } - - if ((values=ldap_get_values(ld, ent, "krbprincipalname")) != NULL) { - krb_identity_exists = TRUE; - ldap_value_free(values); - } - } - } else { - st = set_ldap_error(context, st, OP_SEARCH); - goto cleanup; - } - } - } - - /* - * If xargs.dn is set then the request is to add a - * kerberos principal on a ldap object, but if - * there is one already on the ldap object this - * should result in an error. - */ - - if (xargs.dn != NULL && krb_identity_exists == TRUE) { - st = EINVAL; - snprintf(errbuf, sizeof(errbuf), - _("ldap object is already kerberized")); - k5_setmsg(context, st, "%s", errbuf); - goto cleanup; } if (xargs.linkdn != NULL) { @@ -1734,15 +1746,17 @@ getstringtime(krb5_timestamp epochtime) { struct tm tme; char *strtime=NULL; - time_t posixtime = epochtime; - - strtime = calloc (50, 1); - if (strtime == NULL) - return NULL; + time_t posixtime = ts2tt(epochtime); if (gmtime_r(&posixtime, &tme) == NULL) return NULL; - strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme); + strtime = calloc(50, 1); + if (strtime == NULL) + return NULL; + if (strftime(strtime, 50, "%Y%m%d%H%M%SZ", &tme) == 0) { + free(strtime); + return NULL; + } return strtime; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c index 28dffe0..f6d00be 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c @@ -777,9 +777,6 @@ krb5_ldap_read_realm_params(krb5_context context, char *lrealm, ent = ldap_first_entry (ld, result); if (ent == NULL) { ldap_get_option (ld, LDAP_OPT_ERROR_NUMBER, (void *) &st); -#if 0 - st = translate_ldap_error(st, OP_SEARCH); -#endif goto cleanup; } diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c index 87a2118..cb30f4a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c @@ -31,16 +31,16 @@ #include "ldap_main.h" #include "kdb_ldap.h" #include "ldap_service_stash.h" +#include #include /* Decode a password of the form {HEX}. */ static krb5_error_code dec_password(krb5_context context, const char *str, char **password_out) { + krb5_error_code ret; + uint8_t *bytes; size_t len; - const unsigned char *p; - unsigned char *password, *q; - unsigned int k; *password_out = NULL; @@ -48,30 +48,15 @@ dec_password(krb5_context context, const char *str, char **password_out) k5_setmsg(context, EINVAL, _("Not a hexadecimal password")); return EINVAL; } - str += 5; - - len = strlen(str); - if (len % 2 != 0) { - k5_setmsg(context, EINVAL, _("Password corrupt")); - return EINVAL; - } - - q = password = malloc(len / 2 + 1); - if (password == NULL) - return ENOMEM; - for (p = (unsigned char *)str; *p != '\0'; p += 2) { - if (!isxdigit(*p) || !isxdigit(p[1])) { - free(password); - k5_setmsg(context, EINVAL, _("Password corrupt")); - return EINVAL; - } - sscanf((char *)p, "%2x", &k); - *q++ = k; + ret = k5_hex_decode(str + 5, &bytes, &len); + if (ret) { + if (ret == EINVAL) + k5_setmsg(context, ret, _("Password corrupt")); + return ret; } - *q = '\0'; - *password_out = (char *)password; + *password_out = (char *)bytes; return 0; } @@ -128,35 +113,3 @@ krb5_ldap_readpassword(krb5_context context, const char *filename, /* Extract the plain password information. */ return dec_password(context, val, password_out); } - -/* Encodes a sequence of bytes in hexadecimal */ - -int -tohex(krb5_data in, krb5_data *ret) -{ - unsigned int i=0; - int err = 0; - - ret->length = 0; - ret->data = NULL; - - ret->data = malloc((unsigned int)in.length * 2 + 1 /*Null termination */); - if (ret->data == NULL) { - err = ENOMEM; - goto cleanup; - } - ret->length = in.length * 2; - ret->data[ret->length] = 0; - - for (i = 0; i < in.length; i++) - snprintf(ret->data + 2 * i, 3, "%02x", in.data[i] & 0xff); - -cleanup: - - if (ret->length == 0) { - free(ret->data); - ret->data = NULL; - } - - return err; -} diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h index dbf6244..03cf9a1 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.h @@ -37,7 +37,4 @@ krb5_error_code krb5_ldap_readpassword(krb5_context context, const char *filename, const char *name, char **password_out); -int -tohex(krb5_data, krb5_data *); - #endif diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c index f5c6ab8..4193b4a 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c @@ -431,7 +431,7 @@ krb5_ldap_list(krb5_context context, char ***list, char *objectclass, { char *filter=NULL, *dn=NULL; krb5_error_code st=0, tempst=0; - int i=0, count=0, filterlen=0; + int count=0, filterlen=0; LDAP *ld=NULL; LDAPMessage *result=NULL,*ent=NULL; kdb5_dal_handle *dal_handle=NULL; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports index 2342f1d..5376d34 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports +++ b/src/plugins/kdb/ldap/libkdb_ldap/libkdb_ldap.exports @@ -1,4 +1,3 @@ -tohex krb5_ldap_open krb5_ldap_close krb5_ldap_db_init diff --git a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c index 0fc56c2..094b890 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/lockout.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/lockout.c @@ -44,7 +44,6 @@ lookup_lockout_policy(krb5_context context, krb5_tl_data tl_data; krb5_error_code code; osa_princ_ent_rec adb; - XDR xdrs; *pw_max_fail = 0; *pw_failcnt_interval = 0; @@ -74,9 +73,7 @@ lookup_lockout_policy(krb5_context context, krb5_db_free_policy(context, policy); } - xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - ldap_xdr_osa_princ_ent_rec(&xdrs, &adb); - xdr_destroy(&xdrs); + ldap_osa_free_princ_ent(&adb); return 0; } @@ -93,7 +90,7 @@ locked_check_p(krb5_context context, /* If the entry was unlocked since the last failure, it's not locked. */ if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && - entry->last_failed <= unlock_time) + !ts_after(entry->last_failed, unlock_time)) return FALSE; if (max_fail == 0 || entry->fail_auth_count < max_fail) @@ -102,7 +99,7 @@ locked_check_p(krb5_context context, if (lockout_duration == 0) return TRUE; /* principal permanently locked */ - return (stamp < entry->last_failed + lockout_duration); + return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp); } krb5_error_code @@ -196,14 +193,14 @@ krb5_ldap_lockout_audit(krb5_context context, status == KRB5KRB_AP_ERR_BAD_INTEGRITY)) { if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && - entry->last_failed <= unlock_time) { + !ts_after(entry->last_failed, unlock_time)) { /* Reset fail_auth_count after administrative unlock. */ entry->fail_auth_count = 0; entry->mask |= KADM5_FAIL_AUTH_COUNT; } if (failcnt_interval != 0 && - stamp > entry->last_failed + failcnt_interval) { + ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) { /* Reset fail_auth_count after failcnt_interval */ entry->fail_auth_count = 0; entry->mask |= KADM5_FAIL_AUTH_COUNT; diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c index 74f0ce1..20c399d 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c +++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.c @@ -1,174 +1,10 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + #include "kdb_ldap.h" #include "ldap_principal.h" #include "princ_xdr.h" #include - -bool_t -ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp) -{ - unsigned int tmp; - - tmp = (unsigned int) *objp; - - if (!xdr_u_int(xdrs, &tmp)) - return(FALSE); - - *objp = (krb5_ui_2) tmp; - return(TRUE); -} - -bool_t -ldap_xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp) -{ - int tmp; - - tmp = (int) *objp; - - if (!xdr_int(xdrs, &tmp)) - return(FALSE); - - *objp = (krb5_int16) tmp; - return(TRUE); -} - -bool_t -ldap_xdr_nullstring(XDR *xdrs, char **objp) -{ - u_int size; - - if (xdrs->x_op == XDR_ENCODE) { - if (*objp == NULL) - size = 0; - else - size = strlen(*objp) + 1; - } - if (! xdr_u_int(xdrs, &size)) { - return FALSE; - } - switch (xdrs->x_op) { - case XDR_DECODE: - if (size == 0) { - *objp = NULL; - return TRUE; - } else if (*objp == NULL) { - *objp = (char *) mem_alloc(size); - if (*objp == NULL) { - /*errno = ENOMEM;*/ - return FALSE; - } - } - return (xdr_opaque(xdrs, *objp, size)); - - case XDR_ENCODE: - if (size != 0) - return (xdr_opaque(xdrs, *objp, size)); - return TRUE; - - case XDR_FREE: - if (*objp != NULL) - mem_free(*objp, size); - *objp = NULL; - return TRUE; - } - return FALSE; -} - -bool_t -ldap_xdr_krb5_kvno(XDR *xdrs, krb5_kvno *objp) -{ - unsigned char tmp; - - tmp = '\0'; /* for purify, else xdr_u_char performs a umr */ - - if (xdrs->x_op == XDR_ENCODE) - tmp = (unsigned char) *objp; - - if (!xdr_u_char(xdrs, &tmp)) - return (FALSE); - - if (xdrs->x_op == XDR_DECODE) - *objp = (krb5_kvno) tmp; - return (TRUE); -} - -bool_t -ldap_xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp) -{ - unsigned int tmp; - - if (!ldap_xdr_krb5_int16(xdrs, &objp->key_data_ver)) - return(FALSE); - if (!ldap_xdr_krb5_ui_2(xdrs, &objp->key_data_kvno)) - return(FALSE); - if (!ldap_xdr_krb5_int16(xdrs, &objp->key_data_type[0])) - return(FALSE); - if (!ldap_xdr_krb5_int16(xdrs, &objp->key_data_type[1])) - return(FALSE); - if (!ldap_xdr_krb5_ui_2(xdrs, &objp->key_data_length[0])) - return(FALSE); - if (!ldap_xdr_krb5_ui_2(xdrs, &objp->key_data_length[1])) - return(FALSE); - - tmp = (unsigned int) objp->key_data_length[0]; - if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[0], - &tmp, (unsigned int) ~0)) - return FALSE; - - tmp = (unsigned int) objp->key_data_length[1]; - if (!xdr_bytes(xdrs, (char **) &objp->key_data_contents[1], - &tmp, (unsigned int) ~0)) - return FALSE; - - /* don't need to copy tmp out, since key_data_length will be set - by the above encoding. */ - return(TRUE); -} - -bool_t -ldap_xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp) -{ - if (!xdr_array(xdrs, (caddr_t *) &objp->key_data, - (u_int *) &objp->n_key_data, (unsigned int) ~0, - sizeof(krb5_key_data), - ldap_xdr_krb5_key_data)) - return (FALSE); - return (TRUE); -} - -bool_t -ldap_xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp) -{ - switch (xdrs->x_op) { - case XDR_ENCODE: - objp->version = OSA_ADB_PRINC_VERSION_1; - /* fall through */ - case XDR_FREE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - break; - case XDR_DECODE: - if (!xdr_int(xdrs, &objp->version)) - return FALSE; - if (objp->version != OSA_ADB_PRINC_VERSION_1) - return FALSE; - break; - } - - if (!ldap_xdr_nullstring(xdrs, &objp->policy)) - return (FALSE); - if (!xdr_long(xdrs, &objp->aux_attributes)) - return (FALSE); - if (!xdr_u_int(xdrs, &objp->old_key_next)) - return (FALSE); - if (!ldap_xdr_krb5_kvno(xdrs, &objp->admin_history_kvno)) - return (FALSE); - if (!xdr_array(xdrs, (caddr_t *) &objp->old_keys, - (unsigned int *) &objp->old_key_len, (unsigned int) ~0, - sizeof(osa_pw_hist_ent), - ldap_xdr_osa_pw_hist_ent)) - return (FALSE); - return (TRUE); -} +#include void ldap_osa_free_princ_ent(osa_princ_ent_t val) @@ -176,7 +12,7 @@ ldap_osa_free_princ_ent(osa_princ_ent_t val) XDR xdrs; xdrmem_create(&xdrs, NULL, 0, XDR_FREE); - ldap_xdr_osa_princ_ent_rec(&xdrs, val); + xdr_osa_princ_ent_rec(&xdrs, val); xdr_destroy(&xdrs); } @@ -187,29 +23,28 @@ krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry) XDR xdrs; xdrmem_create(&xdrs, (caddr_t)tl_data->tl_data_contents, - tl_data->tl_data_length, XDR_DECODE); - if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { - xdr_destroy(&xdrs); - return(KADM5_XDR_FAILURE); + tl_data->tl_data_length, XDR_DECODE); + if (!xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { + xdr_destroy(&xdrs); + return KADM5_XDR_FAILURE; } xdr_destroy(&xdrs); return 0; - } krb5_error_code krb5_update_tl_kadm_data(krb5_context context, krb5_db_entry *entry, - osa_princ_ent_rec *princ_entry) + osa_princ_ent_rec *princ_entry) { XDR xdrs; krb5_tl_data tl_data; krb5_error_code retval; xdralloc_create(&xdrs, XDR_ENCODE); - if (! ldap_xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { - xdr_destroy(&xdrs); - return KADM5_XDR_FAILURE; + if (!xdr_osa_princ_ent_rec(&xdrs, princ_entry)) { + xdr_destroy(&xdrs); + return KADM5_XDR_FAILURE; } tl_data.tl_data_type = KRB5_TL_KADM_DATA; tl_data.tl_data_length = xdr_getpos(&xdrs); diff --git a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h index b4732c5..29e9b80 100644 --- a/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h +++ b/src/plugins/kdb/ldap/libkdb_ldap/princ_xdr.h @@ -1,59 +1,18 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ + #ifndef _PRINC_XDR_H #define _PRINC_XDR_H 1 -#include #include #include -#include - -#ifdef HAVE_MEMORY_H -#include -#endif - -#define OSA_ADB_PRINC_VERSION_1 0x12345C01 -#define KADM5_XDR_FAILURE (43787575L) - -typedef struct _osa_pw_hist_t { - int n_key_data; - krb5_key_data *key_data; -} osa_pw_hist_ent, *osa_pw_hist_t; - -typedef struct _osa_princ_ent_t { - int version; - char *policy; - long aux_attributes; - unsigned int old_key_len; - unsigned int old_key_next; - krb5_kvno admin_history_kvno; - osa_pw_hist_ent *old_keys; -} osa_princ_ent_rec, *osa_princ_ent_t; - -bool_t -ldap_xdr_krb5_ui_2(XDR *xdrs, krb5_ui_2 *objp); - -bool_t -ldap_xdr_krb5_int16(XDR *xdrs, krb5_int16 *objp); - -bool_t -ldap_xdr_nullstring(XDR *xdrs, char **objp); - -bool_t -ldap_xdr_krb5_kvno(XDR *xdrs, krb5_kvno *objp); - -bool_t -ldap_xdr_krb5_key_data(XDR *xdrs, krb5_key_data *objp); - -bool_t -ldap_xdr_osa_pw_hist_ent(XDR *xdrs, osa_pw_hist_ent *objp); - -bool_t -ldap_xdr_osa_princ_ent_rec(XDR *xdrs, osa_princ_ent_t objp); +#include void ldap_osa_free_princ_ent(osa_princ_ent_t val); krb5_error_code -krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, osa_princ_ent_rec *princ_entry); +krb5_lookup_tl_kadm_data(krb5_tl_data *tl_data, + osa_princ_ent_rec *princ_entry); krb5_error_code krb5_update_tl_kadm_data(krb5_context context, krb5_db_entry *entry, diff --git a/src/plugins/kdb/lmdb/Makefile.in b/src/plugins/kdb/lmdb/Makefile.in new file mode 100644 index 0000000..8e68b17 --- /dev/null +++ b/src/plugins/kdb/lmdb/Makefile.in @@ -0,0 +1,27 @@ +mydir=plugins$(S)kdb$(S)lmdb +BUILDTOP=$(REL)..$(S)..$(S).. +MODULE_INSTALL_DIR = $(KRB5_DB_MODULE_DIR) + +LOCALINCLUDES = -I$(srcdir)/../../../lib/kdb + +LIBBASE=klmdb +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/kdb/lmdb +# Depends on libk5crypto and libkrb5 +# Also on gssrpc, for xdr stuff. +SHLIB_EXPDEPS = $(KADMSRV_DEPLIBS) $(KDB5_DEPLIBS) $(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS = $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) $(LMDB_LIBS) + +DBDIR = liblmdb + +SRCS=$(srcdir)/kdb_lmdb.c $(srcdir)/lockout.c $(srcdir)/marshal.c + +STLIBOBJS=kdb_lmdb.o lockout.o marshal.o + +all-unix: all-liblinks +install-unix: install-libs +clean-unix:: clean-liblinks clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/kdb/lmdb/deps b/src/plugins/kdb/lmdb/deps new file mode 100644 index 0000000..e4212f7 --- /dev/null +++ b/src/plugins/kdb/lmdb/deps @@ -0,0 +1,53 @@ +# +# Generated makefile dependencies follow. +# +kdb_lmdb.so kdb_lmdb.po $(OUTPRE)kdb_lmdb.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../../lib/kdb/kdb5.h \ + $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ + $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ + $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ + $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ + $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h kdb_lmdb.c klmdb-int.h +lockout.so lockout.po $(OUTPRE)lockout.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ + $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/admin_internal.h \ + $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ + $(BUILDTOP)/include/kadm5/server_internal.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(srcdir)/../../../lib/kdb/kdb5.h $(top_srcdir)/include/gssrpc/auth.h \ + $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ + $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ + $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ + $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ + $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + klmdb-int.h lockout.c +marshal.so marshal.po $(OUTPRE)marshal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h klmdb-int.h marshal.c diff --git a/src/plugins/kdb/lmdb/kdb_lmdb.c b/src/plugins/kdb/lmdb/kdb_lmdb.c new file mode 100644 index 0000000..bd288e2 --- /dev/null +++ b/src/plugins/kdb/lmdb/kdb_lmdb.c @@ -0,0 +1,1143 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/kdb/lmdb/klmdb.c - KDB module using LMDB */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * Thread-safety note: unlike the other two in-tree KDB modules, this module + * performs no mutex locking to ensure thread safety. As the KDC and kadmind + * are single-threaded, and applications are not allowed to access the same + * krb5_context in multiple threads simultaneously, there is no current need + * for this code to be thread-safe. If a need arises in the future, mutex + * locking should be added around the read_txn and load_txn fields of + * lmdb_context to ensure that only one thread at a time accesses those + * transactions. + */ + +/* + * This KDB module stores principal and policy data using LMDB (Lightning + * Memory-Mapped Database). We use two LMDB environments, the first to hold + * the majority of principal and policy data (suffix ".mdb") in the "principal" + * and "policy" databases, and the second to hold the three non-replicated + * account lockout attributes (suffix ".lockout.mdb") in the "lockout" + * database. The KDC only needs to write to the lockout database. + * + * For iteration we create a read transaction in the main environment for the + * cursor. Because the iteration callback might need to create its own + * transactions for write operations (e.g. for kdb5_util + * update_princ_encryption), we set the MDB_NOTLS flag on the main environment, + * so that a thread can hold multiple transactions. + * + * To mitigate the overhead from MDB_NOTLS, we keep around a read_txn handle + * in the database context for get operations, using mdb_txn_reset() and + * mdb_txn_renew() between calls. + * + * For database loads, kdb5_util calls the create() method with the "temporary" + * db_arg, and then promotes the finished contents at the end with the + * promote_db() method. In this case we create or open the same LMDB + * environments as above, open a write_txn handle for the lifetime of the + * context, and empty out the principal and policy databases. On promote_db() + * we commit the transaction. We do not empty the lockout database and write + * to it non-transactionally during the load so that we don't block writes by + * the KDC; this isn't ideal if the load is aborted, but it shouldn't cause any + * practical issues. + * + * For iprop loads, kdb5_util also includes the "merge_nra" db_arg, signifying + * that the lockout attributes from existing principal entries should be + * preserved. This attribute is noted in the LMDB context, and put_principal + * operations will not write to the lockout database if an existing lockout + * entry is already present for the principal. + */ + +#include "k5-int.h" +#include +#include "kdb5.h" +#include "klmdb-int.h" +#include + +/* The presence of any of these mask bits indicates a change to one of the + * three principal lockout attributes. */ +#define LOCKOUT_MASK (KADM5_LAST_SUCCESS | KADM5_LAST_FAILED | \ + KADM5_FAIL_AUTH_COUNT) + +/* The default map size (for both environments) in megabytes. */ +#define DEFAULT_MAPSIZE 128 + +#ifndef O_CLOEXEC +#define O_CLOEXEC 0 +#endif + +typedef struct { + char *path; + char *lockout_path; + krb5_boolean temporary; /* save changes until promote_db */ + krb5_boolean merge_nra; /* preserve existing lockout attributes */ + krb5_boolean disable_last_success; + krb5_boolean disable_lockout; + krb5_boolean nosync; + size_t mapsize; + unsigned int maxreaders; + + MDB_env *env; + MDB_env *lockout_env; + MDB_dbi princ_db; + MDB_dbi policy_db; + MDB_dbi lockout_db; + + /* Used for get operations; each transaction is short-lived but we save the + * handle between calls to reduce overhead from MDB_NOTLS. */ + MDB_txn *read_txn; + + /* Write transaction for load operations (create() with the "temporary" + * db_arg). */ + MDB_txn *load_txn; +} klmdb_context; + +static krb5_error_code +klerr(krb5_context context, int err, const char *msg) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + + /* Pass through system errors; map MDB errors to a com_err code. */ + ret = (err > 0) ? err : KRB5_KDB_ACCESS_ERROR; + + k5_setmsg(context, ret, _("%s (path: %s): %s"), msg, dbc->path, + mdb_strerror(err)); + return ret; +} + +/* Using db_args and the profile, create a DB context inside context and + * initialize its configurable parameters. */ +static krb5_error_code +configure_context(krb5_context context, const char *conf_section, + char *const *db_args) +{ + krb5_error_code ret; + klmdb_context *dbc; + char *pval = NULL; + const char *path = NULL; + profile_t profile = context->profile; + int i, bval, ival; + + dbc = k5alloc(sizeof(*dbc), &ret); + if (dbc == NULL) + return ret; + context->dal_handle->db_context = dbc; + + for (i = 0; db_args != NULL && db_args[i] != NULL; i++) { + if (strcmp(db_args[i], "temporary") == 0) { + dbc->temporary = TRUE; + } else if (strcmp(db_args[i], "merge_nra") == 0) { + dbc->merge_nra = TRUE; + } else if (strncmp(db_args[i], "dbname=", 7) == 0) { + path = db_args[i] + 7; + } else { + ret = EINVAL; + k5_setmsg(context, ret, _("Unsupported argument \"%s\" for LMDB"), + db_args[i]); + goto cleanup; + } + } + + if (path == NULL) { + /* Check for database_name in the db_module section. */ + ret = profile_get_string(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_DATABASE_NAME, NULL, &pval); + if (!ret && pval == NULL) { + /* For compatibility, check for database_name in the realm. */ + ret = profile_get_string(profile, KDB_REALM_SECTION, + KRB5_DB_GET_REALM(context), + KRB5_CONF_DATABASE_NAME, DEFAULT_KDB_FILE, + &pval); + } + if (ret) + goto cleanup; + path = pval; + } + + if (asprintf(&dbc->path, "%s.mdb", path) < 0) { + dbc->path = NULL; + ret = ENOMEM; + goto cleanup; + } + if (asprintf(&dbc->lockout_path, "%s.lockout.mdb", path) < 0) { + dbc->lockout_path = NULL; + ret = ENOMEM; + goto cleanup; + } + + ret = profile_get_boolean(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_DISABLE_LAST_SUCCESS, FALSE, &bval); + if (ret) + goto cleanup; + dbc->disable_last_success = bval; + + ret = profile_get_boolean(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_DISABLE_LOCKOUT, FALSE, &bval); + if (ret) + goto cleanup; + dbc->disable_lockout = bval; + + ret = profile_get_integer(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_MAPSIZE, DEFAULT_MAPSIZE, &ival); + if (ret) + goto cleanup; + dbc->mapsize = (size_t)ival * 1024 * 1024; + + ret = profile_get_integer(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_MAX_READERS, 0, &ival); + if (ret) + goto cleanup; + dbc->maxreaders = ival; + + ret = profile_get_boolean(profile, KDB_MODULE_SECTION, conf_section, + KRB5_CONF_NOSYNC, FALSE, &bval); + if (ret) + goto cleanup; + dbc->nosync = bval; + +cleanup: + profile_release_string(pval); + return ret; +} + +static krb5_error_code +open_lmdb_env(krb5_context context, klmdb_context *dbc, + krb5_boolean is_lockout, krb5_boolean readonly, + MDB_env **env_out) +{ + krb5_error_code ret; + const char *path = is_lockout ? dbc->lockout_path : dbc->path; + unsigned int flags; + MDB_env *env = NULL; + int err; + + *env_out = NULL; + + err = mdb_env_create(&env); + if (err) + goto lmdb_error; + + /* Use a pair of files instead of a subdirectory. */ + flags = MDB_NOSUBDIR; + + /* + * For the primary database, tie read transaction locktable slots to the + * transaction and not the thread, so read transactions for iteration + * cursors can coexist with short-lived transactions for operations invoked + * by the iteration callback.. + */ + if (!is_lockout) + flags |= MDB_NOTLS; + + if (readonly) + flags |= MDB_RDONLY; + + /* Durability for lockout records is never worth the performance penalty. + * For the primary environment it might be, so we make it configurable. */ + if (is_lockout || dbc->nosync) + flags |= MDB_NOSYNC; + + /* We use one database in the lockout env, two in the primary env. */ + err = mdb_env_set_maxdbs(env, is_lockout ? 1 : 2); + if (err) + goto lmdb_error; + + if (dbc->mapsize) { + err = mdb_env_set_mapsize(env, dbc->mapsize); + if (err) + goto lmdb_error; + } + + if (dbc->maxreaders) { + err = mdb_env_set_maxreaders(env, dbc->maxreaders); + if (err) + goto lmdb_error; + } + + err = mdb_env_open(env, path, flags, S_IRUSR | S_IWUSR); + if (err) + goto lmdb_error; + + *env_out = env; + return 0; + +lmdb_error: + ret = klerr(context, err, _("LMDB environment open failure")); + mdb_env_close(env); + return ret; +} + +/* Read a key from the primary environment, using a saved read transaction from + * the database context. Return KRB5_KDB_NOENTRY if the key is not found. */ +static krb5_error_code +fetch(krb5_context context, MDB_dbi db, MDB_val *key, MDB_val *val_out) +{ + krb5_error_code ret = 0; + klmdb_context *dbc = context->dal_handle->db_context; + int err; + + if (dbc->read_txn == NULL) + err = mdb_txn_begin(dbc->env, NULL, MDB_RDONLY, &dbc->read_txn); + else + err = mdb_txn_renew(dbc->read_txn); + + if (!err) + err = mdb_get(dbc->read_txn, db, key, val_out); + + if (err == MDB_NOTFOUND) + ret = KRB5_KDB_NOENTRY; + else if (err) + ret = klerr(context, err, _("LMDB read failure")); + + mdb_txn_reset(dbc->read_txn); + return ret; +} + +/* If we are using a lockout database, try to fetch the lockout attributes for + * key and set them in entry. */ +static void +fetch_lockout(krb5_context context, MDB_val *key, krb5_db_entry *entry) +{ + klmdb_context *dbc = context->dal_handle->db_context; + MDB_txn *txn = NULL; + MDB_val val; + int err; + + if (dbc->lockout_env == NULL) + return; + err = mdb_txn_begin(dbc->lockout_env, NULL, MDB_RDONLY, &txn); + if (!err) + err = mdb_get(txn, dbc->lockout_db, key, &val); + if (!err && val.mv_size >= LOCKOUT_RECORD_LEN) + klmdb_decode_princ_lockout(context, entry, val.mv_data); + mdb_txn_abort(txn); +} + +/* + * Store a value for key in the specified database within the primary + * environment. Use the saved load transaction if one is present, or a + * temporary write transaction if not. If no_overwrite is true and the key + * already exists, return KRB5_KDB_INUSE. If must_overwrite is true and the + * key does not already exist, return KRB5_KDB_NOENTRY. + */ +static krb5_error_code +put(krb5_context context, MDB_dbi db, char *keystr, uint8_t *bytes, size_t len, + krb5_boolean no_overwrite, krb5_boolean must_overwrite) +{ + klmdb_context *dbc = context->dal_handle->db_context; + unsigned int putflags = no_overwrite ? MDB_NOOVERWRITE : 0; + MDB_txn *temp_txn = NULL, *txn; + MDB_val key = { strlen(keystr), keystr }, val = { len, bytes }, dummy; + int err; + + if (dbc->load_txn != NULL) { + txn = dbc->load_txn; + } else { + err = mdb_txn_begin(dbc->env, NULL, 0, &temp_txn); + if (err) + goto error; + txn = temp_txn; + } + + if (must_overwrite && mdb_get(txn, db, &key, &dummy) == MDB_NOTFOUND) { + mdb_txn_abort(temp_txn); + return KRB5_KDB_NOENTRY; + } + + err = mdb_put(txn, db, &key, &val, putflags); + if (err) + goto error; + + if (temp_txn != NULL) { + err = mdb_txn_commit(temp_txn); + temp_txn = NULL; + if (err) + goto error; + } + + return 0; + +error: + mdb_txn_abort(temp_txn); + if (err == MDB_KEYEXIST) + return KRB5_KDB_INUSE; + else + return klerr(context, err, _("LMDB write failure")); +} + +/* Delete an entry from the specified env and database, using a temporary write + * transaction. Return KRB5_KDB_NOENTRY if the key does not exist. */ +static krb5_error_code +del(krb5_context context, MDB_env *env, MDB_dbi db, char *keystr) +{ + krb5_error_code ret = 0; + MDB_txn *txn = NULL; + MDB_val key = { strlen(keystr), keystr }; + int err; + + err = mdb_txn_begin(env, NULL, 0, &txn); + if (!err) + err = mdb_del(txn, db, &key, NULL); + if (!err) { + err = mdb_txn_commit(txn); + txn = NULL; + } + + if (err == MDB_NOTFOUND) + ret = KRB5_KDB_NOENTRY; + else if (err) + ret = klerr(context, err, _("LMDB delete failure")); + + mdb_txn_abort(txn); + return ret; +} + +/* Zero out and unlink filename. */ +static krb5_error_code +destroy_file(const char *filename) +{ + krb5_error_code ret; + struct stat st; + ssize_t len; + off_t pos; + uint8_t buf[BUFSIZ], zbuf[BUFSIZ] = { 0 }; + int fd; + + fd = open(filename, O_RDWR | O_CLOEXEC, 0); + if (fd < 0) + return errno; + set_cloexec_fd(fd); + if (fstat(fd, &st) == -1) + goto error; + + memset(zbuf, 0, BUFSIZ); + pos = 0; + while (pos < st.st_size) { + len = read(fd, buf, BUFSIZ); + if (len < 0) + goto error; + /* Only rewrite the block if it's not already zeroed, in case the file + * is sparse. */ + if (memcmp(buf, zbuf, len) != 0) { + (void)lseek(fd, pos, SEEK_SET); + len = write(fd, zbuf, len); + if (len < 0) + goto error; + } + pos += len; + } + close(fd); + + if (unlink(filename) != 0) + return errno; + return 0; + +error: + ret = errno; + close(fd); + return ret; +} + +static krb5_error_code +klmdb_lib_init() +{ + return 0; +} + +static krb5_error_code +klmdb_lib_cleanup() +{ + return 0; +} + +static krb5_error_code +klmdb_fini(krb5_context context) +{ + klmdb_context *dbc; + + dbc = context->dal_handle->db_context; + if (dbc == NULL) + return 0; + mdb_txn_abort(dbc->read_txn); + mdb_txn_abort(dbc->load_txn); + mdb_env_close(dbc->env); + mdb_env_close(dbc->lockout_env); + free(dbc->path); + free(dbc->lockout_path); + free(dbc); + context->dal_handle->db_context = NULL; + return 0; +} + +static krb5_error_code +klmdb_open(krb5_context context, char *conf_section, char **db_args, int mode) +{ + krb5_error_code ret; + klmdb_context *dbc; + krb5_boolean readonly; + MDB_txn *txn = NULL; + struct stat st; + int err; + + if (context->dal_handle->db_context != NULL) + return 0; + + ret = configure_context(context, conf_section, db_args); + if (ret) + return ret; + dbc = context->dal_handle->db_context; + + if (stat(dbc->path, &st) != 0) { + ret = ENOENT; + k5_setmsg(context, ret, _("LMDB file %s does not exist"), dbc->path); + goto error; + } + + /* Open the primary environment and databases. The KDC can open this + * environment read-only. */ + readonly = (mode & KRB5_KDB_OPEN_RO) || (mode & KRB5_KDB_SRV_TYPE_KDC); + ret = open_lmdb_env(context, dbc, FALSE, readonly, &dbc->env); + if (ret) + goto error; + err = mdb_txn_begin(dbc->env, NULL, MDB_RDONLY, &txn); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "principal", 0, &dbc->princ_db); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "policy", 0, &dbc->policy_db); + if (err) + goto lmdb_error; + err = mdb_txn_commit(txn); + txn = NULL; + if (err) + goto lmdb_error; + + /* Open the lockout environment and database if we will need it. */ + if (!dbc->disable_last_success || !dbc->disable_lockout) { + readonly = !!(mode & KRB5_KDB_OPEN_RO); + ret = open_lmdb_env(context, dbc, TRUE, readonly, &dbc->lockout_env); + if (ret) + goto error; + err = mdb_txn_begin(dbc->lockout_env, NULL, MDB_RDONLY, &txn); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "lockout", 0, &dbc->lockout_db); + if (err) + goto lmdb_error; + err = mdb_txn_commit(txn); + txn = NULL; + if (err) + goto lmdb_error; + } + + return 0; + +lmdb_error: + ret = klerr(context, err, _("LMDB open failure")); +error: + mdb_txn_abort(txn); + klmdb_fini(context); + return ret; +} + +static krb5_error_code +klmdb_create(krb5_context context, char *conf_section, char **db_args) +{ + krb5_error_code ret; + klmdb_context *dbc; + MDB_txn *txn = NULL; + struct stat st; + int err; + + if (context->dal_handle->db_context != NULL) + return 0; + + ret = configure_context(context, conf_section, db_args); + if (ret) + return ret; + dbc = context->dal_handle->db_context; + + if (!dbc->temporary) { + if (stat(dbc->path, &st) == 0) { + ret = ENOENT; + k5_setmsg(context, ret, _("LMDB file %s already exists"), + dbc->path); + goto error; + } + } + + /* Open (and create if necessary) the LMDB environments. */ + ret = open_lmdb_env(context, dbc, FALSE, FALSE, &dbc->env); + if (ret) + goto error; + ret = open_lmdb_env(context, dbc, TRUE, FALSE, &dbc->lockout_env); + if (ret) + goto error; + + /* Open the primary databases, creating them if they don't exist. */ + err = mdb_txn_begin(dbc->env, NULL, 0, &txn); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "principal", MDB_CREATE, &dbc->princ_db); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "policy", MDB_CREATE, &dbc->policy_db); + if (err) + goto lmdb_error; + err = mdb_txn_commit(txn); + txn = NULL; + if (err) + goto lmdb_error; + + /* Create the lockout database if it doesn't exist. */ + err = mdb_txn_begin(dbc->lockout_env, NULL, 0, &txn); + if (err) + goto lmdb_error; + err = mdb_dbi_open(txn, "lockout", MDB_CREATE, &dbc->lockout_db); + if (err) + goto lmdb_error; + err = mdb_txn_commit(txn); + txn = NULL; + if (err) + goto lmdb_error; + + if (dbc->temporary) { + /* Create a load transaction and empty the primary databases within + * it. */ + err = mdb_txn_begin(dbc->env, NULL, 0, &dbc->load_txn); + if (err) + goto lmdb_error; + err = mdb_drop(dbc->load_txn, dbc->princ_db, 0); + if (err) + goto lmdb_error; + err = mdb_drop(dbc->load_txn, dbc->policy_db, 0); + if (err) + goto lmdb_error; + } + + /* Close the lockout environment if we won't need it. */ + if (dbc->disable_last_success && dbc->disable_lockout) { + mdb_env_close(dbc->lockout_env); + dbc->lockout_env = NULL; + dbc->lockout_db = 0; + } + + return 0; + +lmdb_error: + ret = klerr(context, err, _("LMDB create error")); +error: + mdb_txn_abort(txn); + klmdb_fini(context); + return ret; +} + +/* Unlink the "-lock" extension of path. */ +static krb5_error_code +unlink_lock_file(krb5_context context, const char *path) +{ + char *lock_path; + int st; + + if (asprintf(&lock_path, "%s-lock", path) < 0) + return ENOMEM; + st = unlink(lock_path); + if (st) + k5_prependmsg(context, st, _("Could not unlink %s"), lock_path); + free(lock_path); + return st; +} + +static krb5_error_code +klmdb_destroy(krb5_context context, char *conf_section, char **db_args) +{ + krb5_error_code ret; + klmdb_context *dbc; + + if (context->dal_handle->db_context != NULL) + klmdb_fini(context); + ret = configure_context(context, conf_section, db_args); + if (ret) + goto cleanup; + dbc = context->dal_handle->db_context; + + ret = destroy_file(dbc->path); + if (ret) + goto cleanup; + ret = unlink_lock_file(context, dbc->path); + if (ret) + goto cleanup; + + ret = destroy_file(dbc->lockout_path); + if (ret) + goto cleanup; + ret = unlink_lock_file(context, dbc->lockout_path); + +cleanup: + klmdb_fini(context); + return ret; +} + +static krb5_error_code +klmdb_get_principal(krb5_context context, krb5_const_principal searchfor, + unsigned int flags, krb5_db_entry **entry_out) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + MDB_val key, val; + char *name = NULL; + + *entry_out = NULL; + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + ret = krb5_unparse_name(context, searchfor, &name); + if (ret) + goto cleanup; + + key.mv_data = name; + key.mv_size = strlen(name); + ret = fetch(context, dbc->princ_db, &key, &val); + if (ret) + goto cleanup; + + ret = klmdb_decode_princ(context, name, strlen(name), + val.mv_data, val.mv_size, entry_out); + if (ret) + goto cleanup; + + fetch_lockout(context, &key, *entry_out); + +cleanup: + krb5_free_unparsed_name(context, name); + return ret; +} + +static krb5_error_code +klmdb_put_principal(krb5_context context, krb5_db_entry *entry, char **db_args) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + MDB_val key, val, dummy; + MDB_txn *txn = NULL; + uint8_t lockout[LOCKOUT_RECORD_LEN], *enc; + size_t len; + char *name = NULL; + int err; + + if (db_args != NULL) { + /* This module does not support DB arguments for put_principal. */ + k5_setmsg(context, EINVAL, _("Unsupported argument \"%s\" for lmdb"), + db_args[0]); + return EINVAL; + } + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + ret = krb5_unparse_name(context, entry->princ, &name); + if (ret) + goto cleanup; + + ret = klmdb_encode_princ(context, entry, &enc, &len); + if (ret) + goto cleanup; + ret = put(context, dbc->princ_db, name, enc, len, FALSE, FALSE); + free(enc); + if (ret) + goto cleanup; + + /* + * Write the lockout attributes to the lockout database if we are using + * one. During a load operation, changes to lockout attributes will become + * visible before the load is finished, which is an acceptable compromise + * on load atomicity. + */ + if (dbc->lockout_env != NULL && + (entry->mask & (LOCKOUT_MASK | KADM5_PRINCIPAL))) { + key.mv_data = name; + key.mv_size = strlen(name); + klmdb_encode_princ_lockout(context, entry, lockout); + val.mv_data = lockout; + val.mv_size = sizeof(lockout); + err = mdb_txn_begin(dbc->lockout_env, NULL, 0, &txn); + if (!err && dbc->merge_nra) { + /* During an iprop load, do not change existing lockout entries. */ + if (mdb_get(txn, dbc->lockout_db, &key, &dummy) == 0) + goto cleanup; + } + if (!err) + err = mdb_put(txn, dbc->lockout_db, &key, &val, 0); + if (!err) { + err = mdb_txn_commit(txn); + txn = NULL; + } + if (err) { + ret = klerr(context, err, _("LMDB lockout write failure")); + goto cleanup; + } + } + +cleanup: + mdb_txn_abort(txn); + krb5_free_unparsed_name(context, name); + return ret; +} + +static krb5_error_code +klmdb_delete_principal(krb5_context context, krb5_const_principal searchfor) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + char *name; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + ret = krb5_unparse_name(context, searchfor, &name); + if (ret) + return ret; + + ret = del(context, dbc->env, dbc->princ_db, name); + if (!ret && dbc->lockout_env != NULL) + (void)del(context, dbc->lockout_env, dbc->lockout_db, name); + + krb5_free_unparsed_name(context, name); + return ret; +} + +static krb5_error_code +klmdb_iterate(krb5_context context, char *match_expr, + krb5_error_code (*func)(void *, krb5_db_entry *), void *arg, + krb5_flags iterflags) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + krb5_db_entry *entry; + MDB_txn *txn = NULL; + MDB_cursor *cursor = NULL; + MDB_val key, val; + MDB_cursor_op op = (iterflags & KRB5_DB_ITER_REV) ? MDB_PREV : MDB_NEXT; + int err; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + err = mdb_txn_begin(dbc->env, NULL, MDB_RDONLY, &txn); + if (err) + goto lmdb_error; + err = mdb_cursor_open(txn, dbc->princ_db, &cursor); + if (err) + goto lmdb_error; + for (;;) { + err = mdb_cursor_get(cursor, &key, &val, op); + if (err == MDB_NOTFOUND) + break; + if (err) + goto lmdb_error; + ret = klmdb_decode_princ(context, key.mv_data, key.mv_size, + val.mv_data, val.mv_size, &entry); + if (ret) + goto cleanup; + fetch_lockout(context, &key, entry); + ret = (*func)(arg, entry); + krb5_db_free_principal(context, entry); + if (ret) + goto cleanup; + } + ret = 0; + goto cleanup; + +lmdb_error: + ret = klerr(context, err, _("LMDB principal iteration failure")); +cleanup: + mdb_cursor_close(cursor); + mdb_txn_abort(txn); + return ret; +} + +krb5_error_code +klmdb_get_policy(krb5_context context, char *name, osa_policy_ent_t *policy) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + MDB_val key, val; + + *policy = NULL; + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + key.mv_data = name; + key.mv_size = strlen(name); + ret = fetch(context, dbc->policy_db, &key, &val); + if (ret) + return ret; + return klmdb_decode_policy(context, name, strlen(name), + val.mv_data, val.mv_size, policy); +} + +static krb5_error_code +klmdb_create_policy(krb5_context context, osa_policy_ent_t policy) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + uint8_t *enc; + size_t len; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + ret = klmdb_encode_policy(context, policy, &enc, &len); + if (ret) + return ret; + ret = put(context, dbc->policy_db, policy->name, enc, len, TRUE, FALSE); + free(enc); + return ret; +} + +static krb5_error_code +klmdb_put_policy(krb5_context context, osa_policy_ent_t policy) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + uint8_t *enc; + size_t len; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + ret = klmdb_encode_policy(context, policy, &enc, &len); + if (ret) + return ret; + ret = put(context, dbc->policy_db, policy->name, enc, len, FALSE, TRUE); + free(enc); + return ret; +} + +static krb5_error_code +klmdb_iter_policy(krb5_context context, char *match_entry, + osa_adb_iter_policy_func func, void *arg) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + osa_policy_ent_t pol; + MDB_txn *txn = NULL; + MDB_cursor *cursor = NULL; + MDB_val key, val; + int err; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + + err = mdb_txn_begin(dbc->env, NULL, MDB_RDONLY, &txn); + if (err) + goto lmdb_error; + err = mdb_cursor_open(txn, dbc->policy_db, &cursor); + if (err) + goto lmdb_error; + for (;;) { + err = mdb_cursor_get(cursor, &key, &val, MDB_NEXT); + if (err == MDB_NOTFOUND) + break; + if (err) + goto lmdb_error; + ret = klmdb_decode_policy(context, key.mv_data, key.mv_size, + val.mv_data, val.mv_size, &pol); + if (ret) + goto cleanup; + (*func)(arg, pol); + krb5_db_free_policy(context, pol); + } + ret = 0; + goto cleanup; + +lmdb_error: + ret = klerr(context, err, _("LMDB policy iteration failure")); +cleanup: + mdb_cursor_close(cursor); + mdb_txn_abort(txn); + return ret; +} + +static krb5_error_code +klmdb_delete_policy(krb5_context context, char *policy) +{ + klmdb_context *dbc = context->dal_handle->db_context; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + return del(context, dbc->env, dbc->policy_db, policy); +} + +static krb5_error_code +klmdb_promote_db(krb5_context context, char *conf_section, char **db_args) +{ + krb5_error_code ret = 0; + klmdb_context *dbc = context->dal_handle->db_context; + int err; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + if (dbc->load_txn == NULL) + return EINVAL; + err = mdb_txn_commit(dbc->load_txn); + dbc->load_txn = NULL; + if (err) + ret = klerr(context, err, _("LMDB transaction commit failure")); + klmdb_fini(context); + return ret; +} + +static krb5_error_code +klmdb_check_policy_as(krb5_context context, krb5_kdc_req *request, + krb5_db_entry *client, krb5_db_entry *server, + krb5_timestamp kdc_time, const char **status, + krb5_pa_data ***e_data) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + + if (dbc->disable_lockout) + return 0; + + ret = klmdb_lockout_check_policy(context, client, kdc_time); + if (ret == KRB5KDC_ERR_CLIENT_REVOKED) + *status = "LOCKED_OUT"; + return ret; +} + +static void +klmdb_audit_as_req(krb5_context context, krb5_kdc_req *request, + const krb5_address *local_addr, + const krb5_address *remote_addr, krb5_db_entry *client, + krb5_db_entry *server, krb5_timestamp authtime, + krb5_error_code status) +{ + klmdb_context *dbc = context->dal_handle->db_context; + + (void)klmdb_lockout_audit(context, client, authtime, status, + dbc->disable_last_success, dbc->disable_lockout); +} + +krb5_error_code +klmdb_update_lockout(krb5_context context, krb5_db_entry *entry, + krb5_timestamp stamp, krb5_boolean zero_fail_count, + krb5_boolean set_last_success, + krb5_boolean set_last_failure) +{ + krb5_error_code ret; + klmdb_context *dbc = context->dal_handle->db_context; + krb5_db_entry dummy = { 0 }; + uint8_t lockout[LOCKOUT_RECORD_LEN]; + MDB_txn *txn = NULL; + MDB_val key, val; + char *name = NULL; + int err; + + if (dbc == NULL) + return KRB5_KDB_DBNOTINITED; + if (dbc->lockout_env == NULL) + return 0; + if (!zero_fail_count && !set_last_success && !set_last_failure) + return 0; + + ret = krb5_unparse_name(context, entry->princ, &name); + if (ret) + goto cleanup; + key.mv_data = name; + key.mv_size = strlen(name); + + err = mdb_txn_begin(dbc->lockout_env, NULL, 0, &txn); + if (err) + goto lmdb_error; + /* Fetch base lockout info within txn so we update transactionally. */ + err = mdb_get(txn, dbc->lockout_db, &key, &val); + if (!err && val.mv_size >= LOCKOUT_RECORD_LEN) { + klmdb_decode_princ_lockout(context, &dummy, val.mv_data); + } else { + dummy.last_success = entry->last_success; + dummy.last_failed = entry->last_failed; + dummy.fail_auth_count = entry->fail_auth_count; + } + + if (zero_fail_count) + dummy.fail_auth_count = 0; + if (set_last_success) + dummy.last_success = stamp; + if (set_last_failure) { + dummy.last_failed = stamp; + dummy.fail_auth_count++; + } + + klmdb_encode_princ_lockout(context, &dummy, lockout); + val.mv_data = lockout; + val.mv_size = sizeof(lockout); + err = mdb_put(txn, dbc->lockout_db, &key, &val, 0); + if (err) + goto lmdb_error; + err = mdb_txn_commit(txn); + txn = NULL; + if (err) + goto lmdb_error; + goto cleanup; + +lmdb_error: + ret = klerr(context, err, _("LMDB lockout update failure")); +cleanup: + krb5_free_unparsed_name(context, name); + mdb_txn_abort(txn); + return 0; +} + +kdb_vftabl PLUGIN_SYMBOL_NAME(krb5_lmdb, kdb_function_table) = { + .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, + .min_ver = 0, + .init_library = klmdb_lib_init, + .fini_library = klmdb_lib_cleanup, + .init_module = klmdb_open, + .fini_module = klmdb_fini, + .create = klmdb_create, + .destroy = klmdb_destroy, + .get_principal = klmdb_get_principal, + .put_principal = klmdb_put_principal, + .delete_principal = klmdb_delete_principal, + .iterate = klmdb_iterate, + .create_policy = klmdb_create_policy, + .get_policy = klmdb_get_policy, + .put_policy = klmdb_put_policy, + .iter_policy = klmdb_iter_policy, + .delete_policy = klmdb_delete_policy, + .promote_db = klmdb_promote_db, + .check_policy_as = klmdb_check_policy_as, + .audit_as_req = klmdb_audit_as_req +}; diff --git a/src/plugins/kdb/lmdb/klmdb-int.h b/src/plugins/kdb/lmdb/klmdb-int.h new file mode 100644 index 0000000..29bceae --- /dev/null +++ b/src/plugins/kdb/lmdb/klmdb-int.h @@ -0,0 +1,78 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/kdb/lmdb/klmdb-int.h - internal declarations for LMDB KDB module */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef LMDB_INT_H +#define LMDB_INT_H + +/* Length of a principal lockout record (three 32-bit fields) */ +#define LOCKOUT_RECORD_LEN 12 + +krb5_error_code klmdb_encode_princ(krb5_context context, + const krb5_db_entry *entry, + uint8_t **enc_out, size_t *len_out); +void klmdb_encode_princ_lockout(krb5_context context, + const krb5_db_entry *entry, + uint8_t buf[LOCKOUT_RECORD_LEN]); +krb5_error_code klmdb_encode_policy(krb5_context context, + const osa_policy_ent_rec *pol, + uint8_t **enc_out, size_t *len_out); + +krb5_error_code klmdb_decode_princ(krb5_context context, + const void *key, size_t key_len, + const void *enc, size_t enc_len, + krb5_db_entry **entry_out); +void klmdb_decode_princ_lockout(krb5_context context, krb5_db_entry *entry, + const uint8_t buf[LOCKOUT_RECORD_LEN]); +krb5_error_code klmdb_decode_policy(krb5_context context, + const void *key, size_t key_len, + const void *enc, size_t enc_len, + osa_policy_ent_t *pol_out); + +krb5_error_code klmdb_lockout_check_policy(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp); +krb5_error_code klmdb_lockout_audit(krb5_context context, krb5_db_entry *entry, + krb5_timestamp stamp, + krb5_error_code status, + krb5_boolean disable_last_success, + krb5_boolean disable_lockout); +krb5_error_code klmdb_update_lockout(krb5_context context, + krb5_db_entry *entry, + krb5_timestamp stamp, + krb5_boolean zero_fail_count, + krb5_boolean set_last_success, + krb5_boolean set_last_failure); + +krb5_error_code klmdb_get_policy(krb5_context context, char *name, + osa_policy_ent_t *policy); + +#endif /* LMDB_INT_H */ diff --git a/src/plugins/kdb/lmdb/klmdb.exports b/src/plugins/kdb/lmdb/klmdb.exports new file mode 100644 index 0000000..f2b7c11 --- /dev/null +++ b/src/plugins/kdb/lmdb/klmdb.exports @@ -0,0 +1 @@ +kdb_function_table diff --git a/src/plugins/kdb/lmdb/lockout.c b/src/plugins/kdb/lmdb/lockout.c new file mode 100644 index 0000000..380d8b3 --- /dev/null +++ b/src/plugins/kdb/lmdb/lockout.c @@ -0,0 +1,180 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/kdb/lmdb/lockout.c */ +/* + * Copyright (C) 2009, 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Export of this software from the United States of America may + * require a specific license from the United States Government. + * It is the responsibility of any person or organization contemplating + * export to obtain such a license before exporting. + * + * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and + * distribute this software and its documentation for any purpose and + * without fee is hereby granted, provided that the above copyright + * notice appear in all copies and that both that copyright notice and + * this permission notice appear in supporting documentation, and that + * the name of M.I.T. not be used in advertising or publicity pertaining + * to distribution of the software without specific, written prior + * permission. Furthermore if you modify this software you must label + * your software as modified software and not distribute it in such a + * fashion that it might be confused with the original M.I.T. software. + * M.I.T. makes no representations about the suitability of + * this software for any purpose. It is provided "as is" without express + * or implied warranty. + */ + +#include "k5-int.h" +#include "kdb.h" +#include +#include "kdb5.h" +#include "klmdb-int.h" + +static krb5_error_code +lookup_lockout_policy(krb5_context context, krb5_db_entry *entry, + krb5_kvno *pw_max_fail, krb5_deltat *pw_failcnt_interval, + krb5_deltat *pw_lockout_duration) +{ + krb5_tl_data tl_data; + krb5_error_code code; + osa_princ_ent_rec adb; + XDR xdrs; + + *pw_max_fail = 0; + *pw_failcnt_interval = 0; + *pw_lockout_duration = 0; + + tl_data.tl_data_type = KRB5_TL_KADM_DATA; + + code = krb5_dbe_lookup_tl_data(context, entry, &tl_data); + if (code != 0 || tl_data.tl_data_length == 0) + return code; + + memset(&adb, 0, sizeof(adb)); + xdrmem_create(&xdrs, (char *)tl_data.tl_data_contents, + tl_data.tl_data_length, XDR_DECODE); + if (!xdr_osa_princ_ent_rec(&xdrs, &adb)) { + xdr_destroy(&xdrs); + return KADM5_XDR_FAILURE; + } + + if (adb.policy != NULL) { + osa_policy_ent_t policy = NULL; + + code = klmdb_get_policy(context, adb.policy, &policy); + if (code == 0) { + *pw_max_fail = policy->pw_max_fail; + *pw_failcnt_interval = policy->pw_failcnt_interval; + *pw_lockout_duration = policy->pw_lockout_duration; + krb5_db_free_policy(context, policy); + } + } + + xdr_destroy(&xdrs); + + xdrmem_create(&xdrs, NULL, 0, XDR_FREE); + xdr_osa_princ_ent_rec(&xdrs, &adb); + xdr_destroy(&xdrs); + + return 0; +} + +/* draft-behera-ldap-password-policy-10.txt 7.1 */ +static krb5_boolean +locked_check_p(krb5_context context, krb5_timestamp stamp, krb5_kvno max_fail, + krb5_timestamp lockout_duration, krb5_db_entry *entry) +{ + krb5_timestamp unlock_time; + + /* If the entry was unlocked since the last failure, it's not locked. */ + if (krb5_dbe_lookup_last_admin_unlock(context, entry, &unlock_time) == 0 && + !ts_after(entry->last_failed, unlock_time)) + return FALSE; + + if (max_fail == 0 || entry->fail_auth_count < max_fail) + return FALSE; + + if (lockout_duration == 0) + return TRUE; /* principal permanently locked */ + + return ts_after(ts_incr(entry->last_failed, lockout_duration), stamp); +} + +krb5_error_code +klmdb_lockout_check_policy(krb5_context context, krb5_db_entry *entry, + krb5_timestamp stamp) +{ + krb5_error_code code; + krb5_kvno max_fail = 0; + krb5_deltat failcnt_interval = 0; + krb5_deltat lockout_duration = 0; + + code = lookup_lockout_policy(context, entry, &max_fail, &failcnt_interval, + &lockout_duration); + if (code != 0) + return code; + + if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) + return KRB5KDC_ERR_CLIENT_REVOKED; + + return 0; +} + +krb5_error_code +klmdb_lockout_audit(krb5_context context, krb5_db_entry *entry, + krb5_timestamp stamp, krb5_error_code status, + krb5_boolean disable_last_success, + krb5_boolean disable_lockout) +{ + krb5_error_code ret; + krb5_kvno max_fail = 0; + krb5_deltat failcnt_interval = 0, lockout_duration = 0; + krb5_boolean zero_fail_count = FALSE; + krb5_boolean set_last_success = FALSE, set_last_failure = FALSE; + krb5_timestamp unlock_time; + + if (status != 0 && status != KRB5KDC_ERR_PREAUTH_FAILED && + status != KRB5KRB_AP_ERR_BAD_INTEGRITY) + return 0; + + if (!disable_lockout) { + ret = lookup_lockout_policy(context, entry, &max_fail, + &failcnt_interval, &lockout_duration); + if (ret) + return ret; + } + + /* + * Don't continue to modify the DB for an already locked account. + * (In most cases, status will be KRB5KDC_ERR_CLIENT_REVOKED, and + * this check is unneeded, but in rare cases, we can fail with an + * integrity error or preauth failure before a policy check.) + */ + if (locked_check_p(context, stamp, max_fail, lockout_duration, entry)) + return 0; + + /* Only mark the authentication as successful if the entry + * required preauthentication; otherwise we have no idea. */ + if (status == 0 && (entry->attributes & KRB5_KDB_REQUIRES_PRE_AUTH)) { + if (!disable_lockout && entry->fail_auth_count != 0) + zero_fail_count = TRUE; + if (!disable_last_success) + set_last_success = TRUE; + } else if (status != 0 && !disable_lockout) { + /* Reset the failure counter after an administrative unlock. */ + if (krb5_dbe_lookup_last_admin_unlock(context, entry, + &unlock_time) == 0 && + !ts_after(entry->last_failed, unlock_time)) + zero_fail_count = TRUE; + + /* Reset the failure counter after failcnt_interval. */ + if (failcnt_interval != 0 && + ts_after(stamp, ts_incr(entry->last_failed, failcnt_interval))) + zero_fail_count = TRUE; + + set_last_failure = TRUE; + } + + return klmdb_update_lockout(context, entry, stamp, zero_fail_count, + set_last_success, set_last_failure); +} diff --git a/src/plugins/kdb/lmdb/marshal.c b/src/plugins/kdb/lmdb/marshal.c new file mode 100644 index 0000000..f49a2cb --- /dev/null +++ b/src/plugins/kdb/lmdb/marshal.c @@ -0,0 +1,339 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* lib/kdb/kdb_xdr.c */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "k5-input.h" +#include +#include "klmdb-int.h" + +static void +put16(struct k5buf *buf, uint16_t num) +{ + uint8_t n[2]; + + store_16_le(num, n); + k5_buf_add_len(buf, n, 2); +} + +static void +put32(struct k5buf *buf, uint32_t num) +{ + uint8_t n[4]; + + store_32_le(num, n); + k5_buf_add_len(buf, n, 4); +} + +static void +put_tl_data(struct k5buf *buf, const krb5_tl_data *tl) +{ + for (; tl != NULL; tl = tl->tl_data_next) { + put16(buf, tl->tl_data_type); + put16(buf, tl->tl_data_length); + k5_buf_add_len(buf, tl->tl_data_contents, tl->tl_data_length); + } +} + +krb5_error_code +klmdb_encode_princ(krb5_context context, const krb5_db_entry *entry, + uint8_t **enc_out, size_t *len_out) +{ + struct k5buf buf; + const krb5_key_data *kd; + int i, j; + + *enc_out = NULL; + *len_out = 0; + + k5_buf_init_dynamic(&buf); + + put32(&buf, entry->attributes); + put32(&buf, entry->max_life); + put32(&buf, entry->max_renewable_life); + put32(&buf, entry->expiration); + put32(&buf, entry->pw_expiration); + put16(&buf, entry->n_tl_data); + put16(&buf, entry->n_key_data); + put_tl_data(&buf, entry->tl_data); + for (i = 0; i < entry->n_key_data; i++) { + kd = &entry->key_data[i]; + put16(&buf, kd->key_data_ver); + put16(&buf, kd->key_data_kvno); + for (j = 0; j < kd->key_data_ver; j++) { + put16(&buf, kd->key_data_type[j]); + put16(&buf, kd->key_data_length[j]); + if (kd->key_data_length[j] > 0) { + k5_buf_add_len(&buf, kd->key_data_contents[j], + kd->key_data_length[j]); + } + } + } + + if (k5_buf_status(&buf) != 0) + return ENOMEM; + + *enc_out = buf.data; + *len_out = buf.len; + return 0; +} + +void +klmdb_encode_princ_lockout(krb5_context context, const krb5_db_entry *entry, + uint8_t buf[LOCKOUT_RECORD_LEN]) +{ + store_32_le(entry->last_success, buf); + store_32_le(entry->last_failed, buf + 4); + store_32_le(entry->fail_auth_count, buf + 8); +} + +krb5_error_code +klmdb_encode_policy(krb5_context context, const osa_policy_ent_rec *pol, + uint8_t **enc_out, size_t *len_out) +{ + struct k5buf buf; + + *enc_out = NULL; + *len_out = 0; + + k5_buf_init_dynamic(&buf); + put32(&buf, pol->pw_min_life); + put32(&buf, pol->pw_max_life); + put32(&buf, pol->pw_min_length); + put32(&buf, pol->pw_min_classes); + put32(&buf, pol->pw_history_num); + put32(&buf, pol->pw_max_fail); + put32(&buf, pol->pw_failcnt_interval); + put32(&buf, pol->pw_lockout_duration); + put32(&buf, pol->attributes); + put32(&buf, pol->max_life); + put32(&buf, pol->max_renewable_life); + + if (pol->allowed_keysalts == NULL) { + put32(&buf, 0); + } else { + put32(&buf, strlen(pol->allowed_keysalts)); + k5_buf_add(&buf, pol->allowed_keysalts); + } + + put16(&buf, pol->n_tl_data); + put_tl_data(&buf, pol->tl_data); + + if (k5_buf_status(&buf) != 0) + return ENOMEM; + + *enc_out = buf.data; + *len_out = buf.len; + return 0; +} + +static krb5_error_code +get_tl_data(struct k5input *in, size_t count, krb5_tl_data **tl) +{ + krb5_error_code ret; + const uint8_t *contents; + size_t i, len; + + for (i = 0; i < count; i++) { + *tl = k5alloc(sizeof(**tl), &ret); + if (*tl == NULL) + return ret; + (*tl)->tl_data_type = k5_input_get_uint16_le(in); + len = (*tl)->tl_data_length = k5_input_get_uint16_le(in); + contents = k5_input_get_bytes(in, len); + if (contents == NULL) + return KRB5_KDB_TRUNCATED_RECORD; + (*tl)->tl_data_contents = k5memdup(contents, len, &ret); + if ((*tl)->tl_data_contents == NULL) + return ret; + tl = &(*tl)->tl_data_next; + } + + return 0; +} + +krb5_error_code +klmdb_decode_princ(krb5_context context, const void *key, size_t key_len, + const void *enc, size_t enc_len, krb5_db_entry **entry_out) +{ + krb5_error_code ret; + struct k5input in; + krb5_db_entry *entry = NULL; + char *princname = NULL; + const uint8_t *contents; + int i, j; + size_t len; + krb5_key_data *kd; + + *entry_out = NULL; + + entry = k5alloc(sizeof(*entry), &ret); + if (entry == NULL) + goto cleanup; + + princname = k5memdup0(key, key_len, &ret); + if (princname == NULL) + goto cleanup; + ret = krb5_parse_name(context, princname, &entry->princ); + if (ret) + goto cleanup; + + k5_input_init(&in, enc, enc_len); + entry->attributes = k5_input_get_uint32_le(&in); + entry->max_life = k5_input_get_uint32_le(&in); + entry->max_renewable_life = k5_input_get_uint32_le(&in); + entry->expiration = k5_input_get_uint32_le(&in); + entry->pw_expiration = k5_input_get_uint32_le(&in); + entry->n_tl_data = k5_input_get_uint16_le(&in); + entry->n_key_data = k5_input_get_uint16_le(&in); + if (entry->n_tl_data < 0 || entry->n_key_data < 0) { + ret = KRB5_KDB_TRUNCATED_RECORD; + goto cleanup; + } + + ret = get_tl_data(&in, entry->n_tl_data, &entry->tl_data); + if (ret) + goto cleanup; + + if (entry->n_key_data > 0) { + entry->key_data = k5calloc(entry->n_key_data, sizeof(*entry->key_data), + &ret); + if (entry->key_data == NULL) + goto cleanup; + } + for (i = 0; i < entry->n_key_data; i++) { + kd = &entry->key_data[i]; + kd->key_data_ver = k5_input_get_uint16_le(&in); + kd->key_data_kvno = k5_input_get_uint16_le(&in); + if (kd->key_data_ver < 0 && + kd->key_data_ver > KRB5_KDB_V1_KEY_DATA_ARRAY) { + ret = KRB5_KDB_BAD_VERSION; + goto cleanup; + } + for (j = 0; j < kd->key_data_ver; j++) { + kd->key_data_type[j] = k5_input_get_uint16_le(&in); + len = kd->key_data_length[j] = k5_input_get_uint16_le(&in); + contents = k5_input_get_bytes(&in, len); + if (contents == NULL) { + ret = KRB5_KDB_TRUNCATED_RECORD; + goto cleanup; + } + if (len > 0) { + kd->key_data_contents[j] = k5memdup(contents, len, &ret); + if (kd->key_data_contents[j] == NULL) + goto cleanup; + } + } + } + + ret = in.status; + if (ret) + goto cleanup; + + entry->len = KRB5_KDB_V1_BASE_LENGTH; + *entry_out = entry; + entry = NULL; + +cleanup: + free(princname); + krb5_db_free_principal(context, entry); + return ret; +} + +void +klmdb_decode_princ_lockout(krb5_context context, krb5_db_entry *entry, + const uint8_t buf[LOCKOUT_RECORD_LEN]) +{ + entry->last_success = load_32_le(buf); + entry->last_failed = load_32_le(buf + 4); + entry->fail_auth_count = load_32_le(buf + 8); +} + +krb5_error_code +klmdb_decode_policy(krb5_context context, const void *key, size_t key_len, + const void *enc, size_t enc_len, osa_policy_ent_t *pol_out) +{ + krb5_error_code ret; + osa_policy_ent_t pol = NULL; + struct k5input in; + const char *str; + size_t len; + + *pol_out = NULL; + pol = k5alloc(sizeof(*pol), &ret); + if (pol == NULL) + goto error; + + pol->name = k5memdup0(key, key_len, &ret); + if (pol->name == NULL) + goto error; + + k5_input_init(&in, enc, enc_len); + pol->pw_min_life = k5_input_get_uint32_le(&in); + pol->pw_max_life = k5_input_get_uint32_le(&in); + pol->pw_min_length = k5_input_get_uint32_le(&in); + pol->pw_min_classes = k5_input_get_uint32_le(&in); + pol->pw_history_num = k5_input_get_uint32_le(&in); + pol->pw_max_fail = k5_input_get_uint32_le(&in); + pol->pw_failcnt_interval = k5_input_get_uint32_le(&in); + pol->pw_lockout_duration = k5_input_get_uint32_le(&in); + pol->attributes = k5_input_get_uint32_le(&in); + pol->max_life = k5_input_get_uint32_le(&in); + pol->max_renewable_life = k5_input_get_uint32_le(&in); + + len = k5_input_get_uint32_le(&in); + if (len > 0) { + str = (char *)k5_input_get_bytes(&in, len); + if (str == NULL) { + ret = KRB5_KDB_TRUNCATED_RECORD; + goto error; + } + pol->allowed_keysalts = k5memdup0(str, len, &ret); + if (pol->allowed_keysalts == NULL) + goto error; + } + + pol->n_tl_data = k5_input_get_uint16_le(&in); + ret = get_tl_data(&in, pol->n_tl_data, &pol->tl_data); + if (ret) + goto error; + + ret = in.status; + if (ret) + goto error; + + *pol_out = pol; + return 0; + +error: + krb5_db_free_policy(context, pol); + return ret; +} diff --git a/src/plugins/kdb/test/kdb_test.c b/src/plugins/kdb/test/kdb_test.c index 776dda3..6df2d58 100644 --- a/src/plugins/kdb/test/kdb_test.c +++ b/src/plugins/kdb/test/kdb_test.c @@ -64,6 +64,9 @@ * Key values are generated using a hash of the kvno, enctype, salt type, and * principal name. This module does not use master key encryption, so it * serves as a partial test of the DAL's ability to avoid that. + * + * For cross realm, just add outbound 'krbtgt/OTHER_REALM' principal to each + * kdc configuration, while for inbound trust the local krbtgt will be used. */ #include "k5-int.h" @@ -297,12 +300,27 @@ test_close(krb5_context context) return 0; } +/* Return the principal name krbtgt/tgs_realm@our_realm. */ +static krb5_principal +tgtname(krb5_context context, const krb5_data *tgs_realm, + const krb5_data *our_realm) +{ + krb5_principal princ; + + check(krb5_build_principal_ext(context, &princ, + our_realm->length, our_realm->data, + KRB5_TGS_NAME_SIZE, KRB5_TGS_NAME, + tgs_realm->length, tgs_realm->data, 0)); + princ->type = KRB5_NT_SRV_INST; + return princ; +} + static krb5_error_code test_get_principal(krb5_context context, krb5_const_principal search_for, unsigned int flags, krb5_db_entry **entry) { krb5_error_code ret; - krb5_principal princ = NULL; + krb5_principal princ = NULL, tgtprinc; krb5_principal_data empty_princ = { KV5M_PRINCIPAL }; testhandle h = context->dal_handle->db_context; char *search_name = NULL, *canon = NULL, *flagstr, **names, **key_strings; @@ -316,7 +334,8 @@ test_get_principal(krb5_context context, krb5_const_principal search_for, &search_name)); canon = get_string(h, "alias", search_name, NULL); if (canon != NULL) { - if (!(flags & KRB5_KDB_FLAG_ALIAS_OK)) { + if (!(flags & KRB5_KDB_FLAG_ALIAS_OK) && + search_for->type != KRB5_NT_ENTERPRISE_PRINCIPAL) { ret = KRB5_KDB_NOENTRY; goto cleanup; } @@ -330,14 +349,25 @@ test_get_principal(krb5_context context, krb5_const_principal search_for, princ = NULL; ret = 0; goto cleanup; + } else if (flags & KRB5_KDB_FLAG_CANONICALIZE) { + /* Generate a server referral by looking up the TGT for the + * canonical name's realm. */ + tgtprinc = tgtname(context, &princ->realm, &search_for->realm); + krb5_free_principal(context, princ); + princ = tgtprinc; + + krb5_free_unparsed_name(context, search_name); + check(krb5_unparse_name_flags(context, princ, + KRB5_PRINCIPAL_UNPARSE_NO_REALM, + &search_name)); + ename = search_name; } else { - /* We could look up a cross-realm TGS entry, but we don't need - * that behavior yet. */ ret = KRB5_KDB_NOENTRY; goto cleanup; } + } else { + ename = canon; } - ename = canon; } else { check(krb5_copy_principal(context, search_for, &princ)); ename = search_name; diff --git a/src/plugins/kdcpolicy/test/Makefile.in b/src/plugins/kdcpolicy/test/Makefile.in new file mode 100644 index 0000000..ea3484e --- /dev/null +++ b/src/plugins/kdcpolicy/test/Makefile.in @@ -0,0 +1,20 @@ +mydir=plugins$(S)kdcpolicy$(S)test +BUILDTOP=$(REL)..$(S)..$(S).. + +LIBBASE=kdcpolicy_test +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/kdcpolicy/test +SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) + +STLIBOBJS=main.o + +SRCS=$(srcdir)/main.c + +all-unix: all-libs +install-unix: +clean-unix:: clean-libs clean-libobjs + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/kdcpolicy/test/deps b/src/plugins/kdcpolicy/test/deps new file mode 100644 index 0000000..4ecf533 --- /dev/null +++ b/src/plugins/kdcpolicy/test/deps @@ -0,0 +1,14 @@ +# +# Generated makefile dependencies follow. +# +main.so main.po $(OUTPRE)main.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpolicy_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h main.c diff --git a/src/plugins/kdcpolicy/test/kdcpolicy_test.exports b/src/plugins/kdcpolicy/test/kdcpolicy_test.exports new file mode 100644 index 0000000..9682ec7 --- /dev/null +++ b/src/plugins/kdcpolicy/test/kdcpolicy_test.exports @@ -0,0 +1 @@ +kdcpolicy_test_initvt diff --git a/src/plugins/kdcpolicy/test/main.c b/src/plugins/kdcpolicy/test/main.c new file mode 100644 index 0000000..86c8089 --- /dev/null +++ b/src/plugins/kdcpolicy/test/main.c @@ -0,0 +1,111 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* include/krb5/kdcpolicy_plugin.h - KDC policy plugin interface */ +/* + * Copyright (C) 2017 by Red Hat, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "kdb.h" +#include + +static krb5_error_code +output_from_indicator(const char *const *auth_indicators, int divisor, + krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out, + const char **status) +{ + if (auth_indicators[0] == NULL) { + *status = NULL; + return 0; + } + + if (strcmp(auth_indicators[0], "ONE_HOUR") == 0) { + *lifetime_out = 3600 / divisor; + *renew_lifetime_out = *lifetime_out * 2; + return 0; + } else if (strcmp(auth_indicators[0], "SEVEN_HOURS") == 0) { + *lifetime_out = 7 * 3600 / divisor; + *renew_lifetime_out = *lifetime_out * 2; + return 0; + } + + *status = "LOCAL_POLICY"; + return KRB5KDC_ERR_POLICY; +} + +static krb5_error_code +test_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, + const krb5_kdc_req *request, const krb5_db_entry *client, + const krb5_db_entry *server, const char *const *auth_indicators, + const char **status, krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out) +{ + if (request->client != NULL && request->client->length >= 1 && + data_eq_string(request->client->data[0], "fail")) { + *status = "LOCAL_POLICY"; + return KRB5KDC_ERR_POLICY; + } + return output_from_indicator(auth_indicators, 1, lifetime_out, + renew_lifetime_out, status); +} + +static krb5_error_code +test_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, + const krb5_kdc_req *request, const krb5_db_entry *server, + const krb5_ticket *ticket, const char *const *auth_indicators, + const char **status, krb5_deltat *lifetime_out, + krb5_deltat *renew_lifetime_out) +{ + if (request->server != NULL && request->server->length >= 1 && + data_eq_string(request->server->data[0], "fail")) { + *status = "LOCAL_POLICY"; + return KRB5KDC_ERR_POLICY; + } + return output_from_indicator(auth_indicators, 2, lifetime_out, + renew_lifetime_out, status); +} + +krb5_error_code +kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); +krb5_error_code +kdcpolicy_test_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_kdcpolicy_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + + vt = (krb5_kdcpolicy_vtable)vtable; + vt->name = "test"; + vt->check_as = test_check_as; + vt->check_tgs = test_check_tgs; + return 0; +} diff --git a/src/plugins/preauth/otp/main.c b/src/plugins/preauth/otp/main.c index 2649e9a..a1b6816 100644 --- a/src/plugins/preauth/otp/main.c +++ b/src/plugins/preauth/otp/main.c @@ -331,7 +331,8 @@ otp_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, /* Send the request. */ otp_state_verify((otp_state *)moddata, cb->event_context(context, rock), - request->client, config, req, on_response, rs); + cb->client_name(context, rock), config, req, on_response, + rs); cb->free_string(context, rock, config); k5_free_pa_otp_req(context, req); diff --git a/src/plugins/preauth/otp/otp_state.c b/src/plugins/preauth/otp/otp_state.c index 5ba3d91..acdbca9 100644 --- a/src/plugins/preauth/otp/otp_state.c +++ b/src/plugins/preauth/otp/otp_state.c @@ -84,23 +84,23 @@ read_secret_file(const char *secret_file, char **secret) { char buf[MAX_SECRET_LEN]; krb5_error_code retval; - char *filename; + char *filename = NULL; FILE *file; - int i, j; + size_t i, j; *secret = NULL; retval = k5_path_join(KDC_DIR, secret_file, &filename); if (retval != 0) { com_err("otp", retval, "Unable to resolve secret file '%s'", filename); - return retval; + goto cleanup; } file = fopen(filename, "r"); if (file == NULL) { retval = errno; com_err("otp", retval, "Unable to open secret file '%s'", filename); - return retval; + goto cleanup; } if (fgets(buf, sizeof(buf), file) == NULL) @@ -108,7 +108,7 @@ read_secret_file(const char *secret_file, char **secret) fclose(file); if (retval != 0) { com_err("otp", retval, "Unable to read secret file '%s'", filename); - return retval; + goto cleanup; } /* Strip whitespace. */ @@ -116,12 +116,15 @@ read_secret_file(const char *secret_file, char **secret) if (!isspace(buf[i])) break; } - for (j = strlen(buf) - i; j > 0; j--) { + for (j = strlen(buf); j > i; j--) { if (!isspace(buf[j - 1])) break; } *secret = k5memdup0(&buf[i], j - i, &retval); + +cleanup: + free(filename); return retval; } @@ -649,6 +652,7 @@ callback(krb5_error_code retval, const krad_packet *rqst, /* Try the next token. */ request_send(req); + return; error: req->cb(req->data, retval, otp_response_fail, NULL); diff --git a/src/plugins/preauth/pkinit/Makefile.in b/src/plugins/preauth/pkinit/Makefile.in index 3bb88d8..d8b9398 100644 --- a/src/plugins/preauth/pkinit/Makefile.in +++ b/src/plugins/preauth/pkinit/Makefile.in @@ -1,7 +1,6 @@ mydir=plugins$(S)preauth$(S)pkinit BUILDTOP=$(REL)..$(S)..$(S).. MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) -LOCALINCLUDES = $(PKINIT_CRYPTO_IMPL_CFLAGS) LIBBASE=pkinit LIBMAJOR=0 @@ -11,8 +10,7 @@ RELDIR=../plugins/preauth/pkinit SHLIB_EXPDEPS = \ $(TOPLIBD)/libk5crypto$(SHLIBEXT) \ $(TOPLIBD)/libkrb5$(SHLIBEXT) -SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto $(PKINIT_CRYPTO_IMPL_LIBS) $(DL_LIB) $(SUPPORT_LIB) $(LIBS) -DEFINES=-DPKINIT_DYNOBJEXT=\""$(PKINIT_DYNOBJEXT)"\" +SHLIB_EXPLIBS= -lkrb5 -lcom_err -lk5crypto -lcrypto $(DL_LIB) $(SUPPORT_LIB) $(LIBS) STLIBOBJS= \ pkinit_accessor.o \ @@ -23,7 +21,7 @@ STLIBOBJS= \ pkinit_profile.o \ pkinit_identity.o \ pkinit_matching.o \ - pkinit_crypto_$(PKINIT_CRYPTO_IMPL).o + pkinit_crypto_openssl.o SRCS= \ $(srcdir)/pkinit_accessor.c \ @@ -35,7 +33,7 @@ SRCS= \ $(srcdir)/pkinit_profile.c \ $(srcdir)/pkinit_identity.c \ $(srcdir)/pkinit_matching.c \ - $(srcdir)/pkinit_crypto_$(PKINIT_CRYPTO_IMPL).c + $(srcdir)/pkinit_crypto_openssl.c all-unix: all-liblinks install-unix: install-libs diff --git a/src/plugins/preauth/pkinit/deps b/src/plugins/preauth/pkinit/deps index 75276b6..c54aa42 100644 --- a/src/plugins/preauth/pkinit/deps +++ b/src/plugins/preauth/pkinit/deps @@ -20,11 +20,12 @@ pkinit_srv.so pkinit_srv.po $(OUTPRE)pkinit_srv.$(OBJEXT): \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/clpreauth_plugin.h \ - $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/krb5/preauth_plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h pkcs11.h pkinit.h \ - pkinit_accessor.h pkinit_crypto.h pkinit_srv.c pkinit_trace.h + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/certauth_plugin.h \ + $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ + pkinit_srv.c pkinit_trace.h pkinit_lib.so pkinit_lib.po $(OUTPRE)pkinit_lib.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-int-pkinit.h \ @@ -100,10 +101,15 @@ pkinit_matching.so pkinit_matching.po $(OUTPRE)pkinit_matching.$(OBJEXT): \ pkinit_trace.h pkinit_crypto_openssl.so pkinit_crypto_openssl.po $(OUTPRE)pkinit_crypto_openssl.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-platform.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/krb5/preauth_plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ pkcs11.h pkinit.h pkinit_accessor.h pkinit_crypto.h \ pkinit_crypto_openssl.c pkinit_crypto_openssl.h pkinit_trace.h diff --git a/src/plugins/preauth/pkinit/pkinit.h b/src/plugins/preauth/pkinit/pkinit.h index 876db94..fe2ec0d 100644 --- a/src/plugins/preauth/pkinit/pkinit.h +++ b/src/plugins/preauth/pkinit/pkinit.h @@ -73,9 +73,11 @@ #define KRB5_CONF_PKINIT_IDENTITIES "pkinit_identities" #define KRB5_CONF_PKINIT_IDENTITY "pkinit_identity" #define KRB5_CONF_PKINIT_KDC_HOSTNAME "pkinit_kdc_hostname" +/* pkinit_kdc_ocsp has been removed */ #define KRB5_CONF_PKINIT_KDC_OCSP "pkinit_kdc_ocsp" #define KRB5_CONF_PKINIT_POOL "pkinit_pool" #define KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING "pkinit_require_crl_checking" +#define KRB5_CONF_PKINIT_REQUIRE_FRESHNESS "pkinit_require_freshness" #define KRB5_CONF_PKINIT_REVOKE "pkinit_revoke" /* Make pkiDebug(fmt,...) print, or not. */ @@ -147,6 +149,8 @@ typedef struct _pkinit_plg_opts { int allow_upn; /* allow UPN-SAN instead of pkinit-SAN */ int dh_or_rsa; /* selects DH or RSA based pkinit */ int require_crl_checking; /* require CRL for a CA (default is false) */ + int require_freshness; /* require freshness token (default is false) */ + int disable_freshness; /* disable freshness token on client for testing */ int dh_min_bits; /* minimum DH modulus size allowed */ } pkinit_plg_opts; @@ -161,6 +165,7 @@ typedef struct _pkinit_req_opts { int require_crl_checking; int dh_size; /* initial request DH modulus size (default=1024) */ int require_hostname_match; + int disable_freshness; } pkinit_req_opts; /* @@ -173,7 +178,6 @@ typedef struct _pkinit_identity_opts { char **anchors; char **intermediates; char **crls; - char *ocsp; int idtype; char *cert_filename; char *key_filename; @@ -209,10 +213,12 @@ struct _pkinit_req_context { pkinit_identity_opts *idopts; int do_identity_matching; krb5_preauthtype pa_type; + int rfc4556_kdc; int rfc6112_kdc; int identity_initialized; int identity_prompted; krb5_error_code identity_prompt_retval; + krb5_data *freshness_token; }; typedef struct _pkinit_req_context *pkinit_req_context; @@ -292,6 +298,13 @@ krb5_error_code pkinit_cert_matching pkinit_identity_crypto_context id_cryptoctx, krb5_principal princ); +krb5_error_code pkinit_client_cert_match + (krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + const char *match_rule, + krb5_boolean *matched); + /* * Client's list of identities for which it needs PINs or passwords */ diff --git a/src/plugins/preauth/pkinit/pkinit_clnt.c b/src/plugins/preauth/pkinit/pkinit_clnt.c index e73ad53..58400d5 100644 --- a/src/plugins/preauth/pkinit/pkinit_clnt.c +++ b/src/plugins/preauth/pkinit/pkinit_clnt.c @@ -179,6 +179,7 @@ pa_pkinit_gen_req(krb5_context context, *out_padata = return_pa_data; return_pa_data = NULL; + cb->disable_fallback(context, rock); cleanup: krb5_free_data(context, der_req); @@ -231,6 +232,8 @@ pkinit_as_req_create(krb5_context context, auth_pack.pkAuthenticator.cusec = cusec; auth_pack.pkAuthenticator.nonce = nonce; auth_pack.pkAuthenticator.paChecksum = *cksum; + if (!reqctx->opts->disable_freshness) + auth_pack.pkAuthenticator.freshnessToken = reqctx->freshness_token; auth_pack.clientDHNonce.length = 0; auth_pack.clientPublicValue = &info; auth_pack.supportedKDFs = (krb5_data **)supported_kdf_alg_ids; @@ -504,24 +507,6 @@ verify_kdc_san(krb5_context context, for (hostptr = certhosts; *hostptr != NULL; hostptr++) TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(context, *hostptr); } -#if 0 - retval = call_san_checking_plugins(context, plgctx, reqctx, idctx, - princs, hosts, &plugin_decision, - need_eku_checking); - pkiDebug("%s: call_san_checking_plugins() returned retval %d\n", - __FUNCTION__); - if (retval) { - retval = KRB5KDC_ERR_KDC_NAME_MISMATCH; - goto out; - } - pkiDebug("%s: call_san_checking_plugins() returned decision %d and " - "need_eku_checking %d\n", - __FUNCTION__, plugin_decision, *need_eku_checking); - if (plugin_decision != NO_DECISION) { - retval = plugin_decision; - goto out; - } -#endif pkiDebug("%s: Checking pkinit sans\n", __FUNCTION__); for (i = 0; princs != NULL && princs[i] != NULL; i++) { @@ -1017,8 +1002,6 @@ pkinit_client_prep_questions(krb5_context context, } reqctx->identity_initialized = TRUE; - crypto_free_cert_info(context, plgctx->cryptoctx, - reqctx->cryptoctx, reqctx->idctx); if (retval != 0) { pkiDebug("%s: not asking responder question\n", __FUNCTION__); retval = 0; @@ -1162,6 +1145,7 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, pkinit_context plgctx = (pkinit_context)moddata; pkinit_req_context reqctx = (pkinit_req_context)modreq; krb5_keyblock as_key; + krb5_data d; pkiDebug("pkinit_client_process %p %p %p %p\n", context, plgctx, reqctx, request); @@ -1174,16 +1158,29 @@ pkinit_client_process(krb5_context context, krb5_clpreauth_moddata moddata, case KRB5_PADATA_PKINIT_KX: reqctx->rfc6112_kdc = 1; return 0; + case KRB5_PADATA_AS_FRESHNESS: + TRACE_PKINIT_CLIENT_FRESHNESS_TOKEN(context); + krb5_free_data(context, reqctx->freshness_token); + reqctx->freshness_token = NULL; + d = make_data(in_padata->contents, in_padata->length); + return krb5_copy_data(context, &d, &reqctx->freshness_token); case KRB5_PADATA_PK_AS_REQ: + reqctx->rfc4556_kdc = 1; pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); processing_request = 1; break; case KRB5_PADATA_PK_AS_REP: + reqctx->rfc4556_kdc = 1; pkiDebug("processing KRB5_PADATA_PK_AS_REP\n"); break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: + /* Don't fall back to draft9 code if the KDC supports RFC 4556. */ + if (reqctx->rfc4556_kdc) { + TRACE_PKINIT_CLIENT_NO_DRAFT9(context); + return KRB5KDC_ERR_PREAUTH_FAILED; + } if (in_padata->length == 0) { pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); in_padata->pa_type = KRB5_PADATA_PK_AS_REQ_OLD; @@ -1352,7 +1349,7 @@ cleanup: static int pkinit_client_get_flags(krb5_context kcontext, krb5_preauthtype patype) { - if (patype == KRB5_PADATA_PKINIT_KX) + if (patype == KRB5_PADATA_PKINIT_KX || patype == KRB5_PADATA_AS_FRESHNESS) return PA_INFO; return PA_REAL; } @@ -1369,6 +1366,7 @@ static krb5_preauthtype supported_client_pa_types[] = { KRB5_PADATA_PK_AS_REP_OLD, KRB5_PADATA_PK_AS_REQ_OLD, KRB5_PADATA_PKINIT_KX, + KRB5_PADATA_AS_FRESHNESS, 0 }; @@ -1393,6 +1391,7 @@ pkinit_client_req_init(krb5_context context, reqctx->opts = NULL; reqctx->idctx = NULL; reqctx->idopts = NULL; + reqctx->freshness_token = NULL; retval = pkinit_init_req_opts(&reqctx->opts); if (retval) @@ -1403,6 +1402,7 @@ pkinit_client_req_init(krb5_context context, reqctx->opts->dh_or_rsa = plgctx->opts->dh_or_rsa; reqctx->opts->allow_upn = plgctx->opts->allow_upn; reqctx->opts->require_crl_checking = plgctx->opts->require_crl_checking; + reqctx->opts->disable_freshness = plgctx->opts->disable_freshness; retval = pkinit_init_req_crypto(&reqctx->cryptoctx); if (retval) @@ -1461,6 +1461,8 @@ pkinit_client_req_fini(krb5_context context, krb5_clpreauth_moddata moddata, if (reqctx->idopts != NULL) pkinit_fini_identity_opts(reqctx->idopts); + krb5_free_data(context, reqctx->freshness_token); + free(reqctx); return; } @@ -1573,6 +1575,9 @@ handle_gic_opt(krb5_context context, pkiDebug("Setting flag to use RSA_PROTOCOL\n"); plgctx->opts->dh_or_rsa = RSA_PROTOCOL; } + } else if (strcmp(attr, "disable_freshness") == 0) { + if (strcmp(value, "yes") == 0) + plgctx->opts->disable_freshness = 1; } return 0; } diff --git a/src/plugins/preauth/pkinit/pkinit_crypto.h b/src/plugins/preauth/pkinit/pkinit_crypto.h index b483aff..0acb731 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto.h @@ -59,9 +59,6 @@ enum cms_msg_types { #define IDTYPE_PKCS11 3 #define IDTYPE_ENVVAR 4 #define IDTYPE_PKCS12 5 -#ifdef PKINIT_CRYPTO_IMPL_NSS -#define IDTYPE_NSS 6 -#endif /* * ca/crl types @@ -96,13 +93,12 @@ typedef struct _pkinit_cert_iter_info *pkinit_cert_iter_handle; #define PKINIT_ITER_NO_MORE 0x11111111 /* XXX */ typedef struct _pkinit_cert_matching_data { - pkinit_cert_handle ch; /* cert handle for this certificate */ char *subject_dn; /* rfc2253-style subject name string */ char *issuer_dn; /* rfc2253-style issuer name string */ unsigned int ku_bits; /* key usage information */ unsigned int eku_bits; /* extended key usage information */ - krb5_principal *sans; /* Null-terminated array of subject alternative - name info (pkinit and ms-upn) */ + krb5_principal *sans; /* Null-terminated array of PKINIT SANs */ + char **upns; /* Null-terimnated array of UPN SANs */ } pkinit_cert_matching_data; /* @@ -254,7 +250,7 @@ krb5_error_code crypto_retrieve_cert_sans if non-NULL, a null-terminated array of id-pkinit-san values found in the certificate are returned */ - krb5_principal **upn_sans, /* OUT + char ***upn_sans, /* OUT if non-NULL, a null-terminated array of id-ms-upn-san values found in the certificate are returned */ @@ -320,14 +316,14 @@ krb5_error_code client_create_dh pkinit_identity_crypto_context id_cryptoctx, /* IN */ int dh_size, /* IN specifies the DH modulous, eg 1024, 2048, or 4096 */ - unsigned char **dh_paramas, /* OUT + unsigned char **dh_params_out, /* OUT contains DER encoded DH params */ - unsigned int *dh_params_len, /* OUT - contains length of dh_parmas */ - unsigned char **dh_pubkey, /* OUT + unsigned int *dh_params_len_out, /* OUT + contains length of encoded DH params */ + unsigned char **dh_pubkey_out, /* OUT receives DER encoded DH pub key */ - unsigned int *dh_pubkey_len); /* OUT - receives length of dh_pubkey */ + unsigned int *dh_pubkey_len_out); /* OUT + receives length of DH pub key */ /* * this function completes client's the DH protocol. client @@ -343,10 +339,10 @@ krb5_error_code client_process_dh contains client's DER encoded DH pub key */ unsigned int dh_pubkey_len, /* IN contains length of dh_pubkey */ - unsigned char **dh_session_key, /* OUT + unsigned char **client_key_out, /* OUT receives DH secret key */ - unsigned int *dh_session_key_len); /* OUT - receives length of dh_session_key */ + unsigned int *client_key_len_out); /* OUT + receives length of DH secret key */ /* * this function implements the KDC first part of the DH protocol. @@ -376,14 +372,14 @@ krb5_error_code server_process_dh contains client's DER encoded DH pub key */ unsigned int received_pub_len, /* IN contains length of received_pubkey */ - unsigned char **dh_pubkey, /* OUT + unsigned char **dh_pubkey_out, /* OUT receives KDC's DER encoded DH pub key */ - unsigned int *dh_pubkey_len, /* OUT + unsigned int *dh_pubkey_len_out, /* OUT receives length of dh_pubkey */ - unsigned char **server_key, /* OUT + unsigned char **server_key_out, /* OUT receives DH secret key */ - unsigned int *server_key_len); /* OUT - receives length of server_key */ + unsigned int *server_key_len_out); /* OUT + receives length of DH secret key */ /* * this functions takes in crypto specific representation of @@ -458,68 +454,38 @@ krb5_error_code crypto_free_cert_info /* - * Get number of certificates available after crypto_load_certs() + * Get a null-terminated list of certificate matching data objects for the + * certificates loaded in id_cryptoctx. */ -krb5_error_code crypto_cert_get_count - (krb5_context context, /* IN */ - pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ - pkinit_identity_crypto_context id_cryptoctx, /* IN */ - int *cert_count); /* OUT */ - -/* - * Begin iteration over the certs loaded in crypto_load_certs() - */ -krb5_error_code crypto_cert_iteration_begin - (krb5_context context, /* IN */ - pkinit_plg_crypto_context plg_cryptoctx, /* IN */ - pkinit_req_crypto_context req_cryptoctx, /* IN */ - pkinit_identity_crypto_context id_cryptoctx, /* IN */ - pkinit_cert_iter_handle *iter_handle); /* OUT */ - -/* - * End iteration over the certs loaded in crypto_load_certs() - */ -krb5_error_code crypto_cert_iteration_end - (krb5_context context, /* IN */ - pkinit_cert_iter_handle iter_handle); /* IN */ - -/* - * Get next certificate handle - */ -krb5_error_code crypto_cert_iteration_next - (krb5_context context, /* IN */ - pkinit_cert_iter_handle iter_handle, /* IN */ - pkinit_cert_handle *cert_handle); /* OUT */ - -/* - * Release cert handle - */ -krb5_error_code crypto_cert_release - (krb5_context context, /* IN */ - pkinit_cert_handle cert_handle); /* IN */ +krb5_error_code +crypto_cert_get_matching_data(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, + pkinit_req_crypto_context req_cryptoctx, + pkinit_identity_crypto_context id_cryptoctx, + pkinit_cert_matching_data ***md_out); /* - * Get certificate matching information + * Free a matching data object. */ -krb5_error_code crypto_cert_get_matching_data - (krb5_context context, /* IN */ - pkinit_cert_handle cert_handle, /* IN */ - pkinit_cert_matching_data **ret_data); /* OUT */ +void +crypto_cert_free_matching_data(krb5_context context, + pkinit_cert_matching_data *md); /* - * Free certificate information + * Free a list of matching data objects. */ -krb5_error_code crypto_cert_free_matching_data - (krb5_context context, /* IN */ - pkinit_cert_matching_data *data); /* IN */ +void +crypto_cert_free_matching_data_list(krb5_context context, + pkinit_cert_matching_data **matchdata); /* - * Make the given certificate "the chosen one" + * Choose one of the certificates loaded in idctx to use for PKINIT client + * operations. cred_index must be an index into the array of matching objects + * returned by crypto_cert_get_matching_data(). */ -krb5_error_code crypto_cert_select - (krb5_context context, /* IN */ - pkinit_cert_matching_data *data); /* IN */ +krb5_error_code +crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, + size_t cred_index); /* * Select the default certificate as "the chosen one" @@ -664,4 +630,14 @@ extern const size_t krb5_pkinit_sha512_oid_len; */ extern krb5_data const * const supported_kdf_alg_ids[]; +krb5_error_code +crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, + uint8_t **der_out, size_t *der_len); + +krb5_error_code +crypto_req_cert_matching_data(krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + pkinit_cert_matching_data **md_out); + #endif /* _PKINIT_CRYPTO_H */ diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c deleted file mode 100644 index c849f87..0000000 --- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c +++ /dev/null @@ -1,5800 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright (c) 2006,2007,2010,2011 Red Hat, Inc. - * All Rights Reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * * Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * * Redistributions in binary form must reproduce the above - * copyright notice, this list of conditions and the following - * disclaimer in the documentation and/or other materials provided - * with the distribution. - * - * * Neither the name of Red Hat, Inc., nor the names of its - * contributors may be used to endorse or promote products derived - * from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS - * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A - * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER - * OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, - * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, - * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR - * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF - * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING - * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS - * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. - */ - -#include "k5-platform.h" -#include "k5-buf.h" -#include "k5-utf8.h" -#include "krb5.h" - -#include -#include -#include -#include - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -/* Avoid including our local copy of "pkcs11.h" from one of the local headers, - * since the definitions we want to use are going to be the ones that NSS - * provides. */ - -#define PKCS11_H -#include "pkinit.h" -#include "pkinit_crypto.h" - -/* We should probably avoid using the default location for certificate trusts, - * unless we can be sure that the list of trusted roots isn't being shared - * with general-purpose SSL/TLS configuration, even though we're leaning on - * SSL/TLS trust settings. */ -#define DEFAULT_CONFIGDIR "/etc/pki/nssdb" - -/* #define DEBUG_DER "/usr/lib64/nss/unsupported-tools/derdump" */ -/* #define DEBUG_SENSITIVE */ - -/* Define to create a temporary on-disk database when we need to import PKCS12 - * identities. */ -#define PKCS12_HACK - -/* Prefix to mark the nicknames we make up for pkcs12 bundles that don't - * include a friendly name. */ -#define PKCS12_PREFIX "pkinit-pkcs12" - -/* The library name of the NSSPEM module. */ -#define PEM_MODULE "nsspem" - -/* Forward declaration. */ -static krb5_error_code cert_retrieve_cert_sans(krb5_context context, - CERTCertificate *cert, - krb5_principal **pkinit_sans, - krb5_principal **upn_sans, - unsigned char ***kdc_hostname); -static void crypto_update_signer_identity(krb5_context, - pkinit_identity_crypto_context); - -/* DomainParameters: RFC 2459, 7.3.2. */ -struct domain_parameters { - SECItem p, g, q, j; - struct validation_parms *validation_parms; -}; - -/* Plugin and request state. */ -struct _pkinit_plg_crypto_context { - PLArenaPool *pool; - NSSInitContext *ncontext; -}; - -struct _pkinit_req_crypto_context { - PLArenaPool *pool; - SECKEYPrivateKey *client_dh_privkey; /* used by clients */ - SECKEYPublicKey *client_dh_pubkey; /* used by clients */ - struct domain_parameters client_dh_params; /* used by KDCs */ - CERTCertificate *peer_cert; /* the other party */ -}; - -struct _pkinit_identity_crypto_context { - PLArenaPool *pool; - const char *identity; - SECMODModule *pem_module; /* used for FILE: and DIR: */ - struct _pkinit_identity_crypto_module { - char *name; - char *spec; - SECMODModule *module; - } **id_modules; /* used for PKCS11: */ - struct _pkinit_identity_crypto_userdb { - char *name; - PK11SlotInfo *userdb; - } **id_userdbs; /* used for NSS: */ - struct _pkinit_identity_crypto_p12slot { - char *p12name; - PK11SlotInfo *slot; - } id_p12_slot; /* used for PKCS12: */ - struct _pkinit_identity_crypto_file { - char *name; - PK11GenericObject *obj; - CERTCertificate *cert; - } **id_objects; /* used with FILE: and DIR: */ - SECItem **id_crls; - CERTCertList *id_certs, *ca_certs; - CERTCertificate *id_cert; - struct { - krb5_context context; - krb5_prompter_fct prompter; - void *prompter_data; - const char *identity; - } pwcb_args; - krb5_boolean defer_id_prompt; - pkinit_deferred_id *deferred_ids; - krb5_boolean defer_with_dummy_password; -}; - -struct _pkinit_cert_info { /* aka _pkinit_cert_handle */ - PLArenaPool *pool; - struct _pkinit_identity_crypto_context *id_cryptoctx; - CERTCertificate *cert; -}; - -struct _pkinit_cert_iter_info { /* aka _pkinit_cert_iter_handle */ - PLArenaPool *pool; - struct _pkinit_identity_crypto_context *id_cryptoctx; - CERTCertListNode *node; -}; - -/* Protocol elements that we need to encode or decode. */ - -/* DH parameters: draft-ietf-cat-kerberos-pk-init-08.txt, 3.1.2.2. */ -struct dh_parameters { - SECItem p, g, private_value_length; -}; -static const SEC_ASN1Template dh_parameters_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct dh_parameters), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct dh_parameters, p), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct dh_parameters, g), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, - offsetof(struct dh_parameters, private_value_length), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - {0, 0, NULL, 0} -}; - -/* ValidationParms: RFC 2459, 7.3.2. */ -struct validation_parms { - SECItem seed, pgen_counter; -}; -static const SEC_ASN1Template validation_parms_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct validation_parms), - }, - { - SEC_ASN1_BIT_STRING, - offsetof(struct validation_parms, seed), - &SEC_BitStringTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct validation_parms, pgen_counter), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - {0, 0, NULL, 0} -}; - -/* DomainParameters: RFC 2459, 7.3.2. */ -struct domain_parameters; -static const SEC_ASN1Template domain_parameters_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct domain_parameters), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct domain_parameters, p), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct domain_parameters, g), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct domain_parameters, q), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER | SEC_ASN1_OPTIONAL, - offsetof(struct domain_parameters, j), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INLINE | SEC_ASN1_POINTER | SEC_ASN1_OPTIONAL, - offsetof(struct domain_parameters, validation_parms), - &validation_parms_template, - sizeof(struct validation_parms *), - }, - {0, 0, NULL, 0} -}; - -/* IssuerAndSerialNumber: RFC 3852, 10.2.4. */ -struct issuer_and_serial_number { - SECItem issuer; - SECItem serial; -}; -static const SEC_ASN1Template issuer_and_serial_number_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct issuer_and_serial_number), - }, - { - SEC_ASN1_ANY, - offsetof(struct issuer_and_serial_number, issuer), - &SEC_AnyTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_INTEGER, - offsetof(struct issuer_and_serial_number, serial), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - {0, 0, NULL, 0} -}; - -/* KerberosString: RFC 4120, 5.2.1. */ -static const SEC_ASN1Template kerberos_string_template[] = { - { - SEC_ASN1_GENERAL_STRING, - 0, - NULL, - sizeof(SECItem), - } -}; - -/* Realm: RFC 4120, 5.2.2. */ -struct realm { - SECItem name; -}; -static const SEC_ASN1Template realm_template[] = { - { - SEC_ASN1_GENERAL_STRING, - 0, - NULL, - sizeof(SECItem), - } -}; - -/* PrincipalName: RFC 4120, 5.2.2. */ -static const SEC_ASN1Template sequence_of_kerberos_string_template[] = { - { - SEC_ASN1_SEQUENCE_OF, - 0, - &kerberos_string_template, - 0, - } -}; - -struct principal_name { - SECItem name_type; - SECItem **name_string; -}; -static const SEC_ASN1Template principal_name_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct principal_name), - }, - { - SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - offsetof(struct principal_name, name_type), - &SEC_IntegerTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - offsetof(struct principal_name, name_string), - sequence_of_kerberos_string_template, - sizeof(struct SECItem **), - }, - {0, 0, NULL, 0}, -}; - -/* KRB5PrincipalName: RFC 4556, 3.2.2. */ -struct kerberos_principal_name { - SECItem realm; - struct principal_name principal_name; -}; -static const SEC_ASN1Template kerberos_principal_name_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct kerberos_principal_name), - }, - { - SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - offsetof(struct kerberos_principal_name, realm), - &realm_template, - sizeof(struct realm), - }, - { - SEC_ASN1_CONTEXT_SPECIFIC | 1 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - offsetof(struct kerberos_principal_name, principal_name), - &principal_name_template, - sizeof(struct principal_name), - }, - {0, 0, NULL, 0} -}; - -/* ContentInfo: RFC 3852, 3. */ -struct content_info { - SECItem content_type, content; -}; -static const SEC_ASN1Template content_info_template[] = { - { - SEC_ASN1_SEQUENCE, - 0, - NULL, - sizeof(struct content_info), - }, - { - SEC_ASN1_OBJECT_ID, - offsetof(struct content_info, content_type), - &SEC_ObjectIDTemplate, - sizeof(SECItem), - }, - { - SEC_ASN1_CONTEXT_SPECIFIC | 0 | SEC_ASN1_CONSTRUCTED | SEC_ASN1_EXPLICIT, - offsetof(struct content_info, content), - &SEC_OctetStringTemplate, - sizeof(SECItem), - }, - {0, 0, NULL, 0} -}; - -/* OIDs. */ -static unsigned char oid_pkinit_key_purpose_client_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x04 -}; -static SECItem pkinit_kp_client = { - siDEROID, - oid_pkinit_key_purpose_client_bytes, - 7, -}; -static unsigned char oid_pkinit_key_purpose_kdc_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x05 -}; -static SECItem pkinit_kp_kdc = { - siDEROID, - oid_pkinit_key_purpose_kdc_bytes, - 7, -}; -static unsigned char oid_ms_sc_login_key_purpose_bytes[] = { - 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x02 -}; -static SECItem pkinit_kp_mssclogin = { - siDEROID, - oid_ms_sc_login_key_purpose_bytes, - 10, -}; -static unsigned char oid_pkinit_name_type_principal_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x02 -}; -static SECItem pkinit_nt_principal = { - siDEROID, - oid_pkinit_name_type_principal_bytes, - 6, -}; -static unsigned char oid_pkinit_name_type_upn_bytes[] = { - 0x2b, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03 -}; -static SECItem pkinit_nt_upn = { - siDEROID, - oid_pkinit_name_type_upn_bytes, - 10, -}; - -static SECOidTag -get_pkinit_data_auth_data_tag(void) -{ - static unsigned char oid_pkinit_auth_data_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x01 - }; - static SECOidData oid_pkinit_auth_data = { - { - siDEROID, - oid_pkinit_auth_data_bytes, - 7, - }, - SEC_OID_UNKNOWN, - "PKINIT Client Authentication Data", - CKM_INVALID_MECHANISM, - UNSUPPORTED_CERT_EXTENSION, - }; - if (oid_pkinit_auth_data.offset == SEC_OID_UNKNOWN) - oid_pkinit_auth_data.offset = SECOID_AddEntry(&oid_pkinit_auth_data); - return oid_pkinit_auth_data.offset; -} - -static SECOidTag -get_pkinit_data_auth_data9_tag(void) -{ - static unsigned char oid_pkinit_auth_data9_bytes[] = - { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 }; - static SECOidData oid_pkinit_auth_data9 = { - { - siDEROID, - oid_pkinit_auth_data9_bytes, - 9, - }, - SEC_OID_UNKNOWN, - "PKINIT Client Authentication Data (Draft 9)", - CKM_INVALID_MECHANISM, - UNSUPPORTED_CERT_EXTENSION, - }; - if (oid_pkinit_auth_data9.offset == SEC_OID_UNKNOWN) - oid_pkinit_auth_data9.offset = SECOID_AddEntry(&oid_pkinit_auth_data9); - return oid_pkinit_auth_data9.offset; -} - -static SECOidTag -get_pkinit_data_rkey_data_tag(void) -{ - static unsigned char oid_pkinit_rkey_data_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x03 - }; - static SECOidData oid_pkinit_rkey_data = { - { - siDEROID, - oid_pkinit_rkey_data_bytes, - 7, - }, - SEC_OID_UNKNOWN, - "PKINIT Reply Key Data", - CKM_INVALID_MECHANISM, - UNSUPPORTED_CERT_EXTENSION, - }; - if (oid_pkinit_rkey_data.offset == SEC_OID_UNKNOWN) - oid_pkinit_rkey_data.offset = SECOID_AddEntry(&oid_pkinit_rkey_data); - return oid_pkinit_rkey_data.offset; -} - -static SECOidTag -get_pkinit_data_dhkey_data_tag(void) -{ - static unsigned char oid_pkinit_dhkey_data_bytes[] = { - 0x2b, 0x06, 0x01, 0x05, 0x02, 0x03, 0x02 - }; - static SECOidData oid_pkinit_dhkey_data = { - { - siDEROID, - oid_pkinit_dhkey_data_bytes, - 7, - }, - SEC_OID_UNKNOWN, - "PKINIT DH Reply Key Data", - CKM_INVALID_MECHANISM, - UNSUPPORTED_CERT_EXTENSION, - }; - if (oid_pkinit_dhkey_data.offset == SEC_OID_UNKNOWN) - oid_pkinit_dhkey_data.offset = SECOID_AddEntry(&oid_pkinit_dhkey_data); - return oid_pkinit_dhkey_data.offset; -} - -static SECItem * -get_oid_from_tag(SECOidTag tag) -{ - SECOidData *data; - data = SECOID_FindOIDByTag(tag); - if (data != NULL) - return &data->oid; - else - return NULL; -} - -#ifdef DEBUG_DER -static void -derdump(unsigned char *data, unsigned int length) -{ - FILE *p; - - p = popen(DEBUG_DER, "w"); - if (p != NULL) { - fwrite(data, 1, length, p); - pclose(p); - } -} -#endif -#ifdef DEBUG_CMS -static void -cmsdump(unsigned char *data, unsigned int length) -{ - FILE *p; - - p = popen(DEBUG_CMS, "w"); - if (p != NULL) { - fwrite(data, 1, length, p); - pclose(p); - } -} -#endif - -/* A password-prompt callback for NSS that calls the libkrb5 callback. */ -static char * -crypto_pwfn(const char *what, PRBool is_hardware, CK_FLAGS token_flags, - PRBool retry, void *arg) -{ - int ret; - pkinit_identity_crypto_context id; - krb5_prompt prompt; - krb5_prompt_type prompt_types[2]; - krb5_data reply; - char *text, *answer; - const char *warning, *password; - size_t text_size; - void *data; - - /* We only want to be called once. */ - if (retry) - return NULL; - /* We need our callback arguments. */ - if (arg == NULL) - return NULL; - id = arg; - - /* If we need to warn about the PIN, figure out the text. */ - if (token_flags & CKF_USER_PIN_LOCKED) - warning = "PIN locked"; - else if (token_flags & CKF_USER_PIN_FINAL_TRY) - warning = "PIN final try"; - else if (token_flags & CKF_USER_PIN_COUNT_LOW) - warning = "PIN count low"; - else - warning = NULL; - - /* - * If we have the name of an identity here, then we're either supposed to - * save its name, or attempt to use a password, if one was supplied. - */ - if (id->pwcb_args.identity != NULL) { - if (id->defer_id_prompt) { - /* If we're in the defer-prompts step, just save the identity name - * and "fail". */ - if (!is_hardware) - token_flags = 0; - pkinit_set_deferred_id(&id->deferred_ids, id->pwcb_args.identity, - token_flags, NULL); - if (id->defer_with_dummy_password) { - /* Return a useless result. */ - answer = PR_Malloc(1); - if (answer != NULL) { - *answer = '\0'; - return answer; - } - } - } else { - /* Check if we already have a password for this identity. If so, - * just return a copy of it. */ - password = pkinit_find_deferred_id(id->deferred_ids, - id->pwcb_args.identity); - if (password != NULL) { - /* The result will be freed with PR_Free, so return a copy. */ - text_size = strlen(password) + 1; - answer = PR_Malloc(text_size); - if (answer != NULL) { - memcpy(answer, password, text_size); - pkiDebug("%s: returning %ld-char answer\n", __FUNCTION__, - (long)strlen(answer)); - return answer; - } - } - } - } - - if (id->pwcb_args.prompter == NULL) - return NULL; - - /* Set up the prompt. */ - text_size = strlen(what) + 100; - text = PORT_ArenaZAlloc(id->pool, text_size); - if (text == NULL) { - pkiDebug("out of memory"); - return NULL; - } - if (is_hardware) { - if (warning != NULL) - snprintf(text, text_size, "%s PIN (%s)", what, warning); - else - snprintf(text, text_size, "%s PIN", what); - } else { - snprintf(text, text_size, "%s %s", _("Pass phrase for"), what); - } - memset(&prompt, 0, sizeof(prompt)); - prompt.prompt = text; - prompt.hidden = 1; - prompt.reply = &reply; - reply.length = 256; - data = malloc(reply.length); - reply.data = data; - what = NULL; - answer = NULL; - - /* Call the prompter callback. */ - prompt_types[0] = KRB5_PROMPT_TYPE_PREAUTH; - prompt_types[1] = 0; - (*k5int_set_prompt_types)(id->pwcb_args.context, prompt_types); - fflush(NULL); - ret = (*id->pwcb_args.prompter)(id->pwcb_args.context, - id->pwcb_args.prompter_data, - what, answer, 1, &prompt); - (*k5int_set_prompt_types)(id->pwcb_args.context, NULL); - answer = NULL; - if ((ret == 0) && (reply.data != NULL)) { - /* The result will be freed with PR_Free, so return a copy. */ - answer = PR_Malloc(reply.length + 1); - memcpy(answer, reply.data, reply.length); - answer[reply.length] = '\0'; - answer[strcspn(answer, "\r\n")] = '\0'; -#ifdef DEBUG_SENSITIVE - pkiDebug("%s: returning \"%s\"\n", __FUNCTION__, answer); -#else - pkiDebug("%s: returning %ld-char answer\n", __FUNCTION__, - (long) strlen(answer)); -#endif - } - - if (reply.data == data) - free(reply.data); - - return answer; -} - -/* A password-prompt callback for NSS that calls the libkrb5 callback. */ -static char * -crypto_pwcb(PK11SlotInfo *slot, PRBool retry, void *arg) -{ - pkinit_identity_crypto_context id; - const char *what = NULL; - CK_TOKEN_INFO tinfo; - CK_FLAGS tflags; - - if (PK11_GetTokenInfo(slot, &tinfo) == SECSuccess) - tflags = tinfo.flags; - else - tflags = 0; - if (arg != NULL) { - id = arg; - what = id->pwcb_args.identity; - } - return crypto_pwfn((what != NULL) ? what : PK11_GetTokenName(slot), - PK11_IsHW(slot), tflags, retry, arg); -} - -/* - * Make sure we're using our callback, and set up the callback data. - */ -static void * -crypto_pwcb_prep(pkinit_identity_crypto_context id_cryptoctx, - const char *identity, krb5_context context) -{ - PK11_SetPasswordFunc(crypto_pwcb); - id_cryptoctx->pwcb_args.context = context; - id_cryptoctx->pwcb_args.identity = identity; - return id_cryptoctx; -} - -krb5_error_code -pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx) -{ - PLArenaPool *pool; - pkinit_identity_crypto_context id; - - pkiDebug("%s\n", __FUNCTION__); - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - id = PORT_ArenaZAlloc(pool, sizeof(*id)); - if (id == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - id->pool = pool; - id->id_certs = CERT_NewCertList(); - id->ca_certs = CERT_NewCertList(); - if ((id->id_certs != NULL) && (id->ca_certs != NULL)) { - *id_cryptoctx = id; - return 0; - } - if (id->ca_certs != NULL) - CERT_DestroyCertList(id->ca_certs); - if (id->id_certs != NULL) - CERT_DestroyCertList(id->id_certs); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; -} - -/* Return the slot which we'll use for holding imported PKCS12 certificates - * and keys. Open the module if we need to, first. */ -static PK11SlotInfo * -crypto_get_p12_slot(struct _pkinit_identity_crypto_context *id) -{ - char *configdir, *spec; - size_t spec_size; - int attempts; - - if (id->id_p12_slot.slot == NULL) { - configdir = DEFAULT_CONFIGDIR; -#ifdef PKCS12_HACK - /* Figure out where to put the temporary userdb. */ - attempts = 0; - while ((attempts < TMP_MAX) && - (spec = tempnam(NULL, "pk12-")) != NULL) { - if (spec != NULL) { - if (mkdir(spec, S_IRWXU) == 0) { - configdir = spec; - break; - } else { - free(spec); - if (errno != EEXIST) - break; - } - attempts++; - } - } -#endif - spec_size = strlen("configDir='' flags=readOnly") + - strlen(configdir) + 1; - spec = PORT_ArenaZAlloc(id->pool, spec_size); - if (spec != NULL) { - if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) - snprintf(spec, spec_size, "configDir='%s'", configdir); - else - snprintf(spec, spec_size, "configDir='%s' flags=readOnly", - configdir); - id->id_p12_slot.slot = SECMOD_OpenUserDB(spec); - } -#ifdef PKCS12_HACK - if (strcmp(configdir, DEFAULT_CONFIGDIR) != 0) { - DIR *dir; - struct dirent *ent; - char *path; - /* First, initialize the slot. */ - if (id->id_p12_slot.slot != NULL) - if (PK11_NeedUserInit(id->id_p12_slot.slot)) - PK11_InitPin(id->id_p12_slot.slot, "", ""); - /* Scan the directory, deleting all of the contents. */ - dir = opendir(configdir); - if (dir == NULL) - pkiDebug("%s: error removing directory \"%s\": %s\n", - __FUNCTION__, configdir, strerror(errno)); - else { - while ((ent = readdir(dir)) != NULL) { - if ((strcmp(ent->d_name, ".") == 0) || - (strcmp(ent->d_name, "..") == 0)) { - continue; - } - if (k5_path_join(configdir, ent->d_name, &path) == 0) { - remove(path); - free(path); - } - } - closedir(dir); - } - /* Remove the directory itself. */ - rmdir(configdir); - free(configdir); - } - } -#endif - return id->id_p12_slot.slot; -} - -/* Close the slot which we've been using for holding imported PKCS12 - * certificates and keys. */ -static void -crypto_close_p12_slot(struct _pkinit_identity_crypto_context *id) -{ - PK11_FreeSlot(id->id_p12_slot.slot); - id->id_p12_slot.slot = NULL; -} - -void -pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx) -{ - int i; - - pkiDebug("%s\n", __FUNCTION__); - /* The order of cleanup here is intended to ensure that nothing gets - * freed before anything that might have a reference to it. */ - if (id_cryptoctx->deferred_ids != NULL) - pkinit_free_deferred_ids(id_cryptoctx->deferred_ids); - if (id_cryptoctx->id_cert != NULL) - CERT_DestroyCertificate(id_cryptoctx->id_cert); - CERT_DestroyCertList(id_cryptoctx->ca_certs); - CERT_DestroyCertList(id_cryptoctx->id_certs); - if (id_cryptoctx->id_objects != NULL) - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) { - if (id_cryptoctx->id_objects[i]->cert != NULL) - CERT_DestroyCertificate(id_cryptoctx->id_objects[i]->cert); - PK11_DestroyGenericObject(id_cryptoctx->id_objects[i]->obj); - } - if (id_cryptoctx->id_p12_slot.slot != NULL) - crypto_close_p12_slot(id_cryptoctx); - if (id_cryptoctx->id_userdbs != NULL) - for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) - PK11_FreeSlot(id_cryptoctx->id_userdbs[i]->userdb); - if (id_cryptoctx->id_modules != NULL) { - for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) { - if (id_cryptoctx->id_modules[i]->module != NULL) - SECMOD_DestroyModule(id_cryptoctx->id_modules[i]->module); - } - } - if (id_cryptoctx->id_crls != NULL) - for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) - CERT_UncacheCRL(CERT_GetDefaultCertDB(), id_cryptoctx->id_crls[i]); - if (id_cryptoctx->pem_module != NULL) - SECMOD_DestroyModule(id_cryptoctx->pem_module); - PORT_FreeArena(id_cryptoctx->pool, PR_TRUE); -} - -static SECStatus -crypto_register_any(SECOidTag tag) -{ - if (NSS_CMSType_RegisterContentType(tag, - NULL, - 0, - NULL, - NULL, - NULL, - NULL, - NULL, - NULL, NULL, PR_TRUE) != SECSuccess) - return ENOMEM; - return 0; -} - -krb5_error_code -pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx) -{ - PLArenaPool *pool; - SECOidTag tag; - - pkiDebug("%s\n", __FUNCTION__); - pool = PORT_NewArena(sizeof(double)); - if (pool != NULL) { - *plg_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(**plg_cryptoctx)); - if (*plg_cryptoctx != NULL) { - (*plg_cryptoctx)->pool = pool; - (*plg_cryptoctx)->ncontext = NSS_InitContext(DEFAULT_CONFIGDIR, - NULL, - NULL, - NULL, - NULL, - NSS_INIT_READONLY | - NSS_INIT_NOCERTDB | - NSS_INIT_NOMODDB | - NSS_INIT_FORCEOPEN | - NSS_INIT_NOROOTINIT | - NSS_INIT_PK11RELOAD); - if ((*plg_cryptoctx)->ncontext != NULL) { - tag = get_pkinit_data_auth_data9_tag(); - if (crypto_register_any(tag) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - tag = get_pkinit_data_auth_data_tag(); - if (crypto_register_any(tag) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - tag = get_pkinit_data_rkey_data_tag(); - if (crypto_register_any(tag) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - tag = get_pkinit_data_dhkey_data_tag(); - if (crypto_register_any(tag) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - return 0; - } - } - PORT_FreeArena(pool, PR_TRUE); - } - return ENOMEM; -} - -void -pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx) -{ - pkiDebug("%s\n", __FUNCTION__); - if (plg_cryptoctx == NULL) - return; - if (NSS_ShutdownContext(plg_cryptoctx->ncontext) != SECSuccess) - pkiDebug("%s: error shutting down context\n", __FUNCTION__); - PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE); -} - -krb5_error_code -pkinit_init_req_crypto(pkinit_req_crypto_context *req_cryptoctx) -{ - PLArenaPool *pool; - - pkiDebug("%s\n", __FUNCTION__); - pool = PORT_NewArena(sizeof(double)); - if (pool != NULL) { - *req_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(**req_cryptoctx)); - if (*req_cryptoctx != NULL) { - (*req_cryptoctx)->pool = pool; - return 0; - } - PORT_FreeArena(pool, PR_TRUE); - } - return ENOMEM; -} - -void -pkinit_fini_req_crypto(pkinit_req_crypto_context req_cryptoctx) -{ - pkiDebug("%s\n", __FUNCTION__); - if (req_cryptoctx->client_dh_privkey != NULL) - SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); - if (req_cryptoctx->client_dh_pubkey != NULL) - SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); - if (req_cryptoctx->peer_cert != NULL) - CERT_DestroyCertificate(req_cryptoctx->peer_cert); - PORT_FreeArena(req_cryptoctx->pool, PR_TRUE); -} - -/* Duplicate the memory from the SECItem into a malloc()d buffer. */ -static int -secitem_to_buf_len(SECItem *item, unsigned char **out, unsigned int *len) -{ - *out = malloc(item->len); - if (*out == NULL) - return ENOMEM; - memcpy(*out, item->data, item->len); - *len = item->len; - return 0; -} - -/* Encode the raw buffer as an unsigned integer. If the first byte in the - * buffer has its high bit set, we need to prepend a zero byte to make sure it - * isn't treated as a negative value. */ -static int -secitem_to_dh_pubval(SECItem *item, unsigned char **out, unsigned int *len) -{ - PLArenaPool *pool; - SECItem *uval, uinteger; - int i; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - if (item->data[0] & 0x80) { - uval = SECITEM_AllocItem(pool, NULL, item->len + 1); - if (uval == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - uval->data[0] = '\0'; - memcpy(uval->data + 1, item->data, item->len); - } else { - uval = item; - } - - memset(&uinteger, 0, sizeof(uinteger)); - if (SEC_ASN1EncodeItem(pool, &uinteger, uval, - SEC_ASN1_GET(SEC_IntegerTemplate)) != &uinteger) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - i = secitem_to_buf_len(&uinteger, out, len); - - PORT_FreeArena(pool, PR_TRUE); - return i; -} - -/* Decode a DER unsigned integer, and return just the bits that make up that - * integer. */ -static int -secitem_from_dh_pubval(PLArenaPool *pool, - unsigned char *dh_pubkey, unsigned int dh_pubkey_len, - SECItem *bits_out) -{ - SECItem tmp; - - tmp.data = dh_pubkey; - tmp.len = dh_pubkey_len; - memset(bits_out, 0, sizeof(*bits_out)); - if (SEC_ASN1DecodeItem(pool, bits_out, - SEC_ASN1_GET(SEC_IntegerTemplate), - &tmp) != SECSuccess) - return ENOMEM; - return 0; -} - -/* Load the contents of a file into a SECitem. If it looks like a PEM-wrapped - * item, maybe try to undo the base64 encoding. */ -enum secitem_from_file_type { - secitem_from_file_plain, - secitem_from_file_decode -}; -static int -secitem_from_file(PLArenaPool *pool, const char *filename, - enum secitem_from_file_type secitem_from_file_type, - SECItem *item_out) -{ - SECItem tmp, *decoded; - struct stat st; - int fd, i, n; - const char *encoded, *p; - char *what, *q; - - memset(item_out, 0, sizeof(*item_out)); - fd = open(filename, O_RDONLY); - if (fd == -1) - return errno; - if (fstat(fd, &st) == -1) { - i = errno; - close(fd); - return i; - } - memset(&tmp, 0, sizeof(tmp)); - tmp.data = PORT_ArenaZAlloc(pool, st.st_size + 1); - if (tmp.data == NULL) { - close(fd); - return ENOMEM; - } - n = 0; - while (n < st.st_size) { - i = read(fd, tmp.data + n, st.st_size - n); - if (i <= 0) - break; - n += i; - } - close(fd); - if (n < st.st_size) - return ENOMEM; - tmp.data[n] = '\0'; - tmp.len = n; - encoded = (const char *) tmp.data; - if ((secitem_from_file_type == secitem_from_file_decode) && - (tmp.len > 11) && - ((strncmp(encoded, "-----BEGIN ", 11) == 0) || - ((encoded = strstr((char *)tmp.data, "\n-----BEGIN")) != NULL))) { - if (encoded[0] == '\n') - encoded++; - /* find the beginning of the next line */ - p = encoded; - p += strcspn(p, "\r\n"); - p += strspn(p, "\r\n"); - q = NULL; - what = PORT_ArenaZAlloc(pool, p - (encoded + 2) + 1); - if (what != NULL) { - /* construct the matching end-of-item and look for it */ - memcpy(what, "-----END ", 9); - memcpy(what + 9, encoded + 11, p - (encoded + 11)); - what[p - (encoded + 2)] = '\0'; - q = strstr(p, what); - } - if (q != NULL) { - *q = '\0'; - decoded = NSSBase64_DecodeBuffer(pool, NULL, p, q - p); - if (decoded != NULL) - tmp = *decoded; - } - } - *item_out = tmp; - return 0; -} - -static struct oakley_group -{ - int identifier; - int bits; /* shortest prime first, so that a - * sequential search for a set with a - * length that exceeds the minimum will - * find the entry with the shortest - * suitable prime */ - char name[32]; - char prime[4096]; /* large enough to hold that prime */ - long generator; /* note: oakley_parse_group() assumes that this - * number fits into a long */ - char subprime[4096]; /* large enough to hold its subprime - * ((p-1)/2) */ -} oakley_groups[] = { - { - 1, 768, - "Oakley MODP Group 1", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31D1B10 7FFFFFFF FFFFFFFF", - }, - { - 2, 1024, - "Oakley MODP Group 2", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" - "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381" - "FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6" - "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F67329C0" - "FFFFFFFF FFFFFFFF", - }, - { - 5, 1536, - "Oakley MODP Group 5", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" - "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" - "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" - "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" - "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6" - "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E" - "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF" - "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36" - "B3861AA7 255E4C02 78BA3604 6511B993 FFFFFFFF FFFFFFFF", - }, - { - 14, 2048, - "Oakley MODP Group 14", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" - "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" - "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" - "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" - "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" - "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" - "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" - "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6" - "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E" - "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF" - "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36" - "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D" - "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964" - "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288" - "0AB9472D 45565534 7FFFFFFF FFFFFFFF", - }, - { - 15, 3072, - "Oakley MODP Group 15", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" - "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" - "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" - "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" - "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" - "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" - "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" - "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" - "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" - "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" - "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" - "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" - "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6" - "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E" - "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF" - "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36" - "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D" - "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964" - "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288" - "0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32" - "767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263" - "D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735" - "F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006" - "5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598" - "A1EDADFE 707E8847 25C16890 549D6965 7FFFFFFF FFFFFFFF", - }, - { - 16, 4096, - "Oakley MODP Group 16", - "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" - "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" - "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" - "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" - "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" - "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" - "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" - "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" - "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" - "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" - "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" - "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" - "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" - "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" - "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" - "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" - "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" - "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" - "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" - "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" - "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" - "FFFFFFFF FFFFFFFF", - 2, - "7FFFFFFF FFFFFFFF E487ED51 10B4611A 62633145 C06E0E68" - "94812704 4533E63A 0105DF53 1D89CD91 28A5043C C71A026E" - "F7CA8CD9 E69D218D 98158536 F92F8A1B A7F09AB6 B6A8E122" - "F242DABB 312F3F63 7A262174 D31BF6B5 85FFAE5B 7A035BF6" - "F71C35FD AD44CFD2 D74F9208 BE258FF3 24943328 F6722D9E" - "E1003E5C 50B1DF82 CC6D241B 0E2AE9CD 348B1FD4 7E9267AF" - "C1B2AE91 EE51D6CB 0E3179AB 1042A95D CF6A9483 B84B4B36" - "B3861AA7 255E4C02 78BA3604 650C10BE 19482F23 171B671D" - "F1CF3B96 0C074301 CD93C1D1 7603D147 DAE2AEF8 37A62964" - "EF15E5FB 4AAC0B8C 1CCAA4BE 754AB572 8AE9130C 4C7D0288" - "0AB9472D 45556216 D6998B86 82283D19 D42A90D5 EF8E5D32" - "767DC282 2C6DF785 457538AB AE83063E D9CB87C2 D370F263" - "D5FAD746 6D8499EB 8F464A70 2512B0CE E771E913 0D697735" - "F897FD03 6CC50432 6C3B0139 9F643532 290F958C 0BBD9006" - "5DF08BAB BD30AEB6 3B84C460 5D6CA371 047127D0 3A72D598" - "A1EDADFE 707E8847 25C16890 54908400 8D391E09 53C3F36B" - "C438CD08 5EDD2D93 4CE1938C 357A711E 0D4A341A 5B0A85ED" - "12C1F4E5 156A2674 6DDDE16D 826F477C 97477E0A 0FDF6553" - "143E2CA3 A735E02E CCD94B27 D04861D1 119DD0C3 28ADF3F6" - "8FB094B8 67716BD7 DC0DEEBB 10B8240E 68034893 EAD82D54" - "C9DA754C 46C7EEE0 C37FDBEE 48536047 A6FA1AE4 9A0318CC" - "FFFFFFFF FFFFFFFF", - } -}; - -/* Convert a string of hexadecimal characters to a binary integer. */ -static SECItem * -hex_to_secitem(const char *hex, SECItem *item) -{ - int count, i; - unsigned int j; - unsigned char c, acc; - - j = 0; - c = hex[0]; - /* If the high bit would be set, prepend a zero byte to keep the result - * from being negative. */ - if ((c == '8') || - (c == '9') || - ((c >= 'a') && (c <= 'f')) || ((c >= 'A') && (c <= 'F'))) { - item->data[j] = 0; - j++; - } - count = 0; - acc = 0; - for (i = 0; hex[i] != '\0'; i++) { - if ((count % 2) == 0) - acc = 0; - c = hex[i]; - if ((c >= '0') && (c <= '9')) - acc = (acc << 4) | (c - '0'); - else if ((c >= 'a') && (c <= 'f')) - acc = (acc << 4) | (c - 'a' + 10); - else if ((c >= 'A') && (c <= 'F')) - acc = (acc << 4) | (c - 'A' + 10); - else - continue; - count++; - if ((count % 2) == 0) { - item->data[j] = acc & 0xff; - acc = 0; - j++; - } - if (j >= item->len) { - /* overrun */ - return NULL; - break; - } - } - if (hex[i] != '\0') /* unused bytes? */ - return NULL; - item->len = j; - return item; -} - -static int -oakley_parse_group(PLArenaPool *pool, struct oakley_group *group, - struct domain_parameters **domain_params_out) -{ - unsigned int bytes; - struct domain_parameters *params; - SECItem *t; - - params = PORT_ArenaZAlloc(pool, sizeof(*params)); - if (params == NULL) - return ENOMEM; - - /* Allocate more memory than we'll probably need. */ - bytes = group->bits; - - /* Encode the prime (p). */ - t = SECITEM_AllocItem(pool, NULL, bytes); - if (t == NULL) - return ENOMEM; - if (hex_to_secitem(group->prime, t) != t) - return ENOMEM; - params->p = *t; - /* Encode the generator. */ - if (SEC_ASN1EncodeInteger(pool, ¶ms->g, - group->generator) != ¶ms->g) - return ENOMEM; - /* Encode the subprime. */ - t = SECITEM_AllocItem(pool, NULL, bytes); - if (t == NULL) - return ENOMEM; - if (hex_to_secitem(group->subprime, t) != t) - return ENOMEM; - params->q = *t; - *domain_params_out = params; - return 0; -} - -static struct domain_parameters * -oakley_get_group(PLArenaPool *pool, int minimum_prime_size) -{ - unsigned int i; - struct domain_parameters *params; - - params = PORT_ArenaZAlloc(pool, sizeof(*params)); - if (params == NULL) - return NULL; - for (i = 0; i < sizeof(oakley_groups) / sizeof(oakley_groups[0]); i++) - if (oakley_groups[i].bits >= minimum_prime_size) - if (oakley_parse_group(pool, &oakley_groups[i], ¶ms) == 0) - return params; - return NULL; -} - -/* Create DH parameters to be sent to the KDC. On success, dh_params should - * contain an encoded DomainParameters structure (per RFC3280, the "parameters" - * in an AlgorithmIdentifier), and dh_pubkey should contain the public value - * we're prepared to send to the KDC, encoded as an integer (per RFC3280, the - * "subjectPublicKey" field of a SubjectPublicKeyInfo -- the integer is wrapped - * up into a bitstring elsewhere). */ -krb5_error_code -client_create_dh(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int dh_size_bits, - unsigned char **dh_params, - unsigned int *dh_params_len, - unsigned char **dh_pubkey, unsigned int *dh_pubkey_len) -{ - PLArenaPool *pool; - PK11SlotInfo *slot; - SECKEYPrivateKey *priv; - SECKEYPublicKey *pub; - SECKEYDHParams dh_param; - struct domain_parameters *params; - SECItem encoded; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - memset(¶ms, 0, sizeof(params)); - - /* Find suitable domain parameters. */ - params = oakley_get_group(pool, dh_size_bits); - if (params == NULL) { - pkiDebug("%s: error finding suitable parameters\n", __FUNCTION__); - return ENOENT; - } - - /* Set up to generate the public key. */ - memset(&dh_param, 0, sizeof(dh_param)); - dh_param.arena = pool; - dh_param.prime = params->p; - dh_param.base = params->g; - - /* Generate a public value and a private key. */ - slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (slot == NULL) { - PORT_FreeArena(pool, PR_TRUE); - pkiDebug("%s: error selecting slot\n", __FUNCTION__); - return ENOMEM; - } - pub = NULL; - priv = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, - &dh_param, &pub, PR_FALSE, PR_FALSE, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - - /* Finish building the return values. */ - memset(&encoded, 0, sizeof(encoded)); - if (SEC_ASN1EncodeItem(pool, &encoded, params, - domain_parameters_template) != &encoded) { - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - pkiDebug("%s: error encoding parameters\n", __FUNCTION__); - return ENOMEM; - } - - /* Export the return values. */ - if (secitem_to_buf_len(&encoded, dh_params, dh_params_len) != 0) { - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (secitem_to_dh_pubval(&pub->u.dh.publicValue, dh_pubkey, - dh_pubkey_len) != 0) { - free(*dh_params); - *dh_params = NULL; - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Save our private and public keys for reuse later. */ - if (req_cryptoctx->client_dh_privkey != NULL) - SECKEY_DestroyPrivateKey(req_cryptoctx->client_dh_privkey); - req_cryptoctx->client_dh_privkey = priv; - if (req_cryptoctx->client_dh_pubkey != NULL) - SECKEY_DestroyPublicKey(req_cryptoctx->client_dh_pubkey); - req_cryptoctx->client_dh_pubkey = pub; - - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return 0; -} - -/* Combine the KDC's public key value with our copy of the parameters and our - * secret key to generate the session key. */ -krb5_error_code -client_process_dh(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - unsigned char *dh_pubkey, - unsigned int dh_pubkey_len, - unsigned char **dh_session_key, - unsigned int *dh_session_key_len) -{ - PLArenaPool *pool; - PK11SlotInfo *slot; - SECKEYPublicKey *pub, pub2; - PK11SymKey *sym; - SECItem *bits; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - /* Rebuild the KDC's public key using our parameters and the supplied - * public value (subjectPublicKey). */ - pub = SECKEY_CopyPublicKey(req_cryptoctx->client_dh_pubkey); - if (pub == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - pub2 = *pub; - if (secitem_from_dh_pubval(pool, dh_pubkey, dh_pubkey_len, - &pub2.u.dh.publicValue) != 0) { - SECKEY_DestroyPublicKey(pub); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Generate the shared value using our private key and the KDC's - * public key. */ - slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (slot == NULL) { - SECKEY_DestroyPublicKey(pub); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - sym = PK11_PubDerive(req_cryptoctx->client_dh_privkey, &pub2, PR_FALSE, - NULL, NULL, - CKM_DH_PKCS_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, - CKA_DERIVE, - 0, crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (sym == NULL) { - PK11_FreeSlot(slot); - SECKEY_DestroyPublicKey(pub); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Export the shared value. */ - if ((PK11_ExtractKeyValue(sym) != SECSuccess) || - ((bits = PK11_GetKeyData(sym)) == NULL) || - (secitem_to_buf_len(bits, dh_session_key, dh_session_key_len) != 0)) { - PK11_FreeSymKey(sym); - PK11_FreeSlot(slot); - SECKEY_DestroyPublicKey(pub); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - PK11_FreeSymKey(sym); - PK11_FreeSlot(slot); - SECKEY_DestroyPublicKey(pub); - PORT_FreeArena(pool, PR_TRUE); - return 0; -} - -/* Given a binary-encoded integer, count the number of bits. */ -static int -get_integer_bits(SECItem *integer) -{ - unsigned int i; - unsigned char c; - int size = 0; - - for (i = 0; i < integer->len; i++) { - c = integer->data[i]; - if (c != 0) { - size = (integer->len - i - 1) * 8; - while (c != 0) { - c >>= 1; - size++; - } - break; - } - } - return size; -} - -/* Verify that the client-supplied parameters include a prime of sufficient - * size. */ -krb5_error_code -server_check_dh(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_data *dh_params, int minbits) -{ - PLArenaPool *pool; - SECItem item; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - item.data = (unsigned char *)dh_params->data; - item.len = dh_params->length; - memset(&req_cryptoctx->client_dh_params, 0, - sizeof(req_cryptoctx->client_dh_params)); - if (SEC_ASN1DecodeItem(req_cryptoctx->pool, - &req_cryptoctx->client_dh_params, - domain_parameters_template, &item) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - if (get_integer_bits(&req_cryptoctx->client_dh_params.p) < minbits) { - PORT_FreeArena(pool, PR_TRUE); - return KRB5KDC_ERR_DH_KEY_PARAMETERS_NOT_ACCEPTED; - } - - PORT_FreeArena(pool, PR_TRUE); - return 0; -} - -/* Take apart the client-supplied SubjectPublicKeyInfo, which contains both an - * encoded DomainParameters structure (per RFC3279), and a public value, and - * generate our own private key and public value using the supplied parameters. - * Use our private key and the client's public value to derive the session key, - * and hand our public value and the session key back to our caller. */ -krb5_error_code -server_process_dh(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - unsigned char *received_pubkey, - unsigned int received_pub_len, - unsigned char **dh_pubkey, - unsigned int *dh_pubkey_len, - unsigned char **server_key, - unsigned int *server_key_len) -{ - PLArenaPool *pool; - SECKEYPrivateKey *priv; - SECKEYPublicKey *pub, pub2; - SECKEYDHParams dh_params; - PK11SymKey *sym; - SECItem pubval, *bits; - PK11SlotInfo *slot; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - /* Store the client's public value. */ - pubval.data = received_pubkey; - pubval.len = received_pub_len; - - /* Set up DH parameters the using client's domain parameters. */ - memset(&dh_params, 0, sizeof(dh_params)); - dh_params.arena = pool; - dh_params.prime = req_cryptoctx->client_dh_params.p; - dh_params.base = req_cryptoctx->client_dh_params.g; - - /* Generate a public value and a private key using the parameters. */ - slot = PK11_GetBestSlot(CKM_DH_PKCS_KEY_PAIR_GEN, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (slot == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - pub = NULL; - priv = PK11_GenerateKeyPair(slot, CKM_DH_PKCS_KEY_PAIR_GEN, - &dh_params, &pub, PR_FALSE, PR_FALSE, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (priv == NULL) { - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Build the client's public key using the client's parameters and - * public value. */ - pub2 = *pub; - if (SEC_ASN1DecodeItem(pool, &pub2.u.dh.publicValue, - SEC_ASN1_GET(SEC_IntegerTemplate), - &pubval) != SECSuccess) { - SECKEY_DestroyPrivateKey(priv); - SECKEY_DestroyPublicKey(pub); - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Generate the shared value using our private key and the client's - * public key. */ - sym = PK11_PubDerive(priv, &pub2, PR_FALSE, - NULL, NULL, - CKM_DH_PKCS_DERIVE, - CKM_TLS_MASTER_KEY_DERIVE_DH, - CKA_DERIVE, - 0, crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (sym == NULL) { - SECKEY_DestroyPrivateKey(priv); - SECKEY_DestroyPublicKey(pub); - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Export the shared value for our use and our public value for - * transmission back to the client. */ - *server_key = NULL; - *dh_pubkey = NULL; - if ((PK11_ExtractKeyValue(sym) != SECSuccess) || - ((bits = PK11_GetKeyData(sym)) == NULL) || - (secitem_to_buf_len(bits, server_key, server_key_len) != 0) || - (secitem_to_dh_pubval(&pub->u.dh.publicValue, - dh_pubkey, dh_pubkey_len) != 0)) { - free(*server_key); - free(*dh_pubkey); - PK11_FreeSymKey(sym); - SECKEY_DestroyPrivateKey(priv); - SECKEY_DestroyPublicKey(pub); - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - PK11_FreeSymKey(sym); - SECKEY_DestroyPrivateKey(priv); - SECKEY_DestroyPublicKey(pub); - PK11_FreeSlot(slot); - PORT_FreeArena(pool, PR_TRUE); - return 0; -} - -/* Create the issuer-and-serial portion of an external principal identifier for - * a KDC's cert that we already have. */ -krb5_error_code -create_issuerAndSerial(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - unsigned char **kdcId_buf, unsigned int *kdcId_len) -{ - PLArenaPool *pool; - struct issuer_and_serial_number isn; - SECItem item; - - /* Check if we have a peer cert. If we don't have one, that's okay. */ - if (req_cryptoctx->peer_cert == NULL) - return 0; - - /* Scratch arena. */ - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - /* Encode the peer's issuer/serial. */ - isn.issuer = req_cryptoctx->peer_cert->derIssuer; - isn.serial = req_cryptoctx->peer_cert->serialNumber; - memset(&item, 0, sizeof(item)); - if (SEC_ASN1EncodeItem(id_cryptoctx->id_cert->arena, &item, &isn, - issuer_and_serial_number_template) != &item) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Export the value. */ - if (secitem_to_buf_len(&item, kdcId_buf, kdcId_len) != 0) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - PORT_FreeArena(pool, PR_TRUE); - return 0; -} - -/* Populate a list of AlgorithmIdentifier structures with the OIDs of the key - * wrap algorithms that we support. */ -static void -free_n_algorithm_identifiers(krb5_algorithm_identifier **ids, int i) -{ - while (i >= 0) { - free(ids[i]->algorithm.data); - free(ids[i]); - i--; - } - free(ids); -} - -krb5_error_code -create_krb5_supportedCMSTypes(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_algorithm_identifier ***supportedCMSTypes) -{ - SECOidData *oid; - SECOidTag oids[] = { - SEC_OID_CMS_3DES_KEY_WRAP, /* no parameters */ - SEC_OID_AES_128_KEY_WRAP, /* no parameters */ - SEC_OID_AES_192_KEY_WRAP, /* no parameters */ - SEC_OID_AES_256_KEY_WRAP, /* no parameters */ - /* RC2 key wrap requires parameters, so skip it */ - }; - krb5_algorithm_identifier **ids, *id; - unsigned int i; - - ids = malloc(sizeof(id) * ((sizeof(oids) / sizeof(oids[0])) + 1)); - if (ids == NULL) - return ENOMEM; - - for (i = 0; i < (sizeof(oids) / sizeof(oids[0])); i++) { - id = malloc(sizeof(*id)); - if (id == NULL) { - free_n_algorithm_identifiers(ids, i - 1); - return ENOMEM; - } - memset(id, 0, sizeof(*id)); - ids[i] = id; - oid = SECOID_FindOIDByTag(oids[i]); - if (secitem_to_buf_len(&oid->oid, - (unsigned char **)&id->algorithm.data, - &id->algorithm.length) != 0) { - free(ids[i]); - free_n_algorithm_identifiers(ids, i - 1); - return ENOMEM; - } - } - ids[i] = NULL; - *supportedCMSTypes = ids; - return 0; -} - -/* Populate a list of trusted certifiers with the list of the root certificates - * that we trust. */ -static void -free_n_principal_identifiers(krb5_external_principal_identifier **ids, int i) -{ - while (i >= 0) { - free(ids[i]->subjectKeyIdentifier.data); - free(ids[i]->issuerAndSerialNumber.data); - free(ids[i]->subjectName.data); - free(ids[i]); - i--; - } - free(ids); -} - -krb5_error_code -create_krb5_trustedCertifiers(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_external_principal_identifier *** - trustedCertifiers) -{ - CERTCertListNode *node; - krb5_external_principal_identifier **ids, *id; - unsigned int i, n; - - *trustedCertifiers = NULL; - - /* Count the root certs. */ - n = 0; - if (!CERT_LIST_EMPTY(id_cryptoctx->ca_certs)) { - for (n = 0, node = CERT_LIST_HEAD(id_cryptoctx->ca_certs); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, id_cryptoctx->ca_certs); - node = CERT_LIST_NEXT(node)) { - n++; - } - } - - /* Build the result list. */ - if (n > 0) { - ids = malloc((n + 1) * sizeof(id)); - if (ids == NULL) - return ENOMEM; - node = CERT_LIST_HEAD(id_cryptoctx->ca_certs); - for (i = 0; i < n; i++) { - id = malloc(sizeof(*id)); - if (id == NULL) { - free_n_principal_identifiers(ids, i - 1); - return ENOMEM; - } - memset(id, 0, sizeof(*id)); - /* Use the certificate's subject key ID iff it's - * actually in the certificate. Allocate the memory - * from the heap because it'll be freed by other parts - * of the pkinit module. */ - if ((node->cert->keyIDGenerated ? - secitem_to_buf_len(&node->cert->derSubject, - (unsigned char **) - &id->subjectName.data, - &id->subjectName.length) : - secitem_to_buf_len(&node->cert->subjectKeyID, - (unsigned char **) - &id->subjectKeyIdentifier.data, - &id->subjectKeyIdentifier.length)) != 0) { - /* Free the earlier items. */ - free(ids[i]); - free_n_principal_identifiers(ids, i - 1); - return ENOMEM; - } - ids[i] = id; - node = CERT_LIST_NEXT(node); - } - ids[i] = NULL; - *trustedCertifiers = ids; - } - return 0; -} - -/* Add a certificate to a list if it isn't already in the list. Since the list - * would take ownership of the cert if we added it to the list, if it's already - * in the list, delete this reference to it. */ -static SECStatus -cert_maybe_add_to_list(CERTCertList *list, CERTCertificate *cert) -{ - CERTCertListNode *node; - - for (node = CERT_LIST_HEAD(list); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, list); - node = CERT_LIST_NEXT(node)) { - if (SECITEM_ItemsAreEqual(&node->cert->derCert, &cert->derCert)) { - /* Don't add the duplicate. */ - CERT_DestroyCertificate(cert); - return SECSuccess; - } - } - return CERT_AddCertToListTail(list, cert); -} - -/* Load CA certificates from the slot. */ -static SECStatus -cert_load_ca_certs_from_slot(krb5_context context, - pkinit_identity_crypto_context id, - PK11SlotInfo *slot, - const char *identity) -{ - CERTCertificate *cert; - CERTCertList *list; - CERTCertListNode *node; - CERTCertTrust trust; - SECStatus status; - - /* Log in if the slot requires it. */ - PK11_TokenRefresh(slot); - if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id, identity, context)) && - PK11_NeedLogin(slot)) { - pkiDebug("%s: logging in to token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - if (PK11_Authenticate(slot, PR_TRUE, - crypto_pwcb_prep(id, identity, - context)) != SECSuccess) { - pkiDebug("%s: error logging into \"%s\": %s, skipping\n", - __FUNCTION__, PK11_GetTokenName(slot), - PORT_ErrorToName(PORT_GetError())); - return SECFailure; - } - } - /* Get the list of certs from the slot. */ - list = PK11_ListCertsInSlot(slot); - if (list == NULL) { - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - return SECSuccess; - } - if (CERT_LIST_EMPTY(list)) { - CERT_DestroyCertList(list); - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - return SECSuccess; - } - /* Walk the list of certs, and for each one that's a CA, add - * it to our CA cert list. */ - status = SECSuccess; - for (node = CERT_LIST_HEAD(list); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, list); - node = CERT_LIST_NEXT(node)) { -#if 0 - /* Skip it if it's not a root. */ - if (!node->cert->isRoot) { - continue; - } -#endif - /* Skip it if we don't trust it to issue certificates. */ - if (CERT_GetCertTrust(node->cert, &trust) != SECSuccess) - continue; - if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) & - (CERTDB_TRUSTED_CA | - CERTDB_TRUSTED_CLIENT_CA | CERTDB_NS_TRUSTED_CA)) == 0) - continue; - /* DestroyCertList frees all of the certs in the list, - * so we need to create a copy that we can own. */ - cert = CERT_DupCertificate(node->cert); - /* Add it to the list. */ - if (cert_maybe_add_to_list(id->ca_certs, cert) != SECSuccess) - status = SECFailure; - } - CERT_DestroyCertList(list); - return status; -} - -/* Load certificates for which we have private keys from the slot. */ -static int -cert_load_certs_with_keys_from_slot(krb5_context context, - pkinit_identity_crypto_context - id_cryptoctx, - PK11SlotInfo *slot, - const char *cert_label, - const char *cert_id, - const char *identity) -{ - CERTCertificate *cert; - CERTCertList *clist; - CERTCertListNode *cnode; - SECKEYPrivateKey *key; - int status; - - /* Log in if the slot requires it. */ - PK11_TokenRefresh(slot); - if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, identity, - context)) && - PK11_NeedLogin(slot)) { - pkiDebug("%s: logging in to token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - if (PK11_Authenticate(slot, PR_TRUE, - crypto_pwcb_prep(id_cryptoctx, identity, - context)) != SECSuccess) { - pkiDebug("%s: error logging into \"%s\": %s, skipping\n", - __FUNCTION__, PK11_GetTokenName(slot), - PORT_ErrorToName(PORT_GetError())); - return id_cryptoctx->defer_id_prompt ? 0 : ENOMEM; - } - } - /* Get the list of certs from the slot. */ - clist = PK11_ListCertsInSlot(slot); - if (clist == NULL) { - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - return 0; - } - if (CERT_LIST_EMPTY(clist)) { - CERT_DestroyCertList(clist); - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - return 0; - } - /* Walk the list of certs, and for each one for which we can - * find the matching private key, add it and the keys to the - * lists. */ - status = 0; - for (cnode = CERT_LIST_HEAD(clist); - (cnode != NULL) && - (cnode->cert != NULL) && - !CERT_LIST_END(cnode, clist); - cnode = CERT_LIST_NEXT(cnode)) { - if (cnode->cert->nickname != NULL) { - if ((cert_label != NULL) && (cert_id != NULL)) { - if ((strcmp(cert_id, cnode->cert->nickname) != 0) && - (strcmp(cert_label, cnode->cert->nickname) != 0)) - continue; - } else if (cert_label != NULL) { - if (strcmp(cert_label, cnode->cert->nickname) != 0) - continue; - } else if (cert_id != NULL) { - if (strcmp(cert_id, cnode->cert->nickname) != 0) - continue; - } - } - key = PK11_FindPrivateKeyFromCert(slot, cnode->cert, - crypto_pwcb_prep(id_cryptoctx, - identity, context)); - if (key == NULL) { - pkiDebug("%s: no key for \"%s\", skipping it\n", - __FUNCTION__, - cnode->cert->nickname ? - cnode->cert->nickname : "(no name)"); - continue; - } - pkiDebug("%s: found \"%s\" and its matching key\n", - __FUNCTION__, - cnode->cert->nickname ? cnode->cert->nickname : "(no name)"); - /* DestroyCertList frees all of the certs in the list, - * so we need to create a copy that it can own. */ - cert = CERT_DupCertificate(cnode->cert); - if (cert_maybe_add_to_list(id_cryptoctx->id_certs, - cert) != SECSuccess) - status = ENOMEM; - /* We don't need this reference to the key. */ - SECKEY_DestroyPrivateKey(key); - } - CERT_DestroyCertList(clist); - return status; -} - -/* - * Reassemble the identity as it was supplied by the user or the library - * configuration. - */ -static char * -reassemble_pkcs11_name(PLArenaPool *pool, pkinit_identity_opts *idopts) -{ - struct k5buf buf; - int n = 0; - char *ret; - - k5_buf_init_dynamic(&buf); - k5_buf_add(&buf, "PKCS11:"); - n = 0; - if (idopts->p11_module_name != NULL) { - k5_buf_add_fmt(&buf, "%smodule_name=%s", n++ ? ":" : "", - idopts->p11_module_name); - } - if (idopts->token_label != NULL) { - k5_buf_add_fmt(&buf, "%stoken=%s", n++ ? ":" : "", - idopts->token_label); - } - if (idopts->cert_label != NULL) { - k5_buf_add_fmt(&buf, "%scertlabel=%s", n++ ? ":" : "", - idopts->cert_label); - } - if (idopts->cert_id_string != NULL) { - k5_buf_add_fmt(&buf, "%scertid=%s", n++ ? ":" : "", - idopts->cert_id_string); - } - if (idopts->slotid != PK_NOSLOT) { - k5_buf_add_fmt(&buf, "%sslotid=%ld", n++ ? ":" : "", - (long)idopts->slotid); - } - if (k5_buf_status(&buf) == 0) - ret = PORT_ArenaStrdup(pool, buf.data); - else - ret = NULL; - k5_buf_free(&buf); - return ret; -} - -/* - * Assemble an identity string that will distinguish this token from any other - * that is accessible through the same module, even if the user didn't specify - * a token name. - */ -static char * -reassemble_pkcs11_identity(PLArenaPool *pool, pkinit_identity_opts *idopts, - long slotid, const char *tokenname) -{ - struct k5buf buf; - int n = 0; - char *ret; - - k5_buf_init_dynamic(&buf); - k5_buf_add(&buf, "PKCS11:"); - n = 0; - if (idopts->p11_module_name != NULL) { - k5_buf_add_fmt(&buf, "%smodule_name=%s", - n++ ? ":" : "", - idopts->p11_module_name); - } - - if (slotid != PK_NOSLOT) - k5_buf_add_fmt(&buf, "%sslotid=%ld", n++ ? ":" : "", slotid); - - if (tokenname != NULL) - k5_buf_add_fmt(&buf, "%stoken=%s", n++ ? ":" : "", tokenname); - - if (k5_buf_status(&buf) == 0) - ret = PORT_ArenaStrdup(pool, buf.data); - else - ret = NULL; - k5_buf_free(&buf); - - return ret; -} - -static SECStatus -crypto_load_pkcs11(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_opts *idopts, - pkinit_identity_crypto_context id_cryptoctx) -{ - struct _pkinit_identity_crypto_module **id_modules, *module; - PK11SlotInfo *slot; - CK_TOKEN_INFO tinfo; - char *spec, *identity; - size_t spec_size; - const char *tokenname; - SECStatus status; - int i, j; - - if (idopts == NULL) - return SECFailure; - - /* If no module is specified, use the default module from pkinit.h. */ - if (idopts->p11_module_name == NULL) { - idopts->p11_module_name = strdup(PKCS11_MODNAME); - if (idopts->p11_module_name == NULL) - return SECFailure; - } - - /* Build the module spec. */ - spec_size = strlen("library=''") + strlen(idopts->p11_module_name) * 2 + 1; - spec = PORT_ArenaZAlloc(id_cryptoctx->pool, spec_size); - if (spec == NULL) - return SECFailure; - strlcpy(spec, "library=\"", spec_size); - j = strlen(spec); - for (i = 0; idopts->p11_module_name[i] != '\0'; i++) { - if (strchr("\"", idopts->p11_module_name[i]) != NULL) - spec[j++] = '\\'; - spec[j++] = idopts->p11_module_name[i]; - } - spec[j++] = '\0'; - strlcat(spec, "\"", spec_size); - - /* Count the number of modules we've already loaded. */ - if (id_cryptoctx->id_modules != NULL) { - for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) - continue; - } else { - i = 0; - } - - /* Allocate a bigger list. */ - id_modules = PORT_ArenaZAlloc(id_cryptoctx->pool, - sizeof(id_modules[0]) * (i + 2)); - if (id_modules == NULL) - return SECFailure; - for (j = 0; j < i; j++) - id_modules[j] = id_cryptoctx->id_modules[j]; - - /* Actually load the module, or just ref an already-loaded copy. */ - module = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*module)); - if (module == NULL) - return SECFailure; - module->name = reassemble_pkcs11_name(id_cryptoctx->pool, idopts); - if (module->name == NULL) - return SECFailure; - module->spec = spec; - for (j = 0; j < i; j++) { - if (strcmp(module->spec, id_modules[j]->spec) == 0) - break; - } - if (j < i) - module->module = SECMOD_ReferenceModule(id_modules[j]->module); - else - module->module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE); - if (module->module == NULL) { - pkiDebug("%s: error loading PKCS11 module \"%s\"", - __FUNCTION__, idopts->p11_module_name); - return SECFailure; - } - if (!module->module->loaded) { - pkiDebug("%s: error really loading PKCS11 module \"%s\"", - __FUNCTION__, idopts->p11_module_name); - SECMOD_DestroyModule(module->module); - module->module = NULL; - return SECFailure; - } - SECMOD_UpdateSlotList(module->module); - pkiDebug("%s: loaded PKCS11 module \"%s\"\n", __FUNCTION__, - idopts->p11_module_name); - - /* Add us to the list and set the new list. */ - id_modules[j++] = module; - id_modules[j] = NULL; - id_cryptoctx->id_modules = id_modules; - - /* Walk the list of slots in the module. */ - status = SECFailure; - for (i = 0; - (i < module->module->slotCount) && - ((slot = module->module->slots[i]) != NULL); - i++) { - PK11_TokenRefresh(slot); - if (idopts->slotid != PK_NOSLOT) { - if (idopts->slotid != PK11_GetSlotID(slot)) - continue; - } - tokenname = PK11_GetTokenName(slot); - if (tokenname == NULL || strlen(tokenname) == 0) - continue; - /* If we're looking for a specific token, and this isn't it, go on. */ - if (idopts->token_label != NULL) { - if (strcmp(idopts->cert_label, tokenname) != 0) - continue; - } - /* Assemble a useful identity string, in case of an incomplete one. */ - identity = reassemble_pkcs11_identity(id_cryptoctx->pool, idopts, - (long)PK11_GetSlotID(slot), - tokenname); - /* - * Skip past all of the loading-certificates-and-keys logic, pick up - * the token flags, and call it done for now. - */ - if (id_cryptoctx->defer_id_prompt) { - if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, identity, - context)) && - PK11_NeedLogin(slot)) { - pkiDebug("%s: reading flags for token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - if (PK11_GetTokenInfo(slot, &tinfo) == SECSuccess) { - pkinit_set_deferred_id(&id_cryptoctx->deferred_ids, - identity, tinfo.flags, NULL); - } - } - return SECSuccess; - } - if (!PK11_IsPresent(slot)) - continue; - /* Load private keys and their certs from this token. */ - if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, - slot, idopts->cert_label, - idopts->cert_id_string, - identity) == 0) - status = SECSuccess; - /* If no label was specified, then we've looked at a token, so we're - * done. */ - if (idopts->token_label == NULL) - break; - } - - return status; -} - -/* Return the slot which we'll use for holding PEM items. Open the module if - * we need to, first. */ -static PK11SlotInfo * -crypto_get_pem_slot(struct _pkinit_identity_crypto_context *id) -{ - PK11SlotInfo *slot; - char *pem_module_name, *spec; - size_t spec_size; - - if (id->pem_module == NULL) { - pem_module_name = PR_GetLibraryName(NULL, PEM_MODULE); - if (pem_module_name == NULL) { - pkiDebug("%s: error determining library name for %s\n", - __FUNCTION__, PEM_MODULE); - return NULL; - } - spec_size = strlen("library=") + strlen(pem_module_name) + 1; - spec = malloc(spec_size); - if (spec == NULL) { - pkiDebug("%s: out of memory building spec for %s\n", - __FUNCTION__, pem_module_name); - PR_FreeLibraryName(pem_module_name); - return NULL; - } - snprintf(spec, spec_size, "library=%s", pem_module_name); - id->pem_module = SECMOD_LoadUserModule(spec, NULL, PR_FALSE); - if (id->pem_module == NULL) - pkiDebug("%s: error loading %s\n", __FUNCTION__, pem_module_name); - else if (!id->pem_module->loaded) - pkiDebug("%s: error really loading %s\n", __FUNCTION__, - pem_module_name); - else - SECMOD_UpdateSlotList(id->pem_module); - free(spec); - PR_FreeLibraryName(pem_module_name); - } - if ((id->pem_module != NULL) && id->pem_module->loaded) { - if (id->pem_module->slotCount != 0) - slot = id->pem_module->slots[0]; - else - slot = NULL; - if (slot == NULL) - pkiDebug("%s: no slots in %s?\n", __FUNCTION__, PEM_MODULE); - } else { - slot = NULL; - } - return slot; -} - -/* Resolve any ambiguities from having a duplicate nickname in the PKCS12 - * bundle and in the database, or the bag not providing a nickname. Note: you - * might expect "arg" to be a wincx, but it's actually a certificate! (Mozilla - * bug #321584, fixed in 3.12, documented by #586163, in 3.13.) */ -static SECItem * -crypto_nickname_c_cb(SECItem *old_nickname, PRBool *cancel, void *arg) -{ - CERTCertificate *leaf; - char *old_name, *new_name, *p; - SECItem *new_nickname, tmp; - size_t new_name_size; - int i; - - leaf = arg; - if (old_nickname != NULL) - pkiDebug("%s: warning: nickname collision on \"%.*s\", " - "generating a new nickname\n", __FUNCTION__, - old_nickname->len, old_nickname->data); - else - pkiDebug("%s: warning: nickname collision, generating a new " - "nickname\n", __FUNCTION__); - new_nickname = NULL; - if (old_nickname == NULL) { - old_name = leaf->subjectName; - new_name_size = strlen(PKCS12_PREFIX ": #1") + strlen(old_name) + 1; - new_name = PR_Malloc(new_name_size); - if (new_name != NULL) { - snprintf(new_name, new_name_size, PKCS12_PREFIX ": %s #1", - old_name); - tmp.data = (unsigned char *) new_name; - tmp.len = strlen(new_name) + 1; - new_nickname = SECITEM_DupItem(&tmp); - PR_Free(new_name); - } - } else { - old_name = (char *) old_nickname->data; - if (strncmp(old_name, PKCS12_PREFIX ": ", - strlen(PKCS12_PREFIX) + 2) == 0) { - p = strrchr(old_name, '#'); - i = (p ? atoi(p + 1) : 0) + 1; - old_name = leaf->subjectName; - new_name_size = strlen(PKCS12_PREFIX ": #") + - strlen(old_name) + 3 * sizeof(i) + 1; - new_name = PR_Malloc(new_name_size); - } else { - old_name = leaf->subjectName; - new_name_size = strlen(PKCS12_PREFIX ": #1") + - strlen(old_name) + 1; - new_name = PR_Malloc(new_name_size); - i = 1; - } - if (new_name != NULL) { - snprintf(new_name, new_name_size, PKCS12_PREFIX ": %s #%d", - old_name, i); - tmp.data = (unsigned char *) new_name; - tmp.len = strlen(new_name) + 1; - new_nickname = SECITEM_DupItem(&tmp); - PR_Free(new_name); - } - } - if (new_nickname == NULL) { - pkiDebug("%s: warning: unable to generate a new nickname\n", - __FUNCTION__); - *cancel = PR_TRUE; - } else { - pkiDebug("%s: generated new nickname \"%.*s\"\n", - __FUNCTION__, new_nickname->len, new_nickname->data); - *cancel = PR_FALSE; - } - return new_nickname; -} - -static char * -reassemble_pkcs12_name(PLArenaPool *pool, const char *filename) -{ - char *tmp, *ret; - - if (asprintf(&tmp, "PKCS12:%s", filename) < 0) - return NULL; - ret = PORT_ArenaStrdup(pool, tmp); - free(tmp); - return ret; -} - -static SECStatus -crypto_load_pkcs12(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - const char *name, - pkinit_identity_crypto_context id_cryptoctx) -{ - PK11SlotInfo *slot; - SEC_PKCS12DecoderContext *ctx; - unsigned char emptypwd[] = { '\0', '\0' }; - SECItem tmp, password; - PRBool retry; - int attempt; - char *identity; - - if ((slot = crypto_get_p12_slot(id_cryptoctx)) == NULL) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "no slot found\n", __FUNCTION__, name); - return SECFailure; - } - if (secitem_from_file(id_cryptoctx->pool, name, - secitem_from_file_decode, &tmp) != 0) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error reading from file\n", __FUNCTION__, name); - return SECFailure; - } - /* There's a chance we'll need these. */ - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_40, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC2_CBC_128, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC4_40, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_RC4_128, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_DES_56, PR_TRUE); - SEC_PKCS12EnableCipher(PKCS12_DES_EDE3_168, PR_TRUE); - /* Pass in the password. */ - memset(&password, 0, sizeof(password)); - password.data = emptypwd; - password.len = 2; - attempt = 0; - ctx = NULL; - identity = reassemble_pkcs12_name(id_cryptoctx->pool, name); - if (identity == NULL) - return SECFailure; - id_cryptoctx->id_p12_slot.p12name = identity; - do { - retry = PR_FALSE; - ctx = SEC_PKCS12DecoderStart(&password, - slot, - crypto_pwcb_prep(id_cryptoctx, identity, - context), - NULL, NULL, NULL, NULL, NULL); - if (ctx == NULL) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error setting up decoder\n", __FUNCTION__, name); - return SECFailure; - } - if (SEC_PKCS12DecoderUpdate(ctx, tmp.data, tmp.len) != SECSuccess) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error passing data to decoder\n", __FUNCTION__, name); - SEC_PKCS12DecoderFinish(ctx); - return SECFailure; - } - if (SEC_PKCS12DecoderVerify(ctx) != SECSuccess) { - char *newpass; - krb5_ucs2 *ucs2; - unsigned char *ucs2s; - size_t i, n_ucs2s; - SECErrorCodes err; - - err = PORT_GetError(); - SEC_PKCS12DecoderFinish(ctx); - switch (err) { - case SEC_ERROR_BAD_PASSWORD: - if (id_cryptoctx->defer_id_prompt) { - pkinit_set_deferred_id(&id_cryptoctx->deferred_ids, - identity, 0, NULL); - return SECSuccess; - } - pkiDebug("%s: prompting for password for %s\n", - __FUNCTION__, name); - newpass = crypto_pwfn(name, PR_FALSE, 0, (attempt > 0), - id_cryptoctx); - attempt++; - if (newpass != NULL) { - /* convert to 16-bit big-endian */ - if (krb5int_utf8s_to_ucs2les(newpass, - &ucs2s, &n_ucs2s) == 0) { - PR_Free(newpass); - ucs2 = (krb5_ucs2 *) ucs2s; - for (i = 0; i < n_ucs2s / 2; i++) - ucs2[i] = SWAP16(ucs2[i]); - password.data = (void *) ucs2s; - password.len = n_ucs2s + 2; - PORT_SetError(0); - retry = PR_TRUE; - continue; - } - PR_Free(newpass); - } - break; - default: - break; - } - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error verifying data: %d\n", __FUNCTION__, - name, PORT_GetError()); - return SECFailure; - } - } while (retry); - if (SEC_PKCS12DecoderValidateBags(ctx, - crypto_nickname_c_cb) != SECSuccess) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error validating bags: %d\n", __FUNCTION__, name, - PORT_GetError()); - SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) - free(password.data); - return SECFailure; - } - if (SEC_PKCS12DecoderImportBags(ctx) != SECSuccess) { - pkiDebug("%s: skipping identity PKCS12 bundle \"%s\": " - "error importing data: %d\n", __FUNCTION__, name, - PORT_GetError()); - SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) - free(password.data); - return SECFailure; - } - pkiDebug("%s: imported PKCS12 bundle \"%s\"\n", __FUNCTION__, name); - SEC_PKCS12DecoderFinish(ctx); - if (password.data != emptypwd) - free(password.data); - if (cert_load_certs_with_keys_from_slot(context, id_cryptoctx, slot, - NULL, NULL, identity) == 0) - return SECSuccess; - else - return SECFailure; -} - -/* Helper to fill out a CK_ATTRIBUTE. */ -static void -crypto_set_attributes(CK_ATTRIBUTE *attr, - CK_ATTRIBUTE_TYPE type, - void *pValue, CK_ULONG ulValueLen) -{ - memset(attr, 0, sizeof(*attr)); - attr->type = type; - attr->pValue = pValue; - attr->ulValueLen = ulValueLen; -} - -static char * -reassemble_files_name(PLArenaPool *pool, const char *certfile, - const char *keyfile) -{ - char *tmp, *ret; - - if (keyfile != NULL) { - if (asprintf(&tmp, "FILE:%s,%s", certfile, keyfile) < 0) - return NULL; - } else { - if (asprintf(&tmp, "FILE:%s", certfile) < 0) - return NULL; - } - ret = PORT_ArenaStrdup(pool, tmp); - free(tmp); - return ret; -} - -/* Load keys, certs, and/or CRLs from files. */ -static SECStatus -crypto_load_files(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - const char *certfile, - const char *keyfile, - const char *crlfile, - PRBool cert_self, PRBool cert_mark_trusted, - pkinit_identity_crypto_context id_cryptoctx) -{ - PK11SlotInfo *slot; - struct _pkinit_identity_crypto_file *cobj, *kobj, **id_objects; - PRBool permanent; - SECKEYPrivateKey *key; - CK_ATTRIBUTE attrs[4]; - CK_BBOOL cktrue = CK_TRUE, cktrust; - CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE; - CERTCertificate *cert; - SECItem tmp, *crl, **crls; - SECStatus status; - int i, j, n_attrs, n_objs, n_crls; - - if ((slot = crypto_get_pem_slot(id_cryptoctx)) == NULL) { - if (certfile != NULL) - pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", - __FUNCTION__, certfile); - if (keyfile != NULL) - pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", - __FUNCTION__, keyfile); - if (crlfile != NULL) - pkiDebug("%s: nsspem module not loaded, not loading file \"%s\"\n", - __FUNCTION__, crlfile); - return SECFailure; - } - if ((certfile == NULL) && (crlfile == NULL)) - return SECFailure; - - /* Load the certificate first to work around RHBZ#859535. */ - cobj = NULL; - if (certfile != NULL) { - n_attrs = 0; - crypto_set_attributes(&attrs[n_attrs++], CKA_CLASS, - &certclass, sizeof(certclass)); - crypto_set_attributes(&attrs[n_attrs++], CKA_TOKEN, - &cktrue, sizeof(cktrue)); - crypto_set_attributes(&attrs[n_attrs++], CKA_LABEL, - (char *) certfile, strlen(certfile) + 1); - cktrust = cert_mark_trusted ? CK_TRUE : CK_FALSE; - crypto_set_attributes(&attrs[n_attrs++], CKA_TRUST, - &cktrust, sizeof(cktrust)); - permanent = PR_FALSE; /* set lifetime to "session" */ - cobj = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*cobj)); - if (cobj == NULL) - return SECFailure; - cobj->name = reassemble_files_name(id_cryptoctx->pool, - certfile, keyfile); - if (cobj->name == NULL) - return SECFailure; - cobj->obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent); - if (cobj->obj == NULL) { - pkiDebug("%s: error loading %scertificate \"%s\": %s\n", - __FUNCTION__, cert_mark_trusted ? "CA " : "", certfile, - PORT_ErrorToName(PORT_GetError())); - status = SECFailure; - } else { - pkiDebug("%s: loaded %scertificate \"%s\"\n", - __FUNCTION__, cert_mark_trusted ? "CA " : "", certfile); - status = SECSuccess; - /* Add it to the list of objects that we're keeping. */ - if (id_cryptoctx->id_objects != NULL) - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) - continue; - else - i = 0; - id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool, - sizeof(id_objects[0]) * (i + 2)); - if (id_objects != NULL) { - n_objs = i; - for (i = 0; i < n_objs; i++) - id_objects[i] = id_cryptoctx->id_objects[i]; - id_objects[i++] = cobj; - id_objects[i++] = NULL; - id_cryptoctx->id_objects = id_objects; - } - /* Find the certificate that goes with this generic object. */ - memset(&tmp, 0, sizeof(tmp)); - status = PK11_ReadRawAttribute(PK11_TypeGeneric, cobj->obj, - CKA_VALUE, &tmp); - if (status == SECSuccess) { - cobj->cert = CERT_FindCertByDERCert(CERT_GetDefaultCertDB(), - &tmp); - SECITEM_FreeItem(&tmp, PR_FALSE); - } else { - pkiDebug("%s: error locating certificate \"%s\"\n", - __FUNCTION__, certfile); - } - /* Save a reference to the right list. */ - if (cobj->cert != NULL) { - cert = CERT_DupCertificate(cobj->cert); - if (cert == NULL) - return SECFailure; - if (cert_self) { - /* Add to the identity list. */ - if (cert_maybe_add_to_list(id_cryptoctx->id_certs, - cert) != SECSuccess) - status = SECFailure; - } else if (cert_mark_trusted) { - /* Add to the CA list. */ - if (cert_maybe_add_to_list(id_cryptoctx->ca_certs, - cert) != SECSuccess) - status = SECFailure; - } else { - /* Don't just lose the reference. */ - CERT_DestroyCertificate(cert); - } - } - } - } - - /* Now load what should be the corresponding private key. */ - kobj = NULL; - if (status == SECSuccess && keyfile != NULL) { - n_attrs = 0; - crypto_set_attributes(&attrs[n_attrs++], CKA_CLASS, - &keyclass, sizeof(keyclass)); - crypto_set_attributes(&attrs[n_attrs++], CKA_TOKEN, - &cktrue, sizeof(cktrue)); - crypto_set_attributes(&attrs[n_attrs++], CKA_LABEL, - (char *)keyfile, strlen(keyfile) + 1); - permanent = PR_FALSE; /* set lifetime to "session" */ - kobj = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*kobj)); - if (kobj == NULL) - return SECFailure; - kobj->obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent); - if (kobj->obj == NULL) { - pkiDebug("%s: error loading key \"%s\": %s\n", __FUNCTION__, - keyfile, PORT_ErrorToName(PORT_GetError())); - status = SECFailure; - } else { - pkiDebug("%s: loaded key \"%s\"\n", __FUNCTION__, keyfile); - status = SECSuccess; - /* Add it to the list of objects that we're keeping. */ - if (id_cryptoctx->id_objects != NULL) { - for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) - continue; - } else { - i = 0; - } - id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool, - sizeof(id_objects[0]) * (i + 2)); - if (id_objects != NULL) { - n_objs = i; - for (i = 0; i < n_objs; i++) - id_objects[i] = id_cryptoctx->id_objects[i]; - id_objects[i++] = kobj; - id_objects[i++] = NULL; - id_cryptoctx->id_objects = id_objects; - } - } - - /* "Log in" (provide an encryption password) if the PEM slot now - * requires it. */ - PK11_TokenRefresh(slot); - - /* - * Unlike most tokens, this one won't self-destruct if we throw wrong - * passwords at it, but it will cause the module to clear the - * needs-login flag so that we can continue importing PEM items. - */ - if (!PK11_IsLoggedIn(slot, crypto_pwcb_prep(id_cryptoctx, cobj->name, - context)) && - PK11_NeedLogin(slot)) { - pkiDebug("%s: logging in to token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(slot)); - if (PK11_Authenticate(slot, PR_TRUE, - crypto_pwcb_prep(id_cryptoctx, cobj->name, - context)) != SECSuccess) { - pkiDebug("%s: error logging into \"%s\": %s, skipping\n", - __FUNCTION__, PK11_GetTokenName(slot), - PORT_ErrorToName(PORT_GetError())); - status = SECFailure; - PK11_DestroyGenericObject(kobj->obj); - kobj->obj = NULL; - } - } - - /* If we loaded a key and a certificate, see if they match. */ - if (cobj != NULL && cobj->cert != NULL && kobj->obj != NULL) { - key = PK11_FindPrivateKeyFromCert(slot, cobj->cert, - crypto_pwcb_prep(id_cryptoctx, - cobj->name, - context)); - if (key == NULL) { - pkiDebug("%s: no private key found for \"%s\"(%s), " - "even though we just loaded that key?\n", - __FUNCTION__, - cobj->cert->nickname ? - cobj->cert->nickname : "(no name)", - certfile); - status = SECFailure; - } else { - /* We don't need this reference to the key. */ - SECKEY_DestroyPrivateKey(key); - } - } - } - - /* If we succeeded to this point, or more likely didn't do anything - * yet, cache a CRL. */ - if ((status == SECSuccess) && (crlfile != NULL)) { - memset(&tmp, 0, sizeof(tmp)); - if (secitem_from_file(id_cryptoctx->pool, crlfile, - secitem_from_file_decode, &tmp) == 0) { - crl = SECITEM_ArenaDupItem(id_cryptoctx->pool, &tmp); - /* Count the CRLs. */ - if (id_cryptoctx->id_crls != NULL) { - for (i = 0; id_cryptoctx->id_crls[i] != NULL; i++) - continue; - } else { - i = 0; - } - n_crls = i; - /* Allocate a bigger list. */ - crls = PORT_ArenaZAlloc(id_cryptoctx->pool, - sizeof(crls[0]) * (n_crls + 2)); - for (j = 0; j < n_crls; j++) - crls[j] = id_cryptoctx->id_crls[j]; - if (crl != NULL) { - status = CERT_CacheCRL(CERT_GetDefaultCertDB(), crl); - if (status == SECSuccess) { - crls[j++] = crl; - pkiDebug("%s: cached CRL from \"%s\"\n", - __FUNCTION__, crlfile); - } else - pkiDebug("%s: error loading CRL from \"%s\": %d\n", - __FUNCTION__, crlfile, PORT_GetError()); - } - crls[j++] = NULL; - id_cryptoctx->id_crls = crls; - } else - status = SECFailure; - } - return status; -} - -static SECStatus -crypto_load_dir(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - const char *dirname, - PRBool cert_self, PRBool cert_mark_trusted, PRBool load_crl, - pkinit_identity_crypto_context id_cryptoctx) -{ - SECStatus status; - DIR *dir; - struct dirent *ent; - char *key, *certcrl; - const char *suffix = load_crl ? ".crl" : ".crt"; - int i; - - if (crypto_get_pem_slot(id_cryptoctx) == NULL) { - pkiDebug("%s: nsspem module not loaded, " - "not loading directory \"%s\"\n", __FUNCTION__, dirname); - return SECFailure; - } - if (dirname == NULL) - return SECFailure; - dir = opendir(dirname); - if (dir == NULL) { - pkiDebug("%s: error loading directory \"%s\": %s\n", - __FUNCTION__, dirname, strerror(errno)); - return SECFailure; - } - status = SECFailure; - pkiDebug("%s: scanning directory \"%s\"\n", __FUNCTION__, dirname); - while ((ent = readdir(dir)) != NULL) { - i = strlen(ent->d_name); - /* Skip over anything that isn't named ".crt" or - * ".crl", whichever we want at the moment. */ - if ((i < 5) || (strcmp(ent->d_name + i - 4, suffix) != 0)) { - pkiDebug("%s: skipping candidate \"%s/%s\"\n", - __FUNCTION__, dirname, ent->d_name); - continue; - } - /* Construct a path to the file. */ - certcrl = NULL; - if (k5_path_join(dirname, ent->d_name, &certcrl) != 0) { - pkiDebug("%s: error building pathname \"%s %s\"\n", - __FUNCTION__, dirname, ent->d_name); - continue; - } - key = NULL; - if (!load_crl && cert_self) { /* No key. */ - /* Construct the matching key name. */ - if (k5_path_join(dirname, ent->d_name, &key) != 0) { - pkiDebug("%s: error building pathname \"%s %s\"\n", - __FUNCTION__, dirname, ent->d_name); - free(certcrl); - continue; - } - i = strlen(key); - memcpy(key + i - 4, ".key", 5); - } - /* Try loading the key and file as a pair. */ - if (crypto_load_files(context, - plg_cryptoctx, - req_cryptoctx, - load_crl ? NULL : certcrl, - key, - load_crl ? certcrl : NULL, - cert_self, cert_mark_trusted, - id_cryptoctx) == SECSuccess) - status = SECSuccess; - free(certcrl); - free(key); - } - closedir(dir); - return status; -} - -static char * -reassemble_nssdb_name(PLArenaPool *pool, const char *dbdir) -{ - char *tmp, *ret; - - if (asprintf(&tmp, "NSS:%s", dbdir) < 0) - return NULL; - ret = PORT_ArenaStrdup(pool, tmp); - free(tmp); - return ret; -} - -/* Load up a certificate database. */ -static krb5_error_code -crypto_load_nssdb(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - const char *configdir, - pkinit_identity_crypto_context id_cryptoctx) -{ - struct _pkinit_identity_crypto_userdb *userdb, **id_userdbs; - char *p; - size_t spec_size; - int i, j; - - if (configdir == NULL) - return ENOENT; - - /* Build the spec. */ - spec_size = strlen("configDir='' flags=readOnly") + - strlen(configdir) * 2 + 1; - p = PORT_ArenaZAlloc(id_cryptoctx->pool, spec_size); - if (p == NULL) - return ENOMEM; - strlcpy(p, "configDir='", spec_size); - j = strlen(p); - for (i = 0; configdir[i] != '\0'; i++) { - if (configdir[i] == '\'') - p[j++] = '\\'; /* Is this the right way to do - * escaping? */ - p[j++] = configdir[i]; - } - p[j++] = '\0'; - strlcat(p, "' flags=readOnly", spec_size); - - /* Count the number of modules we've already loaded. */ - if (id_cryptoctx->id_userdbs != NULL) { - for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) - continue; - } else - i = 0; - - /* Allocate a bigger list. */ - id_userdbs = PORT_ArenaZAlloc(id_cryptoctx->pool, - sizeof(id_userdbs[0]) * (i + 2)); - for (j = 0; j < i; j++) - id_userdbs[j] = id_cryptoctx->id_userdbs[j]; - - /* Actually load the module. */ - userdb = PORT_ArenaZAlloc(id_cryptoctx->pool, sizeof(*userdb)); - if (userdb == NULL) - return SECFailure; - userdb->name = reassemble_nssdb_name(id_cryptoctx->pool, configdir); - if (userdb->name == NULL) - return SECFailure; - userdb->userdb = SECMOD_OpenUserDB(p); - if (userdb->userdb == NULL) { - pkiDebug("%s: error loading NSS cert database \"%s\"\n", - __FUNCTION__, configdir); - return ENOENT; - } - pkiDebug("%s: opened NSS database \"%s\"\n", __FUNCTION__, configdir); - - /* Add us to the list and set the new list. */ - id_userdbs[i++] = userdb; - id_userdbs[i++] = NULL; - id_cryptoctx->id_userdbs = id_userdbs; - - /* Load the CAs from the database. */ - cert_load_ca_certs_from_slot(context, id_cryptoctx, userdb->userdb, - userdb->name); - - /* Load the keys from the database. */ - return cert_load_certs_with_keys_from_slot(context, id_cryptoctx, - userdb->userdb, NULL, NULL, - userdb->name); -} - -/* Load up a certificate and associated key. */ -krb5_error_code -crypto_load_certs(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_opts *idopts, - pkinit_identity_crypto_context id_cryptoctx, - krb5_principal princ, - krb5_boolean defer_id_prompts) -{ - SECStatus status; - - id_cryptoctx->defer_id_prompt = defer_id_prompts; - - switch (idopts->idtype) { - case IDTYPE_FILE: - id_cryptoctx->defer_with_dummy_password = TRUE; - status = crypto_load_files(context, - plg_cryptoctx, - req_cryptoctx, - idopts->cert_filename, - idopts->key_filename, - NULL, PR_TRUE, PR_FALSE, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading files \"%s\" and \"%s\": %s\n", - __FUNCTION__, idopts->cert_filename, - idopts->key_filename, PORT_ErrorToName(PORT_GetError())); - return defer_id_prompts ? 0 : ENOMEM; - } - return 0; - break; - case IDTYPE_NSS: - id_cryptoctx->defer_with_dummy_password = FALSE; - status = crypto_load_nssdb(context, - plg_cryptoctx, - req_cryptoctx, - idopts->cert_filename, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading NSS certdb \"%s\": %s\n", - __FUNCTION__, idopts->cert_filename, - PORT_ErrorToName(PORT_GetError())); - return ENOMEM; - } - return 0; - break; - case IDTYPE_DIR: - id_cryptoctx->defer_with_dummy_password = TRUE; - status = crypto_load_dir(context, - plg_cryptoctx, - req_cryptoctx, - idopts->cert_filename, - PR_TRUE, PR_FALSE, PR_FALSE, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading directory \"%s\": %s\n", - __FUNCTION__, idopts->cert_filename, - PORT_ErrorToName(PORT_GetError())); - return defer_id_prompts ? 0 : ENOMEM; - } - return 0; - break; - case IDTYPE_PKCS11: - id_cryptoctx->defer_with_dummy_password = FALSE; - status = crypto_load_pkcs11(context, - plg_cryptoctx, - req_cryptoctx, idopts, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading module \"%s\": %s\n", - __FUNCTION__, idopts->p11_module_name, - PORT_ErrorToName(PORT_GetError())); - return ENOMEM; - } - return 0; - break; - case IDTYPE_PKCS12: - id_cryptoctx->defer_with_dummy_password = FALSE; - status = crypto_load_pkcs12(context, - plg_cryptoctx, - req_cryptoctx, - idopts->cert_filename, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading PKCS12 bundle \"%s\"\n", - __FUNCTION__, idopts->cert_filename); - return ENOMEM; - } - return 0; - break; - default: - return EINVAL; - break; - } -} - -/* Drop "self" certificate and keys that we didn't select. */ -krb5_error_code -crypto_free_cert_info(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx) -{ - /* Mimic the OpenSSL-based implementation's check first. */ - if (id_cryptoctx == NULL) - return EINVAL; - - /* Maybe should we nuke the id_certs list here? */ - return 0; -} - -/* Count how many candidate "self" certificates and keys we have. We could as - * easily count the keys. */ -krb5_error_code -crypto_cert_get_count(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int *cert_count) -{ - CERTCertListNode *node; - - *cert_count = 0; - if (!CERT_LIST_EMPTY(id_cryptoctx->id_certs)) - for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, id_cryptoctx->id_certs); - node = CERT_LIST_NEXT(node)) - (*cert_count)++; - pkiDebug("%s: %d candidate key/certificate pairs found\n", - __FUNCTION__, *cert_count); - return 0; -} - -/* Start walking the list of "self" certificates and keys. */ -krb5_error_code -crypto_cert_iteration_begin(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - pkinit_cert_iter_handle *iter_handle) -{ - PLArenaPool *pool; - struct _pkinit_cert_iter_info *handle; - - if (CERT_LIST_EMPTY(id_cryptoctx->id_certs)) - return ENOENT; - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - handle = PORT_ArenaZAlloc(pool, sizeof(*handle)); - if (handle == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - handle->pool = pool; - handle->id_cryptoctx = id_cryptoctx; - handle->node = CERT_LIST_HEAD(handle->id_cryptoctx->id_certs); - *iter_handle = handle; - return 0; -} - -/* Stop walking the list of "self" certificates and keys. */ -krb5_error_code -crypto_cert_iteration_end(krb5_context context, - pkinit_cert_iter_handle iter_handle) -{ - PORT_FreeArena(iter_handle->pool, PR_TRUE); - return 0; -} - -/* Walk to the first/next "self" certificate and key. The cert_handle we - * produce here has to be useful beyond the life of the iteration handle, so it - * can't be allocated from the iteration handle's memory pool. */ -krb5_error_code -crypto_cert_iteration_next(krb5_context context, - pkinit_cert_iter_handle iter_handle, - pkinit_cert_handle *cert_handle) -{ - PLArenaPool *pool; - - /* Check if we're at the last node. */ - if (CERT_LIST_END(iter_handle->node, - iter_handle->id_cryptoctx->id_certs)) { - /* No more entries. */ - *cert_handle = NULL; - return PKINIT_ITER_NO_MORE; - } - /* Create a pool to hold info about this certificate. */ - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - *cert_handle = PORT_ArenaZAlloc(pool, sizeof(**cert_handle)); - if (*cert_handle == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - (*cert_handle)->pool = pool; - /* Return a copy of the certificate in this node, and then move on to - * the next one. */ - (*cert_handle)->id_cryptoctx = iter_handle->id_cryptoctx; - (*cert_handle)->cert = CERT_DupCertificate(iter_handle->node->cert); - iter_handle->node = CERT_LIST_NEXT(iter_handle->node); - return 0; -} - -/* Read names, key usage, and extended key usage from the cert. */ -static SECItem * -cert_get_ext_by_tag(CERTCertificate *cert, SECOidTag tag) -{ - SECOidData *oid; - int i; - - oid = SECOID_FindOIDByTag(tag); - for (i = 0; - (cert->extensions != NULL) && (cert->extensions[i] != NULL); - i++) - if (SECITEM_ItemsAreEqual(&cert->extensions[i]->id, &oid->oid)) - return &cert->extensions[i]->value; - return NULL; -} - -/* Check for the presence of a particular key usage in the cert's keyUsage - * extension field. If it's not there, NSS just sets all of the bits, which is - * consistent with what the OpenSSL version of this does. */ -static unsigned int -cert_get_ku_bits(krb5_context context, CERTCertificate *cert) -{ - unsigned int ku = 0; - - if (cert->keyUsage & KU_DIGITAL_SIGNATURE) - ku |= PKINIT_KU_DIGITALSIGNATURE; - if (cert->keyUsage & KU_KEY_ENCIPHERMENT) - ku |= PKINIT_KU_KEYENCIPHERMENT; - return ku; -} - -static unsigned int -cert_get_eku_bits(krb5_context context, CERTCertificate *cert, PRBool kdc) -{ - PLArenaPool *pool; - SECItem *ext, **oids; - SECOidData *clientauth, *serverauth, *email; - int i; - unsigned int eku; - - /* Pull out the extension. */ - ext = cert_get_ext_by_tag(cert, SEC_OID_X509_EXT_KEY_USAGE); - if (ext == NULL) - return 0; - - /* Look up the well-known OIDs. */ - clientauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_CLIENT_AUTH); - serverauth = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_SERVER_AUTH); - email = SECOID_FindOIDByTag(SEC_OID_EXT_KEY_USAGE_EMAIL_PROTECT); - - /* Decode the list of OIDs. */ - pool = PORT_NewArena(sizeof(double)); - oids = NULL; - if (SEC_ASN1DecodeItem(pool, &oids, - SEC_ASN1_GET(SEC_SequenceOfObjectIDTemplate), - ext) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return 0; - } - eku = 0; - for (i = 0; (oids != NULL) && (oids[i] != NULL); i++) { - if (SECITEM_ItemsAreEqual(oids[i], &email->oid)) - eku |= PKINIT_EKU_EMAILPROTECTION; - if (kdc) { - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_kdc)) - eku |= PKINIT_EKU_PKINIT; - if (SECITEM_ItemsAreEqual(oids[i], &serverauth->oid)) - eku |= PKINIT_EKU_CLIENTAUTH; - } else { - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_client)) - eku |= PKINIT_EKU_PKINIT; - if (SECITEM_ItemsAreEqual(oids[i], &clientauth->oid)) - eku |= PKINIT_EKU_CLIENTAUTH; - } - if (SECITEM_ItemsAreEqual(oids[i], &pkinit_kp_mssclogin)) - eku |= PKINIT_EKU_MSSCLOGIN; - } - PORT_FreeArena(pool, PR_TRUE); - return eku; -} - -krb5_error_code -crypto_cert_get_matching_data(krb5_context context, - pkinit_cert_handle cert_handle, - pkinit_cert_matching_data **ret_data) -{ - pkinit_cert_matching_data *md; - - md = malloc(sizeof(*md)); - if (md == NULL) { - return ENOMEM; - } - md->ch = cert_handle; - md->subject_dn = strdup(cert_handle->cert->subjectName); - /* FIXME: string representation varies from OpenSSL's */ - md->issuer_dn = strdup(cert_handle->cert->issuerName); - /* FIXME: string representation varies from OpenSSL's */ - md->ku_bits = cert_get_ku_bits(context, cert_handle->cert); - md->eku_bits = cert_get_eku_bits(context, cert_handle->cert, PR_FALSE); - if (cert_retrieve_cert_sans(context, cert_handle->cert, - &md->sans, &md->sans, NULL) != 0) - md->sans = NULL; - *ret_data = md; - return 0; -} - -/* Free up the data for this certificate. */ -krb5_error_code -crypto_cert_release(krb5_context context, pkinit_cert_handle cert_handle) -{ - CERT_DestroyCertificate(cert_handle->cert); - PORT_FreeArena(cert_handle->pool, PR_TRUE); - return 0; -} - -/* Free names, key usage, and extended key usage from the cert matching data - * structure -- everything except the cert_handle it contains, anyway. */ -krb5_error_code -crypto_cert_free_matching_data(krb5_context context, - pkinit_cert_matching_data *data) -{ - free(data->subject_dn); - free(data->issuer_dn); - free(data); - return 0; -} - -/* Mark the cert tracked in the matching data structure as the one we're going - * to use. */ -krb5_error_code -crypto_cert_select(krb5_context context, pkinit_cert_matching_data *data) -{ - CERTCertificate *cert; - - cert = CERT_DupCertificate(data->ch->cert); - if (data->ch->id_cryptoctx->id_cert != NULL) - CERT_DestroyCertificate(data->ch->id_cryptoctx->id_cert); - data->ch->id_cryptoctx->id_cert = cert; - crypto_update_signer_identity(context, data->ch->id_cryptoctx); - return 0; -} - -/* Try to select the "default" cert, which for now is the only cert, if we only - * have one. */ -krb5_error_code -crypto_cert_select_default(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx) -{ - CERTCertListNode *node; - CERTCertificate *cert; - krb5_principal *sans; - krb5_data *c; - krb5_error_code code; - int result, count, i; - - result = crypto_cert_get_count(context, - plg_cryptoctx, - req_cryptoctx, id_cryptoctx, &count); - if (result != 0) - return result; - if (count == 1) - /* use the only cert */ - cert = (CERT_LIST_HEAD(id_cryptoctx->id_certs))->cert; - else { - pkiDebug("%s: searching for a KDC certificate\n", __FUNCTION__); - /* look for a cert that includes a TGS principal name */ - cert = NULL; - for (node = CERT_LIST_HEAD(id_cryptoctx->id_certs); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, id_cryptoctx->id_certs); - node = CERT_LIST_NEXT(node)) { - sans = NULL; - pkiDebug("%s: checking candidate certificate \"%s\"\n", - __FUNCTION__, node->cert->subjectName); - code = cert_retrieve_cert_sans(context, node->cert, - &sans, NULL, NULL); - if ((code == 0) && (sans != NULL)) { - for (i = 0; sans[i] != NULL; i++) { - c = krb5_princ_component(context, sans[i], 0); - if ((c->length == KRB5_TGS_NAME_SIZE) && - (memcmp(c->data, KRB5_TGS_NAME, - KRB5_TGS_NAME_SIZE) == 0)) { - cert = node->cert; - pkiDebug("%s: selecting %s " - "certificate \"%s\"\n", - __FUNCTION__, - KRB5_TGS_NAME, cert->subjectName); - } - krb5_free_principal(context, sans[i]); - } - free(sans); - sans = NULL; - } - if (cert != NULL) - break; - } - if (cert == NULL) - return ENOENT; - } - if (id_cryptoctx->id_cert != NULL) - CERT_DestroyCertificate(id_cryptoctx->id_cert); - id_cryptoctx->id_cert = CERT_DupCertificate(cert); - crypto_update_signer_identity(context, id_cryptoctx); - return 0; -} - -krb5_error_code -crypto_load_cas_and_crls(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_opts * idopts, - pkinit_identity_crypto_context id_cryptoctx, - int idtype, int catype, char *id) -{ - SECStatus status; - PRBool cert_self, cert_mark_trusted, load_crl; - - /* Figure out what we're doing here. */ - switch (catype) { - case CATYPE_ANCHORS: - /* Screen out source types we can't use. */ - switch (idtype) { - case IDTYPE_FILE: - case IDTYPE_DIR: - case IDTYPE_NSS: - /* We only support these sources. */ - break; - default: - return EINVAL; - break; - } - /* Mark certs we load as trusted roots. */ - cert_self = PR_FALSE; - cert_mark_trusted = PR_TRUE; - load_crl = PR_FALSE; - break; - case CATYPE_INTERMEDIATES: - /* Screen out source types we can't use. */ - switch (idtype) { - case IDTYPE_FILE: - case IDTYPE_DIR: - case IDTYPE_NSS: - /* We only support these sources. */ - break; - default: - return EINVAL; - break; - } - /* Hang on to certs as reference material. */ - cert_self = PR_FALSE; - cert_mark_trusted = PR_FALSE; - load_crl = PR_FALSE; - break; - case CATYPE_CRLS: - /* Screen out source types we can't use. */ - switch (idtype) { - case IDTYPE_FILE: - case IDTYPE_DIR: - /* We only support these sources. */ - break; - default: - return EINVAL; - break; - } - /* No certs, just CRLs. */ - cert_self = PR_FALSE; - cert_mark_trusted = PR_FALSE; - load_crl = PR_TRUE; - break; - default: - return ENOSYS; - break; - } - - switch (idtype) { - case IDTYPE_FILE: - status = crypto_load_files(context, - plg_cryptoctx, - req_cryptoctx, - load_crl ? NULL : id, - NULL, - load_crl ? id : NULL, - cert_self, cert_mark_trusted, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading file \"%s\"\n", __FUNCTION__, id); - return ENOMEM; - } - return 0; - break; - case IDTYPE_NSS: - status = crypto_load_nssdb(context, - plg_cryptoctx, - req_cryptoctx, id, id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading NSS certdb \"%s\"\n", - __FUNCTION__, idopts->cert_filename); - return ENOMEM; - } - return 0; - break; - case IDTYPE_DIR: - status = crypto_load_dir(context, - plg_cryptoctx, - req_cryptoctx, - id, - cert_self, cert_mark_trusted, load_crl, - id_cryptoctx); - if (status != SECSuccess) { - pkiDebug("%s: error loading directory \"%s\"\n", __FUNCTION__, id); - return ENOMEM; - } - return 0; - break; - default: - return EINVAL; - break; - } -} - -/* Retrieve the client's copy of the KDC's certificate. */ -krb5_error_code -pkinit_get_kdc_cert(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_principal princ) -{ - /* Nothing to do. */ - return 0; -} - -/* Create typed-data with sets of acceptable DH parameters. */ -krb5_error_code -pkinit_create_td_dh_parameters(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - pkinit_plg_opts *opts, krb5_pa_data ***pa_data) -{ - struct domain_parameters *params; - SECItem tmp, *oid; - krb5_algorithm_identifier id[sizeof(oakley_groups) / - sizeof(oakley_groups[0])]; - krb5_algorithm_identifier *ids[(sizeof(id) / sizeof(id[0])) + 1]; - unsigned int i, j; - krb5_data *data; - krb5_pa_data **typed_data; - krb5_error_code code; - - *pa_data = NULL; - - /* Fetch the algorithm OID. */ - oid = get_oid_from_tag(SEC_OID_X942_DIFFIE_HELMAN_KEY); - if (oid == NULL) - return ENOMEM; - /* Walk the lists of parameters that we know. */ - for (i = 0, j = 0; i < sizeof(id) / sizeof(id[0]); i++) { - if (oakley_groups[i].bits < opts->dh_min_bits) - continue; - /* Encode these parameters for use as algorithm parameters. */ - if (oakley_parse_group(req_cryptoctx->pool, &oakley_groups[i], - ¶ms) != 0) - continue; - memset(¶ms, 0, sizeof(params)); - if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &tmp, - params, - domain_parameters_template) != SECSuccess) - continue; - /* Add it to the list. */ - memset(&id[j], 0, sizeof(id[j])); - id[j].algorithm.data = (char *)oid->data; - id[j].algorithm.length = oid->len; - id[j].parameters.data = (char *)tmp.data; - id[j].parameters.length = tmp.len; - ids[j] = &id[j]; - j++; - } - if (j == 0) - return ENOENT; - ids[j] = NULL; - /* Pass it back up. */ - data = NULL; - code = (*k5int_encode_krb5_td_dh_parameters)(ids, &data); - if (code != 0) - return code; - typed_data = malloc(sizeof(*typed_data) * 2); - if (typed_data == NULL) { - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0] = malloc(sizeof(**typed_data)); - if (typed_data[0] == NULL) { - free(typed_data); - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0]->pa_type = TD_DH_PARAMETERS; - typed_data[0]->length = data->length; - typed_data[0]->contents = (unsigned char *) data->data; - typed_data[1] = NULL; - *pa_data = typed_data; - free(data); - return code; -} - -/* Parse typed-data with sets of acceptable DH parameters and return the - * minimum prime size that the KDC will accept. */ -krb5_error_code -pkinit_process_td_dh_params(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_algorithm_identifier **algId, - int *new_dh_size) -{ - struct domain_parameters params; - SECItem item; - int i, size; - - /* Set an initial reasonable guess if we got no hints that we could - * parse. */ - *new_dh_size = 2048; - for (i = 0; (algId != NULL) && (algId[i] != NULL); i++) { - /* Decode the domain parameters. */ - item.len = algId[i]->parameters.length; - item.data = (unsigned char *)algId[i]->parameters.data; - memset(¶ms, 0, sizeof(params)); - if (SEC_ASN1DecodeItem(req_cryptoctx->pool, ¶ms, - domain_parameters_template, - &item) != SECSuccess) - continue; - /* Count the size of the prime by finding the first non-zero - * byte and working out the size of the integer. */ - size = get_integer_bits(¶ms.p); - /* If this is the first parameter set, or the current parameter - * size is lower than our previous guess, use it. */ - if ((i == 0) || (size < *new_dh_size)) - *new_dh_size = size; - } - return 0; -} - -/* Create typed-data with the client cert that we didn't like. */ -krb5_error_code -pkinit_create_td_invalid_certificate(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context - id_cryptoctx, krb5_pa_data ***pa_data) -{ - CERTCertificate *invalid; - krb5_external_principal_identifier id; - krb5_external_principal_identifier *ids[2]; - struct issuer_and_serial_number isn; - krb5_data *data; - SECItem item; - krb5_pa_data **typed_data; - krb5_error_code code; - - *pa_data = NULL; - - /* We didn't trust the peer's certificate. FIXME: or was it a - * certificate that was somewhere in its certifying chain? */ - if (req_cryptoctx->peer_cert == NULL) - return ENOENT; - invalid = req_cryptoctx->peer_cert; - - /* Fill in the identifier. */ - memset(&id, 0, sizeof(id)); - if (req_cryptoctx->peer_cert->keyIDGenerated) { - isn.issuer = invalid->derIssuer; - isn.serial = invalid->serialNumber; - if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn, - issuer_and_serial_number_template) != &item) - return ENOMEM; - id.issuerAndSerialNumber.data = (char *)item.data; - id.issuerAndSerialNumber.length = item.len; - } else { - item = invalid->subjectKeyID; - id.subjectKeyIdentifier.data = (char *)item.data; - id.subjectKeyIdentifier.length = item.len; - } - ids[0] = &id; - ids[1] = NULL; - - /* Pass it back up. */ - data = NULL; - code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data); - if (code != 0) - return code; - typed_data = malloc(sizeof(*typed_data) * 2); - if (typed_data == NULL) { - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0] = malloc(sizeof(**typed_data)); - if (typed_data[0] == NULL) { - free(typed_data); - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0]->pa_type = TD_INVALID_CERTIFICATES; - typed_data[0]->length = data->length; - typed_data[0]->contents = (unsigned char *) data->data; - typed_data[1] = NULL; - *pa_data = typed_data; - free(data); - return code; -} - -/* Create typed-data with a list of certifiers that we would accept. */ -krb5_error_code -pkinit_create_td_trusted_certifiers(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context - id_cryptoctx, krb5_pa_data ***pa_data) -{ - krb5_external_principal_identifier **ids; - krb5_external_principal_identifier *id; - struct issuer_and_serial_number isn; - krb5_data *data; - SECItem item; - krb5_pa_data **typed_data; - krb5_error_code code; - int i; - unsigned int trustf; - SECStatus status; - PK11SlotList *slist; - PK11SlotListElement *sle; - CERTCertificate *cert; - CERTCertList *sclist, *clist; - CERTCertListNode *node; - - *pa_data = NULL; - - /* Build the list of trusted roots. */ - clist = CERT_NewCertList(); - if (clist == NULL) - return ENOMEM; - - /* Get the list of tokens. All of them. */ - slist = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, - PR_FALSE, - crypto_pwcb_prep(id_cryptoctx, NULL, context)); - if (slist == NULL) { - CERT_DestroyCertList(clist); - return ENOENT; - } - - /* Walk the list of tokens. */ - i = 0; - status = SECSuccess; - for (sle = slist->head; sle != NULL; sle = sle->next) { - /* Skip over slots we would still need to log in to before using. */ - if (!PK11_IsLoggedIn(sle->slot, - crypto_pwcb_prep(id_cryptoctx, NULL, context)) && - PK11_NeedLogin(sle->slot)) { - pkiDebug("%s: skipping token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(sle->slot)); - continue; - } - /* Get the list of certs, and skip the slot if it doesn't have - * any. */ - sclist = PK11_ListCertsInSlot(sle->slot); - if (sclist == NULL) { - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(sle->slot)); - continue; - } - if (CERT_LIST_EMPTY(sclist)) { - CERT_DestroyCertList(sclist); - pkiDebug("%s: nothing found in token \"%s\"\n", - __FUNCTION__, PK11_GetTokenName(sle->slot)); - continue; - } - /* Walk the list of certs, and for each one that's a trusted - * root, add it to the list. */ - for (node = CERT_LIST_HEAD(sclist); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, sclist); - node = CERT_LIST_NEXT(node)) { - /* If we have no trust for it, we can't trust it. */ - if (node->cert->trust == NULL) - continue; - /* We need to trust it to issue client certs. */ - trustf = SEC_GET_TRUST_FLAGS(node->cert->trust, trustSSL); - if (!(trustf & CERTDB_TRUSTED_CLIENT_CA)) - continue; - /* DestroyCertList frees all of the certs in the list, - * so we need to create a copy that it can own. */ - cert = CERT_DupCertificate(node->cert); - if (cert_maybe_add_to_list(clist, cert) != SECSuccess) - status = ENOMEM; - else - i++; - } - CERT_DestroyCertList(sclist); - } - PK11_FreeSlotList(slist); - if (status != SECSuccess) { - CERT_DestroyCertList(clist); - return ENOMEM; - } - - /* Allocate some temporary storage. */ - id = PORT_ArenaZAlloc(req_cryptoctx->pool, sizeof(**ids) * i); - ids = PORT_ArenaZAlloc(req_cryptoctx->pool, sizeof(*ids) * (i + 1)); - if ((id == NULL) || (ids == NULL)) { - CERT_DestroyCertList(clist); - return ENOMEM; - } - - /* Fill in the identifiers. */ - i = 0; - for (node = CERT_LIST_HEAD(clist); - (node != NULL) && - (node->cert != NULL) && - !CERT_LIST_END(node, clist); - node = CERT_LIST_NEXT(node)) { - if (node->cert->keyIDGenerated) { - isn.issuer = node->cert->derIssuer; - isn.serial = node->cert->serialNumber; - if (SEC_ASN1EncodeItem(req_cryptoctx->pool, &item, &isn, - issuer_and_serial_number_template) != - &item) { - CERT_DestroyCertList(clist); - return ENOMEM; - } - id[i].issuerAndSerialNumber.data = (char *)item.data; - id[i].issuerAndSerialNumber.length = item.len; - } else { - item = node->cert->subjectKeyID; - id[i].subjectKeyIdentifier.data = (char *)item.data; - id[i].subjectKeyIdentifier.length = item.len; - } - ids[i] = &id[i]; - i++; - } - ids[i] = NULL; - - /* Pass the list back up. */ - data = NULL; - code = (*k5int_encode_krb5_td_trusted_certifiers)(ids, &data); - CERT_DestroyCertList(clist); - if (code != 0) - return code; - typed_data = malloc(sizeof(*typed_data) * 2); - if (typed_data == NULL) { - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0] = malloc(sizeof(**typed_data)); - if (typed_data[0] == NULL) { - free(typed_data); - krb5_free_data(context, data); - return ENOMEM; - } - typed_data[0]->pa_type = TD_TRUSTED_CERTIFIERS; - typed_data[0]->length = data->length; - typed_data[0]->contents = (unsigned char *) data->data; - typed_data[1] = NULL; - *pa_data = typed_data; - free(data); - return code; -} - -krb5_error_code -pkinit_process_td_trusted_certifiers(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context - id_cryptoctx, - krb5_external_principal_identifier ** - trustedCertifiers, - int td_type) -{ - /* We should select a different client certificate based on the list of - * trusted certifiers, but for now we'll just chicken out. */ - return KRB5KDC_ERR_PREAUTH_FAILED; -} - -/* Check if the encoded issuer/serial matches our (the KDC's) certificate. */ -krb5_error_code -pkinit_check_kdc_pkid(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - unsigned char *pkid_buf, - unsigned int pkid_len, int *valid_kdcPkId) -{ - PLArenaPool *pool; - CERTCertificate *cert; - SECItem pkid; - struct issuer_and_serial_number isn; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - /* Verify that we have selected a certificate for our (the KDC's) own - * use. */ - if (id_cryptoctx->id_cert == NULL) - return ENOENT; - cert = id_cryptoctx->id_cert; - - /* Decode the pair. */ - pkid.data = pkid_buf; - pkid.len = pkid_len; - memset(&isn, 0, sizeof(isn)); - if (SEC_ASN1DecodeItem(pool, &isn, issuer_and_serial_number_template, - &pkid) != SECSuccess) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Compare the issuer and serial number. */ - *valid_kdcPkId = SECITEM_ItemsAreEqual(&isn.issuer, - &cert->derIssuer) && - SECITEM_ItemsAreEqual(&isn.serial, &cert->serialNumber); - - /* Clean up. */ - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -krb5_error_code -pkinit_identity_set_prompter(pkinit_identity_crypto_context id_cryptoctx, - krb5_prompter_fct prompter, void *prompter_data) -{ - id_cryptoctx->pwcb_args.prompter = prompter; - id_cryptoctx->pwcb_args.prompter_data = prompter_data; - return 0; -} - -/* Convert a DH secret and optional data to a keyblock using the specified - * digest and a big-endian counter of the specified length that starts at the - * specified value. */ -static krb5_error_code -pkinit_octetstring_hkdf(krb5_context context, - SECOidTag hash_alg, - int counter_start, size_t counter_length, - krb5_enctype etype, - unsigned char *dh_key, unsigned int dh_key_len, - char *other_data, unsigned int other_data_len, - krb5_keyblock *krb5key) -{ - PK11Context *ctx; - unsigned int left, length, rnd_len; - unsigned char counter[8], buf[512]; /* the longest digest we support */ - int i; - char *rnd_buf; - size_t kbyte, klength; - krb5_data rnd_data; - krb5_error_code result; - NSSInitContext *ncontext; - - if (counter_length > sizeof(counter)) - return EINVAL; - result = krb5_c_keylengths(context, etype, &kbyte, &klength); - if (result != 0) - return result; - rnd_buf = malloc(dh_key_len); - if (rnd_buf == NULL) - return ENOMEM; - - memset(counter, 0, sizeof(counter)); - for (i = sizeof(counter) - 1; i >= 0; i--) - counter[i] = (counter_start >> (8 * (counter_length - 1 - i))) & 0xff; - rnd_len = kbyte; - left = rnd_len; - ncontext = NSS_InitContext(DEFAULT_CONFIGDIR, - NULL, - NULL, - NULL, - NULL, - NSS_INIT_READONLY | - NSS_INIT_NOCERTDB | - NSS_INIT_NOMODDB | - NSS_INIT_FORCEOPEN | - NSS_INIT_NOROOTINIT | - NSS_INIT_PK11RELOAD); - while (left > 0) { - ctx = PK11_CreateDigestContext(hash_alg); - if (ctx == NULL) { - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - if (PK11_DigestBegin(ctx) != SECSuccess) { - PK11_DestroyContext(ctx, PR_TRUE); - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - if (PK11_DigestOp(ctx, counter, counter_length) != SECSuccess) { - PK11_DestroyContext(ctx, PR_TRUE); - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - if (PK11_DigestOp(ctx, dh_key, dh_key_len) != SECSuccess) { - PK11_DestroyContext(ctx, PR_TRUE); - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - if ((other_data_len > 0) && - (PK11_DigestOp(ctx, (const unsigned char *) other_data, - other_data_len) != SECSuccess)) { - PK11_DestroyContext(ctx, PR_TRUE); - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - if (PK11_DigestFinal(ctx, buf, &length, sizeof(buf)) != SECSuccess) { - PK11_DestroyContext(ctx, PR_TRUE); - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - return ENOMEM; - } - PK11_DestroyContext(ctx, PR_TRUE); - if (left < length) { - length = left; - } - memcpy(rnd_buf + rnd_len - left, buf, length); - left -= length; - for (i = counter_length - 1; i >= 0; i--) { - counter[i] = ((counter[i] + 1) & 0xff); - if (counter[i] != 0) - break; - } - } - - if (NSS_ShutdownContext(ncontext) != SECSuccess) - pkiDebug("%s: error shutting down context\n", __FUNCTION__); - - krb5key->contents = malloc(klength); - if (krb5key->contents == NULL) { - krb5key->length = 0; - return ENOMEM; - } - krb5key->length = klength; - krb5key->enctype = etype; - - rnd_data.data = rnd_buf; - rnd_data.length = rnd_len; - result = krb5_c_random_to_key(context, etype, &rnd_data, krb5key); - - krb5int_zap(buf, sizeof(buf)); - krb5int_zap(rnd_buf, dh_key_len); - free(rnd_buf); - - return result; -} - -/* Convert a DH secret to a keyblock, RFC4556-style. */ -krb5_error_code -pkinit_octetstring2key(krb5_context context, - krb5_enctype etype, - unsigned char *dh_key, - unsigned int dh_key_len, krb5_keyblock *krb5key) -{ - return pkinit_octetstring_hkdf(context, - SEC_OID_SHA1, 0, 1, etype, - dh_key, dh_key_len, NULL, 0, - krb5key); -} - -/* Return TRUE if the item and the "algorithm" part of the algorithm identifier - * are the same. */ -static PRBool -data_and_ptr_and_length_equal(const krb5_data *data, - const void *ptr, size_t len) -{ - return (data->length == len) && (memcmp(data->data, ptr, len) == 0); -} - -/* Encode the other info used by the agility KDF. Taken almost verbatim from - * parts of the agility KDF in pkinit_crypto_openssl.c */ -static krb5_error_code -encode_agility_kdf_other_info(krb5_context context, - krb5_data *alg_oid, - krb5_const_principal party_u_info, - krb5_const_principal party_v_info, - krb5_enctype enctype, - krb5_data *as_req, - krb5_data *pk_as_rep, - krb5_data **other_info) -{ - krb5_error_code retval = 0; - krb5_sp80056a_other_info other_info_fields; - krb5_pkinit_supp_pub_info supp_pub_info_fields; - krb5_data *supp_pub_info = NULL; - krb5_algorithm_identifier alg_id; - - /* If this is anonymous pkinit, we need to use the anonymous principal for - * party_u_info */ - if (party_u_info && - krb5_principal_compare_any_realm(context, party_u_info, - krb5_anonymous_principal())) - party_u_info = krb5_anonymous_principal(); - - /* Encode the ASN.1 octet string for "SuppPubInfo" */ - supp_pub_info_fields.enctype = enctype; - supp_pub_info_fields.as_req = *as_req; - supp_pub_info_fields.pk_as_rep = *pk_as_rep; - retval = encode_krb5_pkinit_supp_pub_info(&supp_pub_info_fields, - &supp_pub_info); - if (retval != 0) - goto cleanup; - - /* Now encode the ASN.1 octet string for "OtherInfo" */ - memset(&alg_id, 0, sizeof alg_id); - alg_id.algorithm = *alg_oid; /*alias, don't have to free it*/ - - other_info_fields.algorithm_identifier = alg_id; - other_info_fields.party_u_info = (krb5_principal) party_u_info; - other_info_fields.party_v_info = (krb5_principal) party_v_info; - other_info_fields.supp_pub_info = *supp_pub_info; - retval = encode_krb5_sp80056a_other_info(&other_info_fields, other_info); - if (retval != 0) - goto cleanup; - -cleanup: - krb5_free_data(context, supp_pub_info); - - return retval; -} - -/* Convert a DH secret to a keyblock using the key derivation function - * identified by the passed-in algorithm identifier. Return ENOSYS if it's not - * one that we support. */ -krb5_error_code -pkinit_alg_agility_kdf(krb5_context context, - krb5_data *secret, - krb5_data *alg_oid, - krb5_const_principal party_u_info, - krb5_const_principal party_v_info, - krb5_enctype enctype, - krb5_data *as_req, - krb5_data *pk_as_rep, - krb5_keyblock *key_block) -{ - krb5_data *other_info = NULL; - krb5_error_code retval = ENOSYS; - - retval = encode_agility_kdf_other_info(context, - alg_oid, - party_u_info, - party_v_info, - enctype, as_req, pk_as_rep, - &other_info); - if (retval != 0) - return retval; - - if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha512_oid, - krb5_pkinit_sha512_oid_len)) - retval = pkinit_octetstring_hkdf(context, - SEC_OID_SHA512, 1, 4, enctype, - (unsigned char *)secret->data, - secret->length, other_info->data, - other_info->length, key_block); - else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha256_oid, - krb5_pkinit_sha256_oid_len)) - retval = pkinit_octetstring_hkdf(context, - SEC_OID_SHA256, 1, 4, enctype, - (unsigned char *)secret->data, - secret->length, other_info->data, - other_info->length, key_block); - else if (data_and_ptr_and_length_equal(alg_oid, krb5_pkinit_sha1_oid, - krb5_pkinit_sha1_oid_len)) - retval = pkinit_octetstring_hkdf(context, - SEC_OID_SHA1, 1, 4, enctype, - (unsigned char *)secret->data, - secret->length, other_info->data, - other_info->length, key_block); - else - retval = KRB5KDC_ERR_NO_ACCEPTABLE_KDF; - - krb5_free_data(context, other_info); - - return retval; -} - -static int -cert_add_string(unsigned char ***list, int *count, - int len, const unsigned char *value) -{ - unsigned char **tmp; - - tmp = malloc(sizeof(tmp[0]) * (*count + 2)); - if (tmp == NULL) { - return ENOMEM; - } - memcpy(tmp, *list, *count * sizeof(tmp[0])); - tmp[*count] = malloc(len + 1); - if (tmp[*count] == NULL) { - free(tmp); - return ENOMEM; - } - memcpy(tmp[*count], value, len); - tmp[*count][len] = '\0'; - tmp[*count + 1] = NULL; - if (*count != 0) { - free(*list); - } - *list = tmp; - (*count)++; - return 0; -} - -static int -cert_add_princ(krb5_context context, krb5_principal princ, - krb5_principal **sans_inout, int *n_sans_inout) -{ - krb5_principal *tmp; - - tmp = malloc(sizeof(krb5_principal *) * (*n_sans_inout + 2)); - if (tmp == NULL) { - return ENOMEM; - } - memcpy(tmp, *sans_inout, sizeof(tmp[0]) * *n_sans_inout); - if (krb5_copy_principal(context, princ, &tmp[*n_sans_inout]) != 0) { - free(tmp); - return ENOMEM; - } - tmp[*n_sans_inout + 1] = NULL; - if (*n_sans_inout > 0) { - free(*sans_inout); - } - *sans_inout = tmp; - (*n_sans_inout)++; - return 0; -} - -static int -cert_add_upn(PLArenaPool * pool, krb5_context context, SECItem *name, - krb5_principal **sans_inout, int *n_sans_inout) -{ - SECItem decoded; - char *unparsed; - krb5_principal tmp; - int i; - - /* Decode the string. */ - memset(&decoded, 0, sizeof(decoded)); - if (SEC_ASN1DecodeItem(pool, &decoded, - SEC_ASN1_GET(SEC_UTF8StringTemplate), - name) != SECSuccess) { - return ENOMEM; - } - unparsed = malloc(decoded.len + 1); - if (unparsed == NULL) { - return ENOMEM; - } - memcpy(unparsed, decoded.data, decoded.len); - unparsed[decoded.len] = '\0'; - /* Parse the string into a principal name. */ - if (krb5_parse_name(context, unparsed, &tmp) != 0) { - free(unparsed); - return ENOMEM; - } - free(unparsed); - /* Unparse the name back into a string and make sure it matches what - * was in the certificate. */ - if (krb5_unparse_name(context, tmp, &unparsed) != 0) { - krb5_free_principal(context, tmp); - return ENOMEM; - } - if ((strlen(unparsed) != decoded.len) || - (memcmp(unparsed, decoded.data, decoded.len) != 0)) { - krb5_free_unparsed_name(context, unparsed); - krb5_free_principal(context, tmp); - return ENOMEM; - } - /* Add the principal name to the list. */ - i = cert_add_princ(context, tmp, sans_inout, n_sans_inout); - krb5_free_unparsed_name(context, unparsed); - krb5_free_principal(context, tmp); - return i; -} - -static int -cert_add_kpn(PLArenaPool * pool, krb5_context context, SECItem *name, - krb5_principal** sans_inout, int *n_sans_inout) -{ - struct kerberos_principal_name kname; - SECItem **names; - krb5_data *comps; - krb5_principal_data tmp; - unsigned long name_type; - int i, j; - - /* Decode the structure. */ - memset(&kname, 0, sizeof(kname)); - if (SEC_ASN1DecodeItem(pool, &kname, - kerberos_principal_name_template, - name) != SECSuccess) - return ENOMEM; - - /* Recover the name type and count the components. */ - if (SEC_ASN1DecodeInteger(&kname.principal_name.name_type, - &name_type) != SECSuccess) - return ENOMEM; - names = kname.principal_name.name_string; - for (i = 0; (names != NULL) && (names[i] != NULL); i++) - continue; - comps = malloc(sizeof(comps[0]) * i); - - /* Fake up a principal structure. */ - for (j = 0; j < i; j++) { - comps[j].length = names[j]->len; - comps[j].data = (char *) names[j]->data; - } - memset(&tmp, 0, sizeof(tmp)); - tmp.type = name_type; - tmp.realm.length = kname.realm.len; - tmp.realm.data = (char *) kname.realm.data; - tmp.length = i; - tmp.data = comps; - - /* Add the principal name to the list. */ - i = cert_add_princ(context, &tmp, sans_inout, n_sans_inout); - free(comps); - return i; -} - -static const char * -crypto_get_identity_by_slot(krb5_context context, - pkinit_identity_crypto_context id_cryptoctx, - PK11SlotInfo *slot) -{ - PK11SlotInfo *mslot; - struct _pkinit_identity_crypto_userdb *userdb; - struct _pkinit_identity_crypto_module *module; - int i, j; - - mslot = id_cryptoctx->id_p12_slot.slot; - if ((mslot != NULL) && (PK11_GetSlotID(mslot) == PK11_GetSlotID(slot))) - return id_cryptoctx->id_p12_slot.p12name; - for (i = 0; - (id_cryptoctx->id_userdbs != NULL) && - (id_cryptoctx->id_userdbs[i] != NULL); - i++) { - userdb = id_cryptoctx->id_userdbs[i]; - if (PK11_GetSlotID(userdb->userdb) == PK11_GetSlotID(slot)) - return userdb->name; - } - for (i = 0; - (id_cryptoctx->id_modules != NULL) && - (id_cryptoctx->id_modules[i] != NULL); - i++) { - module = id_cryptoctx->id_modules[i]; - for (j = 0; j < module->module->slotCount; j++) { - mslot = module->module->slots[j]; - if (PK11_GetSlotID(mslot) == PK11_GetSlotID(slot)) - return module->name; - } - } - return NULL; -} - -static void -crypto_update_signer_identity(krb5_context context, - pkinit_identity_crypto_context id_cryptoctx) -{ - PK11SlotList *slist; - PK11SlotListElement *sle; - CERTCertificate *cert; - struct _pkinit_identity_crypto_file *obj; - int i; - - id_cryptoctx->identity = NULL; - if (id_cryptoctx->id_cert == NULL) - return; - cert = id_cryptoctx->id_cert; - for (i = 0; - (id_cryptoctx->id_objects != NULL) && - (id_cryptoctx->id_objects[i] != NULL); - i++) { - obj = id_cryptoctx->id_objects[i]; - if ((obj->cert != NULL) && CERT_CompareCerts(obj->cert, cert)) { - id_cryptoctx->identity = obj->name; - return; - } - } - if (cert->slot != NULL) { - id_cryptoctx->identity = crypto_get_identity_by_slot(context, - id_cryptoctx, - cert->slot); - if (id_cryptoctx->identity != NULL) - return; - } - slist = PK11_GetAllSlotsForCert(cert, NULL); - if (slist != NULL) { - for (sle = PK11_GetFirstSafe(slist); - sle != NULL; - sle = PK11_GetNextSafe(slist, sle, PR_FALSE)) { - id_cryptoctx->identity = crypto_get_identity_by_slot(context, - id_cryptoctx, - sle->slot); - if (id_cryptoctx->identity != NULL) { - PK11_FreeSlotList(slist); - return; - } - } - PK11_FreeSlotList(slist); - } -} - -krb5_error_code -crypto_retrieve_signer_identity(krb5_context context, - pkinit_identity_crypto_context id_cryptoctx, - const char **identity) -{ - *identity = id_cryptoctx->identity; - if (*identity == NULL) - return ENOENT; - return 0; -} - -static krb5_error_code -cert_retrieve_cert_sans(krb5_context context, - CERTCertificate *cert, - krb5_principal **pkinit_sans_out, - krb5_principal **upn_sans_out, - unsigned char ***kdc_hostname_out) -{ - PLArenaPool *pool; - CERTGeneralName name; - SECItem *ext, **encoded_names; - int i, n_pkinit_sans, n_upn_sans, n_hostnames; - - /* Pull out the extension. */ - ext = cert_get_ext_by_tag(cert, SEC_OID_X509_SUBJECT_ALT_NAME); - if (ext == NULL) - return ENOENT; - - /* Split up the list of names. */ - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - encoded_names = NULL; - if (SEC_ASN1DecodeItem(pool, &encoded_names, - SEC_ASN1_GET(SEC_SequenceOfAnyTemplate), - ext) != SECSuccess) { - pkiDebug("%s: error decoding subjectAltName extension\n", - __FUNCTION__); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Check each name in turn. */ - for (i = 0, n_pkinit_sans = 0, n_upn_sans = 0, n_hostnames = 0; - (encoded_names != NULL) && (encoded_names[i] != NULL); - i++) { - memset(&name, 0, sizeof(name)); - if (CERT_DecodeGeneralName(pool, encoded_names[i], &name) != &name) { - pkiDebug("%s: error decoding GeneralName value, skipping\n", - __FUNCTION__); - continue; - } - switch (name.type) { - case certDNSName: - /* hostname, easy */ - if ((kdc_hostname_out != NULL) && - (cert_add_string(kdc_hostname_out, &n_hostnames, - name.name.other.len, - name.name.other.data) != 0)) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - break; - case certOtherName: - /* possibly a kerberos principal name */ - if (SECITEM_ItemsAreEqual(&name.name.OthName.oid, - &pkinit_nt_principal)) { - /* Add it to the list. */ - if ((pkinit_sans_out != NULL) && - (cert_add_kpn(pool, context, &name.name.OthName.name, - pkinit_sans_out, &n_pkinit_sans) != 0)) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - /* If both lists are the same, fix the count. */ - if (pkinit_sans_out == upn_sans_out) - n_upn_sans = n_pkinit_sans; - } else - /* possibly a user principal name */ - if (SECITEM_ItemsAreEqual(&name.name.OthName.oid, - &pkinit_nt_upn)) { - /* Add it to the list. */ - if ((upn_sans_out != NULL) && - (cert_add_upn(pool, context, &name.name.OthName.name, - upn_sans_out, &n_upn_sans) != 0)) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - /* If both lists are the same, fix the count. */ - if (upn_sans_out == pkinit_sans_out) - n_pkinit_sans = n_upn_sans; - } - break; - default: - break; - } - } - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -krb5_error_code -crypto_retrieve_cert_sans(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_principal **pkinit_sans, - krb5_principal **upn_sans, - unsigned char ***kdc_hostname) -{ - return cert_retrieve_cert_sans(context, - req_cryptoctx->peer_cert, - pkinit_sans, upn_sans, kdc_hostname); -} - -krb5_error_code -crypto_check_cert_eku(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int checking_kdc_cert, - int allow_secondary_usage, int *eku_valid) -{ - int ku, eku; - - *eku_valid = 0; - - ku = cert_get_ku_bits(context, req_cryptoctx->peer_cert); - if (!(ku & PKINIT_KU_DIGITALSIGNATURE)) { - return 0; - } - - eku = cert_get_eku_bits(context, req_cryptoctx->peer_cert, - checking_kdc_cert ? PR_TRUE : PR_FALSE); - if (checking_kdc_cert) { - if (eku & PKINIT_EKU_PKINIT) { - *eku_valid = 1; - } else if (allow_secondary_usage && (eku & PKINIT_EKU_CLIENTAUTH)) { - *eku_valid = 1; - } - } else { - if (eku & PKINIT_EKU_PKINIT) { - *eku_valid = 1; - } else if (allow_secondary_usage && (eku & PKINIT_EKU_MSSCLOGIN)) { - *eku_valid = 1; - } - } - return 0; -} - -krb5_error_code -cms_contentinfo_create(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int cms_msg_type, - unsigned char *in_data, unsigned int in_length, - unsigned char **out_data, unsigned int *out_data_len) -{ - PLArenaPool *pool; - SECItem *oid, encoded; - SECOidTag encapsulated_tag; - struct content_info cinfo; - - switch (cms_msg_type) { - case CMS_SIGN_DRAFT9: - encapsulated_tag = get_pkinit_data_auth_data9_tag(); - break; - case CMS_SIGN_CLIENT: - encapsulated_tag = get_pkinit_data_auth_data_tag(); - break; - case CMS_SIGN_SERVER: - encapsulated_tag = get_pkinit_data_dhkey_data_tag(); - break; - case CMS_ENVEL_SERVER: - encapsulated_tag = get_pkinit_data_rkey_data_tag(); - break; - default: - return ENOSYS; - break; - } - - oid = get_oid_from_tag(encapsulated_tag); - if (oid == NULL) { - return ENOMEM; - } - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { - return ENOMEM; - } - - memset(&cinfo, 0, sizeof(cinfo)); - cinfo.content_type = *oid; - cinfo.content.data = in_data; - cinfo.content.len = in_length; - - memset(&encoded, 0, sizeof(encoded)); - if (SEC_ASN1EncodeItem(pool, &encoded, &cinfo, - content_info_template) != &encoded) { - PORT_FreeArena(pool, PR_TRUE); - pkiDebug("%s: error encoding data\n", __FUNCTION__); - return ENOMEM; - } - - if (secitem_to_buf_len(&encoded, out_data, out_data_len) != 0) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } -#ifdef DEBUG_DER - derdump(*out_data, *out_data_len); -#endif -#ifdef DEBUG_CMS - cmsdump(*out_data, *out_data_len); -#endif - - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -/* Create a signed-data content info, add a signature to it, and return it. */ -enum sdcc_include_certchain { - signeddata_common_create_omit_chain, - signeddata_common_create_with_chain -}; -enum sdcc_include_signed_attrs { - signeddata_common_create_omit_signed_attrs, - signeddata_common_create_with_signed_attrs -}; -static krb5_error_code -crypto_signeddata_common_create(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - NSSCMSMessage *msg, - SECOidTag digest, - enum sdcc_include_certchain certchain_mode, - enum sdcc_include_signed_attrs add_signedattrs, - NSSCMSSignedData **signed_data_out) -{ - NSSCMSSignedData *sdata; - NSSCMSSignerInfo *signer; - NSSCMSCertChainMode chainmode; - - /* Create a signed-data object. */ - sdata = NSS_CMSSignedData_Create(msg); - if (sdata == NULL) - return ENOMEM; - - if (id_cryptoctx->id_cert != NULL) { - /* Create a signer and add it to the signed-data pointer. */ - signer = NSS_CMSSignerInfo_Create(msg, id_cryptoctx->id_cert, digest); - if (signer == NULL) - return ENOMEM; - chainmode = (certchain_mode == signeddata_common_create_with_chain) ? - NSSCMSCM_CertChain : - NSSCMSCM_CertOnly; - if (NSS_CMSSignerInfo_IncludeCerts(signer, - chainmode, - certUsageAnyCA) != SECSuccess) { - pkiDebug("%s: error setting IncludeCerts\n", __FUNCTION__); - return ENOMEM; - } - if (NSS_CMSSignedData_AddSignerInfo(sdata, signer) != SECSuccess) - return ENOMEM; - - if (add_signedattrs == signeddata_common_create_with_signed_attrs) { - /* The presence of any signed attribute means the digest - * becomes a signed attribute, too. */ - if (NSS_CMSSignerInfo_AddSigningTime(signer, - PR_Now()) != SECSuccess) { - pkiDebug("%s: error adding signing time\n", __FUNCTION__); - return ENOMEM; - } - } - } - - *signed_data_out = sdata; - return 0; -} - -/* Create signed-then-enveloped data. */ -krb5_error_code -cms_envelopeddata_create(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_preauthtype pa_type, - int include_certchain, - unsigned char *key_pack, - unsigned int key_pack_len, - unsigned char **envel_data, - unsigned int *envel_data_len) -{ - NSSCMSMessage *msg; - NSSCMSContentInfo *info; - NSSCMSEnvelopedData *env; - NSSCMSRecipientInfo *recipient; - NSSCMSSignedData *sdata; - PLArenaPool *pool; - SECOidTag encapsulated_tag, digest; - SECItem plain, encoded; - enum sdcc_include_signed_attrs add_signed_attrs; - - switch (pa_type) { - case KRB5_PADATA_PK_AS_REQ_OLD: - case KRB5_PADATA_PK_AS_REP_OLD: - digest = SEC_OID_MD5; - add_signed_attrs = signeddata_common_create_omit_signed_attrs; - encapsulated_tag = get_pkinit_data_rkey_data_tag(); - break; - case KRB5_PADATA_PK_AS_REQ: - case KRB5_PADATA_PK_AS_REP: - digest = SEC_OID_SHA1; - add_signed_attrs = signeddata_common_create_with_signed_attrs; - encapsulated_tag = get_pkinit_data_rkey_data_tag(); - break; - default: - return ENOSYS; - break; - } - - if (id_cryptoctx->id_cert == NULL) { - pkiDebug("%s: no signer identity\n", __FUNCTION__); - return ENOENT; - } - - if (req_cryptoctx->peer_cert == NULL) { - pkiDebug("%s: no recipient identity\n", __FUNCTION__); - return ENOENT; - } - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) { - return ENOMEM; - } - - /* Create the containing message. */ - msg = NSS_CMSMessage_Create(pool); - if (msg == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Create an enveloped-data pointer and set it as the message's - * contents. */ - env = NSS_CMSEnvelopedData_Create(msg, SEC_OID_DES_EDE3_CBC, 0); - if (env == NULL) { - pkiDebug("%s: error creating enveloped-data\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - info = NSS_CMSMessage_GetContentInfo(msg); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_SetContent_EnvelopedData(msg, info, - env) != SECSuccess) { - pkiDebug("%s: error setting enveloped-data content\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Create a recipient and add it to the enveloped-data pointer. */ - recipient = NSS_CMSRecipientInfo_Create(msg, req_cryptoctx->peer_cert); - if (recipient == NULL) { - pkiDebug("%s: error creating recipient-info\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSEnvelopedData_AddRecipient(env, recipient) != SECSuccess) { - pkiDebug("%s: error adding recipient\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Create a signed-data pointer and set it as the enveloped-data's - * contents. */ - info = NSS_CMSEnvelopedData_GetContentInfo(env); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - sdata = NULL; - if ((crypto_signeddata_common_create(context, - plg_cryptoctx, - req_cryptoctx, - id_cryptoctx, - msg, - digest, - include_certchain ? - signeddata_common_create_with_chain : - signeddata_common_create_omit_chain, - add_signed_attrs, - &sdata) != 0) || (sdata == NULL)) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_SetContent_SignedData(msg, info, - sdata) != SECSuccess) { - pkiDebug("%s: error setting signed-data content\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Set the raw data as the contents for the signed-data. */ - info = NSS_CMSSignedData_GetContentInfo(sdata); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag, - NULL) != SECSuccess) { - pkiDebug("%s: error setting encapsulated content\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Encode and export. */ - memset(&plain, 0, sizeof(plain)); - plain.data = key_pack; - plain.len = key_pack_len; - memset(&encoded, 0, sizeof(encoded)); - if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) { - pkiDebug("%s: error encoding enveloped-data\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (secitem_to_buf_len(&encoded, envel_data, envel_data_len) != 0) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } -#ifdef DEBUG_DER - derdump(*envel_data, *envel_data_len); -#endif -#ifdef DEBUG_CMS - cmsdump(*envel_data, *envel_data_len); -#endif - - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -/* Check if this cert is marked as a CA which is trusted to issue certs for - * the indicated usage. Return PR_TRUE if it is. */ -static PRBool -crypto_is_cert_trusted(CERTCertificate *cert, SECCertUsage usage) -{ - CERTCertTrust trust; - unsigned int ca_trust; - - if (usage == certUsageSSLClient) - ca_trust = CERTDB_TRUSTED_CLIENT_CA; - else if (usage == certUsageSSLServer) - ca_trust = CERTDB_TRUSTED_CA; - else { - pkiDebug("%s: internal error: needed CA trust unknown\n", __FUNCTION__); - return PR_FALSE; - } - memset(&trust, 0, sizeof(trust)); - if (CERT_GetCertTrust(cert, &trust) != SECSuccess) { - pkiDebug("%s: unable to find trust for \"%s\"\n", __FUNCTION__, - cert->subjectName); - return PR_FALSE; - } - if ((SEC_GET_TRUST_FLAGS(&trust, trustSSL) & ca_trust) != ca_trust) { - pkiDebug("%s: \"%s\" is not a trusted CA\n", __FUNCTION__, - cert->subjectName); - return PR_FALSE; - } - return PR_TRUE; -} - -/* Check if this cert includes an AuthorityInfoAccess extension which points - * to an OCSP responder. Return PR_TRUE if it does. */ -static PRBool -crypto_cert_has_ocsp_responder(CERTCertificate *cert) -{ - CERTAuthInfoAccess **aia; - SECOidData *ocsp; - SECItem encoded_aia; - int i; - - /* Look up the OID for "use an OCSP responder". */ - ocsp = SECOID_FindOIDByTag(SEC_OID_PKIX_OCSP); - if (ocsp == NULL) { - pkiDebug("%s: internal error: OCSP not known\n", __FUNCTION__); - return PR_FALSE; - } - /* Find the AIA extension. */ - memset(&encoded_aia, 0, sizeof(encoded_aia)); - if (CERT_FindCertExtension(cert, SEC_OID_X509_AUTH_INFO_ACCESS, - &encoded_aia) != SECSuccess) { - pkiDebug("%s: no AuthorityInfoAccess extension for \"%s\"\n", - __FUNCTION__, cert->subjectName); - return PR_FALSE; - } - /* Decode the AIA extension. */ - aia = CERT_DecodeAuthInfoAccessExtension(cert->arena, &encoded_aia); - if (aia == NULL) { - pkiDebug("%s: error parsing AuthorityInfoAccess for \"%s\"\n", - __FUNCTION__, cert->subjectName); - return PR_FALSE; - } - /* We're looking for at least one OCSP responder. */ - for (i = 0; (aia[i] != NULL); i++) - if (SECITEM_ItemsAreEqual(&(aia[i]->method), &(ocsp->oid))) { - pkiDebug("%s: found OCSP responder for \"%s\"\n", - __FUNCTION__, cert->subjectName); - return PR_TRUE; - } - return PR_FALSE; -} - -/* In the original implementation, the assumption has been that we'd use any - * CRLs, and if we were missing a CRL for the certificate or any point in its - * issuing chain, we'd raise a failure iff the require_crl_checking flag was - * set. - * - * This is not exactly how NSS does things. When checking the revocation - * status of a particular certificate, NSS will consult a cached copy of a CRL - * issued by the certificate's issuer if one's available. If the CRL shows - * that the certificate is revoked, it returns an error. If it succeeds, - * however, processing continues, and if the certificate contains an AIA - * extension which lists an OCSP responder, the library attempts to contact the - * responder to also give it a chance to tell us that the certificate has been - * revoked. We can control what happens if this connection attempt fails by - * calling CERT_SetOCSPFailureMode(). - * - * We attempt to compensate for this difference in behavior by walking the - * issuing chain ourselves, ensuring that for the certificate and all of its - * issuers, that either we have a CRL on-hand for its issuer, or if OCSP - * checking is allowed, that the certificate contains the location of an OCSP - * responder. We stop only when we reach a trusted CA certificate, as NSS - * does. */ -static int -crypto_check_for_revocation_information(CERTCertificate *cert, - CERTCertDBHandle *certdb, - PRBool allow_ocsp_checking, - SECCertUsage usage) -{ - CERTCertificate *issuer; - CERTSignedCrl *crl; - - issuer = CERT_FindCertIssuer(cert, PR_Now(), usage); - while (issuer != NULL) { - /* Do we have a CRL for this cert's issuer? */ - crl = SEC_FindCrlByName(certdb, &cert->derIssuer, SEC_CRL_TYPE); - if (crl != NULL) { - pkiDebug("%s: have CRL for \"%s\"\n", __FUNCTION__, - cert->issuerName); - } else { - SEC_DestroyCrl(crl); - if (allow_ocsp_checking) { - /* Check if the cert points to an OCSP responder. */ - if (!crypto_cert_has_ocsp_responder(cert)) { - /* No CRL, no OCSP responder. */ - pkiDebug("%s: no OCSP responder for \"%s\"\n", __FUNCTION__, - cert->subjectName); - return -1; - } - } else { - /* No CRL, and OCSP not allowed. */ - pkiDebug("%s: no CRL for issuer \"%s\"\n", __FUNCTION__, - cert->issuerName); - return -1; - } - } - /* Check if this issuer is a trusted CA. If it is, we're done. */ - if (crypto_is_cert_trusted(issuer, usage)) { - pkiDebug("%s: \"%s\" is a trusted CA\n", __FUNCTION__, - issuer->subjectName); - CERT_DestroyCertificate(issuer); - return 0; - } - /* Move on to the next link in the chain. */ - cert = issuer; - issuer = CERT_FindCertIssuer(cert, PR_Now(), usage); - if (issuer == NULL) { - pkiDebug("%s: unable to find issuer for \"%s\"\n", __FUNCTION__, - cert->subjectName); - /* Don't leak the reference to the last intermediate. */ - CERT_DestroyCertificate(cert); - return -1; - } - if (SECITEM_ItemsAreEqual(&cert->derCert, &issuer->derCert)) { - pkiDebug("%s: \"%s\" is self-signed, but not trusted\n", - __FUNCTION__, cert->subjectName); - /* Don't leak the references to the self-signed cert. */ - CERT_DestroyCertificate(issuer); - CERT_DestroyCertificate(cert); - return -1; - } - /* Don't leak the reference to the just-traversed intermediate. */ - CERT_DestroyCertificate(cert); - cert = NULL; - } - return -1; -} - -/* Verify that we have a signed-data content info, that it has one signer, that - * the signer can be trusted, and then check the type of the encapsulated - * content and return that content. */ -static krb5_error_code -crypto_signeddata_common_verify(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int require_crl_checking, - NSSCMSContentInfo *cinfo, - CERTCertDBHandle *certdb, - SECCertUsage usage, - SECOidTag expected_type, - SECOidTag expected_type2, - PLArenaPool *pool, - int cms_msg_type, - SECItem **plain_out, - int *is_signed_out) -{ - NSSCMSSignedData *sdata; - NSSCMSSignerInfo *signer; - NSSCMSMessage *ecmsg; - NSSCMSContentInfo *ecinfo; - CERTCertificate *cert; - SECOidTag encapsulated_tag; - SEC_OcspFailureMode ocsp_failure_mode; - SECOidData *expected, *received; - SECStatus status; - SECItem *edata; - int n_signers; - PRBool allow_ocsp_checking = PR_TRUE; - - *is_signed_out = 0; - - /* Handle cases where we're passed data containing signed-data. */ - if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) == SEC_OID_PKCS7_DATA) { - /* Look at the payload data. */ - edata = NSS_CMSContentInfo_GetContent(cinfo); - if (edata == NULL) { - pkiDebug("%s: no plain-data content\n", __FUNCTION__); - return ENOMEM; - } - /* See if it's content-info. */ - ecmsg = NSS_CMSMessage_CreateFromDER(edata, - NULL, NULL, - crypto_pwcb, - crypto_pwcb_prep(id_cryptoctx, - NULL, context), - NULL, NULL); - if (ecmsg == NULL) { - pkiDebug("%s: plain-data not parsable\n", __FUNCTION__); - return ENOMEM; - } - /* Check if it actually contains signed-data. */ - ecinfo = NSS_CMSMessage_GetContentInfo(ecmsg); - if (ecinfo == NULL) { - pkiDebug("%s: plain-data has no cinfo\n", __FUNCTION__); - NSS_CMSMessage_Destroy(ecmsg); - return ENOMEM; - } - if (NSS_CMSContentInfo_GetContentTypeTag(ecinfo) != - SEC_OID_PKCS7_SIGNED_DATA) { - pkiDebug("%s: plain-data is not sdata\n", __FUNCTION__); - NSS_CMSMessage_Destroy(ecmsg); - return EINVAL; - } - pkiDebug("%s: parsed plain-data (length=%ld) as signed-data\n", - __FUNCTION__, (long) edata->len); - cinfo = ecinfo; - } else - /* Okay, it's a normal signed-data blob. */ - ecmsg = NULL; - - /* Check that we have signed data, that it has exactly one signature, - * and fish out the signer information. */ - if (NSS_CMSContentInfo_GetContentTypeTag(cinfo) != - SEC_OID_PKCS7_SIGNED_DATA) { - pkiDebug("%s: content type mismatch\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return EINVAL; - } - sdata = NSS_CMSContentInfo_GetContent(cinfo); - if (sdata == NULL) { - pkiDebug("%s: decoding error? content-info was NULL\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOENT; - } - n_signers = NSS_CMSSignedData_SignerInfoCount(sdata); - if (n_signers > 1) { - pkiDebug("%s: wrong number of signers (%d, not 0 or 1)\n", - __FUNCTION__, n_signers); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOENT; - } - if (n_signers < 1) - signer = NULL; - else { - /* Import the bundle's certs and locate the signerInfo. */ - if (NSS_CMSSignedData_ImportCerts(sdata, certdb, usage, - PR_FALSE) != SECSuccess) { - pkiDebug("%s: error importing signer certs\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOENT; - } - signer = NSS_CMSSignedData_GetSignerInfo(sdata, 0); - if (signer == NULL) { - pkiDebug("%s: no signers?\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOENT; - } - if (!NSS_CMSSignedData_HasDigests(sdata)) { - pkiDebug("%s: no digests?\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOENT; - } - if (require_crl_checking && (signer->cert != NULL)) - if (crypto_check_for_revocation_information(signer->cert, certdb, - allow_ocsp_checking, - usage) != 0) { - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return KRB5KDC_ERR_REVOCATION_STATUS_UNAVAILABLE; - } - if (allow_ocsp_checking) { - status = CERT_EnableOCSPChecking(certdb); - if (status != SECSuccess) { - pkiDebug("%s: error enabling OCSP: %s\n", __FUNCTION__, - PR_ErrorToString(status == SECFailure ? - PORT_GetError() : status, - PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOMEM; - } - ocsp_failure_mode = require_crl_checking ? - ocspMode_FailureIsVerificationFailure : - ocspMode_FailureIsNotAVerificationFailure; - status = CERT_SetOCSPFailureMode(ocsp_failure_mode); - if (status != SECSuccess) { - pkiDebug("%s: error setting OCSP failure mode: %s\n", - __FUNCTION__, - PR_ErrorToString(status == SECFailure ? - PORT_GetError() : status, - PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOMEM; - } - } else { - status = CERT_DisableOCSPChecking(certdb); - if ((status != SECSuccess) && - (PORT_GetError() != SEC_ERROR_OCSP_NOT_ENABLED)) { - pkiDebug("%s: error disabling OCSP: %s\n", __FUNCTION__, - PR_ErrorToString(status == SECFailure ? - PORT_GetError() : status, - PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOMEM; - } - } - status = NSS_CMSSignedData_VerifySignerInfo(sdata, 0, certdb, usage); - if (status != SECSuccess) { - pkiDebug("%s: signer verify failed: %s\n", __FUNCTION__, - PR_ErrorToString(status == SECFailure ? - PORT_GetError() : status, - PR_LANGUAGE_I_DEFAULT)); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - switch (cms_msg_type) { - case CMS_SIGN_DRAFT9: - case CMS_SIGN_CLIENT: - switch (PORT_GetError()) { - case SEC_ERROR_REVOKED_CERTIFICATE: - return KRB5KDC_ERR_REVOKED_CERTIFICATE; - case SEC_ERROR_UNKNOWN_ISSUER: - return KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE; - default: - return KRB5KDC_ERR_CLIENT_NOT_TRUSTED; - } - break; - case CMS_SIGN_SERVER: - case CMS_ENVEL_SERVER: - switch (PORT_GetError()) { - case SEC_ERROR_REVOKED_CERTIFICATE: - return KRB5KDC_ERR_REVOKED_CERTIFICATE; - case SEC_ERROR_UNKNOWN_ISSUER: - return KRB5KDC_ERR_CANT_VERIFY_CERTIFICATE; - default: - return KRB5KDC_ERR_KDC_NOT_TRUSTED; - } - break; - default: - return ENOMEM; - } - } - pkiDebug("%s: signer verify passed\n", __FUNCTION__); - *is_signed_out = 1; - } - /* Pull out the payload. */ - ecinfo = NSS_CMSSignedData_GetContentInfo(sdata); - if (ecinfo == NULL) { - pkiDebug("%s: error getting encapsulated content\n", __FUNCTION__); - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return ENOMEM; - } - encapsulated_tag = NSS_CMSContentInfo_GetContentTypeTag(ecinfo); - if ((encapsulated_tag != expected_type) && - ((expected_type2 == SEC_OID_UNKNOWN) || - (encapsulated_tag != expected_type2))) { - pkiDebug("%s: wrong encapsulated content type\n", __FUNCTION__); - expected = SECOID_FindOIDByTag(expected_type); - if (encapsulated_tag != SEC_OID_UNKNOWN) - received = SECOID_FindOIDByTag(encapsulated_tag); - else - received = NULL; - if (expected != NULL) { - if (received != NULL) { - pkiDebug("%s: was expecting \"%s\"(%d), but got \"%s\"(%d)\n", - __FUNCTION__, - expected->desc, expected->offset, - received->desc, received->offset); - } else { - pkiDebug("%s: was expecting \"%s\"(%d), " - "but got unrecognized type (%d)\n", - __FUNCTION__, - expected->desc, expected->offset, encapsulated_tag); - } - } - if (ecmsg != NULL) - NSS_CMSMessage_Destroy(ecmsg); - return EINVAL; - } - *plain_out = NSS_CMSContentInfo_GetContent(ecinfo); - if ((*plain_out != NULL) && ((*plain_out)->len == 0)) - pkiDebug("%s: warning: encapsulated content appears empty\n", - __FUNCTION__); - if (signer != NULL) { - /* Save the peer cert -- we'll need it later. */ - pkiDebug("%s: saving peer certificate\n", __FUNCTION__); - if (req_cryptoctx->peer_cert != NULL) - CERT_DestroyCertificate(req_cryptoctx->peer_cert); - cert = NSS_CMSSignerInfo_GetSigningCertificate(signer, certdb); - req_cryptoctx->peer_cert = CERT_DupCertificate(cert); - } - if (ecmsg != NULL) { - *plain_out = SECITEM_ArenaDupItem(pool, *plain_out); - NSS_CMSMessage_Destroy(ecmsg); - } - return 0; -} - -/* Verify signed-then-enveloped data, and return the data that was signed. */ -krb5_error_code -cms_envelopeddata_verify(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - krb5_preauthtype pa_type, - int require_crl_checking, - unsigned char *envel_data, - unsigned int envel_data_len, - unsigned char **signed_data, - unsigned int *signed_data_len) -{ - NSSCMSMessage *msg; - NSSCMSContentInfo *info; - NSSCMSEnvelopedData *env; - CERTCertDBHandle *certdb; - PLArenaPool *pool; - SECItem *plain, encoded; - SECCertUsage usage; - SECOidTag expected_tag, expected_tag2; - int is_signed, ret; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - certdb = CERT_GetDefaultCertDB(); - - /* Decode the message. */ -#ifdef DEBUG_DER - derdump(envel_data, envel_data_len); -#endif - encoded.data = envel_data; - encoded.len = envel_data_len; - msg = NSS_CMSMessage_CreateFromDER(&encoded, - NULL, NULL, - crypto_pwcb, - crypto_pwcb_prep(id_cryptoctx, - NULL, context), - NULL, NULL); - if (msg == NULL) - return ENOMEM; - - /* Make sure it's enveloped-data. */ - info = NSS_CMSMessage_GetContentInfo(msg); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_GetContentTypeTag(info) != - SEC_OID_PKCS7_ENVELOPED_DATA) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return EINVAL; - } - - /* Okay, it's enveloped-data. */ - env = NSS_CMSContentInfo_GetContent(info); - - /* Pull out the encapsulated content. It should be signed-data. */ - info = NSS_CMSEnvelopedData_GetContentInfo(env); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Pull out the signed data and verify it. */ - expected_tag = get_pkinit_data_rkey_data_tag(); - expected_tag2 = SEC_OID_PKCS7_DATA; - usage = certUsageSSLServer; - plain = NULL; - is_signed = 0; - ret = crypto_signeddata_common_verify(context, - plg_cryptoctx, - req_cryptoctx, - id_cryptoctx, - require_crl_checking, - info, - certdb, - usage, - expected_tag, - expected_tag2, - pool, - CMS_ENVEL_SERVER, - &plain, - &is_signed); - if ((ret != 0) || (plain == NULL) || !is_signed) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ret ? ret : ENOMEM; - } - /* Export the payload. */ - if (secitem_to_buf_len(plain, signed_data, signed_data_len) != 0) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -krb5_error_code -cms_signeddata_create(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int cms_msg_type, - int include_certchain, - unsigned char *payload, - unsigned int payload_len, - unsigned char **signed_data, - unsigned int *signed_data_len) -{ - NSSCMSMessage *msg; - NSSCMSContentInfo *info; - NSSCMSSignedData *sdata; - PLArenaPool *pool; - SECItem plain, encoded; - SECOidTag digest, encapsulated_tag; - enum sdcc_include_signed_attrs add_signed_attrs; - - switch (cms_msg_type) { - case CMS_SIGN_DRAFT9: - digest = SEC_OID_MD5; - add_signed_attrs = signeddata_common_create_omit_signed_attrs; - encapsulated_tag = get_pkinit_data_auth_data9_tag(); - break; - case CMS_SIGN_CLIENT: - digest = SEC_OID_SHA1; - add_signed_attrs = signeddata_common_create_with_signed_attrs; - encapsulated_tag = get_pkinit_data_auth_data_tag(); - break; - case CMS_SIGN_SERVER: - digest = SEC_OID_SHA1; - add_signed_attrs = signeddata_common_create_with_signed_attrs; - encapsulated_tag = get_pkinit_data_dhkey_data_tag(); - break; - case CMS_ENVEL_SERVER: - default: - return ENOSYS; - break; - } - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - - /* Create the containing message. */ - msg = NSS_CMSMessage_Create(pool); - if (msg == NULL) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Create a signed-data pointer and set it as the message's - * contents. */ - info = NSS_CMSMessage_GetContentInfo(msg); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - sdata = NULL; - if ((crypto_signeddata_common_create(context, - plg_cryptoctx, - req_cryptoctx, - id_cryptoctx, - msg, - digest, - include_certchain ? - signeddata_common_create_with_chain : - signeddata_common_create_omit_chain, - add_signed_attrs, - &sdata) != 0) || (sdata == NULL)) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_SetContent_SignedData(msg, info, - sdata) != SECSuccess) { - pkiDebug("%s: error setting signed-data content\n", __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Set the data as the contents of the signed-data. */ - info = NSS_CMSSignedData_GetContentInfo(sdata); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - if (NSS_CMSContentInfo_SetContent(msg, info, encapsulated_tag, - NULL) != SECSuccess) { - pkiDebug("%s: error setting encapsulated content type\n", - __FUNCTION__); - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Encode and export. */ - memset(&plain, 0, sizeof(plain)); - plain.data = payload; - plain.len = payload_len; - memset(&encoded, 0, sizeof(encoded)); - if (NSS_CMSDEREncode(msg, &plain, &encoded, pool) != SECSuccess) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - pkiDebug("%s: error encoding signed-data: %s\n", __FUNCTION__, - PORT_ErrorToName(PORT_GetError())); - return ENOMEM; - } - if (secitem_to_buf_len(&encoded, signed_data, signed_data_len) != 0) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } -#ifdef DEBUG_DER - derdump(*signed_data, *signed_data_len); -#endif -#ifdef DEBUG_CMS - cmsdump(*signed_data, *signed_data_len); -#endif - - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -krb5_error_code -cms_signeddata_verify(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int cms_msg_type, - int require_crl_checking, - unsigned char *signed_data, - unsigned int signed_data_len, - unsigned char **payload, - unsigned int *payload_len, - unsigned char **authz_data, - unsigned int *authz_data_len, - int *is_signed) -{ - NSSCMSMessage *msg; - NSSCMSContentInfo *info; - CERTCertDBHandle *certdb; - SECCertUsage usage; - SECOidTag expected_tag, expected_tag2; - PLArenaPool *pool; - SECItem *plain, encoded; - struct content_info simple_content_info; - int was_signed, ret; - - switch (cms_msg_type) { - case CMS_SIGN_DRAFT9: - usage = certUsageSSLClient; - expected_tag = get_pkinit_data_auth_data9_tag(); - break; - case CMS_SIGN_CLIENT: - usage = certUsageSSLClient; - expected_tag = get_pkinit_data_auth_data_tag(); - break; - case CMS_SIGN_SERVER: - usage = certUsageSSLServer; - expected_tag = get_pkinit_data_dhkey_data_tag(); - break; - case CMS_ENVEL_SERVER: - default: - return ENOSYS; - break; - } - expected_tag2 = SEC_OID_UNKNOWN; - - pool = PORT_NewArena(sizeof(double)); - if (pool == NULL) - return ENOMEM; - certdb = CERT_GetDefaultCertDB(); - -#ifdef DEBUG_DER - derdump(signed_data, signed_data_len); -#endif - - memset(&encoded, 0, sizeof(encoded)); - encoded.data = signed_data; - encoded.len = signed_data_len; - - /* Take a quick look at what it claims to be. */ - memset(&simple_content_info, 0, sizeof(simple_content_info)); - if (SEC_ASN1DecodeItem(pool, &simple_content_info, - content_info_template, &encoded) == SECSuccess) - /* If it's unsigned data of the right type... */ - if (SECOID_FindOIDTag(&simple_content_info.content_type) == - expected_tag) { - /* Pull out the payload -- it's not wrapped in a - * SignedData. */ - pkiDebug("%s: data is not signed\n", __FUNCTION__); - if (is_signed != NULL) - *is_signed = 0; - if (secitem_to_buf_len(&simple_content_info.content, - payload, payload_len) != 0) { - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - return 0; - } - - /* Decode the message. */ - msg = NSS_CMSMessage_CreateFromDER(&encoded, - NULL, NULL, - crypto_pwcb, - crypto_pwcb_prep(id_cryptoctx, - NULL, context), - NULL, NULL); - if (msg == NULL) - return ENOMEM; - - /* Double-check that it's signed. */ - info = NSS_CMSMessage_GetContentInfo(msg); - if (info == NULL) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - switch (NSS_CMSContentInfo_GetContentTypeTag(info)) { - case SEC_OID_PKCS7_SIGNED_DATA: - /* It's signed: try to verify the signature. */ - pkiDebug("%s: data is probably signed, checking\n", __FUNCTION__); - plain = NULL; - was_signed = 0; - ret = crypto_signeddata_common_verify(context, - plg_cryptoctx, - req_cryptoctx, - id_cryptoctx, - require_crl_checking, - info, - certdb, - usage, - expected_tag, - expected_tag2, - pool, - cms_msg_type, - &plain, - &was_signed); - if ((ret != 0) || (plain == NULL)) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ret ? ret : ENOMEM; - } - if (is_signed != NULL) - *is_signed = was_signed; - break; - case SEC_OID_PKCS7_DATA: - /* It's not signed: try to pull out the payload. */ - pkiDebug("%s: data is not signed\n", __FUNCTION__); - if (is_signed != NULL) - *is_signed = 0; - plain = NSS_CMSContentInfo_GetContent(info); - break; - default: - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - - /* Export the payload. */ - if ((plain == NULL) || - (secitem_to_buf_len(plain, payload, payload_len) != 0)) { - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - return ENOMEM; - } - NSS_CMSMessage_Destroy(msg); - PORT_FreeArena(pool, PR_TRUE); - - return 0; -} - -/* - * Add an item to the pkinit_identity_crypto_context's list of deferred - * identities. - */ -krb5_error_code -crypto_set_deferred_id(krb5_context context, - pkinit_identity_crypto_context id_cryptoctx, - const char *identity, const char *password) -{ - unsigned long ck_flags; - - ck_flags = pkinit_get_deferred_id_flags(id_cryptoctx->deferred_ids, - identity); - return pkinit_set_deferred_id(&id_cryptoctx->deferred_ids, - identity, ck_flags, password); -} - -/* - * Retrieve a read-only copy of the pkinit_identity_crypto_context's list of - * deferred identities, sure to be valid only until the next time someone calls - * either pkinit_set_deferred_id() or crypto_set_deferred_id(). - */ -const pkinit_deferred_id * -crypto_get_deferred_ids(krb5_context context, - pkinit_identity_crypto_context id_cryptoctx) -{ - pkinit_deferred_id *deferred; - const pkinit_deferred_id *ret; - - deferred = id_cryptoctx->deferred_ids; - ret = (const pkinit_deferred_id *)deferred; - return ret; -} diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c index 74fffbf..5ff81d8 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.c @@ -29,8 +29,10 @@ * SUCH DAMAGES. */ +#include "k5-int.h" #include "pkinit_crypto_openssl.h" #include "k5-buf.h" +#include "k5-hex.h" #include #include #include @@ -67,10 +69,6 @@ static krb5_error_code pkinit_decode_data const uint8_t *data, unsigned int data_len, uint8_t **decoded, unsigned int *decoded_len); -static krb5_error_code decode_data -(uint8_t **, unsigned int *, const uint8_t *, unsigned int, EVP_PKEY *pkey, - X509 *cert); - #ifdef DEBUG_DH static void print_dh(DH *, char *); static void print_pubkey(BIGNUM *, char *); @@ -1154,7 +1152,7 @@ cms_signeddata_create(krb5_context context, X509_ALGOR *alg = NULL; ASN1_OCTET_STRING *digest = NULL; unsigned int alg_len = 0, digest_len = 0; - unsigned char *y = NULL, *alg_buf = NULL, *digest_buf = NULL; + unsigned char *y = NULL; X509 *cert = NULL; ASN1_OBJECT *oid = NULL, *oid_copy; @@ -1321,18 +1319,12 @@ cms_signeddata_create(krb5_context context, goto cleanup2; X509_ALGOR_set0(alg, OBJ_nid2obj(NID_sha1), V_ASN1_NULL, NULL); alg_len = i2d_X509_ALGOR(alg, NULL); - alg_buf = malloc(alg_len); - if (alg_buf == NULL) - goto cleanup2; digest = ASN1_OCTET_STRING_new(); if (digest == NULL) goto cleanup2; ASN1_OCTET_STRING_set(digest, md_data2, (int)md_len2); digest_len = i2d_ASN1_OCTET_STRING(digest, NULL); - digest_buf = malloc(digest_len); - if (digest_buf == NULL) - goto cleanup2; digestInfo_len = ASN1_object_size(1, (int)(alg_len + digest_len), V_ASN1_SEQUENCE); @@ -1421,9 +1413,7 @@ cleanup2: #ifndef WITHOUT_PKCS11 if (id_cryptoctx->pkcs11_method == 1 && id_cryptoctx->mech == CKM_RSA_PKCS) { - free(digest_buf); free(digestInfo_buf); - free(alg_buf); if (digest != NULL) ASN1_OCTET_STRING_free(digest); } @@ -2095,17 +2085,26 @@ crypto_retrieve_X509_sans(krb5_context context, pkinit_plg_crypto_context plgctx, pkinit_req_crypto_context reqctx, X509 *cert, - krb5_principal **princs_ret, - krb5_principal **upn_ret, + krb5_principal **princs_ret, char ***upn_ret, unsigned char ***dns_ret) { krb5_error_code retval = EINVAL; char buf[DN_BUF_LEN]; - int p = 0, u = 0, d = 0, l; + int p = 0, u = 0, d = 0, ret = 0, l; krb5_principal *princs = NULL; - krb5_principal *upns = NULL; + char **upns = NULL; unsigned char **dnss = NULL; - unsigned int i, num_found = 0; + unsigned int i, num_found = 0, num_sans = 0; + X509_EXTENSION *ext = NULL; + GENERAL_NAMES *ialt = NULL; + GENERAL_NAME *gen = NULL; + + if (princs_ret != NULL) + *princs_ret = NULL; + if (upn_ret != NULL) + *upn_ret = NULL; + if (dns_ret != NULL) + *dns_ret = NULL; if (princs_ret == NULL && upn_ret == NULL && dns_ret == NULL) { pkiDebug("%s: nowhere to return any values!\n", __FUNCTION__); @@ -2121,143 +2120,130 @@ crypto_retrieve_X509_sans(krb5_context context, buf, sizeof(buf)); pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf); - if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) { - X509_EXTENSION *ext = NULL; - GENERAL_NAMES *ialt = NULL; - GENERAL_NAME *gen = NULL; - int ret = 0; - unsigned int num_sans = 0; + l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1); + if (l < 0) + return 0; - if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { - pkiDebug("%s: found no subject alt name extensions\n", - __FUNCTION__); - goto cleanup; - } - num_sans = sk_GENERAL_NAME_num(ialt); + if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) { + pkiDebug("%s: found no subject alt name extensions\n", __FUNCTION__); + goto cleanup; + } + num_sans = sk_GENERAL_NAME_num(ialt); - pkiDebug("%s: found %d subject alt name extension(s)\n", - __FUNCTION__, num_sans); + pkiDebug("%s: found %d subject alt name extension(s)\n", __FUNCTION__, + num_sans); - /* OK, we're likely returning something. Allocate return values */ - if (princs_ret != NULL) { - princs = calloc(num_sans + 1, sizeof(krb5_principal)); - if (princs == NULL) { - retval = ENOMEM; - goto cleanup; - } + /* OK, we're likely returning something. Allocate return values */ + if (princs_ret != NULL) { + princs = calloc(num_sans + 1, sizeof(krb5_principal)); + if (princs == NULL) { + retval = ENOMEM; + goto cleanup; } - if (upn_ret != NULL) { - upns = calloc(num_sans + 1, sizeof(krb5_principal)); - if (upns == NULL) { - retval = ENOMEM; - goto cleanup; - } + } + if (upn_ret != NULL) { + upns = calloc(num_sans + 1, sizeof(*upns)); + if (upns == NULL) { + retval = ENOMEM; + goto cleanup; } - if (dns_ret != NULL) { - dnss = calloc(num_sans + 1, sizeof(*dnss)); - if (dnss == NULL) { - retval = ENOMEM; - goto cleanup; - } + } + if (dns_ret != NULL) { + dnss = calloc(num_sans + 1, sizeof(*dnss)); + if (dnss == NULL) { + retval = ENOMEM; + goto cleanup; } + } - for (i = 0; i < num_sans; i++) { - krb5_data name = { 0, 0, NULL }; + for (i = 0; i < num_sans; i++) { + krb5_data name = { 0, 0, NULL }; - gen = sk_GENERAL_NAME_value(ialt, i); - switch (gen->type) { - case GEN_OTHERNAME: - name.length = gen->d.otherName->value->value.sequence->length; - name.data = (char *)gen->d.otherName->value->value.sequence->data; - if (princs != NULL - && OBJ_cmp(plgctx->id_pkinit_san, - gen->d.otherName->type_id) == 0) { + gen = sk_GENERAL_NAME_value(ialt, i); + switch (gen->type) { + case GEN_OTHERNAME: + name.length = gen->d.otherName->value->value.sequence->length; + name.data = (char *)gen->d.otherName->value->value.sequence->data; + if (princs != NULL && + OBJ_cmp(plgctx->id_pkinit_san, + gen->d.otherName->type_id) == 0) { #ifdef DEBUG_ASN1 - print_buffer_bin((unsigned char *)name.data, name.length, - "/tmp/pkinit_san"); + print_buffer_bin((unsigned char *)name.data, name.length, + "/tmp/pkinit_san"); #endif - ret = k5int_decode_krb5_principal_name(&name, &princs[p]); - if (ret) { - pkiDebug("%s: failed decoding pkinit san value\n", - __FUNCTION__); - } else { - p++; - num_found++; - } - } else if (upns != NULL - && OBJ_cmp(plgctx->id_ms_san_upn, - gen->d.otherName->type_id) == 0) { - /* Prevent abuse of embedded null characters. */ - if (memchr(name.data, '\0', name.length)) - break; - ret = krb5_parse_name(context, name.data, &upns[u]); - if (ret) { - pkiDebug("%s: failed parsing ms-upn san value\n", - __FUNCTION__); - } else { - u++; - num_found++; - } - } else { - pkiDebug("%s: unrecognized othername oid in SAN\n", + ret = k5int_decode_krb5_principal_name(&name, &princs[p]); + if (ret) { + pkiDebug("%s: failed decoding pkinit san value\n", __FUNCTION__); - continue; + } else { + p++; + num_found++; } + } else if (upns != NULL && + OBJ_cmp(plgctx->id_ms_san_upn, + gen->d.otherName->type_id) == 0) { + /* Prevent abuse of embedded null characters. */ + if (memchr(name.data, '\0', name.length)) + break; + upns[u] = k5memdup0(name.data, name.length, &ret); + if (upns[u] == NULL) + goto cleanup; + } else { + pkiDebug("%s: unrecognized othername oid in SAN\n", + __FUNCTION__); + continue; + } - break; - case GEN_DNS: - if (dnss != NULL) { - /* Prevent abuse of embedded null characters. */ - if (memchr(gen->d.dNSName->data, '\0', - gen->d.dNSName->length)) - break; - pkiDebug("%s: found dns name = %s\n", - __FUNCTION__, gen->d.dNSName->data); - dnss[d] = (unsigned char *) - strdup((char *)gen->d.dNSName->data); - if (dnss[d] == NULL) { - pkiDebug("%s: failed to duplicate dns name\n", - __FUNCTION__); - } else { - d++; - num_found++; - } + break; + case GEN_DNS: + if (dnss != NULL) { + /* Prevent abuse of embedded null characters. */ + if (memchr(gen->d.dNSName->data, '\0', gen->d.dNSName->length)) + break; + pkiDebug("%s: found dns name = %s\n", __FUNCTION__, + gen->d.dNSName->data); + dnss[d] = (unsigned char *) + strdup((char *)gen->d.dNSName->data); + if (dnss[d] == NULL) { + pkiDebug("%s: failed to duplicate dns name\n", + __FUNCTION__); + } else { + d++; + num_found++; } - break; - default: - pkiDebug("%s: SAN type = %d expecting %d\n", - __FUNCTION__, gen->type, GEN_OTHERNAME); } + break; + default: + pkiDebug("%s: SAN type = %d expecting %d\n", __FUNCTION__, + gen->type, GEN_OTHERNAME); } - sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); } + sk_GENERAL_NAME_pop_free(ialt, GENERAL_NAME_free); retval = 0; - if (princs) + if (princs != NULL && *princs != NULL) { *princs_ret = princs; - if (upns) + princs = NULL; + } + if (upns != NULL && *upns != NULL) { *upn_ret = upns; - if (dnss) + upns = NULL; + } + if (dnss != NULL && *dnss != NULL) { *dns_ret = dnss; + dnss = NULL; + } cleanup: - if (retval) { - if (princs != NULL) { - for (i = 0; princs[i] != NULL; i++) - krb5_free_principal(context, princs[i]); - free(princs); - } - if (upns != NULL) { - for (i = 0; upns[i] != NULL; i++) - krb5_free_principal(context, upns[i]); - free(upns); - } - if (dnss != NULL) { - for (i = 0; dnss[i] != NULL; i++) - free(dnss[i]); - free(dnss); - } - } + for (i = 0; princs != NULL && princs[i] != NULL; i++) + krb5_free_principal(context, princs[i]); + free(princs); + for (i = 0; upns != NULL && upns[i] != NULL; i++) + free(upns[i]); + free(upns); + for (i = 0; dnss != NULL && dnss[i] != NULL; i++) + free(dnss[i]); + free(dnss); return retval; } @@ -2277,8 +2263,7 @@ crypto_retrieve_cert_sans(krb5_context context, pkinit_plg_crypto_context plgctx, pkinit_req_crypto_context reqctx, pkinit_identity_crypto_context idctx, - krb5_principal **princs_ret, - krb5_principal **upn_ret, + krb5_principal **princs_ret, char ***upn_ret, unsigned char ***dns_ret) { krb5_error_code retval = EINVAL; @@ -2313,7 +2298,6 @@ crypto_check_cert_eku(krb5_context context, X509_NAME_oneline(X509_get_subject_name(reqctx->received_cert), buf, sizeof(buf)); - pkiDebug("%s: looking for EKUs in cert = %s\n", __FUNCTION__, buf); if ((i = X509_get_ext_by_NID(reqctx->received_cert, NID_ext_key_usage, -1)) >= 0) { @@ -2347,7 +2331,6 @@ crypto_check_cert_eku(krb5_context context, if (found_eku) { ASN1_BIT_STRING *usage = NULL; - pkiDebug("%s: found acceptable EKU, checking for digitalSignature\n", __FUNCTION__); /* check that digitalSignature KeyUsage is present */ X509_check_ca(reqctx->received_cert); @@ -2356,12 +2339,10 @@ crypto_check_cert_eku(krb5_context context, if (!ku_reject(reqctx->received_cert, X509v3_KU_DIGITAL_SIGNATURE)) { - pkiDebug("%s: found digitalSignature KU\n", - __FUNCTION__); + TRACE_PKINIT_EKU(context); *valid_eku = 1; } else - pkiDebug("%s: didn't find digitalSignature KU\n", - __FUNCTION__); + TRACE_PKINIT_EKU_NO_KU(context); } ASN1_BIT_STRING_free(usage); } @@ -2675,16 +2656,21 @@ client_create_dh(krb5_context context, pkinit_req_crypto_context cryptoctx, pkinit_identity_crypto_context id_cryptoctx, int dh_size, - unsigned char **dh_params, - unsigned int *dh_params_len, - unsigned char **dh_pubkey, - unsigned int *dh_pubkey_len) + unsigned char **dh_params_out, + unsigned int *dh_params_len_out, + unsigned char **dh_pubkey_out, + unsigned int *dh_pubkey_len_out) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; unsigned char *buf = NULL; int dh_err = 0; ASN1_INTEGER *pub_key = NULL; const BIGNUM *pubkey_bn, *p, *q, *g; + unsigned char *dh_params = NULL, *dh_pubkey = NULL; + unsigned int dh_params_len, dh_pubkey_len; + + *dh_params_out = *dh_pubkey_out = NULL; + *dh_params_len_out = *dh_pubkey_len_out = 0; if (cryptoctx->dh == NULL) { if (dh_size == 1024) @@ -2728,7 +2714,7 @@ client_create_dh(krb5_context context, * however, PKINIT requires RFC3279 encoding and openssl does pkcs#3. */ DH_get0_pqg(cryptoctx->dh, &p, &q, &g); - retval = pkinit_encode_dh_params(p, g, q, dh_params, dh_params_len); + retval = pkinit_encode_dh_params(p, g, q, &dh_params, &dh_params_len); if (retval) goto cleanup; @@ -2743,30 +2729,30 @@ client_create_dh(krb5_context context, retval = ENOMEM; goto cleanup; } - *dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL); - if ((buf = *dh_pubkey = malloc(*dh_pubkey_len)) == NULL) { - retval = ENOMEM; + dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL); + buf = dh_pubkey = malloc(dh_pubkey_len); + if (dh_pubkey == NULL) { + retval = ENOMEM; goto cleanup; } i2d_ASN1_INTEGER(pub_key, &buf); - if (pub_key != NULL) - ASN1_INTEGER_free(pub_key); + *dh_params_out = dh_params; + *dh_params_len_out = dh_params_len; + *dh_pubkey_out = dh_pubkey; + *dh_pubkey_len_out = dh_pubkey_len; + dh_params = dh_pubkey = NULL; retval = 0; - return retval; cleanup: - if (cryptoctx->dh != NULL) + if (retval) { DH_free(cryptoctx->dh); - cryptoctx->dh = NULL; - free(*dh_params); - *dh_params = NULL; - free(*dh_pubkey); - *dh_pubkey = NULL; - if (pub_key != NULL) - ASN1_INTEGER_free(pub_key); - + cryptoctx->dh = NULL; + } + free(dh_params); + free(dh_pubkey); + ASN1_INTEGER_free(pub_key); return retval; } @@ -2777,16 +2763,22 @@ client_process_dh(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, unsigned char *subjectPublicKey_data, unsigned int subjectPublicKey_length, - unsigned char **client_key, - unsigned int *client_key_len) + unsigned char **client_key_out, + unsigned int *client_key_len_out) { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; BIGNUM *server_pub_key = NULL; ASN1_INTEGER *pub_key = NULL; + unsigned char *client_key = NULL; + unsigned int client_key_len; const unsigned char *p = NULL; - *client_key_len = DH_size(cryptoctx->dh); - if ((*client_key = malloc(*client_key_len)) == NULL) { + *client_key_out = NULL; + *client_key_len_out = 0; + + client_key_len = DH_size(cryptoctx->dh); + client_key = malloc(client_key_len); + if (client_key == NULL) { retval = ENOMEM; goto cleanup; } @@ -2797,27 +2789,23 @@ client_process_dh(krb5_context context, if ((server_pub_key = ASN1_INTEGER_to_BN(pub_key, NULL)) == NULL) goto cleanup; - compute_dh(*client_key, *client_key_len, server_pub_key, cryptoctx->dh); + compute_dh(client_key, client_key_len, server_pub_key, cryptoctx->dh); #ifdef DEBUG_DH print_pubkey(server_pub_key, "server's pub_key="); - pkiDebug("client computed key (%d)= ", *client_key_len); - print_buffer(*client_key, *client_key_len); + pkiDebug("client computed key (%d)= ", client_key_len); + print_buffer(client_key, client_key_len); #endif - retval = 0; - if (server_pub_key != NULL) - BN_free(server_pub_key); - if (pub_key != NULL) - ASN1_INTEGER_free(pub_key); + *client_key_out = client_key; + *client_key_len_out = client_key_len; + client_key = NULL; - return retval; + retval = 0; cleanup: - free(*client_key); - *client_key = NULL; - if (pub_key != NULL) - ASN1_INTEGER_free(pub_key); - + BN_free(server_pub_key); + ASN1_INTEGER_free(pub_key); + free(client_key); return retval; } @@ -2923,10 +2911,10 @@ server_process_dh(krb5_context context, pkinit_identity_crypto_context id_cryptoctx, unsigned char *data, unsigned int data_len, - unsigned char **dh_pubkey, - unsigned int *dh_pubkey_len, - unsigned char **server_key, - unsigned int *server_key_len) + unsigned char **dh_pubkey_out, + unsigned int *dh_pubkey_len_out, + unsigned char **server_key_out, + unsigned int *server_key_len_out) { krb5_error_code retval = ENOMEM; DH *dh = NULL, *dh_server = NULL; @@ -2934,9 +2922,11 @@ server_process_dh(krb5_context context, ASN1_INTEGER *pub_key = NULL; BIGNUM *client_pubkey = NULL; const BIGNUM *server_pubkey; + unsigned char *dh_pubkey = NULL, *server_key = NULL; + unsigned int dh_pubkey_len = 0, server_key_len = 0; - *dh_pubkey = *server_key = NULL; - *dh_pubkey_len = *server_key_len = 0; + *dh_pubkey_out = *server_key_out = NULL; + *dh_pubkey_len_out = *server_key_len_out = 0; /* get client's received DH parameters that we saved in server_check_dh */ dh = cryptoctx->dh; @@ -2959,17 +2949,18 @@ server_process_dh(krb5_context context, DH_get0_key(dh_server, &server_pubkey, NULL); /* generate DH session key */ - *server_key_len = DH_size(dh_server); - if ((*server_key = malloc(*server_key_len)) == NULL) + server_key_len = DH_size(dh_server); + server_key = malloc(server_key_len); + if (server_key == NULL) goto cleanup; - compute_dh(*server_key, *server_key_len, client_pubkey, dh_server); + compute_dh(server_key, server_key_len, client_pubkey, dh_server); #ifdef DEBUG_DH print_dh(dh_server, "client&server's DH params\n"); print_pubkey(client_pubkey, "client's pub_key="); print_pubkey(server_pubkey, "server's pub_key="); pkiDebug("server computed key="); - print_buffer(*server_key, *server_key_len); + print_buffer(server_key, server_key_len); #endif /* KDC reply */ @@ -2982,24 +2973,27 @@ server_process_dh(krb5_context context, pub_key = BN_to_ASN1_INTEGER(server_pubkey, NULL); if (pub_key == NULL) goto cleanup; - *dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL); - if ((p = *dh_pubkey = malloc(*dh_pubkey_len)) == NULL) + dh_pubkey_len = i2d_ASN1_INTEGER(pub_key, NULL); + p = dh_pubkey = malloc(dh_pubkey_len); + if (dh_pubkey == NULL) goto cleanup; i2d_ASN1_INTEGER(pub_key, &p); if (pub_key != NULL) ASN1_INTEGER_free(pub_key); - retval = 0; + *dh_pubkey_out = dh_pubkey; + *dh_pubkey_len_out = dh_pubkey_len; + *server_key_out = server_key; + *server_key_len_out = server_key_len; + dh_pubkey = server_key = NULL; - if (dh_server != NULL) - DH_free(dh_server); - return retval; + retval = 0; cleanup: BN_free(client_pubkey); DH_free(dh_server); - free(*dh_pubkey); - free(*server_key); + free(dh_pubkey); + free(server_key); return retval; } @@ -3581,12 +3575,14 @@ openssl_callback(int ok, X509_STORE_CTX * ctx) { #ifdef DEBUG if (!ok) { + X509 *cert = X509_STORE_CTX_get_current_cert(ctx); + int err = X509_STORE_CTX_get_error(ctx); + const char *errmsg = X509_verify_cert_error_string(err); char buf[DN_BUF_LEN]; - X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf, sizeof(buf)); + X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf)); pkiDebug("cert = %s\n", buf); - pkiDebug("callback function: %d (%s)\n", ctx->error, - X509_verify_cert_error_string(ctx->error)); + pkiDebug("callback function: %d (%s)\n", err, errmsg); } #endif return ok; @@ -3979,12 +3975,34 @@ pkinit_decode_data_fs(krb5_context context, const uint8_t *data, unsigned int data_len, uint8_t **decoded_data, unsigned int *decoded_data_len) { - if (decode_data(decoded_data, decoded_data_len, data, data_len, - id_cryptoctx->my_key, sk_X509_value(id_cryptoctx->my_certs, - id_cryptoctx->cert_index)) <= 0) { - pkiDebug("failed to decode data\n"); + X509 *cert = sk_X509_value(id_cryptoctx->my_certs, + id_cryptoctx->cert_index); + EVP_PKEY *pkey = id_cryptoctx->my_key; + uint8_t *buf; + int buf_len, decrypt_len; + + *decoded_data = NULL; + *decoded_data_len = 0; + + if (cert != NULL && !X509_check_private_key(cert, pkey)) { + pkiDebug("private key does not match certificate\n"); + return KRB5KDC_ERR_PREAUTH_FAILED; + } + + buf_len = EVP_PKEY_size(pkey); + buf = malloc(buf_len + 10); + if (buf == NULL) + return KRB5KDC_ERR_PREAUTH_FAILED; + + decrypt_len = EVP_PKEY_decrypt_old(buf, data, data_len, pkey); + if (decrypt_len <= 0) { + pkiDebug("unable to decrypt received data (len=%d)\n", data_len); + free(buf); return KRB5KDC_ERR_PREAUTH_FAILED; } + + *decoded_data = buf; + *decoded_data_len = decrypt_len; return 0; } @@ -4027,6 +4045,9 @@ pkinit_decode_data_pkcs11(krb5_context context, uint8_t *cp; int r; + *decoded_data = NULL; + *decoded_data_len = 0; + if (pkinit_open_session(context, id_cryptoctx)) { pkiDebug("can't open pkcs11 session\n"); return KRB5KDC_ERR_PREAUTH_FAILED; @@ -4075,6 +4096,9 @@ pkinit_decode_data(krb5_context context, { krb5_error_code retval = KRB5KDC_ERR_PREAUTH_FAILED; + *decoded_data = NULL; + *decoded_data_len = 0; + if (id_cryptoctx->pkcs11_method != 1) retval = pkinit_decode_data_fs(context, id_cryptoctx, data, data_len, decoded_data, decoded_data_len); @@ -4188,41 +4212,6 @@ pkinit_sign_data(krb5_context context, } -static int -decode_data(uint8_t **out_data, unsigned int *out_data_len, - const uint8_t *data, unsigned int data_len, EVP_PKEY *pkey, - X509 *cert) -{ - int retval; - unsigned char *buf = NULL; - int buf_len = 0; - - if (cert && !X509_check_private_key(cert, pkey)) { - pkiDebug("private key does not match certificate\n"); - return 0; - } - - buf_len = EVP_PKEY_size(pkey); - buf = malloc((size_t) buf_len + 10); - if (buf == NULL) - return 0; - -#if OPENSSL_VERSION_NUMBER >= 0x00909000L - retval = EVP_PKEY_decrypt_old(buf, data, (int)data_len, pkey); -#else - retval = EVP_PKEY_decrypt(buf, data, (int)data_len, pkey); -#endif - if (retval <= 0) { - pkiDebug("unable to decrypt received data (len=%d)\n", data_len); - free(buf); - return 0; - } - *out_data = buf; - *out_data_len = retval; - - return 1; -} - static krb5_error_code create_signature(unsigned char **sig, unsigned int *sig_len, unsigned char *data, unsigned int data_len, EVP_PKEY *pkey) @@ -4310,8 +4299,7 @@ pkinit_get_certs_pkcs12(krb5_context context, fp = fopen(idopts->cert_filename, "rb"); if (fp == NULL) { - pkiDebug("Failed to open PKCS12 file '%s', error %d\n", - idopts->cert_filename, errno); + TRACE_PKINIT_PKCS_OPEN_FAIL(context, idopts->cert_filename, errno); goto cleanup; } set_cloexec_file(fp); @@ -4319,8 +4307,7 @@ pkinit_get_certs_pkcs12(krb5_context context, p12 = d2i_PKCS12_fp(fp, NULL); fclose(fp); if (p12 == NULL) { - pkiDebug("Failed to decode PKCS12 file '%s' contents\n", - idopts->cert_filename); + TRACE_PKINIT_PKCS_DECODE_FAIL(context, idopts->cert_filename); goto cleanup; } /* @@ -4338,7 +4325,7 @@ pkinit_get_certs_pkcs12(krb5_context context, char *p12name = reassemble_pkcs12_name(idopts->cert_filename); const char *tmp; - pkiDebug("Initial PKCS12_parse with no password failed\n"); + TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(context); if (id_cryptoctx->defer_id_prompt) { /* Supply the identity name to be passed to the responder. */ @@ -4379,14 +4366,14 @@ pkinit_get_certs_pkcs12(krb5_context context, NULL, NULL, 1, &kprompt); k5int_set_prompt_types(context, 0); if (r) { - pkiDebug("Failed to prompt for PKCS12 password"); + TRACE_PKINIT_PKCS_PROMPT_FAIL(context); goto cleanup; } } ret = PKCS12_parse(p12, rdat.data, &y, &x, NULL); if (ret == 0) { - pkiDebug("Second PKCS12_parse with password failed\n"); + TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(context); goto cleanup; } } @@ -4509,8 +4496,7 @@ pkinit_get_certs_fs(krb5_context context, } if (idopts->key_filename == NULL) { - pkiDebug("%s: failed to get user's private key location\n", - __FUNCTION__); + TRACE_PKINIT_NO_PRIVKEY(context); goto cleanup; } @@ -4538,8 +4524,7 @@ pkinit_get_certs_dir(krb5_context context, char *dirname, *suf; if (idopts->cert_filename == NULL) { - pkiDebug("%s: failed to get user's certificate directory location\n", - __FUNCTION__); + TRACE_PKINIT_NO_CERT(context); return ENOENT; } @@ -4583,8 +4568,7 @@ pkinit_get_certs_dir(krb5_context context, retval = pkinit_load_fs_cert_and_key(context, id_cryptoctx, certname, keyname, i); if (retval == 0) { - pkiDebug("%s: Successfully loaded cert (and key) for %s\n", - __FUNCTION__, dentry->d_name); + TRACE_PKINIT_LOADED_CERT(context, dentry->d_name); i++; } else @@ -4592,8 +4576,7 @@ pkinit_get_certs_dir(krb5_context context, } if (!id_cryptoctx->defer_id_prompt && i == 0) { - pkiDebug("%s: No cert/key pairs found in directory '%s'\n", - __FUNCTION__, idopts->cert_filename); + TRACE_PKINIT_NO_CERT_AND_KEY(context, idopts->cert_filename); retval = ENOENT; goto cleanup; } @@ -4688,18 +4671,13 @@ pkinit_get_certs_pkcs11(krb5_context context, } /* Convert the ascii cert_id string into a binary blob */ if (idopts->cert_id_string != NULL) { - BIGNUM *bn = NULL; - BN_hex2bn(&bn, idopts->cert_id_string); - if (bn == NULL) - return ENOMEM; - id_cryptoctx->cert_id_len = BN_num_bytes(bn); - id_cryptoctx->cert_id = malloc((size_t) id_cryptoctx->cert_id_len); - if (id_cryptoctx->cert_id == NULL) { - BN_free(bn); - return ENOMEM; + r = k5_hex_decode(idopts->cert_id_string, + &id_cryptoctx->cert_id, &id_cryptoctx->cert_id_len); + if (r != 0) { + pkiDebug("Failed to convert certid string [%s]\n", + idopts->cert_id_string); + return r; } - BN_bn2bin(bn, id_cryptoctx->cert_id); - BN_free(bn); } id_cryptoctx->slotid = idopts->slotid; id_cryptoctx->pkcs11_method = 1; @@ -4948,135 +4926,15 @@ cleanup: } /* - * Get number of certificates available after crypto_load_certs() - */ -krb5_error_code -crypto_cert_get_count(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - int *cert_count) -{ - int count; - - if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL) - return EINVAL; - - for (count = 0; - count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL; - count++); - *cert_count = count; - return 0; -} - - -/* - * Begin iteration over the certs loaded in crypto_load_certs() - */ -krb5_error_code -crypto_cert_iteration_begin(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - pkinit_cert_iter_handle *ih_ret) -{ - struct _pkinit_cert_iter_data *id; - - if (id_cryptoctx == NULL || ih_ret == NULL) - return EINVAL; - if (id_cryptoctx->creds[0] == NULL) /* No cred info available */ - return ENOENT; - - id = calloc(1, sizeof(*id)); - if (id == NULL) - return ENOMEM; - id->magic = ITER_MAGIC; - id->plgctx = plg_cryptoctx, - id->reqctx = req_cryptoctx, - id->idctx = id_cryptoctx; - id->index = 0; - *ih_ret = (pkinit_cert_iter_handle) id; - return 0; -} - -/* - * End iteration over the certs loaded in crypto_load_certs() - */ -krb5_error_code -crypto_cert_iteration_end(krb5_context context, - pkinit_cert_iter_handle ih) -{ - struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih; - - if (id == NULL || id->magic != ITER_MAGIC) - return EINVAL; - free(ih); - return 0; -} - -/* - * Get next certificate handle - */ -krb5_error_code -crypto_cert_iteration_next(krb5_context context, - pkinit_cert_iter_handle ih, - pkinit_cert_handle *ch_ret) -{ - struct _pkinit_cert_iter_data *id = (struct _pkinit_cert_iter_data *)ih; - struct _pkinit_cert_data *cd; - pkinit_identity_crypto_context id_cryptoctx; - - if (id == NULL || id->magic != ITER_MAGIC) - return EINVAL; - - if (ch_ret == NULL) - return EINVAL; - - id_cryptoctx = id->idctx; - if (id_cryptoctx == NULL) - return EINVAL; - - if (id_cryptoctx->creds[id->index] == NULL) - return PKINIT_ITER_NO_MORE; - - cd = calloc(1, sizeof(*cd)); - if (cd == NULL) - return ENOMEM; - - cd->magic = CERT_MAGIC; - cd->plgctx = id->plgctx; - cd->reqctx = id->reqctx; - cd->idctx = id->idctx; - cd->index = id->index; - cd->cred = id_cryptoctx->creds[id->index++]; - *ch_ret = (pkinit_cert_handle)cd; - return 0; -} - -/* - * Release cert handle - */ -krb5_error_code -crypto_cert_release(krb5_context context, - pkinit_cert_handle ch) -{ - struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch; - if (cd == NULL || cd->magic != CERT_MAGIC) - return EINVAL; - free(cd); - return 0; -} - -/* * Get certificate Key Usage and Extended Key Usage */ static krb5_error_code -crypto_retieve_X509_key_usage(krb5_context context, - pkinit_plg_crypto_context plgcctx, - pkinit_req_crypto_context reqcctx, - X509 *x, - unsigned int *ret_ku_bits, - unsigned int *ret_eku_bits) +crypto_retrieve_X509_key_usage(krb5_context context, + pkinit_plg_crypto_context plgcctx, + pkinit_req_crypto_context reqcctx, + X509 *x, + unsigned int *ret_ku_bits, + unsigned int *ret_eku_bits) { krb5_error_code retval = 0; int i; @@ -5145,199 +5003,205 @@ out: return retval; } -/* - * Return a string format of an X509_NAME in buf where - * size is an in/out parameter. On input it is the size - * of the buffer, and on output it is the actual length - * of the name. - * If buf is NULL, returns the length req'd to hold name - */ -static char * -X509_NAME_oneline_ex(X509_NAME * a, - char *buf, - unsigned int *size, - unsigned long flag) +static krb5_error_code +rfc2253_name(X509_NAME *name, char **str_out) { - BIO *out = NULL; + BIO *b = NULL; + char *str; - out = BIO_new(BIO_s_mem ()); - if (X509_NAME_print_ex(out, a, 0, flag) > 0) { - if (buf != NULL && (*size) > (unsigned int) BIO_number_written(out)) { - memset(buf, 0, *size); - BIO_read(out, buf, (int) BIO_number_written(out)); - } - else { - *size = BIO_number_written(out); - } - } - BIO_free(out); - return (buf); + *str_out = NULL; + b = BIO_new(BIO_s_mem()); + if (b == NULL) + return ENOMEM; + if (X509_NAME_print_ex(b, name, 0, XN_FLAG_SEP_COMMA_PLUS) < 0) + goto error; + str = calloc(BIO_number_written(b) + 1, 1); + if (str == NULL) + goto error; + BIO_read(b, str, BIO_number_written(b)); + BIO_free(b); + *str_out = str; + return 0; + +error: + BIO_free(b); + return ENOMEM; } /* - * Get certificate information + * Get number of certificates available after crypto_load_certs() */ -krb5_error_code -crypto_cert_get_matching_data(krb5_context context, - pkinit_cert_handle ch, - pkinit_cert_matching_data **ret_md) +static krb5_error_code +crypto_cert_get_count(pkinit_identity_crypto_context id_cryptoctx, + int *cert_count) { - krb5_error_code retval; - pkinit_cert_matching_data *md; - krb5_principal *pkinit_sans =NULL, *upn_sans = NULL; - struct _pkinit_cert_data *cd = (struct _pkinit_cert_data *)ch; - unsigned int i, j; - char buf[DN_BUF_LEN]; - unsigned int bufsize = sizeof(buf); + int count; - if (cd == NULL || cd->magic != CERT_MAGIC) - return EINVAL; - if (ret_md == NULL) + *cert_count = 0; + if (id_cryptoctx == NULL || id_cryptoctx->creds[0] == NULL) return EINVAL; - md = calloc(1, sizeof(*md)); + for (count = 0; + count <= MAX_CREDS_ALLOWED && id_cryptoctx->creds[count] != NULL; + count++); + *cert_count = count; + return 0; +} + +void +crypto_cert_free_matching_data(krb5_context context, + pkinit_cert_matching_data *md) +{ + int i; + if (md == NULL) - return ENOMEM; + return; + free(md->subject_dn); + free(md->issuer_dn); + for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) + krb5_free_principal(context, md->sans[i]); + free(md->sans); + for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) + free(md->upns[i]); + free(md->upns); + free(md); +} - md->ch = ch; +/* + * Free certificate matching data. + */ +void +crypto_cert_free_matching_data_list(krb5_context context, + pkinit_cert_matching_data **list) +{ + int i; - /* get the subject name (in rfc2253 format) */ - X509_NAME_oneline_ex(X509_get_subject_name(cd->cred->cert), - buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS); - md->subject_dn = strdup(buf); - if (md->subject_dn == NULL) { - retval = ENOMEM; - goto cleanup; - } + for (i = 0; list != NULL && list[i] != NULL; i++) + crypto_cert_free_matching_data(context, list[i]); + free(list); +} - /* get the issuer name (in rfc2253 format) */ - X509_NAME_oneline_ex(X509_get_issuer_name(cd->cred->cert), - buf, &bufsize, XN_FLAG_SEP_COMMA_PLUS); - md->issuer_dn = strdup(buf); - if (md->issuer_dn == NULL) { - retval = ENOMEM; - goto cleanup; - } +/* + * Get certificate matching data for cert. + */ +static krb5_error_code +get_matching_data(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, + pkinit_req_crypto_context req_cryptoctx, X509 *cert, + pkinit_cert_matching_data **md_out) +{ + krb5_error_code ret = ENOMEM; + pkinit_cert_matching_data *md = NULL; - /* get the san data */ - retval = crypto_retrieve_X509_sans(context, cd->plgctx, cd->reqctx, - cd->cred->cert, &pkinit_sans, - &upn_sans, NULL); - if (retval) + *md_out = NULL; + + md = calloc(1, sizeof(*md)); + if (md == NULL) goto cleanup; - j = 0; - if (pkinit_sans != NULL) { - for (i = 0; pkinit_sans[i] != NULL; i++) - j++; - } - if (upn_sans != NULL) { - for (i = 0; upn_sans[i] != NULL; i++) - j++; - } - if (j != 0) { - md->sans = calloc((size_t)j+1, sizeof(*md->sans)); - if (md->sans == NULL) { - retval = ENOMEM; - goto cleanup; - } - j = 0; - if (pkinit_sans != NULL) { - for (i = 0; pkinit_sans[i] != NULL; i++) - md->sans[j++] = pkinit_sans[i]; - free(pkinit_sans); - } - if (upn_sans != NULL) { - for (i = 0; upn_sans[i] != NULL; i++) - md->sans[j++] = upn_sans[i]; - free(upn_sans); - } - md->sans[j] = NULL; - } else - md->sans = NULL; + ret = rfc2253_name(X509_get_subject_name(cert), &md->subject_dn); + if (ret) + goto cleanup; + ret = rfc2253_name(X509_get_issuer_name(cert), &md->issuer_dn); + if (ret) + goto cleanup; - /* get the KU and EKU data */ + /* Get the SAN data. */ + ret = crypto_retrieve_X509_sans(context, plg_cryptoctx, req_cryptoctx, + cert, &md->sans, &md->upns, NULL); + if (ret) + goto cleanup; - retval = crypto_retieve_X509_key_usage(context, cd->plgctx, cd->reqctx, - cd->cred->cert, - &md->ku_bits, &md->eku_bits); - if (retval) + /* Get the KU and EKU data. */ + ret = crypto_retrieve_X509_key_usage(context, plg_cryptoctx, + req_cryptoctx, cert, &md->ku_bits, + &md->eku_bits); + if (ret) goto cleanup; - *ret_md = md; - retval = 0; + *md_out = md; + md = NULL; + cleanup: - if (retval) { - if (md) - crypto_cert_free_matching_data(context, md); - } - return retval; + crypto_cert_free_matching_data(context, md); + return ret; } -/* - * Free certificate information - */ krb5_error_code -crypto_cert_free_matching_data(krb5_context context, - pkinit_cert_matching_data *md) +crypto_cert_get_matching_data(krb5_context context, + pkinit_plg_crypto_context plg_cryptoctx, + pkinit_req_crypto_context req_cryptoctx, + pkinit_identity_crypto_context id_cryptoctx, + pkinit_cert_matching_data ***md_out) { - krb5_principal p; - int i; + krb5_error_code ret; + pkinit_cert_matching_data **md_list = NULL; + int count, i; - if (md == NULL) - return EINVAL; - if (md->subject_dn) - free(md->subject_dn); - if (md->issuer_dn) - free(md->issuer_dn); - if (md->sans) { - for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) - krb5_free_principal(context, p); - free(md->sans); + ret = crypto_cert_get_count(id_cryptoctx, &count); + if (ret) + goto cleanup; + + md_list = calloc(count + 1, sizeof(*md_list)); + if (md_list == NULL) { + ret = ENOMEM; + goto cleanup; } - free(md); - return 0; + + for (i = 0; i < count; i++) { + ret = get_matching_data(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx->creds[i]->cert, &md_list[i]); + if (ret) { + pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n", + __FUNCTION__, ret, error_message(ret)); + goto cleanup; + } + } + + *md_out = md_list; + md_list = NULL; + +cleanup: + crypto_cert_free_matching_data_list(context, md_list); + return ret; } /* - * Make this matching certificate "the chosen one" + * Set the certificate in idctx->creds[cred_index] as the selected certificate. */ krb5_error_code -crypto_cert_select(krb5_context context, - pkinit_cert_matching_data *md) +crypto_cert_select(krb5_context context, pkinit_identity_crypto_context idctx, + size_t cred_index) { - struct _pkinit_cert_data *cd; - if (md == NULL) - return EINVAL; + pkinit_cred_info ci = NULL; - cd = (struct _pkinit_cert_data *)md->ch; - if (cd == NULL || cd->magic != CERT_MAGIC) - return EINVAL; + if (cred_index >= MAX_CREDS_ALLOWED || idctx->creds[cred_index] == NULL) + return ENOENT; + ci = idctx->creds[cred_index]; /* copy the selected cert into our id_cryptoctx */ - if (cd->idctx->my_certs != NULL) { - sk_X509_pop_free(cd->idctx->my_certs, X509_free); - } - cd->idctx->my_certs = sk_X509_new_null(); - sk_X509_push(cd->idctx->my_certs, cd->cred->cert); - free(cd->idctx->identity); + if (idctx->my_certs != NULL) + sk_X509_pop_free(idctx->my_certs, X509_free); + idctx->my_certs = sk_X509_new_null(); + sk_X509_push(idctx->my_certs, ci->cert); + free(idctx->identity); /* hang on to the selected credential name */ - if (cd->idctx->creds[cd->index]->name != NULL) - cd->idctx->identity = strdup(cd->idctx->creds[cd->index]->name); + if (ci->name != NULL) + idctx->identity = strdup(ci->name); else - cd->idctx->identity = NULL; - cd->idctx->creds[cd->index]->cert = NULL; /* Don't free it twice */ - cd->idctx->cert_index = 0; + idctx->identity = NULL; - if (cd->idctx->pkcs11_method != 1) { - cd->idctx->my_key = cd->cred->key; - cd->idctx->creds[cd->index]->key = NULL; /* Don't free it twice */ + ci->cert = NULL; /* Don't free it twice */ + idctx->cert_index = 0; + if (idctx->pkcs11_method != 1) { + idctx->my_key = ci->key; + ci->key = NULL; /* Don't free it twice */ } #ifndef WITHOUT_PKCS11 else { - cd->idctx->cert_id = cd->cred->cert_id; - cd->idctx->creds[cd->index]->cert_id = NULL; /* Don't free it twice */ - cd->idctx->cert_id_len = cd->cred->cert_id_len; + idctx->cert_id = ci->cert_id; + ci->cert_id = NULL; /* Don't free it twice */ + idctx->cert_id_len = ci->cert_id_len; } #endif return 0; @@ -5353,19 +5217,14 @@ crypto_cert_select_default(krb5_context context, pkinit_identity_crypto_context id_cryptoctx) { krb5_error_code retval; - int cert_count = 0; + int cert_count; - retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, &cert_count); - if (retval) { - pkiDebug("%s: crypto_cert_get_count error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); + retval = crypto_cert_get_count(id_cryptoctx, &cert_count); + if (retval) goto errout; - } + if (cert_count != 1) { - pkiDebug("%s: ERROR: There are %d certs to choose from, " - "but there must be exactly one.\n", - __FUNCTION__, cert_count); + TRACE_PKINIT_NO_DEFAULT_CERT(context, cert_count); retval = EINVAL; goto errout; } @@ -5513,7 +5372,7 @@ load_cas_and_crls(krb5_context context, switch(catype) { case CATYPE_ANCHORS: if (sk_X509_num(ca_certs) == 0) { - pkiDebug("no anchors in file, %s\n", filename); + TRACE_PKINIT_NO_CA_ANCHOR(context, filename); if (id_cryptoctx->trustedCAs == NULL) sk_X509_free(ca_certs); } else { @@ -5523,7 +5382,7 @@ load_cas_and_crls(krb5_context context, break; case CATYPE_INTERMEDIATES: if (sk_X509_num(ca_certs) == 0) { - pkiDebug("no intermediates in file, %s\n", filename); + TRACE_PKINIT_NO_CA_INTERMEDIATE(context, filename); if (id_cryptoctx->intermediateCAs == NULL) sk_X509_free(ca_certs); } else { @@ -5533,7 +5392,7 @@ load_cas_and_crls(krb5_context context, break; case CATYPE_CRLS: if (sk_X509_CRL_num(ca_crls) == 0) { - pkiDebug("no crls in file, %s\n", filename); + TRACE_PKINIT_NO_CRL(context, filename); if (id_cryptoctx->revoked == NULL) sk_X509_CRL_free(ca_crls); } else { @@ -5619,14 +5478,14 @@ crypto_load_cas_and_crls(krb5_context context, int catype, char *id) { - pkiDebug("%s: called with idtype %s and catype %s\n", - __FUNCTION__, idtype2string(idtype), catype2string(catype)); switch (idtype) { case IDTYPE_FILE: + TRACE_PKINIT_LOAD_FROM_FILE(context); return load_cas_and_crls(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, catype, id); break; case IDTYPE_DIR: + TRACE_PKINIT_LOAD_FROM_DIR(context); return load_cas_and_crls_dir(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, catype, id); break; @@ -6170,3 +6029,50 @@ crypto_get_deferred_ids(krb5_context context, ret = (const pkinit_deferred_id *)deferred; return ret; } + +/* Return the received certificate as DER-encoded data. */ +krb5_error_code +crypto_encode_der_cert(krb5_context context, pkinit_req_crypto_context reqctx, + uint8_t **der_out, size_t *der_len) +{ + int len; + unsigned char *der, *p; + + *der_out = NULL; + *der_len = 0; + + if (reqctx->received_cert == NULL) + return EINVAL; + p = NULL; + len = i2d_X509(reqctx->received_cert, NULL); + if (len <= 0) + return EINVAL; + p = der = malloc(len); + if (der == NULL) + return ENOMEM; + if (i2d_X509(reqctx->received_cert, &p) <= 0) { + free(der); + return EINVAL; + } + *der_out = der; + *der_len = len; + return 0; +} + +/* + * Get the certificate matching data from the request certificate. + */ +krb5_error_code +crypto_req_cert_matching_data(krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + pkinit_cert_matching_data **md_out) +{ + *md_out = NULL; + + if (reqctx == NULL || reqctx->received_cert == NULL) + return ENOENT; + + return get_matching_data(context, plgctx, reqctx, reqctx->received_cert, + md_out); +} diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h index 2fe357c..957c3de 100644 --- a/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h +++ b/src/plugins/preauth/pkinit/pkinit_crypto_openssl.h @@ -87,8 +87,8 @@ struct _pkinit_identity_crypto_context { void *p11_module; CK_SESSION_HANDLE session; CK_FUNCTION_LIST_PTR p11; - CK_BYTE_PTR cert_id; - int cert_id_len; + uint8_t *cert_id; + size_t cert_id_len; CK_MECHANISM_TYPE mech; #endif krb5_boolean defer_id_prompt; @@ -115,23 +115,4 @@ struct _pkinit_req_crypto_context { DH *dh; }; -#define CERT_MAGIC 0x53534c43 -struct _pkinit_cert_data { - unsigned int magic; - pkinit_plg_crypto_context plgctx; - pkinit_req_crypto_context reqctx; - pkinit_identity_crypto_context idctx; - pkinit_cred_info cred; - unsigned int index; /* Index of this cred in the creds[] array */ -}; - -#define ITER_MAGIC 0x53534c49 -struct _pkinit_cert_iter_data { - unsigned int magic; - pkinit_plg_crypto_context plgctx; - pkinit_req_crypto_context reqctx; - pkinit_identity_crypto_context idctx; - unsigned int index; -}; - #endif /* _PKINIT_CRYPTO_OPENSSL_H */ diff --git a/src/plugins/preauth/pkinit/pkinit_identity.c b/src/plugins/preauth/pkinit/pkinit_identity.c index 177a2ca..8cd3fc6 100644 --- a/src/plugins/preauth/pkinit/pkinit_identity.c +++ b/src/plugins/preauth/pkinit/pkinit_identity.c @@ -93,9 +93,6 @@ idtype2string(int idtype) case IDTYPE_PKCS11: return "PKCS11"; break; case IDTYPE_PKCS12: return "PKCS12"; break; case IDTYPE_ENVVAR: return "ENV"; break; -#ifdef PKINIT_CRYPTO_IMPL_NSS - case IDTYPE_NSS: return "NSS"; break; -#endif default: return "INVALID"; break; } } @@ -125,7 +122,6 @@ pkinit_init_identity_opts(pkinit_identity_opts **idopts) opts->anchors = NULL; opts->intermediates = NULL; opts->crls = NULL; - opts->ocsp = NULL; opts->cert_filename = NULL; opts->key_filename = NULL; @@ -174,12 +170,6 @@ pkinit_dup_identity_opts(pkinit_identity_opts *src_opts, if (retval) goto cleanup; - if (src_opts->ocsp != NULL) { - newopts->ocsp = strdup(src_opts->ocsp); - if (newopts->ocsp == NULL) - goto cleanup; - } - if (src_opts->cert_filename != NULL) { newopts->cert_filename = strdup(src_opts->cert_filename); if (newopts->cert_filename == NULL) @@ -327,29 +317,38 @@ parse_fs_options(krb5_context context, const char *residual) { char *certname, *keyname, *save; + char *cert_filename = NULL, *key_filename = NULL; krb5_error_code retval = ENOMEM; - if (residual == NULL || residual[0] == '\0') - return 0; + if (residual == NULL || residual[0] == '\0' || residual[0] == ',') + return EINVAL; certname = strdup(residual); if (certname == NULL) goto cleanup; certname = strtok_r(certname, ",", &save); + if (certname == NULL) + goto cleanup; keyname = strtok_r(NULL, ",", &save); - idopts->cert_filename = strdup(certname); - if (idopts->cert_filename == NULL) + cert_filename = strdup(certname); + if (cert_filename == NULL) goto cleanup; - idopts->key_filename = strdup(keyname ? keyname : certname); - if (idopts->key_filename == NULL) + key_filename = strdup((keyname != NULL) ? keyname : certname); + if (key_filename == NULL) goto cleanup; + idopts->cert_filename = cert_filename; + idopts->key_filename = key_filename; + cert_filename = key_filename = NULL; retval = 0; + cleanup: free(certname); + free(cert_filename); + free(key_filename); return retval; } @@ -413,10 +412,6 @@ process_option_identity(krb5_context context, idtype = IDTYPE_DIR; } else if (strncmp(value, "ENV:", typelen) == 0) { idtype = IDTYPE_ENVVAR; -#ifdef PKINIT_CRYPTO_IMPL_NSS - } else if (strncmp(value, "NSS:", typelen) == 0) { - idtype = IDTYPE_NSS; -#endif } else { pkiDebug("%s: Unsupported type while processing '%s'\n", __FUNCTION__, value); @@ -453,13 +448,6 @@ process_option_identity(krb5_context context, if (idopts->cert_filename == NULL) retval = ENOMEM; break; -#ifdef PKINIT_CRYPTO_IMPL_NSS - case IDTYPE_NSS: - idopts->cert_filename = strdup(residual); - if (idopts->cert_filename == NULL) - retval = ENOMEM; - break; -#endif default: krb5_set_error_message(context, KRB5_PREAUTH_FAILED, _("Internal error parsing " @@ -496,10 +484,6 @@ process_option_ca_crl(krb5_context context, idtype = IDTYPE_FILE; } else if (strncmp(value, "DIR:", typelen) == 0) { idtype = IDTYPE_DIR; -#ifdef PKINIT_CRYPTO_IMPL_NSS - } else if (strncmp(value, "NSS:", typelen) == 0) { - idtype = IDTYPE_NSS; -#endif } else { return ENOTSUP; } @@ -568,6 +552,9 @@ pkinit_identity_initialize(krb5_context context, idopts, id_cryptoctx, princ, TRUE); if (retval) goto errout; + + crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, + id_cryptoctx); } else { /* We're the anonymous principal. */ retval = 0; @@ -615,7 +602,6 @@ pkinit_identity_prompt(krb5_context context, retval = pkinit_cert_matching(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, princ); if (retval) { - pkiDebug("%s: No matching certificate found\n", __FUNCTION__); crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); goto errout; @@ -628,8 +614,6 @@ pkinit_identity_prompt(krb5_context context, retval = crypto_cert_select_default(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); if (retval) { - pkiDebug("%s: Failed while selecting default certificate\n", - __FUNCTION__); crypto_free_cert_info(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx); goto errout; @@ -674,10 +658,6 @@ pkinit_identity_prompt(krb5_context context, if (retval) goto errout; } - if (idopts->ocsp != NULL) { - retval = ENOTSUP; - goto errout; - } errout: return retval; diff --git a/src/plugins/preauth/pkinit/pkinit_lib.c b/src/plugins/preauth/pkinit/pkinit_lib.c index 2f88545..d5858c4 100644 --- a/src/plugins/preauth/pkinit/pkinit_lib.c +++ b/src/plugins/preauth/pkinit/pkinit_lib.c @@ -82,6 +82,8 @@ pkinit_init_plg_opts(pkinit_plg_opts **plgopts) opts->dh_or_rsa = DH_PROTOCOL; opts->allow_upn = 0; opts->require_crl_checking = 0; + opts->require_freshness = 0; + opts->disable_freshness = 0; opts->dh_min_bits = PKINIT_DEFAULT_DH_MIN_BITS; @@ -145,6 +147,7 @@ free_krb5_auth_pack(krb5_auth_pack **in) free((*in)->clientPublicValue); } free((*in)->pkAuthenticator.paChecksum.contents); + krb5_free_data(NULL, (*in)->pkAuthenticator.freshnessToken); if ((*in)->supportedCMSTypes != NULL) free_krb5_algorithm_identifiers(&((*in)->supportedCMSTypes)); if ((*in)->supportedKDFs) { diff --git a/src/plugins/preauth/pkinit/pkinit_matching.c b/src/plugins/preauth/pkinit/pkinit_matching.c index a50c50c..afcce3f 100644 --- a/src/plugins/preauth/pkinit/pkinit_matching.c +++ b/src/plugins/preauth/pkinit/pkinit_matching.c @@ -470,7 +470,6 @@ component_match(krb5_context context, { int match = 0; int i; - krb5_principal p; char *princ_string; switch (rc->kwval_type) { @@ -483,15 +482,18 @@ component_match(krb5_context context, match = regexp_match(context, rc, md->issuer_dn); break; case kw_san: - if (md->sans == NULL) - break; - for (i = 0, p = md->sans[i]; p != NULL; p = md->sans[++i]) { - krb5_unparse_name(context, p, &princ_string); + for (i = 0; md->sans != NULL && md->sans[i] != NULL; i++) { + krb5_unparse_name(context, md->sans[i], &princ_string); match = regexp_match(context, rc, princ_string); krb5_free_unparsed_name(context, princ_string); if (match) break; } + for (i = 0; md->upns != NULL && md->upns[i] != NULL; i++) { + match = regexp_match(context, rc, md->upns[i]); + if (match) + break; + } break; default: pkiDebug("%s: keyword %s, keyword value %s mismatch\n", @@ -544,7 +546,7 @@ check_all_certs(krb5_context context, rule_set *rs, /* rule to check */ pkinit_cert_matching_data **matchdata, int *match_found, - pkinit_cert_matching_data **matching_cert) + size_t *match_index) { krb5_error_code retval; pkinit_cert_matching_data *md; @@ -553,12 +555,12 @@ check_all_certs(krb5_context context, int total_cert_matches = 0; rule_component *rc; int certs_checked = 0; - pkinit_cert_matching_data *save_match = NULL; + size_t save_index = 0; - if (match_found == NULL || matching_cert == NULL) + if (match_found == NULL || match_index == NULL) return EINVAL; - *matching_cert = NULL; + *match_index = 0; *match_found = 0; pkiDebug("%s: matching rule relation is %s with %d components\n", @@ -570,15 +572,6 @@ check_all_certs(krb5_context context, */ for (i = 0, md = matchdata[i]; md != NULL; md = matchdata[++i]) { pkiDebug("%s: subject: '%s'\n", __FUNCTION__, md->subject_dn); -#if 0 - pkiDebug("%s: issuer: '%s'\n", __FUNCTION__, md->subject_dn); - for (j = 0, p = md->sans[j]; p != NULL; p = md->sans[++j]) { - char *san_string; - krb5_unparse_name(context, p, &san_string); - pkiDebug("%s: san: '%s'\n", __FUNCTION__, san_string); - krb5_free_unparsed_name(context, san_string); - } -#endif certs_checked++; for (rc = rs->crs; rc != NULL; rc = rc->next) { comp_match = component_match(context, rc, md); @@ -590,7 +583,7 @@ check_all_certs(krb5_context context, pkiDebug("%s: cert matches rule (OR relation)\n", __FUNCTION__); total_cert_matches++; - save_match = md; + save_index = i; goto nextcert; } if (!comp_match && rs->relation == relation_and) { @@ -602,7 +595,7 @@ check_all_certs(krb5_context context, if (rc == NULL && comp_match) { pkiDebug("%s: cert matches rule (AND relation)\n", __FUNCTION__); total_cert_matches++; - save_match = md; + save_index = i; } nextcert: continue; @@ -611,7 +604,7 @@ check_all_certs(krb5_context context, __FUNCTION__, certs_checked, total_cert_matches); if (total_cert_matches == 1) { *match_found = 1; - *matching_cert = save_match; + *match_index = save_index; } retval = 0; @@ -621,111 +614,6 @@ check_all_certs(krb5_context context, return retval; } -static krb5_error_code -free_all_cert_matching_data(krb5_context context, - pkinit_cert_matching_data **matchdata) -{ - krb5_error_code retval; - pkinit_cert_matching_data *md; - int i; - - if (matchdata == NULL) - return EINVAL; - - for (i = 0, md = matchdata[i]; md != NULL; md = matchdata[++i]) { - pkinit_cert_handle ch = md->ch; - retval = crypto_cert_free_matching_data(context, md); - if (retval) { - pkiDebug("%s: crypto_cert_free_matching_data error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - retval = crypto_cert_release(context, ch); - if (retval) { - pkiDebug("%s: crypto_cert_release error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - } - free(matchdata); - retval = 0; - -cleanup: - return retval; -} - -static krb5_error_code -obtain_all_cert_matching_data(krb5_context context, - pkinit_plg_crypto_context plg_cryptoctx, - pkinit_req_crypto_context req_cryptoctx, - pkinit_identity_crypto_context id_cryptoctx, - pkinit_cert_matching_data ***all_matching_data) -{ - krb5_error_code retval; - int i, cert_count; - pkinit_cert_iter_handle ih = NULL; - pkinit_cert_handle ch; - pkinit_cert_matching_data **matchdata = NULL; - - retval = crypto_cert_get_count(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, &cert_count); - if (retval) { - pkiDebug("%s: crypto_cert_get_count error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - - pkiDebug("%s: crypto_cert_get_count says there are %d certs\n", - __FUNCTION__, cert_count); - - matchdata = calloc((size_t)cert_count + 1, sizeof(*matchdata)); - if (matchdata == NULL) - return ENOMEM; - - retval = crypto_cert_iteration_begin(context, plg_cryptoctx, req_cryptoctx, - id_cryptoctx, &ih); - if (retval) { - pkiDebug("%s: crypto_cert_iteration_begin returned %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - - for (i = 0; i < cert_count; i++) { - retval = crypto_cert_iteration_next(context, ih, &ch); - if (retval) { - if (retval == PKINIT_ITER_NO_MORE) - pkiDebug("%s: We thought there were %d certs, but " - "crypto_cert_iteration_next stopped after %d?\n", - __FUNCTION__, cert_count, i); - else - pkiDebug("%s: crypto_cert_iteration_next error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - - retval = crypto_cert_get_matching_data(context, ch, &matchdata[i]); - if (retval) { - pkiDebug("%s: crypto_cert_get_matching_data error %d, %s\n", - __FUNCTION__, retval, error_message(retval)); - goto cleanup; - } - - } - - *all_matching_data = matchdata; - retval = 0; -cleanup: - if (ih != NULL) - crypto_cert_iteration_end(context, ih); - if (retval) { - if (matchdata != NULL) - free_all_cert_matching_data(context, matchdata); - } - pkiDebug("%s: returning %d, certinfo %p\n", - __FUNCTION__, retval, *all_matching_data); - return retval; -} - krb5_error_code pkinit_cert_matching(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, @@ -740,7 +628,7 @@ pkinit_cert_matching(krb5_context context, rule_set *rs = NULL; int match_found = 0; pkinit_cert_matching_data **matchdata = NULL; - pkinit_cert_matching_data *the_matching_cert = NULL; + size_t match_index = 0; /* If no matching rules, select the default cert and we're done */ pkinit_libdefault_strings(context, krb5_princ_realm(context, princ), @@ -777,7 +665,7 @@ pkinit_cert_matching(krb5_context context, * until we are done. */ if (matchdata == NULL) { - retval = obtain_all_cert_matching_data(context, plg_cryptoctx, + retval = crypto_cert_get_matching_data(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, &matchdata); if (retval || matchdata == NULL) { @@ -790,7 +678,7 @@ pkinit_cert_matching(krb5_context context, retval = check_all_certs(context, plg_cryptoctx, req_cryptoctx, id_cryptoctx, princ, rs, matchdata, - &match_found, &the_matching_cert); + &match_found, &match_index); if (retval) { pkiDebug("%s: Error %d, checking certs against rule '%s'\n", __FUNCTION__, retval, rules[x]); @@ -803,26 +691,62 @@ pkinit_cert_matching(krb5_context context, } } - if (match_found && the_matching_cert != NULL) { + if (match_found) { pkiDebug("%s: Selecting the matching cert!\n", __FUNCTION__); - retval = crypto_cert_select(context, the_matching_cert); + retval = crypto_cert_select(context, id_cryptoctx, match_index); if (retval) { pkiDebug("%s: crypto_cert_select error %d, %s\n", __FUNCTION__, retval, error_message(retval)); goto cleanup; } } else { + TRACE_PKINIT_NO_MATCHING_CERT(context); retval = ENOENT; /* XXX */ goto cleanup; } retval = 0; + cleanup: - if (rules != NULL) - profile_free_list(rules); - if (rs != NULL) - free_rule_set(context, rs); - if (matchdata != NULL) - free_all_cert_matching_data(context, matchdata); + profile_free_list(rules); + free_rule_set(context, rs); + crypto_cert_free_matching_data_list(context, matchdata); return retval; } + +krb5_error_code +pkinit_client_cert_match(krb5_context context, + pkinit_plg_crypto_context plgctx, + pkinit_req_crypto_context reqctx, + const char *match_rule, + krb5_boolean *matched) +{ + krb5_error_code ret; + pkinit_cert_matching_data *md = NULL; + rule_component *rc = NULL; + int comp_match = 0; + rule_set *rs = NULL; + + *matched = FALSE; + ret = parse_rule_set(context, match_rule, &rs); + if (ret) + goto cleanup; + + ret = crypto_req_cert_matching_data(context, plgctx, reqctx, &md); + if (ret) + goto cleanup; + + for (rc = rs->crs; rc != NULL; rc = rc->next) { + comp_match = component_match(context, rc, md); + if ((comp_match && rs->relation == relation_or) || + (!comp_match && rs->relation == relation_and)) { + break; + } + } + *matched = comp_match; + +cleanup: + free_rule_set(context, rs); + crypto_cert_free_matching_data(context, md); + return ret; +} diff --git a/src/plugins/preauth/pkinit/pkinit_srv.c b/src/plugins/preauth/pkinit/pkinit_srv.c index 295be25..27e6ef4 100644 --- a/src/plugins/preauth/pkinit/pkinit_srv.c +++ b/src/plugins/preauth/pkinit/pkinit_srv.c @@ -31,6 +31,25 @@ #include #include "pkinit.h" +#include "krb5/certauth_plugin.h" + +/* Aliases used by the built-in certauth modules */ +struct certauth_req_opts { + krb5_kdcpreauth_callbacks cb; + krb5_kdcpreauth_rock rock; + pkinit_kdc_context plgctx; + pkinit_kdc_req_context reqctx; +}; + +typedef struct certauth_module_handle_st { + struct krb5_certauth_vtable_st vt; + krb5_certauth_moddata moddata; +} *certauth_handle; + +struct krb5_kdcpreauth_moddata_st { + pkinit_kdc_context *realm_contexts; + certauth_handle *certauth_modules; +}; static krb5_error_code pkinit_init_kdc_req_context(krb5_context, pkinit_kdc_req_context *blob); @@ -51,6 +70,34 @@ pkinit_find_realm_context(krb5_context context, krb5_kdcpreauth_moddata moddata, krb5_principal princ); +static void +free_realm_contexts(krb5_context context, pkinit_kdc_context *realm_contexts) +{ + int i; + + if (realm_contexts == NULL) + return; + for (i = 0; realm_contexts[i] != NULL; i++) + pkinit_server_plugin_fini_realm(context, realm_contexts[i]); + pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts); + free(realm_contexts); +} + +static void +free_certauth_handles(krb5_context context, certauth_handle *list) +{ + int i; + + if (list == NULL) + return; + for (i = 0; list[i] != NULL; i++) { + if (list[i]->vt.fini != NULL) + list[i]->vt.fini(context, list[i]->moddata); + free(list[i]); + } + free(list); +} + static krb5_error_code pkinit_create_edata(krb5_context context, pkinit_plg_crypto_context plg_cryptoctx, @@ -114,6 +161,10 @@ pkinit_server_get_edata(krb5_context context, if (plgctx == NULL) retval = EINVAL; + /* Send a freshness token if the client requested one. */ + if (!retval) + cb->send_freshness_token(context, rock); + (*respond)(arg, retval, NULL); } @@ -121,17 +172,21 @@ static krb5_error_code verify_client_san(krb5_context context, pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx, - krb5_principal client, + krb5_kdcpreauth_callbacks cb, + krb5_kdcpreauth_rock rock, + krb5_const_principal client, int *valid_san) { krb5_error_code retval; - krb5_principal *princs = NULL; - krb5_principal *upns = NULL; + krb5_principal *princs = NULL, upn; + krb5_boolean match; + char **upns = NULL; int i; #ifdef DEBUG_SAN_INFO char *client_string = NULL, *san_string; #endif + *valid_san = 0; retval = crypto_retrieve_cert_sans(context, plgctx->cryptoctx, reqctx->cryptoctx, plgctx->idctx, &princs, @@ -142,23 +197,12 @@ verify_client_san(krb5_context context, retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; goto out; } - /* XXX Verify this is consistent with client side XXX */ -#if 0 - retval = call_san_checking_plugins(context, plgctx, reqctx, princs, - upns, NULL, &plugin_decision, &ignore); - pkiDebug("%s: call_san_checking_plugins() returned retval %d\n", - __FUNCTION__); - if (retval) { - retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; - goto cleanup; - } - pkiDebug("%s: call_san_checking_plugins() returned decision %d\n", - __FUNCTION__, plugin_decision); - if (plugin_decision != NO_DECISION) { - retval = plugin_decision; + + if (princs == NULL && upns == NULL) { + TRACE_PKINIT_SERVER_NO_SAN(context); + retval = ENOENT; goto out; } -#endif #ifdef DEBUG_SAN_INFO krb5_unparse_name(context, client, &client_string); @@ -171,8 +215,8 @@ verify_client_san(krb5_context context, __FUNCTION__, client_string, san_string); krb5_free_unparsed_name(context, san_string); #endif - if (krb5_principal_compare(context, princs[i], client)) { - pkiDebug("%s: pkinit san match found\n", __FUNCTION__); + if (cb->match_client(context, rock, princs[i])) { + TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(context); *valid_san = 1; retval = 0; goto out; @@ -194,13 +238,19 @@ verify_client_san(krb5_context context, pkiDebug("%s: Checking upn sans\n", __FUNCTION__); for (i = 0; upns[i] != NULL; i++) { #ifdef DEBUG_SAN_INFO - krb5_unparse_name(context, upns[i], &san_string); pkiDebug("%s: Comparing client '%s' to upn san value '%s'\n", - __FUNCTION__, client_string, san_string); - krb5_free_unparsed_name(context, san_string); + __FUNCTION__, client_string, upns[i]); #endif - if (krb5_principal_compare(context, upns[i], client)) { - pkiDebug("%s: upn san match found\n", __FUNCTION__); + retval = krb5_parse_name_flags(context, upns[i], + KRB5_PRINCIPAL_PARSE_ENTERPRISE, &upn); + if (retval) { + TRACE_PKINIT_SERVER_UPN_PARSE_FAIL(context, upns[i], retval); + continue; + } + match = cb->match_client(context, rock, upn); + krb5_free_principal(context, upn); + if (match) { + TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(context); *valid_san = 1; retval = 0; goto out; @@ -225,7 +275,7 @@ out: } if (upns != NULL) { for (i = 0; upns[i] != NULL; i++) - krb5_free_principal(context, upns[i]); + free(upns[i]); free(upns); } #ifdef DEBUG_SAN_INFO @@ -248,7 +298,7 @@ verify_client_eku(krb5_context context, *eku_accepted = 0; if (plgctx->opts->require_eku == 0) { - pkiDebug("%s: configuration requests no EKU checking\n", __FUNCTION__); + TRACE_PKINIT_SERVER_EKU_SKIP(context); *eku_accepted = 1; retval = 0; goto out; @@ -271,6 +321,99 @@ out: return retval; } + +/* Run the received, verified certificate through certauth modules, to verify + * that it is authorized to authenticate as client. */ +static krb5_error_code +authorize_cert(krb5_context context, certauth_handle *certauth_modules, + pkinit_kdc_context plgctx, pkinit_kdc_req_context reqctx, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_principal client) +{ + krb5_error_code ret; + certauth_handle h; + struct certauth_req_opts opts; + krb5_boolean accepted = FALSE; + uint8_t *cert; + size_t i, cert_len; + void *db_ent = NULL; + char **ais = NULL, **ai = NULL; + + /* Re-encode the received certificate into DER, which is extra work, but + * avoids creating an X.509 library dependency in the interface. */ + ret = crypto_encode_der_cert(context, reqctx->cryptoctx, &cert, &cert_len); + if (ret) + goto cleanup; + + /* Set options for the builtin module. */ + opts.plgctx = plgctx; + opts.reqctx = reqctx; + opts.cb = cb; + opts.rock = rock; + + db_ent = cb->client_entry(context, rock); + + /* + * Check the certificate against each certauth module. For the certificate + * to be authorized at least one module must return 0, and no module can an + * error code other than KRB5_PLUGIN_NO_HANDLE (pass). Add indicators from + * modules that return 0 or pass. + */ + ret = KRB5_PLUGIN_NO_HANDLE; + for (i = 0; certauth_modules != NULL && certauth_modules[i] != NULL; i++) { + h = certauth_modules[i]; + TRACE_PKINIT_SERVER_CERT_AUTH(context, h->vt.name); + ret = h->vt.authorize(context, h->moddata, cert, cert_len, client, + &opts, db_ent, &ais); + if (ret == 0) + accepted = TRUE; + else if (ret != KRB5_PLUGIN_NO_HANDLE) + goto cleanup; + + if (ais != NULL) { + /* Assert authentication indicators from the module. */ + for (ai = ais; *ai != NULL; ai++) { + ret = cb->add_auth_indicator(context, rock, *ai); + if (ret) + goto cleanup; + } + h->vt.free_ind(context, h->moddata, ais); + ais = NULL; + } + } + + ret = accepted ? 0 : KRB5KDC_ERR_CLIENT_NAME_MISMATCH; + +cleanup: + free(cert); + return ret; +} + +/* Return an error if freshness tokens are required and one was not received. + * Log an appropriate message indicating whether a valid token was received. */ +static krb5_error_code +check_log_freshness(krb5_context context, pkinit_kdc_context plgctx, + krb5_kdc_req *request, krb5_boolean valid_freshness_token) +{ + krb5_error_code ret; + char *name = NULL; + + ret = krb5_unparse_name(context, request->client, &name); + if (ret) + return ret; + if (plgctx->opts->require_freshness && !valid_freshness_token) { + com_err("", 0, _("PKINIT: no freshness token, rejecting auth from %s"), + name); + ret = KRB5KDC_ERR_PREAUTH_FAILED; + } else if (valid_freshness_token) { + com_err("", 0, _("PKINIT: freshness token received from %s"), name); + } else { + com_err("", 0, _("PKINIT: no freshness token received from %s"), name); + } + krb5_free_unparsed_name(context, name); + return ret; +} + static void pkinit_server_verify_padata(krb5_context context, krb5_data *req_pkt, @@ -293,11 +436,11 @@ pkinit_server_verify_padata(krb5_context context, pkinit_kdc_req_context reqctx = NULL; krb5_checksum cksum = {0, 0, 0, NULL}; krb5_data *der_req = NULL; - int valid_eku = 0, valid_san = 0; - krb5_data k5data; + krb5_data k5data, *ftoken; int is_signed = 1; krb5_pa_data **e_data = NULL; krb5_kdcpreauth_modreq modreq = NULL; + krb5_boolean valid_freshness_token = FALSE; char **sp; pkiDebug("pkinit_verify_padata: entered!\n"); @@ -331,7 +474,7 @@ pkinit_server_verify_padata(krb5_context context, switch ((int)data->pa_type) { case KRB5_PADATA_PK_AS_REQ: - pkiDebug("processing KRB5_PADATA_PK_AS_REQ\n"); + TRACE_PKINIT_SERVER_PADATA_VERIFY(context); retval = k5int_decode_krb5_pa_pk_as_req(&k5data, &reqp); if (retval) { pkiDebug("decode_krb5_pa_pk_as_req failed\n"); @@ -354,7 +497,7 @@ pkinit_server_verify_padata(krb5_context context, break; case KRB5_PADATA_PK_AS_REP_OLD: case KRB5_PADATA_PK_AS_REQ_OLD: - pkiDebug("processing KRB5_PADATA_PK_AS_REQ_OLD\n"); + TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(context); retval = k5int_decode_krb5_pa_pk_as_req_draft9(&k5data, &reqp9); if (retval) { pkiDebug("decode_krb5_pa_pk_as_req_draft9 failed\n"); @@ -382,31 +525,15 @@ pkinit_server_verify_padata(krb5_context context, goto cleanup; } if (retval) { - pkiDebug("pkcs7_signeddata_verify failed\n"); + TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(context); goto cleanup; } if (is_signed) { - - retval = verify_client_san(context, plgctx, reqctx, request->client, - &valid_san); - if (retval) - goto cleanup; - if (!valid_san) { - pkiDebug("%s: did not find an acceptable SAN in user " - "certificate\n", __FUNCTION__); - retval = KRB5KDC_ERR_CLIENT_NAME_MISMATCH; - goto cleanup; - } - retval = verify_client_eku(context, plgctx, reqctx, &valid_eku); + retval = authorize_cert(context, moddata->certauth_modules, plgctx, + reqctx, cb, rock, request->client); if (retval) goto cleanup; - if (!valid_eku) { - pkiDebug("%s: did not find an acceptable EKU in user " - "certificate\n", __FUNCTION__); - retval = KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; - goto cleanup; - } } else { /* !is_signed */ if (!krb5_principal_compare(context, request->client, krb5_anonymous_principal())) { @@ -484,6 +611,14 @@ pkinit_server_verify_padata(krb5_context context, goto cleanup; } + ftoken = auth_pack->pkAuthenticator.freshnessToken; + if (ftoken != NULL) { + retval = cb->check_freshness_token(context, rock, ftoken); + if (retval) + goto cleanup; + valid_freshness_token = TRUE; + } + /* check if kdcPkId present and match KDC's subjectIdentifier */ if (reqp->kdcPkId.data != NULL) { int valid_kdcPkId = 0; @@ -526,6 +661,13 @@ pkinit_server_verify_padata(krb5_context context, break; } + if (is_signed) { + retval = check_log_freshness(context, plgctx, request, + valid_freshness_token); + if (retval) + goto cleanup; + } + if (is_signed && plgctx->auth_indicators != NULL) { /* Assert configured authentication indicators. */ for (sp = plgctx->auth_indicators; *sp != NULL; sp++) { @@ -728,7 +870,7 @@ pkinit_server_return_padata(krb5_context context, return ENOENT; } - pkiDebug("pkinit_return_padata: entered!\n"); + TRACE_PKINIT_SERVER_RETURN_PADATA(context); reqctx = (pkinit_kdc_req_context)modreq; if (encrypting_key->contents) { @@ -1150,7 +1292,7 @@ static krb5_error_code pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) { krb5_error_code retval; - char *eku_string = NULL; + char *eku_string = NULL, *ocsp_check = NULL; pkiDebug("%s: entered for realm %s\n", __FUNCTION__, plgctx->realmname); retval = pkinit_kdcdefault_string(context, plgctx->realmname, @@ -1185,7 +1327,15 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_KDC_OCSP, - &plgctx->idopts->ocsp); + &ocsp_check); + if (ocsp_check != NULL) { + free(ocsp_check); + retval = ENOTSUP; + krb5_set_error_message(context, retval, + _("OCSP is not supported: (realm: %s)"), + plgctx->realmname); + goto errout; + } pkinit_kdcdefault_integer(context, plgctx->realmname, KRB5_CONF_PKINIT_DH_MIN_BITS, @@ -1207,6 +1357,10 @@ pkinit_init_kdc_profile(krb5_context context, pkinit_kdc_context plgctx) KRB5_CONF_PKINIT_REQUIRE_CRL_CHECKING, 0, &plgctx->opts->require_crl_checking); + pkinit_kdcdefault_boolean(context, plgctx->realmname, + KRB5_CONF_PKINIT_REQUIRE_FRESHNESS, + 0, &plgctx->opts->require_freshness); + pkinit_kdcdefault_string(context, plgctx->realmname, KRB5_CONF_PKINIT_EKU_CHECKING, &eku_string); @@ -1243,11 +1397,15 @@ pkinit_find_realm_context(krb5_context context, krb5_principal princ) { int i; - pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata; + pkinit_kdc_context *realm_contexts; if (moddata == NULL) return NULL; + realm_contexts = moddata->realm_contexts; + if (realm_contexts == NULL) + return NULL; + for (i = 0; realm_contexts[i] != NULL; i++) { pkinit_kdc_context p = realm_contexts[i]; @@ -1329,6 +1487,211 @@ errout: return retval; } +static krb5_error_code +pkinit_san_authorize(krb5_context context, krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out) +{ + krb5_error_code ret; + int valid_san; + const struct certauth_req_opts *req_opts = opts; + + *authinds_out = NULL; + + ret = verify_client_san(context, req_opts->plgctx, req_opts->reqctx, + req_opts->cb, req_opts->rock, princ, &valid_san); + if (ret == ENOENT) + return KRB5_PLUGIN_NO_HANDLE; + else if (ret) + return ret; + + if (!valid_san) { + TRACE_PKINIT_SERVER_SAN_REJECT(context); + return KRB5KDC_ERR_CLIENT_NAME_MISMATCH; + } + + return 0; +} + +static krb5_error_code +pkinit_eku_authorize(krb5_context context, krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out) +{ + krb5_error_code ret; + int valid_eku; + const struct certauth_req_opts *req_opts = opts; + + *authinds_out = NULL; + + /* Verify the client EKU. */ + ret = verify_client_eku(context, req_opts->plgctx, req_opts->reqctx, + &valid_eku); + if (ret) + return ret; + + if (!valid_eku) { + TRACE_PKINIT_SERVER_EKU_REJECT(context); + return KRB5KDC_ERR_INCONSISTENT_KEY_PURPOSE; + } + + return KRB5_PLUGIN_NO_HANDLE; +} + +static krb5_error_code +certauth_pkinit_san_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_certauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_certauth_vtable)vtable; + vt->name = "pkinit_san"; + vt->authorize = pkinit_san_authorize; + return 0; +} + +static krb5_error_code +certauth_pkinit_eku_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_certauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_certauth_vtable)vtable; + vt->name = "pkinit_eku"; + vt->authorize = pkinit_eku_authorize; + return 0; +} + +/* + * Do certificate auth based on a match expression in the pkinit_cert_match + * attribute string. An expression should be in the same form as those used + * for the pkinit_cert_match configuration option. + */ +static krb5_error_code +dbmatch_authorize(krb5_context context, krb5_certauth_moddata moddata, + const uint8_t *cert, size_t cert_len, + krb5_const_principal princ, const void *opts, + const struct _krb5_db_entry_new *db_entry, + char ***authinds_out) +{ + krb5_error_code ret; + const struct certauth_req_opts *req_opts = opts; + char *pattern; + krb5_boolean matched; + + *authinds_out = NULL; + + /* Fetch the matching pattern. Pass if it isn't specified. */ + ret = req_opts->cb->get_string(context, req_opts->rock, + "pkinit_cert_match", &pattern); + if (ret) + return ret; + if (pattern == NULL) + return KRB5_PLUGIN_NO_HANDLE; + + /* Check the certificate against the match expression. */ + ret = pkinit_client_cert_match(context, req_opts->plgctx->cryptoctx, + req_opts->reqctx->cryptoctx, pattern, + &matched); + req_opts->cb->free_string(context, req_opts->rock, pattern); + if (ret) + return ret; + return matched ? 0 : KRB5KDC_ERR_CERTIFICATE_MISMATCH; +} + +static krb5_error_code +certauth_dbmatch_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_certauth_vtable vt; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_certauth_vtable)vtable; + vt->name = "dbmatch"; + vt->authorize = dbmatch_authorize; + return 0; +} + +static krb5_error_code +load_certauth_plugins(krb5_context context, certauth_handle **handle_out) +{ + krb5_error_code ret; + krb5_plugin_initvt_fn *modules = NULL, *mod; + certauth_handle *list = NULL, h; + size_t count; + + /* Register the builtin modules. */ + ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, + "pkinit_san", certauth_pkinit_san_initvt); + if (ret) + goto cleanup; + + ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, + "pkinit_eku", certauth_pkinit_eku_initvt); + if (ret) + goto cleanup; + + ret = k5_plugin_register(context, PLUGIN_INTERFACE_CERTAUTH, "dbmatch", + certauth_dbmatch_initvt); + if (ret) + goto cleanup; + + ret = k5_plugin_load_all(context, PLUGIN_INTERFACE_CERTAUTH, &modules); + if (ret) + goto cleanup; + + /* Allocate handle list. */ + for (count = 0; modules[count]; count++); + list = k5calloc(count + 1, sizeof(*list), &ret); + if (list == NULL) + goto cleanup; + + /* Initialize each module, ignoring ones that fail. */ + count = 0; + for (mod = modules; *mod != NULL; mod++) { + h = k5calloc(1, sizeof(*h), &ret); + if (h == NULL) + goto cleanup; + + ret = (*mod)(context, 1, 1, (krb5_plugin_vtable)&h->vt); + if (ret) { + TRACE_CERTAUTH_VTINIT_FAIL(context, ret); + free(h); + continue; + } + h->moddata = NULL; + if (h->vt.init != NULL) { + ret = h->vt.init(context, &h->moddata); + if (ret) { + TRACE_CERTAUTH_INIT_FAIL(context, h->vt.name, ret); + free(h); + continue; + } + } + list[count++] = h; + list[count] = NULL; + } + list[count] = NULL; + + ret = 0; + *handle_out = list; + list = NULL; + +cleanup: + k5_plugin_free_modules(context, modules); + free_certauth_handles(context, list); + return ret; +} + static int pkinit_server_plugin_init(krb5_context context, krb5_kdcpreauth_moddata *moddata_out, @@ -1336,6 +1699,8 @@ pkinit_server_plugin_init(krb5_context context, { krb5_error_code retval = ENOMEM; pkinit_kdc_context plgctx, *realm_contexts = NULL; + certauth_handle *certauth_modules = NULL; + krb5_kdcpreauth_moddata moddata; size_t i, j; size_t numrealms; @@ -1352,30 +1717,43 @@ pkinit_server_plugin_init(krb5_context context, return ENOMEM; for (i = 0, j = 0; i < numrealms; i++) { - pkiDebug("%s: processing realm '%s'\n", __FUNCTION__, realmnames[i]); - retval = pkinit_server_plugin_init_realm(context, realmnames[i], &plgctx); - if (retval == 0 && plgctx != NULL) + TRACE_PKINIT_SERVER_INIT_REALM(context, realmnames[i]); + krb5_clear_error_message(context); + retval = pkinit_server_plugin_init_realm(context, realmnames[i], + &plgctx); + if (retval) + TRACE_PKINIT_SERVER_INIT_FAIL(context, realmnames[i], retval); + else realm_contexts[j++] = plgctx; } if (j == 0) { - retval = EINVAL; - krb5_set_error_message(context, retval, - _("No realms configured correctly for pkinit " - "support")); + if (numrealms == 1) { + k5_prependmsg(context, retval, "PKINIT initialization failed"); + } else { + retval = EINVAL; + k5_setmsg(context, retval, + _("No realms configured correctly for pkinit support")); + } goto errout; } - *moddata_out = (krb5_kdcpreauth_moddata)realm_contexts; - retval = 0; - pkiDebug("%s: returning context at %p\n", __FUNCTION__, realm_contexts); + retval = load_certauth_plugins(context, &certauth_modules); + if (retval) + goto errout; -errout: - if (retval) { - pkinit_server_plugin_fini(context, - (krb5_kdcpreauth_moddata)realm_contexts); - } + moddata = k5calloc(1, sizeof(*moddata), &retval); + if (moddata == NULL) + goto errout; + moddata->realm_contexts = realm_contexts; + moddata->certauth_modules = certauth_modules; + *moddata_out = moddata; + pkiDebug("%s: returning context at %p\n", __FUNCTION__, moddata); + return 0; +errout: + free_realm_contexts(context, realm_contexts); + free_certauth_handles(context, certauth_modules); return retval; } @@ -1403,17 +1781,11 @@ static void pkinit_server_plugin_fini(krb5_context context, krb5_kdcpreauth_moddata moddata) { - pkinit_kdc_context *realm_contexts = (pkinit_kdc_context *)moddata; - int i; - - if (realm_contexts == NULL) + if (moddata == NULL) return; - - for (i = 0; realm_contexts[i] != NULL; i++) { - pkinit_server_plugin_fini_realm(context, realm_contexts[i]); - } - pkiDebug("%s: freeing context at %p\n", __FUNCTION__, realm_contexts); - free(realm_contexts); + free_realm_contexts(context, moddata->realm_contexts); + free_certauth_handles(context, moddata->certauth_modules); + free(moddata); } static krb5_error_code diff --git a/src/plugins/preauth/pkinit/pkinit_trace.h b/src/plugins/preauth/pkinit/pkinit_trace.h index b3f5cbb..4da735f 100644 --- a/src/plugins/preauth/pkinit/pkinit_trace.h +++ b/src/plugins/preauth/pkinit/pkinit_trace.h @@ -41,18 +41,22 @@ TRACE(c, "PKINIT client found no acceptable EKU in KDC cert") #define TRACE_PKINIT_CLIENT_EKU_SKIP(c) \ TRACE(c, "PKINIT client skipping EKU check due to configuration") +#define TRACE_PKINIT_CLIENT_FRESHNESS_TOKEN(c) \ + TRACE(c, "PKINIT client received freshness token from KDC") #define TRACE_PKINIT_CLIENT_KDF_ALG(c, kdf, keyblock) \ TRACE(c, "PKINIT client used KDF {hexdata} to compute reply key " \ "{keyblock}", kdf, keyblock) #define TRACE_PKINIT_CLIENT_KDF_OS2K(c, keyblock) \ TRACE(c, "PKINIT client used octetstring2key to compute reply key " \ "{keyblock}", keyblock) +#define TRACE_PKINIT_CLIENT_NO_DRAFT9(c) \ + TRACE(c, "PKINIT client ignoring draft 9 offer from RFC 4556 KDC") #define TRACE_PKINIT_CLIENT_NO_IDENTITY(c) \ TRACE(c, "PKINIT client has no configured identity; giving up") #define TRACE_PKINIT_CLIENT_REP_CHECKSUM_FAIL(c, expected, received) \ TRACE(c, "PKINIT client checksum mismatch: expected {cksum}, " \ "received {cksum}", expected, received) -#define TRACE_PKINIT_CLIENT_REP_DH(c) \ +#define TRACE_PKINIT_CLIENT_REP_DH(c) \ TRACE(c, "PKINIT client verified DH reply") #define TRACE_PKINIT_CLIENT_REP_DH_FAIL(c) \ TRACE(c, "PKINIT client could not verify DH reply") @@ -70,9 +74,9 @@ #define TRACE_PKINIT_CLIENT_REQ_RSA(c) \ TRACE(c, "PKINIT client making RSA request") #define TRACE_PKINIT_CLIENT_SAN_CONFIG_DNSNAME(c, host) \ - TRACE(c, "PKINIT client config accepts KDC dNSName SAN {string}", host) + TRACE(c, "PKINIT client config accepts KDC dNSName SAN {str}", host) #define TRACE_PKINIT_CLIENT_SAN_MATCH_DNSNAME(c, host) \ - TRACE(c, "PKINIT client matched KDC hostname {string} against " \ + TRACE(c, "PKINIT client matched KDC hostname {str} against " \ "dNSName SAN; EKU check still required", host) #define TRACE_PKINIT_CLIENT_SAN_MATCH_NONE(c) \ TRACE(c, "PKINIT client found no acceptable SAN in KDC cert") @@ -82,7 +86,7 @@ #define TRACE_PKINIT_CLIENT_SAN_ERR(c) \ TRACE(c, "PKINIT client failed to decode SANs in KDC cert") #define TRACE_PKINIT_CLIENT_SAN_KDCCERT_DNSNAME(c, host) \ - TRACE(c, "PKINIT client found dNSName SAN in KDC cert: {string}", host) + TRACE(c, "PKINIT client found dNSName SAN in KDC cert: {str}", host) #define TRACE_PKINIT_CLIENT_SAN_KDCCERT_PRINC(c, princ) \ TRACE(c, "PKINIT client found id-pkinit-san in KDC cert: {princ}", princ) #define TRACE_PKINIT_CLIENT_TRYAGAIN(c) \ @@ -91,4 +95,81 @@ #define TRACE_PKINIT_OPENSSL_ERROR(c, msg) \ TRACE(c, "PKINIT OpenSSL error: {str}", msg) +#define TRACE_PKINIT_SERVER_CERT_AUTH(c, modname) \ + TRACE(c, "PKINIT server authorizing cert with module {str}", \ + modname) +#define TRACE_PKINIT_SERVER_EKU_REJECT(c) \ + TRACE(c, "PKINIT server found no acceptable EKU in client cert") +#define TRACE_PKINIT_SERVER_EKU_SKIP(c) \ + TRACE(c, "PKINIT server skipping EKU check due to configuration") +#define TRACE_PKINIT_SERVER_INIT_REALM(c, realm) \ + TRACE(c, "PKINIT server initializing realm {str}", realm) +#define TRACE_PKINIT_SERVER_INIT_FAIL(c, realm, retval) \ + TRACE(c, "PKINIT server initialization failed for realm {str}: {kerr}", \ + realm, retval) +#define TRACE_PKINIT_SERVER_MATCHING_UPN_FOUND(c) \ + TRACE(c, "PKINIT server found a matching UPN SAN in client cert") +#define TRACE_PKINIT_SERVER_MATCHING_SAN_FOUND(c) \ + TRACE(c, "PKINIT server found a matching SAN in client cert") +#define TRACE_PKINIT_SERVER_NO_SAN(c) \ + TRACE(c, "PKINIT server found no SAN in client cert") +#define TRACE_PKINIT_SERVER_PADATA_VERIFY(c) \ + TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ") +#define TRACE_PKINIT_SERVER_PADATA_VERIFY_OLD(c) \ + TRACE(c, "PKINIT server verifying KRB5_PADATA_PK_AS_REQ_OLD") +#define TRACE_PKINIT_SERVER_PADATA_VERIFY_FAIL(c) \ + TRACE(c, "PKINIT server failed to verify PA data") +#define TRACE_PKINIT_SERVER_RETURN_PADATA(c) \ + TRACE(c, "PKINIT server returning PA data") +#define TRACE_PKINIT_SERVER_SAN_REJECT(c) \ + TRACE(c, "PKINIT server found no acceptable SAN in client cert") +#define TRACE_PKINIT_SERVER_UPN_PARSE_FAIL(c, upn, ret) \ + TRACE(c, "PKINIT server could not parse UPN \"{str}\": {kerr}", \ + upn, ret) + +#define TRACE_PKINIT_EKU(c) \ + TRACE(c, "PKINIT found acceptable EKU and digitalSignature KU") +#define TRACE_PKINIT_EKU_NO_KU(c) \ + TRACE(c, "PKINIT found acceptable EKU but no digitalSignature KU") +#define TRACE_PKINIT_LOADED_CERT(c, name) \ + TRACE(c, "PKINIT loaded cert and key for {str}", name) +#define TRACE_PKINIT_LOAD_FROM_FILE(c) \ + TRACE(c, "PKINIT loading CA certs and CRLs from FILE") +#define TRACE_PKINIT_LOAD_FROM_DIR(c) \ + TRACE(c, "PKINIT loading CA certs and CRLs from DIR") +#define TRACE_PKINIT_NO_CA_ANCHOR(c, file) \ + TRACE(c, "PKINIT no anchor CA in file {str}", file) +#define TRACE_PKINIT_NO_CA_INTERMEDIATE(c, file) \ + TRACE(c, "PKINIT no intermediate CA in file {str}", file) +#define TRACE_PKINIT_NO_CERT(c) \ + TRACE(c, "PKINIT no certificate provided") +#define TRACE_PKINIT_NO_CERT_AND_KEY(c, dirname) \ + TRACE(c, "PKINIT no cert and key pair found in directory {str}", \ + dirname) +#define TRACE_PKINIT_NO_CRL(c, file) \ + TRACE(c, "PKINIT no CRL in file {str}", file) +#define TRACE_PKINIT_NO_DEFAULT_CERT(c, count) \ + TRACE(c, "PKINIT error: There are {int} certs, but there must " \ + "be exactly one.", count) +#define TRACE_PKINIT_NO_MATCHING_CERT(c) \ + TRACE(c, "PKINIT no matching certificate found") +#define TRACE_PKINIT_NO_PRIVKEY(c) \ + TRACE(c, "PKINIT no private key provided") +#define TRACE_PKINIT_PKCS_DECODE_FAIL(c, name) \ + TRACE(c, "PKINIT failed to decode PKCS12 file {str} contents", name) +#define TRACE_PKINIT_PKCS_OPEN_FAIL(c, name, err) \ + TRACE(c, "PKINIT failed to open PKCS12 file {str}: err {errno}", \ + name, err) +#define TRACE_PKINIT_PKCS_PARSE_FAIL_FIRST(c) \ + TRACE(c, "PKINIT initial PKCS12_parse with no password failed") +#define TRACE_PKINIT_PKCS_PARSE_FAIL_SECOND(c) \ + TRACE(c, "PKINIT second PKCS12_parse with password failed") +#define TRACE_PKINIT_PKCS_PROMPT_FAIL(c) \ + TRACE(c, "PKINIT failed to prompt for PKCS12 password") + +#define TRACE_CERTAUTH_VTINIT_FAIL(c, ret) \ + TRACE(c, "certauth module failed to init vtable: {kerr}", ret) +#define TRACE_CERTAUTH_INIT_FAIL(c, name, ret) \ + TRACE(c, "certauth module {str} failed to init: {kerr}", name, ret) + #endif /* PKINIT_TRACE_H */ diff --git a/src/plugins/preauth/securid_sam2/grail.c b/src/plugins/preauth/securid_sam2/grail.c index 18d48f9..48b61b0 100644 --- a/src/plugins/preauth/securid_sam2/grail.c +++ b/src/plugins/preauth/securid_sam2/grail.c @@ -213,8 +213,7 @@ verify_grail_data(krb5_context context, krb5_db_entry *client, return KRB5KDC_ERR_PREAUTH_FAILED; ret = krb5_dbe_find_enctype(context, client, - sr2->sam_enc_nonce_or_sad.enctype, - KRB5_KDB_SALTTYPE_NORMAL, + sr2->sam_enc_nonce_or_sad.enctype, -1, sr2->sam_enc_nonce_or_sad.kvno, &client_key_data); if (ret) diff --git a/src/plugins/preauth/securid_sam2/securid2.c b/src/plugins/preauth/securid_sam2/securid2.c index ca99ce3..363e17a 100644 --- a/src/plugins/preauth/securid_sam2/securid2.c +++ b/src/plugins/preauth/securid_sam2/securid2.c @@ -313,8 +313,7 @@ verify_securid_data_2(krb5_context context, krb5_db_entry *client, } retval = krb5_dbe_find_enctype(context, client, - sr2->sam_enc_nonce_or_sad.enctype, - KRB5_KDB_SALTTYPE_NORMAL, + sr2->sam_enc_nonce_or_sad.enctype, -1, sr2->sam_enc_nonce_or_sad.kvno, &client_key_data); if (retval) { diff --git a/src/plugins/preauth/spake/AUTHORS b/src/plugins/preauth/spake/AUTHORS new file mode 100644 index 0000000..31d71c2 --- /dev/null +++ b/src/plugins/preauth/spake/AUTHORS @@ -0,0 +1,16 @@ +# This is the official list of fiat-crypto authors for copyright purposes. +# This file is distinct from the CONTRIBUTORS files. +# See the latter for an explanation. + +# Names should be added to this file as one of +# Organization's name +# Individual's name +# Individual's name +# See CONTRIBUTORS for the meaning of multiple email addresses. + +# Please keep the list sorted. + +Andres Erbsen +Google Inc. +Jade Philipoom +Massachusetts Institute of Technology diff --git a/src/plugins/preauth/spake/Makefile.in b/src/plugins/preauth/spake/Makefile.in new file mode 100644 index 0000000..b51d4d6 --- /dev/null +++ b/src/plugins/preauth/spake/Makefile.in @@ -0,0 +1,60 @@ +mydir=plugins$(S)preauth$(S)spake +BUILDTOP=$(REL)..$(S)..$(S).. +MODULE_INSTALL_DIR = $(KRB5_PA_MODULE_DIR) + +# Like RUN_TEST, but use t_krb5.conf from this directory. +RUN_TEST_LOCAL_CONF=$(RUN_SETUP) KRB5_CONFIG=$(srcdir)/t_krb5.conf LC_ALL=C \ + $(VALGRIND) + +LIBBASE=spake +LIBMAJOR=0 +LIBMINOR=0 +RELDIR=../plugins/preauth/spake +SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) +SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) $(SPAKE_OPENSSL_LIBS) + +WINLIBS = $(SLIB) $(KLIB) $(CLIB) + +STLIBOBJS=util.o iana.o groups.o openssl.o edwards25519.o \ + spake_client.o spake_kdc.o + +SRCS= \ + $(srcdir)/util.c \ + $(srcdir)/iana.c \ + $(srcdir)/groups.c \ + $(srcdir)/openssl.c \ + $(srcdir)/edwards25519.c \ + $(srcdir)/spake_client.c \ + $(srcdir)/spake_kdc.c + +# Don't include spake_kdc.c in the Windows object list since we don't +# need it. +OBJS= $(OUTPRE)util.$(OBJEXT) \ + $(OUTPRE)iana.$(OBJEXT) \ + $(OUTPRE)groups.$(OBJEXT) \ + $(OUTPRE)openssl.$(OBJEXT) \ + $(OUTPRE)edwards25519.$(OBJEXT) \ + $(OUTPRE)spake_client.$(OBJEXT) + +t_vectors: t_vectors.o $(STLIBOBJS) $(SHLIB_EXPDEPS) + $(CC_LINK) -o $@ t_vectors.o $(STLIBOBJS) $(SHLIB_EXPLIBS) + +all-unix: all-liblinks +install-unix: install-libs +clean-unix:: clean-liblinks clean-libs clean-libobjs + +clean: + $(RM) t_vectors t_vectors.o $(STLIBOBJS) + +check-unix: t_vectors + $(RUN_TEST_LOCAL_CONF) ./t_vectors + +all-windows: $(OUTPRE)$(SPAKELIB).dll +clean-windows:: + $(RM) $(OUTPRE)$(SPAKELIB).dll + +$(OUTPRE)$(SPAKELIB).dll: spake.def $(OBJS) + link /dll $(LOPTS) -def:spake.def -out:$*.dll $(OBJS) $(WINLIBS) + +@libnover_frag@ +@libobj_frag@ diff --git a/src/plugins/preauth/spake/deps b/src/plugins/preauth/spake/deps new file mode 100644 index 0000000..ce636af --- /dev/null +++ b/src/plugins/preauth/spake/deps @@ -0,0 +1,73 @@ +# +# Generated makefile dependencies follow. +# +util.so util.po $(OUTPRE)util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h groups.h iana.h \ + trace.h util.c util.h +iana.so iana.po $(OUTPRE)iana.$(OBJEXT): iana.c iana.h +groups.so groups.po $(OUTPRE)groups.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h groups.c groups.h \ + iana.h trace.h +openssl.so openssl.po $(OUTPRE)openssl.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h groups.h iana.h \ + openssl.c +edwards25519.so edwards25519.po $(OUTPRE)edwards25519.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + edwards25519.c edwards25519_tables.h groups.h iana.h +spake_client.so spake_client.po $(OUTPRE)spake_client.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ + $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-spake.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ + $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ + groups.h iana.h spake_client.c trace.h util.h +spake_kdc.so spake_kdc.po $(OUTPRE)spake_kdc.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(BUILDTOP)/include/krb5/krb5.h \ + $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ + $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-input.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ + $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/kdcpreauth_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h groups.h iana.h \ + spake_kdc.c trace.h util.h diff --git a/src/plugins/preauth/spake/edwards25519.c b/src/plugins/preauth/spake/edwards25519.c new file mode 100644 index 0000000..c766c28 --- /dev/null +++ b/src/plugins/preauth/spake/edwards25519.c @@ -0,0 +1,2644 @@ +/* -*- mode: c; c-basic-offset: 2; indent-tabs-mode: nil -*- */ +/* This file is adapted from the SPAKE edwards25519 code in BoringSSL. */ +/* + * The MIT License (MIT) + * + * Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file). + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to + * deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or + * sell copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS + * IN THE SOFTWARE. + */ +/* + * Copyright (c) 2015-2016, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +/* + * This code is adapted from the BoringSSL edwards25519 SPAKE2 implementation + * from third_party/fiat and crypto/spake25519.c, with the following + * adaptations: + * + * - The M and N points are the ones from draft-irtf-cfrg-spake2-05. The + * BoringSSL M and N points were determined similarly, but were not + * restricted to members of the generator subgroup, so they use only one hash + * iteration for both points. The intent in BoringSSL had been to multiply w + * by the cofactor so that wM and wN would be in the subgroup, but as that + * step was accidentally omitted, a hack had to be introduced after the fact + * to add multiples of the prime order to the scalar. That hack is not + * present in this code, and the SPAKE preauth spec does not multiply w by + * the cofactor as it is unnecessary if M and N are chosen from the subgroup. + * + * - The SPAKE code is modified to fit the groups.h interface and the SPAKE + * preauth spec. + * + * - The required declarations and code are all here in one file (except for + * the generator point table, which is still in a separate header), so all of + * the functions are declared static. + * + * - BORINGSSL_CURVE25519_64BIT is defined here using preprocessor conditionals + * derived from the BoringSSL headers. + * + * - The field element bounds assertion checks are disabled by default, as they + * slow the code down by roughly a factor of two. The + * OPENSSL_COMPILE_ASSERT() in fe_copy_lt() is changed to a regular assert + * and is also conditionalized. Do a build and "make check" with + * EDWARDS25519_ASSERTS defined when updating this code. + * + * - The copyright comments at the top are formatted the way we do so in other + * source files, for ease of extraction. + * + * - Declarations in for loops conflict with our compiler configuration in + * older versions of gcc, so they are moved outside of the for loop. + * + * - The preprocessor symbol OPENSSL_SMALL is changed to CONFIG_SMALL. + * + * - OPENSSL_memset and OPENSSL_memmove are changed to memset and memmove, in + * each case verifying that they are used with nonzero length arguments. + * + * - CRYPTO_memcmp is changed to k5_bcmp. + * + * - Functions used only by X25519 or Ed25519 interfaces but not SPAKE are + * removed, taking care to check for unused functions in both the 64-bit and + * 32-bit preprocessor branches. ge_p3_dbl() is unused here if CONFIG_SMALL + * is defined, so it is placed inside #ifndef CONFIG_SMALL. + */ + +// Some of this code is taken from the ref10 version of Ed25519 in SUPERCOP +// 20141124 (http://bench.cr.yp.to/supercop.html). That code is released as +// public domain but parts have been replaced with code generated by Fiat +// (https://github.com/mit-plv/fiat-crypto), which is MIT licensed. + +#include "groups.h" +#include "iana.h" + +#ifdef __GNUC__ +#pragma GCC diagnostic ignored "-Wdeclaration-after-statement" +#endif + +#if SIZEOF_SIZE_T >= 8 && defined(HAVE___INT128_T) && defined(HAVE___UINT128_T) +#define BORINGSSL_CURVE25519_64BIT +typedef __int128_t int128_t; +typedef __uint128_t uint128_t; +#endif + +#ifndef EDWARDS25519_ASSERTS +#define assert_fe(f) +#define assert_fe_loose(f) +#define assert_fe_frozen(f) +#endif + +/* From BoringSSL third-party/fiat/internal.h */ + +#if defined(BORINGSSL_CURVE25519_64BIT) +// fe means field element. Here the field is \Z/(2^255-19). An element t, +// entries t[0]...t[4], represents the integer t[0]+2^51 t[1]+2^102 t[2]+2^153 +// t[3]+2^204 t[4]. +// fe limbs are bounded by 1.125*2^51. +// Multiplication and carrying produce fe from fe_loose. +typedef struct fe { uint64_t v[5]; } fe; + +// fe_loose limbs are bounded by 3.375*2^51. +// Addition and subtraction produce fe_loose from (fe, fe). +typedef struct fe_loose { uint64_t v[5]; } fe_loose; +#else +// fe means field element. Here the field is \Z/(2^255-19). An element t, +// entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 +// t[3]+2^102 t[4]+...+2^230 t[9]. +// fe limbs are bounded by 1.125*2^26,1.125*2^25,1.125*2^26,1.125*2^25,etc. +// Multiplication and carrying produce fe from fe_loose. +typedef struct fe { uint32_t v[10]; } fe; + +// fe_loose limbs are bounded by 3.375*2^26,3.375*2^25,3.375*2^26,3.375*2^25,etc. +// Addition and subtraction produce fe_loose from (fe, fe). +typedef struct fe_loose { uint32_t v[10]; } fe_loose; +#endif + +// ge means group element. +// +// Here the group is the set of pairs (x,y) of field elements (see fe.h) +// satisfying -x^2 + y^2 = 1 + d x^2y^2 +// where d = -121665/121666. +// +// Representations: +// ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z +// ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT +// ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T +// ge_precomp (Duif): (y+x,y-x,2dxy) + +typedef struct { + fe X; + fe Y; + fe Z; +} ge_p2; + +typedef struct { + fe X; + fe Y; + fe Z; + fe T; +} ge_p3; + +typedef struct { + fe_loose X; + fe_loose Y; + fe_loose Z; + fe_loose T; +} ge_p1p1; + +typedef struct { + fe_loose yplusx; + fe_loose yminusx; + fe_loose xy2d; +} ge_precomp; + +typedef struct { + fe_loose YplusX; + fe_loose YminusX; + fe_loose Z; + fe_loose T2d; +} ge_cached; + +#include "edwards25519_tables.h" + +/* From BoringSSL third-party/fiat/curve25519.c */ + +static uint64_t load_3(const uint8_t *in) { + uint64_t result; + result = (uint64_t)in[0]; + result |= ((uint64_t)in[1]) << 8; + result |= ((uint64_t)in[2]) << 16; + return result; +} + +static uint64_t load_4(const uint8_t *in) { + uint64_t result; + result = (uint64_t)in[0]; + result |= ((uint64_t)in[1]) << 8; + result |= ((uint64_t)in[2]) << 16; + result |= ((uint64_t)in[3]) << 24; + return result; +} + +#if defined(BORINGSSL_CURVE25519_64BIT) +static uint64_t load_8(const uint8_t *in) { + uint64_t result; + result = (uint64_t)in[0]; + result |= ((uint64_t)in[1]) << 8; + result |= ((uint64_t)in[2]) << 16; + result |= ((uint64_t)in[3]) << 24; + result |= ((uint64_t)in[4]) << 32; + result |= ((uint64_t)in[5]) << 40; + result |= ((uint64_t)in[6]) << 48; + result |= ((uint64_t)in[7]) << 56; + return result; +} + +static uint8_t /*bool*/ addcarryx_u51(uint8_t /*bool*/ c, uint64_t a, + uint64_t b, uint64_t *low) { + // This function extracts 51 bits of result and 1 bit of carry (52 total), so + // a 64-bit intermediate is sufficient. + uint64_t x = a + b + c; + *low = x & ((UINT64_C(1) << 51) - 1); + return (x >> 51) & 1; +} + +static uint8_t /*bool*/ subborrow_u51(uint8_t /*bool*/ c, uint64_t a, + uint64_t b, uint64_t *low) { + // This function extracts 51 bits of result and 1 bit of borrow (52 total), so + // a 64-bit intermediate is sufficient. + uint64_t x = a - b - c; + *low = x & ((UINT64_C(1) << 51) - 1); + return x >> 63; +} + +static uint64_t cmovznz64(uint64_t t, uint64_t z, uint64_t nz) { + t = -!!t; // all set if nonzero, 0 if 0 + return (t&nz) | ((~t)&z); +} + +#else + +static uint8_t /*bool*/ addcarryx_u25(uint8_t /*bool*/ c, uint32_t a, + uint32_t b, uint32_t *low) { + // This function extracts 25 bits of result and 1 bit of carry (26 total), so + // a 32-bit intermediate is sufficient. + uint32_t x = a + b + c; + *low = x & ((1 << 25) - 1); + return (x >> 25) & 1; +} + +static uint8_t /*bool*/ addcarryx_u26(uint8_t /*bool*/ c, uint32_t a, + uint32_t b, uint32_t *low) { + // This function extracts 26 bits of result and 1 bit of carry (27 total), so + // a 32-bit intermediate is sufficient. + uint32_t x = a + b + c; + *low = x & ((1 << 26) - 1); + return (x >> 26) & 1; +} + +static uint8_t /*bool*/ subborrow_u25(uint8_t /*bool*/ c, uint32_t a, + uint32_t b, uint32_t *low) { + // This function extracts 25 bits of result and 1 bit of borrow (26 total), so + // a 32-bit intermediate is sufficient. + uint32_t x = a - b - c; + *low = x & ((1 << 25) - 1); + return x >> 31; +} + +static uint8_t /*bool*/ subborrow_u26(uint8_t /*bool*/ c, uint32_t a, + uint32_t b, uint32_t *low) { + // This function extracts 26 bits of result and 1 bit of borrow (27 total), so + // a 32-bit intermediate is sufficient. + uint32_t x = a - b - c; + *low = x & ((1 << 26) - 1); + return x >> 31; +} + +static uint32_t cmovznz32(uint32_t t, uint32_t z, uint32_t nz) { + t = -!!t; // all set if nonzero, 0 if 0 + return (t&nz) | ((~t)&z); +} + +#endif + + +// Field operations. + +#if defined(BORINGSSL_CURVE25519_64BIT) + +#ifdef EDWARDS25519_ASSERTS +#define assert_fe(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 5; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < 1.125*(UINT64_C(1)<<51)); \ + } \ +} while (0) + +#define assert_fe_loose(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 5; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < 3.375*(UINT64_C(1)<<51)); \ + } \ +} while (0) + +#define assert_fe_frozen(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 5; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < (UINT64_C(1)<<51)); \ + } \ +} while (0) +#endif /* EDWARDS25519_ASSERTS */ + +static void fe_frombytes_impl(uint64_t h[5], const uint8_t *s) { + // Ignores top bit of s. + uint64_t a0 = load_8(s); + uint64_t a1 = load_8(s+8); + uint64_t a2 = load_8(s+16); + uint64_t a3 = load_8(s+24); + // Use 51 bits, 64-51 = 13 left. + h[0] = a0 & ((UINT64_C(1) << 51) - 1); + // (64-51) + 38 = 13 + 38 = 51 + h[1] = (a0 >> 51) | ((a1 & ((UINT64_C(1) << 38) - 1)) << 13); + // (64-38) + 25 = 26 + 25 = 51 + h[2] = (a1 >> 38) | ((a2 & ((UINT64_C(1) << 25) - 1)) << 26); + // (64-25) + 12 = 39 + 12 = 51 + h[3] = (a2 >> 25) | ((a3 & ((UINT64_C(1) << 12) - 1)) << 39); + // (64-12) = 52, ignore top bit + h[4] = (a3 >> 12) & ((UINT64_C(1) << 51) - 1); + assert_fe(h); +} + +static void fe_frombytes(fe *h, const uint8_t *s) { + fe_frombytes_impl(h->v, s); +} + +static void fe_freeze(uint64_t out[5], const uint64_t in1[5]) { + { const uint64_t x7 = in1[4]; + { const uint64_t x8 = in1[3]; + { const uint64_t x6 = in1[2]; + { const uint64_t x4 = in1[1]; + { const uint64_t x2 = in1[0]; + { uint64_t x10; uint8_t/*bool*/ x11 = subborrow_u51(0x0, x2, 0x7ffffffffffed, &x10); + { uint64_t x13; uint8_t/*bool*/ x14 = subborrow_u51(x11, x4, 0x7ffffffffffff, &x13); + { uint64_t x16; uint8_t/*bool*/ x17 = subborrow_u51(x14, x6, 0x7ffffffffffff, &x16); + { uint64_t x19; uint8_t/*bool*/ x20 = subborrow_u51(x17, x8, 0x7ffffffffffff, &x19); + { uint64_t x22; uint8_t/*bool*/ x23 = subborrow_u51(x20, x7, 0x7ffffffffffff, &x22); + { uint64_t x24 = cmovznz64(x23, 0x0, 0xffffffffffffffffL); + { uint64_t x25 = (x24 & 0x7ffffffffffed); + { uint64_t x27; uint8_t/*bool*/ x28 = addcarryx_u51(0x0, x10, x25, &x27); + { uint64_t x29 = (x24 & 0x7ffffffffffff); + { uint64_t x31; uint8_t/*bool*/ x32 = addcarryx_u51(x28, x13, x29, &x31); + { uint64_t x33 = (x24 & 0x7ffffffffffff); + { uint64_t x35; uint8_t/*bool*/ x36 = addcarryx_u51(x32, x16, x33, &x35); + { uint64_t x37 = (x24 & 0x7ffffffffffff); + { uint64_t x39; uint8_t/*bool*/ x40 = addcarryx_u51(x36, x19, x37, &x39); + { uint64_t x41 = (x24 & 0x7ffffffffffff); + { uint64_t x43; addcarryx_u51(x40, x22, x41, &x43); + out[0] = x27; + out[1] = x31; + out[2] = x35; + out[3] = x39; + out[4] = x43; + }}}}}}}}}}}}}}}}}}}}} +} + +static void fe_tobytes(uint8_t s[32], const fe *f) { + assert_fe(f->v); + uint64_t h[5]; + fe_freeze(h, f->v); + assert_fe_frozen(h); + + s[0] = h[0] >> 0; + s[1] = h[0] >> 8; + s[2] = h[0] >> 16; + s[3] = h[0] >> 24; + s[4] = h[0] >> 32; + s[5] = h[0] >> 40; + s[6] = (h[0] >> 48) | (h[1] << 3); + s[7] = h[1] >> 5; + s[8] = h[1] >> 13; + s[9] = h[1] >> 21; + s[10] = h[1] >> 29; + s[11] = h[1] >> 37; + s[12] = (h[1] >> 45) | (h[2] << 6); + s[13] = h[2] >> 2; + s[14] = h[2] >> 10; + s[15] = h[2] >> 18; + s[16] = h[2] >> 26; + s[17] = h[2] >> 34; + s[18] = h[2] >> 42; + s[19] = (h[2] >> 50) | (h[3] << 1); + s[20] = h[3] >> 7; + s[21] = h[3] >> 15; + s[22] = h[3] >> 23; + s[23] = h[3] >> 31; + s[24] = h[3] >> 39; + s[25] = (h[3] >> 47) | (h[4] << 4); + s[26] = h[4] >> 4; + s[27] = h[4] >> 12; + s[28] = h[4] >> 20; + s[29] = h[4] >> 28; + s[30] = h[4] >> 36; + s[31] = h[4] >> 44; +} + +// h = 0 +static void fe_0(fe *h) { + memset(h, 0, sizeof(fe)); +} + +static void fe_loose_0(fe_loose *h) { + memset(h, 0, sizeof(fe_loose)); +} + +// h = 1 +static void fe_1(fe *h) { + memset(h, 0, sizeof(fe)); + h->v[0] = 1; +} + +static void fe_loose_1(fe_loose *h) { + memset(h, 0, sizeof(fe_loose)); + h->v[0] = 1; +} + +static void fe_add_impl(uint64_t out[5], const uint64_t in1[5], const uint64_t in2[5]) { + { const uint64_t x10 = in1[4]; + { const uint64_t x11 = in1[3]; + { const uint64_t x9 = in1[2]; + { const uint64_t x7 = in1[1]; + { const uint64_t x5 = in1[0]; + { const uint64_t x18 = in2[4]; + { const uint64_t x19 = in2[3]; + { const uint64_t x17 = in2[2]; + { const uint64_t x15 = in2[1]; + { const uint64_t x13 = in2[0]; + out[0] = (x5 + x13); + out[1] = (x7 + x15); + out[2] = (x9 + x17); + out[3] = (x11 + x19); + out[4] = (x10 + x18); + }}}}}}}}}} +} + +// h = f + g +// Can overlap h with f or g. +static void fe_add(fe_loose *h, const fe *f, const fe *g) { + assert_fe(f->v); + assert_fe(g->v); + fe_add_impl(h->v, f->v, g->v); + assert_fe_loose(h->v); +} + +static void fe_sub_impl(uint64_t out[5], const uint64_t in1[5], const uint64_t in2[5]) { + { const uint64_t x10 = in1[4]; + { const uint64_t x11 = in1[3]; + { const uint64_t x9 = in1[2]; + { const uint64_t x7 = in1[1]; + { const uint64_t x5 = in1[0]; + { const uint64_t x18 = in2[4]; + { const uint64_t x19 = in2[3]; + { const uint64_t x17 = in2[2]; + { const uint64_t x15 = in2[1]; + { const uint64_t x13 = in2[0]; + out[0] = ((0xfffffffffffda + x5) - x13); + out[1] = ((0xffffffffffffe + x7) - x15); + out[2] = ((0xffffffffffffe + x9) - x17); + out[3] = ((0xffffffffffffe + x11) - x19); + out[4] = ((0xffffffffffffe + x10) - x18); + }}}}}}}}}} +} + +// h = f - g +// Can overlap h with f or g. +static void fe_sub(fe_loose *h, const fe *f, const fe *g) { + assert_fe(f->v); + assert_fe(g->v); + fe_sub_impl(h->v, f->v, g->v); + assert_fe_loose(h->v); +} + +static void fe_carry_impl(uint64_t out[5], const uint64_t in1[5]) { + { const uint64_t x7 = in1[4]; + { const uint64_t x8 = in1[3]; + { const uint64_t x6 = in1[2]; + { const uint64_t x4 = in1[1]; + { const uint64_t x2 = in1[0]; + { uint64_t x9 = (x2 >> 0x33); + { uint64_t x10 = (x2 & 0x7ffffffffffff); + { uint64_t x11 = (x9 + x4); + { uint64_t x12 = (x11 >> 0x33); + { uint64_t x13 = (x11 & 0x7ffffffffffff); + { uint64_t x14 = (x12 + x6); + { uint64_t x15 = (x14 >> 0x33); + { uint64_t x16 = (x14 & 0x7ffffffffffff); + { uint64_t x17 = (x15 + x8); + { uint64_t x18 = (x17 >> 0x33); + { uint64_t x19 = (x17 & 0x7ffffffffffff); + { uint64_t x20 = (x18 + x7); + { uint64_t x21 = (x20 >> 0x33); + { uint64_t x22 = (x20 & 0x7ffffffffffff); + { uint64_t x23 = (x10 + (0x13 * x21)); + { uint64_t x24 = (x23 >> 0x33); + { uint64_t x25 = (x23 & 0x7ffffffffffff); + { uint64_t x26 = (x24 + x13); + { uint64_t x27 = (x26 >> 0x33); + { uint64_t x28 = (x26 & 0x7ffffffffffff); + out[0] = x25; + out[1] = x28; + out[2] = (x27 + x16); + out[3] = x19; + out[4] = x22; + }}}}}}}}}}}}}}}}}}}}}}}}} +} + +static void fe_carry(fe *h, const fe_loose* f) { + assert_fe_loose(f->v); + fe_carry_impl(h->v, f->v); + assert_fe(h->v); +} + +static void fe_mul_impl(uint64_t out[5], const uint64_t in1[5], const uint64_t in2[5]) { + assert_fe_loose(in1); + assert_fe_loose(in2); + { const uint64_t x10 = in1[4]; + { const uint64_t x11 = in1[3]; + { const uint64_t x9 = in1[2]; + { const uint64_t x7 = in1[1]; + { const uint64_t x5 = in1[0]; + { const uint64_t x18 = in2[4]; + { const uint64_t x19 = in2[3]; + { const uint64_t x17 = in2[2]; + { const uint64_t x15 = in2[1]; + { const uint64_t x13 = in2[0]; + { uint128_t x20 = ((uint128_t)x5 * x13); + { uint128_t x21 = (((uint128_t)x5 * x15) + ((uint128_t)x7 * x13)); + { uint128_t x22 = ((((uint128_t)x5 * x17) + ((uint128_t)x9 * x13)) + ((uint128_t)x7 * x15)); + { uint128_t x23 = (((((uint128_t)x5 * x19) + ((uint128_t)x11 * x13)) + ((uint128_t)x7 * x17)) + ((uint128_t)x9 * x15)); + { uint128_t x24 = ((((((uint128_t)x5 * x18) + ((uint128_t)x10 * x13)) + ((uint128_t)x11 * x15)) + ((uint128_t)x7 * x19)) + ((uint128_t)x9 * x17)); + { uint64_t x25 = (x10 * 0x13); + { uint64_t x26 = (x7 * 0x13); + { uint64_t x27 = (x9 * 0x13); + { uint64_t x28 = (x11 * 0x13); + { uint128_t x29 = ((((x20 + ((uint128_t)x25 * x15)) + ((uint128_t)x26 * x18)) + ((uint128_t)x27 * x19)) + ((uint128_t)x28 * x17)); + { uint128_t x30 = (((x21 + ((uint128_t)x25 * x17)) + ((uint128_t)x27 * x18)) + ((uint128_t)x28 * x19)); + { uint128_t x31 = ((x22 + ((uint128_t)x25 * x19)) + ((uint128_t)x28 * x18)); + { uint128_t x32 = (x23 + ((uint128_t)x25 * x18)); + { uint64_t x33 = (uint64_t) (x29 >> 0x33); + { uint64_t x34 = ((uint64_t)x29 & 0x7ffffffffffff); + { uint128_t x35 = (x33 + x30); + { uint64_t x36 = (uint64_t) (x35 >> 0x33); + { uint64_t x37 = ((uint64_t)x35 & 0x7ffffffffffff); + { uint128_t x38 = (x36 + x31); + { uint64_t x39 = (uint64_t) (x38 >> 0x33); + { uint64_t x40 = ((uint64_t)x38 & 0x7ffffffffffff); + { uint128_t x41 = (x39 + x32); + { uint64_t x42 = (uint64_t) (x41 >> 0x33); + { uint64_t x43 = ((uint64_t)x41 & 0x7ffffffffffff); + { uint128_t x44 = (x42 + x24); + { uint64_t x45 = (uint64_t) (x44 >> 0x33); + { uint64_t x46 = ((uint64_t)x44 & 0x7ffffffffffff); + { uint64_t x47 = (x34 + (0x13 * x45)); + { uint64_t x48 = (x47 >> 0x33); + { uint64_t x49 = (x47 & 0x7ffffffffffff); + { uint64_t x50 = (x48 + x37); + { uint64_t x51 = (x50 >> 0x33); + { uint64_t x52 = (x50 & 0x7ffffffffffff); + out[0] = x49; + out[1] = x52; + out[2] = (x51 + x40); + out[3] = x43; + out[4] = x46; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + assert_fe(out); +} + +static void fe_mul_ltt(fe_loose *h, const fe *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_llt(fe_loose *h, const fe_loose *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_ttt(fe *h, const fe *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_tlt(fe *h, const fe_loose *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_ttl(fe *h, const fe *f, const fe_loose *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_tll(fe *h, const fe_loose *f, const fe_loose *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_sqr_impl(uint64_t out[5], const uint64_t in1[5]) { + assert_fe_loose(in1); + { const uint64_t x7 = in1[4]; + { const uint64_t x8 = in1[3]; + { const uint64_t x6 = in1[2]; + { const uint64_t x4 = in1[1]; + { const uint64_t x2 = in1[0]; + { uint64_t x9 = (x2 * 0x2); + { uint64_t x10 = (x4 * 0x2); + { uint64_t x11 = ((x6 * 0x2) * 0x13); + { uint64_t x12 = (x7 * 0x13); + { uint64_t x13 = (x12 * 0x2); + { uint128_t x14 = ((((uint128_t)x2 * x2) + ((uint128_t)x13 * x4)) + ((uint128_t)x11 * x8)); + { uint128_t x15 = ((((uint128_t)x9 * x4) + ((uint128_t)x13 * x6)) + ((uint128_t)x8 * (x8 * 0x13))); + { uint128_t x16 = ((((uint128_t)x9 * x6) + ((uint128_t)x4 * x4)) + ((uint128_t)x13 * x8)); + { uint128_t x17 = ((((uint128_t)x9 * x8) + ((uint128_t)x10 * x6)) + ((uint128_t)x7 * x12)); + { uint128_t x18 = ((((uint128_t)x9 * x7) + ((uint128_t)x10 * x8)) + ((uint128_t)x6 * x6)); + { uint64_t x19 = (uint64_t) (x14 >> 0x33); + { uint64_t x20 = ((uint64_t)x14 & 0x7ffffffffffff); + { uint128_t x21 = (x19 + x15); + { uint64_t x22 = (uint64_t) (x21 >> 0x33); + { uint64_t x23 = ((uint64_t)x21 & 0x7ffffffffffff); + { uint128_t x24 = (x22 + x16); + { uint64_t x25 = (uint64_t) (x24 >> 0x33); + { uint64_t x26 = ((uint64_t)x24 & 0x7ffffffffffff); + { uint128_t x27 = (x25 + x17); + { uint64_t x28 = (uint64_t) (x27 >> 0x33); + { uint64_t x29 = ((uint64_t)x27 & 0x7ffffffffffff); + { uint128_t x30 = (x28 + x18); + { uint64_t x31 = (uint64_t) (x30 >> 0x33); + { uint64_t x32 = ((uint64_t)x30 & 0x7ffffffffffff); + { uint64_t x33 = (x20 + (0x13 * x31)); + { uint64_t x34 = (x33 >> 0x33); + { uint64_t x35 = (x33 & 0x7ffffffffffff); + { uint64_t x36 = (x34 + x23); + { uint64_t x37 = (x36 >> 0x33); + { uint64_t x38 = (x36 & 0x7ffffffffffff); + out[0] = x35; + out[1] = x38; + out[2] = (x37 + x26); + out[3] = x29; + out[4] = x32; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + assert_fe(out); +} + +static void fe_sq_tl(fe *h, const fe_loose *f) { + fe_sqr_impl(h->v, f->v); +} + +static void fe_sq_tt(fe *h, const fe *f) { + fe_sqr_impl(h->v, f->v); +} + +// Adapted from Fiat-synthesized |fe_sub_impl| with |out| = 0. +static void fe_neg_impl(uint64_t out[5], const uint64_t in2[5]) { + { const uint64_t x10 = 0; + { const uint64_t x11 = 0; + { const uint64_t x9 = 0; + { const uint64_t x7 = 0; + { const uint64_t x5 = 0; + { const uint64_t x18 = in2[4]; + { const uint64_t x19 = in2[3]; + { const uint64_t x17 = in2[2]; + { const uint64_t x15 = in2[1]; + { const uint64_t x13 = in2[0]; + out[0] = ((0xfffffffffffda + x5) - x13); + out[1] = ((0xffffffffffffe + x7) - x15); + out[2] = ((0xffffffffffffe + x9) - x17); + out[3] = ((0xffffffffffffe + x11) - x19); + out[4] = ((0xffffffffffffe + x10) - x18); + }}}}}}}}}} +} + +// h = -f +static void fe_neg(fe_loose *h, const fe *f) { + assert_fe(f->v); + fe_neg_impl(h->v, f->v); + assert_fe_loose(h->v); +} + +// Replace (f,g) with (g,g) if b == 1; +// replace (f,g) with (f,g) if b == 0. +// +// Preconditions: b in {0,1}. +static void fe_cmov(fe_loose *f, const fe_loose *g, uint64_t b) { + unsigned i; + b = 0-b; + for (i = 0; i < 5; i++) { + uint64_t x = f->v[i] ^ g->v[i]; + x &= b; + f->v[i] ^= x; + } +} + +#else + +#ifdef EDWARDS25519_ASSERTS +#define assert_fe(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 10; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < 1.125*(1<<(26-(_assert_fe_i&1)))); \ + } \ +} while (0) + +#define assert_fe_loose(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 10; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < 3.375*(1<<(26-(_assert_fe_i&1)))); \ + } \ +} while (0) + +#define assert_fe_frozen(f) do { \ + unsigned _assert_fe_i; \ + for (_assert_fe_i = 0; _assert_fe_i< 10; _assert_fe_i++) { \ + assert(f[_assert_fe_i] < (1u<<(26-(_assert_fe_i&1)))); \ + } \ +} while (0) +#endif /* EDWARDS25519_ASSERTS */ + +static void fe_frombytes_impl(uint32_t h[10], const uint8_t *s) { + // Ignores top bit of s. + uint32_t a0 = load_4(s); + uint32_t a1 = load_4(s+4); + uint32_t a2 = load_4(s+8); + uint32_t a3 = load_4(s+12); + uint32_t a4 = load_4(s+16); + uint32_t a5 = load_4(s+20); + uint32_t a6 = load_4(s+24); + uint32_t a7 = load_4(s+28); + h[0] = a0&((1<<26)-1); // 26 used, 32-26 left. 26 + h[1] = (a0>>26) | ((a1&((1<<19)-1))<< 6); // (32-26) + 19 = 6+19 = 25 + h[2] = (a1>>19) | ((a2&((1<<13)-1))<<13); // (32-19) + 13 = 13+13 = 26 + h[3] = (a2>>13) | ((a3&((1<< 6)-1))<<19); // (32-13) + 6 = 19+ 6 = 25 + h[4] = (a3>> 6); // (32- 6) = 26 + h[5] = a4&((1<<25)-1); // 25 + h[6] = (a4>>25) | ((a5&((1<<19)-1))<< 7); // (32-25) + 19 = 7+19 = 26 + h[7] = (a5>>19) | ((a6&((1<<12)-1))<<13); // (32-19) + 12 = 13+12 = 25 + h[8] = (a6>>12) | ((a7&((1<< 6)-1))<<20); // (32-12) + 6 = 20+ 6 = 26 + h[9] = (a7>> 6)&((1<<25)-1); // 25 + assert_fe(h); +} + +static void fe_frombytes(fe *h, const uint8_t *s) { + fe_frombytes_impl(h->v, s); +} + +static void fe_freeze(uint32_t out[10], const uint32_t in1[10]) { + { const uint32_t x17 = in1[9]; + { const uint32_t x18 = in1[8]; + { const uint32_t x16 = in1[7]; + { const uint32_t x14 = in1[6]; + { const uint32_t x12 = in1[5]; + { const uint32_t x10 = in1[4]; + { const uint32_t x8 = in1[3]; + { const uint32_t x6 = in1[2]; + { const uint32_t x4 = in1[1]; + { const uint32_t x2 = in1[0]; + { uint32_t x20; uint8_t/*bool*/ x21 = subborrow_u26(0x0, x2, 0x3ffffed, &x20); + { uint32_t x23; uint8_t/*bool*/ x24 = subborrow_u25(x21, x4, 0x1ffffff, &x23); + { uint32_t x26; uint8_t/*bool*/ x27 = subborrow_u26(x24, x6, 0x3ffffff, &x26); + { uint32_t x29; uint8_t/*bool*/ x30 = subborrow_u25(x27, x8, 0x1ffffff, &x29); + { uint32_t x32; uint8_t/*bool*/ x33 = subborrow_u26(x30, x10, 0x3ffffff, &x32); + { uint32_t x35; uint8_t/*bool*/ x36 = subborrow_u25(x33, x12, 0x1ffffff, &x35); + { uint32_t x38; uint8_t/*bool*/ x39 = subborrow_u26(x36, x14, 0x3ffffff, &x38); + { uint32_t x41; uint8_t/*bool*/ x42 = subborrow_u25(x39, x16, 0x1ffffff, &x41); + { uint32_t x44; uint8_t/*bool*/ x45 = subborrow_u26(x42, x18, 0x3ffffff, &x44); + { uint32_t x47; uint8_t/*bool*/ x48 = subborrow_u25(x45, x17, 0x1ffffff, &x47); + { uint32_t x49 = cmovznz32(x48, 0x0, 0xffffffff); + { uint32_t x50 = (x49 & 0x3ffffed); + { uint32_t x52; uint8_t/*bool*/ x53 = addcarryx_u26(0x0, x20, x50, &x52); + { uint32_t x54 = (x49 & 0x1ffffff); + { uint32_t x56; uint8_t/*bool*/ x57 = addcarryx_u25(x53, x23, x54, &x56); + { uint32_t x58 = (x49 & 0x3ffffff); + { uint32_t x60; uint8_t/*bool*/ x61 = addcarryx_u26(x57, x26, x58, &x60); + { uint32_t x62 = (x49 & 0x1ffffff); + { uint32_t x64; uint8_t/*bool*/ x65 = addcarryx_u25(x61, x29, x62, &x64); + { uint32_t x66 = (x49 & 0x3ffffff); + { uint32_t x68; uint8_t/*bool*/ x69 = addcarryx_u26(x65, x32, x66, &x68); + { uint32_t x70 = (x49 & 0x1ffffff); + { uint32_t x72; uint8_t/*bool*/ x73 = addcarryx_u25(x69, x35, x70, &x72); + { uint32_t x74 = (x49 & 0x3ffffff); + { uint32_t x76; uint8_t/*bool*/ x77 = addcarryx_u26(x73, x38, x74, &x76); + { uint32_t x78 = (x49 & 0x1ffffff); + { uint32_t x80; uint8_t/*bool*/ x81 = addcarryx_u25(x77, x41, x78, &x80); + { uint32_t x82 = (x49 & 0x3ffffff); + { uint32_t x84; uint8_t/*bool*/ x85 = addcarryx_u26(x81, x44, x82, &x84); + { uint32_t x86 = (x49 & 0x1ffffff); + { uint32_t x88; addcarryx_u25(x85, x47, x86, &x88); + out[0] = x52; + out[1] = x56; + out[2] = x60; + out[3] = x64; + out[4] = x68; + out[5] = x72; + out[6] = x76; + out[7] = x80; + out[8] = x84; + out[9] = x88; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} +} + +static void fe_tobytes(uint8_t s[32], const fe *f) { + assert_fe(f->v); + uint32_t h[10]; + fe_freeze(h, f->v); + assert_fe_frozen(h); + + s[0] = h[0] >> 0; + s[1] = h[0] >> 8; + s[2] = h[0] >> 16; + s[3] = (h[0] >> 24) | (h[1] << 2); + s[4] = h[1] >> 6; + s[5] = h[1] >> 14; + s[6] = (h[1] >> 22) | (h[2] << 3); + s[7] = h[2] >> 5; + s[8] = h[2] >> 13; + s[9] = (h[2] >> 21) | (h[3] << 5); + s[10] = h[3] >> 3; + s[11] = h[3] >> 11; + s[12] = (h[3] >> 19) | (h[4] << 6); + s[13] = h[4] >> 2; + s[14] = h[4] >> 10; + s[15] = h[4] >> 18; + s[16] = h[5] >> 0; + s[17] = h[5] >> 8; + s[18] = h[5] >> 16; + s[19] = (h[5] >> 24) | (h[6] << 1); + s[20] = h[6] >> 7; + s[21] = h[6] >> 15; + s[22] = (h[6] >> 23) | (h[7] << 3); + s[23] = h[7] >> 5; + s[24] = h[7] >> 13; + s[25] = (h[7] >> 21) | (h[8] << 4); + s[26] = h[8] >> 4; + s[27] = h[8] >> 12; + s[28] = (h[8] >> 20) | (h[9] << 6); + s[29] = h[9] >> 2; + s[30] = h[9] >> 10; + s[31] = h[9] >> 18; +} + +// h = 0 +static void fe_0(fe *h) { + memset(h, 0, sizeof(fe)); +} + +static void fe_loose_0(fe_loose *h) { + memset(h, 0, sizeof(fe_loose)); +} + +// h = 1 +static void fe_1(fe *h) { + memset(h, 0, sizeof(fe)); + h->v[0] = 1; +} + +static void fe_loose_1(fe_loose *h) { + memset(h, 0, sizeof(fe_loose)); + h->v[0] = 1; +} + +static void fe_add_impl(uint32_t out[10], const uint32_t in1[10], const uint32_t in2[10]) { + { const uint32_t x20 = in1[9]; + { const uint32_t x21 = in1[8]; + { const uint32_t x19 = in1[7]; + { const uint32_t x17 = in1[6]; + { const uint32_t x15 = in1[5]; + { const uint32_t x13 = in1[4]; + { const uint32_t x11 = in1[3]; + { const uint32_t x9 = in1[2]; + { const uint32_t x7 = in1[1]; + { const uint32_t x5 = in1[0]; + { const uint32_t x38 = in2[9]; + { const uint32_t x39 = in2[8]; + { const uint32_t x37 = in2[7]; + { const uint32_t x35 = in2[6]; + { const uint32_t x33 = in2[5]; + { const uint32_t x31 = in2[4]; + { const uint32_t x29 = in2[3]; + { const uint32_t x27 = in2[2]; + { const uint32_t x25 = in2[1]; + { const uint32_t x23 = in2[0]; + out[0] = (x5 + x23); + out[1] = (x7 + x25); + out[2] = (x9 + x27); + out[3] = (x11 + x29); + out[4] = (x13 + x31); + out[5] = (x15 + x33); + out[6] = (x17 + x35); + out[7] = (x19 + x37); + out[8] = (x21 + x39); + out[9] = (x20 + x38); + }}}}}}}}}}}}}}}}}}}} +} + +// h = f + g +// Can overlap h with f or g. +static void fe_add(fe_loose *h, const fe *f, const fe *g) { + assert_fe(f->v); + assert_fe(g->v); + fe_add_impl(h->v, f->v, g->v); + assert_fe_loose(h->v); +} + +static void fe_sub_impl(uint32_t out[10], const uint32_t in1[10], const uint32_t in2[10]) { + { const uint32_t x20 = in1[9]; + { const uint32_t x21 = in1[8]; + { const uint32_t x19 = in1[7]; + { const uint32_t x17 = in1[6]; + { const uint32_t x15 = in1[5]; + { const uint32_t x13 = in1[4]; + { const uint32_t x11 = in1[3]; + { const uint32_t x9 = in1[2]; + { const uint32_t x7 = in1[1]; + { const uint32_t x5 = in1[0]; + { const uint32_t x38 = in2[9]; + { const uint32_t x39 = in2[8]; + { const uint32_t x37 = in2[7]; + { const uint32_t x35 = in2[6]; + { const uint32_t x33 = in2[5]; + { const uint32_t x31 = in2[4]; + { const uint32_t x29 = in2[3]; + { const uint32_t x27 = in2[2]; + { const uint32_t x25 = in2[1]; + { const uint32_t x23 = in2[0]; + out[0] = ((0x7ffffda + x5) - x23); + out[1] = ((0x3fffffe + x7) - x25); + out[2] = ((0x7fffffe + x9) - x27); + out[3] = ((0x3fffffe + x11) - x29); + out[4] = ((0x7fffffe + x13) - x31); + out[5] = ((0x3fffffe + x15) - x33); + out[6] = ((0x7fffffe + x17) - x35); + out[7] = ((0x3fffffe + x19) - x37); + out[8] = ((0x7fffffe + x21) - x39); + out[9] = ((0x3fffffe + x20) - x38); + }}}}}}}}}}}}}}}}}}}} +} + +// h = f - g +// Can overlap h with f or g. +static void fe_sub(fe_loose *h, const fe *f, const fe *g) { + assert_fe(f->v); + assert_fe(g->v); + fe_sub_impl(h->v, f->v, g->v); + assert_fe_loose(h->v); +} + +static void fe_carry_impl(uint32_t out[10], const uint32_t in1[10]) { + { const uint32_t x17 = in1[9]; + { const uint32_t x18 = in1[8]; + { const uint32_t x16 = in1[7]; + { const uint32_t x14 = in1[6]; + { const uint32_t x12 = in1[5]; + { const uint32_t x10 = in1[4]; + { const uint32_t x8 = in1[3]; + { const uint32_t x6 = in1[2]; + { const uint32_t x4 = in1[1]; + { const uint32_t x2 = in1[0]; + { uint32_t x19 = (x2 >> 0x1a); + { uint32_t x20 = (x2 & 0x3ffffff); + { uint32_t x21 = (x19 + x4); + { uint32_t x22 = (x21 >> 0x19); + { uint32_t x23 = (x21 & 0x1ffffff); + { uint32_t x24 = (x22 + x6); + { uint32_t x25 = (x24 >> 0x1a); + { uint32_t x26 = (x24 & 0x3ffffff); + { uint32_t x27 = (x25 + x8); + { uint32_t x28 = (x27 >> 0x19); + { uint32_t x29 = (x27 & 0x1ffffff); + { uint32_t x30 = (x28 + x10); + { uint32_t x31 = (x30 >> 0x1a); + { uint32_t x32 = (x30 & 0x3ffffff); + { uint32_t x33 = (x31 + x12); + { uint32_t x34 = (x33 >> 0x19); + { uint32_t x35 = (x33 & 0x1ffffff); + { uint32_t x36 = (x34 + x14); + { uint32_t x37 = (x36 >> 0x1a); + { uint32_t x38 = (x36 & 0x3ffffff); + { uint32_t x39 = (x37 + x16); + { uint32_t x40 = (x39 >> 0x19); + { uint32_t x41 = (x39 & 0x1ffffff); + { uint32_t x42 = (x40 + x18); + { uint32_t x43 = (x42 >> 0x1a); + { uint32_t x44 = (x42 & 0x3ffffff); + { uint32_t x45 = (x43 + x17); + { uint32_t x46 = (x45 >> 0x19); + { uint32_t x47 = (x45 & 0x1ffffff); + { uint32_t x48 = (x20 + (0x13 * x46)); + { uint32_t x49 = (x48 >> 0x1a); + { uint32_t x50 = (x48 & 0x3ffffff); + { uint32_t x51 = (x49 + x23); + { uint32_t x52 = (x51 >> 0x19); + { uint32_t x53 = (x51 & 0x1ffffff); + out[0] = x50; + out[1] = x53; + out[2] = (x52 + x26); + out[3] = x29; + out[4] = x32; + out[5] = x35; + out[6] = x38; + out[7] = x41; + out[8] = x44; + out[9] = x47; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} +} + +static void fe_carry(fe *h, const fe_loose* f) { + assert_fe_loose(f->v); + fe_carry_impl(h->v, f->v); + assert_fe(h->v); +} + +static void fe_mul_impl(uint32_t out[10], const uint32_t in1[10], const uint32_t in2[10]) { + assert_fe_loose(in1); + assert_fe_loose(in2); + { const uint32_t x20 = in1[9]; + { const uint32_t x21 = in1[8]; + { const uint32_t x19 = in1[7]; + { const uint32_t x17 = in1[6]; + { const uint32_t x15 = in1[5]; + { const uint32_t x13 = in1[4]; + { const uint32_t x11 = in1[3]; + { const uint32_t x9 = in1[2]; + { const uint32_t x7 = in1[1]; + { const uint32_t x5 = in1[0]; + { const uint32_t x38 = in2[9]; + { const uint32_t x39 = in2[8]; + { const uint32_t x37 = in2[7]; + { const uint32_t x35 = in2[6]; + { const uint32_t x33 = in2[5]; + { const uint32_t x31 = in2[4]; + { const uint32_t x29 = in2[3]; + { const uint32_t x27 = in2[2]; + { const uint32_t x25 = in2[1]; + { const uint32_t x23 = in2[0]; + { uint64_t x40 = ((uint64_t)x23 * x5); + { uint64_t x41 = (((uint64_t)x23 * x7) + ((uint64_t)x25 * x5)); + { uint64_t x42 = ((((uint64_t)(0x2 * x25) * x7) + ((uint64_t)x23 * x9)) + ((uint64_t)x27 * x5)); + { uint64_t x43 = (((((uint64_t)x25 * x9) + ((uint64_t)x27 * x7)) + ((uint64_t)x23 * x11)) + ((uint64_t)x29 * x5)); + { uint64_t x44 = (((((uint64_t)x27 * x9) + (0x2 * (((uint64_t)x25 * x11) + ((uint64_t)x29 * x7)))) + ((uint64_t)x23 * x13)) + ((uint64_t)x31 * x5)); + { uint64_t x45 = (((((((uint64_t)x27 * x11) + ((uint64_t)x29 * x9)) + ((uint64_t)x25 * x13)) + ((uint64_t)x31 * x7)) + ((uint64_t)x23 * x15)) + ((uint64_t)x33 * x5)); + { uint64_t x46 = (((((0x2 * ((((uint64_t)x29 * x11) + ((uint64_t)x25 * x15)) + ((uint64_t)x33 * x7))) + ((uint64_t)x27 * x13)) + ((uint64_t)x31 * x9)) + ((uint64_t)x23 * x17)) + ((uint64_t)x35 * x5)); + { uint64_t x47 = (((((((((uint64_t)x29 * x13) + ((uint64_t)x31 * x11)) + ((uint64_t)x27 * x15)) + ((uint64_t)x33 * x9)) + ((uint64_t)x25 * x17)) + ((uint64_t)x35 * x7)) + ((uint64_t)x23 * x19)) + ((uint64_t)x37 * x5)); + { uint64_t x48 = (((((((uint64_t)x31 * x13) + (0x2 * (((((uint64_t)x29 * x15) + ((uint64_t)x33 * x11)) + ((uint64_t)x25 * x19)) + ((uint64_t)x37 * x7)))) + ((uint64_t)x27 * x17)) + ((uint64_t)x35 * x9)) + ((uint64_t)x23 * x21)) + ((uint64_t)x39 * x5)); + { uint64_t x49 = (((((((((((uint64_t)x31 * x15) + ((uint64_t)x33 * x13)) + ((uint64_t)x29 * x17)) + ((uint64_t)x35 * x11)) + ((uint64_t)x27 * x19)) + ((uint64_t)x37 * x9)) + ((uint64_t)x25 * x21)) + ((uint64_t)x39 * x7)) + ((uint64_t)x23 * x20)) + ((uint64_t)x38 * x5)); + { uint64_t x50 = (((((0x2 * ((((((uint64_t)x33 * x15) + ((uint64_t)x29 * x19)) + ((uint64_t)x37 * x11)) + ((uint64_t)x25 * x20)) + ((uint64_t)x38 * x7))) + ((uint64_t)x31 * x17)) + ((uint64_t)x35 * x13)) + ((uint64_t)x27 * x21)) + ((uint64_t)x39 * x9)); + { uint64_t x51 = (((((((((uint64_t)x33 * x17) + ((uint64_t)x35 * x15)) + ((uint64_t)x31 * x19)) + ((uint64_t)x37 * x13)) + ((uint64_t)x29 * x21)) + ((uint64_t)x39 * x11)) + ((uint64_t)x27 * x20)) + ((uint64_t)x38 * x9)); + { uint64_t x52 = (((((uint64_t)x35 * x17) + (0x2 * (((((uint64_t)x33 * x19) + ((uint64_t)x37 * x15)) + ((uint64_t)x29 * x20)) + ((uint64_t)x38 * x11)))) + ((uint64_t)x31 * x21)) + ((uint64_t)x39 * x13)); + { uint64_t x53 = (((((((uint64_t)x35 * x19) + ((uint64_t)x37 * x17)) + ((uint64_t)x33 * x21)) + ((uint64_t)x39 * x15)) + ((uint64_t)x31 * x20)) + ((uint64_t)x38 * x13)); + { uint64_t x54 = (((0x2 * ((((uint64_t)x37 * x19) + ((uint64_t)x33 * x20)) + ((uint64_t)x38 * x15))) + ((uint64_t)x35 * x21)) + ((uint64_t)x39 * x17)); + { uint64_t x55 = (((((uint64_t)x37 * x21) + ((uint64_t)x39 * x19)) + ((uint64_t)x35 * x20)) + ((uint64_t)x38 * x17)); + { uint64_t x56 = (((uint64_t)x39 * x21) + (0x2 * (((uint64_t)x37 * x20) + ((uint64_t)x38 * x19)))); + { uint64_t x57 = (((uint64_t)x39 * x20) + ((uint64_t)x38 * x21)); + { uint64_t x58 = ((uint64_t)(0x2 * x38) * x20); + { uint64_t x59 = (x48 + (x58 << 0x4)); + { uint64_t x60 = (x59 + (x58 << 0x1)); + { uint64_t x61 = (x60 + x58); + { uint64_t x62 = (x47 + (x57 << 0x4)); + { uint64_t x63 = (x62 + (x57 << 0x1)); + { uint64_t x64 = (x63 + x57); + { uint64_t x65 = (x46 + (x56 << 0x4)); + { uint64_t x66 = (x65 + (x56 << 0x1)); + { uint64_t x67 = (x66 + x56); + { uint64_t x68 = (x45 + (x55 << 0x4)); + { uint64_t x69 = (x68 + (x55 << 0x1)); + { uint64_t x70 = (x69 + x55); + { uint64_t x71 = (x44 + (x54 << 0x4)); + { uint64_t x72 = (x71 + (x54 << 0x1)); + { uint64_t x73 = (x72 + x54); + { uint64_t x74 = (x43 + (x53 << 0x4)); + { uint64_t x75 = (x74 + (x53 << 0x1)); + { uint64_t x76 = (x75 + x53); + { uint64_t x77 = (x42 + (x52 << 0x4)); + { uint64_t x78 = (x77 + (x52 << 0x1)); + { uint64_t x79 = (x78 + x52); + { uint64_t x80 = (x41 + (x51 << 0x4)); + { uint64_t x81 = (x80 + (x51 << 0x1)); + { uint64_t x82 = (x81 + x51); + { uint64_t x83 = (x40 + (x50 << 0x4)); + { uint64_t x84 = (x83 + (x50 << 0x1)); + { uint64_t x85 = (x84 + x50); + { uint64_t x86 = (x85 >> 0x1a); + { uint32_t x87 = ((uint32_t)x85 & 0x3ffffff); + { uint64_t x88 = (x86 + x82); + { uint64_t x89 = (x88 >> 0x19); + { uint32_t x90 = ((uint32_t)x88 & 0x1ffffff); + { uint64_t x91 = (x89 + x79); + { uint64_t x92 = (x91 >> 0x1a); + { uint32_t x93 = ((uint32_t)x91 & 0x3ffffff); + { uint64_t x94 = (x92 + x76); + { uint64_t x95 = (x94 >> 0x19); + { uint32_t x96 = ((uint32_t)x94 & 0x1ffffff); + { uint64_t x97 = (x95 + x73); + { uint64_t x98 = (x97 >> 0x1a); + { uint32_t x99 = ((uint32_t)x97 & 0x3ffffff); + { uint64_t x100 = (x98 + x70); + { uint64_t x101 = (x100 >> 0x19); + { uint32_t x102 = ((uint32_t)x100 & 0x1ffffff); + { uint64_t x103 = (x101 + x67); + { uint64_t x104 = (x103 >> 0x1a); + { uint32_t x105 = ((uint32_t)x103 & 0x3ffffff); + { uint64_t x106 = (x104 + x64); + { uint64_t x107 = (x106 >> 0x19); + { uint32_t x108 = ((uint32_t)x106 & 0x1ffffff); + { uint64_t x109 = (x107 + x61); + { uint64_t x110 = (x109 >> 0x1a); + { uint32_t x111 = ((uint32_t)x109 & 0x3ffffff); + { uint64_t x112 = (x110 + x49); + { uint64_t x113 = (x112 >> 0x19); + { uint32_t x114 = ((uint32_t)x112 & 0x1ffffff); + { uint64_t x115 = (x87 + (0x13 * x113)); + { uint32_t x116 = (uint32_t) (x115 >> 0x1a); + { uint32_t x117 = ((uint32_t)x115 & 0x3ffffff); + { uint32_t x118 = (x116 + x90); + { uint32_t x119 = (x118 >> 0x19); + { uint32_t x120 = (x118 & 0x1ffffff); + out[0] = x117; + out[1] = x120; + out[2] = (x119 + x93); + out[3] = x96; + out[4] = x99; + out[5] = x102; + out[6] = x105; + out[7] = x108; + out[8] = x111; + out[9] = x114; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + assert_fe(out); +} + +static void fe_mul_ltt(fe_loose *h, const fe *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_llt(fe_loose *h, const fe_loose *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_ttt(fe *h, const fe *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_tlt(fe *h, const fe_loose *f, const fe *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_ttl(fe *h, const fe *f, const fe_loose *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_mul_tll(fe *h, const fe_loose *f, const fe_loose *g) { + fe_mul_impl(h->v, f->v, g->v); +} + +static void fe_sqr_impl(uint32_t out[10], const uint32_t in1[10]) { + assert_fe_loose(in1); + { const uint32_t x17 = in1[9]; + { const uint32_t x18 = in1[8]; + { const uint32_t x16 = in1[7]; + { const uint32_t x14 = in1[6]; + { const uint32_t x12 = in1[5]; + { const uint32_t x10 = in1[4]; + { const uint32_t x8 = in1[3]; + { const uint32_t x6 = in1[2]; + { const uint32_t x4 = in1[1]; + { const uint32_t x2 = in1[0]; + { uint64_t x19 = ((uint64_t)x2 * x2); + { uint64_t x20 = ((uint64_t)(0x2 * x2) * x4); + { uint64_t x21 = (0x2 * (((uint64_t)x4 * x4) + ((uint64_t)x2 * x6))); + { uint64_t x22 = (0x2 * (((uint64_t)x4 * x6) + ((uint64_t)x2 * x8))); + { uint64_t x23 = ((((uint64_t)x6 * x6) + ((uint64_t)(0x4 * x4) * x8)) + ((uint64_t)(0x2 * x2) * x10)); + { uint64_t x24 = (0x2 * ((((uint64_t)x6 * x8) + ((uint64_t)x4 * x10)) + ((uint64_t)x2 * x12))); + { uint64_t x25 = (0x2 * (((((uint64_t)x8 * x8) + ((uint64_t)x6 * x10)) + ((uint64_t)x2 * x14)) + ((uint64_t)(0x2 * x4) * x12))); + { uint64_t x26 = (0x2 * (((((uint64_t)x8 * x10) + ((uint64_t)x6 * x12)) + ((uint64_t)x4 * x14)) + ((uint64_t)x2 * x16))); + { uint64_t x27 = (((uint64_t)x10 * x10) + (0x2 * ((((uint64_t)x6 * x14) + ((uint64_t)x2 * x18)) + (0x2 * (((uint64_t)x4 * x16) + ((uint64_t)x8 * x12)))))); + { uint64_t x28 = (0x2 * ((((((uint64_t)x10 * x12) + ((uint64_t)x8 * x14)) + ((uint64_t)x6 * x16)) + ((uint64_t)x4 * x18)) + ((uint64_t)x2 * x17))); + { uint64_t x29 = (0x2 * (((((uint64_t)x12 * x12) + ((uint64_t)x10 * x14)) + ((uint64_t)x6 * x18)) + (0x2 * (((uint64_t)x8 * x16) + ((uint64_t)x4 * x17))))); + { uint64_t x30 = (0x2 * (((((uint64_t)x12 * x14) + ((uint64_t)x10 * x16)) + ((uint64_t)x8 * x18)) + ((uint64_t)x6 * x17))); + { uint64_t x31 = (((uint64_t)x14 * x14) + (0x2 * (((uint64_t)x10 * x18) + (0x2 * (((uint64_t)x12 * x16) + ((uint64_t)x8 * x17)))))); + { uint64_t x32 = (0x2 * ((((uint64_t)x14 * x16) + ((uint64_t)x12 * x18)) + ((uint64_t)x10 * x17))); + { uint64_t x33 = (0x2 * ((((uint64_t)x16 * x16) + ((uint64_t)x14 * x18)) + ((uint64_t)(0x2 * x12) * x17))); + { uint64_t x34 = (0x2 * (((uint64_t)x16 * x18) + ((uint64_t)x14 * x17))); + { uint64_t x35 = (((uint64_t)x18 * x18) + ((uint64_t)(0x4 * x16) * x17)); + { uint64_t x36 = ((uint64_t)(0x2 * x18) * x17); + { uint64_t x37 = ((uint64_t)(0x2 * x17) * x17); + { uint64_t x38 = (x27 + (x37 << 0x4)); + { uint64_t x39 = (x38 + (x37 << 0x1)); + { uint64_t x40 = (x39 + x37); + { uint64_t x41 = (x26 + (x36 << 0x4)); + { uint64_t x42 = (x41 + (x36 << 0x1)); + { uint64_t x43 = (x42 + x36); + { uint64_t x44 = (x25 + (x35 << 0x4)); + { uint64_t x45 = (x44 + (x35 << 0x1)); + { uint64_t x46 = (x45 + x35); + { uint64_t x47 = (x24 + (x34 << 0x4)); + { uint64_t x48 = (x47 + (x34 << 0x1)); + { uint64_t x49 = (x48 + x34); + { uint64_t x50 = (x23 + (x33 << 0x4)); + { uint64_t x51 = (x50 + (x33 << 0x1)); + { uint64_t x52 = (x51 + x33); + { uint64_t x53 = (x22 + (x32 << 0x4)); + { uint64_t x54 = (x53 + (x32 << 0x1)); + { uint64_t x55 = (x54 + x32); + { uint64_t x56 = (x21 + (x31 << 0x4)); + { uint64_t x57 = (x56 + (x31 << 0x1)); + { uint64_t x58 = (x57 + x31); + { uint64_t x59 = (x20 + (x30 << 0x4)); + { uint64_t x60 = (x59 + (x30 << 0x1)); + { uint64_t x61 = (x60 + x30); + { uint64_t x62 = (x19 + (x29 << 0x4)); + { uint64_t x63 = (x62 + (x29 << 0x1)); + { uint64_t x64 = (x63 + x29); + { uint64_t x65 = (x64 >> 0x1a); + { uint32_t x66 = ((uint32_t)x64 & 0x3ffffff); + { uint64_t x67 = (x65 + x61); + { uint64_t x68 = (x67 >> 0x19); + { uint32_t x69 = ((uint32_t)x67 & 0x1ffffff); + { uint64_t x70 = (x68 + x58); + { uint64_t x71 = (x70 >> 0x1a); + { uint32_t x72 = ((uint32_t)x70 & 0x3ffffff); + { uint64_t x73 = (x71 + x55); + { uint64_t x74 = (x73 >> 0x19); + { uint32_t x75 = ((uint32_t)x73 & 0x1ffffff); + { uint64_t x76 = (x74 + x52); + { uint64_t x77 = (x76 >> 0x1a); + { uint32_t x78 = ((uint32_t)x76 & 0x3ffffff); + { uint64_t x79 = (x77 + x49); + { uint64_t x80 = (x79 >> 0x19); + { uint32_t x81 = ((uint32_t)x79 & 0x1ffffff); + { uint64_t x82 = (x80 + x46); + { uint64_t x83 = (x82 >> 0x1a); + { uint32_t x84 = ((uint32_t)x82 & 0x3ffffff); + { uint64_t x85 = (x83 + x43); + { uint64_t x86 = (x85 >> 0x19); + { uint32_t x87 = ((uint32_t)x85 & 0x1ffffff); + { uint64_t x88 = (x86 + x40); + { uint64_t x89 = (x88 >> 0x1a); + { uint32_t x90 = ((uint32_t)x88 & 0x3ffffff); + { uint64_t x91 = (x89 + x28); + { uint64_t x92 = (x91 >> 0x19); + { uint32_t x93 = ((uint32_t)x91 & 0x1ffffff); + { uint64_t x94 = (x66 + (0x13 * x92)); + { uint32_t x95 = (uint32_t) (x94 >> 0x1a); + { uint32_t x96 = ((uint32_t)x94 & 0x3ffffff); + { uint32_t x97 = (x95 + x69); + { uint32_t x98 = (x97 >> 0x19); + { uint32_t x99 = (x97 & 0x1ffffff); + out[0] = x96; + out[1] = x99; + out[2] = (x98 + x72); + out[3] = x75; + out[4] = x78; + out[5] = x81; + out[6] = x84; + out[7] = x87; + out[8] = x90; + out[9] = x93; + }}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}} + assert_fe(out); +} + +static void fe_sq_tl(fe *h, const fe_loose *f) { + fe_sqr_impl(h->v, f->v); +} + +static void fe_sq_tt(fe *h, const fe *f) { + fe_sqr_impl(h->v, f->v); +} + +// Adapted from Fiat-synthesized |fe_sub_impl| with |out| = 0. +static void fe_neg_impl(uint32_t out[10], const uint32_t in2[10]) { + { const uint32_t x20 = 0; + { const uint32_t x21 = 0; + { const uint32_t x19 = 0; + { const uint32_t x17 = 0; + { const uint32_t x15 = 0; + { const uint32_t x13 = 0; + { const uint32_t x11 = 0; + { const uint32_t x9 = 0; + { const uint32_t x7 = 0; + { const uint32_t x5 = 0; + { const uint32_t x38 = in2[9]; + { const uint32_t x39 = in2[8]; + { const uint32_t x37 = in2[7]; + { const uint32_t x35 = in2[6]; + { const uint32_t x33 = in2[5]; + { const uint32_t x31 = in2[4]; + { const uint32_t x29 = in2[3]; + { const uint32_t x27 = in2[2]; + { const uint32_t x25 = in2[1]; + { const uint32_t x23 = in2[0]; + out[0] = ((0x7ffffda + x5) - x23); + out[1] = ((0x3fffffe + x7) - x25); + out[2] = ((0x7fffffe + x9) - x27); + out[3] = ((0x3fffffe + x11) - x29); + out[4] = ((0x7fffffe + x13) - x31); + out[5] = ((0x3fffffe + x15) - x33); + out[6] = ((0x7fffffe + x17) - x35); + out[7] = ((0x3fffffe + x19) - x37); + out[8] = ((0x7fffffe + x21) - x39); + out[9] = ((0x3fffffe + x20) - x38); + }}}}}}}}}}}}}}}}}}}} +} + +// h = -f +static void fe_neg(fe_loose *h, const fe *f) { + assert_fe(f->v); + fe_neg_impl(h->v, f->v); + assert_fe_loose(h->v); +} + +// Replace (f,g) with (g,g) if b == 1; +// replace (f,g) with (f,g) if b == 0. +// +// Preconditions: b in {0,1}. +static void fe_cmov(fe_loose *f, const fe_loose *g, unsigned b) { + b = 0-b; + unsigned i; + for (i = 0; i < 10; i++) { + uint32_t x = f->v[i] ^ g->v[i]; + x &= b; + f->v[i] ^= x; + } +} + +#endif // BORINGSSL_CURVE25519_64BIT + +// h = f +static void fe_copy(fe *h, const fe *f) { + memmove(h, f, sizeof(fe)); +} + +static void fe_copy_lt(fe_loose *h, const fe *f) { +#ifdef EDWARDS25519_ASSERTS + assert(sizeof(fe_loose) == sizeof(fe)); +#endif + memmove(h, f, sizeof(fe)); +} +#if !defined(CONFIG_SMALL) +static void fe_copy_ll(fe_loose *h, const fe_loose *f) { + memmove(h, f, sizeof(fe_loose)); +} +#endif // !defined(CONFIG_SMALL) + +static void fe_loose_invert(fe *out, const fe_loose *z) { + fe t0; + fe t1; + fe t2; + fe t3; + int i; + + fe_sq_tl(&t0, z); + fe_sq_tt(&t1, &t0); + for (i = 1; i < 2; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_tlt(&t1, z, &t1); + fe_mul_ttt(&t0, &t0, &t1); + fe_sq_tt(&t2, &t0); + fe_mul_ttt(&t1, &t1, &t2); + fe_sq_tt(&t2, &t1); + for (i = 1; i < 5; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t1, &t2, &t1); + fe_sq_tt(&t2, &t1); + for (i = 1; i < 10; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t2, &t2, &t1); + fe_sq_tt(&t3, &t2); + for (i = 1; i < 20; ++i) { + fe_sq_tt(&t3, &t3); + } + fe_mul_ttt(&t2, &t3, &t2); + fe_sq_tt(&t2, &t2); + for (i = 1; i < 10; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t1, &t2, &t1); + fe_sq_tt(&t2, &t1); + for (i = 1; i < 50; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t2, &t2, &t1); + fe_sq_tt(&t3, &t2); + for (i = 1; i < 100; ++i) { + fe_sq_tt(&t3, &t3); + } + fe_mul_ttt(&t2, &t3, &t2); + fe_sq_tt(&t2, &t2); + for (i = 1; i < 50; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t1, &t2, &t1); + fe_sq_tt(&t1, &t1); + for (i = 1; i < 5; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(out, &t1, &t0); +} + +static void fe_invert(fe *out, const fe *z) { + fe_loose l; + fe_copy_lt(&l, z); + fe_loose_invert(out, &l); +} + +// return 0 if f == 0 +// return 1 if f != 0 +static int fe_isnonzero(const fe_loose *f) { + fe tight; + fe_carry(&tight, f); + uint8_t s[32]; + fe_tobytes(s, &tight); + + static const uint8_t zero[32] = {0}; + return k5_bcmp(s, zero, sizeof(zero)) != 0; +} + +// return 1 if f is in {1,3,5,...,q-2} +// return 0 if f is in {0,2,4,...,q-1} +static int fe_isnegative(const fe *f) { + uint8_t s[32]; + fe_tobytes(s, f); + return s[0] & 1; +} + +static void fe_sq2_tt(fe *h, const fe *f) { + // h = f^2 + fe_sq_tt(h, f); + + // h = h + h + fe_loose tmp; + fe_add(&tmp, h, h); + fe_carry(h, &tmp); +} + +static void fe_pow22523(fe *out, const fe *z) { + fe t0; + fe t1; + fe t2; + int i; + + fe_sq_tt(&t0, z); + fe_sq_tt(&t1, &t0); + for (i = 1; i < 2; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t1, z, &t1); + fe_mul_ttt(&t0, &t0, &t1); + fe_sq_tt(&t0, &t0); + fe_mul_ttt(&t0, &t1, &t0); + fe_sq_tt(&t1, &t0); + for (i = 1; i < 5; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t0, &t1, &t0); + fe_sq_tt(&t1, &t0); + for (i = 1; i < 10; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t1, &t1, &t0); + fe_sq_tt(&t2, &t1); + for (i = 1; i < 20; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t1, &t2, &t1); + fe_sq_tt(&t1, &t1); + for (i = 1; i < 10; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t0, &t1, &t0); + fe_sq_tt(&t1, &t0); + for (i = 1; i < 50; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t1, &t1, &t0); + fe_sq_tt(&t2, &t1); + for (i = 1; i < 100; ++i) { + fe_sq_tt(&t2, &t2); + } + fe_mul_ttt(&t1, &t2, &t1); + fe_sq_tt(&t1, &t1); + for (i = 1; i < 50; ++i) { + fe_sq_tt(&t1, &t1); + } + fe_mul_ttt(&t0, &t1, &t0); + fe_sq_tt(&t0, &t0); + for (i = 1; i < 2; ++i) { + fe_sq_tt(&t0, &t0); + } + fe_mul_ttt(out, &t0, z); +} + + +// Group operations. + +static void x25519_ge_tobytes(uint8_t s[32], const ge_p2 *h) { + fe recip; + fe x; + fe y; + + fe_invert(&recip, &h->Z); + fe_mul_ttt(&x, &h->X, &recip); + fe_mul_ttt(&y, &h->Y, &recip); + fe_tobytes(s, &y); + s[31] ^= fe_isnegative(&x) << 7; +} + +static int x25519_ge_frombytes_vartime(ge_p3 *h, const uint8_t *s) { + fe u; + fe_loose v; + fe v3; + fe vxx; + fe_loose check; + + fe_frombytes(&h->Y, s); + fe_1(&h->Z); + fe_sq_tt(&v3, &h->Y); + fe_mul_ttt(&vxx, &v3, &d); + fe_sub(&v, &v3, &h->Z); // u = y^2-1 + fe_carry(&u, &v); + fe_add(&v, &vxx, &h->Z); // v = dy^2+1 + + fe_sq_tl(&v3, &v); + fe_mul_ttl(&v3, &v3, &v); // v3 = v^3 + fe_sq_tt(&h->X, &v3); + fe_mul_ttl(&h->X, &h->X, &v); + fe_mul_ttt(&h->X, &h->X, &u); // x = uv^7 + + fe_pow22523(&h->X, &h->X); // x = (uv^7)^((q-5)/8) + fe_mul_ttt(&h->X, &h->X, &v3); + fe_mul_ttt(&h->X, &h->X, &u); // x = uv^3(uv^7)^((q-5)/8) + + fe_sq_tt(&vxx, &h->X); + fe_mul_ttl(&vxx, &vxx, &v); + fe_sub(&check, &vxx, &u); + if (fe_isnonzero(&check)) { + fe_add(&check, &vxx, &u); + if (fe_isnonzero(&check)) { + return -1; + } + fe_mul_ttt(&h->X, &h->X, &sqrtm1); + } + + if (fe_isnegative(&h->X) != (s[31] >> 7)) { + fe_loose t; + fe_neg(&t, &h->X); + fe_carry(&h->X, &t); + } + + fe_mul_ttt(&h->T, &h->X, &h->Y); + return 0; +} + +static void ge_p2_0(ge_p2 *h) { + fe_0(&h->X); + fe_1(&h->Y); + fe_1(&h->Z); +} + +static void ge_p3_0(ge_p3 *h) { + fe_0(&h->X); + fe_1(&h->Y); + fe_1(&h->Z); + fe_0(&h->T); +} + +static void ge_cached_0(ge_cached *h) { + fe_loose_1(&h->YplusX); + fe_loose_1(&h->YminusX); + fe_loose_1(&h->Z); + fe_loose_0(&h->T2d); +} + +static void ge_precomp_0(ge_precomp *h) { + fe_loose_1(&h->yplusx); + fe_loose_1(&h->yminusx); + fe_loose_0(&h->xy2d); +} + +// r = p +static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) { + fe_copy(&r->X, &p->X); + fe_copy(&r->Y, &p->Y); + fe_copy(&r->Z, &p->Z); +} + +// r = p +static void x25519_ge_p3_to_cached(ge_cached *r, const ge_p3 *p) { + fe_add(&r->YplusX, &p->Y, &p->X); + fe_sub(&r->YminusX, &p->Y, &p->X); + fe_copy_lt(&r->Z, &p->Z); + fe_mul_ltt(&r->T2d, &p->T, &d2); +} + +// r = p +static void x25519_ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) { + fe_mul_tll(&r->X, &p->X, &p->T); + fe_mul_tll(&r->Y, &p->Y, &p->Z); + fe_mul_tll(&r->Z, &p->Z, &p->T); +} + +// r = p +static void x25519_ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) { + fe_mul_tll(&r->X, &p->X, &p->T); + fe_mul_tll(&r->Y, &p->Y, &p->Z); + fe_mul_tll(&r->Z, &p->Z, &p->T); + fe_mul_tll(&r->T, &p->X, &p->Y); +} + +// r = p +static void ge_p1p1_to_cached(ge_cached *r, const ge_p1p1 *p) { + ge_p3 t; + x25519_ge_p1p1_to_p3(&t, p); + x25519_ge_p3_to_cached(r, &t); +} + +// r = 2 * p +static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) { + fe trX, trZ, trT; + fe t0; + + fe_sq_tt(&trX, &p->X); + fe_sq_tt(&trZ, &p->Y); + fe_sq2_tt(&trT, &p->Z); + fe_add(&r->Y, &p->X, &p->Y); + fe_sq_tl(&t0, &r->Y); + + fe_add(&r->Y, &trZ, &trX); + fe_sub(&r->Z, &trZ, &trX); + fe_carry(&trZ, &r->Y); + fe_sub(&r->X, &t0, &trZ); + fe_carry(&trZ, &r->Z); + fe_sub(&r->T, &trT, &trZ); +} + +#ifndef CONFIG_SMALL +// r = 2 * p +static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) { + ge_p2 q; + ge_p3_to_p2(&q, p); + ge_p2_dbl(r, &q); +} +#endif + +// r = p + q +static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { + fe trY, trZ, trT; + + fe_add(&r->X, &p->Y, &p->X); + fe_sub(&r->Y, &p->Y, &p->X); + fe_mul_tll(&trZ, &r->X, &q->yplusx); + fe_mul_tll(&trY, &r->Y, &q->yminusx); + fe_mul_tlt(&trT, &q->xy2d, &p->T); + fe_add(&r->T, &p->Z, &p->Z); + fe_sub(&r->X, &trZ, &trY); + fe_add(&r->Y, &trZ, &trY); + fe_carry(&trZ, &r->T); + fe_add(&r->Z, &trZ, &trT); + fe_sub(&r->T, &trZ, &trT); +} + +// r = p + q +static void x25519_ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe trX, trY, trZ, trT; + + fe_add(&r->X, &p->Y, &p->X); + fe_sub(&r->Y, &p->Y, &p->X); + fe_mul_tll(&trZ, &r->X, &q->YplusX); + fe_mul_tll(&trY, &r->Y, &q->YminusX); + fe_mul_tlt(&trT, &q->T2d, &p->T); + fe_mul_ttl(&trX, &p->Z, &q->Z); + fe_add(&r->T, &trX, &trX); + fe_sub(&r->X, &trZ, &trY); + fe_add(&r->Y, &trZ, &trY); + fe_carry(&trZ, &r->T); + fe_add(&r->Z, &trZ, &trT); + fe_sub(&r->T, &trZ, &trT); +} + +// r = p - q +static void x25519_ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe trX, trY, trZ, trT; + + fe_add(&r->X, &p->Y, &p->X); + fe_sub(&r->Y, &p->Y, &p->X); + fe_mul_tll(&trZ, &r->X, &q->YminusX); + fe_mul_tll(&trY, &r->Y, &q->YplusX); + fe_mul_tlt(&trT, &q->T2d, &p->T); + fe_mul_ttl(&trX, &p->Z, &q->Z); + fe_add(&r->T, &trX, &trX); + fe_sub(&r->X, &trZ, &trY); + fe_add(&r->Y, &trZ, &trY); + fe_carry(&trZ, &r->T); + fe_sub(&r->Z, &trZ, &trT); + fe_add(&r->T, &trZ, &trT); +} + +static uint8_t equal(signed char b, signed char c) { + uint8_t ub = b; + uint8_t uc = c; + uint8_t x = ub ^ uc; // 0: yes; 1..255: no + uint32_t y = x; // 0: yes; 1..255: no + y -= 1; // 4294967295: yes; 0..254: no + y >>= 31; // 1: yes; 0: no + return y; +} + +static void cmov(ge_precomp *t, const ge_precomp *u, uint8_t b) { + fe_cmov(&t->yplusx, &u->yplusx, b); + fe_cmov(&t->yminusx, &u->yminusx, b); + fe_cmov(&t->xy2d, &u->xy2d, b); +} + +static void x25519_ge_scalarmult_small_precomp( + ge_p3 *h, const uint8_t a[32], const uint8_t precomp_table[15 * 2 * 32]) { + // precomp_table is first expanded into matching |ge_precomp| + // elements. + ge_precomp multiples[15]; + + unsigned i; + for (i = 0; i < 15; i++) { + const uint8_t *bytes = &precomp_table[i*(2 * 32)]; + fe x, y; + fe_frombytes(&x, bytes); + fe_frombytes(&y, bytes + 32); + + ge_precomp *out = &multiples[i]; + fe_add(&out->yplusx, &y, &x); + fe_sub(&out->yminusx, &y, &x); + fe_mul_ltt(&out->xy2d, &x, &y); + fe_mul_llt(&out->xy2d, &out->xy2d, &d2); + } + + // See the comment above |k25519SmallPrecomp| about the structure of the + // precomputed elements. This loop does 64 additions and 64 doublings to + // calculate the result. + ge_p3_0(h); + + for (i = 63; i < 64; i--) { + unsigned j; + signed char index = 0; + + for (j = 0; j < 4; j++) { + const uint8_t bit = 1 & (a[(8 * j) + (i / 8)] >> (i & 7)); + index |= (bit << j); + } + + ge_precomp e; + ge_precomp_0(&e); + + for (j = 1; j < 16; j++) { + cmov(&e, &multiples[j-1], equal(index, j)); + } + + ge_cached cached; + ge_p1p1 r; + x25519_ge_p3_to_cached(&cached, h); + x25519_ge_add(&r, h, &cached); + x25519_ge_p1p1_to_p3(h, &r); + + ge_madd(&r, h, &e); + x25519_ge_p1p1_to_p3(h, &r); + } +} + +#if defined(CONFIG_SMALL) + +static void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t a[32]) { + x25519_ge_scalarmult_small_precomp(h, a, k25519SmallPrecomp); +} + +#else + +static uint8_t negative(signed char b) { + uint32_t x = b; + x >>= 31; // 1: yes; 0: no + return x; +} + +static void table_select(ge_precomp *t, int pos, signed char b) { + ge_precomp minust; + uint8_t bnegative = negative(b); + uint8_t babs = b - ((uint8_t)((-bnegative) & b) << 1); + + ge_precomp_0(t); + cmov(t, &k25519Precomp[pos][0], equal(babs, 1)); + cmov(t, &k25519Precomp[pos][1], equal(babs, 2)); + cmov(t, &k25519Precomp[pos][2], equal(babs, 3)); + cmov(t, &k25519Precomp[pos][3], equal(babs, 4)); + cmov(t, &k25519Precomp[pos][4], equal(babs, 5)); + cmov(t, &k25519Precomp[pos][5], equal(babs, 6)); + cmov(t, &k25519Precomp[pos][6], equal(babs, 7)); + cmov(t, &k25519Precomp[pos][7], equal(babs, 8)); + fe_copy_ll(&minust.yplusx, &t->yminusx); + fe_copy_ll(&minust.yminusx, &t->yplusx); + + // NOTE: the input table is canonical, but types don't encode it + fe tmp; + fe_carry(&tmp, &t->xy2d); + fe_neg(&minust.xy2d, &tmp); + + cmov(t, &minust, bnegative); +} + +// h = a * B +// where a = a[0]+256*a[1]+...+256^31 a[31] +// B is the Ed25519 base point (x,4/5) with x positive. +// +// Preconditions: +// a[31] <= 127 +static void x25519_ge_scalarmult_base(ge_p3 *h, const uint8_t *a) { + signed char e[64]; + signed char carry; + ge_p1p1 r; + ge_p2 s; + ge_precomp t; + int i; + + for (i = 0; i < 32; ++i) { + e[2 * i + 0] = (a[i] >> 0) & 15; + e[2 * i + 1] = (a[i] >> 4) & 15; + } + // each e[i] is between 0 and 15 + // e[63] is between 0 and 7 + + carry = 0; + for (i = 0; i < 63; ++i) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + e[63] += carry; + // each e[i] is between -8 and 8 + + ge_p3_0(h); + for (i = 1; i < 64; i += 2) { + table_select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); + x25519_ge_p1p1_to_p3(h, &r); + } + + ge_p3_dbl(&r, h); + x25519_ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + x25519_ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + x25519_ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + x25519_ge_p1p1_to_p3(h, &r); + + for (i = 0; i < 64; i += 2) { + table_select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); + x25519_ge_p1p1_to_p3(h, &r); + } +} + +#endif + +static void cmov_cached(ge_cached *t, ge_cached *u, uint8_t b) { + fe_cmov(&t->YplusX, &u->YplusX, b); + fe_cmov(&t->YminusX, &u->YminusX, b); + fe_cmov(&t->Z, &u->Z, b); + fe_cmov(&t->T2d, &u->T2d, b); +} + +// r = scalar * A. +// where a = a[0]+256*a[1]+...+256^31 a[31]. +static void x25519_ge_scalarmult(ge_p2 *r, const uint8_t *scalar, + const ge_p3 *A) { + ge_p2 Ai_p2[8]; + ge_cached Ai[16]; + ge_p1p1 t; + + ge_cached_0(&Ai[0]); + x25519_ge_p3_to_cached(&Ai[1], A); + ge_p3_to_p2(&Ai_p2[1], A); + + unsigned i; + for (i = 2; i < 16; i += 2) { + ge_p2_dbl(&t, &Ai_p2[i / 2]); + ge_p1p1_to_cached(&Ai[i], &t); + if (i < 8) { + x25519_ge_p1p1_to_p2(&Ai_p2[i], &t); + } + x25519_ge_add(&t, A, &Ai[i]); + ge_p1p1_to_cached(&Ai[i + 1], &t); + if (i < 7) { + x25519_ge_p1p1_to_p2(&Ai_p2[i + 1], &t); + } + } + + ge_p2_0(r); + ge_p3 u; + + for (i = 0; i < 256; i += 4) { + ge_p2_dbl(&t, r); + x25519_ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + x25519_ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + x25519_ge_p1p1_to_p2(r, &t); + ge_p2_dbl(&t, r); + x25519_ge_p1p1_to_p3(&u, &t); + + uint8_t index = scalar[31 - i/8]; + index >>= 4 - (i & 4); + index &= 0xf; + + unsigned j; + ge_cached selected; + ge_cached_0(&selected); + for (j = 0; j < 16; j++) { + cmov_cached(&selected, &Ai[j], equal(j, index)); + } + + x25519_ge_add(&t, &u, &selected); + x25519_ge_p1p1_to_p2(r, &t); + } +} + +// The set of scalars is \Z/l +// where l = 2^252 + 27742317777372353535851937790883648493. + +// Input: +// s[0]+256*s[1]+...+256^63*s[63] = s +// +// Output: +// s[0]+256*s[1]+...+256^31*s[31] = s mod l +// where l = 2^252 + 27742317777372353535851937790883648493. +// Overwrites s in place. +static void x25519_sc_reduce(uint8_t s[64]) { + int64_t s0 = 2097151 & load_3(s); + int64_t s1 = 2097151 & (load_4(s + 2) >> 5); + int64_t s2 = 2097151 & (load_3(s + 5) >> 2); + int64_t s3 = 2097151 & (load_4(s + 7) >> 7); + int64_t s4 = 2097151 & (load_4(s + 10) >> 4); + int64_t s5 = 2097151 & (load_3(s + 13) >> 1); + int64_t s6 = 2097151 & (load_4(s + 15) >> 6); + int64_t s7 = 2097151 & (load_3(s + 18) >> 3); + int64_t s8 = 2097151 & load_3(s + 21); + int64_t s9 = 2097151 & (load_4(s + 23) >> 5); + int64_t s10 = 2097151 & (load_3(s + 26) >> 2); + int64_t s11 = 2097151 & (load_4(s + 28) >> 7); + int64_t s12 = 2097151 & (load_4(s + 31) >> 4); + int64_t s13 = 2097151 & (load_3(s + 34) >> 1); + int64_t s14 = 2097151 & (load_4(s + 36) >> 6); + int64_t s15 = 2097151 & (load_3(s + 39) >> 3); + int64_t s16 = 2097151 & load_3(s + 42); + int64_t s17 = 2097151 & (load_4(s + 44) >> 5); + int64_t s18 = 2097151 & (load_3(s + 47) >> 2); + int64_t s19 = 2097151 & (load_4(s + 49) >> 7); + int64_t s20 = 2097151 & (load_4(s + 52) >> 4); + int64_t s21 = 2097151 & (load_3(s + 55) >> 1); + int64_t s22 = 2097151 & (load_4(s + 57) >> 6); + int64_t s23 = (load_4(s + 60) >> 3); + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + s23 = 0; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + s22 = 0; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + s21 = 0; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + s20 = 0; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + s19 = 0; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + s18 = 0; + + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + s17 = 0; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry11 = s11 >> 21; + s12 += carry11; + s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 << 5); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 << 2); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 << 7); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 << 4); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 << 1); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 << 6); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 << 3); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 << 5); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 << 2); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 << 7); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +/* Loosely from BoringSSL crypto/curve25519/spake25519.c */ + +/* + * Here BoringSSL uses different points, not restricted to the generator + * subgroup, while we use the draft-irtf-cfrg-spake2-05 points. The Python + * code is modified to add the subgroup restriction. + */ + +// The following precomputation tables are for the following +// points: +// +// N (found in 7 iterations): +// x: 10742253510813957597047979962966927467575235974254765187031601461055699024931 +// y: 19796686047937480651099107989427797822652529149428697746066532921705571401683 +// encoded: d3bfb518f44f3430f29d0c92af503865a1ed3281dc69b35dd868ba85f886c4ab +// +// M (found in 21 iterations): +// x: 8158688967149231307266666683326742915289288280191350817196911733632187385319 +// y: 21622333750659878624441478467798461427617029906629724657331223068277098105040 +// encoded: d048032c6ea0b6d697ddc2e86bda85a33adac920f1bf18e1b0c6d166a5cecdaf +// +// These points and their precomputation tables are generated with the +// following Python code. + +/* +import hashlib +import ed25519 as E # http://ed25519.cr.yp.to/python/ed25519.py + +SEED_N = 'edwards25519 point generation seed (N)' +SEED_M = 'edwards25519 point generation seed (M)' + +def genpoint(seed): + v = hashlib.sha256(seed).digest() + it = 1 + while True: + try: + x,y = E.decodepoint(v) + if E.scalarmult((x,y), E.l) != [0, 1]: + raise Exception('point has wrong order') + except Exception, e: + print e + it += 1 + v = hashlib.sha256(v).digest() + continue + print "Found in %d iterations:" % it + print " x = %d" % x + print " y = %d" % y + print " Encoded (hex)" + print E.encodepoint((x,y)).encode('hex') + return (x,y) + +def gentable(P): + t = [] + for i in range(1,16): + k = (i >> 3 & 1) * (1 << 192) + \ + (i >> 2 & 1) * (1 << 128) + \ + (i >> 1 & 1) * (1 << 64) + \ + (i & 1) + t.append(E.scalarmult(P, k)) + return ''.join(E.encodeint(x) + E.encodeint(y) for (x,y) in t) + +def printtable(table, name): + print "static const uint8_t %s[15 * 2 * 32] = {" % name, + for i in range(15 * 2 * 32): + if i % 12 == 0: + print "\n ", + print " 0x%02x," % ord(table[i]), + print "\n};" + +if __name__ == "__main__": + print "Searching for N" + N = genpoint(SEED_N) + print "Generating precomputation table for N" + Ntable = gentable(N) + printtable(Ntable, "kSpakeNSmallPrecomp") + + print "Searching for M" + M = genpoint(SEED_M) + print "Generating precomputation table for M" + Mtable = gentable(M) + printtable(Mtable, "kSpakeMSmallPrecomp") +*/ + +static const uint8_t kSpakeNSmallPrecomp[15 * 2 * 32] = { + 0x23, 0xfc, 0x27, 0x6c, 0x55, 0xaf, 0xb3, 0x9c, 0xd8, 0x99, 0x3a, 0x0d, + 0x7f, 0x08, 0xc9, 0xeb, 0x4d, 0x6e, 0x90, 0x99, 0x2f, 0x3c, 0x15, 0x2b, + 0x89, 0x5a, 0x0f, 0xf2, 0x67, 0xe6, 0xbf, 0x17, 0xd3, 0xbf, 0xb5, 0x18, + 0xf4, 0x4f, 0x34, 0x30, 0xf2, 0x9d, 0x0c, 0x92, 0xaf, 0x50, 0x38, 0x65, + 0xa1, 0xed, 0x32, 0x81, 0xdc, 0x69, 0xb3, 0x5d, 0xd8, 0x68, 0xba, 0x85, + 0xf8, 0x86, 0xc4, 0x2b, 0x53, 0x93, 0xb1, 0x99, 0x90, 0x30, 0xca, 0xb0, + 0xbd, 0xea, 0x14, 0x4c, 0x6f, 0x2b, 0x81, 0x1e, 0x23, 0x45, 0xb2, 0x32, + 0x2e, 0x2d, 0xe6, 0xb8, 0x5d, 0xc5, 0x15, 0x91, 0x63, 0x39, 0x18, 0x5b, + 0x62, 0x63, 0x9b, 0xf4, 0x8b, 0xe0, 0x34, 0xa2, 0x95, 0x11, 0x92, 0x68, + 0x54, 0xb7, 0xf3, 0x91, 0xca, 0x22, 0xad, 0x08, 0xd8, 0x9c, 0xa2, 0xf0, + 0xdc, 0x9c, 0x2c, 0x84, 0x32, 0x26, 0xe0, 0x17, 0x89, 0x53, 0x6b, 0xfd, + 0x76, 0x97, 0x25, 0xea, 0x99, 0x94, 0xf8, 0x29, 0x7c, 0xc4, 0x53, 0xc0, + 0x98, 0x9a, 0x20, 0xdc, 0x70, 0x01, 0x50, 0xaa, 0x05, 0xa3, 0x40, 0x50, + 0x66, 0x87, 0x30, 0x19, 0x12, 0xc3, 0xb8, 0x2d, 0x28, 0x8b, 0x7b, 0x48, + 0xf7, 0x7b, 0xab, 0x45, 0x70, 0x2e, 0xbb, 0x85, 0xc1, 0x6c, 0xdd, 0x35, + 0x00, 0x83, 0x20, 0x13, 0x82, 0x08, 0xaa, 0xa3, 0x03, 0x0f, 0xca, 0x27, + 0x3e, 0x8b, 0x52, 0xc2, 0xd7, 0xb1, 0x8c, 0x22, 0xfe, 0x04, 0x4a, 0xf2, + 0xe8, 0xac, 0xee, 0x2e, 0xd7, 0x77, 0x34, 0x49, 0xf2, 0xe9, 0xeb, 0x8c, + 0xa6, 0xc8, 0xc6, 0xcd, 0x8a, 0x8f, 0x7c, 0x5d, 0x51, 0xc8, 0xfa, 0x6f, + 0xb3, 0x93, 0xdb, 0x71, 0xef, 0x3e, 0x6e, 0xa7, 0x85, 0xc7, 0xd4, 0x3e, + 0xa2, 0xe2, 0xc0, 0xaa, 0x17, 0xb3, 0xa4, 0x7c, 0xc2, 0x3f, 0x7c, 0x7a, + 0xdd, 0x26, 0xde, 0x3e, 0xf1, 0x99, 0x06, 0xf7, 0x69, 0x1b, 0xc9, 0x20, + 0x55, 0x4f, 0x86, 0x7a, 0x93, 0x89, 0x68, 0xe9, 0x2b, 0x2d, 0xbc, 0x08, + 0x15, 0x5d, 0x2d, 0x0b, 0x4f, 0x1a, 0xb3, 0xd4, 0x8e, 0x77, 0x79, 0x2a, + 0x25, 0xf9, 0xb6, 0x46, 0xfb, 0x87, 0x02, 0xa6, 0xe0, 0xd3, 0xba, 0x84, + 0xea, 0x3e, 0x58, 0xa5, 0x7f, 0x8f, 0x8c, 0x39, 0x79, 0x28, 0xb5, 0xcf, + 0xe4, 0xca, 0x63, 0xdc, 0xac, 0xed, 0x4b, 0x74, 0x1e, 0x94, 0x85, 0x8c, + 0xe5, 0xf4, 0x76, 0x6f, 0x20, 0x67, 0x8b, 0xd8, 0xd6, 0x4b, 0xe7, 0x2d, + 0xa0, 0xbd, 0xcc, 0x1f, 0xdf, 0x46, 0x9c, 0xa2, 0x49, 0x64, 0xdf, 0x24, + 0x00, 0x11, 0x11, 0x45, 0x62, 0x5c, 0xd7, 0x8a, 0x00, 0x02, 0xf5, 0x9b, + 0x4f, 0x53, 0x42, 0xc5, 0xd5, 0x55, 0x80, 0x73, 0x9a, 0x5b, 0x31, 0x5a, + 0xbd, 0x3a, 0x43, 0xe9, 0x33, 0xe5, 0xaf, 0x1d, 0x92, 0x5e, 0x59, 0x37, + 0xae, 0x57, 0xfa, 0x3b, 0xd2, 0x31, 0xae, 0xa6, 0xf9, 0xc9, 0xc1, 0x82, + 0xa6, 0xa5, 0xed, 0x24, 0x53, 0x4b, 0x38, 0x22, 0xf2, 0x85, 0x8d, 0x13, + 0xa6, 0x5e, 0xd6, 0x57, 0x17, 0xd3, 0x33, 0x38, 0x8d, 0x65, 0xd3, 0xcb, + 0x1a, 0xa2, 0x3a, 0x2b, 0xbb, 0x61, 0x53, 0xd7, 0xff, 0xcd, 0x20, 0xb6, + 0xbb, 0x8c, 0xab, 0x63, 0xef, 0xb8, 0x26, 0x7e, 0x81, 0x65, 0xaf, 0x90, + 0xfc, 0xd2, 0xb6, 0x72, 0xdb, 0xe9, 0x23, 0x78, 0x12, 0x04, 0xc0, 0x03, + 0x82, 0xa8, 0x7a, 0x0f, 0x48, 0x6f, 0x82, 0x7f, 0x81, 0xcd, 0xa7, 0x89, + 0xdd, 0x86, 0xea, 0x5e, 0xa1, 0x50, 0x14, 0x34, 0x17, 0x64, 0x82, 0x0f, + 0xc4, 0x40, 0x20, 0x1d, 0x8f, 0xfe, 0xfa, 0x99, 0xaf, 0x5b, 0xc1, 0x5d, + 0xc8, 0x47, 0x07, 0x54, 0x4a, 0x22, 0x56, 0x57, 0xf1, 0x2c, 0x3b, 0x62, + 0x7f, 0x12, 0x62, 0xaf, 0xfd, 0xf8, 0x04, 0x11, 0xa8, 0x51, 0xf0, 0x46, + 0x5d, 0x79, 0x66, 0xff, 0x8a, 0x06, 0xef, 0x54, 0x64, 0x1b, 0x84, 0x3e, + 0x41, 0xf3, 0xfe, 0x19, 0x51, 0xf7, 0x44, 0x9c, 0x16, 0xd3, 0x7a, 0x09, + 0x59, 0xf5, 0x47, 0x45, 0xd0, 0x31, 0xef, 0x96, 0x2c, 0xc5, 0xc0, 0xd0, + 0x56, 0xef, 0x3f, 0x07, 0x2b, 0xb7, 0x28, 0x49, 0xf5, 0xb1, 0x42, 0x18, + 0xcf, 0x77, 0xd8, 0x2b, 0x71, 0x74, 0x80, 0xba, 0x34, 0x52, 0xce, 0x11, + 0xfe, 0xc4, 0xb9, 0xeb, 0xf9, 0xc4, 0x5e, 0x1f, 0xd3, 0xde, 0x4b, 0x14, + 0xe3, 0x6e, 0xe7, 0xd7, 0x83, 0x59, 0x98, 0xe8, 0x3d, 0x8e, 0xd6, 0x7d, + 0xc0, 0x9a, 0x79, 0xb9, 0x83, 0xf1, 0xc1, 0x00, 0x5d, 0x16, 0x1b, 0x44, + 0xe9, 0x02, 0xce, 0x99, 0x1e, 0x77, 0xef, 0xca, 0xbc, 0xf0, 0x6a, 0xb9, + 0x65, 0x3f, 0x3c, 0xd9, 0xe1, 0x63, 0x0b, 0xbf, 0xaa, 0xa7, 0xe6, 0x6d, + 0x6d, 0x3f, 0x44, 0x29, 0xa3, 0x8b, 0x6d, 0xc4, 0x81, 0xa9, 0xc3, 0x5a, + 0x90, 0x55, 0x72, 0x61, 0x17, 0x22, 0x7f, 0x3e, 0x5f, 0xfc, 0xba, 0xb3, + 0x7a, 0x99, 0x76, 0xe9, 0x20, 0xe5, 0xc5, 0xe8, 0x55, 0x56, 0x0f, 0x7a, + 0x48, 0xe7, 0xbc, 0xe1, 0x13, 0xf4, 0x90, 0xef, 0x97, 0x6c, 0x02, 0x89, + 0x4d, 0x22, 0x48, 0xda, 0xd3, 0x52, 0x45, 0x31, 0x26, 0xcc, 0xe8, 0x9e, + 0x5d, 0xdd, 0x75, 0xe4, 0x1d, 0xbc, 0xb1, 0x08, 0x55, 0xaf, 0x54, 0x70, + 0x0d, 0x0c, 0xf3, 0x50, 0xbc, 0x40, 0x83, 0xee, 0xdc, 0x6d, 0x8b, 0x40, + 0x79, 0x62, 0x18, 0x37, 0xc4, 0x78, 0x02, 0x58, 0x7c, 0x78, 0xd3, 0x54, + 0xed, 0x31, 0xbd, 0x7d, 0x48, 0xcf, 0xb6, 0x11, 0x27, 0x37, 0x9c, 0x86, + 0xf7, 0x2e, 0x00, 0x7a, 0x48, 0x1b, 0xa6, 0x72, 0x70, 0x7b, 0x44, 0x45, + 0xeb, 0x49, 0xbf, 0xbe, 0x09, 0x78, 0x66, 0x71, 0x12, 0x7f, 0x3d, 0x78, + 0x51, 0x24, 0x82, 0xa2, 0xf0, 0x1e, 0x83, 0x81, 0x81, 0x45, 0x53, 0xfd, + 0x5e, 0xf3, 0x03, 0x74, 0xbd, 0x23, 0x35, 0xf6, 0x10, 0xdd, 0x7c, 0x73, + 0x46, 0x32, 0x09, 0x54, 0x99, 0x95, 0x91, 0x25, 0xb8, 0x32, 0x09, 0xd8, + 0x2f, 0x97, 0x50, 0xa3, 0xf5, 0xd6, 0xb1, 0xed, 0x97, 0x51, 0x06, 0x42, + 0x12, 0x0c, 0x69, 0x38, 0x09, 0xa0, 0xd8, 0x19, 0x70, 0xf7, 0x8f, 0x61, + 0x0d, 0x56, 0x43, 0x66, 0x22, 0x8b, 0x0e, 0x0e, 0xf9, 0x81, 0x9f, 0xac, + 0x6f, 0xbf, 0x7d, 0x04, 0x13, 0xf2, 0xe4, 0xeb, 0xfd, 0xbe, 0x4e, 0x56, + 0xda, 0xe0, 0x22, 0x6d, 0x1b, 0x25, 0xc8, 0xa5, 0x9c, 0x05, 0x45, 0x52, + 0x3c, 0x3a, 0xde, 0x6b, 0xac, 0x9b, 0xf8, 0x81, 0x97, 0x21, 0x46, 0xac, + 0x7e, 0x89, 0xf8, 0x49, 0x58, 0xbb, 0x45, 0xac, 0xa2, 0xc4, 0x90, 0x1f, + 0xb2, 0xb4, 0xf8, 0xe0, 0xcd, 0xa1, 0x9d, 0x1c, 0xf2, 0xf1, 0xdf, 0xfb, + 0x88, 0x4e, 0xe5, 0x41, 0xd8, 0x6e, 0xac, 0x07, 0x87, 0x95, 0x35, 0xa6, + 0x12, 0x08, 0x5d, 0x57, 0x5e, 0xaf, 0x71, 0x0f, 0x07, 0x4e, 0x81, 0x77, + 0xf1, 0xef, 0xb5, 0x35, 0x5c, 0xfa, 0xf4, 0x4e, 0x42, 0xdc, 0x19, 0xfe, + 0xe4, 0xd2, 0xb4, 0x27, 0xfb, 0x34, 0x1f, 0xb2, 0x6f, 0xf2, 0x95, 0xcc, + 0xd4, 0x47, 0x63, 0xdc, 0x7e, 0x4f, 0x97, 0x2b, 0x7a, 0xe0, 0x80, 0x31, +}; + +static const uint8_t kSpakeMSmallPrecomp[15 * 2 * 32] = { + 0xe7, 0x45, 0x7e, 0x47, 0x49, 0x69, 0xbd, 0x1b, 0x35, 0x1c, 0x2c, 0x98, + 0x03, 0xf3, 0xb3, 0x37, 0xde, 0x39, 0xa5, 0xda, 0xc0, 0x2e, 0xa4, 0xac, + 0x7d, 0x08, 0x26, 0xfc, 0x80, 0xa7, 0x09, 0x12, 0xd0, 0x48, 0x03, 0x2c, + 0x6e, 0xa0, 0xb6, 0xd6, 0x97, 0xdd, 0xc2, 0xe8, 0x6b, 0xda, 0x85, 0xa3, + 0x3a, 0xda, 0xc9, 0x20, 0xf1, 0xbf, 0x18, 0xe1, 0xb0, 0xc6, 0xd1, 0x66, + 0xa5, 0xce, 0xcd, 0x2f, 0x80, 0xa8, 0x4e, 0xc3, 0x81, 0xae, 0x68, 0x3b, + 0x0d, 0xdb, 0x56, 0x32, 0x2f, 0xa8, 0x97, 0xa0, 0x5c, 0x15, 0xc1, 0xcb, + 0x6f, 0x7a, 0x5f, 0xc5, 0x32, 0xfb, 0x49, 0x17, 0x18, 0xfa, 0x85, 0x08, + 0x85, 0xf1, 0xe3, 0x11, 0x8e, 0x3d, 0x70, 0x20, 0x38, 0x4e, 0x0c, 0x17, + 0xa1, 0xa8, 0x20, 0xd2, 0xb1, 0x1d, 0x05, 0x8d, 0x0f, 0xc9, 0x96, 0x18, + 0x9d, 0x8c, 0x89, 0x8f, 0x46, 0x6a, 0x6c, 0x6e, 0x72, 0x03, 0xb2, 0x75, + 0x87, 0xd8, 0xa9, 0x60, 0x93, 0x2b, 0x8b, 0x66, 0xee, 0xaf, 0xce, 0x98, + 0xcd, 0x6b, 0x7c, 0x6a, 0xbe, 0x19, 0xda, 0x66, 0x7c, 0xda, 0x53, 0xa0, + 0xe3, 0x9a, 0x0e, 0x53, 0x3a, 0x7c, 0x73, 0x4a, 0x37, 0xa6, 0x53, 0x23, + 0x67, 0x31, 0xce, 0x8a, 0xab, 0xee, 0x72, 0x76, 0xc2, 0xb5, 0x54, 0x42, + 0xcf, 0x4b, 0xc7, 0x53, 0x24, 0x59, 0xaf, 0x76, 0x53, 0x10, 0x7e, 0x25, + 0x94, 0x5c, 0x23, 0xa6, 0x5e, 0x05, 0xea, 0x14, 0xad, 0x2b, 0xce, 0x50, + 0x77, 0xb3, 0x7a, 0x88, 0x4c, 0xf7, 0x74, 0x04, 0x35, 0xa4, 0x0c, 0x9e, + 0xee, 0x6a, 0x4c, 0x3c, 0xc1, 0x6a, 0x35, 0x4d, 0x6d, 0x8f, 0x94, 0x95, + 0xe4, 0x10, 0xca, 0x46, 0x4e, 0xfa, 0x38, 0x40, 0xeb, 0x1a, 0x1b, 0x5a, + 0xff, 0x73, 0x4d, 0xe9, 0xf2, 0xbe, 0x89, 0xf5, 0xd1, 0x72, 0xd0, 0x1a, + 0x7b, 0x82, 0x08, 0x19, 0xda, 0x54, 0x44, 0xa5, 0x3d, 0xd8, 0x10, 0x1c, + 0xcf, 0x3b, 0xc7, 0x54, 0xd5, 0x11, 0xd7, 0x2a, 0x69, 0x3f, 0xa6, 0x58, + 0x74, 0xfd, 0x90, 0xb2, 0xf4, 0xc2, 0x0e, 0xf3, 0x19, 0x8f, 0x51, 0x7c, + 0x31, 0x12, 0x79, 0x61, 0x16, 0xb4, 0x2f, 0x2f, 0xd0, 0x88, 0x97, 0xf2, + 0xc3, 0x8c, 0xa6, 0xa3, 0x29, 0xff, 0x7e, 0x12, 0x46, 0x2a, 0x9c, 0x09, + 0x7c, 0x5f, 0x87, 0x07, 0x6b, 0xa1, 0x9a, 0x57, 0x55, 0x8e, 0xb0, 0x56, + 0x5d, 0xc9, 0x4c, 0x5b, 0xae, 0xd3, 0xd0, 0x8e, 0xb8, 0xac, 0xba, 0xe8, + 0x54, 0x45, 0x30, 0x14, 0xf6, 0x59, 0x20, 0xc4, 0x03, 0xb7, 0x7a, 0x5d, + 0x6b, 0x5a, 0xcb, 0x28, 0x60, 0xf8, 0xef, 0x61, 0x60, 0x78, 0x6b, 0xf5, + 0x21, 0x4b, 0x75, 0xc2, 0x77, 0xba, 0x0e, 0x38, 0x98, 0xe0, 0xfb, 0xb7, + 0x5f, 0x75, 0x87, 0x04, 0x0c, 0xb4, 0x5c, 0x09, 0x04, 0x00, 0x38, 0x4e, + 0x4f, 0x7b, 0x73, 0xe5, 0xdb, 0xdb, 0xf1, 0xf4, 0x5c, 0x64, 0x68, 0xfd, + 0xb1, 0x86, 0xe8, 0x89, 0xbe, 0x9c, 0xd4, 0x96, 0x1d, 0xcb, 0xdc, 0x5c, + 0xef, 0xd4, 0x33, 0x28, 0xb9, 0xb6, 0xaf, 0x3b, 0xcf, 0x8d, 0x30, 0xba, + 0xe8, 0x08, 0xcf, 0x84, 0xba, 0x61, 0x10, 0x9b, 0x62, 0xf6, 0x18, 0x79, + 0x66, 0x87, 0x82, 0x7c, 0xaa, 0x71, 0xac, 0xd0, 0xd0, 0x32, 0xb0, 0x54, + 0x03, 0xa4, 0xad, 0x3f, 0x72, 0xca, 0x22, 0xff, 0x01, 0x87, 0x08, 0x36, + 0x61, 0x22, 0xaa, 0x18, 0xab, 0x3a, 0xbc, 0xf2, 0x78, 0x05, 0xe1, 0x99, + 0xa3, 0x59, 0x98, 0xcc, 0x21, 0xc6, 0x2b, 0x51, 0x6d, 0x43, 0x0a, 0x46, + 0x50, 0xae, 0x11, 0x7e, 0xd5, 0x23, 0x56, 0xef, 0x83, 0xc8, 0xbf, 0x42, + 0xf0, 0x45, 0x52, 0x1f, 0x34, 0xbc, 0x2f, 0xb0, 0xf0, 0xce, 0xf0, 0xec, + 0xd0, 0x99, 0x59, 0x2e, 0x1f, 0xab, 0xa8, 0x1e, 0x4b, 0xce, 0x1b, 0x9a, + 0x75, 0xc6, 0xc4, 0x71, 0x86, 0xf0, 0x8d, 0xec, 0xb0, 0x30, 0xb9, 0x62, + 0xb3, 0xb7, 0xdd, 0x96, 0x29, 0xc8, 0xbf, 0xe9, 0xb0, 0x74, 0x78, 0x7b, + 0xf7, 0xea, 0xa3, 0x14, 0x12, 0x56, 0xe0, 0xf3, 0x35, 0x7a, 0x26, 0x4a, + 0x4c, 0xe6, 0xdf, 0x13, 0xb5, 0x52, 0xb0, 0x2a, 0x5f, 0x2e, 0xac, 0x34, + 0xab, 0x5f, 0x1a, 0x01, 0xe4, 0x15, 0x1a, 0xd1, 0xbf, 0xc9, 0x95, 0x0a, + 0xac, 0x1d, 0xe7, 0x53, 0x59, 0x8d, 0xc3, 0x21, 0x78, 0x5e, 0x12, 0x97, + 0x8f, 0x4e, 0x1d, 0xf9, 0xe5, 0xe2, 0xc2, 0xc4, 0xba, 0xfb, 0x50, 0x96, + 0x5b, 0x43, 0xe8, 0xf7, 0x0d, 0x1b, 0x64, 0x58, 0xbe, 0xd3, 0x95, 0x7f, + 0x8e, 0xf1, 0x85, 0x35, 0xba, 0x25, 0x55, 0x2e, 0x02, 0x46, 0x5c, 0xad, + 0x1f, 0xc5, 0x03, 0xcc, 0xd0, 0x43, 0x4c, 0xf2, 0x5e, 0x64, 0x0a, 0x89, + 0xd9, 0xfd, 0x23, 0x7d, 0x4f, 0xbe, 0x2f, 0x0f, 0x1e, 0x12, 0x4a, 0xd9, + 0xf8, 0x82, 0xde, 0x8f, 0x4f, 0x98, 0xb9, 0x90, 0xf6, 0xfa, 0xd1, 0x11, + 0xa6, 0xdc, 0x7e, 0x32, 0x48, 0x6a, 0x8a, 0x14, 0x5e, 0x73, 0xb9, 0x6c, + 0x0e, 0xc2, 0xf9, 0xcc, 0xf0, 0x32, 0xc8, 0xb5, 0x56, 0xaa, 0x5d, 0xd2, + 0x07, 0xf1, 0x6f, 0x33, 0x6f, 0x05, 0x70, 0x49, 0x60, 0x49, 0x23, 0x23, + 0x14, 0x0e, 0x4c, 0x58, 0x92, 0xad, 0xa9, 0x50, 0xb1, 0x59, 0x43, 0x96, + 0x7b, 0xc1, 0x51, 0x45, 0xef, 0x0d, 0xef, 0xd1, 0xe4, 0xd0, 0xce, 0xdf, + 0x6a, 0xbc, 0x1b, 0xbf, 0x7a, 0x87, 0x4e, 0x47, 0x17, 0x9c, 0x34, 0x38, + 0xb0, 0x3c, 0xa1, 0x04, 0xfb, 0xe2, 0x66, 0xce, 0xb6, 0x82, 0xbb, 0xad, + 0xc3, 0x8e, 0x12, 0x35, 0xbc, 0x17, 0xce, 0x01, 0x2d, 0xa3, 0xa6, 0xb9, + 0xfa, 0x84, 0xc2, 0x2f, 0x5a, 0x4a, 0x8c, 0x4c, 0x11, 0x4e, 0xa8, 0x14, + 0xcb, 0xb8, 0x99, 0xaa, 0x2e, 0x8c, 0xa0, 0xc9, 0x5f, 0x62, 0x2a, 0x84, + 0x66, 0x60, 0x0a, 0x7e, 0xdc, 0x93, 0x17, 0x45, 0x19, 0xb3, 0x93, 0x4c, + 0xdc, 0xd0, 0xd5, 0x5c, 0x25, 0xd2, 0xcd, 0x4e, 0x84, 0x4c, 0x73, 0xb3, + 0x90, 0xa4, 0x22, 0x05, 0x2c, 0x7c, 0x39, 0x2b, 0x70, 0xd9, 0x61, 0x76, + 0xb2, 0x03, 0x71, 0xe9, 0x0e, 0xf8, 0x57, 0x85, 0xad, 0xb1, 0x2f, 0x34, + 0xa5, 0x66, 0xb0, 0x0f, 0x75, 0x94, 0x6e, 0x26, 0x79, 0x99, 0xb4, 0xe2, + 0xe2, 0xa3, 0x58, 0xdd, 0xb4, 0xfb, 0x74, 0xf4, 0xa1, 0xca, 0xc3, 0x30, + 0xe7, 0x86, 0xb2, 0xa2, 0x2c, 0x11, 0xc9, 0x58, 0xe3, 0xc1, 0xa6, 0x5f, + 0x86, 0x6a, 0xe7, 0x75, 0xd5, 0xd8, 0x63, 0x95, 0x64, 0x59, 0xbc, 0xb8, + 0xb7, 0xf5, 0x12, 0xe3, 0x03, 0xc6, 0x17, 0xea, 0x4e, 0xcb, 0xee, 0x4c, + 0xae, 0x03, 0xd1, 0x33, 0xd0, 0x39, 0x36, 0x00, 0x0f, 0xf4, 0x9c, 0xbd, + 0x35, 0x96, 0xfd, 0x0d, 0x26, 0xb7, 0x9e, 0xf4, 0x4b, 0x6f, 0x4b, 0xf1, + 0xec, 0x11, 0x00, 0x16, 0x21, 0x1e, 0xd4, 0x43, 0x23, 0x8c, 0x4a, 0xfa, + 0x9e, 0xd4, 0x2b, 0x36, 0x9a, 0x43, 0x1e, 0x58, 0x31, 0xe8, 0x1f, 0x83, + 0x15, 0x20, 0x31, 0x68, 0xfe, 0x27, 0xd3, 0xd8, 0x9b, 0x43, 0x81, 0x8f, + 0x57, 0x32, 0x14, 0xe6, 0x9e, 0xbf, 0xd1, 0xfb, 0xdf, 0xad, 0x7a, 0x52, +}; + +/* left_shift_3 sets |n| to |n|*8, where |n| is represented in little-endian + * order. */ +static void left_shift_3(uint8_t n[32]) { + uint8_t carry = 0; + unsigned i; + + for (i = 0; i < 32; i++) { + const uint8_t next_carry = n[i] >> 5; + n[i] = (n[i] << 3) | carry; + carry = next_carry; + } +} + +static krb5_error_code +builtin_edwards25519_keygen(krb5_context context, groupdata *gdata, + const uint8_t *wbytes, krb5_boolean use_m, + uint8_t *priv_out, uint8_t *pub_out) +{ + uint8_t private[64]; + krb5_data data = make_data(private, 32); + krb5_error_code ret; + + /* Pick x or y uniformly from [0, p*h) divisible by h. */ + ret = krb5_c_random_make_octets(context, &data); + if (ret) + return ret; + memset(private + 32, 0, 32); + x25519_sc_reduce(private); + left_shift_3(private); + + /* Compute X=x*G or Y=y*G. */ + ge_p3 P; + x25519_ge_scalarmult_base(&P, private); + + /* Compute w mod p. */ + uint8_t wreduced[64]; + memcpy(wreduced, wbytes, 32); + memset(wreduced + 32, 0, 32); + x25519_sc_reduce(wreduced); + + /* Compute the mask, w*M or w*N. */ + ge_p3 mask; + x25519_ge_scalarmult_small_precomp(&mask, wreduced, + use_m ? kSpakeMSmallPrecomp : + kSpakeNSmallPrecomp); + + /* Compute the masked point T=w*M+X or S=w*N+Y. */ + ge_cached mask_cached; + x25519_ge_p3_to_cached(&mask_cached, &mask); + ge_p1p1 Pmasked; + x25519_ge_add(&Pmasked, &P, &mask_cached); + + /* Encode T or S into pub_out. */ + ge_p2 Pmasked_proj; + x25519_ge_p1p1_to_p2(&Pmasked_proj, &Pmasked); + x25519_ge_tobytes(pub_out, &Pmasked_proj); + + /* Remember the private key in priv_out. */ + memcpy(priv_out, private, 32); + return 0; +} + +static krb5_error_code +builtin_edwards25519_result(krb5_context context, groupdata *gdata, + const uint8_t *wbytes, const uint8_t *ourpriv, + const uint8_t *theirpub, krb5_boolean use_m, + uint8_t *elem_out) +{ + /* + * Check if the point received from peer is on the curve. This does not + * verify that it is in the generator subgroup, but since our private key is + * a multiple of the cofactor, the shared point will be in the generator + * subgroup even if a rogue peer sends a point which is not. + */ + ge_p3 Qmasked; + if (x25519_ge_frombytes_vartime(&Qmasked, theirpub) != 0) + return EINVAL; + + /* Compute w mod p. */ + uint8_t wreduced[64]; + memcpy(wreduced, wbytes, 32); + memset(wreduced + 32, 0, 32); + x25519_sc_reduce(wreduced); + + /* Compute the peer's mask, w*M or w*N. */ + ge_p3 peers_mask; + x25519_ge_scalarmult_small_precomp(&peers_mask, wreduced, + use_m ? kSpakeMSmallPrecomp : + kSpakeNSmallPrecomp); + + ge_cached peers_mask_cached; + x25519_ge_p3_to_cached(&peers_mask_cached, &peers_mask); + + /* Compute the peer's unmasked point, T-w*M or S-w*N. */ + ge_p1p1 Qcompl; + ge_p3 Qunmasked; + x25519_ge_sub(&Qcompl, &Qmasked, &peers_mask_cached); + x25519_ge_p1p1_to_p3(&Qunmasked, &Qcompl); + + /* Multiply by our private value to compute K=x*(S-w*N) or K=y*(T-w*M). */ + ge_p2 K; + x25519_ge_scalarmult(&K, ourpriv, &Qunmasked); + + /* Encode K into elem_out. */ + x25519_ge_tobytes(elem_out, &K); + return 0; +} + +static krb5_error_code +builtin_sha256(krb5_context context, groupdata *gdata, const krb5_data *dlist, + size_t ndata, uint8_t *result_out) +{ + return k5_sha256(dlist, ndata, result_out); +} + +groupdef builtin_edwards25519 = { + .reg = &spake_iana_edwards25519, + .keygen = builtin_edwards25519_keygen, + .result = builtin_edwards25519_result, + .hash = builtin_sha256 +}; diff --git a/src/plugins/preauth/spake/edwards25519_tables.h b/src/plugins/preauth/spake/edwards25519_tables.h new file mode 100644 index 0000000..c6c5013 --- /dev/null +++ b/src/plugins/preauth/spake/edwards25519_tables.h @@ -0,0 +1,7881 @@ +/* -*- mode: c; c-basic-offset: 2; indent-tabs-mode: nil -*- */ +/* + * The MIT License (MIT) + * + * Copyright (c) 2015-2016 the fiat-crypto authors (see the AUTHORS file). + * + * Permission is hereby granted, free of charge, to any person obtaining a copy + * of this software and associated documentation files (the "Software"), to deal + * in the Software without restriction, including without limitation the rights + * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell + * copies of the Software, and to permit persons to whom the Software is + * furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, + * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE + * SOFTWARE. + */ + +/* From BoringSSL third-party/fiat/curve25519_tables.h */ + +static const fe d = {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 929955233495203, 466365720129213, 1662059464998953, 2033849074728123, + 1442794654840575 +#else + 56195235, 13857412, 51736253, 6949390, 114729, 24766616, 60832955, 30306712, + 48412415, 21499315 +#endif +}}; + +static const fe sqrtm1 = {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1718705420411056, 234908883556509, 2233514472574048, 2117202627021982, + 765476049583133 +#else + 34513072, 25610706, 9377949, 3500415, 12389472, 33281959, 41962654, + 31548777, 326685, 11406482 +#endif +}}; + +static const fe d2 = {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1859910466990425, 932731440258426, 1072319116312658, 1815898335770999, + 633789495995903 +#else + 45281625, 27714825, 36363642, 13898781, 229458, 15978800, 54557047, + 27058993, 29715967, 9444199 +#endif +}}; + +#if defined(CONFIG_SMALL) + +// This block of code replaces the standard base-point table with a much smaller +// one. The standard table is 30,720 bytes while this one is just 960. +// +// This table contains 15 pairs of group elements, (x, y), where each field +// element is serialised with |fe_tobytes|. If |i| is the index of the group +// element then consider i+1 as a four-bit number: (i₀, i₁, i₂, i₃) (where i₀ +// is the most significant bit). The value of the group element is then: +// (i₀×2^192 + i₁×2^128 + i₂×2^64 + i₃)G, where G is the generator. +static const uint8_t k25519SmallPrecomp[15 * 2 * 32] = { + 0x1a, 0xd5, 0x25, 0x8f, 0x60, 0x2d, 0x56, 0xc9, 0xb2, 0xa7, 0x25, 0x95, + 0x60, 0xc7, 0x2c, 0x69, 0x5c, 0xdc, 0xd6, 0xfd, 0x31, 0xe2, 0xa4, 0xc0, + 0xfe, 0x53, 0x6e, 0xcd, 0xd3, 0x36, 0x69, 0x21, 0x58, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, + 0x66, 0x66, 0x66, 0x66, 0x02, 0xa2, 0xed, 0xf4, 0x8f, 0x6b, 0x0b, 0x3e, + 0xeb, 0x35, 0x1a, 0xd5, 0x7e, 0xdb, 0x78, 0x00, 0x96, 0x8a, 0xa0, 0xb4, + 0xcf, 0x60, 0x4b, 0xd4, 0xd5, 0xf9, 0x2d, 0xbf, 0x88, 0xbd, 0x22, 0x62, + 0x13, 0x53, 0xe4, 0x82, 0x57, 0xfa, 0x1e, 0x8f, 0x06, 0x2b, 0x90, 0xba, + 0x08, 0xb6, 0x10, 0x54, 0x4f, 0x7c, 0x1b, 0x26, 0xed, 0xda, 0x6b, 0xdd, + 0x25, 0xd0, 0x4e, 0xea, 0x42, 0xbb, 0x25, 0x03, 0xa2, 0xfb, 0xcc, 0x61, + 0x67, 0x06, 0x70, 0x1a, 0xc4, 0x78, 0x3a, 0xff, 0x32, 0x62, 0xdd, 0x2c, + 0xab, 0x50, 0x19, 0x3b, 0xf2, 0x9b, 0x7d, 0xb8, 0xfd, 0x4f, 0x29, 0x9c, + 0xa7, 0x91, 0xba, 0x0e, 0x46, 0x5e, 0x51, 0xfe, 0x1d, 0xbf, 0xe5, 0xe5, + 0x9b, 0x95, 0x0d, 0x67, 0xf8, 0xd1, 0xb5, 0x5a, 0xa1, 0x93, 0x2c, 0xc3, + 0xde, 0x0e, 0x97, 0x85, 0x2d, 0x7f, 0xea, 0xab, 0x3e, 0x47, 0x30, 0x18, + 0x24, 0xe8, 0xb7, 0x60, 0xae, 0x47, 0x80, 0xfc, 0xe5, 0x23, 0xe7, 0xc2, + 0xc9, 0x85, 0xe6, 0x98, 0xa0, 0x29, 0x4e, 0xe1, 0x84, 0x39, 0x2d, 0x95, + 0x2c, 0xf3, 0x45, 0x3c, 0xff, 0xaf, 0x27, 0x4c, 0x6b, 0xa6, 0xf5, 0x4b, + 0x11, 0xbd, 0xba, 0x5b, 0x9e, 0xc4, 0xa4, 0x51, 0x1e, 0xbe, 0xd0, 0x90, + 0x3a, 0x9c, 0xc2, 0x26, 0xb6, 0x1e, 0xf1, 0x95, 0x7d, 0xc8, 0x6d, 0x52, + 0xe6, 0x99, 0x2c, 0x5f, 0x9a, 0x96, 0x0c, 0x68, 0x29, 0xfd, 0xe2, 0xfb, + 0xe6, 0xbc, 0xec, 0x31, 0x08, 0xec, 0xe6, 0xb0, 0x53, 0x60, 0xc3, 0x8c, + 0xbe, 0xc1, 0xb3, 0x8a, 0x8f, 0xe4, 0x88, 0x2b, 0x55, 0xe5, 0x64, 0x6e, + 0x9b, 0xd0, 0xaf, 0x7b, 0x64, 0x2a, 0x35, 0x25, 0x10, 0x52, 0xc5, 0x9e, + 0x58, 0x11, 0x39, 0x36, 0x45, 0x51, 0xb8, 0x39, 0x93, 0xfc, 0x9d, 0x6a, + 0xbe, 0x58, 0xcb, 0xa4, 0x0f, 0x51, 0x3c, 0x38, 0x05, 0xca, 0xab, 0x43, + 0x63, 0x0e, 0xf3, 0x8b, 0x41, 0xa6, 0xf8, 0x9b, 0x53, 0x70, 0x80, 0x53, + 0x86, 0x5e, 0x8f, 0xe3, 0xc3, 0x0d, 0x18, 0xc8, 0x4b, 0x34, 0x1f, 0xd8, + 0x1d, 0xbc, 0xf2, 0x6d, 0x34, 0x3a, 0xbe, 0xdf, 0xd9, 0xf6, 0xf3, 0x89, + 0xa1, 0xe1, 0x94, 0x9f, 0x5d, 0x4c, 0x5d, 0xe9, 0xa1, 0x49, 0x92, 0xef, + 0x0e, 0x53, 0x81, 0x89, 0x58, 0x87, 0xa6, 0x37, 0xf1, 0xdd, 0x62, 0x60, + 0x63, 0x5a, 0x9d, 0x1b, 0x8c, 0xc6, 0x7d, 0x52, 0xea, 0x70, 0x09, 0x6a, + 0xe1, 0x32, 0xf3, 0x73, 0x21, 0x1f, 0x07, 0x7b, 0x7c, 0x9b, 0x49, 0xd8, + 0xc0, 0xf3, 0x25, 0x72, 0x6f, 0x9d, 0xed, 0x31, 0x67, 0x36, 0x36, 0x54, + 0x40, 0x92, 0x71, 0xe6, 0x11, 0x28, 0x11, 0xad, 0x93, 0x32, 0x85, 0x7b, + 0x3e, 0xb7, 0x3b, 0x49, 0x13, 0x1c, 0x07, 0xb0, 0x2e, 0x93, 0xaa, 0xfd, + 0xfd, 0x28, 0x47, 0x3d, 0x8d, 0xd2, 0xda, 0xc7, 0x44, 0xd6, 0x7a, 0xdb, + 0x26, 0x7d, 0x1d, 0xb8, 0xe1, 0xde, 0x9d, 0x7a, 0x7d, 0x17, 0x7e, 0x1c, + 0x37, 0x04, 0x8d, 0x2d, 0x7c, 0x5e, 0x18, 0x38, 0x1e, 0xaf, 0xc7, 0x1b, + 0x33, 0x48, 0x31, 0x00, 0x59, 0xf6, 0xf2, 0xca, 0x0f, 0x27, 0x1b, 0x63, + 0x12, 0x7e, 0x02, 0x1d, 0x49, 0xc0, 0x5d, 0x79, 0x87, 0xef, 0x5e, 0x7a, + 0x2f, 0x1f, 0x66, 0x55, 0xd8, 0x09, 0xd9, 0x61, 0x38, 0x68, 0xb0, 0x07, + 0xa3, 0xfc, 0xcc, 0x85, 0x10, 0x7f, 0x4c, 0x65, 0x65, 0xb3, 0xfa, 0xfa, + 0xa5, 0x53, 0x6f, 0xdb, 0x74, 0x4c, 0x56, 0x46, 0x03, 0xe2, 0xd5, 0x7a, + 0x29, 0x1c, 0xc6, 0x02, 0xbc, 0x59, 0xf2, 0x04, 0x75, 0x63, 0xc0, 0x84, + 0x2f, 0x60, 0x1c, 0x67, 0x76, 0xfd, 0x63, 0x86, 0xf3, 0xfa, 0xbf, 0xdc, + 0xd2, 0x2d, 0x90, 0x91, 0xbd, 0x33, 0xa9, 0xe5, 0x66, 0x0c, 0xda, 0x42, + 0x27, 0xca, 0xf4, 0x66, 0xc2, 0xec, 0x92, 0x14, 0x57, 0x06, 0x63, 0xd0, + 0x4d, 0x15, 0x06, 0xeb, 0x69, 0x58, 0x4f, 0x77, 0xc5, 0x8b, 0xc7, 0xf0, + 0x8e, 0xed, 0x64, 0xa0, 0xb3, 0x3c, 0x66, 0x71, 0xc6, 0x2d, 0xda, 0x0a, + 0x0d, 0xfe, 0x70, 0x27, 0x64, 0xf8, 0x27, 0xfa, 0xf6, 0x5f, 0x30, 0xa5, + 0x0d, 0x6c, 0xda, 0xf2, 0x62, 0x5e, 0x78, 0x47, 0xd3, 0x66, 0x00, 0x1c, + 0xfd, 0x56, 0x1f, 0x5d, 0x3f, 0x6f, 0xf4, 0x4c, 0xd8, 0xfd, 0x0e, 0x27, + 0xc9, 0x5c, 0x2b, 0xbc, 0xc0, 0xa4, 0xe7, 0x23, 0x29, 0x02, 0x9f, 0x31, + 0xd6, 0xe9, 0xd7, 0x96, 0xf4, 0xe0, 0x5e, 0x0b, 0x0e, 0x13, 0xee, 0x3c, + 0x09, 0xed, 0xf2, 0x3d, 0x76, 0x91, 0xc3, 0xa4, 0x97, 0xae, 0xd4, 0x87, + 0xd0, 0x5d, 0xf6, 0x18, 0x47, 0x1f, 0x1d, 0x67, 0xf2, 0xcf, 0x63, 0xa0, + 0x91, 0x27, 0xf8, 0x93, 0x45, 0x75, 0x23, 0x3f, 0xd1, 0xf1, 0xad, 0x23, + 0xdd, 0x64, 0x93, 0x96, 0x41, 0x70, 0x7f, 0xf7, 0xf5, 0xa9, 0x89, 0xa2, + 0x34, 0xb0, 0x8d, 0x1b, 0xae, 0x19, 0x15, 0x49, 0x58, 0x23, 0x6d, 0x87, + 0x15, 0x4f, 0x81, 0x76, 0xfb, 0x23, 0xb5, 0xea, 0xcf, 0xac, 0x54, 0x8d, + 0x4e, 0x42, 0x2f, 0xeb, 0x0f, 0x63, 0xdb, 0x68, 0x37, 0xa8, 0xcf, 0x8b, + 0xab, 0xf5, 0xa4, 0x6e, 0x96, 0x2a, 0xb2, 0xd6, 0xbe, 0x9e, 0xbd, 0x0d, + 0xb4, 0x42, 0xa9, 0xcf, 0x01, 0x83, 0x8a, 0x17, 0x47, 0x76, 0xc4, 0xc6, + 0x83, 0x04, 0x95, 0x0b, 0xfc, 0x11, 0xc9, 0x62, 0xb8, 0x0c, 0x76, 0x84, + 0xd9, 0xb9, 0x37, 0xfa, 0xfc, 0x7c, 0xc2, 0x6d, 0x58, 0x3e, 0xb3, 0x04, + 0xbb, 0x8c, 0x8f, 0x48, 0xbc, 0x91, 0x27, 0xcc, 0xf9, 0xb7, 0x22, 0x19, + 0x83, 0x2e, 0x09, 0xb5, 0x72, 0xd9, 0x54, 0x1c, 0x4d, 0xa1, 0xea, 0x0b, + 0xf1, 0xc6, 0x08, 0x72, 0x46, 0x87, 0x7a, 0x6e, 0x80, 0x56, 0x0a, 0x8a, + 0xc0, 0xdd, 0x11, 0x6b, 0xd6, 0xdd, 0x47, 0xdf, 0x10, 0xd9, 0xd8, 0xea, + 0x7c, 0xb0, 0x8f, 0x03, 0x00, 0x2e, 0xc1, 0x8f, 0x44, 0xa8, 0xd3, 0x30, + 0x06, 0x89, 0xa2, 0xf9, 0x34, 0xad, 0xdc, 0x03, 0x85, 0xed, 0x51, 0xa7, + 0x82, 0x9c, 0xe7, 0x5d, 0x52, 0x93, 0x0c, 0x32, 0x9a, 0x5b, 0xe1, 0xaa, + 0xca, 0xb8, 0x02, 0x6d, 0x3a, 0xd4, 0xb1, 0x3a, 0xf0, 0x5f, 0xbe, 0xb5, + 0x0d, 0x10, 0x6b, 0x38, 0x32, 0xac, 0x76, 0x80, 0xbd, 0xca, 0x94, 0x71, + 0x7a, 0xf2, 0xc9, 0x35, 0x2a, 0xde, 0x9f, 0x42, 0x49, 0x18, 0x01, 0xab, + 0xbc, 0xef, 0x7c, 0x64, 0x3f, 0x58, 0x3d, 0x92, 0x59, 0xdb, 0x13, 0xdb, + 0x58, 0x6e, 0x0a, 0xe0, 0xb7, 0x91, 0x4a, 0x08, 0x20, 0xd6, 0x2e, 0x3c, + 0x45, 0xc9, 0x8b, 0x17, 0x79, 0xe7, 0xc7, 0x90, 0x99, 0x3a, 0x18, 0x25, +}; + +#else + +// k25519Precomp[i][j] = (j+1)*256^i*B +static const ge_precomp k25519Precomp[32][8] = { + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1288382639258501, 245678601348599, 269427782077623, + 1462984067271730, 137412439391563 +#else + 25967493, 19198397, 29566455, 3660896, 54414519, 4014786, + 27544626, 21800161, 61029707, 2047604 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 62697248952638, 204681361388450, 631292143396476, + 338455783676468, 1213667448819585 +#else + 54563134, 934261, 64385954, 3049989, 66381436, 9406985, + 12720692, 5043384, 19500929, 18085054 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 301289933810280, 1259582250014073, 1422107436869536, + 796239922652654, 1953934009299142 +#else + 58370664, 4489569, 9688441, 18769238, 10184608, 21191052, + 29287918, 11864899, 42594502, 29115885 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1380971894829527, 790832306631236, 2067202295274102, + 1995808275510000, 1566530869037010 +#else + 54292951, 20578084, 45527620, 11784319, 41753206, 30803714, + 55390960, 29739860, 66750418, 23343128 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 463307831301544, 432984605774163, 1610641361907204, + 750899048855000, 1894842303421586 +#else + 45405608, 6903824, 27185491, 6451973, 37531140, 24000426, + 51492312, 11189267, 40279186, 28235350 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 748439484463711, 1033211726465151, 1396005112841647, + 1611506220286469, 1972177495910992 +#else + 26966623, 11152617, 32442495, 15396054, 14353839, 20802097, + 63980037, 24013313, 51636816, 29387734 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1601611775252272, 1720807796594148, 1132070835939856, + 1260455018889551, 2147779492816911 +#else + 15636272, 23865875, 24204772, 25642034, 616976, 16869170, + 27787599, 18782243, 28944399, 32004408 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 316559037616741, 2177824224946892, 1459442586438991, + 1461528397712656, 751590696113597 +#else + 16568933, 4717097, 55552716, 32452109, 15682895, 21747389, + 16354576, 21778470, 7689661, 11199574 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1850748884277385, 1200145853858453, 1068094770532492, + 672251375690438, 1586055907191707 +#else + 30464137, 27578307, 55329429, 17883566, 23220364, 15915852, + 7512774, 10017326, 49359771, 23634074 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 934282339813791, 1846903124198670, 1172395437954843, + 1007037127761661, 1830588347719256 +#else + 50071967, 13921891, 10945806, 27521001, 27105051, 17470053, + 38182653, 15006022, 3284568, 27277892 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1694390458783935, 1735906047636159, 705069562067493, + 648033061693059, 696214010414170 +#else + 23599295, 25248385, 55915199, 25867015, 13236773, 10506355, + 7464579, 9656445, 13059162, 10374397 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1121406372216585, 192876649532226, 190294192191717, + 1994165897297032, 2245000007398739 +#else + 7798537, 16710257, 3033922, 2874086, 28997861, 2835604, + 32406664, 29715387, 66467155, 33453106 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 769950342298419, 132954430919746, 844085933195555, + 974092374476333, 726076285546016 +#else + 10861363, 11473154, 27284546, 1981175, 37044515, 12577860, + 32867885, 14515107, 51670560, 10819379 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 425251763115706, 608463272472562, 442562545713235, + 837766094556764, 374555092627893 +#else + 4708026, 6336745, 20377586, 9066809, 55836755, 6594695, + 41455196, 12483687, 54440373, 5581305 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1086255230780037, 274979815921559, 1960002765731872, + 929474102396301, 1190409889297339 +#else + 19563141, 16186464, 37722007, 4097518, 10237984, 29206317, + 28542349, 13850243, 43430843, 17738489 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1388594989461809, 316767091099457, 394298842192982, + 1230079486801005, 1440737038838979 +#else + 51736881, 20691677, 32573249, 4720197, 40672342, 5875510, + 47920237, 18329612, 57289923, 21468654 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 7380825640100, 146210432690483, 304903576448906, + 1198869323871120, 997689833219095 +#else + 58559652, 109982, 15149363, 2178705, 22900618, 4543417, 3044240, + 17864545, 1762327, 14866737 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1181317918772081, 114573476638901, 262805072233344, + 265712217171332, 294181933805782 +#else + 48909169, 17603008, 56635573, 1707277, 49922944, 3916100, + 38872452, 3959420, 27914454, 4383652 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 665000864555967, 2065379846933859, 370231110385876, + 350988370788628, 1233371373142985 +#else + 5153727, 9909285, 1723747, 30776558, 30523604, 5516873, + 19480852, 5230134, 43156425, 18378665 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2019367628972465, 676711900706637, 110710997811333, + 1108646842542025, 517791959672113 +#else + 36839857, 30090922, 7665485, 10083793, 28475525, 1649722, + 20654025, 16520125, 30598449, 7715701 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 965130719900578, 247011430587952, 526356006571389, + 91986625355052, 2157223321444601 +#else + 28881826, 14381568, 9657904, 3680757, 46927229, 7843315, + 35708204, 1370707, 29794553, 32145132 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2068619540119183, 1966274918058806, 957728544705549, + 729906502578991, 159834893065166 +#else + 14499471, 30824833, 33917750, 29299779, 28494861, 14271267, + 30290735, 10876454, 33954766, 2381725 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2073601412052185, 31021124762708, 264500969797082, + 248034690651703, 1030252227928288 +#else + 59913433, 30899068, 52378708, 462250, 39384538, 3941371, + 60872247, 3696004, 34808032, 15351954 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 551790716293402, 1989538725166328, 801169423371717, + 2052451893578887, 678432056995012 +#else + 27431194, 8222322, 16448760, 29646437, 48401861, 11938354, + 34147463, 30583916, 29551812, 10109425 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1368953770187805, 790347636712921, 437508475667162, + 2142576377050580, 1932081720066286 +#else + 53451805, 20399000, 35825113, 11777097, 21447386, 6519384, + 64730580, 31926875, 10092782, 28790261 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 953638594433374, 1092333936795051, 1419774766716690, + 805677984380077, 859228993502513 +#else + 27939166, 14210322, 4677035, 16277044, 44144402, 21156292, + 34600109, 12005537, 49298737, 12803509 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1200766035879111, 20142053207432, 1465634435977050, + 1645256912097844, 295121984874596 +#else + 17228999, 17892808, 65875336, 300139, 65883994, 21839654, + 30364212, 24516238, 18016356, 4397660 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1735718747031557, 1248237894295956, 1204753118328107, + 976066523550493, 65943769534592 +#else + 56150021, 25864224, 4776340, 18600194, 27850027, 17952220, + 40489757, 14544524, 49631360, 982638 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1060098822528990, 1586825862073490, 212301317240126, + 1975302711403555, 666724059764335 +#else + 29253598, 15796703, 64244882, 23645547, 10057022, 3163536, + 7332899, 29434304, 46061167, 9934962 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1091990273418756, 1572899409348578, 80968014455247, + 306009358661350, 1520450739132526 +#else + 5793284, 16271923, 42977250, 23438027, 29188559, 1206517, + 52360934, 4559894, 36984942, 22656481 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1480517209436112, 1511153322193952, 1244343858991172, + 304788150493241, 369136856496443 +#else + 39464912, 22061425, 16282656, 22517939, 28414020, 18542168, + 24191033, 4541697, 53770555, 5500567 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2151330273626164, 762045184746182, 1688074332551515, + 823046109005759, 907602769079491 +#else + 12650548, 32057319, 9052870, 11355358, 49428827, 25154267, + 49678271, 12264342, 10874051, 13524335 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2047386910586836, 168470092900250, 1552838872594810, + 340951180073789, 360819374702533 +#else + 25556948, 30508442, 714650, 2510400, 23394682, 23139102, + 33119037, 5080568, 44580805, 5376627 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1982622644432056, 2014393600336956, 128909208804214, + 1617792623929191, 105294281913815 +#else + 41020600, 29543379, 50095164, 30016803, 60382070, 1920896, + 44787559, 24106988, 4535767, 1569007 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 980234343912898, 1712256739246056, 588935272190264, + 204298813091998, 841798321043288 +#else + 64853442, 14606629, 45416424, 25514613, 28430648, 8775819, + 36614302, 3044289, 31848280, 12543772 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 197561292938973, 454817274782871, 1963754960082318, + 2113372252160468, 971377527342673 +#else + 45080285, 2943892, 35251351, 6777305, 13784462, 29262229, + 39731668, 31491700, 7718481, 14474653 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 164699448829328, 3127451757672, 1199504971548753, + 1766155447043652, 1899238924683527 +#else + 2385296, 2454213, 44477544, 46602, 62670929, 17874016, 656964, + 26317767, 24316167, 28300865 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 732262946680281, 1674412764227063, 2182456405662809, + 1350894754474250, 558458873295247 +#else + 13741529, 10911568, 33875447, 24950694, 46931033, 32521134, + 33040650, 20129900, 46379407, 8321685 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2103305098582922, 1960809151316468, 715134605001343, + 1454892949167181, 40827143824949 +#else + 21060490, 31341688, 15712756, 29218333, 1639039, 10656336, + 23845965, 21679594, 57124405, 608371 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1239289043050212, 1744654158124578, 758702410031698, + 1796762995074688, 1603056663766 +#else + 53436132, 18466845, 56219170, 25997372, 61071954, 11305546, + 1123968, 26773855, 27229398, 23887 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2232056027107988, 987343914584615, 2115594492994461, + 1819598072792159, 1119305654014850 +#else + 43864724, 33260226, 55364135, 14712570, 37643165, 31524814, + 12797023, 27114124, 65475458, 16678953 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 320153677847348, 939613871605645, 641883205761567, + 1930009789398224, 329165806634126 +#else + 37608244, 4770661, 51054477, 14001337, 7830047, 9564805, + 65600720, 28759386, 49939598, 4904952 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 980930490474130, 1242488692177893, 1251446316964684, + 1086618677993530, 1961430968465772 +#else + 24059538, 14617003, 19037157, 18514524, 19766092, 18648003, + 5169210, 16191880, 2128236, 29227599 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 276821765317453, 1536835591188030, 1305212741412361, + 61473904210175, 2051377036983058 +#else + 50127693, 4124965, 58568254, 22900634, 30336521, 19449185, + 37302527, 916032, 60226322, 30567899 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 833449923882501, 1750270368490475, 1123347002068295, + 185477424765687, 278090826653186 +#else + 44477957, 12419371, 59974635, 26081060, 50629959, 16739174, + 285431, 2763829, 15736322, 4143876 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 794524995833413, 1849907304548286, 53348672473145, + 1272368559505217, 1147304168324779 +#else + 2379333, 11839345, 62998462, 27565766, 11274297, 794957, 212801, + 18959769, 23527083, 17096164 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1504846112759364, 1203096289004681, 562139421471418, + 274333017451844, 1284344053775441 +#else + 33431108, 22423954, 49269897, 17927531, 8909498, 8376530, + 34483524, 4087880, 51919953, 19138217 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 483048732424432, 2116063063343382, 30120189902313, + 292451576741007, 1156379271702225 +#else + 1767664, 7197987, 53903638, 31531796, 54017513, 448825, 5799055, + 4357868, 62334673, 17231393 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 928372153029038, 2147692869914564, 1455665844462196, + 1986737809425946, 185207050258089 +#else + 6721966, 13833823, 43585476, 32003117, 26354292, 21691111, + 23365146, 29604700, 7390889, 2759800 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 137732961814206, 706670923917341, 1387038086865771, + 1965643813686352, 1384777115696347 +#else + 4409022, 2052381, 23373853, 10530217, 7676779, 20668478, + 21302352, 29290375, 1244379, 20634787 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 481144981981577, 2053319313589856, 2065402289827512, + 617954271490316, 1106602634668125 +#else + 62687625, 7169618, 4982368, 30596842, 30256824, 30776892, + 14086412, 9208236, 15886429, 16489664 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 696298019648792, 893299659040895, 1148636718636009, + 26734077349617, 2203955659340681 +#else + 1996056, 10375649, 14346367, 13311202, 60234729, 17116020, + 53415665, 398368, 36502409, 32841498 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 657390353372855, 998499966885562, 991893336905797, + 810470207106761, 343139804608786 +#else + 41801399, 9795879, 64331450, 14878808, 33577029, 14780362, + 13348553, 12076947, 36272402, 5113181 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 791736669492960, 934767652997115, 824656780392914, + 1759463253018643, 361530362383518 +#else + 49338080, 11797795, 31950843, 13929123, 41220562, 12288343, + 36767763, 26218045, 13847710, 5387222 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2022541353055597, 2094700262587466, 1551008075025686, + 242785517418164, 695985404963562 +#else + 48526701, 30138214, 17824842, 31213466, 22744342, 23111821, + 8763060, 3617786, 47508202, 10370990 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1287487199965223, 2215311941380308, 1552928390931986, + 1664859529680196, 1125004975265243 +#else + 20246567, 19185054, 22358228, 33010720, 18507282, 23140436, + 14554436, 24808340, 32232923, 16763880 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 677434665154918, 989582503122485, 1817429540898386, + 1052904935475344, 1143826298169798 +#else + 9648486, 10094563, 26416693, 14745928, 36734546, 27081810, + 11094160, 15689506, 3140038, 17044340 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 367266328308408, 318431188922404, 695629353755355, + 634085657580832, 24581612564426 +#else + 50948792, 5472694, 31895588, 4744994, 8823515, 10365685, + 39884064, 9448612, 38334410, 366294 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 773360688841258, 1815381330538070, 363773437667376, + 539629987070205, 783280434248437 +#else + 19153450, 11523972, 56012374, 27051289, 42461232, 5420646, + 28344573, 8041113, 719605, 11671788 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 180820816194166, 168937968377394, 748416242794470, + 1227281252254508, 1567587861004268 +#else + 8678006, 2694440, 60300850, 2517371, 4964326, 11152271, + 51675948, 18287915, 27000812, 23358879 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 478775558583645, 2062896624554807, 699391259285399, + 358099408427873, 1277310261461761 +#else + 51950941, 7134311, 8639287, 30739555, 59873175, 10421741, + 564065, 5336097, 6750977, 19033406 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1984740906540026, 1079164179400229, 1056021349262661, + 1659958556483663, 1088529069025527 +#else + 11836410, 29574944, 26297893, 16080799, 23455045, 15735944, + 1695823, 24735310, 8169719, 16220347 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 580736401511151, 1842931091388998, 1177201471228238, + 2075460256527244, 1301133425678027 +#else + 48993007, 8653646, 17578566, 27461813, 59083086, 17541668, + 55964556, 30926767, 61118155, 19388398 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1515728832059182, 1575261009617579, 1510246567196186, + 191078022609704, 116661716289141 +#else + 43800366, 22586119, 15213227, 23473218, 36255258, 22504427, + 27884328, 2847284, 2655861, 1738395 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1295295738269652, 1714742313707026, 545583042462581, + 2034411676262552, 1513248090013606 +#else + 39571412, 19301410, 41772562, 25551651, 57738101, 8129820, + 21651608, 30315096, 48021414, 22549153 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 230710545179830, 30821514358353, 760704303452229, + 390668103790604, 573437871383156 +#else + 1533110, 3437855, 23735889, 459276, 29970501, 11335377, + 26030092, 5821408, 10478196, 8544890 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1169380107545646, 263167233745614, 2022901299054448, + 819900753251120, 2023898464874585 +#else + 32173102, 17425121, 24896206, 3921497, 22579056, 30143578, + 19270448, 12217473, 17789017, 30158437 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2102254323485823, 1570832666216754, 34696906544624, + 1993213739807337, 70638552271463 +#else + 36555903, 31326030, 51530034, 23407230, 13243888, 517024, + 15479401, 29701199, 30460519, 1052596 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 894132856735058, 548675863558441, 845349339503395, + 1942269668326667, 1615682209874691 +#else + 55493970, 13323617, 32618793, 8175907, 51878691, 12596686, + 27491595, 28942073, 3179267, 24075541 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1287670217537834, 1222355136884920, 1846481788678694, + 1150426571265110, 1613523400722047 +#else + 31947050, 19187781, 62468280, 18214510, 51982886, 27514722, + 52352086, 17142691, 19072639, 24043372 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 793388516527298, 1315457083650035, 1972286999342417, + 1901825953052455, 338269477222410 +#else + 11685058, 11822410, 3158003, 19601838, 33402193, 29389366, + 5977895, 28339415, 473098, 5040608 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 550201530671806, 778605267108140, 2063911101902983, + 115500557286349, 2041641272971022 +#else + 46817982, 8198641, 39698732, 11602122, 1290375, 30754672, + 28326861, 1721092, 47550222, 30422825 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 717255318455100, 519313764361315, 2080406977303708, + 541981206705521, 774328150311600 +#else + 7881532, 10687937, 7578723, 7738378, 48157852, 31000479, + 21820785, 8076149, 39240368, 11538388 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 261715221532238, 1795354330069993, 1496878026850283, + 499739720521052, 389031152673770 +#else + 47173198, 3899860, 18283497, 26752864, 51380203, 22305220, + 8754524, 7446702, 61432810, 5797015 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1997217696294013, 1717306351628065, 1684313917746180, + 1644426076011410, 1857378133465451 +#else + 55813245, 29760862, 51326753, 25589858, 12708868, 25098233, + 2014098, 24503858, 64739691, 27677090 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1475434724792648, 76931896285979, 1116729029771667, + 2002544139318042, 725547833803938 +#else + 44636488, 21985690, 39426843, 1146374, 18956691, 16640559, + 1192730, 29840233, 15123618, 10811505 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2022306639183567, 726296063571875, 315345054448644, + 1058733329149221, 1448201136060677 +#else + 14352079, 30134717, 48166819, 10822654, 32750596, 4699007, + 67038501, 15776355, 38222085, 21579878 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1710065158525665, 1895094923036397, 123988286168546, + 1145519900776355, 1607510767693874 +#else + 38867681, 25481956, 62129901, 28239114, 29416930, 1847569, + 46454691, 17069576, 4714546, 23953777 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 561605375422540, 1071733543815037, 131496498800990, + 1946868434569999, 828138133964203 +#else + 15200332, 8368572, 19679101, 15970074, 35236190, 1959450, + 24611599, 29010600, 55362987, 12340219 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1548495173745801, 442310529226540, 998072547000384, + 553054358385281, 644824326376171 +#else + 12876937, 23074376, 33134380, 6590940, 60801088, 14872439, + 9613953, 8241152, 15370987, 9608631 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1445526537029440, 2225519789662536, 914628859347385, + 1064754194555068, 1660295614401091 +#else + 62965568, 21540023, 8446280, 33162829, 4407737, 13629032, + 59383996, 15866073, 38898243, 24740332 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1199690223111956, 24028135822341, 66638289244341, + 57626156285975, 565093967979607 +#else + 26660628, 17876777, 8393733, 358047, 59707573, 992987, 43204631, + 858696, 20571223, 8420556 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 876926774220824, 554618976488214, 1012056309841565, + 839961821554611, 1414499340307677 +#else + 14620696, 13067227, 51661590, 8264466, 14106269, 15080814, + 33531827, 12516406, 45534429, 21077682 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 703047626104145, 1266841406201770, 165556500219173, + 486991595001879, 1011325891650656 +#else + 236881, 10476226, 57258, 18877408, 6472997, 2466984, 17258519, + 7256740, 8791136, 15069930 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1622861044480487, 1156394801573634, 1869132565415504, + 327103985777730, 2095342781472284 +#else + 1276391, 24182514, 22949634, 17231625, 43615824, 27852245, + 14711874, 4874229, 36445724, 31223040 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 334886927423922, 489511099221528, 129160865966726, + 1720809113143481, 619700195649254 +#else + 5855666, 4990204, 53397016, 7294283, 59304582, 1924646, + 65685689, 25642053, 34039526, 9234252 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1646545795166119, 1758370782583567, 714746174550637, + 1472693650165135, 898994790308209 +#else + 20590503, 24535444, 31529743, 26201766, 64402029, 10650547, + 31559055, 21944845, 18979185, 13396066 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 333403773039279, 295772542452938, 1693106465353610, + 912330357530760, 471235657950362 +#else + 24474287, 4968103, 22267082, 4407354, 24063882, 25229252, + 48291976, 13594781, 33514650, 7021958 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1811196219982022, 1068969825533602, 289602974833439, + 1988956043611592, 863562343398367 +#else + 55541958, 26988926, 45743778, 15928891, 40950559, 4315420, + 41160136, 29637754, 45628383, 12868081 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 906282429780072, 2108672665779781, 432396390473936, + 150625823801893, 1708930497638539 +#else + 38473832, 13504660, 19988037, 31421671, 21078224, 6443208, + 45662757, 2244499, 54653067, 25465048 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 925664675702328, 21416848568684, 1831436641861340, + 601157008940113, 371818055044496 +#else + 36513336, 13793478, 61256044, 319135, 41385692, 27290532, + 33086545, 8957937, 51875216, 5540520 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1479786007267725, 1738881859066675, 68646196476567, + 2146507056100328, 1247662817535471 +#else + 55478669, 22050529, 58989363, 25911358, 2620055, 1022908, + 43398120, 31985447, 50980335, 18591624 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 52035296774456, 939969390708103, 312023458773250, + 59873523517659, 1231345905848899 +#else + 23152952, 775386, 27395463, 14006635, 57407746, 4649511, + 1689819, 892185, 55595587, 18348483 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 643355106415761, 290186807495774, 2013561737429023, + 319648069511546, 393736678496162 +#else + 9770129, 9586738, 26496094, 4324120, 1556511, 30004408, + 27453818, 4763127, 47929250, 5867133 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 129358342392716, 1932811617704777, 1176749390799681, + 398040349861790, 1170779668090425 +#else + 34343820, 1927589, 31726409, 28801137, 23962433, 17534932, + 27846558, 5931263, 37359161, 17445976 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2051980782668029, 121859921510665, 2048329875753063, + 1235229850149665, 519062146124755 +#else + 27461885, 30576896, 22380809, 1815854, 44075111, 30522493, + 7283489, 18406359, 47582163, 7734628 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1608170971973096, 415809060360428, 1350468408164766, + 2038620059057678, 1026904485989112 +#else + 59098600, 23963614, 55988460, 6196037, 29344158, 20123547, + 7585294, 30377806, 18549496, 15302069 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1837656083115103, 1510134048812070, 906263674192061, + 1821064197805734, 565375124676301 +#else + 34450527, 27383209, 59436070, 22502750, 6258877, 13504381, + 10458790, 27135971, 58236621, 8424745 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 578027192365650, 2034800251375322, 2128954087207123, + 478816193810521, 2196171989962750 +#else + 24687186, 8613276, 36441818, 30320886, 1863891, 31723888, + 19206233, 7134917, 55824382, 32725512 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1633188840273139, 852787172373708, 1548762607215796, + 1266275218902681, 1107218203325133 +#else + 11334899, 24336410, 8025292, 12707519, 17523892, 23078361, + 10243737, 18868971, 62042829, 16498836 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 462189358480054, 1784816734159228, 1611334301651368, + 1303938263943540, 707589560319424 +#else + 8911542, 6887158, 57524604, 26595841, 11145640, 24010752, + 17303924, 19430194, 6536640, 10543906 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1038829280972848, 38176604650029, 753193246598573, + 1136076426528122, 595709990562434 +#else + 38162480, 15479762, 49642029, 568875, 65611181, 11223453, + 64439674, 16928857, 39873154, 8876770 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1408451820859834, 2194984964010833, 2198361797561729, + 1061962440055713, 1645147963442934 +#else + 41365946, 20987567, 51458897, 32707824, 34082177, 32758143, + 33627041, 15824473, 66504438, 24514614 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 4701053362120, 1647641066302348, 1047553002242085, + 1923635013395977, 206970314902065 +#else + 10330056, 70051, 7957388, 24551765, 9764901, 15609756, 27698697, + 28664395, 1657393, 3084098 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1750479161778571, 1362553355169293, 1891721260220598, + 966109370862782, 1024913988299801 +#else + 10477963, 26084172, 12119565, 20303627, 29016246, 28188843, + 31280318, 14396151, 36875289, 15272408 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 212699049131723, 1117950018299775, 1873945661751056, + 1403802921984058, 130896082652698 +#else + 54820555, 3169462, 28813183, 16658753, 25116432, 27923966, + 41934906, 20918293, 42094106, 1950503 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 636808533673210, 1262201711667560, 390951380330599, + 1663420692697294, 561951321757406 +#else + 40928506, 9489186, 11053416, 18808271, 36055143, 5825629, + 58724558, 24786899, 15341278, 8373727 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 520731594438141, 1446301499955692, 273753264629267, + 1565101517999256, 1019411827004672 +#else + 28685821, 7759505, 52730348, 21551571, 35137043, 4079241, + 298136, 23321830, 64230656, 15190419 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 926527492029409, 1191853477411379, 734233225181171, + 184038887541270, 1790426146325343 +#else + 34175969, 13806335, 52771379, 17760000, 43104243, 10940927, + 8669718, 2742393, 41075551, 26679428 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1464651961852572, 1483737295721717, 1519450561335517, + 1161429831763785, 405914998179977 +#else + 65528476, 21825014, 41129205, 22109408, 49696989, 22641577, + 9291593, 17306653, 54954121, 6048604 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 996126634382301, 796204125879525, 127517800546509, + 344155944689303, 615279846169038 +#else + 36803549, 14843443, 1539301, 11864366, 20201677, 1900163, + 13934231, 5128323, 11213262, 9168384 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 738724080975276, 2188666632415296, 1961313708559162, + 1506545807547587, 1151301638969740 +#else + 40828332, 11007846, 19408960, 32613674, 48515898, 29225851, + 62020803, 22449281, 20470156, 17155731 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 622917337413835, 1218989177089035, 1284857712846592, + 970502061709359, 351025208117090 +#else + 43972811, 9282191, 14855179, 18164354, 59746048, 19145871, + 44324911, 14461607, 14042978, 5230683 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2067814584765580, 1677855129927492, 2086109782475197, + 235286517313238, 1416314046739645 +#else + 29969548, 30812838, 50396996, 25001989, 9175485, 31085458, + 21556950, 3506042, 61174973, 21104723 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 586844262630358, 307444381952195, 458399356043426, + 602068024507062, 1028548203415243 +#else + 63964118, 8744660, 19704003, 4581278, 46678178, 6830682, + 45824694, 8971512, 38569675, 15326562 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 678489922928203, 2016657584724032, 90977383049628, + 1026831907234582, 615271492942522 +#else + 47644235, 10110287, 49846336, 30050539, 43608476, 1355668, + 51585814, 15300987, 46594746, 9168259 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 301225714012278, 1094837270268560, 1202288391010439, + 644352775178361, 1647055902137983 +#else + 61755510, 4488612, 43305616, 16314346, 7780487, 17915493, + 38160505, 9601604, 33087103, 24543045 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1210746697896478, 1416608304244708, 686487477217856, + 1245131191434135, 1051238336855737 +#else + 47665694, 18041531, 46311396, 21109108, 37284416, 10229460, + 39664535, 18553900, 61111993, 15664671 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1135604073198207, 1683322080485474, 769147804376683, + 2086688130589414, 900445683120379 +#else + 23294591, 16921819, 44458082, 25083453, 27844203, 11461195, + 13099750, 31094076, 18151675, 13417686 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1971518477615628, 401909519527336, 448627091057375, + 1409486868273821, 1214789035034363 +#else + 42385932, 29377914, 35958184, 5988918, 40250079, 6685064, + 1661597, 21002991, 15271675, 18101767 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1364039144731711, 1897497433586190, 2203097701135459, + 145461396811251, 1349844460790699 +#else + 11433023, 20325767, 8239630, 28274915, 65123427, 32828713, + 48410099, 2167543, 60187563, 20114249 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1045230323257973, 818206601145807, 630513189076103, + 1672046528998132, 807204017562437 +#else + 35672693, 15575145, 30436815, 12192228, 44645511, 9395378, + 57191156, 24915434, 12215109, 12028277 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 439961968385997, 386362664488986, 1382706320807688, + 309894000125359, 2207801346498567 +#else + 14098381, 6555944, 23007258, 5757252, 51681032, 20603929, + 30123439, 4617780, 50208775, 32898803 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1229004686397588, 920643968530863, 123975893911178, + 681423993215777, 1400559197080973 +#else + 63082644, 18313596, 11893167, 13718664, 52299402, 1847384, + 51288865, 10154008, 23973261, 20869958 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2003766096898049, 170074059235165, 1141124258967971, + 1485419893480973, 1573762821028725 +#else + 40577025, 29858441, 65199965, 2534300, 35238307, 17004076, + 18341389, 22134481, 32013173, 23450893 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 729905708611432, 1270323270673202, 123353058984288, + 426460209632942, 2195574535456672 +#else + 41629544, 10876442, 55337778, 18929291, 54739296, 1838103, + 21911214, 6354752, 4425632, 32716610 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1271140255321235, 2044363183174497, 52125387634689, + 1445120246694705, 942541986339084 +#else + 56675475, 18941465, 22229857, 30463385, 53917697, 776728, + 49693489, 21533969, 4725004, 14044970 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1761608437466135, 583360847526804, 1586706389685493, + 2157056599579261, 1170692369685772 +#else + 19268631, 26250011, 1555348, 8692754, 45634805, 23643767, + 6347389, 32142648, 47586572, 17444675 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 871476219910823, 1878769545097794, 2241832391238412, + 548957640601001, 690047440233174 +#else + 42244775, 12986007, 56209986, 27995847, 55796492, 33405905, + 19541417, 8180106, 9282262, 10282508 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 297194732135507, 1366347803776820, 1301185512245601, + 561849853336294, 1533554921345731 +#else + 40903763, 4428546, 58447668, 20360168, 4098401, 19389175, + 15522534, 8372215, 5542595, 22851749 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 999628998628371, 1132836708493400, 2084741674517453, + 469343353015612, 678782988708035 +#else + 56546323, 14895632, 26814552, 16880582, 49628109, 31065071, + 64326972, 6993760, 49014979, 10114654 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2189427607417022, 699801937082607, 412764402319267, + 1478091893643349, 2244675696854460 +#else + 47001790, 32625013, 31422703, 10427861, 59998115, 6150668, + 38017109, 22025285, 25953724, 33448274 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1712292055966563, 204413590624874, 1405738637332841, + 408981300829763, 861082219276721 +#else + 62874467, 25515139, 57989738, 3045999, 2101609, 20947138, + 19390019, 6094296, 63793585, 12831124 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 508561155940631, 966928475686665, 2236717801150132, + 424543858577297, 2089272956986143 +#else + 51110167, 7578151, 5310217, 14408357, 33560244, 33329692, + 31575953, 6326196, 7381791, 31132593 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 221245220129925, 1156020201681217, 491145634799213, + 542422431960839, 828100817819207 +#else + 46206085, 3296810, 24736065, 17226043, 18374253, 7318640, + 6295303, 8082724, 51746375, 12339663 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 153756971240384, 1299874139923977, 393099165260502, + 1058234455773022, 996989038681183 +#else + 27724736, 2291157, 6088201, 19369634, 1792726, 5857634, + 13848414, 15768922, 25091167, 14856294 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 559086812798481, 573177704212711, 1629737083816402, + 1399819713462595, 1646954378266038 +#else + 48242193, 8331042, 24373479, 8541013, 66406866, 24284974, + 12927299, 20858939, 44926390, 24541532 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1887963056288059, 228507035730124, 1468368348640282, + 930557653420194, 613513962454686 +#else + 55685435, 28132841, 11632844, 3405020, 30536730, 21880393, + 39848098, 13866389, 30146206, 9142070 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1224529808187553, 1577022856702685, 2206946542980843, + 625883007765001, 279930793512158 +#else + 3924129, 18246916, 53291741, 23499471, 12291819, 32886066, + 39406089, 9326383, 58871006, 4171293 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1076287717051609, 1114455570543035, 187297059715481, + 250446884292121, 1885187512550540 +#else + 51186905, 16037936, 6713787, 16606682, 45496729, 2790943, + 26396185, 3731949, 345228, 28091483 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 902497362940219, 76749815795675, 1657927525633846, + 1420238379745202, 1340321636548352 +#else + 45781307, 13448258, 25284571, 1143661, 20614966, 24705045, + 2031538, 21163201, 50855680, 19972348 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1129576631190784, 1281994010027327, 996844254743018, + 257876363489249, 1150850742055018 +#else + 31016192, 16832003, 26371391, 19103199, 62081514, 14854136, + 17477601, 3842657, 28012650, 17149012 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 628740660038789, 1943038498527841, 467786347793886, + 1093341428303375, 235413859513003 +#else + 62033029, 9368965, 58546785, 28953529, 51858910, 6970559, + 57918991, 16292056, 58241707, 3507939 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 237425418909360, 469614029179605, 1512389769174935, + 1241726368345357, 441602891065214 +#else + 29439664, 3537914, 23333589, 6997794, 49553303, 22536363, + 51899661, 18503164, 57943934, 6580395 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1736417953058555, 726531315520508, 1833335034432527, + 1629442561574747, 624418919286085 +#else + 54923003, 25874643, 16438268, 10826160, 58412047, 27318820, + 17860443, 24280586, 65013061, 9304566 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1960754663920689, 497040957888962, 1909832851283095, + 1271432136996826, 2219780368020940 +#else + 20714545, 29217521, 29088194, 7406487, 11426967, 28458727, + 14792666, 18945815, 5289420, 33077305 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1537037379417136, 1358865369268262, 2130838645654099, + 828733687040705, 1999987652890901 +#else + 50443312, 22903641, 60948518, 20248671, 9192019, 31751970, + 17271489, 12349094, 26939669, 29802138 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 629042105241814, 1098854999137608, 887281544569320, + 1423102019874777, 7911258951561 +#else + 54218966, 9373457, 31595848, 16374215, 21471720, 13221525, + 39825369, 21205872, 63410057, 117886 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1811562332665373, 1501882019007673, 2213763501088999, + 359573079719636, 36370565049116 +#else + 22263325, 26994382, 3984569, 22379786, 51994855, 32987646, + 28311252, 5358056, 43789084, 541963 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 218907117361280, 1209298913016966, 1944312619096112, + 1130690631451061, 1342327389191701 +#else + 16259200, 3261970, 2309254, 18019958, 50223152, 28972515, + 24134069, 16848603, 53771797, 20002236 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1369976867854704, 1396479602419169, 1765656654398856, + 2203659200586299, 998327836117241 +#else + 9378160, 20414246, 44262881, 20809167, 28198280, 26310334, + 64709179, 32837080, 690425, 14876244 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2230701885562825, 1348173180338974, 2172856128624598, + 1426538746123771, 444193481326151 +#else + 24977353, 33240048, 58884894, 20089345, 28432342, 32378079, + 54040059, 21257083, 44727879, 6618998 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 784210426627951, 918204562375674, 1284546780452985, + 1324534636134684, 1872449409642708 +#else + 65570671, 11685645, 12944378, 13682314, 42719353, 19141238, + 8044828, 19737104, 32239828, 27901670 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 319638829540294, 596282656808406, 2037902696412608, + 1557219121643918, 341938082688094 +#else + 48505798, 4762989, 66182614, 8885303, 38696384, 30367116, + 9781646, 23204373, 32779358, 5095274 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1901860206695915, 2004489122065736, 1625847061568236, + 973529743399879, 2075287685312905 +#else + 34100715, 28339925, 34843976, 29869215, 9460460, 24227009, + 42507207, 14506723, 21639561, 30924196 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1371853944110545, 1042332820512553, 1949855697918254, + 1791195775521505, 37487364849293 +#else + 50707921, 20442216, 25239337, 15531969, 3987758, 29055114, + 65819361, 26690896, 17874573, 558605 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 687200189577855, 1082536651125675, 644224940871546, + 340923196057951, 343581346747396 +#else + 53508735, 10240080, 9171883, 16131053, 46239610, 9599699, + 33499487, 5080151, 2085892, 5119761 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2082717129583892, 27829425539422, 145655066671970, + 1690527209845512, 1865260509673478 +#else + 44903700, 31034903, 50727262, 414690, 42089314, 2170429, + 30634760, 25190818, 35108870, 27794547 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1059729620568824, 2163709103470266, 1440302280256872, + 1769143160546397, 869830310425069 +#else + 60263160, 15791201, 8550074, 32241778, 29928808, 21462176, + 27534429, 26362287, 44757485, 12961481 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1609516219779025, 777277757338817, 2101121130363987, + 550762194946473, 1905542338659364 +#else + 42616785, 23983660, 10368193, 11582341, 43711571, 31309144, + 16533929, 8206996, 36914212, 28394793 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2024821921041576, 426948675450149, 595133284085473, + 471860860885970, 600321679413000 +#else + 55987368, 30172197, 2307365, 6362031, 66973409, 8868176, + 50273234, 7031274, 7589640, 8945490 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 598474602406721, 1468128276358244, 1191923149557635, + 1501376424093216, 1281662691293476 +#else + 34956097, 8917966, 6661220, 21876816, 65916803, 17761038, + 7251488, 22372252, 24099108, 19098262 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1721138489890707, 1264336102277790, 433064545421287, + 1359988423149466, 1561871293409447 +#else + 5019539, 25646962, 4244126, 18840076, 40175591, 6453164, + 47990682, 20265406, 60876967, 23273695 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 719520245587143, 393380711632345, 132350400863381, + 1543271270810729, 1819543295798660 +#else + 10853575, 10721687, 26480089, 5861829, 44113045, 1972174, + 65242217, 22996533, 63745412, 27113307 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 396397949784152, 1811354474471839, 1362679985304303, + 2117033964846756, 498041172552279 +#else + 50106456, 5906789, 221599, 26991285, 7828207, 20305514, + 24362660, 31546264, 53242455, 7421391 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1812471844975748, 1856491995543149, 126579494584102, + 1036244859282620, 1975108050082550 +#else + 8139908, 27007935, 32257645, 27663886, 30375718, 1886181, + 45933756, 15441251, 28826358, 29431403 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 650623932407995, 1137551288410575, 2125223403615539, + 1725658013221271, 2134892965117796 +#else + 6267067, 9695052, 7709135, 16950835, 34239795, 31668296, + 14795159, 25714308, 13746020, 31812384 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 522584000310195, 1241762481390450, 1743702789495384, + 2227404127826575, 1686746002148897 +#else + 28584883, 7787108, 60375922, 18503702, 22846040, 25983196, + 63926927, 33190907, 4771361, 25134474 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 427904865186312, 1703211129693455, 1585368107547509, + 1436984488744336, 761188534613978 +#else + 24949256, 6376279, 39642383, 25379823, 48462709, 23623825, + 33543568, 21412737, 3569626, 11342593 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 318101947455002, 248138407995851, 1481904195303927, + 309278454311197, 1258516760217879 +#else + 26514970, 4740088, 27912651, 3697550, 19331575, 22082093, + 6809885, 4608608, 7325975, 18753361 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1275068538599310, 513726919533379, 349926553492294, + 688428871968420, 1702400196000666 +#else + 55490446, 19000001, 42787651, 7655127, 65739590, 5214311, + 39708324, 10258389, 49462170, 25367739 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1061864036265233, 961611260325381, 321859632700838, + 1045600629959517, 1985130202504038 +#else + 11431185, 15823007, 26570245, 14329124, 18029990, 4796082, + 35662685, 15580663, 9280358, 29580745 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1558816436882417, 1962896332636523, 1337709822062152, + 1501413830776938, 294436165831932 +#else + 66948081, 23228174, 44253547, 29249434, 46247496, 19933429, + 34297962, 22372809, 51563772, 4387440 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 818359826554971, 1862173000996177, 626821592884859, + 573655738872376, 1749691246745455 +#else + 46309467, 12194511, 3937617, 27748540, 39954043, 9340369, + 42594872, 8548136, 20617071, 26072431 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1988022651432119, 1082111498586040, 1834020786104821, + 1454826876423687, 692929915223122 +#else + 66170039, 29623845, 58394552, 16124717, 24603125, 27329039, + 53333511, 21678609, 24345682, 10325460 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2146513703733331, 584788900394667, 464965657279958, + 2183973639356127, 238371159456790 +#else + 47253587, 31985546, 44906155, 8714033, 14007766, 6928528, + 16318175, 32543743, 4766742, 3552007 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1129007025494441, 2197883144413266, 265142755578169, + 971864464758890, 1983715884903702 +#else + 45357481, 16823515, 1351762, 32751011, 63099193, 3950934, + 3217514, 14481909, 10988822, 29559670 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1291366624493075, 381456718189114, 1711482489312444, + 1815233647702022, 892279782992467 +#else + 15564307, 19242862, 3101242, 5684148, 30446780, 25503076, + 12677126, 27049089, 58813011, 13296004 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 444548969917454, 1452286453853356, 2113731441506810, + 645188273895859, 810317625309512 +#else + 57666574, 6624295, 36809900, 21640754, 62437882, 31497052, + 31521203, 9614054, 37108040, 12074673 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2242724082797924, 1373354730327868, 1006520110883049, + 2147330369940688, 1151816104883620 +#else + 4771172, 33419193, 14290748, 20464580, 27992297, 14998318, + 65694928, 31997715, 29832612, 17163397 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1745720200383796, 1911723143175317, 2056329390702074, + 355227174309849, 879232794371100 +#else + 7064884, 26013258, 47946901, 28486894, 48217594, 30641695, + 25825241, 5293297, 39986204, 13101589 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 163723479936298, 115424889803150, 1156016391581227, + 1894942220753364, 1970549419986329 +#else + 64810282, 2439669, 59642254, 1719964, 39841323, 17225986, + 32512468, 28236839, 36752793, 29363474 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 681981452362484, 267208874112496, 1374683991933094, + 638600984916117, 646178654558546 +#else + 37102324, 10162315, 33928688, 3981722, 50626726, 20484387, + 14413973, 9515896, 19568978, 9628812 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 13378654854251, 106237307029567, 1944412051589651, + 1841976767925457, 230702819835573 +#else + 33053803, 199357, 15894591, 1583059, 27380243, 28973997, + 49269969, 27447592, 60817077, 3437739 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 260683893467075, 854060306077237, 913639551980112, + 4704576840123, 280254810808712 +#else + 48129987, 3884492, 19469877, 12726490, 15913552, 13614290, + 44147131, 70103, 7463304, 4176122 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 715374893080287, 1173334812210491, 1806524662079626, + 1894596008000979, 398905715033393 +#else + 39984863, 10659916, 11482427, 17484051, 12771466, 26919315, + 34389459, 28231680, 24216881, 5944158 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 500026409727661, 1596431288195371, 1420380351989370, + 985211561521489, 392444930785633 +#else + 8894125, 7450974, 64444715, 23788679, 39028346, 21165316, + 19345745, 14680796, 11632993, 5847885 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2096421546958141, 1922523000950363, 789831022876840, + 427295144688779, 320923973161730 +#else + 26942781, 31239115, 9129563, 28647825, 26024104, 11769399, + 55590027, 6367193, 57381634, 4782139 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1927770723575450, 1485792977512719, 1850996108474547, + 551696031508956, 2126047405475647 +#else + 19916442, 28726022, 44198159, 22140040, 25606323, 27581991, + 33253852, 8220911, 6358847, 31680575 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2112099158080148, 742570803909715, 6484558077432, + 1951119898618916, 93090382703416 +#else + 801428, 31472730, 16569427, 11065167, 29875704, 96627, 7908388, + 29073952, 53570360, 1387154 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 383905201636970, 859946997631870, 855623867637644, + 1017125780577795, 794250831877809 +#else + 19646058, 5720633, 55692158, 12814208, 11607948, 12749789, + 14147075, 15156355, 45242033, 11835259 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 77571826285752, 999304298101753, 487841111777762, + 1038031143212339, 339066367948762 +#else + 19299512, 1155910, 28703737, 14890794, 2925026, 7269399, + 26121523, 15467869, 40548314, 5052482 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 674994775520533, 266035846330789, 826951213393478, + 1405007746162285, 1781791018620876 +#else + 64091413, 10058205, 1980837, 3964243, 22160966, 12322533, + 60677741, 20936246, 12228556, 26550755 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1001412661522686, 348196197067298, 1666614366723946, + 888424995032760, 580747687801357 +#else + 32944382, 14922211, 44263970, 5188527, 21913450, 24834489, + 4001464, 13238564, 60994061, 8653814 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1939560076207777, 1409892634407635, 552574736069277, + 383854338280405, 190706709864139 +#else + 22865569, 28901697, 27603667, 21009037, 14348957, 8234005, + 24808405, 5719875, 28483275, 2841751 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2177087163428741, 1439255351721944, 1208070840382793, + 2230616362004769, 1396886392021913 +#else + 50687877, 32441126, 66781144, 21446575, 21886281, 18001658, + 65220897, 33238773, 19932057, 20815229 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 676962063230039, 1880275537148808, 2046721011602706, + 888463247083003, 1318301552024067 +#else + 55452759, 10087520, 58243976, 28018288, 47830290, 30498519, + 3999227, 13239134, 62331395, 19644223 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1466980508178206, 617045217998949, 652303580573628, + 757303753529064, 207583137376902 +#else + 1382174, 21859713, 17266789, 9194690, 53784508, 9720080, + 20403944, 11284705, 53095046, 3093229 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1511056752906902, 105403126891277, 493434892772846, + 1091943425335976, 1802717338077427 +#else + 16650902, 22516500, 66044685, 1570628, 58779118, 7352752, + 66806440, 16271224, 43059443, 26862581 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1853982405405128, 1878664056251147, 1528011020803992, + 1019626468153565, 1128438412189035 +#else + 45197768, 27626490, 62497547, 27994275, 35364760, 22769138, + 24123613, 15193618, 45456747, 16815042 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1963939888391106, 293456433791664, 697897559513649, + 985882796904380, 796244541237972 +#else + 57172930, 29264984, 41829040, 4372841, 2087473, 10399484, + 31870908, 14690798, 17361620, 11864968 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 416770998629779, 389655552427054, 1314476859406756, + 1749382513022778, 1161905598739491 +#else + 55801235, 6210371, 13206574, 5806320, 38091172, 19587231, + 54777658, 26067830, 41530403, 17313742 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1428358296490651, 1027115282420478, 304840698058337, + 441410174026628, 1819358356278573 +#else + 14668443, 21284197, 26039038, 15305210, 25515617, 4542480, + 10453892, 6577524, 9145645, 27110552 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 204943430200135, 1554861433819175, 216426658514651, + 264149070665950, 2047097371738319 +#else + 5974855, 3053895, 57675815, 23169240, 35243739, 3225008, + 59136222, 3936127, 61456591, 30504127 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1934415182909034, 1393285083565062, 516409331772960, + 1157690734993892, 121039666594268 +#else + 30625386, 28825032, 41552902, 20761565, 46624288, 7695098, + 17097188, 17250936, 39109084, 1803631 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 662035583584445, 286736105093098, 1131773000510616, + 818494214211439, 472943792054479 +#else + 63555773, 9865098, 61880298, 4272700, 61435032, 16864731, + 14911343, 12196514, 45703375, 7047411 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 665784778135882, 1893179629898606, 808313193813106, + 276797254706413, 1563426179676396 +#else + 20093258, 9920966, 55970670, 28210574, 13161586, 12044805, + 34252013, 4124600, 34765036, 23296865 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 945205108984232, 526277562959295, 1324180513733566, + 1666970227868664, 153547609289173 +#else + 46320040, 14084653, 53577151, 7842146, 19119038, 19731827, + 4752376, 24839792, 45429205, 2288037 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2031433403516252, 203996615228162, 170487168837083, + 981513604791390, 843573964916831 +#else + 40289628, 30270716, 29965058, 3039786, 52635099, 2540456, + 29457502, 14625692, 42289247, 12570231 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1476570093962618, 838514669399805, 1857930577281364, + 2017007352225784, 317085545220047 +#else + 66045306, 22002608, 16920317, 12494842, 1278292, 27685323, + 45948920, 30055751, 55134159, 4724942 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1461557121912842, 1600674043318359, 2157134900399597, + 1670641601940616, 127765583803283 +#else + 17960970, 21778898, 62967895, 23851901, 58232301, 32143814, + 54201480, 24894499, 37532563, 1903855 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1293543509393474, 2143624609202546, 1058361566797508, + 214097127393994, 946888515472729 +#else + 23134274, 19275300, 56426866, 31942495, 20684484, 15770816, + 54119114, 3190295, 26955097, 14109738 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 357067959932916, 1290876214345711, 521245575443703, + 1494975468601005, 800942377643885 +#else + 15308788, 5320727, 36995055, 19235554, 22902007, 7767164, + 29425325, 22276870, 31960941, 11934971 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 566116659100033, 820247422481740, 994464017954148, + 327157611686365, 92591318111744 +#else + 39713153, 8435795, 4109644, 12222639, 42480996, 14818668, + 20638173, 4875028, 10491392, 1379718 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 617256647603209, 1652107761099439, 1857213046645471, + 1085597175214970, 817432759830522 +#else + 53949449, 9197840, 3875503, 24618324, 65725151, 27674630, + 33518458, 16176658, 21432314, 12180697 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 771808161440705, 1323510426395069, 680497615846440, + 851580615547985, 1320806384849017 +#else + 55321537, 11500837, 13787581, 19721842, 44678184, 10140204, + 1465425, 12689540, 56807545, 19681548 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1219260086131915, 647169006596815, 79601124759706, + 2161724213426748, 404861897060198 +#else + 5414091, 18168391, 46101199, 9643569, 12834970, 1186149, + 64485948, 32212200, 26128230, 6032912 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1327968293887866, 1335500852943256, 1401587164534264, + 558137311952440, 1551360549268902 +#else + 40771450, 19788269, 32496024, 19900513, 17847800, 20885276, + 3604024, 8316894, 41233830, 23117073 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 417621685193956, 1429953819744454, 396157358457099, + 1940470778873255, 214000046234152 +#else + 3296484, 6223048, 24680646, 21307972, 44056843, 5903204, + 58246567, 28915267, 12376616, 3188849 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1268047918491973, 2172375426948536, 1533916099229249, + 1761293575457130, 1590622667026765 +#else + 29190469, 18895386, 27549112, 32370916, 3520065, 22857131, + 32049514, 26245319, 50999629, 23702124 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1627072914981959, 2211603081280073, 1912369601616504, + 1191770436221309, 2187309757525860 +#else + 52364359, 24245275, 735817, 32955454, 46701176, 28496527, + 25246077, 17758763, 18640740, 32593455 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1149147819689533, 378692712667677, 828475842424202, + 2218619146419342, 70688125792186 +#else + 60180029, 17123636, 10361373, 5642961, 4910474, 12345252, + 35470478, 33060001, 10530746, 1053335 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1299739417079761, 1438616663452759, 1536729078504412, + 2053896748919838, 1008421032591246 +#else + 37842897, 19367626, 53570647, 21437058, 47651804, 22899047, + 35646494, 30605446, 24018830, 15026644 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2040723824657366, 399555637875075, 632543375452995, + 872649937008051, 1235394727030233 +#else + 44516310, 30409154, 64819587, 5953842, 53668675, 9425630, + 25310643, 13003497, 64794073, 18408815 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2211311599327900, 2139787259888175, 938706616835350, + 12609661139114, 2081897930719789 +#else + 39688860, 32951110, 59064879, 31885314, 41016598, 13987818, + 39811242, 187898, 43942445, 31022696 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1324994503390450, 336982330582631, 1183998925654177, + 1091654665913274, 48727673971319 +#else + 45364466, 19743956, 1844839, 5021428, 56674465, 17642958, + 9716666, 16266922, 62038647, 726098 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1845522914617879, 1222198248335542, 150841072760134, + 1927029069940982, 1189913404498011 +#else + 29370903, 27500434, 7334070, 18212173, 9385286, 2247707, + 53446902, 28714970, 30007387, 17731091 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1079559557592645, 2215338383666441, 1903569501302605, + 49033973033940, 305703433934152 +#else + 66172485, 16086690, 23751945, 33011114, 65941325, 28365395, + 9137108, 730663, 9835848, 4555336 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 94653405416909, 1386121349852999, 1062130477891762, + 36553947479274, 833669648948846 +#else + 43732429, 1410445, 44855111, 20654817, 30867634, 15826977, + 17693930, 544696, 55123566, 12422645 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1432015813136298, 440364795295369, 1395647062821501, + 1976874522764578, 934452372723352 +#else + 31117226, 21338698, 53606025, 6561946, 57231997, 20796761, + 61990178, 29457725, 29120152, 13924425 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1296625309219774, 2068273464883862, 1858621048097805, + 1492281814208508, 2235868981918946 +#else + 49707966, 19321222, 19675798, 30819676, 56101901, 27695611, + 57724924, 22236731, 7240930, 33317044 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1490330266465570, 1858795661361448, 1436241134969763, + 294573218899647, 1208140011028933 +#else + 35747106, 22207651, 52101416, 27698213, 44655523, 21401660, + 1222335, 4389483, 3293637, 18002689 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1282462923712748, 741885683986255, 2027754642827561, + 518989529541027, 1826610009555945 +#else + 50424044, 19110186, 11038543, 11054958, 53307689, 30215898, + 42789283, 7733546, 12796905, 27218610 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1525827120027511, 723686461809551, 1597702369236987, + 244802101764964, 1502833890372311 +#else + 58349431, 22736595, 41689999, 10783768, 36493307, 23807620, + 38855524, 3647835, 3222231, 22393970 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 113622036244513, 1233740067745854, 674109952278496, + 2114345180342965, 166764512856263 +#else + 18606113, 1693100, 41660478, 18384159, 4112352, 10045021, + 23603893, 31506198, 59558087, 2484984 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2041668749310338, 2184405322203901, 1633400637611036, + 2110682505536899, 2048144390084644 +#else + 9255298, 30423235, 54952701, 32550175, 13098012, 24339566, + 16377219, 31451620, 47306788, 30519729 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 503058759232932, 760293024620937, 2027152777219493, + 666858468148475, 1539184379870952 +#else + 44379556, 7496159, 61366665, 11329248, 19991973, 30206930, + 35390715, 9936965, 37011176, 22935634 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1916168475367211, 915626432541343, 883217071712575, + 363427871374304, 1976029821251593 +#else + 21878571, 28553135, 4338335, 13643897, 64071999, 13160959, + 19708896, 5415497, 59748361, 29445138 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 678039535434506, 570587290189340, 1605302676614120, + 2147762562875701, 1706063797091704 +#else + 27736842, 10103576, 12500508, 8502413, 63695848, 23920873, + 10436917, 32004156, 43449720, 25422331 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1439489648586438, 2194580753290951, 832380563557396, + 561521973970522, 584497280718389 +#else + 19492550, 21450067, 37426887, 32701801, 63900692, 12403436, + 30066266, 8367329, 13243957, 8709688 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 187989455492609, 681223515948275, 1933493571072456, + 1872921007304880, 488162364135671 +#else + 12015105, 2801261, 28198131, 10151021, 24818120, 28811299, + 55914672, 27908697, 5150967, 7274186 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1413466089534451, 410844090765630, 1397263346404072, + 408227143123410, 1594561803147811 +#else + 2831347, 21062286, 1478974, 6122054, 23825128, 20820846, + 31097298, 6083058, 31021603, 23760822 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2102170800973153, 719462588665004, 1479649438510153, + 1097529543970028, 1302363283777685 +#else + 64578913, 31324785, 445612, 10720828, 53259337, 22048494, + 43601132, 16354464, 15067285, 19406725 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 942065717847195, 1069313679352961, 2007341951411051, + 70973416446291, 1419433790163706 +#else + 7840923, 14037873, 33744001, 15934015, 66380651, 29911725, + 21403987, 1057586, 47729402, 21151211 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1146565545556377, 1661971299445212, 406681704748893, + 564452436406089, 1109109865829139 +#else + 915865, 17085158, 15608284, 24765302, 42751837, 6060029, + 49737545, 8410996, 59888403, 16527024 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2214421081775077, 1165671861210569, 1890453018796184, + 3556249878661, 442116172656317 +#else + 32922597, 32997445, 20336073, 17369864, 10903704, 28169945, + 16957573, 52992, 23834301, 6588044 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 753830546620811, 1666955059895019, 1530775289309243, + 1119987029104146, 2164156153857580 +#else + 32752011, 11232950, 3381995, 24839566, 22652987, 22810329, + 17159698, 16689107, 46794284, 32248439 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 615171919212796, 1523849404854568, 854560460547503, + 2067097370290715, 1765325848586042 +#else + 62419196, 9166775, 41398568, 22707125, 11576751, 12733943, + 7924251, 30802151, 1976122, 26305405 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1094538949313667, 1796592198908825, 870221004284388, + 2025558921863561, 1699010892802384 +#else + 21251203, 16309901, 64125849, 26771309, 30810596, 12967303, + 156041, 30183180, 12331344, 25317235 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1951351290725195, 1916457206844795, 198025184438026, + 1909076887557595, 1938542290318919 +#else + 8651595, 29077400, 51023227, 28557437, 13002506, 2950805, + 29054427, 28447462, 10008135, 28886531 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1014323197538413, 869150639940606, 1756009942696599, + 1334952557375672, 1544945379082874 +#else + 31486061, 15114593, 52847614, 12951353, 14369431, 26166587, + 16347320, 19892343, 8684154, 23021480 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 764055910920305, 1603590757375439, 146805246592357, + 1843313433854297, 954279890114939 +#else + 19443825, 11385320, 24468943, 23895364, 43189605, 2187568, + 40845657, 27467510, 31316347, 14219878 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 80113526615750, 764536758732259, 1055139345100233, + 469252651759390, 617897512431515 +#else + 38514374, 1193784, 32245219, 11392485, 31092169, 15722801, + 27146014, 6992409, 29126555, 9207390 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 74497112547268, 740094153192149, 1745254631717581, + 727713886503130, 1283034364416928 +#else + 32382916, 1110093, 18477781, 11028262, 39697101, 26006320, + 62128346, 10843781, 59151264, 19118701 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 525892105991110, 1723776830270342, 1476444848991936, + 573789489857760, 133864092632978 +#else + 2814918, 7836403, 27519878, 25686276, 46214848, 22000742, + 45614304, 8550129, 28346258, 1994730 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 542611720192581, 1986812262899321, 1162535242465837, + 481498966143464, 544600533583622 +#else + 47530565, 8085544, 53108345, 29605809, 2785837, 17323125, + 47591912, 7174893, 22628102, 8115180 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 64123227344372, 1239927720647794, 1360722983445904, + 222610813654661, 62429487187991 +#else + 36703732, 955510, 55975026, 18476362, 34661776, 20276352, + 41457285, 3317159, 57165847, 930271 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1793193323953132, 91096687857833, 70945970938921, + 2158587638946380, 1537042406482111 +#else + 51805164, 26720662, 28856489, 1357446, 23421993, 1057177, + 24091212, 32165462, 44343487, 22903716 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1895854577604609, 1394895708949416, 1728548428495944, + 1140864900240149, 563645333603061 +#else + 44357633, 28250434, 54201256, 20785565, 51297352, 25757378, + 52269845, 17000211, 65241845, 8398969 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 141358280486863, 91435889572504, 1087208572552643, + 1829599652522921, 1193307020643647 +#else + 35139535, 2106402, 62372504, 1362500, 12813763, 16200670, + 22981545, 27263159, 18009407, 17781660 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1611230858525381, 950720175540785, 499589887488610, + 2001656988495019, 88977313255908 +#else + 49887941, 24009210, 39324209, 14166834, 29815394, 7444469, + 29551787, 29827013, 19288548, 1325865 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1189080501479658, 2184348804772597, 1040818725742319, + 2018318290311834, 1712060030915354 +#else + 15100138, 17718680, 43184885, 32549333, 40658671, 15509407, + 12376730, 30075286, 33166106, 25511682 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 873966876953756, 1090638350350440, 1708559325189137, + 672344594801910, 1320437969700239 +#else + 20909212, 13023121, 57899112, 16251777, 61330449, 25459517, + 12412150, 10018715, 2213263, 19676059 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1508590048271766, 1131769479776094, 101550868699323, + 428297785557897, 561791648661744 +#else + 32529814, 22479743, 30361438, 16864679, 57972923, 1513225, + 22922121, 6382134, 61341936, 8371347 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 756417570499462, 237882279232602, 2136263418594016, + 1701968045454886, 703713185137472 +#else + 9923462, 11271500, 12616794, 3544722, 37110496, 31832805, + 12891686, 25361300, 40665920, 10486143 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1781187809325462, 1697624151492346, 1381393690939988, + 175194132284669, 1483054666415238 +#else + 44511638, 26541766, 8587002, 25296571, 4084308, 20584370, + 361725, 2610596, 43187334, 22099236 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2175517777364616, 708781536456029, 955668231122942, + 1967557500069555, 2021208005604118 +#else + 5408392, 32417741, 62139741, 10561667, 24145918, 14240566, + 31319731, 29318891, 19985174, 30118346 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1115135966606887, 224217372950782, 915967306279222, + 593866251291540, 561747094208006 +#else + 53114407, 16616820, 14549246, 3341099, 32155958, 13648976, + 49531796, 8849296, 65030, 8370684 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1443163092879439, 391875531646162, 2180847134654632, + 464538543018753, 1594098196837178 +#else + 58787919, 21504805, 31204562, 5839400, 46481576, 32497154, + 47665921, 6922163, 12743482, 23753914 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 850858855888869, 319436476624586, 327807784938441, + 740785849558761, 17128415486016 +#else + 64747493, 12678784, 28815050, 4759974, 43215817, 4884716, + 23783145, 11038569, 18800704, 255233 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2132756334090067, 536247820155645, 48907151276867, + 608473197600695, 1261689545022784 +#else + 61839187, 31780545, 13957885, 7990715, 23132995, 728773, + 13393847, 9066957, 19258688, 18800639 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1525176236978354, 974205476721062, 293436255662638, + 148269621098039, 137961998433963 +#else + 64172210, 22726896, 56676774, 14516792, 63468078, 4372540, + 35173943, 2209389, 65584811, 2055793 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1121075518299410, 2071745529082111, 1265567917414828, + 1648196578317805, 496232102750820 +#else + 580882, 16705327, 5468415, 30871414, 36182444, 18858431, + 59905517, 24560042, 37087844, 7394434 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 122321229299801, 1022922077493685, 2001275453369484, + 2017441881607947, 993205880778002 +#else + 23838809, 1822728, 51370421, 15242726, 8318092, 29821328, + 45436683, 30062226, 62287122, 14799920 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 654925550560074, 1168810995576858, 575655959430926, + 905758704861388, 496774564663534 +#else + 13345610, 9759151, 3371034, 17416641, 16353038, 8577942, + 31129804, 13496856, 58052846, 7402517 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1954109525779738, 2117022646152485, 338102630417180, + 1194140505732026, 107881734943492 +#else + 2286874, 29118501, 47066405, 31546095, 53412636, 5038121, + 11006906, 17794080, 8205060, 1607563 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1714785840001267, 2036500018681589, 1876380234251966, + 2056717182974196, 1645855254384642 +#else + 14414067, 25552300, 3331829, 30346215, 22249150, 27960244, + 18364660, 30647474, 30019586, 24525154 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 106431476499341, 62482972120563, 1513446655109411, + 807258751769522, 538491469114 +#else + 39420813, 1585952, 56333811, 931068, 37988643, 22552112, + 52698034, 12029092, 9944378, 8024 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2002850762893643, 1243624520538135, 1486040410574605, + 2184752338181213, 378495998083531 +#else + 4368715, 29844802, 29874199, 18531449, 46878477, 22143727, + 50994269, 32555346, 58966475, 5640029 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 922510868424903, 1089502620807680, 402544072617374, + 1131446598479839, 1290278588136533 +#else + 10299591, 13746483, 11661824, 16234854, 7630238, 5998374, + 9809887, 16859868, 15219797, 19226649 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1867998812076769, 715425053580701, 39968586461416, + 2173068014586163, 653822651801304 +#else + 27425505, 27835351, 3055005, 10660664, 23458024, 595578, + 51710259, 32381236, 48766680, 9742716 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 162892278589453, 182585796682149, 75093073137630, + 497037941226502, 133871727117371 +#else + 6744077, 2427284, 26042789, 2720740, 66260958, 1118973, + 32324614, 7406442, 12420155, 1994844 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1914596576579670, 1608999621851578, 1987629837704609, + 1519655314857977, 1819193753409464 +#else + 14012502, 28529712, 48724410, 23975962, 40623521, 29617992, + 54075385, 22644628, 24319928, 27108099 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1949315551096831, 1069003344994464, 1939165033499916, + 1548227205730856, 1933767655861407 +#else + 16412671, 29047065, 10772640, 15929391, 50040076, 28895810, + 10555944, 23070383, 37006495, 28815383 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1730519386931635, 1393284965610134, 1597143735726030, + 416032382447158, 1429665248828629 +#else + 22397363, 25786748, 57815702, 20761563, 17166286, 23799296, + 39775798, 6199365, 21880021, 21303672 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 360275475604565, 547835731063078, 215360904187529, + 596646739879007, 332709650425085 +#else + 62825557, 5368522, 35991846, 8163388, 36785801, 3209127, + 16557151, 8890729, 8840445, 4957760 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 47602113726801, 1522314509708010, 437706261372925, + 814035330438027, 335930650933545 +#else + 51661137, 709326, 60189418, 22684253, 37330941, 6522331, + 45388683, 12130071, 52312361, 5005756 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1291597595523886, 1058020588994081, 402837842324045, + 1363323695882781, 2105763393033193 +#else + 64994094, 19246303, 23019041, 15765735, 41839181, 6002751, + 10183197, 20315106, 50713577, 31378319 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 109521982566564, 1715257748585139, 1112231216891516, + 2046641005101484, 134249157157013 +#else + 48083108, 1632004, 13466291, 25559332, 43468412, 16573536, + 35094956, 30497327, 22208661, 2000468 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2156991030936798, 2227544497153325, 1869050094431622, + 754875860479115, 1754242344267058 +#else + 3065054, 32141671, 41510189, 33192999, 49425798, 27851016, + 58944651, 11248526, 63417650, 26140247 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1846089562873800, 98894784984326, 1412430299204844, + 171351226625762, 1100604760929008 +#else + 10379208, 27508878, 8877318, 1473647, 37817580, 21046851, + 16690914, 2553332, 63976176, 16400288 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 84172382130492, 499710970700046, 425749630620778, + 1762872794206857, 612842602127960 +#else + 15716668, 1254266, 48636174, 7446273, 58659946, 6344163, + 45011593, 26268851, 26894936, 9132066 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 868309334532756, 1703010512741873, 1952690008738057, + 4325269926064, 2071083554962116 +#else + 24158868, 12938817, 11085297, 25376834, 39045385, 29097348, + 36532400, 64451, 60291780, 30861549 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 523094549451158, 401938899487815, 1407690589076010, + 2022387426254453, 158660516411257 +#else + 13488534, 7794716, 22236231, 5989356, 25426474, 20976224, + 2350709, 30135921, 62420857, 2364225 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 612867287630009, 448212612103814, 571629077419196, + 1466796750919376, 1728478129663858 +#else + 16335033, 9132434, 25640582, 6678888, 1725628, 8517937, + 55301840, 21856974, 15445874, 25756331 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1723848973783452, 2208822520534681, 1718748322776940, + 1974268454121942, 1194212502258141 +#else + 29004188, 25687351, 28661401, 32914020, 54314860, 25611345, + 31863254, 29418892, 66830813, 17795152 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1254114807944608, 977770684047110, 2010756238954993, + 1783628927194099, 1525962994408256 +#else + 60986784, 18687766, 38493958, 14569918, 56250865, 29962602, + 10343411, 26578142, 37280576, 22738620 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 232464058235826, 1948628555342434, 1835348780427694, + 1031609499437291, 64472106918373 +#else + 27081650, 3463984, 14099042, 29036828, 1616302, 27348828, + 29542635, 15372179, 17293797, 960709 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 767338676040683, 754089548318405, 1523192045639075, + 435746025122062, 512692508440385 +#else + 20263915, 11434237, 61343429, 11236809, 13505955, 22697330, + 50997518, 6493121, 47724353, 7639713 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1255955808701983, 1700487367990941, 1166401238800299, + 1175121994891534, 1190934801395380 +#else + 64278047, 18715199, 25403037, 25339236, 58791851, 17380732, + 18006286, 17510682, 29994676, 17746311 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 349144008168292, 1337012557669162, 1475912332999108, + 1321618454900458, 47611291904320 +#else + 9769828, 5202651, 42951466, 19923039, 39057860, 21992807, + 42495722, 19693649, 35924288, 709463 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 877519947135419, 2172838026132651, 272304391224129, + 1655143327559984, 886229406429814 +#else + 12286395, 13076066, 45333675, 32377809, 42105665, 4057651, + 35090736, 24663557, 16102006, 13205847 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 375806028254706, 214463229793940, 572906353144089, + 572168269875638, 697556386112979 +#else + 13733362, 5599946, 10557076, 3195751, 61550873, 8536969, + 41568694, 8525971, 10151379, 10394400 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1168827102357844, 823864273033637, 2071538752104697, + 788062026895924, 599578340743362 +#else + 4024660, 17416881, 22436261, 12276534, 58009849, 30868332, + 19698228, 11743039, 33806530, 8934413 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1948116082078088, 2054898304487796, 2204939184983900, + 210526805152138, 786593586607626 +#else + 51229064, 29029191, 58528116, 30620370, 14634844, 32856154, + 57659786, 3137093, 55571978, 11721157 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1915320147894736, 156481169009469, 655050471180417, + 592917090415421, 2165897438660879 +#else + 17555920, 28540494, 8268605, 2331751, 44370049, 9761012, + 9319229, 8835153, 57903375, 32274386 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1726336468579724, 1119932070398949, 1929199510967666, + 33918788322959, 1836837863503150 +#else + 66647436, 25724417, 20614117, 16688288, 59594098, 28747312, + 22300303, 505429, 6108462, 27371017 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 829996854845988, 217061778005138, 1686565909803640, + 1346948817219846, 1723823550730181 +#else + 62038564, 12367916, 36445330, 3234472, 32617080, 25131790, + 29880582, 20071101, 40210373, 25686972 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 384301494966394, 687038900403062, 2211195391021739, + 254684538421383, 1245698430589680 +#else + 35133562, 5726538, 26934134, 10237677, 63935147, 32949378, + 24199303, 3795095, 7592688, 18562353 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1247567493562688, 1978182094455847, 183871474792955, + 806570235643435, 288461518067916 +#else + 21594432, 18590204, 17466407, 29477210, 32537083, 2739898, + 6407723, 12018833, 38852812, 4298411 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1449077384734201, 38285445457996, 2136537659177832, + 2146493000841573, 725161151123125 +#else + 46458361, 21592935, 39872588, 570497, 3767144, 31836892, + 13891941, 31985238, 13717173, 10805743 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1201928866368855, 800415690605445, 1703146756828343, + 997278587541744, 1858284414104014 +#else + 52432215, 17910135, 15287173, 11927123, 24177847, 25378864, + 66312432, 14860608, 40169934, 27690595 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 356468809648877, 782373916933152, 1718002439402870, + 1392222252219254, 663171266061951 +#else + 12962541, 5311799, 57048096, 11658279, 18855286, 25600231, + 13286262, 20745728, 62727807, 9882021 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 759628738230460, 1012693474275852, 353780233086498, + 246080061387552, 2030378857679162 +#else + 18512060, 11319350, 46985740, 15090308, 18818594, 5271736, + 44380960, 3666878, 43141434, 30255002 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2040672435071076, 888593182036908, 1298443657189359, + 1804780278521327, 354070726137060 +#else + 60319844, 30408388, 16192428, 13241070, 15898607, 19348318, + 57023983, 26893321, 64705764, 5276064 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1894938527423184, 1463213041477277, 474410505497651, + 247294963033299, 877975941029128 +#else + 30169808, 28236784, 26306205, 21803573, 27814963, 7069267, + 7152851, 3684982, 1449224, 13082861 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 207937160991127, 12966911039119, 820997788283092, + 1010440472205286, 1701372890140810 +#else + 10342807, 3098505, 2119311, 193222, 25702612, 12233820, + 23697382, 15056736, 46092426, 25352431 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 218882774543183, 533427444716285, 1233243976733245, + 435054256891319, 1509568989549904 +#else + 33958735, 3261607, 22745853, 7948688, 19370557, 18376767, + 40936887, 6482813, 56808784, 22494330 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1888838535711826, 1052177758340622, 1213553803324135, + 169182009127332, 463374268115872 +#else + 32869458, 28145887, 25609742, 15678670, 56421095, 18083360, + 26112420, 2521008, 44444576, 6904814 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 299137589460312, 1594371588983567, 868058494039073, + 257771590636681, 1805012993142921 +#else + 29506904, 4457497, 3377935, 23757988, 36598817, 12935079, + 1561737, 3841096, 38105225, 26896789 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1806842755664364, 2098896946025095, 1356630998422878, + 1458279806348064, 347755825962072 +#else + 10340844, 26924055, 48452231, 31276001, 12621150, 20215377, + 30878496, 21730062, 41524312, 5181965 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1402334161391744, 1560083671046299, 1008585416617747, + 1147797150908892, 1420416683642459 +#else + 25940096, 20896407, 17324187, 23247058, 58437395, 15029093, + 24396252, 17103510, 64786011, 21165857 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 665506704253369, 273770475169863, 799236974202630, + 848328990077558, 1811448782807931 +#else + 45343161, 9916822, 65808455, 4079497, 66080518, 11909558, + 1782390, 12641087, 20603771, 26992690 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1468412523962641, 771866649897997, 1931766110147832, + 799561180078482, 524837559150077 +#else + 48226577, 21881051, 24849421, 11501709, 13161720, 28785558, + 1925522, 11914390, 4662781, 7820689 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2223212657821850, 630416247363666, 2144451165500328, + 816911130947791, 1024351058410032 +#else + 12241050, 33128450, 8132690, 9393934, 32846760, 31954812, + 29749455, 12172924, 16136752, 15264020 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1266603897524861, 156378408858100, 1275649024228779, + 447738405888420, 253186462063095 +#else + 56758909, 18873868, 58896884, 2330219, 49446315, 19008651, + 10658212, 6671822, 19012087, 3772772 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2022215964509735, 136144366993649, 1800716593296582, + 1193970603800203, 871675847064218 +#else + 3753511, 30133366, 10617073, 2028709, 14841030, 26832768, + 28718731, 17791548, 20527770, 12988982 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1862751661970328, 851596246739884, 1519315554814041, + 1542798466547449, 1417975335901520 +#else + 52286360, 27757162, 63400876, 12689772, 66209881, 22639565, + 42925817, 22989488, 3299664, 21129479 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1228168094547481, 334133883362894, 587567568420081, + 433612590281181, 603390400373205 +#else + 50331161, 18301130, 57466446, 4978982, 3308785, 8755439, + 6943197, 6461331, 41525717, 8991217 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 121893973206505, 1843345804916664, 1703118377384911, + 497810164760654, 101150811654673 +#else + 49882601, 1816361, 65435576, 27467992, 31783887, 25378441, + 34160718, 7417949, 36866577, 1507264 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 458346255946468, 290909935619344, 1452768413850679, + 550922875254215, 1537286854336538 +#else + 29692644, 6829891, 56610064, 4334895, 20945975, 21647936, + 38221255, 8209390, 14606362, 22907359 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 584322311184395, 380661238802118, 114839394528060, + 655082270500073, 2111856026034852 +#else + 63627275, 8707080, 32188102, 5672294, 22096700, 1711240, + 34088169, 9761486, 4170404, 31469107 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 996965581008991, 2148998626477022, 1012273164934654, + 1073876063914522, 1688031788934939 +#else + 55521375, 14855944, 62981086, 32022574, 40459774, 15084045, + 22186522, 16002000, 52832027, 25153633 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 923487018849600, 2085106799623355, 528082801620136, + 1606206360876188, 735907091712524 +#else + 62297408, 13761028, 35404987, 31070512, 63796392, 7869046, + 59995292, 23934339, 13240844, 10965870 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1697697887804317, 1335343703828273, 831288615207040, + 949416685250051, 288760277392022 +#else + 59366301, 25297669, 52340529, 19898171, 43876480, 12387165, + 4498947, 14147411, 29514390, 4302863 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1419122478109648, 1325574567803701, 602393874111094, + 2107893372601700, 1314159682671307 +#else + 53695440, 21146572, 20757301, 19752600, 14785142, 8976368, + 62047588, 31410058, 17846987, 19582505 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2201150872731804, 2180241023425241, 97663456423163, + 1633405770247824, 848945042443986 +#else + 64864412, 32799703, 62511833, 32488122, 60861691, 1455298, + 45461136, 24339642, 61886162, 12650266 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1173339555550611, 818605084277583, 47521504364289, + 924108720564965, 735423405754506 +#else + 57202067, 17484121, 21134159, 12198166, 40044289, 708125, + 387813, 13770293, 47974538, 10958662 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 830104860549448, 1886653193241086, 1600929509383773, + 1475051275443631, 286679780900937 +#else + 22470984, 12369526, 23446014, 28113323, 45588061, 23855708, + 55336367, 21979976, 42025033, 4271861 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1577111294832995, 1030899169768747, 144900916293530, + 1964672592979567, 568390100955250 +#else + 41939299, 23500789, 47199531, 15361594, 61124506, 2159191, + 75375, 29275903, 34582642, 8469672 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 278388655910247, 487143369099838, 927762205508727, + 181017540174210, 1616886700741287 +#else + 15854951, 4148314, 58214974, 7259001, 11666551, 13824734, + 36577666, 2697371, 24154791, 24093489 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1191033906638969, 940823957346562, 1606870843663445, + 861684761499847, 658674867251089 +#else + 15446137, 17747788, 29759746, 14019369, 30811221, 23944241, + 35526855, 12840103, 24913809, 9815020 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1875032594195546, 1427106132796197, 724736390962158, + 901860512044740, 635268497268760 +#else + 62399578, 27940162, 35267365, 21265538, 52665326, 10799413, + 58005188, 13438768, 18735128, 9466238 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 622869792298357, 1903919278950367, 1922588621661629, + 1520574711600434, 1087100760174640 +#else + 11933045, 9281483, 5081055, 28370608, 64480701, 28648802, + 59381042, 22658328, 44380208, 16199063 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 25465949416618, 1693639527318811, 1526153382657203, + 125943137857169, 145276964043999 +#else + 14576810, 379472, 40322331, 25237195, 37682355, 22741457, + 67006097, 1876698, 30801119, 2164795 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 214739857969358, 920212862967915, 1939901550972269, + 1211862791775221, 85097515720120 +#else + 15995086, 3199873, 13672555, 13712240, 47730029, 28906785, + 54027253, 18058162, 53616056, 1268051 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2006245852772938, 734762734836159, 254642929763427, + 1406213292755966, 239303749517686 +#else + 56818250, 29895392, 63822271, 10948817, 23037027, 3794475, + 63638526, 20954210, 50053494, 3565903 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1619678837192149, 1919424032779215, 1357391272956794, + 1525634040073113, 1310226789796241 +#else + 29210069, 24135095, 61189071, 28601646, 10834810, 20226706, + 50596761, 22733718, 39946641, 19523900 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1040763709762123, 1704449869235352, 605263070456329, + 1998838089036355, 1312142911487502 +#else + 53946955, 15508587, 16663704, 25398282, 38758921, 9019122, + 37925443, 29785008, 2244110, 19552453 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1996723311435669, 1844342766567060, 985455700466044, + 1165924681400960, 311508689870129 +#else + 61955989, 29753495, 57802388, 27482848, 16243068, 14684434, + 41435776, 17373631, 13491505, 4641841 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 43173156290518, 2202883069785309, 1137787467085917, + 1733636061944606, 1394992037553852 +#else + 10813398, 643330, 47920349, 32825515, 30292061, 16954354, + 27548446, 25833190, 14476988, 20787001 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 670078326344559, 555655025059356, 471959386282438, + 2141455487356409, 849015953823125 +#else + 10292079, 9984945, 6481436, 8279905, 59857350, 7032742, + 27282937, 31910173, 39196053, 12651323 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2197214573372804, 794254097241315, 1030190060513737, + 267632515541902, 2040478049202624 +#else + 35923332, 32741048, 22271203, 11835308, 10201545, 15351028, + 17099662, 3988035, 21721536, 30405492 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1812516004670529, 1609256702920783, 1706897079364493, + 258549904773295, 996051247540686 +#else + 10202177, 27008593, 35735631, 23979793, 34958221, 25434748, + 54202543, 3852693, 13216206, 14842320 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1540374301420584, 1764656898914615, 1810104162020396, + 923808779163088, 664390074196579 +#else + 51293224, 22953365, 60569911, 26295436, 60124204, 26972653, + 35608016, 13765823, 39674467, 9900183 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1323460699404750, 1262690757880991, 871777133477900, + 1060078894988977, 1712236889662886 +#else + 14465486, 19721101, 34974879, 18815558, 39665676, 12990491, + 33046193, 15796406, 60056998, 25514317 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1696163952057966, 1391710137550823, 608793846867416, + 1034391509472039, 1780770894075012 +#else + 30924398, 25274812, 6359015, 20738097, 16508376, 9071735, + 41620263, 15413634, 9524356, 26535554 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1367603834210841, 2131988646583224, 890353773628144, + 1908908219165595, 270836895252891 +#else + 12274201, 20378885, 32627640, 31769106, 6736624, 13267305, + 5237659, 28444949, 15663515, 4035784 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 597536315471731, 40375058742586, 1942256403956049, + 1185484645495932, 312666282024145 +#else + 64157555, 8903984, 17349946, 601635, 50676049, 28941875, + 53376124, 17665097, 44850385, 4659090 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1919411405316294, 1234508526402192, 1066863051997083, + 1008444703737597, 1348810787701552 +#else + 50192582, 28601458, 36715152, 18395610, 20774811, 15897498, + 5736189, 15026997, 64930608, 20098846 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2102881477513865, 1570274565945361, 1573617900503708, + 18662635732583, 2232324307922098 +#else + 58249865, 31335375, 28571665, 23398914, 66634396, 23448733, + 63307367, 278094, 23440562, 33264224 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1853931367696942, 8107973870707, 350214504129299, + 775206934582587, 1752317649166792 +#else + 10226222, 27625730, 15139955, 120818, 52241171, 5218602, + 32937275, 11551483, 50536904, 26111567 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1417148368003523, 721357181628282, 505725498207811, + 373232277872983, 261634707184480 +#else + 17932739, 21117156, 43069306, 10749059, 11316803, 7535897, + 22503767, 5561594, 63462240, 3898660 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2186733281493267, 2250694917008620, 1014829812957440, + 479998161452389, 83566193876474 +#else + 7749907, 32584865, 50769132, 33537967, 42090752, 15122142, + 65535333, 7152529, 21831162, 1245233 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1268116367301224, 560157088142809, 802626839600444, + 2210189936605713, 1129993785579988 +#else + 26958440, 18896406, 4314585, 8346991, 61431100, 11960071, + 34519569, 32934396, 36706772, 16838219 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 615183387352312, 917611676109240, 878893615973325, + 978940963313282, 938686890583575 +#else + 54942968, 9166946, 33491384, 13673479, 29787085, 13096535, + 6280834, 14587357, 44770839, 13987524 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 522024729211672, 1045059315315808, 1892245413707790, + 1907891107684253, 2059998109500714 +#else + 42758936, 7778774, 21116000, 15572597, 62275598, 28196653, + 62807965, 28429792, 59639082, 30696363 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1799679152208884, 912132775900387, 25967768040979, + 432130448590461, 274568990261996 +#else + 9681908, 26817309, 35157219, 13591837, 60225043, 386949, + 31622781, 6439245, 52527852, 4091396 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 98698809797682, 2144627600856209, 1907959298569602, + 811491302610148, 1262481774981493 +#else + 58682418, 1470726, 38999185, 31957441, 3978626, 28430809, + 47486180, 12092162, 29077877, 18812444 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1791451399743152, 1713538728337276, 118349997257490, + 1882306388849954, 158235232210248 +#else + 5269168, 26694706, 53878652, 25533716, 25932562, 1763552, + 61502754, 28048550, 47091016, 2357888 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1217809823321928, 2173947284933160, 1986927836272325, + 1388114931125539, 12686131160169 +#else + 32264008, 18146780, 61721128, 32394338, 65017541, 29607531, + 23104803, 20684524, 5727337, 189038 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1650875518872272, 1136263858253897, 1732115601395988, + 734312880662190, 1252904681142109 +#else + 14609104, 24599962, 61108297, 16931650, 52531476, 25810533, + 40363694, 10942114, 41219933, 18669734 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 372986456113865, 525430915458171, 2116279931702135, + 501422713587815, 1907002872974925 +#else + 20513481, 5557931, 51504251, 7829530, 26413943, 31535028, + 45729895, 7471780, 13913677, 28416557 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 803147181835288, 868941437997146, 316299302989663, + 943495589630550, 571224287904572 +#else + 41534488, 11967825, 29233242, 12948236, 60354399, 4713226, + 58167894, 14059179, 12878652, 8511905 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 227742695588364, 1776969298667369, 628602552821802, + 457210915378118, 2041906378111140 +#else + 41452044, 3393630, 64153449, 26478905, 64858154, 9366907, + 36885446, 6812973, 5568676, 30426776 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 815000523470260, 913085688728307, 1052060118271173, + 1345536665214223, 541623413135555 +#else + 11630004, 12144454, 2116339, 13606037, 27378885, 15676917, + 49700111, 20050058, 52713667, 8070817 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1580216071604333, 1877997504342444, 857147161260913, + 703522726778478, 2182763974211603 +#else + 27117677, 23547054, 35826092, 27984343, 1127281, 12772488, + 37262958, 10483305, 55556115, 32525717 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1870080310923419, 71988220958492, 1783225432016732, + 615915287105016, 1035570475990230 +#else + 10637467, 27866368, 5674780, 1072708, 40765276, 26572129, + 65424888, 9177852, 39615702, 15431202 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 730987750830150, 857613889540280, 1083813157271766, + 1002817255970169, 1719228484436074 +#else + 20525126, 10892566, 54366392, 12779442, 37615830, 16150074, + 38868345, 14943141, 52052074, 25618500 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 377616581647602, 1581980403078513, 804044118130621, + 2034382823044191, 643844048472185 +#else + 37084402, 5626925, 66557297, 23573344, 753597, 11981191, + 25244767, 30314666, 63752313, 9594023 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 176957326463017, 1573744060478586, 528642225008045, + 1816109618372371, 1515140189765006 +#else + 43356201, 2636869, 61944954, 23450613, 585133, 7877383, + 11345683, 27062142, 13352334, 22577348 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1888911448245718, 1387110895611080, 1924503794066429, + 1731539523700949, 2230378382645454 +#else + 65177046, 28146973, 3304648, 20669563, 17015805, 28677341, + 37325013, 25801949, 53893326, 33235227 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 443392177002051, 233793396845137, 2199506622312416, + 1011858706515937, 974676837063129 +#else + 20239939, 6607058, 6203985, 3483793, 48721888, 32775202, + 46385121, 15077869, 44358105, 14523816 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1846351103143623, 1949984838808427, 671247021915253, + 1946756846184401, 1929296930380217 +#else + 27406023, 27512775, 27423595, 29057038, 4996213, 10002360, + 38266833, 29008937, 36936121, 28748764 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 849646212452002, 1410198775302919, 73767886183695, + 1641663456615812, 762256272452411 +#else + 11374242, 12660715, 17861383, 21013599, 10935567, 1099227, + 53222788, 24462691, 39381819, 11358503 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 692017667358279, 723305578826727, 1638042139863265, + 748219305990306, 334589200523901 +#else + 54378055, 10311866, 1510375, 10778093, 64989409, 24408729, + 32676002, 11149336, 40985213, 4985767 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 22893968530686, 2235758574399251, 1661465835630252, + 925707319443452, 1203475116966621 +#else + 48012542, 341146, 60911379, 33315398, 15756972, 24757770, + 66125820, 13794113, 47694557, 17933176 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 801299035785166, 1733292596726131, 1664508947088596, + 467749120991922, 1647498584535623 +#else + 6490062, 11940286, 25495923, 25828072, 8668372, 24803116, + 3367602, 6970005, 65417799, 24549641 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 903105258014366, 427141894933047, 561187017169777, + 1884330244401954, 1914145708422219 +#else + 1656478, 13457317, 15370807, 6364910, 13605745, 8362338, + 47934242, 28078708, 50312267, 28522993 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1344191060517578, 1960935031767890, 1518838929955259, + 1781502350597190, 1564784025565682 +#else + 44835530, 20030007, 67044178, 29220208, 48503227, 22632463, + 46537798, 26546453, 67009010, 23317098 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 673723351748086, 1979969272514923, 1175287312495508, + 1187589090978666, 1881897672213940 +#else + 17747446, 10039260, 19368299, 29503841, 46478228, 17513145, + 31992682, 17696456, 37848500, 28042460 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1917185587363432, 1098342571752737, 5935801044414, + 2000527662351839, 1538640296181569 +#else + 31932008, 28568291, 47496481, 16366579, 22023614, 88450, + 11371999, 29810185, 4882241, 22927527 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2495540013192, 678856913479236, 224998292422872, + 219635787698590, 1972465269000940 +#else + 29796488, 37186, 19818052, 10115756, 55279832, 3352735, + 18551198, 3272828, 61917932, 29392022 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 271413961212179, 1353052061471651, 344711291283483, + 2014925838520662, 2006221033113941 +#else + 12501267, 4044383, 58495907, 20162046, 34678811, 5136598, + 47878486, 30024734, 330069, 29895023 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 194583029968109, 514316781467765, 829677956235672, + 1676415686873082, 810104584395840 +#else + 6384877, 2899513, 17807477, 7663917, 64749976, 12363164, + 25366522, 24980540, 66837568, 12071498 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1980510813313589, 1948645276483975, 152063780665900, + 129968026417582, 256984195613935 +#else + 58743349, 29511910, 25133447, 29037077, 60897836, 2265926, + 34339246, 1936674, 61949167, 3829362 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1860190562533102, 1936576191345085, 461100292705964, + 1811043097042830, 957486749306835 +#else + 28425966, 27718999, 66531773, 28857233, 52891308, 6870929, + 7921550, 26986645, 26333139, 14267664 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 796664815624365, 1543160838872951, 1500897791837765, + 1667315977988401, 599303877030711 +#else + 56041645, 11871230, 27385719, 22994888, 62522949, 22365119, + 10004785, 24844944, 45347639, 8930323 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1151480509533204, 2136010406720455, 738796060240027, + 319298003765044, 1150614464349587 +#else + 45911060, 17158396, 25654215, 31829035, 12282011, 11008919, + 1541940, 4757911, 40617363, 17145491 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1731069268103150, 735642447616087, 1364750481334268, + 417232839982871, 927108269127661 +#else + 13537262, 25794942, 46504023, 10961926, 61186044, 20336366, + 53952279, 6217253, 51165165, 13814989 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1017222050227968, 1987716148359, 2234319589635701, + 621282683093392, 2132553131763026 +#else + 49686272, 15157789, 18705543, 29619, 24409717, 33293956, + 27361680, 9257833, 65152338, 31777517 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1567828528453324, 1017807205202360, 565295260895298, + 829541698429100, 307243822276582 +#else + 42063564, 23362465, 15366584, 15166509, 54003778, 8423555, + 37937324, 12361134, 48422886, 4578289 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 249079270936248, 1501514259790706, 947909724204848, + 944551802437487, 552658763982480 +#else + 24579768, 3711570, 1342322, 22374306, 40103728, 14124955, + 44564335, 14074918, 21964432, 8235257 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2089966982947227, 1854140343916181, 2151980759220007, + 2139781292261749, 158070445864917 +#else + 60580251, 31142934, 9442965, 27628844, 12025639, 32067012, + 64127349, 31885225, 13006805, 2355433 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1338766321464554, 1906702607371284, 1519569445519894, + 115384726262267, 1393058953390992 +#else + 50803946, 19949172, 60476436, 28412082, 16974358, 22643349, + 27202043, 1719366, 1141648, 20758196 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1364621558265400, 1512388234908357, 1926731583198686, + 2041482526432505, 920401122333774 +#else + 54244920, 20334445, 58790597, 22536340, 60298718, 28710537, + 13475065, 30420460, 32674894, 13715045 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1884844597333588, 601480070269079, 620203503079537, + 1079527400117915, 1202076693132015 +#else + 11423316, 28086373, 32344215, 8962751, 24989809, 9241752, + 53843611, 16086211, 38367983, 17912338 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 840922919763324, 727955812569642, 1303406629750194, + 522898432152867, 294161410441865 +#else + 65699196, 12530727, 60740138, 10847386, 19531186, 19422272, + 55399715, 7791793, 39862921, 4383346 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 353760790835310, 1598361541848743, 1122905698202299, + 1922533590158905, 419107700666580 +#else + 38137966, 5271446, 65842855, 23817442, 54653627, 16732598, + 62246457, 28647982, 27193556, 6245191 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 359856369838236, 180914355488683, 861726472646627, + 218807937262986, 575626773232501 +#else + 51914908, 5362277, 65324971, 2695833, 4960227, 12840725, + 23061898, 3260492, 22510453, 8577507 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 755467689082474, 909202735047934, 730078068932500, + 936309075711518, 2007798262842972 +#else + 54476394, 11257345, 34415870, 13548176, 66387860, 10879010, + 31168030, 13952092, 37537372, 29918525 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1609384177904073, 362745185608627, 1335318541768201, + 800965770436248, 547877979267412 +#else + 3877321, 23981693, 32416691, 5405324, 56104457, 19897796, + 3759768, 11935320, 5611860, 8164018 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 984339177776787, 815727786505884, 1645154585713747, + 1659074964378553, 1686601651984156 +#else + 50833043, 14667796, 15906460, 12155291, 44997715, 24514713, + 32003001, 24722143, 5773084, 25132323 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1697863093781930, 599794399429786, 1104556219769607, + 830560774794755, 12812858601017 +#else + 43320746, 25300131, 1950874, 8937633, 18686727, 16459170, + 66203139, 12376319, 31632953, 190926 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1168737550514982, 897832437380552, 463140296333799, + 302564600022547, 2008360505135501 +#else + 42515238, 17415546, 58684872, 13378745, 14162407, 6901328, + 58820115, 4508563, 41767309, 29926903 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1856930662813910, 678090852002597, 1920179140755167, + 1259527833759868, 55540971895511 +#else + 8884438, 27670423, 6023973, 10104341, 60227295, 28612898, + 18722940, 18768427, 65436375, 827624 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1158643631044921, 476554103621892, 178447851439725, + 1305025542653569, 103433927680625 +#else + 34388281, 17265135, 34605316, 7101209, 13354605, 2659080, + 65308289, 19446395, 42230385, 1541285 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2176793111709008, 1576725716350391, 2009350167273523, + 2012390194631546, 2125297410909580 +#else + 2901328, 32436745, 3880375, 23495044, 49487923, 29941650, + 45306746, 29986950, 20456844, 31669399 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 825403285195098, 2144208587560784, 1925552004644643, + 1915177840006985, 1015952128947864 +#else + 27019610, 12299467, 53450576, 31951197, 54247203, 28692960, + 47568713, 28538373, 29439640, 15138866 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1807108316634472, 1534392066433717, 347342975407218, + 1153820745616376, 7375003497471 +#else + 21536104, 26928012, 34661045, 22864223, 44700786, 5175813, + 61688824, 17193268, 7779327, 109896 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 983061001799725, 431211889901241, 2201903782961093, + 817393911064341, 2214616493042167 +#else + 30279725, 14648750, 59063993, 6425557, 13639621, 32810923, + 28698389, 12180118, 23177719, 33000357 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 228567918409756, 865093958780220, 358083886450556, + 159617889659320, 1360637926292598 +#else + 26572828, 3405927, 35407164, 12890904, 47843196, 5335865, + 60615096, 2378491, 4439158, 20275085 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 234147501399755, 2229469128637390, 2175289352258889, + 1397401514549353, 1885288963089922 +#else + 44392139, 3489069, 57883598, 33221678, 18875721, 32414337, + 14819433, 20822905, 49391106, 28092994 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1111762412951562, 252849572507389, 1048714233823341, + 146111095601446, 1237505378776770 +#else + 62052362, 16566550, 15953661, 3767752, 56672365, 15627059, + 66287910, 2177224, 8550082, 18440267 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1113790697840279, 1051167139966244, 1045930658550944, + 2011366241542643, 1686166824620755 +#else + 48635543, 16596774, 66727204, 15663610, 22860960, 15585581, + 39264755, 29971692, 43848403, 25125843 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1054097349305049, 1872495070333352, 182121071220717, + 1064378906787311, 100273572924182 +#else + 34628313, 15707274, 58902952, 27902350, 29464557, 2713815, + 44383727, 15860481, 45206294, 1494192 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1306410853171605, 1627717417672447, 50983221088417, + 1109249951172250, 870201789081392 +#else + 47546773, 19467038, 41524991, 24254879, 13127841, 759709, + 21923482, 16529112, 8742704, 12967017 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 104233794644221, 1548919791188248, 2224541913267306, + 2054909377116478, 1043803389015153 +#else + 38643965, 1553204, 32536856, 23080703, 42417258, 33148257, + 58194238, 30620535, 37205105, 15553882 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 216762189468802, 707284285441622, 190678557969733, + 973969342604308, 1403009538434867 +#else + 21877890, 3230008, 9881174, 10539357, 62311749, 2841331, + 11543572, 14513274, 19375923, 20906471 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1279024291038477, 344776835218310, 273722096017199, + 1834200436811442, 634517197663804 +#else + 8832269, 19058947, 13253510, 5137575, 5037871, 4078777, + 24880818, 27331716, 2862652, 9455043 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 343805853118335, 1302216857414201, 566872543223541, + 2051138939539004, 321428858384280 +#else + 29306751, 5123106, 20245049, 19404543, 9592565, 8447059, + 65031740, 30564351, 15511448, 4789663 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 470067171324852, 1618629234173951, 2000092177515639, + 7307679772789, 1117521120249968 +#else + 46429108, 7004546, 8824831, 24119455, 63063159, 29803695, + 61354101, 108892, 23513200, 16652362 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 278151578291475, 1810282338562947, 1771599529530998, + 1383659409671631, 685373414471841 +#else + 33852691, 4144781, 62632835, 26975308, 10770038, 26398890, + 60458447, 20618131, 48789665, 10212859 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 577009397403102, 1791440261786291, 2177643735971638, + 174546149911960, 1412505077782326 +#else + 2756062, 8598110, 7383731, 26694540, 22312758, 32449420, + 21179800, 2600940, 57120566, 21047965 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 893719721537457, 1201282458018197, 1522349501711173, + 58011597740583, 1130406465887139 +#else + 42463153, 13317461, 36659605, 17900503, 21365573, 22684775, + 11344423, 864440, 64609187, 16844368 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 412607348255453, 1280455764199780, 2233277987330768, + 14180080401665, 331584698417165 +#else + 40676061, 6148328, 49924452, 19080277, 18782928, 33278435, + 44547329, 211299, 2719757, 4940997 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 262483770854550, 990511055108216, 526885552771698, + 571664396646158, 354086190278723 +#else + 65784982, 3911312, 60160120, 14759764, 37081714, 7851206, + 21690126, 8518463, 26699843, 5276295 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1820352417585487, 24495617171480, 1547899057533253, + 10041836186225, 480457105094042 +#else + 53958991, 27125364, 9396248, 365013, 24703301, 23065493, + 1321585, 149635, 51656090, 7159368 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2023310314989233, 637905337525881, 2106474638900687, + 557820711084072, 1687858215057826 +#else + 9987761, 30149673, 17507961, 9505530, 9731535, 31388918, + 22356008, 8312176, 22477218, 25151047 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1144168702609745, 604444390410187, 1544541121756138, + 1925315550126027, 626401428894002 +#else + 18155857, 17049442, 19744715, 9006923, 15154154, 23015456, + 24256459, 28689437, 44560690, 9334108 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1922168257351784, 2018674099908659, 1776454117494445, + 956539191509034, 36031129147635 +#else + 2986088, 28642539, 10776627, 30080588, 10620589, 26471229, + 45695018, 14253544, 44521715, 536905 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 544644538748041, 1039872944430374, 876750409130610, + 710657711326551, 1216952687484972 +#else + 4377737, 8115836, 24567078, 15495314, 11625074, 13064599, + 7390551, 10589625, 10838060, 18134008 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 58242421545916, 2035812695641843, 2118491866122923, + 1191684463816273, 46921517454099 +#else + 47766460, 867879, 9277171, 30335973, 52677291, 31567988, + 19295825, 17757482, 6378259, 699185 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 272268252444639, 1374166457774292, 2230115177009552, + 1053149803909880, 1354288411641016 +#else + 7895007, 4057113, 60027092, 20476675, 49222032, 33231305, + 66392824, 15693154, 62063800, 20180469 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1857910905368338, 1754729879288912, 885945464109877, + 1516096106802166, 1602902393369811 +#else + 59371282, 27685029, 52542544, 26147512, 11385653, 13201616, + 31730678, 22591592, 63190227, 23885106 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1193437069800958, 901107149704790, 999672920611411, + 477584824802207, 364239578697845 +#else + 10188286, 17783598, 59772502, 13427542, 22223443, 14896287, + 30743455, 7116568, 45322357, 5427592 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 886299989548838, 1538292895758047, 1590564179491896, + 1944527126709657, 837344427345298 +#else + 696102, 13206899, 27047647, 22922350, 15285304, 23701253, + 10798489, 28975712, 19236242, 12477404 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 754558365378305, 1712186480903618, 1703656826337531, + 750310918489786, 518996040250900 +#else + 55879425, 11243795, 50054594, 25513566, 66320635, 25386464, + 63211194, 11180503, 43939348, 7733643 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1309847803895382, 1462151862813074, 211370866671570, + 1544595152703681, 1027691798954090 +#else + 17800790, 19518253, 40108434, 21787760, 23887826, 3149671, + 23466177, 23016261, 10322026, 15313801 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 803217563745370, 1884799722343599, 1357706345069218, + 2244955901722095, 730869460037413 +#else + 26246234, 11968874, 32263343, 28085704, 6830754, 20231401, + 51314159, 33452449, 42659621, 10890803 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 689299471295966, 1831210565161071, 1375187341585438, + 1106284977546171, 1893781834054269 +#else + 35743198, 10271362, 54448239, 27287163, 16690206, 20491888, + 52126651, 16484930, 25180797, 28219548 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 696351368613042, 1494385251239250, 738037133616932, + 636385507851544, 927483222611406 +#else + 66522290, 10376443, 34522450, 22268075, 19801892, 10997610, + 2276632, 9482883, 316878, 13820577 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1949114198209333, 1104419699537997, 783495707664463, + 1747473107602770, 2002634765788641 +#else + 57226037, 29044064, 64993357, 16457135, 56008783, 11674995, + 30756178, 26039378, 30696929, 29841583 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1607325776830197, 530883941415333, 1451089452727895, + 1581691157083423, 496100432831154 +#else + 32988917, 23951020, 12499365, 7910787, 56491607, 21622917, + 59766047, 23569034, 34759346, 7392472 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1068900648804224, 2006891997072550, 1134049269345549, + 1638760646180091, 2055396084625778 +#else + 58253184, 15927860, 9866406, 29905021, 64711949, 16898650, + 36699387, 24419436, 25112946, 30627788 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2222475519314561, 1870703901472013, 1884051508440561, + 1344072275216753, 1318025677799069 +#else + 64604801, 33117465, 25621773, 27875660, 15085041, 28074555, + 42223985, 20028237, 5537437, 19640113 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 155711679280656, 681100400509288, 389811735211209, + 2135723811340709, 408733211204125 +#else + 55883280, 2320284, 57524584, 10149186, 33664201, 5808647, + 52232613, 31824764, 31234589, 6090599 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 7813206966729, 194444201427550, 2071405409526507, + 1065605076176312, 1645486789731291 +#else + 57475529, 116425, 26083934, 2897444, 60744427, 30866345, 609720, + 15878753, 60138459, 24519663 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 16625790644959, 1647648827778410, 1579910185572704, + 436452271048548, 121070048451050 +#else + 39351007, 247743, 51914090, 24551880, 23288160, 23542496, + 43239268, 6503645, 20650474, 1804084 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1037263028552531, 568385780377829, 297953104144430, + 1558584511931211, 2238221839292471 +#else + 39519059, 15456423, 8972517, 8469608, 15640622, 4439847, + 3121995, 23224719, 27842615, 33352104 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 190565267697443, 672855706028058, 338796554369226, + 337687268493904, 853246848691734 +#else + 51801891, 2839643, 22530074, 10026331, 4602058, 5048462, + 28248656, 5031932, 55733782, 12714368 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1763863028400139, 766498079432444, 1321118624818005, + 69494294452268, 858786744165651 +#else + 20807691, 26283607, 29286140, 11421711, 39232341, 19686201, + 45881388, 1035545, 47375635, 12796919 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1292056768563024, 1456632109855638, 1100631247050184, + 1386133165675321, 1232898350193752 +#else + 12076880, 19253146, 58323862, 21705509, 42096072, 16400683, + 49517369, 20654993, 3480664, 18371617 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 366253102478259, 525676242508811, 1449610995265438, + 1183300845322183, 185960306491545 +#else + 34747315, 5457596, 28548107, 7833186, 7303070, 21600887, + 42745799, 17632556, 33734809, 2771024 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 28315355815982, 460422265558930, 1799675876678724, + 1969256312504498, 1051823843138725 +#else + 45719598, 421931, 26597266, 6860826, 22486084, 26817260, + 49971378, 29344205, 42556581, 15673396 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 156914999361983, 1606148405719949, 1665208410108430, + 317643278692271, 1383783705665320 +#else + 46924223, 2338215, 19788685, 23933476, 63107598, 24813538, + 46837679, 4733253, 3727144, 20619984 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 54684536365732, 2210010038536222, 1194984798155308, + 535239027773705, 1516355079301361 +#else + 6120100, 814863, 55314462, 32931715, 6812204, 17806661, 2019593, + 7975683, 31123697, 22595451 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1484387703771650, 198537510937949, 2186282186359116, + 617687444857508, 647477376402122 +#else + 30069250, 22119100, 30434653, 2958439, 18399564, 32578143, + 12296868, 9204260, 50676426, 9648164 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2147715541830533, 500032538445817, 646380016884826, + 352227855331122, 1488268620408052 +#else + 32705413, 32003455, 30705657, 7451065, 55303258, 9631812, + 3305266, 5248604, 41100532, 22176930 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 159386186465542, 1877626593362941, 618737197060512, + 1026674284330807, 1158121760792685 +#else + 17219846, 2375039, 35537917, 27978816, 47649184, 9219902, + 294711, 15298639, 2662509, 17257359 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1744544377739822, 1964054180355661, 1685781755873170, + 2169740670377448, 1286112621104591 +#else + 65935918, 25995736, 62742093, 29266687, 45762450, 25120105, + 32087528, 32331655, 32247247, 19164571 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 81977249784993, 1667943117713086, 1668983819634866, + 1605016835177615, 1353960708075544 +#else + 14312609, 1221556, 17395390, 24854289, 62163122, 24869796, + 38911119, 23916614, 51081240, 20175586 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1602253788689063, 439542044889886, 2220348297664483, + 657877410752869, 157451572512238 +#else + 65680039, 23875441, 57873182, 6549686, 59725795, 33085767, + 23046501, 9803137, 17597934, 2346211 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1029287186166717, 65860128430192, 525298368814832, + 1491902500801986, 1461064796385400 +#else + 18510781, 15337574, 26171504, 981392, 44867312, 7827555, + 43617730, 22231079, 3059832, 21771562 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 408216988729246, 2121095722306989, 913562102267595, + 1879708920318308, 241061448436731 +#else + 10141598, 6082907, 17829293, 31606789, 9830091, 13613136, + 41552228, 28009845, 33606651, 3592095 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1185483484383269, 1356339572588553, 584932367316448, + 102132779946470, 1792922621116791 +#else + 33114149, 17665080, 40583177, 20211034, 33076704, 8716171, + 1151462, 1521897, 66126199, 26716628 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1966196870701923, 2230044620318636, 1425982460745905, + 261167817826569, 46517743394330 +#else + 34169699, 29298616, 23947180, 33230254, 34035889, 21248794, + 50471177, 3891703, 26353178, 693168 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 107077591595359, 884959942172345, 27306869797400, + 2224911448949390, 964352058245223 +#else + 30374239, 1595580, 50224825, 13186930, 4600344, 406904, 9585294, + 33153764, 31375463, 14369965 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1730194207717538, 431790042319772, 1831515233279467, + 1372080552768581, 1074513929381760 +#else + 52738210, 25781902, 1510300, 6434173, 48324075, 27291703, + 32732229, 20445593, 17901440, 16011505 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1450880638731607, 1019861580989005, 1229729455116861, + 1174945729836143, 826083146840706 +#else + 18171223, 21619806, 54608461, 15197121, 56070717, 18324396, + 47936623, 17508055, 8764034, 12309598 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1899935429242705, 1602068751520477, 940583196550370, + 82431069053859, 1540863155745696 +#else + 5975889, 28311244, 47649501, 23872684, 55567586, 14015781, + 43443107, 1228318, 17544096, 22960650 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2136688454840028, 2099509000964294, 1690800495246475, + 1217643678575476, 828720645084218 +#else + 5811932, 31839139, 3442886, 31285122, 48741515, 25194890, + 49064820, 18144304, 61543482, 12348899 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 765548025667841, 462473984016099, 998061409979798, + 546353034089527, 2212508972466858 +#else + 35709185, 11407554, 25755363, 6891399, 63851926, 14872273, + 42259511, 8141294, 56476330, 32968952 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 46575283771160, 892570971573071, 1281983193144090, + 1491520128287375, 75847005908304 +#else + 54433560, 694025, 62032719, 13300343, 14015258, 19103038, + 57410191, 22225381, 30944592, 1130208 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1801436127943107, 1734436817907890, 1268728090345068, + 167003097070711, 2233597765834956 +#else + 8247747, 26843490, 40546482, 25845122, 52706924, 18905521, + 4652151, 2488540, 23550156, 33283200 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1997562060465113, 1048700225534011, 7615603985628, + 1855310849546841, 2242557647635213 +#else + 17294297, 29765994, 7026747, 15626851, 22990044, 113481, + 2267737, 27646286, 66700045, 33416712 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1161017320376250, 492624580169043, 2169815802355237, + 976496781732542, 1770879511019629 +#else + 16091066, 17300506, 18599251, 7340678, 2137637, 32332775, + 63744702, 14550935, 3260525, 26388161 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1357044908364776, 729130645262438, 1762469072918979, + 1365633616878458, 181282906404941 +#else + 62198760, 20221544, 18550886, 10864893, 50649539, 26262835, + 44079994, 20349526, 54360141, 2701325 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1080413443139865, 1155205815510486, 1848782073549786, + 622566975152580, 124965574467971 +#else + 58534169, 16099414, 4629974, 17213908, 46322650, 27548999, + 57090500, 9276970, 11329923, 1862132 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1184526762066993, 247622751762817, 692129017206356, + 820018689412496, 2188697339828085 +#else + 14763057, 17650824, 36190593, 3689866, 3511892, 10313526, + 45157776, 12219230, 58070901, 32614131 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2020536369003019, 202261491735136, 1053169669150884, + 2056531979272544, 778165514694311 +#else + 8894987, 30108338, 6150752, 3013931, 301220, 15693451, 35127648, + 30644714, 51670695, 11595569 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 237404399610207, 1308324858405118, 1229680749538400, + 720131409105291, 1958958863624906 +#else + 15214943, 3537601, 40870142, 19495559, 4418656, 18323671, + 13947275, 10730794, 53619402, 29190761 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 515583508038846, 17656978857189, 1717918437373989, + 1568052070792483, 46975803123923 +#else + 64570558, 7682792, 32759013, 263109, 37124133, 25598979, + 44776739, 23365796, 977107, 699994 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 281527309158085, 36970532401524, 866906920877543, + 2222282602952734, 1289598729589882 +#else + 54642373, 4195083, 57897332, 550903, 51543527, 12917919, + 19118110, 33114591, 36574330, 19216518 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1278207464902042, 494742455008756, 1262082121427081, + 1577236621659884, 1888786707293291 +#else + 31788442, 19046775, 4799988, 7372237, 8808585, 18806489, + 9408236, 23502657, 12493931, 28145115 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 353042527954210, 1830056151907359, 1111731275799225, + 174960955838824, 404312815582675 +#else + 41428258, 5260743, 47873055, 27269961, 63412921, 16566086, + 27218280, 2607121, 29375955, 6024730 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2064251142068628, 1666421603389706, 1419271365315441, + 468767774902855, 191535130366583 +#else + 842132, 30759739, 62345482, 24831616, 26332017, 21148791, + 11831879, 6985184, 57168503, 2854095 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1716987058588002, 1859366439773457, 1767194234188234, + 64476199777924, 1117233614485261 +#else + 62261602, 25585100, 2516241, 27706719, 9695690, 26333246, + 16512644, 960770, 12121869, 16648078 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 984292135520292, 135138246951259, 2220652137473167, + 1722843421165029, 190482558012909 +#else + 51890212, 14667095, 53772635, 2013716, 30598287, 33090295, + 35603941, 25672367, 20237805, 2838411 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 298845952651262, 1166086588952562, 1179896526238434, + 1347812759398693, 1412945390096208 +#else + 47820798, 4453151, 15298546, 17376044, 22115042, 17581828, + 12544293, 20083975, 1068880, 21054527 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1143239552672925, 906436640714209, 2177000572812152, + 2075299936108548, 325186347798433 +#else + 57549981, 17035596, 33238497, 13506958, 30505848, 32439836, + 58621956, 30924378, 12521377, 4845654 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 721024854374772, 684487861263316, 1373438744094159, + 2193186935276995, 1387043709851261 +#else + 38910324, 10744107, 64150484, 10199663, 7759311, 20465832, + 3409347, 32681032, 60626557, 20668561 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 418098668140962, 715065997721283, 1471916138376055, + 2168570337288357, 937812682637044 +#else + 43547042, 6230155, 46726851, 10655313, 43068279, 21933259, + 10477733, 32314216, 63995636, 13974497 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1043584187226485, 2143395746619356, 2209558562919611, + 482427979307092, 847556718384018 +#else + 12966261, 15550616, 35069916, 31939085, 21025979, 32924988, + 5642324, 7188737, 18895762, 12629579 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1248731221520759, 1465200936117687, 540803492710140, + 52978634680892, 261434490176109 +#else + 14741879, 18607545, 22177207, 21833195, 1279740, 8058600, + 11758140, 789443, 32195181, 3895677 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1057329623869501, 620334067429122, 461700859268034, + 2012481616501857, 297268569108938 +#else + 10758205, 15755439, 62598914, 9243697, 62229442, 6879878, + 64904289, 29988312, 58126794, 4429646 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1055352180870759, 1553151421852298, 1510903185371259, + 1470458349428097, 1226259419062731 +#else + 64654951, 15725972, 46672522, 23143759, 61304955, 22514211, + 59972993, 21911536, 18047435, 18272689 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1492988790301668, 790326625573331, 1190107028409745, + 1389394752159193, 1620408196604194 +#else + 41935844, 22247266, 29759955, 11776784, 44846481, 17733976, + 10993113, 20703595, 49488162, 24145963 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 47000654413729, 1004754424173864, 1868044813557703, + 173236934059409, 588771199737015 +#else + 21987233, 700364, 42603816, 14972007, 59334599, 27836036, + 32155025, 2581431, 37149879, 8773374 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 30498470091663, 1082245510489825, 576771653181956, + 806509986132686, 1317634017056939 +#else + 41540495, 454462, 53896929, 16126714, 25240068, 8594567, + 20656846, 12017935, 59234475, 19634276 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 420308055751555, 1493354863316002, 165206721528088, + 1884845694919786, 2065456951573059 +#else + 6028163, 6263078, 36097058, 22252721, 66289944, 2461771, + 35267690, 28086389, 65387075, 30777706 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1115636332012334, 1854340990964155, 83792697369514, + 1972177451994021, 457455116057587 +#else + 54829870, 16624276, 987579, 27631834, 32908202, 1248608, + 7719845, 29387734, 28408819, 6816612 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1698968457310898, 1435137169051090, 1083661677032510, + 938363267483709, 340103887207182 +#else + 56750770, 25316602, 19549650, 21385210, 22082622, 16147817, + 20613181, 13982702, 56769294, 5067942 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1995325341336574, 911500251774648, 164010755403692, + 855378419194762, 1573601397528842 +#else + 36602878, 29732664, 12074680, 13582412, 47230892, 2443950, + 47389578, 12746131, 5331210, 23448488 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 241719380661528, 310028521317150, 1215881323380194, + 1408214976493624, 2141142156467363 +#else + 30528792, 3601899, 65151774, 4619784, 39747042, 18118043, + 24180792, 20984038, 27679907, 31905504 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1315157046163473, 727368447885818, 1363466668108618, + 1668921439990361, 1398483384337907 +#else + 9402385, 19597367, 32834042, 10838634, 40528714, 20317236, + 26653273, 24868867, 22611443, 20839026 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 75029678299646, 1015388206460473, 1849729037055212, + 1939814616452984, 444404230394954 +#else + 22190590, 1118029, 22736441, 15130463, 36648172, 27563110, + 19189624, 28905490, 4854858, 6622139 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2053597130993710, 2024431685856332, 2233550957004860, + 2012407275509545, 872546993104440 +#else + 58798126, 30600981, 58846284, 30166382, 56707132, 33282502, + 13424425, 29987205, 26404408, 13001963 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1217269667678610, 599909351968693, 1390077048548598, + 1471879360694802, 739586172317596 +#else + 35867026, 18138731, 64114613, 8939345, 11562230, 20713762, + 41044498, 21932711, 51703708, 11020692 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1718318639380794, 1560510726633958, 904462881159922, + 1418028351780052, 94404349451937 +#else + 1866042, 25604943, 59210214, 23253421, 12483314, 13477547, + 3175636, 21130269, 28761761, 1406734 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2132502667405250, 214379346175414, 1502748313768060, + 1960071701057800, 1353971822643138 +#else + 66660290, 31776765, 13018550, 3194501, 57528444, 22392694, + 24760584, 29207344, 25577410, 20175752 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 319394212043702, 2127459436033571, 717646691535162, + 663366796076914, 318459064945314 +#else + 42818486, 4759344, 66418211, 31701615, 2066746, 10693769, + 37513074, 9884935, 57739938, 4745409 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 405989424923593, 1960452633787083, 667349034401665, + 1492674260767112, 1451061489880787 +#else + 57967561, 6049713, 47577803, 29213020, 35848065, 9944275, + 51646856, 22242579, 10931923, 21622501 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 947085906234007, 323284730494107, 1485778563977200, + 728576821512394, 901584347702286 +#else + 50547351, 14112679, 59096219, 4817317, 59068400, 22139825, + 44255434, 10856640, 46638094, 13434653 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1575783124125742, 2126210792434375, 1569430791264065, + 1402582372904727, 1891780248341114 +#else + 22759470, 23480998, 50342599, 31683009, 13637441, 23386341, + 1765143, 20900106, 28445306, 28189722 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 838432205560695, 1997703511451664, 1018791879907867, + 1662001808174331, 78328132957753 +#else + 29875063, 12493613, 2795536, 29768102, 1710619, 15181182, + 56913147, 24765756, 9074233, 1167180 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 739152638255629, 2074935399403557, 505483666745895, + 1611883356514088, 628654635394878 +#else + 40903181, 11014232, 57266213, 30918946, 40200743, 7532293, + 48391976, 24018933, 3843902, 9367684 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1822054032121349, 643057948186973, 7306757352712, + 577249257962099, 284735863382083 +#else + 56139269, 27150720, 9591133, 9582310, 11349256, 108879, + 16235123, 8601684, 66969667, 4242894 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1366558556363930, 1448606567552086, 1478881020944768, + 165803179355898, 1115718458123498 +#else + 22092954, 20363309, 65066070, 21585919, 32186752, 22037044, + 60534522, 2470659, 39691498, 16625500 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 204146226972102, 1630511199034723, 2215235214174763, + 174665910283542, 956127674017216 +#else + 56051142, 3042015, 13770083, 24296510, 584235, 33009577, + 59338006, 2602724, 39757248, 14247412 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1562934578796716, 1070893489712745, 11324610642270, + 958989751581897, 2172552325473805 +#else + 6314156, 23289540, 34336361, 15957556, 56951134, 168749, + 58490057, 14290060, 27108877, 32373552 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1770564423056027, 735523631664565, 1326060113795289, + 1509650369341127, 65892421582684 +#else + 58522267, 26383465, 13241781, 10960156, 34117849, 19759835, + 33547975, 22495543, 39960412, 981873 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 623682558650637, 1337866509471512, 990313350206649, + 1314236615762469, 1164772974270275 +#else + 22833421, 9293594, 34459416, 19935764, 57971897, 14756818, + 44180005, 19583651, 56629059, 17356469 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 223256821462517, 723690150104139, 1000261663630601, + 933280913953265, 254872671543046 +#else + 59340277, 3326785, 38997067, 10783823, 19178761, 14905060, + 22680049, 13906969, 51175174, 3797898 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1969087237026041, 624795725447124, 1335555107635969, + 2069986355593023, 1712100149341902 +#else + 21721337, 29341686, 54902740, 9310181, 63226625, 19901321, + 23740223, 30845200, 20491982, 25512280 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1236103475266979, 1837885883267218, 1026072585230455, + 1025865513954973, 1801964901432134 +#else + 9209251, 18419377, 53852306, 27386633, 66377847, 15289672, + 25947805, 15286587, 30997318, 26851369 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1115241013365517, 1712251818829143, 2148864332502771, + 2096001471438138, 2235017246626125 +#else + 7392013, 16618386, 23946583, 25514540, 53843699, 32020573, + 52911418, 31232855, 17649997, 33304352 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1299268198601632, 2047148477845621, 2165648650132450, + 1612539282026145, 514197911628890 +#else + 57807776, 19360604, 30609525, 30504889, 41933794, 32270679, + 51867297, 24028707, 64875610, 7662145 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 118352772338543, 1067608711804704, 1434796676193498, + 1683240170548391, 230866769907437 +#else + 49550191, 1763593, 33994528, 15908609, 37067994, 21380136, + 7335079, 25082233, 63934189, 3440182 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1850689576796636, 1601590730430274, 1139674615958142, + 1954384401440257, 76039205311 +#else + 47219164, 27577423, 42997570, 23865561, 10799742, 16982475, + 40449, 29122597, 4862399, 1133 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1723387471374172, 997301467038410, 533927635123657, + 20928644693965, 1756575222802513 +#else + 34252636, 25680474, 61686474, 14860949, 50789833, 7956141, + 7258061, 311861, 36513873, 26175010 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2146711623855116, 503278928021499, 625853062251406, + 1109121378393107, 1033853809911861 +#else + 63335436, 31988495, 28985339, 7499440, 24445838, 9325937, + 29727763, 16527196, 18278453, 15405622 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 571005965509422, 2005213373292546, 1016697270349626, + 56607856974274, 914438579435146 +#else + 62726958, 8508651, 47210498, 29880007, 61124410, 15149969, + 53795266, 843522, 45233802, 13626196 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1346698876211176, 2076651707527589, 1084761571110205, + 265334478828406, 1068954492309671 +#else + 2281448, 20067377, 56193445, 30944521, 1879357, 16164207, + 56324982, 3953791, 13340839, 15928663 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1769967932677654, 1695893319756416, 1151863389675920, + 1781042784397689, 400287774418285 +#else + 31727126, 26374577, 48671360, 25270779, 2875792, 17164102, + 41838969, 26539605, 43656557, 5964752 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1851867764003121, 403841933237558, 820549523771987, + 761292590207581, 1743735048551143 +#else + 4100401, 27594980, 49929526, 6017713, 48403027, 12227140, + 40424029, 11344143, 2538215, 25983677 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 410915148140008, 2107072311871739, 1004367461876503, + 99684895396761, 1180818713503224 +#else + 57675240, 6123112, 11159803, 31397824, 30016279, 14966241, + 46633881, 1485420, 66479608, 17595569 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 285945406881439, 648174397347453, 1098403762631981, + 1366547441102991, 1505876883139217 +#else + 40304287, 4260918, 11851389, 9658551, 35091757, 16367491, + 46903439, 20363143, 11659921, 22439314 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 672095903120153, 1675918957959872, 636236529315028, + 1569297300327696, 2164144194785875 +#else + 26180377, 10015009, 36264640, 24973138, 5418196, 9480663, + 2231568, 23384352, 33100371, 32248261 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1902708175321798, 1035343530915438, 1178560808893263, + 301095684058146, 1280977479761118 +#else + 15121094, 28352561, 56718958, 15427820, 39598927, 17561924, + 21670946, 4486675, 61177054, 19088051 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1615357281742403, 404257611616381, 2160201349780978, + 1160947379188955, 1578038619549541 +#else + 16166467, 24070699, 56004733, 6023907, 35182066, 32189508, + 2340059, 17299464, 56373093, 23514607 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2013087639791217, 822734930507457, 1785668418619014, + 1668650702946164, 389450875221715 +#else + 28042865, 29997343, 54982337, 12259705, 63391366, 26608532, + 6766452, 24864833, 18036435, 5803270 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 453918449698368, 106406819929001, 2072540975937135, + 308588860670238, 1304394580755385 +#else + 66291264, 6763911, 11803561, 1585585, 10958447, 30883267, + 23855390, 4598332, 60949433, 19436993 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1295082798350326, 2091844511495996, 1851348972587817, + 3375039684596, 789440738712837 +#else + 36077558, 19298237, 17332028, 31170912, 31312681, 27587249, + 696308, 50292, 47013125, 11763583 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2083069137186154, 848523102004566, 993982213589257, + 1405313299916317, 1532824818698468 +#else + 66514282, 31040148, 34874710, 12643979, 12650761, 14811489, + 665117, 20940800, 47335652, 22840869 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1495961298852430, 1397203457344779, 1774950217066942, + 139302743555696, 66603584342787 +#else + 30464590, 22291560, 62981387, 20819953, 19835326, 26448819, + 42712688, 2075772, 50088707, 992470 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1782411379088302, 1096724939964781, 27593390721418, + 542241850291353, 1540337798439873 +#else + 18357166, 26559999, 7766381, 16342475, 37783946, 411173, + 14578841, 8080033, 55534529, 22952821 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 693543956581437, 171507720360750, 1557908942697227, + 1074697073443438, 1104093109037196 +#else + 19598397, 10334610, 12555054, 2555664, 18821899, 23214652, + 21873262, 16014234, 26224780, 16452269 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 345288228393419, 1099643569747172, 134881908403743, + 1740551994106740, 248212179299770 +#else + 36884939, 5145195, 5944548, 16385966, 3976735, 2009897, + 55731060, 25936245, 46575034, 3698649 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 231429562203065, 1526290236421172, 2021375064026423, + 1520954495658041, 806337791525116 +#else + 14187449, 3448569, 56472628, 22743496, 44444983, 30120835, + 7268409, 22663988, 27394300, 12015369 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1079623667189886, 872403650198613, 766894200588288, + 2163700860774109, 2023464507911816 +#else + 19695742, 16087646, 28032085, 12999827, 6817792, 11427614, + 20244189, 32241655, 53849736, 30151970 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 854645372543796, 1936406001954827, 151460662541253, + 825325739271555, 1554306377287556 +#else + 30860084, 12735208, 65220619, 28854697, 50133957, 2256939, + 58942851, 12298311, 58558340, 23160969 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1497138821904622, 1044820250515590, 1742593886423484, + 1237204112746837, 849047450816987 +#else + 61389038, 22309106, 65198214, 15569034, 26642876, 25966672, + 61319509, 18435777, 62132699, 12651792 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 667962773375330, 1897271816877105, 1399712621683474, + 1143302161683099, 2081798441209593 +#else + 64260450, 9953420, 11531313, 28271553, 26895122, 20857343, + 53990043, 17036529, 9768697, 31021214 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 127147851567005, 1936114012888110, 1704424366552046, + 856674880716312, 716603621335359 +#else + 42389405, 1894650, 66821166, 28850346, 15348718, 25397902, + 32767512, 12765450, 4940095, 10678226 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1072409664800960, 2146937497077528, 1508780108920651, + 935767602384853, 1112800433544068 +#else + 18860224, 15980149, 48121624, 31991861, 40875851, 22482575, + 59264981, 13944023, 42736516, 16582018 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 333549023751292, 280219272863308, 2104176666454852, + 1036466864875785, 536135186520207 +#else + 51604604, 4970267, 37215820, 4175592, 46115652, 31354675, + 55404809, 15444559, 56105103, 7989036 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 373666279883137, 146457241530109, 304116267127857, + 416088749147715, 1258577131183391 +#else + 31490433, 5568061, 64696061, 2182382, 34772017, 4531685, + 35030595, 6200205, 47422751, 18754260 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1186115062588401, 2251609796968486, 1098944457878953, + 1153112761201374, 1791625503417267 +#else + 49800177, 17674491, 35586086, 33551600, 34221481, 16375548, + 8680158, 17182719, 28550067, 26697300 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1870078460219737, 2129630962183380, 852283639691142, + 292865602592851, 401904317342226 +#else + 38981977, 27866340, 16837844, 31733974, 60258182, 12700015, + 37068883, 4364037, 1155602, 5988841 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1361070124828035, 815664541425524, 1026798897364671, + 1951790935390647, 555874891834790 +#else + 21890435, 20281525, 54484852, 12154348, 59276991, 15300495, + 23148983, 29083951, 24618406, 8283181 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1546301003424277, 459094500062839, 1097668518375311, + 1780297770129643, 720763293687608 +#else + 33972757, 23041680, 9975415, 6841041, 35549071, 16356535, + 3070187, 26528504, 1466168, 10740210 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1212405311403990, 1536693382542438, 61028431067459, + 1863929423417129, 1223219538638038 +#else + 65599446, 18066246, 53605478, 22898515, 32799043, 909394, + 53169961, 27774712, 34944214, 18227391 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1294303766540260, 1183557465955093, 882271357233093, + 63854569425375, 2213283684565087 +#else + 3960804, 19286629, 39082773, 17636380, 47704005, 13146867, + 15567327, 951507, 63848543, 32980496 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 339050984211414, 601386726509773, 413735232134068, + 966191255137228, 1839475899458159 +#else + 24740822, 5052253, 37014733, 8961360, 25877428, 6165135, + 42740684, 14397371, 59728495, 27410326 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 235605972169408, 2174055643032978, 1538335001838863, + 1281866796917192, 1815940222628465 +#else + 38220480, 3510802, 39005586, 32395953, 55870735, 22922977, + 51667400, 19101303, 65483377, 27059617 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1632352921721536, 1833328609514701, 2092779091951987, + 1923956201873226, 2210068022482919 +#else + 793280, 24323954, 8836301, 27318725, 39747955, 31184838, + 33152842, 28669181, 57202663, 32932579 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 35271216625062, 1712350667021807, 983664255668860, + 98571260373038, 1232645608559836 +#else + 5666214, 525582, 20782575, 25516013, 42570364, 14657739, + 16099374, 1468826, 60937436, 18367850 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1998172393429622, 1798947921427073, 784387737563581, + 1589352214827263, 1589861734168180 +#else + 62249590, 29775088, 64191105, 26806412, 7778749, 11688288, + 36704511, 23683193, 65549940, 23690785 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1733739258725305, 31715717059538, 201969945218860, + 992093044556990, 1194308773174556 +#else + 10896313, 25834728, 824274, 472601, 47648556, 3009586, 25248958, + 14783338, 36527388, 17796587 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 846415389605137, 746163495539180, 829658752826080, + 592067705956946, 957242537821393 +#else + 10566929, 12612572, 35164652, 11118702, 54475488, 12362878, + 21752402, 8822496, 24003793, 14264025 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1758148849754419, 619249044817679, 168089007997045, + 1371497636330523, 1867101418880350 +#else + 27713843, 26198459, 56100623, 9227529, 27050101, 2504721, + 23886875, 20436907, 13958494, 27821979 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 326633984209635, 261759506071016, 1700682323676193, + 1577907266349064, 1217647663383016 +#else + 43627235, 4867225, 39861736, 3900520, 29838369, 25342141, + 35219464, 23512650, 7340520, 18144364 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1714182387328607, 1477856482074168, 574895689942184, + 2159118410227270, 1555532449716575 +#else + 4646495, 25543308, 44342840, 22021777, 23184552, 8566613, + 31366726, 32173371, 52042079, 23179239 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 853828206885131, 998498946036955, 1835887550391235, + 207627336608048, 258363815956050 +#else + 49838347, 12723031, 50115803, 14878793, 21619651, 27356856, + 27584816, 3093888, 58265170, 3849920 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 141141474651677, 1236728744905256, 643101419899887, + 1646615130509173, 1208239602291765 +#else + 58043933, 2103171, 25561640, 18428694, 61869039, 9582957, + 32477045, 24536477, 5002293, 18004173 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1501663228068911, 1354879465566912, 1444432675498247, + 897812463852601, 855062598754348 +#else + 55051311, 22376525, 21115584, 20189277, 8808711, 21523724, + 16489529, 13378448, 41263148, 12741425 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 714380763546606, 1032824444965790, 1774073483745338, + 1063840874947367, 1738680636537158 +#else + 61162478, 10645102, 36197278, 15390283, 63821882, 26435754, + 24306471, 15852464, 28834118, 25908360 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1640635546696252, 633168953192112, 2212651044092396, + 30590958583852, 368515260889378 +#else + 49773116, 24447374, 42577584, 9434952, 58636780, 32971069, + 54018092, 455840, 20461858, 5491305 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1171650314802029, 1567085444565577, 1453660792008405, + 757914533009261, 1619511342778196 +#else + 13669229, 17458950, 54626889, 23351392, 52539093, 21661233, + 42112877, 11293806, 38520660, 24132599 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 420958967093237, 971103481109486, 2169549185607107, + 1301191633558497, 1661514101014240 +#else + 28497909, 6272777, 34085870, 14470569, 8906179, 32328802, + 18504673, 19389266, 29867744, 24758489 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 907123651818302, 1332556122804146, 1824055253424487, + 1367614217442959, 1982558335973172 +#else + 50901822, 13517195, 39309234, 19856633, 24009063, 27180541, + 60741263, 20379039, 22853428, 29542421 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1121533090144639, 1021251337022187, 110469995947421, + 1511059774758394, 2110035908131662 +#else + 24191359, 16712145, 53177067, 15217830, 14542237, 1646131, + 18603514, 22516545, 12876622, 31441985 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 303213233384524, 2061932261128138, 352862124777736, + 40828818670255, 249879468482660 +#else + 17902668, 4518229, 66697162, 30725184, 26878216, 5258055, + 54248111, 608396, 16031844, 3723494 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 856559257852200, 508517664949010, 1378193767894916, + 1723459126947129, 1962275756614521 +#else + 38476072, 12763727, 46662418, 7577503, 33001348, 20536687, + 17558841, 25681542, 23896953, 29240187 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1445691340537320, 40614383122127, 402104303144865, + 485134269878232, 1659439323587426 +#else + 47103464, 21542479, 31520463, 605201, 2543521, 5991821, + 64163800, 7229063, 57189218, 24727572 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 20057458979482, 1183363722525800, 2140003847237215, + 2053873950687614, 2112017736174909 +#else + 28816026, 298879, 38943848, 17633493, 19000927, 31888542, + 54428030, 30605106, 49057085, 31471516 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2228654250927986, 1483591363415267, 1368661293910956, + 1076511285177291, 526650682059608 +#else + 16000882, 33209536, 3493091, 22107234, 37604268, 20394642, + 12577739, 16041268, 47393624, 7847706 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 709481497028540, 531682216165724, 316963769431931, + 1814315888453765, 258560242424104 +#else + 10151868, 10572098, 27312476, 7922682, 14825339, 4723128, + 34252933, 27035413, 57088296, 3852847 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1053447823660455, 1955135194248683, 1010900954918985, + 1182614026976701, 1240051576966610 +#else + 55678375, 15697595, 45987307, 29133784, 5386313, 15063598, + 16514493, 17622322, 29330898, 18478208 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1957943897155497, 1788667368028035, 137692910029106, + 1039519607062, 826404763313028 +#else + 41609129, 29175637, 51885955, 26653220, 16615730, 2051784, + 3303702, 15490, 39560068, 12314390 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1848942433095597, 1582009882530495, 1849292741020143, + 1068498323302788, 2001402229799484 +#else + 15683501, 27551389, 18109119, 23573784, 15337967, 27556609, + 50391428, 15921865, 16103996, 29823217 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1528282417624269, 2142492439828191, 2179662545816034, + 362568973150328, 1591374675250271 +#else + 43939021, 22773182, 13588191, 31925625, 63310306, 32479502, + 47835256, 5402698, 37293151, 23713330 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 160026679434388, 232341189218716, 2149181472355545, + 598041771119831, 183859001910173 +#else + 23190676, 2384583, 34394524, 3462153, 37205209, 32025299, + 55842007, 8911516, 41903005, 2739712 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2013278155187349, 662660471354454, 793981225706267, + 411706605985744, 804490933124791 +#else + 21374101, 30000182, 33584214, 9874410, 15377179, 11831242, + 33578960, 6134906, 4931255, 11987849 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2051892037280204, 488391251096321, 2230187337030708, + 930221970662692, 679002758255210 +#else + 67101132, 30575573, 50885377, 7277596, 105524, 33232381, + 35628324, 13861387, 37032554, 10117929 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1530723630438670, 875873929577927, 341560134269988, + 449903119530753, 1055551308214179 +#else + 37607694, 22809559, 40945095, 13051538, 41483300, 5089642, + 60783361, 6704078, 12890019, 15728940 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1461835919309432, 1955256480136428, 180866187813063, + 1551979252664528, 557743861963950 +#else + 45136504, 21783052, 66157804, 29135591, 14704839, 2695116, + 903376, 23126293, 12885166, 8311031 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 359179641731115, 1324915145732949, 902828372691474, + 294254275669987, 1887036027752957 +#else + 49592363, 5352193, 10384213, 19742774, 7506450, 13453191, + 26423267, 4384730, 1888765, 28119028 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2043271609454323, 2038225437857464, 1317528426475850, + 1398989128982787, 2027639881006861 +#else + 41291507, 30447119, 53614264, 30371925, 30896458, 19632703, + 34857219, 20846562, 47644429, 30214188 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2072902725256516, 312132452743412, 309930885642209, + 996244312618453, 1590501300352303 +#else + 43500868, 30888657, 66582772, 4651135, 5765089, 4618330, + 6092245, 14845197, 17151279, 23700316 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1397254305160710, 695734355138021, 2233992044438756, + 1776180593969996, 1085588199351115 +#else + 42278406, 20820711, 51942885, 10367249, 37577956, 33289075, + 22825804, 26467153, 50242379, 16176524 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 440567051331029, 254894786356681, 493869224930222, + 1556322069683366, 1567456540319218 +#else + 43525589, 6564960, 20063689, 3798228, 62368686, 7359224, + 2006182, 23191006, 38362610, 23356922 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1950722461391320, 1907845598854797, 1822757481635527, + 2121567704750244, 73811931471221 +#else + 56482264, 29068029, 53788301, 28429114, 3432135, 27161203, + 23632036, 31613822, 32808309, 1099883 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 387139307395758, 2058036430315676, 1220915649965325, + 1794832055328951, 1230009312169328 +#else + 15030958, 5768825, 39657628, 30667132, 60681485, 18193060, + 51830967, 26745081, 2051440, 18328567 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1765973779329517, 659344059446977, 19821901606666, + 1301928341311214, 1116266004075885 +#else + 63746541, 26315059, 7517889, 9824992, 23555850, 295369, 5148398, + 19400244, 44422509, 16633659 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1127572801181483, 1224743760571696, 1276219889847274, + 1529738721702581, 1589819666871853 +#else + 4577067, 16802144, 13249840, 18250104, 19958762, 19017158, + 18559669, 22794883, 8402477, 23690159 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2181229378964934, 2190885205260020, 1511536077659137, + 1246504208580490, 668883326494241 +#else + 38702534, 32502850, 40318708, 32646733, 49896449, 22523642, + 9453450, 18574360, 17983009, 9967138 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 437866655573314, 669026411194768, 81896997980338, + 523874406393178, 245052060935236 +#else + 41346370, 6524721, 26585488, 9969270, 24709298, 1220360, + 65430874, 7806336, 17507396, 3651560 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1975438052228868, 1071801519999806, 594652299224319, + 1877697652668809, 1489635366987285 +#else + 56688388, 29436320, 14584638, 15971087, 51340543, 8861009, + 26556809, 27979875, 48555541, 22197296 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 958592545673770, 233048016518599, 851568750216589, + 567703851596087, 1740300006094761 +#else + 2839082, 14284142, 4029895, 3472686, 14402957, 12689363, + 40466743, 8459446, 61503401, 25932490 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2014540178270324, 192672779514432, 213877182641530, + 2194819933853411, 1716422829364835 +#else + 62269556, 30018987, 9744960, 2871048, 25113978, 3187018, + 41998051, 32705365, 17258083, 25576693 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1540769606609725, 2148289943846077, 1597804156127445, + 1230603716683868, 815423458809453 +#else + 18164541, 22959256, 49953981, 32012014, 19237077, 23809137, + 23357532, 18337424, 26908269, 12150756 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1738560251245018, 1779576754536888, 1783765347671392, + 1880170990446751, 1088225159617541 +#else + 36843994, 25906566, 5112248, 26517760, 65609056, 26580174, + 43167, 28016731, 34806789, 16215818 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 659303913929492, 1956447718227573, 1830568515922666, + 841069049744408, 1669607124206368 +#else + 60209940, 9824393, 54804085, 29153342, 35711722, 27277596, + 32574488, 12532905, 59605792, 24879084 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1143465490433355, 1532194726196059, 1093276745494697, + 481041706116088, 2121405433561163 +#else + 39765323, 17038963, 39957339, 22831480, 946345, 16291093, + 254968, 7168080, 21676107, 31611404 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1686424298744462, 1451806974487153, 266296068846582, + 1834686947542675, 1720762336132256 +#else + 21260942, 25129680, 50276977, 21633609, 43430902, 3968120, + 63456915, 27338965, 63552672, 25641356 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 889217026388959, 1043290623284660, 856125087551909, + 1669272323124636, 1603340330827879 +#else + 16544735, 13250366, 50304436, 15546241, 62525861, 12757257, + 64646556, 24874095, 48201831, 23891632 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1206396181488998, 333158148435054, 1402633492821422, + 1120091191722026, 1945474114550509 +#else + 64693606, 17976703, 18312302, 4964443, 51836334, 20900867, + 26820650, 16690659, 25459437, 28989823 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 766720088232571, 1512222781191002, 1189719893490790, + 2091302129467914, 2141418006894941 +#else + 41964155, 11425019, 28423002, 22533875, 60963942, 17728207, + 9142794, 31162830, 60676445, 31909614 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 419663647306612, 1998875112167987, 1426599870253707, + 1154928355379510, 486538532138187 +#else + 44004212, 6253475, 16964147, 29785560, 41994891, 21257994, + 39651638, 17209773, 6335691, 7249989 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 938160078005954, 1421776319053174, 1941643234741774, + 180002183320818, 1414380336750546 +#else + 36775618, 13979674, 7503222, 21186118, 55152142, 28932738, + 36836594, 2682241, 25993170, 21075909 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 398001940109652, 1577721237663248, 1012748649830402, + 1540516006905144, 1011684812884559 +#else + 4364628, 5930691, 32304656, 23509878, 59054082, 15091130, + 22857016, 22955477, 31820367, 15075278 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1653276489969630, 6081825167624, 1921777941170836, + 1604139841794531, 861211053640641 +#else + 31879134, 24635739, 17258760, 90626, 59067028, 28636722, + 24162787, 23903546, 49138625, 12833044 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 996661541407379, 1455877387952927, 744312806857277, + 139213896196746, 1000282908547789 +#else + 19073683, 14851414, 42705695, 21694263, 7625277, 11091125, + 47489674, 2074448, 57694925, 14905376 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1450817495603008, 1476865707053229, 1030490562252053, + 620966950353376, 1744760161539058 +#else + 24483648, 21618865, 64589997, 22007013, 65555733, 15355505, + 41826784, 9253128, 27628530, 25998952 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 559728410002599, 37056661641185, 2038622963352006, + 1637244893271723, 1026565352238948 +#else + 17597607, 8340603, 19355617, 552187, 26198470, 30377849, + 4593323, 24396850, 52997988, 15297015 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 962165956135846, 1116599660248791, 182090178006815, + 1455605467021751, 196053588803284 +#else + 510886, 14337390, 35323607, 16638631, 6328095, 2713355, + 46891447, 21690211, 8683220, 2921426 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 796863823080135, 1897365583584155, 420466939481601, + 2165972651724672, 932177357788289 +#else + 18606791, 11874196, 27155355, 28272950, 43077121, 6265445, + 41930624, 32275507, 4674689, 13890525 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 877047233620632, 1375632631944375, 643773611882121, + 660022738847877, 19353932331831 +#else + 13609624, 13069022, 39736503, 20498523, 24360585, 9592974, + 14977157, 9835105, 4389687, 288396 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2216943882299338, 394841323190322, 2222656898319671, + 558186553950529, 1077236877025190 +#else + 9922506, 33035038, 13613106, 5883594, 48350519, 33120168, + 54804801, 8317627, 23388070, 16052080 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 801118384953213, 1914330175515892, 574541023311511, + 1471123787903705, 1526158900256288 +#else + 12719997, 11937594, 35138804, 28525742, 26900119, 8561328, + 46953177, 21921452, 52354592, 22741539 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 949617889087234, 2207116611267331, 912920039141287, + 501158539198789, 62362560771472 +#else + 15961858, 14150409, 26716931, 32888600, 44314535, 13603568, + 11829573, 7467844, 38286736, 929274 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1474518386765335, 1760793622169197, 1157399790472736, + 1622864308058898, 165428294422792 +#else + 11038231, 21972036, 39798381, 26237869, 56610336, 17246600, + 43629330, 24182562, 45715720, 2465073 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1961673048027128, 102619413083113, 1051982726768458, + 1603657989805485, 1941613251499678 +#else + 20017144, 29231206, 27915241, 1529148, 12396362, 15675764, + 13817261, 23896366, 2463390, 28932292 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1401939116319266, 335306339903072, 72046196085786, + 862423201496006, 850518754531384 +#else + 50749986, 20890520, 55043680, 4996453, 65852442, 1073571, + 9583558, 12851107, 4003896, 12673717 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1234706593321979, 1083343891215917, 898273974314935, + 1640859118399498, 157578398571149 +#else + 65377275, 18398561, 63845933, 16143081, 19294135, 13385325, + 14741514, 24450706, 7903885, 2348101 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1143483057726416, 1992614991758919, 674268662140796, + 1773370048077526, 674318359920189 +#else + 24536016, 17039225, 12715591, 29692277, 1511292, 10047386, + 63266518, 26425272, 38731325, 10048126 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1835401379538542, 173900035308392, 818247630716732, + 1762100412152786, 1021506399448291 +#else + 54486638, 27349611, 30718824, 2591312, 56491836, 12192839, + 18873298, 26257342, 34811107, 15221631 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1506632088156630, 2127481795522179, 513812919490255, + 140643715928370, 442476620300318 +#else + 40630742, 22450567, 11546243, 31701949, 9180879, 7656409, + 45764914, 2095754, 29769758, 6593415 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2056683376856736, 219094741662735, 2193541883188309, + 1841182310235800, 556477468664293 +#else + 35114656, 30646970, 4176911, 3264766, 12538965, 32686321, + 26312344, 27435754, 30958053, 8292160 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1315019427910827, 1049075855992603, 2066573052986543, + 266904467185534, 2040482348591520 +#else + 31429803, 19595316, 29173531, 15632448, 12174511, 30794338, + 32808830, 3977186, 26143136, 30405556 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 94096246544434, 922482381166992, 24517828745563, + 2139430508542503, 2097139044231004 +#else + 22648882, 1402143, 44308880, 13746058, 7936347, 365344, + 58440231, 31879998, 63350620, 31249806 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 537697207950515, 1399352016347350, 1563663552106345, + 2148749520888918, 549922092988516 +#else + 51616947, 8012312, 64594134, 20851969, 43143017, 23300402, + 65496150, 32018862, 50444388, 8194477 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1747985413252434, 680511052635695, 1809559829982725, + 594274250930054, 201673170745982 +#else + 27338066, 26047012, 59694639, 10140404, 48082437, 26964542, + 27277190, 8855376, 28572286, 3005164 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 323583936109569, 1973572998577657, 1192219029966558, + 79354804385273, 1374043025560347 +#else + 26287105, 4821776, 25476601, 29408529, 63344350, 17765447, + 49100281, 1182478, 41014043, 20474836 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 213277331329947, 416202017849623, 1950535221091783, + 1313441578103244, 2171386783823658 +#else + 59937691, 3178079, 23970071, 6201893, 49913287, 29065239, + 45232588, 19571804, 32208682, 32356184 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 189088804229831, 993969372859110, 895870121536987, + 1547301535298256, 1477373024911350 +#else + 50451143, 2817642, 56822502, 14811297, 6024667, 13349505, + 39793360, 23056589, 39436278, 22014573 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1620578418245010, 541035331188469, 2235785724453865, + 2154865809088198, 1974627268751826 +#else + 15941010, 24148500, 45741813, 8062054, 31876073, 33315803, + 51830470, 32110002, 15397330, 29424239 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1346805451740245, 1350981335690626, 942744349501813, + 2155094562545502, 1012483751693409 +#else + 8934485, 20068965, 43822466, 20131190, 34662773, 14047985, + 31170398, 32113411, 39603297, 15087183 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2107080134091762, 1132567062788208, 1824935377687210, + 769194804343737, 1857941799971888 +#else + 48751602, 31397940, 24524912, 16876564, 15520426, 27193656, + 51606457, 11461895, 16788528, 27685490 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1074666112436467, 249279386739593, 1174337926625354, + 1559013532006480, 1472287775519121 +#else + 65161459, 16013772, 21750665, 3714552, 49707082, 17498998, + 63338576, 23231111, 31322513, 21938797 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1872620123779532, 1892932666768992, 1921559078394978, + 1270573311796160, 1438913646755037 +#else + 21426636, 27904214, 53460576, 28206894, 38296674, 28633461, + 48833472, 18933017, 13040861, 21441484 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 837390187648199, 1012253300223599, 989780015893987, + 1351393287739814, 328627746545550 +#else + 11293895, 12478086, 39972463, 15083749, 37801443, 14748871, + 14555558, 20137329, 1613710, 4896935 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1028328827183114, 1711043289969857, 1350832470374933, + 1923164689604327, 1495656368846911 +#else + 41213962, 15323293, 58619073, 25496531, 25967125, 20128972, + 2825959, 28657387, 43137087, 22287016 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1900828492104143, 430212361082163, 687437570852799, + 832514536673512, 1685641495940794 +#else + 51184079, 28324551, 49665331, 6410663, 3622847, 10243618, + 20615400, 12405433, 43355834, 25118015 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 842632847936398, 605670026766216, 290836444839585, + 163210774892356, 2213815011799645 +#else + 60017550, 12556207, 46917512, 9025186, 50036385, 4333800, + 4378436, 2432030, 23097949, 32988414 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1176336383453996, 1725477294339771, 12700622672454, + 678015708818208, 162724078519879 +#else + 4565804, 17528778, 20084411, 25711615, 1724998, 189254, + 24767264, 10103221, 48596551, 2424777 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1448049969043497, 1789411762943521, 385587766217753, + 90201620913498, 832999441066823 +#else + 366633, 21577626, 8173089, 26664313, 30788633, 5745705, + 59940186, 1344108, 63466311, 12412658 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 516086333293313, 2240508292484616, 1351669528166508, + 1223255565316488, 750235824427138 +#else + 43107073, 7690285, 14929416, 33386175, 34898028, 20141445, + 24162696, 18227928, 63967362, 11179384 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1263624896582495, 1102602401673328, 526302183714372, + 2152015839128799, 1483839308490010 +#else + 18289503, 18829478, 8056944, 16430056, 45379140, 7842513, + 61107423, 32067534, 48424218, 22110928 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 442991718646863, 1599275157036458, 1925389027579192, + 899514691371390, 350263251085160 +#else + 476239, 6601091, 60956074, 23831056, 17503544, 28690532, + 27672958, 13403813, 11052904, 5219329 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1689713572022143, 593854559254373, 978095044791970, + 1985127338729499, 1676069120347625 +#else + 20678527, 25178694, 34436965, 8849122, 62099106, 14574751, + 31186971, 29580702, 9014761, 24975376 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1557207018622683, 340631692799603, 1477725909476187, + 614735951619419, 2033237123746766 +#else + 53464795, 23204192, 51146355, 5075807, 65594203, 22019831, + 34006363, 9160279, 8473550, 30297594 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 968764929340557, 1225534776710944, 662967304013036, + 1155521416178595, 791142883466590 +#else + 24900749, 14435722, 17209120, 18261891, 44516588, 9878982, + 59419555, 17218610, 42540382, 11788947 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1487081286167458, 993039441814934, 1792378982844640, + 698652444999874, 2153908693179754 +#else + 63990690, 22159237, 53306774, 14797440, 9652448, 26708528, + 47071426, 10410732, 42540394, 32095740 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1123181311102823, 685575944875442, 507605465509927, + 1412590462117473, 568017325228626 +#else + 51449703, 16736705, 44641714, 10215877, 58011687, 7563910, + 11871841, 21049238, 48595538, 8464117 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 560258797465417, 2193971151466401, 1824086900849026, + 579056363542056, 1690063960036441 +#else + 43708233, 8348506, 52522913, 32692717, 63158658, 27181012, + 14325288, 8628612, 33313881, 25183915 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1918407319222416, 353767553059963, 1930426334528099, + 1564816146005724, 1861342381708096 +#else + 46921872, 28586496, 22367355, 5271547, 66011747, 28765593, + 42303196, 23317577, 58168128, 27736162 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2131325168777276, 1176636658428908, 1756922641512981, + 1390243617176012, 1966325177038383 +#else + 60160060, 31759219, 34483180, 17533252, 32635413, 26180187, + 15989196, 20716244, 28358191, 29300528 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2063958120364491, 2140267332393533, 699896251574968, + 273268351312140, 375580724713232 +#else + 43547083, 30755372, 34757181, 31892468, 57961144, 10429266, + 50471180, 4072015, 61757200, 5596588 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2024297515263178, 416959329722687, 1079014235017302, + 171612225573183, 1031677520051053 +#else + 38872266, 30164383, 12312895, 6213178, 3117142, 16078565, + 29266239, 2557221, 1768301, 15373193 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2033900009388450, 1744902869870788, 2190580087917640, + 1949474984254121, 231049754293748 +#else + 59865506, 30307471, 62515396, 26001078, 66980936, 32642186, + 66017961, 29049440, 42448372, 3442909 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 343868674606581, 550155864008088, 1450580864229630, + 481603765195050, 896972360018042 +#else + 36898293, 5124042, 14181784, 8197961, 18964734, 21615339, + 22597930, 7176455, 48523386, 13365929 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2151139328380127, 314745882084928, 59756825775204, + 1676664391494651, 2048348075599360 +#else + 59231455, 32054473, 8324672, 4690079, 6261860, 890446, 24538107, + 24984246, 57419264, 30522764 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1528930066340597, 1605003907059576, 1055061081337675, + 1458319101947665, 1234195845213142 +#else + 25008885, 22782833, 62803832, 23916421, 16265035, 15721635, + 683793, 21730648, 15723478, 18390951 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 830430507734812, 1780282976102377, 1425386760709037, + 362399353095425, 2168861579799910 +#else + 57448220, 12374378, 40101865, 26528283, 59384749, 21239917, + 11879681, 5400171, 519526, 32318556 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1155762232730333, 980662895504006, 2053766700883521, + 490966214077606, 510405877041357 +#else + 22258397, 17222199, 59239046, 14613015, 44588609, 30603508, + 46754982, 7315966, 16648397, 7605640 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1683750316716132, 652278688286128, 1221798761193539, + 1897360681476669, 319658166027343 +#else + 59027556, 25089834, 58885552, 9719709, 19259459, 18206220, + 23994941, 28272877, 57640015, 4763277 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 618808732869972, 72755186759744, 2060379135624181, + 1730731526741822, 48862757828238 +#else + 45409620, 9220968, 51378240, 1084136, 41632757, 30702041, + 31088446, 25789909, 55752334, 728111 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1463171970593505, 1143040711767452, 614590986558883, + 1409210575145591, 1882816996436803 +#else + 26047201, 21802961, 60208540, 17032633, 24092067, 9158119, + 62835319, 20998873, 37743427, 28056159 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2230133264691131, 563950955091024, 2042915975426398, + 827314356293472, 672028980152815 +#else + 17510331, 33231575, 5854288, 8403524, 17133918, 30441820, + 38997856, 12327944, 10750447, 10014012 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 264204366029760, 1654686424479449, 2185050199932931, + 2207056159091748, 506015669043634 +#else + 56796096, 3936951, 9156313, 24656749, 16498691, 32559785, + 39627812, 32887699, 3424690, 7540221 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1784446333136569, 1973746527984364, 334856327359575, + 1156769775884610, 1023950124675478 +#else + 30322361, 26590322, 11361004, 29411115, 7433303, 4989748, + 60037442, 17237212, 57864598, 15258045 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2065270940578383, 31477096270353, 306421879113491, + 181958643936686, 1907105536686083 +#else + 13054543, 30774935, 19155473, 469045, 54626067, 4566041, + 5631406, 2711395, 1062915, 28418087 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1496516440779464, 1748485652986458, 872778352227340, + 818358834654919, 97932669284220 +#else + 47868616, 22299832, 37599834, 26054466, 61273100, 13005410, + 61042375, 12194496, 32960380, 1459310 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 471636015770351, 672455402793577, 1804995246884103, + 1842309243470804, 1501862504981682 +#else + 19852015, 7027924, 23669353, 10020366, 8586503, 26896525, + 394196, 27452547, 18638002, 22379495 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1013216974933691, 538921919682598, 1915776722521558, + 1742822441583877, 1886550687916656 +#else + 31395515, 15098109, 26581030, 8030562, 50580950, 28547297, + 9012485, 25970078, 60465776, 28111795 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2094270000643336, 303971879192276, 40801275554748, + 649448917027930, 1818544418535447 +#else + 57916680, 31207054, 65111764, 4529533, 25766844, 607986, + 67095642, 9677542, 34813975, 27098423 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2241737709499165, 549397817447461, 838180519319392, + 1725686958520781, 1705639080897747 +#else + 64664349, 33404494, 29348901, 8186665, 1873760, 12489863, + 36174285, 25714739, 59256019, 25416002 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1216074541925116, 50120933933509, 1565829004133810, + 721728156134580, 349206064666188 +#else + 51872508, 18120922, 7766469, 746860, 26346930, 23332670, + 39775412, 10754587, 57677388, 5203575 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 948617110470858, 346222547451945, 1126511960599975, + 1759386906004538, 493053284802266 +#else + 31834314, 14135496, 66338857, 5159117, 20917671, 16786336, + 59640890, 26216907, 31809242, 7347066 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1454933046815146, 874696014266362, 1467170975468588, + 1432316382418897, 2111710746366763 +#else + 57502122, 21680191, 20414458, 13033986, 13716524, 21862551, + 19797969, 21343177, 15192875, 31466942 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2105387117364450, 1996463405126433, 1303008614294500, + 851908115948209, 1353742049788635 +#else + 54445282, 31372712, 1168161, 29749623, 26747876, 19416341, + 10609329, 12694420, 33473243, 20172328 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 750300956351719, 1487736556065813, 15158817002104, + 1511998221598392, 971739901354129 +#else + 33184999, 11180355, 15832085, 22169002, 65475192, 225883, + 15089336, 22530529, 60973201, 14480052 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1874648163531693, 2124487685930551, 1810030029384882, + 918400043048335, 586348627300650 +#else + 31308717, 27934434, 31030839, 31657333, 15674546, 26971549, + 5496207, 13685227, 27595050, 8737275 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1235084464747900, 1166111146432082, 1745394857881591, + 1405516473883040, 4463504151617 +#else + 46790012, 18404192, 10933842, 17376410, 8335351, 26008410, + 36100512, 20943827, 26498113, 66511 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1663810156463827, 327797390285791, 1341846161759410, + 1964121122800605, 1747470312055380 +#else + 22644435, 24792703, 50437087, 4884561, 64003250, 19995065, + 30540765, 29267685, 53781076, 26039336 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 660005247548233, 2071860029952887, 1358748199950107, + 911703252219107, 1014379923023831 +#else + 39091017, 9834844, 18617207, 30873120, 63706907, 20246925, + 8205539, 13585437, 49981399, 15115438 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2206641276178231, 1690587809721504, 1600173622825126, + 2156096097634421, 1106822408548216 +#else + 23711543, 32881517, 31206560, 25191721, 6164646, 23844445, + 33572981, 32128335, 8236920, 16492939 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1344788193552206, 1949552134239140, 1735915881729557, + 675891104100469, 1834220014427292 +#else + 43198286, 20038905, 40809380, 29050590, 25005589, 25867162, + 19574901, 10071562, 6708380, 27332008 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1920949492387964, 158885288387530, 70308263664033, + 626038464897817, 1468081726101009 +#else + 2101372, 28624378, 19702730, 2367575, 51681697, 1047674, + 5301017, 9328700, 29955601, 21876122 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 622221042073383, 1210146474039168, 1742246422343683, + 1403839361379025, 417189490895736 +#else + 3096359, 9271816, 45488000, 18032587, 52260867, 25961494, + 41216721, 20918836, 57191288, 6216607 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 22727256592983, 168471543384997, 1324340989803650, + 1839310709638189, 504999476432775 +#else + 34493015, 338662, 41913253, 2510421, 37895298, 19734218, + 24822829, 27407865, 40341383, 7525078 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1313240518756327, 1721896294296942, 52263574587266, + 2065069734239232, 804910473424630 +#else + 44042215, 19568808, 16133486, 25658254, 63719298, 778787, + 66198528, 30771936, 47722230, 11994100 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1337466662091884, 1287645354669772, 2018019646776184, + 652181229374245, 898011753211715 +#else + 21691500, 19929806, 66467532, 19187410, 3285880, 30070836, + 42044197, 9718257, 59631427, 13381417 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1969792547910734, 779969968247557, 2011350094423418, + 1823964252907487, 1058949448296945 +#else + 18445390, 29352196, 14979845, 11622458, 65381754, 29971451, + 23111647, 27179185, 28535281, 15779576 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 207343737062002, 1118176942430253, 758894594548164, + 806764629546266, 1157700123092949 +#else + 30098034, 3089662, 57874477, 16662134, 45801924, 11308410, + 53040410, 12021729, 9955285, 17251076 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1273565321399022, 1638509681964574, 759235866488935, + 666015124346707, 897983460943405 +#else + 9734894, 18977602, 59635230, 24415696, 2060391, 11313496, + 48682835, 9924398, 20194861, 13380996 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1717263794012298, 1059601762860786, 1837819172257618, + 1054130665797229, 680893204263559 +#else + 40730762, 25589224, 44941042, 15789296, 49053522, 27385639, + 65123949, 15707770, 26342023, 10146099 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2237039662793603, 2249022333361206, 2058613546633703, + 149454094845279, 2215176649164582 +#else + 41091971, 33334488, 21339190, 33513044, 19745255, 30675732, + 37471583, 2227039, 21612326, 33008704 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 79472182719605, 1851130257050174, 1825744808933107, + 821667333481068, 781795293511946 +#else + 54031477, 1184227, 23562814, 27583990, 46757619, 27205717, + 25764460, 12243797, 46252298, 11649657 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 755822026485370, 152464789723500, 1178207602290608, + 410307889503239, 156581253571278 +#else + 57077370, 11262625, 27384172, 2271902, 26947504, 17556661, + 39943, 6114064, 33514190, 2333242 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1418185496130297, 484520167728613, 1646737281442950, + 1401487684670265, 1349185550126961 +#else + 45675257, 21132610, 8119781, 7219913, 45278342, 24538297, + 60429113, 20883793, 24350577, 20104431 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1495380034400429, 325049476417173, 46346894893933, + 1553408840354856, 828980101835683 +#else + 62992557, 22282898, 43222677, 4843614, 37020525, 690622, + 35572776, 23147595, 8317859, 12352766 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1280337889310282, 2070832742866672, 1640940617225222, + 2098284908289951, 450929509534434 +#else + 18200138, 19078521, 34021104, 30857812, 43406342, 24451920, + 43556767, 31266881, 20712162, 6719373 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 407703353998781, 126572141483652, 286039827513621, + 1999255076709338, 2030511179441770 +#else + 26656189, 6075253, 59250308, 1886071, 38764821, 4262325, + 11117530, 29791222, 26224234, 30256974 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1254958221100483, 1153235960999843, 942907704968834, + 637105404087392, 1149293270147267 +#else + 49939907, 18700334, 63713187, 17184554, 47154818, 14050419, + 21728352, 9493610, 18620611, 17125804 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 894249020470196, 400291701616810, 406878712230981, + 1599128793487393, 1145868722604026 +#else + 53785524, 13325348, 11432106, 5964811, 18609221, 6062965, + 61839393, 23828875, 36407290, 17074774 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1497955250203334, 110116344653260, 1128535642171976, + 1900106496009660, 129792717460909 +#else + 43248326, 22321272, 26961356, 1640861, 34695752, 16816491, + 12248508, 28313793, 13735341, 1934062 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 452487513298665, 1352120549024569, 1173495883910956, + 1999111705922009, 367328130454226 +#else + 25089769, 6742589, 17081145, 20148166, 21909292, 17486451, + 51972569, 29789085, 45830866, 5473615 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1717539401269642, 1475188995688487, 891921989653942, + 836824441505699, 1885988485608364 +#else + 31883658, 25593331, 1083431, 21982029, 22828470, 13290673, + 59983779, 12469655, 29111212, 28103418 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1241784121422547, 187337051947583, 1118481812236193, + 428747751936362, 30358898927325 +#else + 24244947, 18504025, 40845887, 2791539, 52111265, 16666677, + 24367466, 6388839, 56813277, 452382 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2022432361201842, 1088816090685051, 1977843398539868, + 1854834215890724, 564238862029357 +#else + 41468082, 30136590, 5217915, 16224624, 19987036, 29472163, + 42872612, 27639183, 15766061, 8407814 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 938868489100585, 1100285072929025, 1017806255688848, + 1957262154788833, 152787950560442 +#else + 46701865, 13990230, 15495425, 16395525, 5377168, 15166495, + 58191841, 29165478, 59040954, 2276717 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 867319417678923, 620471962942542, 226032203305716, + 342001443957629, 1761675818237336 +#else + 30157899, 12924066, 49396814, 9245752, 19895028, 3368142, + 43281277, 5096218, 22740376, 26251015 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1295072362439987, 931227904689414, 1355731432641687, + 922235735834035, 892227229410209 +#else + 2041139, 19298082, 7783686, 13876377, 41161879, 20201972, + 24051123, 13742383, 51471265, 13295221 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1680989767906154, 535362787031440, 2136691276706570, + 1942228485381244, 1267350086882274 +#else + 33338218, 25048699, 12532112, 7977527, 9106186, 31839181, + 49388668, 28941459, 62657506, 18884987 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 366018233770527, 432660629755596, 126409707644535, + 1973842949591662, 645627343442376 +#else + 47063583, 5454096, 52762316, 6447145, 28862071, 1883651, + 64639598, 29412551, 7770568, 9620597 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 535509430575217, 546885533737322, 1524675609547799, + 2138095752851703, 1260738089896827 +#else + 23208049, 7979712, 33071466, 8149229, 1758231, 22719437, + 30945527, 31860109, 33606523, 18786461 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1159906385590467, 2198530004321610, 714559485023225, + 81880727882151, 1484020820037082 +#else + 1439939, 17283952, 66028874, 32760649, 4625401, 10647766, + 62065063, 1220117, 30494170, 22113633 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1377485731340769, 2046328105512000, 1802058637158797, + 62146136768173, 1356993908853901 +#else + 62071265, 20526136, 64138304, 30492664, 15640973, 26852766, + 40369837, 926049, 65424525, 20220784 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2013612215646735, 1830770575920375, 536135310219832, + 609272325580394, 270684344495013 +#else + 13908495, 30005160, 30919927, 27280607, 45587000, 7989038, + 9021034, 9078865, 3353509, 4033511 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1237542585982777, 2228682050256790, 1385281931622824, + 593183794882890, 493654978552689 +#else + 37445433, 18440821, 32259990, 33209950, 24295848, 20642309, + 23161162, 8839127, 27485041, 7356032 +#endif + }}, + }, + }, + { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 47341488007760, 1891414891220257, 983894663308928, + 176161768286818, 1126261115179708 +#else + 9661008, 705443, 11980065, 28184278, 65480320, 14661172, + 60762722, 2625014, 28431036, 16782598 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1694030170963455, 502038567066200, 1691160065225467, + 949628319562187, 275110186693066 +#else + 43269631, 25243016, 41163352, 7480957, 49427195, 25200248, + 44562891, 14150564, 15970762, 4099461 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1124515748676336, 1661673816593408, 1499640319059718, + 1584929449166988, 558148594103306 +#else + 29262576, 16756590, 26350592, 24760869, 8529670, 22346382, + 13617292, 23617289, 11465738, 8317062 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1784525599998356, 1619698033617383, 2097300287550715, + 258265458103756, 1905684794832758 +#else + 41615764, 26591503, 32500199, 24135381, 44070139, 31252209, + 14898636, 3848455, 20969334, 28396916 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1288941072872766, 931787902039402, 190731008859042, + 2006859954667190, 1005931482221702 +#else + 46724414, 19206718, 48772458, 13884721, 34069410, 2842113, + 45498038, 29904543, 11177094, 14989547 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1465551264822703, 152905080555927, 680334307368453, + 173227184634745, 666407097159852 +#else + 42612143, 21838415, 16959895, 2278463, 12066309, 10137771, + 13515641, 2581286, 38621356, 9930239 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2111017076203943, 1378760485794347, 1248583954016456, + 1352289194864422, 1895180776543896 +#else + 49357223, 31456605, 16544299, 20545132, 51194056, 18605350, + 18345766, 20150679, 16291480, 28240394 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 171348223915638, 662766099800389, 462338943760497, + 466917763340314, 656911292869115 +#else + 33879670, 2553287, 32678213, 9875984, 8534129, 6889387, + 57432090, 6957616, 4368891, 9788741 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 488623681976577, 866497561541722, 1708105560937768, + 1673781214218839, 1506146329818807 +#else + 16660737, 7281060, 56278106, 12911819, 20108584, 25452756, + 45386327, 24941283, 16250551, 22443329 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 160425464456957, 950394373239689, 430497123340934, + 711676555398832, 320964687779005 +#else + 47343357, 2390525, 50557833, 14161979, 1905286, 6414907, + 4689584, 10604807, 36918461, 4782746 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 988979367990485, 1359729327576302, 1301834257246029, + 294141160829308, 29348272277475 +#else + 65754325, 14736940, 59741422, 20261545, 7710541, 19398842, + 57127292, 4383044, 22546403, 437323 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1434382743317910, 100082049942065, 221102347892623, + 186982837860588, 1305765053501834 +#else + 31665558, 21373968, 50922033, 1491338, 48740239, 3294681, + 27343084, 2786261, 36475274, 19457415 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2205916462268190, 499863829790820, 961960554686616, + 158062762756985, 1841471168298305 +#else + 52641566, 32870716, 33734756, 7448551, 19294360, 14334329, + 47418233, 2355318, 47824193, 27440058 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1191737341426592, 1847042034978363, 1382213545049056, + 1039952395710448, 788812858896859 +#else + 15121312, 17758270, 6377019, 27523071, 56310752, 20596586, + 18952176, 15496498, 37728731, 11754227 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1346965964571152, 1291881610839830, 2142916164336056, + 786821641205979, 1571709146321039 +#else + 64471568, 20071356, 8488726, 19250536, 12728760, 31931939, + 7141595, 11724556, 22761615, 23420291 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 787164375951248, 202869205373189, 1356590421032140, + 1431233331032510, 786341368775957 +#else + 16918416, 11729663, 49025285, 3022986, 36093132, 20214772, + 38367678, 21327038, 32851221, 11717399 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 492448143532951, 304105152670757, 1761767168301056, + 233782684697790, 1981295323106089 +#else + 11166615, 7338049, 60386341, 4531519, 37640192, 26252376, + 31474878, 3483633, 65915689, 29523600 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 665807507761866, 1343384868355425, 895831046139653, + 439338948736892, 1986828765695105 +#else + 66923210, 9921304, 31456609, 20017994, 55095045, 13348922, + 33142652, 6546660, 47123585, 29606055 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 756096210874553, 1721699973539149, 258765301727885, + 1390588532210645, 1212530909934781 +#else + 34648249, 11266711, 55911757, 25655328, 31703693, 3855903, + 58571733, 20721383, 36336829, 18068118 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 852891097972275, 1816988871354562, 1543772755726524, + 1174710635522444, 202129090724628 +#else + 49102387, 12709067, 3991746, 27075244, 45617340, 23004006, + 35973516, 17504552, 10928916, 3011958 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1205281565824323, 22430498399418, 992947814485516, + 1392458699738672, 688441466734558 +#else + 60151107, 17960094, 31696058, 334240, 29576716, 14796075, + 36277808, 20749251, 18008030, 10258577 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1050627428414972, 1955849529137135, 2171162376368357, + 91745868298214, 447733118757826 +#else + 44660220, 15655568, 7018479, 29144429, 36794597, 32352840, + 65255398, 1367119, 25127874, 6671743 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1287181461435438, 622722465530711, 880952150571872, + 741035693459198, 311565274989772 +#else + 29701166, 19180498, 56230743, 9279287, 67091296, 13127209, + 21382910, 11042292, 25838796, 4642684 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1003649078149734, 545233927396469, 1849786171789880, + 1318943684880434, 280345687170552 +#else + 46678630, 14955536, 42982517, 8124618, 61739576, 27563961, + 30468146, 19653792, 18423288, 4177476 +#endif + }}, + }, + }, +}; + +#endif // CONFIG_SMALL + +// Bi[i] = (2*i+1)*B +static const ge_precomp Bi[8] = { + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1288382639258501, 245678601348599, 269427782077623, + 1462984067271730, 137412439391563 +#else + 25967493, 19198397, 29566455, 3660896, 54414519, 4014786, 27544626, + 21800161, 61029707, 2047604 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 62697248952638, 204681361388450, 631292143396476, 338455783676468, + 1213667448819585 +#else + 54563134, 934261, 64385954, 3049989, 66381436, 9406985, 12720692, + 5043384, 19500929, 18085054 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 301289933810280, 1259582250014073, 1422107436869536, + 796239922652654, 1953934009299142 +#else + 58370664, 4489569, 9688441, 18769238, 10184608, 21191052, 29287918, + 11864899, 42594502, 29115885 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1601611775252272, 1720807796594148, 1132070835939856, + 1260455018889551, 2147779492816911 +#else + 15636272, 23865875, 24204772, 25642034, 616976, 16869170, 27787599, + 18782243, 28944399, 32004408 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 316559037616741, 2177824224946892, 1459442586438991, + 1461528397712656, 751590696113597 +#else + 16568933, 4717097, 55552716, 32452109, 15682895, 21747389, 16354576, + 21778470, 7689661, 11199574 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1850748884277385, 1200145853858453, 1068094770532492, + 672251375690438, 1586055907191707 +#else + 30464137, 27578307, 55329429, 17883566, 23220364, 15915852, 7512774, + 10017326, 49359771, 23634074 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 769950342298419, 132954430919746, 844085933195555, 974092374476333, + 726076285546016 +#else + 10861363, 11473154, 27284546, 1981175, 37044515, 12577860, 32867885, + 14515107, 51670560, 10819379 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 425251763115706, 608463272472562, 442562545713235, 837766094556764, + 374555092627893 +#else + 4708026, 6336745, 20377586, 9066809, 55836755, 6594695, 41455196, + 12483687, 54440373, 5581305 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1086255230780037, 274979815921559, 1960002765731872, + 929474102396301, 1190409889297339 +#else + 19563141, 16186464, 37722007, 4097518, 10237984, 29206317, 28542349, + 13850243, 43430843, 17738489 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 665000864555967, 2065379846933859, 370231110385876, 350988370788628, + 1233371373142985 +#else + 5153727, 9909285, 1723747, 30776558, 30523604, 5516873, 19480852, + 5230134, 43156425, 18378665 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2019367628972465, 676711900706637, 110710997811333, + 1108646842542025, 517791959672113 +#else + 36839857, 30090922, 7665485, 10083793, 28475525, 1649722, 20654025, + 16520125, 30598449, 7715701 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 965130719900578, 247011430587952, 526356006571389, 91986625355052, + 2157223321444601 +#else + 28881826, 14381568, 9657904, 3680757, 46927229, 7843315, 35708204, + 1370707, 29794553, 32145132 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1802695059465007, 1664899123557221, 593559490740857, + 2160434469266659, 927570450755031 +#else + 44589871, 26862249, 14201701, 24808930, 43598457, 8844725, 18474211, + 32192982, 54046167, 13821876 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1725674970513508, 1933645953859181, 1542344539275782, + 1767788773573747, 1297447965928905 +#else + 60653668, 25714560, 3374701, 28813570, 40010246, 22982724, 31655027, + 26342105, 18853321, 19333481 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1381809363726107, 1430341051343062, 2061843536018959, + 1551778050872521, 2036394857967624 +#else + 4566811, 20590564, 38133974, 21313742, 59506191, 30723862, 58594505, + 23123294, 2207752, 30344648 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1970894096313054, 528066325833207, 1619374932191227, + 2207306624415883, 1169170329061080 +#else + 41954014, 29368610, 29681143, 7868801, 60254203, 24130566, 54671499, + 32891431, 35997400, 17421995 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 2070390218572616, 1458919061857835, 624171843017421, + 1055332792707765, 433987520732508 +#else + 25576264, 30851218, 7349803, 21739588, 16472781, 9300885, 3844789, + 15725684, 171356, 6466918 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 893653801273833, 1168026499324677, 1242553501121234, + 1306366254304474, 1086752658510815 +#else + 23103977, 13316479, 9739013, 17404951, 817874, 18515490, 8965338, + 19466374, 36393951, 16193876 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 213454002618221, 939771523987438, 1159882208056014, 317388369627517, + 621213314200687 +#else + 33587053, 3180712, 64714734, 14003686, 50205390, 17283591, 17238397, + 4729455, 49034351, 9256799 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1971678598905747, 338026507889165, 762398079972271, 655096486107477, + 42299032696322 +#else + 41926547, 29380300, 32336397, 5036987, 45872047, 11360616, 22616405, + 9761698, 47281666, 630304 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 177130678690680, 1754759263300204, 1864311296286618, + 1180675631479880, 1292726903152791 +#else + 53388152, 2639452, 42871404, 26147950, 9494426, 27780403, 60554312, + 17593437, 64659607, 19263131 +#endif + }}, + }, + { + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1913163449625248, 460779200291993, 2193883288642314, + 1008900146920800, 1721983679009502 +#else + 63957664, 28508356, 9282713, 6866145, 35201802, 32691408, 48168288, + 15033783, 25105118, 25659556 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 1070401523076875, 1272492007800961, 1910153608563310, + 2075579521696771, 1191169788841221 +#else + 42782475, 15950225, 35307649, 18961608, 55446126, 28463506, 1573891, + 30928545, 2198789, 17749813 +#endif + }}, + {{ +#if defined(BORINGSSL_CURVE25519_64BIT) + 692896803108118, 500174642072499, 2068223309439677, + 1162190621851337, 1426986007309901 +#else + 64009494, 10324966, 64867251, 7453182, 61661885, 30818928, 53296841, + 17317989, 34647629, 21263748 +#endif + }}, + }, +}; diff --git a/src/plugins/preauth/spake/groups.c b/src/plugins/preauth/spake/groups.c new file mode 100644 index 0000000..a195cc1 --- /dev/null +++ b/src/plugins/preauth/spake/groups.c @@ -0,0 +1,442 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/groups.c - SPAKE group interfaces */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * The SPAKE2 algorithm works as follows: + * + * 1. The parties agree on a group, a base element G, and constant elements M + * and N. In this mechanism, these parameters are determined by the + * registered group number. + * 2. Both parties derive a scalar value w from the initial key. + * 3. The first party (the KDC, in this mechanism) chooses a random secret + * scalar x and sends T=xG+wM. + * 4. The second party (the client, in this mechanism) chooses a random + * secret scalar y and sends S=yG+wN. + * 5. The first party computes K=x(S-wN). + * 6. The second party computes the same value as K=y(T-wM). + * 7. Both parties derive a key from a random oracle whose input incorporates + * the party identities, w, T, S, and K. + * + * We implement the algorithm using a vtable for each group, where the primary + * vtable methods are "keygen" (corresponding to step 3 or 4) and "result" + * (corresponding to step 5 or 6). We use the term "private scalar" to refer + * to x or y, and "public element" to refer to S or T. + */ + +#include "iana.h" +#include "trace.h" +#include "groups.h" + +#define DEFAULT_GROUPS_CLIENT "edwards25519" +#define DEFAULT_GROUPS_KDC "" + +typedef struct groupent_st { + const groupdef *gdef; + groupdata *gdata; +} groupent; + +struct groupstate_st { + krb5_boolean is_kdc; + + /* Permitted and groups, from configuration */ + int32_t *permitted; + size_t npermitted; + + /* Optimistic challenge group, from configuration */ + int32_t challenge_group; + + /* Lazily-initialized list of gdata objects. */ + groupent *data; + size_t ndata; +}; + +extern groupdef builtin_edwards25519; +#ifdef SPAKE_OPENSSL +extern groupdef ossl_P256; +extern groupdef ossl_P384; +extern groupdef ossl_P521; +#endif + +static const groupdef *groupdefs[] = { + &builtin_edwards25519, +#ifdef SPAKE_OPENSSL + &ossl_P256, + &ossl_P384, + &ossl_P521, +#endif + NULL +}; + +/* Find a groupdef structure by group number. Return NULL on failure. */ +static const groupdef * +find_gdef(int32_t group) +{ + size_t i; + + for (i = 0; groupdefs[i] != NULL; i++) { + if (groupdefs[i]->reg->id == group) + return groupdefs[i]; + } + + return NULL; +} + +/* Find a group number by name. Return 0 on failure. */ +static int32_t +find_gnum(const char *name) +{ + size_t i; + + for (i = 0; groupdefs[i] != NULL; i++) { + if (strcasecmp(name, groupdefs[i]->reg->name) == 0) + return groupdefs[i]->reg->id; + } + return 0; +} + +static krb5_boolean +in_grouplist(const int32_t *list, size_t count, int32_t group) +{ + size_t i; + + for (i = 0; i < count; i++) { + if (list[i] == group) + return TRUE; + } + + return FALSE; +} + +/* Retrieve a group data object for group within gstate, lazily initializing it + * if necessary. */ +static krb5_error_code +get_gdata(krb5_context context, groupstate *gstate, const groupdef *gdef, + groupdata **gdata_out) +{ + krb5_error_code ret; + groupent *ent, *newptr; + + *gdata_out = NULL; + + /* Look for an existing entry. */ + for (ent = gstate->data; ent < gstate->data + gstate->ndata; ent++) { + if (ent->gdef == gdef) { + *gdata_out = ent->gdata; + return 0; + } + } + + /* Make a new entry. */ + newptr = realloc(gstate->data, (gstate->ndata + 1) * sizeof(groupent)); + if (newptr == NULL) + return ENOMEM; + gstate->data = newptr; + ent = &gstate->data[gstate->ndata]; + ent->gdef = gdef; + ent->gdata = NULL; + if (gdef->init != NULL) { + ret = gdef->init(context, gdef, &ent->gdata); + if (ret) + return ret; + } + gstate->ndata++; + *gdata_out = ent->gdata; + return 0; +} + +/* Destructively parse str into a list of group numbers. */ +static krb5_error_code +parse_groups(krb5_context context, char *str, int32_t **list_out, + size_t *count_out) +{ + const char *const delim = " \t\r\n,"; + char *token, *save = NULL; + int32_t group, *newptr, *list = NULL; + size_t count = 0; + + *list_out = NULL; + *count_out = 0; + + /* Walk through the words in profstr. */ + for (token = strtok_r(str, delim, &save); token != NULL; + token = strtok_r(NULL, delim, &save)) { + group = find_gnum(token); + if (!group) { + TRACE_SPAKE_UNKNOWN_GROUP(context, token); + continue; + } + if (in_grouplist(list, count, group)) + continue; + newptr = realloc(list, (count + 1) * sizeof(*list)); + if (newptr == NULL) { + free(list); + return ENOMEM; + } + list = newptr; + list[count++] = group; + } + + *list_out = list; + *count_out = count; + return 0; +} + +krb5_error_code +group_init_state(krb5_context context, krb5_boolean is_kdc, + groupstate **gstate_out) +{ + krb5_error_code ret; + groupstate *gstate; + const char *defgroups; + char *profstr1 = NULL, *profstr2 = NULL; + int32_t *permitted = NULL, challenge_group = 0; + size_t npermitted; + + *gstate_out = NULL; + + defgroups = is_kdc ? DEFAULT_GROUPS_KDC : DEFAULT_GROUPS_CLIENT; + ret = profile_get_string(context->profile, KRB5_CONF_LIBDEFAULTS, + KRB5_CONF_SPAKE_PREAUTH_GROUPS, NULL, defgroups, + &profstr1); + if (ret) + goto cleanup; + ret = parse_groups(context, profstr1, &permitted, &npermitted); + if (ret) + goto cleanup; + if (npermitted == 0) { + ret = KRB5_PLUGIN_OP_NOTSUPP; + k5_setmsg(context, ret, _("No SPAKE preauth groups configured")); + goto cleanup; + } + + if (is_kdc) { + /* + * Check for a configured optimistic challenge group. If one is set, + * the KDC will send a challenge in the PREAUTH_REQUIRED method data, + * before receiving the list of supported groups. + */ + ret = profile_get_string(context->profile, KRB5_CONF_KDCDEFAULTS, + KRB5_CONF_SPAKE_PREAUTH_KDC_CHALLENGE, NULL, + NULL, &profstr2); + if (ret) + goto cleanup; + if (profstr2 != NULL) { + challenge_group = find_gnum(profstr2); + if (!in_grouplist(permitted, npermitted, challenge_group)) { + ret = KRB5_PLUGIN_OP_NOTSUPP; + k5_setmsg(context, ret, + _("SPAKE challenge group not a permitted group: %s"), + profstr2); + goto cleanup; + } + } + } + + gstate = k5alloc(sizeof(*gstate), &ret); + if (gstate == NULL) + goto cleanup; + gstate->is_kdc = is_kdc; + gstate->permitted = permitted; + gstate->npermitted = npermitted; + gstate->challenge_group = challenge_group; + permitted = NULL; + gstate->data = NULL; + gstate->ndata = 0; + *gstate_out = gstate; + +cleanup: + profile_release_string(profstr1); + profile_release_string(profstr2); + free(permitted); + return ret; +} + + +void +group_free_state(groupstate *gstate) +{ + groupent *ent; + + for (ent = gstate->data; ent < gstate->data + gstate->ndata; ent++) { + if (ent->gdata != NULL && ent->gdef->fini != NULL) + ent->gdef->fini(ent->gdata); + } + + free(gstate->permitted); + free(gstate->data); + free(gstate); +} + +krb5_boolean +group_is_permitted(groupstate *gstate, int32_t group) +{ + return in_grouplist(gstate->permitted, gstate->npermitted, group); +} + +void +group_get_permitted(groupstate *gstate, int32_t **list_out, int32_t *count_out) +{ + *list_out = gstate->permitted; + *count_out = gstate->npermitted; +} + +krb5_int32 +group_optimistic_challenge(groupstate *gstate) +{ + assert(gstate->is_kdc); + return gstate->challenge_group; +} + +krb5_error_code +group_mult_len(int32_t group, size_t *len_out) +{ + const groupdef *gdef; + + *len_out = 0; + gdef = find_gdef(group); + if (gdef == NULL) + return EINVAL; + *len_out = gdef->reg->mult_len; + return 0; +} + +krb5_error_code +group_keygen(krb5_context context, groupstate *gstate, int32_t group, + const krb5_data *wbytes, krb5_data *priv_out, krb5_data *pub_out) +{ + krb5_error_code ret; + const groupdef *gdef; + groupdata *gdata; + uint8_t *priv = NULL, *pub = NULL; + + *priv_out = empty_data(); + *pub_out = empty_data(); + gdef = find_gdef(group); + if (gdef == NULL || wbytes->length != gdef->reg->mult_len) + return EINVAL; + ret = get_gdata(context, gstate, gdef, &gdata); + if (ret) + return ret; + + priv = k5alloc(gdef->reg->mult_len, &ret); + if (priv == NULL) + goto cleanup; + pub = k5alloc(gdef->reg->elem_len, &ret); + if (pub == NULL) + goto cleanup; + + ret = gdef->keygen(context, gdata, (uint8_t *)wbytes->data, gstate->is_kdc, + priv, pub); + if (ret) + goto cleanup; + + *priv_out = make_data(priv, gdef->reg->mult_len); + *pub_out = make_data(pub, gdef->reg->elem_len); + priv = pub = NULL; + TRACE_SPAKE_KEYGEN(context, pub_out); + +cleanup: + zapfree(priv, gdef->reg->mult_len); + free(pub); + return ret; +} + +krb5_error_code +group_result(krb5_context context, groupstate *gstate, int32_t group, + const krb5_data *wbytes, const krb5_data *ourpriv, + const krb5_data *theirpub, krb5_data *spakeresult_out) +{ + krb5_error_code ret; + const groupdef *gdef; + groupdata *gdata; + uint8_t *spakeresult = NULL; + + *spakeresult_out = empty_data(); + gdef = find_gdef(group); + if (gdef == NULL || wbytes->length != gdef->reg->mult_len) + return EINVAL; + if (ourpriv->length != gdef->reg->mult_len || + theirpub->length != gdef->reg->elem_len) + return EINVAL; + ret = get_gdata(context, gstate, gdef, &gdata); + if (ret) + return ret; + + spakeresult = k5alloc(gdef->reg->elem_len, &ret); + if (spakeresult == NULL) + goto cleanup; + + /* Invert is_kdc here to use the other party's constant. */ + ret = gdef->result(context, gdata, (uint8_t *)wbytes->data, + (uint8_t *)ourpriv->data, (uint8_t *)theirpub->data, + !gstate->is_kdc, spakeresult); + if (ret) + goto cleanup; + + *spakeresult_out = make_data(spakeresult, gdef->reg->elem_len); + spakeresult = NULL; + TRACE_SPAKE_RESULT(context, spakeresult_out); + +cleanup: + zapfree(spakeresult, gdef->reg->elem_len); + return ret; +} + +krb5_error_code +group_hash_len(int32_t group, size_t *len_out) +{ + const groupdef *gdef; + + *len_out = 0; + gdef = find_gdef(group); + if (gdef == NULL) + return EINVAL; + *len_out = gdef->reg->hash_len; + return 0; +} + +krb5_error_code +group_hash(krb5_context context, groupstate *gstate, int32_t group, + const krb5_data *dlist, size_t ndata, uint8_t *result_out) +{ + krb5_error_code ret; + const groupdef *gdef; + groupdata *gdata; + + gdef = find_gdef(group); + if (gdef == NULL) + return EINVAL; + ret = get_gdata(context, gstate, gdef, &gdata); + if (ret) + return ret; + return gdef->hash(context, gdata, dlist, ndata, result_out); +} diff --git a/src/plugins/preauth/spake/groups.h b/src/plugins/preauth/spake/groups.h new file mode 100644 index 0000000..3add694 --- /dev/null +++ b/src/plugins/preauth/spake/groups.h @@ -0,0 +1,148 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/groups.h - SPAKE group interfaces */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef GROUPS_H +#define GROUPS_H + +#include "k5-int.h" +#include "iana.h" + +typedef struct groupstate_st groupstate; +typedef struct groupdata_st groupdata; +typedef struct groupdef_st groupdef; + +struct groupdef_st { + const spake_iana *reg; + + /* + * Optional: create a per-group data object to allow more efficient keygen + * and result computations. Saving a reference to gdef is okay; its + * lifetime will always be longer than the resulting object. + */ + krb5_error_code (*init)(krb5_context context, const groupdef *gdef, + groupdata **gdata_out); + + /* Optional: release a group data object. */ + void (*fini)(groupdata *gdata); + + /* + * Mandatory: generate a random private scalar (x or y) and a public + * element (T or S), using wbytes for the w value. If use_m is true, use + * the M element (generating T); otherwise use the N element (generating + * S). wbytes and priv_out have length reg->mult_len; pub_out has length + * reg->elem_len. priv_out and pub_out are caller-allocated. + */ + krb5_error_code (*keygen)(krb5_context context, groupdata *gdata, + const uint8_t *wbytes, krb5_boolean use_m, + uint8_t *priv_out, uint8_t *pub_out); + + /* + * Mandatory: compute K given a private scalar (x or y) and the other + * party's public element (S or T), using wbytes for the w value. If use_m + * is true, use the M element (computing K from y and T); otherwise use the + * N element (computing K from x and S). wbytes and ourpriv have length + * reg->mult_len; theirpub and elem_out have length reg->elem_len. + * elem_out is caller-allocated. + */ + krb5_error_code (*result)(krb5_context context, groupdata *gdata, + const uint8_t *wbytes, const uint8_t *ourpriv, + const uint8_t *theirpub, krb5_boolean use_m, + uint8_t *elem_out); + + /* + * Mandatory: compute the group's specified hash function over datas (with + * ndata elements), placing the result in result_out. result_out is + * caller-allocated with length reg->hash_len. + */ + krb5_error_code (*hash)(krb5_context context, groupdata *gdata, + const krb5_data *datas, size_t ndata, + uint8_t *result_out); +}; + +/* Initialize an object which holds group configuration and pre-computation + * state for each group. is_kdc is true for KDCs, false for clients. */ +krb5_error_code group_init_state(krb5_context context, krb5_boolean is_kdc, + groupstate **out); + +/* Release resources held by gstate. */ +void group_free_state(groupstate *gstate); + +/* Return true if group is permitted by configuration. */ +krb5_boolean group_is_permitted(groupstate *gstate, int32_t group); + +/* Set *list_out and *count_out to the list of groups permitted by + * configuration. */ +void group_get_permitted(groupstate *gstate, int32_t **list_out, + int32_t *count_out); + +/* Return the KDC optimistic challenge group if one is configured. Valid for + * KDC groupstate objects only. */ +krb5_int32 group_optimistic_challenge(groupstate *gstate); + +/* Set *len_out to the multiplier length for group. */ +krb5_error_code group_mult_len(int32_t group, size_t *len_out); + +/* + * Generate a SPAKE private scalar (x or y) and public element (T or S), given + * an input multiplier wbytes. Use constant M if gstate is a KDC groupstate + * object, N if it is a client object. Allocate storage and place the results + * in *priv_out and *pub_out. + */ +krb5_error_code group_keygen(krb5_context context, groupstate *gstate, + int32_t group, const krb5_data *wbytes, + krb5_data *priv_out, krb5_data *pub_out); + +/* + * Compute the SPAKE result K from our private scalar (x or y) and their public + * key (S or T), deriving the input scalar w from ikey. Use the other party's + * constant, N if gstate is a KDC groupstate object or M if it is a client + * object. Allocate storage and place the result in *spakeresult_out. + */ +krb5_error_code group_result(krb5_context context, groupstate *gstate, + int32_t group, const krb5_data *wbytes, + const krb5_data *ourpriv, + const krb5_data *theirpub, + krb5_data *spakeresult_out); + +/* Set *result_out to the hash output length for group. */ +krb5_error_code group_hash_len(int32_t group, size_t *result_out); + +/* + * Compute the group's specified hash function over dlist (with ndata + * elements). result_out is caller-allocated with enough bytes for the hash + * output as given by group_hash_len(). + */ +krb5_error_code group_hash(krb5_context context, groupstate *gstate, + int32_t group, const krb5_data *dlist, size_t ndata, + uint8_t *result_out); + +#endif /* GROUPS_H */ diff --git a/src/plugins/preauth/spake/iana.c b/src/plugins/preauth/spake/iana.c new file mode 100644 index 0000000..e7901de --- /dev/null +++ b/src/plugins/preauth/spake/iana.c @@ -0,0 +1,108 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/iana.c - SPAKE IANA registry contents */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "iana.h" + +static uint8_t edwards25519_M[] = { + 0xD0, 0x48, 0x03, 0x2C, 0x6E, 0xA0, 0xB6, 0xD6, 0x97, 0xDD, 0xC2, 0xE8, + 0x6B, 0xDA, 0x85, 0xA3, 0x3A, 0xDA, 0xC9, 0x20, 0xF1, 0xBF, 0x18, 0xE1, + 0xB0, 0xC6, 0xD1, 0x66, 0xA5, 0xCE, 0xCD, 0xAF +}; + +static uint8_t edwards25519_N[] = { + 0xD3, 0xBF, 0xB5, 0x18, 0xF4, 0x4F, 0x34, 0x30, 0xF2, 0x9D, 0x0C, 0x92, + 0xAF, 0x50, 0x38, 0x65, 0xA1, 0xED, 0x32, 0x81, 0xDC, 0x69, 0xB3, 0x5D, + 0xD8, 0x68, 0xBA, 0x85, 0xF8, 0x86, 0xC4, 0xAB +}; + +static uint8_t P256_M[] = { + 0x02, 0x88, 0x6E, 0x2F, 0x97, 0xAC, 0xE4, 0x6E, 0x55, 0xBA, 0x9D, 0xD7, + 0x24, 0x25, 0x79, 0xF2, 0x99, 0x3B, 0x64, 0xE1, 0x6E, 0xF3, 0xDC, 0xAB, + 0x95, 0xAF, 0xD4, 0x97, 0x33, 0x3D, 0x8F, 0xA1, 0x2F +}; + +static uint8_t P256_N[] = { + 0x03, 0xD8, 0xBB, 0xD6, 0xC6, 0x39, 0xC6, 0x29, 0x37, 0xB0, 0x4D, 0x99, + 0x7F, 0x38, 0xC3, 0x77, 0x07, 0x19, 0xC6, 0x29, 0xD7, 0x01, 0x4D, 0x49, + 0xA2, 0x4B, 0x4F, 0x98, 0xBA, 0xA1, 0x29, 0x2B, 0x49 +}; + +static uint8_t P384_M[] = { + 0x03, 0x0F, 0xF0, 0x89, 0x5A, 0xE5, 0xEB, 0xF6, 0x18, 0x70, 0x80, 0xA8, + 0x2D, 0x82, 0xB4, 0x2E, 0x27, 0x65, 0xE3, 0xB2, 0xF8, 0x74, 0x9C, 0x7E, + 0x05, 0xEB, 0xA3, 0x66, 0x43, 0x4B, 0x36, 0x3D, 0x3D, 0xC3, 0x6F, 0x15, + 0x31, 0x47, 0x39, 0x07, 0x4D, 0x2E, 0xB8, 0x61, 0x3F, 0xCE, 0xEC, 0x28, + 0x53 +}; + +static uint8_t P384_N[] = { + 0x02, 0xC7, 0x2C, 0xF2, 0xE3, 0x90, 0x85, 0x3A, 0x1C, 0x1C, 0x4A, 0xD8, + 0x16, 0xA6, 0x2F, 0xD1, 0x58, 0x24, 0xF5, 0x60, 0x78, 0x91, 0x8F, 0x43, + 0xF9, 0x22, 0xCA, 0x21, 0x51, 0x8F, 0x9C, 0x54, 0x3B, 0xB2, 0x52, 0xC5, + 0x49, 0x02, 0x14, 0xCF, 0x9A, 0xA3, 0xF0, 0xBA, 0xAB, 0x4B, 0x66, 0x5C, + 0x10 +}; + +static uint8_t P521_M[] = { + 0x02, 0x00, 0x3F, 0x06, 0xF3, 0x81, 0x31, 0xB2, 0xBA, 0x26, 0x00, 0x79, + 0x1E, 0x82, 0x48, 0x8E, 0x8D, 0x20, 0xAB, 0x88, 0x9A, 0xF7, 0x53, 0xA4, + 0x18, 0x06, 0xC5, 0xDB, 0x18, 0xD3, 0x7D, 0x85, 0x60, 0x8C, 0xFA, 0xE0, + 0x6B, 0x82, 0xE4, 0xA7, 0x2C, 0xD7, 0x44, 0xC7, 0x19, 0x19, 0x35, 0x62, + 0xA6, 0x53, 0xEA, 0x1F, 0x11, 0x9E, 0xEF, 0x93, 0x56, 0x90, 0x7E, 0xDC, + 0x9B, 0x56, 0x97, 0x99, 0x62, 0xD7, 0xAA +}; + +static uint8_t P521_N[] = { + 0x02, 0x00, 0xC7, 0x92, 0x4B, 0x9E, 0xC0, 0x17, 0xF3, 0x09, 0x45, 0x62, + 0x89, 0x43, 0x36, 0xA5, 0x3C, 0x50, 0x16, 0x7B, 0xA8, 0xC5, 0x96, 0x38, + 0x76, 0x88, 0x05, 0x42, 0xBC, 0x66, 0x9E, 0x49, 0x4B, 0x25, 0x32, 0xD7, + 0x6C, 0x5B, 0x53, 0xDF, 0xB3, 0x49, 0xFD, 0xF6, 0x91, 0x54, 0xB9, 0xE0, + 0x04, 0x8C, 0x58, 0xA4, 0x2E, 0x8E, 0xD0, 0x4C, 0xEF, 0x05, 0x2A, 0x3B, + 0xC3, 0x49, 0xD9, 0x55, 0x75, 0xCD, 0x25 +}; + +const spake_iana spake_iana_edwards25519 = { + SPAKE_GROUP_EDWARDS25519, "edwards25519", 32, 32, + edwards25519_M, edwards25519_N, 32 +}; + +const spake_iana spake_iana_p256 = { + SPAKE_GROUP_P256, "P-256", 32, 33, P256_M, P256_N, 32 +}; + +const spake_iana spake_iana_p384 = { + SPAKE_GROUP_P384, "P-384", 48, 49, P384_M, P384_N, 48 +}; + +const spake_iana spake_iana_p521 = { + SPAKE_GROUP_P521, "P-521", 66, 67, P521_M, P521_N, 64 +}; diff --git a/src/plugins/preauth/spake/iana.h b/src/plugins/preauth/spake/iana.h new file mode 100644 index 0000000..1d99c4d --- /dev/null +++ b/src/plugins/preauth/spake/iana.h @@ -0,0 +1,65 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/iana.h - SPAKE IANA registry contents */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef IANA_H +#define IANA_H + +#include +#include + +typedef enum { + SPAKE_SF_NONE = 1, +} spake_sf_type; + +typedef enum { + SPAKE_GROUP_EDWARDS25519 = 1, + SPAKE_GROUP_P256 = 2, + SPAKE_GROUP_P384 = 3, + SPAKE_GROUP_P521 = 4, +} spake_group; + +typedef struct { + int32_t id; + const char *name; + size_t mult_len; + size_t elem_len; + const uint8_t *m; + const uint8_t *n; + size_t hash_len; +} spake_iana; + +extern const spake_iana spake_iana_edwards25519; +extern const spake_iana spake_iana_p256; +extern const spake_iana spake_iana_p384; +extern const spake_iana spake_iana_p521; + +#endif /* IANA_H */ diff --git a/src/plugins/preauth/spake/openssl.c b/src/plugins/preauth/spake/openssl.c new file mode 100644 index 0000000..f2e4b53 --- /dev/null +++ b/src/plugins/preauth/spake/openssl.c @@ -0,0 +1,316 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/openssl.c - SPAKE implementations using OpenSSL */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" + +#include "groups.h" +#include "iana.h" + +#ifdef SPAKE_OPENSSL +#include +#include +#include +#include + +/* OpenSSL 1.1 standardizes constructor and destructor names, renaming + * EVP_MD_CTX_create and EVP_MD_CTX_destroy. */ +#if OPENSSL_VERSION_NUMBER < 0x10100000L +#define EVP_MD_CTX_new EVP_MD_CTX_create +#define EVP_MD_CTX_free EVP_MD_CTX_destroy +#endif + +struct groupdata_st { + const groupdef *gdef; + EC_GROUP *group; + BIGNUM *order; + BN_CTX *ctx; + EC_POINT *M; + EC_POINT *N; + const EVP_MD *md; +}; + +static void +ossl_fini(groupdata *gd) +{ + if (gd == NULL) + return; + + EC_GROUP_free(gd->group); + EC_POINT_free(gd->M); + EC_POINT_free(gd->N); + BN_CTX_free(gd->ctx); + BN_free(gd->order); + free(gd); +} + +static krb5_error_code +ossl_init(krb5_context context, const groupdef *gdef, groupdata **gdata_out) +{ + const spake_iana *reg = gdef->reg; + const EVP_MD *md; + groupdata *gd; + int nid; + + switch (reg->id) { + case SPAKE_GROUP_P256: + nid = NID_X9_62_prime256v1; + md = EVP_sha256(); + break; + case SPAKE_GROUP_P384: + nid = NID_secp384r1; + md = EVP_sha384(); + break; + case SPAKE_GROUP_P521: + nid = NID_secp521r1; + md = EVP_sha512(); + break; + default: + return EINVAL; + }; + + gd = calloc(1, sizeof(*gd)); + if (gd == NULL) + return ENOMEM; + gd->gdef = gdef; + + gd->group = EC_GROUP_new_by_curve_name(nid); + if (gd->group == NULL) + goto error; + + gd->ctx = BN_CTX_new(); + if (gd->ctx == NULL) + goto error; + + gd->order = BN_new(); + if (gd->order == NULL) + goto error; + if (!EC_GROUP_get_order(gd->group, gd->order, gd->ctx)) + goto error; + + gd->M = EC_POINT_new(gd->group); + if (gd->M == NULL) + goto error; + if (!EC_POINT_oct2point(gd->group, gd->M, reg->m, reg->elem_len, gd->ctx)) + goto error; + + gd->N = EC_POINT_new(gd->group); + if (gd->N == NULL) + goto error; + if (!EC_POINT_oct2point(gd->group, gd->N, reg->n, reg->elem_len, gd->ctx)) + goto error; + + gd->md = md; + + *gdata_out = gd; + return 0; + +error: + ossl_fini(gd); + return ENOMEM; +} + +/* Convert pseudo-random bytes into a scalar value in constant time. + * Return NULL on failure. */ +static BIGNUM * +unmarshal_w(const groupdata *gdata, const uint8_t *wbytes) +{ + const spake_iana *reg = gdata->gdef->reg; + BIGNUM *w = NULL; + + w = BN_new(); + if (w == NULL) + return NULL; + + BN_set_flags(w, BN_FLG_CONSTTIME); + + if (BN_bin2bn(wbytes, reg->mult_len, w) && + BN_div(NULL, w, w, gdata->order, gdata->ctx)) + return w; + + BN_free(w); + return NULL; +} + +static krb5_error_code +ossl_keygen(krb5_context context, groupdata *gdata, const uint8_t *wbytes, + krb5_boolean use_m, uint8_t *priv_out, uint8_t *pub_out) +{ + const spake_iana *reg = gdata->gdef->reg; + const EC_POINT *constant = use_m ? gdata->M : gdata->N; + krb5_boolean success = FALSE; + EC_POINT *pub = NULL; + BIGNUM *priv = NULL, *w = NULL; + size_t len; + + w = unmarshal_w(gdata, wbytes); + if (w == NULL) + goto cleanup; + + pub = EC_POINT_new(gdata->group); + if (pub == NULL) + goto cleanup; + + priv = BN_new(); + if (priv == NULL) + goto cleanup; + + if (!BN_rand_range(priv, gdata->order)) + goto cleanup; + + /* Compute priv*G + w*constant; EC_POINT_mul() does this in one call. */ + if (!EC_POINT_mul(gdata->group, pub, priv, constant, w, gdata->ctx)) + goto cleanup; + + /* Marshal priv into priv_out. */ + memset(priv_out, 0, reg->mult_len); + BN_bn2bin(priv, &priv_out[reg->mult_len - BN_num_bytes(priv)]); + + /* Marshal pub into pub_out. */ + len = EC_POINT_point2oct(gdata->group, pub, POINT_CONVERSION_COMPRESSED, + pub_out, reg->elem_len, gdata->ctx); + if (len != reg->elem_len) + goto cleanup; + + success = TRUE; + +cleanup: + EC_POINT_free(pub); + BN_clear_free(priv); + BN_clear_free(w); + return success ? 0 : ENOMEM; +} + +static krb5_error_code +ossl_result(krb5_context context, groupdata *gdata, const uint8_t *wbytes, + const uint8_t *ourpriv, const uint8_t *theirpub, + krb5_boolean use_m, uint8_t *elem_out) +{ + const spake_iana *reg = gdata->gdef->reg; + const EC_POINT *constant = use_m ? gdata->M : gdata->N; + krb5_boolean success = FALSE, invalid = FALSE; + EC_POINT *result = NULL, *pub = NULL; + BIGNUM *priv = NULL, *w = NULL; + size_t len; + + w = unmarshal_w(gdata, wbytes); + if (w == NULL) + goto cleanup; + + priv = BN_bin2bn(ourpriv, reg->mult_len, NULL); + if (priv == NULL) + goto cleanup; + + pub = EC_POINT_new(gdata->group); + if (pub == NULL) + goto cleanup; + if (!EC_POINT_oct2point(gdata->group, pub, theirpub, reg->elem_len, + gdata->ctx)) { + invalid = TRUE; + goto cleanup; + } + + /* Compute result = priv*(pub - w*constant), using result to hold the + * intermediate steps. */ + result = EC_POINT_new(gdata->group); + if (result == NULL) + goto cleanup; + if (!EC_POINT_mul(gdata->group, result, NULL, constant, w, gdata->ctx)) + goto cleanup; + if (!EC_POINT_invert(gdata->group, result, gdata->ctx)) + goto cleanup; + if (!EC_POINT_add(gdata->group, result, pub, result, gdata->ctx)) + goto cleanup; + if (!EC_POINT_mul(gdata->group, result, NULL, result, priv, gdata->ctx)) + goto cleanup; + + /* Marshal result into elem_out. */ + len = EC_POINT_point2oct(gdata->group, result, POINT_CONVERSION_COMPRESSED, + elem_out, reg->elem_len, gdata->ctx); + if (len != reg->elem_len) + goto cleanup; + + success = TRUE; + +cleanup: + BN_clear_free(priv); + BN_clear_free(w); + EC_POINT_free(pub); + EC_POINT_clear_free(result); + return invalid ? EINVAL : (success ? 0 : ENOMEM); +} + +static krb5_error_code +ossl_hash(krb5_context context, groupdata *gdata, const krb5_data *dlist, + size_t ndata, uint8_t *result_out) +{ + EVP_MD_CTX *ctx; + size_t i; + int ok; + + ctx = EVP_MD_CTX_new(); + if (ctx == NULL) + return ENOMEM; + ok = EVP_DigestInit_ex(ctx, gdata->md, NULL); + for (i = 0; i < ndata; i++) + ok = ok && EVP_DigestUpdate(ctx, dlist[i].data, dlist[i].length); + ok = ok && EVP_DigestFinal_ex(ctx, result_out, NULL); + EVP_MD_CTX_free(ctx); + return ok ? 0 : ENOMEM; +} + +groupdef ossl_P256 = { + .reg = &spake_iana_p256, + .init = ossl_init, + .fini = ossl_fini, + .keygen = ossl_keygen, + .result = ossl_result, + .hash = ossl_hash, +}; + +groupdef ossl_P384 = { + .reg = &spake_iana_p384, + .init = ossl_init, + .fini = ossl_fini, + .keygen = ossl_keygen, + .result = ossl_result, + .hash = ossl_hash, +}; + +groupdef ossl_P521 = { + .reg = &spake_iana_p521, + .init = ossl_init, + .fini = ossl_fini, + .keygen = ossl_keygen, + .result = ossl_result, + .hash = ossl_hash, +}; +#endif /* SPAKE_OPENSSL */ diff --git a/src/plugins/preauth/spake/spake.def b/src/plugins/preauth/spake/spake.def new file mode 100644 index 0000000..1b2cf4d --- /dev/null +++ b/src/plugins/preauth/spake/spake.def @@ -0,0 +1,3 @@ +EXPORTS + + clpreauth_spake_initvt diff --git a/src/plugins/preauth/spake/spake.exports b/src/plugins/preauth/spake/spake.exports new file mode 100644 index 0000000..81d1002 --- /dev/null +++ b/src/plugins/preauth/spake/spake.exports @@ -0,0 +1,2 @@ +clpreauth_spake_initvt +kdcpreauth_spake_initvt diff --git a/src/plugins/preauth/spake/spake_client.c b/src/plugins/preauth/spake/spake_client.c new file mode 100644 index 0000000..00734a1 --- /dev/null +++ b/src/plugins/preauth/spake/spake_client.c @@ -0,0 +1,388 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/spake_client.c - SPAKE clpreauth module */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "k5-spake.h" +#include "trace.h" +#include "util.h" +#include "iana.h" +#include "groups.h" +#include + +typedef struct reqstate_st { + krb5_pa_spake *msg; /* set in prep_questions, used in process */ + krb5_keyblock *initial_key; + krb5_data *support; + krb5_data thash; + krb5_data spakeresult; +} reqstate; + +/* Return true if SF-NONE is present in factors. */ +static krb5_boolean +contains_sf_none(krb5_spake_factor **factors) +{ + int i; + + for (i = 0; factors != NULL && factors[i] != NULL; i++) { + if (factors[i]->type == SPAKE_SF_NONE) + return TRUE; + } + return FALSE; +} + +static krb5_error_code +spake_init(krb5_context context, krb5_clpreauth_moddata *moddata_out) +{ + krb5_error_code ret; + groupstate *gstate; + + ret = group_init_state(context, FALSE, &gstate); + if (ret) + return ret; + *moddata_out = (krb5_clpreauth_moddata)gstate; + return 0; +} + +static void +spake_fini(krb5_context context, krb5_clpreauth_moddata moddata) +{ + group_free_state((groupstate *)moddata); +} + +static void +spake_request_init(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq *modreq_out) +{ + *modreq_out = calloc(1, sizeof(reqstate)); +} + +static void +spake_request_fini(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq modreq) +{ + reqstate *st = (reqstate *)modreq; + + k5_free_pa_spake(context, st->msg); + krb5_free_keyblock(context, st->initial_key); + krb5_free_data(context, st->support); + krb5_free_data_contents(context, &st->thash); + zapfree(st->spakeresult.data, st->spakeresult.length); + free(st); +} + +static krb5_error_code +spake_prep_questions(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq modreq, + krb5_get_init_creds_opt *opt, krb5_clpreauth_callbacks cb, + krb5_clpreauth_rock rock, krb5_kdc_req *req, + krb5_data *enc_req, krb5_data *enc_prev_req, + krb5_pa_data *pa_data) +{ + krb5_error_code ret; + groupstate *gstate = (groupstate *)moddata; + reqstate *st = (reqstate *)modreq; + krb5_data in_data; + krb5_spake_challenge *ch; + + if (st == NULL) + return ENOMEM; + + /* We don't need to ask any questions to send a support message. */ + if (pa_data->length == 0) + return 0; + + /* Decode the incoming message, replacing any previous one in the request + * state. If we can't decode it, we have no questions to ask. */ + k5_free_pa_spake(context, st->msg); + st->msg = NULL; + in_data = make_data(pa_data->contents, pa_data->length); + ret = decode_krb5_pa_spake(&in_data, &st->msg); + if (ret) + return (ret == ENOMEM) ? ENOMEM : 0; + + if (st->msg->choice == SPAKE_MSGTYPE_CHALLENGE) { + ch = &st->msg->u.challenge; + if (!group_is_permitted(gstate, ch->group)) + return 0; + /* When second factor support is implemented, we should ask questions + * based on the factors in the challenge. */ + if (!contains_sf_none(ch->factors)) + return 0; + /* We will need the AS key to respond to the challenge. */ + cb->need_as_key(context, rock); + } else if (st->msg->choice == SPAKE_MSGTYPE_ENCDATA) { + /* When second factor support is implemented, we should decrypt the + * encdata message and ask questions based on the factor data. */ + } + return 0; +} + +/* + * Output a PA-SPAKE support message indicating which groups we support. This + * may be done for optimistic preauth, in response to an empty message, or in + * response to a challenge using a group we do not support. Save the support + * message in st->support. + */ +static krb5_error_code +send_support(krb5_context context, groupstate *gstate, reqstate *st, + krb5_pa_data ***pa_out) +{ + krb5_error_code ret; + krb5_data *support; + krb5_pa_spake msg; + + msg.choice = SPAKE_MSGTYPE_SUPPORT; + group_get_permitted(gstate, &msg.u.support.groups, &msg.u.support.ngroups); + ret = encode_krb5_pa_spake(&msg, &support); + if (ret) + return ret; + + /* Save the support message for later use in the transcript hash. */ + ret = krb5_copy_data(context, support, &st->support); + if (ret) { + krb5_free_data(context, support); + return ret; + } + + TRACE_SPAKE_SEND_SUPPORT(context); + return convert_to_padata(support, pa_out); +} + +static krb5_error_code +process_challenge(krb5_context context, groupstate *gstate, reqstate *st, + krb5_spake_challenge *ch, const krb5_data *der_msg, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_prompter_fct prompter, void *prompter_data, + const krb5_data *der_req, krb5_pa_data ***pa_out) +{ + krb5_error_code ret; + krb5_keyblock *k0 = NULL, *k1 = NULL, *as_key; + krb5_spake_factor factor; + krb5_pa_spake msg; + krb5_data *der_factor = NULL, *response; + krb5_data clpriv = empty_data(), clpub = empty_data(); + krb5_data wbytes = empty_data(); + krb5_enc_data enc_factor; + + enc_factor.ciphertext = empty_data(); + + /* Not expected if we processed a challenge and didn't reject it. */ + if (st->initial_key != NULL) + return KRB5KDC_ERR_PREAUTH_FAILED; + + if (!group_is_permitted(gstate, ch->group)) { + TRACE_SPAKE_REJECT_CHALLENGE(context, ch->group); + /* No point in sending a second support message. */ + if (st->support != NULL) + return KRB5KDC_ERR_PREAUTH_FAILED; + return send_support(context, gstate, st, pa_out); + } + + /* Initialize and update the transcript with the concatenation of the + * support message (if we sent one) and the received challenge. */ + ret = update_thash(context, gstate, ch->group, &st->thash, st->support, + der_msg); + if (ret) + return ret; + + TRACE_SPAKE_RECEIVE_CHALLENGE(context, ch->group, &ch->pubkey); + + /* When second factor support is implemented, we should check for a + * supported factor type instead of just checking for SF-NONE. */ + if (!contains_sf_none(ch->factors)) + return KRB5KDC_ERR_PREAUTH_FAILED; + + ret = cb->get_as_key(context, rock, &as_key); + if (ret) + goto cleanup; + ret = krb5_copy_keyblock(context, as_key, &st->initial_key); + if (ret) + goto cleanup; + ret = derive_wbytes(context, ch->group, st->initial_key, &wbytes); + if (ret) + goto cleanup; + ret = group_keygen(context, gstate, ch->group, &wbytes, &clpriv, &clpub); + if (ret) + goto cleanup; + ret = group_result(context, gstate, ch->group, &wbytes, &clpriv, + &ch->pubkey, &st->spakeresult); + if (ret) + goto cleanup; + + ret = update_thash(context, gstate, ch->group, &st->thash, &clpub, NULL); + if (ret) + goto cleanup; + TRACE_SPAKE_CLIENT_THASH(context, &st->thash); + + /* Replace the reply key with K'[0]. */ + ret = derive_key(context, gstate, ch->group, st->initial_key, &wbytes, + &st->spakeresult, &st->thash, der_req, 0, &k0); + if (ret) + goto cleanup; + ret = cb->set_as_key(context, rock, k0); + if (ret) + goto cleanup; + + /* Encrypt a SPAKESecondFactor message with K'[1]. */ + ret = derive_key(context, gstate, ch->group, st->initial_key, &wbytes, + &st->spakeresult, &st->thash, der_req, 1, &k1); + if (ret) + goto cleanup; + /* When second factor support is implemented, we should construct an + * appropriate factor here instead of hardcoding SF-NONE. */ + factor.type = SPAKE_SF_NONE; + factor.data = NULL; + ret = encode_krb5_spake_factor(&factor, &der_factor); + if (ret) + goto cleanup; + ret = krb5_encrypt_helper(context, k1, KRB5_KEYUSAGE_SPAKE, der_factor, + &enc_factor); + if (ret) + goto cleanup; + + /* Encode and output a response message. */ + msg.choice = SPAKE_MSGTYPE_RESPONSE; + msg.u.response.pubkey = clpub; + msg.u.response.factor = enc_factor; + ret = encode_krb5_pa_spake(&msg, &response); + if (ret) + goto cleanup; + TRACE_SPAKE_SEND_RESPONSE(context); + ret = convert_to_padata(response, pa_out); + if (ret) + goto cleanup; + + cb->disable_fallback(context, rock); + +cleanup: + krb5_free_keyblock(context, k0); + krb5_free_keyblock(context, k1); + krb5_free_data_contents(context, &enc_factor.ciphertext); + krb5_free_data_contents(context, &clpub); + zapfree(clpriv.data, clpriv.length); + zapfree(wbytes.data, wbytes.length); + if (der_factor != NULL) { + zapfree(der_factor->data, der_factor->length); + free(der_factor); + } + return ret; +} + +static krb5_error_code +process_encdata(krb5_context context, reqstate *st, krb5_enc_data *enc, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_prompter_fct prompter, void *prompter_data, + const krb5_data *der_prev_req, const krb5_data *der_req, + krb5_pa_data ***pa_out) +{ + /* Not expected if we haven't sent a response yet. */ + if (st->initial_key == NULL || st->spakeresult.length == 0) + return KRB5KDC_ERR_PREAUTH_FAILED; + + /* + * When second factor support is implemented, we should process encdata + * messages according to the factor type. We should make sure to re-derive + * K'[0] and replace the reply key again, in case the request has changed. + * We should use der_prev_req to derive K'[n] to decrypt factor from the + * KDC. We should use der_req to derive K'[n+1] for the next message to + * send to the KDC. + */ + return KRB5_PLUGIN_OP_NOTSUPP; +} + +static krb5_error_code +spake_process(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_kdc_req *req, krb5_data *der_req, krb5_data *der_prev_req, + krb5_pa_data *pa_in, krb5_prompter_fct prompter, + void *prompter_data, krb5_pa_data ***pa_out) +{ + krb5_error_code ret; + groupstate *gstate = (groupstate *)moddata; + reqstate *st = (reqstate *)modreq; + krb5_data in_data; + + if (st == NULL) + return ENOMEM; + + if (pa_in->length == 0) { + /* Not expected if we already sent a support message. */ + if (st->support != NULL) + return KRB5KDC_ERR_PREAUTH_FAILED; + return send_support(context, gstate, st, pa_out); + } + + if (st->msg == NULL) { + /* The message failed to decode in spake_prep_questions(). */ + ret = KRB5KDC_ERR_PREAUTH_FAILED; + } else if (st->msg->choice == SPAKE_MSGTYPE_CHALLENGE) { + in_data = make_data(pa_in->contents, pa_in->length); + ret = process_challenge(context, gstate, st, &st->msg->u.challenge, + &in_data, cb, rock, prompter, prompter_data, + der_req, pa_out); + } else if (st->msg->choice == SPAKE_MSGTYPE_ENCDATA) { + ret = process_encdata(context, st, &st->msg->u.encdata, cb, rock, + prompter, prompter_data, der_prev_req, der_req, + pa_out); + } else { + /* Unexpected message type */ + ret = KRB5KDC_ERR_PREAUTH_FAILED; + } + + return ret; +} + +krb5_error_code +clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +krb5_error_code +clpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_clpreauth_vtable vt; + static krb5_preauthtype pa_types[] = { KRB5_PADATA_SPAKE, 0 }; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_clpreauth_vtable)vtable; + vt->name = "spake"; + vt->pa_type_list = pa_types; + vt->init = spake_init; + vt->fini = spake_fini; + vt->request_init = spake_request_init; + vt->request_fini = spake_request_fini; + vt->process = spake_process; + vt->prep_questions = spake_prep_questions; + return 0; +} diff --git a/src/plugins/preauth/spake/spake_kdc.c b/src/plugins/preauth/spake/spake_kdc.c new file mode 100644 index 0000000..59e8840 --- /dev/null +++ b/src/plugins/preauth/spake/spake_kdc.c @@ -0,0 +1,591 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/spake_kdc.c - SPAKE kdcpreauth module */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "k5-input.h" +#include "k5-spake.h" + +#include "groups.h" +#include "trace.h" +#include "iana.h" +#include "util.h" + +#include + +/* + * The SPAKE kdcpreauth module uses a secure cookie containing the following + * concatenated fields (all integer fields are big-endian): + * + * version (16-bit unsigned integer) + * stage (16-bit unsigned integer) + * group (32-bit signed integer) + * SPAKE value (32-bit unsigned length, followed by data) + * Transcript hash (32-bit unsigned length, followed by data) + * Zero or more instances of: + * second-factor number (32-bit signed integer) + * second-factor data (32-bit unsigned length, followed by data) + * + * The only currently supported version is 1. stage is 0 if the cookie was + * sent with a challenge message. stage is n>0 if the cookie was sent with an + * encdata message encrypted in K'[2n]. group indicates the group number used + * in the SPAKE challenge. The SPAKE value is the KDC private key for a + * stage-0 cookie, represented in the scalar marshalling form of the group; for + * other cookies, the SPAKE value is the SPAKE result K, represented in the + * group element marshalling form. The transcript hash is the intermediate + * hash after updating with the support and challenge messages for a stage-0 + * cookie, or the final hash for other cookies. For a stage 0 cookie, there + * may be any number of second-factor records, including none (no record is + * generated for SF-NONE); for other cookies, there must be exactly one + * second-factor record corresponding to the factor type chosen by the client. + */ + +/* From a k5input structure representing the remainder of a secure cookie + * plaintext, parse a four-byte length and data. */ +static void +parse_data(struct k5input *in, krb5_data *out) +{ + out->length = k5_input_get_uint32_be(in); + out->data = (char *)k5_input_get_bytes(in, out->length); + out->magic = KV5M_DATA; +} + +/* Parse a received cookie into its components. The pointers stored in the + * krb5_data outputs are aliases into cookie and should not be freed. */ +static krb5_error_code +parse_cookie(const krb5_data *cookie, int *stage_out, int32_t *group_out, + krb5_data *spake_out, krb5_data *thash_out, + krb5_data *factors_out) +{ + struct k5input in; + int version, stage; + int32_t group; + krb5_data thash, spake, factors; + + *spake_out = *thash_out = *factors_out = empty_data(); + k5_input_init(&in, cookie->data, cookie->length); + + /* Parse and check the version, and read the other integer fields. */ + version = k5_input_get_uint16_be(&in); + if (version != 1) + return KRB5KDC_ERR_PREAUTH_FAILED; + stage = k5_input_get_uint16_be(&in); + group = k5_input_get_uint32_be(&in); + + /* Parse the data fields. The factor data is anything remaining after the + * transcript hash. */ + parse_data(&in, &spake); + parse_data(&in, &thash); + if (in.status) + return in.status; + factors = make_data((char *)in.ptr, in.len); + + *stage_out = stage; + *group_out = group; + *spake_out = spake; + *thash_out = thash; + *factors_out = factors; + return 0; +} + +/* Marshal data into buf as a four-byte length followed by the contents. */ +static void +marshal_data(struct k5buf *buf, const krb5_data *data) +{ + uint8_t lenbuf[4]; + + store_32_be(data->length, lenbuf); + k5_buf_add_len(buf, lenbuf, 4); + k5_buf_add_len(buf, data->data, data->length); +} + +/* Marshal components into a cookie. */ +static krb5_error_code +make_cookie(int stage, int32_t group, const krb5_data *spake, + const krb5_data *thash, krb5_data *cookie_out) +{ + struct k5buf buf; + uint8_t intbuf[4]; + + *cookie_out = empty_data(); + k5_buf_init_dynamic_zap(&buf); + + /* Marshal the version, stage, and group. */ + store_16_be(1, intbuf); + k5_buf_add_len(&buf, intbuf, 2); + store_16_be(stage, intbuf); + k5_buf_add_len(&buf, intbuf, 2); + store_32_be(group, intbuf); + k5_buf_add_len(&buf, intbuf, 4); + + /* Marshal the data fields. */ + marshal_data(&buf, spake); + marshal_data(&buf, thash); + + /* When second factor support is implemented, we should add factor data + * here. */ + + if (buf.data == NULL) + return ENOMEM; + *cookie_out = make_data(buf.data, buf.len); + return 0; +} + +/* Add authentication indicators if any are configured for SPAKE. */ +static krb5_error_code +add_indicators(krb5_context context, const krb5_data *realm, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock) +{ + krb5_error_code ret; + const char *keys[4]; + char *realmstr, **indicators, **ind; + + realmstr = k5memdup0(realm->data, realm->length, &ret); + if (realmstr == NULL) + return ret; + keys[0] = KRB5_CONF_REALMS; + keys[1] = realmstr; + keys[2] = KRB5_CONF_SPAKE_PREAUTH_INDICATOR; + keys[3] = NULL; + ret = profile_get_values(context->profile, keys, &indicators); + free(realmstr); + if (ret == PROF_NO_RELATION) + return 0; + if (ret) + return ret; + + for (ind = indicators; *ind != NULL && !ret; ind++) + ret = cb->add_auth_indicator(context, rock, *ind); + + profile_free_list(indicators); + return ret; +} + +/* Initialize a SPAKE module data object. */ +static krb5_error_code +spake_init(krb5_context context, krb5_kdcpreauth_moddata *moddata_out, + const char **realmnames) +{ + krb5_error_code ret; + groupstate *gstate; + + ret = group_init_state(context, TRUE, &gstate); + if (ret) + return ret; + *moddata_out = (krb5_kdcpreauth_moddata)gstate; + return 0; +} + +/* Release a SPAKE module data object. */ +static void +spake_fini(krb5_context context, krb5_kdcpreauth_moddata moddata) +{ + group_free_state((groupstate *)moddata); +} + +/* + * Generate a SPAKE challenge message for the specified group. Use cb and rock + * to retrieve the initial reply key and to set a stage-0 cookie. Invoke + * either erespond or vrespond with the result. + */ +static void +send_challenge(krb5_context context, groupstate *gstate, int32_t group, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + const krb5_data *support, + krb5_kdcpreauth_edata_respond_fn erespond, + krb5_kdcpreauth_verify_respond_fn vrespond, void *arg) +{ + krb5_error_code ret; + const krb5_keyblock *ikey; + krb5_pa_data **padata = NULL, *pa; + krb5_data kdcpriv = empty_data(), kdcpub = empty_data(), *der_msg = NULL; + krb5_data thash = empty_data(), cookie = empty_data(); + krb5_data wbytes = empty_data(); + krb5_spake_factor f, *flist[2]; + krb5_pa_spake msg; + + ikey = cb->client_keyblock(context, rock); + if (ikey == NULL) { + ret = KRB5KDC_ERR_ETYPE_NOSUPP; + goto cleanup; + } + + ret = derive_wbytes(context, group, ikey, &wbytes); + if (ret) + goto cleanup; + ret = group_keygen(context, gstate, group, &wbytes, &kdcpriv, &kdcpub); + if (ret) + goto cleanup; + + /* Encode the challenge. When second factor support is implemented, we + * should construct a factor list instead of hardcoding SF-NONE. */ + f.type = SPAKE_SF_NONE; + f.data = NULL; + flist[0] = &f; + flist[1] = NULL; + msg.choice = SPAKE_MSGTYPE_CHALLENGE; + msg.u.challenge.group = group; + msg.u.challenge.pubkey = kdcpub; + msg.u.challenge.factors = flist; + ret = encode_krb5_pa_spake(&msg, &der_msg); + if (ret) + goto cleanup; + + /* Initialize and update the transcript hash with the support message (if + * we received one) and challenge message. */ + ret = update_thash(context, gstate, group, &thash, support, der_msg); + if (ret) + goto cleanup; + + /* Save the group, transcript hash, and private key in a stage-0 cookie. + * When second factor support is implemented, also save factor state. */ + ret = make_cookie(0, group, &kdcpriv, &thash, &cookie); + if (ret) + goto cleanup; + ret = cb->set_cookie(context, rock, KRB5_PADATA_SPAKE, &cookie); + if (ret) + goto cleanup; + + ret = convert_to_padata(der_msg, &padata); + der_msg = NULL; + TRACE_SPAKE_SEND_CHALLENGE(context, group); + +cleanup: + zapfree(wbytes.data, wbytes.length); + zapfree(kdcpriv.data, kdcpriv.length); + zapfree(cookie.data, cookie.length); + krb5_free_data_contents(context, &kdcpub); + krb5_free_data_contents(context, &thash); + krb5_free_data(context, der_msg); + + if (erespond != NULL) { + assert(vrespond == NULL); + /* Grab the first pa-data element from the list, if we made one. */ + pa = (padata == NULL) ? NULL : padata[0]; + free(padata); + (*erespond)(arg, ret, pa); + } else { + assert(vrespond != NULL); + if (!ret) + ret = KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED; + (*vrespond)(arg, ret, NULL, padata, NULL); + } +} + +/* Generate the METHOD-DATA entry indicating support for SPAKE. Include an + * optimistic challenge if configured to do so. */ +static void +spake_edata(krb5_context context, krb5_kdc_req *req, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_preauthtype pa_type, + krb5_kdcpreauth_edata_respond_fn respond, void *arg) +{ + const krb5_keyblock *ikey; + groupstate *gstate = (groupstate *)moddata; + krb5_data empty = empty_data(); + int32_t group; + + /* SPAKE requires a client key, which cannot be a single-DES key. */ + ikey = cb->client_keyblock(context, rock); + if (ikey == NULL) { + (*respond)(arg, KRB5KDC_ERR_ETYPE_NOSUPP, NULL); + return; + } + + group = group_optimistic_challenge(gstate); + if (group) { + send_challenge(context, gstate, group, cb, rock, &empty, respond, NULL, + arg); + } else { + /* No optimistic challenge configured; send an empty pa-data value. */ + (*respond)(arg, 0, NULL); + } +} + +/* Choose a group from the client's support message and generate a + * challenge. */ +static void +verify_support(krb5_context context, groupstate *gstate, + krb5_spake_support *support, const krb5_data *der_msg, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) +{ + krb5_error_code ret; + int32_t i, group; + + for (i = 0; i < support->ngroups; i++) { + if (group_is_permitted(gstate, support->groups[i])) + break; + } + if (i == support->ngroups) { + TRACE_SPAKE_REJECT_SUPPORT(context); + ret = KRB5KDC_ERR_PREAUTH_FAILED; + goto error; + } + group = support->groups[i]; + TRACE_SPAKE_RECEIVE_SUPPORT(context, group); + + send_challenge(context, gstate, group, cb, rock, der_msg, NULL, respond, + arg); + return; + +error: + (*respond)(arg, ret, NULL, NULL, NULL); +} + +/* + * From the client's response message, compute the SPAKE result and decrypt the + * factor reply. On success, either mark the reply as pre-authenticated and + * set a reply key in the pre-request module data, or generate an additional + * factor challenge and ask for another round of pre-authentication. + */ +static void +verify_response(krb5_context context, groupstate *gstate, + krb5_spake_response *resp, const krb5_data *realm, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) +{ + krb5_error_code ret; + const krb5_keyblock *ikey; + krb5_keyblock *k1 = NULL, *reply_key = NULL; + krb5_data cookie, thash_in, kdcpriv, factors, *der_req; + krb5_data thash = empty_data(), der_factor = empty_data(); + krb5_data wbytes = empty_data(), spakeresult = empty_data(); + krb5_spake_factor *factor = NULL; + int stage; + int32_t group; + + ikey = cb->client_keyblock(context, rock); + if (ikey == NULL) { + ret = KRB5KDC_ERR_ETYPE_NOSUPP; + goto cleanup; + } + + /* Fetch the stage-0 cookie and parse it. (All of the krb5_data results + * are aliases into memory owned by rock). */ + if (!cb->get_cookie(context, rock, KRB5_PADATA_SPAKE, &cookie)) { + ret = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; + } + ret = parse_cookie(&cookie, &stage, &group, &kdcpriv, &thash_in, &factors); + if (ret) + goto cleanup; + if (stage != 0) { + /* The received cookie wasn't sent with a challenge. */ + ret = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; + } + TRACE_SPAKE_RECEIVE_RESPONSE(context, &resp->pubkey); + + /* Update the transcript hash with the client public key. */ + ret = krb5int_copy_data_contents(context, &thash_in, &thash); + if (ret) + goto cleanup; + ret = update_thash(context, gstate, group, &thash, &resp->pubkey, NULL); + if (ret) + goto cleanup; + TRACE_SPAKE_KDC_THASH(context, &thash); + + ret = derive_wbytes(context, group, ikey, &wbytes); + if (ret) + goto cleanup; + ret = group_result(context, gstate, group, &wbytes, &kdcpriv, + &resp->pubkey, &spakeresult); + if (ret) + goto cleanup; + + /* Decrypt the response factor field using K'[1]. If the decryption + * integrity check fails, the client probably used the wrong password. */ + der_req = cb->request_body(context, rock); + ret = derive_key(context, gstate, group, ikey, &wbytes, &spakeresult, + &thash, der_req, 1, &k1); + if (ret) + goto cleanup; + ret = alloc_data(&der_factor, resp->factor.ciphertext.length); + if (ret) + goto cleanup; + ret = krb5_c_decrypt(context, k1, KRB5_KEYUSAGE_SPAKE, NULL, &resp->factor, + &der_factor); + if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY) + ret = KRB5KDC_ERR_PREAUTH_FAILED; + if (ret) + goto cleanup; + ret = decode_krb5_spake_factor(&der_factor, &factor); + if (ret) + goto cleanup; + + /* + * When second factor support is implemented, we should verify the factor + * data here, and possibly generate an encdata message for another hop. + * This function may need to be split at this point to allow for + * asynchronous verification of the second-factor value. We might also + * need to collect authentication indicators from the second-factor module; + * alternatively the module could have access to cb and rock so that it can + * add indicators itself. + */ + if (factor->type != SPAKE_SF_NONE) { + ret = KRB5KDC_ERR_PREAUTH_FAILED; + goto cleanup; + } + + ret = add_indicators(context, realm, cb, rock); + if (ret) + goto cleanup; + + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + + ret = derive_key(context, gstate, group, ikey, &wbytes, &spakeresult, + &thash, der_req, 0, &reply_key); + +cleanup: + zapfree(wbytes.data, wbytes.length); + zapfree(der_factor.data, der_factor.length); + zapfree(spakeresult.data, spakeresult.length); + krb5_free_data_contents(context, &thash); + krb5_free_keyblock(context, k1); + k5_free_spake_factor(context, factor); + (*respond)(arg, ret, (krb5_kdcpreauth_modreq)reply_key, NULL, NULL); +} + +/* + * Decrypt and validate an additional second-factor reply. On success, either + * mark the reply as pre-authenticated and set a reply key in the pre-request + * module data, or generate an additional factor challenge and ask for another + * round of pre-authentication. + */ +static void +verify_encdata(krb5_context context, krb5_enc_data *enc, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_enc_tkt_part *enc_tkt_reply, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) +{ + /* + * When second factor support is implemented, we should process encdata + * message according to the factor type recorded in the cookie. If the + * second factor exchange finishes successfully, we should set + * TKT_FLG_PRE_AUTH, set the reply key to K'[0], and add any auth + * indicators from configuration (with a call to add_indicators()) or the + * second factor module (unless the module has access to cb and rock and + * can add indicators itself). + */ + (*respond)(arg, KRB5KDC_ERR_PREAUTH_FAILED, NULL, NULL, NULL); +} + +/* + * Respond to a client padata message, either by generating a SPAKE challenge, + * generating an additional second-factor challenge, or marking the reply as + * pre-authenticated and setting an additional reply key in the pre-request + * module data. + */ +static void +spake_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, + krb5_enc_tkt_part *enc_tkt_reply, krb5_pa_data *data, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, + krb5_kdcpreauth_verify_respond_fn respond, void *arg) +{ + krb5_error_code ret; + krb5_pa_spake *pa_spake = NULL; + krb5_data in_data = make_data(data->contents, data->length); + groupstate *gstate = (groupstate *)moddata; + + ret = decode_krb5_pa_spake(&in_data, &pa_spake); + if (ret) { + (*respond)(arg, ret, NULL, NULL, NULL); + } else if (pa_spake->choice == SPAKE_MSGTYPE_SUPPORT) { + verify_support(context, gstate, &pa_spake->u.support, &in_data, cb, + rock, respond, arg); + } else if (pa_spake->choice == SPAKE_MSGTYPE_RESPONSE) { + verify_response(context, gstate, &pa_spake->u.response, + &request->server->realm, cb, rock, enc_tkt_reply, + respond, arg); + } else if (pa_spake->choice == SPAKE_MSGTYPE_ENCDATA) { + verify_encdata(context, &pa_spake->u.encdata, cb, rock, enc_tkt_reply, + respond, arg); + } else { + ret = KRB5KDC_ERR_PREAUTH_FAILED; + k5_setmsg(context, ret, _("Unknown SPAKE request type")); + (*respond)(arg, ret, NULL, NULL, NULL); + } + + k5_free_pa_spake(context, pa_spake); +} + +/* If a key was set in the per-request module data, replace the reply key. Do + * not generate any pa-data to include with the KDC reply. */ +static krb5_error_code +spake_return(krb5_context context, krb5_pa_data *padata, krb5_data *req_pkt, + krb5_kdc_req *request, krb5_kdc_rep *reply, + krb5_keyblock *encrypting_key, krb5_pa_data **send_pa_out, + krb5_kdcpreauth_callbacks cb, krb5_kdcpreauth_rock rock, + krb5_kdcpreauth_moddata moddata, krb5_kdcpreauth_modreq modreq) +{ + krb5_keyblock *reply_key = (krb5_keyblock *)modreq; + + if (reply_key == NULL) + return 0; + krb5_free_keyblock_contents(context, encrypting_key); + return krb5_copy_keyblock_contents(context, reply_key, encrypting_key); +} + +/* Release a per-request module data object. */ +static void +spake_free_modreq(krb5_context context, krb5_kdcpreauth_moddata moddata, + krb5_kdcpreauth_modreq modreq) +{ + krb5_free_keyblock(context, (krb5_keyblock *)modreq); +} + +krb5_error_code +kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable); + +krb5_error_code +kdcpreauth_spake_initvt(krb5_context context, int maj_ver, int min_ver, + krb5_plugin_vtable vtable) +{ + krb5_kdcpreauth_vtable vt; + static krb5_preauthtype pa_types[] = { KRB5_PADATA_SPAKE, 0 }; + + if (maj_ver != 1) + return KRB5_PLUGIN_VER_NOTSUPP; + vt = (krb5_kdcpreauth_vtable)vtable; + vt->name = "spake"; + vt->pa_type_list = pa_types; + vt->init = spake_init; + vt->fini = spake_fini; + vt->edata = spake_edata; + vt->verify = spake_verify; + vt->return_padata = spake_return; + vt->free_modreq = spake_free_modreq; + return 0; +} diff --git a/src/plugins/preauth/spake/t_krb5.conf b/src/plugins/preauth/spake/t_krb5.conf new file mode 100644 index 0000000..65fdaec --- /dev/null +++ b/src/plugins/preauth/spake/t_krb5.conf @@ -0,0 +1,2 @@ +[libdefaults] + spake_preauth_groups = edwards25519 diff --git a/src/plugins/preauth/spake/t_vectors.c b/src/plugins/preauth/spake/t_vectors.c new file mode 100644 index 0000000..2279202 --- /dev/null +++ b/src/plugins/preauth/spake/t_vectors.c @@ -0,0 +1,476 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/t_vectors.c - SPAKE test vector verification */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "k5-hex.h" +#include "groups.h" +#include "iana.h" +#include "util.h" +#include + +struct test { + krb5_enctype enctype; + int32_t group; + const char *ikey; + const char *w; + const char *x; + const char *y; + const char *T; + const char *S; + const char *K; + const char *support; + const char *challenge; + const char *thash; + const char *body; + const char *K0; + const char *K1; + const char *K2; + const char *K3; +} tests[] = { + { ENCTYPE_DES3_CBC_SHA1, SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E", + "686D84730CB8679AE95416C6567C6A63F2C9CEF124F7A3371AE81E11CAD42A37", + "201012D07BFD48DDFA33C4AAC4FB1E229FB0D043CFE65EBFB14399091C71A723", + "500B294797B8B042ACA1BEDC0F5931A4F52C537B3608B2D05CC8A2372F439F25", + "18F511E750C97B592ACD30DB7D9E5FCA660389102E6BF610C1BFBED4616C8362", + "5D10705E0D1E43D5DBF30240CCFBDE4A0230C70D4C79147AB0B317EDAD2F8AE7", + "25BDE0D875F0FEB5755F45BA5E857889D916ECF7476F116AA31DC3E037EC4292", + /* support, challenge, thash, body */ + "A0093007A0053003020101", + "A1363034A003020101A122042018F511E750C97B592ACD30DB7D9E5FCA660389" + "102E6BF610C1BFBED4616C8362A20930073005A003020101", + "EAAA08807D0616026FF51C849EFBF35BA0CE3C5300E7D486DA46351B13D4605B", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020110", + /* K'[0], K'[1], K'[2], K'[3] */ + "BAF12FAE7CD958CBF1A29BFBC71F89CE49E03E295D89DAFD", + "64F73DD9C41908206BCEC1F719026B574F9D13463D7A2520", + "0454520B086B152C455829E6BAEFF78A61DFE9E3D04A895D", + "4A92260B25E3EF94C125D5C24C3E5BCED5B37976E67F25C4", + }, + + { ENCTYPE_ARCFOUR_HMAC, SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "8846F7EAEE8FB117AD06BDD830B7586C", + "7C86659D29CF2B2EA93BFE79C3CEFB8850E82215B3EA6FCD896561D48048F49C", + "C8A62E7B626F44CAD807B2D695450697E020D230A738C5CD5691CC781DCE8754", + "18FE7C1512708C7FD06DB270361F04593775BC634CEAF45347E5C11C38AAE017", + "7DB465F1C08C64983A19F560BCE966FE5306C4B447F70A5BCA14612A92DA1D63", + "38F8D4568090148EBC9FD17C241B4CC2769505A7CA6F3F7104417B72B5B5CF54", + "03E75EDD2CD7E7677642DD68736E91700953AC55DC650E3C2A1B3B4ACDB800F8", + /* support, challenge, thash, body */ + "A0093007A0053003020101", + "A1363034A003020101A12204207DB465F1C08C64983A19F560BCE966FE5306C4" + "B447F70A5BCA14612A92DA1D63A20930073005A003020101", + "F4B208458017DE6EF7F6A307D47D87DB6C2AF1D291B726860F68BC08BFEF440A", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020117", + /* K'[0], K'[1], K'[2], K'[3] */ + "770B720C82384CBB693E85411EEDECBA", + "621DEEC88E2865837C4D3462BB50A1D5", + "1CC8F6333B9FA3B42662FD9914FBD5BB", + "EDB4032B7FC3806D5211A534DCBC390C", + }, + + { ENCTYPE_AES128_CTS_HMAC_SHA1_96, SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "FCA822951813FB252154C883F5EE1CF4", + "0D591B197B667E083C2F5F98AC891D3C9F99E710E464E62F1FB7C9B67936F3EB", + "50BE049A5A570FA1459FB9F666E6FD80602E4E87790A0E567F12438A2C96C138", + "B877AFE8612B406D96BE85BD9F19D423E95BE96C0E1E0B5824127195C3ED5917", + "9E9311D985C1355E022D7C3C694AD8D6F7AD6D647B68A90B0FE46992818002DA", + "FBE08F7F96CD5D4139E7C9ECCB95E79B8ACE41E270A60198C007DF18525B628E", + "C2F7F99997C585E6B686CEB62DB42F17CC70932DEF3BB4CF009E36F22EA5473D", + /* support, challenge, thash, body */ + "A0093007A0053003020101", + "A1363034A003020101A12204209E9311D985C1355E022D7C3C694AD8D6F7AD6D" + "647B68A90B0FE46992818002DAA20930073005A003020101", + "951285F107C87F0169B9C918A1F51F60CB1A75B9F8BB799A99F53D03ADD94B5F", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020111", + /* K'[0], K'[1], K'[2], K'[3] */ + "548022D58A7C47EAE8C49DCCF6BAA407", + "B2C9BA0E13FC8AB3A9D96B51B601CF4A", + "69F0EE5FDB6C237E7FCD38D9F87DF1BD", + "78F91E2240B5EE528A5CC8D7CBEBFBA5", + }, + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "E902341590A1B4BB4D606A1C643CCCB3F2108F1B6AA97B381012B9400C9E3F4E", + "88C6C0A4F0241EF217C9788F02C32D00B72E4310748CD8FB5F94717607E6417D", + "88B859DF58EF5C69BACDFE681C582754EAAB09A74DC29CFF50B328613C232F55", + "6F301AACAE1220E91BE42868C163C5009AEEA1E9D9E28AFCFC339CDA5E7105B5", + "9E2CC32908FC46273279EC75354B4AEAFA70C3D99A4D507175ED70D80B255DDA", + "CF57F58F6E60169D2ECC8F20BB923A8E4C16E5BC95B9E64B5DC870DA7026321B", + /* support, challenge, thash, body */ + "A0093007A0053003020101", + "A1363034A003020101A12204206F301AACAE1220E91BE42868C163C5009AEEA1" + "E9D9E28AFCFC339CDA5E7105B5A20930073005A003020101", + "1C605649D4658B58CBE79A5FAF227ACC16C355C58B7DADE022F90C158FE5ED8E", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "A9BFA71C95C575756F922871524B65288B3F695573CCC0633E87449568210C23", + "1865A9EE1EF0640EC28AC007391CAC624C42639C714767A974E99AA10003015F", + "E57781513FEFDB978E374E156B0DA0C1A08148F5EB26B8E157AC3C077E28BF49", + "008E6487293C3CC9FABBBCDD8B392D6DCB88222317FD7FE52D12FBC44FA047F1", + }, + +#ifdef SPAKE_OPENSSL + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_P256, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "EB2984AF18703F94DD5288B8596CD36988D0D4E83BFB2B44DE14D0E95E2090BD", + "935DDD725129FB7C6288E1A5CC45782198A6416D1775336D71EACD0549A3E80E", + "E07405EB215663ABC1F254B8ADC0DA7A16FEBAA011AF923D79FDEF7C42930B33", + "024F62078CEB53840D02612195494D0D0D88DE21FEEB81187C71CBF3D01E71788D", + "021D07DC31266FC7CFD904CE2632111A169B7EC730E5F74A7E79700F86638E13C8", + "0268489D7A9983F2FDE69C6E6A1307E9D252259264F5F2DFC32F58CCA19671E79B", + /* support, challenge, thash, body */ + "A0093007A0053003020102", + "A1373035A003020102A1230421024F62078CEB53840D02612195494D0D0D88DE" + "21FEEB81187C71CBF3D01E71788DA20930073005A003020101", + "20AD3C1A9A90FC037D1963A1C4BFB15AB4484D7B6CF07B12D24984F14652DE60", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "7D3B906F7BE49932DB22CD3463F032D06C9C078BE4B1D076D201FC6E61EF531E", + "17D74E36F8993841FBB7FEB12FA4F011243D3AE4D2ACE55B39379294BBC4DB2C", + "D192C9044081A2AA6A97A6C69E2724E8E5671C2C9CE073DD439CDBAF96D7DAB0", + "41E5BAD6B67F12C53CE0E2720DD6A9887F877BF9463C2D5209C74C36F8D776B7", + }, + + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_P384, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "0304CFC55151C6BBE889653DB96DBFE0BA4ACAFC024C1E8840CB3A486F6D80C1" + "6E1B8974016AA4B7FA43042A9B3825B1", + "F323CA74D344749096FD35D0ADF20806E521460637176E84D977E9933C49D76F" + "CFC6E62585940927468FF53D864A7A50", + "5B7C709ACB175A5AFB82860DEABCA8D0B341FACDFF0AC0F1A425799AA905D750" + "7E1EA9C573581A81467437419466E472", + "02A1524603EF14F184696F854229D3397507A66C63F841BA748451056BE07879" + "AC298912387B1C5CDFF6381C264701BE57", + "020D5ADFDB92BC377041CF5837412574C5D13E0F4739208A4F0C859A0A302BC6" + "A533440A245B9D97A0D34AF5016A20053D", + "0264AA8C61DA9600DFB0BEB5E46550D63740E4EF29E73F1A30D543EB43C25499" + "037AD16538586552761B093CF0E37C703A", + /* support, challenge, thash, body */ + "A0093007A0053003020103", + "A1473045A003020103A133043102A1524603EF14F184696F854229D3397507A6" + "6C63F841BA748451056BE07879AC298912387B1C5CDFF6381C264701BE57A209" + "30073005A003020101", + "5AC0D99EF9E5A73998797FE64F074673E3952DEC4C7D1AACCE8B75F64D2B0276" + "A901CB8539B4E8ED69E4DB0CE805B47B", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "B917D37C16DD1D8567FBE379F64E1EE36CA3FD127AA4E60F97E4AFA3D9E56D91", + "93D40079DAB229B9C79366829F4E7E7282E6A4B943AC7BAC69922D516673F49A", + "BFC4F16F12F683E71589F9A888E232875EF293AC9793DB6C919567CD7B94BCD4", + "3630E2B5B99938E7506733141E8EC344166F6407E5FC2EF107C156E764D1BC20", + }, + + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_P521, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "DE3A095A2B2386EFF3EB15B735398DA1CAF95BC8425665D82370AFF58B0471F3" + "4A57BCCDDF1EBF0A2965B58A93EE5B45E85D1A5435D1C8C83662999722D54283" + "1F9A", + "017C38701A14B490B6081DFC83524562BE7FBB42E0B20426465E3E37952D30BC" + "AB0ED857010255D44936A1515607964A870C7C879B741D878F9F9CDF5A865306" + "F3F5", + "003E2E2950656FA231E959ACDD984D125E7FA59CEC98126CBC8F3888447911EB" + "CD49428A1C22D5FDB76A19FBEB1D9EDFA3DA6CF55B158B53031D05D51433ADE9" + "B2B4", + "02017D3DE19A3EC53D0174905665EF37947D142535102CD9809C0DFBD0DFE007" + "353D54CF406CE2A59950F2BB540DF6FBE75F8BBBEF811C9BA06CC275ADBD9675" + "6696EC", + "02004D142D87477841F6BA053C8F651F3395AD264B7405CA5911FB9A55ABD454" + "FEF658A5F9ED97D1EFAC68764E9092FA15B9E0050880D78E95FD03ABF5931791" + "6822B5", + "03007C303F62F09282CC849490805BD4457A6793A832CBEB55DF427DB6A31E99" + "B055D5DC99756D24D47B70AD8B6015B0FB8742A718462ED423B90FA3FE631AC1" + "3FA916", + /* support, challenge, thash, body */ + "A0093007A0053003020104", + "A1593057A003020104A145044302017D3DE19A3EC53D0174905665EF37947D14" + "2535102CD9809C0DFBD0DFE007353D54CF406CE2A59950F2BB540DF6FBE75F8B" + "BBEF811C9BA06CC275ADBD96756696ECA20930073005A003020101", + "8D6A89AE4D80CC4E47B6F4E48EA3E57919CC69598D0D3DC7C8BD49B6F1DB1409" + "CA0312944CD964E213ABA98537041102237CFF5B331E5347A0673869B412302E", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "1EB3D10BEE8FAB483ADCD3EB38F3EBF1F4FEB8DB96ECC035F563CF2E1115D276", + "482B92781CE57F49176E4C94153CC622FE247A7DBE931D1478315F856F085890", + "A2C215126DD3DF280AAB5A27E1E0FB7E594192CBFF8D6D8E1B6F1818D9BB8FAC", + "CC06603DE984324013A01F888DE6D43B410A4DA2DEA53509F30E433C352FB668", + }, +#endif /* SPAKE_OPENSSL */ + + /* Successful optimistic challenge (no support message in transcript) */ + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_EDWARDS25519, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "E902341590A1B4BB4D606A1C643CCCB3F2108F1B6AA97B381012B9400C9E3F4E", + "70937207344CAFBC53C8A55070E399C584CBAFCE00B836980DD4E7E74FAD2A64", + "785D6801A2490DF028903AC6449B105F2FF0DB895B252953CDC2076649526103", + "83523B35F1565006CBFC4F159885467C2FB9BC6FE23D36CB1DA43D199F1A3118", + "2A8F70F46CEE9030700037B77F22CEC7970DCC238E3E066D9D726BAF183992C6", + "D3C5E4266AA6D1B2873A97CE8AF91C7E4D7A7AC456ACCED7908D34C561AD8FA6", + /* support, challenge, thash, body */ + NULL, + "A1363034A003020101A122042083523B35F1565006CBFC4F159885467C2FB9BC" + "6FE23D36CB1DA43D199F1A3118A20930073005A003020101", + "26F07F9F8965307434D11EA855461D41E0CBABCC0A1BAB48ECEE0C6C1A4292B7", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "4569EC08B5DE5C3CC19D941725913ACE8D74524B521A341DC746ACD5C3784D92", + "0D96CE1A4AC0F2E280A0CFC31742B06461D83D04AE45433DB2D80478DD882A4C", + "58018C19315A1BA5D5BB9813B58029F0AEC18A6F9CA59E0847DE1C60BC25945C", + "ED7E9BFFD68C54D86FB19CD3C03F317F88A71AD9A5E94C28581D93FC4EC72B6A", + }, + +#ifdef SPAKE_OPENSSL + /* Rejected optimistic challenge (no support message in transcript), + * falling back from edwards25519 to P-521 */ + { ENCTYPE_AES256_CTS_HMAC_SHA1_96, SPAKE_GROUP_P521, + /* initial key, w, x, y, T, S, K */ + "01B897121D933AB44B47EB5494DB15E50EB74530DBDAE9B634D65020FF5D88C1", + "DE3A095A2B2386EFF3EB15B735398DA1CAF95BC8425665D82370AFF58B0471F3" + "4A57BCCDDF1EBF0A2965B58A93EE5B45E85D1A5435D1C8C83662999722D54283" + "1F9A", + "01687B59051BF40048D7C31D5A973D792FA12284B7A447E7F5938B5885CA0BB2" + "C3F0BD30291A55FEA08E143E2E04BDD7D19B753C7C99032F06CAB0D9C2AA8F83" + "7EF7", + "01DED675EBF74FE30C9A53710F577E9CF84F09F6048FE245A4600004884CC167" + "733F9A9E43108FB83BABE8754CD37CBD7025E28BC9FF870F084C7244F536285E" + "25B4", + "02014CB2E5B592ECE5990F0EF30D308C061DE1598BC4272B4A6599BED466FD15" + "21693642ABCF4DBE36CE1A2D13967DE45F6C4F8D0FA8E14428BF03FB96EF5F1E" + "D3E645", + "02016C64995E804416F748FD5FA3AA678CBC7CBB596A4F523132DC8AF7CE84E5" + "41F484A2C74808C6B21DCF7775BAEFA6753398425BECC7B838B210AC5DAA0CB0" + "B710E2", + "0200997F4848AE2E7A98C23D14AC662030743AB37FCCC2A45F1C721114F40BCC" + "80FE6EC6ABA49868F8AEA1AA994D50E81B86D3E4D3C1130C8695B68907C673D9" + "E5886A", + /* support, challenge, thash, body */ + "A0093007A0053003020104", + "A1593057A003020104A145044302014CB2E5B592ECE5990F0EF30D308C061DE1" + "598BC4272B4A6599BED466FD1521693642ABCF4DBE36CE1A2D13967DE45F6C4F" + "8D0FA8E14428BF03FB96EF5F1ED3E645A20930073005A003020101", + "D0EFED5E3E2C39C26034756D92A66FEC3082AD793D0197F3F89AD36026F146A3" + "996E548AA3FC49E2E82F8CAC5D132C505AA475B39E7BE79CDED22C26C41AA777", + "3075A00703050000000000A1143012A003020101A10B30091B07726165627572" + "6EA2101B0E415448454E412E4D49542E454455A3233021A003020102A11A3018" + "1B066B72627467741B0E415448454E412E4D49542E454455A511180F31393730" + "303130313030303030305AA703020100A8053003020112", + /* K'[0], K'[1], K'[2], K'[3] */ + "631FCC8596E7F40E59045950D72AA0B7BAC2810A07B767050E983841CF3A2D4C", + "881464920117074DBC67155A8F3341D1121EF65F78EA0380BFA81A134C1C47B1", + "377B72AC3AF2CAAD582D73AE4682FD56B531EE56706200DD6C38C42B8219837A", + "35AD8E4D580ED3F0D15AD928329773C081BD19F9A56363F3A5F77C7E66108C26", + }, +#endif /* SPAKE_OPENSSL */ +}; + +static krb5_context ctx; + +static void +check(krb5_error_code code) +{ + const char *errmsg; + + if (code) { + errmsg = krb5_get_error_message(ctx, code); + assert(errmsg != NULL); + abort(); + } +} + +static void +check_key_equal(const krb5_keyblock *kb1, const krb5_keyblock *kb2) +{ + assert(kb1->enctype == kb2->enctype); + assert(kb1->length == kb2->length); + assert(memcmp(kb1->contents, kb2->contents, kb1->length) == 0); +} + +static krb5_data * +decode_data(const char *s) +{ + uint8_t *bytes; + size_t len; + krb5_data *d; + + if (k5_hex_decode(s, &bytes, &len) != 0) + abort(); + d = malloc(sizeof(*d)); + assert(d != NULL); + *d = make_data(bytes, len); + return d; +} + +static krb5_keyblock * +decode_keyblock(krb5_enctype enctype, const char *s) +{ + uint8_t *bytes; + size_t len; + krb5_keyblock *kb; + + if (k5_hex_decode(s, &bytes, &len) != 0) + abort(); + kb = malloc(sizeof(*kb)); + kb->magic = KV5M_KEYBLOCK; + kb->enctype = enctype; + kb->length = len; + kb->contents = bytes; + return kb; +} + +static void +run_test(const struct test *t) +{ + groupstate *gstate; + krb5_keyblock *ikey, *K0, *K1, *K2, *K3, *kb; + krb5_data *w, *x, *y, *T, *S, *K, *support, *challenge, *thash; + krb5_data *body, wbytes, result, hash, empty = empty_data(); + + /* Decode hex strings into keyblocks and byte strings. */ + ikey = decode_keyblock(t->enctype, t->ikey); + w = decode_data(t->w); + x = decode_data(t->x); + y = decode_data(t->y); + T = decode_data(t->T); + S = decode_data(t->S); + K = decode_data(t->K); + support = (t->support != NULL) ? decode_data(t->support) : NULL; + challenge = decode_data(t->challenge); + thash = decode_data(t->thash); + body = decode_data(t->body); + K0 = decode_keyblock(t->enctype, t->K0); + K1 = decode_keyblock(t->enctype, t->K1); + K2 = decode_keyblock(t->enctype, t->K2); + K3 = decode_keyblock(t->enctype, t->K3); + + check(derive_wbytes(ctx, t->group, ikey, &wbytes)); + assert(data_eq(*w, wbytes)); + + /* Verify KDC-side result computation. */ + check(group_init_state(ctx, TRUE, &gstate)); + check(group_result(ctx, gstate, t->group, &wbytes, x, S, &result)); + assert(data_eq(*K, result)); + krb5_free_data_contents(ctx, &result); + group_free_state(gstate); + + /* Verify client-side result computation. */ + check(group_init_state(ctx, FALSE, &gstate)); + check(group_result(ctx, gstate, t->group, &wbytes, y, T, &result)); + assert(data_eq(*K, result)); + krb5_free_data_contents(ctx, &result); + + /* Verify transcript hash. */ + hash = empty_data(); + check(update_thash(ctx, gstate, t->group, &hash, support, challenge)); + check(update_thash(ctx, gstate, t->group, &hash, S, &empty)); + assert(data_eq(*thash, hash)); + krb5_free_data_contents(ctx, &hash); + + /* Verify derived keys. */ + check(derive_key(ctx, gstate, t->group, ikey, &wbytes, K, thash, body, 0, + &kb)); + check_key_equal(K0, kb); + krb5_free_keyblock(ctx, kb); + check(derive_key(ctx, gstate, t->group, ikey, &wbytes, K, thash, body, 1, + &kb)); + check_key_equal(K1, kb); + krb5_free_keyblock(ctx, kb); + check(derive_key(ctx, gstate, t->group, ikey, &wbytes, K, thash, body, 2, + &kb)); + check_key_equal(K2, kb); + krb5_free_keyblock(ctx, kb); + check(derive_key(ctx, gstate, t->group, ikey, &wbytes, K, thash, body, 3, + &kb)); + check_key_equal(K3, kb); + krb5_free_keyblock(ctx, kb); + + group_free_state(gstate); + krb5_free_data_contents(ctx, &wbytes); + krb5_free_keyblock(ctx, ikey); + krb5_free_data(ctx, w); + krb5_free_data(ctx, x); + krb5_free_data(ctx, y); + krb5_free_data(ctx, T); + krb5_free_data(ctx, S); + krb5_free_data(ctx, K); + krb5_free_data(ctx, support); + krb5_free_data(ctx, challenge); + krb5_free_data(ctx, thash); + krb5_free_data(ctx, body); + krb5_free_keyblock(ctx, K0); + krb5_free_keyblock(ctx, K1); + krb5_free_keyblock(ctx, K2); + krb5_free_keyblock(ctx, K3); +} + +int +main() +{ + size_t i; + + check(krb5_init_context(&ctx)); + for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) + run_test(&tests[i]); + krb5_free_context(ctx); + return 0; +} diff --git a/src/plugins/preauth/spake/trace.h b/src/plugins/preauth/spake/trace.h new file mode 100644 index 0000000..c6e0108 --- /dev/null +++ b/src/plugins/preauth/spake/trace.h @@ -0,0 +1,74 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/internal.h - SPAKE internal function declarations */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef TRACE_H +#define TRACE_H + +#include "k5-int.h" + +/* + * Possible improvements at the cost of more code: + * - Groups could be displayed by name instead of number + * - We could display the group list when tracing support messages + */ + +#define TRACE_SPAKE_CLIENT_THASH(c, thash) \ + TRACE(c, "SPAKE final transcript hash: {hexdata}", thash) +#define TRACE_SPAKE_DERIVE_KEY(c, n, kb) \ + TRACE(c, "SPAKE derived K'[{int}] = {keyblock}", n, kb) +#define TRACE_SPAKE_KDC_THASH(c, thash) \ + TRACE(c, "SPAKE final transcript hash: {hexdata}", thash) +#define TRACE_SPAKE_KEYGEN(c, pubkey) \ + TRACE(c, "SPAKE key generated with pubkey {hexdata}", pubkey) +#define TRACE_SPAKE_RECEIVE_CHALLENGE(c, group, pubkey) \ + TRACE(c, "SPAKE challenge received with group {int}, pubkey {hexdata}", \ + group, pubkey) +#define TRACE_SPAKE_RECEIVE_RESPONSE(c, pubkey) \ + TRACE(c, "SPAKE response received with pubkey {hexdata}", pubkey) +#define TRACE_SPAKE_RECEIVE_SUPPORT(c, group) \ + TRACE(c, "SPAKE support message received, selected group {int}", group) +#define TRACE_SPAKE_REJECT_CHALLENGE(c, group) \ + TRACE(c, "SPAKE challenge with group {int} rejected", (int)group) +#define TRACE_SPAKE_REJECT_SUPPORT(c) \ + TRACE(c, "SPAKE support message rejected") +#define TRACE_SPAKE_RESULT(c, result) \ + TRACE(c, "SPAKE algorithm result: {hexdata}", result) +#define TRACE_SPAKE_SEND_CHALLENGE(c, group) \ + TRACE(c, "Sending SPAKE challenge with group {int}", group) +#define TRACE_SPAKE_SEND_RESPONSE(c) \ + TRACE(c, "Sending SPAKE response") +#define TRACE_SPAKE_SEND_SUPPORT(c) \ + TRACE(c, "Sending SPAKE support message") +#define TRACE_SPAKE_UNKNOWN_GROUP(c, name) \ + TRACE(c, "Unrecognized SPAKE group name: {str}", name) + +#endif /* TRACE_H */ diff --git a/src/plugins/preauth/spake/util.c b/src/plugins/preauth/spake/util.c new file mode 100644 index 0000000..b72ae67 --- /dev/null +++ b/src/plugins/preauth/spake/util.c @@ -0,0 +1,212 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/util.c - Utility functions for SPAKE preauth module */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "trace.h" +#include "util.h" +#include "groups.h" + +/* Use data to construct a single-element pa-data list of type + * KRB5_PADATA_SPAKE. Claim data's memory on success or failure. */ +krb5_error_code +convert_to_padata(krb5_data *data, krb5_pa_data ***pa_out) +{ + krb5_pa_data *pa = NULL, **list = NULL; + + list = calloc(2, sizeof(*list)); + if (list == NULL) + goto fail; + pa = calloc(1, sizeof(*pa)); + if (pa == NULL) + goto fail; + pa->magic = KV5M_PA_DATA; + pa->pa_type = KRB5_PADATA_SPAKE; + pa->length = data->length; + pa->contents = (uint8_t *)data->data; + list[0] = pa; + list[1] = NULL; + *pa_out = list; + free(data); + return 0; + +fail: + free(list); + free(pa); + free(data->data); + free(data); + return ENOMEM; +} + +/* + * Update the transcript hash thash with its current value and the + * concatenation of data1 and data2, using the hash function for group. Either + * data1 or data2 may be NULL to omit it. Allocate thash if it is empty. + */ +krb5_error_code +update_thash(krb5_context context, groupstate *gstate, int32_t group, + krb5_data *thash, const krb5_data *data1, const krb5_data *data2) +{ + krb5_error_code ret; + size_t hashlen; + krb5_data dlist[3]; + const krb5_data empty = empty_data(); + + if (thash->length == 0) { + /* Initialize the transcript hash to all zeros. */ + ret = group_hash_len(group, &hashlen); + if (ret) + return ret; + ret = alloc_data(thash, hashlen); + if (ret) + return ret; + } + + /* Set up the data array and hash it with the group's hash function. */ + dlist[0] = *thash; + dlist[1] = (data1 != NULL) ? *data1 : empty; + dlist[2] = (data2 != NULL) ? *data2 : empty; + return group_hash(context, gstate, group, dlist, 3, + (uint8_t *)thash->data); +} + +/* Derive a byte vector for the SPAKE w multiplier input from ikey. Place + * result in allocated storage in *wbytes_out. */ +krb5_error_code +derive_wbytes(krb5_context context, int32_t group, const krb5_keyblock *ikey, + krb5_data *wbytes_out) +{ + krb5_error_code ret; + const char prefix[] = "SPAKEsecret"; + size_t mult_len, prefix_len = sizeof(prefix) - 1; + krb5_data prf_input = empty_data(), wbytes = empty_data(); + + *wbytes_out = empty_data(); + + /* Allocate space for a multiplier. */ + ret = group_mult_len(group, &mult_len); + if (ret) + goto cleanup; + ret = alloc_data(&wbytes, mult_len); + if (ret) + goto cleanup; + + /* Compose the PRF input string. */ + ret = alloc_data(&prf_input, prefix_len + 4); + if (ret) + goto cleanup; + memcpy(prf_input.data, prefix, prefix_len); + store_32_be(group, prf_input.data + prefix_len); + + /* Derive the SPAKE input from the initial reply key with PRF+. */ + ret = krb5_c_prfplus(context, ikey, &prf_input, &wbytes); + if (ret) + goto cleanup; + + *wbytes_out = wbytes; + wbytes = empty_data(); + +cleanup: + free(prf_input.data); + zapfree(wbytes.data, wbytes.length); + return ret; +} + +/* + * Derive K'[n] from the group number, the initial key enctype, the initial + * multiplier, the SPAKE result, the transcript hash, and the encoded + * KDC-REQ-BODY. Place the result in allocated storage in *out. + */ +krb5_error_code +derive_key(krb5_context context, groupstate *gstate, int32_t group, + const krb5_keyblock *ikey, const krb5_data *wbytes, + const krb5_data *spakeresult, const krb5_data *thash, + const krb5_data *der_req, uint32_t n, krb5_keyblock **out) +{ + krb5_error_code ret; + krb5_data dlist[9], seed = empty_data(), d; + uint8_t groupnbuf[4], etypenbuf[4], nbuf[4], bcount; + size_t hashlen, seedlen, keylen, nblocks, i; + size_t ndata = sizeof(dlist) / sizeof(*dlist); + krb5_keyblock *hkey = NULL; + + *out = NULL; + + store_32_be(group, groupnbuf); + store_32_be(n, nbuf); + store_32_be(ikey->enctype, etypenbuf); + dlist[0] = string2data("SPAKEkey"); + dlist[1] = make_data(groupnbuf, sizeof(groupnbuf)); + dlist[2] = make_data(etypenbuf, sizeof(etypenbuf)); + dlist[3] = *wbytes; + dlist[4] = *spakeresult; + dlist[5] = *thash; + dlist[6] = *der_req; + dlist[7] = make_data(nbuf, sizeof(nbuf)); + dlist[8] = make_data(&bcount, 1); + + /* Count the number of hash blocks required (should be 1 for all current + * scenarios) and allocate space. */ + ret = group_hash_len(group, &hashlen); + if (ret) + goto cleanup; + ret = krb5_c_keylengths(context, ikey->enctype, &seedlen, &keylen); + if (ret) + goto cleanup; + nblocks = (seedlen + hashlen - 1) / hashlen; + ret = alloc_data(&seed, nblocks * hashlen); + if (ret) + goto cleanup; + + /* Compute and concatenate hash blocks to fill the seed buffer. */ + for (i = 0; i < nblocks; i++) { + bcount = i + 1; + ret = group_hash(context, gstate, group, dlist, ndata, + (uint8_t *)seed.data + i * hashlen); + if (ret) + goto cleanup; + } + + ret = krb5_init_keyblock(context, ikey->enctype, keylen, &hkey); + if (ret) + goto cleanup; + d = make_data(seed.data, seedlen); + ret = krb5_c_random_to_key(context, ikey->enctype, &d, hkey); + if (ret) + goto cleanup; + + ret = krb5_c_fx_cf2_simple(context, ikey, "SPAKE", hkey, "keyderiv", out); + +cleanup: + zapfree(seed.data, seed.length); + krb5_free_keyblock(context, hkey); + return ret; +} diff --git a/src/plugins/preauth/spake/util.h b/src/plugins/preauth/spake/util.h new file mode 100644 index 0000000..3ab2bea --- /dev/null +++ b/src/plugins/preauth/spake/util.h @@ -0,0 +1,56 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/spake/internal.h - SPAKE internal function declarations */ +/* + * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef UTIL_H +#define UTIL_H + +#include "k5-int.h" +#include "groups.h" + +krb5_error_code convert_to_padata(krb5_data *data, krb5_pa_data ***pa_out); + +krb5_error_code update_thash(krb5_context context, groupstate *gstate, + int32_t group, krb5_data *thash, + const krb5_data *data1, const krb5_data *data2); + +krb5_error_code derive_wbytes(krb5_context context, int32_t group, + const krb5_keyblock *ikey, + krb5_data *wbytes_out); + +krb5_error_code derive_key(krb5_context context, groupstate *gstate, + int32_t group, const krb5_keyblock *ikey, + const krb5_data *wbytes, + const krb5_data *spakeresult, + const krb5_data *thash, const krb5_data *der_req, + uint32_t n, krb5_keyblock **out); + +#endif /* UTIL_H */ diff --git a/src/plugins/preauth/test/Makefile.in b/src/plugins/preauth/test/Makefile.in index ac3cb81..77321b6 100644 --- a/src/plugins/preauth/test/Makefile.in +++ b/src/plugins/preauth/test/Makefile.in @@ -9,9 +9,9 @@ RELDIR=../plugins/preauth/test SHLIB_EXPDEPS=$(KRB5_BASE_DEPLIBS) SHLIB_EXPLIBS=$(KRB5_BASE_LIBS) -STLIBOBJS=cltest.o kdctest.o +STLIBOBJS=cltest.o kdctest.o common.o -SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c +SRCS= $(srcdir)/cltest.c $(srcdir)/kdctest.c $(srcdir)/common.c all-unix: all-liblinks install-unix: install-libs diff --git a/src/plugins/preauth/test/cltest.c b/src/plugins/preauth/test/cltest.c index 4c31e1c..51b8484 100644 --- a/src/plugins/preauth/test/cltest.c +++ b/src/plugins/preauth/test/cltest.c @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* plugins/preauth/test/cltest.c - Test clpreauth module */ /* - * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -32,7 +32,7 @@ /* * This module is used to test preauth interface features. At this time, the - * clpreauth module does two things: + * clpreauth module does the following: * * - It decrypts a message from the initial KDC pa-data using the reply key and * prints it to stdout. (The unencrypted message "no key" can also be @@ -45,17 +45,31 @@ * it to the server, instructing the kdcpreauth module to assert one or more * space-separated authentication indicators. (This string is sent on both * round trips if a second round trip is requested.) + * + * - If a KDC_ERR_ENCTYPE_NOSUPP error with e-data is received, it prints the + * accompanying error padata and sends a follow-up request containing + * "tryagain". + * + * - If the "fail_optimistic", "fail_2rt", or "fail_tryagain" gic options are + * set, it fails with a recognizable error string at the requested point in + * processing. + * + * - If the "disable_fallback" gic option is set, fallback is disabled when a + * client message is generated. */ #include "k5-int.h" #include - -#define TEST_PA_TYPE -123 +#include "common.h" static krb5_preauthtype pa_types[] = { TEST_PA_TYPE, 0 }; struct client_state { char *indicators; + krb5_boolean fail_optimistic; + krb5_boolean fail_2rt; + krb5_boolean fail_tryagain; + krb5_boolean disable_fallback; }; struct client_request_state { @@ -70,6 +84,8 @@ test_init(krb5_context context, krb5_clpreauth_moddata *moddata_out) st = malloc(sizeof(*st)); assert(st != NULL); st->indicators = NULL; + st->fail_optimistic = st->fail_2rt = st->fail_tryagain = FALSE; + st->disable_fallback = FALSE; *moddata_out = (krb5_clpreauth_moddata)st; return 0; } @@ -114,7 +130,6 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, struct client_state *st = (struct client_state *)moddata; struct client_request_state *reqst = (struct client_request_state *)modreq; krb5_error_code ret; - krb5_pa_data **list, *pa; krb5_keyblock *k; krb5_enc_data enc; krb5_data plain; @@ -123,20 +138,20 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, if (pa_data->length == 0) { /* This is an optimistic preauth test. Send a recognizable padata * value so the KDC knows not to expect a cookie. */ - list = k5calloc(2, sizeof(*list), &ret); - assert(!ret); - pa = k5alloc(sizeof(*pa), &ret); - assert(!ret); - pa->pa_type = TEST_PA_TYPE; - pa->contents = (uint8_t *)strdup("optimistic"); - assert(pa->contents != NULL); - pa->length = 10; - list[0] = pa; - list[1] = NULL; - *out_pa_data = list; + if (st->fail_optimistic) { + k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced optimistic fail"); + return KRB5_PREAUTH_FAILED; + } + *out_pa_data = make_pa_list("optimistic", 10); + if (st->disable_fallback) + cb->disable_fallback(context, rock); return 0; } else if (reqst->second_round_trip) { printf("2rt: %.*s\n", pa_data->length, pa_data->contents); + if (st->fail_2rt) { + k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced 2rt fail"); + return KRB5_PREAUTH_FAILED; + } } else if (pa_data->length == 6 && memcmp(pa_data->contents, "no key", 6) == 0) { printf("no key\n"); @@ -157,17 +172,36 @@ test_process(krb5_context context, krb5_clpreauth_moddata moddata, reqst->second_round_trip = TRUE; indstr = (st->indicators != NULL) ? st->indicators : ""; - list = k5calloc(2, sizeof(*list), &ret); - assert(!ret); - pa = k5alloc(sizeof(*pa), &ret); - assert(!ret); - pa->pa_type = TEST_PA_TYPE; - pa->contents = (uint8_t *)strdup(indstr); - assert(pa->contents != NULL); - pa->length = strlen(indstr); - list[0] = pa; - list[1] = NULL; - *out_pa_data = list; + *out_pa_data = make_pa_list(indstr, strlen(indstr)); + if (st->disable_fallback) + cb->disable_fallback(context, rock); + return 0; +} + +static krb5_error_code +test_tryagain(krb5_context context, krb5_clpreauth_moddata moddata, + krb5_clpreauth_modreq modreq, krb5_get_init_creds_opt *opt, + krb5_clpreauth_callbacks cb, krb5_clpreauth_rock rock, + krb5_kdc_req *request, krb5_data *enc_req, krb5_data *enc_prev, + krb5_preauthtype pa_type, krb5_error *error, + krb5_pa_data **padata, krb5_prompter_fct prompter, + void *prompter_data, krb5_pa_data ***padata_out) +{ + struct client_state *st = (struct client_state *)moddata; + int i; + + *padata_out = NULL; + if (st->fail_tryagain) { + k5_setmsg(context, KRB5_PREAUTH_FAILED, "induced tryagain fail"); + return KRB5_PREAUTH_FAILED; + } + if (error->error != KDC_ERR_ENCTYPE_NOSUPP) + return KRB5_PREAUTH_FAILED; + for (i = 0; padata[i] != NULL; i++) { + if (padata[i]->pa_type == TEST_PA_TYPE) + printf("tryagain: %.*s\n", padata[i]->length, padata[i]->contents); + } + *padata_out = make_pa_list("tryagain", 8); return 0; } @@ -181,6 +215,14 @@ test_gic_opt(krb5_context kcontext, krb5_clpreauth_moddata moddata, free(st->indicators); st->indicators = strdup(value); assert(st->indicators != NULL); + } else if (strcmp(attr, "fail_optimistic") == 0) { + st->fail_optimistic = TRUE; + } else if (strcmp(attr, "fail_2rt") == 0) { + st->fail_2rt = TRUE; + } else if (strcmp(attr, "fail_tryagain") == 0) { + st->fail_tryagain = TRUE; + } else if (strcmp(attr, "disable_fallback") == 0) { + st->disable_fallback = TRUE; } return 0; } @@ -205,6 +247,7 @@ clpreauth_test_initvt(krb5_context context, int maj_ver, vt->request_init = test_request_init; vt->request_fini = test_request_fini; vt->process = test_process; + vt->tryagain = test_tryagain; vt->gic_opts = test_gic_opt; return 0; } diff --git a/src/plugins/preauth/test/common.c b/src/plugins/preauth/test/common.c new file mode 100644 index 0000000..4d1f49d --- /dev/null +++ b/src/plugins/preauth/test/common.c @@ -0,0 +1,61 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/test/common.c - common functions for test preauth module */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-int.h" +#include "common.h" + +krb5_pa_data * +make_pa(const char *contents, size_t len) +{ + krb5_error_code ret; + krb5_pa_data *pa; + + pa = calloc(1, sizeof(*pa)); + assert(pa != NULL); + pa->pa_type = TEST_PA_TYPE; + pa->contents = k5memdup(contents, len, &ret); + assert(!ret); + pa->length = len; + return pa; +} + +/* Make a one-element padata list of type TEST_PA_TYPE. */ +krb5_pa_data ** +make_pa_list(const char *contents, size_t len) +{ + krb5_pa_data **list; + + list = calloc(2, sizeof(*list)); + assert(list != NULL); + list[0] = make_pa(contents, len); + return list; +} diff --git a/src/plugins/preauth/test/common.h b/src/plugins/preauth/test/common.h new file mode 100644 index 0000000..b748e08 --- /dev/null +++ b/src/plugins/preauth/test/common.h @@ -0,0 +1,41 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* plugins/preauth/test/common.h - Declarations for test preauth module */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef COMMON_H +#define COMMON_H + +#define TEST_PA_TYPE -123 + +krb5_pa_data *make_pa(const char *contents, size_t len); +krb5_pa_data **make_pa_list(const char *contents, size_t len); + +#endif /* COMMON_H */ diff --git a/src/plugins/preauth/test/deps b/src/plugins/preauth/test/deps index b48f000..b1429e9 100644 --- a/src/plugins/preauth/test/deps +++ b/src/plugins/preauth/test/deps @@ -11,7 +11,7 @@ cltest.so cltest.po $(OUTPRE)cltest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/clpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - cltest.c + cltest.c common.h kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ @@ -22,4 +22,14 @@ kdctest.so kdctest.po $(OUTPRE)kdctest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/kdcpreauth_plugin.h $(top_srcdir)/include/krb5/plugin.h \ $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - kdctest.c + common.h kdctest.c +common.so common.po $(OUTPRE)common.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h common.c common.h diff --git a/src/plugins/preauth/test/kdctest.c b/src/plugins/preauth/test/kdctest.c index 026dc68..66b7796 100644 --- a/src/plugins/preauth/test/kdctest.c +++ b/src/plugins/preauth/test/kdctest.c @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* plugins/preauth/test/kdctest.c - Test kdcpreauth module */ /* - * Copyright (C) 2015 by the Massachusetts Institute of Technology. + * Copyright (C) 2015, 2017 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without @@ -40,10 +40,20 @@ * key; the encrypted message "no attr" is sent if there is no string * attribute.) It also sets a cookie containing "method-data". * - * - It retrieves the "2rt" attribute from the client principal. If set, the - * verify method sends the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error - * with the contents of the 2rt attribute as pa-data, and sets a cookie - * containing "more". + * - If the "err" attribute is set on the client principal, the verify method + * returns an KDC_ERR_ETYPE_NOSUPP error on the first try, with the contents + * of the err attribute as pa-data. If the client tries again with the + * padata value "tryagain", the verify method preuthenticates successfully + * with no additional processing. + * + * - If the "failopt" attribute is set on the client principal, the verify + * method returns KDC_ERR_PREAUTH_FAILED on optimistic preauth attempts. + * + * - If the "2rt" attribute is set on client principal, the verify method sends + * the client a KDC_ERR_MORE_PREAUTH_DATA_REQUIRED error with the contents of + * the 2rt attribute as pa-data, and sets a cookie containing "more". If the + * "fail2rt" attribute is set on the client principal, the client's second + * try results in a KDC_ERR_PREAUTH_FAILED error. * * - It receives a space-separated list from the clpreauth module and asserts * each string as an authentication indicator. It always succeeds in @@ -52,6 +62,7 @@ #include "k5-int.h" #include +#include "common.h" #define TEST_PA_TYPE -123 @@ -73,11 +84,6 @@ test_edata(krb5_context context, krb5_kdc_req *req, ret = cb->get_string(context, rock, "teststring", &attr); assert(!ret); - pa = k5alloc(sizeof(*pa), &ret); - assert(!ret); - if (pa == NULL) - abort(); - pa->pa_type = TEST_PA_TYPE; if (k != NULL) { d = string2data((attr != NULL) ? attr : "no attr"); ret = krb5_c_encrypt_length(context, k->enctype, d.length, &enclen); @@ -86,12 +92,10 @@ test_edata(krb5_context context, krb5_kdc_req *req, assert(!ret); ret = krb5_c_encrypt(context, k, 1024, NULL, &d, &enc); assert(!ret); - pa->contents = (uint8_t *)enc.ciphertext.data; - pa->length = enc.ciphertext.length; + pa = make_pa(enc.ciphertext.data, enc.ciphertext.length); + free(enc.ciphertext.data); } else { - pa->contents = (uint8_t *)strdup("no key"); - assert(pa->contents != NULL); - pa->length = 6; + pa = make_pa("no key", 6); } /* Exercise setting a cookie information from the edata method. */ @@ -111,12 +115,19 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, krb5_kdcpreauth_verify_respond_fn respond, void *arg) { krb5_error_code ret; - krb5_boolean second_round_trip = FALSE; - krb5_pa_data **list; + krb5_boolean second_round_trip = FALSE, optimistic = FALSE; + krb5_pa_data **list = NULL; krb5_data cookie_data, d; - char *str, *ind, *attr, *toksave = NULL; + char *str, *ind, *toksave = NULL; + char *attr_err, *attr_2rt, *attr_fail2rt, *attr_failopt; - ret = cb->get_string(context, rock, "2rt", &attr); + ret = cb->get_string(context, rock, "err", &attr_err); + assert(!ret); + ret = cb->get_string(context, rock, "2rt", &attr_2rt); + assert(!ret); + ret = cb->get_string(context, rock, "fail2rt", &attr_fail2rt); + assert(!ret); + ret = cb->get_string(context, rock, "failopt", &attr_failopt); assert(!ret); /* Check the incoming cookie value. */ @@ -124,13 +135,36 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, /* Make sure we are seeing optimistic preauth and not a lost cookie. */ d = make_data(data->contents, data->length); assert(data_eq_string(d, "optimistic")); + optimistic = TRUE; } else if (data_eq_string(cookie_data, "more")) { second_round_trip = TRUE; } else { - assert(data_eq_string(cookie_data, "method-data")); + assert(data_eq_string(cookie_data, "method-data") || + data_eq_string(cookie_data, "err")); } - if (attr == NULL || second_round_trip) { + if (attr_err != NULL) { + d = make_data(data->contents, data->length); + if (data_eq_string(d, "tryagain")) { + /* Authenticate successfully. */ + enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; + } else { + d = string2data("err"); + ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); + assert(!ret); + ret = KRB5KDC_ERR_ETYPE_NOSUPP; + list = make_pa_list(attr_err, strlen(attr_err)); + } + } else if (attr_2rt != NULL && !second_round_trip) { + d = string2data("more"); + ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); + assert(!ret); + ret = KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED; + list = make_pa_list(attr_2rt, strlen(attr_2rt)); + } else if ((attr_fail2rt != NULL && second_round_trip) || + (attr_failopt != NULL && optimistic)) { + ret = KRB5KDC_ERR_PREAUTH_FAILED; + } else { /* Parse and assert the indicators. */ str = k5memdup0(data->contents, data->length, &ret); if (ret) @@ -142,21 +176,13 @@ test_verify(krb5_context context, krb5_data *req_pkt, krb5_kdc_req *request, } free(str); enc_tkt_reply->flags |= TKT_FLG_PRE_AUTH; - cb->free_string(context, rock, attr); - (*respond)(arg, 0, NULL, NULL, NULL); - } else { - d = string2data("more"); - ret = cb->set_cookie(context, rock, TEST_PA_TYPE, &d); - list = k5calloc(2, sizeof(*list), &ret); - assert(!ret); - list[0] = k5alloc(sizeof(*list[0]), &ret); - assert(!ret); - list[0]->pa_type = TEST_PA_TYPE; - list[0]->contents = (uint8_t *)attr; - list[0]->length = strlen(attr); - (*respond)(arg, KRB5KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, NULL, list, - NULL); } + + cb->free_string(context, rock, attr_err); + cb->free_string(context, rock, attr_2rt); + cb->free_string(context, rock, attr_fail2rt); + cb->free_string(context, rock, attr_failopt); + (*respond)(arg, ret, NULL, list, NULL); } static krb5_error_code diff --git a/src/po/Makefile.in b/src/po/Makefile.in index fdaf872..6753447 100644 --- a/src/po/Makefile.in +++ b/src/po/Makefile.in @@ -18,7 +18,7 @@ ETSRCS= $(BUILDTOP)/lib/gssapi/generic/gssapi_err_generic.c \ $(BUILDTOP)/lib/krb5/error_tables/kv5m_err.c \ $(BUILDTOP)/lib/krb5/error_tables/krb524_err.c # This is a placeholder until we have an actual translation. -CATALOGS=en_US.mo +CATALOGS=en_US.mo de.mo .SUFFIXES: .po .mo .po.mo: diff --git a/src/po/de.po b/src/po/de.po new file mode 100644 index 0000000..40e31da --- /dev/null +++ b/src/po/de.po @@ -0,0 +1,9301 @@ +# German translation of mit-krb5. +# This file is distributed under the same license as the mit-krb5 package. +# Copyright (C) 1985-2013 by the Massachusetts Institute of Technology. +# Copyright (C) of this file 2014-2016 Chris Leick . +# +msgid "" +msgstr "" +"Project-Id-Version: mit-krb5 13.2\n" +"Report-Msgid-Bugs-To: krbdev@mit.edu\n" +"POT-Creation-Date: 2015-05-06 14:59-0400\n" +"PO-Revision-Date: 2016-04-07 08:15+0200\n" +"Last-Translator: Chris Leick \n" +"Language-Team: German \n" +"Language: de\n" +"MIME-Version: 1.0\n" +"Content-Type: text/plain; charset=UTF-8\n" +"Content-Transfer-Encoding: 8bit\n" +"Plural-Forms: nplurals=2; plural=n != 1;\n" + +#: ../../src/clients/kdestroy/kdestroy.c:62 +#, c-format +msgid "Usage: %s [-A] [-q] [-c cache_name]\n" +msgstr "Aufruf: %s [-A] [-q] [-c Zwischenspeichername]\n" + +#: ../../src/clients/kdestroy/kdestroy.c:63 +#, c-format +msgid "\t-A destroy all credential caches in collection\n" +msgstr "\t-A vernichtet alle Anmeldedatenzwischenspeicher in der Sammlung.\n" + +#: ../../src/clients/kdestroy/kdestroy.c:64 +#, c-format +msgid "\t-q quiet mode\n" +msgstr "\t-q stiller Modus\n" + +#: ../../src/clients/kdestroy/kdestroy.c:65 +#: ../../src/clients/kswitch/kswitch.c:45 +#, c-format +msgid "\t-c specify name of credentials cache\n" +msgstr "\t-c gibt den Namen des Zwischenspeichers für Anmeldedaten an.\n" + +#: ../../src/clients/kdestroy/kdestroy.c:98 +#: ../../src/clients/kinit/kinit.c:383 ../../src/clients/ksu/main.c:284 +#, c-format +msgid "Only one -c option allowed\n" +msgstr "Nur eine »-c«-Option ist erlaubt.\n" + +#: ../../src/clients/kdestroy/kdestroy.c:105 +#: ../../src/clients/kinit/kinit.c:412 ../../src/clients/klist/klist.c:182 +#, c-format +msgid "Kerberos 4 is no longer supported\n" +msgstr "Kerberos 4 wird nicht mehr unterstützt.\n" + +#: ../../src/clients/kdestroy/kdestroy.c:126 +#: ../../src/clients/klist/klist.c:253 ../../src/clients/ksu/main.c:131 +#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97 +#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:926 +#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1052 +msgid "while initializing krb5" +msgstr "beim Initialisieren von Krb5" + +#: ../../src/clients/kdestroy/kdestroy.c:133 +msgid "while listing credential caches" +msgstr "beim Auflisten der Anmeldedatenzwischenspeicher" + +#: ../../src/clients/kdestroy/kdestroy.c:140 +msgid "composing ccache name" +msgstr "Ccache-Name wird zusammengesetzt." + +#: ../../src/clients/kdestroy/kdestroy.c:145 +#, c-format +msgid "while destroying cache %s" +msgstr "beim Zerstören des Zwischenspeichers %s" + +#: ../../src/clients/kdestroy/kdestroy.c:157 +#: ../../src/clients/kswitch/kswitch.c:104 +#, c-format +msgid "while resolving %s" +msgstr "beim Auflösen von %s" + +#: ../../src/clients/kdestroy/kdestroy.c:163 +#: ../../src/clients/kinit/kinit.c:501 ../../src/clients/klist/klist.c:460 +msgid "while getting default ccache" +msgstr "beim Holen des Standard-Ccaches" + +#: ../../src/clients/kdestroy/kdestroy.c:170 ../../src/clients/ksu/main.c:986 +msgid "while destroying cache" +msgstr "beim Zerstören des Zwischenspeichers" + +#: ../../src/clients/kdestroy/kdestroy.c:173 +#, c-format +msgid "Ticket cache NOT destroyed!\n" +msgstr "Ticketzwischenspeicher NICHT vernichtet!\n" + +#: ../../src/clients/kdestroy/kdestroy.c:175 +#, c-format +msgid "Ticket cache %cNOT%c destroyed!\n" +msgstr "Ticketzwischenspeicher %cNICHT%c vernichtet!\n" + +#: ../../src/clients/kinit/kinit.c:213 +#, c-format +msgid "\t-V verbose\n" +msgstr "\t-V detaillierte Ausgabe\n" + +#: ../../src/clients/kinit/kinit.c:214 +#, c-format +msgid "\t-l lifetime\n" +msgstr "\t-l Lebensdauer\n" + +#: ../../src/clients/kinit/kinit.c:215 +#, c-format +msgid "\t-s start time\n" +msgstr "\t-s Startzeit\n" + +#: ../../src/clients/kinit/kinit.c:216 +#, c-format +msgid "\t-r renewable lifetime\n" +msgstr "\t-r verlängerbare Lebensdauer\n" + +#: ../../src/clients/kinit/kinit.c:217 +#, c-format +msgid "\t-f forwardable\n" +msgstr "\t-f weiterleitbar\n" + +#: ../../src/clients/kinit/kinit.c:218 +#, c-format +msgid "\t-F not forwardable\n" +msgstr "\t-F nicht weiterleitbar\n" + +#: ../../src/clients/kinit/kinit.c:219 +#, c-format +msgid "\t-p proxiable\n" +msgstr "\t-p Proxy nutzbar\n" + +#: ../../src/clients/kinit/kinit.c:220 +#, c-format +msgid "\t-P not proxiable\n" +msgstr "\t-P Proxy nicht nutzbar\n" + +#: ../../src/clients/kinit/kinit.c:221 +#, c-format +msgid "\t-n anonymous\n" +msgstr "\t-n anonym\n" + +#: ../../src/clients/kinit/kinit.c:222 +#, c-format +msgid "\t-a include addresses\n" +msgstr "\t-a bezieht Adressen ein.\n" + +#: ../../src/clients/kinit/kinit.c:223 +#, c-format +msgid "\t-A do not include addresses\n" +msgstr "\t-a bezieht Adressen nicht ein.\n" + +#: ../../src/clients/kinit/kinit.c:224 +#, c-format +msgid "\t-v validate\n" +msgstr "\t-v überprüft\n" + +#: ../../src/clients/kinit/kinit.c:225 +#, c-format +msgid "\t-R renew\n" +msgstr "\t-R erneuert\n" + +#: ../../src/clients/kinit/kinit.c:226 +#, c-format +msgid "\t-C canonicalize\n" +msgstr "\t-C bringt in Normalform\n" + +#: ../../src/clients/kinit/kinit.c:227 +#, c-format +msgid "\t-E client is enterprise principal name\n" +msgstr "\t-E Client ist der Principal-Name des Unternehmens\n" + +#: ../../src/clients/kinit/kinit.c:228 +#, c-format +msgid "\t-k use keytab\n" +msgstr "\t-k verwendet Schlüsseltabelle\n" + +#: ../../src/clients/kinit/kinit.c:229 +#, c-format +msgid "\t-i use default client keytab (with -k)\n" +msgstr "\t-i verwendet die Standardschlüsseltabelle des Clients (mit -k).\n" + +#: ../../src/clients/kinit/kinit.c:230 +#, c-format +msgid "\t-t filename of keytab to use\n" +msgstr "\t-t Dateiname der zu verwendenden Schlüsseltabelle\n" + +#: ../../src/clients/kinit/kinit.c:231 +#, c-format +msgid "\t-c Kerberos 5 cache name\n" +msgstr "\t-c Kerberos-5-Zwischenspeichername\n" + +#: ../../src/clients/kinit/kinit.c:232 +#, c-format +msgid "\t-S service\n" +msgstr "\t-S Dienst\n" + +#: ../../src/clients/kinit/kinit.c:233 +#, c-format +msgid "\t-T armor credential cache\n" +msgstr "\t-T gehärteter Anmeldedatenzwischenspeicher\n" + +#: ../../src/clients/kinit/kinit.c:234 +#, c-format +msgid "\t-X [=]\n" +msgstr "\t-X [=]\n" + +#: ../../src/clients/kinit/kinit.c:301 ../../src/clients/kinit/kinit.c:309 +#, c-format +msgid "Bad lifetime value %s\n" +msgstr "falscher Wert für die Lebensdauer %s\n" + +#: ../../src/clients/kinit/kinit.c:343 +#, c-format +msgid "Bad start time value %s\n" +msgstr "falscher Wert für die Startzeit %s\n" + +#: ../../src/clients/kinit/kinit.c:362 +#, c-format +msgid "Only one -t option allowed.\n" +msgstr "Nur eine -t-Option ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:370 +#, c-format +msgid "Only one armor_ccache\n" +msgstr "nur ein gehärteter Ccache\n" + +#: ../../src/clients/kinit/kinit.c:391 +#, c-format +msgid "Only one -I option allowed\n" +msgstr "Nur eine -I-Option ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:401 +msgid "while adding preauth option" +msgstr "beim Hinzufügen der Option »preauth«" + +#: ../../src/clients/kinit/kinit.c:425 +#, c-format +msgid "Only one of -f and -F allowed\n" +msgstr "Nur eine der Optionen -f und -F ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:430 +#, c-format +msgid "Only one of -p and -P allowed\n" +msgstr "Nur eine der Optionen -p und -P ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:435 +#, c-format +msgid "Only one of -a and -A allowed\n" +msgstr "Nur eine der Optionen -a und -A ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:440 +#, c-format +msgid "Only one of -t and -i allowed\n" +msgstr "Nur eine der Optionen -t und-i ist erlaubt.\n" + +#: ../../src/clients/kinit/kinit.c:447 +#, c-format +msgid "keytab specified, forcing -k\n" +msgstr "Schlüsseltabelle angegeben, -k wird erzwungen\n" + +#: ../../src/clients/kinit/kinit.c:451 ../../src/clients/klist/klist.c:221 +#, c-format +msgid "Extra arguments (starting with \"%s\").\n" +msgstr "zusätzliche Argumente (beginnend mit »%s«)\n" + +#: ../../src/clients/kinit/kinit.c:480 +msgid "while initializing Kerberos 5 library" +msgstr "beim Initialisieren der Kerberos-5-Bibliothek" + +#: ../../src/clients/kinit/kinit.c:488 ../../src/clients/kinit/kinit.c:644 +#, c-format +msgid "resolving ccache %s" +msgstr "Ccache %s wird ermittelt" + +#: ../../src/clients/kinit/kinit.c:493 +#, c-format +msgid "Using specified cache: %s\n" +msgstr "Angegebener Zwischenspeicher wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:515 ../../src/clients/kinit/kinit.c:595 +#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238 +#, c-format +msgid "when parsing name %s" +msgstr "wenn der Name %s ausgewertet wird" + +#: ../../src/clients/kinit/kinit.c:523 ../../src/kadmin/dbutil/kdb5_util.c:307 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391 +#: ../../src/slave/kprop.c:203 +msgid "while getting default realm" +msgstr "beim Holen des Standard-Realms" + +#: ../../src/clients/kinit/kinit.c:535 +msgid "while building principal" +msgstr "beim Erstellen des Principals" + +#: ../../src/clients/kinit/kinit.c:543 +msgid "When resolving the default client keytab" +msgstr "beim Auflösen der Standardschlüsseltabelle des Clients" + +#: ../../src/clients/kinit/kinit.c:550 +msgid "When determining client principal name from keytab" +msgstr "beim Bestimmen des Dienst-Principal-Namens anhand der Schlüsseltabelle" + +#: ../../src/clients/kinit/kinit.c:559 +msgid "when creating default server principal name" +msgstr "wenn der Standard-Principal-Name des Servers erstellt wird" + +#: ../../src/clients/kinit/kinit.c:566 +#, c-format +msgid "(principal %s)" +msgstr "(Principal %s)" + +#: ../../src/clients/kinit/kinit.c:569 +msgid "for local services" +msgstr "für lokale Dienste" + +#: ../../src/clients/kinit/kinit.c:590 ../../src/clients/kpasswd/kpasswd.c:42 +#, c-format +msgid "Unable to identify user\n" +msgstr "Benutzer kann nicht identifiziert werden\n" + +#: ../../src/clients/kinit/kinit.c:605 ../../src/clients/kswitch/kswitch.c:116 +#, c-format +msgid "while searching for ccache for %s" +msgstr "beim Suchen nach Ccache für %s" + +#: ../../src/clients/kinit/kinit.c:611 +#, c-format +msgid "Using existing cache: %s\n" +msgstr "Existierender Zwischenspeicher wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:620 +msgid "while generating new ccache" +msgstr "beim Erstellen von neuem Ccache" + +#: ../../src/clients/kinit/kinit.c:624 +#, c-format +msgid "Using new cache: %s\n" +msgstr "Neuer Zwischenspeicher wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:636 +#, c-format +msgid "Using default cache: %s\n" +msgstr "Standardzwischenspeicher wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:649 +#, c-format +msgid "Using specified input cache: %s\n" +msgstr "Angegebener Eingabezwischenspeicher wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:657 ../../src/clients/ksu/krb_auth_su.c:160 +msgid "when unparsing name" +msgstr "beim Rückgängigmachen der Auswertung des Namens" + +#: ../../src/clients/kinit/kinit.c:661 +#, c-format +msgid "Using principal: %s\n" +msgstr "verwendeter Principal: %s\n" + +#: ../../src/clients/kinit/kinit.c:752 +msgid "getting local addresses" +msgstr "Lokale Adressen werden geholt." + +#: ../../src/clients/kinit/kinit.c:771 +#, c-format +msgid "while setting up KDB keytab for realm %s" +msgstr "beim Einrichten der KDB-Schlüsseltabelle für Realm %s" + +#: ../../src/clients/kinit/kinit.c:780 ../../src/clients/kvno/kvno.c:201 +#, c-format +msgid "resolving keytab %s" +msgstr "Schlüsseltabelle wird ermittelt: %s" + +#: ../../src/clients/kinit/kinit.c:785 +#, c-format +msgid "Using keytab: %s\n" +msgstr "Schlüsseltabelle wird verwendet: %s\n" + +#: ../../src/clients/kinit/kinit.c:789 +msgid "resolving default client keytab" +msgstr "Standardschlüsseltabelle des Clients wird ermittelt." + +#: ../../src/clients/kinit/kinit.c:799 +#, c-format +msgid "while setting '%s'='%s'" +msgstr "beim Setzen von »%s«=»%s«" + +#: ../../src/clients/kinit/kinit.c:804 +#, c-format +msgid "PA Option %s = %s\n" +msgstr "PA-Option %s = %s\n" + +#: ../../src/clients/kinit/kinit.c:849 +msgid "getting initial credentials" +msgstr "Anfängliche Anmeldedaten werden geholt." + +#: ../../src/clients/kinit/kinit.c:852 +msgid "validating credentials" +msgstr "Anmeldedaten werden geprüft." + +#: ../../src/clients/kinit/kinit.c:855 +msgid "renewing credentials" +msgstr "Anmeldedaten werden erneuert." + +#: ../../src/clients/kinit/kinit.c:860 +#, c-format +msgid "%s: Password incorrect while %s\n" +msgstr "%s: Passwort bei %s falsch\n" + +#: ../../src/clients/kinit/kinit.c:863 +#, c-format +msgid "while %s" +msgstr "bei %s" + +#: ../../src/clients/kinit/kinit.c:871 ../../src/slave/kprop.c:224 +#, c-format +msgid "when initializing cache %s" +msgstr "beim Initialisieren des Zwischenspeichers %s" + +#: ../../src/clients/kinit/kinit.c:876 +#, c-format +msgid "Initialized cache\n" +msgstr "initialisierter Zwischenspeicher\n" + +#: ../../src/clients/kinit/kinit.c:880 +msgid "while storing credentials" +msgstr "beim Speichern der Anmeldedaten" + +#: ../../src/clients/kinit/kinit.c:884 +#, c-format +msgid "Stored credentials\n" +msgstr "gespeicherte Anmeldedaten\n" + +#: ../../src/clients/kinit/kinit.c:891 +msgid "while switching to new ccache" +msgstr "beim Wechsel zum neuen Ccache" + +#: ../../src/clients/kinit/kinit.c:946 +#, c-format +msgid "Authenticated to Kerberos v5\n" +msgstr "Authentifiziert für Kerberos v5\n" + +#: ../../src/clients/klist/klist.c:91 +#, c-format +msgid "" +"Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] " +"[name]\n" +msgstr "" +"Aufruf: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-" +"K]] [Name]\n" + +#: ../../src/clients/klist/klist.c:93 +#, c-format +msgid "\t-c specifies credentials cache\n" +msgstr "\t-c gibt den Anmeldedatenzwischenspeicher an\n" + +#: ../../src/clients/klist/klist.c:94 +#, c-format +msgid "\t-k specifies keytab\n" +msgstr "\t-k gibt die Schlüsseltabelle an.\n" + +#: ../../src/clients/klist/klist.c:95 +#, c-format +msgid "\t (Default is credentials cache)\n" +msgstr "\t (Voreinstellung ist Anmeldedatenzwischenspeicher)\n" + +#: ../../src/clients/klist/klist.c:96 +#, c-format +msgid "\t-i uses default client keytab if no name given\n" +msgstr "" +"\t-i verwendet die Standardschlüsseltabelle des Clients, falls kein Name " +"angegeben wurde.\n" + +#: ../../src/clients/klist/klist.c:97 +#, c-format +msgid "\t-l lists credential caches in collection\n" +msgstr "\t-l listet gesammelte Anmeldedatenzwischenspeicher auf.\n" + +#: ../../src/clients/klist/klist.c:98 +#, c-format +msgid "\t-A shows content of all credential caches\n" +msgstr "\t-A zeigt den Inhalt aller Anmeldedatenzwischenspeicher an.\n" + +#: ../../src/clients/klist/klist.c:99 +#, c-format +msgid "\t-e shows the encryption type\n" +msgstr "\t-e zeigt den Verschlüsselungstyp.\n" + +#: ../../src/clients/klist/klist.c:100 +#, c-format +msgid "\t-V shows the Kerberos version and exits\n" +msgstr "\t-V zeigt die Kerberos-Version und wird beendet.\n" + +#: ../../src/clients/klist/klist.c:101 +#, c-format +msgid "\toptions for credential caches:\n" +msgstr "\tOptionen für Anmeldedatenzwischenspeicher:\n" + +#: ../../src/clients/klist/klist.c:102 +#, c-format +msgid "\t\t-d shows the submitted authorization data types\n" +msgstr "\t\t-d zeigt die übertragenen Autorisierungsdatentypen.\n" + +#: ../../src/clients/klist/klist.c:104 +#, c-format +msgid "\t\t-f shows credentials flags\n" +msgstr "t\t-f zeigt die Anmeldedatenschalter.\n" + +#: ../../src/clients/klist/klist.c:105 +#, c-format +msgid "\t\t-s sets exit status based on valid tgt existence\n" +msgstr "" +"\t\t-s setzt den Exit-Status auf Basis der Existenz eines gültigen TGTs.\n" + +#: ../../src/clients/klist/klist.c:107 +#, c-format +msgid "\t\t-a displays the address list\n" +msgstr "\t\t-a zeigt die Adressliste.\n" + +#: ../../src/clients/klist/klist.c:108 +#, c-format +msgid "\t\t\t-n do not reverse-resolve\n" +msgstr "\t\t\t-n löst nicht rückwärts auf.\n" + +#: ../../src/clients/klist/klist.c:109 +#, c-format +msgid "\toptions for keytabs:\n" +msgstr "\tOptionen für Schlüsseltabellen:\n" + +#: ../../src/clients/klist/klist.c:110 +#, c-format +msgid "\t\t-t shows keytab entry timestamps\n" +msgstr "\t\t-t zeigt die Zeitstempel der Schlüsseltabelleneinträge.\n" + +#: ../../src/clients/klist/klist.c:111 +#, c-format +msgid "\t\t-K shows keytab entry keys\n" +msgstr "\t\t-K zeigt die Schlüssel der Schlüsseltabelleneinträge.\n" + +#: ../../src/clients/klist/klist.c:230 +#, c-format +msgid "%s version %s\n" +msgstr "%s Version %s\n" + +#: ../../src/clients/klist/klist.c:282 +msgid "while getting default client keytab" +msgstr "beim Holen der Standardschlüsseltabelle des Clients" + +#: ../../src/clients/klist/klist.c:287 +msgid "while getting default keytab" +msgstr "beim Holen der Standardschlüsseltabelle" + +#: ../../src/clients/klist/klist.c:292 ../../src/kadmin/cli/keytab.c:108 +#, c-format +msgid "while resolving keytab %s" +msgstr "beim Ermitteln der Schlüsseltabelle %s" + +#: ../../src/clients/klist/klist.c:298 ../../src/kadmin/cli/keytab.c:92 +msgid "while getting keytab name" +msgstr "beim Holen des Schlüsseltabellennamens" + +#: ../../src/clients/klist/klist.c:305 ../../src/kadmin/cli/keytab.c:399 +msgid "while starting keytab scan" +msgstr "beim Start des Schlüsseltabellen-Scans" + +#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:500 +#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:550 +msgid "while unparsing principal name" +msgstr "beim Rückgängigmachen des Auswertens des Principal-Namens" + +#: ../../src/clients/klist/klist.c:350 ../../src/kadmin/cli/keytab.c:443 +msgid "while scanning keytab" +msgstr "beim Scannen der Schlüsseltabelle" + +#: ../../src/clients/klist/klist.c:354 ../../src/kadmin/cli/keytab.c:448 +msgid "while ending keytab scan" +msgstr "beim Beenden des Schlüsseltabellen-Scans" + +#: ../../src/clients/klist/klist.c:371 ../../src/clients/klist/klist.c:434 +msgid "while listing ccache collection" +msgstr "beim Aufführen der Ccache-Sammlung" + +#: ../../src/clients/klist/klist.c:411 +msgid "(Expired)" +msgstr "(abgelaufen)" + +#: ../../src/clients/klist/klist.c:466 +#, c-format +msgid "while resolving ccache %s" +msgstr "beim Ermitteln des Ccaches %s" + +#: ../../src/clients/klist/klist.c:504 +#, c-format +msgid "" +"Ticket cache: %s:%s\n" +"Default principal: %s\n" +"\n" +msgstr "" +"Ticketzwischenspeicher: %s:%s\n" +"Standard-Principal: %s\n" +"\n" + +#: ../../src/clients/klist/klist.c:518 +msgid "while starting to retrieve tickets" +msgstr "während das Abfragen der Tickets beginnt" + +#: ../../src/clients/klist/klist.c:539 +msgid "while finishing ticket retrieval" +msgstr "während das Abfragem der Tickets endet" + +#: ../../src/clients/klist/klist.c:545 +msgid "while closing ccache" +msgstr "beim Schließen des Ccaches" + +#: ../../src/clients/klist/klist.c:555 +msgid "while retrieving a ticket" +msgstr "beim Abfragen eines Tickets" + +#: ../../src/clients/klist/klist.c:667 ../../src/clients/ksu/ccache.c:450 +#: ../../src/slave/kpropd.c:1225 ../../src/slave/kpropd.c:1285 +msgid "while unparsing client name" +msgstr "beim Rückgängigmachen des Auswertens des Client-Namens" + +#: ../../src/clients/klist/klist.c:672 ../../src/clients/ksu/ccache.c:455 +#: ../../src/slave/kprop.c:240 +msgid "while unparsing server name" +msgstr "beim Rückgängigmachen des Auswertens des Server-Namens" + +#: ../../src/clients/klist/klist.c:701 ../../src/clients/ksu/ccache.c:480 +#, c-format +msgid "\tfor client %s" +msgstr "\tfür Client %s" + +#: ../../src/clients/klist/klist.c:713 ../../src/clients/ksu/ccache.c:489 +msgid "renew until " +msgstr "erneuern bis " + +#: ../../src/clients/klist/klist.c:730 ../../src/clients/ksu/ccache.c:499 +#, c-format +msgid "Flags: %s" +msgstr "Schalter: %s" + +#: ../../src/clients/klist/klist.c:749 +#, c-format +msgid "Etype (skey, tkt): %s, " +msgstr "Etype (Skey, TKT): %s, " + +#: ../../src/clients/klist/klist.c:766 +#, c-format +msgid "AD types: " +msgstr "AD-Typen" + +#: ../../src/clients/klist/klist.c:783 +#, c-format +msgid "\tAddresses: (none)\n" +msgstr "\tAdressen: (keine)\n" + +#: ../../src/clients/klist/klist.c:785 +#, c-format +msgid "\tAddresses: " +msgstr "\tAdressen: " + +#: ../../src/clients/klist/klist.c:818 +#, c-format +msgid "broken address (type %d length %d)" +msgstr "kaputte Adresse (Typ %d Länge %d)" + +#: ../../src/clients/klist/klist.c:838 +#, c-format +msgid "unknown addrtype %d" +msgstr "unbekannter »addrtype« %d" + +#: ../../src/clients/klist/klist.c:847 +#, c-format +msgid "unprintable address (type %d, error %d %s)" +msgstr "nicht druckbare Adresse (Typ %d Fehler %d %s)" + +#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:396 +msgid "Enter new password" +msgstr "Geben Sie ein neues Passwort ein." + +#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:404 +msgid "Enter it again" +msgstr "Geben Sie es erneut ein." + +#: ../../src/clients/kpasswd/kpasswd.c:33 +#, c-format +msgid "Unable to identify user from password file\n" +msgstr "" +"Der Benutzer kann nicht anhand der Passwortdatei identifiziert werden.\n" + +#: ../../src/clients/kpasswd/kpasswd.c:65 +#, c-format +msgid "usage: %s [principal]\n" +msgstr "Aufruf: %s [Principal]\n" + +#: ../../src/clients/kpasswd/kpasswd.c:73 +msgid "initializing kerberos library" +msgstr "Kerberos-Bibliothek wird initialisiert." + +#: ../../src/clients/kpasswd/kpasswd.c:77 +msgid "allocating krb5_get_init_creds_opt" +msgstr "krb5_get_init_creds_opt wird reserviert." + +#: ../../src/clients/kpasswd/kpasswd.c:92 +msgid "opening default ccache" +msgstr "Standard-Ccache wird geöffnet." + +#: ../../src/clients/kpasswd/kpasswd.c:97 +msgid "getting principal from ccache" +msgstr "Principal wird vom Ccache geholt." + +#: ../../src/clients/kpasswd/kpasswd.c:104 +msgid "while setting FAST ccache" +msgstr "beim Setzen des FAST-Ccaches" + +#: ../../src/clients/kpasswd/kpasswd.c:111 +msgid "closing ccache" +msgstr "Ccache wird geschlossen." + +#: ../../src/clients/kpasswd/kpasswd.c:118 +msgid "parsing client name" +msgstr "Client-Name wird ausgewertet." + +#: ../../src/clients/kpasswd/kpasswd.c:135 +msgid "Password incorrect while getting initial ticket" +msgstr "Passwort beim Holen des anfänglichen Tickets falsch" + +#: ../../src/clients/kpasswd/kpasswd.c:137 +msgid "getting initial ticket" +msgstr "Anfängliches Ticket wird geholt." + +#: ../../src/clients/kpasswd/kpasswd.c:144 +msgid "while reading password" +msgstr "beim Lesen des Passworts" + +#: ../../src/clients/kpasswd/kpasswd.c:152 +msgid "changing password" +msgstr "Passwort wird geändert." + +#: ../../src/clients/kpasswd/kpasswd.c:174 +#: ../lib/kadm5/chpass_util_strings.c:30 +#, c-format +msgid "Password changed.\n" +msgstr "Passwort geändert\n" + +#: ../../src/clients/ksu/authorization.c:369 +#, c-format +msgid "" +"Error: bad entry - %s in %s file, must be either full path or just the cmd " +"name\n" +msgstr "" +"Fehler: falscher Eintrag – %s in Datei %s muss entweder ein vollständiger " +"Pfad oder nur ein Befehlsname sein.\n" + +#: ../../src/clients/ksu/authorization.c:377 +#, c-format +msgid "" +"Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH " +"must be defined \n" +msgstr "" +"Fehler: falscher Eintrag – %s in Datei %s. Da %s nur ein Befehlsname ist, " +"muss CMD_PATH definiert sein.\n" + +#: ../../src/clients/ksu/authorization.c:392 +#, c-format +msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n" +msgstr "" +"Fehler: falscher Eintrag – %s in Datei %s. CMD_PATH enthält keine Pfade.\n" + +#: ../../src/clients/ksu/authorization.c:401 +#, c-format +msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n" +msgstr "Fehler: falscher Pfad %s in CMD_PATH für %s muss mit »/« beginnen\n" + +#: ../../src/clients/ksu/authorization.c:517 +msgid "Error: not found -> " +msgstr "Fehler: nicht gefunden -> " + +#: ../../src/clients/ksu/authorization.c:723 +#, c-format +msgid "home directory name `%s' too long, can't search for .k5login\n" +msgstr "" +"Name des Home-Verzeichnisses »%s« ist zu lang, Suche nach .k5login nicht " +"möglich\n" + +#: ../../src/clients/ksu/ccache.c:368 +#, c-format +msgid "home directory path for %s too long\n" +msgstr "Home-Verzeichnispfad für %s zu lang\n" + +#: ../../src/clients/ksu/ccache.c:461 +msgid "while retrieving principal name" +msgstr "beim Abfragen des Principal-Namens" + +#: ../../src/clients/ksu/krb_auth_su.c:57 +#: ../../src/clients/ksu/krb_auth_su.c:62 ../../src/slave/kprop.c:247 +msgid "while copying client principal" +msgstr "beim Kopieren des Client-Principals" + +#: ../../src/clients/ksu/krb_auth_su.c:69 +msgid "while creating tgt for local realm" +msgstr "beim Erstellen des TGTs für lokalen Realm" + +#: ../../src/clients/ksu/krb_auth_su.c:84 +msgid "while retrieving creds from cache" +msgstr "beim Abfragen der Anmeldedaten aus dem Zwischenspeicher" + +#: ../../src/clients/ksu/krb_auth_su.c:95 +msgid "while switching to target uid" +msgstr "beim Umschalten auf die Ziel-UID" + +#: ../../src/clients/ksu/krb_auth_su.c:100 +#, c-format +msgid "" +"WARNING: Your password may be exposed if you enter it here and are logged \n" +msgstr "" +"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " +"und\n" + +#: ../../src/clients/ksu/krb_auth_su.c:102 +#, c-format +msgid " in remotely using an unsecure (non-encrypted) channel. \n" +msgstr "" +" in der Ferne mittels eines unsicheren (unverschlüsselten) Kanals\n" +" angemeldet sind.\n" + +#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:464 +msgid "while reclaiming root uid" +msgstr "beim erneuten Beanspruchen der Root-UID" + +#: ../../src/clients/ksu/krb_auth_su.c:121 +#, c-format +msgid "does not have any appropriate tickets in the cache.\n" +msgstr "hat keine geeigneten Tickets im Zwischenspeicher.\n" + +#: ../../src/clients/ksu/krb_auth_su.c:133 +msgid "while verifying ticket for server" +msgstr "beim Prüfen des Tickets für Server" + +#: ../../src/clients/ksu/krb_auth_su.c:167 +msgid "while getting time of day" +msgstr "beim Holen der Tageszeit" + +#: ../../src/clients/ksu/krb_auth_su.c:171 +#, c-format +msgid "Kerberos password for %s: " +msgstr "Kerberos-Passwort für %s: " + +#: ../../src/clients/ksu/krb_auth_su.c:175 +#, c-format +msgid "principal name %s too long for internal buffer space\n" +msgstr "Principal-Name %s für den internen Pufferbereich zu groß\n" + +#: ../../src/clients/ksu/krb_auth_su.c:184 +#, c-format +msgid "while reading password for '%s'\n" +msgstr "beim Lesen des Passworts für »%s«\n" + +#: ../../src/clients/ksu/krb_auth_su.c:191 +#, c-format +msgid "No password given\n" +msgstr "kein Passwort angegeben\n" + +#: ../../src/clients/ksu/krb_auth_su.c:204 +#, c-format +msgid "%s: Password incorrect\n" +msgstr "%s: Passwort falsch\n" + +#: ../../src/clients/ksu/krb_auth_su.c:206 +msgid "while getting initial credentials" +msgstr "beim Holen der Anfangsanmeldedaten" + +#: ../../src/clients/ksu/krb_auth_su.c:226 +#: ../../src/clients/ksu/krb_auth_su.c:240 +#, c-format +msgid " %s while unparsing name\n" +msgstr "%s beim Rückgängigmachen der Namensauswertung\n" + +#: ../../src/clients/ksu/main.c:68 +#, c-format +msgid "" +"Usage: %s [target user] [-n principal] [-c source cachename] [-k] [-D] [-r " +"time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a " +"[args... ] ]\n" +msgstr "" +"Aufruf: %s [Zielbenutzer] [-n Principal] [-c Quellenzwischenspeichername] [-" +"k] [-D] [-r Zeit] [-pf] [-l Lebensdauer] [-zZ] [-q] [-e Befehl [Argumente " +"…] ] [-a [Argumente …] ]\n" + +#: ../../src/clients/ksu/main.c:147 +msgid "" +"program name too long - quitting to avoid triggering system logging bugs" +msgstr "" +"Programmname zu lang – wird beendet, um das Auslösen von " +"Systemprotokollierungsfehlern zu vermeiden" + +#: ../../src/clients/ksu/main.c:173 +msgid "while allocating memory" +msgstr "bei Reservieren von Speicher" + +#: ../../src/clients/ksu/main.c:186 +msgid "while setting euid to source user" +msgstr "beim Setzen der EUID auf dem Quellbenutzer" + +#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231 +#, c-format +msgid "Bad lifetime value (%s hours?)\n" +msgstr "falscher Wert für Lebensdauer (%s Stunden?)\n" + +#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:292 +msgid "when gathering parameters" +msgstr "beim Zusammenstellen der Parameter" + +#: ../../src/clients/ksu/main.c:251 +#, c-format +msgid "-z option is mutually exclusive with -Z.\n" +msgstr "Die Optionen -z und -Z schließen sich gegenseitig aus.\n" + +#: ../../src/clients/ksu/main.c:259 +#, c-format +msgid "-Z option is mutually exclusive with -z.\n" +msgstr "Die Optionen -Z und -z schließen sich gegenseitig aus.\n" + +#: ../../src/clients/ksu/main.c:272 +#, c-format +msgid "while looking for credentials cache %s" +msgstr "beim Suchen nach dem Anmeldedatenzwischenspeicher %s" + +#: ../../src/clients/ksu/main.c:278 +#, c-format +msgid "malformed credential cache name %s\n" +msgstr "falsch gebildeter Anmeldedatenzwischenspeichername %s\n" + +# ksu ist eine Kerberos-Variante von su +#: ../../src/clients/ksu/main.c:336 +#, c-format +msgid "ksu: who are you?\n" +msgstr "ksu: Wer sind Sie?\n" + +#: ../../src/clients/ksu/main.c:340 +#, c-format +msgid "Your uid doesn't match your passwd entry?!\n" +msgstr "Ihre UID passt nicht zu Ihrem Passworteintrag.\n" + +#: ../../src/clients/ksu/main.c:355 +#, c-format +msgid "ksu: unknown login %s\n" +msgstr "ksu: unbekannter Anmeldename %s\n" + +#: ../../src/clients/ksu/main.c:375 +msgid "while getting source cache" +msgstr "beim Holen des Quellenzwischenspeichers" + +#: ../../src/clients/ksu/main.c:381 ../../src/clients/kvno/kvno.c:194 +msgid "while opening ccache" +msgstr "beim Öffnen des Ccaches" + +#: ../../src/clients/ksu/main.c:389 +msgid "while selecting the best principal" +msgstr "beim Auswählen des besten Principals" + +#: ../../src/clients/ksu/main.c:397 +msgid "while returning to source uid after finding best principal" +msgstr "" +"bei der Rückkehr zur Quell-UID, nachdem der beste Principal gefunden wurde" + +#: ../../src/clients/ksu/main.c:417 +#, c-format +msgid "account %s: authorization failed\n" +msgstr "Konto %s: Autorisierung fehlgeschlagen\n" + +#: ../../src/clients/ksu/main.c:442 +msgid "while parsing temporary name" +msgstr "beim Auswertens des temporären Namens" + +#: ../../src/clients/ksu/main.c:447 +msgid "while creating temporary cache" +msgstr "bei Erstellen des temporären Zwischenspeichers" + +#: ../../src/clients/ksu/main.c:453 ../../src/clients/ksu/main.c:693 +#, c-format +msgid "while copying cache %s to %s" +msgstr "beim Kopieren des Zwischenspeichers %s nach %s" + +#: ../../src/clients/ksu/main.c:471 +#, c-format +msgid "" +"WARNING: Your password may be exposed if you enter it here and are logged\n" +msgstr "" +"WARNUNG: Ihr Passwort könnte offengelegt werden, falls Sie es hier eingeben " +"und\n" + +#: ../../src/clients/ksu/main.c:473 +#, c-format +msgid " in remotely using an unsecure (non-encrypted) channel.\n" +msgstr "" +" in der Ferne über einen unsicheren (unverschlüsselten) Kanal " +"angemeldet\n" +"sind.\n" + +#: ../../src/clients/ksu/main.c:479 +#, c-format +msgid "Goodbye\n" +msgstr "Auf Wiedersehen\n" + +#: ../../src/clients/ksu/main.c:483 +#, c-format +msgid "Could not get a tgt for " +msgstr "Es konnte kein TGT geholt werden für " + +#: ../../src/clients/ksu/main.c:505 +#, c-format +msgid "Authentication failed.\n" +msgstr "Authentifizierung fehlgeschlagen.\n" + +#: ../../src/clients/ksu/main.c:513 +msgid "When unparsing name" +msgstr "beim Rückgängigmachen der Namensauswertung" + +#: ../../src/clients/ksu/main.c:517 +#, c-format +msgid "Authenticated %s\n" +msgstr "Authentifiziert %s\n" + +#: ../../src/clients/ksu/main.c:524 +msgid "while switching to target for authorization check" +msgstr "beim Wechsel des Ziels der Autorisierungsprüfung" + +#: ../../src/clients/ksu/main.c:531 +msgid "while checking authorization" +msgstr "beim Prüfen der Autorisierung" + +#: ../../src/clients/ksu/main.c:537 +msgid "while switching back from target after authorization check" +msgstr "beim Zurückwechsel vom Ziel nach der Autorisierungsprüfung" + +#: ../../src/clients/ksu/main.c:544 +#, c-format +msgid "Account %s: authorization for %s for execution of\n" +msgstr "Konto %s: Autorisierung für %s zum Ausführen von\n" + +#: ../../src/clients/ksu/main.c:546 +#, c-format +msgid " %s successful\n" +msgstr " %s erfolgreich\n" + +#: ../../src/clients/ksu/main.c:552 +#, c-format +msgid "Account %s: authorization for %s successful\n" +msgstr "Konto %s: Autorisierung für %s erfolgreich\n" + +#: ../../src/clients/ksu/main.c:564 +#, c-format +msgid "Account %s: authorization for %s for execution of %s failed\n" +msgstr "Konto %s: Autorisierung für %s zum Ausführen von %s fehlgeschlagen\n" + +#: ../../src/clients/ksu/main.c:572 +#, c-format +msgid "Account %s: authorization of %s failed\n" +msgstr "Konto %s: Autorisierung von %s fehlgeschlagen\n" + +#: ../../src/clients/ksu/main.c:587 +msgid "while calling cc_filter" +msgstr "beim Aufruf von »cc_filter«" + +#: ../../src/clients/ksu/main.c:595 +msgid "while erasing target cache" +msgstr "bei Löschen des Zielzwischenspeichers" + +#: ../../src/clients/ksu/main.c:615 +#, c-format +msgid "ksu: permission denied (shell).\n" +msgstr "ksu: Zugriff verweigert (Shell)\n" + +#: ../../src/clients/ksu/main.c:624 +#, c-format +msgid "ksu: couldn't set environment variable USER\n" +msgstr "ksu: Umgebungsvariable USER kann nicht gesetzt werden\n" + +#: ../../src/clients/ksu/main.c:630 +#, c-format +msgid "ksu: couldn't set environment variable HOME\n" +msgstr "ksu: Umgebungsvariable HOME kann nicht gesetzt werden\n" + +#: ../../src/clients/ksu/main.c:635 +#, c-format +msgid "ksu: couldn't set environment variable SHELL\n" +msgstr "ksu: Umgebungsvariable SHELL kann nicht gesetzt werden\n" + +#: ../../src/clients/ksu/main.c:646 +#, c-format +msgid "ksu: initgroups failed.\n" +msgstr "ksu: »initgroups« fehlgeschlagen\n" + +#: ../../src/clients/ksu/main.c:651 +#, c-format +msgid "Leaving uid as %s (%ld)\n" +msgstr "UID bleibt %s (%ld)\n" + +#: ../../src/clients/ksu/main.c:654 +#, c-format +msgid "Changing uid to %s (%ld)\n" +msgstr "UID wird zu %s (%ld) geändert\n" + +#: ../../src/clients/ksu/main.c:680 +msgid "while getting name of target ccache" +msgstr "beim Holen des Ziel-Ccache-Namens" + +#: ../../src/clients/ksu/main.c:700 +#, c-format +msgid "%s does not have correct permissions for %s, %s aborted" +msgstr "%s hat nicht die korrekten Rechte für %s, %s wird abgebrochen." + +#: ../../src/clients/ksu/main.c:721 +#, c-format +msgid "Internal error: command %s did not get resolved\n" +msgstr "Interner Fehler: Befehl %s wurde nicht aufgelöst\n" + +#: ../../src/clients/ksu/main.c:738 ../../src/clients/ksu/main.c:774 +#, c-format +msgid "while trying to execv %s" +msgstr "beim Versuch von »execv %s«" + +#: ../../src/clients/ksu/main.c:764 +msgid "while calling waitpid" +msgstr "beim Aufruf von »waitpid«" + +#: ../../src/clients/ksu/main.c:769 +msgid "while trying to fork." +msgstr "beim Versuch zu verzweigen." + +#: ../../src/clients/ksu/main.c:791 +msgid "while reading cache name from ccache" +msgstr "beim Lesen des Zwischenspeichernamens aus dem Ccache" + +#: ../../src/clients/ksu/main.c:797 +#, c-format +msgid "ksu: couldn't set environment variable %s\n" +msgstr "ksu: Umgebungsvariable %s kann nicht gesetzt werden\n" + +#: ../../src/clients/ksu/main.c:820 +#, c-format +msgid "while clearing the value of %s" +msgstr "beim Leeren des Werts von %s" + +#: ../../src/clients/ksu/main.c:828 +msgid "while resetting target ccache name" +msgstr "beim Zurücksetzen des Ziel-Ccache-Namens" + +#: ../../src/clients/ksu/main.c:842 +msgid "while determining target ccache name" +msgstr "beim Bestimmen des Ziel-Ccache-Namens" + +#: ../../src/clients/ksu/main.c:881 +msgid "while generating part of the target ccache name" +msgstr "beim Erzeugen eines Teils des Ziel-Ccache-Namens" + +#: ../../src/clients/ksu/main.c:887 +msgid "while allocating memory for the target ccache name" +msgstr "beim Reservieren von Speicher für den Ziel-Ccache-Namen" + +#: ../../src/clients/ksu/main.c:906 +msgid "while creating new target ccache" +msgstr "bei Erstellen von neuem Ziel-Ccache" + +#: ../../src/clients/ksu/main.c:912 +msgid "while initializing target cache" +msgstr "beim Initialisieren des Zielzwischenspeichers" + +#: ../../src/clients/ksu/main.c:952 +#, c-format +msgid "terminal name %s too long\n" +msgstr "Terminal-Name %s ist zu lang.\n" + +#: ../../src/clients/ksu/main.c:980 +msgid "while changing to target uid for destroying ccache" +msgstr "beim Ändern der Ziel-UID für das Zerstören von Ccache" + +#: ../../src/clients/kswitch/kswitch.c:44 +#, c-format +msgid "Usage: %s {-c cache_name | -p principal}\n" +msgstr "Aufruf: %s {-c Zwischenspeichername | -p Principal}\n" + +#: ../../src/clients/kswitch/kswitch.c:46 +#, c-format +msgid "\t-p specify name of principal\n" +msgstr "\t-p gibt den Namen des Principals an.\n" + +#: ../../src/clients/kswitch/kswitch.c:69 +#, c-format +msgid "Only one -c or -p option allowed\n" +msgstr "Nur eine der Optionen -c oder -p ist erlaubt.\n" + +#: ../../src/clients/kswitch/kswitch.c:88 +#, c-format +msgid "One of -c or -p must be specified\n" +msgstr "Entweder -c oder -p muss angegeben werden.\n" + +#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:211 +#: ../../src/clients/kvno/kvno.c:245 ../../src/kadmin/cli/keytab.c:350 +#: ../../src/kadmin/dbutil/kdb5_util.c:576 +#, c-format +msgid "while parsing principal name %s" +msgstr "beim Auswerten des Principal-Namens %s" + +#: ../../src/clients/kswitch/kswitch.c:124 +msgid "while switching to credential cache" +msgstr "beim Wechsel auf den Anmeldedatenzwischenspeicher" + +#: ../../src/clients/kvno/kvno.c:46 +#, c-format +msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n" +msgstr "Aufruf: %s [-C] [-u] [-c Ccache] [-e Etype]\n" + +#: ../../src/clients/kvno/kvno.c:47 +#, c-format +msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n" +msgstr "\t[-k Schlüsseltabelle] [-S Sname] [-U für_Benutzer [-P]]\n" + +#: ../../src/clients/kvno/kvno.c:48 +#, c-format +msgid "\tservice1 service2 ...\n" +msgstr "\tDienst1 Dienst2 …\n" + +#: ../../src/clients/kvno/kvno.c:103 ../../src/clients/kvno/kvno.c:111 +#, c-format +msgid "Options -u and -S are mutually exclusive\n" +msgstr "Die Optionen -u und -S schließen sich gegenseitig aus.\n" + +#: ../../src/clients/kvno/kvno.c:126 +#, c-format +msgid "Option -P (constrained delegation) requires keytab to be specified\n" +msgstr "" +"Die Option -P (eingeschränkte Abtretung) erfordert zur Angabe eine " +"Schlüsseltabelle.\n" + +#: ../../src/clients/kvno/kvno.c:130 +#, c-format +msgid "" +"Option -P (constrained delegation) requires option -U (protocol transition)\n" +msgstr "" +"Die Option -P (eingeschränkte Abtretung) erfordert die Option -U " +"(Protokollübergang)\n" + +#: ../../src/clients/kvno/kvno.c:175 ../../src/kadmin/cli/kadmin.c:280 +msgid "while initializing krb5 library" +msgstr "beim Initialisieren der Krb5-Bibliothek" + +#: ../../src/clients/kvno/kvno.c:182 +msgid "while converting etype" +msgstr "bei der Etype-Umwandlung" + +#: ../../src/clients/kvno/kvno.c:218 +msgid "while getting client principal name" +msgstr "beim Holen des Client-Principal-Namens" + +#: ../../src/clients/kvno/kvno.c:256 +#, c-format +msgid "while formatting parsed principal name for '%s'" +msgstr "beim Formatieren des ausgewerteten Principal-Namens für »%s«" + +#: ../../src/clients/kvno/kvno.c:267 +msgid "client and server principal names must match" +msgstr "Die Principal-Namen von Client und Server müssen übereinstimmen." + +#: ../../src/clients/kvno/kvno.c:284 +#, c-format +msgid "while getting credentials for %s" +msgstr "beim Holen der Anmeldedaten für %s" + +#: ../../src/clients/kvno/kvno.c:291 +#, c-format +msgid "while decoding ticket for %s" +msgstr "beim Dekodieren des Tickets für %s" + +#: ../../src/clients/kvno/kvno.c:302 +#, c-format +msgid "while decrypting ticket for %s" +msgstr "beim Entschlüsseln des Tickets für %s" + +#: ../../src/clients/kvno/kvno.c:306 +#, c-format +msgid "%s: kvno = %d, keytab entry valid\n" +msgstr "%s: KVNO = %d, Schlüsseltabelleneintrag gültig\n" + +#: ../../src/clients/kvno/kvno.c:324 +#, c-format +msgid "%s: constrained delegation failed" +msgstr "%s: eingeschränkte Abtretung fehlgeschlagen" + +#: ../../src/clients/kvno/kvno.c:330 +#, c-format +msgid "%s: kvno = %d\n" +msgstr "%s: KVNO = %d\n" + +#: ../../src/kadmin/cli/kadmin.c:118 +#, c-format +msgid "" +"Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" +"\tclnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]|[-n]\n" +"\tlocal args: [-x db_args]* [-d dbname] [-e \"enc:salt ...\"] [-m]\n" +"where,\n" +"\t[-x db_args]* - any number of database specific arguments.\n" +"\t\t\tLook at each database documentation for supported arguments\n" +msgstr "" +"Aufruf: %s [-r Realm] [-p Principal] [-q Abfrage] [clnt|lokale Argumente]\n" +"\tclnt Argumente: [-s Admin-Server[:Port]] [[-c Ccache]|\n" +"\t[-k [-t Schlüsseltabelle]]]|[-n] lokale Argumente: [-x DB-Argumente]*\n" +"\t[-d Datenbankname] [-e \"enc:Salt …\"] [-m]\n" +"wobei\n" +"\t[-x DB-Argumente]* - eine beliebige Anzahl datenbankspezifischer " +"Argumente\n" +"\tist. Die unterstützten Argumente finden Sie in den jeweiligen " +"\tDatenbankdokumentationen\n" + +#: ../../src/kadmin/cli/kadmin.c:292 ../../src/kadmin/cli/kadmin.c:333 +#, c-format +msgid "%s: Cannot initialize. Not enough memory\n" +msgstr "%s: Zu wenig Speicher zum Initialisieren\n" + +#: ../../src/kadmin/cli/kadmin.c:353 ../../src/kadmin/cli/kadmin.c:804 +#: ../../src/kadmin/cli/kadmin.c:1084 ../../src/kadmin/cli/kadmin.c:1634 +#: ../../src/kadmin/cli/keytab.c:159 ../../src/kadmin/dbutil/kdb5_util.c:591 +#, c-format +msgid "while parsing keysalts %s" +msgstr "beim Auswerten der Schlüssel-Salts %s" + +#: ../../src/kadmin/cli/kadmin.c:376 +#, c-format +msgid "%s: unable to get default realm\n" +msgstr "%s: Standard-Realm kann nicht geholt werden\n" + +#: ../../src/kadmin/cli/kadmin.c:396 +msgid "while opening default credentials cache" +msgstr "beim Öffnen des Standardanmeldedatenzwischenspeichers" + +#: ../../src/kadmin/cli/kadmin.c:402 +#, c-format +msgid "while opening credentials cache %s" +msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" + +#: ../../src/kadmin/cli/kadmin.c:424 ../../src/kadmin/cli/kadmin.c:479 +#: ../../src/kadmin/cli/kadmin.c:487 ../../src/kadmin/cli/kadmin.c:494 +#, c-format +msgid "%s: out of memory\n" +msgstr "%s: Speicherplatz reicht nicht aus\n" + +#: ../../src/kadmin/cli/kadmin.c:433 ../../src/kadmin/cli/kadmin.c:448 +#: ../../src/slave/kpropd.c:681 +msgid "while canonicalizing principal name" +msgstr "während der Principal-Name in die normale Form gebracht wird" + +#: ../../src/kadmin/cli/kadmin.c:442 +msgid "creating host service principal" +msgstr "Principal des Rechnerdienstes wird erstellt" + +#: ../../src/kadmin/cli/kadmin.c:455 +#, c-format +msgid "%s: unable to canonicalize principal\n" +msgstr "%s: Principal kann nicht in die normale Form gebracht werden\n" + +#: ../../src/kadmin/cli/kadmin.c:499 +#, c-format +msgid "%s: unable to figure out a principal name\n" +msgstr "%s: Es kann kein Principal-Name herausgefunden werden.\n" + +#: ../../src/kadmin/cli/kadmin.c:507 +msgid "while setting up logging" +msgstr "beim Einrichten der Protokollierung" + +#: ../../src/kadmin/cli/kadmin.c:516 +#, c-format +msgid "Authenticating as principal %s with existing credentials.\n" +msgstr "Authentifizierung als Principal %s mit existierenden Anmeldedaten\n" + +#: ../../src/kadmin/cli/kadmin.c:522 +#, c-format +msgid "Authenticating as principal %s with password; anonymous requested.\n" +msgstr "" +"Authentifizierung als Principal %s mit Passwort; Anonymität erwünscht\n" + +#: ../../src/kadmin/cli/kadmin.c:529 +#, c-format +msgid "Authenticating as principal %s with keytab %s.\n" +msgstr "Authentifizierung als Principal %s mit Schlüsseltabelle %s\n" + +#: ../../src/kadmin/cli/kadmin.c:532 +#, c-format +msgid "Authenticating as principal %s with default keytab.\n" +msgstr "Authentifizierung als Principal %s mit Standardschlüsseltabelle\n" + +#: ../../src/kadmin/cli/kadmin.c:538 +#, c-format +msgid "Authenticating as principal %s with password.\n" +msgstr "Authentifizierung als Principal %s mit Passwort\n" + +#: ../../src/kadmin/cli/kadmin.c:546 ../../src/slave/kpropd.c:728 +#, c-format +msgid "while initializing %s interface" +msgstr "beim Initialisieren der Schnittstelle %s" + +#: ../../src/kadmin/cli/kadmin.c:560 +#, c-format +msgid "while closing ccache %s" +msgstr "beim Schließen von Ccache %s" + +#: ../../src/kadmin/cli/kadmin.c:566 +msgid "while mapping update log" +msgstr "beim Abbilden des Aktualisierungsprotokolls" + +#: ../../src/kadmin/cli/kadmin.c:581 +msgid "while unlocking locked database" +msgstr "beim Entsperren der Datenbank" + +#: ../../src/kadmin/cli/kadmin.c:590 +msgid "Administration credentials NOT DESTROYED.\n" +msgstr "Verwaltungsanmeldedaten NICHT VERNICHTET\n" + +#: ../../src/kadmin/cli/kadmin.c:639 +#, c-format +msgid "usage: delete_principal [-force] principal\n" +msgstr "Aufruf: delete_principal [-force] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:644 ../../src/kadmin/cli/kadmin.c:819 +msgid "while parsing principal name" +msgstr "beim Auswerten des Principal-Namens" + +#: ../../src/kadmin/cli/kadmin.c:650 ../../src/kadmin/cli/kadmin.c:825 +#: ../../src/kadmin/cli/kadmin.c:1217 ../../src/kadmin/cli/kadmin.c:1339 +#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1858 +#: ../../src/kadmin/cli/kadmin.c:1902 ../../src/kadmin/cli/kadmin.c:1948 +#: ../../src/kadmin/cli/kadmin.c:1988 +msgid "while canonicalizing principal" +msgstr "während der Principal in die normale Form gebracht wird" + +#: ../../src/kadmin/cli/kadmin.c:654 +#, c-format +msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): " +msgstr "" +"Sind Sie sicher, dass Sie den Principal »%s« löschen möchten? (yes/no): " + +#: ../../src/kadmin/cli/kadmin.c:658 +#, c-format +msgid "Principal \"%s\" not deleted\n" +msgstr "Principal »%s« nicht gelöscht\n" + +#: ../../src/kadmin/cli/kadmin.c:665 +#, c-format +msgid "while deleting principal \"%s\"" +msgstr "beim Löschen von Principal »%s«" + +#: ../../src/kadmin/cli/kadmin.c:668 +#, c-format +msgid "Principal \"%s\" deleted.\n" +msgstr "Principal »%s« gelöscht\n" + +#: ../../src/kadmin/cli/kadmin.c:669 +#, c-format +msgid "" +"Make sure that you have removed this principal from all ACLs before " +"reusing.\n" +msgstr "" +"Stellen Sie sicher, dass Sie diesen Principal aus allen ACLs entfernt haben, " +"bevor Sie ihn erneut benutzen.\n" + +#: ../../src/kadmin/cli/kadmin.c:686 +#, c-format +msgid "usage: rename_principal [-force] old_principal new_principal\n" +msgstr "Aufruf: rename_principal [-force] alter_Principal neuer_Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:693 +msgid "while parsing old principal name" +msgstr "beim Auswerten des alten Principal-Namens" + +#: ../../src/kadmin/cli/kadmin.c:699 +msgid "while parsing new principal name" +msgstr "beim Auswerten des neuen Principal-Namens" + +#: ../../src/kadmin/cli/kadmin.c:705 +msgid "while canonicalizing old principal" +msgstr "während der alte Principal in die normale Form gebracht wird" + +#: ../../src/kadmin/cli/kadmin.c:711 +msgid "while canonicalizing new principal" +msgstr "während der neue Principal in die normale Form gebracht wird" + +#: ../../src/kadmin/cli/kadmin.c:715 +#, c-format +msgid "" +"Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): " +msgstr "" +"Sind Sie sicher, dass Sie den Principal »%s« in »%s« umbenennen möchten? " +"(yes/no): " + +#: ../../src/kadmin/cli/kadmin.c:719 +#, c-format +msgid "Principal \"%s\" not renamed\n" +msgstr "Principal »%s« wurde nicht umbenannt.\n" + +#: ../../src/kadmin/cli/kadmin.c:726 +#, c-format +msgid "while renaming principal \"%s\" to \"%s\"" +msgstr "beim Umbenennen von Principal »%s« in »%s«" + +#: ../../src/kadmin/cli/kadmin.c:730 +#, c-format +msgid "Principal \"%s\" renamed to \"%s\".\n" +msgstr "Principal »%s« wurde in »%s« umbenannt.\n" + +#: ../../src/kadmin/cli/kadmin.c:731 +#, c-format +msgid "" +"Make sure that you have removed the old principal from all ACLs before " +"reusing.\n" +msgstr "" +"Stellen Sie sicher, dass Sie den alten Principal aus allen ACLs entfernt " +"haben, bevor Sie ihn erneut benutzen.\n" + +#: ../../src/kadmin/cli/kadmin.c:746 +#, c-format +msgid "" +"usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] " +"principal\n" +msgstr "" +"Aufruf: change_password [-randkey] [-keepold] [-e Schlüssel-Salt-Liste] [-pw " +"Passwort] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:772 +msgid "change_password: missing db argument" +msgstr "change_password: fehlendes Datenbankargument" + +#: ../../src/kadmin/cli/kadmin.c:778 +#, c-format +msgid "change_password: Not enough memory\n" +msgstr "change_password: zu wenig Speicher\n" + +#: ../../src/kadmin/cli/kadmin.c:786 +msgid "change_password: missing password arg" +msgstr "change_password: fehlendes Passwortargument" + +#: ../../src/kadmin/cli/kadmin.c:797 +msgid "change_password: missing keysaltlist arg" +msgstr "change_password: fehlendes Schlüssel-Salt-Listenargument" + +#: ../../src/kadmin/cli/kadmin.c:813 +msgid "missing principal name" +msgstr "fehlender Principal-Name" + +#: ../../src/kadmin/cli/kadmin.c:837 ../../src/kadmin/cli/kadmin.c:874 +#, c-format +msgid "while changing password for \"%s\"." +msgstr "beim Ändern des Passworts von »%s«." + +#: ../../src/kadmin/cli/kadmin.c:840 ../../src/kadmin/cli/kadmin.c:877 +#, c-format +msgid "Password for \"%s\" changed.\n" +msgstr "Passwort von »%s« geändert\n" + +#: ../../src/kadmin/cli/kadmin.c:846 ../../src/kadmin/cli/kadmin.c:1290 +#, c-format +msgid "while randomizing key for \"%s\"." +msgstr "beim Erzeugen eines zufälligen Schlüssels für »%s«." + +#: ../../src/kadmin/cli/kadmin.c:849 +#, c-format +msgid "Key for \"%s\" randomized.\n" +msgstr "Es wurde ein zufälliger Schlüssel für %s erzeugt\n" + +#: ../../src/kadmin/cli/kadmin.c:854 ../../src/kadmin/cli/kadmin.c:1250 +#, c-format +msgid "Enter password for principal \"%s\"" +msgstr "Geben Sie das Passwort für Principal »%s« ein." + +#: ../../src/kadmin/cli/kadmin.c:856 ../../src/kadmin/cli/kadmin.c:1252 +#, c-format +msgid "Re-enter password for principal \"%s\"" +msgstr "Geben Sie das Passwort für Principal »%s« erneut ein." + +#: ../../src/kadmin/cli/kadmin.c:861 ../../src/kadmin/cli/kadmin.c:1256 +#, c-format +msgid "while reading password for \"%s\"." +msgstr "beim Lesen des Passworts von »%s«." + +#: ../../src/kadmin/cli/kadmin.c:915 +#, c-format +msgid "Not enough memory\n" +msgstr "Speicher reicht nicht aus\n" + +#: ../../src/kadmin/cli/kadmin.c:945 ../../src/kadmin/dbutil/kdb5_util.c:623 +msgid "while getting time" +msgstr "beim Holen der Zeit" + +#: ../../src/kadmin/cli/kadmin.c:994 ../../src/kadmin/cli/kadmin.c:1007 +#: ../../src/kadmin/cli/kadmin.c:1020 ../../src/kadmin/cli/kadmin.c:1033 +#: ../../src/kadmin/cli/kadmin.c:1546 ../../src/kadmin/cli/kadmin.c:1558 +#: ../../src/kadmin/cli/kadmin.c:1601 ../../src/kadmin/cli/kadmin.c:1618 +#, c-format +msgid "Invalid date specification \"%s\".\n" +msgstr "ungültige Datumsangabe »%s«\n" + +#: ../../src/kadmin/cli/kadmin.c:1118 ../../src/kadmin/cli/kadmin.c:1333 +#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1852 +#: ../../src/kadmin/cli/kadmin.c:1896 ../../src/kadmin/cli/kadmin.c:1942 +#: ../../src/kadmin/cli/kadmin.c:1982 +msgid "while parsing principal" +msgstr "beim Auswerten des Principals" + +#: ../../src/kadmin/cli/kadmin.c:1127 +#, c-format +msgid "usage: add_principal [options] principal\n" +msgstr "Aufruf: add_principal [Optionen] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:1128 ../../src/kadmin/cli/kadmin.c:1155 +#: ../../src/kadmin/cli/kadmin.c:1657 +#, c-format +msgid "\toptions are:\n" +msgstr "\tEs gibt folgende Optionen:\n" + +#: ../../src/kadmin/cli/kadmin.c:1130 +#, c-format +msgid "" +"\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire " +"pwexpdate] [-maxlife maxtixlife]\n" +"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" +"\t\t[-pw password] [-maxrenewlife maxrenewlife]\n" +"\t\t[-e keysaltlist]\n" +"\t\t[{+|-}attribute]\n" +msgstr "" +"\t\t[-randkey|-nokey] [-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-" +"pwexpire Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" +"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" +"\t\t[-pw Passwort] [-maxrenewlife maximale_Dauer_bis_zum_Erneuern]\n" +"\t\t[-e Schlüssel-Salt-Liste]\n" +"\t\t[{+|-}Attribut]\n" + +#: ../../src/kadmin/cli/kadmin.c:1136 +#, c-format +msgid "\tattributes are:\n" +msgstr "\tEs gibt folgende Attribute:\n" + +#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1164 +#, c-format +msgid "" +"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" +"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" +"\t\trequires_hwauth needchange allow_svr password_changing_service\n" +"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" +"\n" +"where,\n" +"\t[-x db_princ_args]* - any number of database specific arguments.\n" +"\t\t\tLook at each database documentation for supported arguments\n" +msgstr "" +"\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" +"\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" +"\t\trequires_hwauth needchange allow_svr password_changing_service\n" +"\t\tok_as_delegate ok_to_auth_as_delegate no_auth_data_required\n" +"\n" +"wobei\n" +"\t[-x DB-Principal-Argumente]* - eine beliebige Zahl\n" +"\tdatenbankspezifischer Argumente ist.\n" +"\t\t\tDie unterstützten Argumente finden Sie in der jeweiligen\n" +"Datenbankdokumentation.\n" + +#: ../../src/kadmin/cli/kadmin.c:1154 +#, c-format +msgid "usage: modify_principal [options] principal\n" +msgstr "Aufruf: modify_principal [Optionen] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:1157 +#, c-format +msgid "" +"\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife " +"maxtixlife]\n" +"\t\t[-kvno kvno] [-policy policy] [-clearpolicy]\n" +"\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n" +msgstr "" +"\t\t[-x DB-Principal-Argumente]* [-expire Ablaufdatum] [-pwexpire " +"Passwortablaufdatum] [-maxlife maximale_Ticketlebensdauer]\n" +"\t\t[-kvno KVNO] [-policy Richtlinie] [-clearpolicy]\n" +"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern] [-unlock] [{+|-}" +"Attribut]\n" + +#: ../../src/kadmin/cli/kadmin.c:1224 ../../src/kadmin/cli/kadmin.c:1362 +#, c-format +msgid "WARNING: policy \"%s\" does not exist\n" +msgstr "WARNUNG: Richtlinie »%s« existiert nicht.\n" + +#: ../../src/kadmin/cli/kadmin.c:1230 +#, c-format +msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" +msgstr "" +"HINWEIS: Für %s wurde keine Richtlinie angegeben, es wird »default« " +"zugewiesen\n" + +#: ../../src/kadmin/cli/kadmin.c:1235 +#, c-format +msgid "WARNING: no policy specified for %s; defaulting to no policy\n" +msgstr "" +"WARNUNG: Für %s wurde keine Richtlinie angegeben, es wird die Vorgabe " +"»keine\n" +"Richtlinie« verwandt.\n" + +#: ../../src/kadmin/cli/kadmin.c:1276 +#, c-format +msgid "Admin server does not support -nokey while creating \"%s\"\n" +msgstr "" +"Der Administrationsrechner unterstützt beim Erstellen von »%s« kein -nokey\n" + +#: ../../src/kadmin/cli/kadmin.c:1298 +#, c-format +msgid "while clearing DISALLOW_ALL_TIX for \"%s\"." +msgstr "beim Löschen von DISALLOW_ALL_TIX für »%s«." + +#: ../../src/kadmin/cli/kadmin.c:1345 +#, c-format +msgid "while getting \"%s\"." +msgstr "beim Holen von »%s«." + +#: ../../src/kadmin/cli/kadmin.c:1371 +#, c-format +msgid "while modifying \"%s\"." +msgstr "beim Ändern von »%s«." + +#: ../../src/kadmin/cli/kadmin.c:1375 +#, c-format +msgid "Principal \"%s\" modified.\n" +msgstr "Principal »%s« wurde geändert.\n" + +#: ../../src/kadmin/cli/kadmin.c:1396 +#, c-format +msgid "usage: get_principal [-terse] principal\n" +msgstr "Aufruf: get_principal [-terse] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:1415 +#, c-format +msgid "while retrieving \"%s\"." +msgstr "beim Abfragen von »%s«." + +#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425 +msgid "while unparsing principal" +msgstr "beim Rückgängigmachen der Auswertung des Principals" + +#: ../../src/kadmin/cli/kadmin.c:1429 +#, c-format +msgid "Principal: %s\n" +msgstr "Principal: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1430 +#, c-format +msgid "Expiration date: %s\n" +msgstr "Ablaufdatum: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433 +#: ../../src/kadmin/cli/kadmin.c:1444 +msgid "[never]" +msgstr "[niemals]" + +#: ../../src/kadmin/cli/kadmin.c:1432 +#, c-format +msgid "Last password change: %s\n" +msgstr "Letzte Passwortänderung: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1434 +#, c-format +msgid "Password expiration date: %s\n" +msgstr "Passwortablaufdatum: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1478 +msgid "[none]" +msgstr "[keins]" + +#: ../../src/kadmin/cli/kadmin.c:1437 +#, c-format +msgid "Maximum ticket life: %s\n" +msgstr "maximale Ticketlebensdauer: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1438 +#, c-format +msgid "Maximum renewable life: %s\n" +msgstr "maximale verlängerbare Lebensdauer: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1440 +#, c-format +msgid "Last modified: %s (%s)\n" +msgstr "zuletzt geändert: %s (%s)\n" + +#: ../../src/kadmin/cli/kadmin.c:1442 +#, c-format +msgid "Last successful authentication: %s\n" +msgstr "letzte erfolgreiche Authentifizierung: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1448 +#, c-format +msgid "Failed password attempts: %d\n" +msgstr "Fehlgeschlagene Anmeldeversuche: %d\n" + +#: ../../src/kadmin/cli/kadmin.c:1450 +#, c-format +msgid "Number of keys: %d\n" +msgstr "Anzahl der Schlüssel: %d\n" + +#: ../../src/kadmin/cli/kadmin.c:1457 +#, c-format +msgid "" +msgstr "" + +#: ../../src/kadmin/cli/kadmin.c:1464 +#, c-format +msgid "" +msgstr "" + +#: ../../src/kadmin/cli/kadmin.c:1470 +#, c-format +msgid "MKey: vno %d\n" +msgstr "MKey: vno %d\n" + +#: ../../src/kadmin/cli/kadmin.c:1472 +#, c-format +msgid "Attributes:" +msgstr "Attribute:" + +#: ../../src/kadmin/cli/kadmin.c:1480 +msgid " [does not exist]" +msgstr " [existiert nicht]" + +#: ../../src/kadmin/cli/kadmin.c:1481 +#, c-format +msgid "Policy: %s%s\n" +msgstr "Richtlinie: %s%s\n" + +#: ../../src/kadmin/cli/kadmin.c:1517 +#, c-format +msgid "usage: get_principals [expression]\n" +msgstr "Aufruf: get_principals [Ausdruck]\n" + +#: ../../src/kadmin/cli/kadmin.c:1522 ../../src/kadmin/cli/kadmin.c:1794 +msgid "while retrieving list." +msgstr "beim Abfragen der Liste." + +#: ../../src/kadmin/cli/kadmin.c:1647 +#, c-format +msgid "%s: parser lost count!\n" +msgstr "%s: Auswertungsprogramm verlor Anzahl!\n" + +#: ../../src/kadmin/cli/kadmin.c:1656 +#, c-format +msgid "usage; %s [options] policy\n" +msgstr "Aufruf: %s [Optionen] Richtlinie\n" + +#: ../../src/kadmin/cli/kadmin.c:1659 +#, c-format +msgid "" +"\t\t[-maxlife time] [-minlife time] [-minlength length]\n" +"\t\t[-minclasses number] [-history number]\n" +"\t\t[-maxfailure number] [-failurecountinterval time]\n" +"\t\t[-allowedkeysalts keysalts]\n" +msgstr "" +"\t\t[-maxlife Zeit] [-minlife Zeit] [-minlength Länge]\n" +"\t\t[-minclasses Anzahl] [-history Nummer]\n" +"\t\t[-maxfailure Anzahl] [-failurecountinterval Zeit]\n" +"\t\t[-allowedkeysalts Schlüssel-Salts]\n" + +#: ../../src/kadmin/cli/kadmin.c:1663 +#, c-format +msgid "\t\t[-lockoutduration time]\n" +msgstr "\t\t[-lockoutduration Dauer]\n" + +#: ../../src/kadmin/cli/kadmin.c:1682 +#, c-format +msgid "while creating policy \"%s\"." +msgstr "beim Erstellen der Richtlinie »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1703 +#, c-format +msgid "while modifying policy \"%s\"." +msgstr "beim Ändern der Richtlinie »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1715 +#, c-format +msgid "usage: delete_policy [-force] policy\n" +msgstr "Aufruf: delete_policy [-force] Richtlinie\n" + +#: ../../src/kadmin/cli/kadmin.c:1719 +#, c-format +msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): " +msgstr "" +"Sind Sie sicher, dass Sie die Richtlinie »%s« löschen möchten? (yes/no): " + +#: ../../src/kadmin/cli/kadmin.c:1723 +#, c-format +msgid "Policy \"%s\" not deleted.\n" +msgstr "Richtlinie »%s« nicht gelöscht\n" + +#: ../../src/kadmin/cli/kadmin.c:1729 +#, c-format +msgid "while deleting policy \"%s\"" +msgstr "bei Löschen der Richtlinie »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1741 +#, c-format +msgid "usage: get_policy [-terse] policy\n" +msgstr "Aufruf: get_policy [-terse] Richtlinie\n" + +#: ../../src/kadmin/cli/kadmin.c:1746 +#, c-format +msgid "while retrieving policy \"%s\"." +msgstr "beim Abfragen der Richtlinie »%s«." + +#: ../../src/kadmin/cli/kadmin.c:1751 +#, c-format +msgid "Policy: %s\n" +msgstr "Richtlinie: »%s«\n" + +#: ../../src/kadmin/cli/kadmin.c:1752 +#, c-format +msgid "Maximum password life: %ld\n" +msgstr "maximale Passwortlebensdauer: %ld\n" + +#: ../../src/kadmin/cli/kadmin.c:1753 +#, c-format +msgid "Minimum password life: %ld\n" +msgstr "minimale Passwortlebensdauer: %ld\n" + +#: ../../src/kadmin/cli/kadmin.c:1754 +#, c-format +msgid "Minimum password length: %ld\n" +msgstr "minimale Passwortlänge: %ld\n" + +#: ../../src/kadmin/cli/kadmin.c:1755 +#, c-format +msgid "Minimum number of password character classes: %ld\n" +msgstr "minimale Anzahl von Passwortzeichenklassen: %ld\n" + +#: ../../src/kadmin/cli/kadmin.c:1757 +#, c-format +msgid "Number of old keys kept: %ld\n" +msgstr "Anzahl aufbewahrter alter Schlüssel: %ld\n" + +#: ../../src/kadmin/cli/kadmin.c:1758 +#, c-format +msgid "Maximum password failures before lockout: %lu\n" +msgstr "maximale Anzahl falscher Passworteingaben vor dem Sperren: %lu\n" + +#: ../../src/kadmin/cli/kadmin.c:1760 +#, c-format +msgid "Password failure count reset interval: %s\n" +msgstr "Rücksetzintervall für zu viele falsch eingebene Passwörter: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1762 +#, c-format +msgid "Password lockout duration: %s\n" +msgstr "Passwortsperrdauer: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1765 +#, c-format +msgid "Allowed key/salt types: %s\n" +msgstr "erlaubte Schlüssel-/Salt-Typen: %s\n" + +#: ../../src/kadmin/cli/kadmin.c:1789 +#, c-format +msgid "usage: get_policies [expression]\n" +msgstr "Aufruf: get_policies [Ausdruck]\n" + +#: ../../src/kadmin/cli/kadmin.c:1811 +#, c-format +msgid "usage: get_privs\n" +msgstr "Aufruf: get_privs\n" + +#: ../../src/kadmin/cli/kadmin.c:1816 +msgid "while retrieving privileges" +msgstr "beim Abfragen von Rechten" + +#: ../../src/kadmin/cli/kadmin.c:1819 +#, c-format +msgid "current privileges:" +msgstr "aktuelle Rechte:" + +#: ../../src/kadmin/cli/kadmin.c:1845 +#, c-format +msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n" +msgstr "" +"Aufruf: purgekeys [-all|-keepkvno älteste_KVNO_die_behalten_wird] Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:1865 +#, c-format +msgid "while purging keys for principal \"%s\"" +msgstr "beim vollständigen Löschen der Schlüssel für Principal »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1870 +#, c-format +msgid "All keys for principal \"%s\" removed.\n" +msgstr "Alle Schlüssel für Principal »%s« wurden entfernt.\n" + +#: ../../src/kadmin/cli/kadmin.c:1872 +#, c-format +msgid "Old keys for principal \"%s\" purged.\n" +msgstr "Alte Schlüssel für Principal »%s« wurden entfernt.\n" + +#: ../../src/kadmin/cli/kadmin.c:1889 +#, c-format +msgid "usage: get_strings principal\n" +msgstr "Aufruf: get_strings Principal\n" + +#: ../../src/kadmin/cli/kadmin.c:1909 +#, c-format +msgid "while getting attributes for principal \"%s\"" +msgstr "beim Holen von Attributen für Principal »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1914 +#, c-format +msgid "(No string attributes.)\n" +msgstr "(keine Zeichenkettenattribute)\n" + +#: ../../src/kadmin/cli/kadmin.c:1933 +#, c-format +msgid "usage: set_string principal key value\n" +msgstr "Aufruf: set_string Principal Schlüssel Wert\n" + +#: ../../src/kadmin/cli/kadmin.c:1955 +#, c-format +msgid "while setting attribute on principal \"%s\"" +msgstr "beim Setzen eines Attributes für Principal »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1959 +#, c-format +msgid "Attribute set for principal \"%s\".\n" +msgstr "Attribute für Principal »%s« wurden gesetzt.\n" + +#: ../../src/kadmin/cli/kadmin.c:1974 +#, c-format +msgid "usage: del_string principal key\n" +msgstr "Aufruf: del_string Principal Schlüssel\n" + +#: ../../src/kadmin/cli/kadmin.c:1995 +#, c-format +msgid "while deleting attribute from principal \"%s\"" +msgstr "beim Löschen eines Attributs von Principal »%s«" + +#: ../../src/kadmin/cli/kadmin.c:1999 +#, c-format +msgid "Attribute removed from principal \"%s\".\n" +msgstr "Attribut von Principal »%s« wurde gelöscht.\n" + +#: ../../src/kadmin/cli/keytab.c:56 +#, c-format +msgid "" +"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] " +"[principal | -glob princ-exp] [...]\n" +msgstr "" +"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] [-" +"norandkey] [Principal | -glob Principal-Ausdruck] […]\n" + +#: ../../src/kadmin/cli/keytab.c:59 +#, c-format +msgid "" +"Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [principal | -glob " +"princ-exp] [...]\n" +msgstr "" +"Aufruf: ktadd [-k[eytab] Schlüsseltabelle] [-q] [-e Schlüssel-Salt-Liste] " +"[Principal | -glob Principal-Ausdruck] […]\n" + +#: ../../src/kadmin/cli/keytab.c:67 +#, c-format +msgid "" +"Usage: ktremove [-k[eytab] keytab] [-q] principal [kvno|\"all\"|\"old\"]\n" +msgstr "" +"Aufruf: ktremove [-k[eytab] Schlüsseltabelle] [-q] Principal " +"[kvno|»all«|»old«]\n" + +#: ../../src/kadmin/cli/keytab.c:81 ../../src/kadmin/cli/keytab.c:102 +msgid "while creating keytab name" +msgstr "beim Erstellen des Schlüsseltabellennamens" + +#: ../../src/kadmin/cli/keytab.c:86 +msgid "while opening default keytab" +msgstr "beim Öffnen der Standardschlüsseltabelle" + +#: ../../src/kadmin/cli/keytab.c:147 +#, c-format +msgid "-norandkey option only valid for kadmin.local\n" +msgstr "Die Option »-norandkey« ist nur für »kadmin.local« gültig.\n" + +#: ../../src/kadmin/cli/keytab.c:176 +#, c-format +msgid "cannot specify keysaltlist when not changing key\n" +msgstr "" +"Schlüssel-Salt-Liste kann nicht angegeben werden, wenn der Schlüssel nicht " +"geändert wird\n" + +#: ../../src/kadmin/cli/keytab.c:192 +#, c-format +msgid "while expanding expression \"%s\"." +msgstr "beim Expandieren des Ausdrucks »%s«." + +#: ../../src/kadmin/cli/keytab.c:211 ../../src/kadmin/cli/keytab.c:251 +msgid "while closing keytab" +msgstr "beim Schließen der Schlüsseltabelle" + +#: ../../src/kadmin/cli/keytab.c:275 +#, c-format +msgid "while parsing -add principal name %s" +msgstr "beim Auswerten von »-add Principal-Name %s«" + +#: ../../src/kadmin/cli/keytab.c:289 +#, c-format +msgid "%s: Principal %s does not exist.\n" +msgstr "%s: Principal %s existiert nicht.\n" + +#: ../../src/kadmin/cli/keytab.c:292 +#, c-format +msgid "while changing %s's key" +msgstr "beim Ändern des Schlüssels von %s" + +#: ../../src/kadmin/cli/keytab.c:299 +msgid "while retrieving principal" +msgstr "beim Abfragen des Principals" + +#: ../../src/kadmin/cli/keytab.c:311 +msgid "while adding key to keytab" +msgstr "beim Hinzufügen des Schlüssels zur Schlüsseltabelle" + +#: ../../src/kadmin/cli/keytab.c:317 +#, c-format +msgid "" +"Entry for principal %s with kvno %d, encryption type %s added to keytab %s.\n" +msgstr "" +"Der Eintrag für Principal %s mit KVNO %d und Verschlüsselungstyp %s wurde " +"der Schlüsseltabelle %s hinzugefügt.\n" + +#: ../../src/kadmin/cli/keytab.c:326 +msgid "while freeing principal entry" +msgstr "beim Freigeben des Principal-Eintrags" + +#: ../../src/kadmin/cli/keytab.c:373 +#, c-format +msgid "%s: Keytab %s does not exist.\n" +msgstr "%s: Schlüsseltabelle %s existiert nicht.\n" + +#: ../../src/kadmin/cli/keytab.c:377 +#, c-format +msgid "%s: No entry for principal %s exists in keytab %s\n" +msgstr "" +"%s: Für Principal %s existiert kein Eintrag in der Schlüsseltabelle %s.\n" + +#: ../../src/kadmin/cli/keytab.c:381 +#, c-format +msgid "%s: No entry for principal %s with kvno %d exists in keytab %s\n" +msgstr "" +"%s: Für den Principal %s mit der KVNO %d existiert kein Eintrag in der " +"Schlüsseltabelle %s.\n" + +#: ../../src/kadmin/cli/keytab.c:387 +msgid "while retrieving highest kvno from keytab" +msgstr "beim Abfragen der höchsten KVNO der Schlüsseltabelle" + +#: ../../src/kadmin/cli/keytab.c:420 +msgid "while temporarily ending keytab scan" +msgstr "beim Unterbrechen des Schlüsseltabellen-Scans" + +#: ../../src/kadmin/cli/keytab.c:425 +msgid "while deleting entry from keytab" +msgstr "beim Löschen eines Eintrags aus der Schlüsseltabelle" + +#: ../../src/kadmin/cli/keytab.c:430 +msgid "while restarting keytab scan" +msgstr "bei der Wiederaufnahme des Schlüsseltabellen-Scans" + +#: ../../src/kadmin/cli/keytab.c:436 +#, c-format +msgid "Entry for principal %s with kvno %d removed from keytab %s.\n" +msgstr "" +"Der Eintrag für Principal %s mit KVNO %d wurde aus der Schlüsseltabelle %s " +"entfernt.\n" + +#: ../../src/kadmin/cli/keytab.c:458 +#, c-format +msgid "%s: There is only one entry for principal %s in keytab %s\n" +msgstr "" +"%s: Es gibt nur einen Eintrag für Principal %s in der Schlüsseltabelle %s.\n" + +#: ../../src/kadmin/cli/ss_wrapper.c:49 ../../src/kadmin/ktutil/ktutil.c:58 +msgid "creating invocation" +msgstr "Aufruf wird erstellt" + +#: ../../src/kadmin/dbutil/dump.c:165 +msgid "while allocating temporary filename dump" +msgstr "beim Reservieren des temporären Dateinamenspeicherauszugs" + +#: ../../src/kadmin/dbutil/dump.c:176 +msgid "while renaming dump file into place" +msgstr "während das Umbenennen der Auszugsdateien Gestalt annimmt" + +#: ../../src/kadmin/dbutil/dump.c:192 +msgid "while allocating dump_ok filename" +msgstr "beim Reservieren des »dump_ok«-Dateinamens" + +#: ../../src/kadmin/dbutil/dump.c:199 +#, c-format +msgid "while creating 'ok' file, '%s'" +msgstr "beim Erstellen der Datei »ok«, »%s«" + +#: ../../src/kadmin/dbutil/dump.c:206 +#, c-format +msgid "while locking 'ok' file, '%s'" +msgstr "beim Sperren der Datei »ok«, »%s«" + +#: ../../src/kadmin/dbutil/dump.c:248 ../../src/kadmin/dbutil/dump.c:277 +#, c-format +msgid "%s: regular expression error: %s\n" +msgstr "%s: Fehler im regulären Ausdruck: %s\n" + +#: ../../src/kadmin/dbutil/dump.c:260 +#, c-format +msgid "%s: regular expression match error: %s\n" +msgstr "%s: Fehler beim Abgleich mit regulärem Ausdruck: %s\n" + +#: ../../src/kadmin/dbutil/dump.c:361 +#, c-format +msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n" +msgstr "" +"%s: Unstimmigkeit in der markierten Datenliste für %s (%d gezählt, %d " +"gespeichert)\n" + +#: ../../src/kadmin/dbutil/dump.c:519 +#, c-format +msgid "" +"Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n" +msgstr "" +"Warnung! Mehrere DES-CBC-CRC-Schlüssel für Principal %s, Duplikate werden " +"übersprungen.\n" + +#: ../../src/kadmin/dbutil/dump.c:530 +#, c-format +msgid "" +"Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible " +"record; skipping\n" +msgstr "" +"Warnung! Kein DES-CBC-CRC-Schlüssel für Principal %s, es kann kein OV-" +"kompatibler Datensatz erzeugt werden, wird übersprungen\n" + +#: ../../src/kadmin/dbutil/dump.c:558 +#, c-format +msgid "while converting %s to new master key" +msgstr "beim Umwandeln von %s in den neuen Hauptschlüssel" + +#: ../../src/kadmin/dbutil/dump.c:579 +#, c-format +msgid "%s(%d): %s\n" +msgstr "%s(%d): %s\n" + +#: ../../src/kadmin/dbutil/dump.c:622 +#, c-format +msgid "%s(%d): ignoring trash at end of line: " +msgstr "%s(%d): Müll am Zeilenende wird ignoriert: " + +#: ../../src/kadmin/dbutil/dump.c:685 +msgid "cannot read tagged data type and length" +msgstr "Markierter Datentyp und Länge können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:692 +msgid "cannot read tagged data contents" +msgstr "Inhalt der markierten Daten kann nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:726 +msgid "cannot match size tokens" +msgstr "Größenmerkmale können nicht zugeordnet werden." + +#: ../../src/kadmin/dbutil/dump.c:755 +msgid "cannot read name string" +msgstr "Namenszeichenkette kann nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:760 +#, c-format +msgid "while parsing name %s" +msgstr "beim Auswerten des Namens %s" + +#: ../../src/kadmin/dbutil/dump.c:768 +msgid "cannot read principal attributes" +msgstr "Principal-Attribute können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:821 +msgid "cannot read key size and version" +msgstr "Schlüssellänge und -version können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:832 +msgid "cannot read key type and length" +msgstr "Schlüsseltyp und -länge können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:838 +msgid "cannot read key data" +msgstr "Schlüsseldaten können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:848 +msgid "cannot read extra data" +msgstr "Zusätzliche Daten können nicht gelesen werden." + +#: ../../src/kadmin/dbutil/dump.c:857 +#, c-format +msgid "while storing %s" +msgstr "beim Speichern von %s" + +#: ../../src/kadmin/dbutil/dump.c:896 ../../src/kadmin/dbutil/dump.c:935 +#: ../../src/kadmin/dbutil/dump.c:981 +#, c-format +msgid "cannot parse policy (%d read)\n" +msgstr "Richtlinie kann nicht ausgewertet werden (%d gelesen)\n" + +#: ../../src/kadmin/dbutil/dump.c:904 ../../src/kadmin/dbutil/dump.c:943 +#: ../../src/kadmin/dbutil/dump.c:1001 +msgid "while creating policy" +msgstr "beim Erstellen der Richtlinie" + +#: ../../src/kadmin/dbutil/dump.c:908 +#, c-format +msgid "created policy %s\n" +msgstr "erstellte Richtlinie %s\n" + +#: ../../src/kadmin/dbutil/dump.c:1038 +#, c-format +msgid "unknown record type \"%s\"\n" +msgstr "unbekannter Datensatztyp »%s«\n" + +#: ../../src/kadmin/dbutil/dump.c:1167 +#, c-format +msgid "%s: Unknown iprop dump version %d\n" +msgstr "%s: unbekannte Iprop-Auszugsversion %d\n" + +#: ../../src/kadmin/dbutil/dump.c:1270 ../../src/kadmin/dbutil/dump.c:1498 +#, c-format +msgid "Iprop not enabled\n" +msgstr "Iprop nicht aktiviert\n" + +#: ../../src/kadmin/dbutil/dump.c:1308 +msgid "Conditional dump is an undocumented option for use only for iprop dumps" +msgstr "" +"Bedingter Auszug ist eine nicht dokumentierte Option, die nur für Iprop-" +"Auszüge benutzt wird." + +#: ../../src/kadmin/dbutil/dump.c:1321 +msgid "Database not currently opened!" +msgstr "Die Datenbank ist zur Zeit nicht geöffnet!" + +#: ../../src/kadmin/dbutil/dump.c:1335 +#: ../../src/kadmin/dbutil/kdb5_stash.c:116 +#: ../../src/kadmin/dbutil/kdb5_util.c:479 +msgid "while reading master key" +msgstr "beim Lesen des Hauptschlüssels" + +#: ../../src/kadmin/dbutil/dump.c:1341 +msgid "while verifying master key" +msgstr "beim Prüfen des Hauptschlüssels" + +#: ../../src/kadmin/dbutil/dump.c:1360 ../../src/kadmin/dbutil/dump.c:1370 +msgid "while reading new master key" +msgstr "beim Lesen des neuen Hauptschlüssels" + +#: ../../src/kadmin/dbutil/dump.c:1364 +#, c-format +msgid "Please enter new master key....\n" +msgstr "Bitte geben Sie den neuen Hauptschlüssel ein …\n" + +#: ../../src/kadmin/dbutil/dump.c:1388 +#, c-format +msgid "while opening %s for writing" +msgstr "beim Öffnen von %s zum Schreiben" + +#: ../../src/kadmin/dbutil/dump.c:1403 +msgid "while reading update log header" +msgstr "beim Lesen der Aktualisierungsprotokollkopfzeilen" + +#: ../../src/kadmin/dbutil/dump.c:1418 ../../src/kadmin/dbutil/dump.c:1425 +#, c-format +msgid "performing %s dump" +msgstr "Auszug von %s wird durchgeführt" + +#: ../../src/kadmin/dbutil/dump.c:1455 +#, c-format +msgid "%s: error processing line %d of %s\n" +msgstr "%s: Fehler beim Verarbeiten von Zeile %d von %s\n" + +#: ../../src/kadmin/dbutil/dump.c:1507 +msgid "while parsing options" +msgstr "beim Auswerten der Optionen" + +#: ../../src/kadmin/dbutil/dump.c:1522 +#, c-format +msgid "while opening %s" +msgstr "beim Öffnen von %s" + +#: ../../src/kadmin/dbutil/dump.c:1527 ../../src/kadmin/dbutil/dump.c:1626 +msgid "standard input" +msgstr "Standardeingabe" + +#: ../../src/kadmin/dbutil/dump.c:1532 +#, c-format +msgid "%s: can't read dump header in %s\n" +msgstr "%s: Kopfzeilen des Auszugs in %s können nicht gelesen werden.\n" + +#: ../../src/kadmin/dbutil/dump.c:1540 ../../src/kadmin/dbutil/dump.c:1557 +#, c-format +msgid "%s: dump header bad in %s\n" +msgstr "%s: falsche Kopfzeilen des Auszugs in %s\n" + +#: ../../src/kadmin/dbutil/dump.c:1566 +#, c-format +msgid "Could not open iprop ulog\n" +msgstr "Iprop-Ulog kann nicht geöffnet werden.\n" + +#: ../../src/kadmin/dbutil/dump.c:1571 +#, c-format +msgid "%s: dump version %s can only be loaded with the -update flag\n" +msgstr "" +"%s: Die Auszugsversion %s kann nur mit dem Schalter -update geladen werden.\n" + +#: ../../src/kadmin/dbutil/dump.c:1580 ../../src/kadmin/dbutil/dump.c:1585 +msgid "computing parameters for database" +msgstr "Parameter für die Datenbank werden berechnet." + +#: ../../src/kadmin/dbutil/dump.c:1591 +msgid "while creating database" +msgstr "beim Erstellen der Datenbank" + +#: ../../src/kadmin/dbutil/dump.c:1600 +msgid "while opening database" +msgstr "beim Öffnen der Datenbank" + +#: ../../src/kadmin/dbutil/dump.c:1610 +msgid "while permanently locking database" +msgstr "beim dauerhaften Sperren der Datenbank" + +#: ../../src/kadmin/dbutil/dump.c:1628 +#, c-format +msgid "%s: %s restore failed\n" +msgstr "%s: Wiederherstellen von %s fehlgeschlagen\n" + +#: ../../src/kadmin/dbutil/dump.c:1633 +msgid "while unlocking database" +msgstr "beim Aufheben der Datenbanksperre" + +#: ../../src/kadmin/dbutil/dump.c:1643 ../../src/kadmin/dbutil/dump.c:1662 +msgid "while reinitializing update log" +msgstr "beim erneuten Initialisieren des Aktualisierungsprotokolls" + +#: ../../src/kadmin/dbutil/dump.c:1653 +msgid "while making newly loaded database live" +msgstr "beim Aktivieren der neu geladenen Datenbank" + +#: ../../src/kadmin/dbutil/dump.c:1669 +msgid "while writing update log header" +msgstr "beim Schreiben der Aktualisierungsprotokollkopfzeilen" + +#: ../../src/kadmin/dbutil/dump.c:1683 +#, c-format +msgid "while deleting bad database %s" +msgstr "beim Löschen der falschen Datenbank %s" + +#: ../../src/kadmin/dbutil/kadm5_create.c:84 +msgid "while looking up the Kerberos configuration" +msgstr "beim Nachschlagen der Kerberos-Konfiguration" + +#: ../../src/kadmin/dbutil/kadm5_create.c:111 +msgid "while initializing the Kerberos admin interface" +msgstr "beim Initialisieren der Kerberos-Administrationsoberfläche" + +#: ../../src/kadmin/dbutil/kadm5_create.c:169 +#, c-format +msgid "getaddrinfo(%s): Cannot determine canonical hostname.\n" +msgstr "" +"getaddrinfo(%s): Die Normalform des Rechnernamens kann nicht bestimmt " +"werden.\n" + +#: ../../src/kadmin/dbutil/kadm5_create.c:190 +#: ../../src/kadmin/dbutil/kadm5_create.c:196 +#, c-format +msgid "Out of memory\n" +msgstr "Speicherplatz reicht nicht aus.\n" + +#: ../../src/kadmin/dbutil/kadm5_create.c:270 +msgid "while appending realm to principal" +msgstr "beim Anhängen des Realms an den Principal" + +#: ../../src/kadmin/dbutil/kadm5_create.c:275 +msgid "while parsing admin principal name" +msgstr "beim Auswerten des Principal-Namens des Administrators" + +#: ../../src/kadmin/dbutil/kadm5_create.c:286 +#, c-format +msgid "while creating principal %s" +msgstr "beim Erstellen des Principals %s" + +#: ../../src/kadmin/dbutil/kdb5_create.c:175 +#: ../../src/kadmin/dbutil/kdb5_util.c:241 +#: ../../src/kadmin/dbutil/kdb5_util.c:248 +msgid "while parsing command arguments\n" +msgstr "beim Auswerten der Befehlsargumente\n" + +#: ../../src/kadmin/dbutil/kdb5_create.c:198 +#, c-format +msgid "Loading random data\n" +msgstr "Zufällige Daten werden geladen.\n" + +#: ../../src/kadmin/dbutil/kdb5_create.c:201 +msgid "Loading random data" +msgstr "Zufällige Daten werden geladen." + +#: ../../src/kadmin/dbutil/kdb5_create.c:211 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:242 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:435 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:591 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1149 +#: ../../src/kadmin/dbutil/kdb5_util.c:423 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:606 +msgid "while setting up master key name" +msgstr "beim Einrichten des Hauptschlüsselnamens" + +#: ../../src/kadmin/dbutil/kdb5_create.c:222 +#, c-format +msgid "" +"Initializing database '%s' for realm '%s',\n" +"master key name '%s'\n" +msgstr "" +"Datenbank »%s« für Realm »%s« wird initialisiert,\n" +"Hauptschlüsselname »%s«\n" + +#: ../../src/kadmin/dbutil/kdb5_create.c:227 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:516 +#, c-format +msgid "You will be prompted for the database Master Password.\n" +msgstr "Sie werden nach dem Master-Passwort der Datenbank gefragt.\n" + +#: ../../src/kadmin/dbutil/kdb5_create.c:228 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:260 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517 +#, c-format +msgid "It is important that you NOT FORGET this password.\n" +msgstr "Es ist wichtig, dass Sie dieses Passwort NICHT VERGESSEN.\n" + +#: ../../src/kadmin/dbutil/kdb5_create.c:234 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:266 +msgid "while creating new master key" +msgstr "beim Erstellen des neuen Hauptschlüssels" + +#: ../../src/kadmin/dbutil/kdb5_create.c:242 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:527 +msgid "while reading master key from keyboard" +msgstr "beim Lesen des Hauptschlüssels von der Tastatur" + +#: ../../src/kadmin/dbutil/kdb5_create.c:252 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:285 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:618 +msgid "while calculating master key salt" +msgstr "beim Berechnen des Hauptschlüssel-Salts" + +#: ../../src/kadmin/dbutil/kdb5_create.c:260 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:294 +#: ../../src/kadmin/dbutil/kdb5_util.c:465 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:630 +msgid "while transforming master key from password" +msgstr "beim Umwandeln des Hauptschlüssels vom Passwort" + +#: ../../src/kadmin/dbutil/kdb5_create.c:270 +msgid "while initializing random key generator" +msgstr "beim Initialisieren des Zufallsschlüsselgenerators" + +#: ../../src/kadmin/dbutil/kdb5_create.c:275 +#, c-format +msgid "while creating database '%s'" +msgstr "beim Erstellen der Datenbank »%s«" + +#: ../../src/kadmin/dbutil/kdb5_create.c:293 +msgid "while creating update log" +msgstr "beim Erstellen des Aktualisierungsprotokolls" + +#: ../../src/kadmin/dbutil/kdb5_create.c:304 +msgid "while initializing update log" +msgstr "beim Initialisieren des Aktualisierungsprotokolls" + +#: ../../src/kadmin/dbutil/kdb5_create.c:320 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:642 +msgid "while adding entries to the database" +msgstr "beim Hinzufügen von Einträgen in die Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_create.c:348 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:339 +#: ../../src/kadmin/dbutil/kdb5_stash.c:133 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:667 +msgid "while storing key" +msgstr "beim Speichern des Schlüssels" + +#: ../../src/kadmin/dbutil/kdb5_create.c:349 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:340 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:668 +#, c-format +msgid "Warning: couldn't stash master key.\n" +msgstr "Warnung: Hauptschlüssel kann nicht gelagert werden.\n" + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:57 +msgid "while initializing krb5_context" +msgstr "beim Initialisieren von »krb5_context«" + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:63 +#: ../../src/kadmin/dbutil/kdb5_util.c:259 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291 +msgid "while setting default realm name" +msgstr "beim Einstellen des Standard-Realm-Namens" + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:83 +#, c-format +msgid "Deleting KDC database stored in '%s', are you sure?\n" +msgstr "" +"Die in »%s« gespeicherte KDC-Datenbank wird gelöscht. Sind Sie sicher?\n" + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:85 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1166 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1482 +#, c-format +msgid "(type 'yes' to confirm)? " +msgstr "(Geben Sie als Bestätigung »yes« ein)? " + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:92 +#, c-format +msgid "OK, deleting database '%s'...\n" +msgstr "OK, Datenbank »%s« wird gelöscht …\n" + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:97 +#, c-format +msgid "deleting database '%s'" +msgstr "Datenbank »%s« wird gelöscht." + +#: ../../src/kadmin/dbutil/kdb5_destroy.c:106 +#, c-format +msgid "** Database '%s' destroyed.\n" +msgstr "** Datenbank »%s« vernichtet\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:218 +#, c-format +msgid "%s is an invalid enctype" +msgstr "%s ist ein ungültiger Verschlüsselungstyp" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:250 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:443 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:599 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:986 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1157 +#, c-format +msgid "while getting master key principal %s" +msgstr "beim Holen des Hauptschlüssels von Principal %s" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:256 +#, c-format +msgid "Creating new master key for master key principal '%s'\n" +msgstr "" +"Es wird ein neuer Hauptschlüssel für den Hauptschlüssel-Principal »%s« " +"erstellt.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:259 +#, c-format +msgid "You will be prompted for a new database Master Password.\n" +msgstr "Sie werden nach einem neuen Datenbank-Master-Passwort gefragt.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:275 +msgid "while reading new master key from keyboard" +msgstr "beim Lesen des neuen Hauptschlüssels von der Tastatur" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:304 +msgid "adding new master key to master principal" +msgstr "dem Haupt-Principal wird ein neuer Hauptschlüssel hinzugefügt" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:310 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:402 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:843 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1356 +msgid "while getting current time" +msgstr "beim Holen der aktuellen Zeit" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:317 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:544 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1363 +msgid "while updating the master key principal modification time" +msgstr "beim Aktulisieren der Änderungszeit des Hauptschlüssel-Principals" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:325 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:553 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1374 +msgid "while adding master key entry to the database" +msgstr "beim Hinzufügen des Hauptschlüsseleintrags zur Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:383 +msgid "0 is an invalid KVNO value" +msgstr "0 ist kein gültiger KVNO-Wert" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:394 +#, c-format +msgid "%d is an invalid KVNO value" +msgstr "%d ist kein gültiger KVNO-Wert" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:410 +#, c-format +msgid "could not parse date-time string '%s'" +msgstr "»date-time«-Zeichenkette »%s« konnte nicht ausgewertet werden" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:452 +msgid "while looking up active version of master key" +msgstr "beim Nachschlagen der aktiven Version des Hauptschlüssels" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:491 +msgid "while adding new master key" +msgstr "beim Hinzufügen eines neuen Hauptschlüssels" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:529 +msgid "there must be one master key currently active" +msgstr "ein Hauptschlüssel muss derzeit aktiv sein" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:537 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1342 +msgid "while updating actkvno data for master principal entry" +msgstr "beim Aktualisieren der Actkvno-Daten für den Haupt-Principal-Eintrag" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:581 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:948 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1116 +msgid "master keylist not initialized" +msgstr "Hauptschlüsselliste ist nicht initialisiert" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:607 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:994 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1254 +msgid "while looking up active kvno list" +msgstr "beim Nachschlagen der Liste aktiver KVNOs" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:615 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1002 +msgid "while looking up active master key" +msgstr "beim Nachschlagen des aktiven Hauptschlüssels" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:627 +msgid "while getting enctype description" +msgstr "beim Holen des Verschlüsselungsbeschreibung" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:644 +#, c-format +msgid "KVNO: %d, Enctype: %s, Active on: %s *\n" +msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s *\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:649 +#, c-format +msgid "KVNO: %d, Enctype: %s, Active on: %s\n" +msgstr "KVNO: %d, Verschlüsselungstyp: %s, aktiviert auf: %s\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:653 +#, c-format +msgid "KVNO: %d, Enctype: %s, No activate time set\n" +msgstr "KVNO: %d, Verschlüsselungstyp: %s, keine Aktivierungszeit gesetzt\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:658 +msgid "asprintf could not allocate enough memory to hold output" +msgstr "" +"Asprintf konnte nicht genug Speicher reservieren, um die Ausgabe " +"bereitzuhalten" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:793 +msgid "getting string representation of principal name" +msgstr "Principal-Name wird im Klartext geholt" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:817 +#, c-format +msgid "determining master key used for principal '%s'" +msgstr "Hauptschlüssel, der für Principal »%s« benutzt wird, wird bestimmt" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:823 +#, c-format +msgid "would skip: %s\n" +msgstr "würde übersprungen: %s\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:825 +#, c-format +msgid "skipping: %s\n" +msgstr "wird übersprungen: %s\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:831 +#, c-format +msgid "would update: %s\n" +msgstr "würde aktualisiert: %s\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:835 +#, c-format +msgid "updating: %s\n" +msgstr "wird aktualisiert: %s\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:839 +#, c-format +msgid "error re-encrypting key for principal '%s'" +msgstr "Fehler beim erneuten Verschlüsseln des Schlüssels für Principal »%s«" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:850 +#, c-format +msgid "while updating principal '%s' modification time" +msgstr "beim Aktualisieren der Änderungszeit von Principal »%s«" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:857 +#, c-format +msgid "while updating principal '%s' key data in the database" +msgstr "" +"beim Aktualisieren der Schlüsseldaten von Principal »%s« in der Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:889 +#, c-format +msgid "" +"\n" +"(type 'yes' to confirm)? " +msgstr "" +"\n" +"(Geben Sie als Bestätigung »yes« ein) " + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:942 +msgid "while formatting master principal name" +msgstr "beim Formatieren des Haupt-Principal-Namens" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:959 +#, c-format +msgid "converting glob pattern '%s' to regular expression" +msgstr "Platzhalter »%s« wird in einen regulären Ausdruck umgewandelt" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:977 +#, c-format +msgid "error compiling converted regexp '%s'" +msgstr "Fehler beim Kompilieren des umgewandelten regulären Ausdrucks »%s«" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1010 +#, c-format +msgid "Re-encrypt all keys not using master key vno %u?" +msgstr "" +"Sollen alle Schlüssel neu verschlüsselt werden, die nicht die Hauptschlüssel-" +"VNO %u verwenden?" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1012 +#, c-format +msgid "OK, doing nothing.\n" +msgstr "Ok, es wird nichts getan.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1018 +#, c-format +msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n" +msgstr "" +"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt " +"WÜRDEN:\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1021 +#, c-format +msgid "" +"Principals whose keys are being re-encrypted to master key vno %u if " +"necessary:\n" +msgstr "" +"Principals, deren Schlüssel mit dem Hauptschlüssel VNO %u neu verschlüsselt " +"werden, falls nötig:\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1037 +msgid "trying to process principal database" +msgstr "es wird versucht, die Principal-Datenbank zu verarbeiten" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1042 +#, c-format +msgid "%u principals processed: %u would be updated, %u already current\n" +msgstr "" +"%u Principals verarbeitet: %u würden aktualisiert, %u bereits aktuell\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1046 +#, c-format +msgid "%u principals processed: %u updated, %u already current\n" +msgstr "%u Principals verarbeitet: %u aktualisiert, %u bereits aktuell\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1164 +#, c-format +msgid "" +"Will purge all unused master keys stored in the '%s' principal, are you " +"sure?\n" +msgstr "" +"Sind Sie sicher, dass alle nicht verwendeten Hauptschlüssel, die für " +"Principal »%s« gespeichert sind, vollständig entfernt werden sollen?\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1175 +#, c-format +msgid "OK, purging unused master keys from '%s'...\n" +msgstr "" +"Ok, die nicht verwendeten Hauptschlüssel von »%s« werden vollständig " +"entfernt …\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183 +#, c-format +msgid "There is only one master key which can not be purged.\n" +msgstr "" +"Es gibt nur einen einzigen Hauptschlüssel, der nicht vollständig entfernt " +"werden kann.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1192 +msgid "while allocating args.kvnos" +msgstr "beim Reservieren von »args.kvnos«" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1208 +msgid "while finding master keys in use" +msgstr "bei der Suche nach den gerade verwendeten Hauptschlüsseln" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1217 +#, c-format +msgid "Would purge the following master key(s) from %s:\n" +msgstr "" +"Der/Die folgende(n) Hauptschlüssel würden/würde von %s vollständig " +"entfernt:\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1220 +#, c-format +msgid "Purging the following master key(s) from %s:\n" +msgstr "" +"Der/Die folgende(n) Hauptschlüssel werden/wird von %s vollständig entfernt:\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1232 +msgid "master key stash file needs updating, command aborting" +msgstr "" +"Ablagedatei des Hauptschlüssels erfordert Aktualisierung, Befehl abgebrochen" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1238 +#, c-format +msgid "KVNO: %d\n" +msgstr "KVNO: %d\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1243 +#, c-format +msgid "All keys in use, nothing purged.\n" +msgstr "Alle Schlüssel sind in Gebrauch, keiner wurde vollständig entfernt.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1248 +#, c-format +msgid "%d key(s) would be purged.\n" +msgstr "%d Schlüssel würde(n) vollständig entfernt.\n" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1261 +msgid "while looking up mkey aux data list" +msgstr "beim Nachschlagen der Mkey-Aux-Datenliste" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1269 +msgid "while allocating key_data" +msgstr "beim Reservieren von »key_data«" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1350 +msgid "while updating mkey_aux data for master principal entry" +msgstr "beim Aktualisieren der Mkey-Aux-Daten für den Haupt-Principal-Eintrag" + +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1378 +#, c-format +msgid "%d key(s) purged.\n" +msgstr "%d Schlüssel vollständig entfernt\n" + +#: ../../src/kadmin/dbutil/kdb5_stash.c:97 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:538 +#, c-format +msgid "while setting up enctype %d" +msgstr "beim Einrichten des Verschlüsselungstyps %d" + +#: ../../src/kadmin/dbutil/kdb5_stash.c:123 +msgid "while getting master key list" +msgstr "beim Holen der Hauptschlüsselliste" + +#: ../../src/kadmin/dbutil/kdb5_stash.c:127 +#, c-format +msgid "Using existing stashed keys to update stash file.\n" +msgstr "" +"Zur Aktualisierung der Ablagedatei werden existierende gelagert Schlüssel " +"verwendet.\n" + +#: ../../src/kadmin/dbutil/kdb5_util.c:80 +#, c-format +msgid "" +"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M " +"mkeyname]\n" +"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" +"\tcreate [-s]\n" +"\tdestroy [-f]\n" +"\tstash [-f keyfile]\n" +"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" +"\t [-mkey_convert] [-new_mkey_file mkey_file]\n" +"\t [-rev] [-recurse] [filename [princs...]]\n" +"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] filename\n" +"\tark [-e etype_list] principal\n" +"\tadd_mkey [-e etype] [-s]\n" +"\tuse_mkey kvno [time]\n" +"\tlist_mkeys\n" +msgstr "" +"Aufruf: kdb5_util [-x Datenbankargumente]* [-r Realm] [-d Datenbankname] [-k " +"Mkeytype] [-M Mkeyname]\n" +"\t [-kv MkeyVNO] [-sf Ablagedateiname] [-m] Befehl [Befehlsoptionen]\n" +"\tcreate [-s]\n" +"\tdestroy [-f]\n" +"\tstash [-f Schlüsseldatei]\n" +"\tdump [-old|-ov|-b6|-b7|-r13|-r18] [-verbose]\n" +"\t [-mkey_convert] [-new_mkey_file mkey-Datei]\n" +"\t [-rev] [-recurse] [Dateiname [Principals …]]\n" +"\tload [-old|-ov|-b6|-b7|-r13|-r18] [-verbose] [-update] Dateiname\n" +"\tark [-e Etype-Liste] Principal\n" +"\tadd_mkey [-e Etype] [-s]\n" +"\tuse_mkey kvno [Zeit]\n" +"\tlist_mkeys\n" + +#: ../../src/kadmin/dbutil/kdb5_util.c:98 +#, c-format +msgid "" +"\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" +"\tpurge_mkeys [-f] [-n] [-v]\n" +"\n" +"where,\n" +"\t[-x db_args]* - any number of database specific arguments.\n" +"\t\t\tLook at each database documentation for supported arguments\n" +msgstr "" +"\tupdate_princ_encryption [-f] [-n] [-v] [Principal-Muster]\n" +"\tpurge_mkeys [-f] [-n] [-v]\n" +"\n" +"dabei sind\n" +"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " +"Argumente.\n" +"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " +"der jeweiligen Datenbank.\n" + +#: ../../src/kadmin/dbutil/kdb5_util.c:211 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260 +msgid "while initializing Kerberos code" +msgstr "beim Initialisieren von Kerberos-Code" + +#: ../../src/kadmin/dbutil/kdb5_util.c:217 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267 +msgid "while creating sub-command arguments" +msgstr "beim Erstellen von Unterbefehlsargumenten" + +#: ../../src/kadmin/dbutil/kdb5_util.c:235 +msgid "while parsing command arguments" +msgstr "beim Auswerten von Befehlsargumenten" + +#: ../../src/kadmin/dbutil/kdb5_util.c:264 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298 +#, c-format +msgid ": %s is an invalid enctype" +msgstr ": %s ist kein gültiger Verschlüsselungstyp" + +#: ../../src/kadmin/dbutil/kdb5_util.c:272 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307 +#, c-format +msgid ": %s is an invalid mkeyVNO" +msgstr ": %s ist kein gültiger MkeyVNO" + +# FIXME s/retreiving/retrieving/ +#: ../../src/kadmin/dbutil/kdb5_util.c:317 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431 +msgid "while retreiving configuration parameters" +msgstr "beim Abfragen der Konfigurationsparameter" + +#: ../../src/kadmin/dbutil/kdb5_util.c:368 +msgid "Too few arguments" +msgstr "zu wenige Argumente" + +#: ../../src/kadmin/dbutil/kdb5_util.c:369 +#, c-format +msgid "Usage: %s dbpathname realmname" +msgstr "Aufruf: %s Datenbankpfadname Realm-Name" + +#: ../../src/kadmin/dbutil/kdb5_util.c:375 +msgid "while closing previous database" +msgstr "beim Schließen der vorherigen Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_util.c:412 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:877 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1497 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564 +msgid "while initializing database" +msgstr "beim Initialisieren der Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_util.c:429 +msgid "while retrieving master entry" +msgstr "beim Abfragen des Haupteintrags" + +#: ../../src/kadmin/dbutil/kdb5_util.c:448 +msgid "while calculated master key salt" +msgstr "beim Berechnen des Hauptschlüssel-Salts" + +#: ../../src/kadmin/dbutil/kdb5_util.c:480 +msgid "Warning: proceeding without master key" +msgstr "Warnung: Es wird ohne Hauptschlüssel fortgefahren" + +#: ../../src/kadmin/dbutil/kdb5_util.c:498 +msgid "while seeding random number generator" +msgstr "beim Erzeugen des Startwerts des Zufallszahlengenerators" + +#: ../../src/kadmin/dbutil/kdb5_util.c:508 +#, c-format +msgid "%s: Could not map log\n" +msgstr "%s: Protokolldatei konnte nicht abgebildet werden\n" + +#: ../../src/kadmin/dbutil/kdb5_util.c:535 +msgid "while closing database" +msgstr "beim Schließen der Datenbank" + +#: ../../src/kadmin/dbutil/kdb5_util.c:582 +#, c-format +msgid "while fetching principal %s" +msgstr "beim Abrufen von Principal %s" + +#: ../../src/kadmin/dbutil/kdb5_util.c:605 +msgid "while finding mkey" +msgstr "beim Suchen nach Mkey" + +#: ../../src/kadmin/dbutil/kdb5_util.c:630 +msgid "while setting changetime" +msgstr "beim Setzen der Änderungszeit der Datei" + +#: ../../src/kadmin/dbutil/kdb5_util.c:638 +#, c-format +msgid "while saving principal %s" +msgstr "beim Speichern von Principal %s" + +#: ../../src/kadmin/dbutil/kdb5_util.c:642 +#, c-format +msgid "%s changed\n" +msgstr "%s geändert\n" + +#: ../../src/kadmin/ktutil/ktutil.c:73 +#, c-format +msgid "%s: invalid arguments\n" +msgstr "%s: ungültige Argumente\n" + +#: ../../src/kadmin/ktutil/ktutil.c:78 +msgid "while freeing ktlist" +msgstr "beim Freigeben von »ktlist«" + +#: ../../src/kadmin/ktutil/ktutil.c:89 +#, c-format +msgid "%s: must specify keytab to read\n" +msgstr "" +"%s: Die Schlüsseltabelle, die gelesen werden soll, muss angegeben werden.\n" + +#: ../../src/kadmin/ktutil/ktutil.c:94 +#, c-format +msgid "while reading keytab \"%s\"" +msgstr "beim Lesen der Schlüsseltabelle »%s«" + +#: ../../src/kadmin/ktutil/ktutil.c:104 +#, c-format +msgid "%s: must specify the srvtab to read\n" +msgstr "%s: Die zu lesende Dienstschlüsseltabelle muss angegeben werden.\n" + +#: ../../src/kadmin/ktutil/ktutil.c:109 +#, c-format +msgid "while reading srvtab \"%s\"" +msgstr "beim Lesen der Dienstschlüsseltabelle »%s«" + +#: ../../src/kadmin/ktutil/ktutil.c:119 +#, c-format +msgid "%s: must specify keytab to write\n" +msgstr "%s: Die zu schreibende Schlüsseltabelle muss angegeben werden.\n" + +#: ../../src/kadmin/ktutil/ktutil.c:124 +#, c-format +msgid "while writing keytab \"%s\"" +msgstr "beim Schreiben der Schlüsseltabelle »%s«" + +#: ../../src/kadmin/ktutil/ktutil.c:131 +#, c-format +msgid "%s: writing srvtabs is no longer supported\n" +msgstr "" +"%s: Schreiben der Dienstschlüsseltabelle wird nicht länger unterstützt\n" + +#: ../../src/kadmin/ktutil/ktutil.c:169 +#, c-format +msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n" +msgstr "" +"Aufruf: %s (-key | -password) -p Principal -k KVNO -e Verschlüsselungstyp\n" + +#: ../../src/kadmin/ktutil/ktutil.c:176 +msgid "while adding new entry" +msgstr "beim Hinzufügen eines neuen Eintrags" + +#: ../../src/kadmin/ktutil/ktutil.c:186 +#, c-format +msgid "%s: must specify entry to delete\n" +msgstr "%s: zu löschender Eintrag muss angegeben werden\n" + +#: ../../src/kadmin/ktutil/ktutil.c:191 +#, c-format +msgid "while deleting entry %d" +msgstr "beim Löschen von Eintrag %d" + +#: ../../src/kadmin/ktutil/ktutil.c:219 +#, c-format +msgid "%s: usage: %s [-t] [-k] [-e]\n" +msgstr "%s: Aufruf: %s [-t] [-k] [-e]\n" + +#: ../../src/kadmin/ktutil/ktutil.c:259 +msgid "While converting enctype to string" +msgstr "beim Umwandeln des Verschlüsselungstyps in eine Zeichenkette" + +#: ../../src/kadmin/ktutil/ktutil_funcs.c:162 +#, c-format +msgid "Password for %.1000s" +msgstr "Passwort für %.1000s" + +#: ../../src/kadmin/ktutil/ktutil_funcs.c:179 +#, c-format +msgid "Key for %s (hex): " +msgstr "Schlüssel für %s (hexadezimal): " + +#: ../../src/kadmin/ktutil/ktutil_funcs.c:191 +#, c-format +msgid "addent: Error reading key.\n" +msgstr "addent: Fehler beim Lesen des Schlüssels\n" + +#: ../../src/kadmin/ktutil/ktutil_funcs.c:206 +#, c-format +msgid "addent: Illegal character in key.\n" +msgstr "addent: unerlaubtes Zeichen im Schlüssel\n" + +#: ../../src/kadmin/server/ipropd_svc.c:48 +#, c-format +msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s" +msgstr "unberechtigte Anfrage: %s, Client=%s, Dienst=%s, Adresse=%s" + +#: ../../src/kadmin/server/ipropd_svc.c:49 +#: ../../src/kadmin/server/ipropd_svc.c:212 +#, c-format +msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s" +msgstr "Anfrage: %s, %s, %s, Client=%s, Dienst=%s, Adresse=%s" + +#: ../../src/kadmin/server/ipropd_svc.c:146 +#: ../../src/kadmin/server/ipropd_svc.c:271 +#, c-format +msgid "%s: server handle is NULL" +msgstr "%s: Server-Identifikator ist NULL" + +#: ../../src/kadmin/server/ipropd_svc.c:156 +#: ../../src/kadmin/server/ipropd_svc.c:284 +#, c-format +msgid "%s: setup_gss_names failed" +msgstr "%s: setup_gss_names fehlgeschlagen" + +#: ../../src/kadmin/server/ipropd_svc.c:166 +#: ../../src/kadmin/server/ipropd_svc.c:295 +#, c-format +msgid "%s: out of memory recording principal names" +msgstr "%s: Speicher reicht nicht zur Aufzeichnung der Principal-Namen aus" + +#: ../../src/kadmin/server/ipropd_svc.c:195 +#, c-format +msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu" +msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=%lu" + +#: ../../src/kadmin/server/ipropd_svc.c:201 +#, c-format +msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A" +msgstr "%s; eingehende Seriennummer=%lu; ausgehende Seriennummer=N/A" + +#: ../../src/kadmin/server/ipropd_svc.c:320 +#, c-format +msgid "%s: getclhoststr failed" +msgstr "%s: getclhoststr fehlgeschlagen" + +#: ../../src/kadmin/server/ipropd_svc.c:342 +#, c-format +msgid "%s: cannot construct kdb5 util dump string too long; out of memory" +msgstr "" +"Ausgabenzeichenkette des KDB5-Hilfswerkzeugs nicht konstruierbar, da zu " +"lang; Speicher reicht nicht aus.%s: Die Ausgabezeichenkette des KDB5-" +"Hilfswerkzeugs kann nicht erstellt werden, weil sie zu lang ist. Der " +"Speicherplatz reicht nicht aus." + +#: ../../src/kadmin/server/ipropd_svc.c:362 +#, c-format +msgid "%s: fork failed: %s" +msgstr "%s: Verzweigen fehlgeschlagen: %s" + +#: ../../src/kadmin/server/ipropd_svc.c:374 +#, c-format +msgid "%s: popen failed: %s" +msgstr "%s: popen fehlgeschlagen: %s" + +#: ../../src/kadmin/server/ipropd_svc.c:388 +#, c-format +msgid "%s: pclose(popen) failed: %s" +msgstr "%s: pclose(popen) fehlgeschlagen: %s" + +#: ../../src/kadmin/server/ipropd_svc.c:405 +#, c-format +msgid "%s: exec failed: %s" +msgstr "%s: exec fehlgeschlagen: %s" + +#: ../../src/kadmin/server/ipropd_svc.c:421 +#, c-format +msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s" +msgstr "" +"Anfrage: %s, hervorgebrachter Neusynchronisationsprozess %d, Client=%s, " +"Dienst=%s, Adresse=%s" + +#: ../../src/kadmin/server/ipropd_svc.c:485 +#: ../../src/kadmin/server/kadm_rpc_svc.c:275 +#, c-format +msgid "check_rpcsec_auth: failed inquire_context, stat=%u" +msgstr "check_rpcsec_auth: inquire_context fehlgeschlagen, Stat=%u" + +#: ../../src/kadmin/server/ipropd_svc.c:515 +#: ../../src/kadmin/server/kadm_rpc_svc.c:304 +#, c-format +msgid "bad service principal %.*s%s" +msgstr "falscher Dienst-Principal %.*s%s" + +#: ../../src/kadmin/server/ipropd_svc.c:538 +#, c-format +msgid "authentication attempt failed: %s, RPC authentication flavor %d" +msgstr "" +"Authentifizierungsversuche gescheitert: %s, PRC-Authentifizierungsvariante %d" + +#: ../../src/kadmin/server/ipropd_svc.c:572 +#, c-format +msgid "RPC unknown request: %d (%s)" +msgstr "unbekannte PRC-Anfrage: %d (%s)" + +#: ../../src/kadmin/server/ipropd_svc.c:580 +#, c-format +msgid "RPC svc_getargs failed (%s)" +msgstr "RPC-»svc_getargs« fehlgeschlagen (%s)" + +#: ../../src/kadmin/server/ipropd_svc.c:590 +#, c-format +msgid "RPC svc_sendreply failed (%s)" +msgstr "RPC-»svc_sendreply« fehlgeschlagen (%s)" + +#: ../../src/kadmin/server/ipropd_svc.c:596 +#, c-format +msgid "RPC svc_freeargs failed (%s)" +msgstr "RPC-»svc_freeargs« fehlgeschlagen (%s)" + +#: ../../src/kadmin/server/kadm_rpc_svc.c:325 +#, c-format +msgid "gss_to_krb5_name: failed display_name status %d" +msgstr "gss_to_krb5_name: display_name fehlgeschlagen, Status %d" + +#: ../../src/kadmin/server/ovsec_kadmd.c:86 +#, c-format +msgid "" +"Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n" +"\t\t[-proponly] [-p path-to-kdb5_util] [-F dump-file]\n" +"\t\t[-K path-to-kprop] [-P pid_file]\n" +"\n" +"where,\n" +"\t[-x db_args]* - any number of database specific arguments.\n" +"\t\t\tLook at each database documentation for supported arguments\n" +msgstr "" +"Aufruf: kadmind [-x Datenbankargumente]* [-r Realm] [-m] [-nofork]\n" +"\t\t[-port Portummer] [-p Pfad_zum_KDB5-Hilfswerkzeug] [-F Auszugsdatei]\n" +"\t\t[-K Pfad_zu_Kprop] [-P PID-Datei]\n" +"\n" +"dabei sind\n" +"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " +"Argumente.\n" +"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " +"der jeweiligen Datenbank.\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:111 +#, c-format +msgid "%s: %s while %s, aborting\n" +msgstr "%s: %s bei %s, wird abgebrochen\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:113 +#, c-format +msgid "%s while %s, aborting\n" +msgstr "%s bei %s, wird abgebrochen\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:115 +#, c-format +msgid "%s: %s, aborting\n" +msgstr "%s: %s, wird abgebrochen\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:116 +#, c-format +msgid "%s, aborting" +msgstr "%s, wird abgebrochen" + +#: ../../src/kadmin/server/ovsec_kadmd.c:282 +#, c-format +msgid "" +"WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s" +"%s, addr = %s" +msgstr "" +"WARNUNG! Gefälschte/verstümmelte Anfrage: %s, geforderter Client = %.*s%s, " +"Server = %.*s%s, Adresse = %s" + +#: ../../src/kadmin/server/ovsec_kadmd.c:288 +#, c-format +msgid "" +"WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s" +"%s, addr = %s" +msgstr "" +"WARNUNG! Gefälschte/verstümmelte Anfrage: %d, Client = %.*s%s, Server = " +"%.*s%s, Adresse = %s" + +#: ../../src/kadmin/server/ovsec_kadmd.c:302 +#, c-format +msgid "Miscellaneous RPC error: %s, %s" +msgstr "sonstiger PRC-Fehler: %s, %s" + +#: ../../src/kadmin/server/ovsec_kadmd.c:318 +#, c-format +msgid "%s Cannot decode status %d" +msgstr "%s: Status %d kann nicht dekodiert werden" + +#: ../../src/kadmin/server/ovsec_kadmd.c:336 +#, c-format +msgid "Authentication attempt failed: %s, GSS-API error strings are:" +msgstr "Authentifizierungsversuch fehlgeschlagen: %s, GSS-API-Fehlermeldungen:" + +#: ../../src/kadmin/server/ovsec_kadmd.c:341 +msgid " GSS-API error strings complete." +msgstr " GSS-API-Fehlermeldungen vollständig" + +#: ../../src/kadmin/server/ovsec_kadmd.c:378 +#, c-format +msgid "%s: cannot initialize. Not enough memory\n" +msgstr "%s: kann nicht initialisiert werden: Speicher reicht nicht aus.\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:445 +#, c-format +msgid "%s: %s while initializing context, aborting\n" +msgstr "%s: %s beim Initialisieren des Kontextes, wird abgebrochen\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:456 +msgid "initializing" +msgstr "wird initialisiert" + +#: ../../src/kadmin/server/ovsec_kadmd.c:460 +msgid "getting config parameters" +msgstr "beim Holen der Konfigurationsparameter" + +#: ../../src/kadmin/server/ovsec_kadmd.c:462 +msgid "Missing required realm configuration" +msgstr "erforderliche Realm-Konfiguration fehlt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:464 +msgid "Missing required ACL file configuration" +msgstr "erforderliche ACL-Dateikonfiguration fehlt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:468 +msgid "initializing network" +msgstr "Netzwerk wird initialisiert" + +#: ../../src/kadmin/server/ovsec_kadmd.c:473 +msgid "Cannot build GSSAPI auth names" +msgstr "GSS-API-Authentifizierungsnamen können nicht gebildet werden." + +#: ../../src/kadmin/server/ovsec_kadmd.c:477 +msgid "Cannot set up KDB keytab" +msgstr "Die KDB-Schlüsseltabelle kann nicht eingerichtet werden." + +#: ../../src/kadmin/server/ovsec_kadmd.c:480 +msgid "Cannot set GSSAPI authentication names" +msgstr "GSS-API-Authentifizierungsnamen können nicht gesetzt werden." + +#: ../../src/kadmin/server/ovsec_kadmd.c:497 +msgid "Cannot initialize GSSAPI service name" +msgstr "GSSAPI-Dienstname kann nicht initialisiert werden" + +#: ../../src/kadmin/server/ovsec_kadmd.c:501 +msgid "initializing ACL file" +msgstr "ACL-Datei wird initialisiert" + +#: ../../src/kadmin/server/ovsec_kadmd.c:504 +msgid "spawning daemon process" +msgstr "Daemon-Prozess wird erzeugt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:508 +msgid "creating PID file" +msgstr "PID-Datei wird erstellt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:511 +msgid "Seeding random number generator" +msgstr "Startwert des Zufallszahlengenerators wird erzeugt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:514 +msgid "getting random seed" +msgstr "Zufallsstartwert wird geholt" + +#: ../../src/kadmin/server/ovsec_kadmd.c:521 +msgid "mapping update log" +msgstr "Aktualisierungsprotokoll wird abgebildet" + +#: ../../src/kadmin/server/ovsec_kadmd.c:525 +#, c-format +msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n" +msgstr "%s: IPROP-Dienst wird erstellt (PROG=%d, VERS=%d)\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:530 +msgid "starting" +msgstr "startet" + +#: ../../src/kadmin/server/ovsec_kadmd.c:532 ../../src/kdc/main.c:1061 +#, c-format +msgid "%s: starting...\n" +msgstr "%s: startet …\n" + +#: ../../src/kadmin/server/ovsec_kadmd.c:535 +msgid "finished, exiting" +msgstr "fertig, wird beendet" + +#: ../../src/kadmin/server/schpw.c:282 +#, c-format +msgid "setpw request from %s by %.*s%s for %.*s%s: %s" +msgstr "»setpw«-Anfrage von %s durch %.*s%s für %.*s%s: %s" + +#: ../../src/kadmin/server/schpw.c:287 +#, c-format +msgid "chpw request from %s for %.*s%s: %s" +msgstr "»chpw«-Anfrage von %s für %.*s%s: %s" + +#: ../../src/kadmin/server/schpw.c:464 +#, c-format +msgid "chpw: Couldn't open admin keytab %s" +msgstr "chpw«: Administratorschlüsseltabelle %s konnte nicht geöffnet werden" + +#: ../../src/kadmin/server/server_stubs.c:293 +#, c-format +msgid "" +"Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s" +msgstr "" +"Unauthorisierte Anfrage: %s, %.*s%s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" + +#: ../../src/kadmin/server/server_stubs.c:314 +#: ../../src/kadmin/server/server_stubs.c:649 +#: ../../src/kadmin/server/server_stubs.c:1792 +msgid "success" +msgstr "erfolgreich" + +#: ../../src/kadmin/server/server_stubs.c:324 +#, c-format +msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s" +msgstr "Anfrage: %s, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s" + +#: ../../src/kadmin/server/server_stubs.c:628 +#, c-format +msgid "" +"Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s" +"%s, service=%.*s%s, addr=%s" +msgstr "" +"Unauthorisierte Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, Client=" +"%.*s%s, Dienst=%.*s%s, Adresse=%s" + +#: ../../src/kadmin/server/server_stubs.c:644 +#, c-format +msgid "" +"Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, " +"service=%.*s%s, addr=%s" +msgstr "" +"Anfrage: kadm5_rename_principal, %.*s%s bis %.*s%s, %s, Client=%.*s%s, " +"Dienst=%.*s%s, Adresse=%s" + +#: ../../src/kadmin/server/server_stubs.c:1788 +#, c-format +msgid "" +"Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, " +"vers=%d, flavor=%d" +msgstr "" +"Anfrage: kadm5_init, %.*s%s, %s, Client=%.*s%s, Dienst=%.*s%s, Adresse=%s, " +"Version=%d, Variante=%d" + +#: ../../src/kdc/do_as_req.c:273 +#, c-format +msgid "AS_REQ : handle_authdata (%d)" +msgstr "AS_REQ: handle_authdata (%d)" + +#: ../../src/kdc/do_tgs_req.c:593 +#, c-format +msgid "TGS_REQ : handle_authdata (%d)" +msgstr "TGS_REQ: handle_authdata (%d)" + +#: ../../src/kdc/do_tgs_req.c:655 +msgid "not checking transit path" +msgstr "Übergangspfad wird nicht geprüft" + +#: ../../src/kdc/fast_util.c:62 +#, c-format +msgid "%s while handling ap-request armor" +msgstr "%s bei der Handhabung des »ap-request«-Schutzes" + +#: ../../src/kdc/fast_util.c:71 +msgid "ap-request armor for something other than the local TGS" +msgstr "»ap-request«-Schutz für etwas anderes als den lokalen TGS" + +#: ../../src/kdc/fast_util.c:80 +msgid "ap-request armor without subkey" +msgstr "»ap-request«-Schutz ohne Unterschlüssel" + +#: ../../src/kdc/fast_util.c:162 +msgid "Ap-request armor not permitted with TGS" +msgstr "»ap-request«-Schutz nicht mit TGS gestattet" + +#: ../../src/kdc/fast_util.c:169 +#, c-format +msgid "Unknown FAST armor type %d" +msgstr "unbekanntet FAST-Schutztyp %d" + +#: ../../src/kdc/fast_util.c:183 +msgid "No armor key but FAST armored request present" +msgstr "Es gibt keinen Schutzschlüssel aber eine FAST-geschützte Anfrage" + +#: ../../src/kdc/fast_util.c:219 +msgid "FAST req_checksum invalid; request modified" +msgstr "FAST-»req_checksum« ungültig; Anfrage geändert" + +#: ../../src/kdc/fast_util.c:225 +msgid "Unkeyed checksum used in fast_req" +msgstr "in fast_req wurde eine Prüfsumme ohne Schlüssel benutzt" + +#: ../../src/kdc/kdc_audit.c:110 +#, c-format +msgid "audit plugin %s failed to open. error=%i" +msgstr "Öffnen der Audit-Erweiterung %s fehlgeschlagen. Fehler=%i" + +#: ../../src/kdc/kdc_authdata.c:292 ../../src/kdc/kdc_authdata.c:328 +#, c-format +msgid "authdata %s failed to initialize: %s" +msgstr "Initialisieren von »authdata« %s fehlgeschlagen: %s" + +#: ../../src/kdc/kdc_authdata.c:779 +#, c-format +msgid "authdata (%s) handling failure: %s" +msgstr "Handhabung von »authdata« %s fehlgeschlagen: %s" + +#: ../../src/kdc/kdc_log.c:82 +#, c-format +msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s" +msgstr "AS_REQ (%s) %s: PROBLEM: Authentifizierungszeit %d, %s, %s für %s" + +#: ../../src/kdc/kdc_log.c:88 +#, c-format +msgid "AS_REQ (%s) %s: %s: %s for %s%s%s" +msgstr "AS_REQ (%s) %s: %s: %s für %s%s%s" + +#: ../../src/kdc/kdc_log.c:159 +#, c-format +msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s" +msgstr "TGS_REQ (%s) %s: %s: Authentifizierungszeit %d, %s%s %s für %s%s%s" + +#: ../../src/kdc/kdc_log.c:166 +#, c-format +msgid "... PROTOCOL-TRANSITION s4u-client=%s" +msgstr "… PROTOKOLLÜBERGANG s4u-client=%s" + +#: ../../src/kdc/kdc_log.c:170 +#, c-format +msgid "... CONSTRAINED-DELEGATION s4u-client=%s" +msgstr "… EINHESCHRÄNKTE DELEGIERUNG s4u-client=%s" + +#: ../../src/kdc/kdc_log.c:174 +#, c-format +msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s" +msgstr "TGS_REQ %s: %s: Authentifizierungszeit %d, %s für %s, 2. TKT-Client %s" + +#: ../../src/kdc/kdc_log.c:208 +#, c-format +msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'" +msgstr "falscher Realm-Übergangspfad von »%s« zu »%s« über »%.*s%s«" + +#: ../../src/kdc/kdc_log.c:214 +#, c-format +msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s" +msgstr "" +"unerwarteter Fehler bei der Prüfung des Übergangs von »%s« zu »%s« über »%.*s" +"%s«: %s" + +#: ../../src/kdc/kdc_log.c:232 +msgid "TGS_REQ: issuing alternate TGT" +msgstr "TGS_REQ: alternativer TGT wird erstellt" + +#: ../../src/kdc/kdc_log.c:235 +#, c-format +msgid "TGS_REQ: issuing TGT %s" +msgstr "TGS_REQ: TGT %s wird erstellt" + +#: ../../src/kdc/kdc_preauth.c:328 +#, c-format +msgid "preauth %s failed to initialize: %s" +msgstr "Initialisieren von »preauth« %s fehlgeschlagen: %s" + +#: ../../src/kdc/kdc_preauth.c:339 +#, c-format +msgid "preauth %s failed to setup loop: %s" +msgstr "Einrichten der Schleife von »preauth« %s fehlgeschlagen: %s" + +#: ../../src/kdc/kdc_preauth.c:760 +#, c-format +msgid "%spreauth required but hint list is empty" +msgstr "%spreauth benötigt, aber Hinweisliste ist leer" + +#: ../../src/kdc/kdc_preauth_ec.c:75 +msgid "Encrypted Challenge used outside of FAST tunnel" +msgstr "verschlüsselte Aufforderung wurde außerhalb des FAST-Tunnels verwendet" + +#: ../../src/kdc/kdc_preauth_ec.c:110 +msgid "Incorrect password in encrypted challenge" +msgstr "falsches Passwort in verschlüsselter Aufforderung" + +#: ../../src/kdc/kdc_util.c:236 +msgid "TGS_REQ: SESSION KEY or MUTUAL" +msgstr "TGS_REQ: SITZUNGSSCHLÜSSEL oder BEIDERSEITIG" + +#: ../../src/kdc/kdc_util.c:314 +msgid "PROCESS_TGS: failed lineage check" +msgstr "PROCESS_TGS: Abstammungsprüfung fehlgeschlagen" + +#: ../../src/kdc/kdc_util.c:468 +#, c-format +msgid "TGS_REQ: UNKNOWN SERVER: server='%s'" +msgstr "TGS_REQ: UNBEKANNTER SERVER: Server=»%s«" + +#: ../../src/kdc/main.c:231 +#, c-format +msgid "while getting context for realm %s" +msgstr "beim Holen des Kontextes für Realm %s" + +#: ../../src/kdc/main.c:329 +#, c-format +msgid "while setting default realm to %s" +msgstr "beim Setzen des Standard-Realms auf %s" + +#: ../../src/kdc/main.c:337 +#, c-format +msgid "while initializing database for realm %s" +msgstr "beim Initialisieren der Datenbank für Realm %s" + +#: ../../src/kdc/main.c:346 +#, c-format +msgid "while setting up master key name %s for realm %s" +msgstr "beim Einrichten des Hauptschlüsselnamens %s für Realm %s" + +#: ../../src/kdc/main.c:359 +#, c-format +msgid "while fetching master key %s for realm %s" +msgstr "beim Abholen des Hauptschlüssels %s für Realm %s" + +#: ../../src/kdc/main.c:367 +#, c-format +msgid "while fetching master keys list for realm %s" +msgstr "beim Abholen der Hauptschlüsselliste für Realm %s" + +#: ../../src/kdc/main.c:376 +#, c-format +msgid "while resolving kdb keytab for realm %s" +msgstr "beim Ermitteln der KDB-Schlüsseltabelle für Realm %s" + +#: ../../src/kdc/main.c:385 +#, c-format +msgid "while building TGS name for realm %s" +msgstr "beim Bilden des TGS-Namens für Realm %s" + +#: ../../src/kdc/main.c:503 +#, c-format +msgid "creating %d worker processes" +msgstr "%d Arbeitsprozesse werden erzeugt" + +#: ../../src/kdc/main.c:513 +msgid "Unable to reinitialize main loop" +msgstr "Hauptschleife konnte nicht neu initialisiert werden" + +#: ../../src/kdc/main.c:518 +#, c-format +msgid "Unable to initialize signal handlers in pid %d" +msgstr "" +"Signalbehandlungsprogramme in PID %d konnten nicht initialisiert werden" + +#: ../../src/kdc/main.c:548 +#, c-format +msgid "worker %ld exited with status %d" +msgstr "Arbeitsprozess %ld endete mit Status %d" + +#: ../../src/kdc/main.c:572 +#, c-format +msgid "signal %d received in supervisor" +msgstr "Überwachungsprogramm empfing Signal %d" + +#: ../../src/kdc/main.c:591 +#, c-format +msgid "" +"usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n" +"\t\t[-R replaycachename] [-m] [-k masterenctype]\n" +"\t\t[-M masterkeyname] [-p port] [-P pid_file]\n" +"\t\t[-n] [-w numworkers] [/]\n" +"\n" +"where,\n" +"\t[-x db_args]* - Any number of database specific arguments.\n" +"\t\t\tLook at each database module documentation for \t\t\tsupported " +"arguments\n" +msgstr "" +"Aufruf: %s [-x Datenbankargumente]* [-d Datenbankpfadname]\n" +"\t\t[-r Datenbank-Realm-Name] [-m] [-k Hauptverschlüsselungstyp]\n" +"\t\t[-M Hauptschlüsselname] [-p Port] [-P PID-Datei]\n" +"\t\t[-n] [-w Arbeitsprozessanzahl] [/]\n" +"\n" +"dabei sind\n" +"\t[-x Datenbankargumente]* - eine beliebige Anzahl datenbankspezifischer " +"Argumente.\n" +"\t\t\tWelche Argumente unterstützt werden, finden Sie in der Dokumentation " +"der jeweiligen Datenbank.\n" + +#: ../../src/kdc/main.c:653 ../../src/kdc/main.c:660 ../../src/kdc/main.c:774 +#, c-format +msgid " KDC cannot initialize. Not enough memory\n" +msgstr "KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" + +#: ../../src/kdc/main.c:679 ../../src/kdc/main.c:722 ../../src/kdc/main.c:733 +#, c-format +msgid "%s: KDC cannot initialize. Not enough memory\n" +msgstr "%s: KDC kann nicht initialisiert werden. Speicher reicht nicht aus\n" + +#: ../../src/kdc/main.c:699 ../../src/kdc/main.c:816 +#, c-format +msgid "%s: cannot initialize realm %s - see log file for details\n" +msgstr "" +"%s: Realm %s kann nicht initialisiert werden - Einzelheiten finden Sie in " +"der Protokolldatei\n" + +#: ../../src/kdc/main.c:710 +#, c-format +msgid "%s: cannot initialize realm %s. Not enough memory\n" +msgstr "" +"%s: Realm %s kann nicht initialisiert werden. Speicher reicht nicht aus\n" + +#: ../../src/kdc/main.c:761 +#, c-format +msgid "invalid enctype %s" +msgstr "ungültiger Verschlüsselungstyp %s" + +#: ../../src/kdc/main.c:804 +msgid "while attempting to retrieve default realm" +msgstr "beim Versuch, den Standard-Realm abzufragen" + +#: ../../src/kdc/main.c:806 +#, c-format +msgid "%s: %s, attempting to retrieve default realm\n" +msgstr "%s: %s, es wird versucht, den Standard-Realm abzufragen\n" + +#: ../../src/kdc/main.c:912 +#, c-format +msgid "%s: cannot get memory for realm list\n" +msgstr "%s: Speicher für die Realm-Liste kann nicht erlangt werden\n" + +# http://www.oreilly.de/german/freebooks/linuxdrive2ger/getcache.html +#: ../../src/kdc/main.c:947 +msgid "while initializing lookaside cache" +msgstr "beim Initialisieren des Lookaside-Zwischenspeichers" + +#: ../../src/kdc/main.c:955 +msgid "while creating main loop" +msgstr "beim Erzeugen der Hauptschleife" + +# SAM=Security Accounts Manager +#: ../../src/kdc/main.c:965 +msgid "while initializing SAM" +msgstr "beim Initialisieren des SAMs" + +#: ../../src/kdc/main.c:1011 +msgid "while initializing routing socket" +msgstr "beim Initialisieren des Routing-Sockets" + +#: ../../src/kdc/main.c:1017 +msgid "while initializing signal handlers" +msgstr "beim Initialisieren des Signalbehandlungsprogramms" + +#: ../../src/kdc/main.c:1024 +msgid "while initializing network" +msgstr "beim Initialisieren des Netzwerks" + +#: ../../src/kdc/main.c:1029 +msgid "while detaching from tty" +msgstr "beim Lösen vom Terminal" + +#: ../../src/kdc/main.c:1036 +msgid "while creating PID file" +msgstr "beim Erstellen der PID-Datei" + +#: ../../src/kdc/main.c:1045 +msgid "creating worker processes" +msgstr "Arbeitsprozesse werden erzeugt" + +#: ../../src/kdc/main.c:1055 +msgid "while loading audit plugin module(s)" +msgstr "beim Laden des/der Auditerweiterungsmoduls/Auditerweiterungsmodule" + +#: ../../src/kdc/main.c:1059 +msgid "commencing operation" +msgstr "Aktion wird begonnen" + +#: ../../src/kdc/main.c:1067 +msgid "shutting down" +msgstr "wird heruntergefahren" + +#: ../../src/lib/apputils/net-server.c:258 +msgid "Got signal to request exit" +msgstr "Signal zur Anfrage des Beendens empfangen" + +#: ../../src/lib/apputils/net-server.c:272 +msgid "Got signal to reset" +msgstr "Signal zum Zurücksetzen empfangen" + +#: ../../src/lib/apputils/net-server.c:429 +#, c-format +msgid "closing down fd %d" +msgstr "Dateideskriptor %d wird geschlossen" + +#: ../../src/lib/apputils/net-server.c:443 +#, c-format +msgid "descriptor %d closed but still in svc_fdset" +msgstr "Deskriptor %d geschlossen, aber immer noch in »svc_fdset«" + +#: ../../src/lib/apputils/net-server.c:469 +msgid "cannot create io event" +msgstr "E/A-Ereignis kann nicht erzeugt werden" + +#: ../../src/lib/apputils/net-server.c:475 +msgid "cannot save event" +msgstr "Ereignis kann nicht gesichert werden" + +#: ../../src/lib/apputils/net-server.c:495 +#, c-format +msgid "file descriptor number %d too high" +msgstr "Dateideskriptornummer %d zu hoch" + +#: ../../src/lib/apputils/net-server.c:503 +msgid "cannot allocate storage for connection info" +msgstr "Speicher für Verbindungsinformation kann nicht reserviert werden" + +#: ../../src/lib/apputils/net-server.c:562 +#, c-format +msgid "Cannot create TCP server socket on %s" +msgstr "Auf %s kann kein TCP-Server-Socket erstellt werden." + +#: ../../src/lib/apputils/net-server.c:571 +#, c-format +msgid "TCP socket fd number %d (for %s) too high" +msgstr "TCP-Socket-Deskriptornummer %d (für %s) zu hoch" + +#: ../../src/lib/apputils/net-server.c:579 +#, c-format +msgid "Cannot enable SO_REUSEADDR on fd %d" +msgstr "SO_REUSEADDR kann nicht für Dateideskriptor %d aktiviert werden" + +#: ../../src/lib/apputils/net-server.c:586 +#, c-format +msgid "setsockopt(%d,IPV6_V6ONLY,1) failed" +msgstr "setsockopt(%d,IPV6_V6ONLY,1) fehlgeschlagen" + +#: ../../src/lib/apputils/net-server.c:588 +#, c-format +msgid "setsockopt(%d,IPV6_V6ONLY,1) worked" +msgstr "setsockopt(%d,IPV6_V6ONLY,1) funktioniert" + +#: ../../src/lib/apputils/net-server.c:591 +msgid "no IPV6_V6ONLY socket option support" +msgstr "keine Socket-Option für IPV6_V6ONLY unterstützt" + +#: ../../src/lib/apputils/net-server.c:597 +#, c-format +msgid "Cannot bind server socket on %s" +msgstr "Server-Socket kann nicht an %s gebunden werden" + +#: ../../src/lib/apputils/net-server.c:624 +#, c-format +msgid "Cannot create RPC service: %s; continuing" +msgstr "RPC-Dienst kann nicht erstellt werden: %s; es wird fortgefahren" + +#: ../../src/lib/apputils/net-server.c:633 +#, c-format +msgid "Cannot register RPC service: %s; continuing" +msgstr "RPC-Dienst kann nicht registriert werden: %s; es wird fortgefahren" + +#: ../../src/lib/apputils/net-server.c:682 +#, c-format +msgid "Cannot listen on TCP server socket on %s" +msgstr "" +"Auf dem TCP-Server-Socket kann nicht auf eine Verbindung gewartet werden auf " +"%s." + +#: ../../src/lib/apputils/net-server.c:688 +#, c-format +msgid "cannot set listening tcp socket on %s non-blocking" +msgstr "" +"Das auf eine Verbindung wartende TCP-Socket kann nicht auf nicht-" +"blockierendes %s gesetzt werden." + +#: ../../src/lib/apputils/net-server.c:695 +#, c-format +msgid "disabling SO_LINGER on TCP socket on %s" +msgstr "SO_LINGER auf dem TCP-Socket auf %s wird deaktiviert" + +#: ../../src/lib/apputils/net-server.c:743 +#: ../../src/lib/apputils/net-server.c:752 +#, c-format +msgid "listening on fd %d: tcp %s" +msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: TCP %s" + +#: ../../src/lib/apputils/net-server.c:757 +msgid "assuming IPv6 socket accepts IPv4" +msgstr "es wird davon ausgegangen, dass das IPv6-Socket IPv4 akzeptiert" + +#: ../../src/lib/apputils/net-server.c:791 +#: ../../src/lib/apputils/net-server.c:804 +#, c-format +msgid "listening on fd %d: rpc %s" +msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: RPC %s" + +#: ../../src/lib/apputils/net-server.c:883 +#, c-format +msgid "Cannot request packet info for udp socket address %s port %d" +msgstr "" +"Paketinformation für UDP-Socket-Adresse %s, Port %d, kann nicht abgefragt " +"werden" + +#: ../../src/lib/apputils/net-server.c:889 +#, c-format +msgid "listening on fd %d: udp %s%s" +msgstr "auf Dateideskriptor %d wird auf eine Verbindung gewartet: UDP %s%s" + +#: ../../src/lib/apputils/net-server.c:918 +msgid "Failed to reconfigure network, exiting" +msgstr "Neukonfiguration des Netzwerks fehlgeschlagen, wird beendet" + +#: ../../src/lib/apputils/net-server.c:979 +#, c-format +msgid "" +"unhandled routing message type %d, will reconfigure just for the fun of it" +msgstr "" +"nicht behandelter Routing-Meldungstyp %d, es wird es nur zum Spaß neu " +"konfiguriert" + +#: ../../src/lib/apputils/net-server.c:1013 +#, c-format +msgid "short read (%d/%d) from routing socket" +msgstr "ungenügende Daten (%d/%d) vom Routing-Socket gelesen" + +#: ../../src/lib/apputils/net-server.c:1023 +#, c-format +msgid "read %d from routing socket but msglen is %d" +msgstr "%d vom Routing-Socket gelesen, Nachrichtenlänge ist jedoch %d" + +#: ../../src/lib/apputils/net-server.c:1055 +#, c-format +msgid "couldn't set up routing socket: %s" +msgstr "Routing-Socket konnte nicht eingerichtet werden: %s" + +#: ../../src/lib/apputils/net-server.c:1058 +#, c-format +msgid "routing socket is fd %d" +msgstr "Das Routing-Socket hat den Dateideskriptor %d." + +#: ../../src/lib/apputils/net-server.c:1084 +msgid "setting up network..." +msgstr "Netzwerk wird eingerichtet …" + +#: ../../src/lib/apputils/net-server.c:1101 +#, c-format +msgid "set up %d sockets" +msgstr "%d Sockets werden eingerichtet" + +#: ../../src/lib/apputils/net-server.c:1103 +msgid "no sockets set up?" +msgstr "keine Sockets eingerichtet?" + +#: ../../src/lib/apputils/net-server.c:1351 +#: ../../src/lib/apputils/net-server.c:1405 +msgid "while dispatching (udp)" +msgstr "beim Versenden (UDP)" + +#: ../../src/lib/apputils/net-server.c:1380 +#, c-format +msgid "while sending reply to %s/%s from %s" +msgstr "beim Senden der Antwort zu %s/%s von %s" + +#: ../../src/lib/apputils/net-server.c:1385 +#, c-format +msgid "short reply write %d vs %d\n" +msgstr "ungenügende Ausgabe der Antwort %d gegenüber %d\n" + +#: ../../src/lib/apputils/net-server.c:1430 +msgid "while receiving from network" +msgstr "beim Empfangen vom Netzwerk" + +#: ../../src/lib/apputils/net-server.c:1446 +#, c-format +msgid "pktinfo says local addr is %s" +msgstr "Pktinfo sagt, die lokale Adresse sei %s" + +#: ../../src/lib/apputils/net-server.c:1479 +msgid "too many connections" +msgstr "zu viele Verbindungen" + +#: ../../src/lib/apputils/net-server.c:1502 +#, c-format +msgid "dropping %s fd %d from %s" +msgstr "%s Dateideskriptor %d von %s wird verworfen" + +#: ../../src/lib/apputils/net-server.c:1580 +#, c-format +msgid "allocating buffer for new TCP session from %s" +msgstr "Puffer für neue TCP-Sitzung von %s wird reserviert" + +#: ../../src/lib/apputils/net-server.c:1610 +msgid "while dispatching (tcp)" +msgstr "beim Versenden (TCP)" + +#: ../../src/lib/apputils/net-server.c:1642 +msgid "error allocating tcp dispatch private!" +msgstr "Fehler beim Reservieren zum nicht öffentlichen TCP-Versand!" + +#: ../../src/lib/apputils/net-server.c:1689 +#, c-format +msgid "TCP client %s wants %lu bytes, cap is %lu" +msgstr "TCP-Client %s will %lu Byte, Cap ist %lu" + +#: ../../src/lib/apputils/net-server.c:1697 +#, c-format +msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" +msgstr "Fehler beim Erzeugen des KRB_ERR_FIELD_TOOLONG-Fehlers! %s" + +#: ../../src/lib/apputils/net-server.c:1876 +#, c-format +msgid "accepted RPC connection on socket %d from %s" +msgstr "akzeptierte PRC-Verbindung auf Socket %d von %s" + +# pseudo random function +#: ../../src/lib/crypto/krb/cf2.c:114 +#, c-format +msgid "Enctype %d has no PRF" +msgstr "Verschlüsselungstyp %d hat keine PRF" + +#: ../../src/lib/crypto/krb/prng_fortuna.c:428 +msgid "Random number generator could not be seeded" +msgstr "Zufallszahlengenerator konnte kein Startwert zugewiesen werden" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:43 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165 +msgid "A required input parameter could not be read" +msgstr "Ein benötigter Eingabeparameter konnte nicht gelesen werden." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:44 +msgid "A required input parameter could not be written" +msgstr "Ein benötigter Eingabeparameter konnte nicht geschrieben werden." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:45 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175 +msgid "A parameter was malformed" +msgstr "Ein Parameter hatte eine falsche Form" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:48 +msgid "calling error" +msgstr "Aufruffehler" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:59 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195 +msgid "An unsupported mechanism was requested" +msgstr "Ein nicht unterstützter Mechanismus wurde angefordert." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:60 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199 +msgid "An invalid name was supplied" +msgstr "Ein ungültiger Name wurde übergeben." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:61 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203 +msgid "A supplied name was of an unsupported type" +msgstr "Ein übergebener Name hatte einen nicht unterstützten Typ." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:62 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208 +msgid "Incorrect channel bindings were supplied" +msgstr "Falsche Kanalbindungen wurden übergeben." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:63 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334 +msgid "An invalid status code was supplied" +msgstr "Ein ungültiger Statuscode wurde übergeben." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:64 +msgid "A token had an invalid signature" +msgstr "Ein Merkmal hatte eine ungültige Signatur." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:65 +msgid "No credentials were supplied" +msgstr "Es wurden keine Anmeldedaten übergeben." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:66 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223 +msgid "No context has been established" +msgstr "Es wurde keine Kontext etabliert." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:67 +msgid "A token was invalid" +msgstr "Ein Merkmal war ungültig." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:68 +msgid "A credential was invalid" +msgstr "Eine der Anmeldedaten war ungültig." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:69 +msgid "The referenced credentials have expired" +msgstr "Die referenzierten Anmeldedaten sind abgelaufen." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:70 +msgid "The context has expired" +msgstr "Der Kontext ist abgelaufen." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:71 +msgid "Miscellaneous failure" +msgstr "sonstiger Fehlschlag" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:72 +msgid "The quality-of-protection requested could not be provided" +msgstr "" +"Die angeforderte Qualität des Schutzes konnte nicht bereitgestellt werden." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:73 +msgid "The operation is forbidden by the local security policy" +msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:74 +msgid "The operation or option is not available" +msgstr "Die Aktion oder Option ist nicht verfügbar." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:77 +msgid "routine error" +msgstr "Fehler in einer Routine" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:89 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311 +msgid "The routine must be called again to complete its function" +msgstr "" +"Die Routine muss erneut aufgerufen werden, um ihre Funktion zu " +"vervollständigen." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:90 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316 +msgid "The token was a duplicate of an earlier token" +msgstr "Das Merkmal war ein Zweitexemplar eines früheren Merkmals." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:91 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321 +msgid "The token's validity period has expired" +msgstr "Die Gültigkeitsperiode des Merkmals ist abgelaufen." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:92 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325 +msgid "A later token has already been processed" +msgstr "Es wurde bereits ein neueres Merkmal verarbeitet." + +#: ../../src/lib/gssapi/generic/disp_major_status.c:95 +msgid "supplementary info code" +msgstr "zusätzlicher Informationscode" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:106 +#: ../lib/krb5/error_tables/krb5_err.c:23 +msgid "No error" +msgstr "kein Fehler" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:107 +#, c-format +msgid "Unknown %s (field = %d)" +msgstr "%s unbekannt (Feld = %d)" + +#: ../../src/lib/gssapi/krb5/acquire_cred.c:165 +#, c-format +msgid "No key table entry found matching %s" +msgstr "Es wurde kein zu %s passender Schlüsseltabelleneintrag gefunden." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161 +msgid "The routine completed successfully" +msgstr "Die Routine wurde erfolgreich abgeschlossen" + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170 +msgid "A required output parameter could not be written" +msgstr "Ein erforderlicher Ausgabeparameter konnte nicht geschrieben werden." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212 +msgid "A token had an invalid Message Integrity Check (MIC)" +msgstr "" +"Ein Merkmal hatte eine ungültige Meldungsintegritätsprüfung (Message " +"Integrity Check/MIC)." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217 +msgid "" +"No credentials were supplied, or the credentials were unavailable or " +"inaccessible" +msgstr "" +"Es wurden keine Anmeldedaten übergeben oder die Anmeldedaten waren nicht " +"verfügbar bzw. ein Zugriff darauf nicht möglich." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227 +msgid "Invalid token was supplied" +msgstr "Es wurde ein ungültiges Token übergeben." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231 +msgid "Invalid credential was supplied" +msgstr "ungültige Anmeldedaten wurden übergeben" + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235 +msgid "The referenced credential has expired" +msgstr "Die referenzierten Anmeldedaten sind abgelaufen." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239 +msgid "The referenced context has expired" +msgstr "Der referenzierte Kontext ist abgelaufen." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243 +msgid "Unspecified GSS failure. Minor code may provide more information" +msgstr "" +"nicht spezifizierter GSS-Fehlschlag. Möglicherweise stellt der " +"untergeordnete Code weitere Informationen bereit." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248 +msgid "The quality-of-protection (QOP) requested could not be provided" +msgstr "" +"Die Qualität des Schutzes (quality-of-protection/QOP) konnte nicht " +"bereitgestellt werden." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253 +msgid "The operation is forbidden by local security policy" +msgstr "Die Aktion wird durch die lokale Sicherheitsrichtinie verboten." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258 +msgid "The operation or option is not available or unsupported" +msgstr "" +"Die Aktion oder Option ist nicht verfügbar oder wird nicht unterstützt." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263 +msgid "The requested credential element already exists" +msgstr "Das angeforderte Anmeldedatenelement existiert bereits." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268 +msgid "The provided name was not mechanism specific (MN)" +msgstr "Der bereitgestellte Name war nicht mechanismusspezifisch (MN)." + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329 +msgid "An expected per-message token was not received" +msgstr "Ein erwartetes nachrichtenspezifisches Token wurde nicht empfangen." + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1860 +msgid "SPNEGO cannot find mechanisms to negotiate" +msgstr "SPNEGO kann keine Mechanismen zum Aushandeln finden." + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1865 +msgid "SPNEGO failed to acquire creds" +msgstr "SPNEGO ist beim Beschaffen von Anmeldedaten gescheitert" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1870 +msgid "SPNEGO acceptor did not select a mechanism" +msgstr "SPNEGO-Abnehmer hat keinen Mechanismus ausgewählt" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1875 +msgid "SPNEGO failed to negotiate a mechanism" +msgstr "SPNEGO ist beim Aushandeln eines Mechanismus gescheitert." + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1880 +msgid "SPNEGO acceptor did not return a valid token" +msgstr "SPNEGO-Abnehmer hat kein gültiges Token zurückgeliefert" + +#: ../../src/lib/kadm5/alt_prof.c:854 +#, c-format +msgid "Cannot resolve address of admin server \"%s\" for realm \"%s\"" +msgstr "" +"Adresse des Admin-Servers »%s« für Realm »%s« kann nicht ermittelt werden" + +#: ../../src/lib/kadm5/logger.c:56 +#, c-format +msgid "%s: cannot parse <%s>\n" +msgstr "%s: <%s> kann nicht ausgewertet werden\n" + +#: ../../src/lib/kadm5/logger.c:57 +#, c-format +msgid "%s: warning - logging entry syntax error\n" +msgstr "%s: Warnung – Syntaxfehler bei Protokolleintrag\n" + +#: ../../src/lib/kadm5/logger.c:58 +#, c-format +msgid "%s: error writing to %s\n" +msgstr "%s: Fehler beim Schreiben auf %s\n" + +#: ../../src/lib/kadm5/logger.c:59 +#, c-format +msgid "%s: error writing to %s device\n" +msgstr "%s: Fehler beim Schreiben auf Gerät %s\n" + +#: ../../src/lib/kadm5/logger.c:61 +msgid "EMERGENCY" +msgstr "NOTFALL" + +#: ../../src/lib/kadm5/logger.c:62 +msgid "ALERT" +msgstr "ALARM" + +#: ../../src/lib/kadm5/logger.c:63 +msgid "CRITICAL" +msgstr "KRITISCH" + +#: ../../src/lib/kadm5/logger.c:64 +msgid "Error" +msgstr "Fehler" + +#: ../../src/lib/kadm5/logger.c:65 +msgid "Warning" +msgstr "Warnung" + +#: ../../src/lib/kadm5/logger.c:66 +msgid "Notice" +msgstr "Hinweis" + +#: ../../src/lib/kadm5/logger.c:67 +msgid "info" +msgstr "Information" + +#: ../../src/lib/kadm5/logger.c:68 +msgid "debug" +msgstr "Fehlersuchmeldung" + +#: ../../src/lib/kadm5/logger.c:967 +#, c-format +msgid "Couldn't open log file %s: %s\n" +msgstr "Protokolldatei %s konnte nicht geöffnet werden: %s\n" + +#: ../../src/lib/kadm5/srv/kadm5_hook.c:119 +#, c-format +msgid "kadm5_hook %s failed postcommit %s: %s" +msgstr "»kadm5_hook« %s ist beim Nach-Commit %s gescheitert: %s" + +#: ../../src/lib/kadm5/srv/pwqual_dict.c:106 +msgid "No dictionary file specified, continuing without one." +msgstr "keine Wörterbuchdatei angegeben, es wird ohne fortgefahren" + +#: ../../src/lib/kadm5/srv/pwqual_dict.c:113 +#, c-format +msgid "WARNING! Cannot find dictionary file %s, continuing without one." +msgstr "" +"WARNUNG! Wörterbuchdatei %s kann nicht gefunden werden, es wird ohne " +"fortgefahren" + +#: ../../src/lib/kadm5/srv/pwqual_empty.c:42 +msgid "Empty passwords are not allowed" +msgstr "Leere Passwörter sind nicht erlaubt." + +#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114 +msgid "Password may not match user information." +msgstr "Das Passwort darf keinen Anwenderdaten entsprechen." + +#: ../../src/lib/kadm5/srv/pwqual_princ.c:54 +msgid "Password may not match principal name" +msgstr "Das Passwort darf nicht mit dem Principal-Namen übereinstimmen." + +#: ../../src/lib/kadm5/srv/server_acl.c:89 +#, c-format +msgid "%s: line %d too long, truncated" +msgstr "%s: Zeile %d zu lang, wurde gekürzt" + +#: ../../src/lib/kadm5/srv/server_acl.c:90 +#, c-format +msgid "Unrecognized ACL operation '%c' in %s" +msgstr "unbekannte ACL-Aktion »%c« in %s" + +#: ../../src/lib/kadm5/srv/server_acl.c:92 +#, c-format +msgid "%s: syntax error at line %d <%10s...>" +msgstr "%s: Syntaxfehler in Zeile %d <%10s …>" + +#: ../../src/lib/kadm5/srv/server_acl.c:94 +#, c-format +msgid "%s while opening ACL file %s" +msgstr "%s beim Öffnen der ACL-Datei %s" + +#: ../../src/lib/kadm5/srv/server_acl.c:353 +#, c-format +msgid "%s: invalid restrictions: %s" +msgstr "%s: ungültige Beschränkung: %s" + +#: ../../src/lib/kadm5/srv/server_kdb.c:192 +msgid "History entry contains no key data" +msgstr "Chronikeintrag enthält keine Schlüsseldaten" + +#: ../../src/lib/kadm5/srv/server_misc.c:128 +#, c-format +msgid "password quality module %s rejected password for %s: %s" +msgstr "" +"Das Modul %s für Passwortqualität hat das Passwort für %s abgelehnt: %s" + +#: ../../src/lib/kadm5/str_conv.c:80 +msgid "Not Postdateable" +msgstr "nicht vordatierbar" + +#: ../../src/lib/kadm5/str_conv.c:81 +msgid "Not Forwardable" +msgstr "nicht weiterleitbar" + +#: ../../src/lib/kadm5/str_conv.c:82 +msgid "No TGT-based requests" +msgstr "keine TGT-basierten Anfragen" + +#: ../../src/lib/kadm5/str_conv.c:83 +msgid "Not renewable" +msgstr "nicht erneuerbar" + +#: ../../src/lib/kadm5/str_conv.c:84 +msgid "Not proxiable" +msgstr "Proxy nicht nutzbar" + +#: ../../src/lib/kadm5/str_conv.c:85 +msgid "No DUP_SKEY requests" +msgstr "keine DUP_SKEY-Anfragen" + +#: ../../src/lib/kadm5/str_conv.c:86 +msgid "All Tickets Disallowed" +msgstr "keine Tickets erlaubt" + +#: ../../src/lib/kadm5/str_conv.c:87 +msgid "Preauthentication required" +msgstr "Vorauthentifizierung erforderlich" + +#: ../../src/lib/kadm5/str_conv.c:88 +msgid "HW authentication required" +msgstr "HW-Authentifizierung erforderlich" + +#: ../../src/lib/kadm5/str_conv.c:89 +msgid "OK as Delegate" +msgstr "OK als Vertreter" + +#: ../../src/lib/kadm5/str_conv.c:90 +msgid "Password Change required" +msgstr "Passwortänderung erforderlich" + +#: ../../src/lib/kadm5/str_conv.c:91 +msgid "Service Disabled" +msgstr "Dienst deaktiviert" + +#: ../../src/lib/kadm5/str_conv.c:92 +msgid "Password Changing Service" +msgstr "Passwortänderungsdienst" + +#: ../../src/lib/kadm5/str_conv.c:93 +msgid "RSA-MD5 supported" +msgstr "RSA-MD5 unterstützt" + +#: ../../src/lib/kadm5/str_conv.c:94 +msgid "Protocol transition with delegation allowed" +msgstr "Protokollübergang mit Vertretung erlaubt" + +#: ../../src/lib/kadm5/str_conv.c:95 +msgid "No authorization data required" +msgstr "keine Autorisierungsdaten erforderlich" + +#: ../../src/lib/kdb/kdb5.c:219 +msgid "No default realm set; cannot initialize KDB" +msgstr "kein Standard-Realm gesetzt; KDB kann nicht initialisiert werden" + +#: ../../src/lib/kdb/kdb5.c:324 ../../src/lib/kdb/kdb5.c:406 +#, c-format +msgid "Unable to find requested database type: %s" +msgstr "angeforderter Datenbanktyp kann nicht gefunden werden. %s" + +#: ../../src/lib/kdb/kdb5.c:416 +#, c-format +msgid "plugin symbol 'kdb_function_table' lookup failed: %s" +msgstr "" +"Nachschlagen des Erweiterungssymbols »kdb_function_table« fehlgeschlagen: %s" + +#: ../../src/lib/kdb/kdb5.c:426 +#, c-format +msgid "" +"Unable to load requested database module '%s': plugin symbol " +"'kdb_function_table' not found" +msgstr "" +"angefordertes Datenbankmodul »%s« kann nicht geladen werden: " +"Erweiterungssymbol »kdb_function_table« nicht gefunden" + +#: ../../src/lib/kdb/kdb5.c:1650 +#, c-format +msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n" +msgstr "Ungültige Versionsnummer für KRB5_TL_MKEY_AUX %d\n" + +#: ../../src/lib/kdb/kdb5.c:1819 +#, c-format +msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n" +msgstr "Ungültige Versionsnummer für KRB5_TL_ACTKVNO %d\n" + +#: ../../src/lib/kdb/kdb_default.c:164 +#, c-format +msgid "keyfile (%s) is not a regular file: %s" +msgstr "Schlüsseldatei (%s) ist keine normale Datei: %s" + +#: ../../src/lib/kdb/kdb_default.c:177 +msgid "Could not create temp keytab file name." +msgstr "Temporärer Schlüsseltabellendateiname konnte nicht erstellt werden." + +#: ../../src/lib/kdb/kdb_default.c:202 +#, c-format +msgid "Temporary stash file already exists: %s." +msgstr "Temporäre Ablagedatei existiert bereits: %s." + +#: ../../src/lib/kdb/kdb_default.c:230 +#, c-format +msgid "rename of temporary keyfile (%s) to (%s) failed: %s" +msgstr "" +"Umbenennen von temporärer Schlüsseldatei (%s) in (%s) fehlgeschlagen: %s" + +#: ../../src/lib/kdb/kdb_default.c:419 +#, c-format +msgid "Can not fetch master key (error: %s)." +msgstr "Hauptschlüssel kann nicht abgeholt werden (Fehler: %s)" + +#: ../../src/lib/kdb/kdb_default.c:482 +msgid "Unable to decrypt latest master key with the provided master key\n" +msgstr "" +"Letzter Hauptschlüssel kann nicht mit dem bereitgestellten Hauptschlüssel " +"entschlüsselt werden.\n" + +#: ../../src/lib/kdb/kdb_log.c:83 +msgid "could not sync ulog header to disk" +msgstr "Ulog-Kopfzeilen konnten nicht auf die Platte synchronisiert werden" + +#: ../../src/lib/krb5/ccache/cc_dir.c:122 +#, c-format +msgid "Subsidiary cache path %s has no parent directory" +msgstr "" +"Ergänzender Zwischenspeicherpfad %s hat kein übergeordnetes Verzeichnis." + +#: ../../src/lib/krb5/ccache/cc_dir.c:128 +#, c-format +msgid "Subsidiary cache path %s filename does not begin with \"tkt\"" +msgstr "" +"Dateiname des ergänzenden Zwischenspeicherpfads %s beginnt nicht mit »tkt«" + +#: ../../src/lib/krb5/ccache/cc_dir.c:169 +#, c-format +msgid "%s contains invalid filename" +msgstr "%s enthält einen ungültigen Dateinamen." + +#: ../../src/lib/krb5/ccache/cc_dir.c:229 +#, c-format +msgid "Credential cache directory %s does not exist" +msgstr "Anmeldedatenzwischenspeicherverzeichnis %s existiert nicht." + +#: ../../src/lib/krb5/ccache/cc_dir.c:235 +#, c-format +msgid "Credential cache directory %s exists but is not a directory" +msgstr "" +"Anmeldedatenzwischenspeicherverzeichnis %s existiert, ist jedoch kein " +"Verzeichnis" + +#: ../../src/lib/krb5/ccache/cc_dir.c:400 +msgid "" +"Can't create new subsidiary cache because default cache is not a directory " +"collection" +msgstr "" +"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der " +"Standardzwischenspeicher keine Ansammlung von Verzeichnissen ist." + +#: ../../src/lib/krb5/ccache/cc_file.c:569 +#, c-format +msgid "Credentials cache file '%s' not found" +msgstr "Anmeldedatenzwischenspeicherdatei »%s« nicht gefunden" + +#: ../../src/lib/krb5/ccache/cc_file.c:1575 +#, c-format +msgid "Credentials cache I/O operation failed (%s)" +msgstr "Anmeldedatenzwischenspeicher-E/A-Aktion fehlgeschlagen (%s)" + +#: ../../src/lib/krb5/ccache/cc_keyring.c:1151 +msgid "" +"Can't create new subsidiary cache because default cache is already a " +"subsidiary" +msgstr "" +"Der neue ergänzende Zwischenspeicher kann nicht erstellt werden, da der " +"Standardzwischenspeicher bereits eine Ergänzung ist." + +#: ../../src/lib/krb5/ccache/cc_keyring.c:1219 +#, c-format +msgid "Credentials cache keyring '%s' not found" +msgstr "Schlüsselbund %s des Anmeldedatenzwischenspeichers nicht gefunden" + +#: ../../src/lib/krb5/ccache/cccursor.c:212 +#, c-format +msgid "Can't find client principal %s in cache collection" +msgstr "" +"Client-Principal %s kann nicht in der Zwischenspeicheransammlung gefunden " +"werden" + +#: ../../src/lib/krb5/ccache/cccursor.c:253 +msgid "No Kerberos credentials available" +msgstr "keine Kerberos-Anmeldedaten verfügbar" + +#: ../../src/lib/krb5/keytab/kt_file.c:398 +#, c-format +msgid "No key table entry found for %s" +msgstr "Für %s wurde kein Schlüsseltabelleneintrag gefunden." + +#: ../../src/lib/krb5/keytab/kt_file.c:815 +#: ../../src/lib/krb5/keytab/kt_file.c:848 +msgid "Cannot change keytab with keytab iterators active" +msgstr "" +"Schlüsseltabelle mit aktiven Schlüsseltabelleniteratoren kann nicht geändert " +"werden" + +#: ../../src/lib/krb5/keytab/kt_file.c:1047 +#, c-format +msgid "Key table file '%s' not found" +msgstr "Schlüsseltabellendatei »%s« nicht gefunden" + +#: ../../src/lib/krb5/keytab/ktfns.c:127 +#, c-format +msgid "Keytab %s is nonexistent or empty" +msgstr "Schlüsseltabelle %s existiert nicht oder ist leer" + +#: ../../src/lib/krb5/krb/chpw.c:251 +msgid "Malformed request error" +msgstr "Fehler wegen Anfrage in falscher Form" + +#: ../../src/lib/krb5/krb/chpw.c:254 ../lib/krb5/error_tables/kdb5_err.c:58 +msgid "Server error" +msgstr "Serverfehler" + +#: ../../src/lib/krb5/krb/chpw.c:257 +msgid "Authentication error" +msgstr "Authentifizierungsfehler" + +#: ../../src/lib/krb5/krb/chpw.c:260 +msgid "Password change rejected" +msgstr "Passwortänderung abgelehnt" + +#: ../../src/lib/krb5/krb/chpw.c:263 +msgid "Access denied" +msgstr "Zugriff verweigert" + +#: ../../src/lib/krb5/krb/chpw.c:266 +msgid "Wrong protocol version" +msgstr "falsche Protokollversion" + +#: ../../src/lib/krb5/krb/chpw.c:269 +msgid "Initial password required" +msgstr "Erstpasswort erforderlich" + +#: ../../src/lib/krb5/krb/chpw.c:272 +msgid "Success" +msgstr "Erfolg" + +#: ../../src/lib/krb5/krb/chpw.c:275 ../lib/krb5/error_tables/krb5_err.c:257 +msgid "Password change failed" +msgstr "Ändern des Passworts fehlgeschlagen" + +#: ../../src/lib/krb5/krb/chpw.c:433 +msgid "" +"The password must include numbers or symbols. Don't include any part of " +"your name in the password." +msgstr "" +"Das Passwort muss Zahlen oder Symbole enthalten. Fügen Sie keinen Teil Ihres " +"Namens in das Passwort ein." + +#: ../../src/lib/krb5/krb/chpw.c:439 +#, c-format +msgid "The password must contain at least %d character." +msgid_plural "The password must contain at least %d characters." +msgstr[0] "Das Passwort muss mindestens %d Zeichen enthalten." +msgstr[1] "Das Passwort muss mindestens %d Zeichen enthalten." + +#: ../../src/lib/krb5/krb/chpw.c:448 +#, c-format +msgid "The password must be different from the previous password." +msgid_plural "The password must be different from the previous %d passwords." +msgstr[0] "Das Passwort muss sich vom vorhergehenden Passwort unterscheiden." +msgstr[1] "" +"Das Passwort muss sich von den vorhergehenden %d Passwörtern unterscheiden." + +#: ../../src/lib/krb5/krb/chpw.c:460 +#, c-format +msgid "The password can only be changed once a day." +msgid_plural "The password can only be changed every %d days." +msgstr[0] "Das Passwort kann nur einmal täglich geändert werden." +msgstr[1] "Das Passwort kann nur alle %d Tage geändert werden." + +#: ../../src/lib/krb5/krb/chpw.c:506 +msgid "Try a more complex password, or contact your administrator." +msgstr "" +"Versuchen Sie es mit einem etwas komplexeren Passwort oder wenden Sie sich " +"an Ihren Administrator." + +#: ../../src/lib/krb5/krb/fast.c:217 +#, c-format +msgid "%s constructing AP-REQ armor" +msgstr "%s-Konstruktion von AP-REQ-Schutz" + +#: ../../src/lib/krb5/krb/fast.c:399 +#, c-format +msgid "%s while decrypting FAST reply" +msgstr "%s beim Entschlüsseln der FAST-Antwort" + +#: ../../src/lib/krb5/krb/fast.c:408 +msgid "nonce modified in FAST response: KDC response modified" +msgstr "" +"Nummer für einmaligen Gebrauch in der FAST-Anwort geändert: KDC-Anwort " +"geändert" + +#: ../../src/lib/krb5/krb/fast.c:474 +msgid "Expecting FX_ERROR pa-data inside FAST container" +msgstr "Innerhalb des FAST-Containers wird »FX_ERROR pa-data« erwartet." + +#: ../../src/lib/krb5/krb/fast.c:545 +msgid "FAST response missing finish message in KDC reply" +msgstr "Der FAST-Anwort fehlt die Beendigungsnachricht in der KDC-Anwort" + +#: ../../src/lib/krb5/krb/fast.c:558 +msgid "Ticket modified in KDC reply" +msgstr "Ticket in der KDC-Antwort verändert" + +#: ../../src/lib/krb5/krb/gc_via_tkt.c:208 +#, c-format +msgid "KDC returned error string: %.*s" +msgstr "KDC gab eine Fehlermeldung zurück: %.*s" + +#: ../../src/lib/krb5/krb/gc_via_tkt.c:217 +#, c-format +msgid "Server %s not found in Kerberos database" +msgstr "Server %s wurde nicht in der Kerberos-Datenbank gefunden" + +#: ../../src/lib/krb5/krb/get_in_tkt.c:133 +msgid "Reply has wrong form of session key for anonymous request" +msgstr "" +"Antwort hat die falsche Form des Sitzungschlüssels für eine anonyme Anfrage" + +#: ../../src/lib/krb5/krb/get_in_tkt.c:1628 +#, c-format +msgid "%s while storing credentials" +msgstr "%s beim Speichern der Anmeldedaten" + +#: ../../src/lib/krb5/krb/get_in_tkt.c:1715 +#, c-format +msgid "Client '%s' not found in Kerberos database" +msgstr "Client »%s« wurde nicht in der Kerberos-Datenbank gefunden" + +#: ../../src/lib/krb5/krb/gic_keytab.c:207 +#, c-format +msgid "Keytab contains no suitable keys for %s" +msgstr "Schlüsseltabelle enthält keine passenden Schlüssel für %s" + +#: ../../src/lib/krb5/krb/gic_pwd.c:75 +#, c-format +msgid "Password for %s" +msgstr "Passwort für %s" + +#: ../../src/lib/krb5/krb/gic_pwd.c:227 +#, c-format +msgid "Warning: Your password will expire in less than one hour on %s" +msgstr "" +"Warnung: Ihr Passwort auf %s wird in weniger als einer Stunde ablaufen." + +# FIXME in German impossible; plural without »s« +#: ../../src/lib/krb5/krb/gic_pwd.c:231 +#, c-format +msgid "Warning: Your password will expire in %d hour%s on %s" +msgstr "Warnung: Ihr Passwort wird in %d Stunden%s am %s ablaufen." + +#: ../../src/lib/krb5/krb/gic_pwd.c:235 +#, c-format +msgid "Warning: Your password will expire in %d days on %s" +msgstr "Warnung: Ihr Passwort wird in %d Tagen am %s ablaufen." + +#: ../../src/lib/krb5/krb/gic_pwd.c:409 +msgid "Password expired. You must change it now." +msgstr "Passwort abgelaufen. Sie müssen es nun ändern." + +#: ../../src/lib/krb5/krb/gic_pwd.c:428 ../../src/lib/krb5/krb/gic_pwd.c:432 +#, c-format +msgid "%s. Please try again." +msgstr "%s. Bitte versuchen Sie es erneut." + +#: ../../src/lib/krb5/krb/gic_pwd.c:471 +#, c-format +msgid "%.*s%s%s. Please try again.\n" +msgstr "%.*s%s%s. Bitte versuchen Sie es erneut.\n" + +#: ../../src/lib/krb5/krb/parse.c:203 +#, c-format +msgid "Principal %s is missing required realm" +msgstr "Principal %s fehlt erforderlicher Realm" + +#: ../../src/lib/krb5/krb/parse.c:215 +#, c-format +msgid "Principal %s has realm present" +msgstr "Für Principal %s ist Realm vorhanden" + +#: ../../src/lib/krb5/krb/plugin.c:165 +#, c-format +msgid "Invalid module specifier %s" +msgstr "ungültiger Modulbezeichner %s" + +#: ../../src/lib/krb5/krb/plugin.c:402 +#, c-format +msgid "Could not find %s plugin module named '%s'" +msgstr "Das Erweiterungsmodul %s namens »%s« konnte nicht gefunden werden." + +#: ../../src/lib/krb5/krb/preauth2.c:1018 +msgid "Unable to initialize preauth context" +msgstr "Vorauthentifizierungskontext konnte nicht initialisiert werden." + +#: ../../src/lib/krb5/krb/preauth2.c:1032 +#, c-format +msgid "Preauth module %s: %s" +msgstr "Vorauthentifizierungsmodul %s: %s" + +#: ../../src/lib/krb5/krb/preauth_otp.c:510 +msgid "Please choose from the following:\n" +msgstr "Bitte wählen Sie aus dem Folgenden aus:\n" + +#: ../../src/lib/krb5/krb/preauth_otp.c:511 +msgid "Vendor:" +msgstr "Anbieter:" + +#: ../../src/lib/krb5/krb/preauth_otp.c:523 +msgid "Enter #" +msgstr "Geben Sie # ein" + +#: ../../src/lib/krb5/krb/preauth_otp.c:559 +msgid "OTP Challenge:" +msgstr "Anforderung des Einwegpassworts:" + +#: ../../src/lib/krb5/krb/preauth_otp.c:588 +msgid "OTP Token PIN" +msgstr "Einwegpasswort-Token-PIN" + +#: ../../src/lib/krb5/krb/preauth_otp.c:702 +msgid "OTP value doesn't match any token formats" +msgstr "Wert des Einwegpassworts entspricht keinem Token-Format" + +#: ../../src/lib/krb5/krb/preauth_otp.c:769 +msgid "Enter OTP Token Value" +msgstr "Geben Sie den Wert des Einwegpasswort-Tokens an" + +#: ../../src/lib/krb5/krb/preauth_otp.c:914 +msgid "No supported tokens" +msgstr "keine unterstützten Token" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:49 +msgid "Challenge for Enigma Logic mechanism" +msgstr "Anforderung für Enigma-Logic-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:53 +msgid "Challenge for Digital Pathways mechanism" +msgstr "Anforderung für Digital-Pathway-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:57 +msgid "Challenge for Activcard mechanism" +msgstr "Anforderung für Activcard-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:60 +msgid "Challenge for Enhanced S/Key mechanism" +msgstr "Anforderung für erweiterten S/Key-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:63 +msgid "Challenge for Traditional S/Key mechanism" +msgstr "Anforderung für traditionellen S/Key-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:66 +#: ../../src/lib/krb5/krb/preauth_sam2.c:69 +msgid "Challenge for Security Dynamics mechanism" +msgstr "Anforderung für Security-Dynamics-Mechanismus" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:72 +msgid "Challenge from authentication server" +msgstr "Anforderung vom Authentifizierungsserver" + +#: ../../src/lib/krb5/krb/preauth_sam2.c:166 +msgid "SAM Authentication" +msgstr "SAM-Authentifizierung" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:145 +#, c-format +msgid "Cannot find key for %s kvno %d in keytab" +msgstr "" +"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:150 +#, c-format +msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" +msgstr "" +"Schlüssel für %s-KNVO %d kann nicht in der Schlüsseltabelle gefunden werden " +"(angefragter Ticketserver %s)" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:175 +#, c-format +msgid "Cannot decrypt ticket for %s using keytab key for %s" +msgstr "" +"Ticket für %s kann nicht mittels des Schlüsseltabellenschlüssels für %s " +"entschlüsselt werden" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:197 +#, c-format +msgid "Server principal %s does not match request ticket server %s" +msgstr "Server-Principal %s passt nicht zum abgefragten Ticketserver %s" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:226 +msgid "No keys in keytab" +msgstr "keine Schlüssel in der Schlüsseltabelle" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:229 +#, c-format +msgid "Server principal %s does not match any keys in keytab" +msgstr "" +"Server-Principal %s hat keinen passenden Schlüssel in der Schlüsseltabelle" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:236 +#, c-format +msgid "" +"Request ticket server %s found in keytab but does not match server principal " +"%s" +msgstr "" +"abgefragter Ticketserver %s wurde in der Schlüsseltabelle gefunden, er passte " +"jedoch nicht zu Server-Principal %s" + +#: ../../src/lib/krb5/krb/rd_req_dec.c:241 +#, c-format +msgid "Request ticket server %s not found in keytab (ticket kvno %d)" +msgstr "" +"Abgefragter Ticketserver %s wurde nicht in der Schlüsseltabelle gefunden " +"(Ticket KVNO %d)." + +#: ../../src/lib/krb5/krb/rd_req_dec.c:247 +#, c-format +msgid "" +"Request ticket server %s kvno %d not found in keytab; ticket is likely out " +"of date" +msgstr "" +"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " +"gefunden; Ticket ist wahrscheinlich abgelaufen." + +#: ../../src/lib/krb5/krb/rd_req_dec.c:252 +#, c-format +msgid "" +"Request ticket server %s kvno %d not found in keytab; keytab is likely out " +"of date" +msgstr "" +"Abgefragter Ticketserver %s KVNO %d wurde nicht in der Schlüsseltabelle " +"gefunden; Schlüsseltabelle ist wahrscheinlich nicht mehr aktuell." + +#: ../../src/lib/krb5/krb/rd_req_dec.c:261 +#, c-format +msgid "" +"Request ticket server %s kvno %d found in keytab but not with enctype %s" +msgstr "" +"Abgefragter Ticketserver %s KVNO %d wurde in der Schlüsseltabelle gefunden, " +"jedoch nicht mit Verschlüsselungstyp %s." + +#: ../../src/lib/krb5/krb/rd_req_dec.c:266 +#, c-format +msgid "" +"Request ticket server %s kvno %d enctype %s found in keytab but cannot " +"decrypt ticket" +msgstr "" +"Abgefragter Ticketserver %s KVNO %d mit Verschlüsselungstyp %s in der " +"Schlüsseltabelle gefunden, Ticket kann jedoch nicht entschlüsselt werden." + +#: ../../src/lib/krb5/krb/rd_req_dec.c:897 +#, c-format +msgid "Encryption type %s not permitted" +msgstr "Verschlüsselungstyp %s nicht erlaubt" + +#: ../../src/lib/krb5/os/expand_path.c:316 +#, c-format +msgid "Can't find username for uid %lu" +msgstr "Zu UID %lu kann kein Benutzername gefunden werden." + +#: ../../src/lib/krb5/os/expand_path.c:405 +#: ../../src/lib/krb5/os/expand_path.c:421 +msgid "Invalid token" +msgstr "ungültiges Token" + +#: ../../src/lib/krb5/os/expand_path.c:506 +msgid "variable missing }" +msgstr "Variable fehlt }" + +#: ../../src/lib/krb5/os/locate_kdc.c:660 +#, c-format +msgid "Cannot find KDC for realm \"%.*s\"" +msgstr "KDC für Realm »%.*s« kann nicht gefunden werden" + +#: ../../src/lib/krb5/os/sendto_kdc.c:475 +#, c-format +msgid "Cannot contact any KDC for realm '%.*s'" +msgstr "für Realm »%.*s« kann nicht KDC kontaktiert werden" + +#: ../../src/lib/krb5/rcache/rc_io.c:106 +#, c-format +msgid "Cannot fstat replay cache file %s: %s" +msgstr "»fstat« für Antwortzwischenspeicherdatei %s nicht möglich: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:112 +#, c-format +msgid "" +"Insecure mkstemp() file mode for replay cache file %s; try running this " +"program with umask 077" +msgstr "" +"unsicherer mkstemp()-Dateimodus für Antwortzwischenspeicherdatei %s; " +"versuchen Sie, dieses Programm mit der Umask 077 auszuführen" + +#: ../../src/lib/krb5/rcache/rc_io.c:144 +#, c-format +msgid "Cannot %s replay cache file %s: %s" +msgstr "%s der Wiederholungszwischenspeicherdatei %s nicht möglich: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:149 +#, c-format +msgid "Cannot %s replay cache: %s" +msgstr "%s des Wiederholungszwischenspeichers nicht möglich: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:272 +#, c-format +msgid "Insecure file mode for replay cache file %s" +msgstr "unsicherer Dateimodus für Wiederholungszwischenspeicherdatei %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:278 +#, c-format +msgid "rcache not owned by %d" +msgstr "Rcache gehört nicht %d" + +#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406 +#: ../../src/lib/krb5/rcache/rc_io.c:411 +#, c-format +msgid "Can't write to replay cache: %s" +msgstr "" +"in Wiederholungszwischenspeicherdatei kann nicht geschrieben werden: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:432 +#, c-format +msgid "Cannot sync replay cache file: %s" +msgstr "" +"Wiederholungszwischenspeicherdatei kann nicht synchronisiert werden: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:451 +#, c-format +msgid "Can't read from replay cache: %s" +msgstr "aus dem Wiederholungszwischenspeicher kann nicht gelesen werden: %s" + +#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488 +#: ../../src/lib/krb5/rcache/rc_io.c:493 +#, c-format +msgid "Can't destroy replay cache: %s" +msgstr "Wiederholungszwischenspeicher kann nicht vernichtet werden: %s" + +#: ../../src/plugins/kdb/db2/kdb_db2.c:245 +#: ../../src/plugins/kdb/db2/kdb_db2.c:830 +#, c-format +msgid "Unsupported argument \"%s\" for db2" +msgstr "nicht unterstütztes Argument »%s« für DB2" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:887 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1088 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1507 +msgid "while reading kerberos container information" +msgstr "beim Lesen der Kerberos-Container-Information" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 +msgid "while providing time specification" +msgstr "beim Bereitstellen der Zeitspezifikation" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 +msgid "while creating policy object" +msgstr "beim Erstellen des Richtlinienobjekts" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1515 +msgid "while reading realm information" +msgstr "beim Lesen der Realm-Information" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 +msgid "while destroying policy object" +msgstr "beim Zerstören des Richtlinienobjekts" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 +#, c-format +msgid "This will delete the policy object '%s', are you sure?\n" +msgstr "Dies wird das Richtlinienobjekt »%s« löschen, sind Sie sicher?\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 +msgid "while modifying policy object" +msgstr "beim Ändern des Richtlinienobjekts" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 +#, c-format +msgid "while reading information of policy '%s'" +msgstr "beim Lesen der Information der Richtlinie »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 +msgid "while viewing policy" +msgstr "beim Betrachten der Richtlinie" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 +#, c-format +msgid "while viewing policy '%s'" +msgstr "beim Betrachten der Richtlinie »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 +msgid "while listing policy objects" +msgstr "beim Auflisten der Richtlinienobjekte" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 +#, c-format +msgid "for subtree while creating realm '%s'" +msgstr "für einen Teilbaum beim Erstellen von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 +#, c-format +msgid "for container reference while creating realm '%s'" +msgstr "für Container-Bezug beim Erstellen von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:489 +#, c-format +msgid "invalid search scope while creating realm '%s'" +msgstr "ungültiger Suchbereich beim Erstellen von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:504 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:823 +#, c-format +msgid "'%s' is an invalid option\n" +msgstr "»%s« ist keine gültige Option\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:512 +#, c-format +msgid "Initializing database for realm '%s'\n" +msgstr "Datenbank für Realm »%s« wird initialisiert\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:536 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:696 +#, c-format +msgid "while creating realm '%s'" +msgstr "beim Erstellen von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:556 +#, c-format +msgid "Enter DN of Kerberos container: " +msgstr "Geben Sie die den DN des Kerberos-Containers ein: " + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:591 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:894 +#, c-format +msgid "while reading information of realm '%s'" +msgstr "beim Lesen der Information von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:733 +msgid "while reading Kerberos container information" +msgstr "beim Lesen der Kerberos-Container-Information" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:774 +#, c-format +msgid "for subtree while modifying realm '%s'" +msgstr "für einen Teilbaum beim Ändern von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:785 +#, c-format +msgid "for container reference while modifying realm '%s'" +msgstr "für Container-Bezug beim Ändern von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:812 +#, c-format +msgid "specified for search scope while modifying information of realm '%s'" +msgstr "" +"angegeben für Suchbereich, während die Information für Realm »%s« geändert " +"wird" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:851 +#, c-format +msgid "while modifying information of realm '%s'" +msgstr "beim Ändern der Information von Realm »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:940 +msgid "Realm Name" +msgstr "Realm-Name" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:943 +msgid "Subtree" +msgstr "Teilbaum" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 +msgid "Principal Container Reference" +msgstr "Principal-Container-Bezug" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:953 +msgid "SearchScope" +msgstr "Suchbereich" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:951 +msgid "Invalid !" +msgstr "ungültig!" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:958 +msgid "KDC Services" +msgstr "KDC-Dienste" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:973 +msgid "Admin Services" +msgstr "Administratordienste" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:988 +msgid "Passwd Services" +msgstr "Passwortdienste" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1004 +msgid "Maximum Ticket Life" +msgstr "maximale Ticketlebensdauer" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1009 +msgid "Maximum Renewable Life" +msgstr "maximale verlängerbare Lebensdauer" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1016 +msgid "Ticket flags" +msgstr "Ticket-Flags" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1095 +msgid "while listing realms" +msgstr "beim Auflisten der Realms" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1439 +msgid "while adding entries to database" +msgstr "beim Hinzufügen von Einträgen zur Datenbank" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1480 +#, c-format +msgid "Deleting KDC database of '%s', are you sure?\n" +msgstr "" +"Sind Sie sicher, dass die KDC-Datenbank von »%s« gelöscht werden soll?\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491 +#, c-format +msgid "OK, deleting database of '%s'...\n" +msgstr "OK, die Datenbank von »%s« wird gelöscht …\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1524 +#, c-format +msgid "deleting database of '%s'" +msgstr "Die Datenbank von »%s« wird gelöscht." + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1529 +#, c-format +msgid "** Database of '%s' destroyed.\n" +msgstr "** Datenbank von »%s« vernichtet\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:81 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:88 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:96 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:104 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:120 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:148 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227 +msgid "while setting service object password" +msgstr "beim Setzen des Passworts für das Dienstobjekt" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:140 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477 +#, c-format +msgid "Password for \"%s\"" +msgstr "Passwort für »%s«" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:143 +#, c-format +msgid "Re-enter password for \"%s\"" +msgstr "Geben Sie das Passwort für »%s« erneut ein." + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:154 +#, c-format +msgid "%s: Invalid password\n" +msgstr "%s: ungültiges Passwort\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:170 +msgid "Failed to convert the password to hexadecimal" +msgstr "Das Umwandeln des Passworts in Dezimalschreibweise ist fehlgeschlagen." + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:183 +#, c-format +msgid "Failed to open file %s: %s" +msgstr "Datei %s konnte nicht geöffnet werden: %s" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:205 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:247 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:256 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:283 +msgid "Failed to write service object password to file" +msgstr "" +"Schreiben des Passworts für das Dienstobjekt in eine Datei fehlgeschlagen" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:211 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:268 +msgid "Error reading service object password file" +msgstr "Fehler beim Lesen der Passwortdatei für das Dienstobjekt" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236 +#, c-format +msgid "Error creating file %s" +msgstr "Fehler beim Erstellen der Datei %s" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 +#, c-format +msgid "" +"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" +"\tcmd [cmd_options]\n" +"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" +"containerref container_reference_dn]\n" +"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" +"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" +"\t\t[ticket_flags] [-r realm]\n" +"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" +"containerref container_reference_dn]\n" +"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" +"\t\t[ticket_flags] [-r realm]\n" +"view [-r realm]\n" +"destroy [-f] [-r realm]\n" +"list\n" +"stashsrvpw [-f filename] service_dn\n" +"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" +"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" +"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" +"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" +"view_policy [-r realm] policy\n" +"destroy_policy [-r realm] [-force] policy\n" +"list_policy [-r realm]\n" +msgstr "" +"Aufruf: kdb5_ldap_util [-D Benutzer-DN [-w Passwort]] [-H LDAP-URI]\n" +"\tcmd [Befehlsoptionen]\n" +"create [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" +"containerref Container-Bezug-DN]\n" +"\t\t[-m|-P Passwort|-sf Ablagedateiname] [-k mkeytype] [-kv mkeyVNO] [-s]\n" +"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" +"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" +"\t\t[Ticket_Flags] [-r Realm]\n" +"modify [-subtrees DN-Liste_Teilbäume] [-sscope Suchbereich] [-" +"containerref Container-Bezug-DN]\n" +"\t\t[-maxtktlife maximale_Ticketlebensdauer]\n" +"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" +"\t\t[Ticket_Flags] [-r Realm]\n" +"view [-r Realm]\n" +"destroy [-f] [-r Realm]\n" +"list\n" +"stashsrvpw [-f Dateiname] Dienst-DN\n" +"create_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" +"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" +"\t\t[Ticket_Flags] Richtlinie\n" +"modify_policy [-r Realm] [-maxtktlife maximale_Ticketlebensdauer]\n" +"\t\t[-maxrenewlife maximale_Dauer_bis_zum_Erneuern_des_Tickets]\n" +"\t\t[Ticket_Flags] Richtlinie\n" +"view_policy [-r Realm] Richtlinie\n" +"destroy_policy [-r Realm] [-force] Richtlinie\n" +"list_policy [-r Realm]\n" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 +msgid "while reading ldap parameters" +msgstr "beim Lesen der LDAP-Parameter" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 +msgid "while initializing error handling" +msgstr "beim Initialisieren der Fehlerbehandlung" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 +msgid "while initializing ldap handle" +msgstr "beim Initialisieren des LDAP-Identifikators" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 +msgid "while retrieving ldap configuration" +msgstr "beim Abfragen der LDAP-Konfiguration" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 +msgid "while initializing server list" +msgstr "beim Initialisieren der Serverliste" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 +msgid "while setting up lib handle" +msgstr "ein Einrichten der BibliotheksIdentifikators" + +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 +msgid "while reading ldap configuration" +msgstr "beim Lesen der LDAP-Konfiguration" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 +msgid "Unable to read Kerberos container" +msgstr "Kerberos-Container kann nicht gelesen werden" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:74 +msgid "Unable to read Realm" +msgstr "Realm kann nicht gelesen werden" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:215 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 +msgid "Error processing LDAP DB params:" +msgstr "Fehler beim Verarbeiten der LDAP-Datenbankparameter:" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:222 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:80 +msgid "Error reading LDAP server params:" +msgstr "Fehler beim Lesen der LDAP-Server-Parameters:" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 +msgid "LDAP bind dn value missing" +msgstr "LDAP-Bindungs-DN-Wert fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 +msgid "LDAP bind password value missing" +msgstr "LDAP-Bindungs-Passwortwert fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:77 +msgid "Error reading password from stash: " +msgstr "Fehler beim Lesen des Passworts aus der Ablage: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 +msgid "Service password length is zero" +msgstr "Länge des Dienstpassworts ist Null" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 +#, c-format +msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" +msgstr "" +"mit LDAP-Server »%s« kann keine Verbindung mit SASL-Mechanismus »%s« " +"hergestellt werden: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 +#, c-format +msgid "Cannot bind to LDAP server '%s' as '%s': %s" +msgstr "" +"mit LDAP-Server »%s« kann keine Verbindung als »%s« hergestellt werden: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 +#, c-format +msgid "Cannot create LDAP handle for '%s': %s" +msgstr "LDAP-Identifikator für »%s« kann nicht erstellt werden: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:131 +msgid "could not complete roll-back, error deleting Kerberos Container" +msgstr "" +"Zurücksetzen kann nicht abgeschlossen werden, Fehler beim Löschen des " +"Kerberos-Containers" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 +msgid "Error reading kerberos container location from krb5.conf" +msgstr "" +"Fehler beim Lesen des Kerberos-Container-Speicherorts aus der »krb5.conf«." + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75 +msgid "Kerberos container location not specified" +msgstr "Kerberos-Container-Speicherort nicht angegeben" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:55 +#, c-format +msgid "Error reading '%s' attribute: %s" +msgstr "Fehler beim Lesen des Attributs »%s«: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:218 +msgid "KDB module requires -update argument" +msgstr "KDB-Modul benötigt Argument »-update«" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:224 +#, c-format +msgid "'%s' value missing" +msgstr "Wert »%s« fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:282 +#, c-format +msgid "unknown option '%s'" +msgstr "unbekannte Option »%s«" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:342 +msgid "Minimum connections required per server is 2" +msgstr "Die benötigte Mindestanzahl von Verbindungen pro Server ist zwei" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159 +msgid "Default realm not set" +msgstr "Standard-Realm nicht gesetzt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:262 +msgid "DN information missing" +msgstr "DN-Information fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:108 +msgid "Principal does not belong to realm" +msgstr "Principal gehört nicht zum Realm" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:278 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:287 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:295 +#, c-format +msgid "%s option not supported" +msgstr "Option %s wird nicht unterstützt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:302 +#, c-format +msgid "unknown option: %s" +msgstr "unbekannte Option: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:309 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:316 +#, c-format +msgid "%s option value missing" +msgstr "Wert der Option %s fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:542 +msgid "Principal does not belong to the default realm" +msgstr "Principal gehört nicht zum Standard-Realm" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:610 +#, c-format +msgid "" +"operation can not continue, more than one entry with principal name \"%s\" " +"found" +msgstr "" +"Die Aktion kann nicht fortfahren, da mehr als ein Principal namens »%s« " +"gefunden wurde." + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:673 +#, c-format +msgid "'%s' not found: " +msgstr "»%s« nicht gefunden: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:751 +msgid "DN is out of the realm subtree" +msgstr "DN liegt außerhalb ders Teilbaums des Realms" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:807 +#, c-format +msgid "ldap object is already kerberized" +msgstr "LDAP-Objekt ist bereits an Kerberos angepasst" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827 +#, c-format +msgid "" +"link information can not be set/updated as the kerberos principal belongs to " +"an ldap object" +msgstr "" +"Verweisinformation kann nicht eingerichtet/aktualisiert werden, da der " +"Kerberos-Principal zu einem LDAP-Objekt gehört." + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:842 +#, c-format +msgid "Failed getting object references" +msgstr "Holen von Objektbezügen fehlgeschlagen" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:849 +#, c-format +msgid "kerberos principal is already linked to a ldap object" +msgstr "Kerberos-Principal ist bereits mit einem LDAP-Objekt verknüpft" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1167 +msgid "ticket policy object value: " +msgstr "Wert des Ticket-Richtlinienobjekts: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1215 +#, c-format +msgid "Principal delete failed (trying to replace entry): %s" +msgstr "" +"Löschen des Principals fehlgeschlagen (es wird versucht, den Eintrag zu " +"ersetzen): %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1225 +#, c-format +msgid "Principal add failed: %s" +msgstr "Hinzufügen des Principals fehlgeschlagen: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1263 +#, c-format +msgid "User modification failed: %s" +msgstr "Änderung des Benutzers fehlgeschlagen: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1336 +msgid "Error reading ticket policy. " +msgstr "Fehler beim Lesen der Ticket-Richtlinie" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1402 +#, c-format +msgid "unable to decode stored principal key data (%s)" +msgstr "" +"Die gespeicherten Schlüsseldaten des Principals (%s) konnten nicht " +"dekodiert werden." + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 +msgid "Realm information not available" +msgstr "Realm-Information nicht verfügbar" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 +msgid "Error reading ticket policy: " +msgstr "Fehler beim Lesen der Ticket-Richtlinie:" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:307 +#, c-format +msgid "Realm Delete FAILED: %s" +msgstr "Löschen des Realms FEHLGESCHLAGEN: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:387 +msgid "subtree value: " +msgstr "Wert des Teilbaums: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:404 +msgid "container reference value: " +msgstr "Wert des Container-Bezugs: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:487 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:550 +msgid "Kerberos Container information is missing" +msgstr "Kerberos-Container-Information fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:499 +msgid "Invalid Kerberos container DN" +msgstr "ungültiger Kerberos-Container-DN" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:515 +#, c-format +msgid "Kerberos Container create FAILED: %s" +msgstr "Erstellen des Kerberos-Containers FEHLGESCHLAGEN: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:558 +#, c-format +msgid "Kerberos Container delete FAILED: %s" +msgstr "Löschen des Kerberos-Containers FEHLGESCHLAGEN: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:634 +msgid "realm object value: " +msgstr "Wert des Realm-Objekts: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 +msgid "Not a hexadecimal password" +msgstr "kein hexadezimales Passwort" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66 +msgid "Password corrupt" +msgstr "Passwort beschädigt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93 +#, c-format +msgid "Cannot open LDAP password file '%s': %s" +msgstr "LDAP-Passwortdatei »%s« kann nicht geöffnet werden: %s" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123 +#, c-format +msgid "Bind DN entry '%s' missing in LDAP password file '%s'" +msgstr "Bind-DN-Eintrag »%s« fehlt in der LDAP-Passwortdatei »%s«" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:56 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:132 +msgid "Ticket Policy Name missing" +msgstr "Ticket-Richtlinienname fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:144 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:221 +msgid "ticket policy object: " +msgstr "Ticket-Richtlinienobjekt: " + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:209 +msgid "Ticket Policy Object information missing" +msgstr "Ticket-Richtlinienobjekt-Information fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:300 +msgid "Ticket Policy Object DN missing" +msgstr "DN des Ticket-Richtlinienobjekts fehlt" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:327 +msgid "Delete Failed: One or more Principals associated with the Ticket Policy" +msgstr "" +"Löschen fehlgeschlagen: Ein oder mehrere Principals gehören zur Ticket-" +"Richtlinie." + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:435 +msgid "Error reading container object: " +msgstr "Fehler beim Lesen des Container-Objekts: " + +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:652 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4153 +msgid "Pass phrase for" +msgstr "Passphrase für" + +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1081 +#, c-format +msgid "Cannot create cert chain: %s" +msgstr "Zertifikatskette kann nicht erstellt werden: %s" + +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1408 +msgid "Invalid pkinit packet: octet string expected" +msgstr "ungültiges Pkinit-Paket: Achtbit-Zeichenkette erwartet" + +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1427 +msgid "wrong oid\n" +msgstr "falsche OID\n" + +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5994 +#, c-format +msgid "unknown code 0x%x" +msgstr "unbekannter Code 0x%x" + +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424 +#, c-format +msgid "Unsupported type while processing '%s'\n" +msgstr "nicht unterstützter Typ bei der Verarbeitung von »%s«\n" + +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465 +msgid "Internal error parsing X509_user_identity\n" +msgstr "interner Fehler beim Auswerten von »X509_user_identity«\n" + +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560 +msgid "No user identity options specified" +msgstr "keine Optionen der Nutzeridentität angegeben" + +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:414 +msgid "Pkinit request not signed, but client not anonymous." +msgstr "Pkinit-Anfrage nicht signiert, Client ist jedoch nicht anonym" + +# DH = Diffie-Hellman +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:447 +msgid "Anonymous pkinit without DH public value not supported." +msgstr "Anonymes Pkinit wird nicht ohne öffentlichen DH-Wert unterstützt." + +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1147 +#, c-format +msgid "No pkinit_identity supplied for realm %s" +msgstr "Für Realm %s wird keine »pkinit_identity« bereitgestellt." + +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1158 +#, c-format +msgid "No pkinit_anchors supplied for realm %s" +msgstr "Für Realm %s werden keine »pkinit_anchors« bereitgestellt." + +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1346 +msgid "No realms configured correctly for pkinit support" +msgstr "Für Pkinit-Unterstützung wurden keine Realms korrekt konfiguriert." + +#: ../../src/slave/kprop.c:85 +#, c-format +msgid "" +"\n" +"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n" +"\n" +msgstr "" +"\n" +"Aufruf: %s [-r Realm] [-f Datei] [-d] [-P Port] [-s Dienstschlüsseltabelle] " +"untergeordneter_Rechner\n" +"\n" + +#: ../../src/slave/kprop.c:114 +#, c-format +msgid "Database propagation to %s: SUCCEEDED\n" +msgstr "Datenbankverbreitung auf %s: ERFOLGREICH\n" + +#: ../../src/slave/kprop.c:187 +msgid "while setting client principal name" +msgstr "beim Setzen des Client-Principal-Namens" + +#: ../../src/slave/kprop.c:194 ../../src/slave/kprop.c:209 +msgid "while setting client principal realm" +msgstr "beim Setzen des Client-Principal-Realms" + +#: ../../src/slave/kprop.c:217 +#, c-format +msgid "while opening credential cache %s" +msgstr "beim Öffnen des Anmeldedatenzwischenspeichers %s" + +#: ../../src/slave/kprop.c:233 +msgid "while setting server principal name" +msgstr "beim Setzen des Server-Principal-Namens" + +#: ../../src/slave/kprop.c:255 +msgid "while resolving keytab" +msgstr "beim Ermitteln der Schlüsseltabelle" + +#: ../../src/slave/kprop.c:264 +msgid "while getting initial credentials\n" +msgstr "beim Holen der Anfangsanmeldedaten\n" + +#: ../../src/slave/kprop.c:301 +msgid "while creating socket" +msgstr "beim Erstellen eines Sockets" + +#: ../../src/slave/kprop.c:317 +msgid "while converting server address" +msgstr "beim Umwandeln der Server-Adresse" + +#: ../../src/slave/kprop.c:327 +msgid "while connecting to server" +msgstr "beim Verbinden mit dem Server" + +#: ../../src/slave/kprop.c:334 ../../src/slave/kpropd.c:1215 +msgid "while getting local socket address" +msgstr "beim Holen der lokalen Socket-Adresse" + +#: ../../src/slave/kprop.c:339 +msgid "while converting local address" +msgstr "beim Umwandeln der lokalen Socket-Adresse" + +#: ../../src/slave/kprop.c:362 +msgid "in krb5_auth_con_setaddrs" +msgstr "in »krb5_auth_con_setaddrs«" + +#: ../../src/slave/kprop.c:370 +msgid "while authenticating to server" +msgstr "beim Authentifizieren am Server" + +#: ../../src/slave/kprop.c:374 ../../src/slave/kprop.c:573 +#: ../../src/slave/kpropd.c:1521 +#, c-format +msgid "Generic remote error: %s\n" +msgstr "allgemeiner ferner Fehler: %s\n" + +#: ../../src/slave/kprop.c:380 ../../src/slave/kprop.c:579 +msgid "signalled from server" +msgstr "signalisiert vom Server" + +#: ../../src/slave/kprop.c:382 ../../src/slave/kprop.c:581 +#, c-format +msgid "Error text from server: %s\n" +msgstr "Fehlermeldung vom Server: %s\n" + +#: ../../src/slave/kprop.c:410 +#, c-format +msgid "allocating database file name '%s'" +msgstr "Datenbankdateiname »%s« wird reserviert" + +#: ../../src/slave/kprop.c:416 +#, c-format +msgid "while trying to open %s" +msgstr "beim Versuch, %s zu öffnen" + +#: ../../src/slave/kprop.c:423 +msgid "database locked" +msgstr "Datenbank gesperrt" + +#: ../../src/slave/kprop.c:426 ../../src/slave/kpropd.c:525 +#, c-format +msgid "while trying to lock '%s'" +msgstr "beim Versuch, »%s« zu sperren" + +#: ../../src/slave/kprop.c:430 ../../src/slave/kprop.c:438 +#, c-format +msgid "while trying to stat %s" +msgstr "beim Versuch, »stat« für %s auszuführen" + +#: ../../src/slave/kprop.c:434 +msgid "while trying to malloc data_ok_fn" +msgstr "beim Versuch, Speicher für »data_ok_fn« zu reservieren" + +#: ../../src/slave/kprop.c:443 +#, c-format +msgid "'%s' more recent than '%s'." +msgstr "»%s« ist aktueller als »%s«." + +#: ../../src/slave/kprop.c:459 +#, c-format +msgid "while unlocking database '%s'" +msgstr "beim Entsperren von Datenbank »%s«" + +#: ../../src/slave/kprop.c:492 ../../src/slave/kprop.c:493 +msgid "while encoding database size" +msgstr "beim Aufbereiten der Datenbankgröße" + +#: ../../src/slave/kprop.c:501 +msgid "while sending database size" +msgstr "beim Senden der Datenbankgröße" + +#: ../../src/slave/kprop.c:511 +msgid "while allocating i_vector" +msgstr "beim Reservieren von »i_vector«" + +#: ../../src/slave/kprop.c:534 +#, c-format +msgid "while sending database block starting at %d" +msgstr "beim Senden des Datenbankblocks, der bei %d beginnt" + +#: ../../src/slave/kprop.c:544 +msgid "Premature EOF found for database file!" +msgstr "vorzeitiges EOF für Datenbankdatei gefunden!" + +#: ../../src/slave/kprop.c:557 +msgid "while reading response from server" +msgstr "beim Lesen der Antwort vom Servers" + +#: ../../src/slave/kprop.c:568 +msgid "while decoding error response from server" +msgstr "beim Aufschlüsseln der Fehlerantwort vom Server" + +#: ../../src/slave/kprop.c:599 +#, c-format +msgid "Kpropd sent database size %d, expecting %d" +msgstr "Kpropd sendet Datenbankgröße %d, erwartet wurde %d" + +#: ../../src/slave/kprop.c:643 +msgid "while allocating filename for update_last_prop_file" +msgstr "beim Reservieren des Dateinamens für »update_last_prop_file«" + +#: ../../src/slave/kprop.c:648 +#, c-format +msgid "while creating 'last_prop' file, '%s'" +msgstr "beim Erstellen der Datei »last_prop«, »%s«" + +#: ../../src/slave/kpropd.c:170 +#, c-format +msgid "" +"\n" +"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n" +msgstr "" +"\n" +"Aufruf: %s [-r Realm] [-s Dienstschlüsseltabelle] [-dS] [-f " +"untergeordnete_Datei]\n" + +#: ../../src/slave/kpropd.c:172 +#, c-format +msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" +msgstr "\t[-F Kerberos-Datenbankdatei ] [-p KDB5-Hilfswerkzeugpfadname]\n" + +#: ../../src/slave/kpropd.c:173 +#, c-format +msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" +msgstr "\t[-x Datenbankargumente]* [-P Port] [-a ACL-Datei]\n" + +#: ../../src/slave/kpropd.c:174 +#, c-format +msgid "\t[-A admin_server]\n" +msgstr "\t[-A Serveradministrator]\n" + +#: ../../src/slave/kpropd.c:215 +#, c-format +msgid "Killing fullprop child (%d)\n" +msgstr "Beenden des Fullprop-Kindprozesses (%d) wird erzwungen\n" + +#: ../../src/slave/kpropd.c:244 +msgid "while checking if stdin is a socket" +msgstr "beim Prüfen, ob die Standardeingabe ein Socket ist" + +#: ../../src/slave/kpropd.c:262 +#, c-format +msgid "ready\n" +msgstr "bereit\n" + +#: ../../src/slave/kpropd.c:272 +#, c-format +msgid "Could not open /dev/null: %s" +msgstr "/dev/null konnte nicht geöffnet werden: %s" + +#: ../../src/slave/kpropd.c:279 +#, c-format +msgid "Could not dup the inetd socket: %s" +msgstr "Das Inetd-Socket konnte nicht dupliziert werden: %s" + +#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327 +msgid "do_iprop failed.\n" +msgstr "»do_iprop« fehlgeschlagen\n" + +#: ../../src/slave/kpropd.c:366 +#, c-format +msgid "getaddrinfo: %s\n" +msgstr "getaddrinfo: %s\n" + +#: ../../src/slave/kpropd.c:372 +msgid "while obtaining socket" +msgstr "beim Erlangen des Sockets" + +#: ../../src/slave/kpropd.c:378 +msgid "while setting SO_REUSEADDR option" +msgstr "beim Setzen der Option SO_REUSEADDR" + +#: ../../src/slave/kpropd.c:386 +msgid "while unsetting IPV6_V6ONLY option" +msgstr "beim Entfernen der Option IPV6_V6ONLY" + +#: ../../src/slave/kpropd.c:391 +msgid "while binding listener socket" +msgstr "beim Anbinden an das auf Verbindung wartende Socket" + +#: ../../src/slave/kpropd.c:402 +#, c-format +msgid "waiting for a kprop connection\n" +msgstr "warten auf Kprop-Verbindung\n" + +#: ../../src/slave/kpropd.c:408 +msgid "while accepting connection" +msgstr "beim Akzeptieren der Verbindung" + +#: ../../src/slave/kpropd.c:414 +msgid "while forking" +msgstr "beim Erzeugen eines Kindprozesses" + +#: ../../src/slave/kpropd.c:429 +#, c-format +msgid "waitpid() failed to wait for doit() (%d %s)\n" +msgstr "waitpid() schlug beim Warten auf doit() fehl (%d %s)\n" + +#: ../../src/slave/kpropd.c:433 +msgid "while waiting to receive database" +msgstr "beim Warten auf den Erhalt der Datenbank" + +#: ../../src/slave/kpropd.c:437 +#, c-format +msgid "Database load process for full propagation completed.\n" +msgstr "" +"Der Datenbankladeprozess für eine vollständige Verbreitung ist " +"abgeschlossen.\n" + +#: ../../src/slave/kpropd.c:471 +#, c-format +msgid "" +"%s: Standard input does not appear to be a network socket.\n" +"\t(Not run from inetd, and missing the -S option?)\n" +msgstr "" +"%s: Bei der Standardeingabe scheint es sich nicht um ein Netzwerk-Socket zu\n" +"\thandeln (läuft nicht aus Inetd und die Option -S fehlt?).\n" + +#: ../../src/slave/kpropd.c:485 +msgid "while attempting setsockopt (SO_KEEPALIVE)" +msgstr "beim Versuch, »setsockopt« auszuführen (SO_KEEPALIVE)" + +#: ../../src/slave/kpropd.c:490 +#, c-format +msgid "Connection from %s" +msgstr "Verbindung von %s" + +#: ../../src/slave/kpropd.c:510 +#, c-format +msgid "Rejected connection from unauthorized principal %s\n" +msgstr "Zurückgewiesene Verbindung von nicht autorisiertem Principal %s\n" + +#: ../../src/slave/kpropd.c:514 +#, c-format +msgid "Rejected connection from unauthorized principal %s" +msgstr "Zurückgewiesene Verbindung von nicht authorisiertem Principal %s" + +#: ../../src/slave/kpropd.c:531 +#, c-format +msgid "while opening database file, '%s'" +msgstr "beim Öffnen der Datenbankdatei, »%s«" + +#: ../../src/slave/kpropd.c:537 +#, c-format +msgid "while renaming %s to %s" +msgstr "beim Umbenennen von %s in %s" + +#: ../../src/slave/kpropd.c:543 +#, c-format +msgid "while downgrading lock on '%s'" +msgstr "beim Downgrade der Sperre auf »%s«" + +#: ../../src/slave/kpropd.c:550 +#, c-format +msgid "while unlocking '%s'" +msgstr "beim Aufheben der Sperre »%s«" + +#: ../../src/slave/kpropd.c:562 +msgid "while sending # of received bytes" +msgstr "beim Senden n empfangener Byte" + +#: ../../src/slave/kpropd.c:568 +msgid "while trying to close database file" +msgstr "beim Versuch, die Datenbankdatei zu schließen" + +#: ../../src/slave/kpropd.c:624 +#, c-format +msgid "Incremental propagation enabled\n" +msgstr "inkrementelle Verbreitung aktiviert\n" + +#: ../../src/slave/kpropd.c:634 +msgid "Unable to get default realm" +msgstr "Standard-Realm kann nicht geholt werden" + +#: ../../src/slave/kpropd.c:647 +#, c-format +msgid "%s: unable to get kiprop host based service name for realm %s\n" +msgstr "" +"%s: Kiprop-rechnerbasierter Dienstname für Realm %s kann nicht geholt " +"werden\n" + +#: ../../src/slave/kpropd.c:658 +msgid "while trying to construct host service principal" +msgstr "beim Versuch, den Rechnerdienst-Principal zu erstellen" + +#: ../../src/slave/kpropd.c:672 +msgid "while determining local service principal name" +msgstr "beim Bestimmen des lokalen Dienst-Principal-Namens" + +#: ../../src/slave/kpropd.c:692 +#, c-format +msgid "Initializing kadm5 as client %s\n" +msgstr "Kadm5 wird als Client %s initialisiert\n" + +#: ../../src/slave/kpropd.c:706 +#, c-format +msgid "kadm5 initialization failed!\n" +msgstr "Initialisierung von Kadm5 fehlgeschlagen!\n" + +#: ../../src/slave/kpropd.c:715 +msgid "while attempting to connect to master KDC ... retrying" +msgstr "" +"beim Versuch, eine Verbindung zum Master-KDC aufzubauen … wird erneut " +"versucht" + +#: ../../src/slave/kpropd.c:719 +#, c-format +msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" +msgstr "" +"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (RPC-FEHLER).\n" + +#: ../../src/slave/kpropd.c:735 +#, c-format +msgid "while initializing %s interface, retrying" +msgstr "beim Initialisieren der Schnittstelle %s, wird erneut versucht" + +#: ../../src/slave/kpropd.c:739 +#, c-format +msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" +msgstr "" +"Um Kadm5 neu zu initialisieren, wird %d Sekunden gewartet (läuft Krb5kdc " +"nicht?).\n" + +#: ../../src/slave/kpropd.c:749 +#, c-format +msgid "kadm5 initialization succeeded\n" +msgstr "Initialisieren von Kadm5 erfolgreich\n" + +#: ../../src/slave/kpropd.c:771 +msgid "reading update log header" +msgstr "Aktualisierungsprotokollkopfzeilen werden gelesen" + +#: ../../src/slave/kpropd.c:782 +#, c-format +msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" +msgstr "»iprop_get_updates_1()« wird aufgerufen (sno=%u sec=%u usec=%u)\n" + +#: ../../src/slave/kpropd.c:792 +msgid "iprop_get_updates call failed" +msgstr "Aufruf von »iprop_get_updates« fehlgeschlagen" + +#: ../../src/slave/kpropd.c:798 +#, c-format +msgid "Reinitializing iprop because get updates failed\n" +msgstr "" +"Iprop wird neu initialisiert, da Aktualisierungen fehlgeschlagen sind\n" + +#: ../../src/slave/kpropd.c:819 +#, c-format +msgid "Still waiting for full resync\n" +msgstr "" +"Es wird immer noch auf das vollständige erneute Synchronisieren gewartet.\n" + +#: ../../src/slave/kpropd.c:824 +#, c-format +msgid "Full resync needed\n" +msgstr "erneutes vollständiges Synchronisieren erforderlich\n" + +#: ../../src/slave/kpropd.c:825 +msgid "kpropd: Full resync needed." +msgstr "Kpropd: erneutes vollständiges Synchronisieren erforderlich" + +#: ../../src/slave/kpropd.c:830 +msgid "iprop_full_resync call failed" +msgstr "Aufruf von »iprop_full_resync« fehlgeschlagen" + +#: ../../src/slave/kpropd.c:841 +#, c-format +msgid "Full resync request granted\n" +msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt\n" + +#: ../../src/slave/kpropd.c:842 +msgid "Full resync request granted." +msgstr "Anfrage nach vollständigem erneuten Synchronisieren genehmigt" + +# FIXME s/backoff/back-off/ +#: ../../src/slave/kpropd.c:851 +#, c-format +msgid "Exponential backoff\n" +msgstr "exponentieller Wartezyklus\n" + +#: ../../src/slave/kpropd.c:857 +#, c-format +msgid "Full resync permission denied\n" +msgstr "vollständiges erneutes Synchronisieren nicht gestattet\n" + +#: ../../src/slave/kpropd.c:858 +msgid "Full resync, permission denied." +msgstr "vollständiges erneutes Synchronisieren, nicht gestattet" + +#: ../../src/slave/kpropd.c:863 +#, c-format +msgid "Full resync error from master\n" +msgstr "Fehler beim vollständigen erneuten Synchronisieren vom Master\n" + +#: ../../src/slave/kpropd.c:864 +msgid " Full resync, error returned from master KDC." +msgstr "" +"vollständiges erneutes Synchronisieren, das Master-KDC gab einen Fehler " +"zurück" + +#: ../../src/slave/kpropd.c:872 +#, c-format +msgid "Full resync invalid result from master\n" +msgstr "" +"Beim vollständigen erneuten Synchronisieren gab der Master ein ungültiges " +"Ergebnis zurück.\n" + +#: ../../src/slave/kpropd.c:874 +msgid "Full resync, invalid return from master KDC." +msgstr "" +"vollständiges erneutes Synchronisieren, ungültiger Rückgabewert vom Master-" +"KDC" + +#: ../../src/slave/kpropd.c:890 +#, c-format +msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n" +msgstr "" +"inkrementelle Aktualisierungen erhalten (sno=%u sec=%u usec=%u)\n" + +#: ../../src/slave/kpropd.c:902 +#, c-format +msgid "ulog_replay failed (%s), updates not registered\n" +msgstr "" +"»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert\n" + +#: ../../src/slave/kpropd.c:905 +#, c-format +msgid "ulog_replay failed (%s), updates not registered." +msgstr "»ulog_replay« fehlgeschlagen (%s), Aktualisierungen nicht registriert" + +#: ../../src/slave/kpropd.c:914 +#, c-format +msgid "Incremental updates: %d updates / %lu us" +msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us" + +#: ../../src/slave/kpropd.c:917 +#, c-format +msgid "Incremental updates: %d updates / %lu us\n" +msgstr "inkrementelle Aktualisierungen: %d Aktualisierungen / %lu us\n" + +#: ../../src/slave/kpropd.c:925 +#, c-format +msgid "get_updates permission denied\n" +msgstr "Zugriff bei »get_updates« verweigert\n" + +#: ../../src/slave/kpropd.c:926 +msgid "get_updates, permission denied." +msgstr "»get_updates«, Zugriff verweigert" + +#: ../../src/slave/kpropd.c:931 +#, c-format +msgid "get_updates error from master\n" +msgstr "»get_updates«-Fehler vom Master\n" + +#: ../../src/slave/kpropd.c:932 +msgid "get_updates, error returned from master KDC." +msgstr "Vom Master-KDC wurde ein »get_updates«-Fehler zurückgegeben." + +# FIXME s/backoff/back-off/ +#: ../../src/slave/kpropd.c:940 +#, c-format +msgid "get_updates master busy; backoff\n" +msgstr "»get_updates«-Master ausgelastet; hält sich zurück\n" + +#: ../../src/slave/kpropd.c:949 +#, c-format +msgid "KDC is synchronized with master.\n" +msgstr "KDC wurde mit dem Master synchronisiert.\n" + +#: ../../src/slave/kpropd.c:957 +#, c-format +msgid "get_updates invalid result from master\n" +msgstr "ungültiges »get_updates«-Ergebnis vom Master\n" + +#: ../../src/slave/kpropd.c:958 +msgid "get_updates, invalid return from master KDC." +msgstr "»get_updates«, ungültiger Rückgabewert vom Master-KDC" + +# FIXME s/backoff/back-off/ +#: ../../src/slave/kpropd.c:973 +#, c-format +msgid "Busy signal received from master, backoff for %d secs\n" +msgstr "" +"Vom Master wurde ein Signal empfangen, dass er ausgelastet ist, " +"Zurückhaltung für %d Sekunden\n" + +#: ../../src/slave/kpropd.c:980 +#, c-format +msgid "Waiting for %d seconds before checking for updates again\n" +msgstr "" +"vor der erneuten Prufung auf Aktualisierungen wird %d Sekunden gewartet\n" + +#: ../../src/slave/kpropd.c:991 +#, c-format +msgid "ERROR returned by master, bailing\n" +msgstr "FEHLER vom Master zurückgegeben, Ausstieg\n" + +#: ../../src/slave/kpropd.c:992 +msgid "ERROR returned by master KDC, bailing.\n" +msgstr "FEHLER vom Master-KDC zurückgegeben, Ausstieg\n" + +#: ../../src/slave/kpropd.c:1134 +msgid "copying db args" +msgstr "Datenbankargumente werden kopiert" + +#: ../../src/slave/kpropd.c:1161 +msgid "while trying to construct my service name" +msgstr "beim Versuch, meinen Dienstnamen zu erstellen" + +#: ../../src/slave/kpropd.c:1167 +msgid "while constructing my service realm" +msgstr "beim Erstellen meines Dienst-Realms" + +#: ../../src/slave/kpropd.c:1175 +msgid "while allocating filename for temp file" +msgstr "beim Reservieren des Dateinamens für die temporäre Datei" + +#: ../../src/slave/kpropd.c:1181 +msgid "while initializing" +msgstr "bei der Initialisierung" + +#: ../../src/slave/kpropd.c:1189 +msgid "Unable to map log!\n" +msgstr "Protokoll kann nicht abgebildet werden!\n" + +#: ../../src/slave/kpropd.c:1235 +#, c-format +msgid "Error in krb5_auth_con_ini: %s" +msgstr "Fehler in »krb5_auth_con_ini«: %s" + +#: ../../src/slave/kpropd.c:1243 +#, c-format +msgid "Error in krb5_auth_con_setflags: %s" +msgstr "Fehler in »krb5_auth_con_setflags«: %s" + +#: ../../src/slave/kpropd.c:1251 +#, c-format +msgid "Error in krb5_auth_con_setaddrs: %s" +msgstr "Fehler in »krb5_auth_con_setaddrs«: %s" + +#: ../../src/slave/kpropd.c:1259 +#, c-format +msgid "Error in krb5_kt_resolve: %s" +msgstr "Fehler in »krb5_kt_resolve«: %s" + +#: ../../src/slave/kpropd.c:1268 +#, c-format +msgid "Error in krb5_recvauth: %s" +msgstr "Fehler in »krb5_recvauth«: %s" + +#: ../../src/slave/kpropd.c:1275 +#, c-format +msgid "Error in krb5_copy_prinicpal: %s" +msgstr "Fehler in »krb5_copy_prinicpal«: %s" + +#: ../../src/slave/kpropd.c:1291 +msgid "while unparsing ticket etype" +msgstr "beim Rückgängigmachen der Auswertung des »etype«s des Tickets" + +#: ../../src/slave/kpropd.c:1295 +#, c-format +msgid "authenticated client: %s (etype == %s)\n" +msgstr "Authentifizierter Client: %s (etype == %s)\n" + +#: ../../src/slave/kpropd.c:1374 +msgid "while reading size of database from client" +msgstr "beim Lesen der Datenbankgröße vom Client" + +#: ../../src/slave/kpropd.c:1384 +msgid "while decoding database size from client" +msgstr "beim Dekodieren der Datenbankgröße vom Client" + +#: ../../src/slave/kpropd.c:1397 +msgid "while initializing i_vector" +msgstr "beim Initialisieren von »i_vector«" + +#: ../../src/slave/kpropd.c:1402 +#, c-format +msgid "Full propagation transfer started.\n" +msgstr "vollständige Verbreitungsübertragung gestartet\n" + +#: ../../src/slave/kpropd.c:1455 +#, c-format +msgid "Full propagation transfer finished.\n" +msgstr "vollständige Verbreitungsübertragung beendet\n" + +#: ../../src/slave/kpropd.c:1516 +msgid "while decoding error packet from client" +msgstr "beim Dekodieren des Fehlerpakets vom Client" + +#: ../../src/slave/kpropd.c:1525 +msgid "signaled from server" +msgstr "signalisiert vom Server" + +#: ../../src/slave/kpropd.c:1527 +#, c-format +msgid "Error text from client: %s\n" +msgstr "Fehlermeldung vom Client: %s\n" + +#: ../../src/slave/kpropd.c:1576 +#, c-format +msgid "while trying to fork %s" +msgstr "beim Versuch, einen Kindprozess von %s zu erzeugen" + +#: ../../src/slave/kpropd.c:1580 +#, c-format +msgid "while trying to exec %s" +msgstr "beim Versuch, %s auszuführen" + +#: ../../src/slave/kpropd.c:1587 +#, c-format +msgid "while waiting for %s" +msgstr "beim Warten auf %s" + +#: ../../src/slave/kpropd.c:1593 +#, c-format +msgid "%s load terminated" +msgstr "Laden von %s beendet" + +#: ../../src/slave/kpropd.c:1599 +#, c-format +msgid "%s returned a bad exit status (%d)" +msgstr "%s gab einen falschen Exit-Status (%d) zurück" + +#: ../../src/slave/kproplog.c:27 +#, c-format +msgid "" +"\n" +"Usage: %s [-h] [-v] [-v] [-e num]\n" +"\t%s -R\n" +"\n" +msgstr "" +"\n" +"Aufruf: %s [-h] [-v] [-v] [-e Zahl]\n" +"\t%s -R\n" +"\n" + +#: ../../src/slave/kproplog.c:129 +#, c-format +msgid "" +"\n" +"Couldn't allocate memory" +msgstr "" +"\n" +"Speicher konnte nicht reserviert werden" + +#: ../../src/slave/kproplog.c:223 +#, c-format +msgid "\t\tAttribute flags\n" +msgstr "\t\tAttributschalter\n" + +#: ../../src/slave/kproplog.c:228 +#, c-format +msgid "\t\tMaximum ticket life\n" +msgstr "\t\tmaximale Ticketlebensdauer\n" + +#: ../../src/slave/kproplog.c:233 +#, c-format +msgid "\t\tMaximum renewable life\n" +msgstr "\t\tmaximale verlängerbare Lebensdauer\n" + +#: ../../src/slave/kproplog.c:238 +#, c-format +msgid "\t\tPrincipal expiration\n" +msgstr "\t\tAblauf des Principals\n" + +#: ../../src/slave/kproplog.c:243 +#, c-format +msgid "\t\tPassword expiration\n" +msgstr "\t\tAblauf des Passworts\n" + +#: ../../src/slave/kproplog.c:248 +#, c-format +msgid "\t\tLast successful auth\n" +msgstr "\t\tletzte erfolgreiche Authentifizierung\n" + +#: ../../src/slave/kproplog.c:253 +#, c-format +msgid "\t\tLast failed auth\n" +msgstr "\t\tletzte fehlgeschlagene Authentifizierung\n" + +#: ../../src/slave/kproplog.c:258 +#, c-format +msgid "\t\tFailed passwd attempt\n" +msgstr "\t\tfehlgeschlagener Passwortversuch\n" + +#: ../../src/slave/kproplog.c:263 +#, c-format +msgid "\t\tPrincipal\n" +msgstr "\t\tPrincipal\n" + +#: ../../src/slave/kproplog.c:268 +#, c-format +msgid "\t\tKey data\n" +msgstr "\t\tSchlüsseldaten\n" + +#: ../../src/slave/kproplog.c:275 +#, c-format +msgid "\t\tTL data\n" +msgstr "\t\tTL-Daten\n" + +#: ../../src/slave/kproplog.c:282 +#, c-format +msgid "\t\tLength\n" +msgstr "\t\tLänge\n" + +#: ../../src/slave/kproplog.c:287 +#, c-format +msgid "\t\tPassword last changed\n" +msgstr "\t\tletzte Passwortänderung\n" + +#: ../../src/slave/kproplog.c:292 +#, c-format +msgid "\t\tModifying principal\n" +msgstr "\t\ttPrincipal wird geändert\n" + +#: ../../src/slave/kproplog.c:297 +#, c-format +msgid "\t\tModification time\n" +msgstr "\t\tÄnderungszeit\n" + +#: ../../src/slave/kproplog.c:302 +#, c-format +msgid "\t\tModified where\n" +msgstr "\t\tGeändert wobei\n" + +#: ../../src/slave/kproplog.c:307 +#, c-format +msgid "\t\tPassword policy\n" +msgstr "\t\tPasswortrichtlinie\n" + +#: ../../src/slave/kproplog.c:312 +#, c-format +msgid "\t\tPassword policy switch\n" +msgstr "\t\tPasswortrichtlinienumschalter\n" + +#: ../../src/slave/kproplog.c:317 +#, c-format +msgid "\t\tPassword history KVNO\n" +msgstr "\t\tPasswortchronik KVNO\n" + +#: ../../src/slave/kproplog.c:322 +#, c-format +msgid "\t\tPassword history\n" +msgstr "\t\tPasswortchronik\n" + +#: ../../src/slave/kproplog.c:356 +#, c-format +msgid "" +"Corrupt update entry\n" +"\n" +msgstr "" +"beschädigter Aktualisierungseintrag\n" +"\n" + +#: ../../src/slave/kproplog.c:364 +#, c-format +msgid "" +"Entry data decode failure\n" +"\n" +msgstr "" +"Dekodieren der eingetragenen Daten fehlgeschlagen\n" +"\n" + +#: ../../src/slave/kproplog.c:369 +#, c-format +msgid "Update Entry\n" +msgstr "Aktualisierungseintrag\n" + +#: ../../src/slave/kproplog.c:371 +#, c-format +msgid "\tUpdate serial # : %u\n" +msgstr "\tAktualisierung der Seriennummer: %u\n" + +#: ../../src/slave/kproplog.c:373 +#, c-format +msgid "\tUpdate operation : " +msgstr "\tAktualisierungsaktion: " + +#: ../../src/slave/kproplog.c:375 +#, c-format +msgid "Delete\n" +msgstr "Löschen\n" + +#: ../../src/slave/kproplog.c:377 +#, c-format +msgid "Add\n" +msgstr "Hinzufügen\n" + +#: ../../src/slave/kproplog.c:381 +#, c-format +msgid "" +"Could not allocate principal name\n" +"\n" +msgstr "" +"Der Principal-Name konnte nicht reserviert werden.\n" +"\n" + +#: ../../src/slave/kproplog.c:387 +#, c-format +msgid "\tUpdate principal : %s\n" +msgstr "\tAktualisierung des Principals: %s\n" + +#: ../../src/slave/kproplog.c:389 +#, c-format +msgid "\tUpdate size : %u\n" +msgstr "\tGröße der Aktualisierung: %u\n" + +#: ../../src/slave/kproplog.c:390 +#, c-format +msgid "\tUpdate committed : %s\n" +msgstr "\tAktualisierung übergeben: %s\n" + +#: ../../src/slave/kproplog.c:394 +#, c-format +msgid "\tUpdate time stamp : None\n" +msgstr "\tZeitstempel der Aktualisierung: keiner\n" + +#: ../../src/slave/kproplog.c:396 +#, c-format +msgid "\tUpdate time stamp : %s" +msgstr "\tZeitstempel der Aktualisierung: %s" + +#: ../../src/slave/kproplog.c:400 +#, c-format +msgid "\tAttributes changed : %d\n" +msgstr "\tgeänderte Attribute: %d\n" + +#: ../../src/slave/kproplog.c:465 +#, c-format +msgid "" +"Unable to initialize Kerberos\n" +"\n" +msgstr "" +"Kerberos kann nicht initialisiert werden\n" +"\n" + +#: ../../src/slave/kproplog.c:472 +#, c-format +msgid "" +"Couldn't read database_name\n" +"\n" +msgstr "" +"»database_name« kann nicht gelesen werden\n" +"\n" + +#: ../../src/slave/kproplog.c:476 +#, c-format +msgid "" +"\n" +"Kerberos update log (%s)\n" +msgstr "" +"\n" +"Kerberos-Aktualisierungsprotokoll (%s)\n" + +#: ../../src/slave/kproplog.c:480 ../../src/slave/kproplog.c:495 +#, c-format +msgid "" +"Unable to map log file %s\n" +"\n" +msgstr "" +"Protokolldatei %s kann nicht abgebildet werden\n" +"\n" + +#: ../../src/slave/kproplog.c:485 +#, c-format +msgid "" +"Couldn't reinitialize ulog file %s\n" +"\n" +msgstr "" +"Ulog-Datei %s konnte nicht neu initialisiert werden\n" +"\n" + +#: ../../src/slave/kproplog.c:489 +#, c-format +msgid "Reinitialized the ulog.\n" +msgstr "Das Ulog wurde neu initialisiert.\n" + +#: ../../src/slave/kproplog.c:501 +#, c-format +msgid "" +"Corrupt header log, exiting\n" +"\n" +msgstr "" +"beschädigtes Kopfzeilenprotokoll, wird beendet\n" +"\n" + +#: ../../src/slave/kproplog.c:505 +#, c-format +msgid "Update log dump :\n" +msgstr "Aktualisierungsprotokollauszug :\n" + +#: ../../src/slave/kproplog.c:506 +#, c-format +msgid "\tLog version # : %u\n" +msgstr "\tProtokollversion #: %u\n" + +#: ../../src/slave/kproplog.c:507 +#, c-format +msgid "\tLog state : " +msgstr "\tProtokollstatus: " + +#: ../../src/slave/kproplog.c:510 +#, c-format +msgid "Stable\n" +msgstr "stabil\n" + +#: ../../src/slave/kproplog.c:513 +#, c-format +msgid "Unstable\n" +msgstr "instabil\n" + +#: ../../src/slave/kproplog.c:516 +#, c-format +msgid "Corrupt\n" +msgstr "beschädigt\n" + +#: ../../src/slave/kproplog.c:519 +#, c-format +msgid "Unknown state: %d\n" +msgstr "unbekannter Status: %d\n" + +#: ../../src/slave/kproplog.c:522 +#, c-format +msgid "\tEntry block size : %u\n" +msgstr "\tBlockgrößeneintrag: %u\n" + +#: ../../src/slave/kproplog.c:523 +#, c-format +msgid "\tNumber of entries : %u\n" +msgstr "\tAnzahl der Einträge: %u\n" + +#: ../../src/slave/kproplog.c:526 +#, c-format +msgid "\tLast serial # : None\n" +msgstr "\tletzte Seriennummer: keine\n" + +#: ../../src/slave/kproplog.c:529 +#, c-format +msgid "\tFirst serial # : None\n" +msgstr "\terste Seriennummer: keine\n" + +#: ../../src/slave/kproplog.c:531 +#, c-format +msgid "\tFirst serial # : " +msgstr "\terste Seriennummer: " + +#: ../../src/slave/kproplog.c:535 +#, c-format +msgid "\tLast serial # : " +msgstr "\tletzte Seriennummer: " + +#: ../../src/slave/kproplog.c:540 +#, c-format +msgid "\tLast time stamp : None\n" +msgstr "\tletzter Zeitstempel: keiner\n" + +#: ../../src/slave/kproplog.c:543 +#, c-format +msgid "\tFirst time stamp : None\n" +msgstr "\terster Zeitstempel: keiner\n" + +#: ../../src/slave/kproplog.c:545 +#, c-format +msgid "\tFirst time stamp : %s" +msgstr "\terster Zeitstempel: %s" + +#: ../../src/slave/kproplog.c:549 +#, c-format +msgid "\tLast time stamp : %s\n" +msgstr "\tletzter Zeitstempel: %s\n" + +#: ../../src/util/support/errors.c:77 +msgid "Kerberos library initialization failure" +msgstr "Initialisieren der Kerberos-Bibliothek fehlgeschlagen" + +#: ../../src/util/support/errors.c:93 +#, c-format +msgid "error %ld" +msgstr "Fehler %ld" + +#: ../../src/util/support/plugins.c:186 +#, c-format +msgid "unable to find plugin [%s]: %s" +msgstr "Erweiterung [%s] konnte nicht gefunden werden: %s" + +#: ../../src/util/support/plugins.c:274 +msgid "unknown failure" +msgstr "unbekannter Fehlschlag" + +#: ../../src/util/support/plugins.c:277 +#, c-format +msgid "unable to load plugin [%s]: %s" +msgstr "Erweiterung [%s] konnte nicht geladen werden: %s" + +#: ../../src/util/support/plugins.c:300 +#, c-format +msgid "unable to load DLL [%s]" +msgstr "DLL [%s] konnte nicht geladen werden" + +#: ../../src/util/support/plugins.c:316 +#, c-format +msgid "plugin unavailable: %s" +msgstr "Erweiterung nicht verfügbar: %s" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:23 +msgid "No @ in SERVICE-NAME name string" +msgstr "keine @ in der Namenszeichenkette SERVICE-NAME" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:24 +msgid "STRING-UID-NAME contains nondigits" +msgstr "STRING-UID-NAME enthält etwas anderes als Ziffern" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:25 +msgid "UID does not resolve to username" +msgstr "UID lässt sich nicht zu Benutzernamen ermitteln" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:26 +msgid "Validation error" +msgstr "Überprüfungsfehler" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:27 +msgid "Couldn't allocate gss_buffer_t data" +msgstr "»gss_buffer_t«-Daten konnten reserviert werden" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:28 +msgid "Message context invalid" +msgstr "Nachrichtenkontext ungültig" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:29 +msgid "Buffer is the wrong size" +msgstr "Puffer hat die falsche Größe" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:30 +msgid "Credential usage type is unknown" +msgstr "Typ des Anmeldedatenaufrufs ist unbekannt" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:31 +msgid "Unknown quality of protection specified" +msgstr "unbekannte Schutzqualität angegeben" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:32 +msgid "Local host name could not be determined" +msgstr "lokaler Rechnername konnte nicht bestimmt werden" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:33 +msgid "Hostname in SERVICE-NAME string could not be canonicalized" +msgstr "" +"Rechnername in der Zeichenkette »SERVICE-NAME« konnte nicht in Normalform " +"gebracht werden" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:34 +msgid "Mechanism is incorrect" +msgstr "Mechanismus ist nicht korrekt" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:35 +msgid "Token header is malformed or corrupt" +msgstr "Token-Kopfzeilen haben die falsche Form oder sind beschädigt" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:36 +msgid "Packet was replayed in wrong direction" +msgstr "Paket wurde in falscher Richtung erneut abgespielt" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:37 +msgid "Token is missing data" +msgstr "dem Token fehlen Daten" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:38 +msgid "Token was reflected" +msgstr "Token wurde zurückgeworfen" + +#: ../lib/gssapi/generic/gssapi_err_generic.c:39 +msgid "Received token ID does not match expected token ID" +msgstr "Die empfangene Token-Kennung passt nicht zur erwarteten Token-Kennung." + +#: ../lib/gssapi/generic/gssapi_err_generic.c:40 +msgid "The given credential's usage does not match the requested usage" +msgstr "" +"Die Verwendung der angegebenen Anmeldedaten passt nicht zur angeforderten " +"Verwendung." + +#: ../lib/gssapi/generic/gssapi_err_generic.c:41 +msgid "Storing of acceptor credentials is not supported by the mechanism" +msgstr "" +"Das Speichern von Abnehmeranmeldedaten wird nicht durch den Mechanismus " +"unterstützt." + +#: ../lib/gssapi/generic/gssapi_err_generic.c:42 +msgid "Storing of non-default credentials is not supported by the mechanism" +msgstr "" +"Das Speichern von Nichtstandardanmeldedaten wird nicht durch den Mechanismus " +"unterstützt." + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:23 +msgid "Principal in credential cache does not match desired name" +msgstr "" +"Principal im Anmeldedatenzwischenspeicher entspricht nicht dem gewünschten " +"Namen" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:24 +msgid "No principal in keytab matches desired name" +msgstr "Kein Principal in der Schlüsseltabelle passt zum gewünschten Namen." + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:25 +msgid "Credential cache has no TGT" +msgstr "Anmeldedatenzwischenspeicher hat kein TGT" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:26 +msgid "Authenticator has no subkey" +msgstr "Schlüsselziffer hat keinen Unterschlüssel" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:27 +msgid "Context is already fully established" +msgstr "Kontext wurde bereits vollständig eingerichtet" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:28 +msgid "Unknown signature type in token" +msgstr "unbekannter Signaturtyp im Token" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:29 +msgid "Invalid field length in token" +msgstr "falsche Feldlänge im Token" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:30 +msgid "Attempt to use incomplete security context" +msgstr "" +"Es wurde versucht, einen unvollständigen Sicherheitskontext zu verwenden." + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:31 +msgid "Bad magic number for krb5_gss_ctx_id_t" +msgstr "falsche magische Zahl für »krb5_gss_ctx_id_t«" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:32 +msgid "Bad magic number for krb5_gss_cred_id_t" +msgstr "falsche magische Zahl für »krb5_gss_cred_id_t«" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:33 +msgid "Bad magic number for krb5_gss_enc_desc" +msgstr "falsche magische Zahl für »krb5_gss_enc_desc«" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:34 +msgid "Sequence number in token is corrupt" +msgstr "Sequnznummer im Token ist beschädigt" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:35 +msgid "Credential cache is empty" +msgstr "Anmeldedatenzwischenspeicher ist leer" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:36 +msgid "Acceptor and Initiator share no checksum types" +msgstr "Abnehmer und Initiator haben keinen gemeinsamen Prüfsummentyp" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:37 +msgid "Requested lucid context version not supported" +msgstr "angeforderte »lucid«-Kontextversion nicht unterstützt" + +# PRF = Pseudo Random Function +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:38 +msgid "PRF input too long" +msgstr "PRF-Eingabe zu lang" + +#: ../lib/gssapi/krb5/gssapi_err_krb5.c:39 +msgid "Bad magic number for iakerb_ctx_id_t" +msgstr "falsche magische Zahl für »iakerb_ctx_id_t«" + +#: ../lib/kadm5/chpass_util_strings.c:23 +msgid "while getting policy info." +msgstr "beim Holen der Richtlinieninformation." + +#: ../lib/kadm5/chpass_util_strings.c:24 +msgid "while getting principal info." +msgstr "beim Holen der Principal-Information." + +#: ../lib/kadm5/chpass_util_strings.c:25 +msgid "New passwords do not match - password not changed.\n" +msgstr "neue Passwörter stimmen nicht überein – Passwort nicht geändert\n" + +#: ../lib/kadm5/chpass_util_strings.c:26 +msgid "New password" +msgstr "neues Passwort" + +#: ../lib/kadm5/chpass_util_strings.c:27 +msgid "New password (again)" +msgstr "neues Passwort (erneut)" + +#: ../lib/kadm5/chpass_util_strings.c:28 +msgid "" +"You must type a password. Passwords must be at least one character long.\n" +msgstr "" +"Sie müssen ein Passwort eingeben. Passwörter müssen mindestens ein Zeichen " +"lang sein.\n" + +#: ../lib/kadm5/chpass_util_strings.c:29 +msgid "yet no policy set! Contact your system security administrator." +msgstr "" +"noch keine Richtlinie gesetzt! Kontaktieren Sie Ihren " +"Systemsicherheitsadministrator" + +#: ../lib/kadm5/chpass_util_strings.c:31 +msgid "" +"New password was found in a dictionary of possible passwords and\n" +"therefore may be easily guessed. Please choose another password.\n" +"See the kpasswd man page for help in choosing a good password." +msgstr "" +"Das neue Passwort wurde in einem Wörterbuch mit möglichen Passwörtern " +"gefunden\n" +"und kann daher leicht erraten werden. Bitte wählen Sie ein anderes " +"Passwort.\n" +"Hilfe bei der Wahl guter Passwörter finden Sie in der Handbuchseite von\n" +"»kpasswd«." + +#: ../lib/kadm5/chpass_util_strings.c:32 +msgid "Password not changed." +msgstr "Passwort nicht geändert" + +#: ../lib/kadm5/chpass_util_strings.c:33 +#, c-format +msgid "" +"New password is too short.\n" +"Please choose a password which is at least %d characters long." +msgstr "" +"Das neue Passwort ist zu kurz.\n" +"Bitte wählen Sie ein Passwort, das mindestens %d Zeichen lang ist." + +#: ../lib/kadm5/chpass_util_strings.c:34 +#, c-format +msgid "" +"New password does not have enough character classes.\n" +"The character classes are:\n" +"\t- lower-case letters,\n" +"\t- upper-case letters,\n" +"\t- digits,\n" +"\t- punctuation, and\n" +"\t- all other characters (e.g., control characters).\n" +"Please choose a password with at least %d character classes." +msgstr "" +"Das neue Passwort besteht aus zu wenigen Zeichenklassen.\n" +"Die Zeichenklassen sind:\n" +"\t- Kleinbuchstaben,\n" +"\t- Großbuchstaben,\n" +"\t- Ziffern,\n" +"\t- Satzzeichen und\n" +"\t- alle anderen Zeichen (z.B. Steuerzeichen).\n" +"Bitte wählen Sie ein Passwort mit mindestens %d Zeichenklassen." + +#: ../lib/kadm5/chpass_util_strings.c:35 +#, c-format +msgid "" +"Password cannot be changed because it was changed too recently.\n" +"Please wait until %s before you change it.\n" +"If you need to change your password before then, contact your system\n" +"security administrator." +msgstr "" +"Das Passwort kann nicht geändert werden, da es erst vor kurzem geändert " +"wurde.\n" +"Bitte warten Sie bis %s, ehe Sie es ändern.\n" +"Falls Sie es vorher ändern müssen, kontaktieren Sie Ihren\n" +"Systemsicherheitsadministrator." + +#: ../lib/kadm5/chpass_util_strings.c:36 +msgid "New password was used previously. Please choose a different password." +msgstr "" +"Das neue Passwort wurde zuvor schon benutzt. Bitte wählen Sie ein anderes " +"Passwort." + +#: ../lib/kadm5/chpass_util_strings.c:37 +msgid "while trying to change password." +msgstr "beim Versuch, das Passwort zu ändern." + +#: ../lib/kadm5/chpass_util_strings.c:38 +msgid "while reading new password." +msgstr "beim Lesen des neuen Passworts." + +#: ../lib/kadm5/kadm_err.c:23 +msgid "Operation failed for unspecified reason" +msgstr "Aktion aus nicht näher beschriebenem Grund fehlgeschlagen" + +#: ../lib/kadm5/kadm_err.c:24 +msgid "Operation requires ``get'' privilege" +msgstr "Aktion erfordert »get«-Recht" + +#: ../lib/kadm5/kadm_err.c:25 +msgid "Operation requires ``add'' privilege" +msgstr "Aktion erfordert »add«-Recht" + +#: ../lib/kadm5/kadm_err.c:26 +msgid "Operation requires ``modify'' privilege" +msgstr "Aktion erfordert »modify«-Recht" + +#: ../lib/kadm5/kadm_err.c:27 +msgid "Operation requires ``delete'' privilege" +msgstr "Aktion erfordert »delete«-Recht" + +#: ../lib/kadm5/kadm_err.c:28 +msgid "Insufficient authorization for operation" +msgstr "unzureichende Berechtigung für diese Aktion" + +#: ../lib/kadm5/kadm_err.c:29 ../lib/kdb/adb_err.c:29 +msgid "Database inconsistency detected" +msgstr "Datenbankinkonsistenz entdeckt" + +#: ../lib/kadm5/kadm_err.c:30 ../lib/kdb/adb_err.c:24 +msgid "Principal or policy already exists" +msgstr "Principal oder Richtlinie existiert bereits" + +#: ../lib/kadm5/kadm_err.c:31 +msgid "Communication failure with server" +msgstr "Kommunikation mit dem Server fehlgeschlagen" + +#: ../lib/kadm5/kadm_err.c:32 +msgid "No administration server found for realm" +msgstr "kein Administrationsserver für den Realm gefunden" + +#: ../lib/kadm5/kadm_err.c:33 +msgid "Password history principal key version mismatch" +msgstr "Die Passwortchronikschlüssel des Principals passen nicht zusammen." + +#: ../lib/kadm5/kadm_err.c:34 +msgid "Connection to server not initialized" +msgstr "Verbindung zum Server nicht initialisiert" + +#: ../lib/kadm5/kadm_err.c:35 +msgid "Principal does not exist" +msgstr "Principal existiert nicht" + +#: ../lib/kadm5/kadm_err.c:36 +msgid "Policy does not exist" +msgstr "Richtlinie existiert nicht" + +#: ../lib/kadm5/kadm_err.c:37 +msgid "Invalid field mask for operation" +msgstr "ungültige Feldmaske für Aktion" + +#: ../lib/kadm5/kadm_err.c:38 +msgid "Invalid number of character classes" +msgstr "ungültige Anzahl von Zeichenklassen" + +#: ../lib/kadm5/kadm_err.c:39 +msgid "Invalid password length" +msgstr "ungültige Passwortlänge" + +#: ../lib/kadm5/kadm_err.c:40 +msgid "Illegal policy name" +msgstr "unzulässiger Richtlinienname" + +#: ../lib/kadm5/kadm_err.c:41 +msgid "Illegal principal name" +msgstr "unzulässiger Principal-Name" + +# FIXME s/auxillary/auxilary/ +#: ../lib/kadm5/kadm_err.c:42 +msgid "Invalid auxillary attributes" +msgstr "ungültige Zusatzattribute" + +#: ../lib/kadm5/kadm_err.c:43 +msgid "Invalid password history count" +msgstr "ungültige Passwortchronikanzahl" + +#: ../lib/kadm5/kadm_err.c:44 +msgid "Password minimum life is greater than password maximum life" +msgstr "Die minimale Lebensdauer des Passworts ist größer als die maximale." + +#: ../lib/kadm5/kadm_err.c:45 +msgid "Password is too short" +msgstr "Das Passwort ist zu kurz." + +#: ../lib/kadm5/kadm_err.c:46 +msgid "Password does not contain enough character classes" +msgstr "Das Passwort enthält nicht genug Zeichenklassen." + +#: ../lib/kadm5/kadm_err.c:47 +msgid "Password is in the password dictionary" +msgstr "Das Passwort steht im Passwortwörterbuch." + +#: ../lib/kadm5/kadm_err.c:48 +msgid "Cannot reuse password" +msgstr "Das Passwort kann nicht erneut verwendet werden." + +#: ../lib/kadm5/kadm_err.c:49 +msgid "Current password's minimum life has not expired" +msgstr "Die aktuell minimale Lebensdauer des Passworts ist nicht abgelaufen." + +#: ../lib/kadm5/kadm_err.c:50 ../lib/krb5/error_tables/kdb5_err.c:67 +msgid "Policy is in use" +msgstr "Richtlinie ist in Benutzung" + +#: ../lib/kadm5/kadm_err.c:51 +msgid "Connection to server already initialized" +msgstr "Verbindung zum Server ist bereits initialisiert" + +#: ../lib/kadm5/kadm_err.c:52 +msgid "Incorrect password" +msgstr "falsches Passwort" + +#: ../lib/kadm5/kadm_err.c:53 +msgid "Cannot change protected principal" +msgstr "geschützter Principal kann nicht geändert werden" + +#: ../lib/kadm5/kadm_err.c:54 +msgid "Programmer error! Bad Admin server handle" +msgstr "Fehler des Programmierers! Falscher Admin-Server-Identifikator" + +#: ../lib/kadm5/kadm_err.c:55 +msgid "Programmer error! Bad API structure version" +msgstr "Fehler des Programmierers! Falsche API-Strukturversion" + +#: ../lib/kadm5/kadm_err.c:56 +msgid "" +"API structure version specified by application is no longer supported (to " +"fix, recompile application against current KADM5 API header files and " +"libraries)" +msgstr "" +"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " +"unterstützt. (Kompilieren Sie die Anwendung mit den aktuellen KADM5-API-" +"Header-Dateien und -Bibliotheken, um dies zu beheben.)" + +#: ../lib/kadm5/kadm_err.c:57 +msgid "" +"API structure version specified by application is unknown to libraries (to " +"fix, obtain current KADM5 API header files and libraries and recompile " +"application)" +msgstr "" +"Die von der Anwendung angegebene Version der API-Struktur ist den " +"Bibliotheken unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-" +"Dateien und -Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu " +"beheben.)" + +#: ../lib/kadm5/kadm_err.c:58 +msgid "Programmer error! Bad API version" +msgstr "Fehler des Programmierers! Falsche API-Version" + +#: ../lib/kadm5/kadm_err.c:59 +msgid "" +"API version specified by application is no longer supported by libraries (to " +"fix, update application to adhere to current API version and recompile)" +msgstr "" +"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " +"von den Bibliotheken unterstützt. (Aktualisieren Sie die Anwendung, dass sie " +"zu der aktuellen API-Version passt, und kompilieren Sie sie, um dies zu " +"beheben.)" + +#: ../lib/kadm5/kadm_err.c:60 +msgid "" +"API version specified by application is no longer supported by server (to " +"fix, update application to adhere to current API version and recompile)" +msgstr "" +"Die von der Anwendung angegebene Version der API-Struktur wird nicht länger " +"vom Server unterstützt. (Aktualisieren Sie die Anwendung, dass sie zu der " +"aktuellen API-Version passt, und kompilieren Sie sie, um dies zu beheben.)" + +#: ../lib/kadm5/kadm_err.c:61 +msgid "" +"API version specified by application is unknown to libraries (to fix, obtain " +"current KADM5 API header files and libraries and recompile application)" +msgstr "" +"Die von der Anwendung angegebenene API-Version ist den Bibliotheken " +"unbekannt. (Besorgen Sie sich die aktuellen KADM5-API-Header-Dateien und -" +"Bibliotheken und kompilieren Sie die Anwendung neu, um dies zu beheben.)" + +#: ../lib/kadm5/kadm_err.c:62 +msgid "" +"API version specified by application is unknown to server (to fix, obtain " +"and install newest KADM5 Admin Server)" +msgstr "" +"Die von der Anwendung angegebene API-Version ist dem Server unbekannt. " +"(Besorgen und installieren Sie sich den neuesten KADM5-Admin-Server, um dies " +"zu beheben.)" + +#: ../lib/kadm5/kadm_err.c:63 +msgid "Database error! Required KADM5 principal missing" +msgstr "Datenbankfehler! Erforderlicher KADM5-Principal fehlt" + +#: ../lib/kadm5/kadm_err.c:64 +msgid "The salt type of the specified principal does not support renaming" +msgstr "Der Salt-Typ des angegebenen Principals unterstützt kein Umbenennen." + +#: ../lib/kadm5/kadm_err.c:65 +msgid "Illegal configuration parameter for remote KADM5 client" +msgstr "widerrechtlicher Konfigurationsparameter für fernen KADM5-Client" + +#: ../lib/kadm5/kadm_err.c:66 +msgid "Illegal configuration parameter for local KADM5 client" +msgstr "widerrechtlicher Konfigurationsparameter für lokalen KADM5-Client" + +#: ../lib/kadm5/kadm_err.c:67 +msgid "Operation requires ``list'' privilege" +msgstr "Aktion erfordert das »list«-Recht" + +#: ../lib/kadm5/kadm_err.c:68 +msgid "Operation requires ``change-password'' privilege" +msgstr "Aktion erfordert das »change-password«-Recht" + +#: ../lib/kadm5/kadm_err.c:69 +msgid "GSS-API (or Kerberos) error" +msgstr "GSS-API- (oder Kerberos-) Fehler" + +#: ../lib/kadm5/kadm_err.c:70 +msgid "Programmer error! Illegal tagged data list type" +msgstr "" +"Fehler des Programmierers! Widerrechlicher Listentyp für gekennzeichnete " +"Daten" + +#: ../lib/kadm5/kadm_err.c:71 +msgid "Required parameters in kdc.conf missing" +msgstr "erforderliche Parameter in »kdc.conf« fehlen" + +#: ../lib/kadm5/kadm_err.c:72 +msgid "Bad krb5 admin server hostname" +msgstr "falscher Rechnername des KRB5-Admin-Servers" + +#: ../lib/kadm5/kadm_err.c:73 +msgid "Operation requires ``set-key'' privilege" +msgstr "Aktion erfordert das »set-key«-Recht" + +#: ../lib/kadm5/kadm_err.c:74 +msgid "Multiple values for single or folded enctype" +msgstr "" +"mehrere Werte für einzelnen Verschlüsselungstyp oder Verschlüsselungstyp mit " +"Salt" + +#: ../lib/kadm5/kadm_err.c:75 +msgid "Invalid enctype for setv4key" +msgstr "widerrechtlicher Verschlüsselungstyp für Setv4key" + +#: ../lib/kadm5/kadm_err.c:76 +msgid "Mismatched enctypes for setkey3" +msgstr "nicht zusammenpassende Verschlüsselungstypen für Setkey3" + +#: ../lib/kadm5/kadm_err.c:77 +msgid "Missing parameters in krb5.conf required for kadmin client" +msgstr "für Kadmin-Client benötigte Parameter fehlen in »krb5.conf«" + +#: ../lib/kadm5/kadm_err.c:78 ../lib/kdb/adb_err.c:30 +msgid "XDR encoding error" +msgstr "XDR-Verschlüsselungsfehler" + +#: ../lib/kadm5/kadm_err.c:79 +msgid "Cannot resolve network address for admin server in requested realm" +msgstr "" +"Die Netzwerkadresse für den Admin-Server im angeforderten Realm kann nicht " +"aufgelöst werden." + +#: ../lib/kadm5/kadm_err.c:80 +msgid "Unspecified password quality failure" +msgstr "nicht näher angegebener Passwortqualitätsfehlschlag" + +#: ../lib/kadm5/kadm_err.c:81 +msgid "Invalid key/salt tuples" +msgstr "ungültige Schlüssel-/Salt-Tupel" + +#: ../lib/kdb/adb_err.c:23 +msgid "No Error" +msgstr "kein Fehler" + +#: ../lib/kdb/adb_err.c:25 +msgid "Principal or policy does not exist" +msgstr "Principal oder Richtlinie existiert nicht" + +#: ../lib/kdb/adb_err.c:26 +msgid "Database not initialized" +msgstr "Datenbank nicht initialisiert" + +#: ../lib/kdb/adb_err.c:27 +msgid "Invalid policy name" +msgstr "ungültiger Richtlinienname" + +#: ../lib/kdb/adb_err.c:28 +msgid "Invalid principal name" +msgstr "ungültiger Principal-Name" + +#: ../lib/kdb/adb_err.c:31 +msgid "Failure!" +msgstr "Fehlschlag!" + +#: ../lib/kdb/adb_err.c:32 +msgid "Bad lock mode" +msgstr "falscher Sperrmodus" + +#: ../lib/kdb/adb_err.c:33 +msgid "Cannot lock database" +msgstr "Datenbank kann nicht gesperrt werden" + +#: ../lib/kdb/adb_err.c:34 +msgid "Database not locked" +msgstr "Datenbank nicht gesperrt" + +#: ../lib/kdb/adb_err.c:35 +msgid "KADM5 administration database lock file missing" +msgstr "Sperrdatei der KADM5-Verwaltungsdatenbank fehlt" + +#: ../lib/kdb/adb_err.c:36 +msgid "Insufficient permission to lock file" +msgstr "keine ausreichenden Rechte zum Sperren der Datei" + +#: ../lib/krb5/error_tables/k5e1_err.c:23 +msgid "Plugin does not support interface version" +msgstr "Erweiterung unterstützt nicht die Schnittstellenversion" + +#: ../lib/krb5/error_tables/k5e1_err.c:24 +msgid "Invalid module specifier" +msgstr "ungültige Modulangabe" + +#: ../lib/krb5/error_tables/k5e1_err.c:25 +msgid "Plugin module name not found" +msgstr "Erweiterungsmodulname nicht gefunden" + +#: ../lib/krb5/error_tables/k5e1_err.c:26 +msgid "The KDC should discard this request" +msgstr "Das KDC sollte diese Anfrage verwerfen" + +#: ../lib/krb5/error_tables/k5e1_err.c:27 +msgid "Can't create new subsidiary cache" +msgstr "Der neue ergänzende Zwischenspeicher kann nicht erzeugt werden" + +#: ../lib/krb5/error_tables/k5e1_err.c:28 +msgid "Invalid keyring anchor name" +msgstr "ungültiger Schlüsselbundverankerungsname" + +#: ../lib/krb5/error_tables/k5e1_err.c:29 +msgid "Unknown keyring collection version" +msgstr "unbekannte Schlüsselbundsammlungsversion" + +#: ../lib/krb5/error_tables/k5e1_err.c:30 +msgid "Invalid UID in persistent keyring name" +msgstr "ungültige UID im beständigen Schlüsselbundnamen" + +#: ../lib/krb5/error_tables/k5e1_err.c:31 +msgid "Malformed reply from KCM daemon" +msgstr "Antwort des KCM-Daemons hat die falsche Form" + +#: ../lib/krb5/error_tables/k5e1_err.c:32 +msgid "Mach RPC error communicating with KCM daemon" +msgstr "Mach-RPC-Fehler beim der Kommunikation mit dem KCM-Daemon" + +#: ../lib/krb5/error_tables/k5e1_err.c:33 +msgid "KCM daemon reply too big" +msgstr "Antwort des KCM-Daemons zu groß" + +#: ../lib/krb5/error_tables/k5e1_err.c:34 +msgid "No KCM server found" +msgstr "Kein KCM-Server gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:24 +msgid "Client's entry in database has expired" +msgstr "Eintrag des Clients in der Datenbank ist abgelaufen" + +#: ../lib/krb5/error_tables/krb5_err.c:25 +msgid "Server's entry in database has expired" +msgstr "Eintrag des Servers in der Datenbank ist abgelaufen" + +#: ../lib/krb5/error_tables/krb5_err.c:26 +msgid "Requested protocol version not supported" +msgstr "angeforderte Protokollversion nicht unterstützt" + +#: ../lib/krb5/error_tables/krb5_err.c:27 +msgid "Client's key is encrypted in an old master key" +msgstr "" +"Der Schlüssel des Clients wurde mit einem alten Hauptschlüssel verschlüsselt." + +#: ../lib/krb5/error_tables/krb5_err.c:28 +msgid "Server's key is encrypted in an old master key" +msgstr "" +"Der Schlüssel des Servers wurde mit einem alten Hauptschlüssel verschlüsselt." + +#: ../lib/krb5/error_tables/krb5_err.c:29 +msgid "Client not found in Kerberos database" +msgstr "Client nicht in der Kerberos-Datenbank gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:30 +msgid "Server not found in Kerberos database" +msgstr "Server nicht in der Kerberos-Datenbank gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:31 +msgid "Principal has multiple entries in Kerberos database" +msgstr "Principal hat in der Kerberos-Datenbank mehrere Einträge" + +#: ../lib/krb5/error_tables/krb5_err.c:32 +msgid "Client or server has a null key" +msgstr "Client oder Server hat einen Nullschlüssel" + +#: ../lib/krb5/error_tables/krb5_err.c:33 +msgid "Ticket is ineligible for postdating" +msgstr "Ticket ist zum Vordatieren ungeeignet" + +#: ../lib/krb5/error_tables/krb5_err.c:34 +msgid "Requested effective lifetime is negative or too short" +msgstr "Die angeforderte effektive Lebensdauer ist negativ oder zu kurz." + +#: ../lib/krb5/error_tables/krb5_err.c:35 +msgid "KDC policy rejects request" +msgstr "KDC-Richtlinie weist die Anfrage zurück" + +#: ../lib/krb5/error_tables/krb5_err.c:36 +msgid "KDC can't fulfill requested option" +msgstr "KDC kann erforderliche Option nicht erfüllen" + +#: ../lib/krb5/error_tables/krb5_err.c:37 +msgid "KDC has no support for encryption type" +msgstr "KDC unterstützt diesen Verschlüsselungstyp nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:38 +msgid "KDC has no support for checksum type" +msgstr "KDC unterstützt diesen Prüfsummentyp nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:39 +msgid "KDC has no support for padata type" +msgstr "KDC unterstützt diesen Padata-Typ nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:40 +msgid "KDC has no support for transited type" +msgstr "KDC unterstützt diesen Übergangstyp nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:41 +msgid "Clients credentials have been revoked" +msgstr "Anmeldedaten des Clients wurden widerrufen" + +#: ../lib/krb5/error_tables/krb5_err.c:42 +msgid "Credentials for server have been revoked" +msgstr "Anmeldedaten für den Server wurden widerrufen" + +#: ../lib/krb5/error_tables/krb5_err.c:43 +msgid "TGT has been revoked" +msgstr "TGT wurde widerrufen" + +#: ../lib/krb5/error_tables/krb5_err.c:44 +msgid "Client not yet valid - try again later" +msgstr "Client noch nicht gültig – versuchen Sie es später noch einmal" + +#: ../lib/krb5/error_tables/krb5_err.c:45 +msgid "Server not yet valid - try again later" +msgstr "Server noch nicht gültig – versuchen Sie es später noch einmal" + +#: ../lib/krb5/error_tables/krb5_err.c:46 +msgid "Password has expired" +msgstr "Passwort ist abgelaufen" + +#: ../lib/krb5/error_tables/krb5_err.c:47 +msgid "Preauthentication failed" +msgstr "Vorauthentifizierung fehlgeschlagen" + +#: ../lib/krb5/error_tables/krb5_err.c:48 +msgid "Additional pre-authentication required" +msgstr "zusätzlich Vorauthentifizierung erforderlich" + +#: ../lib/krb5/error_tables/krb5_err.c:49 +msgid "Requested server and ticket don't match" +msgstr "abgefragter Server und Ticket passen nicht zusammen" + +#: ../lib/krb5/error_tables/krb5_err.c:50 +msgid "Server principal valid for user2user only" +msgstr "Der Server-Principal ist nur für »user2user« gültig" + +#: ../lib/krb5/error_tables/krb5_err.c:51 +msgid "KDC policy rejects transited path" +msgstr "KDC-Richtlinie verwirft durchgereichten Pfad" + +#: ../lib/krb5/error_tables/krb5_err.c:52 +msgid "A service is not available that is required to process the request" +msgstr "" +"Ein Dienst, der zum Verarbeiten der Abfrage erforderlich ist, ist nicht " +"verfügbar." + +#: ../lib/krb5/error_tables/krb5_err.c:53 +msgid "KRB5 error code 30" +msgstr "KRB5-Fehlercode 30" + +#: ../lib/krb5/error_tables/krb5_err.c:54 +msgid "Decrypt integrity check failed" +msgstr "Entschlüsselungsintegritätsprüfung fehlgeschlagen" + +#: ../lib/krb5/error_tables/krb5_err.c:55 +msgid "Ticket expired" +msgstr "Ticket abgelaufen" + +#: ../lib/krb5/error_tables/krb5_err.c:56 +msgid "Ticket not yet valid" +msgstr "Ticket noch nicht gültig" + +#: ../lib/krb5/error_tables/krb5_err.c:57 +msgid "Request is a replay" +msgstr "Anfrage ist eine Wiederholung" + +#: ../lib/krb5/error_tables/krb5_err.c:58 +msgid "The ticket isn't for us" +msgstr "Das Ticket ist nicht für uns." + +#: ../lib/krb5/error_tables/krb5_err.c:59 +msgid "Ticket/authenticator don't match" +msgstr "Ticket/Schlüsselziffer passen nicht zueinander" + +#: ../lib/krb5/error_tables/krb5_err.c:60 +msgid "Clock skew too great" +msgstr "Uhrzeitabweichung zu groß" + +#: ../lib/krb5/error_tables/krb5_err.c:61 +msgid "Incorrect net address" +msgstr "falsche Netzwerkadresse" + +#: ../lib/krb5/error_tables/krb5_err.c:62 +msgid "Protocol version mismatch" +msgstr "Protokollversion passt nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:63 +msgid "Invalid message type" +msgstr "ungültiger Nachrichtentyp" + +#: ../lib/krb5/error_tables/krb5_err.c:64 +msgid "Message stream modified" +msgstr "Nachrichtendatenstrom geändert" + +#: ../lib/krb5/error_tables/krb5_err.c:65 +msgid "Message out of order" +msgstr "Nachricht nicht in Ordnung" + +#: ../lib/krb5/error_tables/krb5_err.c:66 +msgid "Illegal cross-realm ticket" +msgstr "Widerrechliches Realm-übergreifendes Ticket" + +#: ../lib/krb5/error_tables/krb5_err.c:67 +msgid "Key version is not available" +msgstr "Schlüsselversion ist nicht verfügbar" + +#: ../lib/krb5/error_tables/krb5_err.c:68 +msgid "Service key not available" +msgstr "Dienstschlüssel nicht verfügbar" + +#: ../lib/krb5/error_tables/krb5_err.c:69 +#: ../lib/krb5/error_tables/krb5_err.c:181 +msgid "Mutual authentication failed" +msgstr "gegenseitige Authentifizierung fehlgeschlagen" + +#: ../lib/krb5/error_tables/krb5_err.c:70 +msgid "Incorrect message direction" +msgstr "falsche Nachrichtenrichtung" + +#: ../lib/krb5/error_tables/krb5_err.c:71 +msgid "Alternative authentication method required" +msgstr "alternative Authentifizierungsmethode erforderlich" + +#: ../lib/krb5/error_tables/krb5_err.c:72 +msgid "Incorrect sequence number in message" +msgstr "falsche Sequenznummer in der Nachricht" + +#: ../lib/krb5/error_tables/krb5_err.c:73 +msgid "Inappropriate type of checksum in message" +msgstr "ungeeigneter Prüfsummentyp in der Nachricht" + +#: ../lib/krb5/error_tables/krb5_err.c:74 +msgid "Policy rejects transited path" +msgstr "Richtlinie verwirft durchgereichten Pfad" + +#: ../lib/krb5/error_tables/krb5_err.c:75 +msgid "Response too big for UDP, retry with TCP" +msgstr "Antwort für UDP zu groß, erneuter Versuch mit TCP" + +#: ../lib/krb5/error_tables/krb5_err.c:76 +msgid "KRB5 error code 53" +msgstr "KRB5-Fehlercode 53" + +#: ../lib/krb5/error_tables/krb5_err.c:77 +msgid "KRB5 error code 54" +msgstr "KRB5-Fehlercode 54" + +#: ../lib/krb5/error_tables/krb5_err.c:78 +msgid "KRB5 error code 55" +msgstr "KRB5-Fehlercode 55" + +#: ../lib/krb5/error_tables/krb5_err.c:79 +msgid "KRB5 error code 56" +msgstr "KRB5-Fehlercode 56" + +#: ../lib/krb5/error_tables/krb5_err.c:80 +msgid "KRB5 error code 57" +msgstr "KRB5-Fehlercode 57" + +#: ../lib/krb5/error_tables/krb5_err.c:81 +msgid "KRB5 error code 58" +msgstr "KRB5-Fehlercode 58" + +#: ../lib/krb5/error_tables/krb5_err.c:82 +msgid "KRB5 error code 59" +msgstr "KRB5-Fehlercode 59" + +#: ../lib/krb5/error_tables/krb5_err.c:83 +msgid "Generic error (see e-text)" +msgstr "allgemeiner Fehler (siehe E-Text)" + +#: ../lib/krb5/error_tables/krb5_err.c:84 +msgid "Field is too long for this implementation" +msgstr "Feld ist für diese Implementierung zu lang" + +#: ../lib/krb5/error_tables/krb5_err.c:85 +msgid "Client not trusted" +msgstr "Client nicht vertrauenswürdig" + +#: ../lib/krb5/error_tables/krb5_err.c:86 +msgid "KDC not trusted" +msgstr "KDC nicht vertrauenswürdig" + +#: ../lib/krb5/error_tables/krb5_err.c:87 +msgid "Invalid signature" +msgstr "ungültige Signatur" + +#: ../lib/krb5/error_tables/krb5_err.c:88 +msgid "Key parameters not accepted" +msgstr "Schlüsselparameter nicht akzeptiert" + +#: ../lib/krb5/error_tables/krb5_err.c:89 +msgid "Certificate mismatch" +msgstr "Zertifikat passt nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:90 +msgid "No ticket granting ticket" +msgstr "kein ticketgewährendes Ticket" + +#: ../lib/krb5/error_tables/krb5_err.c:91 +msgid "Realm not local to KDC" +msgstr "Realm für KDC nicht lokal" + +#: ../lib/krb5/error_tables/krb5_err.c:92 +msgid "User to user required" +msgstr "Benutzer-zu-Benutzer erforderlich" + +#: ../lib/krb5/error_tables/krb5_err.c:93 +msgid "Can't verify certificate" +msgstr "Zertifikat kann nicht überprüft werden" + +#: ../lib/krb5/error_tables/krb5_err.c:94 +msgid "Invalid certificate" +msgstr "ungültiges Zertifikat" + +#: ../lib/krb5/error_tables/krb5_err.c:95 +msgid "Revoked certificate" +msgstr "widerrufenes Zertifikat" + +#: ../lib/krb5/error_tables/krb5_err.c:96 +msgid "Revocation status unknown" +msgstr "Widerrufsstatus unbekannt" + +#: ../lib/krb5/error_tables/krb5_err.c:97 +msgid "Revocation status unavailable" +msgstr "Widerrufsstatus nicht verfügbar" + +#: ../lib/krb5/error_tables/krb5_err.c:98 +msgid "Client name mismatch" +msgstr "Client-Name passt nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:99 +msgid "KDC name mismatch" +msgstr "KDC-Name passt nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:100 +msgid "Inconsistent key purpose" +msgstr "inkonstistenter Schlüsselzweck" + +#: ../lib/krb5/error_tables/krb5_err.c:101 +msgid "Digest in certificate not accepted" +msgstr "Kurzfassung im Zertifikat nicht akzeptiert" + +#: ../lib/krb5/error_tables/krb5_err.c:102 +msgid "Checksum must be included" +msgstr "Prüfsumme muss enthalten sein" + +#: ../lib/krb5/error_tables/krb5_err.c:103 +msgid "Digest in signed-data not accepted" +msgstr "Kurzfassung in signierten Daten nicht akzeptiert" + +#: ../lib/krb5/error_tables/krb5_err.c:104 +msgid "Public key encryption not supported" +msgstr "Asymetrische Verschlüsselung nicht unterstützt" + +#: ../lib/krb5/error_tables/krb5_err.c:105 +msgid "KRB5 error code 82" +msgstr "KRB5-Fehlercode 82" + +#: ../lib/krb5/error_tables/krb5_err.c:106 +msgid "KRB5 error code 83" +msgstr "KRB5-Fehlercode 83" + +#: ../lib/krb5/error_tables/krb5_err.c:107 +msgid "KRB5 error code 84" +msgstr "KRB5-Fehlercode 84" + +#: ../lib/krb5/error_tables/krb5_err.c:108 +msgid "The IAKERB proxy could not find a KDC" +msgstr "Der IAKERB-Proxy konnte kein KDC finden." + +#: ../lib/krb5/error_tables/krb5_err.c:109 +msgid "The KDC did not respond to the IAKERB proxy" +msgstr "Das KDC anwortete dem IAKERB-Proxy nicht." + +#: ../lib/krb5/error_tables/krb5_err.c:110 +msgid "KRB5 error code 87" +msgstr "KRB5-Fehlercode 87" + +#: ../lib/krb5/error_tables/krb5_err.c:111 +msgid "KRB5 error code 88" +msgstr "KRB5-Fehlercode 88" + +#: ../lib/krb5/error_tables/krb5_err.c:112 +msgid "KRB5 error code 89" +msgstr "KRB5-Fehlercode 89" + +#: ../lib/krb5/error_tables/krb5_err.c:113 +msgid "KRB5 error code 90" +msgstr "KRB5-Fehlercode 90" + +#: ../lib/krb5/error_tables/krb5_err.c:114 +msgid "KRB5 error code 91" +msgstr "KRB5-Fehlercode 91" + +#: ../lib/krb5/error_tables/krb5_err.c:115 +msgid "KRB5 error code 92" +msgstr "KRB5-Fehlercode 92" + +#: ../lib/krb5/error_tables/krb5_err.c:116 +msgid "An unsupported critical FAST option was requested" +msgstr "Es wurde eine nicht unterstützte kritische FAST-Aktion angefordert." + +#: ../lib/krb5/error_tables/krb5_err.c:117 +msgid "KRB5 error code 94" +msgstr "KRB5-Fehlercode 94" + +#: ../lib/krb5/error_tables/krb5_err.c:118 +msgid "KRB5 error code 95" +msgstr "KRB5-Fehlercode 95" + +#: ../lib/krb5/error_tables/krb5_err.c:119 +msgid "KRB5 error code 96" +msgstr "KRB5-Fehlercode 96" + +#: ../lib/krb5/error_tables/krb5_err.c:120 +msgid "KRB5 error code 97" +msgstr "KRB5-Fehlercode 97" + +#: ../lib/krb5/error_tables/krb5_err.c:121 +msgid "KRB5 error code 98" +msgstr "KRB5-Fehlercode 98" + +#: ../lib/krb5/error_tables/krb5_err.c:122 +msgid "KRB5 error code 99" +msgstr "KRB5-Fehlercode 99" + +#: ../lib/krb5/error_tables/krb5_err.c:123 +msgid "No acceptable KDF offered" +msgstr "kein akzeptables KDF angeboten" + +#: ../lib/krb5/error_tables/krb5_err.c:124 +msgid "KRB5 error code 101" +msgstr "KRB5-Fehlercode 101" + +#: ../lib/krb5/error_tables/krb5_err.c:125 +msgid "KRB5 error code 102" +msgstr "KRB5-Fehlercode 102" + +#: ../lib/krb5/error_tables/krb5_err.c:126 +msgid "KRB5 error code 103" +msgstr "KRB5-Fehlercode 103" + +#: ../lib/krb5/error_tables/krb5_err.c:127 +msgid "KRB5 error code 104" +msgstr "KRB5-Fehlercode 104" + +#: ../lib/krb5/error_tables/krb5_err.c:128 +msgid "KRB5 error code 105" +msgstr "KRB5-Fehlercode 105" + +#: ../lib/krb5/error_tables/krb5_err.c:129 +msgid "KRB5 error code 106" +msgstr "KRB5-Fehlercode 106" + +#: ../lib/krb5/error_tables/krb5_err.c:130 +msgid "KRB5 error code 107" +msgstr "KRB5-Fehlercode 107" + +#: ../lib/krb5/error_tables/krb5_err.c:131 +msgid "KRB5 error code 108" +msgstr "KRB5-Fehlercode 108" + +#: ../lib/krb5/error_tables/krb5_err.c:132 +msgid "KRB5 error code 109" +msgstr "KRB5-Fehlercode 109" + +#: ../lib/krb5/error_tables/krb5_err.c:133 +msgid "KRB5 error code 110" +msgstr "KRB5-Fehlercode 110" + +#: ../lib/krb5/error_tables/krb5_err.c:134 +msgid "KRB5 error code 111" +msgstr "KRB5-Fehlercode 111" + +#: ../lib/krb5/error_tables/krb5_err.c:135 +msgid "KRB5 error code 112" +msgstr "KRB5-Fehlercode 112" + +#: ../lib/krb5/error_tables/krb5_err.c:136 +msgid "KRB5 error code 113" +msgstr "KRB5-Fehlercode 113" + +#: ../lib/krb5/error_tables/krb5_err.c:137 +msgid "KRB5 error code 114" +msgstr "KRB5-Fehlercode 114" + +#: ../lib/krb5/error_tables/krb5_err.c:138 +msgid "KRB5 error code 115" +msgstr "KRB5-Fehlercode 115" + +#: ../lib/krb5/error_tables/krb5_err.c:139 +msgid "KRB5 error code 116" +msgstr "KRB5-Fehlercode 116" + +#: ../lib/krb5/error_tables/krb5_err.c:140 +msgid "KRB5 error code 117" +msgstr "KRB5-Fehlercode 117" + +#: ../lib/krb5/error_tables/krb5_err.c:141 +msgid "KRB5 error code 118" +msgstr "KRB5-Fehlercode 118" + +#: ../lib/krb5/error_tables/krb5_err.c:142 +msgid "KRB5 error code 119" +msgstr "KRB5-Fehlercode 119" + +#: ../lib/krb5/error_tables/krb5_err.c:143 +msgid "KRB5 error code 120" +msgstr "KRB5-Fehlercode 120" + +#: ../lib/krb5/error_tables/krb5_err.c:144 +msgid "KRB5 error code 121" +msgstr "KRB5-Fehlercode 121" + +#: ../lib/krb5/error_tables/krb5_err.c:145 +msgid "KRB5 error code 122" +msgstr "KRB5-Fehlercode 122" + +#: ../lib/krb5/error_tables/krb5_err.c:146 +msgid "KRB5 error code 123" +msgstr "KRB5-Fehlercode 123" + +#: ../lib/krb5/error_tables/krb5_err.c:147 +msgid "KRB5 error code 124" +msgstr "KRB5-Fehlercode 124" + +#: ../lib/krb5/error_tables/krb5_err.c:148 +msgid "KRB5 error code 125" +msgstr "KRB5-Fehlercode 125" + +#: ../lib/krb5/error_tables/krb5_err.c:149 +msgid "KRB5 error code 126" +msgstr "KRB5-Fehlercode 126" + +#: ../lib/krb5/error_tables/krb5_err.c:150 +msgid "KRB5 error code 127" +msgstr "KRB5-Fehlercode 127" + +#: ../lib/krb5/error_tables/krb5_err.c:151 +#: ../lib/krb5/error_tables/kdb5_err.c:23 +msgid "$Id$" +msgstr "$Id$" + +#: ../lib/krb5/error_tables/krb5_err.c:152 +msgid "Invalid flag for file lock mode" +msgstr "ungültiger Schalter für den Datei-Sperrmodus" + +#: ../lib/krb5/error_tables/krb5_err.c:153 +msgid "Cannot read password" +msgstr "Passwort kann nicht gelesen werden" + +#: ../lib/krb5/error_tables/krb5_err.c:154 +msgid "Password mismatch" +msgstr "Passwort stimmt nicht überein" + +#: ../lib/krb5/error_tables/krb5_err.c:155 +msgid "Password read interrupted" +msgstr "Lesen des Passworts unterbrochen" + +#: ../lib/krb5/error_tables/krb5_err.c:156 +msgid "Illegal character in component name" +msgstr "ungültiges Zeichen in Komponentenname" + +#: ../lib/krb5/error_tables/krb5_err.c:157 +msgid "Malformed representation of principal" +msgstr "Darstellung des Principals in falscher Form" + +#: ../lib/krb5/error_tables/krb5_err.c:158 +msgid "Can't open/find Kerberos configuration file" +msgstr "Kerberos-Konfigurationsdatei kann nicht geöffnet/gefunden werden" + +#: ../lib/krb5/error_tables/krb5_err.c:159 +msgid "Improper format of Kerberos configuration file" +msgstr "Format der Kerberos-Konfigurationsdatei ist ungeeignet" + +#: ../lib/krb5/error_tables/krb5_err.c:160 +msgid "Insufficient space to return complete information" +msgstr "Platz reicht nicht zur Rückgabe aller Informationen aus" + +#: ../lib/krb5/error_tables/krb5_err.c:161 +msgid "Invalid message type specified for encoding" +msgstr "der zum Kodieren angegebene Nachrichtentyp ist ungültig" + +#: ../lib/krb5/error_tables/krb5_err.c:162 +msgid "Credential cache name malformed" +msgstr "falsche Form des Anmeldedatenzwischenspeichernamens" + +#: ../lib/krb5/error_tables/krb5_err.c:163 +msgid "Unknown credential cache type" +msgstr "unbekannter Anmeldedatenzwischenspeichertyp" + +#: ../lib/krb5/error_tables/krb5_err.c:164 +msgid "Matching credential not found" +msgstr "keine passenden Anmeldedaten gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:165 +msgid "End of credential cache reached" +msgstr "Ende des Anmeldedatenzwischenspeichers erreicht" + +#: ../lib/krb5/error_tables/krb5_err.c:166 +msgid "Request did not supply a ticket" +msgstr "Anfrage lieferte kein Ticket" + +#: ../lib/krb5/error_tables/krb5_err.c:167 +msgid "Wrong principal in request" +msgstr "falscher Principal in der Anfrage" + +#: ../lib/krb5/error_tables/krb5_err.c:168 +msgid "Ticket has invalid flag set" +msgstr "Das Ticket hat einen falsch gesetzten Schalter." + +#: ../lib/krb5/error_tables/krb5_err.c:169 +msgid "Requested principal and ticket don't match" +msgstr "angeforderter Principal und Ticket passen nicht zusammen" + +#: ../lib/krb5/error_tables/krb5_err.c:170 +msgid "KDC reply did not match expectations" +msgstr "KDC-Antwort entsprach nicht den Erwartungen" + +#: ../lib/krb5/error_tables/krb5_err.c:171 +msgid "Clock skew too great in KDC reply" +msgstr "Zeitversatz in der KDC-Antwort zu groß" + +#: ../lib/krb5/error_tables/krb5_err.c:172 +msgid "Client/server realm mismatch in initial ticket request" +msgstr "" +"Client-/Server-Realm passen in der anfänglichen Ticketanfrage nicht zusammen." + +#: ../lib/krb5/error_tables/krb5_err.c:173 +msgid "Program lacks support for encryption type" +msgstr "" +"Dem Programm fehlt es an der Unterstützung für den Verschlüsselungstyp." + +#: ../lib/krb5/error_tables/krb5_err.c:174 +msgid "Program lacks support for key type" +msgstr "Dem Programm fehlt es an der Unterstützung für den Schlüsseltyp." + +#: ../lib/krb5/error_tables/krb5_err.c:175 +msgid "Requested encryption type not used in message" +msgstr "" +"Der angeforderte Verschlüsselungstyp wird in der Nachricht nicht verwendet." + +#: ../lib/krb5/error_tables/krb5_err.c:176 +msgid "Program lacks support for checksum type" +msgstr "Dem Programm fehlt es an der Unterstützung für den Prüfsummentyp." + +#: ../lib/krb5/error_tables/krb5_err.c:177 +msgid "Cannot find KDC for requested realm" +msgstr "KDC für angeforderten Realm kann nicht gefunden werden" + +#: ../lib/krb5/error_tables/krb5_err.c:178 +msgid "Kerberos service unknown" +msgstr "Kerberos-Dienst unbekannt" + +#: ../lib/krb5/error_tables/krb5_err.c:179 +msgid "Cannot contact any KDC for requested realm" +msgstr "Für den angeforderten Realm kann kein KDC kontaktiert werden." + +#: ../lib/krb5/error_tables/krb5_err.c:180 +msgid "No local name found for principal name" +msgstr "Für den Principal-Namen wurde kein lokaler Name gefunden." + +#: ../lib/krb5/error_tables/krb5_err.c:182 +msgid "Replay cache type is already registered" +msgstr "Wiederholungszwischenspeichertyp ist bereits registriert" + +#: ../lib/krb5/error_tables/krb5_err.c:183 +msgid "No more memory to allocate (in replay cache code)" +msgstr "" +"kein Speicher mehr zu reservieren (im Wiederholungszwischenspeichercode)" + +#: ../lib/krb5/error_tables/krb5_err.c:184 +msgid "Replay cache type is unknown" +msgstr "Wiederholungszwischenspeichertyp ist unbekannt" + +#: ../lib/krb5/error_tables/krb5_err.c:185 +msgid "Generic unknown RC error" +msgstr "allgemeiner unbekannter Wiederholungszwischenspeicherfehler" + +#: ../lib/krb5/error_tables/krb5_err.c:186 +msgid "Message is a replay" +msgstr "Nachricht ist eine Wiederholung" + +#: ../lib/krb5/error_tables/krb5_err.c:187 +msgid "Replay cache I/O operation failed" +msgstr "Wiederholungszwischenspeicher-E/A-Aktion fehlgeschlagen" + +#: ../lib/krb5/error_tables/krb5_err.c:188 +msgid "Replay cache type does not support non-volatile storage" +msgstr "" +"Wiederholungszwischenspeichertyp unterstützt keinen beständigen Speicher" + +#: ../lib/krb5/error_tables/krb5_err.c:189 +msgid "Replay cache name parse/format error" +msgstr "Auswerte-/Formatfehler im Wiederholungszwischenspeichernamens" + +#: ../lib/krb5/error_tables/krb5_err.c:190 +msgid "End-of-file on replay cache I/O" +msgstr "Dateiende bei der E/A des Wiederholungszwischenspeichers" + +#: ../lib/krb5/error_tables/krb5_err.c:191 +msgid "No more memory to allocate (in replay cache I/O code)" +msgstr "" +"kein weiterer Speicher reservierbar (im Wiederholungszwischenspeicher-E/A-" +"Code)" + +#: ../lib/krb5/error_tables/krb5_err.c:192 +msgid "Permission denied in replay cache code" +msgstr "Zugriff im Wiederholungszwischenspeichercode verweigert" + +#: ../lib/krb5/error_tables/krb5_err.c:193 +msgid "I/O error in replay cache i/o code" +msgstr "E/A-Fehler im Wiederholungszwischenspeicher-E/A-Code" + +#: ../lib/krb5/error_tables/krb5_err.c:194 +msgid "Generic unknown RC/IO error" +msgstr "allgemeiner unbekannter Wiederholungszwischenspeicher-/E/A-Fehler" + +#: ../lib/krb5/error_tables/krb5_err.c:195 +msgid "Insufficient system space to store replay information" +msgstr "" +"Platz im System reicht nicht zum Speichern der Wiederholungsinformationen" + +#: ../lib/krb5/error_tables/krb5_err.c:196 +msgid "Can't open/find realm translation file" +msgstr "Realm-Übersetzungsdatei kann nicht geöffnet/gefunden werden" + +#: ../lib/krb5/error_tables/krb5_err.c:197 +msgid "Improper format of realm translation file" +msgstr "Format der Realm-Übersetzungsdatei ist ungeeignet" + +#: ../lib/krb5/error_tables/krb5_err.c:198 +msgid "Can't open/find lname translation database" +msgstr "die Lname-Übersetzungsdatenbank kann nicht geöffnet/gefunden werden" + +#: ../lib/krb5/error_tables/krb5_err.c:199 +msgid "No translation available for requested principal" +msgstr "Für den angeforderten Principal ist keine Übersetzung verfügbar." + +#: ../lib/krb5/error_tables/krb5_err.c:200 +msgid "Improper format of translation database entry" +msgstr "Format des Eintrags der Übersetzungsdatenbank ist ungeeignet" + +#: ../lib/krb5/error_tables/krb5_err.c:201 +msgid "Cryptosystem internal error" +msgstr "interner Fehler des Verschlüsselungssystems" + +#: ../lib/krb5/error_tables/krb5_err.c:202 +msgid "Key table name malformed" +msgstr "falsche Form des Schlüsseltabellennamens" + +#: ../lib/krb5/error_tables/krb5_err.c:203 +msgid "Unknown Key table type" +msgstr "unbekannter Schlüsseltabellentyp" + +#: ../lib/krb5/error_tables/krb5_err.c:204 +msgid "Key table entry not found" +msgstr "Schlüsseltabelleneintrag nicht gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:205 +msgid "End of key table reached" +msgstr "Ende der Schlüsseltabelle erreicht" + +#: ../lib/krb5/error_tables/krb5_err.c:206 +msgid "Cannot write to specified key table" +msgstr "in angegebene Schlüsseltabelle kann nicht geschrieben werden" + +#: ../lib/krb5/error_tables/krb5_err.c:207 +msgid "Error writing to key table" +msgstr "Fehler beim Schreiben in Schlüsseltabelle" + +#: ../lib/krb5/error_tables/krb5_err.c:208 +msgid "Cannot find ticket for requested realm" +msgstr "Ticket für angeforderten Realm kann nicht gefunden werden" + +#: ../lib/krb5/error_tables/krb5_err.c:209 +msgid "DES key has bad parity" +msgstr "DES-Schlüssel hat falsche Parität" + +#: ../lib/krb5/error_tables/krb5_err.c:210 +msgid "DES key is a weak key" +msgstr "DES-Schlüssel ist schwach" + +#: ../lib/krb5/error_tables/krb5_err.c:211 +msgid "Bad encryption type" +msgstr "falscher Verschlüsselungstyp" + +#: ../lib/krb5/error_tables/krb5_err.c:212 +msgid "Key size is incompatible with encryption type" +msgstr "Schlüssellänge ist nicht mit dem Verschlüsselungstyp kompatibel" + +#: ../lib/krb5/error_tables/krb5_err.c:213 +msgid "Message size is incompatible with encryption type" +msgstr "Nachrichtengröße ist nicht mit Verschlüsselungstyp kompatibel" + +#: ../lib/krb5/error_tables/krb5_err.c:214 +msgid "Credentials cache type is already registered." +msgstr "Anmeldedatenzwischenspeichertyp ist bereits registriert" + +#: ../lib/krb5/error_tables/krb5_err.c:215 +msgid "Key table type is already registered." +msgstr "Schlüsseltabellentyp ist bereits registriert" + +#: ../lib/krb5/error_tables/krb5_err.c:216 +msgid "Credentials cache I/O operation failed XXX" +msgstr "E/A-Aktion für Anmeldedatenzwischenspeicher fehlgeschlagen XXX" + +#: ../lib/krb5/error_tables/krb5_err.c:217 +msgid "Credentials cache permissions incorrect" +msgstr "Anmeldedatenzwischenspeicherrechte nicht korrekt" + +#: ../lib/krb5/error_tables/krb5_err.c:218 +msgid "No credentials cache found" +msgstr "kein Anmeldedatenzwischenspeicher gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:219 +msgid "Internal credentials cache error" +msgstr "interner Anmeldedatenzwischenspeicherfehler" + +#: ../lib/krb5/error_tables/krb5_err.c:220 +msgid "Error writing to credentials cache" +msgstr "Fehler beim Schreiben in den Anmeldedatenzwischenspeicher" + +#: ../lib/krb5/error_tables/krb5_err.c:221 +msgid "No more memory to allocate (in credentials cache code)" +msgstr "" +"kein weiterer Speicher zu reservieren (im Anmeldedatenzwischenspeichercode)" + +#: ../lib/krb5/error_tables/krb5_err.c:222 +msgid "Bad format in credentials cache" +msgstr "falsches Format im Anmeldedatenzwischenspeicher" + +#: ../lib/krb5/error_tables/krb5_err.c:223 +msgid "No credentials found with supported encryption types" +msgstr "keine Anmeldedaten mit unterstützten Verschlüsselungstypen gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:224 +msgid "Invalid KDC option combination (library internal error)" +msgstr "ungültige Kombination von KDC-Optionen (interner Bibliotheksfehler)" + +#: ../lib/krb5/error_tables/krb5_err.c:225 +msgid "Request missing second ticket" +msgstr "Der Anfrage fehlt das zweite Ticket." + +#: ../lib/krb5/error_tables/krb5_err.c:226 +msgid "No credentials supplied to library routine" +msgstr "der Bibliotheks-Routine wurden keine Anmeldedaten geliefert" + +#: ../lib/krb5/error_tables/krb5_err.c:227 +msgid "Bad sendauth version was sent" +msgstr "Es wurde eine falsche Sendauth-Version verschickt" + +#: ../lib/krb5/error_tables/krb5_err.c:228 +msgid "Bad application version was sent (via sendauth)" +msgstr "Es wurde eine falsche Anwendungsversion (über Sendauth) verschickt" + +#: ../lib/krb5/error_tables/krb5_err.c:229 +msgid "Bad response (during sendauth exchange)" +msgstr "falsche Antwort (beim Sendauth-Austausch)" + +#: ../lib/krb5/error_tables/krb5_err.c:230 +msgid "Server rejected authentication (during sendauth exchange)" +msgstr "Server wies Authentifizierung (beim Sendauth-Austausch) zurück" + +#: ../lib/krb5/error_tables/krb5_err.c:231 +msgid "Unsupported preauthentication type" +msgstr "nicht unterstützter Vorauthentifizierungstyp" + +#: ../lib/krb5/error_tables/krb5_err.c:232 +msgid "Required preauthentication key not supplied" +msgstr "erforderlicher Vorauthentifizierungsschlüssel nicht bereitgestellt" + +#: ../lib/krb5/error_tables/krb5_err.c:233 +msgid "Generic preauthentication failure" +msgstr "allgemeiner Fehlschlag der Vorauthentifizierung" + +#: ../lib/krb5/error_tables/krb5_err.c:234 +msgid "Unsupported replay cache format version number" +msgstr "" +"nicht unterstütztes Versionsnummernformat des Wiederholungszwischenspeichers" + +#: ../lib/krb5/error_tables/krb5_err.c:235 +msgid "Unsupported credentials cache format version number" +msgstr "" +"nicht unterstütztes Versionsnummernformat des Anmeldedatenzwischenspeichers" + +#: ../lib/krb5/error_tables/krb5_err.c:236 +msgid "Unsupported key table format version number" +msgstr "nicht unterstütztes Versionsnummernformat der Schlüsseltabelle" + +#: ../lib/krb5/error_tables/krb5_err.c:237 +msgid "Program lacks support for address type" +msgstr "Dem Programm fehlt es an der Unterstützung des Adresstyps." + +#: ../lib/krb5/error_tables/krb5_err.c:238 +msgid "Message replay detection requires rcache parameter" +msgstr "Erkennung der Antwortnachricht erfordert den Parameter »rcache«" + +#: ../lib/krb5/error_tables/krb5_err.c:239 +msgid "Hostname cannot be canonicalized" +msgstr "Rechnername kann nicht in Normalform gebracht werden" + +#: ../lib/krb5/error_tables/krb5_err.c:240 +msgid "Cannot determine realm for host" +msgstr "Realm für Rechner kann nicht bestimmt werden" + +#: ../lib/krb5/error_tables/krb5_err.c:241 +msgid "Conversion to service principal undefined for name type" +msgstr "Umwandlung in Dienst-Principal für Namenstyp nicht definiert" + +#: ../lib/krb5/error_tables/krb5_err.c:242 +msgid "Initial Ticket response appears to be Version 4 error" +msgstr "anfängliche Ticket-Antwort scheint ein Fehler der Version 4 zu sein" + +#: ../lib/krb5/error_tables/krb5_err.c:243 +msgid "Cannot resolve network address for KDC in requested realm" +msgstr "" +"Netzwerkadresse für KDC im angeforderten Realm kann nicht aufgelöst werden" + +#: ../lib/krb5/error_tables/krb5_err.c:244 +msgid "Requesting ticket can't get forwardable tickets" +msgstr "anforderndes Ticket kann keine weiterleitbaren Tickets holen" + +#: ../lib/krb5/error_tables/krb5_err.c:245 +msgid "Bad principal name while trying to forward credentials" +msgstr "falscher Principal beim Versuch, Anmeldedaten weiterzuleiten" + +#: ../lib/krb5/error_tables/krb5_err.c:246 +msgid "Looping detected inside krb5_get_in_tkt" +msgstr "Schleife innerhalb von »krb5_get_in_tkt« entdeckt" + +#: ../lib/krb5/error_tables/krb5_err.c:247 +msgid "Configuration file does not specify default realm" +msgstr "Konfigurationsdatei gibt keinen Standard-Realm an" + +#: ../lib/krb5/error_tables/krb5_err.c:248 +msgid "Bad SAM flags in obtain_sam_padata" +msgstr "falsche SAM-Schalter in »obtain_sam_padata«" + +#: ../lib/krb5/error_tables/krb5_err.c:249 +msgid "Invalid encryption type in SAM challenge" +msgstr "ungültiger Verschlüsselungstyp in der SAM-Aufforderung" + +#: ../lib/krb5/error_tables/krb5_err.c:250 +msgid "Missing checksum in SAM challenge" +msgstr "fehlende Prüfsumme in der SAM-Aufforderung" + +#: ../lib/krb5/error_tables/krb5_err.c:251 +msgid "Bad checksum in SAM challenge" +msgstr "falsche Prüfsumme in der SAM-Aufforderung" + +#: ../lib/krb5/error_tables/krb5_err.c:252 +msgid "Keytab name too long" +msgstr "Schlüsseltabellennamen zu lang" + +#: ../lib/krb5/error_tables/krb5_err.c:253 +msgid "Key version number for principal in key table is incorrect" +msgstr "" +"Schlüsselversionsnummer des Principals in der Schlüsseltabelle ist nicht " +"korrekt" + +#: ../lib/krb5/error_tables/krb5_err.c:254 +msgid "This application has expired" +msgstr "Diese Anwendung ist abgelaufen." + +#: ../lib/krb5/error_tables/krb5_err.c:255 +msgid "This Krb5 library has expired" +msgstr "Diese Krb5-Bibliothek ist abgelaufen." + +#: ../lib/krb5/error_tables/krb5_err.c:256 +msgid "New password cannot be zero length" +msgstr "Das neue Passwort kann nicht die Länge Null haben." + +#: ../lib/krb5/error_tables/krb5_err.c:258 +msgid "Bad format in keytab" +msgstr "falsches Format in der Schlüsseltabelle" + +#: ../lib/krb5/error_tables/krb5_err.c:259 +msgid "Encryption type not permitted" +msgstr "Verschlüsselungstyp nicht erlaubt" + +#: ../lib/krb5/error_tables/krb5_err.c:260 +msgid "No supported encryption types (config file error?)" +msgstr "" +"keine unterstützten Verschlüsselungstypen (Fehler in der " +"Konfigurationsdatei?)" + +#: ../lib/krb5/error_tables/krb5_err.c:261 +msgid "Program called an obsolete, deleted function" +msgstr "Das Programm rief eine veraltete, gelöschte Funktion auf." + +#: ../lib/krb5/error_tables/krb5_err.c:262 +msgid "unknown getaddrinfo failure" +msgstr "unbekannter Getaddrinfo-Fehlschlag" + +#: ../lib/krb5/error_tables/krb5_err.c:263 +msgid "no data available for host/domain name" +msgstr "keine Daten für Rechner/Domain-Namen verfügbar" + +#: ../lib/krb5/error_tables/krb5_err.c:264 +msgid "host/domain name not found" +msgstr "Rechner/Domain-Name nicht gefunden" + +#: ../lib/krb5/error_tables/krb5_err.c:265 +msgid "service name unknown" +msgstr "Dienstname unbekannt" + +#: ../lib/krb5/error_tables/krb5_err.c:266 +msgid "Cannot determine realm for numeric host address" +msgstr "Realm für numerische Rechneradresse kann nicht bestimmt werden" + +#: ../lib/krb5/error_tables/krb5_err.c:267 +msgid "Invalid key generation parameters from KDC" +msgstr "ungültige Parameter zum Erzeugen von Schlüsseln vom KDC" + +#: ../lib/krb5/error_tables/krb5_err.c:268 +msgid "service not available" +msgstr "Dienst nicht verfügbar" + +#: ../lib/krb5/error_tables/krb5_err.c:269 +msgid "Ccache function not supported: read-only ccache type" +msgstr "Ccache-Funktion nicht unterstützt: Ccache-Typ nur lesbar" + +#: ../lib/krb5/error_tables/krb5_err.c:270 +msgid "Ccache function not supported: not implemented" +msgstr "Ccache-Funktion nicht unterstützt: nicht implementiert" + +#: ../lib/krb5/error_tables/krb5_err.c:271 +msgid "Invalid format of Kerberos lifetime or clock skew string" +msgstr "" +"ungültiges Format der Kerberos-Lebensdauer oder der Zeitversatzzeichenkette" + +#: ../lib/krb5/error_tables/krb5_err.c:272 +msgid "Supplied data not handled by this plugin" +msgstr "" +"Die bereitgestellten Daten werden nicht von dieser Erweiterung behandelt." + +#: ../lib/krb5/error_tables/krb5_err.c:273 +msgid "Plugin does not support the operation" +msgstr "Erweiterung unterstützt diese Aktion nicht" + +#: ../lib/krb5/error_tables/krb5_err.c:274 +msgid "Invalid UTF-8 string" +msgstr "ungültige UTF-8-Zeichenkette" + +#: ../lib/krb5/error_tables/krb5_err.c:275 +msgid "FAST protected pre-authentication required but not supported by KDC" +msgstr "" +"FAST-geschützte Vorauthentifizierung erforderlich, aber nicht vom KDC " +"unterstützt" + +#: ../lib/krb5/error_tables/krb5_err.c:276 +msgid "Auth context must contain local address" +msgstr "Authentifizierungskontext muss lokale Adresse enthalten" + +#: ../lib/krb5/error_tables/krb5_err.c:277 +msgid "Auth context must contain remote address" +msgstr "Authentifizierungskontext muss ferne Adresse enthalten" + +#: ../lib/krb5/error_tables/krb5_err.c:278 +msgid "Tracing unsupported" +msgstr "Verfolgung nicht unterstützt" + +#: ../lib/krb5/error_tables/kdb5_err.c:24 +msgid "Entry already exists in database" +msgstr "Eintrag existiert bereits in der Datenbank" + +#: ../lib/krb5/error_tables/kdb5_err.c:25 +msgid "Database store error" +msgstr "Datenbank-Speicherfehler" + +#: ../lib/krb5/error_tables/kdb5_err.c:26 +msgid "Database read error" +msgstr "Datenbank-Lesefehler" + +#: ../lib/krb5/error_tables/kdb5_err.c:27 +msgid "Insufficient access to perform requested operation" +msgstr "Zugriffsrechte reichen nicht zur Durchführung der angeforderten Aktion" + +#: ../lib/krb5/error_tables/kdb5_err.c:28 +msgid "No such entry in the database" +msgstr "kein derartiger Eintrag in der Datenbank" + +#: ../lib/krb5/error_tables/kdb5_err.c:29 +msgid "Illegal use of wildcard" +msgstr "ungültige Verwendung eines Platzhalters" + +#: ../lib/krb5/error_tables/kdb5_err.c:30 +msgid "Database is locked or in use--try again later" +msgstr "" +"Datenbank ist gesperrt oder wird gerade benutzt – versuchen Sie es später " +"wieder" + +#: ../lib/krb5/error_tables/kdb5_err.c:31 +msgid "Database was modified during read" +msgstr "Datenbank wurde während des Lesens geändert" + +#: ../lib/krb5/error_tables/kdb5_err.c:32 +msgid "Database record is incomplete or corrupted" +msgstr "Datensatz ist unvollständig oder beschädigt" + +#: ../lib/krb5/error_tables/kdb5_err.c:33 +msgid "Attempt to lock database twice" +msgstr "Es wurde zweimal versucht, die Datenbank zu sperren." + +#: ../lib/krb5/error_tables/kdb5_err.c:34 +msgid "Attempt to unlock database when not locked" +msgstr "" +"Es wurde versucht, die Datenbank zu entsperren, obwohl sie nicht gesperrt " +"ist." + +#: ../lib/krb5/error_tables/kdb5_err.c:35 +msgid "Invalid kdb lock mode" +msgstr "ungültiger KDB-Sperrmodus" + +#: ../lib/krb5/error_tables/kdb5_err.c:36 +msgid "Database has not been initialized" +msgstr "Datenbank wurde nicht initialisiert" + +#: ../lib/krb5/error_tables/kdb5_err.c:37 +msgid "Database has already been initialized" +msgstr "Datenbank wurde bereits initialisiert" + +#: ../lib/krb5/error_tables/kdb5_err.c:38 +msgid "Bad direction for converting keys" +msgstr "falsche Richtung zum Umwandeln von Schlüsseln" + +#: ../lib/krb5/error_tables/kdb5_err.c:39 +msgid "Cannot find master key record in database" +msgstr "Hauptschlüsseldatensatz kann nicht in der Datenbank gefunden werden" + +#: ../lib/krb5/error_tables/kdb5_err.c:40 +msgid "Master key does not match database" +msgstr "Hauptschlüssel passt nicht zur Datenbank" + +#: ../lib/krb5/error_tables/kdb5_err.c:41 +msgid "Key size in database is invalid" +msgstr "Die Schlüssellänge in der Datenbank ist ungültig," + +#: ../lib/krb5/error_tables/kdb5_err.c:42 +msgid "Cannot find/read stored master key" +msgstr "Der gespeicherte Hauptschlüssel kann nicht gefunden/gelesen werden." + +#: ../lib/krb5/error_tables/kdb5_err.c:43 +msgid "Stored master key is corrupted" +msgstr "Der gespeicherte Hauptschlüssel ist beschädigt." + +#: ../lib/krb5/error_tables/kdb5_err.c:44 +msgid "Cannot find active master key" +msgstr "Der aktive Hauptschlüssel kann nicht gefunden werden." + +#: ../lib/krb5/error_tables/kdb5_err.c:45 +msgid "KVNO of new master key does not match expected value" +msgstr "KVNO des neuen Hauptschlüssels passt nicht zum erwarteten Wert" + +#: ../lib/krb5/error_tables/kdb5_err.c:46 +msgid "Stored master key is not current" +msgstr "gespeicherter Hauptschlüssel ist nicht aktuell" + +#: ../lib/krb5/error_tables/kdb5_err.c:47 +msgid "Insufficient access to lock database" +msgstr "keine ausreichenden Zugriffsrechte zum Sperren der Datenbank" + +#: ../lib/krb5/error_tables/kdb5_err.c:48 +msgid "Database format error" +msgstr "fehlerhaftes Datenbankformat" + +#: ../lib/krb5/error_tables/kdb5_err.c:49 +msgid "Unsupported version in database entry" +msgstr "nicht unterstützte Version im Datenbankeintrag" + +#: ../lib/krb5/error_tables/kdb5_err.c:50 +msgid "Unsupported salt type" +msgstr "nicht unterstützter Salt-Typ" + +#: ../lib/krb5/error_tables/kdb5_err.c:51 +msgid "Unsupported encryption type" +msgstr "nicht unterstützter Verschlüsselungstyp" + +#: ../lib/krb5/error_tables/kdb5_err.c:52 +msgid "Bad database creation flags" +msgstr "falsche Schalter zum Erstellen der Datenbank" + +#: ../lib/krb5/error_tables/kdb5_err.c:53 +msgid "No matching key in entry having a permitted enctype" +msgstr "" +"kein passender Schlüssel in einem Eintrag mit erlaubtem Verschlüsselungstyp" + +#: ../lib/krb5/error_tables/kdb5_err.c:54 +msgid "No matching key in entry" +msgstr "kein passender Schlüssel im Eintrag" + +#: ../lib/krb5/error_tables/kdb5_err.c:55 +msgid "Unable to find requested database type" +msgstr "angeforderter Datenbanktyp kann nicht gefunden werden" + +#: ../lib/krb5/error_tables/kdb5_err.c:56 +msgid "Database type not supported" +msgstr "Datenbanktyp nicht unterstützt" + +#: ../lib/krb5/error_tables/kdb5_err.c:57 +msgid "Database library failed to initialize" +msgstr "Initialisieren der Datenbankbibliothek fehlgeschlagen" + +#: ../lib/krb5/error_tables/kdb5_err.c:59 +msgid "Unable to access Kerberos database" +msgstr "auf die Kerberos-Datenbank kann nicht zugegriffen werden" + +#: ../lib/krb5/error_tables/kdb5_err.c:60 +msgid "Kerberos database internal error" +msgstr "interner Kerberos-Datenbankfehler" + +#: ../lib/krb5/error_tables/kdb5_err.c:61 +msgid "Kerberos database constraints violated" +msgstr "Kerberos-Datenbankbeschränkungen verletzt" + +#: ../lib/krb5/error_tables/kdb5_err.c:62 +msgid "Update log conversion error" +msgstr "Fehler beim Umwandeln des Aktualisierungsprotokolls" + +#: ../lib/krb5/error_tables/kdb5_err.c:63 +msgid "Update log is unstable" +msgstr "Aktualisierungsprotokoll ist instabil" + +#: ../lib/krb5/error_tables/kdb5_err.c:64 +msgid "Update log is corrupt" +msgstr "Aktualisierungsprotokoll ist beschädigt" + +#: ../lib/krb5/error_tables/kdb5_err.c:65 +msgid "Generic update log error" +msgstr "allgemeiner Aktualisierungsprotokollfehler" + +#: ../lib/krb5/error_tables/kdb5_err.c:66 +msgid "Database module does not match KDC version" +msgstr "Datenbankmodul passt nicht zur KDC-Version" + +#: ../lib/krb5/error_tables/kdb5_err.c:68 +msgid "Too much string mapping data" +msgstr "zu viele zeichenkettenabbildenden Daten" + +#: ../lib/krb5/error_tables/asn1_err.c:23 +msgid "ASN.1 failed call to system time library" +msgstr "ASN.1 beim Aufruf der Systemzeitbibliothek gescheitert" + +#: ../lib/krb5/error_tables/asn1_err.c:24 +msgid "ASN.1 structure is missing a required field" +msgstr "ein erforderliches Feld fehlt in der ASN.1-Struktur" + +#: ../lib/krb5/error_tables/asn1_err.c:25 +msgid "ASN.1 unexpected field number" +msgstr "ASN.1 unerwartete Feldnummer" + +#: ../lib/krb5/error_tables/asn1_err.c:26 +msgid "ASN.1 type numbers are inconsistent" +msgstr "ASN.1-Typnummern sind inkonsistent" + +#: ../lib/krb5/error_tables/asn1_err.c:27 +msgid "ASN.1 value too large" +msgstr "ASN.1-Wert zu groß" + +#: ../lib/krb5/error_tables/asn1_err.c:28 +msgid "ASN.1 encoding ended unexpectedly" +msgstr "ASN.1-Kodierung endete unerwartet" + +#: ../lib/krb5/error_tables/asn1_err.c:29 +msgid "ASN.1 identifier doesn't match expected value" +msgstr "ASN.1-Bezeichner passt nicht zum erwarteten Wert" + +#: ../lib/krb5/error_tables/asn1_err.c:30 +msgid "ASN.1 length doesn't match expected value" +msgstr "Länge von ASN.1 passt nicht zum erwarteten Wert" + +#: ../lib/krb5/error_tables/asn1_err.c:31 +msgid "ASN.1 badly-formatted encoding" +msgstr "fehlerhaft formatierte ASN.1-Kodierung" + +#: ../lib/krb5/error_tables/asn1_err.c:32 +msgid "ASN.1 parse error" +msgstr "ASN.1-Auswertungsfehler" + +#: ../lib/krb5/error_tables/asn1_err.c:33 +msgid "ASN.1 bad return from gmtime" +msgstr "ASN.1 falscher Rückgabewert von Gmtime" + +#: ../lib/krb5/error_tables/asn1_err.c:34 +msgid "ASN.1 non-constructed indefinite encoding" +msgstr "nicht konstruierte unbestimmte ASN.1-Kodierung" + +#: ../lib/krb5/error_tables/asn1_err.c:35 +msgid "ASN.1 missing expected EOC" +msgstr "ASN.1 fehlt erwartetes EOC" + +#: ../lib/krb5/error_tables/asn1_err.c:36 +msgid "ASN.1 object omitted in sequence" +msgstr "ASN.1-Objekt in Sequenz ausgelassen" + +#: ../lib/krb5/error_tables/kv5m_err.c:23 +msgid "Kerberos V5 magic number table" +msgstr "Tabelle magischer Zahlen von Kerberos V5" + +#: ../lib/krb5/error_tables/kv5m_err.c:24 +msgid "Bad magic number for krb5_principal structure" +msgstr "falsche magische Zahl für Krb5_principal-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:25 +msgid "Bad magic number for krb5_data structure" +msgstr "falsche magische Zahl für Krb5_data-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:26 +msgid "Bad magic number for krb5_keyblock structure" +msgstr "falsche magische Zahl für Krb5_krb5_keyblock-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:27 +msgid "Bad magic number for krb5_checksum structure" +msgstr "falsche magische Zahl für Krb5_krb5_checksum-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:28 +msgid "Bad magic number for krb5_encrypt_block structure" +msgstr "falsche magische Zahl für Krb5_encrypt_bloc-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:29 +msgid "Bad magic number for krb5_enc_data structure" +msgstr "falsche magische Zahl für Krb5_enc_data-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:30 +msgid "Bad magic number for krb5_cryptosystem_entry structure" +msgstr "falsche magische Zahl für Krb5_cryptosystem_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:31 +msgid "Bad magic number for krb5_cs_table_entry structure" +msgstr "falsche magische Zahl für Krb5_cs_table_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:32 +msgid "Bad magic number for krb5_checksum_entry structure" +msgstr "falsche magische Zahl für Krb5_checksum_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:33 +msgid "Bad magic number for krb5_authdata structure" +msgstr "falsche magische Zahl für Krb5_authdata-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:34 +msgid "Bad magic number for krb5_transited structure" +msgstr "falsche magische Zahl für Krb5_transited-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:35 +msgid "Bad magic number for krb5_enc_tkt_part structure" +msgstr "falsche magische Zahl für Krb5_enc_tkt_part-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:36 +msgid "Bad magic number for krb5_ticket structure" +msgstr "falsche magische Zahl für Krb5_ticket-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:37 +msgid "Bad magic number for krb5_authenticator structure" +msgstr "falsche magische Zahl für Krb5_authenticator-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:38 +msgid "Bad magic number for krb5_tkt_authent structure" +msgstr "falsche magische Zahl für Krb5_tkt_authent-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:39 +msgid "Bad magic number for krb5_creds structure" +msgstr "falsche magische Zahl für Krb5_creds-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:40 +msgid "Bad magic number for krb5_last_req_entry structure" +msgstr "falsche magische Zahl für Krb5_last_req_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:41 +msgid "Bad magic number for krb5_pa_data structure" +msgstr "falsche magische Zahl für Krb5_pa_data-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:42 +msgid "Bad magic number for krb5_kdc_req structure" +msgstr "falsche magische Zahl für Krb5_kdc_req-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:43 +msgid "Bad magic number for krb5_enc_kdc_rep_part structure" +msgstr "falsche magische Zahl für Krb5_enc_kdc_rep_part-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:44 +msgid "Bad magic number for krb5_kdc_rep structure" +msgstr "falsche magische Zahl für Krb5_kdc_rep-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:45 +msgid "Bad magic number for krb5_error structure" +msgstr "falsche magische Zahl für Krb5_error-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:46 +msgid "Bad magic number for krb5_ap_req structure" +msgstr "falsche magische Zahl für Krb5_ap_req-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:47 +msgid "Bad magic number for krb5_ap_rep structure" +msgstr "falsche magische Zahl für Krb5_ap_rep-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:48 +msgid "Bad magic number for krb5_ap_rep_enc_part structure" +msgstr "falsche magische Zahl für Krb5_ap_rep_enc_part-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:49 +msgid "Bad magic number for krb5_response structure" +msgstr "falsche magische Zahl für Krb5_response-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:50 +msgid "Bad magic number for krb5_safe structure" +msgstr "falsche magische Zahl für Krb5_safe-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:51 +msgid "Bad magic number for krb5_priv structure" +msgstr "falsche magische Zahl für Krb5_priv-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:52 +msgid "Bad magic number for krb5_priv_enc_part structure" +msgstr "falsche magische Zahl für Krb5_priv_enc_part-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:53 +msgid "Bad magic number for krb5_cred structure" +msgstr "falsche magische Zahl für Krb5_cred-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:54 +msgid "Bad magic number for krb5_cred_info structure" +msgstr "falsche magische Zahl für Krb5_cred_info-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:55 +msgid "Bad magic number for krb5_cred_enc_part structure" +msgstr "falsche magische Zahl für Krb5_cred_enc_part-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:56 +msgid "Bad magic number for krb5_pwd_data structure" +msgstr "falsche magische Zahl für Krb5_pwd_data-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:57 +msgid "Bad magic number for krb5_address structure" +msgstr "falsche magische Zahl für Krb5_address-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:58 +msgid "Bad magic number for krb5_keytab_entry structure" +msgstr "falsche magische Zahl für Krb5_keytab_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:59 +msgid "Bad magic number for krb5_context structure" +msgstr "falsche magische Zahl für Krb5_context-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:60 +msgid "Bad magic number for krb5_os_context structure" +msgstr "falsche magische Zahl für Krb5_os_context-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:61 +msgid "Bad magic number for krb5_alt_method structure" +msgstr "falsche magische Zahl für Krb5_alt_method-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:62 +msgid "Bad magic number for krb5_etype_info_entry structure" +msgstr "falsche magische Zahl für Krb5_etype_info_entry-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:63 +msgid "Bad magic number for krb5_db_context structure" +msgstr "falsche magische Zahl für Krb5_db_context-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:64 +msgid "Bad magic number for krb5_auth_context structure" +msgstr "falsche magische Zahl für Krb5_auth_context-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:65 +msgid "Bad magic number for krb5_keytab structure" +msgstr "falsche magische Zahl für Krb5_keytab-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:66 +msgid "Bad magic number for krb5_rcache structure" +msgstr "falsche magische Zahl für Krb5_rcache-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:67 +msgid "Bad magic number for krb5_ccache structure" +msgstr "falsche magische Zahl für Krb5_ccache-Struktur" + +#: ../lib/krb5/error_tables/kv5m_err.c:68 +msgid "Bad magic number for krb5_preauth_ops" +msgstr "falsche magische Zahl für Krb5_preauth_ops" + +#: ../lib/krb5/error_tables/kv5m_err.c:69 +msgid "Bad magic number for krb5_sam_challenge" +msgstr "falsche magische Zahl für Krb5_sam_challenge" + +#: ../lib/krb5/error_tables/kv5m_err.c:70 +msgid "Bad magic number for krb5_sam_challenge_2" +msgstr "falsche magische Zahl für Krb5_sam_challenge_2" + +#: ../lib/krb5/error_tables/kv5m_err.c:71 +msgid "Bad magic number for krb5_sam_key" +msgstr "falsche magische Zahl für Krb5_sam_key" + +#: ../lib/krb5/error_tables/kv5m_err.c:72 +#: ../lib/krb5/error_tables/kv5m_err.c:73 +msgid "Bad magic number for krb5_enc_sam_response_enc" +msgstr "falsche magische Zahl für Krb5_enc_sam_response_enc" + +#: ../lib/krb5/error_tables/kv5m_err.c:74 +msgid "Bad magic number for krb5_sam_response" +msgstr "falsche magische Zahl für Krb5_sam_response" + +#: ../lib/krb5/error_tables/kv5m_err.c:75 +msgid "Bad magic number for krb5_sam_response 2" +msgstr "falsche magische Zahl für Krb5_sam_response 2" + +#: ../lib/krb5/error_tables/kv5m_err.c:76 +msgid "Bad magic number for krb5_predicted_sam_response" +msgstr "falsche magische Zahl für Krb5_predicted_sam_response" + +#: ../lib/krb5/error_tables/kv5m_err.c:77 +msgid "Bad magic number for passwd_phrase_element" +msgstr "falsche magische Zahl für Passwd_phrase_element" + +#: ../lib/krb5/error_tables/kv5m_err.c:78 +msgid "Bad magic number for GSSAPI OID" +msgstr "falsche magische Zahl für GSSAPI OID" + +#: ../lib/krb5/error_tables/kv5m_err.c:79 +msgid "Bad magic number for GSSAPI QUEUE" +msgstr "falsche magische Zahl für GSSAPI QUEUE" + +#: ../lib/krb5/error_tables/kv5m_err.c:80 +msgid "Bad magic number for fast armored request" +msgstr "falsche magische Zahl für per FAST geschützte Anfrage" + +#: ../lib/krb5/error_tables/kv5m_err.c:81 +msgid "Bad magic number for FAST request" +msgstr "falsche magische Zahl für FAST-Anfrage" + +#: ../lib/krb5/error_tables/kv5m_err.c:82 +msgid "Bad magic number for FAST response" +msgstr "falsche magische Zahl für FAST-Antwort" + +#: ../lib/krb5/error_tables/kv5m_err.c:83 +msgid "Bad magic number for krb5_authdata_context" +msgstr "falsche magische Zahl für Krb5_authdata_context" + +#: ../lib/krb5/error_tables/krb524_err.c:23 +msgid "Cannot convert V5 keyblock" +msgstr "V5-Schlüsselblock kann nicht umgewandelt werden" + +#: ../lib/krb5/error_tables/krb524_err.c:24 +msgid "Cannot convert V5 address information" +msgstr "V5-Adressinformationen können nicht umgewandelt werden" + +#: ../lib/krb5/error_tables/krb524_err.c:25 +msgid "Cannot convert V5 principal" +msgstr "V5-Principal kann nicht umgewandelt werden" + +#: ../lib/krb5/error_tables/krb524_err.c:26 +msgid "V5 realm name longer than V4 maximum" +msgstr "V5-Realm-Name ist länger als die V4-Maximallänge" + +#: ../lib/krb5/error_tables/krb524_err.c:27 +msgid "Kerberos V4 error" +msgstr "Kerberos-V4-Fehler" + +#: ../lib/krb5/error_tables/krb524_err.c:28 +msgid "Encoding too large" +msgstr "Kodierung zu lang" + +#: ../lib/krb5/error_tables/krb524_err.c:29 +msgid "Decoding out of data" +msgstr "Dekodieren außerhalb der Daten" + +#: ../lib/krb5/error_tables/krb524_err.c:30 +msgid "Service not responding" +msgstr "Dienst antwortet nicht" + +#: ../lib/krb5/error_tables/krb524_err.c:31 +msgid "Kerberos version 4 support is disabled" +msgstr "Kerberos 4 Unterstützung ist deaktiviert" + +#~ msgid "while creating server %s principal name" +#~ msgstr "beim Erstellen des Principal-Namens für Server %s" + +# KDC = Key Distribution Center +#~ msgid "while getting credentials from kdc" +#~ msgstr "beim Holen der Anmeldedaten vom KDC" + +# FIXME s/Retrieving/retrieving/ +#~ msgid "while Retrieving credentials" +#~ msgstr "beim Abfragen der Anmeldedaten" + +#~ msgid "while copying principal" +#~ msgstr "beim Kopieren des Principals" + +#~ msgid "%s does not have correct permissions for %s\n" +#~ msgstr "%s hat nicht die erforderlichen Zugriffsrechte für %s\n" + +#~ msgid "no salt\n" +#~ msgstr "kein Salt\n" + +#~ msgid "%s: Couldn't grab lock\n" +#~ msgstr "%s: Es konnte keine Sperre erlangt werden.\n" + +#~ msgid "%s: Loads disallowed when iprop is enabled and a ulog is present\n" +#~ msgstr "" +#~ "%s: Wenn Iprop aktiviert und Ulog vorhanden ist, ist Laden nicht " +#~ "möglich.\n" + +#~ msgid "trying to lock database" +#~ msgstr "es wird versucht, die Datenbank zu sperren" + +#~ msgid "GSS-API error %s: %s\n" +#~ msgstr "GSS-API-Fehler %s: %s\n" + +#~ msgid "Couldn't create KRB5 Name NameType OID\n" +#~ msgstr "KRB5 Name NameType OID konnte nicht erstellt werden.\n" + +#~ msgid "%s: %s while initializing, aborting" +#~ msgstr "%s: %s beim Initialisieren, wird abgebrochen" + +#~ msgid "" +#~ "%s: Missing required configuration values (%lx) while initializing, " +#~ "aborting" +#~ msgstr "" +#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " +#~ "(%lx), wird abgebrochen" + +#~ msgid "" +#~ "%s: Missing required configuration values (%lx) while initializing, " +#~ "aborting\n" +#~ msgstr "" +#~ "%s: Beim Initialisieren fehlen die erforderlichen Konfigurationswerte " +#~ "(%lx), wird abgebrochen\n" + +#~ msgid "%s: could not initialize loop, aborting" +#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen" + +#~ msgid "%s: could not initialize loop, aborting\n" +#~ msgstr "%s: Schleife konnte nicht initialisiert werden, wird abgebrochen\n" + +#~ msgid "%s: %s while initializing signal handlers, aborting" +#~ msgstr "" +#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " +#~ "abgebrochen" + +#~ msgid "%s: %s while initializing signal handlers, aborting\n" +#~ msgstr "" +#~ "%s: %s beim Initialisieren des Signalbehandlungsprogramms, wird " +#~ "abgebrochen\n" + +#~ msgid "%s: %s while initializing network, aborting" +#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen" + +#~ msgid "%s: %s while initializing network, aborting\n" +#~ msgstr "%s: %s beim Initialisieren des Netzwerks, wird abgebrochen\n" + +#~ msgid "Cannot build GSS-API authentication names, failing." +#~ msgstr "" +#~ "GSS-API-Authentifizierungsnamen können nicht gebildet werden, " +#~ "fehlgeschlagen" + +#~ msgid "Can't set kdb keytab's internal context." +#~ msgstr "" +#~ "Der interne Kontext von KDBs Schlüsseltabelle kann nicht gesetzt werden." + +#~ msgid "Can't register kdb keytab." +#~ msgstr "Die KDB-Schlüsseltabelle kann nicht registriert werden." + +#~ msgid "Can't register acceptor keytab." +#~ msgstr "Die Empfängerschlüsseltabelle kann nicht registriert werden." + +#~ msgid "" +#~ "Cannot set GSS-API authentication names (keytab not present?), failing." +#~ msgstr "" +#~ "GSS-API-Authentifizierungsnamen können nicht gesetzt werden " +#~ "(Schlüsseltabelle nicht vorhanden?), fehlgeschlagen" + +#~ msgid "Cannot initialize acl file: %s" +#~ msgstr "ACL-Datei kann nicht initialisiert werden: %s" + +#~ msgid "%s: Cannot initialize acl file: %s\n" +#~ msgstr "%s: ACL-Datei kann nicht initialisiert werden: %s\n" + +#~ msgid "Cannot detach from tty: %s" +#~ msgstr "kann nicht vom Terminal gelöst werden: %s" + +#~ msgid "Cannot create PID file %s: %s" +#~ msgstr "PID-Datei %s kann nicht erstellt werden: %s" + +#~ msgid "%s: %s while mapping update log (`%s.ulog')\n" +#~ msgstr "%s: %s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)\n" + +#~ msgid "%s while mapping update log (`%s.ulog')" +#~ msgstr "%s beim Abbilden des Aktualisierungsprotokolls (»%s.ulog«)" + +#~ msgid "%s: Cannot create IProp RPC service (PROG=%d, VERS=%d)\n" +#~ msgstr "" +#~ "%s: IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d)\n" + +#~ msgid "Cannot create IProp RPC service (PROG=%d, VERS=%d), failing." +#~ msgstr "" +#~ "IProp-RPC-Dienst kann nicht erstellt werden (PROG=%d, VERS=%d), " +#~ "fehlgeschlagen" + +#~ msgid "%s while getting IProp svc name, failing" +#~ msgstr "%s beim Holen des IProp-Dienstnamens, fehlgeschlagen" + +#~ msgid "%s: %s while getting IProp svc name, failing\n" +#~ msgstr "%s: %s beim Holen des IProp-Dienstnamens, fehlgeschlagen\n" + +#~ msgid "Unable to set RPCSEC_GSS service name (`%s'), failing." +#~ msgstr "" +#~ "der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, fehlgeschlagen" + +#~ msgid "%s: Unable to set RPCSEC_GSS service name (`%s'), failing.\n" +#~ msgstr "" +#~ "%s: der RPCSEC_GSS-Dienstname (»%s«) kann nicht gesetzt werden, " +#~ "fehlgeschlagen\n" + +#~ msgid "GSS-API authentication error %.*s: recursive failure!" +#~ msgstr "GSS-API-Authentifizierungsfehler %.*s: rekursiver Fehlschlag!" + +#~ msgid "skipping unrecognized local address family %d" +#~ msgstr "nicht erkannte lokale Adressfamilie %d wird übersprungen" + +#~ msgid "got routing msg type %d(%s) v%d" +#~ msgstr "Routing-Meldungstyp %d(%s) v%d erhalten" + +#~ msgid "Could not create temp stash file: %s" +#~ msgstr "Temporäre Ablagedatei konnte nicht erstellt werden: %s" + +#~ msgid "ulog_sync_header: could not sync to disk" +#~ msgstr "ulog_sync_header: kann nicht auf Platte sychronisiert werden" + +#~ msgid "%s: attempt to convert non-extended krb5_get_init_creds_opt" +#~ msgstr "" +#~ "%s: Es wird versucht, nicht erweiterte »krb5_get_init_creds_opt« " +#~ "umzuwandeln" + +#~ msgid "krb5_sname_to_principal, while adding entries to the database" +#~ msgstr "" +#~ "»krb5_sname_to_principal« beim Hinzufügen von Einträgen zur Datenbank" + +#~ msgid "krb5_copy_principal, while adding entries to the database" +#~ msgstr "»krb5_copy_principal« beim Hinzufügen von Einträgen zur Datenbank" + +#~ msgid "" +#~ "Unable to check if SASL EXTERNAL mechanism is supported by LDAP server. " +#~ "Proceeding anyway ..." +#~ msgstr "" +#~ "Es konnte nicht geprüft werden, ob der Mechanismus SASL EXTERNAL vom LDAP-" +#~ "Server unterstützt wird. Es wird trotzdem fortgesetzt …" + +#~ msgid "" +#~ "SASL EXTERNAL mechanism not supported by LDAP server. Can't perform " +#~ "certificate-based bind." +#~ msgstr "" +#~ "Der Mechanismus SASL EXTERNAL wird nicht vom LDAP-Server unterstützt. Es " +#~ "kann keine zertifikatbasierte Verbindung hergestellt werden." + +#~ msgid "Error reading 'ldap_servers' attribute" +#~ msgstr "Fehler beim Lesen des Attributs »ldap_servers«" + +#~ msgid "Stash file entry corrupt" +#~ msgstr "Eintrag in der Ablagedatei beschädigt" + +#~ msgid "while setting server principal realm" +#~ msgstr "beim Setzen des Server-Principal-Realms" + +#~ msgid "while getting initial ticket\n" +#~ msgstr "beim Holen eines Anfangs-Tickets\n" + +#~ msgid "while destroying ticket cache" +#~ msgstr "beim Zerstören des Ticket-Zwischenspeichers" + +#~ msgid "while closing default ccache" +#~ msgstr "beim Schließen des Standard-Ccaches" diff --git a/src/po/mit-krb5.pot b/src/po/mit-krb5.pot index 446d325..7305ade 100644 --- a/src/po/mit-krb5.pot +++ b/src/po/mit-krb5.pot @@ -1,14 +1,14 @@ # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR MIT -# This file is distributed under the same license as the PACKAGE package. +# This file is distributed under the same license as the mit-krb5 package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" -"Project-Id-Version: mit-krb5 1.15.2\n" +"Project-Id-Version: mit-krb5 1.17\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2017-09-25 12:24-0400\n" +"POT-Creation-Date: 2019-01-08 11:00-0500\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -18,544 +18,575 @@ msgstr "" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=INTEGER; plural=EXPRESSION;\n" -#: ../../src/clients/kdestroy/kdestroy.c:56 +#: ../../src/clients/kdestroy/kdestroy.c:52 #, c-format -msgid "Usage: %s [-A] [-q] [-c cache_name]\n" +msgid "Usage: %s [-A] [-q] [-c cache_name] [-p princ_name]\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:57 +#: ../../src/clients/kdestroy/kdestroy.c:54 #, c-format msgid "\t-A destroy all credential caches in collection\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:58 +#: ../../src/clients/kdestroy/kdestroy.c:55 #, c-format msgid "\t-q quiet mode\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:59 -#: ../../src/clients/kswitch/kswitch.c:45 +#: ../../src/clients/kdestroy/kdestroy.c:56 +#: ../../src/clients/kswitch/kswitch.c:42 #, c-format msgid "\t-c specify name of credentials cache\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:73 -#: ../../src/clients/kdestroy/kdestroy.c:151 +#: ../../src/clients/kdestroy/kdestroy.c:57 +#, c-format +msgid "\t-p specify principal name within collection\n" +msgstr "" + +#: ../../src/clients/kdestroy/kdestroy.c:71 +#: ../../src/clients/kdestroy/kdestroy.c:165 msgid "while listing credential caches" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:80 +#: ../../src/clients/kdestroy/kdestroy.c:78 #, c-format msgid "Other credential caches present, use -A to destroy all\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:116 -#: ../../src/clients/kinit/kinit.c:358 ../../src/clients/ksu/main.c:285 +#: ../../src/clients/kdestroy/kdestroy.c:110 +#: ../../src/clients/kinit/kinit.c:346 ../../src/clients/ksu/main.c:288 #, c-format msgid "Only one -c option allowed\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:123 -#: ../../src/clients/kinit/kinit.c:387 ../../src/clients/klist/klist.c:178 +#: ../../src/clients/kdestroy/kdestroy.c:118 +#, c-format +msgid "Only one -p option allowed\n" +msgstr "" + +#: ../../src/clients/kdestroy/kdestroy.c:125 +#: ../../src/clients/kinit/kinit.c:374 ../../src/clients/klist/klist.c:176 #, c-format msgid "Kerberos 4 is no longer supported\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:144 -#: ../../src/clients/klist/klist.c:249 ../../src/clients/ksu/main.c:131 -#: ../../src/clients/ksu/main.c:137 ../../src/clients/kswitch/kswitch.c:97 -#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:953 -#: ../../src/slave/kprop.c:102 ../../src/slave/kpropd.c:1031 +#: ../../src/clients/kdestroy/kdestroy.c:138 +#, c-format +msgid "-A option is exclusive with -p option\n" +msgstr "" + +#: ../../src/clients/kdestroy/kdestroy.c:150 +#: ../../src/clients/klist/klist.c:239 ../../src/clients/ksu/main.c:134 +#: ../../src/clients/ksu/main.c:140 ../../src/clients/kswitch/kswitch.c:94 +#: ../../src/kadmin/ktutil/ktutil.c:52 ../../src/kdc/main.c:939 +#: ../../src/kprop/kprop.c:102 ../../src/kprop/kpropd.c:1058 msgid "while initializing krb5" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:158 +#: ../../src/clients/kdestroy/kdestroy.c:157 +#: ../../src/clients/klist/klist.c:246 +msgid "while setting default cache name" +msgstr "" + +#: ../../src/clients/kdestroy/kdestroy.c:172 msgid "composing ccache name" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:163 +#: ../../src/clients/kdestroy/kdestroy.c:177 #, c-format msgid "while destroying cache %s" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:176 -#: ../../src/clients/kswitch/kswitch.c:104 +#: ../../src/clients/kdestroy/kdestroy.c:190 +#: ../../src/clients/kswitch/kswitch.c:107 ../../src/clients/kvno/kvno.c:189 +#: ../../src/clients/kvno/kvno.c:373 ../../src/kadmin/cli/keytab.c:373 +#: ../../src/kadmin/dbutil/kdb5_util.c:547 #, c-format -msgid "while resolving %s" +msgid "while parsing principal name %s" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:182 -#: ../../src/clients/kinit/kinit.c:485 ../../src/clients/klist/klist.c:457 -msgid "while getting default ccache" +#: ../../src/clients/kdestroy/kdestroy.c:196 +#, c-format +msgid "while finding cache for %s" +msgstr "" + +#: ../../src/clients/kdestroy/kdestroy.c:204 +#: ../../src/clients/klist/klist.c:460 +msgid "while resolving ccache" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:189 ../../src/clients/ksu/main.c:977 +#: ../../src/clients/kdestroy/kdestroy.c:211 ../../src/clients/ksu/main.c:990 msgid "while destroying cache" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:192 +#: ../../src/clients/kdestroy/kdestroy.c:214 #, c-format msgid "Ticket cache NOT destroyed!\n" msgstr "" -#: ../../src/clients/kdestroy/kdestroy.c:194 +#: ../../src/clients/kdestroy/kdestroy.c:216 #, c-format msgid "Ticket cache %cNOT%c destroyed!\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:176 +#: ../../src/clients/kinit/kinit.c:170 #, c-format msgid "\t-V verbose\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:177 +#: ../../src/clients/kinit/kinit.c:171 #, c-format msgid "\t-l lifetime\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:178 +#: ../../src/clients/kinit/kinit.c:172 #, c-format msgid "\t-s start time\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:179 +#: ../../src/clients/kinit/kinit.c:173 #, c-format msgid "\t-r renewable lifetime\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:180 +#: ../../src/clients/kinit/kinit.c:174 #, c-format msgid "\t-f forwardable\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:181 +#: ../../src/clients/kinit/kinit.c:175 #, c-format msgid "\t-F not forwardable\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:182 +#: ../../src/clients/kinit/kinit.c:176 #, c-format msgid "\t-p proxiable\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:183 +#: ../../src/clients/kinit/kinit.c:177 #, c-format msgid "\t-P not proxiable\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:184 +#: ../../src/clients/kinit/kinit.c:178 #, c-format msgid "\t-n anonymous\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:185 +#: ../../src/clients/kinit/kinit.c:179 #, c-format msgid "\t-a include addresses\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:186 +#: ../../src/clients/kinit/kinit.c:180 #, c-format msgid "\t-A do not include addresses\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:187 +#: ../../src/clients/kinit/kinit.c:181 #, c-format msgid "\t-v validate\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:188 +#: ../../src/clients/kinit/kinit.c:182 #, c-format msgid "\t-R renew\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:189 +#: ../../src/clients/kinit/kinit.c:183 #, c-format msgid "\t-C canonicalize\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:190 +#: ../../src/clients/kinit/kinit.c:184 #, c-format msgid "\t-E client is enterprise principal name\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:191 +#: ../../src/clients/kinit/kinit.c:185 #, c-format msgid "\t-k use keytab\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:192 +#: ../../src/clients/kinit/kinit.c:186 #, c-format msgid "\t-i use default client keytab (with -k)\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:193 +#: ../../src/clients/kinit/kinit.c:187 #, c-format msgid "\t-t filename of keytab to use\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:194 +#: ../../src/clients/kinit/kinit.c:188 #, c-format msgid "\t-c Kerberos 5 cache name\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:195 +#: ../../src/clients/kinit/kinit.c:189 #, c-format msgid "\t-S service\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:196 +#: ../../src/clients/kinit/kinit.c:190 #, c-format msgid "\t-T armor credential cache\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:197 +#: ../../src/clients/kinit/kinit.c:191 #, c-format msgid "\t-X [=]\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:276 ../../src/clients/kinit/kinit.c:284 +#: ../../src/clients/kinit/kinit.c:264 ../../src/clients/kinit/kinit.c:272 #, c-format msgid "Bad lifetime value %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:318 +#: ../../src/clients/kinit/kinit.c:306 #, c-format msgid "Bad start time value %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:337 +#: ../../src/clients/kinit/kinit.c:324 #, c-format msgid "Only one -t option allowed.\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:345 +#: ../../src/clients/kinit/kinit.c:332 #, c-format msgid "Only one armor_ccache\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:366 +#: ../../src/clients/kinit/kinit.c:354 #, c-format msgid "Only one -I option allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:376 +#: ../../src/clients/kinit/kinit.c:363 msgid "while adding preauth option" msgstr "" -#: ../../src/clients/kinit/kinit.c:403 +#: ../../src/clients/kinit/kinit.c:389 #, c-format msgid "Only one of -f and -F allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:408 +#: ../../src/clients/kinit/kinit.c:393 #, c-format msgid "Only one of -p and -P allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:413 +#: ../../src/clients/kinit/kinit.c:397 #, c-format msgid "Only one of --request-pac and --no-request-pac allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:419 +#: ../../src/clients/kinit/kinit.c:402 #, c-format msgid "Only one of -a and -A allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:424 +#: ../../src/clients/kinit/kinit.c:406 #, c-format msgid "Only one of -t and -i allowed\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:431 +#: ../../src/clients/kinit/kinit.c:412 #, c-format msgid "keytab specified, forcing -k\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:435 ../../src/clients/klist/klist.c:217 +#: ../../src/clients/kinit/kinit.c:415 ../../src/clients/klist/klist.c:214 #, c-format msgid "Extra arguments (starting with \"%s\").\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:464 +#: ../../src/clients/kinit/kinit.c:441 msgid "while initializing Kerberos 5 library" msgstr "" -#: ../../src/clients/kinit/kinit.c:472 ../../src/clients/kinit/kinit.c:628 +#: ../../src/clients/kinit/kinit.c:449 ../../src/clients/kinit/kinit.c:603 #, c-format msgid "resolving ccache %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:477 +#: ../../src/clients/kinit/kinit.c:454 #, c-format msgid "Using specified cache: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:499 ../../src/clients/kinit/kinit.c:579 -#: ../../src/clients/kpasswd/kpasswd.c:28 ../../src/clients/ksu/main.c:238 +#: ../../src/clients/kinit/kinit.c:462 +msgid "while getting default ccache" +msgstr "" + +#: ../../src/clients/kinit/kinit.c:476 ../../src/clients/kinit/kinit.c:555 +#: ../../src/clients/kpasswd/kpasswd.c:30 ../../src/clients/ksu/main.c:241 #, c-format msgid "when parsing name %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:507 ../../src/kadmin/dbutil/kdb5_util.c:310 +#: ../../src/clients/kinit/kinit.c:484 ../../src/kadmin/dbutil/kdb5_util.c:311 +#: ../../src/kprop/kprop.c:156 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:391 -#: ../../src/slave/kprop.c:178 msgid "while getting default realm" msgstr "" -#: ../../src/clients/kinit/kinit.c:519 +#: ../../src/clients/kinit/kinit.c:495 msgid "while building principal" msgstr "" -#: ../../src/clients/kinit/kinit.c:527 +#: ../../src/clients/kinit/kinit.c:503 msgid "When resolving the default client keytab" msgstr "" -#: ../../src/clients/kinit/kinit.c:534 +#: ../../src/clients/kinit/kinit.c:510 msgid "When determining client principal name from keytab" msgstr "" -#: ../../src/clients/kinit/kinit.c:543 +#: ../../src/clients/kinit/kinit.c:519 msgid "when creating default server principal name" msgstr "" -#: ../../src/clients/kinit/kinit.c:550 +#: ../../src/clients/kinit/kinit.c:526 #, c-format msgid "(principal %s)" msgstr "" -#: ../../src/clients/kinit/kinit.c:553 +#: ../../src/clients/kinit/kinit.c:529 msgid "for local services" msgstr "" -#: ../../src/clients/kinit/kinit.c:574 ../../src/clients/kpasswd/kpasswd.c:42 +#: ../../src/clients/kinit/kinit.c:550 ../../src/clients/kpasswd/kpasswd.c:42 #, c-format msgid "Unable to identify user\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:589 ../../src/clients/kswitch/kswitch.c:116 +#: ../../src/clients/kinit/kinit.c:564 ../../src/clients/kswitch/kswitch.c:113 #, c-format msgid "while searching for ccache for %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:595 +#: ../../src/clients/kinit/kinit.c:570 #, c-format msgid "Using existing cache: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:604 +#: ../../src/clients/kinit/kinit.c:579 msgid "while generating new ccache" msgstr "" -#: ../../src/clients/kinit/kinit.c:608 +#: ../../src/clients/kinit/kinit.c:583 #, c-format msgid "Using new cache: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:620 +#: ../../src/clients/kinit/kinit.c:595 #, c-format msgid "Using default cache: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:633 +#: ../../src/clients/kinit/kinit.c:608 #, c-format msgid "Using specified input cache: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:641 ../../src/clients/ksu/krb_auth_su.c:160 +#: ../../src/clients/kinit/kinit.c:615 ../../src/clients/ksu/krb_auth_su.c:160 msgid "when unparsing name" msgstr "" -#: ../../src/clients/kinit/kinit.c:645 +#: ../../src/clients/kinit/kinit.c:619 #, c-format msgid "Using principal: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:746 +#: ../../src/clients/kinit/kinit.c:700 msgid "getting local addresses" msgstr "" -#: ../../src/clients/kinit/kinit.c:769 +#: ../../src/clients/kinit/kinit.c:724 #, c-format msgid "while setting up KDB keytab for realm %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:778 ../../src/clients/kvno/kvno.c:197 +#: ../../src/clients/kinit/kinit.c:733 ../../src/clients/kvno/kvno.c:363 #, c-format msgid "resolving keytab %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:783 +#: ../../src/clients/kinit/kinit.c:738 #, c-format msgid "Using keytab: %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:787 +#: ../../src/clients/kinit/kinit.c:742 msgid "resolving default client keytab" msgstr "" -#: ../../src/clients/kinit/kinit.c:797 +#: ../../src/clients/kinit/kinit.c:752 #, c-format msgid "while setting '%s'='%s'" msgstr "" -#: ../../src/clients/kinit/kinit.c:802 +#: ../../src/clients/kinit/kinit.c:757 #, c-format msgid "PA Option %s = %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:847 +#: ../../src/clients/kinit/kinit.c:798 msgid "getting initial credentials" msgstr "" -#: ../../src/clients/kinit/kinit.c:850 +#: ../../src/clients/kinit/kinit.c:801 msgid "validating credentials" msgstr "" -#: ../../src/clients/kinit/kinit.c:853 +#: ../../src/clients/kinit/kinit.c:804 msgid "renewing credentials" msgstr "" -#: ../../src/clients/kinit/kinit.c:861 +#: ../../src/clients/kinit/kinit.c:812 #, c-format msgid "%s: Password incorrect while %s\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:864 +#: ../../src/clients/kinit/kinit.c:815 #, c-format msgid "while %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:873 +#: ../../src/clients/kinit/kinit.c:824 #, c-format msgid "when initializing cache %s" msgstr "" -#: ../../src/clients/kinit/kinit.c:878 +#: ../../src/clients/kinit/kinit.c:829 #, c-format msgid "Initialized cache\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:882 +#: ../../src/clients/kinit/kinit.c:833 msgid "while storing credentials" msgstr "" -#: ../../src/clients/kinit/kinit.c:886 +#: ../../src/clients/kinit/kinit.c:837 #, c-format msgid "Stored credentials\n" msgstr "" -#: ../../src/clients/kinit/kinit.c:893 +#: ../../src/clients/kinit/kinit.c:843 msgid "while switching to new ccache" msgstr "" -#: ../../src/clients/kinit/kinit.c:951 +#: ../../src/clients/kinit/kinit.c:898 #, c-format msgid "Authenticated to Kerberos v5\n" msgstr "" -#: ../../src/clients/klist/klist.c:87 +#: ../../src/clients/klist/klist.c:85 #, c-format msgid "" "Usage: %s [-e] [-V] [[-c] [-l] [-A] [-d] [-f] [-s] [-a [-n]]] [-k [-t] [-K]] " "[name]\n" msgstr "" -#: ../../src/clients/klist/klist.c:89 +#: ../../src/clients/klist/klist.c:87 #, c-format msgid "\t-c specifies credentials cache\n" msgstr "" -#: ../../src/clients/klist/klist.c:90 +#: ../../src/clients/klist/klist.c:88 #, c-format msgid "\t-k specifies keytab\n" msgstr "" -#: ../../src/clients/klist/klist.c:91 +#: ../../src/clients/klist/klist.c:89 #, c-format msgid "\t (Default is credentials cache)\n" msgstr "" -#: ../../src/clients/klist/klist.c:92 +#: ../../src/clients/klist/klist.c:90 #, c-format msgid "\t-i uses default client keytab if no name given\n" msgstr "" -#: ../../src/clients/klist/klist.c:93 +#: ../../src/clients/klist/klist.c:91 #, c-format msgid "\t-l lists credential caches in collection\n" msgstr "" -#: ../../src/clients/klist/klist.c:94 +#: ../../src/clients/klist/klist.c:92 #, c-format msgid "\t-A shows content of all credential caches\n" msgstr "" -#: ../../src/clients/klist/klist.c:95 +#: ../../src/clients/klist/klist.c:93 #, c-format msgid "\t-e shows the encryption type\n" msgstr "" -#: ../../src/clients/klist/klist.c:96 +#: ../../src/clients/klist/klist.c:94 #, c-format msgid "\t-V shows the Kerberos version and exits\n" msgstr "" -#: ../../src/clients/klist/klist.c:97 +#: ../../src/clients/klist/klist.c:95 #, c-format msgid "\toptions for credential caches:\n" msgstr "" -#: ../../src/clients/klist/klist.c:98 +#: ../../src/clients/klist/klist.c:96 #, c-format msgid "\t\t-d shows the submitted authorization data types\n" msgstr "" -#: ../../src/clients/klist/klist.c:100 +#: ../../src/clients/klist/klist.c:98 #, c-format msgid "\t\t-f shows credentials flags\n" msgstr "" -#: ../../src/clients/klist/klist.c:101 +#: ../../src/clients/klist/klist.c:99 #, c-format msgid "\t\t-s sets exit status based on valid tgt existence\n" msgstr "" -#: ../../src/clients/klist/klist.c:103 +#: ../../src/clients/klist/klist.c:101 #, c-format msgid "\t\t-a displays the address list\n" msgstr "" -#: ../../src/clients/klist/klist.c:104 +#: ../../src/clients/klist/klist.c:102 #, c-format msgid "\t\t\t-n do not reverse-resolve\n" msgstr "" -#: ../../src/clients/klist/klist.c:105 +#: ../../src/clients/klist/klist.c:103 #, c-format msgid "\toptions for keytabs:\n" msgstr "" -#: ../../src/clients/klist/klist.c:106 +#: ../../src/clients/klist/klist.c:104 #, c-format msgid "\t\t-t shows keytab entry timestamps\n" msgstr "" -#: ../../src/clients/klist/klist.c:107 +#: ../../src/clients/klist/klist.c:105 #, c-format msgid "\t\t-K shows keytab entry keys\n" msgstr "" -#: ../../src/clients/klist/klist.c:226 +#: ../../src/clients/klist/klist.c:223 #, c-format msgid "%s version %s\n" msgstr "" -#: ../../src/clients/klist/klist.c:278 +#: ../../src/clients/klist/klist.c:276 msgid "while getting default client keytab" msgstr "" -#: ../../src/clients/klist/klist.c:283 +#: ../../src/clients/klist/klist.c:282 msgid "while getting default keytab" msgstr "" @@ -564,42 +595,37 @@ msgstr "" msgid "while resolving keytab %s" msgstr "" -#: ../../src/clients/klist/klist.c:294 ../../src/kadmin/cli/keytab.c:87 +#: ../../src/clients/klist/klist.c:295 ../../src/kadmin/cli/keytab.c:87 msgid "while getting keytab name" msgstr "" -#: ../../src/clients/klist/klist.c:301 ../../src/kadmin/cli/keytab.c:422 +#: ../../src/clients/klist/klist.c:303 ../../src/kadmin/cli/keytab.c:422 msgid "while starting keytab scan" msgstr "" -#: ../../src/clients/klist/klist.c:322 ../../src/clients/klist/klist.c:485 -#: ../../src/clients/ksu/ccache.c:465 ../../src/kadmin/dbutil/dump.c:553 -#: ../../src/kadmin/dbutil/tabdump.c:552 +#: ../../src/clients/klist/klist.c:326 ../../src/clients/klist/klist.c:482 +#: ../../src/clients/ksu/ccache.c:455 ../../src/kadmin/dbutil/dump.c:564 +#: ../../src/kadmin/dbutil/tabdump.c:549 msgid "while unparsing principal name" msgstr "" -#: ../../src/clients/klist/klist.c:347 ../../src/kadmin/cli/keytab.c:466 +#: ../../src/clients/klist/klist.c:348 ../../src/kadmin/cli/keytab.c:466 msgid "while scanning keytab" msgstr "" -#: ../../src/clients/klist/klist.c:351 ../../src/kadmin/cli/keytab.c:471 +#: ../../src/clients/klist/klist.c:353 ../../src/kadmin/cli/keytab.c:471 msgid "while ending keytab scan" msgstr "" -#: ../../src/clients/klist/klist.c:368 ../../src/clients/klist/klist.c:430 +#: ../../src/clients/klist/klist.c:370 ../../src/clients/klist/klist.c:433 msgid "while listing ccache collection" msgstr "" -#: ../../src/clients/klist/klist.c:407 +#: ../../src/clients/klist/klist.c:409 msgid "(Expired)" msgstr "" -#: ../../src/clients/klist/klist.c:463 -#, c-format -msgid "while resolving ccache %s" -msgstr "" - -#: ../../src/clients/klist/klist.c:489 +#: ../../src/clients/klist/klist.c:486 #, c-format msgid "" "Ticket cache: %s:%s\n" @@ -607,100 +633,100 @@ msgid "" "\n" msgstr "" -#: ../../src/clients/klist/klist.c:500 +#: ../../src/clients/klist/klist.c:498 msgid "while starting to retrieve tickets" msgstr "" -#: ../../src/clients/klist/klist.c:513 +#: ../../src/clients/klist/klist.c:512 msgid "while finishing ticket retrieval" msgstr "" -#: ../../src/clients/klist/klist.c:518 +#: ../../src/clients/klist/klist.c:517 msgid "while retrieving a ticket" msgstr "" -#: ../../src/clients/klist/klist.c:677 ../../src/clients/ksu/ccache.c:450 -#: ../../src/slave/kpropd.c:1214 ../../src/slave/kpropd.c:1274 +#: ../../src/clients/klist/klist.c:665 ../../src/clients/ksu/ccache.c:440 +#: ../../src/kprop/kpropd.c:1209 ../../src/kprop/kpropd.c:1269 msgid "while unparsing client name" msgstr "" -#: ../../src/clients/klist/klist.c:682 ../../src/clients/ksu/ccache.c:455 -#: ../../src/slave/kprop.c:212 +#: ../../src/clients/klist/klist.c:670 ../../src/clients/ksu/ccache.c:445 +#: ../../src/kprop/kprop.c:190 msgid "while unparsing server name" msgstr "" -#: ../../src/clients/klist/klist.c:711 ../../src/clients/ksu/ccache.c:480 +#: ../../src/clients/klist/klist.c:700 ../../src/clients/ksu/ccache.c:470 #, c-format msgid "\tfor client %s" msgstr "" -#: ../../src/clients/klist/klist.c:723 ../../src/clients/ksu/ccache.c:489 +#: ../../src/clients/klist/klist.c:712 ../../src/clients/ksu/ccache.c:479 msgid "renew until " msgstr "" -#: ../../src/clients/klist/klist.c:740 ../../src/clients/ksu/ccache.c:499 +#: ../../src/clients/klist/klist.c:729 ../../src/clients/ksu/ccache.c:489 #, c-format msgid "Flags: %s" msgstr "" -#: ../../src/clients/klist/klist.c:759 +#: ../../src/clients/klist/klist.c:748 #, c-format msgid "Etype (skey, tkt): %s, " msgstr "" -#: ../../src/clients/klist/klist.c:776 +#: ../../src/clients/klist/klist.c:764 #, c-format msgid "AD types: " msgstr "" -#: ../../src/clients/klist/klist.c:793 +#: ../../src/clients/klist/klist.c:780 #, c-format msgid "\tAddresses: (none)\n" msgstr "" -#: ../../src/clients/klist/klist.c:795 +#: ../../src/clients/klist/klist.c:782 #, c-format msgid "\tAddresses: " msgstr "" -#: ../../src/clients/klist/klist.c:828 +#: ../../src/clients/klist/klist.c:816 ../../src/clients/klist/klist.c:826 #, c-format msgid "broken address (type %d length %d)" msgstr "" -#: ../../src/clients/klist/klist.c:848 +#: ../../src/clients/klist/klist.c:835 #, c-format msgid "unknown addrtype %d" msgstr "" -#: ../../src/clients/klist/klist.c:857 +#: ../../src/clients/klist/klist.c:844 #, c-format msgid "unprintable address (type %d, error %d %s)" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:12 ../../src/lib/krb5/krb/gic_pwd.c:395 +#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:395 msgid "Enter new password" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:13 ../../src/lib/krb5/krb/gic_pwd.c:403 +#: ../../src/clients/kpasswd/kpasswd.c:14 ../../src/lib/krb5/krb/gic_pwd.c:403 msgid "Enter it again" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:33 +#: ../../src/clients/kpasswd/kpasswd.c:34 #, c-format msgid "Unable to identify user from password file\n" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:65 +#: ../../src/clients/kpasswd/kpasswd.c:63 #, c-format msgid "usage: %s [principal]\n" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:73 +#: ../../src/clients/kpasswd/kpasswd.c:71 msgid "initializing kerberos library" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:77 +#: ../../src/clients/kpasswd/kpasswd.c:76 msgid "allocating krb5_get_init_creds_opt" msgstr "" @@ -712,31 +738,31 @@ msgstr "" msgid "getting principal from ccache" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:104 +#: ../../src/clients/kpasswd/kpasswd.c:102 msgid "while setting FAST ccache" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:111 +#: ../../src/clients/kpasswd/kpasswd.c:108 msgid "closing ccache" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:118 +#: ../../src/clients/kpasswd/kpasswd.c:116 msgid "parsing client name" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:135 +#: ../../src/clients/kpasswd/kpasswd.c:134 msgid "Password incorrect while getting initial ticket" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:137 +#: ../../src/clients/kpasswd/kpasswd.c:136 msgid "getting initial ticket" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:144 +#: ../../src/clients/kpasswd/kpasswd.c:146 msgid "while reading password" msgstr "" -#: ../../src/clients/kpasswd/kpasswd.c:152 +#: ../../src/clients/kpasswd/kpasswd.c:154 msgid "changing password" msgstr "" @@ -746,45 +772,45 @@ msgstr "" msgid "Password changed.\n" msgstr "" -#: ../../src/clients/ksu/authorization.c:369 +#: ../../src/clients/ksu/authorization.c:352 #, c-format msgid "" "Error: bad entry - %s in %s file, must be either full path or just the cmd " "name\n" msgstr "" -#: ../../src/clients/ksu/authorization.c:377 +#: ../../src/clients/ksu/authorization.c:360 #, c-format msgid "" "Error: bad entry - %s in %s file, since %s is just the cmd name, CMD_PATH " "must be defined \n" msgstr "" -#: ../../src/clients/ksu/authorization.c:392 +#: ../../src/clients/ksu/authorization.c:375 #, c-format msgid "Error: bad entry - %s in %s file, CMD_PATH contains no paths \n" msgstr "" -#: ../../src/clients/ksu/authorization.c:401 +#: ../../src/clients/ksu/authorization.c:384 #, c-format msgid "Error: bad path %s in CMD_PATH for %s must start with '/' \n" msgstr "" -#: ../../src/clients/ksu/authorization.c:517 +#: ../../src/clients/ksu/authorization.c:500 msgid "Error: not found -> " msgstr "" -#: ../../src/clients/ksu/authorization.c:723 +#: ../../src/clients/ksu/authorization.c:706 #, c-format msgid "home directory name `%s' too long, can't search for .k5login\n" msgstr "" -#: ../../src/clients/ksu/ccache.c:368 +#: ../../src/clients/ksu/ccache.c:358 #, c-format msgid "home directory path for %s too long\n" msgstr "" -#: ../../src/clients/ksu/ccache.c:461 +#: ../../src/clients/ksu/ccache.c:451 msgid "while retrieving principal name" msgstr "" @@ -816,7 +842,7 @@ msgstr "" msgid " in remotely using an unsecure (non-encrypted) channel. \n" msgstr "" -#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:460 +#: ../../src/clients/ksu/krb_auth_su.c:114 ../../src/clients/ksu/main.c:473 msgid "while reclaiming root uid" msgstr "" @@ -875,395 +901,403 @@ msgid "" "[-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n" msgstr "" -#: ../../src/clients/ksu/main.c:147 +#: ../../src/clients/ksu/main.c:150 msgid "" "program name too long - quitting to avoid triggering system logging bugs" msgstr "" -#: ../../src/clients/ksu/main.c:173 +#: ../../src/clients/ksu/main.c:176 msgid "while allocating memory" msgstr "" -#: ../../src/clients/ksu/main.c:186 +#: ../../src/clients/ksu/main.c:189 msgid "while setting euid to source user" msgstr "" -#: ../../src/clients/ksu/main.c:196 ../../src/clients/ksu/main.c:231 +#: ../../src/clients/ksu/main.c:199 ../../src/clients/ksu/main.c:234 #, c-format msgid "Bad lifetime value (%s hours?)\n" msgstr "" -#: ../../src/clients/ksu/main.c:208 ../../src/clients/ksu/main.c:293 +#: ../../src/clients/ksu/main.c:211 ../../src/clients/ksu/main.c:296 msgid "when gathering parameters" msgstr "" -#: ../../src/clients/ksu/main.c:252 +#: ../../src/clients/ksu/main.c:255 #, c-format msgid "-z option is mutually exclusive with -Z.\n" msgstr "" -#: ../../src/clients/ksu/main.c:260 +#: ../../src/clients/ksu/main.c:263 #, c-format msgid "-Z option is mutually exclusive with -z.\n" msgstr "" -#: ../../src/clients/ksu/main.c:273 +#: ../../src/clients/ksu/main.c:276 #, c-format msgid "while looking for credentials cache %s" msgstr "" -#: ../../src/clients/ksu/main.c:279 +#: ../../src/clients/ksu/main.c:282 #, c-format msgid "malformed credential cache name %s\n" msgstr "" -#: ../../src/clients/ksu/main.c:337 +#: ../../src/clients/ksu/main.c:340 #, c-format msgid "ksu: who are you?\n" msgstr "" -#: ../../src/clients/ksu/main.c:341 +#: ../../src/clients/ksu/main.c:344 #, c-format msgid "Your uid doesn't match your passwd entry?!\n" msgstr "" -#: ../../src/clients/ksu/main.c:356 +#: ../../src/clients/ksu/main.c:359 #, c-format msgid "ksu: unknown login %s\n" msgstr "" -#: ../../src/clients/ksu/main.c:376 +#: ../../src/clients/ksu/main.c:379 msgid "while getting source cache" msgstr "" -#: ../../src/clients/ksu/main.c:385 +#: ../../src/clients/ksu/main.c:388 msgid "while selecting the best principal" msgstr "" -#: ../../src/clients/ksu/main.c:393 +#: ../../src/clients/ksu/main.c:396 msgid "while returning to source uid after finding best principal" msgstr "" -#: ../../src/clients/ksu/main.c:413 +#: ../../src/clients/ksu/main.c:416 #, c-format msgid "account %s: authorization failed\n" msgstr "" -#: ../../src/clients/ksu/main.c:438 +#: ../../src/clients/ksu/main.c:451 msgid "while parsing temporary name" msgstr "" -#: ../../src/clients/ksu/main.c:443 +#: ../../src/clients/ksu/main.c:456 msgid "while creating temporary cache" msgstr "" -#: ../../src/clients/ksu/main.c:449 ../../src/clients/ksu/main.c:689 +#: ../../src/clients/ksu/main.c:462 ../../src/clients/ksu/main.c:702 #, c-format msgid "while copying cache %s to %s" msgstr "" -#: ../../src/clients/ksu/main.c:467 +#: ../../src/clients/ksu/main.c:480 #, c-format msgid "" "WARNING: Your password may be exposed if you enter it here and are logged\n" msgstr "" -#: ../../src/clients/ksu/main.c:469 +#: ../../src/clients/ksu/main.c:482 #, c-format msgid " in remotely using an unsecure (non-encrypted) channel.\n" msgstr "" -#: ../../src/clients/ksu/main.c:475 +#: ../../src/clients/ksu/main.c:488 #, c-format msgid "Goodbye\n" msgstr "" -#: ../../src/clients/ksu/main.c:479 +#: ../../src/clients/ksu/main.c:492 #, c-format msgid "Could not get a tgt for " msgstr "" -#: ../../src/clients/ksu/main.c:501 +#: ../../src/clients/ksu/main.c:514 #, c-format msgid "Authentication failed.\n" msgstr "" -#: ../../src/clients/ksu/main.c:509 +#: ../../src/clients/ksu/main.c:522 msgid "When unparsing name" msgstr "" -#: ../../src/clients/ksu/main.c:513 +#: ../../src/clients/ksu/main.c:526 #, c-format msgid "Authenticated %s\n" msgstr "" -#: ../../src/clients/ksu/main.c:520 +#: ../../src/clients/ksu/main.c:533 msgid "while switching to target for authorization check" msgstr "" -#: ../../src/clients/ksu/main.c:527 +#: ../../src/clients/ksu/main.c:540 msgid "while checking authorization" msgstr "" -#: ../../src/clients/ksu/main.c:533 +#: ../../src/clients/ksu/main.c:546 msgid "while switching back from target after authorization check" msgstr "" -#: ../../src/clients/ksu/main.c:540 +#: ../../src/clients/ksu/main.c:553 #, c-format msgid "Account %s: authorization for %s for execution of\n" msgstr "" -#: ../../src/clients/ksu/main.c:542 +#: ../../src/clients/ksu/main.c:555 #, c-format msgid " %s successful\n" msgstr "" -#: ../../src/clients/ksu/main.c:548 +#: ../../src/clients/ksu/main.c:561 #, c-format msgid "Account %s: authorization for %s successful\n" msgstr "" -#: ../../src/clients/ksu/main.c:560 +#: ../../src/clients/ksu/main.c:573 #, c-format msgid "Account %s: authorization for %s for execution of %s failed\n" msgstr "" -#: ../../src/clients/ksu/main.c:568 +#: ../../src/clients/ksu/main.c:581 #, c-format msgid "Account %s: authorization of %s failed\n" msgstr "" -#: ../../src/clients/ksu/main.c:583 +#: ../../src/clients/ksu/main.c:596 msgid "while calling cc_filter" msgstr "" -#: ../../src/clients/ksu/main.c:591 +#: ../../src/clients/ksu/main.c:604 msgid "while erasing target cache" msgstr "" -#: ../../src/clients/ksu/main.c:611 +#: ../../src/clients/ksu/main.c:624 #, c-format msgid "ksu: permission denied (shell).\n" msgstr "" -#: ../../src/clients/ksu/main.c:620 +#: ../../src/clients/ksu/main.c:633 #, c-format msgid "ksu: couldn't set environment variable USER\n" msgstr "" -#: ../../src/clients/ksu/main.c:626 +#: ../../src/clients/ksu/main.c:639 #, c-format msgid "ksu: couldn't set environment variable HOME\n" msgstr "" -#: ../../src/clients/ksu/main.c:631 +#: ../../src/clients/ksu/main.c:644 #, c-format msgid "ksu: couldn't set environment variable SHELL\n" msgstr "" -#: ../../src/clients/ksu/main.c:642 +#: ../../src/clients/ksu/main.c:655 #, c-format msgid "ksu: initgroups failed.\n" msgstr "" -#: ../../src/clients/ksu/main.c:647 +#: ../../src/clients/ksu/main.c:660 #, c-format msgid "Leaving uid as %s (%ld)\n" msgstr "" -#: ../../src/clients/ksu/main.c:650 +#: ../../src/clients/ksu/main.c:663 #, c-format msgid "Changing uid to %s (%ld)\n" msgstr "" -#: ../../src/clients/ksu/main.c:676 +#: ../../src/clients/ksu/main.c:689 msgid "while getting name of target ccache" msgstr "" -#: ../../src/clients/ksu/main.c:696 +#: ../../src/clients/ksu/main.c:709 #, c-format msgid "%s does not have correct permissions for %s, %s aborted" msgstr "" -#: ../../src/clients/ksu/main.c:717 +#: ../../src/clients/ksu/main.c:730 #, c-format msgid "Internal error: command %s did not get resolved\n" msgstr "" -#: ../../src/clients/ksu/main.c:734 ../../src/clients/ksu/main.c:770 +#: ../../src/clients/ksu/main.c:747 ../../src/clients/ksu/main.c:783 #, c-format msgid "while trying to execv %s" msgstr "" -#: ../../src/clients/ksu/main.c:760 +#: ../../src/clients/ksu/main.c:773 msgid "while calling waitpid" msgstr "" -#: ../../src/clients/ksu/main.c:765 +#: ../../src/clients/ksu/main.c:778 msgid "while trying to fork." msgstr "" -#: ../../src/clients/ksu/main.c:787 +#: ../../src/clients/ksu/main.c:800 msgid "while reading cache name from ccache" msgstr "" -#: ../../src/clients/ksu/main.c:793 +#: ../../src/clients/ksu/main.c:806 #, c-format msgid "ksu: couldn't set environment variable %s\n" msgstr "" -#: ../../src/clients/ksu/main.c:819 +#: ../../src/clients/ksu/main.c:832 msgid "while resetting target ccache name" msgstr "" -#: ../../src/clients/ksu/main.c:833 +#: ../../src/clients/ksu/main.c:846 msgid "while determining target ccache name" msgstr "" -#: ../../src/clients/ksu/main.c:872 +#: ../../src/clients/ksu/main.c:885 msgid "while generating part of the target ccache name" msgstr "" -#: ../../src/clients/ksu/main.c:878 +#: ../../src/clients/ksu/main.c:891 msgid "while allocating memory for the target ccache name" msgstr "" -#: ../../src/clients/ksu/main.c:897 +#: ../../src/clients/ksu/main.c:910 msgid "while creating new target ccache" msgstr "" -#: ../../src/clients/ksu/main.c:903 +#: ../../src/clients/ksu/main.c:916 msgid "while initializing target cache" msgstr "" -#: ../../src/clients/ksu/main.c:943 +#: ../../src/clients/ksu/main.c:956 #, c-format msgid "terminal name %s too long\n" msgstr "" -#: ../../src/clients/ksu/main.c:971 +#: ../../src/clients/ksu/main.c:984 msgid "while changing to target uid for destroying ccache" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:44 +#: ../../src/clients/kswitch/kswitch.c:41 #, c-format msgid "Usage: %s {-c cache_name | -p principal}\n" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:46 +#: ../../src/clients/kswitch/kswitch.c:43 #, c-format msgid "\t-p specify name of principal\n" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:69 +#: ../../src/clients/kswitch/kswitch.c:66 #, c-format msgid "Only one -c or -p option allowed\n" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:88 +#: ../../src/clients/kswitch/kswitch.c:85 #, c-format msgid "One of -c or -p must be specified\n" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:110 ../../src/clients/kvno/kvno.c:207 -#: ../../src/clients/kvno/kvno.c:241 ../../src/kadmin/cli/keytab.c:373 -#: ../../src/kadmin/dbutil/kdb5_util.c:584 +#: ../../src/clients/kswitch/kswitch.c:101 #, c-format -msgid "while parsing principal name %s" +msgid "while resolving %s" msgstr "" -#: ../../src/clients/kswitch/kswitch.c:125 +#: ../../src/clients/kswitch/kswitch.c:122 msgid "while switching to credential cache" msgstr "" -#: ../../src/clients/kvno/kvno.c:42 +#: ../../src/clients/kvno/kvno.c:41 #, c-format msgid "usage: %s [-C] [-u] [-c ccache] [-e etype]\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:43 +#: ../../src/clients/kvno/kvno.c:42 #, c-format msgid "\t[-k keytab] [-S sname] [-U for_user [-P]]\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:44 +#: ../../src/clients/kvno/kvno.c:43 #, c-format -msgid "\tservice1 service2 ...\n" +msgid "\t[--u2u ccache] service1 service2 ...\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:99 ../../src/clients/kvno/kvno.c:107 +#: ../../src/clients/kvno/kvno.c:102 ../../src/clients/kvno/kvno.c:110 #, c-format msgid "Options -u and -S are mutually exclusive\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:122 +#: ../../src/clients/kvno/kvno.c:127 +#, c-format +msgid "Options --u2u and -P are mutually exclusive\n" +msgstr "" + +#: ../../src/clients/kvno/kvno.c:133 #, c-format msgid "Option -P (constrained delegation) requires keytab to be specified\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:126 +#: ../../src/clients/kvno/kvno.c:137 #, c-format msgid "" "Option -P (constrained delegation) requires option -U (protocol transition)\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:171 ../../src/kadmin/cli/kadmin.c:310 -msgid "while initializing krb5 library" -msgstr "" - -#: ../../src/clients/kvno/kvno.c:178 -msgid "while converting etype" -msgstr "" - -#: ../../src/clients/kvno/kvno.c:190 -msgid "while opening ccache" -msgstr "" - -#: ../../src/clients/kvno/kvno.c:214 -msgid "while getting client principal name" -msgstr "" - -#: ../../src/clients/kvno/kvno.c:252 +#: ../../src/clients/kvno/kvno.c:197 #, c-format msgid "while formatting parsed principal name for '%s'" msgstr "" -#: ../../src/clients/kvno/kvno.c:263 +#: ../../src/clients/kvno/kvno.c:211 msgid "client and server principal names must match" msgstr "" -#: ../../src/clients/kvno/kvno.c:280 +#: ../../src/clients/kvno/kvno.c:227 #, c-format msgid "while getting credentials for %s" msgstr "" -#: ../../src/clients/kvno/kvno.c:287 +#: ../../src/clients/kvno/kvno.c:234 #, c-format msgid "while decoding ticket for %s" msgstr "" -#: ../../src/clients/kvno/kvno.c:298 +#: ../../src/clients/kvno/kvno.c:245 #, c-format msgid "while decrypting ticket for %s" msgstr "" -#: ../../src/clients/kvno/kvno.c:302 +#: ../../src/clients/kvno/kvno.c:249 #, c-format msgid "%s: kvno = %d, keytab entry valid\n" msgstr "" -#: ../../src/clients/kvno/kvno.c:320 +#: ../../src/clients/kvno/kvno.c:263 #, c-format msgid "%s: constrained delegation failed" msgstr "" -#: ../../src/clients/kvno/kvno.c:326 +#: ../../src/clients/kvno/kvno.c:270 #, c-format msgid "%s: kvno = %d\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:104 +#: ../../src/clients/kvno/kvno.c:337 ../../src/kadmin/cli/kadmin.c:311 +msgid "while initializing krb5 library" +msgstr "" + +#: ../../src/clients/kvno/kvno.c:344 +msgid "while converting etype" +msgstr "" + +#: ../../src/clients/kvno/kvno.c:356 +msgid "while opening ccache" +msgstr "" + +#: ../../src/clients/kvno/kvno.c:381 +#, c-format +msgid "while getting user-to-user ticket from %s" +msgstr "" + +#: ../../src/clients/kvno/kvno.c:390 +msgid "while getting client principal name" +msgstr "" + +#: ../../src/kadmin/cli/kadmin.c:103 #, c-format msgid "" "Usage: %s [-r realm] [-p principal] [-q query] [clnt|local args]\n" @@ -1274,298 +1308,298 @@ msgid "" "\t\t\tLook at each database documentation for supported arguments\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:163 +#: ../../src/kadmin/cli/kadmin.c:164 #, c-format msgid "Invalid date specification \"%s\".\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:191 +#: ../../src/kadmin/cli/kadmin.c:192 #, c-format msgid "Interval specification \"%s\" is in the past.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:321 ../../src/kadmin/cli/kadmin.c:360 +#: ../../src/kadmin/cli/kadmin.c:322 ../../src/kadmin/cli/kadmin.c:361 #, c-format msgid "%s: Cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:379 ../../src/kadmin/cli/kadmin.c:839 -#: ../../src/kadmin/cli/kadmin.c:1104 ../../src/kadmin/cli/kadmin.c:1619 -#: ../../src/kadmin/cli/keytab.c:148 ../../src/kadmin/dbutil/kdb5_util.c:599 +#: ../../src/kadmin/cli/kadmin.c:380 ../../src/kadmin/cli/kadmin.c:840 +#: ../../src/kadmin/cli/kadmin.c:1105 ../../src/kadmin/cli/kadmin.c:1620 +#: ../../src/kadmin/cli/keytab.c:148 ../../src/kadmin/dbutil/kdb5_util.c:562 #, c-format msgid "while parsing keysalts %s" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:402 +#: ../../src/kadmin/cli/kadmin.c:403 #, c-format msgid "%s: -q is exclusive with command-line query" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:410 +#: ../../src/kadmin/cli/kadmin.c:411 #, c-format msgid "%s: unable to get default realm\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:430 +#: ../../src/kadmin/cli/kadmin.c:431 msgid "while opening default credentials cache" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:436 +#: ../../src/kadmin/cli/kadmin.c:437 #, c-format msgid "while opening credentials cache %s" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:458 ../../src/kadmin/cli/kadmin.c:512 -#: ../../src/kadmin/cli/kadmin.c:520 ../../src/kadmin/cli/kadmin.c:527 +#: ../../src/kadmin/cli/kadmin.c:459 ../../src/kadmin/cli/kadmin.c:513 +#: ../../src/kadmin/cli/kadmin.c:521 ../../src/kadmin/cli/kadmin.c:528 #, c-format msgid "%s: out of memory\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:467 ../../src/kadmin/cli/kadmin.c:482 -#: ../../src/slave/kpropd.c:658 +#: ../../src/kadmin/cli/kadmin.c:468 ../../src/kadmin/cli/kadmin.c:483 +#: ../../src/kprop/kpropd.c:680 msgid "while canonicalizing principal name" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:476 +#: ../../src/kadmin/cli/kadmin.c:477 msgid "creating host service principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:489 +#: ../../src/kadmin/cli/kadmin.c:490 #, c-format msgid "%s: unable to canonicalize principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:532 +#: ../../src/kadmin/cli/kadmin.c:533 #, c-format msgid "%s: unable to figure out a principal name\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:539 +#: ../../src/kadmin/cli/kadmin.c:540 msgid "while setting up logging" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:548 +#: ../../src/kadmin/cli/kadmin.c:549 #, c-format msgid "Authenticating as principal %s with existing credentials.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:554 +#: ../../src/kadmin/cli/kadmin.c:555 #, c-format msgid "Authenticating as principal %s with password; anonymous requested.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:561 +#: ../../src/kadmin/cli/kadmin.c:562 #, c-format msgid "Authenticating as principal %s with keytab %s.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:564 +#: ../../src/kadmin/cli/kadmin.c:565 #, c-format msgid "Authenticating as principal %s with default keytab.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:571 +#: ../../src/kadmin/cli/kadmin.c:572 #, c-format msgid "Authenticating as principal %s with password.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:579 ../../src/slave/kpropd.c:705 +#: ../../src/kadmin/cli/kadmin.c:580 ../../src/kprop/kpropd.c:727 #, c-format msgid "while initializing %s interface" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:594 +#: ../../src/kadmin/cli/kadmin.c:595 #, c-format msgid "while closing ccache %s" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:600 +#: ../../src/kadmin/cli/kadmin.c:601 msgid "while mapping update log" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:616 +#: ../../src/kadmin/cli/kadmin.c:617 msgid "while unlocking locked database" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:625 +#: ../../src/kadmin/cli/kadmin.c:626 msgid "Administration credentials NOT DESTROYED.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:674 +#: ../../src/kadmin/cli/kadmin.c:675 msgid "usage: delete_principal [-force] principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:679 ../../src/kadmin/cli/kadmin.c:854 +#: ../../src/kadmin/cli/kadmin.c:680 ../../src/kadmin/cli/kadmin.c:855 msgid "while parsing principal name" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:685 ../../src/kadmin/cli/kadmin.c:860 -#: ../../src/kadmin/cli/kadmin.c:1213 ../../src/kadmin/cli/kadmin.c:1338 -#: ../../src/kadmin/cli/kadmin.c:1408 ../../src/kadmin/cli/kadmin.c:1842 -#: ../../src/kadmin/cli/kadmin.c:1886 ../../src/kadmin/cli/kadmin.c:1932 -#: ../../src/kadmin/cli/kadmin.c:1972 +#: ../../src/kadmin/cli/kadmin.c:686 ../../src/kadmin/cli/kadmin.c:861 +#: ../../src/kadmin/cli/kadmin.c:1214 ../../src/kadmin/cli/kadmin.c:1339 +#: ../../src/kadmin/cli/kadmin.c:1409 ../../src/kadmin/cli/kadmin.c:1843 +#: ../../src/kadmin/cli/kadmin.c:1887 ../../src/kadmin/cli/kadmin.c:1933 +#: ../../src/kadmin/cli/kadmin.c:1973 msgid "while canonicalizing principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:689 +#: ../../src/kadmin/cli/kadmin.c:690 #, c-format msgid "Are you sure you want to delete the principal \"%s\"? (yes/no): " msgstr "" -#: ../../src/kadmin/cli/kadmin.c:693 +#: ../../src/kadmin/cli/kadmin.c:694 #, c-format msgid "Principal \"%s\" not deleted\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:700 +#: ../../src/kadmin/cli/kadmin.c:701 #, c-format msgid "while deleting principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:703 +#: ../../src/kadmin/cli/kadmin.c:704 #, c-format msgid "Principal \"%s\" deleted.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:704 +#: ../../src/kadmin/cli/kadmin.c:705 msgid "" "Make sure that you have removed this principal from all ACLs before " "reusing.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:721 +#: ../../src/kadmin/cli/kadmin.c:722 msgid "usage: rename_principal [-force] old_principal new_principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:728 +#: ../../src/kadmin/cli/kadmin.c:729 msgid "while parsing old principal name" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:734 +#: ../../src/kadmin/cli/kadmin.c:735 msgid "while parsing new principal name" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:740 +#: ../../src/kadmin/cli/kadmin.c:741 msgid "while canonicalizing old principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:746 +#: ../../src/kadmin/cli/kadmin.c:747 msgid "while canonicalizing new principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:750 +#: ../../src/kadmin/cli/kadmin.c:751 #, c-format msgid "" "Are you sure you want to rename the principal \"%s\" to \"%s\"? (yes/no): " msgstr "" -#: ../../src/kadmin/cli/kadmin.c:754 +#: ../../src/kadmin/cli/kadmin.c:755 #, c-format msgid "Principal \"%s\" not renamed\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:761 +#: ../../src/kadmin/cli/kadmin.c:762 #, c-format msgid "while renaming principal \"%s\" to \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:765 +#: ../../src/kadmin/cli/kadmin.c:766 #, c-format msgid "Principal \"%s\" renamed to \"%s\".\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:766 +#: ../../src/kadmin/cli/kadmin.c:767 msgid "" "Make sure that you have removed the old principal from all ACLs before " "reusing.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:781 +#: ../../src/kadmin/cli/kadmin.c:782 msgid "" "usage: change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] " "principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:807 +#: ../../src/kadmin/cli/kadmin.c:808 msgid "change_password: missing db argument" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:813 +#: ../../src/kadmin/cli/kadmin.c:814 msgid "change_password: Not enough memory\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:821 +#: ../../src/kadmin/cli/kadmin.c:822 msgid "change_password: missing password arg" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:832 +#: ../../src/kadmin/cli/kadmin.c:833 msgid "change_password: missing keysaltlist arg" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:848 +#: ../../src/kadmin/cli/kadmin.c:849 msgid "missing principal name" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:872 ../../src/kadmin/cli/kadmin.c:909 +#: ../../src/kadmin/cli/kadmin.c:873 ../../src/kadmin/cli/kadmin.c:910 #, c-format msgid "while changing password for \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:875 ../../src/kadmin/cli/kadmin.c:912 +#: ../../src/kadmin/cli/kadmin.c:876 ../../src/kadmin/cli/kadmin.c:913 #, c-format msgid "Password for \"%s\" changed.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:881 ../../src/kadmin/cli/kadmin.c:1289 +#: ../../src/kadmin/cli/kadmin.c:882 ../../src/kadmin/cli/kadmin.c:1290 #, c-format msgid "while randomizing key for \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:884 +#: ../../src/kadmin/cli/kadmin.c:885 #, c-format msgid "Key for \"%s\" randomized.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:889 ../../src/kadmin/cli/kadmin.c:1249 +#: ../../src/kadmin/cli/kadmin.c:890 ../../src/kadmin/cli/kadmin.c:1250 #, c-format msgid "Enter password for principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:891 ../../src/kadmin/cli/kadmin.c:1251 +#: ../../src/kadmin/cli/kadmin.c:892 ../../src/kadmin/cli/kadmin.c:1252 #, c-format msgid "Re-enter password for principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:896 ../../src/kadmin/cli/kadmin.c:1255 +#: ../../src/kadmin/cli/kadmin.c:897 ../../src/kadmin/cli/kadmin.c:1256 #, c-format msgid "while reading password for \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:950 +#: ../../src/kadmin/cli/kadmin.c:951 msgid "Not enough memory\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:980 ../../src/kadmin/dbutil/kdb5_util.c:631 +#: ../../src/kadmin/cli/kadmin.c:981 ../../src/kadmin/dbutil/kdb5_util.c:594 msgid "while getting time" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1121 ../../src/kadmin/cli/kadmin.c:1332 -#: ../../src/kadmin/cli/kadmin.c:1403 ../../src/kadmin/cli/kadmin.c:1836 -#: ../../src/kadmin/cli/kadmin.c:1880 ../../src/kadmin/cli/kadmin.c:1926 -#: ../../src/kadmin/cli/kadmin.c:1966 +#: ../../src/kadmin/cli/kadmin.c:1122 ../../src/kadmin/cli/kadmin.c:1333 +#: ../../src/kadmin/cli/kadmin.c:1404 ../../src/kadmin/cli/kadmin.c:1837 +#: ../../src/kadmin/cli/kadmin.c:1881 ../../src/kadmin/cli/kadmin.c:1927 +#: ../../src/kadmin/cli/kadmin.c:1967 msgid "while parsing principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1130 +#: ../../src/kadmin/cli/kadmin.c:1131 msgid "usage: add_principal [options] principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1131 ../../src/kadmin/cli/kadmin.c:1155 -#: ../../src/kadmin/cli/kadmin.c:1642 +#: ../../src/kadmin/cli/kadmin.c:1132 ../../src/kadmin/cli/kadmin.c:1156 +#: ../../src/kadmin/cli/kadmin.c:1643 msgid "\toptions are:\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1132 +#: ../../src/kadmin/cli/kadmin.c:1133 msgid "" "\t\t[-randkey|-nokey] [-x db_princ_args]* [-expire expdate] [-pwexpire " "pwexpdate] [-maxlife maxtixlife]\n" @@ -1575,11 +1609,11 @@ msgid "" "\t\t[{+|-}attribute]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1137 ../../src/kadmin/cli/kadmin.c:1160 +#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1161 msgid "\tattributes are:\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1138 ../../src/kadmin/cli/kadmin.c:1161 +#: ../../src/kadmin/cli/kadmin.c:1139 ../../src/kadmin/cli/kadmin.c:1162 msgid "" "\t\tallow_postdated allow_forwardable allow_tgs_req allow_renewable\n" "\t\tallow_proxiable allow_dup_skey allow_tix requires_preauth\n" @@ -1592,11 +1626,11 @@ msgid "" "\t\t\tLook at each database documentation for supported arguments\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1154 +#: ../../src/kadmin/cli/kadmin.c:1155 msgid "usage: modify_principal [options] principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1156 +#: ../../src/kadmin/cli/kadmin.c:1157 msgid "" "\t\t[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife " "maxtixlife]\n" @@ -1604,170 +1638,170 @@ msgid "" "\t\t[-maxrenewlife maxrenewlife] [-unlock] [{+|-}attribute]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1220 ../../src/kadmin/cli/kadmin.c:1361 +#: ../../src/kadmin/cli/kadmin.c:1221 ../../src/kadmin/cli/kadmin.c:1362 #, c-format msgid "WARNING: policy \"%s\" does not exist\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1227 +#: ../../src/kadmin/cli/kadmin.c:1228 #, c-format msgid "NOTICE: no policy specified for %s; assigning \"default\"\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1233 +#: ../../src/kadmin/cli/kadmin.c:1234 #, c-format msgid "WARNING: no policy specified for %s; defaulting to no policy\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1275 +#: ../../src/kadmin/cli/kadmin.c:1276 #, c-format msgid "Admin server does not support -nokey while creating \"%s\"\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1297 +#: ../../src/kadmin/cli/kadmin.c:1298 #, c-format msgid "while clearing DISALLOW_ALL_TIX for \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1344 +#: ../../src/kadmin/cli/kadmin.c:1345 #, c-format msgid "while getting \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1370 +#: ../../src/kadmin/cli/kadmin.c:1371 #, c-format msgid "while modifying \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1374 +#: ../../src/kadmin/cli/kadmin.c:1375 #, c-format msgid "Principal \"%s\" modified.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1395 +#: ../../src/kadmin/cli/kadmin.c:1396 msgid "usage: get_principal [-terse] principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1414 +#: ../../src/kadmin/cli/kadmin.c:1415 #, c-format msgid "while retrieving \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1419 ../../src/kadmin/cli/kadmin.c:1424 +#: ../../src/kadmin/cli/kadmin.c:1420 ../../src/kadmin/cli/kadmin.c:1425 msgid "while unparsing principal" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1428 +#: ../../src/kadmin/cli/kadmin.c:1429 #, c-format msgid "Principal: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1429 +#: ../../src/kadmin/cli/kadmin.c:1430 #, c-format msgid "Expiration date: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1430 ../../src/kadmin/cli/kadmin.c:1432 -#: ../../src/kadmin/cli/kadmin.c:1435 ../../src/kadmin/cli/kadmin.c:1443 +#: ../../src/kadmin/cli/kadmin.c:1431 ../../src/kadmin/cli/kadmin.c:1433 +#: ../../src/kadmin/cli/kadmin.c:1436 ../../src/kadmin/cli/kadmin.c:1444 msgid "[never]" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1431 +#: ../../src/kadmin/cli/kadmin.c:1432 #, c-format msgid "Last password change: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1433 +#: ../../src/kadmin/cli/kadmin.c:1434 #, c-format msgid "Password expiration date: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1436 +#: ../../src/kadmin/cli/kadmin.c:1437 #, c-format msgid "Maximum ticket life: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1437 +#: ../../src/kadmin/cli/kadmin.c:1438 #, c-format msgid "Maximum renewable life: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1439 +#: ../../src/kadmin/cli/kadmin.c:1440 #, c-format msgid "Last modified: %s (%s)\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1441 +#: ../../src/kadmin/cli/kadmin.c:1442 #, c-format msgid "Last successful authentication: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1447 +#: ../../src/kadmin/cli/kadmin.c:1448 #, c-format msgid "Failed password attempts: %d\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1449 +#: ../../src/kadmin/cli/kadmin.c:1450 #, c-format msgid "Number of keys: %d\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1456 +#: ../../src/kadmin/cli/kadmin.c:1457 #, c-format msgid "" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1463 +#: ../../src/kadmin/cli/kadmin.c:1464 #, c-format msgid "" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1469 +#: ../../src/kadmin/cli/kadmin.c:1470 #, c-format msgid "MKey: vno %d\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1471 +#: ../../src/kadmin/cli/kadmin.c:1472 #, c-format msgid "Attributes:" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1474 +#: ../../src/kadmin/cli/kadmin.c:1475 msgid "while printing flags" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1483 +#: ../../src/kadmin/cli/kadmin.c:1484 msgid "[none]" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1485 +#: ../../src/kadmin/cli/kadmin.c:1486 msgid " [does not exist]" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1486 +#: ../../src/kadmin/cli/kadmin.c:1487 #, c-format msgid "Policy: %s%s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1522 +#: ../../src/kadmin/cli/kadmin.c:1523 msgid "usage: get_principals [expression]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1527 ../../src/kadmin/cli/kadmin.c:1778 +#: ../../src/kadmin/cli/kadmin.c:1528 ../../src/kadmin/cli/kadmin.c:1779 msgid "while retrieving list." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1632 +#: ../../src/kadmin/cli/kadmin.c:1633 #, c-format msgid "%s: parser lost count!\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1641 +#: ../../src/kadmin/cli/kadmin.c:1642 #, c-format msgid "usage; %s [options] policy\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1643 +#: ../../src/kadmin/cli/kadmin.c:1644 msgid "" "\t\t[-maxlife time] [-minlife time] [-minlength length]\n" "\t\t[-minclasses number] [-history number]\n" @@ -1775,172 +1809,172 @@ msgid "" "\t\t[-allowedkeysalts keysalts]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1647 +#: ../../src/kadmin/cli/kadmin.c:1648 msgid "\t\t[-lockoutduration time]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1666 +#: ../../src/kadmin/cli/kadmin.c:1667 #, c-format msgid "while creating policy \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1687 +#: ../../src/kadmin/cli/kadmin.c:1688 #, c-format msgid "while modifying policy \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1699 +#: ../../src/kadmin/cli/kadmin.c:1700 msgid "usage: delete_policy [-force] policy\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1703 +#: ../../src/kadmin/cli/kadmin.c:1704 #, c-format msgid "Are you sure you want to delete the policy \"%s\"? (yes/no): " msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1707 +#: ../../src/kadmin/cli/kadmin.c:1708 #, c-format msgid "Policy \"%s\" not deleted.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1713 +#: ../../src/kadmin/cli/kadmin.c:1714 #, c-format msgid "while deleting policy \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1725 +#: ../../src/kadmin/cli/kadmin.c:1726 msgid "usage: get_policy [-terse] policy\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1730 +#: ../../src/kadmin/cli/kadmin.c:1731 #, c-format msgid "while retrieving policy \"%s\"." msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1735 +#: ../../src/kadmin/cli/kadmin.c:1736 #, c-format msgid "Policy: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1736 +#: ../../src/kadmin/cli/kadmin.c:1737 #, c-format msgid "Maximum password life: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1737 +#: ../../src/kadmin/cli/kadmin.c:1738 #, c-format msgid "Minimum password life: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1738 +#: ../../src/kadmin/cli/kadmin.c:1739 #, c-format msgid "Minimum password length: %ld\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1739 +#: ../../src/kadmin/cli/kadmin.c:1740 #, c-format msgid "Minimum number of password character classes: %ld\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1741 +#: ../../src/kadmin/cli/kadmin.c:1742 #, c-format msgid "Number of old keys kept: %ld\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1742 +#: ../../src/kadmin/cli/kadmin.c:1743 #, c-format msgid "Maximum password failures before lockout: %lu\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1744 +#: ../../src/kadmin/cli/kadmin.c:1745 #, c-format msgid "Password failure count reset interval: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1746 +#: ../../src/kadmin/cli/kadmin.c:1747 #, c-format msgid "Password lockout duration: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1749 +#: ../../src/kadmin/cli/kadmin.c:1750 #, c-format msgid "Allowed key/salt types: %s\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1773 +#: ../../src/kadmin/cli/kadmin.c:1774 msgid "usage: get_policies [expression]\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1795 +#: ../../src/kadmin/cli/kadmin.c:1796 msgid "usage: get_privs\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1800 +#: ../../src/kadmin/cli/kadmin.c:1801 msgid "while retrieving privileges" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1803 +#: ../../src/kadmin/cli/kadmin.c:1804 #, c-format msgid "current privileges:" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1829 +#: ../../src/kadmin/cli/kadmin.c:1830 msgid "usage: purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1849 +#: ../../src/kadmin/cli/kadmin.c:1850 #, c-format msgid "while purging keys for principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1854 +#: ../../src/kadmin/cli/kadmin.c:1855 #, c-format msgid "All keys for principal \"%s\" removed.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1856 +#: ../../src/kadmin/cli/kadmin.c:1857 #, c-format msgid "Old keys for principal \"%s\" purged.\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1873 +#: ../../src/kadmin/cli/kadmin.c:1874 msgid "usage: get_strings principal\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1893 +#: ../../src/kadmin/cli/kadmin.c:1894 #, c-format msgid "while getting attributes for principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1898 +#: ../../src/kadmin/cli/kadmin.c:1899 #, c-format msgid "(No string attributes.)\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1917 +#: ../../src/kadmin/cli/kadmin.c:1918 msgid "usage: set_string principal key value\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1939 +#: ../../src/kadmin/cli/kadmin.c:1940 #, c-format msgid "while setting attribute on principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1943 +#: ../../src/kadmin/cli/kadmin.c:1944 #, c-format msgid "Attribute set for principal \"%s\".\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1958 +#: ../../src/kadmin/cli/kadmin.c:1959 msgid "usage: del_string principal key\n" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1979 +#: ../../src/kadmin/cli/kadmin.c:1980 #, c-format msgid "while deleting attribute from principal \"%s\"" msgstr "" -#: ../../src/kadmin/cli/kadmin.c:1983 +#: ../../src/kadmin/cli/kadmin.c:1984 #, c-format msgid "Attribute removed from principal \"%s\".\n" msgstr "" @@ -2058,387 +2092,392 @@ msgstr "" msgid "while renaming dump file into place" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:192 +#: ../../src/kadmin/dbutil/dump.c:196 msgid "while allocating dump_ok filename" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:199 +#: ../../src/kadmin/dbutil/dump.c:202 #, c-format msgid "while creating 'ok' file, '%s'" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:206 +#: ../../src/kadmin/dbutil/dump.c:207 #, c-format msgid "while locking 'ok' file, '%s'" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:250 ../../src/kadmin/dbutil/dump.c:279 +#: ../../src/kadmin/dbutil/dump.c:260 ../../src/kadmin/dbutil/dump.c:289 #, c-format msgid "%s: regular expression error: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:262 +#: ../../src/kadmin/dbutil/dump.c:272 #, c-format msgid "%s: regular expression match error: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:363 +#: ../../src/kadmin/dbutil/dump.c:373 #, c-format msgid "%s: tagged data list inconsistency for %s (counted %d, stored %d)\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:521 +#: ../../src/kadmin/dbutil/dump.c:532 #, c-format msgid "" "Warning! Multiple DES-CBC-CRC keys for principal %s; skipping duplicates.\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:532 +#: ../../src/kadmin/dbutil/dump.c:543 #, c-format msgid "" "Warning! No DES-CBC-CRC key for principal %s, cannot generate OV-compatible " "record; skipping\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:561 +#: ../../src/kadmin/dbutil/dump.c:572 #, c-format msgid "while converting %s to new master key" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:582 +#: ../../src/kadmin/dbutil/dump.c:593 #, c-format msgid "%s(%d): %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:625 +#: ../../src/kadmin/dbutil/dump.c:636 #, c-format msgid "%s(%d): ignoring trash at end of line: " msgstr "" -#: ../../src/kadmin/dbutil/dump.c:688 +#: ../../src/kadmin/dbutil/dump.c:699 msgid "cannot read tagged data type and length" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:695 +#: ../../src/kadmin/dbutil/dump.c:703 +msgid "data type or length overflowed" +msgstr "" + +#: ../../src/kadmin/dbutil/dump.c:710 msgid "cannot read tagged data contents" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:728 +#: ../../src/kadmin/dbutil/dump.c:743 msgid "cannot match size tokens" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:757 +#: ../../src/kadmin/dbutil/dump.c:754 +msgid "cannot allocate tl_data (too large)" +msgstr "" + +#: ../../src/kadmin/dbutil/dump.c:776 msgid "cannot read name string" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:762 +#: ../../src/kadmin/dbutil/dump.c:781 #, c-format msgid "while parsing name %s" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:770 +#: ../../src/kadmin/dbutil/dump.c:789 msgid "cannot read principal attributes" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:823 +#: ../../src/kadmin/dbutil/dump.c:842 msgid "cannot read key size and version" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:834 +#: ../../src/kadmin/dbutil/dump.c:846 +msgid "unsupported key_data_ver version" +msgstr "" + +#: ../../src/kadmin/dbutil/dump.c:857 msgid "cannot read key type and length" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:840 +#: ../../src/kadmin/dbutil/dump.c:863 msgid "cannot read key data" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:850 +#: ../../src/kadmin/dbutil/dump.c:873 msgid "cannot read extra data" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:859 +#: ../../src/kadmin/dbutil/dump.c:882 #, c-format msgid "while storing %s" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:898 ../../src/kadmin/dbutil/dump.c:937 -#: ../../src/kadmin/dbutil/dump.c:983 ../../src/kadmin/dbutil/dump.c:1002 +#: ../../src/kadmin/dbutil/dump.c:921 ../../src/kadmin/dbutil/dump.c:960 +#: ../../src/kadmin/dbutil/dump.c:1006 ../../src/kadmin/dbutil/dump.c:1025 #, c-format msgid "cannot parse policy (%d read)\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:906 ../../src/kadmin/dbutil/dump.c:945 -#: ../../src/kadmin/dbutil/dump.c:1023 +#: ../../src/kadmin/dbutil/dump.c:929 ../../src/kadmin/dbutil/dump.c:968 +#: ../../src/kadmin/dbutil/dump.c:1046 msgid "while creating policy" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:910 +#: ../../src/kadmin/dbutil/dump.c:933 #, c-format msgid "created policy %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1060 +#: ../../src/kadmin/dbutil/dump.c:1083 #, c-format msgid "unknown record type \"%s\"\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1189 +#: ../../src/kadmin/dbutil/dump.c:1212 #, c-format msgid "%s: Unknown iprop dump version %d\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1292 ../../src/kadmin/dbutil/dump.c:1519 +#: ../../src/kadmin/dbutil/dump.c:1316 ../../src/kadmin/dbutil/dump.c:1544 #, c-format msgid "Iprop not enabled\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1329 +#: ../../src/kadmin/dbutil/dump.c:1353 msgid "Conditional dump is an undocumented option for use only for iprop dumps" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1342 +#: ../../src/kadmin/dbutil/dump.c:1366 msgid "Database not currently opened!" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1356 -#: ../../src/kadmin/dbutil/kdb5_stash.c:116 -#: ../../src/kadmin/dbutil/kdb5_util.c:485 +#: ../../src/kadmin/dbutil/dump.c:1380 ../../src/kadmin/dbutil/kdb5_stash.c:116 +#: ../../src/kadmin/dbutil/kdb5_util.c:448 msgid "while reading master key" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1362 +#: ../../src/kadmin/dbutil/dump.c:1386 msgid "while verifying master key" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1381 ../../src/kadmin/dbutil/dump.c:1391 +#: ../../src/kadmin/dbutil/dump.c:1405 ../../src/kadmin/dbutil/dump.c:1415 msgid "while reading new master key" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1385 +#: ../../src/kadmin/dbutil/dump.c:1409 #, c-format msgid "Please enter new master key....\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1409 +#: ../../src/kadmin/dbutil/dump.c:1433 #, c-format msgid "while opening %s for writing" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1424 +#: ../../src/kadmin/dbutil/dump.c:1448 msgid "while reading update log header" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1439 ../../src/kadmin/dbutil/dump.c:1446 +#: ../../src/kadmin/dbutil/dump.c:1463 ../../src/kadmin/dbutil/dump.c:1471 #, c-format msgid "performing %s dump" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1476 +#: ../../src/kadmin/dbutil/dump.c:1501 #, c-format msgid "%s: error processing line %d of %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1528 +#: ../../src/kadmin/dbutil/dump.c:1553 msgid "while parsing options" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1543 +#: ../../src/kadmin/dbutil/dump.c:1568 #, c-format msgid "while opening %s" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1548 ../../src/kadmin/dbutil/dump.c:1647 +#: ../../src/kadmin/dbutil/dump.c:1573 ../../src/kadmin/dbutil/dump.c:1672 msgid "standard input" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1553 +#: ../../src/kadmin/dbutil/dump.c:1578 #, c-format msgid "%s: can't read dump header in %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1561 ../../src/kadmin/dbutil/dump.c:1578 +#: ../../src/kadmin/dbutil/dump.c:1586 ../../src/kadmin/dbutil/dump.c:1603 #, c-format msgid "%s: dump header bad in %s\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1587 +#: ../../src/kadmin/dbutil/dump.c:1612 #, c-format msgid "Could not open iprop ulog\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1592 +#: ../../src/kadmin/dbutil/dump.c:1617 #, c-format msgid "%s: dump version %s can only be loaded with the -update flag\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1601 ../../src/kadmin/dbutil/dump.c:1606 +#: ../../src/kadmin/dbutil/dump.c:1626 ../../src/kadmin/dbutil/dump.c:1631 msgid "computing parameters for database" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1612 +#: ../../src/kadmin/dbutil/dump.c:1637 msgid "while creating database" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1621 +#: ../../src/kadmin/dbutil/dump.c:1646 msgid "while opening database" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1631 +#: ../../src/kadmin/dbutil/dump.c:1656 msgid "while permanently locking database" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1649 +#: ../../src/kadmin/dbutil/dump.c:1674 #, c-format msgid "%s: %s restore failed\n" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1654 +#: ../../src/kadmin/dbutil/dump.c:1679 msgid "while unlocking database" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1664 ../../src/kadmin/dbutil/dump.c:1683 +#: ../../src/kadmin/dbutil/dump.c:1689 ../../src/kadmin/dbutil/dump.c:1708 msgid "while reinitializing update log" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1674 +#: ../../src/kadmin/dbutil/dump.c:1699 msgid "while making newly loaded database live" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1690 +#: ../../src/kadmin/dbutil/dump.c:1715 msgid "while writing update log header" msgstr "" -#: ../../src/kadmin/dbutil/dump.c:1704 +#: ../../src/kadmin/dbutil/dump.c:1729 #, c-format msgid "while deleting bad database %s" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:84 +#: ../../src/kadmin/dbutil/kadm5_create.c:79 msgid "while looking up the Kerberos configuration" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:111 +#: ../../src/kadmin/dbutil/kadm5_create.c:105 msgid "while initializing the Kerberos admin interface" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:158 +#: ../../src/kadmin/dbutil/kadm5_create.c:152 msgid "while canonicalizing local hostname" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:163 -#: ../../src/kadmin/dbutil/kadm5_create.c:168 +#: ../../src/kadmin/dbutil/kadm5_create.c:157 +#: ../../src/kadmin/dbutil/kadm5_create.c:162 #, c-format msgid "Out of memory\n" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:244 +#: ../../src/kadmin/dbutil/kadm5_create.c:238 msgid "while appending realm to principal" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:249 +#: ../../src/kadmin/dbutil/kadm5_create.c:243 msgid "while parsing admin principal name" msgstr "" -#: ../../src/kadmin/dbutil/kadm5_create.c:260 +#: ../../src/kadmin/dbutil/kadm5_create.c:254 #, c-format msgid "while creating principal %s" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:175 -#: ../../src/kadmin/dbutil/kdb5_util.c:244 -#: ../../src/kadmin/dbutil/kdb5_util.c:251 -msgid "while parsing command arguments\n" -msgstr "" - -#: ../../src/kadmin/dbutil/kdb5_create.c:198 +#: ../../src/kadmin/dbutil/kdb5_create.c:191 #, c-format msgid "Loading random data\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:201 +#: ../../src/kadmin/dbutil/kdb5_create.c:194 msgid "Loading random data" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:211 -#: ../../src/kadmin/dbutil/kdb5_util.c:429 +#: ../../src/kadmin/dbutil/kdb5_create.c:204 +#: ../../src/kadmin/dbutil/kdb5_util.c:392 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:608 msgid "while setting up master key name" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:222 +#: ../../src/kadmin/dbutil/kdb5_create.c:215 #, c-format msgid "" "Initializing database '%s' for realm '%s',\n" "master key name '%s'\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:227 +#: ../../src/kadmin/dbutil/kdb5_create.c:220 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:517 #, c-format msgid "You will be prompted for the database Master Password.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:228 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:252 +#: ../../src/kadmin/dbutil/kdb5_create.c:221 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:255 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:518 #, c-format msgid "It is important that you NOT FORGET this password.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:234 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:258 +#: ../../src/kadmin/dbutil/kdb5_create.c:227 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:261 msgid "while creating new master key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:242 +#: ../../src/kadmin/dbutil/kdb5_create.c:235 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:528 msgid "while reading master key from keyboard" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:252 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:277 +#: ../../src/kadmin/dbutil/kdb5_create.c:245 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:280 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:620 msgid "while calculating master key salt" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:260 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:286 -#: ../../src/kadmin/dbutil/kdb5_util.c:471 +#: ../../src/kadmin/dbutil/kdb5_create.c:253 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:289 +#: ../../src/kadmin/dbutil/kdb5_util.c:434 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:632 msgid "while transforming master key from password" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:270 +#: ../../src/kadmin/dbutil/kdb5_create.c:263 msgid "while initializing random key generator" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:275 +#: ../../src/kadmin/dbutil/kdb5_create.c:268 #, c-format msgid "while creating database '%s'" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:293 +#: ../../src/kadmin/dbutil/kdb5_create.c:286 msgid "while creating update log" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:304 +#: ../../src/kadmin/dbutil/kdb5_create.c:297 msgid "while initializing update log" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:319 +#: ../../src/kadmin/dbutil/kdb5_create.c:312 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:644 msgid "while adding entries to the database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:347 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:330 +#: ../../src/kadmin/dbutil/kdb5_create.c:340 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:333 #: ../../src/kadmin/dbutil/kdb5_stash.c:133 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:669 msgid "while storing key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_create.c:348 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:331 +#: ../../src/kadmin/dbutil/kdb5_create.c:341 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:334 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:670 #, c-format msgid "Warning: couldn't stash master key.\n" @@ -2450,7 +2489,7 @@ msgid "Deleting KDC database stored in '%s', are you sure?\n" msgstr "" #: ../../src/kadmin/dbutil/kdb5_destroy.c:71 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1108 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1111 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:360 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1476 #, c-format @@ -2472,292 +2511,292 @@ msgstr "" msgid "** Database '%s' destroyed.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:220 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:223 #, c-format msgid "%s is an invalid enctype" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:242 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:418 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:561 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:938 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1099 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:245 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:421 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:564 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:941 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1102 #, c-format msgid "while getting master key principal %s" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:248 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:251 #, c-format msgid "Creating new master key for master key principal '%s'\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:251 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:254 #, c-format msgid "You will be prompted for a new database Master Password.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:267 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:270 msgid "while reading new master key from keyboard" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:296 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:299 msgid "adding new master key to master principal" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:302 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:387 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:803 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1304 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:305 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:390 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:806 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1307 msgid "while getting current time" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:309 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:519 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1311 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:312 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:522 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1314 msgid "while updating the master key principal modification time" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:316 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:527 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1321 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:319 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:530 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1324 msgid "while adding master key entry to the database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:368 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:371 msgid "0 is an invalid KVNO value" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:379 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:382 #, c-format msgid "%d is an invalid KVNO value" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:395 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:398 #, c-format msgid "could not parse date-time string '%s'" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:427 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:430 msgid "while looking up active version of master key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:466 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:469 msgid "while adding new master key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:504 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:507 msgid "there must be one master key currently active" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:512 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1290 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:515 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1293 msgid "while updating actkvno data for master principal entry" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:553 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:900 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1069 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:556 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:903 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1072 msgid "master keylist not initialized" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:569 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:946 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1196 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:572 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:949 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1199 msgid "while looking up active kvno list" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:577 -#: ../../src/kadmin/dbutil/kdb5_mkey.c:954 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:580 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:957 msgid "while looking up active master key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:589 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:592 msgid "while getting enctype description" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:606 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:609 #, c-format msgid "KVNO: %d, Enctype: %s, Active on: %s *\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:611 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:614 #, c-format msgid "KVNO: %d, Enctype: %s, Active on: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:615 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:618 #, c-format msgid "KVNO: %d, Enctype: %s, No activate time set\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:620 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:623 msgid "asprintf could not allocate enough memory to hold output" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:753 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:756 msgid "getting string representation of principal name" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:777 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:780 #, c-format msgid "determining master key used for principal '%s'" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:783 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:786 #, c-format msgid "would skip: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:785 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:788 #, c-format msgid "skipping: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:791 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:794 #, c-format msgid "would update: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:795 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:798 #, c-format msgid "updating: %s\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:799 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:802 #, c-format msgid "error re-encrypting key for principal '%s'" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:810 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:813 #, c-format msgid "while updating principal '%s' modification time" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:817 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:820 #, c-format msgid "while updating principal '%s' key data in the database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:849 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:852 #, c-format msgid "" "\n" "(type 'yes' to confirm)? " msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:911 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:914 #, c-format msgid "converting glob pattern '%s' to regular expression" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:929 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:932 #, c-format msgid "error compiling converted regexp '%s'" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:962 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:965 #, c-format msgid "Re-encrypt all keys not using master key vno %u?" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:964 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:967 #, c-format msgid "OK, doing nothing.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:970 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:973 #, c-format msgid "Principals whose keys WOULD BE re-encrypted to master key vno %u:\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:973 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:976 #, c-format msgid "" "Principals whose keys are being re-encrypted to master key vno %u if " "necessary:\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:989 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:992 msgid "trying to process principal database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:993 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:996 #, c-format msgid "%u principals processed: %u would be updated, %u already current\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:997 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1000 #, c-format msgid "%u principals processed: %u updated, %u already current\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1106 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1109 #, c-format msgid "" "Will purge all unused master keys stored in the '%s' principal, are you " "sure?\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1117 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1120 #, c-format msgid "OK, purging unused master keys from '%s'...\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1125 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1128 #, c-format msgid "There is only one master key which can not be purged.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1134 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1137 msgid "while allocating args.kvnos" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1150 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1153 msgid "while finding master keys in use" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1159 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1162 #, c-format msgid "Would purge the following master key(s) from %s:\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1162 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1165 #, c-format msgid "Purging the following master key(s) from %s:\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1174 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1177 msgid "master key stash file needs updating, command aborting" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1180 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1183 #, c-format msgid "KVNO: %d\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1185 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1188 #, c-format msgid "All keys in use, nothing purged.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1190 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1193 #, c-format msgid "%d key(s) would be purged.\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1203 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1206 msgid "while looking up mkey aux data list" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1211 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1214 msgid "while allocating key_data" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1298 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1301 msgid "while updating mkey_aux data for master principal entry" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_mkey.c:1325 +#: ../../src/kadmin/dbutil/kdb5_mkey.c:1328 #, c-format msgid "%d key(s) purged.\n" msgstr "" @@ -2780,9 +2819,9 @@ msgstr "" #: ../../src/kadmin/dbutil/kdb5_util.c:80 #, c-format msgid "" -"Usage: kdb5_util [-x db_args]* [-r realm] [-d dbname] [-k mkeytype] [-M " -"mkeyname]\n" -"\t [-kv mkeyVNO] [-sf stashfilename] [-m] cmd [cmd_options]\n" +"Usage: kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-kv mkeyVNO]\n" +"\t [-M mkeyname] [-m] [-sf stashfilename] [-P password]\n" +"\t [-x db_args]* cmd [cmd_options]\n" "\tcreate [-s]\n" "\tdestroy [-f]\n" "\tstash [-f keyfile]\n" @@ -2796,7 +2835,7 @@ msgid "" "\tlist_mkeys\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:98 +#: ../../src/kadmin/dbutil/kdb5_util.c:99 #, c-format msgid "" "\tupdate_princ_encryption [-f] [-n] [-v] [princ-pattern]\n" @@ -2808,116 +2847,108 @@ msgid "" "\t\t\tLook at each database documentation for supported arguments\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:214 +#: ../../src/kadmin/dbutil/kdb5_util.c:215 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:260 msgid "while initializing Kerberos code" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:220 +#: ../../src/kadmin/dbutil/kdb5_util.c:221 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:267 msgid "while creating sub-command arguments" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:238 +#: ../../src/kadmin/dbutil/kdb5_util.c:239 msgid "while parsing command arguments" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:262 +#: ../../src/kadmin/dbutil/kdb5_util.c:245 +#: ../../src/kadmin/dbutil/kdb5_util.c:252 +msgid "while parsing command arguments\n" +msgstr "" + +#: ../../src/kadmin/dbutil/kdb5_util.c:263 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:291 msgid "while setting default realm name" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:267 +#: ../../src/kadmin/dbutil/kdb5_util.c:268 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:298 #, c-format msgid ": %s is an invalid enctype" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:275 +#: ../../src/kadmin/dbutil/kdb5_util.c:276 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:307 #, c-format msgid ": %s is an invalid mkeyVNO" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:320 +#: ../../src/kadmin/dbutil/kdb5_util.c:321 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:431 msgid "while retreiving configuration parameters" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:373 -msgid "Too few arguments" -msgstr "" - -#: ../../src/kadmin/dbutil/kdb5_util.c:374 -#, c-format -msgid "Usage: %s dbpathname realmname" -msgstr "" - -#: ../../src/kadmin/dbutil/kdb5_util.c:380 -msgid "while closing previous database" -msgstr "" - -#: ../../src/kadmin/dbutil/kdb5_util.c:418 +#: ../../src/kadmin/dbutil/kdb5_util.c:381 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:883 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1491 #: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:564 msgid "while initializing database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:435 +#: ../../src/kadmin/dbutil/kdb5_util.c:398 msgid "while retrieving master entry" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:454 +#: ../../src/kadmin/dbutil/kdb5_util.c:417 msgid "while calculated master key salt" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:486 +#: ../../src/kadmin/dbutil/kdb5_util.c:449 msgid "Warning: proceeding without master key" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:504 +#: ../../src/kadmin/dbutil/kdb5_util.c:467 msgid "while seeding random number generator" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:514 +#: ../../src/kadmin/dbutil/kdb5_util.c:477 #, c-format msgid "%s: Could not map log\n" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:543 +#: ../../src/kadmin/dbutil/kdb5_util.c:506 msgid "while closing database" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:590 +#: ../../src/kadmin/dbutil/kdb5_util.c:553 #, c-format msgid "while fetching principal %s" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:613 +#: ../../src/kadmin/dbutil/kdb5_util.c:576 msgid "while finding mkey" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:638 +#: ../../src/kadmin/dbutil/kdb5_util.c:601 msgid "while setting changetime" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:646 +#: ../../src/kadmin/dbutil/kdb5_util.c:609 #, c-format msgid "while saving principal %s" msgstr "" -#: ../../src/kadmin/dbutil/kdb5_util.c:650 +#: ../../src/kadmin/dbutil/kdb5_util.c:613 #, c-format msgid "%s changed\n" msgstr "" -#: ../../src/kadmin/dbutil/tabdump.c:576 +#: ../../src/kadmin/dbutil/tabdump.c:573 #, c-format msgid "opening %s for writing" msgstr "" -#: ../../src/kadmin/dbutil/tabdump.c:662 +#: ../../src/kadmin/dbutil/tabdump.c:659 msgid "performing tabular dump" msgstr "" @@ -2965,161 +2996,203 @@ msgstr "" msgid "%s: writing srvtabs is no longer supported\n" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:169 +#: ../../src/kadmin/ktutil/ktutil.c:178 #, c-format -msgid "usage: %s (-key | -password) -p principal -k kvno -e enctype\n" +msgid "" +"usage: %s (-key | -password) -p principal -k kvno [-e enctype] [-f|-s salt]\n" +msgstr "" + +#: ../../src/kadmin/ktutil/ktutil.c:183 +#, c-format +msgid "enctype must be specified if not using -f\n" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:176 +#: ../../src/kadmin/ktutil/ktutil.c:190 msgid "while adding new entry" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:186 +#: ../../src/kadmin/ktutil/ktutil.c:200 #, c-format msgid "%s: must specify entry to delete\n" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:191 +#: ../../src/kadmin/ktutil/ktutil.c:205 #, c-format msgid "while deleting entry %d" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:219 +#: ../../src/kadmin/ktutil/ktutil.c:233 #, c-format msgid "%s: usage: %s [-t] [-k] [-e]\n" msgstr "" -#: ../../src/kadmin/ktutil/ktutil.c:259 +#: ../../src/kadmin/ktutil/ktutil.c:272 msgid "While converting enctype to string" msgstr "" -#: ../../src/kadmin/ktutil/ktutil_funcs.c:162 +#: ../../src/kadmin/ktutil/ktutil_funcs.c:196 #, c-format msgid "Password for %.1000s" msgstr "" -#: ../../src/kadmin/ktutil/ktutil_funcs.c:179 +#: ../../src/kadmin/ktutil/ktutil_funcs.c:214 #, c-format msgid "Key for %s (hex): " msgstr "" -#: ../../src/kadmin/ktutil/ktutil_funcs.c:191 +#: ../../src/kadmin/ktutil/ktutil_funcs.c:226 #, c-format msgid "addent: Error reading key.\n" msgstr "" -#: ../../src/kadmin/ktutil/ktutil_funcs.c:206 +#: ../../src/kadmin/ktutil/ktutil_funcs.c:234 #, c-format msgid "addent: Illegal character in key.\n" msgstr "" +#: ../../src/kadmin/server/auth_acl.c:240 +#, c-format +msgid "%s: invalid restrictions: %s" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:288 +#, c-format +msgid "Unrecognized ACL operation '%c' in %s" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:296 +#, c-format +msgid "Cannot parse client principal '%s'" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:304 +#, c-format +msgid "Cannot parse target principal '%s'" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:400 +#, c-format +msgid "%s while opening ACL file %s" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:403 +#, c-format +msgid "Cannot open %s: %s" +msgstr "" + +#: ../../src/kadmin/server/auth_acl.c:419 +#: ../../src/kadmin/server/auth_acl.c:422 +#, c-format +msgid "%s: syntax error at line %d <%.10s...>" +msgstr "" + #: ../../src/kadmin/server/ipropd_svc.c:49 #, c-format msgid "Unauthorized request: %s, client=%s, service=%s, addr=%s" msgstr "" #: ../../src/kadmin/server/ipropd_svc.c:50 -#: ../../src/kadmin/server/ipropd_svc.c:214 +#: ../../src/kadmin/server/ipropd_svc.c:224 #, c-format msgid "Request: %s, %s, %s, client=%s, service=%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:150 -#: ../../src/kadmin/server/ipropd_svc.c:273 +#: ../../src/kadmin/server/ipropd_svc.c:164 +#: ../../src/kadmin/server/ipropd_svc.c:283 #, c-format msgid "%s: server handle is NULL" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:160 -#: ../../src/kadmin/server/ipropd_svc.c:286 +#: ../../src/kadmin/server/ipropd_svc.c:174 +#: ../../src/kadmin/server/ipropd_svc.c:296 #, c-format msgid "%s: setup_gss_names failed" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:168 -#: ../../src/kadmin/server/ipropd_svc.c:295 +#: ../../src/kadmin/server/ipropd_svc.c:182 +#: ../../src/kadmin/server/ipropd_svc.c:305 #, c-format msgid "%s: out of memory recording principal names" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:197 +#: ../../src/kadmin/server/ipropd_svc.c:207 #, c-format msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=%lu" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:203 +#: ../../src/kadmin/server/ipropd_svc.c:213 #, c-format msgid "%s; Incoming SerialNo=%lu; Outgoing SerialNo=N/A" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:320 +#: ../../src/kadmin/server/ipropd_svc.c:326 #, c-format msgid "%s: getclhoststr failed" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:342 +#: ../../src/kadmin/server/ipropd_svc.c:348 #, c-format msgid "%s: cannot construct kdb5 util dump string too long; out of memory" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:362 +#: ../../src/kadmin/server/ipropd_svc.c:368 #, c-format msgid "%s: fork failed: %s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:374 +#: ../../src/kadmin/server/ipropd_svc.c:380 #, c-format msgid "%s: popen failed: %s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:388 +#: ../../src/kadmin/server/ipropd_svc.c:394 #, c-format msgid "%s: pclose(popen) failed: %s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:408 +#: ../../src/kadmin/server/ipropd_svc.c:414 #, c-format msgid "%s: exec failed: %s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:424 +#: ../../src/kadmin/server/ipropd_svc.c:430 #, c-format msgid "Request: %s, spawned resync process %d, client=%s, service=%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:488 +#: ../../src/kadmin/server/ipropd_svc.c:494 #: ../../src/kadmin/server/kadm_rpc_svc.c:306 #, c-format msgid "check_rpcsec_auth: failed inquire_context, stat=%u" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:518 +#: ../../src/kadmin/server/ipropd_svc.c:524 #: ../../src/kadmin/server/kadm_rpc_svc.c:335 #, c-format msgid "bad service principal %.*s%s" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:541 +#: ../../src/kadmin/server/ipropd_svc.c:547 #, c-format msgid "authentication attempt failed: %s, RPC authentication flavor %d" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:575 +#: ../../src/kadmin/server/ipropd_svc.c:581 #, c-format msgid "RPC unknown request: %d (%s)" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:583 +#: ../../src/kadmin/server/ipropd_svc.c:589 #, c-format msgid "RPC svc_getargs failed (%s)" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:593 +#: ../../src/kadmin/server/ipropd_svc.c:599 #, c-format msgid "RPC svc_sendreply failed (%s)" msgstr "" -#: ../../src/kadmin/server/ipropd_svc.c:599 +#: ../../src/kadmin/server/ipropd_svc.c:605 #, c-format msgid "RPC svc_freeargs failed (%s)" msgstr "" @@ -3129,7 +3202,7 @@ msgstr "" msgid "gss_to_krb5_name: failed display_name status %d" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:87 +#: ../../src/kadmin/server/ovsec_kadmd.c:86 #, c-format msgid "" "Usage: kadmind [-x db_args]* [-r realm] [-m] [-nofork] [-port port-number]\n" @@ -3141,210 +3214,214 @@ msgid "" "\t\t\tLook at each database documentation for supported arguments\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:112 +#: ../../src/kadmin/server/ovsec_kadmd.c:110 #, c-format msgid "%s: %s while %s, aborting\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:114 +#: ../../src/kadmin/server/ovsec_kadmd.c:112 #, c-format msgid "%s while %s, aborting\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:116 +#: ../../src/kadmin/server/ovsec_kadmd.c:114 #, c-format msgid "%s: %s, aborting\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:117 +#: ../../src/kadmin/server/ovsec_kadmd.c:115 #, c-format msgid "%s, aborting" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:286 +#: ../../src/kadmin/server/ovsec_kadmd.c:282 #, c-format msgid "" "WARNING! Forged/garbled request: %s, claimed client = %.*s%s, server = %.*s" "%s, addr = %s" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:292 +#: ../../src/kadmin/server/ovsec_kadmd.c:288 #, c-format msgid "" "WARNING! Forged/garbled request: %d, claimed client = %.*s%s, server = %.*s" "%s, addr = %s" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:306 +#: ../../src/kadmin/server/ovsec_kadmd.c:302 #, c-format msgid "Miscellaneous RPC error: %s, %s" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:322 +#: ../../src/kadmin/server/ovsec_kadmd.c:318 #, c-format msgid "%s Cannot decode status %d" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:340 +#: ../../src/kadmin/server/ovsec_kadmd.c:336 #, c-format msgid "Authentication attempt failed: %s, GSS-API error strings are:" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:345 +#: ../../src/kadmin/server/ovsec_kadmd.c:341 msgid " GSS-API error strings complete." msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:382 +#: ../../src/kadmin/server/ovsec_kadmd.c:379 #, c-format msgid "%s: cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:454 +#: ../../src/kadmin/server/ovsec_kadmd.c:451 #, c-format msgid "%s: %s while initializing context, aborting\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:465 +#: ../../src/kadmin/server/ovsec_kadmd.c:462 msgid "initializing" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:469 +#: ../../src/kadmin/server/ovsec_kadmd.c:466 msgid "getting config parameters" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:471 +#: ../../src/kadmin/server/ovsec_kadmd.c:468 msgid "Missing required realm configuration" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:473 +#: ../../src/kadmin/server/ovsec_kadmd.c:470 msgid "Missing required ACL file configuration" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:477 +#: ../../src/kadmin/server/ovsec_kadmd.c:472 +msgid "-proponly can only be used when iprop_enable is true" +msgstr "" + +#: ../../src/kadmin/server/ovsec_kadmd.c:478 msgid "initializing network" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:482 +#: ../../src/kadmin/server/ovsec_kadmd.c:483 msgid "Cannot build GSSAPI auth names" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:486 +#: ../../src/kadmin/server/ovsec_kadmd.c:487 msgid "Cannot set up KDB keytab" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:489 +#: ../../src/kadmin/server/ovsec_kadmd.c:490 msgid "Cannot set GSSAPI authentication names" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:506 +#: ../../src/kadmin/server/ovsec_kadmd.c:507 msgid "Cannot initialize GSSAPI service name" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:510 +#: ../../src/kadmin/server/ovsec_kadmd.c:512 msgid "initializing ACL file" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:513 +#: ../../src/kadmin/server/ovsec_kadmd.c:515 msgid "spawning daemon process" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:517 +#: ../../src/kadmin/server/ovsec_kadmd.c:519 msgid "creating PID file" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:520 +#: ../../src/kadmin/server/ovsec_kadmd.c:522 msgid "Seeding random number generator" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:523 +#: ../../src/kadmin/server/ovsec_kadmd.c:525 msgid "getting random seed" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:530 +#: ../../src/kadmin/server/ovsec_kadmd.c:532 msgid "mapping update log" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:534 +#: ../../src/kadmin/server/ovsec_kadmd.c:536 #, c-format msgid "%s: create IPROP svc (PROG=%d, VERS=%d)\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:542 +#: ../../src/kadmin/server/ovsec_kadmd.c:544 msgid "starting" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:544 ../../src/kdc/main.c:1062 +#: ../../src/kadmin/server/ovsec_kadmd.c:546 ../../src/kdc/main.c:1047 #, c-format msgid "%s: starting...\n" msgstr "" -#: ../../src/kadmin/server/ovsec_kadmd.c:547 +#: ../../src/kadmin/server/ovsec_kadmd.c:549 msgid "finished, exiting" msgstr "" -#: ../../src/kadmin/server/schpw.c:282 +#: ../../src/kadmin/server/schpw.c:273 #, c-format msgid "setpw request from %s by %.*s%s for %.*s%s: %s" msgstr "" -#: ../../src/kadmin/server/schpw.c:287 +#: ../../src/kadmin/server/schpw.c:278 #, c-format msgid "chpw request from %s for %.*s%s: %s" msgstr "" -#: ../../src/kadmin/server/schpw.c:464 +#: ../../src/kadmin/server/schpw.c:446 #, c-format msgid "chpw: Couldn't open admin keytab %s" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:343 +#: ../../src/kadmin/server/server_stubs.c:394 #, c-format msgid "" "Unauthorized request: %s, %.*s%s, client=%.*s%s, service=%.*s%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:364 -#: ../../src/kadmin/server/server_stubs.c:666 -#: ../../src/kadmin/server/server_stubs.c:1627 +#: ../../src/kadmin/server/server_stubs.c:415 +#: ../../src/kadmin/server/server_stubs.c:693 +#: ../../src/kadmin/server/server_stubs.c:1618 msgid "success" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:374 +#: ../../src/kadmin/server/server_stubs.c:425 #, c-format msgid "Request: %s, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:646 +#: ../../src/kadmin/server/server_stubs.c:673 #, c-format msgid "" "Unauthorized request: kadm5_rename_principal, %.*s%s to %.*s%s, client=%.*s" "%s, service=%.*s%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:661 +#: ../../src/kadmin/server/server_stubs.c:688 #, c-format msgid "" "Request: kadm5_rename_principal, %.*s%s to %.*s%s, %s, client=%.*s%s, " "service=%.*s%s, addr=%s" msgstr "" -#: ../../src/kadmin/server/server_stubs.c:1623 +#: ../../src/kadmin/server/server_stubs.c:1614 #, c-format msgid "" "Request: kadm5_init, %.*s%s, %s, client=%.*s%s, service=%.*s%s, addr=%s, " "vers=%d, flavor=%d" msgstr "" -#: ../../src/kdc/do_as_req.c:295 +#: ../../src/kdc/do_as_req.c:301 #, c-format msgid "AS_REQ : handle_authdata (%d)" msgstr "" -#: ../../src/kdc/do_tgs_req.c:661 +#: ../../src/kdc/do_tgs_req.c:643 msgid "not checking transit path" msgstr "" -#: ../../src/kdc/do_tgs_req.c:684 +#: ../../src/kdc/do_tgs_req.c:666 #, c-format msgid "TGS_REQ : handle_authdata (%d)" msgstr "" @@ -3393,75 +3470,75 @@ msgstr "" msgid "while loading authdata module %s" msgstr "" -#: ../../src/kdc/kdc_log.c:82 +#: ../../src/kdc/kdc_log.c:84 #, c-format -msgid "AS_REQ (%s) %s: ISSUE: authtime %d, %s, %s for %s" +msgid "AS_REQ (%s) %s: ISSUE: authtime %u, %s, %s for %s" msgstr "" -#: ../../src/kdc/kdc_log.c:88 +#: ../../src/kdc/kdc_log.c:90 #, c-format msgid "AS_REQ (%s) %s: %s: %s for %s%s%s" msgstr "" -#: ../../src/kdc/kdc_log.c:159 +#: ../../src/kdc/kdc_log.c:154 #, c-format -msgid "TGS_REQ (%s) %s: %s: authtime %d, %s%s %s for %s%s%s" +msgid "TGS_REQ (%s) %s: %s: authtime %u, %s%s %s for %s%s%s" msgstr "" -#: ../../src/kdc/kdc_log.c:166 +#: ../../src/kdc/kdc_log.c:161 #, c-format msgid "... PROTOCOL-TRANSITION s4u-client=%s" msgstr "" -#: ../../src/kdc/kdc_log.c:170 +#: ../../src/kdc/kdc_log.c:165 #, c-format msgid "... CONSTRAINED-DELEGATION s4u-client=%s" msgstr "" -#: ../../src/kdc/kdc_log.c:174 +#: ../../src/kdc/kdc_log.c:169 #, c-format -msgid "TGS_REQ %s: %s: authtime %d, %s for %s, 2nd tkt client %s" +msgid "TGS_REQ %s: %s: authtime %u, %s for %s, 2nd tkt client %s" msgstr "" -#: ../../src/kdc/kdc_log.c:208 +#: ../../src/kdc/kdc_log.c:203 #, c-format msgid "bad realm transit path from '%s' to '%s' via '%.*s%s'" msgstr "" -#: ../../src/kdc/kdc_log.c:214 +#: ../../src/kdc/kdc_log.c:209 #, c-format msgid "unexpected error checking transit from '%s' to '%s' via '%.*s%s': %s" msgstr "" -#: ../../src/kdc/kdc_log.c:232 +#: ../../src/kdc/kdc_log.c:227 msgid "TGS_REQ: issuing alternate TGT" msgstr "" -#: ../../src/kdc/kdc_log.c:235 +#: ../../src/kdc/kdc_log.c:230 #, c-format msgid "TGS_REQ: issuing TGT %s" msgstr "" -#: ../../src/kdc/kdc_preauth.c:310 +#: ../../src/kdc/kdc_preauth.c:215 #, c-format msgid "preauth %s failed to initialize: %s" msgstr "" -#: ../../src/kdc/kdc_preauth.c:321 +#: ../../src/kdc/kdc_preauth.c:226 #, c-format msgid "preauth %s failed to setup loop: %s" msgstr "" -#: ../../src/kdc/kdc_preauth.c:773 +#: ../../src/kdc/kdc_preauth.c:914 #, c-format msgid "%spreauth required but hint list is empty" msgstr "" -#: ../../src/kdc/kdc_preauth_ec.c:75 +#: ../../src/kdc/kdc_preauth_ec.c:76 msgid "Encrypted Challenge used outside of FAST tunnel" msgstr "" -#: ../../src/kdc/kdc_preauth_ec.c:110 +#: ../../src/kdc/kdc_preauth_ec.c:120 msgid "Incorrect password in encrypted challenge" msgstr "" @@ -3478,76 +3555,76 @@ msgstr "" msgid "TGS_REQ: UNKNOWN SERVER: server='%s'" msgstr "" -#: ../../src/kdc/kdc_util.c:805 +#: ../../src/kdc/kdc_util.c:798 #, c-format msgid "Required auth indicators not present in ticket: %s" msgstr "" -#: ../../src/kdc/main.c:233 +#: ../../src/kdc/main.c:230 #, c-format msgid "while getting context for realm %s" msgstr "" -#: ../../src/kdc/main.c:341 +#: ../../src/kdc/main.c:338 #, c-format msgid "while setting default realm to %s" msgstr "" -#: ../../src/kdc/main.c:349 +#: ../../src/kdc/main.c:346 #, c-format msgid "while initializing database for realm %s" msgstr "" -#: ../../src/kdc/main.c:358 +#: ../../src/kdc/main.c:355 #, c-format msgid "while setting up master key name %s for realm %s" msgstr "" -#: ../../src/kdc/main.c:371 +#: ../../src/kdc/main.c:368 #, c-format msgid "while fetching master key %s for realm %s" msgstr "" -#: ../../src/kdc/main.c:379 +#: ../../src/kdc/main.c:376 #, c-format msgid "while fetching master keys list for realm %s" msgstr "" -#: ../../src/kdc/main.c:388 +#: ../../src/kdc/main.c:385 #, c-format msgid "while resolving kdb keytab for realm %s" msgstr "" -#: ../../src/kdc/main.c:397 +#: ../../src/kdc/main.c:394 #, c-format msgid "while building TGS name for realm %s" msgstr "" -#: ../../src/kdc/main.c:515 +#: ../../src/kdc/main.c:512 #, c-format msgid "creating %d worker processes" msgstr "" -#: ../../src/kdc/main.c:525 +#: ../../src/kdc/main.c:522 msgid "Unable to reinitialize main loop" msgstr "" -#: ../../src/kdc/main.c:530 +#: ../../src/kdc/main.c:527 #, c-format msgid "Unable to initialize signal handlers in pid %d" msgstr "" -#: ../../src/kdc/main.c:560 +#: ../../src/kdc/main.c:557 #, c-format msgid "worker %ld exited with status %d" msgstr "" -#: ../../src/kdc/main.c:584 +#: ../../src/kdc/main.c:581 #, c-format msgid "signal %d received in supervisor" msgstr "" -#: ../../src/kdc/main.c:603 +#: ../../src/kdc/main.c:593 #, c-format msgid "" "usage: %s [-x db_args]* [-d dbpathname] [-r dbrealmname]\n" @@ -3561,2908 +3638,3005 @@ msgid "" "arguments\n" msgstr "" -#: ../../src/kdc/main.c:678 ../../src/kdc/main.c:685 ../../src/kdc/main.c:799 +#: ../../src/kdc/main.c:668 ../../src/kdc/main.c:675 ../../src/kdc/main.c:790 #, c-format msgid " KDC cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:704 ../../src/kdc/main.c:747 ../../src/kdc/main.c:758 +#: ../../src/kdc/main.c:694 ../../src/kdc/main.c:737 ../../src/kdc/main.c:748 #, c-format msgid "%s: KDC cannot initialize. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:724 ../../src/kdc/main.c:841 +#: ../../src/kdc/main.c:714 ../../src/kdc/main.c:827 #, c-format msgid "%s: cannot initialize realm %s - see log file for details\n" msgstr "" -#: ../../src/kdc/main.c:735 +#: ../../src/kdc/main.c:725 #, c-format msgid "%s: cannot initialize realm %s. Not enough memory\n" msgstr "" -#: ../../src/kdc/main.c:786 +#: ../../src/kdc/main.c:776 #, c-format msgid "invalid enctype %s" msgstr "" -#: ../../src/kdc/main.c:829 +#: ../../src/kdc/main.c:815 msgid "while attempting to retrieve default realm" msgstr "" -#: ../../src/kdc/main.c:831 +#: ../../src/kdc/main.c:817 #, c-format msgid "%s: %s, attempting to retrieve default realm\n" msgstr "" -#: ../../src/kdc/main.c:939 +#: ../../src/kdc/main.c:925 #, c-format msgid "%s: cannot get memory for realm list\n" msgstr "" -#: ../../src/kdc/main.c:974 +#: ../../src/kdc/main.c:960 msgid "while initializing lookaside cache" msgstr "" -#: ../../src/kdc/main.c:982 +#: ../../src/kdc/main.c:968 msgid "while creating main loop" msgstr "" -#: ../../src/kdc/main.c:992 -msgid "while initializing SAM" +#: ../../src/kdc/main.c:977 +msgid "while loading KDC policy plugin" msgstr "" -#: ../../src/kdc/main.c:1017 +#: ../../src/kdc/main.c:1002 msgid "while initializing signal handlers" msgstr "" -#: ../../src/kdc/main.c:1025 +#: ../../src/kdc/main.c:1010 msgid "while initializing network" msgstr "" -#: ../../src/kdc/main.c:1030 +#: ../../src/kdc/main.c:1015 msgid "while detaching from tty" msgstr "" -#: ../../src/kdc/main.c:1037 +#: ../../src/kdc/main.c:1022 msgid "while creating PID file" msgstr "" -#: ../../src/kdc/main.c:1046 +#: ../../src/kdc/main.c:1031 msgid "creating worker processes" msgstr "" -#: ../../src/kdc/main.c:1056 +#: ../../src/kdc/main.c:1041 msgid "while loading audit plugin module(s)" msgstr "" -#: ../../src/kdc/main.c:1060 +#: ../../src/kdc/main.c:1045 msgid "commencing operation" msgstr "" -#: ../../src/kdc/main.c:1068 +#: ../../src/kdc/main.c:1053 msgid "shutting down" msgstr "" -#: ../../src/lib/apputils/net-server.c:232 -msgid "Got signal to request exit" -msgstr "" - -#: ../../src/lib/apputils/net-server.c:246 -msgid "Got signal to reset" +#: ../../src/kdc/policy.c:230 +#, c-format +msgid "while loading policy module %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:312 +#: ../../src/kprop/kprop.c:85 #, c-format -msgid "Invalid port %d" +msgid "" +"\n" +"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] replica_host\n" +"\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:325 +#: ../../src/kprop/kprop.c:114 #, c-format -msgid "Removing address %s since wildcard address is being added" +msgid "Database propagation to %s: SUCCEEDED\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:332 -msgid "Address already added to server" +#: ../../src/kprop/kprop.c:175 +msgid "while setting client principal name" msgstr "" -#: ../../src/lib/apputils/net-server.c:503 -#, c-format -msgid "closing down fd %d" +#: ../../src/kprop/kprop.c:184 +msgid "while setting server principal name" msgstr "" -#: ../../src/lib/apputils/net-server.c:517 -#, c-format -msgid "descriptor %d closed but still in svc_fdset" +#: ../../src/kprop/kprop.c:197 +msgid "while resolving keytab" msgstr "" -#: ../../src/lib/apputils/net-server.c:543 -msgid "cannot create io event" +#: ../../src/kprop/kprop.c:205 +msgid "while getting initial credentials\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:549 -msgid "cannot save event" +#: ../../src/kprop/kprop.c:241 +msgid "while creating socket" msgstr "" -#: ../../src/lib/apputils/net-server.c:569 -#, c-format -msgid "file descriptor number %d too high" +#: ../../src/kprop/kprop.c:257 +msgid "while converting server address" msgstr "" -#: ../../src/lib/apputils/net-server.c:577 -msgid "cannot allocate storage for connection info" +#: ../../src/kprop/kprop.c:267 +msgid "while connecting to server" msgstr "" -#: ../../src/lib/apputils/net-server.c:616 -#, c-format -msgid "Cannot create TCP server socket on %s" +#: ../../src/kprop/kprop.c:274 ../../src/kprop/kpropd.c:1199 +msgid "while getting local socket address" msgstr "" -#: ../../src/lib/apputils/net-server.c:625 -#, c-format -msgid "TCP socket fd number %d (for %s) too high" +#: ../../src/kprop/kprop.c:279 +msgid "while converting local address" msgstr "" -#: ../../src/lib/apputils/net-server.c:633 -#, c-format -msgid "Cannot enable SO_REUSEADDR on fd %d" +#: ../../src/kprop/kprop.c:302 +msgid "in krb5_auth_con_setaddrs" msgstr "" -#: ../../src/lib/apputils/net-server.c:640 -#, c-format -msgid "setsockopt(%d,IPV6_V6ONLY,1) failed" +#: ../../src/kprop/kprop.c:310 +msgid "while authenticating to server" msgstr "" -#: ../../src/lib/apputils/net-server.c:642 +#: ../../src/kprop/kprop.c:314 ../../src/kprop/kprop.c:513 +#: ../../src/kprop/kpropd.c:1505 #, c-format -msgid "setsockopt(%d,IPV6_V6ONLY,1) worked" +msgid "Generic remote error: %s\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:645 -msgid "no IPV6_V6ONLY socket option support" +#: ../../src/kprop/kprop.c:320 ../../src/kprop/kprop.c:519 +msgid "signalled from server" msgstr "" -#: ../../src/lib/apputils/net-server.c:651 +#: ../../src/kprop/kprop.c:322 ../../src/kprop/kprop.c:521 #, c-format -msgid "Cannot bind server socket on %s" +msgid "Error text from server: %s\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:728 +#: ../../src/kprop/kprop.c:350 #, c-format -msgid "Setting up %s socket for address %s" +msgid "allocating database file name '%s'" msgstr "" -#: ../../src/lib/apputils/net-server.c:743 +#: ../../src/kprop/kprop.c:356 #, c-format -msgid "Cannot listen on %s server socket on %s" +msgid "while trying to open %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:752 -#, c-format -msgid "cannot set listening %s socket on %s non-blocking" +#: ../../src/kprop/kprop.c:363 +msgid "database locked" msgstr "" -#: ../../src/lib/apputils/net-server.c:761 +#: ../../src/kprop/kprop.c:366 ../../src/kprop/kpropd.c:552 #, c-format -msgid "cannot set SO_LINGER on %s socket on %s" +msgid "while trying to lock '%s'" msgstr "" -#: ../../src/lib/apputils/net-server.c:768 +#: ../../src/kprop/kprop.c:370 ../../src/kprop/kprop.c:378 #, c-format -msgid "Setting pktinfo on socket %s" +msgid "while trying to stat %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:773 -#, c-format -msgid "Cannot request packet info for UDP socket address %s port %d" +#: ../../src/kprop/kprop.c:374 +msgid "while trying to malloc data_ok_fn" msgstr "" -#: ../../src/lib/apputils/net-server.c:775 -msgid "" -"System does not support pktinfo yet binding to a wildcard address. Packets " -"are not guaranteed to return on the received address." +#: ../../src/kprop/kprop.c:383 +#, c-format +msgid "'%s' more recent than '%s'." msgstr "" -#: ../../src/lib/apputils/net-server.c:788 -msgid "Error attempting to add verto event" +#: ../../src/kprop/kprop.c:399 +#, c-format +msgid "while unlocking database '%s'" msgstr "" -#: ../../src/lib/apputils/net-server.c:798 -#, c-format -msgid "Cannot create RPC service: %s" +#: ../../src/kprop/kprop.c:432 ../../src/kprop/kprop.c:433 +msgid "while encoding database size" msgstr "" -#: ../../src/lib/apputils/net-server.c:808 -#, c-format -msgid "Cannot register RPC service: %s" +#: ../../src/kprop/kprop.c:441 +msgid "while sending database size" msgstr "" -#: ../../src/lib/apputils/net-server.c:855 -msgid "No addresses added to the net server" +#: ../../src/kprop/kprop.c:451 +msgid "while allocating i_vector" msgstr "" -#: ../../src/lib/apputils/net-server.c:874 +#: ../../src/kprop/kprop.c:474 #, c-format -msgid "Failed getting address info (for %s): %s" +msgid "while sending database block starting at %d" msgstr "" -#: ../../src/lib/apputils/net-server.c:904 -#, c-format -msgid "Failed setting up a %s socket (for %s)" +#: ../../src/kprop/kprop.c:484 +msgid "Premature EOF found for database file!" msgstr "" -#: ../../src/lib/apputils/net-server.c:951 -msgid "setting up network..." +#: ../../src/kprop/kprop.c:497 +msgid "while reading response from server" msgstr "" -#: ../../src/lib/apputils/net-server.c:954 -msgid "Error setting up network" +#: ../../src/kprop/kprop.c:508 +msgid "while decoding error response from server" msgstr "" -#: ../../src/lib/apputils/net-server.c:957 +#: ../../src/kprop/kprop.c:539 #, c-format -msgid "set up %d sockets" +msgid "Kpropd sent database size %d, expecting %d" msgstr "" -#: ../../src/lib/apputils/net-server.c:960 -msgid "no sockets set up?" +#: ../../src/kprop/kprop.c:584 +msgid "while allocating filename for update_last_prop_file" msgstr "" -#: ../../src/lib/apputils/net-server.c:1021 -#: ../../src/lib/apputils/net-server.c:1075 -msgid "while dispatching (udp)" +#: ../../src/kprop/kprop.c:589 +#, c-format +msgid "while creating 'last_prop' file, '%s'" msgstr "" -#: ../../src/lib/apputils/net-server.c:1050 +#: ../../src/kprop/kpropd.c:171 #, c-format -msgid "while sending reply to %s/%s from %s" +msgid "" +"\n" +"Usage: %s [-r realm] [-s srvtab] [-dS] [-f replica_file]\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1055 +#: ../../src/kprop/kpropd.c:173 #, c-format -msgid "short reply write %d vs %d\n" +msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1100 -msgid "while receiving from network" +#: ../../src/kprop/kpropd.c:174 +#, c-format +msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1116 +#: ../../src/kprop/kpropd.c:175 #, c-format -msgid "pktinfo says local addr is %s" +msgid "\t[-A admin_server] [--pid-file=pid_file]\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1149 -msgid "too many connections" +#: ../../src/kprop/kpropd.c:231 +#, c-format +msgid "Killing fullprop child (%d)\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1172 -#, c-format -msgid "dropping %s fd %d from %s" +#: ../../src/kprop/kpropd.c:260 +msgid "while checking if stdin is a socket" msgstr "" -#: ../../src/lib/apputils/net-server.c:1250 +#: ../../src/kprop/kpropd.c:278 #, c-format -msgid "allocating buffer for new TCP session from %s" +msgid "ready\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1280 -msgid "while dispatching (tcp)" +#: ../../src/kprop/kpropd.c:284 +#, c-format +msgid "Could not write pid file %s: %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1312 -msgid "error allocating tcp dispatch private!" +#: ../../src/kprop/kpropd.c:296 +#, c-format +msgid "Could not open /dev/null: %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1359 +#: ../../src/kprop/kpropd.c:303 #, c-format -msgid "TCP client %s wants %lu bytes, cap is %lu" +msgid "Could not dup the inetd socket: %s" msgstr "" -#: ../../src/lib/apputils/net-server.c:1367 -#, c-format -msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" +#: ../../src/kprop/kpropd.c:338 ../../src/kprop/kpropd.c:351 +msgid "do_iprop failed.\n" msgstr "" -#: ../../src/lib/apputils/net-server.c:1551 +#: ../../src/kprop/kpropd.c:390 #, c-format -msgid "accepted RPC connection on socket %d from %s" +msgid "getaddrinfo: %s\n" msgstr "" -#: ../../src/lib/crypto/krb/prng_fortuna.c:428 -msgid "Random number generator could not be seeded" +#: ../../src/kprop/kpropd.c:396 +msgid "while obtaining socket" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:43 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165 -msgid "A required input parameter could not be read" +#: ../../src/kprop/kpropd.c:402 +msgid "while setting SO_REUSEADDR option" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:44 -msgid "A required input parameter could not be written" +#: ../../src/kprop/kpropd.c:410 +msgid "while unsetting IPV6_V6ONLY option" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:45 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175 -msgid "A parameter was malformed" +#: ../../src/kprop/kpropd.c:415 +msgid "while binding listener socket" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:48 -msgid "calling error" +#: ../../src/kprop/kpropd.c:426 +#, c-format +msgid "waiting for a kprop connection\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:59 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195 -msgid "An unsupported mechanism was requested" +#: ../../src/kprop/kpropd.c:432 +msgid "while accepting connection" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:60 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199 -msgid "An invalid name was supplied" +#: ../../src/kprop/kpropd.c:438 +msgid "while forking" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:61 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203 -msgid "A supplied name was of an unsupported type" +#: ../../src/kprop/kpropd.c:453 +#, c-format +msgid "waitpid() failed to wait for doit() (%d %s)\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:62 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208 -msgid "Incorrect channel bindings were supplied" +#: ../../src/kprop/kpropd.c:457 +msgid "while waiting to receive database" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:63 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334 -msgid "An invalid status code was supplied" +#: ../../src/kprop/kpropd.c:461 +#, c-format +msgid "Database load process for full propagation completed.\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:64 -msgid "A token had an invalid signature" +#: ../../src/kprop/kpropd.c:499 +#, c-format +msgid "" +"%s: Standard input does not appear to be a network socket.\n" +"\t(Not run from inetd, and missing the -S option?)\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:65 -msgid "No credentials were supplied" +#: ../../src/kprop/kpropd.c:512 +msgid "while attempting setsockopt (SO_KEEPALIVE)" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:66 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223 -msgid "No context has been established" +#: ../../src/kprop/kpropd.c:517 +#, c-format +msgid "Connection from %s" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:67 -msgid "A token was invalid" +#: ../../src/kprop/kpropd.c:537 +#, c-format +msgid "Rejected connection from unauthorized principal %s\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:68 -msgid "A credential was invalid" +#: ../../src/kprop/kpropd.c:541 +#, c-format +msgid "Rejected connection from unauthorized principal %s" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:69 -msgid "The referenced credentials have expired" +#: ../../src/kprop/kpropd.c:558 +#, c-format +msgid "while opening database file, '%s'" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:70 -msgid "The context has expired" +#: ../../src/kprop/kpropd.c:564 +#, c-format +msgid "while renaming %s to %s" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:71 -msgid "Miscellaneous failure" +#: ../../src/kprop/kpropd.c:570 +#, c-format +msgid "while downgrading lock on '%s'" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:72 -msgid "The quality-of-protection requested could not be provided" +#: ../../src/kprop/kpropd.c:577 +#, c-format +msgid "while unlocking '%s'" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:73 -msgid "The operation is forbidden by the local security policy" +#: ../../src/kprop/kpropd.c:589 +msgid "while sending # of received bytes" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:74 -msgid "The operation or option is not available" +#: ../../src/kprop/kpropd.c:595 +msgid "while trying to close database file" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:77 -msgid "routine error" +#: ../../src/kprop/kpropd.c:650 +#, c-format +msgid "Incremental propagation enabled\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:89 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311 -msgid "The routine must be called again to complete its function" +#: ../../src/kprop/kpropd.c:661 +#, c-format +msgid "%s: unable to get kiprop host based service name for realm %s\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:90 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316 -msgid "The token was a duplicate of an earlier token" +#: ../../src/kprop/kpropd.c:672 +msgid "while trying to construct host service principal" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:91 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321 -msgid "The token's validity period has expired" +#: ../../src/kprop/kpropd.c:691 +#, c-format +msgid "Initializing kadm5 as client %s\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:92 -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325 -msgid "A later token has already been processed" +#: ../../src/kprop/kpropd.c:705 +#, c-format +msgid "kadm5 initialization failed!\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:95 -msgid "supplementary info code" +#: ../../src/kprop/kpropd.c:714 +msgid "while attempting to connect to master KDC ... retrying" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:106 -#: ../lib/krb5/error_tables/krb5_err.c:23 -msgid "No error" +#: ../../src/kprop/kpropd.c:718 +#, c-format +msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" msgstr "" -#: ../../src/lib/gssapi/generic/disp_major_status.c:107 +#: ../../src/kprop/kpropd.c:734 #, c-format -msgid "Unknown %s (field = %d)" +msgid "while initializing %s interface, retrying" msgstr "" -#: ../../src/lib/gssapi/krb5/acquire_cred.c:165 +#: ../../src/kprop/kpropd.c:738 #, c-format -msgid "No key table entry found matching %s" +msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161 -msgid "The routine completed successfully" +#: ../../src/kprop/kpropd.c:748 +#, c-format +msgid "kadm5 initialization succeeded\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170 -msgid "A required output parameter could not be written" +#: ../../src/kprop/kpropd.c:770 +msgid "reading update log header" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212 -msgid "A token had an invalid Message Integrity Check (MIC)" +#: ../../src/kprop/kpropd.c:781 +#, c-format +msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217 -msgid "" -"No credentials were supplied, or the credentials were unavailable or " -"inaccessible" +#: ../../src/kprop/kpropd.c:791 +msgid "iprop_get_updates call failed" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227 -msgid "Invalid token was supplied" +#: ../../src/kprop/kpropd.c:797 +#, c-format +msgid "Reinitializing iprop because get updates failed\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231 -msgid "Invalid credential was supplied" +#: ../../src/kprop/kpropd.c:818 +#, c-format +msgid "Still waiting for full resync\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235 -msgid "The referenced credential has expired" +#: ../../src/kprop/kpropd.c:823 +#, c-format +msgid "Full resync needed\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239 -msgid "The referenced context has expired" +#: ../../src/kprop/kpropd.c:824 +msgid "kpropd: Full resync needed." msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243 -msgid "Unspecified GSS failure. Minor code may provide more information" +#: ../../src/kprop/kpropd.c:829 +msgid "iprop_full_resync call failed" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248 -msgid "The quality-of-protection (QOP) requested could not be provided" +#: ../../src/kprop/kpropd.c:840 +#, c-format +msgid "Full resync request granted\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253 -msgid "The operation is forbidden by local security policy" +#: ../../src/kprop/kpropd.c:841 +msgid "Full resync request granted." msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258 -msgid "The operation or option is not available or unsupported" +#: ../../src/kprop/kpropd.c:850 +#, c-format +msgid "Exponential backoff\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263 -msgid "The requested credential element already exists" +#: ../../src/kprop/kpropd.c:856 +#, c-format +msgid "Full resync permission denied\n" msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268 -msgid "The provided name was not mechanism specific (MN)" +#: ../../src/kprop/kpropd.c:857 +msgid "Full resync, permission denied." msgstr "" -#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329 -msgid "An expected per-message token was not received" +#: ../../src/kprop/kpropd.c:862 +#, c-format +msgid "Full resync error from master\n" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1813 -msgid "SPNEGO cannot find mechanisms to negotiate" +#: ../../src/kprop/kpropd.c:863 +msgid " Full resync, error returned from master KDC." msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1818 -msgid "SPNEGO failed to acquire creds" +#: ../../src/kprop/kpropd.c:871 +#, c-format +msgid "Full resync invalid result from master\n" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1823 -msgid "SPNEGO acceptor did not select a mechanism" +#: ../../src/kprop/kpropd.c:873 +msgid "Full resync, invalid return from master KDC." msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1828 -msgid "SPNEGO failed to negotiate a mechanism" +#: ../../src/kprop/kpropd.c:889 +#, c-format +msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n" msgstr "" -#: ../../src/lib/gssapi/spnego/spnego_mech.c:1833 -msgid "SPNEGO acceptor did not return a valid token" +#: ../../src/kprop/kpropd.c:901 +#, c-format +msgid "ulog_replay failed (%s), updates not registered\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:54 +#: ../../src/kprop/kpropd.c:904 #, c-format -msgid "%s: cannot parse <%s>\n" +msgid "ulog_replay failed (%s), updates not registered." msgstr "" -#: ../../src/lib/kadm5/logger.c:55 +#: ../../src/kprop/kpropd.c:913 #, c-format -msgid "%s: warning - logging entry syntax error\n" +msgid "Incremental updates: %d updates / %lu us" msgstr "" -#: ../../src/lib/kadm5/logger.c:56 +#: ../../src/kprop/kpropd.c:916 #, c-format -msgid "%s: error writing to %s\n" +msgid "Incremental updates: %d updates / %lu us\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:57 +#: ../../src/kprop/kpropd.c:924 #, c-format -msgid "%s: error writing to %s device\n" +msgid "get_updates permission denied\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:59 -msgid "EMERGENCY" +#: ../../src/kprop/kpropd.c:925 +msgid "get_updates, permission denied." msgstr "" -#: ../../src/lib/kadm5/logger.c:60 -msgid "ALERT" +#: ../../src/kprop/kpropd.c:930 +#, c-format +msgid "get_updates error from master\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:61 -msgid "CRITICAL" +#: ../../src/kprop/kpropd.c:931 +msgid "get_updates, error returned from master KDC." msgstr "" -#: ../../src/lib/kadm5/logger.c:62 -msgid "Error" +#: ../../src/kprop/kpropd.c:939 +#, c-format +msgid "get_updates master busy; backoff\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:63 -msgid "Warning" +#: ../../src/kprop/kpropd.c:948 +#, c-format +msgid "KDC is synchronized with master.\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:64 -msgid "Notice" +#: ../../src/kprop/kpropd.c:956 +#, c-format +msgid "get_updates invalid result from master\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:65 -msgid "info" +#: ../../src/kprop/kpropd.c:957 +msgid "get_updates, invalid return from master KDC." msgstr "" -#: ../../src/lib/kadm5/logger.c:66 -msgid "debug" +#: ../../src/kprop/kpropd.c:972 +#, c-format +msgid "Busy signal received from master, backoff for %d secs\n" msgstr "" -#: ../../src/lib/kadm5/logger.c:926 +#: ../../src/kprop/kpropd.c:979 #, c-format -msgid "Couldn't open log file %s: %s\n" +msgid "Waiting for %d seconds before checking for updates again\n" msgstr "" -#: ../../src/lib/kadm5/srv/kadm5_hook.c:120 +#: ../../src/kprop/kpropd.c:990 #, c-format -msgid "kadm5_hook %s failed postcommit %s: %s" +msgid "ERROR returned by master, bailing\n" msgstr "" -#: ../../src/lib/kadm5/srv/pwqual_dict.c:106 -msgid "No dictionary file specified, continuing without one." +#: ../../src/kprop/kpropd.c:991 +msgid "ERROR returned by master KDC, bailing.\n" msgstr "" -#: ../../src/lib/kadm5/srv/pwqual_dict.c:113 -#, c-format -msgid "WARNING! Cannot find dictionary file %s, continuing without one." +#: ../../src/kprop/kpropd.c:1108 +msgid "copying db args" msgstr "" -#: ../../src/lib/kadm5/srv/pwqual_empty.c:42 -msgid "Empty passwords are not allowed" +#: ../../src/kprop/kpropd.c:1133 +msgid "Unable to get default realm" msgstr "" -#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114 -msgid "Password may not match user information." +#: ../../src/kprop/kpropd.c:1140 +msgid "Unable to set default realm" msgstr "" -#: ../../src/lib/kadm5/srv/pwqual_princ.c:54 -msgid "Password may not match principal name" +#: ../../src/kprop/kpropd.c:1150 +msgid "while trying to construct my service name" msgstr "" -#: ../../src/lib/kadm5/srv/server_acl.c:90 -#, c-format -msgid "%s: line %d too long, truncated" +#: ../../src/kprop/kpropd.c:1157 +msgid "while allocating filename for temp file" msgstr "" -#: ../../src/lib/kadm5/srv/server_acl.c:91 -#, c-format -msgid "Unrecognized ACL operation '%c' in %s" +#: ../../src/kprop/kpropd.c:1165 +msgid "while initializing" msgstr "" -#: ../../src/lib/kadm5/srv/server_acl.c:93 -#, c-format -msgid "%s: syntax error at line %d <%.10s...>" +#: ../../src/kprop/kpropd.c:1173 +msgid "Unable to map log!\n" msgstr "" -#: ../../src/lib/kadm5/srv/server_acl.c:95 +#: ../../src/kprop/kpropd.c:1219 #, c-format -msgid "%s while opening ACL file %s" +msgid "Error in krb5_auth_con_ini: %s" msgstr "" -#: ../../src/lib/kadm5/srv/server_acl.c:345 +#: ../../src/kprop/kpropd.c:1227 #, c-format -msgid "%s: invalid restrictions: %s" +msgid "Error in krb5_auth_con_setflags: %s" msgstr "" -#: ../../src/lib/kadm5/srv/server_kdb.c:195 -msgid "History entry contains no key data" +#: ../../src/kprop/kpropd.c:1235 +#, c-format +msgid "Error in krb5_auth_con_setaddrs: %s" msgstr "" -#: ../../src/lib/kadm5/srv/server_misc.c:128 +#: ../../src/kprop/kpropd.c:1243 #, c-format -msgid "password quality module %s rejected password for %s: %s" +msgid "Error in krb5_kt_resolve: %s" msgstr "" -#: ../../src/lib/kdb/kdb5.c:216 -msgid "No default realm set; cannot initialize KDB" +#: ../../src/kprop/kpropd.c:1252 +#, c-format +msgid "Error in krb5_recvauth: %s" msgstr "" -#: ../../src/lib/kdb/kdb5.c:373 +#: ../../src/kprop/kpropd.c:1259 #, c-format -msgid "Unable to find requested database type: %s" +msgid "Error in krb5_copy_prinicpal: %s" msgstr "" -#: ../../src/lib/kdb/kdb5.c:453 ../lib/krb5/error_tables/kdb5_err.c:55 -msgid "Unable to find requested database type" +#: ../../src/kprop/kpropd.c:1275 +msgid "while unparsing ticket etype" msgstr "" -#: ../../src/lib/kdb/kdb5.c:461 -msgid "plugin symbol 'kdb_function_table' lookup failed" +#: ../../src/kprop/kpropd.c:1279 +#, c-format +msgid "authenticated client: %s (etype == %s)\n" msgstr "" -#: ../../src/lib/kdb/kdb5.c:469 -#, c-format -msgid "" -"Unable to load requested database module '%s': plugin symbol " -"'kdb_function_table' not found" +#: ../../src/kprop/kpropd.c:1358 +msgid "while reading size of database from client" msgstr "" -#: ../../src/lib/kdb/kdb5.c:607 -msgid "Cannot initialize database library" +#: ../../src/kprop/kpropd.c:1368 +msgid "while decoding database size from client" msgstr "" -#: ../../src/lib/kdb/kdb5.c:1767 -#, c-format -msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n" +#: ../../src/kprop/kpropd.c:1381 +msgid "while initializing i_vector" msgstr "" -#: ../../src/lib/kdb/kdb5.c:1939 +#: ../../src/kprop/kpropd.c:1386 #, c-format -msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n" +msgid "Full propagation transfer started.\n" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:164 +#: ../../src/kprop/kpropd.c:1439 #, c-format -msgid "keyfile (%s) is not a regular file: %s" +msgid "Full propagation transfer finished.\n" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:177 -msgid "Could not create temp keytab file name." +#: ../../src/kprop/kpropd.c:1500 +msgid "while decoding error packet from client" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:202 +#: ../../src/kprop/kpropd.c:1509 +msgid "signaled from server" +msgstr "" + +#: ../../src/kprop/kpropd.c:1511 #, c-format -msgid "Temporary stash file already exists: %s." +msgid "Error text from client: %s\n" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:230 +#: ../../src/kprop/kpropd.c:1560 #, c-format -msgid "rename of temporary keyfile (%s) to (%s) failed: %s" +msgid "while trying to fork %s" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:415 +#: ../../src/kprop/kpropd.c:1564 #, c-format -msgid "Can not fetch master key (error: %s)." +msgid "while trying to exec %s" msgstr "" -#: ../../src/lib/kdb/kdb_default.c:483 -msgid "Unable to decrypt latest master key with the provided master key\n" +#: ../../src/kprop/kpropd.c:1571 +#, c-format +msgid "while waiting for %s" msgstr "" -#: ../../src/lib/kdb/kdb_log.c:70 -msgid "could not sync ulog update to disk" +#: ../../src/kprop/kpropd.c:1577 +#, c-format +msgid "%s load terminated" msgstr "" -#: ../../src/lib/kdb/kdb_log.c:84 -msgid "could not sync ulog header to disk" +#: ../../src/kprop/kpropd.c:1583 +#, c-format +msgid "%s returned a bad exit status (%d)" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:122 +#: ../../src/kprop/kproplog.c:28 #, c-format -msgid "Subsidiary cache path %s has no parent directory" +msgid "" +"\n" +"Usage: %s [-h] [-v] [-v] [-e num]\n" +"\t%s -R\n" +"\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:128 +#: ../../src/kprop/kproplog.c:132 #, c-format -msgid "Subsidiary cache path %s filename does not begin with \"tkt\"" +msgid "" +"\n" +"Couldn't allocate memory" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:169 +#: ../../src/kprop/kproplog.c:226 #, c-format -msgid "%s contains invalid filename" +msgid "\t\tAttribute flags\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:229 +#: ../../src/kprop/kproplog.c:231 #, c-format -msgid "Credential cache directory %s does not exist" +msgid "\t\tMaximum ticket life\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:235 +#: ../../src/kprop/kproplog.c:236 #, c-format -msgid "Credential cache directory %s exists but is not a directory" +msgid "\t\tMaximum renewable life\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_dir.c:400 -msgid "" -"Can't create new subsidiary cache because default cache is not a directory " -"collection" +#: ../../src/kprop/kproplog.c:241 +#, c-format +msgid "\t\tPrincipal expiration\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_keyring.c:1151 -msgid "" -"Can't create new subsidiary cache because default cache is already a " -"subsidiary" +#: ../../src/kprop/kproplog.c:246 +#, c-format +msgid "\t\tPassword expiration\n" msgstr "" -#: ../../src/lib/krb5/ccache/cc_keyring.c:1219 +#: ../../src/kprop/kproplog.c:251 #, c-format -msgid "Credentials cache keyring '%s' not found" +msgid "\t\tLast successful auth\n" msgstr "" -#: ../../src/lib/krb5/ccache/cccursor.c:213 +#: ../../src/kprop/kproplog.c:256 #, c-format -msgid "Can't find client principal %s in cache collection" +msgid "\t\tLast failed auth\n" msgstr "" -#: ../../src/lib/krb5/ccache/cccursor.c:284 -msgid "No Kerberos credentials available" +#: ../../src/kprop/kproplog.c:261 +#, c-format +msgid "\t\tFailed passwd attempt\n" msgstr "" -#: ../../src/lib/krb5/ccache/cccursor.c:290 +#: ../../src/kprop/kproplog.c:266 #, c-format -msgid "No Kerberos credentials available (default cache: %s)" +msgid "\t\tPrincipal\n" msgstr "" -#: ../../src/lib/krb5/keytab/kt_file.c:404 +#: ../../src/kprop/kproplog.c:271 #, c-format -msgid "No key table entry found for %s" +msgid "\t\tKey data\n" msgstr "" -#: ../../src/lib/krb5/keytab/kt_file.c:821 -#: ../../src/lib/krb5/keytab/kt_file.c:854 -msgid "Cannot change keytab with keytab iterators active" +#: ../../src/kprop/kproplog.c:278 +#, c-format +msgid "\t\tTL data\n" msgstr "" -#: ../../src/lib/krb5/keytab/kt_file.c:1044 +#: ../../src/kprop/kproplog.c:285 #, c-format -msgid "Key table file '%s' not found" +msgid "\t\tLength\n" msgstr "" -#: ../../src/lib/krb5/keytab/ktfns.c:127 +#: ../../src/kprop/kproplog.c:290 #, c-format -msgid "Keytab %s is nonexistent or empty" +msgid "\t\tPassword last changed\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:250 -msgid "Malformed request error" +#: ../../src/kprop/kproplog.c:295 +#, c-format +msgid "\t\tModifying principal\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:253 ../lib/krb5/error_tables/kdb5_err.c:58 -msgid "Server error" +#: ../../src/kprop/kproplog.c:300 +#, c-format +msgid "\t\tModification time\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:256 -msgid "Authentication error" +#: ../../src/kprop/kproplog.c:305 +#, c-format +msgid "\t\tModified where\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:259 -msgid "Password change rejected" +#: ../../src/kprop/kproplog.c:310 +#, c-format +msgid "\t\tPassword policy\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:262 -msgid "Access denied" +#: ../../src/kprop/kproplog.c:315 +#, c-format +msgid "\t\tPassword policy switch\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:265 -msgid "Wrong protocol version" +#: ../../src/kprop/kproplog.c:320 +#, c-format +msgid "\t\tPassword history KVNO\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:268 -msgid "Initial password required" +#: ../../src/kprop/kproplog.c:325 +#, c-format +msgid "\t\tPassword history\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:271 -msgid "Success" +#: ../../src/kprop/kproplog.c:359 +#, c-format +msgid "" +"Corrupt update entry\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:274 ../lib/krb5/error_tables/krb5_err.c:257 -msgid "Password change failed" +#: ../../src/kprop/kproplog.c:364 +#, c-format +msgid "Update Entry\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:431 +#: ../../src/kprop/kproplog.c:366 +#, c-format +msgid "\tUpdate serial # : %u\n" +msgstr "" + +#: ../../src/kprop/kproplog.c:370 +#, c-format +msgid "\tDummy entry\n" +msgstr "" + +#: ../../src/kprop/kproplog.c:378 +#, c-format msgid "" -"The password must include numbers or symbols. Don't include any part of " -"your name in the password." +"Entry data decode failure\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:437 +#: ../../src/kprop/kproplog.c:382 #, c-format -msgid "The password must contain at least %d character." -msgid_plural "The password must contain at least %d characters." -msgstr[0] "" -msgstr[1] "" +msgid "\tUpdate operation : " +msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:446 +#: ../../src/kprop/kproplog.c:384 #, c-format -msgid "The password must be different from the previous password." -msgid_plural "The password must be different from the previous %d passwords." -msgstr[0] "" -msgstr[1] "" +msgid "Delete\n" +msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:458 +#: ../../src/kprop/kproplog.c:386 #, c-format -msgid "The password can only be changed once a day." -msgid_plural "The password can only be changed every %d days." -msgstr[0] "" -msgstr[1] "" +msgid "Add\n" +msgstr "" -#: ../../src/lib/krb5/krb/chpw.c:504 -msgid "Try a more complex password, or contact your administrator." +#: ../../src/kprop/kproplog.c:390 +#, c-format +msgid "" +"Could not allocate principal name\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:216 -msgid "Error constructing AP-REQ armor" +#: ../../src/kprop/kproplog.c:396 +#, c-format +msgid "\tUpdate principal : %s\n" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:394 -msgid "Failed to decrypt FAST reply" +#: ../../src/kprop/kproplog.c:398 +#, c-format +msgid "\tUpdate size : %u\n" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:400 -msgid "nonce modified in FAST response: KDC response modified" +#: ../../src/kprop/kproplog.c:399 +#, c-format +msgid "\tUpdate committed : %s\n" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:466 -msgid "Expecting FX_ERROR pa-data inside FAST container" +#: ../../src/kprop/kproplog.c:403 +#, c-format +msgid "\tUpdate time stamp : None\n" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:537 -msgid "FAST response missing finish message in KDC reply" +#: ../../src/kprop/kproplog.c:405 +#, c-format +msgid "\tUpdate time stamp : %s" msgstr "" -#: ../../src/lib/krb5/krb/fast.c:550 -msgid "Ticket modified in KDC reply" +#: ../../src/kprop/kproplog.c:409 +#, c-format +msgid "\tAttributes changed : %d\n" msgstr "" -#: ../../src/lib/krb5/krb/gc_via_tkt.c:208 +#: ../../src/kprop/kproplog.c:474 #, c-format -msgid "KDC returned error string: %.*s" +msgid "" +"Unable to initialize Kerberos\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/gc_via_tkt.c:217 +#: ../../src/kprop/kproplog.c:481 #, c-format -msgid "Server %s not found in Kerberos database" +msgid "" +"Couldn't read database_name\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/get_in_tkt.c:220 -msgid "Reply has wrong form of session key for anonymous request" +#: ../../src/kprop/kproplog.c:485 +#, c-format +msgid "" +"\n" +"Kerberos update log (%s)\n" msgstr "" -#: ../../src/lib/krb5/krb/get_in_tkt.c:1658 -msgid "Failed to store credentials" +#: ../../src/kprop/kproplog.c:489 ../../src/kprop/kproplog.c:505 +#, c-format +msgid "" +"Unable to map log file %s\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/get_in_tkt.c:1743 +#: ../../src/kprop/kproplog.c:494 #, c-format -msgid "Client '%s' not found in Kerberos database" +msgid "" +"Couldn't reinitialize ulog file %s\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_keytab.c:207 +#: ../../src/kprop/kproplog.c:498 #, c-format -msgid "Keytab contains no suitable keys for %s" +msgid "Reinitialized the ulog.\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:75 +#: ../../src/kprop/kproplog.c:511 #, c-format -msgid "Password for %s" +msgid "" +"Corrupt header log, exiting\n" +"\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:227 +#: ../../src/kprop/kproplog.c:515 #, c-format -msgid "Warning: Your password will expire in less than one hour on %s" +msgid "Update log dump :\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:231 +#: ../../src/kprop/kproplog.c:516 #, c-format -msgid "Warning: Your password will expire in %d hour%s on %s" +msgid "\tLog version # : %u\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:235 +#: ../../src/kprop/kproplog.c:517 #, c-format -msgid "Warning: Your password will expire in %d days on %s" +msgid "\tLog state : " msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:408 -msgid "Password expired. You must change it now." +#: ../../src/kprop/kproplog.c:520 +#, c-format +msgid "Stable\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:427 ../../src/lib/krb5/krb/gic_pwd.c:431 +#: ../../src/kprop/kproplog.c:523 #, c-format -msgid "%s. Please try again." +msgid "Unstable\n" msgstr "" -#: ../../src/lib/krb5/krb/gic_pwd.c:472 +#: ../../src/kprop/kproplog.c:526 #, c-format -msgid "%.*s%s%s. Please try again.\n" +msgid "Corrupt\n" msgstr "" -#: ../../src/lib/krb5/krb/parse.c:203 +#: ../../src/kprop/kproplog.c:529 #, c-format -msgid "Principal %s is missing required realm" +msgid "Unknown state: %d\n" msgstr "" -#: ../../src/lib/krb5/krb/parse.c:215 +#: ../../src/kprop/kproplog.c:532 #, c-format -msgid "Principal %s has realm present" +msgid "\tEntry block size : %u\n" msgstr "" -#: ../../src/lib/krb5/krb/plugin.c:166 +#: ../../src/kprop/kproplog.c:533 #, c-format -msgid "Invalid module specifier %s" +msgid "\tNumber of entries : %u\n" msgstr "" -#: ../../src/lib/krb5/krb/plugin.c:403 +#: ../../src/kprop/kproplog.c:536 #, c-format -msgid "Could not find %s plugin module named '%s'" +msgid "\tLast serial # : None\n" msgstr "" -#: ../../src/lib/krb5/krb/preauth2.c:644 -msgid "Pre-authentication failed" +#: ../../src/kprop/kproplog.c:539 +#, c-format +msgid "\tFirst serial # : None\n" msgstr "" -#: ../../src/lib/krb5/krb/preauth2.c:1016 -msgid "Unable to initialize preauth context" +#: ../../src/kprop/kproplog.c:541 +#, c-format +msgid "\tFirst serial # : " msgstr "" -#: ../../src/lib/krb5/krb/preauth2.c:1029 +#: ../../src/kprop/kproplog.c:545 #, c-format -msgid "Preauth module %s" +msgid "\tLast serial # : " msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:515 -msgid "Please choose from the following:\n" +#: ../../src/kprop/kproplog.c:550 +#, c-format +msgid "\tLast time stamp : None\n" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:516 -msgid "Vendor:" +#: ../../src/kprop/kproplog.c:553 +#, c-format +msgid "\tFirst time stamp : None\n" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:528 -msgid "Enter #" +#: ../../src/kprop/kproplog.c:555 +#, c-format +msgid "\tFirst time stamp : %s" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:564 -msgid "OTP Challenge:" +#: ../../src/kprop/kproplog.c:559 +#, c-format +msgid "\tLast time stamp : %s\n" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:593 -msgid "OTP Token PIN" +#: ../../src/lib/apputils/net-server.c:221 +msgid "Got signal to request exit" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:707 -msgid "OTP value doesn't match any token formats" +#: ../../src/lib/apputils/net-server.c:235 +msgid "Got signal to reset" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:774 -msgid "Enter OTP Token Value" +#: ../../src/lib/apputils/net-server.c:301 +#, c-format +msgid "Invalid port %d" msgstr "" -#: ../../src/lib/krb5/krb/preauth_otp.c:920 -msgid "No supported tokens" +#: ../../src/lib/apputils/net-server.c:314 +#, c-format +msgid "Removing address %s since wildcard address is being added" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:49 -msgid "Challenge for Enigma Logic mechanism" +#: ../../src/lib/apputils/net-server.c:321 +msgid "Address already added to server" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:53 -msgid "Challenge for Digital Pathways mechanism" +#: ../../src/lib/apputils/net-server.c:484 +#, c-format +msgid "closing down fd %d" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:57 -msgid "Challenge for Activcard mechanism" +#: ../../src/lib/apputils/net-server.c:498 +#, c-format +msgid "descriptor %d closed but still in svc_fdset" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:60 -msgid "Challenge for Enhanced S/Key mechanism" +#: ../../src/lib/apputils/net-server.c:524 +msgid "cannot create io event" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:63 -msgid "Challenge for Traditional S/Key mechanism" +#: ../../src/lib/apputils/net-server.c:529 +msgid "cannot save event" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:66 -#: ../../src/lib/krb5/krb/preauth_sam2.c:69 -msgid "Challenge for Security Dynamics mechanism" +#: ../../src/lib/apputils/net-server.c:549 +#, c-format +msgid "file descriptor number %d too high" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:72 -msgid "Challenge from authentication server" +#: ../../src/lib/apputils/net-server.c:556 +msgid "cannot allocate storage for connection info" msgstr "" -#: ../../src/lib/krb5/krb/preauth_sam2.c:166 -msgid "SAM Authentication" +#: ../../src/lib/apputils/net-server.c:591 +#, c-format +msgid "Cannot create TCP server socket on %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:145 +#: ../../src/lib/apputils/net-server.c:600 #, c-format -msgid "Cannot find key for %s kvno %d in keytab" +msgid "TCP socket fd number %d (for %s) too high" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:150 +#: ../../src/lib/apputils/net-server.c:607 #, c-format -msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" +msgid "Cannot enable SO_REUSEADDR on fd %d" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:175 +#: ../../src/lib/apputils/net-server.c:612 #, c-format -msgid "Cannot decrypt ticket for %s using keytab key for %s" +msgid "setsockopt(%d,IPV6_V6ONLY,1) failed" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:197 +#: ../../src/lib/apputils/net-server.c:615 #, c-format -msgid "Server principal %s does not match request ticket server %s" +msgid "setsockopt(%d,IPV6_V6ONLY,1) worked" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:226 -msgid "No keys in keytab" +#: ../../src/lib/apputils/net-server.c:618 +msgid "no IPV6_V6ONLY socket option support" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:229 +#: ../../src/lib/apputils/net-server.c:624 #, c-format -msgid "Server principal %s does not match any keys in keytab" +msgid "Cannot bind server socket on %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:236 +#: ../../src/lib/apputils/net-server.c:694 #, c-format -msgid "" -"Request ticket server %s found in keytab but does not match server principal " -"%s" +msgid "Setting up %s socket for address %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:241 +#: ../../src/lib/apputils/net-server.c:707 #, c-format -msgid "Request ticket server %s not found in keytab (ticket kvno %d)" +msgid "Cannot listen on %s server socket on %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:247 +#: ../../src/lib/apputils/net-server.c:716 #, c-format -msgid "" -"Request ticket server %s kvno %d not found in keytab; ticket is likely out " -"of date" +msgid "cannot set listening %s socket on %s non-blocking" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:252 +#: ../../src/lib/apputils/net-server.c:724 #, c-format -msgid "" -"Request ticket server %s kvno %d not found in keytab; keytab is likely out " -"of date" +msgid "cannot set SO_LINGER on %s socket on %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:261 +#: ../../src/lib/apputils/net-server.c:731 #, c-format -msgid "" -"Request ticket server %s kvno %d found in keytab but not with enctype %s" +msgid "Setting pktinfo on socket %s" msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:266 +#: ../../src/lib/apputils/net-server.c:736 #, c-format +msgid "Cannot request packet info for UDP socket address %s port %d" +msgstr "" + +#: ../../src/lib/apputils/net-server.c:738 msgid "" -"Request ticket server %s kvno %d enctype %s found in keytab but cannot " -"decrypt ticket" +"System does not support pktinfo yet binding to a wildcard address. Packets " +"are not guaranteed to return on the received address." msgstr "" -#: ../../src/lib/krb5/krb/rd_req_dec.c:898 -#, c-format -msgid "Encryption type %s not permitted" +#: ../../src/lib/apputils/net-server.c:750 +msgid "Error attempting to add verto event" msgstr "" -#: ../../src/lib/krb5/os/expand_path.c:316 +#: ../../src/lib/apputils/net-server.c:759 #, c-format -msgid "Can't find username for uid %lu" +msgid "Cannot create RPC service: %s" msgstr "" -#: ../../src/lib/krb5/os/expand_path.c:405 -#: ../../src/lib/krb5/os/expand_path.c:421 -msgid "Invalid token" +#: ../../src/lib/apputils/net-server.c:769 +#, c-format +msgid "Cannot register RPC service: %s" msgstr "" -#: ../../src/lib/krb5/os/expand_path.c:506 -msgid "variable missing }" +#: ../../src/lib/apputils/net-server.c:813 +msgid "No addresses added to the net server" msgstr "" -#: ../../src/lib/krb5/os/locate_kdc.c:819 +#: ../../src/lib/apputils/net-server.c:832 #, c-format -msgid "Cannot find KDC for realm \"%.*s\"" +msgid "Failed getting address info (for %s): %s" msgstr "" -#: ../../src/lib/krb5/os/sendto_kdc.c:515 +#: ../../src/lib/apputils/net-server.c:862 #, c-format -msgid "Cannot contact any KDC for realm '%.*s'" +msgid "Failed setting up a %s socket (for %s)" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:106 -#, c-format -msgid "Cannot fstat replay cache file %s: %s" +#: ../../src/lib/apputils/net-server.c:903 +msgid "setting up network..." msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:112 -#, c-format -msgid "" -"Insecure mkstemp() file mode for replay cache file %s; try running this " -"program with umask 077" +#: ../../src/lib/apputils/net-server.c:906 +msgid "Error setting up network" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:144 +#: ../../src/lib/apputils/net-server.c:909 #, c-format -msgid "Cannot %s replay cache file %s: %s" +msgid "set up %d sockets" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:149 -#, c-format -msgid "Cannot %s replay cache: %s" +#: ../../src/lib/apputils/net-server.c:912 +msgid "no sockets set up?" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:272 -#, c-format -msgid "Insecure file mode for replay cache file %s" +#: ../../src/lib/apputils/net-server.c:975 +#: ../../src/lib/apputils/net-server.c:1029 +msgid "while dispatching (udp)" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:278 +#: ../../src/lib/apputils/net-server.c:1004 #, c-format -msgid "rcache not owned by %d" +msgid "while sending reply to %s/%s from %s" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:402 ../../src/lib/krb5/rcache/rc_io.c:406 -#: ../../src/lib/krb5/rcache/rc_io.c:411 +#: ../../src/lib/apputils/net-server.c:1009 #, c-format -msgid "Can't write to replay cache: %s" +msgid "short reply write %d vs %d\n" +msgstr "" + +#: ../../src/lib/apputils/net-server.c:1054 +msgid "while receiving from network" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:432 +#: ../../src/lib/apputils/net-server.c:1097 +msgid "too many connections" +msgstr "" + +#: ../../src/lib/apputils/net-server.c:1115 #, c-format -msgid "Cannot sync replay cache file: %s" +msgid "dropping %s fd %d from %s" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:451 +#: ../../src/lib/apputils/net-server.c:1185 #, c-format -msgid "Can't read from replay cache: %s" +msgid "allocating buffer for new TCP session from %s" +msgstr "" + +#: ../../src/lib/apputils/net-server.c:1217 +msgid "while dispatching (tcp)" +msgstr "" + +#: ../../src/lib/apputils/net-server.c:1249 +msgid "error allocating tcp dispatch private!" msgstr "" -#: ../../src/lib/krb5/rcache/rc_io.c:482 ../../src/lib/krb5/rcache/rc_io.c:488 -#: ../../src/lib/krb5/rcache/rc_io.c:493 +#: ../../src/lib/apputils/net-server.c:1296 #, c-format -msgid "Can't destroy replay cache: %s" +msgid "TCP client %s wants %lu bytes, cap is %lu" msgstr "" -#: ../../src/plugins/kdb/db2/kdb_db2.c:245 -#: ../../src/plugins/kdb/db2/kdb_db2.c:819 +#: ../../src/lib/apputils/net-server.c:1304 #, c-format -msgid "Unsupported argument \"%s\" for db2" +msgid "error constructing KRB_ERR_FIELD_TOOLONG error! %s" msgstr "" -#: ../../src/plugins/kdb/db2/kdb_db2.c:387 +#: ../../src/lib/apputils/net-server.c:1343 #, c-format -msgid "Cannot open DB2 database '%s'" +msgid "getsockname failed: %s" msgstr "" -#: ../../src/plugins/kdb/db2/kdb_db2.c:989 -msgid "Recursive iteration is not supported for hash databases" +#: ../../src/lib/crypto/krb/prng_fortuna.c:428 +msgid "Random number generator could not be seeded" msgstr "" -#: ../../src/plugins/kdb/db2/kdb_db2.c:996 -msgid "Recursive iteration not supported in this version of libdb" +#: ../../src/lib/gssapi/generic/disp_major_status.c:43 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:165 +msgid "A required input parameter could not be read" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:893 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1094 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1501 -msgid "while reading kerberos container information" +#: ../../src/lib/gssapi/generic/disp_major_status.c:44 +msgid "A required input parameter could not be written" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 -msgid "while providing time specification" +#: ../../src/lib/gssapi/generic/disp_major_status.c:45 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:175 +msgid "A parameter was malformed" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 -msgid "while creating policy object" +#: ../../src/lib/gssapi/generic/disp_major_status.c:48 +msgid "calling error" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1509 -msgid "while reading realm information" +#: ../../src/lib/gssapi/generic/disp_major_status.c:59 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:195 +msgid "An unsupported mechanism was requested" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 -msgid "while destroying policy object" +#: ../../src/lib/gssapi/generic/disp_major_status.c:60 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:199 +msgid "An invalid name was supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 -#, c-format -msgid "This will delete the policy object '%s', are you sure?\n" +#: ../../src/lib/gssapi/generic/disp_major_status.c:61 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:203 +msgid "A supplied name was of an unsupported type" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 -msgid "while modifying policy object" +#: ../../src/lib/gssapi/generic/disp_major_status.c:62 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:208 +msgid "Incorrect channel bindings were supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 -#, c-format -msgid "while reading information of policy '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:63 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:179 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:274 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:334 +msgid "An invalid status code was supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 -msgid "while viewing policy" +#: ../../src/lib/gssapi/generic/disp_major_status.c:64 +msgid "A token had an invalid signature" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 -#, c-format -msgid "while viewing policy '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:65 +msgid "No credentials were supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 -msgid "while listing policy objects" +#: ../../src/lib/gssapi/generic/disp_major_status.c:66 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:223 +msgid "No context has been established" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 -#, c-format -msgid "for subtree while creating realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:67 +msgid "A token was invalid" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 -#, c-format -msgid "for container reference while creating realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:68 +msgid "A credential was invalid" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:490 -#, c-format -msgid "invalid search scope while creating realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:69 +msgid "The referenced credentials have expired" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:505 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:829 -#, c-format -msgid "'%s' is an invalid option\n" +#: ../../src/lib/gssapi/generic/disp_major_status.c:70 +msgid "The context has expired" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:513 -#, c-format -msgid "Initializing database for realm '%s'\n" +#: ../../src/lib/gssapi/generic/disp_major_status.c:71 +msgid "Miscellaneous failure" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:537 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:698 -#, c-format -msgid "while creating realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:72 +msgid "The quality-of-protection requested could not be provided" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:557 -#, c-format -msgid "Enter DN of Kerberos container: " +#: ../../src/lib/gssapi/generic/disp_major_status.c:73 +msgid "The operation is forbidden by the local security policy" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:592 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:900 -#, c-format -msgid "while reading information of realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:74 +msgid "The operation or option is not available" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:736 -msgid "while reading Kerberos container information" +#: ../../src/lib/gssapi/generic/disp_major_status.c:77 +msgid "routine error" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:779 -#, c-format -msgid "for subtree while modifying realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:89 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:311 +msgid "The routine must be called again to complete its function" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:790 -#, c-format -msgid "for container reference while modifying realm '%s'" +#: ../../src/lib/gssapi/generic/disp_major_status.c:90 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:316 +msgid "The token was a duplicate of an earlier token" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:818 +#: ../../src/lib/gssapi/generic/disp_major_status.c:91 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:321 +msgid "The token's validity period has expired" +msgstr "" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:92 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:325 +msgid "A later token has already been processed" +msgstr "" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:95 +msgid "supplementary info code" +msgstr "" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:106 +#: ../lib/krb5/error_tables/krb5_err.c:23 +msgid "No error" +msgstr "" + +#: ../../src/lib/gssapi/generic/disp_major_status.c:107 #, c-format -msgid "specified for search scope while modifying information of realm '%s'" +msgid "Unknown %s (field = %d)" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:857 +#: ../../src/lib/gssapi/krb5/acquire_cred.c:165 #, c-format -msgid "while modifying information of realm '%s'" +msgid "No key table entry found matching %s" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 -msgid "Realm Name" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:161 +msgid "The routine completed successfully" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:949 -msgid "Subtree" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:170 +msgid "A required output parameter could not be written" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:952 -msgid "Principal Container Reference" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:212 +msgid "A token had an invalid Message Integrity Check (MIC)" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:957 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:959 -msgid "SearchScope" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:217 +msgid "" +"No credentials were supplied, or the credentials were unavailable or " +"inaccessible" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:957 -msgid "Invalid !" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:227 +msgid "Invalid token was supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:964 -msgid "KDC Services" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:231 +msgid "Invalid credential was supplied" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:979 -msgid "Admin Services" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:235 +msgid "The referenced credential has expired" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:994 -msgid "Passwd Services" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:239 +msgid "The referenced context has expired" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1010 -msgid "Maximum Ticket Life" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:243 +msgid "Unspecified GSS failure. Minor code may provide more information" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1015 -msgid "Maximum Renewable Life" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:248 +msgid "The quality-of-protection (QOP) requested could not be provided" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1022 -msgid "Ticket flags" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:253 +msgid "The operation is forbidden by local security policy" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1101 -msgid "while listing realms" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:258 +msgid "The operation or option is not available or unsupported" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1433 -msgid "while adding entries to database" +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:263 +msgid "The requested credential element already exists" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1474 +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:268 +msgid "The provided name was not mechanism specific (MN)" +msgstr "" + +#: ../../src/lib/gssapi/mechglue/g_dsp_status.c:329 +msgid "An expected per-message token was not received" +msgstr "" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1813 +msgid "SPNEGO cannot find mechanisms to negotiate" +msgstr "" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1818 +msgid "SPNEGO failed to acquire creds" +msgstr "" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1823 +msgid "SPNEGO acceptor did not select a mechanism" +msgstr "" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1828 +msgid "SPNEGO failed to negotiate a mechanism" +msgstr "" + +#: ../../src/lib/gssapi/spnego/spnego_mech.c:1833 +msgid "SPNEGO acceptor did not return a valid token" +msgstr "" + +#: ../../src/lib/kadm5/logger.c:54 #, c-format -msgid "Deleting KDC database of '%s', are you sure?\n" +msgid "%s: cannot parse <%s>\n" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1485 +#: ../../src/lib/kadm5/logger.c:55 #, c-format -msgid "OK, deleting database of '%s'...\n" +msgid "%s: warning - logging entry syntax error\n" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1518 +#: ../../src/lib/kadm5/logger.c:56 #, c-format -msgid "deleting database of '%s'" +msgid "%s: error writing to %s\n" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1523 +#: ../../src/lib/kadm5/logger.c:57 #, c-format -msgid "** Database of '%s' destroyed.\n" +msgid "%s: error writing to %s device\n" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:78 -msgid "ldap_service_password_file not configured" +#: ../../src/lib/kadm5/logger.c:59 +msgid "EMERGENCY" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:124 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:131 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:139 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:145 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:173 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:252 -msgid "while setting service object password" +#: ../../src/lib/kadm5/logger.c:60 +msgid "ALERT" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:152 -msgid "while getting service password filename" +#: ../../src/lib/kadm5/logger.c:61 +msgid "CRITICAL" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:165 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477 -#, c-format -msgid "Password for \"%s\"" +#: ../../src/lib/kadm5/logger.c:62 +msgid "Error" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:168 +#: ../../src/lib/kadm5/logger.c:63 +msgid "Warning" +msgstr "" + +#: ../../src/lib/kadm5/logger.c:64 +msgid "Notice" +msgstr "" + +#: ../../src/lib/kadm5/logger.c:65 +msgid "info" +msgstr "" + +#: ../../src/lib/kadm5/logger.c:66 +msgid "debug" +msgstr "" + +#: ../../src/lib/kadm5/logger.c:784 #, c-format -msgid "Re-enter password for \"%s\"" +msgid "Couldn't open log file %s: %s\n" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:179 +#: ../../src/lib/kadm5/srv/kadm5_hook.c:120 #, c-format -msgid "%s: Invalid password\n" +msgid "kadm5_hook %s failed postcommit %s: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:195 -msgid "Failed to convert the password to hexadecimal" +#: ../../src/lib/kadm5/srv/pwqual_dict.c:106 +msgid "No dictionary file specified, continuing without one." msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:208 +#: ../../src/lib/kadm5/srv/pwqual_dict.c:113 #, c-format -msgid "Failed to open file %s: %s" +msgid "WARNING! Cannot find dictionary file %s, continuing without one." msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:230 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:272 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:281 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:308 -msgid "Failed to write service object password to file" +#: ../../src/lib/kadm5/srv/pwqual_empty.c:42 +msgid "Empty passwords are not allowed" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:236 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:293 -msgid "Error reading service object password file" +#: ../../src/lib/kadm5/srv/pwqual_hesiod.c:114 +msgid "Password may not match user information." msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:261 -#, c-format -msgid "Error creating file %s" +#: ../../src/lib/kadm5/srv/pwqual_princ.c:54 +msgid "Password may not match principal name" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 +#: ../../src/lib/kadm5/srv/server_kdb.c:195 +msgid "History entry contains no key data" +msgstr "" + +#: ../../src/lib/kadm5/srv/server_misc.c:128 #, c-format -msgid "" -"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" -"\tcmd [cmd_options]\n" -"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" -"containerref container_reference_dn]\n" -"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" -"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" -"containerref container_reference_dn]\n" -"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" -"\t\t[ticket_flags] [-r realm]\n" -"view [-r realm]\n" -"destroy [-f] [-r realm]\n" -"list\n" -"stashsrvpw [-f filename] service_dn\n" -"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" -"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" -"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" -"view_policy [-r realm] policy\n" -"destroy_policy [-r realm] [-force] policy\n" -"list_policy [-r realm]\n" +msgid "password quality module %s rejected password for %s: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 -msgid "while reading ldap parameters" +#: ../../src/lib/kdb/kdb5.c:216 +msgid "No default realm set; cannot initialize KDB" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 -msgid "while initializing error handling" +#: ../../src/lib/kdb/kdb5.c:368 +#, c-format +msgid "Unable to find requested database type: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 -msgid "while initializing ldap handle" +#: ../../src/lib/kdb/kdb5.c:448 ../lib/krb5/error_tables/kdb5_err.c:55 +msgid "Unable to find requested database type" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 -msgid "while retrieving ldap configuration" +#: ../../src/lib/kdb/kdb5.c:456 +msgid "plugin symbol 'kdb_function_table' lookup failed" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 -msgid "while initializing server list" +#: ../../src/lib/kdb/kdb5.c:464 +#, c-format +msgid "" +"Unable to load requested database module '%s': plugin symbol " +"'kdb_function_table' not found" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 -msgid "while setting up lib handle" +#: ../../src/lib/kdb/kdb5.c:602 +msgid "Cannot initialize database library" msgstr "" -#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 -msgid "while reading ldap configuration" +#: ../../src/lib/kdb/kdb5.c:1762 +#, c-format +msgid "Illegal version number for KRB5_TL_MKEY_AUX %d\n" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 -msgid "Unable to read Kerberos container" +#: ../../src/lib/kdb/kdb5.c:1934 +#, c-format +msgid "Illegal version number for KRB5_TL_ACTKVNO %d\n" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:73 -msgid "Unable to read Realm" +#: ../../src/lib/kdb/kdb_default.c:164 +#, c-format +msgid "keyfile (%s) is not a regular file: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:214 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 -msgid "Error processing LDAP DB params" +#: ../../src/lib/kdb/kdb_default.c:177 +msgid "Could not create temp keytab file name." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:220 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:79 -msgid "Error reading LDAP server params" +#: ../../src/lib/kdb/kdb_default.c:202 +#, c-format +msgid "Temporary stash file already exists: %s." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 -msgid "LDAP bind dn value missing" +#: ../../src/lib/kdb/kdb_default.c:230 +#, c-format +msgid "rename of temporary keyfile (%s) to (%s) failed: %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 -msgid "LDAP bind password value missing" +#: ../../src/lib/kdb/kdb_default.c:415 +#, c-format +msgid "Can not fetch master key (error: %s)." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:78 -msgid "Error reading password from stash" +#: ../../src/lib/kdb/kdb_default.c:483 +msgid "Unable to decrypt latest master key with the provided master key\n" +msgstr "" + +#: ../../src/lib/kdb/kdb_log.c:87 +msgid "could not sync ulog update to disk" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 -msgid "Service password length is zero" +#: ../../src/lib/kdb/kdb_log.c:101 +msgid "could not sync ulog header to disk" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 +#: ../../src/lib/krb5/ccache/cc_dir.c:122 #, c-format -msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" +msgid "Subsidiary cache path %s has no parent directory" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 +#: ../../src/lib/krb5/ccache/cc_dir.c:128 #, c-format -msgid "Cannot bind to LDAP server '%s' as '%s': %s" +msgid "Subsidiary cache path %s filename does not begin with \"tkt\"" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 +#: ../../src/lib/krb5/ccache/cc_dir.c:169 #, c-format -msgid "Cannot create LDAP handle for '%s': %s" +msgid "%s contains invalid filename" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:129 -msgid "could not complete roll-back, error deleting Kerberos Container" +#: ../../src/lib/krb5/ccache/cc_dir.c:229 +#, c-format +msgid "Credential cache directory %s does not exist" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 -msgid "Error reading kerberos container location from krb5.conf" +#: ../../src/lib/krb5/ccache/cc_dir.c:235 +#, c-format +msgid "Credential cache directory %s exists but is not a directory" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75 -msgid "Kerberos container location not specified" +#: ../../src/lib/krb5/ccache/cc_dir.c:400 +msgid "" +"Can't create new subsidiary cache because default cache is not a directory " +"collection" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:56 +#: ../../src/lib/krb5/ccache/cc_kcm.c:756 #, c-format -msgid "Error reading '%s' attribute: %s" +msgid "Credentials cache 'KCM:%s' not found" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:219 -msgid "KDB module requires -update argument" +#: ../../src/lib/krb5/ccache/cc_keyring.c:1151 +msgid "" +"Can't create new subsidiary cache because default cache is already a " +"subsidiary" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:225 +#: ../../src/lib/krb5/ccache/cc_keyring.c:1219 #, c-format -msgid "'%s' value missing" +msgid "Credentials cache keyring '%s' not found" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:283 +#: ../../src/lib/krb5/ccache/cccursor.c:213 #, c-format -msgid "unknown option '%s'" +msgid "Can't find client principal %s in cache collection" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:343 -msgid "Minimum connections required per server is 2" +#: ../../src/lib/krb5/ccache/cccursor.c:293 +msgid "No Kerberos credentials available" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159 -msgid "Default realm not set" +#: ../../src/lib/krb5/ccache/cccursor.c:299 +#, c-format +msgid "No Kerberos credentials available (default cache: %s)" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:261 -msgid "DN information missing" +#: ../../src/lib/krb5/keytab/kt_file.c:406 +#, c-format +msgid "No key table entry found for %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:473 -msgid "dn information missing" +#: ../../src/lib/krb5/keytab/kt_file.c:823 +#: ../../src/lib/krb5/keytab/kt_file.c:856 +msgid "Cannot change keytab with keytab iterators active" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:137 -msgid "Principal does not belong to realm" +#: ../../src/lib/krb5/keytab/kt_file.c:1046 +#, c-format +msgid "Key table file '%s' not found" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:308 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:317 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:325 +#: ../../src/lib/krb5/keytab/ktfns.c:127 #, c-format -msgid "%s option not supported" +msgid "Keytab %s is nonexistent or empty" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:332 -#, c-format -msgid "unknown option: %s" +#: ../../src/lib/krb5/krb/chpw.c:250 +msgid "Malformed request error" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:339 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:346 -#, c-format -msgid "%s option value missing" +#: ../../src/lib/krb5/krb/chpw.c:253 ../lib/krb5/error_tables/kdb5_err.c:58 +msgid "Server error" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:696 -msgid "Principal does not belong to the default realm" +#: ../../src/lib/krb5/krb/chpw.c:256 +msgid "Authentication error" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:764 -#, c-format -msgid "" -"operation can not continue, more than one entry with principal name \"%s\" " -"found" +#: ../../src/lib/krb5/krb/chpw.c:259 +msgid "Password change rejected" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:827 -#, c-format -msgid "'%s' not found" +#: ../../src/lib/krb5/krb/chpw.c:262 +msgid "Access denied" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:904 -msgid "DN is out of the realm subtree" +#: ../../src/lib/krb5/krb/chpw.c:265 +msgid "Wrong protocol version" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:960 -#, c-format -msgid "ldap object is already kerberized" +#: ../../src/lib/krb5/krb/chpw.c:268 +msgid "Initial password required" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:980 -#, c-format +#: ../../src/lib/krb5/krb/chpw.c:271 +msgid "Success" +msgstr "" + +#: ../../src/lib/krb5/krb/chpw.c:274 ../lib/krb5/error_tables/krb5_err.c:257 +msgid "Password change failed" +msgstr "" + +#: ../../src/lib/krb5/krb/chpw.c:431 msgid "" -"link information can not be set/updated as the kerberos principal belongs to " -"an ldap object" +"The password must include numbers or symbols. Don't include any part of " +"your name in the password." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:995 +#: ../../src/lib/krb5/krb/chpw.c:437 #, c-format -msgid "Failed getting object references" -msgstr "" +msgid "The password must contain at least %d character." +msgid_plural "The password must contain at least %d characters." +msgstr[0] "" +msgstr[1] "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1002 +#: ../../src/lib/krb5/krb/chpw.c:446 #, c-format -msgid "kerberos principal is already linked to a ldap object" -msgstr "" +msgid "The password must be different from the previous password." +msgid_plural "The password must be different from the previous %d passwords." +msgstr[0] "" +msgstr[1] "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1340 -msgid "ticket policy object value: " +#: ../../src/lib/krb5/krb/chpw.c:458 +#, c-format +msgid "The password can only be changed once a day." +msgid_plural "The password can only be changed every %d days." +msgstr[0] "" +msgstr[1] "" + +#: ../../src/lib/krb5/krb/chpw.c:504 +msgid "Try a more complex password, or contact your administrator." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1388 -#, c-format -msgid "Principal delete failed (trying to replace entry): %s" +#: ../../src/lib/krb5/krb/fast.c:216 +msgid "Error constructing AP-REQ armor" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1398 -#, c-format -msgid "Principal add failed: %s" +#: ../../src/lib/krb5/krb/fast.c:394 +msgid "Failed to decrypt FAST reply" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1436 -#, c-format -msgid "User modification failed: %s" +#: ../../src/lib/krb5/krb/fast.c:400 +msgid "nonce modified in FAST response: KDC response modified" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1509 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 -msgid "Error reading ticket policy" +#: ../../src/lib/krb5/krb/fast.c:466 +msgid "Expecting FX_ERROR pa-data inside FAST container" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1639 -msgid "unable to decode stored principal key data" +#: ../../src/lib/krb5/krb/fast.c:537 +msgid "FAST response missing finish message in KDC reply" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1697 -msgid "unable to decode stored principal pw history" +#: ../../src/lib/krb5/krb/fast.c:550 +msgid "Ticket modified in KDC reply" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 -msgid "Realm information not available" +#: ../../src/lib/krb5/krb/gc_via_tkt.c:198 +#, c-format +msgid "KDC returned error string: %.*s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:306 +#: ../../src/lib/krb5/krb/gc_via_tkt.c:207 #, c-format -msgid "Realm Delete FAILED: %s" +msgid "Server %s not found in Kerberos database" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:386 -msgid "subtree value: " +#: ../../src/lib/krb5/krb/get_in_tkt.c:202 +msgid "Reply has wrong form of session key for anonymous request" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:403 -msgid "container reference value: " +#: ../../src/lib/krb5/krb/get_in_tkt.c:1704 +msgid "Failed to store credentials" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:486 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:549 -msgid "Kerberos Container information is missing" +#: ../../src/lib/krb5/krb/get_in_tkt.c:1793 +#, c-format +msgid "Client '%s' not found in Kerberos database" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:498 -msgid "Invalid Kerberos container DN" +#: ../../src/lib/krb5/krb/gic_keytab.c:207 +#, c-format +msgid "Keytab contains no suitable keys for %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:514 +#: ../../src/lib/krb5/krb/gic_pwd.c:75 #, c-format -msgid "Kerberos Container create FAILED: %s" +msgid "Password for %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:557 +#: ../../src/lib/krb5/krb/gic_pwd.c:227 #, c-format -msgid "Kerberos Container delete FAILED: %s" +msgid "Warning: Your password will expire in less than one hour on %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:633 -msgid "realm object value: " +#: ../../src/lib/krb5/krb/gic_pwd.c:231 +#, c-format +msgid "Warning: Your password will expire in %d hour%s on %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 -msgid "Not a hexadecimal password" +#: ../../src/lib/krb5/krb/gic_pwd.c:235 +#, c-format +msgid "Warning: Your password will expire in %d days on %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:66 -msgid "Password corrupt" +#: ../../src/lib/krb5/krb/gic_pwd.c:408 +msgid "Password expired. You must change it now." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:93 +#: ../../src/lib/krb5/krb/gic_pwd.c:427 ../../src/lib/krb5/krb/gic_pwd.c:431 #, c-format -msgid "Cannot open LDAP password file '%s': %s" +msgid "%s. Please try again." msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:123 +#: ../../src/lib/krb5/krb/gic_pwd.c:472 #, c-format -msgid "Bind DN entry '%s' missing in LDAP password file '%s'" +msgid "%.*s%s%s. Please try again.\n" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:66 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:142 -msgid "Ticket Policy Name missing" +#: ../../src/lib/krb5/krb/parse.c:203 +#, c-format +msgid "Principal %s is missing required realm" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:154 -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:231 -msgid "ticket policy object: " +#: ../../src/lib/krb5/krb/parse.c:215 +#, c-format +msgid "Principal %s has realm present" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:219 -msgid "Ticket Policy Object information missing" +#: ../../src/lib/krb5/krb/plugin.c:169 +#, c-format +msgid "Invalid module specifier %s" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:311 -msgid "Ticket Policy Object DN missing" +#: ../../src/lib/krb5/krb/plugin.c:406 +#, c-format +msgid "Could not find %s plugin module named '%s'" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:338 -msgid "Delete Failed: One or more Principals associated with the Ticket Policy" +#: ../../src/lib/krb5/krb/preauth2.c:309 +msgid "krb5_init_creds calls must use same library context" msgstr "" -#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:447 -msgid "Error reading container object" +#: ../../src/lib/krb5/krb/preauth2.c:717 +msgid "Pre-authentication failed" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_nss.c:667 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:775 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4337 -msgid "Pass phrase for" +#: ../../src/lib/krb5/krb/preauth2.c:1098 +msgid "Unable to initialize preauth context" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:502 +#: ../../src/lib/krb5/krb/preauth2.c:1111 #, c-format -msgid "%s: %s" +msgid "Preauth module %s" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:532 -#, c-format -msgid "%s (depth %d): %s" +#: ../../src/lib/krb5/krb/preauth_encts.c:71 +msgid "Encrypted timestamp is disabled" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1105 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1115 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1388 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1398 -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1941 -msgid "Failed to DER encode PKCS7" +#: ../../src/lib/krb5/krb/preauth_otp.c:515 +msgid "Please choose from the following:\n" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1206 -msgid "Failed to verify own certificate" +#: ../../src/lib/krb5/krb/preauth_otp.c:516 +msgid "Vendor:" +msgstr "" + +#: ../../src/lib/krb5/krb/preauth_otp.c:528 +msgid "Enter #" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1372 -msgid "Failed to add digest attribute" +#: ../../src/lib/krb5/krb/preauth_otp.c:564 +msgid "OTP Challenge:" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1502 -msgid "Failed to decode CMS message" +#: ../../src/lib/krb5/krb/preauth_otp.c:593 +msgid "OTP Token PIN" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1520 -msgid "Invalid pkinit packet: octet string expected" +#: ../../src/lib/krb5/krb/preauth_otp.c:707 +msgid "OTP value doesn't match any token formats" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1538 -msgid "wrong oid\n" +#: ../../src/lib/krb5/krb/preauth_otp.c:774 +msgid "Enter OTP Token Value" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1690 -msgid "Failed to verify received certificate" +#: ../../src/lib/krb5/krb/preauth_otp.c:920 +msgid "No supported tokens" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1728 -msgid "Failed to verify CMS message" +#: ../../src/lib/krb5/krb/preauth_sam2.c:49 +msgid "Challenge for Enigma Logic mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1916 -msgid "Failed to encrypt PKCS7 object" +#: ../../src/lib/krb5/krb/preauth_sam2.c:53 +msgid "Challenge for Digital Pathways mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1991 -msgid "Failed to decode PKCS7" +#: ../../src/lib/krb5/krb/preauth_sam2.c:57 +msgid "Challenge for Activcard mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:2008 -msgid "Failed to decrypt PKCS7 message" +#: ../../src/lib/krb5/krb/preauth_sam2.c:60 +msgid "Challenge for Enhanced S/Key mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4457 -#, c-format -msgid "Cannot read certificate file '%s'" +#: ../../src/lib/krb5/krb/preauth_sam2.c:63 +msgid "Challenge for Traditional S/Key mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4464 -#, c-format -msgid "Cannot read key file '%s'" +#: ../../src/lib/krb5/krb/preauth_sam2.c:66 +#: ../../src/lib/krb5/krb/preauth_sam2.c:69 +msgid "Challenge for Security Dynamics mechanism" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5454 -#, c-format -msgid "Cannot open file '%s'" +#: ../../src/lib/krb5/krb/preauth_sam2.c:72 +msgid "Challenge from authentication server" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5461 -#, c-format -msgid "Cannot read file '%s'" +#: ../../src/lib/krb5/krb/preauth_sam2.c:166 +msgid "SAM Authentication" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:6136 +#: ../../src/lib/krb5/krb/rd_req_dec.c:145 #, c-format -msgid "unknown code 0x%x" +msgid "Cannot find key for %s kvno %d in keytab" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:424 +#: ../../src/lib/krb5/krb/rd_req_dec.c:150 #, c-format -msgid "Unsupported type while processing '%s'\n" -msgstr "" - -#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:465 -msgid "Internal error parsing X509_user_identity\n" +msgid "Cannot find key for %s kvno %d in keytab (request ticket server %s)" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:560 -msgid "No user identity options specified" +#: ../../src/lib/krb5/krb/rd_req_dec.c:175 +#, c-format +msgid "Cannot decrypt ticket for %s using keytab key for %s" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:415 -msgid "Pkinit request not signed, but client not anonymous." +#: ../../src/lib/krb5/krb/rd_req_dec.c:197 +#, c-format +msgid "Server principal %s does not match request ticket server %s" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:453 -msgid "Anonymous pkinit without DH public value not supported." +#: ../../src/lib/krb5/krb/rd_req_dec.c:226 +msgid "No keys in keytab" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1162 +#: ../../src/lib/krb5/krb/rd_req_dec.c:229 #, c-format -msgid "No pkinit_identity supplied for realm %s" +msgid "Server principal %s does not match any keys in keytab" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1173 +#: ../../src/lib/krb5/krb/rd_req_dec.c:236 #, c-format -msgid "No pkinit_anchors supplied for realm %s" +msgid "" +"Request ticket server %s found in keytab but does not match server principal " +"%s" msgstr "" -#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1364 -msgid "No realms configured correctly for pkinit support" +#: ../../src/lib/krb5/krb/rd_req_dec.c:241 +#, c-format +msgid "Request ticket server %s not found in keytab (ticket kvno %d)" msgstr "" -#: ../../src/slave/kprop.c:85 +#: ../../src/lib/krb5/krb/rd_req_dec.c:247 #, c-format msgid "" -"\n" -"Usage: %s [-r realm] [-f file] [-d] [-P port] [-s srvtab] slave_host\n" -"\n" +"Request ticket server %s kvno %d not found in keytab; ticket is likely out " +"of date" msgstr "" -#: ../../src/slave/kprop.c:114 +#: ../../src/lib/krb5/krb/rd_req_dec.c:252 #, c-format -msgid "Database propagation to %s: SUCCEEDED\n" -msgstr "" - -#: ../../src/slave/kprop.c:197 -msgid "while setting client principal name" -msgstr "" - -#: ../../src/slave/kprop.c:206 -msgid "while setting server principal name" +msgid "" +"Request ticket server %s kvno %d not found in keytab; keytab is likely out " +"of date" msgstr "" -#: ../../src/slave/kprop.c:219 -msgid "while resolving keytab" +#: ../../src/lib/krb5/krb/rd_req_dec.c:261 +#, c-format +msgid "" +"Request ticket server %s kvno %d found in keytab but not with enctype %s" msgstr "" -#: ../../src/slave/kprop.c:227 -msgid "while getting initial credentials\n" +#: ../../src/lib/krb5/krb/rd_req_dec.c:266 +#, c-format +msgid "" +"Request ticket server %s kvno %d enctype %s found in keytab but cannot " +"decrypt ticket" msgstr "" -#: ../../src/slave/kprop.c:263 -msgid "while creating socket" +#: ../../src/lib/krb5/krb/rd_req_dec.c:871 +#, c-format +msgid "Encryption type %s not permitted" msgstr "" -#: ../../src/slave/kprop.c:279 -msgid "while converting server address" +#: ../../src/lib/krb5/os/expand_path.c:316 +#, c-format +msgid "Can't find username for uid %lu" msgstr "" -#: ../../src/slave/kprop.c:289 -msgid "while connecting to server" +#: ../../src/lib/krb5/os/expand_path.c:405 +#: ../../src/lib/krb5/os/expand_path.c:421 +msgid "Invalid token" msgstr "" -#: ../../src/slave/kprop.c:296 ../../src/slave/kpropd.c:1204 -msgid "while getting local socket address" +#: ../../src/lib/krb5/os/expand_path.c:506 +msgid "variable missing }" msgstr "" -#: ../../src/slave/kprop.c:301 -msgid "while converting local address" +#: ../../src/lib/krb5/os/locate_kdc.c:813 +#, c-format +msgid "Cannot find KDC for realm \"%.*s\"" msgstr "" -#: ../../src/slave/kprop.c:324 -msgid "in krb5_auth_con_setaddrs" +#: ../../src/lib/krb5/os/sendto_kdc.c:519 +#, c-format +msgid "Cannot contact any KDC for realm '%.*s'" msgstr "" -#: ../../src/slave/kprop.c:332 -msgid "while authenticating to server" +#: ../../src/lib/krb5/rcache/rc_io.c:106 +#, c-format +msgid "Cannot fstat replay cache file %s: %s" msgstr "" -#: ../../src/slave/kprop.c:336 ../../src/slave/kprop.c:535 -#: ../../src/slave/kpropd.c:1510 +#: ../../src/lib/krb5/rcache/rc_io.c:112 #, c-format -msgid "Generic remote error: %s\n" +msgid "" +"Insecure mkstemp() file mode for replay cache file %s; try running this " +"program with umask 077" msgstr "" -#: ../../src/slave/kprop.c:342 ../../src/slave/kprop.c:541 -msgid "signalled from server" +#: ../../src/lib/krb5/rcache/rc_io.c:140 +#, c-format +msgid "Cannot %s replay cache file %s: %s" msgstr "" -#: ../../src/slave/kprop.c:344 ../../src/slave/kprop.c:543 +#: ../../src/lib/krb5/rcache/rc_io.c:145 #, c-format -msgid "Error text from server: %s\n" +msgid "Cannot %s replay cache: %s" msgstr "" -#: ../../src/slave/kprop.c:372 +#: ../../src/lib/krb5/rcache/rc_io.c:268 #, c-format -msgid "allocating database file name '%s'" +msgid "Insecure file mode for replay cache file %s" msgstr "" -#: ../../src/slave/kprop.c:378 +#: ../../src/lib/krb5/rcache/rc_io.c:274 #, c-format -msgid "while trying to open %s" +msgid "rcache not owned by %d" msgstr "" -#: ../../src/slave/kprop.c:385 -msgid "database locked" +#: ../../src/lib/krb5/rcache/rc_io.c:398 ../../src/lib/krb5/rcache/rc_io.c:402 +#: ../../src/lib/krb5/rcache/rc_io.c:407 +#, c-format +msgid "Can't write to replay cache: %s" msgstr "" -#: ../../src/slave/kprop.c:388 ../../src/slave/kpropd.c:529 +#: ../../src/lib/krb5/rcache/rc_io.c:428 #, c-format -msgid "while trying to lock '%s'" +msgid "Cannot sync replay cache file: %s" msgstr "" -#: ../../src/slave/kprop.c:392 ../../src/slave/kprop.c:400 +#: ../../src/lib/krb5/rcache/rc_io.c:447 #, c-format -msgid "while trying to stat %s" +msgid "Can't read from replay cache: %s" msgstr "" -#: ../../src/slave/kprop.c:396 -msgid "while trying to malloc data_ok_fn" +#: ../../src/lib/krb5/rcache/rc_io.c:478 ../../src/lib/krb5/rcache/rc_io.c:484 +#: ../../src/lib/krb5/rcache/rc_io.c:489 +#, c-format +msgid "Can't destroy replay cache: %s" msgstr "" -#: ../../src/slave/kprop.c:405 +#: ../../src/plugins/kdb/db2/kdb_db2.c:245 +#: ../../src/plugins/kdb/db2/kdb_db2.c:819 #, c-format -msgid "'%s' more recent than '%s'." +msgid "Unsupported argument \"%s\" for db2" msgstr "" -#: ../../src/slave/kprop.c:421 +#: ../../src/plugins/kdb/db2/kdb_db2.c:387 #, c-format -msgid "while unlocking database '%s'" +msgid "Cannot open DB2 database '%s'" msgstr "" -#: ../../src/slave/kprop.c:454 ../../src/slave/kprop.c:455 -msgid "while encoding database size" +#: ../../src/plugins/kdb/db2/kdb_db2.c:989 +msgid "Recursive iteration is not supported for hash databases" msgstr "" -#: ../../src/slave/kprop.c:463 -msgid "while sending database size" +#: ../../src/plugins/kdb/db2/kdb_db2.c:996 +msgid "Recursive iteration not supported in this version of libdb" msgstr "" -#: ../../src/slave/kprop.c:473 -msgid "while allocating i_vector" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:69 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:893 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1094 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1501 +msgid "while reading kerberos container information" msgstr "" -#: ../../src/slave/kprop.c:496 -#, c-format -msgid "while sending database block starting at %d" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:129 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:143 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:504 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:518 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:151 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:166 +msgid "while providing time specification" msgstr "" -#: ../../src/slave/kprop.c:506 -msgid "Premature EOF found for database file!" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:268 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:304 +msgid "while creating policy object" msgstr "" -#: ../../src/slave/kprop.c:519 -msgid "while reading response from server" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:279 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1509 +msgid "while reading realm information" msgstr "" -#: ../../src/slave/kprop.c:530 -msgid "while decoding error response from server" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:348 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:407 +msgid "while destroying policy object" msgstr "" -#: ../../src/slave/kprop.c:561 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:358 #, c-format -msgid "Kpropd sent database size %d, expecting %d" +msgid "This will delete the policy object '%s', are you sure?\n" msgstr "" -#: ../../src/slave/kprop.c:606 -msgid "while allocating filename for update_last_prop_file" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:473 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:663 +msgid "while modifying policy object" msgstr "" -#: ../../src/slave/kprop.c:611 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:487 #, c-format -msgid "while creating 'last_prop' file, '%s'" +msgid "while reading information of policy '%s'" msgstr "" -#: ../../src/slave/kpropd.c:170 -#, c-format -msgid "" -"\n" -"Usage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:692 +msgid "while viewing policy" msgstr "" -#: ../../src/slave/kpropd.c:172 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:701 #, c-format -msgid "\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n" +msgid "while viewing policy '%s'" msgstr "" -#: ../../src/slave/kpropd.c:173 -#, c-format -msgid "\t[-x db_args]* [-P port] [-a acl_file]\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_policy.c:835 +msgid "while listing policy objects" msgstr "" -#: ../../src/slave/kpropd.c:174 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:453 #, c-format -msgid "\t[-A admin_server]\n" +msgid "for subtree while creating realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:215 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:465 #, c-format -msgid "Killing fullprop child (%d)\n" -msgstr "" - -#: ../../src/slave/kpropd.c:244 -msgid "while checking if stdin is a socket" +msgid "for container reference while creating realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:262 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:490 #, c-format -msgid "ready\n" +msgid "invalid search scope while creating realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:272 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:505 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:829 #, c-format -msgid "Could not open /dev/null: %s" +msgid "'%s' is an invalid option\n" msgstr "" -#: ../../src/slave/kpropd.c:279 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:513 #, c-format -msgid "Could not dup the inetd socket: %s" -msgstr "" - -#: ../../src/slave/kpropd.c:314 ../../src/slave/kpropd.c:327 -msgid "do_iprop failed.\n" +msgid "Initializing database for realm '%s'\n" msgstr "" -#: ../../src/slave/kpropd.c:366 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:537 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:698 #, c-format -msgid "getaddrinfo: %s\n" -msgstr "" - -#: ../../src/slave/kpropd.c:372 -msgid "while obtaining socket" +msgid "while creating realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:378 -msgid "while setting SO_REUSEADDR option" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:557 +#, c-format +msgid "Enter DN of Kerberos container: " msgstr "" -#: ../../src/slave/kpropd.c:386 -msgid "while unsetting IPV6_V6ONLY option" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:592 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:900 +#, c-format +msgid "while reading information of realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:391 -msgid "while binding listener socket" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:736 +msgid "while reading Kerberos container information" msgstr "" -#: ../../src/slave/kpropd.c:402 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:779 #, c-format -msgid "waiting for a kprop connection\n" +msgid "for subtree while modifying realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:408 -msgid "while accepting connection" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:790 +#, c-format +msgid "for container reference while modifying realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:414 -msgid "while forking" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:818 +#, c-format +msgid "specified for search scope while modifying information of realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:429 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:857 #, c-format -msgid "waitpid() failed to wait for doit() (%d %s)\n" +msgid "while modifying information of realm '%s'" msgstr "" -#: ../../src/slave/kpropd.c:433 -msgid "while waiting to receive database" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:946 +msgid "Realm Name" msgstr "" -#: ../../src/slave/kpropd.c:437 -#, c-format -msgid "Database load process for full propagation completed.\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:949 +msgid "Subtree" msgstr "" -#: ../../src/slave/kpropd.c:475 -#, c-format -msgid "" -"%s: Standard input does not appear to be a network socket.\n" -"\t(Not run from inetd, and missing the -S option?)\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:952 +msgid "Principal Container Reference" msgstr "" -#: ../../src/slave/kpropd.c:489 -msgid "while attempting setsockopt (SO_KEEPALIVE)" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:957 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:959 +msgid "SearchScope" msgstr "" -#: ../../src/slave/kpropd.c:494 -#, c-format -msgid "Connection from %s" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:957 +msgid "Invalid !" msgstr "" -#: ../../src/slave/kpropd.c:514 -#, c-format -msgid "Rejected connection from unauthorized principal %s\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:964 +msgid "KDC Services" msgstr "" -#: ../../src/slave/kpropd.c:518 -#, c-format -msgid "Rejected connection from unauthorized principal %s" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:979 +msgid "Admin Services" msgstr "" -#: ../../src/slave/kpropd.c:535 -#, c-format -msgid "while opening database file, '%s'" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:994 +msgid "Passwd Services" msgstr "" -#: ../../src/slave/kpropd.c:541 -#, c-format -msgid "while renaming %s to %s" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1010 +msgid "Maximum Ticket Life" msgstr "" -#: ../../src/slave/kpropd.c:547 -#, c-format -msgid "while downgrading lock on '%s'" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1015 +msgid "Maximum Renewable Life" msgstr "" -#: ../../src/slave/kpropd.c:554 -#, c-format -msgid "while unlocking '%s'" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1022 +msgid "Ticket flags" msgstr "" -#: ../../src/slave/kpropd.c:566 -msgid "while sending # of received bytes" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1101 +msgid "while listing realms" msgstr "" -#: ../../src/slave/kpropd.c:572 -msgid "while trying to close database file" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1433 +msgid "while adding entries to database" msgstr "" -#: ../../src/slave/kpropd.c:628 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1474 #, c-format -msgid "Incremental propagation enabled\n" +msgid "Deleting KDC database of '%s', are you sure?\n" msgstr "" -#: ../../src/slave/kpropd.c:639 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1485 #, c-format -msgid "%s: unable to get kiprop host based service name for realm %s\n" +msgid "OK, deleting database of '%s'...\n" msgstr "" -#: ../../src/slave/kpropd.c:650 -msgid "while trying to construct host service principal" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1518 +#, c-format +msgid "deleting database of '%s'" msgstr "" -#: ../../src/slave/kpropd.c:669 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_realm.c:1523 #, c-format -msgid "Initializing kadm5 as client %s\n" +msgid "** Database of '%s' destroyed.\n" msgstr "" -#: ../../src/slave/kpropd.c:683 -#, c-format -msgid "kadm5 initialization failed!\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:79 +msgid "ldap_service_password_file not configured" msgstr "" -#: ../../src/slave/kpropd.c:692 -msgid "while attempting to connect to master KDC ... retrying" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:124 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:131 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:139 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:145 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:173 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:243 +msgid "while setting service object password" msgstr "" -#: ../../src/slave/kpropd.c:696 -#, c-format -msgid "Sleeping %d seconds to re-initialize kadm5 (RPC ERROR)\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:152 +msgid "while getting service password filename" msgstr "" -#: ../../src/slave/kpropd.c:712 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:165 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:477 #, c-format -msgid "while initializing %s interface, retrying" +msgid "Password for \"%s\"" msgstr "" -#: ../../src/slave/kpropd.c:716 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:168 #, c-format -msgid "Sleeping %d seconds to re-initialize kadm5 (krb5kdc not running?)\n" +msgid "Re-enter password for \"%s\"" msgstr "" -#: ../../src/slave/kpropd.c:726 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:179 #, c-format -msgid "kadm5 initialization succeeded\n" +msgid "%s: Invalid password\n" msgstr "" -#: ../../src/slave/kpropd.c:748 -msgid "reading update log header" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:189 +msgid "Failed to convert the password to hexadecimal" msgstr "" -#: ../../src/slave/kpropd.c:759 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:199 #, c-format -msgid "Calling iprop_get_updates_1 (sno=%u sec=%u usec=%u)\n" +msgid "Failed to open file %s: %s" msgstr "" -#: ../../src/slave/kpropd.c:769 -msgid "iprop_get_updates call failed" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:221 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:263 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:272 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:299 +msgid "Failed to write service object password to file" msgstr "" -#: ../../src/slave/kpropd.c:775 -#, c-format -msgid "Reinitializing iprop because get updates failed\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:227 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:284 +msgid "Error reading service object password file" msgstr "" -#: ../../src/slave/kpropd.c:796 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_services.c:252 #, c-format -msgid "Still waiting for full resync\n" +msgid "Error creating file %s" msgstr "" -#: ../../src/slave/kpropd.c:801 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:105 #, c-format -msgid "Full resync needed\n" +msgid "" +"Usage: kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldapuri]\n" +"\tcmd [cmd_options]\n" +"create [-subtrees subtree_dn_list] [-sscope search_scope] [-" +"containerref container_reference_dn]\n" +"\t\t[-m|-P password|-sf stashfilename] [-k mkeytype] [-kv mkeyVNO] [-s]\n" +"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" +"\t\t[ticket_flags] [-r realm]\n" +"modify [-subtrees subtree_dn_list] [-sscope search_scope] [-" +"containerref container_reference_dn]\n" +"\t\t[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life]\n" +"\t\t[ticket_flags] [-r realm]\n" +"view [-r realm]\n" +"destroy [-f] [-r realm]\n" +"list\n" +"stashsrvpw [-f filename] service_dn\n" +"create_policy [-r realm] [-maxtktlife max_ticket_life]\n" +"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" +"modify_policy [-r realm] [-maxtktlife max_ticket_life]\n" +"\t\t[-maxrenewlife max_renewable_ticket_life] [ticket_flags] policy\n" +"view_policy [-r realm] policy\n" +"destroy_policy [-r realm] [-force] policy\n" +"list_policy [-r realm]\n" msgstr "" -#: ../../src/slave/kpropd.c:802 -msgid "kpropd: Full resync needed." +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:325 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:333 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:341 +msgid "while reading ldap parameters" msgstr "" -#: ../../src/slave/kpropd.c:807 -msgid "iprop_full_resync call failed" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:439 +msgid "while initializing error handling" msgstr "" -#: ../../src/slave/kpropd.c:818 -#, c-format -msgid "Full resync request granted\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:447 +msgid "while initializing ldap handle" msgstr "" -#: ../../src/slave/kpropd.c:819 -msgid "Full resync request granted." +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:461 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:470 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:483 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:525 +msgid "while retrieving ldap configuration" msgstr "" -#: ../../src/slave/kpropd.c:828 -#, c-format -msgid "Exponential backoff\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:500 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:507 +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:516 +msgid "while initializing server list" msgstr "" -#: ../../src/slave/kpropd.c:834 -#, c-format -msgid "Full resync permission denied\n" +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:547 +msgid "while setting up lib handle" msgstr "" -#: ../../src/slave/kpropd.c:835 -msgid "Full resync, permission denied." +#: ../../src/plugins/kdb/ldap/ldap_util/kdb5_ldap_util.c:556 +msgid "while reading ldap configuration" msgstr "" -#: ../../src/slave/kpropd.c:840 -#, c-format -msgid "Full resync error from master\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:68 +msgid "Unable to read Kerberos container" msgstr "" -#: ../../src/slave/kpropd.c:841 -msgid " Full resync, error returned from master KDC." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:73 +msgid "Unable to read Realm" msgstr "" -#: ../../src/slave/kpropd.c:849 -#, c-format -msgid "Full resync invalid result from master\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:214 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:73 +msgid "Error processing LDAP DB params" msgstr "" -#: ../../src/slave/kpropd.c:851 -msgid "Full resync, invalid return from master KDC." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap.c:220 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:79 +msgid "Error reading LDAP server params" msgstr "" -#: ../../src/slave/kpropd.c:867 -#, c-format -msgid "Got incremental updates (sno=%u sec=%u usec=%u)\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:64 +msgid "LDAP bind dn value missing" msgstr "" -#: ../../src/slave/kpropd.c:879 -#, c-format -msgid "ulog_replay failed (%s), updates not registered\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:69 +msgid "LDAP bind password value missing" msgstr "" -#: ../../src/slave/kpropd.c:882 -#, c-format -msgid "ulog_replay failed (%s), updates not registered." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:78 +msgid "Error reading password from stash" +msgstr "" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:85 +msgid "Service password length is zero" msgstr "" -#: ../../src/slave/kpropd.c:891 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:145 #, c-format -msgid "Incremental updates: %d updates / %lu us" +msgid "Cannot bind to LDAP server '%s' with SASL mechanism '%s': %s" msgstr "" -#: ../../src/slave/kpropd.c:894 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:158 #, c-format -msgid "Incremental updates: %d updates / %lu us\n" +msgid "Cannot bind to LDAP server '%s' as '%s': %s" msgstr "" -#: ../../src/slave/kpropd.c:902 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/kdb_ldap_conn.c:183 #, c-format -msgid "get_updates permission denied\n" +msgid "Cannot create LDAP handle for '%s': %s" msgstr "" -#: ../../src/slave/kpropd.c:903 -msgid "get_updates, permission denied." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_create.c:129 +msgid "could not complete roll-back, error deleting Kerberos Container" msgstr "" -#: ../../src/slave/kpropd.c:908 -#, c-format -msgid "get_updates error from master\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:56 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:67 +msgid "Error reading kerberos container location from krb5.conf" msgstr "" -#: ../../src/slave/kpropd.c:909 -msgid "get_updates, error returned from master KDC." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_krbcontainer.c:75 +msgid "Kerberos container location not specified" msgstr "" -#: ../../src/slave/kpropd.c:917 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:56 #, c-format -msgid "get_updates master busy; backoff\n" +msgid "Error reading '%s' attribute: %s" +msgstr "" + +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:219 +msgid "KDB module requires -update argument" msgstr "" -#: ../../src/slave/kpropd.c:926 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:225 #, c-format -msgid "KDC is synchronized with master.\n" +msgid "'%s' value missing" msgstr "" -#: ../../src/slave/kpropd.c:934 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:283 #, c-format -msgid "get_updates invalid result from master\n" +msgid "unknown option '%s'" msgstr "" -#: ../../src/slave/kpropd.c:935 -msgid "get_updates, invalid return from master KDC." +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_misc.c:343 +msgid "Minimum connections required per server is 2" msgstr "" -#: ../../src/slave/kpropd.c:950 -#, c-format -msgid "Busy signal received from master, backoff for %d secs\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:159 +msgid "Default realm not set" msgstr "" -#: ../../src/slave/kpropd.c:957 -#, c-format -msgid "Waiting for %d seconds before checking for updates again\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:261 +msgid "DN information missing" msgstr "" -#: ../../src/slave/kpropd.c:968 -#, c-format -msgid "ERROR returned by master, bailing\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal.c:473 +msgid "dn information missing" msgstr "" -#: ../../src/slave/kpropd.c:969 -msgid "ERROR returned by master KDC, bailing.\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:137 +msgid "Principal does not belong to realm" msgstr "" -#: ../../src/slave/kpropd.c:1113 -msgid "copying db args" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:308 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:317 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:325 +#, c-format +msgid "%s option not supported" msgstr "" -#: ../../src/slave/kpropd.c:1138 -msgid "Unable to get default realm" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:332 +#, c-format +msgid "unknown option: %s" msgstr "" -#: ../../src/slave/kpropd.c:1145 -msgid "Unable to set default realm" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:339 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:346 +#, c-format +msgid "%s option value missing" msgstr "" -#: ../../src/slave/kpropd.c:1155 -msgid "while trying to construct my service name" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:671 +msgid "DN is out of the realm subtree" msgstr "" -#: ../../src/slave/kpropd.c:1162 -msgid "while allocating filename for temp file" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:703 +msgid "ldap object is already kerberized" msgstr "" -#: ../../src/slave/kpropd.c:1170 -msgid "while initializing" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:797 +msgid "Principal does not belong to the default realm" msgstr "" -#: ../../src/slave/kpropd.c:1178 -msgid "Unable to map log!\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:865 +#, c-format +msgid "" +"operation can not continue, more than one entry with principal name \"%s\" " +"found" msgstr "" -#: ../../src/slave/kpropd.c:1224 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:928 #, c-format -msgid "Error in krb5_auth_con_ini: %s" +msgid "'%s' not found" msgstr "" -#: ../../src/slave/kpropd.c:1232 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:992 #, c-format -msgid "Error in krb5_auth_con_setflags: %s" +msgid "" +"link information can not be set/updated as the kerberos principal belongs to " +"an ldap object" msgstr "" -#: ../../src/slave/kpropd.c:1240 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1007 #, c-format -msgid "Error in krb5_auth_con_setaddrs: %s" +msgid "Failed getting object references" msgstr "" -#: ../../src/slave/kpropd.c:1248 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1014 #, c-format -msgid "Error in krb5_kt_resolve: %s" +msgid "kerberos principal is already linked to a ldap object" msgstr "" -#: ../../src/slave/kpropd.c:1257 -#, c-format -msgid "Error in krb5_recvauth: %s" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1352 +msgid "ticket policy object value: " msgstr "" -#: ../../src/slave/kpropd.c:1264 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1400 #, c-format -msgid "Error in krb5_copy_prinicpal: %s" +msgid "Principal delete failed (trying to replace entry): %s" msgstr "" -#: ../../src/slave/kpropd.c:1280 -msgid "while unparsing ticket etype" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1410 +#, c-format +msgid "Principal add failed: %s" msgstr "" -#: ../../src/slave/kpropd.c:1284 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1448 #, c-format -msgid "authenticated client: %s (etype == %s)\n" +msgid "User modification failed: %s" msgstr "" -#: ../../src/slave/kpropd.c:1363 -msgid "while reading size of database from client" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1521 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:294 +msgid "Error reading ticket policy" msgstr "" -#: ../../src/slave/kpropd.c:1373 -msgid "while decoding database size from client" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1651 +msgid "unable to decode stored principal key data" msgstr "" -#: ../../src/slave/kpropd.c:1386 -msgid "while initializing i_vector" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c:1709 +msgid "unable to decode stored principal pw history" msgstr "" -#: ../../src/slave/kpropd.c:1391 -#, c-format -msgid "Full propagation transfer started.\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:223 +msgid "Realm information not available" msgstr "" -#: ../../src/slave/kpropd.c:1444 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:306 #, c-format -msgid "Full propagation transfer finished.\n" -msgstr "" - -#: ../../src/slave/kpropd.c:1505 -msgid "while decoding error packet from client" +msgid "Realm Delete FAILED: %s" msgstr "" -#: ../../src/slave/kpropd.c:1514 -msgid "signaled from server" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:386 +msgid "subtree value: " msgstr "" -#: ../../src/slave/kpropd.c:1516 -#, c-format -msgid "Error text from client: %s\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:403 +msgid "container reference value: " msgstr "" -#: ../../src/slave/kpropd.c:1565 -#, c-format -msgid "while trying to fork %s" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:486 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:549 +msgid "Kerberos Container information is missing" msgstr "" -#: ../../src/slave/kpropd.c:1569 -#, c-format -msgid "while trying to exec %s" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:498 +msgid "Invalid Kerberos container DN" msgstr "" -#: ../../src/slave/kpropd.c:1576 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:514 #, c-format -msgid "while waiting for %s" +msgid "Kerberos Container create FAILED: %s" msgstr "" -#: ../../src/slave/kpropd.c:1582 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:557 #, c-format -msgid "%s load terminated" +msgid "Kerberos Container delete FAILED: %s" msgstr "" -#: ../../src/slave/kpropd.c:1588 -#, c-format -msgid "%s returned a bad exit status (%d)" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_realm.c:633 +msgid "realm object value: " msgstr "" -#: ../../src/slave/kproplog.c:27 -#, c-format -msgid "" -"\n" -"Usage: %s [-h] [-v] [-v] [-e num]\n" -"\t%s -R\n" -"\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:48 +msgid "Not a hexadecimal password" msgstr "" -#: ../../src/slave/kproplog.c:129 -#, c-format -msgid "" -"\n" -"Couldn't allocate memory" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:55 +msgid "Password corrupt" msgstr "" -#: ../../src/slave/kproplog.c:223 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:78 #, c-format -msgid "\t\tAttribute flags\n" +msgid "Cannot open LDAP password file '%s': %s" msgstr "" -#: ../../src/slave/kproplog.c:228 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_service_stash.c:108 #, c-format -msgid "\t\tMaximum ticket life\n" +msgid "Bind DN entry '%s' missing in LDAP password file '%s'" msgstr "" -#: ../../src/slave/kproplog.c:233 -#, c-format -msgid "\t\tMaximum renewable life\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:66 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:142 +msgid "Ticket Policy Name missing" msgstr "" -#: ../../src/slave/kproplog.c:238 -#, c-format -msgid "\t\tPrincipal expiration\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:154 +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:231 +msgid "ticket policy object: " msgstr "" -#: ../../src/slave/kproplog.c:243 -#, c-format -msgid "\t\tPassword expiration\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:219 +msgid "Ticket Policy Object information missing" msgstr "" -#: ../../src/slave/kproplog.c:248 -#, c-format -msgid "\t\tLast successful auth\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:311 +msgid "Ticket Policy Object DN missing" msgstr "" -#: ../../src/slave/kproplog.c:253 -#, c-format -msgid "\t\tLast failed auth\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:338 +msgid "Delete Failed: One or more Principals associated with the Ticket Policy" msgstr "" -#: ../../src/slave/kproplog.c:258 -#, c-format -msgid "\t\tFailed passwd attempt\n" +#: ../../src/plugins/kdb/ldap/libkdb_ldap/ldap_tkt_policy.c:447 +msgid "Error reading container object" msgstr "" -#: ../../src/slave/kproplog.c:263 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:132 #, c-format -msgid "\t\tPrincipal\n" +msgid "%s (path: %s): %s" msgstr "" -#: ../../src/slave/kproplog.c:268 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:164 #, c-format -msgid "\t\tKey data\n" +msgid "Unsupported argument \"%s\" for LMDB" msgstr "" -#: ../../src/slave/kproplog.c:275 -#, c-format -msgid "\t\tTL data\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:294 +msgid "LMDB environment open failure" msgstr "" -#: ../../src/slave/kproplog.c:282 -#, c-format -msgid "\t\tLength\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:319 +msgid "LMDB read failure" msgstr "" -#: ../../src/slave/kproplog.c:287 -#, c-format -msgid "\t\tPassword last changed\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:394 +msgid "LMDB write failure" msgstr "" -#: ../../src/slave/kproplog.c:292 -#, c-format -msgid "\t\tModifying principal\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:418 +msgid "LMDB delete failure" msgstr "" -#: ../../src/slave/kproplog.c:297 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:521 #, c-format -msgid "\t\tModification time\n" +msgid "LMDB file %s does not exist" msgstr "" -#: ../../src/slave/kproplog.c:302 -#, c-format -msgid "\t\tModified where\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:566 +msgid "LMDB open failure" msgstr "" -#: ../../src/slave/kproplog.c:307 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:593 #, c-format -msgid "\t\tPassword policy\n" +msgid "LMDB file %s already exists" msgstr "" -#: ../../src/slave/kproplog.c:312 -#, c-format -msgid "\t\tPassword policy switch\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:658 +msgid "LMDB create error" msgstr "" -#: ../../src/slave/kproplog.c:317 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:676 #, c-format -msgid "\t\tPassword history KVNO\n" +msgid "Could not unlink %s" msgstr "" -#: ../../src/slave/kproplog.c:322 +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:760 #, c-format -msgid "\t\tPassword history\n" +msgid "Unsupported argument \"%s\" for lmdb" msgstr "" -#: ../../src/slave/kproplog.c:356 -#, c-format -msgid "" -"Corrupt update entry\n" -"\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:806 +msgid "LMDB lockout write failure" msgstr "" -#: ../../src/slave/kproplog.c:361 -#, c-format -msgid "Update Entry\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:882 +msgid "LMDB principal iteration failure" msgstr "" -#: ../../src/slave/kproplog.c:363 -#, c-format -msgid "\tUpdate serial # : %u\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:985 +msgid "LMDB policy iteration failure" msgstr "" -#: ../../src/slave/kproplog.c:367 -#, c-format -msgid "\tDummy entry\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1016 +msgid "LMDB transaction commit failure" msgstr "" -#: ../../src/slave/kproplog.c:375 -#, c-format -msgid "" -"Entry data decode failure\n" -"\n" +#: ../../src/plugins/kdb/lmdb/kdb_lmdb.c:1115 +msgid "LMDB lockout update failure" msgstr "" -#: ../../src/slave/kproplog.c:379 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:500 #, c-format -msgid "\tUpdate operation : " +msgid "%s: %s" msgstr "" -#: ../../src/slave/kproplog.c:381 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:530 #, c-format -msgid "Delete\n" +msgid "%s (depth %d): %s" msgstr "" -#: ../../src/slave/kproplog.c:383 -#, c-format -msgid "Add\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:773 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4324 +msgid "Pass phrase for" msgstr "" -#: ../../src/slave/kproplog.c:387 -#, c-format -msgid "" -"Could not allocate principal name\n" -"\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1103 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1113 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1380 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1390 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1931 +msgid "Failed to DER encode PKCS7" msgstr "" -#: ../../src/slave/kproplog.c:393 -#, c-format -msgid "\tUpdate principal : %s\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1204 +msgid "Failed to verify own certificate" msgstr "" -#: ../../src/slave/kproplog.c:395 -#, c-format -msgid "\tUpdate size : %u\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1364 +msgid "Failed to add digest attribute" msgstr "" -#: ../../src/slave/kproplog.c:396 -#, c-format -msgid "\tUpdate committed : %s\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1492 +msgid "Failed to decode CMS message" msgstr "" -#: ../../src/slave/kproplog.c:400 -#, c-format -msgid "\tUpdate time stamp : None\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1510 +msgid "Invalid pkinit packet: octet string expected" msgstr "" -#: ../../src/slave/kproplog.c:402 -#, c-format -msgid "\tUpdate time stamp : %s" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1528 +msgid "wrong oid\n" msgstr "" -#: ../../src/slave/kproplog.c:406 -#, c-format -msgid "\tAttributes changed : %d\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1680 +msgid "Failed to verify received certificate" msgstr "" -#: ../../src/slave/kproplog.c:471 -#, c-format -msgid "" -"Unable to initialize Kerberos\n" -"\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1718 +msgid "Failed to verify CMS message" msgstr "" -#: ../../src/slave/kproplog.c:478 -#, c-format -msgid "" -"Couldn't read database_name\n" -"\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1906 +msgid "Failed to encrypt PKCS7 object" msgstr "" -#: ../../src/slave/kproplog.c:482 -#, c-format -msgid "" -"\n" -"Kerberos update log (%s)\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1981 +msgid "Failed to decode PKCS7" msgstr "" -#: ../../src/slave/kproplog.c:486 ../../src/slave/kproplog.c:501 -#, c-format -msgid "" -"Unable to map log file %s\n" -"\n" +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:1998 +msgid "Failed to decrypt PKCS7 message" msgstr "" -#: ../../src/slave/kproplog.c:491 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4444 #, c-format -msgid "" -"Couldn't reinitialize ulog file %s\n" -"\n" +msgid "Cannot read certificate file '%s'" msgstr "" -#: ../../src/slave/kproplog.c:495 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:4451 #, c-format -msgid "Reinitialized the ulog.\n" +msgid "Cannot read key file '%s'" msgstr "" -#: ../../src/slave/kproplog.c:507 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5313 #, c-format -msgid "" -"Corrupt header log, exiting\n" -"\n" +msgid "Cannot open file '%s'" msgstr "" -#: ../../src/slave/kproplog.c:511 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5320 #, c-format -msgid "Update log dump :\n" +msgid "Cannot read file '%s'" msgstr "" -#: ../../src/slave/kproplog.c:512 +#: ../../src/plugins/preauth/pkinit/pkinit_crypto_openssl.c:5995 #, c-format -msgid "\tLog version # : %u\n" +msgid "unknown code 0x%x" msgstr "" -#: ../../src/slave/kproplog.c:513 +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:419 #, c-format -msgid "\tLog state : " +msgid "Unsupported type while processing '%s'\n" msgstr "" -#: ../../src/slave/kproplog.c:516 -#, c-format -msgid "Stable\n" +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:453 +msgid "Internal error parsing X509_user_identity\n" msgstr "" -#: ../../src/slave/kproplog.c:519 -#, c-format -msgid "Unstable\n" +#: ../../src/plugins/preauth/pkinit/pkinit_identity.c:544 +msgid "No user identity options specified" msgstr "" -#: ../../src/slave/kproplog.c:522 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:405 #, c-format -msgid "Corrupt\n" +msgid "PKINIT: no freshness token, rejecting auth from %s" msgstr "" -#: ../../src/slave/kproplog.c:525 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:409 #, c-format -msgid "Unknown state: %d\n" +msgid "PKINIT: freshness token received from %s" msgstr "" -#: ../../src/slave/kproplog.c:528 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:411 #, c-format -msgid "\tEntry block size : %u\n" +msgid "PKINIT: no freshness token received from %s" msgstr "" -#: ../../src/slave/kproplog.c:529 -#, c-format -msgid "\tNumber of entries : %u\n" +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:542 +msgid "Pkinit request not signed, but client not anonymous." msgstr "" -#: ../../src/slave/kproplog.c:532 -#, c-format -msgid "\tLast serial # : None\n" +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:580 +msgid "Anonymous pkinit without DH public value not supported." msgstr "" -#: ../../src/slave/kproplog.c:535 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1304 #, c-format -msgid "\tFirst serial # : None\n" +msgid "No pkinit_identity supplied for realm %s" msgstr "" -#: ../../src/slave/kproplog.c:537 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1315 #, c-format -msgid "\tFirst serial # : " +msgid "No pkinit_anchors supplied for realm %s" msgstr "" -#: ../../src/slave/kproplog.c:541 +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1335 #, c-format -msgid "\tLast serial # : " +msgid "OCSP is not supported: (realm: %s)" msgstr "" -#: ../../src/slave/kproplog.c:546 -#, c-format -msgid "\tLast time stamp : None\n" +#: ../../src/plugins/preauth/pkinit/pkinit_srv.c:1736 +msgid "No realms configured correctly for pkinit support" msgstr "" -#: ../../src/slave/kproplog.c:549 -#, c-format -msgid "\tFirst time stamp : None\n" +#: ../../src/plugins/preauth/spake/groups.c:237 +msgid "No SPAKE preauth groups configured" msgstr "" -#: ../../src/slave/kproplog.c:551 +#: ../../src/plugins/preauth/spake/groups.c:257 #, c-format -msgid "\tFirst time stamp : %s" +msgid "SPAKE challenge group not a permitted group: %s" msgstr "" -#: ../../src/slave/kproplog.c:555 -#, c-format -msgid "\tLast time stamp : %s\n" +#: ../../src/plugins/preauth/spake/spake_kdc.c:536 +msgid "Unknown SPAKE request type" msgstr "" #: ../../src/util/support/errors.c:77 @@ -6989,6 +7163,10 @@ msgstr "" msgid "Principal keys are locked down" msgstr "" +#: ../lib/kadm5/kadm_err.c:85 +msgid "Operation requires initial ticket" +msgstr "" + #: ../lib/kdb/adb_err.c:23 msgid "No Error" msgstr "" diff --git a/src/prototype/prototype.c b/src/prototype/prototype.c index 72eddab..a4d2a1c 100644 --- a/src/prototype/prototype.c +++ b/src/prototype/prototype.c @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* prototype/prototype.c - <<< One-line description of file >>> */ /* - * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * Copyright (C) 2019 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/src/prototype/prototype.h b/src/prototype/prototype.h index 385106d..b4fb359 100644 --- a/src/prototype/prototype.h +++ b/src/prototype/prototype.h @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* prototype/prototype.h - <<< One-line description of file >>> */ /* - * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * Copyright (C) 2019 by the Massachusetts Institute of Technology. * All rights reserved. * * Redistribution and use in source and binary forms, with or without diff --git a/src/slave/Makefile.in b/src/slave/Makefile.in deleted file mode 100644 index f75a1f1..0000000 --- a/src/slave/Makefile.in +++ /dev/null @@ -1,35 +0,0 @@ -mydir=slave -BUILDTOP=$(REL).. - -all: kprop kpropd kproplog - -CLIENTSRCS= $(srcdir)/kprop.c $(srcdir)/kprop_util.c -CLIENTOBJS= kprop.o kprop_util.o - -SERVERSRCS= $(srcdir)/kpropd.c $(srcdir)/kpropd_rpc.c $(srcdir)/kprop_util.c -SERVEROBJS= kpropd.o kpropd_rpc.o kprop_util.o - -LOGSRCS= $(srcdir)/kproplog.c -LOGOBJS= kproplog.o - -SRCS= $(CLIENTSRCS) $(SERVERSRCS) $(LOGSRCS) - - -kprop: $(CLIENTOBJS) $(KRB5_BASE_DEPLIBS) - $(CC_LINK) -o kprop $(CLIENTOBJS) $(KRB5_BASE_LIBS) @LIBUTIL@ - -kpropd: $(SERVEROBJS) $(KDB5_DEPLIB) $(KADMCLNT_DEPLIBS) $(KRB5_BASE_DEPLIBS) $(APPUTILS_DEPLIB) - $(CC_LINK) -o kpropd $(SERVEROBJS) $(KDB5_LIB) $(KADMCLNT_LIBS) $(KRB5_BASE_LIBS) $(APPUTILS_LIB) @LIBUTIL@ - -kproplog: $(LOGOBJS) - $(CC_LINK) -o kproplog $(LOGOBJS) $(KADMSRV_LIBS) $(KRB5_BASE_LIBS) - -install: - for f in kprop kpropd kproplog; do \ - $(INSTALL_PROGRAM) $$f \ - $(DESTDIR)$(SERVER_BINDIR)/`echo $$f|sed '$(transform)'`; \ - done - -clean: - $(RM) $(CLIENTOBJS) $(SERVEROBJS) $(LOGOBJS) - $(RM) kprop kpropd kproplog diff --git a/src/slave/deps b/src/slave/deps deleted file mode 100644 index c3677a5..0000000 --- a/src/slave/deps +++ /dev/null @@ -1,73 +0,0 @@ -# -# Generated makefile dependencies follow. -# -$(OUTPRE)kprop.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - kprop.c kprop.h -$(OUTPRE)kprop_util.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kprop.h kprop_util.c -$(OUTPRE)kpropd.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/fake-addrinfo.h \ - $(top_srcdir)/include/gssrpc/auth.h $(top_srcdir)/include/gssrpc/auth_gss.h \ - $(top_srcdir)/include/gssrpc/auth_unix.h $(top_srcdir)/include/gssrpc/clnt.h \ - $(top_srcdir)/include/gssrpc/rename.h $(top_srcdir)/include/gssrpc/rpc.h \ - $(top_srcdir)/include/gssrpc/rpc_msg.h $(top_srcdir)/include/gssrpc/svc.h \ - $(top_srcdir)/include/gssrpc/svc_auth.h $(top_srcdir)/include/gssrpc/xdr.h \ - $(top_srcdir)/include/iprop.h $(top_srcdir)/include/iprop_hdr.h \ - $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ - $(top_srcdir)/include/kdb_log.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - kprop.h kpropd.c -$(OUTPRE)kpropd_rpc.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ - $(BUILDTOP)/include/gssrpc/types.h $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ - kpropd_rpc.c -$(OUTPRE)kproplog.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ - $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssrpc/types.h \ - $(BUILDTOP)/include/kadm5/admin.h $(BUILDTOP)/include/kadm5/chpass_util_strings.h \ - $(BUILDTOP)/include/kadm5/kadm_err.h $(BUILDTOP)/include/krb5/krb5.h \ - $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/gssrpc/auth.h \ - $(top_srcdir)/include/gssrpc/auth_gss.h $(top_srcdir)/include/gssrpc/auth_unix.h \ - $(top_srcdir)/include/gssrpc/clnt.h $(top_srcdir)/include/gssrpc/rename.h \ - $(top_srcdir)/include/gssrpc/rpc.h $(top_srcdir)/include/gssrpc/rpc_msg.h \ - $(top_srcdir)/include/gssrpc/svc.h $(top_srcdir)/include/gssrpc/svc_auth.h \ - $(top_srcdir)/include/gssrpc/xdr.h $(top_srcdir)/include/iprop.h \ - $(top_srcdir)/include/iprop_hdr.h $(top_srcdir)/include/k5-buf.h \ - $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ - $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ - $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/kdb_log.h \ - $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ - $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ - $(top_srcdir)/include/socket-utils.h kproplog.c diff --git a/src/slave/kprop.c b/src/slave/kprop.c deleted file mode 100644 index 5bff5de..0000000 --- a/src/slave/kprop.c +++ /dev/null @@ -1,619 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* slave/kprop.c */ -/* - * Copyright 1990,1991,2008 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#include "k5-int.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "com_err.h" -#include "fake-addrinfo.h" -#include "kprop.h" - -#ifndef GETSOCKNAME_ARG3_TYPE -#define GETSOCKNAME_ARG3_TYPE unsigned int -#endif - -static char *kprop_version = KPROP_PROT_VERSION; - -static char *progname = NULL; -static int debug = 0; -static char *srvtab = NULL; -static char *slave_host; -static char *realm = NULL; -static char *def_realm = NULL; -static char *file = KPROP_DEFAULT_FILE; - -/* The Kerberos principal we'll be sending as, initialized in get_tickets. */ -static krb5_principal my_principal; - -static krb5_creds creds; -static krb5_address *sender_addr; -static krb5_address *receiver_addr; -static const char *port = KPROP_SERVICE; -static char *dbpathname; - -static void parse_args(krb5_context context, int argc, char **argv); -static void get_tickets(krb5_context context); -static void usage(void); -static void open_connection(krb5_context context, char *host, int *fd_out); -static void kerberos_authenticate(krb5_context context, - krb5_auth_context *auth_context, int fd, - krb5_principal me, krb5_creds **new_creds); -static int open_database(krb5_context context, char *data_fn, int *size); -static void close_database(krb5_context context, int fd); -static void xmit_database(krb5_context context, - krb5_auth_context auth_context, krb5_creds *my_creds, - int fd, int database_fd, int in_database_size); -static void send_error(krb5_context context, krb5_creds *my_creds, int fd, - char *err_text, krb5_error_code err_code); -static void update_last_prop_file(char *hostname, char *file_name); - -static void usage() -{ - fprintf(stderr, _("\nUsage: %s [-r realm] [-f file] [-d] [-P port] " - "[-s srvtab] slave_host\n\n"), progname); - exit(1); -} - -int -main(int argc, char **argv) -{ - int fd, database_fd, database_size; - krb5_error_code retval; - krb5_context context; - krb5_creds *my_creds; - krb5_auth_context auth_context; - - setlocale(LC_ALL, ""); - retval = krb5_init_context(&context); - if (retval) { - com_err(argv[0], retval, _("while initializing krb5")); - exit(1); - } - parse_args(context, argc, argv); - get_tickets(context); - - database_fd = open_database(context, file, &database_size); - open_connection(context, slave_host, &fd); - kerberos_authenticate(context, &auth_context, fd, my_principal, &my_creds); - xmit_database(context, auth_context, my_creds, fd, database_fd, - database_size); - update_last_prop_file(slave_host, file); - printf(_("Database propagation to %s: SUCCEEDED\n"), slave_host); - krb5_free_cred_contents(context, my_creds); - close_database(context, database_fd); - krb5_free_default_realm(context, def_realm); - exit(0); -} - -static void -parse_args(krb5_context context, int argc, char **argv) -{ - char *word, ch; - krb5_error_code ret; - - progname = *argv++; - while (--argc && (word = *argv++) != NULL) { - if (*word != '-') { - if (slave_host != NULL) - usage(); - else - slave_host = word; - continue; - } - word++; - while (word != NULL && (ch = *word++) != '\0') { - switch (ch) { - case 'r': - realm = (*word != '\0') ? word : *argv++; - if (realm == NULL) - usage(); - word = NULL; - break; - case 'f': - file = (*word != '\0') ? word : *argv++; - if (file == NULL) - usage(); - word = NULL; - break; - case 'd': - debug++; - break; - case 'P': - port = (*word != '\0') ? word : *argv++; - if (port == NULL) - usage(); - word = NULL; - break; - case 's': - srvtab = (*word != '\0') ? word : *argv++; - if (srvtab == NULL) - usage(); - word = NULL; - break; - default: - usage(); - } - - } - } - if (slave_host == NULL) - usage(); - - if (realm == NULL) { - ret = krb5_get_default_realm(context, &def_realm); - if (ret) { - com_err(progname, errno, _("while getting default realm")); - exit(1); - } - realm = def_realm; - } -} - -static void -get_tickets(krb5_context context) -{ - char *server; - krb5_error_code retval; - krb5_keytab keytab = NULL; - krb5_principal server_princ = NULL; - - /* Figure out what tickets we'll be using to send. */ - retval = sn2princ_realm(context, NULL, KPROP_SERVICE_NAME, realm, - &my_principal); - if (retval) { - com_err(progname, errno, _("while setting client principal name")); - exit(1); - } - - /* Construct the principal name for the slave host. */ - memset(&creds, 0, sizeof(creds)); - retval = sn2princ_realm(context, slave_host, KPROP_SERVICE_NAME, realm, - &server_princ); - if (retval) { - com_err(progname, errno, _("while setting server principal name")); - exit(1); - } - retval = krb5_unparse_name_flags(context, server_princ, - KRB5_PRINCIPAL_UNPARSE_NO_REALM, &server); - if (retval) { - com_err(progname, retval, _("while unparsing server name")); - exit(1); - } - - if (srvtab != NULL) { - retval = krb5_kt_resolve(context, srvtab, &keytab); - if (retval) { - com_err(progname, retval, _("while resolving keytab")); - exit(1); - } - } - - retval = krb5_get_init_creds_keytab(context, &creds, my_principal, keytab, - 0, server, NULL); - if (retval) { - com_err(progname, retval, _("while getting initial credentials\n")); - exit(1); - } - - if (keytab != NULL) - krb5_kt_close(context, keytab); - krb5_free_unparsed_name(context, server); - krb5_free_principal(context, server_princ); -} - -static void -open_connection(krb5_context context, char *host, int *fd_out) -{ - krb5_error_code retval; - GETSOCKNAME_ARG3_TYPE socket_length; - struct addrinfo hints, *res, *answers; - struct sockaddr *sa; - struct sockaddr_storage my_sin; - int s, error; - - *fd_out = -1; - memset(&hints, 0, sizeof(hints)); - hints.ai_family = PF_UNSPEC; - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_ADDRCONFIG; - error = getaddrinfo(host, port, &hints, &answers); - if (error != 0) { - com_err(progname, 0, "%s: %s", host, gai_strerror(error)); - exit(1); - } - - s = -1; - retval = EINVAL; - for (res = answers; res != NULL; res = res->ai_next) { - s = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (s < 0) { - com_err(progname, errno, _("while creating socket")); - exit(1); - } - - if (connect(s, res->ai_addr, res->ai_addrlen) < 0) { - retval = errno; - close(s); - s = -1; - continue; - } - - /* We successfully connect()ed */ - *fd_out = s; - retval = sockaddr2krbaddr(context, res->ai_family, res->ai_addr, - &receiver_addr); - if (retval != 0) { - com_err(progname, retval, _("while converting server address")); - exit(1); - } - - break; - } - - freeaddrinfo(answers); - - if (s == -1) { - com_err(progname, retval, _("while connecting to server")); - exit(1); - } - - /* Set sender_addr. */ - socket_length = sizeof(my_sin); - if (getsockname(s, (struct sockaddr *)&my_sin, &socket_length) < 0) { - com_err(progname, errno, _("while getting local socket address")); - exit(1); - } - sa = (struct sockaddr *)&my_sin; - if (sockaddr2krbaddr(context, sa->sa_family, sa, &sender_addr) != 0) { - com_err(progname, errno, _("while converting local address")); - exit(1); - } -} - -static void -kerberos_authenticate(krb5_context context, krb5_auth_context *auth_context, - int fd, krb5_principal me, krb5_creds **new_creds) -{ - krb5_error_code retval; - krb5_error *error = NULL; - krb5_ap_rep_enc_part *rep_result; - - retval = krb5_auth_con_init(context, auth_context); - if (retval) - exit(1); - - krb5_auth_con_setflags(context, *auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - - retval = krb5_auth_con_setaddrs(context, *auth_context, sender_addr, - receiver_addr); - if (retval) { - com_err(progname, retval, _("in krb5_auth_con_setaddrs")); - exit(1); - } - - retval = krb5_sendauth(context, auth_context, &fd, kprop_version, - me, creds.server, AP_OPTS_MUTUAL_REQUIRED, NULL, - &creds, NULL, &error, &rep_result, new_creds); - if (retval) { - com_err(progname, retval, _("while authenticating to server")); - if (error != NULL) { - if (error->error == KRB_ERR_GENERIC) { - if (error->text.data) { - fprintf(stderr, _("Generic remote error: %s\n"), - error->text.data); - } - } else if (error->error) { - com_err(progname, - (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, - _("signalled from server")); - if (error->text.data) { - fprintf(stderr, _("Error text from server: %s\n"), - error->text.data); - } - } - krb5_free_error(context, error); - } - exit(1); - } - krb5_free_ap_rep_enc_part(context, rep_result); -} - -/* - * Open the Kerberos database dump file. Takes care of locking it - * and making sure that the .ok file is more recent that the database - * dump file itself. - * - * Returns the file descriptor of the database dump file. Also fills - * in the size of the database file. - */ -static int -open_database(krb5_context context, char *data_fn, int *size) -{ - struct stat stbuf, stbuf_ok; - char *data_ok_fn; - int fd, err; - - dbpathname = strdup(data_fn); - if (dbpathname == NULL) { - com_err(progname, ENOMEM, _("allocating database file name '%s'"), - data_fn); - exit(1); - } - fd = open(dbpathname, O_RDONLY); - if (fd < 0) { - com_err(progname, errno, _("while trying to open %s"), dbpathname); - exit(1); - } - - err = krb5_lock_file(context, fd, - KRB5_LOCKMODE_SHARED | KRB5_LOCKMODE_DONTBLOCK); - if (err == EAGAIN || err == EWOULDBLOCK || errno == EACCES) { - com_err(progname, 0, _("database locked")); - exit(1); - } else if (err) { - com_err(progname, err, _("while trying to lock '%s'"), dbpathname); - exit(1); - } - if (fstat(fd, &stbuf)) { - com_err(progname, errno, _("while trying to stat %s"), data_fn); - exit(1); - } - if (asprintf(&data_ok_fn, "%s.dump_ok", data_fn) < 0) { - com_err(progname, ENOMEM, _("while trying to malloc data_ok_fn")); - exit(1); - } - if (stat(data_ok_fn, &stbuf_ok)) { - com_err(progname, errno, _("while trying to stat %s"), data_ok_fn); - free(data_ok_fn); - exit(1); - } - if (stbuf.st_mtime > stbuf_ok.st_mtime) { - com_err(progname, 0, _("'%s' more recent than '%s'."), data_fn, - data_ok_fn); - exit(1); - } - free(data_ok_fn); - *size = stbuf.st_size; - return fd; -} - -static void -close_database(krb5_context context, int fd) -{ - int err; - - err = krb5_lock_file(context, fd, KRB5_LOCKMODE_UNLOCK); - if (err) - com_err(progname, err, _("while unlocking database '%s'"), dbpathname); - free(dbpathname); - close(fd); -} - -/* - * Now we send over the database. We use the following protocol: - * Send over a KRB_SAFE message with the size. Then we send over the - * database in blocks of KPROP_BLKSIZE, encrypted using KRB_PRIV. - * Then we expect to see a KRB_SAFE message with the size sent back. - * - * At any point in the protocol, we may send a KRB_ERROR message; this - * will abort the entire operation. - */ -static void -xmit_database(krb5_context context, krb5_auth_context auth_context, - krb5_creds *my_creds, int fd, int database_fd, - int in_database_size) -{ - krb5_int32 n; - krb5_data inbuf, outbuf; - char buf[KPROP_BUFSIZ]; - krb5_error_code retval; - krb5_error *error; - krb5_ui_4 database_size = in_database_size, send_size, sent_size; - - /* Send over the size. */ - send_size = htonl(database_size); - inbuf.data = (char *)&send_size; - inbuf.length = sizeof(send_size); /* must be 4, really */ - /* KPROP_CKSUMTYPE */ - retval = krb5_mk_safe(context, auth_context, &inbuf, &outbuf, NULL); - if (retval) { - com_err(progname, retval, _("while encoding database size")); - send_error(context, my_creds, fd, _("while encoding database size"), - retval); - exit(1); - } - - retval = krb5_write_message(context, &fd, &outbuf); - if (retval) { - krb5_free_data_contents(context, &outbuf); - com_err(progname, retval, _("while sending database size")); - exit(1); - } - krb5_free_data_contents(context, &outbuf); - - /* Initialize the initial vector. */ - retval = krb5_auth_con_initivector(context, auth_context); - if (retval) { - send_error(context, my_creds, fd, - "failed while initializing i_vector", retval); - com_err(progname, retval, _("while allocating i_vector")); - exit(1); - } - - /* Send over the file, block by block. */ - inbuf.data = buf; - sent_size = 0; - while ((n = read(database_fd, buf, sizeof(buf)))) { - inbuf.length = n; - retval = krb5_mk_priv(context, auth_context, &inbuf, &outbuf, NULL); - if (retval) { - snprintf(buf, sizeof(buf), - "while encoding database block starting at %d", - sent_size); - com_err(progname, retval, "%s", buf); - send_error(context, my_creds, fd, buf, retval); - exit(1); - } - - retval = krb5_write_message(context, &fd, &outbuf); - if (retval) { - krb5_free_data_contents(context, &outbuf); - com_err(progname, retval, - _("while sending database block starting at %d"), - sent_size); - exit(1); - } - krb5_free_data_contents(context, &outbuf); - sent_size += n; - if (debug) - printf("%d bytes sent.\n", sent_size); - } - if (sent_size != database_size) { - com_err(progname, 0, _("Premature EOF found for database file!")); - send_error(context, my_creds, fd, - "Premature EOF found for database file!", - KRB5KRB_ERR_GENERIC); - exit(1); - } - - /* - * OK, we've sent the database; now let's wait for a success - * indication from the remote end. - */ - retval = krb5_read_message(context, &fd, &inbuf); - if (retval) { - com_err(progname, retval, _("while reading response from server")); - exit(1); - } - /* - * If we got an error response back from the server, display - * the error message - */ - if (krb5_is_krb_error(&inbuf)) { - retval = krb5_rd_error(context, &inbuf, &error); - if (retval) { - com_err(progname, retval, - _("while decoding error response from server")); - exit(1); - } - if (error->error == KRB_ERR_GENERIC) { - if (error->text.data) { - fprintf(stderr, _("Generic remote error: %s\n"), - error->text.data); - } - } else if (error->error) { - com_err(progname, - (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, - _("signalled from server")); - if (error->text.data) { - fprintf(stderr, _("Error text from server: %s\n"), - error->text.data); - } - } - krb5_free_error(context, error); - exit(1); - } - - retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL); - if (retval) { - com_err(progname, retval, - "while decoding final size packet from server"); - exit(1); - } - - memcpy(&send_size, outbuf.data, sizeof(send_size)); - send_size = ntohl(send_size); - if (send_size != database_size) { - com_err(progname, 0, _("Kpropd sent database size %d, expecting %d"), - send_size, database_size); - exit(1); - } - free(inbuf.data); - free(outbuf.data); -} - -static void -send_error(krb5_context context, krb5_creds *my_creds, int fd, char *err_text, - krb5_error_code err_code) -{ - krb5_error error; - const char *text; - krb5_data outbuf; - - memset(&error, 0, sizeof(error)); - krb5_us_timeofday(context, &error.ctime, &error.cusec); - error.server = my_creds->server; - error.client = my_principal; - error.error = err_code - ERROR_TABLE_BASE_krb5; - if (error.error > 127) - error.error = KRB_ERR_GENERIC; - text = (err_text != NULL) ? err_text : error_message(err_code); - error.text.length = strlen(text) + 1; - error.text.data = strdup(text); - if (error.text.data) { - if (!krb5_mk_error(context, &error, &outbuf)) { - (void)krb5_write_message(context, &fd, &outbuf); - krb5_free_data_contents(context, &outbuf); - } - free(error.text.data); - } -} - -static void -update_last_prop_file(char *hostname, char *file_name) -{ - char *file_last_prop; - int fd; - static char last_prop[] = ".last_prop"; - - if (asprintf(&file_last_prop, "%s.%s%s", file_name, hostname, - last_prop) < 0) { - com_err(progname, ENOMEM, - _("while allocating filename for update_last_prop_file")); - return; - } - fd = THREEPARAMOPEN(file_last_prop, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (fd < 0) { - com_err(progname, errno, _("while creating 'last_prop' file, '%s'"), - file_last_prop); - free(file_last_prop); - return; - } - write(fd, "", 1); - free(file_last_prop); - close(fd); -} diff --git a/src/slave/kprop.h b/src/slave/kprop.h deleted file mode 100644 index dbbda43..0000000 --- a/src/slave/kprop.h +++ /dev/null @@ -1,43 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* slave/kprop.h */ -/* - * Copyright 1990,1991 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#define KPROP_SERVICE_NAME "host" -#define TGT_SERVICE_NAME "krbtgt" -#define KPROP_SERVICE "krb5_prop" -#define KPROP_PORT 754 - -#define KPROP_PROT_VERSION "kprop5_01" - -#define KPROP_BUFSIZ 32768 - -/* pathnames are in osconf.h, included via k5-int.h */ - -int sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa, - krb5_address **dest); - -krb5_error_code -sn2princ_realm(krb5_context context, const char *hostname, const char *sname, - const char *realm, krb5_principal *princ_out); diff --git a/src/slave/kprop_util.c b/src/slave/kprop_util.c deleted file mode 100644 index f182554..0000000 --- a/src/slave/kprop_util.c +++ /dev/null @@ -1,98 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* slave/kprop_util.c */ -/* - * Copyright (C) 2010 by the Massachusetts Institute of Technology. - * All rights reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -/* sockaddr2krbaddr() utility function used by kprop and kpropd */ - -#include "k5-int.h" -#include "kprop.h" - -#include -#include - -/* - * Convert an IPv4 or IPv6 socket address to a newly allocated krb5_address. - * There is similar code elsewhere in the tree, so this should possibly become - * a libkrb5 API in the future. - */ -krb5_error_code -sockaddr2krbaddr(krb5_context context, int family, struct sockaddr *sa, - krb5_address **dest) -{ - krb5_address addr; - - addr.magic = KV5M_ADDRESS; - if (family == AF_INET) { - struct sockaddr_in *sa4 = (struct sockaddr_in *) sa; - addr.addrtype = ADDRTYPE_INET; - addr.length = sizeof(sa4->sin_addr); - addr.contents = (krb5_octet *) &sa4->sin_addr; - } else if (family == AF_INET6) { - struct sockaddr_in6 *sa6 = (struct sockaddr_in6 *) sa; - if (IN6_IS_ADDR_V4MAPPED(&sa6->sin6_addr)) { - addr.addrtype = ADDRTYPE_INET; - addr.contents = (krb5_octet *) &sa6->sin6_addr + 12; - addr.length = 4; - } else { - addr.addrtype = ADDRTYPE_INET6; - addr.length = sizeof(sa6->sin6_addr); - addr.contents = (krb5_octet *) &sa6->sin6_addr; - } - } else - return KRB5_PROG_ATYPE_NOSUPP; - - return krb5_copy_addr(context, &addr, dest); -} - -/* Construct a host-based principal, similar to krb5_sname_to_principal() but - * with a specified realm. */ -krb5_error_code -sn2princ_realm(krb5_context context, const char *hostname, const char *sname, - const char *realm, krb5_principal *princ_out) -{ - krb5_error_code ret; - char *canonhost, localname[MAXHOSTNAMELEN]; - - *princ_out = NULL; - assert(sname != NULL && realm != NULL); - - /* If hostname is NULL, use the local hostname. */ - if (hostname == NULL) { - if (gethostname(localname, MAXHOSTNAMELEN) != 0) - return SOCKET_ERRNO; - hostname = localname; - } - - ret = krb5_expand_hostname(context, hostname, &canonhost); - if (ret) - return ret; - - ret = krb5_build_principal(context, princ_out, strlen(realm), realm, sname, - canonhost, (char *)NULL); - krb5_free_string(context, canonhost); - if (!ret) - (*princ_out)->type = KRB5_NT_SRV_HST; - return ret; -} diff --git a/src/slave/kpropd.c b/src/slave/kpropd.c deleted file mode 100644 index 056c31a..0000000 --- a/src/slave/kpropd.c +++ /dev/null @@ -1,1614 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* slave/kpropd.c */ -/* - * Copyright (C) 1998 by the FundsXpress, INC. - * - * All rights reserved. - * - * Export of this software from the United States of America may require - * a specific license from the United States Government. It is the - * responsibility of any person or organization contemplating export to - * obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of FundsXpress. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. FundsXpress makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - * - * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR - * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED - * WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE. - */ - -/* - * Copyright 1990,1991,2007 by the Massachusetts Institute of Technology. - * All Rights Reserved. - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - - -#include "k5-int.h" -#include "com_err.h" -#include "fake-addrinfo.h" - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#include "kprop.h" -#include -#include "iprop.h" -#include -#include - -#ifndef GETSOCKNAME_ARG3_TYPE -#define GETSOCKNAME_ARG3_TYPE unsigned int -#endif -#ifndef GETPEERNAME_ARG3_TYPE -#define GETPEERNAME_ARG3_TYPE unsigned int -#endif - -#if defined(NEED_DAEMON_PROTO) -extern int daemon(int, int); -#endif - -#define SYSLOG_CLASS LOG_DAEMON - -int runonce = 0; - -/* - * This struct simulates the use of _kadm5_server_handle_t - * - * This is a COPY of kadm5_server_handle_t from - * lib/kadm5/clnt/client_internal.h! - */ -typedef struct _kadm5_iprop_handle_t { - krb5_ui_4 magic_number; - krb5_ui_4 struct_version; - krb5_ui_4 api_version; - char *cache_name; - int destroy_cache; - CLIENT *clnt; - krb5_context context; - kadm5_config_params params; - struct _kadm5_iprop_handle_t *lhandle; -} *kadm5_iprop_handle_t; - -static char *kprop_version = KPROP_PROT_VERSION; - -static kadm5_config_params params; - -static char *progname; -static int debug = 0; -static int nodaemon = 0; -static char *srvtab = NULL; -static int standalone = 0; - -static pid_t fullprop_child = (pid_t)-1; - -static krb5_principal server; /* This is our server principal name */ -static krb5_principal client; /* This is who we're talking to */ -static krb5_context kpropd_context; -static krb5_auth_context auth_context; -static char *realm = NULL; /* Our realm */ -static char *def_realm = NULL; /* Ref pointer for default realm */ -static char *file = KPROPD_DEFAULT_FILE; -static char *temp_file_name; -static char *kdb5_util = KPROPD_DEFAULT_KDB5_UTIL; -static char *kerb_database = NULL; -static char *acl_file_name = KPROPD_ACL_FILE; - -static krb5_address *sender_addr; -static krb5_address *receiver_addr; -static const char *port = KPROP_SERVICE; - -static char **db_args = NULL; -static int db_args_size = 0; - -static void parse_args(char **argv); -static void do_standalone(void); -static void doit(int fd); -static krb5_error_code do_iprop(void); -static void kerberos_authenticate(krb5_context context, int fd, - krb5_principal *clientp, krb5_enctype *etype, - struct sockaddr_storage *my_sin); -static krb5_boolean authorized_principal(krb5_context context, - krb5_principal p, - krb5_enctype auth_etype); -static void recv_database(krb5_context context, int fd, int database_fd, - krb5_data *confmsg); -static void load_database(krb5_context context, char *kdb_util, - char *database_file_name); -static void send_error(krb5_context context, int fd, krb5_error_code err_code, - char *err_text); -static void recv_error(krb5_context context, krb5_data *inbuf); -static unsigned int backoff_from_master(int *cnt); -static kadm5_ret_t kadm5_get_kiprop_host_srv_name(krb5_context context, - const char *realm_name, - char **host_service_name); - -static void -usage() -{ - fprintf(stderr, - _("\nUsage: %s [-r realm] [-s srvtab] [-dS] [-f slave_file]\n"), - progname); - fprintf(stderr, _("\t[-F kerberos_db_file ] [-p kdb5_util_pathname]\n")); - fprintf(stderr, _("\t[-x db_args]* [-P port] [-a acl_file]\n")); - fprintf(stderr, _("\t[-A admin_server]\n")); - exit(1); -} - -typedef void (*sig_handler_fn)(int sig); - -static void -signal_wrapper(int sig, sig_handler_fn handler) -{ -#ifdef POSIX_SIGNALS - struct sigaction s_action; - - memset(&s_action, 0, sizeof(s_action)); - sigemptyset(&s_action.sa_mask); - s_action.sa_handler = handler; - sigaction(sig, &s_action, NULL); -#else - signal(sig, handler); -#endif -} - -static void -alarm_handler(int sig) -{ - static char *timeout_msg = "Full propagation timed out\n"; - - write(STDERR_FILENO, timeout_msg, strlen(timeout_msg)); - exit(1); -} - -static void -usr1_handler(int sig) -{ - /* Nothing to do, just let the signal interrupt sleep(). */ -} - -static void -kill_do_standalone(int sig) -{ - if (fullprop_child > 0) { - if (debug) { - fprintf(stderr, _("Killing fullprop child (%d)\n"), - (int)fullprop_child); - } - kill(fullprop_child, sig); - } - /* Make sure our exit status code reflects our having been signaled */ - signal_wrapper(sig, SIG_DFL); - kill(getpid(), sig); -} - -static void -atexit_kill_do_standalone(void) -{ - if (fullprop_child > 0) - kill(fullprop_child, SIGHUP); -} - -int -main(int argc, char **argv) -{ - krb5_error_code retval; - kdb_log_context *log_ctx; - int devnull, sock; - struct stat st; - - setlocale(LC_ALL, ""); - parse_args(argv); - - if (fstat(0, &st) == -1) { - com_err(progname, errno, _("while checking if stdin is a socket")); - exit(1); - } - /* - * Detect whether we're running from inetd; if not then we're in - * standalone mode. - */ - standalone = !S_ISSOCK(st.st_mode); - - log_ctx = kpropd_context->kdblog_context; - - signal_wrapper(SIGPIPE, SIG_IGN); - - if (standalone) { - /* "ready" is a sentinel for the test framework. */ - if (!debug && !nodaemon) { - daemon(0, 0); - } else { - printf(_("ready\n")); - fflush(stdout); - } - } else { - /* - * We're an inetd nowait service. Let's not risk anything - * read/write from/to the inetd socket unintentionally. - */ - devnull = open("/dev/null", O_RDWR); - if (devnull == -1) { - syslog(LOG_ERR, _("Could not open /dev/null: %s"), - strerror(errno)); - exit(1); - } - - sock = dup(0); - if (sock == -1) { - syslog(LOG_ERR, _("Could not dup the inetd socket: %s"), - strerror(errno)); - exit(1); - } - - dup2(devnull, STDIN_FILENO); - dup2(devnull, STDOUT_FILENO); - dup2(devnull, STDERR_FILENO); - close(devnull); - doit(sock); - exit(0); - } - - if (log_ctx == NULL || log_ctx->iproprole != IPROP_SLAVE) { - do_standalone(); - /* do_standalone() should never return */ - assert(0); - } - - /* - * This is the iprop case. We'll fork a child to run do_standalone(). The - * parent will run do_iprop(). We try to kill the child if we get killed. - * Catch SIGUSR1, which can be used to interrupt the sleep timer and force - * an iprop request. - */ - signal_wrapper(SIGHUP, kill_do_standalone); - signal_wrapper(SIGINT, kill_do_standalone); - signal_wrapper(SIGQUIT, kill_do_standalone); - signal_wrapper(SIGTERM, kill_do_standalone); - signal_wrapper(SIGSEGV, kill_do_standalone); - signal_wrapper(SIGUSR1, usr1_handler); - atexit(atexit_kill_do_standalone); - fullprop_child = fork(); - switch (fullprop_child) { - case -1: - com_err(progname, errno, _("do_iprop failed.\n")); - break; - case 0: - do_standalone(); - /* do_standalone() should never return */ - /* NOTREACHED */ - break; - default: - retval = do_iprop(); - /* do_iprop() can return due to failures and runonce. */ - kill(fullprop_child, SIGHUP); - wait(NULL); - if (retval) - com_err(progname, retval, _("do_iprop failed.\n")); - else - exit(0); - } - - exit(1); -} - -/* Use getaddrinfo to determine a wildcard listener address, preferring - * IPv6 if available. */ -static int -get_wildcard_addr(struct addrinfo **res) -{ - struct addrinfo hints; - int error; - - memset(&hints, 0, sizeof(hints)); - hints.ai_socktype = SOCK_STREAM; - hints.ai_flags = AI_PASSIVE | AI_ADDRCONFIG; - hints.ai_family = AF_INET6; - error = getaddrinfo(NULL, port, &hints, res); - if (error == 0) - return 0; - hints.ai_family = AF_INET; - return getaddrinfo(NULL, port, &hints, res); -} - -static void -do_standalone() -{ - struct sockaddr_in frominet; - struct addrinfo *res; - GETPEERNAME_ARG3_TYPE fromlen; - int finet, s, ret, error, val, status; - pid_t child_pid; - pid_t wait_pid; - - error = get_wildcard_addr(&res); - if (error != 0) { - fprintf(stderr, _("getaddrinfo: %s\n"), gai_strerror(error)); - exit(1); - } - - finet = socket(res->ai_family, res->ai_socktype, res->ai_protocol); - if (finet < 0) { - com_err(progname, errno, _("while obtaining socket")); - exit(1); - } - - val = 1; - if (setsockopt(finet, SOL_SOCKET, SO_REUSEADDR, &val, sizeof(val)) < 0) - com_err(progname, errno, _("while setting SO_REUSEADDR option")); - -#if defined(IPV6_V6ONLY) - /* Make sure dual-stack support is enabled on IPv6 listener sockets if - * possible. */ - val = 0; - if (res->ai_family == AF_INET6 && - setsockopt(finet, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val)) < 0) - com_err(progname, errno, _("while unsetting IPV6_V6ONLY option")); -#endif - - ret = bind(finet, res->ai_addr, res->ai_addrlen); - if (ret < 0) { - com_err(progname, errno, _("while binding listener socket")); - exit(1); - } - if (listen(finet, 5) < 0) { - com_err(progname, errno, "in listen call"); - exit(1); - } - for (;;) { - memset(&frominet, 0, sizeof(frominet)); - fromlen = sizeof(frominet); - if (debug) - fprintf(stderr, _("waiting for a kprop connection\n")); - s = accept(finet, (struct sockaddr *) &frominet, &fromlen); - - if (s < 0) { - int e = errno; - if (e != EINTR) { - com_err(progname, e, _("while accepting connection")); - } - } - child_pid = fork(); - switch (child_pid) { - case -1: - com_err(progname, errno, _("while forking")); - exit(1); - case 0: - close(finet); - - doit(s); - close(s); - _exit(0); - default: - do { - wait_pid = waitpid(child_pid, &status, 0); - } while (wait_pid == -1 && errno == EINTR); - if (wait_pid == -1) { - /* Something bad happened; panic. */ - if (debug) { - fprintf(stderr, _("waitpid() failed to wait for doit() " - "(%d %s)\n"), errno, strerror(errno)); - } - com_err(progname, errno, - _("while waiting to receive database")); - exit(1); - } - if (debug) { - fprintf(stderr, _("Database load process for full propagation " - "completed.\n")); - } - - close(s); - - /* If we are the fullprop child in iprop mode, notify the parent - * process that it should poll for incremental updates. */ - if (fullprop_child == 0) - kill(getppid(), SIGUSR1); - else if (runonce) - exit(0); - } - } - exit(0); -} - -static void -doit(int fd) -{ - struct sockaddr_storage from; - int on = 1; - GETPEERNAME_ARG3_TYPE fromlen; - krb5_error_code retval; - krb5_data confmsg; - int lock_fd; - mode_t omask; - krb5_enctype etype; - int database_fd; - char host[INET6_ADDRSTRLEN + 1]; - - signal_wrapper(SIGALRM, alarm_handler); - alarm(params.iprop_resync_timeout); - fromlen = sizeof(from); - if (getpeername(fd, (struct sockaddr *)&from, &fromlen) < 0) { -#ifdef ENOTSOCK - if (errno == ENOTSOCK && fd == 0 && !standalone) { - fprintf(stderr, - _("%s: Standard input does not appear to be a network " - "socket.\n" - "\t(Not run from inetd, and missing the -S option?)\n"), - progname); - exit(1); - } -#endif - fprintf(stderr, "%s: ", progname); - perror("getpeername"); - exit(1); - } - if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, (caddr_t) &on, - sizeof(on)) < 0) { - com_err(progname, errno, - _("while attempting setsockopt (SO_KEEPALIVE)")); - } - - if (getnameinfo((const struct sockaddr *) &from, fromlen, - host, sizeof(host), NULL, 0, 0) == 0) { - syslog(LOG_INFO, _("Connection from %s"), host); - if (debug) - fprintf(stderr, "Connection from %s\n", host); - } - - /* - * Now do the authentication - */ - kerberos_authenticate(kpropd_context, fd, &client, &etype, &from); - - if (!authorized_principal(kpropd_context, client, etype)) { - char *name; - - retval = krb5_unparse_name(kpropd_context, client, &name); - if (retval) { - com_err(progname, retval, "While unparsing client name"); - exit(1); - } - if (debug) { - fprintf(stderr, - _("Rejected connection from unauthorized principal %s\n"), - name); - } - syslog(LOG_WARNING, - _("Rejected connection from unauthorized principal %s"), - name); - free(name); - exit(1); - } - omask = umask(077); - lock_fd = open(temp_file_name, O_RDWR | O_CREAT, 0600); - (void)umask(omask); - retval = krb5_lock_file(kpropd_context, lock_fd, - KRB5_LOCKMODE_EXCLUSIVE | KRB5_LOCKMODE_DONTBLOCK); - if (retval) { - com_err(progname, retval, _("while trying to lock '%s'"), - temp_file_name); - exit(1); - } - database_fd = open(temp_file_name, O_WRONLY | O_CREAT | O_TRUNC, 0600); - if (database_fd < 0) { - com_err(progname, errno, _("while opening database file, '%s'"), - temp_file_name); - exit(1); - } - recv_database(kpropd_context, fd, database_fd, &confmsg); - if (rename(temp_file_name, file)) { - com_err(progname, errno, _("while renaming %s to %s"), - temp_file_name, file); - exit(1); - } - retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_SHARED); - if (retval) { - com_err(progname, retval, _("while downgrading lock on '%s'"), - temp_file_name); - exit(1); - } - load_database(kpropd_context, kdb5_util, file); - retval = krb5_lock_file(kpropd_context, lock_fd, KRB5_LOCKMODE_UNLOCK); - if (retval) { - com_err(progname, retval, _("while unlocking '%s'"), temp_file_name); - exit(1); - } - close(lock_fd); - - /* - * Send the acknowledgement message generated in - * recv_database, then close the socket. - */ - retval = krb5_write_message(kpropd_context, &fd, &confmsg); - if (retval) { - krb5_free_data_contents(kpropd_context, &confmsg); - com_err(progname, retval, _("while sending # of received bytes")); - exit(1); - } - krb5_free_data_contents(kpropd_context, &confmsg); - if (close(fd) < 0) { - com_err(progname, errno, - _("while trying to close database file")); - exit(1); - } - - exit(0); -} - -/* Default timeout can be changed using clnt_control() */ -static struct timeval full_resync_timeout = { 25, 0 }; - -static kdb_fullresync_result_t * -full_resync(CLIENT *clnt) -{ - static kdb_fullresync_result_t clnt_res; - uint32_t vers = IPROPX_VERSION_1; /* max version we support */ - enum clnt_stat status; - - memset(&clnt_res, 0, sizeof(clnt_res)); - - status = clnt_call(clnt, IPROP_FULL_RESYNC_EXT, (xdrproc_t)xdr_u_int32, - (caddr_t)&vers, (xdrproc_t)xdr_kdb_fullresync_result_t, - (caddr_t)&clnt_res, full_resync_timeout); - if (status == RPC_PROCUNAVAIL) { - status = clnt_call(clnt, IPROP_FULL_RESYNC, (xdrproc_t)xdr_void, - (caddr_t *)&vers, - (xdrproc_t)xdr_kdb_fullresync_result_t, - (caddr_t)&clnt_res, full_resync_timeout); - } - - return (status == RPC_SUCCESS) ? &clnt_res : NULL; -} - -/* - * Beg for incrementals from the KDC. - * - * Returns 0 on success IFF runonce is true. - * Returns non-zero on failure due to errors. - */ -krb5_error_code -do_iprop() -{ - kadm5_ret_t retval; - krb5_principal iprop_svc_principal; - void *server_handle = NULL; - char *iprop_svc_princstr = NULL, *master_svc_princstr = NULL; - unsigned int pollin, backoff_time; - int backoff_cnt = 0, reinit_cnt = 0; - struct timeval iprop_start, iprop_end; - unsigned long usec; - time_t frrequested = 0, now; - kdb_incr_result_t *incr_ret; - kdb_last_t mylast; - kdb_fullresync_result_t *full_ret; - kadm5_iprop_handle_t handle; - - if (debug) - fprintf(stderr, _("Incremental propagation enabled\n")); - - pollin = params.iprop_poll_time; - if (pollin == 0) - pollin = 10; - - if (master_svc_princstr == NULL) { - retval = kadm5_get_kiprop_host_srv_name(kpropd_context, realm, - &master_svc_princstr); - if (retval) { - com_err(progname, retval, - _("%s: unable to get kiprop host based " - "service name for realm %s\n"), - progname, realm); - return retval; - } - } - - retval = sn2princ_realm(kpropd_context, NULL, KIPROP_SVC_NAME, realm, - &iprop_svc_principal); - if (retval) { - com_err(progname, retval, - _("while trying to construct host service principal")); - return retval; - } - - retval = krb5_unparse_name(kpropd_context, iprop_svc_principal, - &iprop_svc_princstr); - if (retval) { - com_err(progname, retval, - _("while canonicalizing principal name")); - krb5_free_principal(kpropd_context, iprop_svc_principal); - return retval; - } - krb5_free_principal(kpropd_context, iprop_svc_principal); - -reinit: - /* - * Authentication, initialize rpcsec_gss handle etc. - */ - if (debug) { - fprintf(stderr, _("Initializing kadm5 as client %s\n"), - iprop_svc_princstr); - } - retval = kadm5_init_with_skey(kpropd_context, iprop_svc_princstr, - srvtab, - master_svc_princstr, - ¶ms, - KADM5_STRUCT_VERSION, - KADM5_API_VERSION_4, - db_args, - &server_handle); - - if (retval) { - if (debug) - fprintf(stderr, _("kadm5 initialization failed!\n")); - if (retval == KADM5_RPC_ERROR) { - reinit_cnt++; - if (server_handle) - kadm5_destroy(server_handle); - server_handle = NULL; - handle = NULL; - - com_err(progname, retval, _( - "while attempting to connect" - " to master KDC ... retrying")); - backoff_time = backoff_from_master(&reinit_cnt); - if (debug) { - fprintf(stderr, _("Sleeping %d seconds to re-initialize " - "kadm5 (RPC ERROR)\n"), backoff_time); - } - sleep(backoff_time); - goto reinit; - } else { - if (retval == KADM5_BAD_CLIENT_PARAMS || - retval == KADM5_BAD_SERVER_PARAMS) { - com_err(progname, retval, - _("while initializing %s interface"), - progname); - - usage(); - } - reinit_cnt++; - com_err(progname, retval, - _("while initializing %s interface, retrying"), - progname); - backoff_time = backoff_from_master(&reinit_cnt); - if (debug) { - fprintf(stderr, _("Sleeping %d seconds to re-initialize " - "kadm5 (krb5kdc not running?)\n"), - backoff_time); - } - sleep(backoff_time); - goto reinit; - } - } - - if (debug) - fprintf(stderr, _("kadm5 initialization succeeded\n")); - - /* - * Reset re-initialization count to zero now. - */ - reinit_cnt = backoff_time = 0; - - /* - * Reset the handle to the correct type for the RPC call - */ - handle = server_handle; - - for (;;) { - incr_ret = NULL; - full_ret = NULL; - - /* - * Get the most recent ulog entry sno + ts, which - * we package in the request to the master KDC - */ - retval = ulog_get_last(kpropd_context, &mylast); - if (retval) { - com_err(progname, retval, _("reading update log header")); - goto done; - } - - /* - * Loop continuously on an iprop_get_updates_1(), - * so that we can keep probing the master for updates - * or (if needed) do a full resync of the krb5 db. - */ - - if (debug) { - fprintf(stderr, _("Calling iprop_get_updates_1 " - "(sno=%u sec=%u usec=%u)\n"), - (unsigned int)mylast.last_sno, - (unsigned int)mylast.last_time.seconds, - (unsigned int)mylast.last_time.useconds); - } - gettimeofday(&iprop_start, NULL); - incr_ret = iprop_get_updates_1(&mylast, handle->clnt); - if (incr_ret == (kdb_incr_result_t *)NULL) { - clnt_perror(handle->clnt, - _("iprop_get_updates call failed")); - if (server_handle) - kadm5_destroy(server_handle); - server_handle = NULL; - handle = (kadm5_iprop_handle_t)NULL; - if (debug) { - fprintf(stderr, _("Reinitializing iprop because get updates " - "failed\n")); - } - goto reinit; - } - - switch (incr_ret->ret) { - - case UPDATE_FULL_RESYNC_NEEDED: - /* - * If we're already asked for a full resync and we still - * need one and the last one hasn't timed out then just keep - * asking for updates as eventually the resync will finish - * (or, if it times out we'll just try again). Note that - * doit() also applies a timeout to the full resync, thus - * it's OK for us to do the same here. - */ - now = time(NULL); - if (frrequested && - (now - frrequested) < params.iprop_resync_timeout) { - if (debug) - fprintf(stderr, _("Still waiting for full resync\n")); - break; - } else { - frrequested = now; - if (debug) - fprintf(stderr, _("Full resync needed\n")); - syslog(LOG_INFO, _("kpropd: Full resync needed.")); - - full_ret = full_resync(handle->clnt); - if (full_ret == NULL) { - clnt_perror(handle->clnt, - _("iprop_full_resync call failed")); - kadm5_destroy(server_handle); - server_handle = NULL; - handle = NULL; - goto reinit; - } - } - - switch (full_ret->ret) { - case UPDATE_OK: - if (debug) - fprintf(stderr, _("Full resync request granted\n")); - syslog(LOG_INFO, _("Full resync request granted.")); - backoff_cnt = 0; - break; - - case UPDATE_BUSY: - /* - * Exponential backoff - */ - if (debug) - fprintf(stderr, _("Exponential backoff\n")); - backoff_cnt++; - break; - - case UPDATE_PERM_DENIED: - if (debug) - fprintf(stderr, _("Full resync permission denied\n")); - syslog(LOG_ERR, _("Full resync, permission denied.")); - goto error; - - case UPDATE_ERROR: - if (debug) - fprintf(stderr, _("Full resync error from master\n")); - syslog(LOG_ERR, _(" Full resync, " - "error returned from master KDC.")); - goto error; - - default: - backoff_cnt = 0; - if (debug) { - fprintf(stderr, - _("Full resync invalid result from master\n")); - } - syslog(LOG_ERR, _("Full resync, " - "invalid return from master KDC.")); - break; - } - break; - - case UPDATE_OK: - backoff_cnt = 0; - frrequested = 0; - - /* - * ulog_replay() will convert the ulog updates to db - * entries using the kdb conv api and will commit - * the entries to the slave kdc database - */ - if (debug) { - fprintf(stderr, _("Got incremental updates " - "(sno=%u sec=%u usec=%u)\n"), - (unsigned int)incr_ret->lastentry.last_sno, - (unsigned int)incr_ret->lastentry.last_time.seconds, - (unsigned int)incr_ret->lastentry.last_time.useconds); - } - retval = ulog_replay(kpropd_context, incr_ret, db_args); - - if (retval) { - const char *msg = - krb5_get_error_message(kpropd_context, retval); - if (debug) { - fprintf(stderr, _("ulog_replay failed (%s), updates not " - "registered\n"), msg); - } - syslog(LOG_ERR, _("ulog_replay failed (%s), updates " - "not registered."), msg); - krb5_free_error_message(kpropd_context, msg); - break; - } - - gettimeofday(&iprop_end, NULL); - usec = (iprop_end.tv_sec - iprop_start.tv_sec) * 1000000 + - iprop_end.tv_usec - iprop_start.tv_usec; - syslog(LOG_INFO, _("Incremental updates: %d updates / %lu us"), - incr_ret->updates.kdb_ulog_t_len, usec); - if (debug) { - fprintf(stderr, _("Incremental updates: %d updates / " - "%lu us\n"), - incr_ret->updates.kdb_ulog_t_len, usec); - } - break; - - case UPDATE_PERM_DENIED: - if (debug) - fprintf(stderr, _("get_updates permission denied\n")); - syslog(LOG_ERR, _("get_updates, permission denied.")); - goto error; - - case UPDATE_ERROR: - if (debug) - fprintf(stderr, _("get_updates error from master\n")); - syslog(LOG_ERR, _("get_updates, error returned from master KDC.")); - goto error; - - case UPDATE_BUSY: - /* - * Exponential backoff - */ - if (debug) - fprintf(stderr, _("get_updates master busy; backoff\n")); - backoff_cnt++; - break; - - case UPDATE_NIL: - /* - * Master-slave are in sync - */ - if (debug) - fprintf(stderr, _("KDC is synchronized with master.\n")); - backoff_cnt = 0; - frrequested = 0; - break; - - default: - backoff_cnt = 0; - if (debug) - fprintf(stderr, _("get_updates invalid result from master\n")); - syslog(LOG_ERR, _("get_updates, invalid return from master KDC.")); - break; - } - - if (runonce == 1 && incr_ret->ret != UPDATE_FULL_RESYNC_NEEDED) - goto done; - - /* - * Sleep for the specified poll interval (Default is 2 mts), - * or do a binary exponential backoff if we get an - * UPDATE_BUSY signal - */ - if (backoff_cnt > 0) { - backoff_time = backoff_from_master(&backoff_cnt); - if (debug) { - fprintf(stderr, _("Busy signal received " - "from master, backoff for %d secs\n"), - backoff_time); - } - sleep(backoff_time); - } else { - if (debug) { - fprintf(stderr, _("Waiting for %d seconds before checking " - "for updates again\n"), pollin); - } - sleep(pollin); - } - - } - - -error: - if (debug) - fprintf(stderr, _("ERROR returned by master, bailing\n")); - syslog(LOG_ERR, _("ERROR returned by master KDC, bailing.\n")); -done: - free(iprop_svc_princstr); - free(master_svc_princstr); - krb5_free_default_realm(kpropd_context, def_realm); - kadm5_destroy(server_handle); - krb5_db_fini(kpropd_context); - ulog_fini(kpropd_context); - krb5_free_context(kpropd_context); - - return (runonce == 1) ? 0 : 1; -} - - -/* Do exponential backoff, since master KDC is BUSY or down. */ -static unsigned int -backoff_from_master(int *cnt) -{ - unsigned int btime; - - btime = (unsigned int)(2<<(*cnt)); - if (btime > MAX_BACKOFF) { - btime = MAX_BACKOFF; - (*cnt)--; - } - - return btime; -} - -static void -kpropd_com_err_proc(const char *whoami, long code, const char *fmt, - va_list args) -#if !defined(__cplusplus) && (__GNUC__ > 2) - __attribute__((__format__(__printf__, 3, 0))) -#endif - ; - -static void -kpropd_com_err_proc(const char *whoami, long code, const char *fmt, - va_list args) -{ - char error_buf[8096]; - - error_buf[0] = '\0'; - if (fmt) - vsnprintf(error_buf, sizeof(error_buf), fmt, args); - syslog(LOG_ERR, "%s%s%s%s%s", whoami ? whoami : "", whoami ? ": " : "", - code ? error_message(code) : "", code ? " " : "", error_buf); -} - -static void -parse_args(char **argv) -{ - char **newargs, *word, ch; - krb5_error_code retval; - - memset(¶ms, 0, sizeof(params)); - - /* Since we may modify the KDB with ulog_replay(), we must read the KDC - * profile. */ - retval = krb5int_init_context_kdc(&kpropd_context); - if (retval) { - com_err(argv[0], retval, _("while initializing krb5")); - exit(1); - } - - progname = *argv++; - while ((word = *argv++) != NULL) { - /* We don't take any arguments, only options */ - if (*word != '-') - usage(); - - word++; - while (word != NULL && (ch = *word++) != '\0') { - switch (ch) { - case 'A': - params.mask |= KADM5_CONFIG_ADMIN_SERVER; - params.admin_server = (*word != '\0') ? word : *argv++; - if (params.admin_server == NULL) - usage(); - word = NULL; - break; - case 'f': - file = (*word != '\0') ? word : *argv++; - if (file == NULL) - usage(); - word = NULL; - break; - case 'F': - kerb_database = (*word != '\0') ? word : *argv++; - if (kerb_database == NULL) - usage(); - word = NULL; - break; - case 'p': - kdb5_util = (*word != '\0') ? word : *argv++; - if (kdb5_util == NULL) - usage(); - word = NULL; - break; - case 'P': - port = (*word != '\0') ? word : *argv++; - if (port == NULL) - usage(); - word = NULL; - break; - case 'r': - realm = (*word != '\0') ? word : *argv++; - if (realm == NULL) - usage(); - word = NULL; - break; - case 's': - srvtab = (*word != '\0') ? word : *argv++; - if (srvtab == NULL) - usage(); - word = NULL; - break; - case 'D': - nodaemon++; - break; - case 'd': - debug++; - break; - case 'S': - /* Standalone mode is now auto-detected; see main(). */ - break; - case 'a': - acl_file_name = (*word != '\0') ? word : *argv++; - if (acl_file_name == NULL) - usage(); - word = NULL; - break; - - case 't': - /* Undocumented option - for testing only. Run the kpropd - * server exactly once. */ - runonce = 1; - break; - - case 'x': - newargs = realloc(db_args, - (db_args_size + 2) * sizeof(*db_args)); - if (newargs == NULL) { - com_err(argv[0], errno, _("copying db args")); - exit(1); - } - db_args = newargs; - db_args[db_args_size] = (*word != '\0') ? word : *argv++; - if (db_args[db_args_size] == NULL) - usage(); - word = NULL; - db_args[db_args_size + 1] = NULL; - db_args_size++; - break; - - default: - usage(); - } - } - } - - openlog("kpropd", LOG_PID | LOG_ODELAY, SYSLOG_CLASS); - if (!debug) - set_com_err_hook(kpropd_com_err_proc); - - if (realm == NULL) { - retval = krb5_get_default_realm(kpropd_context, &def_realm); - if (retval) { - com_err(progname, retval, _("Unable to get default realm")); - exit(1); - } - realm = def_realm; - } else { - retval = krb5_set_default_realm(kpropd_context, realm); - if (retval) { - com_err(progname, retval, _("Unable to set default realm")); - exit(1); - } - } - - /* Construct service name from local hostname. */ - retval = sn2princ_realm(kpropd_context, NULL, KPROP_SERVICE_NAME, realm, - &server); - if (retval) { - com_err(progname, retval, - _("while trying to construct my service name")); - exit(1); - } - - /* Construct the name of the temporary file. */ - if (asprintf(&temp_file_name, "%s.temp", file) < 0) { - com_err(progname, ENOMEM, - _("while allocating filename for temp file")); - exit(1); - } - - params.realm = realm; - params.mask |= KADM5_CONFIG_REALM; - retval = kadm5_get_config_params(kpropd_context, 1, ¶ms, ¶ms); - if (retval) { - com_err(progname, retval, _("while initializing")); - exit(1); - } - if (params.iprop_enabled == TRUE) { - ulog_set_role(kpropd_context, IPROP_SLAVE); - - if (ulog_map(kpropd_context, params.iprop_logfile, - params.iprop_ulogsize)) { - com_err(progname, errno, _("Unable to map log!\n")); - exit(1); - } - } -} - -/* - * Figure out who's calling on the other end of the connection.... - */ -static void -kerberos_authenticate(krb5_context context, int fd, krb5_principal *clientp, - krb5_enctype *etype, struct sockaddr_storage *my_sin) -{ - krb5_error_code retval; - krb5_ticket *ticket; - struct sockaddr_storage r_sin; - GETSOCKNAME_ARG3_TYPE sin_length; - krb5_keytab keytab = NULL; - char *name, etypebuf[100]; - - /* Set recv_addr and send_addr. */ - sockaddr2krbaddr(context, my_sin->ss_family, (struct sockaddr *)my_sin, - &sender_addr); - - sin_length = sizeof(r_sin); - if (getsockname(fd, (struct sockaddr *)&r_sin, &sin_length)) { - com_err(progname, errno, _("while getting local socket address")); - exit(1); - } - - sockaddr2krbaddr(context, r_sin.ss_family, (struct sockaddr *)&r_sin, - &receiver_addr); - - if (debug) { - retval = krb5_unparse_name(context, server, &name); - if (retval) { - com_err(progname, retval, _("while unparsing client name")); - exit(1); - } - fprintf(stderr, "krb5_recvauth(%d, %s, %s, ...)\n", fd, kprop_version, - name); - free(name); - } - - retval = krb5_auth_con_init(context, &auth_context); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_auth_con_ini: %s"), - error_message(retval)); - exit(1); - } - - retval = krb5_auth_con_setflags(context, auth_context, - KRB5_AUTH_CONTEXT_DO_SEQUENCE); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_auth_con_setflags: %s"), - error_message(retval)); - exit(1); - } - - retval = krb5_auth_con_setaddrs(context, auth_context, receiver_addr, - sender_addr); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_auth_con_setaddrs: %s"), - error_message(retval)); - exit(1); - } - - if (srvtab != NULL) { - retval = krb5_kt_resolve(context, srvtab, &keytab); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_kt_resolve: %s"), - error_message(retval)); - exit(1); - } - } - - retval = krb5_recvauth(context, &auth_context, &fd, kprop_version, server, - 0, keytab, &ticket); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_recvauth: %s"), - error_message(retval)); - exit(1); - } - - retval = krb5_copy_principal(context, ticket->enc_part2->client, clientp); - if (retval) { - syslog(LOG_ERR, _("Error in krb5_copy_prinicpal: %s"), - error_message(retval)); - exit(1); - } - - *etype = ticket->enc_part.enctype; - - if (debug) { - retval = krb5_unparse_name(context, *clientp, &name); - if (retval) { - com_err(progname, retval, _("while unparsing client name")); - exit(1); - } - - retval = krb5_enctype_to_string(*etype, etypebuf, sizeof(etypebuf)); - if (retval) { - com_err(progname, retval, _("while unparsing ticket etype")); - exit(1); - } - - fprintf(stderr, _("authenticated client: %s (etype == %s)\n"), - name, etypebuf); - free(name); - } - - krb5_free_ticket(context, ticket); -} - -static krb5_boolean -authorized_principal(krb5_context context, krb5_principal p, - krb5_enctype auth_etype) -{ - char *name, *ptr, buf[1024]; - krb5_error_code retval; - FILE *acl_file; - int end; - krb5_enctype acl_etype; - - retval = krb5_unparse_name(context, p, &name); - if (retval) - return FALSE; - - acl_file = fopen(acl_file_name, "r"); - if (acl_file == NULL) - return FALSE; - - while (!feof(acl_file)) { - if (!fgets(buf, sizeof(buf), acl_file)) - break; - end = strlen(buf) - 1; - if (buf[end] == '\n') - buf[end] = '\0'; - if (!strncmp(name, buf, strlen(name))) { - ptr = buf + strlen(name); - - /* If the next character is not whitespace or null, then the match - * is only partial. Continue on to new lines. */ - if (*ptr != '\0' && !isspace((int)*ptr)) - continue; - - /* Otherwise, skip trailing whitespace. */ - for (; *ptr != '\0' && isspace((int)*ptr); ptr++) ; - - /* - * Now, look for an etype string. If there isn't one, return true. - * If there is an invalid string, continue. If there is a valid - * string, return true only if it matches the etype passed in, - * otherwise continue. - */ - if (*ptr != '\0' && - ((retval = krb5_string_to_enctype(ptr, &acl_etype)) || - (acl_etype != auth_etype))) - continue; - - free(name); - fclose(acl_file); - return TRUE; - } - } - free(name); - fclose(acl_file); - return FALSE; -} - -static void -recv_database(krb5_context context, int fd, int database_fd, - krb5_data *confmsg) -{ - krb5_ui_4 database_size, received_size; - int n; - char buf[1024]; - krb5_data inbuf, outbuf; - krb5_error_code retval; - - /* Receive and decode size from client. */ - retval = krb5_read_message(context, &fd, &inbuf); - if (retval) { - send_error(context, fd, retval, "while reading database size"); - com_err(progname, retval, - _("while reading size of database from client")); - exit(1); - } - if (krb5_is_krb_error(&inbuf)) - recv_error(context, &inbuf); - retval = krb5_rd_safe(context,auth_context,&inbuf,&outbuf,NULL); - if (retval) { - send_error(context, fd, retval, "while decoding database size"); - krb5_free_data_contents(context, &inbuf); - com_err(progname, retval, - _("while decoding database size from client")); - exit(1); - } - memcpy(&database_size, outbuf.data, sizeof(database_size)); - krb5_free_data_contents(context, &inbuf); - krb5_free_data_contents(context, &outbuf); - database_size = ntohl(database_size); - - /* Initialize the initial vector. */ - retval = krb5_auth_con_initivector(context, auth_context); - if (retval) { - send_error(context, fd, retval, - "failed while initializing i_vector"); - com_err(progname, retval, _("while initializing i_vector")); - exit(1); - } - - if (debug) - fprintf(stderr, _("Full propagation transfer started.\n")); - - /* Now start receiving the database from the net. */ - received_size = 0; - while (received_size < database_size) { - retval = krb5_read_message(context, &fd, &inbuf); - if (retval) { - snprintf(buf, sizeof(buf), - "while reading database block starting at offset %d", - received_size); - com_err(progname, retval, "%s", buf); - send_error(context, fd, retval, buf); - exit(1); - } - if (krb5_is_krb_error(&inbuf)) - recv_error(context, &inbuf); - retval = krb5_rd_priv(context, auth_context, &inbuf, &outbuf, NULL); - if (retval) { - snprintf(buf, sizeof(buf), - "while decoding database block starting at offset %d", - received_size); - com_err(progname, retval, "%s", buf); - send_error(context, fd, retval, buf); - krb5_free_data_contents(context, &inbuf); - exit(1); - } - n = write(database_fd, outbuf.data, outbuf.length); - krb5_free_data_contents(context, &inbuf); - krb5_free_data_contents(context, &outbuf); - if (n < 0) { - snprintf(buf, sizeof(buf), - "while writing database block starting at offset %d", - received_size); - send_error(context, fd, errno, buf); - } else if ((unsigned int)n != outbuf.length) { - snprintf(buf, sizeof(buf), - "incomplete write while writing database block starting " - "at \noffset %d (%d written, %d expected)", - received_size, n, outbuf.length); - send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); - } - received_size += outbuf.length; - } - - /* OK, we've seen the entire file. Did we get too many bytes? */ - if (received_size > database_size) { - snprintf(buf, sizeof(buf), - "Received %d bytes, expected %d bytes for database file", - received_size, database_size); - send_error(context, fd, KRB5KRB_ERR_GENERIC, buf); - } - - if (debug) - fprintf(stderr, _("Full propagation transfer finished.\n")); - - /* Create message acknowledging number of bytes received, but - * don't send it until kdb5_util returns successfully. */ - database_size = htonl(database_size); - inbuf.data = (char *)&database_size; - inbuf.length = sizeof(database_size); - retval = krb5_mk_safe(context,auth_context,&inbuf,confmsg,NULL); - if (retval) { - com_err(progname, retval, "while encoding # of receieved bytes"); - send_error(context, fd, retval, "while encoding # of received bytes"); - exit(1); - } -} - - -static void -send_error(krb5_context context, int fd, krb5_error_code err_code, - char *err_text) -{ - krb5_error error; - const char *text; - krb5_data outbuf; - char buf[1024]; - - memset(&error, 0, sizeof(error)); - krb5_us_timeofday(context, &error.stime, &error.susec); - error.server = server; - error.client = client; - - text = (err_text != NULL) ? err_text : error_message(err_code); - - error.error = err_code - ERROR_TABLE_BASE_krb5; - if (error.error > 127) { - error.error = KRB_ERR_GENERIC; - if (err_text) { - snprintf(buf, sizeof(buf), "%s %s", error_message(err_code), - err_text); - text = buf; - } - } - error.text.length = strlen(text) + 1; - error.text.data = strdup(text); - if (error.text.data) { - if (!krb5_mk_error(context, &error, &outbuf)) { - (void)krb5_write_message(context, &fd, &outbuf); - krb5_free_data_contents(context, &outbuf); - } - free(error.text.data); - } -} - -void -recv_error(krb5_context context, krb5_data *inbuf) -{ - krb5_error *error; - krb5_error_code retval; - - retval = krb5_rd_error(context, inbuf, &error); - if (retval) { - com_err(progname, retval, - _("while decoding error packet from client")); - exit(1); - } - if (error->error == KRB_ERR_GENERIC) { - if (error->text.data) - fprintf(stderr, _("Generic remote error: %s\n"), error->text.data); - } else if (error->error) { - com_err(progname, - (krb5_error_code)error->error + ERROR_TABLE_BASE_krb5, - _("signaled from server")); - if (error->text.data) { - fprintf(stderr, _("Error text from client: %s\n"), - error->text.data); - } - } - krb5_free_error(context, error); - exit(1); -} - -static void -load_database(krb5_context context, char *kdb_util, char *database_file_name) -{ - static char *edit_av[10]; - int error_ret, child_pid, count; - - /* has been included, so BSD will be defined on - * BSD systems. */ -#if BSD > 0 && BSD <= 43 -#ifndef WEXITSTATUS -#define WEXITSTATUS(w) (w).w_retcode -#endif - union wait waitb; -#else - int waitb; -#endif - kdb_log_context *log_ctx; - - if (debug) - fprintf(stderr, "calling kdb5_util to load database\n"); - - log_ctx = context->kdblog_context; - - edit_av[0] = kdb_util; - count = 1; - if (realm) { - edit_av[count++] = "-r"; - edit_av[count++] = realm; - } - edit_av[count++] = "load"; - if (kerb_database) { - edit_av[count++] = "-d"; - edit_av[count++] = kerb_database; - } - if (log_ctx && log_ctx->iproprole == IPROP_SLAVE) - edit_av[count++] = "-i"; - edit_av[count++] = database_file_name; - edit_av[count++] = NULL; - - switch (child_pid = fork()) { - case -1: - com_err(progname, errno, _("while trying to fork %s"), kdb_util); - exit(1); - case 0: - execv(kdb_util, edit_av); - com_err(progname, errno, _("while trying to exec %s"), kdb_util); - _exit(1); - /*NOTREACHED*/ - default: - if (debug) - fprintf(stderr, "Load PID is %d\n", child_pid); - if (wait(&waitb) < 0) { - com_err(progname, errno, _("while waiting for %s"), kdb_util); - exit(1); - } - } - - if (!WIFEXITED(waitb)) { - com_err(progname, 0, _("%s load terminated"), kdb_util); - exit(1); - } - - error_ret = WEXITSTATUS(waitb); - if (error_ret) { - com_err(progname, 0, _("%s returned a bad exit status (%d)"), - kdb_util, error_ret); - exit(1); - } - return; -} - -/* - * Get the host base service name for the kiprop principal. Returns - * KADM5_OK on success. Caller must free the storage allocated - * for host_service_name. - */ -static kadm5_ret_t -kadm5_get_kiprop_host_srv_name(krb5_context context, const char *realm_name, - char **host_service_name) -{ - char *name, *host; - - host = params.admin_server; /* XXX */ - if (asprintf(&name, "%s/%s", KADM5_KIPROP_HOST_SERVICE, host) < 0) { - free(host); - return ENOMEM; - } - *host_service_name = name; - - return KADM5_OK; -} diff --git a/src/slave/kproplog.c b/src/slave/kproplog.c deleted file mode 100644 index 4f19eeb..0000000 --- a/src/slave/kproplog.c +++ /dev/null @@ -1,567 +0,0 @@ -/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ -/* - * Copyright 2008 Sun Microsystems, Inc. All rights reserved. - * Use is subject to license terms. - */ - -/* - * This module will parse the update logs on the master or slave servers. - */ - -#include "k5-int.h" -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static char *progname; - -static void -usage() -{ - fprintf(stderr, _("\nUsage: %s [-h] [-v] [-v] [-e num]\n\t%s -R\n\n"), - progname, progname); - exit(1); -} - -/* - * Print the attribute flags of principal in human readable form. - */ -static void -print_flags(unsigned int flags) -{ - unsigned int i; - static char *prflags[] = { - "DISALLOW_POSTDATED", /* 0x00000001 */ - "DISALLOW_FORWARDABLE", /* 0x00000002 */ - "DISALLOW_TGT_BASED", /* 0x00000004 */ - "DISALLOW_RENEWABLE", /* 0x00000008 */ - "DISALLOW_PROXIABLE", /* 0x00000010 */ - "DISALLOW_DUP_SKEY", /* 0x00000020 */ - "DISALLOW_ALL_TIX", /* 0x00000040 */ - "REQUIRES_PRE_AUTH", /* 0x00000080 */ - "REQUIRES_HW_AUTH", /* 0x00000100 */ - "REQUIRES_PWCHANGE", /* 0x00000200 */ - "UNKNOWN_0x00000400", /* 0x00000400 */ - "UNKNOWN_0x00000800", /* 0x00000800 */ - "DISALLOW_SVR", /* 0x00001000 */ - "PWCHANGE_SERVICE", /* 0x00002000 */ - "SUPPORT_DESMD5", /* 0x00004000 */ - "NEW_PRINC", /* 0x00008000 */ - "UNKNOWN_0x00010000", /* 0x00010000 */ - "UNKNOWN_0x00020000", /* 0x00020000 */ - "UNKNOWN_0x00040000", /* 0x00040000 */ - "UNKNOWN_0x00080000", /* 0x00080000 */ - "OK_AS_DELEGATE", /* 0x00100000 */ - "OK_TO_AUTH_AS_DELEGATE", /* 0x00200000 */ - "NO_AUTH_DATA_REQUIRED", /* 0x00400000 */ - - }; - - for (i = 0; i < sizeof(prflags) / sizeof(*prflags); i++) { - if (flags & (krb5_flags)(1 << i)) - printf("\t\t\t%s\n", prflags[i]); - } -} - -/* ctime() for uint32_t* */ -static char * -ctime_uint32(uint32_t *time32) -{ - time_t tmp; - - tmp = *time32; - return ctime(&tmp); -} - -/* Display time information. */ -static void -print_time(uint32_t *timep) -{ - if (*timep == 0L) - printf("\t\t\tNone\n"); - else - printf("\t\t\t%s", ctime_uint32(timep)); -} - -static void -print_deltat(uint32_t *deltat) -{ - krb5_error_code ret; - static char buf[30]; - - ret = krb5_deltat_to_string(*deltat, buf, sizeof(buf)); - if (ret) - printf("\t\t\t(error)\n"); - else - printf("\t\t\t%s\n", buf); -} - -/* Display string in hex primitive. */ -static void -print_hex(const char *tag, utf8str_t *str) -{ - unsigned int i; - unsigned int len; - - len = str->utf8str_t_len; - - printf("\t\t\t%s(%d): 0x", tag, len); - for (i = 0; i < len; i++) - printf("%02x", (krb5_octet)str->utf8str_t_val[i]); - printf("\n"); -} - -/* Display string primitive. */ -static void -print_str(const char *tag, utf8str_t *str) -{ - krb5_error_code ret; - char *s; - - s = k5memdup0(str->utf8str_t_val, str->utf8str_t_len, &ret); - if (s == NULL) { - fprintf(stderr, _("\nCouldn't allocate memory")); - exit(1); - } - printf("\t\t\t%s(%d): %s\n", tag, str->utf8str_t_len, s); - free(s); -} - -/* Display data components. */ -static void -print_data(const char *tag, kdbe_data_t *data) -{ - printf("\t\t\tmagic: 0x%x\n", data->k_magic); - print_str(tag, &data->k_data); -} - -/* Display the principal components. */ -static void -print_princ(kdbe_princ_t *princ) -{ - int i, len; - kdbe_data_t *data; - - print_str("realm", &princ->k_realm); - - len = princ->k_components.k_components_len; - data = princ->k_components.k_components_val; - for (i = 0; i < len; i++, data++) - print_data("princ", data); -} - -/* Display individual key. */ -static void -print_key(kdbe_key_t *k) -{ - unsigned int i; - utf8str_t *str; - - printf("\t\t\tver: %d\n", k->k_ver); - printf("\t\t\tkvno: %d\n", k->k_kvno); - - for (i = 0; i < k->k_enctype.k_enctype_len; i++) - printf("\t\t\tenc type: 0x%x\n", k->k_enctype.k_enctype_val[i]); - - str = k->k_contents.k_contents_val; - for (i = 0; i < k->k_contents.k_contents_len; i++, str++) - print_hex("key", str); -} - -/* Display all key data. */ -static void -print_keydata(kdbe_key_t *keys, unsigned int len) -{ - unsigned int i; - - for (i = 0; i < len; i++, keys++) - print_key(keys); -} - -/* Display TL item. */ -static void -print_tl(kdbe_tl_t *tl) -{ - int i, len; - - printf("\t\t\ttype: 0x%x\n", tl->tl_type); - - len = tl->tl_data.tl_data_len; - - printf("\t\t\tvalue(%d): 0x", len); - for (i = 0; i < len; i++) - printf("%02x", (krb5_octet)tl->tl_data.tl_data_val[i]); - printf("\n"); -} - -/* Display TL data items. */ -static void -print_tldata(kdbe_tl_t *tldata, int len) -{ - int i; - - printf("\t\t\titems: %d\n", len); - for (i = 0; i < len; i++, tldata++) - print_tl(tldata); -} - -/* - * Print the individual types if verbose mode was specified. - * If verbose-verbose then print types along with respective values. - */ -static void -print_attr(kdbe_val_t *val, int vverbose) -{ - switch (val->av_type) { - case AT_ATTRFLAGS: - printf(_("\t\tAttribute flags\n")); - if (vverbose) - print_flags(val->kdbe_val_t_u.av_attrflags); - break; - case AT_MAX_LIFE: - printf(_("\t\tMaximum ticket life\n")); - if (vverbose) - print_deltat(&val->kdbe_val_t_u.av_max_life); - break; - case AT_MAX_RENEW_LIFE: - printf(_("\t\tMaximum renewable life\n")); - if (vverbose) - print_deltat(&val->kdbe_val_t_u.av_max_renew_life); - break; - case AT_EXP: - printf(_("\t\tPrincipal expiration\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_exp); - break; - case AT_PW_EXP: - printf(_("\t\tPassword expiration\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_pw_exp); - break; - case AT_LAST_SUCCESS: - printf(_("\t\tLast successful auth\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_last_success); - break; - case AT_LAST_FAILED: - printf(_("\t\tLast failed auth\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_last_failed); - break; - case AT_FAIL_AUTH_COUNT: - printf(_("\t\tFailed passwd attempt\n")); - if (vverbose) - printf("\t\t\t%d\n", val->kdbe_val_t_u.av_fail_auth_count); - break; - case AT_PRINC: - printf(_("\t\tPrincipal\n")); - if (vverbose) - print_princ(&val->kdbe_val_t_u.av_princ); - break; - case AT_KEYDATA: - printf(_("\t\tKey data\n")); - if (vverbose) { - print_keydata(val->kdbe_val_t_u.av_keydata.av_keydata_val, - val->kdbe_val_t_u.av_keydata.av_keydata_len); - } - break; - case AT_TL_DATA: - printf(_("\t\tTL data\n")); - if (vverbose) { - print_tldata(val->kdbe_val_t_u.av_tldata.av_tldata_val, - val->kdbe_val_t_u.av_tldata.av_tldata_len); - } - break; - case AT_LEN: - printf(_("\t\tLength\n")); - if (vverbose) - printf("\t\t\t%d\n", val->kdbe_val_t_u.av_len); - break; - case AT_PW_LAST_CHANGE: - printf(_("\t\tPassword last changed\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_pw_last_change); - break; - case AT_MOD_PRINC: - printf(_("\t\tModifying principal\n")); - if (vverbose) - print_princ(&val->kdbe_val_t_u.av_mod_princ); - break; - case AT_MOD_TIME: - printf(_("\t\tModification time\n")); - if (vverbose) - print_time(&val->kdbe_val_t_u.av_mod_time); - break; - case AT_MOD_WHERE: - printf(_("\t\tModified where\n")); - if (vverbose) - print_str("where", &val->kdbe_val_t_u.av_mod_where); - break; - case AT_PW_POLICY: - printf(_("\t\tPassword policy\n")); - if (vverbose) - print_str("policy", &val->kdbe_val_t_u.av_pw_policy); - break; - case AT_PW_POLICY_SWITCH: - printf(_("\t\tPassword policy switch\n")); - if (vverbose) - printf("\t\t\t%d\n", val->kdbe_val_t_u.av_pw_policy_switch); - break; - case AT_PW_HIST_KVNO: - printf(_("\t\tPassword history KVNO\n")); - if (vverbose) - printf("\t\t\t%d\n", val->kdbe_val_t_u.av_pw_hist_kvno); - break; - case AT_PW_HIST: - printf(_("\t\tPassword history\n")); - if (vverbose) - printf("\t\t\tPW history elided\n"); - break; - } /* switch */ - -} -/* - * Print the update entry information - */ -static void -print_update(kdb_hlog_t *ulog, uint32_t entry, uint32_t ulogentries, - unsigned int verbose) -{ - XDR xdrs; - uint32_t start_sno, i, j, indx; - char *dbprinc; - kdb_ent_header_t *indx_log; - kdb_incr_update_t upd; - - if (entry && (entry < ulog->kdb_num)) - start_sno = ulog->kdb_last_sno - entry; - else - start_sno = ulog->kdb_first_sno - 1; - - for (i = start_sno; i < ulog->kdb_last_sno; i++) { - indx = i % ulogentries; - - indx_log = INDEX(ulog, indx); - - /* - * Check for corrupt update entry - */ - if (indx_log->kdb_umagic != KDB_ULOG_MAGIC) { - fprintf(stderr, _("Corrupt update entry\n\n")); - exit(1); - } - - printf("---\n"); - printf(_("Update Entry\n")); - - printf(_("\tUpdate serial # : %u\n"), indx_log->kdb_entry_sno); - - /* The initial entry after a reset is a dummy entry; skip it. */ - if (indx_log->kdb_entry_size == 0) { - printf(_("\tDummy entry\n")); - continue; - } - - memset(&upd, 0, sizeof(kdb_incr_update_t)); - xdrmem_create(&xdrs, (char *)indx_log->entry_data, - indx_log->kdb_entry_size, XDR_DECODE); - if (!xdr_kdb_incr_update_t(&xdrs, &upd)) { - printf(_("Entry data decode failure\n\n")); - exit(1); - } - - printf(_("\tUpdate operation : ")); - if (upd.kdb_deleted) - printf(_("Delete\n")); - else - printf(_("Add\n")); - - dbprinc = malloc(upd.kdb_princ_name.utf8str_t_len + 1); - if (dbprinc == NULL) { - printf(_("Could not allocate principal name\n\n")); - exit(1); - } - strncpy(dbprinc, upd.kdb_princ_name.utf8str_t_val, - upd.kdb_princ_name.utf8str_t_len); - dbprinc[upd.kdb_princ_name.utf8str_t_len] = 0; - printf(_("\tUpdate principal : %s\n"), dbprinc); - - printf(_("\tUpdate size : %u\n"), indx_log->kdb_entry_size); - printf(_("\tUpdate committed : %s\n"), - indx_log->kdb_commit ? "True" : "False"); - - if (indx_log->kdb_time.seconds == 0L) { - printf(_("\tUpdate time stamp : None\n")); - } else{ - printf(_("\tUpdate time stamp : %s"), - ctime_uint32(&indx_log->kdb_time.seconds)); - } - - printf(_("\tAttributes changed : %d\n"), upd.kdb_update.kdbe_t_len); - - if (verbose) { - for (j = 0; j < upd.kdb_update.kdbe_t_len; j++) - print_attr(&upd.kdb_update.kdbe_t_val[j], verbose > 1 ? 1 : 0); - } - - xdr_free(xdr_kdb_incr_update_t, (char *)&upd); - free(dbprinc); - } -} - -/* Return a read-only mmap of the ulog, or NULL on failure. Assumes fd is - * released on process exit. */ -static kdb_hlog_t * -map_ulog(const char *filename) -{ - int fd; - struct stat st; - kdb_hlog_t *ulog; - - fd = open(filename, O_RDONLY); - if (fd == -1) - return NULL; - if (fstat(fd, &st) < 0) - return NULL; - ulog = mmap(0, st.st_size, PROT_READ, MAP_PRIVATE, fd, 0); - return (ulog == MAP_FAILED) ? NULL : ulog; -} - -int -main(int argc, char **argv) -{ - int c; - unsigned int verbose = 0; - bool_t headeronly = FALSE, reset = FALSE; - uint32_t entry = 0; - krb5_context context; - kadm5_config_params params; - kdb_hlog_t *ulog = NULL; - - setlocale(LC_ALL, ""); - - progname = argv[0]; - - while ((c = getopt(argc, argv, "Rvhe:")) != -1) { - switch (c) { - case 'h': - headeronly = TRUE; - break; - case 'e': - entry = atoi(optarg); - break; - case 'R': - reset = TRUE; - break; - case 'v': - verbose++; - break; - default: - usage(); - } - } - - if (krb5_init_context(&context)) { - fprintf(stderr, _("Unable to initialize Kerberos\n\n")); - exit(1); - } - - memset(¶ms, 0, sizeof(params)); - - if (kadm5_get_config_params(context, 1, ¶ms, ¶ms)) { - fprintf(stderr, _("Couldn't read database_name\n\n")); - exit(1); - } - - printf(_("\nKerberos update log (%s)\n"), params.iprop_logfile); - - if (reset) { - if (ulog_map(context, params.iprop_logfile, params.iprop_ulogsize)) { - fprintf(stderr, _("Unable to map log file %s\n\n"), - params.iprop_logfile); - exit(1); - } - if (ulog_init_header(context) != 0) { - fprintf(stderr, _("Couldn't reinitialize ulog file %s\n\n"), - params.iprop_logfile); - exit(1); - } - printf(_("Reinitialized the ulog.\n")); - exit(0); - } - - ulog = map_ulog(params.iprop_logfile); - if (ulog == NULL) { - fprintf(stderr, _("Unable to map log file %s\n\n"), - params.iprop_logfile); - exit(1); - } - - if (ulog->kdb_hmagic != KDB_ULOG_HDR_MAGIC) { - fprintf(stderr, _("Corrupt header log, exiting\n\n")); - exit(1); - } - - printf(_("Update log dump :\n")); - printf(_("\tLog version # : %u\n"), ulog->db_version_num); - printf(_("\tLog state : ")); - switch (ulog->kdb_state) { - case KDB_STABLE: - printf(_("Stable\n")); - break; - case KDB_UNSTABLE: - printf(_("Unstable\n")); - break; - case KDB_CORRUPT: - printf(_("Corrupt\n")); - break; - default: - printf(_("Unknown state: %d\n"), ulog->kdb_state); - break; - } - printf(_("\tEntry block size : %u\n"), ulog->kdb_block); - printf(_("\tNumber of entries : %u\n"), ulog->kdb_num); - - if (ulog->kdb_last_sno == 0) { - printf(_("\tLast serial # : None\n")); - } else { - if (ulog->kdb_first_sno == 0) { - printf(_("\tFirst serial # : None\n")); - } else { - printf(_("\tFirst serial # : ")); - printf("%u\n", ulog->kdb_first_sno); - } - - printf(_("\tLast serial # : ")); - printf("%u\n", ulog->kdb_last_sno); - } - - if (ulog->kdb_last_time.seconds == 0L) { - printf(_("\tLast time stamp : None\n")); - } else { - if (ulog->kdb_first_time.seconds == 0L) { - printf(_("\tFirst time stamp : None\n")); - } else { - printf(_("\tFirst time stamp : %s"), - ctime_uint32(&ulog->kdb_first_time.seconds)); - } - - printf(_("\tLast time stamp : %s\n"), - ctime_uint32(&ulog->kdb_last_time.seconds)); - } - - if (!headeronly && ulog->kdb_num) - print_update(ulog, entry, params.iprop_ulogsize, verbose); - - printf("\n"); - - kadm5_free_config_params(context, ¶ms); - krb5_free_context(context); - return 0; -} diff --git a/src/slave/kslave_update b/src/slave/kslave_update deleted file mode 100644 index 4497072..0000000 --- a/src/slave/kslave_update +++ /dev/null @@ -1,30 +0,0 @@ -#!/bin/sh -# -# Propagate if database (principal.db) has been modified since last dump -# (dumpfile.dump_ok) or if database has been dumped since last successful -# propagation (dumpfile..last_prop) - -KDB_DIR=/usr/local/var/krb5kdc - -KDB_FILE=$KDB_DIR/principal.db -DUMPFILE=$KDB_DIR/slave_datatrans -KDB5_UTIL=/usr/local/sbin/kdb5_util -KPROP=/usr/local/sbin/kprop - -SLAVE=$1 -if [ -z "${SLAVE}" ] -then - echo "Usage $0 slave_server" -fi - -if [ "`ls -t $DUMPFILE.dump_ok $KDB_FILE | sed -n 1p`" = "$KDB_FILE" -o \ - "`ls -t $DUMPFILE.${SLAVE}.last_prop $DUMPFILE.dump_ok | \ - sed -n 1p`" = "$DUMPFILE.dump_ok" ] -then - - date - $KDB5_UTIL dump $DUMPFILE > /dev/null - - $KPROP -d -f $DUMPFILE ${SLAVE} - rm $DUMPFILE -fi diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in index b554691..e27617e 100644 --- a/src/tests/Makefile.in +++ b/src/tests/Makefile.in @@ -6,12 +6,12 @@ SUBDIRS = resolve asn.1 create hammer verify gssapi dejagnu shlib \ RUN_DB_TEST = $(RUN_SETUP) KRB5_KDC_PROFILE=kdc.conf KRB5_CONFIG=krb5.conf \ LC_ALL=C $(VALGRIND) -OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o icred.o \ - kdbtest.o localauth.o plugorder.o rdreq.o responder.o s2p.o \ - s4u2proxy.o unlockiter.o +OBJS= adata.o etinfo.o forward.o gcred.o hist.o hooks.o hrealm.o \ + icinterleave.o icred.o kdbtest.o localauth.o plugorder.o rdreq.o \ + responder.o s2p.o s4u2proxy.o unlockiter.o EXTRADEPSRCS= adata.c etinfo.c forward.c gcred.c hist.c hooks.c hrealm.c \ - icred.c kdbtest.c localauth.c plugorder.c rdreq.o responder.c s2p.c \ - s4u2proxy.c unlockiter.c + icinterleave.c icred.c kdbtest.c localauth.c plugorder.c rdreq.o \ + responder.c s2p.c s4u2proxy.c unlockiter.c TEST_DB = ./testdb TEST_REALM = FOO.TEST.REALM @@ -44,6 +44,9 @@ hooks: hooks.o $(KRB5_BASE_DEPLIBS) hrealm: hrealm.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ hrealm.o $(KRB5_BASE_LIBS) +icinterleave: icinterleave.o $(KRB5_BASE_DEPLIBS) + $(CC_LINK) -o $@ icinterleave.o $(KRB5_BASE_LIBS) + icred: icred.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o $@ icred.o $(KRB5_BASE_LIBS) @@ -115,8 +118,9 @@ kdb_check: kdc.conf krb5.conf $(RUN_DB_TEST) ../kadmin/dbutil/kdb5_util $(KADMIN_OPTS) destroy -f $(RM) $(TEST_DB)* stash_file -check-pytests: adata etinfo forward gcred hist hooks hrealm icred kdbtest -check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter +check-pytests: adata etinfo forward gcred hist hooks hrealm icinterleave icred +check-pytests: kdbtest localauth plugorder rdreq responder s2p s4u2proxy +check-pytests: unlockiter $(RUNPYTEST) $(srcdir)/t_general.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_hooks.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_dump.py $(PYTESTFLAGS) @@ -126,8 +130,10 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter $(RUNPYTEST) $(srcdir)/t_changepw.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_pkinit.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_otp.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_spake.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_localauth.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kadm5_hook.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_kadm5_auth.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_pwqual.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_hostrealm.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_kdb_locking.py $(PYTESTFLAGS) @@ -167,10 +173,15 @@ check-pytests: localauth plugorder rdreq responder s2p s4u2proxy unlockiter $(RUNPYTEST) $(srcdir)/t_preauth.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_princflags.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_tabdump.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_certauth.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_y2038.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_kdcpolicy.py $(PYTESTFLAGS) + $(RUNPYTEST) $(srcdir)/t_u2u.py $(PYTESTFLAGS) clean: - $(RM) adata etinfo forward gcred hist hooks hrealm icred kdbtest - $(RM) localauth plugorder rdreq responder s2p s4u2proxy unlockiter + $(RM) adata etinfo forward gcred hist hooks hrealm icinterleave icred + $(RM) kdbtest localauth plugorder rdreq responder s2p s4u2proxy + $(RM) unlockiter $(RM) krb5.conf kdc.conf $(RM) -rf kdc_realm/sandbox ldap $(RM) au.log diff --git a/src/tests/asn.1/Makefile.in b/src/tests/asn.1/Makefile.in index fec4e10..eabe0bd 100644 --- a/src/tests/asn.1/Makefile.in +++ b/src/tests/asn.1/Makefile.in @@ -9,12 +9,10 @@ SRCS= $(srcdir)/krb5_encode_test.c $(srcdir)/krb5_decode_test.c \ ASN1SRCS= $(srcdir)/krb5.asn1 $(srcdir)/pkix.asn1 $(srcdir)/otp.asn1 \ $(srcdir)/pkinit.asn1 $(srcdir)/pkinit-agility.asn1 \ - $(srcdir)/cammac.asn1 + $(srcdir)/cammac.asn1 $(srcdir)/spake.asn1 all: krb5_encode_test krb5_decode_test krb5_decode_leak t_trval -LOCALINCLUDES = -I$(srcdir)/../../lib/krb5/asn.1 - ENCOBJS = krb5_encode_test.o ktest.o ktest_equal.o utility.o trval.o krb5_encode_test: $(ENCOBJS) $(KRB5_BASE_DEPLIBS) diff --git a/src/tests/asn.1/deps b/src/tests/asn.1/deps index 3d45bb5..0b44f44 100644 --- a/src/tests/asn.1/deps +++ b/src/tests/asn.1/deps @@ -3,67 +3,67 @@ # $(OUTPRE)krb5_encode_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/asn.1/asn1buf.h \ - $(srcdir)/../../lib/krb5/asn.1/krbasn1.h $(top_srcdir)/include/k5-buf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - debug.h krb5_encode_test.c ktest.h utility.h + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h debug.h krb5_encode_test.c \ + ktest.h utility.h $(OUTPRE)krb5_decode_test.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/asn.1/asn1buf.h \ - $(srcdir)/../../lib/krb5/asn.1/krbasn1.h $(top_srcdir)/include/k5-buf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - debug.h krb5_decode_test.c ktest.h ktest_equal.h utility.h + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h debug.h krb5_decode_test.c \ + ktest.h ktest_equal.h utility.h $(OUTPRE)krb5_decode_leak.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/asn.1/asn1buf.h \ - $(srcdir)/../../lib/krb5/asn.1/krbasn1.h $(top_srcdir)/include/k5-buf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - debug.h krb5_decode_leak.c ktest.h utility.h + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h debug.h krb5_decode_leak.c \ + ktest.h utility.h $(OUTPRE)ktest.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/asn.1/asn1buf.h \ - $(srcdir)/../../lib/krb5/asn.1/krbasn1.h $(top_srcdir)/include/k5-buf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - ktest.c ktest.h utility.h + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h ktest.c ktest.h \ + utility.h $(OUTPRE)ktest_equal.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ - $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ - $(top_srcdir)/include/kdb.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - ktest_equal.c ktest_equal.h + $(top_srcdir)/include/k5-spake.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/kdb.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h ktest_equal.c \ + ktest_equal.h $(OUTPRE)utility.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ - $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(srcdir)/../../lib/krb5/asn.1/asn1buf.h \ - $(srcdir)/../../lib/krb5/asn.1/krbasn1.h $(top_srcdir)/include/k5-buf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ diff --git a/src/tests/asn.1/krb5_decode_leak.c b/src/tests/asn.1/krb5_decode_leak.c index 22601c7..77fd3ee 100644 --- a/src/tests/asn.1/krb5_decode_leak.c +++ b/src/tests/asn.1/krb5_decode_leak.c @@ -633,18 +633,6 @@ main(int argc, char **argv) krb5_free_ad_kdcissued); ktest_empty_ad_kdcissued(&kdci); } -#if 0 - /****************************************************************/ - /* encode_krb5_ad_signedpath_data */ - { - krb5_ad_signedpath_data spd, *tmp; - ktest_make_sample_ad_signedpath_data(&spd); - leak_test(spd, encode_krb5_ad_signedpath_data, - decode_krb5_ad_signedpath_data, - NULL); - ktest_empty_ad_signedpath_data(&spd); - } -#endif /****************************************************************/ /* encode_krb5_ad_signedpath */ { diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c index f17f9b1..ee70fa4 100644 --- a/src/tests/asn.1/krb5_decode_test.c +++ b/src/tests/asn.1/krb5_decode_test.c @@ -25,6 +25,7 @@ */ #include "k5-int.h" +#include "k5-spake.h" #include "ktest.h" #include "com_err.h" #include "utility.h" @@ -1107,6 +1108,42 @@ int main(argc, argv) ktest_empty_secure_cookie(&ref); } + /****************************************************************/ + /* decode_krb5_spake_factor */ + { + setup(krb5_spake_factor,ktest_make_minimal_spake_factor); + decode_run("spake_factor","(optionals NULL)","30 05 A0 03 02 01 01",decode_krb5_spake_factor,ktest_equal_spake_factor,k5_free_spake_factor); + ktest_empty_spake_factor(&ref); + } + { + setup(krb5_spake_factor,ktest_make_maximal_spake_factor); + decode_run("spake_factor","","30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61",decode_krb5_spake_factor,ktest_equal_spake_factor,k5_free_spake_factor); + ktest_empty_spake_factor(&ref); + } + + /****************************************************************/ + /* decode_krb5_pa_spake */ + { + setup(krb5_pa_spake,ktest_make_support_pa_spake); + decode_run("pa_spake","(support)","A0 0C 30 0A A0 08 30 06 02 01 01 02 01 02",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); + ktest_empty_pa_spake(&ref); + } + { + setup(krb5_pa_spake,ktest_make_challenge_pa_spake); + decode_run("pa_spake","(challenge)","A1 2D 30 2B A0 03 02 01 01 A1 09 04 07 54 20 76 61 6C 75 65 A2 19 30 17 30 05 A0 03 02 01 01 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); + ktest_empty_pa_spake(&ref); + } + { + setup(krb5_pa_spake,ktest_make_response_pa_spake); + decode_run("pa_spake","(response)","A2 34 30 32 A0 09 04 07 53 20 76 61 6C 75 65 A1 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); + ktest_empty_pa_spake(&ref); + } + { + setup(krb5_pa_spake,ktest_make_encdata_pa_spake); + decode_run("pa_spake","(encdata)","A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_pa_spake,ktest_equal_pa_spake,k5_free_pa_spake); + ktest_empty_pa_spake(&ref); + } + #ifndef DISABLE_PKINIT /****************************************************************/ diff --git a/src/tests/asn.1/krb5_encode_test.c b/src/tests/asn.1/krb5_encode_test.c index f5710b6..3efbfb4 100644 --- a/src/tests/asn.1/krb5_encode_test.c +++ b/src/tests/asn.1/krb5_encode_test.c @@ -759,6 +759,35 @@ main(argc, argv) encode_run(cookie, "secure_cookie", "", encode_krb5_secure_cookie); ktest_empty_secure_cookie(&cookie); } + /****************************************************************/ + /* encode_krb5_spake_factor */ + { + krb5_spake_factor factor; + ktest_make_minimal_spake_factor(&factor); + encode_run(factor, "spake_factor", "(optionals NULL)", + encode_krb5_spake_factor); + ktest_empty_spake_factor(&factor); + ktest_make_maximal_spake_factor(&factor); + encode_run(factor, "spake_factor", "", encode_krb5_spake_factor); + ktest_empty_spake_factor(&factor); + } + /****************************************************************/ + /* encode_krb5_pa_spake */ + { + krb5_pa_spake pa_spake; + ktest_make_support_pa_spake(&pa_spake); + encode_run(pa_spake, "pa_spake", "(support)", encode_krb5_pa_spake); + ktest_empty_pa_spake(&pa_spake); + ktest_make_challenge_pa_spake(&pa_spake); + encode_run(pa_spake, "pa_spake", "(challenge)", encode_krb5_pa_spake); + ktest_empty_pa_spake(&pa_spake); + ktest_make_response_pa_spake(&pa_spake); + encode_run(pa_spake, "pa_spake", "(response)", encode_krb5_pa_spake); + ktest_empty_pa_spake(&pa_spake); + ktest_make_encdata_pa_spake(&pa_spake); + encode_run(pa_spake, "pa_spake", "(encdata)", encode_krb5_pa_spake); + ktest_empty_pa_spake(&pa_spake); + } #ifndef DISABLE_PKINIT /****************************************************************/ /* encode_krb5_pa_pk_as_req */ diff --git a/src/tests/asn.1/ktest.c b/src/tests/asn.1/ktest.c index 43084cb..5bfdc5b 100644 --- a/src/tests/asn.1/ktest.c +++ b/src/tests/asn.1/ktest.c @@ -725,6 +725,8 @@ ktest_make_sample_pk_authenticator(krb5_pk_authenticator *p) ktest_make_sample_checksum(&p->paChecksum); /* We don't encode the checksum type, only the contents. */ p->paChecksum.checksum_type = 0; + p->freshnessToken = ealloc(sizeof(krb5_data)); + ktest_make_sample_data(p->freshnessToken); } static void @@ -1016,6 +1018,66 @@ ktest_make_sample_secure_cookie(krb5_secure_cookie *p) p->time = SAMPLE_TIME; } +void +ktest_make_minimal_spake_factor(krb5_spake_factor *p) +{ + p->type = 1; + p->data = NULL; +} + +void +ktest_make_maximal_spake_factor(krb5_spake_factor *p) +{ + p->type = 2; + p->data = ealloc(sizeof(*p->data)); + krb5_data_parse(p->data, "fdata"); +} + +void +ktest_make_support_pa_spake(krb5_pa_spake *p) +{ + krb5_spake_support *s = &p->u.support; + + s->ngroups = 2; + s->groups = ealloc(s->ngroups * sizeof(*s->groups)); + s->groups[0] = 1; + s->groups[1] = 2; + p->choice = SPAKE_MSGTYPE_SUPPORT; +} + +void +ktest_make_challenge_pa_spake(krb5_pa_spake *p) +{ + krb5_spake_challenge *c = &p->u.challenge; + + c->group = 1; + krb5_data_parse(&c->pubkey, "T value"); + c->factors = ealloc(3 * sizeof(*c->factors)); + c->factors[0] = ealloc(sizeof(*c->factors[0])); + ktest_make_minimal_spake_factor(c->factors[0]); + c->factors[1] = ealloc(sizeof(*c->factors[1])); + ktest_make_maximal_spake_factor(c->factors[1]); + c->factors[2] = NULL; + p->choice = SPAKE_MSGTYPE_CHALLENGE; +} + +void +ktest_make_response_pa_spake(krb5_pa_spake *p) +{ + krb5_spake_response *r = &p->u.response; + + krb5_data_parse(&r->pubkey, "S value"); + ktest_make_sample_enc_data(&r->factor); + p->choice = SPAKE_MSGTYPE_RESPONSE; +} + +void +ktest_make_encdata_pa_spake(krb5_pa_spake *p) +{ + ktest_make_sample_enc_data(&p->u.encdata); + p->choice = SPAKE_MSGTYPE_ENCDATA; +} + /****************************************************************/ /* destructors */ @@ -1651,6 +1713,8 @@ ktest_empty_pk_authenticator(krb5_pk_authenticator *p) { ktest_empty_checksum(&p->paChecksum); p->paChecksum.contents = NULL; + krb5_free_data(NULL, p->freshnessToken); + p->freshnessToken = NULL; } static void @@ -1854,3 +1918,40 @@ ktest_empty_secure_cookie(krb5_secure_cookie *p) { ktest_empty_pa_data_array(p->data); } + +void +ktest_empty_spake_factor(krb5_spake_factor *p) +{ + krb5_free_data(NULL, p->data); + p->data = NULL; +} + +void +ktest_empty_pa_spake(krb5_pa_spake *p) +{ + krb5_spake_factor **f; + + switch (p->choice) { + case SPAKE_MSGTYPE_SUPPORT: + free(p->u.support.groups); + break; + case SPAKE_MSGTYPE_CHALLENGE: + ktest_empty_data(&p->u.challenge.pubkey); + for (f = p->u.challenge.factors; *f != NULL; f++) { + ktest_empty_spake_factor(*f); + free(*f); + } + free(p->u.challenge.factors); + break; + case SPAKE_MSGTYPE_RESPONSE: + ktest_empty_data(&p->u.response.pubkey); + ktest_destroy_enc_data(&p->u.response.factor); + break; + case SPAKE_MSGTYPE_ENCDATA: + ktest_destroy_enc_data(&p->u.encdata); + break; + default: + break; + } + p->choice = SPAKE_MSGTYPE_UNKNOWN; +} diff --git a/src/tests/asn.1/ktest.h b/src/tests/asn.1/ktest.h index 493303c..1413cfa 100644 --- a/src/tests/asn.1/ktest.h +++ b/src/tests/asn.1/ktest.h @@ -28,6 +28,7 @@ #define __KTEST_H__ #include "k5-int.h" +#include "k5-spake.h" #include "kdb.h" #define SAMPLE_USEC 123456 @@ -124,6 +125,12 @@ void ktest_make_sample_kkdcp_message(krb5_kkdcp_message *p); void ktest_make_minimal_cammac(krb5_cammac *p); void ktest_make_maximal_cammac(krb5_cammac *p); void ktest_make_sample_secure_cookie(krb5_secure_cookie *p); +void ktest_make_minimal_spake_factor(krb5_spake_factor *p); +void ktest_make_maximal_spake_factor(krb5_spake_factor *p); +void ktest_make_support_pa_spake(krb5_pa_spake *p); +void ktest_make_challenge_pa_spake(krb5_pa_spake *p); +void ktest_make_response_pa_spake(krb5_pa_spake *p); +void ktest_make_encdata_pa_spake(krb5_pa_spake *p); /*----------------------------------------------------------------------*/ @@ -209,6 +216,8 @@ void ktest_empty_ldap_seqof_key_data(krb5_context, ldap_seqof_key_data *p); void ktest_empty_kkdcp_message(krb5_kkdcp_message *p); void ktest_empty_cammac(krb5_cammac *p); void ktest_empty_secure_cookie(krb5_secure_cookie *p); +void ktest_empty_spake_factor(krb5_spake_factor *p); +void ktest_empty_pa_spake(krb5_pa_spake *p); extern krb5_context test_context; extern char *sample_principal_name; diff --git a/src/tests/asn.1/ktest_equal.c b/src/tests/asn.1/ktest_equal.c index e8bb889..714cc43 100644 --- a/src/tests/asn.1/ktest_equal.c +++ b/src/tests/asn.1/ktest_equal.c @@ -853,6 +853,13 @@ ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref, array_compare(ktest_equal_otp_tokeninfo); } +int +ktest_equal_sequence_of_spake_factor(krb5_spake_factor **ref, + krb5_spake_factor **var) +{ + array_compare(ktest_equal_spake_factor); +} + #ifndef DISABLE_PKINIT static int @@ -1094,3 +1101,45 @@ ktest_equal_secure_cookie(krb5_secure_cookie *ref, krb5_secure_cookie *var) p = p && ref->time == ref->time; return p; } + +int +ktest_equal_spake_factor(krb5_spake_factor *ref, krb5_spake_factor *var) +{ + int p = TRUE; + if (ref == var) return TRUE; + else if (ref == NULL || var == NULL) return FALSE; + p = p && scalar_equal(type); + p = p && ptr_equal(data,ktest_equal_data); + return p; +} + +int +ktest_equal_pa_spake(krb5_pa_spake *ref, krb5_pa_spake *var) +{ + int p = TRUE; + if (ref == var) return TRUE; + else if (ref == NULL || var == NULL) return FALSE; + else if (ref->choice != var->choice) return FALSE; + switch (ref->choice) { + case SPAKE_MSGTYPE_SUPPORT: + p = p && scalar_equal(u.support.ngroups); + p = p && (memcmp(ref->u.support.groups,var->u.support.groups, + ref->u.support.ngroups * sizeof(int32_t)) == 0); + break; + case SPAKE_MSGTYPE_CHALLENGE: + p = p && struct_equal(u.challenge.pubkey,ktest_equal_data); + p = p && ptr_equal(u.challenge.factors, + ktest_equal_sequence_of_spake_factor); + break; + case SPAKE_MSGTYPE_RESPONSE: + p = p && struct_equal(u.response.pubkey,ktest_equal_data); + p = p && struct_equal(u.response.factor,ktest_equal_enc_data); + break; + case SPAKE_MSGTYPE_ENCDATA: + p = p && struct_equal(u.encdata,ktest_equal_enc_data); + break; + default: + break; + } + return p; +} diff --git a/src/tests/asn.1/ktest_equal.h b/src/tests/asn.1/ktest_equal.h index c7b5d74..cfa82ac 100644 --- a/src/tests/asn.1/ktest_equal.h +++ b/src/tests/asn.1/ktest_equal.h @@ -28,6 +28,7 @@ #define __KTEST_EQUAL_H__ #include "k5-int.h" +#include "k5-spake.h" #include "kdb.h" /* int ktest_equal_structure(krb5_structure *ref, *var) */ @@ -97,6 +98,8 @@ ktest_equal_sequence_of_algorithm_identifier(krb5_algorithm_identifier **ref, krb5_algorithm_identifier **var); int ktest_equal_sequence_of_otp_tokeninfo(krb5_otp_tokeninfo **ref, krb5_otp_tokeninfo **var); +int ktest_equal_sequence_of_spake_factor(krb5_spake_factor **ref, + krb5_spake_factor **var); len_array(ktest_equal_array_of_enctype,krb5_enctype); len_array(ktest_equal_array_of_data,krb5_data); @@ -152,4 +155,7 @@ int ktest_equal_cammac(krb5_cammac *ref, krb5_cammac *var); int ktest_equal_secure_cookie(krb5_secure_cookie *ref, krb5_secure_cookie *var); +generic(ktest_equal_spake_factor, krb5_spake_factor); +generic(ktest_equal_pa_spake, krb5_pa_spake); + #endif diff --git a/src/tests/asn.1/make-vectors.c b/src/tests/asn.1/make-vectors.c index 3cb8a45..2fc8546 100644 --- a/src/tests/asn.1/make-vectors.c +++ b/src/tests/asn.1/make-vectors.c @@ -40,6 +40,8 @@ #include #include #include +#include +#include static unsigned char buf[8192]; static size_t buf_pos; @@ -168,6 +170,36 @@ static struct other_verifiers overfs = { { verifiers, 2, 2 } }; static AD_CAMMAC_t cammac_2 = { { { (void *)adlist_2, 2, 2 } }, &vmac_1, &vmac_2, &overfs }; +/* SPAKESecondFactor */ +static SPAKESecondFactor_t factor_1 = { 1, NULL }; +static OCTET_STRING_t factor_data = { "fdata", 5 }; +static SPAKESecondFactor_t factor_2 = { 2, &factor_data }; + +/* PA-SPAKE (support) */ +static Int32_t group_1 = 1, group_2 = 2, *groups[] = { &group_1, &group_2 }; +static PA_SPAKE_t pa_spake_1 = { PA_SPAKE_PR_support, + { .support = { { groups, 2, 2 } } } }; + +/* PA-SPAKE (challenge) */ +static SPAKESecondFactor_t *factors[2] = { &factor_1, &factor_2 }; +static PA_SPAKE_t pa_spake_2 = { PA_SPAKE_PR_challenge, + { .challenge = { 1, { "T value", 7 }, + { factors, 2, 2 } } } }; + +/* PA-SPAKE (response) */ +UInt32_t enctype_5 = 5; +static PA_SPAKE_t pa_spake_3 = { PA_SPAKE_PR_response, + { .response = { { "S value", 7 }, + { 0, &enctype_5, + { "krbASN.1 test message", + 21 } } } } }; + +/* PA-SPAKE (encdata) */ +static PA_SPAKE_t pa_spake_4 = { PA_SPAKE_PR_encdata, + { .encdata = { 0, &enctype_5, + { "krbASN.1 test message", + 21 } } } }; + static int consume(const void *data, size_t size, void *dummy) { @@ -272,6 +304,30 @@ main() der_encode(&asn_DEF_AD_CAMMAC, &cammac_2, consume, NULL); printbuf(); + printf("\nMinimal SPAKESecondFactor:\n"); + der_encode(&asn_DEF_SPAKESecondFactor, &factor_1, consume, NULL); + printbuf(); + + printf("\nMaximal SPAKESecondFactor:\n"); + der_encode(&asn_DEF_SPAKESecondFactor, &factor_2, consume, NULL); + printbuf(); + + printf("\nPA-SPAKE (support):\n"); + der_encode(&asn_DEF_PA_SPAKE, &pa_spake_1, consume, NULL); + printbuf(); + + printf("\nPA-SPAKE (challenge):\n"); + der_encode(&asn_DEF_PA_SPAKE, &pa_spake_2, consume, NULL); + printbuf(); + + printf("\nPA-SPAKE (response):\n"); + der_encode(&asn_DEF_PA_SPAKE, &pa_spake_3, consume, NULL); + printbuf(); + + printf("\nPA-SPAKE (encdata):\n"); + der_encode(&asn_DEF_PA_SPAKE, &pa_spake_4, consume, NULL); + printbuf(); + printf("\n"); return 0; } diff --git a/src/tests/asn.1/pkinit_encode.out b/src/tests/asn.1/pkinit_encode.out index 463128d..3b0f719 100644 --- a/src/tests/asn.1/pkinit_encode.out +++ b/src/tests/asn.1/pkinit_encode.out @@ -4,7 +4,7 @@ encode_krb5_pa_pk_as_rep(dhInfo): A0 28 30 26 80 08 6B 72 62 35 64 61 74 61 A1 0 encode_krb5_pa_pk_as_rep(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep_draft9(dhSignedData): 80 08 6B 72 62 35 64 61 74 61 encode_krb5_pa_pk_as_rep_draft9(encKeyPack): 81 08 6B 72 62 35 64 61 74 61 -encode_krb5_auth_pack: 30 81 93 A0 29 30 27 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 +encode_krb5_auth_pack: 30 81 9F A0 35 30 33 A0 05 02 03 01 E2 40 A1 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A2 03 02 01 2A A3 06 04 04 31 32 33 34 A4 0A 04 08 6B 72 62 35 64 61 74 61 A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 A2 24 30 22 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 30 0B 06 09 2A 86 48 86 F7 12 01 02 02 A3 0A 04 08 6B 72 62 35 64 61 74 61 A4 10 30 0E 30 0C A0 0A 06 08 6B 72 62 35 64 61 74 61 encode_krb5_auth_pack_draft9: 30 75 A0 4F 30 4D A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 05 02 03 01 E2 40 A3 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A A4 03 02 01 2A A1 22 30 20 30 13 06 09 2A 86 48 86 F7 12 01 02 02 04 06 70 61 72 61 6D 73 03 09 00 6B 72 62 35 64 61 74 61 encode_krb5_kdc_dh_key_info: 30 25 A0 0B 03 09 00 6B 72 62 35 64 61 74 61 A1 03 02 01 2A A2 11 18 0F 31 39 39 34 30 36 31 30 30 36 30 33 31 37 5A encode_krb5_reply_key_pack: 30 26 A0 13 30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A1 0F 30 0D A0 03 02 01 01 A1 06 04 04 31 32 33 34 diff --git a/src/tests/asn.1/pkinit_trval.out b/src/tests/asn.1/pkinit_trval.out index 58d8706..f9edbe1 100644 --- a/src/tests/asn.1/pkinit_trval.out +++ b/src/tests/asn.1/pkinit_trval.out @@ -57,6 +57,7 @@ encode_krb5_auth_pack: . . [1] [Generalized Time] "19940610060317Z" . . [2] [Integer] 42 . . [3] [Octet String] "1234" +. . [4] [Octet String] "krb5data" . [1] [Sequence/Sequence Of] . . [Sequence/Sequence Of] . . . [Object Identifier] <9> diff --git a/src/tests/asn.1/reference_encode.out b/src/tests/asn.1/reference_encode.out index 824e079..a76deea 100644 --- a/src/tests/asn.1/reference_encode.out +++ b/src/tests/asn.1/reference_encode.out @@ -72,3 +72,9 @@ encode_krb5_kkdcp_message: 30 82 01 FC A0 82 01 EC 04 82 01 E8 6A 82 01 E4 30 82 encode_krb5_cammac(optionals NULL): 30 12 A0 10 30 0E 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 encode_krb5_cammac: 30 81 F2 A0 1E 30 1C 30 0C A0 03 02 01 01 A1 05 04 03 61 64 31 30 0C A0 03 02 01 02 A1 05 04 03 61 64 32 A1 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 6B 64 63 A2 3D 30 3B A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 13 30 11 A0 03 02 01 01 A1 0A 04 08 63 6B 73 75 6D 73 76 63 A3 52 30 50 30 13 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 31 30 39 A0 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A1 03 02 01 05 A2 03 02 01 10 A3 11 30 0F A0 03 02 01 01 A1 08 04 06 63 6B 73 75 6D 32 encode_krb5_secure_cookie: 30 2C 02 04 2D F8 02 25 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 +encode_krb5_spake_factor(optionals NULL): 30 05 A0 03 02 01 01 +encode_krb5_spake_factor: 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61 +encode_krb5_pa_spake(support): A0 0C 30 0A A0 08 30 06 02 01 01 02 01 02 +encode_krb5_pa_spake(challenge): A1 2D 30 2B A0 03 02 01 01 A1 09 04 07 54 20 76 61 6C 75 65 A2 19 30 17 30 05 A0 03 02 01 01 30 0E A0 03 02 01 02 A1 07 04 05 66 64 61 74 61 +encode_krb5_pa_spake(response): A2 34 30 32 A0 09 04 07 53 20 76 61 6C 75 65 A1 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 +encode_krb5_pa_spake(encdata): A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 diff --git a/src/tests/asn.1/spake.asn1 b/src/tests/asn.1/spake.asn1 new file mode 100644 index 0000000..50718d8 --- /dev/null +++ b/src/tests/asn.1/spake.asn1 @@ -0,0 +1,44 @@ +KerberosV5SPAKE { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) spake(8) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +IMPORTS + EncryptedData, Int32 + FROM KerberosV5Spec2 { iso(1) identified-organization(3) + dod(6) internet(1) security(5) kerberosV5(2) modules(4) + krb5spec2(2) }; + -- as defined in RFC 4120. + +SPAKESupport ::= SEQUENCE { + groups [0] SEQUENCE (SIZE(1..MAX)) OF Int32, + ... +} + +SPAKEChallenge ::= SEQUENCE { + group [0] Int32, + pubkey [1] OCTET STRING, + factors [2] SEQUENCE (SIZE(1..MAX)) OF SPAKESecondFactor, + ... +} + +SPAKESecondFactor ::= SEQUENCE { + type [0] Int32, + data [1] OCTET STRING OPTIONAL +} + +SPAKEResponse ::= SEQUENCE { + pubkey [0] OCTET STRING, + factor [1] EncryptedData, -- SPAKESecondFactor + ... +} + +PA-SPAKE ::= CHOICE { + support [0] SPAKESupport, + challenge [1] SPAKEChallenge, + response [2] SPAKEResponse, + encdata [3] EncryptedData, + ... +} + +END diff --git a/src/tests/asn.1/trval_reference.out b/src/tests/asn.1/trval_reference.out index c27a042..e5c7159 100644 --- a/src/tests/asn.1/trval_reference.out +++ b/src/tests/asn.1/trval_reference.out @@ -1584,3 +1584,53 @@ encode_krb5_secure_cookie: . . [Sequence/Sequence Of] . . . [1] [Integer] 13 . . . [2] [Octet String] "pa-data" + +encode_krb5_spake_factor(optionals NULL): + +[Sequence/Sequence Of] +. [0] [Integer] 1 + +encode_krb5_spake_factor: + +[Sequence/Sequence Of] +. [0] [Integer] 2 +. [1] [Octet String] "fdata" + +encode_krb5_pa_spake(support): + +[CONT 0] +. [Sequence/Sequence Of] +. . [0] [Sequence/Sequence Of] +. . . [Integer] 1 +. . . [Integer] 2 + +encode_krb5_pa_spake(challenge): + +[CONT 1] +. [Sequence/Sequence Of] +. . [0] [Integer] 1 +. . [1] [Octet String] "T value" +. . [2] [Sequence/Sequence Of] +. . . [Sequence/Sequence Of] +. . . . [0] [Integer] 1 +. . . [Sequence/Sequence Of] +. . . . [0] [Integer] 2 +. . . . [1] [Octet String] "fdata" + +encode_krb5_pa_spake(response): + +[CONT 2] +. [Sequence/Sequence Of] +. . [0] [Octet String] "S value" +. . [1] [Sequence/Sequence Of] +. . . [0] [Integer] 0 +. . . [1] [Integer] 5 +. . . [2] [Octet String] "krbASN.1 test message" + +encode_krb5_pa_spake(encdata): + +[CONT 3] +. [Sequence/Sequence Of] +. . [0] [Integer] 0 +. . [1] [Integer] 5 +. . [2] [Octet String] "krbASN.1 test message" diff --git a/src/tests/asn.1/utility.c b/src/tests/asn.1/utility.c index db1a9c0..b1eb902 100644 --- a/src/tests/asn.1/utility.c +++ b/src/tests/asn.1/utility.c @@ -95,7 +95,7 @@ krb5_data_parse(krb5_data *d, const char *s) memcpy(d->data, s, d->length); } -asn1_error_code +krb5_error_code krb5_data_hex_parse(krb5_data *d, const char *s) { int lo; @@ -130,33 +130,6 @@ krb5_data_hex_parse(krb5_data *d, const char *s) return 0; } -#if 0 -void -asn1buf_print(const asn1buf *buf) -{ - asn1buf bufcopy; - char *s=NULL; - int length; - int i; - - bufcopy.base = bufcopy.next = buf->next; - bufcopy.bound = buf->bound; - length = asn1buf_len(&bufcopy); - - s = calloc(3*length, sizeof(char)); - if (s == NULL) return; - for (i=0; i>4); - s[3*i+1] = hexchar((bufcopy.base)[i]&0x0F); - s[3*i+2] = ' '; - } - s[3*length-1] = '\0'; - - printf("%s\n",s); - free(s); -} -#endif - void init_access(const char *progname) { diff --git a/src/tests/asn.1/utility.h b/src/tests/asn.1/utility.h index f1cd458..e14507a 100644 --- a/src/tests/asn.1/utility.h +++ b/src/tests/asn.1/utility.h @@ -28,8 +28,6 @@ #define __UTILITY_H__ #include "k5-int.h" -#include "krbasn1.h" -#include "asn1buf.h" /* Aborts on failure. ealloc returns zero-filled memory. */ void *ealloc(size_t size); @@ -48,13 +46,11 @@ void asn1_krb5_data_unparse(const krb5_data *code, char **s); void krb5_data_parse(krb5_data *d, const char *s); /* effects Parses character string *s into krb5_data *d. */ -asn1_error_code krb5_data_hex_parse(krb5_data *d, const char *s); +krb5_error_code krb5_data_hex_parse(krb5_data *d, const char *s); /* requires *s is the string representation of a sequence of hexadecimal octets. (e.g. "02 01 00") effects Parses *s into krb5_data *d. */ -void asn1buf_print(const asn1buf *buf); - extern krb5int_access acc; extern void init_access(const char *progname); diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c index 622f549..7c06666 100644 --- a/src/tests/create/kdb5_mkdums.c +++ b/src/tests/create/kdb5_mkdums.c @@ -247,7 +247,7 @@ add_princ(context, str_newprinc) { /* Add mod princ to db entry */ - krb5_int32 now; + krb5_timestamp now; retval = krb5_timeofday(context, &now); if (retval) { diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp index 2d1686c..d7b2965 100644 --- a/src/tests/dejagnu/config/default.exp +++ b/src/tests/dejagnu/config/default.exp @@ -32,26 +32,6 @@ set tgt_support_desmd5 0 # request a des-cbc-md4 session key. Since only des-cbc-crc is in the # KDC's permitted_enctypes list, the TGT will be unusable. -# KLUDGE for tracking down leaking ptys -if 0 { - rename spawn oldspawn - rename wait oldwait - proc spawn { args } { - upvar 1 spawn_id spawn_id - verbose "spawn: args=$args" - set pid [eval oldspawn $args] - verbose "spawn: pid=$pid spawn_id=$spawn_id" - return $pid - } - proc wait { args } { - upvar 1 spawn_id spawn_id - verbose "wait: args=$args" - set ret [eval oldwait $args] - verbose "wait: $ret" - return $ret - } -} - if { [string length $VALGRIND] } { rename spawn valgrind_aux_spawn proc spawn { args } { @@ -182,7 +162,7 @@ set passes { {permitted_enctypes(client)=aes256-cts-hmac-sha1-96} {permitted_enctypes(server)=aes256-cts-hmac-sha1-96} {allow_weak_crypto(kdc)=false} - {allow_weak_crypto(slave)=false} + {allow_weak_crypto(replica)=false} {allow_weak_crypto(client)=false} {allow_weak_crypto(server)=false} {master_key_type=aes256-cts-hmac-sha1-96} @@ -194,19 +174,19 @@ set passes { des3_krbtgt=0 {supported_enctypes=aes256-sha2:normal} {permitted_enctypes(kdc)=aes256-sha2} - {permitted_enctypes(slave)=aes256-sha2} + {permitted_enctypes(replica)=aes256-sha2} {permitted_enctypes(client)=aes256-sha2} {permitted_enctypes(server)=aes256-sha2} {default_tgs_enctypes(kdc)=aes256-sha2} - {default_tgs_enctypes(slave)=aes256-sha2} + {default_tgs_enctypes(replica)=aes256-sha2} {default_tgs_enctypes(client)=aes256-sha2} {default_tgs_enctypes(server)=aes256-sha2} {default_tkt_enctypes(kdc)=aes256-sha2} - {default_tkt_enctypes(slave)=aes256-sha2} + {default_tkt_enctypes(replica)=aes256-sha2} {default_tkt_enctypes(client)=aes256-sha2} {default_tkt_enctypes(server)=aes256-sha2} {allow_weak_crypto(kdc)=false} - {allow_weak_crypto(slave)=false} + {allow_weak_crypto(replica)=false} {allow_weak_crypto(client)=false} {allow_weak_crypto(server)=false} {master_key_type=aes256-sha2} @@ -218,19 +198,19 @@ set passes { des3_krbtgt=0 {supported_enctypes=camellia256-cts:normal} {permitted_enctypes(kdc)=camellia256-cts} - {permitted_enctypes(slave)=camellia256-cts} + {permitted_enctypes(replica)=camellia256-cts} {permitted_enctypes(client)=camellia256-cts} {permitted_enctypes(server)=camellia256-cts} {default_tgs_enctypes(kdc)=camellia256-cts} - {default_tgs_enctypes(slave)=camellia256-cts} + {default_tgs_enctypes(replica)=camellia256-cts} {default_tgs_enctypes(client)=camellia256-cts} {default_tgs_enctypes(server)=camellia256-cts} {default_tkt_enctypes(kdc)=camellia256-cts} - {default_tkt_enctypes(slave)=camellia256-cts} + {default_tkt_enctypes(replica)=camellia256-cts} {default_tkt_enctypes(client)=camellia256-cts} {default_tkt_enctypes(server)=camellia256-cts} {allow_weak_crypto(kdc)=false} - {allow_weak_crypto(slave)=false} + {allow_weak_crypto(replica)=false} {allow_weak_crypto(client)=false} {allow_weak_crypto(server)=false} {master_key_type=camellia256-cts} @@ -279,7 +259,7 @@ set passes { mode=udp des3_krbtgt=0 {allow_weak_crypto(kdc)=false} - {allow_weak_crypto(slave)=false} + {allow_weak_crypto(replica)=false} {allow_weak_crypto(client)=false} {allow_weak_crypto(server)=false} {dummy=[verbose -log "all default enctypes"]} @@ -447,18 +427,19 @@ if ![info exists KEY] { # Clear away any files left over from a previous run. # We can't use them now because we don't know the right KEY. # krb5.conf might change if running tests on another host -file delete $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/slave.conf \ +file delete $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/replica.conf \ $tmppwd/krb5.client.conf $tmppwd/krb5.server.conf \ - $tmppwd/krb5.kdc.conf $tmppwd/krb5.slave.conf + $tmppwd/krb5.kdc.conf $tmppwd/krb5.replica.conf proc delete_db {} { global tmppwd - # Master and slave db files + # Master and replica db files file delete $tmppwd/kdc-db $tmppwd/kdc-db.ok $tmppwd/kdc-db.kadm5 \ - $tmppwd/kdc-db.kadm5.lock \ + $tmppwd/kdc-db.kadm5.lock $tmppwd/kdc-db.mdb $tmppwd/kdc-db.mdb-lock \ + $tmppwd/kdc-db.lockout.mdb $tmppwd/kdc-db.lockout.mdb-lock \ $tmppwd/kdc-db.ulog \ - $tmppwd/slave-db $tmppwd/slave-db.ok $tmppwd/slave-db.kadm5 $tmppwd/slave-db.kadm5.lock \ - $tmppwd/slave-db~ $tmppwd/slave-db~.ok $tmppwd/slave-db~.kadm5 $tmppwd/slave-db~.kadm5.lock + $tmppwd/replica-db $tmppwd/replica-db.ok $tmppwd/replica-db.kadm5 $tmppwd/replica-db.kadm5.lock \ + $tmppwd/replica-db~ $tmppwd/replica-db~.ok $tmppwd/replica-db~.kadm5 $tmppwd/replica-db~.kadm5.lock # Creating a new database means we need a new srvtab. file delete $tmppwd/srvtab $tmppwd/cpw_srvtab } @@ -505,10 +486,10 @@ foreach i { {KDESTROY $objdir/../../clients/kdestroy/kdestroy} {RESOLVE $objdir/../resolve/resolve} {T_INETD $objdir/t_inetd} - {KPROPLOG $objdir/../../slave/kproplog} + {KPROPLOG $objdir/../../kprop/kproplog} {KPASSWD $objdir/../../clients/kpasswd/kpasswd} - {KPROPD $objdir/../../slave/kpropd} - {KPROP $objdir/../../slave/kprop} + {KPROPD $objdir/../../kprop/kpropd} + {KPROP $objdir/../../kprop/kprop} } { set varname [lindex $i 0] if ![info exists $varname] { @@ -799,7 +780,7 @@ proc setup_kerberos_files { } { setup_krb5_conf client setup_krb5_conf server setup_krb5_conf kdc - setup_krb5_conf slave + setup_krb5_conf replica # Create a kdc.conf file. if { ![file exists $tmppwd/kdc.conf] \ @@ -848,11 +829,11 @@ proc setup_kerberos_files { } { close $conffile } - # Create a config file for the slave KDC (kpropd only, no normal + # Create a config file for the replica KDC (kpropd only, no normal # KDC processes). - if { ![file exists $tmppwd/slave.conf] \ + if { ![file exists $tmppwd/replica.conf] \ || $last_passname_conf != $multipass_name } { - set conffile [open $tmppwd/slave.conf w] + set conffile [open $tmppwd/replica.conf w] puts $conffile "\[kdcdefaults\]" puts $conffile " kdc_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" puts $conffile " kdc_tcp_listen = $portbase,[expr 1 + $portbase],[expr 2 + $portbase]" @@ -861,8 +842,8 @@ proc setup_kerberos_files { } { puts $conffile " $REALMNAME = \{" # Testing with a colon in the name exercises default handling # for pathnames. - puts $conffile " key_stash_file = $tmppwd/slave-stash" - puts $conffile " acl_file = $tmppwd/slave-acl" + puts $conffile " key_stash_file = $tmppwd/replica-stash" + puts $conffile " acl_file = $tmppwd/replica-acl" puts $conffile " kadmind_port = [expr 4 + $portbase]" puts $conffile " kpasswd_port = [expr 5 + $portbase]" puts $conffile " max_life = 1:00:00" @@ -887,7 +868,7 @@ proc setup_kerberos_files { } { if { $ulog != 0 } { puts $conffile " iprop_enable = true" puts $conffile " iprop_port = [expr 9 + $portbase]" - puts $conffile " iprop_logfile = $tmppwd/slave-db.ulog" + puts $conffile " iprop_logfile = $tmppwd/replica-db.ulog" } else { puts $conffile "# no ulog" } @@ -915,8 +896,9 @@ proc setup_kerberos_files { } { proc reset_kerberos_files { } { global tmppwd - file delete $tmppwd/kdc.conf $tmppwd/slave.conf $tmppwd/krb5.client.conf \ - $tmppwd/krb5.server.conf $tmppwd/krb5.kdc.conf + file delete $tmppwd/kdc.conf $tmppwd/replica.conf \ + $tmppwd/krb5.client.conf $tmppwd/krb5.server.conf \ + $tmppwd/krb5.kdc.conf setup_kerberos_files } @@ -933,6 +915,7 @@ proc setup_krb5_conf { {type client} } { global mode global portbase global srcdir + global env set pkinit_certs [findfile "[pwd]/$srcdir/pkinit-certs" "[pwd]/$srcdir/pkinit-certs" "$srcdir/pkinit-certs"] # Create a krb5.conf file. @@ -980,7 +963,7 @@ proc setup_krb5_conf { {type client} } { puts $conffile " kdc = $hostname:[expr 1 + $portbase]" puts $conffile " admin_server = $hostname:[expr 4 + $portbase]" puts $conffile " kpasswd_server = $hostname:[expr 5 + $portbase]" - puts $conffile " database_module = foo_db2" + puts $conffile " database_module = db" puts $conffile " \}" puts $conffile "" puts $conffile "\[domain_realm\]" @@ -993,8 +976,13 @@ proc setup_krb5_conf { {type client} } { puts $conffile "" puts $conffile "\[dbmodules\]" puts $conffile " db_module_dir = $tmppwd/../../../plugins/kdb" - puts $conffile " foo_db2 = {" - puts $conffile " db_library = db2" + puts $conffile " db = {" + if [info exists env(K5TEST_LMDB)] { + puts $conffile " db_library = klmdb" + puts $conffile " nosync = true" + } else { + puts $conffile " db_library = db2" + } puts $conffile " database_name = $tmppwd/$type-db" puts $conffile " }" close $conffile @@ -1068,7 +1056,7 @@ proc setup_kerberos_env { {type client} } { client - server { catch {unset env(KRB5_KDC_PROFILE)} } kdc { set env(KRB5_KDC_PROFILE) $tmppwd/kdc.conf } - slave { set env(KRB5_KDC_PROFILE) $tmppwd/slave.conf } + replica { set env(KRB5_KDC_PROFILE) $tmppwd/replica.conf } default { error "unknown config file type $type" } } if [info exists env(KRB5_KDC_PROFILE)] { @@ -1414,11 +1402,11 @@ proc setup_kerberos_db { standalone } { return 1 } -# setup_slave_db -# Initialize the slave Kerberos database. Returns 1 on success, 0 on +# setup_replica_db +# Initialize the replica Kerberos database. Returns 1 on success, 0 on # failure. -proc setup_slave_db { } { +proc setup_replica_db { } { global REALMNAME global KDB5_UTIL global KADMIN_LOCAL @@ -1429,7 +1417,7 @@ proc setup_slave_db { } { set failall 0 envstack_push - if { ![setup_kerberos_files] || ![setup_kerberos_env slave] } { + if { ![setup_kerberos_files] || ![setup_kerberos_env replica] } { set failall 1 } @@ -1445,7 +1433,7 @@ proc setup_slave_db { } { } } - set test "slave kdb5_util create " + set test "replica kdb5_util create " set body { if $failall { break @@ -1457,11 +1445,11 @@ proc setup_slave_db { } { expect "Enter KDC database master key:" - set test "slave kdb5_util create (verify)" + set test "replica kdb5_util create (verify)" send "masterkey$KEY\r" expect "Re-enter KDC database master key to verify:" - set test "slave kdb5_util create" + set test "replica kdb5_util create" send "masterkey$KEY\r" expect { -re "\[Cc\]ouldn't" { @@ -1484,7 +1472,7 @@ proc setup_slave_db { } { } # Stash the master key in a file. - set test "slave kdb5_util stash" + set test "replica kdb5_util stash" set body { if $failall { break @@ -1510,7 +1498,7 @@ proc setup_slave_db { } { if !$failall { # create the admin database lock file - catch "exec touch $tmppwd/slave-adb.lock" + catch "exec touch $tmppwd/replica-adb.lock" } return [expr !$failall] @@ -1521,11 +1509,11 @@ proc start_kpropd {} { global spawn_id envstack_push - setup_kerberos_env slave - spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-slave-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl + setup_kerberos_env replica + spawn $KPROPD -S -d -t -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl set kpropd_pid [exp_pid] set kpropd_spawn_id $spawn_id -# send_user [list $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-slave-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl]\n +# send_user [list $KPROPD -S -d -P [expr 10 + $portbase] -s $tmppwd/srvtab -f $tmppwd/incoming-replica-datatrans -p $KDB5_UTIL -a $tmppwd/kpropd-acl]\n # spawn_shell envstack_pop } diff --git a/src/tests/dejagnu/krb-standalone/kprop.exp b/src/tests/dejagnu/krb-standalone/kprop.exp index cc1a26a..2221a65 100644 --- a/src/tests/dejagnu/krb-standalone/kprop.exp +++ b/src/tests/dejagnu/krb-standalone/kprop.exp @@ -5,19 +5,24 @@ # the rest of the tests inside a proc, so that we can easily kill the # processes when the procedure ends. -proc setup_slave {} { - global tmppwd hostname REALMNAME - file delete $tmppwd/slave-stash $tmppwd/slave-acl - file copy -force $tmppwd/stash:foo $tmppwd/slave-stash - file copy -force $tmppwd/acl $tmppwd/slave-acl +proc setup_replica {} { + global tmppwd hostname REALMNAME env + file delete $tmppwd/replica-stash $tmppwd/replica-acl + file copy -force $tmppwd/stash:foo $tmppwd/replica-stash + file copy -force $tmppwd/acl $tmppwd/replica-acl if ![file exists $tmppwd/kpropdacl] { set aclfile [open $tmppwd/kpropd-acl w] puts $aclfile "host/$hostname@$REALMNAME" close $aclfile } - file copy -force $tmppwd/adb.lock $tmppwd/slave-adb.lock - foreach suffix { {} .kadm5 .kadm5.lock .ok } { - file copy -force $tmppwd/kdc-db$suffix $tmppwd/slave-db$suffix + file copy -force $tmppwd/adb.lock $tmppwd/replica-adb.lock + if [info exists env(K5TEST_LMDB)] { + set suffixes { .mdb .mdb-lock .lockout.mdb .lockout.mdb-lock } + } else { + set suffixes { {} .kadm5 .kadm5.lock .ok } + } + foreach suffix $suffixes { + file copy -force $tmppwd/kdc-db$suffix $tmppwd/replica-db$suffix } } @@ -59,7 +64,7 @@ proc doit { } { if ![setup_kerberos_db 0] { return } - setup_slave + setup_replica if ![start_kerberos_daemons 0] { return } @@ -74,7 +79,7 @@ proc doit { } { # Get kprop server up and running. envstack_push - setup_kerberos_env slave + setup_kerberos_env replica start_kpropd envstack_pop @@ -86,7 +91,7 @@ proc doit { } { # Dump master database. envstack_push setup_kerberos_env kdc - spawn $KDB5_UTIL dump $tmppwd/slave_datatrans + spawn $KDB5_UTIL dump $tmppwd/replica_datatrans expect eof if ![check_exit_status "kprop (kdb5_util dump)"] { return } @@ -94,7 +99,7 @@ proc doit { } { sleep 1 # Try a propagation. - spawn $KPROP -f $tmppwd/slave_datatrans -P [expr 10 + $portbase] -s $tmppwd/srvtab $hostname + spawn $KPROP -f $tmppwd/replica_datatrans -P [expr 10 + $portbase] -s $tmppwd/srvtab $hostname expect eof set kprop_exit [check_exit_status "kprop (exit status)"] # log output for debugging @@ -102,14 +107,14 @@ proc doit { } { if !$kprop_exit { return } # Examine new database. - setup_kerberos_env slave + setup_kerberos_env replica spawn $KADMIN_LOCAL -r $REALMNAME -q listprincs expect { wakawaka@ { expect eof } eof { - fail "kprop (updated slave data)" + fail "kprop (updated replica data)" return } timeout { diff --git a/src/tests/dejagnu/pkinit-certs/ca.pem b/src/tests/dejagnu/pkinit-certs/ca.pem index 55fe02c..f7421ba 100644 --- a/src/tests/dejagnu/pkinit-certs/ca.pem +++ b/src/tests/dejagnu/pkinit-certs/ca.pem @@ -1,29 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIE5TCCA82gAwIBAgIJANsFDWp1HgAaMA0GCSqGSIb3DQEBBQUAMIGnMQswCQYD -VQQGEwJVUzEWMBQGA1UECBMNTWFzc2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJp -ZGdlMQwwCgYDVQQKEwNNSVQxKTAnBgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJi -ZXJvcyB0ZXN0IENBMTMwMQYDVQQDFCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8g -bm90IHVzZSBvdGhlcndpc2UwHhcNMTAwMTA2MTQ1MTI3WhcNMjMwOTE1MTQ1MTI3 -WjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNV -BAcTCUNhbWJyaWRnZTEMMAoGA1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQ -a2luaXQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3Vp -dGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlMIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn -ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K -ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7 -5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc -5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW -riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4IBEDCCAQwwHQYDVR0O -BBYEFFn82RUKgTvkFn0cgwyCQpNeWCxYMIHcBgNVHSMEgdQwgdGAFFn82RUKgTvk -Fn0cgwyCQpNeWCxYoYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECBMNTWFz -c2FjaHVzZXR0czESMBAGA1UEBxMJQ2FtYnJpZGdlMQwwCgYDVQQKEwNNSVQxKTAn -BgNVBAsTIEluc2VjdXJlIFBraW5pdCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQD -FCpwa2luaXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCCQDb -BQ1qdR4AGjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBVL2Q6Xubs -gm881cAy6esku17/BSTZur7hCLHTGof1ZKNcCXALjmwNYNC3tl6owqpX8CSdBdsD -Bw/Vs9p3mqnaVEoZc8uW8zS6LoAQbcqiYdQHdEXMh3ec8uvAfmdlQsIsm5Ux8q8L -NM6bKnUOqOFOHme+RC4FGOLb8JqnnuQdwyIZaUyQP6hXbw4zyDphfgo1ZlZn20xh -I555kPfAZKEi/d3WY0oN4k+sfCs9tWRNjmqZfKkH1OqRpjCFGG0b0vY77MFRMuPz -YtN2iD3plgla7KkUMljp9th/Z8Ok79uA1TNLYKzoBjlAX0vToxfa8rrSNo1dHFKT -e5Tj7+29DE4I +MIIE5TCCA82gAwIBAgIBATANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG +A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz +dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowgacxCzAJ +BgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1i +cmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtl +cmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBk +byBub3QgdXNlIG90aGVyd2lzZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC +ggEBAL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qId +S8f7Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4r +rN5WZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevps +h+LPXsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpU +OCXopDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKO +Ka4Y2U5zy3++t6pd3oGlWCr96D0CAwEAAaOCARgwggEUMB0GA1UdDgQWBBSvEuBX +VNKtIomCkLcxpsKp9Ag9qzCB1AYDVR0jBIHMMIHJgBSvEuBXVNKtIomCkLcxpsKp +9Ag9q6GBraSBqjCBpzELMAkGA1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0 +dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoGA1UECgwDTUlUMSkwJwYDVQQLDCBJ +bnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVzdCBDQTEzMDEGA1UEAwwqcGtpbml0 +IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ugb3RoZXJ3aXNlggEBMAsGA1UdDwQE +AwIB/jAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQArUoCjqxsY +/m3nx/5BQSkBAL4T5RgWIX+L4y4GXloYYlafpw+SxRq0QffFm5fpCJBnMd21MbPl +k/YA+oq0/76cKyQmJ6h/Wl4KHCKKMmvGuhCEXzmrevk/EJ8lJXNdPfbBueAuLeyU +7X9tO8i9fJ59AZ9YWD9d//puOF+8xeHPxJIxHcR2jHpUOJPtm4yVu1LreHiJJTu4 +Xotp9yMpJu/uJM3aBKVS5N/5JreraLj9N6N8nZ/7nEw9Dj1zzGHcHCcqtcxz1oOH +Zbg5Jo8HhVhIHxKdKLvwEk60P+lkGFIE+IUmhWfcbbprTGs7VhxREwxaWyCapCOk +qlhbJdEcjHr2 -----END CERTIFICATE----- diff --git a/src/tests/dejagnu/pkinit-certs/generic.p12 b/src/tests/dejagnu/pkinit-certs/generic.p12 new file mode 100644 index 0000000000000000000000000000000000000000..238baa56bc7b4ec4a4cd66861d9a54888ae6baf8 GIT binary patch literal 2477 zcmV;e2~zejf(fYt0Ru3C32z1oDuzgg_YDCD0ic2jU<85*Trh$OSTKSF4+aS;hDe6@ z4FLxRpn?PdFoFa80s#Opf&=vi2`Yw2hW8Bt2LUh~1_~;MNQU6Cwj5&?-ITdyp+x|XE-*3B|L8H?6tR9A4HUV zXKXC4=L{;GYOU0TZ%YIlTM6d!F~cR^uf!*<@U_-l*QqJ>xt(al?+>_BvzoP^gL1N$ z`F-->tkpYWJQUWTg*!blr__$E(F`vAa6$tp#&2s#wO{Z+x9Qj#E{tn`2{H zg{vzUo0|{iV-+Q+#HBbV5=@9HX*$|bj>(CQqEHI)oQ(#V>5%ee;p0M7*Ncmla{Oaw`~Lk01PKR0)2+7#ypOR zE<@*23b5&ny_nUSu&QRYf<9ZS$K+zIxKS{-TDjaw zil6-nf!Sd?4znmK)|t(Kh;^hMN(xELd?H&?xwpdgxQuGz&lqkC*bt7YYcgZyhS`(_ zV#Eei3)wjY67{AC<7Jdb$1DrskBFGeZl1_X_JSlij;_AeG&Ze&pK!02Uol4a zAU3nTn}n!jf3MeflZTds*L87yad1DS(dZEx?R=EV`~wYbzuJ+gyipE3%clL}xH|uh z*0lFO@p4PYUlRKizgu%`-6@}1$(>d}Hi|tilS_mz$63&pG)DTS?u#a3%DdCMr6nS= zuqM$zP9u98I!aB)2ukr=BA^QLRczSH^0a)!b6RMWsc6m2lXG@=*;qxzKpg}Q;PWP$ zSPdG{kzh|I5&?lP;`r@Y6C5-O-aNIi>snK{0uoVguzqbh?|wC|;ZdY*FoFd^1_>&L zNQUi7=~UOR zVu`0Rq`j%-S6Ff=&?TzqMFSM&gz}ICHc9bAOg}ADuoHHkw?kNR=9F1w*lYN{EG@Q( z^&Z!5aJ#r-f4w{9{l_?xms3iieP1I%l~D*(t;Nk1aGOf}qn#GuBv85jI+6|9D>yt8 z=`CiI1xSM|6#z}e8mUO30BVUlR!<3__7-RBW%t*-clA6mka`9Ep#J89G6;43;kLxp z*-|yA&X1<^zP0+5jK3^7X7_8Ji!05N16zPQD?*Vmuu}Oqin+2p?#8~7bHAc6s#bFC zBNktoPt|Xx$KKi92&|HGRDq~8=dk}B3c`50V14okG{eS4V-1zL#^Hl>} zDnU~+pT_`PO~9}`Jv`1wS!fR(ZMPa4i`@TU5bt()(#ACb9{Y+&=*3 z?16YQJcXXtc1SY}^F0^kPKKB2!~3O%n-3mC^{G$p0l|354kxz5D%&q&VtpxbBv{)* zpMNnNpUwwe>D5nKequv57A`7WDkH{;SWnT$m6mFQM_4sCy6`Q6+R>fF3xV>`&)a%y zB1l^2YMSpWB_)PDnwNbAr1q&CK9%#FU7a%regezQN#m#I@aB>MWA)qZGWrv>>pVj~&d(I8p??>w1k}$4P^X zAWnN%6sS3RRKSDNfisfVQl0_dGxCM!+1Yl>tFQeHvTap~MEH7XV84MrcTfkph~OhN z{o=b|+k%aoLEyQSSSCuJgEO`uIb&{+Z)uzyj^e7-ow^S5`Lr4TK3IX)>y>`8oiIWy zH0hllKCxMqW=7K+*+}M2uMG#-iv4KGvA+{{p>ck6qZXw*_yoH?4r-2LxGhvU$-SJ& z%}Cbjx7lK8OxbcYY6+T8eDcs^;Xvdw>6;}lnp8q zOI2Bf

+yF}Y41&9t?C1#$YRn~NWY8C%6yHl*AOeW|@!q&2^AvuxK!KnnF`7+J)np zj6bGtii!U}#abz=^y{$*-&7lSX?~Xs2w?6rihtbpW0dcnT=iZgshJw14vAdMlwyD6 z|23bFWaw<;jHGdx+WL{QTwvP`6=BXmumW|@H&izw=M#i7|4o2kT^B@DwWN<09-mt* zH_scbs?(Qg+gx};zbY90=8VD210!z1E&|~fxwzSLg-MMc62*ZwTWl5YDkMj->^Hv+ zEh;f3Fe3&DDuzgg_YDCF6)_eB6ofmTa$1pK4AutIB1uG5% r0vZJX1QbFHUUX|Bgz^@{lOae~ZgSk8C3^%24n#rsPDd1M0s;sCf8Be; literal 0 HcmV?d00001 diff --git a/src/tests/dejagnu/pkinit-certs/generic.pem b/src/tests/dejagnu/pkinit-certs/generic.pem new file mode 100644 index 0000000..706c2f3 --- /dev/null +++ b/src/tests/dejagnu/pkinit-certs/generic.pem @@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDZjCCAk4CAQcwDQYJKoZIhvcNAQELBQAwgacxCzAJBgNVBAYTAlVTMRYwFAYD +VQQIDA1NYXNzYWNodXNldHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoM +A01JVDEpMCcGA1UECwwgSW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0Ex +MzAxBgNVBAMMKnBraW5pdCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVy +d2lzZTAeFw0xNzA4MjUxODMyMTFaFw0yODA4MDcxODMyMTFaMEoxCzAJBgNVBAYT +AlVTMRYwFAYDVQQIDA1NYXNzYWNodXNldHRzMRQwEgYDVQQKDAtLUkJURVNULkNP +TTENMAsGA1UEAwwEdXNlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AL8HFT/+Uia/TcSFIJJd7Z7ZFvMOYLhEkCyqRhW1ggDp0xrIAoh/fyxq4qIdS8f7 +Aurf39kzyS9NtDD2snKwfoLaZpunIXNLCujrlrqdhKsZdtl8aYLmjIhTLu4rrN5W +ZIRQULbkLiuqc6ZFOjOZxkR0NkC/CyfQTJO5a2TaMrweLswmY0k5KlAoevpsh+LP +XsLC66sqgYuWDD8c1Z9GlI8dW2abRPt+WUKskEgHqYJrCkjvPIZgS7UDAzpUOCXo +pDDr/qQ9dnAYzt98r/pCx621/2R4JttZbdsXQDbQaHhV69iJqACqZB0lLyKOKa4Y +2U5zy3++t6pd3oGlWCr96D0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAAniIG+xJ +6rXbrH2kt40GE58fFzrIlzhG4VzncNnpFitvPEMzN0kMa5LBX5/zSYiMawQBQ7C0 +FpCjz+n82VVW8iabCNoqUUNwOP7ZYmsoraHT9klSak/mLfAXOyOG3DUV9jntivnl +HUIiDO7Pf6GnVVROio9psQEVOX1+W1uq9Vs79+F5GI/s0QR9dG0qXvdJ0h5UdVee +8LVXQOi3cQKyBOwECwt0HA0pJwwcD6w9e8Y2NYTeOTamWGQVEV3NlcvtdSVuDJ8y +lTke2YbEKyHdcsQ1vrDHtdyfEmJcgO5c9EL5ptYJB7Yv1QiwWJOhLdT13IBYvOtO +ebOF6zAD73Bpkw== +-----END CERTIFICATE----- diff --git a/src/tests/dejagnu/pkinit-certs/kdc.pem b/src/tests/dejagnu/pkinit-certs/kdc.pem index 5575ab5..4eb811d 100644 --- a/src/tests/dejagnu/pkinit-certs/kdc.pem +++ b/src/tests/dejagnu/pkinit-certs/kdc.pem @@ -1,25 +1,29 @@ -----BEGIN CERTIFICATE----- -MIIEMjCCAxqgAwIBAgIBAjANBgkqhkiG9w0BAQUFADCBpzELMAkGA1UEBhMCVVMx -FjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcTCUNhbWJyaWRnZTEMMAoG -A1UEChMDTUlUMSkwJwYDVQQLEyBJbnNlY3VyZSBQa2luaXQgS2VyYmVyb3MgdGVz -dCBDQTEzMDEGA1UEAxQqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug -b3RoZXJ3aXNlMB4XDTEwMDEwNjE0NTgwOFoXDTIzMDkxNTE0NTgwOFowSjELMAkG -A1UEBhMCVVMxFjAUBgNVBAgTDU1hc3NhY2h1c2V0dHMxFTATBgNVBAoTDEtSQlRF -U1QuQ09NIDEMMAoGA1UECxMDS0RDMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB -CgKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmnZejPSKdN -MyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6KueerevR3 -pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY75NbXGIE4 -88iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc5dBSqBwV -cjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOWriIRmsqq -81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABo4HEMIHBMAkGA1UdEwQCMAAwCwYD -VR0PBAQDAgPoMBIGA1UdJQQLMAkGBysGAQUCAwUwHQYDVR0OBBYEFFn82RUKgTvk -Fn0cgwyCQpNeWCxYMB8GA1UdIwQYMBaAFFn82RUKgTvkFn0cgwyCQpNeWCxYMAkG -A1UdEgQCMAAwSAYDVR0RBEEwP6A9BgYrBgEFAgKgMzAxoA0bC0tSQlRFU1QuQ09N -oSAwHqADAgEBoRcwFRsGa3JidGd0GwtLUkJURVNULkNPTTANBgkqhkiG9w0BAQUF -AAOCAQEAP0byILHLWPyGlv/1HN34DfIpLdVkgGar2yceMtZ2v/7UjeA5PlZc8DFM -20bTq/vIN0eWDTPLI57e+MzQTMxs2UHsic4su0m5DG0cvQTsBXRK51CW/qUF+4n0 -qSEORULiDF6LNoo8akoLukNBhzBh+aqYt4aB46hhsmDmNZTDP1CXsNGHQI9/L52l -oqpUGx8tBpKIFos95PSajXrQn2u66rSMMi4aawitM2igurHPDMbC+XvEYMtXpOS5 -3PEzXEYiSV3TWLTzIE9ytswHeZyHCbp7XHx0LVZFxzqtIe4qmwJJOGhlbH21Izr4 -feF5h5e2ZrOVREY4cKkJmJhEwsqBVA== +MIIE4TCCA8mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG +A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz +dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMFoXDTI4MDgwNzE4MzIxMFowSTELMAkG +A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF +U1QuQ09NMQwwCgYDVQQDDANLREMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK +AoIBAQC/BxU//lImv03EhSCSXe2e2RbzDmC4RJAsqkYVtYIA6dMayAKIf38sauKi +HUvH+wLq39/ZM8kvTbQw9rJysH6C2mabpyFzSwro65a6nYSrGXbZfGmC5oyIUy7u +K6zeVmSEUFC25C4rqnOmRTozmcZEdDZAvwsn0EyTuWtk2jK8Hi7MJmNJOSpQKHr6 +bIfiz17CwuurKoGLlgw/HNWfRpSPHVtmm0T7fllCrJBIB6mCawpI7zyGYEu1AwM6 +VDgl6KQw6/6kPXZwGM7ffK/6Qsettf9keCbbWW3bF0A20Gh4VevYiagAqmQdJS8i +jimuGNlOc8t/vreqXd6BpVgq/eg9AgMBAAGjggFzMIIBbzAdBgNVHQ4EFgQUrxLg +V1TSrSKJgpC3MabCqfQIPaswgdQGA1UdIwSBzDCByYAUrxLgV1TSrSKJgpC3MabC +qfQIPauhga2kgaowgacxCzAJBgNVBAYTAlVTMRYwFAYDVQQIDA1NYXNzYWNodXNl +dHRzMRIwEAYDVQQHDAlDYW1icmlkZ2UxDDAKBgNVBAoMA01JVDEpMCcGA1UECwwg +SW5zZWN1cmUgUEtJTklUIEtlcmJlcm9zIHRlc3QgQ0ExMzAxBgNVBAMMKnBraW5p +dCB0ZXN0IHN1aXRlIENBOyBkbyBub3QgdXNlIG90aGVyd2lzZYIBATALBgNVHQ8E +BAMCA+gwDAYDVR0TAQH/BAIwADBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgDRsL +S1JCVEVTVC5DT02hIDAeoAMCAQGhFzAVGwZrcmJ0Z3QbC0tSQlRFU1QuQ09NMBIG +A1UdJQQLMAkGBysGAQUCAwUwDQYJKoZIhvcNAQELBQADggEBAFMX7ZTpNPdzFwkE +hrab7fSDeoG+mN0yorY8e5Evx6sE7pXOtHgHIjQY2Ys0lk2mhbsIKptL/R6jTxWR +rbmU6jFNFeJgn5ba3NWdhlUiZ8WKe2knp6uc9ZDIK007XaKA4rRoHlJ3vHXoF+ga +JFOYwRzCtAlmsOCQ0UetoC3Ju6Y6NhCXIE8f81dsh6RMADoQT0n/fcLY/JtbbLXK +ANTIWHm0oSX9wvOU/yZkYGuwcPd91cc6Mea8f3J8D/OiatMZXc3719extmeR6Cv6 +aba31kv9wtbxVuxkR7HhjlJhzhqfzfIp3tNREaIxPb/qKGWBOjwxGRqSUkdEqMvD +GjaSlyc= -----END CERTIFICATE----- diff --git a/src/tests/dejagnu/pkinit-certs/make-certs.sh b/src/tests/dejagnu/pkinit-certs/make-certs.sh index b82ef6f..387311a 100755 --- a/src/tests/dejagnu/pkinit-certs/make-certs.sh +++ b/src/tests/dejagnu/pkinit-certs/make-certs.sh @@ -4,7 +4,9 @@ NAMETYPE=1 KEYSIZE=2048 DAYS=4000 REALM=KRBTEST.COM +LOWREALM=krbtest.com KRB5_PRINCIPAL_SAN=1.3.6.1.5.2.2 +KRB5_UPN_SAN=1.3.6.1.4.1.311.20.2.3 PKINIT_KDC_EKU=1.3.6.1.5.2.3.5 PKINIT_CLIENT_EKU=1.3.6.1.5.2.3.4 TLS_SERVER_EKU=1.3.6.1.5.5.7.3.1 @@ -85,10 +87,34 @@ keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement basicConstraints = critical,CA:FALSE subjectAltName = otherName:$KRB5_PRINCIPAL_SAN;SEQUENCE:krb5princ_client extendedKeyUsage = $CLIENT_EKU_LIST + +[exts_upn_client] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement +basicConstraints = critical,CA:FALSE +subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$LOWREALM +extendedKeyUsage = $CLIENT_EKU_LIST + +[exts_upn2_client] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement +basicConstraints = critical,CA:FALSE +subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user +extendedKeyUsage = $CLIENT_EKU_LIST + +[exts_upn3_client] +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation,digitalSignature,keyEncipherment,keyAgreement +basicConstraints = critical,CA:FALSE +subjectAltName = otherName:$KRB5_UPN_SAN;UTF8:user@$REALM +extendedKeyUsage = $CLIENT_EKU_LIST EOF # Generate a private key. -openssl genrsa $KEYSIZE -nodes > privkey.pem +openssl genrsa $KEYSIZE > privkey.pem openssl rsa -in privkey.pem -out privkey-enc.pem -des3 -passout pass:encrypted # Generate a "CA" certificate. @@ -96,15 +122,14 @@ SUBJECT=ca openssl req -config openssl.cnf -new -x509 -extensions exts_ca \ -set_serial 1 -days $DAYS -key privkey.pem -out ca.pem # Generate a KDC certificate. -SUBJECT=kdc openssl req -config openssl.cnf -new -subj /CN=kdc \ - -key privkey.pem -out kdc.csr +SUBJECT=kdc openssl req -config openssl.cnf -new -key privkey.pem -out kdc.csr SUBJECT=kdc openssl x509 -extfile openssl.cnf -extensions exts_kdc \ -set_serial 2 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ -out kdc.pem -in kdc.csr # Generate a client certificate and PKCS#12 bundles. -SUBJECT=user openssl req -config openssl.cnf -new -subj /CN=user \ - -key privkey.pem -out user.csr +SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \ + -out user.csr SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_client \ -set_serial 3 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ -out user.pem -in user.csr @@ -113,5 +138,39 @@ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user.p12 \ openssl pkcs12 -export -in user.pem -inkey privkey.pem -out user-enc.p12 \ -passout pass:encrypted +# Generate a client certificate and PKCS#12 bundles with a UPN SAN. +SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \ + -out user-upn.csr +SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn_client \ + -set_serial 4 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ + -out user-upn.pem -in user-upn.csr +openssl pkcs12 -export -in user-upn.pem -inkey privkey.pem -out user-upn.p12 \ + -passout pass: + +SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \ + -out user-upn2.csr +SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn2_client \ + -set_serial 5 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ + -out user-upn2.pem -in user-upn2.csr +openssl pkcs12 -export -in user-upn2.pem -inkey privkey.pem \ + -out user-upn2.p12 -passout pass: + +SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \ + -out user-upn3.csr +SUBJECT=user openssl x509 -extfile openssl.cnf -extensions exts_upn3_client \ + -set_serial 6 -days $DAYS -req -CA ca.pem -CAkey privkey.pem \ + -out user-upn3.pem -in user-upn3.csr +openssl pkcs12 -export -in user-upn3.pem -inkey privkey.pem \ + -out user-upn3.p12 -passout pass: + +# Generate a client certificate and PKCS#12 bundle with no PKINIT extensions. +SUBJECT=user openssl req -config openssl.cnf -new -key privkey.pem \ + -out generic.csr +SUBJECT=user openssl x509 -set_serial 7 -days $DAYS -req -CA ca.pem \ + -CAkey privkey.pem -out generic.pem -in generic.csr +openssl pkcs12 -export -in generic.pem -inkey privkey.pem -out generic.p12 \ + -passout pass: + # Clean up. -rm -f openssl.cnf kdc.csr user.csr +rm -f openssl.cnf kdc.csr user.csr user-upn.csr user-upn2.csr user-upn3.csr +rm -f generic.csr diff --git a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem index 9f7816f..ee35e5c 100644 --- a/src/tests/dejagnu/pkinit-certs/privkey-enc.pem +++ b/src/tests/dejagnu/pkinit-certs/privkey-enc.pem @@ -1,30 +1,30 @@ -----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED -DEK-Info: DES-EDE3-CBC,91CA660D6286E453 +DEK-Info: DES-EDE3-CBC,7DF54DB740F92845 -DpJ5bo/AN37NcxTNv0Z4d5YomWqyryqYhuA43FlzWWKubld4Gp+owAv5BUd4VLx7 -Efq23ODfuiuh5zna/ZXnY+9m8RHS5AxDd2Kr1s/fVsn+m2Lw9qS69DLjxTjEuDLU -AwmVADqQUbvocZEt0Byn9oY4ku2lGOY/ax7tZ1WegLInnoCqT2xGC6TLw7Gwr3mX -z6xFB2Yv4PbvVU8y4V+ka0p5manxptYkrbAkC+vrC4LPUACdbonmpeXUxAfVV9hL -EMzY74IqY2QS1xFMhbLh2HunfjjC3HZ1wXMf1/LtLl1nnodiOk5o+MTLEHO+npaO -rJn2z3V/eQsr93M8/K5ONQcPAKZGOCmNpNQUj1UHnUHEubhpI+nqRYe3vqem5GaH -8gn+uc1/N6c/Bs037iSLWvkgk8mvHgH/26JobZ8qg9yYgVUl3AIVkkGwLGhE5+Kn -593/p4E5Mb6ttv3ZJ4f3Mz/1b84guhTENY67zxnQEGnpEjfRKoEN1vmHi6mIuWld -rrUCJ/x1Yvy2tN9eyuTNsGCcfvPeY22RrKgl7Wi0EIvBlLPKBQxqXOA7Mi9Acapd -+n5pW2Ka2FABSifZ36owa7SJEJ0GLMtdHmZPirolgIjOZVOMbSj2UuR/kXVZjZUM -LcRcVI1z8NgKF3RKs653HqkphcyRQMMQrL/A38t+v0zFA2P3HPoNWcD+BfKg0H37 -bHPjXdlvAD5yiFXKb1XN99utW5G/qCq5CdzAirm7drxR0bs4ZIV4SwTulvWLW644 -RYes8x7WKg3WUxtair++c1eTwTPhMLz/SxERYXxSUqpxJiRgYTQhwwbE22P6FCWT -H9pso5IMi6AJp35CGaYHi78NPLWVmrxgkkv2uBoDFd/iIQTac60aG/F86aozQD7V -DmHINEcsN3lVUmHinoNTcIfc5EZVEbLQIBhy3XI0UDxWuLnchVlU3ad1OKqknbbi -Ik3lmeLz07JFbpCcMk+xDlQsZYbxcRzyRh0NsWvHXuG77Hbcrnk3ndxT8wADsfOn -foXf1/R/gf7PDmte3nFlpEcJCHyeY1haIqgk4WsnUUKP56O75cGF1ylkaBrDPlLw -WaN2Li537ALo6TyB0jspdCzPqIRt8Gr4muoX0tqFjSfKaWmRb3Y7i6jbVrh8d6KV -xqLse0Vkaip4Lgf/VUWOTvlfHz9nLD0xR6OUPeQ3jxGdhLxmcYec1oRj1aVMlp6f -PyC6TN+NlPEtv6KWWB9OMc420DGOWllvS5+zsm7Ff7/5TkXlWmlhfhrkyQVy8NOe -/3ygPbpSfCFjJMwdbEX+ic/Qjk04f3CluP3FYiIG/Pd6ny6rclrhPHg08X6+sciU -Rj7QtoFpVsDvde2QO0depdoysAG1j1a+sas2lYNPG8hdzbPe20xIJCmF0fWfdxOy -BxxtKzpq46S8xKLfxAMvKrZNuZy5xhs3JMUjpxTIam7ZiQXd752LdzGx2s4CII6d -mkeQ/d32TDACAxyEK8es4Mcm3IoCAq/NjIU/ICwGDeOmfDUpsV2TMrg+aKMKcwUE -UK4bMXercw7Cs0C3o6mdCTFrTtsihHNTrbb7yyN83XK76niSc+LREbuJ8T0vp1Yh +3I3F5dJkYmjX49YRQub+AzWPOJock699vQZV3oxcAabcZWtLVbQ75QBXXBPEtm3j +LAqb3gRxfETHNHsSIEwGtN3rYre1UdKs3Bu9ROQNTvlbCwRdss3JA1kGhJu2o5bu +hf5sjpfR+ivf2prJ4whfhb4+efCHE0Ll669V33D2kbPKX0VCokkRmxsIoVtHd2qu +d1HM/EkjxrOy/GHZ+93mkSeWC4hz56VL5ApGOV4wHuphdvKy121mU0mjtQRKF2El +N7DtM9/AIAkLPx5wxrTJXuELd+BBDPbRMwmvgqCX1m8sJLJT2fBzVKRKWexowp7T +d3j9hT+kMiWCTgd4vJ+i/KPkK460Cy9PzFrzCtWut4jh6rZ+F9Tdp1g4Np0ygWAg +q9tV4RC7ylW0DeseRTXTLuohngfu0h7mXuhutr1Xmq+SoRuhBllZyexV4jJMc1kZ +2nv9RJ+h7mCAQbLSVvWCZpngfK2IcZhi4hfNiiQ/wqc6rE3eaBIR9E60kaCeBpWB +rxZm4VHOrwJw0GsaCRLQez1F65Ulk4TA+7TYJWnW/MGrvBptuBamwxk28Ts6eOee +RVwb/AdY4QBVJKKT+/e3Lfy409evmdTAA2N+tbYzALC1cH4ex4sO0BifaLmKo3t1 +fC2FLna4P9F17bbjcS1lSWVJKodofUEt4H03X7LaMhwe+sLRuKBIoTH2nLPHLIYg +B8NO1yFiJPFL0a8fi9kG8JJlCPkASQC5vcYg6BE40b7h7T4qw0HmkuH3i6TX6bsG +nQlryJ2BfQM+IT3MTEh/T1iHPZcTwFLPF9HMnZ/ydL/nM2kElF6YfMClFvuDGULQ +zmsvG4D/ndSisapJQeoevAwtCHybh8/3cy8CoAjBE9C1JlHOvP2+64rzvFVUAKfa +z5aZQQJKcdXcKcM8u8PgEyCN5x5tBqWQjSHR904k25KRkePAh8SoiSDuNQPwtzbB +RHesvkaSXuUaN7q1+oJzeQvzO8i79ud0Diu5y2KePrlB4HBSWCuWmvz9U+WvGBiw +KpEUAp/YpkqB1as4IUBDNjV1Y77cyUZ+/8EkPgAvB9wltCCAyQ5xi1h70cDJdabj +swabRD5JV1JLalFMDrOeOPZh1heaTNHXV8f7m8rMVeYVzVTM1JoQLlvKxcc3LVfN +9RLn/vTN7Ox//+385UiozC/PAo/Cep6Z1Wz+cwsd62HH0LVimVt2mrmHRKY983cw +U6cZyhvcTB5UOdJdhwbHfnxQipWRu//XRYY/yVdB6W2J4Gzh//adJfKOmHd8+cB+ +y8Q1yZP3diTGkhyY9pkXS7Gv2Q9mcXlMJtoyb7rqBIL/osVTKdsZn7Cj6ZYB6ftF ++hKQKNs/bKXYs3PF09UOInfUf57pENSr1AQBQceAisAsr8znRYsFlpqZ5L8G6um7 +XBneZ1RBj41wheB8g3kL6hj2UrXrE2rxDAw175a3BaxP/Wc2JgGcBWyJTVcZ35Ab +f24UNlrfcJdgEFETEiy12WY2VaqJCSY3J6YSimHDbffX+ku8QgU1shZf9z8K1l1A +OJQzbjlxPZT/k4cfw/Xi0rHdgWGcmL7tKLkTcrG/AixdEoI9KCSlQGSksI8CfFmj -----END RSA PRIVATE KEY----- diff --git a/src/tests/dejagnu/pkinit-certs/privkey.pem b/src/tests/dejagnu/pkinit-certs/privkey.pem index 1825dec..548e5a8 100644 --- a/src/tests/dejagnu/pkinit-certs/privkey.pem +++ b/src/tests/dejagnu/pkinit-certs/privkey.pem @@ -1,27 +1,27 @@ -----BEGIN RSA PRIVATE KEY----- -MIIEpQIBAAKCAQEAnYLMe58ny00MgskJP7tZ3PIQRpQkXGLJZKI0HfntCRbIuvmn -ZejPSKdNMyejzRIyjdw1FDJUAnpXYcic3TD5817G5H63UrllAGuy+lhQWNzE6c6K -ueerevR3pMaqHXonaflVasUu5e2AAWVnFbz4x04uLlQejqPwm5sR1xTeLUnVfSY7 -5NbXGIE488iDV0wW8nqGoVWn/TsRd+7KuQUIkJpt8+V6Jk6hPIcPqe6h7mXNGsgc -5dBSqBwVcjU9DbeT4xxxEmgQdLt7qdNwV1ZPLQnTQpogNrT5uf3oSbOTsyM02GOW -riIRmsqq81sfMrpviTRRDwoqTUEhoCSor0UmcwIDAQABAoIBAQCSMh5Tu9S2yUwM -dEZmZiGxhuf+anAZZAOjqT4QeLI/Fmu3yBNM7rq+p7JrAabyp6pOq46EsXXyWtWS -SB742wWUk2quGMNVQAj0TAJyhNgGstr+XJu8k8BBPnlycobhF0lP/oH+uQifl0KR -iSoWLjEG5JTOoXs/UAD6nQMBDDhv9TweEwSyIY9jq1J5Q3wVXm/Nr/FJ/8O53guJ -/TQeo6dtdx6x2+oxKkeWinfxmy2nSoEZd0eb3WUNPZswijO7QgSJolOo83VNqFcn -lj8hYT41zUM4chple8kGnuSV4ql4a1w/52dSTLKJbgukIqvxeDtKNost344eQqkS -Lwcc+NO5AoGBAM0bR8TmFlbP4RJAEOOilXTYgP6Ttd1r1mRXGi3DRPyv4EWGT7WW -MmBHsqU6Mqz+fcoD/AIy1BBdenhaYrrwyCSvitJpoHPjqzOJDX33wUcrnYeincQ3 -PVzpF41O45vTmm692DSJ8t/uR8DhGpCzf/kxuA9ixvdKgMPgBHYeb5zlAoGBAMSY -KZvgwbtlRR25CGaUgOCHtW76puaPcyxEeCbJEKkJO1vZDAf8vi1zXOM4e/gorKHm -349ZrBQfFCrvtZG//KvI12MpjBs0Z/ijSCwS4EkYJaSH+Hm+1ygLdArwWEFkNncL -qQ+Wme1OUoDiAAxRiBKUxUF/pAQqn7X+0MGa2th3AoGBAJ8kRaFu7XJaRUZF01Ts -d4571kqxDXFKFMUyGCvd0Q9G33rSZdJ9QYUW3HP7HgrAQ5WVVdnW2lgAT+BGMUjf -PkvIsKvmLQr+YX3RH1jX/W1dWBM/h64RNll6uj14Mn5bxv2Z68GIL5y0Y5QylMwl -mmwdubSmbb6+Xf6dOJj1sKBJAoGBAJwP0tAMHp6daL2Mmk+cSaZz9KJx1bYnYB1f -CSZ47IHTc0yZQ0S/7VR1ROKXf0njOA+aEBRi8ghTF5ZyDefyySixWdI9NByQgIzP -Sca7AVLlGVTAH4694VzHosngO59FZzsfhYh7XBwW1cW8Ip+kxWlCskgphFFOaNR3 -wM5AGMRHAoGAJELs9VYPRJd7h4dPUa2RqfVPlYkcMwvoLYykY0wE5mjoNaJkQbUr -W5aKhidh4h48fImt2rpB6OYSofYC4yu3VDEr/Kl2nSb8UPE5qEd1pvmdkHSxMNkh -M2diIqot6s2v20lE/6UCqLXonlquRK1MAlyfPw9yZHP9meCvlBsYZXc= +MIIEpAIBAAKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgC +iH9/LGrioh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22Xxp +guaMiFMu7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZj +STkqUCh6+myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88 +hmBLtQMDOlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2Imo +AKpkHSUvIo4prhjZTnPLf763ql3egaVYKv3oPQIDAQABAoIBAEe7ACa8d9qm4SvX +FYkAjjakq/JuxrDKxhyPf6utMXjoVGXtDs50matzI1DekVMxlUHe+O5VfMkvc2cj +a5SXY5n9KqRuGKhzWFBoDnxao7Of5zn5dqE5szGJksjKS6pdZHcutXBHtHKfGbgo +rJctuf6AaNLdKfI0TFz4NjRznrN2NyFQGhXzPpq34Qm3Rg91hVlU3A8FYjE7ez6b +vlJBsbKqnvzxEQMWTk0z0bWC79zE1ElH3Hpwfwb2cG7H4EXf0j6N5k2zODg7C45I +xWtlES+OpZqdDH6mKFBQojU375j6rb2plZGkTA+qxX9GvG7GsF5aOM6Wkge7SUeT +NUY2lB0CgYEA83u0TtxCMye1p+ykZwQdcEKR+l4aSjNsM2V2s8Zy4eZseR7f5fgZ +71ggIpzK9pjT55OiYJOwsEkZAPB0gBgiEcqJgow52w3Hg8sUU5LBEahUpx3Qm64W +64WNIOL9oVXYQu1S/yJ3iWPMQcH1xIlDtPPC1LH+yHyEOnGe4szIeccCgYEAyNkN +K2JEbbfK7Wsh3/MOtx5KCkzJzFClTSQZ55IxRUf+myauljKt+kI99jYV6eoicAJv +SMHQeYurLtSkhuyptAHUqo5xgH0HZ7cE7LV1nfam2p588Yg21nIId9XLDPK4AvCx +Phz1oznaiGMu4jB7esozuW4FKxB1kRmUikM8bdsCgYEA23jMRLFhsr6+jclPP9SD +vKck8mtUg0Hq7EEvSEk/UMTlTiA4bhC/P/FNtiVjBfkoOXvoR+mYwK6DLUeRm80l +GKhaXySLGhtHllK91b9Y7NOwypqjaVD5M/9EATraqEy7DUjjITsuSNd+TF/LawbX +0wpOum5fXNRwVEYKlCFHLA0CgYApr3LeSDzvkK/batrTAj1RoEW5sYpIj4xfYFjI +CT2UpYagaPzfS5F0WX9GtJ8Dt4aCPN8f+KnuMCDNTXEAV+o45BBhfcLs6gY5bnDl +OBw7NtAWm8JO1viatXwwcvz7qPysD4yZ2aTZxc4ndH5sj6dxKrpliAIml/nuraJ4 +t8+49QKBgQCxJ7ZDlM9J0quVivSui5aoZ7iLEiu6GSZ5yF1HSNXY69OnqQK3UxMl +aERCn/cKqtquJQK3v1IE6k6uAaoM7PXDVKqKSH0Z1Jpqciqjg+J/i7Vym6oCdjer +6zt6P7Q13f9X9uUlZBnNrT9jk5WjR9pSpxAc0vU78VKa0lZMZ3bROg== -----END RSA PRIVATE KEY----- diff --git a/src/tests/dejagnu/pkinit-certs/user-enc.p12 b/src/tests/dejagnu/pkinit-certs/user-enc.p12 index 107480c6d2564a2e60655f29a9984f3009c35a11..b2648ceaa04be6a560966a414a7bbc8ac022c20e 100644 GIT binary patch delta 2772 zcmV;_3M=*17nK%3FoFva0s#Xsf(q9L2`Yw2hW8Bt2LYgh3djV43dAsi3cxUe1$PDs zDuzgg_YDCD2B3lkXfT2WWC8&IFoFeLkw6`P2mbZY1y08z0s;sCfPw`uFvXr<26wL= z{44vddZVg}5IQrGK0xEKanogD{Q=ZKB>F46PNJ>-JfM)s5y6vP@@4(RV$)av@Ze{R zVTPLJW}tf7aau1KsUI^ji%>1k9jesUe{hVRuH%B8q?U6yMVb~u(( zf4mN1#e%@?oCc$bshq$y^Q9!UNJUepQ{_I`;QMdKgut=+ce=ZgGs zanPlK%rY-gQ#cK5X6R*>NZ1x=6_^bkP!uBi;?1=1OPqtHDd`d|7()4zYNGIevs5#s zyPLgB!XTpYiVcL-LgKDt(`TK?cr+Nxh_x~9CjYZMKYt-`j?vOZAfPaZOZu#Lv2*n9 zT2P>O9F+L>!#%@0x+F9*R}CrN;z~uQe-B84=(rakG@gDg0}FGHD`?>OFy7f`czikk zr$FTbL$bDeThx>?pA>&EB1AZUl)Tl=CpHiOii4kj_LOW*33R7NhTfcT!Hh9m<4cj; zE={{Ef?#Y}Q&RQHMcz=8up8V{+_r}nUXJdz1@%tuKmLY8YR6EZ`4Fx$Kbf2{M+7^S zXcIJ<{w|IozVcwg27#6bjRY%vW9TDL?`aN4a>hunqVK%k2a7bpP)Rf4-yLr0eV1O>PNu%VCb7Je^Qvcy*5#`yZ2qfx^e5`Dzz~VM(dU!l^y6A0@wFfP`PQzSP zBnudV{?Q{9y<9k?r(5KJS5%e*LEWp2;=;7UyN zCoxpRK+s=p6zA&DxD)+X@m7XPbTTCQG^L(m4JM>XH8D4jt!ZWrs zI|TEU%OCDahfTLta>z&W?7(?;-D@U?fryWzQpbO==p~>&4!@tyAJT^9u21b8Nr{a!e!hX#H0tf&Ef&|FB zP6&>-_wdr>>RT-@?wr7-~X=WK+bn45B#f=$jlCIHZbx;UfM z1oeD`(VkZC*y7w0i(XR=H3O5%umz#^3+}2x^|&HZXpL-{x<~nxDo)lpRcuBKUs<%h zI$&rWeF=XFjdG797^p@tdk(IV?f6c5g5;CGQSQU_@r#u>e;a2O=uR#B+D5bt?jH+C zwr0Lm7u$JKPKTOXpPYFJz4*>9iQBF$fz&$ei`+38-lnUb#zVt+jqgibJp4g#fu+ti zLWcWK!I`5AsTZB{cQ-vl>+XYar(I`NKn5~MaVme!VAD2YGnw@z%zTHIS-{~s))h#$rf`3})Ky46oe-xkX}Nh&Wvx{3vu~71K*R7!as=<9t9*>O+mWy z!Nh;6py{8w9{e-wJ+_OoSQ~|v*Z~w)2J3$PGpQP81-((9EInUL?=WU7Gi8>4-kAzAuo@>%RO!zwQO^^x0y_W96Mh3k%5d3PDg zVP*6R*vvLaB{0waP}wPTMvpto`E#Fs+P8mRzI5Iw@)~x%+hB$qk0Nje@UU+iz___e zUgB42PpLGI}azw)wy#?fKUiYm$EVV&KqWBit6F?$eOiG*LjV6_rPoJ74CI={4R zCiPgHldStmA)*4PVXGqy4RdYpL~5uSJ#{>BO7TPLm*BL|XEv4!+Zkv;7U>)eAbWqK z+?NHs|G9s-zP558>TN6`zQO;_x;!$bQ38 z`{XaUgE|7j^T&zMa_(Q3TJxqRAahZSD_OnNM}T8ucL5K98t?~!hOojoC&K$GQe(LZ zvwzk)VOf24Xmcyx{yT`he;eip6qA1#D<1D_WB|7p1wfyWqVs-cM#~_)iyL)LE#G1t zG63L*weiJMcAKo}lwtg_6DA#4$=RyXeE&QCBy>~*d&6(+Zgh;YLN&mDYx}ckr_N=N z)qZ92PCC4SI`q9i85@AjCfi-mR-ZHz%)#?{i5~1uNuu8q z*qDDSjzI2B+IvQi>-P@YF=6@26 z^xQBD^1P!6~bf(u(4wC@l#v@4Nd>cpY^L7?@GF(oh~1_>&LNQU0g$6*WuPSm z)&=BgN#*52!DdM7rK>Tl7p9;qj%3GuXDxAAtu*4h zC~9=k?MXWaO9t8Iz|oL*2?Un2l9AE|a$=h6Ph7myik>RjLzPAKR~3exF~gXi7EvqW zE~9J)1$c|Nk0{8hA?+9+)H9)`@X_yoFgT(r4IA^^MTMj{Qg_G_Ecp5%>Z9~6aEq$I zqZ#8v{eFLJh^yhFyaXX+Wj){=eEmUmy`7~T2J1-8fxBIne8Km2YT>L%0ByK93;aq*c}2&1oN%Xv@sK}hC3l=wcLZg~cO)e4BA z9A-09@Eafd$`l!^yiLb`C@H8+r5iaEM;12amg^s3a2XC}sPdDEl<$~&v&Pt^O1_1E zQLtxqpx7ZB63jv2o#cE0mya%atND;ON*P9$5}aRRDv>sZ{ey&Aj(@1u1CJ9R>^DKP z^ixMkvsI@5PQIVZ3yi;x99d6)uZU8`4H|tVT|k0A07DTdxKdUroElL%G2hIaX>&z- zGBw+$uCgJ}c49uynU1`N7tso{NI`B)cx`w%*LIVJ;lKpsWLl6f9RZbB1vefXcRoxN zf`j3p2&6|(LpTdfF`pzIs5HmQw0{t!f-w%I3Vn3;v*=k3Q$aN;z%(z;Q~Gd!!I0h)kqAw}+m z)+NTjby%K`)VatpY0W8Hew#n^$E=RUK7nr1>4 z>iwtm%PM>6uO=PfP>m?)-Gb0cP_7gNctp${p3IyR4R=HRqM7Ltg{E|SIaOHhlurhABd(0~x?Wl|2L82IQ(SU$e^JtfBDf7?-BFe^(x+A2}Ar^U?gLKFd_=+-4d3FF@XI)g-zh z-YtUJqo^N$Ly5y6L8u>qux4^IlnY>!6%dVBhAqwN2zEP8eon_hpqFqKTTU&#sK5}O zR_G2^6daRk?y%axch8{tVp@I}&7l#{P0Os;!v}UV1h?=i&-X=pfo-qbS+T++W?ZX%Us-H|5<*D)EJXiAg3Bf>mv`pr~(2A00e>r$U;JEGF6`VoCJzVa0|EX z?r-cm#ze}S%!%psUL4|O7o)w?aL6CUL2C;@kcy;3mXmu9k5552^YysVU|y}Dt4Tre zPV>~Ox;FGPu3FhmY0ynI1FpBTH20$$M^SakV6_70&$J`Hks;hNehz)Le^GJSJ=_GN zH*39XikMG#7>%AiDZORRkOLt30;%lzH4I}kR@``X%@4PRBKiA11Q+_vN>vOuEud{H z&<_ysqjijW)wp?Ok%G6mho{!?zW9O6j+^7LBvOZo|k^lr?BV+&1Np*EvfVARsB<$IWpEwLanuBXis{e8Dk%c%<_`_Vrl+ zeqkeQsAX_5vbkPxufliV&E|2DwZd zb0a{R1$ot?e^yQpL#pUx?VWYRLnMsW%7--ugt4*a$I(}Hbu=0C{2_Z-8}s81q&aI9 zJV$jFX1!0#)!Qr);z4f0ALns&37-$Ja!$6RBT&!xakOnxj9v0?HEOIy+(jna|HALOL6>+lrjgECvKHr!Gf67D>%p^v_`gSa$$4e+m*4;}Ckz#l?vNJZm2-dM=-bp!>L=k|AGKa`?vcIahAIZmTnuxhxl{YICp3 zbH$qBcKtQZ8KAYVKc9+^HbatsPu{fE0zFaZHYW(`rDO+*{EDYApMIT5Q32n4CqAZ* z3o$&+QaVdGHLs9Cc0+|GA=Q3D8!`&+u~`8Oe;^^E@Vz;0#P`PM6$qBdZ)?J)lMoT) zz)rs=&q(e@F^-GlakAu9)f*&p!LhhDMXuDwQi)vur?~mo6w(T M3X5P3IRXL*0PAOtl>h($ diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.p12 b/src/tests/dejagnu/pkinit-certs/user-upn.p12 new file mode 100644 index 0000000000000000000000000000000000000000..6daa5b378b83e9d4134ae48f8d1ebef715bf6cf5 GIT binary patch literal 2829 zcmV+o3-a_Zf(r=(0Ru3C3eN@!Duzgg_YDCD0ic2kzyyK{yfA_axG;hRZw3h}hDe6@ z4FLxRpn?TpFoFeK0s#Opf(2Cu2`Yw2hW8Bt2LUh~1_~;MNQUN0s;sCfPw`mhHnOw*nNFkP%C^((bX1%Zo`3HJ)quvhC}6b0RY6uy#t5i*K}$N zh};-;7T=r_V|Z0%+mm0e*PiOYeaAAu2SMDk7w(w1F9*dsAF(8`Clf-_zuoxXi|(-S zmwzg*Q7fh;5`5me2`G zT}33BIrtwbrAtxQU_u1LtK|{6gpV~{xkE5ejT2ihN^~x-hZKe}PsA-74%;xY%1B^HDt0=soP3^{EKJ)&_b-pf zV8cwL_(1dml;Sji;sm=;-v+HkA11xZBSO?WT>Mq#IX9Q(lbnzc-IFtMapDKhPV&DVle)|qkKy!c-q^L+Az<#w zX-2>?=tB?7VYffIM6$}a6Kgfi`l9;8)kBm>CA_bAt&oDDSBt;8>YJ9#(w%XM6^L%O z=wtff3z#ex`RsWBR0kT75}CAZ)&2w7ueub3a#4fUx78Pl4UE=`AdyO-Bk(i@@FZ$jbcl z4D`#{qivoo@^VWi^8*wNhWHBcM9aZ^hO!59Z!na}k}61}C|dqCeZzOBk4C*LcK$Me zqy0}?H22^^RdJ=i>)izIU+caHn$AdqnrQlye+yjHVauRy-|J4u6<7{TTLNDLr4%Jx z7%xd*F1-K)($19puY4lT#N$*#%oI5N9l~$Holz3v>H8AW=DHZP*Q){{$NlfdMSFO9 zy+TK62K+CJwcHulMox+Yv161FkG8U)tYegv5U)MDDs{~5)Zy8Vq?3WlAu12>GQzgO z?@8nsdpQehBOL@59{6^=S;}q79F2ApC(yr#ek0i2V3^nQ*yuV(RINBnl@%v2D7Ex* zmKu;qz_lRRfAx6YrQjz3=xAv!9@<_=4JtLy#>SSsX&w~{@sd$D?fVGCkk=yMAi_(gcw~VJ;|J3AU zk`);%Zg&6=cfM%r$Q?RW!0hdBllOO0TK$e}^K!@?FoFd^1_>&LNQU z_cG|%KJEen2ml0v1jwWxLtMKj7WLHxeyL68p9+yDW;pgVlP+UmQ2gSce(INm ztjsbGxMNEBsrAL|$t+Swub5X!u#c!x6Ku&p0j~W>F>f{_ePAde#=SNS#X0&z^HzqJ zYAyDwxNt&TfKJc%3yAgfrUZA4_&$b8o8XaNZw=|8qYljvN6gHeh`LuNoduPEs??HCmW_kLKB+z^3^ko zB8kLg`2?Mv*C=(}174E^T|HVijgl>z!W<6;;&M@6iN4j8POvVqyjx6)DjobfK~6<~ z7%khYK+C)Vt%gi|i_?biit2s2uv55r%l3^)y{QgM0n47#GM?V8yuWzby!KEkrhFym zqOuTJ&>V+IYgax^a$3Jm!Ds$e8m3_*(Z;rW?)>jlQ2>R>8r(TL7S#axd}jY0uHPht zY!`0iDwn8m$$7RUu?D43VM7dT_}$vJ98^$5zR3>_e1(y9S8Bicj1QDP;vH{gn;~-C znUTt+ZRqY=i)>%D+kXjwz-rK~zdIyl$eU-{?UJxAcgH8|epkkQX zRPYNxML#!2v_coRS@u*!nP9v9u-YI-sn#;4 zQv~2TB;?nmr$P;k{>SdRWBr&hE%C;j@b3;&Gxg7mQDkp&%T|eQU@wJ#I4C#k?FYIvI^o`I=XxCT(8>poBQ{j@VEiL)kvK)?wwD{f zRcgm0^N0*D_0`$aH`=jPdXzm(Xb5WLZ9C`4eZ@w^s*Y;@+Sfg5c-~$~1Wu2E(fZ>~ zQ#_Q|P6fYvzj&H`8zWti#e~IIMdj#`3Sqfcx8;AIgGW%xbDWGrw3lGk1omd8B&Mm3 z;Dr#_GZttp5VUmR|CUe>6ukzB#gF1lZcSD+Dd3Qk??+H2ip-R$eyUR4^`2MH; z-S5l}Xst4(OaZ9=8{q4Rbz&hg7>c&>RSgW`Xj?}J-UUPY8f7(HIC6UZllL5$3UFPS0s;sCt58&` literal 0 HcmV?d00001 diff --git a/src/tests/dejagnu/pkinit-certs/user-upn.pem b/src/tests/dejagnu/pkinit-certs/user-upn.pem new file mode 100644 index 0000000..21960ea --- /dev/null +++ b/src/tests/dejagnu/pkinit-certs/user-upn.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExTCCA62gAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG +A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz +dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG +A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF +U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri +oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu +7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 ++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD +OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv +Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S +4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm +wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz +ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM +IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu +aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P +BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM +EHVzZXJAa3JidGVzdC5jb20wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B +AQsFAAOCAQEAceeR7lFXkEEjcMGK/mvNOT5zXcq27ipYuV5HBgGGNLqiawc7NTxF +ocyZf9HujNOMvBNblTml2GJQ9wmyQesVTGgJFTGORS2sFizICq19jISxrv44cdeF +X/KQxNmnviClkL9jfA/6oKU0uSpvUAUet3MmDuo8O7ebVXVEmQdvLrhP9ycHGq8u +qG+5qjN4dpf/ejtCCMGGZdUdPxPosoXJzf17hpyt8/YQohKG2igLSy1O68tuHTXb +L4yiB52JQdnJfOU1a+vUSk425zMI00MU1aLcDxcjI64kxYBpWflDqn9Ky0N6vA1i +OoBZgRFeQSELxUp7SUsK4xO2gPM2w0zzvQ== +-----END CERTIFICATE----- diff --git a/src/tests/dejagnu/pkinit-certs/user-upn2.p12 b/src/tests/dejagnu/pkinit-certs/user-upn2.p12 new file mode 100644 index 0000000000000000000000000000000000000000..8f4c6b2d05d14b7d5fd4f161fe8c34d065c2e5e6 GIT binary patch literal 2813 zcmY+^c{CJ^8U}E~3}!I0^-Y$+7)uH>7?KcK23ay0ktIY~vej6^U_P=oM3htp5ej1u zS+mQ&?@P8uc3+k-x9^;L?|1JX?|IL8o^zf*e<%{g7AU0*qN&`x9SJaGTR){VDIR0mWllyTHIV$p^k1&PhIk-UFnqe6I z7SwAq*(O$`6HD`{R&6i`YrtBt4)Y?|hzp|wrwr*>v%EsJ=U<|!Wr80pGTqSY!t-kD zLsqW-F=)ro2H-sdqY7sHWEK!IBoX-qL_DkhdtaK zZDlIGr76V9vzjeM4k&)rNf4Ww-?}?qVl8UziGE~*Ts#8)b4Mgv7FB%VgN;O-jE#>k{FGPWdNAYtwj`modcu#q&`80%VM1o* zR=#iTb7v%!8LM2a*_rX5e2=BxBnwZoZ=6pgZh3rxf3C!7Ng5yOrqAl{;$#tDTYPU5 z$eR;E%Uggm8CSKrecsdy_%k+VFkK8ab7ujYEXHm&@BU;K!HbvtVLBQU|*beHP zv5AL{LCLpx12#4ful|}dT#e}q+@L6nJnY>xf-5*7Wfxw-aHR0z6AKk{&QNNE6Zr#9 zOW#6yj(N}d{m2Weey-n`E(#xXVP8k22<1p-pDg*f2AY~2k0-a3U;E4IhC95{q|MRT zea^JCni0PHsPBZSb<919u3B~dPCK|A)xV>G{oX?gHjcYS#ZD=XlA1T?hI~p07aXHl z+RO@+dG4Bc>Y|81*m?8u3D#P3HLM#cb_yxOE(0N|h-BRRJ zuT!$Bm)G{^2q8ulF-Fl@RDhwkfHNf8FwB|y6v!WSVjyM(-dg^HP#O+7< ziidw@M221UoX^GcLq`p@IABu6wO=nsy%nFVSq{Ws9_nSA@wUAT_e*v;)G6S}ZwP-s zZ(qAIV;&mgKhnKBejOTdX&aRW*>YuHnHvT)ZO`O?Ybq}zXDHrt8jZ7`e=W|(xsJK4 z(S#HcS2A=p>?y6%twnUZ5A*l9cbno;dgJ+}F7cIG&7lzk)Ac)X4h0m#^1j!EsS(7? zzdUp1PQi^pHELSQ%`5Fj?$vFUO{Ff{$XIj777ta7H{PcFS@;lSXa74(KyEb3RAsr2A{&Y3HOR^QtZWggdG0^FP+Yy3H*r`S30mlHWxi zh>5EUn$L*iZEnplw$#N*xINk98*`&#c-yTRz6rD_&v#~rU@vl}HgbE{tP}IYhD)Yx z|5|5XmC9huyI4vk7nN5kfR!f`kz@<^M>gkHxKX3@D`CC3I;Sk4J^V1rQO zrzf`s?+>}rBKQNhQY?opK|uP2OZ_0aJ1jOkluzyPef|#PPcoQmuC02X-ZNCFDQ(S5UndEoT6ZwW0iisbR)soZ|_t6cdt;EwVq0y=r^#e1X?QQpN zQyFTKaroa4`J8QpxiFZ1T|1d=U@3nYkd`qswqst7I$I%nG?_S?wuNi zMDKxJaRU&~pk;8;X>Cj>(y-u{@W%2~>Z=k&;6x|yipO;PolcB?K?1Jc}#(y=m%r4`AD`^oHRrD(VoU1_`P^L0>^h<(i3!$t%%W~-D@*0&qeMeV<=AD zbtyOFWsft4L#g!Ljng1?=C%slXfT@{XC||)hs0QJhy7=4GqOB#DTJ>6qw=-(vvH36 zK2GcOrs=x0W8<1kuOjim_JL28Dx-5vE9u{bd;we#5&f5gB17wAIRvP!%c=fMEYj6? ze(r49=0U-*y8nZ^R~$j(FwJ{8WUj)PeSmVq9^HfUjxPNQH#<4G9eAR>kY$l(@M@Eu zAj*nrTHM@Zg5e1~PFoeF6K5oGF|s%{J7uN-(u;)hHIAGdNOiW3+PiZj0@C8@0pnrD zqI#fQX^(AkA^y21h1e+*`Mg@z`R>8NS8J@xIMX$|`Hmg?#}4wpmSdbqo6VEZnW^l_ z5l8L4?G(-k1YFYQCvX; z(BSHx3{MRYKM>1$re64)@CtB=UE9B;)Y#sdDp=$&NOlo8=k%ekbo6?1Y*#p9d7rmr6 z#m}T=clwcsJTtE_VEJJU9)##A-Ec_NKteM8Dsi9+o}q~`8R}1AaCoFdX+(Obj=k66 zi3m4(0plRUo7o1BeeT(M?h-a7gqXt{Ut2ugyjM%L02_+-rAMMV8SUq)5CSdSaNCh9 zC2x`4vg`JKZufCLu!)K^_KV>mSF}mwYL) z!=*ZNSeaFaLhe82eoAqTy$gmhLYv)Y^}m^R8=<{I`E<9J7QDilh+uLAa#~1=;v6F3 z2e^riz}SX*}!sUNA>FEe?U5oTozi&nK?leynBx$clR7r@$RZYbdtPDhdMPqy&6 zaX%C9RG<+6TJ+d1nz9vLd&9XV10y_ns>?yG7smCy9+B2l*7I`UBo-Y%l7`=0j{l}Q z>W*$?!$f zGE-k>W2@TwnYysHVh+dRppR7U(<500M@0Tx6*-B)Ty2Jv8{x(iOum9jed#F}q3f)q zBGZn6>2MN?p6NMl$s6f{RX+>rLMItke-I(HBtuJQ`ra(yJZ-A4{i zStRefxK*q)@#+O1^7o`Xe*8za*VJRLSVn?+oUM^MS{x+p7T8CJb(U>m~+f@wDd>}Xqb^%CfPXo2P-WTEe-=} z17JYSf8quth9T&miV=rlaQzcG)6vrWdA9#Fv`8UF(7zX0Xc>`g0HD@1`|MvD(Moi5 zK$F{cc_p_WMvrf10ybuc*!4^ESIqw5R| z)%Zd(L!l9?lc;DY%J&=kmm3g!Zf-eAxc4YRoZ7_>Rmw3#9oM)T&wh~yl?WBEfS<` z;!dSw1R^?LNzo$4Mec*x@*?5QXU=cgoTKfga|@!9E0V9Wx`XQ;!MNb7y%ORdW=yly z@$TanX19u8hxmo*o~Hlm^2WF3d4B?MpjIB5%EQ)3hs;q6$>l$Fv|5g_NY5>aiBNtH z?2>Y@lZ!8s>mEo`vLfkz3rjAXbxfvH!4doEg_ocKHS`Lnb$djOzU8)g96NXYy$Zi-1J=n7^CoG@R29+p3UAuxv$^xSG3q_be&Eh} zEoY|lFLzx3QbM>!6=8&clDFue4DV`vMZ*QhuYj7Y*w0Ymu|KFfp;P8XTbEqk%qF-+~^X|4i=_vWiM<5wHN_O1D^;ClV$Q&J1=z1+|V$!UqSn5{3>{rBF>tke~> zj^yp;Keu?BhO!nSYjHJ2TkcjBJY#QKzeSIKf4x3C3r@jziE?!JnxG)ff{S>K$_=%! zgqO{3oA-pW`b*CDNb?-*^H1>+Pc~G(wG+{&ipPD_h)&L1**+fkxpfrJ3AiRTS|7FK zMK?2voms!z!a10jHqx!^$aqt)(oqngF(H$L6*~vJ$G1T&!Fr;m+(gYv`&+4V&N}fM zl1%ZH&k)y2IZ+bU7#>#9%OcVY8_>2Vb}WWsW#3yBx-~B!rab5^%vD?JK0&~{cTSob z7Jl6=AT8sQnN+>EI77K=W(BWs{Peh}s#9JIbe?zw!l^qd9ZtL(GBQ)0ccVmpQ>vSM zo0+das}b&NljKP9k4?BC4u{lp%CA~wtc4_Ht0yg{jxe@oVHaMSZ6l;9w~XekN0l~Y zA^M7pR`gyS!u+!?SvH3L-8XTn&UryoPWGL4C3J6$>06$ri0p}ST`-KIJT^H0X61=P zjnzj`-`!aSvDu)}@8FV)jTR>bouv+cVAcH}SpSfF9)Mv`_!GvT@czqsM7OW>#Q$TMo_g$dfY!s(uj zwimD|F=yHAG_|3fSg0p(swo!TL89^|yU;vJG620GbbJ-%;U_Ua>*MopEs4G{YI5<& z74O=jhSCAHmRN#TZ5|uz5xAvU614k+Qr~jT%?~w8tn8?IZdOEzrG6NIu6Jw}VaU3i z@8+=8ei^w%de|qwg%0?yuN~$zxL|8&xh~@m>LE5= zdF{8(?uhSqsJxO%d=d%r;F}F=L$RxCRr(6|C%rYw$Q{a_PL|+NBMbZT2dIpWCb;-p zDpyo(75wnbkUH;TX`i8!6Rs$yi4gqNx3c0E8|! z+>5FG+&$J=AmAAs?>SrUfQ7KV2(Dg+3CpEi&QQvkoYsnx+#SG$%MUw#Sq9e?+q|~+ z2syW%z56CLX&J3REW(X&H`=0cB@$d2x?;&mrABCNc@{GJ+c}2zNVn&Hl}&U{*yJak zY8Wd9B-+y8WfN!I`Axxd>;#R{n7!A^>X9Ghn`6<`@NOS3DT=oC%lo^2W@a4RetW}X)yHY^g1!4PYay|V zgvc!4KnFOzM`9JUvTpkhL$zGu)&@({IDTYXGj*Xf;fq(&S02x1O4@T|^``K;82Y~S zd~Cez`e$c_%$dH?kf=+-H|%w-jMSg2`|rsV_6+BQ98IE&T12m+cHc^>62o$5z>3?_ z2lE`tukJ+0w2qZUlhHVBtF=V|BaJ4%5*$boJ*6c|RcBeOFDWKLc3oc5GvDRW1dzh0 z;MhyIaSnu6_o4X=kPsB2DucJxL4EjonenEecS-i1ApWC-JrArvv1M8NOMrpk#X)54 zNrGf^OMuKRvEQ-}sGEL<@85_5+mV1A<07s-p|+asDCG zErKh6h1EE|Usy#SRNz&uqo-R!K=9tC=UX-}E*diMAS{IoCAp@<>O77!d95LKQ#2$C zc9cNSpsvde#R`A(3Q2%z_7`Q6w&7M%Ey~I&vBT4Qfb;e0ia)bkH6lP~(A6kM@@aQ( z&e=un50$=q=a>?lpllpc(;~{IJGC_z?(O8uA|dS3M;VL37QBZ8H8s5cuj)L%fc+nn7@{H#akQ-FtGy7s~0j046W8)g=bM$tqyB^Xlj zzdADWDDeWo!ll&lBGRW&*XPSWhzjCk=9YL%q!Lmb$;`+g%SKNJVW0tkMNy~150`#< dAU#BaYO97WjHjd;0D#k}T@0*)fbV}R`7iEsB-;Q0 literal 0 HcmV?d00001 diff --git a/src/tests/dejagnu/pkinit-certs/user-upn3.pem b/src/tests/dejagnu/pkinit-certs/user-upn3.pem new file mode 100644 index 0000000..754114f --- /dev/null +++ b/src/tests/dejagnu/pkinit-certs/user-upn3.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIExTCCA62gAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +FjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxEjAQBgNVBAcMCUNhbWJyaWRnZTEMMAoG +A1UECgwDTUlUMSkwJwYDVQQLDCBJbnNlY3VyZSBQS0lOSVQgS2VyYmVyb3MgdGVz +dCBDQTEzMDEGA1UEAwwqcGtpbml0IHRlc3Qgc3VpdGUgQ0E7IGRvIG5vdCB1c2Ug +b3RoZXJ3aXNlMB4XDTE3MDgyNTE4MzIxMVoXDTI4MDgwNzE4MzIxMVowSjELMAkG +A1UEBhMCVVMxFjAUBgNVBAgMDU1hc3NhY2h1c2V0dHMxFDASBgNVBAoMC0tSQlRF +U1QuQ09NMQ0wCwYDVQQDDAR1c2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB +CgKCAQEAvwcVP/5SJr9NxIUgkl3tntkW8w5guESQLKpGFbWCAOnTGsgCiH9/LGri +oh1Lx/sC6t/f2TPJL020MPaycrB+gtpmm6chc0sK6OuWup2Eqxl22XxpguaMiFMu +7ius3lZkhFBQtuQuK6pzpkU6M5nGRHQ2QL8LJ9BMk7lrZNoyvB4uzCZjSTkqUCh6 ++myH4s9ewsLrqyqBi5YMPxzVn0aUjx1bZptE+35ZQqyQSAepgmsKSO88hmBLtQMD +OlQ4JeikMOv+pD12cBjO33yv+kLHrbX/ZHgm21lt2xdANtBoeFXr2ImoAKpkHSUv +Io4prhjZTnPLf763ql3egaVYKv3oPQIDAQABo4IBVjCCAVIwHQYDVR0OBBYEFK8S +4FdU0q0iiYKQtzGmwqn0CD2rMIHUBgNVHSMEgcwwgcmAFK8S4FdU0q0iiYKQtzGm +wqn0CD2roYGtpIGqMIGnMQswCQYDVQQGEwJVUzEWMBQGA1UECAwNTWFzc2FjaHVz +ZXR0czESMBAGA1UEBwwJQ2FtYnJpZGdlMQwwCgYDVQQKDANNSVQxKTAnBgNVBAsM +IEluc2VjdXJlIFBLSU5JVCBLZXJiZXJvcyB0ZXN0IENBMTMwMQYDVQQDDCpwa2lu +aXQgdGVzdCBzdWl0ZSBDQTsgZG8gbm90IHVzZSBvdGhlcndpc2WCAQEwCwYDVR0P +BAQDAgPoMAwGA1UdEwEB/wQCMAAwKwYDVR0RBCQwIqAgBgorBgEEAYI3FAIDoBIM +EHVzZXJAS1JCVEVTVC5DT00wEgYDVR0lBAswCQYHKwYBBQIDBDANBgkqhkiG9w0B +AQsFAAOCAQEAurL26+vQNYFbJNAFJ3yHOt1nwAVO4/OlCtgqzOAq0nBs35HY10Qe +y8eRcxrLmm4O/Wy+Rwre2v3pIP0AclvIytDzEm6K3Pgj4yJfUUM3VhnSOlXQP6UG +D9Z9pVxNiDeykj5/SzxwOQAmJbPcMx9aRwP9wOLMwUxi5sKHQlL9YUTC1hffhuYY +Yccc2dHWd5IyaKaLp9yBVXQryNdVTBYrGA2ZqcwETmcXqU/wCo/Rmf10Ra1sj88X +VfTb4Sr0j9RaSKeXRZgbEu6kz9i2WK70dcDke08xRv4xVfrlbXrfIS+Va9WYKxrf +Xb0XCkKp32Q0EHqapeJrCcuQtnDMGvncTQ== +-----END CERTIFICATE----- diff --git a/src/tests/dejagnu/pkinit-certs/user.p12 b/src/tests/dejagnu/pkinit-certs/user.p12 index a7c2baddf67f5a8c6ad97b661f6ff285ecd5bf37..e9c044c5b1d0d950ee2520770de2f8f64200cbf6 100644 GIT binary patch delta 2825 zcmV+k3-7~5_Y z{ZO6+j7HG-XWu?E7(+W6Ud%310-w`1(sg_+Ts<_U%N3y@U^vQW3Q)A*sA2pxy<%T% zW}-7-*JoZt^^%oiLs|9so@TC>q%g%OTd(F_bZfNQzYPhw<$ z0cp2k%Sl^Xlo>ne`T7_IsZ|JR6+8CHr1O7&*rI-FeUu5m0&6bp$=eDPGV+tX~tfO!wbP&4I%j)_Ywq%vufJckIF zHeA*Bgu8#wcHZ0Y0^D zoF!Zh99x;-K7707>SyxY6=S2?91C>ckQjXWF*E92&Jt*plZ&6lPdyw8@fvXZv-1QL zY2NGS%>Yx8iV^VinsM0%Jo@W@$p1mN zom_Cnu$2mVpX>6_Rr2xI9zSY;_+`k7o=)G~0ih1qli-qV%%v@^BV7o~UpkqVj7PmPMH{mf`-a@^YBL41QKuNXdtrh`F^VvN z?ig~fDld1ytdj`}K{FRL$48s3$E3=FQmC_-{0K&dJuFy?0+rrop}gIH_09OqWyR>2 zi+9vFY%yQ&hkhHxZ*(=l?_%4I81-#NQ$0uoFyiua^vF;GJG;K>P**Jc#X+^ zIec%5s;?2F*~MM=LI$wLqg;@)SG%FSb&KhwB!iQMB$qWc;X6TpmkG}r-<3&yLvKlG zz~PPJKU*o#d$&Gb);P>aL+61j2PO)g#&e7KrQvZlb+X>!q*6(`^IkX4uFMpRIOjXS z8ZDL$cuPl@4$apR@d9_F@ekSBrZ0Baz)(KPg3E>bQDRSHBS>po~L!uXMAtt!`6m%{q#_Ao8`MeTxcuC5{06B}OpxHUww> zAF2)_SnEtoKzY>O464NCX2VWmWgQ)RK@djZIY$WFUcXC!rV}yb-X0u_b-b*a`uKyI zVgP~!q4Pl007!3X!d8NYQ1xWgWjx)Ou)x~i7;Un@U-hF8(uVtvuNeD#=3iJikjQfT z-biL?90dAey0`EG2|UEN;(*Mi)J9%!CroPAIao3~b7MaYe&71%5q7!11hF+JSvS#{ z3IW0?Rp@|!(I7{j$%o{~oCG&v%t+32Hr? zh5rgGeqojHn;AJ;cv$Q?1K-|F<{XCBaJ#fl-J&pp1wjT0Duzgg_YDCD0ic2fG6aGJ zE--=xDlmctCI$;ChDe6@4FL=a0Ro_c1nw|`1nMx8x&{${>j@^CgT&Fp0s;sC1cC&} zAT8>df+_%OY|mv9%Fgv%AFR3{rn%e{Q6nwJpi*|F@7}rDd{SJdT?XX~P9U1hsjDXxNrb#`7oX}cT zeQkqbZ9s;9g8ZtKuh6-pN*0MvT5n#5(0z?b)q&?ZQs%aqe@}3=O-+*g*4F*h?YvJt z%s(D~Xqc1;<>&DQd>WORPA%esgs~n^JXHJ&cGxS`vd3FD;H%pYt4CN>s6fPAf9HDM zY${Q>d!5dnF^J9|G9Cst+UxzDM8%k-SF)SA7i^fBTew^zV_Ku{uWUH(kGm;q_=MfX|$8!Ob;N zY)KAP#ac++?5o-(){Hu=qQ=8#zTpLm#C7#d*STIXCYuJ=KQLtL(l&I~d31q7iih!r zpt$=rocH-C#LfmE&bR_SOw8c41&WS7B!9Ta%ZAc}@j_{EIG`pf=T|)rl+eZHo4fLV zdp*+zE3^g|!~nSU5zH;?d#y`R(>7-;-7AK485lWIF;tuYZ%zS1V1_J9OmZS_aB}~* zy$cVH#Q`eBRJq!xr{YhX1VH~-qM2lbS9F`OBLF3SRTMKJIuTpo!@l!ot>mP&D24g{ z>t~Bpv6qP&SpQuvQ2Kr-7v=ptf~u+3Mg>Vf~RVkZT!RNbykyq%~_2% zDewHe*7R`lRZyO6S|-iP2dq|sZF)OhR6!JIIGW7`M=wRp*|KyZWIdd(YStonpN74kp)s4lhCsEW^U2S48b~(z zS%I*62RE`bBwDA?pbxW<_v~w4?`5JP9<;k|Kf?aIhaMvXK0Y* zfQ1_@nA`$?2+Cx^s&Mfn(yRrNoeTDeE~XFPv256T_AS}a++B|OPw*3;sDh9^;ZqI+ z&z2{B1LxF>aWj_TZbjR~fq^k^lkRp#=gNGw7v-RkoM3`!OXjBL)d7hDe6@4FL%i zF%|?A6KcU>=9m8i(~0~%g^<#F^^X=4piNB bF7+h{k|cl&Kvx6^n23o_c3k<>0s;sCm*7r5 delta 3072 zcmV+b4FB_$7N8hFFoFym0s#Xsf(zmX2`Yw2hW8Bt2LYgh3)2LG3(qiu3(GKq244mV zDuzgg_YDCD2B3llP%wf9OacJ_FoFg}kw6`P!$C#iY;oVd0s;sCfPw}X{k^@yX8+%9 zwBJ}5flvw?@^UAz@E_15;f|7 z%=`IEmu8Fm{;M@9J1*`p_pIcRPLK(+FMWn?4Ww%T0x^GtUpOaX{(}d=6zfxU*O_P_ z;{8-Vz=+PJ*fq5Q5}1P|h8#+LByXQ+P>3e*vahmych~z9*bcGZU>fX`OHPSi?VqiC zB=Rqvb+r)J90J&GI+Fao+TB6@Z9^%48aMh$*5ZZ;bg}FUG;4;3aF(v8Mc%?$$0qwd zc3^N%>ETq(6vTI$`2w_1OaX?h#=Tof#*z5MeSw0*v$CMQcQ$S>moyee?d|Ygd zOSrQGiK>X-ozcDa;*JHQLCC}?$LH>?!Yi#hRsnX1OX z*EB3%Xa}bdITw;zI$pm5MeS#lApv12PFz^)>i>;Kq;rwfsX%C~f|;W&4uX`4^{hYr=Sv0%nHrgoVxp@+Oa2pz6_!d%FIr;pRDqUYfO{2<~UWQ(O#?)HAW1rbVG%r zq9bBAoA9db8X#}@U%8%J7?%N|4`BO{Kf`A)Bo>s1w3U?&wtbya#nq(}in*aOqVWwL z54v^FBkaQkJ{{9QU=Swu92Ip%GvLLOIDd7VZmIBi##hu?f(v78%UHjEu7or)#XQ(K z6nwxUcCasL?i8)8F(v3tkFjU0@B||ae%?*I6IKzV$B;Xlklq^f`Sg6cXaqJHeeaB= zR|Kl&E3F1db<1&_nuDc1V^iiCJ{=(AE^+aqY5NBcI$5;qni~17mHn5(Ds))Qj>(fB z!cAhp`uQ=F+SOD%%+Ha38w{~j zo9@HR2C2O8b?-H5VC5*x&5I%i_u7WWj~_7^J#l4mNU^ZX$|TykZ>kn^P>m*4do=8) z-lvs7RD7|XX;o@sWC$=qUP|t9tI!D(6aWp9r+d%S@i=hsUzZGj4`0ajob3mf39g=O z%sLUXQul@047pG(XAo^Bzg#aTGeIP9XG%lsySCBt^BD;L!P?o>8|72>-F%bY1Wq+- zQ&co>uVf4#KdH09JZl->qdH!j&5obWpC252k*~RRm`++aA zb)ix=M5o zkDSS^SpDZ46j6?8FSSEt!hzU2{_KAgGG#C6JOuiZ$dBlrIHJI>a!|_ci}n~u6wfBn z1&}v(3R~EJEM#g)ZxZO$;#Uy*l%8e6KIeQxo6!Ev!p)g^jmB_%6GXqkLS>=3J;!BiP~zMs^7_ZV@z2e~h;XLQo=1(w3< zKSrEW)`6L0#?Y=Y^OVjAPol3~Y2-UA_>BjuU<55l@tHF|>M7Zh5YYg$$Med8J1xt2 zLP*MiFoFeS1_>&LNQUQ6J*E3t0>aCid|=?nFOo@xF7nMEwFSqGFL=q6+5@%_ zt-z3k=H;LP>M5^($OYSZJ{(r}tFwIj zvW>%k6&+&B`~)0-Gg;CuKJ}d10CU^>UaG3Eag)cBnkgpw6c$vz5a->`qeYY{qOzjV z$lM&d7YnfSl+TL;$Z%XYD8P&u6+OPseP8BbQ`Co+4qNH^w^HP@t~i7h`yya}!u<oz#o;ZUj=Hp z(TV68ifC2(4C2=wv3r~1104(jA4cs9gd=F=kJAOeb?#j`oJ0bKe65FiHPEx{!4^2M zz^<`>c3WJhEzhxX)l8^flHtnoU_1>9oCV*rdmGdTgN`7ewco2nZuA--|EL=EaG4Nn zpF~eT3tG2-f{+uROTHXdk{V0)X{9@F4mpkfDP7mjH8Tej5p$_wAOlRUsVV8eC0hd` zl4Cv#L%OnpO;^-jK=n`BoqWJ#I2zzYA;sz+Y;icw<{th3N}p#_Xrp8*rEd6NEX=4@Qp-i%c1jGY-l^{T#gMCnLtFM}iUj!H}kK_5;CTggujzqx``SqC!?Fq@kO^ab0Yk*7|TX+l3@A8Z-brb&{t zZX^wVHoyg=NeF)1EnnZ8*NrQU!QHwFx6a1u4+j8i75XaX{V` zTejP79{ii}hnRQ)sO)7qj>Pd@U}lVl&(b}Ag$oc4za4|Y2`)pu(3@Q{oocgpL9XPg z&ARc&g{ZqR#9lsFPr=r@2fK*A|lb4n3k%R8?I#c2D z;=TTZZ*j*ygj57wLl>LICIh&x-2VrAPjpHqNvA6BWcuW0J`V>k zX2DR;M<%0M5rj)YL!vo}Lr8*yNjn|jEon4LP>F3;n-~NKB>zj8a%?p*fZm_SEdJB6 zP-Yt1+4};5@fwomsJaS~^N?NR6BXot?2jw}Jgj_7AnKjnZoO5nIY`wuDf(}pQfmod zE}t2${x!MEq*UT6S13ie-bH%m!2V*Ai?V#!PB*W9mXC+U>&7FB$YbjRT!@-#?o3x& ziB>ytwV(g|m}&0NES6Y|(~D_kcv$pTt6{{O5=Tjd*U#!Tli@}SuFK6QcZ9`%x3jAa z9wib(pG>woZhqj$pub privkey.pem +openssl genrsa $KEYSIZE > privkey.pem # Generate a "CA" certificate. SUBJECT=signer openssl req -config openssl.cnf -new -x509 -extensions exts_ca \ diff --git a/src/tests/deps b/src/tests/deps index 7518050..a7f1515 100644 --- a/src/tests/deps +++ b/src/tests/deps @@ -80,8 +80,20 @@ $(OUTPRE)hrealm.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ $(top_srcdir)/include/socket-utils.h hrealm.c -$(OUTPRE)icred.$(OBJEXT): $(BUILDTOP)/include/krb5/krb5.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h icred.c +$(OUTPRE)icinterleave.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(BUILDTOP)/include/osconf.h \ + $(BUILDTOP)/include/profile.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-err.h $(top_srcdir)/include/k5-gmt_mktime.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h icinterleave.c +$(OUTPRE)icred.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/krb5.h \ + icred.c $(OUTPRE)kdbtest.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssrpc/types.h $(BUILDTOP)/include/kadm5/admin.h \ $(BUILDTOP)/include/kadm5/chpass_util_strings.h $(BUILDTOP)/include/kadm5/kadm_err.h \ diff --git a/src/tests/gssapi/Makefile.in b/src/tests/gssapi/Makefile.in index 6c14642..a7b8da4 100644 --- a/src/tests/gssapi/Makefile.in +++ b/src/tests/gssapi/Makefile.in @@ -9,41 +9,43 @@ LOCALINCLUDES = -I$(srcdir)/../../lib/gssapi/mechglue \ -I../../lib/gssapi/generic SRCS= $(srcdir)/ccinit.c $(srcdir)/ccrefresh.c $(srcdir)/common.c \ - $(srcdir)/t_accname.c $(srcdir)/t_ccselect.c $(srcdir)/t_ciflags.c \ - $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c $(srcdir)/t_err.c \ - $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ + $(srcdir)/t_accname.c $(srcdir)/t_add_cred.c $(srcdir)/t_ccselect.c \ + $(srcdir)/t_ciflags.c $(srcdir)/t_credstore.c $(srcdir)/t_enctypes.c \ + $(srcdir)/t_err.c $(srcdir)/t_export_cred.c $(srcdir)/t_export_name.c \ $(srcdir)/t_gssexts.c $(srcdir)/t_imp_cred.c $(srcdir)/t_imp_name.c \ $(srcdir)/t_invalid.c $(srcdir)/t_inq_cred.c $(srcdir)/t_inq_ctx.c \ $(srcdir)/t_inq_mechs_name.c $(srcdir)/t_iov.c \ - $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c $(srcdir)/t_pcontok.c \ - $(srcdir)/t_prf.c $(srcdir)/t_s4u.c $(srcdir)/t_s4u2proxy_krb5.c \ - $(srcdir)/t_saslname.c $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c + $(srcdir)/t_lifetime.c $(srcdir)/t_namingexts.c $(srcdir)/t_oid.c \ + $(srcdir)/t_pcontok.c $(srcdir)/t_prf.c $(srcdir)/t_s4u.c \ + $(srcdir)/t_s4u2proxy_krb5.c $(srcdir)/t_saslname.c \ + $(srcdir)/t_spnego.c $(srcdir)/t_srcattrs.c -OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_ccselect.o t_ciflags.o \ - t_credstore.o t_enctypes.o t_err.o t_export_cred.o t_export_name.o \ - t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o t_inq_cred.o \ - t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_namingexts.o t_oid.o \ - t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o t_saslname.o \ - t_spnego.o t_srcattrs.o +OBJS= ccinit.o ccrefresh.o common.o t_accname.o t_add_cred.o t_ccselect.o \ + t_ciflags.o t_credstore.o t_enctypes.o t_err.o t_export_cred.o \ + t_export_name.o t_gssexts.o t_imp_cred.o t_imp_name.o t_invalid.o \ + t_inq_cred.o t_inq_ctx.o t_inq_mechs_name.o t_iov.o t_lifetime.o \ + t_namingexts.o t_oid.o t_pcontok.o t_prf.o t_s4u.o t_s4u2proxy_krb5.o \ + t_saslname.o t_spnego.o t_srcattrs.o COMMON_DEPS= common.o $(GSS_DEPLIBS) $(KRB5_BASE_DEPLIBS) COMMON_LIBS= common.o $(GSS_LIBS) $(KRB5_BASE_LIBS) -all: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore t_enctypes \ - t_err t_export_cred t_export_name t_gssexts t_imp_cred t_imp_name \ - t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_namingexts \ - t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego \ - t_srcattrs +all: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags t_credstore \ + t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred \ + t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov \ + t_lifetime t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 \ + t_saslname t_spnego t_srcattrs check-unix: t_oid $(RUN_TEST) ./t_invalid $(RUN_TEST) ./t_oid $(RUN_TEST) ./t_prf + $(RUN_TEST) ./t_imp_name -check-pytests: ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore \ - t_enctypes t_err t_export_cred t_export_name t_imp_cred t_inq_cred \ - t_inq_ctx t_inq_mechs_name t_iov t_pcontok t_s4u t_s4u2proxy_krb5 \ - t_spnego t_srcattrs +check-pytests: ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags \ + t_credstore t_enctypes t_err t_export_cred t_export_name t_imp_cred \ + t_inq_cred t_inq_ctx t_inq_mechs_name t_iov t_lifetime t_pcontok \ + t_s4u t_s4u2proxy_krb5 t_spnego t_srcattrs $(RUNPYTEST) $(srcdir)/t_gssapi.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_ccselect.py $(PYTESTFLAGS) $(RUNPYTEST) $(srcdir)/t_client_keytab.py $(PYTESTFLAGS) @@ -58,6 +60,8 @@ ccrefresh: ccrefresh.o $(KRB5_BASE_DEPLIBS) $(CC_LINK) -o ccrefresh ccrefresh.o $(KRB5_BASE_LIBS) t_accname: t_accname.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_accname.o $(COMMON_LIBS) +t_add_cred: t_add_cred.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_add_cred.o $(COMMON_LIBS) t_ccselect: t_ccselect.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_ccselect.o $(COMMON_LIBS) t_ciflags: t_ciflags.o $(COMMON_DEPS) @@ -88,6 +92,8 @@ t_inq_mechs_name: t_inq_mechs_name.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_inq_mechs_name.o $(COMMON_LIBS) t_iov: t_iov.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_iov.o $(COMMON_LIBS) +t_lifetime: t_lifetime.o $(COMMON_DEPS) + $(CC_LINK) -o $@ t_lifetime.o $(COMMON_LIBS) t_namingexts: t_namingexts.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_namingexts.o $(COMMON_LIBS) t_pcontok: t_pcontok.o $(COMMON_DEPS) @@ -108,8 +114,8 @@ t_srcattrs: t_srcattrs.o $(COMMON_DEPS) $(CC_LINK) -o $@ t_srcattrs.o $(COMMON_LIBS) clean: - $(RM) ccinit ccrefresh t_accname t_ccselect t_ciflags t_credstore - $(RM) t_enctypes t_err t_export_cred t_export_name t_gssexts t_imp_cred - $(RM) t_imp_name t_invalid t_inq_cred t_inq_ctx t_inq_mechs_name t_iov - $(RM) t_namingexts t_oid t_pcontok t_prf t_s4u t_s4u2proxy_krb5 - $(RM) t_saslname t_spnego t_srcattrs + $(RM) ccinit ccrefresh t_accname t_add_cred t_ccselect t_ciflags + $(RM) t_credstore t_enctypes t_err t_export_cred t_export_name + $(RM) t_gssexts t_imp_cred t_imp_name t_invalid t_inq_cred t_inq_ctx + $(RM) t_inq_mechs_name t_iov t_lifetime t_namingexts t_oid t_pcontok + $(RM) t_prf t_s4u t_s4u2proxy_krb5 t_saslname t_spnego t_srcattrs diff --git a/src/tests/gssapi/common.c b/src/tests/gssapi/common.c index 0de36d3..83e9d9b 100644 --- a/src/tests/gssapi/common.c +++ b/src/tests/gssapi/common.c @@ -97,10 +97,12 @@ import_name(const char *str) nametype = GSS_C_NT_USER_NAME; else if (*str == 'p') nametype = (gss_OID)GSS_KRB5_NT_PRINCIPAL_NAME; + else if (*str == 'e') + nametype = (gss_OID)GSS_KRB5_NT_ENTERPRISE_NAME; else if (*str == 'h') nametype = GSS_C_NT_HOSTBASED_SERVICE; if (nametype == NULL || str[1] != ':') - errout("names must begin with u: or p: or h:"); + errout("names must begin with u: or p: or e: or h:"); buf.value = (char *)str + 2; buf.length = strlen(str) - 2; major = gss_import_name(&minor, &buf, nametype, &name); diff --git a/src/tests/gssapi/deps b/src/tests/gssapi/deps index be3cefb..c8905c9 100644 --- a/src/tests/gssapi/deps +++ b/src/tests/gssapi/deps @@ -29,6 +29,10 @@ $(OUTPRE)t_accname.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ common.h t_accname.c +$(OUTPRE)t_add_cred.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ + common.h t_add_cred.c $(OUTPRE)t_ccselect.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ @@ -45,7 +49,8 @@ $(OUTPRE)t_enctypes.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(BUILDTOP)/include/gssapi/gssapi.h $(BUILDTOP)/include/gssapi/gssapi_ext.h \ $(BUILDTOP)/include/gssapi/gssapi_krb5.h $(BUILDTOP)/include/krb5/krb5.h \ $(BUILDTOP)/include/osconf.h $(BUILDTOP)/include/profile.h \ - $(COM_ERR_DEPS) $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ + $(COM_ERR_DEPS) $(srcdir)/../../lib/gssapi/generic/gssapi_ext.h \ + $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ @@ -113,6 +118,10 @@ $(OUTPRE)t_iov.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ common.h t_iov.c +$(OUTPRE)t_lifetime.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ + $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ + $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ + common.h t_lifetime.c $(OUTPRE)t_namingexts.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ @@ -144,13 +153,13 @@ $(OUTPRE)t_prf.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(srcdir)/../../lib/gssapi/krb5/gssapiP_krb5.h $(srcdir)/../../lib/gssapi/krb5/gssapi_krb5.h \ $(srcdir)/../../lib/gssapi/mechglue/mechglue.h $(srcdir)/../../lib/gssapi/mechglue/mglueP.h \ $(top_srcdir)/include/k5-buf.h $(top_srcdir)/include/k5-err.h \ - $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-int-pkinit.h \ - $(top_srcdir)/include/k5-int.h $(top_srcdir)/include/k5-platform.h \ - $(top_srcdir)/include/k5-plugin.h $(top_srcdir)/include/k5-thread.h \ - $(top_srcdir)/include/k5-trace.h $(top_srcdir)/include/krb5.h \ - $(top_srcdir)/include/krb5/authdata_plugin.h $(top_srcdir)/include/krb5/plugin.h \ - $(top_srcdir)/include/port-sockets.h $(top_srcdir)/include/socket-utils.h \ - common.h t_prf.c + $(top_srcdir)/include/k5-gmt_mktime.h $(top_srcdir)/include/k5-hex.h \ + $(top_srcdir)/include/k5-int-pkinit.h $(top_srcdir)/include/k5-int.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-plugin.h \ + $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-trace.h \ + $(top_srcdir)/include/krb5.h $(top_srcdir)/include/krb5/authdata_plugin.h \ + $(top_srcdir)/include/krb5/plugin.h $(top_srcdir)/include/port-sockets.h \ + $(top_srcdir)/include/socket-utils.h common.h t_prf.c $(OUTPRE)t_s4u.$(OBJEXT): $(BUILDTOP)/include/gssapi/gssapi.h \ $(BUILDTOP)/include/gssapi/gssapi_ext.h $(BUILDTOP)/include/gssapi/gssapi_krb5.h \ $(BUILDTOP)/include/krb5/krb5.h $(COM_ERR_DEPS) $(top_srcdir)/include/krb5.h \ diff --git a/src/tests/gssapi/t_add_cred.c b/src/tests/gssapi/t_add_cred.c new file mode 100644 index 0000000..b1142b6 --- /dev/null +++ b/src/tests/gssapi/t_add_cred.c @@ -0,0 +1,137 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/gssapi/t_add_cred.c - gss_add_cred() tests */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This program tests the mechglue behavior of gss_add_cred(). It relies on a + * krb5 keytab and credentials being present so that initiator and acceptor + * credentials can be acquired, but does not use them to initiate or accept any + * requests. + */ + +#include +#include + +#include "common.h" + +int +main() +{ + OM_uint32 minor, major; + gss_cred_id_t cred1, cred2; + gss_cred_usage_t usage; + gss_name_t name; + + /* Check that we get the expected error if we pass neither an input nor an + * output cred handle. */ + major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, + &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, + GSS_C_INDEFINITE, NULL, NULL, NULL, NULL); + assert(major == (GSS_S_CALL_INACCESSIBLE_WRITE | GSS_S_NO_CRED)); + + /* Regression test for #8737: make sure that desired_name is honored when + * creating a credential by passing in a non-matching name. */ + name = import_name("p:does/not/match@WRONG_REALM"); + major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, name, &mech_krb5, + GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, + &cred1, NULL, NULL, NULL); + assert(major == GSS_S_CRED_UNAVAIL); + gss_release_name(&minor, &name); + + /* Create cred1 with a krb5 initiator cred by passing an output handle but + * no input handle. */ + major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, + &mech_krb5, GSS_C_INITIATE, GSS_C_INDEFINITE, + GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL); + assert(major == GSS_S_COMPLETE); + + /* Verify that cred1 has the expected mechanism creds. */ + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_NO_CRED); + + /* Check that we get the expected error if we try to add another krb5 mech + * cred to cred1. */ + major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_krb5, + GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, + NULL, NULL, NULL, NULL); + assert(major == GSS_S_DUPLICATE_ELEMENT); + + /* Add an IAKERB acceptor mech cred to cred1. */ + major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb, + GSS_C_ACCEPT, GSS_C_INDEFINITE, GSS_C_INDEFINITE, + NULL, NULL, NULL, NULL); + assert(major == GSS_S_COMPLETE); + + /* Verify cred1 mechanism creds. */ + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); + + /* Start over with another new cred. */ + gss_release_cred(&minor, &cred1); + major = gss_add_cred(&minor, GSS_C_NO_CREDENTIAL, GSS_C_NO_NAME, + &mech_krb5, GSS_C_ACCEPT, GSS_C_INDEFINITE, + GSS_C_INDEFINITE, &cred1, NULL, NULL, NULL); + assert(major == GSS_S_COMPLETE); + + /* Create an expanded cred by passing both an output handle and an input + * handle. */ + major = gss_add_cred(&minor, cred1, GSS_C_NO_NAME, &mech_iakerb, + GSS_C_INITIATE, GSS_C_INDEFINITE, GSS_C_INDEFINITE, + &cred2, NULL, NULL, NULL); + assert(major == GSS_S_COMPLETE); + + /* Verify mechanism creds in cred1 and cred2. */ + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_krb5, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); + major = gss_inquire_cred_by_mech(&minor, cred1, &mech_iakerb, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_NO_CRED); + major = gss_inquire_cred_by_mech(&minor, cred2, &mech_krb5, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_ACCEPT); + major = gss_inquire_cred_by_mech(&minor, cred2, &mech_iakerb, NULL, NULL, + NULL, &usage); + assert(major == GSS_S_COMPLETE && usage == GSS_C_INITIATE); + + gss_release_cred(&minor, &cred1); + gss_release_cred(&minor, &cred2); + + return 0; +} diff --git a/src/tests/gssapi/t_authind.py b/src/tests/gssapi/t_authind.py index 316bc40..af1741a 100644 --- a/src/tests/gssapi/t_authind.py +++ b/src/tests/gssapi/t_authind.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Test authentication indicators. Load the test preauth module so we @@ -24,9 +23,8 @@ if ('Attribute auth-indicators Authenticated Complete') not in out: if '73757065727374726f6e67' not in out: fail('Expected auth indicator not seen in name attributes') -out = realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1) -if 'gss_init_sec_context: KDC policy rejects request' not in out: - fail('Expected error message not seen for indicator mismatch') +msg = 'gss_init_sec_context: KDC policy rejects request' +realm.run(['./t_srcattrs', 'p:service/2'], expected_code=1, expected_msg=msg) realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=one two']) out = realm.run(['./t_srcattrs', 'p:service/2']) @@ -35,4 +33,19 @@ if '6f6e65' not in out or '74776f' not in out: fail('Expected auth indicator not seen in name attributes') realm.stop() + +# Test the FAST encrypted challenge auth indicator. +kdcconf = {'realms': {'$realm': {'encrypted_challenge_indicator': 'fast'}}} +realm = K5Realm(kdc_conf=kdcconf) +realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ]) +realm.run([kadminl, 'xst', realm.host_princ]) +realm.kinit(realm.user_princ, password('user')) +realm.kinit(realm.user_princ, password('user'), ['-T', realm.ccache]) +out = realm.run(['./t_srcattrs', 'p:' + realm.host_princ]) +if ('Attribute auth-indicators Authenticated Complete') not in out: + fail('Expected attribute type not seen') +if '66617374' not in out: + fail('Expected auth indicator not seen in name attributes') + +realm.stop() success('GSSAPI auth indicator tests') diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py index 6be6b4e..9ca6655 100755 --- a/src/tests/gssapi/t_ccselect.py +++ b/src/tests/gssapi/t_ccselect.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. @@ -24,19 +22,30 @@ from k5test import * -# Create two independent realms (no cross-realm TGTs). -r1 = K5Realm(create_user=False) -r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000, - testdir=os.path.join(r1.testdir, 'r2')) +# Create two independent realms (no cross-realm TGTs). For the +# fallback realm tests we need to control the precise server hostname, +# so turn off DNS canonicalization. +conf = {'libdefaults': {'dns_canonicalize_hostname': 'false'}} +r1 = K5Realm(create_user=False, krb5_conf=conf) +r2 = K5Realm(create_user=False, krb5_conf=conf, realm='KRBTEST2.COM', + portbase=62000, testdir=os.path.join(r1.testdir, 'r2')) host1 = 'p:' + r1.host_princ host2 = 'p:' + r2.host_princ - -# gsserver specifies the target as a GSS name. The resulting -# principal will have the host-based type, but the realm won't be -# known before the client cache is selected (since k5test realms have -# no domain-realm mapping by default). -gssserver = 'h:host@' + hostname +foo = 'foo.krbtest.com' +foo2 = 'foo.krbtest2.com' +foobar = "foo.bar.krbtest.com" + +# These strings specify the target as a GSS name. The resulting +# principal will have the host-based type, with the referral realm +# (since k5test realms have no domain-realm mapping by default). +# krb5_cc_select() will use the fallback realm, which is either the +# uppercased parent domain, or the default realm if the hostname is a +# single component. +gssserver = 'h:host@' + foo +gssserver2 = 'h:host@' + foo2 +gssserver_bar = 'h:host@' + foobar +gsslocal = 'h:host@localhost' # refserver specifies the target as a principal in the referral realm. # The principal won't be treated as a host principal by the @@ -45,9 +54,8 @@ refserver = 'p:host/' + hostname + '@' # Verify that we can't get initiator creds with no credentials in the # collection. -output = r1.run(['./t_ccselect', host1, '-'], expected_code=1) -if 'No Kerberos credentials available' not in output: - fail('Expected error not seen in output when no credentials available') +r1.run(['./t_ccselect', host1, '-'], expected_code=1, + expected_msg='No Kerberos credentials available') # Make a directory collection and use it for client commands in both realms. ccdir = os.path.join(r1.testdir, 'cc') @@ -67,6 +75,18 @@ r1.addprinc(alice, password('alice')) r1.addprinc(bob, password('bob')) r2.addprinc(zaphod, password('zaphod')) +# Create host principals and keytabs for fallback realm tests. +r1.addprinc('host/localhost') +r2.addprinc('host/localhost') +r1.addprinc('host/' + foo) +r2.addprinc('host/' + foo2) +r1.addprinc('host/' + foobar) +r1.extract_keytab('host/localhost', r1.keytab) +r2.extract_keytab('host/localhost', r2.keytab) +r1.extract_keytab('host/' + foo, r1.keytab) +r2.extract_keytab('host/' + foo2, r2.keytab) +r1.extract_keytab('host/' + foobar, r1.keytab) + # Get tickets for one user in each realm (zaphod will be primary). r1.kinit(alice, password('alice')) r2.kinit(zaphod, password('zaphod')) @@ -94,10 +114,29 @@ if output != (zaphod + '\n'): fail('zaphod not chosen as default initiator name for server in r1') # Check that primary cache is used if server realm is unknown. -output = r2.run(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', refserver]) if output != (zaphod + '\n'): fail('zaphod not chosen via primary cache for unknown server realm') -r1.run(['./t_ccselect', gssserver], expected_code=1) +r1.run(['./t_ccselect', gssserver2], expected_code=1) +# Check ccache selection using a fallback realm. +output = r1.run(['./t_ccselect', gssserver]) +if output != (alice + '\n'): + fail('alice not chosen via parent domain fallback') +output = r2.run(['./t_ccselect', gssserver2]) +if output != (zaphod + '\n'): + fail('zaphod not chosen via parent domain fallback') +# Check ccache selection using a fallback realm (default realm). +output = r1.run(['./t_ccselect', gsslocal]) +if output != (alice + '\n'): + fail('alice not chosen via default realm fallback') +output = r2.run(['./t_ccselect', gsslocal]) +if output != (zaphod + '\n'): + fail('zaphod not chosen via default realm fallback') + +# Check that realm ccselect fallback works correctly +r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice) +r2.kinit(zaphod, password('zaphod')) +r1.run(['./t_ccselect', gssserver_bar], expected_msg=alice) # Get a second cred in r1 (bob will be primary). r1.kinit(bob, password('bob')) @@ -105,20 +144,19 @@ r1.kinit(bob, password('bob')) # Try some cache selections using .k5identity. k5id = open(os.path.join(r1.testdir, '.k5identity'), 'w') k5id.write('%s realm=%s\n' % (alice, r1.realm)) -k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname)) +k5id.write('%s service=ho*t host=localhost\n' % zaphod) k5id.write('noprinc service=bogus') k5id.close() output = r1.run(['./t_ccselect', host1]) if output != (alice + '\n'): fail('alice not chosen via .k5identity realm line.') -output = r2.run(['./t_ccselect', gssserver]) +output = r2.run(['./t_ccselect', gsslocal]) if output != (zaphod + '\n'): fail('zaphod not chosen via .k5identity service/host line.') output = r1.run(['./t_ccselect', refserver]) if output != (bob + '\n'): fail('bob not chosen via primary cache when no .k5identity line matches.') -output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1) -if 'Can\'t find client principal noprinc' not in output: - fail('Expected error not seen when k5identity selects bad principal.') +r1.run(['./t_ccselect', 'h:bogus@' + foo2], expected_code=1, + expected_msg="Can't find client principal noprinc") success('GSSAPI credential selection tests') diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py index 4c8747a..e474a27 100755 --- a/src/tests/gssapi/t_client_keytab.py +++ b/src/tests/gssapi/t_client_keytab.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Set up a basic realm and a client keytab containing two user principals. @@ -15,9 +14,7 @@ realm.extract_keytab(realm.user_princ, realm.client_keytab) realm.extract_keytab(bob, realm.client_keytab) # Test 1: no name/cache specified, pick first principal from client keytab -out = realm.run(['./t_ccselect', phost]) -if realm.user_princ not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost], expected_msg=realm.user_princ) realm.run([kdestroy]) # Test 2: no name/cache specified, pick principal from k5identity @@ -25,36 +22,27 @@ k5idname = os.path.join(realm.testdir, '.k5identity') k5id = open(k5idname, 'w') k5id.write('%s service=host host=%s\n' % (bob, hostname)) k5id.close() -out = realm.run(['./t_ccselect', gssserver]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', gssserver], expected_msg=bob) os.remove(k5idname) realm.run([kdestroy]) # Test 3: no name/cache specified, default ccache has name but no creds realm.run(['./ccinit', realm.ccache, bob]) -out = realm.run(['./t_ccselect', phost]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost], expected_msg=bob) # Leave tickets for next test. # Test 4: name specified, non-collectable default cache doesn't match -out = realm.run(['./t_ccselect', phost, puser], expected_code=1) -if 'Principal in credential cache does not match desired name' not in out: - fail('Expected error not seen') +msg = 'Principal in credential cache does not match desired name' +realm.run(['./t_ccselect', phost, puser], expected_code=1, expected_msg=msg) realm.run([kdestroy]) # Test 5: name specified, nonexistent default cache -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) # Leave tickets for next test. # Test 6: name specified, matches default cache, time to refresh realm.run(['./ccrefresh', realm.ccache, '1']) -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) out = realm.run(['./ccrefresh', realm.ccache]) if int(out) < 1000: fail('Credentials apparently not refreshed') @@ -67,9 +55,8 @@ realm.run([kdestroy]) # Test 8: ccache specified with name but no creds; name not in client keytab realm.run(['./ccinit', realm.ccache, realm.host_princ]) -out = realm.run(['./t_imp_cred', phost], expected_code=1) -if 'Credential cache is empty' not in out: - fail('Expected error not seen') +realm.run(['./t_imp_cred', phost], expected_code=1, + expected_msg='Credential cache is empty') realm.run([kdestroy]) # Test 9: ccache specified with name but no creds; name in client keytab @@ -104,16 +91,12 @@ realm.env['KRB5CCNAME'] = ccname # Test 12: name specified, matching cache in collection with no creds bobcache = os.path.join(ccdir, 'tktbob') realm.run(['./ccinit', bobcache, bob]) -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) # Leave tickets for next test. # Test 13: name specified, matching cache in collection, time to refresh realm.run(['./ccrefresh', bobcache, '1']) -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) out = realm.run(['./ccrefresh', bobcache]) if int(out) < 1000: fail('Credentials apparently not refreshed') @@ -121,22 +104,15 @@ realm.run([kdestroy, '-A']) # Test 14: name specified, collection has default for different principal realm.kinit(realm.user_princ, password('user')) -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') -out = realm.run([klist]) -if 'Default principal: %s\n' % realm.user_princ not in out: - fail('Default cache overwritten by acquire_cred') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) +msg = 'Default principal: %s\n' % realm.user_princ +realm.run([klist], expected_msg=msg) realm.run([kdestroy, '-A']) # Test 15: name specified, collection has no default cache -out = realm.run(['./t_ccselect', phost, pbob]) -if bob not in out: - fail('Authenticated as wrong principal') +realm.run(['./t_ccselect', phost, pbob], expected_msg=bob) # Make sure the tickets we acquired didn't become the default -out = realm.run([klist], expected_code=1) -if 'No credentials cache found' not in out: - fail('Expected error not seen') +realm.run([klist], expected_code=1, expected_msg='No credentials cache found') realm.run([kdestroy, '-A']) # Test 16: default client keytab cannot be resolved, but valid @@ -145,8 +121,7 @@ conf = {'libdefaults': {'default_client_keytab_name': '%{'}} bad_cktname = realm.special_env('bad_cktname', False, krb5_conf=conf) del bad_cktname['KRB5_CLIENT_KTNAME'] realm.kinit(realm.user_princ, password('user')) -out = realm.run(['./t_ccselect', phost], env=bad_cktname) -if realm.user_princ not in out: - fail('Expected principal not seen for bad client keytab name') +realm.run(['./t_ccselect', phost], env=bad_cktname, + expected_msg=realm.user_princ) success('Client keytab tests') diff --git a/src/tests/gssapi/t_enctypes.c b/src/tests/gssapi/t_enctypes.c index a2ad18f..3fd31e2 100644 --- a/src/tests/gssapi/t_enctypes.c +++ b/src/tests/gssapi/t_enctypes.c @@ -32,6 +32,7 @@ #include "k5-int.h" #include "common.h" +#include "gssapi_ext.h" /* * This test program establishes contexts with the krb5 mech, the default @@ -86,6 +87,9 @@ main(int argc, char *argv[]) gss_krb5_lucid_context_v1_t *ilucid, *alucid; gss_krb5_rfc1964_keydata_t *i1964, *a1964; gss_krb5_cfx_keydata_t *icfx, *acfx; + gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; + gss_OID ssf_oid = GSS_C_SEC_CONTEXT_SASL_SSF; + unsigned int ssf; size_t count; void *lptr; int c; @@ -139,6 +143,16 @@ main(int argc, char *argv[]) establish_contexts(&mech_krb5, icred, acred, tname, flags, &ictx, &actx, NULL, NULL, NULL); + /* Query the SSF value and range-check the result. */ + major = gss_inquire_sec_context_by_oid(&minor, ictx, ssf_oid, &bufset); + check_gsserr("gss_inquire_sec_context_by_oid(ssf)", major, minor); + if (bufset->elements[0].length != 4) + errout("SSF buffer has unexpected length"); + ssf = load_32_be(bufset->elements[0].value); + if (ssf < 56 || ssf > 256) + errout("SSF value not within acceptable range (56-256)"); + (void)gss_release_buffer_set(&minor, &bufset); + /* Export to lucid contexts. */ major = gss_krb5_export_lucid_sec_context(&minor, &ictx, 1, &lptr); check_gsserr("gss_export_lucid_sec_context(initiator)", major, minor); diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py index 862f229..ee43ff0 100755 --- a/src/tests/gssapi/t_enctypes.py +++ b/src/tests/gssapi/t_enctypes.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Define some convenience abbreviations for enctypes we will see in @@ -58,9 +57,7 @@ def test(msg, ienc, aenc, tktenc='', tktsession='', proto='', isubkey='', # and check that it fails with the expected error message. def test_err(msg, ienc, aenc, expected_err): shutil.copyfile(os.path.join(realm.testdir, 'save'), realm.ccache) - out = realm.run(cmdline(ienc, aenc), expected_code=1) - if expected_err not in out: - fail(msg) + realm.run(cmdline(ienc, aenc), expected_code=1, expected_msg=expected_err) # By default, all of the key enctypes should be aes256. diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py index 6988359..89167bc 100755 --- a/src/tests/gssapi/t_export_cred.py +++ b/src/tests/gssapi/t_export_cred.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Test gss_export_cred and gss_import_cred for initiator creds, @@ -23,9 +22,7 @@ def ccache_restore(realm): def check(realm, args): ccache_restore(realm) realm.run(['./t_export_cred'] + args) - output = realm.run([klist, '-f']) - if 'Flags: Ff' not in output: - fail('Forwarded tickets not found in ccache after t_export_cred') + realm.run([klist, '-f'], expected_msg='Flags: Ff') # Check a given set of arguments with no specified mech and with krb5 # and SPNEGO as the specified mech. diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index e23c936..8428e82 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Test krb5 negotiation under SPNEGO for all enctype configurations. Also @@ -9,9 +8,11 @@ for realm in multipass_realms(): realm.run(['./t_iov', '-s', 'p:' + realm.host_princ]) realm.run(['./t_pcontok', 'p:' + realm.host_princ]) -### Test acceptor name behavior. - +# Test gss_add_cred(). realm = K5Realm() +realm.run(['./t_add_cred']) + +### Test acceptor name behavior. # Create some host-based principals and put most of them into the # keytab. Rename one principal so that the keytab name matches the @@ -28,57 +29,40 @@ realm.run([kadminl, 'renprinc', 'service1/abraham', 'service1/andrew']) # Test with no acceptor name, including client/keytab principal # mismatch (non-fatal) and missing keytab entry (fatal). -output = realm.run(['./t_accname', 'p:service1/andrew']) -if 'service1/abraham' not in output: - fail('Expected service1/abraham in t_accname output') -output = realm.run(['./t_accname', 'p:service1/barack']) -if 'service1/barack' not in output: - fail('Expected service1/barack in t_accname output') -output = realm.run(['./t_accname', 'p:service2/calvin']) -if 'service2/calvin' not in output: - fail('Expected service1/barack in t_accname output') -output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1) -if ' not found in keytab' not in output: - fail('Expected error message not seen in t_accname output') +realm.run(['./t_accname', 'p:service1/andrew'], + expected_msg='service1/abraham') +realm.run(['./t_accname', 'p:service1/barack'], expected_msg='service1/barack') +realm.run(['./t_accname', 'p:service2/calvin'], expected_msg='service2/calvin') +realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1, + expected_msg=' not found in keytab') # Test with acceptor name containing service only, including # client/keytab hostname mismatch (non-fatal) and service name # mismatch (fatal). -output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1']) -if 'service1/abraham' not in output: - fail('Expected service1/abraham in t_accname output') -output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], - expected_code=1) -if ' not found in keytab' not in output: - fail('Expected error message not seen in t_accname output') -output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2']) -if 'service2/calvin' not in output: - fail('Expected service2/calvin in t_accname output') -output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], - expected_code=1) -if ' found in keytab but does not match server principal' not in output: - fail('Expected error message not seen in t_accname output') +realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'], + expected_msg='service1/abraham') +realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'], expected_code=1, + expected_msg=' not found in keytab') +realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'], + expected_msg='service2/calvin') +realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'], expected_code=1, + expected_msg=' found in keytab but does not match server principal') # Test with acceptor name containing service and host. Use the # client's un-canonicalized hostname as acceptor input to mirror what # many servers do. -output = realm.run(['./t_accname', 'p:' + realm.host_princ, - 'h:host@%s' % socket.gethostname()]) -if realm.host_princ not in output: - fail('Expected %s in t_accname output' % realm.host_princ) -output = realm.run(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()], - expected_code=1) -if ' not found in keytab' not in output: - fail('Expected error message not seen in t_accname output') +realm.run(['./t_accname', 'p:' + realm.host_princ, + 'h:host@%s' % socket.gethostname()], expected_msg=realm.host_princ) +realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], expected_code=1, + expected_msg=' not found in keytab') # Test krb5_gss_import_cred. realm.run(['./t_imp_cred', 'p:service1/barack']) realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham']) -output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1) -if ' not found in keytab' not in output: - fail('Expected error message not seen in t_imp_cred output') +realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1, + expected_msg=' not found in keytab') # Test credential store extension. tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache') @@ -116,10 +100,8 @@ ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}} realm = K5Realm(krb5_conf=ignore_conf) realm.run([kadminl, 'addprinc', '-randkey', 'host/-nomatch-']) realm.run([kadminl, 'xst', 'host/-nomatch-']) -output = realm.run(['./t_accname', 'p:host/-nomatch-', - 'h:host@%s' % socket.gethostname()]) -if 'host/-nomatch-' not in output: - fail('Expected host/-nomatch- in t_accname output') +realm.run(['./t_accname', 'p:host/-nomatch-', + 'h:host@%s' % socket.gethostname()], expected_msg='host/-nomatch-') realm.stop() @@ -141,41 +123,25 @@ r3.stop() realm = K5Realm() # Test deferred resolution of the default ccache for initiator creds. -output = realm.run(['./t_inq_cred']) -if realm.user_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run(['./t_inq_cred', '-k']) -if realm.user_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.user_princ) -output = realm.run(['./t_inq_cred', '-s']) -if realm.user_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.user_princ) +realm.run(['./t_inq_cred'], expected_msg=realm.user_princ) +realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ) +realm.run(['./t_inq_cred', '-s'], expected_msg=realm.user_princ) # Test picking a name from the keytab for acceptor creds. -output = realm.run(['./t_inq_cred', '-a']) -if realm.host_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run(['./t_inq_cred', '-k', '-a']) -if realm.host_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.host_princ) -output = realm.run(['./t_inq_cred', '-s', '-a']) -if realm.host_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.host_princ) +realm.run(['./t_inq_cred', '-a'], expected_msg=realm.host_princ) +realm.run(['./t_inq_cred', '-k', '-a'], expected_msg=realm.host_princ) +realm.run(['./t_inq_cred', '-s', '-a'], expected_msg=realm.host_princ) # Test client keytab initiation (non-deferred) with a specified name. realm.extract_keytab(realm.user_princ, realm.client_keytab) os.remove(realm.ccache) -output = realm.run(['./t_inq_cred', '-k']) -if realm.user_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.user_princ) +realm.run(['./t_inq_cred', '-k'], expected_msg=realm.user_princ) # Test deferred client keytab initiation and GSS_C_BOTH cred usage. os.remove(realm.client_keytab) os.remove(realm.ccache) shutil.copyfile(realm.keytab, realm.client_keytab) -output = realm.run(['./t_inq_cred', '-k', '-b']) -if realm.host_princ not in output: - fail('Expected %s in t_inq_cred output' % realm.host_princ) +realm.run(['./t_inq_cred', '-k', '-b'], expected_msg=realm.host_princ) # Test gss_export_name behavior. out = realm.run(['./t_export_name', 'u:x']) @@ -220,4 +186,37 @@ realm.run(['./t_ciflags', 'p:' + realm.host_princ]) # contexts. realm.run(['./t_inq_ctx', 'user', password('user'), 'p:%s' % realm.host_princ]) +if runenv.sizeof_time_t <= 4: + skip_rest('y2038 GSSAPI tests', 'platform has 32-bit time_t') + +# Test lifetime results, using a realm with a large maximum lifetime +# so that we can test ticket end dates after y2038. +realm.stop() +conf = {'realms': {'$realm': {'max_life': '9000d'}}} +realm = K5Realm(kdc_conf=conf, get_creds=False) + +# Check a lifetime string result against an expected number value (or None). +# Allow some variance due to time elapsed during the tests. +def check_lifetime(msg, val, expected): + if expected is None and val != 'indefinite': + fail('%s: expected indefinite, got %s' % (msg, val)) + if expected is not None and val == 'indefinite': + fail('%s: expected %d, got indefinite' % (msg, expected)) + if expected is not None and abs(int(val) - expected) > 100: + fail('%s: expected %d, got %s' % (msg, expected, val)) + +realm.kinit(realm.user_princ, password('user'), flags=['-l', '8500d']) +out = realm.run(['./t_lifetime', 'p:' + realm.host_princ, str(8000 * 86400)]) +ln = out.split('\n') +check_lifetime('icred gss_acquire_cred', ln[0], 8500 * 86400) +check_lifetime('icred gss_inquire_cred', ln[1], 8500 * 86400) +check_lifetime('acred gss_acquire_cred', ln[2], None) +check_lifetime('acred gss_inquire_cred', ln[3], None) +check_lifetime('ictx gss_init_sec_context', ln[4], 8000 * 86400) +check_lifetime('ictx gss_inquire_context', ln[5], 8000 * 86400) +check_lifetime('ictx gss_context_time', ln[6], 8000 * 86400) +check_lifetime('actx gss_accept_sec_context', ln[7], 8000 * 86400 + 300) +check_lifetime('actx gss_inquire_context', ln[8], 8000 * 86400 + 300) +check_lifetime('actx gss_context_time', ln[9], 8000 * 86400 + 300) + success('GSSAPI tests') diff --git a/src/tests/gssapi/t_imp_name.c b/src/tests/gssapi/t_imp_name.c index 4fcd61b..3d73dc8 100644 --- a/src/tests/gssapi/t_imp_name.c +++ b/src/tests/gssapi/t_imp_name.c @@ -29,13 +29,37 @@ */ #include +#include #include "common.h" -int -main(int argc, char **argv) +static const char * +oid_str(char type) +{ + switch (type) { + case 'p': /* GSS_KRB5_NT_PRINCIPAL_NAME */ + return "{ 1 2 840 113554 1 2 2 1 }"; + case 'e': /* GSS_KRB5_NT_ENTERPRISE_NAME */ + return "{ 1 2 840 113554 1 2 2 6 }"; + case 'h': /* GSS_C_NT_HOSTBASED_SERVICE */ + return "{ 1 2 840 113554 1 2 1 4 }"; + } + return "no_oid"; +} + +/* Return true if buf has the same contents as str, plus a zero byte if + * indicated by buf_includes_nullterm. */ +static int +buf_eq_str(gss_buffer_t buf, const char *str, int buf_includes_nullterm) +{ + size_t len = strlen(str) + (buf_includes_nullterm ? 1 : 0); + + return (buf->length == len && memcmp(buf->value, str, len) == 0); +} + +static void +test_import_name(const char *name) { - const char *name = "host@dcl.mit.edu"; OM_uint32 major, minor; gss_name_t gss_name; gss_buffer_desc buf; @@ -45,14 +69,24 @@ main(int argc, char **argv) major = gss_display_name(&minor, gss_name, &buf, &name_oid); check_gsserr("gss_display_name", major, minor); - printf("name is: %.*s\n", (int)buf.length, (char *)buf.value); + if (!buf_eq_str(&buf, name + 2, 0)) + errout("wrong name string"); (void)gss_release_buffer(&minor, &buf); major = gss_oid_to_str(&minor, name_oid, &buf); check_gsserr("gss_oid_to_str", major, minor); - printf("name type is: %.*s\n", (int)buf.length, (char *)buf.value); + if (!buf_eq_str(&buf, oid_str(*name), 1)) + errout("wrong name type"); (void)gss_release_buffer(&minor, &buf); (void)gss_release_name(&minor, &gss_name); +} + +int +main(int argc, char **argv) +{ + test_import_name("p:user@MIT.EDU"); + test_import_name("e:enterprise@mit.edu@MIT.EDU"); + test_import_name("h:HOST@dc1.mit.edu"); return 0; } diff --git a/src/tests/gssapi/t_invalid.c b/src/tests/gssapi/t_invalid.c index 5c8ddac..2a332a8 100644 --- a/src/tests/gssapi/t_invalid.c +++ b/src/tests/gssapi/t_invalid.c @@ -31,8 +31,8 @@ */ /* - * This file contains regression tests for some GSSAPI krb5 invalid per-message - * token vulnerabilities. + * This file contains regression tests for some GSSAPI invalid token + * vulnerabilities. * * 1. A pre-CFX wrap or MIC token processed with a CFX-only context causes a * null pointer dereference. (The token must use SEAL_ALG_NONE or it will @@ -54,10 +54,13 @@ * causes an integer underflow when computing the original message length, * leading to an allocation error. * + * 5. In the mechglue, truncated encapsulation in the initial context token can + * cause input buffer overruns in gss_accept_sec_context(). + * * Vulnerabilities #1 and #2 also apply to IOV unwrap, although tokens with - * fewer than 16 bytes after the ASN.1 header will be rejected. Vulnerability - * #2 can only be robustly detected using a memory-checking environment such as - * valgrind. + * fewer than 16 bytes after the ASN.1 header will be rejected. + * Vulnerabilities #2 and #5 can only be robustly detected using a + * memory-checking environment such as valgrind. */ #include "k5-int.h" @@ -406,6 +409,48 @@ test_bad_pad(gss_ctx_id_t ctx, const struct test *test) (void)gss_release_buffer(&minor, &out); } +static void +try_accept(void *value, size_t len) +{ + OM_uint32 minor; + gss_buffer_desc in, out; + gss_ctx_id_t ctx = GSS_C_NO_CONTEXT; + + /* Copy the provided value to make input overruns more obvious. */ + in.value = malloc(len); + if (in.value == NULL) + abort(); + memcpy(in.value, value, len); + in.length = len; + (void)gss_accept_sec_context(&minor, &ctx, GSS_C_NO_CREDENTIAL, &in, + GSS_C_NO_CHANNEL_BINDINGS, NULL, NULL, + &out, NULL, NULL, NULL); + gss_release_buffer(&minor, &out); + gss_delete_sec_context(&minor, &ctx, GSS_C_NO_BUFFER); + free(in.value); +} + +/* Accept contexts using superficially valid but truncated encapsulations. */ +static void +test_short_encapsulation() +{ + /* Include just the initial application tag, to see if we overrun reading + * the sequence length. */ + try_accept("\x60", 1); + + /* Indicate four additional sequence length bytes, to see if we overrun + * reading them (or skipping them and reading the next byte). */ + try_accept("\x60\x84", 2); + + /* Include an object identifier tag but no length, to see if we overrun + * reading the length. */ + try_accept("\x60\x40\x06", 3); + + /* Include an object identifier tag with a length matching the krb5 mech, + * but no OID bytes, to see if we overrun comparing against mechs. */ + try_accept("\x60\x40\x06\x09", 4); +} + int main(int argc, char **argv) { @@ -425,5 +470,7 @@ main(int argc, char **argv) free_fake_context(ctx); } + test_short_encapsulation(); + return 0; } diff --git a/src/tests/gssapi/t_lifetime.c b/src/tests/gssapi/t_lifetime.c new file mode 100644 index 0000000..8dcf186 --- /dev/null +++ b/src/tests/gssapi/t_lifetime.c @@ -0,0 +1,140 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/gssapi/t_lifetime.c - display cred and context lifetimes */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include +#include "common.h" + +/* + * Using the default credential, exercise the GSS functions which accept or + * produce lifetimes. Display the following results, one per line, as ASCII + * integers or the string "indefinite": + * + * initiator cred lifetime according to gss_acquire_cred() + * initiator cred lifetime according to gss_inquire_cred() + * acceptor cred lifetime according to gss_acquire_cred() + * acceptor cred lifetime according to gss_inquire_cred() + * initiator context lifetime according to gss_init_sec_context() + * initiator context lifetime according to gss_inquire_context() + * initiator context lifetime according to gss_context_time() + * acceptor context lifetime according to gss_init_sec_context() + * acceptor context lifetime according to gss_inquire_context() + * acceptor context lifetime according to gss_context_time() + */ + +static void +display_time(OM_uint32 tval) +{ + if (tval == GSS_C_INDEFINITE) + puts("indefinite"); + else + printf("%u\n", (unsigned int)tval); +} + +int +main(int argc, char *argv[]) +{ + OM_uint32 minor, major; + gss_cred_id_t icred, acred; + gss_name_t tname; + gss_ctx_id_t ictx = GSS_C_NO_CONTEXT, actx = GSS_C_NO_CONTEXT; + gss_buffer_desc itok = GSS_C_EMPTY_BUFFER, atok = GSS_C_EMPTY_BUFFER; + OM_uint32 time_req = GSS_C_INDEFINITE, time_rec; + + if (argc < 2 || argc > 3) { + fprintf(stderr, "Usage: %s targetname [time_req]\n", argv[0]); + return 1; + } + tname = import_name(argv[1]); + if (argc >= 3) + time_req = atoll(argv[2]); + + /* Get initiator cred and display its lifetime according to + * gss_acquire_cred and gss_inquire_cred. */ + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, + GSS_C_INITIATE, &icred, NULL, &time_rec); + check_gsserr("gss_acquire_cred(initiate)", major, minor); + display_time(time_rec); + major = gss_inquire_cred(&minor, icred, NULL, &time_rec, NULL, NULL); + check_gsserr("gss_inquire_cred(initiate)", major, minor); + display_time(time_rec); + + /* Get acceptor cred and display its lifetime according to gss_acquire_cred + * and gss_inquire_cred. */ + major = gss_acquire_cred(&minor, GSS_C_NO_NAME, time_req, &mechset_krb5, + GSS_C_ACCEPT, &acred, NULL, &time_rec); + check_gsserr("gss_acquire_cred(accept)", major, minor); + display_time(time_rec); + major = gss_inquire_cred(&minor, acred, NULL, &time_rec, NULL, NULL); + check_gsserr("gss_inquire_cred(accept)", major, minor); + display_time(time_rec); + + /* Make an initiator context and display its lifetime according to + * gss_init_sec_context, gss_inquire_context, and gss_context_time. */ + major = gss_init_sec_context(&minor, icred, &ictx, tname, &mech_krb5, 0, + time_req, GSS_C_NO_CHANNEL_BINDINGS, &atok, + NULL, &itok, NULL, &time_rec); + check_gsserr("gss_init_sec_context", major, minor); + assert(major == GSS_S_COMPLETE); + display_time(time_rec); + major = gss_inquire_context(&minor, ictx, NULL, NULL, &time_rec, NULL, + NULL, NULL, NULL); + check_gsserr("gss_inquire_context(initiate)", major, minor); + display_time(time_rec); + major = gss_context_time(&minor, ictx, &time_rec); + check_gsserr("gss_context_time(initiate)", major, minor); + display_time(time_rec); + + major = gss_accept_sec_context(&minor, &actx, acred, &itok, + GSS_C_NO_CHANNEL_BINDINGS, NULL, + NULL, &atok, NULL, &time_rec, NULL); + check_gsserr("gss_accept_sec_context", major, minor); + assert(major == GSS_S_COMPLETE); + display_time(time_rec); + major = gss_inquire_context(&minor, actx, NULL, NULL, &time_rec, NULL, + NULL, NULL, NULL); + check_gsserr("gss_inquire_context(accept)", major, minor); + display_time(time_rec); + major = gss_context_time(&minor, actx, &time_rec); + check_gsserr("gss_context_time(accept)", major, minor); + display_time(time_rec); + + (void)gss_release_buffer(&minor, &itok); + (void)gss_release_buffer(&minor, &atok); + (void)gss_release_name(&minor, &tname); + (void)gss_release_cred(&minor, &icred); + (void)gss_release_cred(&minor, &acred); + (void)gss_delete_sec_context(&minor, &ictx, NULL); + (void)gss_delete_sec_context(&minor, &actx, NULL); + return 0; +} diff --git a/src/tests/gssapi/t_oid.c b/src/tests/gssapi/t_oid.c index 417f7b9..1c9d394 100644 --- a/src/tests/gssapi/t_oid.c +++ b/src/tests/gssapi/t_oid.c @@ -59,6 +59,9 @@ static struct { /* GSS_KRB5_NT_PRINCIPAL_NAME */ { "{ 1 2 840 113554 1 2 2 1 }", " {01 2 840 113554 1 2 2 1 } ", { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x01" } }, + /* GSS_KRB5_NT_ENTERPRISE_NAME */ + { "{ 1 2 840 113554 1 2 2 6 }", " {1.2.840.113554.1.2.2.6} ", + { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x06" } }, /* gss_krb5_nt_principal */ { "{ 1 2 840 113554 1 2 2 2 }", "{1.2.840.113554.1.2.2.2}", { 10, "\x2A\x86\x48\x86\xF7\x12\x01\x02\x02\x02" } }, diff --git a/src/tests/gssapi/t_prf.c b/src/tests/gssapi/t_prf.c index 2c8c851..6a698ce 100644 --- a/src/tests/gssapi/t_prf.c +++ b/src/tests/gssapi/t_prf.c @@ -24,6 +24,7 @@ */ #include "k5-int.h" +#include "k5-hex.h" #include "common.h" #include "mglueP.h" #include "gssapiP_krb5.h" @@ -109,12 +110,14 @@ static struct { static size_t fromhex(const char *hexstr, unsigned char *out) { - const char *p; - size_t count; + uint8_t *bytes; + size_t len; - for (p = hexstr, count = 0; *p != '\0'; p += 2, count++) - sscanf(p, "%2hhx", &out[count]); - return count; + if (k5_hex_decode(hexstr, &bytes, &len) != 0) + abort(); + memcpy(out, bytes, len); + free(bytes); + return len; } int diff --git a/src/tests/gssapi/t_s4u.c b/src/tests/gssapi/t_s4u.c index 5bc1e44..0400f8f 100644 --- a/src/tests/gssapi/t_s4u.c +++ b/src/tests/gssapi/t_s4u.c @@ -242,6 +242,7 @@ main(int argc, char *argv[]) gss_cred_id_t delegated_cred_handle = GSS_C_NO_CREDENTIAL; gss_name_t user = GSS_C_NO_NAME, target = GSS_C_NO_NAME; gss_OID_set mechs; + gss_buffer_set_t bufset = GSS_C_NO_BUFFER_SET; if (argc < 2 || argc > 5) { fprintf(stderr, "Usage: %s [--spnego] [user] " @@ -305,6 +306,25 @@ main(int argc, char *argv[]) fprintf(stderr, "\n"); } + if (delegated_cred_handle != GSS_C_NO_CREDENTIAL) { + /* Inquire impersonator status. */ + major = gss_inquire_cred_by_oid(&minor, user_cred_handle, + GSS_KRB5_GET_CRED_IMPERSONATOR, + &bufset); + check_gsserr("gss_inquire_cred_by_oid", major, minor); + if (bufset->count == 0) + errout("gss_inquire_cred_by_oid(user) returned NO impersonator"); + (void)gss_release_buffer_set(&minor, &bufset); + + major = gss_inquire_cred_by_oid(&minor, impersonator_cred_handle, + GSS_KRB5_GET_CRED_IMPERSONATOR, + &bufset); + check_gsserr("gss_inquire_cred_by_oid", major, minor); + if (bufset->count != 0) + errout("gss_inquire_cred_by_oid(svc) returned an impersonator"); + (void)gss_release_buffer_set(&minor, &bufset); + } + (void)gss_release_name(&minor, &user); (void)gss_release_name(&minor, &target); (void)gss_release_cred(&minor, &delegated_cred_handle); diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index 7366e39..164fec8 100755 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_host=False, get_creds=False) @@ -20,6 +19,14 @@ pservice2 = 'p:' + service2 # Get forwardable creds for service1 in the default cache. realm.kinit(service1, None, ['-f', '-k']) +# Try S4U2Self for user with a restricted password. +realm.run([kadminl, 'modprinc', '+needchange', realm.user_princ]) +realm.run(['./t_s4u', 'e:user', '-']) +realm.run([kadminl, 'modprinc', '-needchange', + '-pwexpire', '1/1/2000', realm.user_princ]) +realm.run(['./t_s4u', 'e:user', '-']) +realm.run([kadminl, 'modprinc', '-pwexpire', 'never', realm.user_princ]) + # Try krb5 -> S4U2Proxy with forwardable user creds. This should fail # at the S4U2Proxy step since the DB2 back end currently has no # support for allowing it. @@ -42,10 +49,8 @@ if ('auth1: ' + realm.user_princ not in output or # result in no delegated credential being created by # accept_sec_context. realm.kinit(realm.user_princ, password('user'), ['-c', usercache]) -output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, - pservice1, pservice2]) -if 'no credential delegated' not in output: - fail('krb5 -> no delegated cred') +realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1, + pservice1, pservice2], expected_msg='no credential delegated') # Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because # service/1 isn't allowed to get a forwardable S4U2Self ticket. @@ -61,17 +66,15 @@ if ('Warning: no delegated cred handle' not in output or # Correct that problem and try again. As above, the S4U2Proxy step # won't actually succeed since we don't support that in DB2. realm.run([kadminl, 'modprinc', '+ok_to_auth_as_delegate', service1]) -output = realm.run(['./t_s4u', puser, pservice2], expected_code=1) -if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') +realm.run(['./t_s4u', puser, pservice2], expected_code=1, + expected_msg='NOT_ALLOWED_TO_DELEGATE') # Again with SPNEGO. This uses SPNEGO for the initial authentication, # but still uses krb5 for S4U2Proxy--the delegated cred is returned as # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred # directly rather than saving and reacquiring it. -output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1) -if 'NOT_ALLOWED_TO_DELEGATE' not in output: - fail('s4u2self') +realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1, + expected_msg='NOT_ALLOWED_TO_DELEGATE') realm.stop() @@ -144,19 +147,71 @@ if 'auth1: user@' not in out or 'auth2: user@' not in out: realm.stop() -# Exercise cross-realm S4U2Self. The query in the foreign realm will -# fail, but we can check that the right server principal was used. -r1, r2 = cross_realms(2, create_user=False) -r1.run([kinit, '-k', r1.host_princ]) -out = r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1) -if 'Server not found in Kerberos database' not in out: - fail('cross-realm s4u2self (t_s4u output)') +mark('S4U2Self with various enctypes') +for realm in multipass_realms(create_host=False, get_creds=False): + service1 = 'service/1@%s' % realm.realm + realm.addprinc(service1) + realm.extract_keytab(service1, realm.keytab) + realm.kinit(service1, None, ['-k']) + realm.run(['./t_s4u', 'e:user', '-']) + +# Test cross realm S4U2Self using server referrals. +mark('cross-realm S4U2Self') +testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'}, + 'krbtgt/UREALM': {'keys': 'aes128-cts'}, + 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}} +kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}}, + 'dbmodules': {'test': {'db_library': 'test', + 'princs': testprincs, + 'alias': {'enterprise@abc': '@UREALM'}}}} +kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}}, + 'dbmodules': {'test': {'db_library': 'test', + 'princs': testprincs, + 'alias': {'user@SREALM': '@SREALM', + 'enterprise@abc': 'user'}}}} +r1, r2 = cross_realms(2, xtgts=(), + args=({'realm': 'SREALM', 'kdc_conf': kdcconf1}, + {'realm': 'UREALM', 'kdc_conf': kdcconf2}), + create_kdb=False) + +r1.start_kdc() +r2.start_kdc() +r1.extract_keytab(r1.user_princ, r1.keytab) +r1.kinit(r1.user_princ, None, ['-k', '-t', r1.keytab]) + +# Include a regression test for #8741 by unsetting the default realm. +remove_default = {'libdefaults': {'default_realm': None}} +no_default = r1.special_env('no_default', False, krb5_conf=remove_default) +msgs = ('Getting credentials user@UREALM -> user@SREALM', + '/Matching credential not found', + 'Getting credentials user@SREALM -> krbtgt/UREALM@SREALM', + 'Received creds for desired service krbtgt/UREALM@SREALM', + 'via TGT krbtgt/UREALM@SREALM after requesting user\\@SREALM@UREALM', + 'krbtgt/SREALM@UREALM differs from requested user\\@SREALM@UREALM', + 'via TGT krbtgt/SREALM@UREALM after requesting user@SREALM', + 'TGS reply is for user@UREALM -> user@SREALM') +r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default, + expected_trace=msgs) + +# Test realm identification of enterprise principal names ([MS-S4U] +# 3.1.5.1.1.1). Attach a bogus realm to the enterprise name to verify +# that we start at the server realm. +mark('cross-realm S4U2Self with enterprise name') +msgs = ('Getting initial credentials for enterprise\\@abc@SREALM', + 'Processing preauth types: PA-FOR-X509-USER (130)', + 'Sending unauthenticated request', + '/Realm not local to KDC', + 'Following referral to realm UREALM', + 'Processing preauth types: PA-FOR-X509-USER (130)', + 'Sending unauthenticated request', + '/Additional pre-authentication required', + '/Generic preauthentication failure', + 'Getting credentials enterprise\\@abc@UREALM -> user@SREALM', + 'TGS reply is for enterprise\@abc@UREALM -> user@SREALM') +r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab], + expected_trace=msgs) + r1.stop() r2.stop() -with open(os.path.join(r2.testdir, 'kdc.log')) as f: - kdclog = f.read() -exp_princ = r1.host_princ.replace('/', '\\/').replace('@', '\\@') -if ('for %s@%s, Server not found' % (exp_princ, r2.realm)) not in kdclog: - fail('cross-realm s4u2self (kdc log)') success('S4U test cases') diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c index 0934f33..086c21d 100644 --- a/src/tests/hammer/kdc5_hammer.c +++ b/src/tests/hammer/kdc5_hammer.c @@ -283,6 +283,8 @@ get_server_key(context, server, enctype, key) krb5_data salt; krb5_data pwd; + *key = NULL; + if ((retval = krb5_principal2salt(context, server, &salt))) return retval; @@ -294,8 +296,11 @@ get_server_key(context, server, enctype, key) if ((*key = (krb5_keyblock *)malloc(sizeof(krb5_keyblock)))) { krb5_use_enctype(context, &eblock, enctype); - if ((retval = krb5_string_to_key(context, &eblock, *key, &pwd, &salt))) + retval = krb5_string_to_key(context, &eblock, *key, &pwd, &salt); + if (retval) { free(*key); + *key = NULL; + } } else retval = ENOMEM; @@ -436,12 +441,11 @@ int get_tgt (context, p_client_str, p_client, ccache) { char *cache_name = NULL; /* -f option */ long lifetime = KRB5_DEFAULT_LIFE; /* -l option */ - int options = KRB5_DEFAULT_OPTIONS; krb5_error_code code; krb5_creds my_creds; krb5_timestamp start; - krb5_principal tgt_server; float dt; + krb5_get_init_creds_opt *options; if (!brief) fprintf(stderr, "\tgetting TGT for %s\n", p_client_str); @@ -458,22 +462,6 @@ int get_tgt (context, p_client_str, p_client, ccache) return(-1); } - - if ((code = krb5_build_principal_ext(context, &tgt_server, - krb5_princ_realm(context, *p_client)->length, - krb5_princ_realm(context, *p_client)->data, - tgtname.length, - tgtname.data, - krb5_princ_realm(context, *p_client)->length, - krb5_princ_realm(context, *p_client)->data, - 0))) { - com_err(prog, code, "when setting up tgt principal"); - return(-1); - } - - my_creds.client = *p_client; - my_creds.server = tgt_server; - code = krb5_cc_initialize (context, ccache, *p_client); if (code != 0) { com_err (prog, code, "when initializing cache %s", @@ -481,17 +469,26 @@ int get_tgt (context, p_client_str, p_client, ccache) return(-1); } - my_creds.times.starttime = 0; /* start timer when request - gets to KDC */ - my_creds.times.endtime = start + lifetime; - my_creds.times.renew_till = 0; - if (do_timer) swatch_on(); - code = krb5_get_in_tkt_with_password(context, options, 0, - NULL, patype, p_client_str, ccache, - &my_creds, 0); + code = krb5_get_init_creds_opt_alloc(context, &options); + if (code != 0) { + com_err(prog, code, "when allocating init cred options"); + return(-1); + } + + krb5_get_init_creds_opt_set_tkt_life(options, lifetime); + + code = krb5_get_init_creds_opt_set_out_ccache(context, options, ccache); + if (code != 0) { + com_err(prog, code, "when setting init cred output ccache"); + return(-1); + } + + code = krb5_get_init_creds_password(context, &my_creds, *p_client, + p_client_str, NULL, NULL, 0, NULL, + options); if (do_timer) { dt = swatch_eltime(); in_tkt_times.ht_cumulative += dt; @@ -501,8 +498,7 @@ int get_tgt (context, p_client_str, p_client, ccache) if (dt < in_tkt_times.ht_min) in_tkt_times.ht_min = dt; } - my_creds.server = my_creds.client = 0; - krb5_free_principal(context, tgt_server); + krb5_get_init_creds_opt_free(context, options); krb5_free_cred_contents(context, &my_creds); if (code != 0) { com_err (prog, code, "while getting initial credentials"); diff --git a/src/tests/icinterleave.c b/src/tests/icinterleave.c new file mode 100644 index 0000000..a1bdd35 --- /dev/null +++ b/src/tests/icinterleave.c @@ -0,0 +1,128 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* tests/icinterleave.c - interleaved init_creds_step test harness */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This test harness performs multiple initial creds operations using + * krb5_init_creds_step(), interleaving the operations to test the scoping of + * the preauth state. All principals must have the same password (or not + * require a password). + */ + +#include "k5-int.h" + +static krb5_context ctx; + +static void +check(krb5_error_code code) +{ + const char *errmsg; + + if (code) { + errmsg = krb5_get_error_message(ctx, code); + fprintf(stderr, "%s\n", errmsg); + krb5_free_error_message(ctx, errmsg); + exit(1); + } +} + +int +main(int argc, char **argv) +{ + const char *password; + char **princstrs; + krb5_principal client; + krb5_init_creds_context *iccs; + krb5_data req, *reps, realm; + krb5_boolean any_left; + int i, nclients, master; + unsigned int flags; + + if (argc < 3) { + fprintf(stderr, "Usage: icinterleave password princ1 princ2 ...\n"); + exit(1); + } + password = argv[1]; + princstrs = argv + 2; + nclients = argc - 2; + + check(krb5_init_context(&ctx)); + + /* Create an initial creds context for each client principal. */ + iccs = calloc(nclients, sizeof(*iccs)); + assert(iccs != NULL); + for (i = 0; i < nclients; i++) { + check(krb5_parse_name(ctx, princstrs[i], &client)); + check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, + &iccs[i])); + check(krb5_init_creds_set_password(ctx, iccs[i], password)); + krb5_free_principal(ctx, client); + } + + reps = calloc(nclients, sizeof(*reps)); + assert(reps != NULL); + + any_left = TRUE; + while (any_left) { + any_left = FALSE; + for (i = 0; i < nclients; i++) { + if (iccs[i] == NULL) + continue; + any_left = TRUE; + + printf("step %d\n", i + 1); + + req = empty_data(); + realm = empty_data(); + check(krb5_init_creds_step(ctx, iccs[i], &reps[i], &req, &realm, + &flags)); + if (!(flags & KRB5_INIT_CREDS_STEP_FLAG_CONTINUE)) { + printf("finish %d\n", i + 1); + krb5_init_creds_free(ctx, iccs[i]); + iccs[i] = NULL; + continue; + } + + master = 0; + krb5_free_data_contents(ctx, &reps[i]); + check(krb5_sendto_kdc(ctx, &req, &realm, &reps[i], &master, 0)); + krb5_free_data_contents(ctx, &req); + krb5_free_data_contents(ctx, &realm); + } + } + + for (i = 0; i < nclients; i++) + krb5_free_data_contents(ctx, &reps[i]); + free(reps); + free(iccs); + krb5_free_context(ctx); + return 0; +} diff --git a/src/tests/icred.c b/src/tests/icred.c index 071f91c..55f929c 100644 --- a/src/tests/icred.c +++ b/src/tests/icred.c @@ -35,8 +35,8 @@ * it is very simplistic, but it can be extended as needed. */ +#include "k5-platform.h" #include -#include static krb5_context ctx; @@ -59,29 +59,64 @@ main(int argc, char **argv) const char *princstr, *password; krb5_principal client; krb5_init_creds_context icc; + krb5_get_init_creds_opt *opt; krb5_creds creds; + krb5_boolean stepwise = FALSE; + krb5_preauthtype ptypes[64]; + int c, nptypes = 0; + char *val; - if (argc != 3) { - fprintf(stderr, "Usage: icred princname password\n"); - exit(1); + check(krb5_init_context(&ctx)); + check(krb5_get_init_creds_opt_alloc(ctx, &opt)); + + while ((c = getopt(argc, argv, "so:X:")) != -1) { + switch (c) { + case 's': + stepwise = TRUE; + break; + case 'o': + assert(nptypes < 64); + ptypes[nptypes++] = atoi(optarg); + break; + case 'X': + val = strchr(optarg, '='); + if (val != NULL) + *val++ = '\0'; + else + val = "yes"; + check(krb5_get_init_creds_opt_set_pa(ctx, opt, optarg, val)); + break; + default: + abort(); + } } - princstr = argv[1]; - password = argv[2]; - check(krb5_init_context(&ctx)); + argc -= optind; + argv += optind; + if (argc != 2) + abort(); + princstr = argv[0]; + password = argv[1]; + check(krb5_parse_name(ctx, princstr, &client)); - /* Try once with the traditional interface. */ - check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL, - NULL, 0, NULL, NULL)); - krb5_free_cred_contents(ctx, &creds); + if (nptypes > 0) + krb5_get_init_creds_opt_set_preauth_list(opt, ptypes, nptypes); - /* Try again with the step interface. */ - check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc)); - check(krb5_init_creds_set_password(ctx, icc, password)); - check(krb5_init_creds_get(ctx, icc)); - krb5_init_creds_free(ctx, icc); + if (stepwise) { + /* Use the stepwise interface. */ + check(krb5_init_creds_init(ctx, client, NULL, NULL, 0, NULL, &icc)); + check(krb5_init_creds_set_password(ctx, icc, password)); + check(krb5_init_creds_get(ctx, icc)); + krb5_init_creds_free(ctx, icc); + } else { + /* Use the traditional one-shot interface. */ + check(krb5_get_init_creds_password(ctx, &creds, client, password, NULL, + NULL, 0, NULL, opt)); + krb5_free_cred_contents(ctx, &creds); + } + krb5_get_init_creds_opt_free(ctx, opt); krb5_free_principal(ctx, client); krb5_free_context(ctx); return 0; diff --git a/src/tests/jsonwalker.py b/src/tests/jsonwalker.py index 265c69c..1880363 100644 --- a/src/tests/jsonwalker.py +++ b/src/tests/jsonwalker.py @@ -1,12 +1,5 @@ -#!/usr/bin/python - import sys -try: - import cjson -except ImportError: - print "Warning: skipping audit log verification because the cjson module" \ - " is unavailable" - sys.exit(0) +import json from collections import defaultdict from optparse import OptionParser @@ -24,10 +17,10 @@ class Parser(object): result = self.parse(logs) if len(result) != len(self.defaults): diff = set(self.defaults.keys()).difference(result.keys()) - print 'Test failed.' - print 'The following attributes were not set:' + print('Test failed.') + print('The following attributes were not set:') for it in diff: - print it + print(it) sys.exit(1) def flatten(self, defaults): @@ -44,7 +37,7 @@ class Parser(object): result = dict() for path,value in self._walk(defaults): if path in result: - print 'Warning: attribute path %s already exists' % path + print('Warning: attribute path %s already exists' % path) result[path] = value return result @@ -62,7 +55,7 @@ class Parser(object): if v is not None: dv = self.DEFAULTS[type(v)] else: - print 'Warning: attribute %s is set to None' % a + print('Warning: attribute %s is set to None' % a) continue # by now we have default value if v != dv: @@ -74,7 +67,7 @@ class Parser(object): """ Generator that works through dictionary. """ - for a,v in adict.iteritems(): + for a,v in adict.items(): if isinstance(v,dict): for (attrpath,u) in self._walk(v): yield (a+'.'+attrpath,u) @@ -95,17 +88,16 @@ if __name__ == '__main__': with open(options.filename, 'r') as f: content = list() for l in f: - content.append(cjson.decode(l.rstrip())) + content.append(json.loads(l.rstrip())) f.close() else: - print 'Input file in jason format is required' + print('Input file in JSON format is required') exit() defaults = None if options.defaults is not None: with open(options.defaults, 'r') as f: - defaults = cjson.decode(f.read()) - f.close() + defaults = json.load(f) # run test p = Parser(defaults) diff --git a/src/tests/kdbtest.c b/src/tests/kdbtest.c index 3f63cfb..3f61f3e 100644 --- a/src/tests/kdbtest.c +++ b/src/tests/kdbtest.c @@ -243,8 +243,9 @@ check_entry(krb5_db_entry *ent) static void sim_preauth(krb5_timestamp authtime, krb5_boolean ok, krb5_db_entry **entp) { - /* Both back ends ignore the request parameter for now. */ - krb5_db_audit_as_req(ctx, NULL, *entp, *entp, authtime, + /* Both back ends ignore the request, local_addr, and remote_addr + * parameters for now. */ + krb5_db_audit_as_req(ctx, NULL, NULL, NULL, *entp, *entp, authtime, ok ? 0 : KRB5KDC_ERR_PREAUTH_FAILED); krb5_db_free_principal(ctx, *entp); CHECK(krb5_db_get_principal(ctx, &sample_princ, 0, entp)); diff --git a/src/tests/responder.c b/src/tests/responder.c index 21aae65..82f870e 100644 --- a/src/tests/responder.c +++ b/src/tests/responder.c @@ -226,7 +226,7 @@ responder(krb5_context ctx, void *rawdata, krb5_responder_context rctx) if (chl != NULL && chl->identities != NULL && chl->identities[0] != NULL) { - if (strncmp(chl->identities[0]->identity, "PKCS12:", 5) == 0) + if (strncmp(chl->identities[0]->identity, "PKCS12:", 7) == 0) krb5_responder_pkinit_set_answer(ctx, rctx, "foo", "bar"); } krb5_responder_pkinit_challenge_free(ctx, rctx, chl); diff --git a/src/tests/shlib/t_loader.c b/src/tests/shlib/t_loader.c index 869be80..29481a7 100644 --- a/src/tests/shlib/t_loader.c +++ b/src/tests/shlib/t_loader.c @@ -186,18 +186,6 @@ int main() (void) setvbuf(stdout, 0, _IONBF, 0); -#if 0 - /* Simplest test: Load, then unload out of order. */ - celib = do_open("com_err", "3.0", 0); - k5lib = do_open("krb5", "3.2", 0); - gsslib = do_open("gssapi_krb5", "2.2", 0); - celib2 = do_open("com_err", "3.0", 0); - do_close(celib); - do_close(k5lib); - do_close(celib2); - do_close(gsslib); -#endif - celib = do_open("com_err", "3.0", 0); k5lib = do_open("krb5", "3.2", 0); gsslib = do_open("gssapi_krb5", "2.2", 0); diff --git a/src/tests/t_audit.py b/src/tests/t_audit.py index 69c9251..0f880ed 100755 --- a/src/tests/t_audit.py +++ b/src/tests/t_audit.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * conf = {'plugins': {'audit': { @@ -14,18 +13,15 @@ realm.run([kvno, 'target']) # Make S4U2Self and S4U2Proxy requests so they will be audited. The # S4U2Proxy request is expected to fail. -out = realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'], - expected_code=1) -if 'NOT_ALLOWED_TO_DELEGATE' not in out: - fail('Unexpected error for S4U2Proxy') +realm.run([kvno, '-k', realm.keytab, '-U', 'user', '-P', 'target'], + expected_code=1, expected_msg='NOT_ALLOWED_TO_DELEGATE') # Make a U2U request so it will be audited. uuserver = os.path.join(buildtop, 'appl', 'user_user', 'uuserver') uuclient = os.path.join(buildtop, 'appl', 'user_user', 'uuclient') port_arg = str(realm.server_port()) realm.start_server([uuserver, port_arg], 'Server started') -output = realm.run([uuclient, hostname, 'testing message', port_arg]) -if 'Hello' not in output: - fail('U2U request failed unexpectedly') +realm.run([uuclient, hostname, 'testing message', port_arg], + expected_msg='Hello') success('Audit tests') diff --git a/src/tests/t_authdata.py b/src/tests/t_authdata.py index 3352502..d98974b 100644 --- a/src/tests/t_authdata.py +++ b/src/tests/t_authdata.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Load the sample KDC authdata module. @@ -10,12 +9,14 @@ realm = K5Realm(krb5_conf=conf) # With no requested authdata, we expect to see SIGNTICKET (512) in an # if-relevant container and the greet authdata in a kdc-issued # container. +mark('baseline authdata') out = realm.run(['./adata', realm.host_princ]) if '?512: ' not in out or '^-42: Hello' not in out: fail('expected authdata not seen for basic request') # Requested authdata is copied into the ticket, with KDC-only types # filtered out. (128 is win2k-pac, which should be filtered.) +mark('request authdata') out = realm.run(['./adata', realm.host_princ, '-5', 'test1', '?-6', 'test2', '128', 'fakepac', '?128', 'ifrelfakepac', '^-8', 'fakekdcissued', '?^-8', 'ifrelfakekdcissued']) @@ -24,13 +25,13 @@ if ' -5: test1' not in out or '?-6: test2' not in out: if 'fake' in out: fail('KDC-only authdata not filtered for request with authdata') -out = realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'], - expected_code=1) -if 'KDC policy rejects request' not in out: - fail('Wrong error seen for mandatory-for-kdc failure') +mark('AD-MANDATORY-FOR-KDC') +realm.run(['./adata', realm.host_princ, '!-1', 'mandatoryforkdc'], + expected_code=1, expected_msg='KDC policy rejects request') # The no_auth_data_required server flag should suppress SIGNTICKET, # but not module or request authdata. +mark('no_auth_data_required server flag') realm.run([kadminl, 'ank', '-randkey', '+no_auth_data_required', 'noauth']) realm.extract_keytab('noauth', realm.keytab) out = realm.run(['./adata', 'noauth', '-2', 'test']) @@ -41,6 +42,7 @@ if '512: ' in out: # Cross-realm TGT requests should also suppress SIGNTICKET, but not # module or request authdata. +mark('cross-realm') realm.addprinc('krbtgt/XREALM') realm.extract_keytab('krbtgt/XREALM', realm.keytab) out = realm.run(['./adata', 'krbtgt/XREALM', '-3', 'test']) @@ -69,6 +71,7 @@ else: # SIGNTICKET and module authdata should be suppressed for # anonymous tickets, but not request authdata. + mark('anonymous') out = realm.run(['./adata', realm.host_princ, '-4', 'test']) if ' -4: test' not in out: fail('expected authdata not seen for anonymous request') @@ -88,6 +91,7 @@ realm, realm2 = cross_realms(2, args=({'realm': 'LOCAL'}, realm.run([kadminl, 'modprinc', '+requires_preauth', '-maxrenewlife', '2 days', realm.user_princ]) realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.host_princ]) +realm.run([kadminl, 'modprinc', '-maxrenewlife', '2 days', realm.krbtgt_princ]) realm.extract_keytab(realm.krbtgt_princ, realm.keytab) realm.extract_keytab(realm.host_princ, realm.keytab) realm.extract_keytab('krbtgt/FOREIGN', realm.keytab) @@ -96,50 +100,45 @@ realm2.extract_keytab(realm2.host_princ, realm.keytab) realm2.extract_keytab('krbtgt/LOCAL', realm.keytab) # AS request to local-realm service +mark('AS-REQ to local service auth indicator') realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl', '-r', '2d', '-S', realm.host_princ]) -out = realm.run(['./adata', realm.host_princ]) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for AS req to service') +realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') # Ticket modification request +mark('ticket modification auth indicator') realm.kinit(realm.user_princ, None, ['-R', '-S', realm.host_princ]) -out = realm.run(['./adata', realm.host_princ]) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for ticket modification request') +realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') # AS request to cross TGT +mark('AS-REQ to cross TGT auth indicator') realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl', '-S', 'krbtgt/FOREIGN']) -out = realm.run(['./adata', 'krbtgt/FOREIGN']) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for AS req to cross-realm TGT') +realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]') # Multiple indicators +mark('AS multiple indicators') realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl indcl2 indcl3']) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '+97: [indcl, indcl2, indcl3]' not in out: - fail('multiple auth-indicators not seen for normal AS req') +realm.run(['./adata', realm.krbtgt_princ], + expected_msg='+97: [indcl, indcl2, indcl3]') # AS request to local TGT (resulting creds are used for TGS tests) +mark('AS-REQ to local TGT auth indicator') realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=indcl']) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for normal AS req') +realm.run(['./adata', realm.krbtgt_princ], expected_msg='+97: [indcl]') # Local TGS request for local realm service -out = realm.run(['./adata', realm.host_princ]) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for local TGS req') +mark('TGS-REQ to local service auth indicator') +realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') # Local TGS request for cross TGT service -out = realm.run(['./adata', 'krbtgt/FOREIGN']) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for TGS req to cross-realm TGT') +mark('TGS-REQ to cross TGT auth indicator') +realm.run(['./adata', 'krbtgt/FOREIGN'], expected_msg='+97: [indcl]') # We don't yet have support for passing auth indicators across realms, # so just verify that indicators don't survive cross-realm requests. +mark('TGS-REQ to foreign service auth indicator') out = realm.run(['./adata', realm2.krbtgt_princ]) if '97:' in out: fail('auth-indicator seen in cross TGT request to local TGT') @@ -151,17 +150,16 @@ if '97:' in out: fail('auth-indicator seen in cross TGT request to service') # Test that the CAMMAC signature still works during a krbtgt rollover. +mark('CAMMAC signature across krbtgt rollover') realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.krbtgt_princ]) -out = realm.run(['./adata', realm.host_princ]) -if '+97: [indcl]' not in out: - fail('auth-indicator not seen for local TGS req after krbtgt rotation') +realm.run(['./adata', realm.host_princ], expected_msg='+97: [indcl]') # Test indicator enforcement. +mark('auth indicator enforcement') realm.addprinc('restricted') realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'superstrong']) -out = realm.run([kvno, 'restricted'], expected_code=1) -if 'KDC policy rejects request' not in out: - fail('expected error not seen for auth indicator enforcement') +realm.run([kvno, 'restricted'], expected_code=1, + expected_msg='KDC policy rejects request') realm.run([kadminl, 'setstr', 'restricted', 'require_auth', 'indcl']) realm.run([kvno, 'restricted']) realm.kinit(realm.user_princ, password('user'), ['-X', 'indicators=ind1 ind2']) @@ -172,12 +170,21 @@ realm.run([kvno, 'restricted']) # Regression test for one manifestation of #8139: ensure that # forwarded TGTs obtained across a TGT re-key still work when the # preferred krbtgt enctype changes. +mark('#8139 regression test') realm.kinit(realm.user_princ, password('user'), ['-f']) realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'des3-cbc-sha1', realm.krbtgt_princ]) realm.run(['./forward']) realm.run([kvno, realm.host_princ]) +# Repeat the above test using a renewed TGT. +mark('#8139 regression test (renewed TGT)') +realm.kinit(realm.user_princ, password('user'), ['-r', '2d']) +realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes128-cts', + realm.krbtgt_princ]) +realm.kinit(realm.user_princ, None, ['-R']) +realm.run([kvno, realm.host_princ]) + realm.stop() realm2.stop() @@ -205,6 +212,7 @@ realm.extract_keytab('noauthdata', realm.keytab) realm.start_kdc() # S4U2Self (should have no indicators since client did not authenticate) +mark('S4U2Self (no auth indicators expected)') realm.kinit('service/1', None, ['-k', '-f', '-X', 'indicators=inds1']) realm.run([kvno, '-U', 'user', 'service/1']) out = realm.run(['./adata', '-p', realm.user_princ, 'service/1']) @@ -212,6 +220,7 @@ if '97:' in out: fail('auth-indicator present in S4U2Self response') # S4U2Proxy (indicators should come from evidence ticket, not TGT) +mark('S4U2Proxy (auth indicators from evidence ticket expected)') realm.kinit(realm.user_princ, None, ['-k', '-f', '-X', 'indicators=indcl', '-S', 'service/1', '-c', usercache]) realm.run(['./s4u2proxy', usercache, 'service/2']) @@ -221,29 +230,29 @@ if '+97: [indcl]' not in out or '[inds1]' in out: # Test that KDB module authdata is included in an AS request, by # default or with an explicit PAC request. +mark('AS-REQ KDB module authdata') realm.kinit(realm.user_princ, None, ['-k']) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '-456: db-authdata-test' not in out: - fail('DB authdata not seen in default AS request') +realm.run(['./adata', realm.krbtgt_princ], + expected_msg='-456: db-authdata-test') realm.kinit(realm.user_princ, None, ['-k', '--request-pac']) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '-456: db-authdata-test' not in out: - fail('DB authdata not seen with --request-pac') +realm.run(['./adata', realm.krbtgt_princ], + expected_msg='-456: db-authdata-test') # Test that KDB module authdata is suppressed in an AS request by a # negative PAC request. +mark('AS-REQ KDB module authdata client supression') realm.kinit(realm.user_princ, None, ['-k', '--no-request-pac']) out = realm.run(['./adata', realm.krbtgt_princ]) if '-456: db-authdata-test' in out: fail('DB authdata not suppressed by --no-request-pac') # Test that KDB authdata is included in a TGS request by default. -out = realm.run(['./adata', 'service/1']) -if '-456: db-authdata-test' not in out: - fail('DB authdata not seen in TGS request') +mark('TGS-REQ KDB authdata') +realm.run(['./adata', 'service/1'], expected_msg='-456: db-authdata-test') # Test that KDB authdata is suppressed in a TGS request by the # +no_auth_data_required flag. +mark('TGS-REQ KDB authdata service suppression') out = realm.run(['./adata', 'noauthdata']) if '-456: db-authdata-test' in out: fail('DB authdata not suppressed by +no_auth_data_required') diff --git a/src/tests/t_bogus_kdc_req.py b/src/tests/t_bogus_kdc_req.py index b6208ca..a101c0e 100755 --- a/src/tests/t_bogus_kdc_req.py +++ b/src/tests/t_bogus_kdc_req.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - import base64 import socket from k5test import * diff --git a/src/tests/t_ccache.py b/src/tests/t_ccache.py index 47d9631..fcf1a61 100755 --- a/src/tests/t_ccache.py +++ b/src/tests/t_ccache.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. @@ -34,18 +32,17 @@ if not test_keyring: skipped('keyring ccache tests', 'keyring support not built') # Test kdestroy and klist of a non-existent ccache. +mark('no ccache') realm.run([kdestroy]) -output = realm.run([klist], expected_code=1) -if 'No credentials cache found' not in output: - fail('Expected error message not seen in klist output') +realm.run([klist], expected_code=1, expected_msg='No credentials cache found') # Test kinit with an inaccessible ccache. -out = realm.run([kinit, '-c', 'testdir/xx/yy', realm.user_princ], - input=(password('user') + '\n'), expected_code=1) -if 'Failed to store credentials' not in out: - fail('Expected error message not seen in kinit output') +mark('inaccessible ccache') +realm.kinit(realm.user_princ, password('user'), flags=['-c', 'testdir/xx/yy'], + expected_code=1, expected_msg='Failed to store credentials') # Test klist -s with a single ccache. +mark('klist -s single ccache') realm.run([klist, '-s'], expected_code=1) realm.kinit(realm.user_princ, password('user')) realm.run([klist, '-s']) @@ -59,15 +56,17 @@ realm.run([klist, '-s'], expected_code=1) realm.addprinc('alice', password('alice')) realm.addprinc('bob', password('bob')) realm.addprinc('carol', password('carol')) +realm.addprinc('doug', password('doug')) def collection_test(realm, ccname): + cctype = ccname.partition(':')[0] + oldccname = realm.env['KRB5CCNAME'] realm.env['KRB5CCNAME'] = ccname + mark('%s collection, single cache' % cctype) realm.run([klist, '-A', '-s'], expected_code=1) realm.kinit('alice', password('alice')) - output = realm.run([klist]) - if 'Default principal: alice@' not in output: - fail('Initial kinit failed to get credentials for alice.') + realm.run([klist], expected_msg='Default principal: alice@') realm.run([klist, '-A', '-s']) realm.run([kdestroy]) output = realm.run([klist], expected_code=1) @@ -78,6 +77,7 @@ def collection_test(realm, ccname): fail('Initial kdestroy failed to empty cache collection.') realm.run([klist, '-A', '-s'], expected_code=1) + mark('%s collection, multiple caches' % cctype) realm.kinit('alice', password('alice')) realm.kinit('carol', password('carol')) output = realm.run([klist, '-l']) @@ -87,26 +87,38 @@ def collection_test(realm, ccname): output = realm.run([klist, '-l']) if '---\nalice@' not in output or output.count('\n') != 4: fail('klist -l did not show expected output after re-kinit for alice.') + realm.kinit('doug', password('doug')) realm.kinit('bob', password('bob')) - output = realm.run([klist, '-A']) + output = realm.run([klist, '-A', ccname]) if 'bob@' not in output.splitlines()[1] or 'alice@' not in output or \ - 'carol' not in output or output.count('Default principal:') != 3: - fail('klist -A did not show expected output after kinit for bob.') + 'carol@' not in output or 'doug@' not in output or \ + output.count('Default principal:') != 4: + fail('klist -A did not show expected output after kinit doug+bob.') realm.run([kswitch, '-p', 'carol']) output = realm.run([klist, '-l']) - if '---\ncarol@' not in output or output.count('\n') != 5: + if '---\ncarol@' not in output or output.count('\n') != 6: fail('klist -l did not show expected output after kswitch to carol.') - realm.run([kdestroy]) - output = realm.run([klist, '-l']) - if 'carol@' in output or 'bob@' not in output or output.count('\n') != 4: + + # Switch to specifying the collection name on the command line + # (only works with klist/kdestroy for now, not kinit/kswitch). + realm.env['KRB5CCNAME'] = oldccname + + mark('%s collection, command-line specifier' % cctype) + realm.run([kdestroy, '-c', ccname]) + output = realm.run([klist, '-l', ccname]) + if 'carol@' in output or 'bob@' not in output or output.count('\n') != 5: fail('kdestroy failed to remove only primary ccache.') - realm.run([klist, '-s'], expected_code=1) - realm.run([klist, '-A', '-s']) - realm.run([kdestroy, '-A']) - output = realm.run([klist, '-l'], expected_code=1) + realm.run([klist, '-s', ccname], expected_code=1) + realm.run([klist, '-A', '-s', ccname]) + realm.run([kdestroy, '-p', 'alice', '-c', ccname]) + output = realm.run([klist, '-l', ccname]) + if 'alice@' in output or 'bob@' not in output or output.count('\n') != 4: + fail('kdestroy -p failed to remove alice') + realm.run([kdestroy, '-A', '-c', ccname]) + output = realm.run([klist, '-l', ccname], expected_code=1) if not output.endswith('---\n') or output.count('\n') != 2: fail('kdestroy -a failed to empty cache collection.') - realm.run([klist, '-A', '-s'], expected_code=1) + realm.run([klist, '-A', '-s', ccname], expected_code=1) collection_test(realm, 'DIR:' + os.path.join(realm.testdir, 'cc')) @@ -127,41 +139,37 @@ if test_keyring: cleanup_keyring('@s', col_ringname) # Test legacy keyring cache linkage. + mark('legacy keyring cache linkage') realm.env['KRB5CCNAME'] = 'KEYRING:' + cname realm.run([kdestroy, '-A']) realm.kinit(realm.user_princ, password('user')) - out = realm.run([klist, '-l']) - if 'KEYRING:legacy:' + cname + ':' + cname not in out: - fail('Wrong initial primary name in keyring legacy collection') + msg = 'KEYRING:legacy:' + cname + ':' + cname + realm.run([klist, '-l'], expected_msg=msg) # Make sure this cache is linked to the session keyring. id = realm.run([keyctl, 'search', '@s', 'keyring', cname]) - out = realm.run([keyctl, 'list', id.strip()]) - if 'user: __krb5_princ__' not in out: - fail('Legacy cache not linked into session keyring') + realm.run([keyctl, 'list', id.strip()], + expected_msg='user: __krb5_princ__') # Remove the collection keyring. When the collection is # reinitialized, the legacy cache should reappear inside it # automatically as the primary cache. cleanup_keyring('@s', col_ringname) - out = realm.run([klist]) - if realm.user_princ not in out: - fail('Cannot see legacy cache after removing collection') + realm.run([klist], expected_msg=realm.user_princ) coll_id = realm.run([keyctl, 'search', '@s', 'keyring', '_krb_' + cname]) - out = realm.run([keyctl, 'list', coll_id.strip()]) - if (id.strip() + ':') not in out: - fail('Legacy cache did not reappear in collection after klist') + msg = id.strip() + ':' + realm.run([keyctl, 'list', coll_id.strip()], expected_msg=msg) # Destroy the cache and check that it is unlinked from the session keyring. realm.run([kdestroy]) realm.run([keyctl, 'search', '@s', 'keyring', cname], expected_code=1) cleanup_keyring('@s', col_ringname) # Test parameter expansion in default_ccache_name +mark('default_ccache_name parameter expansion') realm.stop() conf = {'libdefaults': {'default_ccache_name': 'testdir/%{null}abc%{uid}'}} realm = K5Realm(krb5_conf=conf, create_kdb=False) del realm.env['KRB5CCNAME'] uidstr = str(os.getuid()) -out = realm.run([klist], expected_code=1) -if 'testdir/abc%s' % uidstr not in out: - fail('Wrong ccache in klist') +msg = 'testdir/abc%s' % uidstr +realm.run([klist], expected_code=1, expected_msg=msg) success('Credential cache tests') diff --git a/src/tests/t_certauth.py b/src/tests/t_certauth.py new file mode 100644 index 0000000..9c70945 --- /dev/null +++ b/src/tests/t_certauth.py @@ -0,0 +1,46 @@ +from k5test import * + +# Skip this test if pkinit wasn't built. +if not os.path.exists(os.path.join(plugins, 'preauth', 'pkinit.so')): + skip_rest('certauth tests', 'PKINIT module not built') + +certs = os.path.join(srctop, 'tests', 'dejagnu', 'pkinit-certs') +ca_pem = os.path.join(certs, 'ca.pem') +kdc_pem = os.path.join(certs, 'kdc.pem') +privkey_pem = os.path.join(certs, 'privkey.pem') +user_pem = os.path.join(certs, 'user.pem') + +modpath = os.path.join(buildtop, 'plugins', 'certauth', 'test', + 'certauth_test.so') +pkinit_krb5_conf = {'realms': {'$realm': { + 'pkinit_anchors': 'FILE:%s' % ca_pem}}, + 'plugins': {'certauth': {'module': ['test1:' + modpath, + 'test2:' + modpath], + 'enable_only': ['test1', 'test2']}}} +pkinit_kdc_conf = {'realms': {'$realm': { + 'default_principal_flags': '+preauth', + 'pkinit_eku_checking': 'none', + 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem), + 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}} + +file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem) + +realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, + get_creds=False) + +# Let the test module match user to CN=user, with indicators. +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity]) +realm.klist(realm.user_princ) +realm.run([kvno, realm.host_princ]) +realm.run(['./adata', realm.host_princ], + expected_msg='+97: [test1, test2, user, indpkinit1, indpkinit2]') + +# Let the test module mismatch with user2 to CN=user. +realm.addprinc("user2@KRBTEST.COM") +out = realm.kinit("user2@KRBTEST.COM", + flags=['-X', 'X509_user_identity=%s' % file_identity], + expected_code=1, + expected_msg='kinit: Certificate mismatch') + +success("certauth tests") diff --git a/src/tests/t_changepw.py b/src/tests/t_changepw.py index 37fe4fc..211cda6 100755 --- a/src/tests/t_changepw.py +++ b/src/tests/t_changepw.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # This file is intended to cover any password-changing mechanism. For diff --git a/src/tests/t_crossrealm.py b/src/tests/t_crossrealm.py index 0d967b8..73259c3 100755 --- a/src/tests/t_crossrealm.py +++ b/src/tests/t_crossrealm.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -25,9 +23,7 @@ from k5test import * def test_kvno(r, princ, test, env=None): - output = r.run([kvno, princ], env=env) - if princ not in output: - fail('%s: principal %s not in kvno output' % (test, princ)) + r.run([kvno, princ], env=env, expected_msg=princ) def stop(*realms): @@ -35,20 +31,52 @@ def stop(*realms): r.stop() +# Verify that the princs appear as the service principals in the klist +# output for the realm r, in order. +def check_klist(r, princs): + out = r.run([klist]) + count = 0 + seen_header = False + for l in out.split('\n'): + if l.startswith('Valid starting'): + seen_header = True + continue + if not seen_header or l == '': + continue + if count >= len(princs): + fail('too many entries in klist output') + svcprinc = l.split()[4] + if svcprinc != princs[count]: + fail('saw service princ %s in klist output, expected %s' % + (svcprinc, princs[count])) + count += 1 + if count != len(princs): + fail('not enough entries in klist output') + + +def tgt(r1, r2): + return 'krbtgt/%s@%s' % (r1.realm, r2.realm) + + # Basic two-realm test with cross TGTs in both directions. +mark('two realms') r1, r2 = cross_realms(2) test_kvno(r1, r2.host_princ, 'basic r1->r2') +check_klist(r1, (tgt(r1, r1), tgt(r2, r1), r2.host_princ)) test_kvno(r2, r1.host_princ, 'basic r2->r1') +check_klist(r2, (tgt(r2, r2), tgt(r1, r2), r1.host_princ)) stop(r1, r2) # Test the KDC domain walk for hierarchically arranged realms. The # client in A.X will ask for a cross TGT to B.X, but A.X's KDC only # has a TGT for the intermediate realm X, so it will return that # instead. The client will use that to get a TGT for B.X. +mark('hierarchical realms') r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), args=({'realm': 'A.X'}, {'realm': 'X'}, {'realm': 'B.X'})) test_kvno(r1, r3.host_princ, 'KDC domain walk') +check_klist(r1, (tgt(r1, r1), r3.host_princ)) stop(r1, r2, r3) # Test client capaths. The client in A will ask for a cross TGT to D, @@ -56,6 +84,7 @@ stop(r1, r2, r3) # The client will walk its A->D capaths to get TGTs for B, then C, # then D. The KDCs for C and D need capaths settings to avoid failing # transited checks, including a capaths for A->C. +mark('client capaths') capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}}} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), args=({'realm': 'A'}, @@ -64,11 +93,14 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), {'realm': 'D', 'krb5_conf': capaths})) r1client = r1.special_env('client', False, krb5_conf=capaths) test_kvno(r1, r4.host_princ, 'client capaths', r1client) +check_klist(r1, (tgt(r1, r1), tgt(r2, r1), tgt(r3, r2), tgt(r4, r3), + r4.host_princ)) stop(r1, r2, r3, r4) # Test KDC capaths. The KDCs for A and B have appropriate capaths # settings to determine intermediate TGTs to return, but the client # has no idea. +mark('kdc capaths') capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), args=({'realm': 'A', 'krb5_conf': capaths}, @@ -76,32 +108,46 @@ r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), {'realm': 'C', 'krb5_conf': capaths}, {'realm': 'D', 'krb5_conf': capaths})) test_kvno(r1, r4.host_princ, 'KDC capaths') +check_klist(r1, (tgt(r1, r1), tgt(r4, r3), r4.host_princ)) stop(r1, r2, r3, r4) +# A capaths value of '.' should enforce direct cross-realm, with no +# intermediate. +mark('direct cross-realm enforcement') +capaths = {'capaths': {'A.X': {'B.X': '.'}}} +r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), + args=({'realm': 'A.X', 'krb5_conf': capaths}, + {'realm': 'X'}, {'realm': 'B.X'})) +r1.run([kvno, r3.host_princ], expected_code=1, + expected_msg='Server krbtgt/B.X@A.X not found in Kerberos database') +stop(r1, r2, r3) + # Test transited error. The KDC for C does not recognize B as an # intermediate realm for A->C, so it refuses to issue a service # ticket. +mark('transited error (three realms)') capaths = {'capaths': {'A': {'C': 'B'}}} r1, r2, r3 = cross_realms(3, xtgts=((0,1), (1,2)), args=({'realm': 'A', 'krb5_conf': capaths}, {'realm': 'B'}, {'realm': 'C'})) -output = r1.run([kvno, r3.host_princ], expected_code=1) -if 'KDC policy rejects request' not in output: - fail('transited 1: Expected error message not in output') +r1.run([kvno, r3.host_princ], expected_code=1, + expected_msg='KDC policy rejects request') +check_klist(r1, (tgt(r1, r1), tgt(r3, r2))) stop(r1, r2, r3) # Test a different kind of transited error. The KDC for D does not # recognize B as an intermediate realm for A->C, so it refuses to # verify the krbtgt/C@B ticket in the TGS AP-REQ. +mark('transited error (four realms)') capaths = {'capaths': {'A': {'D': ['B', 'C'], 'C': 'B'}, 'B': {'D': 'C'}}} r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)), args=({'realm': 'A', 'krb5_conf': capaths}, {'realm': 'B', 'krb5_conf': capaths}, {'realm': 'C', 'krb5_conf': capaths}, {'realm': 'D'})) -output = r1.run([kvno, r4.host_princ], expected_code=1) -if 'Illegal cross-realm ticket' not in output: - fail('transited 2: Expected error message not in output') +r1.run([kvno, r4.host_princ], expected_code=1, + expected_msg='Illegal cross-realm ticket') +check_klist(r1, (tgt(r1, r1), tgt(r4, r3))) stop(r1, r2, r3, r4) success('Cross-realm tests') diff --git a/src/tests/t_cve-2012-1014.py b/src/tests/t_cve-2012-1014.py index e02162d..8447e0e 100755 --- a/src/tests/t_cve-2012-1014.py +++ b/src/tests/t_cve-2012-1014.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - import base64 import socket from k5test import * @@ -22,7 +20,7 @@ x2 = base64.b16decode('A44F304DA007030500FEDCBA90A10E30' + '01') for x in range(11, 128): - s.sendto(''.join([x1, chr(x), x2]), a) + s.sendto(x1 + bytes([x]) + x2, a) # Make sure kinit still works. diff --git a/src/tests/t_cve-2012-1015.py b/src/tests/t_cve-2012-1015.py index e00c4dc..ae5678c 100755 --- a/src/tests/t_cve-2012-1015.py +++ b/src/tests/t_cve-2012-1015.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - import base64 import socket from k5test import * @@ -29,7 +27,7 @@ x1 = base64.b16decode('6A81A030819DA103020105A20302010A' + x2 = base64.b16decode('A8083006020106020112') for x in range(0, 128): - s.sendto(''.join([x1, chr(x), x2]), a) + s.sendto(x1 + bytes([x]) + x2, a) # Make sure kinit still works. diff --git a/src/tests/t_cve-2013-1416.py b/src/tests/t_cve-2013-1416.py index 94fb6d5..8c4391a 100755 --- a/src/tests/t_cve-2013-1416.py +++ b/src/tests/t_cve-2013-1416.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - from k5test import * realm = K5Realm() diff --git a/src/tests/t_cve-2013-1417.py b/src/tests/t_cve-2013-1417.py index c26930a..ce47d21 100755 --- a/src/tests/t_cve-2013-1417.py +++ b/src/tests/t_cve-2013-1417.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - from k5test import * realm = K5Realm(realm='TEST') diff --git a/src/tests/t_dump.py b/src/tests/t_dump.py index 5d3a437..d803d56 100755 --- a/src/tests/t_dump.py +++ b/src/tests/t_dump.py @@ -1,110 +1,102 @@ -#!/usr/bin/python from k5test import * from filecmp import cmp -# Make sure we can dump and load an ordinary database, and that -# principals and policies survive a dump/load cycle. - -realm = K5Realm(start_kdc=False) -realm.run([kadminl, 'addpol', 'fred']) - -# Create a dump file. -dumpfile = os.path.join(realm.testdir, 'dump') -realm.run([kdb5_util, 'dump', dumpfile]) - -# Write additional policy records to the dump. Use the 1.8 format for -# one of them, to test retroactive compatibility (for issue #8213). -f = open('testdir/dump', 'a') -f.write('policy compat 0 0 3 4 5 0 ' - '0 0 0\n') -f.write('policy barney 0 0 1 1 1 0 ' - '0 0 0 0 0 0 - 1 ' - '2 28 ' - 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00\n') -f.close() - -# Destroy and load the database; check that the policies exist. -# Spot-check principal and policy fields. -realm.run([kdb5_util, 'destroy', '-f']) -realm.run([kdb5_util, 'load', dumpfile]) -out = realm.run([kadminl, 'getprincs']) -if realm.user_princ not in out or realm.host_princ not in out: - fail('Missing principal after load') -out = realm.run([kadminl, 'getprinc', realm.user_princ]) -if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out: - fail('Principal has wrong value after load') -out = realm.run([kadminl, 'getpols']) -if 'fred\n' not in out or 'barney\n' not in out: - fail('Missing policy after load') -out = realm.run([kadminl, 'getpol', 'compat']) -if 'Number of old keys kept: 5' not in out: - fail('Policy (1.8 format) has wrong value after load') -out = realm.run([kadminl, 'getpol', 'barney']) -if 'Number of old keys kept: 1' not in out: - fail('Policy has wrong value after load') - -# Dump/load again, and make sure everything is still there. -realm.run([kdb5_util, 'dump', dumpfile]) -realm.run([kdb5_util, 'load', dumpfile]) -out = realm.run([kadminl, 'getprincs']) -if realm.user_princ not in out or realm.host_princ not in out: - fail('Missing principal after load') -out = realm.run([kadminl, 'getpols']) -if 'compat\n' not in out or 'fred\n' not in out or 'barney\n' not in out: - fail('Missing policy after second load') - -srcdumpdir = os.path.join(srctop, 'tests', 'dumpfiles') -srcdump = os.path.join(srcdumpdir, 'dump') -srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18') -srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13') -srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7') -srcdump_ov = os.path.join(srcdumpdir, 'dump.ov') - -# Load a dump file from the source directory. -realm.run([kdb5_util, 'destroy', '-f']) -realm.run([kdb5_util, 'load', srcdump]) -realm.run([kdb5_util, 'stash', '-P', 'master']) - def dump_compare(realm, opt, srcfile): + mark('dump comparison against %s' % os.path.basename(srcfile)) realm.run([kdb5_util, 'dump'] + opt + [dumpfile]) if not cmp(srcfile, dumpfile, False): fail('Dump output does not match %s' % srcfile) -# Dump the resulting DB in each non-iprop format and compare with -# expected outputs. -dump_compare(realm, [], srcdump) -dump_compare(realm, ['-r18'], srcdump_r18) -dump_compare(realm, ['-r13'], srcdump_r13) -dump_compare(realm, ['-b7'], srcdump_b7) -dump_compare(realm, ['-ov'], srcdump_ov) def load_dump_check_compare(realm, opt, srcfile): + mark('load check from %s' % os.path.basename(srcfile)) realm.run([kdb5_util, 'destroy', '-f']) realm.run([kdb5_util, 'load'] + opt + [srcfile]) + realm.run([kadminl, 'getprincs'], expected_msg='user@') + realm.run([kadminl, 'getprinc', 'nokeys'], + expected_msg='Number of keys: 0') + realm.run([kadminl, 'getpols'], expected_msg='testpol') + dump_compare(realm, opt, srcfile) + + +for realm in multidb_realms(start_kdc=False): + + # Make sure we can dump and load an ordinary database, and that + # principals and policies survive a dump/load cycle. + + realm.run([kadminl, 'addpol', 'fred']) + + # Create a dump file. + dumpfile = os.path.join(realm.testdir, 'dump') + realm.run([kdb5_util, 'dump', dumpfile]) + + # Write additional policy records to the dump. Use the 1.8 format for + # one of them, to test retroactive compatibility (for issue #8213). + f = open('testdir/dump', 'a') + f.write('policy\tcompat\t0\t0\t3\t4\t5\t0\t0\t0\t0\n') + f.write('policy\tbarney\t0\t0\t1\t1\t1\t0\t0\t0\t0\t0\t0\t0\t-\t1\t2\t28\t' + 'fd100f5064625f6372656174696f6e404b5242544553542e434f4d00\n') + f.close() + + # Destroy and load the database; check that the policies exist. + # Spot-check principal and policy fields. + mark('reload after dump') + realm.run([kdb5_util, 'destroy', '-f']) + realm.run([kdb5_util, 'load', dumpfile]) out = realm.run([kadminl, 'getprincs']) - if 'user@' not in out: - fail('Loaded dumpfile missing user principal') - out = realm.run([kadminl, 'getprinc', 'nokeys']) - if 'Number of keys: 0' not in out: - fail('Loading dumpfile did not process zero-key principal') + if realm.user_princ not in out or realm.host_princ not in out: + fail('Missing principal after load') + out = realm.run([kadminl, 'getprinc', realm.user_princ]) + if 'Expiration date: [never]' not in out or 'MKey: vno 1' not in out: + fail('Principal has wrong value after load') out = realm.run([kadminl, 'getpols']) - if 'testpol' not in out: - fail('Loaded dumpfile missing test policy') - dump_compare(realm, opt, srcfile) + if 'fred\n' not in out or 'barney\n' not in out: + fail('Missing policy after load') + realm.run([kadminl, 'getpol', 'compat'], + expected_msg='Number of old keys kept: 5') + realm.run([kadminl, 'getpol', 'barney'], + expected_msg='Number of old keys kept: 1') + + # Dump/load again, and make sure everything is still there. + mark('second reload') + realm.run([kdb5_util, 'dump', dumpfile]) + realm.run([kdb5_util, 'load', dumpfile]) + out = realm.run([kadminl, 'getprincs']) + if realm.user_princ not in out or realm.host_princ not in out: + fail('Missing principal after load') + out = realm.run([kadminl, 'getpols']) + if 'compat\n' not in out or 'fred\n' not in out or 'barney\n' not in out: + fail('Missing policy after second load') + + srcdumpdir = os.path.join(srctop, 'tests', 'dumpfiles') + srcdump = os.path.join(srcdumpdir, 'dump') + srcdump_r18 = os.path.join(srcdumpdir, 'dump.r18') + srcdump_r13 = os.path.join(srcdumpdir, 'dump.r13') + srcdump_b7 = os.path.join(srcdumpdir, 'dump.b7') + srcdump_ov = os.path.join(srcdumpdir, 'dump.ov') + + # Load a dump file from the source directory. + realm.run([kdb5_util, 'destroy', '-f']) + realm.run([kdb5_util, 'load', srcdump]) + realm.run([kdb5_util, 'stash', '-P', 'master']) + + # Dump the resulting DB in each non-iprop format and compare with + # expected outputs. + dump_compare(realm, [], srcdump) + dump_compare(realm, ['-r18'], srcdump_r18) + dump_compare(realm, ['-r13'], srcdump_r13) + dump_compare(realm, ['-b7'], srcdump_b7) + dump_compare(realm, ['-ov'], srcdump_ov) + + # Load each format of dump, check it, re-dump it, and compare. + load_dump_check_compare(realm, ['-r18'], srcdump_r18) + load_dump_check_compare(realm, ['-r13'], srcdump_r13) + load_dump_check_compare(realm, ['-b7'], srcdump_b7) -# Load each format of dump, check it, re-dump it, and compare. -load_dump_check_compare(realm, ['-r18'], srcdump_r18) -load_dump_check_compare(realm, ['-r13'], srcdump_r13) -load_dump_check_compare(realm, ['-b7'], srcdump_b7) - -# Loading the last (-b7 format) dump won't have loaded the -# per-principal kadm data. Load that incrementally with -ov. -out = realm.run([kadminl, 'getprinc', 'user']) -if 'Policy: [none]' not in out: - fail('Loaded b7 dump unexpectedly contains user policy reference') -realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov]) -out = realm.run([kadminl, 'getprinc', 'user']) -if 'Policy: testpol' not in out: - fail('Loading ov dump did not add user policy reference') + # Loading the last (-b7 format) dump won't have loaded the + # per-principal kadm data. Load that incrementally with -ov. + realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: [none]') + realm.run([kdb5_util, 'load', '-update', '-ov', srcdump_ov]) + realm.run([kadminl, 'getprinc', 'user'], expected_msg='Policy: testpol') success('Dump/load tests') diff --git a/src/tests/t_errmsg.py b/src/tests/t_errmsg.py index c9ae663..4aacf4e 100755 --- a/src/tests/t_errmsg.py +++ b/src/tests/t_errmsg.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_kdb=False) diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py index b2eb0f7..2026e78 100644 --- a/src/tests/t_etype_info.py +++ b/src/tests/t_etype_info.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac des-cbc-crc:afs3' @@ -16,6 +15,7 @@ realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser']) # Run the test harness for the given principal and request enctype # list. Compare the output to the expected lines, ignoring order. def test_etinfo(princ, enctypes, expected_lines): + mark('etinfo test: %s %s' % (princ.partition('@')[0], enctypes)) lines = realm.run(['./etinfo', princ, enctypes]).splitlines() if sorted(lines) != sorted(expected_lines): fail('Unexpected output for princ %s, etypes %s' % (princ, enctypes)) @@ -75,6 +75,7 @@ test_etinfo('nokeyuser', 'des3', []) # Verify that etype-info2 is included in a MORE_PREAUTH_DATA_REQUIRED # error if the client does optimistic preauth. +mark('MORE_PREAUTH_DATA_REQUIRED test') realm.stop() testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so') conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth}, diff --git a/src/tests/t_general.py b/src/tests/t_general.py index 6d523fe..043f751 100755 --- a/src/tests/t_general.py +++ b/src/tests/t_general.py @@ -1,18 +1,19 @@ -#!/usr/bin/python from k5test import * for realm in multipass_realms(create_host=False): # Check that kinit fails appropriately with the wrong password. - output = realm.run([kinit, realm.user_princ], input='wrong\n', - expected_code=1) - if 'Password incorrect while getting initial credentials' not in output: - fail('Expected error message not seen in kinit output') + mark('kinit wrong password failure') + msg = 'Password incorrect while getting initial credentials' + realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1, + expected_msg=msg) # Check that we can kinit as a different principal. + mark('kinit with specified principal') realm.kinit(realm.admin_princ, password('admin')) realm.klist(realm.admin_princ) # Test FAST kinit. + mark('FAST kinit') fastpw = password('fast') realm.run([kadminl, 'ank', '-pw', fastpw, '+requires_preauth', 'user/fast']) @@ -26,42 +27,38 @@ for realm in multipass_realms(create_host=False): # Test that we can get initial creds with an empty password via the # API. We have to disable the "empty" pwqual module to create a # principal with an empty password. (Regression test for #7642.) +mark('initial creds with empty password') conf={'plugins': {'pwqual': {'disable': 'empty'}}} realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf) realm.run([kadminl, 'addprinc', '-pw', '', 'user']) realm.run(['./icred', 'user', '']) +realm.run(['./icred', '-s', 'user', '']) realm.stop() realm = K5Realm(create_host=False) # Regression test for #8454 (responder callback isn't used when # preauth is not required). +mark('#8454 regression test') realm.run(['./responder', '-r', 'password=%s' % password('user'), realm.user_princ]) # Test that WRONG_REALM responses aren't treated as referrals unless # they contain a crealm field pointing to a different realm. # (Regression test for #8060.) -out = realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1) -if 'not found in Kerberos database' not in out: - fail('Expected error message not seen in kinit -C output') +mark('#8060 regression test') +realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1, + expected_msg='not found in Kerberos database') # Spot-check KRB5_TRACE output -tracefile = os.path.join(realm.testdir, 'trace') -realm.run(['env', 'KRB5_TRACE=' + tracefile, kinit, realm.user_princ], - input=(password('user') + "\n")) -f = open(tracefile, 'r') -trace = f.read() -f.close() -expected = ('Sending initial UDP request', - 'Received answer', - 'Selected etype info', - 'AS key obtained', - 'Decrypted AS reply', - 'FAST negotiation: available', - 'Storing user@KRBTEST.COM') -for e in expected: - if e not in trace: - fail('Expected output not in kinit trace log') +mark('KRB5_TRACE spot check') +expected_trace = ('Sending initial UDP request', + 'Received answer', + 'Selected etype info', + 'AS key obtained', + 'Decrypted AS reply', + 'FAST negotiation: available', + 'Storing user@KRBTEST.COM') +realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace) success('FAST kinit, trace logging') diff --git a/src/tests/t_hooks.py b/src/tests/t_hooks.py index 58dff3a..4fd3822 100755 --- a/src/tests/t_hooks.py +++ b/src/tests/t_hooks.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Test that KDC send and recv hooks work correctly. diff --git a/src/tests/t_hostrealm.py b/src/tests/t_hostrealm.py index 76b282d..7cec3b8 100755 --- a/src/tests/t_hostrealm.py +++ b/src/tests/t_hostrealm.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * plugin = os.path.join(buildtop, "plugins", "hostrealm", "test", @@ -20,9 +19,8 @@ def test(realm, args, expected_realms, msg, env=None): fail(msg) def test_error(realm, args, expected_error, msg, env=None): - out = realm.run(['./hrealm'] + args, env=env, expected_code=1) - if expected_error not in out: - fail(msg) + realm.run(['./hrealm'] + args, env=env, expected_code=1, + expected_msg=expected_error) def testh(realm, host, expected_realms, msg, env=None): test(realm, ['-h', host], expected_realms, msg, env=env) @@ -43,6 +41,7 @@ def testd_error(realm, expected_error, msg, env=None): # The test2 module returns a fatal error on hosts beginning with 'z', # and an answer on hosts begining with 'a'. +mark('test2 module') testh_error(realm, 'zoo', 'service not available', 'host_realm test2 z') testh(realm, 'abacus', ['a'], 'host_realm test2 a') @@ -50,6 +49,7 @@ testh(realm, 'abacus', ['a'], 'host_realm test2 a') # 'X', due to [domain_realms]. There is also an entry for hostnames # ending in '1', but hostnames which appear to be IP or IPv6 addresses # should instead fall through to test1. +mark('profile module') testh(realm, 'x', ['MATCH'], 'host_realm profile x') testh(realm, '.x', ['DOTMATCH'], 'host_realm profile .x') testh(realm, 'b.x', ['DOTMATCH'], 'host_realm profile b.x') @@ -61,9 +61,11 @@ testh(realm, 'b:c.x', ['b:c', 'x'], 'host_realm profile b:c.x') testh(realm, 'X.', ['MATCH'], 'host_realm profile X.') # The test1 module returns a list of the hostname components. +mark('test1 module') testh(realm, 'b.c.d', ['b', 'c', 'd'], 'host_realm test1') # If no module returns a result, we should get the referral realm. +mark('no result') testh(realm, '', [''], 'host_realm referral realm') ### @@ -77,10 +79,12 @@ def try_env(realm, testname, n): # The domain module will answer with the uppercased parent domain, # with no special configuration. +mark('fallback: domain module') testf(realm, 'a.b.c', ['B.C'], 'fallback_realm domain a.b.c') # With realm_try_domains = 0, the hostname itself will be looked up as # a realm and returned if found. +mark('fallback: realm_try_domains = 0') try0 = try_env(realm, 'try0', 0) testf(realm, 'krbtest.com', ['KRBTEST.COM'], 'fallback_realm try0', env=try0) testf(realm, 'a.b.krbtest.com', ['B.KRBTEST.COM'], @@ -89,6 +93,7 @@ testf(realm, 'a.b.c', ['B.C'], 'fallback_realm try0 nomatch', env=try0) # With realm_try_domains = 2, the parent and grandparent will be # checked as well, but it stops there. +mark('fallback: realm_try_domains = 2') try2 = try_env(realm, 'try2', 2) testf(realm, 'krbtest.com', ['KRBTEST.COM'], 'fallback_realm try2', env=try2) testf(realm, 'a.b.krbtest.com', ['KRBTEST.COM'], @@ -98,10 +103,12 @@ testf(realm, 'a.b.c.krbtest.com', ['B.C.KRBTEST.COM'], # The test1 module answers with a list of components. Use an IPv4 # address to bypass the domain module. +mark('fallback: test1 module') testf(realm, '1.2.3.4', ['1', '2', '3', '4'], 'fallback_realm test1') # If no module answers, the default realm is returned. The test2 # module returns an error when we try to look that up. +mark('fallback: default realm') testf_error(realm, '', 'service not available', 'fallback_realm default') ### @@ -109,10 +116,12 @@ testf_error(realm, '', 'service not available', 'fallback_realm default') ### # The test2 module returns an error. +mark('default_realm: test2 module') testd_error(realm, 'service not available', 'default_realm test2') # The profile module returns the default realm from the profile. # Disable test2 to expose this behavior. +mark('default_realm: profile module') disable_conf = {'plugins': {'hostrealm': {'disable': 'test2'}}} notest2 = realm.special_env('notest2', False, krb5_conf=disable_conf) testd(realm, 'KRBTEST.COM', 'default_realm profile', env=notest2) @@ -120,8 +129,11 @@ testd(realm, 'KRBTEST.COM', 'default_realm profile', env=notest2) # The test1 module returns a list of two realms, of which we can only # see the first. Remove the profile default_realm setting to expose # this behavior. +mark('default_realm: test1 module') remove_default = {'libdefaults': {'default_realm': None}} -nodefault_conf = dict(disable_conf.items() + remove_default.items()) +# Python 3.5+: nodefault_conf = {**disable_conf, **remove_default} +nodefault_conf = dict(list(disable_conf.items()) + + list(remove_default.items())) nodefault = realm.special_env('nodefault', False, krb5_conf=nodefault_conf) testd(realm, 'one', 'default_realm test1', env=nodefault) diff --git a/src/tests/t_iprop.py b/src/tests/t_iprop.py index e64fdd2..46cb075 100755 --- a/src/tests/t_iprop.py +++ b/src/tests/t_iprop.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - import os import re @@ -109,366 +107,376 @@ def check_ulog(num, first, last, entries, env=None): if eprinc != None: fail('Expected princ %s in update entry %d' % (eprinc, ser)) -# slave1 will receive updates from master, and slave2 will receive -# updates from slave1. Because of the awkward way iprop and kprop +# replica1 will receive updates from master, and replica2 will receive +# updates from replica1. Because of the awkward way iprop and kprop # port configuration currently works, we need separate config files -# for the slave and master sides of slave1, but they use the same DB -# and ulog file. +# for the replica and master sides of replica1, but they use the same +# DB and ulog file. conf = {'realms': {'$realm': {'iprop_enable': 'true', 'iprop_logfile': '$testdir/db.ulog'}}} -conf_slave1 = {'realms': {'$realm': {'iprop_slave_poll': '600', - 'iprop_logfile': '$testdir/ulog.slave1'}}, - 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} -conf_slave1m = {'realms': {'$realm': {'iprop_logfile': '$testdir/ulog.slave1', - 'iprop_port': '$port8'}}, - 'dbmodules': {'db': {'database_name': '$testdir/db.slave1'}}} -conf_slave2 = {'realms': {'$realm': {'iprop_slave_poll': '600', - 'iprop_logfile': '$testdir/ulog.slave2', - 'iprop_port': '$port8'}}, - 'dbmodules': {'db': {'database_name': '$testdir/db.slave2'}}} +conf_rep1 = {'realms': {'$realm': {'iprop_replica_poll': '600', + 'iprop_logfile': '$testdir/ulog.replica1'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.replica1'}}} +conf_rep1m = {'realms': {'$realm': {'iprop_logfile': '$testdir/ulog.replica1', + 'iprop_port': '$port8'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.replica1'}}} +conf_rep2 = {'realms': {'$realm': {'iprop_replica_poll': '600', + 'iprop_logfile': '$testdir/ulog.replica2', + 'iprop_port': '$port8'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.replica2'}}} conf_foo = {'libdefaults': {'default_realm': 'FOO'}, 'domain_realm': {hostname: 'FOO'}} - -realm = K5Realm(kdc_conf=conf, create_user=False, start_kadmind=True) -slave1 = realm.special_env('slave1', True, kdc_conf=conf_slave1) -slave1m = realm.special_env('slave1m', True, krb5_conf=conf_foo, - kdc_conf=conf_slave1m) -slave2 = realm.special_env('slave2', True, kdc_conf=conf_slave2) - -# A default_realm and domain_realm that do not match the KDC's realm. -# The FOO realm iprop_logfile setting is needed to run kproplog during -# a slave3 test, since kproplog has no realm option. -conf_slave3 = {'realms': {'$realm': {'iprop_slave_poll': '600', - 'iprop_logfile': '$testdir/ulog.slave3', - 'iprop_port': '$port8'}, - 'FOO': {'iprop_logfile': '$testdir/ulog.slave3'}}, - 'dbmodules': {'db': {'database_name': '$testdir/db.slave3'}}} -slave3 = realm.special_env('slave3', True, krb5_conf=conf_foo, - kdc_conf=conf_slave3) - -# A default realm and a domain realm map that differ. -krb5_conf_slave4 = {'domain_realm': {hostname: 'FOO'}} -conf_slave4 = {'realms': {'$realm': {'iprop_slave_poll': '600', - 'iprop_logfile': '$testdir/ulog.slave4', - 'iprop_port': '$port8'}}, - 'dbmodules': {'db': {'database_name': '$testdir/db.slave4'}}} -slave4 = realm.special_env('slave4', True, krb5_conf=krb5_conf_slave4, - kdc_conf=conf_slave4) - -# Define some principal names. pr3 is long enough to cause internal -# reallocs, but not long enough to grow the basic ulog entry size. -pr1 = 'wakawaka@' + realm.realm -pr2 = 'w@' + realm.realm -c = 'chocolate-flavored-school-bus' -cs = c + '/' -pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c + - '@' + realm.realm) - -# Create the kpropd ACL file. -acl_file = os.path.join(realm.testdir, 'kpropd-acl') -acl = open(acl_file, 'w') -acl.write(realm.host_princ + '\n') -acl.close() - -ulog = os.path.join(realm.testdir, 'db.ulog') -if not os.path.exists(ulog): - fail('update log not created: ' + ulog) - -# Create the principal used to authenticate kpropd to kadmind. -kiprop_princ = 'kiprop/' + hostname -realm.extract_keytab(kiprop_princ, realm.keytab) - -# Create the initial slave databases. -dumpfile = os.path.join(realm.testdir, 'dump') -realm.run([kdb5_util, 'dump', dumpfile]) -realm.run([kdb5_util, 'load', dumpfile], slave1) -realm.run([kdb5_util, 'load', dumpfile], slave2) -realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], slave3) -realm.run([kdb5_util, 'load', dumpfile], slave4) - -# Reinitialize the master ulog so we know exactly what to expect in -# it. -realm.run([kproplog, '-R']) -check_ulog(1, 1, 1, [None]) - -# Make some changes to the master DB. -realm.addprinc(pr1) -realm.addprinc(pr3) -realm.addprinc(pr2) -realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) -realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) -check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2]) - -# Start kpropd for slave1 and get a full dump from master. -kpropd1 = realm.start_kpropd(slave1, ['-d']) -wait_for_prop(kpropd1, True, 1, 6) -out = realm.run([kadminl, 'listprincs'], env=slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave1 does not have all principals from master') -check_ulog(1, 6, 6, [None], slave1) - -# Make a change and check that it propagates incrementally. -realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) -check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 6, 7) -check_ulog(2, 6, 7, [None, pr2], slave1) -out = realm.run([kadminl, 'getprinc', pr2], env=slave1) -if 'Attributes: DISALLOW_ALL_TIX' not in out: - fail('slave1 does not have modification from master') - -# Start kadmind -proponly for slave1. (Use the slave1m environment -# which defines iprop_port to $port8.) -slave1_out_dump_path = os.path.join(realm.testdir, 'dump.slave1.out') -slave2_in_dump_path = os.path.join(realm.testdir, 'dump.slave2.in') -slave2_kprop_port = str(realm.portbase + 9) -realm.start_server([kadmind, '-r', realm.realm, '-nofork', '-proponly', '-W', - '-p', kdb5_util, '-K', kprop, '-k', slave2_kprop_port, - '-F', slave1_out_dump_path], 'starting...', slave1m) - -# Test similar default_realm and domain_realm map settings with -r realm. -slave3_in_dump_path = os.path.join(realm.testdir, 'dump.slave3.in') -kpropd3 = realm.start_server([kpropd, '-d', '-D', '-r', realm.realm, '-P', - slave2_kprop_port, '-f', slave3_in_dump_path, - '-p', kdb5_util, '-a', acl_file, '-A', hostname], - 'ready', slave3) -wait_for_prop(kpropd3, True, 1, 7) -out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], env=slave3) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave3 does not have all principals from slave1') -check_ulog(1, 7, 7, [None], env=slave3) - -# Test an incremental propagation for the kpropd -r case. -realm.run([kadminl, 'modprinc', '-maxlife', '20 minutes', pr1]) -check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 7, 8) -check_ulog(3, 6, 8, [None, pr2, pr1], slave1) -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum ticket life: 0 days 00:20:00' not in out: - fail('slave1 does not have modification from master') -kpropd3.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd3, False, 7, 8) -check_ulog(2, 7, 8, [None, pr1], slave3) -out = realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=slave3) -if 'Maximum ticket life: 0 days 00:20:00' not in out: - fail('slave3 does not have modification from slave1') -stop_daemon(kpropd3) - -# Test dissimilar default_realm and domain_realm map settings (no -r realm). -slave4_in_dump_path = os.path.join(realm.testdir, 'dump.slave4.in') -kpropd4 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, - '-f', slave4_in_dump_path, '-p', kdb5_util, - '-a', acl_file, '-A', hostname], 'ready', slave4) -wait_for_prop(kpropd4, True, 1, 8) -out = realm.run([kadminl, 'listprincs'], env=slave4) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave4 does not have all principals from slave1') -stop_daemon(kpropd4) - -# Start kpropd for slave2. The -A option isn't needed since we're -# talking to the same host as master (we specify it anyway to exercise -# the code), but slave2 defines iprop_port to $port8 so it will talk -# to slave1. Get a full dump from slave1. -kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', slave2_kprop_port, - '-f', slave2_in_dump_path, '-p', kdb5_util, - '-a', acl_file, '-A', hostname], 'ready', slave2) -wait_for_prop(kpropd2, True, 1, 8) -check_ulog(2, 7, 8, [None, pr1], slave2) -out = realm.run([kadminl, 'listprincs'], env=slave1) -if pr1 not in out or pr2 not in out or pr3 not in out: - fail('slave2 does not have all principals from slave1') - -# Make another change and check that it propagates incrementally to -# both slaves. -realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1]) -check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 8, 9) -check_ulog(4, 6, 9, [None, pr2, pr1, pr1], slave1) -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 8, 9) -check_ulog(3, 7, 9, [None, pr1, pr1], slave2) -out = realm.run([kadminl, 'getprinc', pr1], env=slave2) -if 'Maximum renewable life: 0 days 22:00:00\n' not in out: - fail('slave2 does not have modification from slave1') - -# Reset the ulog on slave1 to force a full resync from master. The -# resync will use the old dump file and then propagate changes. -# slave2 should still be in sync with slave1 after the resync, so make -# sure it doesn't take a full resync. -realm.run([kproplog, '-R'], slave1) -check_ulog(1, 1, 1, [None], slave1) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, True, 1, 9) -check_ulog(4, 6, 9, [None, pr2, pr1, pr1], slave1) -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 9, 9) -check_ulog(3, 7, 9, [None, pr1, pr1], slave2) - -# Make another change and check that it propagates incrementally to -# both slaves. -realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) -check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 9, 10) -check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], slave1) -out = realm.run([kadminl, 'getprinc', pr2], env=slave1) -if 'Attributes:\n' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 9, 10) -check_ulog(4, 7, 10, [None, pr1, pr1, pr2], slave2) -out = realm.run([kadminl, 'getprinc', pr2], env=slave2) -if 'Attributes:\n' not in out: - fail('slave2 does not have modification from slave1') - -# Create a policy and check that it propagates via full resync. -realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) -check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, True, 10, 1) -check_ulog(1, 1, 1, [None], slave1) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) -if 'Minimum number of password character classes: 2' not in out: - fail('slave1 does not have policy from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, True, 10, 1) -check_ulog(1, 1, 1, [None], slave2) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) -if 'Minimum number of password character classes: 2' not in out: - fail('slave2 does not have policy from slave1') - -# Modify the policy and test that it also propagates via full resync. -realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) -check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, True, 1, 1) -check_ulog(1, 1, 1, [None], slave1) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) -if 'Minimum password length: 17' not in out: - fail('slave1 does not have policy change from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, True, 1, 1) -check_ulog(1, 1, 1, [None], slave2) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2) -if 'Minimum password length: 17' not in out: - fail('slave2 does not have policy change from slave1') - -# Delete the policy and test that it propagates via full resync. -realm.run([kadminl, 'delpol', 'testpol']) -check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, True, 1, 1) -check_ulog(1, 1, 1, [None], slave1) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1, expected_code=1) -if 'Policy does not exist' not in out: - fail('slave1 did not get policy deletion from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, True, 1, 1) -check_ulog(1, 1, 1, [None], slave2) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave2, expected_code=1) -if 'Policy does not exist' not in out: - fail('slave2 did not get policy deletion from slave1') - -# Modify a principal on the master and test that it propagates incrementally. -realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1]) -check_ulog(2, 1, 2, [None, pr1]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 1, 2) -check_ulog(2, 1, 2, [None, pr1], slave1) -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave1 does not have modification from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 1, 2) -check_ulog(2, 1, 2, [None, pr1], slave2) -out = realm.run([kadminl, 'getprinc', pr1], env=slave2) -if 'Maximum ticket life: 0 days 00:10:00' not in out: - fail('slave2 does not have modification from slave1') - -# Delete a principal and test that it propagates incrementally. -realm.run([kadminl, 'delprinc', pr3]) -check_ulog(3, 1, 3, [None, pr1, pr3]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 2, 3) -check_ulog(3, 1, 3, [None, pr1, pr3], slave1) -out = realm.run([kadminl, 'getprinc', pr3], env=slave1, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave1 does not have principal deletion from master') -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 2, 3) -check_ulog(3, 1, 3, [None, pr1, pr3], slave2) -out = realm.run([kadminl, 'getprinc', pr3], env=slave2, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave2 does not have principal deletion from slave1') - -# Rename a principal and test that it propagates incrementally. -renpr = "quacked@" + realm.realm -realm.run([kadminl, 'renprinc', pr1, renpr]) -check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, False, 3, 6) -check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave1) -out = realm.run([kadminl, 'getprinc', pr1], env=slave1, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave1 does not have principal deletion from master') -realm.run([kadminl, 'getprinc', renpr], env=slave1) -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, False, 3, 6) -check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], slave2) -out = realm.run([kadminl, 'getprinc', pr1], env=slave2, expected_code=1) -if 'Principal does not exist' not in out: - fail('slave2 does not have principal deletion from master') -realm.run([kadminl, 'getprinc', renpr], env=slave2) - -pr1 = renpr - -# Reset the ulog on the master to force a full resync. -realm.run([kproplog, '-R']) -check_ulog(1, 1, 1, [None]) -kpropd1.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd1, True, 6, 1) -check_ulog(1, 1, 1, [None], slave1) -kpropd2.send_signal(signal.SIGUSR1) -wait_for_prop(kpropd2, True, 6, 1) -check_ulog(1, 1, 1, [None], slave2) - -# Stop the kprop daemons so we can test kpropd -t. -stop_daemon(kpropd1) -stop_daemon(kpropd2) - -# Test the case where no updates are needed. -out = realm.run_kpropd_once(slave1, ['-d']) -if 'KDC is synchronized' not in out: - fail('Expected synchronized from kpropd -t') -check_ulog(1, 1, 1, [None], slave1) - -# Make a change on the master and fetch it incrementally. -realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1]) -check_ulog(2, 1, 2, [None, pr1]) -out = realm.run_kpropd_once(slave1, ['-d']) -if 'Got incremental updates (sno=2 ' not in out: - fail('Expected full dump and synchronized from kpropd -t') -check_ulog(2, 1, 2, [None, pr1], slave1) -out = realm.run([kadminl, 'getprinc', pr1], env=slave1) -if 'Maximum ticket life: 0 days 00:05:00' not in out: - fail('slave1 does not have modification from master after kpropd -t') - -# Propagate a policy change via full resync. -realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol']) -check_ulog(1, 1, 1, [None]) -out = realm.run_kpropd_once(slave1, ['-d']) -if ('Full propagation transfer finished' not in out or - 'KDC is synchronized' not in out): - fail('Expected full dump and synchronized from kpropd -t') -check_ulog(1, 1, 1, [None], slave1) -out = realm.run([kadminl, 'getpol', 'testpol'], env=slave1) -if 'Minimum number of password character classes: 3' not in out: - fail('slave1 does not have policy from master after kpropd -t') +conf_rep3 = {'realms': {'$realm': {'iprop_replica_poll': '600', + 'iprop_logfile': '$testdir/ulog.replica3', + 'iprop_port': '$port8'}, + 'FOO': {'iprop_logfile': '$testdir/ulog.replica3'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.replica3'}}} + +krb5_conf_rep4 = {'domain_realm': {hostname: 'FOO'}} +conf_rep4 = {'realms': {'$realm': {'iprop_replica_poll': '600', + 'iprop_logfile': '$testdir/ulog.replica4', + 'iprop_port': '$port8'}}, + 'dbmodules': {'db': {'database_name': '$testdir/db.replica4'}}} + +for realm in multidb_realms(kdc_conf=conf, create_user=False, + start_kadmind=True): + replica1 = realm.special_env('replica1', True, kdc_conf=conf_rep1) + replica1m = realm.special_env('replica1m', True, krb5_conf=conf_foo, + kdc_conf=conf_rep1m) + replica2 = realm.special_env('replica2', True, kdc_conf=conf_rep2) + + # A default_realm and domain_realm that do not match the KDC's + # realm. The FOO realm iprop_logfile setting is needed to run + # kproplog during a replica3 test, since kproplog has no realm + # option. + replica3 = realm.special_env('replica3', True, krb5_conf=conf_foo, + kdc_conf=conf_rep3) + + # A default realm and a domain realm map that differ. + replica4 = realm.special_env('replica4', True, krb5_conf=krb5_conf_rep4, + kdc_conf=conf_rep4) + + # Define some principal names. pr3 is long enough to cause internal + # reallocs, but not long enough to grow the basic ulog entry size. + pr1 = 'wakawaka@' + realm.realm + pr2 = 'w@' + realm.realm + c = 'chocolate-flavored-school-bus' + cs = c + '/' + pr3 = (cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + cs + c + + '@' + realm.realm) + + # Create the kpropd ACL file. + acl_file = os.path.join(realm.testdir, 'kpropd-acl') + acl = open(acl_file, 'w') + acl.write(realm.host_princ + '\n') + acl.close() + + ulog = os.path.join(realm.testdir, 'db.ulog') + if not os.path.exists(ulog): + fail('update log not created: ' + ulog) + + # Create the principal used to authenticate kpropd to kadmind. + kiprop_princ = 'kiprop/' + hostname + realm.extract_keytab(kiprop_princ, realm.keytab) + + # Create the initial replica databases. + dumpfile = os.path.join(realm.testdir, 'dump') + realm.run([kdb5_util, 'dump', dumpfile]) + realm.run([kdb5_util, 'load', dumpfile], replica1) + realm.run([kdb5_util, 'load', dumpfile], replica2) + realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], replica3) + realm.run([kdb5_util, 'load', dumpfile], replica4) + + # Reinitialize the master ulog so we know exactly what to expect in + # it. + realm.run([kproplog, '-R']) + check_ulog(1, 1, 1, [None]) + + # Make some changes to the master DB. + realm.addprinc(pr1) + realm.addprinc(pr3) + realm.addprinc(pr2) + realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) + realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) + check_ulog(6, 1, 6, [None, pr1, pr3, pr2, pr2, pr2]) + + # Start kpropd for replica1 and get a full dump from master. + mark('propagate M->1 full') + kpropd1 = realm.start_kpropd(replica1, ['-d']) + wait_for_prop(kpropd1, True, 1, 6) + out = realm.run([kadminl, 'listprincs'], env=replica1) + if pr1 not in out or pr2 not in out or pr3 not in out: + fail('replica1 does not have all principals from master') + check_ulog(1, 6, 6, [None], replica1) + + # Make a change and check that it propagates incrementally. + mark('propagate M->1 incremental') + realm.run([kadminl, 'modprinc', '-allow_tix', pr2]) + check_ulog(7, 1, 7, [None, pr1, pr3, pr2, pr2, pr2, pr2]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 6, 7) + check_ulog(2, 6, 7, [None, pr2], replica1) + realm.run([kadminl, 'getprinc', pr2], env=replica1, + expected_msg='Attributes: DISALLOW_ALL_TIX') + + # Start kadmind -proponly for replica1. (Use the replica1m + # environment which defines iprop_port to $port8.) + replica1_out_dump_path = os.path.join(realm.testdir, 'dump.replica1.out') + replica2_in_dump_path = os.path.join(realm.testdir, 'dump.replica2.in') + replica2_kprop_port = str(realm.portbase + 9) + kadmind_proponly = realm.start_server([kadmind, '-r', realm.realm, + '-nofork', '-proponly', + '-W', '-p', kdb5_util, + '-K', kprop, '-k', + replica2_kprop_port, + '-F', replica1_out_dump_path], + 'starting...', replica1m) + + # Test similar default_realm and domain_realm map settings with -r realm. + mark('propagate 1->3 full') + replica3_in_dump_path = os.path.join(realm.testdir, 'dump.replica3.in') + kpropd3 = realm.start_server([kpropd, '-d', '-D', '-r', realm.realm, '-P', + replica2_kprop_port, '-f', + replica3_in_dump_path, '-p', kdb5_util, '-a', + acl_file, '-A', hostname], 'ready', replica3) + wait_for_prop(kpropd3, True, 1, 7) + out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], env=replica3) + if pr1 not in out or pr2 not in out or pr3 not in out: + fail('replica3 does not have all principals from replica1') + check_ulog(1, 7, 7, [None], env=replica3) + + # Test an incremental propagation for the kpropd -r case. + mark('propagate M->1->3 incremental') + realm.run([kadminl, 'modprinc', '-maxlife', '20 minutes', pr1]) + check_ulog(8, 1, 8, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 7, 8) + check_ulog(3, 6, 8, [None, pr2, pr1], replica1) + realm.run([kadminl, 'getprinc', pr1], env=replica1, + expected_msg='Maximum ticket life: 0 days 00:20:00') + kpropd3.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd3, False, 7, 8) + check_ulog(2, 7, 8, [None, pr1], replica3) + realm.run([kadminl, '-r', realm.realm, 'getprinc', pr1], env=replica3, + expected_msg='Maximum ticket life: 0 days 00:20:00') + stop_daemon(kpropd3) + + # Test dissimilar default_realm and domain_realm map settings (no + # -r realm). + mark('propagate 1->4 full') + replica4_in_dump_path = os.path.join(realm.testdir, 'dump.replica4.in') + kpropd4 = realm.start_server([kpropd, '-d', '-D', '-P', + replica2_kprop_port, '-f', + replica4_in_dump_path, '-p', kdb5_util, + '-a', acl_file, '-A', hostname], 'ready', + replica4) + wait_for_prop(kpropd4, True, 1, 8) + out = realm.run([kadminl, 'listprincs'], env=replica4) + if pr1 not in out or pr2 not in out or pr3 not in out: + fail('replica4 does not have all principals from replica1') + stop_daemon(kpropd4) + + # Start kpropd for replica2. The -A option isn't needed since + # we're talking to the same host as master (we specify it anyway + # to exercise the code), but replica2 defines iprop_port to $port8 + # so it will talk to replica1. Get a full dump from replica1. + mark('propagate 1->2 full') + kpropd2 = realm.start_server([kpropd, '-d', '-D', '-P', + replica2_kprop_port, '-f', + replica2_in_dump_path, '-p', kdb5_util, + '-a', acl_file, '-A', hostname], 'ready', + replica2) + wait_for_prop(kpropd2, True, 1, 8) + check_ulog(2, 7, 8, [None, pr1], replica2) + out = realm.run([kadminl, 'listprincs'], env=replica1) + if pr1 not in out or pr2 not in out or pr3 not in out: + fail('replica2 does not have all principals from replica1') + + # Make another change and check that it propagates incrementally + # to both replicas. + mark('propagate M->1->2 incremental') + realm.run([kadminl, 'modprinc', '-maxrenewlife', '22 hours', pr1]) + check_ulog(9, 1, 9, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 8, 9) + check_ulog(4, 6, 9, [None, pr2, pr1, pr1], replica1) + realm.run([kadminl, 'getprinc', pr1], env=replica1, + expected_msg='Maximum renewable life: 0 days 22:00:00\n') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 8, 9) + check_ulog(3, 7, 9, [None, pr1, pr1], replica2) + realm.run([kadminl, 'getprinc', pr1], env=replica2, + expected_msg='Maximum renewable life: 0 days 22:00:00\n') + + # Reset the ulog on replica1 to force a full resync from master. + # The resync will use the old dump file and then propagate + # changes. replica2 should still be in sync with replica1 after + # the resync, so make sure it doesn't take a full resync. + mark('propagate M->1->2 full') + realm.run([kproplog, '-R'], replica1) + check_ulog(1, 1, 1, [None], replica1) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, True, 1, 9) + check_ulog(4, 6, 9, [None, pr2, pr1, pr1], replica1) + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 9, 9) + check_ulog(3, 7, 9, [None, pr1, pr1], replica2) + + # Make another change and check that it propagates incrementally to + # both replicas. + mark('propagate M->1->2 incremental (after reset)') + realm.run([kadminl, 'modprinc', '+allow_tix', pr2]) + check_ulog(10, 1, 10, [None, pr1, pr3, pr2, pr2, pr2, pr2, pr1, pr1, pr2]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 9, 10) + check_ulog(5, 6, 10, [None, pr2, pr1, pr1, pr2], replica1) + realm.run([kadminl, 'getprinc', pr2], env=replica1, + expected_msg='Attributes:\n') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 9, 10) + check_ulog(4, 7, 10, [None, pr1, pr1, pr2], replica2) + realm.run([kadminl, 'getprinc', pr2], env=replica2, + expected_msg='Attributes:\n') + + # Create a policy and check that it propagates via full resync. + mark('propagate M->1->2 full (new policy)') + realm.run([kadminl, 'addpol', '-minclasses', '2', 'testpol']) + check_ulog(1, 1, 1, [None]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, True, 10, 1) + check_ulog(1, 1, 1, [None], replica1) + realm.run([kadminl, 'getpol', 'testpol'], env=replica1, + expected_msg='Minimum number of password character classes: 2') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, True, 10, 1) + check_ulog(1, 1, 1, [None], replica2) + realm.run([kadminl, 'getpol', 'testpol'], env=replica2, + expected_msg='Minimum number of password character classes: 2') + + # Modify the policy and test that it also propagates via full resync. + mark('propagate M->1->2 full (policy change)') + realm.run([kadminl, 'modpol', '-minlength', '17', 'testpol']) + check_ulog(1, 1, 1, [None]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, True, 1, 1) + check_ulog(1, 1, 1, [None], replica1) + realm.run([kadminl, 'getpol', 'testpol'], env=replica1, + expected_msg='Minimum password length: 17') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, True, 1, 1) + check_ulog(1, 1, 1, [None], replica2) + realm.run([kadminl, 'getpol', 'testpol'], env=replica2, + expected_msg='Minimum password length: 17') + + # Delete the policy and test that it propagates via full resync. + mark('propgate M->1->2 full (policy delete)') + realm.run([kadminl, 'delpol', 'testpol']) + check_ulog(1, 1, 1, [None]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, True, 1, 1) + check_ulog(1, 1, 1, [None], replica1) + realm.run([kadminl, 'getpol', 'testpol'], env=replica1, expected_code=1, + expected_msg='Policy does not exist') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, True, 1, 1) + check_ulog(1, 1, 1, [None], replica2) + realm.run([kadminl, 'getpol', 'testpol'], env=replica2, expected_code=1, + expected_msg='Policy does not exist') + + # Modify a principal on the master and test that it propagates + # incrementally. + mark('propagate M->1->2 incremental (after policy changes)') + realm.run([kadminl, 'modprinc', '-maxlife', '10 minutes', pr1]) + check_ulog(2, 1, 2, [None, pr1]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 1, 2) + check_ulog(2, 1, 2, [None, pr1], replica1) + realm.run([kadminl, 'getprinc', pr1], env=replica1, + expected_msg='Maximum ticket life: 0 days 00:10:00') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 1, 2) + check_ulog(2, 1, 2, [None, pr1], replica2) + realm.run([kadminl, 'getprinc', pr1], env=replica2, + expected_msg='Maximum ticket life: 0 days 00:10:00') + + # Delete a principal and test that it propagates incrementally. + mark('propagate M->1->2 incremental (princ delete)') + realm.run([kadminl, 'delprinc', pr3]) + check_ulog(3, 1, 3, [None, pr1, pr3]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 2, 3) + check_ulog(3, 1, 3, [None, pr1, pr3], replica1) + realm.run([kadminl, 'getprinc', pr3], env=replica1, expected_code=1, + expected_msg='Principal does not exist') + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 2, 3) + check_ulog(3, 1, 3, [None, pr1, pr3], replica2) + realm.run([kadminl, 'getprinc', pr3], env=replica2, expected_code=1, + expected_msg='Principal does not exist') + + # Rename a principal and test that it propagates incrementally. + mark('propagate M->1->2 incremental (princ rename)') + renpr = "quacked@" + realm.realm + realm.run([kadminl, 'renprinc', pr1, renpr]) + check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, False, 3, 6) + check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], replica1) + realm.run([kadminl, 'getprinc', pr1], env=replica1, expected_code=1, + expected_msg='Principal does not exist') + realm.run([kadminl, 'getprinc', renpr], env=replica1) + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, False, 3, 6) + check_ulog(6, 1, 6, [None, pr1, pr3, renpr, pr1, renpr], replica2) + realm.run([kadminl, 'getprinc', pr1], env=replica2, expected_code=1, + expected_msg='Principal does not exist') + realm.run([kadminl, 'getprinc', renpr], env=replica2) + + pr1 = renpr + + # Reset the ulog on the master to force a full resync. + mark('propagate M->1->2 full (ulog reset)') + realm.run([kproplog, '-R']) + check_ulog(1, 1, 1, [None]) + kpropd1.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd1, True, 6, 1) + check_ulog(1, 1, 1, [None], replica1) + kpropd2.send_signal(signal.SIGUSR1) + wait_for_prop(kpropd2, True, 6, 1) + check_ulog(1, 1, 1, [None], replica2) + + # Stop the kprop daemons so we can test kpropd -t. + realm.stop_kpropd(kpropd1) + stop_daemon(kpropd2) + stop_daemon(kadmind_proponly) + mark('kpropd -t') + + # Test the case where no updates are needed. + out = realm.run_kpropd_once(replica1, ['-d']) + if 'KDC is synchronized' not in out: + fail('Expected synchronized from kpropd -t') + check_ulog(1, 1, 1, [None], replica1) + + # Make a change on the master and fetch it incrementally. + realm.run([kadminl, 'modprinc', '-maxlife', '5 minutes', pr1]) + check_ulog(2, 1, 2, [None, pr1]) + out = realm.run_kpropd_once(replica1, ['-d']) + if 'Got incremental updates (sno=2 ' not in out: + fail('Expected full dump and synchronized from kpropd -t') + check_ulog(2, 1, 2, [None, pr1], replica1) + realm.run([kadminl, 'getprinc', pr1], env=replica1, + expected_msg='Maximum ticket life: 0 days 00:05:00') + + # Propagate a policy change via full resync. + realm.run([kadminl, 'addpol', '-minclasses', '3', 'testpol']) + check_ulog(1, 1, 1, [None]) + out = realm.run_kpropd_once(replica1, ['-d']) + if ('Full propagation transfer finished' not in out or + 'KDC is synchronized' not in out): + fail('Expected full dump and synchronized from kpropd -t') + check_ulog(1, 1, 1, [None], replica1) + realm.run([kadminl, 'getpol', 'testpol'], env=replica1, + expected_msg='Minimum number of password character classes: 3') success('iprop tests') diff --git a/src/tests/t_kadm5_auth.py b/src/tests/t_kadm5_auth.py new file mode 100644 index 0000000..6e0f42b --- /dev/null +++ b/src/tests/t_kadm5_auth.py @@ -0,0 +1,80 @@ +from k5test import * + +# Create a realm with the welcomer and bouncer kadm5_auth test modules +# in place of the builtin modules. +modpath = os.path.join(buildtop, 'plugins', 'kadm5_auth', 'test', + 'kadm5_auth_test.so') +conf = {'plugins': {'kadm5_auth': {'module': ['welcomer:' + modpath, + 'bouncer:' + modpath], + 'enable_only': ['welcomer', 'bouncer']}}} +realm = K5Realm(krb5_conf=conf, create_host=False) +realm.start_kadmind() +realm.prep_kadmin() + +# addprinc: welcomer accepts with policy VIP, bouncer denies maxlife. +realm.run_kadmin(['addprinc', '-randkey', 'princ'], expected_code=1) +realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', 'princ']) +realm.run_kadmin(['addprinc', '-randkey', '-policy', 'VIP', '-maxlife', '3', + 'princ'], expected_code=1) + +# modprinc: welcomer accepts with only maxrenewlife, bouncer denies +# with even-component target principal. +realm.run_kadmin(['modprinc', '-maxlife', '3', 'princ'], expected_code=1) +realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'princ']) +realm.run_kadmin(['modprinc', '-maxrenewlife', '3', 'user/admin'], + expected_code=1) + +# setstr: welcomer accepts with key 'note', bouncer denies with value +# length > 10. +realm.run_kadmin(['setstr', 'princ', 'somekey', 'someval'], expected_code=1) +realm.run_kadmin(['setstr', 'princ', 'note', 'abc']) +realm.run_kadmin(['setstr', 'princ', 'note', 'abcdefghijkl'], expected_code=1) + +# delprinc: welcomer accepts with target principal beginning with 'd', +# bouncer denies with "nodelete" string attribute. +realm.run_kadmin(['delprinc', 'user'], expected_code=1) +realm.run([kadminl, 'addprinc', '-randkey', 'deltest']) +realm.run_kadmin(['delprinc', 'deltest']) +realm.run([kadminl, 'addprinc', '-randkey', 'deltest']) +realm.run([kadminl, 'setstr', 'deltest', 'nodelete', 'yes']) +realm.run_kadmin(['delprinc', 'deltest'], expected_code=1) + +# renprinc: welcomer accepts with same-length first components, bouncer +# refuses with source principal beginning with 'a'. +realm.run_kadmin(['renprinc', 'princ', 'xyz'], expected_code=1) +realm.run_kadmin(['renprinc', 'princ', 'abcde']) +realm.run_kadmin(['renprinc', 'abcde', 'fghij'], expected_code=1) + +# addpol: welcomer accepts with minlength 3, bouncer denies with name +# length <= 3. +realm.run_kadmin(['addpol', 'testpol'], expected_code=1) +realm.run_kadmin(['addpol', '-minlength', '3', 'testpol']) +realm.run_kadmin(['addpol', '-minlength', '3', 'abc'], expected_code=1) + +# modpol: welcomer accepts changes to minlife, bouncer denies with +# minlife > 10. +realm.run_kadmin(['modpol', '-minlength', '4', 'testpol'], expected_code=1) +realm.run_kadmin(['modpol', '-minlife', '8', 'testpol']) +realm.run_kadmin(['modpol', '-minlife', '11', 'testpol'], expected_code=1) + +# getpol: welcomer accepts if policy and client policy have same length, +# bouncer denies if policy name begins with 'x'. +realm.run([kadminl, 'addpol', 'aaaa']) +realm.run([kadminl, 'addpol', 'bbbb']) +realm.run([kadminl, 'addpol', 'xxxx']) +realm.run([kadminl, 'modprinc', '-policy', 'aaaa', 'user/admin']) +realm.run_kadmin(['getpol', 'testpol'], expected_code=1) +realm.run_kadmin(['getpol', 'bbbb']) +realm.run_kadmin(['getpol', 'xxxx'], expected_code=1) + +# end: welcomer counts operations using "ends" string attribute on +# "opcount" principal. kadmind is dumb and invokes the end method for +# every RPC operation including init, so we expect four calls to the +# end operation. +realm.run([kadminl, 'addprinc', '-nokey', 'opcount']) +realm.run([kadminl, 'setstr', 'opcount', 'ends', '0']) +realm.run_kadmin(['getprinc', 'user']) +realm.run_kadmin(['getpol', 'bbbb']) +realm.run([kadminl, 'getstrs', 'opcount'], expected_msg='ends: 4') + +success('kadm5_auth pluggable interface tests') diff --git a/src/tests/t_kadm5_hook.py b/src/tests/t_kadm5_hook.py index 708e328..32fab78 100755 --- a/src/tests/t_kadm5_hook.py +++ b/src/tests/t_kadm5_hook.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test", @@ -7,12 +6,10 @@ plugin = os.path.join(buildtop, "plugins", "kadm5_hook", "test", hook_krb5_conf = {'plugins': {'kadm5_hook': { 'module': 'test:' + plugin}}} realm = K5Realm(krb5_conf=hook_krb5_conf, create_user=False, create_host=False) -output = realm.run([kadminl, 'addprinc', '-randkey', 'test']) -if "create: stage precommit" not in output: - fail('kadm5_hook test output not found') +realm.run([kadminl, 'addprinc', '-randkey', 'test'], + expected_msg='create: stage precommit') -output = realm.run([kadminl, 'renprinc', 'test', 'test2']) -if "rename: stage precommit" not in output: - fail('kadm5_hook test output not found') +realm.run([kadminl, 'renprinc', 'test', 'test2'], + expected_msg='rename: stage precommit') success('kadm5_hook') diff --git a/src/tests/t_kadmin_acl.py b/src/tests/t_kadmin_acl.py index 188929a..86eb597 100755 --- a/src/tests/t_kadmin_acl.py +++ b/src/tests/t_kadmin_acl.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * import os @@ -84,231 +83,192 @@ realm.addprinc('selected', 'oldpw') realm.addprinc('unselected', 'oldpw') for pw in (['-pw', 'newpw'], ['-randkey']): for ks in ([], ['-e', 'aes256-cts']): + mark('cpw: %s %s' % (repr(pw), repr(ks))) args = pw + ks kadmin_as(all_changepw, ['cpw'] + args + ['unselected']) kadmin_as(some_changepw, ['cpw'] + args + ['selected']) - out = kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1) - if 'Operation requires ``change-password\'\' privilege' not in out: - fail('cpw failure (no perms)') - out = kadmin_as(some_changepw, ['cpw'] + args + ['unselected'], - expected_code=1) - if 'Operation requires ``change-password\'\' privilege' not in out: - fail('cpw failure (target)') - out = kadmin_as(none, ['cpw'] + args + ['none']) + msg = "Operation requires ``change-password'' privilege" + kadmin_as(none, ['cpw'] + args + ['selected'], expected_code=1, + expected_msg=msg) + kadmin_as(some_changepw, ['cpw'] + args + ['unselected'], + expected_code=1, expected_msg=msg) + kadmin_as(none, ['cpw'] + args + ['none']) realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none']) - out = kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1) - if 'Current password\'s minimum life has not expired' not in out: - fail('cpw failure (minimum life)') + msg = "Current password's minimum life has not expired" + kadmin_as(none, ['cpw'] + args + ['none'], expected_code=1, + expected_msg=msg) realm.run([kadminl, 'modprinc', '-clearpolicy', 'none']) realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) +mark('addpol') kadmin_as(all_add, ['addpol', 'policy']) realm.run([kadminl, 'delpol', 'policy']) -out = kadmin_as(none, ['addpol', 'policy'], expected_code=1) -if 'Operation requires ``add\'\' privilege' not in out: - fail('addpol failure (no perms)') +kadmin_as(none, ['addpol', 'policy'], expected_code=1, + expected_msg="Operation requires ``add'' privilege") # addprinc can generate two different RPC calls depending on options. for ks in ([], ['-e', 'aes256-cts']): + mark('addprinc: %s' % repr(ks)) args = ['-pw', 'pw'] + ks kadmin_as(all_add, ['addprinc'] + args + ['unselected']) realm.run([kadminl, 'delprinc', 'unselected']) kadmin_as(some_add, ['addprinc'] + args + ['selected']) realm.run([kadminl, 'delprinc', 'selected']) kadmin_as(restricted_add, ['addprinc'] + args + ['unselected']) - out = realm.run([kadminl, 'getprinc', 'unselected']) - if 'REQUIRES_PRE_AUTH' not in out: - fail('addprinc success (restrictions) -- restriction check') + realm.run([kadminl, 'getprinc', 'unselected'], + expected_msg='REQUIRES_PRE_AUTH') realm.run([kadminl, 'delprinc', 'unselected']) - out = kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1) - if 'Operation requires ``add\'\' privilege' not in out: - fail('addprinc failure (no perms)') - out = kadmin_as(some_add, ['addprinc'] + args + ['unselected'], - expected_code=1) - if 'Operation requires ``add\'\' privilege' not in out: - fail('addprinc failure (target)') + kadmin_as(none, ['addprinc'] + args + ['selected'], expected_code=1, + expected_msg="Operation requires ``add'' privilege") + kadmin_as(some_add, ['addprinc'] + args + ['unselected'], expected_code=1, + expected_msg="Operation requires ``add'' privilege") +mark('delprinc') realm.addprinc('unselected', 'pw') kadmin_as(all_delete, ['delprinc', 'unselected']) realm.addprinc('selected', 'pw') kadmin_as(some_delete, ['delprinc', 'selected']) realm.addprinc('unselected', 'pw') -out = kadmin_as(none, ['delprinc', 'unselected'], expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('delprinc failure (no perms)') -out = kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('delprinc failure (no target)') +kadmin_as(none, ['delprinc', 'unselected'], expected_code=1, + expected_msg="Operation requires ``delete'' privilege") +kadmin_as(some_delete, ['delprinc', 'unselected'], expected_code=1, + expected_msg="Operation requires ``delete'' privilege") realm.run([kadminl, 'delprinc', 'unselected']) -out = kadmin_as(all_inquire, ['getpol', 'minlife']) -if 'Policy: minlife' not in out: - fail('getpol success (acl)') -out = kadmin_as(none, ['getpol', 'minlife'], expected_code=1) -if 'Operation requires ``get\'\' privilege' not in out: - fail('getpol failure (no perms)') +mark('getpol') +kadmin_as(all_inquire, ['getpol', 'minlife'], expected_msg='Policy: minlife') +kadmin_as(none, ['getpol', 'minlife'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") realm.run([kadminl, 'modprinc', '-policy', 'minlife', 'none']) -out = kadmin_as(none, ['getpol', 'minlife']) -if 'Policy: minlife' not in out: - fail('getpol success (self policy exemption)') +kadmin_as(none, ['getpol', 'minlife'], expected_msg='Policy: minlife') realm.run([kadminl, 'modprinc', '-clearpolicy', 'none']) +mark('getprinc') realm.addprinc('selected', 'pw') realm.addprinc('unselected', 'pw') -out = kadmin_as(all_inquire, ['getprinc', 'unselected']) -if 'Principal: unselected@KRBTEST.COM' not in out: - fail('getprinc success (acl)') -out = kadmin_as(some_inquire, ['getprinc', 'selected']) -if 'Principal: selected@KRBTEST.COM' not in out: - fail('getprinc success (target)') -out = kadmin_as(none, ['getprinc', 'selected'], expected_code=1) -if 'Operation requires ``get\'\' privilege' not in out: - fail('getprinc failure (no perms)') -out = kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1) -if 'Operation requires ``get\'\' privilege' not in out: - fail('getprinc failure (target)') -out = kadmin_as(none, ['getprinc', 'none']) -if 'Principal: none@KRBTEST.COM' not in out: - fail('getprinc success (self exemption)') +kadmin_as(all_inquire, ['getprinc', 'unselected'], + expected_msg='Principal: unselected@KRBTEST.COM') +kadmin_as(some_inquire, ['getprinc', 'selected'], + expected_msg='Principal: selected@KRBTEST.COM') +kadmin_as(none, ['getprinc', 'selected'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") +kadmin_as(some_inquire, ['getprinc', 'unselected'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") +kadmin_as(none, ['getprinc', 'none'], + expected_msg='Principal: none@KRBTEST.COM') realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) -out = kadmin_as(all_list, ['listprincs']) -if 'K/M@KRBTEST.COM' not in out: - fail('listprincs success (acl)') -out = kadmin_as(none, ['listprincs'], expected_code=1) -if 'Operation requires ``list\'\' privilege' not in out: - fail('listprincs failure (no perms)') +mark('listprincs') +kadmin_as(all_list, ['listprincs'], expected_msg='K/M@KRBTEST.COM') +kadmin_as(none, ['listprincs'], expected_code=1, + expected_msg="Operation requires ``list'' privilege") +mark('getstrs') realm.addprinc('selected', 'pw') realm.addprinc('unselected', 'pw') realm.run([kadminl, 'setstr', 'selected', 'key', 'value']) realm.run([kadminl, 'setstr', 'unselected', 'key', 'value']) -out = kadmin_as(all_inquire, ['getstrs', 'unselected']) -if 'key: value' not in out: - fail('getstrs success (acl)') -out = kadmin_as(some_inquire, ['getstrs', 'selected']) -if 'key: value' not in out: - fail('getstrs success (target)') -out = kadmin_as(none, ['getstrs', 'selected'], expected_code=1) -if 'Operation requires ``get\'\' privilege' not in out: - fail('getstrs failure (no perms)') -out = kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1) -if 'Operation requires ``get\'\' privilege' not in out: - fail('getstrs failure (target)') -out = kadmin_as(none, ['getstrs', 'none']) -if '(No string attributes.)' not in out: - fail('getstrs success (self exemption)') +kadmin_as(all_inquire, ['getstrs', 'unselected'], expected_msg='key: value') +kadmin_as(some_inquire, ['getstrs', 'selected'], expected_msg='key: value') +kadmin_as(none, ['getstrs', 'selected'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") +kadmin_as(some_inquire, ['getstrs', 'unselected'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") +kadmin_as(none, ['getstrs', 'none'], expected_msg='(No string attributes.)') realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) +mark('modpol') out = kadmin_as(all_modify, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1) if 'Operation requires' in out: fail('modpol success (acl)') -out = kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], - expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('modpol failure (no perms)') +kadmin_as(none, ['modpol', '-maxlife', '1 hour', 'policy'], expected_code=1, + expected_msg="Operation requires ``modify'' privilege") +mark('modprinc') realm.addprinc('selected', 'pw') realm.addprinc('unselected', 'pw') kadmin_as(all_modify, ['modprinc', '-maxlife', '1 hour', 'unselected']) kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'selected']) kadmin_as(restricted_modify, ['modprinc', '-maxlife', '1 hour', 'unselected']) -out = realm.run([kadminl, 'getprinc', 'unselected']) -if 'REQUIRES_PRE_AUTH' not in out: - fail('addprinc success (restrictions) -- restriction check') -out = kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'], - expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('addprinc failure (no perms)') -out = kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'], - expected_code=1) -if 'Operation requires' not in out: - fail('modprinc failure (target)') +realm.run([kadminl, 'getprinc', 'unselected'], + expected_msg='REQUIRES_PRE_AUTH') +kadmin_as(all_inquire, ['modprinc', '-maxlife', '1 hour', 'selected'], + expected_code=1, + expected_msg="Operation requires ``modify'' privilege") +kadmin_as(some_modify, ['modprinc', '-maxlife', '1 hour', 'unselected'], + expected_code=1, expected_msg='Operation requires') realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) +mark('purgekeys') realm.addprinc('selected', 'pw') realm.addprinc('unselected', 'pw') kadmin_as(all_modify, ['purgekeys', 'unselected']) kadmin_as(some_modify, ['purgekeys', 'selected']) -out = kadmin_as(none, ['purgekeys', 'selected'], expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('purgekeys failure (no perms)') -out = kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('purgekeys failure (target)') +kadmin_as(none, ['purgekeys', 'selected'], expected_code=1, + expected_msg="Operation requires ``modify'' privilege") +kadmin_as(some_modify, ['purgekeys', 'unselected'], expected_code=1, + expected_msg="Operation requires ``modify'' privilege") kadmin_as(none, ['purgekeys', 'none']) realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) +mark('renprinc') realm.addprinc('from', 'pw') kadmin_as(all_rename, ['renprinc', 'from', 'to']) realm.run([kadminl, 'renprinc', 'to', 'from']) kadmin_as(some_rename, ['renprinc', 'from', 'to']) realm.run([kadminl, 'renprinc', 'to', 'from']) -out = kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('renprinc failure (no delete perms)') -out = kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1) -if 'Operation requires ``add\'\' privilege' not in out: - fail('renprinc failure (no add perms)') -out = kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1) -if 'Operation requires ``add\'\' privilege' not in out: - fail('renprinc failure (new target)') +kadmin_as(all_add, ['renprinc', 'from', 'to'], expected_code=1, + expected_msg="Insufficient authorization for operation") +kadmin_as(all_delete, ['renprinc', 'from', 'to'], expected_code=1, + expected_msg="Insufficient authorization for operation") +kadmin_as(some_rename, ['renprinc', 'from', 'notto'], expected_code=1, + expected_msg="Insufficient authorization for operation") realm.run([kadminl, 'renprinc', 'from', 'notfrom']) -out = kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('renprinc failure (old target)') -out = kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], - expected_code=1) -if 'Operation requires ``add\'\' privilege' not in out: - fail('renprinc failure (restrictions)') +kadmin_as(some_rename, ['renprinc', 'notfrom', 'to'], expected_code=1, + expected_msg="Insufficient authorization for operation") +kadmin_as(restricted_rename, ['renprinc', 'notfrom', 'to'], expected_code=1, + expected_msg="Insufficient authorization for operation") realm.run([kadminl, 'delprinc', 'notfrom']) +mark('setstr') realm.addprinc('selected', 'pw') realm.addprinc('unselected', 'pw') kadmin_as(all_modify, ['setstr', 'unselected', 'key', 'value']) kadmin_as(some_modify, ['setstr', 'selected', 'key', 'value']) -out = kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('addprinc failure (no perms)') -out = kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'], - expected_code=1) -if 'Operation requires' not in out: - fail('modprinc failure (target)') +kadmin_as(none, ['setstr', 'selected', 'key', 'value'], expected_code=1, + expected_msg="Operation requires ``modify'' privilege") +kadmin_as(some_modify, ['setstr', 'unselected', 'key', 'value'], + expected_code=1, expected_msg='Operation requires') realm.run([kadminl, 'delprinc', 'selected']) realm.run([kadminl, 'delprinc', 'unselected']) +mark('addprinc/delprinc (wildcard)') kadmin_as(admin, ['addprinc', '-pw', 'pw', 'anytarget']) realm.run([kadminl, 'delprinc', 'anytarget']) kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card']) realm.run([kadminl, 'delprinc', 'wild/card']) -out = kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'], - expected_code=1) -if 'Operation requires' not in out: - fail('addprinc failure (target wildcard extra component)') +kadmin_as(wctarget, ['addprinc', '-pw', 'pw', 'wild/card/extra'], + expected_code=1, expected_msg='Operation requires') realm.addprinc('admin/user', 'pw') kadmin_as(admin, ['delprinc', 'admin/user']) -out = kadmin_as(admin, ['delprinc', 'none'], expected_code=1) -if 'Operation requires' not in out: - fail('delprinc failure (wildcard backreferences not matched)') +kadmin_as(admin, ['delprinc', 'none'], expected_code=1, + expected_msg='Operation requires') realm.addprinc('four/one/three', 'pw') kadmin_as(onetwothreefour, ['delprinc', 'four/one/three']) +mark('addprinc (restrictions)') kadmin_as(restrictions, ['addprinc', '-pw', 'pw', 'type1']) -out = realm.run([kadminl, 'getprinc', 'type1']) -if 'Policy: minlife' not in out: - fail('restriction (policy)') +realm.run([kadminl, 'getprinc', 'type1'], expected_msg='Policy: minlife') realm.run([kadminl, 'delprinc', 'type1']) kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-policy', 'minlife', 'type2']) -out = realm.run([kadminl, 'getprinc', 'type2']) -if 'Policy: [none]' not in out: - fail('restriction (clearpolicy)') +realm.run([kadminl, 'getprinc', 'type2'], expected_msg='Policy: [none]') realm.run([kadminl, 'delprinc', 'type2']) kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxlife', '1 minute', 'type3']) @@ -319,43 +279,53 @@ if ('Maximum ticket life: 0 days 00:01:00' not in out or realm.run([kadminl, 'delprinc', 'type3']) kadmin_as(restrictions, ['addprinc', '-pw', 'pw', '-maxrenewlife', '1 day', 'type3']) -out = realm.run([kadminl, 'getprinc', 'type3']) -if 'Maximum renewable life: 0 days 02:00:00' not in out: - fail('restriction (maxrenewlife high)') +realm.run([kadminl, 'getprinc', 'type3'], + expected_msg='Maximum renewable life: 0 days 02:00:00') +mark('extract') realm.run([kadminl, 'addprinc', '-pw', 'pw', 'extractkeys']) -out = kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'], - expected_code=1) -if 'Operation requires ``extract-keys\'\' privilege' not in out: - fail('extractkeys failure (all_wildcard)') +kadmin_as(all_wildcard, ['ktadd', '-norandkey', 'extractkeys'], + expected_code=1, + expected_msg="Operation requires ``extract-keys'' privilege") kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys']) realm.kinit('extractkeys', flags=['-k']) os.remove(realm.keytab) +mark('lockdown_keys') kadmin_as(all_modify, ['modprinc', '+lockdown_keys', 'extractkeys']) -out = kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'], - expected_code=1) -if 'Operation requires ``change-password\'\' privilege' not in out: - fail('extractkeys failure (all_changepw)') +kadmin_as(all_changepw, ['cpw', '-pw', 'newpw', 'extractkeys'], + expected_code=1, + expected_msg="Operation requires ``change-password'' privilege") kadmin_as(all_changepw, ['cpw', '-randkey', 'extractkeys']) -out = kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], - expected_code=1) -if 'Operation requires ``extract-keys\'\' privilege' not in out: - fail('extractkeys failure (all_extract)') -out = kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('extractkeys failure (all_delete)') -out = kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'], - expected_code=1) -if 'Operation requires ``delete\'\' privilege' not in out: - fail('extractkeys failure (all_rename)') -out = kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'], - expected_code=1) -if 'Operation requires ``modify\'\' privilege' not in out: - fail('extractkeys failure (all_modify)') +kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys'], expected_code=1, + expected_msg="Operation requires ``extract-keys'' privilege") +kadmin_as(all_delete, ['delprinc', 'extractkeys'], expected_code=1, + expected_msg="Operation requires ``delete'' privilege") +kadmin_as(all_rename, ['renprinc', 'extractkeys', 'renamedprinc'], + expected_code=1, + expected_msg="Operation requires ``delete'' privilege") +kadmin_as(all_modify, ['modprinc', '-lockdown_keys', 'extractkeys'], + expected_code=1, + expected_msg="Operation requires ``modify'' privilege") realm.run([kadminl, 'modprinc', '-lockdown_keys', 'extractkeys']) kadmin_as(all_extract, ['ktadd', '-norandkey', 'extractkeys']) realm.kinit('extractkeys', flags=['-k']) os.remove(realm.keytab) +# Verify that self-service key changes require an initial ticket. +mark('self-service initial ticket') +realm.run([kadminl, 'cpw', '-pw', password('none'), 'none']) +realm.run([kadminl, 'modprinc', '+allow_tgs_req', 'kadmin/admin']) +realm.kinit('none', password('none')) +realm.run([kvno, 'kadmin/admin']) +msg = 'Operation requires initial ticket' +realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', 'none'], + expected_code=1, expected_msg=msg) +realm.run([kadmin, '-c', realm.ccache, 'cpw', '-pw', 'newpw', + '-e', 'aes256-cts', 'none'], expected_code=1, expected_msg=msg) +realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', 'none'], + expected_code=1, expected_msg=msg) +realm.run([kadmin, '-c', realm.ccache, 'cpw', '-randkey', '-e', 'aes256-cts', + 'none'], expected_code=1, expected_msg=msg) + success('kadmin ACL enforcement') diff --git a/src/tests/t_kadmin_parsing.py b/src/tests/t_kadmin_parsing.py index 92d72d2..bebb014 100644 --- a/src/tests/t_kadmin_parsing.py +++ b/src/tests/t_kadmin_parsing.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # This file contains tests for kadmin command parsing. Principal @@ -57,33 +56,27 @@ realm = K5Realm(create_host=False, get_creds=False) realm.run([kadminl, 'addpol', 'pol']) for instr, outstr in intervals: realm.run([kadminl, 'modprinc', '-maxlife', instr, realm.user_princ]) - out = realm.run([kadminl, 'getprinc', realm.user_princ]) - if 'Maximum ticket life: ' + outstr + '\n' not in out: - fail('princ maxlife: ' + instr) + msg = 'Maximum ticket life: ' + outstr + '\n' + realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg) realm.run([kadminl, 'modprinc', '-maxrenewlife', instr, realm.user_princ]) - out = realm.run([kadminl, 'getprinc', realm.user_princ]) - if 'Maximum renewable life: ' + outstr + '\n' not in out: - fail('princ maxrenewlife: ' + instr) + msg = 'Maximum renewable life: ' + outstr + '\n' + realm.run([kadminl, 'getprinc', realm.user_princ], expected_msg=msg) realm.run([kadminl, 'modpol', '-maxlife', instr, 'pol']) - out = realm.run([kadminl, 'getpol', 'pol']) - if 'Maximum password life: ' + outstr + '\n' not in out: - fail('pol maxlife: ' + instr) + msg = 'Maximum password life: ' + outstr + '\n' + realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg) realm.run([kadminl, 'modpol', '-minlife', instr, 'pol']) - out = realm.run([kadminl, 'getpol', 'pol']) - if 'Minimum password life: ' + outstr + '\n' not in out: - fail('pol maxlife: ' + instr) + msg = 'Minimum password life: ' + outstr + '\n' + realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg) realm.run([kadminl, 'modpol', '-failurecountinterval', instr, 'pol']) - out = realm.run([kadminl, 'getpol', 'pol']) - if 'Password failure count reset interval: ' + outstr + '\n' not in out: - fail('pol maxlife: ' + instr) + msg = 'Password failure count reset interval: ' + outstr + '\n' + realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg) realm.run([kadminl, 'modpol', '-lockoutduration', instr, 'pol']) - out = realm.run([kadminl, 'getpol', 'pol']) - if 'Password lockout duration: ' + outstr + '\n' not in out: - fail('pol maxlife: ' + instr) + msg = 'Password lockout duration: ' + outstr + '\n' + realm.run([kadminl, 'getpol', 'pol'], expected_msg=msg) success('kadmin command parsing tests') diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py index 185225a..7a082a5 100755 --- a/src/tests/t_kdb.py +++ b/src/tests/t_kdb.py @@ -1,11 +1,9 @@ -#!/usr/bin/python from k5test import * import time -from itertools import imap -# Run kdbtest against the BDB module. -realm = K5Realm(create_kdb=False) -realm.run(['./kdbtest']) +# Run kdbtest against the non-LDAP KDB modules. +for realm in multidb_realms(create_kdb=False): + realm.run(['./kdbtest']) # Set up an OpenLDAP test server if we can. @@ -16,22 +14,27 @@ if (not os.path.exists(os.path.join(plugins, 'kdb', 'kldap.so')) and if 'SLAPD' not in os.environ and not which('slapd'): skip_rest('LDAP KDB tests', 'slapd not found') +slapadd = which('slapadd') +if not slapadd: + skip_rest('LDAP KDB tests', 'slapadd not found') + ldapdir = os.path.abspath('ldap') dbdir = os.path.join(ldapdir, 'ldap') -slapd_conf = os.path.join(ldapdir, 'slapd.conf') +slapd_conf = os.path.join(ldapdir, 'slapd.d') slapd_out = os.path.join(ldapdir, 'slapd.out') slapd_pidfile = os.path.join(ldapdir, 'pid') ldap_pwfile = os.path.join(ldapdir, 'pw') ldap_sock = os.path.join(ldapdir, 'sock') ldap_uri = 'ldapi://%s/' % ldap_sock.replace(os.path.sep, '%2F') schema = os.path.join(srctop, 'plugins', 'kdb', 'ldap', 'libkdb_ldap', - 'kerberos.schema') + 'kerberos.openldap.ldif') top_dn = 'cn=krb5' admin_dn = 'cn=admin,cn=krb5' admin_pw = 'admin' shutil.rmtree(ldapdir, True) os.mkdir(ldapdir) +os.mkdir(slapd_conf) os.mkdir(dbdir) if 'SLAPD' in os.environ: @@ -44,32 +47,61 @@ else: slapd = os.path.join(ldapdir, 'slapd') shutil.copy(system_slapd, slapd) -# Find the core schema file if we can. +def slap_add(ldif): + proc = subprocess.Popen([slapadd, '-b', 'cn=config', '-F', slapd_conf], + stdin=subprocess.PIPE, stdout=subprocess.PIPE, + stderr=subprocess.STDOUT, universal_newlines=True) + (out, dummy) = proc.communicate(ldif) + output(out) + return proc.wait() + + +# Configure the pid file and some authorization rules we will need for +# SASL testing. +if slap_add('dn: cn=config\n' + 'objectClass: olcGlobal\n' + 'olcPidFile: %s\n' + 'olcAuthzRegexp: ' + '".*uidNumber=%d,cn=peercred,cn=external,cn=auth" "%s"\n' + 'olcAuthzRegexp: "uid=digestuser,cn=digest-md5,cn=auth" "%s"\n' % + (slapd_pidfile, os.geteuid(), admin_dn, admin_dn)) != 0: + skip_rest('LDAP KDB tests', 'slapd basic configuration failed') + +# Find a working writable database type, trying mdb (added in OpenLDAP +# 2.4.27) and bdb (deprecated and sometimes not built due to licensing +# incompatibilities). +for dbtype in ('mdb', 'bdb'): + # Try to load the module. This could fail if OpenLDAP is built + # without module support, so ignore errors. + slap_add('dn: cn=module,cn=config\n' + 'objectClass: olcModuleList\n' + 'olcModuleLoad: back_%s\n' % dbtype) + + dbclass = 'olc%sConfig' % dbtype.capitalize() + if slap_add('dn: olcDatabase=%s,cn=config\n' + 'objectClass: olcDatabaseConfig\n' + 'objectClass: %s\n' + 'olcSuffix: %s\n' + 'olcRootDN: %s\n' + 'olcRootPW: %s\n' + 'olcDbDirectory: %s\n' % + (dbtype, dbclass, top_dn, admin_dn, admin_pw, dbdir)) == 0: + break +else: + skip_rest('LDAP KDB tests', 'could not find working slapd db type') + +if slap_add('include: file://%s\n' % schema) != 0: + skip_rest('LDAP KDB tests', 'failed to load Kerberos schema') + +# Load the core schema if we can. ldap_homes = ['/etc/ldap', '/etc/openldap', '/usr/local/etc/openldap', '/usr/local/etc/ldap'] -local_schema_path = '/schema/core.schema' -core_schema = next((i for i in imap(lambda x:x+local_schema_path, ldap_homes) +local_schema_path = '/schema/core.ldif' +core_schema = next((i for i in map(lambda x:x+local_schema_path, ldap_homes) if os.path.isfile(i)), None) - -# Make a slapd config file. This is deprecated in OpenLDAP 2.3 and -# later, but it's easier than using LDIF and slapadd. Include some -# authz-regexp entries for SASL authentication tests. Load the core -# schema if we found it, for use in the DIGEST-MD5 test. -file = open(slapd_conf, 'w') -file.write('pidfile %s\n' % slapd_pidfile) -file.write('include %s\n' % schema) if core_schema: - file.write('include %s\n' % core_schema) -file.write('moduleload back_bdb\n') -file.write('database bdb\n') -file.write('suffix %s\n' % top_dn) -file.write('rootdn %s\n' % admin_dn) -file.write('rootpw %s\n' % admin_pw) -file.write('directory %s\n' % dbdir) -file.write('authz-regexp .*uidNumber=%d,cn=peercred,cn=external,cn=auth %s\n' % - (os.geteuid(), admin_dn)) -file.write('authz-regexp uid=digestuser,cn=digest-md5,cn=auth %s\n' % admin_dn) -file.close() + if slap_add('include: file://%s\n' % core_schema) != 0: + core_schema = None slapd_pid = -1 def kill_slapd(): @@ -80,8 +112,8 @@ def kill_slapd(): atexit.register(kill_slapd) out = open(slapd_out, 'w') -subprocess.call([slapd, '-h', ldap_uri, '-f', slapd_conf], stdout=out, - stderr=out) +subprocess.call([slapd, '-h', ldap_uri, '-F', slapd_conf], stdout=out, + stderr=out, universal_newlines=True) out.close() pidf = open(slapd_pidfile, 'r') slapd_pid = int(pidf.read()) @@ -125,7 +157,7 @@ def ldap_search(args): proc = subprocess.Popen([ldapsearch, '-H', ldap_uri, '-b', top_dn, '-D', admin_dn, '-w', admin_pw, args], stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.STDOUT) + stderr=subprocess.STDOUT, universal_newlines=True) (out, dummy) = proc.communicate() return out @@ -133,7 +165,7 @@ def ldap_modify(ldif, args=[]): proc = subprocess.Popen([ldapmodify, '-H', ldap_uri, '-D', admin_dn, '-x', '-w', admin_pw] + args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, - stderr=subprocess.STDOUT) + stderr=subprocess.STDOUT, universal_newlines=True) (out, dummy) = proc.communicate(ldif) output(out) @@ -167,47 +199,47 @@ if out != 'KRBTEST.COM\n': # because we're sticking a krbPrincipalAux objectclass onto a subtree # krbContainer, but it works and it avoids having to load core.schema # in the test LDAP server. -out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], - expected_code=1) -if 'DN is out of the realm subtree' not in out: - fail('Unexpected kadmin.local output for out-of-realm dn') +mark('LDAP specified dn') +realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=krb5', 'princ1'], + expected_code=1, expected_msg='DN is out of the realm subtree') +# Check that the DN container check is a hierarchy test, not a simple +# suffix match (CVE-2018-5730). We expect this operation to fail +# either way (because "xcn" isn't a valid DN tag) but the container +# check should happen before the DN is parsed. +realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=xcn=t1,cn=krb5', 'princ1'], + expected_code=1, expected_msg='DN is out of the realm subtree') realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'princ1']) -out = realm.run([kadminl, 'getprinc', 'princ1']) -if 'Principal: princ1' not in out: - fail('Unexpected kadmin.local output after creating princ1') -out = realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', - 'again'], expected_code=1) -if 'ldap object is already kerberized' not in out: - fail('Unexpected kadmin.local output trying to re-kerberize DN') +realm.run([kadminl, 'getprinc', 'princ1'], expected_msg='Principal: princ1') +realm.run([kadminl, 'ank', '-randkey', '-x', 'dn=cn=t2,cn=krb5', 'again'], + expected_code=1, expected_msg='ldap object is already kerberized') # Check that we can't set linkdn on a non-standalone object. -out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'], - expected_code=1) -if 'link information can not be set' not in out: - fail('Unexpected kadmin.local output trying to set linkdn on princ1') +realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t1,cn=krb5', 'princ1'], + expected_code=1, expected_msg='link information can not be set') # Create a principal with a specified linkdn. -out = realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'], - expected_code=1) -if 'DN is out of the realm subtree' not in out: - fail('Unexpected kadmin.local output for out-of-realm linkdn') +mark('LDAP specified linkdn') +realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=krb5', 'princ2'], + expected_code=1, expected_msg='DN is out of the realm subtree') realm.run([kadminl, 'ank', '-randkey', '-x', 'linkdn=cn=t1,cn=krb5', 'princ2']) # Check that we can't reset linkdn. -out = realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'], - expected_code=1) -if 'kerberos principal is already linked' not in out: - fail('Unexpected kadmin.local output for re-specified linkdn') +realm.run([kadminl, 'modprinc', '-x', 'linkdn=cn=t2,cn=krb5', 'princ2'], + expected_code=1, expected_msg='kerberos principal is already linked') # Create a principal with a specified containerdn. -out = realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', - 'princ3'], expected_code=1) -if 'DN is out of the realm subtree' not in out: - fail('Unexpected kadmin.local output for out-of-realm containerdn') +mark('LDAP specified containerdn') +realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', 'princ3'], + expected_code=1, expected_msg='DN is out of the realm subtree') realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=t1,cn=krb5', 'princ3']) -out = realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', - 'princ3'], expected_code=1) -if 'containerdn option not supported' not in out: - fail('Unexpected kadmin.local output trying to reset containerdn') +realm.run([kadminl, 'modprinc', '-x', 'containerdn=cn=t2,cn=krb5', 'princ3'], + expected_code=1, expected_msg='containerdn option not supported') +# Verify that containerdn is checked when linkdn is also supplied +# (CVE-2018-5730). +realm.run([kadminl, 'ank', '-randkey', '-x', 'containerdn=cn=krb5', + '-x', 'linkdn=cn=t2,cn=krb5', 'princ4'], expected_code=1, + expected_msg='DN is out of the realm subtree') + +mark('LDAP ticket policy') # Create and modify a ticket policy. kldaputil(['create_policy', '-maxtktlife', '3hour', '-maxrenewlife', '6hour', @@ -255,9 +287,8 @@ if out: kldaputil(['create_policy', 'tktpol2']) # Try to create a password policy conflicting with a ticket policy. -out = realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1) -if 'Already exists while creating policy "tktpol2"' not in out: - fail('Expected error not seen in kadmin.local output') +realm.run([kadminl, 'addpol', 'tktpol2'], expected_code=1, + expected_msg='Already exists while creating policy "tktpol2"') # Try to create a ticket policy conflicting with a password policy. realm.run([kadminl, 'addpol', 'pwpol']) @@ -266,19 +297,17 @@ if 'Already exists while creating policy object' not in out: fail('Expected error not seen in kdb5_ldap_util output') # Try to use a password policy as a ticket policy. -out = realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'], - expected_code=1) -if 'Object class violation' not in out: - fail('Expected error not seem in kadmin.local output') +realm.run([kadminl, 'modprinc', '-x', 'tktpolicy=pwpol', 'princ4'], + expected_code=1, expected_msg='Object class violation') # Use a ticket policy as a password policy (CVE-2014-5353). This # works with a warning; use kadmin.local -q so the warning is shown. -out = realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4']) -if 'WARNING: policy "tktpol2" does not exist' not in out: - fail('Expected error not seen in kadmin.local output') +realm.run([kadminl, '-q', 'modprinc -policy tktpol2 princ4'], + expected_msg='WARNING: policy "tktpol2" does not exist') # Do some basic tests with a KDC against the LDAP module, exercising the # db_args processing code. +mark('LDAP KDC operation') realm.start_kdc(['-x', 'nconns=3', '-x', 'host=' + ldap_uri, '-x', 'binddn=' + admin_dn, '-x', 'bindpwd=' + admin_pw]) realm.addprinc(realm.user_princ, password('user')) @@ -288,6 +317,8 @@ realm.kinit(realm.user_princ, password('user')) realm.run([kvno, realm.host_princ]) realm.klist(realm.user_princ, realm.host_princ) +mark('LDAP auth indicator') + # Test auth indicator support realm.addprinc('authind', password('authind')) realm.run([kadminl, 'setstr', 'authind', 'require_auth', 'otp radius']) @@ -298,9 +329,10 @@ if 'krbPrincipalAuthInd: otp' not in out: if 'krbPrincipalAuthInd: radius' not in out: fail('Expected krbPrincipalAuthInd value not in output') -out = realm.run([kadminl, 'getstrs', 'authind']) -if 'require_auth: otp radius' not in out: - fail('Expected auth indicators value not in output') +realm.run([kadminl, 'getstrs', 'authind'], + expected_msg='require_auth: otp radius') + +mark('LDAP service principal aliases') # Test service principal aliases. realm.addprinc('canon', password('canon')) @@ -311,14 +343,11 @@ ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n' '-\n' 'add: krbCanonicalName\n' 'krbCanonicalName: canon@KRBTEST.COM\n') -out = realm.run([kadminl, 'getprinc', 'alias']) -if 'Principal: canon@KRBTEST.COM\n' not in out: - fail('Could not fetch canon through alias') -out = realm.run([kadminl, 'getprinc', 'canon']) -if 'Principal: canon@KRBTEST.COM\n' not in out: - fail('Could not fetch canon through canon') -realm.run([kvno, 'alias']) -realm.run([kvno, 'canon']) +realm.run([kadminl, 'getprinc', 'alias'], + expected_msg='Principal: canon@KRBTEST.COM\n') +realm.run([kadminl, 'getprinc', 'canon'], + expected_msg='Principal: canon@KRBTEST.COM\n') +realm.run([kvno, 'alias', 'canon']) out = realm.run([klist]) if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out: fail('After fetching alias and canon, klist is missing one or both') @@ -334,9 +363,8 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,' '-\n' 'add: krbCanonicalName\n' 'krbCanonicalName: krbtgt/KRBTEST.COM@KRBTEST.COM\n') -out = realm.run([kadminl, 'getprinc', 'tgtalias']) -if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out: - fail('Could not fetch krbtgt through tgtalias') +realm.run([kadminl, 'getprinc', 'tgtalias'], + expected_msg='Principal: krbtgt/KRBTEST.COM@KRBTEST.COM') realm.kinit(realm.user_princ, password('user')) realm.run([kvno, 'tgtalias']) realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM') @@ -352,9 +380,8 @@ realm.klist(realm.user_princ, 'alias@KRBTEST.COM') # Test client principal aliases, with and without preauth. realm.kinit('canon', password('canon')) -out = realm.kinit('alias', password('canon'), expected_code=1) -if 'not found in Kerberos database' not in out: - fail('Wrong error message for kinit to alias without -C flag') +realm.kinit('alias', password('canon'), expected_code=1, + expected_msg='not found in Kerberos database') realm.kinit('alias', password('canon'), ['-C']) realm.run([kvno, 'alias']) realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM') @@ -362,6 +389,8 @@ realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon']) realm.kinit('canon', password('canon')) realm.kinit('alias', password('canon'), ['-C']) +mark('LDAP password history') + # Test password history. def test_pwhist(nhist): def cpw(n, **kwargs): @@ -401,6 +430,7 @@ def get_princ(princ): out = realm.run([kadminl, 'getprinc', princ]) return dict(map(str.strip, x.split(":", 1)) for x in out.splitlines()) +mark('LDAP principal renaming') realm.addprinc("rename", password('rename')) renameprinc = get_princ("rename") realm.run([kadminl, '-p', 'fake@KRBTEST.COM', 'renprinc', 'rename', 'renamed']) @@ -409,51 +439,54 @@ if renameprinc['Last modified'] == renamedprinc['Last modified']: fail('Last modified data not updated when principal was renamed') # Regression test for #7980 (fencepost when dividing keys up by kvno). +mark('#7980 regression test') realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts', 'kvnoprinc']) realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts,aes128-cts', 'kvnoprinc']) -out = realm.run([kadminl, 'getprinc', 'kvnoprinc']) -if 'Number of keys: 4' not in out: - fail('After cpw -keepold, wrong number of keys') +realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 4') realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts,aes128-cts', 'kvnoprinc']) -out = realm.run([kadminl, 'getprinc', 'kvnoprinc']) -if 'Number of keys: 6' not in out: - fail('After cpw -keepold, wrong number of keys') +realm.run([kadminl, 'getprinc', 'kvnoprinc'], expected_msg='Number of keys: 6') # Regression test for #8041 (NULL dereference on keyless principals). +mark('#8041 regression test') realm.run([kadminl, 'addprinc', '-nokey', 'keylessprinc']) -out = realm.run([kadminl, 'getprinc', 'keylessprinc']) -if 'Number of keys: 0' not in out: - fail('Failed to create a principal with no keys') +realm.run([kadminl, 'getprinc', 'keylessprinc'], + expected_msg='Number of keys: 0') realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,aes128-cts', 'keylessprinc']) realm.run([kadminl, 'cpw', '-randkey', '-keepold', '-e', 'aes256-cts,aes128-cts', 'keylessprinc']) -out = realm.run([kadminl, 'getprinc', 'keylessprinc']) -if 'Number of keys: 4' not in out: - fail('Failed to add keys to keylessprinc') +realm.run([kadminl, 'getprinc', 'keylessprinc'], + expected_msg='Number of keys: 4') realm.run([kadminl, 'purgekeys', '-all', 'keylessprinc']) -out = realm.run([kadminl, 'getprinc', 'keylessprinc']) -if 'Number of keys: 0' not in out: - fail('After purgekeys -all, keys remain') +realm.run([kadminl, 'getprinc', 'keylessprinc'], + expected_msg='Number of keys: 0') # Test for 8354 (old password history entries when -keepold is used) +mark('#8354 regression test') realm.run([kadminl, 'addpol', '-history', '2', 'keepoldpasspol']) realm.run([kadminl, 'addprinc', '-policy', 'keepoldpasspol', '-pw', 'aaaa', 'keepoldpassprinc']) for p in ('bbbb', 'cccc', 'aaaa'): realm.run([kadminl, 'cpw', '-keepold', '-pw', p, 'keepoldpassprinc']) +if runenv.sizeof_time_t <= 4: + skipped('y2038 LDAP test', 'platform has 32-bit time_t') +else: + # Test storage of timestamps after y2038. + realm.run([kadminl, 'modprinc', '-pwexpire', '2040-02-03', 'user']) + realm.run([kadminl, 'getprinc', 'user'], expected_msg=' 2040\n') + realm.stop() # Briefly test dump and load. +mark('LDAP dump and load') dumpfile = os.path.join(realm.testdir, 'dump') realm.run([kdb5_util, 'dump', dumpfile]) -out = realm.run([kdb5_util, 'load', dumpfile], expected_code=1) -if 'KDB module requires -update argument' not in out: - fail('Unexpected error from kdb5_util load without -update') +realm.run([kdb5_util, 'load', dumpfile], expected_code=1, + expected_msg='KDB module requires -update argument') realm.run([kdb5_util, 'load', '-update', dumpfile]) # Destroy the realm. @@ -470,6 +503,7 @@ if runenv.have_sasl != 'yes': # Test SASL EXTERNAL auth. Remove the DNs and service password file # from the DB module config. +mark('LDAP SASL EXTERNAL auth') os.remove(ldap_pwfile) dbmod = conf['dbmodules']['ldap'] dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'EXTERNAL' @@ -486,6 +520,7 @@ realm.run([kdb5_ldap_util, 'destroy', '-f']) # Test SASL DIGEST-MD5 auth. We need to set a clear-text password for # the admin DN, so create a person entry (requires the core schema). # Restore the service password file in the config and set authcids. +mark('LDAP SASL DIGEST-MD5 auth') ldap_add('cn=admin,cn=krb5', 'person', ['sn: dummy', 'userPassword: admin']) dbmod['ldap_kdc_sasl_mech'] = dbmod['ldap_kadmind_sasl_mech'] = 'DIGEST-MD5' @@ -501,14 +536,10 @@ realm.addprinc(realm.user_princ, password('user')) realm.kinit(realm.user_princ, password('user')) realm.stop() # Exercise DB options, which should cause binding to fail. -out = realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'], - expected_code=1) -if 'Cannot bind to LDAP server' not in out: - fail('Expected error not seen in kadmin.local output') -out = realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'], - expected_code=1) -if 'Cannot bind to LDAP server' not in out: - fail('Expected error not seen in kadmin.local output') +realm.run([kadminl, '-x', 'sasl_authcid=ab', 'getprinc', 'user'], + expected_code=1, expected_msg='Cannot bind to LDAP server') +realm.run([kadminl, '-x', 'bindpwd=wrong', 'getprinc', 'user'], + expected_code=1, expected_msg='Cannot bind to LDAP server') realm.run([kdb5_ldap_util, 'destroy', '-f']) # We could still use tests to exercise: diff --git a/src/tests/t_kdb_locking.py b/src/tests/t_kdb_locking.py index e8d86e0..9ae42a8 100755 --- a/src/tests/t_kdb_locking.py +++ b/src/tests/t_kdb_locking.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # This is a regression test for # https://bugzilla.redhat.com/show_bug.cgi?id=586032 . # @@ -13,7 +11,7 @@ import os from k5test import * p = 'foo' -realm = K5Realm(create_user=False) +realm = K5Realm(create_user=False, bdb_only=True) realm.addprinc(p, p) kadm5_lock = os.path.join(realm.testdir, 'db.kadm5.lock') @@ -21,9 +19,8 @@ if not os.path.exists(kadm5_lock): fail('kadm5 lock file not created: ' + kadm5_lock) os.unlink(kadm5_lock) -output = realm.kinit(p, p, [], expected_code=1) -if 'A service is not available' not in output: - fail('krb5kdc should have returned service not available error') +realm.kinit(p, p, [], expected_code=1, + expected_msg='A service is not available') f = open(kadm5_lock, 'w') f.close() diff --git a/src/tests/t_kdc_log.py b/src/tests/t_kdc_log.py index 8ddb769..1b14828 100755 --- a/src/tests/t_kdc_log.py +++ b/src/tests/t_kdc_log.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - from k5test import * # Make a TGS request with an expired ticket. diff --git a/src/tests/t_kdcpolicy.py b/src/tests/t_kdcpolicy.py new file mode 100644 index 0000000..a44adfd --- /dev/null +++ b/src/tests/t_kdcpolicy.py @@ -0,0 +1,61 @@ +from k5test import * +from datetime import datetime +import re + +testpreauth = os.path.join(buildtop, 'plugins', 'preauth', 'test', 'test.so') +testpolicy = os.path.join(buildtop, 'plugins', 'kdcpolicy', 'test', + 'kdcpolicy_test.so') +krb5_conf = {'plugins': {'kdcpreauth': {'module': 'test:' + testpreauth}, + 'clpreauth': {'module': 'test:' + testpreauth}, + 'kdcpolicy': {'module': 'test:' + testpolicy}}} +kdc_conf = {'realms': {'$realm': {'default_principal_flags': '+preauth', + 'max_renewable_life': '1d'}}} +realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf) + +realm.run([kadminl, 'addprinc', '-pw', password('fail'), 'fail']) + +def verify_time(out, target_time): + times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out) + times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times] + divisor = 1 + while len(times) > 0: + starttime = times.pop(0) + endtime = times.pop(0) + renewtime = times.pop(0) + + if str((endtime - starttime) * divisor) != target_time: + fail('unexpected lifetime value') + if str((renewtime - endtime) * divisor) != target_time: + fail('unexpected renewable value') + + # Service tickets should have half the lifetime of initial + # tickets. + divisor = 2 + +rflags = ['-r', '1d', '-l', '12h'] + +# Test AS+TGS success path. +realm.kinit(realm.user_princ, password('user'), + rflags + ['-X', 'indicators=SEVEN_HOURS']) +realm.run([kvno, realm.host_princ]) +realm.run(['./adata', realm.host_princ], expected_msg='+97: [SEVEN_HOURS]') +out = realm.run([klist, '-e', realm.ccache]) +verify_time(out, '7:00:00') + +# Test AS+TGS success path with different values. +realm.kinit(realm.user_princ, password('user'), + rflags + ['-X', 'indicators=ONE_HOUR']) +realm.run([kvno, realm.host_princ]) +realm.run(['./adata', realm.host_princ], expected_msg='+97: [ONE_HOUR]') +out = realm.run([klist, '-e', realm.ccache]) +verify_time(out, '1:00:00') + +# Test TGS failure path (using previous creds). +realm.run([kvno, 'fail@%s' % realm.realm], expected_code=1, + expected_msg='KDC policy rejects request') + +# Test AS failure path. +realm.kinit('fail@%s' % realm.realm, password('fail'), + expected_code=1, expected_msg='KDC policy rejects request') + +success('kdcpolicy tests') diff --git a/src/tests/t_keydata.py b/src/tests/t_keydata.py index 686e543..b37233b 100755 --- a/src/tests/t_keydata.py +++ b/src/tests/t_keydata.py @@ -1,31 +1,22 @@ -#!/usr/bin/python from k5test import * realm = K5Realm(create_user=False, create_host=False) # Create a principal with no keys. realm.run([kadminl, 'addprinc', '-nokey', 'user']) -out = realm.run([kadminl, 'getprinc', 'user']) -if 'Number of keys: 0' not in out: - fail('getprinc (addprinc -nokey)') +realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0') # Change its password and check the resulting kvno. realm.run([kadminl, 'cpw', '-pw', 'password', 'user']) -out = realm.run([kadminl, 'getprinc', 'user']) -if 'vno 1' not in out: - fail('getprinc (cpw -pw)') +realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1') # Delete all of its keys. realm.run([kadminl, 'purgekeys', '-all', 'user']) -out = realm.run([kadminl, 'getprinc', 'user']) -if 'Number of keys: 0' not in out: - fail('getprinc (purgekeys)') +realm.run([kadminl, 'getprinc', 'user'], expected_msg='Number of keys: 0') # Randomize its keys and check the resulting kvno. realm.run([kadminl, 'cpw', '-randkey', 'user']) -out = realm.run([kadminl, 'getprinc', 'user']) -if 'vno 1' not in out: - fail('getprinc (cpw -randkey)') +realm.run([kadminl, 'getprinc', 'user'], expected_msg='vno 1') # Return true if patype appears to have been received in a hint list # from a KDC error message, based on the trace file fname. diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py index 35d0b61..7c8d828 100755 --- a/src/tests/t_keyrollover.py +++ b/src/tests/t_keyrollover.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * rollover_krb5_conf = {'libdefaults': {'allow_weak_crypto': 'true'}} @@ -23,25 +22,17 @@ realm.run([kvno, princ1]) realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) # Make sure an old TGT fails after purging old TGS key. realm.run([kvno, princ2], expected_code=1) -output = realm.run([klist, '-e']) - -expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \ +msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc' % \ (realm.realm, realm.realm) - -if expected not in output: - fail('keyrollover: expected TGS enctype not found') +realm.run([klist, '-e'], expected_msg=msg) # Check that new key actually works. realm.kinit(realm.user_princ, password('user')) realm.run([kvno, realm.host_princ]) -output = realm.run([klist, '-e']) - -expected = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ +msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ 'aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96' % \ (realm.realm, realm.realm) - -if expected not in output: - fail('keyrollover: expected TGS enctype not found after change') +realm.run([klist, '-e'], expected_msg=msg) # Test that the KDC only accepts the first enctype for a kvno, for a # local-realm TGS request. To set this up, we abuse an edge-case diff --git a/src/tests/t_keytab.py b/src/tests/t_keytab.py index a06e6c2..72e09da 100755 --- a/src/tests/t_keytab.py +++ b/src/tests/t_keytab.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * for realm in multipass_realms(create_user=False): @@ -8,17 +7,19 @@ for realm in multipass_realms(create_user=False): realm = K5Realm(get_creds=False, start_kadmind=True) # Test kinit with a partial keytab. +mark('partial keytab') pkeytab = realm.keytab + '.partial' realm.run([ktutil], input=('rkt %s\ndelent 1\nwkt %s\n' % (realm.keytab, pkeytab))) realm.kinit(realm.host_princ, flags=['-k', '-t', pkeytab]) # Test kinit with no keys for client in keytab. -output = realm.kinit(realm.user_princ, flags=['-k'], expected_code=1) -if 'no suitable keys' not in output: - fail('Expected error not seen in kinit output') +mark('no keys for client') +realm.kinit(realm.user_princ, flags=['-k'], expected_code=1, + expected_msg='no suitable keys') # Test kinit and klist with client keytab defaults. +mark('client keytab') realm.extract_keytab(realm.user_princ, realm.client_keytab); realm.run([kinit, '-k', '-i']) realm.klist(realm.user_princ) @@ -30,18 +31,18 @@ if realm.client_keytab not in out or realm.user_princ not in out: fail('Expected output not seen from klist -k -i') # Test implicit request for keytab (-i or -t without -k) +mark('implicit -k') realm.run([kdestroy]) -output = realm.kinit(realm.host_princ, flags=['-t', realm.keytab]) -if 'keytab specified, forcing -k' not in output: - fail('Expected output not seen from kinit -t keytab') +realm.kinit(realm.host_princ, flags=['-t', realm.keytab], + expected_msg='keytab specified, forcing -k') realm.klist(realm.host_princ) realm.run([kdestroy]) -output = realm.kinit(realm.user_princ, flags=['-i']) -if 'keytab specified, forcing -k' not in output: - fail('Expected output not seen from kinit -i') +realm.kinit(realm.user_princ, flags=['-i'], + expected_msg='keytab specified, forcing -k') realm.klist(realm.user_princ) # Test extracting keys with multiple key versions present. +mark('multi-kvno extract') os.remove(realm.keytab) realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.host_princ]) out = realm.run([kadminl, 'ktadd', '-norandkey', realm.host_princ]) @@ -52,6 +53,7 @@ if ' 1 host/' not in out or ' 2 host/' not in out: fail('Expected output not seen from klist -k -e') # Test again using kadmin over the network. +mark('multi-kvno extract (via kadmin)') realm.prep_kadmin() os.remove(realm.keytab) out = realm.run_kadmin(['ktadd', '-norandkey', realm.host_princ]) @@ -70,13 +72,12 @@ def test_key_rotate(realm, princ, expected_kvno): realm.run_kadmin(['ktadd', '-k', realm.keytab, princ]) realm.run([kadminl, 'ktrem', princ, 'old']) realm.kinit(princ, flags=['-k']) - out = realm.run([klist, '-k']) - if ('%d %s' % (expected_kvno, princ)) not in out: - fail('kvno %d not listed in keytab' % expected_kvno) - out = realm.run_kadmin(['getprinc', princ]) - if ('Key: vno %d,' % expected_kvno) not in out: - fail('vno %d not seen in getprinc output' % expected_kvno) + msg = '%d %s' % (expected_kvno, princ) + out = realm.run([klist, '-k'], expected_msg=msg) + msg = 'Key: vno %d,' % expected_kvno + out = realm.run_kadmin(['getprinc', princ], expected_msg=msg) +mark('key rotation across boundaries') princ = 'foo/bar@%s' % realm.realm realm.addprinc(princ) os.remove(realm.keytab) @@ -94,46 +95,46 @@ test_key_rotate(realm, princ, 65535) test_key_rotate(realm, princ, 1) test_key_rotate(realm, princ, 2) +mark('32-bit kvno') + # Test that klist -k can read a keytab entry without a 32-bit kvno and # reports the 8-bit key version. -record = '\x00\x01' # principal component count -record += '\x00\x0bKRBTEST.COM' # realm -record += '\x00\x04user' # principal component -record += '\x00\x00\x00\x01' # name type (NT-PRINCIPAL) -record += '\x54\xf7\x4d\x35' # timestamp -record += '\x02' # key version -record += '\x00\x12' # enctype -record += '\x00\x20' # key length -record += '\x00' * 32 # key bytes -f = open(realm.keytab, 'w') -f.write('\x05\x02\x00\x00\x00' + chr(len(record))) +record = b'\x00\x01' # principal component count +record += b'\x00\x0bKRBTEST.COM' # realm +record += b'\x00\x04user' # principal component +record += b'\x00\x00\x00\x01' # name type (NT-PRINCIPAL) +record += b'\x54\xf7\x4d\x35' # timestamp +record += b'\x02' # key version +record += b'\x00\x12' # enctype +record += b'\x00\x20' # key length +record += b'\x00' * 32 # key bytes +f = open(realm.keytab, 'wb') +f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record)])) f.write(record) f.close() -out = realm.run([klist, '-k']) -if (' 2 %s' % realm.user_princ) not in out: - fail('Expected entry not seen in klist -k output') +msg = ' 2 %s' % realm.user_princ +out = realm.run([klist, '-k'], expected_msg=msg) # Make sure zero-fill isn't treated as a 32-bit kvno. -f = open(realm.keytab, 'w') -f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4)) +f = open(realm.keytab, 'wb') +f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record) + 4])) f.write(record) -f.write('\x00\x00\x00\x00') +f.write(b'\x00\x00\x00\x00') f.close() -out = realm.run([klist, '-k']) -if (' 2 %s' % realm.user_princ) not in out: - fail('Expected entry not seen in klist -k output') +msg = ' 2 %s' % realm.user_princ +out = realm.run([klist, '-k'], expected_msg=msg) # Make sure a hand-crafted 32-bit kvno is recognized. -f = open(realm.keytab, 'w') -f.write('\x05\x02\x00\x00\x00' + chr(len(record) + 4)) +f = open(realm.keytab, 'wb') +f.write(b'\x05\x02\x00\x00\x00' + bytes([len(record) + 4])) f.write(record) -f.write('\x00\x00\x00\x03') +f.write(b'\x00\x00\x00\x03') f.close() -out = realm.run([klist, '-k']) -if (' 3 %s' % realm.user_princ) not in out: - fail('Expected entry not seen in klist -k output') +msg = ' 3 %s' % realm.user_princ +out = realm.run([klist, '-k'], expected_msg=msg) # Test parameter expansion in profile variables +mark('parameter expansion') realm.stop() conf = {'libdefaults': { 'default_keytab_name': 'testdir/%{null}abc%{uid}', @@ -142,11 +143,52 @@ realm = K5Realm(krb5_conf=conf, create_kdb=False) del realm.env['KRB5_KTNAME'] del realm.env['KRB5_CLIENT_KTNAME'] uidstr = str(os.getuid()) -out = realm.run([klist, '-k'], expected_code=1) -if 'FILE:testdir/abc%s' % uidstr not in out: - fail('Wrong keytab in klist -k output') -out = realm.run([klist, '-ki'], expected_code=1) -if 'FILE:testdir/xyz%s' % uidstr not in out: - fail('Wrong keytab in klist -ki output') +msg = 'FILE:testdir/abc%s' % uidstr +out = realm.run([klist, '-k'], expected_code=1, expected_msg=msg) +msg = 'FILE:testdir/xyz%s' % uidstr +out = realm.run([klist, '-ki'], expected_code=1, expected_msg=msg) + +conf = {'libdefaults': {'allow_weak_crypto': 'true'}} +realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf) + +realm.run([kadminl, 'ank', '-pw', 'pw', 'default']) +realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', 'exp']) +realm.run([kadminl, 'ank', '-e', 'aes256-cts:special', '-pw', 'pw', '+preauth', + 'pexp']) +realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', 'afs']) +realm.run([kadminl, 'ank', '-e', 'des-cbc-crc:afs3', '-pw', 'pw', '+preauth', + 'pafs']) + +# Extract one of the explicit salt values from the database. +out = realm.run([kdb5_util, 'tabdump', 'keyinfo']) +salt_dict = {f[0]: f[5] for f in [l.split('\t') for l in out.splitlines()]} +exp_salt = bytes.fromhex(salt_dict['exp@KRBTEST.COM']).decode('ascii') + +# Create a keytab using ktutil addent with the specified options and +# password "pw". Test that we can use it to get initial tickets. +# Remove the keytab afterwards. +def test_addent(realm, princ, opts): + realm.run([ktutil], input=('addent -password -p %s -k 1 %s\npw\nwkt %s\n' % + (princ, opts, realm.keytab))) + realm.kinit(princ, flags=['-k']) + os.remove(realm.keytab) + +mark('ktutil addent') + +# Test with default salt. +test_addent(realm, 'default', '-e aes128-cts') +test_addent(realm, 'default', '-e aes256-cts') +# Test with a salt specified to ktutil addent. +test_addent(realm, 'exp', '-e aes256-cts -s %s' % exp_salt) + +# Test etype-info fetching. +test_addent(realm, 'default', '-f') +test_addent(realm, 'default', '-f -e aes128-cts') +test_addent(realm, 'exp', '-f') +test_addent(realm, 'pexp', '-f') +test_addent(realm, 'afs', '-f') +test_addent(realm, 'pafs', '-f') + +success('Keytab-related tests') success('Keytab-related tests') diff --git a/src/tests/t_kprop.py b/src/tests/t_kprop.py index 02cdfee..c33e4fe 100755 --- a/src/tests/t_kprop.py +++ b/src/tests/t_kprop.py @@ -1,7 +1,6 @@ -#!/usr/bin/python from k5test import * -conf_slave = {'dbmodules': {'db': {'database_name': '$testdir/db.slave'}}} +conf_replica = {'dbmodules': {'db': {'database_name': '$testdir/db.replica'}}} def setup_acl(realm): acl_file = os.path.join(realm.testdir, 'kpropd-acl') @@ -22,76 +21,71 @@ def check_output(kpropd): # kprop/kpropd are the only users of krb5_auth_con_initivector, so run # this test over all enctypes to exercise mkpriv cipher state. for realm in multipass_realms(create_user=False): - slave = realm.special_env('slave', True, kdc_conf=conf_slave) + replica = realm.special_env('replica', True, kdc_conf=conf_replica) # Set up the kpropd acl file. setup_acl(realm) - # Create the slave db. + # Create the replica db. dumpfile = os.path.join(realm.testdir, 'dump') realm.run([kdb5_util, 'dump', dumpfile]) - realm.run([kdb5_util, 'load', dumpfile], slave) - realm.run([kdb5_util, 'stash', '-P', 'master'], slave) + realm.run([kdb5_util, 'load', dumpfile], replica) + realm.run([kdb5_util, 'stash', '-P', 'master'], replica) # Make some changes to the master db. realm.addprinc('wakawaka') # Start kpropd. - kpropd = realm.start_kpropd(slave, ['-d']) + kpropd = realm.start_kpropd(replica, ['-d']) realm.run([kdb5_util, 'dump', dumpfile]) realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) check_output(kpropd) - out = realm.run([kadminl, 'listprincs'], slave) - if 'wakawaka' not in out: - fail('Slave does not have all principals from master') + realm.run([kadminl, 'listprincs'], replica, expected_msg='wakawaka') # default_realm tests follow. # default_realm and domain_realm different than realm.realm (test -r argument). -conf_slave2 = {'dbmodules': {'db': {'database_name': '$testdir/db.slave2'}}} -krb5_conf_slave2 = {'libdefaults': {'default_realm': 'FOO'}, - 'domain_realm': {hostname: 'FOO'}} +conf_rep2 = {'dbmodules': {'db': {'database_name': '$testdir/db.replica2'}}} +krb5_conf_rep2 = {'libdefaults': {'default_realm': 'FOO'}, + 'domain_realm': {hostname: 'FOO'}} # default_realm and domain_realm map differ. -conf_slave3 = {'dbmodules': {'db': {'database_name': '$testdir/db.slave3'}}} -krb5_conf_slave3 = {'domain_realm': {hostname: 'BAR'}} +conf_rep3 = {'dbmodules': {'db': {'database_name': '$testdir/db.replica3'}}} +krb5_conf_rep3 = {'domain_realm': {hostname: 'BAR'}} realm = K5Realm(create_user=False) -slave2 = realm.special_env('slave2', True, kdc_conf=conf_slave2, - krb5_conf=krb5_conf_slave2) -slave3 = realm.special_env('slave3', True, kdc_conf=conf_slave3, - krb5_conf=krb5_conf_slave3) +replica2 = realm.special_env('replica2', True, kdc_conf=conf_rep2, + krb5_conf=krb5_conf_rep2) +replica3 = realm.special_env('replica3', True, kdc_conf=conf_rep3, + krb5_conf=krb5_conf_rep3) setup_acl(realm) -# Create the slave db. +# Create the replica db. dumpfile = os.path.join(realm.testdir, 'dump') realm.run([kdb5_util, 'dump', dumpfile]) -realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], slave2) -realm.run([kdb5_util, 'load', dumpfile], slave3) +realm.run([kdb5_util, '-r', realm.realm, 'load', dumpfile], replica2) +realm.run([kdb5_util, 'load', dumpfile], replica3) # Make some changes to the master db. realm.addprinc('wakawaka') # Test override of default_realm with -r realm argument. -kpropd = realm.start_kpropd(slave2, ['-r', realm.realm, '-d']) +kpropd = realm.start_kpropd(replica2, ['-r', realm.realm, '-d']) realm.run([kdb5_util, 'dump', dumpfile]) realm.run([kprop, '-r', realm.realm, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) check_output(kpropd) -out = realm.run([kadminl, '-r', realm.realm, 'listprincs'], slave2) -if 'wakawaka' not in out: - fail('Slave does not have all principals from master') +realm.run([kadminl, '-r', realm.realm, 'listprincs'], replica2, + expected_msg='wakawaka') stop_daemon(kpropd) # Test default_realm and domain_realm mismatch. -kpropd = realm.start_kpropd(slave3, ['-d']) +kpropd = realm.start_kpropd(replica3, ['-d']) realm.run([kdb5_util, 'dump', dumpfile]) realm.run([kprop, '-f', dumpfile, '-P', str(realm.kprop_port()), hostname]) check_output(kpropd) -out = realm.run([kadminl, 'listprincs'], slave3) -if 'wakawaka' not in out: - fail('Slave does not have all principals from master') +realm.run([kadminl, 'listprincs'], replica3, expected_msg='wakawaka') success('kprop tests') diff --git a/src/tests/t_localauth.py b/src/tests/t_localauth.py index 4590485..33390c4 100755 --- a/src/tests/t_localauth.py +++ b/src/tests/t_localauth.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Unfortunately, we can't reliably test the k5login module. We can control @@ -14,9 +13,8 @@ def test_an2ln(env, aname, result, msg): fail(msg) def test_an2ln_err(env, aname, err, msg): - out = realm.run(['./localauth', aname], env=env, expected_code=1) - if err not in out: - fail(msg) + realm.run(['./localauth', aname], env=env, expected_code=1, + expected_msg=err) def test_userok(env, aname, lname, ok, msg): out = realm.run(['./localauth', aname, lname], env=env) @@ -27,6 +25,7 @@ def test_userok(env, aname, lname, ok, msg): # The default an2ln method works only in the default realm, and works # for a single-component principal or a two-component principal where # the second component is the default realm. +mark('default') test_an2ln(None, 'user@KRBTEST.COM', 'user', 'default rule 1') test_an2ln(None, 'user/KRBTEST.COM@KRBTEST.COM', 'user', 'default rule 2') test_an2ln_err(None, 'user/KRBTEST.COM/x@KRBTEST.COM', 'No translation', @@ -36,6 +35,7 @@ test_an2ln_err(None, 'user/X@KRBTEST.COM', 'No translation', test_an2ln_err(None, 'user@X', 'No translation', 'default rule realm mismatch') # auth_to_local_names matches ignore the realm but are case-sensitive. +mark('auth_to_local_names') conf_names1 = {'realms': {'$realm': {'auth_to_local_names': {'user': 'abcd'}}}} names1 = realm.special_env('names1', False, conf_names1) test_an2ln(names1, 'user@KRBTEST.COM', 'abcd', 'auth_to_local_names match') @@ -55,10 +55,12 @@ def a2l_realm(name, values): return realm.special_env(name, False, conf) # Test explicit use of default method. +mark('explicit default') auth1 = a2l_realm('auth1', 'DEFAULT') test_an2ln(auth1, 'user@KRBTEST.COM', 'user', 'default rule') # Test some invalid auth_to_local values. +mark('auth_to_local invalid') auth2 = a2l_realm('auth2', 'RULE') test_an2ln_err(auth2, 'user@X', 'Improper format', 'null rule') auth3 = a2l_realm('auth3', 'UNRECOGNIZED:stuff') @@ -66,6 +68,7 @@ test_an2ln_err(auth3, 'user@X', 'Improper format', 'null rule') # An empty rule has the default selection string (unparsed principal # without realm) and no match or substitutions. +mark('rule (empty)') rule1 = a2l_realm('rule1', 'RULE:') test_an2ln(rule1, 'user@KRBTEST.COM', 'user', 'empty rule') test_an2ln(rule1, 'user@X', 'user', 'empty rule (foreign realm)') @@ -73,23 +76,27 @@ test_an2ln(rule1, 'a/b/c@X', 'a/b/c', 'empty rule (multi-component)') # Test explicit selection string. Also test that the default method # is suppressed when auth_to_local values are present. +mark('rule (selection string)') rule2 = a2l_realm('rule2', 'RULE:[2:$$0.$$2.$$1]') test_an2ln(rule2, 'aaron/burr@REALM', 'REALM.burr.aaron', 'selection string') test_an2ln_err(rule2, 'user@KRBTEST.COM', 'No translation', 'suppress default') # Test match string. +mark('rule (match string)') rule3 = a2l_realm('rule3', 'RULE:(.*tail)') test_an2ln(rule3, 'withtail@X', 'withtail', 'rule match 1') test_an2ln(rule3, 'x/withtail@X', 'x/withtail', 'rule match 2') test_an2ln_err(rule3, 'tails@X', 'No translation', 'rule anchor mismatch') # Test substitutions. +mark('rule (substitutions)') rule4 = a2l_realm('rule4', 'RULE:s/birds/bees/') test_an2ln(rule4, 'thebirdsbirdsbirds@X', 'thebeesbirdsbirds', 'subst 1') rule5 = a2l_realm('rule4', 'RULE:s/birds/bees/g s/bees/birds/') test_an2ln(rule4, 'the/birdsbirdsbirds@x', 'the/birdsbeesbees', 'subst 2') # Test a bunch of auth_to_local values and rule features in combination. +mark('rule (combo)') combo = a2l_realm('combo', ['RULE:[1:$$1-$$0](fred.*)s/-/ /g', 'DEFAULT', 'RULE:[3:$$1](z.*z)']) @@ -101,11 +108,14 @@ test_an2ln(combo, 'zazz/b/c@X', 'zazz', 'combo 5') test_an2ln_err(combo, 'a/b@KRBTEST.COM', 'No translation', 'combo 6') # Test the an2ln userok method with the combo environment. +mark('userok (an2ln)') test_userok(combo, 'fred@X', 'fred X', True, 'combo userok 1') test_userok(combo, 'user@KRBTEST.COM', 'user', True, 'combo userok 2') test_userok(combo, 'user@KRBTEST.COM', 'X', False, 'combo userok 3') test_userok(combo, 'a/b@KRBTEST.COM', 'a/b', False, 'combo userok 4') +mark('test modules') + # Register the two test modules and set up some auth_to_local and # auth_to_local_names entries. modpath = os.path.join(buildtop, 'plugins', 'localauth', 'test', diff --git a/src/tests/t_mkey.py b/src/tests/t_mkey.py index c53b71b..99273c9 100755 --- a/src/tests/t_mkey.py +++ b/src/tests/t_mkey.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * import random import re @@ -92,9 +91,8 @@ def check_stash(*expected): # Verify that the user principal has the expected mkvno. def check_mkvno(princ, expected_mkvno): - out = realm.run([kadminl, 'getprinc', princ]) - if ('MKey: vno %d\n' % expected_mkvno) not in out: - fail('Unexpected mkvno in user DB entry') + msg = 'MKey: vno %d\n' % expected_mkvno + realm.run([kadminl, 'getprinc', princ], expected_msg=msg) # Change the password using either kadmin.local or kadmin, then check @@ -151,18 +149,19 @@ def update_princ_encryption(dry_run, expected_mkvno, expected_updated, # Check the initial state of the realm. +mark('initial state') check_mkey_list((1, defetype, True, True)) check_master_dbent(1, (1, defetype)) check_stash((1, defetype)) check_mkvno(realm.user_princ, 1) # Check that stash will fail if a temp stash file is already present. +mark('temp stash collision') collisionfile = os.path.join(realm.testdir, 'stash_tmp') f = open(collisionfile, 'w') f.close() -output = realm.run([kdb5_util, 'stash'], expected_code=1) -if 'Temporary stash file already exists' not in output: - fail('Did not detect temp stash file collision') +realm.run([kdb5_util, 'stash'], expected_code=1, + expected_msg='Temporary stash file already exists') os.unlink(collisionfile) # Add a new master key with no options. Verify that: @@ -172,6 +171,7 @@ os.unlink(collisionfile) # encrypt that entry. # 3. The stash file is not modified (since we did not pass -s). # 4. The old key is used for password changes. +mark('add_mkey (second master key)') add_mkey([]) check_mkey_list((2, defetype, False, False), (1, defetype, True, True)) check_master_dbent(2, (2, defetype), (1, defetype)) @@ -179,24 +179,25 @@ change_password_check_mkvno(True, realm.user_princ, 'abcd', 1) change_password_check_mkvno(False, realm.user_princ, 'user', 1) # Verify that use_mkey won't make all master keys inactive. -out = realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1) -if 'there must be one master key currently active' not in out: - fail('Unexpected error from use_mkey making all mkeys inactive') +mark('use_mkey (no active keys)') +realm.run([kdb5_util, 'use_mkey', '1', 'now+1day'], expected_code=1, + expected_msg='there must be one master key currently active') check_mkey_list((2, defetype, False, False), (1, defetype, True, True)) # Make the new master key active. Verify that: # 1. The new key has an activation time in list_mkeys and is active. # 2. The new key is used for password changes. # 3. The running KDC can access the new key. +mark('use_mkey') realm.run([kdb5_util, 'use_mkey', '2', 'now-1day']) check_mkey_list((2, defetype, True, True), (1, defetype, True, False)) change_password_check_mkvno(True, realm.user_princ, 'abcd', 2) change_password_check_mkvno(False, realm.user_princ, 'user', 2) # Check purge_mkeys behavior with both master keys still in use. -out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v']) -if 'All keys in use, nothing purged.' not in out: - fail('Unexpected output from purge_mkeys with both mkeys in use') +mark('purge_mkeys (nothing to purge)') +realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'], + expected_msg='All keys in use, nothing purged.') # Do an update_princ_encryption dry run and for real. Verify that: # 1. The target master key is 2 (the active mkvno). @@ -208,6 +209,7 @@ if 'All keys in use, nothing purged.' not in out: # 4. The old stashed master key is sufficient to access the DB (via # MKEY_AUX tl-data which keeps the current master key encrypted in # each of the old master keys). +mark('update_princ_encryption') update_princ_encryption(True, 2, nprincs - 2, 1) check_mkvno(realm.admin_princ, 1) update_princ_encryption(False, 2, nprincs - 2, 1) @@ -218,6 +220,7 @@ realm.kinit(realm.user_princ, 'user') # Update all principals back to mkvno 1 and to mkvno 2 again, to # verify that update_princ_encryption targets the active master key. +mark('update_princ_encryption (back and forth)') realm.run([kdb5_util, 'use_mkey', '2', 'now+1day']) update_princ_encryption(False, 1, nprincs - 1, 0) check_mkvno(realm.user_princ, 1) @@ -226,12 +229,13 @@ update_princ_encryption(False, 2, nprincs - 1, 0) check_mkvno(realm.user_princ, 2) # Test the safety check for purging with an outdated stash file. -out = realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1) -if 'stash file needs updating' not in out: - fail('Unexpected error from purge_mkeys safety check') +mark('purge_mkeys (outdated stash file)') +realm.run([kdb5_util, 'purge_mkeys', '-f'], expected_code=1, + expected_msg='stash file needs updating') # Update the master stash file and check it. Save a copy of the old # one for a later test. +mark('update stash file') shutil.copy(stash_file, stash_file + '.old') realm.run([kdb5_util, 'stash']) check_stash((2, defetype), (1, defetype)) @@ -243,6 +247,7 @@ check_stash((2, defetype), (1, defetype)) # 4. If the stash file is updated, it no longer contains mkvno 1. # 5. use_mkey now gives an error if we refer to mkvno 1. # 6. A second purge_mkeys gives the right message. +mark('purge_mkeys') out = realm.run([kdb5_util, 'purge_mkeys', '-v', '-n', '-f']) if 'KVNO: 1' not in out or '1 key(s) would be purged' not in out: fail('Unexpected output from purge_mkeys dry-run') @@ -253,24 +258,22 @@ check_mkey_list((2, defetype, True, True)) check_master_dbent(2, (2, defetype)) os.rename(stash_file, stash_file + '.save') os.rename(stash_file + '.old', stash_file) -out = realm.run([kadminl, 'getprinc', 'user'], expected_code=1) -if 'Unable to decrypt latest master key' not in out: - fail('Unexpected error from kadmin.local with old stash file') +realm.run([kadminl, 'getprinc', 'user'], expected_code=1, + expected_msg='Unable to decrypt latest master key') os.rename(stash_file + '.save', stash_file) realm.run([kdb5_util, 'stash']) check_stash((2, defetype)) -out = realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1) -if '1 is an invalid KVNO value' not in out: - fail('Unexpected error from use_mkey with invalid kvno') -out = realm.run([kdb5_util, 'purge_mkeys', '-f', '-v']) -if 'There is only one master key which can not be purged.' not in out: - fail('Unexpected output from purge_mkeys with one mkey') +realm.run([kdb5_util, 'use_mkey', '1'], expected_code=1, + expected_msg='1 is an invalid KVNO value') +realm.run([kdb5_util, 'purge_mkeys', '-f', '-v'], + expected_msg='There is only one master key which can not be purged.') # Add a third master key with a specified enctype. Verify that: # 1. The new master key receives the correct number. # 2. The enctype argument is respected. # 3. The new master key is stashed (by itself, at the moment). # 4. We can roll over to the new master key and use it. +mark('add_mkey and update_princ_encryption (third master key)') add_mkey(['-s', '-e', aes128]) check_mkey_list((3, aes128, False, False), (2, defetype, True, True)) check_master_dbent(3, (3, aes128), (2, defetype)) @@ -282,6 +285,7 @@ check_mkvno(realm.user_princ, 3) # Regression test for #7994 (randkey does not update principal mkvno) # and #7995 (-keepold does not re-encrypt old keys). +mark('#7994 and #7995 regression test') add_mkey(['-s']) realm.run([kdb5_util, 'use_mkey', '4', 'now-1day']) realm.run([kadminl, 'cpw', '-randkey', '-keepold', realm.user_princ]) @@ -303,12 +307,13 @@ realm.stop() # created prior to master key rollover support. Verify that: # 1. We can access the database using the old-format stash file. # 2. list_mkeys displays the same list as for a post-1.7 KDB. +mark('pre-1.7 stash file') dumpfile = os.path.join(srctop, 'tests', 'dumpfiles', 'dump.16') os.remove(stash_file) -f = open(stash_file, 'w') +f = open(stash_file, 'wb') f.write(struct.pack('=HL24s', 16, 24, - '\xF8\x3E\xFB\xBA\x6D\x80\xD9\x54\xE5\x5D\xF2\xE0' - '\x94\xAD\x6D\x86\xB5\x16\x37\xEC\x7C\x8A\xBC\x86')) + b'\xF8\x3E\xFB\xBA\x6D\x80\xD9\x54\xE5\x5D\xF2\xE0' + b'\x94\xAD\x6D\x86\xB5\x16\x37\xEC\x7C\x8A\xBC\x86')) f.close() realm.run([kdb5_util, 'load', dumpfile]) nprincs = len(realm.run([kadminl, 'listprincs']).splitlines()) @@ -320,6 +325,7 @@ check_mkey_list((1, des3, True, True)) # 2. update_princ_encryption still targets mkvno 1. # 3. libkadm5 still uses mkvno 1 for key changes. # 4. use_mkey creates the same list as for a post-1.7 KDB. +mark('rollover from pre-1.7 KDB') add_mkey([]) check_mkey_list((2, defetype, False, False), (1, des3, True, True)) update_princ_encryption(False, 1, 0, nprincs - 1) @@ -330,9 +336,9 @@ check_mkey_list((2, defetype, True, True), (1, des3, True, False)) # Regression test for #8395. Purge the master key and verify that a # master key fetch does not segfault. +mark('#8395 regression test') realm.run([kadminl, 'purgekeys', '-all', 'K/M']) -out = realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1) -if 'Cannot find master key record in database' not in out: - fail('Unexpected output from failed master key fetch') +realm.run([kadminl, 'getprinc', realm.user_princ], expected_code=1, + expected_msg='Cannot find master key record in database') success('Master key rollover tests') diff --git a/src/tests/t_otp.py b/src/tests/t_otp.py index f098374..0160fcd 100755 --- a/src/tests/t_otp.py +++ b/src/tests/t_otp.py @@ -1,5 +1,3 @@ -#!/usr/bin/python -# # Author: Nathaniel McCallum # # Copyright (c) 2013 Red Hat, Inc. @@ -31,8 +29,8 @@ # from k5test import * -from Queue import Empty -import StringIO +from queue import Empty +from io import StringIO import struct try: @@ -122,7 +120,8 @@ class UnixRadiusDaemon(RadiusDaemon): sock.listen(1) return (sock, addr) - def recvRequest(self, (sock, addr)): + def recvRequest(self, sock_and_addr): + sock, addr = sock_and_addr conn = sock.accept()[0] sock.close() os.remove(addr) @@ -149,17 +148,23 @@ def verify(daemon, queue, reply, usernm, passwd): assert data['pass'] == [passwd] daemon.join() -def otpconfig(toktype, username=None, indicators=None): - val = '[{"type": "%s"' % toktype +# Compose a single token configuration. +def otpconfig_1(toktype, username=None, indicators=None): + val = '{"type": "%s"' % toktype if username is not None: val += ', "username": "%s"' % username if indicators is not None: qind = ['"%s"' % s for s in indicators] jsonlist = '[' + ', '.join(qind) + ']' val += ', "indicators":' + jsonlist - val += '}]' + val += '}' return val +# Compose a token configuration list suitable for the "otp" string +# attribute. +def otpconfig(toktype, username=None, indicators=None): + return '[' + otpconfig_1(toktype, username, indicators) + ']' + prefix = "/tmp/%d" % os.getpid() secret_file = prefix + ".secret" socket_file = prefix + ".socket" @@ -183,6 +188,7 @@ flags = ['-T', realm.ccache] server_addr = '127.0.0.1:' + str(realm.portbase + 9) ## Test UDP fail / custom username +mark('UDP fail / custom username') daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue)) daemon.start() queue.get() @@ -192,6 +198,7 @@ realm.kinit(realm.user_princ, 'reject', flags=flags, expected_code=1) verify(daemon, queue, False, 'custom', 'reject') ## Test UDP success / standard username +mark('UDP success / standard username') daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue)) daemon.start() queue.get() @@ -199,11 +206,11 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('udp')]) realm.kinit(realm.user_princ, 'accept', flags=flags) verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept') realm.extract_keytab(realm.krbtgt_princ, realm.keytab) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '+97: [indotp1, indotp2]' not in out: - fail('auth indicators not seen in OTP ticket') +realm.run(['./adata', realm.krbtgt_princ], + expected_msg='+97: [indotp1, indotp2]') # Repeat with an indicators override in the string attribute. +mark('auth indicator override') daemon = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept', queue)) daemon.start() queue.get() @@ -212,9 +219,8 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf]) realm.kinit(realm.user_princ, 'accept', flags=flags) verify(daemon, queue, True, realm.user_princ.split('@')[0], 'accept') realm.extract_keytab(realm.krbtgt_princ, realm.keytab) -out = realm.run(['./adata', realm.krbtgt_princ]) -if '+97: [indtok1, indtok2]' not in out: - fail('auth indicators not seen in OTP ticket') +realm.run(['./adata', realm.krbtgt_princ], + expected_msg='+97: [indtok1, indtok2]') # Detect upstream pyrad bug # https://github.com/wichert/pyrad/pull/18 @@ -225,6 +231,7 @@ except AssertionError: skip_rest('OTP UNIX domain socket tests', 'pyrad assertion bug detected') ## Test Unix fail / custom username +mark('Unix socket fail / custom username') daemon = UnixRadiusDaemon(args=(socket_file, '', 'accept', queue)) daemon.start() queue.get() @@ -234,6 +241,7 @@ realm.kinit(realm.user_princ, 'reject', flags=flags, expected_code=1) verify(daemon, queue, False, 'custom', 'reject') ## Test Unix success / standard username +mark('Unix socket success / standard username') daemon = UnixRadiusDaemon(args=(socket_file, '', 'accept', queue)) daemon.start() queue.get() @@ -241,4 +249,20 @@ realm.run([kadminl, 'setstr', realm.user_princ, 'otp', otpconfig('unix')]) realm.kinit(realm.user_princ, 'accept', flags=flags) verify(daemon, queue, True, realm.user_princ, 'accept') +## Regression test for #8708: test with the standard username and two +## tokens configured, with the first rejecting and the second +## accepting. With the bug, the KDC incorrectly rejects the request +## and then performs invalid memory accesses, most likely crashing. +daemon1 = UDPRadiusDaemon(args=(server_addr, secret_file, 'accept1', queue)) +daemon2 = UnixRadiusDaemon(args=(socket_file, '', 'accept2', queue)) +daemon1.start() +queue.get() +daemon2.start() +queue.get() +oconf = '[' + otpconfig_1('udp') + ', ' + otpconfig_1('unix') + ']' +realm.run([kadminl, 'setstr', realm.user_princ, 'otp', oconf]) +realm.kinit(realm.user_princ, 'accept2', flags=flags) +verify(daemon1, queue, False, realm.user_princ.split('@')[0], 'accept2') +verify(daemon2, queue, True, realm.user_princ, 'accept2') + success('OTP tests') diff --git a/src/tests/t_pkinit.py b/src/tests/t_pkinit.py index 526473b..1dadb1b 100755 --- a/src/tests/t_pkinit.py +++ b/src/tests/t_pkinit.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Skip this test if pkinit wasn't built. @@ -23,6 +22,10 @@ privkey_pem = os.path.join(certs, 'privkey.pem') privkey_enc_pem = os.path.join(certs, 'privkey-enc.pem') user_p12 = os.path.join(certs, 'user.p12') user_enc_p12 = os.path.join(certs, 'user-enc.p12') +user_upn_p12 = os.path.join(certs, 'user-upn.p12') +user_upn2_p12 = os.path.join(certs, 'user-upn2.p12') +user_upn3_p12 = os.path.join(certs, 'user-upn3.p12') +generic_p12 = os.path.join(certs, 'generic.p12') path = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs') path_enc = os.path.join(os.getcwd(), 'testdir', 'tmp-pkinit-certs-enc') @@ -35,6 +38,22 @@ pkinit_kdc_conf = {'realms': {'$realm': { 'pkinit_indicator': ['indpkinit1', 'indpkinit2']}}} restrictive_kdc_conf = {'realms': {'$realm': { 'restrict_anonymous_to_tgt': 'true' }}} +freshness_kdc_conf = {'realms': {'$realm': { + 'pkinit_require_freshness': 'true'}}} + +testprincs = {'krbtgt/KRBTEST.COM': {'keys': 'aes128-cts'}, + 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}, + 'user2': {'keys': 'aes128-cts', 'flags': '+preauth'}} +alias_kdc_conf = {'realms': {'$realm': { + 'default_principal_flags': '+preauth', + 'pkinit_eku_checking': 'none', + 'pkinit_allow_upn': 'true', + 'pkinit_identity': 'FILE:%s,%s' % (kdc_pem, privkey_pem), + 'database_module': 'test'}}, + 'dbmodules': {'test': { + 'db_library': 'test', + 'alias': {'user@krbtest.com': 'user'}, + 'princs': testprincs}}} file_identity = 'FILE:%s,%s' % (user_pem, privkey_pem) file_enc_identity = 'FILE:%s,%s' % (user_pem, privkey_enc_pem) @@ -45,25 +64,72 @@ dir_file_identity = 'FILE:%s,%s' % (os.path.join(path, 'user.crt'), dir_file_enc_identity = 'FILE:%s,%s' % (os.path.join(path_enc, 'user.crt'), os.path.join(path_enc, 'user.key')) p12_identity = 'PKCS12:%s' % user_p12 +p12_upn_identity = 'PKCS12:%s' % user_upn_p12 +p12_upn2_identity = 'PKCS12:%s' % user_upn2_p12 +p12_upn3_identity = 'PKCS12:%s' % user_upn3_p12 +p12_generic_identity = 'PKCS12:%s' % generic_p12 p12_enc_identity = 'PKCS12:%s' % user_enc_p12 p11_identity = 'PKCS11:soft-pkcs11.so' p11_token_identity = ('PKCS11:module_name=soft-pkcs11.so:' 'slotid=1:token=SoftToken (token)') +# Start a realm with the test kdb module for the following UPN SAN tests. +realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=alias_kdc_conf, + create_kdb=False) +realm.start_kdc() + +mark('UPN SANs') + +# Compatibility check: cert contains UPN "user", which matches the +# request principal user@KRBTEST.COM if parsed as a normal principal. +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_upn2_identity]) + +# Compatibility check: cert contains UPN "user@KRBTEST.COM", which matches +# the request principal user@KRBTEST.COM if parsed as a normal principal. +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_upn3_identity]) + +# Cert contains UPN "user@krbtest.com" which is aliased to the request +# principal. +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_upn_identity]) + +# Test an id-pkinit-san match to a post-canonical principal. +realm.kinit('user@krbtest.com', + flags=['-E', '-X', 'X509_user_identity=%s' % p12_identity]) + +# Test a UPN match to a post-canonical principal. (This only works +# for the cert with the UPN containing just "user", as we don't allow +# UPN reparsing when comparing to the canonicalized client principal.) +realm.kinit('user@krbtest.com', + flags=['-E', '-X', 'X509_user_identity=%s' % p12_upn2_identity]) + +# Test a mismatch. +msg = 'kinit: Client name mismatch while getting initial credentials' +realm.run([kinit, '-X', 'X509_user_identity=%s' % p12_upn2_identity, 'user2'], + expected_code=1, expected_msg=msg) +realm.stop() + realm = K5Realm(krb5_conf=pkinit_krb5_conf, kdc_conf=pkinit_kdc_conf, get_creds=False) # Sanity check - password-based preauth should still work. +mark('password preauth sanity check') realm.run(['./responder', '-r', 'password=%s' % password('user'), realm.user_princ]) realm.kinit(realm.user_princ, password=password('user')) realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) +# Having tested password preauth, remove the keys for better error +# reporting. +realm.run([kadminl, 'purgekeys', '-all', realm.user_princ]) + # Test anonymous PKINIT. -out = realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1) -if 'not found in Kerberos database' not in out: - fail('Wrong error for anonymous PKINIT without anonymous enabled') +mark('anonymous') +realm.kinit('@%s' % realm.realm, flags=['-n'], expected_code=1, + expected_msg='not found in Kerberos database') realm.addprinc('WELLKNOWN/ANONYMOUS') realm.kinit('@%s' % realm.realm, flags=['-n']) realm.klist('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS') @@ -73,53 +139,107 @@ if '97:' in out: fail('auth indicators seen in anonymous PKINIT ticket') # Test anonymous kadmin. +mark('anonymous kadmin') f = open(os.path.join(realm.testdir, 'acl'), 'a') f.write('WELLKNOWN/ANONYMOUS@WELLKNOWN:ANONYMOUS a *') f.close() realm.start_kadmind() realm.run([kadmin, '-n', 'addprinc', '-pw', 'test', 'testadd']) -out = realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1) -if "Operation requires ``get'' privilege" not in out: - fail('Anonymous kadmin has too much privilege') +realm.run([kadmin, '-n', 'getprinc', 'testadd'], expected_code=1, + expected_msg="Operation requires ``get'' privilege") realm.stop_kadmind() # Test with anonymous restricted; FAST should work but kvno should fail. +mark('anonymous restricted') r_env = realm.special_env('restrict', True, kdc_conf=restrictive_kdc_conf) realm.stop_kdc() realm.start_kdc(env=r_env) realm.kinit('@%s' % realm.realm, flags=['-n']) realm.kinit('@%s' % realm.realm, flags=['-n', '-T', realm.ccache]) -out = realm.run([kvno, realm.host_princ], expected_code=1) -if 'KDC policy rejects request' not in out: - fail('Wrong error for restricted anonymous PKINIT') +realm.run([kvno, realm.host_princ], expected_code=1, + expected_msg='KDC policy rejects request') # Regression test for #8458: S4U2Self requests crash the KDC if # anonymous is restricted. +mark('#8458 regression test') realm.kinit(realm.host_princ, flags=['-k']) realm.run([kvno, '-U', 'user', realm.host_princ]) -# Go back to a normal KDC and disable anonymous PKINIT. +# Go back to the normal KDC environment. realm.stop_kdc() realm.start_kdc() -realm.run([kadminl, 'delprinc', 'WELLKNOWN/ANONYMOUS']) # Run the basic test - PKINIT with FILE: identity, with no password on the key. -realm.run(['./responder', '-x', 'pkinit=', - '-X', 'X509_user_identity=%s' % file_identity, realm.user_princ]) +mark('FILE identity, no password') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'PKINIT client received freshness token from KDC', + 'PKINIT loading CA certs and CRLs from FILE', + 'PKINIT client making DH request', + ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', + 'PKINIT client verified DH reply', + 'PKINIT client found id-pkinit-san in KDC cert', + 'PKINIT client matched KDC principal krbtgt/') realm.kinit(realm.user_princ, - flags=['-X', 'X509_user_identity=%s' % file_identity]) + flags=['-X', 'X509_user_identity=%s' % file_identity], + expected_trace=msgs) realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) # Try again using RSA instead of DH. +mark('FILE identity, no password, RSA') realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % file_identity, - '-X', 'flag_RSA_PROTOCOL=yes']) + '-X', 'flag_RSA_PROTOCOL=yes'], + expected_trace=('PKINIT client making RSA request', + 'PKINIT client verified RSA reply')) realm.klist(realm.user_princ) +# Test a DH parameter renegotiation by temporarily setting a 4096-bit +# minimum on the KDC. (Preauth type 16 is PKINIT PA_PK_AS_REQ; +# 109 is PKINIT TD_DH_PARAMETERS; 133 is FAST PA-FX-COOKIE.) +mark('DH parameter renegotiation') +minbits_kdc_conf = {'realms': {'$realm': {'pkinit_dh_min_bits': '4096'}}} +minbits_env = realm.special_env('restrict', True, kdc_conf=minbits_kdc_conf) +realm.stop_kdc() +realm.start_kdc(env=minbits_env) +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Preauth module pkinit (16) (real) returned: 0/Success', + ' preauth for next request: PA-FX-COOKIE (133), PA-PK-AS-REQ (16)', + '/Key parameters not accepted', + 'Preauth tryagain input types (16): 109, PA-FX-COOKIE (133)', + 'trying again with KDC-provided parameters', + 'Preauth module pkinit (16) tryagain returned: 0/Success', + ' preauth for next request: PA-PK-AS-REQ (16), PA-FX-COOKIE (133)') +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity], + expected_trace=msgs) + +# Test enforcement of required freshness tokens. (We can leave +# freshness tokens required after this test.) +mark('freshness token enforcement') +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity, + '-X', 'disable_freshness=yes']) +f_env = realm.special_env('freshness', True, kdc_conf=freshness_kdc_conf) +realm.stop_kdc() +realm.start_kdc(env=f_env) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % file_identity, + '-X', 'disable_freshness=yes'], + expected_code=1, expected_msg='Preauthentication failed') +# Anonymous should never require a freshness token. +realm.kinit('@%s' % realm.realm, flags=['-n', '-X', 'disable_freshness=yes']) + # Run the basic test - PKINIT with FILE: identity, with a password on the key, # supplied by the prompter. # Expect failure if the responder does nothing, and we have no prompter. +mark('FILE identity, password on key (prompter)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity, '-X', 'X509_user_identity=%s' % file_enc_identity, realm.user_princ], expected_code=2) @@ -128,13 +248,13 @@ realm.kinit(realm.user_princ, password='encrypted') realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) -out = realm.run(['./adata', realm.host_princ]) -if '+97: [indpkinit1, indpkinit2]' not in out: - fail('auth indicators not seen in PKINIT ticket') +realm.run(['./adata', realm.host_princ], + expected_msg='+97: [indpkinit1, indpkinit2]') # Run the basic test - PKINIT with FILE: identity, with a password on the key, # supplied by the responder. # Supply the response in raw form. +mark('FILE identity, password on key (responder)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % file_enc_identity, '-r', 'pkinit={"%s": "encrypted"}' % file_enc_identity, '-X', 'X509_user_identity=%s' % file_enc_identity, @@ -146,14 +266,13 @@ realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) # PKINIT with DIR: identity, with no password on the key. +mark('DIR identity, no password') os.mkdir(path) os.mkdir(path_enc) shutil.copy(privkey_pem, os.path.join(path, 'user.key')) shutil.copy(privkey_enc_pem, os.path.join(path_enc, 'user.key')) shutil.copy(user_pem, os.path.join(path, 'user.crt')) shutil.copy(user_pem, os.path.join(path_enc, 'user.crt')) -realm.run(['./responder', '-x', 'pkinit=', '-X', - 'X509_user_identity=%s' % dir_identity, realm.user_princ]) realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % dir_identity]) realm.klist(realm.user_princ) @@ -162,6 +281,7 @@ realm.run([kvno, realm.host_princ]) # PKINIT with DIR: identity, with a password on the key, supplied by the # prompter. # Expect failure if the responder does nothing, and we have no prompter. +mark('DIR identity, password on key (prompter)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity, '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ], expected_code=2) @@ -174,6 +294,7 @@ realm.run([kvno, realm.host_princ]) # PKINIT with DIR: identity, with a password on the key, supplied by the # responder. # Supply the response in raw form. +mark('DIR identity, password on key (responder)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % dir_file_enc_identity, '-r', 'pkinit={"%s": "encrypted"}' % dir_file_enc_identity, '-X', 'X509_user_identity=%s' % dir_enc_identity, realm.user_princ]) @@ -185,8 +306,7 @@ realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) # PKINIT with PKCS12: identity, with no password on the bundle. -realm.run(['./responder', '-x', 'pkinit=', - '-X', 'X509_user_identity=%s' % p12_identity, realm.user_princ]) +mark('PKCS12 identity, no password') realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p12_identity]) realm.klist(realm.user_princ) @@ -195,6 +315,7 @@ realm.run([kvno, realm.host_princ]) # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the # prompter. # Expect failure if the responder does nothing, and we have no prompter. +mark('PKCS12 identity, password on bundle (prompter)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity, '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ], expected_code=2) @@ -207,6 +328,7 @@ realm.run([kvno, realm.host_princ]) # PKINIT with PKCS12: identity, with a password on the bundle, supplied by the # responder. # Supply the response in raw form. +mark('PKCS12 identity, password on bundle (responder)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p12_enc_identity, '-r', 'pkinit={"%s": "encrypted"}' % p12_enc_identity, '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.user_princ]) @@ -217,6 +339,65 @@ realm.run(['./responder', '-X', 'X509_user_identity=%s' % p12_enc_identity, realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) +mark('pkinit_cert_match rules') + +# Match a single rule. +rule = '^user@KRBTEST.COM$' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity]) +realm.klist(realm.user_princ) + +# Regression test for #8670: match a UPN SAN with a single rule. +rule = '^user@krbtest.com$' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_upn_identity]) +realm.klist(realm.user_princ) + +# Match a combined rule (default prefix is &&). +rule = 'CN=user$digitalSignature,keyEncipherment' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity]) +realm.klist(realm.user_princ) + +# Fail an && rule. +rule = '&&O=OTHER.COM^user@KRBTEST.COM$' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +msg = 'kinit: Certificate mismatch while getting initial credentials' +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity], + expected_code=1, expected_msg=msg) + +# Pass an || rule. +rule = '||O=KRBTEST.COM^otheruser@KRBTEST.COM$' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity]) +realm.klist(realm.user_princ) + +# Fail an || rule. +rule = '||O=OTHER.COM^otheruser@KRBTEST.COM$' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +msg = 'kinit: Certificate mismatch while getting initial credentials' +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_identity], + expected_code=1, expected_msg=msg) + +# Authorize a client cert with no PKINIT extensions using subject and +# issuer. (Relies on EKU checking being turned off.) +rule = '&&CN=user$O=MIT,' +realm.run([kadminl, 'setstr', realm.user_princ, 'pkinit_cert_match', rule]) +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p12_generic_identity]) +realm.klist(realm.user_princ) + +# Regression test for #8726: null deref when parsing a FILE residual +# beginning with a comma. +realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=,'], + expected_code=1, expected_msg='Preauthentication failed while') + if not have_soft_pkcs11: skip_rest('PKINIT PKCS11 tests', 'soft-pkcs11.so not found') @@ -224,18 +405,18 @@ softpkcs11rc = os.path.join(os.getcwd(), 'testdir', 'soft-pkcs11.rc') realm.env['SOFTPKCS11RC'] = softpkcs11rc # PKINIT with PKCS11: identity, with no need for a PIN. +mark('PKCS11 identity, no PIN') conf = open(softpkcs11rc, 'w') conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, privkey_pem)) conf.close() # Expect to succeed without having to supply any more information. -realm.run(['./responder', '-x', 'pkinit=', - '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ]) realm.kinit(realm.user_princ, flags=['-X', 'X509_user_identity=%s' % p11_identity]) realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) # PKINIT with PKCS11: identity, with a PIN supplied by the prompter. +mark('PKCS11 identity, with PIN (prompter)') os.remove(softpkcs11rc) conf = open(softpkcs11rc, 'w') conf.write("%s\t%s\t%s\t%s\n" % ('user', 'user token', user_pem, @@ -251,8 +432,18 @@ realm.kinit(realm.user_princ, realm.klist(realm.user_princ) realm.run([kvno, realm.host_princ]) +# Supply the wrong PIN, and verify that we ignore the draft9 padata offer +# in the KDC method data after RFC 4556 PKINIT fails. +mark('PKCS11 identity, wrong PIN') +expected_trace = ('PKINIT client has no configured identity; giving up', + 'PKINIT client ignoring draft 9 offer from RFC 4556 KDC') +realm.kinit(realm.user_princ, + flags=['-X', 'X509_user_identity=%s' % p11_identity], + password='wrong', expected_code=1, expected_trace=expected_trace) + # PKINIT with PKCS11: identity, with a PIN supplied by the responder. # Supply the response in raw form. +mark('PKCS11 identity, with PIN (responder)') realm.run(['./responder', '-x', 'pkinit={"%s": 0}' % p11_token_identity, '-r', 'pkinit={"%s": "encrypted"}' % p11_token_identity, '-X', 'X509_user_identity=%s' % p11_identity, realm.user_princ]) diff --git a/src/tests/t_policy.py b/src/tests/t_policy.py index bfec96a..5a0c06b 100755 --- a/src/tests/t_policy.py +++ b/src/tests/t_policy.py @@ -1,41 +1,35 @@ -#!/usr/bin/python from k5test import * import re realm = K5Realm(create_host=False, start_kadmind=True) # Test password quality enforcement. +mark('password quality') realm.run([kadminl, 'addpol', '-minlength', '6', '-minclasses', '2', 'pwpol']) realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'pwpol', 'pwuser']) -out = realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1) -if 'Password is too short' not in out: - fail('short password') -out = realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], - expected_code=1) -if 'Password does not contain enough character classes' not in out: - fail('insufficient character classes') +realm.run([kadminl, 'cpw', '-pw', 'sh0rt', 'pwuser'], expected_code=1, + expected_msg='Password is too short') +realm.run([kadminl, 'cpw', '-pw', 'longenough', 'pwuser'], expected_code=1, + expected_msg='Password does not contain enough character classes') realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser']) # Test some password history enforcement. Even with no history value, # the current password should be denied. -out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], - expected_code=1) -if 'Cannot reuse password' not in out: - fail('reuse of current password') +mark('password history') +realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1, + expected_msg='Cannot reuse password') realm.run([kadminl, 'modpol', '-history', '2', 'pwpol']) realm.run([kadminl, 'cpw', '-pw', 'an0therpw', 'pwuser']) -out = realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], - expected_code=1) -if 'Cannot reuse password' not in out: - fail('reuse of old password') +realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser'], expected_code=1, + expected_msg='Cannot reuse password') realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser']) realm.run([kadminl, 'cpw', '-pw', 'l0ngenough', 'pwuser']) # Test references to nonexistent policies. +mark('nonexistent policy references') realm.run([kadminl, 'addprinc', '-randkey', '-policy', 'newpol', 'newuser']) -out = realm.run([kadminl, 'getprinc', 'newuser']) -if 'Policy: newpol [does not exist]\n' not in out: - fail('getprinc output for principal referencing nonexistent policy') +realm.run([kadminl, 'getprinc', 'newuser'], + expected_msg='Policy: newpol [does not exist]\n') realm.run([kadminl, 'modprinc', '-policy', 'newpol', 'pwuser']) # pwuser should allow reuse of the current password since newpol doesn't exist. realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser']) @@ -44,66 +38,57 @@ realm.run([kadmin, '-p', 'pwuser', '-w', '3rdpassword', 'cpw', '-pw', '3rdpassword', 'pwuser']) # Create newpol and verify that it is enforced. +mark('create referenced policy') realm.run([kadminl, 'addpol', '-minlength', '3', 'newpol']) -out = realm.run([kadminl, 'getprinc', 'pwuser']) -if 'Policy: newpol\n' not in out: - fail('getprinc after creating policy (pwuser)') -out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1) -if 'Password is too short' not in out: - fail('short password after creating policy (pwuser)') -out = realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], - expected_code=1) -if 'Cannot reuse password' not in out: - fail('reuse of current password after creating policy') +realm.run([kadminl, 'getprinc', 'pwuser'], expected_msg='Policy: newpol\n') +realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser'], expected_code=1, + expected_msg='Password is too short') +realm.run([kadminl, 'cpw', '-pw', '3rdpassword', 'pwuser'], expected_code=1, + expected_msg='Cannot reuse password') -out = realm.run([kadminl, 'getprinc', 'newuser']) -if 'Policy: newpol\n' not in out: - fail('getprinc after creating policy (newuser)') -out = realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1) -if 'Password is too short' not in out: - fail('short password after creating policy (newuser)') +realm.run([kadminl, 'getprinc', 'newuser'], expected_msg='Policy: newpol\n') +realm.run([kadminl, 'cpw', '-pw', 'aa', 'newuser'], expected_code=1, + expected_msg='Password is too short') # Delete the policy and verify that it is no longer enforced. +mark('delete referenced policy') realm.run([kadminl, 'delpol', 'newpol']) -out = realm.run([kadminl, 'getpol', 'newpol'], expected_code=1) -if 'Policy does not exist' not in out: - fail('deletion of referenced policy') +realm.run([kadminl, 'getpol', 'newpol'], expected_code=1, + expected_msg='Policy does not exist') realm.run([kadminl, 'cpw', '-pw', 'aa', 'pwuser']) # Test basic password lockout support. - -realm.run([kadminl, 'addpol', '-maxfailure', '2', '-failurecountinterval', - '5m', 'lockout']) -realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout', - 'user']) - -# kinit twice with the wrong password. -output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) -if 'Password incorrect while getting initial credentials' not in output: - fail('Expected error message not seen in kinit output') -output = realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1) -if 'Password incorrect while getting initial credentials' not in output: - fail('Expected error message not seen in kinit output') - -# Now the account should be locked out. -output = realm.run([kinit, realm.user_princ], expected_code=1) -if 'Client\'s credentials have been revoked while getting initial credentials' \ - not in output: - fail('Expected lockout error message not seen in kinit output') - -# Check that modprinc -unlock allows a further attempt. -realm.run([kadminl, 'modprinc', '-unlock', 'user']) -realm.kinit(realm.user_princ, password('user')) - -# Make sure a nonexistent policy reference doesn't prevent authentication. -realm.run([kadminl, 'delpol', 'lockout']) -realm.kinit(realm.user_princ, password('user')) +mark('password lockout') +realm.stop() +for realm in multidb_realms(create_host=False): + realm.run([kadminl, 'addpol', '-maxfailure', '2', '-failurecountinterval', + '5m', 'lockout']) + realm.run([kadminl, 'modprinc', '+requires_preauth', '-policy', 'lockout', + 'user']) + + # kinit twice with the wrong password. + msg = 'Password incorrect while getting initial credentials' + realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1, + expected_msg=msg) + realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1, + expected_msg=msg) + + # Now the account should be locked out. + msg = 'credentials have been revoked while getting initial credentials' + realm.run([kinit, realm.user_princ], expected_code=1, expected_msg=msg) + + # Check that modprinc -unlock allows a further attempt. + realm.run([kadminl, 'modprinc', '-unlock', 'user']) + realm.kinit(realm.user_princ, password('user')) + + # Make sure a nonexistent policy reference doesn't prevent authentication. + realm.run([kadminl, 'delpol', 'lockout']) + realm.kinit(realm.user_princ, password('user')) # Regression test for issue #7099: databases created prior to krb5 1.3 have # multiple history keys, and kadmin prior to 1.7 didn't necessarily use the # first one to create history entries. - -realm.stop() +mark('#7099 regression test') realm = K5Realm(start_kdc=False) # Create a history principal with two keys. realm.run(['./hist', 'make']) @@ -113,12 +98,11 @@ realm.run([kadminl, 'cpw', '-pw', 'pw2', 'user']) # Swap the keys, simulating older kadmin having chosen the second entry. realm.run(['./hist', 'swap']) # Make sure we can read the history entry. -out = realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], - expected_code=1) -if 'Cannot reuse password' not in out: - fail('Expected error not seen in output') +realm.run([kadminl, 'cpw', '-pw', password('user'), 'user'], expected_code=1, + expected_msg='Cannot reuse password') # Test key/salt constraints. +mark('allowedkeysalts') realm.stop() krb5_conf1 = {'libdefaults': {'supported_enctypes': 'aes256-cts'}} @@ -142,9 +126,8 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts', 'server']) # Test modpol. realm.run([kadminl, 'modpol', '-allowedkeysalts', 'aes256-cts,rc4-hmac', 'ak']) -out = realm.run([kadminl, 'getpol', 'ak']) -if not 'Allowed key/salt types: aes256-cts,rc4-hmac' in out: - fail('getpol does not implement allowedkeysalts?') +realm.run([kadminl, 'getpol', 'ak'], + expected_msg='Allowed key/salt types: aes256-cts,rc4-hmac') # Test subsets and full set. realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac', 'server']) @@ -153,19 +136,14 @@ realm.run([kadminl, 'cpw', '-randkey', '-e', 'aes256-cts,rc4-hmac', 'server']) realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts', 'server']) # Check that the order we got is the one from the policy. -out = realm.run([kadminl, 'getprinc', '-terse', 'server']) -if not '2\t1\t6\t18\t0\t1\t6\t23\t0' in out: - fail('allowed_keysalts policy did not preserve order') +realm.run([kadminl, 'getprinc', '-terse', 'server'], + expected_msg='2\t1\t6\t18\t0\t1\t6\t23\t0') # Test partially intersecting sets. -out = realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', - 'server'], expected_code=1) -if not 'Invalid key/salt tuples' in out: - fail('allowed_keysalts policy not applied properly') -out = realm.run([kadminl, 'cpw', '-randkey', '-e', - 'rc4-hmac,aes256-cts,aes128-cts', 'server'], expected_code=1) -if not 'Invalid key/salt tuples' in out: - fail('allowed_keysalts policy not applied properly') +realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes128-cts', 'server'], + expected_code=1, expected_msg='Invalid key/salt tuples') +realm.run([kadminl, 'cpw', '-randkey', '-e', 'rc4-hmac,aes256-cts,aes128-cts', + 'server'], expected_code=1, expected_msg='Invalid key/salt tuples') # Test reset of allowedkeysalts. realm.run([kadminl, 'modpol', '-allowedkeysalts', '-', 'ak']) diff --git a/src/tests/t_preauth.py b/src/tests/t_preauth.py index 0ef8bbc..d95eed5 100644 --- a/src/tests/t_preauth.py +++ b/src/tests/t_preauth.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Test that the kdcpreauth client_keyblock() callback matches the key @@ -10,18 +9,257 @@ realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) realm.run([kadminl, 'modprinc', '+requires_preauth', realm.user_princ]) realm.run([kadminl, 'setstr', realm.user_princ, 'teststring', 'testval']) realm.run([kadminl, 'addprinc', '-nokey', '+requires_preauth', 'nokeyuser']) -out = realm.run([kinit, realm.user_princ], input=password('user')+'\n') -if 'testval' not in out: - fail('Decrypted string attribute not in kinit output') -out = realm.run([kinit, 'nokeyuser'], input=password('user')+'\n', - expected_code=1) -if 'no key' not in out: - fail('Expected "no key" message not in kinit output') - -# Exercise KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. +realm.kinit(realm.user_princ, password('user'), expected_msg='testval') +realm.kinit('nokeyuser', password('user'), expected_code=1, + expected_msg='no key') + +# Preauth type -123 is the test preauth module type; 133 is FAST +# PA-FX-COOKIE; 2 is encrypted timestamp. + +# Test normal preauth flow. +mark('normal') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + 'Decrypted AS reply') +realm.run(['./icred', realm.user_princ, password('user')], + expected_msg='testval', expected_trace=msgs) + +# Test successful optimistic preauth. +mark('optimistic') +expected_trace = ('Attempting optimistic preauth', + 'Processing preauth types: -123', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: -123', + 'Decrypted AS reply') +realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], + expected_trace=expected_trace) + +# Test optimistic preauth failing on client, falling back to encrypted +# timestamp. +mark('optimistic (client failure)') +msgs = ('Attempting optimistic preauth', + 'Processing preauth types: -123', + '/induced optimistic fail', + 'Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Encrypted timestamp (for ', + 'module encrypted_timestamp (2) (real) returned: 0/Success', + 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'Decrypted AS reply') +realm.run(['./icred', '-o', '-123', '-X', 'fail_optimistic', realm.user_princ, + password('user')], expected_trace=msgs) + +# Test optimistic preauth failing on KDC, falling back to encrypted +# timestamp. +mark('optimistic (KDC failure)') +realm.run([kadminl, 'setstr', realm.user_princ, 'failopt', 'yes']) +msgs = ('Attempting optimistic preauth', + 'Processing preauth types: -123', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: -123', + '/Preauthentication failed', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Encrypted timestamp (for ', + 'module encrypted_timestamp (2) (real) returned: 0/Success', + 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'Decrypted AS reply') +realm.run(['./icred', '-o', '-123', realm.user_princ, password('user')], + expected_trace=msgs) +# Leave failopt set for the next test. + +# Test optimistic preauth failing on KDC, stopping because the test +# module disabled fallback. +mark('optimistic (KDC failure, no fallback)') +msgs = ('Attempting optimistic preauth', + 'Processing preauth types: -123', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: -123', + '/Preauthentication failed') +realm.run(['./icred', '-X', 'disable_fallback', '-o', '-123', realm.user_princ, + password('user')], expected_code=1, + expected_msg='Preauthentication failed', expected_trace=msgs) +realm.run([kadminl, 'delstr', realm.user_princ, 'failopt']) + +# Test KDC_ERR_MORE_PREAUTH_DATA_REQUIRED and secure cookies. +mark('second round-trip') realm.run([kadminl, 'setstr', realm.user_princ, '2rt', 'secondtrip']) -out = realm.run([kinit, realm.user_princ], input=password('user')+'\n') -if '2rt: secondtrip' not in out: - fail('multi round-trip cookie test') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/More preauthentication data is required', + 'Continuing preauth mech -123', + 'Processing preauth types: -123, PA-FX-COOKIE (133)', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + 'Decrypted AS reply') +realm.run(['./icred', realm.user_princ, password('user')], + expected_msg='2rt: secondtrip', expected_trace=msgs) + +# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, +# falling back to encrypted timestamp. +mark('second round-trip (client failure)') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/More preauthentication data is required', + 'Continuing preauth mech -123', + 'Processing preauth types: -123, PA-FX-COOKIE (133)', + '/induced 2rt fail', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Encrypted timestamp (for ', + 'module encrypted_timestamp (2) (real) returned: 0/Success', + 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'Decrypted AS reply') +realm.run(['./icred', '-X', 'fail_2rt', realm.user_princ, password('user')], + expected_msg='2rt: secondtrip', expected_trace=msgs) + +# Test client-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, +# stopping because the test module disabled fallback. +mark('second round-trip (client failure, no fallback)') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/More preauthentication data is required', + 'Continuing preauth mech -123', + 'Processing preauth types: -123, PA-FX-COOKIE (133)', + '/induced 2rt fail') +realm.run(['./icred', '-X', 'fail_2rt', '-X', 'disable_fallback', + realm.user_princ, password('user')], expected_code=1, + expected_msg='Pre-authentication failed: induced 2rt fail', + expected_trace=msgs) + +# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, +# falling back to encrypted timestamp. +mark('second round-trip (KDC failure)') +realm.run([kadminl, 'setstr', realm.user_princ, 'fail2rt', 'yes']) +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/More preauthentication data is required', + 'Continuing preauth mech -123', + 'Processing preauth types: -123, PA-FX-COOKIE (133)', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/Preauthentication failed', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Encrypted timestamp (for ', + 'module encrypted_timestamp (2) (real) returned: 0/Success', + 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'Decrypted AS reply') +realm.run(['./icred', realm.user_princ, password('user')], + expected_msg='2rt: secondtrip', expected_trace=msgs) +# Leave fail2rt set for the next test. + +# Test KDC-side failure after KDC_ERR_MORE_PREAUTH_DATA_REQUIRED, +# stopping because the test module disabled fallback. +mark('second round-trip (KDC failure, no fallback)') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/More preauthentication data is required', + 'Continuing preauth mech -123', + 'Processing preauth types: -123, PA-FX-COOKIE (133)', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/Preauthentication failed') +realm.run(['./icred', '-X', 'disable_fallback', + realm.user_princ, password('user')], expected_code=1, + expected_msg='Preauthentication failed', expected_trace=msgs) +realm.run([kadminl, 'delstr', realm.user_princ, 'fail2rt']) + +# Test tryagain flow by inducing a KDC_ERR_ENCTYPE_NOSUPP error on the KDC. +mark('tryagain') +realm.run([kadminl, 'setstr', realm.user_princ, 'err', 'testagain']) +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/KDC has no support for encryption type', + 'Recovering from KDC error 14 using preauth mech -123', + 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', + 'Preauth module test (-123) tryagain returned: 0/Success', + 'Followup preauth for next request: -123, PA-FX-COOKIE (133)', + 'Decrypted AS reply') +realm.run(['./icred', realm.user_princ, password('user')], + expected_msg='tryagain: testagain', expected_trace=msgs) + +# Test a client-side tryagain failure, falling back to encrypted +# timestamp. +mark('tryagain (client failure)') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/KDC has no support for encryption type', + 'Recovering from KDC error 14 using preauth mech -123', + 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', + '/induced tryagain fail', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Encrypted timestamp (for ', + 'module encrypted_timestamp (2) (real) returned: 0/Success', + 'preauth for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'Decrypted AS reply') +realm.run(['./icred', '-X', 'fail_tryagain', realm.user_princ, + password('user')], expected_trace=msgs) + +# Test a client-side tryagain failure, stopping because the test +# module disabled fallback. +mark('tryagain (client failure, no fallback)') +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Preauthenticating using KDC method data', + 'Processing preauth types:', + 'Preauth module test (-123) (real) returned: 0/Success', + 'Produced preauth for next request: PA-FX-COOKIE (133), -123', + '/KDC has no support for encryption type', + 'Recovering from KDC error 14 using preauth mech -123', + 'Preauth tryagain input types (-123): -123, PA-FX-COOKIE (133)', + '/induced tryagain fail') +realm.run(['./icred', '-X', 'fail_tryagain', '-X', 'disable_fallback', + realm.user_princ, password('user')], expected_code=1, + expected_msg='KDC has no support for encryption type', + expected_trace=msgs) + +# Test that multiple stepwise initial creds operations can be +# performed with the same krb5_context, with proper tracking of +# clpreauth module request handles. +mark('interleaved') +realm.run([kadminl, 'addprinc', '-pw', 'pw', 'u1']) +realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u2']) +realm.run([kadminl, 'addprinc', '+requires_preauth', '-pw', 'pw', 'u3']) +realm.run([kadminl, 'setstr', 'u2', '2rt', 'extra']) +out = realm.run(['./icinterleave', 'pw', 'u1', 'u2', 'u3']) +if out != ('step 1\nstep 2\nstep 3\nstep 1\nfinish 1\nstep 2\nno attr\n' + 'step 3\nno attr\nstep 2\n2rt: extra\nstep 3\nfinish 3\nstep 2\n' + 'finish 2\n'): + fail('unexpected output from icinterleave') success('Pre-authentication framework tests') diff --git a/src/tests/t_princflags.py b/src/tests/t_princflags.py index 6378ef9..aa36602 100755 --- a/src/tests/t_princflags.py +++ b/src/tests/t_princflags.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * from princflags import * import re diff --git a/src/tests/t_proxy.py b/src/tests/t_proxy.py index 4e86fce..ef855dd 100755 --- a/src/tests/t_proxy.py +++ b/src/tests/t_proxy.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Skip this test if we're missing proxy functionality or parts of the proxy. @@ -62,10 +61,12 @@ def start_proxy(realm, keycertpem): conf.write('kpasswd = kpasswd://localhost:%d\n' % (realm.portbase + 2)) conf.close() realm.env['KDCPROXY_CONFIG'] = proxy_conf_path - cmd = [proxy_exec_path, str(realm.server_port()), keycertpem] + cmd = [sys.executable, proxy_exec_path, str(realm.server_port()), + keycertpem] return realm.start_server(cmd, sentinel='proxy server ready') # Fail: untrusted issuer and hostname doesn't match. +mark('untrusted issuer, hostname mismatch') output("running pass 1: issuer not trusted and hostname doesn't match\n") realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, create_host=False) @@ -75,6 +76,7 @@ stop_daemon(proxy) realm.stop() # Fail: untrusted issuer, host name matches subject. +mark('untrusted issuer, hostname subject match') output("running pass 2: subject matches, issuer not trusted\n") realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, create_host=False) @@ -84,6 +86,7 @@ stop_daemon(proxy) realm.stop() # Fail: untrusted issuer, host name matches subjectAltName. +mark('untrusted issuer, hostname SAN match') output("running pass 3: subjectAltName matches, issuer not trusted\n") realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, create_host=False) @@ -93,6 +96,7 @@ stop_daemon(proxy) realm.stop() # Fail: untrusted issuer, certificate signature is bad. +mark('untrusted issuer, bad signature') output("running pass 4: subject matches, issuer not trusted\n") realm = K5Realm(krb5_conf=unanchored_krb5_conf, get_creds=False, create_host=False) @@ -102,6 +106,7 @@ stop_daemon(proxy) realm.stop() # Fail: trusted issuer but hostname doesn't match. +mark('trusted issuer, hostname mismatch') output("running pass 5: issuer trusted but hostname doesn't match\n") realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False, create_host=False) @@ -111,6 +116,7 @@ stop_daemon(proxy) realm.stop() # Succeed: trusted issuer and host name matches subject. +mark('trusted issuer, hostname subject match') output("running pass 6: issuer trusted, subject matches\n") realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True, get_creds=False) @@ -122,6 +128,7 @@ stop_daemon(proxy) realm.stop() # Succeed: trusted issuer and host name matches subjectAltName. +mark('trusted issuer, hostname SAN match') output("running pass 7: issuer trusted, subjectAltName matches\n") realm = K5Realm(krb5_conf=anchored_name_krb5_conf, start_kadmind=True, get_creds=False) @@ -133,6 +140,7 @@ stop_daemon(proxy) realm.stop() # Fail: certificate signature is bad. +mark('bad signature') output("running pass 8: issuer trusted and subjectAltName matches, sig bad\n") realm = K5Realm(krb5_conf=anchored_name_krb5_conf, get_creds=False, @@ -143,6 +151,7 @@ stop_daemon(proxy) realm.stop() # Fail: trusted issuer but IP doesn't match. +mark('trusted issuer, IP mismatch') output("running pass 9: issuer trusted but no name matches IP\n") realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, create_host=False) @@ -152,6 +161,7 @@ stop_daemon(proxy) realm.stop() # Fail: trusted issuer, but subject does not match. +mark('trusted issuer, IP mismatch (hostname in subject)') output("running pass 10: issuer trusted, but subject does not match IP\n") realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, create_host=False) @@ -161,6 +171,7 @@ stop_daemon(proxy) realm.stop() # Succeed: trusted issuer and host name matches subjectAltName. +mark('trusted issuer, IP SAN match') output("running pass 11: issuer trusted, subjectAltName matches IP\n") realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, start_kadmind=True, get_creds=False) @@ -172,6 +183,7 @@ stop_daemon(proxy) realm.stop() # Fail: certificate signature is bad. +mark('bad signature (IP hostname)') output("running pass 12: issuer trusted, names don't match, signature bad\n") realm = K5Realm(krb5_conf=anchored_ipv4_krb5_conf, get_creds=False, create_host=False) @@ -182,6 +194,7 @@ realm.stop() # Succeed: trusted issuer and host name matches subject, using kadmin # configuration to find kpasswdd. +mark('trusted issuer, hostname subject match (kadmin)') output("running pass 13: issuer trusted, subject matches\n") realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True, get_creds=False, create_host=False) @@ -192,6 +205,7 @@ realm.stop() # Succeed: trusted issuer and host name matches subjectAltName, using # kadmin configuration to find kpasswdd. +mark('trusted issuer, hostname SAN match (kadmin)') output("running pass 14: issuer trusted, subjectAltName matches\n") realm = K5Realm(krb5_conf=anchored_kadmin_krb5_conf, start_kadmind=True, get_creds=False, create_host=False) @@ -202,6 +216,7 @@ realm.stop() # Succeed: trusted issuer and host name matches subjectAltName (give or take # case). +mark('trusted issuer, hostname SAN case-insensitive match') output("running pass 15: issuer trusted, subjectAltName case-insensitive\n") realm = K5Realm(krb5_conf=anchored_upcasename_krb5_conf, start_kadmind=True, get_creds=False, create_host=False) diff --git a/src/tests/t_pwqual.py b/src/tests/t_pwqual.py index 0d1d387..58d610d 100755 --- a/src/tests/t_pwqual.py +++ b/src/tests/t_pwqual.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * plugin = os.path.join(buildtop, "plugins", "pwqual", "test", "pwqual_test.so") @@ -17,34 +16,33 @@ f.close() realm.run([kadminl, 'addpol', 'pol']) +mark('pwqual modules') + # The built-in "empty" module rejects empty passwords even without a policy. -out = realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1) -if 'Empty passwords are not allowed' not in out: - fail('Expected error not seen for empty password') +realm.run([kadminl, 'addprinc', '-pw', '', 'p1'], expected_code=1, + expected_msg='Empty passwords are not allowed') # The built-in "dict" module rejects dictionary words, but only with a policy. realm.run([kadminl, 'addprinc', '-pw', 'birds', 'p2']) -out = realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'], - expected_code=1) -if 'Password is in the password dictionary' not in out: - fail('Expected error not seen from dictionary password') +realm.run([kadminl, 'addprinc', '-pw', 'birds', '-policy', 'pol', 'p3'], + expected_code=1, + expected_msg='Password is in the password dictionary') # The built-in "princ" module rejects principal components, only with a policy. realm.run([kadminl, 'addprinc', '-pw', 'p4', 'p4']) -out = realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'], - expected_code=1) -if 'Password may not match principal name' not in out: - fail('Expected error not seen from principal component') +realm.run([kadminl, 'addprinc', '-pw', 'p5', '-policy', 'pol', 'p5'], + expected_code=1, + expected_msg='Password may not match principal name') # The dynamic "combo" module rejects pairs of dictionary words. -out = realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], - expected_code=1) -if 'Password may not be a pair of dictionary words' not in out: - fail('Expected error not seen from combo module') +realm.run([kadminl, 'addprinc', '-pw', 'birdsoranges', 'p6'], expected_code=1, + expected_msg='Password may not be a pair of dictionary words') # These plugin ordering tests aren't specifically related to the # password quality interface, but are convenient to put here. +mark('plugin module order') + def test_order(realm, testname, conf, expected): conf = {'plugins': {'pwqual': conf}} env = realm.special_env(testname, False, krb5_conf=conf) diff --git a/src/tests/t_rdreq.py b/src/tests/t_rdreq.py index f67c348..7b120b1 100755 --- a/src/tests/t_rdreq.py +++ b/src/tests/t_rdreq.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * conf = {'realms': {'$realm': {'supported_enctypes': 'aes256-cts aes128-cts'}}} @@ -25,46 +24,54 @@ def test(tserver, server, expected): # No keytab present. +mark('no keytab') nokeytab_err = "45 Key table file '%s' not found" % realm.keytab test(princ1, None, nokeytab_err) test(princ1, princ1, nokeytab_err) test(princ1, matchprinc, nokeytab_err) # Keytab present, successful decryption. +mark('success') realm.extract_keytab(princ1, realm.keytab) test(princ1, None, '0 success') test(princ1, princ1, '0 success') test(princ1, matchprinc, '0 success') # Explicit server principal not found in keytab. +mark('explicit server not found') test(princ2, princ2, '45 No key table entry found for host/2@KRBTEST.COM') # Matching server principal does not match any entries in keytab (with # and without ticket server present in keytab). +mark('matching server') nomatch_err = '45 Server principal x/@ does not match any keys in keytab' test(princ1, nomatchprinc, nomatch_err) test(princ2, nomatchprinc, nomatch_err) # Ticket server does not match explicit server principal (with and # without ticket server present in keytab). +mark('ticket server mismatch') test(princ1, princ2, '45 No key table entry found for host/2@KRBTEST.COM') test(princ2, princ1, '35 Cannot decrypt ticket for host/2@KRBTEST.COM using keytab key for ' 'host/1@KRBTEST.COM') # Ticket server not found in keytab during iteration. +mark('ticket server not found') test(princ2, None, '35 Request ticket server host/2@KRBTEST.COM not found in keytab ' '(ticket kvno 1)') # Ticket server found in keytab but is not matched by server principal # (but other principals in keytab do match). +mark('ticket server mismatch (matching)') realm.extract_keytab(princ3, realm.keytab) test(princ3, matchprinc, '35 Request ticket server HTTP/3@KRBTEST.COM found in keytab but does ' 'not match server principal host/@') # Service ticket is out of date. +mark('outdated service ticket') os.remove(realm.keytab) realm.run([kadminl, 'ktadd', princ1]) test(princ1, None, @@ -74,11 +81,13 @@ test(princ1, princ1, '44 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab') # kvno mismatch due to ticket principal mismatch with explicit server. +mark('ticket server mismatch (kvno)') test(princ2, princ1, '35 Cannot find key for host/1@KRBTEST.COM kvno 1 in keytab (request ' 'ticket server host/2@KRBTEST.COM)') # Keytab is out of date. +mark('outdated keytab') realm.run([kadminl, 'cpw', '-randkey', princ1]) realm.kinit(realm.user_princ, password('user')) test(princ1, None, @@ -88,6 +97,7 @@ test(princ1, princ1, '44 Cannot find key for host/1@KRBTEST.COM kvno 3 in keytab') # Ticket server and kvno found but not with ticket enctype. +mark('missing enctype') os.remove(realm.keytab) realm.extract_keytab(princ1, realm.keytab) pkeytab = realm.keytab + '.partial' @@ -105,6 +115,7 @@ test(princ1, None, test(princ1, princ1, '45 No key table entry found for host/1@KRBTEST.COM') # Ticket server, kvno, and enctype matched, but key does not work. +mark('wrong key') realm.run([kadminl, 'cpw', '-randkey', princ1]) realm.run([kadminl, 'modprinc', '-kvno', '3', princ1]) os.remove(realm.keytab) @@ -118,6 +129,7 @@ test(princ1, princ1, # Test that aliases work. The ticket server (princ4) isn't present in # keytab, but there is a usable princ1 entry with the same key. +mark('aliases') realm.run([kadminl, 'renprinc', princ1, princ4]) test(princ4, None, '0 success') test(princ4, princ1, '0 success') diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py index 559fbd5..2b6ed5d 100755 --- a/src/tests/t_referral.py +++ b/src/tests/t_referral.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Create a pair of realms, where KRBTEST1.COM can authenticate to @@ -17,15 +16,18 @@ os.rename(realm.ccache, savefile) # Get credentials and check that we got a referral to REFREALM. def testref(realm, nametype): shutil.copyfile(savefile, realm.ccache) - realm.run(['./gcred', nametype, 'a/x.d']) - realm.klist(realm.user_princ, 'a/x.d@REFREALM') + realm.run(['./gcred', nametype, 'a/x.d@']) + out = realm.run([klist]).split('\n') + if len(out) != 8: + fail('unexpected number of lines in klist output') + if out[5].split()[4] != 'a/x.d@' or out[6].split()[4] != 'a/x.d@REFREALM': + fail('unexpected service principals in klist output') # Get credentials and check that we get an error, not a referral. def testfail(realm, nametype): shutil.copyfile(savefile, realm.ccache) - out = realm.run(['./gcred', nametype, 'a/x.d'], expected_code=1) - if 'not found in Kerberos database' not in out: - fail('unexpected error') + realm.run(['./gcred', nametype, 'a/x.d@'], expected_code=1, + expected_msg='not found in Kerberos database') # Create a modified KDC environment and restart the KDC. def restart_kdc(realm, kdc_conf): @@ -36,6 +38,7 @@ def restart_kdc(realm, kdc_conf): # With no KDC configuration besides [domain_realm], we should get a # referral for a NT-SRV-HST or NT-SRV-INST server name, but not an # NT-UNKNOWN or NT-PRINCIPAL server name. +mark('[domain-realm] only') testref(realm, 'srv-hst') testref(realm, 'srv-inst') testfail(realm, 'principal') @@ -47,6 +50,7 @@ testfail(realm, 'unknown') # section, with the realm values supplementing the kdcdefaults values. # NT-SRV-HST server names should be unaffected by host_based_services, # and NT-PRINCIPAL server names shouldn't get a referral regardless. +mark('host_based_services') restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}}) testref(realm, 'unknown') testfail(realm, 'principal') @@ -66,6 +70,7 @@ testref(realm, 'srv-hst') # With no_host_referrals matching the first server name component, we # should not get a referral even for NT-SRV-HOST server names +mark('no_host_referral') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}}) testfail(realm, 'srv-hst') restart_kdc(realm, {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}}) @@ -92,6 +97,7 @@ refrealm.stop() # Regression test for #7483: a KDC should not return a host referral # to its own realm. +mark('#7483 regression test') drealm = {'domain_realm': {'d': 'KRBTEST.COM'}} realm = K5Realm(kdc_conf=drealm, create_host=False) tracefile = os.path.join(realm.testdir, 'trace') @@ -107,6 +113,7 @@ realm.stop() # Test client referrals. Use the test KDB module for KRBTEST1.COM to # simulate referrals since our built-in modules do not support them. # No cross-realm TGTs are necessary. +mark('client referrals') kdcconf = {'realms': {'$realm': {'database_module': 'test'}}, 'dbmodules': {'test': {'db_library': 'test', 'alias': {'user': '@KRBTEST2.COM', @@ -116,12 +123,24 @@ r1, r2 = cross_realms(2, xtgts=(), create_host=False) r2.addprinc('abc\@XYZ', 'pw') r1.start_kdc() -out = r1.kinit('user', expected_code=1) -if 'not found in Kerberos database' not in out: - fail('Expected error not seen for referral without canonicalize flag') +r1.kinit('user', expected_code=1, + expected_msg='not found in Kerberos database') r1.kinit('user', password('user'), ['-C']) r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM') r1.kinit('abc@XYZ', 'pw', ['-E']) r1.klist('abc\@XYZ@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM') +# Test that disable_encrypted_timestamp persists across client +# referrals. (This test relies on SPAKE not being enabled by default +# on the KDC.) +r2.run([kadminl, 'modprinc', '+preauth', 'user']) +msgs = ('Encrypted timestamp (for ') +r1.kinit('user', password('user'), ['-C'], expected_trace=msgs) +dconf = {'realms': {'$realm': {'disable_encrypted_timestamp': 'true'}}} +denv = r1.special_env('disable_encts', False, krb5_conf=dconf) +msgs = ('Ignoring encrypted timestamp because it is disabled', + '/Encrypted timestamp is disabled') +r1.kinit('user', None, ['-C'], env=denv, expected_code=1, expected_trace=msgs, + expected_msg='Encrypted timestamp is disabled') + success('KDC host referral tests') diff --git a/src/tests/t_renew.py b/src/tests/t_renew.py index a5f0d4b..f1bdccf 100755 --- a/src/tests/t_renew.py +++ b/src/tests/t_renew.py @@ -1,28 +1,57 @@ -#!/usr/bin/python from k5test import * +from datetime import datetime +import re conf = {'realms': {'$realm': {'max_life': '20h', 'max_renewable_life': '20h'}}} realm = K5Realm(create_host=False, get_creds=False, kdc_conf=conf) -def test(testname, life, rlife, expect_renewable, env=None): +def test(testname, life, rlife, exp_life, exp_rlife, env=None): global realm flags = ['-l', life] if rlife is not None: flags += ['-r', rlife] realm.kinit(realm.user_princ, password('user'), flags=flags, env=env) - out = realm.run([klist]) + out = realm.run([klist, '-f']) + if ('Default principal: %s\n' % realm.user_princ) not in out: fail('%s: did not get tickets' % testname) - renewable = 'renew until' in out - if renewable and not expect_renewable: - fail('%s: tickets unexpectedly renewable' % testname) - elif not renewable and expect_renewable: - fail('%s: tickets unexpectedly non-renewable' % testname) + + # Extract flags and check the renewable flag against expectations. + flags = re.findall(r'Flags: ([a-zA-Z]*)', out)[0] + if exp_rlife is None and 'R' in flags: + fail('%s: ticket unexpectedly renewable' % testname) + if exp_rlife is not None and 'R' not in flags: + fail('%s: ticket unexpectedly non-renewable' % testname) + + # Extract the start time, end time, and renewable end time if present. + times = re.findall(r'\d\d/\d\d/\d\d \d\d:\d\d:\d\d', out) + times = [datetime.strptime(t, '%m/%d/%y %H:%M:%S') for t in times] + starttime = times[0] + endtime = times[1] + rtime = times[2] if len(times) >= 3 else None + + # Check the ticket lifetime against expectations. If the lifetime + # was determined by the request, there may be a small error + # because KDC requests contain an end time rather than a lifetime. + life = (endtime - starttime).seconds + if abs(life - exp_life) > 5: + fail('%s: expected life %d, got %d' % (testname, exp_life, life)) + + # Check the ticket renewable lifetime against expectations. + if exp_rlife is None and rtime is not None: + fail('%s: ticket has unexpected renew_till' % testname) + if exp_rlife is not None and rtime is None: + fail('%s: ticket is renewable but has no renew_till' % testname) + if rtime is not None: + rlife = (rtime - starttime).seconds + if abs(rlife - exp_rlife) > 5: + fail('%s: expected rlife %d, got %d' (testname, exp_rlife, rlife)) # Get renewable tickets. -test('simple', '1h', '2h', True) +test('simple', '1h', '2h', 3600, 7200) # Renew twice, to test that renewed tickets are renewable. +mark('renew twice') realm.kinit(realm.user_princ, flags=['-R']) realm.kinit(realm.user_princ, flags=['-R']) realm.klist(realm.user_princ) @@ -31,49 +60,58 @@ realm.klist(realm.user_princ) realm.run([kvno, realm.user_princ]) # Make sure we can't renew non-renewable tickets. -test('non-renewable', '1h', '1h', False) -out = realm.kinit(realm.user_princ, flags=['-R'], expected_code=1) -if "KDC can't fulfill requested option" not in out: - fail('expected error not seen renewing non-renewable ticket') +mark('non-renewable') +test('non-renewable', '1h', None, 3600, None) +realm.kinit(realm.user_princ, flags=['-R'], expected_code=1, + expected_msg="KDC can't fulfill requested option") # Test that -allow_renewable on the client principal works. +mark('allow_renewable (client)') realm.run([kadminl, 'modprinc', '-allow_renewable', 'user']) -test('disallowed client', '1h', '2h', False) +test('disallowed client', '1h', '2h', 3600, None) realm.run([kadminl, 'modprinc', '+allow_renewable', 'user']) # Test that -allow_renewable on the server principal works. +mark('allow_renewable (server)') realm.run([kadminl, 'modprinc', '-allow_renewable', realm.krbtgt_princ]) -test('disallowed server', '1h', '2h', False) +test('disallowed server', '1h', '2h', 3600, None) realm.run([kadminl, 'modprinc', '+allow_renewable', realm.krbtgt_princ]) -# Test that non-renewable tickets are issued if renew_till < till. -test('short', '2h', '1h', False) +# Test that trivially renewable tickets are issued if renew_till <= +# till. (Our client code bumps up the requested renewable life to the +# requested life.) +mark('trivially renewable') +test('short', '2h', '1h', 7200, 7200) # Test that renewable tickets are issued if till > max life by # default, but not if we configure away the RENEWABLE-OK option. +mark('renewable-ok') no_opts_conf = {'libdefaults': {'kdc_default_options': '0'}} no_opts = realm.special_env('no_opts', False, krb5_conf=no_opts_conf) realm.run([kadminl, 'modprinc', '-maxlife', '10 hours', 'user']) -test('long', '15h', None, True) -test('long noopts', '15h', None, False, env=no_opts) +test('long', '15h', None, 10 * 3600, 15 * 3600) +test('long noopts', '15h', None, 10 * 3600, None, env=no_opts) realm.run([kadminl, 'modprinc', '-maxlife', '20 hours', 'user']) # Test maximum renewable life on the client principal. +mark('maxrenewlife (client)') realm.run([kadminl, 'modprinc', '-maxrenewlife', '5 hours', 'user']) -test('maxrenewlife client yes', '4h', '5h', True) -test('maxrenewlife client no', '6h', '10h', False) +test('maxrenewlife client 1', '4h', '5h', 4 * 3600, 5 * 3600) +test('maxrenewlife client 2', '6h', '10h', 6 * 3600, 5 * 3600) # Test maximum renewable life on the server principal. +mark('maxrenewlife (server)') realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', realm.krbtgt_princ]) -test('maxrenewlife server yes', '2h', '3h', True) -test('maxrenewlife server no', '4h', '8h', False) +test('maxrenewlife server 1', '2h', '3h', 2 * 3600, 3 * 3600) +test('maxrenewlife server 2', '4h', '8h', 4 * 3600, 3 * 3600) # Test realm maximum life. +mark('realm maximum life') realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours', 'user']) realm.run([kadminl, 'modprinc', '-maxrenewlife', '40 hours', realm.krbtgt_princ]) -test('maxrenewlife realm yes', '10h', '20h', True) -test('maxrenewlife realm no', '21h', '40h', False) +test('maxrenewlife realm 1', '10h', '20h', 10 * 3600, 20 * 3600) +test('maxrenewlife realm 2', '21h', '40h', 20 * 3600, 20 * 3600) success('Renewing credentials') diff --git a/src/tests/t_renprinc.py b/src/tests/t_renprinc.py index cc78083..46cbed4 100755 --- a/src/tests/t_renprinc.py +++ b/src/tests/t_renprinc.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. diff --git a/src/tests/t_salt.py b/src/tests/t_salt.py index e923c92..278911a 100755 --- a/src/tests/t_salt.py +++ b/src/tests/t_salt.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * import re @@ -62,13 +61,11 @@ for ks in dup_kstypes: # fails. def test_reject_afs3(realm, etype): query = 'ank -e ' + etype + ':afs3 -pw password princ1' - out = realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password', - 'princ1'], expected_code=1) - if 'Invalid key generation parameters from KDC' not in out: - fail('Allowed afs3 salt for ' + etype) - out = realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1) - if 'Principal does not exist' not in out: - fail('Created principal with afs3 salt and enctype ' + etype) + realm.run([kadminl, 'ank', '-e', etype + ':afs3', '-pw', 'password', + 'princ1'], expected_code=1, + expected_msg='Invalid key generation parameters from KDC') + realm.run([kadminl, 'getprinc', 'princ1'], expected_code=1, + expected_msg='Principal does not exist') # Verify that the afs3 salt is rejected for arcfour and pbkdf2 enctypes. # We do not currently do any verification on the key-generation parameters diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py index 732c306..4480923 100755 --- a/src/tests/t_sesskeynego.py +++ b/src/tests/t_sesskeynego.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * import re diff --git a/src/tests/t_skew.py b/src/tests/t_skew.py index b729710..ed40ede 100755 --- a/src/tests/t_skew.py +++ b/src/tests/t_skew.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * # Create a realm with the KDC one hour in the past. @@ -7,6 +6,7 @@ realm.start_kdc(['-T', '-3600']) # kinit (no preauth) should work, and should set a clock skew allowing # kvno to work, with or without FAST. +mark('kdc_timesync enabled, no preauth') realm.kinit(realm.user_princ, password('user')) realm.run([kvno, realm.host_princ]) realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) @@ -14,6 +14,7 @@ realm.run([kvno, realm.host_princ]) realm.run([kdestroy]) # kinit (with preauth) should work, with or without FAST. +mark('kdc_timesync enabled, with preauth') realm.run([kadminl, 'modprinc', '+requires_preauth', 'user']) realm.kinit(realm.user_princ, password('user')) realm.run([kvno, realm.host_princ]) @@ -37,22 +38,18 @@ realm.kinit(realm.user_princ, password('user'), # kinit should detect too much skew in the KDC response. kinit with # FAST should fail from the KDC since the armor AP-REQ won't be valid. -out = realm.kinit(realm.user_princ, password('user'), expected_code=1) -if 'Clock skew too great in KDC reply' not in out: - fail('Expected error message not seen in kinit skew case') -out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], - expected_code=1) -if 'Clock skew too great while' not in out: - fail('Expected error message not seen in kinit FAST skew case') +mark('KDC timesync disabled, no preauth') +realm.kinit(realm.user_princ, password('user'), expected_code=1, + expected_msg='Clock skew too great in KDC reply') +realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1, + expected_msg='Clock skew too great while') # kinit (with preauth) should fail from the KDC, with or without FAST. +mark('KDC timesync disabled, with preauth') realm.run([kadminl, 'modprinc', '+requires_preauth', 'user']) -out = realm.kinit(realm.user_princ, password('user'), expected_code=1) -if 'Clock skew too great while' not in out: - fail('Expected error message not seen in kinit skew case (preauth)') -out = realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], - expected_code=1) -if 'Clock skew too great while' not in out: - fail('Expected error message not seen in kinit FAST skew case (preauth)') +realm.kinit(realm.user_princ, password('user'), expected_code=1, + expected_msg='Clock skew too great while') +realm.kinit(realm.user_princ, None, flags=['-T', fast_cache], expected_code=1, + expected_msg='Clock skew too great while') success('Clock skew tests') diff --git a/src/tests/t_sn2princ.py b/src/tests/t_sn2princ.py index 19a0d2f..1ffda51 100755 --- a/src/tests/t_sn2princ.py +++ b/src/tests/t_sn2princ.py @@ -1,4 +1,3 @@ -#!/usr/bin/python from k5test import * offline = (len(args) > 0 and args[0] != "no") @@ -40,6 +39,7 @@ def testu(host, princhost, princrealm): # With the unknown principal type, we do not canonicalize or downcase, # but we do remove a trailing period and look up the realm. +mark('unknown type') testu('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1') testu('Example.COM', 'Example.COM', 'R2') testu('abcde', 'abcde', '') @@ -47,6 +47,7 @@ testu('abcde', 'abcde', '') # A ':port' or ':instance' trailer should be ignored for realm lookup. # If there is more than one colon in the name, we assume it's an IPv6 # address and don't treat it as having a trailer. +mark('port trailer') testu('example.com.:123', 'example.com.:123', 'R2') testu('Example.COM:xyZ', 'Example.COM:xyZ', 'R2') testu('example.com.::123', 'example.com.::123', '') @@ -54,6 +55,7 @@ testu('example.com.::123', 'example.com.::123', '') # With dns_canonicalize_hostname=false, we downcase and remove # trailing dots but do not canonicalize the hostname. Trailers do not # get downcased. +mark('dns_canonicalize_host=false') testnc('ptr-mismatch.kerberos.org', 'ptr-mismatch.kerberos.org', 'R1') testnc('Example.COM', 'example.com', 'R2') testnc('abcde', 'abcde', '') @@ -80,6 +82,7 @@ if canonname.lower() != fname: '%s forward resolves to %s, not %s' % (oname, canonname, fname)) # Test forward-only canonicalization (rdns=false). +mark('rdns=false') testnr(oname, fname, 'R1') testnr(oname + ':123', fname + ':123', 'R1') testnr(oname + ':xyZ', fname + ':xyZ', 'R1') @@ -96,6 +99,7 @@ if rname == fname: 'which should be different from %s' % (oname, rname, fname)) # Test default canonicalization (forward and reverse lookup). +mark('default') test(oname, rname, 'R3') test(oname + ':123', rname + ':123', 'R3') test(oname + ':xyZ', rname + ':xyZ', 'R3') diff --git a/src/tests/t_spake.py b/src/tests/t_spake.py new file mode 100644 index 0000000..f0afefb --- /dev/null +++ b/src/tests/t_spake.py @@ -0,0 +1,149 @@ +from k5test import * + +# The name and number of each supported SPAKE group. +builtin_groups = ((1, 'edwards25519'),) +openssl_groups = ((2, 'P-256'), (3, 'P-384'), (4, 'P-521')) +if runenv.have_spake_openssl == 'yes': + groups = builtin_groups + openssl_groups +else: + groups = builtin_groups + +for gnum, gname in groups: + mark('group %s' % gname) + conf = {'libdefaults': {'spake_preauth_groups': gname}} + for realm in multipass_realms(create_user=False, create_host=False, + krb5_conf=conf): + realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user']) + + # Test a basic SPAKE preauth scenario with no optimizations. + msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Selected etype info:', + 'Sending SPAKE support message', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + '/More preauthentication data is required', + 'Continuing preauth mech PA-SPAKE (151)', + 'SPAKE challenge received with group ' + str(gnum), + 'Sending SPAKE response', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + 'AS key determined by preauth:', + 'Decrypted AS reply') + realm.kinit('user', 'pw', expected_trace=msgs) + + # Test an unsuccessful authentication. + msgs = ('/Additional pre-authentication required', + 'Selected etype info:', + 'Sending SPAKE support message', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + '/More preauthentication data is required', + 'Continuing preauth mech PA-SPAKE (151)', + 'SPAKE challenge received with group ' + str(gnum), + 'Sending SPAKE response', + '/Preauthentication failed') + realm.kinit('user', 'wrongpw', expected_code=1, expected_trace=msgs) + +conf = {'libdefaults': {'spake_preauth_groups': 'edwards25519'}} +kdcconf = {'realms': {'$realm': {'spake_preauth_indicator': 'indspake'}}} +realm = K5Realm(create_user=False, krb5_conf=conf, kdc_conf=kdcconf) +realm.run([kadminl, 'addprinc', '+preauth', '-pw', 'pw', 'user']) + +# Test with FAST. +mark('FAST') +msgs = ('Using FAST due to armor ccache negotiation', + 'FAST armor key:', + 'Sending unauthenticated request', + '/Additional pre-authentication required', + 'Decoding FAST response', + 'Selected etype info:', + 'Sending SPAKE support message', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + '/More preauthentication data is required', + 'Continuing preauth mech PA-SPAKE (151)', + 'SPAKE challenge received with group 1', + 'Sending SPAKE response', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + 'AS key determined by preauth:', + 'FAST reply key:') +realm.kinit(realm.host_princ, flags=['-k']) +realm.kinit('user', 'pw', flags=['-T', realm.ccache], expected_trace=msgs) + +# Test optimistic client preauth (151 is PA-SPAKE). +mark('client optimistic') +msgs = ('Attempting optimistic preauth', + 'Processing preauth types: PA-SPAKE (151)', + 'Sending SPAKE support message', + 'for next request: PA-SPAKE (151)', + '/More preauthentication data is required', + 'Selected etype info:', + 'SPAKE challenge received with group 1', + 'Sending SPAKE response', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + 'AS key determined by preauth:', + 'Decrypted AS reply') +realm.run(['./icred', '-o', '151', 'user', 'pw'], expected_trace=msgs) + +# Test KDC optimistic challenge (accepted by client). +mark('KDC optimistic') +oconf = {'kdcdefaults': {'spake_preauth_kdc_challenge': 'edwards25519'}} +oenv = realm.special_env('ochal', True, krb5_conf=oconf) +realm.stop_kdc() +realm.start_kdc(env=oenv) +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Selected etype info:', + 'SPAKE challenge received with group 1', + 'Sending SPAKE response', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + 'AS key determined by preauth:', + 'Decrypted AS reply') +realm.kinit('user', 'pw', expected_trace=msgs) + +if runenv.have_spake_openssl != 'yes': + skip_rest('SPAKE fallback tests', 'SPAKE not built using OpenSSL') + +# Test optimistic client preauth falling back to encrypted timestamp +# because the KDC doesn't support any of the client groups. +mark('client optimistic (fallback)') +p256conf={'libdefaults': {'spake_preauth_groups': 'P-256'}} +p256env = realm.special_env('p256', False, krb5_conf=p256conf) +msgs = ('Attempting optimistic preauth', + 'Processing preauth types: PA-SPAKE (151)', + 'Sending SPAKE support message', + 'for next request: PA-SPAKE (151)', + '/Preauthentication failed', + 'Selected etype info:', + 'Encrypted timestamp ', + 'for next request: PA-FX-COOKIE (133), PA-ENC-TIMESTAMP (2)', + 'AS key determined by preauth:', + 'Decrypted AS reply') +realm.run(['./icred', '-o', '151', 'user', 'pw'], env=p256env, + expected_trace=msgs) + +# Test KDC optimistic challenge (rejected by client). +mark('KDC optimistic (rejected)') +rconf = {'libdefaults': {'spake_preauth_groups': 'P-384,edwards25519'}, + 'kdcdefaults': {'spake_preauth_kdc_challenge': 'P-384'}} +renv = realm.special_env('ochal', True, krb5_conf=rconf) +realm.stop_kdc() +realm.start_kdc(env=renv) +msgs = ('Sending unauthenticated request', + '/Additional pre-authentication required', + 'Selected etype info:', + 'SPAKE challenge with group 3 rejected', + 'Sending SPAKE support message', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + '/More preauthentication data is required', + 'Continuing preauth mech PA-SPAKE (151)', + 'SPAKE challenge received with group 1', + 'Sending SPAKE response', + 'for next request: PA-FX-COOKIE (133), PA-SPAKE (151)', + 'AS key determined by preauth:', + 'Decrypted AS reply') +realm.kinit('user', 'pw', expected_trace=msgs) + +# Check that the auth indicator for SPAKE is properly included by the KDC. +mark('auth indicator') +realm.run([kvno, realm.host_princ]) +realm.run(['./adata', realm.host_princ], expected_msg='+97: [indspake]') + +success('SPAKE pre-authentication tests') diff --git a/src/tests/t_stringattr.py b/src/tests/t_stringattr.py index 281c872..c2dc348 100755 --- a/src/tests/t_stringattr.py +++ b/src/tests/t_stringattr.py @@ -1,5 +1,3 @@ -#!/usr/bin/python - # Copyright (C) 2011 by the Massachusetts Institute of Technology. # All rights reserved. @@ -28,9 +26,7 @@ realm = K5Realm(start_kadmind=True, create_host=False, get_creds=False) realm.prep_kadmin() -out = realm.run_kadmin(['getstrs', 'user']) -if '(No string attributes.)' not in out: - fail('Empty attribute query') +realm.run_kadmin(['getstrs', 'user'], expected_msg='(No string attributes.)') realm.run_kadmin(['setstr', 'user', 'attr1', 'value1']) realm.run_kadmin(['setstr', 'user', 'attr2', 'value2']) diff --git a/src/tests/t_tabdump.py b/src/tests/t_tabdump.py index 066e484..49531bf 100755 --- a/src/tests/t_tabdump.py +++ b/src/tests/t_tabdump.py @@ -1,11 +1,10 @@ -#!/usr/bin/python from k5test import * import csv -import StringIO +from io import StringIO def tab_csv(s): - io = StringIO.StringIO(s) + io = StringIO(s) return list(csv.DictReader(io, dialect=csv.excel_tab)) diff --git a/src/tests/t_u2u.py b/src/tests/t_u2u.py new file mode 100644 index 0000000..1ca6ac8 --- /dev/null +++ b/src/tests/t_u2u.py @@ -0,0 +1,35 @@ +from k5test import * + +realm = K5Realm(create_host=False) + +# Create a second user principal and get tickets for it. +u2u_ccache = 'FILE:' + os.path.join(realm.testdir, 'ccu2u') +realm.addprinc('alice', password('alice')) +realm.kinit('alice', password('alice'), ['-c', u2u_ccache]) + +# Verify that -allow_dup_skey denies u2u requests. +realm.run([kadminl, 'modprinc', '-allow_dup_skey', 'alice']) +realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_code=1, + expected_msg='KDC policy rejects request') +realm.run([kadminl, 'modprinc', '+allow_dup_skey', 'alice']) + +# Verify that -allow_svr denies regular TGS requests, but allows +# user-to-user TGS requests. +realm.run([kadminl, 'modprinc', '-allow_svr', 'alice']) +realm.run([kvno, 'alice'], expected_code=1, + expected_msg='Server principal valid for user2user only') +realm.run([kvno, '--u2u', u2u_ccache, 'alice'], expected_msg='kvno = 0') +realm.run([kadminl, 'modprinc', '+allow_svr', 'alice']) + +# Verify that normal lookups ignore the user-to-user ticket. +realm.run([kvno, 'alice'], expected_msg='kvno = 1') +out = realm.run([klist]) +if out.count('alice@KRBTEST.COM') != 2: + fail('expected two alice tickets after regular kvno') + +# Try u2u against the client user. +realm.run([kvno, '--u2u', realm.ccache, realm.user_princ]) + +realm.run([klist]) + +success('user-to-user tests') diff --git a/src/tests/t_unlockiter.py b/src/tests/t_unlockiter.py index 2a438e9..fb18abc 100755 --- a/src/tests/t_unlockiter.py +++ b/src/tests/t_unlockiter.py @@ -1,9 +1,9 @@ -#!/usr/bin/python from k5test import * # Default KDB iteration is locked. Expect write lock failure unless # unlocked iteration is explicitly requested. -realm = K5Realm(create_user=False, create_host=False, start_kdc=False) +realm = K5Realm(create_user=False, create_host=False, start_kdc=False, + bdb_only=True) realm.run(['./unlockiter'], expected_code=1) realm.run(['./unlockiter', '-u']) realm.run(['./unlockiter', '-l'], expected_code=1) @@ -11,6 +11,7 @@ realm.run(['./unlockiter', '-l'], expected_code=1) # Set default to unlocked iteration. Only explicitly requested locked # iteration should block the write lock. realm = K5Realm(create_user=False, create_host=False, start_kdc=False, + bdb_only=True, krb5_conf={'dbmodules': {'db': {'unlockiter': 'true'}}}) realm.run(['./unlockiter']) realm.run(['./unlockiter', '-u']) diff --git a/src/tests/t_y2038.py b/src/tests/t_y2038.py new file mode 100644 index 0000000..2eaa191 --- /dev/null +++ b/src/tests/t_y2038.py @@ -0,0 +1,79 @@ +from k5test import * + +# These tests will become much less important after the y2038 boundary +# has elapsed, and may start exhibiting problems around the year 2075. + +if runenv.sizeof_time_t <= 4: + skip_rest('y2038 timestamp tests', 'platform has 32-bit time_t') + +# Start a KDC running roughly 21 years in the future, after the y2038 +# boundary. Set long maximum lifetimes for later tests. +conf = {'realms': {'$realm': {'max_life': '9000d', + 'max_renewable_life': '9000d'}}} +realm = K5Realm(start_kdc=False, kdc_conf=conf) +realm.start_kdc(['-T', '662256000']) + +# kinit without preauth should succeed with clock skew correction, but +# will result in an expired ticket, because we sent an absolute end +# time and didn't get a chance to correct it.. +mark('kinit, no preauth') +realm.kinit(realm.user_princ, password('user')) +realm.run([kvno, realm.host_princ], expected_code=1, + expected_msg='Ticket expired') + +# kinit with preauth should succeed and result in a valid ticket, as +# we get a chance to correct the end time based on the KDC time. Try +# with encrypted timestamp and encrypted challenge. +mark('kinit, with preauth') +realm.run([kadminl, 'modprinc', '+requires_preauth', 'user']) +realm.kinit(realm.user_princ, password('user')) +realm.run([kvno, realm.host_princ]) +realm.kinit(realm.user_princ, password('user'), flags=['-T', realm.ccache]) +realm.run([kvno, realm.host_princ]) + +# Test that expiration warning works after y2038, by setting a +# password expiration time ten minutes after the KDC time. +mark('expiration warning') +realm.run([kadminl, 'modprinc', '-pwexpire', '662256600 seconds', 'user']) +out = realm.kinit(realm.user_princ, password('user')) +if 'will expire in less than one hour' not in out: + fail('password expiration message') +year = int(out.split()[-1]) +if year < 2038 or year > 9999: + fail('password expiration year') + +realm.stop_kdc() +realm.start_kdc() +realm.start_kadmind() +realm.prep_kadmin() + +# Test getdate parsing of absolute timestamps after 2038 and +# marshalling over the kadmin protocol. The local time zone will +# affect the display time by a little bit, so just look for the year. +mark('kadmin marshalling') +realm.run_kadmin(['modprinc', '-pwexpire', '2040-02-03', realm.host_princ]) +realm.run_kadmin(['getprinc', realm.host_princ], expected_msg=' 2040\n') + +# Get a ticket whose lifetime crosses the y2038 boundary and +# range-check the expiration year as reported by klist. +mark('ticket lifetime across y2038') +realm.kinit(realm.user_princ, password('user'), + flags=['-l', '8000d', '-r', '8500d']) +realm.run([kvno, realm.host_princ]) +out = realm.run([klist]) +if int(out.split('\n')[4].split()[2].split('/')[2]) < 39: + fail('unexpected tgt expiration year') +if int(out.split('\n')[5].split()[2].split('/')[2]) < 40: + fail('unexpected tgt rtill year') +if int(out.split('\n')[6].split()[2].split('/')[2]) < 39: + fail('unexpected service ticket expiration year') +if int(out.split('\n')[7].split()[2].split('/')[2]) < 40: + fail('unexpected service ticket rtill year') +realm.kinit(realm.user_princ, None, ['-R']) +out = realm.run([klist]) +if int(out.split('\n')[4].split()[2].split('/')[2]) < 39: + fail('unexpected renewed tgt expiration year') +if int(out.split('\n')[5].split()[2].split('/')[2]) < 40: + fail('unexpected renewed tgt rtill year') + +success('y2038 tests') diff --git a/src/tests/threads/t_rcache.c b/src/tests/threads/t_rcache.c index d6187f0..9d9b1ac 100644 --- a/src/tests/threads/t_rcache.c +++ b/src/tests/threads/t_rcache.c @@ -106,7 +106,6 @@ static void try_one (struct tinfo *t) static void *run_a_loop (void *x) { struct tinfo t = { 0 }; -/* int chr = "ABCDEFGHIJKLMNOPQRSTUVWXYZ_"[(*(int*)x) % 27]; */ t.now = time(0); t.idx = *(int *)x; @@ -117,12 +116,7 @@ static void *run_a_loop (void *x) t.now = time(0); try_one(&t); t.total++; -#if 0 - printf("%c", chr); - fflush(stdout); -#endif } -/* printf("thread %u total %u\n", (unsigned) ((int *)x-ip), t.total);*/ *(int*)x = t.total; return 0; } diff --git a/src/util/Makefile.in b/src/util/Makefile.in index 2611581..b80ffbe 100644 --- a/src/util/Makefile.in +++ b/src/util/Makefile.in @@ -6,7 +6,7 @@ mydir=util SUBDIRS=support $(MAYBE_ET_@COM_ERR_VERSION@) $(MAYBE_SS_@SS_VERSION@) \ profile $(MAYBE_VERTO_@VERTO_VERSION@) ##WIN32##!endif -WINSUBDIRS=windows support et profile wshelper +WINSUBDIRS=windows support et profile BUILDTOP=$(REL).. MAYBE_ET_k5 = et @@ -26,3 +26,4 @@ install: clean-unix:: $(RM) *.pyc + $(RM) -r __pycache__ diff --git a/src/util/def-check.pl b/src/util/def-check.pl index a807e6e..ccdf8ef 100644 --- a/src/util/def-check.pl +++ b/src/util/def-check.pl @@ -62,7 +62,7 @@ while (! $h->eof()) { next LINE; } s/#.*$//; - if (/^} *$/) { + if (/^\} *$/) { next LINE; } # strip comments @@ -86,18 +86,18 @@ while (! $h->eof()) { if (/^[ \t]*$/) { next LINE; } - if (/^ *extern "C" {/) { + if (/^ *extern "C" \{/) { next LINE; } s/KRB5_ATTR_DEPRECATED//; # elide struct definitions Struct1: - if (/{[^}]*}/) { - s/{[^}]*}/ /g; + if (/\{[^}]*\}/) { + s/\{[^}]*\}/ /g; goto Struct1; } # multi-line defs - if (/{/) { + if (/\{/) { $_ .= "\n"; $len1 = length; $_ .= $h->getline(); diff --git a/src/util/depfix.pl b/src/util/depfix.pl index c8df54c..9982fa0 100644 --- a/src/util/depfix.pl +++ b/src/util/depfix.pl @@ -147,7 +147,7 @@ sub do_subs_2 { s;com_err.h ;\$(COM_ERR_DEPS) ;g; } if ($thisdir eq "lib/krb5/ccache") { - # These files are only used (and kcmrpc.h only generated) on OS X. + # These files are only used (and kcmrpc.h only generated) on macOS. # There are conditional dependencies in Makefile.in. s;kcmrpc.h ;;g; s;kcmrpc_types.h ;;g; diff --git a/src/util/k5test.py b/src/util/k5test.py index c3d0263..3aec1ef 100644 --- a/src/util/k5test.py +++ b/src/util/k5test.py @@ -118,6 +118,9 @@ keyword arguments: * get_creds=False: Don't get user credentials. +* bdb_only=True: Use the DB2 KDB module even if K5TEST_LMDB is set in + the environment. + Scripts may use the following functions and variables: * fail(message): Display message (plus leading marker and trailing @@ -141,6 +144,11 @@ Scripts may use the following functions and variables: added newline) in testlog, and write it to stdout if running verbosely. +* mark(message): Place a divider message in the test output, to make + it easier to determine what part of the test script a command + invocation belongs to. The last mark message will also be displayed + if a command invocation fails. Do not include a newline in message. + * which(progname): Return the location of progname in the executable path, or None if it is not found. @@ -160,6 +168,12 @@ Scripts may use the following functions and variables: honored. If keywords contains krb5_conf and/or kdc_conf fragments, they will be merged with the default and per-pass specifications. +* multidb_realms(**keywords): Yields a realm for multiple DB modules. + Currently DB2 and LMDB are included. Ideally LDAP would be + included, but setting up a test LDAP server currently requires a + one-second delay, so all LDAP tests are currently confined to + t_kdb.py. keywords may contain any K5Realm initializer. + * cross_realms(num, xtgts=None, args=None, **keywords): This function returns a list of num realms, where each realm's configuration knows how to contact all of the realms. By default, each realm will @@ -223,8 +237,11 @@ Scripts may use the following realm methods and attributes: command-line debugging options. Fail if the command does not return 0. Log the command output appropriately, and return it as a single multi-line string. Keyword arguments can contain input='string' to - send an input string to the command, and expected_code=N to expect a - return code other than 0. + send an input string to the command, expected_code=N to expect a + return code other than 0, expected_msg=MSG to expect a substring in + the command output, and expected_trace=('a', 'b', ...) to expect an + ordered series of line substrings in the command's KRB5_TRACE + output. * realm.kprop_port(): Returns a port number based on realm.portbase intended for use by kprop and kpropd. @@ -305,13 +322,13 @@ Scripts may use the following realm methods and attributes: or similar methods. * realm.start_kpropd(env, args=[]): Start a kpropd process. Pass an - environment created with realm.special_env() for the slave. If args - is given, it contains a list of additional kpropd arguments. + environment created with realm.special_env() for the replica. If + args is given, it contains a list of additional kpropd arguments. Returns a handle to the kpropd process. * realm.run_kpropd_once(env, args=[]): Run kpropd once, using the -t flag. Pass an environment created with realm.special_env() for the - slave. If args is given, it contains a list of additional kpropd + replica. If args is given, it contains a list of additional kpropd arguments. Returns the kpropd output. * realm.realm: The realm's name. @@ -372,14 +389,18 @@ import imp def fail(msg): """Print a message and exit with failure.""" global _current_pass - print "*** Failure:", msg + print("*** Failure:", msg) + if _last_mark: + print("*** Last mark: %s" % _last_mark) if _last_cmd: - print "*** Last command (#%d): %s" % (_cmd_index - 1, _last_cmd) + print("*** Last command (#%d): %s" % (_cmd_index - 1, _last_cmd)) if _last_cmd_output: - print "*** Output of last command:" + print("*** Output of last command:") sys.stdout.write(_last_cmd_output) if _current_pass: - print "*** Failed in test pass:", _current_pass + print("*** Failed in test pass:", _current_pass) + if _current_db: + print("*** Failed with db:", _current_db) sys.exit(1) @@ -389,6 +410,12 @@ def success(msg): _success = True +def mark(msg): + global _last_mark + output('\n====== %s ======\n' % msg) + _last_mark = msg + + def skipped(whatmsg, whymsg): output('*** Skipping: %s: %s\n' % (whatmsg, whymsg), force_verbose=True) f = open(os.path.join(buildtop, 'skiptests'), 'a') @@ -441,6 +468,7 @@ def _onexit(): if _debug or _stop_before or _stop_after or _shell_before or _shell_after: # Wait before killing daemons in case one is being debugged. sys.stdout.write('*** Press return to kill daemons and exit script: ') + sys.stdout.flush() sys.stdin.readline() for proc in _daemons: os.kill(proc.pid, signal.SIGTERM) @@ -449,15 +477,16 @@ def _onexit(): if not verbose: testlogfile = os.path.join(os.getcwd(), 'testlog') utildir = os.path.join(srctop, 'util') - print 'For details, see: %s' % testlogfile - print 'Or re-run this test script with the -v flag:' - print ' cd %s' % os.getcwd() - print ' PYTHONPATH=%s %s %s -v' % \ - (utildir, sys.executable, sys.argv[0]) - print - print 'Use --debug=NUM to run a command under a debugger. Use' - print '--stop-after=NUM to stop after a daemon is started in order to' - print 'attach to it with a debugger. Use --help to see other options.' + print('For details, see: %s' % testlogfile) + print('Or re-run this test script with the -v flag:') + print(' cd %s' % os.getcwd()) + print(' PYTHONPATH=%s %s %s -v' % + (utildir, sys.executable, sys.argv[0])) + print() + print('Use --debug=NUM to run a command under a debugger. Use') + print('--stop-after=NUM to stop after a daemon is started in order to') + print('attach to it with a debugger. Use --help to see other') + print('options.') def _onsigint(signum, frame): @@ -507,8 +536,8 @@ def _get_hostname(): hostname = socket.gethostname() try: ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME) - except socket.gaierror, (error, errstr): - fail('Local hostname "%s" does not resolve: %s.' % (hostname, errstr)) + except socket.gaierror as e: + fail('Local hostname "%s" does not resolve: %s.' % (hostname, e[1])) (family, socktype, proto, canonname, sockaddr) = ai[0] try: name = socket.getnameinfo(sockaddr, socket.NI_NAMEREQD) @@ -578,7 +607,7 @@ def _match_cmdnum(cmdnum, ind): def _build_env(): global buildtop, runenv env = os.environ.copy() - for (k, v) in runenv.env.iteritems(): + for (k, v) in runenv.env.items(): if v.find('./') == 0: env[k] = os.path.join(buildtop, v) else: @@ -641,16 +670,38 @@ def _valgrind(args): def _stop_or_shell(stop, shell, env, ind): if (_match_cmdnum(stop, ind)): sys.stdout.write('*** [%d] Waiting for return: ' % ind) + sys.stdout.flush() sys.stdin.readline() if (_match_cmdnum(shell, ind)): output('*** [%d] Spawning shell\n' % ind, True) subprocess.call(os.getenv('SHELL'), env=env) -def _run_cmd(args, env, input=None, expected_code=0): +# Read tracefile and look for the expected strings in successive lines. +def _check_trace(tracefile, expected): + output('*** Trace output for previous command:\n') + i = 0 + with open(tracefile, 'r') as f: + for line in f: + output(line) + if i < len(expected) and expected[i] in line: + i += 1 + if i < len(expected): + fail('Expected string not found in trace output: ' + expected[i]) + + +def _run_cmd(args, env, input=None, expected_code=0, expected_msg=None, + expected_trace=None): global null_input, _cmd_index, _last_cmd, _last_cmd_output, _debug global _stop_before, _stop_after, _shell_before, _shell_after + if expected_trace is not None: + tracefile = 'testtrace' + if os.path.exists(tracefile): + os.remove(tracefile) + env = env.copy() + env['KRB5_TRACE'] = tracefile + if (_match_cmdnum(_debug, _cmd_index)): return _debug_cmd(args, env, input) @@ -667,7 +718,8 @@ def _run_cmd(args, env, input=None, expected_code=0): # Run the command and log the result, folding stderr into stdout. proc = subprocess.Popen(args, stdin=infile, stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, env=env) + stderr=subprocess.STDOUT, env=env, + universal_newlines=True) (outdata, dummy_errdata) = proc.communicate(input) _last_cmd_output = outdata code = proc.returncode @@ -679,6 +731,13 @@ def _run_cmd(args, env, input=None, expected_code=0): # Check the return code and return the output. if code != expected_code: fail('%s failed with code %d.' % (args[0], code)) + + if expected_msg is not None and expected_msg not in outdata: + fail('Expected string not found in command output: ' + expected_msg) + + if expected_trace is not None: + _check_trace(tracefile, expected_trace) + return outdata @@ -690,10 +749,10 @@ def _debug_cmd(args, env, input): (_cmd_index, _shell_equiv(args)), True) if input: print - print '*** Enter the following input when appropriate:' - print - print input - print + print('*** Enter the following input when appropriate:') + print() + print(input) + print() code = subprocess.call(args, env=env) output('*** [%d] Completed in debugger with return code %d\n' % (_cmd_index, code)) @@ -721,7 +780,8 @@ def _start_daemon(args, env, sentinel): # Start the daemon and look for the sentinel in stdout or stderr. proc = subprocess.Popen(args, stdin=null_input, stdout=subprocess.PIPE, - stderr=subprocess.STDOUT, env=env) + stderr=subprocess.STDOUT, env=env, + universal_newlines=True) _last_cmd_output = '' while True: line = proc.stdout.readline() @@ -766,8 +826,9 @@ class K5Realm(object): krb5_conf=None, kdc_conf=None, create_kdb=True, krbtgt_keysalt=None, create_user=True, get_creds=True, create_host=True, start_kdc=True, start_kadmind=False, - start_kpropd=False): + start_kpropd=False, bdb_only=False): global hostname, _default_krb5_conf, _default_kdc_conf + global _lmdb_kdc_conf, _current_db self.realm = realm self.testdir = os.path.join(os.getcwd(), testdir) @@ -782,7 +843,11 @@ class K5Realm(object): self.ccache = os.path.join(self.testdir, 'ccache') self.kadmin_ccache = os.path.join(self.testdir, 'kadmin_ccache') self._krb5_conf = _cfg_merge(_default_krb5_conf, krb5_conf) - self._kdc_conf = _cfg_merge(_default_kdc_conf, kdc_conf) + base_kdc_conf = _default_kdc_conf + if (os.getenv('K5TEST_LMDB') is not None and + not bdb_only and not _current_db): + base_kdc_conf = _cfg_merge(base_kdc_conf, _lmdb_kdc_conf) + self._kdc_conf = _cfg_merge(base_kdc_conf, kdc_conf) self._kdc_proc = None self._kadmind_proc = None self._kpropd_procs = [] @@ -954,16 +1019,20 @@ class K5Realm(object): self._kadmind_proc = None def _kpropd_args(self): - slavedump_path = os.path.join(self.testdir, 'incoming-slave-datatrans') + datatrans_path = os.path.join(self.testdir, 'incoming-datatrans') kpropdacl_path = os.path.join(self.testdir, 'kpropd-acl') return [kpropd, '-D', '-P', str(self.kprop_port()), - '-f', slavedump_path, '-p', kdb5_util, '-a', kpropdacl_path] + '-f', datatrans_path, '-p', kdb5_util, '-a', kpropdacl_path] def start_kpropd(self, env, args=[]): proc = _start_daemon(self._kpropd_args() + args, env, 'ready') self._kpropd_procs.append(proc) return proc + def stop_kpropd(self, proc): + stop_daemon(proc) + self._kpropd_procs.remove(proc) + def run_kpropd_once(self, env, args=[]): return self.run(self._kpropd_args() + ['-t'] + args, env=env) @@ -1058,6 +1127,20 @@ def multipass_realms(**keywords): _current_pass = None +def multidb_realms(**keywords): + global _current_db, _dbpasses + caller_kdc_conf = keywords.get('kdc_conf') + for p in _dbpasses: + (name, kdc_conf) = p + output('*** Using DB type %s\n' % name) + keywords['kdc_conf'] = _cfg_merge(kdc_conf, caller_kdc_conf) + _current_db = name + realm = K5Realm(**keywords) + yield realm + realm.stop() + _current_db = None + + def cross_realms(num, xtgts=None, args=None, **keywords): # Build keyword args for each realm. realm_args = [] @@ -1154,6 +1237,10 @@ _default_kdc_conf = { 'default': 'FILE:$testdir/others.log'}} +_lmdb_kdc_conf = {'dbmodules': {'db': {'db_library': 'klmdb', + 'nosync': 'true'}}} + + # A pass is a tuple of: name, krbtgt_keysalt, krb5_conf, kdc_conf. _passes = [ # No special settings; exercises AES256. @@ -1238,12 +1325,14 @@ _passes = [ _success = False _current_pass = None +_current_db = None _daemons = [] _parse_args() atexit.register(_onexit) signal.signal(signal.SIGINT, _onsigint) _outfile = open('testlog', 'w') _cmd_index = 1 +_last_mark = None _last_cmd = None _last_cmd_output = None buildtop = _find_buildtop() @@ -1253,6 +1342,11 @@ runenv = _import_runenv() hostname = _get_hostname() null_input = open(os.devnull, 'r') +# A DB pass is a tuple of: name, kdc_conf. +_dbpasses = [('db2', None)] +if runenv.have_lmdb == 'yes': + _dbpasses.append(('lmdb', _lmdb_kdc_conf)) + krb5kdc = os.path.join(buildtop, 'kdc', 'krb5kdc') kadmind = os.path.join(buildtop, 'kadmin', 'server', 'kadmind') kadmin = os.path.join(buildtop, 'kadmin', 'cli', 'kadmin') @@ -1268,6 +1362,6 @@ kvno = os.path.join(buildtop, 'clients', 'kvno', 'kvno') kdestroy = os.path.join(buildtop, 'clients', 'kdestroy', 'kdestroy') kpasswd = os.path.join(buildtop, 'clients', 'kpasswd', 'kpasswd') t_inetd = os.path.join(buildtop, 'tests', 'dejagnu', 't_inetd') -kproplog = os.path.join(buildtop, 'slave', 'kproplog') -kpropd = os.path.join(buildtop, 'slave', 'kpropd') -kprop = os.path.join(buildtop, 'slave', 'kprop') +kproplog = os.path.join(buildtop, 'kprop', 'kproplog') +kpropd = os.path.join(buildtop, 'kprop', 'kpropd') +kprop = os.path.join(buildtop, 'kprop', 'kprop') diff --git a/src/util/paste-kdcproxy.py b/src/util/paste-kdcproxy.py index 1e56b89..30467fd 100755 --- a/src/util/paste-kdcproxy.py +++ b/src/util/paste-kdcproxy.py @@ -1,4 +1,3 @@ -#!/usr/bin/python import kdcproxy from paste import httpserver import os diff --git a/src/util/princflags.py b/src/util/princflags.py index f568dd2..f645e86 100644 --- a/src/util/princflags.py +++ b/src/util/princflags.py @@ -1,5 +1,4 @@ import re -import string # Module for translating KDB principal flags between string and # integer forms. @@ -81,7 +80,7 @@ _prefixlen = len(_prefix) _flagnames = {} # Translation table to map hyphens to underscores -_squash = string.maketrans('-', '_') +_squash = str.maketrans('-', '_') # Combined input-to-flag lookup table, to be filled in by # _setup_tables() @@ -176,7 +175,7 @@ def flagnum2str(n): # Return a list of flag names from a flag word. def flags2namelist(flags): a = [] - for n in xrange(32): + for n in range(32): if flags & (1 << n): a.append(flagnum2str(n)) return a @@ -225,21 +224,21 @@ def speclist2mask(s): # Print C table of input flag specifiers for lib/kadm5/str_conv.c. def _print_ftbl(): - print 'static const struct flag_table_row ftbl[] = {' - a = sorted(pflags.items(), key=lambda (k, v): (v.flag, -v.invert, k)) + print('static const struct flag_table_row ftbl[] = {') + a = sorted(pflags.items(), key=lambda k, v: (v.flag, -v.invert, k)) for k, v in a: s1 = ' {"%s",' % k s2 = '%-31s KRB5_KDB_%s,' % (s1, v.flagname()) - print '%-63s %d},' % (s2, 1 if v.invert else 0) + print('%-63s %d},' % (s2, 1 if v.invert else 0)) - print '};' - print '#define NFTBL (sizeof(ftbl) / sizeof(ftbl[0]))' + print('};') + print('#define NFTBL (sizeof(ftbl) / sizeof(ftbl[0]))') # Print C table of output flag names for lib/kadm5/str_conv.c. def _print_outflags(): - print 'static const char *outflags[] = {' - for i in xrange(32): + print('static const char *outflags[] = {') + for i in range(32): flag = 1 << i if flag > max(_flagnames.keys()): break @@ -247,10 +246,10 @@ def _print_outflags(): s = ' "%s",' % _flagnames[flag] except KeyError: s = ' NULL,' - print '%-32s/* 0x%08x */' % (s, flag) + print('%-32s/* 0x%08x */' % (s, flag)) - print '};' - print '#define NOUTFLAGS (sizeof(outflags) / sizeof(outflags[0]))' + print('};') + print('#define NOUTFLAGS (sizeof(outflags) / sizeof(outflags[0]))') # Print out C tables to insert into lib/kadm5/str_conv.c. diff --git a/src/util/profile/prof_file.c b/src/util/profile/prof_file.c index 907c119..24e41fb 100644 --- a/src/util/profile/prof_file.c +++ b/src/util/profile/prof_file.c @@ -78,39 +78,6 @@ void profile_library_finalizer(void) static void profile_free_file_data(prf_data_t); -#if 0 - -#define scan_shared_trees_locked() \ - { \ - prf_data_t d; \ - k5_mutex_assert_locked(&g_shared_trees_mutex); \ - for (d = g_shared_trees; d; d = d->next) { \ - assert(d->magic == PROF_MAGIC_FILE_DATA); \ - assert((d->flags & PROFILE_FILE_SHARED) != 0); \ - assert(d->filespec[0] != 0); \ - assert(d->fslen <= 1000); /* XXX */ \ - assert(d->filespec[d->fslen] == 0); \ - assert(d->fslen = strlen(d->filespec)); \ - assert(d->root != NULL); \ - } \ - } - -#define scan_shared_trees_unlocked() \ - { \ - int r; \ - r = k5_mutex_lock(&g_shared_trees_mutex); \ - assert (r == 0); \ - scan_shared_trees_locked(); \ - k5_mutex_unlock(&g_shared_trees_mutex); \ - } - -#else - -#define scan_shared_trees_locked() { ; } -#define scan_shared_trees_unlocked() { ; } - -#endif - static int rw_access(const_profile_filespec_t filespec) { #ifdef HAVE_ACCESS @@ -208,8 +175,6 @@ errcode_t profile_open_file(const_profile_filespec_t filespec, if (retval) return retval; - scan_shared_trees_unlocked(); - prf = malloc(sizeof(struct _prf_file_t)); if (!prf) return ENOMEM; @@ -243,7 +208,6 @@ errcode_t profile_open_file(const_profile_filespec_t filespec, } k5_mutex_lock(&g_shared_trees_mutex); - scan_shared_trees_locked(); for (data = g_shared_trees; data; data = data->next) { if (!strcmp(data->filespec, expanded_filename) /* Check that current uid has read access. */ @@ -263,7 +227,6 @@ errcode_t profile_open_file(const_profile_filespec_t filespec, } prf->data = data; *ret_prof = prf; - scan_shared_trees_unlocked(); return 0; } k5_mutex_unlock(&g_shared_trees_mutex); @@ -290,11 +253,9 @@ errcode_t profile_open_file(const_profile_filespec_t filespec, } k5_mutex_lock(&g_shared_trees_mutex); - scan_shared_trees_locked(); data->flags |= PROFILE_FILE_SHARED; data->next = g_shared_trees; g_shared_trees = data; - scan_shared_trees_locked(); k5_mutex_unlock(&g_shared_trees_mutex); *ret_prof = prf; @@ -312,6 +273,9 @@ errcode_t profile_update_file_data_locked(prf_data_t data, char **ret_modspec) FILE *f; int isdir = 0; + if ((data->flags & PROFILE_FILE_NO_RELOAD) && data->root != NULL) + return 0; + #ifdef HAVE_STAT now = time(0); if (now == data->last_stat && data->root != NULL) { @@ -339,6 +303,10 @@ errcode_t profile_update_file_data_locked(prf_data_t data, char **ret_modspec) profile_free_node(data->root); data->root = 0; } + + /* Only try to reload regular files, not devices such as pipes. */ + if ((st.st_mode & S_IFMT) != S_IFREG) + data->flags |= PROFILE_FILE_NO_RELOAD; #else /* * If we don't have the stat() call, assume that our in-core @@ -362,7 +330,7 @@ errcode_t profile_update_file_data_locked(prf_data_t data, char **ret_modspec) } data->upd_serial++; - data->flags &= PROFILE_FILE_SHARED; /* FIXME same as '=' operator */ + data->flags &= ~PROFILE_FILE_DIRTY; if (isdir) { retval = profile_process_directory(data->filespec, &data->root); @@ -536,11 +504,9 @@ void profile_dereference_data(prf_data_t data) } void profile_dereference_data_locked(prf_data_t data) { - scan_shared_trees_locked(); data->refcount--; if (data->refcount == 0) profile_free_file_data(data); - scan_shared_trees_locked(); } void profile_lock_global() @@ -561,7 +527,6 @@ void profile_free_file(prf_file_t prf) /* Call with mutex locked! */ static void profile_free_file_data(prf_data_t data) { - scan_shared_trees_locked(); if (data->flags & PROFILE_FILE_SHARED) { /* Remove from linked list. */ if (g_shared_trees == data) @@ -585,7 +550,6 @@ static void profile_free_file_data(prf_data_t data) data->magic = 0; k5_mutex_destroy(&data->lock); free(data); - scan_shared_trees_locked(); } errcode_t profile_close_file(prf_file_t prf) diff --git a/src/util/profile/prof_int.h b/src/util/profile/prof_int.h index 73f7fad..b42fd7b 100644 --- a/src/util/profile/prof_int.h +++ b/src/util/profile/prof_int.h @@ -72,11 +72,8 @@ typedef struct _prf_file_t *prf_file_t; /* * The profile flags - * - * Deprecated use of read/write profile flag. - * Check whether file is writable lazily so we don't call access as often. */ -#define PROFILE_FILE_DEPRECATED_RW 0x0001 +#define PROFILE_FILE_NO_RELOAD 0x0001 #define PROFILE_FILE_DIRTY 0x0002 #define PROFILE_FILE_SHARED 0x0004 diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c index 1baceea..531e4a0 100644 --- a/src/util/profile/prof_parse.c +++ b/src/util/profile/prof_parse.c @@ -246,59 +246,22 @@ static int valid_name(const char *filename) * Include files within dirname. Only files with names ending in ".conf", or * consisting entirely of alphanumeric characters, dashes, and underscores are * included. This restriction avoids including editor backup files, .rpmsave - * files, and the like. + * files, and the like. Files are processed in alphanumeric order. */ static errcode_t parse_include_dir(const char *dirname, struct profile_node *root_section) { -#ifdef _WIN32 - char *wildcard = NULL, *pathname; - WIN32_FIND_DATA ffd; - HANDLE handle; errcode_t retval = 0; + char **fnames, *pathname; + int i; - if (asprintf(&wildcard, "%s\\*", dirname) < 0) - return ENOMEM; - - handle = FindFirstFile(wildcard, &ffd); - if (handle == INVALID_HANDLE_VALUE) { - retval = PROF_FAIL_INCLUDE_DIR; - goto cleanup; - } - - do { - if (!valid_name(ffd.cFileName)) - continue; - if (asprintf(&pathname, "%s\\%s", dirname, ffd.cFileName) < 0) { - retval = ENOMEM; - break; - } - retval = parse_include_file(pathname, root_section); - free(pathname); - if (retval) - break; - } while (FindNextFile(handle, &ffd) != 0); - - FindClose(handle); - -cleanup: - free(wildcard); - return retval; - -#else /* not _WIN32 */ - - DIR *dir; - char *pathname; - errcode_t retval = 0; - struct dirent *ent; - - dir = opendir(dirname); - if (dir == NULL) + if (k5_dir_filenames(dirname, &fnames) != 0) return PROF_FAIL_INCLUDE_DIR; - while ((ent = readdir(dir)) != NULL) { - if (!valid_name(ent->d_name)) + + for (i = 0; fnames != NULL && fnames[i] != NULL; i++) { + if (!valid_name(fnames[i])) continue; - if (asprintf(&pathname, "%s/%s", dirname, ent->d_name) < 0) { + if (asprintf(&pathname, "%s/%s", dirname, fnames[i]) < 0) { retval = ENOMEM; break; } @@ -307,9 +270,8 @@ cleanup: if (retval) break; } - closedir(dir); + k5_free_filenames(fnames); return retval; -#endif /* not _WIN32 */ } static errcode_t parse_line(char *line, struct parse_state *state, diff --git a/src/util/profile/prof_test1 b/src/util/profile/prof_test1 index 7e30fc1..fc67571 100644 --- a/src/util/profile/prof_test1 +++ b/src/util/profile/prof_test1 @@ -341,6 +341,28 @@ proc test9 {} { puts "OK: test9: profile_flush_to_file with no changes" } +proc test10 {} { + global wd verbose + + # Regression test for #7863: multiply-specified subsections should + # be merged. + set p [profile_init_path $wd/test2.ini] + set x [profile_get_values $p {{test section 2} child_section2 child}] + if $verbose { puts "Read $x from profile" } + if ![string equal $x "slick harry {john\tb } ron"] { + puts stderr "Error: test10: Did not get expected merged children." + exit 1 + } + + set x [profile_get_string $p {test section 2} child_section2 chores] + if $verbose { puts "Read $x from profile" } + if ![string equal $x "cleaning"] { + puts stderr "Error: test10: Did not find expected chores." + exit 1 + } + profile_release $p +} + test1 test2 test3 @@ -350,5 +372,6 @@ test6 test7 test8 test9 +test10 exit 0 diff --git a/src/util/profile/prof_tree.c b/src/util/profile/prof_tree.c index 081f688..38aadc4 100644 --- a/src/util/profile/prof_tree.c +++ b/src/util/profile/prof_tree.c @@ -9,7 +9,7 @@ * * Each node may represent either a relation or a section header. * - * A section header must have its value field set to 0, and may a one + * A section header must have its value field be null, and may have one * or more child nodes, pointed to by first_child. * * A relation has as its value a pointer to allocated memory @@ -159,15 +159,22 @@ errcode_t profile_add_node(struct profile_node *section, const char *name, return PROF_ADD_NOT_SECTION; /* - * Find the place to insert the new node. We look for the - * place *after* the last match of the node name, since + * Find the place to insert the new node. If we are adding a subsection + * and already have a subsection with that name, merge them. Otherwise, + * we look for the place *after* the last match of the node name, since * order matters. */ for (p=section->first_child, last = 0; p; last = p, p = p->next) { int cmp; cmp = strcmp(p->name, name); - if (cmp > 0) + if (cmp > 0) { break; + } else if (value == NULL && cmp == 0 && + p->value == NULL && p->deleted != 1) { + /* Found duplicate subsection, so don't make a new one. */ + *ret_node = p; + return 0; + } } retval = profile_create_node(name, value, &new); if (retval) diff --git a/src/util/profile/profile_tcl.c b/src/util/profile/profile_tcl.c index cac4627..de61bae 100644 --- a/src/util/profile/profile_tcl.c +++ b/src/util/profile/profile_tcl.c @@ -544,14 +544,14 @@ SWIG_MangledTypeQueryModule(swig_module_info *start, swig_module_info *iter = start; do { if (iter->size) { - register size_t l = 0; - register size_t r = iter->size - 1; + size_t l = 0; + size_t r = iter->size - 1; do { /* since l+r >= 0, we can (>> 1) instead (/ 2) */ - register size_t i = (l + r) >> 1; + size_t i = (l + r) >> 1; const char *iname = iter->types[i]->name; if (iname) { - register int compare = strcmp(name, iname); + int compare = strcmp(name, iname); if (compare == 0) { return iter->types[i]; } else if (compare < 0) { @@ -595,7 +595,7 @@ SWIG_TypeQueryModule(swig_module_info *start, of the str field (the human readable name) */ swig_module_info *iter = start; do { - register size_t i = 0; + size_t i = 0; for (; i < iter->size; ++i) { if (iter->types[i]->str && (SWIG_TypeEquiv(iter->types[i]->str, name))) return iter->types[i]; @@ -614,10 +614,10 @@ SWIG_TypeQueryModule(swig_module_info *start, SWIGRUNTIME char * SWIG_PackData(char *c, void *ptr, size_t sz) { static const char hex[17] = "0123456789abcdef"; - register const unsigned char *u = (unsigned char *) ptr; - register const unsigned char *eu = u + sz; + const unsigned char *u = (unsigned char *) ptr; + const unsigned char *eu = u + sz; for (; u != eu; ++u) { - register unsigned char uu = *u; + unsigned char uu = *u; *(c++) = hex[(uu & 0xf0) >> 4]; *(c++) = hex[uu & 0xf]; } @@ -629,11 +629,11 @@ SWIG_PackData(char *c, void *ptr, size_t sz) { */ SWIGRUNTIME const char * SWIG_UnpackData(const char *c, void *ptr, size_t sz) { - register unsigned char *u = (unsigned char *) ptr; - register const unsigned char *eu = u + sz; + unsigned char *u = (unsigned char *) ptr; + const unsigned char *eu = u + sz; for (; u != eu; ++u) { - register char d = *(c++); - register unsigned char uu; + char d = *(c++); + unsigned char uu; if ((d >= '0') && (d <= '9')) uu = ((d - '0') << 4); else if ((d >= 'a') && (d <= 'f')) @@ -2234,6 +2234,7 @@ _wrap_profile_get_string(ClientData clientData SWIGUNUSED, Tcl_Interp *interp, i char *s = (arg6 && *arg6) ? *arg6 : ""; Tcl_ListObjAppendElement(interp, Tcl_GetObjResult(interp), Tcl_NewStringObj(s, strlen(s))); + profile_release_string(s); } if (alloc2 == SWIG_NEWOBJ) free((char*)buf2); if (alloc3 == SWIG_NEWOBJ) free((char*)buf3); @@ -3102,8 +3103,6 @@ SWIG_InitializeModule(void *clientdata) { swig_module_info *module_head, *iter; int found, init; - clientdata = clientdata; - /* check to see if the circular list has been setup, if not, set it up */ if (swig_module.next==0) { /* Initialize the swig_module */ diff --git a/src/util/profile/test.ini b/src/util/profile/test.ini index 23ca896..6622df1 100644 --- a/src/util/profile/test.ini +++ b/src/util/profile/test.ini @@ -10,6 +10,12 @@ this is a comment. Everything up to the first square brace is ignored. } child_section2 = foo +[test section 2] + child_section2 = { + child = ron + chores = cleaning + } + [realms] ATHENA.MIT.EDU = { server = KERBEROS.MIT.EDU:88 diff --git a/src/util/ss/cmd_tbl.lex.l b/src/util/ss/cmd_tbl.lex.l index b47085e..af01328 100644 --- a/src/util/ss/cmd_tbl.lex.l +++ b/src/util/ss/cmd_tbl.lex.l @@ -65,7 +65,7 @@ static l_end() static l_quoted_string() { - register char *p; + char *p; yylval.dynstr = strdup(yytext+1); if (p=strrchr(yylval.dynstr, '"')) *p='\0'; diff --git a/src/util/ss/data.c b/src/util/ss/data.c index 1a56dc7..e0b0995 100644 --- a/src/util/ss/data.c +++ b/src/util/ss/data.c @@ -10,8 +10,5 @@ #include "ss_internal.h" #include "copyright.h" -const static char copyright[] = - "Copyright 1987, 1988, 1989 by the Massachusetts Institute of Technology"; - ss_data **_ss_table = (ss_data **)NULL; char *_ss_pager_name = (char *)NULL; diff --git a/src/util/ss/deps b/src/util/ss/deps index f30420f..7705e25 100644 --- a/src/util/ss/deps +++ b/src/util/ss/deps @@ -63,7 +63,7 @@ utils.so utils.po $(OUTPRE)utils.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ ss_internal.h utils.c options.so options.po $(OUTPRE)options.$(OBJEXT): $(BUILDTOP)/include/ss/ss_err.h \ $(COM_ERR_DEPS) copyright.h options.c ss.h -cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.h +cmd_tbl.lex.o: cmd_tbl.lex.c ct.tab.o: $(BUILDTOP)/include/ss/ss_err.h $(COM_ERR_DEPS) \ ct.tab.c ss.h ss_err.so ss_err.po $(OUTPRE)ss_err.$(OBJEXT): $(COM_ERR_DEPS) \ diff --git a/src/util/ss/error.c b/src/util/ss/error.c index 6d5f69a..b5768a6 100644 --- a/src/util/ss/error.c +++ b/src/util/ss/error.c @@ -36,7 +36,7 @@ char * ss_name(sci_idx) int sci_idx; { - register ss_data *infop; + ss_data *infop; infop = ss_info(sci_idx); if (infop->current_request == (char const *)NULL) { @@ -52,7 +52,7 @@ char * ss_name(sci_idx) void ss_error (int sci_idx, long code, const char * fmt, ...) { - register char *whoami; + char *whoami; va_list pvar; va_start (pvar, fmt); whoami = ss_name (sci_idx); diff --git a/src/util/ss/execute_cmd.c b/src/util/ss/execute_cmd.c index 6c3855c..c06ee56 100644 --- a/src/util/ss/execute_cmd.c +++ b/src/util/ss/execute_cmd.c @@ -53,14 +53,14 @@ */ static int check_request_table (rqtbl, argc, argv, sci_idx) - register ss_request_table *rqtbl; + ss_request_table *rqtbl; int argc; char *argv[]; int sci_idx; { - register ss_request_entry *request; - register ss_data *info; - register char const * const * name; + ss_request_entry *request; + ss_data *info; + char const *const *name; char *string = argv[0]; int i; @@ -106,8 +106,8 @@ static int really_execute_command (sci_idx, argc, argv) int argc; char **argv[]; { - register ss_request_table **rqtbl; - register ss_data *info; + ss_request_table **rqtbl; + ss_data *info; info = ss_info(sci_idx); @@ -137,9 +137,9 @@ static int really_execute_command (sci_idx, argc, argv) int ss_execute_command(sci_idx, argv) int sci_idx; - register char *argv[]; + char *argv[]; { - register unsigned int i, argc; + unsigned int i, argc; char **argp; int ret; @@ -147,6 +147,8 @@ ss_execute_command(sci_idx, argv) for (argp = argv; *argp; argp++) argc++; argp = (char **)malloc((argc+1)*sizeof(char *)); + if (argp == NULL) + return(ENOMEM); for (i = 0; i <= argc; i++) argp[i] = argv[i]; ret = really_execute_command(sci_idx, argc, &argp); diff --git a/src/util/ss/help.c b/src/util/ss/help.c index 4463ad4..6d333c9 100644 --- a/src/util/ss/help.c +++ b/src/util/ss/help.c @@ -25,8 +25,8 @@ void ss_help (argc, argv, sci_idx, info_ptr) char const *request_name; int code; int fd, child; - register int idx; - register ss_data *info; + int idx; + ss_data *info; request_name = ss_current_request(sci_idx, &code); if (code != 0) { @@ -102,10 +102,10 @@ got_it: char *info_dir; int *code_ptr; { - register ss_data *info; + ss_data *info; DIR *d; int n_dirs; - register char **dirs; + char **dirs; info = ss_info(sci_idx); if ((info_dir == NULL) || (*info_dir == '\0')) { @@ -138,8 +138,8 @@ got_it: char *info_dir; int *code_ptr; { - register char **i_d; - register char **info_dirs; + char **i_d; + char **info_dirs; info_dirs = ss_info(sci_idx)->info_dirs; for (i_d = info_dirs; *i_d; i_d++) { diff --git a/src/util/ss/invocation.c b/src/util/ss/invocation.c index d9c4ea5..378bc3e 100644 --- a/src/util/ss/invocation.c +++ b/src/util/ss/invocation.c @@ -43,9 +43,9 @@ int ss_create_invocation(subsystem_name, version_string, info_ptr, ss_request_table *request_table_ptr; int *code_ptr; { - register int sci_idx; - register ss_data *new_table; - register ss_data **table, **tmp; + int sci_idx; + ss_data *new_table; + ss_data **table, **tmp; *code_ptr = 0; table = _ss_table; @@ -118,7 +118,7 @@ void ss_delete_invocation(sci_idx) int sci_idx; { - register ss_data *t; + ss_data *t; int ignored_code; t = ss_info(sci_idx); diff --git a/src/util/ss/list_rqs.c b/src/util/ss/list_rqs.c index d5b3c87..fe5f149 100644 --- a/src/util/ss/list_rqs.c +++ b/src/util/ss/list_rqs.c @@ -31,10 +31,10 @@ ss_list_requests(argc, argv, sci_idx, info_ptr) char *info_ptr; #endif { - register ss_request_entry *entry; - register char const * const *name; - register int spacing; - register ss_request_table **table; + ss_request_entry *entry; + char const *const *name; + int spacing; + ss_request_table **table; char buffer[BUFSIZ]; FILE *output; @@ -90,7 +90,7 @@ ss_list_requests(argc, argv, sci_idx, info_ptr) continue; buffer[sizeof(buffer) - 1] = '\0'; for (name = entry->command_names; *name; name++) { - register int len = strlen(*name); + int len = strlen(*name); strncat(buffer, *name, sizeof(buffer) - 1 - strlen(buffer)); spacing += len + 2; if (name[1]) { diff --git a/src/util/ss/listen.c b/src/util/ss/listen.c index 75b9044..879ebcf 100644 --- a/src/util/ss/listen.c +++ b/src/util/ss/listen.c @@ -33,6 +33,9 @@ static char *readline(const char *prompt) struct termios termbuf; char input[BUFSIZ]; + /* Make sure we don't buffer anything beyond the line read. */ + setvbuf(stdin, 0, _IONBF, 0); + if (tcgetattr(STDIN_FILENO, &termbuf) == 0) { termbuf.c_lflag |= ICANON|ISIG|ECHO; tcsetattr(STDIN_FILENO, TCSANOW, &termbuf); @@ -61,8 +64,8 @@ static RETSIGTYPE listen_int_handler(signo) int ss_listen (sci_idx) int sci_idx; { - register char *cp; - register ss_data *info; + char *cp; + ss_data *info; char *input; int code; jmp_buf old_jmpb; @@ -71,7 +74,7 @@ int ss_listen (sci_idx) struct sigaction isig, csig, nsig, osig; sigset_t nmask, omask; #else - register RETSIGTYPE (*sig_cont)(); + RETSIGTYPE (*sig_cont)(); RETSIGTYPE (*sig_int)(), (*old_sig_cont)(); int mask; #endif @@ -136,7 +139,7 @@ int ss_listen (sci_idx) code = ss_execute_line (sci_idx, input); if (code == SS_ET_COMMAND_NOT_FOUND) { - register char *c = input; + char *c = input; while (*c == ' ' || *c == '\t') c++; cp = strchr (c, ' '); diff --git a/src/util/ss/options.c b/src/util/ss/options.c index c3452f9..807f8e6 100644 --- a/src/util/ss/options.c +++ b/src/util/ss/options.c @@ -23,9 +23,9 @@ static struct option options[] = { long flag_val(string) - register char *string; + char *string; { - register struct option *opt; + struct option *opt; for (opt = options; opt->text; opt++) if (!strcmp(opt->text, string)) return(opt->value); diff --git a/src/util/ss/pager.c b/src/util/ss/pager.c index ae023b5..3e47ed3 100644 --- a/src/util/ss/pager.c +++ b/src/util/ss/pager.c @@ -102,7 +102,7 @@ void ss_page_stdin() { /* minimal recovery if pager program isn't found */ char buf[80]; - register int n; + int n; while ((n = read(0, buf, 80)) > 0) write(1, buf, (unsigned) n); } diff --git a/src/util/ss/parse.c b/src/util/ss/parse.c index 456b147..78a831b 100644 --- a/src/util/ss/parse.c +++ b/src/util/ss/parse.c @@ -55,13 +55,13 @@ enum parse_mode { WHITESPACE, TOKEN, QUOTED_STRING }; char **ss_parse (sci_idx, line_ptr, argc_ptr) int sci_idx; - register char *line_ptr; + char *line_ptr; int *argc_ptr; { - register char **argv, *cp; + char **argv, *cp; char **newargv; - register int argc; - register enum parse_mode parse_mode; + int argc; + enum parse_mode parse_mode; argv = (char **) malloc (sizeof(char *)); if (argv == (char **)NULL) { diff --git a/src/util/ss/request_tbl.c b/src/util/ss/request_tbl.c index 7721a5f..03cde1b 100644 --- a/src/util/ss/request_tbl.c +++ b/src/util/ss/request_tbl.c @@ -17,8 +17,8 @@ ss_add_request_table(sci_idx, rqtbl_ptr, position, code_ptr) int position; /* 1 -> becomes second... */ int *code_ptr; { - register ss_data *info; - register int i, size; + ss_data *info; + int i, size; info = ss_info(sci_idx); for (size=0; info->rqt_tables[size] != (ssrt *)NULL; size++) @@ -49,8 +49,8 @@ ss_delete_request_table(sci_idx, rqtbl_ptr, code_ptr) ssrt *rqtbl_ptr; int *code_ptr; { - register ss_data *info; - register ssrt **rt1, **rt2; + ss_data *info; + ssrt **rt1, **rt2; *code_ptr = SS_ET_TABLE_NOT_FOUND; info = ss_info(sci_idx); diff --git a/src/util/ss/requests.c b/src/util/ss/requests.c index 3e62f97..aa6752f 100644 --- a/src/util/ss/requests.c +++ b/src/util/ss/requests.c @@ -16,7 +16,7 @@ */ DECLARE(ss_self_identify) { - register ss_data *info = ss_info(sci_idx); + ss_data *info = ss_info(sci_idx); printf("%s version %s\n", info->subsystem_name, info->subsystem_version); } diff --git a/src/util/ss/utils.c b/src/util/ss/utils.c index 3b1f658..675de7c 100644 --- a/src/util/ss/utils.c +++ b/src/util/ss/utils.c @@ -78,7 +78,7 @@ gensym(name) /* concatenate three strings and return the result */ char *str_concat3(a, b, c) - register char *a, *b, *c; + char *a, *b, *c; { char *result; @@ -88,9 +88,9 @@ char *str_concat3(a, b, c) /* return copy of string enclosed in double-quotes */ char *quote(string) - register char *string; + char *string; { - register char *result; + char *result; asprintf(&result, "\"%s\"", string); return(result); @@ -99,10 +99,10 @@ char *quote(string) #ifndef HAVE_STRDUP /* make duplicate of string and return pointer */ char *strdup(s) - register char *s; + char *s; { - register int len = strlen(s) + 1; - register char *new; + int len = strlen(s) + 1; + char *new; new = malloc(len); strncpy(new, s, len); return(new); diff --git a/src/util/support/Makefile.in b/src/util/support/Makefile.in index 6239e41..db7b030 100644 --- a/src/util/support/Makefile.in +++ b/src/util/support/Makefile.in @@ -81,8 +81,11 @@ STLIBOBJS= \ path.o \ base64.o \ json.o \ + hex.o \ + hashtab.o \ bcmp.o \ strerror_r.o \ + dir_filenames.o \ $(GETTIMEOFDAY_ST_OBJ) \ $(IPC_ST_OBJ) \ $(STRLCPY_ST_OBJ) \ @@ -106,8 +109,11 @@ LIBOBJS= \ $(OUTPRE)path.$(OBJEXT) \ $(OUTPRE)base64.$(OBJEXT) \ $(OUTPRE)json.$(OBJEXT) \ + $(OUTPRE)hex.$(OBJEXT) \ + $(OUTPRE)hashtab.$(OBJEXT) \ $(OUTPRE)bcmp.$(OBJEXT) \ $(OUTPRE)strerror_r.$(OBJEXT) \ + $(OUTPRE)dir_filenames.$(OBJEXT) \ $(GETTIMEOFDAY_OBJ) \ $(IPC_OBJ) \ $(STRLCPY_OBJ) \ @@ -136,13 +142,19 @@ SRCS=\ $(srcdir)/t_unal.c \ $(srcdir)/t_path.c \ $(srcdir)/t_json.c \ + $(srcdir)/t_hex.c \ + $(srcdir)/t_hashtab.c \ $(srcdir)/zap.c \ $(srcdir)/path.c \ $(srcdir)/base64.c \ $(srcdir)/json.c \ + $(srcdir)/hex.c \ + $(srcdir)/hashtab.c \ $(srcdir)/bcmp.c \ $(srcdir)/strerror_r.c \ + $(srcdir)/dir_filenames.c \ $(srcdir)/t_utf8.c \ + $(srcdir)/t_utf16.c \ $(srcdir)/getopt.c \ $(srcdir)/getopt_long.c @@ -172,8 +184,9 @@ SHLIB_EXPORT_FILE=libkrb5support.exports EXTRA_SUPPORT_SYMS= @EXTRA_SUPPORT_SYMS@ ##DOS##EXTRA_SUPPORT_SYMS= krb5int_mkstemp krb5int_strlcpy krb5int_strlcat \ -##DOS## k5_optind k5_optarg k5_opterr k5_optopt k5_getopt k5_getopt_long \ +##DOS## k5_getopt k5_getopt_long \ ##DOS## krb5int_vasprintf krb5int_asprintf krb5int_gettimeofday $(IPC_SYMS) +##DOS##DATA_SUPPORT_SYMS= k5_opterr k5_optind k5_optopt k5_optarg ##DOS##!if 0 libkrb5support.exports: $(srcdir)/libkrb5support-fixed.exports Makefile @@ -186,10 +199,11 @@ libkrb5support.exports: $(srcdir)/libkrb5support-fixed.exports Makefile ##DOS##libkrb5support.exports: libkrb5support-fixed.exports Makefile ##DOS## $(CP) libkrb5support-fixed.exports new-exports ##DOS## for %%x in ($(EXTRA_SUPPORT_SYMS) .) do if not %%x==. echo %%x >> new-exports +##DOS## for %%x in ($(DATA_SUPPORT_SYMS) .) do if not %x==. echo %%x DATA >> new-exports ##DOS## $(RM) libkrb5support.exports ##DOS## $(MV) new-exports libkrb5support.exports -T_K5BUF_OBJS= t_k5buf.o k5buf.o $(PRINTF_ST_OBJ) +T_K5BUF_OBJS= t_k5buf.o k5buf.o zap.o $(PRINTF_ST_OBJ) t_k5buf: $(T_K5BUF_OBJS) $(CC_LINK) -o t_k5buf $(T_K5BUF_OBJS) @@ -209,18 +223,30 @@ path_win.o: $(srcdir)/path.c t_base64: t_base64.o base64.o $(CC_LINK) -o $@ t_base64.o base64.o -T_JSON_OBJS= t_json.o json.o base64.o k5buf.o $(PRINTF_ST_OBJ) +T_JSON_OBJS= t_json.o json.o base64.o k5buf.o zap.o $(PRINTF_ST_OBJ) t_json: $(T_JSON_OBJS) $(CC_LINK) -o $@ $(T_JSON_OBJS) +t_hex: t_hex.o hex.o + $(CC_LINK) -o $@ t_hex.o hex.o + +t_hashtab: t_hashtab.o + $(CC_LINK) -o $@ t_hashtab.o + t_unal: t_unal.o $(CC_LINK) -o t_unal t_unal.o t_utf8: t_utf8.o utf8.o $(CC_LINK) -o t_utf8 t_utf8.o utf8.o -TEST_PROGS= t_k5buf t_path t_path_win t_base64 t_json t_unal t_utf8 +T_UTF16_OBJS= t_utf16.o utf8_conv.o utf8.o k5buf.o zap.o $(PRINTF_ST_OBJ) + +t_utf16: $(T_UTF16_OBJS) + $(CC_LINK) -o $@ $(T_UTF16_OBJS) + +TEST_PROGS= t_k5buf t_path t_path_win t_base64 t_json t_hex t_hashtab t_unal \ + t_utf8 t_utf16 check-unix: $(TEST_PROGS) ./t_k5buf @@ -228,13 +254,17 @@ check-unix: $(TEST_PROGS) ./t_path_win ./t_base64 ./t_json + ./t_hex + ./t_hashtab ./t_unal ./t_utf8 + ./t_utf16 clean: $(RM) t_k5buf.o t_k5buf t_unal.o t_unal path_win.o path_win $(RM) t_path_win.o t_path_win t_path.o t_path t_base64.o t_base64 - $(RM) t_json.o t_json libkrb5support.exports t_utf8.o t_utf8 + $(RM) t_json.o t_json t_hex.o t_hex t_hashtab.o t_hashtab + $(RM) t_utf8.o t_utf8 t_utf16.o t_utf16 libkrb5support.exports @lib_frag@ @libobj_frag@ diff --git a/src/util/support/cache-addrinfo.h b/src/util/support/cache-addrinfo.h index a1b7fb2..40752ab 100644 --- a/src/util/support/cache-addrinfo.h +++ b/src/util/support/cache-addrinfo.h @@ -52,12 +52,12 @@ * the data structures and flag values locally. * * - * On Mac OS X, getaddrinfo results aren't cached (though - * gethostbyname results are), so we need to build a cache here. Now - * things are getting really messy. Because the cache is in use, we - * use getservbyname, and throw away thread safety. (Not that the - * cache is thread safe, but when we get locking support, that'll be - * dealt with.) This code needs tearing down and rebuilding, soon. + * On macOS, getaddrinfo results aren't cached (though gethostbyname + * results are), so we need to build a cache here. Now things are + * getting really messy. Because the cache is in use, we use + * getservbyname, and throw away thread safety. (Not that the cache + * is thread safe, but when we get locking support, that'll be dealt + * with.) This code needs tearing down and rebuilding, soon. * * * Note that recent Windows developers' code has an interesting hack: diff --git a/src/util/support/deps b/src/util/support/deps index 4dff014..1fc042b 100644 --- a/src/util/support/deps +++ b/src/util/support/deps @@ -33,7 +33,8 @@ utf8.so utf8.po $(OUTPRE)utf8.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ $(top_srcdir)/include/k5-utf8.h supp-int.h utf8.c utf8_conv.so utf8_conv.po $(OUTPRE)utf8_conv.$(OBJEXT): \ - $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-platform.h \ + $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-buf.h \ + $(top_srcdir)/include/k5-input.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h $(top_srcdir)/include/k5-utf8.h \ supp-int.h utf8_conv.c gettimeofday.so gettimeofday.po $(OUTPRE)gettimeofday.$(OBJEXT): \ @@ -62,6 +63,13 @@ t_path.so t_path.po $(OUTPRE)t_path.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ t_path.c t_json.so t_json.po $(OUTPRE)t_json.$(OBJEXT): $(top_srcdir)/include/k5-json.h \ t_json.c +t_hex.so t_hex.po $(OUTPRE)t_hex.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h t_hex.c +t_hashtab.so t_hashtab.po $(OUTPRE)t_hashtab.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-hashtab.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-queue.h \ + $(top_srcdir)/include/k5-thread.h hashtab.c t_hashtab.c zap.so zap.po $(OUTPRE)zap.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ zap.c @@ -75,15 +83,28 @@ json.so json.po $(OUTPRE)json.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-base64.h $(top_srcdir)/include/k5-buf.h \ $(top_srcdir)/include/k5-json.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h json.c +hex.so hex.po $(OUTPRE)hex.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/k5-hex.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h hex.c +hashtab.so hashtab.po $(OUTPRE)hashtab.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/k5-hashtab.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-queue.h $(top_srcdir)/include/k5-thread.h \ + hashtab.c bcmp.so bcmp.po $(OUTPRE)bcmp.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ bcmp.c strerror_r.so strerror_r.po $(OUTPRE)strerror_r.$(OBJEXT): \ $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-platform.h \ $(top_srcdir)/include/k5-thread.h strerror_r.c +dir_filenames.so dir_filenames.po $(OUTPRE)dir_filenames.$(OBJEXT): \ + $(BUILDTOP)/include/autoconf.h $(top_srcdir)/include/k5-platform.h \ + $(top_srcdir)/include/k5-thread.h dir_filenames.c t_utf8.so t_utf8.po $(OUTPRE)t_utf8.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ $(top_srcdir)/include/k5-utf8.h t_utf8.c +t_utf16.so t_utf16.po $(OUTPRE)t_utf16.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ + $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ + $(top_srcdir)/include/k5-utf8.h t_utf16.c getopt.so getopt.po $(OUTPRE)getopt.$(OBJEXT): $(BUILDTOP)/include/autoconf.h \ $(top_srcdir)/include/k5-platform.h $(top_srcdir)/include/k5-thread.h \ getopt.c diff --git a/src/util/support/dir_filenames.c b/src/util/support/dir_filenames.c new file mode 100644 index 0000000..9312b02 --- /dev/null +++ b/src/util/support/dir_filenames.c @@ -0,0 +1,135 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/dir_filenames.c - fetch filenames in a directory */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-platform.h" + +void +k5_free_filenames(char **fnames) +{ + char **fn; + + for (fn = fnames; fn != NULL && *fn != NULL; fn++) + free(*fn); + free(fnames); +} + +/* Resize the filename list and add a name. */ +static int +add_filename(char ***fnames, int *n_fnames, const char *name) +{ + char **newlist; + + newlist = realloc(*fnames, (*n_fnames + 2) * sizeof(*newlist)); + if (newlist == NULL) + return ENOMEM; + *fnames = newlist; + newlist[*n_fnames] = strdup(name); + if (newlist[*n_fnames] == NULL) + return ENOMEM; + (*n_fnames)++; + newlist[*n_fnames] = NULL; + return 0; +} + +static int +compare_with_strcmp(const void *a, const void *b) +{ + return strcmp(*(char **)a, *(char **)b); +} + +#ifdef _WIN32 + +int +k5_dir_filenames(const char *dirname, char ***fnames_out) +{ + char *wildcard; + WIN32_FIND_DATA ffd; + HANDLE handle; + char **fnames = NULL; + int n_fnames = 0; + + *fnames_out = NULL; + + if (asprintf(&wildcard, "%s\\*", dirname) < 0) + return ENOMEM; + handle = FindFirstFile(wildcard, &ffd); + free(wildcard); + if (handle == INVALID_HANDLE_VALUE) + return ENOENT; + + do { + if (add_filename(&fnames, &n_fnames, &ffd.cFileName) != 0) { + k5_free_filenames(fnames); + FindClose(handle); + return ENOMEM; + } + } while (FindNextFile(handle, &ffd) != 0); + + FindClose(handle); + qsort(fnames, n_fnames, sizeof(*fnames), compare_with_strcmp); + *fnames_out = fnames; + return 0; +} + +#else /* _WIN32 */ + +#include + +int +k5_dir_filenames(const char *dirname, char ***fnames_out) +{ + DIR *dir; + struct dirent *ent; + char **fnames = NULL; + int n_fnames = 0; + + *fnames_out = NULL; + + dir = opendir(dirname); + if (dir == NULL) + return ENOENT; + + while ((ent = readdir(dir)) != NULL) { + if (add_filename(&fnames, &n_fnames, ent->d_name) != 0) { + k5_free_filenames(fnames); + closedir(dir); + return ENOMEM; + } + } + + closedir(dir); + qsort(fnames, n_fnames, sizeof(*fnames), compare_with_strcmp); + *fnames_out = fnames; + return 0; +} + +#endif /* not _WIN32 */ diff --git a/src/util/support/fake-addrinfo.c b/src/util/support/fake-addrinfo.c index df1cc1d..0fb35cf 100644 --- a/src/util/support/fake-addrinfo.c +++ b/src/util/support/fake-addrinfo.c @@ -52,7 +52,7 @@ * the data structures and flag values locally. * * - * On Mac OS X, getaddrinfo results aren't cached (though + * On macOS, getaddrinfo results aren't cached (though * gethostbyname results are), so we need to build a cache here. Now * things are getting really messy. Because the cache is in use, we * use getservbyname, and throw away thread safety. (Not that the @@ -331,18 +331,6 @@ system_freeaddrinfo (struct addrinfo *ai) freeaddrinfo(ai); } -/* Note: Implementations written to RFC 2133 use size_t, while RFC - 2553 implementations use socklen_t, for the second parameter. - - Mac OS X (10.2) and AIX 4.3.3 appear to be in the RFC 2133 camp, - but we don't have an autoconf test for that right now. */ -static inline int -system_getnameinfo (const struct sockaddr *sa, socklen_t salen, - char *host, size_t hostlen, char *serv, size_t servlen, - int flags) -{ - return getnameinfo(sa, salen, host, hostlen, serv, servlen, flags); -} #endif #if !defined (HAVE_GETADDRINFO) || defined(WRAP_GETADDRINFO) || defined(FAI_CACHE) @@ -697,7 +685,7 @@ static inline int fai_add_hosts_by_name (const char *name, sometimes associates it with the specified service, sometimes not. - But on Mac OS X (10.3, 10.4) they've "extended" getaddrinfo + But on macOS (10.3, 10.4) they've "extended" getaddrinfo to make SRV RR queries. (Please, somebody, show me something in the specs that actually supports this? RFC 3493 says nothing about it, but it does say getaddrinfo is @@ -900,16 +888,10 @@ fake_getaddrinfo (const char *name, const char *serv, If it's not set, don't accept such names. */ if (flags & AI_NUMERICHOST) { struct in_addr addr4; -#if 0 - ret = inet_aton (name, &addr4); - if (ret) - return EAI_NONAME; -#else addr4.s_addr = inet_addr (name); if (addr4.s_addr == 0xffffffff || addr4.s_addr == -1) /* 255.255.255.255 or parse error, both bad */ return EAI_NONAME; -#endif ret = fai_add_entry (&res, &addr4, port, &template); } else { ret = fai_add_hosts_by_name (name, &template, port, flags, diff --git a/src/util/support/getopt.c b/src/util/support/getopt.c index 44cda68..ae8cb10 100644 --- a/src/util/support/getopt.c +++ b/src/util/support/getopt.c @@ -39,6 +39,8 @@ static char sccsid[] = "@(#)getopt.c 8.3 (Berkeley) 4/27/95"; #endif +#define K5_GETOPT_C + #include #include #include diff --git a/src/util/support/gmt_mktime.c b/src/util/support/gmt_mktime.c index 32fef43..ac7752f 100644 --- a/src/util/support/gmt_mktime.c +++ b/src/util/support/gmt_mktime.c @@ -78,21 +78,20 @@ static const int days_in_month[12] = { static time_t gmt_mktime(struct tm *t) { - time_t accum; + uint32_t accum; #define assert_time(cnd) if(!(cnd)) return (time_t) -1 /* - * For 32-bit signed time_t centered on 1/1/1970, the range is: - * time 0x80000000 -> Fri Dec 13 16:45:52 1901 - * time 0x7fffffff -> Mon Jan 18 22:14:07 2038 + * For 32-bit unsigned time values starting on 1/1/1970, the range is: + * time 0x00000000 -> Thu Jan 1 00:00:00 1970 + * time 0xffffffff -> Sun Feb 7 06:28:15 2106 * - * So years 1901 and 2038 are allowable, but we can't encode all - * dates in those years, and we're not doing overflow/underflow - * checking for such cases. + * We can't encode all dates in 2106, and we're not doing overflow checking + * for such cases. */ - assert_time(t->tm_year>=1); - assert_time(t->tm_year<=138); + assert_time(t->tm_year>=70); + assert_time(t->tm_year<=206); assert_time(t->tm_mon>=0); assert_time(t->tm_mon<=11); diff --git a/src/util/support/hashtab.c b/src/util/support/hashtab.c new file mode 100644 index 0000000..e04e491 --- /dev/null +++ b/src/util/support/hashtab.c @@ -0,0 +1,243 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/hash.c - hash table implementation */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include "k5-platform.h" +#include "k5-hashtab.h" +#include "k5-queue.h" + +struct entry { + const void *key; + size_t klen; + void *val; + K5_SLIST_ENTRY(entry) next; +}; + +struct k5_hashtab { + uint64_t k0; + uint64_t k1; + size_t nbuckets; + size_t nentries; + K5_SLIST_HEAD(bucket_list, entry) *buckets; +}; + +/* Return x rotated to the left by r bits. */ +static inline uint64_t +rotl64(uint64_t x, int r) +{ + return (x << r) | (x >> (64 - r)); +} + +static inline void +sipround(uint64_t *v0, uint64_t *v1, uint64_t *v2, uint64_t *v3) +{ + *v0 += *v1; + *v2 += *v3; + *v1 = rotl64(*v1, 13) ^ *v0; + *v3 = rotl64(*v3, 16) ^ *v2; + *v0 = rotl64(*v0, 32); + *v2 += *v1; + *v0 += *v3; + *v1 = rotl64(*v1, 17) ^ *v2; + *v3 = rotl64(*v3, 21) ^ *v0; + *v2 = rotl64(*v2, 32); +} + +/* SipHash-2-4 from https://131002.net/siphash/siphash.pdf (Jean-Philippe + * Aumasson and Daniel J. Bernstein) */ +static uint64_t +siphash24(const uint8_t *data, size_t len, uint64_t k0, uint64_t k1) +{ + uint64_t v0 = k0 ^ 0x736F6D6570736575; + uint64_t v1 = k1 ^ 0x646F72616E646F6D; + uint64_t v2 = k0 ^ 0x6C7967656E657261; + uint64_t v3 = k1 ^ 0x7465646279746573; + uint64_t mi; + const uint8_t *p, *end = data + (len - len % 8); + uint8_t last[8] = { 0 }; + + /* Process each full 8-byte chunk of data. */ + for (p = data; p < end; p += 8) { + mi = load_64_le(p); + v3 ^= mi; + sipround(&v0, &v1, &v2, &v3); + sipround(&v0, &v1, &v2, &v3); + v0 ^= mi; + } + + /* Process the last 0-7 bytes followed by the length mod 256. */ + memcpy(last, end, len % 8); + last[7] = len & 0xFF; + mi = load_64_le(last); + v3 ^= mi; + sipround(&v0, &v1, &v2, &v3); + sipround(&v0, &v1, &v2, &v3); + v0 ^= mi; + + /* Finalize. */ + v2 ^= 0xFF; + sipround(&v0, &v1, &v2, &v3); + sipround(&v0, &v1, &v2, &v3); + sipround(&v0, &v1, &v2, &v3); + sipround(&v0, &v1, &v2, &v3); + return v0 ^ v1 ^ v2 ^ v3; +} + +int +k5_hashtab_create(const uint8_t seed[K5_HASH_SEED_LEN], size_t initial_buckets, + struct k5_hashtab **ht_out) +{ + struct k5_hashtab *ht; + + *ht_out = NULL; + + ht = malloc(sizeof(*ht)); + if (ht == NULL) + return ENOMEM; + + if (seed != NULL) { + ht->k0 = load_64_le(seed); + ht->k1 = load_64_le(seed + 8); + } else { + ht->k0 = ht->k1 = 0; + } + ht->nbuckets = (initial_buckets > 0) ? initial_buckets : 64; + ht->nentries = 0; + ht->buckets = calloc(ht->nbuckets, sizeof(*ht->buckets)); + if (ht->buckets == NULL) { + free(ht); + return ENOMEM; + } + + *ht_out = ht; + return 0; +} + +void +k5_hashtab_free(struct k5_hashtab *ht) +{ + size_t i; + struct entry *ent; + + for (i = 0; i < ht->nbuckets; i++) { + while (!K5_SLIST_EMPTY(&ht->buckets[i])) { + ent = K5_SLIST_FIRST(&ht->buckets[i]); + K5_SLIST_REMOVE_HEAD(&ht->buckets[i], next); + free(ent); + } + } + free(ht->buckets); + free(ht); +} + +static int +resize_table(struct k5_hashtab *ht) +{ + size_t i, j, newsize = ht->nbuckets * 2; + struct bucket_list *newbuckets; + struct entry *ent; + + newbuckets = calloc(newsize, sizeof(*newbuckets)); + if (newbuckets == NULL) + return ENOMEM; + + /* Rehash all the entries into the new buckets. */ + for (i = 0; i < ht->nbuckets; i++) { + while (!K5_SLIST_EMPTY(&ht->buckets[i])) { + ent = K5_SLIST_FIRST(&ht->buckets[i]); + j = siphash24(ent->key, ent->klen, ht->k0, ht->k1) % newsize; + K5_SLIST_REMOVE_HEAD(&ht->buckets[i], next); + K5_SLIST_INSERT_HEAD(&newbuckets[j], ent, next); + } + } + + free(ht->buckets); + ht->buckets = newbuckets; + ht->nbuckets = newsize; + return 0; +} + +int +k5_hashtab_add(struct k5_hashtab *ht, const void *key, size_t klen, void *val) +{ + size_t i; + struct entry *ent; + + if (ht->nentries == ht->nbuckets) { + if (resize_table(ht) != 0) + return ENOMEM; + } + + ent = malloc(sizeof(*ent)); + if (ent == NULL) + return ENOMEM; + ent->key = key; + ent->klen = klen; + ent->val = val; + + i = siphash24(key, klen, ht->k0, ht->k1) % ht->nbuckets; + K5_SLIST_INSERT_HEAD(&ht->buckets[i], ent, next); + + ht->nentries++; + return 0; +} + +int +k5_hashtab_remove(struct k5_hashtab *ht, const void *key, size_t klen) +{ + size_t i; + struct entry *ent; + + i = siphash24(key, klen, ht->k0, ht->k1) % ht->nbuckets; + K5_SLIST_FOREACH(ent, &ht->buckets[i], next) { + if (ent->klen == klen && memcmp(ent->key, key, klen) == 0) { + K5_SLIST_REMOVE(&ht->buckets[i], ent, entry, next); + free(ent); + ht->nentries--; + return 1; + } + } + return 0; +} + +void * +k5_hashtab_get(struct k5_hashtab *ht, const void *key, size_t klen) +{ + size_t i; + struct entry *ent; + + i = siphash24(key, klen, ht->k0, ht->k1) % ht->nbuckets; + K5_SLIST_FOREACH(ent, &ht->buckets[i], next) { + if (ent->klen == klen && memcmp(ent->key, key, klen) == 0) + return ent->val; + } + return NULL; +} diff --git a/src/util/support/hex.c b/src/util/support/hex.c new file mode 100644 index 0000000..cbd30d7 --- /dev/null +++ b/src/util/support/hex.c @@ -0,0 +1,116 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/hex.c - hex encoding/decoding implementation */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include +#include + +static inline char +hex_digit(uint8_t bval, int uppercase) +{ + assert(bval <= 0xF); + if (bval < 10) + return '0' + bval; + else if (uppercase) + return 'A' + (bval - 10); + else + return 'a' + (bval - 10); +} + +int +k5_hex_encode(const void *bytes, size_t len, int uppercase, char **hex_out) +{ + size_t i; + const uint8_t *p = bytes; + char *hex; + + *hex_out = NULL; + + hex = malloc(len * 2 + 1); + if (hex == NULL) + return ENOMEM; + + for (i = 0; i < len; i++) { + hex[i * 2] = hex_digit(p[i] >> 4, uppercase); + hex[i * 2 + 1] = hex_digit(p[i] & 0xF, uppercase); + } + hex[len * 2] = '\0'; + + *hex_out = hex; + return 0; +} + +/* Decode a hex digit. Return 0-15 on success, -1 on invalid input. */ +static inline int +decode_hexchar(unsigned char c) +{ + if (isdigit(c)) + return c - '0'; + if (c >= 'A' && c <= 'F') + return c - 'A' + 10; + if (c >= 'a' && c <= 'f') + return c - 'a' + 10; + return -1; +} + +int +k5_hex_decode(const char *hex, uint8_t **bytes_out, size_t *len_out) +{ + size_t hexlen, i; + int h1, h2; + uint8_t *bytes; + + *bytes_out = NULL; + *len_out = 0; + + hexlen = strlen(hex); + if (hexlen % 2 != 0) + return EINVAL; + bytes = malloc(hexlen / 2 + 1); + if (bytes == NULL) + return ENOMEM; + + for (i = 0; i < hexlen / 2; i++) { + h1 = decode_hexchar(hex[i * 2]); + h2 = decode_hexchar(hex[i * 2 + 1]); + if (h1 == -1 || h2 == -1) { + free(bytes); + return EINVAL; + } + bytes[i] = h1 * 16 + h2; + } + bytes[i] = 0; + + *bytes_out = bytes; + *len_out = hexlen / 2; + return 0; +} diff --git a/src/util/support/k5buf.c b/src/util/support/k5buf.c index f619f6a..b2b5e5b 100644 --- a/src/util/support/k5buf.c +++ b/src/util/support/k5buf.c @@ -37,7 +37,7 @@ /* * Structure invariants: * - * buftype is K5BUF_FIXED, K5BUF_DYNAMIC, or K5BUF_ERROR + * buftype is K5BUF_FIXED, K5BUF_DYNAMIC, K5BUF_DYNAMIC_ZAP, or K5BUF_ERROR * if buftype is K5BUF_ERROR, the other fields are NULL or 0 * if buftype is not K5BUF_ERROR: * space > 0 @@ -77,22 +77,35 @@ ensure_space(struct k5buf *buf, size_t len) return 1; if (buf->buftype == K5BUF_FIXED) /* Can't resize a fixed buffer. */ goto error_exit; - assert(buf->buftype == K5BUF_DYNAMIC); + assert(buf->buftype == K5BUF_DYNAMIC || buf->buftype == K5BUF_DYNAMIC_ZAP); new_space = buf->space * 2; while (new_space - buf->len - 1 < len) { if (new_space > SIZE_MAX / 2) goto error_exit; new_space *= 2; } - new_data = realloc(buf->data, new_space); - if (new_data == NULL) - goto error_exit; + if (buf->buftype == K5BUF_DYNAMIC_ZAP) { + /* realloc() could leave behind a partial copy of sensitive data. */ + new_data = malloc(new_space); + if (new_data == NULL) + goto error_exit; + memcpy(new_data, buf->data, buf->len); + new_data[buf->len] = '\0'; + zap(buf->data, buf->len); + free(buf->data); + } else { + new_data = realloc(buf->data, new_space); + if (new_data == NULL) + goto error_exit; + } buf->data = new_data; buf->space = new_space; return 1; error_exit: - if (buf->buftype == K5BUF_DYNAMIC) + if (buf->buftype == K5BUF_DYNAMIC_ZAP) + zap(buf->data, buf->len); + if (buf->buftype == K5BUF_DYNAMIC_ZAP || buf->buftype == K5BUF_DYNAMIC) free(buf->data); set_error(buf); return 0; @@ -124,6 +137,14 @@ k5_buf_init_dynamic(struct k5buf *buf) } void +k5_buf_init_dynamic_zap(struct k5buf *buf) +{ + k5_buf_init_dynamic(buf); + if (buf->buftype == K5BUF_DYNAMIC) + buf->buftype = K5BUF_DYNAMIC_ZAP; +} + +void k5_buf_add(struct k5buf *buf, const char *data) { k5_buf_add_len(buf, data, strlen(data)); @@ -141,9 +162,9 @@ k5_buf_add_len(struct k5buf *buf, const void *data, size_t len) } void -k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) +k5_buf_add_vfmt(struct k5buf *buf, const char *fmt, va_list ap) { - va_list ap; + va_list apcopy; int r; size_t remaining; char *tmp; @@ -154,9 +175,7 @@ k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) if (buf->buftype == K5BUF_FIXED) { /* Format the data directly into the fixed buffer. */ - va_start(ap, fmt); r = vsnprintf(endptr(buf), remaining, fmt, ap); - va_end(ap); if (SNPRINTF_OVERFLOW(r, remaining)) set_error(buf); else @@ -165,10 +184,10 @@ k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) } /* Optimistically format the data directly into the dynamic buffer. */ - assert(buf->buftype == K5BUF_DYNAMIC); - va_start(ap, fmt); - r = vsnprintf(endptr(buf), remaining, fmt, ap); - va_end(ap); + assert(buf->buftype == K5BUF_DYNAMIC || buf->buftype == K5BUF_DYNAMIC_ZAP); + va_copy(apcopy, ap); + r = vsnprintf(endptr(buf), remaining, fmt, apcopy); + va_end(apcopy); if (!SNPRINTF_OVERFLOW(r, remaining)) { buf->len += (unsigned int) r; return; @@ -179,9 +198,7 @@ k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) if (!ensure_space(buf, r)) return; remaining = buf->space - buf->len; - va_start(ap, fmt); r = vsnprintf(endptr(buf), remaining, fmt, ap); - va_end(ap); if (SNPRINTF_OVERFLOW(r, remaining)) /* Shouldn't ever happen. */ k5_buf_free(buf); else @@ -191,9 +208,7 @@ k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) /* It's a pre-C99 snprintf implementation, or something else went wrong. * Fall back to asprintf. */ - va_start(ap, fmt); r = vasprintf(&tmp, fmt, ap); - va_end(ap); if (r < 0) { k5_buf_free(buf); return; @@ -203,9 +218,21 @@ k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) memcpy(endptr(buf), tmp, r + 1); buf->len += r; } + if (buf->buftype == K5BUF_DYNAMIC_ZAP) + zap(tmp, strlen(tmp)); free(tmp); } +void +k5_buf_add_fmt(struct k5buf *buf, const char *fmt, ...) +{ + va_list ap; + + va_start(ap, fmt); + k5_buf_add_vfmt(buf, fmt, ap); + va_end(ap); +} + void * k5_buf_get_space(struct k5buf *buf, size_t len) { @@ -237,7 +264,9 @@ k5_buf_free(struct k5buf *buf) { if (buf->buftype == K5BUF_ERROR) return; - assert(buf->buftype == K5BUF_DYNAMIC); + assert(buf->buftype == K5BUF_DYNAMIC || buf->buftype == K5BUF_DYNAMIC_ZAP); + if (buf->buftype == K5BUF_DYNAMIC_ZAP) + zap(buf->data, buf->len); free(buf->data); set_error(buf); } diff --git a/src/util/support/libkrb5support-fixed.exports b/src/util/support/libkrb5support-fixed.exports index d5d4177..ff46656 100644 --- a/src/util/support/libkrb5support-fixed.exports +++ b/src/util/support/libkrb5support-fixed.exports @@ -3,9 +3,11 @@ k5_base64_encode k5_bcmp k5_buf_init_fixed k5_buf_init_dynamic +k5_buf_init_dynamic_zap k5_buf_add k5_buf_add_len k5_buf_add_fmt +k5_buf_add_vfmt k5_buf_get_space k5_buf_truncate k5_buf_status @@ -16,6 +18,13 @@ k5_get_error k5_free_error k5_clear_error k5_set_error_info_callout_fn +k5_hashtab_add +k5_hashtab_create +k5_hashtab_free +k5_hashtab_get +k5_hashtab_remove +k5_hex_decode +k5_hex_encode k5_json_array_add k5_json_array_create k5_json_array_fmt @@ -52,6 +61,10 @@ k5_path_isabs k5_path_join k5_path_split k5_strerror_r +k5_utf8_to_utf16le +k5_utf16le_to_utf8 +k5_dir_filenames +k5_free_filenames krb5int_key_register krb5int_key_delete krb5int_getspecific @@ -77,9 +90,6 @@ krb5int_mutex_free krb5int_mutex_lock krb5int_mutex_unlock krb5int_gmt_mktime -krb5int_utf8cs_to_ucs2les -krb5int_utf8s_to_ucs2les -krb5int_ucs2lecs_to_utf8s krb5int_ucs4_to_utf8 krb5int_utf8_to_ucs4 krb5int_utf8_lentab diff --git a/src/util/support/mkstemp.c b/src/util/support/mkstemp.c index 9ef586a..285757f 100644 --- a/src/util/support/mkstemp.c +++ b/src/util/support/mkstemp.c @@ -75,9 +75,9 @@ int mkstemp(path) static int _gettemp(path, doopen) char *path; - register int *doopen; + int *doopen; { - register char *start, *trv; + char *start, *trv; struct stat sbuf; u_int pid; diff --git a/src/util/support/strerror_r.c b/src/util/support/strerror_r.c index e1ca565..090e179 100644 --- a/src/util/support/strerror_r.c +++ b/src/util/support/strerror_r.c @@ -46,6 +46,7 @@ k5_strerror_r(int errnum, char *buf, size_t buflen) errno = st; return -1; } + return 0; } #elif !defined(HAVE_STRERROR_R) diff --git a/src/util/support/t_hashtab.c b/src/util/support/t_hashtab.c new file mode 100644 index 0000000..f51abc4 --- /dev/null +++ b/src/util/support/t_hashtab.c @@ -0,0 +1,176 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/t_hash.c - tests for hash table code */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* hash.c has no linker dependencies, so we can simply include its source code + * to test its static functions and look inside its structures. */ +#include "hashtab.c" + +/* These match the sip64 test vectors in the reference C implementation of + * siphash at https://github.com/veorq/SipHash */ +const uint64_t vectors[64] = { + 0x726FDB47DD0E0E31, + 0x74F839C593DC67FD, + 0x0D6C8009D9A94F5A, + 0x85676696D7FB7E2D, + 0xCF2794E0277187B7, + 0x18765564CD99A68D, + 0xCBC9466E58FEE3CE, + 0xAB0200F58B01D137, + 0x93F5F5799A932462, + 0x9E0082DF0BA9E4B0, + 0x7A5DBBC594DDB9F3, + 0xF4B32F46226BADA7, + 0x751E8FBC860EE5FB, + 0x14EA5627C0843D90, + 0xF723CA908E7AF2EE, + 0xA129CA6149BE45E5, + 0x3F2ACC7F57C29BDB, + 0x699AE9F52CBE4794, + 0x4BC1B3F0968DD39C, + 0xBB6DC91DA77961BD, + 0xBED65CF21AA2EE98, + 0xD0F2CBB02E3B67C7, + 0x93536795E3A33E88, + 0xA80C038CCD5CCEC8, + 0xB8AD50C6F649AF94, + 0xBCE192DE8A85B8EA, + 0x17D835B85BBB15F3, + 0x2F2E6163076BCFAD, + 0xDE4DAAACA71DC9A5, + 0xA6A2506687956571, + 0xAD87A3535C49EF28, + 0x32D892FAD841C342, + 0x7127512F72F27CCE, + 0xA7F32346F95978E3, + 0x12E0B01ABB051238, + 0x15E034D40FA197AE, + 0x314DFFBE0815A3B4, + 0x027990F029623981, + 0xCADCD4E59EF40C4D, + 0x9ABFD8766A33735C, + 0x0E3EA96B5304A7D0, + 0xAD0C42D6FC585992, + 0x187306C89BC215A9, + 0xD4A60ABCF3792B95, + 0xF935451DE4F21DF2, + 0xA9538F0419755787, + 0xDB9ACDDFF56CA510, + 0xD06C98CD5C0975EB, + 0xE612A3CB9ECBA951, + 0xC766E62CFCADAF96, + 0xEE64435A9752FE72, + 0xA192D576B245165A, + 0x0A8787BF8ECB74B2, + 0x81B3E73D20B49B6F, + 0x7FA8220BA3B2ECEA, + 0x245731C13CA42499, + 0xB78DBFAF3A8D83BD, + 0xEA1AD565322A1A0B, + 0x60E61C23A3795013, + 0x6606D7E446282B93, + 0x6CA4ECB15C5F91E1, + 0x9F626DA15C9625F3, + 0xE51B38608EF25F57, + 0x958A324CEB064572 +}; + +static void +test_siphash() +{ + uint8_t seq[64]; + uint64_t k0, k1, hval; + size_t i; + + for (i = 0; i < sizeof(seq); i++) + seq[i] = i; + k0 = load_64_le(seq); + k1 = load_64_le(seq + 8); + + for (i = 0; i < sizeof(seq); i++) { + hval = siphash24(seq, i, k0, k1); + assert(hval == vectors[i]); + } +} + +static void +test_hashtab() +{ + int st; + struct k5_hashtab *ht; + size_t i; + char zeros[100] = { 0 }; + + st = k5_hashtab_create(NULL, 4, &ht); + assert(st == 0 && ht != NULL && ht->nentries == 0); + + st = k5_hashtab_add(ht, "abc", 3, &st); + assert(st == 0 && ht->nentries == 1); + assert(k5_hashtab_get(ht, "abc", 3) == &st); + assert(k5_hashtab_get(ht, "bcde", 4) == NULL); + + st = k5_hashtab_add(ht, "bcde", 4, &ht); + assert(st == 0 && ht->nentries == 2); + assert(k5_hashtab_get(ht, "abc", 3) == &st); + assert(k5_hashtab_get(ht, "bcde", 4) == &ht); + + k5_hashtab_remove(ht, "abc", 3); + assert(ht->nentries == 1); + assert(k5_hashtab_get(ht, "abc", 3) == NULL); + assert(k5_hashtab_get(ht, "bcde", 4) == &ht); + + k5_hashtab_remove(ht, "bcde", 4); + assert(ht->nentries == 0); + assert(k5_hashtab_get(ht, "abc", 3) == NULL); + assert(k5_hashtab_get(ht, "bcde", 4) == NULL); + + for (i = 0; i < sizeof(zeros); i++) { + st = k5_hashtab_add(ht, zeros, i, zeros + i); + assert(st == 0 && ht->nentries == i + 1 && ht->nbuckets >= i + 1); + } + for (i = 0; i < sizeof(zeros); i++) { + assert(k5_hashtab_get(ht, zeros, i) == zeros + i); + k5_hashtab_remove(ht, zeros, i); + assert(ht->nentries == sizeof(zeros) - i - 1); + if (i > 0) + assert(k5_hashtab_get(ht, zeros, i - 1) == NULL); + } + + k5_hashtab_free(ht); +} + +int +main() +{ + test_siphash(); + test_hashtab(); + return 0; +} diff --git a/src/util/support/t_hex.c b/src/util/support/t_hex.c new file mode 100644 index 0000000..a586a1b --- /dev/null +++ b/src/util/support/t_hex.c @@ -0,0 +1,169 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/t_hex.c - Test hex encoding and decoding */ +/* + * Copyright (C) 2018 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include +#include + +struct { + const char *hex; + const char *binary; + size_t binary_len; + int uppercase; +} tests[] = { + /* Invalid hex strings */ + { "1" }, + { "123" }, + { "0/" }, + { "/0" }, + { "0:" }, + { ":0" }, + { "0@" }, + { "@0" }, + { "0G" }, + { "G0" }, + { "0`" }, + { "`0" }, + { "0g" }, + { "g0" }, + { " 00 " }, + { "0\x01" }, + + { "", "", 0 }, + { "00", "\x00", 1 }, + { "01", "\x01", 1 }, + { "10", "\x10", 1 }, + { "01ff", "\x01\xFF", 2 }, + { "A0B0C0", "\xA0\xB0\xC0", 3, 1 }, + { "1a2b3c4d5e6f", "\x1A\x2B\x3C\x4D\x5E\x6F", 6 }, + { "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF" + "\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF", 32 }, + + /* All byte values, lowercase */ + { "0001020304050607", "\x00\x01\x02\x03\x04\x05\x06\x07", 8 }, + { "08090a0b0c0d0e0f", "\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 8 }, + { "1011121314151617", "\x10\x11\x12\x13\x14\x15\x16\x17", 8 }, + { "18191a1b1c1d1e1f", "\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 8 }, + { "2021222324252627", "\x20\x21\x22\x23\x24\x25\x26\x27", 8 }, + { "28292a2b2c2d2e2f", "\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F", 8 }, + { "3031323334353637", "\x30\x31\x32\x33\x34\x35\x36\x37", 8 }, + { "38393a3b3c3d3e3f", "\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F", 8 }, + { "4041424344454647", "\x40\x41\x42\x43\x44\x45\x46\x47", 8 }, + { "48494a4b4c4d4e4f", "\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F", 8 }, + { "5051525354555657", "\x50\x51\x52\x53\x54\x55\x56\x57", 8 }, + { "58595a5b5c5d5e5f", "\x58\x59\x5A\x5B\x5C\x5D\x5E\x5F", 8 }, + { "6061626364656667", "\x60\x61\x62\x63\x64\x65\x66\x67", 8 }, + { "68696a6b6c6d6e6f", "\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F", 8 }, + { "7071727374757677", "\x70\x71\x72\x73\x74\x75\x76\x77", 8 }, + { "78797a7b7c7d7e7f", "\x78\x79\x7A\x7B\x7C\x7D\x7E\x7F", 8 }, + { "8081828384858687", "\x80\x81\x82\x83\x84\x85\x86\x87", 8 }, + { "88898a8b8c8d8e8f", "\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F", 8 }, + { "9091929394959697", "\x90\x91\x92\x93\x94\x95\x96\x97", 8 }, + { "98999a9b9c9d9e9f", "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F", 8 }, + { "a0a1a2a3a4a5a6a7", "\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7", 8 }, + { "a8a9aaabacadaeaf", "\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 8 }, + { "b0b1b2b3b4b5b6b7", "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7", 8 }, + { "b8b9babbbcbdbebf", "\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF", 8 }, + { "c0c1c2c3c4c5c6c7", "\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7", 8 }, + { "c8c9cacbcccdcecf", "\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF", 8 }, + { "d0d1d2d3d4d5d6d7", "\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7", 8 }, + { "d8d9dadbdcdddedf", "\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF", 8 }, + { "e0e1e2e3e4e5e6e7", "\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7", 8 }, + { "e8e9eaebecedeeef", "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF", 8 }, + { "f0f1f2f3f4f5f6f7", "\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7", 8 }, + { "f8f9fafbfcfdfeff", "\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 8 }, + + /* All byte values, uppercase */ + { "0001020304050607", "\x00\x01\x02\x03\x04\x05\x06\x07", 8, 1 }, + { "08090A0B0C0D0E0F", "\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 8, 1 }, + { "1011121314151617", "\x10\x11\x12\x13\x14\x15\x16\x17", 8, 1 }, + { "18191A1B1C1D1E1F", "\x18\x19\x1A\x1B\x1C\x1D\x1E\x1F", 8, 1 }, + { "2021222324252627", "\x20\x21\x22\x23\x24\x25\x26\x27", 8, 1 }, + { "28292A2B2C2D2E2F", "\x28\x29\x2A\x2B\x2C\x2D\x2E\x2F", 8, 1 }, + { "3031323334353637", "\x30\x31\x32\x33\x34\x35\x36\x37", 8, 1 }, + { "38393A3B3C3D3E3F", "\x38\x39\x3A\x3B\x3C\x3D\x3E\x3F", 8, 1 }, + { "4041424344454647", "\x40\x41\x42\x43\x44\x45\x46\x47", 8, 1 }, + { "48494A4B4C4D4E4F", "\x48\x49\x4A\x4B\x4C\x4D\x4E\x4F", 8, 1 }, + { "5051525354555657", "\x50\x51\x52\x53\x54\x55\x56\x57", 8, 1 }, + { "58595A5B5C5D5E5F", "\x58\x59\x5A\x5B\x5C\x5D\x5E\x5F", 8, 1 }, + { "6061626364656667", "\x60\x61\x62\x63\x64\x65\x66\x67", 8, 1 }, + { "68696A6B6C6D6E6F", "\x68\x69\x6A\x6B\x6C\x6D\x6E\x6F", 8, 1 }, + { "7071727374757677", "\x70\x71\x72\x73\x74\x75\x76\x77", 8, 1 }, + { "78797A7B7C7D7E7F", "\x78\x79\x7A\x7B\x7C\x7D\x7E\x7F", 8, 1 }, + { "8081828384858687", "\x80\x81\x82\x83\x84\x85\x86\x87", 8, 1 }, + { "88898A8B8C8D8E8F", "\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F", 8, 1 }, + { "9091929394959697", "\x90\x91\x92\x93\x94\x95\x96\x97", 8, 1 }, + { "98999A9B9C9D9E9F", "\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F", 8, 1 }, + { "A0A1A2A3A4A5A6A7", "\xA0\xA1\xA2\xA3\xA4\xA5\xA6\xA7", 8, 1 }, + { "A8A9AAABACADAEAF", "\xA8\xA9\xAA\xAB\xAC\xAD\xAE\xAF", 8, 1 }, + { "B0B1B2B3B4B5B6B7", "\xB0\xB1\xB2\xB3\xB4\xB5\xB6\xB7", 8, 1 }, + { "B8B9BABBBCBDBEBF", "\xB8\xB9\xBA\xBB\xBC\xBD\xBE\xBF", 8, 1 }, + { "C0C1C2C3C4C5C6C7", "\xC0\xC1\xC2\xC3\xC4\xC5\xC6\xC7", 8, 1 }, + { "C8C9CACBCCCDCECF", "\xC8\xC9\xCA\xCB\xCC\xCD\xCE\xCF", 8, 1 }, + { "D0D1D2D3D4D5D6D7", "\xD0\xD1\xD2\xD3\xD4\xD5\xD6\xD7", 8, 1 }, + { "D8D9DADBDCDDDEDF", "\xD8\xD9\xDA\xDB\xDC\xDD\xDE\xDF", 8, 1 }, + { "E0E1E2E3E4E5E6E7", "\xE0\xE1\xE2\xE3\xE4\xE5\xE6\xE7", 8, 1 }, + { "E8E9EAEBECEDEEEF", "\xE8\xE9\xEA\xEB\xEC\xED\xEE\xEF", 8, 1 }, + { "F0F1F2F3F4F5F6F7", "\xF0\xF1\xF2\xF3\xF4\xF5\xF6\xF7", 8, 1 }, + { "F8F9FAFBFCFDFEFF", "\xF8\xF9\xFA\xFB\xFC\xFD\xFE\xFF", 8, 1 }, +}; + +int main() +{ + size_t i; + char *hex; + int ret; + uint8_t *bytes; + size_t len; + + for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { + if (tests[i].binary == NULL) { + ret = k5_hex_decode(tests[i].hex, &bytes, &len); + assert(ret == EINVAL && bytes == NULL && len == 0); + continue; + } + + ret = k5_hex_decode(tests[i].hex, &bytes, &len); + assert(ret == 0); + assert(len == tests[i].binary_len); + assert(memcmp(bytes, tests[i].binary, len) == 0); + assert(bytes[len] == 0); + free(bytes); + + ret = k5_hex_encode((uint8_t *)tests[i].binary, tests[i].binary_len, + tests[i].uppercase, &hex); + assert(ret == 0); + assert(strcmp(tests[i].hex, hex) == 0); + free(hex); + } + return 0; +} diff --git a/src/util/support/t_path.c b/src/util/support/t_path.c index 2ac91d8..111c27a 100644 --- a/src/util/support/t_path.c +++ b/src/util/support/t_path.c @@ -136,12 +136,16 @@ main(void) edirname = split_tests[i].posix_dirname; ebasename = split_tests[i].posix_basename; #endif - assert(k5_path_split(ipath, NULL, NULL) == 0); - assert(k5_path_split(ipath, &dirname, NULL) == 0); + if (k5_path_split(ipath, NULL, NULL) != 0) + abort(); + if (k5_path_split(ipath, &dirname, NULL) != 0) + abort(); free(dirname); - assert(k5_path_split(ipath, NULL, &basename) == 0); + if (k5_path_split(ipath, NULL, &basename) != 0) + abort(); free(basename); - assert(k5_path_split(ipath, &dirname, &basename) == 0); + if (k5_path_split(ipath, &dirname, &basename) != 0) + abort(); if (strcmp(dirname, edirname) != 0) { fprintf(stderr, "Split test %d: dirname %s != expected %s\n", (int)i, dirname, edirname); @@ -164,7 +168,8 @@ main(void) #else ejoined = join_tests[i].posix_result; #endif - assert(k5_path_join(path1, path2, &joined) == 0); + if (k5_path_join(path1, path2, &joined) != 0) + abort(); if (strcmp(joined, ejoined) != 0) { fprintf(stderr, "Join test %d: %s != expected %s\n", (int)i, joined, ejoined); diff --git a/src/util/support/t_utf16.c b/src/util/support/t_utf16.c new file mode 100644 index 0000000..bc3390a --- /dev/null +++ b/src/util/support/t_utf16.c @@ -0,0 +1,117 @@ +/* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ +/* util/support/t_utf16.c - test UTF-16 conversion functions */ +/* + * Copyright (C) 2017 by the Massachusetts Institute of Technology. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * + * * Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in + * the documentation and/or other materials provided with the + * distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS + * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE + * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This program tests conversions between UTF-8 and little-endian UTF-16, with + * an eye mainly towards covering UTF-16 edge cases and UTF-8 decoding results + * which we detect as invalid in utf8_conv.c. t_utf8.c covers more UTF-8 edge + * cases. + */ + +#include +#include + +#include "k5-platform.h" +#include "k5-utf8.h" + +struct test { + const char *utf8; + const char *utf16; + size_t utf16len; +} tests[] = { + { "", "", 0 }, + { "abcd", "a\0b\0c\0d\0", 8 }, + /* From RFC 2781 (tests code point 0x12345 and some ASCII) */ + { "\xF0\x92\x8D\x85=Ra", "\x08\xD8\x45\xDF=\0R\0a\0", 10 }, + /* Lowest and highest Supplementary Plane code points */ + { "\xF0\x90\x80\x80 \xF4\x8F\xBF\xBF", + "\x00\xD8\x00\xDC \0\xFF\xDB\xFF\xDF", 10 }, + /* Basic Multilingual Plane code points near and above surrogate range */ + { "\xED\x9F\xBF", "\xFF\xD7", 2 }, + { "\xEE\x80\x80 \xEE\xBF\xBF", "\x00\xE0 \0\xFF\xEF", 6 }, + /* Invalid UTF-8: decodes to value in surrogate pair range */ + { "\xED\xA0\x80", NULL, 0 }, /* 0xD800 */ + { "\xED\xAF\xBF", NULL, 0 }, /* 0xDBFF */ + { "\xED\xB0\x80", NULL, 0 }, /* 0xDC00 */ + { "\xED\xBF\xBF", NULL, 0 }, /* 0xDFFF */ + /* Invalid UTF-8: decodes to value above Unicode range */ + { "\xF4\x90\x80\x80", NULL, 0 }, + { "\xF4\xBF\xBF\xBF", NULL, 0 }, + { "\xF5\x80\x80\x80", NULL, 0 }, /* thrown out early due to first byte */ + /* Invalid UTF-16: odd numbers of UTF-16 bytes */ + { NULL, "\x00", 1 }, + { NULL, "\x01\x00\x02", 3 }, + /* Invalid UTF-16: high surrogate without a following low surrogate */ + { NULL, "\x00\xD8\x00\x00", 4 }, + { NULL, "\x00\xD8\xFF\xDB", 4 }, + { NULL, "\xFF\xDB", 2 }, + /* Invalid UTF-16: low surrogate without a preceding high surrogate */ + { NULL, "\x61\x00\x00\xDC", 4 }, + { NULL, "\xFF\xDF\xFF\xDB", 4 }, +}; + +int +main(int argc, char **argv) +{ + int ret; + struct test *t; + size_t i, utf16len; + uint8_t *utf16; + char *utf8; + + for (i = 0; i < sizeof(tests) / sizeof(*tests); i++) { + t = &tests[i]; + if (t->utf8 != NULL) { + ret = k5_utf8_to_utf16le(t->utf8, &utf16, &utf16len); + if (t->utf16 == NULL) { + assert(ret == EINVAL); + } else { + assert(ret == 0); + assert(t->utf16len == utf16len); + assert(memcmp(t->utf16, utf16, utf16len) == 0); + free(utf16); + } + } + + if (t->utf16 != NULL) { + ret = k5_utf16le_to_utf8((uint8_t *)t->utf16, t->utf16len, &utf8); + if (t->utf8 == NULL) { + assert(ret == EINVAL); + } else { + assert(ret == 0); + assert(strcmp(t->utf8, utf8) == 0); + free(utf8); + } + } + } + return 0; +} diff --git a/src/util/support/threads.c b/src/util/support/threads.c index bb8e287..be7e4c2 100644 --- a/src/util/support/threads.c +++ b/src/util/support/threads.c @@ -237,7 +237,6 @@ void *k5_getspecific (k5_key_t keynum) if (err) return NULL; - assert(keynum >= 0 && keynum < K5_KEY_MAX); assert(destructors_set[keynum] == 1); #ifndef ENABLE_THREADS @@ -271,7 +270,6 @@ int k5_setspecific (k5_key_t keynum, void *value) if (err) return err; - assert(keynum >= 0 && keynum < K5_KEY_MAX); assert(destructors_set[keynum] == 1); #ifndef ENABLE_THREADS @@ -334,8 +332,6 @@ int k5_key_register (k5_key_t keynum, void (*destructor)(void *)) if (err) return err; - assert(keynum >= 0 && keynum < K5_KEY_MAX); - #ifndef ENABLE_THREADS assert(destructors_set[keynum] == 0); @@ -365,8 +361,6 @@ int k5_key_register (k5_key_t keynum, void (*destructor)(void *)) int k5_key_delete (k5_key_t keynum) { - assert(keynum >= 0 && keynum < K5_KEY_MAX); - #ifndef ENABLE_THREADS assert(destructors_set[keynum] == 1); diff --git a/src/util/support/utf8.c b/src/util/support/utf8.c index e42c0c7..ea88181 100644 --- a/src/util/support/utf8.c +++ b/src/util/support/utf8.c @@ -205,7 +205,7 @@ int krb5int_utf8_to_ucs2(const char *p, krb5_ucs2 *out) return 0; } -/* conv UCS-2 to UTF-8, not used */ +/* conv UCS-4 to UTF-8 */ size_t krb5int_ucs4_to_utf8(krb5_ucs4 c, char *buf) { size_t len = 0; @@ -404,28 +404,6 @@ int krb5int_utf8_isalnum(const char * p) return KRB5_ALNUM(c); } - -#if 0 -int krb5int_utf8_islower(const char * p) -{ - unsigned c = * (const unsigned char *) p; - - if (!KRB5_ASCII(c)) - return 0; - - return KRB5_LOWER(c); -} - -int krb5int_utf8_isupper(const char * p) -{ - unsigned c = * (const unsigned char *) p; - - if (!KRB5_ASCII(c)) - return 0; - - return KRB5_UPPER(c); -} -#endif #endif diff --git a/src/util/support/utf8_conv.c b/src/util/support/utf8_conv.c index 80ca90b..08cef41 100644 --- a/src/util/support/utf8_conv.c +++ b/src/util/support/utf8_conv.c @@ -1,7 +1,7 @@ /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */ /* util/support/utf8_conv.c */ /* - * Copyright 2008 by the Massachusetts Institute of Technology. + * Copyright 2008, 2017 by the Massachusetts Institute of Technology. * All Rights Reserved. * * Export of this software from the United States of America may @@ -47,411 +47,158 @@ * THE PERPETRATOR TO CRIMINAL AND CIVIL LIABILITY. */ -/* This work is part of OpenLDAP Software . */ +/* This work is based on OpenLDAP Software . */ /* - * UTF-8 Conversion Routines - * - * These routines convert between Wide Character and UTF-8, - * or between MultiByte and UTF-8 encodings. - * - * Both single character and string versions of the functions are provided. - * All functions return -1 if the character or string cannot be converted. + * These routines convert between UTF-16 and UTF-8. UTF-16 encodes a Unicode + * character in either two or four bytes. Characters in the Basic Multilingual + * Plane (hex 0..D7FF and E000..FFFF) are encoded as-is in two bytes. + * Characters in the Supplementary Planes (10000..10FFFF) are split into a high + * surrogate and a low surrogate, each containing ten bits of the character + * value, and encoded in four bytes. */ #include "k5-platform.h" #include "k5-utf8.h" +#include "k5-buf.h" +#include "k5-input.h" #include "supp-int.h" static unsigned char mask[] = { 0, 0x7f, 0x1f, 0x0f, 0x07, 0x03, 0x01 }; -static ssize_t -k5_utf8s_to_ucs2s(krb5_ucs2 *ucs2str, - const char *utf8str, - size_t count, - int little_endian) -{ - size_t ucs2len = 0; - size_t utflen, i; - krb5_ucs2 ch; - - /* If input ptr is NULL or empty... */ - if (utf8str == NULL || *utf8str == '\0') { - if (ucs2str != NULL) - *ucs2str = 0; - - return 0; - } - - /* Examine next UTF-8 character. */ - while (ucs2len < count && *utf8str != '\0') { - /* Get UTF-8 sequence length from 1st byte */ - utflen = KRB5_UTF8_CHARLEN2(utf8str, utflen); - - if (utflen == 0 || utflen > KRB5_MAX_UTF8_LEN) - return -1; - - /* First byte minus length tag */ - ch = (krb5_ucs2)(utf8str[0] & mask[utflen]); - - for (i = 1; i < utflen; i++) { - /* Subsequent bytes must start with 10 */ - if ((utf8str[i] & 0xc0) != 0x80) - return -1; - - ch <<= 6; /* 6 bits of data in each subsequent byte */ - ch |= (krb5_ucs2)(utf8str[i] & 0x3f); - } - - if (ucs2str != NULL) { -#ifdef K5_BE -#ifndef SWAP16 -#define SWAP16(X) ((((X) << 8) | ((X) >> 8)) & 0xFFFF) -#endif - if (little_endian) - ucs2str[ucs2len] = SWAP16(ch); - else -#endif - ucs2str[ucs2len] = ch; - } - - utf8str += utflen; /* Move to next UTF-8 character */ - ucs2len++; /* Count number of wide chars stored/required */ - } - - if (ucs2str != NULL && ucs2len < count) { - /* Add null terminator if there's room in the buffer. */ - ucs2str[ucs2len] = 0; - } - - return ucs2len; -} - -int -krb5int_utf8s_to_ucs2s(const char *utf8s, - krb5_ucs2 **ucs2s, - size_t *ucs2chars) -{ - ssize_t len; - size_t chars; +/* A high surrogate is ten bits masked with 0xD800. */ +#define IS_HIGH_SURROGATE(c) ((c) >= 0xD800 && (c) <= 0xDBFF) - chars = krb5int_utf8_chars(utf8s); - *ucs2s = (krb5_ucs2 *)malloc((chars + 1) * sizeof(krb5_ucs2)); - if (*ucs2s == NULL) { - return ENOMEM; - } +/* A low surrogate is ten bits masked with 0xDC00. */ +#define IS_LOW_SURROGATE(c) ((c) >= 0xDC00 && (c) <= 0xDFFF) - len = k5_utf8s_to_ucs2s(*ucs2s, utf8s, chars + 1, 0); - if (len < 0) { - free(*ucs2s); - *ucs2s = NULL; - return EINVAL; - } +/* A valid Unicode code point is in the range 0..10FFFF and is not a surrogate + * value. */ +#define IS_SURROGATE(c) ((c) >= 0xD800 && (c) <= 0xDFFF) +#define IS_VALID_UNICODE(c) ((c) <= 0x10FFFF && !IS_SURROGATE(c)) - if (ucs2chars != NULL) { - *ucs2chars = chars; - } +/* A Basic Multilingual Plane character is in the range 0..FFFF and is not a + * surrogate value. */ +#define IS_BMP(c) ((c) <= 0xFFFF && !IS_SURROGATE(c)) - return 0; -} +/* Characters in the Supplementary Planes have a base value subtracted from + * their code points to form a 20-bit value; ten bits go in each surrogate. */ +#define BASE 0x10000 +#define HIGH_SURROGATE(c) (0xD800 | (((c) - BASE) >> 10)) +#define LOW_SURROGATE(c) (0xDC00 | (((c) - BASE) & 0x3FF)) +#define COMPOSE(c1, c2) (BASE + ((((c1) & 0x3FF) << 10) | ((c2) & 0x3FF))) int -krb5int_utf8cs_to_ucs2s(const char *utf8s, - size_t utf8slen, - krb5_ucs2 **ucs2s, - size_t *ucs2chars) +k5_utf8_to_utf16le(const char *utf8, uint8_t **utf16_out, size_t *nbytes_out) { - ssize_t len; - size_t chars; - - chars = krb5int_utf8c_chars(utf8s, utf8slen); - *ucs2s = (krb5_ucs2 *)malloc((chars + 1) * sizeof(krb5_ucs2)); - if (*ucs2s == NULL) { - return ENOMEM; - } - - len = k5_utf8s_to_ucs2s(*ucs2s, utf8s, chars, 0); - if (len < 0) { - free(*ucs2s); - *ucs2s = NULL; - return EINVAL; - } - (*ucs2s)[chars] = 0; - - if (ucs2chars != NULL) { - *ucs2chars = chars; - } - - return 0; -} - -int -krb5int_utf8s_to_ucs2les(const char *utf8s, - unsigned char **ucs2les, - size_t *ucs2leslen) -{ - ssize_t len; - size_t chars; - - chars = krb5int_utf8_chars(utf8s); - - *ucs2les = (unsigned char *)malloc((chars + 1) * sizeof(krb5_ucs2)); - if (*ucs2les == NULL) { - return ENOMEM; - } - - len = k5_utf8s_to_ucs2s((krb5_ucs2 *)*ucs2les, utf8s, chars + 1, 1); - if (len < 0) { - free(*ucs2les); - *ucs2les = NULL; - return EINVAL; - } - - if (ucs2leslen != NULL) { - *ucs2leslen = chars * sizeof(krb5_ucs2); - } - - return 0; -} - -int -krb5int_utf8cs_to_ucs2les(const char *utf8s, - size_t utf8slen, - unsigned char **ucs2les, - size_t *ucs2leslen) -{ - ssize_t len; - size_t chars; - krb5_ucs2 *ucs2s; - - *ucs2les = NULL; - - chars = krb5int_utf8c_chars(utf8s, utf8slen); - ucs2s = malloc((chars + 1) * sizeof(krb5_ucs2)); - if (ucs2s == NULL) - return ENOMEM; - - len = k5_utf8s_to_ucs2s(ucs2s, utf8s, chars, 1); - if (len < 0) { - free(ucs2s); - return EINVAL; - } - ucs2s[chars] = 0; - - *ucs2les = (unsigned char *)ucs2s; - if (ucs2leslen != NULL) { - *ucs2leslen = chars * sizeof(krb5_ucs2); - } + struct k5buf buf; + krb5_ucs4 ch; + size_t chlen, i; + uint8_t *p; - return 0; -} + *utf16_out = NULL; + *nbytes_out = 0; -/*----------------------------------------------------------------------------- - Convert a wide char string to a UTF-8 string. - No more than 'count' bytes will be written to the output buffer. - Return the # of bytes written to the output buffer, excl null terminator. + /* UTF-16 conversion is used for RC4 string-to-key, so treat this data as + * sensitive. */ + k5_buf_init_dynamic_zap(&buf); - ucs2len is -1 if the UCS-2 string is NUL terminated, otherwise it is the - length of the UCS-2 string in characters -*/ -static ssize_t -k5_ucs2s_to_utf8s(char *utf8str, const krb5_ucs2 *ucs2str, - size_t count, ssize_t ucs2len, int little_endian) -{ - int len = 0; - int n; - char *p = utf8str; - krb5_ucs2 empty = 0, ch; + /* Examine next UTF-8 character. */ + while (*utf8 != '\0') { + /* Get UTF-8 sequence length from first byte. */ + chlen = KRB5_UTF8_CHARLEN2(utf8, chlen); + if (chlen == 0) + goto invalid; - if (ucs2str == NULL) /* Treat input ptr NULL as an empty string */ - ucs2str = ∅ + /* First byte minus length tag */ + ch = (krb5_ucs4)(utf8[0] & mask[chlen]); - if (utf8str == NULL) /* Just compute size of output, excl null */ - { - while (ucs2len == -1 ? *ucs2str : --ucs2len >= 0) { - /* Get UTF-8 size of next wide char */ - ch = *ucs2str++; -#ifdef K5_BE - if (little_endian) - ch = SWAP16(ch); -#endif + for (i = 1; i < chlen; i++) { + /* Subsequent bytes must start with 10. */ + if ((utf8[i] & 0xc0) != 0x80) + goto invalid; - n = krb5int_ucs2_to_utf8(ch, NULL); - if (n < 1 || n > INT_MAX - len) - return -1; - len += n; + /* 6 bits of data in each subsequent byte */ + ch <<= 6; + ch |= (krb5_ucs4)(utf8[i] & 0x3f); + } + if (!IS_VALID_UNICODE(ch)) + goto invalid; + + /* Characters in the basic multilingual plane are encoded using two + * bytes; other characters are encoded using four bytes. */ + p = k5_buf_get_space(&buf, IS_BMP(ch) ? 2 : 4); + if (p == NULL) + return ENOMEM; + if (IS_BMP(ch)) { + store_16_le(ch, p); + } else { + /* 0x10000 is subtracted from ch; then the high ten bits plus + * 0xD800 and the low ten bits plus 0xDC00 are the surrogates. */ + store_16_le(HIGH_SURROGATE(ch), p); + store_16_le(LOW_SURROGATE(ch), p + 2); } - return len; - } - - /* Do the actual conversion. */ - - n = 1; /* In case of empty ucs2str */ - while (ucs2len == -1 ? *ucs2str != 0 : --ucs2len >= 0) { - ch = *ucs2str++; -#ifdef K5_BE - if (little_endian) - ch = SWAP16(ch); -#endif - - n = krb5int_ucs2_to_utf8(ch, p); - - if (n < 1) - break; - - p += n; - count -= n; /* Space left in output buffer */ - } - - /* If not enough room for last character, pad remainder with null - so that return value = original count, indicating buffer full. */ - if (n == 0) { - while (count--) - *p++ = 0; - } - /* Add a null terminator if there's room. */ - else if (count) - *p = 0; - - if (n == -1) /* Conversion encountered invalid wide char. */ - return -1; - - /* Return the number of bytes written to output buffer, excl null. */ - return (p - utf8str); -} - -int -krb5int_ucs2s_to_utf8s(const krb5_ucs2 *ucs2s, - char **utf8s, - size_t *utf8slen) -{ - ssize_t len; - - len = k5_ucs2s_to_utf8s(NULL, ucs2s, 0, -1, 0); - if (len < 0) { - return EINVAL; - } - - *utf8s = (char *)malloc((size_t)len + 1); - if (*utf8s == NULL) { - return ENOMEM; - } - - len = k5_ucs2s_to_utf8s(*utf8s, ucs2s, (size_t)len + 1, -1, 0); - if (len < 0) { - free(*utf8s); - *utf8s = NULL; - return EINVAL; - } - - if (utf8slen != NULL) { - *utf8slen = len; + /* Move to next UTF-8 character. */ + utf8 += chlen; } + *utf16_out = buf.data; + *nbytes_out = buf.len; return 0; -} -int -krb5int_ucs2les_to_utf8s(const unsigned char *ucs2les, - char **utf8s, - size_t *utf8slen) -{ - ssize_t len; - - len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2les, 0, -1, 1); - if (len < 0) - return EINVAL; - - *utf8s = (char *)malloc((size_t)len + 1); - if (*utf8s == NULL) { - return ENOMEM; - } - - len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2les, (size_t)len + 1, -1, 1); - if (len < 0) { - free(*utf8s); - *utf8s = NULL; - return EINVAL; - } - - if (utf8slen != NULL) { - *utf8slen = len; - } - - return 0; +invalid: + k5_buf_free(&buf); + return EINVAL; } int -krb5int_ucs2cs_to_utf8s(const krb5_ucs2 *ucs2s, - size_t ucs2slen, - char **utf8s, - size_t *utf8slen) +k5_utf16le_to_utf8(const uint8_t *utf16bytes, size_t nbytes, char **utf8_out) { - ssize_t len; + struct k5buf buf; + struct k5input in; + uint16_t ch1, ch2; + krb5_ucs4 ch; + size_t chlen; + void *p; - if (ucs2slen > SSIZE_MAX) - return ERANGE; + *utf8_out = NULL; - len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2s, 0, - (ssize_t)ucs2slen, 0); - if (len < 0) + if (nbytes % 2 != 0) return EINVAL; - *utf8s = (char *)malloc((size_t)len + 1); - if (*utf8s == NULL) { - return ENOMEM; - } + k5_buf_init_dynamic(&buf); + k5_input_init(&in, utf16bytes, nbytes); + while (!in.status && in.len > 0) { + /* Get the next character or high surrogate. A low surrogate without a + * preceding high surrogate is invalid. */ + ch1 = k5_input_get_uint16_le(&in); + if (IS_LOW_SURROGATE(ch1)) + goto invalid; + if (IS_HIGH_SURROGATE(ch1)) { + /* Get the low surrogate and combine the pair. */ + ch2 = k5_input_get_uint16_le(&in); + if (!IS_LOW_SURROGATE(ch2)) + goto invalid; + ch = COMPOSE(ch1, ch2); + } else { + ch = ch1; + } - len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2s, (size_t)len, - (ssize_t)ucs2slen, 0); - if (len < 0) { - free(*utf8s); - *utf8s = NULL; - return EINVAL; + chlen = krb5int_ucs4_to_utf8(ch, NULL); + p = k5_buf_get_space(&buf, chlen); + if (p == NULL) + return ENOMEM; + (void)krb5int_ucs4_to_utf8(ch, p); } - (*utf8s)[len] = '\0'; - if (utf8slen != NULL) { - *utf8slen = len; - } + if (in.status) + goto invalid; + *utf8_out = buf.data; return 0; -} - -int -krb5int_ucs2lecs_to_utf8s(const unsigned char *ucs2les, - size_t ucs2leslen, - char **utf8s, - size_t *utf8slen) -{ - ssize_t len; - if (ucs2leslen > SSIZE_MAX) - return ERANGE; - - len = k5_ucs2s_to_utf8s(NULL, (krb5_ucs2 *)ucs2les, 0, - (ssize_t)ucs2leslen, 1); - if (len < 0) - return EINVAL; - - *utf8s = (char *)malloc((size_t)len + 1); - if (*utf8s == NULL) { - return ENOMEM; - } - - len = k5_ucs2s_to_utf8s(*utf8s, (krb5_ucs2 *)ucs2les, (size_t)len, - (ssize_t)ucs2leslen, 1); - if (len < 0) { - free(*utf8s); - *utf8s = NULL; - return EINVAL; - } - (*utf8s)[len] = '\0'; - - if (utf8slen != NULL) { - *utf8slen = len; - } - - return 0; +invalid: + k5_buf_free(&buf); + return EINVAL; } diff --git a/src/util/support/zap.c b/src/util/support/zap.c index ed31630..2f6cdd7 100644 --- a/src/util/support/zap.c +++ b/src/util/support/zap.c @@ -25,8 +25,8 @@ */ /* - * krb5int_zap() is used by zap() (a static inline function defined in - * k5-int.h) on non-Windows, non-gcc compilers, in order to prevent the + * krb5int_zap() is used by zap() (a macro or static inline function defined in + * k5-platform.h) on non-Windows, non-gcc compilers, in order to prevent the * compiler from inlining and optimizing out the memset() call. */ diff --git a/src/util/testrealm.py b/src/util/testrealm.py index fba3ae0..ce32432 100644 --- a/src/util/testrealm.py +++ b/src/util/testrealm.py @@ -42,7 +42,7 @@ progpaths = [ os.path.join('clients', 'ksu'), os.path.join('clients', 'kvno'), os.path.join('clients', 'kswitch'), - 'slave' + 'kprop' ] # Add program directories to the beginning of PATH. diff --git a/src/util/verto/README b/src/util/verto/README index 6de645f..a3dab83 100644 --- a/src/util/verto/README +++ b/src/util/verto/README @@ -36,5 +36,5 @@ BUILTIN_MODULE define. The libverto and libev upstream project pages are at: - https://fedorahosted.org/libverto/ + https://github.com/latchset/libverto/ http://software.schmorp.de/pkg/libev.html diff --git a/src/util/verto/libverto.exports b/src/util/verto/libverto.exports index ecba76a..3745d50 100644 --- a/src/util/verto/libverto.exports +++ b/src/util/verto/libverto.exports @@ -4,6 +4,7 @@ verto_add_io verto_add_signal verto_add_timeout verto_break +verto_cleanup verto_convert_module verto_default verto_del diff --git a/src/util/verto/verto-k5ev.c b/src/util/verto/verto-k5ev.c index 74fa368..a390af7 100644 --- a/src/util/verto/verto-k5ev.c +++ b/src/util/verto/verto-k5ev.c @@ -36,12 +36,29 @@ #include #include #include "rename.h" + +/* Ignore some warnings generated by the libev code, which the libev maintainer + * isn't interested in avoiding. */ +#ifdef __GNUC__ +#pragma GCC diagnostic ignored "-Wunused-value" +#pragma GCC diagnostic ignored "-Wcomment" +#pragma GCC diagnostic ignored "-Wunused-result" +#ifdef __clang__ +#pragma GCC diagnostic ignored "-Wbitwise-op-parentheses" +#endif +#endif + #define EV_API_STATIC 1 #define EV_STANDALONE 1 /* Avoid using clock_gettime, which would create a dependency on librt. */ #define EV_USE_MONOTONIC 0 #define EV_USE_REALTIME 0 -#define EV_FEATURES 0x5f /* Everything but back ends */ +#define EV_FEATURES 0x4f /* No back ends or optional watchers */ +/* Enable the optional watcher types we use. */ +#define EV_IDLE_ENABLE 1 +#define EV_SIGNAL_ENABLE 1 +#define EV_CHILD_ENABLE 1 +/* Enable the back ends we want. */ #ifdef HAVE_POLL_H #define EV_USE_POLL 1 #endif @@ -97,6 +114,11 @@ libev_callback(EV_P_ ev_watcher *w, int revents) { verto_ev_flag state = VERTO_EV_FLAG_NONE; +#if EV_MULTIPLICITY + /* Match the check in ev.h, which doesn't mark this unused */ + (void) EV_A; +#endif + if (verto_get_type(w->data)== VERTO_EV_TYPE_CHILD) verto_set_proc_status(w->data, ((ev_child*) w)->rstatus); diff --git a/src/util/verto/verto-libev.c b/src/util/verto/verto-libev.c index 9c7c324..99256a2 100644 --- a/src/util/verto/verto-libev.c +++ b/src/util/verto/verto-libev.c @@ -80,6 +80,11 @@ libev_callback(EV_P_ ev_watcher *w, int revents) { verto_ev_flag state = VERTO_EV_FLAG_NONE; +#if EV_MULTIPLICITY + /* Match the check in ev.h, which doesn't mark this unused */ + (void) EV_A; +#endif + if (verto_get_type(w->data)== VERTO_EV_TYPE_CHILD) verto_set_proc_status(w->data, ((ev_child*) w)->rstatus); diff --git a/src/util/verto/verto.c b/src/util/verto/verto.c index 44ea437..71eaffa 100644 --- a/src/util/verto/verto.c +++ b/src/util/verto/verto.c @@ -22,8 +22,6 @@ * SOFTWARE. */ -#define _GNU_SOURCE /* For asprintf() */ - #include #include #include @@ -45,6 +43,8 @@ #define _str(s) # s #define __str(s) _str(s) +#define MUTABLE(flags) (flags & _VERTO_EV_FLAG_MUTABLE_MASK) + /* Remove flags we can emulate */ #define make_actual(flags) ((flags) & ~(VERTO_EV_FLAG_PERSIST|VERTO_EV_FLAG_IO_CLOSE_FD)) @@ -103,7 +103,7 @@ struct module_record { /* * This symbol can be used when embedding verto.c in a library along with a * built-in private module, to preload the module instead of dynamically - * linking it in later. Define to verto_module_table_. + * linking it in later. Define to . */ extern verto_module MODTABLE(BUILTIN_MODULE); static module_record builtin_record = { @@ -119,12 +119,43 @@ static int resize_cb_hierarchical; #ifdef HAVE_PTHREAD static pthread_mutex_t loaded_modules_mutex = PTHREAD_MUTEX_INITIALIZER; -#define mutex_lock(x) pthread_mutex_lock(x) -#define mutex_unlock(x) pthread_mutex_unlock(x) -#else + +#ifndef NDEBUG +#define mutex_lock(x) { \ + int c = pthread_mutex_lock(x); \ + if (c != 0) { \ + fprintf(stderr, "pthread_mutex_lock returned %d (%s) in %s", \ + c, strerror(c), __FUNCTION__); \ + } \ + assert(c == 0); \ + } +#define mutex_unlock(x) { \ + int c = pthread_mutex_unlock(x); \ + if (c != 0) { \ + fprintf(stderr, "pthread_mutex_unlock returned %d (%s) in %s", \ + c, strerror(c), __FUNCTION__); \ + } \ + assert(c == 0); \ + } +#define mutex_destroy(x) { \ + int c = pthread_mutex_destroy(x); \ + if (c != 0) { \ + fprintf(stderr, "pthread_mutex_destroy returned %d (%s) in %s", \ + c, strerror(c), __FUNCTION__); \ + } \ + assert(c == 0); \ + } +#else /* NDEBUG */ +#define mutex_lock pthread_mutex_lock +#define mutex_unlock pthread_mutex_unlock +#define mutex_destroy pthread_mutex_destroy +#endif /* NDEBUG */ + +#else /* HAVE_PTHREAD */ #define mutex_lock(x) #define mutex_unlock(x) -#endif +#define mutex_destroy(x) +#endif /* HAVE_PTHREAD */ #define vfree(mem) vresize(mem, 0) static void * @@ -132,34 +163,35 @@ vresize(void *mem, size_t size) { if (!resize_cb) resize_cb = &realloc; + if (size == 0 && resize_cb == &realloc) { + /* Avoid memleak as realloc(X, 0) can return a free-able pointer. */ + free(mem); + return NULL; + } return (*resize_cb)(mem, size); } #ifndef BUILTIN_MODULE -static int -int_vasprintf(char **strp, const char *fmt, va_list ap) { - va_list apc; - int size = 0; - - va_copy(apc, ap); - size = vsnprintf(NULL, 0, fmt, apc); - va_end(apc); +static char * +string_aconcat(const char *first, const char *second, const char *third) { + char *ret; + size_t len; - if (size <= 0 || !(*strp = malloc(size + 1))) - return -1; + len = strlen(first) + strlen(second); + if (third) + len += strlen(third); - return vsnprintf(*strp, size + 1, fmt, ap); -} + ret = malloc(len + 1); + if (!ret) + return NULL; -static int -int_asprintf(char **strp, const char *fmt, ...) { - va_list ap; - int size = 0; + strncpy(ret, first, strlen(first)); + strncpy(ret + strlen(first), second, strlen(second)); + if (third) + strncpy(ret + strlen(first) + strlen(second), third, strlen(third)); - va_start(ap, fmt); - size = int_vasprintf(strp, fmt, ap); - va_end(ap); - return size; + ret[len] = '\0'; + return ret; } static char * @@ -185,8 +217,7 @@ int_get_table_name_from_filename(const char *filename) if (tmp) { if (strchr(tmp+1, '.')) { *strchr(tmp+1, '.') = '\0'; - if (int_asprintf(&tmp, "%s%s", __str(VERTO_MODULE_TABLE()), tmp + 1) < 0) - tmp = NULL; + tmp = string_aconcat(__str(VERTO_MODULE_TABLE()), tmp + 1, NULL); } else tmp = NULL; } @@ -217,7 +248,7 @@ shouldload(void *symb, void *misc, char **err) if (table->symb && data->reqsym && !module_symbol_is_present(NULL, table->symb)) { if (err) - int_asprintf(err, "Symbol not found: %s!", table->symb); + *err = string_aconcat("Symbol not found: ", table->symb, "!"); return 0; } @@ -265,6 +296,7 @@ do_load_file(const char *filename, int reqsym, verto_ev_type reqtypes, tblname = int_get_table_name_from_filename(filename); if (!tblname) { free(tblname); + free(tmp->filename); vfree(tmp); return 0; } @@ -278,6 +310,7 @@ do_load_file(const char *filename, int reqsym, verto_ev_type reqtypes, free(error); module_close(tmp->dll); free(tblname); + free(tmp->filename); vfree(tmp); return 0; } @@ -324,7 +357,8 @@ do_load_dir(const char *dirname, const char *prefix, const char *suffix, if (flen < slen || strcmp(ent->d_name + flen - slen, suffix)) continue; - if (int_asprintf(&tmp, "%s/%s", dirname, ent->d_name) < 0) + tmp = string_aconcat(dirname, "/", ent->d_name); + if (!tmp) continue; success = do_load_file(tmp, reqsym, reqtypes, record); @@ -401,8 +435,8 @@ load_module(const char *impl, verto_ev_type reqtypes, module_record **record) success = do_load_file(impl, 0, reqtypes, record); if (!success) { /* Try to do a load by the name */ - tmp = NULL; - if (int_asprintf(&tmp, "%s%s%s", prefix, impl, suffix) > 0) { + tmp = string_aconcat(prefix, impl, suffix); + if (tmp) { success = do_load_file(tmp, 0, reqtypes, record); free(tmp); } @@ -494,6 +528,8 @@ remove_ev(verto_ev **origin, verto_ev *item) static void signal_ignore(verto_ctx *ctx, verto_ev *ev) { + (void) ctx; + (void) ev; } verto_ctx * @@ -566,6 +602,25 @@ verto_free(verto_ctx *ctx) } void +verto_cleanup(void) +{ + module_record *record; + + mutex_lock(&loaded_modules_mutex); + + for (record = loaded_modules; record; record = record->next) { + module_close(record->dll); + free(record->filename); + } + + vfree(loaded_modules); + loaded_modules = NULL; + + mutex_unlock(&loaded_modules_mutex); + mutex_destroy(&loaded_modules_mutex); +} + +void verto_run(verto_ctx *ctx) { if (!ctx) @@ -752,8 +807,12 @@ verto_set_flags(verto_ev *ev, verto_ev_flag flags) if (!ev) return; + /* No modification is needed, so do nothing. */ + if (MUTABLE(ev->flags) == MUTABLE(flags)) + return; + ev->flags &= ~_VERTO_EV_FLAG_MUTABLE_MASK; - ev->flags |= flags & _VERTO_EV_FLAG_MUTABLE_MASK; + ev->flags |= MUTABLE(flags); /* If setting flags isn't supported, just rebuild the event */ if (!ev->ctx->module->funcs->ctx_set_flags) { @@ -765,7 +824,7 @@ verto_set_flags(verto_ev *ev, verto_ev_flag flags) } ev->actual &= ~_VERTO_EV_FLAG_MUTABLE_MASK; - ev->actual |= flags & _VERTO_EV_FLAG_MUTABLE_MASK; + ev->actual |= MUTABLE(flags); ev->ctx->module->funcs->ctx_set_flags(ev->ctx->ctx, ev, ev->ev); } @@ -861,7 +920,7 @@ verto_convert_module(const verto_module *module, int deflt, verto_mod_ctx *mctx) module_record *mr; if (!module) - goto error; + return NULL; if (deflt) { mutex_lock(&loaded_modules_mutex); diff --git a/src/util/verto/verto.h b/src/util/verto/verto.h index 5540367..55c5836 100644 --- a/src/util/verto/verto.h +++ b/src/util/verto/verto.h @@ -33,6 +33,7 @@ typedef HANDLE verto_proc; typedef DWORD verto_proc_status; #else +#include typedef pid_t verto_proc; typedef int verto_proc_status; #endif @@ -195,7 +196,8 @@ verto_set_default(const char *impl, verto_ev_type reqtypes); * @see verto_add_idle() * @see verto_add_signal() * @see verto_add_child() - * @param resize The allocator to use (behaves like realloc()) + * @param resize The allocator to use (behaves like realloc(); + * resize(ptr, 0) must free memory at ptr.) * @param hierarchical Zero if the allocator is not hierarchical */ int @@ -216,6 +218,19 @@ void verto_free(verto_ctx *ctx); /** + * Frees global state. + * + * Remove and free all allocated global state. Call only when no further + * contexts exist and all threads have exited. + * + * @see verto_new() + * @see verto_free() + * @see verto_default() + */ +void +verto_cleanup(void); + +/** * Run the verto_ctx forever, or at least until verto_break() is called. * * @see verto_break() @@ -444,7 +459,8 @@ verto_get_flags(const verto_ev *ev); * Sets the flags associated with the given verto_ev. * * See _VERTO_EV_FLAG_MUTABLE_MASK for the flags that can be changed - * with this function. All others will be ignored. + * with this function. All others will be ignored. If the flags specified + * are the same as the flags the event already has, this function is a no-op. * * @see verto_add_io() * @see verto_add_timeout() diff --git a/src/util/windows/Makefile.in b/src/util/windows/Makefile.in index bf0892f..3dfcde2 100644 --- a/src/util/windows/Makefile.in +++ b/src/util/windows/Makefile.in @@ -3,7 +3,7 @@ BUILDTOP = ..\.. all-windows: $(OUTPRE)libecho.exe $(OUTPRE)libecho.exe: $(OUTPRE)libecho.obj - link -out:$@ $** $(SCLIB) + link -out:$@ $** $(_VC_MANIFEST_EMBED_EXE) install-windows: diff --git a/src/util/wshelper/Makefile.in b/src/util/wshelper/Makefile.in deleted file mode 100644 index 75a9698..0000000 --- a/src/util/wshelper/Makefile.in +++ /dev/null @@ -1,64 +0,0 @@ -BUILDTOP=..\.. - -DLL_NAME=wshelp32 -DEF_FILE=wshelp32.def - -# Use 64-bit DLL_NAME and DEF_FILE on 64-bit platforms -!if ("$(CPU)" == "IA64") || ("$(CPU)" == "AMD64") || ("$(CPU)" == "ALPHA64") -DLL_NAME=wshelp64 -DEF_FILE=wshelp64.def -!endif - - -OBJS= $(OUTPRE)dllmain.$(OBJEXT) \ - $(OUTPRE)gethna.$(OBJEXT) \ - $(OUTPRE)hesiod.$(OBJEXT) \ - $(OUTPRE)hesmailh.$(OBJEXT) \ - $(OUTPRE)hespwnam.$(OBJEXT) \ - $(OUTPRE)hesservb.$(OBJEXT) \ - $(OUTPRE)inetaton.$(OBJEXT) \ - $(OUTPRE)res_comp.$(OBJEXT) \ - $(OUTPRE)res_init.$(OBJEXT) \ - $(OUTPRE)res_quer.$(OBJEXT) - -RESFILE = $(OUTPRE)resource.res -XOBJS = $(RESFILE) - -RCFLAGS = -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include -I$(BUILDTOP) -DWSHELPER_LIB - -###From another project inside K 1.9: -###VERSIONRC = $(BUILDTOP)\windows\version.rc -###RCFLAGS=$(CPPFLAGS) -I$(top_srcdir) -D_WIN32 -DRES_ONLY - - -# Set NODEBUG if building release instead of debug - -LOCALINCLUDES = -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include - -WINLIBS = advapi32.lib user32.lib ws2_32.lib dnsapi.lib - -WINDLLFLAGS = /nologo /dll /incremental:no /release $(LOPTS) - -DEFINES = -!ifdef NODEBUG -DEFINES = $(DEFINES) -!else -DEFINES = $(DEFINES) -DDBG -!endif - -all-windows: -all-windows: $(OUTPRE)$(DLL_NAME).dll - -clean-windows:: - $(RM) $(OUTPRE)$(DLL_NAME).dll - -$(OUTPRE)$(DLL_NAME).dll: $(DEF_FILE) $(OBJS) $(XOBJS) - link $(WINDLLFLAGS) -def:$(DEF_FILE) -out:$*.dll \ - $(OBJS) $(XOBJS) $(WINLIBS) $(SCLIB) - $(_VC_MANIFEST_EMBED_DLL) - -$(OUTPRE)dllmain.$(OBJEXT): pwd.h -$(OUTPRE)hespwnam.$(OBJEXT): pwd.h -$(OUTPRE)dllmain.$(OBJEXT): wsh-int.h -$(OUTPRE)res_init.$(OBJEXT): wsh-int.h -$(RESFILE): resource.rc ../../windows/version.rc ../../windows/kerberos.ver diff --git a/src/util/wshelper/dllmain.c b/src/util/wshelper/dllmain.c deleted file mode 100644 index 5ae0016..0000000 --- a/src/util/wshelper/dllmain.c +++ /dev/null @@ -1,264 +0,0 @@ -#define WIN32_LEAN_AND_MEAN -#include -#include -#include "wsh-int.h" -#include -#include "hesiod.h" -#include "pwd.h" - - -DWORD dwHesIndex; // for hes_to_bind -DWORD dwHesMailIndex; // for hes_getmailhost -DWORD dwHesServIndex; // for hes_getservbyname -DWORD dwHesPwNamIndex; // for hes_getpwnam; -DWORD dwHesPwUidIndex; // for hes_getpwuid -DWORD dwGhnIndex; // for rgethostbyname -DWORD dwGhaIndex; // for rgethostbyaddr - -#define LISTSIZE 15 - -void FreeThreadLocalMemory(); -void AllocateThreadLocalMemory(); -void FreePasswdStruct(LPVOID lpvData); -void FreeHostentStruct(LPVOID lpvData); - -BOOL -WINAPI -DllMain( - HINSTANCE hinstDLL, // handle to DLL module - DWORD fdwReason, // reason for calling function - LPVOID lpvReserved // reserved -) -{ - switch(fdwReason) - { - case DLL_PROCESS_ATTACH: - if ((dwHesIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwHesMailIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwHesServIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwHesPwNamIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwHesPwUidIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwHesPwUidIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwGhnIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - if ((dwGhaIndex = TlsAlloc()) == TLS_OUT_OF_INDEXES) - return FALSE; - res_init_startup(); - case DLL_THREAD_ATTACH: - // Initialize the TLS index for this thread. - AllocateThreadLocalMemory(); - break; - - case DLL_THREAD_DETACH: - - // Release the allocated memory for this thread. - FreeThreadLocalMemory(); - break; - - - case DLL_PROCESS_DETACH: - // Release the TLS index. - FreeThreadLocalMemory(); - TlsFree(dwHesIndex); - TlsFree(dwHesMailIndex); - TlsFree(dwHesServIndex); - TlsFree(dwHesPwNamIndex); - TlsFree(dwHesPwUidIndex); - TlsFree(dwGhnIndex); - TlsFree(dwGhaIndex); - - res_init_cleanup(); - break; - } - return TRUE; -} - -void AllocateThreadLocalMemory() -{ - LPVOID lpvData; - - lpvData = (LPVOID) LocalAlloc(LPTR, DNS_MAX_NAME_BUFFER_LENGTH); - if (lpvData != NULL) - TlsSetValue(dwHesIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hes_postoffice)); - if (lpvData != NULL) - TlsSetValue(dwHesMailIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct servent)); - if (lpvData != NULL) - TlsSetValue(dwHesServIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct passwd)); - if (lpvData != NULL) - TlsSetValue(dwHesPwNamIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct passwd)); - if (lpvData != NULL) - TlsSetValue(dwHesPwUidIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hostent)); - if (lpvData != NULL) - TlsSetValue(dwGhnIndex, lpvData); - - lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hostent)); - if (lpvData != NULL) - TlsSetValue(dwGhaIndex, lpvData); - -} -void FreeThreadLocalMemory() -{ - LPVOID lpvData; - int i; - - lpvData = TlsGetValue(dwHesIndex); - if (lpvData != NULL) - LocalFree((HLOCAL) lpvData); - - // free hes_postoffice - lpvData = TlsGetValue(dwHesMailIndex); - if (lpvData) - { - struct hes_postoffice* p = (struct hes_postoffice*) lpvData; - if (p->po_type) - { - LocalFree(p->po_type); - p->po_type = NULL; - } - if (p->po_host) - { - LocalFree(p->po_host); - p->po_host = NULL; - } - if (p->po_name) - { - LocalFree(p->po_name); - p->po_name = NULL; - } - LocalFree((HLOCAL) lpvData); - } - - // free servent - lpvData = TlsGetValue(dwHesServIndex); - if (lpvData) - { - struct servent* s = (struct servent*) lpvData; - if (s->s_name) - { - LocalFree(s->s_name); - s->s_name = NULL; - } - if (s->s_proto) - { - LocalFree(s->s_proto); - s->s_proto = NULL; - } - if (s->s_aliases) - { - for (i = 0; is_aliases[i]) - { - LocalFree(s->s_aliases[i]); - s->s_aliases[i] = NULL; - } - } - LocalFree(s->s_aliases); - } - LocalFree((HLOCAL) lpvData); - } - - // free struct passwd - lpvData = TlsGetValue(dwHesPwNamIndex); - FreePasswdStruct(lpvData); - - lpvData = TlsGetValue(dwHesPwUidIndex); - FreePasswdStruct(lpvData); - - // free struct hostent - lpvData = TlsGetValue(dwGhnIndex); - FreeHostentStruct(lpvData); - - lpvData = TlsGetValue(dwGhaIndex); - FreeHostentStruct(lpvData); - -} - - -void FreeHostentStruct(LPVOID lpvData) -{ - if (lpvData) - { - int i = 0; - struct hostent* host = (struct hostent*) lpvData; - if (host->h_name) - LocalFree(host->h_name); - if (host->h_aliases) - { - while(host->h_aliases[i]) - { - LocalFree(host->h_aliases[i]); - host->h_aliases[i] = NULL; - i++; - } - LocalFree(host->h_aliases); - } - if (host->h_addr_list) - { - i = 0; - while (host->h_addr_list[i]) - { - LocalFree(host->h_addr_list[i]); - host->h_addr_list[i] = NULL; - i++; - } - LocalFree(host->h_addr_list); - } - LocalFree((HLOCAL) lpvData); - } -} - -void FreePasswdStruct(LPVOID lpvData) -{ - if (lpvData) - { - struct passwd* p = (struct passwd*) lpvData; - if (p->pw_name) - { - LocalFree(p->pw_name); - p->pw_name = NULL; - } - if (p->pw_passwd) - { - LocalFree(p->pw_passwd); - p->pw_passwd = NULL; - } - if (p->pw_comment) - { - LocalFree(p->pw_comment); - p->pw_comment = NULL; - } - if (p->pw_gecos) - { - LocalFree(p->pw_gecos); - p->pw_gecos = NULL; - } - if (p->pw_dir) - { - LocalFree(p->pw_dir); - p->pw_dir = NULL; - } - if (p->pw_shell) - { - LocalFree(p->pw_shell); - p->pw_shell = NULL; - } - LocalFree((HLOCAL) lpvData); - } -} diff --git a/src/util/wshelper/gethna.c b/src/util/wshelper/gethna.c deleted file mode 100644 index 8914c32..0000000 --- a/src/util/wshelper/gethna.c +++ /dev/null @@ -1,477 +0,0 @@ -/* -* @doc RESOLVE -* -* @module gethna.c | -* -* This file contains the function definitions for: -* rgethostbyname, -* rgethostbyaddr, -* rdn_expand, -* gethinfobyname, -* getmxbyname, -* getrecordbyname, -* rrhost, -* rgetservbyname, -* and some other internal functions called by these functions. -* -* -* WSHelper DNS/Hesiod Library for WINSOCK -* -*/ - -/* - * Copyright (c) 1985, 1988 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)gethostnamadr.c 6.48 (Berkeley) 1/10/93"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include -#include -#include -#include - -#ifdef _WIN32 -#include -#endif - -#define MAXALIASES 35 -#define MAXADDRS 35 - -extern DWORD dwGhnIndex; -extern DWORD dwGhaIndex; - -unsigned long WINAPI inet_aton(register const char *, struct in_addr *); - - -#ifdef _DEBUG -#ifndef DEBUG -#define DEBUG -#endif -#endif - - -extern int WINAPI hes_error( void ); -DNS_STATUS doquery(const char* queryname, struct hostent* host); - -/* - query the dns name space for a host given the host name - \param[in] name Pointer to the null-terminated name of the host to resolve. It can be a fully qualified host name such as x.mit.edu - or it can be a simple host name such as x. If it is a simple host name, the default domain name is - appended to do the search. - \retval a pointer to the structure hostent. a structure allocated by the library. The hostent structure contains - the results of a successful search for the host specified in the name parameter. The caller must never - attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - structure is allocated per call per thread, so the application should copy any information it needs before - issuing another rgethostbyname. - NULL if the search has failed - -*/ -struct hostent * -WINAPI -rgethostbyname(char *name) -{ - struct hostent* host; - DNS_STATUS status; - const char *cp; - char queryname[DNS_MAX_NAME_BUFFER_LENGTH ]; -#ifdef DEBUG - char debstr[80]; -#endif - char** domain; - struct in_addr host_addr; - - host = (struct hostent*)(TlsGetValue(dwGhnIndex)); - if (host == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hostent)); - if (lpvData != NULL) { - TlsSetValue(dwGhnIndex, lpvData); - host = (struct hostent*)lpvData; - } else - return NULL; - } - - if (host->h_name == NULL) - host->h_name = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - if (host->h_aliases == NULL) - host->h_aliases = LocalAlloc(LPTR, 1*sizeof(LPSTR)); - if (host->h_addr_list == NULL) - { - host->h_addr_list = LocalAlloc(LPTR, 2*sizeof(LPSTR)); - host->h_addr_list[0] = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - } - - - /* - * disallow names consisting only of digits/dots, unless - * they end in a dot. - */ - if (isdigit(name[0])) { - for (cp = name;; ++cp) { - if (!*cp) { - if (*--cp == '.') - break; - /* - * All-numeric, no dot at the end. - * Fake up a hostent as if we'd actually - * done a lookup. - */ - if (!inet_aton(name, &host_addr)) { - return((struct hostent *) NULL); - } - strcpy(host->h_name, name); - host->h_aliases[0] = NULL; - host->h_addrtype = AF_INET; - host->h_length = sizeof(u_long); - memcpy(host->h_addr_list[0], &host_addr, sizeof(host_addr)); - host->h_addr_list[1] = NULL; - return (host); - } - if (!isdigit(*cp) && *cp != '.') - break; - } - } - - strcpy(queryname, name); - - if ((_res.options & RES_INIT) == 0 && res_init() == -1) - return NULL; - if (strchr(name, '.') == NULL) - { - if (_res.options & RES_DEFNAMES) - { - for (domain = _res.dnsrch; *domain; domain++) { - strcpy(queryname, name); - strcat(queryname, "."); - strcat(queryname, *domain); - status = doquery(queryname, host); - if (status == 0) - break; - } - } - } - else { - status = doquery(queryname, host); - } - - if (status) { -#ifdef DEBUG - if (_res.options & RES_DEBUG) - { - wsprintf(debstr, "res_query failed\n"); - OutputDebugString(debstr); - } -#endif - return NULL; - } - return host; -} - - -/* - an internal function used by rgethostbyname that does the actual DnsQuery call and populates the hostent - structure. - - \param[in] Name of the owner of the record set being queried - \param[in, out] populated hostent structure - - \retval DNS_STATUS value returned by DnsQuery - -*/ -DNS_STATUS doquery(const char* queryname, struct hostent* host) -{ - DNS_STATUS status; - PDNS_RECORD pDnsRecord, pDnsIter; - DNS_FREE_TYPE freetype ; - struct in_addr host_addr; - char querynamecp[DNS_MAX_NAME_BUFFER_LENGTH]; - size_t len; - - freetype = DnsFreeRecordListDeep; - strcpy(querynamecp, queryname); - status = DnsQuery_A(queryname, //pointer to OwnerName - DNS_TYPE_A, //Type of the record to be queried - DNS_QUERY_STANDARD, - NULL, //contains DNS server IP address - &pDnsRecord, //Resource record comprising the response - NULL); //reserved for future use - - if (status) - return status; - - /* If the query name includes a trailing separator in order to prevent - * a local domain search, remove the separator during the file name - * comparisons. */ - len = strlen(querynamecp); - if (querynamecp[len-1] == '.') - querynamecp[len-1] = '\0'; - - for (pDnsIter = pDnsRecord; pDnsIter; pDnsIter=pDnsIter->pNext) { - /* if we get an A record, keep it */ - if (pDnsIter->wType == DNS_TYPE_A && stricmp(querynamecp, pDnsIter->pName)==0) - break; - - /* if we get a CNAME, look for a corresponding A record */ - if (pDnsIter->wType == DNS_TYPE_CNAME && stricmp(queryname, pDnsIter->pName)==0) { - strcpy(querynamecp, pDnsIter->Data.CNAME.pNameHost); - } - } - if (pDnsIter == NULL) - return DNS_ERROR_RCODE_NAME_ERROR; - - strcpy(host->h_name, pDnsIter->pName); - host->h_addrtype = AF_INET; - host->h_length = sizeof(u_long); - host->h_aliases[0] = NULL; - host_addr.S_un.S_addr = (pDnsIter->Data.A.IpAddress); - memcpy(host->h_addr_list[0], (char*)&host_addr, sizeof(pDnsIter->Data.A.IpAddress)); - host->h_addr_list[1] = NULL; - DnsRecordListFree(pDnsRecord, freetype); - - return 0; -} - - -/* - retrieves the host information corresponding to a network address in the DNS database - \param[in] addr Pointer to an address in network byte order - \param[in] len Length of the address, in bytes - \param[in] type Type of the address, such as the AF_INET address family type (defined as TCP, - UDP, and other associated Internet protocols). Address family types and their corresponding - values are defined in the Winsock2.h header file. - \retval returns a pointer to the hostent structure that contains the name and address corresponding - to the given network address. The structure is allocated by the library. The caller must never - attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - structure is allocated per call per thread, so the application should copy any information it needs before - issuing another rgethostbyaddr. - NULL if the search has failed - -*/ - -struct hostent * -WINAPI -rgethostbyaddr(const char *addr, int len, int type) -{ - DNS_STATUS status; - struct hostent* host; -#ifdef DEBUG - char debstr[80]; -#endif - - PDNS_RECORD pDnsRecord; - DNS_FREE_TYPE freetype ; - char qbuf[BUFSIZ]; - - if (type != AF_INET) - return ((struct hostent *) NULL); - - wsprintf(qbuf, "%u.%u.%u.%u.in-addr.arpa", - ((unsigned)addr[3] & 0xff), - ((unsigned)addr[2] & 0xff), - ((unsigned)addr[1] & 0xff), - ((unsigned)addr[0] & 0xff)); - - - freetype = DnsFreeRecordListDeep; - - - status = DnsQuery_A(qbuf, //pointer to OwnerName - DNS_TYPE_PTR, //Type of the record to be queried - DNS_QUERY_STANDARD, - NULL, //contains DNS server IP address - &pDnsRecord, //Resource record comprising the response - NULL); //reserved for future use - - if (status) { -#ifdef DEBUG - if (_res.options & RES_DEBUG) - { - wsprintf(debstr, "res_query failed\n"); - OutputDebugString(debstr); - } -#endif - - return NULL; - } - - host = (struct hostent*)(TlsGetValue(dwGhaIndex)); - if (host == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hostent)); - if (lpvData != NULL) { - TlsSetValue(dwGhaIndex, lpvData); - host = (struct hostent*)lpvData; - } else - return NULL; - } - - if (host->h_name == NULL) - host->h_name = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - if (host->h_aliases == NULL) - host->h_aliases = LocalAlloc(LPTR, 1*sizeof(LPSTR)); - if (host->h_addr_list == NULL) - { - host->h_addr_list = LocalAlloc(LPTR, 2*sizeof(LPSTR)); - host->h_addr_list[0] = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - } - - strcpy(host->h_name, pDnsRecord->Data.Ptr.pNameHost); - host->h_addrtype = type; - host->h_length = len; - host->h_aliases[0] = NULL; - memcpy(host->h_addr_list[0], addr, sizeof(unsigned long)); - host->h_addr_list[1] = NULL; - DnsRecordListFree(pDnsRecord, freetype); - - return host; - -} - - -/* - - @doc MISC - - @func LPSTR WINAPI | gethinfobyname | Given the name - of a host query the nameservers for the T_HINFO information - associated with the host. unsupported - - @parm LPSTR | name | pointer to the name of the host that the query is about. - - @rdesc NULL or a pointer to the T_HINFO. - - -*/ - -LPSTR -WINAPI -gethinfobyname(LPSTR name) -{ - return NULL; - -} - - -/* - - @func struct mxent * WINAPI | getmxbyname | This - function will query the nameservers for the MX records associated - with the given hostname. Note that the return is a pointer to the - mxent structure so an application making this call can iterate - through the different records returned and can also reference the - preference information associated with each hostname returned. unsupported - - @parm LPSTR | name | The name of the host for which we want MX records. - - @rdesc NULL or a pointer to a mxent structure. - - */ - -struct mxent * -WINAPI -getmxbyname(LPSTR name) -{ - return NULL; -} - - -/* - - @func LPSTR WINAPI | getrecordbyname | This function - will query the nameservers about the given hostname for and DNS - record type that the application wishes to query. unsupported - - @parm LPSTR | name | a pointer to the hostname - - @parm int | rectype | a DNS record type, e.g. T_MX, T_HINFO, ... - - @rdesc The return is NULL or a pointer to a string containing the - data returned. It is up to the calling application to parse the - string appropriately for the rectype queried. - -*/ - -LPSTR -WINAPI -getrecordbyname(LPSTR name, int rectype) -{ - return NULL; -} - - -/* - - @func DWORD WINAPI | rrhost | This function emulates the - rhost function that was part of Excelan / Novell's LAN WorkPlace TCP/IP API. - Given a pointer to an IP hostname it will return the IP address as a 32 bit - integer. - - - @parm LPSTR | lpHost | a pointer to the hostname. - - @rdesc 0 or the IP address as a 32 bit integer. - -*/ - -DWORD WINAPI rrhost( LPSTR lpHost ) -{ - return (DWORD) 0; -} - - -/* - retrieves service information corresponding to a service name and protocol. - - \param[in] name Pointer to a null-terminated service name. - \param[in] proto pointer to a null-terminated protocol name. getservbyname should match both - the name and the proto. - - \retval a pointer to the servent structure containing the name(s) and service number that match the name and proto - parameters. The structure is allocated by the library. The caller must never - attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - structure is allocated per call per thread, so the application should copy any information it needs before - issuing another rgetservbyname. - NULL if the search has failed - -*/ - -struct servent * WINAPI rgetservbyname(LPCSTR name, LPCSTR proto) -{ - struct servent * WINAPI hes_getservbyname(LPCSTR name, LPCSTR proto); - struct servent *tmpent; - - tmpent = hes_getservbyname(name, proto); - return (!hes_error()) ? tmpent : getservbyname(name, proto); -} diff --git a/src/util/wshelper/hesiod.c b/src/util/wshelper/hesiod.c deleted file mode 100644 index b448849..0000000 --- a/src/util/wshelper/hesiod.c +++ /dev/null @@ -1,359 +0,0 @@ -/* - @doc HESIOD - - @module hesiod.c | - - This module contains the defintions for the exported functions: - hes_to_bind - hes_resolve - hes_error - hes_free - as well as the internal function hes_init. The hes_init function - is the one that determines what the Hesiod servers are for your - site and will parse the configuration files, if any are - present. - - WSHelper DNS/Hesiod Library for WINSOCK - -*/ - -/* This file is part of the Hesiod library. - * - * The BIND 4.8.1 implementation of T_TXT is incorrect; BIND 4.8.1 declares - * it as a NULL terminated string. The RFC defines T_TXT to be a length - * byte followed by arbitrary changes. - * - * Because of this incorrect declaration in BIND 4.8.1, when this bug is fixed, - * T_TXT requests between machines running different versions of BIND will - * not be compatible (nor is there any way of adding compatibility). - * - * Copyright 1988 by the Massachusetts Institute of Technology. See the - * file for copying and distribution information. - */ - -#define index(str, c) strchr(str,c) -#include -#include -#include - -#include -#include -#include -#include -#include -#include - -#include "resource.h" - - -#define USE_HS_QUERY /* undefine this if your higher-level name servers */ - /* don't know class HS */ - -char HesConfigFile[_MAX_PATH]; -static char Hes_LHS[256]; -static char Hes_RHS[256]; -static int Hes_Errno = HES_ER_UNINIT; - -extern DWORD dwHesIndex; - - - -/* - - @func int | hes_init | - - This function is not exported. It takes no arguments. However it is - important to understand how this works. It sets the global variables - Hes_LHS and Hes_RHS which are used to form the Hesiod - queries. Understanding how this works and setting up the correct - configuration will determine if the Hesiod queries will work at your - site. Settings can be configured by makgin source code changes and - rebuilding the DLL, editing resources in the DLL, using a - configuration file, or setting an environment variable. - - The function first tries to open the HesConfigFile and set the - Hes_RHS and Hes_LHS variables from this. If there is no config file - then the function tries to load a string resource from the DLL to - set the LHS and RHS. If the string resources cannot be loaded then - the LHS and RHS will be set by the values of DEF_LHS and DEF_RHS, - these are defined in hesiod.h. Note that the string resources are by - default set to these same values since the RC files include hesiod.h - - Finally if the user sets the environment variable HES_DOMAIN the RHS - will be overridden by the value of the HES_DOMAIN value. - - Note that LoadString requires us to first find the module handle of - the DLL. We have to use the internal module name as defined in the - DEF file. If you change the library name within the DEF file you - also need to change the appropriate string in hesiod.c - -*/ -int hes_init( void ) -{ - register FILE *fp; - register char *key; - register char *cp; - char buf[MAXDNAME+7]; - HMODULE hModWSHelp; - - - Hes_Errno = HES_ER_UNINIT; - Hes_LHS[0] = '\0'; - Hes_RHS[0] = '\0'; - - // Note: these must match the DEF file entries -#if defined(_WIN64) - hModWSHelp = GetModuleHandle( "WSHELP64" ); -#else - hModWSHelp = GetModuleHandle( "WSHELP32" ); -#endif - - if(!LoadString( hModWSHelp, IDS_DEF_HES_CONFIG_FILE, - HesConfigFile, sizeof(HesConfigFile) )){ - strcpy( HesConfigFile, HESIOD_CONF); - } - - if ((fp = fopen(HesConfigFile, "r")) == NULL) { - /* use defaults compiled in */ - /* no file or no access uses defaults */ - /* but poorly formed file returns error */ - - if(!LoadString( hModWSHelp, IDS_DEF_HES_RHS, Hes_RHS, sizeof(Hes_RHS) )){ - strcpy( Hes_RHS, DEF_RHS); - } - - if(!LoadString( hModWSHelp, IDS_DEF_HES_LHS, Hes_LHS, sizeof(Hes_LHS) )){ - strcpy( Hes_LHS, DEF_LHS); - } - } else { - while(fgets((LPSTR) buf, MAXDNAME+7, fp) != NULL) { - cp = (LPSTR) buf; - if (*cp == '#' || *cp == '\n'){ - continue; - } - while(*cp == ' ' || *cp == '\t'){ - cp++; - } - key = cp; - while(*cp != ' ' && *cp != '\t' && *cp != '='){ - cp++; - } - *cp++ = '\0'; - if (strcmp(key, "lhs") == 0){ - strncpy(&Hes_LHS[0], cp, (strlen(cp)-1)); - } else if (strcmp(key, "rhs") == 0){ - strncpy(&Hes_RHS[0], cp, (strlen(cp)-1)); - } else { - continue; - } - while(*cp == ' ' || *cp == '\t' || *cp == '='){ - cp++; - } - if (*cp != '.') { - Hes_Errno = HES_ER_CONFIG; - fclose(fp); - return(Hes_Errno); - } - // len = strlen(cp); - // *cpp = calloc((unsigned int) len, sizeof(char)); - // (void) strncpy(*cpp, cp, len-1); - } - fclose(fp); - } - /* see if the RHS is overridden by environment variable */ - if ((cp = getenv("HES_DOMAIN")) != NULL){ - // Hes_RHS = strcpy(malloc(strlen(cp)+1),cp); - strcpy(Hes_RHS,cp); - } - /* the LHS may be null, the RHS must not be null */ - if (Hes_RHS == NULL) - Hes_Errno = HES_ER_CONFIG; - else - Hes_Errno = HES_ER_OK; - return(Hes_Errno); -} - - -/* - hes_to_bind function use the LHS and RHS values and - binds them with the parameters so that a well formed DNS query may - be performed. - - \param[in] HesiodName The Hesiod name such as a username or service name - \param[in] HesiodNameType The Hesiod name type such as pobox, passwd, or sloc - - \retval Returns NULL if there was an error. Otherwise the pointer to a string containing a valid query is returned. - -*/ -char * -WINAPI -hes_to_bind(LPSTR HesiodName, - LPSTR HesiodNameType) -{ - register char *cp, **cpp; - char* bindname; - LPVOID lpvData; - char *RHS; - - cp = NULL; - cpp = NULL; - - bindname = (LPSTR)(TlsGetValue(dwHesIndex)); - if (bindname == NULL) - { - lpvData = LocalAlloc(LPTR, DNS_MAX_NAME_BUFFER_LENGTH); - if (lpvData != NULL) - { - TlsSetValue(dwHesIndex, lpvData); - bindname = (LPSTR)lpvData; - } - else - return NULL; - } - if (Hes_Errno == HES_ER_UNINIT || Hes_Errno == HES_ER_CONFIG) - (void) hes_init(); - if (Hes_Errno == HES_ER_CONFIG) - return(NULL); - if (cp = index(HesiodName,'@')) { - if (index(++cp,'.')) - RHS = cp; - else - if (cpp = hes_resolve(cp, "rhs-extension")) - RHS = *cpp; - else { - Hes_Errno = HES_ER_NOTFOUND; - return(NULL); - } - (void) strcpy(bindname,HesiodName); - (*index(bindname,'@')) = '\0'; - } else { - RHS = Hes_RHS; - (void) strcpy(bindname, HesiodName); - } - (void) strcat(bindname, "."); - (void) strcat(bindname, HesiodNameType); - if (Hes_LHS) { - if (Hes_LHS[0] != '.') - (void) strcat(bindname,"."); - (void) strcat(bindname, Hes_LHS); - } - if (RHS[0] != '.') - (void) strcat(bindname,"."); - (void) strcat(bindname, RHS); - - if(cpp != NULL ) - hes_free(cpp); - - return(bindname); -} - - -/* - This function calls hes_to_bind to form a valid hesiod query, then queries the dns database. - defined in hesiod.c - - \param[in] HesiodName The Hesiod name such as a username or service name - \param[in] HesiodNameType The Hesiod name type such as pobox, passwd, or sloc - - \retval returns a NULL terminated vector of strings (a la argv), - one for each resource record containing Hesiod data, or NULL if - there is any error. If there is an error call hes_error() to get - further information. You will need to call hes_free to free the result - -*/ -char ** -WINAPI -hes_resolve(LPSTR HesiodName, LPSTR HesiodNameType) -{ - register char *cp; - LPSTR* retvec; - DNS_STATUS status; - - PDNS_RECORD pDnsRecord; - PDNS_RECORD pR; - DNS_FREE_TYPE freetype ; - int i = 0; - freetype = DnsFreeRecordListDeep; - - - cp = hes_to_bind(HesiodName, HesiodNameType); - if (cp == NULL) return(NULL); - errno = 0; - - - status = DnsQuery_A(cp, //pointer to OwnerName - DNS_TYPE_TEXT, //Type of the record to be queried - DNS_QUERY_STANDARD, // Bypasses the resolver cache on the lookup. - NULL, //contains DNS server IP address - &pDnsRecord, //Resource record comprising the response - NULL); //reserved for future use - - if (status) { - errno = status; - Hes_Errno = HES_ER_NOTFOUND; - return NULL; - } - - pR = pDnsRecord; - while (pR) - { - if (pR->wType == DNS_TYPE_TEXT) - i++; - pR = pR->pNext; - } - i++; - retvec = LocalAlloc(LPTR, i*sizeof(LPSTR)); - pR = pDnsRecord; - i = 0; - while (pR) - { - if (pR->wType == DNS_TYPE_TEXT){ - SIZE_T l = strlen(((pR->Data).Txt.pStringArray)[0]); - retvec[i] = LocalAlloc(LPTR, l+1); - strcpy(retvec[i], ((pR->Data).Txt.pStringArray)[0]); - i++; - } - pR = pR->pNext; - } - retvec[i] = NULL; - DnsRecordListFree(pDnsRecord, freetype); - return retvec; - -} - - -/* - The function hes_error may be called to determine the - source of the error. It does not take an argument. - - \retval return one of the HES_ER_* codes defined in hesiod.h. -*/ - -int -WINAPI -hes_error(void) -{ - return(Hes_Errno); -} - - -/* - - The function hes_free should be called to free up memeory returned by - hes_resolve - - \param[in] hesinfo a NULL terminiated array of strings returned by hes_resolve - - -*/ -void -WINAPI -hes_free(LPSTR* info) -{ - int i= 0; - for (; info[i]; i++) - { - LocalFree(info[i]); - } - LocalFree(info); -} \ No newline at end of file diff --git a/src/util/wshelper/hesmailh.c b/src/util/wshelper/hesmailh.c deleted file mode 100644 index 32791e8..0000000 --- a/src/util/wshelper/hesmailh.c +++ /dev/null @@ -1,87 +0,0 @@ -/* - * @doc HESIOD - * - * @module hesmailh.c | - * - * This file contains hes_postoffice, which retrieves post-office information - * for a user. - * - * For copying and distribution information, see the file - * mit-copyright.h - * - * Original version by Steve Dyer, IBM/Project Athena. - * - * WSHelper DNS/Hesiod Library for WINSOCK - */ - -#include -#include -#include /*s*/ - -#include - - -#define LINESIZE 80 - -extern DWORD dwHesMailIndex; - - -/* - This call is used to obtain a user's type of mail account and the location of that - account. E.g. POP PO10.MIT.EDU or IMAP IMAP-TEST.MIT.EDU - - defined in hesmailh.c - - \param[in] user The username to be used when querying for the Hesiod Name Type POBOX. - - \retval NULL if there was an error or if there was no entry for the - username. Otherwise a pointer to a hes_postoffice structure is - returned. The caller must never attempt to modify this structure or to free - any of its components. Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - issuing another getmailhost call - -*/ -struct hes_postoffice * -WINAPI -hes_getmailhost(LPSTR user) -{ - struct hes_postoffice* ret; - char linebuf[LINESIZE]; - char *p, *tmp; - char **cp; - - - cp = hes_resolve(user, "pobox"); - if (cp == NULL) return(NULL); - - ret = (struct hes_postoffice*)(TlsGetValue(dwHesMailIndex)); - if (ret == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct hes_postoffice)); - if (lpvData != NULL) { - TlsSetValue(dwHesMailIndex, lpvData); - ret = (struct hes_postoffice*)lpvData; - } else - return NULL; - } - if (!ret->po_type) - ret->po_type = LocalAlloc(LPTR, LINESIZE); - if (!ret->po_host) - ret->po_host = LocalAlloc(LPTR, LINESIZE); - if (!ret->po_name) - ret->po_name = LocalAlloc(LPTR, LINESIZE); - strcpy(linebuf, *cp); - - p = linebuf; - tmp = linebuf; - while(!isspace(*p)) p++; - *p++ = '\0'; - strcpy(ret->po_type, tmp); - tmp = p; - while(!isspace(*p)) p++; - *p++ = '\0'; - strcpy(ret->po_host, tmp); - strcpy(ret->po_name, p); - if (cp) - hes_free(cp); - return(ret); -} diff --git a/src/util/wshelper/hespwnam.c b/src/util/wshelper/hespwnam.c deleted file mode 100644 index 55ddf01..0000000 --- a/src/util/wshelper/hespwnam.c +++ /dev/null @@ -1,196 +0,0 @@ -/* - * @doc HESIOD - * - * @module hespwnam.c | - * - * This file contains hes_getpwnam, for retrieving passwd information about - * a user. - * - * For copying and distribution information, see the file - * mit-copyright.h - * - * Original version by Steve Dyer, IBM/Project Athena. - * - * WSHelper DNS/Hesiod Library for WINSOCK - * - * - */ - -/* This file contains hes_getpwnam, for retrieving passwd information about - * a user. - * - * For copying and distribution information, see the file - * - * Original version by Steve Dyer, IBM/Project Athena. - * - */ - -#include -#include /*s*/ - -#include - -#include -#include - -#include "pwd.h" - -extern DWORD dwHesPwNamIndex; -extern DWORD dwHesPwUidIndex; - -#define MAX_PW_BUFFER_LENGTH 64 - -static char * -_NextPWField(char *ptr); - -struct passwd * GetPasswdStruct(struct passwd* pw, char* buf); - - - - -/* - Given a UID this function will return the pwd information, eg username, uid, - gid, fullname, office location, phone number, home directory, and default shell - - defined in hespwnam.c - \param uid The user ID - \retval NULL if there was an error or a pointer to the passwd structure. The caller must - never attempt to modify this structure or to free any of its components. - Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - issuing another hes_getpwuid call -*/ -struct passwd * -WINAPI -hes_getpwuid(int uid) -{ - char **pp; - struct passwd* pw = NULL; - char buf[256]; - - char nam[8]; - sprintf(nam, "%d", uid); - - pp = hes_resolve(nam, "uid"); - if (pp == NULL || *pp == NULL) - return(NULL); - - pw = (struct passwd*)(TlsGetValue(dwHesPwUidIndex)); - if (pw == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct passwd)); - if (lpvData != NULL) { - TlsSetValue(dwHesPwUidIndex, lpvData); - pw = (struct passwd*)lpvData; - } else - return NULL; - } - - strcpy(buf, pp[0]); - hes_free(pp); - return GetPasswdStruct(pw, buf); -} - - -/* - Given a username this function will return the pwd information, eg - username, uid, gid, fullname, office location, phone number, home - directory, and default shell - - defined in hespwnam.c - - \param nam a pointer to the username - - \retval NULL if there was an error or a pointer to the passwd structure. The caller must - never attempt to modify this structure or to free any of its components. - Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - issuing another hes_getpwnam call - -*/ -struct passwd * -WINAPI -hes_getpwnam(char *nam) -{ - - char **pp; - struct passwd* pw = NULL; - char buf[256]; - - pp = hes_resolve(nam, "passwd"); - if (pp == NULL || *pp == NULL) - return(NULL); - - pw = (struct passwd*)(TlsGetValue(dwHesPwNamIndex)); - if (pw == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct passwd)); - if (lpvData != NULL) { - TlsSetValue(dwHesPwNamIndex, lpvData); - pw = (struct passwd*)lpvData; - } else - return NULL; - } - - strcpy(buf, pp[0]); - hes_free(pp); - return GetPasswdStruct(pw, buf); -} - - -struct passwd* GetPasswdStruct(struct passwd* pw, char* buf) -{ - char* temp; - char* p; - - if (pw->pw_name == NULL) - pw->pw_name = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - if (pw->pw_passwd == NULL) - pw->pw_passwd = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - if (pw->pw_comment == NULL) - pw->pw_comment = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - if (pw->pw_gecos == NULL) - pw->pw_gecos = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - if (pw->pw_dir == NULL) - pw->pw_dir = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - if (pw->pw_shell == NULL) - pw->pw_shell = LocalAlloc(LPTR, MAX_PW_BUFFER_LENGTH); - /* choose only the first response (only 1 expected) */ - p = buf; - temp = p; - p = _NextPWField(p); - strcpy(pw->pw_name, temp); - temp = p; - p = _NextPWField(p); - strcpy(pw->pw_passwd, temp); - pw->pw_uid = atoi(p); - p = _NextPWField(p); - pw->pw_gid = atoi(p); - pw->pw_quota = 0; - strcpy(pw->pw_comment, ""); - p = _NextPWField(p); - temp = p; - p = _NextPWField(p); - strcpy(pw->pw_gecos, temp); - temp = p; - p = _NextPWField(p); - strcpy(pw->pw_dir, temp); - temp = p; - while (*p && *p != '\n') - p++; - *p = '\0'; - strcpy(pw->pw_shell, temp); - return pw; - - -} - -/* Move the pointer forward to the next colon-separated field in the - * password entry. - */ - -static char * -_NextPWField(char *ptr) -{ - while (*ptr && *ptr != '\n' && *ptr != ':') - ptr++; - if (*ptr) - *ptr++ = '\0'; - return(ptr); -} diff --git a/src/util/wshelper/hesservb.c b/src/util/wshelper/hesservb.c deleted file mode 100644 index 01db3a4..0000000 --- a/src/util/wshelper/hesservb.c +++ /dev/null @@ -1,137 +0,0 @@ -/* - * @doc HESIOD - * - * @module hesservb.c | - * - * - * Contains the definition for hes_getservbyname, - * - * WSHelper DNS/Hesiod Library for WINSOCK - * - */ - -/* - * Copyright (c) 1983 Regents of the University of California. - * All rights reserved. The Berkeley software License Agreement - * specifies the terms and conditions for redistribution. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)getservbyname.c 5.3 (Berkeley) 5/19/86"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include - -#include - -#include -#include - -#define cistrcmp stricmp - -#define LISTSIZE 15 - - -/* - This function will query a Hesiod server for a servent structure given - a service name and protocol. This is a replacement for the Winsock - getservbyname function which normally just uses a local services - file. This allows a site to use a centralized database for adding new - services. - - defined in hesservb.c - - \param[in] name pointer to the official name of the service, eg "POP3". - \param[in] proto pointer to the protocol to use when contacting the service, e.g. "TCP" - - \retval NULL if there was an error or a pointer to a servent structure. The caller must - never attempt to modify this structure or to free any of its components. - Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - issuing another hes_getservbyname call - -*/ - -extern DWORD dwHesServIndex; -struct servent * -WINAPI -hes_getservbyname(char *name, char *proto) -{ - struct servent *p; - register char **cp; - register char** hesinfo; - register int i = 0; - - char buf[DNS_MAX_NAME_BUFFER_LENGTH]; - char* l; - - hesinfo = hes_resolve(name, "service"); - cp = hesinfo; - if (cp == NULL) - return(NULL); - p = (struct servent*)(TlsGetValue(dwHesServIndex)); - if (p == NULL) { - LPVOID lpvData = (LPVOID) LocalAlloc(LPTR, sizeof(struct servent)); - if (lpvData != NULL) { - TlsSetValue(dwHesServIndex, lpvData); - p = (struct servent*)lpvData; - } else - return NULL; - } - if (!p->s_name) - p->s_name = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - if (!p->s_proto) - p->s_proto = LocalAlloc(LPTR, DNS_MAX_LABEL_BUFFER_LENGTH); - if (!p->s_aliases) - p->s_aliases = LocalAlloc(LPTR, LISTSIZE*sizeof(LPSTR)); - - for (;*cp; cp++) { - register char *servicename, *protoname, *port; - strcpy(buf, *cp); - l = buf; - while(*l && (*l == ' ' || *l == '\t')) l++; - servicename = l; - while(*l && *l != ' ' && *l != '\t' && *l != ';') l++; - if (*l == '\0') continue; /* malformed entry */ - *l++ = '\0'; - while(*l && (*l == ' ' || *l == '\t')) l++; - protoname = l; - while(*l && *l != ' ' && *l != ';') l++; - if (*l == '\0') continue; /* malformed entry */ - *l++ = '\0'; - if (cistrcmp(proto, protoname)) continue; /* wrong port */ - while(*l && (*l == ' ' || *l == '\t' || *l == ';')) l++; - if (*l == '\0') continue; /* malformed entry */ - port = l; - while(*l && (*l != ' ' && *l != '\t' && *l != ';')) l++; - if (*l) *l++ = '\0'; - if (*l != '\0') { - do { - char* tmp = l; - while(*l && !isspace(*l)) l++; - if (*l) *l++ = 0; - if (p->s_aliases[i]) - p->s_aliases[i] = LocalAlloc(LPTR, strlen(tmp)); - strcpy(p->s_aliases[i], tmp); - i++; - } while(*l); - } - p->s_aliases[i] = NULL; - for (; is_aliases[i]){ - LocalFree(p->s_aliases[i]); - p->s_aliases[i] = NULL; - } - } - strcpy(p->s_name, servicename); - p->s_port = htons((u_short)atoi(port)); - strcpy(p->s_proto, protoname); - if (hesinfo) - hes_free(hesinfo); - return (p); - } - return(NULL); -} diff --git a/src/util/wshelper/inetaton.c b/src/util/wshelper/inetaton.c deleted file mode 100644 index bc7bd09..0000000 --- a/src/util/wshelper/inetaton.c +++ /dev/null @@ -1,153 +0,0 @@ -/* - * - * @doc RESOLVE - * - * @module inetaton.c | - * - * from the BIND 4.9.x inetaddr.c - * - * Contains implementation of inet_aton - - * WSHelper DNS/Hesiod Library for WINSOCK - * - */ - -/* - * Copyright (c) 1983, 1990 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)inet_addr.c 5.11 (Berkeley) 12/9/91"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include - - -/* - converts a string containing an (Ipv4) Internet Protocol dotted address into a proper address for the in_addr structure - - \param[in] cp Null-terminated character string representing a number expressed in the - Internet standard ".'' (dotted) notation. - \param[in, out] addr pointer to the in_addr structure. The s_addr memeber will be populated - - - \retval Returns 1 if the address is valid, 0 if not. - - */ -unsigned long -WINAPI -inet_aton(register const char *cp, struct in_addr *addr) -{ - register u_long val, base; - ULONG_PTR n; - register char c; - u_long parts[4], *pp = parts; - - for (;;) { - /* - * Collect number up to ``.''. - * Values are specified as for C: - * 0x=hex, 0=octal, other=decimal. - */ - val = 0; base = 10; - if (*cp == '0') { - if (*++cp == 'x' || *cp == 'X') - base = 16, cp++; - else - base = 8; - } - while ((c = *cp) != '\0') { - if (isascii(c) && isdigit(c)) { - val = (val * base) + (c - '0'); - cp++; - continue; - } - if (base == 16 && isascii(c) && isxdigit(c)) { - val = (val << 4) + - (c + 10 - (islower(c) ? 'a' : 'A')); - cp++; - continue; - } - break; - } - if (*cp == '.') { - /* - * Internet format: - * a.b.c.d - * a.b.c (with c treated as 16-bits) - * a.b (with b treated as 24 bits) - */ - if (pp >= parts + 3 || val > 0xff) - return (0); - *pp++ = val, cp++; - } else - break; - } - /* - * Check for trailing characters. - */ - if (*cp && (!isascii(*cp) || !isspace(*cp))) - return (0); - /* - * Concoct the address according to - * the number of parts specified. - */ - n = pp - parts + 1; - switch (n) { - - case 1: /* a -- 32 bits */ - break; - - case 2: /* a.b -- 8.24 bits */ - if (val > 0xffffff) - return (0); - val |= parts[0] << 24; - break; - - case 3: /* a.b.c -- 8.8.16 bits */ - if (val > 0xffff) - return (0); - val |= (parts[0] << 24) | (parts[1] << 16); - break; - - case 4: /* a.b.c.d -- 8.8.8.8 bits */ - if (val > 0xff) - return (0); - val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); - break; - } - if (addr) - addr->s_addr = htonl(val); - return (1); -} diff --git a/src/util/wshelper/pwd.h b/src/util/wshelper/pwd.h deleted file mode 100644 index 6954fd7..0000000 --- a/src/util/wshelper/pwd.h +++ /dev/null @@ -1,15 +0,0 @@ -/* pwd.h 4.1 83/05/03 */ - -struct passwd { /* see getpwent(3) */ - char *pw_name; - char *pw_passwd; - int pw_uid; - int pw_gid; - int pw_quota; - char *pw_comment; - char *pw_gecos; - char *pw_dir; - char *pw_shell; -}; - -struct passwd *getpwent(), *getpwuid(), *getpwnam(); diff --git a/src/util/wshelper/res_comp.c b/src/util/wshelper/res_comp.c deleted file mode 100644 index 36cd773..0000000 --- a/src/util/wshelper/res_comp.c +++ /dev/null @@ -1,361 +0,0 @@ -/* - * - * @doc RESOLVE - * - * @module res_comp.c | - * - * Contains the implementations for dn_comp and rdn_expand as well as - * some other functions used internally by these two functions. - * - * WSHelper DNS/Hesiod Library for WINSOCK - * - */ - -/* - * Copyright (c) 1985 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)res_comp.c 6.22 (Berkeley) 3/19/91"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include - - -static dn_find(); - -/* - replacement for dn_expand called rdn_expand. Older versions of - the DLL used to this as dn_expand but this has caused some - conflict with more recent versions of the MSDEV - libraries. rdn_expand() expands the compressed domain name comp_dn to - a full domain name. Expanded names are converted to upper case. - - \param[in] msg msg is a pointer to the beginning of the message - \param[in] eomorig - \param[in] comp_dn the compressed domain name. - \param[in, out] expn_dn a pointer to the result buffer - \param[in] length size of the result in expn_dn - - \retval the size of compressed name is returned or -1 if there was an error. -*/ - - - -int WINAPI -rdn_expand(const u_char *msg, const u_char *eomorig, - const u_char *comp_dn, u_char *exp_dn, int length) -{ - register u_char *cp, *dn; - register int n, c; - u_char *eom; - INT_PTR len = -1; - int checked = 0; - - dn = exp_dn; - cp = (u_char *)comp_dn; - eom = exp_dn + length; - /* - * fetch next label in domain name - */ - while (n = *cp++) { - /* - * Check for indirection - */ - switch (n & INDIR_MASK) { - case 0: - if (dn != exp_dn) { - if (dn >= eom) - return (-1); - *dn++ = '.'; - } - if (dn+n >= eom) - return (-1); - checked += n + 1; - while (--n >= 0) { - if ((c = *cp++) == '.') { - if (dn + n + 2 >= eom) - return (-1); - *dn++ = '\\'; - } - *dn++ = c; - if (cp >= eomorig) /* out of range */ - return(-1); - } - break; - - case INDIR_MASK: - if (len < 0) - len = cp - comp_dn + 1; - cp = (u_char *)msg + (((n & 0x3f) << 8) | (*cp & 0xff)); - if (cp < msg || cp >= eomorig) /* out of range */ - return(-1); - checked += 2; - /* - * Check for loops in the compressed name; - * if we've looked at the whole message, - * there must be a loop. - */ - if (checked >= eomorig - msg) - return (-1); - break; - - default: - return (-1); /* flag error */ - } - } - *dn = '\0'; - if (len < 0) - len = cp - comp_dn; - return (int)(len); -} - - -/* - Compress domain name 'exp_dn' into 'comp_dn' - \param[in] exp_dn name to compress - \param[in, out] comp_dn result of the compression - \paramp[in] length the size of the array pointed to by 'comp_dn'. - \param[in, out] dnptrs a list of pointers to previous compressed names. dnptrs[0] - is a pointer to the beginning of the message. The list ends with NULL. - \param[in] lastdnptr a pointer to the end of the arrary pointed to by 'dnptrs'. Side effect - is to update the list of pointers for labels inserted into the - message as we compress the name. If 'dnptr' is NULL, we don't try to - compress names. If 'lastdnptr' is NULL, we don't update the list. - \retval Return the size of the compressed name or -1 - */ -int WINAPI -dn_comp(const u_char *exp_dn, u_char *comp_dn, int length, - u_char **dnptrs, u_char **lastdnptr) -{ - register u_char *cp, *dn; - register int c, l; - u_char **cpp, **lpp, *sp, *eob; - u_char *msg; - - dn = (u_char *)exp_dn; - cp = comp_dn; - eob = cp + length; - if (dnptrs != NULL) { - if ((msg = *dnptrs++) != NULL) { - for (cpp = dnptrs; *cpp != NULL; cpp++) - ; - lpp = cpp; /* end of list to search */ - } - } else - msg = NULL; - for (c = *dn++; c != '\0'; ) { - /* look to see if we can use pointers */ - if (msg != NULL) { - if ((l = dn_find(dn-1, msg, dnptrs, lpp)) >= 0) { - if (cp+1 >= eob) - return (-1); - *cp++ = (l >> 8) | INDIR_MASK; - *cp++ = l % 256; - return (int)(cp - comp_dn); - } - /* not found, save it */ - if (lastdnptr != NULL && cpp < lastdnptr-1) { - *cpp++ = cp; - *cpp = NULL; - } - } - sp = cp++; /* save ptr to length byte */ - do { - if (c == '.') { - c = *dn++; - break; - } - if (c == '\\') { - if ((c = *dn++) == '\0') - break; - } - if (cp >= eob) { - if (msg != NULL) - *lpp = NULL; - return (-1); - } - *cp++ = c; - } while ((c = *dn++) != '\0'); - /* catch trailing '.'s but not '..' */ - if ((l =(int)( cp - sp - 1)) == 0 && c == '\0') { - cp--; - break; - } - if (l <= 0 || l > MAXLABEL) { - if (msg != NULL) - *lpp = NULL; - return (-1); - } - *sp = l; - } - if (cp >= eob) { - if (msg != NULL) - *lpp = NULL; - return (-1); - } - *cp++ = '\0'; - return (int)(cp - comp_dn); -} - -/* - * Skip over a compressed domain name. Return the size or -1. - */ -__dn_skipname(const u_char *comp_dn, const u_char *eom) -{ - register u_char *cp; - register int n; - - cp = (u_char *)comp_dn; - while (cp < eom && (n = *cp++)) { - /* - * check for indirection - */ - switch (n & INDIR_MASK) { - case 0: /* normal case, n == len */ - cp += n; - continue; - default: /* illegal type */ - return (-1); - case INDIR_MASK: /* indirection */ - cp++; - } - break; - } - return (int)(cp - comp_dn); -} - -/* - * Search for expanded name from a list of previously compressed names. - * Return the offset from msg if found or -1. - * dnptrs is the pointer to the first name on the list, - * not the pointer to the start of the message. - */ -static -dn_find(u_char *exp_dn, u_char *msg, u_char **dnptrs, u_char **lastdnptr) -{ - register u_char *dn, *cp, **cpp; - register int n; - u_char *sp; - - for (cpp = dnptrs; cpp < lastdnptr; cpp++) { - dn = exp_dn; - sp = cp = *cpp; - while (n = *cp++) { - /* - * check for indirection - */ - switch (n & INDIR_MASK) { - case 0: /* normal case, n == len */ - while (--n >= 0) { - if (*dn == '.') - goto next; - if (*dn == '\\') - dn++; - if (*dn++ != *cp++) - goto next; - } - if ((n = *dn++) == '\0' && *cp == '\0') - return (int)(sp - msg); - if (n == '.') - continue; - goto next; - - default: /* illegal type */ - return (-1); - - case INDIR_MASK: /* indirection */ - cp = msg + (((n & 0x3f) << 8) | *cp); - } - } - if (*dn == '\0') - return (int)(sp - msg); - next: ; - } - return (-1); -} - -/* - * Routines to insert/extract short/long's. Must account for byte - * order and non-alignment problems. This code at least has the - * advantage of being portable. - * - * used by sendmail. - */ - -u_short -_getshort(u_char *msgp) -{ - register u_char *p = (u_char *) msgp; -#ifdef vax - /* - * vax compiler doesn't put shorts in registers - */ - register u_long u; -#else - register u_short u; -#endif - - u = *p++ << 8; - return ((u_short)(u | *p)); -} - -u_long -_getlong(u_char *msgp) -{ - register u_char *p = (u_char *) msgp; - register u_long u; - - u = *p++; u <<= 8; - u |= *p++; u <<= 8; - u |= *p++; u <<= 8; - return (u | *p); -} - -void -__putshort(register u_short s, register u_char *msgp) -{ - msgp[1] = LOBYTE(s); - msgp[0] = HIBYTE(s); -} - -void -__putlong(register u_long l, register u_char *msgp) -{ - msgp[3] = LOBYTE(LOWORD(l)); - msgp[2] = HIBYTE(LOWORD(l)); - msgp[1] = LOBYTE(HIWORD(l)); - msgp[0] = HIBYTE(HIWORD(l)); -} diff --git a/src/util/wshelper/res_init.c b/src/util/wshelper/res_init.c deleted file mode 100644 index 743b0c7..0000000 --- a/src/util/wshelper/res_init.c +++ /dev/null @@ -1,814 +0,0 @@ -/* - * @doc RESOLVE - * - * @module res_init.c | - * - * Contains the implementation for res_init, res_getopts, res_setopts - * and supplementary internal functions. If you are adding support for a - * new TCP/IP stack of resolver configuration information this is where - * it will go. - * @xref - * - * WSHelper DNS/Hesiod Library for WINSOCK - * - */ - -/*- - * Copyright (c) 1985, 1989 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)res_init.c 6.15 (Berkeley) 2/24/91"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include -#include -#include -#include //DNS api's - -#include - - -#include - -#include "resource.h" - -char debstr[80]; - -#define index strchr - -#ifndef MAKELONG -#define MAKELONG(a, b) ((LONG)(((WORD)(a)) | ((DWORD)((WORD)(b))) << 16)) -#endif - -#define TCPIP_PATH "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" -#define HKEY_MIT_PRIVATE HKEY_CLASSES_ROOT -#define WSH_MIT_PRIVATE_DOMAIN_SUBKEY TCPIP_PATH"\\Domain" -#define WSH_MIT_PRIVATE_NAMESERVER_SUBKEY TCPIP_PATH"\\NameServer" - -DWORD WhichOS( DWORD *check); - -static int const getRegKeyEx(const HKEY key, const char *subkey, const char *value, char *buf, unsigned int len); - -int WINAPI wsh_getdomainname(char* name, int size); - -static HMODULE this_module(); - - -/* - * Resolver state default settings - */ -// @struct _res | a structure of this type holds the state information for the -// resolver options -struct state _res = { - RES_TIMEOUT, /* @field retransmition time interval */ - 4, /* @field number of times to retransmit */ - RES_DEFAULT, /* @field options flags */ - 1, /* @field number of name servers */ -}; - -#ifndef _MSC_VER - -#define _upcase(c) (((c) <= 'Z' && (c) >= 'A') ? (c) + 'a' - 'A' : (c)) -#define _chricmp(a, b) (_upcase(a) - _upcase(b)) - -int -#ifdef __cplusplus -inline -#endif -_strnicmp( register const char *a, register const char *b, register size_t n) -{ - register int cmp = 0; /* equal */ - while( n-- && !(cmp = _chricmp(*a, *b)) && (a++, *b++) /* *a == *b anyways */ ); - return cmp; -}; - -#endif - - -/* - This function retrieves the default domain name and search order. It will look to see if an - environment variable LOCALDOMAIN is defined. Otherwise, the domain associated with the local host - is used. Otherwise, it will try to find the domain name from the registry - - \retval The return value is 0 if the operation was successful. - Otherwise the value -1 is returned. - -*/ -int -WINAPI -res_init() -{ - register char *cp, **pp; - - register int n; - - int haveenv = 0; /* have an environment variable for local domain */ - int havedomain = 0; /* 0 or 1 do we have a value for the domain */ - - LONG result1 = -1995; - -#define WSH_SPACES " \t,;=" - - _res.nsaddr.sin_addr.s_addr = INADDR_ANY; - _res.nsaddr.sin_family = AF_INET; - _res.nsaddr.sin_port = htons(NAMESERVER_PORT); - _res.nscount = 1; - - - /* Allow user to override the local domain definition */ - if ((cp = getenv("LOCALDOMAIN")) != NULL) { - strncpy(_res.defdname, cp, sizeof(_res.defdname)); - haveenv++; - havedomain++; - }; - - if (!havedomain) { - if (!wsh_getdomainname(_res.defdname, sizeof(_res.defdname))) - havedomain++; - } - - - - if( 0 != havedomain){ - // return early, we've done our job - /* find components of local domain that might be searched */ - - pp = _res.dnsrch; - *pp++ = _res.defdname; - for (cp = _res.defdname, n = 0; *cp; cp++) - if (*cp == '.') - n++; - cp = _res.defdname; - for (; n >= LOCALDOMAINPARTS && pp < _res.dnsrch + MAXDFLSRCH; - n--) { - cp = index(cp, '.'); - *pp++ = ++cp; - } - *pp++ = 0; - } - - _res.options |= RES_INIT; - return(0); -} - - -/* - res_setopts -- unsupported -*/ - -void -WINAPI -res_setopts(long opts) -{ -} - - - -/* - res_getopts -- unsupported -*/ - -long -WINAPI -res_getopts() -{ - return -1; -} - -/* --------------------------------------------------------------------------*/ -/* Excerpt from IPTYPES.H */ -#define MAX_HOSTNAME_LEN 128 // arb. -#define MAX_DOMAIN_NAME_LEN 128 // arb. -#define MAX_SCOPE_ID_LEN 256 // arb. - - - -/* - - @doc MISC - - @func DWORD | WhichOS | This function will attempt to - determine which Operating System and subsystem is being used by the - application. It should function under Win16, Windows NT amd Windows - 95 at least. It does call WSAStartup() and WSACleanup(). This - function does have side effects on some global variables. See the - comments below. - - @parm DWORD *| check | a pointer to a DWORD, a value indicating - which operating system and/or subsystem is being used will be stored - in this parameter upon return. - - @rdesc a NULL will indicate that we could not determine what OS is - being used. The high word contains: - - - @flag MS_OS_WIN (1) | The application is running under Windows or WFWG - @flag MS_OS_95 (2) | The application is running under Windows 95 - @flag MS_OS_NT (3) | The application is running under Windows NT - @flag MS_OS_2000 (4) | The application is running under Windows 2000 - @flag MS_OS_XP (5) | The application is running under Windows XP - @flag MS_OS_2003 (6) | The application is running under Windows 2003 - @flag MS_OS_NT_UNKNOWN (7) | The application is running under Windows NT family beyond 2003 - @flag MS_OS_UNKNOWN (0) | It looks like Windows but not any version that - we know of. - - these are defined in mitwhich.h - -The low word contains one of the following, which is derived from the winsock implementation: - - @flag MS_NT_32 (1) | The MS 32 bit Winsock stack for NT is being used - @flag MS_NT_16 (2) | The MS 16 bit Winsock stack under NT is being used - @flag MS_95_32 (3) | The MS 32 bit Winsock stack under 95 is being used - @flag MS_95_16 (4) | The MS 16 bit Winsock stack under 95 is being used - @flag NOVELL_LWP_16 (5) | The Novell 16 Winsock stack is being used - @flag UNKNOWN_16_UNDER_32 (-2) | We don't know the stack. - @flag UNKNOWN_16_UNDER_16 (-3) | We don't know the stack. - @flag UNKNOWN_32_UNDER_32 (-4) | We don't know the stack. - @flag UNKNOWN_32_UNDER_16 (-5) | We don't know the stack. - -*/ -DWORD -WhichOS( - DWORD *check - ) -{ - WORD wVersionRequested; - WSADATA wsaData; // should be a global? - int err; - - int checkStack = 0; - int checkOS = 0; - static DWORD dwCheck = 0xFFFFFFFF; - - if ( dwCheck != 0xFFFFFFFF ) { - if ( check ) - *check = dwCheck; - return dwCheck; - } - - // first get the information from WSAStartup because it may give - // more consistent information than Microsoft APIs. - - wVersionRequested = 0x0101; - - err = WSAStartup( wVersionRequested, &wsaData ); - - if( err != 0 ){ - MessageBox( NULL, - "It looks like a useable winsock.dll\n" - "could not be located by the wshelp*.dll\n" - "Please check your system configuration.", - "Problem in wshelper.dll", MB_OK ); - check = 0; - return(0); - } - - WSACleanup(); - - if( _res.options & RES_DEBUG ){ - wsprintf( debstr, wsaData.szDescription ); - OutputDebugString( debstr ); - } - - if( (0 == checkStack) && (0 == stricmp( wsaData.szDescription, NT_32 ))){ - // OK we appear to be running under NT in the 32 bit subsystem - // so we must be a 32 bit application. - // This also implies that we can get the TCPIP parameters out - // of the NT registry. - checkStack = MS_NT_32; - } - - if( (0 == checkStack) && (0 == stricmp( wsaData.szDescription, NT_16 ))){ - // this implies we're running under NT in the 16 bit subsystem - // so we must be a 16 bit application - // This means we have to go through some strange gyrations to read the - // TCPIP parameters out of the NT 32 bit registry. - checkStack = MS_NT_16; - checkOS = MS_OS_NT; - } - - if( (0 == checkStack) && (0 == stricmp( wsaData.szDescription, W95_32 ))){ - // get the TCPIP parameters out of the Win95 registry - checkStack = MS_95_32; - checkOS = MS_OS_95; // ?? - } - - if( (0 == checkStack) && (0 == stricmp( wsaData.szDescription, W95_16 ))){ - // go through the pain of getting the TCPIP parameters out of the Win95 - // 32 bit registry - checkStack = MS_95_16; - checkOS = MS_OS_95; - } - - if( (0 == checkStack) && (0 == stricmp( wsaData.szDescription, LWP_16 ))){ - // get the information out of the %NDIR%\TCP\RESOLV.CFG file - checkStack = NOVELL_LWP_16; - checkOS = MS_OS_WIN; - } - - if( 0 == checkStack ){ - // at this time we don't easily know how to support this stack - checkStack = STACK_UNKNOWN; - } - -#if !defined(_WIN32) - // Note, if this is the 32 bit DLL we can't use the following - // functions to determine the OS because they are - // obsolete. However, we should be able to use them in the 16 bit - // DLL. - { - DWORD dwVersion = 0; - DWORD dwFlags = 0; - - dwFlags = GetWinFlags(); - if( _res.options & RES_DEBUG ){ - wsprintf( debstr, "dwFlags = %x ", dwFlags ); - OutputDebugString( debstr ); - } - - dwVersion = GetVersion(); - - if( _res.options & RES_DEBUG ){ - wsprintf( debstr, "dwVersion = %8lx ", dwVersion ); - OutputDebugString( debstr ); - } - - if( 95 == (DWORD)(HIBYTE(LOWORD(dwVersion))) ){ - // OK, we're a 16 bit app running on 95? - checkOS = MS_OS_95; - } - - if( dwFlags & 0x4000 ){ - // This means that this is a 16 bit application running - // under WOW layer on NT. - - // So, we're going to get the TCPIP parameters out of the - // 32 bit registry, but we don't know which set of - // registry entries yet. - - // Since we see these version numbers and we're under WOW - // we must be under NT 4.0 but we don't necessarily know - // the stack - checkOS = MS_OS_NT; - } - - - if( checkOS == 0 ){ - // We are a 16 bit application running on a 16 bit operating system - checkOS = MS_OS_WIN; // assumption, but we're not under 95 and not under NT, it looks like - if( checkStack == STACK_UNKNOWN ){ - checkStack = UNKNOWN_16_UNDER_16; - } - } - } -#endif // !_WIN32 - -#if defined(_WIN32) - // This must be a 32 bit application so we are either under NT, - // Win95, or WIN32s - { - OSVERSIONINFO osvi; - - memset( &osvi, 0, sizeof(OSVERSIONINFO)); - osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); - GetVersionEx( &osvi ); - - if( osvi.dwPlatformId == VER_PLATFORM_WIN32s ){ - if( checkStack == STACK_UNKNOWN ){ - checkStack = UNKNOWN_16_UNDER_16; - } - checkOS = MS_OS_WIN; - wsprintf( debstr, "Microsoft Win32s %d.%d (Build %d)\n", - osvi.dwMajorVersion, - osvi.dwMinorVersion, - osvi.dwBuildNumber & 0xFFFF ); - } - - if( osvi.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS ){ - if( checkStack == STACK_UNKNOWN ){ - checkStack = UNKNOWN_32_UNDER_32; - } - checkOS = MS_OS_95; - wsprintf( debstr, "Microsoft Windows 95 %d.%d (Build %d)\n", - osvi.dwMajorVersion, - osvi.dwMinorVersion, - osvi.dwBuildNumber & 0xFFFF ); - } - - if( osvi.dwPlatformId == VER_PLATFORM_WIN32_NT ){ - if( checkStack == STACK_UNKNOWN ){ - checkStack = UNKNOWN_32_UNDER_32; - } - if ( osvi.dwMajorVersion <= 4 ) - checkOS = MS_OS_NT; - else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0 ) - checkOS = MS_OS_2000; - else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 ) - checkOS = MS_OS_XP; - else if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 2 ) - checkOS = MS_OS_2003; - else - checkOS = MS_OS_NT_UNKNOWN; - wsprintf( debstr, "Microsoft Windows NT family %d.%d (Build %d)\n", - osvi.dwMajorVersion, - osvi.dwMinorVersion, - osvi.dwBuildNumber & 0xFFFF ); - } - - if( _res.options & RES_DEBUG ){ - OutputDebugString( debstr ); - } - } - -#endif // _WIN32 - - // At this point we should know the OS. - // We should also know the subsystem but not always the stack. - - dwCheck = MAKELONG(checkOS, checkStack); - if ( check ) - *check = dwCheck; - return( dwCheck ); -} - - -static -BOOL -get_nt5_adapter_param( - char* param, - WORD skip, - char* buf, - unsigned int len - ) -{ - static char linkage[BUFSIZ*4]; - char* p; - char* q; - HKEY hAdapters; - - char* DEVICE_STR = "\\Device\\"; - SIZE_T DEVICE_LEN = strlen(DEVICE_STR); - -#define TCPIP_PATH_ADAPTERS "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces" -#define TCPIP_PATH_LINKAGE "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Linkage" - - if (!getRegKeyEx(HKEY_LOCAL_MACHINE, TCPIP_PATH_LINKAGE, "Bind", linkage, sizeof(linkage))) - return FALSE; - - p = linkage; - - RegOpenKeyEx(HKEY_LOCAL_MACHINE, TCPIP_PATH_ADAPTERS, 0, - KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS, - &hAdapters); - - while (*p) { - q = strstr(p, DEVICE_STR); - if (!q) { - while (*p) p++; - p++; - continue; - } - q += DEVICE_LEN; - p = q; - while (*p) p++; - p++; - buf[0] = '\0'; - if (getRegKeyEx(hAdapters, q, param, buf, len) && !buf[0]) { - if (!skip) { - RegCloseKey(hAdapters); - return TRUE; - } - else - skip--; - } - } - RegCloseKey(hAdapters); - - // Bottom out by looking at default parameters - { - char Tcpip_path[_MAX_PATH]; - - if(!LoadString(this_module(), IDS_TCPIP_PATH_NT, - Tcpip_path, sizeof(Tcpip_path))) - strcpy(Tcpip_path, NT_TCP_PATH); - return getRegKeyEx(HKEY_LOCAL_MACHINE, Tcpip_path, param, buf, len); - } - return FALSE; -} - - - -static -BOOL -_getdomainname( - char* name, - int size - ) -{ - char buf[BUFSIZ]; - - char* dhcp_param = "DhcpDomain"; - char* param = "Domain"; - BOOL ok = FALSE; - char* rbuf; - unsigned int rlen; - - if (!name || (size <= 0)) - return FALSE; - - rbuf = (size >= sizeof(buf))?name:buf; - rlen = (size >= sizeof(buf))?size:sizeof(buf); - - - ok = get_nt5_adapter_param(dhcp_param, 0, rbuf, rlen); - if (!ok || !rbuf[0]) - ok = get_nt5_adapter_param(param, 0, rbuf, rlen); - - if (ok && rbuf[0]) { - if (size < (lstrlen(rbuf) + 1)) - return FALSE; - if (rbuf != name) - strncpy(name, rbuf, size); - return TRUE; - } - return FALSE; -} - -/* - Gets the base part of the hostname - defined in wshelper\res_init.c - - \param[in, out] name pointer to a buffer that receives a null-terminated string containing the computer name - \param[in] size specifies the size of the buffer, in chars (must be large - enough to hold NULL-terminated host name) - - \retval return 0 ifsuccess, -1 on error. - -*/ -int WINAPI -wsh_gethostname(char* name, int size) -{ - if (name){ - // Get and display the name of the computer. - - if( GetComputerName(name, &size) ) - { - while (*name && (*name != '.')) - { - *name = tolower(*name); - name++; - } - if (*name == '.') *name = 0; - return 0; - } - } - return -1; -} - -/* - Gets the machine's domain name - - \param[in, out] name pointer to a buffer that receives a null-terminated string containing the domain name - \param[in] size specifies the size of the buffer, in chars (must be large - enough to hold NULL-terminated domain name) - - \retval return 0 ifsuccess, -1 on error. - - -*/ -int WINAPI -wsh_getdomainname(char* name, int size) -{ - DNS_STATUS status; - - PDNS_RECORD pDnsRecord; - DNS_FREE_TYPE freetype ; - - DWORD length; - char hostName[BUFSIZ]; - - length = BUFSIZ; - freetype = DnsFreeRecordListDeep; - - - // Get and display the name of the computer. - - if( GetComputerName(hostName, &length) ) - { - - status = DnsQuery_A(hostName, //pointer to OwnerName - DNS_TYPE_A, //Type of the record to be queried - DNS_QUERY_BYPASS_CACHE|DNS_QUERY_NO_LOCAL_NAME, // Bypasses the resolver cache on the lookup. - NULL, //contains DNS server IP address - &pDnsRecord, //Resource record comprising the response - NULL); //reserved for future use - - if (status) - return -1; - else - { - char* cp; - cp = index(pDnsRecord->pName, '.'); - if (cp) - { - cp++; - strncpy(name, cp, size); - name[size-1] = '\0'; - DnsRecordListFree(pDnsRecord, freetype); - return(0); - } - DnsRecordListFree(pDnsRecord, freetype); - - } - } - - /* try to get local domain from the registry */ - if (_getdomainname(name, size)) - return 0; - else - return -1; -} - - - - - - - - -// @func int | getRegKeyEx | This function is only used when the library is -// running under a known 32-bit Microsoft Operating -// system - -// @parm const HKEY | key | Specifies a a currently open key or any -// of the following predefined reserved handle values: -// HKEY_CLASSES_ROOT -// KEY_CURRENT_USER -// HKEY_LOCAL_MACHINE -// HKEY_USERS -// -// @parm const char * | subkey | Specifies a pointer to a null-terminated -// string containing the name of the subkey to open. If this parameter is NULL -// or a pointer to an empty string, the function will open a new handle -// of the key identified by the key parameter. -// -// @parm const char * | value | Specifiea a pointer to a null-terminated -// string containing the name of the value to be queried. -// -// @parm char * | buf | Specifies a pointer to a buffer that recieves the -// key's data. This parameter can be NULL if the data is not required. -// -// @parm unsigned int | len | Specifies the size of buffer 'buf'. -// -// @rdesc Returns an int that can mean: -// -// FALSE - if the subkey cannot be queried or possibly opened. -// TRUE - if the subkey can be queried but it is not of type: REG_EXPAND_SZ -// If the subkey can be queried, and its type is REG_EXPAND_SZ, and it can -// be expanded the return value is the number of characters stored in the -// buf parameter. If the number of characters is greater than the size of the -// of the destination buffer, the return value should be the size of the -// buffer required to hold the value. - -static -int const -getRegKeyEx( - const HKEY key, - const char *subkey, - const char *value, - char *buf, - unsigned int len - ) -{ - HKEY hkTcpipParameters; - LONG err; - DWORD type, cb; - char *env_buf; - - - if (RegOpenKey(key, subkey, &hkTcpipParameters) == ERROR_SUCCESS) { - cb = len; - err = RegQueryValueEx(hkTcpipParameters, value, 0, &type, buf, &cb); - RegCloseKey(hkTcpipParameters); - if( err == ERROR_SUCCESS ){ - if( type == REG_EXPAND_SZ ){ - if( env_buf = malloc( cb ) ){ - err = ExpandEnvironmentStrings( strcpy( env_buf, buf ), buf, len ); - free( env_buf ); - return err; - } else { - return FALSE; - } - } - return TRUE; // subkey could be queried but it was not of type REG_EXPAND_SZ - } else { - return FALSE; // subkey exists but could not be queried - } - } - else - -// #endif // WIN32 - - return FALSE; // subkey could not be opened -} - -#ifdef __cplusplus -inline -#endif - -#include "wsh-int.h" - -static -HMODULE -this_module() -{ - static HMODULE hModWSHelp = 0; - if (!hModWSHelp) - { - // Note: these must match the DEF file entries -#if defined(_WIN64) - hModWSHelp = GetModuleHandle( "WSHELP64" ); -#else - hModWSHelp = GetModuleHandle( "WSHELP32" ); -#endif - } - return hModWSHelp; -} - -static -int -try_registry( - HKEY hBaseKey, - const char * name, - DWORD * value - ) -{ - HKEY hKey; - LONG err; - DWORD size; - - err = RegOpenKeyEx(hBaseKey, - "Software\\MIT\\WsHelper", - 0, - KEY_QUERY_VALUE, - &hKey); - if (err) - return 0; - size = sizeof(value); - err = RegQueryValueEx(hKey, name, 0, 0, value, &size); - RegCloseKey(hKey); - return !err; -} - -void -res_init_startup() -{ - DWORD debug_on = 0; - - - if (try_registry(HKEY_CURRENT_USER, "DebugOn", &debug_on) || - try_registry(HKEY_LOCAL_MACHINE, "DebugOn", &debug_on)) - { - if (debug_on) - _res.options |= RES_DEBUG; - } -} - -void -res_init_cleanup() -{ - -} diff --git a/src/util/wshelper/res_quer.c b/src/util/wshelper/res_quer.c deleted file mode 100644 index 7836ed9..0000000 --- a/src/util/wshelper/res_quer.c +++ /dev/null @@ -1,561 +0,0 @@ -/* - * - * @doc RESOLVE - * - * - * @module res_quer.c | Contains the implementation of res_query, - * res_search, and res_querydomain - * - * WSHelper DNS/Hesiod Library for WINSOCK - * - */ - -/* - * Copyright (c) 1988 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#if defined(LIBC_SCCS) && !defined(lint) -static char sccsid[] = "@(#)res_query.c 5.11 (Berkeley) 3/6/91"; -#endif /* LIBC_SCCS and not lint */ - -#include -#include -#include -#include -#include -#include -#include -#include - -#define MAX_MSG_SIZE 0x8000 - -#define strcasecmp stricmp - -#ifdef _DEBUG -#define DEBUG -#endif -int -__hostalias(register const char *name, char* abuf); -DNS_STATUS do_res_search(const char *name, int qclass, int type, u_char *retanswer, int retanswerlen, int* anslen); -void __putshort(register u_short, register u_char *); -void __putlong(register u_long, u_char *); -int build_rr(char* p, PDNS_RECORD ptr, int qclass); -int put_qname(char* p, char* qname); - - - -/* - a generic query interface to the DNS name space. The query is performed with the dnsapi and - the answer buffer is populated based on the returned RR set. - - \param[in] name domain name - \param[in] qclass class of query(such as DNS_CLASS_INTERNET, DNS_CLASS_CSNET, DNS_CLASS_CHAOS, - DNS_CLASS_HESIOD. Defined in windns.h) - \param[in] type type of query(such as DNS_TYPE_A, DNS_TYPE_NS, DNS_TYPE_MX, DNS_TYPE_SRV. Defined in - windns.h) - \param[in] answer buffer to put answer in - \param[in] anslen size of the answer buffer. compare the anslen with the return value, if the return - value is bigger than anslen, it means the answer buffer doesn't contain the complete - response. You will need to call this function again with a bigger answer buffer if - you care about the complete response - - \retval return the size of the response on success, -1 on error - - - */ -int WINAPI -res_search(const char *name, int qclass, int type, u_char *answer, int anslen) - /* domain name, class and type of query, buffer to put answer, size of answer */ -{ - char debstr[80]; - int n = 0; - DNS_STATUS status; - char queryname[DNS_MAX_NAME_BUFFER_LENGTH ]; - register const char *cp; - int len = 0; - - char** domain; - - status = -1; - memset(answer, 0, anslen); - memset(queryname, 0, sizeof(queryname)); - - if ((_res.options & RES_INIT) == 0 && res_init() == -1) - return (-1); - - for (cp = name, n = 0; *cp; cp++) - if (*cp == '.') - n++; - - if (n == 0 && !__hostalias(name, queryname) && strlen(queryname)>0) - { - status = do_res_search(queryname, qclass, type, answer, anslen, &len); - if (status == 0) - return len; - } - - if ((n == 0 && _res.options & RES_DEFNAMES)) - // (n != 0 && *--cp != '.' && _res.options & RES_DNSRCH)) - { - for (domain = _res.dnsrch; *domain; domain++) { - strcpy(queryname, name); - strcat(queryname, "."); - strcat(queryname, *domain); - status = do_res_search(queryname, qclass, type, answer, anslen, &len); - if (status == 0) - return len; - } - } - - - strcpy(queryname, name); - status = do_res_search(queryname, qclass, type, answer, anslen, &len); - - - if (status) - { -#ifdef DEBUG - if (_res.options & RES_DEBUG) - { - wsprintf(debstr, "res_query failed\n"); - OutputDebugString(debstr); - } -#endif - return -1; - } - return len; -} - -int -put_qname(char* cp, char* qname) -{ - char* p; - char* temp; - INT_PTR n = 0; - INT_PTR i = 0; - temp = qname; - while (p = strchr(temp, '.')) - { - n = p - temp; - if (n == 0) - { - temp++; - break; - } - cp[0] = (int)n; - cp++; - i++; - strncpy(cp, temp, n); - temp = p+1; - cp = cp + n; - i = i + n; - } - n = strlen(temp); - if (n > 0) - { - cp[0] = (int)n; - cp++; - i++; - strcpy(cp, temp); - cp = cp+n; - } - cp[0] = 0; - i = i+n+1; - return (int)i; -} - -DNS_STATUS -do_res_search(const char *queryname, int qclass, int type, u_char *retanswer, int retanswerlen, int* anslen) -{ - PDNS_RECORD pDnsRecord; - PDNS_RECORD ptr; - DNS_STATUS status; - DNS_FREE_TYPE freetype ; - HEADER *hp; - char *cp; - int n; - int i; - u_char answer[MAX_MSG_SIZE]; - DWORD options = DNS_QUERY_STANDARD; - freetype = DnsFreeRecordListDeep; - - memset(answer, 0, MAX_MSG_SIZE); - if (!(_res.options & RES_RECURSE)) - options = options | DNS_QUERY_NO_RECURSION; - if (_res.options & RES_USEVC) - options = options | DNS_QUERY_USE_TCP_ONLY; - if (_res.options & RES_IGNTC) - options = options | DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE; - - status = DnsQuery_A(queryname, //pointer to OwnerName - type, //Type of the record to be queried - options, - NULL, //contains DNS server IP address - &pDnsRecord, //Resource record comprising the response - NULL); //reserved for future use - - if (status) - return status; - - - hp = (HEADER *) answer; - cp = answer + sizeof(HEADER); - - // populating the header - hp->id = htons(++_res.id); // query id - hp->qr = 1; // 0 for query 1 for response - hp->opcode = 0; // standard query - hp->aa = 1; // authoritative answer - hp->tc = 0; // no truncation - hp->rd = (_res.options & RES_RECURSE) != 0; // resursion desired - hp->ra = 1; // recursion available - hp->pr = (_res.options & RES_PRIMARY) != 0; // primary server required - hp->rcode = NOERROR; - hp->qdcount = htons(1); // number of question entries - i = put_qname(cp, (char*)queryname); - cp = cp + i; - __putshort(type, (u_char *)cp); - cp += sizeof(u_short); - __putshort(qclass, (u_char *)cp); - cp += sizeof(u_short); - - // get the answer - for (n = 0, ptr = pDnsRecord; ptr; ptr = ptr->pNext) - { - if ((ptr->Flags).S.Section == DNSREC_ANSWER || - (type == DNS_TYPE_PTR && (ptr->Flags).S.Section==DNSREC_QUESTION)) - { - i = build_rr(cp, ptr, qclass); - cp = cp + i; - //strcpy(cp, pDnsRecord->pName); - //cp += strlen(pDnsRecord->pName); - //cp++; - - n++; - } - } - hp->ancount = htons(n); - - // get the authority - for (n = 0, ptr = pDnsRecord; ptr; ptr = ptr->pNext) - { - if ((ptr->Flags).S.Section == DNSREC_AUTHORITY ) - { - i = build_rr(cp, ptr, qclass); - cp = cp + i; - - n++; - } - } - hp->nscount = htons(n); - - // get the additional resource - for (n = 0, ptr = pDnsRecord; ptr; ptr = ptr->pNext) - { - if ((ptr->Flags).S.Section == DNSREC_ADDITIONAL) - { - i = build_rr(cp, ptr, qclass); - cp = cp + i; - - n++; - } - - } - hp->arcount = htons(n); - - *anslen = (int)(cp - answer); - if (*anslen > retanswerlen) - memcpy(retanswer, answer, retanswerlen); // partial copy - else - memcpy(retanswer, answer, *anslen); - DnsRecordListFree(pDnsRecord, freetype); - return status; -} - -int -build_rr(char* p, PDNS_RECORD ptr, int qclass) -{ - int i = 0; - int n = 0; - char* cp = p; - char* temp = NULL; - unsigned int index = 0; - - i = put_qname(cp, ptr->pName); - cp = p + i; - - __putshort(ptr->wType, (u_char *)cp); - i += sizeof(u_short); - cp = p + i; - __putshort(qclass, (u_char *)cp); - i += sizeof(u_short); - cp = p + i; - __putlong(ptr->dwTtl, (u_char*)cp); - i += sizeof(u_long); - cp = p + i; - switch (ptr->wType) - { - case DNS_TYPE_A: - __putshort(sizeof(ptr->Data.A), (u_char*)cp); //RDLENGTH - i += sizeof(u_short); - cp = p + i; - memcpy(cp, &(ptr->Data.A), sizeof(ptr->Data.A)); - i += sizeof(ptr->Data.A); - break; - case DNS_TYPE_NS: - case DNS_TYPE_MD: - case DNS_TYPE_MF: - case DNS_TYPE_CNAME: - case DNS_TYPE_MB: - case DNS_TYPE_MG: - case DNS_TYPE_MR: - case DNS_TYPE_PTR: - temp = cp; // hold the spot for RD length - i += sizeof(u_short); - cp = p+i; - n = put_qname(cp, ptr->Data.Ptr.pNameHost); - i += n; - __putshort(n, (u_char*)temp); //set RDLENGTH - break; - case DNS_TYPE_TEXT: - case DNS_TYPE_HINFO: - case DNS_TYPE_ISDN: - case DNS_TYPE_X25: - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - n = 0; - for (index = 0; index < ptr->Data.Txt.dwStringCount; index++) - { - *cp = (int)(strlen(ptr->Data.Txt.pStringArray[index])); - n += *cp; - n++; - strcpy(++cp, ptr->Data.Txt.pStringArray[index]); - } - i += n; - __putshort(n,(u_char*)temp); // set RDLENGTH - break; - case DNS_TYPE_SRV: - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - // priority - __putshort(ptr->Data.Srv.wPriority, (u_char*)cp); - i += sizeof(u_short); - cp = p + i; - //weight - __putshort(ptr->Data.Srv.wWeight, (u_char*)cp); - i += sizeof(u_short); - cp = p + i; - //port - __putshort(ptr->Data.Srv.wPort, (u_char*)cp); - i += sizeof(u_short); - cp = p + i; - - n = put_qname(cp, ptr->Data.Srv.pNameTarget); - i+=n; - __putshort((u_short)(n + sizeof(u_short)*3),(u_char*)temp); - - break; - case DNS_TYPE_MX: - case DNS_TYPE_AFSDB: - case DNS_TYPE_RT: - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - __putshort(ptr->Data.Mx.wPreference, (u_char*)cp); // put wPreference - i += sizeof(u_short); - cp = p + i; - n = put_qname(cp, ptr->Data.Mx.pNameExchange); - i+=n; - __putshort((u_short)(n+sizeof(u_short)),(u_char*)temp); - break; - case DNS_TYPE_SOA: - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - // primary server name - n = put_qname(cp, ptr->Data.Soa.pNamePrimaryServer); - i+= n; - cp = p + i; - //the person responsible for this zone. - n += put_qname(cp, ptr->Data.Soa.pNameAdministrator); - i += n; - cp = p + i; - //SERIAL - __putlong(ptr->Data.Soa.dwSerialNo, cp); - n += sizeof(u_long); - i += sizeof(u_long); - cp = p + i; - //refresh - __putlong(ptr->Data.Soa.dwRefresh, cp); - n += sizeof(u_long); - i += sizeof(u_long); - cp = p + i; - //retry - __putlong(ptr->Data.Soa.dwRetry, cp); - n += sizeof(u_long); - i += sizeof(u_long); - cp = p + i; - // expire - __putlong(ptr->Data.Soa.dwExpire, cp); - n += sizeof(u_long); - i += sizeof(u_long); - cp = p + i; - // minimum TTL - __putlong(ptr->Data.Soa.dwDefaultTtl, cp); - n += sizeof(u_long); - i += sizeof(u_long); - // set RDLength - __putshort(n,(u_char*)temp); - break; - case DNS_TYPE_NULL: - __putshort((short)ptr->Data.Null.dwByteCount, (u_char*)cp); //RDLENGTH - i += sizeof(u_short); - cp = p + i; - memcpy(cp, ptr->Data.Null.Data, ptr->Data.Null.dwByteCount); - i += ptr->Data.Null.dwByteCount; - break; - case DNS_TYPE_WKS: // needs more work - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - // address - memcpy(cp, &(ptr->Data.Wks.IpAddress), sizeof(ptr->Data.Wks.IpAddress)); - n = sizeof(ptr->Data.Wks.IpAddress); - i += sizeof(ptr->Data.Wks.IpAddress); - cp = p + i; - // protocol - *cp = ptr->Data.Wks.chProtocol; - i++; - n++; - cp = p + i; - //bit mask - memcpy(cp, &(ptr->Data.Wks.BitMask), sizeof(ptr->Data.Wks.BitMask)); - n+=sizeof(ptr->Data.Wks.BitMask); - i += n; - // set RDLength - __putshort(n,(u_char*)temp); - break; - case DNS_TYPE_MINFO: - case DNS_TYPE_RP: - temp = cp; // hold the spot for RDLENGTH - i += sizeof(u_short); - cp = p + i; - // pNameMailbox - n = put_qname(cp, ptr->Data.Minfo.pNameMailbox); - i+= n; - cp = p + i; - // pNameErrorsMailbox; - n += put_qname(cp, ptr->Data.Minfo.pNameMailbox); - i += n; - // set RDLength - __putshort(n,(u_char*)temp); - break; - case DNS_TYPE_AAAA: - __putshort(sizeof(ptr->Data.AAAA), (u_char*)cp); //RDLENGTH - i += sizeof(u_short); - cp = p + i; - memcpy(cp, &(ptr->Data.AAAA), sizeof(ptr->Data.AAAA)); - i += sizeof(ptr->Data.AAAA); - - break; - } - return i; -} - - -int -__hostalias(register const char *name, char* abuf) -{ - register char *C1, *C2; - FILE *fp; - char *file; -// char *getenv(), *strcpy(), *strncpy(); // pbh XXX 11/1/96 - char buf[BUFSIZ]; - - - file = getenv("HOSTALIASES"); - if (file == NULL || (fp = fopen(file, "r")) == NULL) - return -1; - buf[sizeof(buf) - 1] = '\0'; - while (fgets(buf, sizeof(buf), fp)) { - for (C1 = buf; *C1 && !isspace(*C1); ++C1); - if (!*C1) - break; - *C1 = '\0'; - if (!strcasecmp(buf, name)) { - while (isspace(*++C1)); - if (!*C1) - break; - for (C2 = C1 + 1; *C2 && !isspace(*C2); ++C2); - abuf[sizeof(abuf) - 1] = *C2 = '\0'; - (void)strncpy(abuf, C1, sizeof(abuf) - 1); - fclose(fp); - return 0; - } - } - fclose(fp); - return -1; -} - -int WINAPI -res_mkquery(int op, const char *dname, - int qclass, int type, - const char *data, int datalen, - const struct rrec *newrr, - char *buf, int buflen) -{ - return -1; -} - -int WINAPI -res_querydomain(const char *name, - const char *domain, - int qclass, int type, - u_char *answer, int anslen) -{ - return -1; -} - -int WINAPI -res_send(const char *msg, int msglen, - char *answer, int anslen) -{ - return -1; -} - -int WINAPI -res_query(char *name, int qclass, int type, u_char *answer, int anslen) -{ - return -1; -} diff --git a/src/util/wshelper/resource.h b/src/util/wshelper/resource.h deleted file mode 100644 index cc5f082..0000000 --- a/src/util/wshelper/resource.h +++ /dev/null @@ -1,29 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Developer Studio generated include file. -// Used by resource.rc -// -#define IDS_DEF_HES_RHS 1 -#define IDS_DEF_HES_LHS 2 -#define IDS_DEF_HES_CONFIG_FILE 3 -#define IDS_DEF_RESCONF_PATH 4 -#define IDS_DEF_DNS1 5 -#define IDS_DEF_DNS2 6 -#define IDS_DEF_DNS3 7 -#define IDS_TCPIP_PATH_NT 8 -#define IDS_TCPIP_PATH_95 9 -#define IDS_NT_DOMAIN_KEY 10 -#define IDS_NT_NS_KEY 11 -#define IDS_W95_DOMAIN_KEY 12 -#define IDS_W95_NS_KEY 13 -#define IDS_TCPIP_PATH_NT_TRANSIENT 14 - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 -#define _APS_NEXT_COMMAND_VALUE 40001 -#define _APS_NEXT_CONTROL_VALUE 1000 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/src/util/wshelper/resource.rc b/src/util/wshelper/resource.rc deleted file mode 100644 index f9086f4..0000000 --- a/src/util/wshelper/resource.rc +++ /dev/null @@ -1,64 +0,0 @@ -//Microsoft Developer Studio generated resource script. -// -#include "resource.h" - -#define APSTUDIO_READONLY_SYMBOLS -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 2 resource. -// -#include - -///////////////////////////////////////////////////////////////////////////// -#undef APSTUDIO_READONLY_SYMBOLS - -///////////////////////////////////////////////////////////////////////////// -// English (U.S.) resources - -#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) -#ifdef _WIN32 -LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US -#pragma code_page(1252) -#endif //_WIN32 - -#ifdef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// TEXTINCLUDE -// - -1 TEXTINCLUDE DISCARDABLE -BEGIN - "resource.h\0" -END - -2 TEXTINCLUDE DISCARDABLE -BEGIN - "#include \r\n" - "\0" -END - -3 TEXTINCLUDE DISCARDABLE -BEGIN - "#include ""..\\..\\windows\\version.rc""\r\n" - "#include ""string.rc""\r\n" - "\0" -END - -#endif // APSTUDIO_INVOKED - -#endif // English (U.S.) resources -///////////////////////////////////////////////////////////////////////////// - - - -#ifndef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 3 resource. -// -#include "..\..\windows\version.rc" -#include "string.rc" - -///////////////////////////////////////////////////////////////////////////// -#endif // not APSTUDIO_INVOKED diff --git a/src/util/wshelper/string.rc b/src/util/wshelper/string.rc deleted file mode 100644 index 6916dbc..0000000 --- a/src/util/wshelper/string.rc +++ /dev/null @@ -1,29 +0,0 @@ -#ifdef APSTUDIO_INVOKED -#error this file is not editable by App Studio -#endif // APSTUDIO_INVOKED - -#include -#include - -////////////////////////////////////////////////////////////////////////////// -// -// String Table -// - -STRINGTABLE DISCARDABLE -BEGIN - IDS_DEF_HES_RHS DEF_RHS - IDS_DEF_HES_LHS DEF_LHS - IDS_DEF_HES_CONFIG_FILE HESIOD_CONF - IDS_DEF_RESCONF_PATH _PATH_RESCONF - IDS_DEF_DNS1 DNS1 - IDS_DEF_DNS2 DNS2 - IDS_DEF_DNS3 DNS3 - IDS_TCPIP_PATH_NT NT_TCP_PATH - IDS_TCPIP_PATH_95 W95_TCP_PATH - IDS_NT_DOMAIN_KEY NT_DOMAIN_KEY - IDS_NT_NS_KEY NT_NS_KEY - IDS_W95_DOMAIN_KEY W95_DOMAIN_KEY - IDS_W95_NS_KEY W95_NS_KEY - IDS_TCPIP_PATH_NT_TRANSIENT NT_TCP_PATH_TRANS -END diff --git a/src/util/wshelper/ver.rc.inc b/src/util/wshelper/ver.rc.inc deleted file mode 100644 index f927fb1..0000000 --- a/src/util/wshelper/ver.rc.inc +++ /dev/null @@ -1,57 +0,0 @@ -#ifdef RC_INVOKED - -VS_VERSION_INFO VERSIONINFO -FILEVERSION VER_FILEVERSION -PRODUCTVERSION VER_PRODUCTVERSION -FILEFLAGSMASK VER_FILEFLAGSMASK -FILEFLAGS VER_FILEFLAGS -FILEOS VER_FILEOS -FILETYPE VER_FILETYPE -FILESUBTYPE VER_FILESUBTYPE -BEGIN - BLOCK "VarFileInfo" - BEGIN - VALUE "Translation", 0x0409, 0x04B0 - END - - BLOCK "StringFileInfo" - BEGIN - BLOCK "040904B0" /* LANG_ENGLISH/SUBLANG_ENGLISH_US, Unicode CP */ - BEGIN -#if defined(VER_EXTRA_LABEL) && defined(VER_EXTRA_VALUE) - VALUE VER_EXTRA_LABEL, VER_EXTRA_VALUE -#endif -#ifdef VER_COMMENT - VALUE "Comment", VER_COMMENT -#endif -#ifdef VER_USERNAME - VALUE "Built By", VER_USERNAME -#endif -#ifdef VER_HOSTNAME - VALUE "Build Host", VER_HOSTNAME -#endif -#ifdef VER_DATE - VALUE "Build Time", VER_DATE -#endif -#ifdef VER_VENDOR - VALUE "Modified by Vendor", VER_VENDOR -#endif - VALUE "CompanyName", VER_COMPANYNAME_STR - VALUE "FileDescription", VER_FILEDESCRIPTION_STR EXPORT_TAG - VALUE "FileVersion", VER_FILEVERSION_STR - VALUE "InternalName", VER_INTERNALNAME_STR - VALUE "LegalCopyright", VER_LEGALCOPYRIGHT_STR -#ifdef VER_LEGALTRADEMARK_STR - VALUE "LegalTrademark", VER_LEGALTRADEMARK_STR -#endif - VALUE "OriginalFilename",VER_ORIGINALFILENAME_STR - VALUE "ProductName", VER_PRODUCTNAME_STR - VALUE "ProductVersion", VER_PRODUCTVERSION_STR -#ifdef VER_SPECIALBUILD - VALUE "SpecialBuild", VER_SPECIALBUILD -#endif - END - END -END - -#endif diff --git a/src/util/wshelper/wsh-int.h b/src/util/wshelper/wsh-int.h deleted file mode 100644 index 04b1cfe..0000000 --- a/src/util/wshelper/wsh-int.h +++ /dev/null @@ -1,5 +0,0 @@ -void res_init_startup(); -void res_init_cleanup(); - -void __putshort(register u_short s, register u_char *msgp); -void __putlong(register u_long l, register u_char *msgp); diff --git a/src/util/wshelper/wshelp32.def b/src/util/wshelper/wshelp32.def deleted file mode 100644 index b0a5aea..0000000 --- a/src/util/wshelper/wshelp32.def +++ /dev/null @@ -1,33 +0,0 @@ -LIBRARY WSHELP32 - -HEAPSIZE 1024 -EXPORTS -; WEP @1 RESIDENTNAME - res_init @2 - res_query @3 - res_search @4 - res_querydomain @5 - res_mkquery @6 - res_send @7 - dn_comp @8 - rdn_expand @9 - rgethostbyname @10 - rgethostbyaddr @11 - hes_to_bind @12 - hes_resolve @13 - hes_error @14 - hes_getmailhost @15 - hes_getservbyname @16 - hes_getpwnam @17 - res_getopts @18 - res_setopts @19 - inet_aton @20 - gethinfobyname @21 - getmxbyname @22 - getrecordbyname @23 - rrhost @24 - rgetservbyname @25 - hes_getpwuid @26 - wsh_gethostname - wsh_getdomainname - hes_free diff --git a/src/util/wshelper/wshelp64.def b/src/util/wshelper/wshelp64.def deleted file mode 100644 index e28dd16..0000000 --- a/src/util/wshelper/wshelp64.def +++ /dev/null @@ -1,33 +0,0 @@ -LIBRARY WSHELP64 - -HEAPSIZE 1024 -EXPORTS -; WEP @1 RESIDENTNAME - res_init @2 - res_query @3 - res_search @4 - res_querydomain @5 - res_mkquery @6 - res_send @7 - dn_comp @8 - rdn_expand @9 - rgethostbyname @10 - rgethostbyaddr @11 - hes_to_bind @12 - hes_resolve @13 - hes_error @14 - hes_getmailhost @15 - hes_getservbyname @16 - hes_getpwnam @17 - res_getopts @18 - res_setopts @19 - inet_aton @20 - gethinfobyname @21 - getmxbyname @22 - getrecordbyname @23 - rrhost @24 - rgetservbyname @25 - hes_getpwuid @26 - wsh_gethostname - wsh_getdomainname - hes_free diff --git a/src/util/wshelper/wshelper.def b/src/util/wshelper/wshelper.def deleted file mode 100644 index 5b67a3d..0000000 --- a/src/util/wshelper/wshelper.def +++ /dev/null @@ -1,42 +0,0 @@ -LIBRARY WSHELPER - -DESCRIPTION 'WINSOCK DNS/Hesiod Resolver Library' -EXETYPE WINDOWS -CODE LOADONCALL MOVEABLE DISCARDABLE -DATA LOADONCALL PRELOAD FIXED SINGLE -HEAPSIZE 1024 -SEGMENTS _TEXT PRELOAD FIXED -EXPORTS - WEP @1 RESIDENTNAME - res_init @2 - res_query @3 - res_search @4 - res_querydomain @5 - res_mkquery @6 - res_send @7 - dn_comp @8 - rdn_expand @9 - rgethostbyname @10 - rgethostbyaddr @11 - hes_to_bind @12 - hes_resolve @13 - hes_error @14 - hes_getmailhost @15 - hes_getservbyname @16 - hes_getpwnam @17 - res_getopts @18 - res_setopts @19 - inet_aton @20 - gethinfobyname @21 - getmxbyname @22 - getrecordbyname @23 - rrhost @24 - rgetservbyname @25 - hes_getpwuid @26 - - -IMPORTS - kernel.LoadLibraryEx32W - kernel.FreeLibrary32W - kernel._CallProcEx32W - kernel.GetProcAddress32W diff --git a/src/windows/Makefile.in b/src/windows/Makefile.in index b3011f6..bfc27b6 100644 --- a/src/windows/Makefile.in +++ b/src/windows/Makefile.in @@ -3,4 +3,4 @@ NO_OUTPRE=1 !ifndef NO_LEASH LEASH=leash !endif -SUBDIRS= lib leashdll $(LEASH) cns ms2mit kfwlogon +SUBDIRS= lib leashdll $(LEASH) ms2mit kfwlogon diff --git a/src/windows/README b/src/windows/README index 02f149c..381d254 100644 --- a/src/windows/README +++ b/src/windows/README @@ -6,61 +6,70 @@ The MIT Kerberos for Windows distribution contains additional components not present in the Unix krb5 distribution, most notably the MIT Kerberos Ticket Manager application. -To build Kerberos 5 on Windows, you will need the Windows SDK (XP SP3 -or later), VisualStudio (2010 Professional SP1), a version of Perl, and some -common Unix utilities such as sed/awk/cp/cat installed in the -command-line path. To build an MSI installer, you will additionally -need the Windows Installer XML (WiX) toolkit, and to ensure that -the HTML Help Compiler (hhc.exe) and the WiX tools are in your command-line -path. WiX version 3.5 is verified to work with this codebase; WiX 3.7 -and newer are incompatible with this codebase. Visual Studio 2012 and -the Windows SDK 8 introduce some changes which alter the Kerberos build -procedure slightly (noted where appropriate). - -The Unix utilities can be obtained via the Utilities and SDK for UNIX-based -Aplications, which may be enabled as a Windows feature and then the -components installed. Note that the Windows nmake will not find the -SUA awk utility in the path unless it is named awk.exe; the permissions -on the utility may need correcting if awk.exe is created as a copy of -the original awk. - -There is a version of perl available through the SUA, but it is not -sufficient to build krb5. An external perl such as Strawberry Perl -or ActiveState Perl is necessary. +To build Kerberos 5 on Windows, you will need the following: + +* A version of Visual Studio (at least 2013) which includes the + Microsoft Foundation Classes libraries. These instructions will + work for Visual Studio 2017 Community or Professional, both of which + include the MFC libraries if the "Visual C++ MFC" checkbox is + selected after enabling the "Desktop development with C++" workload. + If you do not plan to build the graphical ticket manager + application, the MFC libraries are not required. + +* A version of Perl. + +* Some common Unix utilities such as sed/awk/cp/cat installed in the + command-line path. + +* To build an MSI installer, the Windows Installer XML (WiX) toolkit, + and to ensure that the HTML Help Compiler (hhc.exe) and the WiX + tools are in your command-line path. WiX version 3.11.1 is verified + to work with this codebase. + +A simple way to get the necessary Unix utilities is to install Git +BASH from https://gitforwindows.org and configure it to add the Unix +utilities to the command-line path. In some versions of Windows (not +the most current versions), the Unix utilities can alternatively be +obtained via the Utilities and SDK for UNIX-based Aplications, which +may be enabled as a Windows feature and then the components installed. +Note that the Windows nmake will not find the SUA awk utility in the +path unless it is named awk.exe; the permissions on the utility may +need correcting if awk.exe is created as a copy of the original awk. + +Git BASH contains a version of Perl, which will work to build krb5 if +the newlines in the source tree are not translated to native newlines. +Strawberry Perl will work regardless of whether newlines are +translated. If both Git BASH and Strawberry Perl are installed, you +may need to adjust the command line path to ensure that the preferred +Perl appears first. The krb5 source tree may be obtained either directly on the Windows -machine with a native git client cloning the krb5 public mirror -at https://github.com/krb5/krb5.git or on a separate (Unix) machine -and copied over, such as from a VM host onto a Windows VM. -The kerbsrc.zip method is no longer supported. - -After the Windows SDK is installed, you should be able to invoke an -SDK command prompt via the start menu (All Programs -> Microsoft -Windows SDK vX.Y -> Windows SDK X.Y Command Prompt). Within this -window, you can change the build target using the setenv command; run -"setenv /?" or see the Windows SDK documentation for details. At the -current time, Kerberos 5 can only be built for the x64 target if the -host platform is also 64-bit, because it compiles and runs programs -during the build. The Windows SDK version 8 does not provide an SDK -command prompt; the "Developer Command Prompt for VS2012" or "Visual Studio -Command Prompt" must be used instead. Accordingly, there is no setenv script -to configure the build environment for different target architectures; the -"vcvarsall.bat" script provided by Visual Studio serves this function. +machine with a native git client cloning the krb5 public mirror at +https://github.com/krb5/krb5.git or on a separate (Unix) machine and +copied over, such as from a VM host onto a Windows VM. If you are +checking out the sources with git and are using the Git BASH Perl, +make sure to set git's core.autocrlf variable to "input" or "false" to +avoid translating newlines. + +After Visual Studio is installed, you should be able to invoke 32-bit +and 64-bit command prompts via the start menu (Visual Studio 2017 -> +x86 Native Tools Command Prompt and x64 Native Tools Command Prompt). +At the current time, Kerberos 5 can only be built for the x64 target +if the host platform is also 64-bit, because it compiles and runs +programs during the build. IMPORTANT NOTE: By default, the sources are built with debug information and linked against the debug version of the Microsoft C Runtime library, which is not found on most Windows systems unless -they have development tools, and requires a separate license to distribute. -To build a release version, you need to define NODEBUG either in the -environment or the nmake command-line and use setenv to enter a release -build environment with "setenv /release" (when using Windows SDK versions -lower than 8). Debug information in the compiled binaries and libraries -may be retained by defining DEBUG_SYMBOL in the environment or on the nmake -command line. +they have development tools, and requires a separate license to +distribute. To build a release version, you need to define NODEBUG +either in the environment or the nmake command-line. Debug +information in the compiled binaries and libraries may be retained by +defining DEBUG_SYMBOL in the environment or on the nmake command line. -Building the code and installer ------------------------- +Building the code and installer: +------------------------------- First, make sure you have sed, (g)awk, cat, and cp. You must also define KRB_INSTALL_DIR either in the environment or @@ -70,28 +79,40 @@ near your build tree. The directory must exist before nmake install is run. The 64-bit installer provides 32-bit libraries, so a 32-bit build and install must be performed before the 64-bit build. - 1) set CPU=i386 # Get 32-bit target in environment - 2) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives - 3) setenv /x86 [/release] # Tell nmake to target 32-bit - (with Visual Studio 2012, use "vcvarsall.bat x86") - 4) cd xxx/src # Go to where the source lives - 5) nmake -f Makefile.in prep-windows # Create Makefile for Windows - 6) nmake [NODEBUG=1] # Build the sources - 7) nmake install [NODEBUG=1] # Copy headers, libs, executables - 8) cd windows\installer\wix # Go to where the installer source is - 9) nmake # Build the installer -10) rename kfw.msi kfw32.msi # Save the 32-bit installer -11) set CPU=AMD64 # Proceed to the 64-bit build -12) setenv /x64 [/release] # Must set both CPU and nmake env - ("vcvarsall.bat amd64" for Visual Studio 2012) -13) cd ..\..\.. # Back to the sources -14) nmake clean # Clean up the 32-bit objects -15) nmake [NODEBUG=1] # Build the sources for 64-bit -16) nmake install [NODEBUG=1] # Copy 64-bit lib/executables -17) cd windows\installer\wix # Back to the installer source -18) nmake clean # Remove 32-bit leavings -19) nmake # Build the 64-bit installer -20) rename kfw.msi kfw64.msi # And name it usefully +To skip building the graphical ticket manager, run "set NO_LEASH=1" +before building, and do not build the installers. + +In a 32-bit command shell: + + 1) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives + 2) cd xxx\src # Go to where source lives + 3) nmake -f Makefile.in prep-windows # Create Makefile for Windows + 4) nmake [NODEBUG=1] # Build the sources + 5) nmake install [NODEBUG=1] # Copy headers, libs, executables + 6) cd windows\installer\wix # Go to where the installer source is + 7) nmake [NODEBUG=1] # Build the installer + 8) rename kfw.msi kfw32.msi # Save the 32-bit installer + +In a 64-bit command shell: + + 9) set PATH=%PATH%;"%WindowsSdkVerBinPath%"\x86 # To get uicc.exe +10) set KRB_INSTALL_DIR=\path\to\dir # Where bin/include/lib lives +11) cd xxx\src # Go to where source lives +12) nmake clean # Clean up the 32-bit objects +13) nmake [NODEBUG=1] # Build the sources for 64-bit +14) nmake install [NODEBUG=1] # Copy 64-bit lib/executables +15) cd windows\installer\wix # Back to the installer source +16) nmake clean # Remove 32-bit leavings +17) nmake [NODEBUG=1] # Build the 64-bit installer +18) rename kfw.msi kfw64.msi # And name it usefully + +Step 9 may be skipped if uicc is already in the command-line path (try +running "uicc" to see if you get a usage message or a not-found +error), or if you are not building the graphical ticket manager. + +Visual Studio 2013 and 2015 provide only a single command prompt. +Within this prompt, use "vcvarsall.bat x86" and "vcvarsall.bat amd64" +to switch to 32-bit and 64-bit mode. Running Kerberos 5 Apps: diff --git a/src/windows/build/BKWconfig.xml b/src/windows/build/BKWconfig.xml deleted file mode 100644 index c787bef..0000000 --- a/src/windows/build/BKWconfig.xml +++ /dev/null @@ -1,172 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/build/Logger.pm b/src/windows/build/Logger.pm deleted file mode 100644 index c7f904a..0000000 --- a/src/windows/build/Logger.pm +++ /dev/null @@ -1,87 +0,0 @@ -package Logger; - -use strict; -use IO::File; -use FindBin; - -my $bStarted = 0; - -sub new { - my $class = shift; - my $file = shift; - my $append = shift; - $file || die "Usage: \$foo = new Logger filename [append]\n"; - my $self = {}; - bless $self, $class; - $self->{FILE} = $file; - $self->{APPEND} = $append?'-a':''; - return $self; -} - -sub start { - my $self = shift; - - return 1 if $self->{PIPE}; - - STDOUT->flush; - STDERR->flush; - - my $fh_out = new IO::File; - my $fh_err = new IO::File; - my $fh_pipe = new IO::File; - - $self->{OUT} = $fh_out; - $self->{ERR} = $fh_err; - $self->{PIPE} = $fh_pipe; - - $fh_out->open(">&STDOUT") || die; - $fh_err->open(">&STDERR") || die; - $fh_pipe->open("|$^X $FindBin::Bin/tee.pl $self->{APPEND} $self->{FILE}") || die; - - STDOUT->fdopen(fileno $fh_pipe, "w") || die; - STDERR->fdopen(fileno $fh_pipe, "w") || die; - - STDOUT->autoflush(1); - STDERR->autoflush(1); - - $SIG{__DIE__} = sub { - print STDERR $_[0]; - $self->stop; - die "\n"; - }; - - $bStarted = 1; - return 1; -} - -# 20070314 kpkoch: -# There appears to be a bug in ActivePerl where Logger's games with streams -# and the SIG DIE handler cause eval to throw exceptions. By deleting the DIE handler, -# subsequent evals do not fail. -sub no_die_handler { - delete $SIG{__DIE__}; - } - -sub stop { - my $self = shift; - - return 0 if !$self->{PIPE}; - - STDOUT->close; - STDERR->close; - $self->{PIPE}->close; - STDOUT->fdopen(fileno $self->{OUT}, "w"); - STDERR->fdopen(fileno $self->{ERR}, "w"); - delete $self->{OUT}; - delete $self->{ERR}; - delete $self->{PIPE}; - $bStarted = 0; - return 1; -} - -sub DESTROY { - my $self = shift; - $self->stop if ($bStarted); - } - -1; diff --git a/src/windows/build/bkw-automation.html b/src/windows/build/bkw-automation.html deleted file mode 100644 index 9592f49..0000000 --- a/src/windows/build/bkw-automation.html +++ /dev/null @@ -1,367 +0,0 @@ - - - lore-bkw-automation - Confluence - - - - - - - - -

-
The - Kerberos for Windows (KfW) build is automated.  A script will fetch the - sources from a repository and then build, sign and package all the KfW - distribution components. -
-
This - description consists of -
- -

Setting Up the Build Environment

-

KfW is built on a Windows PC, in the default Windows shell (cmd.exe). These - components must be installed:

-
    -
  • - Visual Studio 2003
    - Versions of Visual Studio before or after 2003 are not supported. -
  • - A recent release of the - - - Microsoft Platform SDK -   -
  • - - - ActiveState Perl 5.8 or more recent
    - Build 631 is known to work. -
  • - - - Doxygen -
  • - sed, awk, cat, rm and find
    - These can be obtained from the - - Cygwin - distribution. -
    -
    - find must be in C:\tools\cygwin\bin, so install Cygwin in C:\tools\cygwin. -
    -
    - The cygwin awk is a link and the MS shell doesn't deal well with that.  C - opy c:\tools\cygwin\bin\gawk to c:\tools\cygwin\bin\awk. -
  • - - Wix -
  • - - - NSIS
-

Environment variables

-

- All the components above must be in PATH. Installing ActivePerl puts perl in - the PATH. Doxygen, Cygwin, hhc, wix and nsis need to be added.

-

perl must be installed so that .pl files are automatically executed with perl. - The ActivePerl installation will do this for you.

-

In the INCLUDE path, the Microsoft Platform SDK must come before the Microsoft - Visual C++ include files. In the PATH path, the Platform SDK bin area must come before the Visual Studio VC\bin area. Using a Platform SDK Build Environment window will - set this up the right way.  Make sure to use a Platform SDK Windows XP Build Environment shell.

-

If you make your path modifications permanent via Control Panel / System / - Advanced / Environment Variables:  If you use a Platform SDK Build - Environment window, it appears that you need to put your PATH components in the - System PATH, not the User PATH.

-

Visual Studio installs hhc in C:\Program Files\HTML Help Workshop.

-

nmake must be in PATH. If you use a Platform SDK build environment window, it is - already done for you.

-

Running the Script

-

- The build is a perl script controlled by command line switches and an XML - configuration file. The config file is required. Settings in the config file - can be overridden by optional command line switches. 

-

There are options for controlling most steps of the build process.  The - steps are

-
    -
  • - Verifying the environment -
  • - Fetching the sources from repositories -
  • - Building the sources -
  • - Setting up the packaging environment -
  • - Building the installers -
  • - Building the rest of the components -
    • -
-

The usage message shows the switches that control these steps:

-

C:\Projects\KfW>perl bkw.pl /?
- Usage: bkw.pl [options] NMAKE-options

-

  Options are case insensitive. -

-

  Options:  -
-   /help /?          - usage information (what you now see). -
-   /config /f path   Path to config file. Default is - bkwconfig.xml. -
-   /src /s dir       Source directory to use. - Should contain -
-     -                 - pismere/athena. If cvstag or svntag is null, -
-       -               - the directory should be prepopulated. -
-   /out /o dir       Directory to be created - where build results will go -
-   /repository checkout | co \ What repository action to take. -
-      /r       - update   | up \ Options are to checkout, update, export
-               export   - | ex \ or take no action [skip]. 
-               - skip
-   /username /u name username used to access svn if checking out. -
-   /cvstag /c tag    use -r <tag> - in cvs -command
  /svnbranch /b tag use -/branches/<tag> instead of /trunk.
  /svntag /t tag    use -/tags/<tag> instead of /trunk.
  /debug -/d         Do debug make instead of -release make.
  -/[no]make         -Control the make -step.
  -/clean            Build -clean target.
  -/[no]package      Control the packaging step.
  -/[no]sign         Control -signing -of executable files.
  /verbose -/v       Debug mode - verbose output.
  /logfile /l path  Where to write output. -Default is bkw.pl.log.
  - /nolog            Don't - save output. -

-

  Other: -
-     NMAKE-options any options you want to pass to NMAKE, which - can be: -
-                   - (note: /nologo is always used)
-                   NODEBUG=1

-

NMAKE-options any options you want to pass to NMAKE, which can be:
- (note: /nologo is always used)
- [ nmake options follow ]

-


- Notes on the script steps:

-

Verifying the environment:  -
- The script tests for each program that it needs and warns if the program isn't - found.

-

Fetching sources from repositories:  -
- If building from a source distribution kit, this section does not apply.

-

CVSROOT and SVNURL must be specified in the configuration file.

-

A source zip file can only be produced if checking out fresh sources from a - repository. 

-

If checking out, the entire pismere directory will be deleted.  A warning - message requires that you confirm this action.

-

Building the sources:
- /DEBUG controls whether a debug or release build is done.  /CLEAN will - build the CLEAN target.

-

Setting up the packaging environment :
- The pre-package steps gathers up build results and puts them in a - staging area.  -

-

If /SIGN is specified, .exes, .dlls - and .cpls are signed.  The signing command - template is in the configuration file.

-

Building the installers:
- The staging area is copied into a fresh area for - each of the installers.  The installer results are copied back to the - staging area.

-

Building the rest of the components:
- Zip files are built in temporary areas and copied to outdir.  - The installers and assorted files are copied from staging - to outdir.  If /SIGN is specified, the - installers will be signed.

-

 

-

Script Internal Details

-

Copy Lists

-

CopyLists are used in many places.  For example, files to be put into - a .zip are copied to a fresh directory which is then zipped up.  There is - an optional Configuration section and a required Files section. 

-

The configuration section defines the roots of the from and to paths and can - optionally define path substitutions.  -

-

The to and from paths are forced by the script rather than being set in the - config file.  Comments in the copyfile xml indicate this.

-

Lengthy copy lists can be kept in separate files and included with the Include - directive.  Example:

-

<Include path="sdkfiles.xml" />

-

Substitution tags

-

Filenames in copylists can contain variable 'tags' that are replaced before the - file is copied.  Some configuration files contain substitution tags which - customize the configuration.  The supported tags are

-

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
%VERSION_MAJOR%KfW Version from pismere/athena/include/kerberos.ver.
%VERSION_MINOR%KfW Version from pismere/athena/include/kerberos.ver.
%VERSION_PATCH%KfW Version from pismere/athena/include/kerberos.ver.
%filestem%Defined as kfw-%VERSION_MAJOR%-%VERSION_MINOR%-%VERSION_PATCH%.
%debug%'dbg.'  Only substituted during a debug build. 
%release%'rel.'  Only substituted during a release build.  -
%bldtype%Always substituted, to 'dbg' or 'rel,' depending on the type of build.
%-DEBUG%'-DEBUG' during a debug build; otherwise empty.
%BUILDDIR%SRCDIR\pismere.  Used in site-local installer configuration files.
%TARGETDIR%SRCDIR\pismere\staging.  Used in site-local installer configuration files.
%CONFIGDIR-WIX%SRCDIR\pismere\staging\sample.  Used in site-local installer configuration - files.
%CONFIGDIR-NSI%SRCDIR\pismere\staging.  Used in site-local installer configuration files.
-

-

The overall build configuration specifies a debug or release build.  Debug - and release results are put in different places.  Files whose location - depend on the build type can use %bldtype% in their names.  The script - will substitute %bldtype% with either dbg or rel, depending on the build - type. 

-
-
-

Example

- -

Here is a copylist entry.  Each segment of the file's path that comes - from a different place is in a different color.

-

Release build.  Config file: -

-

- - - - - - - - - - - - - -
<BKW_Config>
<Config>
<src value ="C:\bkw" /> -
-

-

Copylist comments:

-

<!-- File from paths are relative to - \pismere\athena -->
<!-- File to paths are relative to \ - pismere\staging - --> -

-

When the script processes this copylist, it will force the from and to paths as - indicated.

-

This line -

-

<File name="comerr32.dll" from="..\target\bin\i386\%bldtype%\" - to="\bin\i386" />

-

will result in C:\bkw\pismere\athena\..\target\bin\i386\rel\comerr32.dll

-

being copied to C:\bkw\pismere\staging\bin\i386\comerr32.dll.

-

Other possible attributes in a copylist entry:

-
    -
  • - notrequired -
  • - newname="filename" -
    • -
-

By default, copylist entries are required and the script will die if they aren't - present. To ignore missing files, add notrequired.

-

To rename the file, set the newname attribute.

-

Remaining Work / Bug List

-

Implement RETAIL, OFFICIAL, PRERELEASE, PRIVATE, SPECIAL.

-

Figure out what MIT_ONLY, BUILD_KFW, DEBUG_SYMBOL should be.

-

TARGET, APPVER.

-

NODEBUG=1.  Set if release build.

-

Troubleshooting -

-

Can't clean directory; can't delete file or directory
- Make sure a file in the named directory isn't open in another application.

-

Can't find kerberos.ver
- You skipped the repository step and are trying to build in an empty directory.

-

Directories don't exist or can't be created
- This can be a symptom of the Platform SDK bin area not being before the Visual Studio bin areas, such that the version of nmake running is version 8.x.
- [This explanation courtesy of Jeff Altman]:
- nmake V8 appears to favor executables over shell commands. As a result, using 'mkdir' instead of 'md' in Makefiles, as a command for creating directory trees, fails when the Cygwin mkdir.exe is present in the PATH. Changing the

-

MKDIR=mkdir
- RMDIR=rmdir

-

macros in the Makefiles to

-

MKDIR=md
- RMDIR=rd

-

should make the shell versions execute in all cases.

-
- - diff --git a/src/windows/build/bkw.pl b/src/windows/build/bkw.pl deleted file mode 100644 index f23c9be..0000000 --- a/src/windows/build/bkw.pl +++ /dev/null @@ -1,700 +0,0 @@ -#!perl -w - -#use strict; -use FindBin; -use File::Spec; -use File::Basename; -use lib "$FindBin::Bin/build/lib"; -use Getopt::Long; -use Cwd; -use XML::Simple; -use Data::Dumper; -use Archive::Zip; -use Logger; -require "copyfiles.pl"; -require "prunefiles.pl"; -require "signfiles.pl"; -require "zipXML.pl"; - -my $BAIL; -$0 = fileparse($0); -my $OPT = {foo => 'bar'}; -my $MAKE = 'NMAKE'; -our $config; - -sub get_info { - my $cmd = shift || die; - my $which = $^X.' which.pl'; - my $full = `$which $cmd`; - return 0 if ($? / 256); - chomp($full); - $full = "\"".$full."\""; - return { cmd => $cmd, full => $full}; - } - -sub usage { - print < in cvs command - /svnbranch /b tag use /branches/ instead of /trunk. - /svntag /t tag use /tags/ instead of /trunk. - /debug /d Do debug make instead of release make. - /[no]make Control the make step. - /clean Build clean target. - /[no]package Control the packaging step. - /[no]sign Control signing of executable files. - /verbose /v Debug mode - verbose output. - /logfile /l path Where to write output. Default is bkw.pl.log. - /nolog Don't save output. - Other: - NMAKE-options any options you want to pass to NMAKE, which can be: - (note: /nologo is always used) - -USAGE - system("$MAKE /?"); - } - -sub handler { - my $sig = shift; - my $bailmsg = "Bailing out due to SIG$sig!\n"; - my $warnmsg = <{config}) {$OPT->{config} = "bkwconfig.xml";} - my $configfile = $OPT->{config}; - print "Info -- Reading configuration from $configfile.\n"; - my $xml = new XML::Simple(); - $config = $xml->XMLin($configfile); ## Read in configuration file. - - # Set up convenience variables: - local $odr = $config->{Config}; ## Options, directories, repository, environment. - - # Build argument description from Config section of the XML, - # to parse the rest of the arguments: - local @xmlargs; - while (($sw, $val) = each %$odr) { - local $arg = $sw; - if (exists $val->{abbr}) {$arg .= "|$val->{abbr}";} - if (exists $val->{value}) { ## Can't do both negations and string values. - $arg .= ":s"; - } - else { - if (! ($val->{def} =~ /A/)) {$arg .= "!";} - } - push @xmlargs, $arg; - } - - if (!GetOptions($OPT, @xmlargs)) {$OPT->{help} = 1;} - - if ( $OPT->{help} ) { - usage(); - exit(0); - } - - delete $OPT->{foo}; - -##++ Validate required conditions: - - # List of programs which must be in PATH:' - # 'cvs', 'svn', 'hhc', 'makensis', 'plink', 'filever' - my @required_list = ('sed', 'awk', 'which', 'cat', 'rm', 'doxygen', - 'candle', 'light', 'nmake'); - my $requirements_met = 1; - my $first_missing = 0; - my $error_list = ""; - foreach my $required (@required_list) { - if (!get_info($required)) { - $requirements_met = 0; - if (!$first_missing) { - $first_missing = 1; - $error_list = "Fatal -- Environment problem! The following program(s) are not in PATH:\n"; - } - $error_list .= "$required\n"; - } - } - if (!$requirements_met) { - print $error_list; - print "Info -- Update PATH or install the programs and try again.\n"; - exit(0); - } - -##-- Validate required conditions. - - use Time::gmtime; - $ENV{DATE} = gmctime()." GMT"; - our $originalDir = `cd`; - $originalDir =~ s/\n//g; - -##++ Assemble configuration from config file and command line: - - my $bOutputCleaned = 0; - # Scan the configuration for switch definitions: - while (($sw, $val) = each %$odr) { - next if (! exists $val->{def}); ## ?? Should always exist. - - # Set/clear environment variables: - if ($val->{env}) { - if ($val->{def}) {$ENV{$sw} = (exists $val->{value}) ? $val->{value} : 1; } - else { - delete $ENV{$sw}; - undef $sw; - } - } - - # If the switch is in the command line, override the stored value: - if (exists $OPT->{$sw}) { - if (exists $val->{value}) { - $val->{value} = $OPT->{$sw}; - $val->{def} = 1; - } - else { - $val->{def} = $OPT->{$sw}; ## If -NO, value will be zero. - } - } - # If the switch can be negated, test that, too: - if ( ! ($val->{def} =~ /A/)) { - local $nosw = "no".$sw; - if (exists $OPT->{$nosw}) { ## -NO ? - if ($val->{env}) { - if (!$val->{def}) { - print "Deleting environment variable $sw\n"; - delete $ENV{$sw}; - undef $sw; - } - } - } - } - - # For any switch definition with fixed values ("options"), validate: - if (exists $val->{options}) { - local $bValid = 0; - # options can be like value1|syn1 value2|syn2|syn3 - foreach $option (split(/ /, $val->{options})) { - local $bFirst = 1; - local $sFirst; - foreach $opt (split(/\|/, $option)) { - # opt will be like value2, syn2, syn3 - if ($bFirst) { - $sFirst = $opt; ## Remember the full name of the option. - $bFirst = 0; - } - if ($val->{value} =~ /$opt/i) { - $val->{value} = $sFirst; ## Save the full name. - $bValid = 1; - } - } - } - if (! $bValid) { - print "Fatal -- invalid $sw value $val->{value}. Possible values are $val->{options}.\n"; - usage(); - die; - } - } - } - - # Set up convenience variables: - our $verbose = $odr->{verbose}->{def}; - our $vverbose = $odr->{vverbose}->{def}; - our $clean = $clean->{clean}->{def}; - local $src = $odr->{src}->{value}; - local $out = $odr->{out}->{value}; - - if ($clean && $odr->{package}->{def}) { - print "Info -- /clean forces /nopackage.\n"; - $odr->{package}->{def} = 0; - } - - if ($vverbose) {print "Debug -- Config: ".Dumper($config);} - - # Test the unix find command: - # List of directories where it might be: - my @find_dirs = ('c:\\cygwin\\bin', 'c:\\tools\\cygwin\\bin'); - if (exists $odr->{unixfind}->{value}) { ## Was an additional place to look specified? - push (@find_dirs, $odr->{unixfind}->{value}); - } - my $bFindFound = 0; - foreach my $dir (@find_dirs) { - if (-d $dir) { - local $savedPATH = $ENV{PATH}; - $ENV{PATH} = $dir.";".$savedPATH; - if (-e "a.tmp") {!system("rm a.tmp") or die "Fatal -- Couldn't clean temporary file a.tmp.";} - !system("find . -maxdepth 0 -name a.tmp > b.tmp 2>&1") or die "Fatal -- find test failed."; - local $filesize = -s "b.tmp"; - $ENV{PATH} = $savedPATH; - if ($filesize <= 0) { - $bFindFound = 1; - $odr->{unixfind}->{value} = $dir; - last; - } - } - } - if (! $bFindFound) { - print "Fatal -- unix find command not found in \n"; - map {print " $_ "} @find_dirs; - print "\n"; - die; - } - - # Don't allow /svntag and /svnbranch simultaneously: - if ( (length $odr->{svntag}->{value} > 0) && - (length $odr->{svnbranch}->{value} > 0) ) { - die "Fatal -- Can't specify both /SVNTAG and /SVNBRANCH."; - } - - # /logfile and /nolog interact: - if ($odr->{nolog}->{def}) {$odr->{logfile}->{def} = 0;} - -##-- Assemble configuration from config file and command line. - - local $rverb = $odr->{repository}->{value}; - if ( (($rverb =~ /checkout/) || ($rverb =~ /export/)) && $clean) { - print "Warning -- Because sources are being checked out, make clean will not be run.\n"; - $clean = $odr->{clean}->{def} = 0; - } - - my $wd = $src; - - if (! ($rverb =~ /skip/)) { - local $len = 0; - if (exists $odr->{username}->{value}) { - $len = length $odr->{username}->{value}; - } - if ($len < 1) { - die "Fatal -- you won't get far accessing the repository without specifying a username."; - } - } - - # (------------------------------------------------) - if ( (-d $wd) && ( ($rverb =~ /export/) || ($rverb =~ /checkout/) ) ) { - print "\n\nHEADS UP!!\n\n"; - print "/REPOSITORY ".uc($rverb)." will cause everything under $wd to be deleted.\n"; - print "If this is not what you intended, here's your chance to bail out!\n\n\n"; - print "Are you sure you want to remove everything under $wd? "; - my $char = getc; - if (! ($char =~ /y/i)) {die "Info -- operation aborted by user."} - !system("rm -rf $wd/*") or die "Fatal -- Couldn't clean $wd."; - !system("rmdir $wd") or die "Fatal -- Couldn't remove $wd."; - } - -# Begin logging: - my $l; - if ($odr->{logfile}->{def}) { - print "Info -- logging to $odr->{logfile}->{value}.\n"; - $l = new Logger $odr->{logfile}->{value}; - $l->start; - $l->no_die_handler; ## Needed so XML::Simple won't throw exceptions. - } - - print "Command line options:\n"; - while ($v = each %$OPT) {print "$v: $OPT->{$v}\n";} - - print "Executing $cmdline\n"; - local $argvsize = @ARGV; - local $nmakeargs = ""; - if ($argvsize > 0) { - map {$nmakeargs .= " $_ "} @ARGV; - print "Arguments for NMAKE: $nmakeargs\n"; - } - - print "Info -- Using unix find in $odr->{unixfind}->{value}\n" if ($verbose); - -##++ Begin repository action: - if ($rverb =~ /skip/) {print "Info -- *** Skipping repository access.\n" if ($verbose);} - else { - if ($verbose) {print "Info -- *** Begin fetching sources.\n";} - local $cvspath = "$src"; - if (! -d $cvspath) { ## xcopy will create the entire path for us. - !system("echo foo > a.tmp") or die "Fatal -- Couldn't create temporary file in ".`cd`; - !system("echo F | xcopy a.tmp $cvspath\\a.tmp") or die "Fatal -- Couldn't xcopy to $cvspath."; - !system("rm a.tmp") or die "Fatal -- Couldn't remove temporary file."; - !system("rm $cvspath\\a.tmp") or die "Fatal -- Couldn't remove temporary file."; - } - - # Set up cvs environment variables: - $ENV{CVSROOT} = $odr->{CVSROOT}->{value}; - local $krb5dir = "$wd\\athena\\auth\\krb5"; - - local $cvscmdroot = "cvs $rverb"; - if (length $odr->{cvstag}->{value} > 0) { - $cvscmdroot .= " -r $odr->{cvstag}->{value}"; - } - - if (($rverb =~ /checkout/) || ($rverb =~ /export/)) { - chdir($src) or die "Fatal -- couldn't chdir to $src\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - my @cvsmodules = ( - 'krb', - 'pismere/athena/util/lib/delaydlls', - 'pismere/athena/util/lib/getopt', - 'pismere/athena/util/guiwrap' - ); - foreach my $module (@cvsmodules) { - local $cvscmd = $cvscmdroot." ".$module; - if ($verbose) {print "Info -- cvs command: $cvscmd\n";} - !system("$cvscmd") or die "Fatal -- command \"$cvscmd\" failed; return code $?\n"; - } - } - else { ## Update. - chdir($wd) or die "Fatal -- couldn't chdir to $wd\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - if ($verbose) {print "Info -- cvs command: $cvscmdroot\n";} - !system($cvscmdroot) or die "Fatal -- command \"$cvscmdroot\" failed; return code $?\n"; - } - - # Set up svn environment variable: - $ENV{SVN_SSH} = "plink.exe"; - # If the directory structure doesn't exist, many cd commands will fail. - if (! -d $krb5dir) { ## xcopy will create the entire path for us. - !system("echo foo > a.tmp") or die "Fatal -- Couldn't create temporary file in ".`cd`; - !system("echo F | xcopy a.tmp $krb5dir\\a.tmp") or die "Fatal -- Couldn't xcopy to $krb5dir."; - !system("rm a.tmp") or die "Fatal -- Couldn't remove temporary file."; - !system("rm $krb5dir\\a.tmp") or die "Fatal -- Couldn't remove temporary file."; - } - - chdir($krb5dir) or die "Fatal -- Couldn't chdir to $krb5dir"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - my $svncmd = "svn $rverb "; - if (($rverb =~ /checkout/) || ($rverb =~ /export/)) { # Append the rest of the checkout/export command: - chdir(".."); - if ($rverb =~ /export/) { - ## svn export will fail if the destination directory exists - rmdir "krb5"; - } - $svncmd .= "svn+ssh://".$odr->{username}->{value}."@".$odr->{SVNURL}->{value}."/krb5/"; - if (length $odr->{svntag}->{value} > 0) { - $svncmd .= "tags/$odr->{svntag}->{value}"; - } - elsif (length $odr->{svnbranch}->{value} > 0) { - $svncmd .= "branches/$odr->{svnbranch}->{value}"; - } - else { - $svncmd .= "trunk"; - } - - $svncmd .= " krb5"; - - } - if ($verbose) {print "Info -- svn command: $svncmd\n";} - !system($svncmd) or die "Fatal -- command \"$svncmd\" failed; return code $?\n"; - if ($verbose) {print "Info -- *** End fetching sources.\n";} - } -##-- End repository action. - - ##++ Read in the version information to be able to update the - # site-local files in the install build areas. - # ** Do this now (after repository update and before first zip) - # because making zip files requires some configuration data be set up. - local $version_path = $config->{Stages}->{Package}->{Config}->{Paths}->{Versions}->{path}; - open(DAT, "$src/$version_path") or die "Could not open $src/$version_path."; - @raw = ; - close DAT; - foreach $line (@raw) { - chomp $line; - if ($line =~ /#define/) { # Process #define lines: - $line =~ s/#define//; # Remove #define token - $line =~ s/^\s+//; # and leading & trailing whitespace - $line =~ s/\s+$//; - local @qr = split("\"", $line); # Try splitting with quotes - if (exists $qr[1]) { - $qr[0] =~ s/^\s+//; # Clean up whitespace - $qr[0] =~ s/\s+$//; - $config->{Versions}->{$qr[0]} = $qr[1]; # Save string - } - else { # No quotes, so - local @ar = split(" ", $line); # split with space - $ar[0] =~ s/^\s+//; # Clean up whitespace - $ar[0] =~ s/\s+$//; - $config->{Versions}->{$ar[0]} = $ar[1]; # and save numeric value - } - } - } - - # Check that the versions we will need for site-local have been defined: - my @required_versions = ('VER_PROD_MAJOR', 'VER_PROD_MINOR', 'VER_PROD_REV', - 'VER_PROD_MAJOR_STR', 'VER_PROD_MINOR_STR', 'VER_PROD_REV_STR', - 'VER_PRODUCTNAME_STR'); - $requirements_met = 1; - $first_missing = 0; - $error_list = ""; - foreach my $required (@required_versions) { - if (! exists $config->{Versions}->{$required}) { - $requirements_met = 0; - if (!$first_missing) { - $first_missing = 1; - $error_list = "Fatal -- The following version(s) are not defined in $src/$version_path.\n"; - } - $error_list .= "$required\n"; - } - } - if (!$requirements_met) { - print $error_list; - exit(0); - } - - # Apply any of these tags to filestem: - my $filestem = $config->{Stages}->{PostPackage}->{Config}->{FileStem}->{name}; - $filestem =~ s/%VERSION_MAJOR%/$config->{Versions}->{'VER_PROD_MAJOR_STR'}/; - $filestem =~ s/%VERSION_MINOR%/$config->{Versions}->{'VER_PROD_MINOR_STR'}/; - $filestem =~ s/%VERSION_PATCH%/$config->{Versions}->{'VER_PROD_REV_STR'}/; - $config->{Stages}->{PostPackage}->{Config}->{FileStem}->{name} = $filestem; - ##-- Read in the version information & set config info. - -##++ Repository action, part 2: - if (($rverb =~ /checkout/) || ($rverb =~ /export/)) { - if (! $bOutputCleaned) { ## In case somebody cleaned $out before us. - if (-d $out) {!system("rm -rf $out/*") or die "Fatal -- Couldn't clean $out."} ## Clean output directory. - else {mkdir($out);} - $bOutputCleaned = 1; - } - zipXML($config->{Stages}->{FetchSources}, $config); ## Make zips. - } -##-- End repository action, part 2. - -##++ Make action: - if ( ($odr->{make}->{def}) ) { - if ($verbose) {print "Info -- *** Begin preparing for build.\n";} - - chdir("$wd") or die "Fatal -- couldn't chdir to $wd\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - - my ($path, $destpath); - - # Copy athena\scripts\site\graft\krb5\Makefile.src to athena\auth\krb5: - $path = "scripts\\site\\graft\\krb5\\Makefile.src"; - if (!-e $path) {die "Fatal -- Expected file $wd\\$path not found.";} - $destpath = "athena\\auth\\krb5\\Makefile.src"; - !system("echo F | xcopy /D $wd\\$path $wd\\$destpath /Y > NUL") or die "Fatal -- Copy of $wd\\$path to $wd\\$destpath failed."; - print "Info -- copied $wd\\$path to $wd\\$destpath\n" if ($verbose);; - - # Add DEBUG_SYMBOL to .../wshelper/Makefile.src: - $path = "athena\\wshelper\\wshelper\\Makefile.src"; - if (!-e $path) {die "Fatal -- Expected file $wd\\$path not found.";} - if (system("grep DEBUG_SYMBOL $path > NUL") != 0) { - !system ("echo DEBUG_SYMBOL=1 >> $wd\\$path") or die "Fatal -- Append line to file failed.\n"; - print "Info -- Added DEBUG_SYMBOL to $wd\\$path\n" if ($verbose); - } - - # Prune any unwanted directories before the build: - pruneFiles($config->{Stages}->{Make}, $config); - - if ($verbose) {print "Info -- *** End preparing for build.\n";} - - my ($buildtarget, $buildtext); - if ($clean) { - $buildtarget = "clean" ; - $buildtext = " clean." - } - else { - $buildtarget = "" ; - $buildtext = "." - } - - chdir("$wd\\athena") or die "Fatal -- couldn't chdir to source directory $wd\\athena\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - local $dbgswitch = ($odr->{debug}->{def}) ? " " : "NODEBUG=1"; - !system("perl ../scripts/build.pl --softdirs --nolog $buildtarget $dbgswitch BUILD_KFW=1 BUILD_OFFICIAL=1 DEBUG_SYMBOL=1 $nmakeargs") - or die "Fatal -- build $buildtarget failed."; - - chdir("$wd") or die "Fatal -- couldn't chdir to $wd."; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - if ($clean) { - if (-d "staging") { - !system("rm -rf staging") or die "Fatal -- Couldn't remove $wd\\staging."; - } - } - - if ($verbose) {print "Info -- *** End build".$buildtext."\n";} - } ## End make conditional. - else {print "Info -- *** Skipping build.\n" if ($verbose);} -##-- Make action. - -##++ Package action: - if (! $odr->{package}->{def}) { ## If /clean, nopackage will be set. - print "Info -- *** Skipping packaging.\n"; - if ((-d $out) && ! $bOutputCleaned) { - print "Warning -- *** Output directory $out will not be cleaned.\n"; - } - } - else { - if ($verbose) {print "Info -- *** Begin prepackage.\n";} - - if (! $bOutputCleaned) { ## In case somebody cleaned $out before us. - if (-d $out) {!system("rm -rf $out/*") or die "Fatal -- Couldn't clean $out."} ## Clean output directory. - else {mkdir($out);} - $bOutputCleaned = 1; - } - - # The build results are copied to a staging area, where the packager expects to find them. - # We put the staging area in the fixed area .../pismere/staging. - #my $prepackage = $config->{Stages}->{PrePackage}; - #my $staging = "$wd\\staging"; - #chdir($wd) or die "Fatal -- couldn't chdir to $wd\n"; - #print "Info -- chdir to ".`cd`."\n" if ($verbose); - #if (-d "staging") { - # !system("rm -rf $staging/*") or die "Fatal -- Couldn't clean $staging."; - # } - #else { - # mkdir($staging) or die "Fatal -- Couldn't create $staging."; - # } - - # Force Where From and To are relative to: - #$prepackage->{CopyList}->{Config}->{From}->{root} = "$wd\\athena"; - #$prepackage->{CopyList}->{Config}->{To}->{root} = "$wd\\staging"; - #copyFiles($prepackage->{CopyList}, $config); ## Copy any files [this step takes a while] - - # Sign files: - #chdir($staging) or die "Fatal -- couldn't chdir to $staging\n"; - #print "Info -- chdir to ".`cd`."\n" if ($verbose); - #if ($odr->{sign}->{def}) { - # signFiles($config->{Stages}->{PostPackage}->{Config}->{Signing}, $config); - # } - - # Create working directories for building the installers: - if (-d "$wd\\buildwix") {!system("rm -rf $wd\\buildwix/*") or die "Fatal -- Couldn't clean $wd\\buildwix."} - !system("echo D | xcopy /s $wd\\windows\\installer\\wix\\*.* $wd\\buildwix") or die "Fatal -- Couldn't create $wd\\buildwix."; - #if (-d "$wd\\buildnsi") {!system("rm -rf $wd\\buildnsi/*") or die "Fatal -- Couldn't clean $wd\\buildnsi."} - #!system("echo D | xcopy /s $wd\\staging\\install\\nsis\\*.* $wd\\buildnsi") or die "Fatal -- Couldn't create $wd\\buildnsi."; - - chdir("$wd\\windows\\installer\\wix") or die "Fatal -- Couldn't cd to $wd\\windows\\installer\\wix"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - # Correct errors in files.wxi: - #!system("sed 's/WorkingDirectory=\"\\[dirbin\\]\"/WorkingDirectory=\"dirbin\"/g' files.wxi > a.tmp") or die "Fatal -- Couldn't modify files.wxi."; - #!system("mv a.tmp files.wxi") or die "Fatal -- Couldn't update files.wxi."; - - # Make sed script to run on the site-local configuration files: - local $tmpfile = "site-local.sed" ; - if (-e $tmpfile) {system("del $tmpfile");} - # Basic substitutions: - local $dblback_wd = $wd; - $dblback_wd =~ s/\\/\\\\/g; - !system("echo s/%BUILDDIR%/$dblback_wd/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - local $dblback_staging = "$wd\\staging"; - $dblback_staging =~ s/\\/\\\\/g; - !system("echo s/%TARGETDIR%/$dblback_staging/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - local $dblback_sample = "$wd\\staging\\sample"; - $dblback_sample =~ s/\\/\\\\/g; - !system("echo s/%CONFIGDIR-WIX%/$dblback_sample/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo s/%CONFIGDIR-NSI%/$dblback_staging/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo s/%VERSION_MAJOR%/$config->{Versions}->{'VER_PROD_MAJOR_STR'}/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo s/%VERSION_MINOR%/$config->{Versions}->{'VER_PROD_MINOR_STR'}/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo s/%VERSION_PATCH%/$config->{Versions}->{'VER_PROD_REV_STR'}/ >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - # Strip out some defines so they can be replaced: [used for site-local.nsi] - !system("echo /\^!define\.\*RELEASE\.\*\$/d >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo /\^!define\.\*DEBUG\.\*\$/d >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - !system("echo /\^!define\.\*BETA\.\*\$/d >> $tmpfile") or die "Fatal -- Couldn't modify $tmpfile."; - - # Run the script on site-local.wxi: - !system("sed -f $tmpfile site-local-tagged.wxi > $wd\\buildwix\\site-local.wxi") or die "Fatal -- Couldn't modify site-local.wxi."; - - # Now update site-local.nsi: - #chdir "..\\nsis"; - #print "Info -- chdir to ".`cd`."\n" if ($verbose); - #!system("sed -f ..\\wix\\$tmpfile site-local-tagged.nsi > b.tmp") or die "Fatal -- Couldn't modify site-local.wxi."; - # Add DEBUG or RELEASE: - #if ($odr->{debug}->{def}) { ## debug build - # !system("echo !define DEBUG >> b.tmp") or die "Fatal -- Couldn't modify b.tmp."; - # } - #else { ## release build - # !system("echo !define RELEASE >> b.tmp") or die "Fatal -- Couldn't modify b.tmp."; - # } - # Add BETA if present: - #if (exists $config->{Versions}->{'BETA_STR'}) { - # !system("echo !define BETA $config->{Versions}->{'BETA_STR'} >> b.tmp") or die "Fatal -- Couldn't modify b.tmp."; - # } - #!system("mv -f b.tmp $wd\\buildnsi\\site-local.nsi") or die "Fatal -- Couldn't replace site-local.nsi."; - - # Run the script on nsi-includes-tagged.nsi: - #!system("sed -f ..\\wix\\$tmpfile nsi-includes-tagged.nsi > $wd\\buildnsi\\nsi-includes.nsi") or die "Fatal -- Couldn't modify nsi-includes.nsi."; - #!system("rm ..\\wix\\$tmpfile") or die "Fatal -- Couldn't remove $tmpfile."; - - #if ($verbose) {print "Info -- *** End prepackage.\n";} - - #if ($verbose) {print "Info -- *** Begin package.\n";} - # Make the msi: - chdir("$wd\\buildwix") or die "Fatal -- Couldn't cd to $wd\\buildwix"; - print "Info -- *** Make .msi:\n" if ($verbose); - print "Info -- chdir to ".`cd`."\n" if ($verbose); - !system("$MAKE") or die "Error -- msi installer build failed."; - - #chdir("$wd\\buildnsi") or die "Fatal -- Couldn't cd to $wd\\buildnsi"; - #print "Info -- *** Make NSIS:\n" if ($verbose); - #print "Info -- chdir to ".`cd`."\n" if ($verbose); - #!system("cl.exe killer.cpp advapi32.lib") or die "Error -- nsis killer.exe not built."; - #!system("rename killer.exe Killer.exe") or die "Error -- Couldn't rename killer.exe"; - #!system("makensis kfw.nsi") or die "Error -- executable installer build failed."; - -# Begin packaging extra items: - chdir($wd) or die "Fatal -- Couldn't cd to $wd"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - - zipXML($config->{Stages}->{PostPackage}, $config); ## Make zips. - - $config->{Stages}->{PostPackage}->{CopyList}->{Config} = $config->{Stages}->{PostPackage}->{Config}; ## Use the post package config. - $config->{Stages}->{PostPackage}->{CopyList}->{Config}->{From}->{root} = "$src\\pismere"; - $config->{Stages}->{PostPackage}->{CopyList}->{Config}->{To}->{root} = $out; - copyFiles($config->{Stages}->{PostPackage}->{CopyList}, $config); ## Copy any files - - !system("rm -rf $wd\\buildwix") or die "Fatal -- Couldn't remove $wd\\buildwix."; - !system("rm -rf $wd\\buildnsi") or die "Fatal -- Couldn't remove $wd\\buildnsi."; - - chdir($out) or die "Fatal -- Couldn't cd to $out"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - if ($odr->{sign}->{def}) { - signFiles($config->{Stages}->{PostPackage}->{Config}->{Signing}, $config); - } - - if ($verbose) {print "Info -- *** End package.\n";} - } -##-- Package action. - - system("rm -rf $src/a.tmp"); ## Clean up junk. - system("rm -rf $out/a.tmp"); ## Clean up junk. - system("rm -rf $out/ziptemp"); ## Clean up junk. - -# End logging: - if ($odr->{logfile}->{def}) {$l->stop;} - - return 0; - } ## End subroutine main. - -$SIG{'INT'} = \&handler; -$SIG{'QUIT'} = \&handler; - -exit(main()); diff --git a/src/windows/build/bootstrap.xml b/src/windows/build/bootstrap.xml deleted file mode 100644 index 7cff6f5..0000000 --- a/src/windows/build/bootstrap.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/build/commandandcontrol.pl b/src/windows/build/commandandcontrol.pl deleted file mode 100644 index 305b966..0000000 --- a/src/windows/build/commandandcontrol.pl +++ /dev/null @@ -1,170 +0,0 @@ -#!perl -w - -#use strict; - -sub commandandcontrol { - local ($configdefault, $bIgnoreCmdlineConfig) = @_; - local $OPT = {foo => 'bar'}; - - Getopt::Long::Configure('no_bundling', 'no_auto_abbrev', - 'no_getopt_compat', 'require_order', - 'ignore_case', 'pass_through', - 'prefix_pattern=(--|-|\+|\/)' - ); - GetOptions($OPT, - 'help|h|?', - 'cvstag|c:s', - 'svntag|s:s', - 'svnbranch|b:s', - 'src|r:s', - 'out|o:s', - 'debug|d', - 'nodebug', - 'config|f=s', - 'logfile|l:s', - 'nolog', - 'repository:s', - 'username|u:s', - 'verbose|v', - 'vverbose', - 'make!', - 'clean', - 'package!', - 'sign!', - ); - - if ( $OPT->{help} ) { - usage(); - exit(0); - } - - delete $OPT->{foo}; - - local $argvsize = @ARGV; - if ($argvsize > 0) { - print "Error -- invalid argument: $ARGV[0]\n"; - usage(); - die; - } - # The first time C&C is called, it is OK to override the default (./bkwconfig.xml) - # with a value from the command line. - # The second time C&C is called, the repository has been updated and C&C will be passed - # /pismere/athena/auth/krb5/windows/build/bkwconfig.xml. That value MUST be used. - if ($bIgnoreCmdlineConfig) {$OPT->{config} = $configdefault;} - elsif (! exists $OPT->{config}) {$OPT->{config} = $configdefault;} - - my $configfile = $OPT->{config}; - my $bOutputCleaned = 0; - - print "Info -- Reading configuration from $configfile.\n"; - - # Get configuration file: - local $xml = new XML::Simple(); - my $config = $xml->XMLin($configfile); - # Set up convenience variables: - local $odr = $config->{Config}; ## Options, directories, repository, environment. - -#while ($v = each %$OPT) {print "$v: $OPT->{$v}\n";} - - # Scan the configuration for switch definitions: - while (($sw, $val) = each %$odr) { - next if (! exists $val->{def}); ## ?? Should always exist. - - # Set/clear environment variables: - if ($val->{env}) { - if ($val->{def}) {$ENV{$sw} = (exists $val->{value}) ? $val->{value} : 1; } - else {delete $ENV{$sw}; } - } - - # If the switch is in the command line, override the stored value: - if (exists $OPT->{$sw}) { - if (exists $val->{value}) { - $val->{value} = $OPT->{$sw}; - $val->{def} = 1; - } - else { - $val->{def} = $OPT->{$sw}; ## If no, value will be zero. - } - } - # If the switch can be negated, test that, too: - if ( ! ($val->{def} =~ /A/)) { - local $nosw = "no".$sw; - if (exists $OPT->{$nosw}) { - $val->{def} = 0; - } - } - - # For any switch definition with fixed values ("options"), validate: - if (exists $val->{options}) { - local $bValid = 0; - # options can be like value1|syn1 value2|syn2|syn3 - foreach $option (split(/ /, $val->{options})) { - local $bFirst = 1; - local $sFirst; - foreach $opt (split(/\|/, $option)) { - # opt will be like value2, syn2, syn3 - if ($bFirst) { - $sFirst = $opt; ## Remember the full name of the option. - $bFirst = 0; - } - if ($val->{value} =~ /$opt/i) { - $val->{value} = $sFirst; ## Save the full name. - $bValid = 1; - } - } - } - if (! $bValid) { - print "Fatal -- invalid $sw value $val->{value}. Possible values are $val->{options}.\n"; - usage(); - die; - } - } - } - - # Don't allow /svntag and /svnbranch simultaneously: - if ( (length $odr->{svntag}->{value} > 0) && - (length $odr->{svnbranch}->{value} > 0) ) { - die "Fatal -- Can't specify both /SVNTAG and /SVNBRANCH."; - } - - return $config; - } - - -sub usage { - print < in cvs command - /svnbranch /b tag use /branches/ instead of /trunk. - /svntag /s tag use /tags/ instead of /trunk. - /debug /d Do debug make instead of release make. - /[no]make Control the make step. - /clean Build clean target. - /[no]package Control the packaging step. - /[no]sign Control signing of executable files. - /verbose /v Debug mode - verbose output. - /logfile /l path Where to write output. Default is bkw.pl.log. - /nolog Don't save output. - Other: - NMAKE-options any options you want to pass to NMAKE, which can be: - (note: /nologo is always used) - -USAGE - system("$MAKE /?"); - } - -return 1; \ No newline at end of file diff --git a/src/windows/build/copyfiles.pl b/src/windows/build/copyfiles.pl deleted file mode 100644 index 9f9ccdd..0000000 --- a/src/windows/build/copyfiles.pl +++ /dev/null @@ -1,137 +0,0 @@ -#!perl -w - -#use strict; -use XML::Simple; -use Data::Dumper; - -sub copyFiles { - local ($xml, $config) = @_; - local @odr = $config->{Config}; - local @files = $xml->{Files}; - # Check for includes: - if (exists $xml->{Files}->{Include}->{path}) { - my $includepath = $xml->{Files}->{Include}->{path}; - print "Info -- Including files from $includepath\n"; - my $savedDir = `cd`; - $savedDir =~ s/\n//g; - chdir $originalDir; ## Includes are relative to where we were invoked. - print "Info -- chdir to ".`cd`."\n" if ($verbose); - my $tmp = new XML::Simple; - my $includeXML = $tmp->XMLin($includepath); - chdir $savedDir; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - - local $i = 0; - while ($includeXML->{File}[$i]) { ## Copy File entries from includeXML. - $files[0]->{File}[++$#{$files[0]->{File}}] = $includeXML->{File}[$i]; - $i++; - } - delete $files->{Include}; - } - ##++ Set up path substitution variables for use inside the copy loop: - # A path can contain a variable part, which will be handled here. If the variable part is - # the Always or BuildDependent tag, then the variable will be changed to the - # build-type-dependent PathFragment. - # If the variable part is the IgnoreTag, then the file will not be copied. - # If the variable part is %filestem%, it will be replaced with Config->FileStem->name. - my ($PathFragment, $BuildDependentTag, $IgnoreTag, $FileStemFragment, $fromRoot, $toRoot); - my $bPathTags = (exists $xml->{Config}->{DebugArea}) && (exists $xml->{Config}->{ReleaseArea}); - my $bFileStem = (exists $xml->{Config}->{FileStem}); - - if ($odr->{debug}->{def}) { ## Debug build tags: - $PathFragment = $xml->{Config}->{DebugArea}->{value}; - $BuildDependentTag = $xml->{Config}->{DebugTag}->{value}; - $IgnoreTag = $xml->{Config}->{ReleaseTag}->{value}; - } - else { ## Release build tags: - $PathFragment = $xml->{Config}->{ReleaseArea}->{value}; - $BuildDependentTag = $xml->{Config}->{ReleaseTag}->{value}; - $IgnoreTag = $xml->{Config}->{DebugTag}->{value}; - } - my $AlwaysTag = $xml->{Config}->{AlwaysTag}->{value}; - $FileStemFragment = $xml->{Config}->{FileStem}->{name}; - $fromRoot = $xml->{Config}->{From}->{root}; - $toRoot = $xml->{Config}->{To}->{root}; - ##-- Set up path substitution variables for use inside the copy loop. - # For each file in the file list: - # Substitute any variable parts of the path name. - # Handle wildcards - # Copy - - local $i = 0; - my $bOldDot = 1; - my $bDot = 0; - while ($files[0]->{File}[$i]) { - - my ($name, $newname, $from, $to, $file); - $file = $files[0]->{File}->[$i]; - $name = $file->{name}; - if (exists $file->{newname}) {$newname = $file->{newname};} - else {$newname = $name;} - if ($name && (! exists $file->{ignore})) { ## Ignore or process this entry? - $from = "$fromRoot\\$file->{from}\\$name"; - $to = "$toRoot\\$file->{to}\\$newname"; - # Copy this file? Check for ignore tag [debug-only in release mode or vice versa]. - if ( $bPathTags || $bFileStem || (index($from.$to, $IgnoreTag) <0) ) { - if ($bPathTags) { ## Apply PathTag substitutions: - $from =~ s/$AlwaysTag/$PathFragment/g; - $to =~ s/$AlwaysTag/$PathFragment/g; - $from =~ s/$BuildDependentTag/$PathFragment/g; - $to =~ s/$BuildDependentTag/$PathFragment/g; - } - if ($bFileStem) { ## FileStem substitution? - $from =~ s/%filestem%/$FileStemFragment/g; - $to =~ s/%filestem%/$FileStemFragment/g; - } - # %-DEBUG% substitution: - local $DebugFragment = ($odr->{debug}->{def}) ? "-DEBUG" : ""; - $from =~ s/%\-DEBUG%/$DebugFragment/g; - $to =~ s/%\-DEBUG%/$DebugFragment/g; - $to =~ s/\*.*//; ## Truncate to path before any wildcard - - my $bCopyOK = 1; - my $fromcheck = $from; - my $bRequired = ! (exists $file->{notrequired}); - if ($name =~ /\*/) { ## Wildcard case - $fromcheck =~ s/\*.*//; - if ($bRequired && (! -d $fromcheck)) { - if ($bDot) {print "\n";} - die "Fatal -- Can't find $fromcheck"; - } - $bCopyOK = !system("echo D | xcopy /D /F /Y /S $from $to > a.tmp 2>NUL"); - } - else { ## Specific file case - if ($bRequired && (! -e $fromcheck)) { - if ($bDot) {print "\n";} - die "Fatal -- Can't find $fromcheck"; - } - $bCopyOK = !system("echo F | xcopy /D /F /Y $from $to > a.tmp 2>NUL"); - } - - if ($bCopyOK) { ## xcopy OK - show progress - # To show progress when files aren't copied, print a string of dots. - open(MYINPUTFILE, "; - foreach $line (@lines) { - $bDot = ($line =~ /^0/); - } - close(MYINPUTFILE); - if (!$bDot && $bOldDot) {print "\n";} - if ($bDot) {print "."; STDOUT->flush;} - else {print "$from copied to $to\n";} - $bOldDot = $bDot; - } - else { ## xcopy failed - if (!exists $file->{notrequired}) { - if ($bDot) {print "\n";} - die "Fatal -- Copy of $from to $to failed"; - } - } ## End xcopy succeed or fail - } ## End not dummy entry nor ignored - } - $i++; - } - if ($bDot) {print "\n";} - } - -return 1; diff --git a/src/windows/build/copyfiles.xml b/src/windows/build/copyfiles.xml deleted file mode 100644 index 4b24e1f..0000000 --- a/src/windows/build/copyfiles.xml +++ /dev/null @@ -1,156 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/build/corebinaryfiles.xml b/src/windows/build/corebinaryfiles.xml deleted file mode 100644 index 9fcf8aa..0000000 --- a/src/windows/build/corebinaryfiles.xml +++ /dev/null @@ -1,85 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/build/css/main-action(1).css b/src/windows/build/css/main-action(1).css deleted file mode 100644 index 2a1cfc0..0000000 --- a/src/windows/build/css/main-action(1).css +++ /dev/null @@ -1,54 +0,0 @@ -.sidebar { - BACKGROUND-COLOR: #f0f0f0 -} -#logodiv { - PADDING-RIGHT: 15px; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px; TEXT-ALIGN: center -} -#menu { - WIDTH: 150px -} -.leftnav H1 { - PADDING-RIGHT: 4px; BORDER-TOP: white 1px solid; PADDING-LEFT: 4px; FONT-WEIGHT: bold; FONT-SIZE: 11px; PADDING-BOTTOM: 4px; MARGIN: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #ccc 1px solid -} -.leftnav H5 { - PADDING-RIGHT: 0px; BORDER-TOP: white 1px solid; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 11px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; BORDER-BOTTOM: #ccc 1px solid -} -.leftnav H5 A { - BORDER-TOP-WIDTH: 0px; PADDING-RIGHT: 5px; DISPLAY: block; PADDING-LEFT: 5px; BORDER-LEFT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; BORDER-RIGHT-WIDTH: 0px; TEXT-DECORATION: none -} -.leftnav H5 A:hover { - BORDER-TOP-WIDTH: 0px; DISPLAY: block; BORDER-LEFT-WIDTH: 0px; BORDER-BOTTOM-WIDTH: 0px; BACKGROUND-COLOR: white; BORDER-RIGHT-WIDTH: 0px; TEXT-DECORATION: none -} -.leftnav UL { - PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; LIST-STYLE-TYPE: none -} -.leftnav LI { - PADDING-RIGHT: 0px; DISPLAY: inline; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px -} -.leftnav LI A { - PADDING-RIGHT: 2px; DISPLAY: block; PADDING-LEFT: 5px; PADDING-BOTTOM: 2px; MARGIN: 0px; COLOR: white; PADDING-TOP: 2px; TEXT-DECORATION: none -} -.leftnav LI A.current { - COLOR: white; BACKGROUND-COLOR: #003366 -} -.leftnav LI A:active { - COLOR: white -} -.leftnav LI A:visited { - COLOR: white -} -.leftnav LI A:hover { - COLOR: white; BACKGROUND-COLOR: #003366 -} -.leftnav LI.current { - BACKGROUND-COLOR: #487bb7 -} -.leftnav LI.current A { - COLOR: #3c78b5 -} -#PageContent { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; BACKGROUND-COLOR: #fff; TEXT-ALIGN: left -} -H1 { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 22px; BORDER-BOTTOM-WIDTH: 0px; PADDING-BOTTOM: 0px; MARGIN: 27px 0px 4px; COLOR: #660000; PADDING-TOP: 0px; FONT-FAMILY: Arial, sans-serif; BACKGROUND-COLOR: #fff -} diff --git a/src/windows/build/css/main-action.css b/src/windows/build/css/main-action.css deleted file mode 100644 index e08c50e..0000000 --- a/src/windows/build/css/main-action.css +++ /dev/null @@ -1,1032 +0,0 @@ -BODY { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -P { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -TD { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -TABLE { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -TR { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -.bodytext { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -.stepfield { - FONT-WEIGHT: normal; FONT-SIZE: 11px; COLOR: #000000; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -#PageContent { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 20px; MARGIN: 0px; PADDING-TOP: 0px; BACKGROUND-COLOR: #fff; TEXT-ALIGN: left -} -BODY { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; PADDING-TOP: 0px; BACKGROUND-COLOR: #ffffff; TEXT-ALIGN: center -} -.monospaceInput { - FONT: 12px monospace -} -.wiki-content P { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 16px 0px; PADDING-TOP: 0px -} -.commentblock P { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 16px 0px; PADDING-TOP: 0px -} -.wiki-content-preview { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 5px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 5px -} -UL { - MARGIN-TOP: 2px; MARGIN-BOTTOM: 2px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px -} -OL { - MARGIN-TOP: 2px; MARGIN-BOTTOM: 2px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px -} -PRE { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 5px 5px 5px 15px; PADDING-TOP: 0px; TEXT-ALIGN: left -} -.helpheading { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; PADDING-BOTTOM: 4px; MARGIN: 10px 0px 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #d0d9bd -} -.helpcontent { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 20px; PADDING-TOP: 4px; BACKGROUND-COLOR: #f5f7f1 -} -.code { - BORDER-RIGHT: #3c78b5 1px dashed; BORDER-TOP: #3c78b5 1px dashed; FONT-SIZE: 11px; MARGIN: 10px; BORDER-LEFT: #3c78b5 1px dashed; LINE-HEIGHT: 13px; BORDER-BOTTOM: #3c78b5 1px dashed; FONT-FAMILY: Courier -} -.focusedComment { - BACKGROUND: #ffffce -} -.commentBox { - BORDER-RIGHT: #bbb 1px solid; PADDING-RIGHT: 10px; BORDER-TOP: #bbb 1px solid; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; MARGIN: 5px 0px; BORDER-LEFT: #bbb 1px solid; PADDING-TOP: 10px; BORDER-BOTTOM: #bbb 1px solid -} -.focusedComment { - BORDER-RIGHT: #bbb 1px solid; PADDING-RIGHT: 10px; BORDER-TOP: #bbb 1px solid; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; MARGIN: 5px 0px; BORDER-LEFT: #bbb 1px solid; PADDING-TOP: 10px; BORDER-BOTTOM: #bbb 1px solid -} -.codeHeader { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px dashed; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -.codeContent { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; PADDING-TOP: 3px; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: left -} -.preformatted { - BORDER-RIGHT: #3c78b5 1px dashed; BORDER-TOP: #3c78b5 1px dashed; FONT-SIZE: 11px; MARGIN: 10px; BORDER-LEFT: #3c78b5 1px dashed; LINE-HEIGHT: 13px; BORDER-BOTTOM: #3c78b5 1px dashed; FONT-FAMILY: Courier -} -.preformattedHeader { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px dashed; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -.preformattedContent { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; PADDING-TOP: 3px; BACKGROUND-COLOR: #eeefcc -} -.panel { - BORDER-RIGHT: #3c78b5 1px dashed; BORDER-TOP: #3c78b5 1px dashed; MARGIN: 0px 10px 10px; BORDER-LEFT: #3c78b5 1px dashed; BORDER-BOTTOM: #3c78b5 1px dashed -} -.panelHeader { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px dashed; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -.panelContent { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; BACKGROUND-COLOR: #eeefcc -} -.anonymousAlert { - BORDER-RIGHT: red 1px dashed; PADDING-RIGHT: 5px; BORDER-TOP: red 1px dashed; PADDING-LEFT: 5px; FONT-SIZE: 11px; PADDING-BOTTOM: 10px; MARGIN: 4px; BORDER-LEFT: red 1px dashed; LINE-HEIGHT: 13px; PADDING-TOP: 10px; BORDER-BOTTOM: red 1px dashed; BACKGROUND-COLOR: #eeefcc -} -.lockAlert { - BORDER-RIGHT: red 1px dashed; PADDING-RIGHT: 5px; BORDER-TOP: red 1px dashed; PADDING-LEFT: 5px; FONT-SIZE: 11px; PADDING-BOTTOM: 10px; MARGIN: 4px; BORDER-LEFT: red 1px dashed; WIDTH: 50%; LINE-HEIGHT: 13px; PADDING-TOP: 10px; BORDER-BOTTOM: red 1px dashed; BACKGROUND-COLOR: #eeefcc -} -.code-keyword { - COLOR: #000091 -} -.code-object { - COLOR: #910091 -} -.code-quote { - COLOR: #009100 -} -.code-comment { - COLOR: #808080 -} -.code-xml .code-keyword { - FONT-WEIGHT: bold -} -.code-tag { - COLOR: #000091 -} -.breadcrumbs { - BORDER-RIGHT: #3c78b5 0px solid; PADDING-RIGHT: 0px; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 0px; FONT-SIZE: 11px; PADDING-BOTTOM: 3px; BORDER-LEFT: #3c78b5 0px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc -} -.navmenu { - BORDER-RIGHT: #ccc 1px solid; BORDER-TOP: #ccc 1px solid; BORDER-LEFT: #ccc 1px solid; BORDER-BOTTOM: #ccc 1px solid -} -.menuheading { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; PADDING-BOTTOM: 2px; PADDING-TOP: 4px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc -} -.menuitems { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 20px; PADDING-TOP: 4px -} -.rightpanel { - BORDER-LEFT: #ccc 1px solid; BORDER-BOTTOM: #ccc 1px solid -} -#helpheading { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; PADDING-BOTTOM: 4px; MARGIN: 0px; PADDING-TOP: 4px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #d0d9bd; TEXT-ALIGN: left -} -#helpcontent { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 4px; PADDING-TOP: 4px; BACKGROUND-COLOR: #f5f7f1 -} -.helptab-unselected { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; FONT-WEIGHT: bold; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; BACKGROUND-COLOR: #f5f7f1 -} -.helptab-selected { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; FONT-WEIGHT: bold; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; BACKGROUND-COLOR: #d0d9bd -} -.helptabs { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; MARGIN: 0px; PADDING-TOP: 5px; BACKGROUND-COLOR: #f5f7f1 -} -.infopanel-heading { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; PADDING-BOTTOM: 2px; PADDING-TOP: 4px -} -.pagebody { - -} -.pageheader { - PADDING-RIGHT: 5px; PADDING-LEFT: 0px; PADDING-BOTTOM: 5px; PADDING-TOP: 5px; BORDER-BOTTOM: #3c78b5 1px solid -} -.pagetitle { - FONT-WEIGHT: bold; FONT-SIZE: 22px; COLOR: #003366; FONT-FAMILY: Arial, sans-serif -} -.newpagetitle { - COLOR: #ccc! important -} -.steptitle { - FONT-WEIGHT: bold; FONT-SIZE: 18px; MARGIN-BOTTOM: 7px; COLOR: #003366; FONT-FAMILY: Arial, sans-serif -} -.substeptitle { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; FONT-SIZE: 12px; PADDING-BOTTOM: 1px; MARGIN: 2px 4px 4px; COLOR: #003366; PADDING-TOP: 2px; FONT-FAMILY: Arial, sans-serif -} -.stepdesc { - MARGIN-TOP: 7px; FONT-WEIGHT: normal; FONT-SIZE: 11px; MARGIN-BOTTOM: 7px; COLOR: #666666; LINE-HEIGHT: 16px; FONT-FAMILY: Verdana, arial, sans-serif -} -.steplabel { - FONT-WEIGHT: bold; FLOAT: left; WIDTH: 15%; COLOR: black; MARGIN-RIGHT: 4px; TEXT-ALIGN: right -} -.stepfield { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 5px; PADDING-TOP: 5px -} -.submitButtons { - MARGIN-TOP: 5px; TEXT-ALIGN: right -} -.formtitle { - FONT-WEIGHT: bold; FONT-SIZE: 12px; COLOR: #003366; FONT-FAMILY: Arial, sans-serif -} -.sectionbottom { - BORDER-BOTTOM: #3c78b5 1px solid -} -.topRow { - BORDER-TOP: #3c78b5 2px solid -} -.tabletitle { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 14px; PADDING-BOTTOM: 2px; MARGIN: 8px 4px 2px 0px; COLOR: #003366; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 2px solid; FONT-FAMILY: Arial, sans-serif -} -.pagesubheading { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 10px; PADDING-BOTTOM: 5px; COLOR: #666666; PADDING-TOP: 0px -} -HR { - -} -A:link { - COLOR: #003366 -} -A:visited { - COLOR: #003366 -} -A:active { - COLOR: #003366 -} -A:hover { - COLOR: #003366 -} -H1 A:link { - TEXT-DECORATION: none -} -H1 A:visited { - TEXT-DECORATION: none -} -H1 A:active { - TEXT-DECORATION: none -} -H1 A:hover { - BORDER-BOTTOM: #003366 1px dotted -} -UNKNOWN { - MARGIN-TOP: 3px -} -.logocell { - PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px -} -INPUT { - FONT-SIZE: 11px; COLOR: #000000; FONT-FAMILY: verdana, geneva, arial, sans-serif -} -TEXTAREA { - FONT-SIZE: 11px; COLOR: #333333; FONT-FAMILY: verdana, geneva, arial, sans-serif -} -TEXTAREA.editor { - FONT-SIZE: 11px; COLOR: #333333; FONT-FAMILY: verdana, geneva, arial, sans-serif -} -.spacenametitle-printable { - MARGIN: 0px; FONT: 100 20px/25px Impact, Arial, Helvetica; COLOR: #999999 -} -.spacenametitle-printable A { - COLOR: #999999; TEXT-DECORATION: none -} -.spacenametitle-printable A:visited { - COLOR: #999999; TEXT-DECORATION: none -} -.blogDate { - FONT-WEIGHT: bold; COLOR: black; TEXT-DECORATION: none -} -.blogSurtitle { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 3px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 3px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 3px; MARGIN: 1px 1px 10px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ddd 1px solid -} -.blogHeading { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-WEIGHT: bold; FONT-SIZE: 20px; PADDING-BOTTOM: 0px; MARGIN: 0px; LINE-HEIGHT: normal; PADDING-TOP: 0px -} -.blogHeading A { - COLOR: black; TEXT-DECORATION: none -} -.endsection { - MARGIN-TOP: 10px; COLOR: #666666; align: right -} -.endsectionleftnav { - MARGIN-TOP: 10px; COLOR: #666666; align: right -} -H1 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 24px; PADDING-BOTTOM: 2px; MARGIN: 36px 0px 4px; COLOR: #003366; LINE-HEIGHT: normal; PADDING-TOP: 2px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc -} -H2 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 18px; PADDING-BOTTOM: 2px; MARGIN: 27px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 2px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc -} -H3 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 14px; PADDING-BOTTOM: 2px; MARGIN: 21px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -H4 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 12px; PADDING-BOTTOM: 2px; MARGIN: 18px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -H4.search { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: normal; FONT-SIZE: 12px; PADDING-BOTTOM: 4px; MARGIN: 18px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 4px; BACKGROUND-COLOR: #eeefcc -} -H5 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 10px; PADDING-BOTTOM: 2px; MARGIN: 14px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -H6 { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: 8px; PADDING-BOTTOM: 2px; MARGIN: 14px 0px 4px; LINE-HEIGHT: normal; PADDING-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -.smallfont { - FONT-SIZE: 10px -} -.descfont { - FONT-SIZE: 10px; COLOR: #666666 -} -.smallerfont { - FONT-SIZE: 9px -} -.smalltext { - FONT-SIZE: 10px; COLOR: #666666 -} -.smalltext A { - COLOR: #666666 -} -.smalltext-blue { - FONT-SIZE: 10px; COLOR: #3c78b5 -} -.surtitle { - FONT-SIZE: 14px; MARGIN-BOTTOM: 5px; MARGIN-LEFT: 1px; COLOR: #666666 -} -.navItemOver { - FONT-WEIGHT: bold; FONT-SIZE: 10px; CURSOR: pointer; COLOR: #ffffff; BACKGROUND-COLOR: #003366; voice-family: inherit -} -.navItemOver A { - COLOR: #ffffff; BACKGROUND-COLOR: #003366; TEXT-DECORATION: none -} -.navItemOver A:visited { - COLOR: #ffffff; BACKGROUND-COLOR: #003366; TEXT-DECORATION: none -} -.navItemOver A:hover { - COLOR: #ffffff; BACKGROUND-COLOR: #003366; TEXT-DECORATION: none -} -.navItem { - FONT-WEIGHT: bold; FONT-SIZE: 10px; COLOR: #ffffff; BACKGROUND-COLOR: #3c78b5 -} -.navItem A { - COLOR: #ffffff; TEXT-DECORATION: none -} -.navItem A:hover { - COLOR: #ffffff; TEXT-DECORATION: none -} -.navItem A:visited { - COLOR: #ffffff; TEXT-DECORATION: none -} -DIV.padded { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 4px; PADDING-TOP: 4px -} -DIV.thickPadded { - PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px -} -H3.macrolibrariestitle { - MARGIN: 0px -} -DIV.centered { - MARGIN: 10px; TEXT-ALIGN: center -} -DIV.centered TABLE { - MARGIN: 0px auto; TEXT-ALIGN: left -} -.tableview TABLE { - MARGIN: 0px -} -.tableview TH { - PADDING-RIGHT: 0px; PADDING-LEFT: 5px; FONT-SIZE: 12px; PADDING-BOTTOM: 0px; COLOR: #003366; PADDING-TOP: 5px; BORDER-BOTTOM: #3c78b5 2px solid; TEXT-ALIGN: left -} -.tableview TD { - BORDER-RIGHT: #ccc 0px solid; PADDING-RIGHT: 10px; BORDER-TOP: #ccc 0px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 4px; MARGIN: 0px; BORDER-LEFT: #ccc 0px solid; PADDING-TOP: 4px; BORDER-BOTTOM: #ccc 1px solid; TEXT-ALIGN: left -} -.grid { - MARGIN: 2px 0px 5px; BORDER-COLLAPSE: collapse -} -.grid TH { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 2px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 2px; BORDER-BOTTOM: #ccc 1px solid; TEXT-ALIGN: center -} -.grid TD { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; PADDING-BOTTOM: 3px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ccc 1px solid -} -.gridHover { - BACKGROUND-COLOR: #f9f9f9 -} -TD.infocell { - BACKGROUND-COLOR: #eeefcc -} -.label { - FONT-WEIGHT: bold; COLOR: #003366 -} -LABEL { - FONT-WEIGHT: bold; COLOR: #003366 -} -.error { - BACKGROUND-COLOR: #fcc -} -.errorBox { - BORDER-RIGHT: #c00 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #c00 1px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; MARGIN: 5px; BORDER-LEFT: #c00 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #c00 1px solid; BACKGROUND-COLOR: #fcc -} -.errorMessage { - COLOR: #c00 -} -.success { - BACKGROUND-COLOR: #dfd -} -.successBox { - BORDER-RIGHT: #090 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #090 1px solid; MARGIN-TOP: 5px; PADDING-LEFT: 5px; MARGIN-BOTTOM: 5px; PADDING-BOTTOM: 5px; BORDER-LEFT: #090 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #090 1px solid; BACKGROUND-COLOR: #dfd -} -BLOCKQUOTE { - PADDING-RIGHT: 10px; PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #3c78b5 1px solid; MARGIN-RIGHT: 0px -} -TABLE.confluenceTable { - MARGIN: 5px; BORDER-COLLAPSE: collapse -} -TABLE.confluenceTable TD.confluenceTd { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; PADDING-BOTTOM: 3px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ccc 1px solid -} -TABLE.confluenceTable TH.confluenceTh { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; PADDING-BOTTOM: 3px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ccc 1px solid; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -TD.confluenceTd { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; PADDING-BOTTOM: 3px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ccc 1px solid -} -TH.confluenceTh { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 4px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 4px; PADDING-BOTTOM: 3px; BORDER-LEFT: #ccc 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ccc 1px solid; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -DIV.small { - FONT-SIZE: 9px -} -H1.pagename { - MARGIN-TOP: 0px -} -IMG.inline { - -} -.loginform { - BORDER-RIGHT: #ccc 1px solid; BORDER-TOP: #ccc 1px solid; MARGIN: 5px; BORDER-LEFT: #ccc 1px solid; BORDER-BOTTOM: #ccc 1px solid -} -.previewnote { - FONT-SIZE: 11px; COLOR: red; TEXT-ALIGN: center -} -.previewcontent { - BACKGROUND: #e0e0e0 -} -.messagecontent { - BACKGROUND: #e0e0e0 -} -.conflictnote { - -} -.createlink { - COLOR: maroon -} -A.createlink { - COLOR: maroon -} -.templateparameter { - FONT-SIZE: 9px; COLOR: darkblue -} -.diffadded { - PADDING-RIGHT: 1px; PADDING-LEFT: 4px; BACKGROUND: #ddffdd; PADDING-BOTTOM: 1px; BORDER-LEFT: darkgreen 4px solid; PADDING-TOP: 1px -} -.diffdeleted { - PADDING-RIGHT: 1px; PADDING-LEFT: 4px; BACKGROUND: #ffdddd; PADDING-BOTTOM: 1px; BORDER-LEFT: darkred 4px solid; COLOR: #999; PADDING-TOP: 1px -} -.diffnochange { - PADDING-RIGHT: 1px; PADDING-LEFT: 4px; PADDING-BOTTOM: 1px; BORDER-LEFT: lightgrey 4px solid; PADDING-TOP: 1px -} -.differror { - BACKGROUND: brown -} -.diff { - FONT-SIZE: 12px; LINE-HEIGHT: 14px; FONT-FAMILY: lucida console, courier new, fixed-width -} -.diffaddedchars { - FONT-WEIGHT: bolder; BACKGROUND-COLOR: #99ff99 -} -.diffremovedchars { - FONT-WEIGHT: bolder; BACKGROUND-COLOR: #ff9999; TEXT-DECORATION: line-through -} -.greybackground { - BACKGROUND: #eeefcc -} -.greybox { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 3px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; MARGIN: 1px 1px 10px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ddd 1px solid -} -.borderedGreyBox { - BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 10px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; BORDER-LEFT: #cccccc 1px solid; PADDING-TOP: 10px; BORDER-BOTTOM: #cccccc 1px solid; BACKGROUND-COLOR: #eeefcc -} -.greyboxfilled { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 3px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 3px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 3px; MARGIN: 1px 1px 10px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ddd 1px solid -} -.navBackgroundBox { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; FONT-WEIGHT: bold; FONT-SIZE: 22px; BACKGROUND: #3c78b5; PADDING-BOTTOM: 5px; COLOR: white; PADDING-TOP: 5px; FONT-FAMILY: Arial, sans-serif; TEXT-DECORATION: none -} -.previewBoxTop { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; MARGIN: 5px 0px 0px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #3c78b5 0px solid; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -.previewContent { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 10px; BORDER-TOP: #3c78b5 0px solid; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; MARGIN: 0px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 10px; BORDER-BOTTOM: #3c78b5 0px solid; BACKGROUND-COLOR: #fff -} -.previewBoxBottom { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #3c78b5 0px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; MARGIN: 0px 0px 5px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc; TEXT-ALIGN: center -} -.functionbox { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 3px; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; MARGIN: 1px 1px 10px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #eeefcc -} -.functionbox-greyborder { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 3px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; MARGIN: 1px 1px 10px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #ddd 1px solid; BACKGROUND-COLOR: #eeefcc -} -.search-highlight { - BACKGROUND-COLOR: #ffffcc -} -.rowNormal { - BACKGROUND-COLOR: #ffffff -} -.rowAlternate { - BACKGROUND-COLOR: #f7f7f7 -} -.rowAlternateNoBottomColor { - BACKGROUND-COLOR: #f7f7f7 -} -.rowAlternateNoBottomNoColor { - -} -.rowAlternateNoBottomColor TD { - BORDER-BOTTOM-WIDTH: 0px -} -.rowAlternateNoBottomNoColor TD { - BORDER-BOTTOM-WIDTH: 0px -} -.rowHighlight { - BACKGROUND-COLOR: #eeefcc -} -TD.greenbar { - BORDER-RIGHT: #9c9c9c 1px solid; PADDING-RIGHT: 0px; BORDER-TOP: #9c9c9c 1px solid; PADDING-LEFT: 0px; FONT-SIZE: 2px; BACKGROUND: #00df00; PADDING-BOTTOM: 0px; BORDER-LEFT: #9c9c9c 1px solid; PADDING-TOP: 0px; BORDER-BOTTOM: #9c9c9c 1px solid -} -TD.redbar { - BORDER-RIGHT: #9c9c9c 1px solid; PADDING-RIGHT: 0px; BORDER-TOP: #9c9c9c 1px solid; PADDING-LEFT: 0px; FONT-SIZE: 2px; BACKGROUND: #df0000; PADDING-BOTTOM: 0px; BORDER-LEFT: #9c9c9c 1px solid; PADDING-TOP: 0px; BORDER-BOTTOM: #9c9c9c 1px solid -} -TD.darkredbar { - BORDER-RIGHT: #9c9c9c 1px solid; PADDING-RIGHT: 0px; BORDER-TOP: #9c9c9c 1px solid; PADDING-LEFT: 0px; FONT-SIZE: 2px; BACKGROUND: #af0000; PADDING-BOTTOM: 0px; BORDER-LEFT: #9c9c9c 1px solid; PADDING-TOP: 0px; BORDER-BOTTOM: #9c9c9c 1px solid -} -TR.testpassed { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 2px; BACKGROUND: #ddffdd; PADDING-BOTTOM: 0px; PADDING-TOP: 0px -} -TR.testfailed { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; FONT-SIZE: 2px; BACKGROUND: #ffdddd; PADDING-BOTTOM: 0px; PADDING-TOP: 0px -} -.toolbar { - MARGIN: 0px; BORDER-COLLAPSE: collapse -} -.toolbar TD { - BORDER-RIGHT: #ccc 1px solid; PADDING-RIGHT: 2px; BORDER-TOP: #ccc 1px solid; PADDING-LEFT: 2px; PADDING-BOTTOM: 2px; BORDER-LEFT: #ccc 1px solid; COLOR: #ccc; PADDING-TOP: 2px; BORDER-BOTTOM: #ccc 1px solid -} -TD.noformatting { - BORDER-RIGHT: 0px; PADDING-RIGHT: 0px; BORDER-TOP: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; BORDER-LEFT: 0px; PADDING-TOP: 0px; BORDER-BOTTOM: 0px; TEXT-ALIGN: center -} -.commentblock { - MARGIN: 12px 0px -} -.license-eval { - BORDER-TOP: #bbbbbb 1px solid; FONT-SIZE: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; TEXT-ALIGN: center -} -.license-none { - BORDER-TOP: #bbbbbb 1px solid; FONT-SIZE: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; TEXT-ALIGN: center -} -.license-nonprofit { - BORDER-TOP: #bbbbbb 1px solid; FONT-SIZE: 10px; FONT-FAMILY: Verdana, Arial, Helvetica, sans-serif; TEXT-ALIGN: center -} -.license-eval { - BACKGROUND-COLOR: #ffcccc -} -.license-none { - BACKGROUND-COLOR: #ffcccc -} -.license-eval B { - COLOR: #990000 -} -.license-none B { - COLOR: #990000 -} -.license-nonprofit { - BACKGROUND-COLOR: #ffffff -} -.bottomshadow { - BACKGROUND-IMAGE: url(/confluence/images/border/border_bottom.gif); BACKGROUND-REPEAT: repeat-x; HEIGHT: 12px -} -.navmenu .operations LI { - PADDING-LEFT: 0px; MARGIN-LEFT: 0px; LIST-STYLE-TYPE: none -} -.navmenu .operations UL { - PADDING-LEFT: 0px; MARGIN-LEFT: 0px; LIST-STYLE-TYPE: none -} -.navmenu .operations UL { - MARGIN-BOTTOM: 9px -} -.navmenu .label { - -} -.toolbar DIV { - DISPLAY: none -} -.toolbar .label { - DISPLAY: none -} -.toolbar .operations { - DISPLAY: block -} -.toolbar .operations UL { - DISPLAY: inline; PADDING-LEFT: 0px; MARGIN-LEFT: 10px; LIST-STYLE-TYPE: none -} -.toolbar .operations LI { - DISPLAY: inline; LIST-STYLE-TYPE: none -} -#foldertab { - PADDING-RIGHT: 0px; PADDING-LEFT: 8px; PADDING-BOTTOM: 3px; FONT: bold 11px Verdana, sans-serif; MARGIN-LEFT: 0px; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px solid -} -#foldertab LI { - DISPLAY: inline; MARGIN: 0px; LIST-STYLE-TYPE: none -} -#foldertab LI A { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 0.5em; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 0.5em; BACKGROUND: #3c78b5; PADDING-BOTTOM: 3px; MARGIN-LEFT: 3px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px; TEXT-DECORATION: none -} -#foldertab LI A:link { - COLOR: #ffffff -} -#foldertab LI A:visited { - COLOR: #ffffff -} -#foldertab LI A:hover { - BORDER-LEFT-COLOR: #003366; BACKGROUND: #003366; BORDER-BOTTOM-COLOR: #003366; COLOR: #ffffff; BORDER-TOP-COLOR: #003366; BORDER-RIGHT-COLOR: #003366 -} -#foldertab LI A.current { - BACKGROUND: white; COLOR: black; BORDER-BOTTOM: white 1px solid -} -#foldertab LI A.current:link { - COLOR: black -} -#foldertab LI A.current:visited { - COLOR: black -} -#foldertab LI A.current:hover { - BACKGROUND: white; COLOR: black; BORDER-BOTTOM: white 1px solid -} -UL#squaretab { - PADDING-LEFT: 0px; FONT: bold 8px Verdana, sans-serif; MARGIN-LEFT: 0px; WHITE-SPACE: nowrap -} -#squaretab LI { - DISPLAY: inline; LIST-STYLE-TYPE: none -} -#squaretab A { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 6px; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 6px; PADDING-BOTTOM: 2px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 2px; BORDER-BOTTOM: #3c78b5 1px solid -} -#squaretab A:link { - COLOR: #fff; BACKGROUND-COLOR: #3c78b5; TEXT-DECORATION: none -} -#squaretab A:visited { - COLOR: #fff; BACKGROUND-COLOR: #3c78b5; TEXT-DECORATION: none -} -#squaretab A:hover { - BORDER-LEFT-COLOR: #003366; BORDER-BOTTOM-COLOR: #003366; COLOR: #ffffff; BORDER-TOP-COLOR: #003366; BACKGROUND-COLOR: #003366; TEXT-DECORATION: none; BORDER-RIGHT-COLOR: #003366 -} -#squaretab LI A#current { - BACKGROUND: white; COLOR: black -} -.blogcalendar { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: normal; FONT-SIZE: x-small; PADDING-BOTTOM: 2px; LINE-HEIGHT: 140%; PADDING-TOP: 2px; FONT-FAMILY: verdana, arial, sans-serif -} -TABLE.blogcalendar { - BORDER-RIGHT: #3c78b5 1px solid; BORDER-TOP: #3c78b5 1px solid; BORDER-LEFT: #3c78b5 1px solid; BORDER-BOTTOM: #3c78b5 1px solid -} -.blogcalendar TH.calendarhead { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: x-small; PADDING-BOTTOM: 2px; TEXT-TRANSFORM: uppercase; COLOR: #ffffff; PADDING-TOP: 2px; LETTER-SPACING: 0.3em; BACKGROUND-COLOR: #3c78b5 -} -A.calendarhead { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: x-small; PADDING-BOTTOM: 2px; TEXT-TRANSFORM: uppercase; COLOR: #ffffff; PADDING-TOP: 2px; LETTER-SPACING: 0.3em; BACKGROUND-COLOR: #3c78b5 -} -.calendarhead:visited { - COLOR: white -} -.calendarhead:active { - COLOR: white -} -.calendarhead:hover { - COLOR: white -} -.blogcalendar TH { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-WEIGHT: bold; FONT-SIZE: x-small; PADDING-BOTTOM: 2px; PADDING-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -.blogcalendar TD { - FONT-WEIGHT: normal; FONT-SIZE: x-small -} -.searchGroup { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 10px; PADDING-TOP: 0px -} -.searchGroupHeading { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; FONT-SIZE: 10px; PADDING-BOTTOM: 1px; COLOR: #ffffff; PADDING-TOP: 2px; BACKGROUND-COLOR: #3c78b5 -} -.searchItem { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; PADDING-BOTTOM: 1px; PADDING-TOP: 1px -} -.searchItemSelected { - PADDING-RIGHT: 4px; PADDING-LEFT: 4px; FONT-WEIGHT: bold; BACKGROUND: #ddd; PADDING-BOTTOM: 1px; PADDING-TOP: 1px -} -.permissionHeading { - BORDER-RIGHT: 0px solid; BORDER-TOP: 0px solid; FONT-SIZE: 16px; BORDER-LEFT: 0px solid; BORDER-BOTTOM: #bbb 1px solid; TEXT-ALIGN: left -} -.permissionTab { - BORDER-RIGHT: 0px solid; BORDER-TOP: 0px solid; FONT-SIZE: 10px; BACKGROUND: #3c78b5; BORDER-LEFT: 1px solid; COLOR: #ffffff; BORDER-BOTTOM: 0px solid -} -.permissionSuperTab { - BORDER-RIGHT: 0px solid; BORDER-TOP: 0px solid; BACKGROUND: #003366; BORDER-LEFT: 1px solid; COLOR: #ffffff; BORDER-BOTTOM: 0px solid -} -.permissionCell { - BORDER-RIGHT: 0px solid; BORDER-TOP: 0px solid; BORDER-LEFT: #bbb 1px solid; BORDER-BOTTOM: 0px solid -} -.warningPanel { - BORDER-RIGHT: #f0c000 1px solid; PADDING-RIGHT: 8px; BORDER-TOP: #f0c000 1px solid; PADDING-LEFT: 8px; BACKGROUND: #ffffce; PADDING-BOTTOM: 8px; MARGIN: 10px; BORDER-LEFT: #f0c000 1px solid; PADDING-TOP: 8px; BORDER-BOTTOM: #f0c000 1px solid -} -.alertPanel { - BORDER-RIGHT: #c00 1px solid; PADDING-RIGHT: 8px; BORDER-TOP: #c00 1px solid; PADDING-LEFT: 8px; BACKGROUND: #ffcccc; PADDING-BOTTOM: 8px; MARGIN: 10px; BORDER-LEFT: #c00 1px solid; PADDING-TOP: 8px; BORDER-BOTTOM: #c00 1px solid -} -.infoPanel { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 8px; BORDER-TOP: #3c78b5 1px solid; PADDING-LEFT: 8px; BACKGROUND: #d8e4f1; PADDING-BOTTOM: 8px; MARGIN: 10px; BORDER-LEFT: #3c78b5 1px solid; PADDING-TOP: 8px; BORDER-BOTTOM: #3c78b5 1px solid -} -.optionPadded { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; PADDING-BOTTOM: 2px; PADDING-TOP: 2px -} -.optionSelected { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 2px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 2px; PADDING-BOTTOM: 2px; MARGIN: -1px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 2px; BORDER-BOTTOM: #ddd 1px solid; BACKGROUND-COLOR: #ffffcc -} -.optionSelected A { - FONT-WEIGHT: bold; COLOR: black; TEXT-DECORATION: none -} -.noteMacro { - BORDER-RIGHT: #f0c000 1px solid; BORDER-TOP: #f0c000 1px solid; MARGIN-TOP: 5px; MARGIN-BOTTOM: 5px; BORDER-LEFT: #f0c000 1px solid; BORDER-BOTTOM: #f0c000 1px solid; BACKGROUND-COLOR: #ffffce; TEXT-ALIGN: left -} -.warningMacro { - BORDER-RIGHT: #c00 1px solid; BORDER-TOP: #c00 1px solid; MARGIN-TOP: 5px; MARGIN-BOTTOM: 5px; BORDER-LEFT: #c00 1px solid; BORDER-BOTTOM: #c00 1px solid; BACKGROUND-COLOR: #fcc; TEXT-ALIGN: left -} -.infoMacro { - BORDER-RIGHT: #3c78b5 1px solid; BORDER-TOP: #3c78b5 1px solid; MARGIN-TOP: 5px; MARGIN-BOTTOM: 5px; BORDER-LEFT: #3c78b5 1px solid; BORDER-BOTTOM: #3c78b5 1px solid; BACKGROUND-COLOR: #d8e4f1; TEXT-ALIGN: left -} -.tipMacro { - BORDER-RIGHT: #090 1px solid; BORDER-TOP: #090 1px solid; MARGIN-TOP: 5px; MARGIN-BOTTOM: 5px; BORDER-LEFT: #090 1px solid; BORDER-BOTTOM: #090 1px solid; BACKGROUND-COLOR: #dfd; TEXT-ALIGN: left -} -.informationMacroPadding { - PADDING-RIGHT: 0px; PADDING-LEFT: 5px; PADDING-BOTTOM: 0px; PADDING-TOP: 5px -} -TABLE.infoMacro TD { - BORDER-TOP-STYLE: none; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BORDER-BOTTOM-STYLE: none -} -TABLE.warningMacro TD { - BORDER-TOP-STYLE: none; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BORDER-BOTTOM-STYLE: none -} -TABLE.tipMacro TD { - BORDER-TOP-STYLE: none; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BORDER-BOTTOM-STYLE: none -} -TABLE.noteMacro TD { - BORDER-TOP-STYLE: none; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BORDER-BOTTOM-STYLE: none -} -TABLE.sectionMacro TD { - BORDER-TOP-STYLE: none; BORDER-RIGHT-STYLE: none; BORDER-LEFT-STYLE: none; BORDER-BOTTOM-STYLE: none -} -TABLE.sectionMacroWithBorder TD.columnMacro { - BORDER-RIGHT: #cccccc 1px dashed; BORDER-TOP: #cccccc 1px dashed; BORDER-LEFT: #cccccc 1px dashed; BORDER-BOTTOM: #cccccc 1px dashed -} -.pagecontent { - PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px; TEXT-ALIGN: left -} -.topBarDiv A:link { - COLOR: #ffffff -} -.topBarDiv A:visited { - COLOR: #ffffff -} -.topBarDiv A:active { - COLOR: #ffffff -} -.topBarDiv A:hover { - COLOR: #ffffff -} -.topBarDiv { - COLOR: #ffffff -} -.topBar { - BACKGROUND-COLOR: #003366 -} -.greyLinks A:link { - COLOR: #666666; TEXT-DECORATION: underline -} -.greyLinks A:visited { - COLOR: #666666; TEXT-DECORATION: underline -} -.greyLinks A:active { - COLOR: #666666; TEXT-DECORATION: underline -} -.greyLinks A:hover { - COLOR: #666666; TEXT-DECORATION: underline -} -.greyLinks { - PADDING-RIGHT: 10px; DISPLAY: block; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; COLOR: #666666; PADDING-TOP: 10px -} -.logoSpaceLink { - COLOR: #999999; TEXT-DECORATION: none -} -.logoSpaceLink A:link { - COLOR: #999999; TEXT-DECORATION: none -} -.logoSpaceLink A:visited { - COLOR: #999999; TEXT-DECORATION: none -} -.logoSpaceLink A:active { - COLOR: #999999; TEXT-DECORATION: none -} -.logoSpaceLink A:hover { - COLOR: #003366; TEXT-DECORATION: none -} -.basicPanelContainer { - BORDER-RIGHT: #3c78b5 1px solid; BORDER-TOP: #3c78b5 1px solid; MARGIN-TOP: 2px; MARGIN-BOTTOM: 8px; BORDER-LEFT: #3c78b5 1px solid; WIDTH: 100%; BORDER-BOTTOM: #3c78b5 1px solid -} -.basicPanelTitle { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; FONT-WEIGHT: bold; PADDING-BOTTOM: 5px; MARGIN: 0px; COLOR: black; PADDING-TOP: 5px; BACKGROUND-COLOR: #eeefcc -} -.basicPanelBody { - PADDING-RIGHT: 5px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; MARGIN: 0px; PADDING-TOP: 5px -} -.separatorLinks A:link { - COLOR: white -} -.separatorLinks A:visited { - COLOR: white -} -.separatorLinks A:active { - COLOR: white -} -.greynavbar { - BORDER-TOP: #3c78b5 1px solid; MARGIN-TOP: 2px; BACKGROUND-COLOR: #eeefcc -} -DIV.headerField { - FLOAT: left; WIDTH: auto; HEIGHT: 100% -} -.headerFloat { - MARGIN-LEFT: auto; WIDTH: 50% -} -.headerFloatLeft { - FLOAT: left; MARGIN-BOTTOM: 10px; MARGIN-RIGHT: 20px -} -#headerRow { - PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-BOTTOM: 10px; PADDING-TOP: 10px -} -DIV.license-personal { - COLOR: #ffffff; BACKGROUND-COLOR: #003366 -} -DIV.license-personal A { - COLOR: #ffffff -} -.greyFormBox { - BORDER-RIGHT: #cccccc 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #cccccc 1px solid; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; BORDER-LEFT: #cccccc 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #cccccc 1px solid -} -.marginlessForm { - MARGIN: 0px -} -.openPageHighlight { - BORDER-RIGHT: #ddd 1px solid; PADDING-RIGHT: 2px; BORDER-TOP: #ddd 1px solid; PADDING-LEFT: 2px; PADDING-BOTTOM: 2px; BORDER-LEFT: #ddd 1px solid; PADDING-TOP: 2px; BORDER-BOTTOM: #ddd 1px solid; BACKGROUND-COLOR: #ffffcc -} -.editPageInsertLinks { - FONT-WEIGHT: bold; FONT-SIZE: 10px; COLOR: #666666 -} -.editPageInsertLinks A { - FONT-WEIGHT: bold; FONT-SIZE: 10px; COLOR: #666666 -} -.top10 A { - FONT-WEIGHT: bold; FONT-SIZE: 2em; COLOR: #003366 -} -.top25 A { - FONT-WEIGHT: bold; FONT-SIZE: 1.6em; COLOR: #003366 -} -.top50 A { - FONT-SIZE: 1.4em; COLOR: #003366 -} -.top100 A { - FONT-SIZE: 1.2em; COLOR: #003366 -} -.heatmap { - MARGIN: 0px auto; WIDTH: 95%; LIST-STYLE-TYPE: none -} -.heatmap A { - TEXT-DECORATION: none -} -.heatmap A:hover { - TEXT-DECORATION: underline -} -.heatmap LI { - DISPLAY: inline -} -.minitab { - PADDING-RIGHT: 0px; MARGIN-TOP: 1px; PADDING-LEFT: 8px; FLOAT: none; MARGIN-BOTTOM: 0px; PADDING-BOTTOM: 3px; FONT: bold 9px Verdana, sans-serif; MARGIN-LEFT: 0px; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px solid; TEXT-DECORATION: none -} -.selectedminitab { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 0.5em; BORDER-TOP: #3c78b5 1px solid; MARGIN-TOP: 1px; PADDING-LEFT: 0.5em; BACKGROUND: white; PADDING-BOTTOM: 3px; MARGIN-LEFT: 3px; BORDER-LEFT: #3c78b5 1px solid; COLOR: #000000; PADDING-TOP: 3px; BORDER-BOTTOM: white 1px solid; TEXT-DECORATION: none -} -.unselectedminitab { - BORDER-RIGHT: #3c78b5 1px solid; PADDING-RIGHT: 0.5em; BORDER-TOP: #3c78b5 1px solid; MARGIN-TOP: 1px; PADDING-LEFT: 0.5em; BACKGROUND: #3c78b5; PADDING-BOTTOM: 3px; MARGIN-LEFT: 3px; BORDER-LEFT: #3c78b5 1px solid; COLOR: #ffffff; PADDING-TOP: 3px; BORDER-BOTTOM: #3c78b5 1px; TEXT-DECORATION: none -} -A.unselectedminitab:hover { - BORDER-LEFT-COLOR: #003366; BACKGROUND: #003366; BORDER-BOTTOM-COLOR: #003366; COLOR: #ffffff; BORDER-TOP-COLOR: #003366; BORDER-RIGHT-COLOR: #003366 -} -A.unselectedminitab:link { - COLOR: white -} -A.unselectedminitab:visited { - COLOR: white -} -A.selectedminitab:link { - COLOR: black -} -A.selectedminitab:visited { - COLOR: black -} -.linkerror { - BACKGROUND-COLOR: #fcc -} -A.labelOperationLink:link { - TEXT-DECORATION: underline -} -A.labelOperationLink:active { - TEXT-DECORATION: underline -} -A.labelOperationLink:visited { - TEXT-DECORATION: underline -} -A.labelOperationLink:hover { - TEXT-DECORATION: underline -} -A.newLabel:link { - BACKGROUND-COLOR: #ddffdd -} -A.newLabel:active { - BACKGROUND-COLOR: #ddffdd -} -A.newLabel:visited { - BACKGROUND-COLOR: #ddffdd -} -A.newLabel:hover { - BACKGROUND-COLOR: #ddffdd -} -UL.square { - LIST-STYLE-TYPE: square -} -.inline-control-link { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-SIZE: 9px; BACKGROUND: #ffc; PADDING-BOTTOM: 2px; TEXT-TRANSFORM: uppercase; COLOR: #666; PADDING-TOP: 2px; TEXT-DECORATION: none -} -.inline-control-link A:link { - TEXT-DECORATION: none -} -.inline-control-link A:active { - TEXT-DECORATION: none -} -.inline-control-link A:visited { - TEXT-DECORATION: none -} -.inline-control-link A:hover { - TEXT-DECORATION: none -} -.inline-control-link { - PADDING-RIGHT: 2px; PADDING-LEFT: 2px; FONT-SIZE: 9px; BACKGROUND: #ffc; PADDING-BOTTOM: 2px; TEXT-TRANSFORM: uppercase; CURSOR: pointer; COLOR: #666; PADDING-TOP: 2px; TEXT-DECORATION: none -} -DIV.auto_complete { - BACKGROUND: #fff; WIDTH: 350px -} -DIV.auto_complete UL { - BORDER-RIGHT: #888 1px solid; PADDING-RIGHT: 0px; BORDER-TOP: #888 1px solid; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; BORDER-LEFT: #888 1px solid; WIDTH: 100%; PADDING-TOP: 0px; BORDER-BOTTOM: #888 1px solid; LIST-STYLE-TYPE: none -} -DIV.auto_complete UL LI { - PADDING-RIGHT: 3px; PADDING-LEFT: 3px; PADDING-BOTTOM: 3px; MARGIN: 0px; PADDING-TOP: 3px -} -DIV.auto_complete UL LI.selected { - BACKGROUND-COLOR: #ffb -} -DIV.auto_complete UL STRONG.highlight { - PADDING-RIGHT: 0px; PADDING-LEFT: 0px; PADDING-BOTTOM: 0px; MARGIN: 0px; COLOR: #800; PADDING-TOP: 0px -} -.toogleFormDiv { - BORDER-RIGHT: #a7a6aa 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #a7a6aa 1px solid; MARGIN-TOP: 5px; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; BORDER-LEFT: #a7a6aa 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #a7a6aa 1px solid; BACKGROUND-COLOR: white -} -.toogleInfoDiv { - BORDER-RIGHT: #a7a6aa 1px solid; PADDING-RIGHT: 5px; BORDER-TOP: #a7a6aa 1px solid; MARGIN-TOP: 10px; DISPLAY: none; PADDING-LEFT: 5px; PADDING-BOTTOM: 5px; BORDER-LEFT: #a7a6aa 1px solid; PADDING-TOP: 5px; BORDER-BOTTOM: #a7a6aa 1px solid; BACKGROUND-COLOR: white -} -.inputSection { - MARGIN-BOTTOM: 20px -} -#editBox { - BACKGROUND-COLOR: #eeefcc -} -.leftnav LI A { - PADDING-RIGHT: 2px; BORDER-TOP: #3c78b5 1px solid; DISPLAY: block; PADDING-LEFT: 5px; PADDING-BOTTOM: 2px; MARGIN: 0px; COLOR: white; PADDING-TOP: 2px; BACKGROUND-COLOR: #3c78b5; TEXT-DECORATION: none -} -.leftnav LI A:active { - COLOR: white -} -.leftnav LI A:visited { - COLOR: white -} -.leftnav LI A:hover { - COLOR: white; BACKGROUND-COLOR: #003366 -} -.replaced { - BACKGROUND-COLOR: #33cc66 -} -.topPadding { - MARGIN-TOP: 20px -} -.form-block { - PADDING-RIGHT: 6px; PADDING-LEFT: 6px; PADDING-BOTTOM: 6px; PADDING-TOP: 6px -} -.form-error-block { - PADDING-RIGHT: 12px; BORDER-TOP: #eeefcc 1px solid; PADDING-LEFT: 12px; BACKGROUND: #fcc; MARGIN-BOTTOM: 6px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; BORDER-BOTTOM: #eeefcc 1px solid -} -.form-element-large { - FONT-WEIGHT: bold; FONT-SIZE: 16px; COLOR: #003366; FONT-FAMILY: Arial, sans-serif -} -.form-element-small { - FONT-WEIGHT: bold; FONT-SIZE: 12px; COLOR: #003366; FONT-FAMILY: Arial, sans-serif -} -.form-header { - PADDING-RIGHT: 12px; BORDER-TOP: #eeefcc 1px solid; PADDING-LEFT: 12px; BACKGROUND: lightyellow; MARGIN-BOTTOM: 6px; PADDING-BOTTOM: 0px; PADDING-TOP: 0px; BORDER-BOTTOM: #eeefcc 1px solid -} -.form-header P { - MARGIN: 12px 0px; LINE-HEIGHT: normal -} -.form-block P { - MARGIN: 12px 0px; LINE-HEIGHT: normal -} -.form-error-block P { - MARGIN: 12px 0px; LINE-HEIGHT: normal -} -.form-example { - FONT-SIZE: 11px; COLOR: #888 -} -.form-divider { - MARGIN-BOTTOM: 6px; BORDER-BOTTOM: #ccc 1px solid -} -.form-buttons { - PADDING-RIGHT: 10px; BORDER-TOP: #ccc 1px solid; MARGIN-TOP: 6px; PADDING-LEFT: 10px; BACKGROUND: #eeefcc; PADDING-BOTTOM: 10px; PADDING-TOP: 10px; BORDER-BOTTOM: #ccc 1px solid; TEXT-ALIGN: center -} -.form-buttons INPUT { - WIDTH: 100px -} -.form-block .error { - PADDING-RIGHT: 6px; PADDING-LEFT: 6px; MARGIN-BOTTOM: 6px; PADDING-BOTTOM: 6px; PADDING-TOP: 6px -} diff --git a/src/windows/build/makeZip.pl b/src/windows/build/makeZip.pl deleted file mode 100644 index 30f0cf1..0000000 --- a/src/windows/build/makeZip.pl +++ /dev/null @@ -1,84 +0,0 @@ -#!perl -w - -#use strict; - -require "prunefiles.pl"; - -use Data::Dumper; - -sub makeZip { - local ($zip, $config) = @_; - - local $odr = $config->{Config}; ## Options, directories, repository, environment. - local $src = $odr->{src}->{value}; - local $out = $odr->{out}->{value}; - local $zipname = $zip->{filename}; - local $filestem = $config->{Stages}->{PostPackage}->{Config}->{FileStem}->{name}; - $zipname =~ s/%filestem%/$filestem/g; - if (exists $zip->{Requires}) { - local $bMakeIt = 1; - local $rverb = $odr->{repository}->{value}; - local $j = 0; - while ($zip->{Requires}->{Switch}[$j]) { ## Check Require switches - local $switch = $zip->{Requires}->{Switch}[$j]; - if (exists $switch->{name}) { ## Ignore dummy entry - # We handle REPOSITORY and CLEAN switches: - if ($switch->{name} =~ /REPOSITORY/i) { - $bMakeIt &&= ($switch->{value} =~ /$rverb/i); ## Repository verb must match requirement - } - elsif ($switch->{name} =~ /CLEAN/i) { ## Clean must be specified - $bMakeIt &&= $clean; - } - else {print "Error -- Unsupported switch $switch->{name} in Requires in ".Dumper($zip); - $bMakeIt = 0; - } - } - $j++; - } - if ( !$bMakeIt ) { - if (exists $zip->{Requires}->{ErrorMsg}) { - print "Error -- $zip->{Requires}->{ErrorMsg}->{text}\n"; - } - else { - print "Error -- requirements not met for building $zipname.\n"; - } - return 0; - } - } - - local $ziptemp = "$out\\ziptemp"; - chdir "$out"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - system("rm -rf $ziptemp") if (-d $ziptemp); - die "Fatal -- Couldn't remove $ziptemp" if (-d $ziptemp); - mkdir($ziptemp); - # Set up the zip's config section: - $zip->{Config} = $config->{Stages}->{PostPackage}->{Config}; - # Add to the copylist's config section. Don't copy Postpackage->Config, - # because the CopyList's Config might contain substitution tags. - $zip->{CopyList}->{Config}->{FileStem}->{name} = $config->{Stages}->{PostPackage}->{Config}->{FileStem}->{name}; - $zip->{CopyList}->{Config}->{From}->{root} = "$src\\pismere"; ## Add zip-specific config settings. - $zip->{CopyList}->{Config}->{To}->{root} = $ziptemp; - copyFiles($zip->{CopyList}, $config); - # Drop down into /ziptemp so the path to the added file won't include : - chdir $ziptemp; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - - # Prune any unwanted files or directories from the directory we're about to zip: - pruneFiles($zip, $config); - - local $zipfile = Archive::Zip->new(); - local $topdir = $zip->{topdir}; - $topdir =~ s/%filestem%/$filestem/g; - $zipfile->addTree('.', $topdir); - if (-e $zipname) {!system("rm -f $zipname") or die "Error -- Couldn't remove $zipname.";} - $zipfile->writeToFileNamed($zipname); - chdir("$out"); - print "Info -- chdir to ".`cd`."\n" if ($verbose); - # move .zip from /ziptemp to . - !system("mv -f ziptemp/$zipname .") or die "Error -- Couldn't move $zipname to .."; - system("rm -rf ziptemp") if (-d "ziptemp"); ## Clean up any temp directory. - print "Info -- created $out\\$zipname.\n" if ($verbose); - } - -return 1; \ No newline at end of file diff --git a/src/windows/build/pruneFiles.pl b/src/windows/build/pruneFiles.pl deleted file mode 100644 index 0bb5176..0000000 --- a/src/windows/build/pruneFiles.pl +++ /dev/null @@ -1,36 +0,0 @@ -#!perl -w - -#use strict; -use Data::Dumper; - -sub pruneFiles { - local ($xml, $config) = @_; - local $prunes = $xml->{Prunes}; - if (! $prunes) {return 0;} - - # Use Unix find instead of Windows find. Save PATH so we can restore it when we're done: - local $savedPATH = $ENV{PATH}; - $ENV{PATH} = $config->{Config}->{unixfind}->{value}.";".$savedPATH; - print "Info -- Processing prunes in ".`cd`."\n" if ($verbose); - local $pru = $prunes->{Prune}; - local $files = "( "; - local $bFirst = 1; - while (($key, $val) = each %$pru) { - local $flags = $val->{flags}; - $flags = "" if (!$flags); - if (!$bFirst) {$files .= " -or ";} - $bFirst = 0; - $files .= "-".$flags."name $key"; - print "Info -- Looking for filenames matching $key\n" if ($verbose); - } - $files .= " )"; - local $list = `find . $files`; - if (length($list) > 1) { - print "Info -- Pruning $list\n" if ($verbose); - ! system("rm -rf $list") or die "Unable to prune $list"; - } - - $ENV{PATH} = $savedPATH; - } - -return 1; diff --git a/src/windows/build/repository1.pl b/src/windows/build/repository1.pl deleted file mode 100644 index 2f4ee21..0000000 --- a/src/windows/build/repository1.pl +++ /dev/null @@ -1,90 +0,0 @@ -#!perl -w - -#use strict; - -sub repository1 { - local ($config) = @_; - local $odr = $config->{Config}; ## Options, directories, repository, environment. - local $src = $odr->{src}->{value}; - local $rverb = $odr->{repository}->{value}; - local $wd = $src."\\pismere"; - - if ($rverb =~ /skip/) {print "Info -- *** Skipping repository access.\n" if ($verbose);} - else { - if ($verbose) {print "Info -- *** Begin fetching sources.\n";} - local $cvspath = "$src"; - if (! -d $cvspath) { ## xcopy will create the entire path for us. - !system("echo foo > a.tmp") or die "Fatal -- Couldn't create temporary file in ".`cd`; - !system("echo F | xcopy a.tmp $cvspath\\a.tmp") or die "Fatal -- Couldn't xcopy to $cvspath."; - !system("rm a.tmp") or die "Fatal -- Couldn't remove temporary file."; - !system("rm $cvspath\\a.tmp") or die "Fatal -- Couldn't remove temporary file."; - } - - # Set up cvs environment variables: - $ENV{CVSROOT} = $odr->{CVSROOT}->{value}; - local $krb5dir = "$wd\\athena\\auth\\krb5"; - - local $cvscmdroot = "cvs $rverb"; - if (length $odr->{cvstag}->{value} > 0) { - $cvscmdroot .= " -r $odr->{cvstag}->{value}"; - } - - if ($rverb =~ /checkout/) { - chdir($src) or die "Fatal -- couldn't chdir to $src\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - my @cvsmodules = ( - 'krb', - 'pismere/athena/util/lib/delaydlls', - 'pismere/athena/util/lib/getopt', - 'pismere/athena/util/guiwrap' - ); - - foreach my $module (@cvsmodules) { - local $cvscmd = $cvscmdroot." ".$module; - if ($verbose) {print "Info -- cvs command: $cvscmd\n";} - !system($cvscmd) or die "Fatal -- command \"$cvscmd\" failed; return code $?\n"; - } - } - else { ## Update. - chdir($wd) or die "Fatal -- couldn't chdir to $wd\n"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - if ($verbose) {print "Info -- cvs command: $cvscmdroot\n";} - !system($cvscmdroot) or die "Fatal -- command \"$cvscmdroot\" failed; return code $?\n"; - } - - # Set up svn environment variable: - $ENV{SVN_SSH} = "plink.exe"; - # If the directory structure doesn't exist, many cd commands will fail. - if (! -d $krb5dir) { ## xcopy will create the entire path for us. - !system("echo foo > a.tmp") or die "Fatal -- Couldn't create temporary file in ".`cd`; - !system("echo F | xcopy a.tmp $krb5dir\\a.tmp") or die "Fatal -- Couldn't xcopy to $krb5dir."; - !system("rm a.tmp") or die "Fatal -- Couldn't remove temporary file."; - !system("rm $krb5dir\\a.tmp") or die "Fatal -- Couldn't remove temporary file."; - } - - chdir($krb5dir) or die "Fatal -- Couldn't chdir to $krb5dir"; - print "Info -- chdir to ".`cd`."\n" if ($verbose); - my $svncmd = "svn $rverb "; - if ($rverb =~ /checkout/) { # Append the rest of the checkout command: - chdir(".."); - $svncmd .= "svn+ssh://".$odr->{username}->{value}."@".$odr->{SVNURL}->{value}."/krb5/"; - if (length $odr->{svntag}->{value} > 0) { - $svncmd .= "tags/$odr->{svntag}->{value}"; - } - elsif (length $odr->{svnbranch}->{value} > 0) { - $svncmd .= "branches/$odr->{svnbranch}->{value}"; - } - else { - $svncmd .= "trunk"; - } - - $svncmd .= " krb5"; - - } - if ($verbose) {print "Info -- svn command: $svncmd\n";} - !system($svncmd) or die "Fatal -- command \"$svncmd\" failed; return code $?\n"; - if ($verbose) {print "Info -- *** End fetching sources.\n";} - } - } - -return 1; \ No newline at end of file diff --git a/src/windows/build/sdkfiles.xml b/src/windows/build/sdkfiles.xml deleted file mode 100644 index c938107..0000000 --- a/src/windows/build/sdkfiles.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/build/signFiles.pl b/src/windows/build/signFiles.pl deleted file mode 100644 index ea093b1..0000000 --- a/src/windows/build/signFiles.pl +++ /dev/null @@ -1,27 +0,0 @@ -#!perl -w - -#use strict; -use Data::Dumper; - -sub signFiles { - local ($signing, $config) = @_; - local $exprs = $signing->{FilePatterns}->{value}; - local $template = $signing->{CommandTemplate}->{value}; - # Use Unix find instead of Windows find. Save PATH so we can restore it when we're done: - local $savedPATH= $ENV{PATH}; - $ENV{PATH} = $config->{Config}->{unixfind}->{value}.";".$savedPATH; - foreach $expr (split(" ", $exprs)) { ## exprs is something like "*.exe *.dll" - local $cmd = "find . -iname \"$expr\""; - local $list = `$cmd`; ## $list is files matching *.exe, for example. - foreach $target (split("\n", $list)) { - $target =~ s|/|\\|g; ## Flip path separators from unix-style to windows-style. - local $template2 = $template; - $template2 =~ s/%filename%/$target/; - print "Info -- Signing $target\n" if ($verbose); - !system("$template2") or die "Fatal -- Error signing $target."; - } - } - $ENV{PATH} = $savedPATH; - } - -return 1; \ No newline at end of file diff --git a/src/windows/build/site-local.sed b/src/windows/build/site-local.sed deleted file mode 100644 index 191d200..0000000 --- a/src/windows/build/site-local.sed +++ /dev/null @@ -1,2 +0,0 @@ -s/// -s/// \ No newline at end of file diff --git a/src/windows/build/tee.pl b/src/windows/build/tee.pl deleted file mode 100644 index 2c33370..0000000 --- a/src/windows/build/tee.pl +++ /dev/null @@ -1,79 +0,0 @@ -# Usage 'tee filename' -# Make sure that when using this as a perl pipe you -# print a EOF char! -# (This may be a bug in perl 4 for NT) -# -# Use it like: -# open(PIPE, "|$^X tee.pl foo.log") || die "Can't pipe"; -# open(STDOUT, ">&PIPE") || die "Can't dup pipe to stdout"; -# open(STDERR, ">&PIPE") || die "Can't dup pipe to stderr"; - -use IO::File; - -#$SIG{'INT'} = \&handler; -#$SIG{'QUIT'} = \&handler; - -$SIG{'INT'} = 'IGNORE'; -$SIG{'QUIT'} = \&handler; - -my $fh = new IO::File; - -my $arg = shift; -my $file; -my $access = ">"; - -while ($arg) { - if ($arg =~ /-a/) { - $access = ">>"; - } elsif ($arg =~ /-i/) { - $SIG{'INT'} = 'IGNORE'; - $SIG{'QUIT'} = 'IGNORE'; - } else { - $file = $arg; - last; - } - $arg = shift; -} - -STDOUT->autoflush(1); - -if ($file) { - $fh->open($access.$file) || die "Could not open $file\n"; - $fh->autoflush(1); -} - -while (<>) { - $_ = &logtime.$_; - print $_; - print $fh $_ if $file; -} - -sub logtime { - my ($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = localtime(time); - $mon = $mon + 1; - $year %= 100; - sprintf ("[%02d/%02d/%02d %02d:%02d:%02d] ", - $year, $mon, $mday, - $hour, $min, $sec); -} - -sub handler { - my $sig = shift; - my $bailmsg = &logtime."Bailing out due to SIG$sig!\n"; - my $warnmsg = <{help} || !$f) { - usage(); - exit(0) if $OPT->{help}; - exit(1); - } - - my $p = $OPT->{path} || $ENV{PATH}; - my $s = $Config{path_sep}; - my @d = split(/$s/, $p); - my @e = split(/$s/, lc($ENV{PATHEXT} || '.bat;.exe;.com')); - my @f = ($f, map { $f.$_; } @e); - my $found = 0; - foreach my $d (@d) { - print "(Searching $d)\n" if $OPT->{debug}; - foreach my $f (@f) { - my $df = $d.'\\'.$f; # cannot use $File::Spec->catfile due to UNC. - print "(Checking for $df)\n" if $OPT->{debug}; - if (-f $df) { - exit(0) if $OPT->{quiet}; - print "$df\n"; - exit(0) if !$OPT->{all}; - $found = 1; - } - } - } - print "Could not find $f\n" if !$found && !$OPT->{quiet}; - exit($found?0:1); -} - -sub usage -{ - print <{Zips}; - if (! $zipsXML) {return 0;} - - local $i = 0; - while ($zipsXML->{Zip}[$i]) { - local $zip = $zipsXML->{Zip}[$i]; - makeZip($zip, $config) if (exists $zip->{name}); ## Ignore dummy entry. - $i++; - } ## End zip in xml. - } - -return 1; diff --git a/src/windows/cns/Makefile.in b/src/windows/cns/Makefile.in deleted file mode 100644 index 9742122..0000000 --- a/src/windows/cns/Makefile.in +++ /dev/null @@ -1,76 +0,0 @@ -# Makefile for the Kerberos for Windows ticket manager -# Works for both k4 and k5 releases. -# -NAME = krb5 -OBJS = $(OUTPRE)cns.obj $(OUTPRE)tktlist.obj $(OUTPRE)password.obj $(OUTPRE)options.obj - -##### Options -# Set NODEBUG if building release instead of debug -!IF ! defined(KVERSION) -KVERSION = 5 -!endif -KRB = KRB$(KVERSION) - -!if $(KVERSION) == 4 -BUILDTOP = .. -LIBDIR = $(BUILDTOP)\lib\krb -KLIB = $(LIBDIR)\kerberos.lib -RESFILE = $(OUTPRE)cnsres4.res -XOBJS = $(RESFILE) -LOCALINCLUDES = /I$(BUILDTOP) /I$(BUILDTOP)\include -!endif - -!if $(KVERSION) == 5 -BUILDTOP =..\.. -LIBDIR = $(BUILDTOP)\lib -RESFILE = $(OUTPRE)cnsres5.res -XOBJS = $(RESFILE) $(OUTPRE)kpasswd.obj $(OUTPRE)cns_reg.obj -LOCALINCLUDES = /I$(BUILDTOP) /I$(BUILDTOP)\include /I$(BUILDTOP)\include\krb5 -!endif - -##### C Compiler -#CC = cl -!ifdef NODEBUG -DEFINES = /D$(KRB)=1 -!else -DEFINES = /D$(KRB)=1 /DDEBUG -!endif - -##### RC Compiler -#RC = rc -RFLAGS = /D$(KRB)=1 $(LOCALINCLUDES) -RCFLAGS = $(RFLAGS) -DKRB5_APP - -##### CVSRES -- .res -> .obj converter -CVTRES = cvtres - -##### Linker -LINK = link -LIBS = $(KLIB) $(CLIB) $(WLIB) ../lib/$(OUTPRE)libwin.lib -SYSLIBS = kernel32.lib ws2_32.lib user32.lib gdi32.lib advapi32.lib -LFLAGS = /nologo $(LOPTS) - -all: Makefile $(OUTPRE)$(NAME).exe - -$(OUTPRE)$(NAME).exe: $(NAME).def $(OBJS) $(XOBJS) $(LIBS) - $(LINK) $(LFLAGS) /map:$*.map /out:$@ $(OBJS) $(XOBJS) \ - $(LIBS) $(SYSLIBS) $(SCLIB) - $(_VC_MANIFEST_EMBED_EXE) - -install: - $(CP) $(OUTPRE)$(NAME).exe $(DESTDIR) - $(CP) krb5.hlp $(DESTDIR) - -clean: - $(RM) $(OUTPRE)*.exe - $(RM) $(OUTPRE)*.res - $(RM) $(OUTPRE)*.map - -$(OBJS): cns.h tktlist.h - -$(RESFILE): cns.h ..\version.rc - -$(RESFILE): clock00.ico clock05.ico clock10.ico clock15.ico clock20.ico \ - clock25.ico clock30.ico clock35.ico clock40.ico clock45.ico \ - clock50.ico clock55.ico clock60.ico clockexp.ico clocktkt.ico \ - cns.ico diff --git a/src/windows/cns/clock00.ico b/src/windows/cns/clock00.ico deleted file mode 100644 index 1c2e424c83feaba846167809f124ed859e27099b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)%MHRX41Fm`+z=z=ggCMRY{jXn*XT6OCS2Ko6PV|wrA=u;NEPBG{yZmf;>dtQ z2Jbg8Tryxw>pdM}?|}6J*jbEnq&O_80f}2`KUEdLiK>c*nl3^J5D_kDJ)vqIg~LLo z{s3iz_9-uXbuyIC^%*!*B>BGO!}ko&U;Fvv!@K)F)Z5ni3(FoD2T-!nad5}675Y`S(rPO@Z9u6N?@uGZlCRE zCr%t0P>7)Q93r;}SkP)shq6+@YyvDLMr;X%DK%i+lG^uG4)8~wJ3~zuMNz;Q!-TDW zSSudEPeP*pK(a>KtGw|z5y`sz2%IIndKmCH_VYuY4D+SGzI?6cF5aKV22Yo4z|S3T z`}~FF41@(pAHZe|aLUr~A=dhH&fynnj3d2fjh=)&YYm6mpilYhu^nPAjp> Z?XgGhKbTPIHuk9x>2Zv=k{aLM>j_+x5QYE% diff --git a/src/windows/cns/clock10.ico b/src/windows/cns/clock10.ico deleted file mode 100644 index 15e00b24af94ea279af062fb5c16dc81b395919d..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)%MpSw5PhICxjB}=$?<3djy7O9PHvJmumfp=R3cY9;H2>_A0ZlU==jLn-M0xF zmRTS|j3ik?aEpNzeUdOBHW9Fx0c**TdoseD7BJ0`I`&NgaG@v~N6Qe_S{P%v;pzqF zBqI4pO3WW1YtenmhgMpUz4j;2c&n%2*H>D3_bFXny!(~Thgwy>uJk}R2mAAE@SNwP zx~uyO&lv~6D()}(;jK!(3Aid%CdE|3}LN>F@_tiS#VAw zl8>as`~h;0?kXQzX+i$lpFji0pq|oMF|4n&dee2FwbFrBb*O7S&~4%VJR7_e#i;J? z@e9uxhy%zTzb>!3_K?Vv;}^Gr=nwi&_2mi1aye?4SUD~{0ZwN?N;Om-l85Yxh`GX$P|>; zkvxf{MS(zu9f~4{$aM!i(-s9C$}s~Dd*DU(h&Lj`6E)ys$lz<$0bJ<1XsGGJdk^Ov z55lkzf_MZ!*%I{+q)swkqF3D5a>lC}*ZIckd~2+Z?=|o3 zFCH&8#k0YtZCCl&$0ICfU|E3b2E48#-#F8GoU&^9Cn4xL=kSXp6Un4mV^6G*^1qIuW#563hDp= diff --git a/src/windows/cns/clock25.ico b/src/windows/cns/clock25.ico deleted file mode 100644 index fc163fa23d4967135acb93dc84874f5076de5890..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)I}(C05PhIC=^T$h<`aZ!TI(0 zzOJw#KMQ1ev$}tWUod-M+JLM9_MZT|ESo;WTEEZP{9+wBF?i+}#8hNoY-*xh0Tpjv kJvzRT@5G5X6UUBaUUb7fWNRFza(82Mbx4iO^7Z$61JPd!1ONa4 diff --git a/src/windows/cns/clock30.ico b/src/windows/cns/clock30.ico deleted file mode 100644 index 3dfd8458d2804c5ffd5d0308e5555abab1339773..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)I}XAy41Fy~*$_v_gc!L29EpiY3^dn(BlHsON$AQAx-~pEtx7@*3m}~M^I|)( zBLfLiXuX8cEd^H8TGJqH5@0a{)^bMPkrT`*0qa9rI}`=LjiT_1k|xTsgte9q*KRl` z7MV+qMEn7rNtZm&`%<2;GKPEb6VxiirVg<(Du`F6j_^LhS%hEbv!F0OdcS_G*EcrA zzv;LChhJ#Uz&HU}18hIRoU&~E5$D1==kN=4%7a1jjsc8W&T^>9C7l&3uTJDE`Ow+N ZPWM=R64UscKA-7RG}VXn$XmYtUw0}w2KfL0 diff --git a/src/windows/cns/clock35.ico b/src/windows/cns/clock35.ico deleted file mode 100644 index b508e881d648eaf8094e965adf35afc1e6dc4697..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)OAdlC5Phf#JL3^p8JFHbkK{@c7t(9gBX|k8h~Ux_*q!wa1z`y8)HrlLZ$9k| z86d(0NwR>@Z2~N*lY|Co9Rc$xuo546OO7z31WZV&Z7p(u2YDV8B~27X0b>jUzCQ3? zEHXcFiTDGu_FPljinS+=<22xoPg{BY(BxCn}f->Hq)$ diff --git a/src/windows/cns/clock40.ico b/src/windows/cns/clock40.ico deleted file mode 100644 index d7e64a398494b2f9fd6bfda0ce5f8b19ea02e8eb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)I}XAy41EQpY=|4s2{Cd5I1&?)7-+7MN?d?Tw0B@dbmateBRn@PZTNIT2si#b z+i~p5K!gF}cmkoz0GLt7F%8lp0>(pNEcBa%$o#}5;t%LhQ`5=|R$B8Mns}-f5f?P&$;|Uwep~q ztkHr#Ys#*tJ79kX3fjjjaH1}@WcrIuttBp)v77~+@!V7U(;PA*t1Q34egEqYV}k{Q diff --git a/src/windows/cns/clock45.ico b/src/windows/cns/clock45.ico deleted file mode 100644 index e35b2008dfb46e3ec83fc7051b684677430a7f89..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmc(eO-{ow5QSe#rLZeU$O?7Ijuk4W;2f;5#De4+<_Nt+auT}j3GlAwvz^q5NGc>G znAm=PwF@H|gO6 zWPkseaQiA9&>voU@&}Gj7af@EF-U6fScD zmFD@(?Iy&pGmrVQzl}Wm2adzkew06)yHUM16`t*_weMVVxDRx~2mN2*();6OEWh(L Q@BfN<{j>id#9GSp1(5Foj{pDw diff --git a/src/windows/cns/clock50.ico b/src/windows/cns/clock50.ico deleted file mode 100644 index b1eaa1c82952b060a1823219067081c461c56392..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)OK!qI41J-MyrY#^bcM*O>asVWH|Z5vVTlEqYos?Qmq<=hww!?3b^4qkOu{EC zgzAhx&-Qri$Uue>^86V_yAkk8o#!-2?-?+D0N%_;{vc;~qy$_{Y3#nJ03K9TRFpJP z*EO7T420$&1hdHe%w^&q(B?pGD`!|#c{azmsCemNufB_!t7#F}%$wE=HVW*cq2%W*bTJ9kGiT`d$_BOmQ8tNW~Hf zb|UHb4Duv#<0PxkYH7cr@tEK2Hd_vPny1-hc=SI)a|bRHP#=NSEtp$YUoPT(zUN$i zr9lM{CEtkPn$>r`20r#-g5^)pi*IWB-@h0e&Fuh3s}=!|^j?*Ho-GMoLK diff --git a/src/windows/cns/clock60.ico b/src/windows/cns/clock60.ico deleted file mode 100644 index 0e9d6ebd14d4696ef4fcc7220127e16f899af2c2..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)I}XAy41EQpY`_sZAvV~U5FCk#NDQ>+;0RozJqa@>ARFO1fhH}bLINS&`15Sn zjw1sJdPvhTgw8!+LY<~GNb>|3_JOJR$ZK+f0VR<86ld2(0q~$GyrQIuvMiD3IRn-m zSSuEppSVQ)0Uhu3xXKe&TJs#MxYEj~8aCR*nAuuI`G(j845_yXcqBLrSg}Fle-;1l z!f`)sRINX|#rO3W5A`|Vfn3egzz_c~G=o#PAvIv(yKXSMppUwy}I5?dfxzVT>t|B diff --git a/src/windows/cns/clockexp.ico b/src/windows/cns/clockexp.ico deleted file mode 100644 index 6a22b90b94bc5b1569fb5d467a99ab7bcb29d4ea..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmc&yy-LJD5dLxsAsnc0kW^yn3&`5tgWL0;7VfDTWWw)TA=VLTYuNo z06)~VKWOQqX&Mwo!Ha(Tq3^|`@+ToNegc_Gr?n1W`^%EJ}^3Gg*4ZhFThJCu;7G4rn1F^TS?IEgoO<`OgPm#B8L%| z>>ZMW@%1A%V=*)GiAX?)IVT+ElUmYZm)W+5C_91E-}X{{R30 diff --git a/src/windows/cns/clocktkt.ico b/src/windows/cns/clocktkt.ico deleted file mode 100644 index dc4d246f4af8b968c21d4a4e646ee8b278971f02..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmd5)Jqp4w7=5i`AxQNInZ(gWT)l=4;t{$DF7_yya{{;a7RAlc(Xm^6U+PZ_S`h?& z$@}uXd@pGe0t5)5^$>zn2#h#t&4ic)K->YwGDptI09{5Ptt>uoh74dwmQ@2IQ{;J$ zG)-A>zQZ}mNH&?0@NbB04F>pJ8>@^`q_JF&Ew!?+icJn1-83yX?fnK`(@!W*v0HGt z5p89^&;Q4-tb%-CQ$s@iTks9ML3IqBX_&! z-95`k8Ja-TGUXqrP4Sd;2qn;#v?Yafm`>VGJEeIm1$Tg!Oba-W>Cl-rkc5PnBvwDa z=h^3OCCjo6?hC0_{_eB;?6c4Fdw%cF-mZ^-W%-Fu{OJ|Xs9D=vRiipNy;!xR>N6a_ z(Vj0;%Hde*PEJoxOZ7E?!-ee^hy(xnsY#VPvA9X(=gH1)jmQ&WH{D_@>gAJ{DV62= zyj!PI&o$5@DWB_7>Nux=wLz&5QC@O`xjS86Le+Cg{n?Z&Y2UO-DJgCH=WkYOALmz4 zFWcFaOh;{^{Z*6$l&H4)!A(jD`7cn)mM*t&zWyyreT{NDDZk3NqW?R&cqioplzB>_ zXRgi8`#?gcjCwIP*LVuWv+uTd*wT)$`bN{z_H0Ybf!Y1odVAmOQu==k^Pb($>~rB% zdb_9Lck|!7=g~|Dl6*TCLdy404s0~%$0+68_G3#sAKRbM^Cd)J=}M1r{*G5UtDSyl zz0(u;vFFE8TXxcO#)D!pm@4=a&Q7mbcCtaakc%8Q^c?q)TPV6?Memljwmp%w==Z|0 zbpu|^O`)@|;OB#>NM9MXS4O!qnp|<(q}B_A$jKIRcYASU&qtHbOo+bfd|&4&=s&`N)7<@{T%V!QswXqlcbbEY-RjmNTcLREc6| z3>_#Iol3dvh1ciY$gB6Jn}<4INOR*(CN5w?3Kz|S>l?=d~eE0`f#QS%*w6A zLCK|xDOT;6u3vS$!-dG)Y=mow%1yfdL_(CE=L}+cOoP;v&6FG`J6VX#m}4mU1pGug z`GQ*vCPW@xj?;@hh6xW(uM1~Xfg0aavaSioO4yl8-d0KKV(oIWHAM}IdB@JVHpXBv zpAxH9XyI|KT|8CDd7VyxuF5^0o0~)ly(xVYbKWP4AnFy2YfXR?p7A^7FhJoD$~baD zn+yI7Mi2JaCEnKd&YX;em-v#VU_<#E8M z0JP^AtHY?K9U}3My6?4ZQuxJ56FMR{a?<)B;^9V^75a^j%1 zy7~DH+&$)b`XU|rM%%1Kc!$e{(5sE4rD?Av!{7|??Ne@;mym!fwTIT3x7D4form@N zZCcnuB38%XVs(jyBardVx|^FQ96}3pOCP}(G>>ZC8In+*j&1c@Or?X3p$49x3#(=E zfoM@2%FMV}?R3yknHiU^i=9dL5Dfx{UPIjVSWt;Y z4-27Fa((D6aT8LM>Z#4Y%- zfdH;+KA1KU&Q1i+I74CK5b8Ps=aOsCTft`C$O#F(2*U)P`sGSg(Z194Ax7>x5cKL;K-rlGC)M^p)wF+M3G7g}CZ;SZ=$d560Rj zgD75W`R3!ea~|da5A2``ZxdCl)z(L_BEn@!;v#AtdLB+XjI9EX7eYe4C_8NAPRT^H z=#YI<>ytWIFKB7AN@c7d@)!Y6ZF;e)QtQUZNHPfNCYd0OEqOl1B2gEWcRKt^vAC8g zjRcG;!x^>EvPfxpZIa^XVrWhDGn%QkqBD6kQu8Q)0Mp}?cAXr{wArV63w%P4c9Ho& zG)$YlHk!~oSixEnR*{_+v^vQ-u0^NJR806{L%}H>CsL}7xo68RjoK6gy$XkG496F0ac_k#uW^ z68;O7QWxRID|f*dL?HpsSfw?3$uEwa+Lp+U3^80It+N|4?~acL`9iU4 zyfWs7T|p?)Kh2P}wuU^~b{&;e5xR&SB*9{2M%`2=UOa#6%3&CVza zd^O!jQ!|B{D#HmK^QS_h5=NBrSv3Qgsgh7=6&~MjHNK{5^(BqdQ7{=}?HadAVx%1h z>3`zU4MipmBp8*&edaMu>B)Dx9kEn+)Io@-PaqLaBpxqOoxC^hR*Gn`tc*HEpCt@4 z^MGJMrXjh*_9}+!ACk-_AX}Z$pGis!j0~&loKD13PgBKzc!ymve?r~3bI2_g@^x2V zV_QUiIvxaVXy^v*+BkZ5-3PQCtW*xq@(cCYG;5`-yPv(HH%csdEdg=t?r>~#SDrlG zE(s(2vNkQ54;e^^rpJ>A{GBrvwI&rlQ+izMHBqBl(mjJ~dX!pz?sQcAJP}g3th4x| z|~qw2hFmF)P=pFR6&3vZk`hM`Em`rYJP)QOU29MLt1_ zFe?)E$VjV5Gcgo9M{G{gA??)dyljqSgP+Nt=5Y2kgSB^#X61oaV)secS|B!$CXGQv zNqS_0s+`(5DK*e&9#vTq`|RVNEY^_rh+-W{T6WIF)%qE)gqo&`&!R^n!{Q>${?C6Q?t>9lKoZMRMq6VTZd>t$KIxb;lUqE89glSKdtU2z8LM+G>iGO03ky+ z;nfgQ5*A77%d|x%<~9>~4Lj4prXXGedr!I`+@xcMjn0V<@qmvN?Wt)-O%^jX568y% zy1hFt&Ph(&yW4dnnSni+3ypLys98~U-9juM1Ev$`nwcvyL;h6B{j*Q}!C zxw3Y%lH9U146(%|NatAn;;pTFswFW@s*tM`-P9A%gx@x=6u&MZGY+egVBr0dhqH-? zfJfUC7b^2ilg3Pi3&{Z7sfiP2>A;{>BuTeY9@6)WCh7$@;l5lI->jb#XfEiSMfVg{ zS;~~my2B_%5L%AjUVm^>dpd%nmf7gM77o}4E7p}88ss5YauF-256?i%z(uc0Vj!Zw zT0NMgrvrm|oI)FkCYrvquhfzft*qUx?Mj|TKu^Ni`ZH_$c+XB}-ngf&Wxlv5#-k}V z+QM?Gf{U?QYv*szlZe95tDL?aJ4bs42eQ2b*^#!@^xb)|{@&s31HIW>Hgd!1 zf2QE}c^>-r&vS9BRhg|h7C4s7+JUoK>YdGPGbyp{Y=C5ZTUFDD{!^;98nxb<%KE+Z z2_|>iarEyf=}~k=dJL)9T5}t6Byn%6b(UMT?ak_cRw_B?k1ot@Rx>@ZQ!>u}vud_A zp7~qQ*0IV&G>a8eKy3VSXiq|wHwwEBGt%Lq*~1I zqUP~%s`-qoj`p#uoRq&vDNL%irZY0mY12$S#d%DT)Mtfy@c4#Low)7Ot&4uYbBKQ$_6}(u_dZuzZ^Ak)HuX@6L-n@ym+88paE*Rd5t^uTW|m*baKYUf_WWSWV||0&Bo^zynj@KJYkr0z3(x z0u7h)HUMY`8+jSy2Cxad8GIW&52iuaL*N}?7(5KV z03HKRf~UYYz|-Kn;92k-_&)e4cm-U_OCXnl8^LC97*xTpf&0Km!7=a|@DMlwo&o;> z{u8_gPJ%aFt<;5}8*Br+z-|zM82k?S82Be3GI~Y*_~qoEoWA(7uAQ^6Lgxm1IDd&% zYl$1#Yb`(@jQnN%e+J(H-vvJeFM$?bW?2L-2Umbja6RY-+dvlV0Uj6!hrkp#3O)ip z2R;v;08fH%fp3FX!E4}Z-Yt^%i#CHZQ2)yLd)s57C&Ph;O2)|F5&yp&+ycbci;oxI zE-qS_}g`$0=@vQ6<-SO0`CTD2|flKz=!?{ z`0g99Kd=)YnZrNkK?(opgD3GxPk}FkMEE~3bf0tabKahe_b+DjIg6ypd;`sQ?VM+% zNx?wdmMpz-I-_8lglTxsK!4#+8OS`6w!bjtJuM-}B1N_m$LvgWw4u z{#ksp_+|0Q;*Z4_iysyrEdEz~ulU`QW^yx&gpo5V&;IO3bM=|rKIgUnvC5YWWj|+u ziXgQN!mr6*6sJ@8DKSjqm&7iKTN1M*UP-KyI3+Pc;)BEni3<`FBpygCkT@VQK>WY> ze)0R_^TpqbufGcaZhig9d3gMP>DsG?&ZICWueZH;0W{)@H>gYTAsN-LaKr=yRG|C$ z=?2P{0eNm!RPq*Vi~8jzQs|~ND$|{zW{q0B({uI91~({u|B74H%EPKz?YTEc7wc4m zZnv)9Zj*$72DNN5vwSkM;xMZWX^V&GP>s56N4@QvmAU|0S~DwtpjO^mYq?rA>6WYO zEpL>5niO499>_?4t5x&tR-1*!W@UP7R5^Uq8r7m(rDk%Iv}#FOHLJb%N;^j_((Ro3 zm~WAGi;{MDLDi~TwAWkQEG=4-77g^oD6>b~B5f9@N5lKJt8LvcOn-uM<&NYhwjthM zoCw|WB+FhuMizE+)XBk&dI1VA&@ZSuSzh6w&kGYCixfq9?On5EI*ElwX3V((DqEb;*A{9J04h@R?X@XrJL}6_0_Z) z&RnB-Z8eDX!*4xl^a|$&C)RZTo^msex~O)2*c;~;Z+;M`jR}#W&m=NP8t;@L3k42n z2QHO4;DHGs8H}tPWz{Gv##bO%n1O5@T!I;az zdT<*U0y!`RJ_zmye+>Q}{5!x&s1;<0Zw4b^FIb8OO_P<#zCrIB;rsM-lRj?N`xd=l zr1!0QzgX`t(0hCY_mUv8$!uf>LbXsT)Cpxml~5$q2qi*=jBYj>vQf=uDn;6&zp^1z zHWF4gawj&#%65U?lb|M>NT@}xP?#y(Qq^*;o*DZFeay@pnVHlxGxja|n3-{mCt=Ub z*k7QJnHk4sW}S5`q+Mv+7@Gf|#Kbv^qgY(r)y z+TWtTgIFYsd1mIYU#z&DnYFV|W(GrK#V-+ER$h1kELPYgd7$J1vL?HjURQ8$%eH}@ zorA;8*}m+q-qzv4?SngecMZ{*=G;*-^*1JZEIb#E3tuq{mA>|F&OZ$92e=XJm!~J- z82BvsBKRg)Ne64egHZD*cpRJnEr{=Oum=Ig;A7xn&<+0%fD!{nAO=T32Xx&AszB%% zWo8xN!QPT@Ja9x_#T)B55u&_fPCfhDp(2A`#=DG9sD+U4!jBmFuV}_ zIrutw7Q6^r$zCr5UEpnCFUW(#;0SmGJPu9(dFpT#d=y?TLbm^X_}O}1#8(*0`M^QH z^EKjyxeD*ERB!FMW&ggufgOYUM)vRUqPyduyx%@&b~f+lbB8UPojdmQ?e7^F(H|D< zPkwpm+A-L((B12jcf;A+&!=SP>~1A`$Llwf{C--~sIzW}>P>g=9CCK?({uQCeo?-0 zx7xoy+t;5R?BCA|9{jfBPN|(kLp{4T?;hb`M$1{JxUyMWQ>N*t>Q;>tvc|%r=`Euc zXYOo}^E(?%Aewd8IiHH7wOfYqc8~1YG0=D>>Yhyq+N#SYK2DR6cc#0T$uHcT)IFB> z;!x|yhG+ZKij^OtGRw=&k;BIq&M+_j`D!V(4QixX8VibQ$r@?0E#zwib@4@V+;ay% zD#;xk`v%sk{oBpo7DYGb}dKkH+%4$%Jsdw4SQZ}{f zw`uOou4dBrGRW@Vu;lz^($S@@7wPq?<-qjx;80(WaxQooI)||hX=fOc?wMmdQnMP- zvo0xD^S+PSk87StO{@wW`^mjcO@sReR`(4Kh#-=!BN<=hB2+NgOV?R4ZKGMG5G3iq zwxP@tAy8~1a#5s~OeT}9h zlfAvtPUdmS!diI^a!t1*`>q}LeoNmk^b7}Mfh>T!@+Fryqd#V$DB{FuL z-D=A9)QeqWizN*|)nl7pUNZ*pU@ooi0K(0+jf3mjPBzyb#rIIzHh1r985 zV1WY*99ZDM>yZOI)8PwB`yUrNTQ;+1>b47~xsIP2yhHwXN8KhlmZg@g>!g%lxTKU{ cxuleB?k7Kdw?m8n59`nQ=AV9c@V{~VU%s&Km;e9( diff --git a/src/windows/cns/cns-help.hlp b/src/windows/cns/cns-help.hlp deleted file mode 100644 index a9a00244d5d852052e8944c7d8eb88571904bca4..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 11944 zcmeG>3vd(HwP#ndt}OYpvSbSo;I-@+gN?BKTT@dgtgZ^%Q-F>xs>C>{JEb-95mgy91WD07VB8M89?`^Tm=k2s zqe3jEMx{e?RFp-d5PSeqSkxOO-Dt8y>QOGLCT4-iD-o?P>E~7@LDIySB#X_A1!Af! zt7(Z>x?`%wLRzTMqQYKib|hmOsEN4HE4GLrC*!Ja%#EFp6iKOu#997f2pNJbU*P9D zIVC3|x_QzS5p@alJ5@2Ii(00&G1w|@sEYW+s&^pDD5;kr>~jUwn5wiV2V8nU)sli{SU71Q zl9Gj7(DmtHjfO}dsYwZeaWa~uM5Ls!PY&5bdO=q<*IU9^yG1vsh8j@|WCFd?9n3;e zXphkca(@(KnD3 zQ_4P9O1X=@r zj7^s@JE2c?q*%}_oG!{S@Q<$=UtK+ZQfOv?p1{iQ6S+zJ#>sb?QpWo5c*#WiX0BeFBo$a^G2|;)yBF)$W zZ;wEz^|pqNg-uQH7A3dd);OnQ4kU(P+WUtT48^s%387mA4rezpB`U6h27=h4C5t+m zZh@asxT8HZHwf$P6zpglnwK5>w~P+s!x9*l!2h8H9>Tdd(fJvyk6|^ic3cmm01*$& zLsHhgEl=~`bZmRd-}E2vjoN0L>fHRzty^2}yf|me(GB0)aBTg9PuVvXrt`kzNjFYC zHMo1k=}oU~UNUQY`IN?K&5<&la{=)Fy2gT9e`#INT~ddifU`7i-%zM0Lf-&;vF^eO zvZVwW+j5wlY{maY%D48vxZ8=xWl zfA^aWj_VU-Tb=kNU|}ITySdci(Z%FkYoCk&`nMtKYzow3Wq(g0+VKblXh9gR(hh&2 z*o^PvkJ(0NGD&wJz;A-gLkwgP#8}v$VW7YNU6`?OdT)k>4Rdn2cfYb`&EcG`iT1A? z-ZZjnW^2twraaW&e>Hzb@o^yY$?c@FLxrRi(TRryLFg4ESqRH^v2kV=;i+{ZRmxW2b*xjsZ4e(6@x7$c*NE3C?iL<%3cqTFeqp+GQt3&;vs{?k* z(9QsC&l=JybFFpAFHA&=)CCfPzoGg@*S3SEYfG{6>oRZkTP_ct%Ts25=Td+_x9+l5 z?F_xNX5G^_I~JUKV|V8#U6v2H<4I-=xt|n+K~5Eu(v)tOlQw(rj<> zgwS*2YYLXYjxPqjT~ZKYMvY%H-PbwQ$Q}025p9I`sY*nAnPGCjF^-!rrki>1#TQ)t18*^eP*l+M?*T32adRE)%(X zTL}Yg&MNO$GMJpx+`NSCQWY|oiV z7hMI6^I;C_F@IthtaXbWBZ0H9B-!Cw48b>^ci|93Lh znTTMB4L^?u4+AskQY@F4IhZxG0T(^(B(VElHE^-Us=hGqg!lMFdRb`un| z#cL2>sz9I0GNZ>rh^!BgV9Jo>FM`PFcJJ}Yu++d@UeSeYb_5&A@&%%p_LE2i!Cn8(-&)GYy zuaP3MuaU&>^jsh#|Kr6$|IVPlvSfwZ=p*oD zmxE0Hb&qWsyNGSK)@gqhBjN_O$F`CU7EIw@yFjK{3pDZfFqJJZmid|d0rn`#4-7i1 zfLwC&>z;YNterc!wqQSB6X$Ct?k}qNtu@KXzhl0J9Bg7(uWylB*vOo3WILy_PY`B( z3Axkb&)=7CMK#QGLbbQF!;a_Fo47v{ruaNzeB-#H9#o4pR-ciEmoOT8wptV&6C zdl^||Ckbid4@&eJOJ|nwI@7J>hO$mK@Fnh@L}55G);@Wur8S~%N+jPa+GnfR#W9v+ zJKVP_q>Quf8^@3F!Wxv&W)zSqx|0s{tN}#sXU6|&QQ^o(?)%Uk+Ee6m2nTJ)$*w^X zI7!afYzH5#-NL}KGvv2caG%ENA7AY~o*&N&-@WFK_Dh5*AmGD8sLt3(Am1X{E#mh{ zRq5D@+1x?$;;;N`NZ@VzXglMqXF3np+vCIuepgLV(b@buJgV(wYhBY%z$|-dEEN{C z3OnPSH85*F=dG-$_QPxB_!y6*#iL})+a-pDEiBlxc&%s8&*0K=d-SdH-pf+-r?wF% zvKKI8YitGfqoi><+eO|ZofF8a*J01#sEZYQJS2Z7|e`I9yb5k<_KNmaG-oO-BoMO0_aM@K#BDPWu-KIHg!&iCo)Rw25IVvR86-v9sna zL>qa4xGh=V=gM|uF@!K9YtS@TJi>#U8NnR39wl{AF(w>J$p+bD+u|DVG}fsjtcDof zmE|mJ=<6y_dVgM|Doa0deaijl&o$2!&cEUnJ*$L!3Ursfv{z`6rD%@h33sm3&Bs(V z-@TDxtd2awt$x9u?^~I&rdDlVIFx*p;iBl4LM0|jLw55rF4pv_)Lf_ynRbKiJUo|+ zk+kO?DiS*?1eJzKTVjeNlW`reUD)nCa;s-of8MVCa|;-1o!68%wjp|8#3^!xtBmhz3?<_|{qI;{~yJ!0Eh^y9W1Vd3c0#GO24o5Qt^ z4JP6tXQET|^%KUH=k%R-759<`lBpt)WJ&S8ggZx|PIShFGJ8>%CZiN_{dNQJX=GugN&iXWn`E+w1er6?r|k=H|cJ zxIK5*PB)}&$7{ye?ZP6RKx6qqGyZwnzvLErXhsd2a;tv03c1_WF2KL?G zoR`YGb9~B?X!ce<<$QajV~Kq~sXIaM&i4Cum9g*jHZOax=-@Oxmh$9HBx^$>ZKny| z1SUl0%uRHqxJEEpeIFSbTB(nknYmKBLYn57yFxo0r-CuabLL7ZOqT&Jgiw@>)b#sQGNu%=J)5Y64bj1)t)NL8cIBt3u4Yy`rqv6u_Wq7bVtN zB`28)fCn(l=c!ESFgnU?=0{Xzx;^(7Sx@{pYZ_t0{W+J3FD}ZXl9kT-nIm^QHRAhI zY;|s~HxkIn*$CYUwL-Y5&F!D6He`H}@!@oB)9laIgN;tjNxus}l zw4>gqh|hn4OIvm`ITQ0Q=FHog{c*;c>C^E{LLxivwyN5s61sWR7%0PNp9l`E_#%?% z=9xbZ+JRz|Y1a$*(?L#}n^%PRr&LbMka$xZvG%O0_7^Ik7;{#D{aAqxqGL|r=0YX2 zvOU#Mcy7h$+)lFa7o)wo%bi_#rJWY4vVRirWo6|hlw1e-SF#L!!ii{(A_Qz?>_?9| zito#r`Bc?dIA*`c`sn>*D)Gj9cI}y2Ma&pKJ%)~g2r14ly_Bu1zKv@jhiUPqG;WqbI^Ow-ZcC6;Cu7H_@uZD2ex68xa{<-CW zwA{ma4&_yDbEZDbdl%1lmC$L7+|4}QZjH5A&Wbo{ZTIl&}5HcpUfHhmO1N(UgDmj`y zVOfl|jRN#wPb^!WSSU(tIGC>edmYpNuFJqM}ELpNcSb zMEIIx;L(sa(G8<1zknxTMCp!Qzkp(3^k*o2IKfu_2GpFa>_&o_tz)l>zamPJ9?|?# z6_U+Y5v>n9)eK?gk0j$q9sKAdGhhI1Z6n6w%ZazFp~YRWuuP~DvkW~iIPTf`r=B{1NzuXPc-z&l1B2E);xVP4c@Ni z<&8AGloss',`IDH_Glossary')") -; - - -[FILES] -; The files section is where you specify to the Help Compiler which -; Rich Text Format (.RTF) (your help source) files will be used in the -; Help system. RoboHELP generates and maintains the main .RTF -; file for your Help System. If you desire to have multiple .RTF files, -; simply add the additonal names to the [FILES] section. - -KERBNET.RTF -[ALIAS] -; The Alias section allows you to set up aliases for context strings -; in your help system. -; -; Brief example: -; -; IDH_UserID = IDH_RoboGenerated_Id -; IDH_WMP_MenuID = IDH_RoboGenerated_Id -; IDH_Any = IDH_AnyOther - -[MAP] -; -; The Map Section is where the C language #defines are translated -; or mapped into the Help System Context Strings. Standard C syntax -; can be employed. The .HH file is meant to be #include(d) into your -; Windows application source code. -; - -[BITMAPS] -; -; The [BITMAPS] section is where you list any Bitmaps which have -; been placed by reference in the Help System. See the Help compiler -; documentation for more information about placing bitmaps. -; -; The [BITMAPS] section is not really required under Windows 3.1, -; with the advent of the BMROOT item in the [OPTIONS] section. -; -;FOO1.BMP -;FOO2.BMP -;C:\FOO\FOO3.BMP -;And So On - -[WINDOWS] -; Windows Help can display help in one of 5 secondary windows. -; Before using a secondary window, the window must be defined -; in this section: -; -;Gloss = "Glossary",(100,100,350,350),0,(255,255,255),(255,255,255) -main=,,0,, - -[BAGGAGE] -; -; The Baggage section allows the user to include files which -; will be placed in the internal file system for WinHelp. -; Using files from Baggage is a little faster for CDROM, since -; the CDROM drive table does not need to be read from disk. -; -; Baggage files are referred to as regular bitmaps, except -; that you prefix the filename with '!'. -; -; For Instance: -; {bmc !bitmap.bmp} instead of {bmc bitmap.bmp} -; diff --git a/src/windows/cns/cns.c b/src/windows/cns/cns.c deleted file mode 100644 index 8e40a80..0000000 --- a/src/windows/cns/cns.c +++ /dev/null @@ -1,2196 +0,0 @@ -/* windows/cns/cns.c */ -/* - * Copyright 1994 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* - * Main routine of the Kerberos user interface. Also handles - * all dialog level management functions. - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "cns.h" -#include "tktlist.h" -#include "cns_reg.h" - -#include "../lib/gic.h" - -enum { /* Actions after login */ - LOGIN_AND_EXIT, - LOGIN_AND_MINIMIZE, - LOGIN_AND_RUN, -}; - -/* - * Globals - */ -static HICON kwin_icons[MAX_ICONS]; /* Icons depicting time */ -HFONT hfontdialog = NULL; /* Font in which the dialog is drawn. */ -static HFONT hfonticon = NULL; /* Font for icon label */ -HINSTANCE hinstance; -static int dlgncmdshow; /* ncmdshow from WinMain */ -#if 0 -static UINT wm_kerberos_changed; /* message for cache changing */ -#endif -static int action; /* After login actions */ -static UINT kwin_timer_id; /* Timer being used for update */ -BOOL alert; /* Actions on ticket expiration */ -BOOL beep; -static BOOL alerted; /* TRUE when user already alerted */ -BOOL isblocking = FALSE; /* TRUE when blocked in WinSock */ -static DWORD blocking_end_time; /* Ending count for blocking timeout */ -static FARPROC hook_instance; /* handle for blocking hook function */ - -char confname[FILENAME_MAX]; /* krb5.conf (or krb.conf for krb4) */ - -#ifdef KRB5 -char ccname[FILENAME_MAX]; /* ccache file location */ -BOOL forwardable; /* TRUE to get forwardable tickets */ -BOOL noaddresses; -krb5_context k5_context; -krb5_ccache k5_ccache; -#endif - -/* - * Function: Called during blocking operations. Implement a timeout - * if nothing occurs within the specified time, cancel the blocking - * operation. Also permit the user to press escape in order to - * cancel the blocking operation. - * - * Returns: TRUE if we got and dispatched a message, FALSE otherwise. - */ -BOOL CALLBACK -blocking_hook_proc(void) -{ - MSG msg; - BOOL rc; - - if (GetTickCount() > blocking_end_time) { - WSACancelBlockingCall(); - return FALSE; - } - - rc = (BOOL)PeekMessage(&msg, NULL, 0, 0, PM_REMOVE); - if (!rc) - return FALSE; - - if (msg.message == WM_KEYDOWN && msg.wParam == VK_ESCAPE) { - WSACancelBlockingCall(); - blocking_end_time = msg.time - 1; - return FALSE; - } - - TranslateMessage(&msg); - DispatchMessage(&msg); - - return TRUE; -} - - -/* - * Function: Set up a blocking hook function. - * - * Parameters: - * timeout - # of seconds to block for before cancelling. - */ -void -start_blocking_hook(int timeout) -{ - FARPROC proc; - - if (isblocking) - return; - - isblocking = TRUE; - blocking_end_time = GetTickCount() + (1000 * timeout); -#ifdef _WIN32 - proc = WSASetBlockingHook(blocking_hook_proc); -#else - hook_instance = MakeProcInstance(blocking_hook_proc, hinstance); - proc = WSASetBlockingHook(hook_instance); -#endif - assert(proc != NULL); -} - - -/* - * Function: End the blocking hook fuction set up above. - */ -void -end_blocking_hook(void) -{ -#ifndef _WIN32 - FreeProcInstance(hook_instance); -#endif - WSAUnhookBlockingHook(); - isblocking = FALSE; -} - - -/* - * Function: Centers the specified window on the screen. - * - * Parameters: - * hwnd - the window to center on the screen. - */ -void -center_dialog(HWND hwnd) -{ - int scrwidth, scrheight; - int dlgwidth, dlgheight; - RECT r; - HDC hdc; - - if (hwnd == NULL) - return; - - GetWindowRect(hwnd, &r); - dlgwidth = r.right - r.left; - dlgheight = r.bottom - r.top ; - hdc = GetDC(NULL); - scrwidth = GetDeviceCaps(hdc, HORZRES); - scrheight = GetDeviceCaps(hdc, VERTRES); - ReleaseDC(NULL, hdc); - r.left = (scrwidth - dlgwidth) / 2; - r.top = (scrheight - dlgheight) / 2; - MoveWindow(hwnd, r.left, r.top, dlgwidth, dlgheight, TRUE); -} - - -/* - * Function: Positions the kwin dialog either to the saved location - * or the center of the screen if no saved location. - * - * Parameters: - * hwnd - the window to center on the screen. - */ -static void -position_dialog(HWND hwnd) -{ - int scrwidth, scrheight; - HDC hdc; - int x, y, cx, cy; - - if (hwnd == NULL) - return; - - hdc = GetDC(NULL); - scrwidth = GetDeviceCaps(hdc, HORZRES); - scrheight = GetDeviceCaps(hdc, VERTRES); - ReleaseDC(NULL, hdc); - x = cns_res.x; - y = cns_res.y; - cx = cns_res.cx; - cy = cns_res.cy; - - if (x > scrwidth || - y > scrheight || - x + cx <= 0 || - y + cy <= 0) - center_dialog(hwnd); - else - MoveWindow(hwnd, x, y, cx, cy, TRUE); -} - - -/* - * Function: Set font of all dialog items. - * - * Parameters: - * hwnd - the dialog to set the font of - */ -void -set_dialog_font(HWND hwnd, HFONT hfont) -{ - hwnd = GetWindow(hwnd, GW_CHILD); - - while (hwnd != NULL) { - SetWindowFont(hwnd, hfont, 0); - hwnd = GetWindow(hwnd, GW_HWNDNEXT); - } -} - - -/* - * Function: Trim leading and trailing white space from a string. - * - * Parameters: - * s - the string to trim. - */ -void -trim(char *s) -{ - int l; - int i; - - for (i = 0 ; s[i] ; i++) - if (s[i] != ' ' && s[i] != '\t') - break; - - l = strlen(&s[i]); - memmove(s, &s[i], l + 1); - - for (l--; l >= 0; l--) { - if (s[l] != ' ' && s[l] != '\t') - break; - } - s[l + 1] = 0; -} - - -/* - * Function: This routine figures out the current time epoch and - * returns the conversion factor. It exists because Microloss - * screwed the pooch on the time() and _ftime() calls in its release - * 7.0 libraries. They changed the epoch to Dec 31, 1899! - */ -time_t -kwin_get_epoch(void) -{ - static struct tm jan_1_70 = {0, 0, 0, 1, 0, 70}; - time_t epoch = 0; - - epoch = -mktime(&jan_1_70); /* Seconds til 1970 localtime */ - epoch += _timezone; /* Seconds til 1970 GMT */ - - return epoch; -} - - -/* - * Function: Save the credentials for later restoration. - * - * Parameters: - * c - Returned pointer to saved credential cache. - * - * pname - Returned as principal name of session. - * - * pinstance - Returned as principal instance of session. - * - * ncred - Returned number of credentials saved. - */ -static void -push_credentials(CREDENTIALS **cp, char *pname, char *pinstance, int *ncred) -{ -#ifdef KRB4 - int i; - char service[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - CREDENTIALS *c; - - if (krb_get_tf_fullname(NULL, pname, pinstance, NULL) != KSUCCESS) { - pname[0] = 0; - - pinstance[0] = 0; - } - - *ncred = krb_get_num_cred(); - if (*ncred <= 0) - return; - - c= malloc(*ncred * sizeof(CREDENTIALS)); - assert(c != NULL); - if (c == NULL) { - *ncred = 0; - - return; - } - - for (i = 0; i < *ncred; i++) { - krb_get_nth_cred(service, instance, realm, i + 1); - krb_get_cred(service, instance, realm, &c[i]); - } - - *cp = c; -#endif - -#ifdef KRB5 /* FIXME */ - return; -#endif -} - - -/* - * Function: Restore the saved credentials. - * - * c - Pointer to saved credential cache. - * - * pname - Principal name of session. - * - * pinstance - Principal instance of session. - * - * ncred - Number of credentials saved. - */ -static void -pop_credentials(CREDENTIALS *c, char *pname, char *pinstance, int ncred) -{ -#ifdef KRB4 - int i; - - if (pname[0]) - in_tkt(pname, pinstance); - else - dest_tkt(); - - if (ncred <= 0) - return; - - for (i = 0; i < ncred; i++) { - krb_save_credentials(c[i].service, c[i].instance, c[i].realm, - c[i].session, c[i].lifetime, c[i].kvno, - &(c[i].ticket_st), - c[i].issue_date); - } - - free(c); -#endif -#ifdef KRB5 /* FIXME */ - return; -#endif -} - - -/* - * Function: Save most recent login triplets for placement on the - * bottom of the file menu. - * - * Parameters: - * hwnd - the handle of the window containing the menu to edit. - * - * name - A login name to save in the recent login list - * - * instance - An instance to save in the recent login list - * - * realm - A realm to save in the recent login list - */ -static void -kwin_push_login(HWND hwnd, char *name, char *instance, char *realm) -{ - HMENU hmenu; - int i; - int id; - int ctitems; - char fullname[MAX_K_NAME_SZ + 3]; - char menuitem[MAX_K_NAME_SZ + 3]; - BOOL rc; - - fullname[sizeof(fullname) - 1] = '\0'; - strncpy(fullname, "&x ", sizeof(fullname) - 1); - strncat(fullname, name, sizeof(fullname) - 1 - strlen(fullname)); - strncat(fullname, ".", sizeof(fullname) - 1 - strlen(fullname)); - strncat(fullname, instance, sizeof(fullname) - 1 - strlen(fullname)); - strncat(fullname, "@", sizeof(fullname) - 1 - strlen(fullname)); - strncat(fullname, realm, sizeof(fullname) - 1 - strlen(fullname)); - - hmenu = GetMenu(hwnd); - assert(hmenu != NULL); - - hmenu = GetSubMenu(hmenu, 0); - assert(hmenu != NULL); - - ctitems = GetMenuItemCount(hmenu); - assert(ctitems >= FILE_MENU_ITEMS); - - if (ctitems == FILE_MENU_ITEMS) { - rc = AppendMenu(hmenu, MF_SEPARATOR, 0, NULL); - assert(rc); - - ctitems++; - } - - for (i = FILE_MENU_ITEMS + 1; i < ctitems; i++) { - GetMenuString(hmenu, i, menuitem, sizeof(menuitem), MF_BYPOSITION); - - if (strcmp(&fullname[3], &menuitem[3]) == 0) { - rc = RemoveMenu(hmenu, i, MF_BYPOSITION); - assert(rc); - - ctitems--; - - break; - } - } - - rc = InsertMenu(hmenu, FILE_MENU_ITEMS + 1, MF_BYPOSITION, 1, fullname); - assert(rc); - - ctitems++; - if (ctitems - FILE_MENU_ITEMS - 1 > FILE_MENU_MAX_LOGINS) { - RemoveMenu(hmenu, ctitems - 1, MF_BYPOSITION); - - ctitems--; - } - - id = 0; - for (i = FILE_MENU_ITEMS + 1; i < ctitems; i++) { - GetMenuString(hmenu, i, menuitem, sizeof(menuitem), MF_BYPOSITION); - - rc = RemoveMenu(hmenu, i, MF_BYPOSITION); - assert(rc); - - menuitem[1] = '1' + id; - rc = InsertMenu(hmenu, i, MF_BYPOSITION, IDM_FIRST_LOGIN + id, menuitem); - assert(rc); - - id++; - } -} - - -/* - * Function: Initialize the logins on the file menu form the KERBEROS.INI - * file. - * - * Parameters: - * hwnd - handle of the dialog containing the file menu. - */ -static void -kwin_init_file_menu(HWND hwnd) -{ - HMENU hmenu; - int i; - char menuitem[MAX_K_NAME_SZ + 3]; - int id; - BOOL rc; - - hmenu = GetMenu(hwnd); - assert(hmenu != NULL); - - hmenu = GetSubMenu(hmenu, 0); - assert(hmenu != NULL); - - id = 0; - for (i = 0; i < FILE_MENU_MAX_LOGINS; i++) { - strcpy(menuitem + 3, cns_res.logins[i]); - - if (!menuitem[3]) - continue; - - menuitem[0] = '&'; - menuitem[1] = '1' + id; - menuitem[2] = ' '; - - if (id == 0) { - rc = AppendMenu(hmenu, MF_SEPARATOR, 0, NULL); - assert(rc); - } - AppendMenu(hmenu, MF_STRING, IDM_FIRST_LOGIN + id, menuitem); - - id++; - } -} - - -/* - * Function: Save the items on the file menu in the KERBEROS.INI file. - * - * Parameters: - * hwnd - handle of the dialog containing the file menu. - */ -static void -kwin_save_file_menu(HWND hwnd) -{ - HMENU hmenu; - int i; - int id; - int ctitems; - char menuitem[MAX_K_NAME_SZ + 3]; - - hmenu = GetMenu(hwnd); - assert(hmenu != NULL); - - hmenu = GetSubMenu(hmenu, 0); - assert(hmenu != NULL); - - ctitems = GetMenuItemCount(hmenu); - assert(ctitems >= FILE_MENU_ITEMS); - - id = 0; - for (i = FILE_MENU_ITEMS + 1; i < ctitems; i++) { - GetMenuString(hmenu, i, menuitem, sizeof(menuitem), MF_BYPOSITION); - - strcpy(cns_res.logins[id], menuitem + 3); - - id++; - } -} - - - -/* - * Function: Given an expiration time, choose an appropriate - * icon to display. - * - * Parameters: - * expiration time of expiration in time() compatible units - * - * Returns: Handle of icon to display - */ -HICON -kwin_get_icon(time_t expiration) -{ - int ixicon; - time_t dt; - - dt = expiration - time(NULL); - dt = dt / 60; /* convert to minutes */ - if (dt <= 0) - ixicon = IDI_EXPIRED - IDI_FIRST_CLOCK; - else if (dt > 60) - ixicon = IDI_TICKET - IDI_FIRST_CLOCK; - else - ixicon = (int)(dt / 5); - - return kwin_icons[ixicon]; -} - - -/* - * Function: Intialize name fields in the Kerberos dialog. - * - * Parameters: - * hwnd - the window recieving the message. - * - * fullname - the full kerberos name to initialize with - */ -void -kwin_init_name(HWND hwnd, char *fullname) -{ - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - int krc; -#ifdef KRB5 - krb5_error_code code; - char *ptr; -#endif - - if (fullname == NULL || fullname[0] == 0) { -#ifdef KRB4 - strcpy(name, krb_get_default_user()); - strcpy(instance, cns_res.instance); - krc = krb_get_lrealm(realm, 1); - if (krc != KSUCCESS) - realm[0] = 0; - strcpy(realm, cns_res.realm); -#endif /* KRB4 */ - -#ifdef KRB5 - strcpy(name, cns_res.name); - - *realm = '\0'; - code = krb5_get_default_realm(k5_context, &ptr); - if (!code) { - strcpy(realm, ptr); - /* free(ptr); XXX */ - } - strcpy(realm, cns_res.realm); -#endif /* KRB5 */ - - } else { -#ifdef KRB4 - kname_parse(name, instance, realm, fullname); - SetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance); -#endif - -#ifdef KRB5 - krc = k5_kname_parse(name, realm, fullname); - *instance = '\0'; -#endif - } - - SetDlgItemText(hwnd, IDD_LOGIN_NAME, name); - SetDlgItemText(hwnd, IDD_LOGIN_REALM, realm); -} - - -/* - * Function: Set the focus to the name control if no name - * exists, the realm control if no realm exists or the - * password control. Uses PostMessage not SetFocus. - * - * Parameters: - * hwnd - the Window handle of the parent. - */ -void -kwin_set_default_focus(HWND hwnd) -{ - char name[ANAME_SZ]; - char realm[REALM_SZ]; - HWND hwnditem; - - GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); - - trim(name); - if (strlen(name) <= 0) - hwnditem = GetDlgItem(hwnd, IDD_LOGIN_NAME); - else { - GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); - trim(realm); - - if (strlen(realm) <= 0) - hwnditem = GetDlgItem(hwnd, IDD_LOGIN_REALM); - else - hwnditem = GetDlgItem(hwnd, IDD_LOGIN_PASSWORD); - } - - PostMessage(hwnd, WM_NEXTDLGCTL, (WPARAM)hwnditem, MAKELONG(1, 0)); -} - - -/* - * Function: Save the values which live in the KERBEROS.INI file. - * - * Parameters: - * hwnd - the window handle of the dialog containing fields to - * be saved - */ -static void -kwin_save_name(HWND hwnd) -{ - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - - GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); - trim(name); - -#ifdef KRB4 - krb_set_default_user(name); - GetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance, sizeof(instance)); - trim(instance); - strcpy(cns_res.instance, instance); -#endif - -#ifdef KRB5 - strcpy(cns_res.name, name); - *instance = '\0'; -#endif - - GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); - trim(realm); - strcpy(cns_res.realm, realm); - - kwin_push_login(hwnd, name, instance, realm); -} - - -/* - * Function: Process WM_INITDIALOG messages. Set the fonts - * for all items on the dialog and populate the ticket list. - * Also set the default values for user, instance and realm. - * - * Returns: TRUE if we didn't set the focus here, - * FALSE if we did. - */ -static BOOL -kwin_initdialog(HWND hwnd, HWND hwndFocus, LPARAM lParam) -{ - LOGFONT lf; - HDC hdc; - char name[ANAME_SZ]; - - position_dialog(hwnd); - ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST)); - kwin_init_file_menu(hwnd); - kwin_init_name(hwnd, (char *)lParam); - hdc = GetDC(NULL); - assert(hdc != NULL); - - memset(&lf, 0, sizeof(lf)); - lf.lfHeight = -MulDiv(9, GetDeviceCaps(hdc, LOGPIXELSY), 72); - strcpy(lf.lfFaceName, "Arial"); - hfontdialog = CreateFontIndirect(&lf); - assert(hfontdialog != NULL); - - if (hfontdialog == NULL) { - ReleaseDC(NULL, hdc); - - return TRUE; - } - - lf.lfHeight = -MulDiv(8, GetDeviceCaps(hdc, LOGPIXELSY), 72); - hfonticon = CreateFontIndirect(&lf); - assert(hfonticon != NULL); - - if (hfonticon == NULL) { - ReleaseDC(NULL, hdc); - - return TRUE; - } - - ReleaseDC(NULL, hdc); - - set_dialog_font(hwnd, hfontdialog); - GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); - trim(name); - - if (strlen(name) > 0) - SetFocus(GetDlgItem(hwnd, IDD_LOGIN_PASSWORD)); - else - SetFocus(GetDlgItem(hwnd, IDD_LOGIN_NAME)); - - ShowWindow(hwnd, dlgncmdshow); - - kwin_timer_id = SetTimer(hwnd, 1, KWIN_UPDATE_PERIOD, NULL); - assert(kwin_timer_id != 0); - - return FALSE; -} - - -/* - * Function: Process WM_DESTROY messages. Delete the font - * created for use by the controls. - */ -static void -kwin_destroy(HWND hwnd) -{ - RECT r; - - ticket_destroy(GetDlgItem(hwnd, IDD_TICKET_LIST)); - - if (hfontdialog != NULL) - DeleteObject(hfontdialog); - - if (hfonticon != NULL) - DeleteObject(hfonticon); - - kwin_save_file_menu(hwnd); - GetWindowRect(hwnd, &r); - cns_res.x = r.left; - cns_res.y = r.top; - cns_res.cx = r.right - r.left; - cns_res.cy = r.bottom - r.top; - - KillTimer(hwnd, kwin_timer_id); -} - - -/* - * Function: Retrievs item WindowRect in hwnd client - * coordiate system. - * - * Parameters: - * hwnditem - the item to retrieve - * - * item - dialog in which into which to translate - * - * r - rectangle returned - */ -static void -windowrect(HWND hwnditem, HWND hwnd, RECT *r) -{ - GetWindowRect(hwnditem, r); - ScreenToClient(hwnd, (LPPOINT)&(r->left)); - ScreenToClient(hwnd, (LPPOINT)&(r->right)); -} - - -/* - * Function: Process WM_SIZE messages. Resize the - * list and position the buttons attractively. - */ -static void -kwin_size(HWND hwnd, UINT state, int cxdlg, int cydlg) -{ -#define listgap 8 - RECT r; - RECT rdlg; - int hmargin, vmargin; - HWND hwnditem; - int cx, cy; - int i; - int titlebottom; - int editbottom; - int listbottom; - int gap; - int left; - int titleleft[IDD_MAX_TITLE - IDD_MIN_TITLE + 1]; - - if (state == SIZE_MINIMIZED) - return; - - GetClientRect(hwnd, &rdlg); - - /* - * The ticket list title - */ - hwnditem = GetDlgItem(hwnd, IDD_TICKET_LIST_TITLE); - - if (hwnditem == NULL) - return; - - windowrect(hwnditem, hwnd, &r); - hmargin = r.left; - vmargin = r.top; - cx = cxdlg - 2 * hmargin; - cy = r.bottom - r.top; - MoveWindow(hwnditem, r.left, r.top, cx, cy, TRUE); - - /* - * The buttons - */ - cx = 0; - - for (i = IDD_MIN_BUTTON; i <= IDD_MAX_BUTTON; i++) { - hwnditem = GetDlgItem(hwnd, i); - windowrect(hwnditem, hwnd, &r); - if (i == IDD_MIN_BUTTON) - hmargin = r.left; - - cx += r.right - r.left; - } - - gap = (cxdlg - 2 * hmargin - cx) / (IDD_MAX_BUTTON - IDD_MIN_BUTTON); - left = hmargin; - for (i = IDD_MIN_BUTTON; i <= IDD_MAX_BUTTON; i++) { - hwnditem = GetDlgItem(hwnd, i); - windowrect(hwnditem, hwnd, &r); - editbottom = -r.top; - cx = r.right - r.left; - cy = r.bottom - r.top; - r.top = rdlg.bottom - vmargin - cy; - MoveWindow(hwnditem, left, r.top, cx, cy, TRUE); - - left += cx + gap; - } - - /* - * Edit fields: stretch boxes, keeping the gap between boxes equal to - * what it was on entry. - */ - editbottom += r.top; - - hwnditem = GetDlgItem(hwnd, IDD_MIN_EDIT); - windowrect(hwnditem, hwnd, &r); - gap = r.right; - hmargin = r.left; - editbottom += r.bottom; - titlebottom = -r.top; - - hwnditem = GetDlgItem(hwnd, IDD_MIN_EDIT + 1); - windowrect(hwnditem, hwnd, &r); - gap = r.left - gap; - - cx = cxdlg - 2 * hmargin - (IDD_MAX_EDIT - IDD_MIN_EDIT) * gap; - cx = cx / (IDD_MAX_EDIT - IDD_MIN_EDIT + 1); - left = hmargin; - - for (i = IDD_MIN_EDIT; i <= IDD_MAX_EDIT; i++) { - hwnditem = GetDlgItem(hwnd, i); - windowrect(hwnditem, hwnd, &r); - cy = r.bottom - r.top; - r.top = editbottom - cy; - MoveWindow(hwnditem, left, r.top, cx, cy, TRUE); - titleleft[i-IDD_MIN_EDIT] = left; - - left += cx + gap; - } - - /* - * Edit field titles - */ - titlebottom += r.top; - windowrect(GetDlgItem(hwnd, IDD_MIN_TITLE), hwnd, &r); - titlebottom += r.bottom; - listbottom = -r.top; - - for (i = IDD_MIN_TITLE; i <= IDD_MAX_TITLE; i++) { - hwnditem = GetDlgItem(hwnd, i); - windowrect(hwnditem, hwnd, &r); - cx = r.right - r.left; - cy = r.bottom - r.top; - r.top = titlebottom - cy; - MoveWindow(hwnditem, titleleft[i-IDD_MIN_TITLE], r.top, cx, cy, TRUE); - } - - /* - * The list - */ - listbottom = r.top - listgap; - hwnditem = GetDlgItem(hwnd, IDD_TICKET_LIST); - windowrect(hwnditem, hwnd, &r); - hmargin = r.left; - cx = cxdlg - 2 * hmargin; - cy = listbottom - r.top; - MoveWindow(hwnditem, r.left, r.top, cx, cy, TRUE); -} - - -/* - * Function: Process WM_GETMINMAXINFO messages - */ -static void -kwin_getminmaxinfo(HWND hwnd, LPMINMAXINFO lpmmi) -{ - lpmmi->ptMinTrackSize.x = - (KWIN_MIN_WIDTH * LOWORD(GetDialogBaseUnits())) / 4; - - lpmmi->ptMinTrackSize.y = - (KWIN_MIN_HEIGHT * HIWORD(GetDialogBaseUnits())) / 8; -} - - -/* - * Function: Process WM_TIMER messages - */ -static void -kwin_timer(HWND hwnd, UINT timer_id) -{ - HWND hwndfocus; - time_t t; - time_t expiration; - BOOL expired; -#ifdef KRB4 - CREDENTIALS c; - int ncred; - int i; - char service[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; -#endif -#ifdef KRB5 - krb5_error_code code; - krb5_cc_cursor cursor; - krb5_creds cred; - int n; - char *s; -#endif - - if (timer_id != 1) { - FORWARD_WM_TIMER(hwnd, timer_id, DefDlgProc); - return; - } - - expired = FALSE; - ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST)); - - if (alerted) { - if (IsIconic(hwnd)) - InvalidateRect(hwnd, NULL, TRUE); - - return; - } - -#ifdef KRB4 - ncred = krb_get_num_cred(); - for (i = 1; i <= ncred; i++) { - krb_get_nth_cred(service, instance, realm, i); - - if (_stricmp(service, "krbtgt") == 0) { - /* Warn if ticket will expire w/i TIME_BUFFER seconds */ - krb_get_cred(service, instance, realm, &c); - expiration = c.issue_date + (long)c.lifetime * 5L * 60L; - t = TIME_BUFFER + time(NULL); - - if (t >= expiration) { - expired = TRUE; - /* Don't alert because of stale tickets */ - if (t >= expiration + KWIN_UPDATE_PERIOD / 1000) { - alerted = TRUE; - - if (IsIconic(hwnd)) - InvalidateRect(hwnd, NULL, TRUE); - return; - } - break; - } - } - } -#endif - -#ifdef KRB5 - code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor); - - while (code == 0) { - code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &cred); - if (code) - break; - n = krb5_princ_component(k5_context, cred.server, 0)->length; - s = krb5_princ_component(k5_context, cred.server, 0)->data; - if (n != KRB5_TGS_NAME_SIZE) - continue; - if (memcmp(KRB5_TGS_NAME, s, KRB5_TGS_NAME_SIZE)) - continue; - - /* Warn if ticket will expire w/i TIME_BUFFER seconds */ - expiration = cred.times.endtime; - t = TIME_BUFFER + time(NULL); - - if (t >= expiration) { - expired = TRUE; - /* Don't alert because of stale tickets */ - if (t >= expiration + KWIN_UPDATE_PERIOD / 1000) { - alerted = TRUE; - - if (IsIconic(hwnd)) - InvalidateRect(hwnd, NULL, TRUE); - return; - } - break; - } - } - if (code == 0 || code == KRB5_CC_END) - krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor); - -#endif - - if (!expired) { - if (IsIconic(hwnd)) - InvalidateRect(hwnd, NULL, TRUE); - - return; - } - - alerted = TRUE; - - if (beep) - MessageBeep(MB_ICONEXCLAMATION); - - if (alert) { - if (IsIconic(hwnd)) { - hwndfocus = GetFocus(); - ShowWindow(hwnd, SW_RESTORE); - SetWindowPos(hwnd, HWND_TOP, 0, 0, 0, 0, - SWP_NOACTIVATE | SWP_SHOWWINDOW | SWP_NOMOVE | SWP_NOSIZE); - SetFocus(hwndfocus); - } - - SetWindowPos(hwnd, HWND_TOP, 0, 0, 0, 0, - SWP_NOACTIVATE | SWP_SHOWWINDOW | SWP_NOMOVE | SWP_NOSIZE); - - return; - } - - if (IsIconic(hwnd)) - InvalidateRect(hwnd, NULL, TRUE); -} - -/* - * Function: Process WM_COMMAND messages - */ -static void -kwin_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify) -{ - char name[ANAME_SZ]; - char realm[REALM_SZ]; - char password[MAX_KPW_LEN]; - HCURSOR hcursor; - BOOL blogin; - HMENU hmenu; - char menuitem[MAX_K_NAME_SZ + 3]; - char copyright[128]; - int id; -#ifdef KRB4 - char instance[INST_SZ]; - int lifetime; - int krc; -#endif -#ifdef KRB5 - long lifetime; - krb5_error_code code; - krb5_principal principal; - krb5_creds creds; - krb5_get_init_creds_opt opts; - gic_data gd; -#endif - -#ifdef KRB4 - EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), krb_get_num_cred() > 0); -#endif - -#ifdef KRB5 - EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), k5_get_num_cred(1) > 0); -#endif - - GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); - trim(name); - blogin = strlen(name) > 0; - - if (blogin) { - GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); - trim(realm); - blogin = strlen(realm) > 0; - } - - if (blogin) { - GetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, password, sizeof(password)); - blogin = strlen(password) > 0; - } - - EnableWindow(GetDlgItem(hwnd, IDD_LOGIN), blogin); - id = (blogin) ? IDD_LOGIN : IDD_PASSWORD_CR2; - SendMessage(hwnd, DM_SETDEFID, id, 0); - - if (codeNotify != BN_CLICKED && codeNotify != 0 && codeNotify != 1) - return; /* FALSE */ - - /* - * Check to see if this item is in a list of the ``recent hosts'' sort - * of list, under the FILE menu. - */ - if (cid >= IDM_FIRST_LOGIN && cid < IDM_FIRST_LOGIN + FILE_MENU_MAX_LOGINS) { - hmenu = GetMenu(hwnd); - assert(hmenu != NULL); - - hmenu = GetSubMenu(hmenu, 0); - assert(hmenu != NULL); - - if (!GetMenuString(hmenu, cid, menuitem, sizeof(menuitem), MF_BYCOMMAND)) - return; /* TRUE */ - - if (menuitem[0]) - kwin_init_name(hwnd, &menuitem[3]); - - return; /* TRUE */ - } - - switch (cid) { - case IDM_EXIT: - if (isblocking) - WSACancelBlockingCall(); - WinHelp(hwnd, KERBEROS_HLP, HELP_QUIT, 0); - PostQuitMessage(0); - - return; /* TRUE */ - - case IDD_PASSWORD_CR2: /* Make CR == TAB */ - id = GetDlgCtrlID(GetFocus()); - assert(id != 0); - - if (id == IDD_MAX_EDIT) - PostMessage(hwnd, WM_NEXTDLGCTL, - (WPARAM)GetDlgItem(hwnd, IDD_MIN_EDIT), MAKELONG(1, 0)); - else - PostMessage(hwnd, WM_NEXTDLGCTL, 0, 0); - - return; /* TRUE */ - - case IDD_LOGIN: - if (isblocking) - return; /* TRUE */ - - GetDlgItemText(hwnd, IDD_LOGIN_NAME, name, sizeof(name)); - trim(name); - GetDlgItemText(hwnd, IDD_LOGIN_REALM, realm, sizeof(realm)); - trim(realm); - GetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, password, sizeof(password)); - SetDlgItemText(hwnd, IDD_LOGIN_PASSWORD, ""); /* nuke the password */ - trim(password); - -#ifdef KRB4 - GetDlgItemText(hwnd, IDD_LOGIN_INSTANCE, instance, sizeof(instance)); - trim(instance); -#endif - - hcursor = SetCursor(LoadCursor(NULL, IDC_WAIT)); - lifetime = cns_res.lifetime; - start_blocking_hook(BLOCK_MAX_SEC); - -#ifdef KRB4 - lifetime = (lifetime + 4) / 5; - krc = krb_get_pw_in_tkt(name, instance, realm, "krbtgt", realm, - lifetime, password); -#endif - -#ifdef KRB5 - principal = NULL; - - /* - * convert the name + realm into a krb5 principal string and parse it into a principal - */ - sprintf(menuitem, "%s@%s", name, realm); - code = krb5_parse_name(k5_context, menuitem, &principal); - if (code) - goto errorpoint; - - /* - * set the various ticket options. First, initialize the structure, then set the ticket - * to be forwardable if desired, and set the lifetime. - */ - krb5_get_init_creds_opt_init(&opts); - krb5_get_init_creds_opt_set_forwardable(&opts, forwardable); - krb5_get_init_creds_opt_set_tkt_life(&opts, lifetime * 60); - if (noaddresses) { - krb5_get_init_creds_opt_set_address_list(&opts, NULL); - } - - /* - * get the initial creds using the password and the options we set above - */ - gd.hinstance = hinstance; - gd.hwnd = hwnd; - gd.id = ID_VARDLG; - code = krb5_get_init_creds_password(k5_context, &creds, principal, password, - gic_prompter, &gd, 0, NULL, &opts); - if (code) - goto errorpoint; - - /* - * initialize the credential cache - */ - code = krb5_cc_initialize(k5_context, k5_ccache, principal); - if (code) - goto errorpoint; - - /* - * insert the principal into the cache - */ - code = krb5_cc_store_cred(k5_context, k5_ccache, &creds); - - errorpoint: - - if (principal) - krb5_free_principal(k5_context, principal); - - end_blocking_hook(); - SetCursor(hcursor); - kwin_set_default_focus(hwnd); - - if (code) { - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - MessageBox(hwnd, "Password incorrect", NULL, - MB_OK | MB_ICONEXCLAMATION); - else - com_err(NULL, code, "while logging in"); - } -#endif /* KRB5 */ - -#ifdef KRB4 - if (krc != KSUCCESS) { - MessageBox(hwnd, krb_get_err_text(krc), "", - MB_OK | MB_ICONEXCLAMATION); - - return; /* TRUE */ - } -#endif - - kwin_save_name(hwnd); - alerted = FALSE; - - switch (action) { - case LOGIN_AND_EXIT: - SendMessage(hwnd, WM_COMMAND, GET_WM_COMMAND_MPS(IDM_EXIT, 0, 0)); - break; - - case LOGIN_AND_MINIMIZE: - ShowWindow(hwnd, SW_MINIMIZE); - break; - } - - return; /* TRUE */ - - case IDD_TICKET_DELETE: - if (isblocking) - return; /* TRUE */ - -#ifdef KRB4 - krc = dest_tkt(); - if (krc != KSUCCESS) - MessageBox(hwnd, krb_get_err_text(krc), "", - MB_OK | MB_ICONEXCLAMATION); -#endif - -#ifdef KRB5 - code = k5_dest_tkt(); -#endif - - kwin_set_default_focus(hwnd); - alerted = FALSE; - - return; /* TRUE */ - - case IDD_CHANGE_PASSWORD: - if (isblocking) - return; /* TRUE */ - password_dialog(hwnd); - kwin_set_default_focus(hwnd); - - return; /* TRUE */ - - case IDM_OPTIONS: - if (isblocking) - return; /* TRUE */ - opts_dialog(hwnd); - - return; /* TRUE */ - - case IDM_HELP_INDEX: - WinHelp(hwnd, KERBEROS_HLP, HELP_INDEX, 0); - - return; /* TRUE */ - - case IDM_ABOUT: - ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST)); - if (isblocking) - return; /* TRUE */ - -#ifdef KRB4 - strcpy(copyright, " Kerberos 4 for Windows "); -#endif -#ifdef KRB5 - strcpy(copyright, " Kerberos V5 for Windows "); -#endif -#ifdef _WIN32 - strncat(copyright, "32-bit\n", sizeof(copyright) - 1 - strlen(copyright)); -#else - strncat(copyright, "16-bit\n", sizeof(copyright) - 1 - strlen(copyright)); -#endif - strncat(copyright, "\n Version 1.12\n\n", - sizeof(copyright) - 1 - strlen(copyright)); -#ifdef ORGANIZATION - strncat(copyright, " For information, contact:\n", - sizeof(copyright) - 1 - strlen(copyright)); - strncat(copyright, ORGANIZATION, sizeof(copyright) - 1 - strlen(copyright)); -#endif - MessageBox(hwnd, copyright, KWIN_DIALOG_NAME, MB_OK); - - return; /* TRUE */ - } - - return; /* FALSE */ -} - - -/* - * Function: Process WM_SYSCOMMAND messages by setting - * the focus to the password or name on restore. - */ -static void -kwin_syscommand(HWND hwnd, UINT cmd, int x, int y) -{ - if (cmd == SC_RESTORE) - kwin_set_default_focus(hwnd); - - if (cmd == SC_CLOSE) { - SendMessage(hwnd, WM_COMMAND, GET_WM_COMMAND_MPS(IDM_EXIT, 0, 0)); - return; - } - - FORWARD_WM_SYSCOMMAND(hwnd, cmd, x, y, DefDlgProc); -} - - -/* - * Function: Process WM_PAINT messages by displaying an - * informative icon when we are iconic. - */ -static void -kwin_paint(HWND hwnd) -{ - HDC hdc; - PAINTSTRUCT ps; - HICON hicon; - time_t expiration = 0; - time_t dt; - char buf[20]; - RECT r; -#ifdef KRB4 - int i; - int ncred; - char service[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - CREDENTIALS c; -#endif -#ifdef KRB5 - krb5_error_code code; - krb5_cc_cursor cursor; - krb5_creds c; - int n; - char *service; -#endif - - if (!IsIconic(hwnd)) { - FORWARD_WM_PAINT(hwnd, DefDlgProc); - return; - } - -#ifdef KRB4 - ncred = krb_get_num_cred(); - - for (i = 1; i <= ncred; i++) { - krb_get_nth_cred(service, instance, realm, i); - krb_get_cred(service, instance, realm, &c); - if (_stricmp(c.service, "krbtgt") == 0) { - expiration = c.issue_date - kwin_get_epoch() - + (long)c.lifetime * 5L * 60L; - break; - } - } -#endif - -#ifdef KRB5 - code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor); - - while (code == 0) { - code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c); - if (code) - break; - n = krb5_princ_component(k5_context, c.server, 0)->length; - service = krb5_princ_component(k5_context, c.server, 0)->data; - if (n != KRB5_TGS_NAME_SIZE) - continue; - if (memcmp(KRB5_TGS_NAME, service, KRB5_TGS_NAME_SIZE)) - continue; - expiration = c.times.endtime; - break; - - } - if (code == 0 || code == KRB5_CC_END) - krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor); -#endif - - hdc = BeginPaint(hwnd, &ps); - GetClientRect(hwnd, &r); - DefWindowProc(hwnd, WM_ICONERASEBKGND, (WPARAM)hdc, 0); - - if (expiration == 0) { - strcpy(buf, KWIN_DIALOG_NAME); - hicon = LoadIcon(hinstance, MAKEINTRESOURCE(IDI_KWIN)); - } - else { - hicon = kwin_get_icon(expiration); - dt = (expiration - time(NULL)) / 60; - - if (dt <= 0) - sprintf(buf, "%s - %s", KWIN_DIALOG_NAME, "Expired"); - else if (dt < 60) { - dt %= 60; - sprintf(buf, "%s - %ld min", KWIN_DIALOG_NAME, dt); - } - else { - dt /= 60; - sprintf(buf, "%s - %ld hr", KWIN_DIALOG_NAME, dt); - } - - buf[sizeof(buf) - 1] = '\0'; - if (dt > 1) - strncat(buf, "s", sizeof(buf) - 1 - strlen(buf)); - } - - DrawIcon(hdc, r.left, r.top, hicon); - EndPaint(hwnd, &ps); - SetWindowText(hwnd, buf); -} - - -/* - * Function: Window procedure for the Kerberos control panel dialog. - */ -LRESULT CALLBACK -kwin_wnd_proc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - -#if 0 - if (message == wm_kerberos_changed) { /* Message from the ccache */ - n = ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST)); - EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), n > 0); - - return 0; - } -#endif - - switch (message) { - HANDLE_MSG(hwnd, WM_GETMINMAXINFO, kwin_getminmaxinfo); - - HANDLE_MSG(hwnd, WM_DESTROY, kwin_destroy); - - HANDLE_MSG(hwnd, WM_MEASUREITEM, ticket_measureitem); - - HANDLE_MSG(hwnd, WM_DRAWITEM, ticket_drawitem); - - case WM_SETCURSOR: - if (isblocking) { - SetCursor(LoadCursor(NULL, IDC_WAIT)); - return TRUE; - } - break; - - HANDLE_MSG(hwnd, WM_SIZE, kwin_size); - - HANDLE_MSG(hwnd, WM_SYSCOMMAND, kwin_syscommand); - - HANDLE_MSG(hwnd, WM_TIMER, kwin_timer); - - HANDLE_MSG(hwnd, WM_PAINT, kwin_paint); - - case WM_ERASEBKGND: - if (!IsIconic(hwnd)) - break; - return 0; - - case WM_KWIN_SETNAME: - kwin_init_name(hwnd, (char *)lParam); - } - - return DefDlgProc(hwnd, message, wParam, lParam); -} - - -/* - * Function: Dialog procedure called by the dialog manager - * to process dialog specific messages. - */ -static BOOL CALLBACK -kwin_dlg_proc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - switch (message) { - HANDLE_MSG(hwnd, WM_INITDIALOG, kwin_initdialog); - - HANDLE_MSG(hwnd, WM_COMMAND, kwin_command); - } - - return FALSE; -} - - -/* - * Function: Initialize the kwin dialog class. - * - * Parameters: - * hinstance - the instance to initialize - * - * Returns: TRUE if dialog class registration is sucessfully, false otherwise. - */ -static BOOL -kwin_init(HINSTANCE hinstance) -{ - WNDCLASS class; - ATOM rc; - - class.style = CS_HREDRAW | CS_VREDRAW; - class.lpfnWndProc = (WNDPROC)kwin_wnd_proc; - class.cbClsExtra = 0; - class.cbWndExtra = DLGWINDOWEXTRA; - class.hInstance = hinstance; - class.hIcon = NULL; - /* LoadIcon(hinstance, MAKEINTRESOURCE(IDI_KWIN)); */ - class.hCursor = NULL; - class.hbrBackground = NULL; - class.lpszMenuName = NULL; - class.lpszClassName = KWIN_DIALOG_CLASS; - - rc = RegisterClass(&class); - assert(rc); - - return rc; -} - - -/* - * Function: Initialize the KWIN application. This routine should - * only be called if no previous instance of the application - * exists. Currently it only registers a class for the kwin - * dialog type. - * - * Parameters: - * hinstance - the instance to initialize - * - * Returns: TRUE if initialized sucessfully, false otherwise. - */ -static BOOL -init_application(HINSTANCE hinstance) -{ - BOOL rc; - -#if 0 -#ifdef KRB4 - wm_kerberos_changed = krb_get_notification_message(); -#endif - -#ifdef KRB5 - wm_kerberos_changed = krb5_get_notification_message(); -#endif -#endif - - rc = kwin_init(hinstance); - - return rc; -} - - -/* - * Function: Quits the KWIN application. This routine should - * be called when the last application instance exits. - * - * Parameters: - * hinstance - the instance which is quitting. - * - * Returns: TRUE if initialized sucessfully, false otherwise. - */ -static BOOL -quit_application(HINSTANCE hinstance) -{ - return TRUE; -} - - -/* - * Function: Initialize the current instance of the KWIN application. - * - * Parameters: - * hinstance - the instance to initialize - * - * ncmdshow - show flag to indicate wheather to come up minimized - * or not. - * - * Returns: TRUE if initialized sucessfully, false otherwise. - */ -static BOOL -init_instance(HINSTANCE hinstance, int ncmdshow) -{ - WORD versionrequested; - WSADATA wsadata; - int rc; - int i; - - versionrequested = 0x0101; /* We need version 1.1 */ - rc = WSAStartup(versionrequested, &wsadata); - if (rc != 0) { - MessageBox(NULL, "Couldn't initialize Winsock library", "", - MB_OK | MB_ICONSTOP); - - return FALSE; - } - - if (versionrequested != wsadata.wVersion) { - WSACleanup(); - MessageBox(NULL, "Winsock version 1.1 not available", "", - MB_OK | MB_ICONSTOP); - - return FALSE; - } - -#ifdef KRB5 - { - krb5_error_code code; - - code = krb5_init_context(&k5_context); - if (!code) { -#if 0 /* Not needed under windows */ - krb5_init_ets(k5_context); -#endif - code = k5_init_ccache(&k5_ccache); - } - if (code) { - com_err(NULL, code, "while initializing program"); - return FALSE; - } - k5_name_from_ccache(k5_ccache); - } -#endif - - cns_load_registry(); - - /* - * Set up expiration action - */ - alert = cns_res.alert; - beep = cns_res.beep; - - /* - * ticket options - */ - forwardable = cns_res.forwardable; - noaddresses = cns_res.noaddresses; - - /* - * Load clock icons - */ - for (i = IDI_FIRST_CLOCK; i <= IDI_LAST_CLOCK; i++) - kwin_icons[i - IDI_FIRST_CLOCK] = LoadIcon(hinstance, MAKEINTRESOURCE(i)); - -#ifdef KRB4 - krb_start_session(NULL); -#endif - - return TRUE; -} - - -/* - * Function: Quits the current instance of the KWIN application. - * - * Parameters: - * hinstance - the instance to quit. - * - * Returns: TRUE if termination was sucessfully, false otherwise. - */ -static BOOL -quit_instance(HINSTANCE hinstance) -{ - int i; - -#ifdef KRB4 - krb_end_session(NULL); -#endif - -#ifdef KRB5 /* FIXME */ - krb5_cc_close(k5_context, k5_ccache); -#endif - - WSACleanup(); - - /* - * Unload clock icons - */ - for (i = IDI_FIRST_CLOCK; i <= IDI_LAST_CLOCK; i++) - DestroyIcon(kwin_icons[i - IDI_FIRST_CLOCK]); - - return TRUE; -} - - -/* - * Function: Main routine called on program invocation. - * - * Parameters: - * hinstance - the current instance - * - * hprevinstance - previous instance if one exists or NULL. - * - * cmdline - the command line string passed by Windows. - * - * ncmdshow - show flag to indicate wheather to come up minimized - * or not. - * - * Returns: TRUE if initialized sucessfully, false otherwise. - */ -int PASCAL -WinMain(HINSTANCE hinst, HINSTANCE hprevinstance, LPSTR cmdline, int ncmdshow) -{ - DLGPROC dlgproc; - HWND hwnd; - HACCEL haccel; - MSG msg; - char *p; - char buf[MAX_K_NAME_SZ + 9]; - char name[MAX_K_NAME_SZ]; - - strcpy(buf, cmdline); - action = LOGIN_AND_RUN; - name[0] = 0; - p = strtok(buf, " ,"); - - while (p != NULL) { - if (_stricmp(p, "/exit") == 0) - action = LOGIN_AND_EXIT; - else if (_stricmp(p, "/minimize") == 0) - action = LOGIN_AND_MINIMIZE; - else - strcpy(name, p); - - p = strtok(NULL, " ,"); - } - - dlgncmdshow = ncmdshow; - hinstance = hinst; - -#ifndef _WIN32 - /* - * If a previous instance of this application exits, bring it - * to the front and exit. - * - * This code is not compiled for WIN32, since hprevinstance will always - * be NULL. - */ - if (hprevinstance != NULL) { - hwnd = FindWindow(KWIN_DIALOG_CLASS, NULL); - - if (IsWindow(hwnd) && IsWindowVisible(hwnd)) { - if (GetWindowWord(hwnd, GWW_HINSTANCE) == hprevinstance) { - if (name[0]) - SendMessage(hwnd, WM_KWIN_SETNAME, 0, (LONG)name); - - ShowWindow(hwnd, ncmdshow); - SetWindowPos(hwnd, HWND_TOP, 0, 0, 0, 0, - SWP_SHOWWINDOW | SWP_NOMOVE | SWP_NOSIZE); - - return FALSE; - } - } - } - - if (hprevinstance == NULL) -#endif /* _WIN32 */ - - if (!init_application(hinstance)) - return FALSE; - - if (!init_instance(hinstance, ncmdshow)) - return FALSE; - -#ifdef _WIN32 - dlgproc = kwin_dlg_proc; -#else - dlgproc = (FARPROC)MakeProcInstance(kwin_dlg_proc, hinstance); - assert(dlgproc != NULL); - - if (dlgproc == NULL) - return 1; -#endif - - hwnd = CreateDialogParam(hinstance, MAKEINTRESOURCE(ID_KWIN), - HWND_DESKTOP, dlgproc, (LONG)name); - assert(hwnd != NULL); - - if (hwnd == NULL) - return 1; - haccel = LoadAccelerators(hinstance, MAKEINTRESOURCE(IDA_KWIN)); - assert(hwnd != NULL); - - while (GetMessage(&msg, NULL, 0, 0)) { - if (!TranslateAccelerator(hwnd, haccel, &msg) && - !IsDialogMessage(hwnd, &msg)) { - TranslateMessage(&msg); - DispatchMessage(&msg); - } - } - - DestroyWindow(hwnd); - -#ifndef _WIN32 - FreeProcInstance((FARPROC)dlgproc); -#endif - - cns_save_registry(); - - return 0; -} - - -#if 0 - -#define WM_ASYNC_COMPLETED (WM_USER + 1) -#define GETHOSTBYNAME_CLASS "krb_gethostbyname" -static HTASK htaskasync; /* Asynchronos call in progress */ -static BOOL iscompleted; /* True when async call is completed */ - -/* - * This routine is called to cancel a blocking hook call within - * the Kerberos library. The need for this routine arises due - * to bugs which exist in existing WINSOCK implementations. We - * blocking gethostbyname with WSAASyncGetHostByName. In order - * to cancel such an operation, this routine must be called. - * Applications may call this routine in addition to calls to - * WSACancelBlockingCall to get any sucy Async calls canceled. - * Return values are as they would be for WSACancelAsyncRequest. - */ -int -krb_cancel_blocking_call(void) -{ - if (htaskasync == NULL) - return 0; - iscompleted = TRUE; - - return WSACancelAsyncRequest(htask); -} - - -/* - * Window proceedure for temporary Windows created in - * krb_gethostbyname. Fields completion messages. - */ -LRESULT CALLBACK -krb_gethostbyname_wnd_proc(HWND hwnd, UINT message, - WPARAM wParam, LPARAM lParam) -{ - if (message == WM_ASYNC_COMPLETED) { - iscompleted = TRUE; - return 0; - } - - return DefWindowProc(hwnd, message, wParam, lParam); -} - - -/* - * The WINSOCK routine gethostbyname has a bug in both FTP and NetManage - * implementations which causes the blocking hook, if any, not to be - * called. This routine attempts to work around the problem by using - * the async routines to emulate the functionality of the synchronous - * routines - */ -struct hostent *PASCAL -krb_gethostbyname( - const char *name) -{ - HWND hwnd; - char buf[MAXGETHOSTSTRUCT]; - BOOL FARPROC blockinghook; - WNDCLASS wc; - static BOOL isregistered; - - blockinghook = WSASetBlockingHook(NULL); - WSASetBlockingHook(blockinghook); - - if (blockinghook == NULL) - return gethostbyname(name); - - if (RegisterWndClass() == NULL) - return gethostbyname(name); - - if (!isregistered) { - wc.style = 0; - wc.lpfnWndProc = gethostbyname_wnd_proc; - wc.cbClsExtra = 0; - wc.cbWndExtra = 0; - wc.hInstance = hlibinstance; - wc.hIcon = NULL; - wc.hCursor = NULL; - wc.hbrBackground = NULL; - wc.lpszMenuName = NULL; - wc.lpszClassName = GETHOSTBYNAME_CLASS; - - if (!RegisterClass(&wc)) - return gethostbyname(name); - - isregistered = TRUE; - } - - hwnd = CreateWindow(GETHOSTBYNAME_CLASS, "", WS_OVERLAPPED, - -100, -100, 0, 0, HWND_DESKTOP, NULL, hlibinstance, NULL); - if (hwnd == NULL) - return gethostbyname(name); - - htaskasync = - WSAAsyncGetHostByName(hwnd, WM_ASYNC_COMPLETED, name, buf, sizeof(buf)); - b = blockinghook(NULL); -} - -#endif /* if 0 */ - -#ifdef KRB5 - -/* - * Function: destroys all tickets in a k5 ccache - * - * Returns: K5 error code (0 == success) - */ -krb5_error_code -k5_dest_tkt(void) -{ - krb5_error_code code; - krb5_principal princ; - - if (code = krb5_cc_get_principal(k5_context, k5_ccache, &princ)) { - com_err(NULL, code, "while retrieving principal name"); - return code; - } - - code = krb5_cc_initialize(k5_context, k5_ccache, princ); - if (code != 0) { - com_err(NULL, code, "when re-initializing cache"); - krb5_free_principal(k5_context, princ); - return code; - } - - krb5_free_principal(k5_context, princ); - - return code; -} - -/* - * - * k5_get_num_cred - * - * Returns: number of creds in the credential cache, -1 on error - * - */ -int -k5_get_num_cred(int verbose) -{ - krb5_error_code code; - krb5_cc_cursor cursor; - krb5_creds c; - int ncreds = 0; - - if (code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor)) { - if (code == KRB5_FCC_NOFILE) - return 0; - if (verbose) - com_err(NULL, code, "while starting to retrieve tickets."); - return -1; - } - - while (1) { /* Loop and get creds */ - code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c); - if (code) - break; - ++ncreds; - } - - if (code != KRB5_CC_END) { /* Error while looping??? */ - if (verbose) - com_err(NULL, code, "while retrieving a ticket."); - return -1; - } - - if (code = krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor)) { - if (verbose) - com_err(NULL, code, "while closing ccache."); - } - - return ncreds; -} - -static int -k5_get_num_cred2() -{ - krb5_error_code code; - krb5_cc_cursor cursor; - krb5_creds c; - int ncreds = 0; - - code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor); - if (code == KRB5_FCC_NOFILE) - return 0; - - while (1) { - code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c); - if (code) - break; - ++ncreds; - } - - if (code == KRB5_CC_END) - krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor); - - return ncreds; -} - - -/* - * Function: Parses fullname into name and realm - * - * Parameters: - * name - buffer filled with name of user - * realm - buffer filled with realm of user - * fullname - string in form name.instance@realm - * - * Returns: 0 - */ -int -k5_kname_parse(char *name, char *realm, char *fullname) -{ - char *ptr; /* For parsing */ - - ptr = strchr(fullname, '@'); /* Name, realm separator */ - - if (ptr != NULL) /* Get realm */ - strcpy(realm, ptr + 1); - else - *realm = '\0'; - - if (ptr != NULL) { /* Get the name */ - strncpy(name, fullname, ptr - fullname); - name[ptr - fullname] = '\0'; - } else - strcpy(name, fullname); - - ptr = strchr(name, '.'); /* K4 compatability */ - if (ptr != NULL) - *ptr = '\0'; - - return 0; -} - - -/* - * Function: Initializes ccache and catches illegal caches such as - * bad format or no permissions. - * - * Parameters: - * ccache - credential cache structure to use - * - * Returns: krb5_error_code - */ -krb5_error_code -k5_init_ccache(krb5_ccache *ccache) -{ - krb5_error_code code; - krb5_principal princ; - FILE *fp; - - code = krb5_cc_default(k5_context, ccache); /* Initialize the ccache */ - if (code) - return code; - - code = krb5_cc_get_principal(k5_context, *ccache, &princ); - if (code == KRB5_FCC_NOFILE) { /* Doesn't exist yet */ - fp = fopen(krb5_cc_get_name(k5_context, *ccache), "w"); - if (fp == NULL) /* Can't open it */ - return KRB5_FCC_PERM; - fclose (fp); - } - - if (code) { /* Bad, delete and try again */ - remove(krb5_cc_get_name(k5_context, *ccache)); - code = krb5_cc_get_principal(k5_context, *ccache, &princ); - if (code == KRB5_FCC_NOFILE) /* Doesn't exist yet */ - return 0; - if (code) - return code; - } - - /* krb5_free_principal(k5_context, princ); */ - - return 0; -} - - -/* - * - * Function: Reads the name and realm out of the ccache. - * - * Parameters: - * ccache - credentials cache to get info from - * - * name - buffer to hold user name - * - * realm - buffer to hold the realm - * - * - * Returns: TRUE if read names, FALSE if not - * - */ -int -k5_name_from_ccache(krb5_ccache k5_ccache) -{ - krb5_error_code code; - krb5_principal princ; - char name[ANAME_SZ]; - char realm[REALM_SZ]; - char *defname; - - if (code = krb5_cc_get_principal(k5_context, k5_ccache, &princ)) - return FALSE; - - code = krb5_unparse_name(k5_context, princ, &defname); - if (code) { - return FALSE; - } - - k5_kname_parse(name, realm, defname); /* Extract the components */ - strcpy(cns_res.name, name); - strcpy(cns_res.realm, realm); - - return TRUE; -} -#endif /* KRB5 */ diff --git a/src/windows/cns/cns.h b/src/windows/cns/cns.h deleted file mode 100644 index cdd6da3..0000000 --- a/src/windows/cns/cns.h +++ /dev/null @@ -1,249 +0,0 @@ -/* - * cns.h - * - * Public Domain -- written by Cygnus Support. - */ - -/* Only one time, please */ -#ifndef KWIN_DEFS -#define KWIN_DEFS - -#if !defined(KRB4) && !defined(KRB5) -#define KRB5 -#endif - -#ifndef RC_INVOKED - -#ifdef KRB4 -#include "mit-copyright.h" -#include "krb.h" -#include "kadm.h" -#include "org.h" -#endif - -#ifdef KRB5 -#include "winsock.h" -#include "krb5.h" -#include "krbini.h" -#include "com_err.h" - -#define DEFAULT_TKT_LIFE 120 /* In 5 minute units */ -#define ANAME_SZ 40 -#define REALM_SZ 40 -#define SNAME_SZ 40 -#define INST_SZ 40 -#define MAX_KPW_LEN 128 -/* include space for '.' and '@' */ -#define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) -#ifdef CYGNUS -#define ORGANIZATION "Cygnus Solutions\n(800)CYGNUS-1\nhttp://www.cygnus.com\ninfo@cygnus.com" -#endif -#define CREDENTIALS char -#endif - -/* - * Constants - */ -#define BLOCK_MAX_SEC 30 /* Blocking timeout duration */ -#define KWIN_UPDATE_PERIOD 30000 /* Every 30 seconds update the screen */ -#define TIME_BUFFER 300 /* Pop-up time buffer in seconds */ -#define WM_KWIN_SETNAME (WM_USER+100) /* Sets the name fields in the dialog */ - -#endif /* RC_INVOKED */ - -/* - * Menu items - */ -#define FILE_MENU_ITEMS 3 -#define FILE_MENU_MAX_LOGINS 5 -#define IDM_KWIN 1000 -#define IDM_OPTIONS 1001 -#define IDM_EXIT 1002 -#define IDM_FIRST_LOGIN 1003 - -#define IDM_HELP_INDEX 1020 -#define IDM_ABOUT 1021 - -/* - * Accelerator - */ -#define IDA_KWIN 2000 - -/* - * Dialog and dialog item ids - */ -#define KWIN_DIALOG_CLASS "KERBEROS" /* class for kerberos dialog */ -#define KWIN_DIALOG_NAME "Krb5" /* name for kerberos dialog */ - -#define ID_KWIN 100 /* the main kerberos dialog */ -#define IDD_KWIN_FIRST 101 -#define IDD_TICKET_LIST_TITLE 101 -#define IDD_TICKET_LIST 102 - -#ifdef KRB4 - -#define IDD_MIN_TITLE 103 -#define IDD_LOGIN_NAME_TITLE 103 -#define IDD_LOGIN_INSTANCE_TITLE 104 -#define IDD_LOGIN_REALM_TITLE 105 -#define IDD_LOGIN_PASSWORD_TITLE 106 -#define IDD_MAX_TITLE 106 - -#define IDD_MIN_EDIT 107 -#define IDD_LOGIN_NAME 107 -#define IDD_LOGIN_INSTANCE 108 -#define IDD_LOGIN_REALM 109 -#define IDD_LOGIN_PASSWORD 110 -#define IDD_MAX_EDIT 110 - -#endif - -#ifdef KRB5 - -#define IDD_MIN_TITLE 103 -#define IDD_LOGIN_NAME_TITLE 103 -#define IDD_LOGIN_PASSWORD_TITLE 104 -#define IDD_LOGIN_REALM_TITLE 105 -#define IDD_MAX_TITLE 105 - -#define IDD_MIN_EDIT 107 -#define IDD_LOGIN_NAME 107 -#define IDD_LOGIN_PASSWORD 108 -#define IDD_LOGIN_REALM 109 -#define IDD_MAX_EDIT 109 - -#endif - -#define IDD_MIN_BUTTON 111 -#define IDD_CHANGE_PASSWORD 111 -#define IDD_TICKET_DELETE 112 -#define IDD_LOGIN 113 -#define IDD_MAX_BUTTON 113 -#define IDD_PASSWORD_CR2 114 /* For better cr handling */ - -#define IDD_KWIN_LAST 114 - - -#define ID_PASSWORD 200 -#define IDD_PASSWORD_NAME 204 -#define IDD_PASSWORD_INSTANCE 205 -#define IDD_PASSWORD_REALM 206 -#define IDD_OLD_PASSWORD 207 -#define IDD_NEW_PASSWORD1 208 -#define IDD_NEW_PASSWORD2 209 -#define IDD_PASSWORD_CR 210 - - -#define ID_OPTS 300 -#define IDD_CONF 301 -#define IDD_REALMS 302 -#define IDD_LIFETIME 303 -#define IDD_CCACHE 304 -#define IDD_ACTIONS 310 -#define IDD_BEEP 311 -#define IDD_ALERT 312 -#define IDD_TKOPT 320 -#define IDD_FORWARDABLE 321 -#define IDD_NOADDRESSES 322 - -/* - * the entire range (400 through 499) is reserved for the blasted variable - * dialog box thingie. - */ -#define ID_VARDLG 400 - -/* - * Dialog dimensions - */ -#define KWIN_MIN_WIDTH 180 -#define KWIN_MIN_HEIGHT 110 - -/* - * Icons - */ -#define IDI_KWIN 1 /* The program icon */ - -#define ICON_WIDTH 30 /* Width used with icons */ -#define ICON_HEIGHT 20 /* Height used with icons */ - -#define IDI_FIRST_CLOCK 2 -#define IDI_0_MIN 2 /* < 5 minutes left */ -#define IDI_5_MIN 3 -#define IDI_10_MIN 4 -#define IDI_15_MIN 5 -#define IDI_20_MIN 6 -#define IDI_25_MIN 7 -#define IDI_30_MIN 8 -#define IDI_35_MIN 9 -#define IDI_40_MIN 10 -#define IDI_45_MIN 11 -#define IDI_50_MIN 12 -#define IDI_55_MIN 13 -#define IDI_60_MIN 14 -#define IDI_EXPIRED 15 -#define IDI_TICKET 16 -#define IDI_LAST_CLOCK 16 -#define MAX_ICONS (IDI_LAST_CLOCK - IDI_FIRST_CLOCK + 1) - -#ifndef RC_INVOKED - -extern BOOL isblocking; -extern HFONT hfontdialog; -extern HINSTANCE hinstance; -extern BOOL alert; -extern BOOL beep; - -extern char confname[FILENAME_MAX]; - -#ifdef KRB5 -extern krb5_context k5_context; -extern krb5_ccache k5_ccache; -extern char ccname[FILENAME_MAX]; -extern BOOL forwardable; -extern BOOL noaddresses; -#endif - -/* - * Prototypes - */ - -/* in cns.c */ - -void kwin_init_name(HWND, char *); -void kwin_set_default_focus(HWND); -time_t kwin_get_epoch(void); - -/* in options.c */ -BOOL opts_initdialog(HWND, HWND, LPARAM); -void opts_command(HWND, int, HWND, UINT); -BOOL CALLBACK opts_dlg_proc(HWND, UINT, WPARAM, LPARAM); -BOOL opts_dialog(HWND); - -/* in password.c */ -BOOL change_password(HWND, char *, char *, char *, char *, char *); -void password_command(HWND, int, HWND, UINT); -BOOL password_initdialog(HWND, HWND, LPARAM); -BOOL CALLBACK password_dlg_proc(HWND, UINT, WPARAM, LPARAM); -BOOL password_dialog(HWND); - -#ifdef KRB5 -krb5_error_code k5_dest_tkt(void); -int k5_get_num_cred(int); -int k5_kname_parse(char *, char *, char *); -krb5_error_code k5_init_ccache(krb5_ccache *); -int k5_name_from_ccache(krb5_ccache); -krb5_error_code k5_change_password(HWND, krb5_context, char *, char *, char *, - char *, char **); - -#endif /* KRB5 */ - -HICON kwin_get_icon(time_t); -void trim(char *); -void start_blocking_hook(int); -void end_blocking_hook(void); -void center_dialog(HWND); -void set_dialog_font(HWND, HFONT); - -#endif /* RC_INVOKED */ - -#endif diff --git a/src/windows/cns/cns.ico b/src/windows/cns/cns.ico deleted file mode 100644 index 645efa5ba049b95732ee60341a4603a7bd1df9cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1086 zcmc&yv5wO~6da#XY$@VQj}Wd-lvmM)ub@P(Tp^Us?z|F(x7&gb;1{l-J0#puLQfGY zL`AmCN-=rN?%Kl930=uc=DnTq+qdgUfCLvP%M19pPJk=cvV0WyPs%T;J@Xpzf=KxB zp+df!MC7hGD`^EhRKW9(z&Ea6v-h1vB73B6r`Ctf*T+Zs@Z`6=c{QwddnBI@D(#Md zj7U!-l7JQ%J+?r5O_aPk!EX%SA;j37Hb;@&VKeSe6ierF{i|AOzC5emyZ{?JF^di}3;){qO-cQHMxnB?Bv}o}>c~Mm~Q>oyo&s-7; z!!WRq9(hZ7>rj}z#XO7Rz0uGkA6XMi$RULXTST2DJ8ziwdC_DGLYmvqIwex2rzw;q zw`UE7H8AqG!RDm2a|-?-45jtN4GDBEE*@Et7mhom_xD>>TEvDeR#UjFbKl^F^-Z%~ zUDj0`l-b*?Z|dqtJ2{b-uHc7SHB|7;B?#8_1uom=w2;&?wsB(cwvlI tt9crSIOnkB#u)NA-RIoVwFNJX0xJJx3hzlZ6IQiY|6>`9VESMG^FQ(KGx`7k diff --git a/src/windows/cns/cns_reg.c b/src/windows/cns/cns_reg.c deleted file mode 100644 index 357e5d6..0000000 --- a/src/windows/cns/cns_reg.c +++ /dev/null @@ -1,230 +0,0 @@ -/* - * Copyright (c) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#include -#include -#include -#include - -#include "cns.h" -#include "cns_reg.h" - -#include "../lib/registry.h" - -cns_reg_t cns_res; /* yes, a global. Sue me. */ - -/* - * function to load all the data we will want from the registry. If the - * registry data cannot be found this function will initialize a default - * environment. - */ -void -cns_load_registry(void) -{ - char tmp[1024]; - DWORD tdw; - char *ts; - HKEY key; - int i; - - /* - * Set up reasonable default values. These will all be overwritten if - * the registry is successfully opened. - */ - cns_res.name[0] = '\0'; - cns_res.realm[0] = '\0'; - cns_res.x = 0; - cns_res.y = 0; - cns_res.cx = 0; - cns_res.cy = 0; - - cns_res.alert = 0; - cns_res.beep = 0; - cns_res.lifetime = DEFAULT_TKT_LIFE * 5; - cns_res.forwardable = 1; - cns_res.noaddresses = 0; - - for (i = 1 ; i < FILE_MENU_MAX_LOGINS ; i++) - cns_res.logins[i][0] = '\0'; - - /* - * by default, allow the user to override the config file location and NOT the - * cred cache name. - */ - cns_res.conf_override = 1; - cns_res.cc_override = 0; - - { - char *s; - s = krb5_cc_default_name(k5_context); - - strcpy(cns_res.def_ccname, s); - } - - cns_res.def_confname[0] = '\0'; - - /* - * If the system has these keys in the registry, do not allow the user to - * override the config file and ccache locations. - */ - key = registry_open(HKEY_LOCAL_MACHINE, KERBNET_BASE, KEY_READ); - if (key != INVALID_HANDLE_VALUE) { - if (registry_string_get(key, KERBNET_HOME, &ts) == 0) { - cns_res.conf_override = 0; - cns_res.def_confname[sizeof(cns_res.def_confname) - 1]; - strncpy(cns_res.def_confname, ts, - sizeof(cns_res.def_confname) - 1); - strncat(cns_res.def_confname, "\\etc\\krb5.conf", - sizeof(cns_res.def_confname) - 1 - - strlen(cns_res.def_confname)); - free(ts); - } - - if (registry_string_get(key, "ccname", &ts) == 0) { - cns_res.cc_override = 0; - strcpy(cns_res.def_ccname, ts); - free(ts); - } - } - - /* - * Try to open the registry. If we succeed, read the last used values from there. If we - * do not get the registry open simply return. - */ - key = registry_open(HKEY_CURRENT_USER, KERBNET_CNS_BASE, KEY_ALL_ACCESS); - - if (key == INVALID_HANDLE_VALUE) - return; - - if (registry_dword_get(key, "x", &tdw) == 0) - cns_res.x = tdw; - - if (registry_dword_get(key, "y", &tdw) == 0) - cns_res.y = tdw; - - if (registry_dword_get(key, "cx", &tdw) == 0) - cns_res.cx = tdw; - - if (registry_dword_get(key, "cy", &tdw) == 0) - cns_res.cy = tdw; - - if (registry_dword_get(key, "lifetime", &tdw) == 0) - cns_res.lifetime = tdw; - - if (registry_dword_get(key, "forwardable", &tdw) == 0) - cns_res.forwardable = tdw; - - if (registry_dword_get(key, "noaddresses", &tdw) == 0) - cns_res.noaddresses = tdw; - - if (registry_dword_get(key, "alert", &tdw) == 0) - cns_res.alert = tdw; - - if (registry_dword_get(key, "beep", &tdw) == 0) - cns_res.beep = tdw; - - if (registry_string_get(key, "name", &ts) == 0) { - strcpy(cns_res.name, ts); - free(ts); - } - - if (registry_string_get(key, "realm", &ts) == 0) { - strcpy(cns_res.realm, ts); - free(ts); - } - - if (cns_res.conf_override && (registry_string_get(key, "confname", &ts) == 0)) { - strcpy(cns_res.confname, ts); - free(ts); - } else - strcpy(cns_res.confname, cns_res.def_confname); - - if (cns_res.cc_override && (registry_string_get(key, "ccname", &ts) == 0)) { - strcpy(cns_res.ccname, ts); - free(ts); - } else - strcpy(cns_res.ccname, cns_res.def_ccname); - - for (i = 0 ; i < FILE_MENU_MAX_LOGINS ; i++) { - sprintf(tmp, "login_%02d", i); - if (registry_string_get(key, tmp, &ts) == 0) { - strcpy(cns_res.logins[i], ts); - free(ts); - } - } - - registry_close(key); -} - -/* - * save all the registry data, creating the keys if needed. - */ -void -cns_save_registry(void) -{ - char tmp[1024]; - HKEY key; - int i; - - /* - * First, create the heirachy... This is gross, but functional - */ - key = registry_key_create(HKEY_CURRENT_USER, CYGNUS_SOLUTIONS, KEY_WRITE); - if (key == INVALID_HANDLE_VALUE) - return; - - key = registry_key_create(HKEY_CURRENT_USER, KERBNET_SANS_VERSION, KEY_WRITE); - if (key == INVALID_HANDLE_VALUE) - return; - registry_close(key); - - key = registry_key_create(HKEY_CURRENT_USER, KERBNET_BASE, KEY_WRITE); - if (key == INVALID_HANDLE_VALUE) - return; - registry_close(key); - - key = registry_key_create(HKEY_CURRENT_USER, KERBNET_CNS_BASE, KEY_WRITE); - if (key == INVALID_HANDLE_VALUE) - return; - - registry_dword_set(key, "x", cns_res.x); - registry_dword_set(key, "y", cns_res.y); - registry_dword_set(key, "cx", cns_res.cx); - registry_dword_set(key, "cy", cns_res.cy); - - registry_dword_set(key, "alert", cns_res.alert); - registry_dword_set(key, "beep", cns_res.beep); - registry_dword_set(key, "lifetime", cns_res.lifetime); - registry_dword_set(key, "forwardable", cns_res.forwardable); - registry_dword_set(key, "noaddresses", cns_res.noaddresses); - - registry_string_set(key, "name", cns_res.name); - registry_string_set(key, "realm", cns_res.realm); - - if (cns_res.conf_override) - { - if (strcmp(cns_res.confname, cns_res.def_confname)) - registry_string_set(key, "confname", cns_res.confname); - else - registry_value_delete(key, "confname"); - } - - if (cns_res.cc_override) - { - if (strcmp(cns_res.ccname, cns_res.def_ccname)) - registry_string_set(key, "ccname", cns_res.ccname); - else - registry_value_delete(key, "ccname"); - } - - for (i = 0 ; i < FILE_MENU_MAX_LOGINS ; i++) - if (cns_res.logins[i][0] != '\0') { - sprintf(tmp, "login_%02d", i); - registry_string_set(key, tmp, cns_res.logins[i]); - } - - registry_close(key); -} diff --git a/src/windows/cns/cns_reg.h b/src/windows/cns/cns_reg.h deleted file mode 100644 index 9ebed4f..0000000 --- a/src/windows/cns/cns_reg.h +++ /dev/null @@ -1,33 +0,0 @@ -/* - * Copyright (c) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#include - -typedef struct cns_reg { - DWORD x; /* default dialog size */ - DWORD y; - DWORD cx; - DWORD cy; - DWORD lifetime; /* ticket lifetime */ - DWORD beep; /* beep on expire/warning? */ - DWORD alert; /* alert (deiconify) when tix expired? */ - DWORD forwardable; /* get forwardable tickets? */ - DWORD conf_override; /* allow changing of confname */ - DWORD cc_override; /* allow changing of ccname */ - DWORD noaddresses; /* Don't require address in tickets */ - char name[MAX_K_NAME_SZ]; /* last user used */ - char realm[MAX_K_NAME_SZ]; /* last realm used */ - char confname[FILENAME_MAX]; - char ccname[FILENAME_MAX]; - char def_confname[FILENAME_MAX]; - char def_ccname[FILENAME_MAX]; - char logins[FILE_MENU_MAX_LOGINS][MAX_K_NAME_SZ]; -} cns_reg_t; - -extern cns_reg_t cns_res; - -void cns_load_registry(void); -void cns_save_registry(void); diff --git a/src/windows/cns/cnsres4.rc b/src/windows/cns/cnsres4.rc deleted file mode 100644 index 77e21e0..0000000 --- a/src/windows/cns/cnsres4.rc +++ /dev/null @@ -1,108 +0,0 @@ -#include - -#define KRB4 -#include "cns.h" - -IDI_KWIN ICON PRELOAD cns.ico -IDI_0_MIN ICON PRELOAD clock00.ico -IDI_5_MIN ICON PRELOAD clock05.ico -IDI_10_MIN ICON PRELOAD clock10.ico -IDI_15_MIN ICON PRELOAD clock15.ico -IDI_20_MIN ICON PRELOAD clock20.ico -IDI_25_MIN ICON PRELOAD clock25.ico -IDI_30_MIN ICON PRELOAD clock30.ico -IDI_35_MIN ICON PRELOAD clock35.ico -IDI_40_MIN ICON PRELOAD clock40.ico -IDI_45_MIN ICON PRELOAD clock45.ico -IDI_50_MIN ICON PRELOAD clock50.ico -IDI_55_MIN ICON PRELOAD clock55.ico -IDI_60_MIN ICON PRELOAD clock60.ico -IDI_EXPIRED ICON PRELOAD clockexp.ico -IDI_TICKET ICON PRELOAD clocktkt.ico - -IDM_KWIN MENU PRELOAD -BEGIN - POPUP "&File" - BEGIN - MENUITEM "&Options...", IDM_OPTIONS - MENUITEM SEPARATOR - MENUITEM "E&xit", IDM_EXIT - END - - POPUP "&Help" - BEGIN - MENUITEM "&Index\tF1", IDM_HELP_INDEX - MENUITEM SEPARATOR - MENUITEM "&About Kerberos...", IDM_ABOUT - END -END - -IDA_KWIN ACCELERATORS PRELOAD -BEGIN - VK_F1, IDM_HELP_INDEX, VIRTKEY -END - -ID_KWIN DIALOG PRELOAD MOVEABLE DISCARDABLE 0, 0, 276, 114 -STYLE WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME | WS_MINIMIZEBOX -CLASS KWIN_DIALOG_CLASS -CAPTION KWIN_DIALOG_NAME -MENU IDM_KWIN -FONT 8, "Arial" -BEGIN - CONTROL " Start Time End Time Ticket", IDD_TICKET_LIST_TITLE, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 16, 7, 240, 8 - CONTROL "", IDD_TICKET_LIST, "LISTBOX", LBS_NOTIFY | LBS_DISABLENOSCROLL | LBS_OWNERDRAWFIXED | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL, 8, 18, 261, 52 - CONTROL "&Name", IDD_LOGIN_NAME_TITLE, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 6, 69, 27, 8 - CONTROL "&Instance", IDD_LOGIN_INSTANCE_TITLE, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 73, 69, 36, 8 - CONTROL "&Realm", IDD_LOGIN_REALM_TITLE, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 140, 69, 26, 8 - CONTROL "&Password", IDD_LOGIN_PASSWORD_TITLE, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 207, 69, 36, 8 - CONTROL "", IDD_LOGIN_NAME, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 6, 79, 62, 12 - CONTROL "", IDD_LOGIN_INSTANCE, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 73, 79, 62, 12 - CONTROL "", IDD_LOGIN_REALM, "EDIT", ES_LEFT | ES_AUTOHSCROLL | ES_UPPERCASE | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 140, 79, 62, 12 - CONTROL "", IDD_LOGIN_PASSWORD, "EDIT", ES_LEFT | ES_AUTOHSCROLL | ES_PASSWORD | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 207, 79, 62, 12 - - CONTROL "&Change Password...", IDD_CHANGE_PASSWORD, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 6, 96, 74, 14 - CONTROL "&Delete", IDD_TICKET_DELETE, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 122, 96, 52, 14 - CONTROL "&Login", IDD_LOGIN, "BUTTON", BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 216, 96, 52, 14 - CONTROL "", IDD_PASSWORD_CR2, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE, 5000, 5000, 0, 0 -END - -ID_PASSWORD DIALOG 96, 50, 143, 129 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Change Password" -FONT 8, "Arial" -BEGIN - CONTROL "&Name:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 9, 53, 8 - CONTROL "", IDD_PASSWORD_NAME, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_GROUP | WS_TABSTOP, 61, 6, 76, 12 - CONTROL "&Instance:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 26, 53, 8 - CONTROL "", IDD_PASSWORD_INSTANCE, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 61, 23, 76, 12 - CONTROL "&Realm:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 43, 53, 8 - CONTROL "", IDD_PASSWORD_REALM, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 61, 40, 76, 12 - CONTROL "&Old Password:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 60, 53, 8 - CONTROL "", IDD_OLD_PASSWORD, "EDIT", ES_LEFT | ES_AUTOHSCROLL | ES_PASSWORD | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 61, 57, 76, 12 - CONTROL "&New Password:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 77, 53, 8 - CONTROL "", IDD_NEW_PASSWORD1, "EDIT", ES_LEFT | ES_AUTOHSCROLL | ES_PASSWORD | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 61, 74, 76, 12 - CONTROL "&New Password:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 94, 53, 8 - CONTROL "", IDD_NEW_PASSWORD2, "EDIT", ES_LEFT | ES_AUTOHSCROLL | ES_PASSWORD | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 61, 91, 76, 12 - CONTROL "", IDD_PASSWORD_CR, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE, 5000, 5000, 0, 0 - CONTROL "OK", IDOK, "BUTTON", BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_GROUP | WS_TABSTOP, 13, 110, 52, 14 - CONTROL "Cancel", IDCANCEL, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 77, 110, 52, 14 -END - -ID_OPTS DIALOG 97, 52, 148, 107 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Kerberos Options" -FONT 8, "Arial" -BEGIN - CONTROL "&Conf file:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 9, 40, 8 - CONTROL "", IDD_CONF, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 60, 6, 82, 12 - CONTROL "&Realms file:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 26, 40, 8 - CONTROL "", IDD_REALMS, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 60, 23, 82, 12 - CONTROL "&Ticket lifetime:", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 5, 43, 53, 8 - CONTROL "", IDD_LIFETIME, "EDIT", ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 60, 40, 20, 12 - CONTROL "minutes", -1, "STATIC", SS_LEFT | WS_CHILD | WS_VISIBLE, 85, 43, 46, 8 - CONTROL "Action when login expires", 209, "BUTTON", BS_GROUPBOX | WS_CHILD | WS_VISIBLE | WS_GROUP, 5, 56, 138, 23 - CONTROL "&Alert ", IDD_ALERT, "BUTTON", BS_AUTOCHECKBOX | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 31, 65, 28, 12 - CONTROL "&Beep", IDD_BEEP, "BUTTON", BS_AUTOCHECKBOX | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 80, 65, 39, 12 - CONTROL "OK", IDOK, "BUTTON", BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 17, 87, 52, 14 - CONTROL "Cancel", IDCANCEL, "BUTTON", BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 81, 87, 52, 14 -END diff --git a/src/windows/cns/cnsres5.rc b/src/windows/cns/cnsres5.rc deleted file mode 100644 index d398078..0000000 --- a/src/windows/cns/cnsres5.rc +++ /dev/null @@ -1,215 +0,0 @@ -//Microsoft Developer Studio generated resource script. -// - -#define APSTUDIO_READONLY_SYMBOLS -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 2 resource. -// -#define APSTUDIO_HIDDEN_SYMBOLS -#include "windows.h" -#undef APSTUDIO_HIDDEN_SYMBOLS -#include "cns.h" - -///////////////////////////////////////////////////////////////////////////// -#undef APSTUDIO_READONLY_SYMBOLS - -///////////////////////////////////////////////////////////////////////////// -// English (U.S.) resources - -#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) -#ifdef _WIN32 -LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US -#pragma code_page(1252) -#endif //_WIN32 - -///////////////////////////////////////////////////////////////////////////// -// -// Icon -// - -// Icon with lowest ID value placed first to ensure application icon -// remains consistent on all systems. -IDI_KWIN ICON PRELOAD DISCARDABLE "cns.ico" -IDI_0_MIN ICON PRELOAD DISCARDABLE "clock00.ico" -IDI_5_MIN ICON PRELOAD DISCARDABLE "clock05.ico" -IDI_10_MIN ICON PRELOAD DISCARDABLE "clock10.ico" -IDI_15_MIN ICON PRELOAD DISCARDABLE "clock15.ico" -IDI_20_MIN ICON PRELOAD DISCARDABLE "clock20.ico" -IDI_25_MIN ICON PRELOAD DISCARDABLE "clock25.ico" -IDI_30_MIN ICON PRELOAD DISCARDABLE "clock30.ico" -IDI_35_MIN ICON PRELOAD DISCARDABLE "clock35.ico" -IDI_40_MIN ICON PRELOAD DISCARDABLE "clock40.ico" -IDI_45_MIN ICON PRELOAD DISCARDABLE "clock45.ico" -IDI_50_MIN ICON PRELOAD DISCARDABLE "clock50.ico" -IDI_55_MIN ICON PRELOAD DISCARDABLE "clock55.ico" -IDI_60_MIN ICON PRELOAD DISCARDABLE "clock60.ico" -IDI_EXPIRED ICON PRELOAD DISCARDABLE "clockexp.ico" -IDI_TICKET ICON PRELOAD DISCARDABLE "clocktkt.ico" - -///////////////////////////////////////////////////////////////////////////// -// -// Menu -// - -IDM_KWIN MENU PRELOAD DISCARDABLE -BEGIN - POPUP "&File" - BEGIN - MENUITEM "&Options...", IDM_OPTIONS - MENUITEM SEPARATOR - MENUITEM "E&xit", IDM_EXIT - END - POPUP "&Help" - BEGIN - MENUITEM "&Index\tF1", IDM_HELP_INDEX - MENUITEM SEPARATOR - MENUITEM "&About Kerberos...", IDM_ABOUT - END -END - - -///////////////////////////////////////////////////////////////////////////// -// -// Accelerator -// - -IDA_KWIN ACCELERATORS PRELOAD MOVEABLE PURE -BEGIN - VK_F1, IDM_HELP_INDEX, VIRTKEY -END - - -///////////////////////////////////////////////////////////////////////////// -// -// Dialog -// - -ID_KWIN DIALOG PRELOAD DISCARDABLE 0, 0, 336, 115 -STYLE WS_MINIMIZEBOX | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME -#ifdef CYGNUS -CAPTION "KerbNet" -#else -CAPTION "Kerberos" -#endif -MENU IDM_KWIN -CLASS "KERBEROS" -FONT 8, "Arial" -BEGIN - CONTROL " Start Time End Time Ticket", - IDD_TICKET_LIST_TITLE,"Static",SS_LEFTNOWORDWRAP | - WS_GROUP,16,7,311,8 - LISTBOX IDD_TICKET_LIST,8,18,319,52,LBS_OWNERDRAWFIXED | - LBS_DISABLENOSCROLL | WS_VSCROLL - LTEXT "&Name",IDD_LOGIN_NAME_TITLE,6,69,27,8 - LTEXT "&Password",IDD_LOGIN_PASSWORD_TITLE,125,69,42,8 - LTEXT "&Realm",IDD_LOGIN_REALM_TITLE,239,69,26,8 - EDITTEXT IDD_LOGIN_NAME,6,79,84,12,ES_AUTOHSCROLL - EDITTEXT IDD_LOGIN_PASSWORD,126,78,84,12,ES_PASSWORD | - ES_AUTOHSCROLL - EDITTEXT IDD_LOGIN_REALM,239,79,84,12,ES_AUTOHSCROLL - PUSHBUTTON "&Change Password...",IDD_CHANGE_PASSWORD,6,96,84,14 - PUSHBUTTON "&Delete",IDD_TICKET_DELETE,141,96,52,14 - DEFPUSHBUTTON "&Login",IDD_LOGIN,271,96,52,14 - PUSHBUTTON "",IDD_PASSWORD_CR2,5000,5000,6,6,NOT WS_TABSTOP -END - -ID_PASSWORD DIALOG DISCARDABLE 96, 50, 143, 112 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Change Password" -FONT 8, "Arial" -BEGIN - LTEXT "&Name:",-1,5,9,53,8,NOT WS_GROUP - EDITTEXT IDD_PASSWORD_NAME,61,6,76,12,ES_AUTOHSCROLL | WS_GROUP - LTEXT "&Realm:",-1,5,26,53,8,NOT WS_GROUP - EDITTEXT IDD_PASSWORD_REALM,61,23,76,12,ES_AUTOHSCROLL - LTEXT "&Old Password:",-1,5,43,53,8,NOT WS_GROUP - EDITTEXT IDD_OLD_PASSWORD,61,40,76,12,ES_PASSWORD | - ES_AUTOHSCROLL - LTEXT "&New Password:",-1,5,60,53,8,NOT WS_GROUP - EDITTEXT IDD_NEW_PASSWORD1,61,57,76,12,ES_PASSWORD | - ES_AUTOHSCROLL - LTEXT "&New Password:",-1,5,77,53,8,NOT WS_GROUP - EDITTEXT IDD_NEW_PASSWORD2,61,74,76,12,ES_PASSWORD | - ES_AUTOHSCROLL - PUSHBUTTON "",IDD_PASSWORD_CR,5000,5000,0,0,NOT WS_TABSTOP - DEFPUSHBUTTON "OK",IDOK,13,93,52,14,WS_GROUP - PUSHBUTTON "Cancel",IDCANCEL,77,93,52,14 -END - -ID_OPTS DIALOG DISCARDABLE 97, 52, 169, 138 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -#ifdef CYGNUS -CAPTION "KerbNet Options" -#else -CAPTION "Kerberos Options" -#endif -FONT 8, "Arial" -BEGIN - LTEXT "&Config file:",-1,5,9,40,8,NOT WS_GROUP - EDITTEXT IDD_CONF,70,6,92,12,ES_AUTOHSCROLL - LTEXT "Cre&dential cache:",-1,5,26,58,8,NOT WS_GROUP - EDITTEXT IDD_CCACHE,70,23,92,12,ES_AUTOHSCROLL - LTEXT "&Ticket lifetime:",-1,5,43,53,8,NOT WS_GROUP - EDITTEXT IDD_LIFETIME,70,40,32,12,ES_AUTOHSCROLL - LTEXT "minutes",-1,109,42,46,8,NOT WS_GROUP - GROUPBOX "Action when login expires",IDD_ACTIONS,5,56,158,23, - WS_GROUP - CONTROL "&Alert ",IDD_ALERT,"Button",BS_AUTOCHECKBOX | - WS_TABSTOP,41,65,28,12 - CONTROL "&Beep",IDD_BEEP,"Button",BS_AUTOCHECKBOX | WS_TABSTOP, - 95,65,39,12 - GROUPBOX "Ticket options",IDD_TKOPT,5,86,158,23,WS_GROUP - CONTROL "&Forwardable",IDD_FORWARDABLE,"Button",BS_AUTOCHECKBOX | - WS_TABSTOP,25,95,65,12 - CONTROL "&NoAddresses",IDD_NOADDRESSES,"Button",BS_AUTOCHECKBOX | - WS_TABSTOP,90,95,65,12 - DEFPUSHBUTTON "OK",IDOK,19,117,52,14 - PUSHBUTTON "Cancel",IDCANCEL,95,117,52,14 -END - - -#ifdef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// TEXTINCLUDE -// - -1 TEXTINCLUDE DISCARDABLE -BEGIN - -END - -2 TEXTINCLUDE DISCARDABLE -BEGIN - "#define APSTUDIO_HIDDEN_SYMBOLS\r\n" - "#include ""windows.h""\r\n" - "#undef APSTUDIO_HIDDEN_SYMBOLS\r\n" - "#include ""cns.h""\r\n" - "\0" -END - -3 TEXTINCLUDE DISCARDABLE -BEGIN - "\r\n" - "\0" -END - -#endif // APSTUDIO_INVOKED - -#endif // English (U.S.) resources -///////////////////////////////////////////////////////////////////////////// - - - -#ifndef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 3 resource. -// - - -///////////////////////////////////////////////////////////////////////////// -#endif // not APSTUDIO_INVOKED - -#include "..\version.rc" diff --git a/src/windows/cns/debug.c b/src/windows/cns/debug.c deleted file mode 100644 index 052bf4e..0000000 --- a/src/windows/cns/debug.c +++ /dev/null @@ -1,90 +0,0 @@ -#ifdef DEBUG - -#include -#include -#include -#include - -void -OutputHeading(const char *explanation) -{ - _RPT1(_CRT_WARN, - "\n\n%s:\n*********************************\n", explanation ); -} - -/* - * The following macros set and clear, respectively, given bits - * of the C runtime library debug flag, as specified by a bitmask. - */ -#define SET_CRT_DEBUG_FIELD(a) \ - _CrtSetDbgFlag((a) | _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG)) -#define CLEAR_CRT_DEBUG_FIELD(a) \ - _CrtSetDbgFlag(~(a) & _CrtSetDbgFlag(_CRTDBG_REPORT_FLAG)) - -_CrtMemState s1; -_CrtMemState s2; -_CrtMemState s3; -static _CrtMemState *ss1 = NULL; -static _CrtMemState *ss2 = NULL; - -void debug_init(); - -void -debug_check() -{ - _CrtMemState *temp; - - OutputHeading("Checking memory..."); - - if (ss1 == NULL) { - debug_init(); - ss1 = &s1; - ss2 = &s2; - } - - _CrtCheckMemory(); - - /* _CrtMemDumpAllObjectsSince( NULL ); */ - - _CrtMemCheckpoint( &s2 ); - - if ( _CrtMemDifference( &s3, &s1, &s2 ) ) - _CrtMemDumpStatistics( &s3 ); - - /* _CrtDumpMemoryLeaks(); */ - - /* - * swap the snapshots around - */ - temp = ss1; - ss1 = ss2; - ss2 = temp; -} - -void -debug_init() -{ - /* Send all reports to STDOUT */ - _CrtSetReportMode( _CRT_WARN, _CRTDBG_MODE_FILE ); - _CrtSetReportFile( _CRT_WARN, _CRTDBG_FILE_STDOUT ); - _CrtSetReportMode( _CRT_ERROR, _CRTDBG_MODE_FILE ); - _CrtSetReportFile( _CRT_ERROR, _CRTDBG_FILE_STDOUT ); - _CrtSetReportMode( _CRT_ASSERT, _CRTDBG_MODE_FILE ); - _CrtSetReportFile( _CRT_ASSERT, _CRTDBG_FILE_STDOUT ); - - _CrtMemCheckpoint( &s1 ); - - /* - * Set the debug-heap flag so that freed blocks are kept on the - * linked list, to catch any inadvertent use of freed memory - */ - SET_CRT_DEBUG_FIELD( _CRTDBG_DELAY_FREE_MEM_DF ); - - - /* - * Set the debug-heap flag so that memory leaks are reported when - * the process terminates. Then, exit. - */ - SET_CRT_DEBUG_FIELD( _CRTDBG_LEAK_CHECK_DF ); -} -#endif /* DEBUG */ diff --git a/src/windows/cns/heap.c b/src/windows/cns/heap.c deleted file mode 100644 index 46d39df..0000000 --- a/src/windows/cns/heap.c +++ /dev/null @@ -1,33 +0,0 @@ -#include -#include - -void heapdump( void ) -{ - _HEAPINFO hinfo; - int heapstatus; - hinfo._pentry = NULL; - while( ( heapstatus = _heapwalk( &hinfo ) ) == _HEAPOK ) - { printf( "%6s block at %Fp of size %4.4X\n", - ( hinfo._useflag == _USEDENTRY ? "USED" : "FREE" ), - hinfo._pentry, hinfo._size ); - } - - switch( heapstatus ) - { - case _HEAPEMPTY: - printf( "OK - empty heap\n" ); - break; - case _HEAPEND: - printf( "OK - end of heap\n" ); - break; - case _HEAPBADPTR: - printf( "ERROR - bad pointer to heap\n" ); - break; - case _HEAPBADBEGIN: - printf( "ERROR - bad start of heap\n" ); - break; - case _HEAPBADNODE: - printf( "ERROR - bad node in heap\n" ); - break; - } -} diff --git a/src/windows/cns/kerbnet.doc b/src/windows/cns/kerbnet.doc deleted file mode 100644 index 161b3c31eabb25652b3a0009cadf4f8f354c03cb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 22528 zcmeI4dyrgJoySklBbkIWB!Psda2R5kNrnlaQ6Nz!nVFDbl9}0=hG;Pw?sVUoY17@e z>D!%2Th=bJZj}KlW(7U&pnUd`MuBW+d2F%E1vtzU!3#rs^NIIYF0;&Em4bN^$E@| zaM#O~(ws}((PPJsN%i@F(}m*=#DQlXm{#fMmb8fceED!kvr?BK?2)TnMZJ9HETvN1 zpZDle>cu8nMCFU!N*(6%sSQfqNqNp?ws*WdgQ^#!`d3n}rv1{(m6Fo6f7g{t?c!Qf zFUKn>S&q7b_UBQiC{b;-`JGA$`R}HbBVICvnxXz*DF?5xKSCZbbjJsq2CK7r!K-mZr$-3)8qZdRQLA_r0 z28FU;D2K_^w67-bBv7Dw(`4loo@2X=2@w zU#3$@@5&Z3!AxlG>~?o{b7yySM<-LIphEv}Ita>h^>1i1$4D~1UkXB<%BJ`D<Ss`hl4^TO#)4Y_5+d|=4S`v>(zu&=9O_LA@A^0nbc<*L@nTt&US zLdNzidSN&dlrpteBT+@HAyXD~ItP2~>^p*~Y=Qfgayck;Cxw?8Kj)VlSrIX`E8e%y zG^};jdP^=0y0lj=`}v~Lt8z^;1%F0IW9XS|E~mXpImmlddAVHG&FK}Y+TWKAZD%V( zOH_K=D@;X1xpf{#Os{PaTe4k})~V@iXy=?j1E+MQh!8SaFBeP++q<>y$LvZG59b#7 z%SyV&_n1g)!f}GsuS~4nI#tuhAeYf@&9ym(bD5Y}jou26YwgN2*|guK15{G__+EM% zUGry5C)T`66an7rVA5y;obauCDVBnwUqUF8$O)y*7LH@|@L*ly$>e*3icWhnQW)s4 z=%=%jRWn}QeFf-3Pzbw3`$JSFZKQi(TQ=u+9n``gqm&1RZM%bbH8G4_kVZZ52oZrb z2Bw3;WOk~8Maf-=tlJz8w0>*1%rNUv>5`wp&!Pg*o@TBNtD0_#$a$HuJCifhKJ=8t z>I*@+?rZU$6(r;3{8CwzN7h#iibc_}Y*|!J{IF5CLS_TKCw$-BWWa*eHfIt3zGAlI z*Jd)(boZiZCL|)1X1r2HJU<@OojOmOtozCa*Ig%>5nOn%F$NClTy|nlX<}n{24%=s z!ZLK~Fv$CmNw7h83^_%wJdG(L@0jzm{C+tZ)JBb5UQM!AU$REW>?}1U&>fXR2BwQ9 z7*#o_^M0YyDc*pp4D3pmgOcc)XSwf`Pu3`cH1QAzRIHf$C4Hc`Cia8#N?g`#7-3uy zGY(i28T6~V59d_M;x0w^dQl>1>=^9p?PSjC?)cr^_U>+OY8+6dfZ^lC5T5S9zNWom z2&dCtCG?erYfC96#G! zC4M1Ysum?&!i#c{4p2+70T1_YgiY<Xb9 zTH#oX@N!V)hfpEP6g4TAyh7;Vop4qr&&mV^Zb~ijn-%A(T^NR08MiJj>uGN<4FZke z&_r({K-J()wxsi30eaEcGIMMXW_;vg1(Elv;zn@Jb=4J-iVw|XAS)=~mSR*J&n=Rr z3%WQIz;(k1+a@Gnit}Keky3Uq20aDmqI=L=!S8#aE|KXW44b3WZ&$*KiNAIXQG8EN z5=PLbO4-L}&rFMpa8sFi)1It0AK)BFHnIgWB*}v8)FDf+iU*krf{aN=Ls>gZ!dsR? zaiRoY4^C$MqFA z5U9+HH_K%>ENoz8uuPoQr)>O8fEmw7iQ|Rcgan8Kphzt)d0e*pXMjSR`{p<#k7)lFN0n zq%p#XVTDx-Ba4`p*A^+kvJ9<}eul@Zt>}#SH^ZX<0%QSnG2xeUSvH@s(Sic$iwU!t zKs3yFR-?Qn|E3Do60wTyN7ks5ToXsk?uv@3g4j@S!oZP~YBT8%1ilc{vvo&*|44W5 z@J``hI>;9#g@y)~`s>M3kayyVR43}YK}@qgfP|YyUPpprk5ZQ}_7kRwMA1^r?u9TC zHLa`S0nxyNVs{5fP7aDxQqz9YvD(Qyt{-{gR2J8Vm0|v(LuFm66v9n9+wFH-DxzWC zblfh)OxcYDLlU4X?#u9>bqavk+msR?H*kv zxi*f2Eo9`;Ek$-KK`<(c`xL&(NCn-a#Zuu>N0bHG=8~fhFjPxnN7fsr_K;rmD$)tiE5qGk$CD`9q}LjK2OY_P&cXfdbw<- z?&@o73)$mL20;=H-C$fBXCJKlfaFb;%Dx7_5M^fWaf^+}@t9<5oWi+Xf!O!!$f>kG zKH+zXfGjj5|3(%lkEiQ9D%_uJsa)KM_)Jzo9>I20Qln^(kAJ~K(mn5!OjJ>~hBd-2 ziDV|>ck6QD&G{`G`ew1y8n0c?-6?t46p1VvT1IgJ%qId7v!lpn{h?es7bi8)Xdg&9 zF$}neJSprauFRr7QAB;!#MQ=`tdtB*H<6@eCrMbHcM!I)lAXAA6Aa_A&-l3$qj8No z*@)XbwN|CuB?h&NblQzNwmbVExS2r6c3JXHuRf8D*v2qO?%-#X|3TJ3WBig3WG$+; zw8%&&NffG=xb@+rX*nySN5yjE>Rz*TlQ@$d$i|G^k>tvHMoUOuSR`2s%NCi~Zq{j9 zcEJgyZrDvlql;luK0!BqUbR z^V-Orz|gJHPFU6%CykW~7orL1X^0b>Hv4;{Pf=KnCH)28s;${rvF2jc=Dv((xL{(F z87ZuivgU1mX*DP)IgW0tKV+%xg6(F+CKGVLJ%n*PBuj&2`q54CjkW2Sh!uD!VP33B zl%1s;;rM2MZ@0~~k*wB=q4vyzfa1b*t+z2k*>z&{5oharj8{ zs!QoG_cs@GpXYmk!Fg_Oaw@YaO(N^atexnMQm;2AkEf*JLE5a}fk0D3GsBg}uVa#f zuc+Ck^6_8IY?`P{g$-0W>RpV70#{Yj)4>y}Hd$la6w5jN_yvw&&Uwt&H1SzXMSKpa z*i>_7awaiqlk@kRj7OMjd`nq;8BxtewN<$9UgC|SNzfR#{Q8$JF=7W?jE=P%HQ^-I z$X3K!9Op&tqvTlgT@SV` zeyDBn=kIU*!u_pZR4VrdJ@~>|B|sBs1}&f!ECP$cCU6}Hz)j#D@Hlt^d>cFso&`Sz zN5Of#N$?hMKDYpAa3N?17l8rrUN8*~flq_Sz*FF#z_Va=t5WBJPH-D9pxg~U3myf3 z4ZaC}0$u=Wu~KhsQ>q8t0B!*v1^0rBmnd~P=m*=u0Js(mf*oKd7y`rKkHLQMICu(t zAC#9W^+B*7JOsW0o&&d^qSVL09pK~OPH-2v8yo;X20sJ0o(lcocJMK92lzO+6Wj%M zo(6BhZ==6o|4P;Vxw@bKO3m}nwfb4TQN5~urkbw*uxfdKV&W9lG%jb&oHdW|-o%YE z{{e6xIENP>&Ij$_V(^6(N<9KvR&o!_fZM^xPKUo>?JC-V4$uiUgF$cuSjyn1fMp;F z2EqHl9`Fcw6g&q09Q+sfHE25%+4C~SncysNHh2NFoUPPKumx-dy`T>qIEVKwz&+p- zVB%b*(jWtT@OAJl@Lli>cozH*_%Zke_$5g2(nk|Wf>XgdupV3kwu9Ti?ciQ;2>d(uQ`~!FzJOiEwFM!i{r)W926v+EU+ksQm*-P~sp?~2xnH*@UB&_{w@&7Bp zRX}{b_;~T{;?s`-g+D$QTn)YlZWW&lF2MI{@VEHiC%|(2?FujsJ_XwFpWDDSpaQ-K z9tM}-KfA%F!TsPi{Nw{*eG***`|*npf>ZH3r-2Y0wM#$p8jIK2J(~7=cJ^6|sL5-c zXuf{)-NRgyr!0H>v4n!*@*-wJO-sS?6x#DuU-W@!PWTZ9^iqy@XdFFhrx~bTn~H%JPpJz zi%%AREWTL$u=wC>fcReVyW(@j--@plKPx^q;>+tSj#viGI?Al~{@*HpZ7KU*6e@un z6DR=xE)iZztdck-F-qc-#3qRg5)&4mZ)1VP0f_}~%0C z)cabLx1^;@C3+Inbg3oVeb0P@d>Ou){>yJsD?+tuM6KSZTGe$QPBYLt)nr<)tGB+K ztdRc8rxPot6RY;I*O0dOiw@On+IH02zKtvrirNyZeyUb)uC-jFT1?9|^_ILT+Df2e zNXqvoWV|)1wXxMkJQw%vXw52($6BivnO1A-W4%LKEs9#Ts_Q>2?X+5K+Ua^b-g<3g z^I=CL2UKmQMSH!)71E+DYSF|<%+fg9mC|NOd^Y@WyV}z8!m-a#uI`JzJsIIG#;KB5 zoMxw6D91EYtE0mS^#T+wHLt1a6yMG>=4la+MGCgXI>j4?yvWLHoIDbb-`oQx z(9aCG3_hN$L#&tZs@@7PNi_uafXBcS;6K0;*47XH2xPzvcmzBSz6G8JNf>iBSP$L> zMnD?OfZM=*;1Td`@FRe$P^-uj-v-9O^of9BfuNLE#O{oG5qTXkAts)C&BkY86x(BZvdgA zp9S6kQZQx@cpkLDwxuv_CD;${0>6=K`2Ka6_FW*qbvX@IcY<+n3-~1XDrmvrG}r*H z2KRyoz%Rif^4W92dawnIf-IN;w}A)2H^IMwp82RDEos4AnxG&u|j&lpiPF1qw@~w@0X<3u(AKGxo zdbW?~9elxEx|Z*)-@a3gkEaF(Q^SMfyx_~%FW!vWJ~Gm~W8=;-PL6BYaEWhgI9d`d z2UU-1o>DCdT)sULgz)z?$@P1hY&dJ^^{Ow$UArT}d^^Xk>lM$cP5(D zST#Qp>QpP*scYpoSbL*JMCumRn^<<%^~)qD zw)tvmbK9gqrnW*mL`3`(BG@v+{1)}6YQ5Zyj%7w^jC`nB(|kQCM}{<4-1hKj-#f-r z{X0i?Y)SQxyNHfsPAzvo`Ql49^K&@*p6GB+tZ}oxalZ$9gMNMYy2%y|5q*l%E0Z6K zhLbXx{7&*>F>c8mC2QpoE&F|PA|N>)38UnWCf}4Sl=R7DproxP?<7q!`w~(dldF7|y~CQr&aUjfL+&0p>@zX*1}48Bn6MBzAgF?$Km)JK_C6_w{# z=t4*ANHp&n>Wf|1PFtF`tvQFCqSIfYLvFUT&|wWH?~BNFJrapixAdk4aN!^U5>4A7J&9h9^=}R$0yq^9!SN`QqM%|*1!?XTRBS*0zo(shrnsd?1=l<-|FT6B7z5L<3+SK}s z|LVJ!Quk$UNW78zhk*3FABg_`9S}SCN5G>2^#dTW?599%_6U%tJ!jBa;@YLrSeq$f zfq5n-dS2vOV%>)*CEk6MQexggN{M^-QA+Il9Hl&G`4XkEDJDOkYl(>`BvOedFO+*U zHG|2ytmA}@HFdRivz!Y(qrpTV8?Ww6P*&t{bB~oUV+n1SM`KCbxJ+A5@Vu|iA6>!9 zppk+0bZtB-}Ta?#{O8e*pTS4 zL`kuS5g>MVBM`fr24Z(bAojEmh`rnl#I8OH;`So8*;}0|R6=#X*zr3zTYFy5xm=6B z$T)Jiav1~47^2U!+M9HYj@O+eFAT82fdvjMaA1K03mjPBzyb#rIIzHh1r985;7z~* zp6T#&N%ucf=_@y~XXX(Yb83WM3zxd@CiTd^07b9J4?9;s4a6 S#UH}{bH4S*pB?-@&i@YzaoD5) diff --git a/src/windows/cns/kerbnet.hlp b/src/windows/cns/kerbnet.hlp deleted file mode 100644 index c25fafcd5b5d4e139a611ab196bd7202605625b7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16334 zcmeG@YjjlA)%)JLnRAoL<4z_o7|7hrKpq4`AiNAwC*;vUAPgaZB0_Fv?qsga+&kQR zCm|GZNI`ijD*7Rn7O1aUN=0e4w6f4@tB49pDXrEjVn5ru`0%mBQrmp{+>n5-w(I*A z-;efNIcuGpbM`rB-+lHy`*HT3T({H)c{YGPEbFcVuw(nLEMO@u8#A^-l0pztOhr?r zs9y@j6jfp%1d=XGhLkXq5m_~rpj0S8hdg~&LqnhgqOu(C&{lNt3DeAho}d(jh#Zs* zxvrL<*HBjhvL1|pq;|@|s1k%_b#rFdX=+$dIum-m7}V5VrlhDw4w#ETG=jPu>JX$T z7$GSf)5ZD+E$Jgd(tgN*w02#KK}713o8)L5BAQ_;s-k9$h1h%I{a{Mb z=nMZP&Tt57PL&F*oxA zh)F#$kPSoXlw%1nOjU}>Ei#y@Y<6q#SIKE_85s^#EjHS=0vtFB3HA@<7gazcH=IU=FP%io`v6LyP0L8-W^eb zk#4087Ahrd_b6r$^yFv>7Id3n$WaJ;%f^;fRFwJ0RZsKR2H#|~_E=Dh_k@LS6m^1Z z&Ir#?6_ah*!>Dq%s$naK(bQ;s>al)Wc()-*xrIR4H9wuhTRbv)NaL$ z+@K{uAIAX{W96omu^ezKCsKj}7+OD57 zyEXu2!?DwdBd~iIwwf1CZ)A|1U4oKvv>DN7#PHmJ zfG@IoYDiuI4Fr4hZkX5BFdKeD+ii0KGwNUyPn&JC`d{%+kt4zbUsn^P!yX`bj5u?OpTA`eWN}sQG5`#QMpN!BK|b1P~|G zWjlQnd{q-&MOF9;c!!$q%L>&*s1RU3)<>~I)K-Lq-NmO);P7uMG^3>&(;}N-15|NX zIMglEb*o~C zAHdp_{-b9xWFh0n1BVc$o$?MwS``;h;=ygfPg_YzByEuc&O>=gIXy zo>Q6K0N+|y>VF_Rz_>|ewdnWF(mECOTJQ#36;!~kHN_LG-QzE>ryd|HivpkTu8kU? z*-5ixnsR9@ZtfLMJp+sj$O-Z(2}%htwU|VGR6ZK*X#$s|_V~#(d4*z(5l=9Zu!im( ztHqwVl%vg*38Cb{-Hpq8r+qZ9w)$C5HDj-MOZZ-UT?GBsu`+pI_&yxF2YembdaIKu z9LJQ06p*4?ClUGl!@dU9l=UUd;_;qEJ$I^e&bvHu3vK8K-OsqR=yRd#CD)v2 zNL?;4@GasqyOp4vv=g_6{^g@gJ(FG{w8-6!V*d2Ag-kR`wjO4D0(#YQfoob^7qqyn z*D&Q_#UG8zA<};PTn9I&`5Q&VlsOkAY^{?|QZW_j7y#B-^fjmaq+b(r`he^k~@a)H>Ygt!)uPjWjj$ontZeT>B3<$9EfMZ97|Y6A??<;+=+6~FD$2VbC#~y zjLOlv;85*>mhLLELd^n;CiE=UtFfUbm&FfXwua6=&qEB+rpDv78NX;7h0>$7q|BGpn6*$7GdH zxXb)-l+=YdMGvu>-a}r@xQ%)KnUtU9o+7UJnS@y@HrE}M9^j77-Mv4jmoOR8QCWG} z&_$+`u>|5MgB}tkr^#BVVr&s9Zv4clv~q^*v#lTQtF*@+H5leI=F=ZD?|hx}GnwQB zpWh^An&hX~3HFi65u;A#SPn7uNM8fwM-Q^JpUdkgXQ?{6oho>0o+y{C2}e>heik~EpUBw4`N z@=f9{Vgd$XMifG82~#H|OeJ~^UeS0i|L6p`5#4Wfgdt^dh1}PPJERG!OoF*$T+(Y} zwrG!?IA(Ac))Jo^N=&loM2g_Ud)%9hPwGh1USoWF@$N~Q{V_>J&)v?Nz~@&rY29)c ze)YI>H7QrME$36@bniAKE&Wb$(kI-Zg~hqW>@7AvADZ!I*M%2Xd*@qR$o_MZM-J4J zh?e&uX?oS32E-MXyGd0{RMdniALD%8_DBV^+g~KUpyb>pxMSLJcABOKLU>zGvX9;h z!~MkFscE5lzRGUgE7Wp6yxr-=Mm1@LkaPy>LIF80s}rHKi9d3fEW_)!`Ca?wQEW*y z7uWEX-g8%r_Y2}Hvn%RsVXa~8&8d=Cm^H9Q;yUCWO$~Ju(QPU*xfGPxX2tB9aJ6%p zF2A)u#Y@Z^^RLEln28ned*h+NqhZ-_Sc~eGilcQ%EMrDbiw(zx7M$;5+hiSL20a3K zbU8f`7ru_NTvCM{#AM~t6q135F({)c$n_q)d#m^g)@3(PFA58H(k{b(h1F^u^WNFW`@mo&nx>mM?R3* zMGM%6iNF+*o2PoS4rDRIQnNB0P?7KB+alT+?gR2UImUR%tHnazr@3#ix$}m(Ut^a& z#!b`Zw&jU~oG~SJ-pwSoNO`-+c!66@q(3p8!__Wws#fs3_7GKM$OwMI4z4*^pvB^j zVQ=!&4EdWiwx77JPo|C%xC133Q$K7KvS%BWsBy@iarCx|`~$Hish4G#y}h@7e$LL*9wOS`y=98MSjB<@;OY})y$&VX%XU>1zu<6w1TWEf3ak% zbWS-|!~4RCj$M+@Gx;@JYg&Z%{PGGfj47_+lw*2`Y(G_GGOR26v3)yp_WcSzem5=j zdFcmTO6VM4K+@+jg_TY&`v|F@#I}<&aWaOicnKcg^`puAa!A%5#{FwMc&N(06CY3F znE-mA#!w$m^d>z^Hr}27>@{P~lB#aKGiAA>;ic?7%J?Wb_(oBrwxgMVLkZ^zv%)T%?%U{msd#ZvRPwlny*WW zDxuV(^oL!I8LqIV)n~c3FbtPTgq3Ta@@Bc0ClV`mwt|Oh-z==w_w1#TWy#Z@D2PfB z^@RJVow6Eq!qr(QUI|P2X46@e8~c*@D8Wu$COe8h|GH-r9eDw(h4N~A1GS0g#0kkw z4Xexc^^JW!ZCthR*2$CP;er$6GRuwIBYe91({xnc_GWJPN4aTarhQn(>K4BCLsvT~ zkIBRBJ*{_(gL2`s~=TdNCXqc(g7O#^10|b3v(r`|*JU z+u@V*pXBfIXmoHLR=NP_0>t_bh?PmlACu$S6*Xen#L^>n&P!j!rktk%0D zNnA?V`PVGA^tsQ&o^y0$CSsvDfv!RF;HFpM-n><>o?AZg>7(Z&8%Ej^`b%Qn^29@I zX82D2#hmGxvoZLXF~|OJnEzcaOK!Fo5Ld^RLXKr~x`f#m0 zHEow2>{UkmfE+9t@#x=DD-ug8a*y+qjBsLI=2fc$L9SM`TLH(?QPx)R3*bcpN!omo zB4Dri(pGt#V0{!i;a+-NO!7G0Dt7z#@pKZKbgOe1)|-9danEn*NETwDORP2H@$WT- ztY^+gg{|+EeUc-P70aYhA3r&(Y@|Z!`_72x`D%tsJ(pTIv3b&xdTyHXMj?hnN&Ox6 zar1A_SvhPU@%>pC9V{#r3ss{%txJB^pLUeEqtac>R=v$bp3KsJVFlGk#0>b}{ z)w(a;!PdU=@Dw7f^~S}0fgu|YRU0|9-97tj$zyZBAz;HZ?x1&#;Mqmkfk(4WVcTdO$F^T7dP!3Qr z%_18Y16VXr(#O*tTYwMiEK*Q91<}SJWIY0IrBD_+$#{YRtd zgO5PBoWamF9^{-aH<2F{n$23H*kmtFpe&|t1eW<&XVC`r-Dsr_|I65?l@{v!5A^9@ z+NbmA-+?-?ZeXnw=TXfANPtxaV(@@5c#KgsPM{z1tEE2%PtW{L)@3mcvr-q6Ql@+n z*JU6~WFe5l`5lQ)1Do`fL6x>B>#-$H!Z!WNn3OW{!b*qm%rx)!ogmjlqFjnP@9Ujiz@WwQ0Au?UXSypG<3lknKlUVnNA`;-Hid5gxd zJr&y+*1&bxp&qY^DVL6@Y(y}(gYg)I`VmSKF_%Hb0lGyLS#cq~Rd-Wz>T&9P8pioY z6Pj?sP#NODzbpsFp(GbmX|~h_KWpXRqx4eB?uflVWk+WXN;=h5|3nI?s`?+v6V+{0 z(5OZb+b#+>ReYC#mKvCVN^cN!QJ7QFh!4UBRKf1cfing)Q6K8P!Ktm5Uhw2z2Eu(= zfjA6*YO2_X5e0~&weL@ShcF&34-$u(A5ry)G@Gs~9T*M46?LfoWL+%9^mZ9&IAf>` zabSo8LmU|5zz_%i%{lN@cj50{F7Q4H*L@FCalF3?zJuzIoe>y>U}aY#0nnOc1DvVqvZ zBsz5UB(XE0ET*wXnl)J5+|W9`rJ=2&wXM;LxLy$g`V)*RLcm=q0`!Kii~^b$yrM0j zUv^~(XjtirD4_YKD?)&-=9M9ETqy!8Jbood83`CFLmU|5zz_%i-*e!9=`OrtzvM2= zsBcGloss',`IDH_Glossary')") -; - - -[FILES] -; The files section is where you specify to the Help Compiler which -; Rich Text Format (.RTF) (your help source) files will be used in the -; Help system. RoboHELP generates and maintains the main .RTF -; file for your Help System. If you desire to have multiple .RTF files, -; simply add the additonal names to the [FILES] section. - -KERBNET.RTF -[ALIAS] -; The Alias section allows you to set up aliases for context strings -; in your help system. -; -; Brief example: -; -; IDH_UserID = IDH_RoboGenerated_Id -; IDH_WMP_MenuID = IDH_RoboGenerated_Id -; IDH_Any = IDH_AnyOther - -[MAP] -; -; The Map Section is where the C language #defines are translated -; or mapped into the Help System Context Strings. Standard C syntax -; can be employed. The .HH file is meant to be #include(d) into your -; Windows application source code. -; - -[BITMAPS] -; -; The [BITMAPS] section is where you list any Bitmaps which have -; been placed by reference in the Help System. See the Help compiler -; documentation for more information about placing bitmaps. -; -; The [BITMAPS] section is not really required under Windows 3.1, -; with the advent of the BMROOT item in the [OPTIONS] section. -; -;FOO1.BMP -;FOO2.BMP -;C:\FOO\FOO3.BMP -;And So On - -[WINDOWS] -; Windows Help can display help in one of 5 secondary windows. -; Before using a secondary window, the window must be defined -; in this section: -; -;Gloss = "Glossary",(100,100,350,350),0,(255,255,255),(255,255,255) -main=,,0,, - -[BAGGAGE] -; -; The Baggage section allows the user to include files which -; will be placed in the internal file system for WinHelp. -; Using files from Baggage is a little faster for CDROM, since -; the CDROM drive table does not need to be read from disk. -; -; Baggage files are referred to as regular bitmaps, except -; that you prefix the filename with '!'. -; -; For Instance: -; {bmc !bitmap.bmp} instead of {bmc bitmap.bmp} -; diff --git a/src/windows/cns/kpasswd.c b/src/windows/cns/kpasswd.c deleted file mode 100644 index 09991c3..0000000 --- a/src/windows/cns/kpasswd.c +++ /dev/null @@ -1,90 +0,0 @@ -/* - * Copyright (c) 1997 Cygnus Solutions. - * - * Author: Michael Graff - */ - -#include -#include -#include - -#include "krb5.h" -#include "com_err.h" - -#include "cns.h" - -#include "../lib/gic.h" - -/* - * k5_change_password - * - * Use the new functions to change the password. - */ -krb5_error_code -k5_change_password(HWND hwnd, krb5_context context, char *user, char *realm, - char *opasswd, char *npasswd, char **text) -{ - krb5_error_code ret; - krb5_data result_string; - krb5_data result_code_string; - int result_code; - krb5_get_init_creds_opt opts; - krb5_creds creds; - krb5_principal princ; - char *name; - gic_data gd; - - *text = NULL; - - name = malloc(strlen(user) + strlen(realm) + 2); - if (name == NULL) { - *text = "Failed to allocate memory while changing password"; - return 1; - } - sprintf(name, "%s@%s", user, realm); - - ret = krb5_parse_name(context, name, &princ); - free(name); - if (ret) { - *text = "while parsing name"; - return ret; - } - - krb5_get_init_creds_opt_init(&opts); - krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); - krb5_get_init_creds_opt_set_renew_life(&opts, 0); - krb5_get_init_creds_opt_set_forwardable(&opts, 0); - krb5_get_init_creds_opt_set_proxiable(&opts, 0); - - gd.hinstance = hinstance; - gd.hwnd = hwnd; - gd.id = ID_VARDLG; - - ret = krb5_get_init_creds_password(context, &creds, princ, opasswd, gic_prompter, - &gd, 0, "kadmin/changepw", &opts); - if (ret) { - *text = "while getting creds"; - return ret; - } - - ret = krb5_change_password(context, &creds, npasswd, &result_code, &result_code_string, - &result_string); - if (ret) { - *text = "while changing password"; - return ret; - } - - if (result_code) { - *text = malloc(result_code_string.length + result_string.length + 3); - if (*text == NULL) - return -1; - - sprintf(*text, "%.*s%s%.*s", - result_code_string.length, result_code_string.data, - (result_string.length ? ": " : ""), - result_string.length, - result_string.data ? result_string.data : ""); - } - - return 0; -} diff --git a/src/windows/cns/krb5.def b/src/windows/cns/krb5.def deleted file mode 100644 index 6a88ffb..0000000 --- a/src/windows/cns/krb5.def +++ /dev/null @@ -1,9 +0,0 @@ -NAME KRB5 -DESCRIPTION 'KRB5 - Credentials Manager' -EXETYPE WINDOWS -STUB 'WINSTUB.EXE' -SEGMENTS _TEXT CLASS 'CODE' PRELOAD -CODE DISCARDABLE -DATA PRELOAD MULTIPLE MOVEABLE -HEAPSIZE 20480 -STACKSIZE 20480 diff --git a/src/windows/cns/krbini.h b/src/windows/cns/krbini.h deleted file mode 100644 index c6113d1..0000000 --- a/src/windows/cns/krbini.h +++ /dev/null @@ -1,37 +0,0 @@ -/* Kerberos changed window message */ -#define WM_KERBEROS_CHANGED "Kerberos Changed" - -/* Kerberos Windows initialization file */ -#define KERBEROS_INI "kerberos.ini" -#ifdef CYGNUS -#define KERBEROS_HLP "kerbnet.hlp" -#else -#define KERBEROS_HLP "krb5.hlp" -#endif -#define INI_DEFAULTS "Defaults" -#define INI_USER "User" /* Default user */ -#define INI_INSTANCE "Instance" /* Default instance */ -#define INI_REALM "Realm" /* Default realm */ -#define INI_POSITION "Position" -#define INI_OPTIONS "Options" -#define INI_DURATION "Duration" /* Ticket duration in minutes */ -#define INI_EXPIRATION "Expiration" /* Action on expiration (alert or beep) */ -#define INI_ALERT "Alert" -#define INI_BEEP "Beep" -#define INI_FILES "Files" -#ifdef KRB4 -#define INI_KRB_CONF "krb.conf" /* Location of krb.conf file */ -#define DEF_KRB_CONF "krb.conf" /* Default name for krb.conf file */ -#endif /* KRB4 */ -#ifdef KRB5 -#define INI_KRB5_CONF "krb5.ini" /* From k5-config.h */ -#define INI_KRB_CONF INI_KRB5_CONF /* Location of krb.conf file */ -#define DEF_KRB_CONF INI_KRB5_CONF /* Default name for krb.conf file */ -#define INI_TICKETOPTS "TicketOptions" /* Ticket options */ -#define INI_FORWARDABLE "Forwardable" /* get forwardable tickets */ -#define INI_KRB_CCACHE "krb5cc" /* From k5-config.h */ -#endif /* KRB5 */ -#define INI_KRB_REALMS "krb.realms" /* Location of krb.realms file */ -#define DEF_KRB_REALMS "krb.realms" /* Default name for krb.realms file */ -#define INI_RECENT_LOGINS "Recent Logins" -#define INI_LOGIN "Login" diff --git a/src/windows/cns/options.c b/src/windows/cns/options.c deleted file mode 100644 index 0992f1a..0000000 --- a/src/windows/cns/options.c +++ /dev/null @@ -1,232 +0,0 @@ -/* - * Copyright 1994 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* - * functions to tweak the options dialog - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "cns.h" -#include "tktlist.h" -#include "cns_reg.h" - -/* - * Function: Process WM_INITDIALOG messages for the options dialog. - * Set up all initial dialog values from the KERBEROS_INI file. - * - * Returns: TRUE if we didn't set the focus here, - * FALSE if we did. - */ -BOOL -opts_initdialog(HWND hwnd, HWND hwndFocus, LPARAM lParam) -{ - center_dialog(hwnd); - set_dialog_font(hwnd, hfontdialog); - - /* krb.conf file */ - strcpy(confname, cns_res.confname); -#ifndef _WIN32 - _strupr(confname); -#endif - SetDlgItemText(hwnd, IDD_CONF, confname); - - if (cns_res.conf_override == 0) - EnableWindow(GetDlgItem(hwnd, IDD_CONF), 0); - else - EnableWindow(GetDlgItem(hwnd, IDD_CONF), 1); - - /* Credential cache file */ - strcpy(ccname, cns_res.ccname); -#ifndef _WIN32 - _strupr(ccname); -#endif - SetDlgItemText(hwnd, IDD_CCACHE, ccname); - - if (cns_res.cc_override == 0) - EnableWindow(GetDlgItem(hwnd, IDD_CCACHE), 0); - else - EnableWindow(GetDlgItem(hwnd, IDD_CCACHE), 1); - - /* Ticket duration */ - SetDlgItemInt(hwnd, IDD_LIFETIME, cns_res.lifetime, FALSE); - - /* Expiration action */ - alert = cns_res.alert; - SendDlgItemMessage(hwnd, IDD_ALERT, BM_SETCHECK, alert, 0); - - beep = cns_res.beep; - SendDlgItemMessage(hwnd, IDD_BEEP, BM_SETCHECK, beep, 0); - - forwardable = cns_res.forwardable; - SendDlgItemMessage(hwnd, IDD_FORWARDABLE, BM_SETCHECK, forwardable, 0); - - noaddresses = cns_res.noaddresses; - SendDlgItemMessage(hwnd, IDD_NOADDRESSES, BM_SETCHECK, noaddresses, 0); - - return TRUE; -} - - -/* - * Function: Process WM_COMMAND messages for the options dialog. - */ -void -opts_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify) -{ - char newname[FILENAME_MAX]; - BOOL b; - int lifetime; - - switch (cid) { - case IDOK: - - /* Ticket duration */ - lifetime = GetDlgItemInt(hwnd, IDD_LIFETIME, &b, FALSE); - - if (!b) { - MessageBox(hwnd, "Lifetime must be a number!", "", - MB_OK | MB_ICONEXCLAMATION); - return; /* TRUE */ - } - - cns_res.lifetime = lifetime; - - if (cns_res.conf_override) { - /* krb.conf file */ - GetDlgItemText(hwnd, IDD_CONF, newname, sizeof(newname)); - trim(newname); - if (newname[0] == '\0') - strcpy(newname, cns_res.def_confname); - if (_stricmp(newname, confname)) { /* file name changed */ - MessageBox(NULL, - "Change to configuration file location requires a restart" - "of KerbNet.\n" - "Please exit this application and restart it for the change to take" - "effect", - "", MB_OK | MB_ICONEXCLAMATION); - } - strcpy(confname, newname); - } - - /* Credential cache file */ - GetDlgItemText(hwnd, IDD_CCACHE, newname, sizeof(newname)); - trim(newname); - - if (newname[0] == '\0') - strcpy(newname, cns_res.def_ccname); - - if (_stricmp(ccname, newname)) { /* Did we change ccache file? */ - krb5_error_code code; - krb5_ccache cctemp; - - code = k5_init_ccache(&cctemp); - if (code) { /* Problem opening new one? */ - com_err(NULL, code, - "while changing ccache.\r\nRestoring old ccache."); - } else { - strcpy(ccname, newname); - strcpy(cns_res.ccname, newname); - - code = krb5_cc_close(k5_context, k5_ccache); - k5_ccache = cctemp; /* Copy new into old */ - if (k5_name_from_ccache(k5_ccache)) { - kwin_init_name(GetParent(hwnd), ""); - kwin_set_default_focus(GetParent(hwnd)); - } - ticket_init_list(GetDlgItem (GetParent(hwnd), - IDD_TICKET_LIST)); - } - } - - /* - * get values for the clickboxes - */ - alert = SendDlgItemMessage(hwnd, IDD_ALERT, BM_GETCHECK, 0, 0); - cns_res.alert = alert; - - beep = SendDlgItemMessage(hwnd, IDD_BEEP, BM_GETCHECK, 0, 0); - cns_res.beep = beep; - - forwardable = SendDlgItemMessage(hwnd, IDD_FORWARDABLE, BM_GETCHECK, 0, 0); - cns_res.forwardable = forwardable; - - noaddresses = SendDlgItemMessage(hwnd, IDD_NOADDRESSES, BM_GETCHECK, 0, 0); - cns_res.noaddresses = noaddresses; - - EndDialog(hwnd, IDOK); - - return; /* TRUE */ - - case IDCANCEL: - EndDialog(hwnd, IDCANCEL); - - return; /* TRUE */ - } - - return; /* FALSE */ -} - - -/* - * Function: Process dialog specific messages for the opts dialog. - */ -BOOL CALLBACK -opts_dlg_proc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - switch (message) { - HANDLE_MSG(hwnd, WM_INITDIALOG, opts_initdialog); - - HANDLE_MSG(hwnd, WM_COMMAND, opts_command); - } - - return FALSE; -} - - -/* - * Function: Display and process the options dialog. - * - * Parameters: - * hwnd - the parent window for the dialog - * - * Returns: TRUE if the dialog completed successfully, FALSE otherwise. - */ -BOOL -opts_dialog(HWND hwnd) -{ - DLGPROC dlgproc; - int rc; - -#ifdef _WIN32 - dlgproc = opts_dlg_proc; -#else - dlgproc = (FARPROC)MakeProcInstance(opts_dlg_proc, hinstance); - assert(dlgproc != NULL); - - if (dlgproc == NULL) - return FALSE; -#endif - - rc = DialogBox(hinstance, MAKEINTRESOURCE(ID_OPTS), hwnd, dlgproc); - assert(rc != -1); - -#ifndef _WIN32 - FreeProcInstance((FARPROC)dlgproc); -#endif - - return rc == IDOK; -} diff --git a/src/windows/cns/password.c b/src/windows/cns/password.c deleted file mode 100644 index b986659..0000000 --- a/src/windows/cns/password.c +++ /dev/null @@ -1,323 +0,0 @@ -/* - * Copyright 1994 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* - * functions to tweak the options dialog - */ - -#include -#include - -#include -#include -#include -#include -#include -#include -#include - -#include "cns.h" - -/* - * Function: Changes the password. - * - * Parameters: - * hwnd - the current window from which command was invoked. - * - * name - name of user to change password for - * - * instance - instance of user to change password for - * - * realm - realm in which to change password - * - * oldpw - the old password - * - * newpw - the new password to change to - * - * Returns: TRUE if change took place, FALSE otherwise. - */ -BOOL -change_password(HWND hwnd, char *name, char *instance, char *realm, - char *oldpw, char *newpw) -{ -#ifdef KRB4 - des_cblock new_key; - char *ret_st; - int krc; - char *p; - CREDENTIALS *c; - int ncred; - char pname[ANAME_SZ]; - char pinstance[INST_SZ]; - - push_credentials(&c, pname, pinstance, &ncred); - krc = krb_get_pw_in_tkt(name, instance, realm, PWSERV_NAME, KADM_SINST, - 1, oldpw); - - if (krc != KSUCCESS) { - if (krc == INTK_BADPW) - p = "Old password is incorrect"; - else - p = krb_get_err_text(krc); - pop_credentials(c, pname, pinstance, ncred); - MessageBox(hwnd, p, "", MB_OK | MB_ICONEXCLAMATION); - - return FALSE; - } - - krc = kadm_init_link(PWSERV_NAME, KRB_MASTER, realm); - - if (krc != KSUCCESS) { - pop_credentials(c, pname, pinstance, ncred); - MessageBox(hwnd, kadm_get_err_text(krc), "", MB_OK | MB_ICONEXCLAMATION); - - return FALSE; - } - - des_string_to_key(newpw, new_key); - krc = kadm_change_pw2(new_key, newpw, &ret_st); - pop_credentials(c, pname, pinstance, ncred); - - if (ret_st != NULL) - free(ret_st); - - if (krc != KSUCCESS) { - MessageBox(hwnd, kadm_get_err_text(krc), "", MB_OK | MB_ICONEXCLAMATION); - - return FALSE; - } - - return TRUE; -#endif /* KRB4 */ - -#ifdef KRB5 - char *msg; /* Message string */ - krb5_error_code code; /* Return value */ - code = k5_change_password(hwnd, k5_context, name, realm, oldpw, newpw, &msg); - - if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY) - MessageBox(NULL, "Password incorrect", NULL, MB_ICONEXCLAMATION); - else if (code == -1) - MessageBox(NULL, (msg ? msg : "Cannot change password"), NULL, - MB_ICONEXCLAMATION); - else if (code != 0) - com_err(NULL, code, (msg ? msg : "while changing password.")); - else - MessageBox(NULL, (msg ? msg : "Password changed"), "Kerberos", MB_OK | MB_APPLMODAL); - - return (code == 0); - -#endif /* KRB5 */ -} -/* - * Function: Process WM_COMMAND messages for the password dialog. - */ -void -password_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify) -{ - char name[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - char oldpw[MAX_KPW_LEN]; - char newpw1[MAX_KPW_LEN]; - char newpw2[MAX_KPW_LEN]; - HCURSOR hcursor; - BOOL b; - int id; - - if (codeNotify != BN_CLICKED) { - GetDlgItemText(hwnd, IDD_PASSWORD_NAME, name, sizeof(name)); - trim(name); - GetDlgItemText(hwnd, IDD_PASSWORD_REALM, realm, sizeof(realm)); - trim(realm); - GetDlgItemText(hwnd, IDD_OLD_PASSWORD, oldpw, sizeof(oldpw)); - GetDlgItemText(hwnd, IDD_NEW_PASSWORD1, newpw1, sizeof(newpw1)); - GetDlgItemText(hwnd, IDD_NEW_PASSWORD2, newpw2, sizeof(newpw2)); - b = strlen(name) && strlen(realm) && strlen(oldpw) && - strlen(newpw1) && strlen(newpw2); - EnableWindow(GetDlgItem(hwnd, IDOK), b); - id = (b) ? IDOK : IDD_PASSWORD_CR; - SendMessage(hwnd, DM_SETDEFID, id, 0); - - return; /* FALSE */ - } - - switch (cid) { - case IDOK: - if (isblocking) - return; /* TRUE */ - - GetDlgItemText(hwnd, IDD_PASSWORD_NAME, name, sizeof(name)); - trim(name); - GetDlgItemText(hwnd, IDD_PASSWORD_INSTANCE, instance, sizeof(instance)); - trim(instance); - GetDlgItemText(hwnd, IDD_PASSWORD_REALM, realm, sizeof(realm)); - trim(realm); - GetDlgItemText(hwnd, IDD_OLD_PASSWORD, oldpw, sizeof(oldpw)); - GetDlgItemText(hwnd, IDD_NEW_PASSWORD1, newpw1, sizeof(newpw1)); - GetDlgItemText(hwnd, IDD_NEW_PASSWORD2, newpw2, sizeof(newpw2)); - - if (strcmp(newpw1, newpw2) != 0) { - MessageBox(hwnd, "The two passwords you entered don't match!", "", - MB_OK | MB_ICONEXCLAMATION); - SetDlgItemText(hwnd, IDD_NEW_PASSWORD1, ""); - SetDlgItemText(hwnd, IDD_NEW_PASSWORD2, ""); - PostMessage(hwnd, WM_NEXTDLGCTL, - (WPARAM)GetDlgItem(hwnd, IDD_NEW_PASSWORD1), MAKELONG(1, 0)); - - return; /* TRUE */ - } - - hcursor = SetCursor(LoadCursor(NULL, IDC_WAIT)); - start_blocking_hook(BLOCK_MAX_SEC); - - if (change_password(hwnd, name, instance, realm, oldpw, newpw1)) - EndDialog(hwnd, IDOK); - else - PostMessage(hwnd, WM_NEXTDLGCTL, - (WPARAM)GetDlgItem(hwnd, IDD_OLD_PASSWORD), MAKELONG(1, 0)); - - end_blocking_hook(); - SetCursor(hcursor); - - return; /* TRUE */ - - case IDCANCEL: - if (isblocking) - WSACancelBlockingCall(); - EndDialog(hwnd, IDCANCEL); - - return; /* TRUE */ - - case IDD_PASSWORD_CR: - id = GetDlgCtrlID(GetFocus()); - assert(id != 0); - - if (id == IDD_NEW_PASSWORD2) - PostMessage(hwnd, WM_NEXTDLGCTL, - (WPARAM)GetDlgItem(hwnd, IDD_PASSWORD_NAME), MAKELONG(1, 0)); - else - PostMessage(hwnd, WM_NEXTDLGCTL, 0, 0); - - return; /* TRUE */ - - } - - return; /* FALSE */ -} - - -/* - * Function: Process WM_INITDIALOG messages for the password dialog. - * Set up all initial dialog values from the parent dialog. - * - * Returns: TRUE if we didn't set the focus here, - * FALSE if we did. - */ -BOOL -password_initdialog(HWND hwnd, HWND hwndFocus, LPARAM lParam) -{ - char name[ANAME_SZ]; - char realm[REALM_SZ]; - HWND hwndparent; - int id; -#ifdef KRB4 - char instance[INST_SZ]; -#endif - - center_dialog(hwnd); - set_dialog_font(hwnd, hfontdialog); - - hwndparent = GetParent(hwnd); - assert(hwndparent != NULL); - - GetDlgItemText(hwndparent, IDD_LOGIN_NAME, name, sizeof(name)); - trim(name); - SetDlgItemText(hwnd, IDD_PASSWORD_NAME, name); - -#ifdef KRB4 - GetDlgItemText(hwndparent, IDD_LOGIN_INSTANCE, instance, sizeof(instance)); - trim(instance); - SetDlgItemText(hwnd, IDD_PASSWORD_INSTANCE, instance); -#endif - - GetDlgItemText(hwndparent, IDD_LOGIN_REALM, realm, sizeof(realm)); - trim(realm); - SetDlgItemText(hwnd, IDD_PASSWORD_REALM, realm); - - if (strlen(name) == 0) - id = IDD_PASSWORD_NAME; - else if (strlen(realm) == 0) - id = IDD_PASSWORD_REALM; - else - id = IDD_OLD_PASSWORD; - - SetFocus(GetDlgItem(hwnd, id)); - - return FALSE; -} - - -/* - * Function: Process dialog specific messages for the password dialog. - */ -BOOL CALLBACK -password_dlg_proc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - switch (message) { - - HANDLE_MSG(hwnd, WM_INITDIALOG, password_initdialog); - - HANDLE_MSG(hwnd, WM_COMMAND, password_command); - - case WM_SETCURSOR: - if (isblocking) { - SetCursor(LoadCursor(NULL, IDC_WAIT)); - SetWindowLongPtr(hwnd, DWLP_MSGRESULT, TRUE); - - return TRUE; - } - break; - } - - return FALSE; -} - - -/* - * Function: Display and process the password dialog. - * - * Parameters: - * hwnd - the parent window for the dialog - * - * Returns: TRUE if the dialog completed successfully, FALSE otherwise. - */ -BOOL -password_dialog(HWND hwnd) -{ - DLGPROC dlgproc; - int rc; - -#ifdef _WIN32 - dlgproc = password_dlg_proc; -#else - dlgproc = (FARPROC)MakeProcInstance(password_dlg_proc, hinstance); - assert(dlgproc != NULL); - - if (dlgproc == NULL) - return FALSE; -#endif - - rc = DialogBox(hinstance, MAKEINTRESOURCE(ID_PASSWORD), hwnd, dlgproc); - assert(rc != -1); - -#ifndef _WIN32 - FreeProcInstance((FARPROC)dlgproc); -#endif - - return rc == IDOK; -} diff --git a/src/windows/cns/tktlist.c b/src/windows/cns/tktlist.c deleted file mode 100644 index f2805f5..0000000 --- a/src/windows/cns/tktlist.c +++ /dev/null @@ -1,432 +0,0 @@ -/* windows/cns/tktlist.c */ -/* - * Copyright 1994 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* Handle all actions of the Kerberos ticket list. */ - -#if !defined(KRB5) && !defined(KRB4) -#define KRB5 1 -#endif - -#include -#include - -#include -#include -#include -#include -#include - -#ifdef KRB4 -#include "mit-copyright.h" -#include "kerberos.h" -#endif - -#ifdef KRB5 -#include "winsock.h" -#include "krb5.h" -#include "com_err.h" -#endif - -#include "cns.h" -#include "tktlist.h" - -/* - * Ticket information for a list line - */ -typedef struct { - BOOL ticket; /* TRUE if this is a real ticket */ - time_t issue_time; /* time_t of issue */ - long lifetime; /* Lifetime for ticket in 5 minute intervals */ - char buf[0]; /* String to display */ -} TICKETINFO, *LPTICKETINFO; - -/* - * Function: Returns a standard ctime date with day of week and year - * removed. - * - * Parameters: - * t - time_t date to convert - * - * Returns: A pointer to the adjusted time value. - */ -static char * -short_date (time_t t) -{ - static char buf[26 - 4]; - char *p; - - p = ctime(&t); - assert(p != NULL); - - strcpy (buf, p + 4); - buf[12] = '\0'; - - return buf; -} - - -/*+ - * Function: Initializes and populates the ticket list with all existing - * Kerberos tickets. - * - * Parameters: - * hwnd - the window handle of the ticket window. - * - * Returns: Number of elements in the list or -1 on error - */ -int -ticket_init_list (HWND hwnd) -{ - int ncred; - LRESULT rc; - int l; - LPTICKETINFO lpinfo; - char buf[26+2 + 26+2 + ANAME_SZ+1 + INST_SZ+1 + REALM_SZ + 22]; -#ifdef KRB4 - int i; - time_t expiration; - char service[ANAME_SZ]; - char instance[INST_SZ]; - char realm[REALM_SZ]; - CREDENTIALS c; -#endif -#ifdef KRB5 - krb5_cc_cursor cursor; - krb5_error_code code; - krb5_creds c; - char *sname; /* Name of the service */ - char *flags_string(krb5_creds *cred); -#endif - - SetWindowRedraw(hwnd, FALSE); - - rc = ListBox_GetCount(hwnd); - assert(rc != LB_ERR); - - if (rc > 0) - ticket_destroy(hwnd); - - while (--rc >= 0) - ListBox_DeleteString(hwnd, rc); - -#ifdef KRB4 - ncred = krb_get_num_cred(); - for (i = 1; i <= ncred; i++) { - krb_get_nth_cred(service, instance, realm, i); - krb_get_cred(service, instance, realm, &c); - strcpy(buf, " "); - strncat(buf, short_date(c.issue_date - kwin_get_epoch()), - sizeof(buf) - 1 - strlen(buf)); - expiration = c.issue_date - kwin_get_epoch() + (long) c.lifetime * 5L * 60L; - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); - strncat(buf, short_date(expiration), sizeof(buf) - 1 - strlen(buf)); - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); - l = strlen(buf); - sprintf(&buf[l], "%s%s%s%s%s (%d)", - c.service, (c.instance[0] ? "." : ""), c.instance, - (c.realm[0] ? "@" : ""), c.realm, c.kvno); - l = strlen(buf); - - lpinfo = (LPTICKETINFO) malloc(sizeof(TICKETINFO) + l + 1); - assert(lpinfo != NULL); - - if (lpinfo == NULL) - return -1; - - lpinfo->ticket = TRUE; - lpinfo->issue_time = c.issue_date - kwin_get_epoch(); /* back to system time */ - lpinfo->lifetime = (long) c.lifetime * 5L * 60L; - strcpy(lpinfo->buf, buf); - - rc = ListBox_AddItemData(hwnd, lpinfo); - assert(rc >= 0); - - if (rc < 0) - return -1; - } - -#endif - -#ifdef KRB5 - - ncred = 0; - if (code = krb5_cc_start_seq_get(k5_context, k5_ccache, &cursor)) { - if (code != KRB5_FCC_NOFILE) { - return -1; - } - } else { - while (1) { - code = krb5_cc_next_cred(k5_context, k5_ccache, &cursor, &c); - if (code != 0) - break; - - ncred++; - strcpy (buf, " "); - strncat(buf, short_date (c.times.starttime - kwin_get_epoch()), - sizeof(buf) - 1 - strlen(buf)); - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); - strncat(buf, short_date (c.times.endtime - kwin_get_epoch()), - sizeof(buf) - 1 - strlen(buf)); - strncat(buf, " ", sizeof(buf) - 1 - strlen(buf)); - - /* Add ticket service name and realm */ - code = krb5_unparse_name (k5_context, c.server, &sname); - if (code) { - com_err (NULL, code, "while unparsing server name"); - break; - } - strncat (buf, sname, sizeof(buf) - 1 - strlen(buf)); - - strncat (buf, flags_string (&c), sizeof(buf) - 1 - strlen(buf)); /* Add flag info */ - - l = strlen(buf); - lpinfo = (LPTICKETINFO) malloc(sizeof(TICKETINFO) + l + 1); - assert(lpinfo != NULL); - - if (lpinfo == NULL) - return -1; - - lpinfo->ticket = TRUE; - lpinfo->issue_time = c.times.starttime - kwin_get_epoch(); - lpinfo->lifetime = c.times.endtime - c.times.starttime; - strcpy(lpinfo->buf, buf); - - rc = ListBox_AddItemData(hwnd, lpinfo); - assert(rc >= 0); - - if (rc < 0) - return -1; - } - if (code == KRB5_CC_END) { /* End of ccache */ - if (code = krb5_cc_end_seq_get(k5_context, k5_ccache, &cursor)) { - return -1; - } - } else { - return -1; - } - } -#endif - - if (ncred <= 0) { - strcpy(buf, " No Tickets"); - lpinfo = (LPTICKETINFO) malloc(sizeof(TICKETINFO) + strlen(buf) + 1); - assert(lpinfo != NULL); - - if (lpinfo == NULL) - return -1; - - lpinfo->ticket = FALSE; - strcpy (lpinfo->buf, buf); - rc = ListBox_AddItemData(hwnd, lpinfo); - assert(rc >= 0); - } - - SetWindowRedraw(hwnd, TRUE); - - return ncred; -} - - -/* - * Function: Destroy the ticket list. Make sure to delete all - * ticket entries created during ticket initialization. - * - * Parameters: - * hwnd - the window handle of the ticket window. - */ -void -ticket_destroy ( - HWND hwnd) -{ - int i; - int n; - LRESULT rc; - - n = ListBox_GetCount(hwnd); - - for (i = 0; i < n; i++) { - rc = ListBox_GetItemData(hwnd, i); - assert(rc != LB_ERR); - - if (rc != LB_ERR) - free ((void *) rc); - } -} - - -/* - * Function: Respond to the WM_MEASUREITEM message for the ticket list - * by setting each list item up at 1/4 inch hight. - */ -void -ticket_measureitem(HWND hwnd, MEASUREITEMSTRUCT *lpmi) -{ - int logpixelsy; - HDC hdc; - - if (lpmi->CtlID != IDD_TICKET_LIST) - return; - - hdc = GetDC(HWND_DESKTOP); - logpixelsy = GetDeviceCaps(hdc, LOGPIXELSY); - ReleaseDC(HWND_DESKTOP, hdc); - lpmi->itemHeight = logpixelsy / 4; /* 1/4 inch */ -} - - -/* - * Function: Respond to the WM_DRAWITEM message for the ticket list - * by displaying a single list item. - */ -void -ticket_drawitem(HWND hwnd, const DRAWITEMSTRUCT *lpdi) -{ - BOOL rc; - COLORREF bkcolor; - HBRUSH hbrush; - UINT textheight; - UINT alignment; - int left, top; - BOOL b; - LPTICKETINFO lpinfo; - HICON hicon; -#if 0 - COLORREF textcolor; - COLORREF orgbkcolor; - COLORREF orgtextcolor; -#endif - SIZE Size; - - if (lpdi->CtlID != IDD_TICKET_LIST) - return; - - lpinfo = (LPTICKETINFO) lpdi->itemData; - - if (lpdi->itemAction == ODA_FOCUS) - return; - -#if 0 - if (lpdi->itemState & ODS_SELECTED) { - textcolor = GetSysColor(COLOR_HIGHLIGHTTEXT); - bkcolor = GetSysColor(COLOR_HIGHLIGHT); - - orgtextcolor = SetTextColor(lpdi->hDC, textcolor); - assert(textcolor != 0x80000000); - - orgbkcolor = SetBkColor(lpdi->hDC, bkcolor); - assert(bkcolor != 0x80000000); - } - else -#endif - - bkcolor = GetBkColor(lpdi->hDC); - hbrush = CreateSolidBrush(bkcolor); - assert(hbrush != NULL); - - FillRect(lpdi->hDC, &(lpdi->rcItem), hbrush); - DeleteObject(hbrush); - - /* - * Display the appropriate icon - */ - if (lpinfo->ticket) { - hicon = kwin_get_icon(lpinfo->issue_time + lpinfo->lifetime); - left = lpdi->rcItem.left - (32 - ICON_WIDTH) / 2; - top = lpdi->rcItem.top; - top += (lpdi->rcItem.bottom - lpdi->rcItem.top - 32) / 2; - - b = DrawIcon(lpdi->hDC, left, top, hicon); - assert(b); - } - - /* - * Display centered string - */ -#ifdef _WIN32 - GetTextExtentPoint32(lpdi->hDC, "X", 1, &Size); -#else - GetTextExtentPoint(lpdi->hDC, "X", 1, &Size); -#endif - - textheight = Size.cy; - - alignment = SetTextAlign(lpdi->hDC, TA_TOP | TA_LEFT); - - if (lpinfo->ticket) - left = lpdi->rcItem.left + ICON_WIDTH; - else - left = lpdi->rcItem.left; - - top = lpdi->rcItem.top; - top += (lpdi->rcItem.bottom - lpdi->rcItem.top - textheight) / 2; - rc = TextOut(lpdi->hDC, left, top, (LPSTR) lpinfo->buf, - strlen((LPSTR) lpinfo->buf)); - assert(rc); - - alignment = SetTextAlign(lpdi->hDC, alignment); - -#if 0 - if (lpdi->itemState & ODS_SELECTED) { - textcolor = SetTextColor(lpdi->hDC, orgtextcolor); - assert(textcolor != 0x80000000); - - bkcolor = SetBkColor(lpdi->hDC, orgbkcolor); - assert(bkcolor != 0x80000000); - } - -#endif -} - - -#ifdef KRB5 - -/* - * - * Flags_string - * - * Return buffer with the current flags for the credential - * - */ -char * -flags_string(krb5_creds *cred) { - static char buf[32]; - int i = 0; - - buf[i++] = ' '; - buf[i++] = '('; - if (cred->ticket_flags & TKT_FLG_FORWARDABLE) - buf[i++] = 'F'; - if (cred->ticket_flags & TKT_FLG_FORWARDED) - buf[i++] = 'f'; - if (cred->ticket_flags & TKT_FLG_PROXIABLE) - buf[i++] = 'P'; - if (cred->ticket_flags & TKT_FLG_PROXY) - buf[i++] = 'p'; - if (cred->ticket_flags & TKT_FLG_MAY_POSTDATE) - buf[i++] = 'D'; - if (cred->ticket_flags & TKT_FLG_POSTDATED) - buf[i++] = 'd'; - if (cred->ticket_flags & TKT_FLG_INVALID) - buf[i++] = 'i'; - if (cred->ticket_flags & TKT_FLG_RENEWABLE) - buf[i++] = 'R'; - if (cred->ticket_flags & TKT_FLG_INITIAL) - buf[i++] = 'I'; - if (cred->ticket_flags & TKT_FLG_HW_AUTH) - buf[i++] = 'H'; - if (cred->ticket_flags & TKT_FLG_PRE_AUTH) - buf[i++] = 'A'; - - buf[i++] = ')'; - buf[i] = '\0'; - if (i <= 3) - buf[0] = '\0'; - return(buf); -} - -#endif /* KRB5 */ diff --git a/src/windows/cns/tktlist.h b/src/windows/cns/tktlist.h deleted file mode 100644 index 96d6ff8..0000000 --- a/src/windows/cns/tktlist.h +++ /dev/null @@ -1,26 +0,0 @@ -/* windows/cns/tktlist.h */ -/* - * Copyright 1994 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - */ - -/* Handle all actions of the Kerberos ticket list. */ - -/* Only one time, please */ -#ifndef TKTLIST_DEFS -#define TKTLIST_DEFS - -/* - * Prototypes - */ -BOOL ticket_init_list(HWND); - -void ticket_destroy(HWND); - -void ticket_measureitem(HWND, MEASUREITEMSTRUCT *); - -void ticket_drawitem(HWND, const DRAWITEMSTRUCT *); - -#endif diff --git a/src/windows/include/arpa/nameser.h b/src/windows/include/arpa/nameser.h deleted file mode 100644 index f9ddafc..0000000 --- a/src/windows/include/arpa/nameser.h +++ /dev/null @@ -1,263 +0,0 @@ -/* - * @doc - * @module nameser.h | - * Copyright (c) 1983, 1989 Regents of the University of California. - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)nameser.h 5.25 (Berkeley) 4/3/91 - */ - -#ifndef _NAMESER_H_ -#define _NAMESER_H_ - -/* - * Define constants based on rfc883 - */ -#define PACKETSZ 512 /* maximum packet size */ -#define MAXDNAME 256 /* maximum domain name */ -#define MAXCDNAME 255 /* maximum compressed domain name */ -#define MAXLABEL 63 /* maximum length of domain label */ - /* Number of bytes of fixed size data in query structure */ -#define QFIXEDSZ 4 - /* number of bytes of fixed size data in resource record */ -#define RRFIXEDSZ 10 - -#if !defined(MAXHOSTNAME) -#define MAXHOSTNAME MAXCDNAME -#endif - -/* - * Internet nameserver port number - */ -#define NAMESERVER_PORT 53 - -/* - * Currently defined opcodes - */ -#define QUERY 0x0 /* standard query */ -#define IQUERY 0x1 /* inverse query */ -#define STATUS 0x2 /* nameserver status query */ -/*#define xxx 0x3 /* 0x3 reserved */ - /* non standard */ -#define UPDATEA 0x9 /* add resource record */ -#define UPDATED 0xa /* delete a specific resource record */ -#define UPDATEDA 0xb /* delete all nemed resource record */ -#define UPDATEM 0xc /* modify a specific resource record */ -#define UPDATEMA 0xd /* modify all named resource record */ - -#define ZONEINIT 0xe /* initial zone transfer */ -#define ZONEREF 0xf /* incremental zone referesh */ - -/* - * Currently defined response codes - */ -#define NOERROR 0 /* no error */ -#define FORMERR 1 /* format error */ -#define SERVFAIL 2 /* server failure */ -#define NXDOMAIN 3 /* non existent domain */ -#define NOTIMP 4 /* not implemented */ -#define REFUSED 5 /* query refused */ - /* non standard */ -#define NOCHANGE 0xf /* update failed to change db */ - -/* - * Type values for resources and queries - */ -#define T_A 1 /* host address */ -#define T_NS 2 /* authoritative server */ -#define T_MD 3 /* mail destination */ -#define T_MF 4 /* mail forwarder */ -#define T_CNAME 5 /* connonical name */ -#define T_SOA 6 /* start of authority zone */ -#define T_MB 7 /* mailbox domain name */ -#define T_MG 8 /* mail group member */ -#define T_MR 9 /* mail rename name */ -#define T_NULL 10 /* null resource record */ -#define T_WKS 11 /* well known service */ -#define T_PTR 12 /* domain name pointer */ -#define T_HINFO 13 /* host information */ -#define T_MINFO 14 /* mailbox information */ -#define T_MX 15 /* mail routing information */ -#define T_TXT 16 /* text strings */ - /* non standard */ -#define T_UINFO 100 /* user (finger) information */ -#define T_UID 101 /* user ID */ -#define T_GID 102 /* group ID */ -#define T_UNSPEC 103 /* Unspecified format (binary data) */ - /* Query type values which do not appear in resource records */ -#define T_AXFR 252 /* transfer zone of authority */ -#define T_MAILB 253 /* transfer mailbox records */ -#define T_MAILA 254 /* transfer mail agent records */ -#define T_ANY 255 /* wildcard match */ - -/* - * Values for class field - */ - -#define C_IN 1 /* the arpa internet */ -#define C_CHAOS 3 /* for chaos net at MIT */ -#define C_HS 4 /* for Hesiod name server at MIT */ - /* Query class values which do not appear in resource records */ -#define C_ANY 255 /* wildcard match */ - -/* - * Status return codes for T_UNSPEC conversion routines - */ -#define CONV_SUCCESS 0 -#define CONV_OVERFLOW -1 -#define CONV_BADFMT -2 -#define CONV_BADCKSUM -3 -#define CONV_BADBUFLEN -4 - -#ifndef BYTE_ORDER -#define LITTLE_ENDIAN 1234 /* least-significant byte first (vax) */ -#define BIG_ENDIAN 4321 /* most-significant byte first (IBM, net) */ -#define PDP_ENDIAN 3412 /* LSB first in word, MSW first in long (pdp) */ - -#if defined(vax) || defined(ns32000) || defined(sun386) || defined(MIPSEL) || \ - defined(BIT_ZERO_ON_RIGHT) -#define BYTE_ORDER LITTLE_ENDIAN - -#endif -#if defined(sel) || defined(pyr) || defined(mc68000) || defined(sparc) || \ - defined(is68k) || defined(tahoe) || defined(ibm032) || defined(ibm370) || \ - defined(MIPSEB) || defined (BIT_ZERO_ON_LEFT) -#define BYTE_ORDER BIG_ENDIAN -#endif -#endif /* BYTE_ORDER */ - -#ifndef BYTE_ORDER - /* you must determine what the correct bit order is for your compiler */ - #define BYTE_ORDER LITTLE_ENDIAN /* for Intel x86 series */ -#endif -/* - * Structure for query header, the order of the fields is machine and - * compiler dependent, in our case, the bits within a byte are assignd - * least significant first, while the order of transmition is most - * significant first. This requires a somewhat confusing rearrangement. - */ - -#if defined (_WINDLL) || (_WIN32) -/* define UNIX types */ -#include -#endif - -typedef struct { - u_short id; /* query identification number */ -#if BYTE_ORDER == BIG_ENDIAN - /* fields in third byte */ - u_char qr:1; /* response flag */ - u_char opcode:4; /* purpose of message */ - u_char aa:1; /* authoritive answer */ - u_char tc:1; /* truncated message */ - u_char rd:1; /* recursion desired */ - /* fields in fourth byte */ - u_char ra:1; /* recursion available */ - u_char pr:1; /* primary server required (non standard) */ - u_char unused:2; /* unused bits */ - u_char rcode:4; /* response code */ -#endif -#if BYTE_ORDER == LITTLE_ENDIAN || BYTE_ORDER == PDP_ENDIAN - /* fields in third byte */ - u_char rd:1; /* recursion desired */ - u_char tc:1; /* truncated message */ - u_char aa:1; /* authoritive answer */ - u_char opcode:4; /* purpose of message */ - u_char qr:1; /* response flag */ - /* fields in fourth byte */ - u_char rcode:4; /* response code */ - u_char unused:2; /* unused bits */ - u_char pr:1; /* primary server required (non standard) */ - u_char ra:1; /* recursion available */ -#endif - /* remaining bytes */ - u_short qdcount; /* number of question entries */ - u_short ancount; /* number of answer entries */ - u_short nscount; /* number of authority entries */ - u_short arcount; /* number of resource entries */ -} HEADER; - -/* - * Defines for handling compressed domain names - */ -#define INDIR_MASK 0xc0 - -/* - * Structure for passing resource records around. - */ -struct rrec { - short r_zone; /* zone number */ - short r_class; /* class number */ - short r_type; /* type number */ - u_long r_ttl; /* time to live */ - int r_size; /* size of data area */ - char *r_data; /* pointer to data */ -}; - -extern u_short _getshort(); -extern u_long _getlong(); - -/* - * Inline versions of get/put short/long. - * Pointer is advanced; we assume that both arguments - * are lvalues and will already be in registers. - * cp MUST be u_char *. - */ -#define GETSHORT(s, cp) { \ - (s) = *(cp)++ << 8; \ - (s) |= *(cp)++; \ -} - -#define GETLONG(l, cp) { \ - (l) = *(cp)++ << 8; \ - (l) |= *(cp)++; (l) <<= 8; \ - (l) |= *(cp)++; (l) <<= 8; \ - (l) |= *(cp)++; \ -} - - -#define PUTSHORT(s, cp) { \ - *(cp)++ = (s) >> 8; \ - *(cp)++ = (s); \ -} - -/* - * Warning: PUTLONG destroys its first argument. - */ -#define PUTLONG(l, cp) { \ - (cp)[3] = l; \ - (cp)[2] = (l >>= 8); \ - (cp)[1] = (l >>= 8); \ - (cp)[0] = l >> 8; \ - (cp) += sizeof(u_long); \ -} - -#endif /* !_NAMESER_H_ */ diff --git a/src/windows/include/hesiod.h b/src/windows/include/hesiod.h deleted file mode 100644 index 3005929..0000000 --- a/src/windows/include/hesiod.h +++ /dev/null @@ -1,217 +0,0 @@ -/*! \file hesiod.h - * WSHelper DNS/Hesiod Library - * - * This file contains the function declaration for: \n - * hes_to_bind() \n - * hes_resolve() \n - * hes_error() \n - * hes_free() \n - * hes_getmailhost() \n - * hes_getservbyname() \n - * hes_getpwnam() \n - * hes_getpwuid() \n -*/ - -#ifndef _HESIOD_ -#define _HESIOD_ - - -#include - -/*! \def HESIOD_CONF - * name of the hesiod configuration file. We will look at the file to determine the RHS AND LHS value before using the default. - * Here is a sample hesiod.cfg file: \n - * lhs .ns \n - * rhs .ATHENA.MIT.EDU \n - */ -#define HESIOD_CONF "c:\\net\\tcp\\hesiod.cfg" - -/*! \def DEF_RHS - * default RHS value is the hesiod configuration file is not present - */ -#define DEF_RHS ".Athena.MIT.EDU" - -/*! \def DEF_LHS - * default LHS value is the hesiod configuration file is not present - */ -#define DEF_LHS ".ns" - -/*! \def HES_ER_UNINIT - * HES error code: uninitialized - */ -#define HES_ER_UNINIT -1 - -/*! \def HES_ER_OK - * HES error code: no error - */ -#define HES_ER_OK 0 - -/*! \def HES_ER_NOTFOUND - * HES error code: Hesiod name not found by server - */ -#define HES_ER_NOTFOUND 1 - -/*! \def HES_ER_CONFIG - * HES error code: local problem (no config file?) - */ -#define HES_ER_CONFIG 2 - -/*! \def HES_ER_NET - * HES error code: network problem - */ -#define HES_ER_NET 3 - - -#ifdef __cplusplus -extern "C" { -#endif - -/*! \fn LPSTR WINAPI hes_to_bind(LPSTR HesiodName, LPSTR HesiodNameType) - * hes_to_bind function use the LHS and RHS values and - * binds them with the parameters so that a well formed DNS query may - * be performed. - * - * defined in hesiod.c - * - * \param[in] HesiodName The Hesiod name such as a username or service name - * \param[in] HesiodNameType The Hesiod name type such as pobox, passwd, or sloc - * \retval Returns NULL if there was an error. Otherwise the pointer to a string containing a valid query is returned. - * - */ -LPSTR WINAPI -hes_to_bind( - LPSTR HesiodName, - LPSTR HesiodNameType - ); - - -/*! \fn LPSTR * WINAPI hes_resolve(LPSTR HesiodName, LPSTR HesiodNameType) - * This function calls hes_to_bind to form a valid hesiod query, then queries the dns database. - * - * defined in hesiod.c - * - * \param[in] HesiodName The Hesiod name such as a username or service name - * \param[in] HesiodNameType The Hesiod name type such as pobox, passwd, or sloc - * \retval returns a NULL terminated vector of strings (a la argv), - * one for each resource record containing Hesiod data, or NULL if - * there is any error. If there is an error call hes_error() to get - * further information. You will need to call hes_free to free the result - * - */ - -LPSTR * WINAPI -hes_resolve( - LPSTR HesiodName, - LPSTR HesiodNameType - ); - -/*! \fn int WINAPI hes_error(void) - * The function hes_error may be called to determine the - * source of the error. It does not take an argument. - * - * defined in hesiod.c - * - * \retval return one of the HES_ER_* codes defined in hesiod.h. - */ - -int WINAPI -hes_error( - void - ); - - -/*! \fn void WINAPI hes_free(LPSTR* hesinfo) - * The function hes_free should be called to free up memeory returned by hes_resolve - * - * defined in hesiod.c - * - * \param[in] hesinfo a NULL terminiated array of strings returned by hes_resolve - */ -void WINAPI -hes_free( - LPSTR* hesinfo - ); - - -/*! \struct hes_postoffice - * For use in getting post-office information. - */ -struct hes_postoffice { - /*! The post office type, e.g. POP, IMAP */ - LPSTR po_type; - /*! The post office host, e.g. PO10.MIT.EDU */ - LPSTR po_host; - /*! The account name on the post office, e.g. tom */ - LPSTR po_name; -}; - -/*! \fn struct hes_postoffice * WINAPI hes_getmailhost(LPSTR user) - * This call is used to obtain a user's type of mail account and the location of that - * account. E.g. POP PO10.MIT.EDU or IMAP IMAP-TEST.MIT.EDU - * - * defined in hesmailh.c - * - * \param[in] user The username to be used when querying for the Hesiod Name Type POBOX. - * \retval NULL if there was an error or if there was no entry for the - * username. Otherwise a pointer to a hes_postoffice structure is - * returned. The caller must never attempt to modify this structure or to free - * any of its components. Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another getmailhost call - */ -struct hes_postoffice * WINAPI hes_getmailhost(LPSTR user); - -/*! \fn struct servent * WINAPI hes_getservbyname(LPSTR name, LPSTR proto) - * This function will query a Hesiod server for a servent structure given - * a service name and protocol. This is a replacement for the Winsock - * getservbyname function which normally just uses a local services - * file. This allows a site to use a centralized database for adding new - * services. - * - * defined in hesservb.c - * - * \param[in] name pointer to the official name of the service, eg "POP3". - * \param[in] proto pointer to the protocol to use when contacting the service, e.g. "TCP" - * \retval NULL if there was an error or a pointer to a servent structure. The caller must - * never attempt to modify this structure or to free any of its components. - * Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another hes_getservbyname call - * - */ -struct servent * WINAPI hes_getservbyname(LPSTR name, - LPSTR proto); - -/*! \fn struct passwd * WINAPI hes_getpwnam(LPSTR nam) - * Given a username this function will return the pwd information, eg - * username, uid, gid, fullname, office location, phone number, home - * directory, and default shell - * - * defined in hespwnam.c - * - * \param nam a pointer to the username - * \retval NULL if there was an error or a pointer to the passwd structure. The caller must - * never attempt to modify this structure or to free any of its components. - * Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another hes_getpwnam call - * - */ -struct passwd * WINAPI hes_getpwnam(LPSTR nam); - -/*! struct passwd * WINAPI hes_getpwuid(int uid) - * Given a UID this function will return the pwd information, eg username, uid, - * gid, fullname, office location, phone number, home directory, and default shell - * - * defined in hespwnam.c - * - * \param uid The user ID - * \retval NULL if there was an error or a pointer to the passwd structure. The caller must - * never attempt to modify this structure or to free any of its components. - * Furthermore, only one copy of this structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another hes_getpwuid call - */ -struct passwd * WINAPI hes_getpwuid(int uid); - -#ifdef __cplusplus -} -#endif - -#endif /* _HESIOD_ */ diff --git a/src/windows/include/leashwin.h b/src/windows/include/leashwin.h index 9577365..08b9c7d 100644 --- a/src/windows/include/leashwin.h +++ b/src/windows/include/leashwin.h @@ -2,9 +2,6 @@ #define __LEASHWIN__ ////Is this sufficient? -#ifndef NO_KRB4 -#include -#else #include #define ANAME_SZ 40 #define REALM_SZ 40 @@ -12,7 +9,6 @@ #define INST_SZ 40 /* include space for '.' and '@' */ #define MAX_K_NAME_SZ (ANAME_SZ + INST_SZ + REALM_SZ + 2) -#endif #define DLGTYPE_PASSWD 0 #define DLGTYPE_CHPASSWD 1 @@ -111,9 +107,9 @@ struct TicketList { TicketList *next; char *service; char *encTypes; - krb5_timestamp issued; - krb5_timestamp valid_until; - krb5_timestamp renew_until; + time_t issued; + time_t valid_until; + time_t renew_until; unsigned long flags; }; @@ -124,9 +120,9 @@ struct TICKETINFO { char *ccache_name; TicketList *ticket_list; int btickets; /* Do we have tickets? */ - long issued; /* The issue time */ - long valid_until; /* */ - long renew_until; /* The Renew time (k5 only) */ + time_t issued; /* The issue time */ + time_t valid_until; /* */ + time_t renew_until; /* The Renew time (k5 only) */ unsigned long flags; }; @@ -185,9 +181,6 @@ DWORD Leash_reset_default_proxiable(); DWORD Leash_get_default_publicip(); DWORD Leash_set_default_publicip(DWORD ipv4addr); DWORD Leash_reset_default_publicip(); -DWORD Leash_get_default_use_krb4(); -DWORD Leash_set_default_use_krb4(DWORD onoff); -DWORD Leash_reset_default_use_krb4(); DWORD Leash_get_hide_kinit_options(); DWORD Leash_set_hide_kinit_options(DWORD onoff); DWORD Leash_reset_hide_kinit_options(); @@ -203,9 +196,6 @@ DWORD Leash_reset_default_renew_min(); DWORD Leash_get_default_renew_max(); DWORD Leash_set_default_renew_max(DWORD minutes); DWORD Leash_reset_default_renew_max(); -DWORD Leash_get_lock_file_locations(); -DWORD Leash_set_lock_file_locations(DWORD onoff); -DWORD Leash_reset_lock_file_locations(); DWORD Leash_get_default_uppercaserealm(); DWORD Leash_set_default_uppercaserealm(DWORD onoff); DWORD Leash_reset_default_uppercaserealm(); diff --git a/src/windows/include/loadfuncs-krb5.h b/src/windows/include/loadfuncs-krb5.h index a906788..39a3504 100644 --- a/src/windows/include/loadfuncs-krb5.h +++ b/src/windows/include/loadfuncs-krb5.h @@ -106,29 +106,6 @@ TYPEDEF_FUNC( krb5_free_ap_rep, (krb5_context, krb5_ap_rep * ) ); - -/* Removed around the time of krb5_rc_* change... */ -#if 0 -TYPEDEF_FUNC( - void, - KRB5_CALLCONV, - krb5_free_safe, - (krb5_context, krb5_safe * ) - ); -TYPEDEF_FUNC( - void, - KRB5_CALLCONV, - krb5_free_priv, - (krb5_context, krb5_priv * ) - ); -TYPEDEF_FUNC( - void, - KRB5_CALLCONV, - krb5_free_priv_enc_part, - (krb5_context, krb5_priv_enc_part * ) - ); -#endif - TYPEDEF_FUNC( void, KRB5_CALLCONV, diff --git a/src/windows/include/loadfuncs-leash.h b/src/windows/include/loadfuncs-leash.h index 38b1dec..6e7bdbc 100644 --- a/src/windows/include/loadfuncs-leash.h +++ b/src/windows/include/loadfuncs-leash.h @@ -207,24 +207,6 @@ TYPEDEF_FUNC( TYPEDEF_FUNC( DWORD, CALLCONV_C, - Leash_get_default_use_krb4, - (void) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, - Leash_set_default_use_krb4, - (DWORD) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, - Leash_reset_default_use_krb4, - (void) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, Leash_get_default_life_min, (void) ); @@ -315,24 +297,6 @@ TYPEDEF_FUNC( TYPEDEF_FUNC( DWORD, CALLCONV_C, - Leash_get_lock_file_locations, - (void) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, - Leash_set_lock_file_locations, - (DWORD) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, - Leash_reset_lock_file_locations, - (void) - ); -TYPEDEF_FUNC( - DWORD, - CALLCONV_C, Leash_get_default_uppercaserealm, (void) ); diff --git a/src/windows/include/mitwhich.h b/src/windows/include/mitwhich.h deleted file mode 100644 index 47ee5da..0000000 --- a/src/windows/include/mitwhich.h +++ /dev/null @@ -1,84 +0,0 @@ -/*! \file mitwhich.h - * some defines so that we can figure out which MS OS and subsystem an - * application is running under. Also support for finding out which - * TCP/IP stack is being used. This is useful when you need to find out - * about the domain or the nameservers. - */ - -#if !defined( __MIT_WHICH_H ) -#define __MIT_WHICH_H - -// these should become resources and loaded at run time -#define NT_32 "Winsock 2.0" -#define NT_16 "Windows NT 16-bit Windows Sockets" -#define W95_32 "Microsoft Windows Sockets Version 1.1." -#define W95_16 "Microsoft Windows Sockets Version 1.1." -#define LWP_16 "Novell Winsock version 1.1" -// Note that these are currently in wshelper.h and should be somewhere else -#define MS_NT_32 1 -#define MS_NT_16 2 -#define MS_95_32 3 -#define MS_95_16 4 -#define NOVELL_LWP_16 5 - -#define MS_OS_WIN 1 -#define MS_OS_95 2 -#define MS_OS_NT 4 -#define MS_OS_2000 12 -#define MS_OS_XP 28 -#define MS_OS_2003 60 -#define MS_OS_NT_UNKNOWN 124 -#define MS_OS_UNKNOWN 0 - -#define STACK_UNKNOWN 0 -#define UNKNOWN_16_UNDER_32 -2 -#define UNKNOWN_16_UNDER_16 -3 -#define UNKNOWN_32_UNDER_32 -4 -#define UNKNOWN_32_UNDER_16 -5 - - -/* - @comm these are the current MIT DNS servers, the wshelper and - wshelp32 DLLs will do their best to find the correct DNS servers - for the local machine however, if all else fails these will be used - as a last resort. Site administrators outside of the MIT domain - should change these defaults to their own defaults either by - editing this file and recompiling or by editing the string tables - of the binaries. Don't use App Studio to edit the .RC files. -\n - #define DNS1 "18.70.0.160" \n - #define DNS2 "18.71.0.151" \n - #define DNS3 "18.72.0.3" \n -\n - #define DEFAULT_DOMAIN "mit.edu" \n -*/ - -#define DNS1 "18.70.0.160" -#define DNS2 "18.71.0.151" -#define DNS3 "18.72.0.3" - -#define DEFAULT_DOMAIN "mit.edu" - - -#ifndef _PATH_RESCONF -#if !defined(WINDOWS) && !defined(_WINDOWS) && !defined(_WIN32) -#define _PATH_RESCONF "/etc/resolv.conf" -#else -#define _PATH_RESCONF "c:/net/tcp/resolv.cfg" -#endif -#endif - - -/* Microsoft TCP/IP registry values that we care about */ -#define NT_TCP_PATH "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters" -#define NT_TCP_PATH_TRANS "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Transient" -#define W95_TCP_PATH "SYSTEM\\CurrentControlSet\\Services\\VxD\\MSTCP" - -#define NT_DOMAIN_KEY "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain" -#define NT_NS_KEY "SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer" - -#define W95_DOMAIN_KEY "SYSTEM\\CurrentControlSet\\Services\\VxD\\MSTCP\\Domain" -#define W95_NS_KEY "SYSTEM\\CurrentControlSet\\Services\\VxD\\MSTCP\\NameServer" - - -#endif // __MIT_WHICH_H diff --git a/src/windows/include/resolv.h b/src/windows/include/resolv.h deleted file mode 100644 index 9297959..0000000 --- a/src/windows/include/resolv.h +++ /dev/null @@ -1,284 +0,0 @@ -/*! \file resolv.h - * WSHelper DNS/Hesiod Library header - * This file contains the function declaration for:\n - * res_init() \n - * res_search() \n - * dn_comp() \n - * rdn_expand() \n \n - * and unsupported functions: \n - * res_setopts() \n - * res_getopts() \n - * res_querydomain() \n - * res_mkquery() \n - * res_send() \n -*/ - -#ifndef _RESOLV_H_ -#define _RESOLV_H_ - -#include -#ifndef MAXDNAME -#include -#endif - -/*! \def MAXNS - * max # name servers we'll track - */ -#define MAXNS 3 - -/*! \def MAXDFLSRCH - * # default domain levels to try - */ -#define MAXDFLSRCH 3 - -/*! \def MAXDNSRCH - * max # domains in search path - */ -#define MAXDNSRCH 6 - -/*! \def LOCALDOMAINPARTS - * min levels in name that is "local" - */ -#define LOCALDOMAINPARTS 2 - -/*! \def RES_TIMEOUT - * min. seconds between retries - */ -#define RES_TIMEOUT 5 - -/*! \def MAXMXRECS - * number of records in the preference array in the MX record - */ -#define MAXMXRECS 8 - -/*! \struct mxent - * structure to hold the MX record - */ -struct mxent { - /*! number of records in the preference field */ - int numrecs; - /*! holds a 16 bit integer which specifies the preference given to this RR */ - u_short pref[MAXMXRECS]; - /*! a host willing to act as a mail exchange */ - char ** hostname; -}; - - -/*! \struct state - * This structure holds the state for the resolver query - */ -struct state { - /*! retransmition time interval */ - int retrans; - /*! number of times to retransmit */ - int retry; - /*! field option flags - see below. */ - long options; - /*! field number of name servers */ - int nscount; - /*! address of name server */ - struct sockaddr_in nsaddr_list[MAXNS]; -#define nsaddr nsaddr_list[0] - /*! current packet id */ - u_short id; - /*! field default domain */ - char defdname[MAXDNAME]; - /*! field components of domain to search */ - char *dnsrch[MAXDNSRCH+1]; -}; - -/*! \def RES_INIT - * resolver option: address initialized - */ -#define RES_INIT 0x0001 - -/*! \def RES_DEBUG - * resolver option: print debug messages - */ -#define RES_DEBUG 0x0002 - -/*! \def RES_AAONLY - * resolver option: authoritative answers only - */ -#define RES_AAONLY 0x0004 - -/*! \def RES_USEVC - * resolver option: use virtual circuit - */ -#define RES_USEVC 0x0008 - -/*! \def RES_PRIMARY - * resolver option: query primary server only - */ -#define RES_PRIMARY 0x0010 - -/*! \def RES_IGNTC - * resolver option: ignore trucation errors - */ -#define RES_IGNTC 0x0020 - -/*! \def RES_RECURSE - * resolver option: recursion desired - */ -#define RES_RECURSE 0x0040 - -/*! \def RES_DEFNAMES - * resolver option: use default domain name - */ -#define RES_DEFNAMES 0x0080 - -/*! \def RES_STAYOPEN - * resolver option: Keep TCP socket ope - */ -#define RES_STAYOPEN 0x0100 - -/*! \def RES_DNSRCH - * resolver option: search up local domain tree - */ -#define RES_DNSRCH 0x0200 - -/*! \def RES_DEFAULT - * resolver option: Default RES options (RES_RECURSE + RES_DEFNAMES + RES_DNSRCH) - */ -#define RES_DEFAULT (RES_RECURSE | RES_DEFNAMES | RES_DNSRCH) - -extern struct state _res; - -#include - -/* Private routines shared between libc/net, named, nslookup and others. */ -#define fp_query __fp_query -#define hostalias __hostalias -#define putlong __putlong -#define putshort __putshort -#define p_class __p_class -#define p_time __p_time -#define p_type __p_type - - -#ifdef __cplusplus -extern "C" { -#endif - -/*! \fn int WINAPI res_init() - * \brief retrieves the default domain name and search order. It will look to see if an environment variable LOCALDOMAIN is defined. Otherwise, - * the domain associated with the local host is used. Otherwise, it will try to find the domain name from the registry - * - * defined in res_init.c - * - * \retval The return value is 0 if the operation was successful. Otherwise the value -1 is returned. - */ -int WINAPI res_init(); - - -/*! \fn int WINAPI res_search(const char* name, int qclass, int type, u_char* answer, int anslen) - * \brief a generic query interface to the DNS name space. The query is performed with the dnsapi and - * the answer buffer is populated based on the returned RR set. - * - * defined in res_quer.c - - * \param[in] name domain name - * \param[in] qclass class of query(such as DNS_CLASS_INTERNET, DNS_CLASS_CSNET, DNS_CLASS_CHAOS, - * DNS_CLASS_HESIOD. Defined in windns.h) - * \param[in] type type of query(such as DNS_TYPE_A, DNS_TYPE_NS, DNS_TYPE_MX, DNS_TYPE_SRV. Defined in - * windns.h) - * \param[in] answer buffer to put answer in - * \param[in] anslen size of the answer buffer. compare the anslen with the return value, if the return - * value is bigger than anslen, it means the answer buffer doesn't contain the complete - * response. You will need to call this function again with a bigger answer buffer if - * you care about the complete response - * - * \retval return the size of the response on success, -1 on error - * - */ -int WINAPI res_search(const char *name, - int qclass, int type, - u_char *answer, int anslen); - -/*! \fn int WINAPI dn_comp(const u_char* exp_dn, u_char* comp_dn, int length, u_char** dnptrs, u_char** lastdnptr) - * \brief Compress domain name 'exp_dn' into 'comp_dn' - * - * defined in res_comp.c - * - * \param[in] exp_dn name to compress - * \param[in, out] comp_dn result of the compression - * \param[in] length the size of the array pointed to by 'comp_dn'. - * \param[in, out] dnptrs a list of pointers to previous compressed names. dnptrs[0] - * is a pointer to the beginning of the message. The list ends with NULL. - * \param[in] lastdnptr a pointer to the end of the arrary pointed to by 'dnptrs'. Side effect - * is to update the list of pointers for labels inserted into the - * message as we compress the name. If 'dnptr' is NULL, we don't try to - * compress names. If 'lastdnptr' is NULL, we don't update the list. - * \retval Return the size of the compressed name or -1 - */ -int WINAPI dn_comp(const u_char *exp_dn, - u_char *comp_dn, - int length, u_char **dnptrs, - u_char * *lastdnptr); - -/*! \fn int WINAPI rdn_expand(const u_char *msg, const u_char *eomorig, const u_char *comp_dn, u_char *exp_dn, - int length); - * \brief replacement for dn_expand called rdn_expand. Older versions of the DLL used to this as dn_expand - * but this has caused some conflict with more recent versions of the MSDEV libraries. rdn_expand() - * expands the compressed domain name comp_dn to a full domain name. Expanded names are converted to upper case. - * - * defined in res_comp.c - * - * \param[in] msg msg is a pointer to the beginning of the message - * \param[in] eomorig - * \param[in] comp_dn the compressed domain name. - * \param[in, out] exp_dn a pointer to the result buffer - * \param[in] length size of the result in expn_dn - * \retval the size of compressed name is returned or -1 if there was an error. -*/ -int WINAPI rdn_expand(const u_char *msg, - const u_char *eomorig, - const u_char *comp_dn, - u_char *exp_dn, - int length); -/* Microsoft includes an implementation of dn_expand() in winsock */ -/* Make sure we do not use it. jaltman@columbia.edu */ -#define dn_expand(a,b,c,d,e) rdn_expand(a,b,c,d,e) - - -/*! \fn void WINAPI res_setopts(long opts) - * unsupported -*/ -void WINAPI res_setopts(long opts); - -/*! \fn long WINAPI res_getopts(void) - * unsupported -*/ -long WINAPI res_getopts(void); - -/*! \fn int WINAPI res_mkquery(int op, const char *dname, int qclass, int type, const char *data, int datalen, - * const struct rrec *newrr, char *buf, int buflen) - * unsupported - */ -int WINAPI res_mkquery(int op, const char *dname, - int qclass, int type, - const char *data, int datalen, - const struct rrec *newrr, - char *buf, int buflen); - -/*! \fn int WINAPI res_send(const char *msg, int msglen, char *answer, int anslen) - * unsupported -*/ -int WINAPI res_send(const char *msg, int msglen, - char *answer, int anslen); - -/*! \fn int WINAPI res_querydomain(const char *name, const char *domain, int qclass, int type, - u_char *answer, int anslen); -* unsupported -*/ -int WINAPI res_querydomain(const char *name, - const char *domain, - int qclass, int type, - u_char *answer, int anslen); - - -#ifdef __cplusplus -} -#endif - -#endif /* !_RESOLV_H_ */ diff --git a/src/windows/include/wshelper.h b/src/windows/include/wshelper.h deleted file mode 100644 index 1bd31f0..0000000 --- a/src/windows/include/wshelper.h +++ /dev/null @@ -1,148 +0,0 @@ -/*! \file wshelper.h - * WSHelper DNS/Hesiod Library - * - * This file contains the function declaration for: \n - * rgethostbyname() \n - * rgethostbyaddr() \n - * rgetservbyname() \n - * inet_aton() \n - * wsh_gethostname() \n - * wsh_getdomainname() \n \n - * and unsupported functions: \n - * gethinfobyname() \n - * getmxbyname() \n - * getrecordbyname() \n - * rrhost() \n - */ - -#ifndef _WSHELPER_ -#define _WSHELPER_ - -#include -#include -#include -#include - -#ifdef __cplusplus -extern "C" { -#endif -/*! \fn struct hostent * WINAPI rgethostbyname(char *name) - * retrieves host information corresponding to a host name in the DNS database - * - * defined in gethna.c - * - * \param[in] name Pointer to the null-terminated name of the host to resolve. It can be a fully qualified host name such as x.mit.edu - * or it can be a simple host name such as x. If it is a simple host name, the default domain name is - * appended to do the search. - * \retval a pointer to the structure hostent. a structure allocated by the library. The hostent structure contains - * the results of a successful search for the host specified in the name parameter. The caller must never - * attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - * structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another rgethostbyname. - * NULL if the search has failed - * -*/ -struct hostent * WINAPI rgethostbyname(char *name); - -/*! \fn struct hostent * WINAPI rgethostbyaddr(char *addr, int len, int type) - * retrieves the host information corresponding to a network address in the DNS database - * - * defined in gethna.c - * - * \param[in] addr Pointer to an address in network byte order - * \param[in] len Length of the address, in bytes - * \param[in] type Type of the address, such as the AF_INET address family type (defined as TCP, - * UDP, and other associated Internet protocols). Address family types and their corresponding - * values are defined in the Winsock2.h header file. - * \retval returns a pointer to the hostent structure that contains the name and address corresponding - * to the given network address. The structure is allocated by the library. The caller must never - * attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - * structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another rgethostbyaddr. - * NULL if the search has failed - * -*/ -struct hostent * WINAPI rgethostbyaddr(char *addr, int len, int type); - -/*! \fn struct servent * WINAPI rgetservbyname(LPSTR name, LPSTR proto) - * retrieves service information corresponding to a service name and protocol. - * - * defined in gethna.c - * - * \param[in] name Pointer to a null-terminated service name. - * \param[in] proto pointer to a null-terminated protocol name. getservbyname should match both - * the name and the proto. - * \retval a pointer to the servent structure containing the name(s) and service number that match the name and proto - * parameters. The structure is allocated by the library. The caller must never - * attempt to modify this structure or to free any of its components. Furthermore, only one copy of this - * structure is allocated per call per thread, so the application should copy any information it needs before - * issuing another rgetservbyname. - * NULL if the search has failed - * - */ -struct servent * WINAPI rgetservbyname(LPSTR name, LPSTR proto); - -/*! \fn LPSTR WINAPI gethinfobyname(LPSTR name) - * unsupported - */ -LPSTR WINAPI gethinfobyname(LPSTR name); - -/*! \fn LPSTR WINAPI getmxbyname(LPSTR name) - * unsupported - */ -LPSTR WINAPI getmxbyname(LPSTR name); - -/*! \fn LPSTR WINAPI getrecordbyname(LPSTR name, int rectype) - * unsupported - */ -LPSTR WINAPI getrecordbyname(LPSTR name, int rectype); - -/*! \fn DWORD WINAPI rrhost( LPSTR lpHost ) - * unsupported - */ -DWORD WINAPI rrhost( LPSTR lpHost ); - -/*! \fn unsigned long WINAPI inet_aton(register const char *cp, struct in_addr *addr) - * converts a string containing an (Ipv4) Internet Protocol dotted address into a proper address for the in_addr structure - * - * defined in inetaton.c - * - * \param[in] cp Null-terminated character string representing a number expressed in the - * Internet standard ".'' (dotted) notation. - * \param[in, out] addr pointer to the in_addr structure. The s_addr memeber will be populated - * \retval Returns 1 if the address is valid, 0 if not. - */ -unsigned long WINAPI inet_aton(register const char *cp, struct in_addr *addr); - - -/*! \fn int WINAPI wsh_gethostname(char* name, int size) - * Gets the base part of the hostname - * - * defined in res_init.c - * - * \param[in, out] name pointer to a buffer that receives a null-terminated string containing the computer name - * \param[in] size specifies the size of the buffer, in chars (must be large - * enough to hold NULL-terminated host name) - * \retval return 0 ifsuccess, -1 on error. -*/ -int WINAPI wsh_gethostname(char* name, int size); - -/*! \fn int WINAPI wsh_getdomainname(char* name, int size) - * Gets the machine's domain name - * - * defined in res_init.c - * - * \param[in, out] name pointer to a buffer that receives a null-terminated string containing the domain name - * \param[in] size specifies the size of the buffer, in chars (must be large - * enough to hold NULL-terminated domain name) - * - * \retval return 0 ifsuccess, -1 on error. - */ -int WINAPI wsh_getdomainname(char* name, int size); - - -#ifdef __cplusplus -} -#endif - -#endif /* _WSHELPER_ */ diff --git a/src/windows/installer/nsis/KfWConfigPage.ini b/src/windows/installer/nsis/KfWConfigPage.ini deleted file mode 100644 index abc0ed6..0000000 --- a/src/windows/installer/nsis/KfWConfigPage.ini +++ /dev/null @@ -1,59 +0,0 @@ -[Settings] -NumFields=7 - -[Field 1] -Type=label -Text=The Kerberos Client may utilize configuration files to assist in contacting KDCs. Where do you want to get these files? -Left=0 -Right=-1 -Top=0 -Bottom=20 - -[Field 2] -Type=RadioButton -Text=Use existing configuration files from a previous installation. -Left=10 -Right=-1 -Top=25 -Bottom=35 - -[Field 3] -Type=RadioButton -Text=Use packaged configuration files. -Left=10 -Right=-1 -Top=40 -Bottom=50 - -[Field 4] -type=RadioButton -Text=Download from web path: -State=0 -Left=10 -Right=-1 -Top=55 -Bottom=65 - -[Field 5] -type=Text -State= -Left=20 -Right=-1 -Top=70 -Bottom=80 - -[Field 6] -type=radioButton -text=Select a directory -Left=10 -Right=-1 -Top=85 -Bottom=95 - -[Field 7] -type=DirRequest -Flags=PATH_MUST_EXIST -Left=20 -Right=-40 -Top=100 -Bottom=110 diff --git a/src/windows/installer/nsis/KfWConfigPage2.ini b/src/windows/installer/nsis/KfWConfigPage2.ini deleted file mode 100644 index 353bf17..0000000 --- a/src/windows/installer/nsis/KfWConfigPage2.ini +++ /dev/null @@ -1,20 +0,0 @@ -[Settings] -NumFields=3 - -[Field 1] -Type=label -Text=The Network Identity Manager maybe installed with the following optional functionality. Please check those items you wish activated. -Left=0 -Right=-1 -Top=0 -Bottom=20 - -[Field 2] -Type=CheckBox -Text=Autostart the Network Identity Manager each time you login to Windows. -State=1 -Left=10 -Right=-1 -Top=25 -Bottom=35 - diff --git a/src/windows/installer/nsis/kfw-fixed.nsi b/src/windows/installer/nsis/kfw-fixed.nsi deleted file mode 100644 index cef8b60..0000000 --- a/src/windows/installer/nsis/kfw-fixed.nsi +++ /dev/null @@ -1,1907 +0,0 @@ -;----------------------------------------------------------------- -; KfW defines and functionality -; Copyright (c) 2004,2005,2006,2007 Massachusetts Institute of Technology -; Copyright (c) 2006,2007 Secure Endpoints Inc. - -!define KFW_VERSION "${KFW_MAJORVERSION}.${KFW_MINORVERSION}.${KFW_PATCHLEVEL}" - -!define PROGRAM_NAME "Kerberos for Windows" -!ifdef RELEASE -!ifndef DEBUG ; !DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION}" -!else ; DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION} Checked/Debug" -!endif ; End DEBUG/!DEBUG -!else -!ifdef BETA -!ifndef DEBUG ; !DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION} Beta ${BETA}" -!else ; DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION} Beta ${BETA} Checked/Debug" -!endif ; End DEBUG/!DEBUG -!else -!ifndef DEBUG ; !DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION} ${__DATE__} ${__TIME__}" -!else ; DEBUG on v2.0b4 -Name "MIT ${PROGRAM_NAME} ${KFW_VERSION} ${__DATE__} ${__TIME__} Checked/Debug" -!endif ; End DEBUG/!DEBUG -!endif -!endif -VIProductVersion "${KFW_MAJORVERSION}.${KFW_MINORVERSION}.${KFW_PATCHLEVEL}.00" -VIAddVersionKey "ProductName" "${PROGRAM_NAME}" -VIAddVersionKey "CompanyName" "Massachusetts Institute of Technology" -VIAddVersionKey "FileVersion" ${VIProductVersion} -VIAddVersionKey "ProductVersion" "${KFW_MAJORVERSION}.${KFW_MINORVERSION}.${KFW_PATCHLEVEL}.0" -VIAddVersionKey "FileDescription" "MIT Kerberos for Windows Installer" -VIAddVersionKey "LegalCopyright" "(C)2004,2005,2006,2007" -!ifdef DEBUG -VIAddVersionKey "PrivateBuild" "Checked/Debug" -!endif ; End DEBUG - - -;-------------------------------- -;Configuration - - ;General - SetCompressor lzma -!ifndef DEBUG - OutFile "MITKerberosForWindows.exe" -!else - OutFile "MITKerberosForWindows-DEBUG.exe" -!endif - SilentInstall normal - ShowInstDetails show - XPStyle on - !define MUI_ICON "kfw.ico" - !define MUI_UNICON "kfw.ico" - !define KFW_COMPANY_NAME "Massachusetts Institute of Technology" - !define KFW_PRODUCT_NAME "${PROGRAM_NAME}" - !define KFW_REGKEY_ROOT "Software\MIT\Kerberos\" - !define NIM_REGKEY_ROOT "Software\MIT\NetIDMgr\" - CRCCheck force - !define REPLACEDLL_NOREGISTER - - ;Folder selection page - InstallDir "$PROGRAMFILES\MIT\Kerberos" ; Install to shorter path - - ;Remember install folder - InstallDirRegKey HKLM "${KFW_REGKEY_ROOT}" "" - - ;Remember the installer language - !define MUI_LANGDLL_REGISTRY_ROOT "HKLM" - !define MUI_LANGDLL_REGISTRY_KEY "${KFW_REGKEY_ROOT}" - !define MUI_LANGDLL_REGISTRY_VALUENAME "Installer Language" - - ;Where are the files? - !define KFW_BIN_DIR "${KFW_TARGETDIR}\bin\i386" - !define KFW_DOC_DIR "${KFW_TARGETDIR}\doc" - !define KFW_INC_DIR "${KFW_TARGETDIR}\inc" - !define KFW_LIB_DIR "${KFW_TARGETDIR}\lib\i386" - !define KFW_SAMPLE_DIR "${KFW_TARGETDIR}\sample" - !define KFW_INSTALL_DIR "${KFW_TARGETDIR}\install" - !define SYSTEMDIR "$%SystemRoot%\System32" - - -;-------------------------------- -;Modern UI Configuration - - !define MUI_LICENSEPAGE - !define MUI_CUSTOMPAGECOMMANDS - !define MUI_WELCOMEPAGE - !define MUI_COMPONENTSPAGE - !define MUI_COMPONENTSPAGE_SMALLDESC - !define MUI_DIRECTORYPAGE - - !define MUI_ABORTWARNING - !define MUI_FINISHPAGE - - !define MUI_UNINSTALLER - !define MUI_UNCONFIRMPAGE - - - !insertmacro MUI_PAGE_WELCOME - !insertmacro MUI_PAGE_LICENSE "Licenses.rtf" - !insertmacro MUI_PAGE_COMPONENTS - !insertmacro MUI_PAGE_DIRECTORY - Page custom KFWPageGetConfigFiles - Page custom KFWPageGetStartupConfig - !insertmacro MUI_PAGE_INSTFILES - !insertmacro MUI_PAGE_FINISH - -;-------------------------------- -;Languages - - !insertmacro MUI_LANGUAGE "English" - -;-------------------------------- -;Language Strings - - ;Descriptions - LangString DESC_SecCopyUI ${LANG_ENGLISH} "${PROGRAM_NAME}: English" - - LangString DESC_secClient ${LANG_ENGLISH} "Client: Allows you to utilize MIT Kerberos from your Windows PC." - - LangString DESC_secDebug ${LANG_ENGLISH} "Debug Symbols: Used for debugging problems with MIT Kerberos for Windows" - - LangString DESC_secSDK ${LANG_ENGLISH} "SDK: Allows you to build MIT Kerberos aware applications." - - LangString DESC_secDocs ${LANG_ENGLISH} "Documentation: Release Notes and User Manuals." - -; Popup error messages - LangString RealmNameError ${LANG_ENGLISH} "You must specify a realm name for your client to use." - - LangString ConfigFileError ${LANG_ENGLISH} "You must specify a valid configuration file location from which files can be copied during the install" - - LangString URLError ${LANG_ENGLISH} "You must specify a URL if you choose the option to download the config files." - -; Upgrade/re-install strings - LangString UPGRADE_CLIENT ${LANG_ENGLISH} "Upgrade Kerberos Client" - LangString REINSTALL_CLIENT ${LANG_ENGLISH} "Re-install Kerberos Client" - LangString DOWNGRADE_CLIENT ${LANG_ENGLISH} "Downgrade Kerberos Client" - - LangString UPGRADE_SDK ${LANG_ENGLISH} "Upgrade Kerberos SDK" - LangString REINSTALL_SDK ${LANG_ENGLISH} "Re-install Kerberos SDK" - LangString DOWNGRADE_SDK ${LANG_ENGLISH} "Downgrade Kerberos SDK" - - LangString UPGRADE_DOCS ${LANG_ENGLISH} "Upgrade Kerberos Documentation" - LangString REINSTALL_DOCS ${LANG_ENGLISH} "Re-install Kerberos Documentation" - LangString DOWNGRADE_DOCS ${LANG_ENGLISH} "Downgrade Kerberos Documentation" - - ReserveFile "${KFW_CONFIG_DIR}\sample\krb.con" - ReserveFile "${KFW_CONFIG_DIR}\sample\krbrealm.con" - ReserveFile "${KFW_CONFIG_DIR}\sample\krb5.ini" - !insertmacro MUI_RESERVEFILE_INSTALLOPTIONS ;InstallOptions plug-in - !insertmacro MUI_RESERVEFILE_LANGDLL ;Language selection dialog - -;-------------------------------- -;Reserve Files - - ;Things that need to be extracted on first (keep these lines before any File command!) - ;Only useful for BZIP2 compression - !insertmacro MUI_RESERVEFILE_LANGDLL - -;-------------------------------- -; Load Macros -!include "utils.nsi" - -;-------------------------------- -;Installer Sections - -;---------------------- -; Kerberos for Windows CLIENT -Section "KfW Client" secClient - - SetShellVarContext all - ; Stop any running services or we can't replace the files - ; Stop the running processes - GetTempFileName $R0 - File /oname=$R0 "Killer.exe" - nsExec::Exec '$R0 netidmgr.exe' - nsExec::Exec '$R0 leash32.exe' - nsExec::Exec '$R0 krbcc32s.exe' - nsExec::Exec '$R0 k95.exe' - nsExec::Exec '$R0 k95g.exe' - nsExec::Exec '$R0 krb5.exe' - nsExec::Exec '$R0 gss.exe' - nsExec::Exec '$R0 afscreds.exe' - - RMDir /r "$INSTDIR\bin" - - ; Do client components - SetOutPath "$INSTDIR\bin" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\comerr32.dll" "$INSTDIR\bin\comerr32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\gss.exe" "$INSTDIR\bin\gss.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\gss-client.exe" "$INSTDIR\bin\gss-client.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\gss-server.exe" "$INSTDIR\bin\gss-server.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\gssapi32.dll" "$INSTDIR\bin\gssapi32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\k524init.exe" "$INSTDIR\bin\k524init.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kclnt32.dll" "$INSTDIR\bin\kclnt32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kdestroy.exe" "$INSTDIR\bin\kdestroy.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kinit.exe" "$INSTDIR\bin\kinit.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\klist.exe" "$INSTDIR\bin\klist.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kpasswd.exe" "$INSTDIR\bin\kpasswd.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kvno.exe" "$INSTDIR\bin\kvno.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb5_32.dll" "$INSTDIR\bin\krb5_32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\k5sprt32.dll" "$INSTDIR\bin\k5sprt32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb524.dll" "$INSTDIR\bin\krb524.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krbcc32.dll" "$INSTDIR\bin\krbcc32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krbcc32s.exe" "$INSTDIR\bin\krbcc32s.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krbv4w32.dll" "$INSTDIR\bin\krbv4w32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\netidmgr.chm" "$INSTDIR\bin\netidmgr.chm" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb4cred.dll" "$INSTDIR\bin\krb4cred.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb5cred.dll" "$INSTDIR\bin\krb5cred.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb4cred_en_us.dll" "$INSTDIR\bin\krb4cred_en_us.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\krb5cred_en_us.dll" "$INSTDIR\bin\krb5cred_en_us.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\leashw32.dll" "$INSTDIR\bin\leashw32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\ms2mit.exe" "$INSTDIR\bin\ms2mit.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\mit2ms.exe" "$INSTDIR\bin\mit2ms.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kcpytkt.exe" "$INSTDIR\bin\kcpytkt.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kdeltkt.exe" "$INSTDIR\bin\kdeltkt.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\wshelp32.dll" "$INSTDIR\bin\wshelp32.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\xpprof32.dll" "$INSTDIR\bin\xpprof32.dll" "$INSTDIR" - - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2000" nid_inst2000 - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\netidmgr.exe" "$INSTDIR\bin\netidmgr.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\nidmgr32.dll" "$INSTDIR\bin\nidmgr32.dll" "$INSTDIR" - goto nid_done -nid_inst2000: - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\W2K\netidmgr.exe" "$INSTDIR\bin\netidmgr.exe" "$INSTDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\W2K\nidmgr32.dll" "$INSTDIR\bin\nidmgr32.dll" "$INSTDIR" -nid_done: - -!ifdef DEBUG -!IFDEF CL_1400 - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr80d.dll" "$INSTDIR\bin\msvcr80d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp80d.dll" "$INSTDIR\bin\msvcp80d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc80d.dll" "$INSTDIR\bin\mfc80d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHS.DLL" "$INSTDIR\bin\MFC80CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHT.DLL" "$INSTDIR\bin\MFC80CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80DEU.DLL" "$INSTDIR\bin\MFC80DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ENU.DLL" "$INSTDIR\bin\MFC80ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ESP.DLL" "$INSTDIR\bin\MFC80ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80FRA.DLL" "$INSTDIR\bin\MFC80FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ITA.DLL" "$INSTDIR\bin\MFC80ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80JPN.DLL" "$INSTDIR\bin\MFC80JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80KOR.DLL" "$INSTDIR\bin\MFC80KOR.DLL" "$INSTDIR" -!ELSE -!IFDEF CL_1310 - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr71d.dll" "$INSTDIR\bin\msvcr71d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp71d.dll" "$INSTDIR\bin\msvcp71d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc71d.dll" "$INSTDIR\bin\mfc71d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHS.DLL" "$INSTDIR\bin\MFC71CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHT.DLL" "$INSTDIR\bin\MFC71CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71DEU.DLL" "$INSTDIR\bin\MFC71DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ENU.DLL" "$INSTDIR\bin\MFC71ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ESP.DLL" "$INSTDIR\bin\MFC71ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71FRA.DLL" "$INSTDIR\bin\MFC71FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ITA.DLL" "$INSTDIR\bin\MFC71ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71JPN.DLL" "$INSTDIR\bin\MFC71JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71KOR.DLL" "$INSTDIR\bin\MFC71KOR.DLL" "$INSTDIR" -!ELSE -!IFDEF CL_1300 - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr70d.dll" "$INSTDIR\bin\msvcr70d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp70d.dll" "$INSTDIR\bin\msvcp70d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc70d.dll" "$INSTDIR\bin\mfc70d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHS.DLL" "$INSTDIR\bin\MFC70CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHT.DLL" "$INSTDIR\bin\MFC70CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70DEU.DLL" "$INSTDIR\bin\MFC70DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ENU.DLL" "$INSTDIR\bin\MFC70ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ESP.DLL" "$INSTDIR\bin\MFC70ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70FRA.DLL" "$INSTDIR\bin\MFC70FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ITA.DLL" "$INSTDIR\bin\MFC70ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70JPN.DLL" "$INSTDIR\bin\MFC70JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70KOR.DLL" "$INSTDIR\bin\MFC70KOR.DLL" "$INSTDIR" -!ELSE - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc42d.dll" "$INSTDIR\bin\mfc42d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp60d.dll" "$INSTDIR\bin\msvcp60d.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcrtd.dll" "$INSTDIR\bin\msvcrtd.dll" "$INSTDIR" -!ENDIF -!ENDIF -!ENDIF -!ELSE -!IFDEF CL_1400 - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc80.dll" "$INSTDIR\bin\mfc80.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr80.dll" "$INSTDIR\bin\msvcr80.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp80.dll" "$INSTDIR\bin\msvcp80.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHS.DLL" "$INSTDIR\bin\MFC80CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80CHT.DLL" "$INSTDIR\bin\MFC80CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80DEU.DLL" "$INSTDIR\bin\MFC80DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ENU.DLL" "$INSTDIR\bin\MFC80ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ESP.DLL" "$INSTDIR\bin\MFC80ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80FRA.DLL" "$INSTDIR\bin\MFC80FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80ITA.DLL" "$INSTDIR\bin\MFC80ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80JPN.DLL" "$INSTDIR\bin\MFC80JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC80KOR.DLL" "$INSTDIR\bin\MFC80KOR.DLL" "$INSTDIR" -!ELSE -!IFDEF CL_1310 - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc71.dll" "$INSTDIR\bin\mfc71.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr71.dll" "$INSTDIR\bin\msvcr71.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp71.dll" "$INSTDIR\bin\msvcp71.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHS.DLL" "$INSTDIR\bin\MFC71CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71CHT.DLL" "$INSTDIR\bin\MFC71CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71DEU.DLL" "$INSTDIR\bin\MFC71DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ENU.DLL" "$INSTDIR\bin\MFC71ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ESP.DLL" "$INSTDIR\bin\MFC71ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71FRA.DLL" "$INSTDIR\bin\MFC71FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71ITA.DLL" "$INSTDIR\bin\MFC71ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71JPN.DLL" "$INSTDIR\bin\MFC71JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC71KOR.DLL" "$INSTDIR\bin\MFC71KOR.DLL" "$INSTDIR" -!ELSE -!IFDEF CL_1300 - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc70.dll" "$INSTDIR\bin\mfc70.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcr70.dll" "$INSTDIR\bin\msvcr70.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp70.dll" "$INSTDIR\bin\msvcp70.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHS.DLL" "$INSTDIR\bin\MFC70CHS.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70CHT.DLL" "$INSTDIR\bin\MFC70CHT.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70DEU.DLL" "$INSTDIR\bin\MFC70DEU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ENU.DLL" "$INSTDIR\bin\MFC70ENU.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ESP.DLL" "$INSTDIR\bin\MFC70ESP.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70FRA.DLL" "$INSTDIR\bin\MFC70FRA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70ITA.DLL" "$INSTDIR\bin\MFC70ITA.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70JPN.DLL" "$INSTDIR\bin\MFC70JPN.DLL" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\MFC70KOR.DLL" "$INSTDIR\bin\MFC70KOR.DLL" "$INSTDIR" -!ELSE - !insertmacro ReplaceDLL "${SYSTEMDIR}\mfc42.dll" "$INSTDIR\bin\mfc42.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcp60.dll" "$INSTDIR\bin\msvcp60.dll" "$INSTDIR" - !insertmacro ReplaceDLL "${SYSTEMDIR}\msvcrt.dll" "$INSTDIR\bin\msvcrt.dll" "$INSTDIR" -!ENDIF -!ENDIF -!ENDIF -!ENDIF - !insertmacro ReplaceDLL "${SYSTEMDIR}\psapi.dll" "$INSTDIR\bin\psapi.dll" "$INSTDIR" - - ; Do WINDOWSDIR components - ;SetOutPath "$WINDOWSDIR" -!ifdef DEBUG -!endif - - ; Do Windows SYSDIR (Control panel) - SetOutPath "$SYSDIR" - !insertmacro ReplaceDLL "${KFW_BIN_DIR}\kfwlogon.dll" "$SYSDIR\kfwlogon.dll" "$INSTDIR" - File "${KFW_BIN_DIR}\kfwcpcc.exe" - - ; Get Kerberos config files - Call kfw.GetConfigFiles - - Call KFWCommon.Install - - ; KfW Reg entries - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "PatchLevel" ${KFW_PATCHLEVEL} - - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "PatchLevel" ${KFW_PATCHLEVEL} - - ; Daemon entries - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos" "" "" - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider" "ProviderPath" "$SYSDIR\kfwlogon.dll" - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider" "AuthentProviderPath" "$SYSDIR\kfwlogon.dll" - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider" "Class" 2 - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider" "VerboseLogging" 10 - - ; Must also add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\HwOrder - ; and HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order - ; to also include the service name. - Call AddProvider - ReadINIStr $R0 $1 "Field 7" "State" - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos\NetworkProvider" "Name" "MIT Kerberos" - - ; WinLogon Event Notification - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\MIT_KFW" "Asynchronous" 0 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\MIT_KFW" "Impersonate" 0 - WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\MIT_KFW" "DLLName" "kfwlogon.dll" - WriteRegStr HKLM "Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\MIT_KFW" "Logon" "KFW_Logon_Event" - - ; NetIdMgr Reg entries - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Modules\MITKrb5" "ImagePath" "$INSTDIR\bin\krb5cred.dll" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Modules\MITKrb5" "PluginList" "Krb5Cred,Krb5Ident" - - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred" "Module" "MITKrb5" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred" "Description" "Kerberos v5 Credentials Provider" - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred" "Type" 1 - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Cred" "Flags" 0 - - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Ident" "Module" "MITKrb5" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Ident" "Description" "Kerberos v5 Identity Provider" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Ident" "Dependencies" "Krb5Cred" - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Ident" "Type" 2 - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb5Ident" "Flags" 0 - - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Modules\MITKrb4" "ImagePath" "$INSTDIR\bin\krb4cred.dll" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Modules\MITKrb4" "PluginList" "Krb4Cred" - - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred" "Module" "MITKrb4" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred" "Description" "Kerberos v4 Credentials Provider" - WriteRegStr HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred" "Dependencies" "Krb5Cred" - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred" "Type" 1 - WriteRegDWORD HKLM "Software\MIT\NetIDMgr\PluginManager\Plugins\Krb4Cred" "Flags" 0 - - ;Write start menu entries - CreateDirectory "$SMPROGRAMS\${PROGRAM_NAME}" - SetOutPath "$INSTDIR\bin" - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Uninstall ${PROGRAM_NAME}.lnk" "$INSTDIR\Uninstall.exe" - - ReadINIStr $R0 $1 "Field 2" "State" ; startup - - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Manager.lnk" "$INSTDIR\bin\netidmgr.exe" "" "$INSTDIR\bin\netidmgr.exe" - -startshort: - StrCmp $R0 "0" nostart - CreateShortCut "$SMSTARTUP\Network Identity Manager.lnk" "$INSTDIR\bin\netidmgr.exe" "" "$INSTDIR\bin\netidmgr.exe" 0 SW_SHOWMINIMIZED - goto checkconflicts - -nostart: - Delete "$SMSTARTUP\Network Identity Manager.lnk" - -checkconflicts: - Call GetSystemPath - Push "krb5_32.dll" - Call SearchPath - Pop $R0 - StrCmp $R0 "" addpath - - Push $R0 - Call GetParent - Pop $R0 - StrCmp $R0 "$INSTDIR\bin" addpath - MessageBox MB_OK|MB_ICONINFORMATION|MB_TOPMOST "A previous installation of MIT Kerberos for Windows binaries has been found in folder $R0. This may interfere with the use of the current installation." - -addpath: - ; Add kfw bin to path - Push "$INSTDIR\bin" - Call AddToSystemPath - - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2003" addAllowTgtKey - StrCmp $R0 "2000" addAllowTgtKey - StrCmp $R0 "XP" addAllowTgtKey - goto skipAllowTgtKey - -addAllowTgtKey: - ReadRegDWORD $R0 HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" "AllowTGTSessionKey" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "AllowTGTSessionKeyBackup" $R0 - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" "AllowTGTSessionKey" "1" - ReadRegDWORD $R0 HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" "AllowTGTSessionKey" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "AllowTGTSessionKeyBackup2" $R0 - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" "AllowTGTSessionKey" "1" -skipAllowTgtKey: - - ; The following are keys added for Terminal Server compatibility - ; http://support.microsoft.com/default.aspx?scid=kb;EN-US;186499 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\netidmgr" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kinit" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\klist" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdestroy" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss-client" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss-server" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k524init" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kpasswd" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kvno" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ms2mit" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kcpytkt" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdeltkt" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k95" "Flags" 0x408 - WriteRegDWORD HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k95g" "Flags" 0x408 - -SectionEnd - -Section "Debug Symbols" secDebug - - SetOutPath "$INSTDIR\bin" - File "${KFW_BIN_DIR}\comerr32.pdb" - File "${KFW_BIN_DIR}\gss.pdb" - File "${KFW_BIN_DIR}\gss-client.pdb" - File "${KFW_BIN_DIR}\gss-server.pdb" - File "${KFW_BIN_DIR}\gssapi32.pdb" - File "${KFW_BIN_DIR}\k524init.pdb" - File "${KFW_BIN_DIR}\kclnt32.pdb" - File "${KFW_BIN_DIR}\kdestroy.pdb" - File "${KFW_BIN_DIR}\kinit.pdb" - File "${KFW_BIN_DIR}\klist.pdb" - File "${KFW_BIN_DIR}\kpasswd.pdb" - File "${KFW_BIN_DIR}\kvno.pdb" - File "${KFW_BIN_DIR}\krb5_32.pdb" - File "${KFW_BIN_DIR}\k5sprt32.pdb" - File "${KFW_BIN_DIR}\krb524.pdb" - File "${KFW_BIN_DIR}\krbcc32.pdb" - File "${KFW_BIN_DIR}\krbcc32s.pdb" - File "${KFW_BIN_DIR}\krbv4w32.pdb" - File "${KFW_BIN_DIR}\leashw32.pdb" - File "${KFW_BIN_DIR}\krb4cred.pdb" - File "${KFW_BIN_DIR}\krb5cred.pdb" - File "${KFW_BIN_DIR}\ms2mit.pdb" - File "${KFW_BIN_DIR}\mit2ms.pdb" - File "${KFW_BIN_DIR}\kcpytkt.pdb" - File "${KFW_BIN_DIR}\kdeltkt.pdb" - File "${KFW_BIN_DIR}\wshelp32.pdb" - File "${KFW_BIN_DIR}\xpprof32.pdb" - - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2000" nidpdb_inst2000 - File "${KFW_BIN_DIR}\netidmgr.pdb" - File "${KFW_BIN_DIR}\nidmgr32.pdb" - goto nidpdb_done -nidpdb_inst2000: - File "${KFW_BIN_DIR}\W2K\netidmgr.pdb" - File "${KFW_BIN_DIR}\W2K\nidmgr32.pdb" -nidpdb_done: - -!IFDEF DEBUG -!IFDEF CL_1400 - File "${SYSTEMDIR}\msvcr80d.pdb" - File "${SYSTEMDIR}\msvcp80d.pdb" - File "${SYSTEMDIR}\mfc80d.pdb" -!ELSE -!IFDEF CL_1310 - File "${SYSTEMDIR}\msvcr71d.pdb" - File "${SYSTEMDIR}\msvcp71d.pdb" - File "${SYSTEMDIR}\mfc71d.pdb" -!ELSE -!IFDEF CL_1300 - File "${SYSTEMDIR}\msvcr70d.pdb" - File "${SYSTEMDIR}\msvcp70d.pdb" - File "${SYSTEMDIR}\mfc70d.pdb" -!ELSE - File "${SYSTEMDIR}\mfc42d.pdb" - File "${SYSTEMDIR}\msvcp60d.pdb" - File "${SYSTEMDIR}\msvcrtd.pdb" -!ENDIF -!ENDIF -!ENDIF -!ENDIF - - SetOutPath "$SYSDIR" - File "${KFW_BIN_DIR}\kfwlogon.pdb" - File "${KFW_BIN_DIR}\kfwcpcc.pdb" - -SectionEnd - -;---------------------- -; Kerberos for Windows SDK -Section "KfW SDK" secSDK - - RMDir /r "$INSTDIR\inc" - RMDir /r "$INSTDIR\lib" - RMDir /r "$INSTDIR\install" - RMDir /r "$INSTDIR\sample" - - SetOutPath "$INSTDIR\doc" - File /r "${KFW_DOC_DIR}\netiddev.chm" - - SetOutPath "$INSTDIR\inc\kclient" - File /r "${KFW_INC_DIR}\kclient\*" - - SetOutPath "$INSTDIR\inc\krb4" - File /r "${KFW_INC_DIR}\krb4\*" - - SetOutPath "$INSTDIR\inc\krb5" - File /r "${KFW_INC_DIR}\krb5\*" - - SetOutPath "$INSTDIR\inc\krbcc" - File /r "${KFW_INC_DIR}\krbcc\*" - - SetOutPath "$INSTDIR\inc\leash" - File /r "${KFW_INC_DIR}\leash\*" - - SetOutPath "$INSTDIR\inc\loadfuncs" - File /r "${KFW_INC_DIR}\loadfuncs\*" - - SetOutPath "$INSTDIR\inc\netidmgr" - File /r "${KFW_INC_DIR}\netidmgr\*" - - SetOutPath "$INSTDIR\inc\wshelper" - File /r "${KFW_INC_DIR}\wshelper\*" - - SetOutPath "$INSTDIR\lib\i386" - File /r "${KFW_LIB_DIR}\*" - - SetOutPath "$INSTDIR\install" - File /r "${KFW_INSTALL_DIR}\*" - - SetOutPath "$INSTDIR\sample" - File /r "${KFW_SAMPLE_DIR}\*" - - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Developer Documentation.lnk" "$INSTDIR\bin\netiddev.chm" - - Call KFWCommon.Install - - ; KfW Reg entries - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "PatchLevel" ${KFW_PATCHLEVEL} - - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "PatchLevel" ${KFW_PATCHLEVEL} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\SDK\${KFW_VERSION}" "PatchLevel" ${KFW_PATCHLEVEL} - -SectionEnd - -;---------------------- -; Kerberos for Windows Documentation -Section "KfW Documentation" secDocs - - RMDir /r "$INSTDIR\doc" - - SetOutPath "$INSTDIR\doc" - File "${KFW_DOC_DIR}\relnotes.html" - File "${KFW_DOC_DIR}\netidmgr_userdoc.pdf" - - Call KFWCommon.Install - - ; KfW Reg entries - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "PatchLevel" ${KFW_PATCHLEVEL} - - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "VersionString" ${KFW_VERSION} - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "Title" "KfW" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "Description" "${PROGRAM_NAME}" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "PathName" "$INSTDIR" - WriteRegStr HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "Software Type" "Authentication" - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "MajorVersion" ${KFW_MAJORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "MinorVersion" ${KFW_MINORVERSION} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "PatchLevel" ${KFW_PATCHLEVEL} - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\Documentation\${KFW_VERSION}" "PatchLevel" ${KFW_PATCHLEVEL} - - ;Write start menu entries - CreateDirectory "$SMPROGRAMS\${PROGRAM_NAME}" - SetOutPath "$INSTDIR\doc" - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Release Notes.lnk" "$INSTDIR\doc\relnotes.html" - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Manager User Documentation.lnk" "$INSTDIR\doc\netidmgr_userdoc.pdf" - CreateShortCut "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Manager Documentation.lnk" "$INSTDIR\bin\netidmgr.chm" -SectionEnd - -;Display the Finish header -;Insert this macro after the sections if you are not using a finish page -;!insertmacro MUI_SECTIONS_FINISHHEADER - -;-------------------------------- -;Installer Functions - -Function .onInit - !insertmacro MUI_LANGDLL_DISPLAY - - ; Set the default install options - Push $0 - - Call IsUserAdmin - Pop $R0 - StrCmp $R0 "true" checkVer - - MessageBox MB_OK|MB_ICONSTOP|MB_TOPMOST "You must be an administrator of this machine to install this software." - Abort - -checkVer: - ; Check Version of Windows. Do not install onto Windows 95 - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "95" wrongVersion - StrCmp $R0 "98" wrongVersion - StrCmp $R0 "ME" wrongVersion - StrCmp $R0 "NT 4.0" wrongVersion - goto checkIPHLPAPI - -wrongVersion: - MessageBox MB_OK|MB_ICONSTOP|MB_TOPMOST "MIT ${PROGRAM_NAME} requires Microsoft Windows 2000 or higher." - Abort - -checkIPHLPAPI: - ClearErrors - ReadEnvStr $R0 "WinDir" - GetDLLVersion "$R0\System32\iphlpapi.dll" $R1 $R2 - IfErrors +1 +3 - GetDLLVersion "$R0\System\iphlpapi.dll" $R1 $R2 - IfErrors iphlperror - IntOp $R3 $R2 / 0x00010000 - IntCmpU $R3 1952 iphlpwarning checkprevious checkprevious - -iphlperror: - MessageBox MB_OK|MB_ICONSTOP|MB_TOPMOST "MIT ${PROGRAM_NAME} requires Internet Explorer version 5.01 or higher. IPHLPAPI.DLL is missing." - Abort - -iphlpwarning: - MessageBox MB_OK|MB_ICONINFORMATION|MB_TOPMOST "IPHLPAPI.DLL must be upgraded. Please install Internet Explorer 5.01 or higher." - -checkprevious: - ClearErrors - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" \ - "DisplayVersion" - IfErrors testWIX - StrCmp $R0 "${KFW_VERSION}" contInstall - - MessageBox MB_OKCANCEL|MB_ICONEXCLAMATION \ - "${PROGRAM_NAME} is already installed. $\n$\nClick `OK` to remove the \ - previous version or `Cancel` to cancel this upgrade or downgrade." \ - IDOK uninstNSIS - Abort - -;Run the uninstaller -uninstNSIS: - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" \ - "UninstallString" - ClearErrors - ExecWait '$R0 _?=$INSTDIR' ;Do not copy the uninstaller to a temp file - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -testWIX: - ClearErrors - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\{FD5B1F41-81BB-4BBC-9F7E-4B971660AE1A}" \ - "DisplayVersion" - IfErrors testSWRT - - MessageBox MB_OKCANCEL|MB_ICONEXCLAMATION \ - "${PROGRAM_NAME} is already installed. $\n$\nClick `OK` to remove the \ - previous version or `Cancel` to cancel this installation." \ - IDOK uninstMSI1 - Abort - -;Run the uninstaller -uninstMSI1: - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2000" uninstMSI1_2000 - - ClearErrors - ExecWait 'MSIEXEC /x{FD5B1F41-81BB-4BBC-9F7E-4B971660AE1A} /passive /promptrestart' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -uninstMSI1_2000: - ClearErrors - ExecWait 'MSIEXEC /x{FD5B1F41-81BB-4BBC-9F7E-4B971660AE1A}' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -testSWRT: - ClearErrors - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\{61211594-AAA1-4A98-A299-757326763CC7}" \ - "DisplayVersion" - IfErrors testPismere - - MessageBox MB_OKCANCEL|MB_ICONEXCLAMATION \ - "${PROGRAM_NAME} is already installed. $\n$\nClick `OK` to remove the \ - previous version or `Cancel` to cancel this installation." \ - IDOK uninstMSI2 - Abort - -;Run the uninstaller -uninstMSI2: - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2000" uninstMSI2_2000 - - ClearErrors - ExecWait 'MSIEXEC /x{61211594-AAA1-4A98-A299-757326763CC7} /passive /promptrestart' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -uninstMSI2_2000: - ClearErrors - ExecWait 'MSIEXEC /x{61211594-AAA1-4A98-A299-757326763CC7}' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -testPismere: - ClearErrors - ReadRegStr $R0 HKLM \ - "Software\Microsoft\Windows\CurrentVersion\Uninstall\{83977767-388D-4DF8-BB08-3BF2401635BD}" \ - "DisplayVersion" - IfErrors contInstall - - MessageBox MB_OKCANCEL|MB_ICONEXCLAMATION \ - "${PROGRAM_NAME} is already installed. $\n$\nClick `OK` to remove the \ - previous version or `Cancel` to cancel this installation." \ - IDOK uninstPismere - Abort - -;Run the uninstaller -uninstPismere: - Call GetWindowsVersion - Pop $R0 - StrCmp $R0 "2000" uninstPismere_2000 - - ClearErrors - ExecWait 'MSIEXEC /x{83977767-388D-4DF8-BB08-3BF2401635BD} /passive /promptrestart' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - -uninstPismere_2000: - ClearErrors - ExecWait 'MSIEXEC /x{83977767-388D-4DF8-BB08-3BF2401635BD}' - - IfErrors no_remove_uninstaller - ;You can either use Delete /REBOOTOK in the uninstaller or add some code - ;here to remove the uninstaller. Use a registry key to check - ;whether the user has chosen to uninstall. If you are using an uninstaller - ;components page, make sure all sections are uninstalled. - - Push $R1 - Call RestartRequired - Pop $R1 - StrCmp $R1 "1" Restart DoNotRestart - - -Restart: - MessageBox MB_OK|MB_ICONSTOP|MB_TOPMOST "Please reboot and then restart the installer." - Abort - MessageBox MB_OK|MB_ICONSTOP|MB_TOPMOST "Abort failed" - -DoNotRestart: -no_remove_uninstaller: - -contInstall: - ; Never install debug symbols unless explicitly selected, except in DEBUG mode -!IFNDEF DEBUG - SectionGetFlags ${secDebug} $0 - IntOp $0 $0 & ${SECTION_OFF} - SectionSetFlags ${secDebug} $0 -!ELSE - SectionGetFlags ${secDebug} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDebug} $0 -!ENDIF - - ; Our logic should be like this. - ; 1) If no KfW components are installed, we do a clean install with default options. (Client/Docs) - ; 2) If existing modules are installed, we keep them selected - ; 3) If it is an upgrade, we set the text accordingly, else we mark it as a re-install - ; TODO: Downgrade? - Call IsAnyKfWInstalled - Pop $R0 - StrCmp $R0 "0" DefaultOptions - - Call ShouldClientInstall - Pop $R2 - - StrCmp $R2 "0" NoClient - StrCmp $R2 "1" ReinstallClient - StrCmp $R2 "2" UpgradeClient - StrCmp $R2 "3" DowngradeClient - - SectionGetFlags ${secClient} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $0 - ;# !insertmacro SelectSection ${secClient} - goto skipClient -NoClient: - ;StrCpy $1 ${secClient} ; Gotta remember which section we are at now... - SectionGetFlags ${secClient} $0 - IntOp $0 $0 & ${SECTION_OFF} - SectionSetFlags ${secClient} $0 - goto skipClient -UpgradeClient: - SectionGetFlags ${secClient} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $0 - SectionSetText ${secClient} $(UPGRADE_CLIENT) - goto skipClient -ReinstallClient: - SectionGetFlags ${secClient} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $0 - SectionSetText ${secClient} $(REINSTALL_CLIENT) - goto skipClient -DowngradeClient: - SectionGetFlags ${secClient} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $0 - SectionSetText ${secClient} $(DOWNGRADE_CLIENT) - goto skipClient - - -skipClient: - - Call ShouldSDKInstall - Pop $R2 - StrCmp $R2 "0" NoSDK - StrCmp $R2 "1" ReinstallSDK - StrCmp $R2 "2" UpgradeSDK - StrCmp $R2 "3" DowngradeSDK - - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secSDK} $0 - ;# !insertmacro UnselectSection ${secSDK} - goto skipSDK - -UpgradeSDK: - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secSDK} $0 - SectionSetText ${secSDK} $(UPGRADE_SDK) - goto skipSDK - -ReinstallSDK: - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secSDK} $0 - SectionSetText ${secSDK} $(REINSTALL_SDK) - goto skipSDK - -DowngradeSDK: - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secSDK} $0 - SectionSetText ${secSDK} $(DOWNGRADE_SDK) - goto skipSDK - -NoSDK: - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 & ${SECTION_OFF} - SectionSetFlags ${secSDK} $0 - ;# !insertmacro UnselectSection ${secSDK} - goto skipSDK - -skipSDK: - - Call ShouldDocumentationInstall - Pop $R2 - StrCmp $R2 "0" NoDocumentation - StrCmp $R2 "1" ReinstallDocumentation - StrCmp $R2 "2" UpgradeDocumentation - StrCmp $R2 "3" DowngradeDocumentation - - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDocs} $0 - ;# !insertmacro UnselectSection ${secDocs} - goto skipDocumentation - -UpgradeDocumentation: - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDocs} $0 - SectionSetText ${secDocs} $(UPGRADE_DOCS) - goto skipDocumentation - -ReinstallDocumentation: - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDocs} $0 - SectionSetText ${secDocs} $(REINSTALL_DOCS) - goto skipDocumentation - -DowngradeDocumentation: - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDocs} $0 - SectionSetText ${secDocs} $(DOWNGRADE_DOCS) - goto skipDocumentation - -NoDocumentation: - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 & ${SECTION_OFF} - SectionSetFlags ${secDocs} $0 - ;# !insertmacro UnselectSection ${secDocs} - goto skipDocumentation - -skipDocumentation: - goto end - -DefaultOptions: - ; Client Selected - SectionGetFlags ${secClient} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $0 - - ; SDK NOT selected - SectionGetFlags ${secSDK} $0 - IntOp $0 $0 & ${SECTION_OFF} - SectionSetFlags ${secSDK} $0 - - ; Documentation selected - SectionGetFlags ${secDocs} $0 - IntOp $0 $0 | ${SF_SELECTED} - SectionSetFlags ${secDocs} $0 - goto end - -end: - Pop $0 - - Push $R0 - - ; See if we can set a default installation path... - ReadRegStr $R0 HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" "PathName" - StrCmp $R0 "" TrySDK - StrCpy $INSTDIR $R0 - goto Nope - -TrySDK: - ReadRegStr $R0 HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" "PathName" - StrCmp $R0 "" TryDocs - StrCpy $INSTDIR $R0 - goto Nope - -TryDocs: - ReadRegStr $R0 HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" "PathName" - StrCmp $R0 "" TryRoot - StrCpy $INSTDIR $R0 - goto Nope - -TryRoot: - ReadRegStr $R0 HKLM "${KFW_REGKEY_ROOT}" "InstallDir" - StrCmp $R0 "" Nope - StrCpy $INSTDIR $R0 - -Nope: - Pop $R0 - - GetTempFilename $0 - File /oname=$0 KfWConfigPage.ini - GetTempFilename $1 - File /oname=$1 KfWConfigPage2.ini - -FunctionEnd - - -;-------------------------------- -; These are our cleanup functions -Function .onInstFailed -Delete $0 -Delete $1 -FunctionEnd - -Function .onInstSuccess -Delete $0 -Delete $1 -FunctionEnd - - -;-------------------------------- -;Descriptions - - !insertmacro MUI_FUNCTION_DESCRIPTION_BEGIN - !insertmacro MUI_DESCRIPTION_TEXT ${secClient} $(DESC_secClient) - !insertmacro MUI_DESCRIPTION_TEXT ${secSDK} $(DESC_secSDK) - !insertmacro MUI_DESCRIPTION_TEXT ${secDocs} $(DESC_secDocs) - !insertmacro MUI_DESCRIPTION_TEXT ${secDebug} $(DESC_secDebug) - !insertmacro MUI_FUNCTION_DESCRIPTION_END - -;-------------------------------- -;Uninstaller Section - -Section "Uninstall" - ; Make sure the user REALLY wants to do this, unless they did a silent uninstall, in which case...let them! - IfSilent StartRemove ; New in v2.0b4 - MessageBox MB_YESNO "Are you sure you want to remove MIT ${PROGRAM_NAME} from this machine?" IDYES StartRemove - abort - -StartRemove: - - SetShellVarContext all - ; Stop the running processes - GetTempFileName $R0 - File /oname=$R0 "Killer.exe" - nsExec::Exec '$R0 netidmgr.exe' - nsExec::Exec '$R0 krbcc32s.exe' - - Push "$INSTDIR\bin" - Call un.RemoveFromSystemPath - - ; Delete documentation - Delete "$INSTDIR\doc\relnotes.html" - Delete "$INSTDIR\doc\netidmgr_userdoc.pdf" - Delete "$INSTDIR\doc\netiddev.chm" - - Delete /REBOOTOK "$INSTDIR\bin\comerr32.dll" - Delete /REBOOTOK "$INSTDIR\bin\gss.exe" - Delete /REBOOTOK "$INSTDIR\bin\gss-client.exe" - Delete /REBOOTOK "$INSTDIR\bin\gss-server.exe" - Delete /REBOOTOK "$INSTDIR\bin\gssapi32.dll" - Delete /REBOOTOK "$INSTDIR\bin\k524init.exe" - Delete /REBOOTOK "$INSTDIR\bin\kclnt32.dll" - Delete /REBOOTOK "$INSTDIR\bin\kdestroy.exe" - Delete /REBOOTOK "$INSTDIR\bin\kinit.exe" - Delete /REBOOTOK "$INSTDIR\bin\klist.exe" - Delete /REBOOTOK "$INSTDIR\bin\kpasswd.exe" - Delete /REBOOTOK "$INSTDIR\bin\kvno.exe" - Delete /REBOOTOK "$INSTDIR\bin\krb5_32.dll" - Delete /REBOOTOK "$INSTDIR\bin\k5sprt32.dll" - Delete /REBOOTOK "$INSTDIR\bin\krb524.dll" - Delete /REBOOTOK "$INSTDIR\bin\krbcc32.dll" - Delete /REBOOTOK "$INSTDIR\bin\krbcc32s.exe" - Delete /REBOOTOK "$INSTDIR\bin\krbv4w32.dll" - Delete /REBOOTOK "$INSTDIR\bin\netidmgr.exe" - Delete /REBOOTOK "$INSTDIR\bin\netidmgr.chm" - Delete /REBOOTOK "$INSTDIR\bin\nidmgr32.dll" - Delete /REBOOTOK "$INSTDIR\bin\krb4cred.dll" - Delete /REBOOTOK "$INSTDIR\bin\krb5cred.dll" - Delete /REBOOTOK "$INSTDIR\bin\krb4cred_en_us.dll" - Delete /REBOOTOK "$INSTDIR\bin\krb5cred_en_us.dll" - Delete /REBOOTOK "$INSTDIR\bin\leashw32.dll" - Delete /REBOOTOK "$INSTDIR\bin\ms2mit.exe" - Delete /REBOOTOK "$INSTDIR\bin\mit2ms.exe" - Delete /REBOOTOK "$INSTDIR\bin\kcpytkt.exe" - Delete /REBOOTOK "$INSTDIR\bin\kdeltkt.exe" - Delete /REBOOTOK "$INSTDIR\bin\wshelp32.dll" - Delete /REBOOTOK "$INSTDIR\bin\xpprof32.dll" - Delete /REBOOTOK "$SYSDIR\bin\kfwlogon.dll" - Delete /REBOOTOK "$SYSDIR\bin\kfwcpcc.exe" - - Delete /REBOOTOK "$INSTDIR\bin\comerr32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\gss.pdb" - Delete /REBOOTOK "$INSTDIR\bin\gss-client.pdb" - Delete /REBOOTOK "$INSTDIR\bin\gss-server.pdb" - Delete /REBOOTOK "$INSTDIR\bin\gssapi32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\k524init.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kclnt32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kdestroy.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kinit.pdb" - Delete /REBOOTOK "$INSTDIR\bin\klist.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kpasswd.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kvno.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krb5_32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\k5sprt32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krb524.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krbcc32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krbcc32s.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krbv4w32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\netidmgr.pdb" - Delete /REBOOTOK "$INSTDIR\bin\nidmgr32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krb4cred.pdb" - Delete /REBOOTOK "$INSTDIR\bin\krb5cred.pdb" - Delete /REBOOTOK "$INSTDIR\bin\leashw32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\ms2mit.pdb" - Delete /REBOOTOK "$INSTDIR\bin\mit2ms.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kcpytkt.pdb" - Delete /REBOOTOK "$INSTDIR\bin\kdeltkt.pdb" - Delete /REBOOTOK "$INSTDIR\bin\wshelp32.pdb" - Delete /REBOOTOK "$INSTDIR\bin\xpprof32.pdb" - Delete /REBOOTOK "$SYSDIR\bin\kfwlogon.pdb" - Delete /REBOOTOK "$SYSDIR\bin\kfwcpcc.pdb" - -!IFDEF DEBUG -!IFDEF CL_1400 - Delete /REBOOTOK "$INSTDIR\bin\msvcr80d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr80d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\msvcp80d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp80d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\mfc80d.dll" - Delete /REBOOTOK "$INSTDIR\bin\mfc80d.pdb" -!ELSE -!IFDEF CL_1310 - Delete /REBOOTOK "$INSTDIR\bin\msvcr71d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr71d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\msvcp71d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp71d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\mfc71d.dll" - Delete /REBOOTOK "$INSTDIR\bin\mfc71d.pdb" -!ELSE -!IFDEF CL_1300 - Delete /REBOOTOK "$INSTDIR\bin\msvcr70d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr70d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\msvcp70d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp70d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\mfc70d.dll" - Delete /REBOOTOK "$INSTDIR\bin\mfc70d.pdb" -!ELSE - Delete /REBOOTOK "$INSTDIR\bin\mfc42d.dll" - Delete /REBOOTOK "$INSTDIR\bin\mfc42d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\msvcp60d.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp60d.pdb" - Delete /REBOOTOK "$INSTDIR\bin\msvcrtd.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcrtd.pdb" -!ENDIF -!ENDIF -!ENDIF -!ELSE -!IFDEF CL_1400 - Delete /REBOOTOK "$INSTDIR\bin\mfc80.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr80.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp80.dll" - Delete /REBOOTOK "$INSTDIR\bin\MFC80CHS.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80CHT.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80DEU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80ENU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80ESP.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80FRA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80ITA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80JPN.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC80KOR.DLL" -!ELSE -!IFDEF CL_1310 - Delete /REBOOTOK "$INSTDIR\bin\mfc71.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr71.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp71.dll" - Delete /REBOOTOK "$INSTDIR\bin\MFC71CHS.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71CHT.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71DEU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71ENU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71ESP.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71FRA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71ITA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71JPN.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC71KOR.DLL" -!ELSE -!IFDEF CL_1300 - Delete /REBOOTOK "$INSTDIR\bin\mfc70.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcr70.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp70.dll" - Delete /REBOOTOK "$INSTDIR\bin\MFC70CHS.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70CHT.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70DEU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70ENU.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70ESP.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70FRA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70ITA.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70JPN.DLL" - Delete /REBOOTOK "$INSTDIR\bin\MFC70KOR.DLL" -!ELSE - Delete /REBOOTOK "$INSTDIR\bin\mfc42.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcp60.dll" - Delete /REBOOTOK "$INSTDIR\bin\msvcrt.dll" -!ENDIF -!ENDIF -!ENDIF -!ENDIF - Delete /REBOOTOK "$INSTDIR\bin\psapi.dll" - - RMDir "$INSTDIR\bin" - RmDir "$INSTDIR\doc" - RmDir "$INSTDIR\lib" - RmDir "$INSTDIR\inc" - RmDir "$INSTDIR\install" - RMDir "$INSTDIR" - - Delete "$SMPROGRAMS\${PROGRAM_NAME}\Uninstall ${PROGRAM_NAME}.lnk" - Delete "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Manager.lnk" - Delete "$SMPROGRAMS\${PROGRAM_NAME}\Release Notes.lnk" - Delete "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Manager User Documentation.lnk" - Delete "$SMPROGRAMS\${PROGRAM_NAME}\Network Identity Developer Documentation.lnk" - RmDir "$SMPROGRAMS\${PROGRAM_NAME}" - Delete "$SMSTARTUP\Network Identity Manager.lnk" - - IfSilent SkipAsk -; IfFileExists "$WINDIR\krb5.ini" CellExists SkipDelAsk -; RealmExists: - MessageBox MB_YESNO "Would you like to keep your configuration files?" IDYES SkipDel - SkipAsk: - Delete "$WINDIR\krb5.ini" - Delete "$WINDIR\krb.con" - Delete "$WINDIR\krbrealm.con" - - SkipDel: - Delete "$INSTDIR\Uninstall.exe" - - ; Restore previous value of AllowTGTSessionKey - ReadRegDWORD $R0 HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "AllowTGTSessionKeyBackup" - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters" "AllowTGTSessionKey" $R0 - ReadRegDWORD $R0 HKLM "${KFW_REGKEY_ROOT}\Client\${KFW_VERSION}" "AllowTGTSessionKeyBackup2" - WriteRegDWORD HKLM "SYSTEM\CurrentControlSet\Control\Lsa\Kerberos" "AllowTGTSessionKey" $R0 - - ; The following are keys added for Terminal Server compatibility - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\netidmgr" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kinit" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\klist" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdestroy" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss-client" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\gss-server" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k524init" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kpasswd" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kvno" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\ms2mit" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\mit2ms" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kcpytkt" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\kdeltkt" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k95" - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\k95g" - - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Client\CurrentVersion" - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Client" - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Documentation\CurrentVersion" - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\Documentation" - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\SDK\CurrentVersion" - DeleteRegKey HKLM "${KFW_REGKEY_ROOT}\SDK" - DeleteRegKey /ifempty HKLM "${KFW_REGKEY_ROOT}" - DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" - - ; NIM Registry Keys - DeleteRegKey HKLM "${NIM_REGKEY_ROOT}\PluginManager\Modules\MITKrb5" - DeleteRegKey HKLM "${NIM_REGKEY_ROOT}\PluginManager\Modules\MITKrb4" - DeleteRegKey HKLM "${NIM_REGKEY_ROOT}\PluginManager\Plugins\Krb5Cred" - DeleteRegKey HKLM "${NIM_REGKEY_ROOT}\PluginManager\Plugins\Krb5Ident" - DeleteRegKey HKLM "${NIM_REGKEY_ROOT}\PluginManager\Plugins\Krb4Cred" - DeleteRegKey /ifempty HKLM "${NIM_REGKEY_ROOT}\PluginManager\Modules" - DeleteRegKey /ifempty HKLM "${NIM_REGKEY_ROOT}\PluginManager\Plugins" - DeleteRegKey /ifempty HKLM "${NIM_REGKEY_ROOT}\PluginManager" - DeleteRegKey /ifempty HKLM "${NIM_REGKEY_ROOT}" - - ; WinLogon Event Notification - DeleteRegKey HKLM "Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MIT_KFW" - DeleteRegKey HKLM "SYSTEM\CurrentControlSet\Services\MIT Kerberos" - - RMDir "$INSTDIR" - -SectionEnd - -;-------------------------------- -;Uninstaller Functions - -Function un.onInit - - ;Get language from registry - ReadRegStr $LANGUAGE ${MUI_LANGDLL_REGISTRY_ROOT} "${MUI_LANGDLL_REGISTRY_KEY}" "${MUI_LANGDLL_REGISTRY_VALUENAME}" - -FunctionEnd - -Function un.onUninstSuccess - - MessageBox MB_OK "Please reboot your machine to complete uninstallation of the software" - -FunctionEnd - -;------------------------------ -; Get the Configurations files from the Internet - -Function kfw.GetConfigFiles - -;Check if we should download Config Files -ReadINIStr $R0 $0 "Field 4" "State" -StrCmp $R0 "1" DoDownload - -;Do nothing if we're keeping the existing file -ReadINIStr $R0 $0 "Field 2" "State" -StrCmp $R0 "1" done - -ReadINIStr $R0 $0 "Field 3" "State" -StrCmp $R0 "1" UsePackaged - -; If none of these, grab file from other location -goto CheckOther - -DoDownload: - ReadINIStr $R0 $0 "Field 5" "State" - NSISdl::download "$R0/krb5.ini" "$WINDIR\krb5.ini" - NSISdl::download "$R0/krb.con" "$WINDIR\krb.con" - NSISdl::download "$R0/krbrealm.con" "$WINDIR\krbrealm.con" - Pop $R0 ;Get the return value - StrCmp $R0 "success" done - MessageBox MB_OK|MB_ICONSTOP "Download failed: $R0" - goto done - -UsePackaged: - SetOutPath "$WINDIR" - File "${KFW_CONFIG_DIR}\sample\krb5.ini" - File "${KFW_CONFIG_DIR}\sample\krb.con" - File "${KFW_CONFIG_DIR}\sample\krbrealm.con" - goto done - -CheckOther: - ReadINIStr $R0 $0 "Field 7" "State" - StrCmp $R0 "" done - CopyFiles "$R0\krb5.ini" "$WINDIR\krb5.ini" - CopyFiles "$R0\krb.con" "$WINDIR\krb.con" - CopyFiles "$R0\krbrealm.con" "$WINDIR\krbrealm.con" - -done: - -FunctionEnd - - - -;------------------------------- -;Do the page to get the Config files - -Function KFWPageGetConfigFiles - ; Skip this page if we are not installing the client - SectionGetFlags ${secClient} $R0 - IntOp $R0 $R0 & ${SF_SELECTED} - StrCmp $R0 "0" Skip - - ; Set the install options here - -startOver: - WriteINIStr $0 "Field 2" "Flags" "DISABLED" - WriteINIStr $0 "Field 3" "State" "1" - WriteINIStr $0 "Field 4" "State" "0" - WriteINIStr $0 "Field 6" "State" "0" - WriteINIStr $0 "Field 3" "Text" "Use packaged configuration files for the ${SAMPLE_CONFIG_REALM} realm." - WriteINIStr $0 "Field 5" "State" "${HTTP_CONFIG_URL}" - - ; If there is an existing krb5.ini file, allow the user to choose it and make it default - IfFileExists "$WINDIR\krb5.ini" +1 notpresent - WriteINIStr $0 "Field 2" "Flags" "ENABLED" - WriteINIStr $0 "Field 2" "State" "1" - WriteINIStr $0 "Field 3" "State" "0" - - notpresent: - - !insertmacro MUI_HEADER_TEXT "Kerberos Configuration" "Please choose a method for installing the Kerberos Configuration files:" - InstallOptions::dialog $0 - Pop $R1 - StrCmp $R1 "cancel" exit - StrCmp $R1 "back" done - StrCmp $R1 "success" done -exit: Quit -done: - - ; Check that if a file is set, a valid filename is entered... - ReadINIStr $R0 $0 "Field 6" "State" - StrCmp $R0 "1" CheckFileName - - ;Check if a URL is specified, one *IS* specified - ReadINIStr $R0 $0 "Field 4" "State" - StrCmp $R0 "1" CheckURL Skip - - CheckURL: - ReadINIStr $R0 $0 "Field 5" "State" - StrCmp $R0 "" +1 Skip - MessageBox MB_OK|MB_ICONSTOP $(URLError) - WriteINIStr $0 "Field 4" "State" "0" - goto startOver - - CheckFileName: - ReadINIStr $R0 $0 "Field 7" "State" - IfFileExists "$R0\krb5.ini" Skip - - MessageBox MB_OK|MB_ICONSTOP $(ConfigFileError) - WriteINIStr $0 "Field 6" "State" "0" - goto startOver - - Skip: - -FunctionEnd - - -;------------------------------- -;Do the page to get the Startup Configuration - -Function KFWPageGetStartupConfig - ; Skip this page if we are not installing the client - SectionGetFlags ${secClient} $R0 - IntOp $R0 $R0 & ${SF_SELECTED} - StrCmp $R0 "0" Skip - - ; Set the install options here - - !insertmacro MUI_HEADER_TEXT "Network Identity Manager Setup" "Please select Network Identity ticket manager setup options:" - InstallOptions::dialog $1 - Pop $R1 - StrCmp $R1 "cancel" exit - StrCmp $R1 "back" done - StrCmp $R1 "success" done -exit: - Quit -done: -skip: - -FunctionEnd - - -;------------- -; Common install routines for each module -Function KFWCommon.Install - - WriteRegStr HKLM "${KFW_REGKEY_ROOT}" "InstallDir" $INSTDIR - - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" "DisplayName" "${PROGRAM_NAME}" - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" "UninstallString" "$INSTDIR\uninstall.exe" -!ifndef DEBUG - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" "DisplayVersion" "${KFW_VERSION}" -!else - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" "DisplayVersion" "${KFW_VERSION} Checked/Debug" -!endif - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\${PROGRAM_NAME}" "URLInfoAbout" "http://web.mit.edu/kerberos/" - -!ifdef DEBUG - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\CurrentVersion" "Debug" 1 - WriteRegDWORD HKLM "${KFW_REGKEY_ROOT}\${KFW_VERSION}" "Debug" 1 -!else - ; Delete the DEBUG string - DeleteRegValue HKLM "${KFW_REGKEY_ROOT}\CurrentVersion" "Debug" - DeleteRegValue HKLM "${KFW_REGKEY_ROOT}\${KFW_VERSION}" "Debug" -!endif - - WriteUninstaller "$INSTDIR\Uninstall.exe" -FunctionEnd - - -;------------------------------- -; Check if the client should be checked for default install -Function ShouldClientInstall - Push $R0 - StrCpy $R2 "Client" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - ; Now we see if it's an older or newer version - - Call GetInstalledVersionMajor - Pop $R0 - IntCmpU $R0 ${KFW_MAJORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionMinor - Pop $R0 - IntCmpU $R0 ${KFW_MINORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionPatch - Pop $R0 - IntCmpU $R0 ${KFW_PATCHLEVEL} Reinstall Upgrade Downgrade - -Reinstall: - StrCpy $R0 "1" - Exch $R0 - goto end - -Upgrade: - StrCpy $R0 "2" - Exch $R0 - goto end - -Downgrade: - StrCpy $R0 "3" - Exch $R0 - goto end - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - -;------------------------------- -; Check how the Documentation options should be set -Function ShouldDocumentationInstall - Push $R0 - StrCpy $R2 "Documentation" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - ; Now we see if it's an older or newer version - - Call GetInstalledVersionMajor - Pop $R0 - IntCmpU $R0 ${KFW_MAJORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionMinor - Pop $R0 - IntCmpU $R0 ${KFW_MINORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionPatch - Pop $R0 - IntCmpU $R0 ${KFW_PATCHLEVEL} Reinstall Upgrade Downgrade - -Reinstall: - StrCpy $R0 "1" - Exch $R0 - goto end - -Upgrade: - StrCpy $R0 "2" - Exch $R0 - goto end - -Downgrade: - StrCpy $R0 "3" - Exch $R0 - goto end - - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - - -;------------------------------- -; Check how the SDK options should be set -Function ShouldSDKInstall - Push $R0 - StrCpy $R2 "SDK" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - ; Now we see if it's an older or newer version - - Call GetInstalledVersionMajor - Pop $R0 - IntCmpU $R0 ${KFW_MAJORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionMinor - Pop $R0 - IntCmpU $R0 ${KFW_MINORVERSION} +1 Upgrade Downgrade - - Call GetInstalledVersionPatch - Pop $R0 - IntCmpU $R0 ${KFW_PATCHLEVEL} Reinstall Upgrade Downgrade - -Reinstall: - StrCpy $R0 "1" - Exch $R0 - goto end - -Upgrade: - StrCpy $R0 "2" - Exch $R0 - goto end - -Downgrade: - StrCpy $R0 "3" - Exch $R0 - goto end - - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - -; See if KfW SDK is installed -; Returns: "1" if it is, 0 if it is not (on the stack) -Function IsSDKInstalled - Push $R0 - StrCpy $R2 "SDK" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - - StrCpy $R0 "1" - Exch $R0 - goto end - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - - -; See if KfW Client is installed -; Returns: "1" if it is, 0 if it is not (on the stack) -Function IsClientInstalled - Push $R0 - StrCpy $R2 "Client" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - - StrCpy $R0 "1" - Exch $R0 - goto end - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - - - -; See if KfW Documentation is installed -; Returns: "1" if it is, 0 if it is not (on the stack) -Function IsDocumentationInstalled - Push $R0 - StrCpy $R2 "Documentation" - Call GetInstalledVersion - Pop $R0 - - StrCmp $R0 "" NotInstalled - - StrCpy $R0 "1" - Exch $R0 - goto end - -NotInstalled: - StrCpy $R0 "0" - Exch $R0 -end: -FunctionEnd - - - -;Check to see if any KfW component is installed -;Returns: Value on stack: "1" if it is, "0" if it is not -Function IsAnyKfWInstalled - Push $R0 - Push $R1 - Push $R2 - Call IsClientInstalled - Pop $R0 - Call IsSDKInstalled - Pop $R1 - Call IsDocumentationInstalled - Pop $R2 - ; Now we must see if ANY of the $Rn values are 1 - StrCmp $R0 "1" SomethingInstalled - StrCmp $R1 "1" SomethingInstalled - StrCmp $R2 "1" SomethingInstalled - ;Nothing installed - StrCpy $R0 "0" - goto end -SomethingInstalled: - StrCpy $R0 "1" -end: - Pop $R2 - Pop $R1 - Exch $R0 -FunctionEnd - -;-------------------------------- -;Handle what must and what must not be installed -Function .onSelChange - ; If they install the SDK, they MUST install the client - SectionGetFlags ${secSDK} $R0 - IntOp $R0 $R0 & ${SF_SELECTED} - StrCmp $R0 "1" MakeClientSelected - goto end - -MakeClientSelected: - SectionGetFlags ${secClient} $R0 - IntOp $R0 $R0 | ${SF_SELECTED} - SectionSetFlags ${secClient} $R0 - -end: -FunctionEnd - -Function AddProvider - Push $R0 - Push $R1 - ReadRegStr $R0 HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder" "ProviderOrder" - Push $R0 - StrCpy $R0 "MIT Kerberos" - Push $R0 - Call StrStr - Pop $R0 - StrCmp $R0 "" DoOther +1 - ReadRegStr $R1 HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder" "ProviderOrder" - StrCpy $R0 "$R1,MIT Kerberos" - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder" "ProviderOrder" $R0 -DoOther: - ReadRegStr $R0 HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "ProviderOrder" - Push $R0 - StrCpy $R0 "MIT Kerberos" - Push $R0 - Call StrStr - Pop $R0 - StrCmp $R0 "" +1 End - ReadRegStr $R1 HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "ProviderOrder" - StrCpy $R0 "$R1,MIT Kerberos" - WriteRegStr HKLM "SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" "ProviderOrder" $R0 -End: - Pop $R1 - Pop $R0 -FunctionEnd - -Function un.RemoveProvider - Push $R0 - StrCpy $R0 "MIT Kerberos" - Push $R0 - StrCpy $R0 "SYSTEM\CurrentControlSet\Control\NetworkProvider\HWOrder" - Call un.RemoveFromProvider - StrCpy $R0 "MIT Kerberos" - Push $R0 - StrCpy $R0 "SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" - Call un.RemoveFromProvider - Pop $R0 -FunctionEnd - -Function un.RemoveFromProvider - Exch $0 - Push $1 - Push $2 - Push $3 - Push $4 - Push $5 - Push $6 - - ReadRegStr $1 HKLM "$R0" "ProviderOrder" - StrCpy $5 $1 1 -1 # copy last char - StrCmp $5 "," +2 # if last char != , - StrCpy $1 "$1," # append , - Push $1 - Push "$0," - Call un.StrStr ; Find `$0,` in $1 - Pop $2 ; pos of our dir - StrCmp $2 "" unRemoveFromPath_done - ; else, it is in path - # $0 - path to add - # $1 - path var - StrLen $3 "$0," - StrLen $4 $2 - StrCpy $5 $1 -$4 # $5 is now the part before the path to remove - StrCpy $6 $2 "" $3 # $6 is now the part after the path to remove - StrCpy $3 $5$6 - - StrCpy $5 $3 1 -1 # copy last char - StrCmp $5 "," 0 +2 # if last char == , - StrCpy $3 $3 -1 # remove last char - - WriteRegStr HKLM "$R0" "ProviderOrder" $3 - - unRemoveFromPath_done: - Pop $6 - Pop $5 - Pop $4 - Pop $3 - Pop $2 - Pop $1 - Pop $0 -FunctionEnd diff --git a/src/windows/installer/nsis/kfw.ico b/src/windows/installer/nsis/kfw.ico deleted file mode 100644 index 8dcb29e7a66f097ad2f67b181bb352fb2421d3d9..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 25214 zcmeHv30#j^+yBYFjGZJTQT8NcoseWF*)w)Rk%UUfPQwf{F_{S=BZO3v3hgEBixz2< zHkGuHZN~NgUia_!i<#$r=6T-F`@H}6{rvyWJ#*aM=RV8#T<1F1b*}4N_fH5V(Ol^0 zw8g!VSl>hlXCZ{Ty6m~Mfe@dN*S4+fxv!EC#mxoE3zTmruC^AUbxSTUe{Lp(Ul%Sf zdtTpIh-Dgz^6KKMrVvqm6y@=Za+Wg{<<-UdMnWhr6QVCLpbN1AiE;h;Lbdv9FaL#q z_R9a*D}UIFjF6BJLHr*7ko*slKaebg-~P>Y#MXA}-((`g&e73Ph<5eex3Q9yvPHg? zQoDAFIz3Q|FI!aD`-l7^vV2t7hkQjtJx&~vTC%mZbv*LNd|Q5jd^<<+xqKS}LRr48 zW82U9d+4n#S3r4NyS++^=9>}c;|1s2ItqDyQ;^^tGVEmK9l0l5N_LJX9ML{{;D78K z_et3eF-FI~%~z7L9UZ0eTuWYlq%8l0l+SNL3AEExUR<7!3ZNYFnX-KGz-$F~BX1%TWs435T4$lsS}QG(LA@~XuD;h z5IvC36`0P7d>$_TmMZ)q|A=VF*;0is%R3&}BV|iH*SCXKWx2ARkuQx4*?-P=l<@p1 z-w|~Gd-*3A|DVfqhLkU1m%8Q=OP9p|iiZ;tC1m-{&`bR#8yG)+o)CWG{1Z}J;1AA_ zU+4pU@eAaC@j?zjp5IJf8g0nwAuIp6f+GK&e6iM7P|#1FU*D1t!$()~A?tXKLZCkVAsFwlq=caa2zFfRuoy#6k%#oV}CFJj!Q>5o+vJ8GENiKZx{EjL4mzPux z|Aa_85y2~&S8p36UbUQfwf>jVUepgk!rD**qJ~%-a=k&se9qIaj`V+%&%r9vCEIgg z|6#WmO!f}^R?E84%GS0@iQe(us)uy915>;^VP$(njN?1@2Fw(=gLq%uo7(b>LgP1; zW)@3A67%4grJb185TXRCHpO5YBK_rmd+|13X|GaM!+a&ClMd1fB;Mct&BZf>t3iVX z!ug=JhzWBNCPum#oAdY??4=(m?on`UqX+2BNH>Oe`=k z66ufQgqg_<5gzU>^mK=b1XpX3mf|BeuU;*#oj)xC{QN|A+EdY>y|Os6f1l{9+*xFL zxro=VD}=e8nsBhT7Lj3L!cs$7g!l!C82_`Pzp{qt*Px*o*-J}&sLK@lO=b!IANC51 z88gJSi&w<*#fycH(?Q|s;USV@<3-`~0x?9bo2V+Q5LsDq;`_r#MM6xFs3&CSKQ{{6(*{u;vF{bvyt6e0?9pNn&+e-Urr)QJZ- zuZX&e8nI;NEMcUfCc}Ekwd` zdlBW~BnlGTao;aKq(=!OJtN@&S_JvIi(F?1;d;tRD7SBqc?c4@K_0?ztbvH}a1nKt z#loO<12MWq6A|cfRJfV;7YE1o76}O+qS(VmcX+_W=}K_HDxIx%g#VcMd#h(5JVc)Gg@AJj{Xi4rQUTZ@>( z<{}FiQ~cb-Zc9tCOmCRjZ>lX^9ZZG0^HE_iP+RQZXf6VLJjJ7+D3KE5CoKE-7jY3@ zB0W7&L8!<^Q{{3`tYJ;gNr zX~IZ%v?$9>7qvAtB0D=u)M4%2a`zO0K7m35eB2zktBT7-SYVLokH399-Nmw5Mq<3G zvUrl7E`C0KT&VHbJYB^PHtWSmtcjSQKoRKfD&m5|L^0-Twvmx&t*k8cR5e6taj~@i zS;qWluC-$a;u_yjWQJ!-*Qh^S;iIrs`SO~xa?zrS$0^@yZmnB#=gyrfeTS~~mxIHQ zC-+R|?EbR+^kIuC-p`)B`oYq=B}-64U*ADi12>evS72i}W!e`NrcYO0Ic19a@NQq} zFW?GQsK6aK@HJ$}y~{S$n{E&MT;ZE)16P#&d+40(d$LUW&u@x-QX z{j=K6@6?{VkQHB%ts2@h0&UGC8e!^SpDfVj(P=2r;2n0A5Xn*+t)9kciro)!6OlX&Pb;)7&SL)QkB^DAZ*N&*Yihc< zv-+Sotr;_hbh+!eaQzf6Jy=%WP~F&A?_J=!bss17D@6I0EmzL5wO#yp{gGSdGq!E> z^*=xRJ<1PeG@N!B8ykO$9Xar{+ppKVbNQ8}i*0SSA0OQF48^xCJutLFD$k{X$KGU< zv2jzk`SaU;=)O^x2*nq5Zd{|S-XOX)ifb)BV6t(H{S+Q457*uh>&19i*8GoFdv!LJ z6RqsLNMn&@jot8mw*sZ|X5Gtm=c%A&{D=QlY{rbynHxC&(DP3^dT772bWufxUCpds zeNT^+%6Bj+FP}Hhm`Q_cFxnrZV-+}Zi{8YEpHLpsWcFx}Z6>L;gHhGU6X@&BwfJXzx)mt{66};?3;I^4FU$jV{hvw(an>tTc!QP}=Wz&|C zBVSK6ZpG!f_>`4%PPRK1-CoOFi!PXK)J17r^9-dPbgET$-5eP>ccSscR;{>v;*=?! zEiLogI5yYRB=^E%hR@}v>Na9PhJ#hCC(RF>t7D7`L=qn^vb5|RHZuDfv`$1tM@F8d`9A~t^vOrBu&~hN6Uw84ygW-4bWjh7M<4_ANe{kXls74?W-=Pe+Q+|t z56~xhc@rCB?xMat%M~5~Mo>QhrqCx{ZXX@k*c4*PeJ;z^8tkd{uznyT1gVtxmm*9)m_Y5KO0qaer`HjJ`lA15TlV0_rW7Z(U$AK2e& z8saFh4TMdxY=MdR@Zp2lykG(B)dj-Z+EN4s1&J}}%fsD8WTmHwVHz63#l=N;yZuKv+*R64;K3hfz_mqhK@dUjsUZ#5spsiRKf5p3?ApvMCrKiKK2 zq7`W3>g+5m_4^A0eSHz*gmL{95oY8ur0^J)(mnvEZkPj z!kmVQlqf%OTwepUDn_05LK(K78T<-rO8@Kz_fRA0xuK`54S7ANJ|xT3KNGxS8dEQ#Ita7 za~1C@Ys68^ZC|vz1N669wMxJk5y#-`xaH|7jvhWNF1fjhGVoyxa3!TAh(J$2ao;ac zOjA=6haL7yHgRG?f^c(j6?s{?qByr$WG1AGo9-T^t zTh^A=;!Rl%)=Gj%Nr)2Xon3@J)`7lOf8g{H4&di3tdmbzCo$l4Ys`K722I3h@a}PI zbCx)NG%EjPN~B+XOGEsvK8!nZ>^B`9o#`t=L$8O1hT3e*Et;w*u&P6?W_5XtNJ`Kd z+ZF{vZEX5(G-$P5VfXoTc-6})^;}OUU2Xs```UEP)hHc*Z)qs@wqU1w=5FD;!j`Qu0~u(sP)H@C!T4XCZI$8@$wbAO*j0d3lxp1kX0m@U!6 zt!{~l!@H{}37s;2pKH^)`IS~hMH_ZaeEaqu(L%SxHEW(dX?Ny_leyEUPq+ET(tVV6 zdESy4mv&`ZhYT12BVV|~G z=U*a%LO{l&h{8r0sXsxqxwQ`4%`qE;IwoiHDY z_j(n@yKAR?yWqa+eOhVMDR_0q42z6KsYPA`w@dFw=2t~N*6sPQfr#0XSUm-Rhu!# zO*^d)zC3tvr|Pt{39+3A*0fr*h$zphy6FJpcO9!tO{-Q12M1r?(WzQ9t)1Gzf&E*h z;=Q(}U0PgR$7NMjbAvCxzr16I^gca4`R9(Qsi{QMRQeAqEgkm7Wv-@{Z0x^8+oEGf zyeGfeX3;I8CJdT3Vu@O;c6tAzRx_8Vsafr`vasvekvS}S(-ZmYWbJa3qE@BjXTB>i zeQL!8_&w34C+!BQOk1Lc_guf!d{`S(qc+-k)poM?ga%aP?Q;X>!?=J^tGsIYd(5)b zzq|u(00kbjk+-iX^tRa~203O5e|kYdI%K$;Fo2I+4Z4T-A~x`~ z9zA*#KDjVahP?pmR2ViwTeUrOv9st8eFuXddLv!hC-^}|V!JKcL*}x+cY@B)gI;90 z?BnSMJ(VllH%Pj=J=#%)&$UkMXT8RH7y7~ja$Z+gSA2kuHG_P0f}SmduC|5`J`j5W zS65e20KH%j-ORGQ1u#TmA7Hc0K+@wH@Rjr4AO&)o<+&F21Fp~|YS4eYr>KFBVtwW8 z?dmsml zgY~X9aI((R2F^NQbOF9H=%gB8`}g&43jC`nVDS&GUgO&?w=h+o+Ej1!TrR3PN^7NB zyZLK+_B7OOi|1CFCWE@^s;a74G+8~MdmoGTGj)~@G3snFw&jS9BUENs^wL?{rAHf! zWh2I!5AN8kg++^{{TolWn9^*-HyyhV>Da=e%Zf1z&2)z~)0j4~L-!%QEVRcgRI;#W zI6}YghOQmD_p%s1c}|1oqS1(TeJ4y>&|$Vk>rS(JtEi0oX5PH78Z=nY-eOSel|u(~ zY}Raq%2z7~4OOi{?P4gB{f$)Tql9D6tYmtT{wM9atUp7j^n~?JA|g-Bd}ZTMruC zO`YDodq=-GJHG^)WB1}c%xj>}nUtd<{8|lQiM=97pkRt8{)1%-JdU!vWB7!0) zH8q?HYinl$o4Lk0QfAjvYNB4v3wQmLoAw zwLnsMVDRT3FUt)UWM#354(;7f_ilskq2Ux49!ZbFLMSEn0cCjoOghSfMghxY^&T`y ztt-aRl_r6HhN>zw4rvV1aNrt@c^SZTM(W37Q338Qsx$!k{gDP@%$#)4#*iM}NVlgJ zO&vCZuot1H=^6Aa=P5n#aibNB7ncCAJCIrW6mq{N6|dh#Tg*6a14-VMJZBj7hg-;;pfi07fJ3K<}cW&FUaqr!6l8uK{t zJOF?5cn0Em5YwHpcL#2?q1!`^hWG4EGluC(_;WL}s30$&!f(5i#av_Bwb7yuXV?#b z_%PBOBt-p60Th3ji)~ihXbZ4!-Mp2yZ`n>eZSCpoPp2s^ERy0MMbgu!@f2=lM(w~u zhU#hF&vP_^zf9QB8( zYtYD^nlycg4t@OikzmVH(X;226&p@l=FXyxGiT5N%ZP`ZY3LFx7%t2V-7_NNbd7-j#*}yIzkTz}+kma0NWNx~M5DW3LQ^$_Hws#>JA$3JUBsL??V+Rh>?Q7@h*|R6Kcbqz*xHJb7)v=Z#izWd3gszZFz&{GO5eq`Y zF-FF%E5|+ryfU=A8VyrZr{Nks3GpyAs&{V^N=<1{LqTV@Eur6j`;DIGJ*Sd_Vk*hc zqGOovjnih(7US8pdiG2*orU>WWA*|2ZeH6zAo1GPM*3>!_8l_pxbL>zDZ_5>K>O_X z(t(}(=;%HN^0|G9o~C+JFW~R4)QG0^1a{C=A3QM*bR7%)%s(SlRUuD-7ubiXF`pwr z&Wu#=Ny9XHkxp+78q-sax(Frejl*&ts2=N!Re(F@(YGO?5 z=FFyVaNx6K_H5d?Y85S6xUdKd;3lwJA@x4!uusD8z%*yvJNMB3U3=-^o&%6chiLz9 z2Xa6A6Z!ewpcLN=G`@|Xah=-H1n|%p@bVbU!5GNaQMhv&fix6roAD3DdeH^1k5*SF zJdu(jz%K7um3n!3t;L8HP+y4>!?tOH4-vK(fe?NVD=n!PmMY?s#jr^}2 zqlDvjG`dAo8Uxx72VaboaI4a2jA1nX9?iTCtiv!iUaM-5pA8!}rhW|@l2!W_bamZK zdKT|aIk^#(kq}Oqi7`}|n?sM|lPNtumEbd@bH@(QrWw=7cK%%2WHN_V%$Y;WOiXCS z+_|)Jz6sfE*ieuE>`%YYe$afM{T@09x*u{lK#qG4(zp8$lH>kEbmG`|bo=^s^0{)E zZr(UYrMJH$hXFmIm#`ky)M$iS4;qcNFsi!>=nq~3=1~~iu&(OVs8I`Q)2I<0Fdax) z*B$ApuQR2k`BPGiFC{#Pq|~TrN_`YfIcaH-*U^yMF%UUwmm64>`0lG1kvj?hu0(@v-8j;AO2UB60R zw|=Fn2WRN;Xie(Z32PD9M|9&cfbV-CVLZA$G-v?E(YSGA+Nj=Ka8dHN3jzA*szDtn-3{6B!aRY$B_A=d9-DYG4Ri&HS#&&ajaP| zkL)*ZuE+nYs~erc9P9(_kL;7t{9EAu{_wZ-{h_1e`tup`_x7fMTOQ

k3sxyV0h8 z14y-t8tH+*NAcQ(OdO`s1M)=;dxmZj_6v�Jk?KB_&Y&gD^@AzC#JY_b4$ugpwja z`-hJx?NK~s#3sq`hei=%)F=_-dG(@zPHf#k>!(kLE|cM3H5atUe3&hmPrJXs?+*M| zFJ306?|#6VWqt?UF&`(sJqG-abou;63h?ovKrc@U4)vz0m@72CaWfjI)(bLRoksQ4 zfFA7y>>8xjS(#db?zb0C0B-2Nhu#zt^njwnLZJ`CDLx_sI{hIfKa8Qo=r~Gwlt`(u z$rApU&`659A4*S>A5&FDG2M3BPpc+RCUf9l3%WD@we#lDx`hjA*QU?(zXt3czg{Jr zKhU=a9f94EzB_V^et`b^4r94>?FQWg{`=myC^Ymg-Q2&1x;JS8-PwmmXsY85?7cLp zb?YuP3fQBMY@p<1@N!Hf#e@V=Joq9u0{fAN(ZKwOQh+@L*pp%sDJ3R}9>=9nPI?+W z0^fvT|5%b+K(ES6Dg4);Xw|f-WCs2>W4@n<`+|kEZm}s@tyoddKi4i@q3f5g(XA^t z$@%+}&{^No@x$NK502l_FHR@vKK67$K3;VH?q!O+dxoZWZcl0*AvZOlKQ(*N2<%}R zfR`4x_=>WfcT04S4iBTa&|s{`hm;Tv+)=Thc|33L&?E4FSz!rP zz9^;G>t|@qjF}SeubXQ^Yaol(nJ%XJGiG3Kw5}fib$1W)yn2&-u6xmC*Gu4;W7s>K z0RCfi^}HJe-SMShKVOOryG^HU%?O()G8!;YqWe(n!G`wgNr+>kkWFhT1#2`i+yi_b zO39#mLPQ+s9!JTHJ32v1sld#M$H4eA)1UE6V~~$STD$VR z?36?*;Qd=p0n#&iQSyx3PdUUbo%?_bi?gD#l{Ac z?}=SBNmrMaOac9Ydz_XgeXZG>Mr&wEc1^@d3#zLtr>de7dQ)0KZ_27DH}whjG%1wy zD1jbBM=|!tko5}LlZL-JFFPfZe*gFZ_;V=#Ne(@S4HI(Hot6Q&>8#o0uwn_7=cdyO z(7dFefL<0AQT2<@`0x3E?!EyO9B?20hx-(MKZvfoU80|%&#ql|q4*HMiDSmo zlIe`UH+V;r^!sQ^`*^nPPcVs(V(yU^`cRb z|JcJ)rSCC%TUSf37=K9xy(_PxcQ0${-K*DBQTRfVi_9za_`y3&e@-cw9|?bY7GYC)=>8Ku{LzMH0l%T%WLk=d-SK@jX>@;eBrQ^JrAh{k1=UsOQEg=nu$NL@StY$K zuckWSe*^q)tLx}B<{~2@Ra(D12FA_wXWhlJ>3!X6?AbEmgLp!DxlifhF$YQZn1Ww} zpa)6|iwNi3RL1sAA?ROHR?q*Ta=I(9Bjy16ox8B%f1!(~exQg5Pm1*TkyefvN+WfK zLvLw81`VXqJ^M5{Vx1q66fdio>E40NR**G(fBo%nX9v4s7sr9ReeHNAe8Mb)6o z>tbLp19rw=3EBfc)1UEwz<6pgwuFe7dfv%^?#fJfOc~H$N$_Lh%!ZO9@6*QlGie#@ z#l@2i=^pm%MUZQStQ(-;n2*ZPm%{#H?94N~|7P09MLnVikVTh%K1c3nT%i;Eu+IYi z%!lC5`;_WpLkEoqQna%bu$NM8X(82O&Aq|8t$p#5UQ27YR>EH=pM!V6{~mw8!y%8S5D9K!KmJ zM~7gq2>fxdDH5J4fCnF(FI z$8sIbHJVKGf&YQeRVv6Ypn`1ZH@S{3hAdLxe*`@vVaI+Y0Xm=ewGsEi$^G1~u#+!Q zAoic>NuX773ijqnSVPaKte_C<=owWO7f~hTO-)H9)k5aKf!ujhUPE;ikUcNofac(v z%C|@|9^yHuE_o^OP)029$2|sJ9z%9!lDEe#3W5H~NK2=i=YJsM2@}Y~Xd-L^U+Cs% z&<)UU7(*fEp(y`(J^tA6XxMFRd&W`{^gY`Xv7ynhLEQ=GjO2&C(Gy_LhK-sFA0^93 zPSqtZs0O->YcQN8?q?}`i=E-KE}X%3sWiRkz-*qM+U&w_mk|&tQ5%BjBIHh z@-T*HPxI>WCnrLugFn(z(NL0u}_c_`=}HN=i>C~<9qnDpP*gP^hqYLGi@`lSBD*SOl+CH}L&oQXT*a)w;bxzfc87wPh^m+2bzogVI& zVb{BmxAzUY?c+mt{jkRi2qeS>!VV6FUW=fI4L1 z<9OI;Nst}j0oKpi7zfXRf`1SK)9BL0i>F-Ao}-KBFVN*nkUN*LcCTF{PtO~KxHj_j z!5$lWAkaU69z4K)BP0YiSvVmsfudpG#>PT+B_v4rIYj)Kj=37F&M{)wbV;A_b4H0(VxQqp8&;CaAWP~gX1 zy1Z_98D4NbUwR39Pj}$wIk@3*ojh;CHui#j2D=~tXJq&9V~-siOo$7iNYIJrASNb; z;^X6CyJJtEk|NDP26U3dC)wH395DXp&!5-NK|#(Fsa{NY1ZW(O{Y@6t)<722)FMVJ zL()S@Y`ew4=49VuBKRA8^du!+ng@WE{GW38((V53+g;r+T@G~z4_$S?O4qRu^}KO| zyl;7t?`>c5XCAtD??25$JO_W~A>PlI7Ci?qXVA;CQmU>7_S#zLM(jJV7cYS=krbBz zK4O_J^RuKw4)R)fiaGd?@XN=dwP=k&(H4;DldeNkT>X*`mW z^cVj4-+BFa#)vik+=YBkqjv&oO>VZ_RFKoAML!6PN6le6~cPDT@5JS1J1M~9IXgFfjhPUlN z(-GS;xjV=zo(HD@iqwk5smO2nG|EQW1B76Bi7>(&RT=9muCIBLw^Ld1`TFuYM}qFmTf2tvP5Vpq$?;cv zkR~H_*loW9@iDgKfEW{w(ct(Pd=Dh;<#R&adAZYY#8*t|i5R!8-AKP1$HV{w#>%lU zocO$M6yiv@e=a{+vkO&MRZDxv^9S~l^@0Utzut_j)|%1wO`AT>oiir|<#r?Wbv$%X zinGA)oX|n^dkE?1funTk+!<*ADltGe_u<-zwSlK&AyW2ltzOOq?iuG&kXL;m6|keE}hHI zY~6q^E*UG?Xl!RD!bZe*ayY|vL2SSRa#**Hwyj@J+s)UL{iaRz{a?J`N=I=%%`qCs zIJN;8I8N*i&c5#X`eLtIOc{rklUm~@;Bhq?quzzaAwEF6i!2^sWc%jy(DOL@g-y*i zI&8Ys2=;qDqIlT9Ia!HhiT-U@t)}f8){(9G2E@Hs)%Sn(>Qy=ie=v`o&&ZDnLR3D#CYqGz9TB`n`LRM(57bnD@-+Rc~7-M~5Q@Axw(>NXK3}7XHHw z(Bajq5<0SGDQ);>Iqg8-J1s5AX5HsFl^d|bZs45zM87Iyp2jEPpkHiCyPHvX`Cw#8JXQ_OKEgQS+ z+>XaymS0TIa}l!#ze+}G49!QZ!(7B`lxM|DwpdO1=X25k@EG%2@Vy6g6?*8x>7OYa z{jAj1KD z5l^8h(IV)~R>`mT=0!DCJS#?=7S0C1bJE!je9TM}_GLfIeJ1tq?sSxvBfcg%;*P`% zii4J_^k zFRm1bb3*oU<>qFP)8c-F&65;sT~!_`+3s)Qv7V#QyQ;- zoUdnQJf=0qGiesiY?5L_B_G*yoYj;R6!EwuKUYjN{G2!^V1H6nP&oa1&W-N-_)!LY z8GJs%zNh@4pQtu3RN}ig;H|eW(ErP7+1U{=yhs1F@Lls6w(R`nG2OxWe{xbHo!Dnb zGiT1El!S+puk?8i{H6Jy&spN(SCry#fH^KahOW56H|}u@zWr4A#-C6XpPRsE!G4z- z@SJpx1)uo4O7`c!md;YxpI=k@QtCfl?z_K@xRn^h;0617kO|I+v$Nr6hri|-;uya4 z)2Ak5zTkt(Oist#Jtluo_>ykj#hFMJ&J}TXiL;xxW$?k5^SKB2_lAC}!PyP^{H^+f zELFXi&JP|#2J$%t``+1a9SAv=nh-~ig09K@)bQ_eJaWMoe)gdIL6YAm8~#l8mnr-= z{5Sh<{@KL72KG^~zlddr*L6?2e(5U3AYMETzTb5Cc(T&iuMR(X)@MKeg|ioCopL() z%H;;y6uhl6UZm_3$j0l{ZZ@-VP7EYTK2^{lxI0H@|f0k{|nrJ>Xka^v!-@Mc)d4F#F@# zhotbu^I1f_55BmNGSlFb#yQQ)7sV3a6crXpe(MBa;J6C~1_l4)E?s-}>}lY2(`)5b z_D^5GPTufMvtN|`y6jhHpR|Iud>)|irPq&N?n7r8qwpKDzmR=XyoS;czn6r)eG2yY z_?EwZ{VDoa-18pisocDNJ&S#t>=$IeEc?Y3=Mp@}U(%n?BJ$wJSNNV3{WIUN-<2`2 zkBt3H97B?T^_GmY6ZH3Y{bXpbnXk96%b(|;X~6T(XA0~GV;ZoWVjm>y8a@Y6_#T;m zxqluzuU*E#=RCYG#&1h-|9|P{!k8PuZ^ri0|I-({3^2fPNIj6)F8hOhi06OFwHK{~ zAhBQL9nx=dUj-Y+i1m>?6#u|a!MNC0&}h*f7@+q^*o!gt0MsCO2L?N!Z9 zn>OXFUAY?Hf!IoG((A?rYKF3Uu)#;bE^VtMdE01wuTGSnmLU0lAsc?fw+(KnKhDn1 zE@#We&9uvQ2V&?CNpk*>(Libsy9)2Adut^sN(+U>YqJ(Hs}1$XQjGl4@vf))c@kiL#45DEYpXY zcl4s51o6a(LxF5zy@GK|_3>LNIUa}!zH{r2B#*bRok3to&>>wK`y1>DKGwdM;%L|& zVj0DLl-;{`OZC0Hys~| -; based on the OpenAFS installer written by Rob Murawski -; -;Based on: -;NSIS Modern User Interface version 1.63 -;MultiLanguage Example Script -;Written by Joost Verburg -; -; This version compiles with NSIS v2.0b4 - -!include site-local.nsi -!include "MUI.nsh" -!include Sections.nsh -!include "kfw-fixed.nsi" diff --git a/src/windows/installer/nsis/killer.cpp b/src/windows/installer/nsis/killer.cpp deleted file mode 100644 index 7ba27fc..0000000 --- a/src/windows/installer/nsis/killer.cpp +++ /dev/null @@ -1,380 +0,0 @@ -/* - Process Killer for NSIS script - - Rob Murawski - - Released under terms of IBM Open Source agreement for OpenAFS - - */ - - -#include -#include -#include -#include - -char strProcessName[256]; - -typedef BOOL (CALLBACK *PROCENUMPROC)(DWORD, WORD, LPSTR, LPARAM); - -typedef struct { - DWORD dwPID; - PROCENUMPROC lpProc; - DWORD lParam; - BOOL bEnd; -} EnumInfoStruct; - -BOOL WINAPI EnumProcs(PROCENUMPROC lpProc, LPARAM lParam); - -BOOL WINAPI Enum16(DWORD dwThreadId, WORD hMod16, WORD hTask16, - PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined); - -// -// The EnumProcs function takes a pointer to a callback function -// that will be called once per process with the process filename -// and process ID. -// -// lpProc -- Address of callback routine. -// -// lParam -- A user-defined LPARAM value to be passed to -// the callback routine. -// -// Callback function definition: -// BOOL CALLBACK Proc(DWORD dw, WORD w, LPCSTR lpstr, LPARAM lParam); -// -BOOL WINAPI EnumProcs(PROCENUMPROC lpProc, LPARAM lParam) { - - OSVERSIONINFO osver; - HINSTANCE hInstLib = NULL; - HINSTANCE hInstLib2 = NULL; - HANDLE hSnapShot = NULL; - LPDWORD lpdwPIDs = NULL; - PROCESSENTRY32 procentry; - BOOL bFlag; - DWORD dwSize; - DWORD dwSize2; - DWORD dwIndex; - HMODULE hMod; - HANDLE hProcess; - char szFileName[MAX_PATH]; - EnumInfoStruct sInfo; - - // ToolHelp Function Pointers. - HANDLE (WINAPI *lpfCreateToolhelp32Snapshot)(DWORD, DWORD); - BOOL (WINAPI *lpfProcess32First)(HANDLE, LPPROCESSENTRY32); - BOOL (WINAPI *lpfProcess32Next)(HANDLE, LPPROCESSENTRY32); - - // PSAPI Function Pointers. - BOOL (WINAPI *lpfEnumProcesses)(DWORD *, DWORD, DWORD *); - BOOL (WINAPI *lpfEnumProcessModules)(HANDLE, HMODULE *, DWORD, - LPDWORD); - DWORD (WINAPI *lpfGetModuleBaseName)(HANDLE, HMODULE, LPTSTR, DWORD); - - // VDMDBG Function Pointers. - INT (WINAPI *lpfVDMEnumTaskWOWEx)(DWORD, TASKENUMPROCEX, LPARAM); - - // Retrieve the OS version - osver.dwOSVersionInfoSize = sizeof(osver); - if (!GetVersionEx(&osver)) - return FALSE; - - // If Windows NT 4.0 - if (osver.dwPlatformId == VER_PLATFORM_WIN32_NT - && osver.dwMajorVersion == 4) { - - __try { - - // Get the procedure addresses explicitly. We do - // this so we don't have to worry about modules - // failing to load under OSes other than Windows NT 4.0 - // because references to PSAPI.DLL can't be resolved. - hInstLib = LoadLibraryA("PSAPI.DLL"); - if (hInstLib == NULL) - __leave; - - hInstLib2 = LoadLibraryA("VDMDBG.DLL"); - if (hInstLib2 == NULL) - __leave; - - // Get procedure addresses. - lpfEnumProcesses = (BOOL (WINAPI *)(DWORD *, DWORD, DWORD*)) - GetProcAddress(hInstLib, "EnumProcesses"); - - lpfEnumProcessModules = (BOOL (WINAPI *)(HANDLE, HMODULE *, - DWORD, LPDWORD)) GetProcAddress(hInstLib, - "EnumProcessModules"); - - lpfGetModuleBaseName = (DWORD (WINAPI *)(HANDLE, HMODULE, - LPTSTR, DWORD)) GetProcAddress(hInstLib, - "GetModuleBaseNameA"); - - lpfVDMEnumTaskWOWEx = (INT (WINAPI *)(DWORD, TASKENUMPROCEX, - LPARAM)) GetProcAddress(hInstLib2, "VDMEnumTaskWOWEx"); - - if (lpfEnumProcesses == NULL - || lpfEnumProcessModules == NULL - || lpfGetModuleBaseName == NULL - || lpfVDMEnumTaskWOWEx == NULL) - __leave; - - // - // Call the PSAPI function EnumProcesses to get all of the - // ProcID's currently in the system. - // - // NOTE: In the documentation, the third parameter of - // EnumProcesses is named cbNeeded, which implies that you - // can call the function once to find out how much space to - // allocate for a buffer and again to fill the buffer. - // This is not the case. The cbNeeded parameter returns - // the number of PIDs returned, so if your buffer size is - // zero cbNeeded returns zero. - // - // NOTE: The "HeapAlloc" loop here ensures that we - // actually allocate a buffer large enough for all the - // PIDs in the system. - // - dwSize2 = 256 * sizeof(DWORD); - do { - - if (lpdwPIDs) { - HeapFree(GetProcessHeap(), 0, lpdwPIDs); - dwSize2 *= 2; - } - - lpdwPIDs = (LPDWORD) HeapAlloc(GetProcessHeap(), 0, - dwSize2); - if (lpdwPIDs == NULL) - __leave; - - if (!lpfEnumProcesses(lpdwPIDs, dwSize2, &dwSize)) - __leave; - - } while (dwSize == dwSize2); - - // How many ProcID's did we get? - dwSize /= sizeof(DWORD); - - // Loop through each ProcID. - for (dwIndex = 0; dwIndex < dwSize; dwIndex++) { - - szFileName[0] = 0; - - // Open the process (if we can... security does not - // permit every process in the system to be opened). - hProcess = OpenProcess( - PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, - FALSE, lpdwPIDs[dwIndex]); - if (hProcess != NULL) { - - // Here we call EnumProcessModules to get only the - // first module in the process. This will be the - // EXE module for which we will retrieve the name. - if (lpfEnumProcessModules(hProcess, &hMod, - sizeof(hMod), &dwSize2)) { - - // Get the module name - if (!lpfGetModuleBaseName(hProcess, hMod, - szFileName, sizeof(szFileName))) - szFileName[0] = 0; - } - CloseHandle(hProcess); - } - // Regardless of OpenProcess success or failure, we - // still call the enum func with the ProcID. - if (!lpProc(lpdwPIDs[dwIndex], 0, szFileName, lParam)) - break; - - // Did we just bump into an NTVDM? - if (_stricmp(szFileName, "NTVDM.EXE") == 0) { - - // Fill in some info for the 16-bit enum proc. - sInfo.dwPID = lpdwPIDs[dwIndex]; - sInfo.lpProc = lpProc; - sInfo.lParam = (DWORD) lParam; - sInfo.bEnd = FALSE; - - // Enum the 16-bit stuff. - lpfVDMEnumTaskWOWEx(lpdwPIDs[dwIndex], - (TASKENUMPROCEX) Enum16, (LPARAM) &sInfo); - - // Did our main enum func say quit? - if (sInfo.bEnd) - break; - } - } - - } __finally { - - if (hInstLib) - FreeLibrary(hInstLib); - - if (hInstLib2) - FreeLibrary(hInstLib2); - - if (lpdwPIDs) - HeapFree(GetProcessHeap(), 0, lpdwPIDs); - } - - // If any OS other than Windows NT 4.0. - } else if (osver.dwPlatformId == VER_PLATFORM_WIN32_WINDOWS - || (osver.dwPlatformId == VER_PLATFORM_WIN32_NT - && osver.dwMajorVersion > 4)) { - - __try { - - hInstLib = LoadLibraryA("Kernel32.DLL"); - if (hInstLib == NULL) - __leave; - - // If NT-based OS, load VDMDBG.DLL. - if (osver.dwPlatformId == VER_PLATFORM_WIN32_NT) { - hInstLib2 = LoadLibraryA("VDMDBG.DLL"); - if (hInstLib2 == NULL) - __leave; - } - - // Get procedure addresses. We are linking to - // these functions explicitly, because a module using - // this code would fail to load under Windows NT, - // which does not have the Toolhelp32 - // functions in KERNEL32.DLL. - lpfCreateToolhelp32Snapshot = - (HANDLE (WINAPI *)(DWORD,DWORD)) - GetProcAddress(hInstLib, "CreateToolhelp32Snapshot"); - - lpfProcess32First = - (BOOL (WINAPI *)(HANDLE,LPPROCESSENTRY32)) - GetProcAddress(hInstLib, "Process32First"); - - lpfProcess32Next = - (BOOL (WINAPI *)(HANDLE,LPPROCESSENTRY32)) - GetProcAddress(hInstLib, "Process32Next"); - - if (lpfProcess32Next == NULL - || lpfProcess32First == NULL - || lpfCreateToolhelp32Snapshot == NULL) - __leave; - - if (osver.dwPlatformId == VER_PLATFORM_WIN32_NT) { - lpfVDMEnumTaskWOWEx = (INT (WINAPI *)(DWORD, TASKENUMPROCEX, - LPARAM)) GetProcAddress(hInstLib2, "VDMEnumTaskWOWEx"); - if (lpfVDMEnumTaskWOWEx == NULL) - __leave; - } - - // Get a handle to a Toolhelp snapshot of all processes. - hSnapShot = lpfCreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0); - if (hSnapShot == INVALID_HANDLE_VALUE) { - FreeLibrary(hInstLib); - return FALSE; - } - - // Get the first process' information. - procentry.dwSize = sizeof(PROCESSENTRY32); - bFlag = lpfProcess32First(hSnapShot, &procentry); - - // While there are processes, keep looping. - while (bFlag) { - - // Call the enum func with the filename and ProcID. - if (lpProc(procentry.th32ProcessID, 0, - procentry.szExeFile, lParam)) { - - // Did we just bump into an NTVDM? - if (_stricmp(procentry.szExeFile, "NTVDM.EXE") == 0) { - - // Fill in some info for the 16-bit enum proc. - sInfo.dwPID = procentry.th32ProcessID; - sInfo.lpProc = lpProc; - sInfo.lParam = (DWORD) lParam; - sInfo.bEnd = FALSE; - - // Enum the 16-bit stuff. - lpfVDMEnumTaskWOWEx(procentry.th32ProcessID, - (TASKENUMPROCEX) Enum16, (LPARAM) &sInfo); - - // Did our main enum func say quit? - if (sInfo.bEnd) - break; - } - - procentry.dwSize = sizeof(PROCESSENTRY32); - bFlag = lpfProcess32Next(hSnapShot, &procentry); - - } else - bFlag = FALSE; - } - - } __finally { - - if (hInstLib) - FreeLibrary(hInstLib); - - if (hInstLib2) - FreeLibrary(hInstLib2); - } - - } else - return FALSE; - - // Free the library. - FreeLibrary(hInstLib); - - return TRUE; -} - - -BOOL WINAPI Enum16(DWORD dwThreadId, WORD hMod16, WORD hTask16, - PSZ pszModName, PSZ pszFileName, LPARAM lpUserDefined) { - - BOOL bRet; - - EnumInfoStruct *psInfo = (EnumInfoStruct *)lpUserDefined; - - bRet = psInfo->lpProc(psInfo->dwPID, hTask16, pszFileName, - psInfo->lParam); - - if (!bRet) - psInfo->bEnd = TRUE; - - return !bRet; -} - - -BOOL CALLBACK MyProcessEnumerator(DWORD dwPID, WORD wTask, - LPCSTR szProcess, LPARAM lParam) { - - /*if (wTask == 0) - printf("%5u %s\n", dwPID, szProcess); - else - printf(" %5u %s\n", wTask, szProcess);*/ - - if(stricmp(szProcess,strProcessName)==0) - { - HANDLE hProcess=OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPID); - if(hProcess!=NULL) - TerminateProcess(hProcess,0); - CloseHandle(hProcess); - } - - return TRUE; -} - - -void main(int argc, char *argv[]) -{ - if(argc<2) - { - printf("Please specify the process name to kill\n"); - - return; - } - - if(strlen((argv[1]))<255) - strcpy(strProcessName,(argv[1])); - else - return; - - EnumProcs((PROCENUMPROC) MyProcessEnumerator, 0); - -} diff --git a/src/windows/installer/nsis/licenses.rtf b/src/windows/installer/nsis/licenses.rtf deleted file mode 100644 index 91dd907..0000000 --- a/src/windows/installer/nsis/licenses.rtf +++ /dev/null @@ -1,98 +0,0 @@ -{\rtf1\ansi\ansicpg1252\deff0\deflang1033\deflangfe1033{\fonttbl{\f0\fmodern\fprq1\fcharset0 Courier New;}{\f1\froman\fprq2\fcharset0 Times New Roman;}} -{\*\generator Msftedit 5.41.15.1503;}\viewkind4\uc1\pard\tx916\tx1832\tx2748\tx3664\tx4580\tx5496\tx6412\tx7328\tx8244\tx9160\tx10076\tx10992\tx11908\tx12824\tx13740\tx14656\f0\fs20 Copyright Notice and Legal Administrivia\par -----------------------------------------\par -\par -Copyright (C) 1985-2006 by the Massachusetts Institute of Technology.\par -\par -All rights reserved.\par -\par -Export of this software from the United States of America may require a specific license from the United States Government. It is the responsibility of any person or organization contemplating export to obtain such a license before exporting.\par -\par -WITHIN THAT CONSTRAINT, permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and\par -this permission notice appear in supporting documentation, and that the name of M.I.T. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Furthermore if you modify this software you must label your software as modified software and not distribute it in such a fashion that it might be confused with the original MIT software. M.I.T. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.\par -\par -THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.\par -\par -Individual source code files are copyright MIT, Cygnus Support, OpenVision, Oracle, Sun Soft, FundsXpress, and others.\par -\par -Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, Moira, and Zephyr are trademarks of the Massachusetts Institute of Technology (MIT). No commercial use of these trademarks may be made without prior written permission of MIT.\par -\par -"Commercial use" means use of a name in a product or other for-profit manner. It does NOT prevent a commercial firm from referring to the MIT trademarks in order to convey information (although in doing so, recognition of their trademark status should be given).\par -\par -----\par -\par -The following copyright and permission notice applies to the OpenVision Kerberos Administration system located in kadmin/create, kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions of lib/rpc:\par -\par -Copyright, OpenVision Technologies, Inc., 1996, All Rights Reserved\par -\par -WARNING: Retrieving the OpenVision Kerberos Administration system source code, as described below, indicates your acceptance of the following terms. If you do not agree to the following terms, do not retrieve the OpenVision Kerberos administration system.\par -\par -You may freely use and distribute the Source Code and Object Code compiled from it, with or without modification, but this Source Code is provided to you "AS IS" EXCLUSIVE OF ANY WARRANTY, INCLUDING, WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, OR ANY OTHER WARRANTY, WHETHER EXPRESS OR IMPLIED. IN NO EVENT WILL OPENVISION HAVE ANY LIABILITY FOR ANY LOST PROFITS, LOSS OF DATA OR COSTS OF PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, OR FOR ANY SPECIAL, INDIRECT, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THIS AGREEMENT, INCLUDING, WITHOUT LIMITATION, THOSE RESULTING FROM THE USE OF THE SOURCE CODE, OR THE FAILURE OF THE SOURCE CODE TO PERFORM, OR FOR ANY OTHER REASON.\par -\par -OpenVision retains all copyrights in the donated Source Code. OpenVision also retains copyright to derivative works of the Source Code, whether created by OpenVision or by a third party. The OpenVision copyright notice must be preserved if derivative works are made based on the donated Source Code.\par -\par -OpenVision Technologies, Inc. has donated this Kerberos Administration system to MIT for inclusion in the standard Kerberos 5 distribution. This donation underscores our commitment to continuing Kerberos technology development and our gratitude for the valuable work which has been performed by MIT and the Kerberos community.\par -\par -----\par -\par -Portions contributed by Matt Crawford were work performed at Fermi National Accelerator Laboratory, which is operated by Universities Research Association, Inc., under contract DE-AC02-76CHO3000 with the U.S. Department of Energy.\par -\par ----- The implementation of the Yarrow pseudo-random number generator in src/lib/crypto/yarrow has the following copyright:\par -\par -Copyright 2000 by Zero-Knowledge Systems, Inc.\par -\par -Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Zero-Knowledge Systems, Inc. not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission. Zero-Knowledge Systems, Inc. makes no representations about the suitability of this software for any purpose. It is provided "as is" without express or implied warranty.\par -\par -ZERO-KNOWLEDGE SYSTEMS, INC. DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ZERO-KNOWLEDGE SYSTEMS, INC. BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN\par -ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTUOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.\par -\par ----- The implementation of the AES encryption algorithm in src/lib/crypto/aes has the following copyright:\par -\par -Copyright (c) 2001, Dr Brian Gladman , Worcester, UK.\par -All rights reserved.\par -\par -LICENSE TERMS\par -\par -The free distribution and use of this software in both source and binary form is allowed (with or without changes) provided that:\par -\par -1. distributions of this source code include the above copyright notice, this list of conditions and the following disclaimer;\par -\par -2. distributions in binary form include the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other associated materials;\par -\par -3. the copyright holder's name is not used to endorse products built using this software without specific written permission. \par -\par -DISCLAIMER\par -\par -This software is provided 'as is' with no explcit or implied warranties in respect of any properties, including, but not limited to, correctness and fitness for purpose.\par -\par -\par -\par -Acknowledgements\par -----------------\par -\par -Appreciation Time!!!! There are far too many people to try to thank them all; many people have contributed to the development of Kerberos V5. This is only a partial listing....\par -\par -Thanks to Paul Vixie and the Internet Software Consortium for funding the work of Barry Jaspan. This funding was invaluable for the OV administration server integration, as well as the 1.0 release preparation process.\par -\par -Thanks to John Linn, Scott Foote, and all of the folks at OpenVision Technologies, Inc., who donated their administration server for use in the MIT release of Kerberos.\par -\par -Thanks to Jeff Bigler, Mark Eichin, Marc Horowitz, Nancy Gilman, Ken Raeburn, and all of the folks at Cygnus Support, who provided innumerable bug fixes and portability enhancements to the Kerberos V5 tree. Thanks especially to Jeff Bigler, for the new user and system administrator's documentation.\par -\par -Thanks to Doug Engert from ANL for providing many bug fixes, as well as testing to ensure DCE interoperability.\par -\par -Thanks to Ken Hornstein at NRL for providing many bug fixes and suggestions, and for working on SAM preauthentication.\par -\par -Thanks to Matt Crawford at FNAL for bugfixes and enhancements.\par -\par -Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for their many suggestions and bug fixes.\par -\par -Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and providing patches for numerous buffer overruns.\par -\par -Thanks to Christopher Thompson and Marcus Watts for discovering the ftpd security bug.\par -\par -Thanks to Paul Nelson of Thursby Software Systems for implementing the Microsoft set password protocol.\par -\par -Thanks to the members of the Kerberos V5 development team at MIT, both past and present: Danilo Almeida, Jeffrey Altman, Jay Berkenbilt, Richard Basch, Mitch Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.\par -\pard\f1\fs24\par -} - \ No newline at end of file diff --git a/src/windows/installer/nsis/nsi-includes-tagged.nsi b/src/windows/installer/nsis/nsi-includes-tagged.nsi deleted file mode 100644 index 01bd299..0000000 --- a/src/windows/installer/nsis/nsi-includes-tagged.nsi +++ /dev/null @@ -1,8 +0,0 @@ -!define KFW_TARGETDIR %BUILDDIR%\target -!define KFW_EXTRADIR "%BUILDDIR%\target" -!define KFW_VERSION %VERSION_MAJOR%.%VERSION_MINOR% -!define KFW_MAJORVERSION %VERSION_MAJOR% -!define KFW_MINORVERSION %VERSION_MINOR% -!define KFW_PATCHLEVEL %VERSION_PATCH% -!define CL_1310 - diff --git a/src/windows/installer/nsis/site-local-tagged.nsi b/src/windows/installer/nsis/site-local-tagged.nsi deleted file mode 100644 index 614a27a..0000000 --- a/src/windows/installer/nsis/site-local-tagged.nsi +++ /dev/null @@ -1,13 +0,0 @@ -!define KFW_TARGETDIR %TARGETDIR% -!define KFW_CONFIG_DIR %CONFIGDIR-NSI% -!define KFW_MAJORVERSION %VERSION_MAJOR% -!define KFW_MINORVERSION %VERSION_MINOR% -!define KFW_PATCHLEVEL %VERSION_PATCH% -!define CL_1310 - -!define RELEASE -!define NOT_DEBUG -!define BETA 1 -!define SAMPLE_CONFIG_REALM "ATHENA.MIT.EDU" -!define HTTP_CONFIG_URL "[Obtain a URL from your Kerberos administrator]" - diff --git a/src/windows/installer/nsis/utils.nsi b/src/windows/installer/nsis/utils.nsi deleted file mode 100644 index e9f98c0..0000000 --- a/src/windows/installer/nsis/utils.nsi +++ /dev/null @@ -1,825 +0,0 @@ -;----------------------------------------------- -; Common Utility functions not specific to KFW - -;------------------- -; Get the currently installed version and place it on the stack -; Modifies: Nothing -Function GetInstalledVersion - Push $R0 - Push $R1 - Push $R4 - ReadRegStr $R0 HKLM "${KFW_REGKEY_ROOT}\$R2\CurrentVersion" "VersionString" - StrCmp $R0 "" done - -done: - Pop $R4 - Pop $R1 - Exch $R0 -FunctionEnd - -; Functions to get each component of the version number -Function GetInstalledVersionMajor - Push $R0 - Push $R1 - Push $R4 - ReadRegDWORD $R0 HKLM "${KFW_REGKEY_ROOT}\$R2\CurrentVersion" "MajorVersion" - StrCmp $R0 "" done - -done: - Pop $R4 - Pop $R1 - Exch $R0 -FunctionEnd - -Function GetInstalledVersionMinor - Push $R0 - Push $R1 - Push $R4 - ReadRegDWORD $R0 HKLM "${KFW_REGKEY_ROOT}\$R2\CurrentVersion" "MinorVersion" - StrCmp $R0 "" done - -done: - Pop $R4 - Pop $R1 - Exch $R0 -FunctionEnd - -Function GetInstalledVersionPatch - Push $R0 - Push $R1 - Push $R4 - ReadRegDWORD $R0 HKLM "${KFW_REGKEY_ROOT}\$R2\CurrentVersion" "PatchLevel" - StrCmp $R0 "" done - -done: - Pop $R4 - Pop $R1 - Exch $R0 -FunctionEnd - - -;-------------------------------- -; Macros - -;-------------------------------- -; Macros -; Macro - Upgrade DLL File -; Written by Joost Verburg -; ------------------------ -; -; Parameters: -; LOCALFILE - Location of the new DLL file (on the compiler system) -; DESTFILE - Location of the DLL file that should be upgraded -; (on the user's system) -; TEMPBASEDIR - Directory on the user's system to store a temporary file -; when the system has to be rebooted. -; For Win9x support, this should be on the same volume as the -; DESTFILE! -; The Windows temp directory could be located on any volume, -; so you cannot use this directory. -; -; Define REPLACEDLL_NOREGISTER if you want to upgrade a DLL that does not -; have to be registered. -; -; Note: If you want to support Win9x, you can only use -; short filenames (8.3). -; -; Example of usage: -; !insertmacro ReplaceDLL "dllname.dll" "$SYSDIR\dllname.dll" "$SYSDIR" -; - -!macro ReplaceDLL LOCALFILE DESTFILE TEMPBASEDIR - - Push $R0 - Push $R1 - Push $R2 - Push $R3 - Push $R4 - Push $R5 - - ;------------------------ - ;Unique number for labels - - !define REPLACEDLL_UNIQUE ${__LINE__} - - ;------------------------ - ;Copy the parameters used on run-time to a variable - ;This allows the usage of variables as paramter - - StrCpy $R4 "${DESTFILE}" - StrCpy $R5 "${TEMPBASEDIR}" - - ;------------------------ - ;Check file and version - ; - IfFileExists $R4 0 replacedll.copy_${REPLACEDLL_UNIQUE} - - ;ClearErrors - ; GetDLLVersionLocal "${LOCALFILE}" $R0 $R1 - ; GetDLLVersion $R4 $R2 $R3 - ;IfErrors replacedll.upgrade_${REPLACEDLL_UNIQUE} - ; - ;IntCmpU $R0 $R2 0 replacedll.done_${REPLACEDLL_UNIQUE} \ - ; replacedll.upgrade_${REPLACEDLL_UNIQUE} - ;IntCmpU $R1 $R3 replacedll.done_${REPLACEDLL_UNIQUE} \ - ; replacedll.done_${REPLACEDLL_UNIQUE} \ - ; replacedll.upgrade_${REPLACEDLL_UNIQUE} - - ;------------------------ - ;Let's replace the DLL! - - SetOverwrite try - - ;replacedll.upgrade_${REPLACEDLL_UNIQUE}: - !ifndef REPLACEDLL_NOREGISTER - ;Unregister the DLL - UnRegDLL $R4 - !endif - - ;------------------------ - ;Try to copy the DLL directly - - ClearErrors - StrCpy $R0 $R4 - Call :replacedll.file_${REPLACEDLL_UNIQUE} - IfErrors 0 replacedll.noreboot_${REPLACEDLL_UNIQUE} - - ;------------------------ - ;DLL is in use. Copy it to a temp file and Rename it on reboot. - - GetTempFileName $R0 $R5 - Call :replacedll.file_${REPLACEDLL_UNIQUE} - Rename /REBOOTOK $R0 $R4 - - ;------------------------ - ;Register the DLL on reboot - - !ifndef REPLACEDLL_NOREGISTER - WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" \ - "Register $R4" 'rundll32.exe "$R4",DllRegisterServer' - !endif - - Goto replacedll.done_${REPLACEDLL_UNIQUE} - - ;------------------------ - ;DLL does not exist - just extract - - replacedll.copy_${REPLACEDLL_UNIQUE}: - StrCpy $R0 $R4 - Call :replacedll.file_${REPLACEDLL_UNIQUE} - - ;------------------------ - ;Register the DLL - - replacedll.noreboot_${REPLACEDLL_UNIQUE}: - !ifndef REPLACEDLL_NOREGISTER - RegDLL $R4 - !endif - - ;------------------------ - ;Done - - replacedll.done_${REPLACEDLL_UNIQUE}: - - Pop $R5 - Pop $R4 - Pop $R3 - Pop $R2 - Pop $R1 - Pop $R0 - - ;------------------------ - ;End - - Goto replacedll.end_${REPLACEDLL_UNIQUE} - - ;------------------------ - ;Called to extract the DLL - - replacedll.file_${REPLACEDLL_UNIQUE}: - File /oname=$R0 "${LOCALFILE}" - Return - - replacedll.end_${REPLACEDLL_UNIQUE}: - - ;------------------------ - ;Restore settings - - SetOverwrite lastused - - !undef REPLACEDLL_UNIQUE - -!macroend - - -; GetParameters -; input, none -; output, top of stack (replaces, with e.g. whatever) -; modifies no other variables. - -Function GetParameters - Push $R0 - Push $R1 - Push $R2 - StrCpy $R0 $CMDLINE 1 - StrCpy $R1 '"' - StrCpy $R2 1 - StrCmp $R0 '"' loop - StrCpy $R1 ' ' ; we're scanning for a space instead of a quote - loop: - StrCpy $R0 $CMDLINE 1 $R2 - StrCmp $R0 $R1 loop2 - StrCmp $R0 "" loop2 - IntOp $R2 $R2 + 1 - Goto loop - loop2: - IntOp $R2 $R2 + 1 - StrCpy $R0 $CMDLINE 1 $R2 - StrCmp $R0 " " loop2 - StrCpy $R0 $CMDLINE "" $R2 - Pop $R2 - Pop $R1 - Exch $R0 -FunctionEnd - - -!verbose 3 -!include "WinMessages.NSH" -!verbose 4 - -Function GetSystemPath - Push $0 - - Call IsNT - Pop $0 - StrCmp $0 1 GetPath_NT - ReadEnvStr $0 PATH - goto HavePath -GetPath_NT: - ReadRegStr $0 HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "PATH" -HavePath: - - Exch $0 -FunctionEnd - -;==================================================== -; AddToSystemPath - Adds the given dir to the search path. -; Input - head of the stack -; Note - Win9x systems requires reboot -;==================================================== -Function AddToSystemPath - Exch $0 - Push $1 - Push $2 - Push $3 - - # don't add if the path doesn't exist - IfFileExists $0 "" AddToPath_done - - Call GetSystemPath - Pop $1 - Push "$1;" - Push "$0;" - Call StrStr - Pop $2 - StrCmp $2 "" 0 AddToPath_done - Push "$1;" - Push "$0\;" - Call StrStr - Pop $2 - StrCmp $2 "" 0 AddToPath_done - GetFullPathName /SHORT $3 $0 - Push "$1;" - Push "$3;" - Call StrStr - Pop $2 - StrCmp $2 "" 0 AddToPath_done - Push "$1;" - Push "$3\;" - Call StrStr - Pop $2 - StrCmp $2 "" 0 AddToPath_done - - Call IsNT - Pop $1 - StrCmp $1 1 AddToPath_NT - ; Not on NT - StrCpy $1 $WINDIR 2 - FileOpen $1 "$1\autoexec.bat" a - FileSeek $1 -1 END - FileReadByte $1 $2 - IntCmp $2 26 0 +2 +2 # DOS EOF - FileSeek $1 -1 END # write over EOF - FileWrite $1 "$\r$\nSET PATH=%PATH%;$3$\r$\n" - FileClose $1 - SetRebootFlag true - Goto AddToPath_done - - AddToPath_NT: - ReadRegStr $1 HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "PATH" - StrCpy $2 $1 1 -1 # copy last char - StrCmp $2 ";" 0 +2 # if last char == ; - StrCpy $1 $1 -1 # remove last char - StrCmp $1 "" AddToPath_NTdoIt - StrCpy $0 "$1;$0" - AddToPath_NTdoIt: - WriteRegExpandStr HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "PATH" $0 - SendMessage ${HWND_BROADCAST} ${WM_WININICHANGE} 0 "STR:Environment" /TIMEOUT=5000 - - AddToPath_done: - Pop $3 - Pop $2 - Pop $1 - Pop $0 -FunctionEnd - -;==================================================== -; RemoveFromPath - Remove a given dir from the path -; Input: head of the stack -;==================================================== -Function un.RemoveFromSystemPath - Exch $0 - Push $1 - Push $2 - Push $3 - Push $4 - Push $5 - Push $6 - - IntFmt $6 "%c" 26 # DOS EOF - - Call un.IsNT - Pop $1 - StrCmp $1 1 unRemoveFromPath_NT - ; Not on NT - StrCpy $1 $WINDIR 2 - FileOpen $1 "$1\autoexec.bat" r - GetTempFileName $4 - FileOpen $2 $4 w - GetFullPathName /SHORT $0 $0 - StrCpy $0 "SET PATH=%PATH%;$0" - Goto unRemoveFromPath_dosLoop - - unRemoveFromPath_dosLoop: - FileRead $1 $3 - StrCpy $5 $3 1 -1 # read last char - StrCmp $5 $6 0 +2 # if DOS EOF - StrCpy $3 $3 -1 # remove DOS EOF so we can compare - StrCmp $3 "$0$\r$\n" unRemoveFromPath_dosLoopRemoveLine - StrCmp $3 "$0$\n" unRemoveFromPath_dosLoopRemoveLine - StrCmp $3 "$0" unRemoveFromPath_dosLoopRemoveLine - StrCmp $3 "" unRemoveFromPath_dosLoopEnd - FileWrite $2 $3 - Goto unRemoveFromPath_dosLoop - unRemoveFromPath_dosLoopRemoveLine: - SetRebootFlag true - Goto unRemoveFromPath_dosLoop - - unRemoveFromPath_dosLoopEnd: - FileClose $2 - FileClose $1 - StrCpy $1 $WINDIR 2 - Delete "$1\autoexec.bat" - CopyFiles /SILENT $4 "$1\autoexec.bat" - Delete $4 - Goto unRemoveFromPath_done - - unRemoveFromPath_NT: - ReadRegStr $1 HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "PATH" - StrCpy $5 $1 1 -1 # copy last char - StrCmp $5 ";" +2 # if last char != ; - StrCpy $1 "$1;" # append ; - Push $1 - Push "$0;" - Call un.StrStr ; Find `$0;` in $1 - Pop $2 ; pos of our dir - StrCmp $2 "" unRemoveFromPath_done - ; else, it is in path - # $0 - path to add - # $1 - path var - StrLen $3 "$0;" - StrLen $4 $2 - StrCpy $5 $1 -$4 # $5 is now the part before the path to remove - StrCpy $6 $2 "" $3 # $6 is now the part after the path to remove - StrCpy $3 $5$6 - - StrCpy $5 $3 1 -1 # copy last char - StrCmp $5 ";" 0 +2 # if last char == ; - StrCpy $3 $3 -1 # remove last char - - WriteRegExpandStr HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\Environment" "PATH" $3 - SendMessage ${HWND_BROADCAST} ${WM_WININICHANGE} 0 "STR:Environment" /TIMEOUT=5000 - - unRemoveFromPath_done: - Pop $6 - Pop $5 - Pop $4 - Pop $3 - Pop $2 - Pop $1 - Pop $0 -FunctionEnd - -;==================================================== -; IsNT - Returns 1 if the current system is NT, 0 -; otherwise. -; Output: head of the stack -;==================================================== -!macro IsNT un -Function ${un}IsNT - Push $0 - ReadRegStr $0 HKLM "SOFTWARE\Microsoft\Windows NT\CurrentVersion" CurrentVersion - StrCmp $0 "" 0 IsNT_yes - ; we are not NT. - Pop $0 - Push 0 - Return - - IsNT_yes: - ; NT!!! - Pop $0 - Push 1 -FunctionEnd -!macroend -!insertmacro IsNT "" -!insertmacro IsNT "un." - -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -; Uninstall stuff -;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; -;==================================================== -; StrStr - Finds a given string in another given string. -; Returns -1 if not found and the pos if found. -; Input: head of the stack - string to find -; second in the stack - string to find in -; Output: head of the stack -;==================================================== -!macro StrStr un -Function ${un}StrStr -Exch $R1 ; st=haystack,old$R1, $R1=needle - Exch ; st=old$R1,haystack - Exch $R2 ; st=old$R1,old$R2, $R2=haystack - Push $R3 - Push $R4 - Push $R5 - StrLen $R3 $R1 - StrCpy $R4 0 - ; $R1=needle - ; $R2=haystack - ; $R3=len(needle) - ; $R4=cnt - ; $R5=tmp - loop: - StrCpy $R5 $R2 $R3 $R4 - StrCmp $R5 $R1 done - StrCmp $R5 "" done - IntOp $R4 $R4 + 1 - Goto loop -done: - StrCpy $R1 $R2 "" $R4 - Pop $R5 - Pop $R4 - Pop $R3 - Pop $R2 - Exch $R1 -FunctionEnd -!macroend -!insertmacro StrStr "" -!insertmacro StrStr "un." - - -!ifdef ADDSHAREDDLLUSED -; AddSharedDLL - ; - ; Increments a shared DLLs reference count. - ; Use by passing one item on the stack (the full path of the DLL). - ; - ; Usage: - ; Push $SYSDIR\myDll.dll - ; Call AddSharedDLL - ; - - Function AddSharedDLL - Exch $R1 - Push $R0 - ReadRegDword $R0 HKLM Software\Microsoft\Windows\CurrentVersion\SharedDLLs $R1 - IntOp $R0 $R0 + 1 - WriteRegDWORD HKLM Software\Microsoft\Windows\CurrentVersion\SharedDLLs $R1 $R0 - Pop $R0 - Pop $R1 - FunctionEnd - - -; un.RemoveSharedDLL - ; - ; Decrements a shared DLLs reference count, and removes if necessary. - ; Use by passing one item on the stack (the full path of the DLL). - ; Note: for use in the main installer (not the uninstaller), rename the - ; function to RemoveSharedDLL. - ; - ; Usage: - ; Push $SYSDIR\myDll.dll - ; Call un.RemoveSharedDLL - ; - - Function un.RemoveSharedDLL - Exch $R1 - Push $R0 - ReadRegDword $R0 HKLM Software\Microsoft\Windows\CurrentVersion\SharedDLLs $R1 - StrCmp $R0 "" remove - IntOp $R0 $R0 - 1 - IntCmp $R0 0 rk rk uk - rk: - DeleteRegValue HKLM Software\Microsoft\Windows\CurrentVersion\SharedDLLs $R1 - goto Remove - uk: - WriteRegDWORD HKLM Software\Microsoft\Windows\CurrentVersion\SharedDLLs $R1 $R0 - Goto noremove - remove: - Delete /REBOOTOK $R1 - noremove: - Pop $R0 - Pop $R1 - FunctionEnd -!endif - - -; GetWindowsVersion -; -; Based on Yazno's function, http://yazno.tripod.com/powerpimpit/ -; Updated by Joost Verburg -; -; Returns on top of stack -; -; Windows Version (95, 98, ME, NT x.x, 2000, XP, 2003) -; or -; '' (Unknown Windows Version) -; -; Usage: -; Call GetWindowsVersion -; Pop $R0 -; ; at this point $R0 is "NT 4.0" or whatnot - -Function GetWindowsVersion - - Push $R0 - Push $R1 - - ClearErrors - - ReadRegStr $R0 HKLM \ - "SOFTWARE\Microsoft\Windows NT\CurrentVersion" CurrentVersion - - IfErrors 0 lbl_winnt - - ; we are not NT - ReadRegStr $R0 HKLM \ - "SOFTWARE\Microsoft\Windows\CurrentVersion" VersionNumber - - StrCpy $R1 $R0 1 - StrCmp $R1 '4' 0 lbl_error - - StrCpy $R1 $R0 3 - - StrCmp $R1 '4.0' lbl_win32_95 - StrCmp $R1 '4.9' lbl_win32_ME lbl_win32_98 - - lbl_win32_95: - StrCpy $R0 '95' - Goto lbl_done - - lbl_win32_98: - StrCpy $R0 '98' - Goto lbl_done - - lbl_win32_ME: - StrCpy $R0 'ME' - Goto lbl_done - - lbl_winnt: - - StrCpy $R1 $R0 1 - - StrCmp $R1 '3' lbl_winnt_x - StrCmp $R1 '4' lbl_winnt_x - - StrCpy $R1 $R0 3 - - StrCmp $R1 '5.0' lbl_winnt_2000 - StrCmp $R1 '5.1' lbl_winnt_XP - StrCmp $R1 '5.2' lbl_winnt_2003 lbl_error - - lbl_winnt_x: - StrCpy $R0 "NT $R0" 6 - Goto lbl_done - - lbl_winnt_2000: - Strcpy $R0 '2000' - Goto lbl_done - - lbl_winnt_XP: - Strcpy $R0 'XP' - Goto lbl_done - - lbl_winnt_2003: - Strcpy $R0 '2003' - Goto lbl_done - - lbl_error: - Strcpy $R0 '' - lbl_done: - - Pop $R1 - Exch $R0 - -FunctionEnd - - -; Author: Lilla (lilla@earthlink.net) 2003-06-13 -; function IsUserAdmin uses plugin \NSIS\PlusgIns\UserInfo.dll -; This function is based upon code in \NSIS\Contrib\UserInfo\UserInfo.nsi -; This function was tested under NSIS 2 beta 4 (latest CVS as of this writing). -; -; Usage: -; Call IsUserAdmin -; Pop $R0 ; at this point $R0 is "true" or "false" -; -Function IsUserAdmin -Push $R0 -Push $R1 -Push $R2 - -ClearErrors -UserInfo::GetName -IfErrors Win9x -Pop $R1 -UserInfo::GetAccountType -Pop $R2 - -StrCmp $R2 "Admin" 0 Continue -; Observation: I get here when running Win98SE. (Lilla) -; The functions UserInfo.dll looks for are there on Win98 too, -; but just don't work. So UserInfo.dll, knowing that admin isn't required -; on Win98, returns admin anyway. (per kichik) -; MessageBox MB_OK 'User "$R1" is in the Administrators group' -StrCpy $R0 "true" -Goto Done - -Continue: -; You should still check for an empty string because the functions -; UserInfo.dll looks for may not be present on Windows 95. (per kichik) -StrCmp $R2 "" Win9x -StrCpy $R0 "false" -;MessageBox MB_OK 'User "$R1" is in the "$R2" group' -Goto Done - -Win9x: -; comment/message below is by UserInfo.nsi author: -; This one means you don't need to care about admin or -; not admin because Windows 9x doesn't either -;MessageBox MB_OK "Error! This DLL can't run under Windows 9x!" -StrCpy $R0 "false" - -Done: -;MessageBox MB_OK 'User= "$R1" AccountType= "$R2" IsUserAdmin= "$R0"' - -Pop $R2 -Pop $R1 -Exch $R0 -FunctionEnd - -Function RestartRequired -Push $R1 ;Original Variable -Push $R2 -Push $R3 ;Counter Variable - -StrCpy $R1 "0" 1 ;initialize variable with 0 -StrCpy $R3 "0" 0 ;Counter Variable - -;First Check Current User RunOnce Key -EnumRegValue $R2 HKCU "Software\Microsoft\Windows\CurrentVersion\RunOnce" $R3 -StrCmp $R2 "" 0 FoundRestart - -;Next Check Local Machine RunOnce Key -EnumRegValue $R2 HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" $R3 -StrCmp $R2 "" 0 FoundRestart - -EnumRegValue $R2 HKLM "SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations" $R3 -StrCmp $R2 "" 0 FoundRestart - -NextValue: -EnumRegValue $R2 HKLM "SYSTEM\CurrentControlSet\Control\Session Manager" $R3 -StrCmp $R2 "" ExitFunc 0 -StrCmp $R2 "PendingFileRenameOperations" FoundRestart 0 -IntOp $R3 $R3 + 1 -Goto NextValue - -FoundRestart: -StrCpy $R1 "1" 1 - -ExitFunc: -Pop $R3 -Pop $R2 -Exch $R1 -FunctionEnd - -; GetParent - ; input, top of stack (e.g. C:\Program Files\Poop) - ; output, top of stack (replaces, with e.g. C:\Program Files) - ; modifies no other variables. - ; - ; Usage: - ; Push "C:\Program Files\Directory\Whatever" - ; Call GetParent - ; Pop $R0 - ; ; at this point $R0 will equal "C:\Program Files\Directory" - -Function GetParent - - Exch $R0 - Push $R1 - Push $R2 - Push $R3 - - StrCpy $R1 0 - StrLen $R2 $R0 - - loop: - IntOp $R1 $R1 + 1 - IntCmp $R1 $R2 get 0 get - StrCpy $R3 $R0 1 -$R1 - StrCmp $R3 "\" get - Goto loop - - get: - StrCpy $R0 $R0 -$R1 - - Pop $R3 - Pop $R2 - Pop $R1 - Exch $R0 - -FunctionEnd - -; SearchPath (path, filename) -; input: -; top of stack is the filename -; top of stack minus one is the path -; output: -; top of stack is a fully qualified path or the number "0" -; -; Usage: -; Push "semicolon delimited path" -; Push "filename" -; Call SearchPath -; Pop $R0 ; fqpn -; StrCmp $R0 "" failed -; -; -Function SearchPath - Exch $R0 ; input - filename - Exch - Exch $R1 ; input - semicolon delimited path - Push $R3 ; worker - index to current end character - Push $R4 ; worker - length of $R1 - Push $R5 ; worker - copy of directory string/fqpn to search for - Push $R6 ; worker - single charcter copy or find handle - - StrCpy $R3 0 ; init character index - StrLen $R4 $R1 ; determine length of semicolon delimited path - StrCpy $R5 "" ; init return value - - findDir: ; find a semi-colon or end of string - IntCmp $R3 $R4 exit 0 exit ; we are done if no unprocessed string left - - loop: - StrCpy $R6 $R1 1 $R3 ; get the next character - StrCmp $R6 ";" foundDir ; if it is semi-colon, we have found a dir - IntOp $R3 $R3 + 1 ; increment index - IntCmp $R3 $R4 foundDir ; if we are at end of string, we have a dir - Goto loop ; still more chars in this dir - - foundDir: - StrCpy $R5 $R1 $R3 ; copy the dir to $R5 - StrCpy $R5 "$R5\$R0" ; construct fqpn - IfFileExists $R5 exit ; if file exists we are done - StrCpy $R5 "" ; reset return value to null string - IntOp $R4 $R4 - $R3 ; compute maxlen of new delimited path - IntCmp $R4 0 exit ; no more path left, exit - IntOp $R3 $R3 + 1 ; Increment $R3 past the semi-colon - StrCpy $R1 $R1 $R4 $R3 ; remove dir from the delimited path - StrCpy $R3 0 ; index back to start of new delimited path - goto findDir ; get another directory to look in - - exit: - Pop $R6 - Exch $R5 ; output - fully qualified pathname - Exch - Pop $R4 - Exch - Pop $R3 - Exch - Pop $R1 - Exch - Pop $R0 -FunctionEnd diff --git a/src/windows/installer/wix/Makefile b/src/windows/installer/wix/Makefile index 3c2bfd6..225fbe8 100644 --- a/src/windows/installer/wix/Makefile +++ b/src/windows/installer/wix/Makefile @@ -35,10 +35,22 @@ WIXINCLUDES= \ CUSTOMDLL=custom\custom.dll +!if !defined(CPU) || "$(CPU)" == "" +CPU=$(PROCESSOR_ARCHITECTURE) +!endif # CPU + +!if ( "$(CPU)" == "X86" ) || ( "$(CPU)" == "x86" ) || ( "$(CPU)" == "i386" ) +WIXARCH = x86 +!elseif ( "$(CPU)" == "AMD64" ) +WIXARCH = x64 +!else +!error "Architecture $(CPU) not supported by installer" +!endif + all: $(MSIFILE) $(OBJFILE): kfw.wxs $(WIXINCLUDES) - $(CANDLE) -out $@ kfw.wxs \ + $(CANDLE) -arch $(WIXARCH) -out $@ kfw.wxs \ "-dDate=%DATE%" \ "-dTime=%TIME%" \ -dBuildLang=$(LANG) diff --git a/src/windows/installer/wix/config.wxi b/src/windows/installer/wix/config.wxi index 037e252..15411c1 100644 --- a/src/windows/installer/wix/config.wxi +++ b/src/windows/installer/wix/config.wxi @@ -35,25 +35,20 @@ - - - + - - - - - - - - - + + + + + + @@ -98,9 +93,6 @@ - - - @@ -134,9 +126,6 @@ - - - @@ -162,18 +151,6 @@ - - - - - - - - - - - - diff --git a/src/windows/installer/wix/custom/custom.cpp b/src/windows/installer/wix/custom/custom.cpp index 3ef726d..3460def 100644 --- a/src/windows/installer/wix/custom/custom.cpp +++ b/src/windows/installer/wix/custom/custom.cpp @@ -328,7 +328,7 @@ struct _KillProc { #define RV_BAIL if(rv != ERROR_SUCCESS) goto _cleanup MSIDLLEXPORT KillRunningProcesses( MSIHANDLE hInstall ) { - return KillRunningProcessesSlave( hInstall, TRUE ); + return KillRunningProcessesWorker( hInstall, TRUE ); } /* When listing running processes, we populate the ListBox table with @@ -338,10 +338,10 @@ MSIDLLEXPORT KillRunningProcesses( MSIHANDLE hInstall ) { */ MSIDLLEXPORT ListRunningProcesses( MSIHANDLE hInstall ) { - return KillRunningProcessesSlave( hInstall, FALSE ); + return KillRunningProcessesWorker( hInstall, FALSE ); } -UINT KillRunningProcessesSlave( MSIHANDLE hInstall, BOOL bKill ) +UINT KillRunningProcessesWorker( MSIHANDLE hInstall, BOOL bKill ) { UINT rv = ERROR_SUCCESS; _KillProc * kpList; diff --git a/src/windows/installer/wix/custom/custom.h b/src/windows/installer/wix/custom/custom.h index 3b28eec..53a250a 100644 --- a/src/windows/installer/wix/custom/custom.h +++ b/src/windows/installer/wix/custom/custom.h @@ -56,7 +56,7 @@ SOFTWARE. void ShowMsiError(MSIHANDLE, DWORD, DWORD); UINT SetAllowTgtSessionKey( MSIHANDLE hInstall, BOOL pInstall ); -UINT KillRunningProcessesSlave( MSIHANDLE hInstall, BOOL bKill ); +UINT KillRunningProcessesWorker( MSIHANDLE hInstall, BOOL bKill ); /* exported */ MSIDLLEXPORT AbortMsiImmediate( MSIHANDLE ); diff --git a/src/windows/installer/wix/features.wxi b/src/windows/installer/wix/features.wxi index 398ddda..5aa5f6f 100644 --- a/src/windows/installer/wix/features.wxi +++ b/src/windows/installer/wix/features.wxi @@ -51,19 +51,20 @@ Level="$(var.DebugSymLowLevel)" Title="!(loc.StrKerberosClientDebugTitle)"> + - + - + @@ -84,8 +85,8 @@ - + @@ -100,10 +101,8 @@ - - @@ -116,7 +115,6 @@ - @@ -148,7 +146,7 @@ Level="130" Title="!(loc.KerberosSDKTitle)"> - + @@ -159,8 +157,6 @@ - - @@ -173,10 +169,6 @@ Level="30" Title="!(loc.KerberosDocTitle)"> - - diff --git a/src/windows/installer/wix/files.wxi b/src/windows/installer/wix/files.wxi index 9194caf..0397326 100644 --- a/src/windows/installer/wix/files.wxi +++ b/src/windows/installer/wix/files.wxi @@ -35,7 +35,7 @@ - + @@ -51,11 +51,11 @@ - + - + @@ -67,76 +67,76 @@ - + KRB5CONFIG - + KRB5CCNAME - + KRB5PRESERVEIDENTITY - + - + - + - + - + - + - + - + - + - + - + - + - + @@ -153,183 +153,164 @@ - + - + - + - + - - - - LEASHAFSSTATUS - - + LEASHCREATEMISSINGCONFIG - + LEASHAUTORENEWTICKETS - - - LEASHLOCKFILELOCATIONS - - + LEASHMSLSAIMPORT - + - + - + - + LEASHLIFETIME - + LEASHRENEWTILL - + LEASHRENEWABLE - + LEASHFORWARDABLE - + LEASHNOADDRESSES - + LEASHPROXIABLE - + LEASHPUBLICIP - - - LEASHUSEKRB4 - - + LEASHHIDEKINITOPTIONS - + LEASHLIFEMIN - + LEASHLIFEMAX - + LEASHRENEWMIN - + LEASHRENEWMAX - + LEASHUPPERCASEREALM - + LEASHTIMEHOST - + LEASHPRESERVEKINITOPTIONS - + - + - - - - + - - + + - + - + - + - + - + - - - - + - - + + - @@ -338,7 +319,6 @@ - @@ -358,11 +338,32 @@ + + + + + + + + + + + + + + + + + + + + + - + @@ -370,11 +371,11 @@ - + - + @@ -382,15 +383,15 @@ - + - + @@ -399,67 +400,42 @@ - - - - - - - - - - - - + - + - - + - + - - - - - + @@ -475,7 +451,7 @@ - + @@ -487,7 +463,7 @@ - + @@ -503,7 +479,7 @@ - + @@ -527,7 +503,7 @@ - + @@ -551,7 +527,7 @@ - + @@ -578,36 +554,40 @@ - - + + - + + + + + - + - - - - - - + + + + + + - - - - - - + + + + + + - - - + + + - - - + + + diff --git a/src/windows/installer/wix/kfw.wxs b/src/windows/installer/wix/kfw.wxs index c5c0f5f..d150a61 100755 --- a/src/windows/installer/wix/kfw.wxs +++ b/src/windows/installer/wix/kfw.wxs @@ -50,7 +50,6 @@ Languages="$(var.Language)" Compressed="yes" SummaryCodepage="$(var.CodePage)" - Platforms="$(var.Platform)" /> @@ -65,7 +64,7 @@ (Not (VersionNT = 600)) Or (ServicePackLevel >= 2) USELEASH Or USENETIDMGR Not (USELEASH And USENETIDMGR) - + diff --git a/src/windows/installer/wix/lang/config_1033.wxi b/src/windows/installer/wix/lang/config_1033.wxi index 78f26d3..3dbaaf5 100644 --- a/src/windows/installer/wix/lang/config_1033.wxi +++ b/src/windows/installer/wix/lang/config_1033.wxi @@ -27,10 +27,10 @@ - + - + diff --git a/src/windows/installer/wix/lang/strings_1033.wxl b/src/windows/installer/wix/lang/strings_1033.wxl index cb530b2..7207e9a 100644 --- a/src/windows/installer/wix/lang/strings_1033.wxl +++ b/src/windows/installer/wix/lang/strings_1033.wxl @@ -1,5 +1,5 @@ - + - $(var.LeashAfsStatus) $(var.LeashCreateMissingConfig) $(var.LeashAutoRenewTickets) - $(var.LeashLockFileLocations) $(var.LeashMsLsaImport) $(var.LeashLifetime) $(var.LeashRenewTill) @@ -70,7 +68,6 @@ $(var.LeashNoAddresses) $(var.LeashProxiable) $(var.LeashPublicIp) - $(var.LeashUseKrb4) $(var.LeashHideKinitOptions) $(var.LeashLifeMin) $(var.LeashLifeMax) @@ -79,10 +76,6 @@ $(var.LeashUppercaseRealm) $(var.LeashTimeHost) $(var.LeashPreserveKinitOptions) - $(var.Krb4KrbRealms) - $(var.Krb4KrbConf) - $(var.Krb4ConfigDir) - $(var.Krb4TicketFile) $(var.Krb5Config) $(var.Krb5CcName) $(var.Krb5PreserveIdentity) diff --git a/src/windows/installer/wix/runtime.wxi b/src/windows/installer/wix/runtime.wxi index ff86e3f..3d5c1df 100644 --- a/src/windows/installer/wix/runtime.wxi +++ b/src/windows/installer/wix/runtime.wxi @@ -1,7 +1,7 @@  - + diff --git a/src/windows/installer/wix/site-local-tagged.wxi b/src/windows/installer/wix/site-local-tagged.wxi deleted file mode 100644 index 26d6d7e..0000000 --- a/src/windows/installer/wix/site-local-tagged.wxi +++ /dev/null @@ -1,105 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - \ No newline at end of file diff --git a/src/windows/kfwlogon/Makefile.in b/src/windows/kfwlogon/Makefile.in index dfda87c..d5ebe2b 100644 --- a/src/windows/kfwlogon/Makefile.in +++ b/src/windows/kfwlogon/Makefile.in @@ -3,7 +3,6 @@ mydir=. BUILDTOP=$(REL)..$(S).. -DEFINES = -DNO_KRB4 LOCALINCLUDES = -I$(BUILDTOP) -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include PROG_LIBPATH=-L$(TOPLIBD) -L$(KRB5_LIBDIR) @@ -35,11 +34,11 @@ $(EXERES): $(VERSIONRC) all-windows: $(OUTPRE)kfwlogon.dll $(OUTPRE)kfwcpcc.exe $(KFWLOGON): $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj $(LIBRES) - link $(DLL_LINKOPTS) -out:$@ $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj -entry:DllEntryPoint -def:kfwlogon.def $(SYSLIBS) $(KLIB) $(CLIB) $(SCLIB) ../lib/$(OUTPRE)libwin.lib $(LIBRES) + link $(DLL_LINKOPTS) -out:$@ $(OUTPRE)kfwlogon.obj $(OUTPRE)kfwcommon.obj -entry:DllEntryPoint -def:kfwlogon.def $(SYSLIBS) $(KLIB) $(CLIB) ../lib/$(OUTPRE)libwin.lib $(LIBRES) $(_VC_MANIFEST_EMBED_DLL) $(KFWCPCC): $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(EXERES) - link $(EXE_LINKOPTS) -out:$@ $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(SYSLIBS) $(KLIB) $(CLIB) $(SCLIB) ../lib/$(OUTPRE)libwin.lib $(EXERES) + link $(EXE_LINKOPTS) -out:$@ $(OUTPRE)kfwcpcc.obj $(OUTPRE)kfwcommon.obj $(SYSLIBS) $(KLIB) $(CLIB) ../lib/$(OUTPRE)libwin.lib $(EXERES) $(_VC_MANIFEST_EMBED_EXE) install: diff --git a/src/windows/kfwlogon/kfwcommon.c b/src/windows/kfwlogon/kfwcommon.c index a348221..9249a23 100644 --- a/src/windows/kfwlogon/kfwcommon.c +++ b/src/windows/kfwlogon/kfwcommon.c @@ -56,7 +56,6 @@ DECL_FUNC_PTR(Leash_get_default_renew_till); DECL_FUNC_PTR(Leash_get_default_noaddresses); DECL_FUNC_PTR(Leash_get_default_proxiable); DECL_FUNC_PTR(Leash_get_default_publicip); -DECL_FUNC_PTR(Leash_get_default_use_krb4); DECL_FUNC_PTR(Leash_get_default_life_min); DECL_FUNC_PTR(Leash_get_default_life_max); DECL_FUNC_PTR(Leash_get_default_renew_min); @@ -167,7 +166,6 @@ FUNC_INFO leash_fi[] = { MAKE_FUNC_INFO(Leash_get_default_noaddresses), MAKE_FUNC_INFO(Leash_get_default_proxiable), MAKE_FUNC_INFO(Leash_get_default_publicip), - MAKE_FUNC_INFO(Leash_get_default_use_krb4), MAKE_FUNC_INFO(Leash_get_default_life_min), MAKE_FUNC_INFO(Leash_get_default_life_max), MAKE_FUNC_INFO(Leash_get_default_renew_min), diff --git a/src/windows/kfwlogon/kfwlogon.c b/src/windows/kfwlogon/kfwlogon.c index d851c46..c388fff 100644 --- a/src/windows/kfwlogon/kfwlogon.c +++ b/src/windows/kfwlogon/kfwlogon.c @@ -434,9 +434,6 @@ static BOOL GetSecurityLogonSessionData(HANDLE hToken, PSECURITY_LOGON_SESSION_DATA * ppSessionData) { NTSTATUS Status = 0; -#if 0 - HANDLE TokenHandle; -#endif TOKEN_STATISTICS Stats; DWORD ReqLen; BOOL Success; @@ -445,16 +442,8 @@ GetSecurityLogonSessionData(HANDLE hToken, PSECURITY_LOGON_SESSION_DATA * ppSess return FALSE; *ppSessionData = NULL; -#if 0 - Success = OpenProcessToken( HANDLE GetCurrentProcess(), TOKEN_QUERY, &TokenHandle ); - if ( !Success ) - return FALSE; -#endif Success = GetTokenInformation( hToken, TokenStatistics, &Stats, sizeof(TOKEN_STATISTICS), &ReqLen ); -#if 0 - CloseHandle( TokenHandle ); -#endif if ( !Success ) return FALSE; diff --git a/src/windows/leash/AfsProperties.cpp b/src/windows/leash/AfsProperties.cpp deleted file mode 100644 index dabcdfd..0000000 --- a/src/windows/leash/AfsProperties.cpp +++ /dev/null @@ -1,123 +0,0 @@ -// AfsProperties.cpp : implementation file -// - -#include "stdafx.h" -#include "leash.h" -#include "AfsProperties.h" - -/* This should be set to something other than 0 or 1 (the valid values) */ -#define INVALID_AFS_STATUS_VALUE 2 -#define IS_INVALID_AFS_STATUS_VALUE(x) ((x != 0) && (x != 1)) - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CAfsProperties dialog - - -CAfsProperties::CAfsProperties(CWnd* pParent /*=NULL*/) - : CDialog(CAfsProperties::IDD, pParent) -{ - m_newAfsStatus = 0; - m_oldAfsStatus = 0; - - //{{AFX_DATA_INIT(CAfsProperties) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CAfsProperties::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CAfsProperties) - // NOTE: the ClassWizard will add DDX an3d DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CAfsProperties, CDialog) - //{{AFX_MSG_MAP(CAfsProperties) - ON_BN_CLICKED(IDC_BUTTON_AFS_PROPERTIES, OnButtonAfsProperties) - ON_BN_CLICKED(IDC_RADIO_AFS_ENABLED, OnRadioAfsEnabled) - ON_BN_CLICKED(IDC_RADIO_AFS_DISABLED, OnRadioAfsDisabled) - ON_COMMAND(ID_HELP, OnHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CAfsProperties message handlers - -BOOL -CAfsProperties::OnInitDialog() -{ - CDialog::OnInitDialog(); - - // Get State* of Destroy Tickets On Exit - m_pApp = AfxGetApp(); - - m_oldAfsStatus = m_pApp->GetProfileInt("Settings", "AfsStatus", - INVALID_AFS_STATUS_VALUE); - if (IS_INVALID_AFS_STATUS_VALUE(m_oldAfsStatus)) - { - // set the default - m_pApp->WriteProfileInt("Settings", "AfsStatus", 1); - m_oldAfsStatus = 1; - } - - m_newAfsStatus = m_oldAfsStatus; - - int enabled = (m_oldAfsStatus != 0); - if (enabled) - CheckDlgButton(IDC_RADIO_AFS_ENABLED, TRUE); - else - CheckDlgButton(IDC_RADIO_AFS_DISABLED, TRUE); - - return TRUE; -} - -void CAfsProperties::OnButtonAfsProperties() -{ - if (32 >= (LRESULT) ShellExecute (NULL, NULL, "AFS_CONFIG.EXE", NULL, - NULL, SW_SHOW)) - { - MessageBox("Can't find file AFS_CONFIG.EXE", "Error", MB_OK); - } -} - -void CAfsProperties::OnOK() -{ - if (m_oldAfsStatus != m_newAfsStatus) - { - if (!m_pApp->WriteProfileInt("Settings", "AfsStatus", m_newAfsStatus)) - { - MessageBox("There was an error putting your entry into the " - "Registry!", "Error", MB_OK); - } - } - - CDialog::OnOK(); -} - -void CAfsProperties::OnRadioAfsEnabled() -{ - m_newAfsStatus = 1; -} - -void CAfsProperties::OnRadioAfsDisabled() -{ - m_newAfsStatus = 0; -} - -void CAfsProperties::OnHelp() -{ -#ifdef CALL_HTMLHELP - AfxGetApp()->HtmlHelp(HID_AFS_PROPERTIES_COMMAND); -#else - AfxGetApp()->WinHelp(HID_AFS_PROPERTIES_COMMAND); -#endif -} diff --git a/src/windows/leash/AfsProperties.h b/src/windows/leash/AfsProperties.h deleted file mode 100644 index 2c6e1ed..0000000 --- a/src/windows/leash/AfsProperties.h +++ /dev/null @@ -1,56 +0,0 @@ -#if !defined(AFX_AFSPROPERTIES_H__FD135601_2FCB_11D3_96A2_0000861B8A3C__INCLUDED_) -#define AFX_AFSPROPERTIES_H__FD135601_2FCB_11D3_96A2_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// AfsProperties.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CAfsProperties dialog - -class CAfsProperties : public CDialog -{ -// Construction -private: - UINT m_newAfsStatus; - UINT m_oldAfsStatus; - CWinApp *m_pApp; - -public: - CAfsProperties(CWnd* pParent = NULL); // standard constructor - -// Dialog Data - //{{AFX_DATA(CAfsProperties) - enum { IDD = IDD_AFS_PROPERTIES }; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CAfsProperties) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CAfsProperties) - virtual BOOL OnInitDialog(); - afx_msg void OnButtonAfsProperties(); - virtual void OnOK(); - afx_msg void OnRadioAfsEnabled(); - afx_msg void OnRadioAfsDisabled(); - afx_msg void OnHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_AFSPROPERTIES_H__FD135601_2FCB_11D3_96A2_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/CLeashDragListBox.cpp b/src/windows/leash/CLeashDragListBox.cpp deleted file mode 100644 index 2753884..0000000 --- a/src/windows/leash/CLeashDragListBox.cpp +++ /dev/null @@ -1,215 +0,0 @@ -#include "stdafx.h" -#include "CLeashDragListBox.h" -#include "leash.h" -#include "lglobals.h" - -///////////////////////////////////////////////////////////////////////////// -// CLeashDragListBox - -//IMPLEMENT_DYNAMIC(CLeashDragListBox, CDragListBox) - -CLeashDragListBox::CLeashDragListBox() - :CDragListBox() -{ - -} - -CLeashDragListBox::~CLeashDragListBox() -{ - DestroyWindow(); -} - -void CLeashDragListBox::initOtherListbox(CPropertyPage* pPage, CListBox* pOtherListBox) -{ - m_pPage = pPage; - m_pOtherListBox = pOtherListBox; -} - - -void CLeashDragListBox::PreSubclassWindow() -{ - ASSERT(::IsWindow(m_hWnd)); - ASSERT((GetStyle() & (LBS_MULTIPLESEL|LBS_SORT)) == 0); - MakeDragList(m_hWnd); -} - -BOOL CLeashDragListBox::BeginDrag(CPoint pt) -{ - m_nLast = -1; - DrawInsert(ItemFromPt(pt)); - return TRUE; -} - -void CLeashDragListBox::CancelDrag(CPoint) -{ - DrawInsert(-1); -} - -UINT CLeashDragListBox::Dragging(CPoint pt) -{ - int nIndex = ItemFromPt(pt, FALSE); // don't allow scrolling just yet - DrawInsert(nIndex); - ItemFromPt(pt); - return (nIndex == LB_ERR) ? DL_STOPCURSOR : DL_MOVECURSOR; -} - -void CLeashDragListBox::Dropped(int nSrcIndex, CPoint pt) -{ - ASSERT(!(GetStyle() & (LBS_OWNERDRAWFIXED|LBS_OWNERDRAWVARIABLE)) || - (GetStyle() & LBS_HASSTRINGS)); - - DrawInsert(-1); - int nDestIndex = ItemFromPt(pt); - - if (nSrcIndex == -1 || nDestIndex == -1) - return; - if (nDestIndex == nSrcIndex || nDestIndex == nSrcIndex+1) - return; //didn't move - CString str1, str2; - DWORD_PTR dwData; - GetText(nSrcIndex, str1); - GetText(nDestIndex, str2); - dwData = GetItemData(nSrcIndex); - DeleteString(nSrcIndex); - if (nSrcIndex < nDestIndex) - nDestIndex--; - nDestIndex = InsertString(nDestIndex, str1); - SetItemData(nDestIndex, dwData); - SetCurSel(nDestIndex); - - // Save new order of items to profile linklist - char theSection[REALM_SZ + 1]; - const char* adminServer[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char* Section[] = {"realms", theSection, NULL}; - const char** adminServ = adminServer; - const char** section = Section; - const char* valueSection[] = {"realms", theSection, "kdc", NULL}; - const char** valueSec = valueSection; - CString theValue; - CHAR hostServer[MAX_HSTNM]; - - if (LB_ERR == m_pOtherListBox->GetText(m_pOtherListBox->GetCurSel(), theSection)) - ASSERT(0); - - long retval = pprofile_rename_section(CLeashApp::m_krbv5_profile, - section, NULL); - if (retval) - { - MessageBox("Dropped::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, NULL); - if (retval) - { - MessageBox("Dropped::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - for (INT maxItems = GetCount(), item = 0; item < maxItems; item++) - { - GetText(item, hostServer); - //strcpy(hostServer, theValue); - - if (strstr(hostServer, ADMIN_SERVER)) - { - char* pAdmin = strchr(hostServer, ' '); - if (pAdmin) - *pAdmin = 0; - else - ASSERT(0); - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - adminServ, hostServer); - if (retval) - { - MessageBox("Dropped::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - } - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - valueSec, hostServer); - if (retval) - { - MessageBox("Dropped::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - } - - m_pPage->SetModified(TRUE); -} - -void CLeashDragListBox::DrawInsert(int nIndex) -{ - if (m_nLast != nIndex) - { - DrawSingle(m_nLast); - DrawSingle(nIndex); - m_nLast = nIndex; - } -} - -void CLeashDragListBox::DrawSingle(int nIndex) -{ - if (nIndex == -1) - return; - CBrush* pBrush = CDC::GetHalftoneBrush(); - CRect rect; - GetClientRect(&rect); - CRgn rgn; - rgn.CreateRectRgnIndirect(&rect); - - CDC* pDC = GetDC(); - // prevent drawing outside of listbox - // this can happen at the top of the listbox since the listbox's DC is the - // parent's DC - pDC->SelectClipRgn(&rgn); - - GetItemRect(nIndex, &rect); - rect.bottom = rect.top+2; - rect.top -= 2; - CBrush* pBrushOld = pDC->SelectObject(pBrush); - //draw main line - pDC->PatBlt(rect.left, rect.top, rect.Width(), rect.Height(), PATINVERT); - - pDC->SelectObject(pBrushOld); - ReleaseDC(pDC); -} - -/* -BOOL CLeashDragListBox::OnChildNotify(UINT nMessage, WPARAM wParam, LPARAM lParam, LRESULT* pResult) -{ - if (nMessage != m_nMsgDragList) - return CListBox::OnChildNotify(nMessage, wParam, lParam, pResult); - - ASSERT(pResult != NULL); - LPDRAGLISTINFO pInfo = (LPDRAGLISTINFO)lParam; - ASSERT(pInfo != NULL); - switch (pInfo->uNotification) - { - case DL_BEGINDRAG: - *pResult = BeginDrag(pInfo->ptCursor); - break; - case DL_CANCELDRAG: - CancelDrag(pInfo->ptCursor); - break; - case DL_DRAGGING: - *pResult = Dragging(pInfo->ptCursor); - break; - case DL_DROPPED: - Dropped(GetCurSel(), pInfo->ptCursor); - break; - } - return TRUE; -} -*/ diff --git a/src/windows/leash/CLeashDragListBox.h b/src/windows/leash/CLeashDragListBox.h deleted file mode 100644 index 02179b2..0000000 --- a/src/windows/leash/CLeashDragListBox.h +++ /dev/null @@ -1,45 +0,0 @@ -#ifndef _LEASH_DRAGLISTBOX -#define _LEASH_DRAGLISTBOX - -///////////////////////////////////////////////////////////////////////////// -// CLeashDragListBox - -//#include "AFXCMN.h" - -class CLeashDragListBox : public CDragListBox -{ - //DECLARE_DYNAMIC(CDragListBoxCLeashDragListBox) - - CListBox* m_pOtherListBox; - CPropertyPage* m_pPage; - -// Constructors -public: - CLeashDragListBox(); - void initOtherListbox(CPropertyPage* pPage, CListBox* pOtherListBox); - -// Attributes - //int ItemFromPt(CPoint pt, BOOL bAutoScroll = TRUE) const; - -// Operations - virtual void DrawInsert(int nItem); - -// Overridables - virtual BOOL BeginDrag(CPoint pt); - virtual void CancelDrag(CPoint pt); - virtual UINT Dragging(CPoint pt); - virtual void Dropped(int nSrcIndex, CPoint pt); - -// Implementation -public: - int m_nLast; - void DrawSingle(int nIndex); - virtual void PreSubclassWindow(); - virtual ~CLeashDragListBox(); -protected: - //virtual BOOL OnChildNotify(UINT, WPARAM, LPARAM, LRESULT*); -}; - -//class CLeashDragListBox; - -#endif // _LEASH_DRAGLISTBOX diff --git a/src/windows/leash/Krb4AddToDomainRealmList.cpp b/src/windows/leash/Krb4AddToDomainRealmList.cpp deleted file mode 100644 index 9f119bd..0000000 --- a/src/windows/leash/Krb4AddToDomainRealmList.cpp +++ /dev/null @@ -1,107 +0,0 @@ -// File: Krb4AddToDomainRealmList.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4AddToDomainRealmList.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4AddToDomainRealmList.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToDomainRealmList dialog - - -CKrb4AddToDomainRealmList::CKrb4AddToDomainRealmList(CWnd* pParent /*=NULL*/) - : CDialog(CKrb4AddToDomainRealmList::IDD, pParent) -{ - m_newRealm = _T(""); - m_newDomainHost = _T(""); - m_startup = TRUE; - - - //{{AFX_DATA_INIT(CKrb4AddToDomainRealmList) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrb4AddToDomainRealmList::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4AddToDomainRealmList) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4AddToDomainRealmList, CDialog) - //{{AFX_MSG_MAP(CKrb4AddToDomainRealmList) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_DOMAINHOSTNAME, OnChangeEditDomainhostname) - ON_EN_CHANGE(IDC_EDIT_DOMAINREALMNAME, OnChangeEditDomainrealmname) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToDomainRealmList message handlers - -void CKrb4AddToDomainRealmList::OnChangeEditDomainhostname() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_DOMAINHOSTNAME, m_newDomainHost); -} - -void CKrb4AddToDomainRealmList::OnChangeEditDomainrealmname() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_DOMAINREALMNAME, m_newRealm); -} - -void CKrb4AddToDomainRealmList::OnOK() -{ - //if (m_newRealm.IsEmpty) - - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - m_newDomainHost.TrimLeft(); - m_newDomainHost.TrimRight(); - - if (m_newRealm.IsEmpty() || m_newDomainHost.IsEmpty()) - { // stay - MessageBox("OnOK::Both Realm and Domain-Host fields must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ') || -1 != m_newDomainHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - else - CDialog::OnOK(); // exit -} - -void CKrb4AddToDomainRealmList::OnCancel() -{ - - CDialog::OnCancel(); -} - -void CKrb4AddToDomainRealmList::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} diff --git a/src/windows/leash/Krb4AddToDomainRealmList.h b/src/windows/leash/Krb4AddToDomainRealmList.h deleted file mode 100644 index 8148c0d..0000000 --- a/src/windows/leash/Krb4AddToDomainRealmList.h +++ /dev/null @@ -1,73 +0,0 @@ -// File: Krb4AddToDomainRealmList.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4AddToDomainRealmList.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_KRB4ADDTODOMAINREALMLIST_H__F4D41683_96A4_11D2_94E2_0000861B8A3C__INCLUDED_) -#define AFX_KRB4ADDTODOMAINREALMLIST_H__F4D41683_96A4_11D2_94E2_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// Krb4AddToDomainRealmList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToDomainRealmList dialog - -class CKrb4AddToDomainRealmList : public CDialog -{ -// Construction -private: - CString m_newRealm; - CString m_newDomainHost; - BOOL m_newAdmin; - BOOL m_startup; - -public: - CKrb4AddToDomainRealmList(CWnd* pParent = NULL); // standard constructor - - CString GetNewRealm() {return m_newRealm;} - CString GetNewDomainHost() {return m_newDomainHost;} - -// Dialog Data - //{{AFX_DATA(CKrb4AddToDomainRealmList) - enum { IDD = IDD_KRB4_ADD_DOMAINREALMNAME }; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4AddToDomainRealmList) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4AddToDomainRealmList) - virtual void OnOK(); - virtual void OnCancel(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnChangeEditDomainhostname(); - afx_msg void OnChangeEditDomainrealmname(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRB4ADDTODOMAINREALMLIST_H__F4D41683_96A4_11D2_94E2_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb4AddToRealmHostList.cpp b/src/windows/leash/Krb4AddToRealmHostList.cpp deleted file mode 100644 index e012aea..0000000 --- a/src/windows/leash/Krb4AddToRealmHostList.cpp +++ /dev/null @@ -1,121 +0,0 @@ -// File: Krb4AddToRealmHostList.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4AddToRealmHostList.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4AddToRealmHostList.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToRealmHostList dialog - - -CKrb4AddToRealmHostList::CKrb4AddToRealmHostList(CWnd* pParent /*=NULL*/) -: CDialog(CKrb4AddToRealmHostList::IDD, pParent) -{ - m_newRealm = _T(""); - m_newHost = _T(""); - m_newAdmin = TRUE; - m_startup = TRUE; - - //{{AFX_DATA_INIT(CKrb4AddToRealmHostList) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrb4AddToRealmHostList::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4AddToRealmHostList) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4AddToRealmHostList, CDialog) - //{{AFX_MSG_MAP(CKrb4AddToRealmHostList) - ON_EN_CHANGE(IDC_EDIT_DEFAULT_REALM, OnChangeEditDefaultRealm) - ON_EN_CHANGE(IDC_EDIT_REALM_HOSTNAME, OnChangeEditRealmHostname) - ON_WM_SHOWWINDOW() - ON_BN_CLICKED(IDC_RADIO_ADMIN_SERVER, OnRadioAdminServer) - ON_BN_CLICKED(IDC_RADIO_NO_ADMIN_SERVER, OnRadioNoAdminServer) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToRealmHostList message handlers - -void CKrb4AddToRealmHostList::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -void CKrb4AddToRealmHostList::OnChangeEditDefaultRealm() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newRealm); -} - -void CKrb4AddToRealmHostList::OnChangeEditRealmHostname() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_newHost); -} - -void CKrb4AddToRealmHostList::OnRadioAdminServer() -{ - m_newAdmin = TRUE; -} - -void CKrb4AddToRealmHostList::OnRadioNoAdminServer() -{ - m_newAdmin = FALSE; -} - -void CKrb4AddToRealmHostList::OnOK() -{ - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - m_newHost.TrimLeft(); - m_newHost.TrimRight(); - - if (m_newRealm.IsEmpty() || m_newHost.IsEmpty()) - { // stay - MessageBox("OnOK::Both Realm and Host fields must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ') || -1 != m_newHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - - else - CDialog::OnOK(); // exit -} - -BOOL CKrb4AddToRealmHostList::OnInitDialog() -{ - CDialog::OnInitDialog(); - - CheckRadioButton(IDC_RADIO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER, IDC_RADIO_ADMIN_SERVER); - - return TRUE; -} diff --git a/src/windows/leash/Krb4AddToRealmHostList.h b/src/windows/leash/Krb4AddToRealmHostList.h deleted file mode 100644 index 1c81367..0000000 --- a/src/windows/leash/Krb4AddToRealmHostList.h +++ /dev/null @@ -1,75 +0,0 @@ -// ************************************************************************************** -// File: Krb4AddToRealmHostList.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4AddToRealmHostList.cpp Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_) -#define AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// AddToRealmHostList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4AddToRealmHostList dialog - -class CKrb4AddToRealmHostList : public CDialog -{ -// Construction - CString m_newRealm; - CString m_newHost; - BOOL m_newAdmin; - BOOL m_startup; - -public: - CKrb4AddToRealmHostList(CWnd* pParent = NULL); // standard constructor - - CString GetNewRealm() {return m_newRealm;} - CString GetNewHost() {return m_newHost;} - BOOL GetNewAdmin() {return m_newAdmin;} - -// Dialog Data - //{{AFX_DATA(CKrb4AddToRealmHostList) - enum { IDD = IDD_KRB4_ADD_REALM }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4AddToRealmHostList) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4AddToRealmHostList) - afx_msg void OnChangeEditDefaultRealm(); - afx_msg void OnChangeEditRealmHostname(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnRadioAdminServer(); - afx_msg void OnRadioNoAdminServer(); - virtual void OnOK(); - virtual BOOL OnInitDialog(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb4DomainRealmMaintenance.cpp b/src/windows/leash/Krb4DomainRealmMaintenance.cpp deleted file mode 100644 index 466b31a..0000000 --- a/src/windows/leash/Krb4DomainRealmMaintenance.cpp +++ /dev/null @@ -1,268 +0,0 @@ -// ************************************************************************************** -// File: Krb4DomainRealmMaintenance.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4DomainRealmMaintenance.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - -#include "stdafx.h" -#include "leash.h" -#include "KrbProperties.h" -#include "Krb4Properties.h" -#include "Krb4AddToDomainRealmList.h" -#include "Krb4EditDomainRealmList.h" -#include "Krb4DomainRealmMaintenance.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4DomainRealmMaintenance dialog - - -IMPLEMENT_DYNCREATE(CKrb4DomainRealmMaintenance, CPropertyPage) - -CKrb4DomainRealmMaintenance::CKrb4DomainRealmMaintenance() : - CPropertyPage(CKrb4DomainRealmMaintenance ::IDD) -{ - m_defectiveLines = 0; -} - -CKrb4DomainRealmMaintenance::~CKrb4DomainRealmMaintenance() -{ -} - -void CKrb4DomainRealmMaintenance::DoDataExchange(CDataExchange* pDX) -{ - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4DomainRealmMaintenance) - DDX_Control(pDX, IDC_LIST_DOMAINREALM, m_realmDomainList); - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4DomainRealmMaintenance, CPropertyPage) - //{{AFX_MSG_MAP(CKrb4DomainRealmMaintenance) - ON_BN_CLICKED(IDC_BUTTON_REALM_HOST_ADD, OnButtonRealmHostAdd) - ON_BN_CLICKED(ID_BUTTON_REALM_HOST_REMOVE, OnButtonRealmHostRemove) - ON_BN_CLICKED(IDC_BUTTON_REALM_HOST_EDIT, OnButtonRealmHostEdit) - ON_LBN_SELCHANGE(IDC_LIST_DOMAINREALM, OnSelchangeListDomainrealm) - ON_LBN_DBLCLK(IDC_LIST_DOMAINREALM, OnDblclkListDomainrealm) - ON_BN_CLICKED(IDC_BUTTON_HOSTMAINT_HELP, OnButtonHostmaintHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4DomainRealmMaintenance message handlers - -BOOL CKrb4DomainRealmMaintenance::OnApply() -{ - CStdioFile krbrealmCon; - if (!krbrealmCon.Open(CKrbProperties::m_krbrealmPath, CFile::modeCreate | - CFile::modeNoTruncate | - CFile::modeReadWrite)) - { - LeashErrorBox("OnApply::Can't open Configuration File", - CKrbProperties::m_krbrealmPath); - return TRUE; - } - - memset(lineBuf, '\0', sizeof(lineBuf)); - krbrealmCon.SetLength(0); - krbrealmCon.WriteString(lineBuf); - for (INT maxItems = m_realmDomainList.GetCount(), item = 0; item < maxItems; item++) - { - memset(lineBuf, '\0', sizeof(lineBuf)); - if (!m_realmDomainList.GetText(item, lineBuf)) - break; - - krbrealmCon.WriteString(lineBuf); - krbrealmCon.WriteString("\n"); - } - - krbrealmCon.Close(); - - return TRUE; -} - -BOOL CKrb4DomainRealmMaintenance::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - CStdioFile krbrealmCon; - - if (!krbrealmCon.Open(CKrbProperties::m_krbrealmPath, CFile::modeReadWrite)) - { // can't find file, so lets set some defaults - CString defaultStr; - defaultStr.Format("%s %s", "MIT.EDU", KRB_REALM); - m_realmDomainList.AddString(defaultStr); - } - else - { - while (TRUE) - { - if (!krbrealmCon.ReadString(lineBuf, sizeof(lineBuf))) - break; - - *(lineBuf + strlen(lineBuf) - 1) = 0; - - if (!strchr(lineBuf, ' ') && !strchr(lineBuf, '\t')) - { // found a defective line - m_defectiveLines++; - } - - if (LB_ERR == m_realmDomainList.AddString(lineBuf)) - { - LeashErrorBox("OnInitDialog::Can't read Configuration File", - CKrbProperties::m_krbrealmPath); - krbrealmCon.Close(); - return FALSE; - } - } - - krbrealmCon.Close(); - } - - m_realmDomainList.SetCurSel(0); - - if (!m_realmDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_REALM_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REALM_HOST_EDIT)->EnableWindow(FALSE); - } - - return TRUE; -} - -void CKrb4DomainRealmMaintenance::OnButtonRealmHostAdd() -{ - CKrb4AddToDomainRealmList addToDomainRealmList; - if (IDOK == addToDomainRealmList.DoModal()) - { - if (addToDomainRealmList.GetNewRealm().IsEmpty()) - ASSERT(0); - - CString newLine; - newLine = addToDomainRealmList.GetNewDomainHost() + " " + addToDomainRealmList.GetNewRealm(); - - // We don't want duplicate items in Listbox - CString ckDups; - for (INT item = 0; item < m_realmDomainList.GetCount(); item++) - { - m_realmDomainList.GetText(item, ckDups); - if (0 == ckDups.CompareNoCase(newLine)) - { // found duplicate item in Listbox - LeashErrorBox("OnButtonRealmHostAdd::Found a Duplicate Item\nCan't add to List", - ckDups); - return; - } - } - - m_realmDomainList.InsertString(0, newLine); - m_realmDomainList.SetCurSel(0); - SetModified(TRUE); - - if (1 == m_realmDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_REALM_HOST_REMOVE)->EnableWindow();GetDlgItem(IDC_BUTTON_REALM_HOST_EDIT)->EnableWindow(); - } - } -} - -void CKrb4DomainRealmMaintenance::OnButtonRealmHostRemove() -{ - if (IDYES != AfxMessageBox("Your about to remove an item from the list!\n\nContinue?", - MB_YESNO)) - return; - - INT curSel = m_realmDomainList.GetCurSel(); - m_realmDomainList.DeleteString(curSel); // Single Sel Listbox - - if (-1 == m_realmDomainList.SetCurSel(curSel)) - m_realmDomainList.SetCurSel(curSel - 1); - - if (!m_realmDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_REALM_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REALM_HOST_EDIT)->EnableWindow(FALSE); - } - - SetModified(TRUE); -} - -void CKrb4DomainRealmMaintenance::OnButtonRealmHostEdit() -{ - INT selItemIndex = m_realmDomainList.GetCurSel(); - LPSTR pSelItem = new char[m_realmDomainList.GetTextLen(selItemIndex) + 1]; - if (!pSelItem) - ASSERT(0); - - CString selItem; - m_realmDomainList.GetText(selItemIndex, selItem); - strcpy(pSelItem, selItem); - - CKrb4EditDomainRealmList editDomainRealmList(pSelItem); - delete [] pSelItem; - - if (IDOK == editDomainRealmList.DoModal()) - { - CString editedItem = editDomainRealmList.GetEditedItem(); - if (0 != selItem.CompareNoCase(editedItem) && - LB_ERR != m_realmDomainList.FindStringExact(-1, editedItem)) - { - LeashErrorBox("OnButtonRealmHostEdit::Found a Duplicate!\nCan't add to List", - editedItem); - - return; - } - - m_realmDomainList.DeleteString(selItemIndex); - m_realmDomainList.InsertString(selItemIndex, editDomainRealmList.GetEditedItem()); - m_realmDomainList.SetCurSel(selItemIndex); - SetModified(TRUE); - } -} - -void CKrb4DomainRealmMaintenance::OnSelchangeListDomainrealm() -{ - //SetModified(TRUE); -} - -void CKrb4DomainRealmMaintenance::OnDblclkListDomainrealm() -{ - OnButtonRealmHostEdit(); -} - -BOOL CKrb4DomainRealmMaintenance::PreTranslateMessage(MSG* pMsg) -{ - if (m_defectiveLines) - { - if (m_defectiveLines == 1) - LeashErrorBox("Found a defective entry in file", - CKrbProperties::m_krbrealmPath, "Warning"); - else if (m_defectiveLines > 1) - LeashErrorBox("Found more then one defective entry in file", - CKrbProperties::m_krbrealmPath, "Warning"); - } - - m_defectiveLines = 0; - return CPropertyPage::PreTranslateMessage(pMsg); -} - - - - -void CKrb4DomainRealmMaintenance::OnButtonHostmaintHelp() -{ - MessageBox("No Help Available!", "Leash", MB_OK); -} diff --git a/src/windows/leash/Krb4DomainRealmMaintenance.h b/src/windows/leash/Krb4DomainRealmMaintenance.h deleted file mode 100644 index 6bdba77..0000000 --- a/src/windows/leash/Krb4DomainRealmMaintenance.h +++ /dev/null @@ -1,76 +0,0 @@ -// ************************************************************************************** -// File: Krb4DomainRealmMaintenance.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4DomainRealmMaintenance.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_REALMNAMEMAINTENANCE_H__9CA36918_8FC0_11D2_94CC_0000861B8A3C__INCLUDED_) -#define AFX_REALMNAMEMAINTENANCE_H__9CA36918_8FC0_11D2_94CC_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// RealmNameMaintenance.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4DomainRealmMaintenance dialog - -class CKrb4DomainRealmMaintenance : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrb4DomainRealmMaintenance) - CHAR lineBuf[MAXLINE]; - INT m_defectiveLines; - -public: - CKrb4DomainRealmMaintenance(); // standard constructor - virtual ~CKrb4DomainRealmMaintenance(); - -// Dialog Data - //{{AFX_DATA(CKrb4DomainRealmMaintenance) - enum { IDD = IDD_KRB4_DOMAINREALM_MAINT }; - CDragListBox m_realmDomainList; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4DomainRealmMaintenance) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4DomainRealmMaintenance) - virtual BOOL OnInitDialog(); - virtual BOOL OnApply(); - afx_msg void OnButtonRealmHostAdd(); - afx_msg void OnButtonRealmHostRemove(); - afx_msg void OnButtonRealmHostEdit(); - afx_msg void OnSelchangeListDomainrealm(); - afx_msg void OnDblclkListDomainrealm(); - afx_msg void OnButtonHostmaintHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_REALMNAMEMAINTENANCE_H__9CA36918_8FC0_11D2_94CC_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb4EditDomainRealmList.cpp b/src/windows/leash/Krb4EditDomainRealmList.cpp deleted file mode 100644 index e2773bf..0000000 --- a/src/windows/leash/Krb4EditDomainRealmList.cpp +++ /dev/null @@ -1,151 +0,0 @@ -// ************************************************************************************** -// File: Krb4EditDomainRealmList.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4EditDomainRealmList.h. Contains variables and functions -// for Kerberos Four Properites -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4Properties.h" -#include "Krb4EditDomainRealmList.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditDomainRealmList dialog - - -CKrb4EditDomainRealmList::CKrb4EditDomainRealmList(LPSTR editItem, CWnd* pParent) - : CDialog(CKrb4EditDomainRealmList::IDD, pParent) -{ - m_startup = TRUE; - m_editItem = _T(""); - - // Parse the passed in item - LPSTR pEditItem = editItem; - LPSTR findSpace = strchr(editItem, ' '); - if (findSpace) - *findSpace = 0; - else - { -////@#+This hack doesn't seem right -#ifndef NO_KRB4 - - LeashErrorBox("This is a defective entry in file", - CKrb4ConfigFileLocation::m_newKrbrealmFile); -#endif - ASSERT(0); - m_initDomainHost = m_newDomainHost = editItem; - m_initRealm = m_newRealm = _T(""); - return; - } - - m_initDomainHost = m_newDomainHost = editItem; // first token - - pEditItem = strchr(editItem, '\0'); - if (pEditItem) - { - pEditItem++; - findSpace++; - } - else - ASSERT(0); - - findSpace = strchr(pEditItem, ' '); - if (findSpace) - { - *findSpace = 0; - } - - m_initRealm = m_newRealm = pEditItem; // second token - - //{{AFX_DATA_INIT(CKrb4EditDomainRealmList) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - -void CKrb4EditDomainRealmList::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4EditDomainRealmList) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4EditDomainRealmList, CDialog) - //{{AFX_MSG_MAP(CKrb4EditDomainRealmList) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_REALMNAME, OnChangeEditDefaultRealm) - ON_EN_CHANGE(IDC_EDIT_DOMAINHOST, OnChangeEditRealmHostname) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditDomainRealmList message handlers - - -void CKrb4EditDomainRealmList::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -BOOL CKrb4EditDomainRealmList::OnInitDialog() -{ - CDialog::OnInitDialog(); - - SetDlgItemText(IDC_EDIT_REALMNAME, m_newRealm); - SetDlgItemText(IDC_EDIT_DOMAINHOST, m_newDomainHost); - - return TRUE; -} - -void CKrb4EditDomainRealmList::OnChangeEditDefaultRealm() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_REALMNAME, m_newRealm); -} - -void CKrb4EditDomainRealmList::OnChangeEditRealmHostname() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_DOMAINHOST, m_newDomainHost); -} - -void CKrb4EditDomainRealmList::OnOK() -{ - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - m_newDomainHost.TrimLeft(); - m_newDomainHost.TrimRight(); - - if (m_newRealm.IsEmpty() || m_newDomainHost.IsEmpty()) - { // stay - MessageBox("OnOK::Both Domain-Host and Realm fields must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ') || -1 != m_newDomainHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - - else - CDialog::OnOK(); // exit - - m_editItem = m_newDomainHost + " " + m_newRealm; -} diff --git a/src/windows/leash/Krb4EditDomainRealmList.h b/src/windows/leash/Krb4EditDomainRealmList.h deleted file mode 100644 index 9f8a18f..0000000 --- a/src/windows/leash/Krb4EditDomainRealmList.h +++ /dev/null @@ -1,77 +0,0 @@ -// ************************************************************************************** -// File: Krb4EditDomainRealmList.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4EditDomainRealmList.cpp. Contains variables and functions -// for Kerberos Four Properites -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_KRB4EDITDOMAINREALMLIST_H__F4D41684_96A4_11D2_94E2_0000861B8A3C__INCLUDED_) -#define AFX_KRB4EDITDOMAINREALMLIST_H__F4D41684_96A4_11D2_94E2_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// CKrb4EditDomainRealmList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditDomainRealmList dialog - -class CKrb4EditDomainRealmList : public CDialog -{ -// Construction -private: - CString m_editItem; - CString m_initRealm; - CString m_newRealm; - CString m_initDomainHost; - CString m_newDomainHost; - BOOL m_startup; - - -public: - CKrb4EditDomainRealmList(LPSTR editItem, CWnd* pParent = NULL); - CString GetEditedItem() {return m_editItem;} - CString GetRealm() {return m_newRealm;} - CString GetDomainHost() {return m_newDomainHost;} - -// Dialog Data - //{{AFX_DATA(CKrb4EditDomainRealmList) - enum { IDD = IDD_KRB4_EDIT_DOMAINREALMNAME }; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4EditDomainRealmList) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4EditDomainRealmList) - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - virtual BOOL OnInitDialog(); - afx_msg void OnChangeEditDefaultRealm(); - afx_msg void OnChangeEditRealmHostname(); - virtual void OnOK(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRB4EDITDOMAINREALMLIST_H__F4D41684_96A4_11D2_94E2_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb4EditRealmHostList.cpp b/src/windows/leash/Krb4EditRealmHostList.cpp deleted file mode 100644 index 840f626..0000000 --- a/src/windows/leash/Krb4EditRealmHostList.cpp +++ /dev/null @@ -1,193 +0,0 @@ -// ************************************************************************************** -// File: Krb4EditRealmHostList.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4EditRealmHostList.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4Properties.h" -#include "Krb4EditRealmHostList.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditRealmHostList dialog - -CKrb4EditRealmHostList::CKrb4EditRealmHostList(LPSTR editItem, CWnd* pParent) - : CDialog(CKrb4EditRealmHostList::IDD, pParent) -{ - m_startup = TRUE; - m_editItem = _T(""); - -/* - // Parse the passed in item - LPSTR pEditItem = editItem; - LPSTR findSpace = strchr(editItem, ' '); - if (findSpace) - *findSpace = 0; - else - { - LeashErrorBox("This is a defective entry in file", - CKrb4ConfigFileLocation::m_krbFile); - ASSERT(0); - m_initRealm = m_newRealm = editItem; - m_initHost = m_newHost = _T(""); - } - - m_initRealm = m_newRealm = editItem; // first token - - pEditItem = strchr(editItem, '\0'); - if (pEditItem) - { - pEditItem++; - findSpace++; - } - else - ASSERT(0); - - findSpace = strchr(pEditItem, ' '); - if (findSpace) - { - *findSpace = 0; - } - else - { - m_initAdmin = m_newAdmin = FALSE; - m_initHost = m_newHost = pEditItem; // second token - return; - } - - m_initHost = m_newHost = pEditItem; // second token - - findSpace++; - pEditItem = findSpace; - if (pEditItem) - { - if (strstr(pEditItem, "admin server")) - m_initAdmin = m_newAdmin = TRUE; - //else - //; It must be something else??? :( - } - else - ASSERT(0); -*/ - //{{AFX_DATA_INIT(CKrb4EditRealmHostList) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - -void CKrb4EditRealmHostList::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4EditRealmHostList) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4EditRealmHostList, CDialog) - //{{AFX_MSG_MAP(CKrb4EditRealmHostList) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_DEFAULT_REALM, OnChangeEditDefaultRealm) - ON_EN_CHANGE(IDC_EDIT_REALM_HOSTNAME, OnChangeEditRealmHostname) - ON_BN_CLICKED(IDC_RADIO_ADMIN_SERVER, OnRadioAdminServer) - ON_BN_CLICKED(IDC_RADIO_NO_ADMIN_SERVER, OnRadioNoAdminServer) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditRealmHostList message handlers - -BOOL CKrb4EditRealmHostList::OnInitDialog() -{ - CDialog::OnInitDialog(); - - SetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newRealm); - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_newHost); - - if (m_initAdmin) - { // has Admin Server - CheckRadioButton(IDC_RADIO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER, IDC_RADIO_ADMIN_SERVER); - } - else - { // no Admin Server - CheckRadioButton(IDC_RADIO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER); - } - - //GetDlgItem(IDC_EDIT_DEFAULT_REALM)->EnableWindow(); - //GetDlgItem(IDC_EDIT_DEFAULT_REALM)->SetFocus(); - - return TRUE; -} - -void CKrb4EditRealmHostList::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -void CKrb4EditRealmHostList::OnChangeEditDefaultRealm() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newRealm); -} - -void CKrb4EditRealmHostList::OnChangeEditRealmHostname() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_newHost); -} - -void CKrb4EditRealmHostList::OnRadioAdminServer() -{ - m_newAdmin = TRUE; -} - -void CKrb4EditRealmHostList::OnRadioNoAdminServer() -{ - m_newAdmin = FALSE; -} - -void CKrb4EditRealmHostList::OnOK() -{ - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - m_newHost.TrimLeft(); - m_newHost.TrimRight(); - - if (m_newRealm.IsEmpty() || m_newHost.IsEmpty()) - { // stay - MessageBox("OnOK::Both Realm and Host fields must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ') || -1 != m_newHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - - else - CDialog::OnOK(); // exit - - m_editItem = m_newRealm + " " + m_newHost; - - if (m_newAdmin) - { - m_editItem += " "; - m_editItem += ADMIN_SERVER; - } -} diff --git a/src/windows/leash/Krb4EditRealmHostList.h b/src/windows/leash/Krb4EditRealmHostList.h deleted file mode 100644 index 5ed3864..0000000 --- a/src/windows/leash/Krb4EditRealmHostList.h +++ /dev/null @@ -1,79 +0,0 @@ -// ************************************************************************************** -// File: Krb4EditRealmHostList.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4EditRealmHostList.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - - -#if !defined(AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) -#define AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// EditRealmHostList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4EditRealmHostList dialog - -class CKrb4EditRealmHostList : public CDialog -{ -// Construction -private: - CString m_editItem; - CString m_initRealm; - CString m_newRealm; - CString m_initHost; - CString m_newHost; - BOOL m_initAdmin; - BOOL m_newAdmin; - BOOL m_startup; - -public: - CKrb4EditRealmHostList(LPSTR editItem, CWnd* pParent = NULL); - CString GetEditedItem() {return m_editItem;} - CString GetNewRealm() {return m_newRealm;} - -// Dialog Data - //{{AFX_DATA(CKrb4EditRealmHostList) - enum { IDD = IDD_KRB4_EDIT_REALM }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4EditRealmHostList) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4EditRealmHostList) - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnChangeEditDefaultRealm(); - afx_msg void OnChangeEditRealmHostname(); - afx_msg void OnRadioAdminServer(); - afx_msg void OnRadioNoAdminServer(); - virtual void OnOK(); - virtual BOOL OnInitDialog(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb4Properties.cpp b/src/windows/leash/Krb4Properties.cpp deleted file mode 100644 index a26d585..0000000 --- a/src/windows/leash/Krb4Properties.cpp +++ /dev/null @@ -1,390 +0,0 @@ -// ************************************************************************************** -// File: Krb4Properties.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbProperties.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - - -#include "stdafx.h" -#include "Leash.h" -#include "Krb4Properties.h" -#include "LeashFileDialog.h" -#include "LeashMessageBox.h" -#include "wshelper.h" -#include "lglobals.h" -#include -#include -#include "reminder.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -/////////////////////////////////////////////////////////////////////// -// CKrb4ConfigFileLocation property page - -IMPLEMENT_DYNCREATE(CKrb4ConfigFileLocation, CPropertyPage) - -CString CKrb4ConfigFileLocation::m_newKrbFile; -CString CKrb4ConfigFileLocation::m_newKrbrealmFile; - -CKrb4ConfigFileLocation::CKrb4ConfigFileLocation() : CPropertyPage(CKrb4ConfigFileLocation::IDD) -{ - m_newTicketFile = _T(""); - m_newKrbFile = _T(""); - m_newKrbrealmFile = _T(""); - m_initKrbFile = _T(""); - m_initKrbrealmFile = _T(""); - m_initTicketFile = _T(""); - m_noKrbrealmFileStartupWarning = FALSE; - m_noKrbFileStartupWarning = FALSE; - - m_startupPage1 = TRUE; - - //{{AFX_DATA_INIT(CKrb4ConfigFileLocation) - //}}AFX_DATA_INIT -} - -CKrb4ConfigFileLocation::~CKrb4ConfigFileLocation() -{ -} - -BOOL CKrb4ConfigFileLocation::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - - INT krbCreate = 0; - INT krbrealmCreate = 0; - CHAR krb_path[MAX_PATH]; - CHAR krbrealm_path[MAX_PATH]; - CHAR ticketName[MAX_PATH]; - unsigned int krb_path_sz = sizeof(krb_path); - unsigned int krbrealm_path_sz = sizeof(krbrealm_path); - CString strMessage; - - - // Set KRB.CON - memset(krb_path, '\0', sizeof(krb_path)); - if (!pkrb_get_krbconf2(krb_path, &krb_path_sz)) - { // Error has happened - m_noKrbFileStartupWarning = TRUE; - } - else - { // normal find - m_initKrbFile = krb_path; - m_newKrbFile = m_initKrbFile; - SetDlgItemText(IDC_EDIT_KRB_LOC, m_initKrbFile); - } - - // Set KRBREALM.CON - memset(krbrealm_path, '\0', sizeof(krbrealm_path)); - if (!pkrb_get_krbrealm2(krbrealm_path, &krbrealm_path_sz)) - { - // Error has happened - m_noKrbrealmFileStartupWarning = TRUE; - } - else - { - // normal find - m_initKrbrealmFile = krbrealm_path; - m_newKrbrealmFile = m_initKrbrealmFile; - SetDlgItemText(IDC_EDIT_KRBREALM_LOC, m_initKrbrealmFile); - } - - if (pLeash_get_lock_file_locations() || - getenv("KRB4_KRB.REALMS") || getenv("KRB4_KRB.CONF") || getenv("KRB4_CONFIG")) - { - GetDlgItem(IDC_EDIT_KRB_LOC)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_KRBREALM_LOC)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KRB_BROWSE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KRBREALM_BROWSE)->EnableWindow(FALSE); - } - else if ( !(getenv("KRB4_KRB.REALMS") || getenv("KRB4_KRB.CONF") || getenv("KRB4_CONFIG")) ) - { - GetDlgItem(IDC_STATIC_CONFILES)->ShowWindow(FALSE); - } - - - // Set TICKET.KRB file Editbox - *ticketName = NULL; - pkrb_set_tkt_string(0); - - char *pticketName = ptkt_string(); - if (pticketName) - strcpy(ticketName, pticketName); - - if (!*ticketName) - { - LeashErrorBox("OnInitDialog::Can't locate ticket file", TICKET_FILE); - } - else - { - m_initTicketFile = m_newTicketFile = ticketName; - m_ticketEditBox.ReplaceSel(m_initTicketFile); - } - - if (getenv("KRBTKFILE")) - GetDlgItem(IDC_EDIT_TICKET_FILE)->EnableWindow(FALSE); - else - GetDlgItem(IDC_STATIC_TXT)->ShowWindow(FALSE); - - return FALSE; -} - -BOOL CKrb4ConfigFileLocation::OnApply() -{ - // Krb.con - if (0 != m_initKrbFile.CompareNoCase(m_newKrbFile)) - { - // Commit changes - if (SetRegistryVariable("krb.conf", m_newKrbFile, - "Software\\MIT\\Kerberos4")) - { - MessageBox("Failed to set \"Krb.conf\"!", "Error", MB_OK); - } - - m_initKrbFile = m_newKrbFile; - } - - // Krbrealms.con - if (0 != m_initKrbrealmFile.CompareNoCase(m_newKrbrealmFile)) - { - // Commit changes - if (SetRegistryVariable("krb.realms", m_newKrbrealmFile, - "Software\\MIT\\Kerberos4")) - { - MessageBox("Failed to set \"krb.realms\"!", "Error", MB_OK); - } - - m_initKrbrealmFile = m_newKrbrealmFile; - } - - // Ticket file - if (0 != m_initTicketFile.CompareNoCase(m_newTicketFile)) - { - if (getenv("KRBTKFILE")) - { - // Just in case they set (somehow) KRBTKFILE while this box is up - MessageBox("OnApply::Ticket file is set in your System's\ - Environment!\nYou must first remove it.", - "Error", MB_OK); - - return TRUE; - } - - // Commit changes - if (SetRegistryVariable("ticketfile", m_newTicketFile, - "Software\\MIT\\Kerberos4")) - { - MessageBox("Failed to set \"ticketfile\"!", "Error", MB_OK); - } - - m_initTicketFile = m_newTicketFile; - } - - return TRUE; -} - -VOID CKrb4ConfigFileLocation::OnOK() -{ - CPropertyPage::OnOK(); -} - -VOID CKrb4ConfigFileLocation::DoDataExchange(CDataExchange* pDX) -{ - TRACE("Entering CKrb4ConfigFileLocation::DoDataExchange -- %d\n", - pDX->m_bSaveAndValidate); - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4ConfigFileLocation) - DDX_Control(pDX, IDC_EDIT_TICKET_FILE, m_ticketEditBox); - //}}AFX_DATA_MAP -} - - -VOID CKrb4ConfigFileLocation::OnButtonKrbBrowse() -{ - CString msg; - msg.Format("Select %s Location", KRB_FILE); - - CString krb_path = "*.*"; - CLeashFileDialog dlgFile(TRUE, NULL, krb_path, "Kerbereos Four Config. File (.con)"); - dlgFile.m_ofn.lpstrTitle = msg; - - if (IDOK == dlgFile.DoModal()) - { - //m_newKrbFile = dlgFile.GetSelectedFileName(); - m_newKrbFile= dlgFile.GetPathName(); - SetDlgItemText(IDC_EDIT_KRB_LOC, m_newKrbFile); - SetModified(TRUE); - } -} - -VOID CKrb4ConfigFileLocation::OnButtonKrbrealmBrowse() -{ - CString msg; - msg.Format("Select %s Location", KRBREALM_FILE); - - CString krbrealm_path = "*.*"; - CLeashFileDialog dlgFile(TRUE, NULL, krbrealm_path, "Kerbereos Four Config. File (.con)"); - dlgFile.m_ofn.lpstrTitle = msg; - - if (IDOK == dlgFile.DoModal()) - { - //m_krbrealmFile = dlgFile.GetSelectedFileName(); - m_newKrbrealmFile = dlgFile.GetPathName(); - SetDlgItemText(IDC_EDIT_KRB_KRBREALM_LOC, m_newKrbrealmFile); - SetModified(TRUE); - } -} - -/* -VOID CKrb4ConfigFileLocation::OnButtonTicketfileBrowse() -{ - CString ticketPath = *.*"; - CLeashFileDialog dlgFile(TRUE, NULL, ticketPath, "Kerberos Four Ticket File (.con)"); - CString msg; - msg.Format("Select Location/Ticket File (Default file = %s)", TICKET_FILE); - dlgFile.m_ofn.lpstrTitle = msg; - while (TRUE) - { - if (IDOK == dlgFile.DoModal()) - { - m_newTicketFile = dlgFile.GetPathName(); - SetDlgItemText(IDC_EDIT_TICKET_FILE, m_newTicketFile); - SetModified(TRUE); - break; - } - else - break; - } -} -*/ - -void CKrb4ConfigFileLocation::OnChangeEditKrbLoc() -{ - if (!m_startupPage1) - { - GetDlgItemText(IDC_EDIT_KRB_LOC, m_newKrbFile); - SetModified(TRUE); - } -} - -void CKrb4ConfigFileLocation::OnChangeEditKrbrealmLoc() -{ - if (!m_startupPage1) - { - GetDlgItemText(IDC_EDIT_KRBREALM_LOC, m_newKrbrealmFile); - SetModified(TRUE); - } -} - -void CKrb4ConfigFileLocation::OnChangeEditTicketFile() -{ - if (!m_startupPage1) - { - GetDlgItemText(IDC_EDIT_TICKET_FILE, m_newTicketFile); - SetModified(TRUE); - } -} - -VOID CKrb4ConfigFileLocation::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CPropertyPage::OnShowWindow(bShow, nStatus); -} - -VOID CKrb4ConfigFileLocation::OnCancel() -{ - CPropertyPage::OnCancel(); -} - -void CKrb4ConfigFileLocation::OnHelp() -{ -#ifdef CALL_HTMLHELP - AfxGetApp()->HtmlHelp(HID_KRB4_PROPERTIES_COMMAND); -#else - AfxGetApp()->WinHelp(HID_KRB4_PROPERTIES_COMMAND); -#endif -} - -BOOL CKrb4ConfigFileLocation::PreTranslateMessage(MSG* pMsg) -{ - // TODO: Add your specialized code here and/or call the base class - CString wmsg; - if (m_startupPage1) - { - if (m_noKrbFileStartupWarning) - { - wmsg.Format("OnInitDialog::Can't locate configuration file: %s.", - KRB_FILE); - MessageBox(wmsg, "Leash", MB_OK); - m_noKrbFileStartupWarning = FALSE; - } - - if (m_noKrbrealmFileStartupWarning) - { - wmsg.Format("OnInitDialog::Can't locate configuration file: %s.", - KRBREALM_FILE); - MessageBox(wmsg, "Leash", MB_OK); - m_noKrbrealmFileStartupWarning = FALSE; - } - } - - m_startupPage1 = FALSE; - return CPropertyPage::PreTranslateMessage(pMsg); -} - - -BEGIN_MESSAGE_MAP(CKrb4ConfigFileLocation, CPropertyPage) - //{{AFX_MSG_MAP(CKrb4ConfigFileLocation) - ON_BN_CLICKED(IDC_BUTTON_KRB_BROWSE, OnButtonKrbBrowse) - ON_BN_CLICKED(IDC_BUTTON_KRBREALM_BROWSE, OnButtonKrbrealmBrowse) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_TICKET_FILE, OnChangeEditTicketFile) - ON_COMMAND(ID_HELP, OnHelp) - ON_EN_CHANGE(IDC_EDIT_KRB_LOC, OnChangeEditKrbLoc) - ON_EN_CHANGE(IDC_EDIT_KRBREALM_LOC, OnChangeEditKrbrealmLoc) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - - -/////////////////////////////////////////////////////////////////////// -// CKrb4Properties - -IMPLEMENT_DYNAMIC(CKrb4Properties, CPropertySheet) -CKrb4Properties::CKrb4Properties(UINT nIDCaption, CWnd* pParentWnd, - UINT iSelectPage) -:CPropertySheet(nIDCaption, pParentWnd, iSelectPage) -{ -} - -CKrb4Properties::CKrb4Properties(LPCTSTR pszCaption, CWnd* pParentWnd, - UINT iSelectPage) -:CPropertySheet(pszCaption, pParentWnd, iSelectPage) -{ - AddPage(&m_fileLocation); -} - -CKrb4Properties::~CKrb4Properties() -{ -} - - -BEGIN_MESSAGE_MAP(CKrb4Properties, CPropertySheet) - //{{AFX_MSG_MAP(CKrb4Properties) - // NOTE - the ClassWizard will add and remove mapping macros here. - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -/////////////////////////////////////////////////////////////////////// -// CKrb4Properties message handlers diff --git a/src/windows/leash/Krb4Properties.h b/src/windows/leash/Krb4Properties.h deleted file mode 100644 index 016badc..0000000 --- a/src/windows/leash/Krb4Properties.h +++ /dev/null @@ -1,138 +0,0 @@ -// ************************************************************************************** -// File: Krb4Properties.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbProperties.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) -#define AFX_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_ - -#if _MSC_VER >= 1000 -#pragma once -#endif // _MSC_VER >= 1000 -// Krb4Properties.h : header file -// - -#include "Resource.h" -//#include "Krb4RealmHostMaintenance.h" -//#include "Krb4DomainRealmMaintenance.h" - -/////////////////////////////////////////////////////////////////////// -// CKrb4ConfigFileLocation dialog - -class CKrb4ConfigFileLocation : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrb4ConfigFileLocation) - CString m_ticketFile; - CString m_newTicketFile; - static CString m_newKrbFile; - static CString m_newKrbrealmFile; // static for the CKrb4EditDomainRealmList class - CString m_initKrbFile; - CString m_initKrbrealmFile; - CString m_initTicketFile; - - BOOL m_noKrbFileStartupWarning; - BOOL m_noKrbrealmFileStartupWarning; - BOOL m_startupPage1; - -public: - CKrb4ConfigFileLocation(); - ~CKrb4ConfigFileLocation(); - -// Dialog Data - //{{AFX_DATA(CKrb4ConfigFileLocation) - enum { IDD = IDD_KRB4_PROP_LOCATION }; - CEdit m_ticketEditBox; - //}}AFX_DATA - - -// Overrides - // ClassWizard generate virtual function overrides - //{{AFX_VIRTUAL(CKrb4ConfigFileLocation) - public: - virtual VOID OnCancel(); - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual VOID DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - virtual VOID OnOK(); - virtual BOOL OnApply(); - -// Implementation -protected: - // Generated message map functions - //{{AFX_MSG(CKrb4ConfigFileLocation) - virtual BOOL OnInitDialog(); - afx_msg VOID OnButtonKrbBrowse(); - afx_msg VOID OnButtonKrbrealmBrowse(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnChangeEditTicketFile(); - afx_msg void OnHelp(); - afx_msg void OnChangeEditKrbLoc(); - afx_msg void OnChangeEditKrbrealmLoc(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() - -}; - - -////////////////////////////////////////////////////////////////////// -// CKrb4Properties - -class CKrb4Properties : public CPropertySheet -{ -private: - DECLARE_DYNAMIC(CKrb4Properties) - -public: - CKrb4ConfigFileLocation m_fileLocation; - - static BOOL applyButtonEnabled; - -// Construction -public: - CKrb4Properties(UINT nIDCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - CKrb4Properties(LPCTSTR pszCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - -// Attributes -public: - -// Operations -public: - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4Properties) - //}}AFX_VIRTUAL - -// Implementation -public: - virtual ~CKrb4Properties(); - - // Generated message map functions -protected: - //{{AFX_MSG(CKrb4Properties) - // NOTE - the ClassWizard will add and remove member functions here. - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -///////////////////////////////////////////////////////////////////////////// -//{{AFX_INSERT_LOCATION}} -// Microsoft Developer Studio will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) diff --git a/src/windows/leash/Krb4RealmHostMaintenance.cpp b/src/windows/leash/Krb4RealmHostMaintenance.cpp deleted file mode 100644 index 7e8ad4f..0000000 --- a/src/windows/leash/Krb4RealmHostMaintenance.cpp +++ /dev/null @@ -1,373 +0,0 @@ -// ************************************************************************************** -// File: Krb4RealmHostMaintenance.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for Krb4RealmHostMaintenance.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "KrbProperties.h" -#include "Krb4Properties.h" -#include "Krb4AddToRealmHostList.h" -#include "Krb4RealmHostMaintenance.h" -#include "Krb4EditRealmHostList.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrb4RealmHostMaintenance dialog - - -IMPLEMENT_DYNCREATE(CKrb4RealmHostMaintenance, CPropertyPage) - -CKrb4RealmHostMaintenance::CKrb4RealmHostMaintenance() : CPropertyPage(CKrb4RealmHostMaintenance::IDD) -{ - m_defectiveLines = 0; - m_initDnsKdcLookup = m_newDnsKdcLookup = 0; -} - -CKrb4RealmHostMaintenance::~CKrb4RealmHostMaintenance() -{ -} - -void CKrb4RealmHostMaintenance::DoDataExchange(CDataExchange* pDX) -{ - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb4RealmHostMaintenance) - DDX_Control(pDX, IDC_LIST_KRB4_REALM_HOST, m_RealmHostList); - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb4RealmHostMaintenance, CPropertyPage) - //{{AFX_MSG_MAP(CKrb4RealmHostMaintenance) - ON_BN_CLICKED(IDC_BUTTON_KRB4_REALM_HOST_ADD, OnButtonRealmHostAdd) - ON_BN_CLICKED(IDC_BUTTON_KRB4_REALM_HOST_EDIT, OnButtonRealmHostEdit) - ON_BN_CLICKED(ID_BUTTON_KRB4_REALM_HOST_REMOVE, OnButtonRealmHostRemove) - ON_LBN_SELCHANGE(IDC_LIST_KRB4_REALM_HOST, OnSelchangeListRemoveHost) - ON_LBN_DBLCLK(IDC_LIST_KRB4_REALM_HOST, OnDblclkListRemoveHost) - ON_BN_CLICKED(IDC_BUTTON_REALMHOST_MAINT_HELP2, OnButtonRealmhostMaintHelp2) - ON_BN_CLICKED(IDC_KRB4_DNS_KDC, OnCheckDnsKdcLookup) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrb4RealmHostMaintenance message handlers - -BOOL CKrb4RealmHostMaintenance::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeReadWrite)) - { // can't find file, so lets set some defaults - - m_RealmHostList.AddString(KRB_REALM " " KRB_MASTER); - } - else - { - memset(lineBuf, '\0', sizeof(lineBuf)); - krbCon.ReadString(lineBuf, sizeof(lineBuf)); - while (TRUE) - { - if (!krbCon.ReadString(lineBuf, sizeof(lineBuf))) - break; - - *(lineBuf + strlen(lineBuf) - 1) = 0; - - if (!strchr(lineBuf, ' ') && !strchr(lineBuf, '\t')) - { // found a defective line - m_defectiveLines++; - } - - if ( !strncmp(".KERBEROS.OPTION.",lineBuf,17) ) { - char * p = &lineBuf[17]; - while (isspace(*p)) - p++; - if (!strcmp("dns",p)) - m_initDnsKdcLookup = m_newDnsKdcLookup = 1; - } else { - if (LB_ERR == m_RealmHostList.AddString(lineBuf)) - { - LeashErrorBox("OnInitDialog::Can't read Configuration File", - CKrbProperties::m_krbPath); - krbCon.Close(); - return FALSE; - } - } - } - - krbCon.Close(); - } - - m_RealmHostList.SetCurSel(0); - - if (!m_RealmHostList.GetCount()) - { - GetDlgItem(ID_BUTTON_KRB4_REALM_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KRB4_REALM_HOST_EDIT)->EnableWindow(FALSE); - } - - return TRUE; -} - -BOOL CKrb4RealmHostMaintenance::OnApply() -{ - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeCreate | - CFile::modeNoTruncate | - CFile::modeReadWrite)) - { - LeashErrorBox("OnApply::Can't open Configuration File", - CKrbProperties::m_krbPath); - return TRUE; - } - - memset(lineBuf, '\0', sizeof(lineBuf)); - if (!krbCon.ReadString(lineBuf, sizeof(lineBuf))) - { -//-----ADL----///strcpy(lineBuf, CKrb4ConfigOptions::m_newDefaultRealm); - strcat(lineBuf, "\n"); - } - - krbCon.SetLength(0); - krbCon.WriteString(lineBuf); - for (INT maxItems = m_RealmHostList.GetCount(), item = 0; item < maxItems; item++) - { - memset(lineBuf, '\0', sizeof(lineBuf)); - if (!m_RealmHostList.GetText(item, lineBuf)) - break; - - krbCon.WriteString(lineBuf); - krbCon.WriteString("\n"); - } - - if ( m_newDnsKdcLookup ) - krbCon.WriteString(".KERBEROS.OPTION. dns\n"); - - krbCon.Close(); - return TRUE; -} - -void CKrb4RealmHostMaintenance::OnOK() -{ - CPropertyPage::OnOK(); -} - -void CKrb4RealmHostMaintenance::OnCancel() -{ - CPropertyPage::OnCancel(); -} - -void CKrb4RealmHostMaintenance::OnCheckDnsKdcLookup() -{ - m_newDnsKdcLookup = (BOOL)IsDlgButtonChecked(IDC_KRB4_DNS_KDC); - SetModified(TRUE); -} - -void CKrb4RealmHostMaintenance::ResetDefaultRealmComboBox() -{ // krb4 is loaded without krb5 - CHAR lineBuf[REALM_SZ + MAX_HSTNM + 20]; - - int maxItems = m_RealmHostList.GetCount(); - - CKrbConfigOptions::m_krbRealmEditbox.ResetContent(); - - for (int xItems = 0; xItems < maxItems; xItems++) - { - m_RealmHostList.GetText(xItems, lineBuf); - - LPSTR space = strchr(lineBuf, ' '); - if (space) - *space = 0; - else - ASSERT(0); - - if (CB_ERR == CKrbConfigOptions::m_krbRealmEditbox.FindStringExact(-1, lineBuf)) - { // no dups - if (LB_ERR == CKrbConfigOptions::m_krbRealmEditbox.AddString(lineBuf)) - { - MessageBox("OnInitDialog::Can't add to Kerberos Realm Combobox", - "Leash", MB_OK); - return; - } - } - } - - CHAR krbhst[MAX_HSTNM + 1]; - CHAR krbrlm[REALM_SZ + 1]; - - strcpy(krbrlm, CKrbConfigOptions::m_newDefaultRealm); - memset(krbhst, '\0', sizeof(krbhst)); - - // Check for Host - // don't use KRB4 - krb_get_krbhst - would have to re-logon, on file location - // change, to use this function - extern int krb_get_krbhst(char* h, char* r, int n); - if (KFAILURE == krb_get_krbhst(krbhst, krbrlm, 1)) - { - MessageBox("We can't find the Host Server for your Default Realm!!!", - "Leash", MB_OK); - return; - } - - CKrbConfigOptions::m_hostServer = krbhst; -} - -void CKrb4RealmHostMaintenance::OnButtonRealmHostAdd() -{ - CKrb4AddToRealmHostList addToRealmHostList; - - if (IDOK == addToRealmHostList.DoModal()) - { - if (addToRealmHostList.GetNewRealm().IsEmpty()) - ASSERT(0); - - CString newLine; - newLine = addToRealmHostList.GetNewRealm() + " " + addToRealmHostList.GetNewHost(); - - if (addToRealmHostList.GetNewAdmin()) - newLine += " admin server"; - - // We don't want duplicate items in Listbox - if (LB_ERR != m_RealmHostList.FindStringExact(-1, newLine)) - { // found duplicate item in Listbox - LeashErrorBox("OnButtonRealmHostAdd::Found a Duplicate Item!\nCan't add to List", - newLine); - return; - } - - - m_RealmHostList.InsertString(0, newLine); - m_RealmHostList.SetCurSel(0); - SetModified(TRUE); - - ResetDefaultRealmComboBox(); - - if (1 == m_RealmHostList.GetCount()) - { - GetDlgItem(ID_BUTTON_KRB4_REALM_HOST_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_KRB4_REALM_HOST_EDIT)->EnableWindow(); - } - } -} - -void CKrb4RealmHostMaintenance::OnButtonRealmHostEdit() -{ - INT selItemIndex = m_RealmHostList.GetCurSel(); - LPSTR pSelItem = new char[m_RealmHostList.GetTextLen(selItemIndex) + 1]; - if (!pSelItem) - ASSERT(0); - - CString selItem; - m_RealmHostList.GetText(selItemIndex, selItem); - strcpy(pSelItem, selItem); - - CKrb4EditRealmHostList editRealmHostList(pSelItem); - delete [] pSelItem; - - if (IDOK == editRealmHostList.DoModal()) - { - CString editedItem = editRealmHostList.GetEditedItem(); - if (0 != selItem.CompareNoCase(editedItem) && - LB_ERR != m_RealmHostList.FindStringExact(-1, editedItem)) - { - LeashErrorBox("OnButtonRealmHostEdit::Found a Duplicate!\nCan't add to List", - editedItem); - - return; - } - - m_RealmHostList.DeleteString(selItemIndex); - m_RealmHostList.InsertString(selItemIndex, editRealmHostList.GetEditedItem()); - m_RealmHostList.SetCurSel(selItemIndex); - SetModified(TRUE); - - ResetDefaultRealmComboBox(); - } -} - -void CKrb4RealmHostMaintenance::OnButtonRealmHostRemove() -{ - if (IDYES != AfxMessageBox("You are about to remove an item from the list!\n\nContinue?", - MB_YESNO)) - return; - - INT curSel = m_RealmHostList.GetCurSel(); - m_RealmHostList.DeleteString(curSel); // Single Sel Listbox - - if (-1 == m_RealmHostList.SetCurSel(curSel)) - m_RealmHostList.SetCurSel(curSel - 1); - - SetModified(TRUE); - - ResetDefaultRealmComboBox(); - - if (!m_RealmHostList.GetCount()) - { - GetDlgItem(ID_BUTTON_KRB4_REALM_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KRB4_REALM_HOST_EDIT)->EnableWindow(FALSE); - } - - /* For Mult. Sel Listbox - const LONG MAX_SEL_BUF = m_RealmHostList.GetSelCount(); - LPINT selectBuf = new INT[MAX_SEL_BUF]; - - for (INT maxSelected = m_RealmHostList.GetSelItems(MAX_SEL_BUF, selectBuf), del=0, sel=0; - sel < maxSelected; sel++) - { - if (LB_ERR == m_RealmHostList.DeleteString(*(selectBuf + sel) - del)) - MessageBox("Help", "Error", MB_OK); - else - del++; - } - - delete selectBuf; - */ -} - -void CKrb4RealmHostMaintenance::OnSelchangeListRemoveHost() -{ - //SetModified(TRUE); -} - - -void CKrb4RealmHostMaintenance::OnDblclkListRemoveHost() -{ - OnButtonRealmHostEdit(); -} - -BOOL CKrb4RealmHostMaintenance::PreTranslateMessage(MSG* pMsg) -{ - if (m_defectiveLines) - { - if (m_defectiveLines == 1) - LeashErrorBox("Found a defective entry in file", - CKrbProperties::m_krbPath, "Warning"); - else if (m_defectiveLines > 1) - LeashErrorBox("Found more then one defective entry in file", - CKrbProperties::m_krbPath, "Warning"); - } - - m_defectiveLines = 0; - return CPropertyPage::PreTranslateMessage(pMsg); -} - -void CKrb4RealmHostMaintenance::OnButtonRealmhostMaintHelp2() -{ - MessageBox("No Help Available!", "Note", MB_OK); -} diff --git a/src/windows/leash/Krb4RealmHostMaintenance.h b/src/windows/leash/Krb4RealmHostMaintenance.h deleted file mode 100644 index 26881c6..0000000 --- a/src/windows/leash/Krb4RealmHostMaintenance.h +++ /dev/null @@ -1,86 +0,0 @@ -// ************************************************************************************** -// File: Krb4RealmHostMaintenance.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4RealmHostMaintenance.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_REAMLHOSTMAINT_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_) -#define AFX_REAMLHOSTMAINT_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// RemoveHostNameList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb4RealmHostMaintenance dialog - -#define MAXLINE 256 - -class CKrb4RealmHostMaintenance : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrb4RealmHostMaintenance) - CHAR lineBuf[MAXLINE]; - INT m_defectiveLines; - BOOL m_initDnsKdcLookup; - BOOL m_newDnsKdcLookup; - - void ResetDefaultRealmComboBox(); - -public: - //CKrb4RealmHostMaintenance(CWnd* pParent = NULL); // standard constructor - CKrb4RealmHostMaintenance(); - virtual ~CKrb4RealmHostMaintenance(); - -// Dialog Data - //{{AFX_DATA(CKrb4RealmHostMaintenance) - enum { IDD = IDD_KRB4_REALMHOST_MAINT2 }; - CDragListBox m_RealmHostList; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb4RealmHostMaintenance) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb4RealmHostMaintenance) - virtual BOOL OnInitDialog(); - virtual BOOL OnApply(); - virtual void OnOK(); - virtual void OnCancel(); - afx_msg void OnButtonRealmHostAdd(); - afx_msg void OnButtonRealmHostEdit(); - afx_msg void OnButtonRealmHostRemove(); - afx_msg void OnSelchangeListRemoveHost(); - afx_msg void OnDblclkListRemoveHost(); - afx_msg void OnButtonRealmhostMaintHelp2(); - afx_msg void OnCheckDnsKdcLookup(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_REAMLHOSTMAINT_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Krb5Properties.cpp b/src/windows/leash/Krb5Properties.cpp deleted file mode 100644 index c4ffef2..0000000 --- a/src/windows/leash/Krb5Properties.cpp +++ /dev/null @@ -1,644 +0,0 @@ -//**************************************************************************** -// File: Krb5Properties.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright: 1998 Massachusetts Institute of Technology - All rights -// reserved. -// Description: CPP file for Krb5Properties.h. Contains variables and functions -// for Kerberos Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -//***************************************************************************** - -#include "stdafx.h" -#include "leash.h" -#include "LeashFileDialog.h" -#include "Krb5Properties.h" -#include "win-mac.h" -#include "lglobals.h" -#include "LeashView.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - - -///////////////////////////////////////////////////////////////////////////// -// CKrb5ConfigFileLocation dialog - -IMPLEMENT_DYNCREATE(CKrb5ConfigFileLocation, CPropertyPage) - -CKrb5ConfigFileLocation::CKrb5ConfigFileLocation() - : CPropertyPage(CKrb5ConfigFileLocation::IDD) -{ - m_initConfigFile = _T(""); - m_initTicketFile = _T(""); - m_newConfigFile = _T(""); - m_newTicketFile = _T(""); - m_startupPage1 = TRUE; - - //{{AFX_DATA_INIT(CKrb5ConfigFileLocation) - //}}AFX_DATA_INIT -} - -void CKrb5ConfigFileLocation::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrb5ConfigFileLocation) - DDX_Control(pDX, IDC_EDIT_KRB5_TXT_FILE, m_ticketEditBox); - //}}AFX_DATA_MAP -} - -BEGIN_MESSAGE_MAP(CKrb5ConfigFileLocation, CDialog) - //{{AFX_MSG_MAP(CKrb5ConfigFileLocation) - ON_BN_CLICKED(IDC_BUTTON_KRB5INI_BROWSE, OnButtonKrb5iniBrowse) - ON_BN_CLICKED(IDC_BUTTON_KRB5_TICKETFILE_BROWSE, OnButtonKrb5TicketfileBrowse) - ON_EN_CHANGE(IDC_EDIT_KRB5_TXT_FILE, OnChangeEditKrb5TxtFile) - ON_EN_CHANGE(IDC_EDIT_KRB5INI_LOCATION, OnChangeEditKrb5iniLocation) - ON_WM_SHOWWINDOW() - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - - -BOOL CKrb5ConfigFileLocation::OnApply() -{ - BOOL tooManySlashes = FALSE; - BOOL foundError = FALSE; - - if( getenv("RENEW_TILL") != NULL) - { - MessageBox("The ticket renewable time is being controlled by the environment" - "variable RENEW_TILL instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - if( getenv("RENEWABLE") != NULL) - { - MessageBox("Ticket renewability is being controlled by the environment" - "variable RENEWABLE instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - if( getenv("FORWARDABLE") != NULL) - { - MessageBox("Ticket forwarding is being controlled by the environment" - "variable FORWARDABLE instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - if( getenv("PROXIABLE") != NULL) - { - MessageBox("Ticket proxying is being controlled by the environment" - "variable PROXIABLE instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - if( getenv("NOADDRESSES") != NULL) - { - MessageBox("Addressless tickets are being controlled by the environment" - "variable NOADDRESSES instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - - // KRB5.INI file - if (!CLeashApp::m_krbv5_profile || - 0 != m_newConfigFile.CompareNoCase(m_initConfigFile)) - { // Different path for Krb5.ini - - if (IsDlgButtonChecked(IDC_CHECK_CONFIRM_KRB5_EXISTS)) - { - // Check for extra slashes at end of path - LPSTR pSlash = strrchr(m_newConfigFile.GetBuffer(0), '\\'); - if (pSlash && *(pSlash - 1) == '\\') - { // don't commit changes - tooManySlashes = TRUE; - } - else if (pSlash && *(pSlash + 1) == '\0') - { // commit changes, but take out slash at the end of path - *pSlash = 0; - } - - m_newConfigFile.ReleaseBuffer(-1); - - // Check for invalid path - Directory directory(m_newConfigFile); - if (tooManySlashes || !directory.IsValidFile()) - { // don't commit changes - foundError = TRUE; - - if (tooManySlashes) - LeashErrorBox("OnApply::Too Many Slashes At End of " - "Selected Directory", - m_newConfigFile); - else - LeashErrorBox("OnApply::Selected file doesn't exist", - m_newConfigFile); - - SetDlgItemText(IDC_EDIT_KRB5INI_LOCATION, m_initConfigFile); - } - else - { - // more error checking - CHAR confname[MAX_PATH]; - - const char *filenames[2]; - filenames[0] = m_newConfigFile; - filenames[1] = NULL; - - const char* rootSection[] = {"realms", NULL}; - const char** rootsec = rootSection; - char **sections = NULL; - - long retval = pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - if (!retval) - retval = pprofile_get_subsection_names(CLeashApp::m_krbv5_profile, - rootsec, §ions - ); - if (retval || !*sections ) - { - foundError = TRUE; - MessageBox("Your file selection is either corrupt or not a Kerberos Five Config. file", - "Leash", MB_OK); - - pprofile_free_list(sections); - - // Restore old 'valid' config. file - if (CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - foundError = TRUE; - MessageBox("Can't locate Kerberos Five Config. file!", - "Error", MB_OK); - return TRUE; - } - - filenames[0] = confname; - filenames[1] = NULL; - - retval = pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - if (!retval) - retval = pprofile_get_subsection_names(CLeashApp::m_krbv5_profile, - rootsec, §ions); - if (retval || !*sections) - { - foundError = TRUE; - MessageBox("OnApply::There is a problem with your " - "Kerberos Five Config. file!\n" - "Contact your Administrator.", - "Leash", MB_OK); - } - - pprofile_free_list(sections); - SetDlgItemText(IDC_EDIT_KRB5INI_LOCATION, m_initConfigFile); - - pprofile_release(CLeashApp::m_krbv5_profile); - return TRUE; - } - - pprofile_free_list(sections); - } - } - - // Commit changes - if (!foundError) - { - if (SetRegistryVariable("config", m_newConfigFile, - "Software\\MIT\\Kerberos5")) - { - MessageBox("Failed to set \"Krb.conf\"!", "Error", MB_OK); - } - - m_initConfigFile = m_newConfigFile; - SetModified(TRUE); - } - } - - // Credential cache (ticket) file - // Ticket file - if (0 != m_initTicketFile.CompareNoCase(m_newTicketFile)) - { - if (getenv("KRB5_ENV_CCNAME")) - { - // Just in case they set (somehow) KRB5_ENV_CCNAME while this box is up - MessageBox("OnApply::Ticket file is set in your System's" - "Environment!\nYou must first remove it.", - "Error", MB_OK); - - return TRUE; - } - - // Commit changes - if (SetRegistryVariable("ccname", m_newTicketFile, - "Software\\MIT\\Kerberos5")) - { - MessageBox("Failed to set \"ccname\"!", "Error", MB_OK); - } - if ( CLeashApp::m_krbv5_context ) - pkrb5_cc_set_default_name(CLeashApp::m_krbv5_context,m_newTicketFile); - - m_initTicketFile = m_newTicketFile; - } - - return TRUE; -} - - -BOOL CKrb5ConfigFileLocation::OnInitDialog() -{ - CDialog::OnInitDialog(); - - CHAR confname[MAX_PATH]; - CHAR ticketName[MAX_PATH]; - - CheckDlgButton(IDC_CHECK_CONFIRM_KRB5_EXISTS, TRUE); - - // Config. file (Krb5.ini) - if (CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - MessageBox("Can't locate Kerberos Five config. file!", "Error", MB_OK); - return TRUE; - } - - m_initConfigFile = m_newConfigFile = confname; - SetDlgItemText(IDC_EDIT_KRB5INI_LOCATION, m_initConfigFile); - - if (pLeash_get_lock_file_locations() || getenv("KRB5_CONFIG")) - { - GetDlgItem(IDC_EDIT_KRB5INI_LOCATION)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KRB5INI_BROWSE)->EnableWindow(FALSE); - GetDlgItem(IDC_CHECK_CONFIRM_KRB5_EXISTS)->EnableWindow(FALSE); - } - else if ( !(getenv("KRB5_CONFIG")) ) - { - GetDlgItem(IDC_STATIC_INIFILES)->ShowWindow(FALSE); - } - - - // Set TICKET.KRB file Editbox - *ticketName = NULL; - if (CLeashApp::m_krbv5_context) - { - const char *pticketName = pkrb5_cc_default_name(CLeashApp::m_krbv5_context); - - if (pticketName) - strcpy(ticketName, pticketName); - } - - if (!*ticketName) - { - MessageBox("OnInitDialog::Can't locate Kerberos Five ticket file!", - "Error", MB_OK); - return TRUE; - } - else - { - m_initTicketFile = m_newTicketFile = ticketName; - SetDlgItemText(IDC_EDIT_KRB5_TXT_FILE, m_initTicketFile); - } - - if (getenv("KRB5CCNAME")) - GetDlgItem(IDC_EDIT_KRB5_TXT_FILE)->EnableWindow(FALSE); - else - GetDlgItem(IDC_STATIC_TICKETFILE)->ShowWindow(FALSE); - - return TRUE; -} - -void CKrb5ConfigFileLocation::OnButtonKrb5iniBrowse() -{ - CLeashFileDialog dlgFile(TRUE, NULL, "*.*", - "Kerbereos Five Config. File (.ini)"); - dlgFile.m_ofn.lpstrTitle = "Select the Kerberos Five Config. File"; - while (TRUE) - { - if (IDOK == dlgFile.DoModal()) - { - m_newConfigFile = dlgFile.GetPathName(); - SetDlgItemText(IDC_EDIT_KRB5INI_LOCATION, m_newConfigFile); - break; - } - else - break; - } -} - -void CKrb5ConfigFileLocation::OnButtonKrb5TicketfileBrowse() -{ - CString ticket_path = "*.*"; - CLeashFileDialog dlgFile(TRUE, NULL, ticket_path, - "Kerbereos Five Ticket File (Krb5cc)"); - dlgFile.m_ofn.lpstrTitle = "Select Credential Cache (Ticket) File"; - - if (IDOK == dlgFile.DoModal()) - { - m_newTicketFile = dlgFile.GetPathName(); - SetDlgItemText(IDC_EDIT_KRB5_TXT_FILE, m_newTicketFile); - } -} - -void CKrb5ConfigFileLocation::OnChangeEditKrb5iniLocation() -{ - if (!m_startupPage1) - { - GetDlgItemText(IDC_EDIT_KRB5INI_LOCATION, m_newConfigFile); - SetModified(TRUE); - } -} - -void CKrb5ConfigFileLocation::OnChangeEditKrb5TxtFile() -{ - if (!m_startupPage1) - { - GetDlgItemText(IDC_EDIT_KRB5_TXT_FILE, m_newTicketFile); - SetModified(TRUE); - } -} - -void CKrb5ConfigFileLocation::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startupPage1 = FALSE; -} - - -///////////////////////////////////////////////////////////////////////////// -// CKrb5ConfigOptions dialog - -IMPLEMENT_DYNCREATE(CKrb5ConfigOptions, CPropertyPage) - -CKrb5ConfigOptions::CKrb5ConfigOptions() - : CPropertyPage(CKrb5ConfigOptions::IDD) -{ - m_initForwardable = 0; - m_newForwardable = 0; - m_initProxiable = 0; - m_newProxiable = 0; - m_initRenewable = 0; - m_newRenewable = 0; - m_initNoAddress = 0; - m_newNoAddress = 0; - m_initIPAddress = 0; -#ifdef SET_PUBLIC_IP - m_newIPAddress = 0; -#endif /* SET_PUBLIC_IP */ - - //{{AFX_DATA_INIT(CKrb5ConfigOptions) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrb5ConfigOptions::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - - //{{AFX_DATA_MAP(CKrb5ConfigOptions) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrb5ConfigOptions, CDialog) - //{{AFX_MSG_MAP(CKrb5ConfigOptions) - ON_BN_CLICKED(IDC_CHECK_FORWARDABLE, OnCheckForwardable) - ON_BN_CLICKED(IDC_CHECK_PROXIABLE, OnCheckProxiable) - ON_BN_CLICKED(IDC_CHECK_RENEWABLE, OnCheckRenewable) - ON_BN_CLICKED(IDC_CHECK_NO_ADDRESS, OnCheckNoAddress) - ON_WM_HELPINFO() - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - - -BOOL CKrb5ConfigOptions::OnApply() -{ -#ifdef SET_PUBLIC_IP - SendDlgItemMessage( IDC_IPADDRESS_PUBLIC, - IPM_GETADDRESS, - 0, - (LPARAM)(LPDWORD)&m_newIPAddress - ); -#endif /* SET_PUBLIC_IP */ - - if ((m_initForwardable == m_newForwardable) && - (m_initProxiable == m_newProxiable) && - (m_initRenewable == m_newRenewable) && - (m_initNoAddress == m_newNoAddress) -#ifdef SET_PUBLIC_IP - && (m_initIPAddress == m_newIPAddress) -#endif /* SET_PUBLIC_IP */ - ) - return TRUE; - - CWinApp *pApp = NULL; - pApp = AfxGetApp(); - if (!pApp) - { - MessageBox("There is a problem finding Leash application " - "information!", - "Error", MB_OK); - return FALSE; - } - - if ( m_newNoAddress == FALSE ) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - char *value=NULL; - long retval, noaddresses = 1; - filenames[0] = confname; - filenames[1] = NULL; - retval = pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - if (!retval) { - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults","noaddresses", 0, "true", &value); - if ( value ) { - noaddresses = config_boolean_to_int(value); - pprofile_release_string(value); - } - pprofile_release(CLeashApp::m_krbv5_profile); - } - - if ( noaddresses ) - { - MessageBox("The No Addresses setting cannot be disabled unless the setting\n" - " noaddresses=false\n" - "is added to the [libdefaults] section of the KRB5.INI file.", - "Error", MB_OK); - return FALSE; - - } - } - } - - pLeash_set_default_forwardable(m_newForwardable); - pLeash_set_default_proxiable(m_newProxiable); - pLeash_set_default_renewable(m_newRenewable); - pLeash_set_default_noaddresses(m_newNoAddress); -#ifdef SET_PUBLIC_IP - pLeash_set_default_publicip(m_newIPAddress); -#endif /* SET_PUBLIC_IP */ - - CLeashView::m_forwardableTicket = m_initForwardable = m_newForwardable; - CLeashView::m_proxiableTicket = m_initProxiable = m_newProxiable; - CLeashView::m_renewableTicket = m_initRenewable = m_newRenewable; - CLeashView::m_noaddressTicket = m_initNoAddress = m_newNoAddress; -#ifdef SET_PUBLIC_IP - CLeashView::m_publicIPAddress = m_initIPAddress = m_newIPAddress; -#endif /* SET_PUBLIC_IP */ - return TRUE; -} - -BOOL CKrb5ConfigOptions::OnInitDialog() -{ - CDialog::OnInitDialog(); - - CWinApp *pApp = NULL; - pApp = AfxGetApp(); - if (!pApp) - { - MessageBox("There is a problem finding Leash application " - "information!", - "Error", MB_OK); - } - else - { - m_initForwardable = pLeash_get_default_forwardable(); - m_initProxiable = pLeash_get_default_proxiable(); - m_initRenewable = pLeash_get_default_renewable(); - m_initNoAddress = pLeash_get_default_noaddresses(); - m_initIPAddress = pLeash_get_default_publicip(); - } - - CheckDlgButton(IDC_CHECK_FORWARDABLE, m_initForwardable); - m_newForwardable = m_initForwardable; - - CheckDlgButton(IDC_CHECK_PROXIABLE, m_initProxiable); - m_newProxiable = m_initProxiable; - - CheckDlgButton(IDC_CHECK_RENEWABLE, m_initRenewable); - m_newRenewable = m_initRenewable; - - CheckDlgButton(IDC_CHECK_NO_ADDRESS, m_initNoAddress); - m_newNoAddress = m_initNoAddress; - - if ( m_initNoAddress ) { - // Disable the control - jaltman - - SendDlgItemMessage( IDC_IPADDRESS_PUBLIC, - IPM_CLEARADDRESS, - 0, - 0 - ); - } - else { - SendDlgItemMessage( IDC_IPADDRESS_PUBLIC, - IPM_SETADDRESS, - 0, - (LPARAM)m_initIPAddress - ); - } -#ifdef SET_PUBLIC_IP - m_newIPAddress = m_initIPAddress; -#endif /* SET_PUBLIC_IP */ - - return TRUE; // return TRUE unless you set the focus to a control - // EXCEPTION: OCX Property Pages should return FALSE -} - -void CKrb5ConfigOptions::OnCheckForwardable() -{ - m_newForwardable = (BOOL)IsDlgButtonChecked(IDC_CHECK_FORWARDABLE); - SetModified(TRUE); -} - -void CKrb5ConfigOptions::OnCheckProxiable() -{ - m_newProxiable = (BOOL)IsDlgButtonChecked(IDC_CHECK_PROXIABLE); - SetModified(TRUE); -} - -void CKrb5ConfigOptions::OnCheckRenewable() -{ - m_newRenewable = (BOOL)IsDlgButtonChecked(IDC_CHECK_RENEWABLE); - SetModified(TRUE); -} - -void CKrb5ConfigOptions::OnCheckNoAddress() -{ - m_newNoAddress = (BOOL)IsDlgButtonChecked(IDC_CHECK_NO_ADDRESS); - SetModified(TRUE); - - if ( m_newNoAddress ) { - // Disable the control - jaltman - - SendDlgItemMessage( IDC_IPADDRESS_PUBLIC, - IPM_CLEARADDRESS, - 0, - 0 - ); - } else { - // Enable the IP Address Control - jaltman - - SendDlgItemMessage( IDC_IPADDRESS_PUBLIC, - IPM_SETADDRESS, - 0, - (LPARAM)m_initIPAddress - ); - } -} - -/////////////////////////////////////////////////////////////////////// -// CKrb5Properties - -IMPLEMENT_DYNAMIC(CKrb5Properties, CPropertySheet) - -CKrb5Properties::CKrb5Properties(UINT nIDCaption, CWnd* pParentWnd, - UINT iSelectPage) - :CPropertySheet(nIDCaption, pParentWnd, iSelectPage) -{ -} - -CKrb5Properties::CKrb5Properties(LPCTSTR pszCaption, CWnd* pParentWnd, - UINT iSelectPage) - :CPropertySheet(pszCaption, pParentWnd, iSelectPage) -{ - AddPage(&m_fileLocation); - AddPage(&m_configOptions); -} - -CKrb5Properties::~CKrb5Properties() -{ -} - -void CKrb5Properties::OnHelp() -{ -#ifdef CALL_HTMLHELP - AfxGetApp()->HtmlHelp(HID_KRB5_PROPERTIES_COMMAND); -#else - AfxGetApp()->WinHelp(HID_KRB5_PROPERTIES_COMMAND); -#endif -} - - - -BEGIN_MESSAGE_MAP(CKrb5Properties, CPropertySheet) - //{{AFX_MSG_MAP(CKrb5Properties) - // NOTE - the ClassWizard will add and remove mapping macros here. - ON_COMMAND(ID_HELP, OnHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() diff --git a/src/windows/leash/Krb5Properties.h b/src/windows/leash/Krb5Properties.h deleted file mode 100644 index c091ddd..0000000 --- a/src/windows/leash/Krb5Properties.h +++ /dev/null @@ -1,172 +0,0 @@ -// ************************************************************************************** -// File: Krb5Properties.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb5Properties.cpp. Contains variables and functions -// for Kerberos Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_KRB5PROPERTIES_H__9011A0B3_6E92_11D2_9454_0000861B8A3C__INCLUDED_) -#define AFX_KRB5PROPERTIES_H__9011A0B3_6E92_11D2_9454_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// Krb5Properties.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrb5ConfigOptions dialog - -class CKrb5ConfigFileLocation : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrb5ConfigFileLocation) - CString m_initConfigFile; - CString m_initTicketFile; - CString m_newConfigFile; - CString m_newTicketFile; - BOOL m_startupPage1; - -public: - CKrb5ConfigFileLocation(); // standard constructor - -// Dialog Data - //{{AFX_DATA(CKrb5ConfigFileLocation) - enum { IDD = IDD_KRB5_PROP_LOCATION }; - CEdit m_ticketEditBox; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb5ConfigFileLocation) - public: - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - virtual BOOL OnApply(); - - // Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb5ConfigFileLocation) - virtual BOOL OnInitDialog(); - afx_msg void OnButtonKrb5iniBrowse(); - afx_msg void OnButtonKrb5TicketfileBrowse(); - afx_msg void OnChangeEditKrb5TxtFile(); - afx_msg void OnChangeEditKrb5iniLocation(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - - -///////////////////////////////////////////////////////////////////////////// -// CKrb5ConfigOptions dialog - -class CKrb5ConfigOptions : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrb5ConfigOptions) - INT m_initForwardable; - INT m_newForwardable; - INT m_initProxiable; - INT m_newProxiable; - INT m_initRenewable; - INT m_newRenewable; - INT m_initNoAddress; - INT m_newNoAddress; - DWORD m_initIPAddress; -#ifdef SET_PUBLIC_IP - DWORD m_newIPAddress; -#endif /* SET_PUBLIC_IP */ - -public: - CKrb5ConfigOptions(); // standard constructor - -// Dialog Data - //{{AFX_DATA(CKrb5ConfigOptions) - enum { IDD = IDD_KRB5_PROP_CONTENT }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb5ConfigOptions) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - virtual BOOL OnApply(); - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrb5ConfigOptions) - virtual BOOL OnInitDialog(); - afx_msg void OnCheckForwardable(); - afx_msg void OnCheckProxiable(); - afx_msg void OnCheckRenewable(); - afx_msg void OnCheckNoAddress(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -class CKrb5Properties : public CPropertySheet -{ -private: - DECLARE_DYNAMIC(CKrb5Properties) - -public: - CKrb5ConfigFileLocation m_fileLocation; - CKrb5ConfigOptions m_configOptions; - -// Construction -public: - CKrb5Properties(UINT nIDCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - CKrb5Properties(LPCTSTR pszCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - -// Attributes -public: - -// Operations -public: - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrb5Properties) - //}}AFX_VIRTUAL - -// Implementation -public: - virtual ~CKrb5Properties(); - - // Generated message map functions -protected: - //{{AFX_MSG(CKrb5Properties) - // NOTE - the ClassWizard will add and remove member functions here. - afx_msg void OnHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRB5PROPERTIES_H__9011A0B3_6E92_11D2_9454_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbAddHostServer.cpp b/src/windows/leash/KrbAddHostServer.cpp deleted file mode 100644 index fc53e41..0000000 --- a/src/windows/leash/KrbAddHostServer.cpp +++ /dev/null @@ -1,77 +0,0 @@ -// KrbAddHostServer.cpp : implementation file -// - -#include "stdafx.h" -#include "leash.h" -#include "KrbAddHostServer.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddHostServer dialog - - -CKrbAddHostServer::CKrbAddHostServer(CWnd* pParent /*=NULL*/) - : CDialog(CKrbAddHostServer::IDD, pParent) -{ - m_newHost = _T(""); - m_startup = TRUE; - - //{{AFX_DATA_INIT(CKrbAddHostServer) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrbAddHostServer::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbAddHostServer) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrbAddHostServer, CDialog) - //{{AFX_MSG_MAP(CKrbAddHostServer) - ON_EN_CHANGE(IDC_EDIT_KDC_HOST, OnChangeEditKdcHost) - ON_WM_SHOWWINDOW() - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddHostServer message handlers - -void CKrbAddHostServer::OnOK() -{ - m_newHost.TrimLeft(); - m_newHost.TrimRight(); - - if (m_newHost.IsEmpty()) - { // stay - MessageBox("OnOK:: Server Hosting a KDC must be filled in!", - "Error", MB_OK); - } - else if (-1 != m_newHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Error", MB_OK); - } - else - CDialog::OnOK(); // exit -} - -void CKrbAddHostServer::OnChangeEditKdcHost() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_KDC_HOST, m_newHost); -} - -void CKrbAddHostServer::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} diff --git a/src/windows/leash/KrbAddHostServer.h b/src/windows/leash/KrbAddHostServer.h deleted file mode 100644 index 989d388..0000000 --- a/src/windows/leash/KrbAddHostServer.h +++ /dev/null @@ -1,53 +0,0 @@ -#if !defined(AFX_KRBADDHOSTSERVER_H__1B6B6ED8_D26D_11D2_95AF_0000861B8A3C__INCLUDED_) -#define AFX_KRBADDHOSTSERVER_H__1B6B6ED8_D26D_11D2_95AF_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// KrbAddHostServer.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddHostServer dialog - -class CKrbAddHostServer : public CDialog -{ -// Construction - CString m_newHost; - BOOL m_startup; - -public: - CKrbAddHostServer(CWnd* pParent = NULL); // standard constructor - CString GetNewHost() {return m_newHost;} - - -// Dialog Data - //{{AFX_DATA(CKrbAddHostServer) - enum { IDD = IDD_KRB_ADD_KDC_HOSTSERVER}; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbAddHostServer) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbAddHostServer) - virtual void OnOK(); - afx_msg void OnChangeEditKdcHost(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRBADDHOSTSERVER_H__1B6B6ED8_D26D_11D2_95AF_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbAddRealm.cpp b/src/windows/leash/KrbAddRealm.cpp deleted file mode 100644 index 4527e4b..0000000 --- a/src/windows/leash/KrbAddRealm.cpp +++ /dev/null @@ -1,88 +0,0 @@ -// File: KrbAddRealm.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbAddRealm.h. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "KrbAddRealm.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddRealm dialog - - -CKrbAddRealm::CKrbAddRealm(CWnd* pParent /*=NULL*/) -: CDialog(CKrbAddRealm::IDD, pParent) -{ - m_newRealm = _T(""); - m_startup = TRUE; - - //{{AFX_DATA_INIT(CKrbAddRealm) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrbAddRealm::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbAddRealm) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrbAddRealm, CDialog) - //{{AFX_MSG_MAP(CKrbAddRealm) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_REALM, OnChangeEditRealm) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddRealm message handlers - -void CKrbAddRealm::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -void CKrbAddRealm::OnChangeEditRealm() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_REALM, m_newRealm); -} - -void CKrbAddRealm::OnOK() -{ - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - - if (m_newRealm.IsEmpty()) - { // stay - MessageBox("OnOK:: Kerberos Realm must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - else - CDialog::OnOK(); // exit -} diff --git a/src/windows/leash/KrbAddRealm.h b/src/windows/leash/KrbAddRealm.h deleted file mode 100644 index 48ae4b7..0000000 --- a/src/windows/leash/KrbAddRealm.h +++ /dev/null @@ -1,66 +0,0 @@ -// ************************************************************************************** -// File: KrbAddRealm.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbAddRealm.cpp Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_) -#define AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// AddToRealmHostList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrbAddRealm dialog - -class CKrbAddRealm : public CDialog -{ -// Construction - CString m_newRealm; - BOOL m_startup; - -public: - CKrbAddRealm(CWnd* pParent = NULL); // standard constructor - CString GetNewRealm() {return m_newRealm;} - -// Dialog Data - //{{AFX_DATA(CKrbAddRealm) - enum { IDD = IDD_KRB_ADD_REALM }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbAddRealm) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbAddRealm) - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - virtual void OnOK(); - afx_msg void OnChangeEditRealm(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_ADDTOREALMHOSTLIST_H__26A1E1F3_9117_11D2_94D0_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbConfigOptions.cpp b/src/windows/leash/KrbConfigOptions.cpp deleted file mode 100644 index c8fa66c..0000000 --- a/src/windows/leash/KrbConfigOptions.cpp +++ /dev/null @@ -1,674 +0,0 @@ -// ************************************************************************************** -// File: KrbConfigOptions.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbProperties.h. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 2/01/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "Leash.h" -#include "KrbProperties.h" -#include "KrbConfigOptions.h" -#include "LeashFileDialog.h" -#include "LeashMessageBox.h" -#include "wshelper.h" -#include "lglobals.h" -#include -#include -#include "reminder.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - - -/////////////////////////////////////////////////////////////////////// -// CKrbConfigOptions property page - -CString CKrbConfigOptions::m_newDefaultRealm; -CString CKrbConfigOptions::m_hostServer; -CComboBox CKrbConfigOptions::m_krbRealmEditbox; -BOOL CKrbConfigOptions::m_profileError; -BOOL CKrbConfigOptions::m_dupEntriesError; - -IMPLEMENT_DYNCREATE(CKrbConfigOptions, CPropertyPage) - -CKrbConfigOptions::CKrbConfigOptions() : CPropertyPage(CKrbConfigOptions::IDD) -{ - m_initDefaultRealm = _T(""); - m_newDefaultRealm = _T(""); - m_startupPage2 = TRUE; - m_noKrbFileError = FALSE; - m_noKrbhostWarning = FALSE; - m_dupEntriesError = FALSE; - m_profileError = FALSE; - m_noRealm = FALSE; - - //{{AFX_DATA_INIT(CKrbConfigOptions) - //}}AFX_DATA_INIT -} - -CKrbConfigOptions::~CKrbConfigOptions() -{ -} - -VOID CKrbConfigOptions::DoDataExchange(CDataExchange* pDX) -{ - TRACE("Entering CKrbConfigOptions::DoDataExchange -- %d\n", - pDX->m_bSaveAndValidate); - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbConfigOptions) - DDX_Control(pDX, IDC_EDIT_DEFAULT_REALM, m_krbRealmEditbox); - //}}AFX_DATA_MAP -} - -static char far * near parse_str(char far*buffer,char far*result) -{ - while (isspace(*buffer)) - buffer++; - while (!isspace(*buffer)) - *result++=*buffer++; - *result='\0'; - return buffer; -} - -#ifndef NO_KRB4 -int krb_get_krbhst(char* h, char* r, int n) -{ - char lbstorage[BUFSIZ]; - char tr[REALM_SZ]; - static FILE *cnffile; /*XXX pbh added static because of MS bug in fgets() */ - static char FAR *linebuf; /*XXX pbh added static because of MS bug in fgets() */ - int i; - char *p; - - //static char buffer[80]; - //krb_get_krbconf(buffer); - memset(lbstorage, '\0', BUFSIZ ); /* 4-22-94 */ - linebuf = &lbstorage[0]; - - if ((cnffile = fopen(CKrbProperties::m_krbPath,"r")) == NULL) { - if (n==1) { - (void) strcpy(h,KRB_HOST); - return(KSUCCESS); - } else { - return(KFAILURE); - } - } - /* linebuf=(char FAR *)malloc(BUFSIZ); */ /*4-22-94*/ - if (fgets(linebuf,BUFSIZ,cnffile)==NULL) { - /* free(linebuf); */ /* 4-22-94 */ - - return(KFAILURE); - } - /* bzero( tr, sizeof(tr) ); */ /* pbh 2-24-93 */ - memset(tr, '\0', sizeof(tr) ); - parse_str(linebuf,tr); - if (*tr=='\0') { - return (KFAILURE); - } - /* run through the file, looking for the nth server for this realm */ - for (i = 1; i <= n;) { - if (fgets(linebuf, BUFSIZ, cnffile) == NULL) { - /* free(linebuf); */ /*4-22-94*/ - (void) fclose(cnffile); - return(KFAILURE); - } - /* bzero( tr, sizeof(tr) ); */ /* pbh 2-24-93 */ - memset(tr, '\0', sizeof(tr) ); - p=parse_str(linebuf,tr); - if (*tr=='\0') - continue; - memset(h, '\0', lstrlen(h) ); - parse_str(p,h); - if (*tr=='\0') - continue; - if (!lstrcmp(tr,r)) - i++; - } - /* free(linebuf); */ /*4-22-94*/ - (void) fclose(cnffile); - return(KSUCCESS); -} -#endif - -BOOL CKrbConfigOptions::OnInitDialog() -{ - m_initDefaultRealm = _T(""); - m_newDefaultRealm = _T(""); - m_noKrbFileError = FALSE; - m_noKrbhostWarning = FALSE; - m_dupEntriesError = FALSE; - m_profileError = FALSE; - m_noRealm = FALSE; - - CPropertyPage::OnInitDialog(); - -#ifndef NO_KRB4 - if (CLeashApp::m_hKrb4DLL && !CLeashApp::m_hKrb5DLL) - { // Krb4 NOT krb5 - // Fill in all edit boxes - char krbRealm[REALM_SZ + 1]; - char krbhst[MAX_HSTNM + 1]; - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeRead)) - { - SetDlgItemText(IDC_EDIT_DEFAULT_REALM, KRB_REALM); - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, KRB_MASTER); - //CheckRadioButton(IDC_RADIO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER, IDC_RADIO_NO_ADMIN_SERVER); - m_initDefaultRealm = m_newDefaultRealm = KRB_REALM; - } - else - { // place krbRealm in Edit box - memset(krbRealm, '\0', sizeof(krbRealm)); - if (!krbCon.ReadString(krbRealm, sizeof(krbRealm)) || '\r' == *krbRealm || - '\n' == *krbRealm || '\0' == *krbRealm) - { - SetDlgItemText(IDC_EDIT_DEFAULT_REALM, KRB_REALM); - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, KRB_MASTER); - m_initDefaultRealm = m_newDefaultRealm = KRB_REALM; - } - else - { - *(krbRealm + strlen(krbRealm) - 1) = 0; - LPSTR pSpace = strchr(krbRealm, ' '); - if (pSpace) - *pSpace = 0; - - m_initDefaultRealm = m_newDefaultRealm = krbRealm; - - memset(krbhst, '\0', sizeof(krbhst)); - krbCon.Close(); - - // Check for Host - // don't use KRB4 - krb_get_krbhst - would have to re-logon, on file location - // change, to use this function - if (KFAILURE == pkrb_get_krbhst(krbhst, krbRealm, 1)) - { - m_noKrbhostWarning = TRUE; - } - else - { // place hostname in Edit Box - //SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, krbhst); - - m_hostServer = krbhst; - - // New stuff to put realms in Combo Box - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeRead)) - { - m_noKrbFileError = TRUE; - m_noRealm = TRUE; - } else { - - LPSTR space = NULL; - CHAR lineBuf[REALM_SZ + MAX_HSTNM + 20]; - CHAR localRealm[REALM_SZ + MAX_HSTNM + 20]; - memset(lineBuf, '\0', sizeof(lineBuf)); - memset(localRealm, '\0', sizeof(localRealm)); - - if (krbCon.ReadString(localRealm, sizeof(localRealm))) - *(localRealm + strlen(localRealm) - 1) = 0; - else - return FALSE; - - space = strchr(localRealm, ' '); - if (space) - *space = 0; - - while (TRUE) - { - if (!krbCon.ReadString(lineBuf, sizeof(lineBuf))) - break; - - *(lineBuf + sizeof(lineBuf) - 1) = 0; - - if (strlen(lineBuf) == 0) - continue; - - space = strchr(lineBuf, ' '); - if (!space) space = strchr(lineBuf, '\t'); - if (space) - *space = 0; - else - ASSERT(0); - - // skip Kerberos Options - if ( !strncmp(".KERBEROS.OPTION.",lineBuf,17) ) - continue; - - if (CB_ERR == m_krbRealmEditbox.FindStringExact(-1, lineBuf)) - { // no dups - if (LB_ERR == m_krbRealmEditbox.AddString(lineBuf)) - { - MessageBox("OnInitDialog::Can't add to Kerberos Realm Combobox", - "Leash", MB_OK); - return FALSE; - } - } - } - - m_krbRealmEditbox.SelectString(-1, krbRealm); - - } // end of 'else' - } // end of 'place hostname in Edit Box' else statement - } // end of 'Check for Host' else statement - } // end of 'place krbRealm in Edit box' else - } - else -#endif - if (CLeashApp::m_hKrb5DLL) - { // Krb5 OR krb5 AND krb4 - char *realm = NULL; - pkrb5_get_default_realm(CLeashApp::m_krbv5_context, &realm); - - if (!realm) - m_noRealm = TRUE; - - m_initDefaultRealm = m_newDefaultRealm = realm; - - if ( !CLeashApp::m_krbv5_profile ) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - filenames[0] = confname; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - } - } - - CHAR selRealm[REALM_SZ]; - strcpy(selRealm, m_newDefaultRealm); - const char* Section[] = {"realms", selRealm, "kdc", NULL}; - const char** section = Section; - char **values = NULL; - char * value = NULL; - - long retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - if (!retval && values) - m_hostServer = *values; - else { - int dns_in_use = 0; - // Determine if we are using DNS for KDC lookups - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_lookup_kdc", 0, 0, &value); - if (value == 0 && retval == 0) - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_fallback", 0, 0, &value); - if (value == 0) { - dns_in_use = 1; - } else { - dns_in_use = config_boolean_to_int(value); - pprofile_release_string(value); - } - if (dns_in_use) - m_hostServer = "DNS SRV record lookups will be used to find KDC"; - else { - m_hostServer = "No KDC information available"; - } - } - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_hostServer); - - if ( realm ) - pkrb5_free_default_realm(CLeashApp::m_krbv5_context, realm); - } - - // Set host and domain names in their Edit Boxes, respectively. - char hostName[80]=""; - char domainName[80]=""; - int ckHost = wsh_gethostname(hostName, sizeof(hostName)); - int ckdomain = wsh_getdomainname(domainName, sizeof(domainName)); - CString dot_DomainName = "."; - dot_DomainName += domainName; - - SetDlgItemText(IDC_EDIT_HOSTNAME, ckHost == 0 ? hostName : ""); - SetDlgItemText(IDC_EDIT_DOMAINNAME, ckdomain == 0 ? dot_DomainName : ""); - - return m_noRealm; -} - -BOOL CKrbConfigOptions::OnApply() -{ - // If no changes were made, quit this function - if (0 == m_initDefaultRealm.CompareNoCase(m_newDefaultRealm)) - return TRUE; - - m_newDefaultRealm.TrimLeft(); - m_newDefaultRealm.TrimRight(); - - if (m_newDefaultRealm.IsEmpty()) - { - MessageBox("OnApply::Your Kerberos Realm field must be filled in!", - "Leash", MB_OK); - m_newDefaultRealm = m_initDefaultRealm; - SetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newDefaultRealm); - return TRUE; - } - - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeCreate | - CFile::modeNoTruncate | - CFile::modeRead)) - { - LeashErrorBox("OnApply::Can't open configuration file", - CKrbProperties::m_krbPath); - return TRUE; - } - - CStdioFile krbCon2; - CString krbCon2File = CKrbProperties::m_krbPath; - krbCon2File += "___"; - if (!krbCon2.Open(krbCon2File, CFile::modeCreate | CFile::modeWrite)) - { - LeashErrorBox("OnApply:: Can't open configuration file", - CKrbProperties::m_krbPath); - return TRUE; - } - - CString readWrite; - krbCon.ReadString(readWrite); - krbCon2.WriteString(m_newDefaultRealm); - krbCon2.WriteString("\n"); - while (krbCon.ReadString(readWrite)) - { - krbCon2.WriteString(readWrite); - krbCon2.WriteString("\n"); - } - - krbCon.Close(); - krbCon2.Close(); - krbCon2.Remove(CKrbProperties::m_krbPath); - krbCon2.Rename(krbCon2File, CKrbProperties::m_krbPath); - - if (CLeashApp::m_hKrb5DLL) - { // Krb5 OR krb5 AND krb4 - if ( !CLeashApp::m_krbv5_profile ) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - filenames[0] = confname; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - } - } - - const char* Names[] = {"libdefaults", "default_realm", NULL}; - const char** names = Names; - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - names, m_initDefaultRealm, m_newDefaultRealm); - - if (retval) - { - MessageBox("OnApply::The previous value cannot be found, the profile will not be saved!!!\ - \nIf this error persists after restarting Leash, contact your administrator.", - "Leash", MB_OK); - return TRUE; - } - - // Save to Kerberos Five config. file "Krb5.ini" - retval = pprofile_flush(CLeashApp::m_krbv5_profile); - } - - m_initDefaultRealm = m_newDefaultRealm; - return TRUE; -} - -void CKrbConfigOptions::OnSelchangeEditDefaultRealm() -{ - if (!m_startupPage2) - { - GetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newDefaultRealm); - SetModified(TRUE); - - if (CLeashApp::m_hKrb5DLL) - { - CHAR selRealm[REALM_SZ]; - strcpy(selRealm, m_newDefaultRealm); - const char* Section[] = {"realms", selRealm, "kdc", NULL}; - const char** section = Section; - char **values = NULL; - char * value = NULL; - - long retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - if (!retval && values) - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, *values); - else { - int dns_in_use = 0; - // Determine if we are using DNS for KDC lookups - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_lookup_kdc", 0, 0, &value); - if (value == 0 && retval == 0) - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_fallback", 0, 0, &value); - if (value == 0) { - dns_in_use = 1; - } else { - dns_in_use = config_boolean_to_int(value); - pprofile_release_string(value); - } - if (dns_in_use) - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, "DNS SRV record lookups will be used to find KDC"); - else - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, "No KDC information available"); - } - } -#ifndef NO_KRB4 - else - { - CHAR krbhst[MAX_HSTNM + 1]; - CHAR krbrlm[REALM_SZ + 1]; - - strcpy(krbrlm, CKrbConfigOptions::m_newDefaultRealm); - memset(krbhst, '\0', sizeof(krbhst)); - - // Check for Host - // don't use KRB4 - krb_get_krbhst - would have to re-logon, on file location - // change, to use this function - if (KFAILURE == pkrb_get_krbhst(krbhst, krbrlm, 1)) - { - MessageBox("OnSelchangeEditDefaultRealm::Unable to find the Host Server for your Default Realm!!!\ - \n 'Apply' your changes and try again.", - "Leash", MB_OK); - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, ""); - return; - } - - m_hostServer = krbhst; - if (strlen(krbhst)) - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_hostServer); - } -#endif - } -} - -void CKrbConfigOptions::OnEditchangeEditDefaultRealm() -{ - if (!m_startupPage2) - { - GetDlgItemText(IDC_EDIT_DEFAULT_REALM, m_newDefaultRealm); - SetModified(TRUE); - } -} - -void CKrbConfigOptions::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CPropertyPage::OnShowWindow(bShow, nStatus); - - if (CLeashApp::m_hKrb5DLL) - ResetDefaultRealmComboBox(); - - SetDlgItemText(IDC_EDIT_REALM_HOSTNAME, m_hostServer); -} - -void CKrbConfigOptions::ResetDefaultRealmComboBox() -{ // Krb5 is loaded - // Reset Config Tab's Default Realm Combo Editbox - const char* rootSection[] = {"realms", NULL}; - const char** rootsec = rootSection; - char **sections = NULL, - **cpp = NULL, - *value = 0; - int dns; - - long retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_lookup_kdc", 0, 0, &value); - if (value == 0 && retval == 0) - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_fallback", 0, 0, &value); - if (value == 0) { - dns = 1; - } else { - dns = config_boolean_to_int(value); - pprofile_release_string(value); - } - - retval = pprofile_get_subsection_names(CLeashApp::m_krbv5_profile, - rootsec , §ions); - - if (retval) - { - m_hostServer = _T(""); - - // This is not a fatal error if DNS KDC Lookup is being used. - // Determine the starting value for DNS KDC Lookup Checkbox - if ( dns ) - return; - - m_profileError = TRUE; - } - - m_krbRealmEditbox.ResetContent(); - - if ( !m_profileError ) { - for (cpp = sections; *cpp; cpp++) - { - if (CB_ERR == m_krbRealmEditbox.FindStringExact(-1, *cpp)) - { // no dups - if (CB_ERR == m_krbRealmEditbox.AddString(*cpp)) - { - ::MessageBox(NULL, "ResetDefaultRealmComboBox::Can't add to Kerberos Realm Combobox", - "Leash", MB_OK); - return; - } - } - else - m_dupEntriesError = TRUE; - } - } - - if (!m_newDefaultRealm.IsEmpty()) { - - if (CB_ERR == m_krbRealmEditbox.FindStringExact(-1, m_newDefaultRealm)) - { // no dups - m_krbRealmEditbox.AddString(m_newDefaultRealm); - } - m_krbRealmEditbox.SelectString(-1, m_newDefaultRealm); - - const char* Section[] = {"realms", m_newDefaultRealm, "kdc", NULL}; //theSection - const char** section = Section; - char **values = NULL; - - retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - if (!retval && values) - m_hostServer = *values; - else { - if (dns) - m_hostServer = "DNS SRV record lookups will be used to find KDC"; - else { - m_hostServer = "No KDC information available"; - } - } - } -} - -BOOL CKrbConfigOptions::PreTranslateMessage(MSG* pMsg) -{ - if (!m_startupPage2) - { - if (m_noKrbFileError) - { - LeashErrorBox("PreTranslateMessage::Unable to open configuration file", - !strlen(CKrbProperties::m_krbPath) ? KRB_FILE : - CKrbProperties::m_krbPath); - m_noKrbFileError = FALSE; - } - - if (m_noKrbhostWarning) - { - MessageBox("PreTranslateMessage::Unable to locate the Kerberos Host for your Kerberos Realm!", - "Leash", MB_OK); - m_noKrbhostWarning = FALSE; - } - - if (m_dupEntriesError) - { - MessageBox("PreTranslateMessage::Found duplicate entries in the Kerberos 5 Config. File!!!\ - \nPlease contact your Administrator.", - "Leash", MB_OK); - - m_dupEntriesError = FALSE; - } - - if (m_profileError) - { - MessageBox("PreTranslateMessage::Unable to open Kerberos 5 Config. File!!!\ - \nIf this error persists, contact your administrator.", - "Leash", MB_OK); - m_profileError = FALSE; - } - - if (m_noRealm) - { - MessageBox("PreTranslateMessage::Unable to determine the Default Realm.\ - \n Contact your Administrator!", - "Leash", MB_OK); - - m_noRealm = FALSE; - } - } - - m_startupPage2 = FALSE; - return CPropertyPage::PreTranslateMessage(pMsg); -} - - -BEGIN_MESSAGE_MAP(CKrbConfigOptions, CPropertyPage) - //{{AFX_MSG_MAP(CKrbConfigOptions) - ON_WM_SHOWWINDOW() - ON_CBN_EDITCHANGE(IDC_EDIT_DEFAULT_REALM, OnEditchangeEditDefaultRealm) - ON_CBN_SELCHANGE(IDC_EDIT_DEFAULT_REALM, OnSelchangeEditDefaultRealm) - ON_BN_CLICKED(IDC_BUTTON_KRB_HELP, OnButtonKrbHelp) - ON_BN_CLICKED(IDC_BUTTON_KRBREALM_HELP, OnButtonKrbrealmHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - - - -void CKrbConfigOptions::OnButtonKrbHelp() -{ - MessageBox("No Help Available!", "Leash", MB_OK); -} - -void CKrbConfigOptions::OnButtonKrbrealmHelp() -{ - MessageBox("No Help Available!", "Leash", MB_OK); -} diff --git a/src/windows/leash/KrbConfigOptions.h b/src/windows/leash/KrbConfigOptions.h deleted file mode 100644 index 3169e71..0000000 --- a/src/windows/leash/KrbConfigOptions.h +++ /dev/null @@ -1,89 +0,0 @@ -// ************************************************************************************** -// File: KrbConfigOptions.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbProperties.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 2/01/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_CONFIGOPTIONS_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) -#define AFX_CONFIGOPTIONS_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_ - -#if _MSC_VER >= 1000 -#pragma once -#endif // _MSC_VER >= 1000 -// Krb4Properties.h : header file -// - -#include "Resource.h" - - -/////////////////////////////////////////////////////////////////////// -// CKrbConfigOptions dialog - -class CKrbConfigOptions : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrbConfigOptions) - BOOL m_startupPage2; - BOOL m_noKrbFileError; - BOOL m_noKrbhostWarning; - static BOOL m_profileError; - static BOOL m_dupEntriesError; - BOOL m_noRealm; - CString m_initDefaultRealm; - static CString m_newDefaultRealm; ///// also used for CKrb4DomainRealmMaintenance - static CString m_hostServer; - - static void ResetDefaultRealmComboBox(); - -public: - CKrbConfigOptions(); - ~CKrbConfigOptions(); - -// Dialog Data - //{{AFX_DATA(CKrbConfigOptions) - enum { IDD = IDD_KRB_PROP_CONTENT }; - static CComboBox m_krbRealmEditbox; - //}}AFX_DATA - - -// Overrides - // ClassWizard generate virtual function overrides - //{{AFX_VIRTUAL(CKrbConfigOptions) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual VOID DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - virtual BOOL OnApply(); - -// Implementation -protected: - // Generated message map functions - //{{AFX_MSG(CKrbConfigOptions) - virtual BOOL OnInitDialog(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnEditchangeEditDefaultRealm(); - afx_msg void OnSelchangeEditDefaultRealm(); - afx_msg void OnButtonKrbHelp(); - afx_msg void OnButtonKrbrealmHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() - -}; - -///////////////////////////////////////////////////////////////////////////// -//{{AFX_INSERT_LOCATION}} -// Microsoft Developer Studio will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_CONFIGOPTIONS_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) diff --git a/src/windows/leash/KrbDomainRealmMaintenance.cpp b/src/windows/leash/KrbDomainRealmMaintenance.cpp deleted file mode 100644 index da9e883..0000000 --- a/src/windows/leash/KrbDomainRealmMaintenance.cpp +++ /dev/null @@ -1,440 +0,0 @@ -// CKrbDomainRealmMaintenance.cpp : implementation file -// - -#include "stdafx.h" -#include "leash.h" -#include "KrbDomainRealmMaintenance.h" -#include "Krb4AddToDomainRealmList.h" -#include "Krb4EditDomainRealmList.h" -#include "KrbProperties.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbDomainRealmMaintenance dialog - - -CKrbDomainRealmMaintenance::CKrbDomainRealmMaintenance(CWnd* pParent /*=NULL*/) - :CPropertyPage(CKrbDomainRealmMaintenance::IDD) -{ - m_dupEntiesError = FALSE; - //{{AFX_DATA_INIT(CKrbDomainRealmMaintenance) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CKrbDomainRealmMaintenance::DoDataExchange(CDataExchange* pDX) -{ - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbDomainRealmMaintenance) - DDX_Control(pDX, IDC_LIST_DOMAINREALM, m_KDCDomainList); - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrbDomainRealmMaintenance, CPropertyPage) - //{{AFX_MSG_MAP(CKrbDomainRealmMaintenance) - ON_BN_CLICKED(IDC_BUTTON_HOST_ADD, OnButtonHostAdd) - ON_BN_CLICKED(IDC_BUTTON_HOST_EDIT, OnButtonHostEdit) - ON_BN_CLICKED(ID_BUTTON_HOST_REMOVE, OnButtonHostRemove) - ON_LBN_DBLCLK(IDC_LIST_DOMAINREALM, OnDblclkListDomainrealm) - ON_BN_CLICKED(IDC_BUTTON_HOSTMAINT_HELP, OnButtonHostmaintHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbDomainRealmMaintenance message handlers - -BOOL CKrbDomainRealmMaintenance::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - - char theName[REALM_SZ + 1]; - char theNameValue[REALM_SZ + MAX_HSTNM + 2]; - const char* Section[] = {"domain_realm", theName, NULL}; //theSection - const char** section = Section; - char **values = NULL, - **vpp = NULL; - - const char* rootSection[] = {"domain_realm", NULL}; - const char** rootsec = rootSection; - char **sections = NULL, - **cpp = NULL; - - long retval = pprofile_get_relation_names(CLeashApp::m_krbv5_profile, - rootsec, §ions); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnInitDialog::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return TRUE; - } - - - for (cpp = sections; *cpp; cpp++) - { - strcpy(theName, *cpp); - retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - for (vpp = values; *vpp; vpp++) - { - strcpy(theNameValue, theName); - strcat(theNameValue, " "); - strcat(theNameValue, *vpp); - - if (LB_ERR == m_KDCDomainList.FindStringExact(-1, theNameValue)) - { - if (LB_ERR == m_KDCDomainList.AddString(theNameValue)) - { - MessageBox("OnInitDialog::Can't add to Kerberos Domain Listbox", - "Leash", MB_OK); - return FALSE; - } - } - else - m_dupEntiesError = TRUE; - } - } - - m_KDCDomainList.SetCurSel(0); - - if (!m_KDCDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_HOST_EDIT)->EnableWindow(FALSE); - } - - return TRUE; // return TRUE unless you set the focus to a control - // EXCEPTION: OCX Property Pages should return FALSE -} - -BOOL CKrbDomainRealmMaintenance::OnApply() -{ - if (!CLeashApp::m_krbv5_profile) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - filenames[0] = confname; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - } - } - - // Save to Kerberos Five config. file "Krb5.ini" - long retval = pprofile_flush(CLeashApp::m_krbv5_profile); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnApply::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return TRUE; - } - -#ifndef NO_KRB4 - // Save to Kerberos Four config. file "Krb.con" - CStdioFile krbrealmCon; - if (!krbrealmCon.Open(CKrbProperties::m_krbrealmPath, CFile::modeCreate | - CFile::modeNoTruncate | - CFile::modeReadWrite)) - { - LeashErrorBox("OnApply::Can't open Configuration File", - CKrbProperties::m_krbrealmPath); - return TRUE; - } - - krbrealmCon.SetLength(0); - - char theNameValue[REALM_SZ + MAX_HSTNM + 2]; - - for (INT maxItems = m_KDCDomainList.GetCount(), item = 0; item < maxItems; item++) - { - if (LB_ERR == m_KDCDomainList.GetText(item, theNameValue)) - ASSERT(0); - - krbrealmCon.WriteString(theNameValue); - krbrealmCon.WriteString("\n"); - } - - krbrealmCon.Close(); -#endif - - return TRUE; -} - -void CKrbDomainRealmMaintenance::OnCancel() -{ - CHAR fileName[MAX_PATH]; - - if (CLeashApp::GetProfileFile(fileName, sizeof(fileName))) - { - MessageBox("Can't locate Kerberos Five Config. file!", "Error", MB_OK); - return; - } - - pprofile_abandon(CLeashApp::m_krbv5_profile); - - const char *filenames[2]; - filenames[0] = fileName; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - - CPropertyPage::OnCancel(); -} - -void CKrbDomainRealmMaintenance::OnButtonHostAdd() -{ -////I don't understand why this is doing K4 operations here -#ifndef NO_KRB4 - CKrb4AddToDomainRealmList addToDomainRealmList; - if (IDOK == addToDomainRealmList.DoModal()) - { - char theName[MAX_HSTNM + 1]; - const char* Section[] = {"domain_realm", theName, NULL}; - const char** section = Section; - - if (addToDomainRealmList.GetNewRealm().IsEmpty()) - ASSERT(0); - - if (CheckForDupDomain(addToDomainRealmList.GetNewDomainHost())) - { - MessageBox("Can't have duplicate Host/Domains!\nYour entry will not be saved to list", - "Leash", MB_OK); - return; - } - - CString newLine; - newLine = addToDomainRealmList.GetNewDomainHost() + " " + addToDomainRealmList.GetNewRealm(); - - if (LB_ERR != m_KDCDomainList.FindStringExact(-1, newLine)) - { - MessageBox("We can't have duplicates!\nYour entry was not saved to list.", - "Leash", MB_OK); - return; - } - - CString newHost; // new section in the profile linklist - strcpy(theName, addToDomainRealmList.GetNewDomainHost()); - - long retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, addToDomainRealmList.GetNewRealm()); - - if (retval) - { - MessageBox("OnButtonHostAdd::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - } - - m_KDCDomainList.AddString(newLine); - SetModified(TRUE); - - if (1 == m_KDCDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_HOST_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_HOST_EDIT)->EnableWindow(); - } - } -#endif -} - -void CKrbDomainRealmMaintenance::OnButtonHostEdit() -{ - INT selItemIndex = m_KDCDomainList.GetCurSel(); - LPSTR pSelItem = new char[m_KDCDomainList.GetTextLen(selItemIndex) + 1]; - if (!pSelItem) - ASSERT(0); - - CHAR theName[MAX_HSTNM + 1]; - char theNameValue[REALM_SZ + MAX_HSTNM + 2]; - CHAR OLD_VALUE[REALM_SZ + 1]; - m_KDCDomainList.GetText(selItemIndex, theName); - strcpy(pSelItem, theName); - - LPSTR pselItem = strchr(theName, ' '); - if (pselItem) - *pselItem = 0; - else - ASSERT(0); - - strcpy(OLD_VALUE, pselItem + 1); - strcpy(theNameValue, pSelItem); - - CKrb4EditDomainRealmList editDomainRealmList(pSelItem); - - if (IDOK == editDomainRealmList.DoModal()) - { - if (0 != strcmp(theName, editDomainRealmList.GetDomainHost()) - && CheckForDupDomain(editDomainRealmList.GetDomainHost())) - { // Duplicate Host/Domain Error - MessageBox("We can't have duplicate Host/Domains!\nYour entry will not be saved to list", - "Leash", MB_OK); - return; - } - - const char* Section[] = {"domain_realm", theName, NULL}; - const char** section = Section; - - CString editedHost = editDomainRealmList.GetEditedItem(); - - if (0 != editedHost.CompareNoCase(theNameValue) && - LB_ERR != m_KDCDomainList.FindStringExact(-1, editedHost)) - { - MessageBox("We can't have duplicate Realms!\nYour entry was not saved to list.", - "Leash", MB_OK); - delete [] pSelItem; - return; - } - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - section, OLD_VALUE, NULL); - - if (retval) - { - MessageBox("OnButtonHostEdit::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - strcpy(theName, editDomainRealmList.GetDomainHost()); - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, editDomainRealmList.GetRealm()); - - - if (retval) - { // thsi might not be the best way to handle this type of error - MessageBox("OnButtonHostEdit::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - m_KDCDomainList.DeleteString(selItemIndex); - m_KDCDomainList.AddString(editedHost); - selItemIndex = m_KDCDomainList.FindStringExact(-1, editedHost); - m_KDCDomainList.SetCurSel(selItemIndex); - - SetModified(TRUE); - } - - delete [] pSelItem; -} - -void CKrbDomainRealmMaintenance::OnDblclkListDomainrealm() -{ - OnButtonHostEdit(); -} - -void CKrbDomainRealmMaintenance::OnButtonHostRemove() -{ - CHAR theName[MAX_HSTNM + 1]; - CHAR OLD_VALUE[REALM_SZ + 1]; - char theNameValue[REALM_SZ + MAX_HSTNM + 2]; - const char* Section[] = {"domain_realm", theName, NULL}; - const char** section = Section; - - INT curSel = m_KDCDomainList.GetCurSel(); - m_KDCDomainList.GetText(curSel, theNameValue); - - CString serverHostMsg; - CString serverHost; - serverHostMsg.Format("Your about to remove Host/Domain \"%s\" from the list!\n\nContinue?", - theNameValue); - - if (IDYES != AfxMessageBox(serverHostMsg, MB_YESNO)) - return; - - LPSTR pNameValue = strchr(theNameValue, ' '); - if (pNameValue) - { - *pNameValue = 0; - strcpy(theName, theNameValue); - pNameValue++; - strcpy(OLD_VALUE, pNameValue); - } - else - ASSERT(0); - - if (!m_KDCDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_HOSTNAME_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_HOSTNAME_EDIT)->EnableWindow(FALSE); - } - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - section, OLD_VALUE, NULL); - - if (retval) - { - MessageBox("OnButtonHostRemove::There is on error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - m_KDCDomainList.DeleteString(curSel); // Single Sel Listbox - - if (-1 == m_KDCDomainList.SetCurSel(curSel)) - m_KDCDomainList.SetCurSel(curSel - 1); - - if (!m_KDCDomainList.GetCount()) - { - GetDlgItem(ID_BUTTON_HOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_HOST_EDIT)->EnableWindow(FALSE); - } - - SetModified(TRUE); -} - - -BOOL CKrbDomainRealmMaintenance::PreTranslateMessage(MSG* pMsg) -{ - if (m_dupEntiesError) - { - MessageBox("Found an error (duplicate items) in your Kerberos Five Config. File!!!\ - \nPlease contract your Administrator.", - "Leash", MB_OK); - - m_dupEntiesError = FALSE; - } - - return CPropertyPage::PreTranslateMessage(pMsg); -} - -BOOL CKrbDomainRealmMaintenance::CheckForDupDomain(CString& newDomainHost) -{ - char theName[REALM_SZ + MAX_HSTNM + 2]; - - for (INT maxItems = m_KDCDomainList.GetCount(), item = 0; item < maxItems; item++) - { - if (LB_ERR == m_KDCDomainList.GetText(item, theName)) - ASSERT(0); - - LPSTR pValue = strchr(theName, ' '); - if (pValue) - *pValue = 0; - else - ASSERT(0); - - if (0 == newDomainHost.CompareNoCase(theName)) - return TRUE; - } - - return FALSE; -} - -void CKrbDomainRealmMaintenance::OnButtonHostmaintHelp() -{ - MessageBox("No Help Available!", "Leash", MB_OK); -} diff --git a/src/windows/leash/KrbDomainRealmMaintenance.h b/src/windows/leash/KrbDomainRealmMaintenance.h deleted file mode 100644 index e22e86e..0000000 --- a/src/windows/leash/KrbDomainRealmMaintenance.h +++ /dev/null @@ -1,59 +0,0 @@ -#if !defined(AFX_KRBDOMAINREALMMAINTENANCE_H__6DB290A6_E14D_11D2_95CE_0000861B8A3C__INCLUDED_) -#define AFX_KRBDOMAINREALMMAINTENANCE_H__6DB290A6_E14D_11D2_95CE_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// CKrbDomainRealmMaintenance.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrbDomainRealmMaintenance dialog - -class CKrbDomainRealmMaintenance : public CPropertyPage -{ -// Construction -private: - BOOL m_dupEntiesError; - BOOL CheckForDupDomain(CString& newDomainHost); - -public: - CKrbDomainRealmMaintenance(CWnd* pParent = NULL); // standard constructor - -// Dialog Data - //{{AFX_DATA(CKrbDomainRealmMaintenance) - enum { IDD = IDD_KRB_DOMAINREALM_MAINT }; - CListBox m_KDCDomainList; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbDomainRealmMaintenance) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbDomainRealmMaintenance) - virtual void OnCancel(); - virtual BOOL OnApply(); - virtual BOOL OnInitDialog(); - afx_msg void OnButtonHostAdd(); - afx_msg void OnButtonHostEdit(); - afx_msg void OnButtonHostRemove(); - afx_msg void OnDblclkListDomainrealm(); - afx_msg void OnButtonHostmaintHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRBDOMAINREALMMAINTENANCE_H__6DB290A6_E14D_11D2_95CE_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbEditHostServer.cpp b/src/windows/leash/KrbEditHostServer.cpp deleted file mode 100644 index 4245c2b..0000000 --- a/src/windows/leash/KrbEditHostServer.cpp +++ /dev/null @@ -1,97 +0,0 @@ -// ************************************************************************************** -// File: KrbEditHostServer.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbEditHostServer.h. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4Properties.h" -#include "KrbEditHostServer.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditHostServer dialog - -CKrbEditHostServer::CKrbEditHostServer(CString& editItem, CWnd* pParent) - : CDialog(CKrbEditHostServer::IDD, pParent) -{ - m_startup = TRUE; - m_newHost = editItem; - - //{{AFX_DATA_INIT(CKrbEditHostServer) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - -void CKrbEditHostServer::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbEditHostServer) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrbEditHostServer, CDialog) - //{{AFX_MSG_MAP(CKrbEditHostServer) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_KDC_HOST, OnChangeEditKdcHost) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditHostServer message handlers - -BOOL CKrbEditHostServer::OnInitDialog() -{ - CDialog::OnInitDialog(); - - SetDlgItemText(IDC_EDIT_KDC_HOST, m_newHost); - return TRUE; -} - -void CKrbEditHostServer::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -void CKrbEditHostServer::OnChangeEditKdcHost() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_KDC_HOST, m_newHost); -} - -void CKrbEditHostServer::OnOK() -{ - m_newHost.TrimLeft(); - m_newHost.TrimRight(); - - if (m_newHost.IsEmpty()) - { // stay - MessageBox("OnOK::The Server field must be filled in!", - "Error", MB_OK); - } - else if (-1 != m_newHost.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Error", MB_OK); - } - else - CDialog::OnOK(); // exit -} diff --git a/src/windows/leash/KrbEditHostServer.h b/src/windows/leash/KrbEditHostServer.h deleted file mode 100644 index 5cbbd03..0000000 --- a/src/windows/leash/KrbEditHostServer.h +++ /dev/null @@ -1,69 +0,0 @@ -// ************************************************************************************** -// File: KrbEditHostServer.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbEditHostServer.cpp. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - - -#if !defined(AFX_EDITHOST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) -#define AFX_EDITHOST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// EditRealmHostList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditHostServer dialog - -class CKrbEditHostServer : public CDialog -{ -// Construction -private: - CString m_newHost; - BOOL m_startup; - -public: - CKrbEditHostServer(CString& editItem, CWnd* pParent = NULL); - CString GetEditedItem() {return m_newHost;} - -// Dialog Data - //{{AFX_DATA(CKrbEditHostServer) - enum { IDD = IDD_KRB_EDIT_KDC_HOSTSERVER }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbEditHostServer) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbEditHostServer) - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - virtual void OnOK(); - virtual BOOL OnInitDialog(); - afx_msg void OnChangeEditKdcHost(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_EDITHOST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbEditRealm.cpp b/src/windows/leash/KrbEditRealm.cpp deleted file mode 100644 index caa1e15..0000000 --- a/src/windows/leash/KrbEditRealm.cpp +++ /dev/null @@ -1,99 +0,0 @@ -// ************************************************************************************** -// File: KrbEditRealm.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbEditRealm.h. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "Krb4Properties.h" -#include "KrbEditRealm.h" -#include "lglobals.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditRealm dialog - -CKrbEditRealm::CKrbEditRealm(CString& editItem, CWnd* pParent) - : CDialog(CKrbEditRealm::IDD, pParent) -{ - m_startup = TRUE; - m_newRealm = editItem; - - - //{{AFX_DATA_INIT(CKrbEditRealm) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - -void CKrbEditRealm::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbEditRealm) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CKrbEditRealm, CDialog) - //{{AFX_MSG_MAP(CKrbEditRealm) - ON_WM_SHOWWINDOW() - ON_EN_CHANGE(IDC_EDIT_REALM, OnChangeEditRealm) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditRealm message handlers - -BOOL CKrbEditRealm::OnInitDialog() -{ - CDialog::OnInitDialog(); - - SetDlgItemText(IDC_EDIT_REALM, m_newRealm); - - return TRUE; -} - -void CKrbEditRealm::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CDialog::OnShowWindow(bShow, nStatus); - m_startup = FALSE; -} - -void CKrbEditRealm::OnChangeEditRealm() -{ - if (!m_startup) - GetDlgItemText(IDC_EDIT_REALM, m_newRealm); -} - -void CKrbEditRealm::OnOK() -{ - m_newRealm.TrimLeft(); - m_newRealm.TrimRight(); - - if (m_newRealm.IsEmpty()) - { // stay - MessageBox("OnOK::The Realm field must be filled in!", - "Leash", MB_OK); - } - else if (-1 != m_newRealm.Find(' ')) - { // stay - MessageBox("OnOK::Illegal space found!", "Leash", MB_OK); - } - else - CDialog::OnOK(); // exit -} diff --git a/src/windows/leash/KrbEditRealm.h b/src/windows/leash/KrbEditRealm.h deleted file mode 100644 index 4bf5fdf..0000000 --- a/src/windows/leash/KrbEditRealm.h +++ /dev/null @@ -1,75 +0,0 @@ -// ************************************************************************************** -// File: KrbEditRealm.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for Krb4EditRealmHostList.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - - -#if !defined(AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) -#define AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// EditRealmHostList.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CKrbEditRealm dialog - -class CKrbEditRealm : public CDialog -{ -// Construction -private: - //CString m_editItem; - //CString m_initRealm; - CString m_newRealm; - //CString m_initHost; - //CString m_newHost; - //BOOL m_initAdmin; - //BOOL m_newAdmin; - BOOL m_startup; - -public: - CKrbEditRealm(CString& editItem, CWnd* pParent = NULL); - CString GetEditedItem() {return m_newRealm;} - -// Dialog Data - //{{AFX_DATA(CKrbEditRealm) - enum { IDD = IDD_KRB_EDIT_REALM }; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbEditRealm) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbEditRealm) - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnChangeEditRealm(); - virtual void OnOK(); - virtual BOOL OnInitDialog(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_EDITREALMHOSTLIST_H__26A1E1F7_9117_11D2_94D0_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/KrbListTickets.cpp b/src/windows/leash/KrbListTickets.cpp index beab0ea..5dd37b0 100644 --- a/src/windows/leash/KrbListTickets.cpp +++ b/src/windows/leash/KrbListTickets.cpp @@ -92,10 +92,10 @@ etype_string(krb5_enctype enctype) static void CredToTicketInfo(krb5_creds KRBv5Credentials, TICKETINFO *ticketinfo) { - ticketinfo->issued = KRBv5Credentials.times.starttime; - ticketinfo->valid_until = KRBv5Credentials.times.endtime; + ticketinfo->issued = (DWORD)KRBv5Credentials.times.starttime; + ticketinfo->valid_until = (DWORD)KRBv5Credentials.times.endtime; ticketinfo->renew_until = KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE ? - KRBv5Credentials.times.renew_till : 0; + (DWORD)KRBv5Credentials.times.renew_till : (DWORD)0; _tzset(); if ( ticketinfo->valid_until - time(0) <= 0L ) ticketinfo->btickets = EXPD_TICKETS; @@ -137,10 +137,10 @@ CredToTicketList(krb5_context ctx, krb5_creds KRBv5Credentials, functionName = "calloc()"; goto cleanup; } - list->issued = KRBv5Credentials.times.starttime; - list->valid_until = KRBv5Credentials.times.endtime; + list->issued = (DWORD)KRBv5Credentials.times.starttime; + list->valid_until = (DWORD)KRBv5Credentials.times.endtime; if (KRBv5Credentials.ticket_flags & TKT_FLG_RENEWABLE) - list->renew_until = KRBv5Credentials.times.renew_till; + list->renew_until = (DWORD)KRBv5Credentials.times.renew_till; else list->renew_until = 0; diff --git a/src/windows/leash/KrbMiscConfigOpt.cpp b/src/windows/leash/KrbMiscConfigOpt.cpp deleted file mode 100644 index 2c7153e..0000000 --- a/src/windows/leash/KrbMiscConfigOpt.cpp +++ /dev/null @@ -1,1020 +0,0 @@ -//***************************************************************************** -// File: KrbMiscConfigOpt.cpp -// By: Paul B. Hill -// Created: 08/12/1999 -// Copyright: @1999 Massachusetts Institute of Technology - All rights -// reserved. -// Description: CPP file for KrbMiscConfigOpt.cpp. Contains variables -// and functions for Kerberos Properties. -// -// History: -// -// MM/DD/YY Inits Description of Change -// 08/12/99 PBH Original -//***************************************************************************** - -#include "stdafx.h" -#include "Leash.h" -#include "KrbProperties.h" -#include "KrbMiscConfigOpt.h" -#include "LeashFileDialog.h" -#include "LeashMessageBox.h" -#include "lglobals.h" -#include -#include "reminder.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - - -/////////////////////////////////////////////////////////////////////// -// CKrbMiscConfigOpt property page - -UINT CKrbMiscConfigOpt::m_DefaultLifeTime; -CString CKrbMiscConfigOpt::m_initDefaultLifeTimeMin; -CString CKrbMiscConfigOpt::m_newDefaultLifeTimeMin; -CEdit CKrbMiscConfigOpt::m_krbLifeTimeMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeTimeHr; -CString CKrbMiscConfigOpt::m_newDefaultLifeTimeHr; -CEdit CKrbMiscConfigOpt::m_krbLifeTimeHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeTimeDay; -CString CKrbMiscConfigOpt::m_newDefaultLifeTimeDay; -CEdit CKrbMiscConfigOpt::m_krbLifeTimeDayEditbox; - -UINT CKrbMiscConfigOpt::m_DefaultRenewTill; -CString CKrbMiscConfigOpt::m_initDefaultRenewTillMin; -CString CKrbMiscConfigOpt::m_newDefaultRenewTillMin; -CEdit CKrbMiscConfigOpt::m_krbRenewTillMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewTillHr; -CString CKrbMiscConfigOpt::m_newDefaultRenewTillHr; -CEdit CKrbMiscConfigOpt::m_krbRenewTillHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewTillDay; -CString CKrbMiscConfigOpt::m_newDefaultRenewTillDay; -CEdit CKrbMiscConfigOpt::m_krbRenewTillDayEditbox; - -UINT CKrbMiscConfigOpt::m_DefaultLifeMin; -CString CKrbMiscConfigOpt::m_initDefaultLifeMinMin; -CString CKrbMiscConfigOpt::m_newDefaultLifeMinMin; -CEdit CKrbMiscConfigOpt::m_krbLifeMinMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeMinHr; -CString CKrbMiscConfigOpt::m_newDefaultLifeMinHr; -CEdit CKrbMiscConfigOpt::m_krbLifeMinHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeMinDay; -CString CKrbMiscConfigOpt::m_newDefaultLifeMinDay; -CEdit CKrbMiscConfigOpt::m_krbLifeMinDayEditbox; - -UINT CKrbMiscConfigOpt::m_DefaultLifeMax; -CString CKrbMiscConfigOpt::m_initDefaultLifeMaxMin; -CString CKrbMiscConfigOpt::m_newDefaultLifeMaxMin; -CEdit CKrbMiscConfigOpt::m_krbLifeMaxMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeMaxHr; -CString CKrbMiscConfigOpt::m_newDefaultLifeMaxHr; -CEdit CKrbMiscConfigOpt::m_krbLifeMaxHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultLifeMaxDay; -CString CKrbMiscConfigOpt::m_newDefaultLifeMaxDay; -CEdit CKrbMiscConfigOpt::m_krbLifeMaxDayEditbox; - -UINT CKrbMiscConfigOpt::m_DefaultRenewMin; -CString CKrbMiscConfigOpt::m_initDefaultRenewMinMin; -CString CKrbMiscConfigOpt::m_newDefaultRenewMinMin; -CEdit CKrbMiscConfigOpt::m_krbRenewMinMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewMinHr; -CString CKrbMiscConfigOpt::m_newDefaultRenewMinHr; -CEdit CKrbMiscConfigOpt::m_krbRenewMinHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewMinDay; -CString CKrbMiscConfigOpt::m_newDefaultRenewMinDay; -CEdit CKrbMiscConfigOpt::m_krbRenewMinDayEditbox; - -UINT CKrbMiscConfigOpt::m_DefaultRenewMax; -CString CKrbMiscConfigOpt::m_initDefaultRenewMaxMin; -CString CKrbMiscConfigOpt::m_newDefaultRenewMaxMin; -CEdit CKrbMiscConfigOpt::m_krbRenewMaxMinEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewMaxHr; -CString CKrbMiscConfigOpt::m_newDefaultRenewMaxHr; -CEdit CKrbMiscConfigOpt::m_krbRenewMaxHrEditbox; -CString CKrbMiscConfigOpt::m_initDefaultRenewMaxDay; -CString CKrbMiscConfigOpt::m_newDefaultRenewMaxDay; -CEdit CKrbMiscConfigOpt::m_krbRenewMaxDayEditbox; - - -IMPLEMENT_DYNCREATE(CKrbMiscConfigOpt, CPropertyPage) - -CKrbMiscConfigOpt::CKrbMiscConfigOpt() : CPropertyPage(CKrbMiscConfigOpt::IDD) -{ - m_noLifeTime = FALSE; - - m_DefaultLifeTime = 0; - m_DefaultRenewTill = 0; - m_DefaultLifeMin = 0; - m_DefaultLifeMax = 0; - m_DefaultRenewMin = 0; - m_DefaultRenewMax = 0; - m_initUseKrb4 = m_newUseKrb4 = 0; - m_initKinitPreserve = m_newKinitPreserve = 0; - - //{{AFX_DATA_INIT(CKrbConfigOptions) - //}}AFX_DATA_INIT -} - -CKrbMiscConfigOpt::~CKrbMiscConfigOpt() -{ -} - -VOID CKrbMiscConfigOpt::DoDataExchange(CDataExchange* pDX) -{ - TRACE("Entering CKrbMiscConfigOpt::DoDataExchange -- %d\n", - pDX->m_bSaveAndValidate); - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbMscConfigOpt) - - DDX_Control(pDX, IDC_EDIT_LIFETIME_D, m_krbLifeTimeDayEditbox); - DDX_Control(pDX, IDC_EDIT_LIFETIME_H, m_krbLifeTimeHrEditbox); - DDX_Control(pDX, IDC_EDIT_LIFETIME_M, m_krbLifeTimeMinEditbox); - DDX_Control(pDX, IDC_EDIT_RENEWTILL_D, m_krbRenewTillDayEditbox); - DDX_Control(pDX, IDC_EDIT_RENEWTILL_H, m_krbRenewTillHrEditbox); - DDX_Control(pDX, IDC_EDIT_RENEWTILL_M, m_krbRenewTillMinEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MIN_D, m_krbLifeMinDayEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MIN_H, m_krbLifeMinHrEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MIN_M, m_krbLifeMinMinEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MAX_D, m_krbLifeMaxDayEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MAX_H, m_krbLifeMaxHrEditbox); - DDX_Control(pDX, IDC_EDIT_LIFE_MAX_M, m_krbLifeMaxMinEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MIN_D, m_krbRenewMinDayEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MIN_H, m_krbRenewMinHrEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MIN_M, m_krbRenewMinMinEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MAX_D, m_krbRenewMaxDayEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MAX_H, m_krbRenewMaxHrEditbox); - DDX_Control(pDX, IDC_EDIT_RENEW_MAX_M, m_krbRenewMaxMinEditbox); - //}}AFX_DATA_MAP -} - - -BOOL CKrbMiscConfigOpt::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - - DWORD tmp = m_DefaultLifeTime = pLeash_get_default_lifetime(); - if (tmp) - m_noLifeTime = FALSE; // We now have the value. - else - m_noLifeTime = TRUE; - - LPTSTR buf = m_initDefaultLifeTimeDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultLifeTimeDay.ReleaseBuffer(); - m_newDefaultLifeTimeDay = m_initDefaultLifeTimeDay; - - buf = m_initDefaultLifeTimeHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultLifeTimeHr.ReleaseBuffer(); - m_newDefaultLifeTimeHr = m_initDefaultLifeTimeHr; - - buf = m_initDefaultLifeTimeMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultLifeTimeMin.ReleaseBuffer(); - m_newDefaultLifeTimeMin = m_initDefaultLifeTimeMin; - - tmp = m_DefaultRenewTill = pLeash_get_default_renew_till(); - buf = m_initDefaultRenewTillDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultRenewTillDay.ReleaseBuffer(); - m_newDefaultRenewTillDay = m_initDefaultRenewTillDay; - - buf = m_initDefaultRenewTillHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultRenewTillHr.ReleaseBuffer(); - m_newDefaultRenewTillHr = m_initDefaultRenewTillHr; - - buf = m_initDefaultRenewTillMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultRenewTillMin.ReleaseBuffer(); - m_newDefaultRenewTillMin = m_initDefaultRenewTillMin; - - tmp = m_DefaultLifeMin = pLeash_get_default_life_min(); - buf = m_initDefaultLifeMinDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultLifeMinDay.ReleaseBuffer(); - m_newDefaultLifeMinDay = m_initDefaultLifeMinDay; - - buf = m_initDefaultLifeMinHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultLifeMinHr.ReleaseBuffer(); - m_newDefaultLifeMinHr = m_initDefaultLifeMinHr; - - buf = m_initDefaultLifeMinMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultLifeMinMin.ReleaseBuffer(); - m_newDefaultLifeMinMin = m_initDefaultLifeMinMin; - - tmp = m_DefaultLifeMax = pLeash_get_default_life_max(); - buf = m_initDefaultLifeMaxDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultLifeMaxDay.ReleaseBuffer(); - m_newDefaultLifeMaxDay = m_initDefaultLifeMaxDay; - - buf = m_initDefaultLifeMaxHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultLifeMaxHr.ReleaseBuffer(); - m_newDefaultLifeMaxHr = m_initDefaultLifeMaxHr; - - buf = m_initDefaultLifeMaxMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultLifeMaxMin.ReleaseBuffer(); - m_newDefaultLifeMaxMin = m_initDefaultLifeMaxMin; - - tmp = m_DefaultRenewMin = pLeash_get_default_renew_min(); - buf = m_initDefaultRenewMinDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultRenewMinDay.ReleaseBuffer(); - m_newDefaultRenewMinDay = m_initDefaultRenewMinDay; - - buf = m_initDefaultRenewMinHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultRenewMinHr.ReleaseBuffer(); - m_newDefaultRenewMinHr = m_initDefaultRenewMinHr; - - buf = m_initDefaultRenewMinMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultRenewMinMin.ReleaseBuffer(); - m_newDefaultRenewMinMin = m_initDefaultRenewMinMin; - - tmp = m_DefaultRenewMax = pLeash_get_default_renew_max(); - buf = m_initDefaultRenewMaxDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_initDefaultRenewMaxDay.ReleaseBuffer(); - m_newDefaultRenewMaxDay = m_initDefaultRenewMaxDay; - - buf = m_initDefaultRenewMaxHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_initDefaultRenewMaxHr.ReleaseBuffer(); - m_newDefaultRenewMaxHr = m_initDefaultRenewMaxHr; - - buf = m_initDefaultRenewMaxMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_initDefaultRenewMaxMin.ReleaseBuffer(); - m_newDefaultRenewMaxMin = m_initDefaultRenewMaxMin; - - if (!CLeashApp::m_hKrb5DLL) - { - GetDlgItem(IDC_EDIT_RENEWTILL_D)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEWTILL_H)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEWTILL_M)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MIN_D)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MIN_H)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MIN_M)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MAX_D)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MAX_H)->EnableWindow(FALSE); - GetDlgItem(IDC_EDIT_RENEW_MAX_M)->EnableWindow(FALSE); - } - -#ifndef NO_KRB4 - m_initUseKrb4 = m_newUseKrb4 = (CLeashApp::m_hKrb4DLL ? pLeash_get_default_use_krb4() : 0); - CheckDlgButton(IDC_CHECK_REQUEST_KRB4, m_initUseKrb4); - if ( !CLeashApp::m_hKrb4DLL ) - GetDlgItem(IDC_CHECK_REQUEST_KRB4)->EnableWindow(FALSE); -#else -////Or remove these completely? - m_initUseKrb4 = m_newUseKrb4 = 0; - CheckDlgButton(IDC_CHECK_REQUEST_KRB4, 0); - GetDlgItem(IDC_CHECK_REQUEST_KRB4)->EnableWindow(FALSE); -#endif - - m_initKinitPreserve = m_newKinitPreserve = pLeash_get_default_preserve_kinit_settings(); - CheckDlgButton(IDC_CHECK_PRESERVE_KINIT_OPTIONS, m_initKinitPreserve); - - return(TRUE); -} - -BOOL CKrbMiscConfigOpt::OnApply() -{ - DWORD lifetime = ((atoi(m_newDefaultLifeTimeDay)*24 + atoi(m_newDefaultLifeTimeHr)) * 60) + atoi(m_newDefaultLifeTimeMin); - DWORD renewtill = ((atoi(m_newDefaultRenewTillDay)*24 + atoi(m_newDefaultRenewTillHr)) * 60) + atoi(m_newDefaultRenewTillMin); - DWORD lifemin = ((atoi(m_newDefaultLifeMinDay)*24 + atoi(m_newDefaultLifeMinHr)) * 60) + atoi(m_newDefaultLifeMinMin); - DWORD lifemax = ((atoi(m_newDefaultLifeMaxDay)*24 + atoi(m_newDefaultLifeMaxHr)) * 60) + atoi(m_newDefaultLifeMaxMin); - DWORD renewmin = ((atoi(m_newDefaultRenewMinDay)*24 + atoi(m_newDefaultRenewMinHr)) * 60) + atoi(m_newDefaultRenewMinMin); - DWORD renewmax = ((atoi(m_newDefaultRenewMaxDay)*24 + atoi(m_newDefaultRenewMaxHr)) * 60) + atoi(m_newDefaultRenewMaxMin); - - // If no changes were made, quit this function - if ( m_DefaultLifeTime == lifetime && - m_DefaultRenewTill == renewtill && - m_DefaultLifeMin == lifemin && - m_DefaultLifeMax == lifemax && - m_DefaultRenewMin == renewmin && - m_DefaultRenewMax == renewmax && - m_initUseKrb4 == m_newUseKrb4 && - m_initKinitPreserve == m_newKinitPreserve - ) - return TRUE; - - if ( lifemin > lifemax ) { - MessageBox("The Minimum Ticket Lifetime must be less than the Maximum Ticket Lifetime.", - "Leash", MB_OK); - return(FALSE); - } - - if (lifetime < lifemin || lifetime > lifemax) { - MessageBox("The default Ticket Lifetime must fall within the range specified by the " - "Minimum and Maximum Ticket Lifetime fields", - "Leash", MB_OK); - return(FALSE); - } - - if ( CLeashApp::m_hKrb5DLL && (renewmin > renewmax) ) { - MessageBox("The Minimum Ticket Renewable Lifetime must be less than the Maximum Ticket Renewable Lifetime.", - "Leash", MB_OK); - return(FALSE); - } - - if ( CLeashApp::m_hKrb5DLL && (renewmin < lifemin) ) { - MessageBox("The Minimum Renewable Ticket Lifetime must not be smaller than the Minimum Ticket Lifetime.", - "Leash", MB_OK); - } - - if ( CLeashApp::m_hKrb5DLL && (renewtill < renewmin || renewtill > renewmax) ) { - MessageBox("The default Renewable Ticket Lifetime must fall within the range specified by the " - "Minimum and Maximum Renewable Ticket Lifetime fields", - "Leash", MB_OK); - return(FALSE); - } - - m_DefaultLifeMin = lifemin; - pLeash_set_default_life_min(m_DefaultLifeMin); - m_initDefaultLifeMinDay = m_newDefaultLifeMinDay; - m_initDefaultLifeMinHr = m_newDefaultLifeMinHr ; - m_initDefaultLifeMinMin = m_newDefaultLifeMinMin; - - m_DefaultLifeMax = lifemax; - pLeash_set_default_life_max(m_DefaultLifeMax); - m_initDefaultLifeMaxDay = m_newDefaultLifeMaxDay; - m_initDefaultLifeMaxHr = m_newDefaultLifeMaxHr ; - m_initDefaultLifeMaxMin = m_newDefaultLifeMaxMin; - - m_DefaultRenewMin = renewmin; - pLeash_set_default_renew_min(m_DefaultRenewMin); - m_initDefaultRenewMinDay = m_newDefaultRenewMinDay; - m_initDefaultRenewMinHr = m_newDefaultRenewMinHr ; - m_initDefaultRenewMinMin = m_newDefaultRenewMinMin; - - m_DefaultRenewMax = renewmax; - pLeash_set_default_renew_max(m_DefaultRenewMax); - m_initDefaultRenewMaxDay = m_newDefaultRenewMaxDay; - m_initDefaultRenewMaxHr = m_newDefaultRenewMaxHr ; - m_initDefaultRenewMaxMin = m_newDefaultRenewMaxMin; - - m_DefaultRenewTill = renewtill; - pLeash_set_default_renew_till(m_DefaultRenewTill); - m_initDefaultRenewTillDay = m_newDefaultRenewTillDay; - m_initDefaultRenewTillHr = m_newDefaultRenewTillHr ; - m_initDefaultRenewTillMin = m_newDefaultRenewTillMin; - - if( getenv("LIFETIME") != NULL) - { - MessageBox("The ticket lifetime is being controlled by the environment " - "variable LIFETIME instead of the registry. Leash cannot modify " - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return(FALSE); - } - - m_DefaultLifeTime = lifetime; - pLeash_set_default_lifetime(m_DefaultLifeTime); - m_initDefaultLifeTimeDay = m_newDefaultLifeTimeDay; - m_initDefaultLifeTimeHr = m_newDefaultLifeTimeHr ; - m_initDefaultLifeTimeMin = m_newDefaultLifeTimeMin; - - // If we're using an environment variable tell the user that we - // can't use Leash to modify the value. - - if (!m_DefaultLifeTime) - { - MessageBox("A lifetime setting of 0 is special in that it means that " - "the application is free to pick whatever default it deems " - "appropriate", - "Leash", MB_OK); - } - -#ifndef NO_KRB4 - if ( m_initUseKrb4 != m_newUseKrb4 ) { - pLeash_set_default_use_krb4(m_newUseKrb4); - } -#endif - - if ( m_initKinitPreserve != m_newKinitPreserve ) { - pLeash_set_default_preserve_kinit_settings(m_newKinitPreserve); - } - - return TRUE; -} - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultLifeTime() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - GetDlgItemText(IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - GetDlgItemText(IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); - DWORD value = (((atoi(m_newDefaultLifeTimeDay)*24 + atoi(m_newDefaultLifeTimeHr)) * 60) + atoi(m_newDefaultLifeTimeMin)); - LPSTR buf = m_newDefaultLifeTimeDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeTimeDay.ReleaseBuffer(); - buf = m_newDefaultLifeTimeHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeTimeHr.ReleaseBuffer(); - buf = m_newDefaultLifeTimeMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeTimeMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - SetDlgItemText(IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - SetDlgItemText(IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultLifeTime() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - GetDlgItemText(IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - GetDlgItemText(IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); - DWORD value = (((atoi(m_newDefaultLifeTimeDay)*24 + atoi(m_newDefaultLifeTimeHr)) * 60) + atoi(m_newDefaultLifeTimeMin)); - LPSTR buf = m_newDefaultLifeTimeDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeTimeDay.ReleaseBuffer(); - buf = m_newDefaultLifeTimeHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeTimeHr.ReleaseBuffer(); - buf = m_newDefaultLifeTimeMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeTimeMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - SetDlgItemText(IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - SetDlgItemText(IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultLifeTimeEditBox() -{ - // Reset Config Tab's Default LifeTime Editbox - - DWORD tmp = m_DefaultLifeTime = pLeash_get_default_lifetime(); - LPSTR buf = m_newDefaultLifeTimeDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultLifeTimeDay.ReleaseBuffer(); - buf = m_newDefaultLifeTimeHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultLifeTimeHr.ReleaseBuffer(); - buf = m_newDefaultLifeTimeMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultLifeTimeMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); -} - - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultRenewTill() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - GetDlgItemText(IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - GetDlgItemText(IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); - DWORD value = (((atoi(m_newDefaultRenewTillDay)*24 + atoi(m_newDefaultRenewTillHr)) * 60) + atoi(m_newDefaultRenewTillMin)); - LPSTR buf = m_newDefaultRenewTillDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewTillDay.ReleaseBuffer(); - buf = m_newDefaultRenewTillHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewTillHr.ReleaseBuffer(); - buf = m_newDefaultRenewTillMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewTillMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - SetDlgItemText(IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - SetDlgItemText(IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultRenewTill() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - GetDlgItemText(IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - GetDlgItemText(IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); - DWORD value = (((atoi(m_newDefaultRenewTillDay)*24 + atoi(m_newDefaultRenewTillHr)) * 60) + atoi(m_newDefaultRenewTillMin)); - LPSTR buf = m_newDefaultRenewTillDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewTillDay.ReleaseBuffer(); - buf = m_newDefaultRenewTillHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewTillHr.ReleaseBuffer(); - buf = m_newDefaultRenewTillMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewTillMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - SetDlgItemText(IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - SetDlgItemText(IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultRenewTillEditBox() -{ - // Reset Config Tab's Default RenewTill Editbox - - DWORD tmp = m_DefaultRenewTill = pLeash_get_default_lifetime(); - LPSTR buf = m_newDefaultRenewTillDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultRenewTillDay.ReleaseBuffer(); - buf = m_newDefaultRenewTillHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultRenewTillHr.ReleaseBuffer(); - buf = m_newDefaultRenewTillMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultRenewTillMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); -} - - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultLifeMin() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - GetDlgItemText(IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - GetDlgItemText(IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); - DWORD value = (((atoi(m_newDefaultLifeMinDay)*24 + atoi(m_newDefaultLifeMinHr)) * 60) + atoi(m_newDefaultLifeMinMin)); - LPSTR buf = m_newDefaultLifeMinDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeMinDay.ReleaseBuffer(); - buf = m_newDefaultLifeMinHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeMinHr.ReleaseBuffer(); - buf = m_newDefaultLifeMinMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeMinMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - SetDlgItemText(IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - SetDlgItemText(IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultLifeMin() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - GetDlgItemText(IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - GetDlgItemText(IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); - DWORD value = (((atoi(m_newDefaultLifeMinDay)*24 + atoi(m_newDefaultLifeMinHr)) * 60) + atoi(m_newDefaultLifeMinMin)); - LPSTR buf = m_newDefaultLifeMinDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeMinDay.ReleaseBuffer(); - buf = m_newDefaultLifeMinHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeMinHr.ReleaseBuffer(); - buf = m_newDefaultLifeMinMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeMinMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - SetDlgItemText(IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - SetDlgItemText(IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultLifeMinEditBox() -{ - // Reset Config Tab's Default LifeMin Editbox - - DWORD tmp = m_DefaultLifeMin = pLeash_get_default_life_min(); - LPSTR buf = m_newDefaultLifeMinDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultLifeMinDay.ReleaseBuffer(); - buf = m_newDefaultLifeMinHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultLifeMinHr.ReleaseBuffer(); - buf = m_newDefaultLifeMinMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultLifeMinMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); -} - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultLifeMax() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - GetDlgItemText(IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - GetDlgItemText(IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); - DWORD value = (((atoi(m_newDefaultLifeMaxDay)*24 + atoi(m_newDefaultLifeMaxHr)) * 60) + atoi(m_newDefaultLifeMaxMin)); - LPSTR buf = m_newDefaultLifeMaxDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeMaxDay.ReleaseBuffer(); - buf = m_newDefaultLifeMaxHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeMaxHr.ReleaseBuffer(); - buf = m_newDefaultLifeMaxMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeMaxMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - SetDlgItemText(IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - SetDlgItemText(IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultLifeMax() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - GetDlgItemText(IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - GetDlgItemText(IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); - DWORD value = (((atoi(m_newDefaultLifeMaxDay)*24 + atoi(m_newDefaultLifeMaxHr)) * 60) + atoi(m_newDefaultLifeMaxMin)); - LPSTR buf = m_newDefaultLifeMaxDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultLifeMaxDay.ReleaseBuffer(); - buf = m_newDefaultLifeMaxHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultLifeMaxHr.ReleaseBuffer(); - buf = m_newDefaultLifeMaxMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultLifeMaxMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - SetDlgItemText(IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - SetDlgItemText(IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultLifeMaxEditBox() -{ - // Reset Config Tab's Default LifeMax Editbox - - DWORD tmp = m_DefaultLifeMax = pLeash_get_default_life_min(); - LPSTR buf = m_newDefaultLifeMaxDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultLifeMaxDay.ReleaseBuffer(); - buf = m_newDefaultLifeMaxHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultLifeMaxHr.ReleaseBuffer(); - buf = m_newDefaultLifeMaxMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultLifeMaxMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); -} - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultRenewMin() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - GetDlgItemText(IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - GetDlgItemText(IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); - DWORD value = (((atoi(m_newDefaultRenewMinDay)*24 + atoi(m_newDefaultRenewMinHr)) * 60) + atoi(m_newDefaultRenewMinMin)); - LPSTR buf = m_newDefaultRenewMinDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewMinDay.ReleaseBuffer(); - buf = m_newDefaultRenewMinHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewMinHr.ReleaseBuffer(); - buf = m_newDefaultRenewMinMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewMinMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - SetDlgItemText(IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - SetDlgItemText(IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultRenewMin() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - GetDlgItemText(IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - GetDlgItemText(IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); - DWORD value = (((atoi(m_newDefaultRenewMinDay)*24 + atoi(m_newDefaultRenewMinHr)) * 60) + atoi(m_newDefaultRenewMinMin)); - LPSTR buf = m_newDefaultRenewMinDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewMinDay.ReleaseBuffer(); - buf = m_newDefaultRenewMinHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewMinHr.ReleaseBuffer(); - buf = m_newDefaultRenewMinMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewMinMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - SetDlgItemText(IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - SetDlgItemText(IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultRenewMinEditBox() -{ - // Reset Config Tab's Default RenewMin Editbox - - DWORD tmp = m_DefaultRenewMin = pLeash_get_default_life_min(); - LPSTR buf = m_newDefaultRenewMinDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultRenewMinDay.ReleaseBuffer(); - buf = m_newDefaultRenewMinHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultRenewMinHr.ReleaseBuffer(); - buf = m_newDefaultRenewMinMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultRenewMinMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); -} - -void CKrbMiscConfigOpt::OnSelchangeEditDefaultRenewMax() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - GetDlgItemText(IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - GetDlgItemText(IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); - DWORD value = (((atoi(m_newDefaultRenewMaxDay)*24 + atoi(m_newDefaultRenewMaxHr)) * 60) + atoi(m_newDefaultRenewMaxMin)); - LPSTR buf = m_newDefaultRenewMaxDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewMaxDay.ReleaseBuffer(); - buf = m_newDefaultRenewMaxHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewMaxHr.ReleaseBuffer(); - buf = m_newDefaultRenewMaxMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewMaxMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - SetDlgItemText(IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - SetDlgItemText(IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::OnEditKillfocusEditDefaultRenewMax() -{ - static int in_progress = 0; - if (!in_progress && !m_startupPage2) - { - in_progress = 1; - GetDlgItemText(IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - GetDlgItemText(IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - GetDlgItemText(IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); - DWORD value = (((atoi(m_newDefaultRenewMaxDay)*24 + atoi(m_newDefaultRenewMaxHr)) * 60) + atoi(m_newDefaultRenewMaxMin)); - LPSTR buf = m_newDefaultRenewMaxDay.GetBuffer(80); - _itoa(value/24/60, buf, 10); - value %= (24 * 60); - m_newDefaultRenewMaxDay.ReleaseBuffer(); - buf = m_newDefaultRenewMaxHr.GetBuffer(80); - _itoa(value/60, buf, 10); - value %= 60; - m_newDefaultRenewMaxHr.ReleaseBuffer(); - buf = m_newDefaultRenewMaxMin.GetBuffer(80); - _itoa(value, buf, 10); - m_newDefaultRenewMaxMin.ReleaseBuffer(); - SetDlgItemText(IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - SetDlgItemText(IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - SetDlgItemText(IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); - - SetModified(TRUE); - in_progress = 0; - } -} - -void CKrbMiscConfigOpt::ResetDefaultRenewMaxEditBox() -{ - // Reset Config Tab's Default RenewMax Editbox - - DWORD tmp = m_DefaultRenewMax = pLeash_get_default_life_min(); - LPSTR buf = m_newDefaultRenewMaxDay.GetBuffer(80); - _itoa(tmp/24/60, buf, 10); - tmp %= (24 * 60); - m_newDefaultRenewMaxDay.ReleaseBuffer(); - buf = m_newDefaultRenewMaxHr.GetBuffer(80); - _itoa(tmp/60, buf, 10); - tmp %= 60; - m_newDefaultRenewMaxHr.ReleaseBuffer(); - buf = m_newDefaultRenewMaxMin.GetBuffer(80); - _itoa(tmp, buf, 10); - m_newDefaultRenewMaxMin.ReleaseBuffer(); - - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - ::SetDlgItemText(::GetForegroundWindow(), IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); -} - -void CKrbMiscConfigOpt::OnCheckUseKrb4() -{ - m_newUseKrb4 = (BOOL)IsDlgButtonChecked(IDC_CHECK_REQUEST_KRB4); -} - -void CKrbMiscConfigOpt::OnCheckKinitPreserve() -{ - m_newKinitPreserve = (BOOL)IsDlgButtonChecked(IDC_CHECK_PRESERVE_KINIT_OPTIONS); -} - -void CKrbMiscConfigOpt::OnShowWindow(BOOL bShow, UINT nStatus) -{ - CPropertyPage::OnShowWindow(bShow, nStatus); - - if (CLeashApp::m_hKrb5DLL) - ResetDefaultLifeTimeEditBox(); - - SetDlgItemText(IDC_EDIT_LIFETIME_D, m_newDefaultLifeTimeDay); - SetDlgItemText(IDC_EDIT_LIFETIME_H, m_newDefaultLifeTimeHr); - SetDlgItemText(IDC_EDIT_LIFETIME_M, m_newDefaultLifeTimeMin); - SetDlgItemText(IDC_EDIT_RENEWTILL_D, m_newDefaultRenewTillDay); - SetDlgItemText(IDC_EDIT_RENEWTILL_H, m_newDefaultRenewTillHr); - SetDlgItemText(IDC_EDIT_RENEWTILL_M, m_newDefaultRenewTillMin); - SetDlgItemText(IDC_EDIT_LIFE_MIN_D, m_newDefaultLifeMinDay); - SetDlgItemText(IDC_EDIT_LIFE_MIN_H, m_newDefaultLifeMinHr); - SetDlgItemText(IDC_EDIT_LIFE_MIN_M, m_newDefaultLifeMinMin); - SetDlgItemText(IDC_EDIT_LIFE_MAX_D, m_newDefaultLifeMaxDay); - SetDlgItemText(IDC_EDIT_LIFE_MAX_H, m_newDefaultLifeMaxHr); - SetDlgItemText(IDC_EDIT_LIFE_MAX_M, m_newDefaultLifeMaxMin); - SetDlgItemText(IDC_EDIT_RENEW_MIN_D, m_newDefaultRenewMinDay); - SetDlgItemText(IDC_EDIT_RENEW_MIN_H, m_newDefaultRenewMinHr); - SetDlgItemText(IDC_EDIT_RENEW_MIN_M, m_newDefaultRenewMinMin); - SetDlgItemText(IDC_EDIT_RENEW_MAX_D, m_newDefaultRenewMaxDay); - SetDlgItemText(IDC_EDIT_RENEW_MAX_H, m_newDefaultRenewMaxHr); - SetDlgItemText(IDC_EDIT_RENEW_MAX_M, m_newDefaultRenewMaxMin); -} - -BOOL CKrbMiscConfigOpt::PreTranslateMessage(MSG* pMsg) -{ - if (!m_startupPage2) - { - if (m_noLifeTime) - { - MessageBox("A lifetime setting of 0 is special in that it means that " - "the application is free to pick whatever default it deems " - "appropriate", - "Leash", MB_OK); - m_noLifeTime = FALSE; - } - } - - m_startupPage2 = FALSE; - return CPropertyPage::PreTranslateMessage(pMsg); -} - - -BEGIN_MESSAGE_MAP(CKrbMiscConfigOpt, CPropertyPage) - //{{AFX_MSG_MAP(CKrbConfigOptions) - ON_WM_SHOWWINDOW() - - ON_EN_KILLFOCUS(IDC_EDIT_LIFETIME_D, OnEditKillfocusEditDefaultLifeTime) - ON_CBN_SELCHANGE(IDC_EDIT_LIFETIME_D, OnSelchangeEditDefaultLifeTime) - ON_EN_KILLFOCUS(IDC_EDIT_LIFETIME_H, OnEditKillfocusEditDefaultLifeTime) - ON_CBN_SELCHANGE(IDC_EDIT_LIFETIME_H, OnSelchangeEditDefaultLifeTime) - ON_EN_KILLFOCUS(IDC_EDIT_LIFETIME_M, OnEditKillfocusEditDefaultLifeTime) - ON_CBN_SELCHANGE(IDC_EDIT_LIFETIME_M, OnSelchangeEditDefaultLifeTime) - - ON_EN_KILLFOCUS(IDC_EDIT_RENEWTILL_D, OnEditKillfocusEditDefaultRenewTill) - ON_CBN_SELCHANGE(IDC_EDIT_RENEWTILL_D, OnSelchangeEditDefaultRenewTill) - ON_EN_KILLFOCUS(IDC_EDIT_RENEWTILL_H, OnEditKillfocusEditDefaultRenewTill) - ON_CBN_SELCHANGE(IDC_EDIT_RENEWTILL_H, OnSelchangeEditDefaultRenewTill) - ON_EN_KILLFOCUS(IDC_EDIT_RENEWTILL_M, OnEditKillfocusEditDefaultRenewTill) - ON_CBN_SELCHANGE(IDC_EDIT_RENEWTILL_M, OnSelchangeEditDefaultRenewTill) - - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MIN_D, OnEditKillfocusEditDefaultLifeMin) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MIN_D, OnSelchangeEditDefaultLifeMin) - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MIN_H, OnEditKillfocusEditDefaultLifeMin) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MIN_H, OnSelchangeEditDefaultLifeMin) - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MIN_M, OnEditKillfocusEditDefaultLifeMin) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MIN_M, OnSelchangeEditDefaultLifeMin) - - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MAX_D, OnEditKillfocusEditDefaultLifeMax) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MAX_D, OnSelchangeEditDefaultLifeMax) - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MAX_H, OnEditKillfocusEditDefaultLifeMax) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MAX_H, OnSelchangeEditDefaultLifeMax) - ON_EN_KILLFOCUS(IDC_EDIT_LIFE_MAX_M, OnEditKillfocusEditDefaultLifeMax) - ON_CBN_SELCHANGE(IDC_EDIT_LIFE_MAX_M, OnSelchangeEditDefaultLifeMax) - - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MIN_D, OnEditKillfocusEditDefaultRenewMin) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MIN_D, OnSelchangeEditDefaultRenewMin) - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MIN_H, OnEditKillfocusEditDefaultRenewMin) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MIN_H, OnSelchangeEditDefaultRenewMin) - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MIN_M, OnEditKillfocusEditDefaultRenewMin) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MIN_M, OnSelchangeEditDefaultRenewMin) - - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MAX_D, OnEditKillfocusEditDefaultRenewMax) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MAX_D, OnSelchangeEditDefaultRenewMax) - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MAX_H, OnEditKillfocusEditDefaultRenewMax) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MAX_H, OnSelchangeEditDefaultRenewMax) - ON_EN_KILLFOCUS(IDC_EDIT_RENEW_MAX_M, OnEditKillfocusEditDefaultRenewMax) - ON_CBN_SELCHANGE(IDC_EDIT_RENEW_MAX_M, OnSelchangeEditDefaultRenewMax) - - ON_BN_CLICKED(IDC_CHECK_REQUEST_KRB4, OnCheckUseKrb4) - ON_BN_CLICKED(IDC_CHECK_PRESERVE_KINIT_OPTIONS, OnCheckKinitPreserve) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() diff --git a/src/windows/leash/KrbMiscConfigOpt.h b/src/windows/leash/KrbMiscConfigOpt.h deleted file mode 100644 index e2daf29..0000000 --- a/src/windows/leash/KrbMiscConfigOpt.h +++ /dev/null @@ -1,173 +0,0 @@ -//***************************************************************************** -// File: KrbMiscConfigOpt.h -// By: Paul B. Hill -// Created: 08/12/1999 -// Copyright: @1999 Massachusetts Institute of Technology - All rights -// reserved. -// Description: H file for KrbMiscConfigOpt.cpp. Contains variables -// and functions for Kerberos Properties. -// -// History: -// -// MM/DD/YY Inits Description of Change -// 08/12/99 PBH Original -//***************************************************************************** - - -#if !defined(AFX_MISCCONFIGOPT_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) -#define AFX_MISCONFIGOPT_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_ - -#if _MSC_VER >= 1000 -#pragma once -#endif - - -#include "resource.h" - - -/////////////////////////////////////////////////////////////////////// -// CKrbMiscConfigOptions dialog - -class CKrbMiscConfigOpt : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrbMiscConfigOpt) - BOOL m_startupPage2; - BOOL m_noLifeTime; - - static UINT m_DefaultLifeTime; - static CString m_initDefaultLifeTimeMin; - static CString m_newDefaultLifeTimeMin; - static CString m_initDefaultLifeTimeHr; - static CString m_newDefaultLifeTimeHr; - static CString m_initDefaultLifeTimeDay; - static CString m_newDefaultLifeTimeDay; - - static UINT m_DefaultRenewTill; - static CString m_initDefaultRenewTillMin; - static CString m_newDefaultRenewTillMin; - static CString m_initDefaultRenewTillHr; - static CString m_newDefaultRenewTillHr; - static CString m_initDefaultRenewTillDay; - static CString m_newDefaultRenewTillDay; - - static UINT m_DefaultLifeMin; - static CString m_initDefaultLifeMinMin; - static CString m_newDefaultLifeMinMin; - static CString m_initDefaultLifeMinHr; - static CString m_newDefaultLifeMinHr; - static CString m_initDefaultLifeMinDay; - static CString m_newDefaultLifeMinDay; - - static UINT m_DefaultLifeMax; - static CString m_initDefaultLifeMaxMin; - static CString m_newDefaultLifeMaxMin; - static CString m_initDefaultLifeMaxHr; - static CString m_newDefaultLifeMaxHr; - static CString m_initDefaultLifeMaxDay; - static CString m_newDefaultLifeMaxDay; - - static UINT m_DefaultRenewMin; - static CString m_initDefaultRenewMinMin; - static CString m_newDefaultRenewMinMin; - static CString m_initDefaultRenewMinHr; - static CString m_newDefaultRenewMinHr; - static CString m_initDefaultRenewMinDay; - static CString m_newDefaultRenewMinDay; - - static UINT m_DefaultRenewMax; - static CString m_initDefaultRenewMaxMin; - static CString m_newDefaultRenewMaxMin; - static CString m_initDefaultRenewMaxHr; - static CString m_newDefaultRenewMaxHr; - static CString m_initDefaultRenewMaxDay; - static CString m_newDefaultRenewMaxDay; - - static void ResetDefaultLifeTimeEditBox(); - static void ResetDefaultRenewTillEditBox(); - static void ResetDefaultLifeMinEditBox(); - static void ResetDefaultLifeMaxEditBox(); - static void ResetDefaultRenewMinEditBox(); - static void ResetDefaultRenewMaxEditBox(); - - BOOL m_initUseKrb4; - BOOL m_newUseKrb4; - BOOL m_initKinitPreserve; - BOOL m_newKinitPreserve; - -public: - CKrbMiscConfigOpt(); - ~CKrbMiscConfigOpt(); - -// Dialog Data - //{{AFX_DATA(CKrbMiscConfigOpt) - enum { IDD = IDD_KRB_PROP_MISC }; - static CEdit m_krbLifeTimeDayEditbox; - static CEdit m_krbLifeTimeMinEditbox; - static CEdit m_krbLifeTimeHrEditbox; - static CEdit m_krbRenewTillDayEditbox; - static CEdit m_krbRenewTillMinEditbox; - static CEdit m_krbRenewTillHrEditbox; - static CEdit m_krbRenewMaxDayEditbox; - static CEdit m_krbRenewMinDayEditbox; - static CEdit m_krbLifeMinDayEditbox; - static CEdit m_krbLifeMinMinEditbox; - static CEdit m_krbLifeMinHrEditbox; - static CEdit m_krbLifeMaxDayEditbox; - static CEdit m_krbLifeMaxMinEditbox; - static CEdit m_krbLifeMaxHrEditbox; - static CEdit m_krbRenewMinMinEditbox; - static CEdit m_krbRenewMinHrEditbox; - static CEdit m_krbRenewMaxMinEditbox; - static CEdit m_krbRenewMaxHrEditbox; - //}}AFX_DATA - - -// Overrides - // ClassWizard generate virtual function overrides - //{{AFX_VIRTUAL(CKrbConfigOptions) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual VOID DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - virtual BOOL OnApply(); - -// Implementation -protected: - // Generated message map functions - //{{AFX_MSG(CKrbMiscConfigOpt) - virtual BOOL OnInitDialog(); - afx_msg void OnShowWindow(BOOL bShow, UINT nStatus); - afx_msg void OnEditKillfocusEditDefaultLifeTime(); - afx_msg void OnResetDefaultLifeTimeEditBox(); - afx_msg void OnSelchangeEditDefaultLifeTime(); - afx_msg void OnEditKillfocusEditDefaultRenewTill(); - afx_msg void OnResetDefaultRenewTillEditBox(); - afx_msg void OnSelchangeEditDefaultRenewTill(); - afx_msg void OnEditKillfocusEditDefaultLifeMin(); - afx_msg void OnResetDefaultLifeMinEditBox(); - afx_msg void OnSelchangeEditDefaultLifeMin(); - afx_msg void OnEditKillfocusEditDefaultLifeMax(); - afx_msg void OnResetDefaultLifeMaxEditBox(); - afx_msg void OnSelchangeEditDefaultLifeMax(); - afx_msg void OnEditKillfocusEditDefaultRenewMin(); - afx_msg void OnResetDefaultRenewMinEditBox(); - afx_msg void OnSelchangeEditDefaultRenewMin(); - afx_msg void OnEditKillfocusEditDefaultRenewMax(); - afx_msg void OnResetDefaultRenewMaxEditBox(); - afx_msg void OnSelchangeEditDefaultRenewMax(); - afx_msg void OnCheckUseKrb4(); - afx_msg void OnCheckKinitPreserve(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() - -}; - -///////////////////////////////////////////////////////////////////////////// -//{{AFX_INSERT_LOCATION}} -// Microsoft Developer Studio will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_MISCONFIGOPT_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) diff --git a/src/windows/leash/KrbProperties.cpp b/src/windows/leash/KrbProperties.cpp deleted file mode 100644 index 0a64142..0000000 --- a/src/windows/leash/KrbProperties.cpp +++ /dev/null @@ -1,106 +0,0 @@ -// File: KrbProperties.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbProperties.h. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 02/01/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "KrbProperties.h" -#include "Krb4Properties.h" - -#include "Leash.h" -#include "wshelper.h" -#include "lglobals.h" -#include "reminder.h" - -CHAR CKrbProperties::m_krbPath[MAX_PATH]; -CHAR CKrbProperties::m_krbrealmPath[MAX_PATH]; -BOOL CKrbProperties::KrbPropertiesOn; - -/////////////////////////////////////////////////////////////////////// -// CKrbProperties - -IMPLEMENT_DYNAMIC(CKrbProperties, CPropertySheet) -CKrbProperties::CKrbProperties(UINT nIDCaption, CWnd* pParentWnd, - UINT iSelectPage) -:CPropertySheet(nIDCaption, pParentWnd, iSelectPage) -{ -} - -CKrbProperties::CKrbProperties(LPCTSTR pszCaption, CWnd* pParentWnd, - UINT iSelectPage) -:CPropertySheet(pszCaption, pParentWnd, iSelectPage) -{ - KrbPropertiesOn = FALSE; - -#ifdef COMMENT - // If this will not be fatal, then it does not need to be performed here. - if (CLeashApp::m_hKrb5DLL) - { - char *realm = NULL; - pkrb5_get_default_realm(CLeashApp::m_krbv5_context, &realm); - - if (!realm) - { - MessageBox("CKrbProperties::Unable to determine default Kerberos REALM.\ - \n Consult your Administrator!", - "Error", MB_OK); - // I don't think this is necessarily fatal. - jaltman - // return; - } - } -#endif /* COMMENT */ - -#ifndef NO_KRB4 - CLeashApp::GetKrb4ConFile(m_krbPath,sizeof(m_krbPath)); - CLeashApp::GetKrb4RealmFile(m_krbrealmPath,sizeof(m_krbrealmPath)); -#endif - - AddPage(&m_configOptions); - AddPage(&m_miscConfigOpt); - -#ifndef NO_KRB4 - if (CLeashApp::m_hKrb4DLL && !CLeashApp::m_hKrb5DLL) - { - AddPage(&m_krb4RealmHostMaintenance); - AddPage(&m_krb4DomainRealmMaintenance); - } - else -#endif - if (CLeashApp::m_hKrb5DLL) - { - AddPage(&m_realmHostMaintenance); - AddPage(&m_domainRealmMaintenance); - } - - KrbPropertiesOn = TRUE; -} - -CKrbProperties::~CKrbProperties() -{ - KrbPropertiesOn = FALSE; -} - -void CKrbProperties::OnHelp() -{ - AfxGetApp()->WinHelp(HID_KERBEROS_PROPERTIES_COMMAND); -} - - -BEGIN_MESSAGE_MAP(CKrbProperties, CPropertySheet) - //{{AFX_MSG_MAP(CKrbProperties) - // NOTE - the ClassWizard will add and remove mapping macros here. - ON_COMMAND(ID_HELP, OnHelp) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -/////////////////////////////////////////////////////////////////////// -// CKrbProperties message handlers diff --git a/src/windows/leash/KrbProperties.h b/src/windows/leash/KrbProperties.h deleted file mode 100644 index f476ac1..0000000 --- a/src/windows/leash/KrbProperties.h +++ /dev/null @@ -1,95 +0,0 @@ -// ************************************************************************************** -// File: KrbProperties.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbProperties.cpp. Contains variables and functions -// for Kerberos Four Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 02/01/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_KRB_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) -#define AFX_KRB_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_ - -#if _MSC_VER >= 1000 -#pragma once -#endif // _MSC_VER >= 1000 -// KrbProperties.h : header file -// - -#include "KrbConfigOptions.h" -#include "KrbRealmHostMaintenance.h" -#include "KrbDomainRealmMaintenance.h" -#ifndef NO_KRB4 -#include "Krb4DomainRealmMaintenance.h" -#include "Krb4RealmHostMaintenance.h" -#endif -#include "KrbMiscConfigOpt.h" - -////////////////////////////////////////////////////////////////////// -// CKrbProperties - -class CKrbProperties : public CPropertySheet -{ -private: - DECLARE_DYNAMIC(CKrbProperties) - -public: - //CKrbConfigFileLocation m_fileLocation; - CKrbConfigOptions m_configOptions; -#ifndef NO_KRB4 - CKrb4RealmHostMaintenance m_krb4RealmHostMaintenance; -#endif - CKrbRealmHostMaintenance m_realmHostMaintenance; -#ifndef NO_KRB4 - CKrb4DomainRealmMaintenance m_krb4DomainRealmMaintenance; -#endif - CKrbDomainRealmMaintenance m_domainRealmMaintenance; - CKrbMiscConfigOpt m_miscConfigOpt; - - static BOOL KrbPropertiesOn; - static BOOL applyButtonEnabled; - static CHAR m_krbPath[MAX_PATH]; - static CHAR m_krbrealmPath[MAX_PATH]; - -// Construction -public: - CKrbProperties(UINT nIDCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - CKrbProperties(LPCTSTR pszCaption, CWnd* pParentWnd = NULL, - UINT iSelectPage = 0); - -// Attributes -public: - -// Operations -public: - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbProperties) - //}}AFX_VIRTUAL - -// Implementation -public: - virtual ~CKrbProperties(); - - // Generated message map functions -protected: - //{{AFX_MSG(CKrbProperties) - // NOTE - the ClassWizard will add and remove member functions here. - afx_msg void OnHelp(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -///////////////////////////////////////////////////////////////////////////// -//{{AFX_INSERT_LOCATION}} -// Microsoft Developer Studio will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRB_PROPERTY_H__CD702F99_7495_11D0_8FDC_00C04FC2A0C2__INCLUDED_) diff --git a/src/windows/leash/KrbRealmHostMaintenance.cpp b/src/windows/leash/KrbRealmHostMaintenance.cpp deleted file mode 100644 index a39af34..0000000 --- a/src/windows/leash/KrbRealmHostMaintenance.cpp +++ /dev/null @@ -1,1044 +0,0 @@ -// ************************************************************************************** -// File: KrbRealmHostMaintenance.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for KrbRealmHostMaintenance.h. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "KrbProperties.h" -#include "Krb4Properties.h" -#include "KrbAddRealm.h" -#include "KrbAddHostServer.h" -#include "KrbRealmHostMaintenance.h" -#include "KrbEditRealm.h" -#include "KrbEditHostServer.h" -#include "KrbConfigOptions.h" - -#include "lglobals.h" -#include "MainFrm.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CKrbRealmHostMaintenance dialog - - -IMPLEMENT_DYNCREATE(CKrbRealmHostMaintenance, CPropertyPage) - -CKrbRealmHostMaintenance::CKrbRealmHostMaintenance() - : CPropertyPage(CKrbRealmHostMaintenance::IDD) -{ - m_isRealmListBoxInFocus = FALSE; - m_isStart = TRUE; - m_theAdminServer = _T(""); - m_theAdminServerMarked = _T(""); - m_initDnsKdcLookup = 0; - m_newDnsKdcLookup = 0; - - m_KDCHostList.initOtherListbox(this, &m_KDCRealmList); -} - -CKrbRealmHostMaintenance::~CKrbRealmHostMaintenance() -{ -} - -void CKrbRealmHostMaintenance::DoDataExchange(CDataExchange* pDX) -{ - CPropertyPage::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CKrbRealmHostMaintenance) - DDX_Control(pDX, IDC_LIST_KDC_REALM, m_KDCRealmList); - DDX_Control(pDX, IDC_LIST_KDC_HOST, m_KDCHostList); - //}}AFX_DATA_MAP -} - -BEGIN_MESSAGE_MAP(CKrbRealmHostMaintenance, CPropertyPage) - //{{AFX_MSG_MAP(CKrbRealmHostMaintenance) - ON_BN_CLICKED(IDC_BUTTON_REALM_HOST_ADD, OnButtonRealmHostAdd) - ON_BN_CLICKED(IDC_BUTTON_REALM_EDIT, OnButtonRealmHostEdit) - ON_BN_CLICKED(ID_BUTTON_REALM_REMOVE, OnButtonRealmHostRemove) - ON_LBN_SELCHANGE(IDC_LIST_KDC_REALM, OnSelchangeListKdcRealm) - ON_BN_CLICKED(IDC_BUTTON_ADMINSERVER, OnButtonAdminserver) - ON_LBN_SETFOCUS(IDC_LIST_KDC_REALM, OnSetfocusListKdcRealm) - ON_BN_CLICKED(IDC_BUTTON_KDCHOST_ADD, OnButtonKdchostAdd) - ON_BN_CLICKED(IDC_BUTTON_KDCHOST_REMOVE, OnButtonKdchostRemove) - ON_BN_CLICKED(IDC_BUTTON_REMOVE_ADMINSERVER, OnButtonRemoveAdminserver) - ON_LBN_SELCHANGE(IDC_LIST_KDC_HOST, OnSelchangeListKdcHost) - ON_BN_CLICKED(IDC_BUTTON_KDCHOST_EDIT, OnButtonKdchostEdit) - ON_LBN_DBLCLK(IDC_LIST_KDC_REALM, OnDblclkListKdcRealm) - ON_LBN_DBLCLK(IDC_LIST_KDC_HOST, OnDblclkListKdcHost) - ON_WM_KEYDOWN() - ON_WM_CANCELMODE() - ON_BN_CLICKED(IDC_BUTTON_REALMHOST_MAINT_HELP, OnButtonRealmhostMaintHelp) - ON_BN_CLICKED(IDC_DNS_KDC, OnCheckDnsKdcLookup) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CKrbRealmHostMaintenance message handlers - -BOOL CKrbRealmHostMaintenance::OnInitDialog() -{ - CPropertyPage::OnInitDialog(); - - const char* rootSection[] = {"realms", NULL}; - const char** rootsec = rootSection; - char **sections = NULL, - **cpp = NULL, - *value = NULL; - - long retval = pprofile_get_subsection_names(CLeashApp::m_krbv5_profile, - rootsec, §ions); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnInitDialog::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return TRUE; - } - - for (cpp = sections; *cpp; cpp++) - { - if (LB_ERR == m_KDCRealmList.AddString(*cpp)) - { - MessageBox("OnInitDialog::Can't add to Kerberos Realm Listbox", - "Leash", MB_OK); - return FALSE; - } - } - - pprofile_free_list(sections); - - // Determine the starting value for DNS KDC Lookup Checkbox - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_lookup_kdc", 0, 0, &value); - if (value == 0 && retval == 0) - retval = pprofile_get_string(CLeashApp::m_krbv5_profile, "libdefaults", - "dns_fallback", 0, 0, &value); - if (value == 0) { - m_initDnsKdcLookup = m_newDnsKdcLookup = 1; - } else { - m_initDnsKdcLookup = m_newDnsKdcLookup = config_boolean_to_int(value); - pprofile_release_string(value); - } - CheckDlgButton(IDC_DNS_KDC, m_initDnsKdcLookup); - - // Compaire Krb Four with what's in the Krb Five Profile Linklist - // and add to m_KDCRealmList if needed. - m_KDCRealmList.SetCurSel(0); - - if (!m_KDCRealmList.GetCount()) - { - GetDlgItem(IDC_BUTTON_REALM_EDIT)->EnableWindow(FALSE); - } - else if (1 >= m_KDCRealmList.GetCount()) - { - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(FALSE); - } - else - { - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_REALM_EDIT)->EnableWindow(); - } - - - if (!m_KDCHostList.GetCount()) - { - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(FALSE); - } - else - { - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(); - } - - - return TRUE; -} - -BOOL CKrbRealmHostMaintenance::OnApply() -{ - char theSection[REALM_SZ + 1]; - const char* adminServer[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char* Section[] = {"realms", theSection, "kdc", NULL}; //theSection - const char** section = Section; - const char** adminServ = adminServer; - - if (!CLeashApp::m_krbv5_profile) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - filenames[0] = confname; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - } - } - - /* - // Safety check for empty section (may not be need, but left it in anyway) - INT maxRealms = m_KDCRealmList.GetCount(); - for (INT realm = 0; realm < maxRealms; realm++) - { - m_KDCRealmList.GetText(realm, theSection); - long retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - pprofile_free_list(values); - - if (PROF_NO_RELATION == retval) - { - if (IDYES == AfxMessageBox("One or more Realms do not have any corresponing Servers!!!\n\nContinue?", - MB_YESNO)) - break; - else - return TRUE; - } - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnApply::There is an error, profile will not be saved!!!\nIf this error persist, contact your administrator.", - "Error", MB_OK); - return TRUE; - } - } - */ - - long retval = pprofile_flush(CLeashApp::m_krbv5_profile); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnApply::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - } - -#ifndef NO_KRB4 - // Save to Kerberos Four config. file "Krb.con" - CStdioFile krbCon; - if (!krbCon.Open(CKrbProperties::m_krbPath, CFile::modeCreate | - CFile::modeNoTruncate | - CFile::modeReadWrite)) - { - LeashErrorBox("OnApply::Can't open Configuration File", - CKrbProperties::m_krbPath); - return TRUE; - } - - krbCon.SetLength(0); - - krbCon.WriteString(CKrbConfigOptions::m_newDefaultRealm); - krbCon.WriteString("\n"); - - for (INT maxItems = m_KDCRealmList.GetCount(), item = 0; item < maxItems; item++) - { - char **values = NULL, - **cpp = NULL, - **admin = NULL; - - if (LB_ERR == m_KDCRealmList.GetText(item, theSection)) - ASSERT(0); - - retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnApply::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - } - - retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - adminServ , &admin); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnApply::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - } - - char* pSemiCl = NULL; - if (admin) - { - if (*admin) - { - if ((pSemiCl = strchr(*admin, ':'))) - *pSemiCl = 0; - } - } - - - char hostKdc[MAX_HSTNM]; - if (values) - for (cpp = values; *cpp; cpp++) - { - strcpy(hostKdc, *cpp); - - if ((pSemiCl = strchr(hostKdc, ':'))) - *pSemiCl = 0; - - if (admin) - { - if (*admin) - { - if (0 == stricmp(hostKdc, *admin)) - strcat(hostKdc, " admin server"); - } - } - - CString kdcHost = theSection; - kdcHost += " "; - kdcHost += hostKdc; - - krbCon.WriteString(kdcHost); - krbCon.WriteString("\n"); - } - - if (values) - pprofile_free_list(values); - - if (admin) - pprofile_free_list(admin); - } - - if ( m_newDnsKdcLookup ) - krbCon.WriteString(".KERBEROS.OPTION. dns\n"); - - krbCon. Close(); -#endif // NO_KRB4 - return TRUE; -} - -void CKrbRealmHostMaintenance::OnCancel() -{ - CHAR fileName[MAX_PATH]; - if (CLeashApp::GetProfileFile(fileName, sizeof(fileName))) - { - MessageBox("Can't locate Kerberos Five Config. file!", "Error", MB_OK); - return; - } - - - long retval = 0; - if (CLeashApp::m_krbv5_profile) - pprofile_abandon(CLeashApp::m_krbv5_profile); - - /* - if (retval) - { - MessageBox("OnButtonRealmHostAdd::There is an error, profile will not be abandon!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - */ - - const char *filenames[2]; - filenames[0] = fileName; - filenames[1] = NULL; - retval = pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - - if (retval) - { - MessageBox("OnButtonRealmHostAdd::There is an error, profile will not be initialized!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - - CPropertyPage::OnCancel(); -} - -void CKrbRealmHostMaintenance::OnCheckDnsKdcLookup() -{ - const char* dnsLookupKdc[] = {"libdefaults","dns_lookup_kdc",NULL}; - - m_newDnsKdcLookup = (BOOL)IsDlgButtonChecked(IDC_DNS_KDC); - - long retval = pprofile_clear_relation(CLeashApp::m_krbv5_profile, - dnsLookupKdc); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnButtonAdminserver::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - dnsLookupKdc, - m_newDnsKdcLookup ? "true" : "false"); - - if (retval) - { // this might not be a good way to handle this type of error - MessageBox("OnButtonAdminserver::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - SetModified(TRUE); -} - -void CKrbRealmHostMaintenance::OnButtonRealmHostAdd() -{ - m_KDCRealmList.SetFocus(); - - CKrbAddRealm addToRealmHostList; - if (IDOK == addToRealmHostList.DoModal()) - { - char theSection[REALM_SZ + 1]; - const char* Section[] = {"realms", theSection, NULL}; - const char** section = Section; - - - if (!CLeashApp::m_krbv5_profile) { - CHAR confname[MAX_PATH]; - if (!CLeashApp::GetProfileFile(confname, sizeof(confname))) - { - const char *filenames[2]; - filenames[0] = confname; - filenames[1] = NULL; - pprofile_init(filenames, &CLeashApp::m_krbv5_profile); - } - } - - CString newRealm; // new section in the profile linklist - newRealm = addToRealmHostList.GetNewRealm(); - - if (LB_ERR != m_KDCRealmList.FindStringExact(-1, newRealm)) - { - MessageBox("We can't have duplicate Realms!\nYour entry was not saved to list.", - "Leash", MB_OK); - return; - } - - if (addToRealmHostList.GetNewRealm().IsEmpty()) - ASSERT(0); - - strcpy(theSection, newRealm); - long retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, NULL); - - if (retval) - { - MessageBox("OnButtonRealmHostAdd::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - if (LB_ERR == m_KDCRealmList.AddString(newRealm)) - ASSERT(0); - - if (LB_ERR == m_KDCRealmList.SetCurSel(m_KDCRealmList.FindStringExact(-1, newRealm))) - ASSERT(0); - - MessageBox("You must now add a Kerberos Host Server or Realm you just added will be removed!!!", - "Leash", MB_OK); - - m_KDCHostList.ResetContent(); - if (OnButtonKdchostAddInternal()) - { // Cancel - - long retval = pprofile_rename_section(CLeashApp::m_krbv5_profile, - section, NULL); - - if (retval) - { - MessageBox("OnButtonRealmHostRemove::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - if (LB_ERR == m_KDCRealmList.DeleteString(m_KDCRealmList.GetCurSel())) - ASSERT(0); - - m_KDCRealmList.SetCurSel(0); - } - - OnSelchangeListKdcRealm(); - SetModified(TRUE); - } - - if (1 >= m_KDCRealmList.GetCount()) - { - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(FALSE); - } - else - { - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_REALM_EDIT)->EnableWindow(); - } -} - -void CKrbRealmHostMaintenance::OnButtonKdchostAdd() -{ - OnButtonKdchostAddInternal(); -} - -bool CKrbRealmHostMaintenance::OnButtonKdchostAddInternal() -{ - CString newHost; // new section in the profile linklist - CKrbAddHostServer addHostServer; - if (IDOK == addHostServer.DoModal()) - { // OK - char theSection[MAX_HSTNM + 1]; - const char* Section[] = {"realms", theSection, "kdc", NULL}; - const char** section = Section; - - if (addHostServer.GetNewHost().IsEmpty()) - ASSERT(0); - - newHost = addHostServer.GetNewHost(); - - if (LB_ERR != m_KDCHostList.FindStringExact(-1, newHost)) - { - MessageBox("We can't have duplicate Host Servers for the same Realm!\ - \nYour entry was not saved to list.", - "Leash", MB_OK); - return true; - } - - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - long retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, addHostServer.GetNewHost()); - - if (retval) - { - MessageBox("OnButtonKdchostAdd::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - - return true; - } - - if (LB_ERR == m_KDCHostList.AddString(newHost)) - ASSERT(0); - - SetModified(TRUE); - } - else - return true; - - if (m_KDCHostList.GetCount() > 1) - { - m_KDCHostList.SetCurSel(m_KDCHostList.FindStringExact(-1, newHost)); - m_KDCHostList.SetFocus(); - OnSelchangeListKdcHost(); - - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(); - } - - if (1 == m_KDCRealmList.GetCount()) - { - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(); - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(); - } - - return false; -} - -void CKrbRealmHostMaintenance::OnButtonRealmHostEdit() -{ - INT selItemIndex = m_KDCRealmList.GetCurSel(); - CString selItem; - - m_KDCHostList.SetFocus(); - //m_KDCRealmList.SetFocus(); - //m_KDCHostList.SetCurSel(0); - m_KDCRealmList.GetText(selItemIndex, selItem); - - CKrbEditRealm editRealmHostList(selItem); - - if (IDOK == editRealmHostList.DoModal()) - { - char theSection[REALM_SZ + 1]; - const char* Section[] = {"realms", theSection, NULL}; - const char** section = Section; - - CString editedRealm = editRealmHostList.GetEditedItem(); - - if (0 != editedRealm.CompareNoCase(selItem) && - LB_ERR != m_KDCRealmList.FindStringExact(-1, editedRealm)) - { - MessageBox("We can't have duplicate Realms!\nYour entry was not saved to list.", - "Leash", MB_OK); - return; - } - - strcpy(theSection, selItem); - - long retval = pprofile_rename_section(CLeashApp::m_krbv5_profile, - section, editRealmHostList.GetEditedItem()); - - if (retval) - { - MessageBox("OnButtonRealmHostEdit::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - m_KDCRealmList.DeleteString(selItemIndex); - m_KDCRealmList.AddString(editedRealm); - selItemIndex = m_KDCRealmList.FindStringExact(-1, editedRealm); - m_KDCRealmList.SetCurSel(selItemIndex); - - CKrbConfigOptions::ResetDefaultRealmComboBox(); - SetModified(TRUE); - } -} - -void CKrbRealmHostMaintenance::OnDblclkListKdcRealm() -{ - OnButtonRealmHostEdit(); -} - -void CKrbRealmHostMaintenance::OnButtonKdchostEdit() -{ - INT selItemIndex = m_KDCHostList.GetCurSel(); - CHAR OLD_VALUE[MAX_HSTNM + 1]; - CString editedHostServer; - CString _adminServer; - - m_KDCHostList.SetFocus(); - m_KDCHostList.GetText(selItemIndex, OLD_VALUE); - - LPSTR pOLD_VALUE = strchr(OLD_VALUE, ' '); - if (pOLD_VALUE) - { - *pOLD_VALUE = 0; - _adminServer = pOLD_VALUE + 1; - } - - CString selItem = OLD_VALUE; - CKrbEditHostServer editHostServerList(selItem); - - if (IDOK == editHostServerList.DoModal()) - { - char theSection[REALM_SZ + 1]; - const char* adminServer[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char* Section[] = {"realms", theSection, "kdc", NULL}; - const char** section = Section; - const char** adminServ = adminServer; - - editedHostServer = editHostServerList.GetEditedItem(); - - if (0 != editedHostServer.CompareNoCase(selItem) && - LB_ERR != m_KDCHostList.FindStringExact(-1, editedHostServer)) - { - MessageBox("We can't have duplicate Host Servers for the same Realm!\ - \nYour entry was not saved to list.", - "Leash", MB_OK); - return; - } - - m_KDCHostList.DeleteString(selItemIndex); - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - - if (!_adminServer.IsEmpty()) - { // there is a admin_server - editedHostServer += " "; - editedHostServer += _adminServer; - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - adminServ, OLD_VALUE, editHostServerList.GetEditedItem()); - if (retval) - { - MessageBox("OnButtonKdchostEdit::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - } - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - section, OLD_VALUE, editHostServerList.GetEditedItem()); - - if (retval) - { - MessageBox("OnButtonKdchostEdit::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - m_KDCHostList.InsertString(selItemIndex, editedHostServer); - m_KDCHostList.SetCurSel(selItemIndex); - - OnSelchangeListKdcHost(); - SetModified(TRUE); - } -} - -void CKrbRealmHostMaintenance::OnDblclkListKdcHost() -{ - OnButtonKdchostEdit(); -} - -void CKrbRealmHostMaintenance::OnButtonRealmHostRemove() -{ - char theSection[REALM_SZ + 1]; - const char* Section[] = {"realms", theSection, NULL}; - const char** section = Section; - - m_KDCRealmList.SetFocus(); - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - - CString RealmMsg; - RealmMsg.Format("Your about to remove a Realm, \"%s\", and all it's dependents from the list!\n\nContinue?", - theSection); - - if (IDYES != AfxMessageBox(RealmMsg, MB_YESNO)) - return; - - long retval = pprofile_rename_section(CLeashApp::m_krbv5_profile, - section, NULL); - - if (retval) - { - MessageBox("OnButtonRealmHostRemove::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - INT curSel = m_KDCRealmList.GetCurSel(); - - if (LB_ERR == m_KDCRealmList.DeleteString(curSel)) - ASSERT(0);// Single Sel Listbox - - if (-1 == m_KDCRealmList.SetCurSel(curSel)) - m_KDCRealmList.SetCurSel(curSel - 1); - - SetModified(TRUE); - - if (!m_KDCRealmList.GetCount()) - { - GetDlgItem(IDC_BUTTON_REALM_EDIT)->EnableWindow(FALSE); - } - if (1 >= m_KDCRealmList.GetCount()) - { - OnSelchangeListKdcRealm(); - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(FALSE); - } - else - OnSelchangeListKdcRealm(); -} - -void CKrbRealmHostMaintenance::OnButtonKdchostRemove() -{ - char theSection[REALM_SZ + 1]; - const char* adminServer[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char* Section[] = {"realms", theSection, "kdc", NULL}; - const char** section = Section; - const char** adminServ = adminServer; - CHAR OLD_VALUE[MAX_HSTNM + 1]; - CString serverHostMsg; - CString serverHost; - CString _adminServer; - - m_KDCHostList.GetText(m_KDCHostList.GetCurSel(), serverHost); - serverHostMsg.Format("Your about to remove Server \"%s\" from the list!\n\nContinue?", - serverHost); - - if (IDYES != AfxMessageBox(serverHostMsg, MB_YESNO)) - return; - - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - INT curSel = m_KDCHostList.GetCurSel(); - m_KDCHostList.GetText(curSel, OLD_VALUE); - - LPSTR pOLD_VALUE = strchr(OLD_VALUE, ' '); - if (pOLD_VALUE) - { - *pOLD_VALUE = 0; - _adminServer = pOLD_VALUE + 1; - } - - long retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - section, OLD_VALUE, NULL); - if (retval) - { - MessageBox("OnButtonKdchostRemove::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Leash", MB_OK); - return; - } - - if (!_adminServer.IsEmpty()) - { // there is a admin_server - retval = pprofile_update_relation(CLeashApp::m_krbv5_profile, - adminServ, OLD_VALUE, NULL); - if (retval) - { - MessageBox("OnButtonKdchostRemove::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - } - - m_KDCHostList.DeleteString(curSel); - - if (-1 == m_KDCHostList.SetCurSel(curSel)) - m_KDCHostList.SetCurSel(curSel - 1); - - SetModified(TRUE); - - if (!m_KDCHostList.GetCount()) - { - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(FALSE); - } - else if (m_KDCHostList.GetCount() <= 1) - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(FALSE); - - OnSelchangeListKdcHost(); -} - -BOOL CKrbRealmHostMaintenance::PreTranslateMessage(MSG* pMsg) -{ - if (m_isStart) - { - OnSelchangeListKdcRealm(); - m_isStart = FALSE; - } - - return CPropertyPage::PreTranslateMessage(pMsg); -} - -void CKrbRealmHostMaintenance::OnSelchangeListKdcRealm() -{ - char theSection[REALM_SZ + 1]; - const char* adminServer[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char* Section[] = {"realms", theSection, "kdc", NULL}; //theSection - const char** section = Section; - const char** adminServ = adminServer; - char **values = NULL, - **adminValue = NULL, - **cpp = NULL; - - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - - long retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - section, &values); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnSelchangeListKdcRealm::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - m_KDCHostList.ResetContent(); - - if ( !retval && values ) { - retval = pprofile_get_values(CLeashApp::m_krbv5_profile, - adminServ, &adminValue); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnSelchangeListKdcRealm::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - m_theAdminServer = _T(""); - m_theAdminServerMarked = _T(""); - - for (cpp = values; *cpp; cpp++) - { - CString kdcHost = *cpp; - - if (adminValue && 0 == strcmp(*adminValue, *cpp)) - { - m_theAdminServer = kdcHost; - kdcHost += " "; - kdcHost += ADMIN_SERVER; - - m_theAdminServerMarked = kdcHost; - } - - if (LB_ERR == m_KDCHostList.AddString(kdcHost)) - { - MessageBox("OnSelchangeListKdcRealm::Can't add Realm to Listbox", - "Error", MB_OK); - } - } - - pprofile_free_list(values); - } else { - GetDlgItem(IDC_BUTTON_REALM_HOST_ADD)->EnableWindow(TRUE); - GetDlgItem(ID_BUTTON_REALM_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REALM_EDIT)->EnableWindow(FALSE); - } - CKrbConfigOptions::ResetDefaultRealmComboBox(); - - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(FALSE); -} - -void CKrbRealmHostMaintenance::OnSelchangeListKdcHost() -{ - CString adminServer; - m_KDCHostList.GetText(m_KDCHostList.GetCurSel(), adminServer); - - if (-1 != adminServer.Find(ADMIN_SERVER)) - { - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(); - } - else - { - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(FALSE); - } - - if (m_KDCHostList.GetCount() > 1) - GetDlgItem(IDC_BUTTON_KDCHOST_REMOVE)->EnableWindow(); - - GetDlgItem(IDC_BUTTON_KDCHOST_EDIT)->EnableWindow(); -} - -void CKrbRealmHostMaintenance::OnSetfocusListKdcRealm() -{ - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(FALSE); -} - -void CKrbRealmHostMaintenance::OnButtonAdminserver() -{ - // Install new admin.server in profile linklist - char theSection[REALM_SZ + 1]; - const char* Section[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char** section = Section; - - m_KDCHostList.SetFocus(); - INT index1 = m_KDCHostList.GetCurSel(); - INT index2 = m_KDCHostList.FindStringExact(-1, m_theAdminServerMarked); - - if (-1 != index2) - { - m_KDCHostList.DeleteString(index2); - if (LB_ERR == m_KDCHostList.InsertString(index2, m_theAdminServer)) - { - MessageBox("OnButtonAdminserver::Can't add to list!!!", - "Error, MB_OK"); - } - } - - CString makeAdmin; - m_KDCHostList.GetText(index1, makeAdmin); - m_KDCHostList.DeleteString(index1); - m_theAdminServer = makeAdmin; - makeAdmin += " "; - makeAdmin += ADMIN_SERVER; - m_theAdminServerMarked = makeAdmin; - - if (LB_ERR == m_KDCHostList.InsertString(index1, makeAdmin)) - { - MessageBox("OnButtonAdminserver::Can't add to list!!!", - "Error, MB_OK"); - } - - m_KDCHostList.SetCurSel(m_KDCHostList.FindStringExact(-1, makeAdmin)); //index2 -1); - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(FALSE); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(); - - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - - long retval = pprofile_clear_relation(CLeashApp::m_krbv5_profile, - section); - - if (retval && PROF_NO_RELATION != retval) - { - MessageBox("OnButtonAdminserver::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - retval = pprofile_add_relation(CLeashApp::m_krbv5_profile, - section, m_theAdminServer); - - if (retval) - { // this might not be a good way to handle this type of error - MessageBox("OnButtonAdminserver::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - SetModified(TRUE); -} - -void CKrbRealmHostMaintenance::OnButtonRemoveAdminserver() -{ - // Remove admin.server from profile linklist - char theSection[REALM_SZ + 1]; - const char* Section[] = {"realms", theSection, ADMIN_SERVER, NULL}; - const char** section = Section; - - m_KDCHostList.SetFocus(); - m_KDCRealmList.GetText(m_KDCRealmList.GetCurSel(), theSection); - - long retval = pprofile_clear_relation(CLeashApp::m_krbv5_profile, - section); - - if (retval) - { - MessageBox("OnButtonRemoveAdminserver::There is an error, profile will not be saved!!!\ - \nIf this error persist, contact your administrator.", - "Error", MB_OK); - return; - } - - INT index = m_KDCHostList.GetCurSel(); - m_KDCHostList.DeleteString(index); - - if (LB_ERR == m_KDCHostList.InsertString(index, m_theAdminServer)) - { - MessageBox("OnButtonRemoveAdminserver::Can't add to list!!!", - "Error, MB_OK"); - - - } - - m_theAdminServerMarked = m_theAdminServer; - m_KDCHostList.SetCurSel(m_KDCHostList.FindStringExact(-1, m_theAdminServer)); - GetDlgItem(IDC_BUTTON_ADMINSERVER)->EnableWindow(); - GetDlgItem(IDC_BUTTON_REMOVE_ADMINSERVER)->EnableWindow(FALSE); - - SetModified(TRUE); -} - - - -void CKrbRealmHostMaintenance::OnButtonRealmhostMaintHelp() -{ - MessageBox("No Help Available!", "Note", MB_OK); -} diff --git a/src/windows/leash/KrbRealmHostMaintenance.h b/src/windows/leash/KrbRealmHostMaintenance.h deleted file mode 100644 index c894e22..0000000 --- a/src/windows/leash/KrbRealmHostMaintenance.h +++ /dev/null @@ -1,102 +0,0 @@ -// ************************************************************************************** -// File: KrbRealmHostMaintenance.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for KrbRealmHostMaintenance.cpp. Contains variables and functions -// for Kerberos Four and Five Properties -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_KRBREALMNAMEMAINTENANCE_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_) -#define AFX_KRBREALMNAMEMAINTENANCE_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 - - -///////////////////////////////////////////////////////////////////////////// -// CKrbRealmHostMaintenance dialog - -#include "resource.h" -#include "CLeashDragListBox.h" - -#define MAXLINE 256 - -class CKrbRealmHostMaintenance : public CPropertyPage -{ -// Construction -private: - DECLARE_DYNCREATE(CKrbRealmHostMaintenance) - CHAR lineBuf[MAXLINE]; - CString m_theAdminServerMarked; - CString m_theAdminServer; - BOOL m_isRealmListBoxInFocus; - BOOL m_isStart; - BOOL m_initDnsKdcLookup; - BOOL m_newDnsKdcLookup; - - bool OnButtonKdchostAddInternal(); - - //void ResetDefaultRealmComboBox(); - -public: - //CKrbRealmHostMaintenance(CWnd* pParent = NULL); // standard constructor - CKrbRealmHostMaintenance(); - virtual ~CKrbRealmHostMaintenance(); - -// Dialog Data - //{{AFX_DATA(CKrbRealmHostMaintenance) - enum { IDD = IDD_KRB_REALMHOST_MAINT }; - CListBox m_KDCRealmList; - CLeashDragListBox m_KDCHostList; - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CKrbRealmHostMaintenance) - public: - virtual BOOL PreTranslateMessage(MSG* pMsg); - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CKrbRealmHostMaintenance) - virtual BOOL OnInitDialog(); - virtual BOOL OnApply(); - virtual void OnCancel(); - afx_msg void OnButtonRealmHostAdd(); - afx_msg void OnButtonRealmHostEdit(); - afx_msg void OnButtonRealmHostRemove(); - afx_msg void OnSelchangeListKdcRealm(); - afx_msg void OnButtonAdminserver(); - afx_msg void OnSetfocusListKdcRealm(); - afx_msg void OnButtonKdchostAdd(); - afx_msg void OnButtonKdchostRemove(); - afx_msg void OnButtonRemoveAdminserver(); - afx_msg void OnSelchangeListKdcHost(); - afx_msg void OnButtonKdchostEdit(); - afx_msg void OnDblclkListKdcRealm(); - afx_msg void OnDblclkListKdcHost(); - afx_msg void OnButtonRealmhostMaintHelp(); - afx_msg void OnCheckDnsKdcLookup(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_KRBREALMNAMEMAINTENANCE_H__2FE711C3_8E9A_11D2_94C5_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/Leash.cpp b/src/windows/leash/Leash.cpp index f4e7493..f338e72 100644 --- a/src/windows/leash/Leash.cpp +++ b/src/windows/leash/Leash.cpp @@ -23,19 +23,12 @@ #include "LeashAboutBox.h" #include "reminder.h" -#include "mitwhich.h" #include #include "lglobals.h" #include "out2con.h" #include #include -#include - -#ifndef NO_AFS -#include "afscompat.h" -#endif - #include #include @@ -46,20 +39,13 @@ static char THIS_FILE[] = __FILE__; #endif -extern "C" int VScheckVersion(HWND hWnd, HANDLE hThisInstance); - TicketInfoWrapper ticketinfo; HWND CLeashApp::m_hProgram = 0; HINSTANCE CLeashApp::m_hLeashDLL = 0; HINSTANCE CLeashApp::m_hComErr = 0; -////@#+Remove -#ifndef NO_KRB4 -HINSTANCE CLeashApp::m_hKrb4DLL = 0; -#endif HINSTANCE CLeashApp::m_hKrb5DLL = 0; HINSTANCE CLeashApp::m_hKrb5ProfileDLL= 0; -HINSTANCE CLeashApp::m_hAfsDLL = 0; HINSTANCE CLeashApp::m_hPsapi = 0; HINSTANCE CLeashApp::m_hToolHelp32 = 0; krb5_context CLeashApp::m_krbv5_context = 0; @@ -118,12 +104,8 @@ CLeashApp::~CLeashApp() CloseHandle(ticketinfo.lockObj); #endif AfxFreeLibrary(m_hLeashDLL); -#ifndef NO_KRB4 - AfxFreeLibrary(m_hKrb4DLL); -#endif AfxFreeLibrary(m_hKrb5DLL); AfxFreeLibrary(m_hKrb5ProfileDLL); - AfxFreeLibrary(m_hAfsDLL); AfxFreeLibrary(m_hPsapi); AfxFreeLibrary(m_hToolHelp32); AfxFreeLibrary(m_hKrbLSA); @@ -479,8 +461,6 @@ BOOL CLeashApp::InitInstance() } } - VScheckVersion(m_pMainWnd->m_hWnd, AfxGetInstanceHandle()); - // The one and only window has been initialized, so show and update it. m_pMainWnd->SetWindowText("MIT Kerberos"); m_pMainWnd->UpdateWindow(); @@ -497,133 +477,34 @@ BOOL CLeashApp::InitInstance() // CLeashApp commands // leash functions -DECL_FUNC_PTR(not_an_API_LeashKRB4GetTickets); -DECL_FUNC_PTR(not_an_API_LeashAFSGetToken); -DECL_FUNC_PTR(not_an_API_LeashGetTimeServerName); DECL_FUNC_PTR(Leash_kdestroy); DECL_FUNC_PTR(Leash_changepwd_dlg); DECL_FUNC_PTR(Leash_changepwd_dlg_ex); DECL_FUNC_PTR(Leash_kinit_dlg); DECL_FUNC_PTR(Leash_kinit_dlg_ex); DECL_FUNC_PTR(Leash_timesync); -DECL_FUNC_PTR(Leash_get_default_lifetime); -DECL_FUNC_PTR(Leash_set_default_lifetime); -DECL_FUNC_PTR(Leash_get_default_forwardable); -DECL_FUNC_PTR(Leash_set_default_forwardable); -DECL_FUNC_PTR(Leash_get_default_renew_till); -DECL_FUNC_PTR(Leash_set_default_renew_till); -DECL_FUNC_PTR(Leash_get_default_noaddresses); -DECL_FUNC_PTR(Leash_set_default_noaddresses); -DECL_FUNC_PTR(Leash_get_default_proxiable); -DECL_FUNC_PTR(Leash_set_default_proxiable); -DECL_FUNC_PTR(Leash_get_default_publicip); -DECL_FUNC_PTR(Leash_set_default_publicip); -DECL_FUNC_PTR(Leash_get_default_use_krb4); -DECL_FUNC_PTR(Leash_set_default_use_krb4); -DECL_FUNC_PTR(Leash_get_default_life_min); -DECL_FUNC_PTR(Leash_set_default_life_min); -DECL_FUNC_PTR(Leash_get_default_life_max); -DECL_FUNC_PTR(Leash_set_default_life_max); -DECL_FUNC_PTR(Leash_get_default_renew_min); -DECL_FUNC_PTR(Leash_set_default_renew_min); -DECL_FUNC_PTR(Leash_get_default_renew_max); -DECL_FUNC_PTR(Leash_set_default_renew_max); -DECL_FUNC_PTR(Leash_get_default_renewable); -DECL_FUNC_PTR(Leash_set_default_renewable); -DECL_FUNC_PTR(Leash_get_lock_file_locations); -DECL_FUNC_PTR(Leash_set_lock_file_locations); DECL_FUNC_PTR(Leash_get_default_uppercaserealm); DECL_FUNC_PTR(Leash_set_default_uppercaserealm); DECL_FUNC_PTR(Leash_get_default_mslsa_import); -DECL_FUNC_PTR(Leash_set_default_mslsa_import); -DECL_FUNC_PTR(Leash_get_default_preserve_kinit_settings); -DECL_FUNC_PTR(Leash_set_default_preserve_kinit_settings); DECL_FUNC_PTR(Leash_import); DECL_FUNC_PTR(Leash_importable); DECL_FUNC_PTR(Leash_renew); -DECL_FUNC_PTR(Leash_reset_defaults); FUNC_INFO leash_fi[] = { - MAKE_FUNC_INFO(not_an_API_LeashKRB4GetTickets), - MAKE_FUNC_INFO(not_an_API_LeashAFSGetToken), - MAKE_FUNC_INFO(not_an_API_LeashGetTimeServerName), MAKE_FUNC_INFO(Leash_kdestroy), MAKE_FUNC_INFO(Leash_changepwd_dlg), MAKE_FUNC_INFO(Leash_changepwd_dlg_ex), MAKE_FUNC_INFO(Leash_kinit_dlg), MAKE_FUNC_INFO(Leash_kinit_dlg_ex), MAKE_FUNC_INFO(Leash_timesync), - MAKE_FUNC_INFO(Leash_get_default_lifetime), - MAKE_FUNC_INFO(Leash_set_default_lifetime), - MAKE_FUNC_INFO(Leash_get_default_renew_till), - MAKE_FUNC_INFO(Leash_set_default_renew_till), - MAKE_FUNC_INFO(Leash_get_default_forwardable), - MAKE_FUNC_INFO(Leash_set_default_forwardable), - MAKE_FUNC_INFO(Leash_get_default_noaddresses), - MAKE_FUNC_INFO(Leash_set_default_noaddresses), - MAKE_FUNC_INFO(Leash_get_default_proxiable), - MAKE_FUNC_INFO(Leash_set_default_proxiable), - MAKE_FUNC_INFO(Leash_get_default_publicip), - MAKE_FUNC_INFO(Leash_set_default_publicip), - MAKE_FUNC_INFO(Leash_get_default_use_krb4), - MAKE_FUNC_INFO(Leash_set_default_use_krb4), - MAKE_FUNC_INFO(Leash_get_default_life_min), - MAKE_FUNC_INFO(Leash_set_default_life_min), - MAKE_FUNC_INFO(Leash_get_default_life_max), - MAKE_FUNC_INFO(Leash_set_default_life_max), - MAKE_FUNC_INFO(Leash_get_default_renew_min), - MAKE_FUNC_INFO(Leash_set_default_renew_min), - MAKE_FUNC_INFO(Leash_get_default_renew_max), - MAKE_FUNC_INFO(Leash_set_default_renew_max), - MAKE_FUNC_INFO(Leash_get_default_renewable), - MAKE_FUNC_INFO(Leash_set_default_renewable), - MAKE_FUNC_INFO(Leash_get_lock_file_locations), - MAKE_FUNC_INFO(Leash_set_lock_file_locations), MAKE_FUNC_INFO(Leash_get_default_uppercaserealm), MAKE_FUNC_INFO(Leash_set_default_uppercaserealm), MAKE_FUNC_INFO(Leash_get_default_mslsa_import), - MAKE_FUNC_INFO(Leash_set_default_mslsa_import), - MAKE_FUNC_INFO(Leash_get_default_preserve_kinit_settings), - MAKE_FUNC_INFO(Leash_set_default_preserve_kinit_settings), MAKE_FUNC_INFO(Leash_import), MAKE_FUNC_INFO(Leash_importable), MAKE_FUNC_INFO(Leash_renew), - MAKE_FUNC_INFO(Leash_reset_defaults), - END_FUNC_INFO -}; - -//// -#ifndef NO_KRB4 -// krb4 functions -DECL_FUNC_PTR(set_krb_debug); -DECL_FUNC_PTR(set_krb_ap_req_debug); -DECL_FUNC_PTR(krb_get_krbconf2); -DECL_FUNC_PTR(krb_get_krbrealm2); -DECL_FUNC_PTR(tkt_string); -DECL_FUNC_PTR(krb_set_tkt_string); -DECL_FUNC_PTR(krb_realmofhost); -DECL_FUNC_PTR(krb_get_lrealm); -DECL_FUNC_PTR(krb_get_krbhst); -DECL_FUNC_PTR(tf_init); -DECL_FUNC_PTR(tf_close); -DECL_FUNC_PTR(krb_get_tf_realm); - -FUNC_INFO krb4_fi[] = { - MAKE_FUNC_INFO(set_krb_debug), - MAKE_FUNC_INFO(set_krb_ap_req_debug), - MAKE_FUNC_INFO(krb_get_krbconf2), - MAKE_FUNC_INFO(krb_get_krbrealm2), - MAKE_FUNC_INFO(tkt_string), - MAKE_FUNC_INFO(krb_set_tkt_string), - MAKE_FUNC_INFO(krb_realmofhost), - MAKE_FUNC_INFO(krb_get_lrealm), - MAKE_FUNC_INFO(krb_get_krbhst), - MAKE_FUNC_INFO(tf_init), - MAKE_FUNC_INFO(tf_close), - MAKE_FUNC_INFO(krb_get_tf_realm), END_FUNC_INFO }; -#endif // com_err funcitons DECL_FUNC_PTR(error_message); @@ -783,18 +664,10 @@ FUNC_INFO profile_fi[] = { BOOL CLeashApp::InitDLLs() { m_hLeashDLL = AfxLoadLibrary(LEASHDLL); -#ifndef NO_KRB4 - m_hKrb4DLL = AfxLoadLibrary(KERB4DLL); -#endif m_hKrb5DLL = AfxLoadLibrary(KERB5DLL); m_hKrb5ProfileDLL = AfxLoadLibrary(KERB5_PPROFILE_DLL); m_hComErr = AfxLoadLibrary(COMERR_DLL); -#ifndef NO_AFS - afscompat_init(); - m_hAfsDLL = AfxLoadLibrary(AFSAuthentDLL()); -#endif - #define PSAPIDLL "psapi.dll" #define TOOLHELPDLL "kernel32.dll" @@ -824,19 +697,6 @@ BOOL CLeashApp::InitDLLs() "Error", MB_OK); return FALSE; } -//// -#ifndef NO_KRB4 - if (m_hKrb4DLL) - { - if (!LoadFuncs(KERB4DLL, krb4_fi, 0, 0, 1, 0, 0)) - { - MessageBox(hwnd, - "Unexpected error while loading " KERB4DLL ".\n" - "Kerberos 4 functionality will be disabled.\n", - "Error", MB_OK); - } - } -#endif if (m_hKrb5DLL) { @@ -943,7 +803,6 @@ BOOL CLeashApp::FirstInstance() void CLeashApp::ValidateConfigFiles() { - CStdioFile krbCon; char confname[257]; char realm[256]=""; @@ -953,8 +812,6 @@ CLeashApp::ValidateConfigFiles() return; if ( m_hKrb5DLL ) { - int krb_con_open = 0; - // Create the empty KRB5.INI file if (!GetProfileFile(confname,sizeof(confname))) { const char *filenames[2]; @@ -972,16 +829,6 @@ CLeashApp::ValidateConfigFiles() } - if ( !GetKrb4ConFile(confname,sizeof(confname)) ) { - if (!krbCon.Open(confname, CFile::modeNoTruncate | CFile::modeRead)) - { - if (krbCon.Open(confname, CFile::modeCreate | CFile::modeWrite)) - { - krb_con_open = 1; - } - } - } - const char* lookupKdc[] = {"libdefaults", "dns_lookup_kdc", NULL}; const char* lookupRealm[] = {"libdefaults", "dns_lookup_realm", NULL}; const char* defRealm[] = {"libdefaults", "default_realm", NULL}; @@ -1031,10 +878,6 @@ CLeashApp::ValidateConfigFiles() if ( domain[0] ) { strncpy(realm,domain,256); realm[255] = '\0'; - if ( krb_con_open ) { - krbCon.WriteString(realm); - krbCon.WriteString("\n"); - } strncat(realmkey,domain,256-strlen(realmkey)); realmkey[255] = '\0'; } @@ -1095,13 +938,6 @@ CLeashApp::ValidateConfigFiles() names, (const char *)p); - if ( krb_con_open ) { - krbCon.WriteString((const char *)subkey); - krbCon.WriteString("\t"); - krbCon.WriteString((const char *)p); - krbCon.WriteString("\n"); - } - p += strlen((char*)p) + 1; } free(lpszValue); @@ -1141,11 +977,6 @@ CLeashApp::ValidateConfigFiles() realm[krb5_princ_realm(ctx,me)->length] = '\0'; } - if ( krb_con_open ) { - krbCon.WriteString(realm); - krbCon.WriteString("\n"); - } - no_k5_realm: if ( me ) pkrb5_free_principal(ctx,me); @@ -1179,194 +1010,10 @@ CLeashApp::ValidateConfigFiles() pprofile_release(m_krbv5_profile); m_krbv5_profile = NULL; - // Close KRB.CON file - if ( krb_con_open ) { - krbCon.WriteString(".KERBEROS.OPTION. dns\n"); - krbCon.Close(); - } - - // Create the empty KRBREALM.CON file - if ( !GetKrb4RealmFile(confname,sizeof(confname)) ) { - if (!krbCon.Open(confname, CFile::modeNoTruncate | CFile::modeRead)) - { - if (krbCon.Open(confname, CFile::modeCreate | CFile::modeWrite)) - { - krbCon.Close(); - } - } else - krbCon.Close(); - } - - } -//// -#ifndef NO_KRB4 - } else if ( m_hKrb4DLL ) { - if ( !realm[0] ) { - /* Open ticket file */ - char * file = ptkt_string(); - int k_errno; - - if (file != NULL && file[0]) { - if ((k_errno = ptf_init(file, R_TKT_FIL)) == KSUCCESS) { - /* Close ticket file */ - (void) ptf_close(); - - k_errno = pkrb_get_tf_realm(file, realm); - } - if (k_errno != KSUCCESS) { - k_errno = pkrb_get_lrealm(realm, 1); - } - } - } - - if ( !GetKrb4ConFile(confname,sizeof(confname)) ) { - if (!krbCon.Open(confname, CFile::modeNoTruncate | CFile::modeRead)) - { - if (krbCon.Open(confname, CFile::modeCreate | CFile::modeWrite)) - { - if ( realm[0] ) - krbCon.WriteString(realm); - krbCon.WriteString("\n.KERBEROS.OPTION. dns\n"); - krbCon.Close(); - } - } else - krbCon.Close(); - } - - if ( !GetKrb4RealmFile(confname,sizeof(confname)) ) { - if (!krbCon.Open(confname, CFile::modeNoTruncate | CFile::modeRead)) - { - if (krbCon.Open(confname, CFile::modeCreate | CFile::modeWrite)) - { - krbCon.Close(); - } - } else - krbCon.Close(); } -#endif } } -////@#+Should this be just deleted or reworked? -BOOL -CLeashApp::GetKrb4ConFile( - LPSTR confname, - UINT szConfname - ) -{ - if (m_hKrb5DLL -//// -#ifndef NO_KRB4 - && !m_hKrb4DLL -#endif - ) - { // hold krb.con where krb5.ini is located - CHAR krbConFile[MAX_PATH]=""; - //strcpy(krbConFile, CLeashApp::m_krbv5_profile->first_file->filename); - if (GetProfileFile(krbConFile, sizeof(krbConFile))) - { - GetWindowsDirectory(krbConFile,sizeof(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - strncat(krbConFile,"\\KRB5.INI",sizeof(krbConFile)-strlen(krbConFile)-1); - krbConFile[MAX_PATH-1] = '\0'; - } - - LPSTR pFind = strrchr(krbConFile, '\\'); - if (pFind) - { - *pFind = 0; - strncat(krbConFile, "\\",MAX_PATH-1); - krbConFile[MAX_PATH-1] = '\0'; - strncat(krbConFile, KRB_FILE,MAX_PATH-1); - krbConFile[MAX_PATH-1] = '\0'; - } - else - ASSERT(0); - - strncpy(confname, krbConFile, szConfname); - confname[szConfname-1] = '\0'; - } -//// -#ifndef NO_KRB4 - else if (m_hKrb4DLL) - { - unsigned int size = szConfname; - memset(confname, '\0', szConfname); - if (!pkrb_get_krbconf2(confname, &size)) - { // Error has happened - GetWindowsDirectory(confname,szConfname); - confname[szConfname-1] = '\0'; - strncat(confname, "\\",szConfname); - confname[szConfname-1] = '\0'; - strncat(confname,KRB_FILE,szConfname); - confname[szConfname-1] = '\0'; - } - } -#endif - - return FALSE; -} - -BOOL -CLeashApp::GetKrb4RealmFile( - LPSTR confname, - UINT szConfname - ) -{ - if (m_hKrb5DLL -//// -#ifndef NO_KRB4 - && !m_hKrb4DLL -#endif - ) - { // hold krb.con where krb5.ini is located - CHAR krbRealmConFile[MAX_PATH]; - //strcpy(krbRealmConFile, CLeashApp::m_krbv5_profile->first_file->filename); - if (GetProfileFile(krbRealmConFile, sizeof(krbRealmConFile))) - { - GetWindowsDirectory(krbRealmConFile,sizeof(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - strncat(krbRealmConFile,"\\KRB5.INI",sizeof(krbRealmConFile)-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - } - - LPSTR pFind = strrchr(krbRealmConFile, '\\'); - if (pFind) - { - *pFind = 0; - strncat(krbRealmConFile, "\\",MAX_PATH-1-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - strncat(krbRealmConFile, KRBREALM_FILE,MAX_PATH-1-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - } - else - ASSERT(0); - - strncpy(confname, krbRealmConFile, szConfname); - confname[szConfname-1] = '\0'; - } -//// -#ifndef NO_KRB4 - else if (m_hKrb4DLL) - { - unsigned int size = szConfname; - memset(confname, '\0', szConfname); - if (!pkrb_get_krbrealm2(confname, &size)) - { - GetWindowsDirectory(confname,szConfname); - confname[szConfname-1] = '\0'; - strncat(confname, "\\",szConfname-strlen(confname)); - confname[szConfname-1] = '\0'; - strncat(confname,KRBREALM_FILE,szConfname-strlen(confname)); - confname[szConfname-1] = '\0'; - return TRUE; - } - } -#endif - - return FALSE; -} - BOOL CLeashApp::GetProfileFile( LPSTR confname, diff --git a/src/windows/leash/Leash.h b/src/windows/leash/Leash.h index 6d5f815..c2b5f16 100644 --- a/src/windows/leash/Leash.h +++ b/src/windows/leash/Leash.h @@ -39,8 +39,6 @@ #define HID_DESTROY_TICKETS_ON_EXIT 98321 #define HID_UPPERCASE_REALM_OPTION 98323 #define HID_RESET_WINDOW_OPTION 98326 -#define HID_AFS_PROPERTIES_COMMAND 98327 -#define HID_KRB4_PROPERTIES_COMMAND 98329 #define HID_KRB5_PROPERTIES_COMMAND 98330 #define HID_LEASH_PROPERTIES_COMMAND 98331 #define HID_LOW_TICKET_ALARM_OPTION 98334 @@ -56,7 +54,6 @@ #define HID_LEASH_COMMANDS 131200 #define HID_ABOUT_LEASH32_MODULES 131225 #define HID_DEBUG_WINDOW 131229 -#define HID_KRB4_PROPERTIES_EDIT 131232 #define HID_KERBEROS_PROPERTIES_EDIT 131233 #define HID_LEASH_PROPERTIES_EDIT 131239 #define HID_KRB5_PROPERTIES_FORWARDING 131240 @@ -108,12 +105,8 @@ public: static HINSTANCE m_hLeashDLL; static HINSTANCE m_hComErr; //// -#ifndef NO_KRB4 - static HINSTANCE m_hKrb4DLL; -#endif static HINSTANCE m_hKrb5DLL; static HINSTANCE m_hKrb5ProfileDLL; - static HINSTANCE m_hAfsDLL; static HINSTANCE m_hPsapi; static HINSTANCE m_hToolHelp32; static krb5_context m_krbv5_context; @@ -126,8 +119,6 @@ public: virtual ~CLeashApp(); static BOOL GetProfileFile(LPSTR confname, UINT szConfname); - static BOOL GetKrb4ConFile(LPSTR confname, UINT szConfname); - static BOOL GetKrb4RealmFile(LPSTR confname, UINT szConfname); static void ValidateConfigFiles(); static void ObtainTicketsViaUserIfNeeded(HWND hWnd); static DWORD GetNumOfIpAddrs(void); diff --git a/src/windows/leash/Leash.rc b/src/windows/leash/Leash.rc index 798e629..2359a8d 100644 --- a/src/windows/leash/Leash.rc +++ b/src/windows/leash/Leash.rc @@ -178,11 +178,6 @@ BEGIN "Z", ID_EDIT_UNDO, VIRTKEY, CONTROL, NOINVERT END -IDD_KRB4_DOMAINREALM_MAINT ACCELERATORS -BEGIN - "F", ID_BUTTON_HOSTNAME_REMOVE, VIRTKEY, CONTROL, NOINVERT -END - ///////////////////////////////////////////////////////////////////////////// // @@ -202,7 +197,7 @@ BEGIN CONTROL "Tree1",IDC_TREEVIEW,"SysTreeView32",TVS_HASBUTTONS | TVS_HASLINES | TVS_LINESATROOT | TVS_DISABLEDRAGDROP | TVS_INFOTIP | WS_HSCROLL | WS_TABSTOP,0,19,164,13 - LTEXT "Your Kerberos Tickets and AFS Tokens (Issued/Expires/[Renew]/Principal)", + LTEXT "Your Kerberos Tickets (Issued/Expires/[Renew]/Principal)", IDC_LABEL_KERB_TICKETS,6,5,280,12 CONTROL "",IDC_LEASH_MAINVIEW,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,0,43,347,88 @@ -259,30 +254,6 @@ BEGIN CTEXT "Leash Warning Here!!!",IDC_LEASH_WARNING_MSG,0,7,257,27 END -IDD_KRB4_PROP_LOCATION DIALOG 0, 0, 316, 191 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Client File Location" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_EDIT_TICKET_FILE,64,24,239,12,ES_AUTOHSCROLL - EDITTEXT IDC_EDIT_KRB_LOC,64,110,203,12,ES_AUTOHSCROLL | WS_GROUP - PUSHBUTTON "Browse",IDC_BUTTON_KRB_BROWSE,271,109,31,14,WS_GROUP - PUSHBUTTON "Browse",IDC_BUTTON_KRBREALM_BROWSE,271,129,32,14, - WS_GROUP - LTEXT "Name:",IDC_STATIC_TICKET_FILEPATH,34,25,22,8 - GROUPBOX "Configuration File(s) Path",IDC_STATIC_CONFIG_FILES,7, - 92,301,93 - GROUPBOX "Ticket File",IDC_STATIC_TICKETFILE,7,8,301,71 - LTEXT "Config.:",IDC_STATIC_KRBCON,31,110,25,8 - LTEXT "Ticket file name is set in your computer's environment!\nTo edit, remove it from the environment.", - IDC_STATIC_TXT,12,54,283,19 - LTEXT "One or more Configuration file locations are set in your computer's environment!\nTo edit, remove all of them from the environment.", - IDC_STATIC_CONFILES,12,160,284,19 - EDITTEXT IDC_EDIT_KRBREALM_LOC,64,130,203,12,ES_AUTOHSCROLL | - WS_GROUP - LTEXT "Realms:",IDC_STATIC_KRBREALMS,30,130,26,8 -END - IDD_KRB_PROP_CONTENT DIALOG 0, 0, 314, 172 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Default Realm Configuration" @@ -315,36 +286,6 @@ BEGIN GROUPBOX "",stc32,7,7,227,98,NOT WS_VISIBLE END -IDD_LEASH_PROPERTIES DIALOGEX 0, 0, 305, 166 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Leash Properties" -FONT 8, "MS Sans Serif", 0, 0, 0x0 -BEGIN - EDITTEXT IDC_EDIT_TIME_SERVER,59,22,233,12,ES_AUTOHSCROLL - PUSHBUTTON "&Help",IDC_BUTTON_LEASHINI_HELP2,138,145,50,14 - DEFPUSHBUTTON "&OK",IDOK,242,145,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,190,145,50,14 - LTEXT "Name:",IDC_STATIC_TIMESERVER,31,23,22,8 - GROUPBOX "Time Server",IDC_STATIC_OPTIONS,7,7,291,45 - LTEXT "Time server name is set in your computer's environment!\nTo edit, remove it from the environment.", - IDC_STATIC_TIMEHOST,31,22,201,21 - CONTROL "Create Configuration Files &Missing at Startup", - IDC_CHECK_CREATE_MISSING_CFG,"Button",BS_AUTOCHECKBOX | - WS_TABSTOP,15,105,244,10 - PUSHBUTTON "&Restore Leash Defaults",IDC_RESET_DEFAULTS,31,126,243, - 14 - GROUPBOX "Miscellaneous Options",IDC_GROUP_LEASH_MISC,7,95,291,29 - GROUPBOX "Automatic MSLSA Ticket Importation",IDC_STATIC,7,52,291, - 40 - CONTROL "Never",IDC_RADIO_MSLSA_IMPORT_OFF,"Button", - BS_AUTORADIOBUTTON | WS_GROUP | WS_TABSTOP,16,70,35,10 - CONTROL "Always",IDC_RADIO_MSLSA_IMPORT_ON,"Button", - BS_AUTORADIOBUTTON | WS_TABSTOP,62,70,48,10 - CONTROL "When MSLSA Principal matches Default Realm", - IDC_RADIO_MSLSA_IMPORT_MATCH,"Button",BS_AUTORADIOBUTTON | - WS_TABSTOP,116,71,165,10 -END - IDD_KRB5_PROP_CONTENT DIALOG 0, 0, 321, 126 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Configuration Options" @@ -407,19 +348,6 @@ BEGIN BS_AUTOCHECKBOX | WS_TABSTOP,169,158,131,10 END -IDD_KRB4_DOMAINREALM_MAINT DIALOG 0, 0, 313, 213 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Domain-Host/Realm Maintenance" -FONT 8, "MS Sans Serif" -BEGIN - LISTBOX IDC_LIST_DOMAINREALM,7,7,299,174,LBS_NOINTEGRALHEIGHT | - WS_VSCROLL | WS_TABSTOP - DEFPUSHBUTTON "&Add",IDC_BUTTON_REALM_HOST_ADD,52,192,50,14 - PUSHBUTTON "&Remove",ID_BUTTON_REALM_HOST_REMOVE,106,192,50,14 - PUSHBUTTON "&Edit",IDC_BUTTON_REALM_HOST_EDIT,160,192,50,14 - PUSHBUTTON "&Help",IDC_BUTTON_HOSTMAINT_HELP,214,192,50,14 -END - IDD_KRB_ADD_REALM DIALOG 0, 0, 295, 94 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Add a Kerberos Realm" @@ -448,34 +376,6 @@ BEGIN IDC_STATIC_NOTE,11,15,267,8 END -IDD_KRB4_ADD_DOMAINREALMNAME DIALOG 0, 0, 295, 89 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Add Your Domain-Host/Kerberos Realm Names to List" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_EDIT_DOMAINHOSTNAME,75,15,208,12,ES_AUTOHSCROLL - EDITTEXT IDC_EDIT_DOMAINREALMNAME,75,32,208,12,ES_UPPERCASE | - ES_AUTOHSCROLL - PUSHBUTTON "&OK",IDOK,232,62,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,179,62,50,14 - LTEXT "Domain or Host: ",IDC_STATIC_DEFAULT_REALM,12,17,58,8 - LTEXT "Kerberos Realm:",IDC_STATIC_REALM_HOSTNAME,17,34,53,8 -END - -IDD_KRB4_EDIT_DOMAINREALMNAME DIALOG 0, 0, 295, 89 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Edit Your Domain-Host/Kerberos Realm Names to List" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_EDIT_DOMAINHOST,75,15,208,12,ES_AUTOHSCROLL - EDITTEXT IDC_EDIT_REALMNAME,75,32,208,12,ES_UPPERCASE | - ES_AUTOHSCROLL - PUSHBUTTON "&OK",IDOK,232,62,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,179,62,50,14 - LTEXT "Domain or Host: ",IDC_STATIC_DEFAULT_REALM,12,17,58,8 - LTEXT "Kerberos Realm:",IDC_STATIC_REALM_HOSTNAME,17,34,53,8 -END - IDD_KRB_ADD_KDC_HOSTSERVER DIALOG 0, 0, 295, 94 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Add a Kerberos Host Server" @@ -502,57 +402,6 @@ BEGIN IDC_STATIC_NOTE,11,15,267,8 END -IDD_KRB4_REALMHOST_MAINT2 DIALOG 0, 0, 313, 214 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Realm/Host Maintenance" -FONT 8, "MS Sans Serif" -BEGIN - DEFPUSHBUTTON "&Add",IDC_BUTTON_KRB4_REALM_HOST_ADD,53,161,50,14 - PUSHBUTTON "&Remove",ID_BUTTON_KRB4_REALM_HOST_REMOVE,107,161,50,14 - PUSHBUTTON "&Edit",IDC_BUTTON_KRB4_REALM_HOST_EDIT,161,161,50,14 - PUSHBUTTON "&Help",IDC_BUTTON_REALMHOST_MAINT_HELP2,214,161,50,14 - LISTBOX IDC_LIST_REMOVE_HOST,7,7,299,149,LBS_NOINTEGRALHEIGHT | - WS_VSCROLL | WS_TABSTOP - CONTROL "Use DNS KDC Lookup",IDC_KRB4_DNS_KDC,"Button", - BS_AUTOCHECKBOX | WS_TABSTOP,18,186,89,10 -END - -IDD_KRB4_EDIT_REALM DIALOG 0, 0, 296, 113 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Edit Kerberos Realm/Kerberos Host Names" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_EDIT_DEFAULT_REALM,70,23,213,12,ES_UPPERCASE | - ES_AUTOHSCROLL - EDITTEXT IDC_EDIT_REALM_HOSTNAME,70,41,213,12,ES_AUTOHSCROLL - CONTROL "Has Administrative Server",IDC_RADIO_ADMIN_SERVER, - "Button",BS_AUTORADIOBUTTON | WS_TABSTOP,50,61,96,12 - CONTROL "No Administrative Server",IDC_RADIO_NO_ADMIN_SERVER, - "Button",BS_AUTORADIOBUTTON | WS_TABSTOP,154,61,92,12 - PUSHBUTTON "&OK",IDOK,233,86,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,181,86,50,14 - LTEXT "Kerberos Realm:",IDC_STATIC_DEFAULT_REALM,11,25,53,8 - LTEXT "Kerberos Host:",IDC_STATIC_REALM_HOSTNAME,16,43,48,8 -END - -IDD_KRB4_ADD_REALM DIALOG 0, 0, 296, 113 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Add Kerberos Realm/Kerberos Host Names" -FONT 8, "MS Sans Serif" -BEGIN - EDITTEXT IDC_EDIT_DEFAULT_REALM,70,23,213,12,ES_UPPERCASE | - ES_AUTOHSCROLL - EDITTEXT IDC_EDIT_REALM_HOSTNAME,70,41,213,12,ES_AUTOHSCROLL - CONTROL "Has Administrative Server",IDC_RADIO_ADMIN_SERVER, - "Button",BS_AUTORADIOBUTTON | WS_TABSTOP,50,61,95,12 - CONTROL "No Administrative Server",IDC_RADIO_NO_ADMIN_SERVER, - "Button",BS_AUTORADIOBUTTON | WS_TABSTOP,154,61,92,12 - PUSHBUTTON "&OK",IDOK,232,86,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,179,86,50,14 - LTEXT "Kerberos Realm:",IDC_STATIC_DEFAULT_REALM,11,25,53,8 - LTEXT "Kerberos Host:",IDC_STATIC_REALM_HOSTNAME,16,43,48,8 -END - IDD_KRB_DOMAINREALM_MAINT DIALOG 0, 0, 314, 213 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "DNS / Realm Mapping" @@ -565,21 +414,6 @@ BEGIN PUSHBUTTON "&Edit",IDC_BUTTON_HOST_EDIT,185,192,50,14 END -IDD_AFS_PROPERTIES DIALOG 0, 0, 290, 68 -STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "AFS Properties" -FONT 8, "MS Sans Serif" -BEGIN - CONTROL "AFS Enabled",IDC_RADIO_AFS_ENABLED,"Button", - BS_AUTORADIOBUTTON,12,19,59,10 - CONTROL "AFS Disabled",IDC_RADIO_AFS_DISABLED,"Button", - BS_AUTORADIOBUTTON,80,19,59,10 - PUSHBUTTON "AFS Properties",IDC_BUTTON_AFS_PROPERTIES,11,47,70,14 - DEFPUSHBUTTON "&OK",IDOK,227,47,50,14 - PUSHBUTTON "&Cancel",IDCANCEL,173,47,50,14 - PUSHBUTTON "&Help",IDC_BUTTON_LEASHINI_HELP2,119,47,50,14 -END - IDD_KRB_PROP_MISC DIALOGEX 0, 0, 314, 215 STYLE DS_SETFONT | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU CAPTION "Ticket Lifetime and Other Initialization Options" @@ -653,8 +487,6 @@ BEGIN LTEXT "h",IDC_STATIC,230,26,8,8 LTEXT "m",IDC_STATIC,267,26,8,8 GROUPBOX "Ticket Initialization Options",IDC_STATIC,7,151,300,59 - CONTROL "Request Kerberos 4 Tickets",IDC_CHECK_REQUEST_KRB4, - "Button",BS_AUTOCHECKBOX | WS_TABSTOP,19,167,203,10 CONTROL "Preserve Ticket Initialization Dialog Options", IDC_CHECK_PRESERVE_KINIT_OPTIONS,"Button", BS_AUTOCHECKBOX | WS_TABSTOP,20,182,208,10 @@ -696,14 +528,6 @@ BEGIN BEGIN END - IDD_KRB4_PROP_LOCATION, DIALOG - BEGIN - LEFTMARGIN, 6 - RIGHTMARGIN, 307 - TOPMARGIN, 6 - BOTTOMMARGIN, 184 - END - IDD_KRB_PROP_CONTENT, DIALOG BEGIN LEFTMARGIN, 7 @@ -720,14 +544,6 @@ BEGIN BOTTOMMARGIN, 105 END - IDD_LEASH_PROPERTIES, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 298 - TOPMARGIN, 7 - BOTTOMMARGIN, 159 - END - IDD_KRB5_PROP_CONTENT, DIALOG BEGIN LEFTMARGIN, 7 @@ -753,14 +569,6 @@ BEGIN BOTTOMMARGIN, 206 END - IDD_KRB4_DOMAINREALM_MAINT, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 306 - TOPMARGIN, 7 - BOTTOMMARGIN, 206 - END - IDD_KRB_ADD_REALM, DIALOG BEGIN LEFTMARGIN, 7 @@ -777,22 +585,6 @@ BEGIN BOTTOMMARGIN, 87 END - IDD_KRB4_ADD_DOMAINREALMNAME, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 288 - TOPMARGIN, 7 - BOTTOMMARGIN, 82 - END - - IDD_KRB4_EDIT_DOMAINREALMNAME, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 288 - TOPMARGIN, 7 - BOTTOMMARGIN, 82 - END - IDD_KRB_ADD_KDC_HOSTSERVER, DIALOG BEGIN LEFTMARGIN, 7 @@ -809,30 +601,6 @@ BEGIN BOTTOMMARGIN, 87 END - IDD_KRB4_REALMHOST_MAINT2, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 306 - TOPMARGIN, 7 - BOTTOMMARGIN, 206 - END - - IDD_KRB4_EDIT_REALM, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 289 - TOPMARGIN, 7 - BOTTOMMARGIN, 106 - END - - IDD_KRB4_ADD_REALM, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 289 - TOPMARGIN, 7 - BOTTOMMARGIN, 106 - END - IDD_KRB_DOMAINREALM_MAINT, DIALOG BEGIN LEFTMARGIN, 7 @@ -841,14 +609,6 @@ BEGIN BOTTOMMARGIN, 206 END - IDD_AFS_PROPERTIES, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 283 - TOPMARGIN, 7 - BOTTOMMARGIN, 61 - END - IDD_KRB_PROP_MISC, DIALOG BEGIN LEFTMARGIN, 7 @@ -957,7 +717,6 @@ BEGIN ID_OPTIONS_RESETWINDOWSIZE "Puts Leash's main window back to it's default size " ID_RESET_WINDOW_SIZE "Refresh Leash window to it's default size/position" - ID_AFS_CONTROL_PANEL "Enables you to change settings" ID_SYSTEM_CONTROL_PANEL "Open your System Properties window" ID_OPTIONS_LOWTICKETALARMSOUND "Turn alarm off or on, when ticket time is low" diff --git a/src/windows/leash/LeashAboutBox.cpp b/src/windows/leash/LeashAboutBox.cpp index d5c6be2..8c621c3 100644 --- a/src/windows/leash/LeashAboutBox.cpp +++ b/src/windows/leash/LeashAboutBox.cpp @@ -327,22 +327,9 @@ void CLeashAboutBox::OnNotLoadedModules() { m_LB_DLLsLoaded.ResetContent(); -#ifndef NO_KRB4 - if (!CLeashApp::m_hKrb4DLL) - m_LB_DLLsLoaded.AddString(KERB4DLL); -#endif - if (!CLeashApp::m_hKrb5DLL) m_LB_DLLsLoaded.AddString(KERB5DLL); - // NOTE: If the snippet below is commented back in, - // it should read - // if (!CLeashApp::m_hAfsDLL) - // m_LB_DLLsLoaded.AddString(AFSAuthentDLL()); - - //if (!CLeashApp::m_hAfsDLL) - //m_LB_DLLsLoaded.AddString(ASFDLL); - HighlightFirstItem(); } diff --git a/src/windows/leash/LeashControlPanel.cpp b/src/windows/leash/LeashControlPanel.cpp deleted file mode 100644 index 47273a0..0000000 --- a/src/windows/leash/LeashControlPanel.cpp +++ /dev/null @@ -1,43 +0,0 @@ -// LeashControlPanel.cpp : implementation file -// - -#include "stdafx.h" -#include "leash.h" -#include "LeashControlPanel.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CLeashControlPanel dialog - - -CLeashControlPanel::CLeashControlPanel(CWnd* pParent /*=NULL*/) - : CDialog(CLeashControlPanel::IDD, pParent) -{ - //{{AFX_DATA_INIT(CLeashControlPanel) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CLeashControlPanel::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CLeashControlPanel) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CLeashControlPanel, CDialog) - //{{AFX_MSG_MAP(CLeashControlPanel) - // NOTE: the ClassWizard will add message map macros here - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CLeashControlPanel message handlers diff --git a/src/windows/leash/LeashControlPanel.h b/src/windows/leash/LeashControlPanel.h deleted file mode 100644 index 173dd6e..0000000 --- a/src/windows/leash/LeashControlPanel.h +++ /dev/null @@ -1,46 +0,0 @@ -#if !defined(AFX_LEASHCONTROLPANEL_H__940146F3_6857_11D2_943C_0000861B8A3C__INCLUDED_) -#define AFX_LEASHCONTROLPANEL_H__940146F3_6857_11D2_943C_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// LeashControlPanel.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CLeashControlPanel dialog - -class CLeashControlPanel : public CDialog -{ -// Construction -public: - CLeashControlPanel(CWnd* pParent = NULL); // standard constructor - -// Dialog Data - //{{AFX_DATA(CLeashControlPanel) - enum { IDD = IDD_LEASH_CONTROL_PANEL }; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CLeashControlPanel) - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CLeashControlPanel) - // NOTE: the ClassWizard will add member functions here - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_LEASHCONTROLPANEL_H__940146F3_6857_11D2_943C_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/LeashFileDialog.cpp b/src/windows/leash/LeashFileDialog.cpp deleted file mode 100644 index 7e45f42..0000000 --- a/src/windows/leash/LeashFileDialog.cpp +++ /dev/null @@ -1,75 +0,0 @@ -// ************************************************************************************** -// File: LeashFileDialog.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for LeashFileDialog.h. Contains variables and functions -// for the Leash File Dialog Box -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#include "stdafx.h" -#include "leash.h" -#include "LeashFileDialog.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CLeashFileDialog - -IMPLEMENT_DYNAMIC(CLeashFileDialog, CFileDialog) - - - -CLeashFileDialog::CLeashFileDialog(BOOL bOpenFileDialog, LPCTSTR lpszDefExt, LPCTSTR lpszFileName, - LPCTSTR lpszFilter, DWORD dwFlags, CWnd* pParentWnd) : - CFileDialog(bOpenFileDialog, lpszDefExt, lpszFileName, dwFlags, lpszFilter, pParentWnd) -{ - m_ofn.Flags |= OFN_ENABLETEMPLATE; - m_ofn.lpTemplateName = MAKEINTRESOURCE(IDD_FILESPECIAL); - m_ofn.lpstrFilter = lpszFilter; - m_ofn.lpstrFileTitle = m_lpstrFileTitle; - m_ofn.nMaxFileTitle = MAX_PATH; - *m_lpstrFileTitle = 0; - BOOL m_startup = TRUE; -} - - -BEGIN_MESSAGE_MAP(CLeashFileDialog, CFileDialog) - //{{AFX_MSG_MAP(CLeashFileDialog) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - - -BOOL CLeashFileDialog::OnInitDialog() -{ - BOOL bRet = CFileDialog::OnInitDialog(); - if (bRet == TRUE) - { - GetParent()->GetDlgItem(IDOK)->SetWindowText("&OK"); - //GetParent()->GetDlgItem(IDOK)->EnableWindow(FALSE); - } - - return bRet; -} - -void CLeashFileDialog::OnFileNameChange( ) -{ - if (!m_startup) - { //' keeps the OK button disabled until a real select is made - CString testString = GetFileName(); - if (-1 == testString.Find('*')) - GetParent()->GetDlgItem(IDOK)->EnableWindow(); - } - else - m_startup = FALSE; -} diff --git a/src/windows/leash/LeashFileDialog.h b/src/windows/leash/LeashFileDialog.h deleted file mode 100644 index aef156d..0000000 --- a/src/windows/leash/LeashFileDialog.h +++ /dev/null @@ -1,57 +0,0 @@ -// ************************************************************************************** -// File: LeashFileDialog.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for LeashFileDialog.cpp. Contains variables and functions -// for the Leash File Dialog Box -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - - -#if !defined(AFX_LEASHFILEDIALOG_H__E74500E1_6B74_11D2_9448_0000861B8A3C__INCLUDED_) -#define AFX_LEASHFILEDIALOG_H__E74500E1_6B74_11D2_9448_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// LeashFileDialog.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CLeashFileDialog dialog - -class CLeashFileDialog : public CFileDialog -{ - DECLARE_DYNAMIC(CLeashFileDialog) - -private: - CHAR m_lpstrFileTitle[MAX_PATH]; - BOOL m_startup; - -public: - CLeashFileDialog(BOOL bOpenFileDialog, // TRUE for FileOpen, FALSE for FileSaveAs - LPCTSTR lpszDefExt = NULL, - LPCTSTR lpszFileName = NULL, - LPCTSTR lpszFilter = NULL, - DWORD dwFlags = OFN_HIDEREADONLY | OFN_OVERWRITEPROMPT | OFN_FILEMUSTEXIST, - CWnd* pParentWnd = NULL); - - CString GetSelectedFileName() {return m_lpstrFileTitle;} - -protected: - //{{AFX_MSG(CLeashFileDialog) - virtual BOOL OnInitDialog(); - virtual void OnFileNameChange( ); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_LEASHFILEDIALOG_H__E74500E1_6B74_11D2_9448_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/LeashProperties.cpp b/src/windows/leash/LeashProperties.cpp deleted file mode 100644 index 2854231..0000000 --- a/src/windows/leash/LeashProperties.cpp +++ /dev/null @@ -1,202 +0,0 @@ -// ************************************************************************************** -// File: LeashProperties.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: CPP file for LeashProperties.h. Contains variables and functions -// for the Leash Properties Dialog Box -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - -#include "stdafx.h" -#include "leash.h" -#include "LeashProperties.h" -#include "LeashMessageBox.h" -#include -#include "lglobals.h" -#include "reminder.h" - -#ifdef _DEBUG -#define new DEBUG_NEW -#undef THIS_FILE -static char THIS_FILE[] = __FILE__; -#endif - -///////////////////////////////////////////////////////////////////////////// -// CLeashProperties dialog - -char CLeashProperties::timeServer[255] = {NULL}; - -CLeashProperties::CLeashProperties(CWnd* pParent /*=NULL*/) - : CDialog(CLeashProperties::IDD, pParent) -{ - m_initMissingFiles = m_newMissingFiles = 0; - dw_initMslsaImport = dw_newMslsaImport = 0; - - //{{AFX_DATA_INIT(CLeashProperties) - // NOTE: the ClassWizard will add member initialization here - //}}AFX_DATA_INIT -} - - -void CLeashProperties::DoDataExchange(CDataExchange* pDX) -{ - CDialog::DoDataExchange(pDX); - //{{AFX_DATA_MAP(CLeashProperties) - // NOTE: the ClassWizard will add DDX and DDV calls here - //}}AFX_DATA_MAP -} - - -BEGIN_MESSAGE_MAP(CLeashProperties, CDialog) - //{{AFX_MSG_MAP(CLeashProperties) - ON_BN_CLICKED(IDC_BUTTON_LEASHINI_HELP2, OnHelp) - ON_BN_CLICKED(IDC_CHECK_CREATE_MISSING_CFG, OnCheckMissingCfg) - ON_BN_CLICKED(IDC_RESET_DEFAULTS, OnButtonResetDefaults) - ON_BN_CLICKED(IDC_RADIO_MSLSA_IMPORT_OFF, OnRadioMslsaNever) - ON_BN_CLICKED(IDC_RADIO_MSLSA_IMPORT_ON, OnRadioMslsaAlways) - ON_BN_CLICKED(IDC_RADIO_MSLSA_IMPORT_MATCH, OnRadioMslsaMatchingRealm) - //}}AFX_MSG_MAP -END_MESSAGE_MAP() - -///////////////////////////////////////////////////////////////////////////// -// CLeashProperties message handlers - -BOOL CLeashProperties::OnInitDialog() -{ - CDialog::OnInitDialog(); - - pLeashGetTimeServerName(timeServer, TIMEHOST); - SetDlgItemText(IDC_EDIT_TIME_SERVER, timeServer); - - if (getenv(TIMEHOST)) - GetDlgItem(IDC_EDIT_TIME_SERVER)->EnableWindow(FALSE); - else - GetDlgItem(IDC_STATIC_TIMEHOST)->ShowWindow(FALSE); - - CWinApp * pApp = AfxGetApp(); - if (pApp) - m_initMissingFiles = m_newMissingFiles = - pApp->GetProfileInt("Settings", "CreateMissingConfig", FALSE_FLAG); - CheckDlgButton(IDC_CHECK_CREATE_MISSING_CFG, m_initMissingFiles); - - dw_initMslsaImport = dw_newMslsaImport = pLeash_get_default_mslsa_import(); - switch ( dw_initMslsaImport ) { - case 0: - CheckDlgButton(IDC_RADIO_MSLSA_IMPORT_OFF,TRUE); - break; - case 1: - CheckDlgButton(IDC_RADIO_MSLSA_IMPORT_ON,TRUE); - break; - case 2: - CheckDlgButton(IDC_RADIO_MSLSA_IMPORT_MATCH,TRUE); - break; - } - - return TRUE; -} - -void CLeashProperties::OnOK() -{ - CString timeServer_; - GetDlgItemText(IDC_EDIT_TIME_SERVER, timeServer_); - - if (getenv(TIMEHOST)) - { - // Check system for TIMEHOST, just in case it gets set (somehow) - MessageBox("Can't change the time host unless you remove it from the environment!", - "Error", MB_OK); - return; - } - - if( getenv("USEKRB4") != NULL) - { - MessageBox("Kerberos 4 ticket requests are being controlled by the environment" - "variable USEKRB4 instead of the registry. Leash cannot modify" - "the environment. Use the System control panel instead.", - "Leash", MB_OK); - return; - } - - if (SetRegistryVariable(TIMEHOST, timeServer_)) - { - MessageBox("There was an error putting your entry into the Registry!", - "Error", MB_OK); - } - - if ( m_initMissingFiles != m_newMissingFiles ) { - CWinApp * pApp = AfxGetApp(); - if (pApp) - pApp->WriteProfileInt("Settings", "CreateMissingConfig", - m_newMissingFiles ? TRUE_FLAG : FALSE_FLAG); - - if ( m_newMissingFiles ) - CLeashApp::ValidateConfigFiles(); - } - - if ( dw_initMslsaImport != dw_newMslsaImport ) { - pLeash_set_default_mslsa_import(dw_newMslsaImport); - } - - CDialog::OnOK(); -} - -void CLeashProperties::OnCheckMissingCfg() -{ - m_newMissingFiles = (BOOL)IsDlgButtonChecked(IDC_CHECK_CREATE_MISSING_CFG); -} - -void CLeashProperties::OnRadioMslsaNever() -{ - dw_newMslsaImport = 0; -} - -void CLeashProperties::OnRadioMslsaAlways() -{ - dw_newMslsaImport = 1; -} - -void CLeashProperties::OnRadioMslsaMatchingRealm() -{ - dw_newMslsaImport = 2; -} - -void CLeashProperties::OnHelp() -{ -#ifdef CALL_HTMLHELP - AfxGetApp()->HtmlHelp(HID_LEASH_PROPERTIES_COMMAND); -#else - AfxGetApp()->WinHelp(HID_LEASH_PROPERTIES_COMMAND); -#endif -} - -void CLeashProperties::OnButtonResetDefaults() -{ - if (IDYES != AfxMessageBox("You are about to reset all Leash settings to their default values!\n\nContinue?", - MB_YESNO)) - return; - - pLeash_reset_defaults(); - - HKEY hKey; - LONG rc; - - rc = RegOpenKeyEx(HKEY_CURRENT_USER, "SOFTWARE\\MIT\\Leash32\\Settings", - 0, KEY_WRITE, &hKey); - if (rc) - return; - - rc = RegDeleteValue(hKey, "AutoRenewTickets"); - rc = RegDeleteValue(hKey, "CreateMissingConfig"); - rc = RegDeleteValue(hKey, "DebugWindow"); - rc = RegDeleteValue(hKey, "LargeIcons"); - rc = RegDeleteValue(hKey, "TIMEHOST"); - rc = RegDeleteValue(hKey, "AfsStatus"); - rc = RegDeleteValue(hKey, "LowTicketAlarm"); - - RegCloseKey(hKey); -} diff --git a/src/windows/leash/LeashProperties.h b/src/windows/leash/LeashProperties.h deleted file mode 100644 index 314eba7..0000000 --- a/src/windows/leash/LeashProperties.h +++ /dev/null @@ -1,78 +0,0 @@ -// ************************************************************************************** -// File: LeashProperties.h -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright @1998 Massachusetts Institute of Technology - All rights reserved. -// Description: H file for LeashProperties.cpp. Contains variables and functions -// for the Leash Properties Dialog Box -// -// History: -// -// MM/DD/YY Inits Description of Change -// 12/02/98 ADL Original -// ************************************************************************************** - -#if !defined(AFX_LEASHPROPERTIES_H__7E54E028_726E_11D2_945E_0000861B8A3C__INCLUDED_) -#define AFX_LEASHPROPERTIES_H__7E54E028_726E_11D2_945E_0000861B8A3C__INCLUDED_ - -#if _MSC_VER > 1000 -#pragma once -#endif // _MSC_VER > 1000 -// LeashProperties.h : header file -// - -///////////////////////////////////////////////////////////////////////////// -// CLeashProperties dialog - -#define TIMEHOST "TIMEHOST" - -class CLeashProperties : public CDialog -{ -private: - static char timeServer[255]; - CHAR sysDir[MAX_PATH]; - BOOL m_initMissingFiles; - BOOL m_newMissingFiles; - DWORD dw_initMslsaImport; - DWORD dw_newMslsaImport; - -// Construction -public: - CLeashProperties(CWnd* pParent = NULL); // standard constructor - -// Dialog Data - //{{AFX_DATA(CLeashProperties) - enum { IDD = IDD_LEASH_PROPERTIES }; - // NOTE: the ClassWizard will add data members here - //}}AFX_DATA - - -// Overrides - // ClassWizard generated virtual function overrides - //{{AFX_VIRTUAL(CLeashProperties) - public: - protected: - virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV support - //}}AFX_VIRTUAL - -// Implementation -protected: - - // Generated message map functions - //{{AFX_MSG(CLeashProperties) - virtual BOOL OnInitDialog(); - virtual void OnOK(); - afx_msg void OnHelp(); - afx_msg void OnCheckMissingCfg(); - afx_msg void OnRadioMslsaNever(); - afx_msg void OnRadioMslsaAlways(); - afx_msg void OnRadioMslsaMatchingRealm(); - afx_msg void OnButtonResetDefaults(); - //}}AFX_MSG - DECLARE_MESSAGE_MAP() -}; - -//{{AFX_INSERT_LOCATION}} -// Microsoft Visual C++ will insert additional declarations immediately before the previous line. - -#endif // !defined(AFX_LEASHPROPERTIES_H__7E54E028_726E_11D2_945E_0000861B8A3C__INCLUDED_) diff --git a/src/windows/leash/LeashView.cpp b/src/windows/leash/LeashView.cpp index ef2a5a3..a2d005b 100644 --- a/src/windows/leash/LeashView.cpp +++ b/src/windows/leash/LeashView.cpp @@ -24,11 +24,6 @@ #include "LeashDebugWindow.h" #include "LeashMessageBox.h" #include "LeashAboutBox.h" -#include "Krb4Properties.h" -#include "Krb5Properties.h" -#include "LeashProperties.h" -#include "KrbProperties.h" -#include "AfsProperties.h" #include #ifdef _DEBUG @@ -83,23 +78,15 @@ BEGIN_MESSAGE_MAP(CLeashView, CListView) ON_UPDATE_COMMAND_UI(ID_INIT_TICKET, OnUpdateInitTicket) ON_UPDATE_COMMAND_UI(ID_RENEW_TICKET, OnUpdateRenewTicket) ON_COMMAND(ID_APP_ABOUT, OnAppAbout) - ON_COMMAND(ID_AFS_CONTROL_PANEL, OnAfsControlPanel) ON_UPDATE_COMMAND_UI(ID_DEBUG_MODE, OnUpdateDebugMode) ON_UPDATE_COMMAND_UI(ID_CFG_FILES, OnUpdateCfgFiles) - ON_COMMAND(ID_KRB4_PROPERTIES, OnKrb4Properties) - ON_COMMAND(ID_KRB5_PROPERTIES, OnKrb5Properties) - ON_COMMAND(ID_LEASH_PROPERTIES, OnLeashProperties) ON_COMMAND(ID_LEASH_RESTORE, OnLeashRestore) ON_COMMAND(ID_LEASH_MINIMIZE, OnLeashMinimize) ON_COMMAND(ID_LOW_TICKET_ALARM, OnLowTicketAlarm) ON_COMMAND(ID_AUTO_RENEW, OnAutoRenew) ON_UPDATE_COMMAND_UI(ID_LOW_TICKET_ALARM, OnUpdateLowTicketAlarm) ON_UPDATE_COMMAND_UI(ID_AUTO_RENEW, OnUpdateAutoRenew) - ON_UPDATE_COMMAND_UI(ID_KRB4_PROPERTIES, OnUpdateKrb4Properties) - ON_UPDATE_COMMAND_UI(ID_KRB5_PROPERTIES, OnUpdateKrb5Properties) - ON_UPDATE_COMMAND_UI(ID_AFS_CONTROL_PANEL, OnUpdateAfsControlPanel) ON_UPDATE_COMMAND_UI(ID_MAKE_DEFAULT, OnUpdateMakeDefault) - ON_COMMAND(ID_PROPERTIES, OnKrbProperties) ON_UPDATE_COMMAND_UI(ID_PROPERTIES, OnUpdateProperties) ON_COMMAND(ID_HELP_KERBEROS_, OnHelpKerberos) ON_COMMAND(ID_HELP_LEASH32, OnHelpLeash32) @@ -122,19 +109,8 @@ END_MESSAGE_MAP() time_t CLeashView::m_ticketTimeLeft = 0; // # of seconds left before tickets expire -INT CLeashView::m_forwardableTicket = 0; -INT CLeashView::m_proxiableTicket = 0; -INT CLeashView::m_renewableTicket = 0; -INT CLeashView::m_noaddressTicket = 0; -DWORD CLeashView::m_publicIPAddress = 0; -INT CLeashView::m_ticketStatusAfs = 0; // Defense Condition: are we low on tickets? -INT CLeashView::m_ticketStatusKrb4 = 0; // Defense Condition: are we low on tickets? INT CLeashView::m_ticketStatusKrb5 = 0; // Defense Condition: are we low on tickets? -INT CLeashView::m_warningOfTicketTimeLeftAfs = 0; // Prevents warning box from coming up repeatively -INT CLeashView::m_warningOfTicketTimeLeftKrb4 = 0; // Prevents warning box from coming up repeatively INT CLeashView::m_warningOfTicketTimeLeftKrb5 = 0; // Prevents warning box from coming up repeatively -INT CLeashView::m_warningOfTicketTimeLeftLockAfs = 0; -INT CLeashView::m_warningOfTicketTimeLeftLockKrb4 = 0; INT CLeashView::m_warningOfTicketTimeLeftLockKrb5 = 0; INT CLeashView::m_updateDisplayCount; INT CLeashView::m_alreadyPlayedDisplayCount; @@ -229,22 +205,22 @@ static HFONT CreateBoldItalicFont(HFONT font) bool change_icon_size = true; -void krb5TimestampToFileTime(krb5_timestamp t, LPFILETIME pft) +void TimestampToFileTime(time_t t, LPFILETIME pft) { // Note that LONGLONG is a 64-bit value - LONGLONG ll; + ULONGLONG ll; - ll = Int32x32To64(t, 10000000) + 116444736000000000; + ll = UInt32x32To64((DWORD)t, 10000000) + 116444736000000000; pft->dwLowDateTime = (DWORD)ll; pft->dwHighDateTime = ll >> 32; } // allocate outstr -void krb5TimestampToLocalizedString(krb5_timestamp t, LPTSTR *outStr) +void TimestampToLocalizedString(time_t t, LPTSTR *outStr) { FILETIME ft, lft; SYSTEMTIME st; - krb5TimestampToFileTime(t, &ft); + TimestampToFileTime(t, &ft); FileTimeToLocalFileTime(&ft, &lft); FileTimeToSystemTime(&lft, &st); TCHAR timeFormat[80]; // 80 is max required for LOCALE_STIMEFORMAT @@ -345,14 +321,8 @@ void DurationToString(long delta, LPTSTR *outStr) CLeashView::CLeashView() { ////@#+Need removing as well! -#ifndef NO_KRB4 - m_listKrb4 = NULL; -#endif - m_listAfs = NULL; m_startup = TRUE; - m_warningOfTicketTimeLeftKrb4 = 0; m_warningOfTicketTimeLeftKrb5 = 0; - m_warningOfTicketTimeLeftLockKrb4 = 0; m_warningOfTicketTimeLeftLockKrb5 = 0; m_largeIcons = 0; m_destroyTicketsOnExit = 0; @@ -377,11 +347,6 @@ CLeashView::CLeashView() m_hMenu = NULL; m_pApp = NULL; m_ccacheDisplay = NULL; - m_forwardableTicket = 0; - m_proxiableTicket = 0; - m_renewableTicket = 0; - m_noaddressTicket = 0; - m_publicIPAddress = 0; m_autoRenewTickets = 0; m_autoRenewalAttempted = 0; m_pWarningMessage = NULL; @@ -497,8 +462,7 @@ time_t CLeashView::LeashTime() // Call while possessing a lock to ticketinfo.lockObj INT CLeashView::GetLowTicketStatus(int ver) { - BOOL b_notix = (ver == 5 && !ticketinfo.Krb5.btickets) || - (ver == 1 && !ticketinfo.Afs.btickets); + BOOL b_notix = (ver == 5 && !ticketinfo.Krb5.btickets); if (b_notix) return NO_TICKETS; @@ -566,21 +530,6 @@ VOID CLeashView::OnShowWindow(BOOL bShow, UINT nStatus) // Get State of Upper Case Realm m_upperCaseRealm = pLeash_get_default_uppercaserealm(); - // Forwardable flag - m_forwardableTicket = pLeash_get_default_forwardable(); - - // Proxiable flag - m_proxiableTicket = pLeash_get_default_proxiable(); - - // Renewable flag - m_renewableTicket = pLeash_get_default_renewable(); - - // No Address flag - m_noaddressTicket = pLeash_get_default_noaddresses(); - - // Public IP Address - m_publicIPAddress = pLeash_get_default_publicip(); - // UI main display column widths for (int i=0; iGetProfileInt("Settings", "AfsStatus", 1); - CListCtrl& list = GetListCtrl(); // @TODO: there is probably a more sensible place to initialize these... if ((m_BaseFont == NULL) && (list.GetFont())) { @@ -1275,33 +1201,13 @@ VOID CLeashView::OnUpdateDisplay() } } -#ifndef NO_KRB4 - INT ticketIconStatusKrb4; - INT ticketIconStatus_SelectedKrb4; - INT iconStatusKrb4; -#endif - INT ticketIconStatusKrb5; INT ticketIconStatus_SelectedKrb5; INT iconStatusKrb5; - INT ticketIconStatusAfs; - INT ticketIconStatus_SelectedAfs; - INT iconStatusAfs; - -#ifndef NO_KRB4 - LONG krb4Error; -#endif - LONG afsError; - if (WaitForSingleObject( ticketinfo.lockObj, 100 ) != WAIT_OBJECT_0) throw("Unable to lock ticketinfo"); -#ifndef NO_KRB4 - // Get Kerb 4 tickets in list - krb4Error = pLeashKRB4GetTickets(&ticketinfo.Krb4, &m_listKrb4); -#endif - // Get Kerb 5 tickets in list LeashKRB5ListDefaultTickets(&ticketinfo.Krb5); if (CLeashApp::m_hKrb5DLL && !CLeashApp::m_krbv5_profile) @@ -1319,55 +1225,11 @@ VOID CLeashView::OnUpdateDisplay() pprofile_init(filenames, &CLeashApp::m_krbv5_profile); } - // Get AFS Tokens in list - if (CLeashApp::m_hAfsDLL) { - char * principal; - if ( ticketinfo.Krb5.principal[0] ) - principal = ticketinfo.Krb5.principal; - else - principal = ""; - afsError = pLeashAFSGetToken(&ticketinfo.Afs, &m_listAfs, principal); - } - /* * Update Ticket Status for Krb5 so that we may use their state * to select the appropriate Icon for the Parent Node */ -////Might need to delete dependent stuff as well!!! -#ifndef NO_KRB4 - /* Krb4 */ - UpdateTicketTime(ticketinfo.Krb4); - m_ticketStatusKrb4 = GetLowTicketStatus(4); - if (!m_listKrb4 || EXPIRED_TICKETS == ticketinfo.Krb4.btickets || - m_ticketStatusKrb4 == ZERO_MINUTES_LEFT) - { - ticketIconStatusKrb4 = EXPIRED_CLOCK; - ticketIconStatus_SelectedKrb4 = EXPIRED_CLOCK; - iconStatusKrb4 = EXPIRED_TICKET; - } - else if (TICKETS_LOW == ticketinfo.Krb4.btickets || - m_ticketStatusKrb4 == FIVE_MINUTES_LEFT || - m_ticketStatusKrb4 == TEN_MINUTES_LEFT || - m_ticketStatusKrb4 == FIFTEEN_MINUTES_LEFT) - { - ticketIconStatusKrb4 = LOW_CLOCK; - ticketIconStatus_SelectedKrb4 = LOW_CLOCK; - iconStatusKrb4 = LOW_TICKET; - } - else if ( CLeashApp::m_hKrb4DLL ) - { - ticketIconStatusKrb4 = ACTIVE_CLOCK; - ticketIconStatus_SelectedKrb4 = ACTIVE_CLOCK; - iconStatusKrb4 = ACTIVE_TICKET; - } else { - ticketIconStatusKrb4 = EXPIRED_CLOCK; - ticketIconStatus_SelectedKrb4 = EXPIRED_CLOCK; - iconStatusKrb4 = TICKET_NOT_INSTALLED; - } -#endif - - /* Krb5 */ UpdateTicketTime(ticketinfo.Krb5); m_ticketStatusKrb5 = GetLowTicketStatus(5); @@ -1400,37 +1262,6 @@ VOID CLeashView::OnUpdateDisplay() iconStatusKrb5 = TICKET_NOT_INSTALLED; } - /* Afs */ - UpdateTicketTime(ticketinfo.Afs); - m_ticketStatusAfs = GetLowTicketStatus(1); - if (!m_listAfs || EXPIRED_TICKETS == ticketinfo.Afs.btickets || - m_ticketStatusAfs == ZERO_MINUTES_LEFT) - { - ticketIconStatusAfs = EXPIRED_CLOCK; - ticketIconStatus_SelectedAfs = EXPIRED_CLOCK; - iconStatusAfs = EXPIRED_TICKET; - } - else if (TICKETS_LOW == ticketinfo.Afs.btickets || - m_ticketStatusAfs == FIVE_MINUTES_LEFT || - m_ticketStatusAfs == TEN_MINUTES_LEFT || - m_ticketStatusAfs == FIFTEEN_MINUTES_LEFT) - { - ticketIconStatusAfs = LOW_CLOCK; - ticketIconStatus_SelectedAfs = LOW_CLOCK; - iconStatusAfs = LOW_TICKET; - } - else if ( CLeashApp::m_hAfsDLL ) - { - ticketIconStatusAfs = ACTIVE_CLOCK; - ticketIconStatus_SelectedAfs = ACTIVE_CLOCK; - iconStatusAfs = ACTIVE_TICKET; - } else - { - ticketIconStatusAfs = EXPIRED_CLOCK; - ticketIconStatus_SelectedAfs = EXPIRED_CLOCK; - iconStatusAfs = TICKET_NOT_INSTALLED; - } - int trayIcon = NONE_PARENT_NODE; if (CLeashApp::m_hKrb5DLL && ticketinfo.Krb5.btickets) { switch ( iconStatusKrb5 ) { @@ -1554,8 +1385,6 @@ VOID CLeashView::OnUpdateDisplay() LeashKRB5FreeTicketInfo(&ticketinfo.Krb5); LeashKRB5FreeTickets(&principallist); - // @TODO: AFS-specific here - ReleaseMutex(ticketinfo.lockObj); } @@ -1656,9 +1485,6 @@ VOID CLeashView::OnActivateView(BOOL bActivate, CView* pActivateView, m_alreadyPlayed = TRUE; - if (!CKrbProperties::KrbPropertiesOn) - SendMessage(WM_COMMAND, ID_UPDATE_DISPLAY, 0); - if (m_debugStartUp) { OnDebugMode(); @@ -1672,11 +1498,6 @@ VOID CLeashView::OnActivateView(BOOL bActivate, CView* pActivateView, ////@#+Is this KRB4 only? VOID CLeashView::OnDebugMode() { -#ifndef NO_KRB4 - if (!pset_krb_debug) - return; -#endif - if (!m_pDebugWindow) { AfxMessageBox("There is a problem with the Leash Debug Window!", @@ -1725,11 +1546,6 @@ VOID CLeashView::OnDebugMode() m_pApp->WriteProfileInt("Settings", "DebugWindow", FALSE_FLAG); m_pDebugWindow->DestroyWindow(); -//// -#ifndef NO_KRB4 - pset_krb_debug(OFF); - pset_krb_ap_req_debug(OFF); -#endif return; } else @@ -1959,11 +1775,7 @@ VOID CLeashView::OnUpdateUppercaseRealm(CCmdUI *pCmdUI) VOID CLeashView::ResetTreeNodes() { m_hPrincipalState = 0; -#ifndef NO_KRB4 - m_hKerb4State = 0; -#endif m_hKerb5State = 0; - m_hAFSState = 0; } VOID CLeashView::OnDestroy() @@ -1999,13 +1811,7 @@ VOID CLeashView::OnUpdateDestroyTicket(CCmdUI* pCmdUI) VOID CLeashView::OnUpdateInitTicket(CCmdUI* pCmdUI) { - if ( -////Is this logic correct? -#ifndef NO_KRB4 - !CLeashApp::m_hKrb4DLL && -#endif - !CLeashApp::m_hKrb5DLL && - !CLeashApp::m_hAfsDLL) + if (!CLeashApp::m_hKrb5DLL) pCmdUI->Enable(FALSE); else pCmdUI->Enable(TRUE); @@ -2092,17 +1898,8 @@ LRESULT CLeashView::OnTrayIcon(WPARAM wParam, LPARAM lParam) menu->AppendMenu(MF_STRING, ID_INIT_TICKET, "&Get Tickets"); if (WaitForSingleObject( ticketinfo.lockObj, INFINITE ) != WAIT_OBJECT_0) throw("Unable to lock ticketinfo"); - if (!( -#ifndef NO_KRB4 - ticketinfo.Krb4.btickets || -#endif - ticketinfo.Krb5.btickets) || -////Not entirely sure about the logic -#ifndef NO_KRB4 - !CLeashApp::m_hKrb4DLL && -#endif - !CLeashApp::m_hKrb5DLL && - !CLeashApp::m_hAfsDLL) + if (!ticketinfo.Krb5.btickets || + !CLeashApp::m_hKrb5DLL) nFlags = MF_STRING | MF_GRAYED; else nFlags = MF_STRING; @@ -2112,7 +1909,7 @@ LRESULT CLeashView::OnTrayIcon(WPARAM wParam, LPARAM lParam) else nFlags = MF_STRING; menu->AppendMenu(MF_STRING, ID_IMPORT_TICKET, "&Import Tickets"); - if (!ticketinfo.Krb5.btickets && !ticketinfo.Afs.btickets) + if (!ticketinfo.Krb5.btickets) nFlags = MF_STRING | MF_GRAYED; else nFlags = MF_STRING; @@ -2162,12 +1959,6 @@ VOID CLeashView::OnAppAbout() } -VOID CLeashView::OnAfsControlPanel() -{ - CAfsProperties afsProperties; - afsProperties.DoModal(); -} - VOID CLeashView::OnInitialUpdate() { CListView::OnInitialUpdate(); @@ -2181,14 +1972,8 @@ VOID CLeashView::OnItemexpandedTreeview(NMHDR* pNMHDR, LRESULT* pResult) if (m_hPrincipal == pNMTreeView->itemNew.hItem) m_hPrincipalState = pNMTreeView->action; -#ifndef NO_KRB4 - else if (m_hKerb4 == pNMTreeView->itemNew.hItem) - m_hKerb4State = pNMTreeView->action; -#endif else if (m_hKerb5 == pNMTreeView->itemNew.hItem) m_hKerb5State = pNMTreeView->action; - else if (m_hAFS == pNMTreeView->itemNew.hItem) - m_hAFSState = pNMTreeView->action; CMainFrame::m_isBeingResized = TRUE; *pResult = 0; @@ -2196,56 +1981,12 @@ VOID CLeashView::OnItemexpandedTreeview(NMHDR* pNMHDR, LRESULT* pResult) VOID CLeashView::OnUpdateDebugMode(CCmdUI* pCmdUI) { -//// -#ifndef NO_KRB4 - if (!pset_krb_debug) -#endif pCmdUI->Enable(FALSE); -//// -#ifndef NO_KRB4 - else - pCmdUI->Enable(TRUE); -#endif } VOID CLeashView::OnUpdateCfgFiles(CCmdUI* pCmdUI) { -//// -#ifndef NO_KRB4 - if (!pkrb_get_krbconf2) -#endif pCmdUI->Enable(FALSE); -//// -#ifndef NO_KRB4 - else - pCmdUI->Enable(TRUE); -#endif -} - -VOID CLeashView::OnLeashProperties() -{ - CLeashProperties leashProperties; - leashProperties.DoModal(); -} - -VOID CLeashView::OnKrbProperties() -{ - CKrbProperties krbProperties("Kerberos Properties"); - krbProperties.DoModal(); -} - -VOID CLeashView::OnKrb4Properties() -{ -#ifndef NO_KRB4 - CKrb4Properties krb4Properties("Kerberos Four Properties"); - krb4Properties.DoModal(); -#endif -} - -VOID CLeashView::OnKrb5Properties() -{ - CKrb5Properties krb5Properties("Kerberos Five Properties"); - krb5Properties.DoModal(); } /* @@ -2370,10 +2111,8 @@ BOOL CLeashView::PreTranslateMessage(MSG* pMsg) if (InterlockedDecrement(&m_timerMsgNotInProgress) == 0) { CString ticketStatusKrb5 = TCHAR(NOT_INSTALLED); - CString ticketStatusAfs = TCHAR(NOT_INSTALLED); CString strTimeDate; CString lowTicketWarningKrb5; - CString lowTicketWarningAfs; timer_start: if (WaitForSingleObject( ticketinfo.lockObj, 100 ) != WAIT_OBJECT_0) @@ -2470,113 +2209,6 @@ BOOL CLeashView::PreTranslateMessage(MSG* pMsg) } //KRB5 - - if (CLeashApp::m_hAfsDLL) - { - // AFS - UpdateTicketTime(ticketinfo.Afs); - if (!ticketinfo.Afs.btickets) - { - BOOL AfsEnabled = m_pApp->GetProfileInt("Settings", "AfsStatus", 1); - if ( AfsEnabled ) - ticketStatusAfs = "AFS: No Tickets"; - else - ticketStatusAfs = "AFS: Disabled"; - } - else if (EXPIRED_TICKETS == ticketinfo.Afs.btickets) - { -#ifndef NO_KRB5 - if (ticketinfo.Krb5.btickets && - EXPIRED_TICKETS != ticketinfo.Krb5.btickets && - m_autoRenewTickets && - !m_autoRenewalAttempted && - ticketinfo.Krb5.renew_until && - (ticketinfo.Krb5.issued + ticketinfo.Krb5.renew_until -LeashTime() > 20 * 60) && - !stricmp(ticketinfo.Krb5.principal,ticketinfo.Afs.principal) - ) - { - m_autoRenewalAttempted = 1; - ReleaseMutex(ticketinfo.lockObj); - AfxBeginThread(RenewTicket,m_hWnd); - goto timer_start; - } -#endif /* NO_KRB5 */ - ticketStatusAfs = "AFS: Expired Tickets"; - lowTicketWarningAfs = "Your AFS token(s) have expired"; - if (!m_warningOfTicketTimeLeftLockAfs) - m_warningOfTicketTimeLeftAfs = 0; - m_warningOfTicketTimeLeftLockAfs = ZERO_MINUTES_LEFT; - m_ticketTimeLeft = 0; - } - else - { - m_ticketStatusAfs = GetLowTicketStatus(1); - switch (m_ticketStatusAfs) - { - case FIFTEEN_MINUTES_LEFT: - ticketinfo.Afs.btickets = TICKETS_LOW; - - lowTicketWarningAfs = "Less then 15 minutes left on your AFStoken(s)"; - break; - case TEN_MINUTES_LEFT: - ticketinfo.Afs.btickets = TICKETS_LOW; - - lowTicketWarningAfs = "Less then 10 minutes left on your AFS token(s)"; - - if (!m_warningOfTicketTimeLeftLockAfs) - m_warningOfTicketTimeLeftAfs = 0; - - m_warningOfTicketTimeLeftLockAfs = TEN_MINUTES_LEFT; - break; - case FIVE_MINUTES_LEFT: - ticketinfo.Afs.btickets = TICKETS_LOW; - if (m_warningOfTicketTimeLeftLockAfs == TEN_MINUTES_LEFT) - m_warningOfTicketTimeLeftAfs = 0; - - m_warningOfTicketTimeLeftLockAfs = FIVE_MINUTES_LEFT; - - lowTicketWarningAfs = "Less then 5 minutes left on your AFS token(s)"; - break; - default: - m_ticketStatusAfs = 0; - break; - } - - } - - if (CMainFrame::m_isMinimum) - { - // minimized dispay - ticketStatusAfs.Format("AFS: %02d:%02d Left", - (m_ticketTimeLeft / 60L / 60L), - (m_ticketTimeLeft / 60L % 60L)); - } - else - { - // normal display - if (GOOD_TICKETS == ticketinfo.Afs.btickets || - TICKETS_LOW == ticketinfo.Afs.btickets) - { - if ( m_ticketTimeLeft >= 60 ) { - ticketStatusAfs.Format("AFS Token Life: %02d:%02d", - (m_ticketTimeLeft / 60L / 60L), - (m_ticketTimeLeft / 60L % 60L)); - } else { - ticketStatusAfs.Format("AFS Token Life: < 1 min"); - } - } -#ifndef NO_STATUS_BAR - if (CMainFrame::m_wndStatusBar) - { - CMainFrame::m_wndStatusBar.SetPaneInfo(3, 111113, SBPS_NORMAL, 130); - CMainFrame::m_wndStatusBar.SetPaneText(3, ticketStatusAfs, SBT_POPOUT); - } -#endif - } - } - // AFS - -#ifndef NO_KRB5 if ( m_ticketStatusKrb5 == TWENTY_MINUTES_LEFT && m_autoRenewTickets && !m_autoRenewalAttempted && ticketinfo.Krb5.renew_until && (ticketinfo.Krb5.renew_until - LeashTime() > 20 * 60)) @@ -2586,17 +2218,13 @@ BOOL CLeashView::PreTranslateMessage(MSG* pMsg) AfxBeginThread(RenewTicket,m_hWnd); goto timer_start; } -#endif /* NO_KRB5 */ BOOL warningKrb5 = m_ticketStatusKrb5 > NO_TICKETS && m_ticketStatusKrb5 < TWENTY_MINUTES_LEFT && !m_warningOfTicketTimeLeftKrb5; - BOOL warningAfs = m_ticketStatusAfs > NO_TICKETS && - m_ticketStatusAfs < TWENTY_MINUTES_LEFT && - !m_warningOfTicketTimeLeftAfs; // Play warning message only once per each case statement above - if (warningKrb5 || warningAfs) + if (warningKrb5) { CString lowTicketWarning = ""; @@ -2607,13 +2235,6 @@ BOOL CLeashView::PreTranslateMessage(MSG* pMsg) m_warningOfTicketTimeLeftKrb5 = ON; warnings++; } - if (warningAfs) { - if ( warnings ) - lowTicketWarning += "\n"; - lowTicketWarning += lowTicketWarningAfs; - m_warningOfTicketTimeLeftAfs = ON; - warnings++; - } ReleaseMutex(ticketinfo.lockObj); AlarmBeep(); @@ -2626,17 +2247,10 @@ BOOL CLeashView::PreTranslateMessage(MSG* pMsg) if (CMainFrame::m_isMinimum) { - if ( CLeashApp::m_hAfsDLL ) - strTimeDate = ( "MIT Kerberos - " - "[" + ticketStatusKrb5 + "] - " + - "[" + ticketStatusAfs + "] - " + - "[" + ticketinfo.Krb5.principal + "]" + " - " + - tTimeDate.Format("%A, %B %d, %Y %H:%M ")); - else - strTimeDate = ( "MIT Kerberos - " - "[" + ticketStatusKrb5 + "] - " + - "[" + ticketinfo.Krb5.principal + "]" + " - " + - tTimeDate.Format("%A, %B %d, %Y %H:%M ")); + strTimeDate = ( "MIT Kerberos - " + "[" + ticketStatusKrb5 + "] - " + + "[" + ticketinfo.Krb5.principal + "]" + " - " + + tTimeDate.Format("%A, %B %d, %Y %H:%M ")); } else { @@ -2758,46 +2372,12 @@ VOID CLeashView::AlarmBeep() VOID CLeashView::OnUpdateProperties(CCmdUI* pCmdUI) { - if (CLeashApp::m_hKrb5DLL -#ifndef NO_KRB4 - || CLeashApp::m_hKrb4DLL -#endif - ) - pCmdUI->Enable(); - else - pCmdUI->Enable(FALSE); -} - -VOID CLeashView::OnUpdateKrb4Properties(CCmdUI* pCmdUI) -{ -#ifndef NO_KRB4 - if (CLeashApp::m_hKrb4DLL) - pCmdUI->Enable(); - else -#endif - pCmdUI->Enable(FALSE); -} - -VOID CLeashView::OnUpdateKrb5Properties(CCmdUI* pCmdUI) -{ if (CLeashApp::m_hKrb5DLL) pCmdUI->Enable(); else pCmdUI->Enable(FALSE); } -VOID CLeashView::OnUpdateAfsControlPanel(CCmdUI* pCmdUI) -{ -////Is the comment even correct? -#ifndef NO_KRB4 - // need Krb 4 to get AFS tokens - if (CLeashApp::m_hAfsDLL && CLeashApp::m_hKrb4DLL) - pCmdUI->Enable(); - else -#endif - pCmdUI->m_pMenu->DeleteMenu(pCmdUI->m_nID, MF_BYCOMMAND); -} - void CLeashView::OnHelpLeash32() { #ifdef CALL_HTMLHELP diff --git a/src/windows/leash/LeashView.h b/src/windows/leash/LeashView.h index 190c93b..2caecef 100644 --- a/src/windows/leash/LeashView.h +++ b/src/windows/leash/LeashView.h @@ -129,22 +129,13 @@ class CLeashView : public CListView { private: ////@#+Remove -#ifndef NO_KRB4 - TicketList* m_listKrb4; -#endif - TicketList* m_listAfs; CLeashDebugWindow* m_pDebugWindow; CCacheDisplayData* m_ccacheDisplay; CImageList m_imageList; CWinApp* m_pApp; HTREEITEM m_hPrincipal; -////@#+Remove -#ifndef NO_KRB4 - HTREEITEM m_hKerb4; -#endif HTREEITEM m_hKerb5; HTREEITEM m_hk5tkt; - HTREEITEM m_hAFS; TV_INSERTSTRUCT m_tvinsert; HMENU m_hMenu; BOOL m_startup; @@ -157,11 +148,7 @@ private: INT m_largeIcons; INT m_lowTicketAlarm; INT m_hPrincipalState; -#ifndef NO_KRB4 - INT m_hKerb4State; -#endif INT m_hKerb5State; - INT m_hAFSState; CString* m_pWarningMessage; BOOL m_bIconAdded; BOOL m_bIconDeleted; @@ -174,18 +161,9 @@ private: static ViewColumnInfo sm_viewColumns[NUM_VIEW_COLUMNS]; static INT m_autoRenewTickets; - static INT m_ticketStatusAfs; -////Remove as well? - static INT m_ticketStatusKrb4; static INT m_ticketStatusKrb5; static INT m_autoRenewalAttempted; - static INT m_warningOfTicketTimeLeftAfs; -////Remove as well? - static INT m_warningOfTicketTimeLeftKrb4; static INT m_warningOfTicketTimeLeftKrb5; - static INT m_warningOfTicketTimeLeftLockAfs; -////Remove as well? - static INT m_warningOfTicketTimeLeftLockKrb4; static INT m_warningOfTicketTimeLeftLockKrb5; static INT m_updateDisplayCount; static INT m_alreadyPlayedDisplayCount; @@ -218,9 +196,9 @@ private: CCacheDisplayData *elem, int iItem, char *principal, - long issued, - long valid_until, - long renew_until, + time_t issued, + time_t valid_until, + time_t renew_until, char *encTypes, unsigned long flags, char *cache_name); @@ -246,11 +224,6 @@ protected: // create from serialization only // Attributes public: - static INT m_forwardableTicket; - static INT m_proxiableTicket; - static INT m_renewableTicket; - static INT m_noaddressTicket; - static DWORD m_publicIPAddress; static BOOL m_importedTickets; CLeashView(); @@ -327,18 +300,14 @@ protected: afx_msg VOID OnUpdateAutoRenew(CCmdUI* pCmdUI); afx_msg VOID OnUpdateMakeDefault(CCmdUI* pCmdUI); afx_msg VOID OnAppAbout(); - afx_msg VOID OnAfsControlPanel(); afx_msg VOID OnUpdateDebugMode(CCmdUI* pCmdUI); afx_msg VOID OnUpdateCfgFiles(CCmdUI* pCmdUI); - afx_msg VOID OnKrb4Properties(); afx_msg VOID OnKrb5Properties(); afx_msg void OnLeashProperties(); afx_msg void OnLeashRestore(); afx_msg void OnLeashMinimize(); afx_msg void OnLowTicketAlarm(); - afx_msg void OnUpdateKrb4Properties(CCmdUI* pCmdUI); afx_msg void OnUpdateKrb5Properties(CCmdUI* pCmdUI); - afx_msg void OnUpdateAfsControlPanel(CCmdUI* pCmdUI); afx_msg void OnKrbProperties(); afx_msg void OnUpdateProperties(CCmdUI* pCmdUI); afx_msg void OnHelpKerberos(); diff --git a/src/windows/leash/Lglobals.cpp b/src/windows/leash/Lglobals.cpp deleted file mode 100644 index 861255e..0000000 --- a/src/windows/leash/Lglobals.cpp +++ /dev/null @@ -1,148 +0,0 @@ -//***************************************************************************** -// File: lgobals.cpp -// By: Arthur David Leather -// Created: 12/02/98 -// Copyright: @1998 Massachusetts Institute of Technology - All rights -// reserved. -// Description: CPP file for lgobals.cpp. Contains global variables and helper -// functions -// -// History: -// -// MM/DD/YY Inits Description of Change -// 02/02/98 ADL Original -//***************************************************************************** - -#include "stdafx.h" -#include "leash.h" -#include -#include "lglobals.h" - -static const char *const conf_yes[] = { - "y", "yes", "true", "t", "1", "on", - 0, -}; - -static const char *const conf_no[] = { - "n", "no", "false", "nil", "0", "off", - 0, -}; - -int -config_boolean_to_int(const char *s) -{ - const char *const *p; - - for(p=conf_yes; *p; p++) { - if (!strcasecmp(*p,s)) - return 1; - } - - for(p=conf_no; *p; p++) { - if (!strcasecmp(*p,s)) - return 0; - } - - /* Default to "no" */ - return 0; -} - - -// Global Function for deleting or putting a value in the Registry -BOOL SetRegistryVariable(const CString& regVariable, - const CString& regValue, - const char* regSubKey) -{ - // Set Register Variable - HKEY hKey = NULL; - LONG err = 0L; - - - if (ERROR_SUCCESS != (err = RegOpenKeyEx(HKEY_CURRENT_USER, - regSubKey, - 0, KEY_ALL_ACCESS, &hKey))) - { - if ((err = RegCreateKeyEx(HKEY_CURRENT_USER, regSubKey, 0, 0, 0, - KEY_ALL_ACCESS, 0, &hKey, 0))) - { - // Error - return TRUE; - } - } - - if (ERROR_SUCCESS == err && hKey) - { - if (regValue.IsEmpty()) - { - // Delete - RegDeleteValue(hKey, regVariable); - } - else - { - // Insure that Name (Variable) is in the Registry and set - // it's new value - char nVariable[MAX_PATH+1]; - char* pVARIABLE = nVariable; - strncpy(pVARIABLE, regValue, MAX_PATH); - - if (ERROR_SUCCESS != - RegSetValueEx(hKey, regVariable, 0, - REG_SZ, (const unsigned char*)pVARIABLE, - lstrlen(regValue))) - { - // Error - return FALSE; - } - } - - RegCloseKey(hKey); - - // Send this message to all top-level windows in the system - ::PostMessage(HWND_BROADCAST, WM_WININICHANGE, 0L, (LPARAM) regSubKey); - return FALSE; - } - - return TRUE; -} - -VOID LeashErrorBox(LPCSTR errorMsg, LPCSTR insertedString, LPCSTR errorFlag) -{ - CString strMessage; - strMessage = errorMsg; - strMessage += ": "; - strMessage += insertedString; - - MessageBox(CLeashApp::m_hProgram, strMessage, errorFlag, MB_OK); - - //if (*errorFlag == 'E') - //ASSERT(0); // on error condition only -} - -Directory::Directory(LPCSTR pathToValidate) -{ - m_pathToValidate = pathToValidate; - _getdcwd(_getdrive(), m_savCurPath, sizeof(m_savCurPath)); -} - -Directory::~Directory() -{ - if (-1 == _chdir(m_savCurPath)) - ASSERT(0); -} - -BOOL Directory::IsValidDirectory() -{ - if (-1 == _chdir(m_pathToValidate)) - return FALSE; - - return TRUE; -} - -BOOL Directory::IsValidFile() -{ - CFileFind fileFind; - if (!fileFind.FindFile(m_pathToValidate)) - return FALSE; - - return TRUE; -} diff --git a/src/windows/leash/Lglobals.h b/src/windows/leash/Lglobals.h index 7141d79..c462722 100644 --- a/src/windows/leash/Lglobals.h +++ b/src/windows/leash/Lglobals.h @@ -60,76 +60,18 @@ TYPEDEF_FUNC( #define pGetModuleFileNameEx pGetModuleFileNameExA -// leash functions -TYPEDEF_FUNC( - long, - WINAPIV, - not_an_API_LeashKRB4GetTickets, - (TICKETINFO *, TicketList **) - ); -TYPEDEF_FUNC( - long, - WINAPIV, - not_an_API_LeashAFSGetToken, - (TICKETINFO *, TicketList **, char *) - ); -TYPEDEF_FUNC( - long, - WINAPIV, - not_an_API_LeashGetTimeServerName, - (char *, const char*) - ); - -extern DECL_FUNC_PTR(not_an_API_LeashKRB4GetTickets); -extern DECL_FUNC_PTR(not_an_API_LeashAFSGetToken); -extern DECL_FUNC_PTR(not_an_API_LeashGetTimeServerName); extern DECL_FUNC_PTR(Leash_kdestroy); extern DECL_FUNC_PTR(Leash_changepwd_dlg); extern DECL_FUNC_PTR(Leash_changepwd_dlg_ex); extern DECL_FUNC_PTR(Leash_kinit_dlg); extern DECL_FUNC_PTR(Leash_kinit_dlg_ex); extern DECL_FUNC_PTR(Leash_timesync); -extern DECL_FUNC_PTR(Leash_get_default_lifetime); -extern DECL_FUNC_PTR(Leash_set_default_lifetime); -extern DECL_FUNC_PTR(Leash_get_default_forwardable); -extern DECL_FUNC_PTR(Leash_set_default_forwardable); -extern DECL_FUNC_PTR(Leash_get_default_renew_till); -extern DECL_FUNC_PTR(Leash_set_default_renew_till); -extern DECL_FUNC_PTR(Leash_get_default_noaddresses); -extern DECL_FUNC_PTR(Leash_set_default_noaddresses); -extern DECL_FUNC_PTR(Leash_get_default_proxiable); -extern DECL_FUNC_PTR(Leash_set_default_proxiable); -extern DECL_FUNC_PTR(Leash_get_default_publicip); -extern DECL_FUNC_PTR(Leash_set_default_publicip); -extern DECL_FUNC_PTR(Leash_get_default_use_krb4); -extern DECL_FUNC_PTR(Leash_set_default_use_krb4); -extern DECL_FUNC_PTR(Leash_get_default_life_min); -extern DECL_FUNC_PTR(Leash_set_default_life_min); -extern DECL_FUNC_PTR(Leash_get_default_life_max); -extern DECL_FUNC_PTR(Leash_set_default_life_max); -extern DECL_FUNC_PTR(Leash_get_default_renew_min); -extern DECL_FUNC_PTR(Leash_set_default_renew_min); -extern DECL_FUNC_PTR(Leash_get_default_renew_max); -extern DECL_FUNC_PTR(Leash_set_default_renew_max); -extern DECL_FUNC_PTR(Leash_get_default_renewable); -extern DECL_FUNC_PTR(Leash_set_default_renewable); -extern DECL_FUNC_PTR(Leash_get_lock_file_locations); -extern DECL_FUNC_PTR(Leash_set_lock_file_locations); extern DECL_FUNC_PTR(Leash_get_default_uppercaserealm); extern DECL_FUNC_PTR(Leash_set_default_uppercaserealm); extern DECL_FUNC_PTR(Leash_get_default_mslsa_import); -extern DECL_FUNC_PTR(Leash_set_default_mslsa_import); -extern DECL_FUNC_PTR(Leash_get_default_preserve_kinit_settings); -extern DECL_FUNC_PTR(Leash_set_default_preserve_kinit_settings); extern DECL_FUNC_PTR(Leash_import); extern DECL_FUNC_PTR(Leash_importable); extern DECL_FUNC_PTR(Leash_renew); -extern DECL_FUNC_PTR(Leash_reset_defaults); - -////Do we still need this one? -#define pLeashKRB4GetTickets pnot_an_API_LeashKRB4GetTickets -#define pLeashAFSGetToken pnot_an_API_LeashAFSGetToken -#define pLeashGetTimeServerName pnot_an_API_LeashGetTimeServerName // psapi functions extern DECL_FUNC_PTR(GetModuleFileNameExA); @@ -232,13 +174,6 @@ extern DECL_FUNC_PTR(profile_release_string); #define LEASH_HELP_FILE "leash.chm" -extern int config_boolean_to_int(const char *); -extern BOOL SetRegistryVariable(const CString& regVariable, - const CString& regValue, - const char* regSubKey = "Software\\MIT\\Leash32\\Settings"); -extern VOID LeashErrorBox(LPCSTR errorMsg, LPCSTR insertedString, - LPCSTR errorFlag = "Error"); - // Get ticket info for the default ccache only extern void LeashKRB5ListDefaultTickets(TICKETINFO *ticketinfo); // clean up ticket info @@ -249,26 +184,10 @@ extern void LeashKRB5ListAllTickets(TICKETINFO **ticketinfolist); // clean up ticket info list extern void LeashKRB5FreeTickets(TICKETINFO **ticketinfolist); - - -class Directory -{ - CHAR m_savCurPath[MAX_PATH]; - CString m_pathToValidate; - -public: - Directory(LPCSTR pathToValidate); - virtual ~Directory(); - - BOOL IsValidDirectory(); - BOOL IsValidFile(); -}; - class TicketInfoWrapper { public: HANDLE lockObj; TICKETINFO Krb5; - TICKETINFO Afs; }; extern TicketInfoWrapper ticketinfo; diff --git a/src/windows/leash/MainFrm.cpp b/src/windows/leash/MainFrm.cpp index 886efe6..843f2ce 100644 --- a/src/windows/leash/MainFrm.cpp +++ b/src/windows/leash/MainFrm.cpp @@ -165,8 +165,7 @@ int CMainFrame::OnCreate(LPCREATESTRUCT lpCreateStruct) #ifndef NO_STATUS_BAR if (!m_wndStatusBar.Create(this) || - !m_wndStatusBar.SetIndicators(indicators, - (CLeashApp::m_hAfsDLL ? 4 : 3))) + !m_wndStatusBar.SetIndicators(indicators, 3)) { MessageBox("There is problem creating the Leash Status Bar!", "Error", MB_OK); diff --git a/src/windows/leash/Makefile.in b/src/windows/leash/Makefile.in index 1b124e9..4ed42f7 100644 --- a/src/windows/leash/Makefile.in +++ b/src/windows/leash/Makefile.in @@ -1,69 +1,23 @@ # makefile: Leash executable # -#TODO Fix later: -NO_AFS=1 - -!ifndef NO_AFS -###AFS_BASE= -AFS_INCLUDES=-I$(AFS_BASE)\Include -AFS_LIB=$(AFS_BASE)\lib -AFS_LIBS=$(AFS_LIB)\afsauthent.lib -!else -AFS_INCLUDES= -AFS_LIBS= -!endif - -!if defined(VISUALSTUDIOVERSION) -MFC_VERSION=$(VISUALSTUDIOVERSION:.=) -!else -MFC_VERSION=100 -!endif - -!if defined(NODEBUG) -MFCLIB=MFC$(MFC_VERSION).LIB -!else -MFCLIB=MFC$(MFC_VERSION)D.LIB -!endif EXE_NAME=leash -WSHELPER=wshelp32 - -!if ("$(CPU)" == "IA64") || ("$(CPU)" == "AMD64") || ("$(CPU)" == "ALPHA64") -WSHELPER=wshelp64 -!endif SUBDIRS= htmlhelp OBJS= \ - $(OUTPRE)Krb4EditDomainRealmList.obj \ - $(OUTPRE)CLeashDragListBox.obj \ - $(OUTPRE)Krb5Properties.obj \ - $(OUTPRE)KrbAddHostServer.obj \ - $(OUTPRE)KrbAddRealm.obj \ - $(OUTPRE)KrbConfigOptions.obj \ - $(OUTPRE)KrbDomainRealmMaintenance.obj \ - $(OUTPRE)KrbEditHostServer.obj \ - $(OUTPRE)KrbEditRealm.obj \ - $(OUTPRE)KrbProperties.obj \ - $(OUTPRE)KrbRealmHostMaintenance.obj \ $(OUTPRE)Leash.obj \ $(OUTPRE)LeashAboutBox.obj \ $(OUTPRE)LeashDebugWindow.obj \ $(OUTPRE)LeashDoc.obj \ - $(OUTPRE)LeashFileDialog.obj \ $(OUTPRE)LeashFrame.obj \ $(OUTPRE)LeashMessageBox.obj \ - $(OUTPRE)LeashProperties.obj \ $(OUTPRE)LeashUIApplication.obj \ $(OUTPRE)LeashUICommandHandler.obj \ $(OUTPRE)LeashView.obj \ - $(OUTPRE)lglobals.obj \ $(OUTPRE)MainFrm.obj \ $(OUTPRE)out2con.obj \ $(OUTPRE)StdAfx.obj \ - $(OUTPRE)AfsProperties.obj \ - $(OUTPRE)VSroutines.obj \ - $(OUTPRE)KrbMiscConfigOpt.obj \ $(OUTPRE)KrbListTickets.obj RESFILE = $(OUTPRE)Leash.res @@ -79,20 +33,16 @@ LOCALINCLUDES= -I$(BUILDTOP) -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include RFLAGS = $(LOCALINCLUDES) RCFLAGS = $(RFLAGS) -D_WIN32 -DLEASH_APP -DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -D_AFXDLL -DNO_KRB4 -DNO_STATUS_BAR -DUSE_MESSAGE_BOX +DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -D_AFXDLL -DNO_STATUS_BAR -DUSE_MESSAGE_BOX !ifdef NODEBUG DEFINES = $(DEFINES) !else DEFINES = $(DEFINES) -DDBG !endif -!ifdef NO_AFS -DEFINES = $(DEFINES) -DNO_AFS -!endif - ##### Linker LINK = link -LIBS = $(GLIB) $(CLIB) $(WLIB) +LIBS = $(GLIB) $(CLIB) SYSLIBS = kernel32.lib Iphlpapi.lib ws2_32.lib user32.lib gdi32.lib comdlg32.lib comctl32.lib version.lib LFLAGS = /nologo $(LOPTS) @@ -100,8 +50,7 @@ all: Makefile $(OUTPRE)$(EXE_NAME).exe $(OUTPRE)$(EXE_NAME).exe: $(OBJS) $(XOBJS) $(LIBS) $(LINK) $(LFLAGS) /out:$@ /ENTRY:WinMainCRTStartup $(OBJS) $(XOBJS) \ - $(LIBS) $(SYSLIBS) $(BUILDTOP)\util\wshelper\$(OUTPRE)$(WSHELPER).lib \ - ../lib/$(OUTPRE)libwin.lib $(MFCLIB) $(SCLIB) + $(LIBS) $(SYSLIBS) ../lib/$(OUTPRE)libwin.lib copy $@ "$(OUTPRE)MIT Kerberos.exe" kfwribbon.bml kfwribbon.h kfwribbon.rc: kfwribbon.xml diff --git a/src/windows/leash/VSroutines.c b/src/windows/leash/VSroutines.c deleted file mode 100644 index 63f0b4a..0000000 --- a/src/windows/leash/VSroutines.c +++ /dev/null @@ -1,64 +0,0 @@ -#include -#include - -#if 0 -//#ifdef USE_VS -#include - -#define ININAME "leash.ini" - -int VScheckVersion(HWND hWnd, HANDLE hThisInstance) -{ - VS_Request vrequest; - VS_Status status; - BOOL ok_to_continue; - HCURSOR hcursor; - char szFilename[255]; - char szVerQ[90]; - char *cp; - LPSTR lpAppVersion; - LPSTR lpAppName; - LONG FAR *lpLangInfo; - DWORD hVersionInfoID; - DWORD size; - GLOBALHANDLE hVersionInfo; - LPSTR lpVersionInfo; - int dumint; - int retval; - - GetModuleFileName(hThisInstance, (LPSTR)szFilename, 255); - size = GetFileVersionInfoSize((LPSTR) szFilename, &hVersionInfoID); - hVersionInfo = GlobalAlloc(GHND, size); - lpVersionInfo = GlobalLock(hVersionInfo); - retval = GetFileVersionInfo(szFilename, hVersionInfoID, size, - lpVersionInfo); - retval = VerQueryValue(lpVersionInfo, "\\VarFileInfo\\Translation", - (LPSTR FAR *)&lpLangInfo, &dumint); - wsprintf(szVerQ, "\\StringFileInfo\\%04x%04x\\", - LOWORD(*lpLangInfo), HIWORD(*lpLangInfo)); - cp = szVerQ + lstrlen(szVerQ); - lstrcpy(cp, "ProductName"); - retval = VerQueryValue(lpVersionInfo, szVerQ, &lpAppName, &dumint); - lstrcpy(cp, "ProductVersion"); - - retval = VerQueryValue(lpVersionInfo, szVerQ, &lpAppVersion, &dumint); - hcursor = SetCursor(LoadCursor((HINSTANCE)NULL, IDC_WAIT)); - vrequest = VSFormRequest(lpAppName, lpAppVersion, ININAME, NULL, hWnd, - V_CHECK_AND_LOG); - if ((ok_to_continue = (ReqStatus(vrequest) != V_E_CANCEL)) - && v_complain((status = VSProcessRequest(vrequest)), ININAME)) - WinVSReportRequest(vrequest, hWnd, "Version Server Status Report"); - if (ok_to_continue && status == V_REQUIRED) - ok_to_continue = FALSE; - VSDestroyRequest(vrequest); - SetCursor(hcursor); - GlobalUnlock(hVersionInfo); - GlobalFree(hVersionInfo); - return(ok_to_continue); -} -#else -int VScheckVersion(HWND hWnd, HANDLE hThisInstance) -{ - return(1); -} -#endif diff --git a/src/windows/leash/htmlhelp/Images/Bullet.gif b/src/windows/leash/htmlhelp/Images/Bullet.gif deleted file mode 100644 index 090f96cd8bdfdbfd00b3e46c7cbd6b646e607595..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 816 zcmZ?wbh9u|WMg1s_|5~0I&EPo&W#< diff --git a/src/windows/leash/htmlhelp/Images/Capture.PNG b/src/windows/leash/htmlhelp/Images/Capture.PNG deleted file mode 100644 index a87fa36e6475bcbefc19ff4717a330b0dd78fb75..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5304 zcmZu#cU%)o*G@tQr8gmzD^;Xkq)AMuVuL7xp-BJ>g0z5uv;cy%Q1l{20THm#3`mzi z=!hs0rFRGfB_IhU1PI}c@ArED`hNS{-I+ZzXJ^msndf;X`Ld1GQC=xt0040G{5cC- z008L5Dxc@(WL??n7{718AX_Ulz`FtPPgaH9)707&0I1I3W4Lp$>O2AG9D@J={?6Yg zu-E_XO#ndD`n-jy-F?@!>vx01dh3S$K^F7T3tgJ-m<2RZZc(|NTNvg69k+kY+gtic zgKt(Xp7^LsB8ksk#Q9v08_!L}Bf{rmWKAJmx*@YIp|IPba5#YoK6`Fe;QBM&=@z+i z1a`)gKmYsYmddM_Je(cC`IvwgQT$tw$g(G=+D#1Q!Gip?gxKd?@@?PP*;qys!>>@T z@N0#tO4izf{M=meY->R#><;|$MllcBI%4$}Ob7?P7tV_uiDzRuGua3KaC8Z)_!Y~2 z@z0}Xur`RH%U$)a`#zxXTyqB6rap9M9TDvO)cPm<^QToBA zV)ChUt(p@DUY|MS(lP?z_uoI>G4lmNgF?)xwCSBpZ;wDH>+7w>HqZCUJ^(V-5zY~= zws>jmg{qR3IwxZJ#L?b|Xv%hU>7jP{+9aa%&bB;V{xD4=zdVKQQ?=vPN&5c{-aUP(=%}W z^0JC%XyCy@Melp0H)45tfN{hig{0H*Ofx!}bmD00-um0<@X4X4ND0x{+&A^xfmx zOeyWvD_eabN06I zB;_=4+1@=Ch--#y1f^EO)#Vc0|4K{={I+9MsLI*V;+Xn4O zCOTi%z~xzM@w)*Rg~97iPPYC1{X;z}nub7|2?!p!4f<$E67(UhnUCN(qt@zmK)Ee<6qMJh)qF0_mQ%R z>f(5R(Y{sf^W!&+{z^Ym;uG~=^5eU1K+lfZREP{t4`uj<;+q+vv#O0vjjN8-D>R$w z8hJ_`3^4A2r^~rE>&R+NlCG#*Mf-lDNiVZ6KO(@H+z-}`aGDF}Q#QSrPrN3bb}|84 zl}wfK3cw+8Ok%5Xes3z@$-&`rga7Qc(Dj*M-@T0to0zNmT&7)n390ZY%0c0=!@^Ri z;9TsczAW?fa3T@YqwMo&?50>P%~>Tu(l2{&iD)T`o0#)5XqYER_>rP%0#bY@C$oF zcuCh8s860%HQ3xwZ#u8~U=_Qc6qY!+KXTK8&o&>v`R3B($Oj}JCFJz| zsQr8FfmJB;rCKoyy0v^^XXQtP8s`j`wD(Ewes}2`_7Rq2RF^@0zq67TB^T~Gn2U;I zylzEKlAa3*VQS7?DrRinkPZ`(Gq;=fK9+M7op{W(>EOLS>&IH$9Zi0tHkuo?$R`R$ zwO$(!^^(o~V zb$h&%)%#cH=^w_PYW68LsWW53&|G)7lHf9jN}DAOs_#MGmezS0 zK~j8a#a2~BUE7tFhtTF-aCi>=rsr6LN9fc?Y2SC&$U}8c^R_ydxuB+Q8(}>?iPesH z!@`V0y9kpxYRvIw`4`SEXyf7D+XWkjW7~XD_UP7=n5Vlo)E3?>87*5jaVr;T|-zJ0E@*@xKM2vKgLP*>`wW?GFqP&MwW2;(Oz$0xRTyT2vroWBc*!bmd3# z!_OGejKA}~753nGpv-6x6$ZKMu^yKD-TK!nN_%U_M$6lowooGq|5{qj^s;s1i^E&fLU0v7UES@JhncEn~I$%Cf;o(ml7bJt?^ zaQJPG<^C5io55c}k<$4W{-9+!3oTQRtN#I8-@q7l`spO>zu?&q)Mz`*{^Pvf=<@j( z*umCS`-ZxLB>H4--kZL|co9vXOPW4i!AihZPO*TpBKkr@VfRFVap;e`C)TH%ms_6+ z_vVa0VFpfdl=P;x@|gvQ_*F{q-vPR!pZHjUz#>S7pPTTU@bAF5PzLFzcI|Jr+ceg> z8k&G0d=~J!TtIKvDB3`qg|tTdowGyI&9qWD`rQ7&YHHce-88JX0a#+MeN?VYL`l*; zUxk0wwmHO9nx1#s**)^a*(_gC_qZMFOTV-{T(hrUuOO#mTlKBcVojo>gP}vD=e{cq zC6ILZ@X24Y_;<2*OJ{G@@*%rw&fsAQJAQFmKdN=+8)a7DS)+K>o_`?xYZP>M#O6%$ zMwGL$a;ENna1MfBue&xgIN5zRx#hJHeX|yz)&9kTk7JB^h;yt`}TTTk3KWF;`k8yVQ6vQ?*5T$V{UeK*QKdI8O= z&F5pkjP9pPy;E$%rS$7l3irZuldR%jYpGjoxEtwls=l)Ktq^nVz_zHl_Ccc0 z`&0_W#w z9oMNh>$3wVQWR=_-Z-Bd)-=S&e{h4!<7%_-70iob6j-CG9P?}{3C81<45yq^`B7wz47wjauOg=$N4jq{=TyiWUf%qMh^>@1BeW=;H0jL*8Q;I&~g~H3u z&I<-q?;#uE3&ioH7X9iMaMAYSGZ!*=DxyAOHrn#5KGfcK+^;t5$RE!w+bq$sb5wvT zr=OX(*yXxmyy2K&9w}fa?#9eF5JieEtbp=oyX>~>G}`Jt26ihIBBdQ;=4IIJ@LT+y zB5o0vA9m#9v2x~Pb-v0Stl4UIh(UGkN^=y(p@-~Z3cgMpO*_s(@&A4e$dyOFPd?(2IEWQyd5PHe70xa!6Ms%^TPq?U~!DS>w{Lx;+Z1bd?ZqR6K#wciQWcdO5^}Ep@FHVau zz8g)bycl!k*k}h+8UOM6Vq6!E7!x5!?iEBxj3vW|qI+T4vpno`zu%0Jr zi!zKh9SA67_{GM(2|%lHVxkAbmkySwdf*pz3$)e5`{0HYbjnDHg>xDJ2AIQ0^9I;c zEp=Y=8oI;x)JGHoF0VdhQ%*a?q#`nrmgvXSf2Kx9U5^7>K^{-NgYjIT-}s8|f{3`a zD-5(N&vH<49*(r~&-I64X~=~OyUOkitK24qGU1~f zHGKRpBeCaC0`Sc{DdmH=Y*)Ft{$?={B&X0ne|(4h<`8)de?`ZSAriI}aoj^Tat2!# zha_I0(c8RT{O=0b-yfg#J>%h;Sc(yv+n3MnuI$tL{(AL1Qp&&GiXz01lLWujX!9Jf zQJrbsN84IovMDd^M-25{MPA9OI5~G5AW)8EN2VNL4!uD76F(7LB3xEb&ioqtgB>q2 zHaU&A`Z-#pRqfG!yHU|PZ;1DjGR>kko{gNwrr7poQ55K9W=Cz(+lCSLyd?ZY*n-t@lJTbFDFqL@imE&0c<50!vX6_g9C4B}nbA=BqzMP{mjc z#mM+J){=~u6m>TtMAzL5)NmOv7||DngN?p|&Q zs8hgB?il0P!`vOm$3q>*BrI1kU;5Yy*N6ugxt zEkj^D7uU`tzZ47C9D4jo-@D`^A{KTvExZ_`(|AEIsk(%|h)Uod#b~%l-#WOi65)TBH_OTAJX^9Fwuz@lv3CHT4l zRA?^kJy0n_Vqd;gsjUNOVgeE6y4D$Lxtj5pQpA zspmk#+g)jcp^k-Or}*VI4CbQz0G}8~E{tse>Y}zMm=1L*@qT|n&xhk1+F^M8pqy|2 zuWPh+mo$O-Dg0Ct;ssL|S#u(PECD2i!Nyr>Zp7wCs-6Hlgo58HwFNU(TtaOW!^)>+ zz^}}N!4KI83S4S@0n_VoKWyHUFUDNOhfm5tZi?`vcf_W3#a;m69t&r?++^cp$pHc% zE6>((QrPp$>#C6tE}wAu#Vs6yInw`IXzJ8_spxLi`zK&iw}YU$Lm*Z4mX4<; T<0Wgi5pdqp#^Rls+k^iA8ftIT diff --git a/src/windows/leash/htmlhelp/Images/Get_Ticket_Icon.png b/src/windows/leash/htmlhelp/Images/Get_Ticket_Icon.png deleted file mode 100644 index 1c9c959c0531e1a186709ddf10a81751e3a93efe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1588 zcmV-42Fv-0P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1<6T7K~z{r)t6ap zR8<_tzdK7yYiY~Ow576@vI`cBSPU&K@j;9svgm_`L=s~HiV-DB1Ye8-K1fVdd=N=Q z#SkJ!Fd?E+2`FHzrHf_jHl1l_I?md;%go)!{~Z@hBzESu4bGjM%*#3V{N_8~|NEa| z1UZ#Ljy()7&i#w;aY-9mmk+Z^x<5V~|vFT=udU(J@|wm16kd+Xzsg&w#)4V ztV2^%aF6t(H*y0FOB>PD^EEzeexDRin%>zm*0bWJI6k`g4t&W0)ZM)bZNsgQ3q_Px zIN}@4j-O>i#+T`!#xe? z47DMc2!hc8YrYK;Zxn2Zg>$wOs;WVfM9iE#8}l6t&~&*84=#Ebo9kZ8dUw->$Sb7q z1@bT{YykfnX-7m3r-2!(1z}GVwn=srlole;8zRLuQq_u{a1T0%Ix(Yo2D~Akse?8Z zd4`8Sy>tK`p%?Yb>d_VJfP2u5z||1!1$IPzEJA$|=qU{aCHW{Q&O_K8O@mt)3)jN*Fia;j7Dp}bhsR}rJaX-95A66Nb2)AQ^fc;lOsIHv>A(n*ydJwbjyAvZr zak57O<#$a18xW9WlPGZJBgHUC{FcD9{3;yUb|QOwWOF_Vg~O5NchkW2e|k73g~5lC ze*+KSAmCa8_OpojI5_4OBgxCK-(iKdzzRiFkVpt9$uGe(YhN%|h{JI?Bc(-+$B~u; z=#O8gSZkz|_yr*`1dGnVo^M6S8^>@r0WYsa+|MC8$dbYi$Vr8Cq3F|eQdoz;^C*>F z*tza?ESp}RwaUf<#y>JT^oSC`$uIcBz8W1A zYuCE3r;p!83P%Yr&=W@03Ig`U5hEX0)Rbd{lo!e0#Z^Vn6b&pX>@a{y;jsXxmG)(z zbkA@X&RqQh?U5EZ7dS{^1>P%u6gdjgu|^R9KAQML;Uz9AKn@84E}b(OnyjT2c4|)S z+OQXkr&YIYzvW8s0$M#kp?nr~Hd&>iK_#Gy>N2oF4qTW+ z1r?n}zBR77C59zb6&zW@nWCcG@CGS-{}}IfH#wQ1m^5m7h&qSn!P7W+_5fUS9n|$0 z0#~S6q@WO7gu0)-C=Yo>cBoXGI(;~vMVVfXT^sjep=*WdqPx{XW+*y3w6Rc2DLC)` z5(m${htipp2AYLzLWJH4Y7;CZP-!*!|c(%y+KHpjtAisDIC)^dRgkhJ|iwb<-cg^AEiQ*25u> zn}oW`2CzN>t`sT!=w8e#U7poDv)SL6%XlN=sD*edQyL!suJz7QT?`7~ZT_8hjX z+m5-#1U$hH;|-gGo?x#3e0@f3{B{D~GV(m(q$zvc&L5Id8=tTk$R@h}F*hgekyTEc m6lUBHDp&3Cf6*^MpQ5Ku(vnvI0000x7Pdq_ujSce^1WZYtEUInLV@jJbTaHb2@hV89;SQRYMhk zhldC7#r*)M6M&ll0(|@*H|`?D-9)5BM1+Jy=SWD1Nh!`zP>`P^CqGYlk?K4pkdmC7 zijE3MO+!mdOL2jofsTgZA`LCgk4EqaaQ`7BA|oOqqd8B0p5|{~r%eDLDc%LVmjrkm z0DK@G0TAyL31Gpo3cx4$!SA0J2|h6%5h)=78LnD^3V?@W8xQ|H9tk1tGXMY|_kxg! zm;`u{ng&El%fQYdrElyVpHx0b$H^_CsAmnOSF-aIl_29%dxC3#9@p}jwtw`2hfjd3 z-~-~}TEZj6BOv;-V?2By`8IwlDjN?oJiOQRS;wmP zSw_`Z<O{haWNIK@Ok3d_g z?6K=@pypOXQ04qrv5WecR4S7VFKvwnjW4+DRV*wrYGTRGsfP>%#<)F$^|p0(n692{ zxA~G7`7R=YG~)4Z5~XH3OF>gpX$2!DdNFLVRp&do;Hw%QYDcKkWN=)R+S?sjC;D!^ z8NJ5?ez<;@s(im!sJ$#Lh(2LN&uY~=IAMm~X5B_4nPCCspGiS^?16CeroEuK03 z-C8BAc^cHm3Fe39u(8>C?cb%t{b>P6OQ?K9S@}<*!ddbq?3~4fa9ap|*XkSJsd^Xp zdd{0I@9}x=@dX)bEiNFZQpdbMV~?oIiVAa@UXqG!2I51bsur4{Z+^?m_d2=}X`-|uL=z2E6C(zpS@{;iu0+r)c zRR%N5j-2o~K4gjxt00f*LE;v#za_i3U~hF@g-Sg(9t83oX|U&^c65)33jRYKe(D4p zhY;!0fT^_OT1q|Z;S0_|jz7qK*_EO(%aJq-`~;C3ok;_8LMn=(5jBueaDJ9+%ZT0&M6Zm;R|RGzs!u#J zKLr@bm3}MuK}u94P*zpzei3V3Oz?cK?zVOMmA<<|t#5~F15@X=S9HupKh67?97A*V z!&m!nh$hku8)Rz@>Z4ebA&*uC z(q3E)Gj7un(E4a7@kPh^6tEuUhVS!T$zf))HW0trB}E77JBVI!%A!LGU7T7M9~SX& z#FUV%s3JG(>g^0m%=d$OCjyVB<5t5f6~ulJak#BR|LD}>F?MKJ^iAm+OQvxDX1Q5l zvK?a(+ZGK^m&G?pL3b+f83|e$xBec z36my1+6t^+ul0B~6WID_yF0Tmz;?$h`VP&PTLn&t;+Tq^_5(1C^2b|?(ny7r)Kfrf zw#c8Fs?tmq8&LKrS+Pst`m6QW-k*fh@eFHWzn)is28L4_=ZF`miav1kOifc*UAvw}Ku8W)EWP*t&NIh0_@Nid?pdg5Z`u zNol-sSA6};pU?MlY6t^Q8sstcE?1VQz4smxyDKuPvq&?Wc1X^^)|ViI=`Kebmremm z7GG~pT!s(Xq!a`j${1=}c)iV(Y!x%{`tf!lTH_em|D6Sxa8~iJzA5-zJ^k`P@iQGZ z=W@k-(m^Tg>kWO&LQGKvms9bL(s$~8Jz7ZZ#vtVS@i0Qm{er18^{i~j26kCw+h$Q!`d$Zy z~T>Bva^*_VaBy)2nW83lIuS zexUpNwdwpTtGexoh+v2RWXLGGb16pv!htcfEi&MsZCr_#sbR;8X^Y^si=UP;6h5n&qiGkkt= z_=9`|pHXBl&7bB^v@tIEX(d@%+4q%smi|+K5N_6f`+E@)v)s_l-0rwJB+~I6 zN;;lNIeIL!;r^+eLg{Ab{3pA63sFedQ7-i}ZZ*{dyY=PLxIFqDW z0wV680z%qfPUKeG92mjpJ%L?cSPb(=6>(tSgZ#X}PzMsF`Y?4w{m8I>j!F87Zul!yXmXz5{10>Qd48;%osW!dMN!w9n^KXx_dX|LZ1t0N@zri^&5pYA^kYV zb(suV=Z$0blF%04&~Irncx5t-WgAGX6Z&P@9pG-MGX`a#xO7S0{?@RJ>g9vaVU?`u z0~-^Oy0?eJ7YV#MY#s5_qinywy$j7kFILlT45J1DlB9t%h4%5sbHEBI@5b2~kEEn) zHWyiS>s7k`H@Qw1t>>V_>xXv%U6Sv8yhWsH$ExP ztC6KdNBvY?NzIs=>FMbUSu^W%$Y=1* zX}G-Fqu-ghCm)!GqC0RpWIouL9iqo{M{HI-qMNBndUJT>(4fG~*ZXkD_&awY%JJsA zbjTuS%!ik=xoMHklt3-jw$AFqi%{PjL-$S9CI9!1C*+406=U!$AI!LF=vQTY}ReT0Y=yNPEQC4<3`?pN)PoSR3w^suc5fN*sMUJ+q6>$<6J^5i?k(UYMhInyC$jxzyGKNuTyS zY`&M?p)fOr0KxSXD6U|W0tRsG9p#Xk$e6d zO@i{o;4_2JmCFu*Fm7-Z-P{$fk@UZ%wPabpwb1d5Ynjh+w&p=SQp^K?a4kKV*@_GW zt$X^eL3(%`a$CO(T30G1-7c^pG$&l;JvTGpLV6~0@Y|+TM30_3(Hz^LJM5>PADOmy zsiUyeNfwfweJ;uRS~eXoH?p&8j*#o38cjTQImD!;%xb9N{ft}Amb^CPv*aZW&7l?d zg_irV)~kb^P1DjQ=0V(C>|E|B*1o^d@>b|#BO<`^!>q=fGkl`SMIs>?2m9Sm2UuHi zu>Yjq{axj;mb#MqLd>;sx{Tx%;>+oiwzZZeZgSfUa8luNWlx{$zUZlgo2KMXx5#%S zya~YGq7G9LsrxjFpc9fz8~G%`bl=qoS&Tyu!mQwa>nVVlYNT}#E;j+?U1fTA+~k7P zf^eSPt;Z;o^}6v-6~|`p3%GMO-tOl7hU9c|TYuF0VM$Qn9+FEo%Xf06BjgoQbkgBA zYN?FC+NaYBm{TN;-264-OaTCmL;BSL+rE><<;gmn0cBk{>W%co@bV zOui0eVd=}1@Cl+CQJR%iI_}MQjLwKg@7r((!FE~wA`VR|p_n4Joo87hc}^KQ7mnR- znqSblzYjqc6gsu;;MD;^XnIF39?*x~fpY&! zC!{(wDSOSU5Ib}m>cEcw3%X6aG$=Z5a1y(Vumc@Tf{rH!8<5Z(Gx!ARl#3 zwg}FXk(qAc_{I~96*jzu+`tOVpXbt1c1w*&Okoz)u6`2^YAxK6u`~F3v0u$to8R!Z zMPX-He(-L!sJLT2hs!mX7x=0h6sa=rDw zT6~cpU<_tBILr=)qP=GfTn^n1=)JzST-B5K{Va89I%aJmdfMxA8 zGOtIXP>`Z(i(Pn8#>RIr*h}^=cYR{?nh44J#-Pf) zf%#kL9{hGu*vfMQmUc7$FmE1s$`zlexQNuq_7sluNXF0$ub8B~x{I$8fUg)7H0zR~CWpI6nNGvVAB>Tv)SP^>e!3)8WO*MJz z!2IWYuWIdSNuWuYuQDPR^T{mdayhtdp!uXBP-1H^z&e|Qk}<^`3`si@()02Y(u5!d zD(KB$tATOAElv6daJS?4>8pd4@EAnn<4IxCGNK{>BXsp2!m_`?^=GLfdQb<8M%f{X z!{1M@Pj-z4=20=N*@dFwo7u^?7LX>*=oUo>GQ#E#D+gsJZ$lgRQ|HRN0EG`a*oan_If<0 z4Cm}+jGenF%5jergXh4@CCUznX6)#As*;|Oy2$w|339tr!NQ3cq%^vpi#389QLP)9 zxdbW-4O4Hgr=Q4|IFw&lZZiMMQ;6OwaaxF2mO`{OB{@M)r-%m3Cqw_ z=#!RGy@Ryo<6^8L^;V|a}4X>hTKrm^X^IJw*CR$hbEj9I{r!Tm`1|B-z%G&sG zitm24xEGCnnc?kJ_wnl~mmS#>-6VYHf!uD~-VXF&^bo&T_wJ4{Yy5hOoOg+#p2v0a zim+gbn0OeBdDqynkAYYb6m7XubiKuT5$qe;`YLyz*Ympn*g8`&appuHU2syrm~JvH zuLs$=m;9?OnLZq2tpze#9NZQfRngWLlr3G#jbtE(EeobZAA%D&Gqa0|^kS~s(z%O@ z@PL6}2OpmuQBeeDZ9Q}M*sWN6N6+d2p2Lzy*#fOfiMf6l5|-d{<(-rY=n_3QW?7@% z$EnS>6^9j&TZ5P0-0{eJ&QEYP48v_sOHo%={_ai(uwNV0)iO^brcG6)u@8*B|Jvkk z{+xgCuyxE#p^KN81ygMpuW3=CRtq2>)M)f6GchW>DY8g>j8FAU%GsEtNOBt)3 z1-rt_8pKjWUT*^%xD&2-6=K5VW~_bt60DRp#>SpyDkNb(4@BHWv_B|MHlMypQEH@b zXY7wDDXAJ!wY@s@iK6~h9#0&gOUi~+_wf@|Js5!zkT@-D;cLQVZo7!d%j_#y_Au7AR^2lMq<(MlCvJ%L>>&rcPGL|xG-PWSm3(^cj5f&N|6ckO! zrXKQ=)-tBf4R?&R*loQ9g8^CW?i@zjqrk!1zsQKk$J&9-k;9$yX^(Px(=7bnq#iDo z^}h(#aM%V5W@p_8BI&{$~VcO~k?-m5O!}*gvu-+8)$Hy;g)i=3`5a1YKa0fCfe=r+M$l zh@JwtE|TYG-*t0tPiW*xE9+EIA4=|G@&IMO&gP2< z!Sl(SBIKykoytuJpK#qFzo*3(jBQ4Epjg`}Kj zf74l8R;$~zw8EZ+J&P%u7tP;&DX5*cfxnd25T_9(yVGaMYZIOxF0L&oz;kP;2{dFx zpDVWUEqUrLxdcCK1 z%wma9!6z-e5o0xymz8uBREm|}jsG-%aq zcu2p?6~c^PJNjWdQG>#W*;dD!Wrg%W&0)2nWvKgG&1?_8lv zs*2*IeLnUd}p%r>c*V)~fjendzZm=2u={@(punWzNpZyV)AZzmhp zeA5$=y|^p>9@%TCWRLRWEr8?(Yd5jvMn6q$vdl;~op4a5zP#JW-*yVv?NxeHkneg! z(9cU|hS!>8C!XRhmtiPpaz>OHg3u(wL}GUEQ4!-^;Zs1(%DR`FsK0|J(uwt(CaFS- za`yeX5?4Nwi8Q8 z6$MDCJ5W5iqGB`bne)M%SIB6!nt%OkT&Rkiq1ZF7JE~epZbBif5*BwI$z19i^lz0fek+uOCU3qI@*?5jO11qDMlu``+(;_C)X+Pe`9BHzZ%xc7#zvshAIS>Eg z`>z>$N0Ln0V2tm~AHVq;3+(2#;NyB$xV$nhujAon>k$&GH(eB--!_a6H0hIsb_#ob z1Dooii|@_v!N^lO=pM5}{kWh$jQkX&Pv_~O(dyZelXp#>*qQjlR*9h+ig8BJ_G#UT zhB;gq)Y_XbCo;RJn2C%rjIR@KlGraweI;0^mq_gSOci2RhrYmfB&)(2eIL#@KFw0O zV61n=(#w_7Qog|e>7m^miS!S%AhBi%O^t(G{TVSA?`BB+7MXQ?o#G#|CBO3~ze_4! z3PkN+Nm?!ds_Yp~-f~s7MOzi&C#-#VKfN&ZWL zi107>23j^hMPE4u^vP))42x4~nKwUDW88=Ev@o6mDsk^d?rNFIZ4{h4^iSL>vSCa8 z_B(%85dcn^J%r8*Mg%3c2~?w;k(&(#$h`x^^<%zuS?S%j8tA;a>s067rkCg0Sp7No zU)jq4mPDn9F!6b2p_8jER>v4z785$(kOMgd%pa%?mS;V?^H+oH|1~MF-=h3o`p1mR zzshu;ovZ)GwAgQ!{;Bl;8;Ad!vsQne!1|61JCmgFvF!)1vy+tsr2(e4WWux~4~>F-Ur)BC z;1R3~%c#-k0OgBMd2~6i z4XF#Vs~pjqwuw!Oz>*KD`qjHV2P*;}t|hv+eUT&R_831_g{ecUH#{Y3&C5R- z%$1iaZRspD-AI=caS^VANmcm>qR~}Z+=8t8cR~Ykpfj3OrftPghRwu0%FMac$?q2Z zP)K6J9$m;MxT9(0dR0?_IswkMMxw7sFV(aU$v}^GM_R4rRxKKjQyi|O(BUQAv4o?+ zT|(3E@Ioiq*%K^K7E-wpSxlpK4&tBJ0QfW-5%nI<5pAlpj`YMeay#UNAm` zZkfMvuTb@k_+h^rN_8!(x1hSuz_5z1E^oWG9)WP0!tj|%z?oKU^1$JR*z;`ds@#(r z2kR>k?sL`UGpsRn9I};#yo8j8p0QeAC;Z?pX?0j+PhWpssbp>+_NZ8UF|AL0Z)m6LZ z!M{#Cap3>;j1l251Q*8(MD1jX zY1r$OwEDZkqHn~FLA1(ls3VLVhgs#y(3hQ+8XcKy*Yd8+d=p}+@-QFG|kP#G2%ZsTqKP9mHu25=V!jenvB^9R{ zmRhDtMq55;jM4K|hl#!5LGKWbWvWuYJeywXsWZD#?2$zbkY)O<+9$^m_6~B=^79+6ups$ms#9K^x(ZRvs77SU(foaO4)ftrc~GU`)HU?f(;(nCUEbfH+l%w S0vj$clBcdc$t_ekMgJdECH+tU diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_11.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_11.jpg deleted file mode 100644 index 45eaa8b39525eceb6a3445547486719c00fb5d93..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 9638 zcmd^k2UHW-)@~3PXT*jOL5Qf-p${cgfpLI@&Lj|!K0`nxAwjx=z^GTH2I&eSN=-tO z5|9#b=u!trLJ0v8LN9`J1zy0pBje0n@80*;{nuOT9kP-`a?AMW86LjVJV2g3A#Cid?;Pg%hJ)i9p5vUydH&>T@x*bcE&`05DPY3{EtDyn+&@CnJot^8sVOM8K5c!d=%!;~S;P{hx-DI!0x1n{yX zACSGb2TK6!14%B{+iZsp9c69)`_61!hc2Fm3CUmn+4FYH^P+dZjw*C774HrLj; z;$r6lXajZ#zkFJ44E})d7}Sh_jpXxnoPp|+Ucjwn?5Pwj{Q+lp%wxobq_EIQab5yU zy_>ht4SU9z@FsR_ur_wcw{A6O-Pp1ZeJ7mOmM`->w+i-RbNeHj{7P=M24G zBAt}B9v#Q4?6p(!uHx>qx@FF%Q1|3O(wz)YUikBOGNQ(L33gHR&8R@2O`g9EDJT$A z38s@Yme-&Cu0QLAEq&I(Kd|?lay3&~+7FbSPUR$KmmArY;%-UnS>+1G7*xe@2Lp9S z3JZf`ymKvjRSV5+d>B?-yMzh7ulvKpsRN>3 zWFjpi=|O}QI%56StszBqbH&`%v{2Gr%Q^+4?WNU~%@YbQ=Uw=lhE;O~5GED{*qJF2 z2&vO4fUGP}U##L%w!&QatR6tg9^JVZfXwcDlHG`_kEhr?_qCu+qZ4Dg?u8Opkv$SB zUP2yq_>|Sv#bQ}sRI)2@25p)`e5>+I7qhh(*Fm^(M#U;@;HOe%VvgN2vd%*TVVJeR zc@g=h(x?eduBrT$WSo;4!|;ii|NN~Qq|!RCohRDeEJY|<;03w7aonnNep_waSN*02 z7tE$gq`-<~L-BgIgqrsZUW`t;?`n9}H@IZ!%nMXM#2}2#foy1z_GY_Z-0H`7cRK%WoS86WW9^JYhx6Eb?-u}M+n(xW4 zYmh2p-rr(Ny?PAOMg^%Ry}N*K$!>2@!JikORAUIP=idv`G1xpd(+f7rUL)lodan}t z|IzK{kW<<5%Op@qCK~QG;iu+K`omROpu?r9_@L#uh10}j2IO~D!Ij?#@z4>7> zWeg)4Cx8*t+H|_1KU4V~oav(qu1gYrIb3+AUl!i@(@W=f(kiHk05HB80q#I=Y;1;x zuaRabs0wbcI^&O%K7qq!z}4g8*j0Ie3=99IL9IX-?@9p%5l4pN*{IMtadx-~Q)&|Gx zVgqbK>C)Wt-LD16rl{=Jh+ROIxYp;r52*N!a|zI;vHknA>1UbI?8_|}1KWqw`O|sz zKi}%KvZNy)cY6B|AgTv%!cW3idr2Yh5;6Mq_~$*g5SfQ>PrK3#2P*uxPyxP)7U;(! zC5R&Yxc_OBk{G^Rafj~o+Izee?^C-M1NyBfN@)*oc22F6-KA#u&036oZeVvVt#!O_ z@(5V+d0DjM5yngAS^tge-?zwM~v-;2i%6^Ze@I%xTCEvvH5Ee{xYmLq<3^vDfM;92$Q5s5JohynE# zbs(T%7z}1kfaw?FKbaOJIhPV=_SrRn?DJ7BA}U7>rcuJ~FN~X^BG^?mVv3~PPW+S2 z&w5?@>}%23c0>}dJm6}mYvQGoZ5K(RSe@+h?2_a6-mBT$VsNf%9V0H5@7p! z<|5j}u;K`+DG;+Tr}pZ{>M3D$y&amt2oP0IPtP<5izv#($JRf6)IWbNTU{%D9^Gn!vIm;OAD?7b6duiv1of z?Q9Pup4JEJ#CQE%EBxINrnE7$_BRhgNRjGPBct3fn1{5TsVC;}dgrJ~rMy3;C+(h0 zh}$WiSNkXU|9SU41ANlI93nekY5p#&a9&74;Y+(`?;8qG_k{(y43dgN?!;ju?dd)_ zqehN{x*Xr_ul(xt7ZSpa$#EZfQhb~i=vmrFZFYJtNc^(D^1Cl3z+L9j-el4Nd> z8}Poh7&hbmg>3)$LV{47obxV#LyW;!RW@x_msndGdi1CLrN>0S5W({}P<%r|`Ex9M zZ@#~9|LNzyh{1PTJ|(OHha?u^rB_(%HV`%L4cH9czAdOEj)#7>dnFQdZ4he86Q57 zI&`Adw$CBx8-@Q^+|jtexwTj~MX zhg?6`i3_H2m6vK)|Jk1%^x1)Ga^WvXf++Yr>1IZ~{)ng}8|{o{e!Or07d-CA*?xkC z{B&$Td4sY8k8hs+<-7gl-Cc}1R;Q3c)tdn#{9w=@L_B0$Zp`7&v`S`-gK|nP6T86tPgfcKi%}8j) zPvmwBQlsN(_mR16ot^@;^Yv4e%<&Pt4WoXrgK05zE8NdlBjrjfroY;d_O2xo50dnl zWhXWj8wt8z&8g~_P5i(lW<>2x6p_H7mWQ#Bk{+yAq+PrVl|Vym=!Z4mm|vNungDvDAR@@4P|?s zC-CxK->>ZTTh$2;HQ^*uDXdI21LeMg>TYFPcq68wQB6E=jLmIBu!VAJ4U3OLPNvT$ z#qB&t`=3OsB$#_HOAJsJFi44VrzI)ddLhMtrs5RkPv@qnv>~9pVwDVdYpCd`7imb& zDc8ys++m+YfSG?_8{G2MDuUf5HXmFWH^0OP8%ddkfgeEp<=b}M`xB3;?l zjs%e_OneM6KlVNjLfp%514RC+2K-cpLx{k%4rf-7WzNvdoTX&gHF=^zn#qk?xF#|& z9YQQKF%C70xG3(v}XbXx-gY_9dFK99mjq4{X(!Zx9-ks@?)^-q1y zSD#=cgqczMq~jOQ*9oWU*eSm08bF5hB-i`-Al{@36N1Q>_7qx|;3H3NE^ zP?LgJn1R5khN~-x{QUH&qDBF8*9=RXm1IV8p>Ck10@`Dq%A8b9eSdOv#olWH2ud&wHO2=ms@|JG_Kr zU>Z8QuRU`U)dKKs^6DWH`Dyn&&WMqViWizl{IQS%3wPg0qzz4<32C8~Ng()RjLb^L ztYymg(TNZ=*V8^N{G|C`qVtr-_n*S(8%EExEn!`~3K(7xaO`TVYp;VGC05#tqEEGa ztpgQC?9~`|>T&zG7Cx{-?WmP!mG)A;T9Z~zMToA;kv+y+=*F#BJ)BJ#KXKsOYvZW& zFToK&8l0N*+XF}JQO+O{?q-IzQIshQ4~rDjAsRXSg{c2zln`6qW>@dvejkp zl$f=x+&$Tem1oG(RL^W4GdRrKDz1f_G~<^nJPdxAD;}2HuwsGi1`4j&cX#Ryeb0Tq z|K^17w9`QItcCF`CQTvBFg3%~^)UFw@U(qFT#J%twdnG3~aF>r#x| z2i>-bYTSzyg%&c#+0C>|YA1F5R%uZYs81!#Kg!V*;G=plq|`r$l>QeX^?HQg&oPrP z*xM5~?N{`wyv0fXLQS{Yiog1eZp4j?dH1X@nK-DVX9$Mk*V7kpUUGULPF`vVlD1Xd zMunwfN+v7_=B4g)Z|;`~+I26aka{Vi$gM}KP&L6=4pr{+Z&xSJ?l_=tJIvc@g%1_A zqy;}u)SE>M8~WXJTv@DQW<`ZgR8$*Pqqgf$b$O;erWT%cXvEid^N91fycfE)`Del$^0 zpz9?me(l<0S+G~L9OCR%aWf{k)-cjjUw5+l}hZ``! zmcuV!_Q(v2Us);b&fG5yv;&3VGMd!gKOdhs>np-@W=sFEnVFFZKa@wF#FdZar|6<# ztn$I_tgH3xFVX(_jZrJ-q2vQ(3&$SG)bUSF?f9fftMmpYF?}hdvfEll>EorD4^cW2 zZz954XiJ(iQ6@tZ=~yxfpEh)&{UAAYtJ{Wx?=Lse5@Ht`G2hhB7S{VYYmC+V2uMUt}*SL+KcVz2Ev z3*#6rP@WZpsp}=2Toth96%y;>)BbJVV6>I!eTjMNAl)t(KVe@KT+EEe*q->UXh5bS zLg6dCgGTrYTwdOClT)g2NM2U(6sE6BaKEn9l__h3A-8*7+VNyw15AFqv@az}e<;?x`2G~B6!=>UBZZ96 z>N4ft;#$JcT4mIntJ<`Gh zPY%ynE&)&X>bX=J!6FfQK6%fQIV0ivTO{X_x;%`!La}}d*y6Ro=IIV;C68E~+B7qk zuz2Trl5t5EGtI&G{=ntvapiWiv*rEM*+%m_?+tVZZHQB`25YYInYd(C<-3oK3DTxP z&YW$e^g(ok@OeiswEi zsr`KK=0}gL7lZjemPRh3l?($8j+)prm;XQ$tEK&nrc3YdUQGr@nz>illU&(bJjz;P zIWfjbQofp+$+9PonA4vj%d#K1cn5hTw7+qVZH+0pANKhsbrJZd8}ASI(3P+enfN3D zUpwI1*2~8*Gb|r31s#k}ArcE1s2mr$y*n?98TnA|_B%6Tw#Sb_ z3_}UU>5?ILAAV{b_q+YbS0G8D?AB1i&as=Hh&AH?Q%J)UgIEQwoi@r@+XaM47)2Dj z-r=9f`8lm2NV#=MTY6i2m5xA^v~JoBL)Ceq&A(Q9USIMko35c_@3+$4k+?sKz4F@E z;1g@2G}SD?o8gy$rLo9onGpJph@R{hY|<&7r+c@Lzv4k57Y)hkq2?yi z=kWL{-}IDfbVCzyi+U<~C3S&L964&Q)dP>?b?!RM{z=$>frmSw^B+?dH|Md(szz7& zePUJrB{v67HLceU-NGci4YuA2nJpvcx+W}FRO5VPqoeQoyd8Zzg6Rz^V;oP&A4Q38 zm_(hoFE+vnq}$vMDWTjvH%N`{>w{6QgFg~7asvAoc!fxQ-Y`E43;W7$lVR{%Bq9hE z`qlUQ=lXB3fPW}_U~&S;1%m|{`o64D!PI-^BJOmVjVGqqi&!Z6e8h%G^7Tg|Z#*F~ z2l90p2!!7(LgTFZnBOot{yps;S|;syw~Y1+2We}v=rA?y?MHT3Ll z2cx{TW2WoosQhxKBIVcmX3_G~m3`k=n?S{n{bsJEvMT9O#~kq28-T&s0}nTMil5m9 zkXY!xJiH6o=tw(Cv9%0hre(uNB&y@?KHloMUpdg&*jRofLFc^UmR0cajev5x&yezU zR?AeQm$kjY#PxZUx+PryP7yMPx|At4;pb zwx!{;5S=GA$r%BaRBrE<^-Ef#5pT9KoO&ybCkl;;MTUwKdaQ@l|EocbixC_YKOzTShp(*>d?2F;7SH=7qJImmZ(UFdOtyYOK7z>+Zh6sa2ca9>zI>h4`xAZHkx?j@ zs196eyX7vxLV?sZYckkr?l+)pnq0VCjHw-4!fH&&O5wuXV;M_YTVs8Su6S5WZn31~ zlc$DL71`hQd#ejDIyQ%HuK1Y4osU%vxJ^xoC;33zMD2WHZhA=#RC`PsuRyU?LN8Yd zx$<{423i1I-|u_x6Y~}M>NF?zrG;K$f{oilWc*tE(-^8Bx>3`M0(GpXZ8$Xl&}o5h zguY8B162mv>T=Ws%VY`(!*678-lCxkE34ePohLRZeOH0dgaP0!rbmK5$BZ3Z5p1Xql)Z1 zQ?E>Ba68+R&uIGF$K}#)m>+InHN$NLS)=d?)h8;|HnZ3oooFZE3oTsMLO4Xew?@3p zT3uXa7tk#={2D}g1IbOuT~{$CxR#81F;;5A$D*ti#k5d#Q%(egw1Ru)eO{?7sbL!F zfOdlB@)eP7n#Je=no1L6nj@>q^QO;;Zj4OsWss^e$A@WzeQfPXhyl;1eL;i8JU$onwU6B$K=KcNVZdAICQ zi|bUdkMH&E5A-)x`>lp^SUGxr2GdrYmKqh~ej+iD_Z`%eVVfwwBj-0sVlS|C2-R4*V~I&)l*A diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_12.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_12.jpg deleted file mode 100644 index c3c73d508ea16205efcb07ab8dfa89baae87f151..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18413 zcmdtKby!um21|lS(D6~-~4{}eNV2j*S`R?x>`C~00II6 zfbY!PQX&!nA>gJb zB)919kkT{oknu_}@-az2X66SP3kV85kWsT!fA-wO!SfGt*_6cMn%1S8HkfZ3|EK2v zx(xv#(ai}lx|?DGLc-gGfA!!Ww1AWpexfnO4-m?o zIV>5hy#XBhPH)5EyVg{;I)F31PTL0oxWI}e#GAf&FvtsDCy$L& zW3i_V;WU4!#gUs}0*_UStP5U26dSkO3tl!<2l%XsOoHH@iRezcMD$okmT++e5Jk(< z-cH~0HZVT>8W4M`chI7DA@OUP#NVbwbzmc40W}rJR#~#P+jF$teK?YM%i%J0O9t*= znQ@fO>X~qp|1h? z8_?BjfL_U~)AP$LFYduz8?T=|$)!=)(&ax~$1>GwUL5Jh6F(b-3^34Hkv>fBcg3qS z09ki&Ip#mHe`t>NE|h|$(spro6JDXGB7PxEMjiN{Yw0gMve(C};kO0{rxhO#UZ%A! z(B!z9*3EFkp&hc@W~j_Axr=S0Y#o8$GjpT9{gbwKiJ$$>)rsv&c-I&9QuZ@?GueF_ zBo;T@m_(*3_;eVClBLMsQJ`p1ii(P=)PtxeWD##8BK~_;##WM4i{UzdvTx3%yE%K+ z$NG$1Y!)?AS^E2Bh_3T@DJkY+l2Je2U*l&1Cku36r~ zAf-O#vT|IpbgkXJ)A(=&yF)ua{(~0I#Xs_4_N-gW(#L1Y_#Y-cX0=XeBvL_jirrP4 zhf<16jYc$=k9x3MM71kVV@lQAY~1M!>LyTip?h&5qI+?D!GK}JBy%Q$ z(r!L-?x%|Oz%`)jqUh{Z(G~L!gs@rSdH%{_^RD$KnrdR?;AH6>w&cIo{Xy!g_xNs0 zvuS^TLA2E6u4XdYUf?TeP83M|;&Va)Y(7HGtY<2Xp7dAd6;ATiDWA_F{M7%rZt)s` zIYfD11Byl}FD|bJ6llS|l?t|wJ)@njFZRC6zUlvDaX&yn`@Jw&4irW9jVM=VMHb2v z#Ts*h9~AxN`jB^h+4BW5qt6!~`{ZUoIy}tE-bf`07YKTCO9?`GpfE5P!jTIO?z7z` z9h4QBf+VP-?Ac)D*8PiYSFm>jg-HjH?R6!Po1|p-kkaL+_mU%tKAwKMe*I4RaSx}N zcaP>N7&pfg3!`55WQ6<-or$o{&CSgZ2U`~sYdq4>_;<4x+xH;MGFA+X9*9;4*MWYs zX(|`{Z5zEx%IfHTJbsakSh|l7iICUOr+g+)U}fS^ehsLY^_fE62^#a!O>lY9W>m9) zl-KlMiLqP;Q9H*ePEXVHCG56<<^`UBDk4dPm$+0+X1Hq$}ch@K=A#-7MGr zy(Ce@4EYt04a#bEc)gNN=P&Y@PSLB)h*c4|yWd_oVZZjhBjWo5V8e7#-=VPM{i%92 zt*B{QeL>=zlr!0kyT};+6bg$?&pfc zw_X0;T$ENZP`-$n9G%?o@H=2nKV=H{(j^Wqn@Oo%3>D?Py=j!7nO%9jt)*?hMj*fH**TfpVy&O|lEw25v# zBWX7rSzF8K5t&E|NZZsss$BX;&zOD0k)i7xnVH#x)i4hYxfvW{0N|D%qp9$6kPvyT z>A06-@a?c3yPtOLxE^(mM)qq!Vi>ca+~%dcd;ag79caaqQn6JU4*3<1`WdGw$_vN2 zL;nlo;7iqj?aP*y&GUxSlZ$UMaQTx}SRXoS0=5ZOPDyyumIjov>F8*iPOc(Ap@4xc z=r#kWc=os7NPNktYSfOOp8RxtQte&VyVXs=(b}9ccEl4*`@45+^2w_0$ol)Oux|f4 zIn|ifDV!&xx1Z$UJqJ)Tty!I_>L139P}viBBKYE=JK~QSJ1a%6>3g{)9zTC$KlI}L z%7clRh`C{2Y42-zH7+O=vXMa41<-pBb#f7F)qMN-3odL~L@K5V`_0v}mv}moT&^8? zlj@h{SO>|k0o88fabK?iwZ&lhaI1*mYk=J!e0k2l>kn^lQ`(dhwNeJ>Mx1L=SqPNe zhov7<1YlzKGs>+JOb7kNT_ai{yV|z;^*g4KiuI~ve;WNC`6&H?M3>h9f?Ck(`JSHv zQf6!Q!vDwkK@Io0<^1>Y5)0KZNRSGqhmL-&PiiOs49K&T>m~6$joB5sxum*FGyC|J zkOb^PmEKX1Za(`hEqE!j`vd7dXsCMa8t@FIqD>KlgpqP0qJzS^?w$6${Ipf!pJWnW zhDe6r7!)<-9M-;Yj%=5`JbH8L*L(*oGIsZ8sJTWy91E_d4m3nO)-jt9=L- zMUDnr zsv&_()FgQ8bAS6x@58~yl<5njoU?a>8;hlAOOnLO)ZTV6@=xq3vGHMgL}VdNCf?^g zF?ldA74~5EXn6Wsy(U8TuHOd8b*jV42&^!@I;QxWwD#+TZVl z36S|^&1X9)2ClTn>v_$0iuJZ9A~{4#*nkAsFVYX_=_RARx#=$pt^qy`v*O-!s;8HI z#hHCTeGmxVQl^+`o&SYK$PJa+P(uZ%K4CZLt=X8^wB(^r(TM|8 zmHW3(_1=mn4j1M3D`^(Ur3~0)FQg{5@DjF5@IU01zFCZ|-vpD6{I;!J`1Ij^tM5Wm z06MqHkI*+iBlDXQ##TecKl(}kOmx_JezrCM&SNo%&^I*l5Toe#_#Q}O{DDnHGn*DW9O;w}o59*Lt zClA(^%E!u>Rg=~zrAX~zyc<1=$*3P0PNO$=rKi!nWaR02{H=8buM=d|SWwcRa(g5> z?^1DXvKKWD0v~L_Fenp~mk?M;#NhANeDnCX@Rnb)<z#X%Y28A)a(R0zJ}O=!H~LjSz3Cw_=yky8p)LWBXA+3hpI}Ga%4-|_ z>`=D=bRkuSS9#pEHQ~_9)EP%(SiZBe)z0wf0?PDO@O6&fmm@GWO&N4GG+M0s_^eOW zB}eZ#=j(WG?#NL*U|HJVYIc#?J`|a;0(P-k{@Dzw#vDJmJl*Qt$6U&ry-L_+F>g8Z zUe9#-#Gufm(in?+*Ca7K5ExAy{Nbl7Uf(g0hVU97x;3pj@2-7-T3qdS^^X-SXNR3Y*yg<}FU3ygERi3w*p=~bZFBS(p98a+lgb{2 zX1@LOzJFMol>#W45G{WV(02U2TGXe^(deKE0~@ZK_?}4{?7GK!wxpGRtwGJq-S=bq zA@XA4h>cmsRo<}->{b1IK`pFZo{Y-bLJQ^vw!e1`=*!QuD2*Bx_Oo2e?#zfaIYjo` zIn?+@r!TxYy1y(Od08E72YRBU!V#Iue(F>{M&_HybS$ zxWt6$bgOco&fyID^^=%)lZM1 zpBC*{l*y~`4-$e}EOCSocpd?3CT{8q%h5tHX+KRNx@vdkKO}2K6(d$|kk!zq0PM%S zVot8rEN;-~+RJXer=V(g2LywHnV=x3Q!x5zG_zW*yskr7lLIYdWSlccW&>E5YC85B z&>uN7x3{(7?UDym@d~gO0?}`y2Q~*EKso-0XB3spzZEC{M`b35YWSC6r%u!U(_w@8SI|C@7LO}|en|H?*y~nGul$~%`WbbHNZ0}{a zvY8_(5oa6Tp!+8J#BXBStI0K97|=L%j}AEgv6+Rb$oh2NfDid8#rY=O>>AMQbIaD5 zFUd&Dm|C8P{Gl2X4@tm(`2WTMvIDWBl678~cnF&e z+__Ts0xU16M#GOLFCuMqwyB6%XyOULWOW=%d!IGD;--A?mI_`Kb8u5R%=~tw1JccRDq4-bS*E;r$c{Liw?J`X=n(r zl9Q|2LE))On>4mFyI0zKg0;#O?XNx%&t$ zWU>?m!*i|WQ$i3lpQ{+dVSWvW+1PIIxdu?2bZy2Q*WXOq-{&~NgMdKj!P(I|N8`E@ zDb1=CwEJrAap&xuo6as3K2Vd1Exx_?l#fg8$Gk}A7`1rXPot;FK+s<+z?LVFtgxQ%iC;- zR--XtC5WLY1=4%*W7?65-h2HBjH+)sP2TPL-LZgE!4<=@d1PRH)5lhBrM#5bRuYfM zLhoD9J9zzzlzgB(!m|kSyTQF({N>|+enuIY9rx41zpl92iMx)LV1I4Q*>ok(_O{qL zKx#fZUoSy_KSP9JAG6rru5{;cv%+xW+JWp4Pn2A-roFRHYi5S^SyeO;NRs|^c86_C zRu9Ww$jV}ux?u)@vA!AXAAD*==i$*Wsy->qqHle|13r1)n_qtt@MO-*cxivKPJ%Bp zOfc++)dtzzSJ5rC9djmUJ04!%J24?4`Bf;@-gj5+aNTRbX2m&dJjm!c{s6sx)xyk8v^YB+YEin)*CIEgu8{eGdu3e9IH>!kun#wEq z>2c+Qc8%XWV7J~p8qKGjMRyq6HC!lFCP^Le$53Gn%2Gxsju-fR2f~ajcJr;qg0ejj z+RoE1M|U%6KW+Z%>RR|UuS>6>OTDnY&hqJ_e%DTf&q1nocwGWOVe=zF<-nG5M736vZMcxxTclipM?N=4U~hinPu z{H~}W6#}TINf4Qw|vE#J#P%dTMuX}U%=m$s;I3NnQ~=!wX^k_O0`O*m$F1F z)Qn|yMus@p`-Lt=f68q0v_bqcM!9fle2H&ZgF}_Vm$esU ztk^t3+R(_3+(sC$7d$>cY|*vXer@%?@b!=lY$-_gzhSS&GOk4fY;JB6KuCaZ8Es6~ z$}1keoN?0Cc}rOrc7e`RM^cZhb@EUJ`xfc;&?-K|=}P#k2xzIa%* zOEU07me=WZrBPk{*4p6!5a=AWId~x_Uf4LFzIEtZvrzpIr(dMRDLt#r2f591mdFv! zRNg(*NohZ*0n)&?iS}=8ZMOsOi%T%WdQKl^PH*b`c99XJkPoD4m{o9nBHqcdk(dmO z1R@z^dKx3KPKnLI?@YgnUb#2w{&|_FTmYds1i610#JxApA}@eCt^O#4ApX_bJ@Q6l5pbm$#kmPE91L>yfazJ;z zG3Xi~IPdj0gv8&G6#u(23aO&2ZaFeU<&iTRBTCl3R&J3s6=7HCzXccHol0|#;WT6s z1V_d+cls8Lq}U8qEW*UxMJiWB&YKKP3TxaZwjQsybIY?FG225lavN^|`e2R(UEa^H z1H`qyx$u>^)+xJ=(afMF^|v_wGQse*Z<&FZj(Ys zO1J&-*yw7EmCb9h#~=hy&!Xc_$e;Qg8KJ!j4l%fxCmfv_A)(VYezeb<;0@CQ*#2MM zh{vzMtp@CJ$_-5((-Ez4YzYLYjCMX4Cr3}1nX3j`qHvF~^Lf*|5~~4hJGkmu>tEIR zM=x8I{;J;g#ybOeQ~eKd^T;qWm)?1a!l9JBNXFx*?GQA^%?};)Ma3S;Ruhttb6fPskhX!57H-Q;A8zGh>U9Cg(4{ zOJdYzWp+M^H48^MTgIw`54ko5c$V^yu$tz#~1TrI-H(FaOW^_|IOzzfi`+ zwOkRL9i)EZAU6=+vb8-5ans$Y3GTHI=Gk0BC?dUFm2V>IxiFCBdrW;iZQXYB`uXEc zziIvN_)sycVCAm?4nSsdPOY@Y>?1;tV5$c9#PwJAy`yDIbC30|BueA5Dq2Ro8v@{8 z7TlX`s!Wky5(p;suq?9<%cOhKpHQmf2^GapW=0Pddy8 zip$4E_4(N7`z83TDF^AJ3N$pwI+ul4rBbEkH$46#A4N@TEwuhJj`s9~%s0f;O$z47 zg(m#t=VJ0{SlDuAW3WskEZiT>1GyEj8Oo(>PO#(Rm2KZSWkwods{vg*tfpkv;sOHtW>6 z_`o`!BKiF|!bL%g0&UO+YJRrCXn`RQM8rmxd?87>ThuqS)xXH}2 z5_*p8aLON&F98wEi;S{k#C){u=|{-#^d}6d(ToT$4cAm441W z&D+(2D|9u%Pn9K&$pI-@T4V>eXMq zyFh_gi`QSi`%iQg>c)59>{C?q-ocmMbGq=YS)=A~4)-4mpeFo%4wY|L zMHm8XksZt%V4^j@3@Q+dM?6fAV^5F4??6UIaKcsaSy4u`X# z^_%L>*EN@r^Y8rO&e_#7D(Yvwd&TcjS23zGTV(lsK%i9c+m=-g?_(};LkGSCkKAD; zqPo|2m*o4w8FdP3DahR0P=s&WCw6z?9L7POa%q2Vak>W02L_|opASeshG8RsTt_|c zZ_r@2%CZ}zaH6@M>k3{mm47Lo3t!znf+GG0#0S*FpWU;?b;n)UN?c@>DaWn>Gu@87 z1SvZ;H(}jIDe^-Pf8v=G`F;;w&#-N!&Y_z z454;SvG3Rq@JbQ9M8+vl6-LRs2S03`N8BA{@|d^=SVoIX@X7wMLcY}7!%cIXoWdG% zPDDhbWlKv-*1-p$BUg5@=vrs7I4OS#chjXFY}0zinn|D8!;{>o!;?vu6Sk$Lp<%eR zwSDjJwGIC}x8c95A^!P_+m%1o;GKt3BQNXEATS#DLw1AX=<(Y}LBhPSBysb?n1w8} zeg)G8?1W-c`6-Z}j-gry2X@=H}P|!pt3^ zP$9C&cTw5^Vda07o4*^3ysGz`fb{DezZ|>&xZ*jv%1BiIJmW^O=o|@qBBxkp&kVM# zyPtP(Sup2AxFA;_628^2C3b0f4H&b(2AIpUn*^+(pzO`J>pxZK;I+3t)4z5EgPcj` zPIWTp-a|MV;i*%5sxc3y^NKz#xUOSe%yNQF5{65}SfcJO_62H*D^Vx{fyh9`U=#21 z+-kpRv5fgOsO7Ts#E|X5)t9o))Y)vl=ug^oUs~T-`h4zTUHNI}X~&07AsAOMKaG2o z(vgW?&Yj6Bfo}lq+U+WBPzzLVyF^~ty?@=+sXI)PnI*U>a5knl#_V~{M^17cKiiHC z>&tP-lUhW;*;muo)-}v$RmL4&PwmJc8_s;Ee53Z9#6~}PRCKaeE3}(8t3}C)t54I{ zYt7>tR>NRJjG|p}9E}hrr}uDtwok#=mQCl(L7oX-t`@8{*=m-**rgh(ow*FKqs~=g zuQK$(B+|JzcllCnc7HK&MTD83aX&BGqQkt}aLAB@fuFwQ0l7G-S>VFTwMd+ zP9nW8PnC*sS;yX2%CB7fEf}xHPaw6W=nXViLO)6+-Som|9qvn@&@I4s zu-HPZZyr~1X!_iAx2qt2C=i_1O=i2XwA}WbJ#?bP=9z39%Su?`CV%Bxen%(mmCB7m z%JOA?nQM-D&TqMRvC%f${frBlDV$QuQ=`tV(1HYRI@LtK&~C~P@8(Z8v82992Vjv+ z&u!QyXhvrH;3ONWbsX7x>;Bl31SkON))ZWbJY0QyiwU$Y+CN8a1H02(T4N9YnRF*AmX?kYtk4p3~@Vs z-KBTy=inAzRCLL3(5U$T6(01zz>+A@j@N*v7kyEboIaH3s&Pn%rGV^8~dbgD@} z-ELajt$h_~VKewtM$cT7ymbJpo%c@3gf~t2Aqo{K5974X$jrq(cDn``FvyWfYRfJo zpY<+mrD;?j_GaQ5ofdqvbb>6pDBEtiN_7Ei>=Mt`Avr}viJ4I29x{zKW66`8+MwvUdr*=CJ;Mibe`wJ9(FjVD zt;^M_J6N0o`;)t!QJ>vL$5uf&#P=|!K~oX%)bkHz zid76@AdR1NU4(z^ul`EhC&Yb>3C80q z8vURuA(4(;OHIuPYn{JL(#qs;8FrO=4Vbb#+AcrK-{xA2AG-`zO}`RkYF24VKe1MX zo}+xIEAauU4o8)K0kGyLSGe_qPLsm|_zI25ZK(k+u|8PTBdOIy9zn3}2w4YQ{6T=@>;JfyWk5Ach;&sRfD{T$ZG)W z#GJ>*74vTF6zjJ8H6UQO&;?}qV_uY(@*wr+hBC@yIqmnc$Qm4Ei(DGxKS!edRc~c9_8-+^=A!y-* z@Kw!=!nl5qh6l}t6_FWML62bD6KU``Umu{#F&O*(%`n}ILshZg=gZMPhZTJURTzC` zJt_NY58OTVJViDF#c1zK>tK&7n<3e|)#ja$tSj9nM}YT>-pBXI*<)FN4arCawko;P zWMuG5Jk!$4p!8mUP&)gbD;tD{l%1Z+Pfs8*45ckh>PhG=_$w!P1$+uUy$~PN6#AI!Am47^Pd%WwLFa*DhlBB+~|7 zakBE2k7#3xH5Sn}Gv`1ceZ39KlUMnvY^nR>pF;P1VmViIn*(!|j6o7+Sf|?33`p5C-gn6OMU{>95H#jxP9B^0#2$8XMB64H z#mmEh;aPT77qPuzo5ogu|8^g$o-1{)&(GmiSL+vCr4y0?nmr$nw(iXF{^@9}Bl2XW zvpw7_dMO|f6$m$JnfTVzr+k%tD*mKe^hU5$M?|CT*!`?+1$mOgnDJUKsY{!*9tqWH zqj4eVk@OF{W#9FRE*e3RZ|CVA=e}-|mPwKc6O#asXgHfSzT9)uecH6s^(=>uBS89t z!Jkh;__^_ImwxLP;3BEv<)d?PanE1aAxCWf7dk}pL>cJ7pyXvm6?0K+OVS(QW2GO7 zx>7B*wNf7v2$B^d;wSN2n0D1Z%d@;O*?2O?ivp888zn)7;=?a`Wcl!G*0S!Anh*{6r`H%u< zg~U@&PLiu&UkKOo%RlD6SOZ}{?U6OoKA+oPeFF0yyUu+ju#l&`Ws=$q7WDLnSeb?R zo<~@B=9}&=G|BlLA0+Q34V39=YBaAjt0{}sm7Caq!-O1?7B>W+Tf6q)qEC)27t7_s&X;riL_ z40q|;&zN}3Lj||VJd~v!dakj?G;3VkBHb=YxJ^Yx6MHH?2eT>1U(#Hpz5iPg|38PV z|LdUk|8^GH#7QLbZV#4FN8hDmAA4qYR4A##Tn|)}(7=EXt`=vP>T7r5#6I?=s^P-s>c3s1Xh&B^CKfIJyGqZWcV3r0|7V4Ins zFkAebi=scDZN7*l4M?Bkz8~esc)UrA>(@4S%&#JrB~OULsjb9~Qa8@7X&I##GUc5) zpl#YVFH;IJMZJc)n2;BK(dY0J_DJ#6K}J9yEAIui_+9j6;nI99ldE<)ovz)B-5HFbNJ{jpFQIK<2f^v-7oU) z?+0GrzYR4)GA9pfye9T*Wdey47u=@GM=X!bc~e3Rg{cMYZ9QYVvsX_uSp6k9RyX;C zYSb$`Q#1GOO!^b3t{quKPT6|hpZ8pRecJ>CpK`c?**yCc@8#+ZScHK^QX3P)ikTIj z?#Yzob}n-lX!R#HjTrtMU@%nE=!XpSB~v6LE2d5dRk?(3qzL2g4tE?r6e!sH4=DMo z1nW!K@0O$jZNRF0?d7fy51-Y`Ya5ZmXvD2}l5$^nOuI3p!t)vtKrWCyGqXfv@X}7+ zV);hhLZ>rIAZFaFsGv4jwD|TSR-xQLqNYb3)bL0On%)@jRPKD~7Ox$%a)HF5ana~F zQsKTq1_F|H-?jD)vxoU@q2PPC++G?Jlu|(tseNqhyU2(J_f&A->6<*E_UEURh>4{V zCXqu`+c6;*nj@&K@2u+6;9!nv6}BxX2yC^j{UL0so~9PloG!mUQTmO2cQMQbGPBRg zzH&w81~kNxnHBzk1jDA46|Ra-1MaN;dZ!lposKS} z8T0R=Boh?-Ti4<}60H0rTHbH;z4IL2!F4`7ar*&1cfy26*)QhIAN*dNlvG~q$_`JH zwN6&?7b|Df^QkhM?*h3Fi!f=`8BJsOYJhrN#Y6NLbVo2ShztEtdsH=gFYj5j`loos z+ON;C4z-E3an+2g?vjF(QL2rha`qguadrW~L>A+FLW@aAZx+jW23PcW^< zyP=Cu%}}%1uv}wd8?8j6BrBw~(<6(~o4oLwM`ijJ&6x*&R}I7+!Mju*PXubG?xu2h z9J#98oqagom|SFEe#fkY3hU&b9Fj!J#0L=PKOtw$oDP}6opT0`%gud>wMH-;u;-Oh zOE>ow2tqdr(>C9iDEqpo$>4j%aH}w3er~(hP3TK6)?G;B&C5HvWT;NIu+%4GLj zJGGH^ph;+xZMARD!f~TA>P@te*8QtQl6PTux-C2taA%RkwwqI@9Ra{D=RD%MDvPj| za-DE8DN}@p<-iAQNFIBrnG@NE<5EG5?ha?$&4P=(K%yk1R|4r2L)!)Ob`Z&pB6${+=s0nL%{88d#A&Wx zxG#~0cjA;FrK#gWW47J)kl~Tdh2^SE?v7Rva&D7Oov&ldrXXfuZaIGoc9mzD8n?~4WJHxzO#_wzi<)dd%j#4R&v+uOze_3AB2L{QNl=yOF=#(C zQ80AJxlnAd#lJ&C<6qzc|D`IVro!8*2K8s~&&QX1M_2PR1&8v%%`-pz_t8p$J5?B3 z-_>r5G*Fkzn~B5zl`&BHI|opoa;oG#fFGMY_Zv5H=Ps-?NJ{e4_Fk2c?2*^nwJ=xueFw(=tDZJnToaruW@ z2K+hxi*k^HJ_<$D1L~H8k$T$?y=KL|c7?5{WYyJ{86kP&D&|op-;7aODpmeoa=tOy zpAhnF2>CJy&3e08pBeTyCbHLI-%R~IxhH2cTOBCR`S!hy@EW8fWhM9F8V^yua{fE8 zV66LB@5&a7*4Yv7Kl(YpsjzDo5jV0*14$yA#T{}!9ZZrvLLnOBzs_`<>6IA@$1Z2= zCj}Qz?~Wsj#F~~dY3^IITixH@!1c44*I*wMOu38%IO|==b%)#E2kG(?E(G> zYztbx!JTS8|8NRTk2V*Azu}UbH{uy-clSTKBlhM>!uu163-k7pt4THo-?Q6E@)|Nr z&gcj%IyrJ?rt{>=so1xmtG+2HW2&SU)ch5vC&T~M80xS_bx)+l6Z*@#mlq21I)R?9 z&Ii@aNsdkkPTaqd?!=af<-gZ^foOR5R=}5!PFR2sA!-~EU&`jOikqGagXeMY-0UM_ z3A`+)VuzxtEc%w6P}aKzltf|*Zw%N?v>b%9WPk5L@q%jl;%!TYyp{uNHmH)2lZ}0^ zERTM-Se2v25lv>c14PO=sDE>EODj*LCp5n$r6f_fIIZIAbHisc6ug^99cr6>TB?ru z4a(7Zca~>{%%Ce#;LHGR}!)dmHT56(7862>@_ii@rrOAQ??WkF;j#|n%yq^zC zDF$Mdn$DI_g4CK!qz-R2+xyXL@69mUxbz5i$x3KR`WAC3XgqglkGUT(s0$SWYY>J2Qn&7$gMGx~}KFkYb zqowE2Se*!qyi>iE?7jK7zXxO>n-5$EfPGvf>~A|oZHd*}>5rK2eV=>zFsO^C(o#ew ztaW^lk_Z5mtul_0(a1S#4)^6A7rc6z*~jNh$D zWa6m}((Yrf4!0VsPW!-@`GH(r!Astf!@hlRXppyEuKX$^W_xClrDq|y*ec#RUhq^6q!hVE0m2LqYZfze@-E3F(up!}6+%Wrrk2@n z&c`DvlSf@u(d^ml4jeA_-M>8UhV|4e?^Y_#RK&gU^r!2TQeRgvL((R*qJ>PDy?$9w zYcJ*xHXc3>ovwH(7GOFF^!0v|w<@KZqDduPMd%rms8nIwK+nt@$49ri^kaCz1J@~# zbAx{|@77tbY^E}~FK!F0$ZiYxky?ft4V_DaJ@WG!1VcnZ!(iX$rFOZXJYKLviuo*e!!vmIuj8X>prs|) zYZWrKcD8ugY3NYS$_X?;E~bVZ`Dwk62Cb{OYBAmZQCuQ z@@DisLHNjG%M7mBbagTQc^p@KZYaa=p1is3mCPyRaeTyJ{T!2wca>saRnwJ ziSne@zH9nb&ju9Vkn;Eee+PyV!aod@qaMUyI=JFh@|T98qJmz7KXFQ-YJC`3k%X2a z{al`KOabT8E=t>htLE3iNCXtPjKpomkQ=Pj^usJ=t)q^2NGE+Pl4U z)-o?9hymHd&TmT{vgU@)Wh#InD&AC<9kV*MDYOv&~Yv0p!P8_A- z5Ba`y4Xk$Un#J>DYCe`jI+oV_^o@&h$%mxF92{~&1=ID2febN!3aZ!CA3Jc0#Jm3V zT*Q|_bRoo=jaQF?gXi+qcy;7mkvBW{@6F(tKzaKM%2~lUdAo<|@)|y_ zJ+_n`(UFfLu(~(+i1}3g%x*QWz4ODYHLIzK{rn)Cpw6IsrbS;}UuX>?-uEuW6{h0X zEpk}Cjt$ndD`|N8C+WyZQ$X#r%c6l4M0-Z`Av-@7bEaWz6Gvog_!{Va)*PtgPBC`s z)`Po51m*kCd*3sokw&=q)%uIF5we?2mFaEZ?cn(P0|)B-jXmCV`;&v1jJokKoZDoG z-^0xfb45y@g=4@@MoO_#Bb)pom{U8wdL=kjbZN_WBd+y>t1RE7jBw%Tde|#=$p*Sm z5f29A305*i#RtR-D?!%TWi+3R%})kd67XaItE6j ziwulFMmoBSY!`vdEUc`o^cOC%v$3!wcNou#HZedZi3)v1$ig^K_H4b|yWr_Y|E zK6Ao!!a{ZG z#0%uN0=n)uE5bh0Ok%^X1MIK=;}KGAs@-B6Q?x2cRt$&xxSO%A@LPc)3#u!k_vDw@ z%_3g9%2MDW`E{MN;6eQlA-lXP{vB7L;5$S0f!zm+hj!qV2No{4N`H>NfN$lmu-Iir z;b1tDn9?4S@G9xMM!IWEZiZWiA2C4I&VHm`a&T{c-|I}kTEP`J8L=9=s+?B^p?#XE z)jMq9YZOzKw=8(J$e?!7niUS_Vnkvd#eoAP5?tmol3Yl>^P-vkO_`HMpgY@TgXCKA zcp3a$lE|#%L{mrih%)y_LXqFN!6U{AT#A zxzMxyPrW~uE{#nIrE~g4bjUr2%*T)LT)15GT~dQmHmKrXKKi&fFqXR`claGzKoE-^ zcn>T)knl3qB##<QmBXoRs+9 ztUI|1!f%hfT*aD;D6M_dO}GggCW~k4DS)0`iNcmfbq~{gzk$D`po)SxJZ{pA({g}6 zgMqjUQ7~@g+npNpjC^3po`0C9@rPk!d*9~!PiHxUbf3;Ak~~=|j!Zi5n=|%>2F;Pl z#=;_|!7xLGc4XX9ggZhL5z?G0ll0L*a2XU9bK#ns=<8JNQP?qn1(F(rMBZ@>ou4}> z5B^*;Y^CCai^I^EFp?QjumoC+3YwoJKl408*a$br<&9v;-)%rPIwNgNUt=&36SkH^ z{Y5rpJ~xiU0haNbq`X8FEnN-q%25!wib+gkvdhFJm4h^0U<1UsL8n*WBhBvq@NC|n zMveb+E#U?3`xS(ysdKz-^9Gk?y{AH3P`4^xr;0x8N>x=!Z^?{i6CARZ%fnHdhs6#K zC1_aZ^ZkUyQg*oY=aP&*9i)y9OiB<31G&;E`k(JFs7~1y^F&+M+U6xr*Ah5D3jsio zcE#GA4B%R5UducK;v4h1{jR$+;XRz4Uqyi1$<3{dd0JfH7Okg=okI!zAJR-88U(+2 zk$vhOpOyaMt;s?6d5@fF9Mb-Ft4g?qENkVxR;+ir23kagRqKfv#WBBdTn3oV6eNyp z0{CD4C(iKq-KXq_YHDShWf9FmnV`2n5T`PKWB%tHe=qe^OT+`MV?czn(rECo@E(%1BWR;WywMq5@^a|K^4-76K+gDi}2dKOQ5P7|NA zjfG-28UT-Nw?pFWwv$AsX004Fea*x+Xw`0~a9717>4FW2lo%L;@_?)U-241z9Xq;L zy8U==NC^mAM!el{@gMzclTJ3v$xDde)~+lEDW!50~!N@a}%=_j|!G;?LvC4}o^GlCZt zk%iTPxR|OSvx(GR(3rg%lN(|ps+>@T9JSHqK!e0}(JPMH#5qSTE%xc>1}zHxEk(?{ z&zs&oLrxMq346xsuRUJ@H(vj9zEo&=d&yFVzltI?dyW43Ln{8h! zh#yA`Ez2@3^`5tu2Mbpw_-?=+SN;C6oc%qJFc(J^i^zWNR}HisGA|Id`zb5iTji%A z=khrYU;h=GHXB^A%Alw-Y+49ygf6Kp0sW5+QtDzrf{=)6%SAu6=6^tFKRSr=4VegmuN`GBlvQo#xBx zKDESxXyH;N69JQ5_QCtjOQwzVnESI6x0uYI9f1QuLCA)6OCj9hR zykdBaJ~jgy>jN1RN{j7&e!I?x$EB6|IZie*TI=z;#JZQz5h{j?^HPFP)S!BcLTJf zst&^L6B92sL$Kg9b`aK8Nf_wp-eWNSA!b6dky6I};!_`Z`Kt;XAFRLKqlkH>Zmq5{ zl=r4dPA&Xk9nL`UXq)K=Vn5HFdoFF`eP>}jFDVQXv`hAGn zb)NA*bILz&XH>d2;>xYsS??!*)Mjv?xfSf6lb572e5Ln_7sWWwAbqIioieiW83)sZ z(JbB8)lHM863T_kvuj~a`465G5=qAZgXjiSLg#tu(%O7C^#Og?dnrFNOthF6dL4)? z4$tm#Kv$XHuahI68tmT6lg?>Ds>Vayj4xbVCw7@3^ifK2k^@z}T07BZ$aqo0`y-LE;R$l5kWIXRIz`a5G8-ZQ|59H% zy4fX!Pb%ZY=7ERv)Jz&rpS|$L*^6`R@_>1TO?O{rG@X0AQCDzBwCAg(8hHN|OqNlt zt94urEbd5~FF)%T;HKRh7lL_V8quzE^nElTgZ)7GHiL4Cc2SuJ;_h(g^CzDm^1J1z z-HY8D5AqYUFOmm{4yYTPz!@$dqMk|3n>zzNn|%%s4>(HCE^j~nt{vGDu%@d1R0_9%?F>5V*^SqHh+B(WPByD5Z0>WC7;z^4BOKa9qKxtMvWK^S3Wl zqz{BP-@ZHdz+EnD_88#jv8LlmhF#2hi}NOVNWRQgKkr4~=msk2S(zy>EwFN$w>m?0SMrNQEA}}!!uSjS+-Ls2M}Fl$Z|{e4J`5H)Eh`y#(}W2`KfzeL z-IY_}*Ff=vfv_*#S*on8(MAE8puz9ft~IOo%W#pKUT!d|F6;zqM^khevbQ=iYS<4G z^Ykb&S_JSJVgW}WW6Qtn7g}HGxz(t1Uc1?Z->_))kyP{+0$0i?fi?w%UmcvxgUY#j z0gBT_u8>JR=r-5uUz8%EsQqP!5Io*a5^I$=@J;xz>bzHxP-*@U|EtQTA-22)b#>@4 zQxSi@aq60;*PfK!kxl}1S?`*LRc#0vsSNh5lqv;h|wVt7@ z=?8;AV!A7#ky>{ufoSu=sef&cOI(8Ej#r2f17QN=#+;&U3XeKFa818$5vnIz+eQRQ0RD6 z#FyXmsdF@Si+tww4cL~XyNN%^kMc8&3dzOgw%K{vvZu% z<5%yD2b|^eIZzRNx0)Z>zmG7a#D(gZ;E=6?)@+a9ru0o`Oc@7|c5QApkJin(X`f~` zC@#hI`o$Y0=Smo5VnKQVg~Q3>rbJA++LhL;179N(O}F*AqOc5EerJEno=Ek3<)djMISN-ARk(fKN=Oons98CfFsD?7}H#z8|s~Io}M0jKT*l@Y|zO z#y^e3KXy+=Ib;?j&Yb{blbjJ*QjwS}gQjCdRu{$dI#1MJt#xjdreNug^GN1O*xA6^(s6!Iv!xOvh-vcI3iNOgGHJPtT#(TH%5Uy#QT)}KZL9R zJRo)NZ+@54kWcEF)M(Kow^hUh(Y$aMN3_IV{UrTFz#vd8p0SA7t84PoRZv=J$AS_F zSh@aJMQS_C$iX(XUM$#uQ@y&X>E^~s^EUO+_%y4(KTnO&929(4Nt?$rS{f(D6RfkggNfKNJG^gu z&k;wMVSW8R^o^q*wQkhN>(0;DxUoA>q2ZDTdqTCk*j$z97DS1KjtO?6Hk;XE9;3@4 z^l1FQ)l`5p?RZZwWT<;*=&t-puK7E0X7j>G2|e7b+OF8TY%_=&VIXC!0sJ<_PYkA$ zP#|lRLC75Lqc+d#0!x+ShD-Y$`pTV6<{x9Z(!RNyZ$ZQOyV}S%z0D#@jjm++iTQzq zd5vnIm)#gzAfI*=DF3s3{Ps$gc$MQcAk&31d ze+x1{wEltRq1TvVw&a;5xTKx$fqvonc5%jX&ZnE2c!xRxbwgl=b%tIh3@*b_1YcK= z8`d>yt^8tE!HluCM=s8Leb+a?Gnq-wzy4Iu*u}?l3^qqtiV*YI|g+D_vNDIE3IlA@~fUjxKQ>=aGj2?b&66^ z>^ysu>zM^9=jx5hOV^_DRv?#WbDD>6wC(QZ!l3*<6a+iSCj?gc{G}YG-Mn&($W7rV5%NdrZ zXQ~4|RrMkJm6zDX`M&j<+e({EL7+ml-Uc;BpGBD>uGUy|kworD zWca%7LI=U}ZVH*RzT?Y!-m-F{yrGqDuv&2W9;5PfMv=OWPXbMb;G~FSX;YxsTI!}E z*6VzM3|pCzLWETTQlA-BUFPyKS$>c`U`t>9QY)T8sM1BW9_FaMq^(=<0VAu~F22}& zQm$?^|299~W2|JvBUyHktxcO?H1&~uNWvVgdEtK~+KOKP=C?o8M*mnSm3Mn?obt#I zoKm3}f*Yo`fA+*OUOOPyv~mK?FA~*TYKSuefzwYS?YA5)S0TI|>3;F;=uWT{acfgP zOt`q*qYnwYtSv0v74J}|jPHCxU+eju67%U*hYUzu4^=IPv)Yd>#_n}GToWrbs#n$n zxepeZg0dZ2<(~}hMhV;%v>qgW6BfULG2T(N$yWsHKOb)0q`y;r$|sdzy=O(2syXx` zneb}ACl!{@?Cf{Wuh}%=b<$wOHyaq zr%jvgD-qGS@Au5#hLfz zHj*E;Zzw9d7o8W&h>a?Ra_nNlty3YQW;3j^ebODI50K}B5=GfbF?}eyu`shN%E3my-ZNrB3q_RW*@5F-4Cb0 z#g&wxW+hW(!!~yKgx9NgI7dREJ=_qzmISq!YGS=_5b#`Ip4yZ%)>4%F?bRV!Ty!mY zOnO|8+l5|vUpR+uW+)P4C7m=0f(mX6<_~#xatYW!+xkE(15Jq?`nWraKF2erjD_^) z{W$CYAqB8E`}mvJo~)7np^E$iL1pwC&;J~blL7xwQ=c{hDywE#NN@0z8v08AC^VACuRG>2Bzv!8hyge;B5Id8Yk$p!Gv(l*))oYLliim^LEB zL2~`Z?-};PKd$}!0onba${$zIq_-@Y>fU}eztI7tE(wqwB_>qE`MufQTE}&glZ9J} z3a}N4hYghhuf)HT zo#_~S!t&HbuZO4?m#}vslW*8Mwuxy3#IEI+VIRQ2tGt1msS`>uM;cyEnporfLEWqIN(Wp)x{&Q{LCG7J zd-mNr{8$^Y{x?$1Bn2yf4&r*ENTW(*j|G0hWSPcu<4PAUL^B!JCgX>{@h&tL7dVO$ zJNGmEM%2WHqz@eZj34wR#2QYy@#2@ZR^uFrySyEfnjfg{#NtGtsJZSC0_Uyw%KN;* zyC&Xn!&1=1t_jLwlKO%P&=WO8xT+)=u_0-BebqfLBJFD9BdFg9T34FcS*S=WxQM<>CUNy(I3eMb!tfTitS>ns_>I<>#7dld%*>%_^bFjY-6g3E!oG!MK|7 z1bgzZNT6wfm1?HeV}0>!37#<{(x_!Sk^Hn&gOofS^yNuw+mG>4@eBk<7eSNkBA#o0 zvV_}10e~O>OToSuBf;~o44t6ZE!P#fe%##Np-N z%1E%n*C;b}2CaJj8f~P!wpN=*a5tp5-tf~mJO10Uu_VgkO68MY_NFE&J#XN+roUvg za}C^Pz-9jK0eJTq@DbZT(32$4;j#*$Z=-HVorT0ie;7D`F>Ur_sF0otA7zuyL#3rt z7hz5Q;HVh$At)={#y?YjwuR1Cr@H7>(fU(QPE=D;liE^r>9xf%n)>c#Nbuw4f$=ma zG)DzVw^S<`lZ82O+$@GbSF0xOuCDCk14Hhcpsw0GEE{oQss*|Ip<Z16}_y$q# z7+o|bS{EXdE;rHr4U?Z-krg93{w_Ul^T_7WMpwmSy=U>DF+qsq+M4Fn-GlSiHo6Lj znhQv^mI|az@c@z3C-tJf?LCu(xT`5#rPk!BGMx42j`0A)qSkc7GNW}tSo6mB@15s+ zdd&^Ddv@2kcSSh`WIjLrFa;ksSGl)%)Q4ApGusJ!f$O&Q@yxZ6V@h)t_PJ+}v#q0x z&e5GOh^~TcS)ud$W`t{vlICu+&ed+$`GyIr*c~PLNsRbpc0ISMp9Nt((hc+c^ex&t zUqsvJI#h6&JyPqr%e^3%d<-Zea`gHB7My=Q(Wu(RK0%4++xJ!WZsauH;!cDU)3`4X zT_xu=OP}-vg45pAVb+ucL4DWa^&eXt5Wkg~O2M8dt`nWtD=aT#$rQc8YQdKw&zlT$ zcl`H*uI6lNNqQQG!vf4s+U3kLzU+Q8X*JjkOba=G)V1F~);ul>hp63Snxg{%NHK*n74|6lY3E}f!ks6oc;tt$*FC7G_7ENW_4%_In zlLCh#=Sp?jdE&ZqYHvj^E(m&bwhLeoh+LRKykq<>L<>ki8 z7x!Q|dp*C7p0tJrv|P&fx7ZXWqcETX#rW$A+)|7HCi=v=NmLLtV`Iq4qx~K%_6cmQ z&JbB%Q&*H@l3P-v&T#o*b91G771Z1`#7E^&TcxutDn3xKW*57|YJ58|%%^DJ<%12g z5|H~Qd>es`aJ*9-v1A;`Ho5d E3#T0$Bme*a diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_5.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_5.jpg deleted file mode 100644 index 517a34200c38e6c57bf786c97eaed017182764ae..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 13318 zcmeHtXH=6<^k(QC=^cbngwO;jf`XKU-bnzd3Iu7P_o5;oAr$FVdJCZ=gbva>N)-s8 z(mNte1!Vc{{@eb~p0m3jcE9Z2_xUjA%sY4PnR)NM^FDWO=5M|MXtdNc)c|;Scz}T0 z2XKP}r~(M^@&CcC5Z;1_l!%CskcgawgqW0)oRX4)oPvUinvRBwnwFY^f`*BPmY#u; zk&*HaGYb;~3mpR^!#_&!2yVv^5|I%RkugwFP%->(%gsjsEhzwl*F}H_1mM%+5zyk@ z^Z__;O$Fc+{A2IG3JDQ09zH1{8NqEgmlSA||1wqi5g& zN{})!^O`cUC>tfFq)pFCK2R}y?#U-5Z6a__24d%<>J?UStA*uO{ePU{b|yT00>axK z5n8<4CO#Pf(Z3mhhfm8RL8pAHC#<0RM`GP1P_pp*F@eg>B7pMN0DM{kTEG*)wQ-4% z(!b!D*VP5<^q#jrWf4!Kod<_63z?}?RlnnVsF9M2MCBaE!+-mFp0H|PgWlw5W&D|}s0%%!jTe53zG)XKdKj@>zHX?ts!uvphjEgwr*(J;5#pa&A-=6R@r(t4xa zl-tua(s1^r!gnFSHekRwtL4(xZ`2Ti+Iyn9KbBPq32j^osL;#GVx!@~r{y*-H@<7r z$aV2Ix}=N$v@3Wo_3vY`(i^~s$$ehgG@Q6tnLeWTox*6$9F_eI!1npw*pk1g%6cU_ zp^mfjoqtU7Y^Qi-*L*7+EHCS0={q0^ek;@VtEJmOH!P@)hecrho$G}e*WZhh%#Nh_ zCmlJH;T}8gONy(MW$RoU^}*N}#Dy3zLW5z~BqnYzjU?6DZsGa*=ZvAejb5%6y6)C8 zT4QU2Jf)Dwq^0k}WU1n086j31%&$PyPFe;+|Bmh#auJV7=vuyR$y~jCE>$W4Bxi`$ z!{j${Cc^aG<();b?1hOLD1VHBXU69J+EF_rzJ{v>FDs2&L~TF0&Tn#*$|w+nEJpKb zfeQfu2YUdqUD;J+uCpxa(&LQeuJ_+h_JN$O8i-eK!OP8q>x6}fe#rg%s?N4$zV@dV z1kH;ZPZHtj;^~qLq0gBggZeST@n>|DRmpBdH-mhJKR!+R!DHN&mk1@M;Kzonurp&(f4wi{}8>DRuR_b z^Fc6>z=?Lypa?r(&MiwjzZ%m`MhQ?Bn#rG(r~!3|^adXs#!$*ghM>F6lsY zvSV)mG}0axdRn+~DeeAQ1P5{Kba17$cASORrAQ2H?uk>x4S>;*USNz;laj-=-yqwA z65Ra}%FRQ^r~-ygH*B8y*V&YP%ha8{JlGV5c!hwwq&tRhY!y-clCq;h}vn9JF@nVzvoMh+AX(aCZGhivulD1 z-5P663NTqgY}rvAFSNtwGGAXlcy7tc1!2<`qo`~yYV~H2;OvLV3GB4Gw`z9fn21(g zdvNS5txA6^v148`vS(GuoHw062xE@Wq-tW5W%FUAaMR6nMWfq52=lZS7pgUFv3Ukz zH3?xp5!A`g;BJNtI)Iv`Cs@9w0lE5Pnb9=9Cm18nV1w0W%d?L}z*-l*9>vBai;nF3 z>5VcXL$5|-l2iJ+vXT0)sK;ueT`qUeGxTRv`UMu<4foSSy!K_yCdS?vvv?$yu^Gtp z&qW&=&RTt*hJ#Nkq$tn+P8XE0e-fDZD(wV&IU(xzj*Fi9v69!*w0hK1JTE(lU8f=* zh)%*Jrds&Kfcc%~tP<@%9GXNO%9duiX+J!BU*&0YpO-)3MC)?Mi%i$hl8e2}tMCFL zIFOOKFgJf3mprIo(grbRIM{g=XRYg;QUd)Cj{Dm!X}Jl z6+Nq_c|!|weUDW4J%Z}}xr0e9d;X{D`IwmA)BeHz-w&vSrzCJ~+HAo}pf_&3@TEOL zcyEJbwImqz`a9yO&er{?*Q=(Ft~S3Wj0vO+@F}Y#3e7^9*6Km!<6F8AY_E^e16sW^ zE$Rmx15B*0&fv7XY%%R}CMqmTfo2|$p~h2tnBi>>iq=R`0#J^<28{XK01`fos~y|8 zapkWazFOFS$J?YyRr6ygyNTuMb&75?x|Em{p#wdv%+3Ag&u&@vQ>1?5=ca{tC2%X! ztP$e5Qm7nLOMDPN9{pG)Ua<;KuATtV*zwtE{%ykZU()@fC8YyBHe60-FMmtL!zWao z(d}FrKeG=}o`m2BP%r?zKximSsM}tV^)GSH_NR`?Xy(&mbMbSeY#TIJ!BLjw<0bVm zAI~~5O1O?R$t`CD*#&W|D3X+b?Cl)tK4S8Glr-xh>y`$;!;Jtw+-2~?G4c_wKH@M8 z;Nf{q$}gY7CLoPY=kHLjb$ECKz+99+PGTR^VNJtDBg>OL^HzzgDV&Ba0!yOd0@(4np3R(k|<@bK2`ds+* zie9L-E401evD!d9Da$FTRoQb53?c5W-BYv9)+@3t>K~c_p}M94h5wcnp@SBo*S)$0 zV~2z58;PAz-XGW;8NMeJ*?HX^-DpyUov|7AV_p=IUX`6uZI>epY+z)mE7>7W4@?oI zT`^x;|E+^bUEfDtUSDSVJy}3HHGeavg!q%zbi42a@fCw^u}y~Ug#FIq;! zVZL*i1;2xF)~Vm=l!2Mhv{^@oz%xJBWfQ{`=j4kMuw}7yqe?b>*5^Bsp}@aIR0@vS z=5heF`R~UxK2y+`by2AQ>Jf*owh^b+jP)0W_bkwG$AEr_ghfxgav}`mxGSm^ma@g8 z4F(Z&x?+))LH<7drNdr#oOjx|T$Ca_?PYA&^ibkn=nT}sY3XhBGSl&qeraKdXrVAG zX~FtwGVeX!`ufs{{02a%Zil>In(JKM8n%LrS}M=zark}OG=3C1hi%MkEHix-_x`9{ zX41+dJET+gj>L?Gw`qX47xlD*+X`hwMq&vsV#s*eyITh*oG0D#gq{mAoz}9ldl+5$XD)8pbpTK1@kS->Zb44 zh%8Cb8{eIYi8r5dHEZ6Otbb^rcgANp_l6A2?J>o6I&2(PMk{r~b&!xg^RYM|VU-7%xoYg);OrwT%i#ZMN zRpkhgmvLCp*ir;WFOj_Pw41^|K+deyif8^H=}?x{RjH}Zaa|*ozYkGr!C=HI$q%Ll zLtrqgM7pw|pgX%vwtox9!sWjZq2E1qmDwwnwbgdYoop``YxovM;v~Z>DC39`9dMmg z%JZxvX&fv2*6DsRdT&?iyd~v|dHnBh`)jrGnf#1P%aNB9n>T=v`jAzzQu z^kPmchAr&lQ_0xAvedNq{_t-C-@?%3)kDQ^w4%TEhotbf z#H))dV4H5;DnB!_KaEpUV#&)Y!3y~Yn6KDdCNxEX~Th^C` z?m4Zr7k|p_dE;CdtpC0bU*^hQQd=lO(XJ3d1Pe8vF5z?w?6W-1g`BtTKKAN}7Hrog znqxI$pRLO(rx?;PSveJ{r9b0yN0l)`^Os!iqz|NuGq*~UZwZWx+GRB=vPkLGYh)LY z%M+7#eC-3}P1P=XqpMy>Y(Y|qE(O$`eTtT<=wA0_^F462v5&>GM(sANHvA!{cq6*Y4i#y46}tIQcarS(WaD?4C`X~|IU1|Wt1clOh@dx1&3U)nY{#cK1e z`q&LX^fYX`(l^GW+=}Ul$|60*#aNqw;vhBtVu(Vcl} zz;1BpuzvXSbI#E7sv|9vEWM3He!B*hUT3uRkIw|nSmOp zJ*D(uVDxQO8FT$^#vWH+U1Qj-hXkQ$q90lY7RC>#C|k_s?49$Z zE7?leB#OD3TeNEWxtiKao{$R7B#c%AuqPVUZc@c$t^TDu=2T6Sw@a1kIEUjOoxOy2 z$-vpLLyhe_r!sFPjNf}X8rCf|hylMJjK=Q`CRP7^_f)acyhp}sqlim`WvMcVfJrFc zl5j*xMohzJ8J@eY7D-!8p0kU2sgcp%e^7rf2Xo}uq;LQ!b?Rgp^Ns&9zdFpL$ofT| z>zOKxFcT#70<`!p$70CWMBQRO#FM@`Xa$u(+^ypR?K>1K;K}+vHME@~ZQk{F>*V*J zWhE99tb@O)s1U+j?42OvEkAbyWaRZU%bt#xLB&{01(?{=N9Pclt;KbPka5^7#7`2HXr^`udZlfPiwT5!R1un8KHa8 z=7mVl@SAl{mJ36yu8zjH_d4LXUApKzBAMY(t3+=dTfl<#1)Ml_0?i6mVj|0UbeM3PrbmljNYrhX7Qf!-uvs9v;Bt7;vNf5}a9KFl3CIg|*}M&fj^ zg2ig~T1X%gg~7A|`Sngu@6L$yUqdp9eXA)9x$5T;Uo_nM(xw%P0*$Pky78%}T-6L* zC!rRx3x#2dYj%u!|4xz!DOWl)n^rEze|OLPDWi+nG})_doZ0bO8&6mD+#U3O%^N2q zaHSLxHn8X+9Wl#3L2>BIG&uj9#J|cSKPo)n^#tIx_P8juBKI1TG97_E9At5tkGf zU+C2B8eUBj_Y=}LKa>POh}iw0#)vQM^Qy~<=wEn#OC+u@KInYmI<{lWmK&H}mUbVl z8e0a|e){}I*Dp}*+deQ}foB%FF-|#5sdCG^+yExDnJ;;zcW(d(Ys=a0UA`^uH-MO^ zJ8N6tg1Rg7_H}rVQ@WM%jkNmx9V7%>Q&!FYigUbY#CgEK{w0Ft@ffz1uX3 zXnA{;xce5fbOY$MJYyRqrv3XqX2EMyXbu=yk@Sp7bbDa58sXucXBL!;>vYlhV9A5T)P5~^_E8Jdm@Dc}Ab zZ)IAZrr-IZM(!`XJ$`eo7JhKasqG!YUBelLC@Mn|e({%;E?BHGsPvo1Ub@PN{s2l* zs>d)E{FCdI0eB3zx&BrT!CF*oU!v9*d?)xnDf-PVX}Cq8&HCTJ4|*VpXQ;eGXQ}km zo?LLvY0{BRav3s>NLPvecdp|<@*e-W?ZR5kxF>7ZY_S;co4Hk_S)7 z5?WE?ib&n7ZHbIIV~4T*$-{Gs2KEh%x>)RKT zMblFsGZr&??w;)aGoUzT8D%`z7WoVZN0e7_Q zW^n^p{oecQ_b;wmmwT7=q*rk9Qw+H;$nNJrz4irH`FEzyn((HeaWQv?uWjX@_bJbs zf1m!T`iXOU-o+PGfN6U2V zgpkG&(6077S~#Wk(B>B7|-zyFr8@{acYl+)Nm$6f$pl6Y~CD|YNP z)F23)PQ&yRAN6q2$DBB}$cKthr*;Fu zFBHdrcJya-yyOV{u}kN*Hsp^RO>*B%tqR%l30}oA{(5_F)4*8Bc=ScFNvd_Vq3HRw zcHceyv~3A45tn^a&cGfhEr3DVh#v+9>z%)n@S-qQUuOEy(p9sy~2#%2mx_Wr>eTHviFyW{vo$u?ou=($a?Tda_;bThu zvHVh_vb0YcRiF;bLW_ex=}5gi(a*Mz&A!Z6%b!G`fdE10+tUmZnX_8~W$@7SQ-RoQ zH*l8!XE*(BYQOAA-WE9XbEmR)W2t1pqs{yG`1yk}HYHpfF(FALloUQL?zbRgDIXhU zq!C@fOPm_pq#Znk7w);Ok2_tm_HA%h#!u7Xwg;|y0QHmOXes@zjUtkhDA;4O5Y@Bf zgNSH1Y@aPrC$CapK%Ir!BD@Yv3!nunGu%cRy>)PY&YutE3-0m9>B`+j%(2gGCGhP_ z;~oq0%edI%s*>ECg{TT4h78h5{N5?2K0SvNp9JC_J@UA6du!nlw8gMuBRjxeT=&$| zUoTS=9NkOsz9Iu&l#>(h3-gk`5mVdUq*?R|dyXDxgqe%ywjrBg^ zyLT3>c9f5o_J4?*EcjhU2%h9?JI*IEX{)U1%V-oT*`m=ZXbdW53Eik@qZTRxm&18z zi#?Kl;_o#GEWvm``BVmy)!n?%?GIq{qT{jZOJ&Nw{fVg$dB=5ZYn~YLcJ#?cl^i=_ zy=Eb8;aQ3JkUt#oNKYLjN$0)@OpvseL+4U~TXtQ&N$IruE1%lEfwq3d? zrul;qSw#mRr%Kr^zZwUZah(|FI(pWo+-Yv_wLQ_KK}IRpm!cj023_69CtQC40);ZB zRMGQKSC0oKraj;9Zgimbd}?nuWqUr4BA1YQ4NZT}p!Rh>F7k*$W_ZqO#OW|#Ab-Io zLuO%4Zj!%)*tc+JO4B3P6}!6K;2<=_z)7S6m07;c{<=)zFG_^trbC;K{^uou)Sl|$ z*3XQ7C*>Q{PoIyrXxD%D+d9eKf1xK8*2G3hdWRfMGn!?6Q19C8%Sv6GNUx$sCCuuU zc2P_~y!JV-X{Wh;&vE7rkw}Kp5Tx%LIPV@CkmazwgzO$4lPs$g&I-dAkE2^gAp0mn z)WVR*w%E9aQClPs07SkKMBaY$L($5Q&R!VTf8|^g3lCQlXZhG?OE|2{7GR*|Iyc;8 z!M8MH#12Lk3Oc{m+7jB{iCkjN)n)VZ`~GX068r6JLa4pdJyurJwtn@{LReJh^;;EE zZj7{U331)q9lu*Y{V=Pe_m7`)maWHl-}Xtozn2q`&wa%x~77Y@WNuj@M|C>u;wXYHQn=0+qsJWL6uDzS{2H=i% zhj!BFdoDgIr(NrH7RL=);j61vgU%sK}gc%Ap7%n?ul z$x#hd{NsID{`&bO#Q1lp0aTTyppd%|7|8E!BZ}Fh{_Ps=*`#e7+G)W9e2kvpjeER6 zPLn}{DIhPrm3?&MnSq_8W!jf0y9c~C zfpbkZBS|-<`qGv?6CsC2JosS!5H7 zQ%%=ST>Yhy9ODWKBwS4+geC(O<_8$c@>_1|W@rxj^!Of5?r@|FexZoWp%gh(q#zwJ zI5Qk99ZA#4lmSCH89O&&(1%4x%ss8Fd#>u0-?z?3iqxE!A8-_XdinA)$1l?LVS%I_ zEwynu*Tc^3H|?v17=T+Ra31ETcb)huHPrX_R`R;p#wVk!56chsBHHa(XH3`+jy95r zp4XmLrnC$*CxksxVu=I4uE1s{1|=`rvq8WhWQ+^MJVf-MS&?K(+Bb4PuJ}QQo9)>~B}|vGahXUQeiz zoGviB5ZGjk&Mp2ncUMC}Lr0YtE0OR#V58&9p(h{kG;K$awi!)L67+ZsmSzu9$xpVG z7c9<4ymg=3FEZ{J5aM!RwYvdq4Aq=Z&=uqVg7WnGL=L=X-0XOY;6{Zziwu!4geycj zy;O*@%xNbvKT1}d`fv}}*0K1al@P7A_|R%xvh?xgBS9Qc3quuu#`3$!&fI&o&S`=% zckSQ?uu$Wtfw1Dm=Jj&9YsbcO3vw?Nt3HsHbpZOC1XE9k0><3*7J9Wk+0}GU@71XXOlZrF|bau-|rRYsKSmvQ7vuIS%B zzv~`G=3$^)tuyL`m`L8Ng|KkWZ*fk!b-pTOYCaUnImGhsd0+yEq@OPQd zCs}h2 z?mwv3!NFHJP*bf5&yrP6aDn;4rFdPprE>7$NlodjZ&U~t+>9%!Q~WBLkjMpnL3^8@ zB1v^fVYm6|R{WsmgAQLRUOqyuh?zc}tV;WJYo|td_ZPb;5 zL7k)BkR66(IeAmhV`E7Ae`;G3q<*qYJ#)i3J0Y&?1`^~d-$2q{Q{77{X9Iysx3deY zP{M;iVX@}!fd_;@_$;H$tZ}<33geb*HBx?+>he)BuC;_-$%FENbmzKk zrD80l-QgJu4S`a%s9DXV7|Ml#GQF0y(DJzVZMn|865m}!%kcX6%-K@oS8#sHgUwp% zmSp6k$7T1Y4`t9JKAh^1K!5ySO?xKv66}bc$rXvM56tqOF^64u?@=4qkd!t)G8Apq z4_ooV_0kvP5QZbF;}&)dQA5VNZ(d!)pbUCHpOzCy2uxdB(O>@=148ggPFeSZTtv@Fse5D52S?vLv70s zc4yR5rfDNL?JCv%8_I2R107%j-KF*J=XshB@~GiGlQRxud*kQEa=f$ZHrb%3^;!$8 z3_b$M4!0qi7uh(ryJk1gNOWZb=OAE*-~uzpdX{ zs6OcQqGdAn$mVkkV)^@1F8=$+gpe7RMWGGz#tsJs)^=-LVW{QIpui0v!uJbpyX^Ov z)V^128C1XG7DNa>6tDs>C=dGCBC}B}B2}tj=oAK!e5HCG9%h`3z6f3~{0nYq` zYSF-_h&1DO^NdPHwUje5Tv6g!Ohx&>=cgndJ6&_6%OAxJ=6LmQX}=8J>?7VUTWdcl z-kW|-UQT!D0A5!*e?=- zI$TDh1M}m799Et=Exb*c_ohhpe}lMG)alh23qgI}9mxGmUQXcr?LvNp)qDSlH#QL{ zgtahmlb!__`YYew^=Z`kt1)Y--s{?7c7{(Ez;4Hj->9d1rL~p}#IA|CwxMKb*?uHo zvJybe=c8VA0ba|GM_l8gT7@I)1y>5&e+CxulDrQcQj@k|2=@9dsjmsL#=Nh%=@2Vybsv76kmPgA*-*Im=@qEpDfA}uM zq^FCf?`nkH6z@;@xv6tzP4Qe(-dnL^+Y2H7r5R!PY^GQ7-Oo4?Dezh~-Ts?-GFng} zIS9k=dw%VlcPNrk?H=5cewhEKLjLP4uD#=Gb3UG(dhdvn^L###4vD^HX8tRWRh~Zj zry|AQLc)cMnd}CzJU(niK&Le#cYy^KkmxOJhWp@@|6RlY& zbYn9<$hfT7CS)@(XR9b1u)?{sO}fFqe@f!-YV9UnrI(pfPm+B)35@lVueFn2?}(ma zbg+!HR(j7kkjX6_?1lIIpqH!%!4??*!LF|UQs#W+rP@?Uo6xlHmhP6$azJ!1(6g7{ zh~H}1MIQMk8|a!kj^CPu1ZKJ-qgydI0MLQi<)wE{y&i>q#*eLJzSt*1sez@R+%~vX z82SEYmpGI+=v3MXSwnVYo$J2Qe$Z&HRu373TdI9!gW@4?>ol@NrMa|0sxDKqWP~t7 z=3glWFfu=l*7~cZUB&wYj0x>OA+|buuQ~W*5T=GOwvaY`u|h;^jBRKiD!cH=`o+vx z4O7(iqqj2S8xm>vma2vsM5Btrs8BH~g*xYcC1CWhO`<-TXM$N-|vK0HaE`YJ<_iETe}!&Gc^ zcw-!Z7_3FrWuHaFp>JtM7P{2;Yw`4=!&OsxkU#qH#c~6m?Uzau@H6Z{eQaJqF#rNEmYm^XPAr zUaP$r*!`19d1&86eM-r5Y?1R!Md+Y`Sb)oqO`NzVZ}FVUGZH;l7?d$I8K2Kk)f&X# zHyJ$RX9yeIxYxg^T_4X87ko0s;R>0DyAKSuvB)z0&tH^o&)pz01o<*xV zbEr^Nl2HQhQ1t2sS_4J5HK92Qnja;!%9{9sW1-G{B_Oj zZgvos&p$U|+ATn!-T_gR9W6*MRK1NxW@8W?wl@F>Jr?oX@zS@mLR!KZgPdi)a^Ku@ zX-#A{vB}O+A7JUJXU^5A)Xec9h^Rwgc0on@=}sFnx=n_z`pt>PK32P7)@D;wZuO3- z$5j$DB56ao`UTHd_Gx2I)I&V6y{A${WCC1(4`;ToFyI< zKLTpLwws-ka^Z>zOpjj?|FM!bBdIMvus#}}f&Ic4y4i*tQ}6A>9k$&Ib@A6&Jt~o| zJ;?5BC6;uGPV&Uk~jCqEuUdYO@y-dDG&(q_BRZ@f$Nu3OWrL#Zgtkgf0r5O=kV@HYbP zj-GgLKn;O=?iazxm`+Xq}?RM)KV=i7l?c zQuVkeMM+y$$IU0zX6-xfpW5eNFQ;7j=lbLXx$?k(R%1i&k(_QE^#?I7b)k+gE%taG!1jPz+#$!x0h=u3y^wd1M5| zWg_0>OO7bZRK1BlS+^&eNuA~YEv{G1SxBF^dBU>q`)t5vIGDZ|G}c1i9`;Z;PEyJF zd>y|R_m)0lQR;-#VbBhKjyPz)iYw9fGcMhm$eze-J*IyPUVE!mtksq@=Sxc@16~l$ zA`;U2PoO3Rw@)%(miYcFeT9)B?dW*|_xo2$o3Wdm1)b!E$_9ygYf-(xpT6{azd$|i z?5AlCISCSx6L?GWI{jsgHgm+x{WB-G-o2WBy zr4}4#R|_0_XlWL)=Q(LFG2Q?Mn{v2v_@qYgL%c(g6?4qNV3!Rnl*|hHj=vGnAOE{{ zi}7Uj8;GXnj1f|44SOq{v{vB!&NKU&iEbJ1SfjA*z8At!71>O@07P605I&h6sdMV} zvDkbmx4NWblb6?p&=-Nsx%}B4@8xzedoI70NdifCGmW9}%0P-F@>x%FMm?A1n}JSp zsL*lo4mXOa?r>O(h-yvm>#cb`dY>;~w?qVgv|ttR%MJBQozHdBe_6F}s(J*8j<)e* z42uUo;7Sc>woiYGA_MOEG7((>WOt&N*qj<@*DYL0JNaQS*b4R?XeV7SasAl)Q_a)7 zEt0{Y4=O{ICkRu)Zpp9G$?t%V%A1=PP|>$14hRHV6LY73v9~URNv%w$MLpsxB>hl~ zx5j5O1YZsLzB#@pqAjTqn3Qx_kyQd&%G--K_Ux59gbm>Ms@gPT$13tA#YJ0%+5uO^ z_z=b&EI2qxFn%eT!O+klQ_Z8lcXCat>FJr%`$6C%-3b`x2w@g3qpgdd_EGeX?jc8F zy>C8v*>7G~wgv)n-!i+Xq$#$xUFJaaq%#&d<%NVwsN#}NFTRy5H}UIfpwK8JCT0TT zQ;x}LI{$rxsAv@ zd$Xp*(@)1DgbMR!gi-C%N~^7YDvsr_|B%>W{?(PucG5N3{hqQB=%LG~V8BX`jBABO+PdyEHw$_R`jL^VLlH~pkJ!@V( z@N}KqPT;vOu?lfyffxJ)FeuaN?<1qF8fu`kk6u(=*F?G44e+V~GZtuf++#yGY8It- ziE19T!4JoBygKxs+2W1)z?wZH19>T5BlA(Y>zMY~RAVnFEqF1-;2&@MB2}qI>*yla zhIw6+QMO?1G{b?~LItV8y{>({zD#wKBT8pIn6%hy@D!^-_|kJ87T<6Yap_`zuLqH3 zrNXR9^K8TW4-WL70C~L@1=7Ik^6s)-$7KE&WoHn`PbhR*SQ_a*sn=Ft*#7Zk^eJtdd@q#yWHmF)okec1BZWqaB4?vz?>AZX@tV zmnVF%)BZ1g_Oh!h@{PraXa_kBJ)(TPfV|XEem!fBNDX8g@Gv@|*XP@DOmdTOuD1VZ zb;Q)5Gkl}@wW}m1LihE+^MrXM1O|n+3w^CeSR?^~uF>_Tx@|Xrmw*1i-#r`|H<>Im z5Di?$iTl~_rS1k3&`{eIR`tdT53|@4LI|N3{IGR^J0vNK$m!)vvo?XtnSysYYbycB5f6jX_8v{Ut0`KyzmEzux*LAp}}G d##~Rep8iY4XqKJO`ui=*|9`%cdG}`FzW}0%Vle;! diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_6.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_6.jpg deleted file mode 100644 index 536bc776695a2286a312e0332055627d7dec409a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7854 zcmdUUWmH^Ev+f>TgIn<69w4|AT!T9V86?0E+%kbAKuB;479dz~2<{NvAxN-60)qt@ zoWYsPd+mJZ*I8$+`~A4p&yQZKyPw*-YwxP+YScXH4?wJ;qOJmfKp-ICp#dlu@Ekx# zL;D90g7E-M9863M3`{(1Y%ClCJOToIJbZk@N2J7rk4PTj;}cU7laP^9P*4yMQBhNp zQQP;Jl`E97DG}+pl~*JVMeG- zrK5OESI_3YQ~zoj2!AiiH96LR$Ps@xe8(aMG00@;OkT(-4mtSqqdsG6%Nc>lea>2| z(WOWJNK;VuC+Kjf_>Jsw`1r17?V?q6*E1ro#-!)0OucPMOpm^uGm+B9QomMZ`e1Y@ z8x?Uh3#X$zvK(L+TH{wj+!0gHYwQ*j`x)*lQpxuMR-k=OS=D)c4+`h&h*qb>rH*)W z78B|IBbd34#GWaSh_)X8O}1QqM72Y1Lp+~c&C zeyk||_RM5&4{GM+*Pv*sYf*9_Wxir4M<==_#<^A2Hu;JI!g=qu$X=dc$DX7~jagNv zvyZMF2XZmF%+UvoG0}DLCZwo`4NErvp}_utu#T=w(^Bg1FmWsLQSR&gyWQbg)0wgQ zI%sPkvTNf|JLcZ9#`OBv;ExHWi?gt0sN9QKwdh7aP$UL=uc*i9bw}$49V983UC)pA zbI_L`&%@d?xL$ZJg#E>hW5Em9_G|9bY`Kx|7K29?eA%#H$LW2nxp< zIqqtlPP_=<85eIpO+(PhnWUffQwbW(vK-o+@;7O|ow}{43Pk5h{n0I|<5F!f82;E25h@hDs~4K3Q8tia4h@i z5-e)e))ZKoS%HwQ%A71b(ckN9@xHaal_U6t`_E@`*6$=Jse?!*2RIy!<;C^Ij@XQ|;~vM||1Nk&9bkQ&@F65H`2gYK$YVXUxLfZgnQh-_S$uPUA)0{;0Xvm zg%RFA?iU3(xm(=3wxWR5^v>I1sQh~Q!zYbf54qIJKmo6A{u&{lPi-%BtY51?#Dop# zhW3DTl`-DWXS>Gs=f0h59XCXq!TVVw(1<8V_ky)~*wq)q8chj|uc7EPW&yl-q(&)c zokNSOw@!-H3kZV)<88f>Z!K8^!;bas#Htu>AU5Th(eM=2VkxzU*kn+L0{CCu^lNB2 z%3cRsj(XC5_&72@5!3k;jcSf^j*IR)!zk5n{9lbcuz2~VUtAh5{x9Beyc=^=b#FZ- zxr7qEyd<=eIq>H-eZRfV%E-w}@QGFEbx5lePu`K8{8aj5SncLg;pTFGMUmaXc5T~& zmu$-NSaLXo&+}KlwlC-I^SmZCgbdh0P-b7JobE~eA;ssK2OA2`!_;^MkqK<=?SYKR6pbn)Hx*G#~ zpFS=POfC%^`X1$a?_A&d{H;;aY)l(X0vNomJwV9fv$kU;{IFn`wH%#p1{xD-x zqSoy(DzIfC>}ees#_ew{Gj$xyH@<(}Kq-?bzOXr7DJc-UOIC98r+s39?#;dRZ<6&+ zX18ql7%vHW4Fdkw5HRI)vV;%3jULioUW&R@-y^t!eC)^vbDU#u;12M~pa7c& z9gC~&o)1CCGdEiUWlL7zds^(UcFWv>=MWi-vf`^VO)b;&m_XLNVqV3&A0Xocu(UzJ z7P9QYF2ygakeXgGkLA+#dh*O`#yYl{L}zsp^{I>x~71>YosNvZW-De`=&+sy`rBHZiMZ$)8 z-j2Xzo9avVM&2;Iir|SuY(S3yEIMJC#%d;9PHNryKK#S&NNvF zw!Be2X*uMEy~r-Kt8r5-yBbO1Ru!E)QwAs?neIi%$PCW5bArl@R!{!Il4Oo;;v00C zRGR5x3$duII%=YrKMi($v1rVekYMJBnto2+E-8rTpj)TEOS4m6^s zo6b4mPwei!^59Z$B?$zx_GjcTxn|Nn-fzJ?zIKLQjKIrkQC+NB@1(hfgD3Gpfx#D_ z7uk~4j$lgs6nv9S@H`OB+H;j%wBH|Wj&)kg_b<$DI8TTYn}l-i9F2E(si7u^9Qgz_ zb+3`OLubE328PRStF%H?GS_al=d8=Dx`$^^BI#MuN^nlNz{c?Tc$^LIOE0-y?(l-k zV8-{;-qbRm{=i@|!J?{9=a8OJuFZu^O~eet)uE*nxOQlc3R2i%MA>$sitN_Y4XS-U8B%l+F0miW!2GkgFP|}_%4iD zwMW@>lUhgZ?zfiBBT6T%%Bt%QIntnsbIxXC**+X|UTBl4?D^QBd_LTzTI|_=z9aAXU@D_};vEo?hdV0yBhKlNfwDCoL-Q1%SVzf{Y1Yr1S z+_$t+znv?hr%A!3@w8BRzbUHifOM;WL3l~Pkaaj zpFK$*!7H@VC!8R|hqLZ$;M@DDTbIfQFR{MSW8W^dw~|Af)S98$y0?#82EjM zy7W4B*(BVW9Aq41Lb$v{Nm*;TG)CWE$La9J#gzNWyCFx8c|hh$BuOMXy}9ItdBa78 zhp2jB#lCpkT|RP8mj6U58B&0?mJlgT3PJ&NpR+3P^phVzEEN&;Zne64e*5^fgKdPK zC*%aJW^o*ZD@|HOL@-R#GD2gbA83rdQi1|V5|0{Jz_nBhcQ`k)s_c7gvlv8RVGZ(U zv$l#689LKS3W+XkF)Nx-$qr(iKR2HrH3)DyeeE}Q@SJ;X13y^Tj0$db!AQ`i1%`Kq z)xb>eaga=NuWA|TQ9#qZ{Jan5&DY1~7F)hM7W=G}SMdup$Bzg<&pYqUCD z)IE;eUKjQe6Ny0|jh2g`%qvK1gGf}_r`S{qXbL08<+j!WpI~b9zMo8`r|YwT?JO3$ z>mSm(z`pF1q#%}D!fwZ^gGrJ!^R{J9Oj}4qb=~x_|6KelQ%*q><91oeUCq{JCZ&`O z=XjM^b<@^R=tOb*{Y3eZHP(#Cj$`bK^w>m+8#19o({|8$$dydMnDX%1!R$uKpE_lW zP?@`r6#G<1pVr6xX0K<@kTe|KeaBkHvZc7&hUqk*KqCzWpaeY&iXayF!Oq~mt{t>#fnBq(Yk1y z^N$4LdqoYD$(*a!-TOdLKz{ezW#bU~zcvc>#cl@za+!|X>u`befOZKX|3V6fCf|*7 z#0;jqM*ru8BHYKtwZ9zY41;yIRSvJEIS@0~`HLZvVj+`ja*ztiWSY3&4AWPWt@m-b zH@>pP$ei(*)w2LySeZ^Cmi@mf)Gd`MI?eaLV<1EBPM0X8-RU9ZvS>SZj&d3ecH>-b zcOL3Xs$q96b-OSAe^ICYAKPiDonaZlDC`;97Z@^_88MA*V}V%(KN8mUSa@F5JBY+3 zta4zRUT2M)!RwYqAYFYId|_6#_@1BJzg*LrU0=L$zeNhimQ(v?V5^fYJqr4<;YGw0 zZ$4WQG5vJ*G8&700Q*xTVrL#+F|~qoBj~sr`4DK+p02Kpo*o!gtPPXt4kY2J^S)HIuBM1i zT<=fAuv_iqJM|X`+Wa!?ShZy}=M7aOp9CBSu(3Wh8rPz1U)JwR!HkHT_zxUk6Pdoy z^0oh{Zyc*(b|LSj38T`W$jT)!n$)Te=ADE^M44^p)YC#w`)DfO!k@Jq4^lIIcyf%J zDD^=oh#4+B9-;Gj5Sm6xR9*2XuK{X7(qik>>*RR^_Vi8>Hd|&2DBSG|1g?JwYx6EuRwt=SBS1?~PR z8raf%tg1gqB(>uzd9T?n;GB*hp`Sgk+l! z!fZBl^?cA;ZgqPOxztb_OsR=2veL;ehUpEN6WiJCBv?LVB~T3*)a!aZ8mN}r$r}|nz_@Ec0WT2UhYQ*~_+N7{ zWfi*wDxdnJ9ny>R2)B`5yEDG-J<(OQ9oo(gyt$SIc$m1#Z_D-ZN1=|Wvxz~#INZ($zuGp36-_y5!>I~GG z5J+2mGUsVbX{LFr0rwP~kgi~*!V+X|N=Wuy(>OnCwnIPpdTsAini|_?R(V;(7y_>7 z3Uqge`m>$=^-pYWLkMSEb!Dq^o1W;>p{a8${cdPfi^-p}@pF}Nn%1>TE`6vuM#p$4cT6QRBRjho+lD07 zW`wC%dXe=AcdH>|)$D#W#^-L-tg7@f;WRwQc0}t5v--AA-Ii`G!KVULMeI6f zdF82(+OpeQLW^-tC-tALu^3SXJsh?FHU}L&CJJ2n+{)1oqGpa&_Z~y^1*q>9aGc zCE1qkpV0BOe0Oo$1SF}Oqmboh#dK9&4E}t14e!e%qe{DXU!O8dJSr*De_#FmN>%$r zpzn?x_B2zV>+CXTlZG17{^+j7|7`vo@w;hzd*=8=#F2n@LjeU88v6@SxpXLB>J|oN zlQ~{Klzs?rSLq4oa#yR~X6HS;VwLop>)5x7WgM3tzuYG*RfKK~8e|dR5=W2Mew8R7 zItKIWq{6gEj)ZK zsIl1-AwNhHhRk1U#~!%i5_;U9P`Q_S()%*FT!$Oq#aie&Id3GczL72?zhTJd#&-k5 zAB3*OHndL9J|q zV$o@^Bxwr8#E7W*_+~bM=?NCEQ>`wOx*AG9mM?bDUB7=a-TxX<3%+kex5JxywvR>4 zMzsfQ%zIcMsl=MUKL|LyHar?Gmtg2czcei56lVMe`|<&KR*nKrZ(pK-z08!2Xi!$MD&gXnL34*yo~!OA=*CQ9HNuSTiG z20x$xjq(F){^>VSM>!hj((GeL(0kge4oTXo=bhGfGRiW+zSaR(=XAH>#=1wV-(cBI z(O_he8+36*e{|&!!U_e@JjR#Eiz#3Ub>KD)f1!)_4J*?I7f*uY-F zD(#fAYnL+ek>FjtFfKy1Cx|HSMBhOqhQ(@5U^DXPh3QvA%BePo2u?F%(t^@#SwQ_H1htDc#`*WGJA{Ke(nZ{Zq*lF5Z= K|F40KTKFG@#v@Vy diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_7.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_7.jpg deleted file mode 100644 index b61a044383e8d128148fce359cbb6643a68aad72..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7210 zcmdscXHe5yw|A(5)X)Rc5f0Lc2pAv-L{vbU(u+Va5s)qkHBkf%y<_MHX-bEv1Op-x znzRE-?_H6E-b*g$!*iea!~1@?bKehl?r-ne^Pky!m07cAt-XGK>KJtnz-ef3&j3I} zLjwr97y#-d;1+<6miC`{0s4!{z{J2nPtS1q(j`VF*2}D{ESFhW*x0!^+1P>XEG(RS zoIq|KUS3{S4t@bX9sw>MUY>uH(9m7T&@(VIFfjA5v9R&{mqGmk05Sod(v;BANC0So zG;}~3DhVKb;VOWZ?jL{ug-i5|Gz?61w9FUVx|{$SdRiJf8v09&bc~lS4$%TGJYir2 zUgF{wXX4?P;FVO-wN4)vP_^{S{2>K4=ewbI+a;3u>h)W9ETTvkD)=vS{~y}_u|h*j zcd;Q0ys!*lpk@5Gbs8Y8xQgy3SBkkyVO{H>--~$(y&>uZfR*mzD3A^afCA3ny^)}m z5R>@tE{ZjeCwwR1f*p^bnME&2qvRc@uCdFTcczRbr{L=f-JEg$=hf@8AtN`O-h}ph zbd;3!8OaekCq};X^e}R%@=53ae4(N)VZ7DamAmm%5g3oxANiym-3Iqu-5&Ar7P^n# zU`IJ8OXoNE68MQ70M22`C1)rq5h}^ll()Pi_FG2@j`XP*dM`g?Oa2 ze0PLyh6+F>vR|vGOJO=t=hD!5zE(Z>J8i-@#8H+C=q;&+ecM}`3eSh^=N0O#!ciMV zKc)Vh1z#`E#Y#iztK7~jU~48DbwfV5YbU1y)!jOa+l$UsD!%>q$1F6UC`Cm*MWyjc zt8+Ob72pJ?0-7E!>8hONeehWzw(PC=oRAK!3B$*0&8`zqZIf1GujE633J-4V0dW!~ zJW)a|ta@A>CR4RIDE*HMxr6iS-%gozAs=^a(4XuzdbsDSkm{4HYL5@F%W2UlE{Iu- zX6@^Qs3rNzM-H{BZso2Y1%n-hz;LrFUhUMPRvvr~{x-ceO@Hx@5QMXxwId7#j?)lg z1G+A&JjCNBgVr)R`TYnmrsTJe+qNzjZxX!wbv?Q!3~&Z(Z=* zKdNzi$`B+;kp@!0NWLZP?M93>(x=%|NXcA#RSjnGeWfI03P$#He!TpW8N|YE`s`0! zPKtEU+>!}um!GM__Kl~bNSg~@ZRf~Sy@9Q?1@#J2dzahPp5VYTy$E3PIH0Q)C3cFY zL^_#lA0-DC@Z%xs!@unKeB`FLKN`WXo7Y`an(s<^(rjReotJoRX}Tgqb7HQD{uyZf zWUrg7p{dFu=apP2kz5P*jq4DND?`DA5Vn&@+jMp)HjEbI1UP-DN; zdwIjpS*_g){Eqx;t#AZ{^t$X7QQ~WUaen@Fas`HWnhK}^V`i@Ti{Z}uCmOaKXODN( z&lbYuraaC9o$9=9$an6vvzrQIGvDQeV0(cUv3d!!(c;W78E+e7(Fl(Vxf3eDI1=1j#L!JE~xcuiNuiEr{>EzE|gF@~)E#;5OGpd(<=4 zUN?LH(h{eI)(A_|3Qa6%nnSI-HPnJMRFzxhM(TmY_zyC0goaE!K?BYwPKh<(=0`Kx zo^hhyVxMENEH-Q2tD8GzM`Y}^@T(qCw^BZ$faW*>M5%UR_q?cmWTxU87=rPcQYvhT*t zfRc|%m8}--EhPa+$kXK=8U94$yippEyukKZ(>|UFOz5BmzM>Ie@nYfT%_z%l|K1HF z>xM*i>9vPi7Q0JitMZ8}tDs!@5f_*rAF-qTQL;u!VDCXVqy>yFj>$1!IegRoW#kQz zecL~dNU(jmg0>%QMz@dd?Wp989?LYl?X@Q3KPZ1(DVaapPj{8!5gZ#C04W`Oq>?{AF7@a_4S znKL=EnZl?O>&w68DQY!p$z_xQZ>UV};x@fw)6R@}Lnz0@;_pt8icd}wB(D#jyharg zKPx%4F4YDrP+C%d4AvPre2#L@4*4qIwyeXE<&bkw@HcU~6Yk^gR9|3<&slfWDi(a_ z`5nGBqRQ0@utow?#lg`_+qSNkWT*gX;&1q5)| zzuCfA9p7M+D}4>RqWjwge)6zm=HM{ z;=`!7e{EzSGs0FiD2AxGC}$!43As3**ZJGI#<2t~sHs3QojUu=g+LKDYhN4xWAlSc zf!m~XOr>t+f>dNp_a(&vNPIouHj74D@MGmm($22Itbn?}N`s@+zL8!pP`QRj?E%vB z=AjyvBgGFB+^FRxH3eaPv5?pRYh*sk!lhp_{UvhpxA8N=`p4e{r#2(-SRLNo=IO)j z@!Tw28BxD(dr~&x)MYu*=#^y5Jz4$P$B*p3t3vVxKR==wC6{T&)J@MfC$h3(rN}Z| zWaUmm3%!(5+c5+Z-X(vx6w0(;(2+2^9c21FZC>R2;UMwcl=;~IvcGK7SM9Q`BGhR< z_wLf+o%iS0y{Uk-ujt%}+*sIVlKbhCi)1Aed8VlYBtsK~T9!5o%EZbfaHohmBvLAtF>d7Qt7@GMs z_1iorm>H51r<_Iv{}%ms*fR5mKc{&;+l7q#u1U`~-hYw(v6ZjUHB+Ti_NowY>T(rj z7nTvL_u~0omP`o*`38daa*N5ckAr)-Yc>tL)!v<6xu4w@wz|_k%}HK;De|Zxf5e3m zCGbU0c}|kXtI*Z8{{0T_Q?PvaTP3qbCYu_M_X$!D4D?9SjEd`e>lZkM-0b<&j?7-< z5p2A7Dy&ez;iL9v2PEjH5(z1n0;N?oXrE%=_}RNY^=V@n9+dRj&s+4h&xhB^?{~VM z*@esSesET?pEWM+iSZzgDBJkBuHa>Us1Y0+{Z(-4pz1lP2@N{my{ z2CMW1FIQ_v(+8u8~=CNy3}2D{ELc!c4( zH*ZhwI6H@|4&OU|^qo?&LjH9~exwG+!DUBD_Sts4D@vj`M5x}BCLy3V%%Fp^A%o~` z({{@L6maaCn1#!$`R)|neq6|(bEBUSsL0x9tXLOalHUbCJCKP@t=3W9Ty##=XkAVW zOF*U<%i7?+>XP|ID-^?3KZOqG*La6pha0IsA9-I`5?P3A=1Db5t>2JJrLS#>UyK)? zQ6)>u3V^a^yJyx}!K0Qf`zH@cN4TO=xQx%IJwn+VbKt}OV*Y@Qw49#LB$T!NMkv&N zZxQd@$+H_fGC1npYN+V27_G7Go5o#U@}^K07}eK#Zh3ohg?ANfuDbs6~fiq_Q(ynObAp($9;Zt?w!2? z9YgpWDG@_wn5cmD(6-jjXRprr49~Vj!#+D{_?8k?!1xAvD!@M*c9#48iiv^Ibw6v_ zkhn=fN;RIa**7CNc)fU8PM6!b)iGfT*Cc->hO_0H$-n~` z7e)_pZqjnk+_HXZy0}3*^QK>N{*RHZU?Yq1B70%+zFIf7Q{FBUM*iS)3tC2Ll{s8) zLH^ymUx$@XHJ(1UQ|k{Fs}dkFc#tx$`oZUOmy)r)Ek9zWXUV9*%-ZeXSOH_Nrf5BK z2+uYBfUys7^Ta=3eEwin6dVXgpisMTge3@DYD(rWSrWzD;zL7|&+jH#boQl{2SCSZ z9I#H6s!++E`|?j&T@4o4NrZ#*G9OWEd;UA6hcTZgvsh?Sda>wVFRhZYYr9SxBWtu% z;G7$g#I8Tp+1mU{N@1`%S53+!Ue2;8p;X?=#|G&y;KGkY$hb)O%Wwkdz+wQfNZhR< zyjno8LXmIdovZZ@$K@%5*a=o`8G-3vdIqQ6y??Drou#Dr4;}#G&FO>fFov}^k%q=! z?&v&%=gUNQw7|K%2KGT|q%W+s=&pKSz z_A>=1bxk*$RIQD84XPwgaek8u?25t~=pvRJ+sCpB5^cxN_p+PN(}8OS9OcNp@(@Zq zh$Ylb@a(k7d<NSnf*R0i2!NGUf0pR)P8}vE z-T-w37gzEzdEJ?njMp=z|?z1KK>M?WqIP5lexG1!@t>W_Q3XLAiGRJ z+fa88fnEKo&4;+LUlou+&Ftn+sZ$%f=v5@lPX{Kh$Z*o|U|0a*&|U9C3BcsD0w<^QokWEvz;9{)dQ8$US%EB*0oc0#B^*rmH!UX2X`V0bq;=8E_AatywjvBVu;1&S+d~>2@I35Oo3~At6kAJ_SXOlbT)M^8!amb%?8=N+X zpV+_!aAMs0b!-E6~m0?=JUeh=itR@mpQANU+r*nqSM;}Z6 z`iOX!<|B01El}I8io56b2HtACvQLVQl8i~`NMcM|o?`Q+aMWDRaATm%AMy9~G3A#25JgE2Phq=ri#$0^S*Od& zW3|A%cMu1n1OjbLw4Hsie256l@tETA=!5qTj@B?~rQVlSe$Jw3nO>s)n z`zr;5S<{Utnd2|}7m;E29ZE&Tt>xn1i`-Ql!oj0mE~>`GqvAdlU=_HKnChMMVr+fk zV1mZ9RK0e>I{xa%R&up zxU)3k1pi7-@*&1$c;F%2{sTRd4GL}V(smv9_;;R-s+_k$Fx}ykGn;p)0N9KOJER!8 zS#Q0Oe6qZ~)fRO<3hVG_IFAshMLK~#!D)SliW_lUS4hezdzW-<&<*?D+e==#>?8R_ zb$iLlAgQ?v+eks7+7AmqtWg0Q1*SgMm9v`5YC;^j6->~-V)O^weT)5f{bDO4I# zP=_b?eX8w5hO=s-%J3F1T?>eKr*7`SZw*fxTLNXrWH?fCCkaBybCW4Zl)(dEFME}z z&o14o%l)>DPHJ}Qu(*{!#p{0{Rv|@V<$zc-+ll8yBi!``#1%_;n555L{d#KO1U7G4_J>ep6^ zO9gf^wlj;d^Zd(E^RiCr=v4`dAH^RmgOZR5C%Y`|@F?RZgIS{{cK>*YU9I!zExKaX zA-@E7qx4Gj_ERn{Z-4cEjW-E45vUBx(9D{ZjqC>*TfmZ_!u{7nc)I&XJ<|f6{7ql^yBc9yTx9j!V2$sXzqW z$*YmFlCJTEry8V3c3p9B(gZk2#g8A(=Vf&gDt?wAFf}#>K~YT=2OFZQ3D*0!e^otQ zw=FEIy_cT&)6MS3B;4*+sF;XKIISH5+aGecOM$sr!(e`8@^C&KRLJs8K{}60lqZu%*(GjZsWX!p%-AD-8>{+DT ztlKkn5He$pN?B`PUN1LUdUTzYeX50hswVxsKSZI@;bB=xTJAyjEj4bIHMi%yY-0PT`{V zU>+2HZEgPVt~Ce7}M zQ~}9YBgP?PXVw96<=Q&#hKWOdAPe@;AHu;kR-m*D%uZ z)B{5btGvbC>81l{XoKgFf+b7F)hfv@m2Vs%EejraFS%_$nW)in!45#ed)8wurzzQ% zS1rRY`cG?vv1c1a{z$dn(klBxJ)jW4%9n`OzSoD6xFl|8D00Im6Z zMn8oPeJ*^O_h-Dnrm!KaA`zW#%W7i4T05z^nD*K^Ur9jAVjsy}+w@`wg4&*GMyHL~ z=U7|bVAI(b%mi*#iMI+@Y_l8m>OG}%skj1QpgATQ@zmo(n2~9OhQVW+2-1*-T8^f6 zSR%Y@1zX6So|DC++3m?eAm>FRH@u!*&F|l4Lqcrv z1O!!RfA-K6Y}Ml0PvbnG!N+atNli5r;h|GReO*-yygF<2s7^3J!KCMyclvJ9r6+A0 z@nxmvcg=~L8$xMuggBzV1iAD7!VTB_iyQ9g2)(&m!IJtexpVisSrNLpP&?GJ))JNp zVi=43f&-DV#`E%;ZO6?9FR{u)VPMSFZ~xsNJ^#*&{~x|MBu;EkVCyrTAT5_@L71hOs7mG*mO;P%O9=_u>vM zTD&+dHhfS1@0)q=&6>B?{AbP1zFF(ubF1K{A`0KD%$ zfZKV%6Tm%O+<)ku;N2-c5k5X19zF>nApsE?2^kqF2`TCQ2UHaIA5cCZC8eOHprob& z0)b@Ybo8_|^i(uJntvFCFAq@8V?r-|6d)zp~Phqd8KTC$oowd9AD8s`V(}ha?jAUa_n{vKz8r$e#(24 z042ap$yidZ;r|C(z1snGlJ@9pl&QO3<_h@at0?!z!FI%**jTyC$xpmL?e`%$pHn25 ztxj%=w9U~Iahw2;b6@&?{z=Z?rEUqL827Nx&AYU&F_%%JGaf?yEvT?5z@s*okz7;@Z~uRFY; zB$t=6z*65Ol{$GCw#9E^VL4!DSNNTxR~ZkeRxCLnPs)kqY*{9eC!%~vz}^-89Xl?7 zd=vyggNV=|5XcjvMSRet%Xe<#{G0jU%>6vFt7UuW=3ev7aLGh&I(Kzhde70~(XVHj z$@{{UqjF67RlUEREOKMI?%jG5J;6J=${i=*mt30(M8cJ%$lqI9*6J6TG_xCsJWF?@ z|NKWFFEi`+wwRr(+Y^!YS<|@6f+3?bbn3Sq8i}IIH*WF?4loEi-LVqdxd7E zXt^pPozw1XLCMUTD!z-AiH;5K)TV^fUQ>6 z7@i1|JS-OHSVhkM%6tf=<8|Fm1CY# zm0=YJ{p?ALqX)(I?MXQHioz7I%H1L*^^nRY^Fovhhw9tHajFdeKIl10b-~;i0<_vj z?V>PRB~iBk_ZQmb)gy7smIGc<~hYuTbUPPOCNQH~`GrbrAtJ1g1fFL=zh_v~U5WVF})QZBLl zA<@Sx%$e50{wDccQh}x8P%X3b#A6em{|{$~{h)IwTG*}|zdkFAJ8`TA&# zvODwZUmeZ2>}(V+1h>-PC_TL29JUuGa9S^_N9`=Q65D{(>|z!a$U}d8kXQ0Vgc&%& zq&OS5d4VN&>-JEM+U?7Cju%|2IC@6KNgYY6Rm<~%_$!C8OEM8q@`1x#eRqYgNubCJ zztZi~zEZP5X6HSrzfEP;QGTMGL&FMaKCg7dYfC)IcrG&Q=z$N{%4kFv-c7&VEkI)V zi!*7z;Bx}mRMImsIkFVu)|=yKU8u$W}aja`J`mx!deRyCOO#B!}dtR?HZza7lt7G}GPu3Bsrq$7s#m zYsM6QS}(h)nXiykhc4^G?)*6`SA6?F37^;U4PGg$sCScttDx~kAzqW>-_Gfs!EojV za5bzuSv;}f_r@myG+RcIgfWHHcFk9ZcW#VE;s?zA)1kd3_-A^P0fb>J4)wyqZqWOMY)yt8sq zz)Ses0WIG*8-B~Rk%~1s?jPVjhm|KT#C7{{(n)SIPbb1iugAu#+H_)4J<@0W&HI0! zNMk^J;Y)(o)jMJtvvD!KyNL-STpV&m8cp(%qkU(9v)#g(G)nR_72wS&UH#kGr#@$f zsTf-Nvqqh5fdi3-C;iw3;>U{T;{vcYsj^8OR%}Jl7cGL!uHN zYmuJR;_kK-)M~jp5goBaoDf<%X|MF^n=(LkCWs$LK#fMd6N*ltr{%if;rfv*8JGoZ zv%`aKVC0?Op5g9TEB(05ps7Lle1MsR!*F_@i})#Ue$=nX`QSy(tM3K8kN=?#vtgJS zmz_jUH^gO&_NB&&zvuU{zU*IA#qW_bXAa3CKUY{xW~q#yxOkP)1x@U(ZgMO>+G@@_ z(D1zYiD-%lcqEaqarhkJ^;j}K5){GRzOuoAqhqLiYOMFCWN&1SPph<+*Yh&0V1?p! zr~6Dit7~@umQYlc`5Bq_Jj7pS6^&Bk4KCU;ef3J|?TXD+HS`aBplF=$WCKz-%2COP^{%6Nr`xce;$d3ZbpU1Z_UI>8kTl5rAj zb5-7d7s;_MF>l*^& zTR^jS4xP2q^*P`dtnceBfM($xoRy%V5uT@8;IFzUrFHo)z4@ z27_i~Hl-`R>?Z;2n5?#EeZZiPFBIssRzlH8SJH!9d~PI3>{&+mObt+zS)HQFv)YE{UXVyQco-> zpi{nNMpLiQN-JJO(fI|mWaLfDRGs11i>#?lukO8L=akT%{gLW$uGy6ky>O*c+5B~d zR*Z?IhS84RFh+5#f_}=}VPJLe-Kem=!~>h}tZY;)IRD>egyHSjCN-`eSieD#p{1CfC7P%#%5t#tkov?A78p4c3TY( zf7MIMo@BoBu_`aUn@Zz8$xwI6K42B$9!>I#1Y6M(hwV7nAfs25G`kUZ61ip6>a)mlW%8|sE%I;D zdDiGbmlNL#eNKt;^z>L=Ocl$F^Lq4`p0@|T8~UDxsBg)P>;GvevA+^m7(2QccrjNhL=(kv=YC;AJ?ZfviC=m=+8MQxjK`)3pEb9p9@L z6rI;ve#5`cSFpfCGQEl1{hb>*A^uUO?Qv&E^K)Vo2W5t0Ax1sv1C1m+4Io{;6Uw>r zpmHBsVr4zSQFoObX$Eukz+H48^Az?D;!jT9i{&et^8UsrD95%KY*Zj%rcC)D-AT1) zjODmN;o{2&|0mR^d|Lf(Bd;^R{W+?>HtI=FdwgHv2=1wGmcZUh8BoX(Bp=yOG)(LX z)zh6srlDdb=0x6^H6pVvhgq*0Xd|bIS-zi@n3OOm+ya=BIy9zVtiSo4C-Rfx!>EUk zavH(s<&yS83Fw;NqmSq{HG5+(dY@dMaQw&fBC1qCon#>0ByC~*b%DD*-~Gzrl9zj; zGr9L(1%`!yA}c{4nOUko2H z$?qgiAW&93<((+-?cM??f7p8KvhWpJ3KorS)}{vTwM@$XQ&9i2=}d#|$f!vhE>zwW zeL55G@1r+=vbuL9=g4fa(Ov06W?E)cr@+uSW-1jy+61rpGBtazQ2NS-pkr05pde%_&C2JNe~OT@f}S~6h|qoU ziEFL4LhN|%4pvOGpQjLk_1}_( z%V;N<;w<9XbSgFW2XHhElD{G-(Q#vyKlUMW@K8zqaZ`6Xr6?c@Te8w-U}5?!5jLoT zmlA29>fOxz8$oH{X{<8)uG(yW_2E`tT|izVtjgHscPz=LB5q#mC&LMUQL%N0jG?X1 z8NlVIB_RqD)ZZE*>hr(qDy)Q{ZU+E&A05xbE}fg--27A2^<(*z^j=-% zKnX~uK2DX+x+S8R{Ohl}uz_!(7M3tbmnnk7>a>uZv#?tGSfZ(`c^=`f$i$eUDYj`> zFEg&j|2xS7lJPqPzOf&2&&kax+t@8KqI#?L(F+H%r%(N{Lk3-^tPf8$T#qi@ywZ5G z^&P^QgyH6XJn%|O!Vfs#xNRvT9xU&6WX^bm&89i3CTw&~Mx7r18a#w@zv_&5&m2bl z)CNcVURn%AIDQ>nvT@QN2F@C;(jic$9=m#M*XLoUTd&Q*EA|QeC~<@e1WL$_$VC#} zt*3X#1K&GfB$;7K!FI@fbc^asnnKxuwW9_7J;|Q|p48<^oZlU!B}JH30o;V~Zp+iJ zpgJj*+UoKtpeaXV-<>bB1Tqh2-!%Ljyali>2@1B=%zQal@#POD==zpq7!%e@k0T`G zo^0S>%z=q~ZsPIuQO`_^T*l8LyN_>b6gmZ=ZCfs z6hG#{AEpy`^2UTfs6gvKy9gwn)44A-)S4U1t(Vzhe*z=FbBQ9>R1@Z;$A{vI0ZrERpDSK>HOvZ(Ec7#l zrKx4c9#gh0(ir1B632hAjVx|-F27W>O?1N<{~TnUZsY0cJgm9hR;}misP>4xw4!_^9qVa_8N7IRVBylqFy>S&~=(dkxqYn%Hddpt1SA6F& zDn*%9xT3#$DCbSRPMm;b{FPC3S}?)9_(i&Cld--kP}yAdCU~qNF!i(F0rgo~^q_^w z9A3OW%~pRHK7&uT?Ik!_cZAdM9{pEWry?%89|kEqJrgBo9! zq#~kN1Ik01s?5RT^qhpGFVvhkY1)CFci>NsNP!?!_*Y5W z9Ptq%X2mvs>Ei^$O)%bLxMgR?R^}EM)ymtskXpQhfoGIZl`w$g!I(0shvTi(z8_OI z$i6jf2pl~NyEkdwJ4=GBAd1#cL~yFJ&gh)(Yuu00u4(@6vPC$<+Mo64^4=d)S^fV% zoK;`-NGICV*Vt8BPs=A(q~zkz9tJP_6N2aKhblQwx(8 ztID${%zKAJ18xBy_%m0{I!#-3mCt;gttE$;^kaX6c~z;jb{wwDXyZ0(GZoUJpC3l8 z4lN)GZ6x`h*iF2`h1Q3Ckd{=bn6mHdvOF{-QuZZhHhGJm_Hv5p@5}__bwyMZzifgH zV+49veH4gu#>53DxY+jQ+}TYk$k%ufQP9?eZNe+zIN zCTJS9pnPI#Wzr3P3=>99vf0G>ANwajyE7biOv z=!%GZvwp`l#g!d66(w;tipfBH_T-bl3Y&ftCAjEa)A2Ipt;<>jmEt^pMLG^v9!0Ya z7VHI=)Vx~NX;^>QmuxS+-YSZE8Hud>GFP7G5lo;ns;O^IWY}QsS1kvA@5uAH<=4}O zzt%|+5#!oBO9y4O(~cp3_TG)NJ~Y)i_EFdRTGJts-7jnBIDp`{Hq&t9?<^O7;W&hM zK}i}n)Vbx6yh3RlVLwXZJfjK>u+%as=Luc4<2B=YS}OTgVna1#{GsQoq@LBO3Y)$6 zBi(B}HY-eG1lC9RM&uN$0T3#+KdC9XecO_6(iBCn>JAm5&AsanN9_rH;T9Xklu}Hj zcB`#GLkU&dHl2ONbFWpNsLtxKa4PMJM)#-Si6 zJEtKh6xy|F=C$H%aJ0~#W@^#Z@|2>@xAZw9n}G=%C6WrxQM`Id+|t~KQ{j+O+knrj z^`Dg-iTXQnw3UaY6ExhfI~gdu?~}0A=V>n`@XTR)2x=KHV;@d=9s`7A`6MdTVW@a; zW2lm-S#dtsO?%gBo6AHiiB7!D^x7S(8ZxDGDF@2jJjAC5htHNeZGvXnF8(DIQAKExDK*cYRxc{2>J$_q*$4f*yyD1Nj7tOzdBm zL56~lh(b{Dl!ASWP}7~#0v?+GXQ~Kx-Z2^|44bj2f7-A*E?6hA@wA9@Hf^EiRnZFx zsK@!M3?}s@aVV9?hW6P?u|_V5xR$=QKS9~5<;tRn(}wWXfI%5zxk~Ft_D2QYa*Fvf zr-)ECU_7S;+g5JA?Tw?o$UA$J*mY5k+BJ_IyYBD1M&i4WzD9{6;u^~djX9@eNkf2T z7w<%F+GXd;vWNXG0B7kI@LJD1)BN8cqwOp$;*ZBz=*T8wNOI^%T60~-3Ma~xQ1R=Q zMNagg6OwPxT;Ix^jhFaQ%Zo{i{F*A-ik~hyw*W!7x(n}kK5S}!0kYfy_LSTS$6A)7^j~eq=i7FVG_yzNKH+)JU-Z9 z2kI6IDsY!6^WQ;AblG8|Gw67Rc<>`62#hJWg_O+g;1BRxNfWTjaYqNFw=S?S+NDj( z_ZJ`LDel-ZQYf&<4b~Mh%G8PiiVO>tzR6}Kcs0HLiiqer?qH;>#_fMOJ(`d#@d9?% z1vJnERjQ#mvc%WsnwR;h6g@p|0a7{QS0nv5Vh!Cp(ybbQwKZTV=a$p&9|PoeL7<2T znwH{#imRP7rxwEZ#+3lNq<-rHacrSf9|IQj+?nk z&NsC)-{j~oC}$p&P&o@oCm^|pkW$LJ1=@j;r*f1>RtS2TPJ<(|E461&lD5jziSl$@ z%pEFp+BLakwTd}{B5Y%JFRThyGlEy zbA%UAHFtJPOP}|@QLxR&TfnhE)-B*7Tj>_Cw*=0p;i=fd2Ec|b`U~u(cTu5d=*JD> z!;+Ueas*D@fq?3zklerT^%Sg~QRW{>-xhDT%-O{{Z3K%;txaykHN$Rf_^M|TH zI;MKS8VRw76o>FcU@*<`R7Gz~>G%u0f6)8yW{aHNjXf7{Sc;ADF*v_F^zuub)8iBG z1JRWaOc6&EF>j;^X+ILdk_b=46j3)zX=V_p-9LT5o9z;ea=t%W7>uRBdOhmfl3EdY6G#Chi2W>e0nTItEn;FrX& zbu8IKGqU577Iv(Yh(v+v(4UGy$VMWx|Bca__c@AcB5Fu$uQ}v1#PmUzdBEIY$0m?nGtKR3+`Erv|y;tmz;nf49!WLW52Z?rAVV4v>N7@!R zHvyL|L8|JfZ)&U~VHA7_v90@|qkEpSa!vDl{n6IxO4Flb`R~Tz#rJwW*%qL*?_dAt z_msOUUu@(j_~1DZY*IJ3UY1AdQ9$J)ELyKs(y)3J{e5r!etRm=!aew_GE@vl)oga# zrtlVUnw@K(j=BXX(ehVym&OKuWmhxS3~)=QZ<$eSS8a zv%qG)U%B4wo`$zWJD}5`)BOsoq&XaFzkpy=ou!%ZMq{`xF`U+Ueh`PrZWxxvzmPp~ zpSpjV0C(j*c!k6DwY8_(J_t-~2 zx%ai?3ZV}84iUq#VnKqLyaY}bV~Sc5y$b|Dw{ne-;?_8 z4IV2i3#NZ$TX>3qYRzsb%T{iT3-2N)!#2p31b@1Eug)9{by_7);uNtw3M^ERJ_^Rh zXwtoh=N`X>4TbU41P_0`@Y!c~|2mAg*we9l%n9LOptMv~aeTs6+{E(cJCoBHlp2R) zKhjK)uiPZeeU-l6uIgE2vaUmKWvOS~eqYjhH}46YtP43NeZ11KvO&5W3h77L}IicO{6GxhlSPhr#7m0Ww>N{=|H;b7k25Jn@Q9F%Gr?l|HUiSs_7 z8&pXq>6#<8$VLNEm0~g!6G*J5DgmEEp_aeojQ?*}ZD8r^j1RE!Unyg0omqE1zTIB#FRkf-&9SIjf(|tu5_h%PsWd&;l1gP z6z+UFI3F&)Fk8PpQkQQq8gnmOG%4JS?hFc@2{+U z=PMO{8Rl3V!Bh{%c= zLVajJ;NXLnD+N3&vTQmldp3H)-CV_cMVf4TO*Nd`5-DRQDSI;F05Ie(2Kgp49%$sQ zvxV4v`uFvy)Uny$^~r{@YV9ZHzZW((A1*u8w^Z2$D^Ny$<$&-yAwh|Q>_g$tvsaJv zdgVJd_E85ODmBsLIwC`lf5%$E7Vif01z)CmW~3~gqJnN{p$5zA3=(4ZL7xXJ=17dm zh!*i=s$_b&tx2hru+JYa(!?H?o_BE2Nm=oI>BD>1B3nI4_p2Q>nixF@QRZ+b5!KQM z9^oA$2*!diw~sxJZ^1ZVwnx3lZ7{VVgM{jjW3`~w*OkR-#N6&$-3||4iOG&fG0**) zCwl=ci1Lb|hd%s>c-a>j9ky*A<;v(zsUHa>bO))b=r1_@r!@p@^GWGsSSS0Zu8%za z%t4&~)vz4N8eG# z-xBw}e^Z=Qg#&t8s$R|iS<7CUDbsQWW|b%kO%+1xR;}XBJ|ZlRK!>3p%~3>x&?KPZ zFE6T?<-0tn*eP909Y+(oV*^Z{H?}+KOZvfj4cd)W=doMQ=7*yk&eY%3%$3bZO1ag{ z1)B$x*cF67597nGe5U~83iizyC{WewG8u)FK_*QdBL561x@8YpdDpfao~-waF0N-j zH9ajd;g_ClWp15?nHC;COP!@7O~U4JoLfpkdNZC;QOrC@VOc}g!hA?20&v2DPyglF5d$r8s!vb=lr6yJ^e#dh1Z_vXY~2V zIPDMt8& z7Yh-N(xO@bikM{Jt_38;Lscbpd3fiV?>*xqAdaz4Wla9o_i=8IdLP0qYfJ>I+(ql0 znQ9o&OiEcM)t;ISkBN4K$w1UQ4Trre^kmZipm?>q*6MXoWK|lC%lqG*Jkzdx$IC=< zrYE3p|mxiY!p=j>11`gd{Op{V91-3r&jQFLsI1bz2DQr~avJDZ0A zp{X&({nL!B^^RTpBXLVw9w<8OQwD4kVgvGE#hPSM`S!$TnD?_DpzH& zHNgU_S@qU_n)Fog%|^ic7q$(Q`7u3;%{0UZRJlZ*8Dg?<>JKA@eJ5*iAqiiJjm6Kr zx=hD*P**;F*XsuGlw#8Xr$&!{cIv&OIY|!Hq<>(T2|RK13IB>=o*A2c8){wk^&D2P zhFVW8RFT38r%7bXezDImI#gH*1aW)J0`R4vkle|D#R}(Ux4@4=flWn?Sb_60=fm}b z^JMG`4}$iXrTjVWk)N*b#KzUcv{8lp;wV&6n`sa?n$qcxyhUNqCLujFVObj4`lDAd zwe2aNq(53q*^d@laMCV{@)QTnf(5&^-p~4-nZ=8U8Ehsi;oVKw^~VFY&Hr_+I=Wjg z93wyehaXAjo?R`cLpSoxH%GPdJ)+e=Ot{OXdKM#{Y(KChEWBo+H86$09;edBJ7pIL zHS*wusG5D-Ca73xuz4Bm*Q%W&nLaEz;p4gEgnDnQRvfcmG4FJurTW&M)Yc`V#d+GxX{n2&^UMAslbjOYs+cVxMq+^5*Z++u zD}CDupG8S;ELCn$s&bY78YCnWy9lL}vYHgEp=bTy=*b;8@J|n?@E@)JrC~gK=DP+iZe3F-!!qT_&lrO`pp+5?ra6T z^8GQUs!YSFGZeaE0VT$h0s+?|N|p+`ED!dE9PQuEFDL$YJ;^U6TKhVM)|oapTi6P^ z^`(0eL>ijoz~~RSD7%h|9XJI~xz>n?BvnyUXa2XXYltrVr-nB*eF7VLDJ4Ik+qP`N zKMia&H?i5|dionq;(VIzos=}t&Dr&7tyz~0H;0o0(ck4T7hJTzKE^-&)N=jGjlHsI z^?RAfETL+X2@E+T)Sr> zA?!d0NZ9!m6H?yA$+mJt!nM=ZRjbyE4j zh>NR?1a?sZW`vCGjl|BIaMO;J@)1PI3d%%0E2S&~kzrveQ#PTY5Mu}eU_e@l@mijA zRHHA~-ekC3&}|l40ZAoq`n#T$L=JrM9~|!0O?@G{C^+<$UvcXl)-jeaPI%jfLHJS3 z9KB?_bi^HR+j==<`~7{fG9Dtbv46 zCQ22BfrkCh%gs(6^{D9=ioR6_4}C6v874>dxuPT)?Bl&!7jtL!L@rK?ENt;S8P_z} zdx!LmT-j(A{V?bN51M{gb5Dlo#qx6>7OF|dh}|t$Y08syCz`=JB(LB%a3cs@wiy5R z`6!v=YLvr=^r(qI!a&qi<06_ZGSugoMaDG)rV5pPdAv{L6V=aNPxU92?teP-|Cgu; zJyQq%*Uf)0l6y`T&+R7SnHK&RAGzz)#G~3ZHK7glqEbCD3;dmper080!|^`Z?BV_- zN{|lMkb6`uY-1Xv*5;kSH@YV8$T>8*5lXYIuN|0K%SV?gFg{q=JL5lUArP;23fxSb zWT1zv6~H_}bj-11PLV^5q7+t|dlH}W){{%E z0}3RjG%zel?lQ+erMW6r^mwxOaZ~pnfXFs%zbk+FgS2VKsFH5>u9?Dx(FcD8>XTn$ z>7JD@WdmK|%ZVEo`!Whs@xP-y8!8yaVRu=+ctb!{V@;`(1=GJK_yM_x1DKOTX}ZDF zO{H;}SaT*%vgVc?-IYxuz8>pkAL0#Myv3nlFEVwUZugtH^;Y^G*t0c4OVeS2LTW^Y z6p+Gr;;{iuGM-VO+z0|cBw^QUEI@Vr(p33*i7^O)QFCEY z&P6E|6=Q?tNb+|q>95Xq>#s0^e0DL3y{hWv+VgV^u^=?)$cHdvKO%B5fRZU zX=G#b-89WIrtYtwuk)5AZ{=9g---;&!&*d?>W3Y7#SOY!hu+P@Ybn_`LGTavFyO@OvpeVWXX4t3{JHg|jvQ32g zOABuN55LMpnfhu`^a)HLyEW!6n!a|GV<($R!4a3y1@Lv$bCI1h5yw85r#+)JwN#ys zwpttx4p26vk&Xre)id+8=ccnzJQY*&Zy4?qLr~rVgx(gH&7Q=Jzj(d7xWo0ty-loJ zg`g;pX|pK4L@ZvUr9)7J?ow3}_)4jN-d0ym;02#n^P7~cwQ}>N#vk63qw{V!4;hB4 z)xGmYS(UL9!QMpIDkx9@v~;ICciqf?GHcf-E%@#1G`z|ZTkqz|&eo21#iv)jU0W~2 z&8TiHsWWd3Wvhok^z@cy-*%*eKnUxMW7zR{Y-+Zf85DAAiJ{xe6(xs|S<6rO*!fqp z3%1PF0p2OZf>lDn8d2C^p?CO>@hL{_Mev-5 z!BEXTokl8ng=VIZ(rP^Fxg>TaLF%qnXNTP?KN%ZuLIGlH={Zqp6MN7XQ^WcO#8>m%{YsE z_@>UwE?6YoJr~;4!rWk#OFV<&-(fY6tZfP$V-TBeU*O5C z6N^v#Meb{SRf(oR|2!!5+*r_^TW{;ywA81~+)^Z@(IkB3o#9c#Y0T+tyZ-XiYuYLx z&*GGn-W+;TaL!6{BT3`@nsyVJrmmrV z3CmYHMJbuFe6#o=)OM>tMZMTO0ZP)>?OFAFOh$nP8wND2MrPt$7k~3ThRRF>Svh|_ zc^iB`?bm?*N?v|wXj4R%%g2U{;=*2@plmxq&t|&u9h#{8vjs-R+Ex#TZti;8u?{UgHbz+p(_ zf^GoV9#w$$16?^FVu+aVPmEvO0&)z`%=#zpDZh+qxdq7njGhr@dU_wF=utDTlRfL!XHEUd5o+$26=GShAF*&G0^RIs=)*KWR$bJ{BM zdGM9OgWpbyY1Y|a0Qp>&XUY%HN=}mjLO0{U_WW622cz4KY8NR=l_7cnVcW#04`pX>=+>pSI zx+8*3|3L&Z|DTEA9laas32nZCXxli~&rdAps_ee~(1QHs`Mxl>rZGcKrRpmm9s{Xw zX!;)VFYHjty7kd|gHO^dBY6hjhf1C$bkmVEkLWSyqZPE!z!B_ z_fK}y=HJ&M12(bkskP%<3l=}|y?4zI*yP(Dqw2p3{*3q`J)ARdQM*dN_n9eZ2lJ<^ z`WswKZ3Rt|5kYd7e}r`2`C4>Rx(y<6imVKDBu?%B`#II;ONu#HPWuZv=QVrN=R38@ z=B`YpjCRe_uIjkvEe16DDiUf(-cui+mrkdhUsk8jh8eM@s$IrOlPfXC71M<~0T`ls zfq*MH*eQjo#fFvR($;^G#r$7l+y8!1IjRrwR`T_0-|;xJm&*cryJhWl-Na<|mFS{J z;>MQAlzv4RlhO=^P^S8|Gbx8ec)IgPC%LECnWg*em0CLCcrY2zU2f3B1ag`m@9Ujg z#tKyCSzq>i@h(716b`^5-_&%mkf{W69xa_*Cj@S!*)U<&8OH*{VecYR#1B^o-o$m->9qn;i;y22?AM>cY1ln6@4ZW;0uatlLpjkrp z$=xHHR}|)%warsexPTa%A~rfTba}z$w!0CL&^rD6`BxQG?Dth8I;_X}MTr12|D4r% aUI3p(-~Ey3KiH)I1UUZhE(*Mz{XYO7V_RbY diff --git a/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_9.jpg b/src/windows/leash/htmlhelp/Images/Kerberos_auth_serv_fig_9.jpg deleted file mode 100644 index c6a8e55ea34d5010b68f1d9c563a262eed12aab6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24615 zcmd?RWmp{Dwk_NQ5+Fc;ppCl(3pAQW65L53!L^%o;~Lx&+}$;J2u|Y-A-Fa0;ts(= zfChp)T;8+yxyR49_degff9|4sJw?}3Rg0=Q=bCejvACPL`vD+QmRFJoU|?VX-0yz? zck=)l0Oo@Se{S~;>wbHP^Y9@S*2Blx*pG1VALHZWJ;uW$c=D8p;0f^)JUk+DB4QF! zGBPrJLJCT9Qp%^KWTbyy1OxN_9IS`94|rm^sGfR{v)D)IN$SAU(EnKvLtB z*Ks!oz{kY6A3r8BKnieMlE?IbiGk_=PWQX=4nV09OjcIG#f)S7WSwtA-dsWjJG zuznCJ=i^28Xvme#e+u^OO;rCH?2)Nhs#h#RfgaID|MCv-=#_YAC{F0dzoq+l*kqZB7``~w8Sr;7LGQ0_aTxy<*&A=~U_dQX}HL1@PDYX9zZ zL8WEd?UVvNsk{Qc&Qpt`^x9$cODG|}25juwD{9Qwt_!p{@P7Z;Yu39wzS?Rq1`c!b zD-xZFmZpRd1=8ugkf+T`%6$aA!0x+fJ6}$0!#i%vyUzGnsWP#7+G?N8)!MkyeCeA* zlVf)sqjRX!IC*3B4LWC|7qb)2oed`D(Gos0OJyn~4We$tmwwu#zEG7ag*E5IfbyGX z!@DAGzHB@5JR5Yp1GJqWo$mmJ1#BWk2a?f@myd0+Zvd%mkWCiTjuBWMB zJU@1Da(h-hSze1uH+yv$Ulo5tBDzSR&Wz(CCPd8a#LVM?)`vswrnNgjVvJDSamC{P zq3%GelHJKtmXC&X8IzXUXjo|LbKd-ZiU-5n)feM^8Srgus`oU)O!ngu>(rEPTo{b9XwcPXz#R$BjU>Ka50 z$1GHu$isY#($!Tv5E!#g&;0Wau;#0I%{O)%acK9Tl}{^Y?&O<$#pzn`&eo;3lMnJx z!ld7LP3Pq6MT})NOsayT#vLtNr#inFY#N@ZNose^kD~$vJ9U^|lUViz@ZSM!Qu)yG zJKJ}F#hqoI-rGCC)b7Y_ihA4h{;_MdvD5edgp%-?l8p~GlWEemZ%>tDur!D5hDeDG zv0o&hY|t{KAmG7lrr!6N4|0z*>6Hpc{dDYdI5LL7^dT)4m z0sP|07PD)m?xmI#W8iy=wAtAnBAoZh3UG)+Xewoa!-ItJ+DlKEfbz+D_6Ab3we*53 zup4$00(+Vcfx(TG7#Vt7kr2lt+)F68iMl;pT1f^Oqu04F;!AyA z#nv~uN%1iK?kpWxCwg*+T0yWeVpJa|Y(Dv^d;e@sj4!QjQXfigG&iefgV&@)g;9I4 z`Kh4x4}UXIg&nu50G<@X9&Z=w+6yeTZ?ujj`>L~nrvp``ah+gS>!NeR0}|_cu`Y9R z9rQ=EM{(YA3s(!jXB8n9|D`MQE~St~a%Rbr$pp{7q{uL&+Ub>v*sr=WxeS(FGMmUp zpz+jm$U3x|MjpMYiWV1507nFMlRgP*m^geAQ)x?iz8M^BPiw+z3}))&=oN%AR97Jp zB>W=W!@DE@LaQ4sIAn5p6>hE7cF3N42))YbgsochBr{85I`He?bR;C#sSkK(m zl^rMSQ@8?vQv$3}Tm)sQG*;R(sN!P(7-VdO;jujc+k<%_s& z@R+tkDV@BVeDb{1{r|1y8^B%H8n8 zn{_L8rt&T&ZstGxG3{p`4JFb6+W^BnsJgnSKc$uIo#n7KL?YcGmA^vTaa6 zoajs=KkHhQ5p~S+;1%z1~=2Px1htPUfknU7gnsjWHZQZ>!L zlIpa+lr}HN)u{~_5St3yNZRQiNmvHZ`f?GHmJRO%pOgGnMeTQ9UA?GgYINOb)Jw*_ z1H{`-MSr~y(M5345W`U4w%BIk5y4}Fvmm!%K5dL2!BXm7KKYNzpN=Pi2QPzKH+wEn z+PsQfn-b)8p$PM=yz;n@J)X|=_=b_L%%O{!N?9QxPvMRZjd`E`sK3m9HF~m}Pfzpv zkD;~F_0nE*-S?C~BhAT$DO@2iwvDvKrklOuSYl!fVxoVrgGplC`hA>3INx}P7tN+$ zG~F&$4lE@H(yMrh=uhk@pod0^XD^tTyy=HB@W|%%Usq=y|K#QdgP-Yk z2g6C#2ToIq@s^#Y$NB5CRz2qCC$lOC+%@RjMaZh$Z-Z=3g;%t411h6L=YWs9@=4W) z;gm>F4sVy~9vZ#QySJM$dt{$gb#}rn4^{ncW&?M{?ovn`Ai>O()7=0*%CgqhHB=-_ z=91ER12fy(pv$fF=5b%v`Tn!&!}GH?EEIl}GtgSZb4ZI5H*%e_Fg1|H3C8yt7?sro zc|V)7(jZqYOy#iyvzhNQv_9UQnK=~D1*SDeWEO%mBbnBj*w&ePY*488!)r&{uDx8^ z;HAk5C8^}NOr6>>F9YpaQ>vd@&IgjttJvVm=wezMa`|sMT==zYflivjl0a^Jrl$vb zBRgyY9*ceFj;BssLph;@?6%0H###bE%{h(QK<$2AZ#l8@p$z_*RGAx8l;#2K(pTSZ zSju(t(9J<(Xg z&rf}MS~Op6NZ4h6KO4>3Hkg)_y(XSnpR`=Fd>AHcOZKyzHmocyWDA>bhKkL3d$^n4 zF2HoiBc$&#skK)J5z%W4*5;$t;#WS!26A-sC>3%PI2CB)3@f&Z;pXFBBsH3C@4W2v zmipDGCL-}wE;N0qH8Wj>;@A2ixjlZ3;&mEggs~BvGTDdpG0|CG^es83*U0s63lGLG zeYh5`v`^=Hu#UUx3xPErNqizY+vZ^gx$;tP`@SJj3|pMznnD=<S*?9|C)D43k3T5ycyP*X*)KvU8Fs;_@}w)G}WHO=LL-;agzVLL}7n~|07 z8+vk?D8iy-3Z9hqKO*h`3F_I(L;BUuXS}hUM6T>kye$b$VC2@Iz_}HD>TkRJ6h3P( zfzB)srtf#XKA=%1vprH?Kv(#Yo12*#oXOS6M@a5J1_W}qq@!<@TI}`|;WQPqiRGLV zFD{pOyU+b+kP(x~6Q(CSsP0ap5pEyKz^LygHKlu!3WutqedUwiA+_HdK(C@oQv7;A zKs*{LGW{rzypK4|nc1aA&vEjdlk(|b=i=@I?f_EXZS|UNTe7umhP)T<0QNc?_A1hZ zg{>LoRxbIcu+4GwbsVu|W))$8PXuS;L_>=_lren3{5d#UIjdCH6QNUi!%&k50|jdRi@5iKIGQ z6#qa^lFi)l{+R-KWkLpHvPFNJ{FD_(p4Fbs?XV0r5YO)?-LmV3YlGKu`9+TNCWT~8ip-;Ck%Bam%&MzTLzfWBubMegn@g=Kpjq*pIfm^*(HIV6uO z^5E0zH2NmQ+GCadYWkxz^&2d8IeiP!UBe}g)Wx6yCf7^%?berHntKClZ)BvNz=6?K zL zhnq|ict2}gQzwz7U5mEmul70S9*=cw)SSN{_B*s3@7F8U=Jnkeql7%^+LN1(cVl<+ z5rdf!$Q;oTOgL@q!p**3v3|Cn!4t#eLIm2LS@ftp`aZme=H^~kAJ!=P{9jcOe@pR; za@9B?L^YOYYk13#Y7$so_nwx(fNU9b-d8vZjJkCgVq#)yJPa6iUHioxt@--BcAirP z7^#&z+LSUz zNT$qhxH;gtU|c_YK1T=*QD7D$9+5xZ++S;S?%ol?iwymc-gn=S^9?28Ih9S?J&k@+ zHP=onQxxuNab2IvbicAKsu|bYW>9}Iv)OQ}_tnp&)m!{n01{vWL_a5YikA@}!fDTp z43*XEpUtjbldxvugF4KXUKg$9l<3-xl01!}#`4YWl%=8V(NHYTs9iwzIRQmFV}pf3{CHTvhmdf;|<0K-@udXH!@8`ZNz$em=(&{X%GMb)foUWF1xh?ICB`%y zEYo3mStjmv^oZ`%NlSEhT4nui-L3wHZ+B?BSmdYB2NX}^6(}6zS3VJC`tR|Fk-h;( z4Dv+Rmq#?U?3OpftTePJ^ciCeyUdv#(h*3-ag%rv*l|%R3uO-o9?ub&wj@w3&YYXz zN@2gcz;MJKq<37FOycfWYH&!_5(KaJv+(z>yAG!6Z6hFc?)A0kFK`n{_k2@@D<0V@ zT5>)@_QS$Gx-x1r+B+KYgvjLxPXMVRq5bKzD=4NC>(v?K&fawcUP&&xi7KruIt!t9 zf_N*XLmQj=hVR=q+F}AjwDJMQE>?3pJ z!_0zMRN#Z>aAqcAawk`Knfr)-U&PFUu+<%avvG4<_WzF^wMCWESBs`*?+Wq_^{DphW3h@mgZIfKl1s&lr>G{8js#= zmcKg--4kF?X!9U-SVS9>>g~1*5lkw*zKzm1cv|yx)Bg_8F;hj^0Djm0EefHS^X_1FzzOfyQ+ou^p4k(5MZp0}5>XjxLG3xWMjZ ze{#R~;w4vpA+=FwtaKU@rI16hREUN3#&A{CW!~^Q-@`aq^3$hGj2wN6N>_M@tIv&0 zzfVJ|?9T51%oim3*;6Z(?VpBqE2L5oh3RcjDn|S&ea~6bdI206)5j)pDbu?!z>A6v zlJaSd$>qM8S?;x#wMHAt?@8Mxg_Nt?gFpmmP}?myQu`UIL$!4Zm@ z-2r-B&K6$W0pu=vb|cRQ?*KoKeO;AW>6R8-C0m^x(rpddVlp-zUp9b?c=dL_b+ zoMRUp<=d&nL@H^FZ)3;%gfthF_<4`_Huo~n3H)1bEAUOPm+Z^8`wW)TAlK)!XwoX3 z+22}9LQ<*h(bRF2qH5~SkDMvZ?ScmRpAQmv7_uIx3pD28(6T!gx9(JJY{^MDdK8!5 zhpizVYa(Tb5!@3e3XYBFmu?Rj+$bEGC?FmiS$mYobop-bjgKYbC+uk%@E)zGpJ10c zc0dFEgN3XwnP%{}(&c^;0T&a3jE!$j0azaoJvBwJ$U4~KP{0|L zYS5vk*WS?SdnRi-JH2qV%si$q|1<@y^k?j$2a`72B5C17x8nV1kq?p4E3U1+xxNwI zEax~u3(>o#$uAufrL0qZ5e|>o&Bz@Wg|36Vi!iBO%f@s|A+^qOg5~Y0M2Kn%gclMl zHOq9exS4&$>L@EGa_#5)ZrN?6$tBHN^%mA-0&Bekuxr&T1oYf=GO`FDA1T9c(wLnd z#ea#2b#X_76N5;!y)OFi03lJ-cYr3p8^SvP*X{hxz8Y+$(OiKe^yB9S0&2`QC^SE( z=TFPmAA-hZzApuXsx+_y+B=_DQ|Lh*`Q6r)au(I|@OzK6r`HJonA;yQ=OaCS%A90SD){{t#KPNvRT36nNgrHB|-J6PV0O%lw?p z^kXGeH>6hcc`EX^^a#2*Ny`5BY23H<{Qk{48)F3!z8Zmd(-d*rTfK##A2r-#9n!M0 ztUz2`DKl5U4-{B>F^AOWI@fh=c9$b1w+FYW*Cx|zr+%wu*5f<W$Z@-AFkY-mSN}Zq(-A4`|GuWq0p1(hEYL*|`4F z_;T?m@|E;W=DXqu_K+It(Agk&4g`O!KzV>s&)o~s9%6`>5aoFFVQ5*Pa^Rp3|@w ztH-zi!u@kx+nSt>I4bNXMLcgX9Jh<2%t*=cd>{#qlvH+S#92pLek!a|MU61lLKwQ# z7uwzsZ``D1%(|xNP$U*-_Pp&|D{uFsw_~U_p0uP=EQ(AERmCxy37Wlc=dLbuf0=jm zBBjvQ?@Lwvv{YxE#y>Eha?30C_lvp3-DJ0>h0b_MIaG_vOLUk%zI58&aD01|I_Qp$ zQv4IxbV0vEP~QWav5o%*5+^y7>IkG$J;c~ezAjw%=H92A#&^XQqJ8!W6HL<8K~yc8 z(7?N{uCcq1Ua%9gmQ$~NxAG{O^3z9*ZynqVpl8@IhYf<)S@g8<-I4e{o!+cSd6);C zo>T2-jyzD6`rfXUNIFK+@>bFY5HosA?onu*#b{($%arV2Cel|*3oZ86ANoi}n&1cL zV!0Pyx{sMvt>&;dqQa#sw6PIVPgXeE2zDoLCg?m{e2oGa3n6Qi9~6UCVQ!4n4$}|Q z)>5e7-2no8-i(0#6i(!*FPCyB_ie>gGKS|ajj0w+_+9cig~h)~D&UraYwZbe*5UTb zmj2SQ1=t=;p>nhNTtuoOWyZYOgg`CY=#q!{K8pUWo^|;atHJy*VgNDBj2w2~R?-rf zMc$_crDdT1cNQSm*+ww{U1+A{zEeJDs}7* zU``#VJAEk_6~36kub;6SIWSW-CgCRK=Ds^9*h9#UPXg-dG2u7nINqSBwRT?|G#J>q z2)_e}gbhq2M>XH{N$8qmW72h?)%p?|xY4^Kh?+7BFJAcyYvy8`dI_6J!pUBf#Q*Q4 zkHL*rGJ7*Jx;2cw*siwRDp)z~xn90mY9K7|9>q)x4Vp>)_#Ji6rF_p9w{J9@;jfIC zf%-@9goiT>z5ZwjIl;|J@Ae(ub9wI&w<>9L{uFbE+v%g>JFv(2p1G6mP!0wQ(XP7% zJh;@5-D+wFbwGN;<_d8D(%~2tVmL>xK3IKu!kEa*@wwKvBm1Ug4Rj36t`&hmpCxw( zcPr^Fm{&drwJGHZi>^O0>iQmZGdr<;&s9ES8?0Hc7hjCh(5gP1Hr<|$+yV4aeq@AL ztU=&FUP_`^dDS(_*g-DQmN&Y)cHpQ!0Y~c>sMm&bWnJUQ8H#5!1ABWsR^xbxMr2s6 zBR?+6RGJq+qK2QHRjf76A3s&eea17JwrkRF$i^jt20u?6Cjo&HszMQXIQPKw{RhXj zuH5>*xUycYes`;%NShTHd0$+ygW_e_|17SU#RwK6LqoIr7nk1r8KEg?em5B#osS+4 zH|faD)n0*v*|9xop!(^F7owjVY(m?Van_umjJ`C3!DleyGYFdvs!NDi=S!TtwO*!g zcja1*Zs}x=?#^qhSc4LdLDJ8=Xlck^*YeVE!PHMq7?U-b!+xjJj=ExSD_Ob|f@NHAH{$BC8tzr^+4>moX{xpsE4gPaP}n8k!nV+HaIvz-e5c zKGf+jz;WOGZ|D0T zU99N`FQ(@N{`|4}%>>`+G9JoXg{x#Z7`)qS<|qsU0{maDvpn#6F?@zL8d8wBxC3Bn zdIyatS4fFO1&btBK>eY7n*8L>mZd@wBse`?M|k}dGN8cK)_=oqb&+$;{U`j^SFqw= zsOtd!W#F}5M#H-D9iX^8N{P_Am=KX^%75Jd{HnU&m;;3`m%0&{u_RrN#mc^+mc#s| zJ}0>pKGs>^sTr*gz~JPTv2PW{0*f>lxIR-9E#p4B`d z)`4dA@nx;2^4sA?A~$~+N5+_6Vo>LJcxCfmPI7vY6us6#R0ivUV`E&(_=)GqzF={? z=exB%LY4}?UQ=R{c*Xqq#~S?Ob*n=LcAaaRtx&7rh!y^OkT~7L7AFzPZhRyEoGBUd zC~hqr7!^1p>aokEd|h{xh95N2BW#l*-M10Wr!l!RU%-#ex}_7-bnl*0w2`6FO04lO z-S<_lW6EVThuXRk&IeGwG|^Tu0XIV|^D5}z$>x`;0C1!!Bc%iJ$GWV)=0!T-3j2)GZrZ$FROi9WuVqMNh~%YexI30_$bG6dcRzS_AhurFiCZ z)e#b)cei`~c%t!WIkZ8-n&%@*=b}YjyP(!iXYbW^Cxa;EDFwt%HmeB^xAV!0Rc6Zj zJ0_<}i+hDfDRpst-3a}4fk#W^s zUVn$sLrH?Kw{emECt5~gp~(0SpwOB!Fv~?=)_Cd)XTO9-g|0IOGvd73NGLFyoqY&D zDvlE#nV1qB5VetAE+*HoYi0FP9XYKLJdPl2mkJHEhFDA3D)tO(nO@QJszaHN9gdY5z6-_#p{D#D7JEJ5 z(CWl|{1g7_rCw-3u6C}jSpL^PgdCrTgoLtCvW7IaQwDVLOY*W&VoJ8I683pSo`5XJ#Uj3o_R24vDrV<$3&a*<6FO8WP>o|mC&8aY!4c2Qp*gI76(*Fs6lS&TF&t@E18jfIg9so z?SH_C?~{<`pY}h|*6C_5#PC~<%M<#|-}4uS?Q#F;`aY~Rvkm3aej1Z{?wm}oO%cl~ zqQPpNEp?%Iq(`s3yL1O&jV!@R-Z$Eso;ZHi!78{&nHn+vU|T%SfqSo%K1)2T-nXc_ z=uIbt?MAf5%Vmpe4(3-E*V|1T*E`vj&RJ9rLK0DSc9P82w$ZJ9$jPY2KXXd+x}iHY z;W97NuUVU&&CJ<~7G{nOrVM1nPF9Z#fxowSm3sT?P}2TZWP`8chVNG!+Yhd>6S130 zgU#@LJ5jrDImNx~^KHzN*GYRqe)^TEry1nX%hd?>=q{DFL#;C~oDw-k`Tb6!!0P*? zlZ~)lI5QMPf7^aKUf?#_pb^+4`_^<9qL1)?}O9_-QXv%fqvEM{lOROa$gtvBvNO=0Hm>C1wNGO-9+|DY zz`Yn~nB@`6@Vyuajo$qyF%Zi4Z?;HJHa<=bvB;9RUIYJI$puD8Yx9_3oEi{BluCrG z#zWk<-{@ceJTd=g+J*oAJO9dWTYeea(4tcN-wS(m%d4Up`xIql=u1u6eHKH660lpa zI@O79O4@;A$p7VLuUGMAlohqBl`ly~K=_3>|KPS#Wb=1cR%c%72HK#m*;MlfxR|lA zxab}5aj^Sky}I(RhX!l;GrsP9wtyeI3;zXv&5?sZhpKgw{|fWahzvfsOzKa%DAE%k8L z->!Ul*r`6gwUye>H68DjysLa#xn4m+mT^j(s%#mSmexNbs}~e_pF3j#0FPYyL;eI( z49j%Z*fGOLyhZFfQ*yPBg-RqsZ><=GgXLXeu}1eLQd-tI+sb^(nO?VGcwMky5o4_z z`OWSf;IvJJ;ZQ14a3Q-echzQl##%SiS37pBn1?c)YHiRv?X3<4p%z&;Z~QsK`I z-n$j`t^Rt`W%XP?dC{Uq-lK}rP*?F_1K<*^?F)@%%@3@EB#ABe0f&(gJiv_3mH z!;aUXSgXPb>t}h>|1kK7RXirz(ZHs0>vEHgza46sp$6vxX2z)IKHZuqs=x$CX6X|# zdni8Q#5ce8D>m%VMQtK#+M)2_A)0AP!)!&%EX*6AAR6ToPCD~hm6~_}SrM~+j)>a7a8AV@ zG7e2&e|#X40cAN5%j?ez6v@e>jW~)iPz4Dx3e}3{r!e!*?orL_-Uja z^fG;8<}BD8T@Pm-&S0YhAaA_nn<5s37NQA-w84#Kk=Xh}mL{L#1?+HqTIXkPclQb@ zG90LGMMmg}j5SJI*FMiYPxr2^o{93~GK3XU4;mH4&v$r-^{M;lE;bQUn61Tcf~d6e z)pS-;P&^-e-rdfr7q5Jpu2?PXxAS6~)*_9IDCf9Awg+U{&f!v4sv zk4mB2$~{&c>$aQ7aRgVJF}K*$sLnLWY^>n2Sj_mn^yGKoKXs(Q@TC~kJ})gPJzsm% z`|BHM&>ZWz%c0W>XSDRrcqJ#b0=~11rfa;;@yHw`)OXor`D=AF0&F?Vb*0eSkpR*fA1yBJo1Z>HOiun3*5 z9|2@myD10>r0|lIrrzbzcT7Bx3pval&MOs`LL-7OP4?xfafCU4UJ`H6!VMUP{+_ls zKYa5_ih_zf`sGL2o9>?!3<6KELpB>ssTDe~SL!2>@5OD1-;S8%t1F8rL$}BR zV#XPdnPEg`8KVJH+tcVF7aGE8XfVexyL^{~rW!E|qRb4+p(8{EBRtkb?`1+7K~2guNCGWfUZ zH_LtbD-1huA5}mgkQYc`*Vp8T{d8aPUUENw2M~Hy%!KmeyGXclEAR`jy#u5d-?Ie* zes;$(zir!&-cmVn_a5E>(xe(Z70!j1FTVa=XOkfPVk&HB8Dbl_Z@GxxcnUi-?k7Gz z4OwomRDMwPMD-fn%K-*?Ioxi~>es&A>Bb_CeBH&3K`DaIG}H+a`Mm;LPPy*CL5@ka z*WbfSTK{Gw=CJWNnACrLoIs2mdf|u4nQvvjrnbMHl=|0y<>&wYTs+C0oSBp51Vqqe zo8aiZ>H%zAAuY;Bh_3bHqd`3%+}qpS)}VMp;dp{Oqos0a+_X-Z5knAn!l$`))HvwS zuX)0I(<)_L)-tl3M**>>Xz9#HXn{V} zCv?LCPMG(CB1_+lRRyDQalfL8gC!6b@|$*H#M@N_oxBHgFp%=S_0w0{s9i24X6$L| zL-b8lP6!X&?%*{#gBX4=FX{DeDC>2e_V2?E)z`SdV-6cRZrPitWn@5xni2 z(H|vHm&TLpVe5B;rr*py4?|f4cZa8NhX*xwx>=lRYaAK*v8xfHCo2%9IJMi$Tg$A~ z1FDR)PLR=(M{?8D7i+1fSJ_u}Y85}kHLPh9Lhy71p!FLDlqi9?F!>)uLmUZ2U=atp zMWw}0&0?q3%cSHR2TSa>t>s$5jgxI|QtCyo(Q4t33x2$b@J4!$wM32QU)s)RAWdjI16E@uGc^N{hLcU^g+mnac(@7&$pH-J(6V71`R7 z8Mj-dj&ow+pmyTon&haUIm1w|ye~~o%np!Zak5+Az|Tv8``o@%)Y3$IZ~Cl46?V_f z!#aaIja%Kis4*h7zjR`aMujI8;DH3y=2T9;rhMgHJC=WncSc_xQcYMORH_$|YQZ)F z-C8|-KR;0_y`ug5}G56rg7hh<5bF^V=8CuB1yq4e!1J3Z?)gkKJE@i*z3~+HVC@3>*w*PqI zU-0I?cTX?6|2Fp`g$&WZA3Aq0A~#9Bo#gIh8HbMKnBlB*k$+}qXXh*|0PxIY{SzCb zyE~#kXbK{`wI@j`;h|2tiuJ7Od-6ykXeJ|$-A-?IJ_m08G(v2?g;mCELBY0j6QOTB z{8~swj~lmrXhtFXlejihGUp2zr0)(aH!4mgC4onTSPLm_n4l z)a#YJCr{Sc3$%vj?2OjM@H5JMGv6%z@$azEfBIEh#7Kj+;W|svRb>WW#?5OK5(uqx z%qbOAGrQn`I(mS`RY6V%u__b_`*Y*RHctYg;-fKvk6r)^y@a0#J0(x-p}NHnDcA+O zIwT6?`ugYN+5KEzgo0=jZe)&lx!?)Q#Iyp32xUQGjxis}fxXu_(%wlQqz3{3D7N;1Rl|LRXENkmz7V=D5HWn`~p`R~wtZT0zMzh3%H zy(g?PLsI~xG)vmi1-JpNhEc<>HHaM?P~0+eoRq3Y=Zx@Et%00|b1%hZr#I_IbM<`8 zX~As4-wbzfmcMfEN&nU(w=`p9VtN`G7?@LqlxqHTE93Y04v^fiyR3I2wInr8A8~o@ zJ94ec)>0mI{=UU{5Qn5UyEOn6vfH;P0o3${_*9Z$>@jO`R(0_7j1Fqo0zfIjoqaa=1X|# zIGMpz)E&S=Lic`|ly?Kq5+|THTQ)E)D?pW*_zEd9vVDynMoYdS#_yVGmv9 zs9NyJ*16B*p2|N$vrP_I23;Kxx4=64u7%yVN3P)}KAn}vCYg3KBi?Pd_6nQk8Kb+q z^W!`7UtBl8929|`H{dS_Jm&p--dF8EDz*H3C)$6b>6DZILwxk>g^c-}!`!f}KyUdV zf!EXyQI_BRTB=`0cc&(tTj_?*{Z+P& z;xrDbLL1!4@>IJt1+-nbs0@F{%e0)u`DJu-ium{%+QnP&v?0r`7Fe_!nQT)F5XnfU zGjo$A=XKG{)rFn0Oze6Q25&RDK?CbCR1-dO}GB? zxZF#541z3~O57(PBU5>}u}ERjt=GTOAmPUoRW9hV*`&aZH7du6#5a{^L9?i%QN!0r zq~n>1VbL+c*U6C`(NcpA6(ePg>GHRH+9L3qH}RIMks((z7iXt%ZJRikTyoB+^ZeeK zNv4^@7wY4I-Sd1hl&9&D{6al%*WX)A!yTcv0! zqE^dY?F0cbIGzmtd+tu)+iX`T<@bo(#yF6aHg929nPw?5NHDk}f}`8xWV3Il>gNZZ zV(t8#Dl!i9LqA3qcK%N^rZUD8H312Dzt{0mw_WJ6Z?6uQ5NmkNi$(#=1i*Uyk875K z_v^|9M3IL#eZI-AFgH7s1oE{-y?QUpeMAJm(BONY`royOhH-D+AGsz(mFpY+915Nq zm_(B9$R!QFjVz-PXi?Z|98lGm&DesY#SuhdPCWB%8xnrR4dxC&E@)(Y5LLrQtE=K_ z=~&m83=w~v?|i1+0$601@X6jao2{xQvaMpr^I1|1uf?SB=w$Ii6%o42mfFm`ze9v3 z)9d*quhE6;*;-6P^M(8Pp#F67)&_b<568YcqE9WV>OhSqQwiv>e@yJddPd<(doN&9 z{ATQ-tJIL`Tj=y}eC_`i8OOc1>n#ytBz?aC_Zi@>u~f_7aC>P|vP4YOI0P#p8wllb~}bM!JtIF2AO z{BFyf2{w7=4B6&0hpk?Gqrfd!acZ5HLFiYhu{xmlzKi~Ji&~sTim(g~R*^Iirgc&l zIUM9zM$skx+zKJ*egUF}WICV2bnUVBsVkmN=nWv{RFin5Paj9@>Qr^=vLkThS8$-8 zokcUo?JKk>$jyG>_B9_nHCK!_*`>{$)H+Qc)d_iH#jV=TmyH`-aK|Z2vy+C9@IM#r zSy$V?QpInjh(0=vOPFJvUL8PP;Mz(6a(-X&$nI8&kvTLT)IQ__No`f1Ze%rXWF@K> z{w$XPB@Ha}b!y>de(|6hA6`9-eUlGUT(T@Sg@v;-GQmV(8~s83vr|8P9AlOf)$Rbh zdJA20&n$jFJLS@6s2{3Mh!te|p{h$SM>9FN+VYpMkWW@-_;j5W^s43*$rWW-M zZ}p4Aeox%WaJyV^c86bUtWy>2n%zdD2&sFw3EL3J5QL993bm8@>qjR@%xqU^pI@kG z5N%E1IF4@&=jGS1b)`^OqV=XaN&#u+-RfpqGZP z=7W6=eVU3dmbG01hY4x`Ehhsh%=7Bmb&8B&yRMglx zE}xbAX`fDTLA<&Kopv;8Yx>oo+`sn;2n37Mtr4p61BplfF~segA*+E_m|e_D^nNmRyV~>cU#V;YSV-#7IV?Z&57wOm3^UBc0ij zh_#sZ#0PJQOI?paTGvwpv*bjl#hB!3GHog+(zqVA@yWP6^!0CXk!NP9qoYwr!%0V8 zTKZGo4HH~7?m70wE6eoP(UL7l$(&T~kstNkICZ0tDpmk$c=gdM5hjhkQy63=Yw@#q zVbEdlMfDme-8CTd`@H|X0?Vk)%D%Ir`q^^{Ky4FQ7zTRlR3W{-9?zY5q4zcW7ta zT2H_JXR!n*wlH)_V5QJs6X3xlywbIRo$b3cAdgeXZ0n&ZW)M=FAeezJelY@`wrArj z-=Th}R;(|f(@X6avlfjukrY#lZb?->PRp4Je*AnX`?=dnDwQZ^>D4K{?}s*loeP_; zW;v8PuOV{P_1T$CJ60T40Cq9Ax$Sl;-iZfrv1v2d7q~oo{6RmaTegb&(b-Of;1898Ew%7fZrlg*OFcuwS}LRPlezlGiqYWLYV2Pg(Gv7G!dGTy zOp^WJcC^PI^g5~diK+5(cCJjjU%abms=QyF@F6tx>%Ac4fA-%W{=)?VN)sw@B_Gagy4=g>OgVL8MP9<&P*M8hdzA>(@RRIre`0y2cqBi#-}#WZ5rTuG_x}Xuf%NFY}S0va;Nh(&|EC%3Cu~7^RNg(o6hWKRTr0@7{pln zChDUZ;hW3*RfJ17x^2iLp#$P|?~riuH}SLl3D8o5N=N|@ln+R&`^bR5%Sn-$#SYD6 zXHqX^@1{3ZazG2AE$VV>uoda^ELRn3snFmr9E+tU{`JApGSyZOaw0eKO+)fom12t|4G1j9J0%N zks$2*VpzAag|{k%S@^oQ4E@4JV3iyGY$W+{P1M&aoXjo)ZI4hz+4jo}yf#VH-tf>t z>499ZCA>0mvfhwj=5z1dg<+sj<^XlFe(j?Xnx9hj*9op@?vX)fbe*X6uPoP1JKyZ2 zITR!V8dWWMFYDYXlkXpGxqk-a#RXEx3J9m(AT+*fnnLspDqIX1>%Jhi$?tGezJM z`}h~@ro|Xov`(bs`Dhs-13o{>sWxGR)P_l*XJjTdYj6t=bF&EdBhxMWU$vZ9JRAJK z$0?6$YgD!No>e1=5wlP2wpMw>UO_?;Ma8C1?JblhW`|J?HDb?dY(a;Sn6-=8Gb(y= zajwqmb*}#BT>h@V7r)p0vs&6gX#n35r>fg^t9QRu*_8Jw1r{(UUNfDqRp=KDs@l>x zK3PYub5)$xD%{5`bp<+_H$$UY4R1#kbZkt1>$Jiz#Azm&F?Vbcj2bX!9iy>#DxJHK zwRS$w(~RyJE#90$mJ5iw37AR-2Xii;p6#kY?N;Aab zq*Fq{=D~1p&1SwtOHN;!lo==d-lSwMFId}2$}Q~25dD0)%<@bZb`P+P&v0A zyx;U~Y;s9wt#^dzRO;7z5zw#`xsz zSn?>9YC3+v*c93L+K@v^)3(g+vWFF5GvJqFpSzkgQtUv8CSHScXQ@uf3FU>!=*~N% zdxUQud*t7@c+!J`$S+X&sb?*WwTPNvo)$+kIuf9F^#^JRU^$uAJ8i069Sr9;@Gho? zX5uHiM7MZZROxC6>VybN4b^vYcLj3Xyf*aAjccTLC6RY#Apzkb&9*k%vgv5$OPF;nMtyC< zLuR;r^z%!TD;}x2*WR_Qb`p;58$pplUn8-p7yyCS5|>y`h|MB6HJLE%RMGLOB_ zQX`EFCZ{oUJ@tyD+f@!lc7(#Y_J!t#(}IS$vQ?!BuBMA^Qe{Ed zD-RC1qYPC_@ zZr@ShaUa+BZ3$)jsu-cLgR3Llk!LyRMBUS?*3lmd6O_~L;yy)*z;;qpaHZ;ewul>&0tn{1&?4$AArOFk0bDMM+G;J&w5^{Dbxixb>8{QoX>_(DBz4%_C zU-o~`cN*Aw{ZZe!K3muON3^*Z2~W=|C`({2OrqrP)XTOjk9_q+7s zN`NuV6cavV+vV;D!JYOkU0}1fI%jqxsXR+1_1Duz#h^F+ueeYQ=JDEp7xX2_ifSB= zH6M%&XatN&C2&aLG$g_dxHpu%S#tUL`2*Q@3lPCa#W5rV9eeKEEG;kx)r4f2Y%tO3 z6d9y{^EuE2SkMzFbLX z|8|{1vFjCN-UE`{tbDk7`(~6sQ6;q_6yv$;W}Xd{W2~!jce4NXm_3v4V8YXefz_Nb z{Co~w;Mm==h?$n`0b3Y5XTsfUf2{fEMa~Yc9QaPM>IoHDS6k4yK=aIuxCdvct{DG7 zVzaOD!bSE+?2vlY(<9BJy^-9U%d?MkJ`G6NO84eAHP9aQQK2C7oTn|!d zN&FSG^y0G6-K-HWsxn~V}on;Sq4Yz1C;tf&}sK+|u@sz=8A!gpYT5^as?Rv&K*iRt=8{Szq) zMHbjszSN_aTbkc;BdW?)bMLK&d&YOr&bUquof_8dIzTo|C}=SJ*1k)?hBctXwX^d$Vm@N!tp=)_P})6-Zdm0 zUt-`vaOg0A!u(3lPQPBHd{{rR**giUDm<<%Q~W^?bgH#0_i0cQ#k z<~&`FOM=^T{Gmx|s~^sv4Q4hJnk02zmjO317+$eTpv*s9PtHL@IN<`;xkgEyO&qRJ zaq_&jlFK(m+g6UNCPj{6Io{l?MbrI)5b~e{41mM5D~2tPqvHl}wfCK=t5rS5rd;dm z!+|!v3jIsk72jOvqIiH&;L_rYt)^wTV@FyFzf~>Q)hY{)^Z_CykGs%5^_Z{cM&6j2XeW?ku#V*Q|bg`fLfq6eJT%l4BMga)--}>H||E<%C9i7dr0u zz>TqLYWJSf%2g!}n3rb_jbv?TKADMc|5x6cD=F#yG4UzI)GjeJ_2 zTJN{A)equ-vU4d!XnkO|MgcsY*qlXBr`6Wa0=5KO_RxN!)!u}SQ?4(4S7MKT5o0(f zTEcUxtkvktP<8D@5UQt?vQi~CSb&dXT$aUgv~qIaEuL6ou)MB%)ifcO7wy-lDC`#~dRhlp{vGlK;cg$BkPLvZ|mZ zco|WsppC|;0LmYf8HhXJ%WgfoCs}xRtboW+{!{Y%wr8V4sEniP)co$qRC!Etskg2- zCSUh9J>69cw$0VeF7VHS!P&{q|8q2?qNX-@^FdVQL?wJUc(AgoUSp~$NyxwdE()ZU1Uj6J_MV&Bse3W2s4YEL$9+8{ZP>9QZM-ft z-|lj&F89en^^KnWSAQJ_GXP9xQ42L1=kJg5fya4I*g@qH0cldC=4VSszqZpu4H4bR zXMsHsg!$NZLH#zdboV_eI$SH9?5>DgB2cJpC*2Y(wBpg4nPl<>E+xgTB|j^q z{-Uw#j@n|XJLC0mKOxia0meQ2j;(<>>|O~VbYUPY-k?uajSLglc=E+Ly-)kqac|zv z1I$Bi1Iv60?Qqfwd~A0DT>#z)xlo&e2c;82_23W*sM4~JnN-SQ?UJXSP5yevk_Gi0J0O@))il?wAd zod9X(;{y>9ZPJeMR+;ln0kABh({7TZtj&P7?rOO3ht)N{RHP|HY)|j9Q(Yv{z|6uW zCx4tm;V))aI70$cWNeSg=mntq^s!4xUuCPuaID3)sK(w{>aYr=!=%ZhdkLH4T7l~Q zn)OyUlWWmaO)2cty*8 zrW#;$$g$h9Apjp*sU_PrdRl${8Y7rcqoUJ}kaK=IqJ(F!c|5Vu)E-%28*3z(6=@*# ziN6`cSLQn^`;pz?hw(f4<8Qx{x8G3!xE5VA>C_%Fuixh_B6p>U1V{GrC>JF_6s7a< z<3ms_TmB!Khg6IFlgvoJ?A}arzeknLXI~AKs*H}m>`wPX^37Ah@$J61{Wb^L#@NDi zgjShqUtbv;<{YnRbIy;5TP|pfb{gVns#)FaPHZtfe#HLu-!Ihc|0_^QVmYb>3X@Q| zKR+9@zxzH^Qmf;sI)_Sx^CDU1hZ&dqf%#&kZG5{X`=F-HSy^c5sVhgKcmSNzBEbnm zDkQMH@^~%n{M@gxp=4BgJvyn8+-O~pRkh^6ZP?liBw`t+jmeB<$ile18tWxh>bL$* zCCYK`cfiHvs!jePj+0;3cfU;=moWNsbR6k($Gu9tjn(6~?Qy&f3;T|-*dLmbIS0dP zFq|Xs^%-hf_#-!Oh~}^wQ5@>U zzW!=Vb{lqW$svjt_{k$f`t^`|O^)xx4K-d91tK{+bydx=e|K7VQ~2v&g+2Olad`*r zKRU>#_oMr+dh=&smv|S6FytPQ2ODb(Jlk;n7 zQ^uxG|9EOxLzr5)Bh9DU1CbIT$2W*k#3i$|BWV+`NzZzAMt3Vv>HNU*=(~`lRQ14B z%=90cnXioP*rn(s-{ok$SL4F%)0!FP_vs_oTM>2`$Q%F6m#`rtGdtXk7dM(;D5xFC z%>pc?9|KkL7!&{Z#KM06!`!qfTtDSC z4%xq6d84}Wu43Mr{CDv3M$G$2(SA|}&vhvyyP+G9@A5OyHh~)eo84uapE>VydkSY4 zGu=}Q2yN`OFS_J*#{@18wkqmEhV5psIRWHUm-!B-oC44Gtm3kua#yc+St@c_*MbDy zV2i}U<{(c!)Tb!$TqV*6J&*m#ENB&vx2i?>^=jSf13~K$b-s6Wppa^I+g!6pB2a

sceg8JPQQa)qa`5NY(rCj)VH z)4P_@*LjyK6K2Yhx{`izU3`5}?KbT>5gGW7rr`%gT>|>6A=4s~jllXb0=*u3?B%BB zAD#B{72~; z>SPj~wO2*0b%|9#j;D&ENVO(XX9Cs6FXpl5$siGv9>Q7 zW*jHfPY}s{5F9HON}Eujs>2>Etnd?khCnPfH@J*44Ta7pG$r0F(`CpYw1{&IP$S@dFvw2My@ggY)2InH@{B7KtD zEo|2+e#(kI8UYV3`BOpo?Xc`U?8>%Hx!%fp3m79-%EUr4nC+p%u>qg;kj{Dj-xlTn G5dRC$7v(1a diff --git a/src/windows/leash/htmlhelp/Images/Leash_about_leash.jpg b/src/windows/leash/htmlhelp/Images/Leash_about_leash.jpg deleted file mode 100644 index bb6a1d58a59e3637649876ffa5aac946ed3cd31b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 42760 zcmeFYWmFv7w)c$&2ol`Aad!>gIE^~qfE``&TSd7nF;uTOQ4QL9F+o@@SpYj)MDRcroQ`1KV5S4BZt0Ra&a5#jaY2jLeS zK@I^K3F-IuaYK3hqN1asqM)EYMMHanj`b7^3-c)^CN>T}E;bGx4kjipF)khfArTP~ z)-w`PVnR}ULL$Q7Mi7x7e}jUGfr^Sjh>eL&_`lwMbtB-RBVr@YBO}ryAmJe*<01a) zMW8}JL_k7*bQclfUmNNZ6f|^1WF(Bo(?+-mh$xR`#3!iF&@qrukOx0^m(dCFK*+)zg2KQc(0^a%y^(K|n^!(!;ZXkzY_)*1|2RK5Yg=4(J|i z1!GbITPGLxKiZ~vZ1caijDU!QjEeFE?eQc(9^&H>3Mvu`$`j;&c!r3Chm6mwg+fS2 zpU5x6XEAw#O5j%iB)FjG+o`tYr(a75SjdlJ@R0Ekq!9K;ItnACpu(-j_-Dk-70Ojb zu482hMaQN|LftdUTliplF!(AJ@AY96^1|Ny>UR5iesgUJEj_^n9NOtx8VIUkLvC zs{`ttKLpouets0E61!WT4|sKTSt}+t+ctU|N~0=gbQm(s+Yu{@1ho6k!VQZR**)>L zSOg;sd94HhO-sIcYGCGXq*l6EGU&e~fC675?jE@;dxp>g{m@(t1&Z^TFH5QgwbUDb zYEk*8LH~!g^oDO!p_UgB;%$fX&|G*+y+Q0AWn_0qNAe3ZDKm;QxHT9IO7u$V`Mx-Q zV&_9>;L@v%_jb!t*V{;w5rq+WjKCUSJ7brlx+OmY((MHc=Ve{~3`kNm_WOk}Fo*vW zn(Ke;*d==B>m}y-qqXLK=V<@K^z%&jyyTg!A2v82X(F}Xi-^NMvqZPoY*seVGd+Bm zU&=2d9lJODF5~MsfSQnSpWmKB^ib^-dvK~PzsWjYuou({E{6(lSBSSuNz|1<5NdFAL1reRfT z{wC}Dc))7zpE8H5V~E!~1$MbUa8ai9ZJXQsAO|V8B(eFGm9-6?(_HCn&z4M1xojC^ zf2e zUkEmmkmmzGQ*N3*ihoJk{htDfaa-!JbgVSv7eYh6PiLh<5H4`&izO4)(+7-PH3x6qx1i40*WxiRiEXP5MVu+rJh3U&H!86q=Z!Py!jyz4bxaHSaJ=ac(``{y#0-5FguzC8N&sY(N;P>&A!4*_2>_3q zv?pv!e~YUcd}U&^>kwV0x#;LYK+ABIOLy!pt6@XZv^J(e)7M9nnZc?8^SfVA1YP(RL7kZA4e(XCaosrgW|D1-WkKn>yGy4;CnE)^jk7jQ#t(N0=>EU0s5R%n6(W? zM5-2Q!=;~t?~fbr%RtlosfYLerO*eV@5i3oHJMo@0Y?x13&4x!wdFUW2ZU#u`zVLr zXuW54mqaPo?eP*j| z*p)Z<7edxA1ckLdW>r21^~~;p29;f&D#t=B1TU0NNh9mn?~1aMU&vNA+&$NK(XS3H z9N7!h4wxPYr11VB=4(Ea-*mdxzw&duS{JMfCg5GE&CLI)Qg8R+V`n1G5;=hK%wu0X zm&p6Qe#%U}qe;*qjS~B@iDwVviuApxBKE*zOuLal9?X-qxO}L#g)-je`*N_5@$%x6 z|7c*n;xJIKpK;s9p8r^q=JyN+Rf%(wGm zP=8a-R#*}3Qa$uPvnaI7j4CZPd*nK2|FhJ5+PZhiPKIjn123l*#3{ontAD$ z%tz0?Pn!c@mA?O}e5XNm4_RB@Tj?MUTPwgkegOSPFU6ZfCbBQ+{MUv`-yJ+wmi=3# zJX&V|mu0ULBZ7d?+V&fP3#!M;Wg7n_y8rbD^Eh6`d=%^XTkP-3e~9h;D+X)-8H2g- z9y`!2PUrW{=|3tLJPOqRXKei4a{Fsej4qk^M;gArE6*^$|EcmXfsYvfW!c*W^%0%e zZ*+fD{*BK3uc-T%<$s_<`vcwY%D>V5De!NW|3LQ#4T;~Ce|PYo0{>?DALxG5_zT^? z1peLfZ*+gq_$NB4e~<3f-_W7`P2gjv{LAuhbn1W5_y@XoKmR?tFMmTv^EZKiv-}&K z=-<$V{!QTDI^{Py=09lI|4~^p;NPR$`5U@t{~le=AA$4_bTYSp3Ha~>tN0Mo1jQpa*I0~anFAEC~ zI84Oq?Xs9WJ*1wk+kb88kfgUfRa+S+E!8v!zvYuvsdSmfn)tS-rUrCd-i^aEk(G zk&Y!&;TasGzS0;BND?CKS~J96(6aDE}} zf#rdzhvK3AT8~~pWN39v?GxtSegT1L19g)ghY5D5j)iFdT>)i`744dhuErkdGRv^d zA!7EpQS(B(5cY-E+2V7q039GE;>k@-I80(_iR@h$U0E&Kh2Pt}EO682j;;_t;#81Tr& z2534n7*!;M?N}u;o9UsN;nMi&+t}X0O`8iftEm+|fU&ssV4qK~wmgETY83I;fMV01 zArJ2-jGAWo%W}2KyX)`MG@>HJj8|7~GPQ4Y=CWl-CvXwHLLO+W4=S zICw`xoH;blD#eNu2C@sroqRxc!Y5GCwj#wLpnm$?nY`|V!Nn|>l+ITZ&?oYuXJP|G z>#er%yJU%q6Kjz5DX%aPnc~aI8zw@-=1Q}C)`fr4hk`4Rj-qfF$Sq(C52OoAJJy3 z&lz&;enE8Emt)Ej;MKZHG~TF>AYjzNt-Ls>oH{pVQ`ny3H$(%Jith_&WHnH_ld@A> zC+G!}dD}a2BQPrltiQUFR}-?$nl=1l#35#T7=x8gdeZXgx;u)V;WXgQdvf-(D0L|m zCxoTQvyh@qvuP#irwVZ!N(TxuroOAJ!X(vLbH?>aga$uwL`@(aGXub!r24nr4CH&p z(LDBT4cUj*)#0ntM&a|r)QpniF{)mfJ4ZDQ3*p`_9V`~k>Hg2~rtl>;Q%rS`)|=RpG40@Kp} z+nr4DeaS;VM_>=lPk>=bo=%_@vDDZ2hs3IBQ)h~48@);?U_gKFJ<-eENU?>sdDFjN z53-|91>&$@>8I^z7G8YEto=}##`$t$RoRmR;moZ+EVr09C?(;t|G5kv5H!E_3!!wV#%%vbqGx;>xYxNr=aRFGG^b+XoF9?sv%EZ! zB6_oy7QQZMdakX%ykV(zeEJtcWVNl^3?;EM_-%2AQ9-l%FdCglu@cY5D4rKp#C!wy z$WY)`P3@WNz6nPNY>hmMH?zJn_xmSz@v_~pms*sN_Y9Y>5P9)|H$)^R_OlvvgVY)s z@|PusDN~!+Qs^D?^fk&TY1>Gp4V+xNyKEIve$lK4myn8I2)_`XJ+w$oJ6G|`G4xhA zd%IX_Tskw?dYIo7azFm3L9bprIdKF4h^s`hryXoh?Xo>%0@Cv@h4a;!w{_lv1ox@} z1G|cDPiu!t>2x2OCa@_H=}dc*J#-&(eJdLr%g&mxa8h5watX`!R#yD6i0xm@hP`>( z5u)A7xy!BSD&rMBsX+4PY3>BSP)Z^Yq+_14n+ARohfkn}p_+5CcoAo-H%b7lq-GDTm|HB{P|Bk>^UQE`qleVwa_h7;N52 zCCKZxFR%|;D4w4p3892k0mCp4T>RzNC9qm+M_Jri-7NH#B5dJjM$e)BM>~M#Cp`&E zz$ST(*u3aCOv{kSZ>(8a=+5DMr13z6I_ZB_#$&rN0qw>inVPvaI7%JX$_%6}%43z{o z-I|tG0E~pMSt9?r5zF}f53s>u*5r`&vcXvF`FC7Ctl>sq*+Ylv98+Ry(^O+uyk1am z9}x+qE9P?Ody))++h{){#`o5@mx-nhKQmz(A@t834zQB@tq-=pk-2LVf&u!3;zKV%JF`t#^T@F%q(-jeVO-{X+tj_crq(d3V#| zO$AdA5z(PKKHekoHfE>mDzO46cymLJ-s-b>8~n-1XTNox^T=p8*O0WHk;hGQUn4Ky z@rMR(SJ5XOANOD`*@I(_-@i@7s$L5bPP$|^`OF`@5PQNAqnXANjmIY7;uo-O-zACN z01wPu;UBBvS6aM?OyPBB+o6kfV5+9}VhCTf>`Mit)rVy>s>*S(^pu{tfgS|G?ZwV5 z7DZYDg$4e(Hj6>9n3Brn(UiSdp3W(yDW%V8OmGVm@7f(Md``abHC#coZrx!i9Pti|D3 zwLcZfU0UqqNS=(niB5V-?$x&*M`enFx1Lr(owg}>BO&0!Xq0ipB=<5&A#W!AsYxjl z!^%dECj_=|N;KjKEy;|a8B81W66Ap^$yjD83)(W0x0B1U; z=b}Vz^NJR+s!W;U`&MjuY{0}*7-W`7ACgdy4@@VGXKZ!;BIC5GFq%#0?2ca{WLLaK zlhFEJZ(}HWeYFCs-+eDt_~8}C_x{NGmA91YM^0g!_h~Qr3=^6W=c>-mxo3lBmJ+5GD9=g(rzwh6IR0M$X zx|C%*nCs@?t6o?8(%#s19Dv4QWP2^-6Rwm;DxMb@t`OX2QO&pTg!tV!X}jVYVo{*x;G>SXNQF{z5qTOeyTlaC2zK8FTQ^-lAAPM zKuZf^+R(uQ#^YO=C+b?zdKGqwFQO zZmI|1nx`%hJOd3b=>RVh>2HD*H(F7!8fmK9D+2rU3>BQM^{;Wg$z3(OTaxHY*2~)2 z=u0n3LKHy)69Us9>`PPD7W(3^0lyH69R=o%!!H)W6<;Q4 z>PrJr4R7gjU|b*O|2|sUUiSk5AwZ<(x>QGOwqGx#Lk-wyNG$13;6dzQ3jxsM1BIZDCyX_Q!Z%=D!6ZKv%< z#yYdzbuZmDZn#IPVfHQf%){liy|2fB)nLb>f857B(JevE+u1jJ6nM&=-`V@kvopzeZqk3(U#~Q z*g<-z-F;KAlRE-#S2}@NpO2FiQ44-)HPyV~0Xf)7`Ae^_nx3@;_G|z@6c(l?@=m(s zX_t`+)_}+5p>;le&AV3+)*WYSA^{t|uX?AXnFbB-DPBIUfgKH)uqu56l)3bzBF3d+ z&ttkJg!aa0k=}C*Hx%JHT%T+Ak5Cu90cZyFEUs)g%xu0RaA?q)NzugXvGIv?#Ru9D z5tLb2r3%8XgzDMp`kES!t{1E7XfJ9OPF>pUvh(r4GLNqdxrVCzO0fpcv#!2cdw9;D z7<>g*-AXKbnfvOt z%+2Q!HNS~k^;^UlckjrwSW#2l$uj<`ZT3z`u zTTeMy-o4ID{Rzid$A7{rwBClpcN--JBzPicQ9mhlmwlD{h~{YS0y`kq z{UXLY6O3;*Hb25(urkB7@UEgVuAr?e%+^%?lUTZqyxhiVyZx&wcvX`!&r3Dhk{EnZ zELo`S4qA4SfOXV^CbK~Ab2a!zmgbULHrtq(u z(qvDmrkzCJL3fph@Gx|AmjL6-gL}KV9&t8f~zia!p@kgkT$K>tYY8&YKqZosC+4DQ_jLP>xC1 z5&+{nDZlmTU@xVAqPmZ-0?v`oWItNo?mk==9GMgeG=Xk9q%n7% zYfX~+rFLFt-a!Pa@C4yn^kzxZG9#0aM#rbmjq+5^kVZec(6;^TeZMWA}YLaVe})mc>lcjl6jtzMgd@!P!G!EG)I?tUElwGe4` zt%bK*X3_#FF>^+CqUlt7mmi3&$AYDYNK>iRtr}Cm z^}Sl(p-6twZ$VEaX|_D%&H*}cRVx^EOhV!oSlrnVI8)FGlFscX>6OZv)X?w(vAkPX~6TpUx z#^#keBow|=t-I)N&+or0L|=qkY-&g`_GfDo zQy5hu$O&pxQ`;i9-8S=Tr0N)rFox!I%{S*!R7Pqcjgw>*$dzZ)^M4qe#$;}}9zw@H z4&Wu}6>=%0XZK6BiuO>?!qIbweg||res%vsF$x9aZN?AU|DYSlBTk6hDZ(mX>f}^V zj{b}v9mG&WAI)2d>P3)bcqM zVP{$|G+*d3;l9l(F45#1Vso-3lQ-xdwNMy4Y}?8{6sc;PM1i98;yYvGl{wIdBm{}M z*AclyaM4pzJiI%Zg6(Z;p9{5Z4WBS?+qOeE2Vorsef|*YjBW#{*w2>@?U}iisZB{} z?3Q&p>3vpI{F2Sd8C!=v{JvizECx4@ZkK;QKZ6%_R;h2ODQlq^lBw&1=H}GrIU~Uv z>WN06A(g!9mMrEmV=Fg!UcVS%T+7pw#1_w#`4N!?!vlg3%}DpZis{Ms8FfR-?4B0enOdE<9>fR4a) z>q=V!t~h}t#nRPYq=J-&T?s6-+Eix#gL|#4PK7EtS~_Xv6TaUA z?epMp%L$9s#Z7ABq}Bzb<#6KXJ~!mB>);`4s?AY`wGB9ES%>OMVdUkf= zkrbm5t~F@bn4I)z&7!+Y8~W-%Z>p{j{b6U*OxSW|k)CGh=d@LEHpcK(KJnRg$k5`3 zzj#PN{o#3y=)oG?b!3YXY@(of8N*hW9n);thpjEP-wU%CLOLxv;9aPWN`5B7GdLT8 zQP1cH`X*9*ppH%ftB?hrg^o^w34S4b%aTeBeAu5i;M~b&w7FHx_Kl@3vdgG&wJ0Qf zGKkmkge0QxX$Wlv&R|(&KD~n!Yx{1vo8|I7l$tkC6qXp2{L)}K9kmIpivoavQ3<2G zZiK-PAGwjSS6dCW24B*5_`-xpnATTwtpxFA(@`8hxwW#aDq>LMtL%_8aYUEC)=6Y{ zTz*@8V6Iub8TUd?ydU0wv13qE_QA>-)aRI#qRuI0$l z9w0^_h>gtGZZp)m3wT3=57yd@X}FzM?Vcm8)o)yuteGpxN~7Az*fKF$QUBWe`pXZl zBUHtlsIk{P4@&Dlgi`ySdD6sO!&B!JQ+LSHknP6aN_bk@k`Q^Gm{fc2EF_X+H(C4d zXiFEp0}f?1al*>NLzk~~qlZ`Kfn=76Y2U06#wdz^>R1^pVWFW<3@)gz_2FmHu|bC` zBD>h^tvn|&-z*BhDzGAOwr*1EvZAkVW)NExT%=_t>IAYaRXRksv((Zg&z5yy_vbUU z4wNOtU^bqG=4yxyKVR>*GDJz|F!$`IS^cJE2oTf*>S_Tg*6F*9qN*!TzJ>gp?7NA- zbR-q~I9+l`lSd-BA$k=YVI89a6u=m5+FF&*5w+VRWED7-Zi|J;K6WuIP!aRXro0J9_=D`NM}wUZ)?$Edpq?8}Ztj zvTn0}8{p4MW69Bx(GIle(JCRVT_bg+mkuw#4WQl?#hlaZPn~cZImDc7{L?f0ze=x3 zss-h*-FgCc*Y5{zoBk?wV9sR~-iv(g@^A~V`f23%XUPop0HhT_>1y64(#88wE%|4O z8|kv7tP4kkdxg^cah;)F{$IuPVBcw7^9V|kV<`7%V5P>NCDrba_7&Wpp_o4uNw%eC zOaCmr|7zAWOY*0H=|4;VPs;y)uLM;4oa}`7Ps!iJT-v`T`6vjycJGngqrdOF{qSb- zbueziD?|YTB7C5(JZRG2uAO_Z^YQWKe={}HaJ%ua?=E$`_h2!{{MQ`K$U*#F`QR^v z_R^aHlTnaOv0d{TmrVAh^BPfbx{<}@MU&^8>=wgob#c~3jWMUm*;J~{bqp+#ceGr` zqC={S8<{y@$hk7%Z98aaYGJRkr14}K$I|B6ok~WUQbod-Ea{7ElOxc|8c~D zXBxYI@EXdS1ng?sZ@b7_9Ve9$#Sm-F7v-lMg;VoqdIYc(x3xEgbkQ7@J5jorS(Q|k zUAV6fjDJY`g|NH(Vg3sW^xU4rDmHqZb#N2TE#^PvI^qphmd8UIpEMY|{h=JZV12qh zwW1OaooR)LSu4GR6k_6Z#=R>qxP#PvCyCS+%OEg4-mSDxM5~gqN${!8k)or69=`TU z&UWCh)*bap%SHbZ`CJ{3cF;n(UuI68YB@&+4V?~hpIKhJKi)abGVD~8CwV1l!}VJ1 z6fmj4KLwtGfK1$AaC(>Y2xe(BJ@Aa8pv|k|`p^8S{?F(;Dr3ZSgot(P^6Xn0w*=sj z&~X}wIgLf+dNpiU$Zm=*n653He8?AW5xxGAog;4r0OwC=jon%s0_LQ1W(~b>bP9U) zpn1oe_kse^ZNeW)cUp!iG1JA4#a`@{3T{=^m^DzYb(nH89u-zl1jp)C<~zMx9%G`i+n~XU7d4IK+b&l0(Q{f`_fz}>e~@RM3A{1JfX}lZrTmC z_o-7Yi})L^lF5OAlf&@sgvBAc!J4@3?UkgTe!ILK1_V=bw!m>!yJ$=6_ieDU5aqP_ zG<^``wnxjo>NBDpb0m(j?+T7DnS|hpa-UjuMWTr5!NF-$-eHJ6~rKck`B! zo)2TL-_@4;H0;ig&C}Dehp2ohNY2B8{OL(-A!!!H$L_F*EoDV2HWAII3Gj@^Ze*=pL|4N@4cO!zZgb>!MgwZ^r8p3jlsfLqD>PqR=a? zmXY`oHmwX^4a>B16|H*;;BqqMR);yjjmn++32Wpr3w(?P+=P9~iJUP<#`Lt()yGK8g|+E zrh#m0PAi8!#MG-pm0{Ct6RvpUbsbpgJ+8<5L%`fZ;w=fqF|G38!L|gSBj@@_$<9PS ztpTXMPw#m@oxHG_ovC@8Y~ZUnMsc^dJHjuLBj{0{ryf8hxtqx>jHn`VI9@1K$3N@h zWBCjjpiJ2Gn#noLDE5Q^mEs5F76P7orl($HNvb9jEt`aYr$}Z4fUm67&Otu?>#>BC7Nm2d0^`&r~T$TcF&aT1K=B2u}8uC3fvRNnyIt&$?jyrX0&LM<8 z`I?0vD^iy2C9lc);iq}Bw|A&{ta8(}XLDqEDz&2%Io5o?`0SLQDsY3DvfI?o#AXBE z*9zOI#$92<-G#N{wZS%s4??U3osl=rz&#_*4%&%MHN#Imjb7^b28iT&Ps$M<{NeCW z^$0yRwZ6md>xE}fsSM=?E2&|{X#D2r3S15~+B+`^~#Wi-f zbaNKfwWGYI!1h&i@S+b_%deo!}#-l0@ge53_TTg~E;~Oc*)*cy84(yWl$9ix%fjs$nc zp0sH+213BKVb604SpT`)XB()X1)`ynEpmHN;MoV8%l2MUeJp{doSW#R+&@`L;otu=&hsI2VBC{kyNfSl4848 zWD4JG%Yv(tTA1UTN5y@MD@ta1^WpSsa1oqhfK9x*D5R3cLQa1IUD?L)%&Q^-^<6~L zrq+>xFT-37RF2OUYnzS(DNE&C0q6OJX_gz7a+eJj0;RTKaNtmhB!8qe=fr4k;%1r| z*<`Z!iy7`MwWZ-kXMMMfaD=Z)SqG64p-$}}L^L8vnV5tdYs-uvDGJ(mO#|OE>%2Pl zAf;fSx7S8rf-~S4MB2+jVD*OOtfj)Sjt#MF{nJ@!{V=1!re{#_^e|TV2Wz7bltA0* zu`-((*TlzV$`&_O%08cnfdE)#D@zM|YS4|SHJ))@*I=Wu%Kepp%o%jG_?xn4#_>Q{ zPoK6II?rx;c9G~9eUoKjP;^OFHbQnL5Q&GV9p@kpWjb1J^!8_Mw^&!e(IfB8@*L%IlJE{|+TK3dz8c4q? zEmoArfY@yf4Zb8_QV>rYVcpRWS}4@jBtt+#CW?Irq;3|)-ooLL@+r(Fit!Yn$eePNe~Rjxh&)LU6$l$51H?BT-#Uib zib^OL?-3ln9T`&&BGR*>mI!@t&iN!c)LfrDfUi~2Hd$~IL8X~scsac=(B}3k?#maG z13vgjO*$n(S%637<7#>W>2nZoyAy-Jm6J7eyb0LJzqLZ9`4l2-%FV@<*0v$g)Sppa ztDIPEX%)pMP+-hX+P$?D>rQIP(G7J$69GQitY@@0UhkiepS=+gl1dX!kUfn*TA%E|O&Hh%%piI3dh1ev-c0ld$7!y#zED-{@uHgwAqeif!DnK! z8fuIFKg@ZT;b5~37$4?q)6@sUy0SvP;JP!jj139xmbU>bMfU|_quweda{lF9vJJL6 zFCG(gOopQHC?Ryl z<_aq!oQcZJr4F0KaRvw#T+ST!ZHI)tXr;+_E}Apdv?Z!m%V#08&*vL!u`u)$Eo8Q# z>u?*|B3xXU5~A0end?dO08p!W^VrUFx0ijYvRsnjYV22xe}XiMmS$bE-vlM8zQH;5 zA0R`LRKkEehNVG5EHamG@3TyQA%r?`lzljscw$A{+sa#Q^^q!lR?DYlxn;Ba$zAkN z5>lkIbFk5YqS>aEzwih5w6y(Z+T3V!bG_kIqM#G(9=q2{{-qiT=fXv00@aD7Zg_KW zEdf$!v8OrD(9@83@_|=QR&)-t5nPq*24w-gj?@tnhJL1=0|lWknb?rZTbOb`P$inU zu{&*)=6ct_oy@B#j)*r23@~(aOJ>w3Y+flzt^4Q!U1>jj zij^;BWYP(rvK&hGnz7wR2{(5u&GZBy@D)!7L7b;pNL)Ms^4q#2ZM7hsXPmye zRl$ogU!BSkSSvTK?G-5(+)%J@WH-IUV_z5YBPFa0Ot>*wu=%EZlnPb^M`-M=TuHs* zJS%N!{qkI(auM2D%FzRR*Rm+0o%hPsIz@x)4cB$>heYb4%_1M zDTzJXKohsQJ}Z#FkcW|gGE#@;=Y{3hC736M`ly*7Wj-XUk}XUEfDM*447Pp1qDDge z=L%XVadVnLFlIIc{c)iN6$ROu|Knx4BvU`%Xw$>sfR}z+Up^gmH#PB-ynhTx)i`IvLu27fz&}#0ei`DFs%T^y9MPC$Sk#j~-A`@<$$toSHESCcrA|3xk zsrLj2KooEJFXxx{6oH#mMr9+s=uz!*KL2*+yyL&moTtyz{Lo4Kh2X7m4y_maYYyGq zBydGt@#l)vxY)L(BPRfO1aph?m>))FsvmXPKlMFOv&?#qq5p~^a;DiZ)m8%;xL!ym z6yH!BQc(zP?p%)W8-)hPEaO#TVcna;Sh)m05IwUgGegJ@L*DKjLJpwl!rP%(k}l`p z@F`?|(rerBm`BWDvZTNnX_cz)MRYk?wbSbDy!A$UIf4d~Vs9KrXTrJOHH3kPD*lG` zjEgKSSI4q`)I=T4aa?aq*BJRMYX^8Z4ig+OjTbdwwi5L>g4hzKP;P%0@WNMriGc!s$sf2wqh)|W-Ss26nY0HC zEzzfVd~r(Av>V+TgoMIWHZ+Q;vyvaSwYc}JEJfd&sKCkrT}Wn%3>Hd*9Fu!kgVAmZ ztvl8oi#&tv_-yiiIIem$igwo z%@p~CpmqAD>T{(#572FSozPKVy@mxg^QKHIBMg&CR7egEjcBD4D`x1pzGF>|^X#hl zu_D{Q)LK{E$0W6F@#)xZ0x}x*Z8Evcs5mSEp1ss#{+%;sdH}eep;J^`Y1zG zUB4_xc6v_nMhdd{rbveptcr6wAmob?(`wIe{^G`-ZF&(p_3^IUIY5U z$c8dj7!k6ktgc3?XH52`dpbd|^Pwn@Gqbj8t;0S6zYJw%9OG5*du8BewGfH*v-HC-l zxGAPiDJoB&_@}<4GX4Bwd9`!aj5nEY(V&?sd{)VPm>qRs$oT79PRma(U@}B*N0|zd zeFWv)ZTaDr&2k!^sgpCtgmQU2%m#cT2c#&2t6za{;du6+bl}zsV_^T(rKfAv*JDhI zu{{A(<+t~lyKWWRz4eejVe3ZDIprSH1Vc}HSDPMyzKI|q;l_}h*|xvR5c@0I+7Z58 zQ;vi_HJ?=1N^rXZ_e;ts*-b6QqR{i#$ULbAksKd8K2WQa3^Bwkruojj^p53N9VqIQ ze31W=o#Y);>)-4Lr|IGEn_AyfdKN9Ycay!ev4N=LWGyR+;`7-|)R+UbrC=O$=~ zPL8Yan4zwoTHahJ7PIGZcDs*e_+e>{Ya3dxu4ZMA&u%Rq10^LaTEz5Fa=v2=QQ=Lc zlHQx+M`nB9+h77d@C_6-{!;0CQ-4xRa4f;HMSM)@HTgp|lZ8!q#F|DMCsfDgr|$4a z+7bJM#&W!^_p?AmXCkYoU^S)YD1t>2BYNmr)5b_s!E1&nL3&nn%xYmYpSgfytCXqd zL}&29+?|YypG8_5%?7hJ7h;WB&}J&Fj~hz9I>%!0F~sIkqbFgRTv<)~0c61R7@O3| z`J0&f9T%b(BLOboAq(Hn7>>M!)hVyG+8~`DgJ)e$LLqA+!fgnaJG?)t9dC{}(^7e~} zIDAU$7emPRk>sFm3VLP=Z=dHl148?ff}YmnAmtfMKNSri5XojM{?Fv;afY)tgnH>w%6#iJea%JsB3jFCo!=tpHl2&TP>AGpw*(?9is@yF zsQ10Ii##ok2$yPr7e}$!rw>h6lBjWHL!z^f& zww_pCX^m`dt%_u-Ng0DFW>gFZ#eY)RLm5%W<1vL<9>=8dpwpz$sj|$sQQs<3u|1ut z>TGqjp|wcwD_CqsAcN?8A0IR0IM)&n6kpLa2WZ!OOlm8YYHgLj3C(JsQMq$)s%eXY z=~3Wxq_~jpH6j+fLrLj*KxA<@lu4?p zOaN{&d#2_y&1|L+goit(Oo0GgK+)o}_1sRa+FG{dmssTCBb_0^>9`h3cndNzAv;U&ouFCtmYaGhlO zpi8FaU6C<1;*t0aF!1zhGKIT_&UHDmWOA*y}TI|UET7ekVX03)VQ_k zbkyr#2+CFDr>}o{w%1YBo=}UAla72Kj_-Zh5cG}4>06E&dhvNDS|)vQ7=Fo?Xqb3j zB{jq}ZKKh#z(8M^LL3^oEv`MK@DbP20rO7mgrV3ej-esi3pX7``C4f=C$M7NT0*k7 zL7~Fx?b{KR_z9{|3*K@Ivj2~>w+xCS4A-;?7CgA?;0}XZ5`t^6!65-=AixYTxCaYv zgF6HWGPn&+f-|_gYl0+{@c}EUETNl+}HIUF^5dSF|5+o zs&kdsVyBqbN;MT)sH(J1%G3;#aT#o)jamz|{P`4P=r4x(CR$hXexx=o^0ck6E{w0M z%9I`Vxi3#xkocFP9c&DNRSq0`bxT_Y^3a(#FS%1?eWs+6WSA=h`trb~W$5~s85Qey z72Rjk1#9;=3&R@wmOIyrNz;*PJ{B;w=lnXdr`~1j14%9;ghgK~v6{%PrS$cU2QjeX zy;dibmd3^>1L{S`g(MO_$SEIOo1D#rVbV3RQMgf=>8EI(dDbc%#Pjj>r9_FT)*5wN zl=)C~b)&((19r1(T2*~GFF5}&s*dE!5duHH zlC7jrw+k{GCNyyFLW=xvL??~#Rk1H z6o5+TbG*8hVutpNH{iT}$3z^XoIEe?VeI8D8AslyS}t*t`dwt z>LU9JtkM`C&@r1ri6F5ov`f4_cC~0I$lswcadZShY{+|N!F*{AuvVyL$XXOWpg9n82Y2x`P=S~ zW6@ESOYLs9G4o%#Oz`pK%5Ma2SEI(yfy$qR_Z z7w^BP@;IyLYP1}6e{c$75Vl*I!92Dc;l-5@S35yx8V#ulZ9V_JuPZL}#FWr^0tNc= z)h}PCZ`)sP_Y%qT7XiN#_U}bp6$&v1N*-LS{bX2+{C&mZCt=ocT%eY4;I^}3quwGp zyT4>8Ag8+Ckja@fHKHtur=_QEFgmf1<=i4T~4m ziu|bLJmt0su^SYQtEtZP?b=U191C0Z)#Z~5@A~u*I%D`L!=h}nI#+51-c3`xdIPAn&R`Dv(O{PHtZ z2?CThC8Ze0wQY{lU6eL%xp`oQ>ZNJ<9R|=)ZHhj7(0s+vs$=YLm;Jzgy+%1E&yxG_ z8$>IyV0N*Rt>TW~d-%9;eTxfiAMe`2>_s!jc?)N`MZ~i3w!$|i0$@wwxKNP_J z6M31)FlY0h$jkpYr#8+1pA4pO?Thnr_P^(aM@$}~5*di%8-$%%I*kDoxUSie_4X>M3d%m`Mvm6JrUk8l*HI z%O;>SM3dpq`sLRn*d1j$ifY6I=ew13I*Le2y*mD3u(URH+7{7HXi_M!J$fwVC~JymS3xF z8I={^mNzi!)*1cY=$GEmKr8&JESBQoR;56O7yj zl1o)${*E!8tAaNP)t!t=-0zu25?bds8dZ6YWXHZ|lS>WWE;9C+SQ;;zNO|?1W+(Jl zG8-6oE1-+^cEWW>1hXm=Ts@f6E3Z0PFFNq%U)fTGo#d4~kJ&Zm$sGKx(V1V=SNBaQ zAObAzV1{G$<4=8J6madwfGhJ9v4 zZ{~)*Gb~UB!qAU#x=Sh%Uy6+ygPAS?AtZ#g9kJNQE+i$GLK;!VSErrGyQ{VXV)J2D z_mSt$^&^D|%vyQ^+sbq z?ys_3hh-W{(9p~lx{-=C*x1{A6HdujVaG+}ghA6u&$tDKTFV7(5lkiNN415E+pPwh z8CTY@9}^nTPpa79E)!w;-4gri_mz}K7qK;`jCQ4|c84p5t?A3B)y9L_+AXBCCh6B{ zyNpS(Zr<@itYOcWb8FCUIDg3|tZ1Ah{u=p+{g7UH{juI6;TdII&X(v=iD8@t8wUeB zRiNZ7*t=N1bmjI5{!9J7SB7-et&(F`ug2f;d@ZbL9?p+*#5QZjEnP14BkmC`pxTaa zlA(uZY+?oVFkJ_r_Eh^K7=uIXg>p|IaLmD>KeRE-;A~+zE@h`UG;juut9YjF&h`kK z&%gc|TrXYQ0Dr?Zp2>XdY-X40RDjp&03KKL8Za^U_I|0$M&r87mgKuq3?Qe7XK*Uw zNG!d1#FU#uQL(0j*bEQuIyy{ok}1%Q$h~q`-mmr8rltcGTVAMzegHWJ+{nT$DipMO z8P<;OXo&_HfbM&sarXSeW{7t#Dqg5LHhV2-Y;%P|D>7!c2IIkhs`fYM!8b`Z{mS(%n} zK{z){Cb`yv=OWa%P4u)(YBlEsp%BV7&w!~+K>;X)jG%%fM?GqcvvKZU_KQlLhfxJk zqjWZ;Zv+Nxj!K)CRg>5v4E>B5lOQ*V%qWw#VkgBt1#fTNSEi>>$NLp=XF^qO!=Vhk z$MxSvp;lH#_>&UuNRai!6*HlN49$St0K1K66zB7d@%RhSt4a3dPZQ!rY5N5O8OoR< znt3%?vk|#4cG+VTNuCLQ3O7Ffkwkn?jKc=#+oEEEdJS@zRjq5Bb73M|^d?;t9R;IG z^Oqf_grsYc9LoyHmSQkG9dcnH@2qT<^bmm_5536wx}M2S*BDOV_nC|-;}o92Z;QKO z!jLxI%VnK7S0lswSDkf+BH6Dz?b9b?id2h@ol{&9SFrfa~>Iw`uBKq=XNC6S@75jr^oc+U*N^#pe((_Zos?%;ok<@x%g zZ9Oxz^=^pMi!prkA>)!Lg-Fu4k1&|r>iQa&Yb4&4F)xv+%NTJuNSwbGUBl4ZF0LAZ zdBkK1to^)YcX=rtZv#~T;C%4%`iF`sQ$0kxW zp4uI}`>SBW1sY=SJqk2(T6E^>6a{O?IWQx&T=0g~aGJAuYgfddN$>Hftv;1*RHUOp zo3D;??z!iOD}KXONH&@{Tb=3*iYjk0@7Jx)c8cPT^V+Za`w54tY``Q&))>l-z8L1Y z;<@KgE=zw;E>0Fqt#213`67xt&sNKWyO>{B^5l5$6)`vL%ejXH2lXD{-t@ICcWiqv zx6x3jp^q2TwYuUEQMDR<#G|7b+n*vACsDsKlNhF>(3pc)xm#xm6v#+$uVVCGqKpe) zZg7Pzx4a#YBWR^de*Aa0RIhE*kBBvE7RaHo3B@t=*zMC*Q}2jAlQ>D7LV8c$_Tg+a z%XXTj3u*;An@0iI-B&S#SOp=s9tCkX2QE0zu0d zVXMYnJI8Omx9hYAY%`*nOvQ*bF_rVSm+H?K2eKFQ!s(ih(IZK?D>-?QRMv9X8_7v% z_Ub6kyRY-6NnMs?!`81bJk#a65UACoit+cOGY=W!?PQ|NbMRtCa3pxiuKmc&`;yN* zu_n(`Br$2wEoP6*Q&H{y#q*bJO2yxVoENm#f=fn*XKTTojxqG9vlh_zopj3*0{nkD z+a@%1g^X!$nG^8>?~5zK!H27T5BcW9ZsVQAnQS2?ZB9=HvJEFbu*`9!?$F zi|2m@C|-HT@zyi0(zvO{c3)t3;#JoOFED`6d<>u91ZX2_URytInA9NYYC;;5`n8zk zBM;&!X41F1l!Zx}IUgiPKK=f)wOxbFLb}&`>_#m{LgKpo@3hYPGIV0gwisi(D5o5e ze=GOf3Jv@d_m6J{Mar%SM&TLWlfEOmTA{{suqHAyUb3SPQ|332YV z1*+Pcs^v>zIC&(_uD3lAu}T#@h?eWx8M9dc#qU-c53i>iX=H0V2xT)c_K8@SEtY2} zcD*Ob_MX4dARe(VHj0E26X~>LKiJr+K{mfWK{Gq)0xOZsD!@7BDe#V7-Z**88ZDr$ zshwhSV>L$9MfpJsD-Ag&R4sj8#E8Pj#g5<_w0@aPm->)$o`>nnYCBg`K3`*LA)`zC z`2!3HjU=h)#MZro=Mkf#8zj|0NVLij0XZIFNHit11kH7M5I@_{tXH!2a{qhtR3$Ol56B&-W`gv!%I9`$z{`;o{2 zN^)!%Na80bumV;qDpU!Yv!n5v{ zCtZia`kxes+4dJ|`)J!vB&RwFw4iFu5Djz{rA{M9t6N*Chw_iUydDWq#b1%fR#|aME z80)xz-cF{1pdPkE32)u)`r&wc%{y&|?1b2>QuQ2>>xTMDFY$K28AAv*7yASy$%JP+ zGLFxyN=tfiKRX&0vQz69Uq!u;ZcAiKbNME&(&jU7jvng>DqMH4LoB}P-?p4<5}U|= z3cp6!uc#%9R+TjhUg8y9opm?~w?)F02a8O|=ohTsU6wlq2Iob{7f?T?hjiO3@uI19 z#19ha)+GmwC_O?;-0gls+J{%)vh%+Nu&>peuwM4o4sUOC9I&|SfGvJ%zKG>GyncFw zZSUuuPBAC}vi&Y>F0s>=$qDaK^!=tl0*UYQ=G=UtMu#>?QT}ZYq$wZI+Yx`aA7xZj z&v(R{xEylv1m+tBrGpjE@9cjo)YQ$N*Idf{lg-0ZIuGqfr9Sc+#k6pbVnYw@TNias8@eDKTvJ z-AqiriSt|fy7wR2!A3l{Q)kScZ$~WIbSDpiD)ztxNn)Ahl()rPm(bt6Xcf@wqOSZJ zE~{&-vJ6S!R-uhBeNC`(yAXe3*NzG_dK?W>Pk&UUns|Yxp$h+%+=zDZ#p(TvFyRL$ z68duSn`3{UD_)jx;Rk2)y&FB6XQj#ecu8o)lk8{DAKc)>Rw7Db01nXOk1XhsL$OZN z{3&So<@2L~?BFr_8+QJ~c=s67?H-5DhQjHM;r95{?3(j*>At^23OIWUp9jgMXbyD0xCQL_7gi}F(o-@~WWcm4ih%oeK4)A}e7 zTusIPSf6Uy?OHnXzW@2#>bvouzgu~AvrUGMx6uO>tN$IhfwKA2!YHiDS8GH4k9@uzj zJ9$XcCI*-COSURo%dMTSTuZjTZi(OL_TH^96%2p)k$2}KdBM!EE3dopcd220?|6PA zNki0Gpc<$_`o?Vc#K02Ft&Zo;;)p{Z^fl~V|I}05wvKJGBuIXYoZ_(JjqG_d~6$q!?<&z{Q2{6sX?k^1`sudzYm=xSv(WZH7tAD*_g-G2F=w`t@-s^pes z6l(w;u5cJEJRjcdXgIcq^ZYa97SXI-8HCYWCWaqY8I*-EH?1U*h%aOROp~285L5(z za#vI<%|1kKl z)dcDqt<%~Y>BDOGnRS&L)PU`F3t!-5)|ezRaR3DYhv{+f z=BCNWSOQr+!-TL~Y`^GYjINl*D!2QUL)bjj|7^S$c|TrAcd23S#L(SqTF#I|fq5lQ z_Vs(8k&%jW78Ym5#Po8*FP0A~{sA?HaCgtPt5V@uKfkWQxJ4bBrC)7h$yc3RBVBh$ z9sq%=*qm;jzC91G)#2}ZgVkJSrMeNAbxNZE7wfQR40hiBAB6Or)@R7x)2EHL{N=Fa zV_cZ;SxcHF5;-cM?Vf*ked*9&C#8D~mMbr576LFp=*XshXRKf;Hv7hLF&q#fv3x5p z3wj^6q_ococ4mYG{k3_`#w#wyIwWFw2*2)57o(C%VNQ7JQx*f5_B9h{mS-x>J+g(W{-=Uygojps30o-l_5{r;l%Suyu^+?Z@1~vgY9NXY9GTxP=o02oI@lO zSChX+BYL%`2#vA`OT2uuwQ$BB8`l8ENTCLGvMLw)7#aC&*)@sa!_1RaKtSUDMY= zjwJ6!)lwOEzzJl8V4Ai}CFpfJfn1{x-vk14?q@lNvW1MYCCLWqk~lUq!2bP>_%8G`E@9iGqW==y6VMwq_*7U#+iWOQg}#F=~L z0ZX5ysE^tCL6A3#HNW0= zcLSX@?1M3)6DE@Pz)@||jpmNqZXo>PC&u%Viz#C#jcd>-!P;2ApDtDlFV%xG_XlBZ zQLdznutu03wgKOB+iNVA7XuXnE0Afbr-qLlUcW=nPd5X& zQowCvf%D}%4A2wlZ)%CQ3Y_`43__Dy0vYBe4P1+XoiYZNu&8}Pezq&O!FpIb7i(z< zpDr|7S6ImBWASlj#F2(a+S&^mW^}1took;OgH;+=H zvQ$UQGW0mOrJsLnuL-vzpZ{PXq$b!X&HdJ+0spIIVcFgElQ4R3dQ{41SOWbsw z;alPctC{C{oko9%wO~-@DaBHw}R|!Uw5{+zL!$cMf#JUGuy7QmN-L)O6 zmyywh-45@|wS5rFLf2{TmnB8Z`}d%0_{jj#R|f-0ac3jMur28iYV#8Kr-cQoRi#+D~B_m-{lJ z3q=f?=nqXR281p4FmV?j8~TdNryK^m9BPqoQAQ7Xh0g}q&@FpTthPbP1HJ#CyZZui z#9?hVt8gYD@sbZ{c72oTg?`Ph7{tukdhX180`@q*sgI=GrAWb!Uemtwo6}3bAhW*2 z53p+1guV|gR4xChzU-&*$!Fey!ajf4*LL=NZxs@mrT(&zl^_~>@(=F* z^6S6$vrCu*3$66i*Xu)8TaRmq_{T>=(@w`>46sjnj%Bg!lJd?_OP4 z6HW$wCf@RCKiXWXYTdlZpOW!!zuOF6ie8*}PuJ()cTE&Jvgs}B=gvBem^ci0t=a(I zAdyQF0-l&zEl|-k9fPo}Ezw#^`P<&!?KlPy3DjZ>=OL}Wqk$G3b}yj|4PslAU>{nXYu}4K>me5(c`&N^E5TtDNHC{vrE7ui+z89SeyK8$~H(M)cP9Nd@o%<$CEALZj97 zvl;pA^7jD??tQatHEQqPjw+)>jr`4J$l17-Z%v8i)5nLD*%zCaP8lp5^c!q(6{RoQ zQ??PvH;iyVyspp0;!N};tAJX@-}tFzP;HZw7<>WfoASkwyofP0!up4CoMiF3a=B#z zry0o?o4rU$vve&Z@E(VD!=*z@N>6?pXOPq!_Qm*s0KkX%6j!F6`%W^wP+6oZNv;&> z0$Uwu2sV~L1lutiqUa0V%e&i>=TMyvx>3AZYkcm z#%O?iRfpv5{3$!#=npy&%?vw463BgcFa7$HlKxv~{53xTLMVOslZ|9DZH|r#a9y+y zqJ&hf4+kZYYEK8#d2Z-O|8rtNq}D~$?CT9YW?6pE0VnIMXJ7rxp3_Q+WxlrwbpJFK z-f#Qm8@G;Zu7!=~0L|&~ceGgckw(;Drdt#Jqh$7`Qr2CUu+%-Sq;pqju_05Uc z>*7?BAf`|;KpQyrX^YYeluMza*${swZa}@WM zcjFLNiPl=wE-r;T_=O-WU}G@C5MRNWmsCFuVkC9y$~9Ryh_e0Sbi{z@bR>~m60?lM zW=Ln&lcJZAuTg_q$I$7cBGl}aC3jAb@8j*fmR+PkimzFE=NFWnh@>Az9{ET-4EY$N zOdCp_1(1oWd2Rb#In^J3gaZNdNIxcl!ikU;K#82`Nr-eP7c$fDB_H8?Us_A+vd*Q!U3pW!rbUnKWe_raU{ z_nI(`e;DJX!9<@gYFtgoxVEL&zz-QX{D6WBa9b~53GZbxIbV6*{uazS0hCT#L%oXg z8wp=m3>6`>bK7bC!1)g&^eFZHo6nDq35f=m_l0%aYyU7`EQV-b$mOCVXA( zaNmVM(efqwNAIp0x~IEjp1|}hhmXx%Bh$m^CMo7ZcNEHi;i4V9^$b@Ni46Q*5gpoVbOp37UbXue+s#Kv zx-8e$LPu61zo)OM?WG#XA3emS0`OrKk8?8tj&pP_xyW+@T17@(A z!NEz6C+OapPCszoBc)WR30A9VL#)55y70(J=cQ$KogafmPxb(`hf^Mn&O^!X_AEp$ zu#k1)c~Wkq757r9Jt|qC)dAG;)9BzON*|^|nGX9^f5Tc8W6&@uF-A#T#C`}wtz)gW zBb3$LZH3=6IA_bq!FVxkMTu%&%A3f1wO4k)-!7?zDf)pfxz>9PycRo>oXQnEH!6gg z%x_~Jy5tyd(=CMRfCE6R>h!!RZbb`?5-<9+6BXEe}2)86f6(Ct&eZ ziO&4GDOZwjJbL}=03;ZQZMPLShjPBB2p%g~FIeSv+*puP8*0e$lU_W$AF&v(UrjzM z+5D_0kU}@*(qlxGvK|U2&XjZMV`W`K=_&Wyxh1e(xpJmWxfWYmE$_ACWSg|U2KEC6 z*_YMTYvk`6_l?+9OGfpRgNCWf>D_u8RWVd7^ioGW0#<5*+>uL171w_Wi#0@DL5hVq>mMwyx*1aGy{as@j(Cb%dDF=q z%}Ec?dI*qj(nzxJ5uzKHJvXND5_0J#?%f+a)87sMM@}#1;}Q8QJ{)u7L%!V|YUO zY>&GAD?e3qd&k<5AKHDF;F}v5_M_80gosloi3H%GdB&@{W>Vl5UQe2s!3pV*z$~u8 zzMVZ%Ad0>&JF2(O{V4~iDsk)sU2854fbTgk-L8g#6gSz0ig9=0+s<4pif@CFQU&`y zQ~S(7Vk9^H?M@tl%I8Wnc0}<>LKvZ78^#Pj0P}K$Yfa>tdrzyaw6405lQ5e;)-TCVq)efJ#As1tBX6Q{RSmrTV0xA7epU3IuH9u~ZGxaUi2}@M zBnom?Y;gZuYr8C%t0%1dJ`? z@oM{$x5d|EUeGR z^#~PORlW@C} ziy`-SOdTZ8MyI8!nYP9Rk3WjUgB$_oqbE#cRimBgz?fl|C;LvWBdPQ>^`5JLv??b? z_8>;P@n#;8B-Fy3c-7>xXCWypSsQ34n5XYJ^i#!?2*s5N3%j8ieTJR#AgQ@=_gdW^ z8pZHP*HV6zB4uz_99Oeo!38|44;VT7NI1cB9w|3Cd9vV%ru}`r@yL^0N_d_4fZU6; zqX&xoDqJFbdRvXGa(A+6q)COo2j(|%oq()0yb=~CJ^&$Bo?3ibNVDk%SuQ7b)@2S> zZdw@rASP*8ZWZ!^tfOk=rDAj5w|^L^`On4T51JPj?pnjq#hjjBO*3RE^{o3oc?+%hp| zQ@tlBRy6aIS~1_d+BJoU)Rir3g~Q%vdWHjV(r({kbH^IJ^u!rCB&z=*601;2%$_%{ zXF)&sJ{7wsds_GB)6NR%@!D*;)O=$7du$+8D;5ZRnKidUw*LA{*iQ}qKA^l{u_hS3xr%$qu--1s(^hgo zy@1l)qY_>AVXQ${Rh|kB=U(h97h0}OZzX;$enK{$PL@t;;u~5L5rP{bds%|cVJWuLLx2SVBOV z@Du*S50-Vfw%2&B7z$!x!%t(raV>{sk-3Z%RnlJlB)UxQZ8ScvS{o;M2ZU{#KI_c!;rLDG989LTqV^6Ym_$<&Nbm#AweM8R{$?iXl znk)O?-%ou|%WW=-3h_7QlUL=-%17(SxGeLoKSs#R9ACR`S7z}#Dm-T9piq1==DP#6 z4~i*@N`{yVWjg@G$U%1jkKKdFIE+oN_un-QFkU`Mc3KYZp^qaHWi9&Q{KJ3-gOHbWf8tcc@p@h?kg?`0$aEAI{_}D)=JUbyD{~3pmxD>_QML4uW;T zt-RdF3w_CJmt~_~Z=rX021gE}I93-t;VT>XFBjI5^g8&mQ6Ta|&fy&Wz?CChd8vS* zJ3>kBf!nmX*8cdRKWVpJ4uFHzC)284N~5w-lmkssj*!y4$Q0y|wnR3jrio@IwOlQu zTk3$B-xuRNCC745?`chPM*GFS8~9pVWqdx3wxq(aOJQ-;Fif(hB72?6s_kood*9ja~xxNvez5# zY5p9u;Z_2UjUe;BDXeckVc{lNTeq)cX|2Dw(FRLp8nWMN)KO0)n>`uY7h-!#)@XDN zIPb1AcqZ&XACAtUV#;^{J6amL#0f;?I?{zcg_w6V;tPZj>y$-n4lN@JaA&K}(m-^M zq_jgGg$LArk`g8XQ5&X4a*S_Ai%p&<1KPA$-$dx+YQ^rC8OzBJf}4xQUZxqM!fs0N zkE;x2^(Nn>v<;{#9_`&#!004w**Nxw5mcpz_P}X#ct)=!K!Z4%0$Hr0GxCc#>%iK* zK0jAKf1^As3OsFB$7y-I+#}G(-q7XhNQ zoXstq+TF^$M|Gvqyv>&=TMNrEBLi%e?Y?3@HXqqs%hMh$DJhw_Y*oeV-b|N2O~y%| zV7x;%0q#5-q@*%Jq`$>&`H)&C$)6hCcC9Fi9LsWW|C@jFKb?l_t%^q8977+|vEwtU z9(xX7(eHZ^(i249Pe%W$3dX`I0csRpE02fN8*B8XGsN^CM$`UZyw4XE(oT7EOI34{ z#zrea;!WQ2=?FjC9C#+Z7kx;v(+WXM5wfEq_HmOG-UE`EjWBl zTAuqHR{e+UsaX*GABL9<%TLdL7}6&c#V_o1{}MD^D>FfEhX2g(zu%a9*sHbYYMd3< zU3+`CWYARvbUGahtK+Gy8saT|8RtXX4pa8}W^8-$IJYXIi028HBr+O&lyBuhhQ3r! zqt55CuC`cI!XIX0T~at)1k;5>Mm;8;4W&64+NWjiDl{|or+>LzC7|=2X)u3qXbQl7 zN6aSRpm7~?@^$}lG~3Hz%i_AqY+Jm{2LN1LH9HlQ`zf#Q5g&M8Q^1}1@Jz2OZ-jhw zU+JW5z;#%X-rfC__KxeV2y17WB3%!E2`@WMH@k(%aii>2P=eIuj4h!_D^fuInZ!}8 zi;o?zhlAd**}3OotlPp4fH17C{CTeLadV8KG)uAi-wz8#-#2Cd!?6ETe)DwkedaWnyLsfjdMGd9JM3nqvw&lEEi?U^O%ooMZH<t8#+1=44K`FF z;2iXPiG`iDnmSO;Ru%n9j)r-wDx-TqzEZ5~*KWaT9kHztt;_5{fdNb00Aqa|!7HSe zyPYb>s;MMky5Gx+Yg&1rV5O!Z)8>!ZhzH~QXCrP-a_t5HvyE353!;TKi9mMW#@iVq zORp7J4w4&H;iT2U^%LKhOZ0`nht$#G<5KW+w&{fnQ{;-a%_k)l3_ruH*pftlg!k>( zuO-DPP_RDT^=4M0!H!+nA0d1~`L=k8x}xP)9!Q7CUR}(lD25WNNm5UQ?nm!ItWYx` zVPI|*h5Nb@=U(+^vYD2lFP0uL=-M1~W34=&BWEGytP~H1nK$n<*SP2_APrReTLzuo z*Y9zI@AiMm4Ucyp-)c?d`NDs!B@LXdxwQ;}GZ}e_Idt^iMXqgq;MVD|61f zC?G`oI`ZR?Nz#fT^}@wX3NqS#H|~1F?M1ZX(If9o5P$u|L zZVdb_A2umZ>t)JMd&3cMqTXKoBz2*(>pJC@B0ofv^Pwz4g!UTGF+We|q!P3VnyEM7A^HL%EfTLAp!!Sn zFzsB-7wO8NB`Pu#unE55Nv7Mhe&ZVA+NY8ZzgH$}pk4a*)%?37%8!cKJ333&@w(E8 z^~5WEqNxGd(E*y$Cs`e{#C8=5KI4uZ@YFYJLxb)_!F~3IDkL$hnNh8Ww>88~X*=qo zDQltTMKE@l>(&N7sdUD*y(B}zc-1#gc_$*xT&G-o*ur4gh>5R#{#y=l7+3#U+K#n6 zh|ovoaWRzA>V=YsHVH21IW7b4uhqRt0|85EeFCo{tspeXfRqk~P9wYO022o@V3jOD zzL`?Hwbm~k{CmXf5^kU8y-4gO+c7q)XW_mm7*OZ(3~y}vbz34Tj&ZkZS@PXi`L)5P z&Ib~?d+CFl)yVGpMsF{Ooy3ern3JVkTiT?w?P;Pg;pDgm#%$X#RH^wji_qP*>~>q< z^73-V3&Xurt2lt?r^qdDEkrtjXorOhcs9C%*QKZ;&wEYnho!BNPgVd+rC(HbMt@D7 zWVBAZYN8gVPPgqvF++4u35SZ{<9kSWz&$VE%U!Fc1fqNJPG#+A4y%|(=ZV-Yb@kf{ zXs3{>XY?;7GVB*k=isrAgr{uk&qGrfbLC4I&h~w=+p?8;^vx32b7?1AfC6Q>M1FI` zmOoDT>%l+R>yn>QQd=5sE&nBqw?&*Rmkb{}E{BZG?6hJsK#9EbMd8~p9EyVywj5Hxr zD%UW>d!OpV2sb;E9g9x|*S%n>2_Xjmaib!V>(Tv-@Ck6tbNz0pI<2V|j?Op+J(^sFra&}Yms zdwXhrO?s&lF|*Xt%?UB;yI?R0l54TQD_a&GYeTYo316*FZ1_#p5-51Qld7wAR-%5a z=9p~Ls2ZWPn@c=HW#TRd$bVlUokz4&LAI>+{b&tWm`~exglleMsoQ?dRoa4AQXo6| zVn6!zStDOTZ~429P>)B0D~muWs-(5A{BS-wg95IDChzhJ5`UXA-uoVv5Uc)ZDMnwt z!W>eB-P~TW-hy)N|~|1Yc6F-SKj}Jh4G7-r(uqy=ss$eyQvYMfSXe1bonoP zVoQRGO|>QtqeGWKe+3U>uKtR3RwPo8SF#ou4+Oka4qqn0sVDd$+YJzyvkvGT#y>?A*H!ks7o;Rk*aaARealFzWkNd zn_t@bPxBrBwS3@lRp4zfBdwc;(&-KjHf z_yqpRZ{!lvgCwpf62GPd7`UaokI8&n)IJoS7s~jY@*-9|$r~`I z>filCF)WF^T6sGnVzglVV|u)oG3lm^=0I_6eXjXf2HZl*+@0g^S}frioC<;8`Y0&! zaV$1^MY+p3u_)B$;HQeUAl=xI0eE}44WSgZm(@4paA$PB+VsgTApsBL&Ew0Dg=UNnuSHD)#T733L+kg*%}B)mZYWQB3*x zJ?mg9UqgoPLv3m`?uc^UD}tq3vvdj+$N*wHY?HVqL%le&Xl)Zi7Re~1{xj-31H!I& z$}tmim5f+;G6&9eTZk5_y4Q!?i9bY67UaiiE7G@pFtOvq08X1OeaZM;?7}hYx1)Bl zFJ7`^`k2$Kj2;bflUmQpvV^eM6D2f+%84?7#WSGZcn9(^uvcV>=rL)=jylP7IRzk@ z;eEA=Ic!p5uAuqN{>;X=rZYMBiA4Dz`3(h(fi1m+rU(-6w|1-kV z+{4YW;Zaw>-)PY$0pz5#41oAh7bbLQ4`G;{k zDB0m`e!@NCD9eo*%Y;k$u=M>D6UC_u98lliOXw4$5<00yg^_)9Q!&`UK@C!Xm9>p! zw>@^cHiGffmiNgx^W^ApG3j4eznT+vIXU96{k4|LIG}h5Pz!p6TpL-2{*kCQJ2{hY zDJ>+=xzy!^ZL8$f^<#BgZhG{uVAT9xV?c?u+5Er`EeW1EBp~)9IM|~ z%9cxkQVBZje90AP9tSq3vVjrR3YEUp-?Zu1j!2f*9m6{Falcn%N9M9pbt4){4BxU^ z=;q`5@}wXiU>+wY%C{OV_eK$}|3&z{)BOu!{{eZVq#aM41->|~4K{RgR0XiKMpkwpE6IN?x$ipV7E!N7{*T&rnrzbSG81TkC;QR4XQmWNe7qK&Tk@k& zmEkr7q3^wJn0%glTF}f!uEP_zVU{cDRbUo!(Cn8-k6np?sgCus|9|bBXH=8Tw#RwJ z0*LfpB{b=RGzn6KP^1|kM5L*JfP~&bKm}=11O$W#XoL_#4<$h8y;+oec(?teg%aJg&*~M8bCYh0c&X=cm9UaE_4=b730T} za%57Hj8?18skEl~^mH`sdP70RI4$#Z8!Zo$sq`M)>0;0QOJG{EM3;vIpq^A)>y$|i zDHn6Oj`>t*^3K5ttMN*wPt}C)ouKaUset&Ld|Xa-5&xu=^R4Iyg?DB**;tige~A!~ zrNHGk=4P&Q$B< z&Hi}XGDq-r`v;Y-2t-oi6N-`0*Hd#Kk_cLAPgRIPyw}dJHodQ%Nk-d3)!e)yzK@Mj zs=c_isLGtF)g~a&#p-NH1S@FYp#&@ZX}cy{`YC0{MWQkEg(~^pRA|L*a`s6AXbo=0TY#6-+5?jI3wFL_OMuTI6yc8 zPp7y{#7dxM5U1|ztn8PXdGHetN$`*2U2NvQ1px)d97tK)gb@!xuOq&< z#5mHTm?%pwst9N}6n5)YM=r}YW}CEJ^;EUI5s^_~=YV`Lg1el@(srY!{l~aQSbYys z;#2zI0bmM#Jhp$#;Z0OkvNV@ns9vvoC*LL+)z1hL=TQS28jfWYUvFf3V0v9eW&e+n zfLD6bS^>^cBf=6G_+O0|k$FQcTpGC*iTpiYa||zVTX@yVNHQIi0|sG%({Ou>l6K zrc?Q!LFr9R>=Bvq-k(Qp$>p46xQ6UteK)X(SdwjZRy1-LgdN=SFMAn1$7sS>`ss=E z%^yQ9(>5g+RXcFS<6f(D{>|PG9g6H+9v5>LFsOh16_P%KNiVsZ_Hy&mHWDT?xkH50 zQ^ogzMOTXOuE*cprFT<2_aXDREMIacY`j*-d>5w(^cc6*-k6pkgUuH4%}VhBV0Br6 z0|rH6XAghH#bDbIdc<3 z8%Ra@P~`+DJ+QP9(8Sk)A{cRAgsDu@K{Uz0$?*(WV~s|7f{_dI&)~7KW@*9Y1%z)> zFs~L8GvI{QROx~|ZE5Lj=d2vs22^NOlEC*tvbzFV>G$^g3~%e0&)!S!Ipn}Y*0mk6 zqrRs>{VzxCB8&0^RDXTt7XJ+OyvYliZ`S&TZ_h52Drw3>h~j3edl|~V#LY}+9SL0D zVY#icorPr-5sO@uWX130ES{&u@{J@Cxq?e*o&H|#j}PThj~E6*riNyCZEJeQ;5 z%osWecz!2?-3goLRKE4+_repWl5rw9-|&X#r+D6`xu;eXFzWIs{8{!&$`y`l{kF5e zIF#{X7f83QVlIgK%LUW z>EOx5Rfi?rB3I>gkG*p0U+!3nyJs8l@|+|fvpgqTsrr1snBfYLAbBku?$tz9`? z3mVFJ*R@Z2wy*4X|L9l1z28AXE4lZpjvxM~oxJLte~T7zLQCX=wN8mEw&G)YepcWx zrw2RAZJ1oQ2Z8ugwFP%H2=SS+vXGID5I>ZIYIJ{`^PP~F$Md|5HU`mwCK#E64G~BC zL*|_zDOH8L0CWVL>R6y7B2(g2X0zYuan{LyT+=mDJ#6t?l;sHl9!X52x+ZfeVL>&n z*6JF{5Vi{YAn;fwcFnXlf-A;*50<-W?uZ3k0-kY3LhTY-q zaNieHq?G1UP#GeeOrCDvQp4O&(^D^T7Vn9*NW_l?4$|t{$ZY+hrfV%YP>9fTTfY>% zoFS)*Sg7c(y15K{Q|-2kaE6B_r)@%QAXf1*+;KKHrSknNwhGQk7@^jTRq90f~NVF0Bl4a77=|^k4p4@g-4bM+i_;wIAl}U1_zQGD(*3+gg*fj zlUS_@jAOw+@xeJ(6g^ROvra8q2|$c6U-a!y4dG?Wn6VBZ8X(bH)9Vb+DX%z2ATB1S zg|)dK)il*{ET>o|UAAG_1JA#+GjkZ?zH2f-WVvYHhZrkWf;AJUc_#0+1$cRFJyn!o zmmC$;wZ^!}BW|Ek*Io&+`q$pQfzDf2hkUnLDxx1o6n3EN0rq$LAwx$YDtr9k#L&~9 zt2K0YlSY+eHl1b1gYDvYei+DR^a+gD7Q{0cP zVWV@~sHf`pHO=0=(qoq9=Ndzx#r?yFTcJ^f-Gsig&U;HJ!b(^@Yv=$@h>H!F@VS|E z8ie~+Ls5+4Y>`B3bY!H;i~L+5#lp~!=IIG81&o5#!Z^rqMZDsQ zpQ`~MPt3%b2$%q%OEp6HKU!X)v47t8WeH8l(mBQ?yo~lT<~uYRQhPEn##;K!yAMugv?6sN|R zLkY<67XL08f|#v+6i=`Jd7%RCNT3%VLlCBs=7jDR^48_zjhxcO7HLf_1AZlATuf3~e}gi@vae%H5JU z*;!WV(uyP)8ype7P6sq^6Yh1lElVxO2_EH*qM%*|-x&R`MZ3OjuCa$v`pMcO%xEG7 zmX?h{XEByar2ZEB`Hl5E!rWT$V4ye@VZ=p~0V+%0*2c?Y*{8WOxz8H^(~ROLfD z$(?D5Kp=nOkmZxwy+Nr>?M{4>eJ7mQ(I`Spn)UtR$m_z0m4ekRB8)kYOCw*7xpOTh z*^DXGIS@tq2u>Dds;#cBen?AyBqPbQAh#!JeMWXpvc&d9dJBHcLOeLQ7`zknG>xz^ z31=%eJ^HOk-8xkL``*=z*?im}GRwZ8yUEsu6}~Q~qzBUx4YK9k{;0jt&*P)TU=>p!EovyAKZH~fDD0~0oC7YS=jKG1-a#;inVaa#!17abQzo5 z$+O+JEz3kU68S=A=f8$aq3h}#zhG%A4Hc!svb#Ld-zVHqv1D&l?z-?g)2(c=Q#Tge z;>e-d4#9`svoH5?x-B}d7vWB8mA@LLxYz&w$~7#f#)KQ^U8e?S&S*eRKM^)NC)vDZ zneW;BX>}~RBURyEjGb)5bdf?gNlvm;r{6nO+STqAbcMO9&LiWIiU(Tq&eobvne!6E zcy(Ooqq)+xuNP?L$1Giw6QA6iv$9-yb~eWGd1VGg`XYi5QV(|c_(Mg9FsJ-A?|sM|&M+}?bsHnD!DN}h&8oIpb%ke5p(g3;^?*&u zag`HE2Eg;$*1ptEJFJw-)n}ov(Dx8pxde4REb(OGM*UgvLZLBc>C(c!QFS6fL_!_e zEjEIxgFYOw9mJZF^)?V|=NZ9pYHx2o)0RcCISN5-hb$1HIWd>uKI)tfZj5Ia4!62` zwRKGXKK%Vi)(h52p2Ur*u7~`_(U-xY=}wSWuGivSDeO=|X=FAT&N~}x)HI1Rb*d&A zTKw&Y6`Pb_whVR^Z9`U%IXhwn9g)%lpL&v|Pw(Zmb5yo3+9Y5I>^%wel8XvCY|`pi z)m}t&=i*7AqoFF>5!t1$MsMSJoW$OuuS6vyhtc725IgR*xs$ChjN1krVuL zh`J{t@oj(5vahH1T8f*z(-ZCDEUjE4$j0 zkW6Kn_0fZg$7T8X;fx%vpzA>uK7-rr$ zo=sy02K#Zh&zDAg$VDY+*T@K{vcb1M#>C%RT6qC;r2v?ndoavI)SCsbf-nm+ueUKA z7XTnIgtd6z?g{9FzWd}&gi2dMw@|fhl*)rDW08nTMl+VOXKg=Z$DoLA)K5L8AW;zc zbwt*Bq`KN!>|S-V-W7nC2zQq|JI~XrtRc19&RubS;TPrZCV60RL*kf z=SL@6FUvG4NNz}CQ{#H1bLrKnU`Cq8;@s*NfsL9;KL#=rPIE}lbcNj#Lu|+RuBh_A z+G&%U4dlw(%(&HhV1k=;TRF&hPM_jax@o>YmEtlo6{J*9&X0VVzx-|2h=@HbIt+iH z&|22{zV+EcSCHsZZG(nt)IknUA3vW}0fR+6Eu)V`;vlvQ^@hEKHT&#=QLWe7CvH~8qA*d2xA9I)Go=ACh>4twl zAm{F|Z*3>|?p4qQcnO{Ao7i9hGpW%(5Gf@sZ-*3?K_~3;-I4(ckJ1yYR1>4;znD|M?9J0gi$*&dTF$keyrgc{&Z>@iw|$kTT>fegPs6(1%2C4-R|SN*qb$ zHB*xnmC9U6`M}W8sa72pi>UsXTjGk`N>)f!XLhkQ;x7P_%Pdhw``W8<1cW~7<&Yr? z3mK~<7&&8$^GY~C&Py9u?zMjmJ*R0rxGFmDr(Li~%FBQO4U0V?kJHZeE%ChI-*eSi zyX@%gnM^a<=Kj)K-G_})!L9-C0L}>5Q91=IrKd{JtsLijjfn0^EP!;&N&Fz zaM9tw;e@px84{Ks0R?oP=OWud0u9EY;9)a5i&`_{c~!1!5V|wdzlOM&4Zfa}j4j9a z8BQH71`SMU-nqDar#(w4-EZ+Ug}2eyKud9EeDi~%^0tdhoJWepo3W}DN5SR%)cri- zi#sRlr*)YSn{Tz2KIbGki@~eAj-TRtqus}l+v_VoOmtJP@^=;hzp`I662X=x#8+@) zZ|IYMj%-!BG37QmKh_3w3ACq1W9%l2fafIr+x2@#fsjO{UB9Wb%=B{-Y~P%x?bMSL zS!d(-01B+9BG4J{JFC**8!0mD)AB4_T`T^Q`M?Etd_^)A?EtF7xClttZ)c+o)(r-ie zk+At8uk~TmdMR_8sDY|IN|tu2V+pQ?0h1~r b5t58@i;CS~{ndbt8)-u2y36qHbNqh+PMi1! diff --git a/src/windows/leash/htmlhelp/Images/Leash_change_password.JPG b/src/windows/leash/htmlhelp/Images/Leash_change_password.JPG deleted file mode 100644 index ade00bc44e2028b8c56c10211b3cb9d21b0e6745..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 30300 zcmeFZ2UJtd);AtRP!LqA0)i3}AV5H>fE0mHl29ZRrK*%b=pd+of{*l0LP!WzN@xNK zgsO;pB0q74M`tg5o96tDGILg3q_%H+Wkt2*pS(sT^jxirQ z#(JFnBQKb?3`SjKZMZHA6#>ofr){EiIephE9Zav z`2GUGc9hQUkQO~15O9c%j-HL~dkcUcKnFO0b^!O+!Ek_!?$BX+ri0U#CjkJ4Lx&Er z96535&{2j%M*sl2LkB7_9${mrad2^;5=5DpW0R8mIf2r~SMYsDPs=E1n3~yn-^3BJ zbE|~>G;hetUGVWOrwjzV6G#iDt>chWaUh%Tz(~IzznVUf&A@p0$id0;Y=A>Q zJ~92^0MP&7pkq5^%q}RcaRZzEnI0(P{ag9VzNy0utC}2kIp4?&Gr%YGz3eO2akY@@eVZx*dCJ+a=hV8f8$MS|BtnB zm$n@0-42NwMEo=%7zoFcQd*v@WZ$|*>AXiXpgkP-qcQ~>CuFt+s z`Ah6Gmx9U1M*PX;n6{Xluq@^b)(_g)e<1FX9O%r@63LZrF6uoJoM#V#x(zq)8FYuGXN| zUjd_4N=C}_U_m$?G#Uo;PfRH^1g|dj{wCsSgRUh7y^OGp$Goj8(8Uq~cKIk`=C?&jcc#m4o~La)c0IW?s^u9Szh_MvhE+A08)(w5@X9J?u0q#8zI8>P?1WufP`J1+q_O zcPSkPNxNckP`AVR?QdzuJlt&vsGEn6O zW|%45i#p$G@b;{F!OM{(e*b%AqM3gXmx1BuZ9 zj)lZ11iT0e4be~x6OEApgDR;Ny)wPzS5bs7+=&rsKK4~i=O>BWhajj4?85}kp&2Gm z2X|fzZd?a=-(LO}-UL}xBM?|HGAPc`R6n}nnD%!nin9pA8=kC8Jnq5}=1d<}K?cqz zfxrkj4^EHTD|r@Ab=cMYf_&)fjl|TnG!@B<#{C^|cB>y83JFWZOGyTA**p0DuCqYZ zKTf)z9hAJE>aiUq^mlhi3!(2DYJoNPEBQ5t!CN+v#~cuv6lwi~PLzt)2 zpnr%WcKbgNAv=A5f@c-^P&n;5Q18tjH^0Kq8`c|4acY&kKlX#o;KE%P_UYf53+db& zeE{PJ+dtGKi?g2oFKlveR@rryf8Lf;e^@07nyUu!W$Zg(`-iIN-2GvV1GdBcw_D)< zH-rArlkW!`Q~sw&+=V}!i1iPh;D6Cm;eW>*|7oxM=>C6b(fy(WYaDd{Kh)%h-~6Tf z|Diz-{D$v`6aK?~JwQnBe9+K8wCDetgZ>XpAs{L>k{so8nmi?Ei9MgI`Nn;7Ob6>F z8sm76(f=$RiH+b-#K%Sl|8TlP535}cURWK4p-9iWh~;quWN;@c0gS=-Xiq7dF@UwxC! zvA=xxMqR|R`FKHhdEThm1txfmNq#rbugdxJLMf48u|UdK(D3$uE%8Vb4BLav+_k+*0OJ0@-E7wIHDb0Z?l z>Vtbl{ART2^g8O`^-R0MG)MZJvL2}ZaX)#iPuFG0Gl)3wW$`=U?9S8R_aC2nbU125 zdt9I4r@EJ_=kOndgRg8E3coDUtN9=|?8T zF3kj@hlB?cA47m@_q4976$PuK2eRm+(sIKINWTe@YWRFdn?v7BHby;JxKpp|;q~pn z(5uAo&lrV3)303SLj@}NR;6`H15{IqhfKsM5ZmMea_KHl5 z;lq}^VlIU=qj<8Rzk4atR9HY3h;(_kU*z?Et~aDNX{C|>4jgHbU7hM~LtF7$`X;%qiwBR(<(Xn2+?besm zJ3b{6=}N?S*Rt1qkJ`%Kv>Fwd3R!=4)s|%5;~#{a%(x|Y>$r07D{~mai?R_*rNJ(^ z`i&&5U%Wl^X5|P0ir#y$_9jlZ%D%oav^vw$^f58CBc83$qrl8K*rKTS)aN-_B{4H` zGE<;bGE3`c6FRU(oVg2^@(q(mTvsj^F^RRLW*3PXM$2X0-5@wvd|r4M8JmP%SUkfh z5Qt4BTMu*D&byn;Ui9uL>F4tZT!Fbu@}#*aF3GrM!g&aUa0jOsxoa`He%n7GY5k(K zKN(6;5nLw5x0@|7`tuQI3ybVQjakrYYQ9 z$LWQF(63hiY+nbG-H#yaBGlCUsN==9l2xAX!!0>ECTDh=K9rY6-sU$Yn&l1I-gDTf zLZXU1F&v3;UqJX(USE#93OI@Fv)9Sp#}md^e$%TTD;Th^Q|fF%B%f%C-Q*sLt?(|4 zcSxr_Fs@H;PsTz;up|d5_u*+H>c_WMx9eDcQM}RlPFcjE@u!taFuxkfyUAFs_AThO z3kF4TDKT~+>%8ae_s8`hwm39v*2eE zA-dk6crQ9##l~Uorl6PAktKo-*SH*WljXRWoAC5AH*teX6bgn;YOj={M53QYs!1&f zUbq&eE?aZYeRB3s%CBhH#808}d=XhxcPwZZzM zIGOef(Vy7(KV%Hidi_$lx&Vw$rK z(EKQVpn3euQa`ER(Huy)H1Si+9~al}{XzX(%zwc)XI9Q^H$Dt`69m57^X5xUVB(+D zC!3?N`KjKRuZ%y6qpHKxSAN|yKdIwiUWXcb{E+aM;@@I^JWu|cwwavjjg|{X4qQzs zw~F$X#JoOT)&rsTvm^-)aP-WMnYtK;<0x>15SZP-QaIVUu;zr{cJlA96zvjQ?;43H&A2X z`|7q?cVG&yY9Fh)7z*RJ1iJEh#f0_61QjJb9>!C-kIPN<_2u^j8bg#-AcmH_qH^|k z6ej}8l*aMfK4+6Tn&!4;akS9q)rgA+4kFar-`7X$>rl3sg;}s&-QSG9CIj7{EDU5s z-k9=zCjF@Fk%#520p8!L-M2NDeBPo^K`6uaG0M#ypDyVg%)Vqlzx)+Tui3B1-+ueF z4%rVHuG}|lE4J~S8X;h%E~Hx7*>rnu!F4{XU}{IYps^!H%L?>UEB8zJJECPDF^sG>e}J`m+e2w7f0Uri0@&dz7eo{zFsU>w);7Dp+egW?^KuW zioW}D;n?9I=*2D5-sy8OoL8<2tzzER=LfSLzM9+mQAOABA%Kor&|NSdh_v?>?^8*D zt+($rpU#RVl*;TSpphl=0&`f-d|8GT3Cb8vZXVgCtJ1z_y-_RMC0KUn+e%b^AkjNN z2}GRQu>8vDSI8m`_nI(_5}YmQ$&u|=;aR{EyD}7e>kXS;O=vd=bHcHbdpTA1&?c3k z8GjP4V)e4CszkRgA^O>@;;nCwmN8~G(uZ?AuYrrk%X2bm1xW9t1l7oIymS#az&m{G z5@I$U${px+m?2icU!s=NMo5~!=N!Px1+=3d^AX@f|3F5%{im_%W4n3)vquCjQ|bQr z>c^SmvS;oC=wsIbK0o>XTh(!{&qm8<;(wHYpu5wJZ7Er!n6s~R0joQWZ2MboS<+1xo1Zhba32d@7}(74lMw7MBvXo7 z1>kVr*ce&0LsIxaorb`oZ{1aHn4l=jht{Yf`Ba(288*UHnNYFj#%r>iQ;rKbI7VVG zG)VKzM4JwwE_FQmJK&p&>gzihR*xr8*%(8G^Ka|owDZ+#>2E|edu#(Bb0^p<>v>!VV~=v0g6W`Fu^cWc&)kv{#)B4I zSEfs787^-keL?&(s_-wu7e!4fNRG``9#55yX|O%VAsw3YD-ENhV zW;i~J$0)ss^;LfVEGN<6@B{B4E}l>P5GXs!*9<#Hnzb-AdGfqJUtJ6Lroq4`8x|R9 z`ZZ+r@@yfMEQ~|&%g})Bz3st}9ja)jw8xyxH}?;P#d22P0m>WF$PXOi)uqdC>RX(p z8n1dNF9aBr4CEq7h9bxGDb)&bk|MggDr?^X(vkhEogZAC9eR{G3u}%U3%9zQxqZ1l zP}0CoIn`fhDXMj$U4j4`Wgj z6!tM^^Dko21~}Y{WN`$zwZb`QPHlyiM@l9Z`09LuURA^F!@n=hM z7mplI`FiHduUd~eZ%{27mAUjL@<%h}xM8ckP zA%cX;6U9D6YNQ&7%i~NPoT-szg|%jmn)v0y%`m1YDVXSSl|gxYsdp3z=Ri#&Rl^ZT ztqz=C#k;e2+w(nL8a<|0*3 zkcGm0jzBGcHfP0oOQa!88%rY6G4YSAZzrUGGeERn9RBo5zr;DE&Zpq0r^`p1dXGiu z{N%NeZ6T}`Jc-Hg@S4IElYObs{vJVidj|}SF$%AYIaSI!mO*EPD!#4Ob#$?ew#aPd z!?dAR8SnN~sR9`ZyM3wxvH|KRzePz0AL>1NA zrDebJNg!7}a!KzroMqAL^^gjEGyMK$XpN2c6+&beD{DQQ=M`onWU# zy*iqN8$bY6g{bQiE#cd1na^S%hBmskb;}R3^X$zQz0wi(Zm)~vBfyogWWh~-tN>UW zk~oX&6S?fFk)2;HhXG$35|Za}(4BGOmvRY_Nl&O-`1sO8!s(5Vc#pycF~2>m5)50r zrNE?5o=DK^7IvmdbU6B(xjhYPFvu`0y1ZD$eD^(k(c2N`K9r|usRV5)jKx1@QxPF; zljj9HECvqU-{a3KxWln(!Z0$)92eKVCtg~$;$c~#5fOmyY)wq3S%{H)64%05^!+bC< zGRCZ4Zq`8`yae!U-2QB*_FL3ACDf}vIxm;&)Ij72r|+RsU08%kNKc4xm?93L7p0RV zml_k=zP83(EiQJ2;Y4KC?OsEMn^B4xepaU#+EcA4n)z1vlqw79d>wBebW+ScaZFWG z2U5qOgWVK!Ew&^!_Il!~z~^QwVKbCcUmk6C;6r;1-9p*&$7kb7XOZzLh6}0sV{&N@ zqdXX=e1C`AvCEKZv8}cbV!kQKh-UZm15Qr5?w<}T;H$uHsY!WZJhlF$v)d-K?fP(v zsEJ@cC>pA|9c5LPbX;3A5$T0D6o++53?Xf?d-X28opw6f$rl^dI?W%)Yz?>4>;vP81WoErmW~3t#0ww_-P}R*nZN&rK*+a#zBVKFunY)S}|NM zFr9j|$d6TK2_)q}GaYz^4-wrFY=Ju;xN4dP7JPe9mlev~+RWRiHk4~n*7kZt%m?yO z30x|`>0FPYNj%q2xbLgOZ4uWmh99srmFq7qTmEu1%+Mhxlkfn*rT@-I z`3Up2$mVg~A0Eq`segGk#_-#q>~ajmls(y$$es+CCsEORjq@zwC0(&AUUOso(EjM zb7e)m*$rytBSbT~oE{sShky$8eg}Bpt?2Sj)iMx-RzK(vg*(8m&0f6!5CFLU-_hv5 z$otQnm>od;R~>Xs&zZi3V1JbNPxPk$Icq%qcr{;S(^7Y}??vFiw(-j)5ALITmbX`m zvRX8_Ma%wbR-+p;b|=2;5`dm`>2FXfQhh}E=0>?EWv#dDr4%nOQcgq7PJ=~X7rI(E zi1;Ey;AHkIS;R}}z_nP*p*E|`v6_;Ufjd;w(!xFn=Tb;a0a@+%`f?TSuAm8uED%%r z7^GwAV+B@D6-M6oJcqLaW*xewDR@mG#|2Yqc(S~M_BI3B}Tu74|AFLBqqLqF9N2ZvA$ zy+@g#SY^b>%mRsxhpmKi`?w|Lv1wk~ULCP~hs8uL1~*q|ENJRzE5d4`;0L@YC!7TW zv-3MtT0D!TZc6Mk`D=GtEIZ~oxO9cKR|xSM2iwp}JGGVAiuH1#Bhc#T=*a}GY6COn z^2~0*c>z$h!=!d9*NkXng*+)57w{$hE-Bztg=A_jZX!Be1C>X?m%1g_zbs`k4-j^o zvcL*NSEv(()=yMVUQyck4w%aiUeU=M-;x^-|6J`_#TO<~Pqe%~uj?Hq3x$shkFR#; z;V2tSAZLUer5A)v_30|SU^9WI%_Hl<2AZR}h+E3pZHO~U9z`|Asa9b2qe-bg2kXw6 zE;6gS`potL*1j_1)~xvP&i86rdz9X9?P(NDjp}=p52yI9onLj_%!Q9_QA%vsySNh( zZG!o})T?za$unVxmM}vFkYq5qJx0<-C0RZ^?u6U~Ix2ZVIY$m^NaDRq&Izz`UC|<5 zHkM$G(p>5IjnaYnD7rq~rF_VtUV99E%JVCU)eHJvt`g zz97}8*QYL3@SOD*b?WqqUWp0L`HfR=^PIDY{cjn6QO9BrU44)~`CxY=j$`d>;JaVc zl=pq)Nt3kK*MhJ)LD!7#^8KPD&okLE-wZhRi6&>%wfHII7Zuh|MOl+`pwzQJ-~j>vMj$*+Ed8hzZMf6-iLc;!;Y$ym7!95yRoO3G9F4lZT@z( zaZ-1Wz&>|W`aFQ2<+p#`6H&!APs4A=sEpIE0g`iLi<4$xq+n?w=tPXg(ad3Y1*CVV z_MdJ*6NHNx^FC%=x|K`ETE%X;7@Jo9I$;Cj9-x$$w8qBcxW@A25Hsw8^XpX2lhN|3 zN8Kf|neiZM#oC)$sx#M^F@ENH(JXOPn8*j;+zb! z^iDm@LZFAtHrIrdWvf+&D)J$>b17>PK zkSHXuJ+>RBof21-3lg?`I%siCx9WqTYy9m;75fRELleVX+JoLt?ah)Ab*g>URgESH z_Nk^~d0yF;=HkmX^yeo8E***nXUwMwdqvxJ7$B_NE6 z_(;?sGHQ&!weD*|z0A;Ww*6XGS0IHSJNj)cnMRUDlT#@%z^(|Hu1=BBY#W^5nYQxc zlv&N>cWNi2UD0nt-O>b_$x}R-c zYsfPP(Jb3eOPblsMZA3wjbPnOvmgn&=!RkrhPuXVB!>VIVxq4>xxZNb+{toWrXL{} zU)3K?NH~fVE@k%}{~QO@D2%04bg9wdh*EzeKFoXUsa#yOt=eTa0uqb^MpRY%4k8_wv>JyStmr7~A8$lrNPPzGX z@5`JxW>4^3P0Y8b{=_6*gtKgOxmmsx4!^$yaZd%49uC3!@Ug^HcJiIN&!FCRO`||- zy^Wl=H;6$J(%G18t233su_3?X6zl%zEkujC7jCod=^7<~w_29@)I#OX`Wq{iOb)ZF ziq?!cz75~3#V%?;Z*n>@Ft8p=Qc#-2~Q8d+Zc=Z!U=w+#A= zt^pbE}NTd*Zsw^0z~(1%|}FL_1QWTirXy2ReI( z6?UHJpQ8~_xyI+>EO?607No30$lsJmhXzl!Ujp2c`KQj3{$>yk7)qOAcfBn6Xo_X> zg0`BwLZC55t{u<)Ca<VU=HdsPqM&xlX^RGP z%&XjU<7q4%J1ltvGZ0s&(L~3G72w*jljy97rX-af4_?}PTG>)yPltk}U+GO20?q`T zf3nA2ARz{41t<8=mYrQYz4K00+PO%}r@_XIF#xnok!#1)J_UtBq@JeoA*1DaCu|=O z+;PM_Jt5G-6oL$$m%0S!Xyyk6o$A9Wp!a2bD>Q&?hVvukr-3%sqRliC=>s zi{0&B#7KYkr9I}X1cJH!Ki0(?i*E^WUU5(T0@SJ?9-hpM9Ov_4Z|gB2Rj*OI4erch zgy8<1m@Co1Yg=-(r5M6Tm&ICFoP$itu1aqBX!Y3Dd-!Y!TA3XN$4$*UIAtar*T&8* zPq{;)*TfdFvP~u?%H^P;3|9Q~9Z3u4_qo~41ph^^_e8*A)tJ)U?$XUczu_tTOWbTb zi`w#)>-94ZRXTTHd&r@!A;#GVL&sTFE*}5bRtP)Es>NEq$}P=@L8b^2YF1n^UNn#% z8qVb7s1rX0Wt)^WhI*8OFhE&{UOkHTD5GrRyC=;R8R;L~aa`av4aG&QR}n0ftdxb{ zKxxkd*;ADCeO@(px&!lOgIO^h$4f}}m=U*hCw!AKgHT|sfHe2h#Tl1+9~ z4OaRs^KUZI8&QUHhH(Yif-;GCv;`ZQR-ty5uU#R@BgeaMsHTL^?^JwzRl^ODXG?Jj zX-4lRC5rOjHliuxS7QfDV^38n=!jgsRVj64rpQ-p&qo=LGZoE4_eaQ=@=H)mzJX_R z)Wc>^KRPc^=`6SCJ?d@hnz;|^K(%=_Ko(dUQoKzR!HFPOIP&W}Bgs>^*R7MLFcNQ*JQPPV5Jn7Te>UYW^k@Lxyk2f8Hw{d`qbq8$4!|hO4LRi{a#Cb z2tK^H8D@77Co~2Mxo=h=&RQRRW#nDMm*^}zvXL>OmzXOgFQk%iX>HV|CL%My;QdzI z2Rd^*k@o7YWxs|SJ=~{|<7Wz%mD4-lQit}G%S^;gsjQXnOtYzVA2ElE-+&`%b#gS9 zEO2t#N9>}U74S8#A4nb0o|ECz6pF4qnIL235F9Z1*ROJ+Fe;|Bmm0#{a+B=$TqT$XgtR z_t&KhAd>joc`_c9@zkSzsMiOZ-$DL7dH5umchqOO!awaA<{or0aNq-SjIlJXSc9#) zK2D?MIhpt1rW4h`A!XWQWY?Usj>FRXn1$%evV2*)f`aOz@4vpdL8cgolUj{5+GONv)ssz34hOG&r0eh}Q| zwF`F43+6vV&$Tbtvfrh*udH|?Ad6X1)u8FG77n?F{%XZ)HPDD{)ENM{Df;{Sk?xAM z>EJY@Xitp`mspiD_F#8lYQJ1`%;!^r@6-Jmt7tL)iE!FH-p9 z)>&{4y=95MWgV&3=@O`T?$I-M6lA$K#oPW_zN6{oB1tH;Fwq4Kf#`(y!eKaImqZ1l zr1JXy{Kcjsr5(0M-N4G!oNlZ5^Ax?iI6|f>gF|{0#2nrpS<5jiHfivXaL1OsM1Ku( zfg$*q^PpvuXmaFhVKI=)J?2kk?S<4JL&LN#N8_Hre4V%iVVdrKR4XsaqVOA~*SBOT zX{dZf!}!LaxjvkzU{apu_#MDx?I%aehz~7olH;wufNzdQMB>7vU(cj(;zku&Cm)q1SY4VJS7Y7Y9*B9qz)QYY z$W}zaG1ti6h)pqB3Owf4t$tLAMS0rN7Dlrd-Jm67cyTbCBpX=GdR=bOx7Lw%D9)%} ztXyu-HTA?XXbLn-+UT| zHj)4K+d{YL1dghs!j#PYqDm&o)!QA)&z+RuL+s=@4iX*y!o+dX_4ywS^Zmg%68EF=zc975{2Rc(E$~mY zKnFA}pLpj*&_OzrVPtb?=UYuvJut~BmxM+8dy!5h$@F$=&i-&s#*4SHoF0d|+78ym zPFI3XrvO+J|7lyE0Dv={zdwWRPlcbk{Fs>2Xo|K3w;~b;>islfJWQGuG`BZ5oGr3- z;IbN-QK=}j1=ca?ew;{=iK`ZKR)~4%cGy`LLq2C0Syr(O@IuTD7T!(%D0irsbAN@R z#lvCPv@xS0f~;^$6852r)!Y<6UKqi*z#ycZEdg9(@AW zoV;Lzg*RZz-wpC5mFxIPJz0h%!0r*5gmEYVM`v%595QIl7>$roX{Xwszt_7duhbbZ zLWYAiw?XyksS4r+KXQ9&oo)1Y}IO>-Mgaei2v`_{P0%A9;Wm&bQdS1jyO@#6+&lfJCa4V(pN ztx~ACyCnqJ%`DL+^ButUo_JsLL;s?eroQ~Ma}-h@H9rTZ7bPivc@lBW7oR_FITX@Q zqlqwiKm!GNr1Uo8EU>3H#zrujm8TVopgqpS^Y80tz9>o6?zT;~x%hb~l9i_Crc0=m zK$S|MOy?zqjtghbCcg5#>9otA7u<3XR4lpUr^YTY&T!K07>fV6_!_8+-%#R>KOToK zIAap?4(!E^>jmx{ljK;79WcFmU%FvL_RCk?FzfHt>7KUOM8*qG8G{;8mQz2gjNfp8 zwyo>E!%Il(3%^&gPh>8go?Pbn`VHBARr z8Q<>}&j`;s7SCHO--7b0ntxUo=|OaHD=)Ji4-jfSey^OaJN%#6Se9A-4ef8OcKXfK ze#x~@Li@;{{l`{SKW?V@71G~NgMWUAvtSe7>y2envN#zApc`mEBmORHMCmUjU~lKo z{f~5iHBLLyU=(&nAb;w5LTf?L5@`>{W*7b8ulA$fX()(XrT_p+2jS&^+3_zJMbbqN zmjkixlbhcjE9PBLs~ul~`9tU1+?~;3kJPyk{ZIjx1R;s__5?AmhVOs~oF{TDeJwHn zp}ZcU!%#Dc%xm1pGsKO5Pf9iID6ExPl~I?}73QrD>fTL;7?tMVaD5{!IcE7Drd28z zg#z+k1A;LXOJl~Lc|P+dqOZ*nliI->F+EyFVyBtz4s+-ey->v`x>2BIwgpex1_U>( zw1wYkfYxw#aua!Ee5Cn`Mz&FCxFGS$dC8@KDpQYR@UfeOTIq2mxTf`Q>hc5Was=&E z8x%`qd+a7h7xcUV)ql5XrUQM2IiSn)xZ~)(w`2!lTzH|Mc(^;txFwF6;7yyx8O{v$a!A9sIp` zh(}vj)lYB*8dT(v>mu__mXJXv_@$61Hja%9{!DVUwAWL2mNXoa*3O<_w99`L%TZ*S z9>O?E$?J_dl<9~}qpP>Cut+H|uPW9j&3lrS797}V(W(h>OnD6Qip=Vx(;#TA@n9I`erx9yD+ ztW}QGU(w3di9ou%MfTY$xj$L5P&gC2i-Q!QPA<`sMs2_l)=~ozEp3pV3|!kB-e@!S z4i?E?B@)Rm9Vx;;qT!yd<0o{eLO!kTCH(;m4|JD`OzvKm?VZJ9GS zRG)pRbhg^q*|ji;9V?yko|0n)=8`p?%@o z-|U+oyK)W;D#Lq77&v{Mip8wNC+p-ljI*mwiIojLS9~R3pK(lkfSbsaSmVB3hFA&l zxl`G0FGf6DnFNDBVHUUCqLMgHPr?U?QrbPAX)Td;X}5F;i063v&?nyK0IrNid+ z(@O_|Sm-al3nDQpVHqEAPqS|wM0-(IzxX_ixc!e^90uRk{CE(D&8zu?@8K_aVPglu zUidFQjbHGNQ4S)?|5l^^f1x+Br4c#SzGJQ{*01#SyOSY~^{5FehY&E@1=S&v={O5~ z*VXC&*)o^!nfhSNx7py18S3kcC7%5ig z3LkZppmbqCf|TVIX&e@3vIzTU5ezs!YcXz~fsh z*La?j1zwET-9>-J2Oc_&YofFLIPqNe9zylE8lUa%FQS`=rNN0d2>i*x_*3@D7Q#v9t)CpMPl;`wMY>M}qa@D#UF%xxS1*ab`N^U16GS-Z$^9!& zf8ulh34#UwZ45&Bw~l>603JpEUFd} z-u>!wvGuTlASZpH8KMf2fN)XCT1-WV_f&G#oWxw94is?XglPfVB#cq(mgQK|qHo9L zqAKOkDB5Ir5A`(DPgu_ZNyy<(Fkj zJ2xy!gptXo?zwJ3u5yI9;8Et*^uRgmL$Azt(>V@10q zJ#Z!&IZEeJR+?Z2^}C)bxuB$cgX~tex}0lMdR=UBt7mI13v_G5ea^Kf16f=;?{Z0l z^c<^7+xqf$lwOuAW`Gs+Xz=Y(ugFx_Q#QUKm)})fy4-hfn7bRrw=N_Lsa{-p+-xsX z>&H-95xd*^aMr>@Az9!>8NKnN`;jzQj)enPx=k`LL&1czlUyem0X$QeDCYjknEGHn ze6%pG=1iXu&>N=XYyqL*lCUJPXH|l3@v>5i>rMFCYVI04RaV&aYlCObvc_N?SVbQy z2F%7DBikz^(Vie9q04X{)z@%-iNUV?kZEyf6nn=j6BKTg2Z$_$vtOP9RUlB-3~NUx zIJ+yQlo%b~3yx2YM!ba~Kl*1Z1dgBIU5L8(Shj)VWJsCg`*YN1vlsvT@^(NA zs`=a5ks8A?>xpPvAO41qDfc#D&xc8q5e=0mo<|bL)-S$pIro9&-!3bqbbNA?s`eFl z&6WB|>(6%VPWl~4<{_p>c>XE!lUwtr9Ps9|o(<`v%Ja59EL}ZXHGhiSs=l$+$G&Up z6mU9}|K@)HokjC_9Wg!R0N%$xMXLTn87_Flx~oUy0N$-XMGE|h^52U8zuMy}um1F= z+@To8uTMGv)^F5`ugm{$igAZ;R@6Bd2~bN}2)dQ|<# z+TpM&lWeM0DXdV}+R6MS778)u;mM=MR!;5cwF&uMH>KRv%hj(Pa;XVGFneTVSR@@!uerqXhmu%&{}B!$RMOQ_bMdvsFR;NRnTP8E z9`$%$REU;4nNqEt6Tq5%*aa@SZjQcb?)V$B9BTg%wHZv;?;l`Pm;e3?r%M-73aHls zk-|dYcSFE*yaw{Yt)D|10>(F~%C}CNpr=|c%8{vdEW-8|1gu=#W)%vTG{>Y`i2c%)=j*>j2|t&VlG<oX`>_(kGQ>#gM$Ts z;vr2N|8M20USG9u($kB&m049WRq;;L^*Od?3Ezyv&2v6*CXkbyHBmW8R`Nw2P-IL; z)=^x!SGR%zii`@FE}6Lb{(OsL`=g=|Ifb6g2Pl2YXz+G4l^WaI>6B?NM`vy!S&vis z0DwX7EHm@<83HNBL7_@Wf90<+XS|^f>0mCMuMivH)ijMn;gZnE@(F+`3qs?dxWv zy{cRvIR|=JT(D}-4@L2`K25@aK9{0P>APXDWF8{3k9iQik*a=4h05!kI<~OvQBQs2 z+Nz`k_Mm8{d)}m|Bbjj{jcewoypG)1t*CrLyoON?kzlvxvgNb?h7P! zn`LiSY>=M!V5RfLKldT}FI(pX0R9Clo&Qs`?D{Ik7}0~xTUAA0K;3N}*1VAQgv{~B z^Q!@&yN5GcRnDo7dsKV}to`LPLqiPr;P~Z?LlIUrA7me9#?}sOrQBsQw7A>~={D#n zLp#|og9-&ht3$D1kOheEzSaHn8FTI@R7ZEFYrX?+@pX;~1XixMdhRd7Z!x;jAGys~ zGGt{EujD64VJkwIty=+sQV`Pi)%!VCcaS%Y$%BihR8fx*;b@eTW=lXNRmQjk`~X*U>LTAN$-xx$7iH z8X&XOZk}JM$!#&v3|!~p&pI4kfss_JdJMx?@vs%{6}&%H*a!HZq&meWoOI>77(jhw z24SfL`f}d|k^HM9(luG|(|WkPOzcBEeCnMsmc-*Fp!DaDCWKG3FL8#kLBu3t6WSeA z42K-220rOKDsy#Poqk9wb3Y{je$87@u^SV^y6BU4uz5*=&+#B<*xaCcX#l60AO!!+ zCU7rr_u;a0UYr>Im1+Lvo$P4+SLUNoS9d0Fh;w&UQQOd{LJl~!OG{U;JscuF@zen8 zm=n9vZf4}c}M1xC(w5y&}?a|90=PI_wY}|@3 zI4YfyKlsKW#$aHoCR>0v(J(|N%uAC|tUWw99V-yC0{W+IT8Uy(et67ZFD?DUq4 z+CUU0wdQ&@%d(ywXN`#Bhj^9Is&{!k9r=hGO>zWWmqq|wLqv9EtDdpVAw{MbekUV- zqUub5LjmHVIO?^bdQRUm6Ig*#IMMf7jwB9igX(Rmm^mZjj3aI<6z|F2@CG67&#aQ< z#Ec;gQ78p1S9?Mpm`~CfB=Sl|A~c=l@aKy`iv`8?9*th8J*FLzlaYyQ8MqJeINyDy zGDL+=5Cjwhw>9=0vI*|a`%uGyAuC=OEY$8K9pNFSTIQ#024%Ui3P_G;%f{!Mv zQfttHL&~l`3t=d+Kl3%{sPW1mFyl~>>1Q-w5T@w7g~=mOdh&eUqZ^>bi`c>hSY(`b zrrm8WueGWm8bof%CV)#4ggLx1lFaKeuUjYx>3}NY)%q4N4!MQ|L?6)jU@zY81h>4) zQZ*?A^@!G!&0|b%#kYcC{Wp1hCq!7uY9-?;i5UrccoEk(tLlpOv&xZ^i)rFsV*bteGV;>lKfDoBnmEail95=-!KGj^+piA z`&?K0#kh)5VA^tey}3WCZIjb*5^g=9_5M&a`(8{Rg&Jp zLDsqNhDG?p@)SE2%-o!Hbf*i4TvQVD6I8xc4<`8ZRgd{TjZTwnF!d9|N=GBc9HH4E z?s*D*?G||*{u13tV*wY5BoeRTO_w*i$ahiB8DBHAI>Jr8Wwsxh&sp6BjVFDmV5ZZ> zG9Oz^F!IrwAFck%xsx_3C}ydT?<-6U61yq5dYj9Wl*tFb|B->KlaGsuOX-Bkq^Z9) ze+!2mrXo?Nqc(Zo1vSyv)o%ah(o6ATl8X`|?N;A>FRa=n)-3g5{rF0cR+L49IKpnz z&R7IS%SZry2GMXpsl0U7$DEGsVYf76YzpP&qn{1ZxU2Jk2wLulCFHO>g!izXJhTbe zDfTt<{F3?x))Urw+p$^2+EhEeMW|ou4F2PsWiDuCdq!O59k}M@jF)far`>rU?v{lC-VBr>iao8FEuL_lNxg=;nFh{cTs9?f7ms}d)!-!CSit+ zls&sIfp|OZm{Z9?v}&|*bj2q|;#3n$YCwTmchs@vdg|vzs7VCqi1(3ArW=v-L z7Z5dbT}k>TbHd8F2lClW{(O9)&fUW33aC)Guh!#Z&Cjj57n;k zfcCNPfXFKc8HYkmK#y46>XL2g8$;sK54-$Y>j~Vs@(T{yc?Ve}Y$P7GETYhXGx5D` zYkhylHY||QoQAuaeLUN^IWQ9nA`~YLjIzE$2D2g+24L{-0NJ%uJJHqCtyDFa77?f= zUZ@m>S+u)|r&JhSeqBYOMQxqI3}|Wy#FLcc4_8;dHm-Is|G8;Pd_?)v+Z&(11ExjO z)y-^Q1l}CpTCU9h)SH8CR?%qi=FOWsU4Hl(FVICyxq-pU<%o!#D8f@mqge|9R5}jo zmJkUE3GLFGFHN^B9(F|KnS17q`w_1eNHRQ`5VkgOJYGSY@J*BB`_S#`$E#loakZma z@PPft$Z?y3{*t0$-vO<*FWx?H=~eB6^?n-+WEde5A-%(QODO1I1K(^r)x|rFtTEwr zh;&2KqQ}&nS1BkE4aB9R#3AlpYj8)+qEvYNlX8_aI!OjW-8y|eZENH}=8EV+Hvh|> z-?xW}kBDJRA_9ZnYWoig`<~Zr9LKAFQ`!24)XLa%v-NIWxbj5nvgDHLRO~W5*T^Lh zdfC?9#Z{fl_GI6z|91d3a`c$~4Mp+&9;5F7==1El`->dH-R&dxK4()w1(1zQbLHagqXG32nmUbp^fQOO9+D2aH?9JC_#{j5TS|~ ziy9(^R$D_$%u|h>5Hme3t!nGEU(Q|M?fup|UEd$~&%5sX-@D%RK6~x`?7i3XywBdh zmv+jc!^pnBjX|tG!lj6VLA5jNiH71l@F{;Pc_)hOO_b;yfaCLf61&s`9U4kyreuit zj*{W!kDZ&|Tj{`9A@pvx6$JVr&`##xwVpQmtayEHi}^#~{_7tCc`-U4Dj&~uu}wZbjOW7~=tU_%k)T3qXW;3?6aS~DWADG$S^a6&`xZG4I>O6PY63(t z5D4lxZQdWGnFy6PAT;G28O)}VJWqkX2`MqkE$c(d?ql+&M{Fa;AB?^6*PFCOI2;bP zoGbjS$maJWXq?H!&y zaIQ{Etz}7e=NM(lCzF>=S8x|4?|AScFyv7h#K}*$q+*OvCq3<)p%UjbY^CIeZo{6& zNW_nJmxXLN(1}^0(>?jKGjkjAg1LAoMN&0wsj7(TM1 z71K$hh%3jBJVH9LuRE>+Ngih>>^9{1tjpIj%@wf*KEunjhSTbyD}ytu7vfR?~aAwR9Zm@ zM8VsTZm0zxp=D2hjL_XV z5MqTM$YdG-nR$B=+)73&1twazYu0M)x!rusKL=O}KEG+xmE7o1WG;V-M8wB5*uz-m zWcV$po`Wyr{rlMPbLi%qnuA_h@sEluS-3d{-ax%Js7`11s%vdY{c^=nV8P|LWB7`U zb3X)-1&|LUH5{`RnFPxae5aXWY6;|L7V(DJyO3r)G>*GMJ}Ppmo4uf=qU-_=V~N zV!AsUCB`|jX{a1@ELchwZ!0EM#Icqr?Qhs1i#Js$fy_n=Rcg!)59k*heyp{uAM>hS zGy~($#M~4NL-juGO7XpKHZz2&uK{Gewly}w*8!+b@R+NID9FKz?I)Kuy4{l&-xQmD zoh`!m6I3-fG#?N2JetLgdAkWelfsqeVY}L$9S*1`ILN-2Os~7|NvfsCrBWBtro|O# z7gVlV)U@pl?8k)^G z^U^xqz}frFuHag^gnb9KnRj~IrzRgFqN%5sBK|aS9}k^yOR=>y)%l8sXdlhO#?#<+ z65UXx!S$rdw)V2M!ONZXDjl~*x(s91hO$m}pE6)g2YLrUF`YwX|9)GoT}tbegzN^_ zh0Y4ExgK_?9NCjS_a-zb!M0~?Nyj<0_qi1;&;Hu{lvh(C1iYyutfIE<9={2vI_Bf# zQ}&Y&ygCr&o*`v&M)1%x`z&v?M(09`+zk{z<6*41S{C(I@;sxMUpw+Zdgz0S zZ1m*T3U;KbzF~a3`xpo$1v5o!{4Pb@#~LV1Z? zek)q3D$Uq!dM#JDsVqHXd41`R;bC1kDo%Vth{YQ(IeB_^$$sw$9;Hc*1kjz4L(5T; zSLH%pyu0JBjdhDIULkSr8C3I6#Ksi2K1n8?NQ6`DPL&s(daPbpmOJexOQn7&GNv}@ zD-hVsXcG_U2O;9N&cdS4Ug&9sN0X^vo}lqD`23_P%?evrj}rEfKKkS3UhXvw71r=~ zC3NXq#>ChkltbDjN;j^Qkw=a?ay1&W!;d7b3!c*-coD2QQFV3*B> z-{FFDm1<>?P49`chW^3a?HLckW?+Np^>)p$rp5HE9#;*g3uIJ|qMm%}5KBuui+pGp z%Q(di8)khaVc2o#8fE-YEmZU5c1Pf;^1+}wM?#N--#!zv$swe7TM(NUW)!6)?Z{nl zs)$9{*o6U+@MaZ>1NI_aXrklVCUI!AKIO4Ecq|#(8F2Hrv!p<1xTFEfIihH;z5Q@+ znMAG669M8FI`bXcvY7`OXNJ&z8^KA&&FpXe)|lP!-hZ?*YqsHI<3|F@2^+#NkSntL zh-@$P&fbn;Q6KRTVk~Nu>67mTt0cpWT*y~#0pQvbi=!twrH;I!sSJxJ@StM*gl-{# zZjNCAj941ng;FrMj3Hpsj7yctId1jP}D&UznME%8vSWk5;<;{dLdeTi|E>`Ccx(mGr=A&a!lbARP!C z#=a)BGv763{16ygGATIoRau;&meg;v1yxc*MXS%4OW#BmI=cGLSB@+j6mRQ1#j>ID zW(A06_qI2M`wi#_%vK3fToDIMbpEU!)|?Yf0S{dxfcul7n(O^BF3#>&m3B3&B>m@0 zw6fm570t8_DaX8aY^Gb+w9iP|L>iv9*uY5$4)v@er8Q-&P)`v8|4~}CE?;gTQ zR=Z+EI6h3>TX2?MzC5D}%qxOv0ALjAd;%-7L>UAvU zHZFN;B(5+!B0;xNk&Z3Kk}8|N`ArN3xIBN3pdzVgp90#P#uH9s8*C}S{7(10G4P8+ z?zQ6yBU|J%YpVCzU#;Ld+3hkf30g}hL#Vvt!YZ)oC28DapMv}+AN(?4o3Pi;lL5a2 z>fq;NULlx!CNG_T#4Ap4)OGT=or0(c#@d+0PkB<56Q5ZeEG(m5!@sY@yC&BotBiTZ zz;5^Ul{>S=Za!x{z;^1xBa<(|gg~RXJVgUF?zlWQ8)s6WighK}MneO%6!dG2mLjZ+ zPNgd^N{GEJt}~(A9b1;Polwzh0ppm(wGvkq!Tv}C2Aj>p&1cnmR$QsPyIR*PSdd{s zsk&jXi7@cws&Fb=u@g) zAQcsKB~sB;JquYVSl)nE#^bGWQCRT2J-M$c#HG zFbjXw4pf;}>=ZB>)X^0rMaEwe5YxBqvCQ{8FLz@XSz_a$xOk*6pYpj(Wc?6m_1IM< zV6y5rQ+yAmf6;NkRA5)-^JMiayDnHCGXMV{87Wh*##n8Noe=oFk*GJvSN!EvPB|hX4yjLxS{Nd>INEbMiTVpZWb_t@b1@tz@R( z+E8uDp5W3ygiRbA0q-4uPpS4>T)KW2M_S`E>g0^>?vQQq$~puf$C~U18Xfe*;8d-7 z-Q0EIYkwb9M$`qM;L15NS+{aaC8Cgs<#WldScqcN_Y^DF=Hm$i7x`2#5LB;oYkvo< znJGWcz-2kAIQhOPylh7bg_)a?l6iYUiaoEN4m9*Ur13 zh51%1a1f}Z2cGmy_Crb})gUP$x!G5L|HT|U6ro0jEmmTJ{Acw_$*>~I(E-HF!2%E# z>4^pDvw9wTNNfn3CW>mwHWnIs)RnxTkMg(KrHA%L*;5|o+f3}Ir+r}Cq!rF}#y^TN z`Qx7fF8GCW-J~SvUSHL@2+f>{wkVVVvMdqy3{ZC4VehU>gFEuW#pBsXDo#}|SX)$X zy_+X5Q-yz;b}|JX(NTY-z&hN%7UKcAojjbNNn_XN@fnV^&RX4-U&O%Ewb92sQyo#F zjJnfg!rB$RGO6b%eE{ml;6w3zkP@-bZ$5?spdp#FfdasA;b}| zNUmUan9EHlGkoq{5$UzCmufH)zWn(Yma4C^lMkET6Q2;~dL{5-?^Vce+&`J$PH1oMHlOIm_(t9-l< zMf?E$r;UE*MM3G!J@mMiZBTWgWtzwe?8d6Gnos>~WhR%ijMI|Fva&8Yz}!VZTPnOx z`(}7C@DHaS9$WIP0bKead+A}{nn-RgDJn%pbtPIzOG z?jDxzj}Wef9@kS>Z9~sOK`ps#+UlV?Ipjo<GppI|F2p8bG@a*{}bcW*W0zrp)4m~ eQ#u#yRu=w@2e-SCjJNVl91E@ diff --git a/src/windows/leash/htmlhelp/Images/Leash_debug_window.jpg b/src/windows/leash/htmlhelp/Images/Leash_debug_window.jpg deleted file mode 100644 index 56c06cc5397a8697143a62b67b670fda62a0ce06..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15354 zcmeHt2UJs8yLK$t5EW@k9jO|MLkUQARH`%)La3s25&{wkNT0D#4NSm*gf@UuLK8yJ zgf`NPbdpFPq<85ZZqO0to6+xn^WU}pb?;hp$a+u0dH1`Y_u0>W_ddzldB5`;;LJ@` z4OPH_0|x*PXn%m6Zomz|p@Ro^U$o;e?L~Ktj_&Ybx)Vo_9yxaM#L1KNC+O)JPMtl& zaEkF1J^dNhGmK2kEG#T1PqUq4Wj=S7nT2^b$bmz&Hizks)6pGgW}s(a{@cgSuK>nl z2kss`aOeOp;2`6HLyQM@Dgj)81Av2vXmAezz8rK%4<0^p?D(PG%eT(}4$z<f zk%I>h(9ygO9Hgaigz@NECKlEU`k1zMX0~(U5_-1{zz`R7WJ-PquOvuX#?=k^EUAES z?3$q^qLuI7^`8XzrL5f_;%PBCXnpN=`K3SF`Ox752kDL+rCt1 z`s8we@u1$JvrHGnub~g~(%pO8`qAa5q&$i80p_;3oi4!1L$nr*hZq4@0ZTTs%tkI- z^3HE^P88pu^LnYBU&GhWBEX{L^xkas{SqwIkO*!9gI8|`k%+uMOtH(&xjHSy;Vl@t z6W*{k+(M}d!wqJf{Fms}MbCe*sge^a_^{EPK0U6;O9rd=3_fI5F{8==hk}9=*5frR zI6}u4w)|?HCP&8I8Mq!0Uwbtfy_Z6M80npqwWdo{KL_0bXj_0zlJQCbtOnXQC(ZSN zhC-tmeBZe_@T1%{BcGF1>b%u{Bk7bMhX#}gk9yl=Axoa2yK&~mtqf3NtEhw;o)4Xo zm7dk76`hry>hUUUVRU(WjmxuU)I7*_ZkzN~mb%_%#~ ztpa~<a1e#gro6sSKZ6NnBgecKn^Ryf59?kGu`bafdY~ z2cBzo7}G3?U-5#)b6$QCb{LiAmUoj{CpZrp8;Ue$L>Q2DM^^_?QeE)(z(MzlTodg2 zC40(E%_pSP^Q^~593A*9y^U4~dgi#1? zpf4*-kZ6Vnk?PZ9&sI+_H4HFJiSdrcdr&NuUb)A#PfIRhYQB)VH>SY)t&0$~U?=8x zrbq^yf|^F)I8gW!(0VMGCEMf~m1fpQfBVom6-6eJ+ zU&c6}*d`q4_pHjVUqrB8F7(xo zi+0@Vg)fo|YID-kQTf%Q)g!VdLyeL!Gz*)+B#<|$WN=|&eJib!@Md#!ttKkx%N*hO zl4C^I)oI=DKbc}=qDYs_UodFEd6v_je=>LEnj>0^zBJvVN7J54q{RTu=)b$nWmjk4 z`vv|Nl^P2azK{k<>&ff@pfpBy?Kf!+ z-=Gc6uKDKh`gbMVE7&#PWOciPHZnBx&C&huRrZ;XU9IhoOfr;Bwc}?Eg)YTHm6LEt z$*eIWdxsVoj9jl7bqqY#cjEf)hl@htGAwQ)PDmJoQxEs%~0%;Iyx8L#iZ;!lalB6GX;reSVZ)?`jwW53hBh&kd~q zYK!ZyAG?bL<{!2Df0*hM^0T<^27hGX(JIF7&5mvF9B*amb)>K+=?pXvG^@|s8=A9N zI2M|ix{e7X_0p9t@aKaXuz6djCfsd%9r4;|Hj(u$%a+!{D^(j$^SiU8qN4Ro;f3oS zawNOz6~&HQTDYM1y|e`a=sZeo_I}+yQ>I})8tBhdE65hoQoxbS-=@FttLBwK<`b93gK6Wn^SDR>tgGQfTJ69 z^RsSNy64N7LKHWbTpQL{Stl1G`yP1AAr|l(8P@~cG8NLee{YNJNijp3`)B7^dH zCa%&}9`#$G#Bx=sHaI>h@6p)z>n-;>9Sz5_kz$#)#X*f;!Q3ONL|k>{`_`h`(2vok z{9(B5Q+ZF?>CD|V;ib`Rjs{YT3kH^QlaD3U=xzvlIpPTo9A??(hW!3?UNi3b6YE#^ z`bU$t_*W9RHqDCb65W@Vs&)XKi8FRXl;qd2=*^(@>w#7N<<$yp=1Nke-t+daES#by zfG60G0WI{kI#LtuRHERhFt9gXtL^HKF*doS_q*&{s+C^8wo-rxXNWw9+rZ z!1=+8vecz&Wy& zGK?h)#Yhxf$7KkF?f@QTxY$O!aBU|iD>nCK=_Z*-<0e&%mZzNJO`|MWYtbw+E74L~ zXv2==QmbyL;w8~@CK#She#zQ*o5UX+X|nxYFLojxIKBdi1;)>zE=TgpyJqjQk&f`& zIzp)}+s9u?q=sdlF>zr4&5Y}dgsGBc^GO;#HPBgN6JlbL&m+HCEDz)HF(cHr{7pbF z$8;|f7!?zIsRu6)b|78I&tySLYJg0mjG?1DfGE@9&b@)DrAgQOvviwDv(cv8E{RKz zFsfJMcL2-LiI=aIQ_$&Sli&9iVjB^!3@p><_&tm#`x(r%#sZr8PX*p{y))#V&$q0s zqHR7jd6qSIz?5Cj%<+MrTcP~1E^*E`A@nbhr%gJ+P3WnI>fj*C1PNlh=uJRp*KuHn zJ@>Phv3QZNP*D~d9RsR4UyURB%D}3pe7zcEb(Shu)_d3b5)~5MqF0aRhIPB7Jshb- zQyZh=^$<<(##x$w0XHb*dsD><^OxrP71eZqTt3E!I$vC!;_-9fetP>e)0XdINbqKQ zcv?)%Ol3!7^XTZ3MoHym*ENP+b0#*oP1kdvzpCLKiaIV-{Bicf@QBt1Appqa9du`O zo@3Ws*vHGU=N|6<%0O`COiA;Q%qg0=PV4dal0@^)`J5g1^xbsr87}X{TBlv}_+Ki= z@7{`CZ*Rr+$gN!cdDozilePprKFy-t!TP<Bp6yR0J=)KBpUqu<;`aGD zx}WjB_bxxO`}~~#7C)~0{BZAQyzjls&&WPMir?a=ai1UWy^Lx4`6EBEd;EO2@(q53 zK2h_@T%%2nugXW~lX5V2Lad4B^s1A+fMvdVKNv`8 zG^o?lzdH$JUhJ=c7kVc0y;9;*Q>-6Wy))U>(OeMJgT6X06QY#TZdcgAIe77nSN|g) zNZYz-0JYsKOCrwod7^Ve!9tk+`oet=`1fzaKVr(eQKpK%BeAx)JPQYGQ_zcauaPlp ztyV6rC1r};ylN_rw@^ln?0pC#TdA{KCm4&d$2o4 zjyvUHK!2d4VS^~L9Gj4FabhIFE~{OF8Ekw$Hs6>jXL_hvtd+HgX@sUW&P?i?IrM{m)}aK_Sl*^q3T31n5Us+Ggj+?Z&=aUMtPq^DW_x8Gg9V4VB}T z7|LTmxaN{!bJs=fUg_Gg0^^`NHL~H3$Ff}^0xDFe^-C39{?F3F!uqAAe`%Dr_cz^? zwqG+z+*GkJEnkWo-U5oKFAOl(#wvYOvEZP%rexsN`i^A| zdNsK@GuM2MVbjr>GJ6<2S7Ik87c1raTS%!))~M>-KaKw(>>rW*KTM3A9|mi!$`Pfl?RNr>Cs?Z1FF|Lzap?*6^EhtSnL=h@bZI`3In?WJ>f@buHr&EBb3 zxp`@I%gv?P7P&u0+jVA@x|ZQRo*i9wnt#+HtT>#+6MK6Lj9(66a@M)3awU9fe7c}x zzskK%<4KNFTXtLSx?dP?qu}OsA^wq1fU3wYZs8Yy59S}e5mzb(d3OLZ-Xg+NdyI;3 z-kU@F$CgB~EK98^b*_*zmp-1I+5km2dC=f~F2Zzn#RYr|Pzzk4U+Z=Fc+FTE<5s+4 zAr{NHMz~Biy=tE%y*Rk2AGF<+(5=JTo|P6Bt}OY=`RCfIUEnHiKmHNL-+F&a?VOLb z#mKD96JL~)ZlUiIbjyeC(NiUf%L^X)<)zh$LfuO11i#XQ=83lXYfZaL22W>E{plaF zR-(Qp0sZS&rC+XR+D$VH_Qm;yxbSqgcRQ4KA)n2)js>_g%%4Ap-^HEt^M8zTKq~De zca+3{!W5EPJL_R*YHdT1))-HLb7||3I;vyap@lK7s6>X^%yeoA2S-KGk?fptHJ`%U zW^nR-NcY4C8x=*cR4~83>W~^}$`!2FXh1v6Fw9;53gLgf-cHnLCSEPLyaSky+^%yI z`9Nyh4xfELgFmEwxA^TnY@Ls9c`8Z$wuAAZG2u%Vuf%J!jPV&zg0+ej7!=pZSj15g z)21X}VNn5Yy-au?K(()c1i#G4eMOL;b46RbJFDsHRD#hK`PH#tm*Zw>1^B>LZ1FFPCz?I&)kZqXz>ZtVkGtE$TXpz0a+Nknw+E_-}pS4Euhywyd$Q;lu{JPom?-1bKax{^(z8#^EBRMw^BB zU9?wem6-b{g~%NKO0{#X`29w#psakny}W z#**-d8>IcM1N3V%@`|ZWeuA9hnWnd;H~3h0*E^QBKLh#CKg)h)>%e;IuM_gPyDzq3 zRGxZ6`MXm#cp;ws>Q=wmmi8#SKya6OO;}@t>mnht0fB zp!yqI{Q0{@@liin!p&hEOk4^IsTiQDWjLjy%KV^>Wa7Sye{og zCywv_eStXi9l%-waOB1}PA7jn@N+HT{NCxzxxMY2?$7)0;o(L+`|C&_Mivi@(G;oP@fo>7 z{W;`-|CtAAZttU71HCSv>?HBPVachT1ZWPn3p=CjNQg}^hg(m_*{o=tEA2LYfNgL$ zoe>MctsH(%pOhT^i-SW_7LviRg5zw4w1W^qdy0Au1Xz>6r^&y{*B)R5(gt^3^*fbmL0rn^5jSdhii6M1A=t z2e=RiY>WuF6PS)Qp)_!p@aw(K3t%B5fT^BKaR`zO(Q=b-Q(|nn6xNt;kFzWztb zLhur%5YDo=kdTnr`VcVsY-=T>BLP>32{-kkYNu4rRj zo-sT1)vhCBBMo#jt&XqtyB(RIMFHz8;o41MH`^|?6ghZ5l6sH6-jB%^Xw8W>G_ zRi8@~V^=PJL%;f{N@x1PsrOW{9kLa9QI))F{$j6uWj7 zLRGQKR})}LN`FywgY_aVIXyv^Rd6atT_BiqHI{=ZMX#F!^g&glCRM=>Y@aWha<0nU zmsA5sE=MGXB|P{@D2K(9=#t#@q-FVFv0#&`kfce8mojhBIaWPMlT7i&4s0jx^;}c2 zBz=G>7Ot3Qv=nxc#*#DAsa|&Ozjo)s3Iyqg?T++vf z#Wvn2`>dGQb*0}mco^gAt9fU2IGDY<$b8C`k)<}Bu6_f<4>@*`2TU)V7Q9fUHO|N% zAuY@}3-g+wWTBIB&b%eWrIrBvINJ$Jk!z-w1WTA={mPBpR>Q8Ft1mOsI=sZ!=Lq#9 z6GXjCtl-V`&{CJ@^Y)I+hP@YB&82&v+u{h(awz-W9Y9r`bhevpo`g<-o1SI_sIBN1 zX%TXpqG3_Rg8*{S{T?IB8bnHV4YS;h>}*qC&S@l^LEh!?EDo!zLis7|h1)xbJea#P zf*&H%XjQ&49{NPaln8G(UeW#SPIzdF(q-$_c(`B1z)}&{_A7I~d&*U@QN5rXZ_XXGjXW!o{IWo?~+9YCTf zL^O0@G_w>bccp6edM`Zt?aKNFY)&!{OnLBeYCWGisWhvnr!ArHT#HgA0Ut*~1o4+# zRa5in%8u|AbhLF%+#|L&=pq|n!`9QT!jh=A)XH?CMx3K-JLKv^@|}EOzz2EFX=V?@ zp0Qq7)_X5@f)KPq=^ahwYNL^ao@G9S#p4{Ppl8x3it_^pc#vTSaQeON!(k26ppPRJ zuMNFCyVi^D)L3VxMJC@l^|Ylacp8KxgjKMH6bt*L zWxM51VM^FcmEWfid8NL1`eY^t9Lxwh*9}d^rTn^tI)ZrxrZUN&(zD!PxpToW|A$E} zwu=@95vn2i;+ASK7>IqUU8EiCI?1Jz@80su)xb?>^@gpDQyqgo!XnL;SAM$ms#r_a zd@vFYd;w8xxJ8=oP%8spfKCuI6STp|&}+X;opw%l%X`m@$yecb)$eHF|7f73Dkp1) z6(SmoDnE67zaE&9>dieuoS*_PBE>B=wbgDoLT<{+0dXc5K|+>O1V+bL5z+otUE2yV zyuPor%t$bf=-AfdAZ(WzkdS(QBn9(bM%X3BrT`VIJ5RlYET`4-I>okip-Y$(LPzd) znkGGoq&H0pn|_jKK0jdnx;^Crs)41A1bSg9rdQpW(GQZ7t<7N9&Iyj?h?WgrT(Iy= zEv~bzy8k{K$rkjIV3EV}jDi)^%TDdT)#ah9r>3_95XsH*$wIaAk@FfpcA=qH6eTqg zFLDxcPI#r;VZ#g_re1lWCU>3%z*(bU;ZvT_KX8iZaB|; zr~+ad$^Y_6sJ4L5bHrPHE;;^2KTpTo?8XX_680F_RA=Q#Wi_bjjqD_@)`aq; zl_Y=j-d1V1oMOtD6RKM@zJ#G=owOlVmyna1TTW>fdA(2@_Nm%%UN!Y4(8^?e9j)3x zfV66pn$}^dxWSJ?5J=euh>?s4AaIu3tAe)vyq+C+q!yKFD^Or27G>fiYU-B!GAG11 z-C;b_o=ab33Wl+=)`nqb5WM2-xM3~Slyi`%Q3a!AvF2T(Uf(OS^kAWP3CX=#jqQ5h zXgZF93CVJ*pzjok$^F#|J8DfN<~;#-!;O+og`lU>&>0FHa}7Ge&i_)j{eodK_mIcq7Sj4OrF|8 z&Ee3q6~VKtMbF;c$wAv>XS#N4&%9$;yil%LBklm zb3sqN&C2MdCXp*oXR051I}2}2=w9ir-(HVwx<7e1J2@r7y_YZ0Fy{3oNHU{MI#OHy zPHmBQ!>yp7oq;ygRiSBp6^r!MjKQollkMP?*A)uks5xL2Q@7+YSS`gQkL)7^EXu}( z#4x;XLE=B$thdc;1J?(woo7Ncg3VU=Ok#xKV5S{_-N=;jt*((aH|vI5(`L_6;K@QY zLE7`T$!Py=pT~;J-2#2HBDZe8)q_90#ONhq%!@Jy%1LLMQDp0fEH$ytHaX;Gh45;! zhPmiORBH0^xb)gs(Df=@P06zrR`unfpr9(h4Ub6AsXndNBUAQ*EBC;KTE94A<_*g7 z)W>bS!AuYkMKu$l?LI;r!qz3Ij`TrRIua1vS6-M-+ZIwYALVeJXLgM8Z zZ4Mie`JM}i8dE&~(y8qDaiD%7vxYk>0kSPZ-2tRc`Ef&uxz;jP*CeGS6OP+hc92Uh zC>y^BInKj*DawCdG20OD?Tf@nXfO5kU-dH6Ha4P`0N~suSyxLg+Znu zoZZW&kC_+`r$h|W+h;;kv3Yi=f`VK$Cpmys&{>%b%}nv~5zxwSM5w6nu5;Vt986up zew(l(tH*LlG-U#_qGe_sHM6G3uZZBXI`+(B8YU|Ktf7XU2ty{uIylR_-Jf4g7+tgl z-%|4or+$)vY^7YcNi|jWVoolpLA~iGD-L~Jl?JYmKN|Ae$WtS>OACF7No0?@ToevC zZmvlO2Wv@!NggF_((!X3f%oUAmp3ow)F=98WXDEd-3*wrm-GFk;nATt5qZEE-Bv_a z6RIsmAG9iJn4IHl-S4eW6Tu}L0=aZpCwy#ey0w85JNqyvCPMx$&J}NbXOu{K_lR}} zVJ5BX(*DVXAyA@1~)XcK}k#9C^P? zxX+iBzF0tg0x%Lp`_BhA7h^@=W=?H=$x)2U;YKRDez@+tpBQC!01>>ry#D;kB3&Et zVBYqcle4J!)9e$;v+ftcB+(tfta#ZD;8pVuVC}lGj6W)EL&2|}{oRpIVsSMY4zjBj`^$09xE3ybx0wW6;;>mcrcF?W)Zf=zqPYtW40T+ua(P+|s z{4NzHtzrGsloc{AJvbJ_1Ts+GhQf>3kDFae#d2ERk9Zi6Gp%V>8|B_^J`Hy76hN^s zHlqmQs`((?2p=XU#ZVPylhd$2=@;hH01?iwBJGV@vWWo>E$Je=eDWpT(R^oAOtR7<{$;qVn=Pn)xTW1c*y8eVlcG) zjbBW7MpDjAlDtptt2^+yENFwT$Ys8qW<05Rfu> z2T&kf8c%ULaZ0Jc`?v94+uwc}oK!14#jR3aNqZ=`PLe&lK_v3>g>T0an!kn%-uyXd z{jb2Uc(Tzm@i!~HE+??iNVr|JAAhgQfgv*yt;hn#^iV7>@7jsky{z|%2t?n{1L-Tw zYi(G8C7b!13n9MpSv}00zV<6`+ewXYuhme(eK-|Dp9GAMsDK^zUWtwnxHg z-hq1)AU1_ar9M>^8m?vx05zjAP9##j| zE1Rp}Kxjq&HW~%R72AEi6H92C!x4?H>)%RO8K$2Vl(>Fg(A@G{E>c#sqRG6#(*fnR z4hnkW@eQy+9nQv#3W0M*Cj=bh^^L;AzfYbEA<#e&8;Js}G_Q`TlW4%X7 zyBMYWW&Beo_28@_Ej(DIuUT<=6R)+_6zjGFXg`-3{Bj4Nn!6WaFX%~HEDm$&@f|>_ zID|=aJ5ZbCKmHV4*|q~nfqV^F%>B-Bf_64XG`(e@Fn1?MwlzkNldJ|p7)&N7U)~NM z@`9vc3(0=xK=oLc3Gqx)qCyRN0tYciQ&zDl_fN>!7_FvtJ>u zct$hi{2}0tJq}tkzb2h`ZyfC-lLbSWDcU!Tf2i;7AbekAt}|wBD5A$JmWgJ|35m~Y z)o|2!dGn@xN`}>|4{}X`Ru|kBDZ%kfag=1S%zSO@W~oM*XpwfQI>V!18(j4LKd>dY zpErBS-gMhT#;MQ{K;2hM(tg_H|NlfD35Sjr4;EW^nA%kLYJeH&dAr%w+KKg*7_JCe znfXS!&ZU;|{pW{9_J$+iWz9`PALR|Wkn%0l=M5MZ0}RNc+p@a)hCXL*BOlHcgEUGH gLYXh=yf*9Rln5R%Q}}-Oi5RZV%g?w9PVaR77c?=A!vFvP diff --git a/src/windows/leash/htmlhelp/Images/Leash_display_window.jpg b/src/windows/leash/htmlhelp/Images/Leash_display_window.jpg deleted file mode 100644 index c0227973f2cf9cab1520ecc3aee1cc5080d9c2aa..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 79940 zcmeFZ2UL^W);1aoDj+HdC?F`EP^EWNdO{BYgir)&354DeJQk$4(7Ql@5Sl@r`jp7$YR}U31Q7K69?Q-nGKX$jK+bHLxm3 z6>#Rv8Gz5}58z}RpaeK~_Uw=6>ErzAlk5^1+4=Ki6c;aExOAD~@?}a2N=m9LG}oxE zP+y^>yheYG`Z_Hg9o^-tH*V6?-lUa0AK-}0h~F1?$q30kBjHYE?hc$j{FS8>E|}r006Rc=K$v} zT)jeehV0xWO2C=3r#@VuzDRSOmR0x?9h(R=j{XMw13i5MLswLM{{Vq_lS5QYT++zX zD>fmw60ZocbbFRf&S_PSQ+oc6OIbzL-Qxwif=BAHjdx;BUdxwLHB6@loEq_GGfvfz zoxgDL^g~JNQyWkJx_JKV*)!+Jei(Y@EcH27;qx>P^uAoD6|sC4Tke|uuAgj%O>y%A z9fY0ZdBwoV7~t}`GpC-OqXygqB#UKf6+1X}7Z^C1KuS#}RZuY@D-cw-S6>O|rxfeH z>SCJ-8P7xMf~TU(QQ_L@1#66F_o!nDRw~h@UOAFL&xK>%SR**YM&C zk2n`pWdm2M>NyUPjrGjyVaV0GO07((6ux3JW zty7<4D{W=UE2aC&M#RDj)9j=V4lHJj)0F#6MxT5ll=b(>9%N}siTz6xZJa|qBhpKp z-pneEzLFzkq@WRqQ}>9L605SSH47dwFOQB{*`bK^QlSyBP2sA%88KZTDu8dd4`-Md zW%=ByfopW5BKh{!dfHvc2#kVHcOP25E3n8-_1;!UZWa=NRST?$R9c{kKyL?YFj&@b@erG<>+zWiH^|AIekYKL#E{gL>ZlI>`znF}v;J!+69DwP0{_RABU zLA8gI;Ret&{yMTDCxDNJ*rj|SQHAYhp)bkd%YzHk{B19^o7BWM76R`6g60vCN;llS zx8gD3b@oD5mFS1q$jo+aq5Yq-t45JB?RgA0{{fQc(;j~^|a?%^x0sq zSoLVSdBapp)hs2f69TFf`2w+qvu#Fm{MGAJ-A6kT=|9k6Xp9*?Me zKH)zE7SX0G-U@imhUF6S-Pd9A>~Z0`y6u9vgYO{ ztG$hE-DFDrhsN*%d!+3mkK|43HwD>($_r!46&&kqNL3$0^{x`>HC8$!6=8ABUURqP z$mNirjlUvimDr1h?S?yzV2C8K&da1@Rdh>!SNf<-uVZr2=Wl@6SMN;4jbRuD;BdJ12wp^m&sK_U|F88lm4ENC|fOaK%A}nH+ zLX*4=kiUbCHwo<3mT%~d^WT2aE1K^2y@R3$+ESTmvfaVA_!I6wc$ph)QB9&76;sD! zty8G3R1mE^n z>?!$0xv!hK{}pT6O%l;Kf{b3e3D( z%;@Oe)c~*SYk^7;xjk?jI?nX88l!)x;LRmuua5l4tD0Juzi>VrDY#O_=iX0|;R50A zF^L35GdgHX*@7mlL7WVW&KB>61aaSkjWl1p;1X+&+RANkodAEG)Pckl--d(_v#+p9 z7Nj5Le3|)`r@vI(9oK<;nlcGD#XlNY5TC*vcVz){;njUH<0AGE6=)PHXPRgXinXq5 z8}<}QEP(|*`Vi&LUCX>U4|*_z=~RT|IQFs7bjPd0JCN+4Ecm4`Oq!Ob1cG~k{;(mzL{WoI8MkDy?U>)NuJvJ;aKHq(NtLei;*5+{W+E#bX&l%v4 zxklb=YRAERs)(2tD6dCyZx5N1iq6*dNGJp%gFL@dKoU`3>Mw1N2P=ESSAmETbW~Q>N;xYnP3QEG_x|zyf-F&Juhf87@kk+m$ZOMt0 zYd--j+Rx!fv|bY%Srg-9t%)A+Ih7N@UKk}a9aCwN04?J*_^ z(|lf4<4(6gdi$~0LpNj4#mDD5T>^|d9<|#GFO&I1d_R1)cw^_n31FGgNNi zrDjND6wY=)!_8oY;gW^fPMUEp+#?9OUMm@N0oA3KS)KhJ%#3+Iq3%IM#|r2;iW;u9 z#OYY*rQBLBU@TEcK*08P1&94g*A#-Zd>3K9XzJ_z9iYvjEYqaX)yqW$lcjs#UxN;; zol96u9R-KDQa^KXFKy`=&P{QmZ|`|8SLKe|L4r)Ow3cefS6gFp)&#y7NO0v$$eeRA=%5rRfgWlcU3oRpVF_W3o*$uo<$tR8PglnBc`b-nirGw7cw#PsU8re7w@z0%oqkjK+@@>QK5 zQ+TUZO7)$gptr${`pTdgQN;>#8g*i})-qF}zPMr#q-;DPH7$mZU?Aa#g`3_0u2;=E z?%0w~+zGvaGIq_jwM#GJ6&Zi}OZms0p*s0bzdKGB#>K||(zh*%#J=pAUo_o!^zCT0 z!0vTjG`mh|mv)weA>(UWdos-e)2m8uFhNQFbl*g@SS2@mHp6(Q|IwxJ(R3sgdkH~& zY`H`p4E1A%MC&L))Cu^uvAHQQh(*0U9@QCAxng%#{|}{qf+4S{tMk~mC83jW>jdC> zFDR2M0h()CfzT-HOE@!!RAF9t9Pf3ts96!!FPoXWnV9n>x~P)c&cn{VCGY?{N<-0TLY1nFD8OLbJB{S z@iNKnY1Ey_H>5-uQwUyQ`$38woGGfLlAS+RBCb_9jj6Fasb$)BIG;DeG}?_$;j&2H zgwA~>QCQTWxv59GY6p`Jh2kxfh(1>o>gA_Cr$+J8XdjwDW2P0QQ=;uZt&NKIYbn{T|~?hrIUCuN#pxsVej=*U~a%jsAWkF z2`Q8YnvFmgogW+L6mq*9(Z>N7{F(|Y#KFG^BIZ-qIs~)r6R5uum7>OR2XK>kTV&m= z{j4!iTB7?){$V(iJ1#JFSgnEl9)IL+_Hv1b|8H?y?b9Y~E(=zVv(lf=ihcVW*xw;+ zkk4J>ynO%{Z<*M~?h1%Mb5gHbxqefth=ul248lH|g=2>ytp#|VBrO7ZaHl){!R-Te zqD|c3PG;3!J&eBd6A(+)+O3gT#{6DXUt}hUA=|thHRKu}*ntbEWwQB0G5?oRssR*Mvod)U`N}%hi&O?Q&vyEe&CZx^?p*a zd3`V3ud~Mn6z4fChC%?Z zg-JYQmbz$YWmm87PvlYY&bJGyX)T90H89vYN$#c1?;{)-frX`{p2mm87qc#E))uoS zGyXvhW%Me6u|FfNF>aMf_7A*Renl^*Tt!cHkr3gsBA$;)Nm;zkvj1(42(wf36in_- z9_K4xRPr0bXuBD>w$0X(TUSkK@HwJBr$aO+K$&wKT_bBP*p$~YxiU{e#re!@=1t5B z^mB=ML~P01;Ke%Sd}60>{Hqa2I5`K3oO_m&L)otO`!C&pV$O9H19Q8`uWdK0+h$ST zYr?|K)9|J)Gf!C!EWMh$O|9z(bT!R#MRKrwO@2mxo&*ZHpyLb&Qn<<+^QSxlrBb4u z$Ht76qXim>))MYqC1yn^Qe+$SDFw0Y@N&-QIyT+qj{Y`pRBJ2p)n z58M*yb(;Ba8;9rm<+2UjLFsnuk}kOvq!79E%1Gaz3wrIhe-?Dw z{M15R8|7w{sOW(S(qN-?+CJp??l*x1ZatpuMfIG0bZ%cDpRC2AlRl4e9u1Q@asCRm zlVI_q_V(_G2xU*0;9kkTT27e@eAjaY9JG%ob1@5KXl6fs=6xnIrfv)l&(=sRVRQIGJQJp z4P(Q! znvX|jH?wa&Mqc23(e5pQc)^ET?)pEmdd(|}Q1xsJpbfP67&@2cHJ%PTka6;(D|nT(+Z+y#w!H2Q|AlzfCXb+Ga21c^y{^nRrUH zM>-8!8O%bL2SWF%jG)aQXQc3V!Xq`tkY9a8NTPBS>h$tkMx48tO-JJ%Lps%HP4qay zT1{i4q|zk5nl_250#wpxZ0iqGDCy(~J^EXay?H}$Pg<++->bTkcr?2;rydtgO~tMB z+K_t-!b{wOkiF6F<8*ZfebTcS1B3x2Du1EFBDxhRQ^`?q9>q!H7xKoeCSCsg?E}jF zD}R)lKc%~P#_~Y_3dP*w(w)XFj>TX=i1Xbp$V4fSC4~^g8%3>{?zqQ z8WG>cWxalJ0$>gN^iOdqKL<0GFC51el0(7y`2LNvI$i7m_9k!hFQ&E)k-^Jhm$*ezY z4Jsl%>gfCU-~mmfcZZ13fF$q1ix3gPLJ_}lx_Ui@b# z_6JBmVrRmf`J8Ue=IF)8)74^=%gTQh68d1f*FpZqKS=W*1AhhQe-wf*k(1Pp%zWyk ztw;`29VNNFr`!4ACxDRHfM5Qopmu8!b`oqie8=Yt`k<*1x@D3tY+MpZDI z$UW;IVV=@DuFOD}Jx3qn>bN$Gyq-@!CJSC~;xRT?RbpQunEH0Cr-f`MKlFhr|mO z>q0>w_TrkaPFe19Laxp_v$Q9GWQ7GE^I7wzR^SQX?&sF`k+kbJ&N=~}fk{T&Pu~wl zPT6AjH?I5JQQuyUpLQXw(6+iTH~bQ?czVCP8Kd8oi4?h=JP$dJYL1A zw$X!zN`-x2YK;awz<}!P7mfsS^M}N_5OD_ew0=+igL)JVW$O;dwkY%BcC( zn}{2FNF?`gX63zqG<>a|N{O;~QgYw}$5%ceekYO4@LI7F^YQMtvVar?YMk#27=%CO z$jvNhzLazovbI*W=J-mT9(+OeN{5$2 zq(nTg#@usP0^15ClpO39P=E_*e10blHa=Sh!{*iUm6!PYEd(Svet zGFAz@VI~0{m%jYE>uNS1xF>Hen#XVwD`duHgKBS1m{>&U=ilQU)u>Whfn60}@=V?w zk2+HR>>D$X3ZZgP>O#U$IbtZk3gyRAjSGi1+v!Kv4P*U%_afdNbPnnb^Y$q0#e&ih zM4p{FajKZ;LarPK?%t;#FwpY`_3JZNXI7V9TI*KQfmFZg zz+$_itD4O$IhHXfuy3x2N1ERCQ2EB1I^qtP6H!8wt1w&A88faso(Puukov6EXUfJ2 zox%nV1snR*w0EegnyG~Gdb_vKQ*P4kBJg^MjOH*H&7=*e;4bmiG#8^74h*5v#Hl(l z4&%=&=d1`LJVS~!zBN5*C~LXypjE3@FH~OkYQraP$fI@#gga2XVy1xBau=Cl<>OD& zmKqBg!0|-#DNHpmFwm&khi5EnSbsHx(3syJK(ZGAPC4VQB;sGu{{zFJ~T8Y$=qgyItfP)QCza$m41v943 zdTyIQZL?uNNH$7WUEK{P?W*IA+B4WWYMNtk63<2COHx1P6)MzaxNNDGVr87dDz&Sz z^qZ3g2ZlQ#VL|k%2Q6ZR{_p2(1|DUIOABAiu#2Rz+=OVDx;+w9fH*Wc>jL}~5 zxOklbUaah=NTQ*Nm$L_t``)_5QS)*`tj5+hcl>26@9_QggnT2`-_n*4HG=|+mMU?E z9CtCXw^8GKaEe`sr?MR@Ze7Dx*>3px3WInXx_D?spLACcJYPL6mPaSG6U?CD9ts>$ zt#r*R!8;11jp{qRyAc$R?z)w2Pr*8j4NEXdo-D;iz+=`h`F+YFmane$*X7!!xf#CW zgUjOfxH)|FnC*uK;Yq!Ln+3BGgUH9l6-O%vGw|yATpNKavM#Ve3fH`jHMOvAFEi6! zacSxl4X|pTe#a>VX^>=Spq*z>tS}L;ktMAehl)P|kOLjK#ue2ElGj){UZO*RtD-A(CjfzI zS)Hb<8v_%D8RLD!YeQL{%mrn%{-2js7(>C>Ui*}&)vz!~r*U|9o2>GR?XnySa`{b# zV}H%wdItk-Ji83n3&_&okrx^}Xp+;@&@ZX^>~1cwrd9Jg1;msK^m!tFUY%QlF)cDF%=5RKI%xgz$D^}QI(ZSF4YY>lL~G5 z0j%!m%PlIEavuAM(@il3_FV%zu7Dt-neY206DG#NfT%4qagym-_^UkqG^tWyu`xJ5 zYC`fRWFSxCC8sI)0n30K^;{oASUzu5%?ZGGyGl#wMw98iDrqZkr5uB5B?FUiSp36h z6nQS$$;+=MYWXYBP9Pa=OK?C%CzBX@aQHcYXpItml6$o;cegFF4HAoFa|8+Vfb?%& z_3&9`&3jvV*4tO=oe<&{2MckouKQ)LB-YA3>K^8JdZ2p;0MNVh>)6o$=@*wz?=2iR z7EI%cpFY@JY(DmU!v4|!1hBQ26*y4-?P6ON<>?e171e{@?E$AX<$@sCvb6-Z(-kk5 zzzN_t&bZ0_iX&epi*Lf;Ye^qU%BMYfS)6W+zBI_aonY}Tx%vdK(@UOebAQ>RU64)m z$_6J>m@6(NmL|H4%lx-FWW6d&m&(JDN(4N-dn@GCh)0h*ZEKNNTL2N`TVr8M6?Igo zyY2F}TcDk&0v(za^YIw%%TvziO@-M<^s!K*pgAXimsv*Z%u}I)GICfeK}MBE>eM(= zD1%3bLwv4Js_O)hFQT8uOKfJ5%a@JcbFTJj+bPM*pYmxLtUio2)sG*4S=~Cid6(Op zK20aJ?D1O?RBl43^1@FOZX)?0Y4|mV!@1JptVr#$hEDz85>jCr)E!l6I(qcbVrozN zd4`nTlnAr+WxiBS@iBCUbVQ4A&ctlv7aQ%W7jiW5{p_xfi#U{RRpNGo>l$++q?3z+ zi{6Ju1_w)EpX{V`^^S3t{PdKGc^{I!FcXk$V%$)Ab0^ueGm>{is|nb?R?V9w-8QMG z@R`ZF1K;8p&F9MSCH%Z?fX_R^_`WRZtCgsbu1Zp_zWW)hAXIi?bZaQvV?BFLs>s$^6neApym@UNfAP2I zDH&2Kwg{1{9t4Y2ie}5-dT4WPYC#kdAJ1K=#g5kyIy|lK_(hbP#h&bXo>EWq(OpOH zNpNsl(4M6Y;!_g4Q9rrrs3Kw_mQxrt0IKvxzsXp5xFW(IYgfq~VZ9wHJ!#A?E@o#`QFL9hc-h z1L97ul2%@&??q|{$E2tMfzei16#E)m%V(#pZl~@Km1cj5i%~x+fp`rJHdGGEq*b;d z#)*)GZ#J(-2kQ-nl{{md@=`&hj|;vXN8VK>IJm-LofGKXNFJ$DA4>gK5QwQYnm^9I zVfm8X(a%6j`~)s!X5VTY?6(3v)W?0L@BW}%qzN^g&^!mZ7QfBOUDG|s)J=U?hu&B` zHIxDzU8PW6iWd9( znm+>nRV6k*TM%lMrwj(wp+rPF7_47_)Od$|S?9&!1JeQV zoQpvF^gbO8usDt8NBAted^lUz%Q&$VCz2?21HN?ir`dlbLo|V(G_>aHcwa`vDuWr} zN2bWg6vv=CT8IZSTU+O>oNnCgCc$~aqcS`FkS~z!F{J63H3`uu8B!$JBodv1=|1f4 zKHTCWm5u);!gFWUnEyg3H^42gzxdh?aQ%yE!FSHI{e|+k{&Dd?L;fn7|H1Ol1^E9v z61}o0G;yL*m=u9N-%)RSe#jns1Jg82a(umg0+2cZXm|VWH8ERU+M)k`+;rM&L_Ag5 zTpak(YZO#0%e&j@`-nZ>DmnpF(w_jnr@Uh)X=%~Q-wVX7Th|SpZ>AB=QR0-NV#zN(zcy))aOy-O$8FfHqInmN_3TUZ{l&#aem8- z<0vYBuKpW2HMnp5(-d`YNMXxE)B-P9BGobrfZC;CTci&$m!z$8YN&ZO2Z^sQN4~&V zpaPET2(|fY>u;z7HenZKy`b!0b6^XZF&EHmHGIVTKYd#uWY0#l;l(n$V>lpx~COVS7Cb>EKhN$#h9fOs#nFMdj~fm4&{U%SWBTm zjOobyc#y&*8tlp)pH=cg=7>+Jq>g{olVZ}4YTn2jk-)ZqdS5<}BmVtN8C2h9hF*Or z01i5Q|3E@fZpEs*k<@eoz&>)I>T)nmQq40I1onw)H^TLql5YeJoasu@8=42F=; zCifJkeXMZ3 zZ7I1pC4mBrUnBfbmY8 z0hv^tJ8wZgLrE3N*6B5YEI(qnrUR_E&dz^1>*KdFMZ)-Zs(({O9^%_z$NTc-{tqFeRb0CNvcKo>o}s_SIPn8q*_wo;M*1}VujI3=F?_WpzX+^gGhP zY{}nS-O>)<@DO|rS^1a&;{`*kZH(!E0nBv`|Jb)frt+t$X*x4%cE@QBu(gEpDktZ! z4${`5ZYgkCc-!{I#P4FZlvUNnKzI{l^+7y2HlM4)a7q&>jtG(n8<-({2BKw17BT3z za7n|LEK&@j6FKj^JTtFsJ7^YmzAe>wmG>ac`GH^3S*A;vMg|90q^y7w!}TjQ%E~&D zV>X#@OS4%>g?ZyuoPN(>=t?)eC}j^7jOJ&{y^Im!JDfWs#egErJ!;5bqieQ9+%R~ zaij!F6f%@c0;`9dHs&EAKEhAjm%lXFznAtDYG1QR03E)WCpNL;0}Z%It#({_G}k|l z#sU*rl9wwPs!cfx_sJ<-K0d$40K0~NRQDz5w&l%2hP-E6B#YRwCf>MR%dWyeHN-Ji zXE5RmEVX7?Xvaw=T~bD~z)~2$lg0n4R@zv{;w8?dzLs;y)S-i(@S9b7UDBLaStt72 zL${x!JeH&V$g9U&3|xYwBzBs)21&htiHnOY{`mQF*D=Th8Yeg)mU7z|@V7?$0PZT7 zX>7?F%|il)!P(qyPUv}Nw*2+A5Xw%rqQQ$_jR!Lx>wm$4`Z*+C8 z-lZqjvz2p&xK0QT1cN;0vFkl0P!$L`;qLTYYl{OWN9Cv)rpT&FV^)L?oKtoDrD}kxy`k)7D`J2h;V3wNzw~Q0uh|8W zh0dh}Tjr(B{>b$*L?7Zhsx$h$F@G|J`QP}QFuu>swTc!t$brrb0i)MHr=8h(+m!}| z8xEqoqbWeKpAI7;8ZB+{c$3bz2*LZ+f`@d0?ntJtNR2{K&JR_p$_`@Ls@5oRj>^$E zA#1YgB*<~p?~K0kOPj45R_{&|b&5zz)J~gLNKf4ir%sJJq~{X*WjS6vbQgPF}{0KNFv{t^Y_ngouZ%kJLx(xNzAa?s7W|iK#D8bSWe%#$#(Tds(;*C=e$f4S+!PBN4|!W2HYhi z;v?cg3Qb6ST$>ZEdHZGWG<`YLKSBFN0z0eB483rpg4T=+8lsOn;X=Y(vM*L~`7fj`e+fij>DoYr1|%pZLCOv5(W{U_o-|OMv&HTH z1jF7b$q_-Q3FjPAVo|MJK1%S3M^8(9#=1-SiLn*kb-vdfUziaxo!|`q2!H3Jj83uR zIGgr2xY=r8J~+MZChM>f&4N4Q8MLXTX6?mjhT`{9Ax;viHbhn2A}&b%^7X&FRu3V} z)g+L-WgM{N6h{MtH$zffJ|>{(RX!J4eJs9hP9L`_LU+OE&VNZqu0QD5^(ITBU0^Mn z=!x!b;F>_%tmeT*NFu_ne-F(n;P<-n7nTBUa{oyk|1BN=C&QwKx8I#_ zd{h5fALF(Mvo(GkOi~3V^9<` z1Z&ztsFc&Cjuzaaq@{8tsn948Y%;*v7(VunE83F~8F?SELcnb2WN2?BV!%-y^)z`M zbfd!K$X5fw#`!6pG#wD#1fC8ehhyM5_~V=WPtI|?&NxRj`JQWG#9m3-zLonvjFh9F z^*m%`+8FyLs3t)y3563Tf3=4pL|-0?GoCA{yPXCuGc7Xe%2O^f9c&l#!!}*ioHUAw z`v-bYvUdyg;q*)f-Xx~8I}-C@;R7|b7yUW1RRCed*~pWt9>l3p5AU}nGUtgaa0=|% zYQ0vE)qnXuwkP)=FO~Hqj^kZAO@qB9U|Obv7!r?6q)FxL37$$p(RwGbVJCch`PbQw z4L_J4`bfz2?#oW?1F9BhK`C?=cnrlUP^mq!#Sy=H`L(i`j`;X1NIZ72X(ZaTA z7PjX|yd)e7HxXzjn*^0K*K}U_`o8juvCeJ1bl4{=5LN8=?)e@7@vXSLrsRN3Q<9|nBZ~PQ%`myry6{nvcLISfoguW zn&lFtXd|C#xAU3Ykxr|r)jw7$n30;eB(_$b4OZt=nfR)X#w?ClFY0SZ_T7*RWi54x zA-cLMJN(g4gwA1!jurnX|F8*<8=(!5_EXWLSYBXo;;Ph6#zpB-VY!Y5g@Y zl95xPZV+>PIyI*OCRs%T~pGVs$1AAkOM}+4ZRDAjJl~M zx9gL99GEk7G3FOdYbGm6Izs}hEka5INo>hZDzk80-O%8M>L`UtSMUY@P*r~+T=>u( zj#w5KxCzuX}x0YbVj zVg{bO^oaYpDr0IVO5pXLrXC}>d>}1jqy!W!i`nqYO}mOK4DNkvi>exxG*o^^Lqm$x zid|Q2dsH6bd4cj~o9?A;l~M~8kGkXTev(w-<{|6r^7j9F6qt5QKqWuvEx4z_H zD$*TQWob&F)olCs2kr0r&zio_H%-3w6}q7w6GkVmRb74oY&cI%PfTH0Bpc#_u(7?P zzjXJUe$jqQV1f5o{~BdNiB9;1H^i_2`0fW+-sE}S3J4qOb6(;teJ$MkQ2QP{!&~L* zG^J1zL6g{`YEzR*Hu*9yLash6_stH_V4pyBIDbDgpkP)|_`c`pm8yIbjo8Pu-Z9lZ z%wU-HR3A#c{!)lU?BR!VX3P7#Yvgx}L`t<2dmsxnJp6>CZXG<0ocTe``v%RKgRAHn z)|-k08jgFb^Sh51p>>>Q867eyf(GvWG-=s`$y)bAlV}!3iY6q+^>2tIf3Z3bd(E^WTUn3|MaCt+&45>NUD7`N6+}}JS>tpd!t(3O`jF14d+6e$4o@8vx+@V@x!IyOtFgskSdOEtU!mPFMkdxJ!_q}N z3t58c=M(hso`6C;o!%y6k;UrbKwHGpk;bhLicVt>TPaz7qd5(I_;&yTpIdAI4tmt7 zfMM=?sG=Qwg{r=vwQZxA{O)pB+`XJQ6`+)6iksXGa)C`Bm2y1C>W;u;qD*2E-qdRe zA(O9@+nfZ!lnN+t0uw&6_jrDfaWzu{`{{Q$_6$v^VOepUc%FEerA9T72p{x~nY}K8 z7>E|Z2Xy)Yp3@E?fA-NOBzT3CuB*G8yTJ_PG#CF^BWpqwYQ6~-*1#4mN2 zEq~ju&M{pg@me06h-L!G$<6%cVB-TcIF7fji<=^fC>vGbI{FET)qj(V`>adAEP}xg z3^-|^rgPABPLA4fraSP{9q+sE`~l*bbnmZ>BCD_uvisp&gIK<5JL%A zE+r+r_mqLoQ0FBbeUpNTg%mpQya}J3MCSYARwYS!nbb}RRvt)9B8yKn-&C%rT0=yP zeIrzyzFfVYm%gM8<2<&v%j<#ZY{+9f?@PnN6F+)c)wAuP)Q7zIWm}LE$Rv*Lg4!n; zhmmi2tJfISkJKYB6ln}Grj4QMR64L1t@J4KfY<9dWb8yS1^vuQFm4usu@#rmdcYVXD-l|^2TEne?2jfCY%rk`PF(UCeNrl)ADL?&k z&b&UcE*<^!xDt1|6<{TC6ZU$Xc<5=K2ene*rDG9^V|9QGp{vp*o{KZADZ1ryaFcUN zeJ-zUNiDte>%QCnqZj9x-kzQfvkV+kJ>6bYXYmqhGisK<{@3?pVBD|#X8BhJtHvG< z+#WWQQwq@tks*@=>RCsBCp~ex=a=ov&f@sivcN>=;DFFXq@7-aT$q@oV-V{E$zC4Q z3~G;Rh8|Mc>#(;wb`Pkk`fxJLa!8L55T~tii433YAZ5qRZJX_jKgV%c@|LV4md!*3 zyoNy06JoZx?STOj8oUY2K~)nMne_77PXBF$>gK2Rgv|G=H_dEL0FAm0vC$G1cb_3O z%oiI!5Ak*p{U!yNzZEIj((;;dj9MmgzkP2Hs-@PDW5w+js@jd&N?h}8k*vS4MR54M ziUY=vvG0r|8JG#w1B2r?;}UKR6{nhkyfB-Cqt7%o5ianlGPSJRERmVXMb}k3hYQsl z?lGrURT;jPI_#k0(xhOcLMSxzH?IiCs1Ojumz?&4d%VLg>EHJ`wU!KZ{LfpB|fgBOm92d(d?osVKx%+mN2a7ELm`r2D5 zxG{A$f z7e8UgPaDMx+^cY+%*h$=yPu;!2Swv)Q3cR(fx;FVa#dx72%dH<+qpg-Z9l51j7SW; zMmzcM0#WJ1Ap+@|s#TCt&KSR+PRD~U3aW<20S4IIJ*8D>U_@^6EqPHz!6pGn@w-arX2 zbS+%jRoqgQ8-4Qrd@<=bOrela>{eb1EF&_S=JWPX{6n`_77-OZCBKDQ=F9`z$D8{1 zm0208#2PHOsP3>XMdxZSnTG^Wxo+mhq4$Ry(>9xKJ(;3+&&cri_PHa<@~^?)O<~N{ z+tP%RA0;}yQEyy9J$_JLDuF46a_bwos=J+0l4O%xxx#QKkLgHj2pXS7uft)hY%Eex zE}LDVrG^vRo6C-0T&~8o-O=x9CC9(ncAaY=nX?-iPQBW?OsI)ePG>;x17eQ;J@Kq? zyY!KMhU;K6@pX_G(1u18`hwdnvl=#*E9#h`vC0?`epMwVYKRB~j^Q2qiY%auy!`hA zyF77*bmDvC8dRlxZgF>xg~;NR!UR@05*IQAKg?aw`{~WkM8C8?HJp4S@>&6`YTgOY z>9xx{k4W!Of$u+t(r$`9m$Xo_{!AeoW(>4eemItw^2x%Z0CF8WB(6ZReP&R-yh{&D zAjj6W&Brpgew=ltzPpW%$0Uv9g4+jtL7vtkf&Y%8ikQOE5NXU=w<+(Tkrv}Xq;svC zxNa)et)RsOOmxju!4RGE-awhnv!O`S1XIX@)k zN;6cGtEHnN=BuBxiM-?EddNTh56Hihs~H3M&wKyD;K~009w?9XF=GbJ6g0H5(HVWT z-7zS(zVq1&VLy)i5Coi#%LszRI7wgTOj~Gw0%&0AU96)_>4W=ae|lr~@SU#& zrl|4+z~baJ-8kC1y1BKz5PxqCSiRH-UsEVvX07`GC)c1n0nnhz817vxI{}aARYuILTU4Lt9Pjkg;@A91cGt<$fsO(MgwGI-7qIxkz@WqY2@uhyJMU_g;E z1IyJR{u99Kp`?Ne4LP~#R@S}iv@@RwbXr?Ijbal#S8}K>5?=*_IkJt9f*5q_|cN^lM4oxYMI_ z9a+S?Sg%C&=ikChoErM(Vu9iBw?*yWHfH z-EcFKXA2-pRmZ%d8>)i)ib@XAENC_AkRl)`B{T_23sT)u0!auZp$Aa92_*C` zc6v`j=pc{~0tBRY3ra^y5?TT%Md@Gxbc4FTJnuK(%=bL+oM+y7&p9(^&iW^lS^4GH z?zPsv?)$p03!|&5usLDJiCauO6_8WF=_LTTNE@YPOHsZy9x+=4vyoBaNc1h@3o5j$ zFMUl#0+fbw1J%}$w=@lDhGG2lYX^vYzYo`%f`R2@lPGrl6uxKModqS>-<97Ul+Y#b zR@7k-3TGfr_HrIgTJlUr?!a{wIrB!4aaka^(%C0G^fIBD=g2iGLPckvvi4yHS@JDE zj!6So8n0nrjLG#!oG61uOw`{AaRh2Y5i-muvP3{g7v!! zGko{>S?ZNks9~OkwdfUqBI+5`Dg8w0oua2}O}yYr(AM)F_`1Hn`Zg+({TQwj8nM68 z_`P?ij|fnSDhNLtga>nY4b9pn>8(6sJML)UVOi)9ro1h~zqL+L?atSkQsk*DkT-&6 zmJjUv2ozYp$c@sDN?xS(hp>!sJ}JLek_!7OwJ6xXc@EnNuC1a0iCgucs(k4em^K_zjlYcj%>$zS_=Qp5y zY6mg*91jK_Tdrktqb+EK`DWTaR_$Z9yEYU#!AVUVleI8c_fqbGj7FDHV1Zy13f)Bm za>B@Q{xQ=c7VS(GZ40Yg^_Oh(9h;sS)|$EXdEU?~%k5m~30wvZ`H0rb02F<-E)Jf9 zljn+G9);sH1LpJEOxoqyLMVe`;}RA+3D+VmHb>l~E?j?nr?fw!`DsaQVD(sJU>CWT z*RTG+wXOWG93)Nu*Og&+2=(I1+Rm2VtyQR`cP)1-s>8YTk8S6bi59W{-;%JBdW~^^ zbfoatQ|`V6lcA*-{JE10@|Y~-;ki(K8rnu~#tvBr#UMCT%e;?T&kv7Mt}LjM9-QW7 zh+FEfAnuuGLd?hc401(rN@HaT11qRO8JP>PB!~ziYieR@s$fNyFbI>!Y~Hi(47?+x zXx{uaB^cDY1|`Pk2|YrRBL*!S6GFS`Hl_7smD$Qx@5QMiho8ojyo650<1xmbF0Je9 z(#rhc&t4SzDdtCKSVE&BH_1-S67*b7iNhJsdYdKtVxK;9t>Zrh1-J;cM?#Ix^zNC8 zAuYG&W2G>L3H!O(7|UnFzV_i0PA_20b!+5GC4ldnvl2n!rs#8Q-X*NI+JLZVc!TJu z!;rX0{p$j_-;nV0!Ni)W20fqlzj$VG3+2?!NxM_SP4&MG*#2po*0>Ix$ zdi6KY0N+}}hYt!HqMH%S#s&Wg;r!9PeUFC4iDdAeHG2J>ci=5nG(P!Hn%&^ICvA6i z#5_g-(+~T|L2D{x#EmV&9b{gKC8T_ER2k1ji3sYp&r>JS8_TiU#OI7IVnw~-l}Xs= z!#~WfG)1tMZOLNdakHlBd^F2e(uv9Y%PQu@2g3S+ggeJdbh;V5-jA(g1iTCr;#f;D zg@r~lss!fwJj367!&b{o*PNT~0CypNFEgJ*dE;Q6cg<^SUj^PB-nzM0m32X8*0KFm zH4i1xCe|ubGogMO|3f56ubdq~tk@Piw;<(d`o3ap$@kU!eY*U#r_uwSV?YG$OuTuv zb;XeTF#{P`rnGbR$>vIoQ8>R-pQzS`u@;6e1ErO1Imd~Vf060FUA3q`F%r}nVDgkSeUcJ_{G9ojr> zTQb)u{`!@Aze4c^o6I+Q@rVD#gS(p4KY5N{;o&)Q>Uq~&wxFF8n{7iC>S77AF1ZHCMQIFX3FzfiwX6&renHYg<7GCT><%Ugz>&;-g${06 zl$K4~3C$*)O(8_lOjBw#jtjBCC)0j0)YNX=?(cEOo(yqfx~9YMr1$-J6P=($xMIDG z0sgP|Eeh>F1g?5qv2@iE^VnWvUl9Qns=qstrYYIfv%7PfS=*3VshA@-1WF zU@hD&A9HmNAYl3Hn0G==VmVz-utvJlJ2!GAM2c^B1B13!D)zjHEC#z!cs_Yk~8+a-`ZR3+(I}n-ygYh-HnBm)5gE(MGOe2 z-Fqd#`s=RTmEAHIoDLxS&*n8&cfLLK4NiQ-)R0W`PXGNCn>*C`_lg}p-@nut_SHod zUJAr@8SES%O}#)+m+sa=o_<{HB%A2gLeLz~WM% z`B8{POInwyH|10&AeXt-rdB!T(RN`*CrJEBDbBe3ySFxA?yWG>o_El0+s}e~#)gNx zc#{p0?cb_XF?)md`NIui`BO(KCn_|>)w}3#cK{&uU<)DBl4ryb`>Uo8?wv1>kHU$| z=2vg7ICRLl#`Lt;s=2&cEyQy6a@J`4*VZLCe9_I&v?r>-u8&>m8XO0U$yw}Kjn8~J zY{wB^gMNN~;SJ-VHjrCvb${ppy z8%Zo&30Y&IVv+%Ax_tAq{|42fgV-o(TYQOXOCA$5M0W`;hkVe)!ihuT=NF1rmYzlU zG0J)w1`RUoVSZu#+y6+ENN#juG{s_{d`P^nUM;XVJLv3)5KC&TKd8vM2Tn3Jt`pr8 z5XdT5&4&R*gPyZxLCwF`i<;)Guk1QZrmn#fVVFdT?*iM}im}q~X#|F7rcfZ#B65a{ z))R%*NfYhI+K#7DuFq&TFXL6ZxftjN8kq+@hYv7%y3ZS^pzdkhmrUcBjW6$!tZ(Qo zy)S}WCVkSqhJrJ}fHwxSMR8fuo}^;LVn-Z=bxPZp*|(*=1On2CZDAW{7FrU1vVC7t1v+dHn#)n7!Hjgg;Z3VLDORx0LP3pBeShQF+-` zXAhLv_wLja2fel#hAS-kbIOvOV=wGmvU*F`^H7HkrJuU7%B@hfy!p9avIk&*!{Wxp zH}F)duC4ZKd8uD$Zm3GU5dx1Hu8OGn2PE zRiMFH$x*c5sIw`X6*cwoY-xdpFBfM3vIq;O@!fS)BO6&VC zXOkt_Pm!Pk9U&FP6>V=`$c=eO|B%lc>Ydjq(1>4h!`JGfous+w!Y3O|PY(8t+T3mJ zViGC19G|~=PUGWDeO+ymM`XSz3Zxl2L|V^ddr3ppt%UB3=1F6+Lf2zyVYV#A49eG=MyMaiQ+doA6%~mvIp*OaDM} z(RFxuR2{f_8UNNMJFTqk2l!sUd$AKgq}vjvQ{NkYrQrg1=}M*bGSZ|wd5)&&?6oO2 zV=Z6oO|Ki)3f>#ge~ie#5b*~}(G3L%C3xcSfo27lK3EysGH z`G?@Pb;Y61@bJ&f;@e#hQg+-{?C8@UJcr4%DP^g4Bb0uM4t~p6`;eIaT{>gn{>x&z zV}u6DSbOfZb*3S0-S%RqFcnE_(F@v3T^(YVUEOHRpaHnU#3x4;yhEBG1wqq8*_zFuB*{%c<3)BZu^gf9h6;S#7gP$0oKyds=b?LIh5eZq7;w=@*^D~P zMvTv=T#0sr*3($dVkb*HF>RCI_)gXj!-g!(iHAfd>qFXhk32~?pTGZgeqOM< zRtX9wT$OGN9An%t;KS(krqY155h}5_eE%Z-`P6L)(|xo{2aq)3|&{F6E^3 z+c3?tyw3<$lM~gx@#pE5P}E8Q17RyT6fomo2KaIp|Af+6=^-~cp*;CmJy2P>wFh9Z z7;Ui^ZAW!(!P-&$n7|~jh;e-dq)l(?0j-mSawF%GGrDz#N$ZIx0l;X4iS(Gp@?bxNflEe3je8_ufv2#;O++s|R=d=EH?RB{9?fv!RJ=c}PKIz6;QEIn0al zQAYN_lbDYMk@j0n8e2IUeyP$^FU_Fx9?X1V@vIhh{`IG-I zK4mj3E|Wb8gsib5uGW9ay*^xOyt3SM?6I1=CE42dl$YiVL+*tfY)_bvw467kJ|QG2B}KXjp}hep%6tqwGaR77o-OCta6&7? z4(}C1Z29t#JFUC6MjD{U=t)u;Z2or$M6nx@km_j~TN|b-)7IUW#ZM}7Z{8$%mHLL7 z%w_>>tQN&0$pG~;rrIE)S%&eHT=z=IfVNXg_aQlCeNUnc4@-(G_GdStO^T$cx(9uQS|>BE&3pq9z06N zU9BD!Cq^jq-%d!Vc_1DA=x4l$6EJ&l!L7P?f8W!Y-TquB6&mN7&ZPqbe(&Y1v_r++ys?eh6S19eitLwu;>SJy3r(E% z-@Q><=Y_tHS2p-6>oDJ1R89HVxESVRkibkOqaihjbVw;@@dH!OGofEeLFlijmhzqc zM4iw=-=grI3tljM22Q%6nc70Xt9cgow< z5MK7j`b=%1wFX2Y*c>_bbsdY#6|a{JG&hxowk3SX?*{}_iO2Y(G&ptzyJF6`WTCYn zA7IzIt82!=yGTdt-0v1TO&-r$xKA-5X*vpxt%7&)6l$a~ckCl|=l!+67oR;VBDeK7 z&*M+wxVeoL{oB`ESJzY8Uj*CE1v+IvSy$|Bp-f8KV!t`q!?3CsoldIIcwb`%Z7ekI z+(N*4EoiCjL`Khvu@sDn`>1d&77@c*aJZ8kxgM;esG z=7KaT_)G#37eFpQPE+~dK5mM`m*mBSuSHARx*xV^RCWn}tg+dXu7Z|KVvZswC)AGV zn|UDxe}J3&4i^+jajCtNYwc_K-lV0xvbXkf1k{vsM1PU3%?r`BGYvXI7*9wlVQ4wD z6wjoE+S%f~JMzw%SD3m7lN*B<01C5&<^thNQDSUyEa)sx!hamfX)MRg;lX zsaF%Y&>LznyxYh0tzoVe?(A&I*{YWZ27L-vEC04Rfa7#rAMm*_!1L16rE%lFO?9u# zY)<3ae%4D`?LejCM}gKLTB_o}nbwBcC4-u*>x-!n_3*%Dma5p*PztWjAs#1Vc}ch4 z1*`{Jp#K$6MzHKD`f5oFE&+#QY~c|F?7@T#&+@k`CuRhi{s3>aNBIm?Fy6B&LmhmR zZDg>oAMJpIlyed`(xi2RE~=PXrFT~(TI44IyYuF_&ts-Fr?xkh8+Ue_EW(7kcIcF@ z3vv*-eu)T4M?B;_MfjbFO74;@_|L~--K$tF-we`q`MI>{q(SIJPse2Pz1Psn4r;eVXUb-V+IFh zu|G$Bs0u25Lop--IAhm6N#&(Xa+6~K!BRS7amlPA@TwoV*Q?(Q-=>toCJq2Dj+nj4 zjay~tx^6ukt6)5RairKV@+^Z>YH^Q?_=jC_lVvQ@o1|o!H8N<)xys&SiN98Kwf{;P z*4idfwfN6jc!M^@L6aGo9KvT2u3H93Df;$e~%89ngUuGGVyQsW2BrB>( zDc-Sy-x6ihFZe-(x6hV3y}c@O}Iggq2?0nNZTS<4TSxho?zMcjyTI zjy&BsWE{YbR2GAji-MW{Xv$GA_)o=-g4w&fGyAd@g;uNKd{MktS>?LGU&5F#Y_wA7 zgrYB-eGadwFnUs@PX4qmWD}hi=@VXFhIFs93M;dsndOQ}^`LREoL!257&1)^LAc8> z_O)Kn9(5T0)6nh=WjNYJQ+h=0UepYoSn50@$FW+F%Y>^Ndsd`pnMy5cg60KgbSSN4 z#a_gZ82@iZ^OmEP>%9BR=bMr(E2eCrgw=;1REkA$6B3BUr;GSY8O`G0<%${L+mee( z5P>1LVx}(6_^;qBi#Id2-c@N3qisNU4u`J~R$+ZbVF(DI0IoyFe4&YuK+kIQ{Kt*o zCXl>c!Fj1i2*OVi%qP8DgpE&dzI#C2uAUD@)Tq>p z0xER{n$u?oAAB&Zs8BtevaAe2EF%M*H983~B*r7d0W++HBExZ0H!L^Y%)Z9=)Q>KC zghSXRO$pEk3H1|&&TYGu!E_{RLCu(0X*0<{2>VPPq(ZQKq+mYyn25@w^i>4qI4hho zkSp~SS2pZ>KV=Sf#;BOzym^tsoi^2tY8EEsGg2`x9Gy=O=vh%ACZ-l+vomcA5pId{YmZgCyOrg% znOj{qU~O)zQx@)9gM_On439mo#*@? zonPsKCm*B+A2_!u3bD5)cPGoAw;o>`Od5wr#~L>RJSiXs111d-d4gwO7eiy2ilA6E zP2D6RN<$|-xHU$^(_WfdJ(0DLU0@oA`P{I?FY2M8vT{Xwu0=_B*UmR>Ode5CstYX) zvZ0umYd+1uf|&J!q|PI<_zVaFCQFc3|4l@T9(qN3o2nW)S}0BParh>97 zzcwdHCY@kRz2iGSB7@FDA!{361Y2Z!xePm%thR2$!r)WJT}mM%sdiCSI961MM##2p z+l4|+(QH8yh0;8n?1@VNW9)vI*{h__e2W=9wNzy_O>l`DQe_uq0b3&SNW;AuWj9H? z<;LCx(spJkL=)EHfIYM)-L%FYJwY?q%cJO1`cmaIs168m)cCy9*;EJs088jyw1Yq( zKL_CL*n-_b$Q|0s&FMVM#g$%l_0zfzPpd3Cax{+#ipARL?sD8|(z0tp z+5+AhYo?)Zs>$t5Iv8lWqPlfnfU$$LwDOtdr%IV*0THodKfPbrw$Ts#;;N=X5(z>Q zgVo?!kR&c7?I`_h`%FGg%IERGZM=I}`(~2K7OW6nUH_x~?s`a`O->?d1FkRe1?mFL zh~*bc!5hPRclj&uPkc|q`C4ar*H6^RqE0`^i zs{FnHz@PAO!&cm%<$I8o%mo%xVYR}7T9Z(GxItL z(dELzElsmk@=ESb(T9Hh%@Yr$z2ILHggNEI1Hl$e@NDbK(O4#8us)V{yxCbpR7C0; zQ8e@RphY4%tWg(=ZMC{}uUL~o0IUTU-}4wHk71wFaLVtr@|S#5=MFgwzV3wH)W&Cx z(D8V#4j$ljp>=G4vCXOcCa3B)1{sVHPCJkPS``V*yuL;`=_ml7666+=f!(UY(`sa3 zzTbd1lhdk9v;3P>Jaa=gx(2S=7AJi54w=#D<6IxJMHt=+Qd-<{YS1&3Xn??6Om)shhZg#qHVl-^_imW$S?5k}_o2P?5b3(`ERY(Enp7N>}d zw2<%lXG0=*M(AGOv$3A@{vx@=m)r zGHl9rr@RGd@%|~ZY^eRp2K~jQ7=(=H*E=>dz|Xk`jkK<{W!XGCaAA4K*N!qd1eHtZ zha4VTCk}bf#{Cqi1419)q{H&9(qa_8q^M=ps1?KX@6HIieYU4YOyfSHs?CC) zGDxvHOUjTm#w^qv-vr3Tiw`D@V(_L#8rajQw!xo?5z|?xLSPS*8|jhTR$b@7IY@qM zEFWkyJoSt9m(IZX+eLN)&TDrQn(^j)>!VYsU$vz=H;wSr@!)a__C|nR$~)P9a+g|> zIqoBnjO-Xh6h6%+nE6QL|&|tEKpG! zfA$oF^Z{T>z#h*J!AdnOa9D#ff*>&})2Y1f0-o}P(jGk!B_OyRDNHJ`SOh2x$yKjJ z)t`e82*4-GtSbq=Q|C2L9Arx469w0QOhd1yyL9pURmHOWA*Op8xKXjY@KWRL6r=s# z1l2S6_NC5H44=M2`GgCm43IS;t=3EcT1wqb15qx|qG;;#-V~B~Z}=J-`|WXO*Y@8$ z9lBfZM$UxakXW0$ksY@AOMN{*xaG%n&imMv@?G6u#ULT<`Qp^8rDEff6ge%ir5hu! zQ^hT0*?}qx&Z%37=F3EHGsrokrbBCqEk+W*+_$C$`Kx_KpHDdI?KulWz+1f zQ|dP*k$tjJzojCjpNP5qFvRXQMyL%VsCfZXm>+&v?DgOE<)3LQU_nm!DXs!g4S`j*}+urkuG@ zvA;ar!|={zGl2?r3$J35?#ic``;=P5B&IwsbENMMVLkuSTaoEZ+nHZc?_kxKZ1cKi zPsp*ZVo~lkEz5PsSG@J?<^otbTZNK&3nfQ=-jgSnl3(3!0h+SCWv$&Bs`E_Z&BOSl zvKjG3+GqQ7fipp#t)7tiuRDr3ol>aPBh89ot`N*KB01>?&-K=5t1=aa%*FT~;pNcCWYaA7sAh;(p_hYP!P;T0tNLZCc{wi1c*?`Je z25u7oY5Rel(Zios-qnW#uWM;hBdb!o8jkX5G_Mi!4Rgf`drmQC=Iz>M4U+4xWFjXq zgP(>*WL|4V%zRErp%eM!s3V=@QyWs7YBtVgsu2KtG|Ema|iAJ3mrvYtl2 zE-wp?ig?Wp^8ZWYxBJ($L6jH$UDocm{i3V8fV1lMOH~UJ*!0)>fh3`IPOAKmA8YT{ zPxqr*_unMt}7he z>{TtQ_P_)-mL=5k{3f%Ic?ss7l+aAx^5deYk%B`Jydm@f2 zzegYA3ms7c+>HLd-xu(0o73{jpmQ5+AThv=poe8CmgXr{wtHw#jTg9ap`U@(rF7kG zbEXRjAxTAT-cW8IF)v+qEN&nO>_)sbMg!{^VpzZ<==n!d(=Ja8Qm=+?-9CED_JuEQ zF7&`tyYagl>X;IdZD|RJ% z(+^;R?RS&>$}b`WtLd!PZf;OKciV2>V`HN`=F$4e3p__<|K+{^Fa7#|su5lOkGoXx ztqHVN;(gcGtQ-F#Z0`BVy_F!bWfqFQ|ZQM87CimRPl|&3V2xfSBwB&#rhmqd3ziJA)9wWSNXg z*{dtRWzO+eh-p;{8cq2+J?RnfO*MRYs~K}fMfO;`!!k%x+UW}yHNx2Nd*&b=lG-2h zYvY2jR%q7e(8|$jo2QzVyDFv<(*sUL$v{S+Cp4h*ceVAsgZBQ=Zx-Pg=HBSd?PP&` zx2dP2mF3#%a;VSOGqC;Gcf7vkF{!zsBDg>D=+q;*jZ-2Auj%nWZhUcQ1j|Xjb$+vQ zUeH!mRnJ47(l+4vL==bN`)c8D=RL0luYM~%sO1qd4PrI=IU*O|u35;Gw^Ev)^dsOz zH`p}TLS7dfS}IoiJF2laGZJ}wsNA@S%26OR2ZNe#1;*l=6(KiHQf~K;R$bz0cGkK2 zZo}Swb?*E7-IrRU#bvnFi^TpzY#23f%QT{mpnuM^7lYc+dSrSrQhjjffMFZtE| zSfQ);Gi@IeuKNg)hb1r^6;eLqc}Q-l5`QX6cpTl7#M?oB0%C1!H7 zopL7rR#_Ib_~g9EbYN^f?($rc*LRiBk)=`=~M;@x263>L-3PGn&A+6l; zoGfV=G>Hj@xHVS#k@JN5DIzEH;~KBGw61;3p9e|UdHS1ZXg3p+=oZv5-R`f!OvZ;B z@;=bDxX05=-$&0rAub*DX?r7YUGnx;~b_(oJ9 z)`UY5N=gZ@3J)G#*NC-NA}WUcJbvD0c_3Xs0N-e;20@nRNhYTNj>^6hKQ z4(HV4OBQOea65&w)*|uACzPL6YzsT-UFWpTW($xW>)daLzKrG1rrOFQilUq@HyojY z^96isfz(2@Ldu3>q%%cgx7qWtyfc<7!MpN6&CCAXbLGc0N6iRTikY%$E|S_I)od3J zYUhl%i3Y03GL|shH<#}ys!&fbd!=|F>X2U%f?E98_LSwjyXFUkP!RTKuGHluBHYRc zn))Ll!7;WUXm3A);mvqM%b-zRCP#iuqDw8CsS|Ei$y&eL=^P#9yz;@X*HTw|-^W0B z_I<;n(>K7HI#d)Bc%$Z)kPf0stHJyR+&vQ>rEZ3NW^v0@f26AoVq{sB!Fp1GH)%{4 zucULi?vJcj7$=)oTEw*JpUcz_LDOFX2HdDipf+F6T%$B;BXJaB08GtD@wb-!oc|b7 zMT`M4@&)FcSCl5lUwY*as)Et&7@7JUhAZ-_Vr1ZI8VuX`*?>sz*4$)U2vst-!>gIT zQ$W5pt2<8abFWP+nCLqREi2FG4EV0)Xu!0OoB0(zA}XFyqtJlW177`EWZ8}TC^~Ps z`y%7xTjJU#^0*BRZ9GX@7gOZ7!wPuz0d&S``*5t3iWJ7lid?akmmD#LLq7!8dT~po|^1?Jx|QOdOZiG*6Zj zs$@mhyAkN(@j6hKchZLWo(Tn}ymymP$zH=!Cx-U^u&i=a=Xx4*R zkY9wayUu~R%K&0Z3hnfaBGs7N{8&>UD4J=b;*0rS#vW=_K9Jo*mUJ>(epdlwR`NE| znwPK3kLIl3Y@A<`CXtDgL66zaP3JY#>TXs!?di&Wd}y9;mS~%<$ce+Zr&|VOinl%fkKD(sdTMMXj`u=2WO*R+lXm5H?>8Wqp#9&=u< z7y+s%cR4Imbe+2Iif9{tsI(7tf3!t4ZJ9c*>HeWgi8OqW5<1{6*&pOZ!+4zmQG;?S z{SpemeBE}IxE^p+a#eOw-fVMIN6qWZ8$nsO8ug-{Q{Xn;YIf`NB})E6`MTU zXJ61VhSi!t1(sqq;M6MaXG!JKLxGZG+u44t%jdnJ3st_SOWiN}qr0Igvyn_hVeoO{ zrs0vI^oo{!GV49E0*k2Dc^vju={?P)mFCYXG$LdH^hGeYlCU&FLOp^A_SHJk-16+3 z=hV*+LE}$nxH(A%E!$+&N(n(v*wBdvuZcRd1J08l{2FAZrA{FBjniCA#cyp z(SI>4Eo&k)UMKn^=`BA65cY@{cq-DY`}_*A3bWB|9 z1Zwqd+lb%F4YS3L_DYwmer8Hh&Id68G+=G6C+QPjE1VFUW2G_Kp1hbE=G>weHHY9c zD6>SKTZ!0B7iI9hra!jCG3PEZc$ zfS|=nO++cO&~L^#E~`Jbc@VK8cN+iEI*as@K(G0cC7^~o^Qf|2OX{0q$3T2QnQSYu zw%b1nq68YAdd9jl|8Z`;o!6!52*tbr}kzQtD1waua zOVK4QwgBz_{GW5-|4#)ye&P}Mj~hD@*S;bo@U-hkv`1_7H!SCUv1_=@r8CQa^R#wA zTdk&?7fWqKUZnelpS`!$argYj$g;=6Z1Fb{wDIZ{*t7WYPh8hs;F?4rwL{%PNx%aX zFNbvYE*<&W%S6ASn-)9l<6lJdDXL~$-H%bZIM^627%TOCbuqQhtL@54IQn{uXoNXs zWd2o-&7Q=ys`Kd2tC~tlrFuEr{a%6jcSu;NS+6OpdshyIO@B)O7+XH3g$-b<;!;KtwA*f`)0&aNJZCU4HE2+ zMTGYMeuM0a|$mriZXX~}OHh{be#ez!g zT+CLGo&z8ze{(K$CP)Vk>9uqGxDKJYxITx;zwG%XodR92@h$l1b#SlmZyuK|UCFoc z4akS)J%T-2ou87WUmV^jH2OIRBBat)Ky9J60JI)HVLj-X=e;(*gi9w90gseL4$hXf zz;zpY^osMB+$}%=2f{C=`Zf#`Jj(xB`RDBC@_(wRO1r0(7GogBe9H5?&;uTxe;0G8>iIW7U4_LfFL})VnOD0EVXt`HBTWKR<+bLyz=_v;#KBE5mx$K&^J^!wbfCk@Of#; zpu({iHR>H!)ez`+qIA8y0miCI8DnR@Q?SB#W9%R}4XQ`0r)%@M)*hA$iwZlzA0Bq^ z`FKbEA}Sjg%A^evdkl+(<4-5Hc<+FOv;6HAv3&X1ZP(LZ$O{I-yf&Lx53S2>*VEf{ zAs=eq#o?nu+GU&iqt5Flq)y;7%&hq(^#CAn#HZwEu0m0^zm5JODwt`r_d1dezn)MB z{3awi3y|B*E^s>|rWLy7iQmAeeI_-Me+ag$lZMW0l5Yw3s4P4k!BLHA&vN!zGp62rPs3C2vxGywIf{^jsQB@+QV}Qek^nXCbXLta2^?uk#iNnEf-rf zxt#=Y1Dfd9sK%L(K`>Pyqo}~bo^&7SJeuZU49J-z)rE*5*)2+ekz5`RuqKljo{R|$b zbkSkU7|8Yb-+fPVhp5kVzt|8uSCT71Nj*p|5s7(a*6|*x{1wi*IxddiITMkvvnd+r zQ_826pH04!inuMGx+_Htxq8eS-iRp(`3e`JwkL-Q$ra9TSYRb{%9~%jAhYnB+qqJ6 zgPLtp*vd;X+g`XW@P~@A2;S!f8^^?L7MZeR9u{HB?dF)O(N^}!b5Ta{&S4)SOl|EH zni0SO|4fvndE-L~!P)@+ebGxlQoWg}qAxUt+BnXVvP|kSr*duXXUKmfv*K5Z{qUOm%cQPZ(v_a zabzh1VYUgOd3!rR_7?y0oAjKj2&BF(gSU{oS|{K%VC?e|K~Gd_{6)Vn#!z6D0Yx|< zQaTkEqd-F(;xX-Lv)~t55&OvIUCjm61JuAHzssK}SnwWySkW;crz)#Rd-6!j|*|Pb_CUAMsLDGrSmPcn;SbQ}XOhWA1yR>EApu zYYOSl`nh!QXxlbQ6K66%sIsSNWT@RXU>-QYIv=EA@t0KJdfl`~o^BGUMqA}g@EH)1 zTCxqv%NSR(*p6VRGiSaO2aVO-d@POnLqOk45EMNpbs8$~U8<>h!mDdFR9Sogncmi# zL6#~{#GE{{HfhWWe^Z6gFAKDvI#MWBWnFBB(WM)u9j2F@0{5+(-a=cqCC$Ia1lILeWchHlzsViO5w)nzu*HJ)s#xuJ7lQHDj(k z-Do?PByHE44Ug4 zvsXIO!uj=_`e1+o?)M*Q?9rchDu0TUx0BnR=t6yoof+9`W5v-z0 zjvKWoE6qq}{4iE5B_VI;54=+h9NP`KTGsVwl{%dIyu>yHWv^L63qdhtqdt~`-2qOg zXya3s-ZpBaT@fc3YD68AHe(p5?KHXXV(K&`_u$ZOoA}rySCwYx#b9A<0hJSBsFWV8 zpu=Do41?@y*Sq%1#ucj{4;*AB( zt|nPL8OY_04{0%J3TBICn{-L{(${6ZrEQ;97D|Nddl@PE-wY*db}oS`wutiQv*`X_ ztkCNEJ53E_!k&!n6)l$;b2>+rf@ zGw^iW`(^WNdEd_6eixu6#Vl}N6y_boFq7khsA!VT;lXPMq~$(Z=EaIWci>I)62yg+ z&z(%1sPJ-0kJRzT%;iMzliX}q#^&Y9f8#*?SG)eN4%%PhB zlxOieu8R<1^T~qi#tzDRSV)9%jM3zktuT`wXg=0u+uG+Pkyr{>sca_2^U9L9vG-o# zZA{b3q}4X1jymeUb$J^W%am-wp%=Ic1Gi+#s`)EI!e|H*(--RMi$Qs#bb|?dCYg9XIn!GG z=`0t_wk^xat2AmSY%a!tn1o->-!YLDm<#R7*De@+pYj#|x$fZxv1%|9Z;_3esD$rH z?gg4ChjPU_K2RLj|K_<`b8S7Y2=(p5o^@8p%xbDlEt{dB=4xw;30x0X3<7i2Z2$)6 z58KW~Cr1kJI3(7u%&z!NYypLu*7i7+p&Lk$h~nS}h?05Y$;h70M~>oYqGIP3ty4cb z-1MkAD*F%uq4bn6N|^1Fa%94$qv(O4hxUQ-+=8k#4 zMh&XH0ycrZ8b@%o8G!9x8}AQ3MM_odD@XT8bngx{(`Squa89qR`YJa@w!6$MBe zHR2s2vAGHvT+)717FSwaBi8GNCjB4|wg)`X?&7Ntb#WzTiQcD$l=bZhz72;V*{pn= z1k-D_`C`xW_M0|WsvDR2b|}0?$E4NMO0EL$cwn40xJmj*b+##w?p2;uF986PoSs(i^(l01%!$`&6>?Y_>S5spOqC{86IW_6l zdEnE@CM-lO{UoI5M9Qdyv4_ppVT*NRrKUx#&QQ&tZQHt0Wq{QQpR&ozuet#0}W zOIt+;n-2gMbi|6EyWI!_Tu!ugY~h=b(nsDaNc2-FksvMW^Q-W4d56RpY*xxLz6{+h zqxLEv)0Y&1tjwt5pZsys5AJqWSHi+HpaANO#bDovW`6H?5{wl=E6SNZmJ#z2vG(|L zqUw>!CC9WboJHcz$4)QW)-1kd{y*%!2~<3>o!J zTH8QuY0Rk_1!{ zHxqKwvt09|w{U7pY`m(=sNCwNZ$JY=1K{pkgDm%E zQ6|?Wo2zVcUQ(l7&XP0Nxcq#x4Bfnbl~7gj;V;8^d?-Adg17j70qt@xYfN`D z&&Qz2I}qn(c5#5dS9w>MMm%)%Ove>thQ z*YA^118T0b^lW~zZu+F#yei>@1>G%DBv90N8FkS{1yuRumE85ZrPvY>JEKNrs#p;$ zJIuAbK}$gt_?q%RcjaMUM5687&8y8z9HA{;x@jMd8v;%xcWlZ)$eW=ct2|7cBS~G+`^q@=*&;t@@90tL1b7UC1mla(n}@ewK-oIA2GR zQkTTnLnN)-q;LGoI`QxH^8ZE(*vt{mVXkIMM%?7EDn{ptT$8wq^0WOJfAVOR4sGeN z@&@d~e}k^%V3_2w3Z(k_+Frc(>`{goLaLJYpc-bY#V@5aY}^t@ZFFzxn!;I-djSD` ze%_$hegN52kS)aFReUPFRnz$PSm83}yW;yuhBF4;5RQkLBYj99f#Do@0obizxR@Bq zpu@FS=%PvRLm?A@N2Pv=vly!7tE-J{Z-eBa&iuD(`jc&RUtOB98{uH{F2}^!$PdNk zop*3)Ya-7XBJ4)S!Anirbqr*!J=DEd2-OY%0m4 z=r*7|VsdA){6(b*-oyk3kW_tom@~_Ws1X;)qf$N|3{K2{m2g?=HW8jXL1+t{r+@{3B0sw~$Yd zU@)PR@kwv5-u`)r)_ueN`W`Q(@D=y3K{sB2XTDHG`X0~2m*GFq>$$(@pMUz(3eUet zc>L`XKL9c&_3!Z<{X0$O|9YAq<^D%Oo>Wst>uyKkAFQrFqKj8Bf75TQuKny;19{bs z4*2h>@GRc{7T?x$OSDI)h}V0B=ZD1Kd3a8rmir>XEk%6)_{B4LyT{gkcsbbh@*CTm z47F*S#i+y%W1RSRuI#Xm!(40aSe8<=)01wcF#^_Hg%lw8mgm0!u>K+N%)hv%xl5mV z{a5kHZSn6j!JlO&3VM4wn{RC^G80B@vz^bE{Dzu=m%H=Eb}8*Q|2TOztzIg^Xglz-9I-LA6=+okTz}gCy!`YdjM%BtkV@E_(|WX zI&8E?^`Z#UP68pL3iMLmX){ zIh84_kQ-n%f2UY_(R94jO6Zi4kmBCQpN~D`DjuJJ|>$moJ2Ov_iL{X>o8T^Oj1Hwf+z`Rgoaal{#gg~s@EL%3HqFtvd z8u5!Y85Sd??`@f)t9}8(rF((QL@Cgg)>y@<{e zGUFBI{kRCnLLcWYIAO*oIs<%N8Y1GBwJQpsnS#zbAMSSrc`w_w@CTtADy_nDoO_-j z__P&373h_UmqZ6FFYpBMtxxqU6x$dE_5q|{@Qvp+udvmeufSHGRw-ctO)I*cbo*$I z5BD8Lv(J?@aDS|?sD!kh9Vg5A7}OQM<2Rn4k+$Qm79YTZYCVBt-h#*2au=qlH+*}G zerS+8uQKa-Num*rU&-^nIUAtA1~x`9IXN;&{*jXdx^Bptnw6njkv1-Ya{Ho)ALlAR zm@pIGOI{oLK1}gO=cNYQX7Uvg;2Tm&Gh+_9_}R5<>y5Rw{%l;!7~{v)rllK&Deoi7 z8W8yiW|q!j%0TKxX|v*or`(Tap!k3Cylv<-7;>vr@jX_hO0jyO4}tycq!>mHifIKZ zP_FM@m-cw4kxASQg(fPC~nH$JS_kFIojz`M3T5xCNaY@mER}* z5-28{Kt#Kl+(`#hz@kY$$!eR4fA4$#6G!TFp)=GQcYnXc4cLZ1SGZA!Q7lnHwwWNZ z3qOmev$oWjsXDdp#@q$;Q<60Uv+?}b%|qr|mbn@ZAQ*(taM#ZijduWp`u2Yr;<`!Uh4<6OnvU#fDE+}C zL~6OfcLSDOTc481qa`XuC8cv<+0jTiZSiu**cFFjxAKz>IkJR?oN2+#y2rnG<%c`B zJVxy}>Xmid+_NnKHzGYEeC#SR!t19E37*tmjL_q|mfkH!b3x2<laQ53YW#2;7Ee ze9C#dviO$NeB#q(5QP7siTP67q7A899}mU7-w=9iOl7$suByoKO3)O0seO^UL;Pe@ zJ@VHS(CfAw$U^9K{)E@n`XyE(d<_OXd@}`a4wUwKKe{3AWyQ`1ymy0B`@>9`{%P5$ ztfN^~AcRiu7aCYc`{*f9U{HFL*|2!}^xo0l^q}$eE~-gTp*6ugEt+2Art=OGb$1-` zsk+#YQU`aFt=mx_SGw?nPg8XTcFF=HXsZe*u$x$E$?JyVDMwe`9boC773ndq&kz1) z_np#(U}~bC1xs@>kMFb9QE4360*MPtI#Yn$h}8s#8=rb7$0rZGAPKI%c;J zx-$QvDtGgJ1r}6?vNSVC_ehW_ifu&r6}bP`WrD`aX5mB~NXQMBYV7`b)1Q*z9XN-V zgP>DDWBhEl@~p;ubn4X#jZ&!q6NtjSN5>Oq>u4&ODlr!1x^Eg0{DsJ-n-{^$(Ahv~ zCW&^UR7Qa4eaz(Uaym}Z%J1%aQshJ#iv9j6OOoVOGmxQ<&1JW>OYC>-)|D!KEWl%W zoN?Sf@(HqeP+Q@cJP$N7_qd3v9vM-heBw&P`rooPY0=wOx!kOckm=wXF%K86^wN=oAKl#0P3WHFdgInn zCSK6|o0EWMEG=M0;DKTuABtA%PGlNI)z&OTDGt+c7ZeQ)`shAll%VbSJ~(9>P8

r-nW7){0oL!!jUCU@0KryE z`-;^!4t^}c-f8ed>C#5h#g+EHm}>sbfv5abH*%U6t~BdW=(^GOPW+W&n$<>bXn@s| zXRk-GztXJT=s93BT&XrDqFxeO4O}=&Z0Tj+TCUoZYnP`C zv|_HCU>tGKATodg>XO(i4!prR^ATYWd9~|vDeT5ii8dtuc4BX$FBl&ez~08&u)Bn! zJI!rY8R{OUHzCB)yz8)K#E>FTv97V1@2!BhzpaPiTDpzf^B*r#4$Vg07cMCXD~vgh zdhe~H)21?TNPF5qHn4ArgVjd^KCPMfGwT+;KEfglJ&bL;^A0W0jmqaJk_?HX2wlR`H zCJ^U~ZZR604FXf@f+XO$ZDSE!RQIYo+zQARsY%-poS;s4j4ql-+UQD=`}17R#!$xY zOT_VJ5>?u=oB~cpnB``O8O0@cJQt2Xx#8fKm-{Nt&$O5Yvi9EH;8t_t`d@GolUsd7 zA}S8<;2e!one6d$QGhVe{(iO8@s99f8HeeT7HDokD_1RS4w57^MFqktZS$T`d)0Rw zRf+loCZt6(Kqt90Y9|oDet75BBLY^lVb>MG@|_(hL7sL8PPb&}rtE4CFji(Tn%mV~ zK`A(+ra4Y(Yq6Hw)Uy6q;*07=O_=~dvQ$sYH^POsCL{pl< zspGY>4%gVF^DD;0i}t+1zdHF?DICa|F64$dQA{c&3zzrJuo3H}5!)LBAc6n`&?e2H zXYP@4jw`)PG`~e}u+x6vyol*sWPvFK>C=xtaHV{~>HcPgrOA6Mi3Wf>$dIqbAl~$g z6b4&ppKtfF@$c7~xzW;)fd#wDb9WA799I*;41dS{AR5hw`u50 zpcQWJUpLioadNsNQq{0H{yaPSdzxQhGsNJgW)?x<%~-zT(Z4c9HLT- zpocVxnv&bSMz5=4PI)MJ2~PH326!^%yRqv_2-+vx!B3`XsfyKt! zsQi>{?rtG|>I5qRMMxdjj;?yB9igWy2h~Lx>)hk|3yEixoQOeDhip+`RSC|e2TVJN~1EsUeOKzOR#9F@)$F4Q@t6KDtNWWYpmFi5U!AXH`6yNNEu}PO z;f$>75zHy&bXo(+G1{kJ1;BF$`Nv9MP!cZBf{P%}V#i{7kl`cC&%1Qw6-7k-vP8Y^ z9=Kh^=7x&n_Y{iK;!t=>aoMNS;<*#lOI@A!QiE^a2u`27 zj97VE7AdQ*?pKPaS+1Mq4+IQ2bM@#qp&XXR`QxY@qj@NF%3u8x~yL)=qF7pJ}}tMw!9gPh$ZjAa7U#R}~55ww>*f ztk<@l{V7uwQJ!={*$$ zqr4C{QUit+&YIe9s)J@`h1=!d@IC9Oi_^N zKdfsf$~zVYRlV#J9zK}P;CR6Azrb*w4!n{?`L)EknX=7vI>0a+70H|a)=MmxUW`O; zal;-?N;$oGy#h$|dfEC1d#~&*F7KGaokimcGy8A`PWFoNM)-Ayn$fKm`KI&=I`ZDxCp)+G5gQ zF$hb#d?0^>H*DEutMP}AsQ{x*f(MI@QhtwW1_e!g0gSklV8W=g1^r=jei*_~9sc@r z3`9X&NLLeWS>d2|=9nh)?8bbxk4ju(1f=L3`BMd82h^+x!`8vxYsN3C6Csi>%TI)A zDGUtrelkwCdK8!IoEW{1$+$*@t4j6<%g5R)eKhl>GDG{w0{|o9wHJ@RG^-7p{QO68 zQ~mU9okyLF^T;(3uND!xbWGhPdun%CH}drTXY{zMX@fzcZ-839<@Z;$n#j5FBx4}8 zA<5|;+B+z`!9XG?w{q{Z%}IJ#Oem>-^Y5=2LyHO zAJ!*}$#;ldFAlmTnwmigOZooI;bXJfw;RHfCkw=Ed@h>`nLqO`30vBTR?|1yih7$!@q%`}x-I&QY31CRbe{8!5 zd3iO;`_`;mT29D{i%4>%r$Y6+!`7pQZ{b zHfPcDzZ*n{|9VqV`=uW|P|vV)HP1ZY6pYNqT`TlF7P=voq95U&q4P@Wr5D3sPMiGe z6vw@j4QB)w`LQqbv&Y(dSkk@LDYsrbCP05-!yUF?J~%#+?-{M-Z^up(y^ zh1HlNblR!A{`&e6E;}W4q^gAAWXZ1IPPUS2RI%L>Kzg%WjA@wb5Yf1?4Ru#Jym?;h)X|x_`{%NnZ&FEQi6gXp!1!}kBB`L}>0o1FcbdLAU#?Atg6v@T zro+Z|1+@nQZSly}^TV86-xai!MBN`JcSCd!UBAgg@n6NFF4k#A;iKllt+6f1Z*cu3 z>sKZ}AlG-w)MjHj3?NReF43x&w9Z^7!escTLn<}fE}Ev^QG|`jxzmt2T)e~fGx3Wx zon=AMJ!^iz6WIFxXUE&uCCxeO3QJ#4G+n)aKt(}So?2}u+8`dbdX)OgRhmU@iRk&Y z^e=c+D*r(|T58KNwnJSo0kYj%jK=G1nScgz(xk%qk|gMk1_(GaUTRUY+H zynIU9!mmx}N=oEYcBbKd*ZOOk>l;RkU(AuyC%3Xb+&3EuZeRCB$#^wu0D?guITeM0 zx#eL%+M8@MuLN@=MPmy?BmO~7)p)d;NAxq?1`n@M%+s+J_Y8x$b3>Kp?iHMR3B-nt z#{Hj7=Vy37ARowLv;f=san{nOXEVjRfJ;DDIxs42D?%#=KE|!v=)6+*mmYB5&Ry!h z>X;p74R>efW@YNkoYEDSBu2OL8sn*n5#<-M-dp|<<)h6&w1Q7Rltbb&ft9gw>R$6C z=O_F2&)TY}y=_9dsM_gpe|--(BQZ=z)=-=B>8rQtnA)o!<|Jz>V|gD=leK1HH|PCV zUdfF1$&QMd7CVV8zBEw6AIp#q=Hb!Jbw;+VD<5v3=`pL3y#$RVzPcCbbaOIjawD_^ zY2S8VpdM~=USmBi^TqF;Q8VHiBH0w1jYV2jKykzCV8y(1z!w%dK&EtxgIt9PkQf36 z!AyP`LR$c8s=EyhlppchXOvCE+$kd~WAC1w`iS9kE2y__wvt>7V5X|m&g&K4xAg@Y ze!oR6gL=g8vgiq8(uS6EzXd(hy~;3;`g&iK+GuYgm)4_MD`@A)&^K9H315t-!p#v` z_Z~K7TZ2r1Iyv8XFyR_Tf%^H0>?EDF48L~8z$YcvHA0ikoZVV;ETf+$zy_@xc4lGj z42H-C@`;!}(RJ48hUN$XT%s zo40D|C!`r10(pB?7SNNG^q?7+O3}F7({{V4xN4p zVrsd|OzUgBv#qdlKwQGvI4TAByitfOK@92N6?m*u0#TgBel|gk@T|OpUlc+wB zB1=gC32%`P+9kz`C9kJI%Zg^&PwTQ{xHv0Cc9HXw@tO}6jL7VAc1iggBwTd6$wt~T zO6lPYRA)NSou~l$;GtAlTd1Po>^uy7=Ap(oK$-=&=Ww(qj+``Vy5#a4Gwf)_&IpI( zAM=1?8q)!pfCDV#W5&kO;-~YDtt;D;Dh7i`7PS+6e9?dMKy)qscsv}Ad$L@7?>X*x zxr>A&1UnJm%0IIfppgE}_WU2ler842K}Pm(T)PX(&qPw`^S?f;7b_B~LaA0HS=fG6 zO8ldAmV`PEZ?H`QT9g|Gx~^u}>fTeCfzkA%RpR(DFU3!?^*y8df(iYTO~rHL`#SX& z_W+>T4sjDvMeVu<(f2&keaoj}n1yT+^=F4MN^+ z@Tqa3G&Gd^{F5OkpwBhM*xXzf?;{jG$!A_TgKjhsxdmUYyyI75;&Ci_*U}N<#94HY zh&+?D;)yw5?MQtozBn{u^UHAsI9V<_p~@iZb@tmft7R2dG{wk&B<|E1$y>(_<3#VC z|C!;f(PY86Bo_43F z(@an#HyDghIH$;pkB2Zi`^G~hnsU((KmkTccKGOXU5i$_SQdNyy)60Ih{!loB7SPH zOleGm0=F@=;FBHe&IU9sre!GgQKa=t;ijJ$Y8?(?MV^>jrh78@QN_r(dh%i6)4>kj zuMK`2tF1YP{Tm#s$C>ctzu0{xaCHj*f4eW_f3^EUjhDUz0`xsRBJ}ld=H0j7l<(Hc zUR7nZqFv-iIUUOy6`gC|Jrmup1iY-atdl-oFdC=eg-lQU@?%yhGR7z+?)`wv#WSJQ zwLrb-X(T7f1pAcmrW-X*0<@aJB^7egD!AZoE}r{;(~CB*5LG6#S z&E3i4frK+T#PXi<>3xwix%Nj-3apZN-%HisgFnGeq)jg1-F2 z)ZX`IX@898+;p}n5h1NTWzyT$OJt8o9{R=)Cni!#uipb8B1(l!;gCcmzALm3aqnFK z3_;B7SY&0uay(BfcHYE}C3$_|g*LDDUAN7)2t8X=lN~JFQ1T}a!V2&w&s$rs#MN93 z(;2=fSLU5v7@~V&J`tmE3MN@ya$IuN*Dwl-b$IRAwEMWqAv~xii5y%n zfKoa(&99GZO+7UhF8ym8UPh)xNq78QKkytm>0?XM-)@?Mp5YgW#d++OH2l zjUoYHFlU26l0C|agwMQuCKk*-ayLRylfk4DPc?;aKPEARGVueo`>|hsGiSpD<*P$t_$8+5T7E33 zGz=^-_CW5}#a@&O6jq&AhLE8d1Ps*IBta{1e7qgmB$-85>0UFCAeR#E756o6szptM!~JTey^tRRqZMaaJM${tw`_qGe=5j+kmQf zyT4pD>akV5=Jf3RuC=Qw^c^xx^pxpx;NF9u-)VS-l)bBiwG0pAlj_{x&!Q_n0cXV% z#^+u*q~xYwJXbvTe4^Ejx~j)NGw(C`$&3-bh3y{sWN~3CnUepue)BgzuGhlzANkoL z-xpk_gLf6f$1@F+tg3@B)pJIalKe5rOZuVR>$}t820rl``w9PiL z8I09oYsB1rt8&kP2HfDnH?cUI1s5j=`mpm!-+sf@K^CBe44BjvlL>BM?y7wI8$rkL z?(bN|ni4Ku<~HAWjBUjskcOs?S3DcL>NJ2R^xyR^V+m=65#p=rqOhlwU=q=VcFi6X zc{#{Sfe=4Oyu6YA)dE;}$v}uT@DA!Tv#nn8V?bO6S7j%9rqVpzB-psOm(T!+PpbbL zY=l?2avkjQk$Hq9%~#E-MkgjSG^#!N-OF;HB2yUVIr)n0mXlc$1V;ET@Ip|uCx_K+$Si|^O^|(EjZHzxw zEZD z?ahs^CmnYe5sP~dpYO8QgImUPzr&}<1EddH*^AJPn!QWEd_bicdXCO11?1-x(W-`w zcaR=#E-T(rTaq{T{x_`xJpWN0ksd<&gs(cMJ_YzlgdDSH)~pF8lKL_)Ct2kMjim$2 zMw{5ieOFN?GK93;YHbbrreJrOm8}0;K6>K?Z1FKS7&Lv~GvM>`xW3!n<}4HS_@|){ zYV-}id1&_3hu{Pj?y3p}6wZ|sKKBh@LU|`jvb&1mUS;u&8#P?DWxikHMucXF`O7Zz z6}P<)r8MQ_tBMau-e?c9Fh9|K+|Z#<_>AH+G}V{DrjwHQ(My>RJHKuc@@TCQ8{UG;olu<7T?+U3-m1YD=$d_bkhs&7PT=gs zej=#%h%9XGV1{;U6m?)b6Rk;}GV?c0f*+)})(g*mNJ?IAOm4kBpRd7XrskFbZ?w;; zn)zg7ivzXmBj*ZEHs2f|c)%Xa8g~bL?hNg|!qNVV_P9srI*KUs$=&U|GR8o|NVE9V z3*2zD0UHcO6?XM zzVTl8FWRqY{V;{_gFFAlP39eF-$20hlGh&itEOz=EI=%L3lG(mxujff$W^y#t* z#_4nJ(;2rutU*=has*hyv`OE@p9r_ACYM)+y6u)oezd68cQE&Feew@BPy9M1t!5z} z{n0ibW*U9^w5O&B`2F|kZNIkPT2c6B5S)AP%0O4{kb|2bhBx|lYaD&*oxe3-^hwC) z`Q6{SmXL#?W0k?`4oVcIB^!MZk~KzAf(>sB-E>;pm5R3DplKnprO-@&gF>uFsgr(ld(7$l!VpvLL%V$mMzHhQbb5I`^}ux9=EP%%wZsaG^#Cl0 zp;FT0%(o3Y`U7;{DbI-zVrdiJqv4~}%LR@Dc-r{h3m5ZMZk#3D6?UhmhaZ8gl zd`freoJjqHno5i1DeVk+Mth;h*a-|Cmm<O(TdVpi(g*BJuID*6@1SJ-yN^viaKYA62+rMWUKY<&$JLl;%F4Xc^1+ z7#{XUn+Z;I>|=ls63PnnEJNO{A z(Xn!nR(T$-mrQe%x7zw8EgGg*@k=h8mkB?cHTv;=)^eUH0}gv>nk}AAFUZhvWnD#B z7f_c&eeS-_CAsBqNudbw$#A6}j#p+SfBJmGsQrfkl>uy*Q&?D@TW-KPD3-77p+^k# zF+BaT!Y`>O+_)}I$;|C?=;DV2BTyg47Z!JW?bDnb>0u96fuFQ(YuMO4D;4kx?QIQ% zz?OMk4lfF70Dq%eiWJy2D2g~;>R1mJ?3ApUA><(v$doCs+0oo7|FPF3d0M@U5<4fj zz!?D=DTs~GcxaS|FSoB?lg;(w{nJd~#IH#}KH|yvRJHz{Q%{*pdW*3nVGXQzOCfbmiV5yFsjhE(;b&p(eyzU1SnyDWxUPw6IG zImy)j#Vu!-Pg?~S~7Ku#Z&TNtY^kq>>xwy zIw^=TKEYgNtpe%c`0|SCsc^IwVE1u=8#aNrK&LS$50Nq7U0`F-D3Zonx31a@+TFEe z5=N#psz9%FP15z@cR31)a)zWC5~|h4)}cVUgcXnH#|Xj@;~9E>4N+2|U3h-C4s^J- z#m@_g5_$Yudxb`n=o^xqS@UovH%uUgI~ z9WUhK*T2Y_b8H<$$21n}JR&MlsbVqtLT8T2rVN&f<*g#$rH_RD9Ihe5weP;f;Y_{I zY%{NVuhS8Dk^knv%G1O(`;kSYlZHVU<@Kk%DU7$pb4$05$9h|`B%(5%*(hN^RB&UK zN+rlRGO|Gv{4EhKa4Mg4zA)F$m5zAe$ri?$E-t|a{8E&Fbe04+W1xI(=#9;!Nz_#N z>_>ExcB2_s&78jJIh*oHUJ^1pQ%#e0{7|knl(jzEdkNY4*wG`4V)ad*8jM&HR_Z+VP+Its&N&TEpevGmQ{os`qx0A&9B^1kyQ93-^ASPj zq`AE7i~#k%cU|c#j1qk^<#v3QiHoqa$0&{d^f~dmm5-Pc+TUJEYba*K1@%J1KneB% zmVPx@p=r+{rS7Xd6wIK+UazNNAbsStzj@EpG3kNqQtQm)@en71 zsk9PMu~b^Oq#*-Ne6k+U1tNeN*oLFzJ~NdFDl8KVaz-Up?N8g(+7+2l43aJGcd$Pz zE1N09F-W!DaUZ0s+h{#eq_^F2*DwR3kZU3{rb%D5wNX(vFBO^2bc$&4857Uz9u(WE z?io)w4G^*AvLT`M7U;5ZguZ7YV70{aZhw_cxnU+uZ`V!PFy(c$5uy;=o!!qOUU5dJ zeJZQh1Jiu0sBd1OY;u3E_YPVod2f}Nu%vn%Z40w+uAMgVk%oEi8&o!yLOmkNN)T=C zRqR27{q=tQB{;VAaR=l{uFV7F`z1>`qGWf35yAsd>N_3OEOK{3ja@}eD}hXx-V6&{ zq)ks}+mKnSi~-_L0;jzj*xrO^rIooDGavQqPuUFO1;Y|$kYgm@zR-Qo%@!?UzPaA4 zwPz2lci$lEi-P~o^~Op+BTwpcqxz~;ncNlX^Qo$VisF2WOfl*+?WS+i)7FVtwc#@- zKE)9g3b)(d)~a0KOB817){wQX7}x4Mpg&b*IQYt1@MXApTYG z(}8}gi~;ExtlZW|Q{un_DCb0!m9vuzSW>e|**P(|s#ajb(jHSJ2j-iWA|^nVYaCQc zBN{>;xW%ZSB-VGc_vTBrqc&)lVhl&wGwKJkLq9!5Ub6FIS4k9lnNfBXh$aa*B8jmt zQFDK5Ysk*sDxb?+7SxlXAj9n7uIZ69rV!)BJI?@|b&^i00yo#MaJ6oAcR_}tzcwJd zTOw>4;72j-LkWH5TJiLblwyz52TsAc#=~JzOi6i_4^5RJP@{^JzQ@cDHpK$_pzfh3 zn5VP@dptvU%fbCjfH;WD9@rnx^ffE7_ z^NVkSRfRYT9IE?#)atU$hitvChvkQFveSPh?BSAL2=}~wc-B?CLlvL0H-kK2IY{T> zV{ET1KjB<&njY^EP->Qg$B%@I-r;*XAR6ctdQ*ju!7tAky4%w4sF`bhqhgbiFj{Hi zQ6LEVO_1pwzyfO4F=PjukQqxGO5n-j(q_3NeW%GG^Rn+|GmLfD!2znyH#;eH2c+(u z8;o4h$!VguN}sghwDBO*2ToRnPA68TAFZD&7Z3l?2wY6I<7$33MN6DQOzM%R+k{3k zq+sbp|IpKhxt6l{a=CQZK6SaYJ#xdh!+GcOLIi0e8N$fJRvU5(`T33Fgq#u~YR_MV zf3e!5uQ};h!1jDbLz^>S#EqW6B!0gjKk~%crm8x`$i^?^I5NiQVt4xrcrMEY;3C;|1;V37Jb*;1d zM4zJ@oz+nKMymEl2C}O+KUA0yrP$;e?J-3D-~(2=Sko@bYkZjPnT7PY0yjD1O_O;G z(kBkoL_VgTUyBKb_AgxyIU7y!HLQfib!gCb$;I+|ibR+jy}_eo<6}S*iw#J0ZxkxH zd7oVl921Lwt$wixGJhnj%6o!LPB<1`;Qt0=%{llbKB+=G$0%t;tpvNOw1ngwmArAw z{?cqWGto-cW=9yjpe7xUA?w?X?cXaMWfa5*RV=afRl}4~SE#F)f4HUxTN^BASxJdyN!;u^GRjaV>+B6&EwH*7>6xAeC9}_=Yf^15PH?h*;Xtw=` z%FBg2cm{@DvJ&5sfU#!6+%=$=){?bFlub9z0=qzl?9K>_ygsW!#KR+=E?AqJ~ef!Enb8Y2x_3ftNh*q_I_l4S2?GRa1b=EX?gf_oLT12;Cf z?3YPKf+*zK%c z5mj`>4d#Q)rYs^>4u!Ub8N=QZqHDTxj9l(?P$NK}Tol~ZZ+7(}(uI8j9$PhG`bQWv z{rZo|hK3#<1~DpwrA(Px6@U&%VQ*M@S7C=)WU{M4*mLvboEVzV3?rdBS zG{>6zY}>5gG_w&QC4{40f?{*wu(3+q1yVYfQ2SD(&OP0g89zK$i4P-8hCqs3s%=g1 z>dKUw{Bk{gK&G0Ewe$O{Vels(+873^;t0}Wi+T$dPs7-%yd~_~ zYn^(Y3Z3h-{m$Tm2-flHZ{}`Jd6eZA-1(A#O3B|VL3oog&+Vs3RKYo|60~RwG^D&^&npL3&c2KqYVglM zoJj^v$AEy*Iq6+w?0k~aC_Sv(GwE?k%<(IZj_4b&&ftcn8#wh>u$+1qEyQ5AaLM2v zR=hT6@hzwLj?tw{LW4J=X6h5Fn>KqyA8byh3e?|REI>cvx%O|!t^7wVVDTJ#^bgV| zcV)%z%BSy%^FEdwaCE@l!$U!H(@hXl5Z+WqEa>1fC z`Z|VjI>Y?MvyjR1-wA9t7EK(h0&=4C{*PZv8`$P_EN62!pFA@= z83Qp>i}!?5556gBYi*mc%#;yMEpa9H!=$9oQ;`)(8qXeRjGd_YYVG;FVM&jyvw?E~NH>bcr@*v8`VPv? zQM%tCCMJ3+LTH-t;tb9)rmr4%bd2p9BBYd+93%mXFB;_IaI=yO@? z2(^ZpY>7bMnU3F-FVA%mmP=+n2YIT^#3`l7s0iaIQc2k6z)R9Yt*aNUl4tFQQQ#MG zhWC@3?yD`{_gLa791j&uV+H@?Z=7^*A*FyDmU|uZR6aa4GgJ+5RrhN6Lri#B<=r4B zVJI){hv_#`fg-p8Jm?A)cNPs`Fl6cKc~+BMNx-k13ET8zzu><|0oEay=COAZpJi` zmKx3Eo!m1vQ-n;tvo_4SVEEW~+Q&KTW@AE|t0>=M)-OCa9RCfwq5o63@4q%Cz4i}w zJQInb7xG9PA5;NQsy=z_X`5SRReW!1HE?D_INODga{TsZu1L*+!D-prnW;FS_*~N* zn6)`YSa$mLvHAU(Oi#_Rj3E21%}!#f$1E;u?ZCG?u;#_fa`mnLdQPQ6PoAAY)=J^L zigM_wDUpm&+$y02K1mz>Ap1V0 z4k~KwKd@Bu(3RhyT>D%GPD0{Sw9c`oJRt%v_oTCz4yg|DHX%>{8X8}6 zG**e&8*c|4w(2rejD(1`~v-a|L` zbrbaS5Gk{y+*~x_c_Y6GAV-)y1SCpH_0;IKG}1`&7*4sBT#8woT&QX%C}>LN=kO$` z%Jj;`hbIGkBz4i~XbK2Rjvw*@I^chWudFAlBR?OC?qMEIKkNr1Wcb?HPY_&vYU4X# zKmttqBdcGAe@bl|b@z`dC9Ck9b4P5i#+yiLtl5}%=G`#H&t+qhK}PoXOYh_irzDFF zr)KyiM~dzWW-LwTD!vK&gsy70Rf#w=9=?>ocRI+^Tz;?-RCFw>OlXlmyNOMgVBVol zp%TvV3%RAkyzbe7t?m5Ks8&;o^%^@DuTyLme5?`BDnUCx>=)i$HX}V2AHNSJCP-uU z4VD^MlOo_%VH7UnaINEUwNZ6ySJTnmKOV3Dp}yI3XGiP$tIzZ2WA0aZD{Cw@KT{uz z(}<8>Yb-(6gC1B%mM~ZH;`%fB+n~eHeJpgdPk8&I?#tOfd8%0WlH<$B$owvyoF5xU zy}Fr0@N9EO*}78r-GCUa1i(rs-0T#}vSc<>n4@A?w{UnR{H|Wm*Wjw}?|qwtM%Vh$ zdu&#o?mJwvq{YICqXr8FjaU?T@aiM|5486h)+O}s(iQW>w>EN&6Wbb(tsku8LDv6Y zd+!<5)Vj3|v$quy+zCYiK?M>zO6XOAP!b4`0tf*V2w(yM=>npA)1(V2^dcpY(4|+| zA_Ae8(2F9V0)k3au)I0vJnuedyyF}1_@3_@=f@f2`IR-+y)y5)<~_64omsBSN<{vp zYq-(ZbLt+*EI6{6RR~Xx=(96oLqHcOdBUkD{5C#V;rH9Q`+Z+IYadJ4uuSzixX8vX zCVzCk=nHB{MdzYtmWq=3cE9_loNsQ(qEE=U!^@g+In%pRiJB~{il)S8%h1m>yob!) zSczH{K`#jCgKgTGfMEv8OLLR@O4j!9+Xer_ssf%pn47F(QKhr`;dz){j*o0q!ftdw zP|ZbdGvwnjBkp!!@tXf^kI54?g3NRdC}tj&ceK#7as*dl$U7Zh%j8Rgco;`QBS3E& zMZ*_uU>NtIc6xjT=8#V&9@gk6W54d{NNISZC0x9n`_4_?Tu|4$^5LE(BPA&NyX5Y_;XS=D$wmVW5L2 zB)+0n++VBCNbH2eD2)&!qhN{G{im|H7REvz@`ziQmk!d}cI)&AC(IwKN=!LoE!4-5 zf|IE2X1LZG8!XtoX*NrbG0cI!YT!0pW$lLXmMKfnu_#01uf9-n%QyEb*zxYwB@rA~ zl^g8L{PcyvSUnJQEk&yOyUv!m)>Y)~1$WKK5`SAC+(G47{n04@&;_dcS5$~;vya0L zvuZktvRoy>`)lRFme%EsRMTr7q#QZp$7s@rlLxfHq=xM#d!IC6MXq6f~vg}Bw?unio*yczQZ;yv&2v}4F#3(C#ARuW=4kUxI8QrU!I5?>U7*If$Znb z=>ERBMtPPo-ePE7f?j>IJU904I=g>AcxJd(<5R=C6WM%tzaS~gtp(td>78|Qigo^M zlHI4WPdH|5q=rawHZ}orh}t2b&z8^lz+oT6uGoKC-YmbHwT0$Kr0~W(Z-O&7r|EW83kH6Av6m+|TTS!e1ZSZ?RJEcvmsRDy zR?kP7D)?tzm0D7*C_+&p=-0^bhLm>YMY}uS9Ul|KqO3onj61NqeW~$^|+d=&LNRivgY=tNc9_|CP)23m<~U7 z-H#KzW+G<6DJV5k>n{@!Z&x#*e>&PA*Ahwv?zt2&zo% zNI&cb!euF!OZZra!m)vqlG z*xTxSsH=FeYv>mZGS{`vC2iT;+~4-t7pJLjFik>&iYGRJh6bef&LsjwJyg!)#ZFi7 zOnzv#m}wSLdJ6N%(Wj0^Wyqpj>Kg5R^gNy&6>iQ!KsUw(7&3*w7V_}c9ju|nHIKY4 zoQ12pK#Cc$cUG<#k1{)vjG~ohOLs)c!kEBnKxS8Hc-0vyvUsA*GB*IxGyuj%LEykg z5>@hGV?!s1z-W0|PxC^ocX>78p-;y1CbE^xCV+A64X=;n%f@@9N=1#je3Kw6+-`)% zknauSDU!c&)j`$DbXO0TQKM|D?pJtGl6sLq3k%Z~E` zU0cr1BUK}15~~%aWJDRbps9gcIw2+(2|hc`fRoIdmYOp*kQL_A>O^VNJ1X)X-Su2e zBOeLec9~YQ5|v+bFwF|GLC+jE*J^3~t0ieB-i0O#8Be`d@8<|T*&+*bHU~SE4C8Pj96m??j|H_SbSv%JVOeZ@MEEGNlVi1bMX%BfxV{mD@vd-yZ}yz+j`75*{Onuljs z5p)WQJ^8K_&@}6i|74Oh?O_%rL76E^b&_~QrM%9JS`abFuQhR=rM~)FyUw~9rXZqg*5~Irm?3!5BfSq1 zJ+Hpa$pU!+^2B9ki<-i1G?;b0d6mi9=rm!u;pm%r4r{WyJI zkx1UICBW)Ov;veISaOs_utZJBMEO6DBD7lu+4F63KF;z9WDl|Zw#Pb|%1w0^GY5C^W_kQ17@l{eB?JaW3H7+smRsay+ z&KJx^Wx6oJM$e0sInsm13caQZ#xny0>@pBVEHQA_iAR}+diye7zKTeUfUIc!5B{bJK{{$;vOd@^sY4|4in_J8MXkQ8CO&zMbaeZ3gli1?; zrEYeUuPU`~A?_TV|46cbAt;(1G7x2pB< z2qV;5)tAzo3@I_5`uVWfF6ec;-jOVRHj91&}+2l-HGNA8Ad;?|%#R%@^&k zvU+7oZ?t|;`eDZ0AVvOV2FuYejVNwO)rkKL^sYDoUq^RXsYmNZ4WdITz#02fG!GN zJCrms$X2)~UzPJA<@H2$1HC$!%}g~{8C$p)-@Vw(PLpIV*rl2N0i3?QbZvQf(CLv& z)7Qadl8;GpVyO~L)eVl6m;57p{cUV2gKyrdFKvvdIZ^ecN@4Mf|1F!(UTa?t#P*oBDr8>lBvimkjRF((LIj2$X)sLnnas!DD@*Xxz2miDH`8@7E`nA* zV?E8s%2wg4osYbxPLC-D%!ek(W`AI*zPRH9n_q5ccW2*W%BYFV2CD!BZqd@R`#XnC z>!Z`-{l*=9v#_xu;ON=RDRlHKpIcqc5;2(U$XD#>>SowxT<^FFCt6r45Jqj@DSFS7 z)@o&xPpVxru~$mnhAVxj;4xZ&7$|X@bSA#dQ9{M;0ez3eO{m2OC#*Ieu8G z^68gH$}#V$Afj*PToSPtZ`M?39pWjD6x6nTW}jL1ux~tl3iKa z>mKS@Y!HDJps|?9kb>R=-~`JaC-Z)x4?_S|dF#0qX0}7*TlxDQ8R%Wv+G8ec&zs^x zlUFERN#k)UWzQ2YJP!KRWZN5d>&J~lp^t3xP^=E0e`VrNj?d2yKM`O3d}&^&y{Q4n`a^yXXb0UBPU5X*Mc8UXu?Y>UI>D2r(^feK zjVtIY)=$O)O=+y#tzy~D+9;>VELs#; z4pM2icd(Z0CN}l~XED+M1hq$_yVhEwsbXdAJj&D^nGvNd;#^K;dSTJxdR7kST~gb< z47khFgZSJ_5giv2v000xM9S3%FVJ+5M!iCr;?pX@MwMZ@@*3jWoWPz>si&1P86;ni z&W9^Gnr&BX+smZ@h!T6agy9Qm1xg`jWhgR7+^@`Rc$Nd7D*V#Q1D(*fKLIQNu>>LM zWy?fPe~LXq+9LqE)Jk4!PgET?eBf$V{L-%d7M%(&6uW2;E1aS@oe=IyRezIAA}HB{ z)N55fA_V~?lwi#Ns}Rb6U39t(+abI5aZ~%&d$_1uRgX=l4&?s?$xmwNS;}qdKeI>d zCjWTg|8ehx+7afD=4CVGyq%qrhji(V*&^=Yi{HF29^O|exxsN#mM#4M#%g2}_kV%Q zM|Ro#&L#3LWVG(bs}#E`gqe`v$#85bjJ{2yaf-oB2DWJuE%8&F=`n2uZemwuUvq2b z2i+fP^_m5p$#OLc54e}ad<@A)TaU4e5{Qh`xZyzl+*hB{Q|}xMD6I|L6_X&3bw*d@Zu+Pg z`X({WL7y9@AB%gF2*yG0Aw|!A!iBj=jrGq6C6?3)r*KN}!^I?oxSoPt$yaD;t*D2a z=jv9(O3W%01q?>Z_+b7T@Py7Bh^?S}I0SadTbxF|0H&hq7Z2+1SV~#XsrK1MzJSQo z<5t-e?l4sHV|F;fPc$(Du%Bvh;lk)6bCCdNqk8OzzH0@U>y?t&u*@j$pwqA>aKVEj zN2+Yb{FXZ7?g;bJp9aq5VHaz6x3mzJ?|q!5+nmPqgmyl>t8@EZH6z0Vz^3Sp{QbXN z;NSM~?}ONS$*A!X>PJZ^>ShU2`jR_^eUBwck>>h6YYOhwxWR^<0^_3bX&3#4kT%5` zLX;|=-0jC;H}^^3b7fWZ*3;E&WIBMup4WPgPmAX6cH2vE?m$Z?!BfTqAQJr2Od+YL zX;T+Zgn_n|NtSLNur2M|H}L}3{Y_QYm1-*Y&*V-R$&ypVn$NIl?$eTeg~6jYoZzTT zNno~if;2RE{rRNWXaABp$3k!kOwCOgo*WCjfJ)cPKeHT6Od**K^h=Pmaou%4Ic86I zikSB_5(a5ry-}e33|EcLRL`t6?fZ%*9q+yyb=nOMIVixoQ$&jV*Seq^XKYC=rr+Ig zHB8*dy?tQ8aHLVTR*THBxN+$K&SF+7o?L)u8gJHbgZUpVaaF#>VBwY7}nE8e2 zuu5)>U-X6D!1Msr&NsSgz4R_uPJt4lIk3y~gczn@%#ab^5C;KL&rM(0Ijr)uO+n1o6Xg7i zAhXu&s*YNE>xshV@V2amTE_Vk8nFm$KuD_}zLYZ4KqFj~<^yWE$Kg@7627nAA4lGn=RWj^Zb=qv0%;X(05^3~^3P9sN8mUUkSmVt+w z)+WOM>sjbZ#wkwAIkOXO^N%=-U>K_8{UBgAgrHma9I$e`(VRj+I5PYeeMD(0mI$Ag zcFpizU3kH4Nm-J%$(}AHby-QVVG&t01G!U5A{AKgZ87V{4JW+p4k($4iie4Wddnuh zQW59oE3;x}wh%Tm!1|HDlG~oHt3eT9f%8oj6=y7MMLf$LHfA z8M;0+PnMwekzwtXQ*aA6;@1ee@sXj)AUQC$AifM$Tg* zuYLBUl(4x8Ws6A5iw@YaaP4@vn2|D8W=_})-(1`up4tPL=S2=wQt2?XE^7g_9a_YE zA*)|NlX|<3R>%`l^YZ-)Yak%&Tehm2FS&xlT1_H^%y)ASrc+Q@#$3+JdWfKQ20-*j zp|jC&G|B!cc3O!V~d@t|?!d3?&l z-f>Kj?jq?uG1gtgw5Uy*c?VeXoOGjJ(8o0p&_ z0=uQ6WKbzgiob(;JBNN}xw-YlFb&ZNPrFu1%Ebf;mhxIf_&lqTz8@E047#ej1YFdg z-1(z^E?%99JKcM9PTZOI z5yVw8QRB*KF%(~}GGF}sfitU|+`_9lyQ@8)!Nx*sW+t!nXp09-Wb)x3b~^H^uo|Uz zfoBXtXCy^9BmZp=+rJC`w{_tBl4y``BOMz?54g#h(0opp(qUmYnQP3qltRxH(-umo z4gVnWo#*X=9rc^ya2?mDGqWdZ7HL{W#r{Eg&@{@KMUiLLCQVb31zV;P-jr z$6k4D)NW90ViHReBnxD9J4f(;L-e~L|707u+WN|^DYDn8XZ@TI>4R$TposxpPaA4D zTWM`k_LBpUFlXXldvij5bey8v$_(^2~^>V`JX3&yU!|Q4{hltS&no2md z$F?l8g3fIvAvYfgQ=>{71uH$@1H79Sysl`>Fp8N`jZW=P@)U!KqKW`6o#H)_!JTF; z{ovdJn|Ry|en!jetJAqow3PzDh z3WZ7^gl&upIvdx@ZvZzf12N6*Ot0B4p)b^Sx^1$jYjF{3UGC62)_iKcg8u5hKj zn3#lZopGhBIH*C}ain-lo@pk%G*5Knu~l|z?9OAD>rC0Sd$_freoO5{%4d;L<+Z+- zGNY{o<`5@w>`>F<$1SY0xc2MV*iku-q(XxHgcZ_X{yJ4qa=NtMS{B64{ERJJKRmOk z#_GD|yCviq12QWgahEy!zW3guCp8>}iONI~;H07qSBbE&a8HM<-~Xex27mt@oH>;i z$9}_fyR?O>1uh}jXeaK1o3rq- zthx(+6MC9m;?t54^wns=R*Z<`;E1N6ikkV-NW*_v`3Hi7_Wlg-nl<0|=h$ z$ElZW%DQc3PyJ{n4j(2?)`Q-8+n&DEA~ciefhJI)LfAYHf`9PphMUB;e)dm}#Bu)5 z&<+pyY=K-tpqXwDSM4*h?o^w0(}ggqa7rhe;i(~poskoH^)TLx5T~$t9-Vp=_$0FWI*hXC1O6ibXJcpLDag{$) z(GE1=`?~FdDVZy7S%qAMW^t#FQU&eNi^OjG;CE`uxU}SAR(Ho7mjTi1@H{FfI{S=49kKjD-$k? zOkE|`dy;j=X<{9uve`>5vVo)wk|{VD6^ z8k3#5msM4OFH88S#1T3>5u*39id6g*`_d_%yB*Y z)=+ntK4J8}2_LwiGX;xYohVl0r#0aS62NREfX(rP?Iok}J^{a*bIo>vNDWJbX`6kl#)X^LxtXy-6h>y=rGgm!bE33D^!B1?Ns zp+XAhRjrGeNrh&V3Uio;47Mwh#65|Mcfi^ZO-qL#4765y1pa|(Ufa2hsVp6c84=0w zD#lG$uRsc?GtR+q**>+NO~Pu~p?DDD+857-S7CE@VF*H@zrAv+*Re`6cVC&Am#pdC zUX}?+y+9mE!ra^JH2d!4N%s(mfVToX2HPvxMXU?>$kDvg>e%SzNHXy_lg(R68n1gw zW>>SB7@v2Yxlvp1JJ__5hLgY&N4Mb48xyw3={VNQ;gU=z;Vu);Y(3-T$S2<|`((2k zrMWC){GFQZ4E5@qyV~6qL#>jgrS05xkDZm9#R%a9y?M=5#uk>G(sI?7#a*uvGyShvZzS(-nc zpz7nm(DIn`%}Ri7+YhNbhRLUVgv1mop@2&lLM|S=*{-bcU8fDKrrK!V&S16vaTLI& z`02859t1C1;d1qFx)x$;g8(CxOgmMk1TibxEBBnUhvSolsR>AL1cT465K=mly!pZ~ z=S*82ljUw&0v45%`pwFIOL!ctx}BXCfJW7e zo3HQ4`#V%;6AfW`y6+j;A*OuMt6)YiMVr1Y^!QR{9)IznfkhPrGn<2&oSox-`b)_m zp`oPR(@|y0Tis|dA6M^NH=zK$yKnBd=@qQJvU%>5xP0pH#8s~Y z0}MM#Zu#1@dCh;r*-D?N8P;xF_7Xbl0=Uf#Mkie{G$@DELnVPnH97hj$yA?`l#64b7ebrqW#GMGpZpvc6zgc*#{p& zr8bOmvywRcn@-tR;b++=3L;PUpUwDOWbvkuVDuy+oBHTQk|CA z?I=M`%#i9AoX+jQ9upW>SmIV5uX~C8G~Yz)*2fYLNr|DT+)kKa?&uu}8ZHG;?N&(XLf+1pO0|JcXt##q^e?7mI&HPcr=x-WK9ky#JPi zqx8?e?)_Z4+&hs6ydB53OzY4>C7!;ij zx;?5wS3V_^KETfZX^_lOKc8AJv|VUYWV3e7!#_hf z_zBD9%D%{K0V?PU4zDdO4Pgcd0uDPfN1n=8=oV|4*KZy=G+P9WhxJm@i7)Y9f6b~b%#z}{$=OHhu?@- z*@#i>0XC4_k@(xLm2bd}pB#GZI~EiBAb0M`Uv~QM9Q^-_5F*5rHd@{}X-B6v6wcL6 ziTX$@nc_8Fm>{X|&htg77E{Rcm1^f{Pd5j@`Cj~nPyD+3#lt-5wTO=VV=wRJWd8=8 z=8hx-uFj$VYdhWb6c82(A?cmLhLU#~Ydz5n)y#);QK9Bcm= zjQGb4Tz_u;GX9UjQ>HF+SzlJp|1p28G@1 z1~vaNV;j%^sI&4v*7*>5JffXgiQNaFDZB(Dd z^&?J$fxR#5UyN_Le6p~2jS6YBFsqymqmGwS2?GRvl``jrw;2$)OHD$Lt)wptXGn&K zG56D{M50OYt=}%@c-eoJ{gicg);<%r+e?%c6IaemE)>%i6ur)hZiVL$H_cjc>aud0sFO4bQ-Y%A<3E`s+M*B=hGaReeHwNz-Uk!27aw=jOx#mZ^nw>O6q%U~ zR#0$qjPkl?+PvMiutGMfefPjUAGdKO#fgFkhsHTs=<{{Pwhg?`YVTM42sN1VlO&9t|#&*!ZnHSbTV`&;Xq0Hdgpt%$%X>vo9=D+lq%7tSoj9R=bL*i@tGl_Ui3|@h=9z&=ayv@`Z){(a!18FlelZ{WEu>-6*k>%BIZ{r ztr`JubRn3KNo(A*n_^jJt!RbMIYzM_8VW1E?c<5fz*u={a$LqeI0a|1_cT%zO=cEJ z4}skye_Z{N{q2p4S$AMkEzu&(?JM@j-5+;9mcNpHICN>~io@MX<@r!ll4{<`G=ph(xt?8CGGN3?VH`>l3! zM5C|a-GR(|tkGx9=S=klDj{kYP+3Goi4;;ET3+y{7Ny?kcgBFjN8yBP7SP=9dQH0x zaR6NET1o!U{L&r+I=*(x>x~@v^QG0+sapwO9o27Dc4$ay%+7eQ>saQ-ueLz#4zmqF z@R0H`kkC|O>>HJ>zM7kIxb2&QLJDdZ(?38lEC%t4LPhvPS$#f&1bsX^MUVzH-q^f; z8>(6ni+zZ^3U4g1+vE9lgQ&Tnl0K>_*9DgIRq+bcT!0{HCQ1fTZ*s5U+;nHQ(62rA zKFn)Md^x3iTs+VRiBlB7M6(XWlJx2jO$G2-xh*B#&Y|&__#x?MwdaqZ#l9VBn~?u) z9G=6$?Z$6Q-`-G;=Uct9eP;cWBl~)`)`nW&tDQ$XahAXQ&&mIuL0l9Tt!!k`OJc7d zaheHcUPy*x%ZTy~wB|3EFA`oUg3Bk^|6$`_PYqhv$fgC-*kv^eo)@0dWN;^n#zl*= zZ`c_4j6o!LBdGy`OW3;wD7B(DZsUNxFBxV&2ufB`l`qC;5TU_N6+CN|Q)#DZAxWv$Wr~mFk*OG()GIb=DjVkfcF$|VH#=G@q=O4ZWcW+LXJm?B ztTYYCmNC5e5*gP|w^~eH#kl~bg6@Bpe?OI|2gGm7Ka0OvGPdRsLT8+D@#w>^wA?|i z44(#DfE|p2#m*!6^KRyul!NoZRY+RxwM^PzlQivDzYk=@mYN_q<2i5i8LR)YT1T;GW7JfPX{g1G~ z^@^tsiAD}Rf-2IA^OSKN&X1f8tjG%6x6g0S8zXZ=4qML}Kp0ara1X7~%P>!%;#J>9 z8*Yq52Jx+4D>>co^}@Ceukr=#7O~gsyn{#4tl#f(A>udv>AP#N${bsM3??Gte?)Vjsn@7yg5vm6jR?xf6toq?71-Uh} zFcxB~wy#=)jnfaL_a`J?xO$9^(3t&t@4*g!|HwzOe|S?c^cz?<-cr)8x}=Zckep#A zFz2(M6|++%k&Vo6Q+||4P@yME!vL977D;KHe>XmSxnf-0;<4?rvp#2+m;=Nt$mH?2 z!KQWVh@TvWfJ=v`wUBsHy)Uj_4fswgjLCPtP?d{eBGyJDcGQe9}9D|Z_`-&k)G6*5V9+e}I=<`(u- z$E?`H>v*udhXwj4$0hFYJZzJ+B@U70s~5|oMF?0sSN%qq$SKEwBRj&y#FUhDpFi#> z8+F0@RGzN~&l3KS9ukl#yB{Z8iR*WE&=AH1!&_o@UguRS#w}<%nCjsQ&2>Wi<2MFv&*IWCX|W=Q*i)h0D&Z4ugY5Ok?upALA%U`Ix5?;PN}v!7LUKm zQ&^1<;Ns32Vg^(58|K8A6>zmrFtH6K-TZiQdxpZuP+cOXp5Ivd#Bb{-6i;2uh0G(i z{c~CeTK3~z9`0G}JlqkHdj ziG8!yd{$IuVn}G+8bq3+CcE#ljWbW$Ihz%^Yt4IM=0%0jZ#$7=fm;hr6jNTz)UvgUg`7_71zWmaQ^ba>9*S%s~oS+u4+gMXaj;-Sv%5D_Z% z?7i24`q`+jNUBm&k^9CLZpGYA_p375%l_Opxbx}YDzk@uEkKMOhXAQHPV2iS>jZ#bhVI!-3qahRQlMO&_3Orx6=M0 z;Cfc@Ku_l6cx6}scXGvoRcoLuig5nooe!;7=yV(XU|XLFGO^_N=Y0lDZeJkelm61U zLSB&ged?=9p(&es57LLe1$ZmF^&qMCX3>?#3y;}24Px*!ufozz#8G?%(^4gg%#qOE zM9C)iLwEDGiv_IELF)&3P|eOX#IDOp9JB0??!}cnrA^(4)wi?WLJ8!?=iMikwe~vm zp80KRQ#1M`E3a3z`N3qGJz!dN;`0 zZRLS#>KfC|q&KD^MIweY`zf2wveDYlz!EALJ9tI+0`%m7^=p&pS*Ayrq}+a8(Ozc1 zZwPr38$WXeuvE-gewgvNb8^U8yMt4xHej;iOG00sPq)*fJU7Vskwt6!06ej7Pdn_d z&G2r2$wKcdP|!wny@UVyge(6^;KE3SKEhWkK?WB>t}|K|^MkwM_0JXvf(rELz03h} zw0lnH#9gDdRVzF~#OrfIeoqXg*nkz%Zu^2k-twnPEwzpDJ$^2vfwlKDM&n_?5wVQL z#_aDEyc>P@H&16b?S(#kXxe}0X4Mp~5@p-`M3WxBoJ@h#s@l|1>+d~$u2Two{oO@; zug5gV%69Uyc6?2G1L0C^Q|ct1{95R{+1GE^k0(0Vu8ZqFzqt0j1%v&F{^~Ntt9zf) zhiA&BHd)lr2U6cQ3f7pez{l|B0#K5;7)-)NwcecA2P7OSIo$1^ z^qBd{agZGW@95qinmR&II&Rq??zG0KSe5YFDX)WC3JL_Nmdr8T--98051;9nR>*vQ zI{o0!&AL5#n`M+pL)AKWC(9M+=pY>?k*V|nBqYHu(hGa`XWT9$!+$-eaZIZIPUUQB zS6qPWJN)A(MKHAs5Ysct=V8p6Z6?B7e38w_4OrX^IXhk2xG@oPa2y-HR9>1dA7>jv z!CiC*b_G9sA>UvEO9}A1{gb0hO!J^Fw98STRL$G#QrX_#VUcFerf$s90LxnwdMYE1 zQQ0U#nN1OqjM6Sp>pv~Nu5t+(DxTARk5##jw$kKZhL?{!D1qOi$4X{wQ(k|n(`9Ec zA)9;Ajjs-|VWVEFtXEWlHE4`QJ0t+|Dwr2&s31ndg@N$c3Xt&Jos=kE8JKFtTTuJ2 zQK~8mt0{8pXn<;E^I0nozMYbR>?H7*X`o{MGbQsy?az&ESs>!48hSxc!A@V;M~~0| zrnQ~lk=@#*Vh7zVqpz|Z_8P1W{#l2X`6$fT?v!hRrnQM37LI8klP#`fWOyULyxe#= zXp-NW*5lEIOvwNjFki<@esR-rQo1w2Wgq|6({KXyeZ$xllgeBVx9>9-b|WL@=R4N% z$|)H_)i=czogYG0{tf1X_yaX#7=+mH>ReI>XIIK=cv@omX0v`#e}%(AJMsPa zESU!8`ApZ)2eZ|ZqF0rsX6}lj56ZU#OV!L8 zTGI?btx zxLJuFJ1~5ukOD4_pc`ujcqOm+`@^(q#c+=tP?%?8x{|<12IpLawK?&#=+0C(eZu0@M zdhB+Zn8)8w;SLv`!z08z=SXKweCE(qCSi|$oBLbc4l3~*0KiV~?Q@5XuNzKTOyEt* z=54qnx-t@|Dt(4_2EZ!-xk3QKKB{w}HWtgQYazgBZUoez?Sfa10_{m%b zQ3pt1&D)V{Q0c=Ajd_Z?FMAt)iX^_5aO-`Vq2nsem@%f%M?_^^(aOl+tZ(b5WxL9n zzBRHHS18lZu%eOk3 z;l4Q`?JZLXTPv)U@Dqav4i-rHb$@G+|M|Ssk3iv+gij1On=#R)3ct5JDF}3T;DSl3 zO!vW3P5NY;uD|2P{&Cwu$PdztUIWDW+mWjoDU3_y^) zZtaP(Q!Gxqm9Mf0_=+kc`lj?J>8H!jD55ATtp)@TwV)?dJGjrxIy;Xee&pTjnA^$A zHox_ddi2*XLKB z*JS*^1FD~?G?T@alA-19)dLjhgJbX!~$|9V(f+%*ZQ@^TXSgc1Cpqb`w zXZdOgpN*M=Np_>+=>v~XM4bQF!pSyK#kto3H-0I9jn*t{ms~jh_~GQEPnu7{MobRA z-+6efl;iZ)ZUFA1Y248hVIMH{R%$q@;CaeOshg30isq;pLcYbxVP6BCrH_R|8VUB& zaG!dK1UAjiO}T*EzaMKIok&~@?46QAize(GRHW{VT6F}L@l7u8HT7Z9C4c{i4+Jbe!8^t{cs}Z}okHZ& zt0?j}VAXEKR?_2-oy;GcHitKUS$MBjbW~V)^r_}yxYdv3u+h=)Uu>^Gm-)$I@^_he z|CDpCMe}+Gm*f}Ftu>BQK~EOR|CFP5U~GJ_#3m6uUiSSm$JQ>})&51$zo^9_vKSF! z@lQdg{;3w*=SRF@|0?KT^kT0Q_nLp}0+--nxSLk6t(SIm6Eai&X6$L5W-&3Fs;4^5 zAHEm|{dc7Oi&p<3#^T9nA9-3*(|^^`+O~SU=(8%u?kS)=QAS*8A-522(Kz|{l~(xp z|IxhvAqKG**@}1S5<-XA64{*SZH5u##N zQlN*)YeiNv2ZJre1y;h0XLlJY5^ZbwXY?c}b@W&XYAz58 by(uR5+k~qq#{I{WV|G$;%GPclf6n|b=T+o6 diff --git a/src/windows/leash/htmlhelp/Images/Leash_init_ticket_advanced.jpg b/src/windows/leash/htmlhelp/Images/Leash_init_ticket_advanced.jpg deleted file mode 100644 index b78716e8eafdb4eb2e999bb8578cf3deb7164b01..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 41549 zcmeFZ2UJsCw>BCDQ9wWFR~(Tnf=-rmF}mZ&X-=G^J9(0xj-H-@ z5qOG$k(rU6{uJ9O=F=>!tgI)Q&YWdqISXWAW%<#`5vs#B)W>L#9iwGopl4wDFCX7u z1DH=7As@X$b%Yyml=%o1^O5gO08YRW0M#MdAAtWlj?o-HL4AaZ_UNJd)+qqs7}XJ~ zqYOZ5YO3SM4vmf+J#>MF8F>8kB^DAZ+nKZ6SH$7^ak%(_6H?MQ5PC?Ifs>0{Y<5Lu zKbgloA(K}^+3Zo-prnkmt9xlVt%~a7#(=|~&;2>*-^TsX^D%0gCxqqN(Gi_U(J=hszv zL`Hc&Bc=xv8}Skb@v~fYP808_DllMAVYO|* z%rgUc_DiQ>SgjbIaw|8G%lY9SDn2wadR1oyTW%IYsmSN&6Iy|>;;AVO= zb8*=!{DB-$GC?uUuJHv#75zf_6@-E_D(fc}p32^07^^f(_NqeVbr}i4(hv;bmrp`z zrm^YA)2NHE(T^fAh;dEw^X67PZHUK?R9Z_f#Ty8S81 z!T9)y?Tu%Zg2`?+{1f7$vdYnq*mpu&-0rM8SoUj=E)NXq1dG0tD~x47g%_Mqx!T1q zkA*?X`XD*QhT;-$EZQXVy{FE%Z=`6acX-ueCELJhz zW!BH>e5?@_MdwQ1)PV9vKhfGZNA=eUo@okYUKHmC84RTNqab~+Y3vpwVjkiUFHcAqN#lfS}_@sGu z3Gps{1i5qiRxkJR&w%}oT!7Q6l88sK8!0YJa&HXeQVTxzIqF4#r9*NkW1Ounbxu13 zlFI%a&}d?Gvw|-6XwLW|@UE_m9QR#4i+Fz5cG1Db!>xH5gwT%pZ7(^LlemGBNf zGatKfVIy&blj<8{|0t$;9r(Z3gnb{oPxZ|De400M z{ND2HhqT?)Pd|lqzP@X7VlU+X$K-#Rm*2T3&Scep)@hgMqlHNz*`bFVnE7}OB_xK& zE~H&aft0f3yd4=3eNi%JhkFb0pK`7N!F^j)Emvc{?mU7>7imU%YnJ9|T&ufTI5H@7 zOm$Z6Im*%qfgHkY&vu~A-?&yMwOb>M-0;lIg2TAhGW2*iMjMux)-)Rp3%o#|flxODqYW>tVj;t|%SvJrTCjTGU|?&bSm5 z9M2#IYKwz{;P@(vW|(qcmQ<`@G)Mw<5@#qVzsj)BA1_wG0EN{c+wo8JKmcLxCPDm~OUA0Ehj2b_6( z?R0MMf_uj*PyR{+**ET+CI8{qKnV1Xcf7+g+P#}Ixz;70m{G_w(b*y41jIqcQab2) zjoqxFi4_n@?G)2951=@-8x0@dO+v+(ubYrdr@bvY^YVHU(8z#kI`RC@=G#}+i?1-I zR8_vkQ_4y-1^PN}yD}Cxf+$=$l*UkWsio4KT#Jp=*vm!Lfx|IEy?1?HJ}bivp+nZA z?QVX0y$v$$BRV;Z7Dj7G7uO{#qNUVMCuAqFGF4B9P^81%Kd_|=Ah6cyZPnJ#Y8}T6 zUaw9Gd-Mfs??XRx*3CKWF^B0RdE-#(f>BQ<5ELJ;uJ3@A9;e*B7{_Gy0TAo%`#!50 z-RB+ouWrlH%Wa={&WF*|FET zWmw^ZcX@_jdM;3Odc@@cCvv0Yi^p#;lh$F;q4~{I zW(|29_1OlohSiIaYDGA<#dg1ftqy|hm@XnBp0}+p&H#8XZsgrQpKYUSPs&c*r>hcpqM0^6ihCNu>na?#tCYJMR$OcSbUoINdFp zpKdP*eO4OqCTBBF%#NMKXqO!4Jdv2*XB%sEJ#5fKG6{*Vwngai11lF|BG^uqbBpAm zPHaXbFkueEd+pEga>}d2vDrq z5IRnXn)YMS@Tnv;8}3ymO=WUoD&}5DnIU{#e&ss=al4-Z)m4=ij!ttZ=Z|@8RVRug z^s!*1x%9et5L`MqY#&BaxT=s>CCl4!O!q&8T+*cKZil=so4|RBqBqY4qMsJ)L8|Fc zyz@lvz$_{I<{tgchb!}FW8YT|GD+k_?XKj+5wK+xXVOlm&*H^{)}2#nzdTX-9aM^2 zC9rbSWiTm7q7M7mF(+X6+K9ZyHJ5`xfnVu%>Ngt#g)Em&`|)0=`Syl%V?Sf%lKelx zdTQG|ko*6(E3TrOf!bR!{`33Cp~pWycoFz}l;51I42GQwZNM^(e+S$-^rH7)c;Q{D z%q;T)2jQ$O@AAjjp>p(P0Q80= z_ZL||RoeToKhNdA$oc_D{s*=ny#G`kGV<3&=1;PI06P8$wjX5ur8*=__|F9WldL}g z-T4FDkC6Y={buA(vVH*iHbDy|Jkt8|$ETRJHHt8_^HdpaEd zm+6r9J01R?AS>jc*s%4SrAPSKgU)O%(~*uY=cumdn*Ku>+;ymjwG#-sbI!pG7U_^s z`G_wnU)@CdM?e*^cjDvk!=;IPOZwdv(9*Q110{-A@J$=1$_`gjPSTyWPNy;PvzwE- zV|Huc=36_9AX_PR?kYu)$Zkm7W3e4ks`p=`Tb{QRBoD&idsFML2EUp%eo`=P`C1_4 zIyA7gLS98F?%?E!Be!0y3I$1TYi=%IsUqd;kF=``hF-Fc7k_UN3Qw>=$F2f3q0IP7 z8QX1v#)Yl@iH*jntEbAN?IPm1z7fMro5COT4l?!KUO~I5-|ZU-(5J;jlIIv{@HLJy!})l`;gIHQ+wVW+HOeN9u!_*pzV8%g z=C5}C4VOf5$UcY10wDu;gG2DsSKX11B>;dNj;ULWSj94C3`>Yw>8otJ#kG#Q;Xm{C8!UB88>Ex2eHemt%B&@FlSKlv3r!NzNt0wK~xrbA25cS6jtiw z58ja!z=mw7H$?<*Hq2}ruVg#=+(sIONhyP0 zafMZrF=6)Tj@(LSy!Yv*7v8k|{$sidC*8gS2$Ki?+b@#LvoPB3*z!j=?S=U;UJcF0 z8eP$$OzF{QG@G8kwdGzV3Zp*Ecuf|7ka{MfRtHh0&9#vlfa5L?|J}r2znxw+pj3^uk@8 z16GNR5FRzI3!(d*gRcR{#nWMU6e}?O>rw>qVxyV-L>ynEJ#kmJLpgbSJDGK%D(Hf`cj zl;h@Bp9kChSs6NuL6{&Hcu7YmX3Gmry#rI?Kxb1N{%_i z)!~iLoGYpRs*0}!(MEkJ7QDUA;cVHe;CXfqoHWG>PPC^z(Wo5=2^mbGCAf zeL7YuB~%A!QLa|@sNyPm$ucj$3d~*7`Mf~b;d<&oyHPu&QW_G^g@W?H^Qs>A+8BtM zB*Cf+c00!jPm7FM_(5QW#}aOM9^4Wl{21;#fK!%RNiorml9y+7=FKqoMC(zC`74Ic z1cz|0tPL~yPWWt@t=#z(1j;v$H;oh$TBf5br=!;@_oabBpM$u&x6_>bwXPuiXgGhV z&~q9^eo#?H`U;NkNhF=52(DZaM9Pv(*L{?5)tp~?NF+4&A}reTrfKBO`=d`b-T0BA z!hAq&aFQ^+I3iS5BwZ_mX9TK zs@)ShZ;3weBD2U=nTlu+jWvKNB>GM8-nMuRLr{vNMsAmbihWTye>{lBLOp=z&2AG~ zy4eie7MZ(Ug`2JVBH|hk50FV;(RF`3I4WGOZf@)&x!Z=^Q7=nQOVw{@6)er{N@IO$ z!@s;u*O-vd?ukfCu*{UZ|7nbQWW8gskTwUUsI~3!tnaBcRtIK3Qo&w2cspM&TV1-+ zl3aC0R|r-W)~R#OuiZ>7fBnIdl;P&66L&4;J0Qbny0g3BHo2(7&sz|9j0$jD zav5aPyOaZzO2&;A!kGoi+7s=fZM^L~y4j|lHeupVL=^kQ<*pEoW>-Is8_JfUN#0t? zrYx};=GGB>kXvf+%Y++DRf_dOb=<=aUbZet+#5oU&Sgkj1=%8k|;OevYC~%WbBz zCF-N{XwvA`GBxvcVevp7R({mVV<bZW9zce4lNR-a|SPWjS2VK4itO<95cIcJRC2bJ`hUV{SW zFTkfN7+!9AAx*LG0Bk&;9l|xa8gKC!+O^Vam8f0rdUL$+ii&OQjqGdc;oKQ~gKbYW zo#Oe1&*?!mtt^JLc`J8dN^Kh~W8~F^nN)CHK&kBLaH&Pk>QFO*qWQeeg+##RkhyZ5 zLpMh-H2Zc4ZR%og=PaF^1ZRx60-I|5`-)}vw;9*NjR@+G-D>C~S%;_WD=fi;xA0_~ zNfb~G+sn#ZUz*Be=@HLo-yXy`nco)8U(yMm@9|=gW3!uGSFnPUZQS_L3}t+LP>FAs z+=G(+dzO&3Y(3_$jnPTyo{A*vD|UANZ&aP-$&X>@B}}dJV|c5VIF z3CS3YGG#k0MN{oA#y#j|lgCn(Hd}Jn6FN;%&3s9cu}vrMv^Gp6r!Bfn^!!mPlD&|# zO-G_DJe$7^DsNV=nB%-Mb1t>;a}qff)9Y%oasE5NapVl=H9UHb`$;k`&|uOb5m+|R zM+fG6y2;GS#I@L58oALGsXbq=tcA6HOVQiDf|`^b7vLuA-+VG_xXx;tKQOHv5&t__^ zAz7=~9_OWEL)_Do?Q=}kEAkPzCbxU8Ap7rtFih({j-#6as4qALi^>=3O4ZBltO+gJU>OxO1UIHJ=5cdm^HIms9~2zrDr9u;;=sL{C2N) z_JpfejFvuIPHWf9ROZO(IriMCi3HaatRKf@U7ke8X-7`|DhuFM9x$&(ycl&{JDy(^ zgF4w(cE6$*$r^{O|6tTTzIA#c3k1O?mkZ75zRaV)A2=V@78CG>J!y^p(fuBWVZz=g zf^ihm?&H9cV^1QRMNNLSke1{?EGdw;|5)+KT08!mWm5T7w)Z<3@y7~x6(3JHfeNzJ zLhVb^;FXIzTVs#sYR5yY+Us6ACA0?!XzT{=QS%U!|SKbM(loY+4>KBq!aub3IK zCUMp*tPb80cjmugyc7Dlo0&N!iU*a$8wyoOV!qSaa81aaywXvx!z#@{QAvTP#*2z* zY_p+O0&~c)pO+eOo;R5$GiUuA$!`ragx-aX&1i;$#v-aKg@WF|os8NwT&t|9qvNV_ zCK1}CAzPU4XAAtC3_7>Ha6>dnyIK2U{^^1kJH}qOVYz$OJeMls7%H?E5v(;jY!196 z9g&KRD%?a|`C71Sq|H@+=>w;^m2RP_m-%OGb8~}@@=*H62F&5t6DS|v22qr^k`@i9 z-uXiOR48gFeJk#QEe=a@N(v%PD;jQFQe_I8aqJq}6p9KY255OO@h+9(cDveN93&1) zdkGa3WPxI{s^2nmx8!xW8v>1FnBcN|v_mP1ei1HCWSLPLICB!y(8x%t9qN%&NAC43 z(poKc31&MJNn5Fuw%;S$U;Oq42o2Sq6To&{X$lFn#|txh?Mq@Eq&N1y-7>sI;SAyr z;3sykI@GB}EZy?Y3M)L$na4VwsRP`?t7G4=&xdSlj`^h>b9EDbDQ@~>wpz|CJ8pfev2tX|Q0Sx`2~Cm9MdA|w+-?Js}q zsi^LB%;PmwzU8K!e!ob1)SBAdA-?P!mf%GyK`*n&8?9%U2?s!9W>)b;bC{**B|FUV zmr_vCRwxkhcm*e%a#!}?9wv^q$4jcHR!{nsqrpx@3M5i5cgRwPQ8lR`K(Q*3;cs)C zdspeR&f}}MA&TYTWE1J;er4yPW`+W_qY(#O!dqWNOH>>6A_$_@W63Zh3H~w+-}5r~ zj(Y5i@b3WObKcc+)I*zv)rWiC|C!_8`EYRf!o1c|)V`N5?wBmmj}m)KZ1rB~l**k|Tq$WQpW^1^KN`?`G=n3Nxw`+Xs^@9~ zkb-H{{6^IWxcHxO6KZ)f6gP9SI+%2Yg`5(`q^dAQ| zAMQq{u7Usd?Ab%)S;0(Y<@&>^ZL;64U%Ojd4FG(&`FmihwpBDeD?g}5D{A};L-CL~ zfgD$IiAJ@OPww#12YPrv2KQ)tP%U+$Qkr4G8I5ZP+owbnC1BA=48r;Ls9;1yeKyaf z7<=>aIODO2V*X^P(1d8TlAEIKJIK=Q@Pw{|oaz80EB}6xUZU#dy(r2OaWx5ON%wxy z%&ImL`E1ClIWTE#NnEmwqSNFxJOSp{v}crfjJ_&T$OrOUqxmPn9 z5=;}9%*X{c_59+2D#c`G=2MqGQfBp_xo93~Z8S2-%*x7Efi3RFY!AA1%x%q(qE|5% zZyV2bsW*|GVyOpp9tjJ4?s73Zi*3CO&R4l+g3TrC+zE-)fS!IzQAl;;xtY=^LwZM=+a=$to9ViOVagXRJg3{~COu_#j4CjvFZ!c!!tzVvzDZ7XdcRS|Meym3@H z7ET_kfoWCCCA7tO*Lgvio!+Uc#P8H8WwUn_dD1@pwwH&NDrabIS6f#0sJ(?SHYCOu zqi?j*fP-9$H&QatoVHHovR3~LDNi=vaQ?#Vl)YS^A! z%^V8W_Vixg?7UEU9)~(`C~h|)NI4@9_x4+I@%)@RS3mTE9+s1WQ8oO=T;hBn^%3?w zYHV|fUzKwWm+#Qrga8O$K)N}`-vRUJ?hw_$J&S(~rYX7@PA@tt7*a|~2Dy?ZYZm3k zEUTnBSqaaXZYz1+-N~}*s~W5QD2QuFay(mi@Su62oPGdLQ!>mix^wj|RQ7y>HT|7VE*6N!p;yJ~gs*82Rl{;_VS)@0tiEYhj>5sk z;lB2nX$!!VtoiarPI)SudLQ6;fCW*+J=VGNd0&#-C~G_7;#E;0V^aa6d%WHJ7FIZd zRw5&NU)(fW%csRh-C?GBq;6Sks$w4ztV*b7woB8ox33_b3Q7rg)47OM)wvs8)Bdzu zhov2n!qAJib9sH!_mM*1B6|E2%Y}=&l4ey__XN0QTvNs*9!h>d|~i)B;0JI5|; zX#U}|FGszycY{^3^k%tL(ONdW+43eC^!XJgln zsHFbsGDq=}xh7jII>u8$u=;Ge!$655FdKBvJhMbfGUUU{WIg_n92)_8Z{O?_9W3$g zw^oqqW0$K=IgArH=M~VeuFq+#$xRRLoz(6;x?ua916N;2ibY~OX0Om9QSI|+Xih>! z_Jepn{+!q(HhQ=ONCrL8(Zq zLvLSwe5EJ@uM)sHs%@hnrU%8^f(2f07&8&Mi61x<)0jG9CtaEgw-}L8o9STFXK#Dj zsypa%w~ezmB->}Ld7iC0v>$v}b}M`k>C^L8*U{i^#3!JihGQ?zCSzc6t1*FW_wpZj z4ks{t*@!&7=cn{kK4vOIu>V@#z~aLvb^kC@TkS7p!0#4EN;YylQrB${sN#8E&W9T; zh>PaP%y&rYE^h7JSyJ)$%~t)Ep_>c%Pmap5_741bNP_oG4&P0D*288bYaXa@gEKxP@9z*VUks4#T|JAvPHS^dF>v%654=niA1 z#m%ip=5naT+|``H!uFCaeqNb#Zu!u#NJo&@`*`;Eg4{e3qKn2%)MhW)`T(2}kA83D zP=9_{ujrWT=LY-gLxr4t^mYEnzQU0ovjErnX4>4}_7m8L{x%zU`U|Xh7ytn0JAO|9 z0GF0Q3#E_b65h6~DXGH~DF_HNsuVpo(9hEC>_*Vey-PEV)6kK`TaVm*slJEy&qw3D z;~B@~dF$|3k{&S@n&!16FX^ZhNte6PgoIg8xZUUwsa}=L9MRBsl@3~zPiKp@3NJ-U z(MCwI?^fn-6Gw~sQmu~#IQeRndCiPn(hGk<5j|P!vVxezTt;-DBa$}c#CJ_+2}3d| zRmcbdSSk#cCio@+H?1dGJ!swQm(s1zVE@fs+raRJZ#HQ=gpo^rx0}8la>AOFj?G!(MR(wD!W+uNVr9`r6o`I+p z+unwIFA|M#143oR4KvJ93rcyNTp3b8qdXlqd%hE9HBw&DjQEqpDs6^~2?N%6 zYHXuMY1C0GrH*3HqRXAgZtx2-zY%yp56{eI7hy8I$71zh?ORbyg*OIPI44tQ${VU* z+*)e+xJE~^{As6%yp9Mq!9?anA54)>LNbpA^CtPe1;k3#wnbOKY$?bp(WFA~6KLBu z&1&0g`!%5piQ)`rf7*MsxJhymtF206dV%r?RF9aoJ9Vc@7h_+Mhl`i3(wg*gNJnPF zV>u$a!udU+_n~(}4iE1gb*OuPxUe&LkELLBDP189Z%E^#OLHVS%0?~~#jE1m#YQKqkD4MMe2CBQD?ZQ|(^g7@`I9TH zTORQj%xT+T$E^@EF0Pm1-SjtvG?ODHb~wMpS! z>@B5Zv7HgE=T~kgjwxeex?zX=fy~SnU7t_&?@67W$Zo0XVT@GUwOKFT3|5^%<VQ}T@or(H9sPJ@bB98OZq2rBt%m@j}DAl%ip7?nqquTY`%4Xy;ZQf50nU zuxu+DJeZfGHZ(Qm&!TPt%uTUW5ZcDUvn{~D@Z!S$U#eCOcqH5!Y`!HmEz*$qA@XloRX zdV7zr@@g?7F`lkFy^iC3q^E?l{`$M^_9 zGH3Mv=Z!E|j$dAo}Nn%8Ahq!0dKwob{>+<=`;WgN&nXBs-HLF!n>7(fk+_{CB1f! z)6+V`b;E_udz=FiiEi2KJLRbtZ1knu%Z^LuCg1+3eL5zbJTB`i`7Q{0j^(4b3eaFmW_6_}CXu~;P{>0_rQZ~B zd2&^>Du|fy6lReB9nh%=MU`BrU2aX;z!FHq@-Xr`*ZLeY zb2@_pJuQ^^Oa*o|U26`}C>g`bm3n4P$FpgZD(~3-K>8JhH$7a(u;WLw2Ob|R_MT0@ z-Mh}tR_f6~NW=?l8{?+Oz*HO*;bkREWyLk%cUXOk@Qh5z^I09dM z7NyrKDPpB@}MQ~OD`!XSOfe6tf?vP_DN7G}sL8@m(A zH+dMpOAr71mS=xn9{xR_r_SURZ}pZCOr!7UhWy@|lhR(e(Bt-F`S{FXjpC8D3v!cx zUp7wrTdksc@U(xc+kL>1u4jku&T7={v^v}xe7aRoCLAQL9D34O*xR>d(h#rN7tC&E zgQ&nmFgz06(AjGG>g-iuhLC-GdF$O4ubt^(Fjwj&xr*^#Dfq@n7w5Hw-OyJTrs=#WXyb?w@fG3;`6*o?Gncu-o|q&J$juvcYSJC zoa$!l8uY(1$n8`z@zuk|IDxFjxIw)Hn6|}g!c4`ch-!i}FG!(=R*~@>0l^Y%{1!U! zm^Z&&$8ykO?VICXQ>}E5#M!d9qy+mHlyF|cAXXcKi``Yn3n`qb zfcW=q*4=*G>@LObxJZCT&E_Wcm9!JdfyIU`^fc45?DNr#{Zaa5_Q^{nh02+z438ng z=SOTtntNxCm9Y{#)=3oYL0NAGnav%Wo-v01%MDbmgx;?oO@l^06K z!{^A7vUztwAh^1{RVtP>K%9F;%V7!Y<1JnDVc<;BOosCu@M|VnR5?>6rPKCmkOo}M z(xGAuIGv*Cfaf1$EvAR^!T8uSJ$Xo;vH8P`xFC>3!4)%*h$t*frTt!e&RwJ6xQ}`S zIRl$A!__E*V7p1@yQ@d%@T~2?Qn(qelH047443B<9OutI7lNv2=H<8<$;ejnnv^H* z)L-10%M+zfXEJAiL!z6|lBB%BEKn5#Gdb{_qlVXXN9chN7K6ZHd6}_jV3M0nef_zW z>J*G^kNwWo^AR{z3oo8&h*H$8{4s;Lm;${4=`Fd=V55X5Df!wkITbzn7(5uSs%lgz z3_I~++9%79*&N*x--yYdD;3*4QVdcyoK<)xN+=p>K`A(1|b8(~SyJ*i;+m@nq ziGZd^s<|&Wa!f zOjIm~ht}~4S3tax77$<8^s5j)`vK>aFZ{!j4q^KGYC5!?>b9u4%}#k{A}no&t>n4IB1tDLXM!B*dfEFB5oi;yA(e*O5>j@Uq>tZHEs8-6_LvO+EH7uiUX6 zvfIUVRN>{-C1e3^SNo|`jDu{Ma)PIr4Hhc_&#=L&T3K1BLaZ*+JHJ9#2o;k#tv2JV zMn&q zMvmR$&ji_ygV85DAV_=?do12d9IPsyy0MdZUVrtDf%P@dHD`GQ;r{h(XGZjTtJdO) zutwZiMM?pWBp#v`XnmFkb%Ko1wO3VV^0pV98r{q0ujJOVjS1$2nO~0uL+#HFEw$rB zDE9Jk@rAS^30f|5B`HB{CZlY*+wDTCp)5nwu;;l*7vwgq1t)PylebuCA~}(BuoceC z0gPbhim#lX${a7u7md{`gk(5q1($2ve+oE?gjmcy(JMv~A6og2-J?BUwzhA@IN{9%Vo_`OTjJ<=k zFv+q*f?e8MCugu}$Mi-?I$2zvgD1*Ouw*ZhhFNPF-ONgCBz}<(13%;Jjf{J<4^dx@ zU_9S3*)3)p?hN1Dk(>g1avh4f;++KASR}rqo8b z6h9$J*tB(BbQ^Wf9>gEk3+dd8)aFYxapm z{y_9&bHy@YyV`Y>{MngPvORq|Icn@CJ~>iQD!-T78=)Gv5`8R=y9cTIfUcf;xg*=L zf*dBN$&U&s{aT{@Qad%>|Q!H`HEWYP?F1e2u6gZNloylZmO8(_;!&Yy>{SpnNA_m5i?RCNv zi$BMYdztp0nHdC=OpZw1ET4EDIw1??Od9`eJF@$x4gkpcuTSWId!HcVZxgv~O5e5A zRRFg_BFaKUXBmcLzP@b9Q zsP-|uqFzWRCuvsz4--i|FW5=BtR^q)GLibUE7z_VpU8_nk%|V|O6Ckw#CgzN;T7oU zhP%6mNW@Jxj%Hl<{Y$#=Qv&=R^jl1jY!*y|oUQOVwC*Awtn2(Q3cAe2`%p(}iBHC;D!z2(Hq3CPNYBV>hL;dJmr z9=v$GQnowO!zC`C_+G|e65H$3YDe?P4sSkjs`NV7y#FOlj~vN*q_-q<=QCsGe2wv^ zU()(LK>u~Z_PH0n$8T92Nr$T?V}F_-i*N#g6&lUsCuTnlNhCS7kojX}5DbL)BBsxxB<>O_STOc41fu z$tn(YvP|vu=d&+h-vNqiU)8?@s=ouy;};&ZMvyMV3|mojs_pT%qP&nSJ`Rmu%A1*& zewk{{Is@m?xcjTd`CXr3aSM&WJ0&X_RtZ6G?zUtg@mg_mi{iUcmB^S5{ZP?ZGg>(F zeePA?>EB$!q}iId8w^@Qlm5EQ3fHm3wz$8s+RX67X3bXrxDEVldqn>jnCn?Dio zPCht&&gJbdsrd!f|Ea-e;-s0#L?f%-^@Dm;RMzpC4EgPq+pyXGLsTgv46_mcx zJy5y4^lt1tt*a552SX-&GX>DX@hfd%b|ixykez|^mNyz1#vd57knM{sItkuAv-@BwfuI0z@-NLopaVGFZOymS4&kn zBmDJ3%@EI+_wsuzhj)``wlW?`VbD8ORkhdNR`(qG(@>E&O~Bg4ffcxxXwV09G1ps` zIuPadJeJ42i-ck$PfX+4)T$OHO8dZ&)8coUQ{%Z+F)^BRRPVzyg| zu0@}Xt^l{w%B30UZ9ZApgAl7C{sAj{cl-W|u=-NbhsY=9__-E;RXn$9p!78S<+v6#cYsp4Ha^$2eP^?@GV%|k2r2d19_4GL#bV&w!~`YlpPic zrTgI+5-IN8t>QI0kC#u+ftrPpRjHPhvRQh$144$x{$f=~wmpdKtIOk#(JAyVCr7Ok z{pK@Mg}~lZ6v>V`|6?~?*|**AkaDD4VZ4&Ch(G~Ja{4=p3~d(yHcT+=f6N0EUszjZ zTx{S_AtV3l_TPjccg;^tkyT}Ze`qzG4+AOd&Q zXa{1TbI}{-p8a()Vbb+ITZbHei1bvj@b^Hq+xr~8BTQFxW*nOv8r&f{KO+Oqk`TAm zvklk8DXyE)fFzFxS0X5t2(n42FeD329O}I%C|zH86wDQ@6{V#X#EB7y+Ch_cA$Y-F z1P;$mfJq<@%qaKD?q9X4r5zo3+fNYi9F_zQUHjQB^dY*8Q z06|_WKFMohoD}Zzyi_(Vo0Pv!U@(cp5YudP$}Pk0?ZwGw+{Z!1EwcjBxEp|kNkRVy@V8x;cr&owdcM-O; z1F(e9D_nVP!N78O&g&;*_=XLZanBZ`Elh0A2s%csj$7bz_LbbG(RjD37wcAbqteF- zJ;<<(OF(1vdDYCCTTW7KX4g)gr;RGPRtx-Z>u3R?)gtTTK2OtNnI&}ADyXKaw>;*NEV zw9KY~N%R7Fg&(~$#8ly585Zki4=m$G2R*4_iAN=geZje0jjp?Aa1sno~j(O`90{a;8M-6rm2AWJmW zgrqJ_-pcIN|T~dBsx*WYNA48 zP~t8wm#UKO<{qWbZb(ClISIpqa*AN{QI5A+!B%S4^eg2|2+q9K#^jfXZ;ZP^lR#Az zI5q_;ZJ}C`9|~J#JGo(jtlFXSZ76i0-*~U}NK5{9;@+L)w@yY8301|pbR6StQs7F0 zXl<6k`iU24;1wx(lp{sN>I=p6q?DxWj zCIxXAXdVr0=CNc37gaOQJt8%X7u~sAU)#-P6lSY~}8I^4>#4A?^6@H;8AI-7eQt!F4Y;(rg9D85z zvPsNxXA(5WSb`9E_=+mAv!~bWvD@~=n6il!8=d%^=&NNCQz6p@6{3S_Rrl&gV8}+o zyn-7?=qfi!XdHcIe9OEDrYNHK#m6{vfTY=YZjfLS7HUjiVc|a#ky4q=dcj6)tkOG3 zDf;3_*eqXn@{>fV)`TSw?aW(Jf>ml`5)wnk^pt0#KF5oU+^;ETct3Sx)fe1M^@|rF z79xJ9#ghiO0rrF*DEdmcM*}x1Z^H_ zZ(KiDmIz2e>lN8#9iD67GnMFcyYz#8K5~q&WdG(IGDn{RBkhsm#GT5yH8uEzZwL;@ zgXzJ1d6B5T5h>XC7{WFhR8!F+v7YD)2& zSCw<@302Y!iV$3^xo6ZIc-cwkErVm*V$YIhLhY@_+O~`NHB5oJzU$rEk?(s9-uf~a z+P?2CPRV02;Tnrf;ZnO2?9g#ecMv%COtSWHN5NwLi&ekvO8c!9*LkJBEwb3MRUB)( zgo6-Lb~Uc0$~1ZG6xPxrIHGItabG!a;doLk*GWqjzej`5`W*u04=xwD!Ccgs?d>L7 zo+de4=G0*oN$35_ctrU%BuMFfo3BTXH9K4{VdXAn1)4r-clEl+{%3$h7YyyT&; zqdWpP>pBAJelp~Krwbxb@)b)Qk{J#Rw)KEdqs0X7%)^VaVxJ1U`v7NV$ znvGetg9s_M6mih&*@{}Q_dQe&i!0P#wZ>kYQuHZ~AP+3E;Z4`*YN-^c8>4svJN>>@ zC%gAaPhdve|F8DmJFKa1+xNy!5fua!5R{Mr2?UiUAfRAC5^4%96cs{AAoL=jKMP%Y z2*J=4NPqwV1VU&QklqQQ7nPz^3kvq1H~Z{!e(rPcIrpCT-e2m z%{Av3SqrZ}hcyl*V2ffmNzLV)~m&Yv7Dyj=@nHKPZg36Y27u< zxR18i$WCu{kT)1kX8Hb^qSK19cphH+wr$hLC0JiEtJW4PwjHsl+F7 z2!>RVzXjtg7_s~}=iAwUp78a;4BYYwzwbP~1DvYu0yLGy+lS3^=yiUL*MUqAb0 z3-&Qs~d0uC}O9!ZSv-FH<*9U zvHOo1R}EdfCUhwiF5G|ZW1taR@|wy0pS^GncOlh!;wQb#PB?t#5!IG6-|}V#U*d57 z3cE`3@aQ*1i#QkeRa2XjS@n&;(bG)k2X-qg(`zjEYHiX3p9t#AzBq-nrgA%G%O>>j ziI4$fWR$xqDMU&*q8c&!FVyI_+GnLF5WG~}2#U{A*E!{SIh#S5YN;j%a|DOsQL zz$fXCk@{x5HSdNs52RnZPaTtRc zM->%lJ&z=xs{t-0j?o2s(y#tatmiT&(uzD%^l9kwvN+8ToE*5rvb1W#vE17hXDm&w z)iGmiRLgIdao#=y7x<}|2ay3F}bbTJ$ZF;rGaR>(ab7qxb?fsttz zvf_hu)#{xN4SFn=2e!c9U&`~Hd#XC4_IYH)-_ zdy%rbtvLyw?eN| zN+l&E zq*bI>IsjJz7H-_E=F&C~EwE*Z;gGU55a`Po+$0u1f<6SuBbK1Dj(nt*2s;)Joxsq+ zQW>S$Hxx@E{qK}n%pOpCyq4Fbx^g6!O+3cfu*lozzow4Vq{t>M73XMZFIL0rn0Wt3 zO=xIwAQ9fUtimyu=a_$o(&jS<+A=ml#VwyL8Cnk1Xtz3_pb*pa^47VK8j zBRRs86aP|SS*g``<)s`KpWH#z6r*ozhlJgCBxszOI_hm^lF?HxfCx0xRBE@dDUw>u zxyve2FI~HMe3e-C`VY5H+V#nr-|MAobezHDS+(RxxckB)>QCMI|aNCGNTRHwkLvULNw@2rI$1`~Vu2Zk!7;u}OSR)TDTm zA#aRE5B0>MOY0db7;@n2TrW~cK>!&*W~+qvMVzL)6?53DEMo{O+Gs<9F5y%bkKFVi2-J zge|u~SbuRtKO&*fNVxqJy9@(Nm(3FBzq~AoIF|HEx1u9DL3i)|W71{zhr2RZK7^WFG* zP_dhEi={N&wg#9@LbN4A5E4!(8XbmnaE@52+W1p~D;4;X(Nn|=J={x0OR%q+`R2FH zXf$}1vYT?%^?vc)C;j3>=U(}=GNre;lz_;6^N4%<%=riSDzw%JygmEHB{@~70@}Ql z+!T=sf@n6Z_ZU{2A+io8VtZgFHLB}Lk9W649rI(dr}fRT!gE^5W_8!B+{^AU z%zHEKF+l-av8XNDQ6bKJGMsBdCji>allq_P+Li6MaXte{awHZ{I99t_jA5-wflYJ`p2?O>xu;Nc@h0Ccg?Ui8`%4 zpL*z2cTy(l!`ye1f~mvpsi;u5T97EEAL6bH`wB4%U_{>EWa92>0+T(krd-mXdHhGQ zOv^$6$6b$f_9{VQ&ga#+a}NiUxh*g2vdvQ!pLKtn zmXUg_rpOeBJBrmUx0@+SJ?x{cUg&ePd9AMQvU)HdSHKDGF(uX@z1xz31bGAb5ox!b zq~nhk+i7B2Mg4?Gz0A*8w3Qae0g*;4O$If?PjN2O;hLiHJ&1u~kO}ZJ5THT9sp@{V z0@431n8WK6LosTHe0ejqjp`C*pNUEq`MJ(r-6w$x2A^kZfChBb7AKhpNIe1X(i0wd z8#Eq#L$$DdwvkzkvdmE-eWeY<%gj_wVQVhHj^|Hbp<9f^>3Mr2j*?m>K+H|bj4kWA zD%&D@U41F%o^4~QcAv*Wf+eHaww73gjVBiwp$GN^7_Fyl>X`r(Vps)uHJD>k#H$8@86IHem;Rh?GG6mzj;560OZ;Pbo|5gN(( z?#n->WX-SVOm-BGS)fNO!bQdE8Vb!<_fC&fA>>T(;|O8c7P*ku%al0I2~>eEpF?Eb zvHEJ7hE#Q+)^}z>#(0LADu^8k=r!fA=n5v`gV+7_%%FIp0$maWR-sZ~#@{i5Gk@`& z6xo1=>b*t~TOY04z7GHVx-~7~a1VwJyi{s>Z;eu%#_4mk1YyNuhY^0d;7d6~4r|^F%Y>ib#00s@Xo=cpGK)Xw2)J`0~sfnSgNRt@&_Ax~Gz& zM6H8}$jd}KS9?IKhycRk@$T54hAZa2&ZPz@Tsbzg#Xsi~u2SLphNI!tYNzwBU166W zxkM>6s-?|*D?2MmxYWOb^ddfYIQ20})`In3zQ--qCng6c-u%LC=gIJLZuTs`Qny}E zx#JK6B85{!Xdd+gWgW4kB_mo@$i@u&&HP&jLghT3`m0uNLMP}@%LX4EU86$LIiHyj z_1d)vW~LhRHAsLd0Bcz2CSAJp?dcqcMDe!!yYb zYd)6ggD(vNGp3==mHSdV9QW2pa9>X#Zgws!8p?%8Ld;?BMBf6^8~+qz6$n0;I^$*d zi;u27e9_LEV(cFO@N9J=L}OBP#5}!MZn4(J1kni3h+VUUOW!Bq7RWW{SX8C{zJ$~* z=3NINLXbDzU@#DY57I7|BR z9Z{4=QKvddLPFL&)-eQFh~OXqSPMw&=k71*zxW<~5GKC4U@u2FWmo%6i1O3+UMa#x zw{)?}%;!arW1{~S-Fu9oINg~6)dpDdCyJikToLgmDGOJ-Bhw{IeV=$Ev$Kh2sH0JO z{^xANJFR#sgA%}t`~N_!=NLRZkFqheR)?a+tx%9e)(Dl_h<-E(hdONIb zlJ&r{Y_z1SSa-Bq+P&TZT$LL%TXMcN*x<4*14m^v3 z_9kxjhED}5AhbSPG;G9C=;cPjFj$fL%lU%|QkI|i$j*5;i7&izw^sQ6v(??-AFcoJ zIQ>7?ZoU2AKf{m9^muL-!?4LgxMO0vAY?PC=#Yh4O%g0e3XPNk$CQILI|7OV^b@GB zxRlDCtgzMjUGe(v1b#yEGcb@ zABDm`fFWpti8Zc5l9pN3Y)$?qe8@DU{Uj0MKt29rf3S;ALv6&sR=`i(PPr4r{9dx{ zDt$F&3p}kvdO+Er^ShNt#eubv zaE7}0@%JBf)9S~`5}Ocp)ONb;yW)$guVkPv+`m;k%PzVwkUgkOn0Q=fy*;}vR8!or z^$Nkf7-v>q7yAJA+QOu-1d4l0ewTFbC~Te=ah+j?)11o^Z%eM5^@N6LWCziexFK50 zmlIF0yJzM211v9xRS(9=Lu-Lc`99+jiD7&tqq09ZSN1Vht=OmEjr7&K^kwNj;VM#_ zubM=c$NjNtUTTcWb9!yt3NWEn4AZU|H@n18m4=XOM>I2E*krS6P)CEGF~HeQ__I@q z4p@cyMdDToW!*~QgqtPXn$|GVU^2z)FQ-N)`OX%tVp^tO^!qN@Vd_8R2h1eI&G-|@ zPtn4=#pUj8I0O`Qcmy2+7(p!RvP4mwk@G*Cad*Q^^7RMb{oI{(qYPa?t6l#Na~z}D zleTE1ON;o#fHI-%SW*Rcs?Lq^ID9!`Cb^wn<|^K$ z;XpRyxC=siY|=wMwT)p@rU8$6GyY=TsaVti(zJ(F0=b1`LWT>Glni;#6z=*K zc)*!yJ73spyziU3y5OD+(N9tBaZ&&rC(o2i6&#^oejdN_QrZ{$LXY$%@3qZ6^&3BZ zbvnDE{!sKie8IkaY+J_Yiqh>lNCe|YoY2y1lv8GRU+mH^zPp28GD%3c>jhtkCNnLx zp+<;*ncYF9yfd0I%W5H#{JuHe)9TtET=hm1`|ny}c=qO@lsvpa=B@#>fQnd<)nbmO z7CZGteB$FwwapNqo?m5P| zhoRuiwD>Kr%!b;xke>!lU7j_?h3GP+_yKBE;85+ znT!j86{(cjcyk!|G9PrA7}myB>~&x0P7Q9J{ArBxF=KsJ6j{=s-q)~xioZTA@Mgsh ziI6mtbB2=QA9d}5YU7q6<`E5_zv2II*3qq*@5o?rIA4c9t%p=0plm2YuKzJ|?w{OJ_;oZ8es zOqtVUd##Ug`_GSsEdi7X0li6$C~F+O!97j}Me^o)_W-v=gGF8e?@Czp{?GJu zR6c`SVz>Sl1F)g`O66jYduFznhL~w+=b3taD!ASymbiUj>{#H$T-2_|5A>y~46tq{ z%Yzm%!f^EA^QH3{`{>k?KwRM^GXRLzJ=UHW0+m=DPg=7=pG)Hjy&|`HSwU1)j#Dtb zOgM$IX{)KD?*3MzC)9u<)_zXlx#pSGlA8_kP(3rqDA;-%E~AFKf7;P9aObEd#Ebq4 z_?=(}^cpagmrtAVRY|qFRwP3)9a4K>V3%23HPt`E=g}Nllxc;_5{IK9_ymTFeiq8MAOuK>deGBpb@@fe ztI1CMsXBTR?(DJ{vs+%sR~?lDan|{-`jdUlmV$tC^%8aUS)ZA{-CQ^-^?H<=VToe- z0f@glmNtId<81xiCigpd$ef2o53-`+zQ1D?Vrh_okYH_Pk*52T1@JfzQ)D*Dxg|Rm ze_%|=xq6d-kXyPjp&*u>bT0>Lkpuc-p%By!fU|_#eY?}}M)QsW`um*|fS>04*+Q-k zqo>a5?#!(zv&;Hhixgx+PlR`z4wsLZJs=$by^P!eRpiZs+OymyMIYBZdtc-gg3Ynh zCtG`1KPW`!N95ULqQkPfF*d-oZ!;lvIZW+BkT=m!4&LjekzFS%6HHfKdEo6?@}!7B znN@Lnq0=yb+v79KDBWdh8Nha8jDs~k=XhL}FB}L}-kJ;8*L+R+DrbvKK;kbEpgcv7 z2Eoy@s=aDEx=kIe7*}+yrMMBvPothkGwuVo=M0K!HY^06O4?pgw`3|@w_X{w(RC@= z55C9X*q>_~CGJXei8N}ccwFSnd4+bYuwEsbs?%8zTIuRFsbxR0HUYMPZz;*?u%Rre zx9_&?PwSwSB#W{}AGPJi${SvyqbRj>01Tr|r+0?g;{|71;0{pF$r3Qs2@q(@9Q=si zmF1jsm4P~aox%dlr(#OYlx9jm7)y2I#{_g-X%C$$iU4QrR@c8-*d-MsM6|i*?0P?e z?B1Ucz?EQe-3J5WKad#8N!;tNiw80Spmi|}mNth%P$#N_O^htcawFc@Cn~;}G59ff zdsnh~BP4hrX}+Ir03Rsq$+B=QTrXymrj*#eQbP$0;RceXq+oH0{{friw zatv8H%6u(VYLbd#=z|wEFLUd|-hsVavo$5myIJo6avGW6vMnNKhGCDzZ?M`1i#zx1 zZn$Y3CJYh2CNAxK?+VcAJ|feq;^<(pk=%(o-=6L!3x#=pZsCUAbEDCz!%n~WF#4|P z@X%USPExkqV`PFPcPts@5+P?$#2sHmNIP7%bFbi<;IL=gy@emn-gcX)94jBzdgSAX zxsOEevaH!Q{wkUb3CMEmbBU%=?Zmc-4j@GZSpHrQcWlYG;<7CFM^|$8kL4h)VLJM0 zHZBS0{3{qrKJ(}itPeS|y@E8FLhDi9Xb>qocY{CCc|1t>_*2ZG~iX0L{y0p$iYJKY#;xn17mKa5_KZh_JY0+rAvi;bcu`(Cf%`_d!T^%Rc zUT7$jDOW!`61VFAj!m}0nBM-MTciGA%>Jhsrhf4qs>_;o^j0ar;dzRlUEle5`ZR2D zhO`bFG`zy~T#b*QngYq%gHVDQ&H|h(YgH>x^oEmaOb~iYmuJ48U_q&mil0Y;dmiN} zQZsdn6db$Nh(tP&or|gisW!mvI<;?YOMMt?=)kkn9f#v_6%6Jh5L&;i~Ll5CZNgH?|0 z=@Qku&*Doko|+ivu+Qa7EsKix7(alQ*7kxw-gm+uT+>)5;x!mL@N|l4e~pQW^2DJY zremcesf_#t^F2vHEvr|?#8F}1Cs6=-tMF1s{tM6iDGBJy-OgPU8J+v8rjCf~1KT97 zr5?{P0Y{joWlEBS1XKlDC6_*AsB5p+571q>uM5T;)4cGUn^^^Y5%L=iFn0!F;tWpp3*!!(K|xCHJv;u0aiH~XZ9p2=75fR1Ye_Tv?y{rKBb zZ)UR}4&i4`#TLH{v6XSX(OmHvH6M3;(JO_*<}H)6`?=9e+tekl2ae~SX@UC4W=SRM zi!7Dt2bRbn-(ZfEkOyTna#>wTY|Ly(bBtuRP?H*pwRoVEFRk%%ygE)UEvLJYSqWHIRuQXbQ)$6_7}mJv3Pl&P zzuIW>!k3Z*UF>I%4n-cXovfBXP5qENAr0Wj7)`n0bs`6$H%Cl%Vn=n@bxJ$PHfZh@?1xkWHJE7wyX(Z>Y-KxhWzE)IbcYec)i|2XyUH{-^ zNmn9~mwwhF(?udZcp)CY_)a;5WePs&VPZc9j_77RHD^zN7M2f{pc7Mj$d!UB?v-8p zp3iK4I7!Q+On(HMkDjEQsW{%#M10;1CL<`x>Z;0Rqz1)JPe%#}CH&j3+*IL=O9?DWCT3bpNq+ay%M=DotOQq#Hxo`fLI~%<-WmbFhOs_ya z7B0sRze*yhh#dKO5%s??*Z;!+`A_C@czgOAR>k9u#1qad)~u;L$kNR+Fz=d0S2ksr zZ;FzO)b&97;ef@IeVYM2OG6)jLp9XvVyva+B_8`FSn?O_@*8`JZrSDicd$y_@-KGh zH^n1xefI?ET^g==36l30T=N^V5q-a}3iLuwPS_*cd=!zC>UhKS7vBd##lLox2zul( z422k@ANu2rmW4cTKF!|9!-lMOz8|twyIDDZYtm%q@$NjLs`3${r|VazQse0c-O0*?!JHg`Rmcve8igxmue^>W^ z?alwY$NN{Cb^*+dTu*qOG+TFMXxJ9(fHvK^K-hUwL66~mDmMU24mKtM^@V&`uI&wsbHU&mtgqY6z%in7zue6S&nJ z1O4Lp?*^<&Pd_t6Zqu>?2%Vl;1fJ{sNp38<0!y^bvmX@F9^_ZpRmMmA#HvdrOIv+Y zv-@eSi=DpQD_rtZQu)tPg*4S?V0|c2etG}spGiESHOwJOefm}u{uiGK4@)fD|Nr=V zSwfzoS6!12qw>m5*-Q#2ABA-9;qqn?YARzwseGJ$KlTT$-JIU%i2n{LcG7IW1br=vM^I{2=rz2_;|F!AGb4Qerwaw+{BMmewM0nkwoi zBVNafWJ+XA(4Y5|KB6TaD32@l827msiOkEqKJ2Eca6$Q+A7%=!+nHgztw2~v1|!#0 zkHa6-=?swU>xJwEQ*9zG&d|8I4Pf)($&~)0iprvsB=8}omm%qMEhxkasLyD?Vm%0tbMIU=7KT$CAJMB9%8XCP?5=_ zO*}p%pFi0Y5kGV5v)jTU!1aP!2u@83!0aRPU>Fc}L>fe>vF9#wb$ z2X3>sB_K;yyhP9@G@m=M_CCuFE0q%8hp-Ah>iU=@_KkDsmP{$@Js2Nr&hsFm#jkv-VMU*71mlC*KVY-s5Hu z%uR?9E~*{ad1ag9J;OqPs$_%9k_GGzHUyRt+(=yrYmaECO4apO+3!hehO!wO@%C2U z)hC}4%RLU-DL|?O(79wp8=%OLS%|#44aQ}@jQ=8faH!s4ykYRk(48yAT{+E_N>BOt zqW>Bf|6O6v-1+gfu#u`igJebC=DH7m3;T25FTO!nePf+~x#HQ)sg;!A^XX89x7t6| z0=rxC%rh~g&A<5Sq`w9K;yVmyCHZ&e%a2^}$pQ^|TZ2%m-?J~NuOwsE-i=u_=5%Gs zj1{QVx5~9=%NSuIa^%Mgfmf>|u^Uo*$d=I%0h#lZPnUw8T>1L_=btTWLto>{CA)Yv z9yw5*1AK#aSD?z#(Y;!)C}k+?*4!Ju5{s}`a$^rkBoGr~%b%!ys@UdBNt+^l+^>`S z8r%AjB!rWW$Y5c6spnAz=5*70L8mYiQh1H^hA946ui7h8Jv8X1h@C4J}F$rY+0r0?X_a)5?!EQ9-`o5Tx`TLbUZKMxdlDKah@mLGd7;T+KAW>$Vw z#KFDvkyBXcnwwPSR5t>Zd8&V_Nb^)R>3%`P1L$>;wFE}7h5K|=M)JUqp1sda$qU>X zeBNq7=Bhu(R|}46$TveKfSZrhmWiPHhF_Bs=2m+MOlYIB?ef7=@;7Hiu}rNQ9F1XO z#siU|rO)~L1 z0w6+wb}N;zDX^KoNeJb*kGo;K1lY7^a}|ZnU<8R=F>yCMP72?dIq3<^)T-DyboxM| zpcc`GweO1sXPO|-nar)1#*&gh0;e=^uYqtpY9UtsM%PrJS^LS#;wpwR#M65Cz^zvrmC0weO^gnJ$>i#jVBC;e!6_!r9*W5 z7vJNYH^2CxmcRHiUqy=W>5tv|==O_mnU|4|92Xr~_S$js$E_csyieq0R!X9+>nlD{ zEwNmM;@;wR=9mt!$2uQ<`Y8O`gav-&SeZ~uVZ=# z5I3e&w4xOq>WT~d(&`9mn$jio{WSoj2wlF5B@J4w^dW6VA0YO!JTkFGTj6p3MR zrcUa(f;k!fFDG74)C1dW)W7r0hrK{AO2%ATVlhMZm)EB2Y~m4^EO*dCcso^YAKhEy zl|XAKDB+$;AZ?M;s|I{1jLO{&+rMx6SXlVcJ8`82}Wa3D+b zt5uVwbi_cH49~U5GiDdcJ5bZ*!14eUA&X3fx9lQ^=FsZ5F}cf>XaA<05p&q%!cOA) zFFtGDy73h*B2@YppMSFoFXjUCptVkK<}7avymIB+U7p&4ko?f2NK(4cwdT{V#wh8- zg&Z1zIK_|1xKEVCC4KQ%yYMAx-B`m~MCP1zi@Mbo?T>=d5TWN9zxW`R*R+hPSk%Bd z=W;_=r?Oz|wq3e8RbWi*o21!cJ+Dg%D)ru42~zQ#LXd0*=xU$Zc%Qxg&E^Y*MOGaRK-#mDW=mPJ*Wm8-(yXj(J|`^3#I zvBlU7BYu|B7huLLWj`wDyq(R|axJmcmhjH66ZvIB>qc|ROs4->v030#1H=fjxaC6* zhMj|axS%zqG@Lho##>eOq=#n|T!I9_OsIU*4=lHfL*9`Mv7W(nCtlU0|)_b#eFoWY7YfPj7bP1Jw>&LSoBjx8Q18{S^mhu36wN_@wI6ezit(iEa8( z!n`Dnj2$qJLL_xf`!QZKE!f^00H|b-4S#h{L!}Kw5ZJ_>ScWQ|8SCZWTJ!%Z8Umc*=JOJ`UIwY^Ti5VSK0P}@T>!STjv9~R1u&Wv$eT@yyNEvy zzZ@`a2lM8lqd7U_rYT!5C|kpqi_X(>$+Vr?`Dd%Fn1Nn|02#ff`tu(#5v! ze?R-uGysYB1-CgKRLj8YPRsX{zE3*2_hI*U$#PWO_0eTJ?+|`5lX4qRM|gWODtz+8 zG(O7A!}3Hhn1If!8O{Y=jzZGn-$ay7JwBF)Sgns6F%<@X^=|?Uemjo`pePHP?z|Xw zb#(whUcxm%VM>K;5~Z>>bZ`%xF_rrx-68kQwP>UkzHZ+L(6nNd*fF=v3*fP_UAJnX zzEgW8y9^6B+A|51;@q|TXj$ z=(kFD#~7y)nP(LC8eOdZEArgifr_=!_J+mXy5Od>PAH2=8XJU@z_Np0&iWI-H{*J8 zwzaxToW&Ze{RC@P;pnxT-A1n2HkA-JTAKUG>v&GIqF@k^OgRkbs5O&%L*qJT1u0NC ztDii)(!NQ9yFRZPQkkDM>*hDcV!!VmH;&p!a^CFgy>lIaE!Aua!Jn1U0zw`@**#f8 z^)V~zoT?oI`S;0n(k?{X67$qR)D;G5*w-p{_BHtv>=@DVVJ4YpC@wsO*YU$H3kUn9 zES|-AY;R@lIjv82(GWsS$H7)qn#kVnwo4y#&W>YEQ1d6fIK2ZA7Rno9rd)(-ceTET zA9|_T_4`9x2K%N>Z!r9jX_gh~esPRsr^ zLzyR8jXGn9;vtaY&CbuZc~>@b6Gp4hM@0`7l^QFJlA~eQ=PeWV*Ypb14vG;}K}m0> zrN`&lTd%e2e|{Fs&#TgX0L-fYIKO9b&Pcg7KRQ9B(v8OPG0CApoU**gHM0*FX_0ls9Zs5B_woTHI`DQs;XdXAR zKLX>RLi<9wC_BtsL)_veDWh?VfOJrXx}M099|e}F=-BoKKNduJMN#TzCTV!#U=0G1 zcqcteRE_VCm%P7x%}s418bLK_=T*(lIy%PVmBV?V(F_F(>MXxld| z0hEJzmm`|l^*>7Fbv=~Z{U84GjaGp~Hb*84bf3vftC87KV<^QfM2MRFF;&_f|F~97 zZiWA1VTfp*!JgBDfsar9Eq*+==Kuj<2Xm6-ll~jUM9mSUJCN(zw zE|GVp!P~@)nULPZk8dvL0MNYTR)fHpAO=Bw69k&siM8)4oxpvtCsMpZv>b@QXsx*p6aq!!sn(#hMZ#hyckv%*JG}1G zJ8b(Wjq&G8-61W9ml5o3kk#is_+4^)B-Zt&JnyW%;AUQ!J@5~|Bc3{PCov@7r}o*l z-x}h<+dUN@-SZEW-$G${6FIFk{)-(=ziZkx9$quFXY45ha;rhwbnmH)ljEAlJa*b0 zBj)clVD6WN5Y-mn8Wf^az#UX(2N zz4V=a=@6QjJ+Lq7 zWwr0=1PLp>NSF@jL{Lt>M9{muX3IaAFS5RJfis(SS4t3tHuBFOpv@&P4AY#mq~sE` zM^d5g98YzuSq)AN?Y1e4w5Y&RSQZJ9hUYETBE=6dd`}R91gp%uVVlk}A8e-`wb&rzp;P|8Pi zZ}i4M*#uaf6t1o$hf|BjnQAa2YxIF|H6-PX8=7O^DYT~pTll;Itj4IFdU1&qMQj)4 zMzwy&(Wp}9%{;*yH8pv8c{!;}X*ok;09?* zNo1^O)PnQkvFR9yzGaTW-n;&b-FS1I<`9btPGRdSyc){tz>K`S>Xhu|)%^z}d=%t5 z+(j0ur?Gen2aY&GYD4kV+W-KSeZi|`85246grmZmxv#(L7}acR#XLGM5k70Jl&QE; zRD8~gF?t9^u+ScLNR_TN6pKOvNu&vq0kkwRj>T^S`ONmRa6&>fFB3kjg*b)>vmhlh z_^3j&&bJk1x@jgPHSZd9^j-hHY8h+1{AT)o(xAVCID;{k_?449@FL~8jSYP$I|b~# zb#+{`)5fB}&V7>b(CIybx?dUEaTD{Uu2VW-);R2v-$^Ct!WgaRxC(H1UQ;zI%*8f; zG`k_)*G4H|!7;7uY!UL*lOC(=B4l7!n1H^QSAq~gUZsJcna`g_SmVHtdBw*K2*|%R z+YnW8`SJZ`|FnlYyP0ycGG3=3>~Zzu(!wo^P)aC(5bthNNO>U#b{58JN>7bUYp`eD zCMDJ@!$TK=8@;d`M3vh79bM7VEx^+w_mM4ITyN}&o2sIuk^1P+#>^=Jz3N(6+(`lC{FL&`}%h;)dJ_R$}Wq+WWI|-Fiop%=J>t8+@J2L2w8=VHIo7 zSrA*`ct%sz>F!m!%|_d`ec5XjS2CqT8JZo1v**6vh%qtJ@%;&R0>}f?LxrV!uxB$t zIy>FoCM5NqbjkRfh_T}7pGR~fEenE{A-Jq7X^U@l*Wwcu*kW{Eaur%eE(i>O^K!&8 zjK7EPu&+EK1cml5N9Oij<&=p_=j%a;AFY$ML}puxF&+gv5Z!wZdlNE1YBYHrL_c|| zT<9fU-txkjkk9vv%=w*Hrc4gl0&aX}y0C|08d}=dUsv*i0J*07F&g2>02O?a+dpm# zBbSbiO`AS06b9wKtPx`#x3UZUI;4za=_|~uzrU8_?-3-8s8`l#u);us5t!b@vqkm3 zx@%|vz{N<^$pYc-OG}*5Jkm4fKce1Ge1CkHPcWq|9NNNG|@x;sZ1BBZH7LlRVzH^ zoSqZmEFhY0nkszS*S0M5%ZmtuC7N{PJn*AX_{pEOct~$t@@AvmU}uuEby|OI-l_Be zco`Zn>T=1arpR4AT!{IEX(?F%PU-!AOtePc53(T)nm=8AV>s6h?)F-Wi8pu9V?HQE zEt-S`)f~bXY!c{!XRXqmo*wnFp}}r9XwCRjLo{ROQ>N#x=V(Z;%VXzEifzg4CT@)y z;-ie;99wn3XJ((Tv(;1699WbV*1a<+{?ls_g`>VJNG*g}WXbG!iES-ZH-0oq21(an z_`U~zvhEUET$ciVpQE#bFfS*CH?zZac=oQDWt*?+uV*G^l|E^$4Y7n*ZcsgWJ`Hg% zg6IrLK*Q%y&CH`mEvN~H15LHd#U8>+JdtDXtnRW2N&uKVks^7w(H zB<1(Hfj3rJay-_supXu}KzHVRVR5W+`EU?rY=cDv@b>DOE=c)~ozh z`-f}F0wwUiIw~8alIC$Em_#<-l*|%&v|`nGy833T+wuK5$O~V7@qJCHhO<-Evx`j43n|3rjc3$R?7>mj3zinP8Ttq{pP8tiTksn#1`?9$aH>{|82x1zUD7xCT`nfr0VVhAjj> zgLd{ue@@(xVm7UXxakZHTUXfKG)$X6*5SIpf1@`B)iOZK&Pg9}Xeg>P^%cbQW-&p~ z3N5n$CBM_>Cf}XGAv%@6@A;$Fe-rT7xopCNo7}6Sm8~dWJ<6NeQsX@gMX?}>IxS0z zIBj5?Dv`H0??-o1wL57yKy_sA^!#a^B~O&20d7bYr9rIWV5Jo$Fj9?l{fhjZLqhUG zb@fAaIspU@Pcs5+rri@rKcpAkpFyN{6Av+c3WbbM22ana!{VIP=LqsB>sJpPUutB@ z?rV2fO3oNyf1DO>qMHO|DQY}RSKXT4r%@`6raC4{WuUa)Djm7TSWZ_JO)d-z49Ei@ z^D#3{=c6`AblxOb=AF|+R>;%9r}Q$Wf(X(fPV#I%j3SrQ#3kl5j>!?=bbRZgZsP4# z*T0SaywO+?17zRYJbkY=uh_Y9>VTr`aQU(G8ufXNnL*4c%v1>0_f@p`{s2r7>DqD~ z$g~ICzH)v1>C3f2^#{Si)lP}D{&d+b8)Vlhxo@wwOkdk(ya5-_nvk_j@@9Mun4+5H zKMaa`LqxV^N$-xNR$05w22;gWy~+Jy-3i`NXD3r74yHZ|$pqmyZ_$lOJ)udhN=Vid zEl=lrV?N`{@0ast4*3>uV&9~M9P=lfo=Bqws`PJH0|UnXn+uR2-> zjEoxrxXlT1hxd-M*USI> z#22)+`mCnQ$;PwQCw!sm`|$d`iZ9SqJ)2*A5qz@F+5&EsklL5^dLQh5u7q^h-jL|Z zhw#k$e1}zY_dfbvjqXCZfsosf_^tWd2eK@8+y6r?G66OZ_C0!Y@9DdXd-_Utsr*AN zhZ@R;?oNK}xbpeouI16&l;5?){caE+uYqR2E4lQ$J$&K8FF`4P)lu-fIedCe{-Xc) zp#JZb;*0p*bN)Zs{eH?v(3C~oyV8g4MUTmF4W>a{NT4*R07g?9USa|J$uM`4o}|e4 Vi~n+i;9|qo&+y6c-}*K6-vEVU$OHfY diff --git a/src/windows/leash/htmlhelp/Images/Leash_init_ticket_basic.jpg b/src/windows/leash/htmlhelp/Images/Leash_init_ticket_basic.jpg deleted file mode 100644 index 09552c8d890b30f1343f8a95b443e954394a35b7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 24631 zcmeFZ2UHX9);Ed@NL8sy5v3EVgkF^vNFc$48k&M6G(oyFu~I@$p@iN7gxeML;zmp%u&uI!RiZiEA|JqMB%9EXnhKh=kl8Wx^S!x;vItB)MI(mA>bIcbQ&oP~& zr@z2{fr*8cjg5`r{KZS`te2Qs*;s!GId$gb8cHf!Dk@r5MtVlp|LyJPOA00$isRGL zXHM}^oMt+8hUwJLHj2v>rzp;xSo_Q1-!`hVG}M%5PSKt|Ic7g1x2_^K*ut*#xfY@q6BddHR2&VlnX_(`!5MCljcT`2E# zGo=ahIv!0(SZp7(-yG^wneu7Xz?bRDesY@NmhH_OCYg#a=8W2P<(ZBEminIpIx@7N z08l8DMix&-1PM(%Dd*=C|3Krld$&QSNrKC{f=+#?$+TF;P<~_dAQA;OD%2p=#SLAZ zK^PT$=@qntsDb316Bcb&V%*gF z&<4lw?W7GbfMX>Ilv`p>+r&7{jg)f!j^9ca3Nn;v?winH zX%>2Xl%4F$jt)5s(t|9B8GVTuA z^Sq)6w#W0?{QNKXo)jiN4cf!=dtd;WT@yLU_p3KUf7d4#*q;+PSV?r5_7L?w(5a7? zhAJL&tdxo(HN-LI`h4!au?%|HS20&^;PY?6Z%>rb)J(NYB$+Pzh4G@!X*=9p!kBsz zU`!-166@GiBR;?_EdzWbN_Ix=h`VG>y$AZdUrqa{yzsl?80w|&AoEWanVF_RYJ`GAk^@ zofwlxC)ux53#__G(IcrEr98KmUR|G5AeH>2IBWR3raxR%H0Q9%8mq*@YRF%52kah5 zu*r*7+)>>W6D-C(X_p`}yN|nZVgT1E2e|c$`*IFR-x#6N3On74kfgDFY~$|%as17d zMSaH~dgOX#OzNdj>O1NG4_nAACeCw#f)L+N zJN4}_gZ?QT7>OKpz=<;s?f*BX{zu4vy*Y7Hf5Sv~PyaJ*zCtgU>z|TNpf+~n1p5E9 z_zk*$8;?JdRl8F)MccMxuIr<8o+Y@%1zE36z}lf5GG3~Czj5VkL*UQz8#KOt0hs`V zM*YaZH2~lbLbXx5aR)1>qg>4sId}A5Me64JLD zEqa%$QWIvKw6!5}n;LdbM(6--zuA@=S9!T1P*>ZU@WxLH%nuodX%)%o>d_Q$InSQJ zS>-w34(-~`sH5&Td(RAa?u zZNJ<;a}JRT5#^7JM?&#ZFBrj)24lRaNrNs~LST}afXm=*Lz7*}dN$D{CP6U&0Jxw} z`rrfJVa%<2DZd0-!BFv&V(!~PlY-0iM4hEXmDyGgdC#|OF;Mx(b(d*hMZ~DeV$rZ) zv(%f-A|mRP!+9QnL4vOJAn=sn!cVjDOMemgFAw68-67uz59w2 z)j!ib{JKQvjCuN>)gSOFbu&QV|jXuFb|Z<=FW`a5KM-t)5yLCYdrJO~y()PjOH z$<H;jEhkxTFn<&5Ac6bP;>zM|~j}UyMZ=Y3wMvd#t z(8f@qNNNptXTgIGR?uX%g~BxpcbF&6A@-R?#h_(bw;6Hzxx`$X!Yx9^-*vW&7BYj2 za&mPm>WpjO@l;(ul2IH9jJucYYXo51Ul>F;7?yPxwAd)oEA7#g2|DTP3o1k~=8^#d z4rC#nA_dusxT+IdQ%ofdEWMmFJO?w3JXVA>ckF9;#e@hMlZ)n@k&3ZT-}hhqy19*C z_5GxOzk+dMMY#9lT*4nIM>QX;1&ldNXx+dX+FfgCvcy^pR*~*)Q=><2zWSau{^!gZBky>QHM0&Rk?1UyT`5$OPcV zNg#AREB@X^^RisCH@pJoOX;_OxqTn@FZ^aQnON9SUr9;s(?tTJ3hpb+`Fqug7$4=u z>*eW$A)O5hE(kYPS!tpiEf7EK7+vI~xMeK)#P!*Ds@5F#1y?SN-R<#zTSFe-1Uk_O zxm2!0(oTW!wkxWyW#YEI5c(RqgQeUb^g=PS!HA&#*>$(Cyp7*;57L^3XFq6Heri?6 zepG#%x)*eG#FtSUm?U?>klj&JX#Yac ztwDufMANMWpzh$dTNilYPtl8gG}`|UVpNe?G$}J0Umo80MKoyt@KMX>0KB7epVag= zEK-)2B`{oF>OI#l!ux0D|Eco}`WfFnkF)K^XWZA?k12&Vx8wgvRI$G&Dv$W!Gw2rg zx0Xz|U*s18&A;PH^8XvITJ6afFwa{vF77h^A{S25?a#aIw>#XgN|Q;U-fQv4<6qG&X-g^PA4UL9;M$g77c$3*q0)JVE$3oqvZ$=@&F7 zoWYTOfo zVa^fntitXx>&u1@Po-=$;TK$Yk7l=D>0S;uU)XiQ-Ff#sJFzqJ;l$W^_pJ{WKDzva zZ=V|0IU0A1Z#;9{j^M7#@JH`-+DG-Z*%dRsUNFt>IDcWK;zJ-rKBBP@cE07{%9;xG zbj8O&1^dY{Xl+UoSPQnC@YSFl%R^Mf~t$9yyuIzE44 zbi=B@$81tioFU%$+hW200D1IW{a)TfPSQj5ml+o>=J)LmEE$)rz2(ejJ-?>>!{Wst z)%ThQnQBXG3JKZ|ebbH#9d^U{+S$hc!tn5nY^xMgP@F@ZSxua_jBu3{)Yt6>^Hd(` zJ)pk5Rn@~9ye1Yp{hU_u(ls|lb`qdr~0E(Pk3T; znW#iNXBPXrSRE^8*>?HjZE}gWlZ~BE!r3IS%pt;WL%QrJ?bF03OWFicA;N@{m?9hX zaHXkB-#5{5kbOXB(5|bitJq`>Qy5qLW>@`=%9xI5gbS&6=~d71t@`Rm6!#VXyRoOF zTHkpf^KDG*;49^~zeHh7G4r9)#P--hJW zoNkESNOmcbx66IlzV-_cod2x1v$uyStBI_VF}wA+5=qi2HOTIXsF8SnrdwZ%IlMx@ z1iM;X!+t5D#Lqpcxc}*_mY1dY+mWrp2j?)Cb9IzSd`h|rOL{LOzdmzF!7wqcVi}B6 zoV0WFsck=$+~=M_QgS@M~< z5>BWk@k-D1_i65i_qFxdDDPeBM#{VpMM`!v0-K<6gd_w_!n8w4+np!aABu^ak9L}_ zeBU*z&Z#zY>Ma@4Z;*_xOTSQRU0WC_JEqz6^9e z0$H+fXeChn)Yy6BgYNE(1g`>PyFnIR0qgaoT2bS8$mgrqq8L31Tj<(oI*nTYTo(oA zRA&1sUF41K%OyU*kx|P8tQl%zjIHh}%xSq~IY$kOCFw?V2{_Aso;Uw|&U2-UP!v%X z^t_T7(f&%)4mZ-tuV8_Yhj|jr*#XCm?tE&&7tfA# zFhX8en-tM!o(#Gqf zA+OL7xbW$=FF>hW&mnQHN+Df`o0Ey>*m^|mG0uu!mt9jQ(14XnBIO*md37{zmkjbW z*uj}&&z+mzaw}85&px9U34z+M!8qA?%0x@}B)gpXolHA%&lDFDI*{o?=1e5PqQ^ls zxXt~NS6Y$#yS>j{ixy{}Uu^-tD>D*{dyA~yjkx<}S$?XsLYAy2!>7s+d*(}cH7eq@ zC6)`ic@NNa?}PceXb$x~wfXdDsI$EdRlS#f?ln^zY!)+J>p?w_nTu}6M+%k*C)*G2 ziLBa9Jx59AF zaw(G)tk@=i#hGQJce*+;SJOa1CmJ4%xMqMXUIRGCyrU!Wo4RE~YKZfocB^am6ImGw zCrvC;IlaYRgh*zoi5lxg851olX@znNrZvRam^j&WAM;Sh`$hQyCT;3Ai6AjhtWnNu78j$7wty1IWG46Y%_I zY&qdI7nt_~5`lbp#7Y*kz$ZJ8$Kz;)W$>!W*7AKrTAs!2jDO%M2ZH;2Z@VRu{8jp8DKSA>GGz0%Z*OmbKi6loqoPRhE)YE636oN3J=nwfT%7 zXSkoDKqPaA1@4w!DHE=#8&|vhI_#dYy)NDiRj{+B8k!m@x9yiMBeEf@j2Cacivc4} zmdhQj&g5m_8{;KI@JZzt+4D@RN`#QT7E>eTaPF9ztGF!V zm4?GNt4<{6i&skA7k${GNK@=POz#S3Wi4EQmjL1ol9?l5j~sDuTQb2sw=?#&gvApy z!d2AMu{+Tlo+DHVR@A%h-m_|A7F%E6-*frZFOal&!XEkeNWShdaF=$O)JVs;0;tG$0PKbpp$9p2SgMr zzF*B;q-K*_5-GkWSvW=nKk7}3JBn#7=rYhXeKRJ}@-;8@;d17eAtp9Xz_E9SuEW2vrd8}5%-jp#(F zDR1Hp>Ne|EYFySn_O(KCSD9H$(&TErz}h+Bbk9fzFnw!BQW;aY*gG-VO}Z*(K^>B) zZ1{Ntt==M~4sNaD+G)mGorv+p46s1>H+S*#m#thCgcL&V0jirSmoOUn*<9F`xATU+ zwyV``Z+0*)F%!?62~qTn+K`D?QD2QJ1)<$((~u1FSdMQu0eJpvi;)~m_KmgB28Klt z*n+l(LyB9kw|wE6m)OK)NAYpU`TPboy>1;PDa5*hz@gmp`!EN4p*iIuw@v{+5Hi<3 zUg|V>(Fu&@GQ_@R!3ym=wyWruuoWUypZZsjGFG-15yZ3ihtA6717?g|N*_jUn&~g-f7;>%~OP&hhLaa;x}d2))Xd zKUL$Rk%@LB^R%^cj?2i$^%|-kpN0#4`1^WG5_oDDcAXZ?ZyC(&Ax(Pl$$YK*Cxtqt zGkw;FoGFh@ne}rsyS^Lc97-%#O9QpPqr=1dI+)T@pJ4&Q7%V%rjr4Xt3f5aRx?psB zwpyu%qYJUv77ItYbwZ%pIj)q&#@dcZ4lECKh+h(@05;lrzCmT!B zMMexmv`9IM0)dyCNBqGG`l_RZj1OJ^yI=E8aGqqWw3Em z;Ls_d9pey3qbGfB$>8<`r(-4Ptg8BfPx#!^#yhbS>giFHB}d(leG8o(eHwjGH?8Fb zS!rEg+*Py^v2jXwuHnfU7u(>m5UnhdW;4qi0VK>!5jN}tB29c656!q>=sKdYw_r8r zoq9ifVJqvm-mbXsi4#D7(Za%P05-e6m5J|7ezz}@*;3)WV(J6RO=$YVr`$6>jNgzE zd@{UywLoFcu}mvZa-2wY(^hUHF1db5)73B^wi6@k;yws5bpkXa{1QZ3kxVqx5L0WP zuTBCp9_xEQth|d+F|Y9&cuVxxI_vB=KH}HmIwntJMj{SGjGi@*7JLz>8Mu6BObYPT zo3=YdbTb>2l$4^n)C5OKvfh;*;e?vM|2&cLDr{IJAuyv%N0g-0>HRvXj#pBJSxU6H z4g=+bm~Nm;vMqIg44NzCcvSIO7-ul_lHNZb@L6@c1St5(SuoASXc){n{xlAC){YE# z=9(g2)^Ush`5bcN8Yb7IC;?W|m2oY9?_g`-1 zclme4;{V~n(cgGG>SO8llE&$dHUC^jpxfwN)O-lCfMJnAr19 z2baewD9!>OQBc4yk6!MUwOMx@HG!t?iDv0r>>|ts7OTY=mc^K5TH!p!lsx)PPqtn0 zi57$pEX6R;SyKE0yE>3J_vKChd7~x7q5>yBP3+~$R}!_U%(r%V9{qcc{5#J6-sZpC z>EGq@=sFLYlciyv_P%SKu5MLqu-r5c8lWH<(7_^*jK?HWd-!!ete2yyk!O7GX+h|c za7~FSPQY0hJ0U!zatR>NEe&j30kFaiT#9lV$3q3;-4b;(l+$aR`F*5x+N-W-NnRbF z%ox;{S>R)RpewOw>D!9|hPZFpq8p=)Gsn^G&xn(I92~{9BNaS8`}(q7u32x~1#@1v zn-fS=`U>hFgNb?BHt^CSy{UO%ALM(B(K(Wl&bl;#@3LEFc=+SDr5Ioj#eOLJ3C&oE>o-Gh(Tq#nBpAyr5aZOK(atD`LhakCl# z0vj!ZPz6bs6Y{0+V$Pbb`F19S zP{S6OS6tDEC8{xMH^;t8we~r!lPDkG5CB<%Wm3){=<|syjYuY2zEfj8_D>MH-Kg-q zrl+SPui|a!erOB1Z9Vn4k&U`apGsMa#Z`#1DRyA}*aXWKy z34?Of_C-`DcX3Q5K!%XgwHxx$$6h0~P+t_S`&EeTM(;X{-im}F{!oDjQRO3;BR^tGKh6Jth|IoG zCAvM9$LlB%S*p0BP54;-OwnMzdMQayQ=jEz>MUGjdMRDrJftz$&FgsJ$9r0P#W;$~ z29Hk#1idr(AqV;K;IaBuDZ`ZYj5p+41Lblskt_W^zgG9?51fx~1a|b_6A%CKQDxtF zVEuwlgjn%k7*)0W<@@Fo6x`jv_nark;M><3Y1Ntee^O-rq_{!xy-$jX+UZUVRroOl zMbNgGYm>H0`U6PvUA;t0!gm0@!^LyJ!Pf@E_U0r}BLP3>4r$@yDuV}9fx2!>^>3Rt zrQTH^A;PrD&zW4(V6Lv!!xutQB7I<2aoRB3vPeu)AB?pNkrK^OiCy$cF{_tHsKUIQ z_ZilG@7O9aHKj){*DrN-Y>PD|fogEfMh@U_M&ct2#&_B=7nI=ptMOn7 zCr}2PpinNB$WE1N{yFX^1@MDPG8LMU4`%8ly-_v1xTxV9HGC_Mz{J^C&2`W%fW;EA zJeM{ptfv7y!b&xPPk&RD1(_}4P)8*MoO&;y!ZZVj3hw(l=%zT_G9@P=!jHfObcXlt z(YV;;aDFRR0N1HxemFdaw~-w~45Hb!x&;zMftmtDB9n`n#p7F#JS$|={|?Ojq}~^$ zzM>hK2Nri^x#B)3rT6rxwr~b!N;~`%&pG?9D7wfW-48$ zVAdr8X|FDg8xCi^iusUNb)ITXmME0nr>2W>R%c@Sc5SO|@aP|1$m#E_@21P!pUL?k z+x6Cg-)U+He+XrdR51(<#=q=a=>P2AaTEVZD>wjzIe4H}PI}J1^^aDHO71GG))boSX=%*tDiwT7gV5r!;qKQ$H_R<@vh&GSB7pv zUv?AEY#)4mY^P*83!MfRnc=OclHz7u$Fqb)W#$lH#v-CVLukT#dsf8Y^B|tvn>Q$Y zf&Z;95Jdj$*H5Jbi+J}vNghHv><48d>$@U2#4OoeGCe%c1)olmCq{8aztd!m=Cy}|b(cVtdqHf=GCmK#kCGj~OAFfy@r)oO3Bk`#BG`Q&(<=8+S4 z`R~+XMxvc}|@4yg~v ztApOyL>{pzzrlkxuur^<7magQbIyp5E&!6PPL^JGT6@QCPF&fUCvQF&+!G76a}vpm zm!nc?}a;;~9fZ8#XUzRYL+(x)>AcScsT^}W~oOLDUq6oks8zuw`M z%o@!~7+=rIWuCgba}zAitP{%ltT!m$;)}U$0-0D+J}P7>p^~2*9x3-mD*m{gBjejo zia=)eSVn+JRNnWxUA=glnSjgUY~3ED)Hg`mVGnyk<$68n34B$gcQ}<{gQ z>kOS-tMdu*iggBa{%+}_@Pf{05LyS5PAdTxrwI=a4=WS!PISFg$5%)n11U7MDY!;Z ze~Pd`aA|r~0ACJ(973Oi%;){EUL`_V$)r|-DQwh1ZRP-$Wg7Qd?CV&cZVn8U*teTG zMb?pzN^k-f5W17$BExvq5AKqul)OgDIEYR!V#Z40B7J-_`F9Cp1p|f(K}tzzF3+Ui zRvSfJMO*!~iTkdjFlD9j!&i0ipzM=lE8DmC-p#j~z`?oii$Z9f4Sek0<=dOQw{Olh z|9Y;oqJY||nQ#5%VW>AgaAY4O<1w-Q1MdFd`dw0ap&FOO1WD$&kxf&R?4$N9b@xRN z;afhZ#%%|T{9)gGLvbt9Kdr0zNW$b9W_ zKT#(S9avlDuJ%x`8>*fL2_CI+c=K4Oa0Tj!n?WO%yu2=ntcGO93-&H4;7hNceOhWM zF-B#)o#8x_&`md=c5k?lg@{i1F}RdB+8N!2qI^2OP@6w}^1xD61U;E9NU}|jQr~+~ z&gRVPF2TL|z_w4M>h-N6_@^M-7*u>vDNn}A$mb|B&c$cb?o*aV!mvfb<Zl*Hx%^g7$GW|FCpxze zdNoObW;7ejA*FDIp<*Q8EYu;!%kOyU!EMntpeh)OJw9>SQXj0JmH;g#YWRkm6chY%JuR zdGN=XTOu(&FUo~kTgSSBBdy&UQx@L=Z%_u$wr_{8S#DDQcBD)apwRujvFmRa>HX(# z<^LLkvkHC>7h3jDM)e^WXj9}0(@ExV3&By=@c;vby9)P2d29g_qE!heRUOVRaRfn~ z(6g@{%6Lw)U^tA57?T&@ zXq9Ev)Gx3^FM=UaKP>zdb(I`Y&rABD8P*AAtfmg70v0P7+C)k2WfnbT{WIxGM#^{z zC^5M=8d`Kl@-!x2Rs99rcDCcweBBLqNz`12b0++vW#1e1?nz6wkCDX8NscCd8J&!* zk2k*XI8FAjmvyS>suqg8MMao8RIgb@oabHUt1bAy!WXl3xWM>m<_53`ut!H z7q;1OaDDVj=$Vk>mD+(UC-7kuk=|*RF8MJGFVX8Q;x`IL)o^4<)Q14E!NaY{aXtaE9sTa~OeEYV(ZbUT)8!z~ z@=+k!4w4MRtG1vQ@)cO6e+vDADb9kkgwMfGXVRN#q2MVsaGVI4rwM(=!pIKyIKWG@(zkZY{A$^va;tcx6 zU+QuG&#R(-A6lOa{#v7O2NHSS{)08;H+AWn2KkV1*I6bcDj5MN3Q%LKUAdle@ea<$#=rLH(vLyngF1%zmz5G)??79gZ>uA; zAtA0|bX3-Im!n~i3I=hnu7)oHU#EL%4ktWQ%q1Zk+WZ6s{OEJ3GcdLL-v=5}nUN1e zRA8MFniC|%klQR{dr_-FeLswBREyw=IK(~;kZqi!ca^wCC{z4NQKh0lKgv*bXLX&EUN2kID7{iP-6I{KYV;Vpdpz*)?X8R* z)z~A3^Lj^9Dbxe8O7%>0kbHfsbupv109}GM$dA*9ofgb=aS*qlYOsQMEgr`m^Woxh z>Ke-^<6EgNrGDW8rPj_$pO;FPe`C4IZ{fUB4R7);3v52}RQZilxZNVKrkI|o)d`-U zSib)o=k_WX-0z`wBPHfx1|7IbLKdtioKiPX>oB2QH{_msv#{wx+;BPVYFTBV! z5U~VtI>|#?2$F}h^Bb+;;tA-yk0^Zp$0pjp_Y40$$G;SBvMiq7J$OOJ0XE*+Z$!VPm*7bQrajG}--?oWuN5SWl zyVZRIG0&OWclkG+Me;FWEW z2O;Lzz<84w^jULG^s>yg_~IJQ@{eKAHoqtQM(K+Y3BVz_dd6$YcX)deksCby`jx8+ISnvB6;&b5uy@W5{N9^OSTr@c z;-P}UH}kuxg`Ups-)ChO?3f+A)#^@7Bn1mXnUkF}7jy6;h>D0Ra2-Z`Bz=p{$lhT= zkWQxWWoKYnK)X$u&-8ejP!ZpxHAoc1iLn&AUu2& z0yC};liB~=r!AkpG+pUQ?kc*t<2?`(+SQ#eRD7#%M4er+(9}}c(g#wK56>N!g6s)t zy`MBru&Zrgns%0HG^2H^ed3M>R1<|6mLSmpm;mkou9C|^24^T+p)fx9WhI3rk=U*D2bo`kqZs&qcRjK*j z`uW-(R$ZnKTr9uQ?tQ`|;t+!-#Ooi1ja*^aGq+ zG{>Kn$r9U6D!9U!xYfoUe!TOOqP6ZP#kM9eI{M6j)#~+8F3z**4ZRNw{B&6e-R&^x z>0Jx$B@(oBRGw+{<}kMvdblT6LJ!h8>;iNgPF*GoIJXV^-S)^&GD{G8^LVY)>&gb> zZ=wK2g+Cr%HQhj2oA}@N1~7YjtU`Q=um{<_9nxcsyJ#yJps8ClWikC3{+FWFxD=#w7A?>jX)q}3}C}~Nx|6;Qd zJ}_HkG$j}noUc_f{Bc>jlGkLV_BFrp1s4cYj!nu}*gM#VlVv$Ub^?Ze)(O1$RuoHYBZ32Z})OH((i*K zPr#b=kIc7&s(bx+jA~GHtwg_PufKy`tmOs8OVbzep1+1f@`M? zx}5mL7yC``&+T{AbrnhFZjKIF{+1W=vgg&jl73R$EUr}YFp)~}xo@KBj7cu+^KhIJ z$RtN+_HnWia}(~_>E;S@;EX{8EVGAMupFuwiNVkQX7{5dqn@7>vwsuwIkt8FS{PB! zMRV2pQ&x6CtC(%#l?S=Jt^9COUBaZu=Xn`{JE6_ett_o9$=pKPE!&IdzZ(p!rd@tp z@aX?l(Zjg)zG@(FmWWJf-R5f(C|Q0ZkUabp&YZX)5-BHu&Y5_Le;M_ee|h_ln)1tI z7DS#JeWGE)qzb#GnC|@o_xm)IKDR2AubxUN$ZNGr>LpgMz-(y~c{`AIcU3s( zgi8hjr(PO!3Lu?HNofCx)~v}8i_*BSuw*Nxq|HgsCWtxPGqMC z_QAgiW0;5u#d;Ou!3XPK5*LA_i~I`WoPlSJE2hbVNX5|O(h)4aibJa^Dp@|^FiG(0 zyO{Nw+`&b>P%j1m4qUpgK1!ONV2S5K%k0VCoOYXY+PCmtAHZ+VIOP$XU)6DF6<|c!erW zg_@=)+GL#x=+E=Xz`v3YEHv0goh*^Cxh0;W?Ws|K&mHDL*D&jSk%2SW@ozWWZ05TO zh%0dx)XZy$!OL-YcVy=o%gY#y=0#|gWWhu}gE@$+i_WjinPJo)D$`4s8{@S}7BvxC zvLTwOeX{xGz44?vLv`gVS{r>qad@DOKNH#U)v)RczrwrKhI>KHpEfEzk;V$|$CMck z?>w6+bk&fM)RexP3W>b2M1})I#bt~gFdVma3*6x!0}HdThwUwVX^4|MFJVuqutuZ7 zP{&o0Ii~}6&{!kkJn;krV`92ZTGVz>aA7*_{-eK;iA zc~`Dt+&D6;jC02EK)!yU{Af)=%gL=~53%(a&kBy+E^cg(7|k`TapOekh}d=-PrAM_ zh37hwEayUxJ~DbmE3K7+ztv78*h zv1&WRD2EfAJ6`c~t0`mrt(dqQ#C+wPB8Q0O`N|{P^IY_{i4||*jLZa`dHbdqHHh+hc;bb$eDVZS#ppKS;Oa>7Q@Qu!3s~Z9kc?c( zK28P7|1lg4u zYgUWe?09B-eB>Lb?>4ZC?g8?6#wG8snI_|x3I}$pUJwO==Cs|w%vkaJSulea5 zVfqE`(51RCTF|w*Es;&%!oI`7_C1$lnvx zxW@E|)tC_W)}7P{Y46|~Qf%h>%oG~z+|1uD_^3uc4PI0jyb-_gE`i0@DBwlLkBscS z{ehl#pjv}Qv1aCY;YSm)bIDylM_VbKP(tSTX6{m_goSp3Gb2Q%vSFHm!t}_!oY;M1EW4b_5!z!Lq-_BMaO#OuyGxkU-!z zeDY+Li&0FL=-sFUh%9G(K{+_~c?&jhc)S~0V*+)HH_okGj6lSncv{|VhnJ`#{qpqj zLh=w3zy*$7yR?3sJbS(Nd2x%`df|7e)}q9%;a$W2BZ^Zr|9a$0bss%EWa%Y-?V^x@ zY-i)(TxaMu(ZAWTx|cO1p%S?8lVXjT{c2vB`l_Q@$b@+*-?yd$2je)5;f*|S6dbo< zj(Tc=SoR@u#CRB>$|AZs&}m0;~QLlDnxS=LZMehQrCL5Y}A5{1h!v zDAJYk*@v)rvOo@^rl2!CEcBMwF}vohzFcyfNEPGqXm*DW&MkWc#~n0zUnvJJK-kFz zO=cmBfO40X?`LW6raah9y1sHIfYlIO_YVB@$4$!>>FAF8#+|4N^Wp(==cFZ{E9f%R zJ`4kZEal6IfSH_KwOs`BZG5pomoS^%9q6sMQZ>dI8bvoO;+e_%M)pVA*{>Y?eCS;r zPdcagEFFwM50#*hiTtieI{w}Z{MqlB_cSr<@<;2}9(L1S1l71F%9Pj`LOW&F+!47W zZiO`xc?*4RIYy{)GxflMlBbBoT$C%8Ll!kJNF8;7fX*$K3J6S>ct&152h}hRDG`GT z%-*{(cOixeXF|;VoDA$>%Xo$Zwj!?xKBp7To&J>j>L-N=*I;%4^u?jUmF*`*@ktBo zGFLcgy_CoO(`L`|vmWZ$G1{SgD{P9jADqj30DdDIp~>NsFa?(#W=X<5Xl=tm>kDTcZof(OVH;uH5sTV667;-TB`ELg3ifEfoky68768Kw!ae`g`1mh& zh`Cm83(;NZjQx?bJ+W_Gc2w2=L(BlXER=%dB>9rqpIeso7b|e&&lT6djt1PGm1XvZ zDy$^NC?0cPq8Gn#X4dS-`1S894}Ve!sPbcr-y$|mg!7dAtvss3<|{b0M4YOzx4~e? zdYbS^8=)W}G#bqhn4sb69*FiI;f&ZN8y_&u85H2>O8~)QT^(|54$L@*$3zZ*C>TrR z;NXaR^2w4vVc$&OrSjZfrP4hg@7kuT_c2dIeYMU7EcJRGHTv#lKd35BUMN|SU6&3>M1(R=a^PsH403W* zOq)#}CkTcWJ--`cIcqIZ+Nm<$x$=B$cnA;=&5|Xn&Nh3Vbngi#oTSPVYr$MW z*6u(Yr@nEHKE{J2lRU&ZI+b$o+B*fPQoTDsn_T1|BtE^@xkr@SXb&hJkt!#fC|IcO zHo9_rW2}9~&v=>!Q%zDHMT1D3VXgnHH3Y_;`Kf;ErF+_@z31GYf_^$IApPlpp+6_FZ)DABb=APh^;fD!gus94D&Oti)tfX_EZ}~}j(s>2-664}g zdsw78)YN%u^1P@D#)H7YTV0zl?9?hp1NMVlC*;6??3ZAB0*gpBlV<}ax$7DmEv@4s z*2FAAI!pSMNAac~DvGdqhLM2%pWI0^=` zxP||?{{9~#PetOJu7th36Y|gL!)yPP@796G*&jjrQ-6{`zb*Hm) z*g{Y#BE08xTL;F%tw47$W|;t)2VO4^jzCvX&vu!Zrs;Hz>ifPen|S98oYDuuFWr+~ zA?@>4FWJ|KY1a-nBb-%fM(v}9dW9wTa|?Z(vtO5tO1l{i0R!oxHYVT*`)=E|4x1zl z&gM-!b+*?To3m-5{5VhZfMv%)j>D2f`YvER=qYE!tZxe3jScB(?gN!Y2v*O?2~sYI zMBi=9KhMTtH<^Fgk6;y4dQ19a#KJ4$4Lej5GYaInrWt>=keZ0I5Gaq=??(w%^bWAq zgNFqLw84CGlEWtASK5xKvrQ{y^Aux;aGMGtpIq$oiW?sw66vU54+2!Jxpiyp9WE@_ z?M`_<5G>Qq#epfEO$5)>`J&FvwuK}&}y*MA0z zV$?nP^21;+s*WxwQ6*$9u|*rHwBEs>f2I0imiF?5@PSH^`PVVeGU|jTT=`H1Fnj0O zOv7-()Cix<$=6cp5-@?caIydti~dFxhPqvTKMzD6D#W3sz#Q-iQQ3~1P7jIV!9?2C z(Rge@90&~&_fQLX-B>I%Hy{7LyieOoNF&vJ0b>U=LC-qdXn(M%DyZ8i8NQq2H$Q&d=60OG+LM@bi&jD}O zKLOD?(L!c^Oi+Fk&Jny_VHt5U-r1y|vV3J5{iZN)z$U`xxqI^%Ww!bmeul*_aoOU& zyvs`>Y@G@10on@oQ3FaGl8EMjev8#6&7fgob;nOhW5mkE7jY1d+<|=vL zMV<1#kqJ`hfb)pyP((b_T7fZzFg?`-3dY@B_dQm&dh0c58LO|MBJ~vtki43V2q$RQ zF!!+V^(|bs4kHwP9P;a|6YO|0+AZHTO_B{sK#PH24`GY@ltBa+Q>C|Pj*GOH$UPy^ z$8=-qY5KZMhrqpj$)gl+gblg{98etU1_ad51%8sBW*kL=6|yHONmrge=D`XORuj&q zl!C%$&j(s1GAh0I9rd%8#-oGX+x@!CCrZ0Yv%0hWbT#-}@3hRr)aMR1b5%VXbFX zTPdZl^Q{OYSSW_&W{OEe5lCr0oYE5>xHt_ihkGKXD(_?$#4`<3uxBFZ>TGQUBg zt3&)24XScQuw^k=DS4Fou0x~zX59AxOnatIwq73ZxDoF=D#V!Kq=kZ@;F5utpmXno zykXaGPTm7AuWYu2d_QK$0y&@APeEK!ST7!o8il8z;>j-hHSEbCrx&rb4N@fg>g0#b z;2IScm74u!9sNT7;1|uy!&gNjc+4bSR>N1ERg2uhbfbFNS8o)uJlhTFvdw3Nb_&x< zT>RK20+pnwba!J*u1s$C6%9{3Syd*sfemPFD zJQ6Srx1O)G$DHPLF2!E2on(i$3OPu;n>FrOXF;xB6{)651EtaBR@&BCcq((N@v$3q ztr?flMa3n(m&IZHy9IcHSqRB<`P0kOq++kwbhuF2m85x@$G4E$wH%F@WRhr;k>{cv z1A2_symIcP>jX4u3##$_rEa$CYk2UGJ?zRO75c4J&!x_>5^K2*k9Dv2!-Rs|1)#H% z0dW#__kXSjTO--)^@??iuM@u6uB+cRDhd!$_YLi4{g9uS1c@JjHnFhk5 zUzNy7tfqorY?2=yS*;m6|LCGbL-=J*K6}Kn3SJj&(9IqM$QHUlt;VL(K-E8b-U2K* zVtL>>I!WKZ(hRUAP{Y2R49Iy;{@szuH&O5BQ%8Kz+`VVXLBV$B3o#W)6VFI1B5IP^ zDS8B8l9D!#6kZj{*9s?HtBWs5L>SsZlZ}!Wn3BW4w8Fm-ISakgN*qulgR1oCLMOX-U#*>$-h&>LzT7zahA5LU$B^;p}cc-I6k=`UUf z1r-du$mp(7=QlY5Z+uk8!i62AsrEVb{RdM88qV7@r?~G#GTZ|8_1)U9(*HWwKOCaZ5W$hL7|Uo#e%$F0yxn>`~}1;uf5b`)W_x7djiK2Nx4bq%ctq`^S z0Oyp^x+JQ$f&kl`VpKKni0pucm)BH7-(>Qo&{3F5ogSN;&~~?=#re7{x(%-LsS^eK`$C$j?0nY}d zDSjMep%G0baI&2k0-3TetgTS3zpjqKu}Ct1nnMrWzf;-+dzM_bC@0Zd&AOq(2uO!x zbp0agkDu$fT`g@#R!?;f-fA49p0?!yU{4rc7G`Z!>@|Aio*m1BkxKNai!dr&9yGO9 z_V27iw#!j&mD%NY9}8P=a^Iu8y;GBEHGgWRvQ}eO zOmzHI7h*a6uK25L(?2d$JE+=Kp~2VGjF88Ypa|Zbl%0LTkGUK$jYXX0!U0Dkz)=)% z(jx{J-a{9AZ2h+Q(5t*-a4zGu)OAKZB_$9&G2R9O%IGZnF}DyGF)Tg$Td_I^)oBCJ zy4_YR87@nG33;RY{A_G>@#0Ggp=>zN;X&olrG0T^#?SX1y&DQ&gu?H>0r7r28YNCvWr;y@fia2>H!*vp0JZ`-yPLtboFl!YL^r3rQ0w0aSD$ z^qOP$Yv--zX74CxN;khF!GWmSJ6D#@bz`D+iR;K$#b}eGi z5mmM%AdO*}1wO)*S&O6JehdlAt&Y3cB?^^*_Hh*3Z7*46T?3rM%210DL*5{OLVO7M!xj0*AY5p7P=_1ka@PohqW8-e614vJj zrW4oeHiE8`%SLM4GjI~HRhH54^7hGPL+Y2^t{||fmAO{J5GYBDw09krtrVs7YvXa> zi2@35Z4IBghJQ_WvvG+ zpz_|#pfYB$C=+CT}*TDW)!g-jt#3FE6bnp zv(d~HuJK#T)rHl))k-5y6*N{O$&!9pA@s1Rdr&j9zr-pVkWnawFG+ zGyf=3IR3cj2o=mEI`~%>blKx@5>5*~U&Tc(pCojBv*aqE?Kl~9y!9Bl9&zJOjwBSm z=!aWkK=5&jAFc?n!X=yad6%*ndfaB!dXUW&6B@baf;@n_JkM@WT?W~B^@&HTL@5?I zjQ}Uy$?`k1@Rq6U5ns1BdOJ6u2%Fm5Y%AWI64FSDf`5L)>}suO<_m&$N&0TPSLg|; zD@(fIrlLCt2*C}e%;UK*15?{T`;B8A!KPKa<0o<+S+G4-jmZJ{{J}Mow1+(ys%!aK zaR}Dv6gaWWIX8(4nk%@W==B{Bhw`J#(pcTTc18)BJ#PB519M-6%O~Mou~d;-eMHxv zZs|`bvX&;s^UoO|9IVPOA56D6y0Hz5X+WM%7?g$7?_yHy>K+y*!$>Dgf-VwZ96&KW zymQc>Z9(Vr4`cVBzWawMztGsHEW~t#mKYX%4^2haBBL?%5!-A>Q{~4LHOO;<;3yaf z<&unHgB1KtM zPwis0bP@WLvCWFb-0ai=xU%9nnji;1+gK0%$B98e0`Ywl8HgOydvOuBP^)*vc)o;R zf%%B%Nkf2P&(HA(2gUV;-P^z!2#>CIno?&BTXGMvLn+S-4C-J88BwClei6p_Lz!wSu*hy{U>I7lHP& zYQGn+Fjd&UOVPVC>{V=G@`oO}{*1Y*Eb#G{FV@q1T*=JkDEq8^GfWS|Es0f%mbe;A z4zO{JI4HQUB{&(0Er*(Xw{hMCt=={WswzR>^`LKj&t)7 z^3CKJ)j#L5Z5+IZyC?LH^hlCyiNEZYpL3#(VAiW78p@XzQ5~K*Bi%4&R z^b(3xX@ZELH1%@Md*AQxckVs+z0Z69y_0$JtY^=jS!;i0&ziN?to?WP?=pZHst3^n zkdcuALN0%Rzw-cXz!h@x|EQOR;<8fGP*PG*P|{ITQ_)zo{HoUCl@Z2vI`*_F#a6qK}-l(cLN^bBnO+vV>E01FME4zPcP zOb|fMLUx6P>~A-K4*(#)LI$|3{}d`pY8nbM@+-8L&DP8SvMX0ErKhDMqoSi^001r< zC@85|0Iby4fP&IAZ0sD@&8@~Kgyc0X1Jlu%(mEMoEoa}iV_b4D3+o^hmN-evsp$U# zBqDo9LC57mWLj-U=jFhhmk9j_NdH#;W8}*gDV9qf6jx~eQ>_1NCIhgL1EmjGHO-xU zU!)bi?O3@oc1`fR3`OzyUlQQzrR?M^S6Bdd0SlQMU#4Qcb4rM(7?`UxJI+VRe$zg% zyCJHyg(wh|p^VpfV0i7M`?tI*(+%Rz9UIg}9Ut?KKhR%ZO8aW2hV!p@zAC>xd$C|}c~_c<>XEnGv~B8q3J}skHwe?C=@6}=O51OzZhBa!HeX`3S8wCw-{E&T=jNd_Iq``Fn5H&y7G`PsY4O}Ia5%tMZ=A?Oh(9KT9EG31I;rJmWob4!JbhOqi>h++_I|q5wiu|t#LrZZZ*)!AkYjl$ zyJi}Lk82V&f0o|LFBB>xSc+pKNGZ92p^-28#d}*_4;b-$tH;a}TU&`H350-K+=0u( znl)vAY2emDpXcb9>jVaV*SXv&}XWYFmlvUD(= zrB(*hqSZ<()KqcBl2YiowS!D9W2CjVrSu$IOVnV6AD>aLW6Y4)&4v^!UagM-&ufWn z*q-EAzVMv|a=g?O5%E>C0g{cg`qJ+>cg^l`EjHF_DvsgD zE?6(FHcUtBvA+9LR@K7LVc3E&f^SW6Vvruo8D*Lgw`7*7sgdIbYMOjZW7WwsetLC# zgnU0FpC3qFdA%hDAOVBX0tHfKC$@#m?WGH+_lC4o4HN8SksC7wq0{6vdrepXJSK-x zjGW9#l2XUDTzGf4yVd!8CU%CM9Gq>GfTk{PaAoD8bQkBTq3v^QV@!j_)2nW^5gLCB z#@}{<%1?#Txt8&k=1Is^e4}(@YTX4QK>waX$j=Cj%pv zuX7Z*n5?r$3-gy428&WkK~*`~@5wKKCa5W`z6iH=!wXRZ@B= zC?d&r$sTr4Gy$&|M4%%G1#&TTx=QB9@t_QH4A;ARDc zUS-!sj%O!tKc7$hehCBnXIaBmD)~2|epHn%i)i*fv~K&&{}1)Z zKvgd+-l)uheK+S)nWGW=lM~vBhFZ&LDywC;@-Bf`82T?jZGUk&VH}Jud=6lpoO|F$b(!wlJIa9zR6r1=H7FFa{5{;?*X+CXS0R>#MX!3 zZsZvu->P2232iwYZND5Eji`BX%KJL;%~}tY$FK!Hz0iJ&K4N1imSJm@C*g;F&KYyP zS7@|YDu<6AwFWf&xW}}u!iVs~GsoYfxx#$CQeE0EYe9#@&MjKp%}8%6SUr`MM`@4m z!+qraZlmL^&(2y>za$klw$x`eE>cW;#{QwEbsJBHrP4j8^TYCvEeGv?t-Z&p?kvji z3WQw5Y`RZ=tcdX}>p5m=HvMS9AS;z~Bc!El0nHXA+oqHM zZXG3i0ld%H4|qh=6=yTPUd6o3Ln3Zw7M?p_IaIoPUH>1-MxE8eO3tNzLt<&=&3Glr zD0C;`+zj2U#6$@+{2uUT6P?Gmyq<^K&DdIF*Ne9;dFxP?W3+`D{V}>-hXG|@ZR0i- z6Yl}myhgi6dy~GE3|@;K)weW%c2ckVJ(YU(4^_K%;eqdM>EW^}jpx6) zW?tS-EAv_VmL#ps?5fKlnxq{+n6ZZZU_Ljd()@XiJ@njd&dclp%n@hKZh=+IUXsxq zLUavml#0@YQrB9iGWvueohcM=U5M7`aaCIXGl~B;olc3q1}^VXZuC3-+SX)krFuet7y4UGB)C_Xn~dp& z1?*Pdr;35f@j0qHzTAsq>R-Qb;QxoR%DHn9Zt3QB8phPXd{-#_dmzZToeNu2meYzz zfLML4iWbXTe)i*83H-e3UklHgBcaN6ua)te<=_uOF1y7wt@S<~VM=*J&*+%REf_@4 z%Bs-7`Vob&iZ8OMT~Xt*tU}TG^`zn`CcEJvl{sM-b(jR?8F1z zyy1pL$k{vFoJK|uldmvlE)(8`B?C@qaDaI)edS6|Qv;?$8w&=RuYnFH%ejh;Q}gqp zo0JSaYcUmm7OALWs;@61^@>lNquxpgI#0hj%6si0?vy%sLQ)eIB@J4y%e^U{NM_t-(mfE@MPn#$fyB5Ls%<{i@iT3?B!W@y!NPGe z^hmKxneZL=hQd;gjC#x+n1(x#>ivdS1$ZWI_u=z3 z=lT%h>kX!Fwvh`TPUW6No{Oqw=RW8HPrUotS7c6@%4tQ7u@D@jEag2CVRNCA5;-61 zYo1&1jm`Ulgc&*nA_JakU(H!;9n-tJRhs=y4hJvniv_=cN5t?VzI4upRD>hxv=Uke z=nT{#Bg&g*$0-zo4d<`gy{2c;>o3J&h0QV&^Fs*Fd%jqZCP+*}oEkx*<>H#c_=I@g z<7g@qDO>25aV3^xb+SdSK3WFdYU=z|G$($Gc}*%ZYhi7+pW07BZr~ubK~Vgtl@%8` zB)fF)X5sxFyLidJfE(YNxC1>?Hb4}pg6HkhN|wKWZn1Z2Y)t1*(F%3!@HXL7_R8TF z&Wt6BXtu(&yeW1uUKH;hR%e552bErpTZSA4-19Q`g3u(2898sWZngr;gU}nd#N9s7 zK`2!kQj2Lil-o|Ge4T;wp*3%;UIa|!Eb00rBeEfM-HbWAAwAcy&=`er!1=P>M zc}i)d<~?3$vAhEOg>6*Mv`sUH$Cm2G^U16pz8qXSH{r-g{eg6H2O>TU@M+G>RZ+~$ zNW$ED3(l)8xeE^MuuU;TMx}9IK}srGG+GHQ8=CsG3-Y9f#%MK}bT?~org*k&|3q1x zS>9~YLWoz$;anm^AAOugNNMBI9@MANDhdy_CcR#7%~18cT&J~QzNT8i%6d!kqo2(#`}-PMp9iH)^MCLFu9gVo-%rE0l??q z#F>2*U}60jp3c?cfzEjDe9_3|41`c@Ry*^RpyYr3+UaZj<_NM?pmYK4h1gwl&uHV8 zw8Bfty#?a^%xeA|pt1>CR!Urhc0k>GG<TF$(_TX4s-^HEjRy@* zjoYP|`sEX1`|6V=$KOp9(j4ulBC{ z!zNuu^4~G@gl?#76G2v6@9$|d)Wh_h1w=D;CYLyNHDXy`M!TszA1U9wX~01yGnh`2 z7mv>33V%=m+%WtjS@;;p~>>{fw zV1d@8#!(C1VYQqT0KIT9E{KKN$qk|Dv`5*MQf;`LqcVKlluS|7<#+6!JU%^wtw zVkC&Z%YU5BRD3ho(PyP$+^Qt$=!&Q%!|Ram9Gi_LP86f6v-#`;W0lkQ-+{&NH(+Iq z>fdKfuGU1F*=X<#2LB9}V0rTOJB#L%`Qp*2ZcZc~{0Ja4wvC~C;^9~Y{FEZ7K2c^@ zf>QAG1nHoKz0JrJ0lZfMa(8dV%5fbc4sSH>NCaJp-WvS=NUsMiPI1H+E@8G?@Y|@o zGqTa=0QDrp6FSBC_2I0p=Qb9X5PL0af`AyiDEf#sL}-e2W+;gIX)I_TAFoKd_e%Q*jg?o`~~!5_}BgdS}vzAb0s!P4tdh< zY%$v;DS^7#^5z647NEGxPN(w_et@)(ed6}PtjYqhGjTt2B08Xx=+e6`7S=0wSNy(> ztj*xS%5Uy(2l^{+CJ~TCuM(ZQLTI9|8c~o=6@pb68AM&@)1>_(j}>N)!im#+HnKSB ztV*(;EN|$st5-vCmf{M6+&EbST%%IPV2M~!@1njgaTy}!$ZEod0Wku*feFFnt_NL_ zR>vksgwX!IR`0T<<_Efg)AvK0a9b|^H-&=M565G^NUoRmN0=KTHi~*lNWF_@(diKR zVX3AQOn@C`Ot+$+0n0D*!*{Y_eNTf%Kk4=^YpA=h!l#Y&X1YE_mpf)-h(+!@9yz#w zGXicSo_c@UxjR?)EJzBc(@~9X8pvk`p=*q`9z6qv!E*V&B)yFJ9cdeQ1VEed$JvG+`l$3*#m9dI~X~W^^!9H|m!aWg{g} z!cs89=mx)avgRSdSri@0C<8NO$&sLxLP6uLVCe-14}ssQB+SP5oFymnY!{)-gL$d) z@@)yWXdWKDhzLN(r;0b9kBkfBnJV?44HWYX-kVSEE)^00l;))^XijkYITBJ0$x&Gc zPvZ3np?XWLRT2+92*JGz&z)O9MSc#c%&WrsfdWA97FILXNq81biYb#7K@V;^9UiO=g?H7jk3$tdex-#3uB zf`ssC2wzK^sA|q@$M4*!@AWcjnkbM2eOXg^5ykFx<&k?ZW4_8?z<~1e7vY-wilwCP*{D$cj(=;+&PNA|Q%PkSS)S)6 zWLXM-hh?l?6=(!fG?Yz_Y5SrEb734cesk6yK#k`*zhzD%e}g5)^R1I5%g}4SS-zjp zwhE68421InNirHcVSzKX)lK~7ah=RR-Wa5;tsK>?(99O1Fbr+4%T?Yc-T#&Bo_4j` zZoPzOov{6sVO&aC*J`HHUe=~AX@IdOn)Wi@z4m@9!U%%Yc|@*c;wrxerKc4lK>fl$ zQSVOKCgB4W@LM`(Uq#n@+;v)AJF7KU{`Pz4lT^tJGCnI$SgN8Vn$IRJ;}Kei@-{q6%k4Q9)>d5XEnN z&#G;%aw3*fsuy-Fvv;Sq%Zmz~z+I45`0T|nZoMQoIa)v*th%wj ze|9bD0l`E4s?|}mphJ&MrNfT|)OD#E-1&l=^pbM}8t4O9euC2e#FZ&(j0PnIWrptA@^ zKZl2dKPcCnc)Ck<*NVgSv9#kQ4VEHidLMr5n%h;-o{?u@d7qiY2Rq5|X5g!eEumnx zdhetioA3+`UooeHO*Lildupe><;z35T5O@ln;Ab4zDnOZxNgi7XryNBmTM=&+d&cN zR3aKjPSZhc*;d^l@5wc+K)%=1Q`4CT54ZH{yUj^Y$HQ9FpK51v2qP7Uo4S%kmC^&D zG!R${D;4CfUZ%jp#HJoQ+xVzBJv2{y={EdSgCg25Qu<}ebFn;@iLGf9=6xbxmN0?o zWi)H-V{3P4l{NVG&SV)b+MoA9Hn))d=!7R)CJ!BpR=6ptL$RKYa`do*)9t|)Ujw~C zJ8T$e5|22oEqW*^_1(*~`X2tQ9qMDw`tM-jgexeQqHcK9U2c|wl>Nyd2qjefinkVd zE!mk$Z+7WaPORV+M#}3VHya{TZ_{X+e{%dPyzANq&w)IOymJpyszM$C&4*n&pPyW? zT)kZzGW-^w`W($*4IGw{(ZXv;HX2*jw=PKjSQ`vH7w&eF)aS)>5mnhZ6x~IX5N2a& zV^dF`QLn1wjznoeWF2YxJEnO0h8&Y09u%kP7sBq3ZcFb#)<2Z%>jZHx#G)&48nj$6 zv`2U_(0V@|G#c&}?M$0Y1|>S50XM{(lQEft`B?)9!u7|m-i$(6jCbaS?xqzn=U?C6mdgH z8(vFg`3RIqIWMB0o1fk9VT)#FoN@`QlK1(3?q~U7@t3EPX52}#ATH;fKYOOhZPMcB zdax27%6}5csZr%LvbA1)^33zdR zn|j<%V`R;w%9{;V`n<4R}~!TMD_78@B&gCS(OytIcKhb=TPdj^5v{f_O) zN6J~5J@Xt_YPi!w=f5xDAbz}eRN&4chFeaOp7M099?)};kT8GLBa5rT-tT*?fxg;A zq~A5l?OTF82e25rIalf>?MG#Ou;oq;Y4lB&yrX^P?Q$~$lX1*N|3zuD9O>oOQu>h9 zXiTbss3@O_vTN`!HpE01&vrI=9V`nWIg(OQwJ;P^YczS&9mG>Bx-r24?J#`Be+oy9khRd$ef;`n->+s~o~ z61@CF>KejqVGT0>?gsjk{rwBib{hJpMGv)GydLtd^l(2D`;Zp&=>@M5qfi*VTQeiT z;14pv@;CQ1^E%=dzw%@A0l+#uYXzmBQl4$BE;}p&DSO4Gl}D`@{45BvrRO_w*QB&! z`dw^(x>?M!pY0O|&)bCnST-z0#`H&I+@EA$v!+T2-l`&CdmK2P7j1b6*A{fqENEx< z(v*Cel$yyt$I~KE(c1d)se;eGCHqd-^$p@NFcaRDK3~yiLE|gFRC=BKXEa4*v1}?; zcs(}D_(ROJSUr}u47X*coR$0H@wnAYj;dT(*QH?8RNh(+2)Q>n4~5-kv%JtC z*Ov)d)WO5|W^mUK!Mc@JSuJ*$K{*Jk1;@k1VR>R9+vPq)*BFUmV->VXl@Yv0%>}TFuMkCxMpQ=#0qJ7)zdwpZB8*o7*X_rnJhA27Vj5 zJPkwnP}}d+VST419i~1$oNnSFeh4*az2PMr@QalM$KFDO7i5g|09Hv*CN1`QhCj!ov5?9}fOg7=~*szP@S*p0) z6L7a6o>Q`Q>#yx9qb2E}@LhL^A{QluYHE@V74ycN@T~LYm#a*~+~4JaKFI&N7vbEi z7%qJ$aEalMr_ap)4CkJ|4d}q0w%>LC3wSvEd$y(M8dWpF93zu29>vVD3)KMc4^SY5 zMr>czV!YepzaNDToBxDW|9Y#gUdN{RBI*n7rh|FKGU)qLpXo%m#e_mL0W*Y2XS~QO zrPF=G2(!GnOnZ8_6c}r!RdEys!_GJ!^s|KPAgJZRc$#G5!;GE@et7UboJzOt$3B>? z+YxYjDUEByTr=XHn{f+ie6_QK@9g>r@{;?r|H{1q5{EK=x+u-ur3*D(W?zvC1mSPl z9lJ~E78T>p=aNcW$!!aq#AD_pE2St?sRyFaDI@H2nN3Z%{NdGu@d@tR4TMHY^_4WZ z46j!?moIGed%zuTF<nH_4(}U8~S-uH{8H~0pZuyb^txS z)w4&=Lt&ip!5UC6*E8wWA4#2fpaK33dJ8nBh|GizqV2_Ny; z=uuIbTK?_~Ynu{^+l?2z=Ca@$n{xVd(DtS7 zle2$GU`7?CUHCq5DXaYf2O+caK>hH|JcbA4X-;Zzow2ybeo`OLLU04;WJ~Cavm9Vb zy`lC@fuxj|qRev7sKN^(U@CQp0OW=$EW5CkoNvmaFW}zl7Ar|<@~T&!Bv{|SMIOZSTjdn)mG0LuLL3uGl951bKic9 zE9pmK&Nt9i`3o1_87nezL2gfSBiBcsx(-xR z0;gmyT$@ct^ySE=WN2aNsQb9j{QnL2<0L@m{h?95=boQrh(dxlwc0KA4Zk74yD`%s zElOk&zlBK=fxVfE6nVaf18z_?ziNsW3qnEMgv-lph1wKZ(wkI*%`49-1FR%>rd(cn zwRsQ5TcdVa;sP7A3J{aEtF`n3o|4JiHhZFcp0AV$>VuYlev0;u{c9o?w0TxX+J8O` zd8KA`Uy-Z!0C2z&P!=L+y>%ySou(dVk^C^n{nkLi8o@&PD$UoBE^Wl@H@T!rB3?X@ zQYC|pL{m`njvqNWRJ`iTRcQPKVVPzWciW&P^n z`~MDya*;=mbn|j0jt9)y9a*g^BhZ_8X^F}6NRU_3xn!AENiE)QMnpl$STt)M3PsPS z2tUb5F!7ynxRc0zP@X_pXPbgI{n+$iYA7w=ej4Ee#MXlvk#s48uYC!xD=;^rtwgQ+Cwu^qc{bcf>psaFZJ=Q|BmxmNMcS2 z0X4tE_ch1fL;cM#BdCP+T}wY+k6@6g4!foVn?o2&Mp2FI<>pB>`CzWHRt~&BYX8@3 z@~`y@sdE_6H{ve85L3VZ;T+OV3bvyDHzm?|kcL_x;hAs@5*oF)gm5_@MiMV_OYmCg zg0|nZ-=<;++!B{L2>(m3p+xUJEOjl-@zSAfDP@jcQ!!EIbIoAHLFx+>eEz(E5iCTO z;5wGuNmV+77XEfY9+E{olO=q@&0}g+@gvIHQ}m2L3CJK^hUv&dT=Br8W9b=#wVS=? z(iq-?Go;a5eLc`+^@qI07YASp--N|3yli`xrv`;4zBs-; zDUpgmFuVm?^zijwV}%t_u~ybxe=a2Ups|VXw-yl;&wbZ$nL{I}_1sRWk9C}_9tWi5 z0-JxhGJ|bZiJyMPJR`|bIiu5T&E%a_mS*nEiE+eN{!+!V&|Lk9=(dlb{JFB(azm!@s(e?WwN>EL0&kwyAWXiY0dufLM|3;43w zp)dgN-Erz){-NssO!idu>F5_#r3mv0p0SxK;xLWMdD^Tm!C6Y9B~-jouZ_z;Z;+Q% z>SbUxmBjM8@ReiRF^BnoX87E3ANwDvKL0`dKO0U+?teF&o{s&S;dGf=^FIuy>#q$s z+KB?6h;Wx{uvv8#{IbsOY%^aC|Qjk0_5SAQ^mH>%= zyQ^`G{6JFE*1PNsSrq->7`kMfvU-nC^n2wwDWCM(Y$m^C@(xPu#{XBzzt;VKD%{*h}Bx0u(*xnBwi5q$A4I9~n32^sEw%)q0MLkOFx{{zR^ zzc4cO1u{euyH?^5#1TT0V3&i-Mk|BoE?YL}QN|6d*s*>I4C(M$(`secA`#n=MS#o_gzQ!<7Njfpxdp2~C4r;`1)o@r7$w4cX z7+s`I3Fe{*s~=G`GRxBQFv}2l^QiNw@YGEL-99yEi%k%F(uSX>%wBbscV+>tr}03H zHSk~pLE7?1JT5Po{`nUW%b0f3(Mz0vvOQfYW@>=$a4Bn&UK9i(X83Idq%A}J48wW; zP>NR{M!+1~FK#T&%}HX0#+0oSqSJc2jwm#pilo7O2(eGF zPe6wFBFgfC>-}K@#d-|NJ6e%erH?zz=*%dRlKZ9u$A#iDR)&B33<K-Vq;BYw9eSiS# z=h-Ajjek>lg4Y~morqRRWetxs=o`Z$jVtvEKjIC`VD~4mlS|*@KXs?XWQs352qzd& zBKwRgL~Vd80-mpL?GKt$7-?QHRj7B{Jju6j$qA~Xt2RqyJct@@Gj(f@e#`pk&=v0~ z9B9}9bK5r~)9#7!ZFHzPnRzA+c_%#1Kuho>bRAzGvv_FVd<`Z#f-nYk3Ha5<4FDg7 zK!mA&E{p0bxY>QICo9{6Ps)))%e1vzXRT8@C7Jmvoc58q{HtB0;TYRkBo4f%&$7!6^=Q%+F24WSzX|InN!u!?S8J zDL1;!oDJ$Al{jX1c~4Gq&G#}+xaB>DiebNKk;}zDv>;q#_CGI z@biq#-h{e95Tzhf<RwG`OoV zeXmZv;B<#52x#@#MOm-tvq;R8VBC*!2Ze2rq=nFmlxP9kj=u4qGOe*EfrQC~tq4SL+ZX$Ubv0y41|)))uu^uF?Lag9 zV;M(Zx~1r9q}~R|q0rPUETv`iZd2UXUr%#IFVe!*_QuTRQj~pRSW52O7%@m4*I z(aMxJdM0;qo}0qA(7z!xp|m#-QK26(Vv2<{P_5IGy~8&u*xQgjcdH%5Sy68mZZ)Bn`z> zQXMq(t`kvu%RZ*Y5#mqyiCYs6aAj44$({*aaW=hTVjP3?N4rE?H?b=X*q?Q&LFI+J zdBo=`%1pllY<<=f{g3C7*eyB3{T>V>pVXaQN6ImEIpwTR%*cu=HI}2A^YI%X)&&@9 z)y|W~6~b4Dbygevi9OL?I_8?ZUfNeOzD1jw5TS=(-z-xAJH2XV!;+Psrq18<2={84 zuSB&Gd_hW9F-?0=$u-@eSB|9`mE(@{A77d$#m+j8)A>b5rbm)--Owx6r~Uc@UNRZ| zT9chyR_v8g=6Y{vjjc&g5oT`)!KFwma5euiSMyAXlxs8tf`W@q~D7#m)+>E)Xo2#0_D2`1Pk$qKY&QBhYFH(5?V zNrI!qDzzo=tSVJoVD%98-9WGzgYsHRUgJB3Jc6HTl$_sN-+nBKBZ+PeD4Uv(RDYj5{TXahfut8tv&gF>! zk2jE_sO@=_@QoGD^EuTUjc*e8+Q{#Cc@S-3_^Sg0-u@C|QX7}?tV(07ez|E0mvSsi znf9A`^y|>a&p+>c!*Abu(mdJN$meCZ88zeJGFI3~m&O=Bf`LD+X_{Cw@Z)v`Nt3j} z^x}q<3_F4EOV>{P9)9Alrct7rd}{EA1E?~;wJ*$Kj38wr=fuqixQjn}VW=@#?Ej>w!{WcvO+GoM^97zk8IBB*>XBHE8`xxovWhVFk(C z&Yu+K2|Rf(vg;?@(#Y#xj-U&u$ST$kOK9Z3*tAWT_YnBVZZNWn8S7H17&h3&`Epc( zaD#5=kpTuYn!ef9V(HwhK7jbf6U+R851i)KJb$iZXpTbmtGdGnF?TxBAW_}f*RH&Q zy8VKcce__zhT5`5A~Q%K}zk|0;$255(7K&#ibS z#&4TvAG+`Clg<8EmSzcv%{B@W)JwUrjmi+#*STNQC%&%8>j`0OQow3L>CMaq)?ofC z-}>NJ%R<~jA?;rY5ngT_Zf#O}N3EuLL&J(BR4q!&(X&xr!fPGV5DC*1hbS^ACpWsY zc!sHlxhgzt<9e=j-7N2DW(1;EUSPZ6^y~*Z!l4UhJN5|GPrB42NbrBvD*vfoEdH?F zxP3pO^z)ud#Y^~KKs5D7&Kn4YbCX@O|1j#@|6h!{VHgS*ux(mM-jD&3(>Y#iS zSgJlg?+Y}zCk`_mXL|aUQ-l>rD0-2D^-z79>2WX=(ZRpiSWH!Grx-O50%0*5{dmcu{;mnnM!xF z9rg>brn>CErn;s)fHS}EfXUwLD;tQ`D4SYH0gj{Bz-}N3q+)2eooy;TA>g@b=q}#- ztf?=xbn=U1=FN(>#(REhqt&cN{R0R_prkzM0nNrc^%I~GuE1G%UAWwr*+m%kjRa{Z zJqwObQsMtt48PTcnoYCBP1-DcCD}3RXj|ALB=J~?))MSm&5i4Z-D_<+N&Qx;5^MLS z=(`<=;&;wGWg2pHr5+_~rc7>d?zPor9TBl~B&)U&j!}!Z0-1~xmmlIqdNTN6yIpph zi|WkczJiMozHA$s_3wY2_&cPfJdZ9&66<_`^WrXcB* z{XMt80AKK#68YRhC0rlFc$b!xqbP&wv)}#v#m`rlH-+BcbQre}e5yd$S>6yis9D$2 z#vsv94<`5=>zuQRp;52`C>E6|&-#XAk@SX~O_QPvuK2@h1rub+6vrz5t^fI}8$l&n zWi1(4EotmKbzN_~kzzW-s84z1a})C5{0xS!&W%M5ws5bKK&yOocMPcb9a`IHbk`I# zJw?=C4}ig>2Rp9dJ~?RJ>iC%tGRT$LY${uDo>Hxd?wi%=k?2`;t|8|#G%!R&xQS~c zcv3bf*(H3&MM(2m3f3Cq;h#HnwGVQTSpNJ~RkhYf#yH)uC+@zMCO)m~H3PSbR%BC& zEI^*1CJ0cQi*tPPF1@k?>uj~dvEVUm{%O?&Th|)=EG*mEN2niax#nHN_NMZYJJ=Dz z`C)sGr^C^b`|u%N_k9H%J%9|yAWN+f!y~zZS|x#!arRNA*p%_nsGB%)h;Y8K>~ggi zj6dbL&9-u$u?AC%nV9106snB-TKU|`xs%m`rKHLEV%-XH$3OwrE#d9N(~;mtPn{&i<0=c^_E!)zNo$6r(f9)Ge?hxGYJIDhgo#uQXlS) z*`CN)F*x_?`&#@hm8gd3=I6{o^1OgGrO*(PY_7GPr2OPz(2XZSQvRvRjG_M{0`@=6 zg~b0`K6l+SrjXrd4jBx#?>MF$3Aur!Qm_i|-8UBV@YGotk5OZRg`b|uXhscoQ(S-n z0r5?jk@$EsHP*}w8h)U6rn{gB?<4p4BBaIqW;x>If+AQnwY z$yWq16JVK~C0VTe1u)sv%;NEuVVDjJ0_1yhJrwUzaMsC6(wnyPBx1$1VC2kc6QaT> zJGtWKs7tkE4*xG_HunD>LbSaM3*PE)Kfs*mKPxr;C3*Lcll}?xLa2RQ^gQGBU%;&r zy#%2P&{LMr+t+>%nf?W2PDdUX9CWRIV;5aW_e!iA^g|@y{-}GZEM!kqwX)~*EPaU@ zia70E${H9bv5hj;B4(CX?CyRVm)>_jI*y14J=0Sg=9Zg^Nt80*-Z?w_ag-FEqo(HM zw3I`{kN@_qu+&Gdr`aVb(`L7;9!}2C%WQ z0pSM&V2uIB00%q!?|D$12a}7Ji;I(!i;stgn^%BOK!Bf*pZ|~`MEH;(SdgDzSVS0n z7z%^I1cXG7h(M1(pfKof6E=>6J)B%1E-n!C5dR_Q|G8K%05C6r0$MoOBms6X8wZ$; z^$Iuv0PF{72e|(f7dH4R*iX; z+cijBG-iLElZx!N5hsG4D?atLsTVN`u})t5Zf)~9-?uT1My7JYDbgNy;A{OhGanz> zJCG}fV=Rm8OXU_UBAS|DV>&3#R+I%tkcuj4N=}!X91I0Ea0$^eNNyHRg&MN z$YP@k#6jaJg_1+WSXnQ^oADON$w=r&c;Q41;!9^0s^feED(v_v0un4RLLlQVv_OV| zI408L&XUdPn_;qrD&_8A`mw814&QFkI|lbqXTb*LH`~vu5In2O&b`JD+gEfixJ4j@ zI8L1IK0EL-UlhLG^-3h1iEyIUCLtSoJkM1^I*16RL)jdRGNWj6>*do!nL1{wlnx@YfNU2AgWqT zX=fgH6>A6f9;<$BXRJ10<6{}%jH%83bw$>f2MABnDenR;mk*3M=?3q(Id~E&YI8~s z=(VF|Q>oyR2FCbUa%{;%Y6+XA`?Mu|Yp@Hr;H*Jv2<}c)HF|`XmATjwcb5jHC)u4H zwOJcqx_nfs9o}i9jvLMMUhR#9?FII9ZDi$d2fS`s&#nq>FBvMr&rt@4G<26~QXC~a z)f5X^?Qwkd3$I*E(`sKeTC45l{6kEUaVjpeUo8F_+A{6ucWyZLenxs@!Su_T#Z`Y^ z*|b5w+|@5rgXb%5ubr&b8t~J;qUlmKAW7{11;0#IYSPdPbeutkAPvJqtNhxAAIYa{ zb%ID`^QB70mt?BBZ0Rf@NTOKcSmv^M@4CkYgzL$~#;(S~l!Ee|mtS{?d7&0H_I4s( z`u&@Jxhb(BqFcIk)0!kn6gCE1GE<7g6QF`<8};|37dqsylzwB|(h@}-R7Foq#Za6& z_e%?eE%I3Zu%9k2A^jQp;%hj~xq;F+_)I;(Q~HTN<9~9MdF{RWOHQMt7T+eXVn(lJ zB^3J_NM>jYM~Cd5;}GsDXG_=jKZiN^c#yz<8HT4y4&$z<{)IT*FAJ;pHW zhW>DH(%^1=Fy7n#TgG^zU}Qub-(9M30@8@?czDLbTw&A7Vs)W)Iw9}IgavgRhCL1r z(YcfqP-KU!FU;&~p>~7}6{MBV%UOV#uT`sykR}g5o^}V-3}7`OXNzg>S?=n-YMJlD z=wp}KPQA60DjKIOzKqYlDT|!jq}>lcHn>}we1jR4D&4qr(!dar&T)IN^$nq1$*Ce; z9;S6WPb_l-9f#;l#x^44h>bTPk3n3PE0&xw`H>yd9VGP!q`GB3{zZE+tF`O_%PbkG zbKdg73E?2AR}L|ivFR`5YwqI`(elNWx!;prG2RYMf@NOH#@?AC&gQ0x!u7|+6{@+A z0bYN08ALhXbU=(gP1R3QyS8NKV?ou01MZd0 zogLrNjrc;6mJfS8*Ig5L6~FYr9;Tyih9ExJL{y}?TfL*RwT(7p2%R#QnjJh=Gn;y0 z%t2?iUuPB@8S*AX0B|IeAsDpyg`CV()TdPL#w$edvizs~1ljmPcDm+_ceNn+>iU;q&xQ-*8~e zL$NP~Q9?<+fdzZGpp!)K@$9pT2{|GJ4Hlq7+Nl+^SS34&ErvMw#v~8O;20VLw_{r; zOiN)1>e-9uS3)xgKTo%$+nfq|%U~F!5GrakS~OD7v>!aB*Px%XYzR~)O5s)pRSF@G zz46I+9ug-02r0fMmOB0r+9bE);ovcLHRliOpM(wVF!**?aC1d1G{=P`5j*_{7`mhj z6^8Kg6d*K%sV%lCmU|In=hc>bzDG3$Gari)QNdyjViVeacze}+gwT@`L0*2ec-plS z5f{qM1**j;&o|yUR%>!2@QgnW7sTPN*_z*@Wsg``B^!IU8>3B4L7yLaWm``5r!|}@}zwa8Z zI+i|I#9p?}7f;*pjGOO{&Um)HK6vZB%uRO%xAceePnYI>?mhI<>V%(c{q|VTu4)|T zx{h)Mk8XNz;?L;~v_1&4rbt|(Ak2Km8vLE4AI{#BdD8Og_PW@B!C)3HZO_w%U~y}G zM3Lg(kog%qsi?^;?);z!8{4%$KL_r^7InoCcxZz>q)g94xhO1kV5mcJb3S<8mdcQ}P z1r&X5auL09dUS#EB;BDziM^$7#7gU4e&fLdO`<}_=MRBr2U1e)CK6L5iQ0_}I-8He`sNYt zQ~7&D5?LZC%KBsT*MTGUMPng8y^_YJ`p;8U4~$ON$(w~XHOg{%q|-m%$v0fc3fn|j zO~AkR^DpwvuV*}7{;*$t(#Oe`oE3c|Y~$jY1y9RmLKUM8<@WWyUX@ay#DGiK+P%MuWxu?YOa-Ge_)*M)p! zLA5nMHcKKj1CxQ~6uyccl6ObUg?|nj&}Z;upB__7jaFMsB{&n+_iWe@bymX zYH!~~5MRI$JitVt;v)Vo_VxhBlxe4}vnb;ge*ZijeQr3#j5e`cG9z1^GBu5iK5ZT) zdQ|_C8w&tiZ9Om|c`Awxg*{KXQ}9$dI*GFT{`k7fxsAH(yQa#Yec5qI4HsP}x0O^Q zhM(jlD%C3JgqLrM>>LVOy9k1{;EX=vtOcq38F|!6s{qfYG6ofelYxHIoIDtDO Ib%8bVA1|&b!2kdN diff --git a/src/windows/leash/htmlhelp/Images/Leash_menu_help.jpg b/src/windows/leash/htmlhelp/Images/Leash_menu_help.jpg deleted file mode 100644 index 215891b9132e6e31a525d6f26b9a9f8696dd1f16..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7711 zcmds5cQ~9~uwT8`AbMS4l_WL@mJlRZon4}Y=pmM9D@2JFCDGQd61^-|FRQmi^d7x_ zI?)q^1c@upeQv(*d!Bp$xPRU|@A>05@0>Gd-g)PoGiNTRFP8xH(1#ii0R#jDfEQN} z;BpS20w5wJ{N1jI_^OeRlaLS-lTeb8k&;tWQd3h=Qc=;+GSbt~GSE^{(X-GqTw`Kp zW~QdQ&dS2X%E-jb^jir5(bX7Y5(*L$3MLvV8m9j>UA_k}kON*3Tq7dj2M{t45HS#3 zb^y2l1OTGnjR5dpL_$hNel;5*#g*8Q9zZ}$aAiFy6%7$3*;S`2hL{9E%0R}*ca4dh zg3QO8hj+EC80edmrW%g09Ao1FhUB?#L*6cm{>VR|!h1J~YU#sk~Ck zdgYzp4*CcE)_NroV*n5m5L_AXx0rx|k5J-%_7_HdtN6+fMA!J;f<7&O1uI|90;sPH zCuAUE04M_XwS7uvM|}NeA(r6r6zT^~oV5M5Uft%JPobK{%4F!u2`G_siSFvPZxels69UZBFWK)|6pnEv0R!L*a+X1f3_sjDBdWg5IP~Z2$mno)U{(3mJU{Vrbog{ zn^Ln;q1uU2(Cp|-7cG(8Pfd;#Nkw9@Nv6u0T8A;|I3UwerXYl<;q=bhq@U9#Q|8oc zhr%6_FjW<4xWSF;MaF4B$PDO7^pAwvbE1KamWKx4qu(#6l$F=etg@G$;cQjU;|W5m ztP4AhoqOZ36$OS(+ZI1j;qi58$HTt$ZpHJX@4D4lj~$EaRZny0Pp7mpW})bcB%2ce z6IK(nNxN@=&d_iDNYV0c(Q;^G86iIYbE?qwJCoj^Q-LI~zD%zawRl%TK9B3w5xs{1 zr_hvsxt$Yo=eW5z(g{6=aWCPKc!&7@iCt9l=Uj532xvhejuLtapa6QEP!q2z`@vp|n$P*@tUBDuwfV#Zpd=NQ6+Yar89nB_PFk>L|Ty zF|M|;mRbCmvcb`-W-#V_PkkC`>ANm+A965YQ1(Q6o4%|C{7g9Q$@1|KpPovz8K_X2 zVV&fL%KRKDCo}~W-#?XHvD4g^n#P+Ea>vPLETGZCX+XE|h$z}re^6#&y(Ldu++sBv zANH4aEGMSE?=e(&kxrz+h>pM3SQ$BI?YuQ1*&jDYQ5#$^AK1i~&Bxj2UA_16_TBm7 z>cby?7cG7Z9(0r3bajSawr~2zA0!X^`bj;CzAu+_4yjzZ+YrwzsD#x=?)JejBt-R~ zxqCD6MEIDmzHw7yIpUshW90*#X0{4v$za%F{80W!{aI(R7%!6Y=W=!~sKou`U)C$3 z8s>ksR);(flU6`Kv{UtO(6>-G(*;-H#f1h8)RgHO!HRIF2zKe$@D|i$M11>w8s1VD zaVUi{ef$K}0F8bnzZR6S2hkcz8~awH-!*Xm?Yu4G63|IO!E*@!i$*l+|Fpv{1koDs zJ(4`X#(!^Hb|fjq>t@|hde@eS5}8ZWwL0_KWjQ&d;Jc2v8b90819$6fr`|J4O)Uxy zom_V?hYzYE7%$&HboY}J6bfw*GWAPGQ+##pZXwg>(CwGY$%p%|)$x7I)&iO-^fI!vg3A0sgu}2A{$V>8jn|u)a>=eha~<=`_ttCc1lkP`>Jw3veFiXfj<~y9KY9jv zUQ6Ef^-x!fEW}nz&o>?o%e}wPZ5E|RqVAZr@`{)FnyGX%U>x1Jh zUDf2zw+?z68^SRaLN2Y#L$y!mSvu|-u2oJg0fD;=E(4j@4Rve^bD9<@DN}(ex5|?j5X5 z*p^d~zXD!I&5)#;xW|i8pn2M0THV0#6hr&mCk{qVHW+7|Cfri;hO$eL>4COZ7kZc3 zLaTaj9=u#AQ}>r`DTpG*Cl*9OK}?1RpVVX;10z=YTzkw(_{Gi3DDU?NGbp=adAU zlqq{@!kC!~aC0uH8AVIOztn7gR=1rx+`4{|9qHR8kpX^d!%D>31?ZA^CGqwNPkY-T z<`R%!z@WH(3HasbY;%DP+`@I}{s_DTWOA_O3Y{!=d=EIg1Pt*Q$?Jw6lwT}=v)z}# z_mc;Iy~oqqb`(Aldu{oA=gO1*CXlxXiT``=lWSU|Lc=X9GI8-n^SCh%JB+dTQME3P z%u6tEo-WzvD7%_q<<`o(@=57Sz+l>zRqcu@{a<2w7e1~d<^IhtDpkI&w<))r9JXN6 zUA+W!a^Cp@NqKL4sC6Jj$JNeLA_P1(W+w37T)v1OMFD`_Wg!}E&-En{`)NxbWd@+H(&0~)OO5W=d#MHs=nTc?Ml`7Y@pX5 zE|lz?V+zTh;c9E)mMq=W@ny7xDu`J`IfpO8Jo_6idE{ILSbwx%I~Jw#QZf!^V31I| z&Wo}4Ym&I-XPfDv=har_9v}_(B{eSV{)2`fWvlp9Z4JuCo9_ag9~42r`5z9zW{%xv z%BP6QRa_W8ZpGU)w7Jpz*`-R7YU2 zY#Uk1`b=`V77<<{A>nIP@d&sD`8RSWqpMli^a-NvYq&W%Jv-eIYu!Y+7UL;*HcDll zO4`l=B9_rrl2san`_q?y>0iH*$6@@(Gym|B(}>sISGNg0;SmNE-oM0dC77J8A?q|~J> zG`TilYgrF%Bts9g9o9t~TqA5sIk14X6+D}E8Z7|6@|=?hfc` z*|elqotVdM4l|Vp5Lf;DG+Zq3jf{F@`<)})=pC{PMxn9hmB6-kM00wSM<^GxAv@^< zTZt(TRQddpLtPvHvmlx0z zDP--SI>y<5!o_>expnG=$~Kv^WLlWsv_<`%LP~vJmXnO3p|yrxk`XiCxI0#;W=0_! zDD2GSKEcx-qBZ2p@x^K1ert1rAxY|*Gd@Cp5jD$cg$b)qf}**ey1X7oCmAqhdCw}c zLF5%p2M1i!mxb(h$hUMJ8d|mYBGEizlF36^Swhyq7$6}A_(~adpO}zb zfY-ll*PHp_c^J+I{l(u9@-6(OK`>Ma4AB|S6NGX$&$sC6G}P}LkRu&sp1T%`2o6`L zLOmjtcz*4+RRaIzSAx;BO=rk3zy(g~aH{row?QUA|De}P*5&XohpnWWZfEr9^tH zXhJ|QXOG5-oMl1lxJhqO>I zW4LqhK~LGR0VSd`F~i~+YWqYERfalmk~pr|#C=y-*{;(*E1_S(8N?AT&%Uo zv+Jg6+PPP>oCtauio)quVPyocqL#K8adisNX2J8x5L1(hwj0`v@Pf5N_1u6~zc+9Z z{t+g0neuAQY*1U=0USgkzYc|_d1N2di<;@SKV>&ldLL4dw>30mpQ^L1BC(E#j&MGr z^r(J;sXarzRAcx50&fbQbjOVLZ=A_{zAoZmfo8cHj_oePV(Y)@cOTdE0TA7xYJSyYlR7Vf*wdm4x z3HUglRcmJ$A%7=(<*nRjb`(EC#HwGbb5dQIGg@2&ib6Ms0mJf`J&2DFQK+k}LTFZ^OOc03u=Kk7Xt$0#=tbPCaxBB?K}J$pna zIp^}w(jLS5*)qP8(x68mAk!m&de&MzRG-ox&n4F%50uSk^UAe2|C*}eELUdV|3QOB z>Ju$iL>!0%9<&@aIAy*TQD8dw#=37>upAZp0P^!8pX#%4(aBAHxzo0kjHwqAqg}xl z6pab`=2Pq@>;YmLu@&g{&;y4i1Snsx%5a8P&;{hQwa#qUxzE;78Ht^(tIkAzqk7}T zX#bjU9aFJNxi>oJc%L(-IEOJKD=^?tp&xc3q5rucu&~>GLXjHg3tHU1JznVBa_Z4s zwc%C7q|Qx8t*32mlsS2pA2gXlKkRKTOW;OdBOcMmC;(ZL8p3C*ILN}Q60@$=Ejqj} zG;l29Gjh@#RJ>6%32%PJ$~EDNogrCSQTGYw5dJl?M3nGcdZ&JV4)Wi**skS1rQ|KL z7fg)&&@t0;y)7S{O=bEGf{4SCQ=jgrMXiYa+_d_mz72%1qMzOoacJ+*QnbyP6OFm( z8{bIy2}*p~tlcf+8@tMoT%D})oS~BjU40BZTLpcdB`UV?-+ZeCE5)6UOP#7qSypp9 z4a{EP)C#HcQ#JM^DLV00aVMDjsw=3Q36{??au3nqYu}Ce^(P)|{{CM}94?0+-j<(= z8-D3j%Sr#0s}R4ut=jXn?U~Ukfl~eJ9dl)L`q`_TAJcn3P864()0(X=u3H?P@Vs|r z{e##(8w(^f?^4^aZOHvA(f@b&mwyiIs0uXE{e{@AunScAC75v57kK1q_nw8ibf?9O zN@-jQtYwl22DV1T6&Jsw)kr?8TX(EbR~NE|Cgx@HGJ`bKfhOR{PQ-NtZYB#qHq@?@ zH8x4ubxqp5T{76zt$^Ll5sF^C<5EJ#h+!(W>C0}^v8X9`a4VLOn%o`km$$_h=fE>+ z5axH(F$;`CWhsn`Ppjhc4rS(sBwIcxFjo0t2npE4PMIW~{U2}#Etse;9Agq^iXXq> z*DRu-0%@AhcO1r*UKMo$@7eoiKKKeTn4Q}8cJy>?h-UQC%lDnsj8Bc_6Z`ocy5HRS zK0iWu*MQQvPDa3kC$E{q*)#u*d;A?FiTI_ zPB}_3pBGYVV!o32_L<(pY>U#|2Wwa+iATjOs!1@$>s4kO8~W>dM(=$h?%5=ZZ-yjR zVeWA(NA*jK-Y_E{P@6D439MN^0g5`B5dQal^&?ff3q z!27)QV5ZKPjrxmT)jb?=jTxJ@pqzUYpkUGUI>2BXL!A>#~b-7nwk z@QM>e)t`Aa=-bUkum{}*v&D@&Rzd8@tVIM$?xja6CwqcK)}W}`aleeD*L}Gic37OK zDLopep(_leli^9d02j?9l?GVxj|-`_l{K!!A|>9k{bx2w6#M=3hjH`I@Gl%)GJlXS zyl3ryyLVfTTmm9(e^q5(%*{L}2@#b$jlic#7DwCoHS}DC%k#P0qP9aOUJkav?AMdo z14wlsqJhZ2hs}OqEcW^St|V3yCWl1kp(hsn>I9U0?`W!M^{Djg-)fxIRiy_2_tmuP z_^p$e`<}(?=kbl#qYJr1T`NBaZpBs9yk$FUozjsG51pN^TyI_peksVeE{7&gKb>cR zw=Vf~XO_(`J1lL!SfFCLie%VMq|x=C+v|*a7CvMZ1jXZ>Gp~1Ze#! zxAEh(9o9i?;T|6isUG@O;(GuuVqhplgA*Ipp1;$6nM*)yAm-)p z@59#S4|2eo$LJhYNW67O-oC0Q{Ck`EbL4^x^7l*%$A+8FfHGmGx=IYWGG}!Mt~?(Q zBD|hQdv!nEXa0FtK+|!HwmqynmT!Z{{y~YN!D06~|T2vf1^q@gqL|tfrGQ9E5b|-=5*OjK@XMrmH-yZ!zCQpVrR$jgO z!~av#B}{qs#mtMjW@p@%Mcsc;FLHOe<;ex<`t61RKH4U>n}n-RP4tw}nKG0hqmCax zbn88~{-@dgt#jDc--ZzOIz@#g$VHg^UPBFhaZNk@4In86${?%Z993h#!K72eynv8WsYz+ zH)Tl}oDhKq2XT?}#)Jz?iuE-EUF;q%FV4$t&m^(P#hAfq-j^FX#vN%c82C`VQ6`|~ zTWw5?ujg{#*$uf@%kY{w4j@_*_#vqwL zC1BC?+{CIw0bV!cxh?2*u|6Ex@7wg&;5)9p;PaAG_PtJ1LeHiRky*Q5>PL4Mg5$P{ zoOaVVhXu8r$v5t)^8ugEel&9&lqCwDIx$^g4kJWx3c*YUqQ-88DWTD&I<*`QIQdp} zqJUJ_cVAXW(LCodxu=t@lP`YT+ci6MmM`MHAU)u5a&@3%W_AStPkeq~VFLguuqj49JK3dt%;wbd) zb&hILVqp+)7xEAiHoYfq;RU=__uZC$g%rb$P}4u(v3w?f&gba*7Q@pfbyDp*Jp_Iv zaaAU@6&L@C%01m^om7a!*L6W-7vG(m@C9FGZGZQ!{5x7YZo6LsxGw=BrVcBNjS4e^EZSqUN>#LP5d*^cIKL9O|puqqD diff --git a/src/windows/leash/htmlhelp/Images/Leash_menu_options.jpg b/src/windows/leash/htmlhelp/Images/Leash_menu_options.jpg deleted file mode 100644 index 808e7c20dab1f9fb4b152a372673a56009c286a6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 18430 zcmbrl1yo#1(RSb_(4 zc${_Df6n>u{r4n7_}{u8_>PY9lp5D`2je){AI5d{%3DH%CAIX)pJ z6$Kd;2^l%rUqDdNANycn;$mXrk`X*1Ap8GZ9=@Ou4v+ zP*EO-_Bh7?dhq1pNnGZa=0c)!S{~ksb@i+kme%hd0a86u<}c#> ztDvHxV?4HS5kJC4!$8OVrx}$Pjgf?3_75a6ADz_P?S0+Xv7dk=xrccaeDud*6QdKO z$e^@mY}rg>$5$0LobW)c_{q!ONSORG_WJ6C0i8h6u$%ZEMe6KGdfk2J^p+tnYIgj4 z8c+Jqrz2Lpzt9uDaqch?wj&~I3a;4hQsf{TlAq|IUlq${KY3QyJ=M|5dkRcH`Ig0t zoD5%lgX68k(+w5YnS%zLgYB-&BAOjNl->qfv%Z89g$)p!D=L-QZYL~j%Q}gczll+9 zy*m6VwQRqfx~ajCkk?)=)*LSfE*#Ivg-%84;TxV-^EWqruO zX|C?~JT_-|o-zf~^g{LVe^UGjc>>U?qg|+_LdU&2We-9x&kGruUL#^N0PF>9sU;nb zK(ImiMu%E?j|aXFZ90jH^Bfg&_Z8=ar1nrNqO5Q@FmaC3>(=ntCeWd)R@VhS%2cU} z7a1)K)dbs4VAcb5Ovh+AUHiRPtW4#9ZDo#M$NpH15bx}Fr5ap8q?VJeM&du=B1`4) z$uPihA}ws&@IQ}|itX6ltUliEHQnM!Uwgt3<8XlHKXwo(G?lar2io!W?E%=MXyOHZ zyokxyvi8!!KRbPHuSA}Z{B&Kq&hntQ?@~`cV74Z!weMiI_+$+j7f?*Fnr)86isN*x z3mBhmPw`%`Hm>LZ_2_?&2X3iqE-i*=+SHc{!i{;^jh+Owa31NHBuWiNm&J-}qT2Wx7{GKkQPMti%!*^9PT$a4>>Q`syR)f<>W{ce8!3Y%N8T>eqSc25{XV zqBd;iLp=Fmh)+Am!HmN8jz>$OB6DG3%YVv-_-0 z(+|$g=&J15!_LXrq=sW-o%ecySL|ub;PxL+Mu!Zl>~dajpN`~f%EuaUlnE1WGU7+H zIK_xEe@|4G4oHbGSwHo71w97al*j*)y0LLc&-=ZFZCIzs-+Rcj53raz5M6lXlVsTk z6``gC>TOa+xe1zL*7He$`=O0VC?5HP>nP(Q!vs0UwY?cW3h-Ui$) z`+YbeBy7@lAD~Rhr?8Yxz82D_#@I2t@UiT6^-3huNdy+`FF+WXnN7wNo&Bv&pN>lm zo&jbiLJfZxn>-oM@ujYHroq&D`yoR(R?)s*NZl&jzrfd_$zC<0@pEQ#9f^U+=jvK@ zqOCq;_+(jp6DQY~@QLr4R8%!BAngH2FpUFNKi})M)A+ejDAnG_gV>Oa43dwLIHeiH zBp(adI-o)#mi6D))9;*hJm(_$vtnq2mr!Lj?i$c-(s$>iMK#y@sgjJmG9bBc#NM?| zgsi%26hT46-Y0WBvk%3snE9#Px_VX+ zumHxXq}(6Sr~@_d3dXOp$W&R;mBCwnl1afq~fQYr@MY_gbAGVX6S zV%ycy&W%B-o#y=5F~0$7>}zezs`<2e(okOU#BXIytaSUwQq#u0?up1--)RX>u;<6(9901IN%Kh2U(sG5~nU+Pz~7Ux}e*gesl2vCcY2& zk*&jLPI**4P&WUm(3cE{-+ppOrK7K6YoHE0TNx}tUGkwGbz$~PN-|K0QHK&&w0b#c zh&N81+lMCnyLd~4wkDCfn3^9|R@bR5(fh3r=}wi2i~!f6c=$n^a}(d_&l`!iTk5nk zI~%1M&PE9{FU|D?c#^Rbp)C-4N<%@=+}i|1!Bs(NYO!(#vy)6|v9BP#J4>LuvL_W# zn~~x|hYSi_8QRvFG>(KtS#Nc$O2LB`@rak}kvemw%IR`7#{v(Zj$vgX!Ow^K0yMMnTxbA0Nuj|*%u8<-RC?qyD zx@9#t=AU;aVuQE(S8kOv%P2)AFN3E)-)-E}_~j8^&pe>C=Y2C+5^@uedtqAo?Y`jw z<&f>q#NQu{Y?rVyQt@g3d_XaLK)Fb|wBHGk*)_XA4kobmoFFBNp)CLNfKnBFGjJ<- zCjIQJ<^jc5Cj3*YeN?2vlfR+-89%Ncr5WnY^rUBeO z&iJvW?D>mkVn>ISx*@}Nx4)g$s2)%-n-7Tvmq-)x@^ZIN{X6E7VJCXW4mDolI}9Q* zV@CQNzt8^gM;;e-^r(J#jRiEq!3f?be9^-q7BqH+`O0Al(G*V2==$@_wRo+$NH_ z9TwCu4#bryzS?tIf+&Aa;>oe{Hy z$|Zz4jyi?~>zxrfrx+~);FNV+g4h=^JgjDj#(&eNUz^5l`2v}pM!^q2?q;{a0m2T2 z^E%8F1ElE)&Z`1vvCtdkIU!aNGn-AyQpH66tD^<`z63+vq{bOfC1R)v2>P7Q3Q9~2 zC4ZVxe<)*Nko17^?MKk;t2;%uL(fY;!UddXWgB+~h;z%yxg`!4I$XRKd*qx_4s+sI z>I9x+_i*zVIRD%S$ixavrgUyJY305?0u-1GxtF09MLJ9>6|<~pz&rj}(dqYh!I4(} zg_RY{%8iR1v9<(~3M7*OQrP>Ugp=+;7Y3Y*N12VdCCK?Ma$chxvSO2SjRzFI+XkKG z9Z*A)(sA_42W!jJhNBJdo5baXgr9VET`}5+Dh>c2I{Aql_+01K@50fw zPWc<&j&k8YT>@+g=Lc&h1v+muJ2P{}F~t0TuASNM&70|@oZ1~KsR!SQ?% zzE_-ly9RVMqXpj{P|`^sP-0q#O)^V1tV<`rLYsnu6JV4Hupl~E@CSk5#H+_w)UN?k zx0%(xC2VYLeMgNH8M_X@j%LSJoB4WE^wt;!*!>fyG)pTlIl z$cfpF%iTesl$5u=100cElX{u-M@EYzc?KyM{qB*5?J>j@&n00L%LfoOZm_R&V)uB1 z`vTKooTYGQa{<$awe%+KBZl0;yrm)cpsR1yagjC)JOaB#H=RM>9Os^sUnKhCapIPF zdNoP3eyvlWq>3g9f><(J%z!eP!Jo6r|u8j#7z7EOrX~g~%r(qpJyS$5Y=dHC< z^`KF5nxknVRU~;Vcke8-)1rW0C>TqT#bcPBWMwq)inq<}0fk^dQ!6`5(e2G?L~(Pz zAd46k=7|s^&KB?oAE~AmF-S-2QPP!HJTrN`vE;$@mp{B@h&Gd@WDGPwF?EvWWq;?Q z+)`>c2JzPL$@}aa^el4V=vb|!+MCqtMZr=m=!I?(NP6oPa^*5nq{}$Od(EpQ` zdZ5%@0ZpYZrmIL~IdJwX{nD~V@?otr-&48hI*#Wq_PwfWzev07-FA%}w*LT(L{FFn zw)9?{DpLC+Pi!XOVSSMVl);LWO$$ST6Fvbu_2BhM1qKrwU9<4!m+2H{y+~}@eXgek zgSokIJfM+u`@MlLHG(TUg)Gf_#y^)nzjI?Pn6fo#JJL>;aUc#|G8R825uju4`!RL@ zIfA{Qv_*&~K8jkXrQt5{P7-E_HEIs6PpRBy6tcP(MdF7o#rh^S5LBvEu z;2XZZJVKXb+AoYibBwtV`l#1-Wzmbe7DG_Tg6EpLuu|vg@k!2Uv5vju;H0R3NORBc z#mL#cL4o4WSti_SrcbbKRNjOpS*x!XDMU5>2+azl*=_y()=HpADJR-M^fdAt`5IP{ z$RaAQZ0pnhBFru9llM>^sECP@Xr94wt6@K7#@QXJ_5c$3u4-a^v=$sAm|XHx)WdiV z$I=~0G2mk=!F!uDVYx=r)l?=(yjPcX&E5!w4^l{RzittqS8AiC(IqY&bq?zjkr(~} z!HLC?Rp#@LLRh}JCl8gnx=Vby%s`V!Bf+P&N$5>B$>819oePnc{F1FFmgLy&XqUMr&Uf+%1fcc&$g_E`>&Q&WqP>PI={W5$;V3rN0{>UeG8-TXXVD{9sjbM<$D{7 z+7J19VTcYdn9RFWisQf|El`TgZaf+DJ``;BN)D%}y!CUzEo z+F*yslHK-b>>g%r4YaJ_H2p_KK{Yr8QC$Wu({yRFGSQ>v(DLVrye;D(3nOP$CTbzU z>ZoluT^AwSbcV#QEJ6E1m%>8lk0RG!P_dcXMUIXW8Lzr6E>Y`|Lx|-wd9OQm8=CzC z-GSk$mv_}x@`T^oMb*AL@f-OB@|PMUY=oqq#6_3Qi}im`PJz<6&aVX9u57hk7aeWE=`aOoFyPXX7|_RSG=BcS_d+R6wCr(eB^7e@>bV!@B<3<{&7(EF@q5FF}p>1f^~sj25>#MjGpl=c*l;H!KC%>5%+-Y#F+t0O1!X1}y? zn<^a{n2oRd|&mVW?Ewg!&v4L+b0V(G`E z^JceKAKlP6!L-NbowxS3>f>MhuHP1HCweufsmVgjuRBbCxI~~smCNLGtv!*YTZd17 zUtp*>jHEhOYp|Nc`9rqrG;CmvjAS1N5lNI$#uV%GQqOLO(Y1a8?8g4zW#wO@ z6C3j{DF`m>b@Wh=>*_mTx;6n-5y@se%fR+Z(|^Uk!5Nwr#pwcrWnFPPy7OgzPSR({ zyGLEm%PPFz^YX;d{#nt*%JH+o*;Xz~f^~pfI7aV+IZnj^-5=lXb>~m##wOW)V`rb;_8Qmb;zWHd4mF z7|-yruHJ%YT5k9I)K?a$H$-quawoDhj|c^-WfDdX5?Sn_kleL3ohfQzArNQfqW!6a zWWIJWg5N%&@(2Dn|8hrvVAHX5J|`LGl}1oBSn}sBVV8>(1Jc?=T`^HpdlCpnNk6GbsFuBlIVV!ZK zeXbW}?dtKtIZp>&pHfXR2Q9pGrhDm47Ln^UJ-Om1*u+v;`pGUk+xHjFIZ#6?3|+s? z74KB{i48weEu=*16Cvo64K>hA&3=Hee^p__{e`R;@BYH`C32z`=c)wBSLUN@F;;cz z$6bjhtCP)COEHOps}YMp=Mbo?^#e*&6Tz5b;27k^rvPOw{+yP$m(;&#bU8N^8$^%q z2>zt+yxaSuDBR<{R@k3NpseV&rjn+Av@`R=x#xm#?{w*{TVKtw*txdT{!*COM8chj zR}GLYj#^%X*gtSm%NioANCW|q6H^9WNYawzL`;i4b%DC294OBRZCDh>zyJU=Zf_bn z4W0`@z{>V?$xM_>js$~oe8e*sNiSF1rOIT20ZImiSL?)rQP0VHh_^=h7b8aJ!RL!y zWn?+B6^YUrR~VDFgM#5UT|so=^kg7Sx3n*Gn6qJl`QRUkkM=h&3f*}#?LV9u_f4NC z4D)^%yNrj^OZKr2yr*%xT0(kiH*57Ac`9o{-WDi(#4T_-NjoABqdmS=s!C5ZwZy3= zsz;Oe*RqZ1JAXz`L|Uu^zuVkv61-z%k~5iXaR)8vJ3LwwG^~Ug`DDu+(2rbqR|N!2 z^x!4|<$!)wG9ZKGL|czk5r}L_Z>b7t8|lPQw~JNDItP`&_(J!DQ+W(J;`#(oSr`-l z7TSfnvBJFAH);W1i@4)i*iJ2<@wtlE{zU$J1wm2MM);ziz9eCNv_qDWF`D*aAicLynyt8YG|hTPE6yr9ydK?}O+0oN--7%4Fw% z4tLDwW|VN>unLec^*j4e(lX1DXk2k}^42$3G3^IY4~_-|9w-VgKSS84rLZ<$pU?}` zs@j?BuhX|)!C3huzle{)e8RpdqWs8$vM^%^Xqg$DD&X%_!gw0)dcJ4vH162yE1%jd z3%|>SFe+qVb>AB&c@i`dAFp^BJOhKQF`b*Z&FgF8g1Ekq6$e=nv*>kTb$8W3vvRG*IeoXo|4M4`Y@2WPOkeIlA?IRl-#MsCB z_*sgKwa;?t648X4?nT{;~!EUwM>2MFWi~afMI_yVX zPbGa|B<0(~uSj~B67L6Bg?)GkoRbkivWI|W-94$=`|IP^e!-X6aX~KeH+54#h-@Rw za9@hMrS^}CC#A|vE*A>Ue1)cICp6FK3BwlTe!y!evkC1dmh_V10K^>P>*L;m6StYW zf+YiWPT?h~PB;RuMW=csQVCk0W+}EZx$8rib+xy3OlF3(SnDM(5T#)o31)-&7%EQ$T%Xu$$-MlAai7Zu_Z;P zSLw|(z1AmcODbpnVy9dIsINCfNCv*T+;7IQH0fqWU;sMj38QdKeC5!`@cyYJ6?95v z97N`rEu=aiQc1`70#;Bm)E;Xz z9e}mQF%XtzIiBIdq5fvB;q_SaT1d$@=d%PnDi_m@jocvn%A9AK`~kV#xPn*o;Ce?? z&z~Jwjv5$=&facD5El7YP#{m!!uFI;>Y2xG@KS+lyb^%s5MNh1=~d&Lzc6uK$vUuz z0+EtN1DkAQCQ{-(Vj3XgReyXYk7hwqjQI`-y z#QYs{s!fkB_D@|pOk{U%otW_Pt1$^uZRKahT)y|2g}GsXMd+gO2r zbNbB$vOCmU>i77bga^~W!EitkwNgN;ctLX;>jB5}(oF7(@Uu^}-|G1rc+{LqukZ#dj&3$Rpt!84H%UIBJY&N7*w?`}5rh}=olklH(M?q=yV>Wp5ZJWf zwQ#gskXD`^uI$B`TgXvd-vk?%0d&%TQ12Xah%B?2g(txB2{TKU$AhF4nm z6qFgy=l3%PX#caY2{B;X-53FtCVN6LJgW$JRo7M^nM?*%ehX*4C70~jPEDIyq(HBw zNy=D1TC9a{h`!!0L_?aP?`MGv(i$y-24OB`ohn(sYf_Jc*#)O<7D^iII&`{znaZd> z<1I*h^G#iP-(OcPIeY;V@@Al(R|!y7hA2mJ@?M`?v}_4wPqx^{ZV35eTH1iK=Ub`< ztdxn#L29@Va$*QnVrK8unmP*HXQcYU3fS z?UMRi+p^(>B*?)I%TI6Dif9Vtu@y@aM`Jg%kCy6~9z?v6_2}LikA%URx%i0FS%5n> zHl{P5Xx92xf4{sZj)W}BC@TK=kvKK0jDslxWMLw-jf&#ZXNzLp{+Ht+;#M;V<;(5H z%0bTL*RtRq>{Wci5%B%?l0$a?G3%o-%iw=h*3l;(P`*fdoOlK=#eM4eOMQp*aBs}K ze*3v_O7+t(<32tRt77pyb>5;&yG!uYO zPsI=6gXXVM??tHZjl7}cs7PKP7s%)S73=gtfNQ@b&B6pxZ`j-#^MnVWP!zpkTN#7Oph2ViRJN7vU7`3n z)!^~&n>+n_-?OFIb%YzZKSi7^$NkG{=&U`aG|mmXqzXmhC^pJw40p+bjOOZ4r21zg5b!@{*H7U)O+0swRTF>3LqJ zQNMR4W}L;uA2yJ3jfw+?tvPbOg=*>}@0$2%Jv&cfejhvv#d$^J2X`t1hfUQ4bY_zw zMUSJjc*{EttghrvykWPPJSy7NInRdS;o^XZZpvQ&hs08UFLzlob7~?3aq66#Nbbfv zYtL^o-5G;hzz=3dcs&_03RNZ9cLm7<&+UZug4L}N;eVWS3Hi}jjm_YWtJLNxY?rBP z*(4DP(KhTaEqfm?8w;TTlZS@q<k z$zi*OYrH%Y`?dUF<pvX5Jam234Xt^sl4-g28Q||OuiufzMhHSr z!+#72>i}6mkKSDVSkGYgv~lAZ%Kklz-jslev4SUB6n#I^bum9;GbeG2ak{=ii>xLn#lsI9l6V>#Y zmi<-Mg@`LZWsyNPmy#H|)A|Zt16;&?^Y!<)OiUod7fUGqwM8(N{)mlpW@6APqTM?F zKb>mwtbkzYL>nDfvqmQxN3(x+f9~JJ8OQk_TTpB5tAhXYIx1oPH)g8D@Hf0k*EI#z zBym^6lRAcwp9WZa(jQA?Sa*EOhzavP59qB_s9X7xDrDMMCjVP)|6lH6^pLBHE1~z> z4=Ae)Vppv)2Ym)>|9g$zE8DXz2~p?S22=NR>VtX>5prXo=K?tylk7!VK|(=Iix}HF z*w2gTjFiz8e^;HyN4)U>YWpSWXEF??oT{`?a;ilv7&8H*{YX;)2l#XSDyz{djkysy z!i*L$oq%F>EEmk2k+L;q*e9wtm=C?QrJ_-N7hz5r9Zmi*J3bpLEy7we%Zgz`QqMzc zvtlOPjRrpd^1`<}CXiJ&b;co{)oPQ{MZ=FXqu;M5K?}>rw?UI+6)}bjXV9*{WE(zQ zc&VP%eYD-Fw`L-q9oKqpQfVh3aX2+_DrWg5qW;i{ZoRd@b+7qJt4nUs-Iy1weJ74K zW<&GnCZ;hCaqUV7s>re!5-{5`mj3`$0`(_Z%}LG-K}WH_BGZ554C2Q0mOP+L8wLp- z%qe?Pa43c>7QZFNVDXolWXr+S(S)9pQ#$_=+YVBlmt z3bGJ_o{jQ7yo7^CojmL2Ox?+`wZwu<0tQ-Vde@?~;5=4g8}dXdgZBEfOysoL|UT_Ka~`c?JQ zFo6%bFtv_tF4H2$IevwC=ke#Os^6oN^M2kiekv+-!MHX?8fhQk(K&LF)CH0$2v94( z;f64G+eIN6<|-n??Lw?rI$=8jZ2srwH4GBVp(iB`>?U%jD}^cn)-y=Q z&mBDaiKO=Z@$(#KWu#4dZ)exhpl*ICwZ<7@@7TXq;L33C|%L za+`941&c}_5-jC!8?KP_^68*|4}Y&t+W27< zo%2rDJh1>&QXe!x%f;fN>JFsw4Ki{y$52dC$|fW2*VCqi9t9Q8{aTVqlJ!z%sFsS# zGH0VpV*knav6I=I4mUO*4^dX&=4#DEk>OkV>xoWI#GtoUR7l0WpNy-C~} zRsMVS^n+ZZC;+VVM_F0tzMt3Aw{QD(d35%)dNIEn%{J<~o4JGWXA>4lGqK)=Z3ZvG@ETX@f~MobO= z!jLTsRt*q$hQWwG-b_N2AbN}0Nk=6J4C(5Hmy>qMv+70>>r}v(;XU;D(F%+#$!Jz& zagtggF46%}Kgb7k60@?u+~)?(|N$)45${&oQeA>-1R#kmID ztF=9w*kcE-gxHzI1KKZmiwR`HKa@mBer4xP#^h#Ue6h8rhbBgYK9_jUD**SX2+-6N z40K;NR=)t_q_G*VDXC|Me53(5rPgd2O*l_4)s%p*b_Ahy|I+NRqPNNZeOH1Xq+xLr%0 znq;1@TiI?M&F>@mGQ23&oCI=fel<0mQf>O5WpMkdrY99OfzdVBnjwZ5miM$#%_J2! zZk`uT9YdV=Cdc7df}OT^xGI~I4XqAk8avV&sv)mmBI6MKJq0Th63$EjZ+xuxtW4Y$ zFO2l4SVL8ls@<5`z_OYI#KLMqGA5rS3|3vYhPy{X#>?Mrm%SuVzC2WnbZ=>_s?7P& z_I#|H|JDADaROAR>^?_QdVQt%5(gRJ(^=de0`2x))$}d4Wh%l?wxk>amzdzZPhYVPw1dn!-Z@t5uXji)BtVDpKYs*p#|&hG@AA_SCcJZF|P7WDF~uiLTC7tnB$uyqg@9l8ZGhHY=CwmRw-?05?$NyRr9S#Ccy)1z;2 z_oidGh3NjsJ`WS!Uv{12iJrgke@4%;-(}#@eHYs@I23u^95%2#&c=%qkg*!; zw)obO9E#hC=X27v2u4_|?PBKDA)_FuR};lA@yOojF(fi}J2&=7Z2&u!qAq7l-!n6U zKueUvZla@?!!{aX&aj-92q>PAE!OD&Nm0;_Rd${or4nFfAFs##Hs^*zn!#5e zE$XGmx&zhqo%o%8#=~@`F-z-A783`Q%er5?B6V#fS|mc%(E`bNc%dHCUobRq3(2Ni z?GMP%IOgcwM+(Mn2_Zk7r|X(DHR6LoJ)#hsYp2{xN=EP|jr)Fc=lPFr3~~bFMw-Dv zr4zgV3+F<3F!iTDhICjJ{uAEuU)+n1a@cI3lJGHL3FT;Xc%5li{&=lz z51VAxQ1owpzhOT#+Y21@i%l|nJ@;yUtszbO2=_dz!+>!%aaJodu=trWiGbFUe|8uq zr3+@`t{aO_+PcFshx06_QRC-da}H#fdR}DE+ssW6x#Son)RpXrX>#PFNlywWRJi%p zdzB~4hJSMYG_p#`t>^7lkoIQ*&8=}mT|8f7A$k9Kn&2+-&q^WGw^ zo+_A!XPO66$&UlGh1il)mgU}YG&yy8SDAIM)dz~~Wu2~@tMuSH=y$R|n&3XKFMu0N z-|%*BW`x_vZ%{%C)9f8X%DxEqpNW6$<(x!o=>k&hR*AOq(_@yQ2 zoMC|<(8I6QP#s68>yBNvH@@^lmoUwq5Dse*%|Ix2DO7+{M+xH72 z-DL%^T)XH>Yjq(bMS*c0_WtkDV$x~cSBXCK`yT?@r@YUNFy@3c_`G*o-~ahOBUyL! z3`<%$&MNs$sg8!`yVHI)<00qvF5%zN0%|d7UW@%iO2bl4uCW4Q_t{UX$%wT)#WcB|`J+o-K2*>O z%=JoW5XN~>25YSm>(lqx6Ws4Ewj>mb)%p}@Gx#Nt4(U9TBO6aH#k3I#N@3XcA^P68 z@l~=R^z+fPoS&ztsiV=dj*6^a-4yl!1>dNuYbwcjgo2P3mNerRC%R#LCLL)$w9O;sc792jyT}+sN!hG^>qfJ zy9W>3_&*t#@mC|bH%CbzEUx7M@R8N1`yOFn4f7fL^)=ceF`w}>cCG~NP5L0)6Kg5KH471HdgIrV0reT$};w%)FL5Y3ZVUX;r|-9Qv|Y~ zVR-Sbr=pL=Xm#a#fLdY?#4cGhc_8deJaZQ(%*{MO`y#wNOYBf^t=B#^2I}9vFc>E= zU&gRBoFWS6ORui9T~%^sja>l0EnLzYs`KlJ8q3Wcl4b0#YGwW{?4X1t7u|}>PBGZ2 z+T(q}+tC{Om#4!qj;Zs8^#LW`*=z949PFr(eg=aqRAd3ZzmfS)+){TMG_liuw>Q3e z!XM@{VMxiD=Ca`wg}F0A4&XiW_+fl-D@L4XUqQ5wcR(YUgF8FU_7O$C?G$ z$^14V{yxc*^`Ls~Aa1;o7n@=nxEgY;ma@$)9fD`gJdsfG3b=FpYo85u114~&b={I; zL0wI(t^Hv`*XwvIiBBnX)7IgO6v2#y^F=W#EDDdLoXM`E0SH|pYMrc|+!jbF%JSCe zsrE8LN*>C1RA0Ur>2dcn#CFaJ`G!ASb1DYrR*cN?Mbm1w3XL?z5rql1`zErUD;gLm z3%&ohEl`c-UuMGT^8de@TzmDDT#&y#z|!mqG-W^r`W1`qs7T1%5+VJx;Eo^nArJ(qUsz7$ilesQKFf8O1t9P z+CbQKbIde1CCqB`t6M{sF4`il3`X5zBtS(jmXhErQ52NOd+x6|jlc&KAJLVsw;mUM!b(~NNM?|78#0y2uXP(i;UWz&g(M~lo&OxEVW-KP&W}Y*|gJnOpmMkV4PyguX@&xRh=f=~6L}4GSIGK=~1x`^& zUkB3iqtGo4f5Rn;C$5$Xm-43>Un$(OFd4&_K}%(E3ae;;JlL3pl_DM9m37&oEjr_1(W!`eR#Yr_D}pIeB9Qr!!lOvf0s;EB!Fj@3?f z*+HilgveizE_jk?V(L6*D3si9ObUfvrbzx0Evk%)|6~MmrBC}g(wqxn8KwkWOcuOQ zJKuQc@-DC``Kyl>27QWmn@g2a#SqK7qYAI#Efba?#T}nj3iS~{jJC{Qs@_JcjE(1p zW1mfMzJ5aaP)=U&Po8{$c)yE&!)rHvj(tJ3CJrNzCoK#4bGeIuHkwt9aQ>E%RvTqj-`U z^A!Yger$`ZUjJ)%*6NGM|EbQ?s6`_BcE@+VZu1T`yVFW%UP~XhzIMf7Bmy7+fWwVP z2IgAD$FX~$3d8utV*Uo)D*mJ8^Yb>o3#B;GHMAGG@yCbW^Dm#9&K4BliTWQ_Li1o* zbPf#yT$L}Vzb$82qe=D)M+4kCh^#0Zs0~nw-dN-g#=#593gQ+JJaiYklOT;C(lK|I zY|El_VX_NbRFIs%8 zzgYJ`_Bd(K6(Zx%@+o$r;u?1E^+GpWw6C}+mU=qH@s&G1VmS@d7&f-u%PKU^Kuri#QR<(lhLPYVyqQxb ziXw)JsH+{rdpZ9QM?+Z@xqCrj=dt^RuuQ3Eq zZHF>a$wX%8NQJbfJ!u=6l5x=2>$Dl~I%ez%jWDo!Ke55sik4a6u|#UEv#Zthr$ZXQ z+=rzFn(#|0@;1FvDTuM6Zpo`2U^S`pm<#wF3XJs8$cIYj_<3Q}C2hWGUCkrZ7_6wH zHK^i`Z~X2s8nOZkkK@wFM;mcoUX|_)z!ZgXmfUdfS8g-TeVLS5`|t+~``4qo;CWC& zAb-y;gYr7a-St9!S7*z5L+w$YKtle@0QFDy&(kMcH5=2|r4K0Y-u~M9{eaR&ZyWu8 zRGFaWO;ar37kAXtKEXTRQdZK?3qY2mD*DQrIK9`4V&pRK{N1_VnX)2Oc2U)`G)(|| z(cG<{bR131MA6DU2C(mvWuw!QWi(^Watqx4)z~sQuC2SZA{ncd^(GGSfI`@80t&TH zplS{|L0NF%cYlJlkPur+bQ<1sN{#oS)@6t0i1=A1d(@K84=3SkdNRE={azb5$&8%J zZh398B_|pet6DqWZ$2jxMY5*#vXYf<>$7DDW~F-%>{?kzlV_g)Yn3~tF$dnk8i-(( zLK9LClm}1gd?wj-?eZ&3GCh+93H8L%)8cY!<6C;{Y=V%<-;|756yWP+i-|n%`VH+N zb#55(2{$H;-z5(x?rhvkDbtK&>qa8ho)I>=QPAy_0|XR6z(ZcGexveTGlnfO@7b2^@QO4?Jb+wM665n_hjxV>`aRFGgeaH7)JJe zL~f+c35x;RQgVX)dpfK=! zQdx1>@Ff~(!SlHQ=&?*YDyb}V2J~mGyf0Wcq3AhMCNd2dK2}HH2C#LdeJU-o+^02T zjc>QZ{rZi81L<3u`Wu#)r5<6fXTZHMH#x-VG^GWffG_LUkkmr@2Sua@;YgKvc=(P4 z0I`?lnrZidQrYE}NP``b{fbkeg<;^1j-E1;Wyl#iP4?Y_7$)`F+^Rr2XH0pigy8eL>r;qrtq3VW) zKYMVI1An0~Z8(Eo&Bzpo!QwOaB{~C9))?IaznRiA`X156?PKcZ?OdnLvJlJ+o`F1l zmVQRb)>mkYSIh5KO_m}~$0UzP;QcQgrgSjvP zEem_f=2og)s(tr!xI4B$mLPH>;h0QaCF|Z}%?M+A8WO*LA*L(!w9DfzV|cjPLL%ko z@2%ght0V`JDgchpWLLlwGiK8UHq~&OgRSo~N_F8U!A82=eJ;e~0mQo;yde8=*GBaw zvTR)=H+eU0BDvY<(Rq^#9{F$6SA1vHk149pKZg$jYg~pK0B`oD;#G*`<<_by80GI{oxprkUeZbacr`MMJlrR}P5pc)oj0zxCUFCNKw){z3)LvXmEN(h z2@C#jm8Jg;BAP~P=KmGTtE7XH%uBuhhB^3O82?|5Vms~su)19)%j|O=(G*2?$RC?M z28x*7=b6dv`psob&440k)*EOfSU&FBAXIoD^&v!W_GR*;R@2OWyt& zv5Ib+Ii^pOO#S<$!f4*?_`syVE)(@R!lDX>32}N#ubVU;FY9RCcF%bW% z%b#3+{95VP=WlxI)z+~a`FL!;Dq+KwDXD#C$4}t)nwjc5oc8cW=FV+S@txf5w6FT- zs-J&3SKclW+m*^^8Xq|^?(wD-+NYM;&Q0#oX-^VhnC+*$W_If7Z8wV?oLps(x|iPL z{qgJEzCC{@_CL7{_hRs_EtMskUflX*vbtSmdQU}S(xz({JEw1M=lS8Kv%_LZX!3;) z<>SDm$UlW;zbcvu?C8ED-jLV5Q|XPUoc!a^@S`hr_AAfrcdRr1`sLCzsmMDw=8Pj}vmRX^WvRMEuZ$E|Iv<27DR{`}FnGsQo$-$iS)%>g4$v1=PTCP{fU ziroB?nJxOYw$;S!#6_2m$u|`5at4;)6tyw6<(la1_EtAPu;@mp0>jmsfC$zP8H@`V zwxo*s9&wbDw)0!mwMy^xrX}iFEZwx*Y)XFJ(bBUwQ+K6bp0#gk;>W^UO$Cn(@~qZb z@tQ4r+_o(B-~zV8MXGVS4PCVyvuZc;G($ zi)MwAXU&;)Ph6Hrn4|GyK2^|6(4`4s2Hd4r-aR*Z zyhSN};fIHw?mclAMV~(HvCdkyQskM%@gftq-77BVt}wD*vG~Xw;MOsL^3d3;<+Iml z@xEPVY3H~{KhRS%aN<@GVWre#q5LJWm%Cf`MOQAWa|P}Mmyf)Def}oHKeK9T)8pgn zP8|P~?bkK;#t~osio^r+Hb*aAl~c5IyZ8Lai*0qn?txDV8Rf&izb*8;&R?E?^ZU@n7TkCuOdH0!f&Ym;p?ERa)X3wlM7n2tY02YL%wkCj#j11s+ zc>peE02%-aa`L~+rBGfLDq1QkN=hmq4GlFd1CW7%9!O8m$i&9N$i&J-PtU@|!phFU z$;rvUeB~+^$5l2CPL98gkWpNILrFzPMMcNKNYBXezm|)S09IOn6`+xVOb|fMN=Cs- zcF_(H0079SE@>}${}C!`8d^F^atbowWjlfeKt@4v$xhBjLqqlVOJwAiU7%(Ku+gxC zXgLHq#ksC>OGv938ksme@y4VT42>)c$=Mdw5LW1}NU9s7hoxjvtKTCpZC(Ape*Wv| zKgKRwZm|N$$;hZFsVV;DAY%oQvx%!2{;*BXYo%a+Sv|BUD1qKnznBIvP>@}AfPxip z7tn-VT^oyX&&(&BrXe4TbC!6>TdrGrx7UUjG!U-)r7Pf7?ewC5KMHyyKod;Zk}|`r z*6_1zJp(JqkDDjW zB!IMAfjvk~+SVJD)USWqJgIl6xo7oO7iS?=5~G6={FERVQPra1R}LY#!lt-2ZdCd( z%Nox0dKOzJy=}tF*C(p$<;`=g4j7h&DdC-EO=BG0NUr8~vyHj!P?E3X(JDV&-xQeOtp0_ZIt zs51c7Xib#gtZJx7`;wfkWnLy~=!w0H{;pO2b3!-AD-CKZ_IU+>OuJR==L>;qPfNZG zpPgQ|sa#vMHaGenlut^Kni9zus}|hAwdVV#b~qFY;;(8Y5oNFd^|tUQz@ySn4eW6b z(@gzhovUpU)jd}WWG#|#kxr#qgP5h-2wTzJulmDGfCCn9)&%x>!?O34KAXo)rR_w7 zQ;%h7*qWr?2OgonoPrzOV89s990MTY+!MY%`_zNlyT(aTOSk?R7}z1`>Cjj&w{6J# zDuOe+;Jfl{e?HhR$}lC~tjtJPf$$b$E%(^&kG-8ur5{`N&iEAe&&~zlI9tP*H&NO;KA#P@5)~$N*M1t+c$sM$q3$^zW_LmQnmMr>1}JqwR4NM zW%h;S9^@`a5b(txKi8V0`&-5rFfXPz9qjfL9>fjYImve|4UcKo_p*4-9_vbgRY4=Q zk<&WS+I!ih(^cl>B6)J1bRNPaZHq2@$wh4XcaUgQ3Q7Oz+EWT;Vb8nuMMmHvr<_{4FH(4Q2U4{s)h(=%2av)bhK|%RV&f>NR@?hBS zfOng$6{ijx1wF+R5E2vL$q_Xtzdi_veCbhs<4aOP#-6Cq%&30{z07$-^8I>Ps)FE_ z*A&aLD$eN1U1+iI{g~}4Wsu>pL6T5@uDyjSGFtwlkquqt7($lKERSfDW+Uw+mD=x1 zs+|h8O~q*md1C9B*vtW0#l@8qbiTY_n)5S*lC8*ftlGX0;K8a(-c=IDF#5Eu$A}Jn zL5I#lWrK&^XdI@Z8^KkvKv~uvT5zIG`7+x-wj);9Mf!%_9LJUEA}Q>;XlV*eSF@|f zWE1!UoG5NWjRR@{DjV!&_$ezROYPo6z3I|SRunSgni7?Qz5O&97iU@v~pIt!egFQo2uNSlsmI|wPE4@F2T-Ed_4D^WTSg{D7rXyI6zh< zAq(A#;go&bpa)OG&VgMng zy=sQs&~AmZJ+aB4qs5~R)tDk9!9uc)iVVugR&$`{H*)kul}2Id!&~hW6k{eAfC57i z2GtT3P+?ENk#t|6<2@g<$F*FRW(G5VVE0KOo?5l9Dy65lN=GO-OLgA_J>_Pn@^6UM zgz4zNAMan-0pq_t@m0@yxLyz(8V}iGDlUDuk8uPr(na1wWhRU^;4~J2+g|j@?k60r9spb#9 zxEmO}$=s;ZAl1|kqW`C=^{-8=my`did%^AW$`KY~QteSZ-lyVrg`WZDMlBkSU#KPH zr#dxpo9V7RlyyrV0;HlQ&EKF^G`$v87vdroj(D=%6K(BYtWuoTdYhf3c@4Y1X+7Sm z$qX&ccA8|R|4iqjp1OpYd-1UZ^x%tx2Mv;JXR-ExMJ|xRAc(K-NM!zCXyZ}XkJS%& z>kB{*j)@N)nbx5gx*n}+KZSA@itFU8z5wV+sMlc)x;r^|$(l+8nm($|5OsD7te9n1 zx6U;!ZboZo8Vs*MMP+)`CB^uAKdX@t5H0YNV>>J2?{`K$S3C>l*rJIWV7sBVU}W<<^O-2@D-jhl0n1Vq*=Z%2ZPf~8<&=D!^hDv{07fxrG)pFC z_`ePWtiyhMq8arJzGCcL)phXy zjjuM}bqxN*LHqc#M?Nm3^T@wuXF*>{rBthYq6CS&&kLH-(z)vf6U^^)nY z(4g+Rg~1JM~^wjt8E9h6gz{|Eyzys zamQx^E=UDzJ0Hhs!QtOYpKm>_Z!|Fw)j{exSE%Dh_#=?Uut14C6)fY4dt_KH)LmCY%*|CBsiA)> zsY+HO%AM(?S8pi-X~&_UXWaADWCpp-TswkB6?5Ak4`z}23`JW~hOY9W=xDfabI-V? z?8Tgct%?pskc|pzo|fJ8MA$C3qc;M1_)~_;LY~<5O_*HLzz|ri4+*J~f)PWPrCG0I=HcvJWgGf-G0NAHZ zPwI7oEtCS_PaN4mH2#T3UI5yk?T+OSm8~n2nJUwn1`ok(P7(sAU2S}JOz63K_nn^E z-FfqV?(6nYdU)K}5*bEQ>5Rnl2wmD!K7R~zGWp#lb=K(ZZ2VV-v~c=1<4^N&e;7<1 zi26Ve`$V2nzu>OvOZ(eoR88|Xf64eyrqaRswAC2nW>LupoV4EZ-_#$~y|agEB#P4N zw$~0ZRv^gQb7dCkblj@r&fmEM@3JVu=dVCM$Ty^M6+_t`A)d1Ex$5SIg_3C>$Dqh4 zSyZpbyF{F~O(!z!X1a`Otxc3ln*~`GH6t-;AH zIP^3ziG1GwA>*zH#SH*}Ej7Fl3b)F3P%D`o+`W;$hvlM-@iYVS6-w>TAbTPuvj|z< zopc+|9~RD|fU`4}wbzZWVy*Is+*_%_+DM$Rs@daPr=h7l$l7%e{V^8uVI7F&!_rZ? z8f4AJsDfoDo<0GlY31HHiX6eK$3+TyqWJAW?V&`uIJ^j)vcRpMSLeA(98tS@_uk|= z_9kPyrT-PGHhI=196$H{t|x(v1xis#ugi4Q5Yx40@-G_TPS-KA6iYVtrME^)b?W|V zccT$N6_>RdDvnegCX~ z@RomYt6@n#hjwZj8J7}Ya>G_JvVnJp_h|y?uB%dXNx~zeg7z{Zxl#4wj94VkeQ8my zAq;B-=b}Z|X7z(IPTy;p2Y!3)^5whG5sKt5{Ze1{`?X^$7h}i$r2jO&@`x#Nm_|#K9OG;nR)?8PG$e4 zef*Aws`v97*hsb@$60Ef@aMozfp~H(%&vlK#`QB-fy8i^E7TuX44;$@K{4ye_{~pq zcwlNYLZ(H-i;97|Lt-2C{rngnQ6>v#*10vgN;h>61@M*#qNj*?%H(dw1)#8D4m^-= z_|;8*W(P)2K{L{GwyXvjlpD-8+1r}yvIseXz`1E#kNHCsxQOIJuoPKBZ zY<5p_9rPRQ0*{;5X}V(JpXpfAnYj#fFMP?m>X zK_pLOtM9~LnYoA}<3bD~3w;m6223MzEBfBV6yjY>$Bz~vK4*>ieP>fD$hO;CRH8{V ztC!L!PGNkQt#9xI!Bz;~Rl?w~T=A1aY&p1w57!ol#CZDTxw6|!AzY8HkGh!{a(XcmR^-C1J)%dYHt_=I0sJVo&?XE8|b{3K>?vB@~7wx!j zOX&5@EQIo}GFEChBir0L{E$TQ2sTuJ&9{Ezcxo(9ir?o~ue~x+5N@dipHq%?o$5J& zQhW(Ann`vvIlfGd`*zuKf=orBJ}H@t2rv8Ur4W#IWoNBaPuRLWSET(V$&r%dBqq2| zc~;ay$$)U1%iM}>12;xWd>x`%B6R`S`~(~wh|ua}1ID~qAVSgyYUdtBC&AR_rhQT{BS>sPsUWHEQb&>aD{M^-Tv<*Yf6K7}4vz$nVL z{w$_-Th?!kl{v2!4MSRsx(l0EGZnT#YjZ{j5niw)@!@-g?2o(3QXj0B&ZAv~1+w_X|6K%Aez8TxrfT$LmoDVGY-`PZ>33e%pvm#?hE>yL9*YzTJc&djd2_`~S$G!ERx_OIsN@cEkcgu7E; zc~%Pl^?BYXZpK}hO7m{|vTrKx2`G$(j`5Dgi;6+EwV&u}$i4k>YGVS_C%a>tt1_l^ zVb16G=BOc9p#N?b`APApgPZ)@bGmJq)%wogZtl@TYU%Pik5->cbiB;4WOLE_^p6T zOtP%B{oesEemy^J*h0@W5B(L$v;I;=+Jv1Q1b4R78su|2=Hi-(R!q{KFm}$cTc_m%-L*8y%f%J9Jf0o%nMxrnm!CW9yzsW zT>$)p3x+8(#s8l?tx0eDGj{uX(SH84%`7(g*Vk0|_Z+MBofUz-`0Oe9*`ArK!`Ynr z)*9=~`PggjznhKi2@oy{1N(r;D`O_UERGD-?ln$xlJtpV69$1s`S0q>-)*t8Xwf3O zoYY{qLu4a3%G^deHY-l5k1qhdL;ordoCb<(z8SmSu~RRb(yZTd%Y0@4JrWj%m7Ysf z$n2JaZpn)>+rkR>C$8FM)s7O%AmA#u9gd{s&s%Kk#Da;dRYRw{^ciPqx~zo##`EFe?<-hbd#D_Xd61K|%LiGD(tv)*pUj(?t5|1WNbg$M;6W}XBe#F%E zgn07Ci)M%x6tLIlJudE(g~-c|+!(Rgv%B23#OD8_6n>`D3|yliiZ(B@H!&Lv3=m1) zB57+YMyvvQ)|92@@(K1O6@8Lm8YLQfqe{h)tYSJ%_;&c&fW!1mdPO|b+ZC~&t_B(5 zB?D;0Qlg+X3+Jm>B;j6N}Kdc$Sn z{8kFdba$?$7J}TyxOEuu>u~kjTp}mItLNQv$Y~@hQ2GOx%KYhb<^SAsjKw;j!*;24 z=amT99?x90%6yk_uXT8Tl`FDj@5j~R4rdX+3&4IjW#YM$k?{rK|3j}JI*+8=N~Lm9 zJh(E`d(^n}mB(()Tw2{DFn|~F;nYqOSF^Y?tF1F M8d=SL<6`Rn0AuJ$q5uE@ diff --git a/src/windows/leash/htmlhelp/Images/Leash_properties_afs.jpg b/src/windows/leash/htmlhelp/Images/Leash_properties_afs.jpg deleted file mode 100644 index 389bc805c88f474f1c4943e788c151e647ca59db..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10505 zcmdsd2UJtr+HF93mCz&zO79?qCL#y~FbOSG>57yP1Vumu5tSk>fC&K%ReA^MO|Svd zdy^`?cTkGRi{~8m-1E-)@BQB!)G>42wc=@{s!sZX<< zW?*DuW@e_LXFbEhbOy-8%=A47(J8_;B&3w2q?Amw)U-_h?RN48z(4_rB&t3|#0?;3 zAUefBbkYFe01yEP&PAZOTh|`4CsRx(BLEsgFJgvM3;<=onw`tyi^;7%%bMZXJH?8v+EP!a2m7xg zc8oLN&eYO5Gca_28dzz+IZ~5bkVAvR>tdF-&hUPjqcFx{bRFczliAp|sV^M{2ZE}% zbXLk*o<3_7BhgEbJ)2R9f$E;4D}XyIlI|uyb{{uH%t#Ea-dt)wZmC0ESZV3F)O+te zBFIX|aU!ZhIDz#wYB&)Vrhj+7JiT>5;cMRAcuGwfTm}rvkUb~ZhsWxIZy&GLCp2VI zj_+w1JdJy|Y$(75I;#~YeRZANLvq`VS9%+_gstr_0?YQ`F`%o>jhXm}qoXh1{8z7; zp%u2>baoS8_TLzait|ig3q9N_9Cx198bwXs4QH#0`8Kv>m{PNyWL183V2P_A$-4`$ z??J@U6K&D=4mZWyRI9&G7O`!}9mokcqI%vSFeg6>N4yw_cTRHT!^FgrlWBM{JTow2 zMoydnT8}ULuNBoPmsi&>|CQ)@wgwUHqkzTW98AYxHHV0NC(e^o#lGU%L6%`9&~!c^ zyWjL2Ini9WvrTmJz1GK#N|%trA?SX?JChXdel$Q0r4lWGF++P%{#g zw7&Bn9=L=N2T74AMBB*dr*Hx}PS?f+Im>F4qoxbX3q5f%C>E|f=-HTNDQSwZanxuHF4i_Ez{-RD4nQAo8rGRaK-~{XX9AeZ$#)yLI^L%tX|_Z1@jCKT&#m+RV+ZhT z>=o^c4?=i6{s?{JM-hPL8a~)X+B7AoJ4s(`6;|$t&q06qu$ZsRp@op+e@uvfE7t$e z4w0QIQ)L=wAFf``lx}mBDR7dbz+y$)+jsW^DteN6Ye?wMBf|55GgcvXYla0RIIAPxdav!s@!V((8G6NE@uqrSaa)K|3k+AP?1+IW>6eUEW@p zp`-KX-sxv$g5kC>o(_IgbBj9u*3t1T;+b>{uM>d%%~7h`lx546cCLL>2Dj8iPXG%( z9(C4dzHRMVFuC4ytadY)t(SP$xA{$Wf%dlgIrrq%UBc1lyn%)Xf%gCuh&{Q=4#bTf9ON*QKxackl2)WTj z;p%-OHU>-cxVik6h6+c%vh+MLW>9dKV&85E@*H_f|E*i$u5azxW&7?;3pS&Nyk~T{ z=0r<0LU=K$w(6MUvk-5q*W)uO#iIu6PUo7j->5A3@3&WS8h z7s70DudJD|Q!%!`4`{@}ADw1~BivfB;YA?(VNw#Qy?>(&>rPkhqcz!~@sel7(KXO- zRAdMH+!J!gs4sb9dXD-cV)}M(Z&Vj9Rtj_4S0uPn!mxpCc)kYD22&Akspf}m`@DmE zW(J&=DLT=vTG{1d4e*+Uf_WKjA)1=@JuVj~y#hv_ZWSaxji(vsIkB=OfFG@Mp0r^v zYDoIs7ezczah``KfOEa0m3P;3P+3J^{gkO*Hch>_u}7Ea-Z2W>z1D&<>;!w*TG&6@ zI5(oi*an^gvs+EmN6nv({~70(zxEWCom;_%=`Z5PRJMKIR{75!1n~b&=19@h8;lQv zm2{uWo%Tt-5b!tZ(2J%}{8N-aeC=gN0hyTUikhc=pDfVMCHG@=ogVk)bNk(fZGx)& zU+4%aT+SXS-Jq=b3Y)*TVeUEnbY)BAcR4ssRT<=}+-48_?<}4$8>u0#27`*`PbwY~kV;8r5-Z6UYNB{1A+MnSRO9HrW ze@{X79r1VdevQsQ!p-5h7$1C3A@?0IL6jdXeun#96heykiQn;@|2d)jD`kP-0{ljq z{3phLrF`)h<;y=Y{ww8%AykI3g>_g^@ehuznV-4#dQCV`b`QR@B3a&>Z8Y4X(Hz3%5Qo20%57+e zXTd7@L6I1cxxs^(NwN{A4Y9^+pO=JCGHl$HmxV;Xl0cio4yhme+(u>`U#&a=tPIfW z&5Dz)i9{QwO=K;}DL4BvdRN|?%RLyoxF#$;=QAF=m0x{9iE^{z@ZtJ_ZCXTw==Pz! z?epb#^^(Uk^|E3LY5v{A{<@V&!&cGd0OWS)*~(-u`<-T6bVq}Ie)zi?6C#J$$L<#& zaai9!qz@Xo=e#W^c>>T4*#E$;+aN!hpiRY$DC*%myfo*hESq?21pWeHunAou@pZm* znCq|}%-wj#;vmAN8vtm3_H)1bfAN8Wx^MQ-VJ+8WVVKjcXeMui6K$0&(5LLI|61wI zPU3f*OLyYH3Y`bnBRjGl8EGB&kX%cxd3!Ei=UXoRD3zjE^XWpnB@*DHxa0cKys$v5 zEFcb7o&>>)gTaRsj)_BpPdht?_b#VyeSYKVw7>n$T(n-!>)3?|&%b&qnzuU*7TlYv zh(?!4NwRa#q&J2eVfS>{C6_L)`4=kTQaQCV`i9t&v}Z?pOMBbu5a$>$k9n^+zAR3r zUp5R4H|E=Nfn^$aJdkygv1e(wv?((m%#X!N<20bXQtkT`w=SinuRpq7(aG7f>KtET zw!7*anU+;B=#Z9@HtFaPV{vg7fFUX}yB3C;92Ies6XTv9j$`LRWyuH_WF$o-`9*48 zX0}V_4B01p2LLpM>xalJp+Df-Hq_kl*ijuI?)}q%s;j1~jmCc6`H?|<>HBEEL`2B7 ztfpjQIQV+2ql6^?rGOciic}t0cj_m7Ei@WkMS~{7o?>goY2?zpvB*SR{2X(Hz)dkm z$oi{@IqI@y@Xy%VTaY;E_}EHa0T8iUSLIZc%eXC?BdQ4cWDyw9Ta_q^37k?Ez%WOh^RLP-$7ELp8-gSq~A<&+7k zQid}gl9*DA(qEA7cLX`gq!~}+pvKs%{iba55POSL9IuQ^EbW80#SeiW3l%bjbokR- zG9QGP%BElNw$4C^w(vvSo7=2wfRt7Xjy7t;NW6&z4mZtd6)qm2sp)MYt3v%ty-dVHYRFX3Sj%VDa+8tSZFKj4Yqw) zDh}QbjhK=jEyxb;EfcI_isIqn5kJL4E{p(WgNg3qAqyksYZ?XtI`Sj5B;^^3_PF?P z4E_#7!Nsj-r+ELf0d(cBBV*TQ_dp4Mgo-}+OrEf^zkKuo9?*jy^lbanaAh8(_&Vab zXV^7r#HfFG9+rN?n6G#< zF7ScOL*`4AJt`3Csn0J$wB)t1&~O+SS!Qx*`79c=FT<-b&#CA!5Wf4j`n zGt(7p(;p)#5syv0W#A+;;y(w9)ke=&>r;}Iz@5+cPj5rn@}3AQ5rdVPQB zUSFs8<2>Ird|}Ed+he9Lt2{ScP7G@Wls;IPqrG&xk!seL+1 zQ$pg4ylL~P2)+)94`f^1pCcwX5YG$rg>d`3tt3}*LQ#}bs5@i+47x2Ypc_?3BmA=g zQ60^W>1W;K7*pFa>t~Syio0;-Dz{YA1&lplMTdSo@0DvrXR_Wax@y;2q+wFN`3M5; z)*H+H+(mt$Y{b$@-5c5SEF-`CBHI$M{YYG%7sF`_(YOd8AvKN?_Smz9X{q-+b}v&~ zWM^}mP?nT9&p>CR_=m7N;Pw(Rpp31i65z=1ZFXA(!Y~75p?cpaMgw9EedJ|t-S>QD zP+@SPZ`CiO2O~K$=WF1ejqbCAOZ7)%V}%goX3w5ZLX2mtMq<*_V@B?`w+NS5<8~7{ z+&V9%HD;zM2F*On)q^YKj@2BPK8ulBt$dtfha7*~ukKj)xkJJi7I!Pe9c20h>SIiA!=ex{ z_n0(p(SBQX{3agrkVji2x8QcWrN%^Tu~==yX3UyQ{}qcSTZr(fF0sLzl~G};3z{C& z{Nchr?Sp|r62RDDH>e0Y_}galD*##}&Acitt54 zS;npO948MrawMWBr@{i(QhD=Lpwn~H(4FN0(}BUlCVZ_6Ro!d86&9r?*$l8S9x9}- z*ZM5SOiX%a9f)1`gDIi-fEK;$oS|AJ%_T=cAj+=Gz^-+G`{e(Duj;zU*9Ru#KRD=S zTajB-jh6}Q8jGz7W>hc1F<*9Yj$Y%XPvjp^Ri2cKu9?_lVQer5>JOpx` z?#h2O9g>hPZ9fEm9uV1CrN20|HSi@;Lqa!dDY+uYI{CU+=j(`~SMF8XY>5s&FE!`; zUgu`|F8YZgEdO*Hk@ntgUc3wd0RM;c?|%)8nE0=gaT;q@%Wl`GVNush#RcmRCKC!4 z{OHco`fEHpj*|lh%I+#Gf`xwuH&wmEY6bvG??o{k+(wPMI-1*>H2_Px;7XEP6)W>w zkBF2~a4{FIIB;0nT6au;BYvo6l|MaK>@vEUS8ldftDUOTJzOqy`{j>S6^$+6#blR& z+k@Myh^>hDiD_Rsm;Sc0KCrws#9_dc#VCI9?^f1^@V*dt5m3_DQACc~3l-Pi8$eV9 zn5|si*8VD=Xmhv*6fyS!bM7(UC${TKVn@sI_w=vj_VD#OF@4xAH@J?PwCi978KsuZ zYhtmsUgwA~vE97)#(gFvJ_+;#H)&3@jk?s|X5D05KC{Q35(=RNXC*2z2^I)_nQc~O zch2n9K$+ouD4`5&_+%mml2@m;h!X!0;KiuN&i&Vqll9E6LzoaZ%nuBz3lMw$uDGI0)T(Gi>=Hy!-E8fjmB^} zV1v+%Z53cwFF#8`^Desd}(1(v3$kKIubWaQ_sbFb7W+}3DDhDNs zi(U3y+`YehG*|@{a z;LyTSiQlUF_oOr}VriZmuj#ANsyly9t(kEWT)fN-q-oxkYKwda+@ybbdf)gcnjO~T zZ4ipx*-RB1;zSha2zL7;vb)e-;4aCsIzw}p0zOW0C<0^u?xD*0h@Ud1aNMyr9M!=d z8&`@)X=X~M6~rqWzZY8)#3u6P5$3E^?)H7H=K5!`j~_nXuiVIW{s^_ngTzAf4bJrr zXg|q&7%Oe)XdK#y=Y&Bqvp!@R)>kk;)ccpp+^lxjM7?MyO}xyQ?0CDJP5VWHYZ-{r z33k6jNRFLH>JyKd+syBB{Lq`+#7grk=MSrZ?lBK!nur=Z=seW7tL48@(0BrX#9j>! z3;y219ur>NTv<~r%zEN9=U+O>IL6*OEYP3G>WbyvFl+N3N<@#08Hd^d;WC0<+}zw< zkDt7>I4_+vT@mzj^#q`3d;%BC3FwGY|j3C7_f zLr%Z3TD%+Hv2q+8zg^}cJJMkrm~#m%1q-jFK=0FZ=U1U^zc806$~hcNSANUq`^5f| zR-mdNWvW)Wi~055_4{H-hI6!kKp(l78@67g{u zW30{hVX%A=OIUAY&av&QFN>-WdHW=59hbwt9-Zp+`0DX+rYGz#TP+T8MhyqkNl}J_ zvW?}ONP|!U|{>CwaBM)monb)JU$IY{b#VYTQ}zxVk%oT?V#Vn)u9z z2=?1zr=&#Nz|*2_@6-&}XKapdhIJR|HKN+iRIQk28?4^V=!yD$MSuRcEBfG%6+M$Z z)>?Qk(cx`K)nTIerbUgkh#%N3LQG1XKQprh8FoIt8(z?HBeQ$i!}&rB=sva1=FfDV zcZ$JX?g+P|=w%k1iskeiG>;`iHbb~nCGk#w!915vg>YHRM{-*dE3gqhafF z(bml&f`w~q3_(xGMYk?1F(_Y0wMX*8*hIuL^UPRja^^tAa-Dw4P$AxZ`QZf&ONNrD zxBJyw8BubaFiH?VQf&n82JY>VQgJFzu)@$)!m`wx7`>Y@2EqMdD>^X+=7nlGRjZf1 zG>0=%vtJrvD)YrK@A4B=m?y`Z8V^6PrdXwL7&fd*=Xa#H;mv|~Lk%;up1vB>$(gZh z(l%va5ZS%0kPs=gQQ9WO!}~&C=9NQ(k+LoX9*TjZ#~duuwQ^e^&V54QxssNY^mh*p z+=p%0Gsk#tz&-{b6_Xr{YYS^Lf&3F~)%K-IiCVAmS+A;kLU6U52FMVa;E@(nIm+7@ zw)jx_b+#Ps3`f=zz`Y|z|NTZr|JA&HjxkZ)e1rn?GUb(Q!RI-?Z4EVJo-4b-9mV|F zt!oqCe41Ua3ABn96xeXv3h0_}bO`W)IN%4eP=i%ImI~6b?ZUS6bFGCgA=<630sRzs zS8*iPy^Qw)4lD%n_7<-g^%798JRKYF{#2KcRq=~Dqw;cIKPjOgt`@FvLP036Of&_5 zIl3Ek0-(Qq5EFEH?3Q)Dt2guV>3-^($on@h0g-(pNo|I#@n&&db;ixeZN(G7iw0S0 zEda@5!1o5uP8Jk6jCeGh;zw?gHL87CKNpUop;!~sQ93NsPw2H(|ANOeu(IJXtd!xb zwc%lV5fZ9(s`csd-LyZys{AaKBZSHKO|9Ii65094>WHP+{A=)9xdnUc&U-pRA2wcN z_Uksz`J9)OW7t3qC^IcZQ;l<-ZjE<^_I#lQji!-y{ z(AU@z(!E(*buIZ?>aIvX$LOlo&N!3S2_Uyf4@P?P>2R_^zV*wgN*|67dcJe{eZn#I zdIM#<`|BP2yhy2D>)V0B;Y+W|c|U8II*O55hA=0RGj8?{2du)JU3ih}FpMO!qtSk4 zLu|n)F1V}SwJ}ee`}^$44Yd3rCqd@`_3<73(&LbgBO0f~AIBMnIKdwc3YHV>#n0q< zEf!V;d})je=ZBc$@2l#`(QqEb+C91+cmkMzqAYOG_IgP9TT^+U+nKCuEa>Xnav%|= z=7^e|R$i_$#;Yu@QexGyUG7_4;kXGPUSBc?;` zzKHZo2>R7FikhaUhJcJBUHh`NjRfSshP_;9%+jBeZxfSszBQBzb^c-)Eeqv6-`>j8 zGRQluPjB&Z>+VsFb4lI22?!e#vOf-OhG^+?HPeaH%jpzLg<&0yy-^-y zIR5$d$s2Pqi>Y>>dQ7t2#@{ta95*tiSiQheIp$kdGe0ds?T&uTtsD7z#$|9(pQj{d z%^?xPQO%nbXZsm+O|3+$Pf{X3R0)p_3F@t;Ia@8_sU&0$6fw&6XwpWkv^V7T&aPI> zf(z3G+h@6@?DunXB| zc_ki@oF_Z$%2}&G?;!FBS#iy;zfIvV@=oeUrB@$~@PBjciF)#Sm6cj~N?3PxT zPDcbt*B>1z+7@6!l9)!Ma(nijM85N*@cQ9jpUP6H={bdZm-o4X^{#7p-&!)>Q;Ffx zyfx-J#LV#yb{adSk8TeRuF`5ZI5Tr!Pm(Ozt+U+8eKdmk67Bju{+4u@i-D_!dkVXt zhc+I|RAM&+72!chzbfrftkC{?UwtpUXsdGcEbIFq3V7(W?dyfx6~HI2rj)nr=*{-9 z-{frFG7U{m0EJ&6!guL6yE7kcp8(R3VMf{JF@i5Vx29MJWnVW<-g0{#MNwZ|{!RAi zh9K+Wr+u{EgM$lUE9}-Yw=3k8gE$%3&TV17XQI3^^C@uKm;VINxZ$gD`t=7(U(#r# z$BHKdis?X1E0BB5!&#{{z>#i}fiAJ-}AX8Mj~_&$8HpzuwhervJuFMFMc zWXd#f{zlB7e%n!4u$>94b?o7hYD7gGCWnyf%1IjFU4zU6ITc1*7|z0i!~HLFo6z}K zuqC~%cL|$e_bljtIH5Q&Qc!)h1Vx?S9EmQa1#X_skn8C2x#_Z36IuJ-XPmW3cEddT z=#@d58%e8p9pOAO_Hm%luK?`xi}jL~-s76%Q$5vB1Z#HTZ&XsPh?z1EY9!Fk6P1WB z_ix9i?l+CEc%1VL(wHYnUFne^A`7`sp&$S2(qHj7*q;N#iXg8@KzyILV81SX`YWEh z%XQd)2;~Yyy+IW>DW|>_UOTv~v_ZS$ZhdC7&LwSqb8+kq&hoL)?=XqJY*`L7i6=KFM>P%tWkUtai=LDJla5gv=NkNpV+6Vm=i zDTfGp{Ij+)+JA?if#JJ!rZkO!)8nYpaeKYO8VRH@kMt0d;09@(`00)&z(6#ewOkaCFS{Z=g(77(_EyY22!6t zf05xLkd}^~o}TgoBNGE16Ac|b-ET@rP94jTou)W_nu3n%JQdx)`}+1P0C<)pk!1H2 z2`7LQNOB5D@~s8H1|R{Do;o&{1n}b`BR_rS>?u-;-`J)X0f5saq^Bv*0ZC7tId%Ft z6$$CF3*^8vH1r&Uv~&!Ndin;@ctZccSx!+&xZ&NXvI-`!n7ATB*UHt+9T$_9QCiM5 zXX!Ew;+BxYrZ=lR9^#e0sbo`ftey3@e1E@w%Bs6u zQ`_K0cK;h>LIkz^axT%~<_EnGnOlhPZvZD7<08(sRVLXFceTD~Rd1K#E99;DwC19| z0cyFJEfx?G)Mu|X={K)Wh$A0(p?HM!yUXt)CVF$*9FfTIe(NQya+0+KGfutM-yZ7~ z^!nL)z4n^Me3xc>?ya@fUb#Kl*&oDQ@r85lVD~y*eO;cpRxfPLg4FBD4-*H5M#xBr zH~&Y?3`5sCkf3`$gJ9|mlRFv~VmtYA1!kv03?(`2&J%_T;! z5VP&&#E7Vr;?fjfJM<41PKaXOvm=_WmkJVshuUgoA6D_*PO5iNOHRfF<)dTmTUr_! zD{I#09+1BL}LO-d@UT|rA z(!zej)=CqMKiZzTH4S~ncQqRvR)M<&Qplur6wmDl#btaBHO{JzozfN){sGzvdh^DU z-S@$-W{vX&+{1gu)de#-Q-j>zEzLc1)8?<&yu3jfdnfQK?PiFX`=pK&N1HE7pf_1L zBkPlh(xdGJ6yw}#AB}{jVut^xuxX8ar1j zEMfAkKxPYUynU+}&`@dVXyI*k`(Lv%jrL3AqAqBaIm9JIu9W&B=B{g$Rzdd@J*PBO zP2tR@0dxd=q4BP70H!g$l7ZD660uAUTN%Axmpw@sR$@R8C0Ws&$Wu}hJSXI|jHN$_ ztR3osZ552(6+?{_bZe#g7Bh-(4XyeAAVTTx``Fqd!D&@+2`$~Vz^6%u!EzC4JXxhd z8Nx;rErNJ^PY?C3 zwPNtGdrb{XFPcjCDB144$a$D!D)ECrWXw{NB|68Qk7rMYItMNq@2^I3zr;U*1!)oQ z7iN)-1M{}U+PG>ZMuRjhty*7b$BOFn#%UmIMp_ac#MlTuGZ5sN6m&|u6I0MB4(jL$ z-+WtpTwYJW@X%ypt!e4aSkudi9!(*vG6TiX5pa$p1Pg8f&*7sGY!P zQ~H~&F?bi2{xx7e4;*{+>0iUeNBkJwuc+S(;O}9%+dQKdM@%X{wm;6qN>)^vNldvRrEG`!45@}}`1HMZ*h;d=}82zGj=pD1)`^IYf zVZi4bJMX>$V5@@T`du;eQv44!+`(uT$_{)-?UQ# zvZRJwO8|s_RW}2*zSy8Wg@Sd+8I*1>Y7B1yQG+_w$qLaHcoVRf5uSaN~KO49;7iPcEzwP8To2@B12p;T$=}T)1 ztL0VJ!S?KWI{HH)yUVO4XZ-;dqVa4mY~PY>#OgabFP2AdfWKLNbI?G8Dp*HS{Qk+Muy&ei;L4a(1bo` zLCx-paCJ_iYGK#JQ3sJvmTGzLm00BX3C%(4l+j5;516xHf#0%8g@~9AaggQek zb2=*-25pK!~HN(;Zjc6(2gnv3HPX*}4H7oFd!>@4@*(3>>hh!4IK zV&(z4;hVhnC7^O(po8FeSxZi%O~Bp_ z5yr3U6&SDS-^zDV3ZbC;B*CvA*p+)jxK)myj}vjpgIQ}j$OWGP$y>LAn4^T-OFx4) z<>b1iU;B5zkNyq;H-G<27RUn-vToF?)+YwVdV8$Q2`vFLQ_H58IO2B{=+7(7spoJ= zJUc1b+ZH*(k<|<@4b^Aqro$HvZ3=E1TqqeB9XAC-3q{FO?AKceP}6ti6Bz@{MA-^n zgf~11!ymrFEngamZj(FmvvziBq>u~m+pcouI5FnwxjatJnal>7Pc3@Gy4Sw}T=dO; zwKaObZ_xa%56);m2-CgSp3l9|kRuw#V`vr67rZUE#nt;h_#wUAB@BK|7ma3s*O+#= zmj(xmFAUiT=UlOx&wPgBzZo>p;$|@@AvFn#V3nD!JT8Lde^vylW>i_QChhA>4~?_* zBuAz913#+CAm6m~aOt8X2ZC(J()Cf5=>$^h8ltv~+-m|GzBK=JjDglXH^{~&bIQ)M z%zh$H_*Y@C&dD_kV`4Tq&A{k!;Xqd}45QHwgKGnkk0=h;>7LZ_$XO5qlWR7cG z|10Ey1icoCZvgxKuGs|D$$g&(9mO7HBS+chbn<){9x`TJh zpjRzzbIbQL~&VMZ;+uT?V;E4w&w2qM*-ha8!k&vec79w^&+mS0jCA@< z*>A4>A${zc$@fNMsrRhv?OV$qe6IZNoaJ#L{%lpNes5KkdJ`^&zWL1~#ov`R|CBy) zFd$K!gSq}Uk9>bq#^HBdE`La$ICw$Q;ig#PPk7FpNFTSJe}c#UcZ9#gbKyk#pTg7k zyGP&QVLy@nr|=~Gskr1%!2RjqZ}7N0^S$<5a`cy+M?7D4Ant%}FtFDK6`2O&`FFwCv3AK$?;-^eNfC*awwi5l zT}1wg(ZFKi>8al0^ww8Kv%MH$^_4y=DQIF$B)6*&urYTlDd2!|e7K)#k!_*3y#b z-5ayt02!s<0Aj1?i4Bx<0?~Dn{@S8@&&b+(AUXmO221VdEb*-_kU3=y4oq@(vcGVc zcib-h(_z|cF-aI{?U`cLg8l-xga}0Fy`H)ar1fF^M~DcAvf5WE zbEUcWCI*8=1GXf@{Z)c@V2ZigS%VmZkyAls@1F`b=8*L zUIXO>gvs*ZPVWfJz2ZHC*+p_IHe0H4Vzywr=<4FDD@$@A661kq)+%+YGrwAWkiAMO zzah6ke3tt}5_jwQ0I&;*TG=4RZ3pM;@4;4h$;WnPRic8DdA8~07X>Nxmc-bqCDf1+^toGwa6yb6xuoz4b4+bloUuF0$sRr`$uqCFN@ZhcdREa_*(~WUq_v z#z210kln01@e;A_%?j@fQZ)h9KJ6~sX!6T+5%%&F%LMtx-N3K2sf+S#)-6S)E)apSXr;-M-RQm8qQLD)c^aDPc6B18z^u)B*&;gwsOoO3<42C&al)+-E zR!XS^hpD3B!skI%ff+rXfk8YTz@<8)`$d`WBiwFW<}k~Oum5KrUn+)|)2w^GzNPBx z#^-6SEZgaAE_HO*0+zNVWe{8Rve>AzAzkf&HTwSl4yH&la4@D^Y+AD|n_(;2P zX(1EF>F_ummID3`XUVnO(l8gTD())-aa+JB@w$b?&`woU@QO?;@6;e%p`mU4kBrDG zAJ>}B-Kchu^BE^GZCbx)uTu(-6{ZwXfzqJ{vgDY{t5LiFuy!=@o>C6hyk!lLmnnFNAVJ_yg~~ zD!JCOqKP@>{-VX_&Lsyj^Dn=ZYx?9%3^CT&>{*C4s=GWY*ti!pG1pIV9BIleVdrbB z!1Z&JTMR&=qM``X&&Nlg{ZftvS)A3~Fw4A9)vT>yC;f0N(ltJn~ z<~6%QN|?S%nBLQH_?tE%L*3v^egW}99<%OF2)M`2xQv<52DS=%eDxFd%!=3z{JZ+# zUryqs|1n~Av!mz}>LJvpaQTtDibpqWTldTD>t|k+&8nRV8jJ&Op=P)>_LPC;t6$eH zzuWjaz*6?}xlFd0w*JD_IHA-!flVGEugQCB*J+R+q0c?IAUrw^+vZG9e{%0x&G zE4`7QovQ7`NB1~0TZ2||0>82~v zc1#N2X`G;@ekXoJoquJ@FxI|Lc5cmZv2MG9+ro>YwO~Y9*#l_po`t1vQ5H%SKey-p z>uZeAM_ROwTTdJa-)^2)J_nSY%!(J_RG5y5kpDWeIU9coCi-Mj%6fH6Z$;;soo=A6 z18?^ABW&VvGwLkoEUa!xZWApo4uQ<&NTCf)04h!r(gz&s$&d3z;pMbz7bJ8?X-Bj) zLZ|Jl?<_pa*8B!Q2$=C0sQP8`Koz5+?CU($e)WzFQGOT~sH<6(jG2#FG(aw;VFcgsmtbj_?BTu+Lpc@w$g_aSv!>Jk>M8!WHcFm8wDgaDZt zER!?fY2y>(0%r2bw@GQwhQBmwD^MLU1Qm;k$pwbUB+uPBU+Cf80l&lj4Ipym3y=MF zGGl(gwD6+N+jKVRXmU;}C=B>o{iY^Vg0Ca6sL#&MXU>j$vGa)dO1ig8v08+-bm7a; zauWFWyU1Co)6MRtDK$wu{=eU!Hj%%r*6NNv(0z92`@QXeaye#8Od0m z%*u&qPiuL;{Qchi*7uGnukG(ye7~DsbUyF5{^Ew4%rfQg_w!Gvn(idW@^0o_pZ$Kn z^Z%qNB;Rpst8Hp&Umn_cIbd$GnVjk=y~#J^K}!i_@Ocy%7}!9{d4A`Nz|Y3xRH#$G@{3A-j0_WzQAG-0l<>aXbQ)F7E$&l@0r`)rC&kCPOPfYziz_ z)cBcPF_I)pxWeCWlj+^TFh)#tX<${K0%$dX4xuD2nFeYmm?$my0ck@v5ID%ZJr{eW z?)jMTQ5`Nw#&|Pv&?tzWo__$Hi$=4%%Q@#xIK;!8aWt!RSu6>Sl`V=>%J&=H1DR33g1v*uiN6CdGMH(i?M*w+> z3Ox@PEo^VF_+I|>#%`M=9TTrkv}{gep1>66H3h+*>^P>54wHho`Nx_1uJ^<2^|(Mh zN0GBrAw`?OA*U@HZ$t>N86B%rL65HUgINhK^KaZ{yT&2h-FHbXG<4*X9gI&g0q>E$ z&DAO_vvL$Mo}DlXk&Ps0@wJF{5ZVLhwKCjQla#$|DuYb2pJ&0T1uRZ#^FG+8m_4<*(F*tl1vWOM` zmEsY{+8=aNk$_w$FQH`+zyk>QL6iT`4fuyjT8$Hc|1V(qa)2^R1GOjov<(~ECp&>v zhvS0InjNG;A%s5O>W3G}9xFH9ZWL~uVEjVMxz86Te6Uz`bn_b^-G)iV{%1qL7G<_Q z@EQLNVDgG&)9E9;Y0h;Dl3?tiE(|#!DQ|@2zYs7u6PXhLNSHf}(4~)J6 z)Nb!besE8+cY6#t^5=xhy-D{rVSIfBrZ5|b*E+~eF=*XA%Y4RfQbsG+fJ+~wHq5IU zzN?zt4!0^_NuAPc@nBmT5Q{fAdQnujmG|tFlV!(~S>4OWqe4r3t8*H+Xfls_P_!rR zuCAv#r~XBvw21+q~vwe06qq;sRD`&(guag+22>rkDcT% z>kFXXOYP|u;1X**y4iF(wu~T6&m?M>ok687EXGdk@>~uZN)sF&siM+e!jy8l4u=pk z7}gOrOQ%ei<3``M@$~6N87AxU9cU%9RhP208#+%=+4)U-w_>a777UkPO>yX%lNMMG zBK>-0^%y3Q29vJ^Tr$*EdeV{*o>ernph;AD0=7gyQ1v({7xJFsER1tt1g z3?LVT*aog=;{0FZUhqR0?*sKcvWHwJY+yZHnhrX@8Oc4LS{m zqwUErX+Hhnt5!izW*(aOlwUpMQS^e^@;y$)iaWD`WfM?o!WbK@7b4LJ-x)v zt947QKIZ{JZ1|$;VE$2oPe#>|I=biVLHQOg+bjL-gqx3B#IE}{0O|rGs?Edb;)QA} zZrb`)-r*8&QnIp5rXb}lub@3Ai(ei`YW!xO4<$+QiqY+|;RL-;{Syhuwn{z5F)R)i z^k9LO!mKSntn9e@DnA_gJQ|g0@nP^oNT1C1!?T5Qbcf=3PUKx)8yqk6!>b~V-a~U= zXkJ$f!xG8tY@Tfjb_*7Ba{Q8ci)FC4yvs#D)GLJr)oz9=MMp7^#nS48uI`bwf;~rq z$`x!}G-0iBwR!MM>F8i{?0WIedvqqgBESCrj@$*NI__ms_~knt?SgtoY>p+lE*Uy} z8*oGJU|(<_MH_UXtxHpmouB4Iq)l!o_AGP&lS&9qhiY^nrDuql8KvL7Hd3Axo2t(Za3x`bdznn(byf8JF1Cpo29Gc%|pzN ze~hy4%1%0*lGal9uTw)zhFb~DgTW2+AJw~#%Fd@|&vJ=X%56wU4Ms))(7VVQv5J); z8)V3>JUkCA$G%IMSq8dcz7c6^pC|*2CoFo>FFvG>eR{-e5Wu5r@a#<)TVR0nRNVGF zZ7BU{^&8@8*>vc3U&xn|d+Lt+4*O{dL-)-$1!iBx9bU>xk6X1Xf4LBoC`F&gwvY^! z4Xpqrz*u&AJU%NmwY-aCcTpx1yjtz8(E%)El}Kp1b$PUjW?FV+hM4%3+6T7oPg81r z(0rOOqX#o{Z|e4UKA9oMCZxr<1qL(*{Hf6r5qq| zRsCz;ZP#7_mvt90I7{%}Ibv4vmeFXj5_oSv*^74?BUhj+PD`V0#MZVp&q7O zdNQin`|=epyREy8UI&zH6tSDIBisBik(ZpEhTgPSR(m>mI#Jh&im?~WT$kZQL^K76S4kBb{r=fS#3z){*QIQ5fdz7y#jwL zC5zF7xU~w{stjP4uY%&uZIqQ&yjzr&Eso;j=lK;z3ioi0VN5240W}g|-5w5|3*(&_ zZYVYUkU=&0IObpK5LDx-jn{*>VqzC^4&U56V`KQBypj9H$j-0#6BX$0+)I{u%)Xzz zt@lb#kyWdBv*c^|%mzpPwZDndx;{cjhf9f5`6|eoNo3qZV^x{s9hUm4w zvCVVcNAvU0KqU&ZtT}i+mxLUPzX3?Wg2i>ESD1YHgY2rpFGy95P{PFObY$uqp0_@V zGzQ1T*xyUNd*Az3OPO5jsl>@ON+U9gzyDTDXHf^W4dfIS5VG%oC|J;RQ!lY=zPi)! zfYPS&)~i=@up)t5JgYP&lHWhDUbA2Rz&%QTjcN!~>C}{x(h_U>2TR}EOo8$RGO9nBDn`f087j zj^04e7z=*v_iH*KAJLwsJ>BrR@*BXxVpk(%Ed5s1Ow7#2`L98dxBlVczbD%H|4J#U zfXDV|Z+uNWo^@$l+~(%>IVV%2kReb{QtXd zoW-X&8XR_7w1qO$MAzY;Ia}v)g9k;eqk$P}ft`G##5PMRUZ#$~o=%Wqa*Oddz^^2` ze-3?^xBjV-^*tlBfAV7G&#}?olylP8wUYiW$MA8g~nCURfvL85pH)@UiD#QBx?fmxE)@kp-xB%(uJQI>_q)DB_<89EQe z`SxUhap`!b&6m2A3fVEYS)%e;Mgz;*lyafB)zJ5{q1y@_6H3_5gMy7zTOz0%-^%Z= z=cbzEP02k%ArgivR`#ypZ~~Zt4{q@|-GaTNLU`Dl^^ssN#ETeKE8;C>!E6TRiQ0?p( z3aQS?ZUj~;(Iy(9U0EyLHT<6KW}&_?*}>w_#XaZiaRW4yfuOXjRcsXrR~4sh;E6Ry zI|;=N+cm+PB!YWuPDc_D^{2ku5ASXa%n#FE8F@ijJrIMx#52;FZ-9L%d}j`k0fyd< z%Fa25{}6D)=hGwX*2Xsg_MHVrmHC!&Ewq&+PuRT7Fe(=jO>z5K$5mGXEgC;b9Um=5Pb>(tQP!Gc2ZxB_ z3`1PgZ{6gU98@i*XN8%TOW4tkryT~hDq2+zZe%ePJfCo`fdx#}y<$|bZagTJgz7TL(@>zWb9E9J=R2@$<$_Gm@Js*5-3C*TwN_c2Y5Xce8YXc8X%6=^jC%C^D zK-O$>R`2laTtA38=azX{dL*UfW@SuGYACofosC#QXC$OM+Y!OwtE4=(DLr3|>pPAu zY(RK4Q;T)O2xIM@rglc>JZv!{Jp&6`<)z_P%iXtmRbi1UOB#+$#X{cz6E+;DU1s*P zS4StOj9Q|>Z_bup>vzZ-#$h+y5dJ;9k!T_1w2V6gD8XW`uX)9Fud0nh; z4&w~Nrv9r@`fM%~g^Do@!+qe&UID(I+%1)b%s0^xJ7z@A#+K}EocL_L?a{U2 zhK?><+0<6d(~cCoq#z0)Q*iEvfNQ*870_!zxI6<`dDnani(koJ6r_7P(rrTFCTI6q zs$$^Q5DLC_(ONSs_Xf>QiyI+(4qUw_VVXY#MRpwp20pKtIwyn3pFY>9pEa2BsK*n` z9HZ5#8;X1Fi?qOuEO58I!HUqf6ufil2;GT6zkE9_sZg53Iy9*HSR+g|3rt8D3EYSx zqVMzs20`IbR@vK}7+xPta6*YEY{RF=%N6_)6DqQuGvVz`Wq%8^k(-ZPygqF{FlvI% z*R@N75mcNdB(ED793rK+`@~QtaUHgdtZR*Ib~Z-YsDsDj`YdB3M7l{al_-we+S1WO zy8PQ+U}~{G4x0r}XU@-d8og3PWxQZTy?Wb3&)Ze}ba1}0Tb|NxS9aYf(;BBSo>1rv zWCofgw*v2-+uU;1S6%)$^crE$j$xb`?n7*gpPB2Qid&AXY`n<1s6{HgG{Kbj2Ul#DH}EJKLs z2KCIbHnLW5i7d5s+1C#{qoXsJSa0}xVG|=dt17iU2EI(6Vwh*@vrXZO&!PEnKce-3VRW*R+!m)P3p#fe6sw(=6S>T zh{IOw&1#hdq~Bjxel!2BUNTeSJ#)a{Y9M9!k>rO=P}S47XaAx0KL~>S98`HE33+kH zD>1w4^^qV7Wy~#5Jy6OeGK^AKZk8{;xbh>CLvroU-G6;B&w1}pn6IxJ-^G*vpN!d% zgp|i*hgcIGiH3Ra9qCYze3%YBYzg2T`X5Zd{qdj?zJ(G%B9)@k^YX9~CEQ1mAi+ z3Q#ZjrFhVK2o-(&x2>ZkD!@f_%RzXzazn(pu72RSrUM|S89{bbDx9Lp5*2{l-~gJS zS&{kqSWg@dVlO7vi#7L%KTA1w&V8)!J$P(~_6td+SRG~M^_FjdUvOpoSQ4#C<~QUf z>{dRhl5HN3W7^|V-ccAonIld9nGO@WbxJrw^u}wNvePZ6<(%yAF*|t%eSLHy$!&K& z@NaW~_Ap+g+bBtXYg@9!dwA+Zk`O0yg@4jo?$>VX9_?N76Wau@nf{_%`NIyXAA+O? zx2hlIoS4D-Ly)YX>HiG}dX4jT_M^?7-7FX|34MZ0%2zZ+n5}Yhsw%i$ZuX#WeIIXb zm}N&yP;eKgE;(GvjrV14`v|k9y_9%B!ir#CX31@+EJ<6$(S%T?A7+0syG&{c3vIyG@SR z%*t_GgYQJG`yBcD;GE*dT4=I?n7LYmUUk?CH(%FhYY5var+nNEe`W81#;@t!Ms!P) z_D>!91+Lax7Ya&xk!D;v6ym#M%u}ehr%>uyo*2gRj7z*~QVoo#c<{iDzD@9>c9987 z3?=$5w+V}XRY7OrKvIqbHK(zyKdrEOtC-D*BRCw-*Q=^Z5Lmz!!QEo`@15^qWPD^R z$X$qHxGg(+BRXzXas(4wFwCznc=vgY*j+QF7y|t5we@(aU;Q!Q`S9mX^D^P9TjJL2 z*$_w;e>G;3%89l3)r6#5126^OwHh_Ke3-;+1Wa zDkVt?&I#ee@QHj(S(poo;CY9_Ccl__%>y28TpQf5e&C^De?@m5@wV+L&`&LdxxBPn zn9zBX#*iCiPRhy2kjUpPpM8JQ(DPpI+DFhiXBz5dC+tVz-`>T&I7es<-tCl>r!23+ zC#q>&!6f^K&LJeT}mHIkW1>>R~%wnKkh|SL-K3 z9>7rlaimV{z?^!&*U0LCeZ+)m=A0d)gJ5@o9`S0C3diBFs4ia)2PJXrY8F|nkpYh! z8bLXEr&wa%TH1Kv@vQwdHJa|>3>oSPBu(l|x7#<%kQ;tYp;;Djc>kb-i$+~9s?3n* zwl|!iqD}-kQJNCX3{h|i_e%K-DyUsfXqOFtiyb^~f#yc8FOm+T$RIH6&Oc?_oJ+h} zRXE^%7ulMu8=N@m6h@`J?q7^Ql=sRKt#(HRlOpq#Ow{Wo^p(AkJwqy?Mu8C_!G^%q z>6g_-J4Lf+D0c5FEQ;nU4-~@g2z9On>BJ9(>%DN60^#wQwfZ;+b3KuMrFtg}_YGiO z9~xzoFX_6dseG=&b>q}38lf|*;GESe84X%;=#=&k{gRG1T&}Y(BtM_a5MD1*%<~{- zq0>ypQAt};oy+eq#cobKei_k2NRcsf=U=9msl^I=30ZVo*t{^p5n{AQar+jY&YIc| z&tE!h++3yV&!<_RyiIs!2^zY$7Om~2agfoYwr7IWL=E+x2`2zq#28(*icCx_Y&XiC z7&(X4Q{egX7w3?~605b20@#ihDzjO?eFf+u3xYS}GQQ7$DyqHnmL_#KX z7#aXC2Vc>6s3N~~LFXaohY4(^?8IwTboCGv8f0jJWsXmJdJ7sMKoFKVuWdv`^3K>n zF|b$d&Z#d$=g~ZGG6$F;S7J(AhDzvQ=CX$2`JK59cUR7JkGMR;8N(_XK9wfxR~a-k z8LYZ{sXWxo6u49)uQ(AJ*Pj^0nF3adnnul`%G39I&)tdflk$RqyjxjH=pJ01IGpOF zYcAplaywF_SfveXvsLZozg-{xL`avLxrAbIUSLPqM3m5?QqJ|(J#aC)f(~8bp5?%e zG@xhCG0wf-33Fre_oIPSz86O?~ecS{794Et5S7Pi=pgg{=*JVoT+6+&!Ccma?Q!WF<_^Hu8nWZfN0nd2HUSHT*L5$wv@aG8>rJpL20N# zrlSY1u3f9wV`e_RAUF3+Ra+s^Fl=tm$dZVQ7H7$j4X#bFoRaQkgk#!B4)So(MOap; zbfw%2A9E?}^fFC(!s}9p6thljOJ=g04bFJVINH@j`%xl?W1*YYYdw&p;B@fd zJ0*1lzCQ`i%*%Emrs`IZO@0VMG0NO92o?Zy?tj=P?{n>wVh&aP-H)G5h+36wQNwn^ z(@7cqPPVxZ67us>^uh;qv<+NWRwLs&kqc&_N$x|ATs+;naCCeJp(Oq#H}ErS_E`4y zY3CdXqAsL7sn;VP%`!+w2+3QW8QdSMT5fCIc(vUvPic?cHKjKuJu#9C^^JZ8MY_uN}OO|ytQ zawdz~m2CESV2erdjXToc(7ZZ;bST-VJZf`|G z&piL=Y*6H5|Mj}tcLk$P56XNVJkgPVbZ_lDvuNy--PccKsrLaN zzB7HzO168yY*YNQPcr|VN&Y=Yn#b#>+P^cYzFWn8>fd6H<wcGK zN`&q>4<@%D4PC_Mk`LV9QT$TS_6^{7ymnd6;uE#eOL;`m2ptC1;yiRcK|e7_5|pQD ziA^1NBgM^<2?<94^K%Xz#GuG~y~6QU$qQ;jAHr9aXLc&S0U}2wi%%J7O^ll54`*n) znDkEuafq&#W|VN_`Ju4e;7KB8=uO3bJ~XgXRn3#_CCc3GktS$xxF7mBKu#BlG|n_S zbQ(32=?*1Iv|iIH0nXbl>$}>{vEVUtppxP?1JMk+l7{~AtCU%~1A9~>>Afy;#QUc7 z8#le=9F+-~1BO0kBV*#3uVhO~inuu3^4@xNj_^mN%Aejh3O(9p(G&0s?90;59ojyQ zAwql4OE445uIu(DikfX0G)Y7hahlw9z&=CkOVr2}MiKd>1K~s}8iWmm6CO_(y?j@} ziavYzS@CDHHxLzuWS{Ov=j=+txD+@*;#{#YJ%ax!tV__lGjG_y_TmCjbf8ja>WSu9 z@X(YLO}dz5(CKjDkC&V4VH7edHCZu<_U6GcQRGFUAfDxT(^xI893t9iEi5dT=oLR_ogi9r*Wym1^&Jnz=Uyv% z{x;F2kh9oNgEMg-(irC?wXRp>CTf98bW|Ziwx%kcGg%?Y)}O)e;f1EHC+`NMZf71L zt45$-#VvJyuJ)UO>{r|_AbfWC_3?j`nWKIMlVOP@XKElr@aSs?v6yk$xMA67(J2IF zPmnSpH+-$*_)v@Y*Z9#S?_X|o+E&G5Mat(O>PYI{+z1)w%gst%n47{9nQ|g9Q4^Cu zl%S{06N%%<4Jh<0Ej$YNfXC+ME)VDt;3CO>Pk?p7&|nBk)zJJYGuz9zmcq6LA=Yn2 z1$1dLqql+dm1z}uHC2r9{Ggb-V%JCMmpvm%y9suiRUcojQ07ayHMU(=Pyg$bi-ND} zs;7bTnop=gWLKGo$!E*mV4jot+s`>8l<^fzfAAtO`=)->%AW`o(ZtA`hm*E(_ z=siTVv$2Z!Su6id^XOA^gU07`|G$*nP9kWq$nHi5;CbW z3;bte`&`O>ZPpxEEBd&OeE-;uNAtL_5?9LVZz0n)Kt5ogbf6Q%*Uv&A;nnMPD-E;K+tU(41NfQH3g!bE+~#Le+aHUZ&XyE{P$M;EN}&OCdTm^? zFQ|dMY+9=U!H`#RL8qU6UdrfA*dhFAB44WeHT~aTC{6Y&06>l_e=m%$6EUGTW+Bk9 zc9gvr9V^gf!)xcWn{y({)o<&HtS~1SPB*NNvTt1O_DAPuX4@Sa)*a~Hh90W3rti5OjR#wz`WUpJbiWxds5e}vdBbGQ}-vBLj z%`e;p5|?E^eSG5LxKXSdCp2ACNQ?ZKa*&xhd(qV#US&I!`{dm6~ zNEOD-{3eUOQ;?kWd9+@|QwwyxGf+CCmI}Ggp~AN=JKqIqgZ9RZOvKpu_sMObJKB0y zdzCYHPq)6k0*ZP-CM9(n|Fv*qQ^tLi_=Ro?#MU=9{~n3Hox|ZmFX%(Rf^+g>M&0I@ z41YFUBx7YFEg}Jl%I-r^GXTfu5(Q} z{o=$F-fCRH-HO{PQPs-U3O0yxVZrxmGvhmS1A8*`J3u~g@^U`h6CwS)b=~Ujr*Op6 z+a{TZOBErqIrLIR<18#G<5U*>yIy-x>pSa%bYv9<{*_T)=)Az)iul|RrV`*~M!F)d z;o1PK*|J$PHSN27?=EYDpe$s}TjS_anl!QFZLuy>&Jccnh&uE4RB)+T*Xpq9vHEN7$=yWOJ78FV;=3Z~uo=SMu zZ|UDZ@pOna!+?9daz^laGbH!JD9^Lq_${@#h}FvSgh67$1vUXraXXQB$)=T+4c(It zVl{DQATbroUf}+V$ulGDiq2S6@rbqs+lr@1&$aW0E1nLeuacO zA&)?v;b8Mi+~?r?J?yEURp!g*)!iymLx-`scmhpP!jfVpi*vmTNO#wiNh1`)0JV(MIr*$kuM50(e$V+$7LL8Y;d-aEFk`Obyj zPYQ?DcY{ACs_V(Pdiho`i)Ki1swmh5aMcX945Cyv66j`y&pPko)Q^HCtoS}!RP4RL z@jo?HqFLL2LOaCE8rl_>fS9?@MrM=^6|p)nSHQ226VhtoC|@s-_mZPipw@!cQcDeKs5>3B81ar zIAp>kg64?{k#i#kpQQ}#bLZ(4*}cJgq+lH)&FY4FXqS;S%RD^3u*Y;ENyR$1lRMPVfr&qWeN?GXt75Nf0qGiG zJLs^-FC@cqzKY)ng2=9Rg37APc-~c}kVxJfMXn~N=Bh{D*5mKasin_( z?H`%NpCQ8s){?y}?A%1tX~>Z2%UM@U6H6U4o&F`s>#OCquNJG<@`sOAh-4=@uDl+T zS{b$Uv2LAD5{CK;M7HeIX9X*R!yKZxijG=l>5beGRn3^}^kK0m0gPJd*DhWDfxHXw zdo3YCy% z03M`Plo5<7=;AEFRd+cIWOwZdYfm!Ao5h7p+_0XGicll|BH(vGFCW-pTG8S3M%f=E z$4xVEFP3(qw(HIom&$@lAf%qxq{`%YLT*1vB+z=m4wI1(3vk8xHwskmz}EaxS1 zXO86du6YEJ%>wHd7M?GGDMN#DOchp`fl*P`M6;M{sW%*WU^xaGRKm^zS*P{J3K+_= z(=Ra^REduG%7vRt@>>^dfgx-yH>cshg3!TMPy-+aDtwA%@mw+bwQ1zMc2;?Hzhre+ z_=JdUeg#jYM`qvAP?;Xu!kRuT3z7W`x>(NyOmrS#$N`n2d16`&=+fo2C+A)|Y;Brn zEmd~}4~*=%S+aiv?0IjFBBV=4Qme+-uOS>Ik^P4D&AG;HLPteX@CZF6yETwMZd0PC zuqB?=@n&FPukj|B+g#~vox&xDFnl+OW9snY^+EAfxpn2?Ri+i>7OJH~lJ2^i7Nr`Fu;hPu*?o(F3E7!X zUv^i2v9Oh(n{W8+D2U1yC1>H)H$}yDYKmsKEhP@|XW(SgQv_8n zVwK35FCVz5UFD*VGc0Hzv1JDRmjxF7cf~oFOmx2isPBGG`IKt=JfX4`k~jX=K%%7FjfFUYUgW6BBqtJ>=;lK; zdcvPd+dSoOGnl)|o5UqK;#`*@7RlUkXdZZcf6Za+A2Aa(BfVfeIw%2g25$VVj3Q zl^i3VveV&a$skqLhX%d?*YmpO{1wIo z{-Kug%E`3r^JxFhLf`NT$$JU;HkkORG-_^g?~)u=>5{R0>ct3tfhdPH$*^Ud|G=X0 zND->sBG`{3W>V2ZYcD|)-5Z(#$_#-q7VPb>+P=+T_u5(;SORzZ^d`FPqCGb5nVh`K z))T7wJYHp?n)7hI{d1-Ff#d_ew;yEh{>_mG z27j}4?Ov^xSk14G{`|I#JLOIbl=uFScD~gi8Re5(fS=cqol?mN8r52!Ay|AfG<^0w zfWr8n&iw;ZPjlNE*A{-gcBmxKJAL~@zyRkXQUm?Onwj|vnc#xyk>fKuy*c>+|48+3 zK;nU%4*rmeTHUSXvYUW$JkxssIs3qC8zf(08@g6Ey__&#Kn%fI-nw`*sKP0nb)v{%Bv7(2>g9d?u8IEhV`QZN!q+7>POJ=2 zZzxJ%K*IR$zyO<9`W!=kVq0tVfZyl4n=|hzr+-W+DW0(XAOSq*elEUXEcrQcywcPy z|8plT;O9n~3wQ0C!!OY0{LM}o3A?{;v<(O;pO-5*duB?MCg{x`?dn*=V^ZTkzwzzh z`B_i@vlQuxU;l9N_kGg;D8+wwMNJB|MlI_GL332i7!+Tyb5RNnig34OO5)>V_iAIK zLgOf({PjG7IKW?z9%#M=`0LRF$158Cdh`Gf;BSsN_=n2la~^&iW;7{+ut7q3VH5P!DRrzqN3N+UhQg zYx@4Fi-@2SM~|0rNo~n|PRQx^OT3~v(Btmu9M6wLX(#;pN5A~75)wfAi74xjOhSI^ z%T7d3`2Urvt%Ce=1WMN`Ndq*BwaNkuN2Y^BFcP_IK5!LDCmhtxJz3Fw!F}txl3ZX% zQJtFOd^& z^MY`QNyDX|G3G?p`#nhvP%WH5*&2#X~o~|RD{d=F++^5V=%IKsF z!=j7RZ{K}jb*N;a{ATH6>ux}*MCD)W#rPQ=|7RQW>E8hP`74*Fy=m_!&NB|MKN^|* zD`qxp?-HkGm>MES`=wqqhj6*8B6;`*+ql-`QvH@7wp>yY4+_U*o(UG}y%DRgy@v zIoubW?xxvdae2$xy>K}cBF!~?!>UeQm4@1j(lv@J+r^WAhdSk zgId#R;(ui#dw2$lvlxyvtWM0Tas)Acbz%h;TGv>kwacdwUuHz$a?Td4;9Q|)ftofy1WyyqvNjPs9{Jq`3 z%omS;moHx%^N#;VW1w`NmbM27k4RNwEU_lyt*QT#K@Yc}p{_B-_twH`)`m{K{}b)^zL>INDdA^nQuS1@)0mw97^}~R}!s@)#9ex5ZaG!n4 zGwc*=Dca9?{c;-N7T->?m`NZp`9^DITpp$Opl>PeMKBWLg1Kl-ws|AJ?3nqU%LBWz zUy%mAFrYT2vP%1nTuDa?x#V$Iw+l*D3Id1F))^5^_Bt2``bn#?e1RY>8SdhwPvkRy3*oFp}n7ATl0L;EC3s9(ZB1R4>k7ZD-?p}sd~ zb+B`MkpikJn+%onL79_aF!%*pUO(!fP@x5{QI)Z*f^wnI6@qraAQ)E6rES-G!rkPJ zO)YZ%@JEtU;J(W;!QF&&B*xfy8C_T27O#|EfP5L7mh4Cp%*<^-qm{E{vf*Jlif< z4oWUsOe0>PS;%RADt>naUL;3iQ!DL5Q z-y|4+oY?VxZ>zkjA2MEwpCPDEyTes`BJd3Vwnk}3>x|2|U=dP9NwT0v31bkgQAuoa zS`o%VyD6EH)#XxoP&5oiEC)YXe=2wmx;EWupO#<>r{IH_3nuEZNZtaI=B#_*TF9>< z2a$6Lz()KnyI)B%@4*^|VDMs6c82-GiQKm2ZjN>_pGM*DAiqy=cB8{&yPUNgbgQ>G zM*fi1?rF>x$I{rJJsLM$dLd)K*S)x~f4)+H9834Ycv-&Ad#*{8J&+QvoQVd3>Xee> zueBH1Etf69ebA9*>0z8<{0ijRu=22P zpf|m0cSVS|tUZMsNwb)imOJb2KG`}!8PfHoAW7$glAYzo{x+esYK*RNKvjBV9J0w8 zcA9VZ95*jg#{1{Gw<{UnFe;>{O4_Mn>=rVuG`H(-dYBA6fXNsKD$&)6`6~8VO$W{t zc>K~Ytm)<;IH+TmYIuj7gUHh8z~CrmDEI(H{6r)qA*MJ7WFFMAn9x9m@*G9oMZM&q zi9qr7&`5=WByyu0u7%(p=om3X5|A^F(^!RqI{Hcl`%6sZI`zD+r;GTc(Hc*vmH_s) z37)uZ1C#}f-Kj-t)n2^H=`)*~L(WwX%@HlGt6YML9aN|jTV#3O|1n`lkKGm0W&4Lr z?0sCV4`u{57$1?E`p$dbtBJ3>y@SKcPIYP%%Q%B%64Jdukcfz1-o9YJ6=j!t+^G|L z1qhN?o}1j_nE70`tFO9oRQ%%y>Ri6Po2ND^CMHItI{w~89&VO&VK+?Im)Tm>g2Pp0 zCS_N>3rXp?CVbb8v)P(qX_2W)HkeXXx?-pl*Kl@m5*z&LO~pvm^Z>`84;k9L;Mo^v&KAAZ-3kWCNg_DY>fK*bKFcaH*-6;d96q=B;fVFBZi{i8a& zTKqFdeb<^j`L0w_HX4r>iL#sOi)=30B4|t7BrFApQ3ihyRa6L5(x2gEH+i(#xUaU?}V_M<8(HT?cn^a zZLzllxw;d`X%(T%a*s}mcf>#MOLRzl9@Y9>Zd_8nJ1B8n0v;Je%$I>2Vhk0Vb65M053en64^zmR#7$t z^8G?|5YGm8o!-YDIV$SrT~HlRMH%`NmDSq$z{`wD!vNss%o@DEqUo%?vEzhd|2>wy zIyajw?amPc zpSc}WUR7Dr>#8G!{+UEkHnHq9KeT`GY^cbyT~rj43JLEq^>!tzhkRQSI$$Y~XBQ>> z*)hat$42MAc_kz%@3{X5s=Zq#tsNqWnD&vda4trV;c;!YF!GorB4xWO0xouYzpVJv z^>1gBbEtq9`>v2@TXNBodg%hh(m$G?S3@rm*JT?&Xu_M8Z)Dz$Op#|6u&y505js+M K+f_AetN-uXrLjVzh`DL?>sZ_!NkE!06kO-q6Ii| z4bT7_B_sR#e|V7}{vSJW>=-%uF{G1Al0G0;&{ z)3eeuFfp^Ru+W@5b()p=G$S($^H(89jvn%mAEP{WjFOp_nwI%LeH}amFq}9Nc;wU3 zBfJ1Ih9gHAjvTZDH~~ihWJkZ6`|Bd7IClKR(IaGswPy4Hz_BA_$EX;nj*(H29XSR7 z93eaOfP&%ppFtD&y_|2O_TS2=BOfh=Kq(Wc*Qs^E>pt6lSELWaEZj?`D>{d_=I~hCv+h{PHQEL$K_svi| z?&=FV#fFb;`@4uYE(03JEe4%l5H>?|g34dZY!csh_$g>rIp2GYCK?q;RTnNU(QYT> z;@7GZY%o*!X@!*J`5j}6D!vCH=BNA35R(I4o;j^yQIZrI6%BQPeh(mGX~Q*ERU!O| z_X9X6Sc?XBIBlr)e+qwM_-NcS&4&~)-zZ2ar^RI&;kg5p?N7&|9j=J2^<4O>Ml?{1%549FE4A zMJ(QnBIZr;u~CD}@}`Y|iV#0HVZNr|B>qls={50rBjG78keP0Gckf$~?(S|UB}>|! z-H*~D77(+)dMHyWIOQL}V)m(kz$p4zbyWDN;*pe?T$tPyV1A1MrWlHYn(00xBraZb zPkK1vE)kC|G$?AvO7|E|ci+vj|CMHU#a(6OKWdMPsR0ki0 zyT6G?XBVRE6%9QYoqX?#MFb1Z_gp#i>Hu(y#5iC1^s+qvR;+b}%57IzIte2BS05v) zQ;?OV2!tXjA%0qM1)qNMVcbkG6z)DWoQgotBlFi1S41{NDq2E;8B(zPIVzPDOtLZD zvcQ2c=~^l}R|P>I=ZaBiH$Uz_>dr8eSxt?!-+P-K+1cDR&~X6x*(~RZtXCTcly_9N z)T=(A@-EmAWFtDX&Ns>mq7!JJfkwCxVNML~B%Acg zn|Y)$%->T~+sTlp4Omn6w$cm{BNqb9g~i9)rg=xPAe-?!bg#y$ME(B~#Hb|OFT-yr zz82InulB+voBobOmDqA5kTdlqHy3Ru;{VPQY96ud;LzM8E zd6l`B^`YlmEnCz+{0;d?I*GsYuS1TM>DO8c+pp^WFEi%C`hNu80ifm(;BV!>_WNg? z{xy2B`#KNVz83#F24C&4|8Hl^ucmj@!-c#zcjetD7BB(g5{VMX)Nyj@ui#J1^gDKA zTAt-SLwx3V;`TN$eM5u;#~Zljthk+)cbTfCzaTS^O$Ytra`M>Y8JC6XC|pA%E=a1S zGNH>d8Z?3xWDF~%YAJE|ye4nzzX z#>#UZ-;{tLNSWywyTtSN4`|u@Q;m!|C2~NhRA|HF9eazxy7mtJ9_H;CIS&#W=5cw_ z%7Y8A`40n;5y}dAf08q-_#!Q+Tk_yav zR@0SUAFBhCOvI`x7`-p$cTR6Y*x4UnW17J%L`Kcb!D;hNdx;n zYu+w~68y-jQ|=3KHNq!T!`Rpgoj>nVjEx5})^lYpxGif~e1Ob&`$RYAoEpz&{ygI98PivwR%GVaBE@ja z$Wqf)ly!-VMkFQkM_CXmtheZbScfu5h!@W3!>0c{+yj>fDPFUISUQPym4D*jP*(1I zJ`~#gCZS<%lfy?H2zu7c4!O>6_Q3do<%{(+t?757)9lgkao9?TUSO|TZw;oDu&He( z@K|o3+C5)3%;_r5C67g`sskuOP>%SN7_@w?cGs8&TcWF0IJqwggeNPB$rZf|#psto zh}lR74ybJt!~mJkUK#T_SF&FAMQ~=9gYR?`{UIPe-vCh$K`}7+3|moNpBKguvMzX_ zEFRjKyxBE+ygUdy*A*lXv|7}|uD&Gm{E_%*~% zCW}tLgTQdLOa=HRoiFC)?J~2*@h@(U?i~Ko{dAUn^RfQ-&?jBupI_OOe%o6dI<>%+ ztIF`yeec*R?5eR^Q%ZL&dV?zR^aC=$~K}cU%GW+^g654oe{$5yAg8TdeSKqII)B4N_x=+r^ zZ3H`+Ap$Qv#S{4MJ~95B)^_~Hi2-<-Y;MVv{iw=&SI)En*}B)Qi(12TsdafVc>+C) z@u{{pmRbQ+DwQ9ChAK?bgVuy5F}R{FuK`r19CJgb8KIs4`6SnB4PXtN!&1?kP3(~9R#nsC+;BRNd!k_uP^XqLAK%qI5<39Q>E z83k*qz1%?gAca1aVC+feNLQ@@)_toXyqm>5zl30BumqA`dXw-TRh-Dh|PhItb+%owaz9i|SQ zhuSHDH77pawkc|rOzde}d)s=pHzX7iASxRxtywvg=xEFyk8sOmPd9TLeo{hY53Co? zFSNZsHO-H^yNQSt4d{JWXUr`=2m%?G7~ERbMYP_WJwO;le1<%2a?YEw?^7pEyhd^>>h>NT_sC?l( zR$Zad$!j&|+wTs%nsL*i>;m#{0C^ydnt=l=d~8kQ>MHnrNR@-liVTUl811`O-ppPB zB#7P1mPbo8kbng`Iuji_F|!G>E?Ey>O#Nz-&TW*+F@sz6*LZ;_Ne0jC?D{c@hEe@# zLaVgu-iWl=L{}oL_?z^!wm+(#TO=+P_P6{4K3*w)00Cf#x@f--nFD zUi4!C^{-ZENFP(&ZHsgMs_*h)=Pvuzxqk>8O{0&Rt$bShDd?*{4a)LQK)0V`&<}y! zr9;8?J70}u|Elk_p3j`f_iplA;EsJTpZr&2&wkVQ__r^=1l}!?;bD95)mVzJ`a+p3 zKK$_Iu;2XdrDe*)Rzo3YjLruO2=LD)a8~ zvgZ-=;L9@FrPdoFbbpNX=L&M9vpxADeE7>!`P^e0MlhKcMt%6uC%YCIaA(C=ucUzB zxR#lgX$Ylk$zf4+0YSuajS8mR%l9f;=gdCJz&|iJeDu%hSJktmc5*8&Dg$}k)SS5a z;ESE*8N2GO0QTZ*2!|jOaLMSpd$?&DR+?yPVv-B4E=fb4TD=dYmX!u-J5lT#*Wnox zVeKEtU(ib4ug^fLYGEd#+uFKp+K1Hi>KqO3@PV}Nd z$*fpY9PnZR7omNpFL<&883ai!>fg0#NFUSkS$qBg ze@zRy*5s+o8c1+{RV(1qSYk)0;&KWq(ss?4FVgZ8C^a$yCmZ#;LA4XTKD1(XbTTgQ zz@3V+F2WawT`l0M!mY72k&5&>S(6ANCrN>*_{%Ps zGGY@NzEqtn4Ha(;rL2iW2`dTdw%Ol9+QJ=BEDFzf8qeV=qV-h^&~<%Aj<`H`!BOGG zl2ho7tFtvdkBwiyUY<^sp`CgicL11>a^$Fe%5wm?KSDbfIm^lnW!7yD8}C3!8!{FeGo9k?0DYT)9zWK?6S-)GhM zvf7$dL&LVE8^BLm!xm<-EMQz3NpIBtO56Q8LF8W?RUcR4!N{CO6c3u(zo=gHTzH6! zNdBaoD#_ulqZ5@5PKwLBJP+-`sN&`E3e%?oXx)TI_twp#Epj{Zh&+ zZj6#RSNVu4xkP_$oMxp*EGgW8(b`Klp8aN(xnqcU&JR%N8!v^nP0Dz=yQBlXh+SX$C>a zZp3Na1J@YwYyoJG!-%wCjf*Nbp&z52O_PJuou&HL&EIyvrs+FZd!>&r12g>Ob12bX zsknJSmQ63IXk7`)_)%=wPQ;ox$+Rp_3+i%alP4%E18+c|z0-a&uA)Rst1rt?Bwa`x zHOWDm%Jl@_>q+F!zsT929OZ0wia38MXw=Xifq+Q0+g$ndLyNR%>u8&3jC%>`w14Hb zw2Uw*664gR8z^yzp19e(ZOvo@iRo+_5m$p3mR1uYY9)wN@bSdgG?-WI>gPvzX}Ltb ze1#{phm(PmFUd2K;vgE@u%ZD`B_9U1B!R(6t1FFz{O3LMwsS0evXGO&ZXMz zmVHEfMw`3`(}to`q>3TFnK3i9oc`!SsImxrNdH2_GZH0GuBK?Fqg^Idgt-$F62c+x zfv^6qv>AnF+RC(9z=xwT3-LhH&@?-jW5-- z?p&DK?z$Soy&SQclssFwZ|S@CX1Y`O;Y$CBotjPmf&ktVQ(iYSW8Zs!W@N7>Q*l+E zC1iEqk;}AtZTtCo8~CpH$n~j*gx>o^$bFGFSs}6PEqL+VXp~(^YF$z+I_BNZ35b`x zt5v;U6pO}@UAclJ_>S0O4%M}>X{JS~R7$T=rG+baItJCrG94AYel)987#3`=zI#;B zL$s>VKu+j866&!l-!UXb#mE3Seij#V5Q^RN&p_lU#IyXNyz|BOt14X~gl2ID@*-=YmG{ z(fSPdf(>9QR*zC<#?E)*CH2T{yQ)Y*G9x+k9!U#eJs}mL!M{7G1CfxyjO@^r#Jy=#I5`OP{qD?lfV? zd6_S^jSFSp%{l<|IBHy>7{jK*lG&r3`9?}>dLq-_vB1M8qX``gP191eGvFMIELX1` zM$~I2m!zl6s;t*eU{Om-ck`2RVaBRqf+tgjo<-M3*n@psEx}T3Zv#o5kEMt$)beV% zbJs3BZN)y<8mX0%J(1Uy&y(hsUyvsYOddEXf-)+e!+FQYVAWVUeM9X9jNedZix`#X zWbJV7GomdF_&bTR-nsSBfr_>^i}lYd168I^xokvzyx^rcNAs;@QA%9RzV09U+J){? z`Wg$6Qr7RT11VP@!!>eM^RI!76MI`>Z)7bk z8bUCxw1q*iOg3GtS;4R|L!O39uVchg_qEOQMMQ_2pOP)AD;u{LKNDXEOMfeM=8v|# z!uY5M@7WnBbk#7k3RX>{iDRNu@dD;yN$q$10~+;Z3Qrm~5X~}Q)pByEsf9!lNHL~6NzPx3f+C0@E(yx|E**|IPu@N zx<6C*g2`l90+yEG07r=#5?E4eZN40vDu>~2p8QxR=@I*CvW>~HVq&}E&~b5u-GS%N<$gn_mF^n1LzAPNV7UT17c{7pE7x6^1M(?&u? zy!$d)iDRN^%%W);VezU{2dx390}pP5YNVyFstK~tVIZdb{W$!3bbYqqM&Ws$@8$KW z(?zniNqj5SZr&HZ$SObcwcKFxocS8k8{dIGN6v9)PWeyvX|~Y2Q3tR6sijdrqIlV$ z|EK8C|C{7%Kcs#{{^t=N^>W^Jo8&#Wa!%~M{?PdhA7+elc<6~p2NEwY@42F|yTaEr zz4~-E5uYp0dw+0U7%ZjBco=K0|GwCv>TGnO@yElNyw8VHs9%9M*sX9pyi%D{iK2 z@kg{ktOHe{o((?|SqLf4Ar$#dtT*L3<=TlgY3mfhaTv^(5{BdM40EH*N>%&LOV>H7 zme2$JM>AdI!M3H=ei8EoET(eh>RAmBaQzw32<9XZtHwm$J0pj4%inQL6kcNIxLS!U z?YQ*>SXOVMlZRL|eR2<;NQNn>mcUCDa=N;2aareU*mdNG&sbp9EZtnVdG##I{MW>9 z;67n!Zf-lJcTZY{WL7SbDkg#srf` zM9f>rg1gKUJ&jO1MR@ovo+TEp#e~jzry!xCP5vx-Cf&0FfV()P&mr331vI&NEm+?f zJqa@F6MmW({rI;U(yV)hm3suE+eZNZCj4&(&(KmMa7Fh4L$_O(jt-pDy>@{qWif%z z6?5(Y;A$M7$~}&T0ALd4@A|HM2sr>CyO*-U${U?-kZ#t#jwyI_WkjrP{?um#Uy?s> z(-QtY;mdfI(kJoV#*~tyg?}>+VE$$b$vLgJ?M!xL{d72Z)j#};+_|DZk^;1NVM?>P zH=`p-^in4&>pU_IOSOu%V~h2pxt61qV{$v3M${V8!#0!$@?BCbO`1S1rR3w&>D zlRvonr7Q;=65On&N&|5Q!u);ixXW7)&9udECfj(muUQgSv-Eri~g z)`3p@AJa!VooK{KM;OS>U*b=9l}pf<6RtebAJx0{@$VFAn^M|MCF_KP3pxrPM$ITl zn(2sMwByIg1t<1Ewd=yd${9o3elu>z2N$ntZ?t|+jOe4~A6tkqgZjgR<1Ov&-PRaR zjfr>$@Kgd&Z$I&zIRK1dKU#9f-RQd?GBa!?@?@A&2%mAxR{ZfPPssI(liF9eX_mv=g|q6^(+jhUtg5HV6zuYa|c+y3a@@I_~0mKLP)dQdUm?aTOUk* zgat*aA@;c{|J^h%;aINI6^HpKkbXY=#F|=ad^OV4KcnMDM`vj#kz{8qGr|_7d%xZc>5^A0%Rkff%AnYkThhW0 zLNM!%7Cat>%!~)RPuEbnexy}c#kx}!Y3pdaQp$=6M4{*7U$_JL6Rj#ojeK(466|am zxl@h&LNjCt=!TdEj7(k9u)XuurymWm(|Z-u(voZzl-Fb>o*YNU=}Pjzhk7JF@}Usz zA4^AyXYxiFwTxeQz0!1Ni{C55Q^FG-D}z7XNC{o4E%`ENRDasILa&mM6Aw$ZLs5a7 zaDGC?X%qHZ&^oqn>e0WWc@NK5adSxSsEHkvvcGH1Q0-jjEG;IOV9DmSjH8 zH`rW0YbxsL0vClhMnypHg3_Q@Beh11c6_3;2-_Jsr?|psV%p864w%iXkA+|OE5qSr z!Y8{kS?XtKo$IADUCQch?xiXL|MCZYxQT5iy^{F|1O1 zKv`b9#=E!DQM5MSJ>sbUtinhx^IAg{uB=8O5v0pb$sctM#P8$|{etLd7+l|duO^1| zm+_{{krb;*%+Z=fhCrZ1XEU@=7GE3`R@9#<%djAP0C=T*0FVv5ldcRO6t6apXGPX! zLNCm{K-yn&uU2bGnX1dzX}stk&Y$#fQl#>|Ip1PlQU0-eWFe97{_6x|2|MjI z#l_Kn#@lO0yM!-ZekxFI{eu{IbmDl-cPWp45JQjOKgmhpx_dsYG3W;|?xZ!hB3zly zPu7#-2eAMteN{z50i+u3t%d zu|@rb5Z|Z5VBs;mPdorPKjjKM6>zB^b$cX*Vby7NM|T&@P(wNZD4*F_-{Y6HC-O|4h*MrE%;b_8?YM%&h>f#J^*l>BA(Sz$zu@8yaKz>*|Bqijr?H? z0MK#{060he5J3I-4S?*;|Mo8)0*=s~+VSu54OxLQkt_Uy=D&KPOL^-bFV+47LY~K8 zDoi%%AAr=Y?^5qQux(L)ho`(nB|sgR>Usd6ZzH90RzG7I7d!XBV7Fz9IPv!_!75~S zT$;uD+N-|?m)7)ms!qRRyYkD%i(HL#r&d?%KmHtI#;1<$P(gE|!B*uBbqY0!e_;AQ zCizqF{xl0X0{;64lk{V4x^)MDFsmKi7}MXY+pBMyr(W6oCss2&UB9ko9IvqfGL?}8 zKTNddkeUAZ@ugefA3N|*2!BWK4(B=2PRthdFirsQf2Qjmby2ekoAF(fcy3gll!1M}6|00t^6KM{jb=-O>e+pC2|~H{M!sJo=;Vhy;Ls z8*-)Asw?^)&5t_rhX9SAEYd&fm;guqE$;tT?B?i>O3=ZFKQ$V36T|hP<_;dP*a)z; z>lyQi={6GgOThn;kxA{yo81$(D^8=*bN3CP-+=U%)p)!B3a zC`Gf;*zh&IZM&};&0+7-5m72>QR`hLdTh#9c15(&C~ieoianlxge~+%C$J{LWs=ub znAcRf#y{sp*vf)y`rV6uf(}4M$BAgEj1l)){VT3LQ4$4<+{I-maOyD+tX`5dM${rR zT&I>gGKOTlsmG2HL$|(M4w5=odV@3B&6T#e$ege-jy4o_Ga>0&xRRKA7xb_FFyz~7+r}W3VB7$ljv1f#ZLOlhwJhbq| z(y|??Idpj(%SF5*eIFC60!}$Y2ifl5b+jKjD=7?A%|s+nd5Kr1=}SVQle?TR*B~#s zYnxd?vWk)nn4>BUPH$00k z3ew+yT&iV5-6(J$reMaO_17E;~A&_O)!}Mfb!`;}?~Q?IpXo7^MTidRLy|T#7z20if~gt0#;V zQ*edV13*0+NP_%4w9QF-q2kMor0{1vUrgKnRq}`QTR-oAF+F7ZTL}Q&BPV}}qxmW7 z$iKyYnfX5p0>jxh;H0z(E^OIDiOrPL!Dt?-&w;PPsMAE%ia$C4$W0^xa{t9-Tkp<` z0`r^g=k^LNioW}mdhz;TvF<5pbX?#1ult}z|88EcSeO24jQr@7BxCs44$~(WE5qBO z|I>sVeY(+CwQ7f2w<9mnenrZa#)H4w$eS99n`B^P0FLNOUeXGDc{-7`XKGT?O5MWgm1C?J-PzuE1YzEW!*f#I-Qt?<_qD5-L09_x_QX_P z<8xfQ-Mfq6SDilb$q=%x5mU-A(04ODHhft_lV?7 z{-mE*Lh4Se4(wrAkA3hr3aSdw)@Y#hM(<#Pemw60oL{@3rI9}K5Y|h^Mx|b5)iSdo zAPZRPCHnxuDk(A3J##kILcOqA{kMzN5s!7?UcM6>g0`2TT^6s*1*1xK`;D7yl^^!m zb{lLT*LCn^bMd46av5l^Ep|*d6#fDSGX=ppbPQDWl9a;^S9y_T)x4dk_5hQvNy$4! zFFU(NSAaU1c8BKyf=S#$aL`&=ChUa3P>Y7%M2{My_C`xsSY5Dw%HSKRiMLFj9*wZg zQkZkA-%J6rzMY+Rw5zF`f}DUb!f}c1niITda`acCHjj$M@?7ZW`ssQ|V(Qt3TZPv; zeQqap#bv*u`zh=(v>)GoO!+tTzep%e@63~B{?euN(?9akNA5@dM#UW?>%Z0TNJQe& zABexgW1W~Heirn1(TDb*qG#UtY2lyTwWkiF^7#p`^)D|OtB?Knbm6jV*g}=ln*w%%HP2Q^8%SU;2)onN(&giU~6J&4FqQS;OeXHko z&qVoOnS{O#e-DmRJEF{;z6)>3y)o2P@EKPjlzoj~jhuY#2Z6@V%6M{mrplEzJCR<& z=QKYm)xq?C=>OzGIZRz+rJpxlt{h-U*75d?Rcf(I3m+RgY+7JV51d2&jip-m**G-M zuQgqbkk6Ktvpk2ng-6=|#hIuRNzG-@r!!gaXpG;OvyV^jOS7cu)g_`YPm)}vm`#T6 zX~xYICX$^G5!WxBO3J^qK)r~_}>$T&Hx_dw{(j}hDZj+NesHyY9x8-4YV~Zk= zL5XMSHAcC)@FB2MGkQ$dHl97wZGTs5*ZVGot9YSqk-mj~x=OVj%&v?|$CU#eA_wIK z3dJnI(gvUpE>?TBqx=JpudOK~OEh`�ya#cOuX4k8r!}cvG5m&i8;InBpl}mJWB; zM<-dQTnkGB;Z~s^IP_B>t9QBe_VMkxwZW@8a>Lb9vW}Veh^}CgiyQ-2DY7$K-{*9= zNkiB5f=j4ZK8L9z#C_lM+?R_dP@-dWbK`>d)|m?>N$2X>PUwCZ9I;B^S}a&i7_E=+ zt!Gsh;U#%fjO4tuA28jQwq157NoPdcv#!Ql1VS(Q?KF&(i5UoujIt&4!BQvH^pgI!C+g!L-e$jH$M(cDp1oYE6ZKJq z=Z?~iq%!rQzS_h-U1Vochkz^wAug}49?85#TQ^k567C^;k+_gjpCpg0Hd?Jl6pQQI zV%u69EK&T4${pFH-Pk%&E>k|otxOM&EQ2j8FW>xp zV!MCcvl(NZ8rG~?(`DAnM!8dCF6}N|EU!g~)2jW;u}GZ#m4bT^JO3a`G5rO|{q*R* z=X|^!4=xOC+VYzU4`eDLU}R+$%75&o;cyBD=>&JZ{2pamHbMGl)kM(Y!IK5CD-!0c zFQ9P-)9mYV@v^}k1Q-v*dS2hLf=@ksEUB&%YoEwL?Lxd*lt1uI5jM8WfxtM&nC zta{WYYJnp}HM|Sdpqwc;I9Z~V7BvO##S357ig4;N71&72S6E-1Bz40L^GTuLn@?Kj zRpPI_v2wT{ww~>Az0jsSQj*}3agjp|CDw44GFcK^GA&y(92K$fpk~HyXAFN$$<$9m z_&!y$k$tul`JOEUM_dnYHn&;2d032pmLwzc`7)3_T%l8wh=pei&uI+23*kBd_~q`I z8*F_ZUl6$LTE`|vn}5I7QO+g^<0v=ApLSW%z)kd2u_FK7;fp*tf?F3aoc<$2ixWS) z?ii%Oe%V)7iJQg-X@@LHaF8~!Pf)%jkz4F}P8`aC&=&yJbS&zKBux_J*+f31UyLhw z=`X9AjsQ-VXbQI}EW}UAc1IA$u#Zx!rVK|;SPvz@H=$E75zeixI&ncVqL=AJjn6vJ z%p8=3f?R1?^Yp%66*s-OT`Ul>z;}fiJIO;H!p7*$=p;wPm#SuLW5g2_@TCU;ckb=$ zr-d?^BuaFj8I5L_8*-E~gJf1@9ph)f6PwzX6WQr!GQ9g^G|={Q0&6a4{9``8=XpkL zxB4V`Rj_s_PB1U7_DYE*8 z0#o>5E<(h1J$#SU1z`L zA-+jbORU@-_^|jbqw!}c-;)sE*eSlt`j*c4&ffb?*7wB7H+Ht~vcBaqz8MkpUDmg( z$p02o@}{y2^S+GwcSI(AmtQdD3DkG#-sDqDWxF|>O^N7@Zbh`9+o!hTY$Tz;Er4|brfH#e2Z0|LQlCn=RYKK88M z>Aj`Unh?z(hgJS17=wquW@U{?+^Vn~zG1C2KUw@04mNzpRahFx-#?ULBYTY{?;c{^ zjv`01xH=Jmp%Ir!awkT4k7+?g(Wz{QCjt4YCZ2KxNK2(h4N$0y4o^(r&>Fqr#tUJUOfCbxb7PvuP-XVZJkN;he&BXjrGi85SoPh{|Q~U6}xs zk5_q@Y9;W&7x7OoLfR86uB0CTPT63_n?&qNSHCm{pX<$i|hX-<^`BN`B z#sGDUa_8pT5>j1&CdELk5@j;vmEjyCRtF*!uIZlm8M_xkrA1bXEUM&d)W^DZL8mQ7 z6~P2Y_<%DQ&s5(F#bKm%UR9m9v$TM{2!sGB`3vSDEbW>*v~Q%g8a`9;y;#Lvc=Gh- zV$C_@WON9_LK_|I!bz0_0Cp(q)QMk7k^f(GQDz08Z7N z8NgWm6F^@2 z<5v1VRPb+Mum2%t?l0fnMHk^#BfY@JmbGk|Pu>8i9^89WMnNR%d+DWm@Uuh6?F{3B z@xU4g^b&u5-QYa$q_j%4WYh`}El<;mNX$QV{{&bllfN`{F1gpE=JqhO+l}pdp@{Z5 zYx>*ZUsQBhBaN$lONwS{0f1mCL5K)XgWcPVva{E)RUDyKpx$BX3G%ZrC5S2QlXJKw zCkpt$%c-Z6!q{Tw?pRqdJy4MQ(pWFo+Q4ghVqU z*ZigF@{?=qQ+lM@KG#v8ccZNFo!<6zlb1u2wl{_*HC*cw;7NH=SYBSSYU#aT3dW-! zz^OKQQ}v@ZD>!3ofr7>G?M0cCH4gtA!YGF?fxpo1;*AdXwHeVQ@qpbsj}6O?4(I6V zT@D_ISyvRthg@_&VGb2Tfh=AnVq@7rQmw0X=TyYt%RI%?&1#y$>vg419(5Se%Av~c z50rsZy-veSV|wWq0x0dATm{y<{0O1_QBM&FE)i4w+tnId-KFX`qr!{Jw1nz;(0FG=^i8xU3Nj%D z#~`qHkX}uG{$|TwqRnjO$mF>bqe!OOF|M953`=}GGUhWBTvSUOjG2*}ys@KHW`cWQ zlA)#4$3iP6+{gv9Wh*pRd+3U>h4Be@vT#l-xQyp#6kPcH$6LYsq@~olIRaW+gY;m{ z_@t2x)&Px3dY+hJRZjiBlY>RQ=I#FYn`LUf;1fyq%{qADW9oUlp67aCBU3t!%A)hO z4K)jlqgC^a5LXe?v^pktw#1YSXjts&I&bfb=Zuv&x$TF|CYhbtbff84YK3YLQ8V`8 z34US0!7^Yw0%H<C%*FG zk9vBTv19#Gx+<%RvbGBfrYSrNpD z;5(O-(XuR59kP}SB|5GJ^L*2AtnoU_zC3+5dstn6nEM?GO2;MRQ--NQh1?<&$?!X{ zq9~1I9;Up8+=wJ(VwqCBb_cT7cD{JEdn{M=)?-%c+&QwDXZfSc49+qNHGZXp@DO-%h z+m0Ziq{sT9Gwp~hJGl061o{*u$-jr(hdsKzG@2i5SK_jE_R0aEXilYi^GW7=rr@{3 zZkmJF-WjqtmumiaFB_5vN-#*mf`J`Ubb$FxjHjO&r7v>F41cU4hJT=SJ7N_y(4woZD6xnkkq z8mY$+M(FwWhF#E()?9--&A7K@nxRh?aH;G}{z%bS#K0u`D0?RA@sXY!UjDIH4+HIh zNpYQJoKx~u!3;L%=hC&|wBifwVHHh!Tb;;&=M@3RDpe%*fl$MB>V;n2! zISJC5tmo?Ra)P9~9B$~M>S$Q@D>o7Y+R3bvg$*c01bZmJgq}IYYWB?Ng84_T)s_-r z{XHYZ;hNNV1|Ws`m)$27WS!S**Syx0(wT4{Ws8$?t6a5KMO<+9Sk#Iv17q*fDP(%@ ze(!#FH{O=zy`}MCO3G6VLB69Xl@G}d3aXeK&%U}a>7{(43RO&_m3n=s5P~H}C#RE; z7=77gAj7N_vnctfwH8Vr4~>P@Nv>W?PAwB_SNNhoVmOVfdk$MTn@DJdisN-eHu+jA zaI?ccm!IeF>3&gJ5MLUvpR6aPXx-JREg#a)hT#?%*pme=8NnAsnPNb+KrpoHfmTT7 zVh|J};0%W@oPUs911q!3z>nnuJLieE@}PWGus$Oz7RDGB)w>^SzaUv85pw$@D&VGN z4fFH`22TMN22c@ys>UD_6Z7I7SvG9Bz;I9I0bn2uD>A^ZsaEZKwAQdJB((^2b~H1c zq1aMSiHTSvspphrrm;2S*O`%IOrXo+_mrCvbd%PXBEln=P-$kv#_R;3f8X*d6O45- z{=_zh_75jIC4GXhJ1v7$?{j5hE`$xM-5;?%30q^Zv`2&OWhl;ERk5fy+5^IhYRzhx zAAGg9QahYw1e@t5y2ncSOd;?mbTN$dU+mFCyc?|l@z zHIOQFDH>LbKglCvEs;=2H5IRGoG%&cPm-TJ;q@Ue|1I|4AV8jdYYE85UMsau!r|h|B5r(6$f9z|sQio| z7=sw_MtlCcx3(VOe|@{EijxF^kqZVhzc;0rszl$L9j)!B2ZBHt=8NY$4`0dIXMH#o z6^VMI@N2to~PS;+F+LX999s4K})jhaPJwam$4}WaKWTz~vH7o#jlbuu&By_NxaIu&*32~M|5MQw z(=$p)30u2@DP_GN5o6uFC;HOEQoYIrnqRuXJD`g@Gg#?{sNJx~!~JZn>FysSF^z1q z)+_aAf>=x9GhcC#G27|;(dIzZilU8+_rt;}_S%;DU$wh^Xq9^K%>0(K+u!gA%JKPh zY$a}lx@c`iE{Hs59G9f1`z4a@C&%R~PaFB`R&18b_TS|V)%L5E{S8zu857YjPIVeL zu~l-ko{OruCgw^1A1aPzE7dA|5{TG2U358=xEdkq*~o94Is<9hr6y5dYG>d66@_2H z3+Wsnn%6S-URov~T!^MludrK(@6Np%HWKZ%fB15k@u;5Rp#&+#XWD%((a`srDHOH; zz@caVZ-)Lv=&MoFe>Ez!XCUnP)^)ppoOFif`47GC)&CcfG;`Ux7mfji7~aB*3upP^ z#GE?1h%*TLT(Rb;A$#K)A2v&H09pGwXNtRCqns3LLc=h|sOtc*XnM<8|7YC()H?pl zBmHLpN61q(2Fy}p)l!czIqUb>H9jNug$6n0@^!!%*5i|H-b(h}_|q|n9Gwb{(!LT& z+9v^WeG2-G5$Hq(ZS|+DpA&eycw4&b4mZ@4OV5A#eNy%Xb&KEVpN~ycYBl{nJ0Edg zF1<4e063od$G@8Ag5<_OYdtzOuV~p$h`gUaZMDNeZWXo^z*r#uM1<84a1<>2xv(ZF ztHdR#< zkhB6q--7>W}kd5y?YR3(GL7Y=o z-CDQG$$Gg>bri+YflY`@7IM_b9d|$O!VjkZhAA-dTPl8 z71q>E0J#T+DKYSm zERdf~UOpWvV5pk%!r$ti&FKv2F|rXeYM4=-+hnt#aDtARtpYbAUcFy;U66JFXm}`)P;!LjHI6SDjU8A2M0x9zm z;p|;vV>htwRdKeUy6?a6E)W%>Am@)#ipMbUW}Ewo<&4`P3LfYQ8sCTLK0&8VDu;zb z`C5A9E$yyjEVZSkl6Vg49uFyvHcDqYmWM8fMy6V=XecSxu8VHFlkMZg@!sVz z8(xvn{`3nF@QGn65F2RsdDN-_=j2Aq zq{T0fb=4by^AZq<2tQp;a+pA|Ck6_E%C-x5q4}}-B5d0HGc{bFVODXEb{dqg2n>ti zJN>h%{7;AQ%Dys?Dk?p%Bi+*7KQJ;W60usRTAgby3P9e!bB&akUozRJW))l*_YCFo z7(G0FdDsPq(?on&tdhg#x*G^}6RVmJUr{zIVHf0m)#-nXX)&M87SFWcw>DE2X%|kq zsRSIAog}T~7{4+(X3COosYgmmT!m$u-fMrg7k?zj#XaLl)Vr;w8|Zf?b_C#>wLHL#9Lk7wJSR&Y!woe449`rwNle1<({75)Dv-Mua|1w zykRJ`Ic>4hblq7&@|lss7X_xPSiG8(bKA%{{z&9f*1l;yXI0`)mK~IsZ8p{9wa1jM zmhxpgRjz!QGg-9lwzE)B#M)QKvP?BUYkxeQYc0)QAy=sNVrpRJr0@XGR9)rZK%F~b z0oh*N|AIZ;txufj>FMcDPw?wi6nbo|xY*R>b7tvQNy%hY7q`hfzLj~LIA*d!JM)=T z$L}MLrrnxuFS_ky%d1HuzdE&o)|;vYcRCe@mmW#0k4z1^?X%^yj`>RW)GbDr40|J1 zIC*MnpU-)xbd#Z0o$CO2vs?e^Tz}y7s8ty7e~asnF&*93M)VfkyzU+Em=Q{^tJb+?epBw{w3>O`CsV zrth-Qm!B^DWeZz&$7WT`Z;Lat8h6VsF`3-2cyy*gtFXsji*6(1$fcR4g3Hg|>YD!e z`=9+AcP}eF{3|+#PkzncWsMHKc0o7S`=uGFsLraH)OKZgg!9Uj`zF#JL7hh)E%n~> zUP=2*uHix*JtkdV)t@3&Qrasp3ni(aJFou(<6d}z9raaXsX(CoU7P8EMs z!5Obibe3(sB55>P`*Izy7`?FRKZ7<$^^^Y$vsFJTtWJ(DW(`$da-cZ<)FHW__Rmh% zc-VyrdTeUFS&F7y>;_*<^6j- z@mNC9sZ#Wn>ylI}kB9ZUqwVsoe_wd1-1_fr&d)vX-@EC<15_RnE1$HlbbFjCnRw_w zL)o^Pd*$C360pMYN%%^!iBk~fIxp!H|Gjndv(NkYO6;H7V*9E7?4%zP5Yc#IeUPrQ zCX%VDn_k2p^4-6=ctz+Q1GkxeGj7c)+ zvhzgdrCxu8Zn(=TMW5&@=VV9S{qRg(ak-Zi0mZ=Z%wl9x{1v>z?I(R&t?tF3Xg)9;$+O zD+OnHy589TT6F5o?uxBaeRo}qjrRa=v@v<fl+WYf$kR}=;LfkyHd6UtaDNzf3S1PU4 zTWA?Pw^r~g)3G3d$vQEqWz*mOt#+P>IHkv|9G(_3WAtuY#co-BStV$y?y(zPkK~I| pN;YIyo-9()xzw`b>509+yS_@k$+^F+)|z*2NNDA(SsDLt0syWi55xcf diff --git a/src/windows/leash/htmlhelp/Images/Leash_properties_krb5_2.jpg b/src/windows/leash/htmlhelp/Images/Leash_properties_krb5_2.jpg deleted file mode 100644 index 597a6e65fe126c9c7bc10e90389071c23ec65395..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 21146 zcmeHv2UwHY)^6;gqK2k`q5`2uB=jZRXzK6mEaxwB`^o~1occaioy z@ch}c7nv>s=@}Rq8P8p~beW0aG93dW!>^efId+id_z9X5CukUG&(bpdr?35=0l?Eo zypHT1JHie)3OsTQcx1mGa0PG#aP-)(#XY=^pE_~!^pRsn58i5D1OQGPa6V0U>g2K0 z$9|1;9GceuI)N<^-beUa9SPZSL6B!+wR?^+m*DrF{$>n7+nFD1? zh?<6ons9=|kfsoIG{#@+R=euUt-?I&l!?xA#Ym z0&fU?q`QkUi9B|ko*nYC=){vZ-Bb1qYx^UBa|h)*3Ooh`$N}CP&!k3>B)go_> z4!~o8ygsvWVI0^|=u>y|plu_)X>_9DqKp-Ix&p*46jgXiWEHj=9urNp~Fg&wkxy8@p{k5F1jK00|< zpmL|qC995kyf$QXc4m7kcvqmUQLXAqZ#8!fb4Ze#WacCF$JW#q(I~@H2(Hu;q0)|& zk`~r?f;N$>EF0d0xIr@XC4(KB;8OYe1W`mshQR`0ReVC6bJyhaDixQ))^CZZm`quWv z0*I6s7ad2^t_a_S{;a>pGkM^-d4fr=BP zAMOXiL0~S+_Lx~^``C}Krp?)@YAL9Ienq7m>q4^VW}Umx446>eSN`Qi0xZ&QHLDQ3 zUZtu7ZR~#+_BhpxODgAKg0*D$^Vo*(Mp^gW@IPTbPjf~0e0KG~Gt1tuoN4TJJKe=O z*VxvKJPyorMpn<|FBs{y<>(IZW+!gKnpYA(^|br{qGBr#;+5#?A!=ZzHPcsP7Wh~B z3#SdhMj1G|SSKPTRc8L^-4bHGVwG#Y4)7{<={X+N_-MVhk*j)T zZU7ut$$knZ^H#`cW1yzNP}r|^R5LPCO>GxJOsH6)B4MftQ@KQsF? zL&V*E0FB$Te}sM$$-;fFS^tD~NbIxQvsHIrbXEvnH2QaxLo57G;Ia?!sk-~ftrNX$ z`==@k(ZBE+QP1*ga49on^Je4x@80UrnaqG*{3CF&ydRTnOeDhTqtHkm&{Jvt#U80e0RE^Gr!K?tDn)4zx7X^O(a2;c?zSx^iay}zf zsJwHgD^F?Jmo+~Mq0LXlSaUO|jLH#Lq*vW@OA5kTOuJ>)XA-t!Jg>cWxjI?2@>=(8 zrKw$bj_Hnsn&azp_@oJoWm=|O8b%x9%?_|_rgfhQQprBfZjm9T_-p%_s>-N|#RC3S z2y2d*25KEjAa5nLG^FaEPJV(4tFy9i4r2dVo!2(KZ&5WiN^5i$CM=91CY``7Qd&aO zecAl#n|Daa^OE3cwIMrCTL}_RTgOIupPSuVB@9$_B{H%@v@k==TTAp>-uth{ z>MIsC8k#O-55%me-9q0tv4U1CSX9G3jK08ODKU1KJ{wcoQU#lIh+-|Ia^4%DH<3-J zHn4P3)7}ql)~UwhGt4uiV{;xR>xWB?d^AqBX$!p^C_R|o7Bpo)J2IyKtr3OmyBr-O zpV5n3>&xy0mt19Hs6 zo`%_EnDKJcxSftk`dKIEQ~bl#(AX9m%{;v&tp~X_3c)lCUqpGe0$Q@;2W^}9)&IH$H+C>2Rc8bAkX7v#rmL+p<;z%!g*M4NIJfzA;Aol zqrWJ7E4y$Qp{E_H6(hTF7CNLfTxu)g_lo5{h?VDUnw|-WKU+FzH|E*Ug7tEN9!UH7 zGj;NoDV%iENgt0|IMfp^f^o^V99!nCV&CXA&B4%xY+J%Upw4-SRy=0bb#l|w%x&BY?RGV3z05u0 zkcvzYwhS!2v|YVtUZjJ7RiNAHADtRe|@$pHKJXw#hH3* zdbGll9mg4k7VjbPDh5ppQ;K;bVA?`C?edwbe9ophi;Oowx>1^NRe$7@gIr zyFg~HnYw^&@ZcQxli^8zS0e2p#mI_!?6~KZrh^%AwZ1k|NS&z1W^2cHYpn=dCGV7m zA+hnJj*|`?xQA_{s3uetW?iMN=s{J;cC@Gc=VwJmMdIAUsN#NJ)bxk=Tqzq~`;alN z1UD*jhJ!O{7NZ+AuoTH0tnT~;_M6Qs98%DBVKVtKn4G*U`_UKgURpM>4|weDFk4lP zaTrAl;7v#LpKCrBPHRj@nZC_XHE5GjN$zRyFVBcbpVnLDjBrz_Toj%dUGZw*w~sxc zy~3!O9s8(w*%I9I;!W~K9#7iqWDXbkd!s(q=xCjn$1Mf8bi?zz)b$h7RB*`GN88Is zg63{GBtanG8ugwmf{jok^7jJ7>`%k)!&Ea>0%~0!uv+DZlB*nudy}zZ#ireHr^6}c zd0(@BnMxT036xihne`pc^}V)2&zM9vSe5pWmZHm*uKQ zEFoEMI_26c2A(9T8D4+iJKY?e^`SU%>tT{jU)%_!Wu4229Hi~wZbi@`}ionnx<4=me)69{hvpCsTvKX znn+M#(t#>yTaS$N3W&@k0uus5vt5)^1}bxwQ3!mb9a0$Ij$xJ_0fxV1$?G z()}Qy!?ZcGS^n&U_Yt2%)Bb~z*Vx`lP!KP7{NN23liZg3>FqyxqThXzd-)qn?Dl!j z&RF^896w|e`u?}Qy0W9gU?M&byn;id-!f_?-)(xF6rU-iu|3LpE>a|;U9c# zuk57!Y;qt+!J$OIQ!--@D8e4U@}aFuar}IaYiT{^5cuCI|AY`GKf7P~9Qn2A{}8SG zu>Sr|ZP-8UYX9&nAMsy{ek-A{Md#4H{Z6sj-qL5T{*}+kUyFW{{;&Z!s0_b11q$tr zXa5rr$^JvWHy{4!(f@#>#Xk!38;-JnhvWPY98dinj)^~Te6am@I41nSk?rqrbo_zi zvjY?POB_4?p|9U?JZL8V8prk@I9~XH-Vf?m93_94+J69%%>URP9sG1hL*cDSshMpN zySg5>T*D6R_cFVvO=irch(-IU27ktd2IpCGcedv0NLth)D%**LQyb#S=zrZ7i=q#0 z51HEQN7L#SRnE<)p^NOYb!O_xhLLs-hJw5$PW|AkQDluAn!DnqK#kb9(S#*BGCq@W zQfqrmv>-Of*qzDSSX1`dZ2#D6WMxijd2st=x5tG-Pe{S)u#4wvQBHPhQc^Fo{#uBc zP|aW%A3?ZJPfs@$O3sbfytMQRepXZ%q=GxSqf<(viwQqdM5l?h5+T^L!~`nG4g0Eh zyQ@86TYA+KFUMLC>_WxpJluTWA1@k4K9D1vUQk;5`JT-_z#UZ26R-~$SZYS^@PUu# zqHNyBFt>}e^=1@EFJM-c#IP-xc5ZtkWAcP_@S~OKYw8Q%COpn$Y+U~6<+@a>v3$_7 zSo~7oAfjO>=D4x`zA9jgvIgzE&|~ZFj8QE^W{xfysCx|!jo3V*Z+hCP z7B)|aZ83ehDWS%GH!EmU&{Js8{`z*b7$2LFWn0gvVX7x8Ep~1Mz~AHLmO5~yHeqU z4AjD{^vG=Sgv-rEz|9c9GHDDc1!;i08!B3#kpOY*?Bm@q<$}!2w~c!8g<0EvstDRZ zZa=8t>tO$6gk|T}e>z|o&t&W{xf!`adseW*?rZZ_PzTmfz)%Vg7pTmQ>{r9R!>HV6 zKEb-hTfc7LEuLU+iJVWr0Y}}>ZGM$BoXZi-2P${4cFH8N7TsdaM?T$EoYMMy1#Toy zYpKn6pE40u{z15$eIuGEE~-Hcbue!hGlbM01%`VpPFA^>ym&Y$_ww5to#mpvj>)+j zFg=7=u8lLl9*QFNlol;(WT0AhCTj_mCd?*3icn_St$R)wj*p(PLcKfJ+%n68-I;%g ze^s|Ts5tsPtKaW$pBOb;wYf!b%9;`D^sQv#Sy*ySHT|vmSac<%}+vh|&*0&j(#XTRTlk6DVzYx4+5YVq^aDaMPxgNB2(%-Ib(8gO%Y zeT{=6q>~v}VEhsm&Q1PaQz<1xlWf!q1tF+H?p}1JQM@whVhEiPNnAoF3ZtSB5YA`~ z@U*aur|D~Nun%&mY>RT9<=rQ_a{Hz=`Y>d)NjUmGFP*5leT9JUhZx-Kr z)5Q7nX?ZGi@pLq`Qim4~Vx%?{rwNMczFM?{zKGEWGt9Q+sSr_!n?=mR*UTk-UWN$r zpFPh*$Q!SZj?9M(3l-4|F&fiUIdRjJ78&p8pQ3gAdTosL_dD;XP%K}yL#?WnR($A5 zUyW=eNijY?@-;|ZS-cQUY$KpY2ya8eC9F6g0^)W7==ZC0=le$eGj(z`we%KF`>QHK zQa>pT?E|p5jffdb2x8vKVfkiMz}sOUx2Icb_HghdPwfaJutdyv^1st=T|(Y`b1+J) z7--e0r(zD2Rys%YN9$i5C79hR?TZyY^DWsyo-R#v8fKIVFDUoQ(>4IB1{tOV@;z_R z@9)ocYGMwXyDRY4ppYFAY_G;8Cbkc-xYC!(nODSuj*e+0Jwgg!YU1};8fQ)Q`VcK_o>cz#cU<)AT>?IHD(*s_2`ke>00e%i?cndmWN?|Ez!f$c1yl6^oR zv+Ry)=Qpj;wRt zGhbx};tWZ?jIzR!Agwt)*0JKTRlw6;Ob-x3daSQp%Li6yv@2-X;oZ8jJ*6BVioX?OfU6b*F#N<(9sr4kiQYw!O=#grG&xjw~rUZ@G zz8`PoqKL|T{=E9tg2lZ>76o5>zUgWK5raWP|3^z5-zX;=nXmM{6_ZMJxi>p#wJA|- zX?qh9_!5dWLkdjbRI|qA=Ox}`b(NTE*ocvMR)r@avXz~)`qbf^G%cPY3zaMi1x&Xn zigPsNfM3Of0=KnY>5QEMWo>iw-5E!lk1M8j??LR_^*PK)zIX)WnTGTT0u0ikHlpsu z-CNYS61tQY3C?H>%oBgW4qlmxAV!{Lm3-eJjd0o0o^Ge@i13jMopD$3q=_d<8HlJVPQV#8{#*X~9_lRFc5 znm=gSGlvR}D~*xQ(t1!c8zZ868ut@ zWhUnKGqxeE{Byltj_dE(t$|{#%>i#nej~^=YFlftn(ey1O1(}bIf1ZzSBaSyy zT>bed_+{*fyQrS|jp*V`hHkMvSBZ%$OFl|5m(Y1~Q{}!t9jTmrSE@J?azAQVS2O$5 z01i4P`B6iSFnoLN!>g!=&7r!5_1Gmp>sq={B`nr#)1ue_n^*EOPCw&~b6^j$fhP|9 zj@f1m#oLRE5g4@`NaaA4M#qOgUS)l7a%UC0B!a;01Lz$kA}Zuw36Kh`Lri~rwca{S>|bHOm~ar8dGp!2FuRA6{#_Nae) zRoS@oopt;2G}M^tE$D%lK>>k4PbgGU1EXU@seyavzYCjKS#UtpY>vyo}6Fi;tTYQNcFKR`BPx$@$azG;T2LKH%%P z*R{QxmmEgf=DFMyt5!;oZzcJmRlX$A;aoh$Wm0}8>TX`Na_vCnS_Lmop4JKl;?#)` z*$(ivvpF3Z%YUmFuG-S6eZiB{eE51$26c`F6R*WCsy0?;&dqf~l40~#yOdOsLnGRWqenn zcR4TC|Dw4&FCTb@1H2BoX5GX&96}nEmLqVDN+QwLk?%F<&G1 zGf-PrAD9Ln$i6kk0V?DsAW*s#W5=&mEz|9j6{F$5@ zhh5->>=l%3sI_z-p}cSs@@+czcmUo%$9}caixrZa(Suu?Pmi8c11ibWvq>Sv zt1t^SdeNpR-X7^%OP#^kM`QZ$?TKW^{85ti%UbpHq$q?v(?;ISE1u-*t2lLDWJ0)P zBFE24<1HY@SsBwjF4qz60;YX{+1YBY1T{Br!PVD-g9b**o8ijWb*){#F|`agGM6HI z-Up|3r}cqNL{E?Z6vbOk$V8^u6gX!L2`p-=)O!r|VLgspd)wv=cy((NzCX+-1mv{;T#JxvHMsQh4w z@1g3E3pn+efRSwDi>z?(D@y(F&p*)v6u!qh*^|-)EJ4>?KmPN@t>`_8(43gHBb3aw zdc0;~z>!qcksNs_N-d`(|~_x`2QS3sYkQ;79V#y)|lr|*NZdu?a9q{ zz{tpa*YSA%u=S1b4^IzBnX2HWBkzAr zCHv1W07uSW`ciEc;roR|^Yn_~#-pYiXE)&V081kHt9jYZ+kL`b&CpX$BN-uvS*82Js2amf5|m0OHk#@}*gF#9Ez)NEBC> zPBuQ0iKEu7t&*Z7Py{(`cZf?><>6e<~?Qh9aG-YkiYaZnk z$)pu$9Gr0PH+E0atsLE+H4?IAdalz{EJg^J-H3JQ5*v%A%n8y9F!$@*f4UW?%kK6u zlQo|?s-nc?Vc1gP>+N1viy@11BU+{@_f*|GrPbUsVmA;$d3@$@e1mwR!(0Le0YTlc zaKC^1qnKRxRDswdvR;bDh~rBnl;Ig{144UDcBcQIjVZy^Xma$8Vz#U&jf` ziJ>i55;dF57gX#8C1S9`85YS8n`5T~LJh400*W`s0)NgQp=H+^X*(T;2)-8u3zz{h zY5LJJmt6`ZNhmwwBMD5=$#hkPlc%c}h;v@$J6@8-_z-2ecPlUTL!W72)+MlY zX;=X-ep13{%vbIxi)OId5bFIMtz_ouxMAeQLjG5|=e{;Je-_c7>d0X?KN*L7A|wiz zRj}q#(75;sS{x&x#%dl2L1R)~PjmpYT4w6N2A6S-ZQAf*eT=ZWN%<$r^(mmny})xd zPi^0i8@8AfSC35*fs^jU=dBe*AAG^*rEh0zXZ2s@)?Ptvvv3c5O*E-jsh}m%7+5fd z9FHcPj;x6>GC@wW@9u%GRE#=}jP{FFjS9$B{?dWT<=2!c>`L!@AG~PVEK$rX37lnB zql4*KaFox$tNCCPzPW|=V;GD<)*C(6n{%;0Z3qtJIDb*Ew38OgnWk;HS`UT#b@`3L z=n&cRbUG7Qr8Hrg_t{VY;MNId8}LnJUI991y*P1W4JT}YUI214l%+KV>@33_Sr_s3 zQ}U%noCB@|)gB99iD;eYZxGayXv#yp4?ps(S}z`PPAN%^KxO3|<;=UR8Vv^#qOCxY zk?GWv3850<++4ZiAu&sGF=zV8C8cVOs_8?QF`7$~mV9VT{>WRZV068UwB%~} zI$JtSvy^T)5`@q|SW=*AcolUfsB%fb|IccJi%rlhOI?iwy> z=OmT{Rot^A8>2Hq1*?!RLTPLQ`SeUVf&Axj-y-_5XgPD3T&mUMv(Nr?&k*NZ=@?9t z%FJrV%e54sul=kcL4-I_ERq$Bp%8D9M%mdRX-C)9KBqf?Od*ihHO||3c;aQ8( zR(W<|C6{)VKfLA|Ey>=h*%8vpkBT;6hG(i4LL*``sIhNkQ=Tx4wl!Ghl^45+_QjeC@e8 zsLidQu*MwB5IRlBDxX$TIPEo4YI)PSeo0cz(tJ$(Ozw$R&(YAlQx0XTt| z+gC=FjkC~`_Xo{-Cmn=DPf+#R7Dq%NF~qSYpTy}{80c!l0PB@6`vAG*l`7~|t8uMq z$8ucJmOoE}>GP|_V_YoqoIaTt*(aaJz$T1~>M!W;wG-Kh!GM51!C5YRE+^D(dXoK1|MA7a*_p4ZI%B2BKiQQXgOW<&`Wg5>p<@aAW9 z^z^K885HjWY@u-hfjD^@C8ad^fIb9H&{;Gcj%&aDycu!Y6au5%;Dp_!SF{H@7w}is zZDQUtNxjux0hxAov7`B1!t~T~;lV(j`(=R=FocZvHs5r45x8MIup!%MAi5vbM3tas zvU06L*tLdW+&fLaD9v6WH5V;mppdHoW=Fu$OvpTE6Jd?Z!Ply}q!|QST7rM}>%%CC zUwtG@qK$IunW7LlCFU0Nk{S(Bw%U&7q}Y<-@=sQV@O*6-c@9xTChQ5gKYqlyk7vvZ zO}xttnR2$}?7`>;a$+nhHP=P&i-N=)gPfY3&U zn|Q#gn!s36qzjfk5kFJ{iSVFO}SEA=k`j+2ZR- z%^5mN6mbkIHL=pM?WLo>gF^UxEZMT}DSX0-P#RixI@Z&0RtarIJVO?J)b=$owA=x! zY0?+xyA;SDmdJb8&iDz`x-m+)A<=jhc+jZ6J0BTN#&&yHAM`#mb#Z!#Vd0}s=Q7DC z-6%u}khjM;U@`sY2=~Sz@qi9#yYlr%go8#kJ^cgwK7h#Su*B>Ql}ch3p3xMDH)+<` z42Z!#7r%7+7pnUOU}@QDf|ZFuJ*HT!EhIS4{mfQli`L6W)^;NvciQX@`fFRtmXKG*3&945OfeZ~lOD`l+^@h4|$;1O9S`SAd z&_J$2-bUxr6^dT16B>SJ=joZ?qlIg|YW>JaWqlR9-sa5pK1Ymnhil-IGa``lBMX5BB80TJvo(>TyFI*Yxz4gMaQU6oD-Bbs0uiTyd@ox5y7`UH)2QcI(KZw zBdsRt(>T+EEiZ|UZ3M3Z0A_a)=3d>puW#5S7R;TX*D>eqgGzEvNi1siBxWgx#i_=l zHPh20*#v$iq9s<#s(s-k37wcGjr5Yb8uH1N3H~q<9-iCa6XmmA z(BQefika<4MzSiH7AM37k=><>3pE93qs@_Wc%v+smq=wr<-kdHl5PAIc@}Za%v(8| ztX2ZN?fK({;LXZ!C+niNObu@3s`Wi+G#RF)4^4JJSfVwf_5m@_G!DolyL5B&2PVS+ zU#x>YCfmiR9o?<;LW327dZ~z=eaV@3Fy}@V<%L(n(S_*fG!&6Y47KXh3n(o<1_YIF z;K>k~z635Pw$u=j#ZeXR*7uZSAAs0yEnsK2V=W4cYZ@+Bt}J*Gr>tc;XPVi^XMklm zE>HeAiXk!d7wDQb+8;fDsu$7JSWqr}=i~$??ifrfIr@iWuH!5(PubGi7 zgvBfD!U8I224#DqogH&bqiB4=-K;1)*tF|SRzHt(W$@Y@zQrTdn0fx*jN6DpX#S=A z^ZEQB5KKmAOu0rFM@2tkViozoy;ja| zsE*Qn-h+Ny#{xAU4pips#@Ym0Wn3(qJOyj?jf{-3?4V)DwI;yHI8na{#4+&ID4}{_><|dTfkWzi2p_-XI z1sb{~Vgy!)=PshKd7}_p%>?^*Y!J7;H<8TXceY~GQx0t*ZGMd_CN^@8)nutJd$wjv zqXGw=;gHc7J}tPEVI;eN1*j#n4qBpYkE|)}+s$Y_qe-}#OOwlN0=l0kd3lt3Iq_?v z-}Q#`Q-!` zunXvE;M(3L$loK$jQO_kbfj$s2o6`K2@CTV!ULsgV}?&zfJ=%(@1!bbY0`XdYv~an zk#6-EVv_A7Lgw9RM2J8M{QMf*Ik(D47N({kPso>ud|4Mz+I@fHM_t9w6~WWav@h$y ztj4!6spe^-*dk)7a?noOdUr8c&2$iLT`;iZ7!>C)eJ6z%qL1sbfY?TbU7rN;UYmwV zsi25iJyya(sAQ?ZPR)#!?>?Xh$guzoY&ef&UBw8T5t7 zT$m=ze%QdC6;4vL4}rs)MS*lZI%9BkgYAfT!2gv=!8-tzf3fENDH$z2s8+RfAK+&E zjZ0ZzIcOy|j;g*{wbnQM*E4f9ON)adTL06_HVOY&wgDWu{wK!&;sX)Y*l&>0Z&Ti% zh*!uzb`)q}$`)cLSI_PP(wpa!A`OdszVPmqB}?rT=HBoAr`-kLy`}FTHWwUDBA&PH z9Vn+B2OR(DUo76Al66D=#y|82g1T9Wy< z_x-o`{V(c$lPN^a!1GyI`Ca%c?FBxN%o#MB1{{rsx@p;)9-NqMbvrnw#~<=h@^HPe z;mWsk_ZVgowP5?5p%Q)Kd#NE;Ju&n>*evJ+@j5zzHRs& zvY!vpy-@InC?g~LfaBU^UDWLdtf>0Om4C+Wn&BVgl$7k9&d0t=ef+anTELe>1s*%p z(e2kiqF8Tj-;6o;d>B_6){ANB@8$W}8@Ryg5VjEMoeGqNqrSOvhJ4^SIINCW1|}Sq z?}zqvFQ)N1HsjC0X`xotI%7~p@BV|e2yP_~|Aswtk2I_ezwMvFI1!Zwtef5kK&rdC z1E$uziAL|+3(RB64sGhtKAuv)N3g7a__?;N&`GQ!R(t%X81c&cbn`(Dbai*xtNcfQ))tdmi1LNt z-Ii^I?X#`8LrEJ9aq3vTd_|0?KT;QkCp9(W4M z%3zc~8eN{_K7X$y^SsPxkWHWBV0rsVbI&IGgMSpL663a-Gp}Bpc7;`7N@|{-GyAPPlbhWnL;#~hWcqS-FsAXb@sHt$ zo%5#5BDMF&HjW0yfy3Tjf;EZW4WsA_;kB=(FQdLMAn7ck>UwW4=CdCFPp?i9frT+SpGQEDJ z_^$-cSVq%oDN!@bCl9gsqdDEvijgR+4J6Z|!2W9*-AK^$|j#ioknW{XVgHiIt* z9itnU3K7e8Tv(61k^T-;V3uFG(?}VEp`(4TQel^Ls$J-A0KHQJ%VtLK64l(;Z*rHm zx2jBh%W_5H-&)#>?7T|KjTcgp@<8C9q7KfAg5ju0=R)Dh%AF|BhUm)%tjbx#JEA8O zG;^;yU^KB|kBIHyS>V_+JyVG2RC#o2c{BzKP52qJS6uSJ@E zV_@n~-;>f;LmFok2}c>y-}!3x_~2aZjQ~^gV+*0{h+V%MAroDeOz~a%K_z6D_F+lQ zc!LNNaVeXxRoqz4ja+>L9PN$ygROj+5|(xg=XzbWomOua#q1){rWIcOv;2m>(Cli) zTclJHQuF;P#g`YEd|al5K#3o8C?eiZB0ULO$yh15gUjkZiG=z9|4C7=U>eW)K9Wph>@hF`tv%U$v<*Iv&-f|b@}?m z#fx$d zNta;mmQ^*QbIn>!7SCGKR(CoKnD0TpX+F?YrVdSu($ENUSG{r^#g*e|1&6^!>$x18 zVIUQ4(Df*XF4s*(F9q&_UskFTR7&HR7a#M!H)RMIB+9g;zFHIL*x(QrSASfmSsN9OgCyQ za+sQaCPZSr8$?v6tfK?+8xfd*WwKAiFx{Em0e(Vsq-l9Tz|+Kc*8bHqYu+J_+&pB* z%fW^tB#UKrF9l}%fRgbXZLj+6S)shg>#`$;K|9952)G)d;>Dqx!!(oYzCZZ6tH1aT{59h%i~JJe>9{l#(wjI?2fNcSg4T_ z_CC@0RZuh^;ykm9%7QQ~uRvJTSp~JqIHcXZ*>`)XKpAI=$E!kpvmydoeAZ-gsc;Ui zkJFHfvy+t{NCrEN?AkVc81x(&uCT(7lLgW^D1>DGpIJ(}Q;}*#QH| zI1M#Qph}kVBWnUu9X9e@7f%rafqbjh;zQw&TXxL{)wb3qu1Ul=!LzEU{8^mEv5^TV zfidkNQPRPd0p9eqgX7UkN=nMLRoqGuf%e3R?)Z3jO65pMND&CC6ji>x-Q3(LlEsgk zX9?J;pN<`glRJx#qUli4SmexxSM?Fq4vu)gF5nRU+R7I@VxFOAQq|{TpaA9o=AOAo zfWtSIlIjh9k!8E4+mu$fbeWcwUGC%jsS&LAij+XmyDwFRJ8jxufcpUdTeo|K_W`(W zjE-FUocDyOYu&v&01Zap^w!Xm^`j&GXL|HmXj8DV5RoB$HEa7sPiu_@Jtomuc7YMO zw+2ID8^(}|Xs8sI4 zYVnF8oFgMEHgj~8#M2)gPY#;4^UgE`ecRa>w+>pCb*z0v%3M~>=;izL#nS5;zu1^; z$xY8hEb`8HSPu)VDPp?qxqM){QQ}#MupS8~3e4A;EO1yXWKP(yV3r13o@7<+JQ5lSg{4^AM}8c!OI@~xJL24v<=r}4ZPjK@`C>V z@=5}OLw@Wqqav9hplAw_#N4155QwaWLJ8dQ0d3AKOd9%&=ZLVFh1$pafcJV{38x=p z_5lf?jqABZ1=uYct@BYw+LOdCex~jN#1Qj$drdBcq-6{l>0gz4rG%7YH}84(zY5O}an z!?3nS>)qWeg`cf0+TVGJn11~;9u`lG3h)ZNUCR7>EW;b_lcDFIN*aG0=uGI?wQTq_ zq%gz1J1j^%h4i@%@op!4iEv|FobQ7q9e1dm%1;qb`rP%NBW52!YxAXQwK2r_Fq+e0 z%KyduyM0OxF0Dt|EsrfS+6e$NG&00867eqfb&#r%LjL)yjXIl6lYgbKLLIS}-5O3$ zugk=1mOkjz!1~SBG`fQ)beMmsPw1GDF8ffk)ZFU!X}r~-X3x}0WFs~6uWjNNy!_Bu z$?Mg5t~7Ni*4Q%7-TFSuzw>`tVeLBEhEz&+(){)#$3re`CmvOloHcV8Sgm~?A1d?yb6b(i$YbRhIs7y@ zE+S(f=`^95ONZG=ZEs5Z@0bbhh{Gezm)mb9&>?K$nNTZfw2@`|83RjBlGRkw4FKh*j|9b7nCeSgHa=n#}cP=iwbPTe-P`s3Rh^r*}v+V7zLol^VTvy5Em zS_>NW+$b@vyagg<_ca!*#o*#sH4>=xxdlzG_rKO%y8XHLqSJbKMSf{(XyH0h_`RMsaz#U032{FK>OP2sIFK)m& z93Tw1a{2P-zl-bY#ox6X*REZ?dhHep%Jmz!Z{5C)dJ7d54gKyNG;~aKRMb1TcQCQA zad2>MW8mGx#lCkJ8wdMyBA2dQ#JPIy=Cx}#vC&Y`uz&bEZvnoSY0hci^ zUBSF`-V7iDTmoFVDD6dg|8iZub{*x)t04`m=sKIrV^KroKE0+M5 z?_9ZaL0jIHuQ(ox>0QOyv)-4Lim86F$e6(GpNX!IX!`HN56HlBizc@E*`h@ZcY<3k z*Mf7dtVPi49iv4}BIU)+xw-p}K_L`rHxQS39{s_PU|p-=wuG^?+(>FK>B|);5buG1XOW9<^%Y5z3CqCt7*@hDg+$2jzH)LHm^&XG)<+%BequU`at`i<GIraMf&n#pmlI`&4;z9 z^FFtv(sevhE=EOG*#x7F*eQ?pKQNw}8j z=G(o*j}e;O#p}(LKX%loRx7AJ>{@rqe-7y3db+lRB&JESbK@O(G2MR-;6l7wBz;%E zMkI)JjZr}w${B(4k%IjOuL9n{6wrI{<*5oGK>rCLfC6r6Qxh;q_% z#@(2fbbDTWiZyfFnC|rcC*|#_veV9UK+G<21ya(=6r=wv>;yitSD$q*$I#4w1Zvm^DSi1V@|4dAStm!E+=OX>fcxwBbg+^fNU)d4Xe@@ce zb`mI{XWBj{eNm*pNv)h-X4Xrjr9_bHuetxJ2p1p#8jhCf6@Pf8hr_&}xhyBEWh=J@ z&$PNSQJCGB`Ev~=Zk8D7H$CfB>;6*_bNGdy_CMvdytl(JYjAOp zQlC2cgi&e9gR&?$pkd4zZkHq>!?UL<-)vQCF?LvyYYWRz{M1pYnbENjP0Y2&xn!AF zdW!z>NX?FONv9ygnR7c-uRzDmp=PkItdVILNwiHD(&e^kDTS(4sAzj!Bgay>Shg1k z)B33Ju)@(s%W$r~lG4{fP{48kNfe&H83(FZreC6}7H!Sk-ViUfMI4Y=CG5+pZ(iSo zT5{K4FF(CKzr!lK^lB+$FA4E(fz_r$&h6#6MxD&z*7KS=oQj8CPWZ$;g9i)c?n!4H z!Tl5GfSbYz`~Cuk25Jb)KAuB6houJFeHgH@`7Fq2Cpw+s+Ua%sW#+V2-x+9W7|auX zkdZ8DyT2qG&bF*eBzE1Q0a>e2ywQ)*TcTgLt8B)+-Mw>$Q(q8o+s&ad5259eQ{_lL zZZg}3?O^$;$RAzm$=c~Ft|F0)bMv)Y0RyM197I0oW!UKXSC+B3r*P#31vnFKxAbc4 zEnOKBu`^zZRkhQ`qf1S%sd;0LgJ8UQ-FQcmE%HUROKUQ(rbzVNijO=F+EWQgV&l{N z@mr(1_DiGNNr~MygSz@3cKEl>nxnmzrcgvOs$nE(Z@V>z)attYG(kGWCu>8qH3f`# zyNUTc8`v38L195&8J~?1w=?dYlc6JVU(iv>!gL0gs(9{OL0;1bt4w{0r9tbncUWMR zsVYR`=`B3=ie|(_s_rKp z8$H8Z0tG@zF{kr!o#GFx3&V?x!DlT7=~RgpcKpV@jZgqu@JEQ0~K$rYP|iUr6gwZjp^t4#;~GTQ1Zw~dmR~c z)ruQ*y|Ho5%`vtP{c@aLuWn%{^l&XuwEUp+m4jJd`aZ?cGS-twf}^!eJ&$E{R~G0* zD?frzE_IHlbt-OAl!1xrUBkPLNU`Z`Q9}-u@{XlFd?Mq_mE{fg&ZyUCZy0!PgP7mF zoR;gfv?S8x9nsgTf9$GqoSU39xIDwa<67Hgm{=amOT5OEbF#!|EZ$?fb}LuwI_L0a zaQ&+^E3mBBJ6qrJ7nA5OW}~)thljkU*B{!#`Z5$&j;bsVD-kfI+#R@NI4cCkcIoKZNpS+biPv6Efd%MRSdNEw0xAd1v>20_GduSNsM;V^ zOe(X2&Z6G=TVY69nj^t5qh%XY?g#~Oy@gXVlg*_HXcfY0bAMZHPFt9+pK(?_D4P&% zYY53%cW?VhbJ{m87ZqfKpKX7(3sXky?gu)eJE!aJRCy#y6S23eN+nykQgH}d)eh{Q zaU*-uYZviC3+NWv{6`l9d{9lgbB88>raS~@3!;7)o=e^S1r}E0%5&W)EeXp z16NCh816`k-2HbVn=&t{-rY2Ltw9#$^BH-wc+C&%WEP77lleRIY6oEo)Vnvc9#sYc z88FqOwO1jP3+Dh4kh<=uU#|H%z(@M*qRe-HP5-YMeF4#SC@zsn^{cZXywM(O@>+N6 z0nuV`5$W8Pu{T1#y);Yu>gwetHHk+78gV#1MA3o-#pd$%?9&#*kwVg6{1eI zeZ-C!~lvrSj=G~Rc4zN=lk-uNZ)es8bkNcmB^hH>>xuoS&&|F3^B7O@;ApQ5y z=P}zLBB=Yw{-Uog)F&yatHB3vFSB2J`_!rtC$M+UY<)ObZ^;k4Kv_YWf+-L! zFve2_YaM4CNZeq!^zJ!ekU?VMt%9S@*+`m=u0VoMx3h^tpYtS;nJWC=#W<;;Vpf>Q zOuxVXsO(w4nR1!7Y!18e_OL}CxD3duEfFzqX|8H>RG*bMCt#ngq<7?m?T&|3DH(L4 z$NXy904en;Q3e-%++RKT)$}vFAO&7l#Q4R~7Iow(?^;yq!(#A=`s=ZOkn?obDjYj+c+iAQ04T|6<{Lub&N;A5{Z!CxnCeNcw^ZBEC%4F#qkMEA z9$Yu+mKs4co)+6DI<%G|LBnBBBdR5xs4ptCrjx-AzaP8w-WO^#ya#635p?Qxyrw$}O!m385poD2-5o zIb>B?@Al+Io0uKz3OgYz-_dE%3eg92x{j*0)r>4VK)fj|9<Yhuj4AI`Ad!?+?6Tfb<}S?udM|4;dO*K4E=3jO!g;5b>_>l>pV| zp69i;>TYc&S&@abW!wys=xm@#%;`7{irqWVlar-P);cQcG4`f)R1vPI<%%R{$=syg zar&;g>dum&y^#XR24JKyJ0e9x{q%BypVWM|6~E98F4-_Io#+%MQURTnK9&kNHIRE> zNo7Z8uWRY9|5Ja*ZJh*2@s{Pd5q8Lzo6*;(DZ>k8bUt^!tCf-H)GPQ4Ts;VR^tIG} zfPP6hyUSGZ4%v5&JA8F6>9{U8H_3kafgHXT^s={N)Nlsbqwmrmj!uV?^aoh8dRs{? zukz#0N@9usUiLBQBfM zYt(I-o3ScM^|Nk%d!C}^y=f|6tIN0OKl5rMK+IbW6yu8y$6~4s${?5eYD>24CQEex z*9h$iIEnGlLpOI_{`$%7)6Eu5CudbPZ4~~zIHR*d9@lIkL08`e_~JQWaW3~3e?Cum zurm+D3q$Kj@bTg)h51307t_-=9emwdNSn*rf^2F*)El6cx;9(VS@=ev>x7xKL&M<3 z1g?566JPCH_4*3$7O||RLd+|`_l)H!3&;i9l89DkGzAY$K^<$%XJ}`w>MY3xBG^Zmv+Sa`rQSSMGlV60g5DYN&>nPF6RLE ztP9$suN3T?WLi6Ju%!OgA5t+ihbZvS)ZB;5iB0I7x49-B&b?>~{6nJ{TNW`_IadMG zg;(5p!}i_*N}sM+k4H4$xFqZWobdZqq7@^7pyTkkqsr$UT{vKTO!bm>Hs zFS|%v*bG#4^H%-RC374%4N59HjECx`6SYa0u0$x|gKFJuk4tuhlMEPiRy{rPc0ABI z(HDcspUp=bKe9P8Nh)3p0a}!vl;y!0w*vjzw70kIdaL%m>6$L4=BWwZX}PA0iRiG9 zh117E8ozw=rT-)ILcygF2##pAgp~oAxCD$D)?5TD6->P%f2I@1Of03^#5m}P4!d*M zAj?+I0g-|ddp7fVz*Rcf_GMkl3~hgYztI-c8jQsr2NApJUj9CeK35AxWRrO{9z*$u z&7HH?gH{$plWk3D?)SHMIs@m7GnkK!vDU&Za3;9iU)V}4)JcVJLyy%Dw{^$55dBrt zB5hji(a}l#_)|@7M`ydUlha-f{BOCp{;{s#rd%l8$JfoI6isH%0e31BQ+HrbJIrL| zKj+#z@_6^>j#J`JJw-cJ3qx*C$-zfAsC@{sZ@7kbU|}l`(&S+;7Ard}(3PhGeFx zCdfVq4}zY_kS+b_7i`X9mTp@ey8$!iPrR$>MV;bCuD=?tQFYauXmgFy${0kXJ}yqY>fT2V82lO4N%{2! z@ISnXuM>Vo`AE#j1DCdWOr`~&+yDT>_5D?J$>idK?^P7%4?ZKi$V;S2w3<8zx^t`j z>luHO^E0KA3no~zRYwRVweQuHll;o znLjn5lTSNbvXCk|97f)|J=}v<(!S%AV8p9ryG)SZYgTVFP%`1F6vNmh>|}MCcSILM zSQRC&#ndB~Z2Gaxl{CTzxo`D0wqA`mc$=!PAUXKyA_rtzuFs^ri`h)5ugc+-_5{l@ z)C+AYT5{z;&b7%JsrqI^Nn?mY)S$dpZU8n!p>lBimh6kw`6lr{Y})KnItIc)J-GUhRdhBh^csP>Lwp0MU3K~Y`lH87gbRHxaLm9%d^2A6;tf~ zpJ-VZ&CYcUstz3?ANjeO)MRbVVPu@S^QhKlX0^@2Fw8PGk!^JKUFO^zoik2EBmq{{ z49c#HGM<6%3^^=E$*$xm<|n6c+e})C+9oGc*;jpRtu>`vvIXT%$vvbgT+?_)a(Zd6 z@>RIe++@deO$${Z?7Y&la4li9Z}yR|F)?a*x_HLZG)j3A%F~%I1HQ*vCENw;lsA5# zj71o|iw;Ix+FE!ZJ#}JSw;qoFAj!)&Fc$XCYOlf!)`ZcZFv6};+A20X#+(>$>YEQ4 z2N0j%x4+Mn^))g6F#TJG{l6F`fBE55zY^iQ)*N4n`@`h#GDZRbN-AdqRU(Lj zXUDCprCAD(0GIkQoKU+)E}?866GWX!%qOa9oJh`{IvFf0h|z&_>Kj2bsAxeMbzbm@ z3+KGHd;x*k4*&pb1s03PWBPo-q)E%ANX<2Gp`9KC_2sA^E;iu1gmiec75Tt*EVgGS z0asIEM32LjZ@AW7rhIX^$rwy!8Kn>I2?Psa9ghLciG%PINBZ>IdA!V`Q*CvxRWMrg1#WB!;i@TGG~ zTTV@3<45O4<0RLeYuii3dn=&B*|)iw<5QU8T4EIEiX8M0A~^hA!i-eHq(_gB_}+AmfI| ztQC~e!vsqh_zeo(vSYXfOWI07W&s;nRxRB)AZIGR>i^l#>&$Sz38&Xv5!Vr>p<9ntX-+Q$uV?HSH+qaH--W z2Qk~imi?Gx+PY_#la9ug$vJ?SwS<_4d6no*v~11p<$Ma1`0B|aEivbzcV@wy2Az-OB3n@l#?d0N|G$^o}#o@I+P)`-W1qxTbn~0jQbjH zOsdVjBS)4`z|C13;0Fn(5rU~zG|$#%3+C$l6Si!fRXclhO1AAIH=TKoiOpg7SyhXl z0`&;yoc0>jii@*U-hZX`Unc+5a+HZliJ1Ta7GB0t4E51GdpRm@JSpwqS;(m5O$mk0{RZXb|b=)>HK|?s^y@%Toi@?3Cb3 z%YGhTuGH74KV@f-<4bF;3nZjwGmjZ4HW2Ihzk>?v0)9p(P;*is6Y2>fD_HW@+UPr-9pT<+tD@ zqqm)(F|Ym7R(|CVfOfAV&5`WnKWX~DSe4IW$S>6ynCfk5$9rt=*d4kE8dtF6Da^XX zg2BAJnP9`X_UT>gWxL9}3Wno8rlb6L+f@$L#vR0Pb!~bDBKK57rouBiVl&Z% zfsJl_t*>>Fe?~tp$t!{6i01yx$6w|u2l<705>LZkBu8wL_uU~DOM$X_Hhyb=Q39)~ z_{xK|*gg%A(~E9IUeP_cd!O+Nlct5;5VE9BOe%G0MBdfb739AiDG^o7BOY9S;HCP{ z3i~y_z$%g+X&P$U|5M+f3`Z!NTFgBqN0lIdRA3mrKTDmb^D}mq|95i{$}>l)(NEr$ zj{q36?pZn|cd!2G{a@)C25kAoZeTe6$#n;%uhCVv&%^0!ZR2b7pBg*#t)}218Btmd zobcV=bHIj&T51V*##B_PRW*d7cDu)$rE{ddE){y%64_OZGqiIhdLCzE9nH#Ql@SFA zT3^>|NON9z;dtC2UR6)Zd-luW!dNa$c*NSJg6I30`z3icI5T;kck=`$kPw z>4|sY^GYXMtAiHL?c<3BTHs6myZj@F$gELCnObwl{9KKZz3vRWo8gw1Np{l8;QEeE z?uod;ny@a*3okItnU$g4Akg43x1-nGeeb1d8}C7+zVTL;rvHrGT*?+Au3@3aom5t_ z2@2Pdl&$ha5OPmzFKH7JF0qd1hKG~ z7*bjXuRi*c7`{ULsmax!U1Y9;9>DQS*xz0(i+}$5nc(e=a_ z0{ds6|0C#z6)_{u&lv#?tj|)qdW&C@YzQLudU_(ONlV4cY?JIXcevG^A=U|7XDU;D zq^okdO`ZA%2fk-15-~d>$CP}t&ApDU(yq1jB5rQT%tdw*C^6_!RYY9mxdkxG?znHe&HUJ0ll-8JwNq$B|HhWX^P=p@fkgL!w80G z$KYvFR4cJr6KDSe^UQb-xJGa8E>ca7e9G8@2Y+I+BHuvF^IGgZ!w)y-q{GpY$BFy!Xf2Z zj4o3zuTyx$2Yb)l_A*|vi2V7)qM*t(-+ad)8@M_msG?ez&qlvbmWs6yCi7BNYD8@# zNgQo#6d9AgOqWLl?Lik!nZlb(@e`;CV8L#*#|F#MquzZLja>jSAA1D-_QIWr-et~pWL@Y{TrCedC$$ZpBU1DVrC^YKJnDP z0{fpoOvm%2H1G%GwDlOJn?F!#{3jr~U!5#LNb?-w}(%n8-xhqF5dA}}B9A}ZdUKGYoP6G0le_gN);aLW+ z2qaUU3WyKQTU#V|9eGfx!PGhhy$d{bGF7Wt?itU^fTA}-cSuAeiy03+Ad zZvJU|bK~D{A#G*(nm8`=`D`t?`UmYjkn{Px?^}PHnI{d=YiXwy5DC2WsX%l3&}sTk z--XxB=KdyAADqa(l~`69M7Lj1Sdhg4xa64`I28UGs{7og?xdjm$dz?1x%U!F?;%Fw zQ$x4Oxvm$mWrj4Zgo7;*s_`IsI+6rFWp1jBmJTHPw|!hb@B1prVqZ}n+p-CTF$ z6Cbfym}xJ8^)*;K;fM3*h-22IW}gmeO}&x={906-(B00?@r-dCcR^i_%K!jYyHh4^ zAnu^8TpzExom0}aJRhj#OZr5_WZi+TO`f}$J>VN2JO8YqtZF$FDY%Hf1puzZkC}68 zfilv)hb@yy>S{+6rI~~l>qyPrS}(Tkk&?RKJvl9EGuIoQZw*U!I=*%Ex*tF^zAe#d z2Hs#x&M^z?9z&Ea9Qzk+*C)&ssBY71^nyl9dT3{-O!m9=)QjZ9Ob`C2$50E}S`Q39ez>O`6 zuE^b9aTpM28gHU}a_TaA;qD=Ke8RHY-B-`-`;Z{S?cmz({Z)}m~UYqHb`e**9g z-&n5JM;FcEi_8mFydp&}j86!`75&0xvC7e5VdG-ru(Gk=A!BCYctMFm_3#G zCAy@&Dg89(iB6l+g3a~L8~f?3ACbJUAFY+>e@TBJNnkgjYS56a z3qbSD?Tm%*>XpMJMVd2ufYal#>WbCF>t(zUS>%6_{~#e$P4=!k*wiFWtj}88Pw|fD@W4B^LYq zHQw(U@#s4hNN=WhmLTZ+K!@XmQI;p)85E`GNl4bwCjt#A*qoy~;jH&)idcc)k7yn~ z+ooVH^KC2~(K)VG2XA*PR+aiYyvZ~vNjFj-jDAw_GQv46u2b<&+m5Idky>#%XGusQ zVWmtDUa0w))Z&;Lr*(L|YOK-t-e92ih#~#s&e`j@BdNnA@QA32V>diW_&hVEq*VEb zUZjw^SXQnr9QeSmqd>nTAha&;*NiGc+I*x-Y+UJ}LFoh~RruvnlXiQfiPZSRX>ee! zpAkcDfZ#)DKnC`+tq^Cre$nc7IclXtY>bu<2L^xljh@CGvG#y$b{^Y5 zQdSiI##Lv==q2mdDKPZPEyI%Dq>;5+AX5$QWRO`2qIP@{inbBo+-f_OJ1b5NgS%U*Rh_i-~uCMP(^= z9Vb)e@U|DbxPnfMMT`E!G)T9Wf$hb4>|PW6k0%JVp$ulF!5?f_#@3RL$oXelz%r@4 z4y>#UOzThdIHf4?JW93n{jIy-!=Zu%71deK(iy6Pcpzm~w_00fDPQ>InR!qvRaf1N z7c6gSeQ>(+lFn(WQvll0tC&INUy;jaJGDaNFbMQ42M${WPUZA;gPV52dq zxwo@QuFeSrA{`+la?Bp3F$v1-3=)RG?=nKO1kGT9nr!TFiblQ~i*t z&^5Rq*lCeOJ^k3@OK$~@ReFf6=idUl|6Q+KUN$(}YD8S}{rl7#P_sMAqWbA!5yDt{ z@VOBg^Bp_g)2GmLfJIbA>XjQqIRr+reh;_X6ha_oX7o~?MB|5Cc82;-4Y_aU0cn7_ z{xb<39F3tXMG`|!S$>}sR&{gIj+@^;oP^w#^32(Tjx?j)eH~nNOW%cWb2tslISfRD zXZ}WWHho5$&C8j3QGvb9yh>U)-HVLLQt9IKmR5O4SK+H)>>GtBkH*quX4-PPTPQR& zWrWpfVS1eCrREfw`Bo*aH`-Md>C~T8(M9LY&=)0m5x8UTLc+qN7&~{#-;xoxHAo1a zFzb-ki*n`2w%rS39xgGb!p-FLn@M1W4N4P&s4_rtMzQ}% zAf|qz;3!7MzR00ZAFam*ZBlDYB_^^u4=Te;T)8Qf31zXE3b>6gn>EjZBN?qQ%ut%+ z3NkYTGg^XM2*xB45nwPdq^hnWUJ6wcu9u+$f~sPol@zqLD@Pl zqC(b6Q_Voyj2VNC!*n1UXG@MKY^jvrwf?$LteoZLb>%0mPWa2lDM?;VIF%Y_rN77> z>)gNS5Le+RE_<l+K=!%XUa z>?Y{#TC!&leAT$*PIBeI*;3GAriq@JIM54X0E`G0`M*+cSXbQK;)D)yIE993p89fB}`p* zY$H2ea6-*JJ914+&jB;a&Y0=ZFW>O*(8D;L> zwc$o(lIn5$3U%&142TyFIjSpMAr`|Mc~=byDhs+)B{VX7oIQrBBUf}?vC@r3;Y!++ zv&nPXoiY%iaYj+>GN6LX>wWiR%+pHaF^l8+*I}yz)g2j}li;0tzgp2-a95^x`HCXx z!w}p^lc{;i@v1}4n=7atWnc%_XZOj+`g+7Al;y(8mK9_mu;_M9*%fW6>@(x3IK0U- z^xr!4$Dx&qN!{bLC^Qh2a{&D$-OfW^Bm1V2#mDD>;uTmpeD8#@K+24*!8!AEK$j3T zx1-@4z?pvpL$nQAgW`GB(|KVWXlda>v4z~@V;Rc$ZsC!i4>sBI^woj zd)tLUkA$Oy_co^8(;8eRSBi%mnJ+Sj7DMHCb24E}Jw9g>tg98ST?ebbi0NBNUmZyd zv6hrKx62kS%u7U;wTwVeWb@6?NWIOQqpa*wv{K@wZOaH#h!S-=v}L1YM8{}+K&RY# znqWgC!ieHk=!x<%!K99i<}J7p5?R&ZR%g+R4$3AG%IgJEi>`qXLsVc(TCrm-bLUJ#A?@%^~go(E6#zUvXz~>3db5xXz z45lk$`GnK=@9y7`(ss3H@riNL2)m(*;KZTKDIdFkCvARqkF}mrU#uMkSz$%HwmKAR z;;SNYF$lD<*Obo?@`&lmmUq7^8x2EeKHUmmp-pJ)FOj?xjt5T6*#b4u$fn@NN7}dq zP%4En=5OZe#6)uA^`%(`#spMLY8#S2j}?#~>Z}d$P7g|M0b($K^(mE+7r%)%b~`op zM(oRuDAgHfU9Lb^G@vTl1bpvw#^P{$4u!|py1O|28=O@`L(!=%Eb+#Tpt2;|+PIdwow=n^ z9`!~RJ257brD<4QiG@^kjOe?Pr)E1XeS0h_?(*PrI3>tmtM|!BU0uDx_+tsEXkGwc zdM|$d)_sSH#Uy#;QZbB)3VWu}I&?*hDZe|xwe&GskY@&kZ{3>D9PhhqLY@SFNAY~a z2@0EKW#dKYpaUMe^*zI*3K|-+1xHW^l?4P}q8zUo4~R-KsG*MQI~B&&G%)7Y*kMfQ zds`qVqPtl-%x`Ss{zy`+l}NNtoII^>*| z(eTZQX;8tPpxO6=*O~;n93~oq@V3ws!PRkU1z3vmEr>~C8sDgQ%M(M6IOcw%>QBs{ zB|vrxG_ZmN_nKM9${N-Zqt;^HoQai373;*L?3_fd(1}@t&4|trCa{pf>dgXTvC8tZ z7+(|?mY{GO@_`ZO2q~`|Q?l*GmIqohHw6kU2QvKkEE0<9snzd$bXKtFNl28cak*Yz zaZ~Qm}&(NxP_j8@|a$|&;Z_i^x{jJD6|4-Xt{lvU9VIUag^-0-38HS3s< zT-&FOau&Iu>SR zNb)%#cwn$`Q${TVGKN*h&a7A!Kw&P)h>-EaPRCD`gx%3|h7?UbROpE!-J1{@%ug-M zE$x>X+^s)8!gPD9%w{Wkm0!5>7_RO;hJWbPS{J{}(I}25{ zTzK+esi~juh`;VhMqywCw3WoONhO#Z8l;FpijOM9;WVRSH_(o4D`$3kwH^j?!X)0wc^L}DFZ|j4-13Am;6?G}3x&)>9khF?K zwF8&Ym`JQ$xhW7`L4Bz9#z=Y?gMtNFB9nPdoN%XJgo8+}@^dSy>7gC4*m8MZ%BLQ> zCrx-qoIQ5rDd1|Em++k>+DU1(S%X`emKq#UOGAS-~6ATU4dRfIVrh$QS~&L^OX!nkevFw!){Y?2l8b_w^* z49+@}d}15h=TjsubwCWtb-G2;x@J55O~EJ9oMiqPF^-KADYp0gg7Z&F09jrt`#FFZ@U;BNGrx*^+{qH8T=wlR7K3lwp(!g+^E^f@5Lz}(Su0D60| zdM$R>f>u#c!gEb-(?P~dN61+&lpvgH5{U_gLZ^XJuVxMvj_VNk`(_4`46*Q`h^ zcK24QecZ#gsY9Tk5mGc+ReM6U4lbv`%+~w_O?b}AJI2C%Rlk^FyzuPG6OVh8y=c$V zrrt}jX=@4kkgDEcmZvliY&IQ-lIr*JC!}|YKkDGNVgTg&=U#2Fw+>W(OpU(RQSTFB zx>7EwyzOKw((G=5zo%Kh0PZnpznPY%7|`smi-Ti;oskmdv_Qy`$?TzIz1u81<2i88 z6Qcj{cqFQLBC4;<9>E3GWb@C4`ZX5Vj+7!KDn*mpB_HMI;5N@vF_xgyJlF0&@GR^8 zG+Z4Fx;z`!AJWBao%Uc~Mou{I#57Ssw9!tU>xo@Vbv-6zgC=FfP5Kf20`I#`(Y>NK zc0_}82`%#ezc}So#ui70U;Ji-PWGeaq7roOaz?83HGDx&?dA+JFM0WKu2+aV+{tqno@-QFlxrPdJ~#Ayo78iZfG(dSGSXkYS(=2~M{*L*R=m*f32>fIRq zFjUG;-_cnC|4d9T1pZ&7gt8fFJ0^#K!`Hpu@3&=(MWl0-Qa)Qg3k}@~HdGmg*q3tr z%Qs2O!1%*aw@{Nc6W+!h>m%srOn$woUns`XJUIu*YHQ@)%f(MGds{<5ANN82J%`*BncAn#GDL84wwbxH5KA)8Ucq-2XoQFGwTl95CL8Q7_;3H`6S%+I)eAWhCTn z+&N&FZBRXkuV{9e$#l;mlPfD{n?uDj&!AyCJom0pro_{dW~r^MNy`Ahv8g<@Vdp@-Sh6zQTd2#NW3Tk(mQ_3|TpyQl zy*aE$OOn~C3*`17pm;HyfmESwnYK7rEwD0W&>}TSiZTw* zMrF|~SbeLq6WS&*6*ij0jSBB8b`dBz2MkPe^xR7KQOno#iP3>X4@ennt&Qp}=W5Ze z->-?YlPmQNG(c+VOY@}(Hh@}dm3v7@|G zWj0dA3wkh~t?f&(iru`~aYJ8ipL15-!vrA;f703}PrbU)!kj$;6+-dV<>>89_f3sf z=vq#1Sl<4s5Tu5+_lk9VI&_&y4$bCM2_{ykQoWxDml!oZUgZk+iSB`f_?`qg^t&G} zeOg-y;IpPDR7C_Z*w}jJ70IeOPjEZ?Eh<_p*?Dj2acc;OnZ~%*lbav?U7DjND%eh)V8HI6aF`ME)TRJvG!3hxEo+ zfV4q%nO9)rS_Xsbjd5!Eiuu7QUxBjMuN&8NnG?+}HzKD*(rp9uQQ=f10WJ@M3oNfs zUn{YmVyS3t@C~RIQ&2@M@)gH`SQkxyqu!>XCB}ETUX=yTy~|e_rCuGKB;R5vqqIoh z*wj`|<5M*q*S67Iimfb*B9D(T%>|mpV?5Co8E@l}XmUEGsheaf!KNyJ=w%K4N4e33u2ktEkTE>B^^=>kVp;k9b4?GqV1;vcUwj$W-kJ_c1 z&O`;51y7FLnp&rcs$L~t@3#L0~|w) z3RdVdb+E@Q$!22U65iM*k|n>o1~g~mBfh@$#xwcfRy4nMwUu&QXBk$xk~8+jjk-g7bVT4X0>Q?$=Y-8d z6t_cGaPTY`GBlnvr&0oM`Sl3Swc_^&Nz^!0Vup{zKf`5+sJ~RVPS{8`3C~i}=5oaj z--+ia%MmHZGh@7eD)8)eHnR++)-!5G)j*HO%-HwkE!Kvlh|^o)U^W&WmT@Rsx@l-V!bRTIkEfBq=;E(Y*aYsLX2Jf6h9us_50>A2+ z*T=;goz`tZ(*i|)m@nhTI7#ua$~m1ScQX%?Yg2J|&r&m?eJc#nx}^8bU+Yr7IaZ?} zyl?LB9wsR{IuC93O-qk9PK%ffg;8cek_librcu+M>Q~gwGdN_qn{_y3MKvvYESC|< zQl2NNznRbp9kpED-_Nz6mt{%S*k_Qrl9EIi7&41kbCyP!@3myAr>YkBXvrvIi>pzV z`KztFhT{;(7Q5Q`s`OZhIfi>;w_s*#^$MXNYU51agSdM38y)&*sI#(KMg5)FKjdgD zP0VtjVH>jy9BirQUY=0Lx3jvu#}(MrClA8Zk|G6P_z%&_r@h7i*^Qahjf98C%Sj4h zkN~&U5F7yrzd4{LUXjRz{*%3mcA2ueq&v}KM_6_>6*Fvid7^~-eR#u1(|t<)0?b_7Yz}=jrwmafx!hG zu1;#>!6bzEm!Wcysy5$7%gHW1R}&hpV$ElbZG}>IhG^CA6B9~EIMVZlgS@#I5($N6 zwBj|o!~|5vO!mwq;OhA5PrN?0mww2b;`Hgk0#esFFHqb^n8A4#nu(oVgh30K&RUN; ztC!mz!)fkpE!x~3uTLoF7Bj7Ef(9gxbOYfQH5l1mn)a1XC>QSOIf3Vmv_WjI&CUUt z_~WxnP?i>M9SZtzU%L(4>Vx}XV0|5k3YxP`i{{MA{D(q_pW@qMmHdP#QnyKamSQWZ z*(xNxRdv%Lh2hG&Ai7>N75-k$!?{(FIXm&3y&FK1_c@QdQ_Ve;45_G6@5hT$=ZZ&9 z7lm-JTyK3e+D?dn#emHGIaz-0F+t1F0eAQIeQ4O#>HkjR#fx3o=^xCp$#wQuJS zw6w_?EK$oY>tqQ^1RHR`Cf1!0M*g)q?6P`wX4W?K{wPN`y~-<1`&ip!P$}ZcW_Fwy z=X0U1yL#pzLObA{iXyH(KBl!7oX?}RWf!R9Y$f=F*Rx)38b?WvmxoyS5KML6ttgkE z>82bADtoT_VMD%nI-Bxrk>g=AB!R+Li-xwe+d`cX#{)jPNh9;Zy<)a?tpBx*OSczG zU{w=sb+g7KXAh9V>vS}IHznKZ|K<&}GX?Isl>D9Q|E#%B{9b-M6>LP>4CJve5ak8t zQhVW;PR=D)V;|TqfCm}# zi)C?qxyYr2NMO>Bp-_>dcddc}SJFQNd5PIRO$^%%!+G&$!-bZX1=PPV;JJzNy>Lr# zG~6!_46`DoEUCe=7#Zq_1=49~ZtFWpav0uSDGLmXu%SI-sP2h7p;XENe=2FwRzKs@ zsOhY(xGgs+LPvGE`j#oxX2HPmZeBvk+1ly-ZwsU8Zp%uF`J3$fZzyNR8d}2GY*74& zcxoExCMUUaZczDQ*Tuaom*@$Ilz+|~I9$vPr7efvGi9b;TQZI?6tU9k&7F`)A=<~5 z;5I|y+bovnf@}rNr$bD}EAwq~iG-}zz^xb)sQMMY#o~Bf@^%^Fvi#Dz47pcWC*`yK zwA7{~=+*J1s3+6;auGZ&B^kg3Bq@_BM0b`u4KJugZbL;vZX>_QAR;L>AX(kj>bai< zri1mWJ}Hlb+(6hj#e72a^6lO7@XDZ-LEc-b#+J?hAA4T`7FU+7ON0ao2_Axk;1uqf zKyWB5Na2#g-Ca8b*Wd{*g%uQDg#`%i355kGXmAMbyz1$>Z*I@)Nq67*?tL@g%{hE^ z*t<@hv(MUc_WIYq)&@)_L?vFMoyk#3k4@?m1-^g_w2?6sJ)(TA3m^;5V+yJS`F+I$ z5QQblSro8jjpy3F(c(?f=S+Eq-_9%q3zJ#!%A>%h{vs+V~{ zADJLktL=tOqejf5xD?=VpMHa^q6VkiC@-CrRd!n0Nz3>3xcaoLd_T(}rb)8rb_Hy+ zfxw8zwn>dZTb?@0x8cAht88NLx8`blfW_Ab*J$W#qXN>s1>Cg59-rzP+xleq3_Sby zU2`Go9Wj}7qyt`3;J{KKPlxPm6^UfAjU7$6N^$-8JngCOaZ+7`QzW;GJ%n6+cvUzS zG)8Y=c30S%)A?vjhRX&1R<3c4?&+vSjsD^0hid$R`68i1EU?8!tZar2G!BJOjJ|D5 z-*~W?0AhCZK39v1aL6UzE8U&Z?`ceR*vc7=kFtT)2D?^5<&4w`HTc-MEegXxCV(@p z?{|`D9UrE2IKY;b*_Mr`gzH6~kPov`!62-@od^AxIiN`zdP5))Bp4E8D2S*lj&DFw0SiAw)do!1H8r?^gkO5hXL zBsoWIAIsmJx}>=GBjbNg9+mY;K6L1QpOSt{M~PJ?rz{{p;rZ-x9wkR^CA+99LmDSA z659!h=B0HkqWO{eZzB*Xhv`JXIIU6(wHqcuxomoXueQI%R{i>}Ry-~{-85$y@wRH@d_{dk4^xdK`0GP&#&5n= zX5$rG`-}i+SR^NQcLYbmQ011R$>Cs0c{Gh9uf4D1T!H?=?H$K(M`2Bsoo}k)2-u+n zk-R{pQQ${bSL3_2rC$Y-Y%ff_oNDW=sT{GV2%R=^pE3(AXpHVaEx|p<_)6Dk;>8-(hjh0U$wT{`LEMo8d zlx7R}K0eSZj#Z{tr&z<$MP-vG_=q3p{D?|77ky$)TwHL>%GjHG=;ro>A0V$1_(i>1 z`5H}ExeD(}W3JuU>L9wUEOm;^dgb^tsRz~N9d3K8d*ke&-K!ht6ek>pwSIw`n~n=_ zJj*TJ55=%i_XZ%SDu$dN5T3Ih2mPVy@yJhgHC<->HuAnc8a!=X+2z+0*jW5wIH$7l4#gA%dhA(HCtEIs%7WK#erm?N-D%vIBC-q8%Z!;S6@4it1 zzHRGaHq{X^^)=`NQ>t8}ZCD-|iS|yNM7m{^m}nlXe}>Wc7a+QXI@Nn;DF=;Ro!UAW z4BB3a9!~Bx;DjUyT3aYQ#D??h1RhsjjXv=*N0Y$HTLlanmR6`)p2y{l9l&J|XLm^Xsast`#Ou9`H27@FrR zqS4P03fe@1l+w|)a~k`2q&m|41S;=56Hbh=tMu^_uxn{Bd>xE4lk}l$LYF1S?F!Z8 zoaTkJYZa#H?FjfWlWUdfGIq;e&wqFFEAX}DUWdU(v4lo23`d8wn%BZ=a5Vcz@=rCw~ZIJc{gS9af;q;f-^y4X7Bd~tgn~qN(XT@j^NtzX)QYzeqyo+oQ~jy zwjUY)WAb2XWUu;uFA@E3)|VYkVPf>$ijW6c)#s8Fs&z&CPkrJEr)n#D?N?Gdrw7)R zV^5f1g_9rU9-vSbY&;HD>mtyWJqmHC?Ici;6L@i{&3tz8IHrzKMyPrT?$6N(}D z1P&?ruy@4jFxG>fkKRNO$jqI2O0?#5!vh zro%>Td&C*YWvl+ML@D8yt13?3sdOn@?fGuGukbf*e1@pmO7k*dvf~HkmnTuua>c>v z*7|yKR0dIGrDayZZ8iNoW>Xf?e5ys#j4M)mTCS7U)$MUb!k$&p7D6d?OX#(B$KT3v zt>mV(Hgf_YZhU5gCtD?=GrZg_y)*z{uB6`V~ z+hE(LjCA_$yzOU|+;<0$K{vO&s(Q=#DU7^(Y>QlxcA=LW>}K&Euw}+sncOAGSs`l{ zVR-Y>Vr-`ZYg`HE&bE#5gbvE$N_@}R)TU#dex>JR0La&h3(Xp>2J+8ix!Oe?SccKh zGE_!uH+V3$SJmBPc(Ubk6)?OtsNcG}+C>L4dBSo2(7hXcLegM3nOHhp!=?H_m}Z)B zvIg#q8<8fBAb4#zGg{)!@}R~nkNNkM*MKB*cp&k>UXhCWk^^vCUmRRItpsjbWq9@Y zg=G-mW=?K{wWX7Od8N zx5@ppsF$N|C4=9S;f6T!H%lS3f>b^CWt}8`B>rC+DC2^3k%*1d-hl{zDOs;_Lj#9F4~pD1MuOdSE3)~KHOBx~jg zA0Gq#XGG;Dj+wul0KW%JD+%s$92eUAziG#z9DKBc~Y4ZntQ{JtI~YNL6dA_e3PAuvSn6WvB*Ba_yUXY4oT|NZW;V4wrX3m zW%v8|yz>|Ej!Gnfj;G#DZT?ukT`D|XPeEU$Hl4!;wL`M6k$!Sfcn|I_I z5XB<)AefXun7P`wdM?b8GpcAtiwKPv099!2oHh~rvrz2@^T2DgZRUfhOsC(QWiMvl zdf+9^dYfD%LR`9&lXVg47?4X|*os$TWg*3HQ=Rn4nAuB99!qvUUo}9Bo)xcHaw6|c`cvKS_lF9W!wKDEn-n@cKRSn|TT*cjgx*G?3&|A^yD__2x%g#GF;F(OI#66rtB7ck*y(a(qC}MRGHbCt zi3akt1BE~6TAMwN%RQ}=u{YDBF@X>i_4MYq*)z??jWzmoVO6?Jlr#*)%W7nv_V}Tk zdBZo?7}%MhV>6Fim#C-sw@tX_TbJ}H|0ByU5i4@68j3jRz&SK7pW0v-bKSJb zp!bRIj0I|I9a_s*kfT@ca3$n9-eEn6d#EdAUq7YYMKvaKM_=)&u`kc#Q_i4deQdmd z62Hl5+Frp;RhJrk-2=yk*J8Y8i7)3A>s=7u*fX{?T=pU;d!Kx+7+2`x!oPs+-h z@|YH?SEn9$w?sY#)Z~V~({wdS?a`f(oO*Q(kl@P2RA9E{wFEjvf|lA@n2t2&*7h{% zg29s<^}Wlb@cjREJEZZT_8+|f|3a(^=$>qh)ABqwg@v^%l`7xMw#LpjM`}F2c~BA& ztX&d64*Hy!83sBd2}?3L=7npqw0i+;2EbtYHQ(;kn+uUxmGf)kwcG zpX386q0{Hx(s~mR1aZyW`98FIjTS9^*Jq{AN%ySsyLiJt%T7~~SFNZ{b6E|0ML{SkSiVpz(9c}F?LmiBHr4*2{_9VEqh;>&Wo+pDcL6%avt|1 zY-U#mP@Kj-f(fOhOUz?=xq7wxO%Wvtz0prfLcI>-ZyPA);zBp|xulkcOJ{d*1e4-b zOjPO{WX4L*bnl6?dvD4xyi@v|<35$vCMD7M&Zd$KW1zk&c^;Hb|D_9SlsJmBYUD*? z2OA`=UbSStw(1xYyhemaF%6kQY#Bh_lasFZ<(Wy&d3m7L+?AE#wM)R^2KIlLaaz;X z0u{{Fs>oq{toaE3!Yo_#Nfq?qfzu?{>GbigA#&upd>^ zsEOCwf~D}9w2fUJ(nD=>L#aAxjgqfppft5xk0P)~3%?UK;R9%-8kc2^sH6 z{~6AZ09Ix`k2+zCmP0r^!X0zEQ|R2T{h>rhZ|UfMC%%W(=1|*?a^R&Bty0AXI2o>@ z!8y`lr3g-Xv-n8_aMU^59;XSod+YUtETZ{do76LVQv|~m${_z;Mrn(@^Ay>gTtReX z&YDQ86R#_F@TjfJ5e4Y-2rLMV+^vL-OUTTS_s2&li4i$K2B4Djnt&qy;B9wfJqAEA z)veMNjH&qOpx`D!-X{rC=Zqm`6rJDt;ecc<6Y_*uxc%q$r-38rH$@?9e}ku zYuC=Og73AiuGpm_d+(R~Bu0pRC~So+J=?Ra5{C_@MKmeG!Q5SrkHQU!?ppKE?!N9z z4rx=;E%L*Eqa@Xstd$xFj}HoJ;?1?Y-@(HvV|M>W~ zlmWQ(v0cFWiOBDf^zJ=dmsSxt*uKh{vK>4L1L&GNsye{0(PFo#9TVw@QaUl)im%aV zCMAstm)YOGtE4Ksh&7efQ%Y-OU?>TaxRNOcN5gy;j0v@IV=iJWDWcOZkcrAZFN zb(fZgs}LaMRjqLga8nFNgb6|MQ;+k`%>D?dj54^eMVZm5MA;kZ=?j~1;;YYPbu^`u z=DcG|ulc0a(xfM23Nxt)xon-!w=jGNP((cGXg=i$HKX}mqf z*R(zpQZAGI=D>r!OWw8tABH{V~5TkJ-^;E0%B4smz(obTp<2@h>qF zG^@MHQ-U|@m=z=_d|1+HQ~lokL3@TWn<}*&;D}eLUj+o=q&}KFebh;))MFMA=XZ@} zemN1!vbE>Yq65GVp_|AiW8CZ7uSHdz8e>mBA9tl`T(VJWk?Uro2)m3;3eax;|c`!|9EoQuwp4gL>_Td~i z*)9g!cs^n-geEpTsS$C*XhJd$&P?Y}tZkk8bNs@ps@N5$(>^^`7tb=K#1PuNAjPN2B$S_=>My6 zAPwfF+EJo54;n`7WWZNJ8{XE&fhfQP5Te%WbhebP{e%?p?pagpsc zTGsbxeH6L1c4Ny~rW8Qh2!YN%#b%U~*J%Y|WoYOZukOh}wf?7v@MFg06Fp`~8qeq+ zvya`m`sg;_W%E5-+g@JFpBR^K<7wV2MRqPfNMC@`M(QR`=YDGk)yIyD=(~)?s&PMk zlJ`0H4D0*4ZSa$bS-7Qj9Rpu}g7Do3^pNQ`1rd`PH%INy#d`53=IL%nb}P$xmQp2F za92kzmp*VPJ-NmiYv>~YU8vm_*+duXU~*!D^ke<4@H}>A+6MDsPP^p-A~;V1Ojou? zR^Uw=M$hQQL1oWSV!Pbfg_J8&VMei+#@V-uh;l$~CfH0*K&$gHMwwKk+6LjQAsA1$ zg0wm$P2+&zZDOo8W|;aIP+b3Yk(X>q(3p{WuyX`c=Y{y1fV{qvTun&a8>^MXb!9K& z$PL**{f&HSOags>6>hT`l56)X5_+QVeZ{9y;NGBBS!CSqRJVcgi=6<=mBIT zCmqyM<^sltvI?ngKD(KYknX;cGM{?3>X74B{D>L`9((m>LZaaQKHjL7sS!k_a&kdW z&6cTT1|aLHYu|9cyd`=%nE~gw@};z<8hH5l(PmkicC>*TQ%g_mDp{-OY{J@*#Z}T3 zO8AM!(^Cx=tvV{6g%oZYMPV?ic|-fRmG5HW(t<&{06jTR1wk*ox4t=%gEwd>cco9{aaDkoSZ`SXdoQOJ( z8S@!6x-Iy7cp(H$1BA0jn+6>Ms#cROkSgzKc$*E#=o6v1y9s#rtfzg=2%|UeAl79_Nq*br`JaVm*ug zez*G_hsWfZxY^yP`+KiuUkLZ!^?bg=NU?nDeU^K|kF0+|NwiXf#$>+F2uAVdvz_bi zvwL>z2sD0u_}E1LfR56wSlap`UTOh>fZHQE+P zR|TFH$G&z({RfpQB7I@IMtQY-Z>OFWmzi|8t!ya=tV+`u7DU5L8z4INc}pV=Vj zgfD_6C2_1W*#H)ns4Z-1-OetOXFXUv0?NRd}kft(C%ed?~EEpBl;BYnM9a*>tG z9Dfmw=>~uF`ULC~ZZ&Aq>qT4*E5KN>G0X{&H(1;35VW<~>qz^D~{33Yn@<&1flutG8^sFSfU<0eaEdNE#^?U2Ql zT=XN57ia5>zM63J`;&^Z1To&4C#HL@$TJ_Y8(j#5F zDZ}n{l05RBn9#RpNjk$1s5Z5fhor9Llnc%i{~%-UZKTF?XNo#7-YwbQXKj2!?f`;m zQdltW3q|tK>>GIu{6TDSP5rl<<-xY&nm6i4Lqid~kKU5XGbNa^SQ3T6qC5pdiddxu zDB4`@OfP7kFiZ3QOeKGV;Id~37;{-6!_;d%4V5=ZRlD&%Z!1epEHw>l<#6g{5P`B^+lwe2>@k@Re)CA3}mrb;WH}=(>(A%FN@!lK++0&Gkp^>dh zhVZ~P{p!>JNDgZ`cS3?Qwo%DW>*;uneb!veVZ0_ftL9#}(0~;2<02}<8()Ne8KHvcvGhd&DY8-W{t zj^6c8Gdur{BDX}*;k%mcHJ+kPLDi_35_75fr_Nwiu++3uORQLb< zkAJ?Cex50`52T$LAU9F)Un#&NRf^Kr>e-pIhadhHz*iKh=jFdv0Ik!R()UU^}DjZO>8b|BHU&*h<>g<~K}?WfpTDwIJj>=at0MJ{TrEBfm)o+KU) zY=*XB)B|LB$9lxBUP zxp744j`HjheCv5HCF{|E5k@*aNy_V4ofK61NW(xIn3IHxs!Uwf z-7DlY-6h0HA5xdGiFp&>st{A$dWdZ4ej8ho&_QzhtpZC2E{=5 zI(JB*sv{OpGiF`NmGSBsv<-J5XN9d;3~x{Po#OFBX;tjZJ4piK9nBc zYzn(;Yjd#j0u+`5g=(2u#k{yiBbu{g`sT0H7%0*Gbz^@afA07$Q|j2BbJW6S=G(fB z;&LBFvex_*CX@?7q(~38Reb&@e3ge)vfX(hyZd(o1Ml5?u{VM;C;sZ$Zx5$X&oW?E z!~@MSxMP$miHjJwhTM3gfC$MBi@9WtQu!=C7|Jzl709E)VYhyoZ6ZEl zLj{ir!9P2iWie3hQfXT%52Wkn6KCatHPBPGm9lK93Q~O1w$t@*`#VJ-bG7uD=)v$P z03~|-A{}^~2SAg#^CeuT%!oKY{fQTlF_941&)~$RG0ZC3_Ny+ok!>A8%K_YgQ3hz( zRcBCC?D2khU?n+^ox2$vx+SL|ehd^0fwwVzVMsT6X%nMljxl@b@t&j@ln$O`TSrBo z_$0WVa^_fuG%P!z&$df!Ox59$TeK3CmcW^vRAjlg!(Dhz(kTT_#9^Nt`v18;uhFLdRF6NPE~ka##eTyh~kjuPi1M36e}qD5=xx8Zc;y% z(VPOV>sb94cg4@ee;H0d^3MO&OR(kD|2)6|hoZJsXX}$v{!4q@@eu4+!Ok;Ri-)1Y zkK7*kH&V{V?8qGFo+B?;uMYgZME^v_U_HTo{0}9grdR?7M{9xxV!h3uL^J%KUU^>Z zpMKr{^fmL3CHIcX9@aH-Wyv-=j0){+82-`U{rV=P$WKlu@=cy9N>j6y$gvB*lhXzGF z03J3rT-w&p^wTi@WwUuF5r>az=m}O0NN-_@+UP7M5mtt|^^C;{q|(c#SVfn* z<7G$g3GPc^=>Fxy@(8#@@as^{gvBJ1;d7=B5l}1KVTuPA?5A&_&#F_M<9Dv;bbkVS zQ&v+Nd*-TB-IfJ4A!m1A67Q>D@J&>{vap;`qfaeWPo1zxPktCl`0>%9hQ*zp3;PF8 zvk9DS89jFdl^-se3|l6W+xhc8y>HH|km86DcKaUiDAd|ADDKN*rAKWXC!lrRH*?|b z29YS{F)t6=XMUqxuFTFS;2R{X{_}5--V`IvtGT+E2(>piDF# z$GwS6>P4z~z`q{e{q5ghfAObMS*u(G{t=@$F$@pGGl!Z{1N=}BI$Bx)&UMVrW6-eP6i?ph~>?jr|;WSy9VLj*}qa6%JP#-SQO8lgAd1@H1PxN$XVR z8P{wLxeBLf@4bNyI*YY-JsS_yMRQ(i(hY|!#x-UDMqDf_^XE7jZ|YkZ+@j4finp!<2z95b%)XpXjs4(_vbf0Z23zq zeKGtNyZ$Pfcpvk_bGua%$m*!@r&pCEkeecSE@q&c+P4euc?w%)jo$YZy`q0t?6hBA zGb)6^ks1ne=E%%av46u)F@kfzZ~D`;6J%c@dlF9ywSpsVdHlWLazs z50HUfTS=7Hf8Vh;UccRf0Nj2Pf|&G!X0Rm~bH9ud2cR#%FQw`3)R5|H@Lc z%Tor6n6ykOSqm(#ugOIC_pH*caH&DE57_C&bVS65=JD}t zzTo)W3BBRDj0xEtq6}x-EM@7x+RNZ*(m=&sx)HOKT2R+yA{9eh9I@?q@$lld9f26m zZ3eP+y}MVV%1>U-sq-qGi>vGl-1i zIzlMS!Y69Jb4QP z4X-EDd&aLQi|6@vOkFyTNdZr_K{PKYkhr3LJDT_SskFFdEwJduSfJKQy&!Df66!ul z98{f;9SLY`xA;j=LWt@4Lq|Y7YJ}YxR^NU&`67-E)%Wb{?@o`3^aF0D7py3wk3JqM zdaYV}8ww##_R7E68@w(1h(!IvEv%xHHz_QI`~AijSwmljbIR^qqe*_n#d1LJXb{it z;V^+e%^;4V69_&^a+V3aDM%m5vkkY7QnCz~e5a{zfmQXK{pAFISj)$yS5I%5$lhp4 z8-0Gm@;u9Tz%ld%y;_(@$di}T1V8z|6OQSB#ma??3+F23dO+*65nVLxXYUS03d}(7 zkXazn(5k&t@foDH2(*X`95F<`I-VwF@yBJ5xjjc?l@WEhUqqoQJb(|DHK{whJ-EQe zXfC-UcuVs3602{U5CC0-6uF-E8I7{?sZb7$`c4w@Zm^4T`>RSjEg*qSVqwAp>EO0y zz#`_@`&xe7to8)%oJSv2>K_efcX?*Kgz{g?ry--|w!gfj4EHG~nZYA!Uw!*LdwvZt z)Z-v6mDcQ)kBiiq!6R-Wl5ya9GRtH?<-ePT-M1{0nA)1ZYQg9e77P5kceS30!%qOk zseh-KI!*y$(mL{%j)y`;)M}Peg{gHxL0>VK;#yYIS%T438BgX$1Emtys{O8t_C7qH zxj}JHc#`Th(_$v*mgJ%zd5S#8D3*e5r9E13)*z1zvx;5M*Xn(0dH8d*C*Fvl)keHN z8zHLTNgfHDa*JRdrNw>bD8y!#MYL3&-gEf#&{fA#8mNqiWBKr$J+xj1Os-pSqEncx zgGf{k2Mcz-CG2`z`l$*l7=97tSI5*?07DR4D+SuA-+ z)Ifgno?HA0gC|hb!Y}NnV0~m8R7O4eoW$TIlOza9j>#zW{OO40dU`8ZIoK*4??b{i zmT%GU^flVO;Pl}OVY$-;D?x^aDtvKcd&yR6w5P*Pwo>H_?eoSF$}-W{XattY-0JdD z@>-l&W#d)r&~~2fF#amc!N;~zT~%lWHC3h=%{c-r#_#Jhp^yb>kOpaf=SJXJRH@F< zR^U#x(@_k!NO+priw~_uUnwQOJmt5)BDh9->p!Y7VD93v(?nrn3%Ibo73W;~(w=sk z@j!C9DGccXcO-60G{l3EhjUH}F1oBb_nj7p`p!QO#aQm>%`JPfhas4i^F%@|`vb*i zJlBuP?s$a*!2CWkipN6U*pwKqvO5-Ry2>u*lJ{2OJ1t?)Ul+(l?|Zx|7;ucg%Cz5x zO59-W#=!KAK$BA!a|wFUQ7yf;Nq8a+eK)vWNxHy`g$@%=cv`unySE)|fhgk{a#yY! zOIjtcbyifr^D@T=VgbrIey}!r@9pydM`YXk;rj|4dqAIZ;^F=RUB#Bo-q&FYe7!F% zP0J*wy=DC5n%wFHQrz9Vb8qu}3|+y%T;iO`X{5_6qN3R@zz**s8AdVN=23f?hEF9V*p1Pl$zO5&2ZU9P`YMgAlFmO$K^M7d5oKK}-$~^*T1jhadCE z1#)d@_RG{_KJTT1(Ne^w+E3Lx7|$raI)j>>rpGHphf%D1au7ZJ!XPwd8T2gugY!jv z3f)L&=p%3KN@^rpccOZG4bmu)_(naq0{%^iKtM~Ot)@`oSC?+{>YFZsbODR?S?GLo zJvZhB5}yYL=;xTpLOhwwgCdpi+g2T*VSMRe-oXh#tJY&z#l5;4ZIf4)xosxfDI2%% zTMpb=!6E3^`6T&4_sId{&aFon8#GuRwqjWrYH?~GU(!2p43pCD)^DjP!r*v9S;mYn zd+&!Gs$cNW)!Sni9H_9?jJhQQ)AwEmofUeL)*>#%Qce_KAJGt(H?S^RJ ztL>W#fPMyyJdaU)VUBOe*NqBo0mfpbdKuo*&pvWy_HcRIrX=wN2!DcEyT!Vl23|i}vFG$03BjRRMuJ&`Cg;A}D6hgcg!g>sj z6>!Y{E6WRz{D%)0t#$@_8Q>_8?n^WaCryXEgsg68UY4Jt@iYAM1?!tk%73aCdyZUOBrb+Ck+EZmFwp(-p#Ov=mZLQd9 z)OB=d^S_aav%RA8sj}+x|%xYR$=_FEU*(bAiUMJKFL>e0L2!o`)!oYg^1K^=*p{5J`zO6%r^2 z@Vk5&x3PI8h?QPps(8PsE^nd^|Es{QWlAXd9ceYOXjU(+Ut0EifpJUct93p9tz6-2 zv^5dHgPfcCMw3A6?4Y$ea!;wCw&oF-C3f~Q6u@G z=6LHJSCF0^j&zdFid`65j2<=3agLpVRz5~+=%eRLLF$GI99Cg!G2mVzcIN=_zr0eTJ;xmE;m;P(pjcB*OB-@;?cQkTpous;_7RQv8^VI^WwI^e-1&k;P5muKgG@$I;Q=rANnL5u$tf(71-@RCVw*Ams z!ex*F@n!4=B4Q$1Of0K@A5x&Gx~7TpD$9XR$wm>$=;&h=V7w&DnvxIjbR7UMMOKpF z?WXOuKj#y60Uu0T5z&p_qU<{YaoxJJ_Rhj{421E(yO*`PI(>LrYwT6F(r$_#@{Xt} zxXii{SHQaF`JLKVgT~E{ElZ(qR`z9>t<^qRuBf${^=1YwYeY!6VO|(vSw~3TmaJde zpY)7%WQE`38%WH;&?K{cF3wJ?lPgIsQL1=zBb>GQV}?C(Vl^vFldSZ)&PKrducI8} zCQs1#+2lP}Ie#AZ)PFq+{^R8Fli|jfd zV>w&4$H9Qmnas5x)ua#lM4Hcs{Kj;eGAoO=cVof?m!PJ`H1tuAMw^^pcRlG!!i)$m zKG<7QNWOVdV~NK~O}6qY*wU5Xi^+C@)sH~2RoTNGieLhs11nZjR-bJCg!5=duC{z@ zS7!RP(xEaQOgM1S(_-8Y>LafI23FAl8(t8N{*05z@YA+zKM(y&L7gX}uI^T?b4)IH zXjBEQ1qAJdwo|6Q@n5x6Sne0CNY+C>eJMt0&6?j`6<&OQG4iH#@gR`uz0g?!4+d&Q znjLoc7D^}EW9fXAUZmAV%}z{!b6G3pgRk0HxFE|>D~XNu1(TR{&Wwf_>m@jVrUs&Vs(F@IjYTr~UW>Zx!E34Ho8EHX5s>(Ii9?*sujUx1u zM1uD-Q%ppani?rbWQLWueM8fngj(NbMce`HY%bDCH+FABuCWmZqwHYxEagG{p*brO zomJV?2l*ytv;-Vn%RAR#2JxPB2rMrIDNj~^K|ITz+|=c>I(?RpbteJj+RVkBY_7Yi zgu|#EK>TUaTv=RscCGzrj%COIvcCo6)uHCxTc;sUN z)eavBzx7wWKOll6vPsMBo{JS1$i|$|s4*E`kMv5Gk{OIiRz!{0&Ai}bAIKB-uha47=s-=?!E^)yb@_YeF|(RrQm zH15Saxth>1+NdBTqT?bG-c6a?rX$=Ye*0iF94BnERfYIC^)GRttg5;c79Fk>!VyZU zUO$tM`-jc#J3{ys`u5v(%cQRBk}S&IWf%7~cQy#m@|Vpb(J4ayKQ<}SO`X5r7(W{g z{bd^lGbJcg|FY$<{$*nfA+`ID^Pdv37Fk+KqLM1aNvJJ>m38T_XXgpYpl(_~yO5bW zn9$(Gkup7EU;iaGPigtE<54yF@+$_q)%N0C%x41+5Xo1xkZnsZF1OXS4v7pL$;}dX zbzV!%j~PJ}dX{loktS6t(natO%W`xQgvz6X(N=lEQKFu#f=^A3BIWY>cpqA-l4ReV zaZTo=5p{kbSwo*@4pxK>C`!pDYbxPIA7z_Gc@0Lp98AqZ^5lAW%M+vhbrrR>p^LOu z3S>$VWtf6mwBmhvtJIfe#dr#Qh zOEbx^5+F~=pC{N-O}6a7cnV8;CX#cadVxYek4+g`APv!gg+^Md%T!)t8=|)@N=pZZ zqKz1R4aEf_)|ve!#E^vJFYeM`!>&@%X(0x*psVL4gkJMN?1Qapuc3XBXqZV=mjSWMt=q|g3FZ$5!hawJm zmd%R&3TwEMktx?`g!G9P^7BrH5}E^m0jK13zUC32-U|a+OGGg+wl%)6$Uj|us5R=- zj_6>XE5o69{Fs-MM{ZBqirtWMQzIpd{b2!f9&|Fn;h%;a!tm6OAVOqpuhpEYp2 zvVH9OQ9v7wYVylB2pXk!YKcCKQ6JH|W0PT?qUqPcc=@Y|{+Q$vQeNDkxwa!EzOf<#J4G#nb{(JboE> zK+MaNJb#Ub%v(Bo+uU$v;#4xNa}lncMi`?B#l!RLV5Z4$&8|C zbVX|}^+g$~b|ffbvbP>v^ad8qMxGcJsUM7PBnKe6R2nPJ;`gm#iiN(-Rh`(k;+*`` zWHK$v9+5YsSaEec+M=}R8WMI%e#YMuPp|Nf%jA29C?rhqADjVFRXw0hOMC+nHg;RqEnc7k;y~4hV(c|=FGXp9fIP#t z^EW3hbOXv3?WG5 z5J$maW`j=rN^?cQvbr7&k%nZ&0UHR2-Kr6&EKLmKQb$@Y1!w1O1L%Zy+4)|ic$0cYmdSosx)!k=+`3}IgRCG8PH}$g8S9dkk@v@;1DG5_7z0mnE$xhj!~!&F?;a! zV!D1yph{fSlD)_|DFfomXn9IU=6jcn%D;$CU&sH`5#5p3oU~Oz5o6b?j~^2K^i5*@ zE(LK!Qf9}e73(rjh9=R>J)Rl+xHAGvcFw$q1w|CkkhhakT|dzgZ1Yvc3?lW{Eoyd6 zBDMtww#DOY;m0qQrixE-@TMSjYZUKsH18#+-a9yZ$hZD;jR2Ka^fpw(fZKAOGegt1 zjUC~GIk0x0@K}76@w%}B9Is?f@U$~(h3C@fMY-Oubl~c2{`ILy=gdA?^&1~#Q+gIrXl*7RwD8X$Uj%R5>T=${4C`DI z6IFF`9C0|Wyhg(#In_wfHe6P8-)1uII&xl;SMx&e#nOME@uM_3TQ;tLa^1LgO zKTkp+Zo4D@$xiu?W=enXl$-;D2&9uA?O(6Vo$D2gCRfP@ax1c88nbb$jT6j6{~LOBMI-mBCjH6a8D zDj=XpkPSADzu(L^cavxDwb$P4^6s_X`djbf zLex~2@XRq?t;xz+t9yLZDiWVIO84>}vl6w5le~M3{^G>=QFEwfbKk|I>gHa@1M^8> zVG&|T++#L}Cu=;uHRI+pfKq0%@FA}s|K3Ng5yXNxl~ul;>CY?dJS74h za*z^k-BP$^vqk5~ZuKnL#(Zpga@}MYoW8M}*Iabe#P(g4;w^39i2hU^cgw^uRis7e zH8^iUdO{YCjUVDz1B3B}EtJF8 z^X9t@^rfaE4FInz4DxCl$iU&Ej8r+bp!j7irCHDMM@IeT z`y$kgzVnZ2!~V9b%>Ny7{)giHoBvl5toa*rl8KVwAT}h+ObsHO32?( z|5TmR9ahdN=XbDCRIvTH*wgCe;Hy}(+euaZ^R~aW;yZnS{09{eTbynw#R_v~ zyTjCry;X%IAM4Lr_YUpVCWk$~va%|EoSNBymT8~1*R5kpIlVg+8|Q0B>QXcNdS=$K z>YvYn7adEjUf>#ESGyr$7Hks>gqzs-3+uY(ij zj_IyFHDt&s-N3}6!u0jMeZ#o_>U(`ev#*BD-8k-d{EXkws#jMiha0yC?cZDS(vC0t z;;0@<;9l%+TvqGOUE0ahx;5x2IOh27mYYNq1ZXd)#Pm+^cWuaO_4$X@{x}eb@`#{G zYP+BLa;X^eW%s~gIoE{B*)gZnoPk}j#71DHDV&Z_c#jB z%KlQE7aH3Uzdd+Tjoza#1)3471w7)F-foThdisX8mbsaABM(rhrK`msYPJ3HZ# zP~*H~!&qB;{;xOtLrG=MfMp4(ygXoZjug@|qJK&6HGj7bE-EqN2))|E_KYsu{N!9o zu`I8ai|iPwgHe!-U5ldnFKm|nkncLwI>L9zN%CINSD4)KOnRbwHG@FB_~6EN@&SEm zrR71I*rb$>>2X@EyQk2K#?7<`Yp3^<3I-vzIl#P|28XOE*A(yvGJkL_=8WQ3)&u+e z7d38NpMvh{#k?pn_e_`x5Xvc>z+B+JaA8GHPlsV!05?fVbDniW z^Nu^lh1w`1lS|WWWo`|}sLU>J2o4$7U#44Q75b#5-6tWs-dAxIdkYJ#0wfw&D<`|uRj-``UaA1a%ZvONMG;CG~%zSOtSZG}NcIeBr zS7GVAyR6P6$CooW7O(EBN9M6XbBC;kYXXom=E-W_4sxPl6>iw!2 zpNvAa^pYMWe?24o8xM;9$GRZ@kcT10Mu8^Xz~y%ZS~;huna>Y5bqWO^lf{eRxNf4{ z?-J`_+M_@nc?>@j<2K%Pkc&OZ8hILN`6%OF6;|&SKRFn*cN>91$**M9WM&8QrbCUdgOzI-WpJB;@@6tH__vllJAZ z(tUlJ_&3Md(>(Xe(hm0@Fu&fAff|hBSjj@%dxznr@yks>t5K50-6#djK(rC_@_+<(5y%1_#MXws2QH7|s9&5I(U^DWr)0Al`VB52UwTrPR3RWU)hU`Znhd6XmcI`B6uo6zE1SXAZ8< zB~J<3s9&Eqihk@^>yiu~6C>!PTfnc!r}_Tcx=t^?KRVt{I65X%vbxf=Snir0T)Md4 zYy9L%6m;%qUK|#F7b_UcgZRr;V{DsSQn$95GuW=ED*4rrdFTJ_V!4oLG7r%d1%Qh{ z5#^x&21OroBw2-y963HqasC{|*|X=qJNG>q)KA_QmpBKYm-M7#;J%@PA;*)wC>VKF zJ+ABD1OAxA_k-F)_+5kWEPg2)@A6;b$={thul&8K-fTAKrz?v;xJd`56fz-iJ;wd( z_n)W0+t}=T^1yDLoX@ZmKb6TF8j943|A7bnn#$;D_cUq!!g*iFr5wJ9cfy`F zKGmb{a~Jb=mqEL}+cyTa@#FH3avpr~vjUMv0JnZP5PLCxgKblJO(#5f1xByDuGeiR zSWm%?kyd_7kvOy`_MIyrFXUJk0xXF`yZys3C> z>{4;NeO9mxTHxh+4xs#C#jxccmXUR|l$C8?TW6iBgS$&-zi zYLc>|alr3HoYvH}?jf*Tf4f!qMRU!(_6>~(EPULfW9zvGsZSUl;OM`v>kMgsVDCw@ znI42dM=cnHIo@`f1dHDe77ljRLa9E@ZjPm zOHc_1?d2z}hrJUzUYBgeM5MThJNo-^1Zbt10Y%H2wG!Zcl_;Nv1)npx8`j=l7+4i9 z?zJw?E1Tb1E~*_3HGVK~|NI2}R5LMKe&1EkW^_#h8<<{XWvlY}b(KZI+F6?)Aaxs& z;Nl1ySTQv}cMfj2b=m!j!ikW;vrAg#nvgpQLF(-Qo9sQakF$=ePMMtU5y6SyYL zt6QV-0@&n$(1;iZ=w9kGp8klhXRr*w5wT^sD`DieqvKS87=SM7#S&i$Hy&pXfepN6 z0pvGi7fS~$qcb0yii>$o`>woFu56~2Xo4Nmn7)1zi|m6q!y=Km%PQ|lYPt|^-hhoO z*o`kPL7rE|RJWmZl-qVWKbBm(*oZITny-AYiLG?2W68R7KOC#GB}}ih;I5QI@CduA zxVVF-2E7NeE^dC5zNAshBalCQczQXiyzIv+YgBlFkGQ&Fu-2TxIVH-$G`8ye=P6=( zL*vR%QDi`JAlHGf$}cb85JS5knte}Ec0yV)mSc}5!pXHy6aA37{S|$mvv&3&UD8=` zA*zw$8V#P?NYEvg+ArQ9ro^eq9ZSg&3Ve%`2mSe#4!Ey-{20jq~3VD*VzNb;= zfE($-5S_F4+)ChdLu}%T42Z<+*9-LrC~9#<;~lp1{j?+r1OLkj--|9YJ?Y>Ja=FPP zllO5S#w#y0xGW+l9LztG;L`i`%-!|;m-er8^fb)@(#ozK9(OY6W+Pu~+cRF1z50%w zu14o#MJ)X&4=f;eN`NNgZel8H;UdXmaT2HXW>()rHg}Yru3`0Y2Cbm>MkIe-R#*a+ z=M@s9-)8vWKk$=!_i^BY-0ocbkHe$?EItk|)iZB*%D21rI9LDaE%F8{FKLu*isBK< z%WYrVmVc&`XMh`6_WggnP$}AJ+NOwDAdl&~(c$>G|5~oW?cAq#{Jq*sjQaek2WaLaqpqrRUSc@Ia9NxJ`?+$N#5Gw%PvYZ(a|$0Y3a(6}MrL zIbK)`%lPqVT+b_PIdPEb(+<7F-JI#ehz+q+O>xlvINSlYGwRGzTJ7=PB@_m_G>AapVf@{d<%TnDaB(Zdx^C}V zwD@6Y48TK?!+&KGBx#0=X7`f|Vb~d{Ts%S0Kt&*-2!yOx_N!gnWS%D$s%#22KdNj}V^L1Mo_dES1fUHRWj$gbNZ< zYxg;TK)GS9t*y+(ik_=dGQt-xBy+9jH*}@cyB&yzS;qIicB^hUy>R%l=9GfIdzbFi z5}$JnX;B6V@8|E0uRH4nr|PDb6+Qzh-WmVGc4Pc|hHGA%Vio-BYz-ez8?iZguFu&9 z^?-pa7)pg0Ie*ju*_`F1xU#t^6z47bQfk&hHG)b{_FBF7G%_GQD&|B&zcGKlK9rwF znnSI;XT3LOYn6cCWFU`WRY_-zAL;QD*l>TLxB_@Z-^mtnLamUst;fdtiiwMG$)%W? zzhGdA_ZdkIc3z;$q&pxrul&7LOm_&XJP|9WS4g@Kx$-7_!I%)ZZy3f!9U~+(1m9M1 z&t|zi_FTrTy87!G!xSw>L)@A;!o-=%PLBAcJ<_N zm%AxGb)&9BOK6ydZAws?Zup=fi^q6Zx%#gxIRZ-n_IB zU#kg7_T%@zJ^gAl>Um_y@)Sv{1sakzF>-0!qHdwGA5?j7stMOcFQ&Cf!R{FxExXEFma`y!@8|btmPS4#N zv>*#POzAQ?-lIsef@+qVJP4!E>&RrVVd%4P<2C=Ffc1bv6VWa~nagHogfG@ayEKN9 z*xdnX`EekOq+Vn4;9|Yuq4;1dLH&3#J2(LrUAmzL@tyMGsx(yMj{3mkR!r3+L;VFa zBy94~-b=kWfHPp2xN~K*fe(^O>V7RG)9afiRL~0d^mK@!5_-K*LvxZlSReh2T8YBA zR?J}0c${FnQKjh?C?pr+cg=C!J{0IX6~oVTYM~~bekBd zNgm;zKgAqne5_U0-)F&N4n{g?ltM+;PAP{1#EtMY4_W02eYU|}+P8|t#?-vJ4d7u5 zZ@h=s=gP~ui^m(TE`y)*L3gUBc<#YUYi>)!^vyPkCk&^}!K?A_$Kpi_zgtd!ueQkI zZ0Md<8~0g{HA55p5TKW`32LE|UKU%c*X-F(XCIjJdZkk}uZ-1$@i(SxXdcF8nZTeT^gKzWUGpj1O}{6x9}o{Ua_ z?FWJkcl4>#n}8FVmvu_j{2m#n({ggpPI(p=qgTwbrdjcAX4+?bt+cFJ(inTq9zEEjk}1aJy&z^CTOM|h#Zhpq8$A{y z!gi|ydHPzS1^O|P(t}6XAK{)fQmsfC*Rpd@CKdyqGx8E_Q>iRcR5x42;0tD4l1)Tp zkpt86;|tGPHZ#$~p9AWCmpQ?7Z4NLg?z{;p-a=22QZ|}WW2wMOL*%Uu4Ov9da$l)0 zZexl7&~yfkefHmg>eKT~rMQs$J*&Cq^}&wTQUj(QVskC3T3}GiS5phic> zwwr4GxC^R6e61scWULC|f?}ta1wZb&LugKZ#RikwtO@h9W3Y@hpB{>J;%I#)Fxe1F zOwolS%&RZ=Rvab7P?_DUIMq3SFjS3hjBD@3EFYyyffoh9?;g}Wx~K4BsaXfCwwUP< zd@}@~Nu$|=4BXL61BH3onP^`OQ=KLW(B@=LNUFq6#n(?(4Hwcc0N?vDf|C=P=#Mh!ZX*?n5dhJ^$8Po;@R%Lb#)yd*1 zBbiKz{mdrZ#tN~)1cb+KH05B|CxqR`Cy{&YjGn{9~P^2ysyfzo<7V#v6B9;tL4sg+@m&;#;-f8AP zQh)1y4)Ic5>6b@y|K-tm%y`{P49H&td6|n1qbc&s=iqUG$@+48TnXxpS!KlI2Tn8l z7M?thSA7q6KTj47GVxW!uV?tdT`edoYX3EE9x+DGd(da?;4P&q`7hl)FUP3%C^H}B zL|Xf`py8l@?lM2VCjQjNu5(-|uZj4{>v6my< zEN*{#vHqz?U6sUpDp=Rz%A-+M!WPY+ToOmAp~L(WXv~H3Sb$U<~xKobx{1KycyprH_Ms1A|_1Hs8 z?k?Mbs0(XO$#xYUJ~u$XtPyPDy~&+>dEc309-Sc#m53UGH5<1yO=-F~_W=Mr=E||k z$RN}%o=5ruguCUn97mLHYIzBLcRg%YI*Wrk)yX23mxlB3Z{5*3RD2ro(hja*YcZGL06y5mfh9yEP4r!e7o=TJD)c3-UPMf0?_fBHrI*#;< zxQM{?QdM4HLjZE|x+!N|1W9}d&x>JY99#EflF11e?#_P^OxU-7G|;@sG#5cKOQN|>gl@Cc>d2PrvG}t^q3vcI zcK{eT_U&@S$G6%UGl|nTMx)tV-^8YD)M!YYb!$X&O6CVzkg49@TH~(2qTSam;?cO^ z66v-hV-=AJP^ztR*H_-&`*_;|VvQ7)PWFkoEpaKVJYQJf9~9k|vn;l~-(@SBp{c9@ z;CWC>)9);80Zp(8lw#)v1N43@>eXSA{b^ULfah9cc!sAHR?X`{AD*p_58}d!u-VUi z2Gc}D(0AcIXSKU3#yWLJ(yz3|?6S49gRQUeOD$t)mXy9{Fx(e zmE%N_G~%Cn%D;4lKQj{YvKb^KBHry3VuDA~UzjS8U|WV$dGz?g2=>_Khp7;D)H zMT^4jP0R9M4WBXm6W~8|q3ZItlB=6ADPH*1)%?p^{gOX`tG)%1|DRhTPgX}jn+$Zt zt&qd&a`4YrQk!`#N@11r^~@l9=B{w|Sc8rJXQ;Ye(+_R2YdOE% z0V8w0pY6YLIn0vzhq4^fCBkLP383vT49ZfyEqzg;*o~dKdX43}`-*##a6=f6o*^)Y>`+A00 z;bx8|On9J?EF&;a|1SQ;O^$_Ui%eqxM&q~Si+&fisRyKZ%L1D7!}K$~h}QzJKT>iM z$mG(Xjj3}MTSnY3#3({-Rw?7v*qKwuge`%9yKj;si6R{9sp{gZMD!OS+DY}PoD-<6 zCTW;En%&1pMw5(XCEKoE)C>Ws2Dn!Fi?O}P2jT2K-UwzJOYiEZd(vw{5gx==;!&Jv zCI8|U!=~hbmx$qvLHqUYJk#ark~O)FD3l7@42nd#>kA4BbRB{+{Y{XzQ3othqd`rbuw z4>7nKmpVv1KRO--^iv))_jnJW*-f^}hH+9qTNNu)36^arFr6x%J&1SVs{vBWtHH{_ z9U`V>>xlV=FZ1b5^gduM29y}6?|V*W+(2|m=I-qf%&&cVBy&`>x60i{>bV)yQ|S$&x9`+AyzM?Q(-Xsj;Y@O3##8liLl8r9 zIDYPy=#+B#EOunp*E2RDQF)hvMCo%5=;-1dk@0-Qsp2KQn~7xfO}x5>P4Ze)_5^=_ z)61}BT2~91m_x&;pB?8jYyM9tOx-m$NM;!W4GUy1hWTR7Ff|8meg_#sr-My&zDDF5Vhhqufp7HVf$sN-0KUZ87aLz=3FBB5%G%&BQ|Kgau25bcO! zEnJlA#ef8-sln^&acEB;=Jp*?B!CrLj=@+6TRK1t*qP=Wcd*%)vw>W%1S$!=scVXN z5p~HtlO&A>(*a{>Jlc!8IyOP65^~SWTz`ukEzBVbK>Zj2AbG2t^*Dqz#Xf2vm?BFy z`RbuyROW=#CP!5MfapPFeJg6=X*i#cbBr7&H&R_*YTd+Rly!Z~5=6p?9aYD9hb99X zJKr?$t~u-5ODf4z0Jnm9tWZ+=xX=B#fuQO ztDK7>^@;H~gpDj1=7@nk8dlaIY*Zud4%^Qq7(`yndX}1}_d2O>jg};}Td+L|X({+* z^}`<5F~vYt!8Ugx6XT7Kc;>sWf+DX3p>80q6tc|&`6d1~-{QcaRn*4~jWekvMO^67o?Jmg zc#)Ke^|BC@a6>qNMAJwe{bnvIcWJeD&Zk4ORC^sMKHeZxd`uQr%eJWK!qdU}iH7tN zao#C6%uT$7JNuGU*u#4ju|k$aZ8eL}CQ}yVJ||wY4n3vt;WrUFL{V%RfMk9aOy~(Y zsx~bRx7y;_DqAeUYTHQ0V}DsmSjd0xSj_XXF8iO1OTa;Wcyr*NRB5YT?iQFwLI2Jv zkPzlkF3uN;I?wZp8nocp*1D(W2V?>9R!;_u_-P2!o1ks|=fX;cg^d@gQT2Yp&khs0 z&9dD#!7XH6^y`_C>5NKu^M&f40|d<1`%a;s_HQv&$K=KTDMiWiWI9*%W#tW?o;NMA z&aJ<#{V6csHU2#zW?Am_5Fe8dn_csQ6_%h#x%mV)uUGQ$erv2$A6ryM#@#^N{fZ{v z<$A_e6xwo;a9i4V-6piJZk&@j#1N(?3Pa6|mW%7#>ZU~0d*SNvDiint;*^-z1A~DX z_*U#vPM>*7p~i9jxlmxW(@U-$OH*;)Q4cjM>=@vkXRrczBg~`3EVok_3vQ1UIDC91 z2Q%I!I_H75Pg7#7$>U$xVW00N+l5pu$c9`t7n%+cltRqti)M{NsB7-`YDRenN;#RA zxF+1wQfgP)j)~yO&gKo5Z+t?h4e_sMJnfqYiQo$kFhH0m?J5RvzRfs9yOisD zp@Y&I%A!|FOR1JD*DuF78d@oytJ?)U^JjPBeQL$?rrmj|?%_gQs^%tG7fSpfPX<7G zqK;*L+6P<7>;PY<%)Z)&aBRgHZ<4=Mrz8(QsX(BQz4*3>*F@y`(Mj*YdTRW;$V&C9 z8m58?n|+_#*Adpr4D@i3=L5WA8>Z_gO;|dgV-D)S?S^AHSv_#9nBK+-^rueYIVpK0 zt0ah)qG5r4l8UvZ>G6xQQKawB#bx<%ib8}bD0`1yP!)mgTGf zN>tDt4ij{@iO`e2J4KAABp)<*-N8`aZ2Q`i@9xyNY?T6|033pJ{g@I;6SccjKo=gE335INHK~u02mnC?wV9PZz z;5*I0^H8LILeN!&i0Kn6^@nh{9BZCvw1W3_Vl~RXQhr^kTl_}CciR$b*g)Fol?D?m z+P|a~oLR8RzCXy;Dweh-(Q;%f-TCzlYbNO)Z<_RbdR9IYt#i{Vx6jHvnIr~lD?0Gb zs6d_C;Tk_7sq=?bb&CTMY|k0zk0>*2sc&Lb88e;i{(7LzKyyd-O5Cn7~1eh}uds%<5Ub}R5EJ6PI{Y%uSR zL4|4t;NjRpi6MwR3?YuWxfkbdcqj1@dB_Vp*EBIC&EFGzXPf(TIr7yt3ee3PutraB z8*!6;k7-ZpF{OclL*xL#zE1yVQI)+7p89&`O}mmb(2o;gv7&$pd&I4-V)yJFYOUHY z5*$oNAS&MU{KMW2c$URxnb7;=&M8Gma%Y2jQTJ+YTMg7Kk>G*Rlm|T8XJK37kvK&Z z$P4te_`VD2SYXe5=LC)4w+J1S+n=7#T?!}{)xx>Mcl5Z!nwQNpl2|(xWa14I6PaeF z3{NR>9M={4Z7)BtP1w!8i{|tgtN_<0?wS%ufnwFR*3V)mECC%7GChz`&e#HR<*h46 znkk-omMfRyQO(POtJMCD8xl-HRuQYohJ=+}?iv@Vk9dWB02<<*hrIjmybf`02^Ldu zGNE0PLVuIL@zVy+gi0?eixRoY(M+Bi{JzqHRkVfbKG@4+873RjJb6(G=QxF(8bY!F z+-yo_uhEEF7oA3kq?!ceo2}^*&bi#|y6AyMr+d224A|2o>wHg_1%VnN@ccxLiGoO3 z-53T2Nc4!Om>#B&iIzKYl9r#8!lnN8OtMw1o7-IUj6Vr4H2cvlOM*vEvoBMy-e5z* zr5XjI_Ne8Das1s@#C&y^RcT#+F{j;gR;W1|ZS<^_8LffuyDj3zC>rF+9ffYneCwU` zg_;?y#_+kz>oDV`QcLfQR2o$gT*{=k=3O9FapZu})9smTpON_Bt2OWV4Ib3GDeH+h zYgkys0F2_)rzIcM-43mz=gqydaN&G6yh9ilxOc@|lUYThFElwnCFNba zT)v$pmF99-md>ER{i+$-TZ8ioJr8M3d6H!g%rd9_@^{~Z&7tm7o^?z7geS7sMEL66 zpBFVGAcNuUH^lL1E416S{U3}G`iBCJc;?5y@!ZG0|E0fN|tok^0wke0m^_ordiTLq%&BE6VlHLrNvKT4y`g(@y z!E3ak;f`^?-;(@9pB+ORBkq0Uy)4>1$arDSg|{>TR7DU% zJ~(GHlZJzoyTXR$gVuGuRF;_ZiE)52(HBfFt0CzXM#&Dtd(*M=)rkBb?sTlBR@}s2 zWvp@IvPH3Z5swlzyY?SV?QS*)?3GWsf7D!$-z^@Vd;o~u69>2v7^hy^LtN@ResHRz zQg;V#iUaKKRH+0nVh`F-rVZb z3hgPD5Bxv2e?zJcg887jDv5(`UV+Iz_G}rd8iBN5_z2qe)iLFyY?wd0K&Nsz1lEpn zynWYjs^*zk>P~sNY3CvGGw&wkOMYU1S9LAdWetJ;IwYDrID6C~#x}Y*$RHNePyT$u znQtky*NJ^APEJJ%^TF?%G0aD$v)SX0e*DlHX=#R1g7I9}e4YMuxXCq!C6=X@HyX7d zQANhGHT^{&0A#;kEv7Mqd*x}MWpEo99orhl$3b0s%=V4GH0}vfQrO%E z#?MAzf2b+~m5zlMIi&CG=vmTUT@+YT>)yN|N0}&-GP^7d5;1Wx4JezE0Pam##lIn^ zeUc_8Dqqe!jxgHYQ$+4&inge8fl)cb@nqmpbS!>De2n+F728|`aI0bJ-8xoje;!Q% zn-#JsI{ z?}X*DO-0*5$R$6NNta9?@j}&zK9}k&>uhtBI{;xxGoG4RbG~qOEr?-N=91x$?f%oA zv5!hOY)KbA6^KT%8xDJok~&Y|CX(3vkgel9{WX% z{Eu2mt=cngsP55iZ~hshn)Qox^;1@P2~(mj^W9Xd__2}6dYC|lZo-Jo%T}ns0C)O# z5vSy&y{~J`{5ECT(rru! z8`o5D8~b$G;N##NjM4Rt#6h?fK0Uu&uhhxXW88o(mJ0_0zNY4GPLjJDLEpw<^&SG~ zoBXM~rZ7-Aift7fI(s%H9L_wVCoXJ&+*W@c)}@_UXBX$gGKD6_FD(ML>TQ^rGoG1D>? z^-+>CE-oeO^1BpXe}I@{EoAF*blg@g+-%}~ZbXA+swbC3@nHj2TEU&%d}K}JE^$yG zNLF@$ji=s;ha2lR%OYcFM4duG-|`!TMp#FA9G=R2>sZq({l))2qcXmcIj=_g8$CIU z;~Q+@|A$KFK?bBgko#Z1zor0P3GDda8pb7(Mq=cI^cjS%g*AIIZ@HkSofAD)i(Y&G zs{DV8Ak`>>QMHr6Uj!;L|01k?{OHf1&3x(~AvR^cKSlV#Uxd@&{Rt%q%^Zvya+aqfA^_j@-#-^r;X^YhT^EAO%7`Zuykpw!Wck11?3aj_o!UN&}+bY9kS2)X`?}apkr54yJlp*W< z@6GeC_;p#;UucbTHkRn~HKYQMImoCCxAh;%;y) z_c*-#(^80o>+DO{xpIrSPs&tNX6$6Ry}H8f+io17%S6~kRG$U^^L|Iob$>&B{NOs-RHiGD^Y7PDYV(0zKa zx*`x&pcYpS%rE2z*tE39W?WFtKe~0YkZFh3bDIs$dDhY1kj<+!RARfv1A!OFWt>CP zekjtyTxpIg4pySdc6ps&H_ZHET>twpAwJVafQzxrssa4 zO+_=Z4zWAnu3R9oep^#6_Op&Xg#mE*sm^CRh4RO1tp;^0|0@2M=}?9!GOUO0{96^; z$QZjRF+M_0A1z)c_C-qeMJWO=b-tEiQ-*H5(H&52YaRgdtj(mYpW_)@ETw*&u+A_M zEbH5B{l$}YL5nA@&D9&b4b|t-jcx(Ujto0RLzFjpv+38xRQuxtVgx44o;spxw?W`% zosPE0M5Y=fO~)thi(#8euu~}jvX5Hsf&HYY2<@ySdkNEr+2J*|ESH%9NBWMXqN~kj zm8Ok1_AL7he+IW(rGsHCYXH3G8+qbvM{8K;n`!xB0Dki+E0vI$;T zj5f|=_yv}ap{K}!m+G55b^UCIFHfFog$1$vtN35119b;-@oxfEt4*J%8D>xqJH@%j zu-Pv}dNoaDUo5^sASnXb#&y{=aIBIz&+`fn4(J$#PByl*BtS`QdX{J2ke9_wSe_hn z%Pcmyzpo`_p<14mEfY~9#kHkNhNHVT@GixT3LdF0lyoBcGPO~N2 zv7cR*#S_O{l4SIF1Ue7tX5P%OFrsODkA_xK-N6<%fuC)ISg{rso0LvcNF`Yw;TxsMIJWr)RM5*+ba@aN33g~J^KLj251-qJt!OXsOIgviP?O^XC03kdPH@WF7TXw z_YM1H)!Viq`}2E5HMd}ilYV%c9d3hlEqeKeiAF2l>ZSCYg-{ZEK7krmUSq^)tD7Dy z&b$OS)QW3#F1l+~HmEeuJq8-vM`XBhu%uMId*hnDIMw+G*xbk4z{v%k`&=4ZZiJHp zi)gOLcp*8#xW3e9jIW3`gViZ723I1{7kO(C2&jKo0WU|}fs#f@jrA0t^@?oCT=bSi z`P6+60;Q*t>qeWXZ@tE?JWwq>hhf6C)J)>-^`jx8-$^UHzVObd{zZ! zW1|F74z8u=Q`OLNB4HhF_)`6NdGxy2xdynI%=_5)Cm+B=Pi_nG2u;87i>ixB&)Vt} zI@LDUBuoP*!kCZ%CH^la8_f@FTx4qM-m5Kv2KKNa5n$yT`(eIB2MiN^MGU|u%cSdFC6YlpoHK$3Z;P(_Ves^J1X_*-5NOR75)XpBEq-+#7mVAijMZ zJiJ4gu;dLMCz&yG#SV?#|~B|&)WR+}Kfl=0KzcE?Ct#K2@= z@{^HOYU^s4bAW~U9KWeM7yZD(ZDIfKN+b7#rU&*tvO}U?txrhxS#2XKsw3is_hRd* z)5YF=D|Ckk*c4XZG**ZeTryo{%MXnfw!!z1a(BB{C*0yikuJm!BEUd+z=#fPP+HhX z7FGTF$C$ozNOxpopqB1-Y$Em$eSp&0V)X%?V@u_u-k0EbHh*9+41HRosIi5d6; zTKJCY5l6Q7<=z$tzs(h?5yT)ln+P+3&PTeqBl|}M)K~_ip=$}rzx^;j9zEEqaLG0z zaFd?@)zyP3Y}-Swv%ujA9yxbdlp{+IY%{+sL*2;m&35hV5lyyN3yEh83?qsZB9$I@ z_Zu(JQyjZhBdKJba^mBCV-uG>of=M8g z5WT9V)Zw@1uxoaS?ie8l2E5YZbLo$)}4u_Um)7ub1;9v zdn;tXF}RLu!a63PvFd!e3x+MsNR2J*^0&C3vP$-h@Do6+l#GZKSEX-Gsqyq~maS8+ zsN%1~JS?uKP103lr^RNz!(2YrzPgYZDlq9{<+Kux8NtLwhzF7HsX7~Lm#N8=5;Q>=|1W` zM&+oli|zS|4-zx1?syvhdmUiD@9`m z&<8&uM}AJ3`!}|~r66px%1cui2BKRW$df3%P>qV`T32mfD&bUwkjLEj%x3eJcOHX6 zlI`p->CDP$3LdGk<|m1)oL!dLyV9k-N7px$%ro(eg)g7SNR%84*ML8G(#leD)}Q6w zMX_bMvbm~d93L;iY|l!BnUrXr>4o8Lj%|n62(QAP5IDiBuUZ5(o+e52C@vT8i0b~GTRKhP1OKi+b-u=A;J|C09k zZIx8ait>R~e4pPvlPabUU(fW;T9l_|9w+dr*O7e{Hhz2?jA zdOiiT-xVL@E}AIdA&6RkFae~_*L}aw=nkx-OE(_~#CP{PpL&TgHsr_zJfo)y>0$kP z#=6(5*-d~syW%Y2CZOy+Wg>h!{2+gcXPal%$XfZM>^FS;!$0cg2R};QZTdg#y$4uR zYqma4?=7Ks5<(9pbOb>{D53Y>n+QmiB1HrOB%y{5BE5@97Z8;as;Gc~fT(m45kV1A z6#qGAX3osq;oRTMf9~Ap-uujEKf8wgeS7V%t+n3ues&x^b##6$qlmBPdAwl|YynbzzDU1)sIO_M(tr_ZF3 z&h}N^taRMkH=B|)8D_25P4UKrvjVPx*pAN|sIK&G-A6Np5o*A4#a~*RpJb+SJFRr&1noS%lLHbu4Kv8P zVy*MddrS3BN2fAw@gfFZCc-9k6t5mY2uA253&RTYOPhbOzY$*T_d3S*(y*?s&DRec zCs2pv#ZwS7i>^PWybFD`pwPM_5IEht^4%cl{mY8_mxz?Wv`iam+RXg+2kSp99hSZ! zGFq>tnBiVMxX2L0ZD7uCEa=}gR=A$^!0frusT=I+$<`U)x6=U0teK6s+kXn6A#j2$ zu{{lD*jQL-UYXqy#06@RRth@br^4=up0nHsyX+{XEZ8f@{$Z4PsNFN10{qPV9hu|W1U>3dUMtxgy-VRZs?F6($iZhV_? zGP}^*tDH^-#~_~!OzcF=Bgug4&tt2}QZLzlxnovxjxB&cc<89&qRy*Qw>yD&#}_kN z&V)etK(NRX*yLpA3;}d)2o6UFcvPR`?#;NI%(~yp{Ti)Adt;dKMyni)CoTcXFUFg3 z@#Z=RZ%}fB_vG)U=#f?hrg<&M1`I$TllL+h>(doP*(f$M6;l7 z=(XbNM<$0y?(2Ay9hv?12I{Qr&nbctJ>Nq3`DPyFnTGGNPe*q*e3Idgt=BV7Jgi1| z0IUU%4>%dXjvIVWEoE#gJd(bra?MTxc+X=#KE}Vpd$PK!quh zlY7JX9^bssPQ5F(Kyp2(jzw^BU2#`Gz&|T6AsdA69K1)9o|*FYTb4C<;NW^V{{Di_ zg^U7~K3&sIzDOQFKY*NZ^Gtkzd*k7E zUmVckj8^d;e|Z*eAy97eliJh&vzvqFD~@_MX>n3UEoXMHfo~<&ZjT8r-0h5eEpZcM z4SXHJIB@n)1180fD!(~9zX6MUbcu4>Q4RL-W1m03ut`|O1}cxZ$1QF~scJnrx@*Ok zj(sk@UoA?&HPw@2Lku!`pW&LVB3i0S$!UUaEAL6S<;O?e`(7Mg=`%v!{lHM_+?< z-*<1-*!_t2>oEVK!c{hQQYGusoz~b8uAn?}G4vOBmvktu;rlNjD^P@)S?Z30ppIX` z7w6zK0_{Sp<3jqLJ;(9bZDcS3c%@+Rh?Af)M+aQ-2Jc)2D=di-d=PU61WZ?$v<(lETkLqDB-}ZfQ#SJj=#U-x6qkr?h&8)v| zK00gut@F9jbmw`ggX8LGNn3qBX&th%~q)ze_+XLH^W zd*9OE^I?!(kc!3QsYLJSxvY}e`$HbKlG2^$zB+5Y5_-}dy(kxx|NO(7gpYDnofdR= z*yN+5%X^~0X(<;wB`f&)0xdRd?+W%-Jos8)_$-5aHf`*-wbKAga^u|w@1BWLw-#6r zSHrYnoXnfRNXd5~=MR|s&4+zob+lg%`C3*gLOiwE9zPtQzIF(dxF-BLB)IpZB4uzO z8Rz{pLO{0|4Y$WRafC~c3C{PHSyaXSul3lwE@7LuXl`#;xd7F4#0j&xxk}8v1q6KJ z2M=57hH19GxP;y`R&v&Un9v?iY`>E3&Aymr6PhLN1tbL5Vnx!;e2GXPZ!KPXD9S1)U{l1DuY+Lj`W zWS$FbK<&$4`vMLnMNiqgLj&&{F!wsUV3b7~0OLZM01>7u+D*%0$?*22g~rbY$@t?? zT-FDUR(1j*>LVY+pr1sETi1Bdqc7uFC7~UvTylx|k-wE08_Gs=Y;GRT= zJ)g{InU3kBy5!2A zQD3}?Ij7eby6DZITNvfK2ET|?goZ50duZehUFc@8c`$tT;a9e}pr<}bji0+cX)Rcv zMws0>j>fh8F@F=U&M_@Ufh)tfy&Lup!S|N|+6EtNEj`yjrm^$ z1FL-8 zo4mSudoMJWYU;qF&tEV6Io$V0z4!>`VMHS~EqqU858x7D(|L}TxIp$0)c?x-?kh#! zj|Q2=qlC!|mq1H%=v%R4LQjVPz+JC{%ePn`c4{XK_uqB8+MCH7SN~?9t4a6{0;Ze( ziSe_=TMYu}b2-t8ZK2ivCd+bbgpW`eyTKj4$;ej8_4l?PhM%3RoiUam;D&w@&E#cf zW2m!D2C~j*#j&p~n44`&tN*+BHP1kD{6BRfsk3mxFaD*0hX1TMjzND5bvjc&`d3{1 zAN?_Zjq3c5Fk73b)a2>pPem#@|6c#21OQHaC&|@&f8nV8J)i{g&%t89LoV=7pfLXZ z@ZY!|{sNprgFWoKO*8fH_3x3u%Db`OfIm*e(rAgf63g=c8w2c`+pWcPV zL2&sgs{Z(N$oZ3~;!lJkPj`Jv=hVgaemE`r6ezzOz(l8h9iQ9 z^R87x=d+A9CNz!7-Fb~LF7X$+_vGz0ETO0Lk9d1){oGc0X2RXh7$el1t1qQzuO({O zHKE_-%}8r1HTRy9s6g(qK3ze(qwdzd`atbD@` zFBubdFPD-%Pgo8F-(|6T{moaKyBYt34VD`6@cNyuR`C6(bO#a$q*Jxx92{5DTu52R8*G?aUA!$FAY4JwONu(y=b`_BAVImU_EtfkPu5lu!v5Z z1Tz|C{1CY}O);F#%2j_3Le^RLHm5!xbv*JqVlbW>Vzo6m#R6rMWT++LfZ4PYRMYbPm zmfiOHLO+$b2aTS6z{k=zN|;8WZT1n5f?sio9>E=iqYnlLeTMD@a_8PV{8I?p#UptW z-!hgj*D5>5uVy^H^ws-xzVN+bSz%yR8ofd0jbC(#)~NIjt@L=zk;vNymVkTAhgQu7 zlh)Dp{ehJnx7j*7l#aS}+O`7_D})Jw7nRW&>FLe|&MMul&Ue#4t@Z>eX~aGk%#_AE zVzwRMRjPPDs8v;qD=3$dGp?G6HK>~H9Wxwfz!k+iOR+W|%61+${0Ua6(OMa8 zd0cnz$Ih=U$m>7UyIX?iYIm*A=}WkcNA7kz=-+DnMupG5mUGB?I_-wfPEQ^e+4&Q) z^bc*5cyoxz4Z=fMDc-e`uO;bO{@ts{FE#xi0DB93kk#{kCG-!Z5cHST-sHPwM-#Vd z%l%Q&_1xeI96TstmJ#=mO7hn<{!CxG4VB4c7e^nDHr_CLx2#PTAQ<7Ltbl zz>XUWoOGA2eN?VBiv9=x_1Cm?5HYGbzWph*<2zmr`L*^%zW>N>1c3(7=9LYTpeijfX*klpr2*wh1EhHrSzh+HLYc#>m=i_%7U89LvUE0r= z(T~fy)yDDYwyAHst82&oB>G4GP7;*alrdF{$rPi^{Uy&D47=&{@vZv~3MWYKN%1)g z^b148I;={a@yh&X*W8TyR!yWx+0jp;Z;rV+Bzw~yB4c33BtfncegYNbPal6zBCauGPXFPHP7W{+mc&Qg z%v=-d2z?XZVp@q5 zAypp!c!Q-e?Lt+8$5fv&F$VP5&|-*=%b0Gkso%}Bg@eS`o05{UigR^@x!BWQZUwB% z%C+n^7A)*21JzlBDnM3SnLzOM9!BHa5cy+BcC$PcK|8Vsi9FrF@W|(L4n5owxNTbpte{_|I z8U|U>XIPh|Cg7PVht^=4vWy%}l)~Rl&R+LP6eGW1$jL$dVzQW1}nPdWRgNV<&$E_^NX(#2xCji(QLd%X} z4fDE1Mk}C5JUG{odMu4|JS_yQk#CtKri%rJw@?V>VN$ZP!Am_trfQ5N7dT8>s^8j) z8IXfI8GMY7R?zmk^+VUkiCL*CZ}U*?83})4FOPiUZbb)|xRtG|iHc(?v?^2PosRhw;LEq;)a%!S40fEOsFsr;Ny z{&MSvu#Eb>_FZnD0Z~60T1k5HXU}U<+Gia$b@#JvbUEnN%o{r-yHX z0?>Yvp72?qCPy-co^4Q#DHwg1sU=rB@z>_`KNg+8JU_)2KNje~LkABc`<#KtCAPNS zvgzfyF9@W+Yl<%}cm1|b%h^Hh4i}o7f`7Y2I9OWfl1z2~uh=~7|8rV@nZk?99o>1h zv=xyb_V)HZ5vUMDE(GUrbG!h`PzUIi@C98RctiQ`-M>%-Bm^R=9Dq05$Ym(U5@qUn z%^gP5sKi;m^3Rm@|33L=WDtMO!K6Rx@}zv&*9%UF`RMQEQk8z^zYLp*X{@*XKgZB| zZLSW034H>w$r(Qt6Dh{mJcmZ>5DNK^z zJfF*D!E^HAE-heSCiZB3ypkh9ZIi&CelvI&BYrO3zuVdE(j!EXc%;9FoTk$bf1SpF zX9vi1uzvN&9QSJq>9zrC3D%!Pske(woMQ`bNC-3EoYOWj2H%^-wYdW=aGly#ZOS*c zBoqmDDebAT-2OzGOKYQ^8U)buz|!J7`s#d*a^D-kk`82{ot(B5M|YZNzQ92mOLki* zz33}}fx1U9r^jN0k!*n5?Of=)4hh5&HenKyR6*X&FzSg?3du&uu&{ni+ynHp_p?S9 zAME$?X6v=Xta8wAmdQxd%mXo2Pv0(93x=SpbGydmB@;#BchiK;2Gk}mHPLKeAOeHIJkmo z^M&K`kx4Xu-(M=*?gJQ7kX~14OrJcD;M9tR<{#=r>3KXPNYP*a1csMc<8Zabd2$RuTy>lwkiwFmM22qJMJ!(& z_03qaGq!MGC^B&CvaT#=u(%cBX% zAnWW8K1wpUO>7+?(6!GMOMmsYNMT|aCaRAW$G}XzOw(eF>Rhi7_Yol<*;h^m3fm z&hU27t$;QUBr#hC+a0WI$A#n%PMQqfTTF%*Kucp@*Bv$wl+(z@-Phj(hm8V+9W`uD zKzLOC3QGLVf{RlS?3K8)xxVU=&cfG!%;G* zB7@7R7sqTySuL5g)q*%Z{H^NDvaLcmgaj{bXh|Vn9(i(C$hc27NL2JsNSMWb8UUGI zaHB3thlBA#rbCQ3B3F0BpRuxSOyIP^?}~l5*l~}Rl=Z?u;;@x54EL7zzYhao(oCJz)lLZ#X^)^Rs|Kx zf+Lb(rYGgmVhwiE9}m+FwQW@3p_9oYZOP$~Zs1sMr7ED|6uxa&=kZebeMOTI2`hmXaA zT85XgPNp03R&w(VjhRhRi7N}vp&&Z)*io5R9ECpfs(M&yPJB_1pAz1et2OJh0SQv< z_y%7YC3g`waBL%z+AMw(am|J)IgVQ4(hC;Vgh>WKHWCIqyw@zcP)zesVoMYv07N@hFhq+fN2*CRg|xqOfb=p+KPlq)`5}&Xkv>Pgk0pP0yjsSv5cI`zb@5xAx9th%K*=o9g>t+&u3Kjn3M zk0-L8!g8q_u9397hQSmXIUfaX)_f74H8g4HyCB6>n`-eyfSklI6=4?4%z@$ih>k!T ztaBZ5=@0V`o9CurlZGSp47kELDg$l^yz=A@G2Zw{7a)M1XT54^Mu7xp&{CY6n(&8q z;J#^f)EqakwcKr0#_(nlWQ46>thl(eNV8(LDswszx=*<_-Zv`-T#2(u7g7Mn{V+3ztz3L}a!7031H?5v=3x*J_)h+|}ovp7lIm z=80#Yy9hb+4v#o4wXptsFd1YGwel({dJ=t_JA%#Q8+-x)S9}WbfA9Y}Sw;NZb=N0Z zxxJWW5QTD=Y!?zN@T^K5uTLXzgx#;-KHNY}QD3<6p1%pB-=A?mThw4pO^-!qlIm6Q zf&39SuO6b$q_DY;QCI~4Db(s`(n8b9Yojx1se5x@Qq@002zXE!ELhZQg#pEp&|1S! zAAS<)P5T=%zM{!AG8@+M22OBTj%jeR`U-B10%3Y9)tns6?hw~fs7%^I)#_}3^X@cP zZ11ll?z9EwHG_vkH2%?yBgcL%GI`SZf!g{ z3a8wb^S@?$zw+*}PKza}sTXQX7IonUGoKnq$z?;(=^}k3AkmnN-e9I4LozsKMbRxK zE1a9BMR%`WBv>I2>|YPI?vtb&pJFI@+n)isAe8@=TK`FZiU^at#Xh(q2yW4>`<>&~ zB5fIVoQRn^zY2mE>px$Ddc28ls8E60p@Zp?lV@?mtQ0^to^~`_wRt5oIf^5DJoR!d zP5de~w24r0jZNu1t!r148rAaiXblsz%;U4iM~o~;yiFT2eddPXG)>exo^5Yd!0Ha) z!40<;e^n^71NYM}%%Ugs7i(WnofKN+#?t2)^HN`^7(*Y|`x`7DTuWS^a*lBf_tfKT zk}%`n_OF+0{cZyjb%{Hi|7NBj`~%Db9acSL#R?Mz&ztDAyXS=JckH68QjBZB6_foV z42n6G^4u^5fKcRWPwHB}irabPx{qn03zSh00Fn0mX2yX0iEPAsu5#>mU~s8XdSngi zA^8)gDCCFpFb?Iw3PIgzWf>`o)rx%*#zzam)n1g6(1(NK#V>!=Gg+*E5>d@3$+68b z`VX$j8q`fe4~}vMb?+GpRG`_6r<;ZwLrZ1^Mr%QyGW7@CZ07iPXyx}csaqO05P0p= zTJ0iXO%9wf7Od}ib*vvV!W8I*t;bGRzjeZGhAw_qq=V#h$r!V6v^PNAN3I^dC5w3~ zEJV^X161Mv;=aF|rWPXO;_jv>2l}w?_I_VNOHOG36NoLl;6xn&SkJm_Xu<&d2xXTp zyz6fHTHpu3A+xf5&KXj8*K$fv_&Oo-4`rorPl4I)L!apFQ-Co`e1(o9kNA%ZjV-QV zNfz!)iSpy0NCd_sH4B|bUUF(0szb+XKJnrG-9%Tjwhx}*KaGp(GkK(9EtxIK@Op;! zp<5954T`X3(qKHsF_|pQ%=6y3=*UGeWGT~Z9s^|DN3-zS801?9d&msW)Y$2ou#*ubR6H3&|t-pUdb6x zqkL<4wve-0AL&5wqEI#Zh5P=}F`7AizpvL=7${{HnqU`~`sa81c;3RH-AtkMr1Dk; zSS?O)?zgx8?am2 zieA2cA%{gc8+k>R`QG}GG71)A4zB~e<`O_n07bf!@{>Xx*hXrohjBWQmn*&qclv6J zR$1)F{xL6v6vyDE={ZkQ^0Axa?&lP=5DXW=9bm1;-RG=}s9|FHAj2rzAo!;h3-6i= zh(t1)WK!pLBKp$hLj3;pNWL`n&Dz}6xn=Py5Q_m@A(=_MwPb=24_bfvyaI#yROy(~{?KX;}(9$xQV=*rp9DIw~J+25uLUKg+Q9jg`6JMdFOH zAmD7h9#S%diS8U&zGA@H_EMSF^;1%T+zeooa?sk)x~@=#Bzfu~$Aqls>QwkahPqzy z^9?#cPXz00MbH45l_&y!5Y0@CM~nJQtAG0je6H!i|VC|dyeVL(Sqr| z1_rC~g%c)hG6KpeBMXlrSEj~>(YxzPBuE^J6UxjxD-0jAz=DH0(tLI~ugn^^a(Ygq0CS#sef^_ev~#(|WzCm0kB&H&8zwKZ8QA$dsq~M zB~7bGpM{v}6dDMQZTV>DzE}=ivfFP0n5mT?@PD6ZYboyd$jM_YKA6}%!nGBo?VfrwxK_5?SA;?M_s7Vt3S7g5w;41$X4F)n~#;Ee(Q5DzjU38{vNjUw{L&&{L=EX zh{oSKx0mzuHV;Rg{@!Qq_Iq)Xc2LTdzX2heeAP#n))zF%eW-VF%6;}8Q~{Mj_n3&G^d~& zB&RE3UFZ!wE(q{R!dH2mMrA|jydLpZs5eT;Vi{+JiKhW!)5$KyaqROjl^{1R4)V~^ zHwou^(G5Sk{h2kxR)pK)1YzGwnn5NJ7Rl7ioWIAb0#%ew@M!?Yn8zmN(9m(1-X_DB zLJdO-vv#uPLdp`Ojkj+6RrU70|Al0%)!j}r*)}DE9gWmTqxT=tH0XY38_nwk^m2^G zQ5EEX6)wtpHC0XOSUI8;Z_xKLkIVsLIsuwIN;YF%)J9rb_U3p0EX#mTGn7w973_~2MwGh?oQ&H zj=f9w=8OU!|6u?d@Q&ivYrkyUT$CJDc?U)e`j(9XxFB51FP>3F3e#bn;Q}&)ikJs> z$FBqA=h=!d7wm*;-5Q7KVfnM&>+#C7y72-o1<{4w?P{jV^DKFc;sfV}jMlCcevDOG`FJ9VV9yFs+Da z()%Z-f*SW27=%^k75dYZD>qbg*62`1A{iPKM}J#}_aG{IWs>Qeog*daI-ar2Q(_^w z`349C$?FnwW3~Yzso|m`vhwjH4kgB#ty(&52>_-laNIGy4AX3VWYs(w3SxlMW(Ofa zQYd`QN2W63o+r{EZJ|dV?)FMyZCI0{c&4=S&+%Y55|q}p2iz{JkSH_(flW(R{0(%z zQiH1J@EC*}PE&<_;QrrTNgQN=lC&iKEztkN8>SNL^}A;jHXluRjRxCaAz%K|U;97p z`1|;WIV&q<@i0?fx6>J4_(W^;>DolH9Cw2d3Z~~P`_?4zZyV4DQwN_GW^71C5jj(k zw~6RatZT`_(l@TKOsnXnoI-i5X#{(j)UropJ%P$ z+SRNvOIZ-LtGl`a4=HMe16IJ(%NKX0g2sO*ZUwIwLyL>rMxt$A;0^TLM^9;-MCFH9 zFeZ3t-iW!Kp)7-*D=s&0&~WUiR-L?|FU;u1@8we18D3F0P^e-d%hrn#uJUTTyb@B6 z0KrdfA)Ly?;U$$MyJI0rsYn3D8)1|L+PfaUvrnD$nma9$x@6$Vqi6KmN0ae59 zAFrZy8rm_J7iZs(INQrqv_oDIw7jIpGZ_{fo$Lj|2<=!GNnUwj}Q-!cG9aqWU=@h-7_%( z(VQG}<+rrUGgOVx_%V)l#tL!fJ=(IuY#rdQ`Rr=isdbuv0kqzh)q!VeJQe% zEmI|fqbAm};4}Ii=Rkdt4Ee=f* z55AKqnPvLzGGB+H^M(-NX*E6D$JpAwNlzjeVXSW_i2;DSFsPY%`@i%+@PX~E=%KPn}N1SzO~#aoRVu%X1F`zUi#V!s;5@ z6dWdK=8trFg$P`#(MVSP+mY3gFvd|{YCPR_e4oUGMdXoB1MdVoS)~biUjzdlZV-f8 z<;ruLm)H@5WMUVeM=Qgk7VWmfFPWR_r*C9EboEbgH$la%J)i_Ga6+-rk&(Nn@sU$S z<~Fl_)()QiEt4x*J~%;HeP=ydFUc2NH2X}IFPe$7odNxrRxH#Lcyu-0?e<4N<ox1YGEv&kM4oK$J@st4LwIsxj z<<98PBO~Az4Qb_%H*~-j`FM+UA*WGe^0V^%w$$e&9ZKkr+0=oQey61Q3$tkq>kODeJuVV!kTrmtdZ)63v$-SVLE9|0WyGD&e6+&r z*OIO%#v!ye{j~rWR?`QyoW(-tu8+$&8uJM&uKXXcl6vBEEv=+AQSbJ)3fv=_2J#*PZJ7Q1 zFAY=GQX$!VR+O@)ROwklYXq#$;facYJ;lP1hHH372}$OP&SC z1%VV)*3%Q<2Z^Tc_?VF@faarJHJ-i_(>r^P^v&Za(DkpaP8q0qpdIZ7o4R>Vmleb0SKn=PPZ!D8}V-(lko;JB4JmTtbwbK|ZZy zePRfXk|Ma%)7)emqFX2i@>2y5^TOB3&g5-&{ec`Wio~(XkqN(-_>_H#H7$9($aXQoKbtfIaXY^mEx+>p zX6gI~FK;%Z5uwwYA`pAfa!-koktcHa#vfD5|;`Hc;CI$k1(hE67tW2vC7HR86$P}j7!o@x2vIz0gvDg9RI>zAoJrj{o`A81D z`+)~vJEzcApP+V_TlvN%bk8>Qwz#W>g#3t#v791=hcJn6K&rbbLy0!o?5~(Pk&i~b z7fFn!a?!U=QhLjk%Zq>N%X|n;LZOlUmf*8)I$BqwS2)e;5_5N5VNnldo84?pO=jg6 z9rCE-d)Ve+dIHi9cA{;p^#!67q&z{ffO#(0pzGNzQHb2|WSjF!&~f($4hVL`GRP|S zyy1tp4fXaNwaJt#wKDsRx=BW6;mVO(@rL7g(dWQO$XG$R5RC!5d$zU7luQf~2Pu0i zi_jNQM?ufo>>`jlJoG{J>6AT8=`)-~h&73?NTsX-1&cCZlqAMJx48A~OnGiw1f(jY z*A>$=dzu%JV7er1@_qOB`h@>K*X?*{uzzE1KWdS3v>H9&bIq>b*hul!+t`r+LA37B zrAdJ(vv5fzm+qivDJ&1tN~|ZxHNsP|bNV6U=UOj@h!^8o*2z(CYH4W7`}Opqfz{3? z*SCc9I{G8ni!kBpmOfuRmPV`T2v8y;edIPo< zfW9}dI$hA-wLowp5|dX@7T%7U5Ua>Z+BJKoMS$XUZOaPN43$Q)1q(oPj2+FK0d_wt zUw#LMc&VuCsV74Ugsw_rh$-Jv!+sJ8&89q%AP_`6Jwr+ONmSFk<$2lc;Eb`*KjOE+ zOy^J7WXNzQsmi;9yewi9i1AIOSvl2lD*;SdZI>{f3VR0p@x8CTEyE@pj_LX|g<~9=0>7YcOLQSA!p+TspD|%!D|}s1hkp3cc)- zN+=6}t}Ll=Q`^pt*-y?r8Z|nmAXJH6f2DU*3a%wRraVKV3Se?}8~_=SwHwK=S^H$G(QpGglwTND z9gC=G*F5D|9*qnIsu)HG2oB=Q&4B|1AiBccv9%EB=%WFW4kb*$|kVo26Nx~exvT#tuvG9AzcwCNUPE`37}Sx=_kED9fH z9tr}yp`h6bdM7WMaju(MZ~&qan|@GA`V9}g?r6K7O43q%Q2(|ChiqbW)L+QX2rSGj z6*IT~GI|UXu;ouAE6QpNN3KYqVuw;l++i|E zi~}^i<|Ojo6SswAPx=ERF~(qH@+rO%A?ND(v1MNt7f&mL<;Q+MFrAh>lxZ$he!R%s z)zbu6jLWW_Ey2a&)^8}Z{!L?Ed%#>sK0_#_hI{CGC}XI2Ch23ElJ3>L^KwB!bR*Ub z(xlzlyL5*_$>(}AuivEcWfr<={sv~o)t^oFmS|qsh*ZbOZl4X$wF6K;ud#3+Bv{C@ z_;L|B&Y@>!@U*^s@tF7w=Vezc8TLw6X}PJR&5Xy)=MW0iT3S49yAUG^kF)5`YbAMc z;QmJNB^i+)V5)GE=C%V*4B47MfVJ}A)%F<`^o7@Evv|wW#?;smZoeHN6DGd)BFAR&@D*pM-HjcoY(}1aN|wN_sw=aea3J!xweHMXf1>=7nrGT%T^ao^ zT9U$w5SS{Svvk*^#OL7;;n1$BFJatN!c52a zsYTo4cQrSwD>NJUqOZd%>89l^!HI$w3gZ>{+7a#Eh>2V1{4|DWBE6_NHcYl72iiGz zWjp4(XHF`%$&k3x5M;E&XR_LOwoV-XrX5Qp4Gq*~&qw>G@xB$J({&Qkx6h_$a*{cUc%S+Kj|}VOGm~BFWJR?Q?cSB8KT7NuMlE1-r5m2Bl=cg z_W9glfCdTDcnl5^4$@3Nhy6SdiH9)hs_=(XVV~76+N`ZnVWTOrWAo8jLX@er5%L{% zKay;ehWL}~S-Q?p*7hhJ4$g0+u$&ibWB4Hk<1XMHH-pct(wf!sIoAs_cp9Omn4Y7g zMpWSKz(H%qWGzN*L-X-;Mf(@RDxB>6?IWJTYUm|l3pSh|69cYhyP8YK0sNHrhA19Y zzkr+XUj43cq2??nVvs6WCQ@IkJ)`(Er?L-;KK9Z(;;&N?fN*7{QsD@b?rt;a$K1~w zFUkRXjvd8Sz5T?$ee60TCXi*Y?6~4#HVEUxdSQ}F5Vhsy{yr|ELITa*2EQj+&6<}! z`G__l92Dbe0JZ~;{rlu^Wx&gGrrqjDp;v}eP8`yDJoDEAhXi`OAB6ZhaMP{YrK9r3d6@MmY(SCSPIh z`B`@^k)%HsW4EHGShNeukI%6fB)}rV3Se zvrIX?AO3V=;3SC>oGbIs4vLDa1kn_hg!>VT zO}beYO88m;SP{r&51&nbN;9H%X1-f9WTcapKZ#1tkoO*08AtATdb;<(fdFr=N*{2 zNqO39_7i2(B*s_J5VisIl>z!%fylE&2ATMIZ#9a zdK-@PtK>x9b7vlbQwn;F=!05>?j(MfA$#^13r316=PxqyPn&p+)|f{IlDPBJ;cNjQR`NUNLtR|%I#S3XYWT$e2&;o_qEg7M4{B{{bL4e z__bQK!QFY;Ln?JznO-$?18!OUw%D>yrGHynfr6B;<7`jEzfb=eX;elJ+96HOL=cqUYz$`K{Cdr$;Q#DKc{(+i*?jD* zq3%zj`bgJJn*ogLo#Ahmmaz^;~PsJRP$pUap$HQMCr1;FZ%Ym0Zjd1M$h~u${ad6 z&CwDv%?u=BMt|7fM>EJbBA#mX6WY=}NZ%2oXbJcXoRDaEP4MK%mz%#hLp|%})ASZu z4Gz)F{OUN0Hsezs57TgSoIrL4v_r0i1s70}D_e1!v`dpI_R<^NZqEa;?5kwj(!awvM z=rWz-lVltwcVM~2ON~}Ar2gC_n7E!6tbYr5rAvl(#mPYC;^1Ux>-zYtA2@Pc5X3H+ zAeP(*EAdTRYbVZC_lC_5OuEL&;|8Cp$#HGkjf_0$Ek#H*XlRP&9vFHqd(H%#MJj@q z;z7@dTl7UFY0h&p(U_2=cpCAR3S1;3&<$Q#{fZrzObtd4w3!XtmuM-w2H$@M4ypV8 zlA+9PG7as&|NA4h;(;!*?|6}hh;Ic~A$8l6Z zxm>F!dg1*w;mPC>f6L+J+TkdT%Tkdltyi>@nsuY2#hcinsc-~XO7 zpL6ES%$a!RnP;Av=b0J3mK`}&5;LrLSy+UhVw^ar3ABQ4JU0-BWDt2TorI?Mni`mt zzkQ7RIF;n-9V|w!hmnMCxsu#Aa@m#o1Zf92LDtXOySX?bA3CM#OicFtMBZzbx~R&Y zw6RkY+0eWC8{-LpCv*r|dNc@fDFOj4-EH1VQxr|kA|kOjiaa110L=`ggT2B1bUOm{ z4j-11rR|7=LaDuDkdokeX1jDV3kd>wE;`nkG%se)ytLbX;Oo&|uw1@Zg0nScjYzPJ zs7KH90f9*Nx}{3ckpqs>9sHJJbzZ0!{aZsUdq3?-L)+jPa)7t7f?ijV&wr7iiI&RD z+2N;WRbnece>xDY5f=hz5*5)jzIBGO7#smQzV+XS;fxd;5GPu};$u8R z^SLno_DJUvBAyV?+*Z|u@ooN^8{W5ABzgi1%JZS>|J4Vi=1qDbmv6BC2h(?;nrt-x z4?j2^t^c!$-Ty>83nSB1pMfX(IY1^OOMW=VbfkP;-SKaS{|-F-AK}maT6MoqK`=P7 z4d#D$b}dlc^gy)ki2EPsFgsnED4jI8SXDtvYg z{bk+S-_AcTqxpd_L2HUwa_#-$S4U)K$>$Z>;ElTFShq0l%mB7B4&_gC+(url>o_vi z#{BK@KL-zX5|E>lBY5@p?oU@+Fnr!-4Lm0la57ObAdIo=x3T9T%ent2Jfvad?vb}M zv^PiG4;46X{3@tN?}4fHlM{RyYY&!GSATVf)N3O5v{y0B(7BlV>Iy@4gBAE`z4-+i zQ*>ub|DlMU+H39(t`+>nMEeli-?kRcz?ud$JEQZ;LN(9ZRBJNcf%o|h3*lp#cgdB^ zx`w~u|K(Rj;kpl%u@MXZDlTx?r&B$j7mI(&^4Mw7T1xOB9I(!lQBCM!81dVA`L2jM ze{}Dnn-f8=UGUq3yZZXH}+42-rJ42Ig+#`){-*?deQ!pxNuO z+`T|EqCu=~bSx+fCVLah0utXHE)%Yf&)V*WyTwJG+38(I-zw>qa+mNY9ZE{_=qN{$ zP!<4b8FNWN%PN$e9|x6R7j=|b7n9N81um7n>_u7l@O|#n=9C+tr~c-T?@Rl{Ey>c@ z%ey{Gjm^~XX(dxL@y$+Q%V9W+0D~(|GkY-UK%@0(ZEqx-uT@FmqL+%G|~d$15F)Kr!Yb^dXv0b!Gz#wz!?| zww)_7%WBg@zVu;iBI%ttDEE%0Zy$`NPOY%vMf7>9xNLVPB)6qbL>|Fpo$3rUb2ufP zca~ZuN#e-ILR?nDRpXh^r+o9>L+q}HJNPHY+(G5k+^WhTtkQ<4&+AVwA?8VsErP9U zFA`zNhjEWXF^Gq7>qC7|!s9{&-Xy^@KjqSDNO~Sm&^jvc^euF(tbS4xx`oItFV$0H z3|@{Ucx^&qrLA7qB3rn5vDtyhJQcJPtjA%n&r>yZNjriDsguYvIEZ(_+Ylk5*JNEn zNLH=dA~*_lPNP{^tP{V5hinQLTS;k)%X_E0YaIx>m30Q2E?gZ+8xth2>O<7U`|8v* z$|K&y%jA%m*?~MhED{=h$hcKw-Q9Px+MijJI^aU;^ZMpXh-T5f2m-t|yks&5U=cflr8s<3Q_*Mz@$n+sCm?bwkETy5nFY=-Z#=h5S#|4v8VJP5B z`pkk1MhjVvQ-pzP6f9bVjrJm>x*&BlaO4mZ_J=Konh4Gze$8F#TK^1>LM%Q*f};H<>Fa9!2s%X`Nx12bIX0 zJ?}M@ynRG6U_-~W@|ojkIFfj!L8h_QaB$*e;*1WK3e0@MgH6r=iuGF3W|{y&E<2?X zizm!4`}S!9ntx6Ky!Vn61CE;c$O;Bij!CxR8_rSFg8msExE`lRxv=z-K(QGYNupQ6Gr)O0xg)Zbk1Avf9y zLa0n$0sj{kRedWD$F6sudFk@X)Dfwvnl{`6{t2SfUv@e+XnpaHS*#y?ssaM|@P(TY zx4@k<%3Tk)!`VN@IGwJRpEJmb6QR%e?5%R~gII32OyXTR3EVjbQq5KL#XY?NVbTjR+0v{f<^gOqc4u9}yz$rDJ zr&XfYMRe`l8e9)3f{_2tAQ1m5j10A)5QJRNwZEY77oqSMM3)WV}zqsuYq30m;oo((a zzbEb*CuiTE@vA?cv@kgBF_jE6lr0vOuk`3&LKIdH2mO(_){d>;pUVD`KY#2$S$`Bi zer&eBV$Deh0cOW@ySGc_y~syxNq5oXwDw+}P5s#9e?gj43z)NH_0ElX63iPq$^=8& zcbO)~IgcgxuBglJH{dhpt`Gox(7?IIih%3kdHG&F$03ryVm{aD^u?m(-SHn;o--ye ziTYg6AFY36Lf;ejcEguC9g&Z7g?Lo3naoSu>7Eg;t30*W}<5;yS*VUqZN^S|3eqx{PnR z9~Qj);SKL=A+KRb#DB`xTG)0J{i=pFW;uruYEL~*59v!!L#um!Vf=olr5lPXqv2X* zsac&Np`z_PKUvK+KRk(VM!wEJ{vJE^?MB7xfH$m8$|%{dUu_kAU)Nb*JndD2 zDaMxe*Fc!`E#CZ_4Ewhon~7TxJ$?nkuQm1Gwq2_SjSIf3+&sR7c>Xgv>CpLWvv<7` zt(#9YNX*`v-eTpzXJ8UiNd_wl{uTGNde26FT(-K_fjE?u!(PV=GKlN{D>49{`M6F` z|C%I!Pb$|?Mb+ltjWqwgKiT!#)@7QKbL&s6SzoDsPs#Cna`R_}NxN3zk$HN|Zd%mE zwX=%cL<)aa3jaQyi_l+HIrg~rehUK2VN&sXkH@pWhXVdnm`;J~we=U_?Y}PQ=Joov z{?}puI^S!xe~pLw>(c*LO4pG=_ur0Ye@}p~$ndT7{=07f^TVkBE_nVi^=m`&g?!e2 zfsZYGdjhVkmf9};e4Ke(F8x0ojlT@Xl(29n&yo1IJEYTsm%?G`6fjTNJ-!(CN z5PEHZ)wi=AUO(&c@)DxRZjpiGP{8Am{}N(c_Vgct@aKL1ueX0?j7Z)~h(-G;SC`>a z`muzH_ebXAt~-Ao0KOg5SAub_o=19Da|8}!LPFzpZ!s@!&i0?~-Ti(jP`(A))$0{yfOdvOq{y(v-y`s?us_!AIu{rJT?FWx zfe$`h?}NbyCj775*V?59Le(Y2MakEkfvMy7F;)QYQTA_`i38s_;2FI z#mZma1izH=8e*ukenXV_?U{++oYpQ7&_x90kwUDZ+W zLrQzSDgQ)^T-r3mufh%(Bz0cMD_ld9f?~FM|MKEXvH#5XKa9d|3~%huTAUmb9?u57 zYLPuFadp{~c9~-MA=9fT*T-w>AO3U6HsE>%{yp0I7XItJ^!07KM$V%n_2jF+J7V1-w5_y5coD4{kH4h2=-mz z{hNaQHY$DF=Whi28^OK{0^dfX-*)|kVCUb<4gOa61F&{iUC4Ki%l^g44*yD>?)&eT z*Yq=g>+f@(*>8EBfpv4fbq`+Y;eGFY;{N52w@<*zKH#a1*>#nEKJcUl-(DZ*UO!yQ zCtLj<@NBRD9@x2lub-!xu)aQeBQ#PAoU6U85Aul#2lKEWf~R1qwizq+rwhR?R|d0spRr}B^Y2la%nbDP-N zE%>(WeD_=EZ953uKY*X$5eNeKsS8%X`o}+i&-dV0jSyyQn6DyX$fK`z2zmdnAHr=7 zdH*EK{2Ix3dyStD{N@zLzi3Loqg3Pno}gO2RBChoWms z{LnKjrRhP*;QaQ^-TPpjb(kBsZrl(+dF}n59KiUy{w2H(S`f?<+1aAJjnyD{LyDK` z6!c0#M|_(voyl*TO%KailKKLnN#8tIdpY>AaAjO*$0Lepm$*zr+V+qO$Twa0{31Ex zD{xKQD;w|==MkR-JroX}$kOz#8gSJ~!1F(O8H!<|l!})S9fQV|)DO+LYIzAkM0Qe2 ze=rA_UfB>`QbDyYxtIy&;H-X|$k2zK5b=oY1JQ>u>0w26+9WD?Yv`waYCS$l^Vy9( z8H{h9AWSYRg?jmh%Zv?0OO?9MTaBC@xcTV9zQ1R~0~h@=zS-y%7U8~5t~Y94Fbn@H z4I^%~iQs^!*OWzyV^8U=6+aBLg;fzbVpkMb;VyPSskk!Xc1>$o9GY(zx3L2hUM{dx zTP19I%DwA;C1SgG0A6KS{scw{#hc_C4=S*(*1eg~P!OI?!U6dk&g`ih$*y3n_CUc? zmhubn{4sf!IJlfGzlt7Lf04@2Ld1c-H}A;mg3%h)v6??n?4wdRQmN>Y89I|nzg;VC zrEF2DesUJan%d57>9x(O97d{n_Rsdp}eC@j_ ztajm123Rm%!Tyab{yN*w30RKw-v*+ihR$|+nwmRim-$=)dyvbY*bC+tgPU$}O|AL& zNQ$q8xj)LnMv*!>8&Q7xJZsujBrkNLC-so`Q1S#mfr)t=`1|(IW_LU{4;P*2GTa(7fDTU!$#&3iR8=2Qk3FVsmP;Vq! z_nZ*;qRnJcxwGkI8(MZQP zxEYS~M%&a1$T~bE<;5_veRD<_mLAzYO2r4M+=kiF&1&t1 zOpphHc+a%yVc+@ZZ3f?KzB9ssTK4G9O`MvVfYE%G=uJD2;N*@KL-^P+jxMNI>$XjP zQjy|WkoyCGJ~iK}<|RZ^JIc;mhh%!YQ2F{4@BA36GdS}3W^Pit>E-jDsxphMkN5-< z*@NN?piLQ3cC3~{Tai=A91SU@lntuU;c&=Sx5hU?qo*+CtRk8W$+y%^Mz_=WUI!a* zb6D!D_jlH^shwDGKGWN%)PdA7YR5sJrPJ4Kn3%Q z8{Co8#`-E=u%q|H3lKld_x$NE0Gc9 zA4ol7-0O(tjD#|*J&(8GLUP&B{)p43feeSs#!x+F(Q!#4Zjt#_HG3;_(RW8@Zx*4hZ^dlT%R0K4`s-=u1LB=Ac?F|52_J6O@7UC*t8Y^cY;mYZs5Fi{3c!k5hA$Z$ zOu$>lX0NU8Yh#5j$)shJuI*amt{-gGfwGCi$CrX7K=3MMrZdKeI25HcSUE+FInYcE z{kGwStE~|Vr;*k;ISWgLlG!TLEl%~7&+CFTec?NwX5=MTO2xP(wU*9Ij3X`_vWf6W z%#xP+6harCi@c@sR-7ElYq0Ko6B(!Rb|&yHdB$u{V-;7@u7Yfi7s6yMYGL-<&Sq^+ zOcmw$A`3*%;su>Ku^~WMUX3d2Q}Z@@(cm?j!`Rc1T6WX%ZFWWoQmy!c3tqVD_}Pw$ z7HjD+g~3{Tft!`LM^A9E?>=mL3XSkDUa*Rlzu{|Up+9#3i&@Z%9-+wi-mdo_gUQLg zKp7ut@{B)~_2jlCBOsC|S`EoJEWspDX76yB7H>5<+_H&j?0O+p9fXLHhn0@2EkZpi z8KOAyXc_;pf3OLZQi=IQsH&bK9D0lvC%RH(QvKn^V-a_sm|k>dLcHdALh8~5vd4I8 zkjfQ`(nydWQ0@9x^W7voQt2!;K?f&{gM--CtXUm;xyhu9-eJa!Gr$|_MCt)7)btjaLtq%gJU?ONR4+`E%)v>{AoYMYJIsuyS=1r))=4Zx9&hMcQ`4e7L1Zwt@#U8* z;t_7cX_W$Iq~6;w=b(V8$ZfasHDFp zAr7Hhl$&;&>UpchL=adWq2D80-KVCkgSk#S&RqPK!e*SQdOgTOgZHI!ach)s?{b4K z&P>e-(w>x)^o;swB{@8iSluB3g5Kt-_U%$V2a6@?*D;o^FWZWvEUP+$2|s0@axx{6 z2ZR{0wM9;?I=*DLPGWAL4vYCAC&3-s3cOK4W^Fv|2FK(y{#H2-?j=O3o;mZjC^p;k zay-jq@t9@IjuKGouo&+c7s7raw04@J$*Ql>ZkmRS?(<-k#DlS1OZ19?RiY`tkz3uFob-vtH>YM&CVIjs#v+=K8 z9brp>TKC;Hxgjys0k*V&Gb@GBaaxAkWyFzT4$ki!9V#yx2 zRNu7W1WE;OT);gojZ~0m;P2o=GPWx+Y=WI}Jw<#!Zmj^Oz$utNm9={l31~|$kLUE^amO!W_~odO+b=|4fw+BM#UohzNY#Z%@=PS}dUsEcC2ZHA zX6dWyvsf7OkIhcxsU3WRiG+n%to4TVQOmqWl9-4|_m)bWnIXN+lh!eX`S*v@&%-K+ z>}Hn&F*FV?B+lOYbvSnx)R3DeRG+BxbDjj@LMPs{h9)&tOWW44l;ia2&=oD<2z1)5m-48Z?3&(-3ldc2mC$mv40L_^w>!xb+L~wWWq_V1-U;?9Wttb1n2!Zp=u% z^HJX?1|?MD2us+rq|vDfl}*X%)(?%C4Xe@_LHdU;S}M)HsKlg>_tS=P3XoU;L)Kt( z{R;F9A`*iX8n5ij7ww=&Hr^awbcq$HkVJCGe$2BV12+*UshOk_;jp8WfU&; zK;~^Gn2-sLIQ7l(8nJyuqd;pN;Z+j7@S}`)c(-alV%t1AwYFVI`>O)bk0ZUy( z1DKE!*A|_AvkVL5kNDiCivQ?oPbXg>_6tEh4FeN^>7XwNNb{bV<6tMz_y}j2QsMb4 z-X~@UDQr;=ex3bubJKJCdK{G~706H{z_Vr9E^K=C6+RN)WU<@A(DCF_IRp=TTyU<) zNs+@NZE0jOU{Smt0%uIWRUfuiVb&b8cfj$>q@EIKHS=jB6b{#y_t?n9R>|LtKR*~Q z9u)1a6TnAtrk6o8c&e0GCVe6LIyiisyGs;}^hsvDMF&=Q7U74`u&Ea3_f<_L>TWi# z7TG6ay6WF;^UGP`EgPSU(ihkF$JE%9Dge;2QM^r_z1!5jGjJ+2wBT%WMovOf`kK)` zF~}?}qxZGP6nsep|K>_av)W^s`olCtwBcmktIh>`>Zx+4tNu!7>TzG)cwT+UhlGNy zS-Yf#4w+F%Ft~nzw zi8JPSB0@W=^#(G_s$m-4&7u`?fnbKBE+x^nTm$gAuj?#FJgWbT+La2>;Uh92!D4jG}y%KN_};Y;MG$ON=9uhsDtwjH8KJQx2SpCoivh_f>szJUqDv_u>Wk0+m)X z@6LsxsUtrL@-A5|Tdl-o=?PKoht3WjlTA?xWp?|IcwD?6K2j>T z7&??ICmu7iqdd#3g}kGt1~52&`jYveEip7cEdpDNb=B_)d+si;^PV#%zoxJV-|g*3 zZM)>rcS?TY`_w^*X{cj4*_pAV_B6-1m^l-Q1BL>0QfF}Xcm2m5nVi^IS35>zq@~s4 zyuS0iHI9#0xP_G=CysVPLb;4Dbs#K`;WMS2c!ve+o>u3kveO0c8T#16jJH$A1 z60gYm4-7ID(5y167oR@EIk5VfYDndmM`-9DQ_ACl=+_!L_j3pO*3#IErH`L56_;B9 z`1qy#x&?Xj*+WUw3>0OWv+jv2zK$nBa}r>>rFE=aNHNunnOP9C@}};|6&Zk+C;dSe z8T!Z75SJjRQUE4E6@TGkAr1ENgB(strosgI$iH4hG!i>DPR1=APk*pmTAF$7CVM>LdAY zQL!UdlK4Uau^@hnr)y+Diw@dWQZIUAhdezWo_N9$myWXjrBj$hZp#ND-}eSB|~Q(@WgTG=(nwz(w~dmKY~;k3DJ$IkM1 zsqnpox4so3N2NbnwA8sXq~LI7Lx$Pj@X>_TmAI#Zn(vQrt%GrBUcA279Pb&`dLdCUg|9v1XWBrWW=gi9qf|Z2 z-|^0UIQbzMwwDm=ZNy<5V;5sreOmLkX9s^h_4bVk#LxJl&>)gtafXZ=Xj)0j(o#eC zv^js|Ei!Ic&yZuV!HC*GXMyTY4sMrsTv}AG(o0b?z1Ppd6AuNJU%Jz1e9fBB8Z`XI zM;@eJv~;_G=LOP~eT29dqPKOn&%F(K3a5x*Y8>2V=YnIqs$S<+*9@BqB*NG~K{U%7 z+?-I%(f2^TxShERWJvZ1VBb}_Ab*kBB*dokvc0IsWiM2Id2^$T5 zUXjR5ymv2ld@jc@;uuRc*f?n39kN=a+)X&@VRZdcR=oc(&K(U|K7F|WxXe7U82(tfUZKg9Mfb!7_Pw>)|O2t6)$uH%Qtl(S4*b^_RD>n)Cmql3u=!%%czCRqX znyFx1WVguKS-RgIA-fDKY{ttpN6z7IjP-t(3bs0?nQ|_qA4VeFhK;cnrZOd9*FH0cc)lt@iTKxj`yiw91u}vCoaY>1rzR4;g`B$?f*ZexfPguSb8Zh<+cVWL}8@vc=RKB{%djnwr zx4Lv}Y(C_U+FZG)jGmz5V4);V@)gM#PE-x~6=g~4JA4>t-e9t0S;9qfT?>*s_ft97N7vLtgjWYKMk!e7y=db(%t+yo4KMWAAqm zz5|E zx`MVSVV)(#4^tjAf#qHI@9un(cip^_cL8!m-jhkD51F#X11Tf^A`9*jx(tywPuop7 z>PRUHG>}N@Utm$g#NnjT*TMsh>E4tVZ0Ul()q>zEmO~kjKRnggLd(X^A!$4E@eQV< zC=ewhGg?SFA|Vl@J=j~4ktAeCzlpQ0oqjj`L3)p2=ahFyuU%w?u$`ECf~GG<&(ZQ3 z%*dK$dSzzGHWw{c_bTD~30O|$5BYT~G|6iRj>}$bgJqHArcgAIM={hnpx*XveuKTd z;=W)D85cSa(nRuA&1S8X5=vyJ8eF%oE;`@fidcUvain-x%*A6I6{VOC(Unq+?G(kr zT}@fq@?)Y0P^83eAiBrm*ciftk`5h0E^1*?GG8Ic6$?JnygKoqP}7r^O^BSD5Xl=NvcC69RsD*2^CJe zBvPJ2R;%{0-^|q)$BUo9IlnO_PiVIL5Kh9JPl)K~lgR!O;uvP-Bl7Q&frBCN2-_~( znlqe2qUcr|4n?@y|E3|ROe`XD-Z*u<367T6qqQ*0ik3*lL3ShcjTNP4)x zfv?0bMqPsBPP$2<5cwxJk!PR6O?(X?q9S(_ha~)y3CkYvWC$3H907ZKOCo^71}j-8 z$bX5?tPa)Rw&u$Dvx(G21zAYy6DQgU>4)XCIO1EAvk2`{DKWS23X|Uoj(Ixj8dWe|R*_(?Pgj=HCdL&bUZXMQa)QXfDL2YMlG8wD| z?`BxB9!>5;-Psx8u2s-FE;MC{w0;TUqx+0yx#fN8lNr=V%ScE-672>TORNH)1BaoG zsW9jW(-pGxJs~J#G?H6>9(-a1$NIANgT<738E9Hu%tYhTS0a=iw5dItepr!ttD1@E z1+U6!4bqq*4V2el!>#ZGma`RLw`ctLkLb0rHX=3vEStl?frva!&B%oNt0!Sy3$n*( zevsQqx4En7G~|n?()LLav~VsVwgV}b{t6X-HOT_80`v_u2V2gCW? za;25t=PnEu3skD2vk;gIsHCukkwVr??xMky-soA1O1FPb)e|v~w6?z5V`;rjS%Ab+ zlVc+q#V;|!wQ~WF@=~JK2zpgZvZq_3)CpBha6oEPh1YSSl0f=iSMxFveuJmtembbv zPPVVEgkGBTo_Ov$SfVxAyO=J4Q?lVZgBA*Ed`1YlU}iDo-m_;~KK3rnjCY={>ef^x zfM`IWfYY3|aTM=iQlz;EMfJ#Ti~wm0sS;m^J-1ie!issv%={#Mtx)YCT2|L>n!@;A z3IZhVqQ+z*Ql2%7o>H3_DKDG{ZFY&ayEJ9K&xRWe{1e$-JF_?gD?6kT!_CXHmXU@h zrSC8j7>K-)=!u)37|BgdS`#`%VebacmK1nz)EuK4wVK7s#!+FV@hHRDRs$usL|NJR zNFGY|DK0xVj)+PD_$to*3P~PGS>?N}(Q1U9%PT3hNK&sF>njD)_#dOD7q`-O>#(dU zsCl%ZiPC8$0_@5qqziwhRzkwQ9J@7a#6}DzgP(KKH375qlzc7L`;ptwtv>u}O)<5)Z;elKQDM zuFzYf8~7l?MINw}b*5=#CGauuj*nbV`m$@VU6pA+O{R))6qXDLT}8LYt=2Rdg_p^P zn9QNQ6Zu7CqgoyJ^c^lC_>mf;bgUK$f{sNm1YY@Mn*3A~mnHJkN&nDtd2hNea86ByFf| zKCokZRz74#WFev5bLSJ;2`Cpx|3$ybgo|o%?>ws(O$pZHlcv}_-kV)!${^#eMHmE? zwyfGqh_u0I|L1txs*qKzy%X=`0yVJZR4tSt;}wg%!Mz z?w()n#4C^}#)W?%JeZ!^Y@TBn#1w5|WC;!zxZw9tq=F7FIwA)$6DPOM(PLiWsrtN| zbn=mjd#)`C>`5-IC6A5|klucy(>TxG9Mf@l=gBL$gfu%djx)_^$%@lz z0r#5oQwM@STXu--$*JMOEw>|;8a8ThIRJpSiy&O2_Q-H;8uOJ~jQ7QM1iLlMQ1wlu zYS^;ZC?*NHk=QqsW8}zaJSn#6MiPA(cJ1YPizcNMj_LFklSL?19^px8%o%gy8i|X& zf5V<$r}#09?Oo@ji5uLaK}h&4lybI-J}mM+`OhF}jP|$@VweeX4fh*Jq}eY-HEd!0pXan@0-DUO5lYdy|Pds`OU0q(&HWKVK}TF>5z?KRnrhA~-!e z1Wi#GUCOW_Q?f%z>OEAipb)qvnPX0^7z7@qM5gAQl|k~jV5)~F-%WkC@hp3~M2Q7) z)X@b=8CYg?oS!bEq?MWjBs+&CkIz0XqK-rBGALD}j|NbL|3?<0$SNJhN|TQ$c_r51)5{XgI={}N9oH%lFlx&%F&Xo_1JqCgi^Fb}QVCI*KYQI>uuaN=6BqGDEywB< zEmf&=^7Z=2y@vbla=P{vi(3Q@x01(oe#y|v$MNN#F=v~bI9*zI?VdYS%#A&n&7u^- zaGS}YCDCH3V{{Uw*tOPiQJfr{w)R3te2Si)W}PnD$e5vsyVMS2tu_g^{Kj({DuIg= z?LxT%39jgjik7lymE5$xMWOnl`;6=AMs>ImXlA1?p+jh2xgp*rPaja12C5`9h7s6) zAV1Gq{m@PSnf%Pzk(sI*O43O58DYw`yp}bgIM1fd6f!i+6boG3NAZ;C?9f}AB$}3g z#)4~&JYN!`!g#d&VCh~G$^9bAcdMHu=}wBTyoA;XY2QNpvkQ_LmSLvl#-^#Wj;V zhe)%Yos&{(_^3_)O@rG2rGQfZHA`I&OIXlNT}v$RD)Q{8pnN}O#y_%+jfd4C{7{06 zBQlmoI5H^PSbt3MQBQn|IVIbsZMl`zf7~M#KEf;`qaNuImolfd-gC-~DmWHOJGl-2 zE;)`YkScB(H|;n2<9JO z{2vI@no561B2&^)@hJ$a zzMr1Cr6v#TqMV8!oqplKCMS;f7#loROxvgP8eBeV_@$=1I8splq`9)Dr%)Aw@Lkg% zmT!M;Yv+!~pNY8B8Ip)4+=95=E1ok7DYX}Cig;O_9bVYp(b&zxXA$0x!q^h$%wGeG zIdjwR>TDQ{<)t=lC$re7M%Ky?w;@W)@S@*C0j^Ve4Du~g(28|aHSJX%H4#o)QGO_K zCckf;o!j};b24#p$=>Q&XYxLI3@Mm_YKM*t=aQj4lDXUFA)lS0`7s!zpJ8A)T1Lm( zia;72{b;ewUVg3UWRW6Uv!YdfY4Vs1=BbLtQ`hq_hfc>NeM0aK%!Ai3!>xDl@qnL+ z0^4mmhU`q38@j+{M)8F)+;ueOQn3@9tO6j*bMzxLG}Uknrsg=@D$70@YF46D=RpO&@Y^l94V7K`R@9xh`#1Z~Q?OAFwm78rCRRkmI*hkG0q}iYdkEXk728QL~-=E zH_(+rNOozB^P?#bokb<59NP>zGz&q>8IaTq7~?Dyc5*lkSxuWNX9Au|6g4WmyPIde zRahdqYCmgS&&|hN5OXPHWk9G$i4y><*?8&v)q5^xA7w(Cvz!k8g(NlS( z*STINPu-m22gTjT&)$^rR1n?D<{`VOC2b|rwLbG1AnmUC4~B?d7^)Mpk>ir3wRxo1PZ^> z3Lzgj4C)6df8Gn<_6wo-g|GW(%MQi`N$VXyslllgQtcesopdJZBYAd=ojg>C3h;^* zG&8x=?ReKpZ~94BROnI_qUFY(QC_{6qQ%Y089ojy!<)EE>G88iRJP}sUpN3NA$o{e z&5+m;nY=9Bu1r`x`U_D;%+#oa{5wHRsM-S6_0}SjTkpe|JCysQ^PqO_rL$z_v~5jvANdLm2fa;p zAvTw5-6P&q+A_k z9*1GZ>X-<8_PkKuicUS4G&2v&swKYK@~t5Qn{2!cXpo0WWc4|Es>7dV{mM3l!41*` zicHXtFQ!sKL}&^vz>201%+pge-FLi%FhI%8k;yH(r8v2OnHFH~B?Y1!kuSVx15nT4 z%dt`4eG2MJ-Cah0ML}x8Q=ce3j5y|eWeII$RI_JCRdQPmbJIzGNq4%>gK9f?XtQ@ z9o{Bk9F*d~E>mq77Gpk&F*wDOX}yGqJ;(go zEs1ix!U*ROrJ9-ICe=@mxY(x!AeW?7D7I%~HU{&m>Q{DSwaIq^rp(;2u-Mgbi}RAY z4y9Hz6xiOdkzrqKc)dhEhz&-i9GY1a@utl+_Pb@76&a(lW@sfL8n3hWR)iqCVpnlX zmviTQgTkPMo*NWKE{L{VWA80V5$-`Pyy|B!yQILEx)G(LL|}t2RD={F5+kROg9zz; zL}}QWmq16`$M~u6n(sOCZK5*f(c#qh;}aL}V*abY2=cU(yU08YSGv*Mk~WPM!K zBT4J!VA7oa&UiJg-H%)-%elUJ8c_`Lha0A^ATJ;_#gQ*MH}eRBM=XYn>1x6TLW?JA z$4bUmzw$fwC-1NI4Tu0oTNC&)gCkl26f6)O2R|MFjkC!FdfrKlHousj&}YDcbuou4 zAQhX$>#sGQ>Ct>&QLIb1q3TVLR080RsFS})fEkGndkv;?T9o4ZrYEhm+=U>cn7cLl z4k~3B??pyZX4WiBIFiLW0juhz23gVgE2O0798O1HTU&UGrnH@XtBK5!lt#vg$4$8; zbR5Pf!Uysdv@SF;q>|0gIU9=~14@k8jrj#{szs)|q@WCE=m^}*F+}!nmqA&`EyD+o zlp!anlZUllT^oTVJ{U1$#|;)slgs{r78*PA-{?5*F)nTw=UHFy?zo^5#TPUPe=T!Z zj(4i}aGeIVof2RA2mWnxWsVFgry^NTWjm@384G;Q=JbBy@LJl+sPQh5Bd&$JvRWJw zPKiiyxbp08y{*c{T-1ca98vkIni-X&s{o;y=z?`Lmk^{&GpMa~aLi>9^YX^2CIw!j z_WR7?R)$m?T7!x?$K?Dsj3I$e6uUtnHrxyvLlZj+Xnz$YKYmzPJGDG7Pu=px;Fl=$ z%j7A+iSXp3E+oW}859*5AsrcN<52o}AzeFQpPJ(Q*1!Yw7UFqmmql29hfB;Nd> z?cGx8D6NV%^6~>Ww&xL2^cL#+Pfh2$Ds)OPzp#kG`t(CrC~6HfSuedqPzb*A0pn0Znk z=Un0|IU%!2Uv=OiK=Kn#8Tf$~9n|@+WETKm%|Txv&P+6|l#3@gC%YtzM%G+_vSts$ zw9tHNN!MqTPPBY_t_|AWZI14GxDJ2_nNoE12~Jfkkyjtaq`RB75t*A7y*+brbBZUu>IOku zVS8Y@B)3D}Br3+bl(X#F!)M{;L5%l=C?AVd3X(aZsRLD&M3vZz-^(SOHl&>lUuX8B zQL32{W7Xw|ggIpcJ*WgT02Rn7sLgpol8ECIK1yb(^3l5WDbnx2BYzUi9Ov`K1lcC= zMvw$Mx84nXJf?FHSk|S;tOhbZZzorpHmAtpEb12lQLed7=xwTxlhH<7xcCZMy0>!Q zvCmmG09-gRB?#%z|8bV$)Ro_$QP-K<>#W0nIuZ7J=g}IPe&$I3nd|+px=cv9w|^Q| zI{QB+S@H`fl=%P1OC&|`YVz*_B=iq@2>}9U#Nbg66M&ZDC3z5K*GrYNa z;|F5rLXv_#MNA^I_rJQM_zTr-lfM9mK=BU8>Xj5Mo}>sikubOlDuniFI;8G|>?}a~ zqvg7sOa~bax_Vr=>Oy3B40@}Mey%*%yt~u~EO&UBPyX%Y5e!-%KzMRoS(}ZgaE~mq zmu;jR<+#_daKm!q{Ex6^yG`9lX1AAAdvv^qZA8@pflM=Fz9A zgqd^H3-L6AQ5|bN6;I(IW#JbYc{axfl(eWye#dn6YDdHt@i~_eO!`WawcV~Y)e%tx z&$J|?+a*uPN5%4F1<0drsPyjOV$!#%=4RaXXbID2aEHN!oY8KWNKLPPARmwW^0?^% zdC-2^F{7u{?6wZ1S1wC7RZ*AL5oW`kq*CMM&O$jJ;T8`YQUj3L9omX$)lqhLlu<%v z?z7MHycZzE-mlAXp_~H+PIu`U-0#vzMJtO$Q7@OI3K#b&N9%;wZPR&d=ax^OT}XVI z<@69S>4SbM_+r3>4HxmV1x@PhZ)3YiO6R(87cx2Dv)ymJK=((!>Hf))^uddo$?XuR zze-EznnsYAV)ypM()4*ka+&>sm3v?Ro0?Nj0i%_T|Km4c4sM5ws0UDH%kWC-!Wzx%=?`gHMW8Hz2@@RnLI-T;9<7Ei0g;2EI1r z@^Zs81{{+fF?E)~=%Bwp{vZsD<4IuW9BdNBHRT0uZAH4o(e%2~=S?U;N(i`tu#!wM zy_G!{f17^=fzFFXC*LYX#vDgLu9o~d$WWRu^{FheUydx655kj=%n`=^s{Tpptxlab zx^LRpFCm0~_z~fz(Lr|t3G^1~>)<}n0AJKSVSF1{mAbhasb$Bym)Q$-MBF>qOBt8H z{8JN0dP6FZIpWz8H8-nQv zS=Sdh1!(1MnPK*@tc}QBZ(}}-9#_BsuLF0+$H69k7|-a9l7)o$Z5<&D-hBQZcjP?l$CmX3R-#}SF6W2e(oY!1JNO$Rt(88@o7#s+)e~jf< z71Yug;_X0|LIATWF2sX6@FPBcmEM1fACXJk2KA}h#ROv(mSnPa>)w{6o?lXXHA_(58r1sD)h);wqe@91CQqq_O z1&h=q&&Ax#(}^8DUme?C-Y&+PA0lK+y0VV~XAl4hr7qX1MwJ9%qAA#l%?}&qOB-io z#48lRTuqX&qJ0Y;k`3k7-NoEH(7r!)TF?9JL_8MGTZv4f4HstvCh9j@gvj6Oib3Z_ z$4P@6&CEb+)hG0|F$lwGY-4L==b|s;sTauv=#vIuypS;4hC^hw2uG=0mqGY|R!*pu za+eI!2;~+NIekBIb%4BSZaZnGv~KB=*Mh9Vjlo=CPG7u61^d7GIa7Ol!>ONtk%p$*pcsd zVBZNdfD%ZGw^@?m$;T0pSh3-6tEn}GJf;mng>s2gt?_>_H0G-8y+%Ou(!hubqDB&9 zkTIy;hL{84wr3W}dO|z`q?`n0Jt0iH2$8>( z?}$t2%3TbU5i%~1@Scj*AL}+nv<~KLPSldhg>;8@!dnM054V9;H!en`2>dC2lGs zr>1pH*JWWAGYD#J8i=f9B!r7dv^`qtTHUrRe!H#N-490qgsI-9^gzXbs7#1T1r6XK zWnJxKXf~J8j})v@6Qg4vC0gLoK^Bn|txy%NF$u<`m2INkVyC`;rw%|f zRb2(ZQ_E@tJ*O_)eng5(v=_yaWw1x2RDP7skTX~fcQVX)Y%Wv^C|e-Y z>oHiypPtC}Nn49Ix}81Il2Ty=y=MD`4l@JZ#!~N0+$^3($XZIXXP}&)K0-Dw=O;{;YF7Dd1Y}8 zSWf}<@O{sjo*G0*C9iW3W^`@c^j7A;tC~FV=2=TrVrIO~aW z8bOu8>63kZxZan>9)MhHR)3PhY)hc^BdQ>V|_bBUBMucRipfzYHV{^?JODBwcuUqFO$}`@4&i)|QI|KXvQ1w5PiK&adswDavStA)1NEK%q#CMkYJy7Fz11^vW+2c!ALQ$x|&O4tCNzuA7$ zEX4lzHvD@9#1g@i&7IP}h)D~zMWja55Qm&?U|O?-P}H%y=Ir~TLsu}UTDgE2l!{5M z`?2mkrYx26RBUY8-RJ(m>VQSrTd~EF*-HaK#l9)$pBS}6)p+t@JT(YzqYBE%lL{u5 zH9hdi(@%nM9owhd%PPS^T4k@>qXV1q`EMlo-7i03N^m5!f=l;wm2H? z^%9da^GI`lRY0?97N_{_7SaENMz0Zn{5dT;c6tJI+Vs|tJ~u@y-`3d;0;@0@j_(^k26#d)3v9RJ=nLn#Ym6H&F(XhOSrRp&hs^wZeFZbd5w|mJVPo zRwSuXdhG8NLuVviE4C(~rLYX!B9Abl@HQ(+Vz22LQpa z*UP6r2%Bfw>XUQ8k_s?Ns-@!2wphJ{kVQ3>AH}-yaNr@8|Lj8a;D26}tJ?gWMBIFKL^N-5!P{?sp$BK*-FX1`6rFl zgN<>{^7W`A=Y<%7#f2B*RrRvw6_8yr3l3CNqvNlO+Z6Qgp2#45_#HLI%NPP1N|vl*f=H-CM$p(Qxu&GxOL zqshKJpG9eVY3*I|8&8gR1;_4$5V_vxdMtb0q{7ZJ^5{l5=B-RQOJP`v%n?Ub^&)9T zq{}csQtNEqrQG>eh8#z6q6HYPF1LVsGo1&NX)Qej+s|wCsc{#tPEOh+Byx|23#$I4 zd3b8~#G~aC*-J#p!3@zI&gsD$;2T?FjoV?bl3~pWIgtq=iUaGP_;S4{1qRn&l->4t zhOUW25gQ$b*UAe;!UqBF;>$UlxthM`ZH$K)R!-~~sxL?m___F!q~x|Q*lWh`$lFr*@GS1ot%(>=Yl{)i1Vyf9-1iump;}31iiMwM z|GvA9iv#+$=-E3`%;#e7?ghfDghA0muh_MQn@d>3;iW{EgR!~XTLU+*A(&j#T{OAS z8a&68C54oBhF#a;S*bT6Mw=pVYJQR%T8Ly90W|IiK;cC*cVs}N0|x>hJC1L{GPjY>>7~;mzr6`CW`D+@K5-Nc z`wqWZ4cJ1w_p2IpIl#!BJ$`_1?wq6hrq{3ESJ^1!=iXG44i03oG$+-l9Z#0u3E47# zc8pS}W}>tFygB_2Kx*wgRBD{8@+!p#%!&(EFm)-^+@1}tF#sYk6`{HasAzD<-gn6M zar&=gSYiM!2R3~|Y0KN{l6ERnY<5kWX4aZ2V_Un_r~!A0l^IJbVGD(f%c~LEu>R7 zs9i{A8xnf2%6Dja`?w(&HD_0KB*_|y*~56zjfg0P@&(J6LnVgC-z3^BJ5@xMFYgl% zDlp-;x%GOW_Jcp@c$q7j9Sx$n>1vGtzcf`M_`zWYXj5Ft<)%}MHn{HHnu<&D={x=f zk0hY>mT9Uy9oqYyZCuZng7Fc)G-w$@uwx(V_x_d>%voPk{EcpJSjx|E!w7wC&MC_< z$1)4ZvsUZ|HX#s6=&vn}2(?UV3G+|TK~0eLhfY~-M5Z8rnBN=Cy6Ok#HjStcA|@u^VPC59b#|C}8=RGt!% zDR-#=RomHuoGcJMb{42PVU3snp3O)oU|i{n46O_AR{K zSY&m90@>k&*@SuFIUY+Q7B$6fz2LHz(Mg?R!wzN`oO_~OmSZ>4e9Ee|F~XCaD%??>iOp49-7)9M#w^_q zi&D6zbBo#gKw@g@Rf_iVN(ghgxS8`Iore!cp*2p#`^#poSjmvlx5i0%m)P3bM&p@A z%Mg%Y{=0+ymWZv59$dT+iP&g3*+dV$^9RrM1;uLlU2%2ThdJ`^b{ zUcwA7$+kQh><^)>KH^qxUL>v8Z4j+xmQ`NxAhDtT#HXrP4iW0p_15w)jf9wi^0Y1QbSXc!$(#P7uYBhT@X zz(!InQJMNhIb$L|K6XRrMNdqJCMzN!a-&FijJLSU^=vO7uh@Rgx)S{e+v;~9#Z*a$ z?HLXA#oR6HR%0&A-#AO;VCE6&UrkG`A3{__2vNsFr8o*c-NWbG>jtoFZ<_7kE@YB! ztX?V|xTMGRAks^9V4C=dR$^GW%}2tf2uLtzw-(Z^1X}eaSw&dllISy-ytpdB!b^y2 z^}MTv#@h(hUT}A&2)voQsgy5lf7Q!1#V;dn3}m4ZH{Yi*ufFdokz71vHl7K~e;wt& zM2l?~*8o|mWBA8{4jInOCdPQrKX(zX{o(bBBfMAsLHfOxg{s;Q02RA%(8_mh>}#PF z=?;JE$4*pOp}$*~CyV_pE}F??*E2lJd83UGcn1ALqKXPyuI>O@yaRq<@=&~}R~;m_ z&YWwWEj$DVdEzK(Cm3r}HNT3eZ>;C_8P2sz`VBn7b=Y4cT9Qe_+kXu&>MMUYb0;rZ z#-+vcm<4KVWh07@fa}cNfTU-pHzXP3z!o`tMPZxg6xbz`{8;&;O-8n;n&`C)yr0Uh zWj&S0m5qbfW!)5{z6YHZM;jVGQKF@#m&r3}k>JLJOP8`X+Zps{nb~VQC%i~?>y_Iu zkXiA^g)ljeBtj4eq77?0bOi`=yPn~JJ%jkP*$dYp1f7-Eu)*wEcZ3s7^^9c2zQtHM z^-76ig17}%I`RZ_&O&6yt3`^7%eTr<>C-)yEsZaTTjXCpJz>|}d-b`k@iHLE0^X0aVD8r8Sg6kfqN|B7Ep&cXypw+@-RxH%A4|~8EI*n<+ zVU}aFFYn?wnMe1YBoro8a-u*iNpaRk+-=x2dsU=kvE`xVhi3%exq~py95A`h_>4w! zJWL|gQA%ywd?b4i82s8k-57Uzr-h7Lj+3i%djb(O&KmjP zj%MZprd3J~L61p+EM&7tacPESi|PI|riG##*xj$5DBA)=T?9nAx9@(-xh|Km>I?~X zgrf&&)?oFeS!MkRiHOJX(d?Iu6x7nDjonXZ+RdG^N!0-40AnAU*G`Q10Ud*iZ>sh) z)0&OBG>q~t$ zbY+;VEbl2$kJX)Y3NHKNll-f?$bWxdALxEwB8E!8jD4!kyFN(i6`qgXXYHNP{wTdS zx^ao-AcD~DW?i*(syC|VCr$CrH@2)Ki?p~V+Xe?Zeh|iCrD(mYCR5nh!TxwoZ&tGJ z8D8JjYbV%m?_CB~`k^x_^tImAuY>2q6_)Y1H^^}Thr2&%EJvhBwkNSR{0-b>+fHb8 zvau_Q{{x0ue}L4dn&J5|+(E?t(j2zOdqOijcya6k&yei5;7}DNT^;)ye6Vz7or;df z-qJQSqZGqjBfkDdd~6&*9(?s~iHs>N$8~}hH@16fbuDkX&f*(M}_4g zm5-RW&_vI;pdGWm8IcM#+(jnfGUmYTDfppyGv89=&W>mUamBDiyT;HMbXeXa1dxAx zZo2FxUwHf>O7^A%wrV&n+N7+evkw!))I7;Cfnn)456Fm~2!`}$XLr`GdcM_+)(d3q zj+kP(9*9z#YCJ+fvspn4)qq}Q7(svy8F<|oKUfWrVJR!9ta#3Ev z5$do%3n|<+yzPDFp8Du;RwKw*+Sw1MZSdKu=DDL;+fu?){*y z=7W~ent-&!tZ7}rs=dPwX+C^3C}e(fA1$KVOkiQyoNidoU=_+a>4}l6fb=jf4i|y$ zmS(QVeiMGXBRpDo-vLp_Xo{mBj1Q3EUDp$@nR5P_IE3;THK2+O1wjeVoRmb;}6stFXmzXJi7O6pxfjirgtn zx0GBWLBIN9KXWl4wZx(>h{$^?4~5>ebai3u=R&InHRB3D!Pke<2x#94_W(%WKyB9j zwM94BWw3CKvho;(N7jqSICKAmQMR|V)TYNA{iYYvcl(nCql$IdX5w>@_ozy->+(s4 z`YG;aL3q1tiJKvbTI{OCmZVlsJ6kq4;nTd5O`s(-Zzks&d%v8PB!JU>kENPRchPH7 z^QMSj>Du+-o#>k>^C}668P!Vm`Slia)tmO8WiC@5n7jX9d4k$n{3*MCz&y$##Qg8y zBu!aty0G%9XWX^1Kld?C>e;~w%Ymz=2U=n1hz#onW~Pu)#fbj^%r13poc|fDd6>q! z3lo0Qi3O7foVNeWD>l}}vhcB4JQ?(7K|HwB(kckJV>eqBy zz13na)S9Z6BHp?xg93*5si<4$uB&uK80+f zg&4KZXajSbH;Z`%lHy*_MttiRnE*meysY`;ZE^1|*u%@>XVm5DUK&~FIg4gs13(@< zeK!zu?1~_2vBQy4GBF|6)Yal3YPLL+Ay6N?0CXZ;%~>uFN}~@`_Zq-RiDpOXa1bB-oyxXvML)F zbAWKpiN&R)du)M6o;YA?|ow^Fxs1g}HD$#G63=+QZjNl*IH}G|}$TpKnv&v{J+iL1e zPi&DIl`>>$s=aBRceDJ20urOdZmGfWn!YKT$AKwLW#Tld>IH}6Ec^o}0|y)RW>(dB zsz70?J@FJ17uI6pB2kBUM{G0vMLqkbDF(gA{CdIWIF|7by!DrK!>X0 zyJ};*8G_mqY+ojgDe@*K+a%RisOQI#IoLS_VU(9teeg!soQ~rAzbl2 zn_5HIYx%>wZ)rbM#d|_pUrbyZiSgQ)P=R|{a72OL>E!vJANnwfJ7#05r1+sn+KU~1 zhzY^Cc=^43dJp1CJypK2xiz_5sKXdvNiA(jP_`(GSeJ4R3jTa|C+v%^lDe3l#2bB< z$&3WTsfJzt@8;17G8NQwOmhzfsV|ngpB+hbUSpd&EATr%|F`RJj$q|epNt8NyvwA! zGv=OW%aKFwhUyV<^?D??;x?-kQ4~X5GGpi-n<9f8!4SH8p0QB=&mjp zsJN$G4BfN%cy{IrVe2i?C#j0q$gB;A*7c@Tr!KDZF3O+F&c+w1oq}cWIWvV*E>#on zb#gyI&4P?LN6d{bxFB;DVIlQMO!IQlHsV~IN^PQ}{-+q0trAGM&EM%s#*ZxhXX=DW zn-?kF&$HYG-(+>+w|za;ajaX@8$av{?{}bkxT)?Es6n(Wrnl!Q85&%tHfI)!2md*1FbN_ z-Z^dTl4nZOUb2mJf={LK{SaojjAOwlE%ti#JcV9Oe~wS>Lpw?M3)4s5FaU5MZhN7N zbeKeaQw(~ZJ_f0ie5R>WKGi2NCIKlL)ai83;pebGYn1YCGDxMQ0=})=d_p!NjcM)u z#6a4I0C?ZjC8TxZCE8H;lip$Z+r9&F#ckM~n;2w>{Kgzx4Ri>yF+-W<>FCOdR_q+O zH&=X--6lOygXc+-@*H~vKaLpF0@i8$q`$Aa6!yuqo_n##w=VzhbhB=1eeCAv&QwZ> z(&;1DKkA9!_5NlwZzn`9;s&gyRE{zi^cdeNrTt#_nfmQe^q>5lW2vxzQ^q28Op>G6 zya%Ialy{Qy_$vd?v*mzRbIS)Z8Qj&1$2_IUIK5 z0AI1ca)v>-z^n6m=M=Ouj{c;id`_V$2&fBX^1 z**Pd7fv`VzSfwf<19KrK`4(chP92H<(Ssb>aaIc$kMh3vx9tZb3eYb!CG4Z5p%79N z!D%a?SXtt`w|6Vw85F_J*j+l>LB=Oz`wfkI8KnSvRfKisL?|b_dvvGq2PuwW<&6E% z$!#KkwR-QKP(p|F=~z80rzLi7QVddll0=t)CDYNC+v_lnREJt6k)i`ze7`=9!n*k0+qn;qATvPFI;0w z7RQ5IttZ=6R8f^s{7_Phu-ICVgPnLz8ML3ptc#1G4DB{RuGitT5~O+qI{a*S1>ma( z+^Gxx$ONrU@Z#W|CTBFq%S-g=M{z%C2w%B+qsEtiA9PW@e}IiZJ~M=HUC_#l!NDjE z%lA@dUq@f&+08=j_)PTYi7R989+6uo!+o2xIfdTGv-fYThmSfAFWnhPk@WL9aFf~9 zpQxpl_gx1FwfbKh=p;%d*eLG;J;ybp#BPYxq>pGfN%5*D_MXa+Vp`GIC;;Vue2@d9 zX~8ejb58y^q%sd#tJ$=LOW@(Tv76F3?5YD|v?u^67n8&OVgn zaVTl1z)7*-fEDa?NxLzY483!MFGa*1R5Q6iuK;^JZ;4+UOu0Smpp{c=>vjC90aH-L zZT(v|mj;W)gaQooJq|^%TI-|yO3z~OgNj-WQ1~a2JaV-bZFPR4F`_=@Z;k1Dn0X)#%w-`Wl2YSc#4fMVC$F1BR&4b z9Qhc%7}U|_y!gfIRC)tJZM8?uD1I3y&7oDii-ygN#EnqX2hToMvlq&X@hN@o_r>|} zugdR1$l6SENH^Ai_GFI#k{+c&>)*K8WaM=( z?bE=nr8?um0)%8i`bop$(a)7b`!JoO6U)6z?K-oZ(nZCkuR>nG7l)ed#ao`Y(V1>$ z<8#A!NGn3L;EyF}J8}NXiB+lvTsTfz1t*CdJ)URsBJ>s(seV^?{lcTXe}nQ{$v{8e zu!4Iio*T1?&ouC@dA-{eZsf5M={V>MZ)SL#stlc*K+`^dbne9Q;ylJgqswrVgLBoK z{AIRH`R&o{=Lejli}e7mqey~NU}J1_(NlG1iRiW2tn2Y*9jFL0?o z+MQb2f9Q8<{|!pv#lthI{Q?&)XXppH0ATG+pY{#Mb0WfSQAV$+i}iM_;#rI7cJ;6p=M=*7hCVY19#r-F zhI1r^`q${9>xnz0B^OqzuO3)5&6fpJ!?9YJj!mtco(lAA3&uz*JgWE8b95MLw7`Av-M#birF*Aw_sCuHUcF(Ju zGBGWb?WW6Bq2WF*J?6YIzulBp6jb_q1MW`XPa5spWu5-ric9-STG9WzF_*q)`0B>N z<}6{U;^2PrV%OULVm24NI?|YAyLfBwhWS5izwW7D+{A(3aYl5H+y=>WM=AjZ_?c^G z{?KX@T2H)xdSGfzQ2~AV^(n{q`9N3F?5Z0>ry0y-U}fYPP4^>lDqb1HVLhbGrRZ$o z{}kNjXANrBgkMXBEw>f0vD zB;eO&u@3nh&fMsTeFWS=q}54OXvAV=f1(w2(Gm^G?$x*W4!<>h%SA-q@FHpJ1wE#I zHd1Cdj^!o1xv>8(6TwT=C<`@UA5*UR>|TxJt_i~%QDbGWiDL24_Xcd%eHLkLn=}$o zSk0Egp7Tz0se>ZGA+YvG+StxRf7kYFJP`S{qonug(O`Uf%{qbA%q<321shg==M|jl z;(U6`cTz`*bRP1^*XCi^u2+fCPPtGYko@SAxWk|YP_ZtCf(++II3(1@-{5bqI%{AB zb?A3a_$q(T9Bj2M#UjC(gRzc7uAR<%vo&JgQaEAvj&B;x*3vV_ zY3sSOsoYV;7f+L1DvFCQD1SowF_){X@0BY*!CAWc`i!`#5%xWH$UdtmIk9CuV|RZ| zlTo_i?}JgNSx@$fO|N5YI9K?qHC3p*fKr{$#x^+lJXOd8fGT?q(E1GKMV%v_^@&?R z;TS+A7fy6g9xflp=(Q1iJ=L0mNLdOAy|Wc>8sQU51H`lw+9`Ppm-wR$OM7n;j6eaL zU|r)#==V@yOfa@yVA}<}xxWPar28Yi5n1*&*!kVcB+K2hF0H9X>*f47q$O=lBQ`-K z$Hm?V+Smkbe)rWI+mUCa39#U{tksT5dhw4T*`t0On5?o{`W83HalOP_Eb+Tcnsk$U z`SrM7IBz&cloy5(?_*h{urBeZ-~!tmthHHK5|$sB*ucar(jAqB$P1sZm3Q5L;%}5y zP#DEA<$C?9iEM>&V!GK|7U{Q?(aLtiBMvkFr|BT03tC+)Fh!y$>u6A+5ZaKTJi_e7 zZ%Udl>R$RKx?-5LiGG;qHcr0X{D{NoBr;f%BlXTAh7VMrp1}&Jq8Rw!=BN9bhKud) z5B`@W<`Ts)?~~w5Ym+1YhW}Gr6LZ4ZqJJ!RAD(E=DpG`~s!MInm$rFbnYn+KMO7;1$iZuK2pQwMm1NP8r__7V_PDpk`4@QZ9?Qu3S z9Qsg2zz|hA!Epe$Ji}LIr%f>UgN2%x_yaC8 zrJ(c?xevZ728|cl#5qo4hFYMqelvN45W#>;YCp^-XD&4uiTKIkk!V}&dRFiCdN)a1 zYx|!xj3>W--RbhbbhhUgl6~h@rc#eXS9V*Xw3A#C4sn^q*c|&6L9_K*bnrGqn(8W| zbF$Z?9ru0?ar3Jnsjx)uiwf{gQVA=C@4N(jLNSxWwqx5uBfmwlj!CG`$uxZXWaA6@ zT@f{HE7IVmbK4R-@9-SAlXlKj=n)B|e#{=eMmo%oFI4bHeiM%Ww#yArJ5R`Fq};rO z)ZdH$sC^!LYZa)L=a@~!a>(D-nmBtQPneAA=C|$&&d#czG={2mZG=O$Z9k@z zA)I7dijtu4vwx~(1(QL~G=;$bhlX-+R_W5HWpq))&jzkvTXBs!z_;2XeeHe834GhhZ< z%@O@E6tdSov;9hHwyf=gUckIwpVzB#TFh<02=FEZ zuxHE56Fup6ZkPgez&FGDvJ_wA;oGRts$?>+d{9+YE_pF)pJbg7@;ED{RgQ&HX8o8f zwE42%Yns@}IjtTT-ExbnZV z+=gr}*vkxx-Z>!6C|J*L8*9{>r zW0N+NeBpqxnz7&H+oeBp9EB9}e>f{Vzk9$)W1CwL2&<#$tIIA3;zG7~)t?lcwKVq% z+L9sw^I$a&$oSc2!@ImFkLlwKdtuLF*Se9x4{Hv-c9OL_9+tivQ_imv7&f+gjqJ0}Lohj*9oei_P4aW#sZ9ZYvj6_qz z%5uBuzfSz8;Q^}M{goy7f8ILYU%fm}`nndrsl))UPS+mrz%95(-+4R8`ka&AHmS@W zVA`_WCM8;s{#aW)fUuw(Fnp+G{}zS`N=|NGeXc)#;PngpJ)ym**ftZM{aO`?<~Nn@=h` z{)vX7ZztzE$#Et2&guIBSR(K!8*8*UP~~j@^1Nnt0@P@AMEdf+Sx$CS9U)rVlYON1N?EXx7>6BOfTgdx5{AyQmR1H?zXD#~R756xLWQTsl&^_j@>*~0 z-K;ugJPNZwtC~I&Y#y8-P2Xyl#Sdm(i#VPkdVRk6fufuWqU4H#LjSuRqW6m;SK*@F z^rcBoPZ|k9dx^WbLpj9W>9g%U*;>n+3ZRkCpxfMovx%89a|4IA9u7n~E;3dSTRlSl z#?u)6xICpo!UfzSyQ9eoOKCk$z^_FbWmwT*ZmlsRgZW4rM1 zBmi{xU??aNDkay#R$gHGk4$ZPEpwNFyhS-m$x4o!O4jT#lyuTuJjx0EFSEzZo>U*U~{8_oM z_ZwQ>+5O8rrR8zj7n(1)8YnWuUR}3%+~<{~;#I28Q%0%i(S={R z^S(X#g#yBb&8KA>E9$LsF}s}|AUg$& zTB$De7(Z=(aNbOa2R+~4PcSsu*h&y7r)rTWM@s@aa7i;sig(^7$g z`WjDIO+^q(t5J-~Q^j|!>w)xM&yeG=i-;`Z1YeqSn!nwvtkSqPtARYfG$oXdr$ksO z6bRNrhj4O&+v3{{=jsuibu6sOR4i+3fsm#=1eH)igs~uuU&F}XuZblEdPKfe>;ck! zmR1p5m4-w-ujSMkq+@tKp3*2IN6lDT+$!Nx?fXf?^UrjIz32*^3)~}*2hAEh544m- zHyY%Ky{r)A10m$OSc*leQ*o0_xMW5_vs+4%&=N0fhZcWIzjb`fEkvy6ATqXak7rx6 zBxrX!G~6tqSe`|<32zR8u$)ydW-{u{3>A<9mi@N!y<^RpXOc4jl_0mZ#vfZ)bal)25w|s9V|2P>!^ZHz>?&`Czc; zvgGjzb>6nHzeU@Csrf1sx~Qgbz3iOWJ*TTo4ig-g`Gl@(8v9K@qYFLvY`^9=`hRAW zv04k|VtrF*Z{L(N|1VnvsGEKKrRTIiQM4>8P^dssZ~Y%9BKdm>O8%Ggmgn6|)&H?p z8FT#?_R622WW9CzSMH%~2uBN8pDYR5^DEMMzWzu(s_n0Xe~iIN^f;Y0-QSC&5ug?hb(i>CM} z>UOAN&}myr8AU=hxX0{r>c6Yl_iT=bj(bcO%EC2aY|dH?O%sru|fMbh!^9(n;Sz?Fh`iZy8>Sp{GbK zYn$mzvzPybhS|TRDX^sHSlgx;4VbkHCCVGFqWlwzw|Q94ECB1iyi!pgY_yH}=!1)9 z|Hd9>k2p?YU|jp`i9}cnLXRC^w}G6QY3G&T#NwJV||N=_+|{ z2VQaQn3V$fLz07$n?u5tCf_gCD?JCeWn0C56aq8+F2z_yX^HqaUQ+FN znJmw$ltVpYXy(7_<$X&8I_Th%DW$Wizgw8Bn`{EogfG|HwOqaeGaHgqqRW2L6PcXl z-scsNm3>2xB|ACr3WD0|LUpR2)F#KN%9fU=eSrnUb0w;!CYT!IyruIu;55jI3TIX2 z`KQ(orsEyt!b;In#pvSTftHaW&H81Elz72ON%j)viCA~7oD90LH%M;d)DMJ z?O_YfJgwV!kaJv$uhV?vy1PQ{Ms8Cc@ML6b(2FixDH#>{UGu99K2&50mu{cF8Ug<{ zE(6RexiExx8IlhJ3;5Gpq^`C)yST*NS!7>WAa!4Mqgd`-#g4ybr?pqL^3M5 zYMY+}sU`R4S+De-$Yl7a!_&F_SM^`Vfr;BA{k^)HwSCT)zsvkGVn`?~S zH#fTM7brLR!v57aB-fqvq>Xe~BZ=9HijN4KZCDj;r|=K8caE?p0f8Ck(9+#-A#1awttk3`#vL-(O1*e~KZW2PsPmcCq6$Q}u4- zBwV~)e9ZWPvMh(|htD1W}n;z1{zJImVbP_99Tz`fnXR8Fy!d0vIdTh<&<>=SgOjHQzKfkml8zpAw)CJ z)T2(@%n|$l>;dcB=M8TEI7p~tu>($vkbm~BJdsHvvaBrCRC-GJW72~_gB(Z=tM4Ox z1GIumgyA|lYS#8ENCyJCQYkkc>)weQm}6&d3PK-4+? zp~aazNMg5rAKw!dwjp^7@+s2SwbNnQZn%KdX|D)6sUD2-Smhq=t6M6_YDr5g^OgiJ zM2@IP`*&DdIjnOd)-y?=A5H6bWy=Qb%4SbjikQ>)LuYg+a|;hqCY{DMygX}(E&X50 zQ>R8|^t{B;bX$H-)2ndta)l}vqRqZB8W5PlqR(*xVL&)7Z7-|Ck3K{9>77$>tqV1t zLC{GIJa#8N8#Nce$u@Dg{uFPM!j0C?o%h%DRb)A zSjtiN_%Dbae+IoXA(k2q{D@@<_sEk!2TWQYyfYqpFgvc(e;K73yY;k|=XjlmIQ9?* zN*iO7+_7~XdC+gnTz86LF%<1F&ERQnH+U_up)$DbOkC8@U5&aO{CSe-Qnr=cN9*`CU>&eCKUT@cWG6IbKzmR(^Hpn#nxS-!Ajrk+KK z$0Hrcnj(>cF{agXQoNb9PadYTx-Abf3oI^S3MEmu%1IeMd4yA51INh&itNM0KirvU@%Dgiz3?2e zbo!({m=Da{Q|Bt=_J(qAkC+Wom^o^WlD&@CVdKoCZBp=B$r*00%n`C8d7}y!C#B@; zyrc>wxu(l%EZO*scpK&{@kS-gJ(|oaLC*$Z`K-kF)_598L9maVSp>fXtxmw}a0`-$ zm9rc-+VN;HQ8MWHY%+w+9c$!kO5Lc=uGo8o@QXC?@J)(alQk{3B+ryUQ2dF7 zINmjHFSiU$dc-G_r6ey`&2-)F@+XVSEg4a2yivx!s+I|P*zJefpfB7BidiZb;e(oKa>#lE^lP~Ns|yf zaKWt4g!PO`P?LkT%Qv8}myB}VM?0OSN_BoVJLF+OgKPFqZc?xO?6zZ0J?s@cnE9(? z@oeZ1-pR1BZ>q`$GVKYL`ZL3C2ri^@tdbos1TsC#a*LbMfb1UAb#&JK-Ynzk5;bBb>|0>LN0VnveW0n=V zryLg-&@mvRj4|Xrw34LM9)JSm+Ku33UBk-}1GZk#bcXU+`C%6GodVO=)1%y7q__O2 zmxh+Tv>F3#viHgYybuoXq6T5fK%XSJnO^a`NWm6kETSytg}h7%Bq|Jwf@0c9Cga7)9U*7&bo^>W!$F<$*!%|GOI$GKYn zs{CI80-OwQjpD9=*GlgFN=gl1JdwW!xBzK1x~yMRlr4te8*zp}!jEz^MGZpEXaVMH zWG}PSeIx4DxqWE}U9Kg_XD(jvV}5UssF12ppmwu8v}yj585caiZD|tenZCa+Z^MSP zY5rWwQT>FgLDNwXVw3aJXCWBYg}J^pGU zB?(hX&X*0gO&NkPoWeQ zLi_iQ)KA>{B^$kE{hN^&ez4%VglbmZtu#$95r6@&ehgv9p*Y-&r<+ex^OVF$(gL1I zBjqCShn4XniX4|=+c?H7S3F(=nV2rBf3Nf+?tx2yCfyIqyTjb+Q$`UC&8h+fFuMw- zMUuGrIwh4b8X(>GZt?9}Isjt`=P0d8&U(VnxEGy#PXIhsmkTPVPJh8q~J%DqKw*9h9&sk5#(E{ zwwP)9f|s;<0dQ=8i92~D|yd4^tk!xQ~O1CTK>7v6PmGL9ZXaW@-9^I66oVy zKP<@R`|-3|;tN+Wv+~HU1~!e}L~za8s^OKbTl8P`P#^vn|TuQ zwqtC|*6=Sv>gq-%37P-Y-6nqKSoEI^mAl9HiuGgSCBysWXQrDrPDlK8;y(!wM(A@z z(_c%O0VYx!L1hOl75b-URsRzcwEsCj1%M*Buj~Cndi`<^X8wHZV-b*xq2Ry zr2sZ~6v;jcymtPCRSi3y{eAgBQBmnZ>RfMsg(&lsNoxO_C3*R`i`Yc`TOfOhV(8B9 zG<(uZ{(RbVC8KeAZFTM#P|nT)qNmNZ);p)`0w znJcwAZA}ACzQWu{NbQ!-eeO4Cw?(v_LwKxzKK~kg~9PfQcF#yLT|JykvL}vw-MuUOD)WZ2HC~|5pE+WJ+w-& zk+qrr$lfv$3)9sGy7+{3FZSw$8+G$rw-aHVBF4IThe5M8rjU3lxrZo#xW&}bh&m%F z6yL1UI#b8v8RV&ctS|Xtnzs5Cr+^A=nBaL(IlVz{#1!|z?6GI+d)QT9wBj#bT$=D&ebcwtA1Bbb(D|c zSbQuPk?TIX(&HaSdr&V>qf0zj^|@T3608hNoQgEIt`XdCAfA@Rl5SHXz}Dix~&7avc|Y+hPR;XKk+7TNK%_&5SO|7S7mqEXH3XspJV% zqjSt+`wi2bsFaSWo8qr*{LaikHd)U-+x(6m`j)NxFMCgQF3iZn3Zm+jJw_9&o7H?H zh}I&P-m9*T>M?gI;HO=e3Y2w^_`k6I7=`}ek5-)()pWPfPKIQ;T&li` z5qw5HAE>VA30AH+7NsY>(xZ8dR;1P~tVc2~%(C||@kKo6>_=B6w+dg9o};N7GL5K( zKd6)uk%vMjr8WlQ@y3b5YU}!P=%6B31I<(IVa*e1^3E~H*Wja4qImq+bF#p^;69*m z8U-bZnY?wsCTa=A6218gs6gL`tM&S zY;PD;@Y>TsgMG`%jRU8FFsCkTPhK&lg(tB|-viBLH{7jaSl?|l!CV|EItW*LUAiLD zo;x;v&2ZE z%j4Wg1e;<(;Tfhk=VyS)>LIb%X&%(G4CX!eYMe9Cpl~+N4G6r`yr2<-12+#PfFv}5+fci zo_QzvpVfgdn>i7TFqMaqK(GK)FDCq;+`Y%v`}(po&{z)f}ek zMM}wu9n1;}#J^n;6DVz*_P;@Dyc;aOtNH6t|MeI3RFm^D%WE5td9ERgmNGyM3X@kqbV6$)%aOaKYOC~ zk$skEL$|Y+?g=0sOC`)3!~xU%YYFgy^7sn%EY4^cOvd5)RmmL_x{)85Oldo3&7a}{ z%J`WE3KFq@hQN6WUK^i>&Mb?5G!bpOL%I;7{t}uaq24)PJ+NVxvMil&d87f$IM3XL zE4Q>wEs1-*DKcTTbkXD|GD|bghkaa8m1?cYjs+R_uxuQ9Anm|jOP9DGs<}MZ z*KtC;yLdHu)}l)@9!3pUtXUAJjoI>Q6$kO8AfpnTu-c81I0>CAL>WhaAGCs|nNO`i zxg@oRD;gej%UYiWldT$(2W_EW;J{2K+C6crPj#ImopN{w*-?~c3=!jHKv!ki-$6+~ zaV1$?5r_+1j;kIjeI*c$Rf-xSN=#!JJb_wG5N~_-gW{`mLR1I%m_61BMMgOu5nEDYi`AL-lQ0p*}Z$VAkz_Y;`dMp9*z@>5^ zv0CX<**iIrq=Kg45+(C;K2XpQ!prP}=y)4PGcAD@oR}l?(axdSXigib`qXewGyEhl zXr3!IL@7yv7~%)Pg;rL7TM7 z<~5q|WjQ7T-3g8$a$meA;QMG+iNP$zd>QVSThC#d%D@}O_riKz550uvX@B!fy(xohPxBOqhpd|Is zWkh%^W>n4Y+ty_Rjh7t8YnKj(DrjdGnhjTY+3c?P-@`-mRLjS$Z`&XKH}LxZeiP{b zaVf&?A^(=G@Q)LG{1c#@R**Y$moH#pYq$Lf0tYX)Lt_8L&mB5}0Atl0Ekrq17N3cx z?3Vv07{r-4p8jRAAT+aZ|JO+#Tlrsy+`N1AmGyrFJ)cp%$tMqNp325w_6Hv-p*bGTtnm3xK~>Ig1K_^*X0J)Sa`^u4hf`rqm^bZWaTpoQ4@jeb zhF|*A0FiA#w{z%c#MU-o&CM#o&)Soca7Kvi>z?Io6ca}2uW$V@w{BT4Vx*Z=-knFR zZgP{|p@80xJE!tu?Z!6XgXW@Bix=l((7KwU9ZiK0kU6lEN*$PgN`mg(Khu+C7O{L| zQOPmv4c)7@0sE&<9_88$=pG{r=(D1|!y9ZF z-5$jphzFalq`0#Q7TCPp1|0o!1>!b5q6?kl= zEaNGxbQ1RfL}l?+-cVWh*4aPPVQxWQUZq!UYyuij!m_1M=Ys0gUkKi(DMnX zc2iUWf0REoIe`i6u?^7q?Rx5F4Y{9t$d++$ekDtXb7H#S%EvCs|Qfmc`TFgeAl;Q(`5w3LqnatThQp-lXa@3mJJG{SVIX z1g`AY;Z@l=96nWaNQ|KAI{U~D)sM7AJBBmYW)#1Z9o;Qr0{60#3%mWGVl5*Xb{ejS zOV7D!St%*g3&|B^^WJp0iJ2@bPVghw3;53;jaYf}Q|R=LYxi3jqd5A)N=Hm}g4Rq~ zdK8LU(G_#tXdK^~ZXvRY3xx)7NY@E&@VMhUTyLP5<}2XQ;x#Bm%5pl#>cww(ihtIa zbm>0$b{l{=unEa#?LVJG8-uvFuJZ8X6F5{jg=xkoV>yLPu9t)Kbo~g?>GjL&-PHRB z(+ai$1Mf?oC4CCtiFeup9vC@o8|8QAXAy04v+fHL#$ysqE!nK&)>AexIL~;a!ohT) zIIkA^gH_u5l|FzEx>LN=!#%g(*D{D~3Y1r-79J)X>L>F*hRM<3-3sb#f+80`D}Q1? zd{HDJd*_BvUh1)!(c*dr=Nw6D;58iX`kKHE>31q0HW;oiM@*h1>*&8TPOrx@^_(p=PD-;k(n=RI zMzvR=S;ci6)H+#*`XXf*3%hvxPpAv-xW;b-{@j3i$B60r%MU(ZwgC$-j=RUqKlJOo z8RV`yS7D$Rgbq`zr+P?>1Q*v{aLK`M9Hd_vj^_E*yy+{vSlZekgPb_parn(3K3AzU z?8^+0aE)ure*MsR0`WoUp<;IF5zbM>b$C&Nnm z>$gfX;lWJG7{cXvUDv7#)-i6UOi;|Bs|Y%Y!CqWC=`!C=?=58zH6dG(*ub?@m$~9m%7If{ z{H#K)PkP@Vi8oRnAD=z>{e@UK)>BqAGhgp}8xc)nsd@csx9uYE4@KZy$Q|Gjdm@UC xs~qA|JM*C{R2J$<`=nU4*l@9Q;9L@Hx4VnO58MR&c*MNcxnvL|kPh5__-|{d=-U7Q diff --git a/src/windows/leash/htmlhelp/Images/Leash_properties_krb_2.jpg b/src/windows/leash/htmlhelp/Images/Leash_properties_krb_2.jpg deleted file mode 100644 index 871cabb5c1a32aa3207792eac2136c5a6ef52b2a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 50291 zcmd?R1zc2JyEr-^APn6h4Fk;3ogxf9^uW-FbVy4G3MdlNFmy@{FhfYEA|YMUt%S4% zhzg=y@O#7e``-79^FRM{?)}}pHk%dCdR9F>d**EJYz06DQ`JxfU}0eaZl5Q>*&;v* za0wgx;y%A{&Tm|NTwEL+T;S!)c=$v>A|gT{At5md1sO33ISC;l84VdZB^5O_H4!N- z9Ss#71r;^b1rn@F=Y4Q+32<=|2nrbvlt>pxug_nS z@WK9vL^roo{nP-~vm{O=XjUI<3=?yGwu-ivb-167HkU9*GZ_MN0e_#6GKt)Y@oxhC znn38a`PjN_j6IFZlHA9(8Ici}94QXf;VB6|>d6~JK@5Ie-<;i7>uWq|X#n z;`m%n*Zw%jLGsbIhUXbTwjipm()h}?7FFg?Xa_+9cWLh@ESfdhYu`vsTNET5Lyx$t!VgNB6GslU>n`biOf!}Wyh(WALHAN5(0t_1Ub(gO7OMJM$&t=Y zu8Y2@m5<~E-s2y1E+^E^o{Vf#owck zYF^HhIb!Jbh=2d2ZssVYdx!{Z0)+{AkpjvYeaLpnAmFS1R{*qg0E$Wa05rD_si9w7dq-Uwac6gU|8xJw5#a@1vJnDF!nQ8C>R(x4CBn(Zr~4FF~Nqv5-x<|MwK4E?|&Y)BQF8dQv|8-C!!u>O*_@ z=e}OeJweG$(>>qQy(s36gP^qBy*&Ti1c&4yH1m^iyMBEUauJpZ6Nj+uKdwnhOel-~ zLF8PTn!L@6>h+H^hCb{0<)CE1>L*ZASI!n)RuUw_^QviTyoKs~SVS+9&q0^|p8UdI3X(FW~wk zd610|1qY8XoVN4L1MQ$$q8o=d!i9cLk)QN+oZQJzM;=|D0KYlb{7P0bTy-DJu6IHF1f1sUHaH^q*p zuai8AZMnWFYx~6WDdp%lO3BYmH7o0eyi2dY1|0Rexy8%cW?OO8k8Ms??hhP|=3nf2 zi_R+P?ATOmrvS^|K?6>miU~V>fv1%XxNhGv!l_mV?X(& z(yvT9Ej~5cXGC}7{ZxKCk6<+6TIiR5m7%f6Xm`E)kif?@_wlWcxj|1eTNYi$dTzK0 zZDCPhM<_&dLQy36UTEtpZ^3!%<3pAkzb_VW!LI+ngHh#kNq2$+%Hrj+-%l6Gb){GH za>pL+ucu$N2rvw;70GqS=t`9Dy4@TsJSx6-?>aZMrNMa$sed+z(1H3%IOg@S=3&^5{$L|HwCAM&4P8i?S@=cml`i;k|^e_t-(n--PJz~$qV zIbP_f`hS{D2$g-p*_V8wwPIuo*XQj1wwSd~&C!12&;1TIW@sm1By(LJr=Q13r+~Rh z1y^S9JxsMh!82cuWu7J7eZKqMF0h&E^2Nr(cy5B@V&k5>7C#L63oz_+Cj*NTkAjLrjGUT=OjtyeRa}8hNKXQ!bZ)uhpWE|T zxY+7(I+5zD6H-3$OdS7v8NFeW%Czo^Kp0peRzC|houk}UyTw@~8fgGV=JueX2kQ#7 zIbTFK`7JMu(fVp|O=_pBB8efZ^+l2neCJ@Il}T)z$Y;y+uhr{KWwAS|`3V2RhxB%A z1aie2<0Adse()VXs=rYRH0;gqX@HdQkIZAZdYAcVAZrzo-FhcHkEfhS=558$60h+j zXZMz>M^7FXYeDYt^M+0x_4!Rk?|RKQ?E5FZU7Ga8hPGiGAC;8FE^eq8$A9JK;xR0h zi+)&UR_N?{BNr_-JNhxOg{>UP@Fx$dTkQIO-tuSA|BZE|Ya?8b<2V_h+r~XQL_4p! z>59=k$%I@qT6`I%LbcX*T?66&SBsZH2CUC5GIS)*0FehM_Ji<{C~}RKO>@?O%(b2< zQ-=CDdufG$Ms!I$y9Z2==lUzmb-9M;L{4;T*p;diZ*#MfhsU5coHSmq<~};@bED4y z9PNCLdo{FNlyOkQ{`r4z4LB=|5zP{DF72eEkvCWUb&1x5jrr|9^m&?Yk`B-FU32xr zIFT|O-B2frTUN{zqgUw%TV1K76Yu77hgu&-jQH&SG;ZwUHdHYsvUtxmj%!>$OSDY- zuCYV;C#l#fh=p=!Jo$4zV^LGp_ta+2<@U1ca#32D>gklc&mn^W)R7_f<8RP(vbUnl z3wb4$MI>|i>qZ;c%x$QsJuDP@@9&`=m&#>f(SI~D%ebGaq0#Fr+75xMCWJc*_`|HE zZgLnqzmlqG0LDnGSQ2j0jtb_mP!(rGq^>&OT{m*cJAU4cGKdTQ+*DwpVmMxLV#onj zv5X7y1wD5Vew@Rgit@d?GWRe{)D+m}cHY7D^C&Z45C=6;9iPfT*gEgKI@zj4Xw@*P zYoMf89$3LBePj3W&F}#ujn&p-LabD&Sh*b7JI_jsR$nq-OK$Qrz_1y8cYZyVg}8Mj z&xqr`*_J@{ahlH|aC%%f(y)GuglV$A`lSCwqV$y~HoiJe{?1QI=u!BwGOdr9B~Y)Z zjUs|@LD&si2gLJPlcbo!*u|<|Nae>jjL%!WA6Q5ll)NLJEM{H9^baY>=+m1tfe;S# zv>t$(92k2t=jJngsi-C4+w)U}zVVg>bUxI|Z{X5SCMuLF^@NQ(65a2Vl@&AO%;Uk!Mst zr|9=0tHr|>7$#-r$m;@27vx}Q2`D*k!$ ztH%>Q;C$wkP|@8YNnm43|Gc=Za9|C`U4?quHodrO2iE?4?{&8R^$86n73PenTcxiD znY?X8FevU^xmy;hKIxv{)THi^wRtKWQan~pePmfP`y5kXNGlp~oI?Lgx@+ zJ-lFDk@i()>4L1>!Nk~UeG`ZBX3k5T!_yeo#J80gLpC$Xt2a#P;^vE|P~8u9HKAcAeb<$M?Z+)1_t-VNO$QMB_C(kr^qszw(u{s^JUL%#Sz&htbT$S&^d3 zu`wCF??%-lqKef^o_nkNIj8s0MR(OTExssXR}^EL3UjE<&CEAr!>n>fM~B3;Lmu6T zIbQp*P)&sIfV;KE-@hk-e4t@o?Og^a)EP(3SO%%-0l^=a}&DIZ8hI znx)pAo7pVP`PZo>`g_@z&4LkMpK`2^aC$K3n~^;P(HRYv?>-P!AGm#VIYH0a>}Co- zzK0U4W9|2=itAG(X7x_5`^Q^CxbGt5JAdCQsie;zpHE2!+&UCZT^b}9n+}v#G@Ob@ zxx5%|^FxyEJog}0`vo(z2)fgP2uTD47*-T}^{I40$h8eL_yqz)BM55F~` zV8N>o>zp|(_?n7zzmXQBb=7XgVCL~#xZRn81-@W{LIt-Twg~0e2X)DL?q909+btx6 zU*>2fqt;lI1i8OdJuFJpITBcENGVx_oO-*iVaQQO)M<7EGGp}^eCA)wuBMO~aicOY zsoN*FIGUhQOQq1~wJ1@ykPkFxL#w#VCF<*_b%q0}I)cb(hwRnA-gYQP`LpWw@|7YV z_qg#^$-m0hd;N9WPn{9s2=${~uV1%zrCjgh?d&WVN;-h+b}I8UOB5l`X_f9$)|zXW z66N^9!!^US3I|R{zKxH_=RWI{O-_65Y4=^P4>UIm5QeV&^ng6&k=ZJQG`p<6{%-WH zM%KYeX~=bdPpslAP)|Y^Eg9CMTwtt|hoZ=rACwo=q4EEG}VF0kJz~ zYyA!i4!6JU~8cAodKiQ8^^YdhMbGm}_YearlNK@b z_Wes$EctVNdgvF?)UXgVv()cQ$E4FB*UBYkFt>%iO#HHBTr~lr7SD_*H>$eQU$q;% zkz{v7xA}INv&b)jvV@sq;z>O}A@s#h4~jDY7~Jpak_1F0?)AvXnn~O)^l?A37nF5c zK1ZfuG}xlQ=QzOgz_D>21xn|O(pQLHHYE^9@PO01Fu>j8u9s=cPN#ULq`79Ioy=&$ z3!KadLQ+EIej}K3vDN;5TW!Z6@qKjZ{5Sk>Y(Fo6@s(#(OvQt9_V=fX;iO}Y&;C_J zTvd1nrcoDCWD?;e?~+dv_D!^1pJH$boU6~0G2j0c9}BZH#}C0E2+X##C3mm9%1k!Y zzQ22!Y`b0sUZVn(;57{5Jhb26C1uXP!x$F8kdJh`Mircxz^HP%e{R3TK5kZv_h`0$ zHW@W|MVkpWU0jzsyuu_LYIT(s>{AMR8x8hFusC*cuvYDg+M$#40!c`B3G(XVre zeERf4l<<+FuS*ZU+fY0Mc#?k5!U!j%YxpF_di!hRBs?o_seh;ANF?;eBDsm=8O}e9 zugK{)9uRS3^Qi&+YVA;zA<0I>InR^aoW5ql8NVPXG|YQFf1B$Txk#z5VQ{K6$+_4` zjAFuep#LE`Xo#~b_;NM0x`l?B6HC#Q5Fb)9nXL=Cvk$}AyC)HU;rJMKd+m2Qb?Xce z{&(#7cSQ=6Q*=&vlrIOu;L1OjBgTR)ekq2P z8*r7fvL?A!61Be91-@HL6m)IwjwDnQH&r{-0re1s50aKco+UKA8p(~W=7FZudsk*#;)Oua?TQ>-6`%D3Onnn)pAJt|7ab&B*VyMQR5oHl$$_4E(&WaKlExI80Tl_A}>T#8&8W_L7Snu5pX5N+L(fk*$gNeT4gW zjX;h*@?Wh)^7Wh&bkkpH%3rl1CBJ%B&OO6;_;2L(chvT$MY2rbAI|LzfYwp_^oPOE zjgg#$H)`?h-*3kx6Z9G{kztaq{u9;x>xB4uY~TGe75^)oq#|LG@UI&D4De~~*Kza* zxyt|Eje64M#*$6WhAv*9H(#TwC*8l~$62vwH>A<%U^!F9m z5Iq)!X1n7I^{SQR<;pJqjTyD4IKL@WQcIEHcWrLKHj#8fu57w5kZR8g!~k@4oollh z-k{eUV5jdDuC>}{Z-FVoF}xyUQrS_8vPiq zQAckyA%=Nf_`M?%5_SfN_=74sr+jUfiQ;tE^3=S>yT}-(PNKTVcMKS{dS|@2jE|Ym zV&n9)`-swb>sYh>r&X4jOmf|K7NvH<>Wdx}2?*NDmR-8EiLPn{A2Q@Bs26&OZ5FA-ft9-Y|X87uOnuEf7;L!>H+<-jXT{p#) zlA@BO%{^PKit$Myc?R$+8(lTyOVp0-CjLflD+i%)X#?! zan|}MgX^CNWpzWj6U6yNV z_C+5g|TN|>Pp+N<sLJZ?NAF|5 zgNho4v?8wAiIbimW@OxH!XC8W#GFfC`seK=)*8nbfs z0VpzwPcF*(wI(UMNdQIn|9dKL9PdB62>0`mpTAs$LvRu9|K-9W2e7g!V&jkr3G3bOm`W$RSOJuj)K&MSkyExDaM-g)YwPQ)!Dsu z5swykFF>g)gn2wd6exf70TzaMi+Nl@C_w5C_9vG$N`qyEzzAWz0q`Jk~wUn$7Q+|7nLw_)*xHxd^JzUNRoK0BX$eI3ho@_YN* zfVb!CxpQ(pk?KWrc^wP&x8U>jU44=;FvyC0_{^&(T-tiIC)`lP^IPCg-QS-tFRo{j zfAvB4FQ0GWUBh-8G@{6M%v4G<^mrE|+EEwt#)F(`^$L|B}Vk2WJ4ct1kx4HSZeE6bl$}XL6L#a=XG{n|gL|L5@eO zREQeMD_$?c87Zn*^91FrJ=2Ujr^{{{ZI<6%Eehi%l*wmP&b$udAx`Hk5^S~O_T(1c z3zry&u=`DkyS6VD__#>hvx(i6%uy6=+*=LB4EWA;Hw%RpUhYu6OwgC91IFlzy~|;h zXb2dFHclm06{=LX$lAb-MINx@zP@$J7G6Limu>;$x?*(qvpLlhjwns7usOZ_8u@1v zyvBxmhUf=~fLAf#E~6X-K~z*oYC9EyinS0?2_$wu+#!qnqvK0om&4dI05`0X;#=?m zMTePbS4o-KV7$<%bgMf;(ds{MBKXq#of&zhEtsPO5?)&e4F4EJ}3+ zg(9FlUfC1+ZdXPYq{s=Hz=t>9qdFlrh#?i#SQe*^m}sdqjzQUf6Kb@8!Cnk5I4{Xe z5k0Tb5gg?qZZa6;DTnTs^+O(O8Cb4~l|Fze5K4gQqrO=?4qQR7x#KcSp@!8>pzm{p zmch4;Co;iz&j1@f5i^A;M%p&n8-|ty&Jl3=cy*owdo!BkAopaVk_0P&m5RcqP`xR> z?ze)M)@gH^h%0XO`@`)ka?8R|YBRDN6bTi6svs7VH?c7Jnt8gEAlq7Do|8U18~vmB z{^vz|Oi90isl<&(epmammVXn$|A)YY>Z3vQ?w02G1xp-n41<^ZHHTkp4|qvZ><-s= z3-AG+Fc}Dhmjx#VW`9VcQFRl})^eDnukZa|%TV)#6%!zJFIj5t8(&60BOtr#vHAox zErO9?YZMA}v1LRm%l zD&@+t8wllK6RNbSh!Q>C_GHdbm10v;S~TCpg0|UXy+uw6$DTw;X5ALPXF5diJ)V)m zQN`NnjcDj@izQUuO&L}L^BI&YN!a2g3&X|E6BcR8nuC-!Pd*gE7xPOs$#Z$)+;NBz zRX3(?U?|F&x1V2~Wnm-M_EjZzHbmO*Kl>P(Hr2Xz3$_R+Ms6{&6GQiElcXeQ%HIyl zSZg;D>l?(^qd8*Hu)S4Bpn_H_0sof(50Uh1QzQVui3=ml;gcHD#`Xq5>W;#@rfgilwlhD(k)-$z)J5pyJR-IJ$qI zg16H1k%W`k4prk&w6>MRw0?BKmxQ&5Y_myA2sAppSJhvK>h;1`OxZ5>xQUil)S~q< zej3fgFi!BB=UmYdS}zFo19vKKeQ1Eb&;SuuGMgCaypt^2sZr_kXI!iHfn zp>O1_-(uE{fPUGr%5|xw=END$$ZgWWmMfr^Dn=1aw{(^BSDW)VNoxQ#so_)EDM%{f z#)aF3VBSh|qSnurH&{wPJPwTDX&<=yVitai=-l<_Qs$l}i_rTqCH6kn5>r>Xak1<9EeX-2@nR;3XwfS+%JVHbduO9xrvf z`}&O&HT!w}#WGveVN?YKN&?h8NwR$FcQ0%4*Iz=g;k6?3r3O=~+R0L6>dfGWn%IkV zmXo-RDTM`YWnduVO7?fMdYRHIWdsm&O@g|NK~*ZusFymmCvSzLPgqGX`Gz%hS}CEE zR&?+;!?7%~X)&%u%TyKpMZK>bSEQCc6hEn8=vtyI%Z~?N3*6~f5YNHMD!@&hx%Oo+ zAXY40T@#|HZy38JcK;P|3g~791|=mP9;47xe)@uH!;?U-A|kCgir&oLPOh|9D|00g zm1(5cOu7-qA`2=8LplV|xif=g2c529e1t+O^@u?&ym6b^SJfG~)>veCE1R!PPE@tX zP_qiV^&KY~te$q0J4B8jW1o^X1<#|>;!sWA z3a!!@aJNPm#NBdp+P-$(w5M^%`n_Hc^?=lS^7=4IFw#!6JFc>{Y&0KR@2z?K9fD2a z1nLPCmZ?Tl{-AIyoQYS@Epx^gaS)Cx^o=g&?wiUlp|;GzMGRoEIAOzVb2A*LZg?fds6HwI*yPzIkg+Q=949sFvX?n4AGq!wu`H>2rl zt0K)!_?<}G&(>6yt#rbWVhwr^v7dk?o+`rao0LH6HOki9!{j0g&(`2xCH58Uv0yGa z<%9<56F)OUTrmR)1i0Q?6st~C*P(FJR=$TD;b%E~W1MVFg%Ks5%|A?g`QAtHx6O9)#dPic+!Rxciq9hjp)QgB{lmmAT8hL68HX}*)|N;L&S4uYl9>=>5x z>$_pvU^+i!Sb>RvAWe0>(Wdd=NfhT9CZY+33?Q5rn|LLLjYQ;xx00}1u5pt<++FKL zUeC1q{7s$V^GHUn<{98LVn=WSzBj-@-dd;#VcgnR(&0)>LZ}#YdhHJuQ_E-4k1`(- z=`E;pvuh&|A{n{WjSHk#RUyzR;KbVW?eZ<|7j8Qd=2XTsdJjV7Z&czr^ic58+CZm{ z=y+Bs4Uqy}W#wPBz$FV<9SsrVc1U1sJ4NWETjc9ZL({&!a1haiSwVR5F>gFuPxcn1 zMW@?>@k)JSbGRZ z=}VtHms4);d?hJ6EpB)$*a|jGR)I@Z&3a)K=a-;Ui{iCsyMgB)N~MhF_=JS6dBv%W zz;my=9v3ETPtMdzxu zM5w_SN%?@W8n~#kn5~Dab`UkJE5`3+EvWCwi=;w(r6^Ax9CyET-o45IEfQ?ARM;A| z6R7oUvZTK5Gn~*RiceB3ou5L%B%Q(N+OOy7y+Qb?zJm4Jm8 zT|fRIBmPDoO`XGQ(@bM14V|V2X4lX_uSI4QJ%#Q`@+&G82KEPWcoF2) zQ=tmf<-E-P%Xa#C+JO3bC9s#M?w4dsiC43CABPRb+%KXY*5BhEDQWXF-7TBHJm~a> zf!KGY45eLcQyNQAczJD-2n9t`Sz903#Jovf{+UTnZ4%w}QY2m|cTrG^*m8;WYB|Sd zOwtRNh}de`^=1sj2`4lBW3_?17*+UnE*twx{{-l#zM;suq}oHOFj%>p^aH4>-95G{ z)R*!HQ?J4v>SC^qf!jaa2@{`sM(ufFxe*+xVIx8j2!i31w+Se;^%n9ilYz%52K5jR z;V75_pHwU41Eit^y`DdOGFsen*iB{A;l*BPl)oNNl|1UAsS!=@EKYNx_wMSF-Tb$4 zHL+}(y&GlqwemK4V4yd0>rnt+-L4h2_=ZjC7n|s}0`aCQ0fX_I6wPJj0#{_Li38{Z z7Vh^%+^kYq2D2~L4KjKiUYdW&syR z(No{#cC|xPsDRGCpM@S~4|q*W z%d;6iA4yjsehji?0u&6oa$w3R2U3(sH4dJu`JIN{d?5357;zo zEF4a*W$9~pw^de_q|~S7!uit`6F98}(ZEme$JwVw@iDeX=_(78@6Ri&AnM$Wx zD_2K4@XiakJDK(1l{r_hHzQKWxZH6imh3nRvj_XM|ZEKs-fdi+Xz*(iW<-8%CvQs z`ZapGqVc($1a`JWOv;=Tg(hfkNywUUB zsWX7dMcW3#T4|$jNghJ*wOdSL+uo+t@jUvaYq8E=Y4q+I^^7mi3#Fof z@Ja6+FHQCVM@ci+Fm5~ynj+E5IGEC{D1V*=R1GyMECfc?znaDpw}b-{VLK!|grFN- zmj)GiYX>*csgv5hWP0;id|ER_yeA7!vA zea-?HwF_V`+7oM-_X-;?jLIlk2-S?bg34KTt|cWOGBDKM*jL`_X^Qb|#qX?0cC$Iy za~PBUHcn{YY1&YNiB#sP#H&fHNTo{REmoP$FcUHoFc2SpBbxI*XXHZzxc26#Ek33( ziW1z*OFFnx6O~Kzju+f^!u25m;n?_@nYo`{ zVZnWS2xA^sde<{<>jlmrZE zHGVKo;6{KCRSs44sQ6rFZF!gK)$OZY47*m*%~!R*sE3^t-GAhe_kL}xVr=tT@6}y8 zV=G+Am!zH%t?6r3qz1thZ1QC*j`O8$q48mr+Oq-p5S0Ti`Bz%AS2*5&9Pz4^OZ91W zMx=$Cx=pUl<12vRbc0VmwAb^X6ik$Z+B2&p)E0NL*6rjDeVfTVtjxtaCBGMWrc8I5L=YtvuU`j~t_hrHfGC6N$@GI!gH)H= zN6P9JfK^R8e^XVQ$0PLSQhx*bF)dA!Adn6T#Mlhy4JDfh3!T!9RCQa(;nB+@BHqV; z&Pbg~pVPj6ajsmMDg5G6hzwQDdBGlm;!o@-ZVqdt>{~-Y?Z!T?6bC*L+o~1-6O`1y zL59MR6j6zyXMkg>NEpq6Wq>Bk2$>9y?cGK-ht6CYG>0a_Z_=Z%kLNo+m)V5B(O>S= zP;#znP2+Ujj`ro0Sa*{)a%SC^c*<_ERMg|{Mfrk?;-CPak^gl zf&}3NUK-bYV4a0}gY-O_3DSD}okH0JZL5sFAXrz6IM;fg9E80g_O-8X^C4oxA{1};rXwto!O@#kL5%D35mV~@<3sj_VB!WM2_S1A64wd zQklIUl5fcC%%+4)m+?BU1e7FO_7DI#e!PX69B-W;RhTgTxkF1$IfUk73g3m_>vgq$`A2Jla)@tPLz`ao6ww#eE4P5`iSlbI8%*0%{=vHyY5ejXycXav}0 z(&tANc>5oA0>CDqzSWtjq^>(b+BmUjo{DW=i*W7P38NA^EX3Sw4Fi^O>gm>$!!f%R$%avmz?~7Ql7T}fXCSuemqqp@7;2Sb+D>AE zgcz{z_@!-_ul~X76-jPB1PY;EqnGfZJ`98)w#VtmwaH%961m-B#Auh*z2f?15Ij)= z&o;kF;9Or#s20shg-J6DSRIrt)AOoN^)h@QO|V3Ll^sY-k;sxk;22|iE4OgoL9+X{ zVPymT3~cJ2K8IkBTOW-lXKESaj-qg~f2~pfK-)a8o!#=A)LIeuPq2A<$vYs|*zBjs zMpf;X1LhoD@9ip+{tS>NJiea!@eF=)+!;Vvk!fGU;F-Go0YeZ`SS4})3_-g>Fpp+I zlhbf&p<$##S+No2n0?McM6MU1y5DUf6dQH&m*&AMf$YfqD3MemhBE*ehV+^i>3#}w zr#R(?Q3ug?$a0fb7mu{P#~4DYZcy5&%yl&H#b?6QtXCCB#0xxurBt)Qu%-j zfktXtN&QKkZx^HUtW#=-2`g9i1b#F{s+QN5Gl5b>E4d>*>)`p6ir_-!O68qKUiC(Z zVjZYjD_DnrcE`sL6Fn7Hkcv`0bxE@<5sIt+`Vha1U!$CpAZg64cc-&r2yNrStlxtc z3)KnOlrC5z+LL5AFy%ch?)~Sx^e?s(TY%m6&t*6M?PODY_~l-6Hn2;wx*M7kTwkW) zO_5m}5dPu{YzgWDqM&#xg=yUWBO&QsFG-Jgkl5>=;hR5x4oROStL*p-2}h z#M-4m<(?NiO7T3>90&(*R@m1=RqR^Ks!-jS%ya?xAaZH~zq4K)6GcDxF7_~7E;85p zh^HKX*>nNG{vrfF+*n{l8_)6j{3YqJJV*@gxT=aHNKFCiM*r~IP6W>+LKUOFwYI!W z=XqGs3Ia*;f@Iw;@6!cU@RoP87fuy&2gtn|z7hG5MQz5cS_(Etm5IB{eLI{g{rSE36o{vlZBIKCR4K>RHKw_19XpbXwI3Ys>TWw!xE;jLc zF>Ub>Z)YV!J36{wPj8D{tc=G}xGVH+urwxd(Z!UzOwk-sA;RVaW<6plOLN?!Lgvd{ zJ_A@kFCK2hV74VY3?j-P1YfdoK)hB=%A9QMwUygUYRcL$0?O2yAIQ!C{C~LuABn`m z%w%a_N~(Ge{N0p!fXSUOBN&aRz4MKx+uABQv)3Ny+$q|zT!oZhVKSLBrsL1IuX4IF>Kk#Y1dEn|LSiGdH?B6Z27arT9K+VfP4R7 z+qX83f3uENYk0)ykx91|DLL6%_$p`TVLZg*V4f;Utb*c0Io#e^4^r-^)mvd;go1Z1 zD)JTcE5%s`x~3*J@EblKcpf(3f~_*G`_-PRaS9v_Uj*A|m<@NOKN3%M6I$Dwyg3yB zClRC*jB+%}$j6&m=ady$zd@15wuJ-D?rOi%RaTXlmWGnD%Sw|l$g&yY3;h~{f+VJA z0Vov8IcL@$2n62_&mFFEY`|8xDLfp}fOZvQ>MWS}}wmvF!t&F}?Xq15Vh!Kx&G&hxh zVwRqDZKjcC9KhwV_@g0~H49V=LfxQWNhgY7ZQX3?OQ;o(7YrdR;>9Ln79M`FP<$O4 z3AH{#w2b;xGA|;gv^Slh!Lq5XdQF3nBTi)3L zIw@?5%3!;N%a5>~KoO3Qs!Py%x^I77lJ9Y#QHkj&|7S@R^*iLg| z60j2sG8U4Ar;n0n9uHeTj(qs=&XiD9Gpf?3Rmqo`hrkUAPu$-5$w>%r-I@@qZ@h1+ z+B{DffI)zF>onYvKs);{>X#$JI(&QKs|cIrolVZJ$!HAa(%2fSW3!gV|!BH<2HEAN`T5A+l}V1(;s^(q{yfF{Bl(=E*= zQj3cRZG~HTl*XnJS4J;W6=FBn*1g+W{V@zt?V?XChl?CSaYY4ux39Tv7 zxZYrOT#8qzXYT$3+w-3VGU(z&!ln$yu-vD+aKU)_i6Wdq%17mgbT?Pm*v|vHyj9@u z2UV-xf9c5dP;aFTXr|a#;=76PP-<`boi@wI9i<hk{^mW+&V#@)B3+6?n~OO$nX(WOBXKD?bs96E-UZ&iI>`= zU_ja3+sw|zvtCdI{0sNvyzQH6wl9b%!&m)Ye9+4ykXpa)yP)yp}HvoIZ{f z|FBO^8W=%6OI2H+vdY4%tDg9acR|EIQ}$M3cRwu*po@$9yf{U|$S|O}_Lo*Nm?MX< zux}D4C#Mx#rwYCX!uUnq3#?ySr3Nav1j)r3Q<7vAww~>lR$66zxCr!gYJYyP^mAxa zivE-HyNEah54NMB?z@cts%iQ!jIMvj*wyOP#)z<6-Too?>j{Bjm7#Vs|JS^qpZ$@r zP(_JsnSsAWK>jp7)`6;2#8=OR$KH#Gpr-VvjEkE-azNok4NhX|G^gDcS2Rt1)_HM~ z-8veYk5-<~I*2FNG6abdc(Ex!zNk0F*+1AdS1ty{auJfaAaY%vMf-mYf?8*3rRpyr z>A%eSe}MBDXCM%!avk#}j9@4-jIXd3)th<{&c>MvLJ%QcMIN0to=fEBe{h&Co!d$; z7T^jM9_#^8-`KNF6@#6PxlCKv;@2xHxE>lUs<2OF#mHHOTaxXXp$fAOT+$ZZocx|_ z2@9nxgU>%n1#=~6XX%Bvg=sn+hJo7N>NmsHZJ;Arp{ zeUA%RzPlEw5#+2j)iqOhqnBJ2L6efs08PG0O+|p&*tGg8bq1i+cB>CBa0e0MYB8*J zZ+>}3;l3An$tMR$v8!Szk;yOy<`!d{Q+_4Vr-_y*^68^gsw1 zm8bNGt+GO-?hI`AyQZGUEg9ic&%{8p+Ylv2J-vO!9ORRZJTE*qygi|1XGfD*lyTMdkg-wP>d|po$&sS}U59 zWr+?0b{8nccEzS>Eylt1Ys-msEHzaQfg4XieLb!|c!oPc_FeQ<7(oG=z*Sb9d$f$7 zt07`u{nZ%I9PI-sAdxCuHb%&PDRevo@SNy}=~?=~b;+mD)Lwv5^l3o~P`L9l6T~{K zK}2J%JfWv;om4DKkV(~kVQ2j~t7-mGk(`WE9D8i-8b&G;i00QkR62Ct)XSHOr|D@K z&SsHa+whBCq~)zQnrpEvZ0s3)OWi17>{MCf-KOFeiFaf3*0t8W3lrfl2y)Eyv^2Dq zX9`uC%ZEIF6K1rdZw{S%KRh5Zi(qsY@&P@)R&uO%QI$|LDSL^#ubKgfQMSq863IR8FD$|kg z(|SYnCtakVDO6}o89t@x-v+ZiAM6J#^-7M@B|(|2(r}$BUxT|vZ+tH1x%11Uu(}o& zA1!;Te{&2fJu&#NR&w3UAETFM9UJ;B2~+!dO%<kAxhLv zR7o?g@(2TS|V$Eqj1h{r(!rlqg#LC3_uU2CVGplV2bNr$)A56MURi^VJl6AOt{^c zA3LJ_#l-nxz!m<8{qge-8a6I*53h8%feB8nqJysCyHQ2M&{8fkR_h@4g4}#{LXH7? zucj0Vlt5u8PZACJ{z}2up`cSSn5ZBoE<(Rz4FE}GVtwdz>f=O8R-ce4UcU=+7db(dSZHX6(-B<(X9$2-a?KFuoB;RMKjiRxN_$FuMjxecb?X;YF0a11DioLK)#1CK#~)`8&} zKplmKCs!F$94UO0Iwu1lBGNA&gQ_)4r{~&t5?bU*BrqdN5HUFLuV7ob=ybj$7#iHXl>-Z_8J1gTlTbjSyc zL^oRnWNg+;1Z0B$$VPl@-0_&*#zR^rVXw&_kFI%7N_|BeHK|{bq%>=~M>To?27keD z!}KWkUrbC<+qC%GI^Xl)|ADw>b)q`gq@(GDqoRgw5TS(x4E*Q%{~S!t0bmw2o5a_!`A=DBE=WB5_UX3qS;7d9~scf z@!uPV{@D`y%TV_ftt|wr>GVICuYdB%JkEnM?wK%=$n8#4fje-RClRNjZzp22U1ox4 zB9)3@SsXSNTRH1csAwx62&_L&U_*nhm0Gc*Oo6_TB=ju3c*s-nhHFyA-z~8+T{p zZpGaxF2$wArN!MH3dNzgLvbrkix-N%-5$B;+Z>Tr$F6j@V=WGQHp1FP~G#G=E*7NH9pOSN;BXxLxE zh7?MfaLQq;b9xf0O~A%Vs4JGjBk8V*g02Cy{4sztmUd=m2C*cJ0fvU*ZZ>;1%^Dq< zYJqO`tujpny_eJrPH%+CEi62Y`jakt@WmTb-nSH$)_Jb->(M8=18%2Mq#7&|D+$bP zrF01YHwUmr|B;^$MQN$cbuI2VpDZ;WDgRcFoM()g<~3Gmrn)LQgh_U)D?XP5U!pXF zqUDGyO!sy51e27P{VYqUT#YV4{>JnRrpmhGi%@m8*X69#t--Hua|EMgvVEpmb~A1R z-t8b~aWZyq+>DqyAlB6~RvOpuniMS+HdC`OQ4H9^$daSA^B1G?8Clv?*?t%KakL7g zyZOA0Lb+K^%o;J z7EsUGlqFLSON>vwm12)EBVmtm8(^QoA5{4N)!X}*RN~|!{4cT13Tj6^cFGHtQp4F>j%m;7d=BJ4n zZI?F6#1Pr&OhRwjm1;)yytk1w8K-3ltry`dNQRgcx$D9X#(rZ(CGwr>FYEjjtpM9j z7A4TFyNRBnv1K-!x@8i&IHJl)f}x#hvz;;O0KwWuJzTcb%!0p&x$dLwFrET-1r-G% z&h(-(u4`gB|M-n{lVB-ovvk>c%2I#5!uN6l&6ZvlpNuWrvO>*liLc3xQQv9ddN75*9yN}J9=N70%qYFY+}Gtf>-d1YW@v!-ppS1={AW!-a% z1&7U$sjw#8*^#GfI*U?bZrjR7fO2IyVIi3iKP%9QKxR3cG*By)N&$h+uT(B9cbZD$ zx6{G1v46g+>V)PYlIBFsBc>H@BPnJ^EOx5A;BDV3qo!*IXrwKHlya)`e{EdU_VQdG zR+FHp37*=r^9p_8oqa9sVZ%XLu_&ZXsm5F1WD5G+H?n#o#XOk7dditbU9Jk?W8uYQ zHdPq1T&5rRWLiOD%wyIXmGSvP+fRTCee6~xGU*(gl+U5x=S*ntIngS<9ZA zrGhN9z1u=nz;nH6l$L2DOg#r0&7|@uB^0VnzYbMN=4#kR+CpokYa)ywpOmr+0g*li zdcmH6V4vN_e33cTpZ^m+2Bpf*Www)c|B67pRG=*z- zlh>EArFB1qQmf{-^c(6>3L84|Nv)JtgA)vffF=gi@4Bz)kKwSW>Bg7J71O)$q^GJr zY!TQAS{9}wOG+|)18K%>=w>)`2YiW|i{Mb$TZaL2t0#W~XMMd1;+t*>!>YAl0a(k3^ z_mob>!~yVIz1(UA#c^2-I6JJBLMjQX&*2+qd!izr0H}F2jH}a*yJ6frpN&`5Y%3_= zXK5s`+hmSqsd;aZZT%NtT!-OenA7SJhoWa6>M^rSdWS8E8YCwX7(NT$eX*s>88#aH zYev@-fbZuqmw(FSd35@*fAo(_JS!7bw$O*K5hGN(93SUn>bUcnW3B$L2;}}#-f{Q; z7E1IV5j)2}w?6sClys?6MZWNUf8G(3x#^U9avi%>+wdZOgMo!zj4o?klN1Y{jvf_m zbVX%iwB)?z$NvWiZXPteGA-xfdvS}uodJ8q4Id-1Z)#qpXL5!yMvMZ@kcA6TNIb?G zeH|>Ie>YYB@aZxP>y|sIh*)+ED{@mlSk67dbVdrYRjH*b!)?MuZBHbmJ zN#Q|K_#K3^72o=nr1pwlZ#s9lrcZO+3uk7BhHE3i_4o zE)D&|f9HjhDd%RKh`|{6yZGOru`{WOJaQ&~=Uc~b`bS)cd9nIQPOUi4FIg8|>Jl^AgPPRzveM@9NjC{b9Ubd9fFo)S> zEz18rFJ&tv@*-Hq<1m_K0Mbm@;8gGY^$=@EJleWK8lGXJv5BicGlcJ-O;M*q$bdSZ z0C-f)YYi5e^D*^4ldq40>m1Y_v6;$@do5rJHl{)pl8u#lhcRcAC|HU%4PC%MQz?$R z3>2s|QabSxs8!gdT{R7#aF?UR+KS#Fs94LEQ>mgd(5JnRLe51=X(@4p&Qy%7H;!u5 z&pI+;8>z13?+Kwt2}yI8zufShWf!}`ScMBxEXNU(l2RFw+k(|hrY=Zia2L09fTm!C zh6CwH3|}c(9-j`$h!KdVsjceGLcf{2!uZ(`h%2ci)(EQmPk^a4naH7zTC z0DF%>-?)IXt*l5Epu>-40p{oa36qoc6t>ABPA6+&>L|o6wrx|MT(LSzNv^z^KsN70iuRQqKVdR7!Z)1<4uCaHga_W%C=`+K1~nKYuEm4D2qZ~5Ep5yd9}zx)iY!x2zuTu^g|?*Z z+joA_SfNM`yD-o#8By=$0Ai$?k*mg9r&sIL%$*vZH%_BMl~lfhaz&W3BGZMsO#R$D zsQIHv3jjx5vAmg1`nyjfhsbO6!y5ir<0PzZDQm%->Qh5PZx;V2mh-Jqdj#^^&vn~z z>IAWi32Uv5;-caT*BAj=)~oAO0UvUzVF4R^NO4 zr8Ai)1y`*5Y`RhdX&JyOA%GL=;rQ3r_2?k1Bb1slHsifJE3f6_+7qn2H|2TR(Qu;>LU8{}nk zZ;%IvoQA;5b5k1|$0tB)``L3xH0`q?2G9RN3$raK6A1uo$eRc;2WZy;?ECdD`B8&$ zrLAqSfu9g`vz7p)q|F9}2w!qug@-M$xQA4g2%%CBXE#2>7|X}mKvovmDQV0^+o)nP zID62?fRWnKh4SG(QEf0?1cgzuyf@1X$;Fv`Ca=BJXrjL~?le%CP?#lZBfrD^wJke-LOyj3lw`f0Qz~|AW~1+o#2GAlsg8}a zJ#H@t0LhjNUXkS3CPNpB#ms*RNnC6THbKe@L{8eo;YvCk7^vqEsLvWh*pUdeY^m#l zg@yr8eU4bdzv#7xQJ}VX?NF=XC}8H)1gqLc6l`!5L8Aa%#IDHY0GY&*oPM&Z@-c>{ zoo%kB2;8m4@#Ict$_6b+Iqq;0p0Z~ZYM3?}37GO2@F!@`G{@Rk8gpbecE3|AJH`z$ z*p+53eT9!n%5`|dwb$0nP`8gvb;@tF=dz#4tN+urOhxGPf%-0miVs#aS zw%o9v-kM0PP!zgooCr$tVt$4&o?DGnm6x}Gephcj|FVx3+kN@j=Sy?stxQ5g6kEEM z!QoTb!WArg)^QG{`d#;n>JXt8L{Sr;7dOVQblu;vb%EtaTio2TUyL%{V60%y)FIkK zp81YTP*M@?HLfX{HYHmVXxhGHWY!AgTkYnVKHjFbCLZVFmAu>Sm_9OH`)2Y=!u=gP znsf_#z?S=Yw9J)zFcE3V{h23f}O|%gRtU&7u#fPAoT(d}SeLpfx zADc=vlo*k4GJ7x53%)K$16lz!J&bt>pWQ}OVbIdT?%NkT=#svvtPP8DfkgJ>t%2`^ z2k@K_!&QwE+}$cH>OJnd*{&COd7NIPG89aL_@Oe)2bvmUmnD-b$vj*jMV#~yK}SfJ zugAfr4t53xV&vL7O&$F@-b?tsIU(0?45L55qXAIVkL0c_sE49KG|$L$->lG<@m?&l z6xd46sHnCrJie|PjL>0wfq@vto6F|@{vhJAQHIskkVpVj^4LOy;ekaU9@Ne8PB?Br z7?s@?hn#M)*(Om7&!io)i(@gTQZj5){=F%8E=ja)_xtk4tgppD=oX%5QcI=?Z$+b- zDrr58sSxLZBq-Ke+IBe+WoZ_H21}O1PXOc)Nu4g)w{>&sIw@J?N|o+uNfH8s2+LkR zgYhfigCvVK!8q@I&Yl?x4io9Umheg-AZ!NDQ&WW>DAa5h<=;@{%` z0H!LqrE^Vb5G&PZN|pP0#O3k9Z15{_Kxa9rh|~6D4UiD4!-6?wGe(b7(r7u|VAGle z3%V}pLYq@+vefmoJv<|JK2+C|E0$z(YV}?kMKifxt?N#-FYk>FE(%1Hw|gyHc3@4d zMFdMyZ*E0hWdD#YLeqq{V2QHnIXp!4g~XVpT+%@F;YqS}G3Y{gzgi;6I^OgI(Vo|pWv!s$)_^gu zbgRvvopbL)c({TReB?Tqda+oTdICGls3g?a;W!eoJaj$qmb_ptX|jtQVOd>f ztvq6QaEr<*(2ZzE8X1B8bkqty-q6#7Pp%^2G^c6Ixv1~sOvtPZTc z0Ctrhi9mbtuZxxd^&v*Gy1Ldy(RG`P6rD+0=FjtbtYNuq;PQ!pTxcUTXCfK*Ha|wx z<=6Xw<+Wo$<=sxgA1GSrc_*3FSARroG8N-B7vVVI2;T@>_MIbD@>M6+oa}2HA5;QE z;g!K z4!}^Kw)BzMV`L0MYraZb>l5HzFwx7do~8H_d@d2OfL&jHeV76QN3#XHPV8U@!P^kH z8Xw|sijCc-CQ#qjq?x{dBc;1Aiq$^5dqtYP9>0ClMGu&7LM&>Py;pt&-{ADhMgW6X zOJjDT*nT$rRh~eQn2O|dHY@WaYYa?oqXF&t0+VcN6rvHz<>iT>(%j%w5~Vw6VwjQ( z^{YdATf-6;@9?F~32I{;f!evzO*PZ}Ky+<-Su&X4{LL2OxnZ)8tTW?6#T=(=L@L9L5s3zsY^4dHDva zgIC~epIB>`YV3`S1|1wTX)lt=<^{!Ke9^;X?tv zOrMj_733~G_Qwcz9lvtQt(N%5%N0bqqdkWH$j0ahc9V~`sS#uU#p}#Xj zbk574g))6k6GcvuM;l{HVS%Kn{=9Sl9u4dJ?;~>Xq2p_B-=po>PsBN$)*fDogEIhf zPS&^3A^`o{9vcXJGYZGf@c$(5?@z2mXv$8IFjv2sizjPw-XC5ZW6G?g^h~O?hgqwi z`%sg>sg4Z0+6y!^Fm=4wsE3Rd&vz@L23-iLO(qYO_UaTC9n(&nrn@=l$xC+IyB)?l zplDK$Jpq8T19&usUG04b+|yf)2RiAobAyDso~pt1MK%24-x;HZ!^huCrotQ1De!GP z0TL~Gbkusq80s){aV{UYMF^i6pZjr|C~*0S0hT0^ufvzY7!o}b9bZ$py4q;Q9=f53*I|gPN=P5V+T8(7>Ucat~$Ie&*%s*lTF z8@HKjB!WN&W?nO7*Zg~vU2VblCji+WD%M4R!sO-%7g0r%h}!^2t>lCWR4P8amE@_F z6))T$(ltyEdQJtH1fE+hR`zuxC%zPL(7>(jW7l9wPHYrX${?1KM@?vGLQ%9laCaMg zr8r2e#tlo`s|q?}2DwMKn`Th`14g;fR=x8b2Rs&vgtI60X^zg#kyar!~IbsME8J@+5Z+t{;ip+~a^ zO3^afglLCLvX!ITW8Qq)Mu+LeD&b}Os7J6wWc!>YxorWaKN`0!s!F46tvSU~@}uKe z*8xF4P$x{jyl>$K(K#Hkd0ww-d&};F#gxL3&VA{++3&`5u25rxu$R7IlwJA@ z0S0zgFc-ty@|(EnkGS!q#@t3H?$?Oxtz5!leS7$l;;PlYLYVx~GTaz@Zgb!XU|6|w zk4-O}(>*sMzmR!LuB18!p_L0>(vjSV+^&MmV) zUP!JY34DOp$75B-$_HWARBZ`KcRprIzsnvUN!+GQap!(4=_PK@I3R#5UN>XsV^&Q|qn9`=f0yL8PqMPg z>2BSiR78MmS20`t0*{dJW-6-{3}fcgO9!KzOTD zbxr3GFZv_OniBYpnQ1lx*&OxcXaoC^?ZjQ33Lhcv!9lGdWPm`XVE zcSq?Tldj;nCL$W}D(4sKo0hQuWh!NFVDfy4;8FpHG)Vlr#mm@UN!r7B_Z;g!B;|Vs40_445uyS0sJ54HE87`OI08*$Hr|?Nc15jSe^hq*|cg2 z6c$>+6e@O;lEpUV{mrBJZ;rcX#F{p<66!+`K8AX$2!D5EGsGs}a=Eg}&PY}c8`d@E7|A?RN z&kBecis^I$#L#LW*yKu0V zI;%JRRY}Gu755B9NxlLPMMk>M=DKuoZqyYS@}n4i(W>}YryMsGxkADya&PUwTVFq* z{u!$f4dME4O}sWulc;?op)OofzFKXzH`8<|E~;X(`4A&%PHM z@}ux3j6uu1Id(2UWk$2zU!hfvB&%cUr2a{QUL z-wxQ!iz{+K`Ep$!-e50XBXu6386FH4K-Cl+z^9v8))sJ9zOB(T=tw#_!x3=fnQdy} z{I%{?B`|1&TISAB1iymSPG$5*k&_^~9Nj!llx`gAceN#ej;>W!w>8&W5(ON3L3f7P z&1!_CNv=E#U#5+Rlyww7w(-IBX&g*0t1WFz{C(Z$9ttR{zEoCaRWx4;7k1`evGivz z++I0meInNH{59qQt@H!p&b`o0s3Kxj_2{pFoO7MZ)u%t&IHscP_$a^tEz)t{Pd-5W zQ16yZT}bcp_6nJyjqhif;1a-TiV8&UjWoZH1@(jPZ~O_Swmx~Axlv^_qTIRvhb|cN z(TgjnBd7mATU=C@8z`JWz0;7_z?~0L-NE?x49IbaVRCw1`VZ(1OlPIvpZz`?4p^aD zy?NyR!A9~?$4i*Y%lo(R>7Rg;)gZ%~_pgTkO`QCvGRk8r1mxSW;kGpe{Wk~iZhx-p zk;%CLqfP7K)^$i7S50qH-~^m<^su!TV}|K+XhKx@b+j7OVq{cbYeVEMR<_7Z$~i<# zkHleqJ4RuC$V+#0mnwc1EQNo5q%7md#Sm65!sx!Fe~j+bHsW6`xuk)j{=PJyk>xU#|+ov#^P`CXGp`Hupu3l&M4ri$T05fa0om&y9j_e5&at1 zC~y&`1mivL`>NM9@sS`WbV=)u6}~dySut-Q%38ijWGfwQu^eh_+@uIzLZgWdU~Aor zLRhcDG{ z7*w&eG>(3om)tnKWyr3A{JFf{1CjSRe^7TyZ>-#i@gWZ=zr|9;rN0q7z1QF?X^n9xai7jOTR0kh_1A{!*dsiYRc|*_UFW%MJIRzrjq5rOz0-XZb&T8}od1?i|8)RSPz zbx!{Qi^S(Nz(HZD?Uk_AK(xokPu#Kof!1l#{`)gWp_=qDbKrpx* zD7p{tgp*$92MxC=5{IJQiCq7&9;Hu!JF;&anb9xY>K0AW0>kHP(!xOt>tS;-AQZ9cHs@3@bGk>PDU4r~bTjg|ft*>wAIRlq*40 z$%3yi|>;{Na@p8(Fkqhq!hYAM2r|8J1W ze}j+)exDFO9{$sD{HL+4LsIDdW1TTOIX51Yk&HMzYv)zJc(P;UW`k*!2dHA6aEN6H1?6$fzV9rnevHZ~J z%1G@APuS)ziM_#nxgbjk@ zmw>CmxQ-bs9-cYerqvg;3H$g_ZjKc&`JgSe5!EJ6kE=)Z$KngJi}~@J6_6a`qI+6~ zvPms$!spqBRcoJ<;3iyzx8jm_QqYyWpHak+vo8wUA!{eGyJwi2t(u1eGhWv%PNUC>$b2JfjB{)Jz-Nq&My`s;0xS1)qqw%1ku~ll zqY82G^j*rR1#(cPj05bR07vDdd_^ur!TwZ&QeH7g`J(7Y5;HN@!3KlSp`hs_^Ue?U zBa_WanaUV%saQ8-iP{3#p8!J2m|R>(zy(FhKKeHd^~OmSJQQj+q?1Gou4;|Z$l^H} zNo(FfwRu#k7wm3MFhs_r;H|$;Ey|yLbPu;Am0CIED@<~zAVUWPY#Z`+B|!{l*qMXq z$M`9ZCT$SfC~?g{O{4D2%c#Nx4dl``7ln*n6EhlBBHSIdQs zwNv1${9kES>VjwUCCly%k@&2Q_6x1=&V*lnzu232=bxjx7*WQsaQ#R(@$P5bV)Zai zY4bBpTK`6zfSzBVgiRK$>qW~hg{T5wnMxoMxDix#uFEAeYLu!K{(DZ9D;si{T3N*k z_=FTP6!h zdvQJ|0r%iEALKBtXU`JRC!PQc`(IZ{cDy+KekS-ne81?ZyZ!>sw{S7j;kthR?F4*{ zF*wVI`sn*XHoX0YRz$3FP<7%Zh_&IUtv zW9>Hj4O!h>2mDNEyuW?|wExH=c)hUw;T${`JSM>J+yTzzu`DdC46bkum@4&F(CecT zC|Q8RKl9D1uX|%%?N&blddok$Ypsf$gMJq1z4rbIAp8Wl2H)lLI9Pwwd9l}dH}Oja z!NvZ)S@`>iUyA?7*e3wE?tgFYZ+i^A7oOR#9hvqbv;EDY+=9Q@<@G(dA>)1jKGSdE zpRa+|egPgA*I*Sp|J?ipLU{tPdT0o%KLMIakNzI+2ZZnX%Zmx2>j{w~<$rj`AL+!- zga2UrmwKew{;ZnWf#eNwY|L`C5i#jDp2uNrcur?)#Uq==OfPx)e)Z~<0H7IwA%{j5Q8@Ty5Wl-ot z<9@zySDbQ!n}yeoRJ*#48zLoEn#Yg%7=L~tS4vZ+bYuVSF<308n9=pO>9bNM6fzYW zCEo#LrD>jO0Se?3BCOaG+>2i5%^V#^-;_tiQ`ye}A}X~o0cSt}eW(}(dV~Ze2K=8q zVaGCgn|XtS{4!$9fh0D}hmob>r+PCQPGMf{BZiEnC-9OsMK#l}W_g3BGSXcnQJ&$d zz!qgz42?*FNS+U$w>{{c)7=X87@+nwTE5?dVsO3Bc{qV6df3^C>Q{JstqQMqbQOpS z32%nw#X^`NAJ*|Wf0ljstYrH`V_+T{JpxQ*BJn15huN^;HiJSEP0EW+aV-eVxO|^p zjZNDN-_;`yT}MAflX9s_6wfbP&yOCzA0$yzX)Q{tSBG_&)J-`Cpc7?wrop4HA(@C) zX50i~`71$)wqbqeK3WA5K&>|bCSUN|4j@B+#5IW!bEKDqxIS)=C_h^RbWyzt#Ik-9 z3Go7_&9gxXvX_|lR1fYM0e=0yt~CN}5vSEC_~N;tb>&iv0_+Bx6{%Cb5DtpAU;yLlAA~y`o+44<*YYkoSxe0;B>|y$6zBsUpYOKHPLN_&-#_BgAGu_OLd$Z&YKn zox{dM z(2UxR6m3EFq9`J~E8Iry3NQkSS+SIpDRd1f007;kZHD|7Ab<>SWEj+r+l8$^>zLX{ zcoAaYdlOnCEn{;4BLo2Pb}o(pn>%wMKnT&DXQNDskEQyeDgrV$*<@ z*o|f=>=!5>gVFJ3jztm%wE=)uV;Y%fkMUh3(h4oGum_Ezw`MC#aYV^&-oXe4R|DU8 zMQ@Qx4osyHz%Mo!-9Om3-M@7+w$Xf@+3k438~jNhZL|?@?b{CV&X-m1Bp>1Fo@*n_ z6hg;|7pS&I{de~Rr+PRK;ir0d2#(cWmrF+1b%9m8B5P*{4XKS55AkhhNO%!D9!eQEC*7DSYD%+oCGlgX6$Ky>ER3b z9Zf+YfU(rCcnYkx?&slZbmySN+}iG`Q}RtV;4f(Eht@ZAXhrG0qiyEd%{U9sjN&YF zb-|s8x4wfR!%&~zI+qnAyE3)U32x7g3l3&^$Mao~I`0Z@k9rTLUBt8Rk(&Jr(VH2d zvKEX`rAC4^NT<(lh02v!>jTief@KaBpu$d}YS7h^g&;nmUI&Isl4%|HB~miPY527& z-ivM_P?fSzL1-DQy<*hFh%|LXXs12R?D?-8kclU$C_#B#6=Bry@4rSUiV&t*RF~G_ zB4K{HJ;u!LzF}B9i@*JxQ)scN8U2i;lgP)amG6UIznediA!s_#Yt^95Yy!6`X}LZQx67q4Y!ekeKpDv_WXccnquB5$0&jK+%XBd@m+PIv0ooX&ox6uX z;2U(mi^q9%>zG0A!?#Cdg*&k&%*Y?%(wq{Vb*oz-jh{mb(%9x5K1gA7;b|SBi&8yX zu1E;g?%#1DgL{m)i2pLRx}oLhl<@34t#Z}U2dM3PYbXGf_L2fV|Au2=7RCyI`--c- zTV4VKpCEnW8<6Wc3?t1J`uyF^$h_a&b=7yzin}cC+|agn-6=dp)AayTtxp!kavpG9 zm|j2%T|y@sn6Bg+ECL&J$wx^~vS(VG5p}t z*^g(=N{s{bXszL$>jRs3oa^rswqHOR8e+y~VI!jV#AX44*FTRCsX?8vui#5P0p|QS zv!F4h3>UnZmJky-(Mm|oayYKY>LFl=7eE``YEnktCrQu%ZSYFuIs(e=+QBJ>e1&4{ zmJJ^j#^V}6adV62j$>dB`a|D$_66P+$mTh}-HZ>E0eflUfPjcRZLgd!url=8>jUJ0 zBhz2tE#6fh_o|IM#!#e~Jo{!5TWa(A>P{*0EI5Z)eqVzT`JJ>N2~gMvs{mw9?Sl4| zZ0itiovz=x4|#Y`h7pKcEjNq+cNE~&1A5F6_MV2+rGiv)b6dB_4jszYcl;)&0TX#} z9f72`Abra*xGD3>gb@QTD5EkGd-;4a63c{<8s=CAuzYS2-_r+>hK$3~7Xr5h#RfJ7Az zykupoz^ZmJsg03D;I8O`3OM-D{_}GwV0j;)BjRZ&rnDuw9W`K-Jp8nv)4O^f-0UQ@ z2=|M-j)>#{C#t(%ct!2eR^K2f3V;6t2na2_=`}NtPXo>|PXKame%7^CzGVK_-Vf`L zx@=DR?IU}0&H&uU@&zwZqOAv)rhOFcg$nWzayar_*eawjAwJW1p=D-0^vT7kX;vn zJ4Oe%)6Ibo7b%CmJsLo;Fk-6yBrd8I#511xF3%eQRCaVdFg;O6YQ$WvN!sbxuRzBB z==uam8X?k?;#qs=Cq7~e(GPk8P^9n_@L`@(!YRFV8d6m-6j_)-ZVc7PT9BUZpv)og zbx-T8Ig&FUcd8*FA#0J}a`&8k?wiaPGIUqfd6sTwBZrPDLy*9qj3H9>J_N=-V@r28 z*|{ADz-$8ZxTVCBwHmm9uYyFku)xvfgm0|n7$ATc zh)3gh#aO27uk;KM-*53<~U@w2OaG@+NQAm0R-ppC|p zQQ_81;y1?Xub*^GqgVOkZ5I`S! zo>>tgmy0%ZG6PG@>c8^>0AfFgBv=CJrwGz75=cMjvhHQB~W&YD!}lkJL?Sz`cd71{G$a-AAnGcNqQIlU;Wfx*KtEQSgX|%1P(_@z}*B?S)-= z^%&;bP<|!fcCr-eq0<{D?z$3i2U1Ba3j~XM6JLL|p;DG6Uwg~p>hbc0tf&%UG<4q! z2U-+=j(PYa1)2h(AaNNc%x*7YJ`Pmc$1BP6=joUd0sB5%bD;ciK>kT?E=`~$mt6RB z2-|0d`yz9h+fdXyK()ZcP3WU{Q@0cQ4=*nL>u*JL4Bk~#P0VY(IAW^5N?yDjK7O$9 z@UMISuOx`%U;U}52eOLC`1t_oqyHuW{0tM5(GxBhwXCqB(Lm1k^t%JNrwqswvW)uS zFt#`i^!V{^{Xm}2JC?x_N11sX(*?BLwwFNyEI83Bu*f?RH=k`VynK%cFm=##AT6^C zhr(O)%rn%>uz@Aan$`ze!6jyird zD{GyODSIV38dR%3hX$8KL4pXb+ktOGnQ(KES=4Qv4OB{%5J`A#bZhiOiy{)J$4#Br z-SuGIMquW@(x(q!`8ExIad}J+Q0Oc&nt67Rd^vn;;m7eI-AJLjNNa}ae;Bda<8Cu} zmzx(UrKT2aKdw+E$?GC+My<555vsu;E-Lo~@LpDf&=eOpSaW#)1c>7LMN)~w6e^dn zN)wEmCVv%G8q46an#z}oCHzZ=jJ|ge4sc*ML4Pws_8jvowD5V_E1SYLM(ll)()_6l zz}o_d$CWd(tpAHFMT!Tvx*MQ%;vDZo&bF3%No|UHkW7Y2Z&JwFjHI(Rp?(R%wMU{< zl=hDKjwzWv4iY&dp(}_tC>XX-M%@)M;agjm2bBsojM%D15)L{#FEYl*2J(#_C$VC9 z4bB7tZv-4O2}GJc${;T*7BR+5%#?w@U}V{)Iu}TRAOFv78yK%xm*0r}=nfEpoXCD<-S6d8V1C6;MwokBQ{z4C1~zyhUnm=C?7Rrs6J^?l_D03*Nd9XI-X03Ljm z*6es;Ur2)8w*N^@5G*KsP8gk~1rjj|)>CHZKrk*#H$O)a3Y#&32B|q)s>fJk7h)3V z1HS$vB_er0BQ@a$RSKU=Eng*2EYIx7hh9at)TqQ-jj7g*TTL7TBFHx6Ft8-cr6#DiTE&UhL82NnaHe*pxitiUAY-+`XN8QV-Y{&p?KSGu zxFR742sWoT z(4k(GWKW$m5o@OnCFDcbLSJQ6qO?b+zjmcyiKE|7Fi+rSJhek`l7vvRaH^N$k%GW3 zL8SHide5Fy%S3R?12A)-<;E3MiIB9Bl*VlPju|(7pz$rsIr!|ZHrJ3#0MXh&J1D(F zqnKFbyu>C)8v7O9x z>ShIblxY`~h;*i-#pw10ui903-yJxW(pkeH+1D*dzfk21xQ;O$R78|0rQlJD9oi0o2!w%s z9=%_*oCpsMKPn)xV8x#CH46pJJaFCk(_Q8mMJ;w1JdUA|)`ts{^oMs})-~U=cStO9 zkM>hwc0hcj3TI>omGm?0qr|~|hrsG~N6v-7h&Wz#E?R|;hj=hS!;!n9goXwBgh#t{ zS-~?{Q{k(KF3}D;LLYae?I*wP+9!sA(1;8POgI8~yw}udblQ{`GoE7!CSQoLjrfXl z8cnWp-pFa(LJwA!T}a-QRB&Kk7XIGw^}Y@q(7wU_Ph~m-3;{tz@m=#w^rZ zWWU~&E#sarmN$`VMbOT9Mv3g=bNImAZ-G2JOPaqQ24F9{E(hy8JBSC zd|EqpB#|8X)@*=vWoC$?l5=jQ1Pk>X&r&{0Dg?s%kI>IetHl9bq>j6E>Q3?Etl;mz zuG=sIfXBA3995Ml#EB&Z*-1$nOgO7HF}QHz36EbJA4AD`uA!(!S;0dxEJBzhD$h0p+3SSO*e2&HY=8vVi5M8* zzY){{1|DP(8DOB*PM@)sAiA0#%Rvgg@`uZ{sjn4}FD$Dl*|tAYAadVsk1e*juLh%JXtcdrAbTOp6@WXQ`bSy6MbHCD>PAW0#QAD0_^h z#x%(_AgCMT+TW8uGaOPj#vOo_?K4&1B@YWO1~jK*bCX~-ZatrvsBs5)i{LtnIn0Yn=^c}_WIph&Wr!b`u<3brwHhL z0_aD3B&%Y^+o{|Y1eP!~YBc%)FAeWTJpxYN{&37H$nLMP^OPUMcf+pRs5Y93bBgb|r0OXrIO8>g;1$G44H)*E$c?#xrGP0|=AfL5o z?8PiBPEo~@j>bp_qu9hzd`K9{hc2f}7K9$s$S(vd{_q3^Wy=7GDhdh1P3TQgXO>Bs zPiTjWU2qxYF_#eG6G+(EqRb6)Enxa|V9Wx)S|Mj9P{4?;@y;4&*ii({-5^-(u$k!c zWoT8vl`*xK2<#JbcM+z^H82M%Uy9;1uzXP!vy(+!0lf=}D$e&8%c(+fv6duMr9q}F zifx65pUl>iBZiMz7^|79h)e7uiQq%^(yXE_3&tlb)Q4y~Czf%>y>Q^;In_}7xL7^( zW5W;k9Tfl+Ccwv@jQHAFx$pdX&8(i3Ov&D%e!}Eb(Qqcg$xx_EO$naTmq+W}R8XG< z2{URqu7vzn6R*OgY{jz0ax!#Kmo@+$iX>s%sX@iAd=g%46f*%K6p~Lf%z>+0-~k@C z6rh4=Qd1?wtSxCkp~1Mtpk*1E%MVSWAm-Xd!YR1fm4T$z{2B@!un({y!J+U|PvD?H zjOm*LibC(021k{3?(#6sh_`HeHDKnL1H|B=fIX7w@36=j9Rl^@<*aDcph{5~ko9su z=#PKnui5%i3UOejf*~i|&uN)1e5iV@-7-rRj@J^+qUbrFx zl|kL|iwm)`g;fiW1WuG`88MTyTQ=>OdZZ__T-*m}Cevg0K@FIi1{Kc_p3T_2#1zj0 zk)eD{zi>e2w`Id_EFdDOT4qNix`A|8%mbGNG?;S7V;MpvBq(cZL|s>y(1Fm&8o9Qm zHf59chU1ht43JU!$R^|(5M9vs?Qs6yRVQ2CKZa>M+J$$f_oGqZ$prW6z49}^-RJC^ zSG%Kzf-Xt&q4!_mN{bAb{f*D_9j(wEtCpI=edZQtjkz zLcbJZTPP`)D3q4m6m>@OhX~?}C}QdSS3F9HfFe+`A0E)On6T0a4wmonqg(g?>h3zD znrgar2!VvqLJKWmsM4j0QiKFTM>+&hIx1D^qKJ@y5UPNHAfPk>10o!^-uwOd?p^EtxNFT>XU#ct=FDVH_I~#4J!EWR6o0t;}L&n2xvtLfvDfEwb#P#l1&qwos z3RWa*H-mR72v<;F=?)ndUjA~rVRW?Sd@-AO+gVQHNQlYlr=&mt_2*T-?YYKhv9l{p zooCh5n|3c=AXa2>i+tQ%U!*MZFp=zY`+vtIojklh#Ua~xn*B#|eM%dxG* zTe+Rk5ymfi9MP;AG$gN$@7KOq##ur5OobQy!u^I}WT8y_Z*|9w5~Ozo|2OQ|cZ%!_!dC zyeu!$iY-kMf(84Z0cJFhkbuO+X9a54i~8UCrqA>a^_*+|bh{^V^u!(TBM&1gD$->f zKjDPDiPgYSu$W{o)9t7#SU=4|twN%$;jc!VdpPy=6@461^js+wIr1%C5G%DRN}TVwV9`+A0_nrdesNMG{mcCb6hq&mCU z2gO>-=gKKq7TH7V{2^;Cr*#?9#PI|mz_u75sMfrWPmL%gT05q)>j{rvaOKSXY~dS3 zy8()@xHR>Ngq|@Q_2ouL-x=}()=>*-6`BIe+2@NGPMUY0WNjol^CB#{nIXbvGB+P4 z5S>uo1i>Rw{T;Uk(1F^%Po@0>SVq4YuwdmP<&Oaw_uWF*`#Y-fZ^;Z&DQ(Cjbn=!|;}_ z76Uw*01zM{pD+*-LEF-oNvc#d&c*yZeEPq2e!x~S_*O&fnBa;Goc>`Am@2mEy zCaF}K7s;BdqyPXYyR*lpQXi6$k9`A4bs;*zJ9 z3$VToKKjbqi`QlOy{s_(gp;_HC?`FgQ9V<{nK*n3;4NAjdy(r{HxB@%F$m_B(^+oh z70p!=R_W$&RP>ahx0O%lnV07&A!8z<2HX3EsyW@Fc-+P0t>FPwNK>Wbf(~~_5tqE| zN~!*e>S}+x9iaAPGjpjkX1l5X(*CK|zw+<0Z}IaO>-Z$WH6{B9A;=Qx0OGl2q;^A8jwXJtN>aE%uqLnGBB~foL8x zI0p{A1!c;^kO}XpIzd_Jen>9M3EOkGf%zrGE~6{KtWHPO1)!k5t9&0nm|8{!-k+%R zM=#bziGH0wxrvzLu>u3s@T>N%%IPD5i|isW3B0C;w1M*xD?pHGhiej@d}Jw$iePx` z^ltqD>T8{Usa~hr%F1y2)zD}U`qsG%IA5vGRj=J31^@J;~?+(v}iw{@3J6=1ej`VOe?{Cd!*9~}%!Zh`m08NmqGzdxGo zrk>Xpq>CSKEq@0{1pIydUDjp{xN$QAfMu3!B-am)-g!R*(5y%Zc>`j!m&BxcS`U+r z=`hM*IREwH(~CYmYij@jtd6iA9$1{tLID)XO!nDe?*iK1(Rc6!2fRRl44Om!Qh-pQB9IyYcCZTLj_*t| zk9F-gq*Ud5d&8JYLV%sdIeF`_7ZMPJvET>nmZ)jmRQM%_F5L+U^TtRfL^QOPR?v`M zOAVnVs`(3{Xxtnk3W!ac{{=b(PP@?z@@f0Z0L?O5=&X{za4nW3VkkQqEV(bawk|rq zT|asB4SQLc7duYZjy`|!<5{0;Q#fO!dSd)}loek`l{>E|9J`)Va)9GF(#L^Bm`a}h z;Cr1Z75(D{DIxc6O~}}Zb>Zo8qXVsJ=IBWqyVJsjMvQILnS-K4=1`^?^5e72>`9V} zOy+Rx9TUFM1>RaKUMBan?8>?s#L^{<%5>dXOY-cD_&8`d*YU+a#*|mzV#s^iOj*iB zH1wC&XMh>xf1@lMmn`D+WkC<~scy{P6FD4;9WXQ4ozNrHrmAURcoJr)I$URp{)Nb=gqL-&8re7xRTO5pTeTZHedXZG! z6tNor2QX-riLZ_MmT*NXbs<_2|IUM~1no9I(F>S70{jg#e!RT=**Lv#VWo;t8R0Dg z?gqA!_+qsYC17H@7jftl&QgJbb$-B%ALt}R{0M> z^GcNp3@k0jzplUJ)#;$J_AdITmJL~?WL6JUF5l10Fa0ZJDI8@AVk?peVvZ~R4eqsrS#keiqsXeEzVK3ap zjAN`k>ixgXc1K^eW5+uX0SoyA(Y^28ZX3-uu>uD5jdO)6TnPMmwSx+D?6G%v-^*w4#07)msd=Z=qUgnkC5ovQuCD4v zg+EyRqX){hGLOYzW`Q3oKy-j7nv|f#=PKhsvw}CK_6jvw)9p!T?~_I(YWz$WJ?YM}rtjX3k{ylbKe@(!PUI7s7ZGj6rqzx1JK_WB zi%ARgRki)Mha1C9Q%EJC+@!nWC(KVP>Jx6+DNor2?Zsn&3sL?ju{Rv#h^9*AzE{yr zt!P@BOAn1oyt}!irFt8w;9eKKAaPE|0iUc5zf8dNr2~NU!oBP`?q*(qJ=EB;OL6=r zUb?v>xr(E6X;vrRXMj^f%zK_t#7UFPI)<{!=d>1u!0ojx;8u@oTQ#0di&YMh=}|7J zxsf?6Zwk886j*#XiRO7&_bKl5G^IJGDGbxxl!J>3y!XNgyca^Fwab<^wG&_sq7?`>WXWmk zIka_b0>{Ok_3O=nVFk;N@b*08X>WFK zQ3$Nn!rxO8YxL(St5C*)cqziOI$?*92MV9A8RLO%YcSrb@|g&OzqmQ){J^*;7No7q{k3B`yRB?YqSr z>WS`rnjqGLZafU+01yw2ICGfa$>grM&OEDZ%>4e`geS>qcwiPfOb~-)_YCI7I7SGD>%)S)j7P-CGJ{(vE}$n!SByvTYmwirl;Q znW^jJh&hAS*5%bWEhotrf4$`c9sxX@{9q+TSkj}hGtS~56(x%r{CEr7LARew-6UB)ejC@v3o;TGa z56LU|w_U{D7?iU40!&BOFyTf&)2{BH?m3tR*_f*raY+O=_;ebF-}t8;_`}@Wl?HJY z1Eayd8)oBe#)kPY2lAok2gHR3UcsN7g+Kg(VODeO0>cAO{Qe%`-3d=M%I2#7`ocpM z^RU1L-|C*({r_Tx{(SpKeGnbog(m5(hN`BDo-X*F^XdJ1{1-%Rd#X)S7JsPJ|z&_;-pznl}IUy#6IF{IQ zI2BCU3EfXW;VPP_%sSu0x&42fS}nEGGzni=cn^Lx*Vfc7ee+|3;pe_x9H@AC!A$97 zfSexY0m>gT9hYF`DQ9q*+7-8t!mQeBiJ>sArP%uvCb^0+uP^fF=$#O$s40O!I!P%< zv-m#M)Fz;2|H?66RX$p4Fw7ia;+A^1EGF^Zt1MI3VO_O?CN%+Jb`{Lx$(vOXzI;-{ zQA;k{Pd2X69qmmnf7(mmXm++LN2lF_Lq3|uG9$$*Nfx)l62T;+%LHQp!B7Z>Z_#0` z>eF|8d+N@ODJ*ku{_ifh9{vs}{7c&Icm64Q9d# z6x~8De)7ECosF1xqM^$Rj-}?&F`&c_w1$MsoV!VJv}LaDd{#GXL3I#7+Jcu;);u*K zmm_ownD^uV=ws%Z7zb3yiCyZJ6X?*Uxa^@XQydJjzT-q1loexB-8V#bG?H9c5>99l zI(k|`ZbeqCCfz`w2!m;J{%sPU=}-|CBq5T~mvyh0F5ct-)w#X+VTZ@g>psXotW_CD zLxb-*M;|)S7zGQ>?8HRbP^UtU=&g`Pq}(WmG2dyg9fEs@iX7YREaUHhmwz{ZA2H#( zJ&!LDtyz}+sc>6l2(^ACI+(wuMV9zdmZ6M^_1OeMfw*ZN$j7NtRY_ z;a0SrGYWDIqdr0JWqZwr{eu53t(c+S>4`=nyNz;J^o&EM1b%P;ZJG+|LB`W=)wvx5 zYMbU|Gi5d0*H{mdzdSl_4$ISHlnf5`r`)W6lnmpMma zmSh_V8*BcRD=-1kHVTUAyrf_mwO@S%yeKd#IOMP`$E@`wWvIt#&xP4YtGB&D!zLzw zr^jQbYw2n=UxFrvZBkIrh(2QPY~9Y4_M>5b76CV*wbZl`!2sDj3QvTr>s_7;OsVhbI@Mk>#X1NDvKNuYZwy^QsGpH9>jx zk(FP+To<115f!FU$>X{)wADZjaj`zlqjqKfed8X5(0=keV5Kk(SVnR=S7$)`m81WO zrvb2=tXk93PA$^5Pzz$C&KFF1U}bl$@O~6Kf8~?wx-q>ydyb~i2~`oaPRm*o*F3Hu zb&NKX7|jE?8=<<4XY*^_rifBymQreB6Zd-!<%7iDbX7vbS^6$(6t=Kih&q31W79u~ zQ0?{xX2S>pP#rjx@s(9w{>|^thN$nB1c;9{hal6^&i4Aab8FE=ZUgu;1DoO*uuLbj zPDj9H+Nql^@}N%NG{@nSb@aajR6n(W3V8O{b6@IejBhl&zWQu`RyET)e~Og~6ko+w zm@RXSDMMB(IMNlW3k^*^Zc6P#&GU5|tShrnK}xWwPg{0LnaocM2%1&RGM)qLck$HQ z=(^jlL{jg25de8zT3SUc1Q26hTeZ)z!nEZxlu{qpnU7o%923@Jk~))nXPUwVC1q3P z;&1B9D5%Qpt>5<<=}pUXG@ol}U22hP)fVdUfY G;r{@uNs8?N diff --git a/src/windows/leash/htmlhelp/Images/Leash_properties_krb_3.jpg b/src/windows/leash/htmlhelp/Images/Leash_properties_krb_3.jpg deleted file mode 100644 index 91754424d2f1701d1f9da7f84a89bfa9011c87d7..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 45661 zcmd?Q1z23mwl3PZ6Fhiuhu{`MaOg(6p^-)soW|V}5}cqx8h2@+arck}4G^qxXp-QT z5F`Xb?2@(i+ROIYZ=dt-ci;QIJF6Havuae0Q8NCnS^QZ1@fJV<(g11zu&}TIfmaUj zV+EiJz`@4;>8~E#E00Hrhlh)cM@&F~Pe@8kN=iaZLPADPML|YRNlrpSK}SJJO+!md zOM2}(Jsk}_6%8%TPbOG6S9Ngli16@;Xvj#&X#U&Jk3Ik;A=WI`M;t5;05&BS4kgx) z0RR&K3xJJt)!W}6JbWBn0xaySmyB0p{PO(%5(^s_2M_UC8gP&_GxE|O4R-jfcPou05nR_zS(usrR(Tdmg!d} z15^E1B&b9thx6|waKW_ha|khprQ2tC-^ldt-BT9EF<8s-yXWH*&m|g2-{IT>{3&8+ zb5b&z0ln$j!q+rs2PrEVs=k030h^vz??cCp5wXU2j`tWA@%^##L;n~N+rOu$a;tHs zR?6ir-C43vXRo4S%~`ya<-G9d^9fN2^`R41y;n8M@#*pRE?hh`1oBIrb{<-sAjX8E zS0U?N#-_-ZYq4C7uERGNKV5vb@p8n>`?;oMXL!AOcWe*+P6Dg7Zl0{#4sxV4r*rRR z+bVRNsi`@;$hKW>Ci(E*w!!^?mxX0wJDVa`UY4DZ_yUuLG-yd&HU>S_kH-mF7z=H3SSjC73%so_1fI5d9UM5k#l ze8Yd9uZpO){u-^MzZ98I%O)vM2J_%ob2A7qW zR~Lp@tl21zM2|zy5XKo`n3+1_%-Nv!nh3dS<4t1~T}*iBKN>Q9S#XEWH+Aj#P9{P6jpdxyh%EpxRB<}XO3w1>(+*%b5C zU3yAKUW_wEm!H|P!JY*HU#C7Y#FuPZ4{KZz>k_}Jj>}rGou85hK4)+#Sd6?j`!@PA zlY(`Uczd(sCwBm46Sz!=<{e%07=gdMUwJKj{WT%ch0ehSY&=(*oxMn6)YSQ#y^7bD+n z=6X@3I;?hCJm-2?6fuLDX@+f>WW;j8?NUmBj9mYkfTU`246byO*AQS^0dt-&5Po|; z>EpV7_cnkvSm7gU@UIK=7hODWSUmO=PtbX$fe((&ox$cY!yi3RJfUY8!he)TeY2b{ zcu$%V?-s82i`Arjcr`4rJ>t#n@#a{i-vs?db`puVgXG;Ets~FQ8D$h(G=li<IQ5iB!;WexIHn3bvO9ihkol5qv+#AMeTSqv*#MZ!(zl z?r+ZZK-MPfqtxyIOvKtZ?cz4V!)T z018{WZvC@)3d07?-`BzIQ_PAi;x~5x80FuRfImw~x(Ln>?fkoq`z`0jBkX_H1YrMZ zR|SN!c|Xt}vl_98y(tplTO$$tnbR8*1I=viRCLorl1&POy{3|p8DD!KLBTGGc6!al zl!A82zq9*GSFixa#UFZUXfF&**2Zev^o@z+wYYY}A9vx>?1t+-zTv3utf%#d+JN7c z==S>dXi>IaQRF`1|9kR6f;sDI-I!LliQJA>`lUfavr2WIX~Nv<+^U;ENot$eM>|g` z&ce**SO|M7RW7T{1Xn$tq?)|CE0$mXDygc(iG{!V+#xWQkh}S-sD?kWZ+ndJ3TF2m z;Ux95pDSr+rUtrlowc9s7w%Uh0&b}$(Xj(MoG4MDs|gP?RXZ4xRUI|?eOy9f$rd?) z4~EBbZ-}bcT;J_7X8>MVyJWcGBV68*TeWm|rP_X)%?2QKV$!<@A)&vp{2Ngv)4zg( zqE|o<4;v2$7yAmx{)!f{ub?az{!g$fNku14Att57DavNRuF4@H&3y$B39mpU79O@% zqFyv*KjB)WXP>M!vuF~%CMoCt!3RULsN8NsbegCfREim6zZXC^BQBhnx-Cc7W|%4+;GrNH{OSGzkBf87>dcDS zdR#-hWo!0*=eds~!l$J&%aha;1{2#huq8dMrLB%Fr_A~I;R8mr={QFzGy9DaM)qGk zWijLb#EYpQ)G@fBqd1YStlj1bK9IPD0_V{){Ldigt-!3C$kGx@;nhd(f$#~LPqLDMX|vx;dxac_EiAJ1 zWG)q}Jjd|cvKi;@n;5*m?-vm5`Dy|-vNDitHdtB-yk$4CU{@D33#&2CQyX@KP@sB$J%(vSctSTRiJ4Z3jKN zTBlW|wrr)x%sjErl_u9Yto>8StuG)b@Dq^tgVxS6p#TP|%Q%Tt5l2857ZxDq2}9Dq zv~IS8-|<*gD!ICCX@{}d@2Y9jOAP@A2b1eO)QR6?gl8e@Eg+OZvOW>ZHDU({xfI!E ztecS5{E=X>@u$5huLqT~qjZKh z|H@}SuAnp<-|7ky0WlCCkG(vrxLu@2(-z5oW*Qk+BP-^|D-#|1t{ik3L# z54IdPqtp(VyQoBW1!5P=yr&xCc;cO|yP@4YIw>jf?;ShYF9ZiV`Whuvx6PCJUE^78 zfh5Ely}y`D>gW{Bvt^8|Fw^`WI1PKzOVVlG92Wck!r2jw$=M?IuV3jkq5j#q*TaCn z#5!OVHC5M14+@afOlfCaruX~He1}ZkD&eI8N!yBV z$Ny-!0|F8nNYJ<#_>YK+ zV+kr|bjZ2tkbca4y44_QElu8I9c-abomzLgb2R>w2R#cTmD z+KcLQJejC#Bi-Wn_8XD$)f5OJc*t>c;^+30eonRlEV1IQ5~c}zNfWM?sPDpaR_o@R zmEV(lc8zYN7U+>xuD4(YYmK+_qli#mTtXZyT98FO|Mx^pAO)Lj+K1iTPduu~fbadl z<7x*NR@9iS!;6owT3;x*`$^))(NjqC}&>hQSFib_h3F#Z* zNPuv74aT3yg-WCftC8EZ#+r^(x^b(!W#buUld-aMi+#xtifJ{ddYb#di0;9fecr^V z0V8lpYu^4OO`OoLH|^o>36VS$o*NEd7N-(-$)C08B`DwJ~drFp$f^l>vnq(u{00dt{bo{fT;*Optrv!~LNmBj*&UY`!Af5u#G&*Hsn z@s0w6PeU!Ibv>#!lZ4ax)T{-N;An4C&7=Jue^XA56w^EYC^uY)Q=Z`IR$O@e3e#k)lg7m@M82#Lu)%Wv1 zD0Nn%e5~FOsp$aXN=-5br^`6X&wY}MzUAr@E~l16i&?)R{nEet3`Iou#gc7HU_=Mn z_kkvB%x)OuCWPcJH?j3Tk)r2S*||1P?h4oc39+Q`9&+9`khyW)0Zg6?^=oWOD6g zxaV=)9ByeYH!2z=y}BP19^V+}!R+w|t#7y)Ls+^^ zJXl!pa)mXb-JzCXM3wu*i0Se?<($@oOo|WWuXcsI-cP(K`v%Q>p1q*!oSL0Hi<4)|Qpd{@25=$k z@n?^g--mu(I1Hn~PLdJuj=AdSXvjzHy~ePLyzDEjNZT%X2$3P!)TVNEfFzx1=BweZ z{3+!P;ZFsDkDuL&Pa_&K!9aVfL?U;Sb`?s{HI*h4E!j4%3s7y%X@G(8$f+dpS(l|QC6z$Eg%!@ZxcaQ)=&RGEz+6WbCwAYJwwaHH50ESuu4}a#FP?xq6xk(6R_K z>{MV$(#nXWfAAewyQhCs9jT9GJA?QPP+Sj%7Ew-vY1Tx#_=uZJ6&w06k$#OYDvd<3 zm~ky!V{J6uu1eZuuJdzDv zFcc2T>C9mqiVl`PB_q_RKH!r=FpiSh<2OZ^Dc2Ou8@T*O86?8$#J`yhFSoCEmi>0l zOa5U-{*m5K^kmqf@pcaHkc%_nm6Dj?+uUYMn_b#r*rAR`wOq=286}u#ivEV)W(&$^ z3#%126xL>qGp23dZ@ia3J=0%=cTFH^N~AbY>GJlxsZHtvlHzl^7G1ml^m={( zqC$$k<8OF7*!u~xEe>=P)U+^FB)ujPlDi4($U+<#msH;<+Rqm)xYvH+a6;Hw_xNn! z(GxBGr0P71xV`wYu(bZ`2@XX0Ep#bn-7W z=P}46F^-mcKK0yI&JAehpEm4Jrvi#Uthelqx3iq%qJ-&Qx=n>92X;BW#)z0^`|UBe zG`Dgw$j&u?^ZK)XKI$W-q%;WFjf6Q&r&~>>t0p#bp3!I_#2Z}~bViatdeKj>>a)&i z%sMABp{Zn1*=ar<3iqMJE)Nxkzoq<{*I#GD@9C0OVTpwQz9S7T{4n?rBmM)h`g^p` zg|WGY6J(qso5YkIj1w7BcaxxhNORz+v#6}tvA{g zR4VBZBSNZiyp39Xr1~2W`2iqGlItnRcl+LS_;RnMC$(?o2OysRO>Enp(+RC3^!qIq zN{0`H=)^KsSBC#xm7{El@C5SX&`D--A|X2;<_@+JxM zmU>cqN(nn3Q2OvV>u(AFSTP^IVSbH?l!YONbZmLV(&$GL?1sc`8N?E@{!eC5 zj?cN9|1_MJse-Z`U2yjDRK`CO>UyqXTdE4PXY^lfkDm=Z`~b+u6qZK% zow)NPGVW$#FM06hHBw9@oKC-?yAkQZ{*G~yg}Z%N!>sm2SZt#99?|jG55UUq*2()V zGYe;X4c&U=S^VkGA8a0#-&=&DYq6@8oTsi)+FX_i((EtSGL-&IU$5Fjd9d&79?B7v z*Wj==t4qn>XHsZ;HSJ*VA^uvQOfpowCJ!MluEo0Q>Sq+Kbr9V5!21W_(!txz{T&%B0}Y4V zFikim2+RHQL z_?JV=t8d|Vu;wxD>!$=NVDV7{H5(L^U3?gXm*%enxai*r#kP55Az;!i}6s$DB=tL#6Vq-$zyV?$sxJ7g` zpAidf_g)3incmX3e{?05FeLyR>*_`UHXiP8f?-i&vx`wsi7F`{v4L@@t-YpIiW^^~ zto>@Nvb&)m~aXxaB?ZzoP3-XRE-*jaQRPeO}1C@zcqto&f?C(j$= zyZkSVHD9%+0yln1e(aUM>eK0;ip&vD@ATF@Z#?*C1>bN&wqJcxbRMlE8u7-0A|QNP z-nQhb$WOflUwT3d?$%dHePGSBxyd*aUUT;G?Q&w}f5W$2%?=0!;OeFZ79J59{?)Y+ zY=Wy>8rV1hTuLf-YB6!;6b=cnwO49d^E4g>4X31(lDBVIaU)s<()42Oh|LBuL(3&< zpsMB*-e+iw&mB=xy8i1F!UEvm!FC&|DLZ84CbzbIWM^HcfO#|Yf5V@++d01opJOpn zI_p#*SnZoZ^0|)!YXu%M=t;+r^7_W*RDWaQcO8=W%rnZVc(=CT@}=plBSM$F z<0QZEgm;F?KM~?@iv`mT^}911kCS9%3YGEP72crG^%^gr7w8n}S`6T!Fj6`ve7Pm# z$3HEd_QGN=5`Vs)p~!eSmG-69&~MEvO=w>0qK8pzjQ9fsTS z&~AM#IhZrAY38XuDAY)gtd$p_y}EY!bJI9k}&LfS=X6vPY2LW_;L~nU&{d2ZS@JQd`8^asotJ zalpFNrN>Fz_>kqobeK_DtuKCf_8xJrG>_A>^q0svZb@WIkL`z8f^e#YoIJykQCi08 zgq_$n^O0<`cF2APv|F7YtQ%CUk1KOisJdR;J)MBO6wZ{!5a9B5Fd+rR4AFI|%PE#1 zB&6!Q%jq;hX5B`v|AHaJkjPii-{-An@2#A4WE+yPsvfl8>d1hKekf}$!p-eu?5N~J!>hSLMb_>Z392P&)d({_9ysWZMjXMlupIF?!FTe6E;yaD%)>PHkh2E&R8HsV z-Qhtd=p6nBci#Ju)vEJ#%Fyf}OC`C>8MF?)l{F&-DO&Q*y|V1Z&o@bS8|2Ew=vAnH z09q6s7~CRTZQa`Pmns$sB9bJzKMyzkw}_~_=_Aa2PL;cP|F;l9F@B+T2}^{*XTlTy zhxsqHUyY1$4{USK<+w##m|_Lp(v{69{;a&|QKe?h*fvz#SncY(^8Z<+!Kj2PSpax@ zyYu>d-8Ie-2wU*$#5ECAy0-n8nPi(vT6YWM0!#7(W|Uq!H-9w=+bp{D1G%0EJ%rWp zF+`agWN*!ry$e?*YOyCAbSkbD2H%Lr9dlNN@?GyuQw!JNvc7h`+$iXGq0{!-Uo^-}mpRtm` zEu_o%Ah~=6tR!xH=^9fPu0dUARG^f~f|zvpdYVVP!*ogU`IFbtx#r;?QN#j7&!-k7 z`A6G7L2YZT;-l2H7Q!wFRe=@_7;|+{94F%(cFCJ0Ym(#Vn3j4OoTvv1o}I4c-1g5K zbw|3^2)#z;o8DJ#zjt`d@S?J-;tr{~;xvz@!49t7yRDHa%Ya@V$8%ql1DdcD{ zu4OTkBqc1_Dp2eeF3ip;YDM7FXZzx0yxu?kV*XI2GBk%@YFO$Xr^sAxDkS>-t2JY$ z8hpvco&EP z1#lie`W8c9Rp-X8`Nry{A0atlRiKra7~QhAKWQsGYNDX5G;#~y?ZB;_aaQU^k# zL*K$pXA=1=bv?uP=~gs8mY+v&NlBsxR0sDm9F}$4p7JcQrCE++LG^CXt44O(e4nzn zyJk){*-MyZS!Y$OCSAhs1@cGZ)G`(w#XTU^(JAgJq7^D~G-YXMFU-lzb}!-@WjC=r zcN>_e5|0~-!B6i*l^>9btwmuYQ9x*<^m2v^XrI}$e96qS%qTg{gZ#nrx|hGCgSjuV zWkV${PhZNM9q6Yg4I$#zso}-4Amg)X?=-J%=IE{l?V=kL>>))$tpWmE3ncKb(2A@_@VXaleiL}J^CPzW-*cS6_L#axPaE%Vh)O)k|t-nXMTz=D_r^b zW40a-56#>N%a}^nJqGcFNJH@V5?7Fr=%3o($)t0IM(n-adn(5YbIeV0LXDq!w3^n(PMqaD@r~(!d?#$syM%S*f=C3 z9#<7%n}#@UjwWVNg|JyiN)D}{ju?lD=n{I>e#wwc&D(m5r zS1NxyGbDr&k*p;Z2V>5pBkj-$3?=4$#g3rPQ)|+wbH#0g=+wb4S*rV3K+>>+n&OfVIfY7yD@rp|q&-N*L8@ zJ*|aeMmOa*s?{mrAITp$#H$Z z5A4?hGsz8|r`a<9BG5QruijTu=JNb2E_cIb1D$zSI*o=@^*u_DVbQ3I%d7oPGpz5~ z1aqc#%Ttid3>d0ELEm-p?1Ihkt!K$g}0{lfU|iS#~x@yMQ7! zlg=R53w-ARrFK&3>!7w7pE&I>{##E$lkcey4Hh^q=U)6o zE!@%z79O^)|9d?n7x5(_oWFxOr}8Lg=#%t+;$Hw=4c77o`uJVk-#smk@k%V*$nr;1 z4afzc@ahe6{soFWM0dL+MVW19#q!1k(YvD<96>wOEIvBTfBT)w-L1DV+1Xy1!fxbv z;^BE`8w!+ZerydJ_Ct9iOJMNV{j~+HEVVwv@AM9T&^fhE%QA1eG=v%CguK9LveL!^ zTk!|hPoKhswdV!vt(dLCZoMbi{NwQ6nqYTvirPa0(OXd{R`PTqObHWOfrswYihQLS z4Wm>EIbMIjQsa){$U5qOPIQm;4Zgm9X0$kwIllv9B=QhG!YVeD8K$=<^?WC?p?pi5 zPfFXq*y$X?Ck}utn^i}=wrV%il1mVQzyee`%Q&jUJ9Bi%?Ue~gS%q4@ zEnxt+IB_0Yn)?oJ8KGfKtiPpk>eMPx3>C7ath1chxAR^v+CDdM$4hux^9^y9enh#o z*(%}cjR!$0wxiUn23aSO!w4RQVzDivCww}8$|PQb?%}6@(EFnNnb0LA#QE)s%p3>x ze$tsY>K>{uc^##8*s*Q}&qlU-sp#o&ML+>Q5#&w#uY(iIqVPeD!?#PAdL8V$8kTto3+>(}ekW5WN`Dn(HE~ zfx7ACHMNRXp~K(AUKc*%%Ya-LqG@#?5*T9eo1afU^Hz3tyI%3Z9dRqL#PB(?{D!?A ztRyt<<{$=u+Kg^W$5W{SLa5A#qFaq+BT6l%yde_$HdSU0yIj+nv<~mX1jgJ&P{gAE zJ^=y2#E_3=!ePAPC#gO8FNunw?S|AZ2(8;d$ocRdWRZC|;g`GPFIcf#14kp%trCdF zquduc?hYtoN)r!3;ScPM5mBTr^_J`(xhTvmWhXnn)^s&YVkK%P!sELJHp8Lqt z_^gc-FolGm)8GPTFycZiE;NS2VI-q(VS`rPX-&z;OF7%N%Lx94VSN-t&Me(mbBJl_ zqtISr?&8aHvB2|;;bAz;y#^{aQ%AN#%t6hwIrmTdz!?r_#F4A9l;y8y7~S5B{l|eQ zn%uWMe{Zw5n}SxPI8h9D$}KD<`=O=JZ3MM{=ES&0 zG@_#;TJ7egTM3MUb z?1m7iYmPC*JdzLNQM~c|c-RM#OUX48>*dt8Lapi?=SMuybL3TseI4n;d4F`uU^Q1t zJ!I|Iik&xqI1;x6x$a%Ix zIkK*8&sDM5okNr_fkC(UOJgwytAz-~`+4g;nxS1Q@pc#ixU=U%0rz!*lN;LN2jp~f z=0to&3V}DyegGca-b15RFr%Z(>5SMOYq6fZ27RNMYvc+ol8mMm@lz%&g0X9{z}VM& z7gW?@_AmHB;B^V_OrrOFJ{s+N+K+s<>At!+Sjz8SYRcpO<`43B0Y#H4rNL;Z?%g}_i*JaW&-GY-c(%h7D!$H84@0T*#?G+@Vx^1cV6Vd~a8?wWTUQB; zm4kQMNmuk$wdFtM8^FpVJ&SxL#xs_<<;~0Y8CVB-@rhKIC>pZ7wM1Uc(;Y2io#m-g zaYIj)hc;c^#ab`WNq3aT>}Es?`${4lCP+#qD@Zj%om$f@aOn=pc~GnB^!AH2moPjdr1gy6jYb%A9j2IYTxl*(2+GU7jVJx#zc6i`QQYMuV75n2`3IVD6l zUvXYX-|H5+bzapW^B_;OrtD*ruyoZ9gfCDLUxBHQ@hHbKwZ~GAQT;n{`e^wIMr7JF z$K6opAq7(~Ji|hExg8)TG+{=36o)^bNu|Z zorg(Y9MKMtWpCx?&yc|t*sP@N)W_u}vN855Q)DK6Rqbt<*32?8#6+&G4Q$G=aN!iH z3WE@GddsqRnlQWhU>)seNZerZRdCnJ43tctwihS?#g311c!Tlx`14(YKweTbatD^M z3+pFjFS*6%_=PI-N>FZkOnEz`Hc&G0{%dw8hUAhtR;hV@wu$6oyi%eAsn>5BR4k*s zUci~@y^SufeTaFwijQ5hs$H2}lBNWdeVn1y_(FhY2Cmb$*olweDsrSb?-#J9s;jN& z&!~0QDhIv#2>$$BO0`psrXxc1z)9T*8mgDI>L58zhC+;Wy}gN@Nu%P_YTQ~p#2_P+ ztfD@FC$I&k+ubJkoT?n{>Xsdg54X9IZMhJ#(Fw(v_Sf@?iwI2_cd*+Xd8+yVni?|Q z*(wtRcCMd3HvFg(k+=yWoq0?I$aBiEEEHQ|B~@V7j_PVS8#)b!<{5tOu(5G)BW*K| zWaG{xJ~fFXzoC-F1} zMG(-1KI+lvfl`yLO3y*42j)o04mCxMt6uQyV_r0QI}3 z-xYyPy9pRt6TncR<9WyZ=zf9q-6#|&q_4}wM}5Alm0o*oI3weA3;&LVcYJN3(=qy1 z$<_<1I6tlI7cfVhFBFvBN6|gHpSc%vrqKK5FNpJj4YEyhE2UjM3*@ljD7iJ#xX6o` z{GqDnSMu{Pd2LQ|y*3DE%2F-wNapXV=qF6`%HdS#=0NAT@R!%Jc&<~?WiohTU|w#O zwC;~9Fw$7oGHE%YuPU14qwFmjWOSM3$h!XR6kgR zu7h-iwO)BKJe&J=blzRM-}?E|^=~)<2m;xmzjQ*kSbz{naxWHWhjERp<7-*&NY+dF zFC%idNy3BdoP?DmNw zb{~R7otLj6O`UOpEYQ$MkDa=S&rkrXQH zZ&kW`x0m(YH^lha9o@fg^}yJG)PXVe=X5Prsl?;Tv^Qk!=bj>hZeGV&B6<)jhu_$< zv(2KjVH9N)r`*q7^zg_Dvn8&Tb$kJ;k8`YmoK>QEW7g>OxKV@LWlhWTQ`Ps#tiDG8zTbb+U>ZvU)#r+du4Ay&@?F)qr+{ygehrSHtNlO zuk|b9?-!Qexp?w9Nh}UtoWS+TXari8M67)gFL0%9J*VhcVt}j*pMP@ zwX_EOxG0ql!VIqwv+M*`$iUS#L8P`RRM6XnN>7UK3|)4U>mXLZpcqKoaoDNf%UJjW zK<;Tuvk8Se^|nJUa%t)06f-^%iXJXN#`y~49K@=FZjjY?tjsP#E5V*9;} zJfmj!wtiBpD4_*Bff?l(!q~cf9;f0qnl8|CE)9Z_G4D)L{(^Hr;B9udw|^p9+{Ap0 zWi~srz^jmeTbB+U0Zt>Pt$uXLW4rj zRc~KSAPTclyjyDwlJ?l@qT}v9=l89Jx9W^q=921OY?u>1bCc!lV%Njd=E20lb7^so z^)LV324g(1k^0194G34M@O25Ryv1QQ@^D|aFY0}axuGLpiF3^!M=N7dMt98xESY8x z?o^GME$!@2mkdomHxpmC~|soo(o zr&elr%ezdCT;9gKNiWERP@o~*tUztJE_|dwyyjf34ty?P3ZKo$x9YuZ7WVb+t7r1j zAcvcBnh<~`qWooE*%z(Ud|1_?ne=QNMH;rl-L5JdOCq+XBJ0G28rZ@Tqj|D}+~7zO+=>h)UmZ!9=W^6*zS8HnegOWRJ($Hd z5!pXtJQUF1X45iX-!hi~9HZFp+**@J47adRjt`wE1Djl%T*adHkW8reStN4nkIym1 zs^c*`>;yTm!m;=RXytPOEg|n*Vs0=8D1z*08HSjynMC#IZ&CYDCtXNYxg|8Eg=+^- z(w@c4t|RAsknErBma`KlykhI|eM+gl(I3Y28fH`9`4O%*DDEFG98SkVpRV!~?fF}h z_`ERG$to^M?>43_15J!|OlP_~*T1Szy>C#vl;p{Nb3|dTULRV4$Sa}2p^A zvAu;XPgC%IB40@R)H(`7vrxc;h}qm>cq#HZgI3v!YvZDnZO7N{ehJB|@K`l;_;I0s zWe&AV%a{OI&@T`hC&sUdhlh*BO{aFmE++bY)3#x}Vx^5o*R?j787$+hO*)1zId5|Y zpzczi#N=1c?e8_%tTSMztF_M4h@s>27P;8;2~@)h-(uVrhNj{P+ZY=RXWSO#Jn% z_|&TD2Y}(@vp3f&{>{51p(ovp8sxig;aJKVkyroWoye*6q9h4FS$(KPG67DXy_(N@ z*{+dZPMNQC#Ah&+lE}%ZA(=qwRT=Ltg|yZBQmQp@3`QMA6ed5y{Tu3%I=FdUsQvBe z2LSt<)oD)Z`tCF1h%?p;S3pr&Qw~@_b|(HbDwN3h1Mgs$+?w-oJY!Y3V9Puows!_) zht#Sgsz1|}338}4Lu(-z{sW-Z&u@_ho-8w{N3$@Mr076vHcYe5?ti2u;LFpfQM(N{ zSzOK2^RbvJ5s!Wh)>YQKm17M%+KJ+dAyHQ2B8in(p#Qe3Vq)>aWviUiO;HS*p60%f zVl#Oi!%bx@4#!^WSc z{Z9DbPKR#d ziZS}G=hT+kAn1mY4_!-q=k^yLjqy$wG+7rb$xpfRY8i+?6b;5C{AZ#hKRLYyQ-a+1 z0r2|H@HdR%GJkhNG4spXcag0xoOeUjns))Ut-?xz(w`~~71@W|acN4y-S5&5lXhZO zv2+`vw95x-O#z_LS4KsC+ii54{j~@Y%L*JPAl-aV$l>mNkMD%hQ7Ef-Z+n(`gjLiB z$DHyhJL?#p@lAx4@E1~*$Oaa>^d-jSNj7q>mXc$Oxv$sh-pw4MVFpl+oS>pZ{2odW z^k7?QSCbJ-7wDOW2+Lbl!NIDQV|kRFGS{B=zt*gIHt;C=zn%^8os~v?*l7Y&oZqKu zyyo+6yb>h7#t@)_GH5Yw87K6;kn?MFzV5)!Y>-LS25BjOUX-U2D91SprrvZodh?Z% zc1&i1Qe{KUxP?pOV!qba*h%kwn!EE1p`u(@-j`xJo!3&C`!hjDy8kL6aJsBWAk;L4vpGpKv>tQcy%jaye@i{QyAzOO1pm{!d=rU%M$! zp(oo1gTHO3&E`b^?ZiK*-t1Ar<=qc4y_*Ah?a_)?zfN!Th{ty2`PSU*s>k8S^u=@A z)0Q=YH)xy5?*=jJOFsG<8G$M&@pB_%N?Sss24ST0b8I7gHk8uAxGSi{ zKKhN4eZLEem|=!0sRb$2kU18(S0rRT9J58*ff$?M;@`TE?5j-2Zti;Z5Vj8fU+jH# zTvXlG@X!rIH_TAd-5?Ap&Cs3F-6A60-Hmj2mmu9pr+_pFA_xM4qTi_ZseAA9=0EQr z-^~7341sQ~i(P^d{BzyBuiQxkf+gTT{{!Bi{MU1}c^zc<_w=xxFG@_*a5 z&i3Jv)zda=6Eh?f0@PIyDP1hTV#NgVu~`hY?1gQfdo|WXfxXa+T_t@P^fIH}Eun;R z3f0Q$Y{;1*^w2bU7%=Oa%R{wlPEMI6n>@nx|rOg==PEpws9maso+7 zhsYD&tzum|`XCn14!XIQoYbuRCUVV!>g)(<0K+Z?I3ZyIEGld{htIV9ATqvW<&1eU zm+f!Wf7@662i@4eApsZxi*k#Nd=9Y&wA!QpZ6M}fE2@9bKX1v#Z%aDqb7Yty7RWG! zE(AyH#NWO;d2yFt_%3^xUX1F>pTd9YJHYT}k^0hq`Qg>0uWzrWpF_XIW){~l^?tTr z@xPHyj-x1?tR&EUDbI^*F*sR;QR3(-FCPGrK#AhjX#C|E2%^B+hX^FVJTyOJ2k6;CnO4U)k4W%(ErIu2n zXDewnGJZEWqxr_{fpJ3?nX5*$yIcP_D+KvclE*5XnG4`C2w0owrm+spr<@woi$l)vBhCVJ7zC=If?-_ly@5D-C()pBU=F-f31`g{uB~?;g0#`YV=ZkwV#lXgOsOsG zLi{tSxY*d7h3w6$f~sOmgW+;0&b2RQcHV2BlBSMi_!j<&>$t*3$c8Fkmu01SP{+Dh2fz#GI%|=e3p{E3@+~8j~{{<5{ zvr-ah{wCl1i+}Dg|G6GwE8|^T5i>6DlX1V?_mYjN6EaFHVtK7&VKaW2y88c-{|Q4x zjT>($Ub(oyc1ivrdK@p4Y-Qxw+P1;S;)-O7K~TL&?IpU+bWirGi^?VCTdc`Oyr6== zY~6>E9D4C0otww6@$zP?zBC-7sU9ufuUv+deX{%Z{%OC)9iP7!W%hZ6PL$Y45Tnl9 zltA6dnubh+$K0*MmX0ywZ%9*Hc~~5*v{&>`)ta?aBR#9&chr>ycmIX{TeMz}XuA@# zvmk+glg7_5=GN%Q8}$yqZwWmryrEqqT92R)OT`~d6%l9y6)9g?pf`cTUd zZM%@|^MIY38skJO(WqiejU0hCi7hsXV;h}4cW1VNdRn#&S0z-X2Q}MOV(@dHv`{X2 z$oA&51upty+I^Isk1dCddrZxu1R*}zWlmyy9X&iwy6W2cHV zNUb{wwF<@knq=yZ1r69tjO9}u$O&N+1}OqbDi091S7_cC);Nt@ruz%Ggd#)9QJ{Ne z`@eJJW$9vJfs~Y-Wr-64i$apRT!|34Ne3R73Xf3PAw4f#rIBsOtqu%>9%!~XdBRCw z_{0C=L(RC;QbH;f$7%>g<~ji0S*zWuyauO-;NYD>elg9Jeij{EsErEgcfdcrd{o*2 zR6C{eqfE-o!Quq@#H)plE7^;)EB5DVFT3s)^E92=VNbGTd9a^Dp_Oay zGjqIzb1bd@)eC}rB^0SJoY#h>SjXYNdO?0e0NJg^Q*TshJnnidVMOy^xtNv|uc1{` zRR0u2OxaWGkW-diSGHlQQ0vCdd|N9}FfVd7{7Kl_uYEII>1>&N=3VaHt`8;8D??|g z(kCaeM;@>5UH^a3zvsX_j0m5T?!#0Ui+v={IH3aJT?4mjvt} zVd6P3uwnKi2vX3u%?bTY^`AI+_I!|s8<#}p-oEoj$MZw&$%fH#XIGu)6XW9#-HRK~ zs{W6mi?c8hf*$o}o6S-R6MK8@s%c3(X+^h(E7(j&t08uzNw<$Pe6H|9iGvp7XT_m4 zAFJUu$rlu+|bn5i# z2j8o-knLavCz4`?*^SMbQgfmtm5o`)>B5qXO#zH{Qm|nz9{AHfNHBIpTEsni;jrx- zmG%iAoeFDwuU6rI<9eR@eE_k$Gb=g?DH`+84+y<1j77raS&;eqhH%tT`#a!ssx4|K z^Lm`-@WN=R6OABSBtj6)DY3pX6sc!nCwMI_cJ>*MO%(T>dB0&|{|SD^Tp4j02|O<2 z06*-A&{(%c3L?^+RjFGR5{m^rHtGH&N}68sh=`~>ng#aJXhi0VNsFJF9yemOHa*q#suf2P(-F>Ek0C!!~C5Q*>?c{Mw1mx zov_1dY4HH7#dko#5BLX4z-gn)>-0_A-+G~VtPchI#0V`RopxCAwvR|#KGTj#kvABM z#k$<_4IC}w6#ZWWd8>+%0n116lwaeePRkzm88M|9;Yo>d@LpN>N1#5?9&0QZJy+xA zqz`n}AKP;PBi9jVlZ!D-mY6Lv6A*FWV*rrX%#;}v9`Tdn24~ai`;8#7G$4|T>Ib9Q zhLFgIX=g*f1A6I2Jv$#g)3;ehBJV88<_;T;9zvxQlvhr=CW&rko%KYZ*h|Rs$x&g9 z58&QJAjDl89HJUk5*{7o^A)T|>wi5JGTH$xce&jg97{H7ITO)wT-~J-xupt!Lu6(i zE{BIm6pSQ4y1IhJfyT$oAETDqX%`$|gCtYN2SKrpe4T2|*Bow9!_`G$PwVkO>M5~Q zseB6)DN`~NN$#bW?DEq!?xk9L-_met(0Ua_2h%<3IcfoGF&nP!+?$u!5#fMY<~3P; zk*9jtLY8N}LrjLz#sD>7wKiLx?G3A-!qu^kVotu^iHMT{ip#O2z=n_$T2& z_Pkh@m=g_`cM*-_0H@Nd5<&Oj;KR>)WAw&ysbs-KjV5GP?XO!#W-(&Fj;B>?plbJu zq@rUGM}`IrnX+&P(D(6jp`jEb3qZ_m>Wie23o?q|rq#En!yB-Z zg+UrLEO0$Qg}?#DYh^M&`PX3%5q1|RZo%kih72TL1?^@fiZml217#;LF3Gfz()wm< zeHE@JgSCbFkT-(k0=|+`wqYsm%UxvC7f<5svPPRaIGaKRUpI#bzd;p?+C9dQThsmE z+?s0pW(F~PnRF?k8?hvu!aizOcw9q7ui4qB778h2A zouEwa8Qa(QqizU6B|DNz6NM9C^Nrn9+SgvFDU-8NFDLAHxr3l<9Z^!Q@~d<$&0y1d zjqEhc2_G-|g_dK2m&5S$Pb|lTC)Cc3I9UywQk34SD@`B*m?V(a?ONzrtx(?wM6gB0 zQdkJV?*NlM+81=ni{Y`jM=iC2aI@EwF?ga*a zDL))2!QzA2tV^k44c-=|c4u4RZ2cY+R63f+K850uX~IC0XD}}tj!g7!MTm*^r%zDU z$K=uQL|7HB2dc=!TQ7$fNF=qV-T6~LEfrkag^)8^;H|A`qBW>FRZA*ap2}%5y+jL+ zT_!3kDU{&xaTps^D7)%oj7&%yCC7^D^t}@%y5?`LVTPzSS*g*)mP+Zv*K@B1lpuz# z%4gb=7EngoHe?npywws0&^Hta@(z_NeZbVCFyknK#ISG!wjL9>78xPRXf~d}TMaks zd^RLu><&`=SfQoNpz9DQ*c3gd20Y;Z*;$EdM)0_$UPj#x`R??%nh4hA=)7h*B>c}1 z`~L`$gu1|5w^B81LCov^@1y<*nY^iP6e}Cbh1+{!(dPU0@yG{q|F>0C;x2E#GWc!! z&ne_J{k-c_*2G*4MKp5Quo*`;WQvQE&rRug#@v>(ESl~X%|^c_cfkIN#@#$JZK;}m z*IjYc$C;mOY4IBn`GA97T;cl9 zC?Gmare*A_fnjh(Kq}dVtqD*ZZcI$CN$8WB|Ljk{;s|`(%T*)4h^P2eO$5ijn?`-5 z1Zm}qEFH;~M?Nn}K5Hbg)ulSxfA_B=eMgep zlhv?$gY^;)rooo-lWy9luf2|=9i=om^In-e4wK~O(T+!?v^dC%4^7c6XPvowllT=Mr6$6yoDC0>(|_5k*MGQCf#bxTThhApbN7vjS0fiqC zI_nl-P&d7lB_S+LiBZH=!z;+86veL zb(I>j@XOdhP7(aM?eFA5{TQAChBxh$ea=yPU_UKL2BB)j3Uj+ z6UOn09rQjRf}-X!2^8SE=ySK;%~wQGgO^<3`|uv=<=WzmHNs?$8YIejXS>PpaznLM z?6J%p+GbnWhYvIm1lZ`_50UV60Pxj%ukC!4iEy;{?5$HJtkG)r_S1M@@FIwWF_O%P zh@XWgAD?siJD72rUf7Tp*y(CY9wVaVZ)0C;gh^<^&Sj9O9N4XL2}Bpskzf?$<*z6{ zYaiNQmyMVQT@fPqw8t~JLFF=BG*Z(j(o?x*8OEL~xXh9nfP7XGWYsX#)m*n5CO{Z> z@C!Sw!YyN1Gh1qg-j19?de>CHzrSK4I`@LOjEWLD#Q`EF&EzJdL9q6UC0$@KZ1Gm+ zNWq52Dcey-Pon^*)ribGY?V}L%6u*zMnz%Abh6lt@ws!BK4CP32XVWE9WjT%Mwe}P z>LW~RG3}XW4BJiyiuIGhJ;#b|pNR7Kn}M+_ZwFH%nZt40kq8R6#iJ=W<}@<3*1l2# zA1b0ZJ3Q-;eTEF$Q~JB}Bnn0o2@k8|_yF7#Yw%;-=gQFJw?-S|^R< zvIkE-g|4t&nCI>m;~!h-PFlsU1b}$ZUBk;(e8SJ({p$UD(gish?fOP}EasF*m71b5 zuD)*bO-zAG_;KNI8|bzV6&-??<5=9Ixim(|5a{P7ZM$vH8FVR#Ftcv!C({+mr(DJs z>(fXyl&bN-Xr3P&-8@&r@m<~KgJao`)DTFy(w=0td>g=du(*{wU=5BAM$U_ROO&)C zVUy0?%D7SHN(;j65VTj@c_5=d0$O2LZWz}&F)IKhK6RG#q$BzgPme(hDL$sp-A{08 zDz^T1`NTSs=xvR~23h9SI-5P#g*m;rI8jY(U2-XkEJv zeI3wKFv()(+l2d+G~j|ihco_RdMzE4iyfo_Kb684`6R#oMac&PUrok&+~}#(eO4t@ z`U=JJ6_7+%7%`#PN?PIZLPc#`^HGwJ z0pG6Dr_3Nz!KuBkm1xgBvNO)C$rlp5Toh0nG9}prnRwOvYbXaz!?~hzm}KFi&{t!? z4NzH#A#29lUOW~;^P`z2Gq(?#b4F%(Rk!~0u)4EtaXF@xv@RKIEVzP8O9yF_&wpoO zyrssF!KPiNLTVWjGl4(RrCK3nd0CYvt%!(wg0d4B z!WlQXMC}k5bklWFLmbI?Q$pOTXh6X>E(-SUbe3b;vWJrk71_OH7O>4!3@c~%BE74QOUoQasnnFt}kaJ3)XOeLwnPu4K4L)BUC zWiR~;TnjEVNhvr_Zeok{GS)Z#1)J$d*L&%^|faCUm%Q)tSE%UjFrl z7S@J$d7wPJiJA7vu%Oj2+4D}wT6;)Sc{WI}yfGA`oa3@Q+Aq`2ELo0ZYzZ#GZ{%Nc z=8D;aUY1vJzt|bJ~y~q)akf$Yv`O?z)?M zvy2?dWyPX_Wi_^iHkZRrbxH>{C(GdVad$JfF*flFTUtqo+JZU>HUe!pn-HJJQK?o9 zbUNPnL+|hTeoSP&pDG#)wKN!}(Jlm9j^-I8dM8X0_a_4ljp0jx{CPod=nnh-F1f(HwZlWC(cx_*uTLU}*lN5XJ& zGaL93fN0OZGMLmgL;H;dM=o}IDRl_kLx^rTV1N7`eF-6ji7^N}r zh!L=NB*GNO4_Gxg4yQ?%2}{LpH;d*0<}k_Zp=ly6D~d@Mam! zBU6ry=L;T~^3eEWS8;+dGm=%l`>c@tdkVnlN> zHwATjC4++7O$-9}@osE_Hfu=ONATN+(_9);Fot)C{8;0en@8VkaOc>q@$u+<>k7c+ z29a}%#wpZa&)l_2bt-7T?g4!Qzcr2ABczjKA&f9oZh&xxa0dXB@N6pREVt9RLSD3F zz2d61Fm3Rjr8|=_^+N(gPkhE7n(5+c0m2iZAMDJs3QMomG7ow(F1RM~656Ddp!K#0 zEm`Zc93RaNg%5gG_|tW$Qw!8pN;ynusX*il}f#696?U zs7#1)<36f$laqi!j6<%Y#n?ruK&t%*#FnV|TT@F6n)lCt)akd+est-do*1gav5`i* zT;Cf4Y&zK@6q)^^RZyx`n%*zFN_W(S6qW@OqnsH;n_3v2=&eAJX!vzc{hyU=fI zD5o>lVVhgnYRyuLc^fnob=sctxc8)Rg1s`P?u?v7+ccZF$5ow=_yCf6A5o#d1VuGI z@D?ZF2Qvu(2FzVt>v*9w_6TF~LvVAt%%g$z(h7HN)pJA;O|y|B=2hB<$0G?Q)2y?} z+*+?!2gI9UTDA3mtQ>o8YGGZ>QMhlkT5kMB;{+?rHB`UqO?limO@{Fuuy2{B2Xhu` zm6`@P%RiS~n^&-+_V52W|2*^A-n;8b$HKE|04%_)-^7dg-k$GAj0KRy=|t(8?)>Td zh9Y1O0|GZwDuvNn_SMsxkBg5^*Ld*c{illW07})*@9ZbiKNJ2K9iE>V!dlRL@<6G* zo*6+F#@p%yTL8G8vle)ms0|0x0A7WgHZ(&!p=`X|a@uktW=YL_+4`K(&%X~G8oJ}1 zE*ukyU|GQoi7x!2Y-FA@Or*2^mbaJj{g&Bl>GL=G(%K1|9uC%T21fS0*lJ7-;vG$9#m-cP8dhIL=g_CoiN;PV{PT^vrBEJ#-QLDaXwb(6IsSgo8O(KOS z*KzWzY7^IblUI2knpr{nHB#+VG+o z7M~{&nG`?Fbh{yM9QJfKm@8=3xDx z1{&HvJceVcIroZ-1*-digm*kEd2M6Np(TAwo0{7r>D&6AxIz&w@))o z;gmpU=keU(vdMKN|L#8+vP(1GojY2W@calTiz3)61OZQV!$O&j%yLTxkGMuY)@D-P zjs#JYVJMDBSi_3v$P%$}z9nA{(ZaX#I+xDe308J32=~M!gOV(dRv+a*LU$R5Hk;#S zx3GTYtLKhx9`hl>d0^&5&>YF59Blpx_~*R81JHjiN4ig7!y2p&{cI3{UYdYDL%&$p zJHC;lW$L2;4anPD5p6F1tMmE}@cWrraWtKBHzJ<8-cl02B_~e=s#K^DRi5nAGS_>) zv@5MDbxBLZX3`Hx!QT3jriqw*;=8|^)UmK~7z#5jC%^l63kq)&mr&6@aLb8a_4Bd+ zh{iWzNiAR#!6#D0Dp)fg`q`R~$8HHx8m^=y7-Ul!zr2SksIf7~sK0)pGF$ickO`pOV7&F4cgx zf@aLANcV1ft8=P=Vx}E(x=%b6czCZE@+s14-!y$=`&k*}2W9JPd^FN|UUl}^Z|4j2cfMu=h z)_75T{JP?sPK)YAccp*osm9kjyDp10d=zFtFA)ui~Ws7W>b zO>)0QP0`uEh06Obf7l%{e%DM+&Kyl<#o?IY!>0*$z8QFV zY7}kh_b4dP00~9k<2`Cstv>9_3Y^#RqTHOlsz})6KtbXmZ#FV2DN5e##Kl*$@GTaB zVQG@JG-PJqLK!^t=xnEQI^ldQHIVP}m(GUWC~Ia@md~-ivOTmC9yT--eVl764H~X} zU|i0OS&f@1Awl{PES4RmhU2-(6LBCU*tW} z7JW8SyUtn?M{M$Ou}Zr}zr~J!1KnJGXoQdI0Lrkd+JKvB~8Bv)V$2THhMwMoD;WwY_*Ycph@uk9KS?F-MrjwL?J9iltr{BfoTYeb;B z&-nlXNiZ-%ng$m&3H0?{%0@93c%!VWhhm?126;z zEIX{+0@f#P0|K$O+HSJ@Y*6L)cd=?R^IS9p_62$+AH8mPJyVQq9?m1IBPl1&JK1>~ zwlMjSz$~?881L-2@D$wz#8WKFp_w$FLqXD*qBOgNWtb=7BqdWn%N( z1`~;ayCWdhP;C8y&A2s*E}QL>YBMssqwO9m18HZZ{6;r)0c|9CXR)9WnN}Y_pZs@ZZ>}czpeFV+6v&@cHCztItmVGo6 zrB9c&9d@V3!-Z~V$@^@dD+E4K@_RN_w)^6hIK>W}l*FyE&|^RdWqbn8o0Zq?lKEL0 z7kMnNJD`yTG~Kr7K!FdVMTw$3crBUc517+{bNYI%`3%2CoNzIKnpv%1jnX-H}ilDFhMO;-p|@C zeDmg4z$bF@30Ir@)f1@YjCc`}OzOMC&~o}S zX(DF;z2b`}7*Vuw?YzWI$FB%ad*P-YrdHl|6~hPkEJMXYkoj>%14|uS=OxkfU)saz zIKCHuon1(C(09|O|K1M6-Lb=}XP_cR)yeu6_1I-#rn@H$OXww0u#$hkCWb_*crUC7 z=Bc#^^m)A5kTdQ&hlQ_*DH<+;b1?Z=?C{&IulNZwWt z*6^8p3+H(SH}Z(O;3d%7dWlUQAEihg7t1p9z zhaw@utV91Y4-J3=;DWi-B!0+;1{UiymM)8Jt?>&L>)n zRN{&pi&7>$MB5Oaa~a<6S+d;_bDUp)qUyTwaKz(=^1lPl=F+bjA#)BM(p*7uDUx@u zxEA;A2dVOtM3MrwUEn^!6X_MrP(z+CB4A33Ke^VRQ<8pc<6o2ZQsNkmwu9+C#CBR$ z$|gmYzJGxzzXhqBO~MWXsvq=kZkTkn=J#+jJ+3?X<$s?`t)hVYG}f^eHWUT78?!5{ zeJOb|QF#BDW(`5L$}ms^*zs~Q)JyQBE3DN|Cn~_RbSR9;qmX0-QK#u`q2PiGp(q>> zkHjeW;~DidUTIu}*)ytxCwHSXdt-x6h+fjlI2gpoz4?109|JE+-^FUA#fdx*3Zx74 zzr8MblP(i?_emNzLcNSoYRATEH~G-`!?F9r+k?gsQLQdwNGnNjV>1*tjA^vwt=)5m zfygt>PXrv>xTZU}IAI)ZA}Ml_=;_Mr%jDkymU!}RY^y5U8=R%iOAisj+3@#9^HL0$ zGBZJPBj4`x$#VPy;Sz#QhiS)wB$!>v`=mC745Z5JN8tc|L?@HmVh|)VLhR<-IB1w% zz*+5s#uw&tzdJ3Q&Ih#%N(?T)L<{FUhRt&23G~h z@`BONDE%(Egi_ls%zBv3y7w~N=`u&^&k{B&loLp@UknQjFIYj`&JjH0kI_PA^NPf0 zzkyhXU-ccO<}{_bz1Eu$vIfhr%KD+?2Jc7?3cwCrywLf)+SMN$_F;ZAvNt8GQ=s!n zYQT)s{M&PLTum{uzWt8JjOfV9BhL01=CoDbvTD$1d@}L*;URoncVQvQ_485?aCHF~%Me`~#N=27xQsFf*AIDAaq7&U z(~z{?f>~+i`ux1D2MRCRI5W72xYm3+ z8nLvx(%9CokcaRt{1@SXLX%+=Vg~O}6GAk$q;dKpWT2nzhz_&%LXDPbtt}rKiMmS|85C3Nz8)h``R9&g%c717hG)t|0Mkp z%4vDv4yRv}vMGg+xoP5Te&RW@u)^a+m;1=vDd#{{=!NJFpgV+TkiTy%ilHEq+VetS z2mlvGhaG-ba@?edzXbYl2X@h=8hUv>g^&N5UpSP_^tn8>Bu}(26!!_t@LS_QIlzwx zn9;-uXYYe8%Ame#f=IAFLnFRVQ(OWn#-)NEa$81?T+#39u`Sr?A5`ual<%MaZYnwZ zfr<(m%=1l^`b3DZr$(H4_;3-(0IVB>z?uM9^;gJJC49tzd%_<YnR7y%xxCdr3Umc&#s-h*&0e6xWBI?o ziY4dy7FBSE9(X%maGrpr!J26?!Jx-ImZsEbnf#BNxA|H)=L!2#0j>~iwo_nl8Gv~I zxj!x-LQwD_!i#4(68wiEf?8A{{B8Wi6bSZb0Uri;zer8-{<&k#LP~{Hrjmtt`WSn&&#TMm9O5QxK7G zO^9G69(E-@2j`?<4m77iS~z8umhV8^ zEhjHviy?i!IfR18?DX5AJ(4(FuZ2_?BOV%9bqFb;kw|h>4+Ct$8v37rAOI%uuQL>I zFsogNa0rO7QS!$y`HwRcedixx!z2&{o#lkUEHQ2Weue`0z$>!804`K3`>DS`ZRg2< z)fF*Bx+s7h)>&~a*%d8aSuWdig*a#Sxe`FOBH9GBJf>NdqlZsjI1rzDEJvuxVH1Wv z2Df8I1g2-Qry6Tt@hU!Jh-==B(;^Y6=vVGt8ZY`9 zDk)nD|KOX@)dxFT)kmPs7u@b%zSi;*DrC`!gVs(ASbp3~s3%JF#Sa6ewc&I$_X17vs=!bITgIgF3Q?FELB<;Md`;As2Nmc>SP ze|IcRA5&L9kH7zF>E*}WB~EIT7gIYutYf|VpA)QCzWxs!EFaGLgC|+=6)KYRRuIyS z6!*s%-UMOR#i{I4@GVhm1elLH&GX6K+?ph$J*Q?#ZPoF~TJ9jZL{UTK2*_@OzHWS| zFU2~CrPHJt0hwjCZf3PMnG7k%p+IH~!Ym)HtxA%W&=^_}Y5sfOm)HpFJ(GiIQAll7 zeAOJ|7NG(0DhOn3Ck}=psP(f-H3aq@U{EDZK&tHXGvI>)bXXP`nrrJin#>wO;mT`i z)x=f+N(yjCIcMX>E{!lEx&U2keXoDh3O2iY^R=& zf421f-yyQwRcdr$MvZvY7{?W$${k~=qop6@94sQ&DS%O-j5bUrhaz?m=208_uBm1J zkFv49PE;sCJZQDXU;B^#I&J|wVgXwm&Hh>={d+Gy#cVe?z@yc=*?WRo1n&c)xSoI@k!`=GBLvxeHp>CEuYH;UB?(}eVdbi?1sNRFb17dO}fu?xacrs{L*ymRYf3(lJ}|x?S&63#uS+7Z}>mS6R-@ zG(ttE`YrI-$AzDe*AEp$cx#`p7l*+W)`zx$2cnIZKLq6-Gjzi(3_k7bmy^afFD!@w zhs9BTl0awHHYW+O3~~e|6ZdGZ2ZoHIrj_85G56l{JZqPBrCB@3Kq<^V{;=Vptn)8* z0-uL9QCgYCY41-jgws8J&1`(zL^sU|J7w7}w|Fs#g`&$+!cAqhq==7ygm}UYm*!Fr z$RBZaQ?;UB(G2mZ*=%<)Cf#NQE*?BkH_lpIhRejzl_Hd85jZ7Puys1eNB$0w!5a7u zSbxL6YcwAv>rY8I4st@%3y8PvdBI)K2*GtH2C1zXG3UvTP!|@ftV#60acG%cUD&sb z70HN%dz2nRo~LXPEjP}UNW&NhNqS+OAVNTfF3EMjDo_yQ>=jZCsIOyYRNpDh7>&{E zq9@DGS3bwf2vARv0YwB2E`N>(!;gC@RAf1^W4~HPrn6yhhgYcQD3HLJJA_ZT?(FrV zg%Ti1ZfK?u0)YaUxTDRWt$vtBWK>NqU#L6;I0~ZS9grp%#86)gIMqP|wddEJBgbX2 z7{BJ^#Ut&ygvZAwi{;bHdtte^in@Oggs33V>L>O!qGY?N9|EvDDeFqk%r_GtM6?l%bP{ zbhs3ojdLhbK2+_bWWlwO7=w&tDuIH+zUcT=D4wBtA7rTWtK?7_^x)VAk@Rsr&CS(1 zx7%HZ>=ghSrXOV_NxAzCK%+=w+e}a<1Dl1B)DI1qoSeEd$N+=D-bk(S${1#5oS4X^ z0%uYnv{(mVKggug69=^*^s?S+i0%q{cSoH8Gt5@g8Z zQQ88}Nna`Z#qn9hIS`3RaN`>3J0N2>E0h2o$x~CTUB<6nC4!YqOA}6G`8{%kpk+BL zgZ*kv+NGv62HZyYYigsKhAChRp+$G2WE7;0_8wpuhDB?`f~w@i>&kpo z&g@c&9kEi8-FAgWf$k!|a;%2=#3Ga#6-{HK$#R!1sRmwi1u5Gf6=S(kV+E-pFv*o9 z57h{#SBt58}ngfWLBfvA0eH=9wQMP@nyKvKgy zxffU?zed+WYkgc=!Pz+)bw!U&k3P6nlhh!s1SrSgip+I@!i9Q5$hHuX&wus^IZg14U3t- zOo0QdJz&o8J1K3}8w&BD3rC{lgdU)wNn_~`wW`zQzvG0`7KzV^cHgwWzsI-z+)G#h z+0XYF-QVA6@PS|Oauy-ZsKtNe=yis&za_2o$fH(Gg{wJ;CaUsj>y_IMN(D)+<$`cB z1_FdEgj_oS1=X3U3@20}tOaWsUp5x6*TxOAg2MqW=IW4du^~x4+Q7&c%+)7o=MQg~LNquIpFbkw(wk0#4vEO&=P{)V6HPVxxv-FIHq`s!T$3n}QUS^q>M zVYXD1vFh5>XJ@Xf@z_$rtdeyVfLZypnOjg2Q**Esg^x9T*i=3!IDfx?Q%-D*yc0_( zj5t{Bs3VF^*cX8Ag8d?Nh+1|z2rES?=kwA(?8+USk{GjAVX*}(Vb8g=W5YcKM zGHOVhQ7c>lIuNDbyBJ{NT_%)vB!nm#dJgk0b%-F>VbciI_ zp;=sN>yp`gMc#|OxfbP??SS6P{)uNxGck6-THDR&y_KEx$|;rWL!J=$27L3G*mq3q zF@;F_ds>0Cfu?hE5!^Dsc4?`$_G3eU=!M$kZptd-Wb46Z)!HlaUwXgK${e*n6$Lnk0aPMzUW%Q z2-VI;31=K(1LPE|wYCcJmXPcthG;?`#Eh_8njbG_fjU^oTJaca_zFFrZF7OtR9;6Q zVnCY}(&4)1_}`Q~WD`I7XkAg~ikPww6r|!L8&@yqg2zV|X>62=k!Q{TLxRX|EKSuV ztJyf6prO@Ud;%Fg6uq%>7{UsQIzYCmF5cttG6IE zjffVq9qpAFkaxMhA~bv=E~xyKnb3>VNzV)*1Y5*ldM{= z0@ql0v~a9RO+^(M2x8a~$WF_r+mY~h1Ne{yQ5kTnp%Jr+A)|As1aH)kkAefJAH((H zwB3n1e+Q(qaJ_7*PB}!Yx^+IbzjD7ehUG`dJZ-j$YHg^i4 z?VVr~Oc0=e*x%gLO!TNIAnQ_;b(NSRmOIRyRz9H&I3VUZU z$9Ft-(y4)LN1YIlI9jv(mkZn90aAY|dtvXMuZSUve2<&(y?O=u+;-p;0g}<+33%!R zuzmp^)AOCQCH^E_}#z6I{Jq}lZm4sYkpa-N6J(SI{5*fui z3=1LbHY_AAJkFVnqSG566NQC^Xfd`;*1MTc6?WDDKLIz9=mrX1cnb~^pYCHs%ulUF zSVQs5hZ=B+H$nq3YhhV`dopHpbGB z>{}v|p)|(W#*%#t4a$;Cwvg&IgORPtR+!L?v6Dt*2`{pyM3ji6M95l13x3|}ec!&H z-#_2q?{oh+_nv#sJk`X^ulVFXa0RTI|LsG8eSI)0|iBl+Dl8M ziMbsRdH?9m_b>qU5Nq%)Zm7t9KU68To&W7!xWve-TH;h(;`3x%1YqU(y$M?p?=47B z-)}OS;gy^Jj>bH5we9Z9731LZSRUQLDlV7^bp#7{<*RB-PrYy}AOWv__c+O^iw+H8 zP8TCt7x4udDP95dLl$6LNFiLWic8Y0zPdyhyr+cxp%ZKpKKX1P3gA*yc2>UAR1#^) z9j+Y7-tuYX>xX~n@2X4ZEFl zd-xQ}aKt*)mi5__McX{Mqi$X^a)?;te<05_l2wY1Onn(pITDamHu8*rmJ>GTC=4>V zCxl5m6nesWBE@?&2sb+*ZFgA0CkH)86fv*JS$%Ne;vex@MEIp!%5WAIED-3Sr$o2s z#b5w&Fj^}{pbM=4RbMT4ou!Fz;_5CufZa4#@QdCx1^tdVN|Uh)qaaRUVxo2j7$%YQ zR9z|diE=s4$;X5Om=8XlK5z%Z(D)z{Cpo!V9raWNv9f5mK|$cnWpkHY6DMb=#!|_W z%e==6#r?E~t-x9ZP1%5Hij67f@U3}(Mwrqj^?eNtOA$^@z|6e|D;RiOhu9DD4)mCd zMnFd}a%|p^lpKZ7F+Bd$DS1&)s_PQgV39zgWz3|27`x)lLoAX51hhOtn`- zIhp8d71LdzW=WbeS5|7I%MJ~z*vxBUNdnj8=7UZ@CwB+&S8fQk+4xH8Uhws6ur+_j zMSCUV1~b~rBEl%E@#W>H5?Rxx@%IGHUolHt(Q_x?QOKCRpy9-^%=@3MCPNQXZp;@H zjq#uk{SiUkL+cs68C(!3oS#)%fK8q;IWK&>0CmV{E{H|tVa0`4220wL?}E=1kyDcf zzyIX76UAPq5eRaXJtTKclSy+HqFGfTIc@aUrtofHIQHBqtWe7I89ZNSi9w9+TEWE%dAw#Z506Ddgc=vD788_g z^P#F2j1B{}Mu~SH=dElx`$GVcK=KvjQ>S<`SS(Gh=<1QCglht9zj!XOREa4(WlkO@ z6{1`7-WuQ@oR?H$$i@>IiM?$BxK~9zWF1sX`c(06Yd~O%DLx`{A1k{;nLGBO4kEWQ z9VwjF)}-wugvC!ol&#~vT)*Jr1O%LuKgtTQt_9*X%~BuLroXtUoJCm+egm<&;?tx90e<0bzrCi0rn(Jhk!tSoV!ob{|wSWlshn5l!n z@i&{l&%4AygaYIgClhNITy$gkjo%p}8m4^U>Ap%|YC7)hF?2!=3Q3Tf4yVKo>Sid# z){xh^sy6j3R=!*uR`t8af{~7qIgjc=Ce}mO^8q|;Xl{xeqe=2>Fhm@<*gF#!$Etl5 zZCr%EdfWbXpwwe+d7Zn=x>Q$|3@hf?c#NHzNAj@A1atIQ$2aRAA9 z<%fNBgvd@7{&?XgmoWs))5+vT_qLW*eDGb3P;8V7Z^x|Qfj%U|uGLA{t1U(%pXd_C zI_!U_kneymv8$WQNm>(XV1mrG+`OrF4kyh?Z}%D#EXq`giNiw5jK5VrVL@dAxizkgy-LP6t1yw|x*OsT8tMKuQ`94!`zk29>FU``MHNca$){jN zSchOJ10DM;+N{l}#`zALIeV@9uB+zkGi3{6VEDDMj)l{2iGf0A?+j2K2Q}tI*OI>) zU6$5My=Bs0;Pc;Qe3;V0@|JEf{u2KmM+ClnXHaWU>s{$fNnIg!R59muRpMTnLL60JG(9_%7e5f}OXj(YKF_*FFD5V_K~PbWcd~&{Mc&{(H7Do}lls zp+u0q73l^0yAEG1b&(EHk$N9dA=e( z6ZO9LRXG3#oV9Lzk9vLh0o&F^uKp8Mx!)e_iEV-}n=CTXhovhTW< zQgAz)dgEb88XV+VaB@ZB-+p;0I#?ay0$kc{Gxqwg=DnCYdZ+8+$>h&1qKkiMy!`HS zZ?oTjH9GY%-T3TRAGR^=-ckj=34PWh3ww+HSFwL;SM#)Li112M+%;K=gjRZ3_jxr5p=5-(j`?hRNvHGN$btN{-5s01E61et`nURaBeC1* z0)&c}_gZWC4y^k$M0Cl+WqDTSswD@c?#I6v`>2ara#z1O7xmc0_p%}}5CFsg*xrBU z*&bxn$}u|CMRQ+=k!^^e_a{^~ZUc~)N(we!vX7T)gq^k+_smPIg6%byzp{4mv1nvZ zU3JEoM>k4d$NV@@Ah4Bi470*F+hQGVUWB>X%2mx2_#^Q7u-gh~% zC`aN{twrT-Jb>3bz|s+IAw*r^;6cg0%tVnz)efQw$R=RCWQt)zuw73lgtD$*Fwi2EZdB`FwwH0M=zRkPj z&7OBX`FmyJzmQ!=Km*8jz76FK^cLW%zk4XnTnJkp%K+v@p9&}6!A6L>mf@+h99%YA zAt8x?y}y{VZ_#Dm4VOWrB-xRWm^`f7BBa`UaGu&Bl57+1O znYTXu>hCVJ(hMrgTE2eR6OXgp-!gD$19m_bXY1Y|qqjGtaQ{tFZfY-!D_owAAwObXF^VzU%ybXq!pwA;cTbjlhm ze@y@qeG3mr`ttq_>G$78=BQV~U!(3bYsW`mC4!AEUQ6ECE4rkoF@DLXezQMlHE(L_ zXm{8DBU=QX5)Yhc+t`Nv;O&0tqF?sE)Go}SVnpGcskCxQ?2fHNIgydS%2{A&*D59xHg7B$ZLL{BGZgU`&ZlW zA7E{S{Y30D9K18^^FpqH)IJ?$E)hj7f`1@=1?_R>vD zG6||)sqQBZi3eA>$Z~09rKur|XIW@~2%1XM$^0B}p2r%Do`7N8nw;W_>IZb6Lr5;1 z?y)*Cc`sU^Tm+QD%IN)Xgji;EnW2E^J26P1(UNyQ4B;5wBt?b$%SkCFE&zqrVYib! z&Lm1vRQU&;iUfGgsmJ2%exTVmv#g~u0s#~?11U%dUVgIB^@xL)EyLwRBRp&?TQS~c zmB)dTCwc|7dUELSYum+JoLg!V$9UH|FPyX-rN#Bo)QY_z#m&s!-IBnxmDaB6*8JqN z9pLfi@i|hUUT#&C?GB(}_zqXV`eX-aSNgHGY?a91d>;IJosyyUESw5E_%|7l{g0TerJ#_u9mK31 zAnvD|i!EkvQJeLE{wsoi>7Vz6#O1p;Bdq8cG6$T!6h&Zl$q7-zBIAjR=W9=7VC`OP zLOI|HR&;&ok?&qSf?;~@yFuSyAwByFEpEN}Sxv!0qo_5ZGeRFmaNH_fzFo*x*QOrN z<7Lff{lq~#BhH8hQVZwF&te4JA5a6p>jn$ob^vETs5i9LphV%WQL$5h<0k}=;n7dN zTTY=_2MkTr*6WYtXF_?f+emb2>8u%P}*)`Ww zC0i4V0Am2a=ZEbonpxEo+&1MMsrS7&L~*<=LNX)6dmzA9)Bqau1(3)JZA#*D}XxB^|Qgn)u=?i?qg-E6?P!na3tYr zUnb^?naI9I{VK9F`DhPP0aQ!6dht>WBlEl?-biu0H(cFhdF>#D(DYZ^t#c@_qcUuf zvv~y{)fWW7MPa_7(dq!HM&yP?(c12p|0=Zu;6H9W*#7{l_O{D;bQ|eZ<=L5pke6ix z2Bn#wJ95m9%qxN3uz6B4zw7=y`15)fGI((xr-2 zX)1^X1#$7~|L=2m-+TLh`*wf3cZPEhGiPS*oH=vunK^UwbN1&O05e<nT3rV z2n5nIad3jzIa%3(?7u1@Av-HWPC-LKLBq~K$H4yYzJ7KASg1*+NIsE~2m(l1NXS@7 ze)a%(03-lXva_fC`$a)XMovZgE0g=I8-Kd~o=HMVPDVlba~?oXc2zaKT|q76u!}p?Y&wKo_O#VFzHLw=Su%4C3A={W z4k=Om9mo|5FIM~)a4jh${zKMSRp&yp>TR5E^yi-d+40Jz3KPCz`o%r6OMubm7i;PN z5ut!ykdVTo5nt)F5+GK(5^yQ6j;@Jfqf81%M739A3A|SFH>Cgr56npeS(cIuJS&h# z&6SY_BS!~2FDsEB-`DwCQ3l-0l~zpo7>ahAva3W<#SlNa;OC*q*FL_*mfE^Pce2es?6tGIZiw_rliLm?VJrYS@i+zp%=x{+`hC4$UToUN> z)HLwYupP{HI?54mb^dl^l&kq5uRQLk;C z&1$T21&+~cTRXSS^xyK&LmMgJw*XD!PBE!-v)ePdO=SsTLM2W?6%M{ZRe6&k-`+)3 zaet~Y8BkR?%50#V;&h88g}E{Alab zYXi9cZF({Rk11}+p0(i>*!gEM3u}%v2vt|?$$K5bvU>+Upz>}_&xV>WL%)*eqe{R- z)*x^M^xB5jyIcK`&m7>uzt!{$;gkGA``sm?AY$t8Oe1IiFuarQxThB6Ie+;wT8nY_ ze1S{N=u2<;`@XSWxo1Ov^ragsSNEPrLBGaV#Tt})Ii!ZpO-D=J7AO{J*FQ8E86G=(6jkdz;HO@SOBDDas!)}X z(kjo@*VL_W_lMPw_#1X$FM8ZZpKka1O+C~HD-B7SF3X>|&B`~rhw3{bPNin!vC|{d z^T%0Mba&Kru-TFM8cdHg{>IMV)lEB{+5Wc5PjT@()~F)3(!0QCQBnSFp7r34=kwr2 z1Jj7@J3`3liGaC5T$}ZXiwjEFe75P_U zz;CC|hnKCy0P){Yhtq}xMnFsNeb?||GSZ!>ZG)xG=CqD=ls7O zQ}PD5)tN1L)t0N&qyauhgLf;uaOJ3zYszC1SAHB_XOLI#cFBvzCx&{oGjSnEH8g~h z^zDPW2r;c+rO#@l{<|gt-2Ignl~=r)aH8N^k4lkf`Cv+Or%*J(je5i~HEN!-{+4Lt zy0g1ePTCF1nE26eQQS5qaVimPwI({VzsizOTq6IAp7T9;Z%IBFLM~>i^}h^4X|mV5 z&t8(f_H_Y!a=#h^0JKK5z|i|TOLj|U*I|Wu>;^vpm$zbPDBLZA1-}>3?ciN&+Fq-s zb;yP%zPs%jV#%hlZR8m0em^AwrT&W<#+myY?KcX}-Q!xl_9ofp(v$BY@$D{avwu^M^(?_DO^oNQysXeg1yg1j4Q;3Z|CyCXeMUnO7@0);Fcfy(_>azL9L#XKV%1wr5aPvZ0A1 zLsFvhJb1eft?t;e+(@kNXw=`=kc6orkTe;;acn|T(az#`W#pq%ssHyww! zVuXpdu>_h)aXxu+wc_o-X4*<%WjEH>N)Dzmgi8qYwd~o=M1SqRHs7aLj!$UCbBM5Z zCJsf7AVSS#z7=3g{WC11G#%?vB7cg&I@Et821L3%c`qf9+S0Y_v%;5A;Mu$PHPqmm zYx8eFt!Qt>?{j`f{hyfjpduvyX%j1J)>SnxfnF}yu0r-xkJkVF;c|9gZ}!t%6V&PX zjrg8n?%S?00?UE&Os&r_$fmj;_*jjMNjpesWmtP9>Pyo0F@AR;*@=pr(aC3)!B^I| z>qzm#5{g29m=eg%^eSv?TBIJ_E&-= z_sit8Z6?kMq%0c=(6@ms_PQzAVtv6M4X(+XCxo*V`Z`k_tlbu+;~AGprpY!`xE=nh zI~{NIKf+uT4C|Z*g}CfZ;BP9a7nxj#n=VRTDSAkMWvC{S{;7!)<$1U*6%d9~nhspi zb))~vbc=po;akY8!8Kcfo}8@ZmO7lYn*qXVu?^-X&Fwiy7I>1(J6n3cSTi`&Y@7qc zY_{`qoZ9)!CU#L;sVsNv?K8_<@gMp)z<+g=!Aj`ebJ3DwCl1K!(a>Y@a`Bxynn_cj zFto{)XnS`(|2j>+Ziy@f=joNCr!=40fIK_0%TesLqx{Dnb>*wPwy+c(sMVN%2Fi9B z#$IwsV(n!#*KFj%=*=%0?6SZyCFJ)G)!w~{>!YFc-31l@fk4pfm6-B+``-^PQ{7Da zmftpiNn_TA?;BJL=siXIz5fa%@>|8>u)~O0)rCPm&d?(c#{^kuGX=@>!9^O7?K+n8 z{thrdx~>HVHfs#q=v;BJ2!k&=80Mz#8Ti~yT+L(GX+PI$GJkn;pOjZ18^1OsdiAQ= zNK2xAA^)usI#1Gh4Ppx9e+?0!h{hRw1v)--`Qmxm^S0?!kIhUfwvr)PD&Io80n9xG zGLS+zW-z5`2liG5q-Q0kbIRd|Q@_E(-D1UG(x;*?3HbL*aS+oX$d_z^@6wm~5E25H zZdSs4jk9>22WMPh()M+IW*=LHUJO?_sR^Lh$j_I6+BCiY^MDt3{ncE@7Q)FPM+0ov z;3FY^b|Y(cR%>S=+_m*R4^2t(>}HCdi%i%BNFuAtJA?X&XY*R?oEq+E@sML5ZR*4I zsB6>H0ev2KjuFzFd%Mo#qOekb+qi7L+Hw$zyG*%%<0s(CC+UN%_Y!}W-H8(d-kC?b z{^8Td23G9j7*a;@id{qV$yeA$Kw}^L`NqR%08Zl`L4Axz0M;pE)_7+{_yU(#sSH^} z&;1KMSmr{SY)vnjaW&+t`$lLT8(W)Km$)uc7hR>83R1nKl>Detxli-v9B!BS-JRJF zT(?*MCPfikut7aj_JiWVnj5l%AM13;-wm0YA2uR)X(z}BU-lM_VPCE2_);uSvUxhW zIf{l8_5}?9c$&&=6&jKlLP`v+0_uRg>PL3jeRR8ffT)~TpcJnqO}kmea4fSI94`dG z#lL1T%%s;8%leW0haN}FpBWJfvX#}XeO`4J@5jnD$Q<6g9FNw4{iRaS*$}=x|Pg zq-TrQHrXOUPh$bhSQa<#lXFj2*I|;noce|BWo2#88I+u+_wFWp{MQEBXH>MzHhizM zAeo?hEgci>eg81}u@{-^Q$sf*eU2kxcTr!NWTgx$4Qw@PPl_VI%{G;*WZ`9ByA>IoYD~toVa~gsfcNJs|IkA#O#xdUFG&*9Rz#Sn z6q|#MC64a$hBGK^z~)B5*dt&`cL7T!Xbi^FAG>?*A6v9YcTscbR~jf|m=nPt3O&Bd zJ1(HNme)G!=JrS*l?UQn9Neyrl>_oeYzpSEgbK^lUzC4bYcL@K{g$Sutz1ULGja9a z$JY_c(=4+dl?d}1HsAl~98b@yl$bs15^PM!78;1R(_LaTG+`aizMj$OqB@5P)p6Y@ za7aD97B=*EonXnI%BAz2drNPNe@&RZDG`EQtsU5o63&{W61LgU_{upR9mg_B#ZEtT z_ez|61ZdSulE0sJd_TLbHcQ^0KZxI~0IU*4n^$|zLIeOzY``Y}}3)kS;AEh+T za_ov3T4RZVq>_BLW2+iHSE3^4L9$9QK%WTIl;IY&$cOkDaa`D8)^vqW>$~E{YEec zGeUgW(`M#B97N>2AUv6TloKGHwyFFoiq736*sMC_NecqH6&t5erzt*s<6Xz=Kd6>? zAr-rD`yb+}RZXPa%0(Axi}RFnpfZaNsBrT08FkQpZqHn))?2G_hTsL|z?507Q2Xcg zt|j>|D)G(R)0?ck^7K*o-JzbGz(cw_x|x)11+&v5woazAlWJklX>Htp0&YA(AII0c zl)WMUu(3npN!L|UsZJM-+D%D8ih!OhcaiPf*-i6)dha|JH`=|!jrfxZl&6>f+fI*w zERJijl(!06!=4E}0`EJ?bSHC2OGy|vI3`5Llxub-Fn6gQc+VU4gtaK~7?OuaVC~5I zSw)<0 z(S17iTJA@$_1j;jI?^#C^Cy7m*!>@+;sUrmj}yV1U~`6 zls25B-j*X?tyR_vgv})m$XxBJu@uE`p5Th?==`{ARq9fkq2hZtzD`dZb&zqNJDW|ye>J7dk+icCN zHENQwAocvSCD?(eDwnl)GHJVPI`2=wKu6l?U(D`_lb?W)3u_%QmOb5}F5V-AY4;jL>1~*G*u3ru%OVO_u`Gs%%G5d;j zq}bmd_VoQ<^u@HX~x~1^x)uiK}Z{{#wGZIk|rsRio+cl-na=&~3`Q||yAmhHmbMEhyX9eWJm$LrS ziaJ37UTFPGaU8%Yece(4zbv%T;4@q98v?b7pRf5;;B z3(ZR)dCmhK7P8oDq)X2mDh~#-3J*`|s_(wKs=;)L5PkC&{bkw6C}{By>+xXprm zsKwZv#!1`7jkH{`k&}trDtFpXFl*CW_YUbaWJ>P*bx}KT)k>k!{*hI?T2<&R-@v;oN-Ogui z^s%kCUiE>{W6nO=#H)V-LmVuFlJ~Qf^`DPgFW>G`wv`Q_)?$tl_ywfusz7tXuTzVh z5lg(xc;JsX6r)giV#=kuIeNDrYUePpXW?DtQ4-RzjAdgp@wwyXE@!rkz1bdQKUq&d7hb-MWMS z9y}tp`@>>-*g{kxU9c}&91&GVsn6RWYM3MEI*|VNn;MR>iE3+l0X%MXBK5s-t2`f8 za9wsZ=`daGL9_f;#Z6=PcRP%eAXdj@(V&-RUn+y9ZY414uga1Iu9xYeR;l?T{y7Te z23yv(NCS2EB_6$8x8#62vcK3#Jf$nNym@MnkP{@09&XK&+q4_{J38?2to=S8N($v`~*M0V&AH`slPo6RK;L;=G0-)c^GxYPV)2+8H#}3rP zzsTNB7Ed7)%)B7FK#r47(F4)dVAiqq+zP35#)u5=ZmB{WtiyjGp zQk@htP$~TGwFslVbBDZrwQBxy-~S7LGMFQ)(V$u=voo2 zl87sRzC(7`igZ(CgVTJ|xI4u8ag-PxieEq{7tLNmIfOMU%k_{c<;<)|==CS~2q=pSU@ry!5TQ zbobjX1tP2wky?}pm0KxYW3hY&)gnNK3Wq0IJ+E1MaHU$l;-)s$%iEwT0NYrl3_^{3zrZJB@CUDT9PmQb4p@uu$j2pbG0m_al|*u(HpGDVd}bqd=(Ej73mP z1H*%pjvW_^PmPbT2Kan#$39*7s&2>>o%5qayDb?IY^_wl z@ObY5+Ax9Ea5R#bxg^1OPH%v-RObDwJdlj8cmPbHy3H$Un4jN(<|acbmb=@B_q;s% zv!TdXWl-ko<+?XhRgfm}X-kYGVH)d-o4dZ^(}K+?%4nQy2`T4}cgtT+)Q2u52S_wZ z4(kv!2KW-%<}5hBmPm zPhi+LaH(mmlk_EF%KVS>B=#HgiEYDjIXA*cze`bFj9%T+y7Mu1xEoTNSqWY6?3X_z z+1gDUxGl8Am3DHa?V`xhgJ3s<1HP@{tkuioITw0vJeG63|5eYmgXR6-$)tU4?zH@K z;=i%%|7~P+vS6uZIb@gk&8S=Pj?1ky;W^5#E%{Mx4MzJz34jY!u9JAL^An7H$HKbf z6*s+>xtsf{4*ts!3b+86v?Tq-Oz)S9$hv0(%$F}LwGI)`h}pmy21rWD+8kw5M=+nS zMHxH|I~|?klGg_UE;4{CE&=i5AokepzJhf@+WuhD!O=mJKu590vn@^dBQ#4O_ zr073MC|dnAbP*#ul2x)G%<7$>VQGG?k9kGf#xbAEmTaP(V}aaIdMI;BJZ4H4!d`Yu zD1Yc^NJoG~ql`1xar`FGq-FBHJhj|AiSf&zfC{p{@@WB^s`9yWqPz9pv35736fEaB z6>t`?vgQk)A~L7iU7Fwv2!^Tcb1n=KyNyLkP*7#_&N=_m1W>TOTAI5U0%CQJsoXP-^`hbqnqQsIt?G;>&Kb6WdO z96^Fu=k5p16^^u!aw^CeJ(0U~cjaW^0 z?`?2(E59vtR8%_ihL|CstEtG%y&kP>buw)eQsL1kA)(j);JFrx(SXEdRKC3ULKO;- zpw1h?v9{~!>ENdweP@OP5~Uz1O>r+5gJh27E%0NUuTn(E^P?$?r;Q!5bN!giWu_x4 zRCbC@HWQ5S#w|<5QAL7H(iDj$t|ii*{XChu$P7~=K`JFRMS3k^;%eSX%9G%lz9vuF zVp5NinUjpW$^HqPB{=%I7b}*p7B7^@^XAYRfDqF>I97Isudf4i46COr<=&m`$eo`& z`Tjo^*ZoxuAXrE|hS}4Tn%a`VkAu_O<=C=wcG>lQdCLrWvs|vN0vKTs%#SF$R1KN8 z1fzQCLB{VGtbJx^6U79*e(aq&gAO+X&V`BK&sb6OVMBT4G?5 z)fM<PxZ%uDD zPD@-{0^LJWLoK2=U|TXJBE3KnD+ZF5iMmHzB|KjrCbqc`sJjcM}E2Qs6{SAM20G%4{PeeP$+z=n`>o?8g0$zKNdz57A$}D0XvQ zsjS_kf#KF?vh)HHkHC$Dgpc-I2U-=y&g+N;4+&7ccIRsM=o|K3xE3v2XtBg~XDCct&EB-X1kEeVY(`c_}@>CUE(p)=dlq(YnO3 z9xH|KwE?zftTAGjlJ=smGWVu?O?uJM5;WL{-UjQ&SQQhjxthd$&G=Y-heEvf)(*Jo zpG{L|yakQzmc!#1E>M}DSd{hA?h_g`bdjb_sA%bqIU2LTK?ZM630lfR#E8lp>B;7_ zJWk-k3eK64h!Jp^FtITH-uaFCZ<4@=mDw@35XoXSv28HH%AeoAqjY^J^gJ>3ULg=z zbv+PW362(S`8a7{Vp9s?P_o`VK>PVfyA? zx;@Bk)9r|4Kc_6yGSe|1{Bvfig7|=%XR>IZC1v?)yhI9bRXW_O)Sx;Bo8wwEg-i4% zurn$z=p&X4ima#udO>?_gpFRH`un(87V*NS6%r&FOe+oHv;4>|$Jquf+%C2{)#_@? zX`X~i>K{@3q-8@Nb56U(LQcQ%apv7Np6sB`bxJTg7EYU$oK_Y5Ld6LjGtsk}e|_>R zlE$(^@soo<$~vLv88eW0N}EG?Hb|lH;7HJ6D0H4Q{@KIpOfNXC7-Eyk$i zE`i%YvK}%Vrd}Z7EPWwwTC~pzh%YTivMy!CS8=82DaJK8d_Ba?`4!0(MqU{OgF=j5nx8<}`$En-;z2y{+xambxUm=)aXCD`V<$J85rC#v5?ZAl^YS$lTuGM$mEj_iS)ec>QJ}6PwksD?$V+E~;V|Pb zpPbW&Kxc2q;iB_@)Rq+GWR`SIgjXaB^yW9=ic2P;YvYV7ImMCMfHJs6>9i$F+De76 z%BqKnKnY7(WJy%GS0KG8)EfEDR3g{PE84A{}Pz(V*Czry%fx zT(@zRJ_4OfjBiRNmi_$bASfzYW$<|sl*TsV7>sc951ZQ(2H6$Xp zb4;{(DQTbi@IzaygFpEZaZfa&jd0y%z_Kab)4SB1BwtkK20e$nsKTA^u{;>W7RX1q z)P{luxt6=;T3Y1~jPX?ZvM19Uh1P7bK2np3mC3AJkuF=cEH@uAljvH}z053rjf}p6 zesDib6&CY$(5T4NzDKml6Vr9vO2Kz-r3t9rU!PR$<#s!IY`Dzs znYWsB@upd+U%dRtfnLrt@&Dtqq-~dN)CCxP9KBjD@$9A2e7YhK&?6)fhlsU}sN^$| zuf?2;$dJvIv)VN3u0FGW?paBd<2A%cVJ#D_0$BOMfGo6TA6&ns;D!)siRkia!NRsa zZJotL6YI{vWV)CgbcjJFqa26|0Md|EEYO!|GZr6P09B!t{HX8C8ou6{9 z(^RxHrnqB8Qm@H#SC8(- zEE=}c1*dP?mBhb>-aCk8=JI;3WySC?_p7FheQPj#>3rszRsA}5o4`F=2SIpmr}Dl8sgfh;(c8sYTzsQMwE0!C(ii=x??P#DCh`82Y}4idL(oG6wKzrH z)p>|xR_S>k5pY-YRTi*5SBP~rM^c8gh=@EnQepeJW5XeS_LAY<*BGC1R7+y3LtgGA_>hWtlq3JX)A!uaO_-BAu4w7z5`4TiP;Nks#J z^_vtLEJ)14Go}PiZm>X+rUt=2>(q+tc}t!L9ffh}G$Hp?fRp}VNJSN@%KI60z|7!I zS}s3%JokE&W1@W7zBhz0)>%4Qtj@9>N2K)rj9X(Z#tt#GUsa%BFW-58_dL2a#@vp_ zo2J;y8;Hh4%~2PRqwdKcwyn_*X#1w3t#0&w5E%toug z=Co@wOfR%i9P`z`)?Zq;SYEhEEp*0Ox|eZwOL4^kpM5im#!=p97yUHfA<|dOYQ@v| zInzqd&ak)}5ncEh%I;og<|Gks;B+}zyKK3R(KPYtH&7?E_Tc5Bub&~7U9jFU%iglIB#4|c)O=l%O*TEu`-2d zE+m!7+lLAho-^BJi3l`{Zq|?j*XmO0x7jxGBi0pOg&McG1<0lC$`coGMP}8k4r!U8 zBXCS3gCM$0ggY4e4s_0k+0xaqrR%(11zk9YNG}v3w!r3*%ZD)iq+_msvtg2mH z$?zC92TnJwQ6Be5pyet{(Y6lMpqE5p(@*Kr64Nm-PcbS@M>l=L30#iFpf3|U-PHvK zLnf-CxoL>ak?;ze(^%!hgd#SwPP%l9**3Jkcb~miHbKm)h0ZRrQYJIJTR%X&AAX0L z{4=`bvRVy=Sm&sN)!KdEIqngJA>>Nu%KgAMO27SXP-1gBbX-g>{j7`># zI%bHP#sUAvoanh)OQe@&;HUc+LDo)}?+)C;%ziul{<{H7aE=*V3|6@Zx4+)z>;pRU zcqcO|ee~B20zX^x+9}x)%(AEHh6CrG&vt_;VEXG~rdMbW4d{MlK6>;BJ6 zd>U*r({xfjVH#Zu7Iz6Oo{HyHegbx>g`VH3zk1q@;Uw^zg?hVszX+L;8O*es14Ht; zC(SJslM;2OVKMZ>x$Ny4($kF6*O=0>v33!N?cB!=48l=KFidAt?9jo&a8Txart_)JqKZ}J!A$ibtnz* zWubJXks(uah&0VYoUi<#CmR!&!Vp-l0!_?ELLl%mO~I_-o`&U>4~?zXTKfj(q4^;F zw)oPg!4a$T=A752>NCWVK2ARLv1P^QX?=#3o{+w}7dT+X2$UWu-;Pp^yMn+DgQw~b zi;T_5b$9SpCblu6WDktzeQ+};HuXW(1J$k9T|77RU$$c2G(zGEGq+vQ#>~ONS7hz- z5+CPh8Fpb4p#GWfi>hv=xQ5s7yLmH>VnloMMcU9+A+A3@brC=Q(JVA6R#xun6!)es zX3J9QZpz4ZhBZQzuqo_pURjdGeEE5Pc_KJvY0S|;(_*a(K+sRmZmF4 z3>}JMum#eoPxA#Zism>YRGCJDk-G)Bany((BEmTKxQ{md_JsppY|J?c>$ocHPKV>k zb}Xu~oi0q>pqfAOTBG*MX{!Pa%~{E1Y8UhF-nghDxg$_M8V>a?FIi?w^L=L3tRFJ$ zj8OzIS^15M;>K6>c!>r>NJmYC$`35FgT;;*vc8mtv2;|H!{r!E@zo8{M>DKUd_$sO zbZ;-Nf8z=NeB^sNW8#hlGl4w*roiWmE6Oq0CMsTMPB}Sqq&EQwITgo8L+iiFO8PO+ zG!=rHb`x1|N=5TRp1GX!%{F|NiQ2Z=jKD<7t8cAPJY5drw0aHuXIofsQTtwV`Fr|D zy_TGw_tdPklZuSgh!bTHZ#Y?q;0ZBCU-f->%p|5sDWw)?AW5BH{Jf!hgYEFayx3Ul zdCttz{CctyTihFxDy{eTGsL9j%wlqt zG8iSGiDSD-Em;1;1Spu0`=U)W&m^j&XI>jacr7ZCdqwYY*lz2;daJ#6p5}!ii=e0UpvP)J$l4>Uk&39z!@3b{ z*@i9;iL^yx>HdWwreT=cWYvsi5cbi5-a}24!*!q|=i^3XhyC>xN!0M6^mVV4aYnJe zTpp_qpn~fIDtOU=%XfP%H<5E*lf-wl71EHeQwi^nvwtU{Ji=q7?JrBO76i@tPuFrmZulGHJ4G&vSSbpmqBWAM zc>EJk&Lko?bnTpy*f}!*bKbi-LbCMJ{gDbrv0gCzEn|srAxR*`-~hI}20C2P;Lgod?+*h-=_aLo?uCGfR1KqalvtU_ z<=UN`&E%YTFdD62+lDA~Gz*2_2R`{R|GSrNwrRAAS(K?(UqZQuE3Wtp$i4>e{ZE?N!6S$A%?0A0BL-%0vX;NQH}}y^~&9hX#3`iBNfxD8CeT_jFxd7Ox0ps{N^J(C%a9d*e*t*NtDymh9*Xi)n_RQ3{e%G~(ZPir2=N|T^b_j5cGi-WDZ+Q>@)F;lfGmwi1|RT;P!t$7h+t29muo8;v6WqbZf&bCn`(BrJ!wEX4bXjD z{m^58Rkt-K_S;BFdvtJhOSDz&$^aqa$n*2FrlCWqb`kuArT6(;LeGt>zE$|m8Dxs) z8`Xe}aUoh(-^*k`W0?+~CpxYmtK4Pt>R9RWK>Jq?n9N*wmu-mAyl~!5?m07+a|O9D z>|+dA8vCtqUcS)EK7>O%s2Ut(#3i>bgQSTCky0d1iBL@Q}rbM zS?z7Dzd1VCwvzSo!lC1ygQd;9X!LgC4NMVd@1#uaGnJW#vs&FypNaeMDQ3?!d=(Rs z&I3L)LQWVgu%!l;$BcrA4b!fCDfxFl_nqq-uV>5Wzgp(B2al#mFT3!kD66~2 z{B2n2=5dJtU2x5ck;fxfgQm!yt9lXvzGZ_lok7$X(h;D{&V>3rj74SV(XHkjlDFMK zj5xu)M#|ix7`sAJ@7`!+>)x3SOR>yXM%Jq&8y!qV-RP0f_oPtEBEnx9q5);bNtM6W zP2AaN3YyhU!DKWGu`t3gyzTd5AXO{16xJ2I2F8T=bOGF9dm| z1x5b|cXF1=zTqiMFG_yFvPN#kuz5X!>LE%iGhc;li}b`fiu-9}{2WT(v!-ho7SQ;f zk>T6*H!Vj-7Bj4$GF%?pt5h&XIcIA-n~1A)-*0OYMsjRS(=y;bO`d*gTlk@&iQx=k zF3z)?8v=3#R8EMz#=IeJ%6kEpL+%tkU@xOE_f*oeS}L0MaNLU)S1Az???Q&-ptRR@ z3niJ9F&^}#6Wvu{TC&msU|a{UI(m|p7gfPKr{zu?NIux+{jT8^@0_$G4I;(gt5$!I z6t8vtG3Cy*2Q8u7%SL0{jErM}lNa1%nx{!CPQFeNT&T7bphP#d8Bt?#Ru99I@y3O? z#`FpG$=?aBPCa`gWKn{ZxEt?Pu_LD)Z>^%of>UFakdlZNI4@#eTAMXzF;P0Rwp~0^ zoRWV-sg)}4rplVj7e9d@imxp;WkN=$xM+5{6WWv` z`U?p=nu5hEcx~r6wCqc%ctBKfqk86h;F38iJ%6m3S`S=y+jFUC`R^3*?{zEf1N9@QzF#t+!sxE@_sn=?zln4%3ir1j6%NpK##m2TLv&lZZV(U>F zU!=#_c+^Kl{#d*_Oo!Xf0>Nf7SS>E@{V<4fUbtDVlj1R6yp8bcsGj;qq7m^hxr}<; ztx~DLtI42xmrG7(u}o<{;#`0U`B07{Tezj{{+*LzH=`We%q5GqH2*4g5z!opz+*{9 zaEvG=Eo^3lXp!z|KFkdmO1dc^i~#KP z>L^Vt@835IS)Lm%i+`$@eWZSB_9hA!{l+5CyItoA3uU|Sml;*|LC#xr8AkTf^`+aZ zgB}tWh6p0|<`0I48y8$<-kg~UaO^z|b;g$L+xBr$#JDTm2Z?wJFH32_a>W`S@Kz?M z*`hcB;K^*7Um&kOBW&$7YrsfKuwyWz(J9Z<*7d$nd#DEC3P@}7mTzIp6rE}fFC!m} ztOCuNRf~g6RtDZ8#8g4(M;A@1hG;v};-zNB9W>#ecIMc0sg)G@>bKPbr3zow$Upe1 zlLktQ#$hAUvG%7q(U|pu&ygRQ|8@@Gkxrn&O8icfvJP=R->gq1jh=Nb{0%^iLTdHn zT|J%8_xTjucJ&f#*ew#h>jHV}Afh8yRx4W5k(POBMuP)3o4Wy;*GRS45ov*z7KLBB z;=*BMww@Xi-(8lH?&y$*jlE{@g?M{<*12UdUvWIC6b}28v56mWXU*Mt60cLaI0_D@ zfuc0cgcI-5X7eduVO< }8Iug`1axN-?VvgON#i@^kSlD+;r|RRYFCQ`}&|;xm`( z(R~R6Omv*PRipH=wD3KntnRAzkxZSo0<@7lN~6ILk$0u6R5WvO{Xvv=;7;gby?Ex7 z9L3fAXTvGy_*hc*1nr9_y8)8GI;Gr@xn^?<(y z;sGEJ)^x#06_pGvhyazo=09bJO|$A}V;Uh-s&>>>y>w*Xdp>P2^Ey3YGfRjsrnsh+ z*&lUsPIZGgCd0rjIDx;Ds6N4qKA}seHdorxgj-}(kHYglo-JxUqy(@^jBRPvA6n>t zW8tP5eFJ5#ti+DUhJrV-h@>b#Nb zYA<)$SP#v8#FY}j=Jf3B5AzRM8DrH3XBbEF58-47R!48;4vpkKMn|Ju@gfRsyIKd6 zHi%L;&;i(oO@jtpGujxFaX}`^5L!l!N6P6M#EG=Ux8 z{oOK3cw@t2(!hah$dA9$?g^GWxDTiVXaX}3Cu}4UQ>LK6mefh6r?Aj(4K`O;OIR&1 zQY?YhBfDRE5(p3{@}Y8V8k0l#Ukv;x57%ydm@KWa3PNNt&4$m!}&88ODdCZE1_Qqq!jVc|QSQ ziX52#Dz}H~YL*)oKVy~aI&@R^lIPt?NzO2J2Lu;(dh6RqNfwZ8EEcw zS2pC8xK)jcDxG*eT)(T{WTjK$@$79ERmxU96#DCg%&hz*bskW}UU5QIxQ4o@2_GSq zb!S`fg#y*cv*zUF@`7t8P(2LEr_-_TCr&-ahT4ZwC26)fj|h@@=i~lH$30o4k^uu8 zEK6%bTWiDe+Pep2Pg=QP?0Dc?xlO_~HU*o<()Qs(UAlAbHimm`OSJx_@z$0!hx$WD zF6hATP6Og)Mnau~`+=rFnG9$4U2+^~U&Uc0&X1s>w(tLN8Cq zW`AUBWo1(iHt(WQ`MJwNhXTiv{9IeUggTJae-Y2O!S8CVy)8l}crqifnq zFy)Xp!J&DSeWUlg+XbZ7zWK*{ilE+zktPUOJ#Tn>b`~U*4Wl(+c|nkMVisd0CP=GG zPOdWKTj&a(G)qf8R?VY#^zJ3H-7!=mirAuk-{PqO6+X~>R;lJ}sm;BJT|}b%HZ*>0 zmi*zPxF37Jo1NUBvcA83z4<%;(5sS;ncH7~XL#y86*+DA+WNb(Q`o-n`O(wi-{|ht z8rYr6AMby+$WOX%@WcH>5beUizc{tMCmeUxZ)E>wQ%uMq?I*zYc=7-D>dcq--ybUt z3II2ryIHSlydv0Z>AwK6{uj^V*Y$sP8~+Gt8Lq6RRwDMXqBZg)zypz&S-yCl-+c9> z{8;|Mq4(+3t=uc$ntlSj)JB9(=6?d3&by_aV(!d8Xwd%&fOfpQGFNgZ&+*ISy$SV^ znq#v|;)f98*`C#ik`)m7sU%oK#G=N+ylKsGJ-()C+i0GkZBfEngtSN{u*eJ$fIk5WfkM+ScbG3rTk@6bbWfU3(n2DT zcC}jYRx~li`uV`! z>qieGg1_@WuZaDte*&5_PSb~X#)|X|Y5MW| zvD8ASb7RG-$c*{l;s!#sWM`H}HY;O&7qBj=OpBLQRTQ*lTG6vI{Gv791yd8_DsUR4 z>~!3!vIxM_andic9whDcRpC+7Lq#biyHrP?&tmZ8TpCg2O5MTg$#aI~xm3#^-@e`~ z6^^)e`xf#@E+sAlljLh^T>?ne*{fmDQL#idm52RpRHcbR)_m#F+YHg6jh_G+|F>Vz z{+X}-?O6Fd1ThUgc9-h6Q3JorjRE(Xp!bP4OI4H~DIBu49#8#O;N(hK zhTn8dpt;)a_mF??S7$^2@Rw1LBVUjp6_MT*@M=XGOl33mRvnC`ZfUt&4qq^}a#?t# zek7@Dll>I4WJvp5(!Lt^{r^M!rFeu5YaIqyw#e%Kl;e#5Xug!L=TP}Y7JU__4eCx! zDmWiVp%qQm`eHVW`(~*8d+jco($3tE#mkVlm$vsO-f*?AJpP`-c?@@1AKpJvPPtbw z`WR0y>rYqxsi)reNMkFWD~n!hB_vRLu<{~NZ=32}zl2jv)H(@42Pc!Sx#q3zNy!pH zk*R@gb8||vV)MVi8mv5jOf{xn-d-cgd;2eNGFt=R*<*G8!T+TGVua|^{hmm4u;n?q zM^ly!6YwoM3$9{q9Wi~kpuKRYKnY?6CMD^ou<3OCBb(Qax{NoMqbK(Xysnku@*F;BQyY_A=81!m$8o5deI9A(Or9Zqa*ezokA*uuPGbK z*3-%2`!8ux(~ad?e~`iTy^xZv3n_XOd`9I~Ojj7X8s0^x>Zm4VA1ZAf{sjD^JkyVb zE}ASLd-+em9qV6Gba}K3NQFCUPWVg~u&`kanXUrlEXIx3@gcOuIdDBim}A55vUhZF za@km(CnaP8s&7HvGtPRB4CqVh8M48$3Rz^RE;165^2#=-_Ki_t=Q3>%?BNidx?MXv zv@nAX#(8`asQqIx3(>dKYk`q$FbaC%Cc+$o)T_I({$H%Y^BwmYYU18-}8Rc_O18Z9EKML7a7%FRkx#BZCbv+A|l9?DI+C{CH>n8enkW} z^??PC5mPFXD_Z|f?Z2SHV8aXJ;o=q(`ezSAjAq|&}4FRCU<+RRx~kqinWIik8- zAsBSfd>ATa8$t{S9Hkh|Y|Yj9aL5UJ1G{iMqbuo3K zkH}FQwdk1`AZm(9ww$fO&RU%;2z1D$CZGUHt-}q+yex=IG{))`mrzQyB{G)?BJj4v zRBgd=g}kypWH2&9DXNJ9}E z-+Ui$u}k~aCABd9ueeI$CA=3N#dLHtN;uD&aWjXQcSq~qAFYwZ)MNH!M5gI(@*uvN zXHA`|{@Qe!&1=6@Z#l+8M`HGLhs$#8x8J8L?;JnA_xzXMWWGfBTjHmOn(7$ExwC00 zF4;y?Ph^QdMs0q!3!kc@kZkrN{qG1C89>;PKbU)+4c^CZD-Hy;sxi0Hgn1d-98H9R z!HSj17GjAT`R2xQpsmK_!9_ThA$vzn~_ z_=(V^Xu)k?hIZaGVjxm(m#QnTCxTqJf^2L7zJ+5}?glAP#b!(yxU}U~q%-C~xx^&z zI6yl15p8l!V)8J_K}9`9eHf~E!Dp`BHjt;M>GAHGn+hFkxB=ODfWLSuT0#{+qT$eC z4;xVnkR#iam=?7*?-ts?6iTxkTJpUT7(9M}Z&os+%)X@)TlVR3iHz_C#-Se*vhsMq zY7MRw<7Vf{4F4Cu&I-iFo`Z!)1^Obf&fj?c6Hvaycs|a;Usw+dP$surQL|B65w7iV;AY`ApLv~wmTJWhorlN~iFFR?Rk?Fl>H_R&v3oDykv0UcfxxxBJYn5 zK!tf?PIK5N4f4UdFR63~N3tabUg+jE9cXP~Pq!M*auEz(XCXGVZp>n7VOss`jY~vArTR&*#xy6v+h|0MEJF|X$iu{SH{0Jg|0fw|{+epi7 ziFy(c!4efqZY}`Y0w=pS&uWzvf^M{!iI-;q4&##H&JjldQ@tn$W7ZmTyfP}@KXBh?1r55e@l4s5 z$LLonXr;Twm*iL{Go*+{5@gvVLL2s?a_qP?y4undR%X_PB&b3eus=zlcEZ)E8q#Z$ z1Q8BzGx3L!5^$LL+wtpZjQb*yI6o4VES(N7qT$$to|%+tdQj;tG{k)3=#Jn5wpN*< znwiqms@1v3lCM{?iCdlvCBP+aSj4574<*InF0ep&zP)uxhNdCLX(i(B$0fvu*~yHI ze2BD8+N%Z`zUdf~&fx20VLDIxCjb(qScc)FWIENp^kH7>vv* zSWaq!cwcdRda{%SogV3-+WSR-lA1QnJi71hJceD8W810D+&tQ4e^_8HJ_NX2YahAf zZ)?gpfQE6HgtX0yS14@Sn~ZNQ%y0Q@SzI+cK^)~IMp!8rp@J|#95m?zz!@#xY3Az!YEGCBKzfG75(o&H^1Zh2jg+a z*=W9$c=53Q{vRHR7r%tl5`Et?+MJ807Qz^(bp!WLZ=wwola`>4*pq^bay5G zA$k4gF36VnNn8^ciY1Bsebl04pqPjl@>CGk{g~m6?#H!sIwxRmVMkDygiv5en>)Afo$c zIP@b%tMU>CjdTW9*iaM^t}+>K7>d!4iu!TLx9UD$S2?{20cHYoY~*uZ&rt)n4Hb92g;IAuX(hM(9|hIM zTq0h3T>b<&XkXlgt;-d;&@pQlFtexH);P4VvUu_0R@_z=z1o}jRLOFm!jjO7Rk7NX zp5ZpddZguMt2;N2hjkH!X$mPRQcXigSnMgPq2ny&w+>QmhaY=Y=(9y1uAUSqXW(wK zPqqylb{-R@n=i@aS_O^n#}>Qh`r#XI^H7#ZMl*Qfwr$G?jtqv~&1jZNPTc2d z3f)%LismnM4JtlEGSQy*DI!vnz5nJoaTt*@JXXC>ToQzPG;-AGa{_qtR^O zlFSdH@o>u!=RE$8>0U5xa}Z&2!O5I+2HlD(`7DeQw?-RxJl)nmBdn-RRjz!jh(wp} znEAm#rOHc)5d3R4;=4u^YJ6xjIEjI)1sm^04p${27iz$vOKBAE3SvubS~A-Rpvif2 zQyg;_vKW);Ga0gojXHp!KGsP$o2QxLB)uxWR3su!uQ4gt89crr=7d~GE zfKZ_X0W84&8G+tyfCX(0t^C}lmI{f&neJfUE_o_u%zQ7^aoR#YfF4o6+s??_%Y?9F zR$G%>C`l%(5_=i(qSqLLF+Jx%#9Oj3IO=0rG3gXO`R#B1eA|tGR-yRUZvl&Gk~J@H zvf}WKPy(%xLL_1%oRxWJ`vG7oW*8I=VDgmB+1Oey6j?^RZxg94z1w!y4H=c6l}%XU z?Xbh^2P-eq7q-H-Rsvb=n?C}#Vbm}{!jVxH zbe*kf&UMBnN*CK=le#V#Oj^>p_j8m0-j9-%m5&H?yrNfLsukOTM zw{<*#YLC-&6PGSP$1GPe206y#XDD8^xg%Ao0-0$1A}rxbLFpyP=DFFFjaAD>U-`QaF+GqHIu z^ygSLCX-7teA%nS94%Oy5D&WKlwAGKb|DlSEyql@u{0hxXot%Tuyw;*yes+jO8kPlAI8g6p znnCglQm1)eTTGlVs7qFpYP`S5h)3I^hFlM*eM(JFhc$G^Hek1Vzg)Zh6{{n>WhHq!IrDW(K!nU!$_v3@~TA&OTKHz5wy zj~K)C51`H;o*c~Ufr0LQ#|L1jFfR$+WhQz3>lB*xSSB$KiHr5@xDpU9cBec zHq|-cmZiX!0EF%e*$O+GkE2bEyt=)$_!TDQ>OF~Gd$8%D+2TbQnWT-XHF>3$ROm(i z2<&4^aLtUc_8DWtH=;)phq)?kTfwz zFNoCkYf=+rxzA)-?&FwC@g(z&4r=LPd9 zo|ZP!Qab)qZ!a@>#6c@=@7OUyxe2=t!gQIeSXCOEj1P>ku-uFm_<=p^D7XzBIEGG< zpRazCmvjFi@vnNzhbX6^qheA%Xhf!LVA9g&z2ZkTF|#%3RP0@0ZlH|drN7(pG|hN) zC$8#d0UD#s=Dfjs?peJA?d=Ykl7K9huJzO}Vx1KyVXF6HuAAaCP!R zX@YH6pW$|T&uo>JqoH;Z4tMKOh3f{xE-qP*_Q+C>~^Lt&6;%MmE6hDy+seegYED=R_wLLsU-#S ze8%>?t&mMC?u3fdNaQfyt_K#=VGvT>(mUG%dlQLbD`3QosF^Do@PQQ-fo`B?O{mI+>KGxf|czI%M++tAlI#Oa>#cAOnWhIGy@ zLfWv}?;Z_zFuQ;JeAa?=)o*T;dI)yRP%e{LUo^?rRxe3RX+_dlC_C?Dl{pnm&Fin8 zF{`8B$TrVpMPQF;SBcnoM)d~wz)g}mM*2e|5e9Ewua%*_gNmpE$!lQZn+w&$@bOMD zxet;@A}efgaW#Wc*FqcgWHHyy_AcM)NCdKeWcmf1e5Xe~OgqBoXg?lX!|T1NfX_`1 zW>p+(sbxl0E)#-}E zw$5K=1baoPaDqt#+Gs2r={V5}twYGD*zhZgN~RxHWHPJ`wkn-8=z7*T$*yTsgRcOk zwUEqoz9Q6TmeZ=bTCuz;D$Fq&#wl`VEGeQP?1@utHi~Q|2(`>1jr7m;w_luT_CL)Es?Jvp z9G0V4F5K2tq#=fx>xA3%#XobfoJ}H9cffnse%Wp2!bTEpS%Cu#UL4w{penAO!+%F8 z1&BDB;tzbm!`Dg3#q+}FoQtM?lGQTpEM?k~ftkk2;IOM`k=(ou*A7WBkw0))`gJgY z0HvoeO-sVH>JE0~^<}?%sbw@vfNN$+F}48PrA``k`&M|nY>4riJ_-C zs-nl*XMq+d7|UkY;QX*2Rwtff9Fg6Y6%X2TOeYLgd#uKew&$cYZ>w$%BFYC3^9%Bz^myCe8Df#2T^IXigYovI{2pDzcI|kK*h+uNAXv-X4sq~U}<(1Q# z1n5iP1c~>aB->t)(EKM3(=&h}pJ&-G6*Mj^SV&gs^T-G>fQS-6jxYStWGo{uQ!M01 zyQ#@P({E{Zm$hFADm#Khb~~+yk1k5{|Jb)|;VE)FPfS|5E`K{f=$3#e`Z@p2k8(xr zx}ZCT%Y7X!sgV8WX9{ZLNDQuhHHEDl`39(^Cw)mD@z<-}+eXf+-hQpbv z&HRcl(K%SF9SZ~G`id(l>_by9cnQBJd5HDI2iSox0!Lw0p){qQ^+ym8M4<_8f z*uA?W`)#p~3}d)%gDNbvmOQPoWW3?&RrlwJ5)>?sxE}nxNc?k?MDCKxS{O6g*uKwH zUPvH2>w-@MOppR!B8E`4xCuhb06kYrRv~mG!b4y$ys*JUY-)q~wv;%Dn~9%V~_gE~M!e3pFbg^kvK z5WV$c?z5pd(Bk4w@RzmthtTsvV^c92lG!N{;7e_G-aQsBTiH;dQfeBq=}pC^MM5=c zy_fgnqB!^W;nEqbXtepK=+GT3v>{NwhCn@j7UC8tXTvO-Hw)0?SkuDL1m$ek9$Oy; zum|bLXEnaWC2YqNpK z%;*Zz4>`ZZ{+{yR^zOn5#l!O6U2G5FsL5*|-;gZaQ~qX^xt}`8-_@)Ll@{Ezt9Gwt z`{we!`cFXW^4q(rIniCu(w_jPMy0O?W&XpbTK3s+<6S5*s23KMlHn!vukd~&Qv&Tq zfSR1ErYN7B{uhL0nJ({2Xg)OF>w6u45~H#7j9=#<%&qc*4N&2Z z#O&hnZf5k<5W~VZK0iS%!tPtbl>(MCJY+%DBU9-|o0rxM z%X=o8t||OtplX%5D2~YJ_Gs?c=1Ark%E4fIjJxXgp#SuA;*E&!*Q>KhbO8<=M1da< zR~20C{~C6Ee2HW}@;qARO_7Ar?XOt-6B!=M=A9N^6w(`%lZl`(d8BQn3E5Oe^-|TM z|2ePniX9_VwXA&1|3UcS*K5214+fzD;2P=({(xY_KTNRy<^y>y@@Zh0#K}_3btAvJ z-%NaC_$g>j2w(l;IM;=RjvYjPg@vyM;YzDFJ=kBb9(6cDXXt4*uA-qh@W})dpqTcs>?6trImdj<3q1prl+DQZNCjXttFJwiQyAAx@{}A+bSA_pB zS`QhxD<@e$#V?0{`84ql;cS1<{HGWC|9QCKUxoGeKQ`QL^kC8d_viaZ|IM>+H{tDP zvZ8;4efv8?3_Su0CQdgwyMloKUkFnFQHf3P!}b0^`OO#EuWq_}{5klO+l^Ak%rNL5 zqVL53>>sf)sS&}{kJzE39Pod(OaHs2`oITKA%R0K8^(wjxWz&h;+J_~C6voC{H9KHWI_ z>f2cK{*-NXjHS+7%LutY0qA9ds<>qy-@m85rI%}Kv?5-9>YXv3l3x zV~>c$@0rDB_%(>Mr%Ox=s2Nwl-=n^1cjld5G37kEXNRTB#U&`|#^0kHW2yLX27ij> z!#tsl&I$rzZ8S|WUX<*{^GRt?pk5FAi!QII>l6zGp20->+`wSqo=V5J zMZFY*Yd~9^U#;12_Ipf7!-Q}?bG+f=4}N}~D#vjbVg%=iPVAomM(a(wdZYM^Q=gkQ ztjX7bz1d@2dkGm6QiDS0(+OIakHgM&IjM57%>35_kygh1+zmUL)-g(vJ1HFBsHZc} zeDmofC8fxD#y4Ew&61NxkNa?5vc{fCf25`0_kD!(=*`5lA5@?!-ztZeKmr&L*4t1)qn7U;5mudfixxD5z0DBn>_^;Rv$ z;Cj9;g7+W=#&1N*P+GEg=2m?P0$~5}J7mH%Y|n$FA+t>iVQn;MX)_}1zfJ&;OzgjO ziFIB3QCxXF-r5~oF9esK32%BbRnJ`fJYr2h@uPbl&Ln14hqz#U8h^#~Pk{Y3J1HvL`$?soA(?|VINFRJ3;-K`3XQ_Lni5*s-pT&W7$Ubx!R~C5w1OU-i-!0KuCz7U#^4xb;kcgPBJmi zrMBxla0(3FWdD8e`{l9`FrtFg!u4UAt@8lq`!TgPb2Xt69HHwc*pp9s&q&LD5A}H$ z&#@*v;C1zQd-VDL3>apkS+*gGBRFg2h1QegbyF!~U}Xro3zFW+K*5+qF@_W|`T-ZQ zzXXIxP_Ui!CQ>oPsrxm(@(R90qfRo*2UWF;gw0k^6E$5nEv|2)Uw5JQUbI!Ic=Dj(5UK4hZ{e+ z7V^sgGh}9=GPw)nGZ!Rz2fpzx!C=x(X@WQO{o5MG)ZlYSw*IDMPuS~W`xF18Kpd{iQ^T@C>Hr;_Tq`Yy! z)&B-RKQyctQeQl)6$thD^kTt3LOu()Dgp*?iLoyNcjD~ONDx3R^4DcvW~itF9e8g9 zq440(wq<2y8ReL@w+_L`1${4t;pWfXcVDkBqPyoJ-hE%iQ-(4}b-GHwFhd38Wm1sb zbtyj@zrUX5M2o;bGQuZYpp+U~jb$a$56GCGTLi(54$?{lvU{@PvANOn1*T?`4+50U zt2I$5-*Bhqx^2a`EU%xra}MkhSuBX&n4PtI1xAfh1W1V3dV=-av{ssfIcgs1Qty=m zoQz=>!hxq|Wy6^A=@SL7c2Bc!yQ+k($UFm|q55jPiWEY0@nI> z&EgMB$HVE7`+0d5$B1Xj%eFEH)DQ(QZm;H`0>EZtcYXTxj-LQa-3OcR3*wJ^o_q=a zv~Yw!^WCr!4LDkz<#!>4ffV3(pN9g~@~<*8#yNfRaNakW_!d&R&=W%SVfw%#zB?ci zn_ykY-v-ShfT@T?WDOlaF!W^KqoXF96J_EBcA2UBsUrG1kQm@&FXPW`<+WlM^@h~) zaW178@-7QKq8Jh}sm+D1Z^qEov7@bP=mqqpQWYoX)*N+GkWg}N_c@WrozPw50y1&Q zj7WD+9KCppnA&P^^TcCuf-kB5=0 zqg3_f;jG!zvLR~=NGUG$;WS=LjQJ%V#OKRe0)Xa)?UjuBv+B5)7Cq&S0;fp5A7jgY zY&{Fgn)UbeK~lzoLrye5`^*OsxmBlbvle4;`dW0~Q_&ds*qsZTj?$r{-z!}$kXE&+ zW;gr8e<=+bN)p4FPh}vSvM(>J7aItbv{D-dw}A*$Ii#P!Mx4?6*FORSKU^Klb-|vA z7VLM1ObiVI?s7E=8ff>39(4iEVhB+r2CG%eZ8L1msv+2f!+1V70vEPw#JQMK!C#K^ z%&z0tiCg_ECr2pSs=~B?>^?NQGp4*WQEvmx+V8^;@38jEAG~ZOG5eDGJJKBuf>);a zFr5l#WQu&g1s?r>{zDnSf?0b{Zz-7X{M6zLN#?r_N|5Aq4Oa{S;Qdd)%NTCVEI)DE z$NAdBIVS9}1%}n1A90Xx3H$^Eriu1piXYWeAfL~*`F*jLq0Q80U~af#`Q&ki1bVW0 ziys2Q!MT3+#rlE!H9`^i56j^{md5wY{u#13cBuSNVzFcDfs(!oZe$iSExs@7t#E>g z2P+eTzRT?Ls|d}mlgMmHuxcdRgE#HAt@LS}lOQqYgpA&RCEvP^chTA@wf82N4BBGN zF~i;D6}n=2-{XDyl{VO^$`AX*F=@kB&J5~sKLm6thv5Vy$l!j6#)DfcpyhGXg-mAs zS6~1D{N|VW5&SSMfKd)Iu)ob{AqnLu z4k!XrccWds*}R!J|88~bSAQq6WJqCO{isPRe1)m!GjN{y-)O+ z!*?H=mJF(lHq&n{?n(T^j5bqmEnbosg=zgC1S~({m1~OLghkPk$jG9-6X0yY|2Tvd zlPDA%gri)9g~arI-$5El2Mg=Dck9)6m4e?C4U)l+QRiIi-&~SBs382Rc_0}}%56PW z@Gm{HU1G0|4GO~1(nI{o*@R=OJ{nLU=rgu)&3*cDS%Q?oEHybb z!mmM{IiSR5OnnU*l{A%7VH90#`53qu3sok-@K9A&heB7`rKl!@gVDOsb10R^p%yzd z8nIydbZ`{XW^N;DnZ2wYDkbQ6h;Eo6&g1g)$mv%IFu@NWKb-+~W6#J(L$o2s41D`hcrP2U`G2Pn}7|5gg9%Qes&R)nqySXk7&M&fLijic-lR?aAzpVSLfCu5!O%b;)7yD-MX&0wA z+U^aiQixOeZtJbW!)bFe9XgyH!S3H|9z0`Zg-E`&y0KslD#nOQ(XuaNnRMO(6Zf0c zS|ecY$HrADgWlOX%<@VHXjh!TH0K&X?tqJ{k|ph;dWd`FTC=ku$tE*+Ztv+3TYsZR zrzLzI+^2#*_FYmnORo*F>%)|o^H0F{Y|B-yWf?zuI_U8{o;h8&Fus}Hjvct#8D&pS?PZiSu@fQk+{+JlrOq?j{lwBs^fo2dV5WgSeQ$!DQMwM1Co+aRc zr}2l+Wx1b4FR@UoBC2L1KCoQF=xl`uR{{$qhXby~$%0duqzf|g1W@G-4Ps>{hc{xz zKnEo?QE0sa&hxWOrI&q@FM(~VEb7RV+iVE+A>~u8TFA-+3OwAWGEFyPlvFh@lo6r| zh&hnTlBeEYH$R7ixXE-R2(VQPdF{|SR69YK#h@K%28dH&6dL>ygvqT=1*0}#!4Mun z43MQuc$qx1t~>)>s|uRW?j|o{q`6O2I=SdkhP5JE->t-nW6bXb`^U=KhFJ+fBKEG+ z5`@(z?>5YBv0G`_z_~Vph#QCJ^zvSh=L!8=@cr{N6TtFyAiW6m2CAdp-U5#v=k2KZ z6hLv;R#XV5MMx7Y0VBCvHCMH1sx+SIqbaemacwRp;2lCBZh5K(vAQ}130@_9jT4e5 zT?JT(P<`dEsBBK+$;#JihVhP61G3KhLY-JMky0x*YKGDfOSlJ5g|Z6+=Fz=teky4GP6k9K^tkvXRu~%+pP!Dj(jf=g85n94(JliZl2@*Y3({E-qd5B)WGP!`->J z$99x8TfY+B3RF53u_Plc)j5`c%=Z;SUx<$**V)#Z%P^K)OOJZ<`1VO?*#r`{NLpE4 zLGYw7J@Ilb%BLO&TrpeCXbZMvX8Zb8sTEIYC~4)pQz4K}O;|SKa{6a%ma*r035d(h zVq;CA>~omtqt*rG{p}3rw}lVp3$54pr~@ zR`B_W;aA)5_!&%Z1t;2$MXoBokJq35FM(HoChOI7SKA_-x^=(Hh@@(~Ynk`k*ZK0w zYR%(~_x}LyuRULX2;GX+IKGOjL1apas}8^C8d-n-gyQYLO!Oa<`o9&bIPnwU0*3TT z$4`5|__W>ggxnUb#19D@uzSnyKKV}6oEjdVY<;1bww6l{)I*J#e;PiI?rI0gv+X|9 zlR0@}me1~LV`2f0DWHtSQN^MUmwdy$#%MsF`vj!sw9`OFg^MJ|NYS5$^&DR+Nj%q~Kq=KZX6u3!D1 z1cM*g==hR0<6lNTzc&2dd_EA4ii^+3=SFXf71=7lP={_CN)E_HUBa$40CsiKb*bnJ zuq6yOs=)~q@SH-gUejy5D7{VI0UFQCQZ88(XE+9{RmD+CdtlSxi`%K`#$rby!Ff}l zJ_bY(lfkk8#yPS1CfzbLoJ-cGfYwj&BuZl}gzq9O8}7Xckj6%nILC7HAl)K-Qhcm7 zs^dtKRP0g+kK%zEz1WLXVVU<)%B_nL&iVF}6h!2)qYuZ~{1Y)>_w^o)n8`@L#snLh z*f&NHBup;HE)$v&j$+72m(v+!Z%{mbKLJ2er``lv6qhr&sYXyG>Pl^m=h*=+W_h{> z&RMu;6#gTpchWqG-rdaAe);2RddDYWj?G?TwAzux95<3}3K7W=#v>>uHT@5+l1BAl zAe_KC!lcI=467=|8bC#!+!^zZ#sEm_FTOF?z(zxzCmnUEP1S3Wb3nS{Cu}4A`Z5QL z04VK}7>a|Tw$(V*&NHX^plt>R7?4)kqdCVE1{y!=dZhR$9W!?J4L}?ZB7w$a1HjOy z{0fNfF7f~LII&P@@xxvmTUr?~_&f=D|JGyzPB+r&P5CKPKdO)fi+hEZLI#+xR-&3rp(iYus&L)0nC#(yzpfD1Y&BS2@Y(R>y2*jz-q2Zy~k%v3=Z0h{OiU3ln5g44C@a(;KEYOG(y9hkoQ&F=d7HKJ zaiPWqp-EaAS^gSWSi65*4#qN zuY#A_>FFPY_|Q+Z36zJb z^lhj2>6ut3X$Vk|4--x|$p8g5$f)cHVLu2FRWzGLyUok#8@n{X*gRu3Cg$Vg?z?@< zj7&04$}w_-!sm4B3KnME;**$Q5zJZK0BnR>fZ!Agli;IO+ob+PE6W8QBy5qSR@cN-!-6czY!%1x$^jL~BVay} z0=02yoZ7>*B71`QA_{){1i+ADhaAWD9lDrKO3%_&2B&0c?NyxzC>RYBsF2z*OK4+< zMM46lJc7UZ-fK4`1Q)s_$k`zhtBL`oomD^G;=e?=Gt@kLwE4c8WbNxO>$c}lh|f1b zW=XVM;>ctYj5z`+y`{&AcEiQBJjP9k3W=9MOGx88aWhQq$BVs)j`T}fXk^m%)X2RM z9Z%zY^5Bw8{TQ#oA=0HH%BY1y7Bq>v(gMkY5(l$#q2oujA>91h_`GD+1EktapdLzb zd|>k&B5_PmRA>wz3+CfU-_KJ7w6xasz5Smw;FW41{ z^XbDX%i0758(fk5I9QTIOw*4gO+P1{*GQNsab(Y?AGbkWLMcJ4_i><8C)-Z4gnb;9Ky5&m z?wi9JHa@I>5Zsf1D4S0a-6yCK%A^NN=16njni4U*pJ#tPcsd*QL5dt7AX5zZE1!-snTm`9`QxSaRad*0o9cTVp4X2AO=S5Gl#i5-{IoxMn!02Wdk5sk43US70 zG=5&#$a+F|KvD86Y&T#9mOnT%F$$HKkVGc z@Pi=`{2(pBjso!CgWV2#4U%E(nG0JU6OG=JwO+hBOFtBD|KhS4k1c&Z89omx#DYQT zeJjD2iwJh@vC*N)l80US1S&8@v#J>2nbL?Ju9*T%$q4G5l%s@$X?m7MS zu25AKG_x97_Hf9t1&Y(RVaxp6i4rAzi9lwl8x1vH_khQ2G}3Dx72!;45RF23-+3-36f%>nnY+w?Wvwg4h5S7c={+^s>%3r% zqCo;scSFGL<_E6FGKhE=*rI-+@@P>lo!Ci?`^w9ZPF}8|jmF*J4#1|709?&Pm#RUB zOJ3I(O(~X$et~q^ifk{8(hzFh&PY#os)<@jnXFG8tIbmam+g~@r%dvIpmWP3(!*@& zHLM?VuB39CR5&=S@=jh7M+Dz_W9U-JP{;X->VQMsAx4L>hpqdsmMplbn%_(*UDB6g zvW#<^g*O8b)e;ve*WAqXGbDGY_1LdpIR?-bI!`(eT39l7$%Yj*ZfxVM$r-U{L6Yrs zhqk}ERLMs{nNTnVzm*~fAtcQj5T2jHuHtZwFADF|&p{Z%tsY4?XjPE)THW0S& z^K>YdaMgTOVG|J) zxb+d}mg&)qzLyF^wNZmqXoe*4>)zinIX(T>Rhj_6EhfRFx@ZVVO^QX{1Vix6plFHb z?6*l|N+!yzxqR>%zf}m`H_J7oICN5@dbj z#XL>Nd4o+R0ln!is5;_qUO3qx@yP#I&XtBk-LCP!nK8zUWiZo-DPzsPye1JZGh;Mp zY?GxZBx{xs;e9JJV;kErCd-LJk)=pNk;)*IC{ZC~cx@GBNnS;c)cMf)bk4VPUFXyD zT-W{K`SARn>$&gW@BZDbdTOHc;W_kv!hMJqvOeX(OHU=3tx1D4Vk&i<-D)gZMwucw z4rkHg9N@|CS`Uq>7f=9&PtRJttJa*{*!~;?UpOtOZ{etv)R(3AZc5&};`wSP6B)DP z$2aAmp3cGz05b^I5J+!1KM)uvzS5l@VZ!g^TsJIPXdEvm#+f1y7uW8GiXoF==3HoG zQV*<_#SFrSii)=I>?Px^5g1D0eu?%w01SdHRT5S9BIt9XPTG_ZRkAB^iJVlU&Urb~ zHMFD@#_}J_Hd*MqPY07&%v&^D8Uj^B^GKXLKjk)7{^p5wK65q;fk7He6YAtrWTV30 zi+6UJ=X=>&3fYjl_LL;yZ`1n19d4%gQ-|e=1-NW2`87edVCkUMw)(&w@V%}_N`$4| zCo;o?>mEml@-=)9IeUYS-J*zTe=Okd4PjAUjG32P1YR`s-p1foFmH$nbW;ps-TSkBqD~ymeLn~Dq&2_-N(@BFCOM`oi z7hsNF!FdALPQRK{OqIc<7%`VsOjUX=fNK=t*gVVn>-o(32k%BeSC<0H=k(CDO9=on zRQs_gVV6UpDsF#qI52nm^8t)Sa(Pu^dV}PjE@bLd5KSt4Q5-exAA54Im062wv5+5W zVE|7Mt`U;|d#xz5ok!s2ay|IXzq5PoU)|!HgKG?wQ~VRJIn^f(hNDA5h|a7fk0gBN zJbf|5>in4e%NGOnki?q67?OmrD+^tF8iy!x@ksN)HO!kUq&KqQhH@W>eYFU2H(UX< zdc^MQF97CW-GgzIv`QPOV24+V`mW*_VG|#lxaBny5nQSVl(Y_ zQ9>Od7>Uw^zIN_yMvUWn&0Rp~5jey(sfa2+-a^f=#~BqbVCesINe58Bnu1=_>a9 zFGyg6{kZ6a)R+rajYan@OqYH~W3H_*N~`o$Mn`ar$f3SPeH>m{CC~6+~cK z!jp;Ns=6e{u;)%Ya$|JaEYrwmaRvI0!5Mi{S;CgRZ|9O1$2d(~J}l8~^@?Rg_xW9H zl1Y!1*u3s;503BJA1h9?LP0M3?26QjTd#~=w^NJX8(j6mPb6=5iK&v7_6s#P-Za=% zv!8j1In==NTnSM4|ek zZe@#RCd{C2|5Uij2Lp*aW^X%gKa_0+3-;K64OZLaXJkcTZI&Z3EoneA1OSPu>PUNY zgqTi@x)9u&a`5Z3L3npqrFDzNdm)-uT&^FkTBI-7te^Ch)NnOSkQ%FT0apF$uan?I z7=wg6CV^>;PZ<`O+gu8D3J&dXvncZ~(g#u2m4Ih{qRS$b8sqXKf$wCxZ`w% z%#gwMs%9BKX-p_ikQfhNnrweMH32IHF(h~DZQmCKS7GgYw>=>H`YAocePyl2^;(8x zviHh~D``vZ8tu;mL6Uq#6s8b0&C zv_1IYRay3r4d4FoG-TX7x=OYn1O~j#(^sc>~Z{ ze-PnslWtCbWVr51$3>#?6FA+&!j*(f5X!;5=_5f_tWi);GvJfi+qDgVEDo+ump5S0 znxzxQG47t8J|K?Bj7e8fuNxp)t{-K^Q1_D$0=@i}MJh2?F9M2uOB+UGdXzLIQxumG zMb!_*VaM=%m0`RhX}3Me!|>*Nne0>b$N+nqPTRr;fZr-h;WxSZCZTxlZn1tJ zNAI6q|GEr0R-w7ch7K*Xx2e`;hx4o}E3Y=T2+jVq!qn7BR7zIcbq!7LTG7K#q7Dk_ zo`;VP{It1fkk+;5cW!pAY_=ADXQ9NWpXr=#KR{7HGJFzpoLyFH$;pyRmK=ruW>Kxf zDZ$wu4~6fq_TMAgSz_60;{|dWv@ga#%?Is5 zk3r-cJ-+1LYdE)a6w-k+N+%O3MhC}f+hynw-ms~K-oBy8B2Pf*UDC~^b)OP+9!5Ys z)4@C4_C{gul%{}cTOq>7MNXbgM%vWCl?QK9{|I%Kap3=Tx9hUa^}@dDrS;9hrJELl z^>u6!+8r$Qd#nAPn(ETk3RQ$o(T6?+N+egR@&%GA7N4^3zIr`^;s#SS)4eDDd~980 z16Yo=hrcmaChlupXqJA9(7HkTS6qY+wGDJj=*Zc&VVWU;y>?fZdV zoY5H{?5If@S8bx@tr6Ho12%`aJMS6W9R{Gb!~7$ddH|zNI>+Y9r||D@OKoCPL|$BJ z)oLZ{j&~dy`)c^3gWJ|xOrV5vbRpR=CuUJyU`)u1o%{LJ*8IbKjWmQ{%?D%eSV{VFiyXtKY4Cd-|hK;aE+wN}c08cI|BHP|uy7kEqYvOyr(v Z{4k6C^o;$7%T1mJ6>%Wfx!-JK@SnSk?EwG) diff --git a/src/windows/leash/htmlhelp/Images/Leash_properties_leash.jpg b/src/windows/leash/htmlhelp/Images/Leash_properties_leash.jpg deleted file mode 100644 index 2358a6e84ddd0c12aa743b929e51fce56f8799eb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 26797 zcmd?R1zcQ7wlLmkaCZyt5Tqe!f=lBbqyq#9?h+sn2=3arH;py!mIRmJ-MA$If(8gd z5&|Ur$;{5|%=;#0`n9F(&Gg4MQ>EdhF ziVZMR?tcXsc^J`1j!56U3xbK9Bv}Eb!$k&C{MQj=!eL6b)FwhG#zmO#$>Brlwwl69 zY35R(XZ4}PO5QY&zgNzvki&f;QH+^vb;M3`0|mxPuF>v`thkw!e_E}|_$t!wMez$s zyx_l+F#s)|ev=_~M6$10qjk_VVB%G}P@}b1L!}~(y8wgd4#}&MA?22M+j~(;F@qib zs5R4{&DvMK9eAgT_nz}|Hc9nA(^J&XLB{mf7+(rYc25l_nrS40Z`zxTgiQO*(mZf0 zPIaLKHQD9PBdrz%%2 z5=7#wZSVa4PKoW>9pFQqH}vpod*Ns8Z;^EEr#l7Zx&%G~?YZyg7NVu#@#Y}v@Kh8B zhqQ(1sTsj>p$Pj&6GI~EABEMSb?m=NWkcCd8G4*>bnx|Jy!G``T(!@BCT^a<*mwJ( z{Ad1*{qm=RQOHHS1Bxr%>HP@ZE+4@>kqv6c0Kxdolfb<4Uz_#Qb1otk+?u}A$$#95YWAr~AufEg=UteA&DNuobz=510;L7+Fu@)4;iko-V4mo)CM za7^KJf`{XX!VSt0k+q7vGy-iLt5jAbGFH=TA18OI@sd#agV)`wY%X zxhLy0WMcd@4`J(N*Vw@*^os-}k3vyRSE^<+{jUKkaT@JV$|jY^ec@Wzeg@!Y#?RZP zq~h?bCe%#!7Be8;oOD~DLq-f{J`k2VgQO7f`@n_*2;1gSQ`Mbd0X8ZxjCSoy5ecuoC1n5& zU^wijKAOIybnW}F*k^YXPZDDu3AUf(dv84%A=Oa7!e5L{DaC!Um2u>87BCbEZq7mi z<5^UG00jh4gY?gUb)|)(VwkQ)P6hC7W0V#Lq0*}-Wv#5vuW3D$R+4{46wQWLe#iJV z=iiLrmVX_22+Z10#d)6?8}_xUE$3^|J;#qFkdjq79^Sc;Pt2lG?ksnO9NJA@8~C=z zsC^0B)o&X}4QV~Dk!MO8wicqsi}=$BUuVr?S2pRE-cgmV8cPsis}3vkfzz7rh?rXy zj>F@sqOwj^Y^)~2r zWUsgeJP!lkX4#mL@{df^{M&s^y=#=ohgj-WZ|Rd`kvlH@{JsWO|b@&Nh4dVMWVnK6-oKMd$46u0`he~&|V2b8N% z98}E+=3pE_nKrCF1H|lDPZhH)wOe^_LEg z%u^Fn`qO=H1Wzc}-c$YaoA*jnLnK?W-n_d?^b(>w+(!2U)bPhPRe5my_-8rbPCDFxh zKD-mD;WHcC>YQWxpz(^yRJ&b~yTl;Wdeh4{u)|0fg{(Sp?b7tkKpIuaS6AmKapQon zDw~vYFd)zL_0hKme&@BN2Z$?;23%vxrzX18y_B_do3q152T{nuKp_$-$u7sXr|HiQ zsSnIwu1U9iE50HZd%{+It~+x8^Gq`|3Y*q39J}LkhUM)HUt!PAxVLsNbh?)F70CfH z3u9}bT1929d6JybY?3Ta+a;-F64A45lg**mQ6Y@;fe&{vVd_`9kZyw7;SrU7V+Y ze~3DCh-q|WafX|F=Yi<|jgbO8Z~c=_Ja6HvF4v_mA#1_UYl6{AP;?758$fAlgKX^; z?fdrmI$Mj%U*O<0RnbZ&>*8n6x>GF9?v^=lT>~_K8SGfX9ZIU4F~APhk@C6u3-1PS zN7VAYrEOfb5+`s>yN$E$q6vpoN+MB?-P%*OC3tZHv)nQy_i?<53gdZnj?M?p-S=iK zj*Ove4BX=+kj`h#9E-~~HzOT*8@dVgw5$2t0Gb0+!#+9(Tsnu_QbR+H?4`B7h5bdV zpFc{YmCzYzHTjk|5niP4uNT3kwCk4F0(8a7c6U&g@=8^CnjEy=q$yJ66gp&gw5qE# zLAs+jPhhr7OMQADrpy@;z@DRMmHBX3Eh0s+L%S8)nNRa_+TQN0`~YS$B0J#r#o6Of z+SXBgZGTQ+ZIuk{wo$2TF|pOP|H}{LFY0?du(>0Ddg-Z_{eg5@)93#r3iX-m-@4I$ zIp^1auPqaun*SiGr_=l7{VrzlN*w%|$eL$Bb~DTU7z{zQ*8uaYV-5dwL(5GzF4lwT zoU;6PwgR8}AvQtdw*7a=Mt%Jo}pSJ9p@Ch8JM5%QoJkQPUI0stiwK`q{q*}ih z4E~t@yJAL5^E&Nl|3M^wnK!qpMA_aF$6FFLSmxbiX_d1y0N}-01-w6gvNds9KW^`Tk=b9lz3lwCZ?iCEo&+{O9!A`p!a()xMA2W;VXV-5*(W3_K-nlQWTs=&N z5Cmi%eV@!P2d)A3(l@=w#J{vPzGdES?^PUw2X6EFa#Xh0c@1#wA4xB4taN#{7V?_= z?I+1=fL>qM)z=@h*4zD#G`ppjpQ7JV<^2FLuLrAx0voYK`lv$F8 z-+Nq*Uyb`lQ@r-GiA;a+KLkjuvznFMth|_re_C_>WzqH167t5%hKf$aBqK{Is1y9t zV(Z4%b{}P9Y5U{g-0a{8`~FMSXEjtGt`@#0&lArJ&c|1@Y8Yr3_D?!3t(J~FhSz6$ zTmzaO3<}0sQT-Ma+|Ye-G+ku&E+S(Qk$(zq<6nkSb3P_=+H114 z_iccm_^bbA*%-?ETbsMliS>GSHnavvuK~Sf63;mGP8Im$q0Mu5&^;C>@hYzYxT zHUDBy4IA3va0q#JNWEsXLCGYSdN6f2y-J1$o@I~zA+dCQ~YQJDz1D;+3lGE6FJN!;m%rTx{B41nsCQ`MG zK0QU{T;(nMDtpQG*;vgRM~bO6THN6p@Io9|M3%)yfuwln&NvpG^L#HxPJfC(&q^yc$rU4Z^j^zxo*EePsJW!wB4n!M$KLy< zd;B#l{i^yz$htoG~olS|c!M_m^3e0Aw?(PjI! ztY-kf4lCWn%)@xlJ*y58&aVkOGsRny#lL5fy2ROB4tY7~oX{gGl*gVZmE0CwrGW(e z-@uwG&2xxrnYC2aS)~Idwt9%A-FA5|sW{azjqBWv=D@xbcB5$-O1~lRn@9yPm zdrp~sPpqpE5r?l$i}6=eT9s%!*<9l8`hZrcT=vsC1XdS$yevB#40rxF76Zg~Sa^#c zX56ai@``djAwD4N$VcezP20jUH~`F(GU0{QulWdDoGB&XBVT1r%%3P5tKq5Zp<#bb;>0E^19mBYWqaoP!KmqPS~9o$_dLWkV5kC}9?P5GgH*)L z|6KT#!LIPdNjzd+O-?^zu3kumg5c@9;y$VxN+=f+JN)}3ID*~|X-ojjK4fmoCY|tm zwa1N?Aev^xjmV-U6?>=46+?o9Ll8~m?=UDW>~xQc=V;^+s|_FHxmDt{a6DpYH*0Wb z<8*Ap%l+c9dxzLJVX;-ZXIZ%}3HQ|}?ke9dwWTfoUr-P#_YR$-`XS=^%yx&_kDne> z*O+qCeWjG62hJdyriORT8r5t8cg`-Hi3ad_8gOseQr}^c)_)@^Hv?M77axCtAFy=qF^V~t*ZyGZsp2X;$}iAT>-t_K7kvFd6Y;ORBjAjf+_ zUGpIYM}(yI%V9X5*H%(kt%81;3`$VrJf2~xXx=@t6$asRzmG(#}nk7Zh zmbSHA(R*nzkajz(zK5faA!EOCV3$c3s;atZFexmcMT?GJ1FR2sc4J5#cuRn+ElXr% zn#oLqGpdcDR!>X=k8oXza2SX^qVk@kv}>hwD}3d!)+3Asy_Fvit2k?CY?r%3yH||NVqH-8CWMv*5ML0`1ZyZ=G(zXs~$345*;t5L!RzbFJqYA z(tNe&i!@SIi=Q#}ueN0ANz=ZyZtkVaMM_R*)6%_}4f@W6j~KC=Xz>EMJFw2`YKJXk znN|c0d@**gW3pqeRMV-FMKV{X)h1U4?(U;>sA7Qktm8H5ALA_icEJXuRIea!(P1$Z=5XB=fVj5pZ)w)H$uSW90IJXmX zH=EPxlQDDeTRU%Iu))LT22~yV@kNDf>eArs_wso#7+xw=sf?c zmcal1NV@1^RrJDR3t#pj0 z_&mU#v>szuUfj?Tlf-3`-jw7Q*G-Ybh9YYMJo>-~($I$l+dQB)v$Yl6iYVX1bsm_( z;3o@b0->sM<+&hk)d2J&MbH)(Np^SyV$2UZAJZG+(6Y>b)*NT9r0phYY5}UA{;ZFswS7dIYPEI=FK;zRiBRS>pgfSEjT_^< zq$QoHK~C zKxJ&2lC{$zLu?5!(~{zP|LTLiNyr=$3*HPsKP+I} zOv`f{pht%QgBQ48$pn7TmZ^GaHS%nm9;UNg!uR;g6s0z34KX^WE($GUFfpX7+C?u9 zLtjqg{?3TU(X;9ivkro7c-yk6h1x-?ROot`$zk6}3VzZ0rYl3lQ54)@4tIVn1 z3bD1wY@1Af^O%Ccvp45~Tbm)g#5`^$PshYzubNP|QcGotwvq>)cKbUt1$YLWs2Eor zak6{mz7{V<>&HaS!`vWCBkK(H5qruU3vx&b?=lvdYdPmidDx%mQ*$=Zgr-geITobgyteFZfDc@VxxpyOUZEdK z2?rcf$bZcEz%i`t#sFp5eppNT9=zFq-JyVKhZ3t~mX}4HJ~f{J z*l4yba-2ZC^}aRl=5)k^`1ZThRqGDPJ#u9|6rLXWzR++z_E~Z+XPDhJ0LO4C?4WC4 zB(N_%Q4V?ZK+oI2=%`5M`2rhRN(r`9M5>NTW;U5V#{^#o(ernyINW?Rj8mpO4w{#D zSl`sj$NTDkK%^<>C+4*vZp_kWUk3QREA3YZKt^sP1>b{Y|J;o6H!}+fvsI0bM@!6G zN*=rFPyf##M$whpr9HcN1hX^a-AU~_uU}z7IZZCu^jJz6Emi@G_V6dQXa<_)F zgv_mF$x{VhQ{q_3WN7{>Yk6`PDi*_KQbDGtiiOjuJ6b(|*w&|+NCtL?(bH`A=tZl- zize_RF8!Dx(;{zWG#H?_{glHtVwCE$w)P{nTV(Kbb}^HX^vp9Q%{Y~iLvzLLYyL5dk2U|7Ai))&OKG9sue$GTE#d`7^jS(B%VzWK2&C<_$twB}D$H>=c`T`t zcBW7OAA?8$)k=k3&s|a1DtRJ-j5{%qREZIjnCNVcQlGt>a~8OW8v8VDuntH}){Iyj zS2w4<$dSv$%%qaMWj(1f_{Hs23NJZ2e1l3ZCT=DQa8Ji;f}U{<69RIR;5jL>F=~!% z1#Hlv%8^4pPt}BH?smYo)5pBJQtdKQuychb*8rafD5T^;)?qHisG>|b2A7(SZb(?% ztauLFf_RuD7+UyFo3jS~f@fI$J$6=;XTGoQTqul*xx-Mmh-*XvTvf9GB1#HlRbgY6 zA)Lkjdpk}?dZ=n3tc92n*}mO@n@_6Z-`C@97{pl&98l;~@l>Lyf4~t^0=7Q$`)bKM zo#zTFED3K(A=MGex;qQ`s=4FdQ}W59DjxO2@)JzGYe4Zh0rM&iwOR+LEDfY#tY-2^ zw+lL4qDO-S*1S(8wbqNzumTZ!uJ|5i6;VS)Vyb=s<&oM`dE6p zQaDe2dMDEOsUe(XWV7{hhK?Smp1tKgOTq^Ffa1=mV{2>^^^30r6|GrA>B|*ZfljLU zeEx7|AA-cs5ws4j^L~8fMXb+(9hkB*O!^pb^IBatElxlhQ2O%xdb;IGT zC92YlOZThF{?0OWZ%=L0YH*g^ujCrw<{Y8F{JbpdVKRnlRn~AR!j?Ia_cktU7bnv@ z+zz3w>h03?+0QlzN>Q*ArK2rE3q^0J&;ko**KWUONNX^23Qr)BzsGNhT=x~8T_aNF z+=|h_HvzIIkx{-I$4p^ovv@1Ubz|lb;?nbHcZlhcm4Q15cjkIrND0n|CUWw>)HhJ& zP~vSG860x*mB=@JtpO8FBCFlGpvEpx=g(2$EPfS}O*3w6;YJPPJr=(-m(a!MYBLaA)cwDp`$|Q8nDL+;p4}Qj5NFm=Xg~mP*JxjvuaDJjPbgN(aqpo8QsHk zdF<@TY4fZAs>Ac?IX@ewDZU&m+)vddVQI5nO0cYJKz8}329BTk-&iQf-Ozu zwtC#Q8zjDNL#@=2%YnpYg49uAQ}WzXC~1dOfNRFB)m%d+jE##?MU4G1Y+{J;4vcb|S*VAO`b}+V*Egl`ew@_?n&oqgN zWe=g)2cgAh4=$@GJ5RsQ;2Cl6{xEq*r2#Ul{+`sLHJK&jV&tEi>Cj6A3M>8bHpXr5 zuO*7)UI}hB7DPzRc^(aAPduYKF`n#Wa1=kc`oE@#3M;97V^!uaCQX*p)Slc8 zJfA_TgE+xuDytTOAt%d(g+BWF2uZ6yVwe9h`#&iCr`Xg87;E)=#{B5-Nqe5F{DgYX zc5lPpo)NZIFkmYi#_Jt51bFJ&P!xy0_FcpED{^jC#*CUSw{a9vgk!hZn7`tM+wL}m z#Zi?ceF(h9{89>rDuy(LiVB zTD(iWUEq?{m*!V0U-$;oKBI94RCXA!YLH=iCj-z8kAe-&48t&rC069eYfe z)onN2$Hr{!46K&ruBS(fws+2O?w;SM_k!JDO}7^s;cbvCGj*%G z*@8LaRO4H5k580@{fenyAmZNG4Y~sVIK!K@PWO;eXl;?lZ$Au4#<`XBoVCN|0YRI# zN^x-Wu0DD-_^e}XfQ?MQVgREmIG^NsCdV`mtgL5%Ne<)%s;75f<8g?BEA${CrA-5K zeP=p~ngtZH_k_>eKMFvY;LJp6yK=gaV9HCdTNVX|0eNhdPVS`NK_X6t(ow-jSoRmt zxdxM50$ffZWjD=2VhtuWOFRQ)4Xfs2Vu4aLGsl#O*FZ@{jClgl6V){yB@~-U3iDZ7 z7@7U?`}~J5T8w_P$%v&mRCXHq%kIH9=90Rl89)7CtC+?{;sN8usP(G-es@EkM`D$d zf^-IXnF-tzW6I>Vk6HdF7C=o^vg0(tlKIB;%a+akYUUnSv3UK@O7N#lOeVmzELLK_ zaP*xSZRN=0z{vsJ0X$*{a_`P)GCFss#nO# zVDS`p^zC38WHZUR-;|rxvS#H`N@-*bxg+>9sf(IxVyk6eO94$GF7bxR z%kZMs0M^%P8kS+(to?ddPgULZ-(}cSsmOU@3%4}2V>EV^Qk$NhBIGOV33N>>nG1GF znpM*pG#Xk{NLukdjV*b;HH8zU`70!reN;a8JiszqAwSo? zULl6-RUoDKN7HjMr`=#;gu&aUO3`(Lo(E*cL}U^%kNHn!@LA+&-%;2wzdaoN2)hR0 z1!jGx?y?T-tC;j^lh(L|1)0dZ+=Eo%Dg)iahN#qk0>F|NDWz#($^~oXV|KA#tGF9r z!Ic&s+(QvW6n+g*RlG_bB&D+y{2QPOtFRC#XrgwjEmm1^f4)j*@kE)59x-^!>vx0{ zl8dXV$a*-j@qXXk{lvCkR;`KiEI(QW(k_9`YFHRo+o@mc9v<}eix(Tyi3%FoWJKc6E*0T43@x*y5ve6s98 z5Is-UE~;N+6p*p_#ark;ldP(11x-cG{$@ZK&!)IJ*T`2*qY;l+dTGbGwUGZaOiaeB zmm*=g4|8kuN$V9w&F<>PSZiq}3)UoE*_8Es-0XjtJvfe5_yxP>6B-%C8O=lrlurJ= z1wKzZN)4R5DzF3(*otQ9ylN-j7oVoU0!HQ+Te(|_`MvKOD)pIw)%n&G||tfn!4$L^YWFVFfe#93U!a=u-iZhZ@Z|$ zbt1Er*3Ibsea+vUjr{F7$zSloD#Mp#Ys!S>HwT`5PccemDP5i~&YfV{6gFhY>qyT7 zLv4u7j6q0KG%}|#IJ0Ra&#rzRT7l`{_K-i>ze%Kzzf?8`pE8{N;Wa?n z+2o-KUZM*!eGajrYw5MSyOKfrF-~~u%d-?bDgle0P|SaHVNnr!EB{S$W2g|gV`z(K zh4+xcay*WrP@+e(m-Z-Rfrjf8h_>i9*|gqpx}1jOH`lfg!z5KTKz7hnxf8%3-B|K; z#R!e?qrB)9RYc{X`L4ur5aE{}FJRatlNEbfk~R_~)ULJlxCu-ZB>W_A>!alOn?4DR|uyD?N8@I$b4IbyoOk>Of6`Q%dEzWPTMYkIw9 z|0QHOA-aylH{VZ)rB=_K562?G;o-A{qfMlMk~`WQ7#vTC?hTJ*6;ARDK4LVsdcaE{ zcN*uF!8)2zi6(cNCQWYU)Kd5QD~EYzCgXHV?6a?Rk13Kn7rxk3OTQ_WWXQX1Z+vU4 znn}k^P*VsA(DXOu1r8~l4h#>xrEgX$5Zy=k*98yi6b0TQEry*P51u|46dJ5Zc1$AD z*xbMWh!M5>!Jeb|hL_nH3BI21siTBSTNS)HFw#TY>;p=ME$r3vSb?QS+z)HWtG_Uc z;46in(rG3nEjPB%I!oZ?T?1rpOmgBs>~g;WVb8lRe&Bjl|33~R%?|qL6Le~q)_Ji&a@&+jeK`>x*K163Hc{K6ft z{IcJT(9b8NfxGo8YcjA*`g87=CC|6^|2~umfYT#;4QT&m%rYeEv$!+9fnNi%9zGuX z+>?y_NKULG)2V+!jBndw88NIHz53vsq-hkW&YDOO(J>wC&_C=M95vzWjj=f;Su2I>Pyu9#l5FyV;3LwKaSF}yNw93k5yu|k1IESzB-NH` z5h((+PVTVSMl$D!0bj|)h_uIgQ1x1OeF)kiEpwm=z;s!(7Q#V$8NH`Cer}&+N5)r^ zCdcRyiz6Cp!N?g0ET5&oVUWXk!H2UaI43&bUoB#?YtZBf#|W5;C3jRdwDAX9?3jv_ ziv!ltW0zYW5k<0mPC9NYs&t&zqPo!0DEzqeur+aFrCn(xz z9SW_db=>Lv#LhU5*sU10JY?sQz;_YDo+!^5M3Klhzyc|=N9`2szGaXmQ+7wxSI{X7gbR_0i0g+VM`>@l%AyKpb>7nK_#a zFHx6G4W2;-$m5t+_AXAZM!f2xH3$|*>D^~v3Ja0EL-IQ|RbJjLmL<%fN4skhRo;-a zt>Qjrqo!)_ySJxkd2ps>tS%=~EzNd?8}b^1x00e5jP9zjE65n!Z5mlqhf8-V_6sDKa~p3x#hg}JSX-kT*LWD*&v<;tv#N8lOeKuq#n&K+MQR)OVH-IMjI56&Bs zo|f^14{N)=fBb0Q=gf;ViWJ^K` zo=gj=+voDSyN}TpNz?uE0i)*~Zl2d<29NUih^;?{&DUGPd;E21nF=d$Sc7iSJqy4oKg*Ew_dGCgC5MKSIPITcIw@T*o6JtbY?}+ zmjn;;w#qS8jFyumv{|@yAzorhM67OZ_AP}_{x$1D>QNp2Rg@w#{+0<2Qv>dUJw@C( zyyRvLu$|GA=Nnl@`$r9mPRk39>e+>(4%9A^U{oZ^j15##^--r{KS}??2>rXtd@B;g z3W#P6KDkVk3TjQI<8X1e=&~`V@|{Xh-32aB@!TQ34%BX`G`(zT-D#SQx4?vgWv@Zt zy&*ZJG*Mxly8Ij`pgYzJU&m5u$_X8VI3kV94-;45!LW{j$2z}5PLA2jY46ACsC`Xg zyoS~lZs(SKCYWvMji{T}FKqOTl0wz=!e^LO@;4ca9AyoHAa0};@3q5V9(D=Q*8raz zX*~g@(c#X|pUdpoeK}~lUkl#QhV5WFJ{~fbC)h$JG^Z75%eFrzLhIyr;HI+Z`hcxC z4p{Kw+S`jniJTv&sd~vt@1r^>WU_E*)Tdd>*$Y#)BYu*~SmM(alokZHdbEuPI9LPUqQsI-=dYpWjbjyn9L5E)BC0^I*jUlA$&NuORr7U^S)_t_) z8{F-&04DsDttc6Nzp+MZ?B_B!H{+`*`-EQ#T?3{wzULB$BTE3Hl$!f04{sagdu2{Ke*)vqVij{bbHov(a4x4O0a*`mtm#trQ+W3EOGwQ;Wgv9xWm z#xM_QmT#jvb2Y9*Nhe+h6Q3_D(nKGK=mSU4#TlJje|tMkZdDjjS%>oyB@Ll6N)!$> z(CIgb)WebThJJ!B?P0xS4+o+e)Cr)ekBmK6v`09E@XvL1TU{nrDs?&~l%i?x5j28s z(-sradsV6r7M`HV3|m0qby4XoXX`hA|FbF~^)%FE+376T$9-|gmOi%CKBDBT_i{o~ zY=5J^zr~-*0hH`_JL@JZpD$nfNBmI|iDQLRyDsjXe+{@fFsJuApe*~Vmh^GHAo*{~&zWBuVn3HT%mR>D6;BK=wgC_j@J2Mm#hu zlV>QX%JmzR@LC%;Q#AumpDY{~yD?%`eo-X7lN6X?VHO(HD6^Ye{YPd~o8 z{7pJ8svn|r|Jy{Be(1Bj+BF@2@%E4F8^QhdBjYFV$0dH|mfuOgegA!2&^16#w69iV z*-UyH|HYT@g>`wNnHazO8r5}@;i8eUnZr$ zeEg}ge^>GMq8rxFg4U8cN&Jh@Z`@7NuK`zrKLkSzeo_!<@RN`dZ+7BMuK@?ZX^kJL zFF|Y#M{GTgNvpoX^>17DtuoL5*{byZdeBKkspl_U`IlZHlscIZ54y1ia}wW-4pbCW z3^a^iM#YU&v7n5srOxxB`Xk0<1d)5s+NYmP!9RSNiH;t!AHVV@skr$dtR2qw`&zj_ z$z(6-ze!0}!UfWW`~@iZzPYuiu-qT$`GOCBB%5#Wg=dy`txknV6DMr<`_udPnjAE| zuGp@aSX02+m#~6*kIT;OlVJx9-?Gm-{`lon%4x=dzadj4~EIMF=8+wV$N)!~dG7Wm4tb8bM_xe zC!Yp=xulhxzW051!`NtX6C`LX{H=9gf7RIjXxW_EI+kiE-aY;zA+K`&YfxQMD&<$b zwL2N9?exQk${v!*D+%wPu>1i*KBd9QU-P~fTgqnG46wTk{ch=(z!M$kVb0$W?SQCSpVEnH;(l8i9STMDEROhror*F1Lwise=3=H z5`^eZ;X4%4>$5|;&5uOG4t-j6L{jX*P`FIGJezJEhTWAcc4Qq<%aR@HasMY3`ZF6e z5Y1BswLn@_4Zs6;E(8@*MMgST*fLn+C0qKYx52)ezTGa(`ze~WajZVO8F^W%GU8dr zHf?gaWk6Vc+%9e@#|(4&g@1PuT~unpWIWEaK1gg|2LbjEMN}^5uxopNb>l8TQs@ z+OCbY@c?#h36l?) z>}zyfw>DRgS-DBfqPDla0JKpQ0DMV~idkE_;N+f3Y!s-liW8dgIPOoWLE4B;C3R|0+TlyN`ze+NP*!as1V2(QJmb;J% za4Njn7BXoppNX`5h?2w{p1kt4WGM-!fr@JD?8TFB?!`a$K^$fKJUa94EdO;=ga&Ab zC{~L9}+;2DX$|sQQS2?fo?&TMq={J!CN+B% z6C`QuQIa`LI^ky8G{2yo(SDuyp$n>fVY6Aw=jS;3(BybN{YCSCf_T8qjiO2x9EGD< zU^Ll0Dlw)2;JMht3(2Acp{`){upThaVIa1s_}i83EL^In6&8lenuYEf@|G4SVHO!t z?4a?DOT2Sd%t_#6b?QRV?fB3}toIMh7QZuTd{3M#a7_2U9NYd;^Y@6ByOhP;aD)Sd zW{*>GJ&ePQAGMd;`hmh08sOMLU})#~i0LzVAsOxKQ@S01X&t7jL+?Pkc-*7oex$aZ zoS=`&6Fnq&I&#VApEn>Hi2djzPuf*`kiyTEhc76hFg*u|CAB7JN{&u`;K6=Em>ZUwoxP3-j4sO$1sGpf>Fo`u1DgKJBAr| z+wM*0FOQw@D=iiTBc9KyBeakMk!qsi5@4FTry9wU%svYH(Tk)F9M+n{dH)GAw~bLZ z7j0-K_v`0&Tk{ta0heZtwQp?i1yIAf)!{q09xS(h$uS>W`u=$SM6@fb`D(m&%Q;Bc z@$3H?=D>IH1)Ai&K=XSH2m}`gZw5^RPdN&JC+>@x*CUKN6uH8t=i}IM^}27`3ZYO3 zwOm;R679i451KJ=iUKqiP=iwv5~9}$2>pW3Gsmby{{ot?Aff8baSoM>)HU9T7I~sK z5xsN8d-lezYes!N$3FxIyNsHv{wwxVQge{pd%f=S-U}=YJ)LJy`nkuIQHX)MrMM#}?gFaZFWSp9C;D#)d*RV6T28r8ULE<|bs=AHR|!B)|;4oWOTaYUlB_NaSPRn<;T zalb!S+)+~xJAyS9=D_=oKYWn7rFdeloX4#1u@X~pTZ^`SRamzQAzQ8}x)6@r@KdQV zPUfUXg=U$3K6c%$9_ZMz^6XAyp9mWNzgmtfstIhFgc_14frQSI0MdhW0Tn_*lV<1; ziU9#>7L?FLO(H=Eix5SMp!6a&2%%a63Q7~C3%FL0B1jPwRD3+&?w);TchB3O_ciy< zoSAd)ojdo=nVB;x#Cp8T-XuPxi&AkY%RZ8%KX-Z05LH9oMRU@|$E}fHI0b=?-Q~3S zszN*POy&lQwW!X1-f_EDFpF5yXM)hSXqldtaMGnun3S6LAsi0^K0dCK$>qr}uf$>o z@6Gx49}m&v>W-V<7wz39)~$jd8s~c7jagq9tNAM+-jo2vitTP&|LyXht9BooyHHEs z*!=OrWZDV!j)1^lAuVEuuMr#&&_0NN)$7~@GiMOwl!iba)I9VHiz1I}I;3aTey3uZ z`VM|Eb45l(Eb)=;Rr-EkX-Wv-Ho%0nMQG}Z1&vDbtdHcJB0HQYS`$PfU3Zg1(oQo2 zgS~HBI+#olXai3%U1EB=N1u~Fxl|q(^r_0DQV%=?G;h1(8f>uplj@2UXMtxs-0cai69#WbRX5h3*>1NYb`P9$cWE4or~97>Gi{qr%||D37$iOnH8Vchc&!g znY?Wf*@n*dd0MZ`TuNfr-`ER~4C36TPDLnA3rJ2;I?sBvGFauy^66QN`9|mx{;RtH zL}uFz%+WSYwM$b%_XbJPkYjSrGg@t34L6e+*WSW=JtkQk_Ld)7X&Z1^oW5~Q!7|99 z4sDEp6$5E$MO$Ct!T=>@6cGU6C+S-~z|^$^mxk5_F6*F9U*eK*E9RF77>g$(D%E?^ ztvOlTi4e0K7bWfl6=D?B&+zv1HXgaoV6;wiRutgbPVZwS4W;qN{67^sX}|q>Oo@mX zVOMpSz)mzF4_C($;KVkq{8GFYHM6LhM?qbTq^OE&plGCp;I~SRcJw-G2u*DeJDYLL zPa1c?($v8-Z3I}naADZsF+U!5**vCT&_GjtUhfg$PNCe1NO4zrgfC5~N<2Dwb$P=| zAH_JVRfe+xVp~94G6X*|9mgo7w5STiG@xY>(1no;g)7OjM{-H~Th9j+f?Da0kO;4l zdKEFLj}~m{SsHg-(jwrN*zGE7`_byeoWlktsQdUnUy*dgDSEg<2c4f7-xZSd)zxO( zqp<#IX);NE$@W~3w2xsp{Fk#{4ha=rWVK4|r1PR6ST~i68g9V_p!>*4zlnB)(+ox? zPsA7`XwA-W`>AKO7#`Kf6?7rymGYc;E*U^+!WJ0EX0=&o5V#t93$BqH%O;dJ4TeWx*Ymyu(Bbw@3mv;G_j+%A z2e9|?R5+mK(pQ#I4O8XH+K|mfl37vbIyV0@$6l>1H6*qozT&31E3Y5aRgtk9y}>5W zoEx}0S^7yp*=xa_(}mCl5N!mexXnGB$L00a0_b3SOOoF^M93R?NR-`)b8e9!EI0IH z?t|iqFSR>`*4q_IH>cROLvD@hc7L?e58Am#fIR+GngF*+tB2;FGY=U0n-roT45Pc9ZQ%YT~0o-A!$>TR!D{;Xmz=`7^VolmfIfb)w+)SU%* z**aP`Um&gFZWj|^X4+1q7i~3IHQJNX;wuVmm@<(YvoJ?X&k&T3J*slvb0tVS>KL@X z43!jaN2_lCf`8YaYZSY=_V?h6cU(D6fZ4;es;PK4F-;$z<*?vb$!Z;bkC3i}6^l@g zG+;TJ(ucyDrzzubS+(6~pT3YNPd#YWtm2(pHtwWiLO>^B!5Q4gPyvPfFyI^dR2d^{ ze(ZE7c`7sg=RQ4s;a*`86O9%WIa{uun=#0O`V=cnwE4dZGz-}15y=fBmPA9HGRrSX zt8)W2007c%_77j8(x)H44?L+;<(39V_mB%*FgDNKWQ$-^JjgVz#092Co!YIBr>3)>I*OT~(843#Et%ohk^DLcKN zI$jNg*=1dUri%{6U@`)AvlIZVEr^}sSsA)NA>ck3!&QKDYXx(Kn z>DNbu7UGUtj$`V@l#?4CDLcQp!lvk%eTh`*CgS6RW$x`0f1V<2=Gy_5;id8FWb+v8 zk@TCta53eEVY&Z&7Ud$&DHO-J$b}}wG&L6_ap}gyp31Z7@Gt5-YJqn5d(s5sOj>{+K^PbvxB(Z7;J5b?GL?mJcIonR2?<^?ZMi$C z=~!T2q3^ehcf{utCUA+ZFb}j`Ty~Jq2j3;0!RMSO^oQb-=_=z#v7iai=L{z~L-Pm6 zX%{qpcS^U`X}x|7+Hwo|OY1+j?jP^KR}2r-5r{YGlVNSH*1g9)l@@P^?W>zPo~s?Y znSHEx(kS5BnqGg_pOH!-#wWkc{DFA?KOBvb+r8H^8n@R%H`ABC1D^ev^Do8yKt7n9 zRgprmgZxK%%7cu<))sT`e@5`lx#W*o__vExJH+|c0CjMq7_AV$iF`)zh#U~X(k#=d zIBDj0wobnIu*73^Q-MKu+Dqk&$vdC7lx*haRGA%9Ir2o*lOvAI#~7Qbd4~^pvZ{jY z^l>Plnie1CO1X{>0l#-ovCjzWW~M9b#1%6NqAORZiLa!!5A9Jp)9v@|+m4fe#3&Y( zhQwQ!$OQev9jR-G<7_?MJy{Y!(WAB`o-OE6?>asl56Wc!-Qh7Gbt67EOONDsRmon+ zUIc|}o0mN&$WImlh=g-RIMm)Z z$!qgRH#8_1kpaH-jbTfstZAZ<{Qm&P`@ssFba>x4`r1N|m6d@+U364-&qF-n`c>Qa zVb_oIqVv2gOCk*V^b+B^=j{z&Qq)DN#P8g(oqm0CFML&LUk+ykDq75TnS3E7y0U{s zz4l}}aX=Lmxz|AtL2N9TIPhU#M&g}2rn=x;I=?&;FBu3}UD=nBuyB$okSgug=vA>d z%dhD>K+U*kw`o|jfS?*^s*HS5EM|5TC#`mgY}%(R&j>~h6W$)1zO?C6wA!FVH81zd z@TVsxG+yxqhZdAKyKdIxhVF!{olftsQ5Ip@7fX%kUc+>S_- zOLQt8J_HvuD)?va=`znvd?AUJ}u4B+G5V4xhxMm=`IC>yzK zY0)=tk<_BY)hRmx^AE$Ci7g7g@dU$EBuB`v$1AutEjUv}ZA0IK&v(rEAFo?79*%Pg2*J#~sW z&dR3=I>t}W-;Kdw`jVvXrMx4>Zl&OUOU(S9sR4xlKKujinv>HjMX>&%b~~X{SL1Tz zU!hz_R*Kp+qhw6_56 z2%ryud3b*7p78D|WFG{=%L@_U=jYoeC?F^Z6@Ws84v2~f9e^ExLPaD*U}EBMI9yOz z@}PwHK~ZtI`0pej@LmirWIqJ5Ut9<(B>q1O_YDBs2OvQ{V2}d90|S9!AnrRr761WY z0Q?*8e}#{K-(DRs&u_Dq2(VWew1=FBmzV#y2MFNVy8<7KU-XE^J~2xLJ!kkS@xOed zB#xfW*{`T?bv-(1FHUAJ9|-dQIrjp=ARb;me#o8?0RwnIU>*n$9}oCnm%Sq|401$N zL(kHgPfWo#DkRbF5` z%p<#jAl9g5FQ18J?}Xutiz1?Hml4Fz-e(Sr&uABG_H~UbPjZ12B!Ts~^$GxCL^5tj zt+llicN$__KR=9Fd)(ObwRd!Wz30#ut(J^G+d~7E0takri8Ye-sJf+_Uq1LwmdTxt ze-sZB&*xE)-*^9xf&%bp+V)&wp<8;zpMgeiSH(kE!Qk+tu0q)@SLL8txM02yh}#n( zTD2&Bq%KRN0}f2eG1(#CKDLE9A1tRyui>!~9z5lGtAixNq%i=)%ey5E0=*+X&v{%=4pgDHVN zZ(igS(hV=4DDsrK#Cnw`D|0 zKJkN3NVmGg3>J}XhY;ec2ZvOphQ4L(&S?V6Wh3nVdant#-2Umhc(honn_>Ikq-5F+ zyFy+Ad%iym3_yF$Ft`XaPz%e#H{8^IZrH`V>{wdjHO|C=an}16kKKGD?lZktN;}RG)zQTM=1KPCf?bh8ue|}>YQC`7s#y;P zNB{Ltd(`UL&k(gEzUUhe#op!&>yEa2m6Z75jK|0c41?DrPh?V0P7iA8c(Qge;wfg7 zy-?aW+Z63kh?7AlMp0oC6^j+NDj^;-9oIX2(lOq-`30owttY;|^1<{ixeNM-XpNnH zfp-mFetl9k3DqpxZm~MUS-~f#(VXoIe=N)tawRWvlGV_YGcGXMPZ!c-})It+~vUE0fC(_A!aP6|U=*+OU z(==29Yd+yMpkJ4(=zZ1!?bySgFdeda#N1|w@L<+eK>_~H&j)WB11W=$dv&VMi_WmK zR8KvZvq9f1f2`-1n>xF;p7KXlOD`j5Qbemqdt*GdCR>>~Fj@g+W=g+`zLM-2>8)dV znl~Q5Eh+LvQ`2OE3rHB(ZyoK(M2k(=;n;^&>3I*5&o=OGDA7Pp<~k%S`EI1d`bq1P z%2zAZqDLS^^)JGclza~%FW;mtz`xc3;Bdw~I!)@Zx&sFq><0t~R)w^84e%00XB7H(X(Vn#c`K zUqkqh21xTKoARi(2C5?Y#C#LBKA7p*G+(+F+?CoPo4MO2>$1anHkEcYLdIUcG(L$= z5_s57r|jDakn~}7EkbKol1&+B3-}oRhD18K+16wWe%{S#TCmh#R#`_KQh!eRFd-1L zG}p82LP&O~8?(6Oa_G?V1M``cQLoM2VlqCE+TDhEay&QRxtjb7*Lh>2z@M@eF=3nl z*$oefg*T@O#^r`mq3i8*MWr7=i|J|{NN>8%4ogWR$_|)IjPTs_Gs9`t;#$!e0Tip`D<}Zhbz9_ zMme610-S82<;LyJrO#da?$eKS{5xY2MZc198uPio{+dSX9n;fzqvGb}hT73~_1eS` zj*+gKA#FB2?A=V)n?5DkRSJfLIpjKAV#}pr8tKnhhA5%N8lNT(xU_gT9d<62h3mVK z%TJYXf#dI%2TWD=r8}or)soWVMl#G23eKF#mIrOx9Cw=Ec=}UxHl&qZbV9idxh{&{ z3QO^{)vUiJI`%r!yu32%Fj`7N@|fl4(p>WJmMvrbpb9wCXi`h=YYY{%0mf&sC3~6# zldlw9vhcRs3K;vr?)7h&CpD6((MW872~t%!{Cod`+REeVifox@PLwj&Tt-MN4SkV? zCh&RqB-1Ga{Z7YpZ=4(KCzrDQYCR4aF&1_ux*av9?3a2Uo<>L5x;(F~9Od+Pf63)R z)yc$-ih#Pet5070<8fu;x#qxZqAsJlWzm;yTC|w%jmZ-3-ySX znOjvTE@1r%DgBOE(z}CP+wE9|NtSu&{WHzoR%{MIQ@_WQ4tRO9JY@|~S4o9qe`E!2 z97J)vKriRQ?+*k$J^zTMFy)r_VJR$P1gS57;|QJkON08_2WPBQpwEc;CDCYjcgfwa z&aW4L=(A~QO6h=^*-f&}?&kTW+4*3ZIF?s+`qJ=~gm%Bwbt@~YzJu?|-QE3Vl`Nds zh1nC8g=epS)c5$L%p%kdsjW#$+ZA7bLGlTDE7!Hee@9Cz^!CzJhz1My&~tk*`$LO3JnB@dDeYrZ+VskxThtxr)Em!q&xPbX|SKO)Rr!`BO5KLK# z(2)^jN&SzH_EW1|U>U4~YP-_FZ|`%jVZR-1MWNbtW4ql(FM?WE)hrg-njd}5octkP ztdt9A_2=OX8$?mk6ck;z*m(9K+@L%F26Ii1f{8#l7?}8e66eD0wNtJRQv?f8`m(*#lj!&4m?PZugTK!x3Jj2sAEp! z*orQ4^PV0vM=G@|@EKu=(X}66tyuiLZTRVFoi{(&EHp=Mn+rT}RW$CVuwNw}?Oew? zD$mC~@vARil`V6t9Y`C$6HkKtQkadPCKt=(xkiCAW*^- zo2yWnr5PChm9zIuLbG04vzcFr65H5e9M+zrHX+xp+12kFg2}LW2Gx^ZoHOZO#Z|8On1aCN&Yq}!K2%I zb8k^Nsr5Al9q=IL##-6;ixVW8#t0XvKI=eq%={^rn)-t-edg*-^2-t=(=re=VbZOe zP@SJvko!qh*`&?eJ1KF2m7Alh?oV9TSmvy5oAy*UoVJRd#TpQ9HDt~{cB$-iTxscA zS-+}mhbE|vdX{|48#5!~R${Ynd$bWgWUPAUm%mJ}5l^+$a(BDA6nY4RkDH7Zm?@Jb zGtth~-8lE_B9@kKTZ0tjq-3O}yMNt*rqQR~{Y$FSS#iC)p((R#=@A6|kkska?XPRsiN9*E#2A1Mcof{Yn6`QYN)@j3Phq5g#GaLlXiyl5ysp9n~(qj6) z^)^oaa7-x@W6tr}`fI^ZTX0pCQ!-&weMR_27(xSY%O}^YKL?i%XHma)jVL_S zdNbUbK{4xvn+6 z@f18!C=6SIV9=bJDnhF4dRDxYYbX|ep1yGwh)#8mS%jI${YPGBy8e%7@9~ZQa_;|W I3*rv_2Q2Z@RsaA1 diff --git a/src/windows/leash/htmlhelp/Images/Leash_systray_menu.jpg b/src/windows/leash/htmlhelp/Images/Leash_systray_menu.jpg deleted file mode 100644 index 3145019c2715b3135b3be6a1c76f76609413f2fe..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 15892 zcmeIZcT|(x)-N3FN>Penr~(NPARr}F!7YS95{e1E3xtwDKzb8#E4>qX6Da{gmEK{i zfb`y*QWX$sf+7eXXT0Cu+wT<=XsEAIQ`6Eh z+@PhSr=zC6!F+?Bk?H2mn>5#1ZZR|6Vqm(-^p8%c&Y#_L;o{Yc7q2qWQqwa1x6A1t z0QxI{PO9PaR6Kxl^i=2RsZQGfoB%4onP~rz_s??a^2IA>+^$_cch;_c0|2;0bw+WG z_5$F-`KxC{ROilgxJ1uznUR@$RYYRP@~E#O`CVwizs( ze~)D>e?7FY!y}&k20OfXIt`#XeqO_&tEgBlW^@_)X+j;D z!iTWIS(n9`wKS{0d!9$%Oy7PAa1dPv2A`M&|HhFAY%|q*j@PLM1%+uY7x$P| zte*l3a_T;6!3>?~DsJlZG{4NPaGtsHAg2&rfSsA_eP#_Jm_tpUKv=^~)fxgh+HHvg zp-$HO5zAgt{7z1~+7Rc|xJ%ZlJ;{zTiCFkfV&4rjk-~f2z$85#by$R31KWl?g(z}U z2r_mA=KJyWjdZq5>t^8bFG@*jzK#;8Cw0ml0&$AW^^Umi)p85Lt_$jG^%_|ntDf~` zrqteCF}=~9-s-m0y+l`*1&top@USbB$NAYke8Q9va$0^59=`akE|*k|EI~=|@F=v! zq=~h^4OqLEb#vh(>+AZ&V`SdTG7rBO_kt(x+iT)d9z7Vb8|@6&g}_xPDJ(yGeMVAL zF!YJw@DwgXpdQOEYfj4j?%k**n%$vg;j6p`NT2oRTTX;{TRYjXUupj!j&UxS!#I6f&P;tg|8XO8vFg-*w_lI^BZ=4 z=o^TPu84#o+>oKvy4Ky4yNe%~+%4^qx|A6*L_lJM@C3qy_Gmz6Lnck9gA0w%JJ#Y9 z1&^J~j*^>Ks|BXRc1gI!-cVy~9QZ|^5p(MS^DyREPi!9Sk(iVoj&u$5MVnbjf0(*z z;_>F?n_zJ?`@Lv7dxD2>u(36?C19;y4O5>TQVmsaN)5dxArr+dgy0W{2ttu61_*@t z$=khgE^60f>-1G&wOW&6rDpf!wz_f?0z9BqI2}8!?f*RtL?4@~_cANIRWM zOu3M_o(k6;V%?1iLBm%CY(u57`_p+5@g=%dJ@9=X{jJa`_lRoeubm^65&@s`wsfpST`GpyfW5vN@8Y%yzeMFMCI-hQ{*azYbb2>NsE9O$bRoo?UOTSo~7&@v|q6 zo=lP|$$cl?`Vl*vo5|lU3A_=;UDIkJanQtkk7V3(PXRPGPVHZ_vatC*8-g2&i*shhgUvazL*}sp!h$E5b)^y zvwo$kTz}1f-+~GmJ^h5i`L=Qr0iHNzm|YbLM`7sK#{K*(OYhECH;wgL4Ev>>3+v65 ztBFWXAWO8Fgzkp3f?A$k$BsYDlDio3<8{HY@uu=igMnh!==PRTb6@RM?*9LjMcj`o zu2oHKoaExy_rFpD_n%|F*G>ojrDe-k%@!qE#?n;gtaYPaCjP$~-2S8u-@|){Nc|^L zuAcEf)ATaM{>}rxKb6b+OJC7G@+x=7=wXNg+VEMxU&{TK|$kBEudiHcrXXF|#xkFyn-RrD)GMu^PbQKW&;S|8rb%gS7 zZUUVb*#-c9`=8D8|7gG5zva%-Zye6$3-#L^r2A#&OW}T;TiE(eCw<`Hv=36d;2+%j zLFWBbdFyEGZJ=kWAf1@nlL@(Y=TL2;#ZZ5+qU9txy^f)nEUv+Z!GP(ca)D&cGQ3RW zY)j>I0{z(7v0Fcj;3fID>ZtjJuuryvIu40&!^BH|huqJjmV<@UBpGgU;Q7N_B077p zV~UEsD>8x1&JP-jqY_(AN(iWlYyE;CaWZHhnaYen;QVkt?lc_H7wi0-&9%=xp^of( z{vb}n4S!QuW|T*QSKOK}k`1aB-9FN(EQNpa#ObFSB2B|I=-c;@;AM`U>V~c17)H0hE0M>6C`df%~VVO>iF!_1pV$)K%bg)QXd+Jb7XTM z!_~}21-`10bapbsSRSkC!c;CkQBlt34V=ho=u=*CILqJNFq}IT5B%lp;Hnv~G$~5L$<;=V2>r(?KSXR75~!qQaf{5)~(*K-5N(t zQ^e`;ubec5xy`m{VIwlFJQr9OC|OhUi7bR~XwJixHu7veGf4QEYbd^+BXZt-MV}`HW8iY3 zlY)UJW?0){fRe31Hjhn-dk|pEzV@T+pyzzQJDCl5mm5;)jwR5i;*(*U6nH*UkKKJc z^5%VDN(%k$P*8?$qg%@A5~=j4K3V(}Q0%tlF`?;}a%OD>HHGCG=XnNk~P zp)?ev0@fxlHulVs;d}=3_?A*60-7-6TlN;cS|OtvWF28Js$<0>kzgJp&(q~%YJK3J zS9`P|2)jM51};uFx{|0`H@4U-X73Ob9V%P3ac!^LiBSbxt@JL{QCiw{&kb!2-qi|= zgX-i{dyI(ljFR+(j=`^2w8uu9gC8j9>ozvst~cmT4y}tw=)Rv1Cm?(_c_y?O_y}35 z>0igQ@65hSQ`YQM#%am~I7)(1Bif)ZdI3)~-sQ))zu{Lf_7|H;CR#Ut2`ZjmNjld3 zAY$R_r=4PX;D)d9p{??*($69|Di2P0l+Q12hQDod{=Ut9 z&kCG*tZ7Y-55F8SHty5N-Cm|8<~Z2$jCVR0hEN{ajlj#BRn+liU~*$U-wekFGm5F%*p)KD zs(SFL655eAZUfb~@M>>M4)uAR9Q9hc2pdr^Lb>LADZ}GM-t=8^nf^~L1FUbxBM(Ni z2aCqKg6CB^~-b_(K?63E}QtQ3T1D!N9!fn3uokBrZasp>Eb?t?KzgpA}z$bFKhIJ__O zaJ>I}e|AvMa*~ZqXzv{jLHRFaq-@L*#2$P{4U2t_bba7EP#iWA`$ipQjU%iv^&x-f zgj3X_j>4TUEtA|bVe|!E@Cv_S$s#Ot4sOJp{N3bQo5i47u5+5bVE&xNQaI69&gDU# z9@-&x!25AkY;HA55=?K0vmOP>QF`VZOyI+B@4X&+`vr_#jKFVqpP&4icf0nzXvGgR z6GMXYL54Nk%ybT3oq&=|5pr?Yd|}kxvL)0eTwypq3-7A9r3-|!N@b~8QsSZcVce;+ z+K-S3oKqQvFGG9OSgV6&lM|vFg|3b>Wy)#A^S7*&`6Tpu612+D8RwKUXw zkHx*5qk19B`%iW=aD7eD8#2Z#u%4CrpL0eo#yjYCg=U=3i-s~5hB@tnga#B`;Y&pJ zo~9xWw)s#tGEz{`S%~^#BURy%EoZ{R;RU2NByp%BD4ACg8!@^*_N*j&Or9@U^YV-@SV;GQu6Mi2ls`H>s_Np&f0(6m3uaQGtx@>=B_0G|T88%@=)j(5HNTP%-U@zDvc2*P0bs${bbzjnP~ z(*8**8HAs<=Rva8GGo1V_fTJtN96H^9it8I(UdH@C1Q(~g+=fYH&+oB3IFW8+3+efdI{jZmQ> zgH<)F;Dg=a#0&EVbbv<T$aA_b9EW;uq-0G+b~E?4d0A@G&$tq}MILq}s&0s1 z!$e6vgoGrDPz04EMl*(GgHQ$ALf;)QTg+`!A~07uYn-Ert5pXPdpm2Nta3XfViM^@ zR9W5$47C13op~xsJyltf6$d(W<#HHE|E6GLlMtH{_kQ$#rZHjT{>u(!&IJ+qh?be1 zI9qYF!#yAav6Ro?ZsH56zBZ?r^|7opH3iuE;MWoDapm9)KT2tQ$rn_{mR|yrKf>di zc%Ch6jJd{rUsAX1b;p9-L1||urDW==1sz)mzBzMxCWyq(6c5}4rfVyt#n{M*pk^oM z*5a6^LlgE{RPBu%?<8^H57>u5syUiqgvQGOZ?JVCwffIs*EzO>SN)6w<3kBnH?bQz zYB3|FwLs&A5(=~_*wC5G8t%;+iNwSnUg_bEe&oU_oj5iLPpldlRq?L7StQNj*Hl22CJl5##JaA z6Quzn^pSouhf%Mq>}lV*EvI*fv&tM8dT=LR~V6Tw2MZq*;93D zsQ73$XI^EVW-qoFV`~#}N=4B^yeur70Syy?}qEBB^`d z#*N(P9niFx%CF~BqESO;H3kdm0&kNLWC+5jptn1&c}q^!bpQQ&{U2w+f@7{_!+UtG zZ?yqWe}%0~Km7lKT7A9v_Wd@y)91uNDq&YTDTKb%`Dt^6rGzlm>2K6DW>92hp-M@MDNvAVwt7S7al=nmPC03YtS+h6g&HV#KW2}ecp;wLpEv3w z+G$Ji?$NB^*#M@cdrMrv~Ky-#-qUuWe(BxlOj z6PIe@u;HfwOB=h1qBV()Gt}&U*Nz_TgFW7m?L(-{rh9-(OxHc8bmAo!wbA(4+oa0D zeIuWQ{3P?+Usd{VB`Fj@Cp5RlAb98JXrJ<`5lZp5%@LK{9})Y!>l^EwawnX;AL@#y z3{VM>kWbe647s2jAggYX@dNWcZUw^VG4>QtT5pt&f~oJNV?oH|Y}e$y)eI9@Dog^D z8;%8m!j*Uio1W{wFrHz0p3l`#(Mic|z>JteL}f-C)g01^@Pt(N=_Ht9_Taww#;!Y! zsfVGWqz9h~I(WWc@d%MTm>7qI^^W!-)((-Z`=I0Z`wT`tI@mmAqT*ge!+HiH{nGFO0OZs4sPQ^Pmrf?Yv_{F(tj0LiuDdv@{Z*E zcmrXRk=xw^tXTjj1Z%9v9 zp?XATLvLFFQ4{p|Dd5^~|KC&e|K>AyY2EK_G}&=t1syx;j-@}&9Bl`7-IBKnpNKRi zxkO~P#3~usWQIjD2ak(w`{tIPFZ`Wn$aQ_S0S$Q-N3~{aP%~#N;yDsKSTl8BW+rsC zF8AdjK^#NUQjhX|ikpxnOQFMY?mDgyU&m2(Y*J=l%#<|MB-)VRiL`>exTd`94aF>z z*>7Cqoej_NK(F@MiYSMEGpF!s*ZxP#^4w0<)#I|%#?cJ~o-zJKJJQTVnl$L>(4W3u za0f45@kX z;*;snB&gE^OXnAW8<$GxS1&Xy78D=VNM$vIlEl3qj~~GD#eAD|UIgcAzkY$E)JH$Y z4c*o^f0J?}YjCXanub#mHWt$2GZpjWN+@Vea(YxHJKj2r+4{w$>DJ)o8xG=LUvSJG z<)vwrfd&rcoZ45SG)@8corFgthe!miI}u$7IL=3aX(_RC-xO39O!KYzsxAvq>~3fs zD*WLQDsegJ!RRM(9=YIKn%|7w>1q-rD^#Pa-yl;TTk?vO2Q7*+LksF~5g)JTmUiJs zF6wC}ki++**!=>kC{^Ez@^UbK)FAxW#5nhqlk0v-9*a2RUaV8R*|LVAp^1L=wl5}4 zYJ_76Pp(@enSM%uWkFFenKJ{Y?O-b-Z|G0Axr5-+uwr~Ea*h*i+!c^26-#o5x{2ms zsYf<9MXTyex$r7@YjYpJ?^%q&9pndjuCk-3bz_0P4(B^!hY}*3Ztt~oryo2Enx4hP zp%hBUgdrgb9?<#|b>jw}D8I-(eQe7$>(G9lYoOoaIF{QS*%&x{Q0$tk49|U4pl^ua z`l|{|*%OT-A2I?vtcM#M0>g?X*8=BJNoFp|M0Gy2{p#%uhgsAR)H(}tDGtfGw0mW_ zW%a7mfVD(EZYY+RNLqT|eD2Jl#_6gk-_1SS`l{88XgkKqqK^By!`YZn5#tEOoR1<& z7n!ttXCzYi-Bv}lA`9o4&}ruh9ZZ)$)FTz|){JluE13ywME4m<&f_I>2&2!HbnE=h zxx{#IEH1_MD80rAEMuok7#!4K4H;fY$&HW4#a(F+8AuuITM30oyTQB-vML#cL*!TVv#wEuJR zWNi$*uDlT90OM9?6qO1Z0#j)2CNcKoS7*mSIhvbl)zunHN#9Qa8%^f-5%J$9R^>I? zHkcM&$EPADvFTx(Ox<}~c-yL;*l}lfP(yIcV#K#BM4;o4f+jty+OSQ5B3DO0ACBeL zF>JxBVsZY>lU4RHoVXPfw&q@Ozpm?z*@U-KjW6;HmC!fx32~d*ek+#1FwVf1Cg0?I z;B3I`x*}Dt9r}%JtE&)GXM;pBWJqU zJtdr6RTUl|$f|?)ev7t8>Esp+BP?5!W@DO27l~%tq_&p4{ID~u&HR}xYKsYFv0n>1 z>_+!P#ZnMo$rVs0Uz!1m_w0-P`TGp>eo_4KJ(hy@p@xY(Y1T}7=|;(urQeB2FVZ5Z z7AEdWxLMAJAdICm_I-bE;!TY)m_K@G@JjyWBYXKIAzmY-Nq`_4x4U624Rlm}KY(Xo znv%???=eihYE!~so0nmAF?44a6xJQIs~UB2f0r%o+6BQ-7e;etrGqv|sT5k7fH~Bu zmP`NSG4_U#n!HH z!i#*-Uj1garbj3{HM}NA!dF{iz3b;{9Gcp>l9!(i6`zCB3*^SdVNyNUC~K6jJLf}~ zWj5QT6rx7N{NrZ8ACtqyJ-s{dK{b13-owOpGRTn|q(-zM7@?J*I_B@L*g*-D&CgpF z3GVItY2!|>SHbNFR4BA+I6e-mlUp@|%R#1kIu7<$Nqh{sd#|d~5nsXXxL@oGE=2cA z9(Srr3GK|y^x{{M9i!P}HKTFpP)W+gaU20T-Ja5=Wl-8+`m~af;8<+W`b4c{!cE)Y z;)<@OH{#?T_mBESSFk>hM!ZajMO(g^t8-@!L=d)RD1{#a<;GHYRG&Mm$aXk+pX0Sj zHAom-Mfkv_a}=xPmg9v-laTzCKdwr?80O`jMP!SMvGmum#MzE*_j}l1m0B;()VAW5 z44&T-1FPwOHG*8oi+_&4fFRdX94EBJ#gn=hz$*R9G3w3H*G>voTbM2v3Ug> z??Qps6V@GLKjGIU>DPVsO=KtLI%3!@nnz#H?-V+u9(#NF(b#)`lNMi_v0Q!qfQ^U= zJ+bT~Rvmt_| zX*dU^rNX?N+u2#T-m?7Tm;okPd|@ZuoVT<#!O{cOF|>6G*pm#x8U1@w^i)+G2pwg(Geg8pTXIdS7lXkLtp}5k&f7CU7(e` z+jo-8dlx+bK$jQNW%$1YtyTX}O`A0KveiLc}0M62x{wsxQuW?RgFLCkR ze2=-W+xdp@kI?q$=ERnRPqZnDPwRY7&PV=CWBZ9@pyK)^dUwfmH6+oyP4AAUkR=Rb z8#`wR#Rp;@1oeFjy?|Kk(=4e;Q&Q{Em8nY1Lqc_OW7`WGvpzLwZi+kz+6E$etyQB* z1JRtyTMZkVy9^|wm}-{W5s}r!@o4D1jo3vIu2_Y{rNbalSiPsNgW9uA_qQ8SZ3P2q z1ik32TBhOQ8e6mDJ5r$T{abO-HJP!;y z{>@QIEh3^14mV0lcbD$CdvRS}DA#6keQkqNV5FFl@Vflw8JJC+kls|P7KbvO#SaD8 z-`8i}>lbn0$W)}sE%+SMJLS#vkE-o3=cbsBxyqgm4>G~BQGJ4ykMqeWQ+0pEiov0 z!1t%|#|{%Ju{9j0QxqeMz0~@gyq?qmMu3EW`0djIDIy%cG46An)4$#Ijc5@i+cK%% zG+;8ie?^-ezMF#AAQLd1ekDG0ngJOdetycPQ5}PVXVBJ86OkjuA)~o@`vWpUY$4uX?%CQL*R0tWl9gN({F>@SWtK|s z;K7iyC9yqlA;!58s@>)~O+`^o%yfxScZgat4b*K=cCqAU=YFY}ETkJCvA)+R#56l>Buyw+v!F8 z1WjHg3rS!4XwC=wgN=h)zN0t{($*=s!c>b)UhVCe=zlc*k%2zzd$&|8CCmNuPE&?e z&rVLzG3;C>Io_XoQtbVM507~U6wz|PJvPK<4N@=f#KvfJnZ-=PnIi{Xr;l~BX3(m$LXzZE9gwp2&Xt>Q$QMHE!{uIQR1V&roJ0O`}c*;1S5<6m}-wFGwM3$-s>&Fq798FRSL^&H67~9 zz=>&R*@G^lxPN318Xl_qlCq7ENO5t+3h^Jm<(ganPKV)3EwPZe4BL>@WkT z%U>qLn6(*9L$>&oSRchZ)K?{xClvFh zyuZxY+^r;=zUY)pBuymnU|T*gg`ozMQd5#47i;oLs_bj`cc+h$`81isbrE_je0&Iiaa zXrr1H8@nHNo&T>#=l18*3rzbr zf+uykqpSGZXHx0U=9=Y_;AwrVdQOKsnn!|%*Ew4PS*Fu5`D=I*;jeMY5M|XM&DFWr zwp2&vyvMprla!HWlO`Lb6y#79$wt)53XVv0teYOr2(s`dieE@=NA?lZ$+J86qyv*^xy$Xy=?#Ju+CMmw^tO>}r=L0(v<^BUV`4-k5s9Yq@G zl)3{FF}Z$(x788@zMHYRDZ_PftckRbMUs^($nf?tb#?o$EklR&L&=_ej)N&AIWa}t z!$P5t9}O=m^YGc==-HVEuWVVy>~g@^UW5i4J$SS-LBxqBC36a>@ zNm66;rg*>Ofr|?D-uoTa2)*|H85dOp^&TM7y}Wx3^4Ot*rO@Q)MIUl`#(Wa54~-tm5Z$D z`V!j^iR(br`$sV-X96hef{h;m8xa!TZG(eDTUYLOS#R&b82s*bd48?&!ad;;NrjnI zEeqDGyn&kBZ=}_P(N4V(XU9Is;jyB?lNhG5Y|vVbm-BkJyfO*;-XdBzmKz@qX*a64 zg$&=O&@t)6kB}avV5A(1T#Sf|SPdbC)#e#Tz;IPYk{j%!n_$%_V#$3owwS3dvd}m2 z(X_hH%~7H6db(Hqio-xt_Tk(Vb=Ua3c_Y2N8+gnqKm+fD=WJ*2={PS^G*AR_{2;$w zZMxi>!dPKUU^U!Qj=QqNhM5ZrajFH46p3|p%sie~>ar>6<1C!{aIj?aHxR9*8}!-#Hfz3CZ7Bb1+8L%vM$HCdzL=*lxPy+3>$6}BJ+w`~>? z2n#?^X@ zfWpY;!N~q^0|`EWzwO5b|I3HWTGQG;Hy3XIYH#$<-T=A%Z_Ua-HJtzG`HPov`ImG- zHt{FBl`*|-bqwL%>%qHM_mkJuqqSMg946Qzn}vA^I=+cGB$Od%^f-8#sr8C4rGjo< zL};k~Ez0)8c4|VLKe(mtVX6nNmZvDmltWQEVtAJ52;pB*#fDyr`aY@21!O)Sx$b{d zbCy0UUR@o7&nXF^w|Z^iB+sp(N`#U%>#AiId&7%d#;c*KD=>lHeF?EdZ6jaGf|aXR zc>phe?H`br2`ZsA-{=KrGOwan+joqWmhZqsW2>njtn5snIhxb6__d)*^`mUi9GnD#ER@$mY5<-rf9gQNLx3 zeI$)mK*<}*0!8zK?2x9g*C|XUeEaHj3f*7h*r|Fd7b$exnek;b@1|J~mmL{I3goz<~6vevBx#w*K75uRr#<>fwMXA`G0)PD=NOk?Rf zuOyuJs>g-nVRpqyI3F9a62lgTWPOmK7DoZD+m;%vL@9^MZzGTqCRPK>iEdL6p1#f= zos@RVH@0l>p8ijn>m7qh)n?`_1x|{Ty%=Eb@mmOt&{v$JRTKA_FH+d{3D{GT6xTp4 z+v%d)M(H#3pnV%_VsS0$QinC-NT8S!JZ-}$U@@-~$BTDV%uPjiKxxKgYg!k9HoJwq z&a8bQ$VQhyLAl9m?gEZv@x!CYNZF2cEpwKnY66dwXFtrR4Kp=Jy{XtyDoMFUl*c+kt0)MSugrOVN;)#LnX;D__hQ!Y zMS5u{8t^r`-<<23mf6DlmBF%99cL|$qOySh(l6d0YE(~OpQywg#Ge9uz0MMK|6cJo z=K+8#|FoF@edTcOOZH)pv(=V$S#tx`FBrq6-pm$*#C!U_PZ!@`)oXjTqF3ItmB+B! zXM|{Qzs>oVSR+l1Hr0-Q_zzj_AAF~PkjLhWCs8^lp{A^VkSu1 zl>s5p0K8TNUSm}nFE0X&``5}yd;nD>Uk^VvAL`B=l0H^mJO!|Pb;E=ANJX1>rjXzXH`_i+=kfId9#2S<>ci*K z{^k&Tf1{<+>8Pz`R1I^9{DM`HY3bHjACYXr^0K$A)R7!#W4|1z;$&vT;q+v}!%=Tc z28Hz$QiiId1N>j^zc;M?xoA${xLo?9uXT&z2xFYqsRmH}aou!3&3_(zkTvMDRXlUD zBU*j!+;8XZ{Z*rTKH+Ec{#&SD!2<>W{mEZ7H_pZlsZ&4`dQ<6X%$XbVS5^5hUQ8FB zUicTBAG`#e`A&bz@!)R-1F3FPas6HWTVH{z|L}|cQeW;bnSc9lYC!XM;)B;Z!3y(Q zT`kn;7AmoIT_&H2fIUmv#76Y?j^-$+pTvItFCwI8Chk9btKsM9cJ_z&B@w*S0vRv8 zFpr$ZJLor=GzS4{!qL}6Xn#z;QOFLRz8uJM>8FDQ=Ma1oaPGqYZTP=K@_+bb$P7>z ys);F+fB8Ml$`l&9zq{)Tp(nRLO2@B`LE6D~M(SN>_?5W00!;+qqPYL*)c*tHSbCQL diff --git a/src/windows/leash/htmlhelp/Images/Leash_toolbar.jpg b/src/windows/leash/htmlhelp/Images/Leash_toolbar.jpg deleted file mode 100644 index d66952bb1496d8edde07c33fb71f6ebfdc2cceeb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 5632 zcmb7EbzGC*+uj%rQf{Cq<2xiA-AdQ!hJjyFQc$`>LZt+hZbr)J9wkUimo!5GDG?;b zlty`nzc>DV&vQP{=X{=X?)zN#bzS#!wQ%(nK&PRit^xo8fdGHP1GxGOPy&F6h^{AL z5ECW|ISC0dF$pCZ87Vn6B{ek_B^A{T8V0%>H1sr7RCJ7V^f$o}2!xuJ=@ujS76TXp zzD@!J5n_l*C`d>sz&EIFfdAj)stZ6*4!BD+4g#_Pi0FYJdf?SZ01E&>1SBD#{l5Vu z29c1GkrPo6wl(PprI3O^q|`(dM8sr-LqH+`p#*vusgMGLzBSoRh{wwUaxfdasGONLzI&#YGP5Kol$O>x?Ne-izUdi>7aGl`>M0f`*%E`0u?W*xwi=&%+0pk` zjkR#fTmd-i=ua)Zs2FU~9voufQD(o&cz|o#dN;VitPQ1(-0^f7-h0H_TGDihdLw}!{&(MaWwavxaIcfo z@AZ2v6c^c=Rf#J)dB_yJebGz{`nqYqXq=S#>CvF6jxkq+X%Ovw2O2A9_)Vc`0jAp^ z@?0N$Q`!;!OPB^~#!>sT zQ6FUYD#){H4VO!s6j1R?I?!IY^wyS|U#6)=5%9Nid+Ub)u80BRONJoH)=-Dx^O{~= zFAUkYC6m-qX*O8Cz1urWMd=9dsA!*YRp(Z}hC%>|Iyc*vm!-|&AE6{g>5Osr%T`LA zO{JU|FOjX3lq3dnRZ$*KKE0KPLLWn9`$ZlIR|>rnB0~)Hy+=OHXj2R*jQXtL2sde@ zDE-GypzZs?{e4@`4_Q?+cOS;ON4*Xfj8dlv#NUP*oYfcJY#>*EKggoyR2+bQD}yjd zue#&K>yiC$PK_s9UCJU?TBcn~A0NZ7p+Yul;Tv?#sP(!Am4@4oxU-%(5t*$D!D2!s zBjchO9I={xuuIWErN%P0A~+NNWx+esA`Fv=tLaAFr#=-Z*A1DVJp`Qwvf0k8v{}q^ z{+}#-+i=hjyr|h9DkhBb z!QhkyvQGW_0#};v=9q<@Iej#LHw+Q$Iej{#1q`x~GVd4ZL;j+*fG-%;*vwB3-`(cl z5)>hS7+|+U3Pz;!vyz9Ssi?lqHr8h+?fDj?%&2g_xvG7uuOEq+JVx~O)b!14vODv# zQ}Th2w4cXnebmjzmKXaWs3?+>fzeGLc>bu1n^bY+g{TM!(6hdiRI zd5m`Y2C08n+fehQp@rig`cn31SeM3JL*lMw$ke4zc%cyZZvDgIRSUjdE!z@x|JAvX zuGEre`KcW2()XSWRom%T3jVp9Vee1kUk;mIP-ENMG4Jrt>g|Y;*QYD<7Z|_K*{lta zsPDC;{@0IIscc1U6ltl%3Hg~$tCZmot)=mJk4c`sLBk+|Iji`c@jPZHiGHhhaRZJ>_+>_luuULB`ijP&WA3rqp*-Dc{mKfZ6 z{hAz(TD&nY84uIVVT$I)>UDItR8=UF7ZfZiT7yHsw70Y~y3P7dw)B$7TS>zrH>b90 zpuGZg3LW@~Bnnd?O;^4C#tiU7)6Sp|)wE9W%#`*#U_e4=v)bW>2T!y)Z!x1-PrjDz zLTTyLSE=7l&Fb>N#o=hft_3VEDKETCm1blr@maMEj^@<28Nb}@8layh6MVttPImxN zD171`wToRA@Ap()a9MA5qVg}$v_yG28z5CiNu_%FooE%VjRra z(CUjWrED3G=0jP3@et3#*NAu?bA+&eQ`@^}LFCP%pP8zQ&Mc>nza6ZbjDt>iaO;Vu zl<|(olD?aSHfvi=aHVEWj{KI~68NUX1%cGYI!~}kXuJs!3KmEmVdD~Vt;F@@d+DTj zYRqZJ>xn+QDXZs!$b#r6KD766cjOQ-;t9z}k9$1|2kWRxGDkLey2RPvG9((gXS1ZW zwlYCAR5;I@g6J!Puf@cud+#ZTa;9)rg>HlhIZ)|5p{JYF)3I^TKjhbEp~kbUdN=PF zfc0=Bl&@}dxwzCYML=gu@~pR#(2Xu*D>yS-iAUz^AZ^b2s1MU8bO+o~aXpqT{t3@g zi#8M{OYu*oGF0(?k!v>Z)@*E8HBo%)TQw=@5Bk0o`s_1VJBt@|AA2PRP$iOK#-GdH zG}2Eb$!)i5fXZ*o5|spqIZr3$Eu}GD0j6R2E5L}3c71BDl*m27n3|&Yvx#p5YRbAuEkLuB#ZT89JYTM*B0ndX+9!&7mP0?H8PqyT8U7(q`rQ!gQD}bENF}Q~C8F$h6 zWXX?^qJ8zm7<-9-#u`*n9Z-LI^rOTJNWf4Uw0U4Nc7Bb*VO=1^OSjrZF-=;eICG;< zu0PAKHo`R_hIQZaGdBU>?ztk*GOOX)Sjc+{>4nq%>dw^&cJFYb%gqC3-j(uQ z!ZMiSVEpOP*t-o{>g^Ik$;a`2XI4DX;g3GFgNG}`f3&f{AP2N%kDcd#B&&k>p7B|@ zRLH&M`J6Wy&T~6lpKRPRD|Yh9??(<(^vae=CtITD-zLXiPQCgyU6vz|&UjswJgr0^ zJk{7`-d9qQvm@a`&iPM(s5>`lBV%>D^U=Iq=j4m(C-lf)QO)DA51P^m)i>u=p zipOiZ7JE-EirgC>3g;nUB}27?nJZ70^3;^=*J&}cPu?Fj1R^Od3uou6a{W4j-`7G$ zd$@BGF6sz~u303oHSuloWDARKaM0ZUDr&9q8wSxtwC|ZTTP$poR|NDf&*ok<1e#Tv z#hb}|@%u5?_2^ot;Gela{>pTG1?YFnedKrraNRG4hg2;({Ew7B^CrY46?xRs+pk&D z`>P>*rPKW9^&K}4XgjvcP3#$-G^E+obmTx+-bw$l0v3EJQ1Gs^Z^DoyaMXT{oUysT2L zs4=_lhsqDu$AOjeJKY(|hEuG**PxVS&UQwWaxjEMe|;LvvAtt*Nl>ahP;+_qI*Y+Y zYo@`9j*K%g0YNiLcF*MCuSEqqyq0_m+Twl(VuLaNT~GVw-U;uC1>xXHdZ)zYPsj5k z*JNZH7M$Zc;hVvc^>K+ilMJ(Yr* zDv821;LPfE4E5&H6E$R;ZE4O-y3BgiD$I=CCGF@fpf~m!swIqaO zsYabKdtAJa%$xA29*<9}*u+-fq_b{#EAmV(<_f@g7(pUo->>+>;1QKIdc?CEmp71q z|MViB-RubXPTn73bLPBkE9`mBG_a16@;p07&FtnU-RIG{E$S7kY<8z6HOhTT$7ppq zg`=lLkUs~eK%9O^VHz1G^Wxr6_S2Jrr%h3eXT^Hj58wVJ)VE~*$tTST{>rB}+80X}%=aXH;1!mPt_D5&od2kn(r z6>sqR2ML9trEpmTbhu9macl+VN(#MgQQmtrybR&tF*8ZpHw{0g^^J>Xh^Mm~@+U>U z_-2k6h4v6D^l|i}0|cfL8yG8`kD5O7d%Rim-&4gb^ctM&T`{pqPvF5zW!4!VTx1rORNR!QIF;1u+F zEm@a1Y^1G40xHmJm_CG%w7DzyGU&oC2@R3rH&DB4nK);rB#Dder{VhjV4|nmW*_3N z7FZ$|u^5AN1frki_@$);ad~V$UB_+NA&pu17}bgwen~#2kVYw~FSn!(KQ5H8YeNJ% z(jCL~V^Lfm+(guh9A$!$%8G~`YpW-r@ zkk@Ne>SNN_33Hpd0wg)hp2@qwrz*6n50x9^!v**=N{DQkge9a-{r$Q0hF+KFxbSJ1 z=!vm!h`VTS$q0^+Z}hLqLPv)rzhDDG)Mv`Qtoklu1D(rockPWA6m38U9PJ3aODE997>Qt{^to)zcU-%;ivGa z)lbXS^xuY+wjl1KV@b~))9AH-?e=-Fp}{xSUkk?Im^i-VS)U~G#G1F-18GX5VtEW+ z`->S(IJvH-?f5-l7bCbXY~<8dEJBaMn?Zrr&|S&5C$%;;afj-`biaoA zU5whPHUjo=RI!-vBiQVWbq7LMm;zUS8)b3_`JhmJ*M*O1Y67N6FPBz@peygA*T*+} zP*_!tTjTPuQ&xO0ADEx+y4pW1FA6{=FV7uJc|pPPa#489Pw$2}wLbl@w;7tzhylt0 z?Jbdqr%X7Oo6xU?^oK!5n$M{Z7XfP8Pa6s>y4!R~LXJzga94m5^DDr)lGkkbK5PPYr-RSo$Vlf%65yRKZ3g10wegav*5ei1yQea zZP`F0H#(_#kR!0|E5J2}ux z&E^`X+D?TM##8pc4sml+NS2v#l~+ROQd#Xj3DWX|+aGw?>a`_DcJCl7r`;Qd#SbU7KaS^+V0bG>*=5^BWC|ODr-GcAf zEl12_(Bf_XlH@VRXTEj9KE_Z;nXwM!b*IfXT?bTByZ>?aZlPXaQ5#wPmEQ zLA{J7ZCIeVY2*tR-&&~GZR2-qqB@!gAN*g?zVhz z&1pYIWdw&RR+M^nqfFi|QLpRv8w`P8k#!3{9D!a|6EWUbO|K}%RHE8nggQO)HU1mr z>#|WEZE~zLxbKFT)MRESl3D=$W!NF;M@?fkV5Z2?upw}_OG;fqwyxm7it{4pR zw2u_VzQGqMQl*w@Izst-l1@C0n|k?mk~2vvBI^d?H1l zwCOeRk46mkiQP2n4|N8})bOqBu0wz4%xH*Aj<|1|*|5%BUvSVLYS3JJ>fTV=HK+ZP zASa8e+~HbGZF+cMrXaKtEmkGFOW;(+a$3YbG5?N5)h3ryHrYHxjubd|HutOg54GI` zy`U!BXI(o+7_6~|6wEF#Gw2pAvK?OawDqhR)o)aKmOc3&(|#!0BYrfmt=s*=r^Bb6 zr!$PSS5hyCFPXiv49+E7l{{-q8DoIi&7uth;HOfqjVqKEd}&fXtaq&P$&O!-wlXUX zF!9!BrTa~b0fC%M5*K0?q~r62MHsj25SGQ*3TkSQ<@z7v-c;swBxoZBX9n*<+XP92 noCqvG#+8*ucVe*F{{k1ux#mP=_Ck9iJ05fu1)ItOudx3Gs@SBB diff --git a/src/windows/leash/htmlhelp/Images/Options_Button.PNG b/src/windows/leash/htmlhelp/Images/Options_Button.PNG deleted file mode 100644 index b33d4c49fcca2a0d66ed09211917938e8d3489c5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4116 zcmV+v5bN)WP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D52;B+K~#8Ni?(N&tGng5`k0>RDRi_4n>ACluzK`w!r*iq!xt9r*(WP@Q6DmUpy7zF? zRTr0EIFL8_$EbX9x8c^?hi-K7^o0X?lmFnt1ymRris_H8UO139`Hu@af9j5hS1%k! z;7viN=Pp1agbRHn;)@0obOJ$!mqgGr2vP(=Jw)h5gGK20?3pu6EokWhTKmF-=K}hg zW^zqXAA$^(>cX-co?p2mM5qX#qcv`JdhY2n_gp|<^jXG<*T|dvd!uIoQwd^ZDCT)> zk?4y)f1aSz3wKli6LfL)%uR#y%V%zQcH#ObL$|lzlOxah{WSLnK_#5X)gp8>dP^?|^<1;lboEYMj!o3XT(#z|eX{6w_8_dp z7JW&|O&Ots!Bc0LIzpG2HqLGl+TBAp|JQ#D@mh0EQ14U)HK5v@#dkFkJA3W6Yj^ew zZPC|{iO~Mw${B*71MDA)P+ffB=wxtqnTzAWnfu`8zg)A~bhVW^L*)m^pDsMHW8pg>fu ziKsQ}Zg#Hb8f&dwdqGeMCvr7GdnZ@UAc6)+rF{%20tH=MVFNq52sjyDIKyX44_tkv z>E>!PAj>qXDS8q7ceRx&#?8tE+`4@?*obY@7k!p-;x+On|1Ja>Dj%Zw24@g-d{&4c z2qKPiF#pLtq*Bez&c7*9k|_B4iI4n#ZfVBNR^O6Zn!9!@*Ip1*!ijvzoBVf=F9TH2 z`K8;#fFe-PIcBXtIM2oW4G5~&+zbTG-g*n7*Z?3bY6?8B)*%MhgP{3ax%TLbKFc`q z8hMj{2Z9V!3pztDJvu#0;{@lx!qR=D9O}Xgngj9b3et+5twVA8nS$nOZ%JxO$}N5+ z_h;?W*N+m^haiv2bswQ_|I8JE#_8k`vy#QZ@yI=FVB^ZBur#Y=Dagch7%49bBAIe^ zNza;FURlevX@bf)@fssU{yY7PfFNiW1BxJmun>}bf-`(pbdLt^8pg0~Gu>1Sg!Cft zoZq7N#ba5V|(b{!4mws?{+4>l`$m-UIY5C`y|8$Qxc2f6c?a~*0mT}@W@}{6|M93f! z;)UHKM5qA#-C>A)?Hmmihdd5E{CECZ`{305(A;(RzTb2U->$pGuOGXGd+YAY}DG0%`G@1 z=y=nM3c`XIO~W>3Fa@8UCW;ebLc|tqntl43N)ULHzlq^72x7_Lv1tOa%F(XMaisJ5A1Y|MloPpKZsM1M2IOz5}aKvauU?YsEFPEIkxi|;5%O97>yL6HpCWe(sqate3o$%LEtTd z_94ha1obHh28&Q#d?A*iD3di|dVvVPq)A3+dtktcxEx1o&*)E4EEvlfyxgdjyq5C=^Ujp!o~H~g41jPJ7+Q6CLp+Z}MN?g&>b4LMbtch`6T4 z>MXN%HE>Rp)nOQuUH5z{=GAgqAjEmDAws!=LR28;k8iq4r4sPU%(oMog%$q??)A!R z?wv2=^Iy5&jx~q4S(HzJreQWqGAXw^K!g;T8tS`GXI_JlH{E-|$hYq8S0V0=52omV zCdiYFqhQToLIm@oo31Srm(0J*#@?~|&}l zg=NHMiTd;R-l(`hl=r>*uKP4hl4e1^O|u_!DidT~u2hiCsE<%C>Ho&HB;}J%tc{`X zyWEoW^OUl9cUxq?r4W;eRWYRs=gYzpL`Bj`Nc)#484KR?D% z_j)?(?|iAPxzWa&;@fkB=YDaOBhL*}EV|mVy`LNosm{v?;UC9ig0yX`Aciq}lL<+7 z;(o392Ny?AI1)i|jdn50w>ZfntNtJ^hm-LnZ}MN;ISugZ(7F4eb>vn66^74%iDX)^ zFvH`3d`=!Wj3lFB3!`j-BE(xFj*GWAVX`70^k=m)#tA&hw^YzdYdkt?NX0Z{`x0$a z{EDASu{hl%O2-j0=@>_qb~8H&`ZH14tPx(|Yl2qWr_K-}q+L#u&7f()-L4r5Q9)kfoTmM9ovb4rMlnA+7w(hA4roi15T$dG0|W z{GQjP#;i&B=27?<;W-#5on)Q-DI%nKn|?ORf0PKFEg~m`Ma&6~CvGhQ&-Hsh#!@bh zSd`MK<`Hp9mXCr6eYkL6HhFR3XFE}L2W+z|d@SeQmGv6uIdm?w&S zO9e@q71WAEDC$a@R;&jv#!@UIZKASbf+&BFL=1L z^poadb;+8FYbn$HEJ_n2H1-2UD*V1~qDBy>S)Q2n-BbJ$qsWSsda|1G>1(wlO(LqN zqFS0>kUb7WYeeX1vW_IhKS@X|YLc*2JNHqtH7abcqTlaI1;x=B-*6^rmTCk!4Im`| z|GZi^Op2DDBuzc_*N9RtZ+)6hkZ;S`O&XCa7`QyJl7us zEd}+SqV6Zr@~LM$$R$p{$%1lP^jH&!(#^C@m2#T6SQ7g|Cbe&rt z^z-a)K#ln5AX4#0Q|bo7C}>QKCoV$pKhuCnSgt6)Ag4F9eiu=&;Ofsv^B>b1Mu9A zoF~R>MukbeNF;_30q|(Rx&Bj1>uNkoYS(068h*Du{M}MC#5adNA!jxyRAbC$AiH-^4-by!;>Bwk=3IthXc-)WR zzi&#UqVAUwWYL#M(XTyg`ALqWq%U5uh6VxnO#w{-7i^#&wPk0cW6t6hounD-BuX`i zX+;omJ{5zgO!~$4MNph};Yl}{_;NwfqjPuyWpt!ieT0}A0w0~YElXERA`*+S&la(i zAhvSf&S_WeN2v$@_V{j(_R0@6R2CsFWOhS%T#m&s&BS4nYU}J?QG0HQAik!Oj!s(8 z2(Q2(?X2@r3_gci@;>5vTBRs^gb$DVsG-u7qafRUAa_@N-K?Qjh;kI2b>P86$AtnYdCv6%i&I{$ZFbO_QMVO_Z_a}a>`(?P1?{tE!yWj?^7l}&rE`UbI z*9(sE?584gh&K%lK3Xz1ilR&iCdTS2_G1$%HD!W4zfwW`_jpJ#-be$sHb~7RFE-Gj zERfdGD2N0jNSZ;&Rs<2287JxI?Wmx%ANrNLW!ia8wuF$c{#zeyJ5D*iA1#7>&g#vI zC(-}^*QJmnL~Bg^iX=bFJD|COl2;|4p|4`CDX~Fenj;R($PTtefNoRtnkjf*76c2t1Fk+l#OIY9;NYw@Wg4mKid! z+Kh}N`I0yJrv!b0chlPY`f^_p?B%@pXfN(%k9?_b5{mB4^Hau)yvaW$XuEgmK3i&} zUcifA#w+?PF97Bt^HSj0%YM9GaPKsJQ!fgFH~Gh?eAC!-FB2+%xc+zdGT}estB3K9 SZEAG@0000P001or1^@s6TLQq?00001b5ch_0Itp) z=>Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf2v|u(K~z{rwO4D5 zRaX`M&bhC1UuUK>19WD90tHb(Ni+?O{HVnGA~6a-T1_g|HZf|5wuYEW`pYztq<@Uo zMvdBFMgM@>G_*C?T1bnvp%e-XFbrin4D`axz`)Efb6@AUzP0wbGc^8aV?8(f?sNBJ zJ-+p=wfFU!aUA3S^h6O5iFEJSKqa1@sloF;TuqTkU)bG=j`kwFqx~1-mCL%(Y<{>7 zWiuWQ_YGt1M;F3}$Zj+vG#U+S&87@d;rnk~&wYuEy2^^-`JPJgj-I|4FI%!eJP`mn zAnoMY3Yr3__kJ*xkWv`YkWL?lImo1OY~TV`uUH5i>Aw(PuQuZ=H|pBIcKp1o`QXoM z$A(&RDCtmPT74Il=^>mOeom3?j|`t@iRs0NhB+h#)*iVr8OE&8#30A6*a+pNlzJt^ad<1d=|GAmZH1-DP%5x0UukrSbX$Q z7cZDoH2Y>bmUQZgWe)>1o8)w#8|$hl#;WCAD8_4W>C|dWp8E*aeq6km*N&NbL)S^N z+h!++Ow+2NGMN?$yXNX4TpAx@9;rvgVj3%!c42XES;jroM1jt8ovcZiNx8-?Q^a0t zmo=jW;gjtmTo#Kb7Er^sCMMS%)s?bJbx+r83b*74Qrwil#c|Tia>cQW`05@el{hQ; z;(NX%pET(;aTNsRrWj$UlZ}*N@(db!YZ>o8YPQQ8GDR)nh|q(H=~0P$S0gk58E{ta zM2hq}#*HRG;EFLZUBkpoU3+G1TQP_Ex8%_k7H~^j9_{4-VL6Aelto$Q+QUG{InQ++ z<$^M+B}Zgc8x|eL$2)xLLR<>V2E2py!n3 z8Nrf83!IX2$uftJY$Em_^dSoqYp67&k|9yDaKW5BNoP=M3lZe9l8ACrD*stpq$bFm zMk|w1W31#@E;U#gNMU-w7)g?7Je6Dtg=Nyujh{B;OVJ@z^5*zpWr+_MXtw(Y=)r+$ZhFYHF? zt}R%D0}Lg;q2I1$OI z*jDUC$E_hc;wh}z@&l|pw-Zku7(gzQ($kWUA4d&D*%kQ3FYm$EKfe)!D;~s_&&XYA zavYCrdmP_-^kMOC6aKO5XSn@K_u$rS7q)I%EaUsI{l}ZJ>h8M{+^FHs&0odnf#(SnnWW`As?hs<>6GX z3d;%z(mp09Cy~zO5LIjNvl%^u0$DdTIfXEv6$+1Hk(@cEM3|z7wbl`q4D0|Ddr?kdvAZREil@QB@2g`IIB|La`}ZHf`VC)1y()2W z&}ns63YqZKTeT1T7p;@~_`#WEjRQwFLv z6lzpfztu^qa~|6YHOaiE#RjVEG3)dvp>TgIB%zF|{HWq2M`oF&In!d3DK{FK!PZ+g zns6ql<`Caq_Pc;yA5-89bupi}}0~`Gkvk!#Jo# z;ugK85t=k+wdS|Vv%4FOnf1(BZ2y+%pmWltt66RIrB}*mh1lY0CCCWlc+|=iF`mpx z$#sSnOBE9ZX?i68KYSVUIj7_7J!|rAx5>2rPto%DL7b?!N5t-JR*cb~h@Z~u0zo{ri>Vme|hEUbs>AQb~FENtHUu@NEu{j>Iv zFyg+$_BK#c!m1de-@KpTzEady#KNkEKe)EWyPp$zfQ-GdupV{%-LQMyOYN|*D8toN z6u|)&yXM>8lxlwYC?c{*6jz#S^8VrMS0S=w1ULyXZfJk}!&q=F>HKku2JK{H+=6cx zAh|)~ZPj!?-y^bG=7_+rxHO&0D*~OSD;}GLm&LhBp9tR>9%gs>I8-b)%t}E> z?-dFASyE|{Iteb$+c0Tctk^9Ac3vlPoFAc91xOmup4>II(r$R2%SY#T=oF;KR}R1e zTpQv#7GPYmS4q(&+w|@(f=*!Ij}SFu7usG*3r2H z@(QI{k@VBe4D)^-=iILIC#Zv3aa3gWafX$HgX&|5R^CaZtw8l=h%4^W0z9x*QcxQl zof!YtsY6Zo`=F`+a^+nJ+cnzdj%W@AL?957`flM8$++Z;>91Xqr$Li^2bFBQkG}P& z7Drdy30wm}Taeu^(ny97z~yQ8+IzFT{o1NJhFhxsUn&zs!O^QvYs(2;kWG7Z;%uKJ zE&Np{+pnWqw;utM=W3UfOE0L74yq|UtXGIhZf^;%d6LI#@}c-fl@|T=A=ZJjAH`u} zmpUEUcpx*)db~dw8I-3iYnE4-79{1&3*X?RR*{>*EmuDa+MK-I%%PQ*9Hj571SIr~ zGQbusvJrSD)<3hiq4SzWKa$R}cVvI4{UWwsD9D*)Zy`Tw5q6Dx>$)6W<+4O1DGEq` z40*W-c$rEL0d}{kt~*Uc;yQFQbYpF5xY7m-_jmsiC!Q7X-KBi_4Yx<&<%8%n-QW+L zy{5I<^we%T(8bpHgmuq@8GAd)nzY>D*2$dBUw(GB$9)EKcXHFf%gN4lcr~8e8)~S! z?JK)km*sbNX9r#66dmLE{Y;i$I|5>@za&C)d;ArHXR>DkgkO4l<}S{c`#xF^?+)gs zMp*S=bh2T_iNdt}C_2xL%O68y^qlmFK>mFxhvXd5drxLXUa$SKmJGn~Ur&9k*+5L7?w18mi(?IbVRqN=2%f1)WL0=2_g+wT;0eVM!TJ%huyelRHO22yS-c91+P>eTsT&0_A-^{ z%qSxPo&D3j4U3$gRV5n2uJ%nEgdA)F5T=$_hvpo}kK*38?yIxi+?LAJx&RAklOCf? z<6_U0l5Vy{V4l}bOQy$R=Z)2chSz4dPGDu?g4vW;%9pGXGG_;tVRM>jSitrJh#~`R zRw(LfUHc%z{hAzk83dNgp_6&@j15uMTK@B$O5K*^ls~Z{i~gTSqvBf)`PQ4;L0UC- ze6?d~kmc)hf}gd&aA*v?%-_Vj2?qk@PwMgpsGs$$r|@;Gv%z0bz6n0fI={SO(BPZQ z^VcmFUK3F|YHy6SM(ErhN<*T)EOKx5NvFj^49Vw#Aiz6#VJmv7k<@)inyEVJp)pWe z#H2j*=kTxVJ+s@ki6)_QATmF@e0vH;bh4mHZH5QYJY=Tydaq5(Pw$QM5gt zWmExw_r-c%2&c;i!|ZKjceA(cI*9n#GmJp*ESR0YvaR|8C?k$OEtt>q7n%{xV#&Xr za$~w^23MD4>)3CH;=}esN6_}2QyfwG&1b&!OZWsM=grgb&OD4=WYqKq-!koD?)8t~LA>@qIrApT2yy7_#aHtu@V$_1l#S~4o&@d6>`*vZjb_RM( zgTjGLM+uelYIAp0@?F(G4N@BlMf6h z9jolPdg}Kb<~pB1I{wOfYfZb+)0VixGJhb3mtU8H;x6DXDdz)5wa09P$jl?R`1=yuPQ!`-0vG=|ZtDkH?qfL8RA5RjI4{apYDE zFrX%r&H@XrZ>siK$?VRwQS;lN0pg_zX`lqg>c!(TXwtW)r<{VRyBhqfFWB@6U4-Wa zYK54FqbIABYo23lWigXLdaD1fwo{&WRjr0u*NkdWUO4CwXYOu zXUufsBYz&dE-W)Uh*l`n5N%vr6v0=yEKoQq}!_@duec8-D~%m zPWu0l$~is^v$fE}tZlx&xhaC3<3EGNri}{!C?*J#aUdLkO?*XMop-HPR{iM$ zdUbMw$TmkmPU@uR%HG%Ee7TuQuFik0aH@cT$$c@r$$~Xe zxuzX?gCWhp4~WihZ; zFbuW0(AOl`Sinl$y5^i-Bf{{j>j(v?n^Kw93l2hZp@`aNw3B~ml#)}g$Mvc5SI zKj`w`qi@ceO})`w-MFl@^8eZWzV*E}q{rw`fGI~yYgxS@a&go%_(bf3wD+T-Jf`T_ zcNtc9Oph=slu2qqrxhkxm1oZ)o63ZQYpZ!2qkE}B=<5X>8c@UR0?F^~SGlhXqeJwu zV>LG2jozJ)sImW^9eLJfmT0T28Far>IsezBa8JIYSqi?4QpYm2LDxSq9~fl=3PL7h zvRM(#z|jb~3C6j;)hdv?KFY0#_U4_esF@ob%o zQ1H2jdLgSp0q*nnr>&%KG#^t|5_=WEMstK}j@j)hAMnbp{jt!Z(Mis1^)_m&eLSJgX+8+AdjhMrK_56R{lgyE>sG@AN9SB<%?tnC`yYzmxje$xfyK(vcWl75-39Ojm! zWz-~`xjgl1$<&^iZgm#Dgp)X>`0#wOj@B6fQ1XRE=&wZRfDR#(=;5+N9Al>|9rz^in$ZHQ1iw#@Uiw%pPNU-VE<(*{imt*k~#PMl)Ql`Eg<@7 zbO^iBF8sBa;e~M5Rq&Cwd|@!zGNZqRNC?h7Lb4#1_ODIcj-Qz$Nm5c$Jg!dNAgnpv zOG*?e8Q5_rk2lFixEFXFNxKtsk>O4Tzk;6wpgh>~pcEbSiojITjG{>DLzWvJ7Q_}l zTBLU3R^2|WD4k>}(D}h8dktZix!Z7j@QLPyB2d51X2t#?TnwtYiqvw98*=QOY# z$cNOsq3LuVs;(b!Pgcf;IM(D9%n1ffkyHBiBAIhXeH8LX5>TR%Kdk#&GwEw9tgA0I zRRs3J#-8#6t3bbzG#9z@(Of7l{c<`2S{&m%HT7nBrMUlmZet39*L8NdXX@CFPbRb= zVf<^M!ML!G5RH|eO#2%zHk3nELl0~%mK-l1cG5_QoyLKP@+2|)Y(ui4Px%v7 z`w?C76JGFemz7uh_C7#L${bl&5;sVeLLaKemY#caXB5R$S?CnDJ3lJpfz%nRL{g@+ z+ANx}jzfd4qSGKby}V7KZ~y)+-`u&wR1Hp=C|J3UGsrIUQIVY7g5?DPca>wiOOaxM zu*8BoI1^SvR`^7Gb`O^JI_|kt;~$ZmxPSviC}8nOn=5-#_%HdAz_#WZqU|Zu3QNAL z4VY-gOzI|cR$_S;P^No^Y9K)lo`evJZ*xG_%bfjqMKIL`?cN6c^p3kGoc(T}CY3my zR3TBGdsNJkt256Q;8(4#V$Ya<#mmFWv*;KsY3b8`YRzg1DvMvSZEIu8S~9R%J>8od zzs-GmgnaN#VBoTm(I`VO!*;djBWW3vZTP7Gllx3)n!)OHW(b}8%Hy?6n!5uerk$Ob zNbEK}F)2x3(%XR~Uq7KEt<1>!sQY1K*zlM6hMy63JO;CvjoG3G7&RyDLAfp6FkkhP z>28Z`-C?zOv$Of5ciRe0l72%P>Ras3NbchiGJsEU_cKU*%O&1D4!h3KEH98|c-7EA z*HMmjnzJP)V52hdqeh=57&|LU>G;#(ZY>)Z;uO8}`nuW4-|JRdn(JTeR|1P$&^Lwk zYJ-IeghN%t!wLQYd#LdH4=n(ke{%+A6%G{v3Em$HyTbQF=5jgEc5n&xT=R=q&h?5y z)_+)VHw{@K;&7$+p~~yRx7Z0`82($fe{%`_Lg)K$^7S)xO|g4IBAZXc&CYwKEn4l( z3czkZCc-tAFmCvpRXfw6yOy#8A87x>aFeD9@!M&*wZSKAw2MmaA9+YlZ~YIr4AweO zJAw}eu+Ke<5AA<9ubRpEAaMbzF=kg9tMg2_?00c%Mt}GK$dM=}*rY4Hw0I=~m0P2X zp;~ifS!-eHu-oYqi!c#&{}_w@gk0cT>nMAW@%;m3Pk4|UEzSWi`9#iA#4i7+aRmw@ z2U&0MZe`mZ<2X0f1=S?g2~el_b+;l=yW;{i&8WrQgg~c4-Ycr?0ENVkoMY}VvTw(W zVGG8rP0WDx6PQIg2Gd>XO+I#PVJ>NT!_APe)F_mT@?hprt@)9*IksAhPV1s(!-Ugz z_;8z^2P~Xzl~h+FB@Yf?(@W|%H9J`#V0cN{>26E1bnANjyW&>TvGi${$a4`W18Vu3 zgks(qE=+$%@HrT=s6_E_K%#M1lPFxloy&o3d4m^msN>2(!U0kZl5PTvBt1*H-kLVD z{u$scry~}3AX0P8p*(TnAj?s2F1%K~46Tmq-1~$Ohoir-x-hsHF&?A8vWK*Dvm+)nL662nqpEH!k~5-!>26d-s@3o7xk*2m4s_- zRbDvE8TcX@pz_6tqoQVQ4$orN=)&uMBe3RMmSa{5UKNQSTERS^EF?`&QMIG8O+zTbmWSc&~T4 zDAxTZ`1obAw@hJ>r0@m?euvGhT7bN`2zWF1WE7HKy3^MqE9(5M4bc`f=y=tGu3Lt) z6|eHCOeEYp-Y1n6@lm-$?^HnSu$ zrvL5FIeF6y(y=jupAP-$K+CbYlIs~0TY9C5B+k?wsWc;t>#Xd+?)6!r^w--paf5P3 zlpoz0`d#xQTP>d0I5qt3@ST#e%~g_JfF4Huh!`IiCsGCS=PKkc#9lb>X%vGoe6KRP zv-L(8PM(I_dV`&jsiB33GjSickTP9&BTEJBw$2^<@1bOAWNETSPe{fYag@M+jn0Oj z*q73D_5|4T-^cpB{LLF8N^y(o2)=-y9?|Q>X#6cgdT&Sw^@%_(qy}F~iwepAC;u4% z^YVVV=N%EHu7$HGhLC12Kbynqvdfqx&n^T_?{nz zN+PQ&G>$f{uRO@oR|Q`*(V-qScto-TaGbYaVXmN8?@{(kd0nip8`YbTf8eqs3BxuA@?+WcBv{0LO>uOaK4? diff --git a/src/windows/leash/htmlhelp/Images/Options_Menu_Open.png b/src/windows/leash/htmlhelp/Images/Options_Menu_Open.png deleted file mode 100644 index 251ab3ac4102e40c4e5ddd0b5c81be2c461a0685..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 10690 zcmY*#Ta$e%FpvRhGd5k^un#0G6Dr)O!E`fg66^fQ|_NRyO(HFeJ}GC zP&-Aj3%^0Ol2DQW03h+0_a-Rtdkkk;9ajJVd*IIpVZ^E28~|X}mXngu@G?BixpAeC z0k7ZTWG*h!NTc3#P+l#6yRo6IPHak%%JhhN$rNv9YWXnW6-F4ZBi}H%nA%kMj_`#Z zTDg0|j4C0H8l4vsjV!Mtu9YW}e?HD??65R!Jx$v}+X_huSBhwI;WR{TblmS|Pw%E8 zEmdo zw0bMVX%z9n=g@c)BcoQ&@5$#TTvD`>re-LJ+B95j(F*ZTyIK2IWWrhP1e0%y`p8Vh z=_1h7AP~f0R$MwT+LIrIG51huv)?!Z`4l-o^ff>W07MSkTHW|LkY}(*J&6-Tgqlq7 z|F0tfw^c|RbERaHD653^;bLrL82C*L1CeXR6F^jgr$3#2OkeYm0u@wfa+ii=?5oAU z1CgV*N`7n(%Gz>23zLn@Zslz}iHIda*9yKraPflJ?~ysQ!kU9o!>dj>A=!prgK%k8 zz0N}Eo*2K{=#SWg5!UodDLmS|jd^)4Prm%b;(h%|&&rcYiY~&c^5U-~gk+X*{v4Iq zt;IoSmj+k@9m3{tcLqwh^Zo&LsH9m8y;0KJ0&!Iy5T_nC-I|IF9aw=iUJEj`C3B9c zFxz?#4oQ^!3n9pqC-uj(NmrhGdDvC(WLQWL#q;LLKb6LK`?|=cVGMGA2 zjgZ9-^mrxq`JbFcNH#0`ojncM(K?1-Dv^%dtRBcsZie**bOAE>*{j;W(DIzkwUHI> z_~)1wD|HLy1g{n zh_$JdiHZHS0$WO6Ew}bO#+nfatl_K(cV*VOv2u4 z*~{nvfVK}CnMEliFIIh4TfYK?BPz&vG95%)VL*2+__b)9Q4oh41o*M3nu4(`@S%|z zC@VmolA~ZX-7}m1%&7qJ^7IKBDoC!X8iH@V0)p|l*+aS!XKtSUd9%H3tX^WuX zULtf7sAxZ|2=WYCLgZZTP{1V#&SA@KUk*j1OYZ|R?30x>nUK@__wsubKH}SsGYpUQ z!=f-1);fB*`I`UaS*>_J=<(*gihU=s*p9kM3VWJX!|Zwesz#)}?!B-kS%g(j`!X8$ zF4(1#1E@zc;K4>PBy@P%Sc4O$?m@6CW4a4Zu!zl>JW_>jme9AsC#HfuP28e%7Iuy=MrKP(4-v2z2Dt_Q)1epSF*1Cb?3z07-0T|g zL6ApKg+Dkjx_>aQ|9z<7Dpt!yjG+yA+wyW?iN&Vnj`g%G*_IaHm#EC-z89-P9g;6- zC0Z1fIsR{96YE%fBl7Ld23KdNP*44{;S?o8b%OJHUi${wCs^JPWOc&15Fb zRFTAIr)B*_M5EhZ29bmX(Eb&hwEmIWpE5ex511=2R_L!tCv??VH7A>G)Y1^=)5#;--Y%y8Usa5;_&$(`lmJAIvmg`E zAag|AkynWP&~HNsdOyX652mGN@E6y0HchL3S!6_C(orM9yUPW5?`SI7b7Ivl~XSABpog~mHxbX;Tp2d7;8|%`*Qrt$MGr?eV zE`hM^k6y&do&+YuJb(T#KnbBLobS+Jhhz$p==@|{ktkptTA($(wUBK(o5=={j7J?a z!vr^3kq#QYzUg#Ho-g0#q}xc2NL z<=B3`-AkU;4hk2M~6D~9guKQXZu zft8dPjs0Y`9!OBo^JLJf;d2?xp;xOM@(hWLeZ>H7;g0kiJ=!cyKm3do9)Zg1!MMgceVegNuOlB8MSiE*t--oK^7+iqEOtdL@qL+j9W1$J24HV>wv?6XUU78+JE|>*CS`}_3m!hzX=%NC$81R<4Z%r z3+m_Ai-M<|1S{@q@XLkcczq{==a*RmJG{x$SBqE<0xM>zmRGPan-T$*4poD7>Nbx& zu%GFY_y6jj8o(Qim4iqNytQn$z)k~Q)N7`w8Le)Ebkw!rNg=YyG@So)dMrImLvO+= zbyhj~+VPzkc*yA;>tvO&uBK4+L6e#}H1YI*GV$A>T6=+Wev}te88`llb)7=0%*XN_)&r{>R&}6ar&NIU$ ze@pr<3+5(~EgukVZsO^`e3W>oZy!9nZ*DQU0joSXeU_rF>#Ul$tnIqgP8{V_UcOO> z6rUhPp(-Gm3;`3;Ple`V??VXzv=Sl%8UG|yM23oQLqys7UYKmZaJ#}0BSK!!Im@%@Fps_n0nAls0N z$vaLtba((JvJVv{_MoFrew13y|8#SXgTR7cG?mQ@O{J-@XXd(US$~j5{;u}I_HmAS zZ_d!l6{R>JN4(o_WQm(ilIO&a$QTg3DYsP7=aLRfOCz5gc$O@dgDh%MARxz&shmED z58nNweKlgA*^-x$F|$>r?K1OdN-Lo-C@sF*ADcU?M#L?>q zi8}`G06_dp$KK}8k3wgS>jnfJ*7&TSE2fN|3c6XUUS$rBYf*PK_$d7#?TR4R^;sA1 zR(7VE^?`>72o8~F4!7MUUSvynJzwzZp4POE5iox3B^)oQncm-UZr0W~`KzQldEf^B z2E08DGKcD|kElLbhPUFC#Os$0kvB3ev3z!F$r@o<#LY9xF0Nhqxlni^kF!1{ z4Io6PQmAhIPU*J(QR-G*6#WHaFs`-Y>Ve|wp5p4&%C8({i_gL`5N+NHN0`G>)!VZd z@)U_&U`1(?zbga3X&6aq9p__`U1Gi=gFapPXQv;KXqKvV&hqJ6<`jJv+E7-n9>4xH z+7qy4;CGGxiUvP;i{h^x5zOSAZdR$=zG$6p$(ARsN{KMR(D5HZ6y@pQE zqf8-lD*Id0Jff!8OQ{u^u^!Yp)u*_;h7Av3o5 z=14E)w404u&gDrDLym&^iQj(Lm_yFvJ?0blIoa)DuOEGvei0jIw98 ztT!;vKW!=eP+g$_@`Qn0Ro-VBFjcMXhDEmY<79NtHFfZug9Zl{6tuoeYl-_qFpulT zN!dy>Z~MZ$pBHL54l2FmA|TLsW#^LZJI$#b!Q=t7fS2d1BtK zAn;OwnGmY%=QOrU>jtzxGgAzuf9M4Kc%h2tfr%ryIiX&+AxnlKU8uG>{LNg!=Fp;i*nr9VehdWX=OscgFQ`mHi&8qAv2WcRIB%} z_LGjzkQ-qe1Y`E=H^K*2$br(gLj^hRQ_hx>0t#OXI4&>i?l+x0dy*>cLj2_E?=@yc z&?7$h?2|e|^X5y#Uy;zc9AU~2+|{k79kW>tEQG#E>|7Xh7Scm6((Mlw1_;4$b=0sf zcXQP<<+4CRv`>}7A?k{zco=nqVXoEA8d;@5!%0-ymG%`>%Htgpx;1kA@s9(E=J2}Y%^rmRp1Dgnce^!Y`&DZHSFQG&vH>Gz)b5puR8l0mOpy_YVPchb2oH3m9g1nDrXsa$=J!&59Zxuz;MzP_7HW$+xc z)yUHwE6d!gi1eGMHAE^r`uZ^$yEAcw6~cL&zdF%LIMuxwAEuwL!MyH&*-iLX0DQIv z@K#wwY#KyV*+;UtP9V|Domiz-^{5m3I3c&yq&-*MtOHV!Z%=aEIxO*%Q0YXHIv%IR zA0$wQyk^ldb|stvjSC!DA62gJ;!W_n?^?xkYhHc%i7UYnyz^@5*u*=pUc-D`=(YmG z`@|4+Pkx-9ezwRD6p{ucfldluuPRs*;U+JtaL(KzH8IHx`1<5B=PK@nC!c+Y04O3b zr%wRhZjQACe^_C11-{1WGVPo9HK!%E96HD6t05A|FpEHd!~4wMP%s2BD?g||se4t? z+vR}&4PN4`cBf#_5S6eV3)?GUdNQo!hu(%&^Rut+sz#=fS>*HZ0M^&)htJrTHB9 z`-;WTuj_UH0;ZT$^bm%m9lYDxci8~rC#%p_HVe4d;b02x-kFoyI6T;Jky5hp6cX-> zw`1=W5iR$Bbd%;Ji4bA-DL67;h}mM$k8F!RVavB5{s6K+MaWg(pEVt1)*o!x-xTgdotT|h zztpHB7?rE0llrCyYp)8xr8U}Wi?*VA;PMf*nKwAb37N28QRT11T49oCYvyOAwkiEC z(FVg&o{2tC9$;pGbmBwnhPoGl<;Qv(V=vg-Jzn_#AVt+ti1+%&l;#~o@Me$e_!*$> z12;f0JvM1;IXnffSja?mH3PBbmO8<%Jm-@tXM^w_ahI8Qi)&1e(@iz!@PXJS5Etwe z=#!Yc3mu8PU72u0V=|INla_Te&(H#(PN2&+`~tjM5>0WSo^rPy;Fph>Lr9RDGbd;Y zMca~3kW=Blq)pIIE%CGv9>JY92KK)j0obTA^R5Bls}#1 zYeIAi1w|SgEQYzS3gsjWL+tcgcB8+T>0v(sM|7@VOd34C3nU!}1&?`2khQ3VxE!R; zm5Xxkh--`^k9!cpBOJRgD;Eo zdGtsLtxm{hF9i#gVXt+6k-gkkR+jyriZZNC^f>*g8;$YbdDq4OxEN+*pfE}JMyMF= zMUYhbsAUb#@bT5pFkBrD&%lIg2d4En^N18#Cd8gdjt%DqVU(=BFJTTWa>}N4)$byP zF|9FiU_^fXJU23&EZ$MIzC5EDpXeXa(Es9lh#r>KHJDZ<3LDSPsR+r&54tO#nN~J0UAI%poPeld%RQ?H|JP3gNHN#!u=Vj2-WuMSS{WKqj~W zp&kB%!(C|UhA<@>(n;+PuIWzk!S76pjFa$R7NqCAfKFcR?A)FY1xIdt-|XbIFGAj0 zWUVR?)h%Ebk<~t79wi)8U-Pj1B7C|eFa-)TRYlFJ=%4ZZ4r;mjNg7s&$I9Czi^TB3 zilpeqia3ZO=NDDho*Z=W^@0&oKPuxkTABR7EapodOvsY7&Eh+Zafr5-q<_;}J+Fk? zdTuH6jTToX&W>b1T2y$G#0@S`r4eWQaNir0j!aI2j9K>5n`DwdaxAhI`3S$vc+lMA zN+Q6~*fhYp5}EutFT*w%e`pKhZ4r56k&^#6p5V?3McW06{vdt)5`BREF#gA1q)`&2 zVSYsR&-zTgPiCVXklL;!MC=J0=YJqpBe^cT*0N(@mMbka>H68|FW9%~W`nHr!Q++a zXI}oEBz=$^r>G+5oA)ihap~dEql0z%1?ccYqCG^#D=hGWwxcKjQp}q!Ll+S~LeGlZ ziHHi_wB#In=X^r#@4NqYmS#KoP}0=K${g{XBCSfCvO6Qh>mxJMa~Eeu9g58Ul+>V4 zu~VFk3Q=Pdu$MN-jH7Hd#&y+Ux7ML8Co~3qj3NVKiOlUqn<5(G&;Bryf$||;%C5&I zsx-a!8QHpF53?0n;bM1*2U2bR0XGqljTM7^%750};6lc>0?#(Ts=f0od6tjfWtikdq!)3%0mOd^Yl7}L*Mf|&3FVbU) zj8XcF#Eb2W*+jlL(^Ugl0VuQ|%|hFTM(p7?xKt>#?(Xi5(SPYz8am*2)|o`3hdpih zlSMco3x9$O{*7~D`J77d@Bv4(e5jId=Zsh?SQiyzuam}B{V)kD?YdGB%uR-R}a-gS{-1Yg5VVvet98yBHLR4Gi2gLX{bg z8lv6Pu$$WAj6f7o=D(6!h}v3fakQ!VlG{Ic5qMw6_&CS<0vlko%y1b7bEc z^GKuunpN4Ha(P_?yFsi{B@}kqch!)1^K3f0-^JyzVAjuN-R?M&{=F4P)5E^@w* zz*J?cO}hCxaEK_3dF_gN2`}jk^(^R5J!4*25cA$#G2ndFBCZ__Xus8Lq zEGVC@qYB@$T8fi*ihdQ;Xdi!XYo%nO!zAjKnR2If-nHFQ@Z{QF!S(9HuI}~v!R>Fc zha=YNTQ|>ZSvCU)=F9=gVTUIZ8n>`Vk!C%|d?_vQ$*!_az(E)tHTJt(8Odht)4vikiY7v(z8mewr&$vRE_?oxY23*NrW{YC9hea-ykmZ=iZEB)Z5D7E9G-d9qkG zAnM7$@+RyDLRvtK-*P=#=g&_pZ0AEn@X!o5JN^9lo1NQSPkW>1KHll^f&9tu(N^Gy z1uZ;`9$edEzh)|b z8An_4G82b$1fIPdkv!ZfS(a6QziK57(^+2-Hh9_Mu-Za@a^D3t^ZphaNE)!Q#uJWo1d#6 zQ$3xocRfx&{g_lC<7k0~gDW)TO?PcsZynPdhkl7gQLpy%i*v7dlp%6e9@|-GSAXrP zAP2t4l%ANB@jUWzt@CgccDp^jtljgI^rMxLC(2lnJQX9WD^L z5*-nOm;P$3chquqjT1vRye=HDyBL{gX}NPA`j#V&ntECu9>o~a=Y1w#?#t_ea)*m| zSeI3H-QHUBH`_|f4=}a+3mnR^K9AY?-%Y?F!TP<$RHe4Vk)x@UYsyusKDiRWJvkLN3f1F_p(r>%Y$kNmxo{1mu)`BfNdr{4<+{ZNv(kW7*RcEP$3k2Z4RWx|^i_ zS~2fOFrM{@pgr?6r$PUygdWrpggEVzo&6v@v$#!__tXV4CW1n9? zY2mw*B2gsCmkW-o??GBNqRY46=11cmYKCt->ng=2!#a$txVA!1g4T_HPjPexQ!||2 zAK$Fc6;|pR(pRecPC&=?a6A`qS6I;K`{(ntRptVIs}!fJWHZ|8`N|q9QG-PpPUrOf z(4oMsI=}XK(eQu>(bF+qo~ilxYs#CeU;`}rD>PrVvl}9rg;WRDj;fNWOo?_@CN_dl zlrqi7LLC{;!1dmf8Cj86LLPU@$%75L=lkKFowv7C&nyfiV&kRy>|5_@wr5z)m z8*Z-MotiNtLdi0P_gf2T84eBS5B2$*+P%1^RfgMR17?RS>VSyp77Qz!$`Ju!q~g6OJMmjzseIJhcCsT zUZKb^>vNpj4_l+iKDeQMTB}<5)=|q6arz~sdm?NVOxRS4zi&tIAf!-M> zaT~D}1prwp*JjYudf+8-2_6c&Bs{#j9j0Hb%7g&YE-D&eUr= zpRc)HEv4$hEVD&NafN62brPX)tIW9{_51_)O0o8l|Vlku~MXSfXjs0~s%jH+>vBt(1zWZV8i zG60ooSIJ@M#S-{QIQj4SZW~$E*FuuXZ^4Sx4^AT#jY;r9VXa|Xv`_22c zTFSucK+pXa&$_LS$5thN-ctPv!V&Z;$sRo?gZ`BSfPIeZzvi*Q*{x&JDm>i?Nc zMn$(4GLgE$kqk2I_VIUP6BHGVduC(Fe8sumwhYEnnmF1U?IEF_oWkl*6<=IE0fuQ{ zulVj|qEK1j*=jE~S0NnWnPER|6yo9$M>GH?PBRk@wx_z<6B^o|4Lh>lTvJ+>RF+~S z>hrP45Ld}+KMy^{HM45AH5s= z)`LIFU}s0}LmWOQVL#BDQu%JU5T#`MX|h&hK=%cl6c|qRfxP3Pe0OQb6yGeuzP_l; z-tI^3U`j106|lCBh~8yQC2;9*UT50#vW!2b)bqS~4MBUQ+Lwn<5>l|5s`(ZGtqQY3 z&N_}V#-21XGE~a$YJEL|QlhI7$1xvS(&-_t2s{{D)v|3S1H0Iaq`@ahH>xfAV&FTv z7rYlZxpo8r9MsyOr{s)o1q5xn^~G-57zGQ`Q`&vO7TJ5F3KO%L{oG(y!O8nV9c}IF z-dS4D z_JUvO$!;HBK5L8qRS1xWYVC4wWnt9f>Df$m}lVQ z&QbKH`g-*DHF9doG&`1tI9?tIZ)hpIX2KMLo_CK2<$BAnAHNM)!@S;DmTA0?y37^M zFNH7$5F&sc-RT;()w71-Q=_(tN9jh}y1V?ie_#cGj<;1IL0Jau*$a?G-W_;GEV()X7iwa5o>MB z5|D`vP2E+w>NM@RlK1%cgF=T&v2xEn>`PwC(=4Y<%hMzHK*8~+(F4{`B+7PuaLSzD zP4nRe`z8`4qalH?kuW<;5oSl*bXJ{kM}gqC@dQP$((Ve$N25oWPM;^?)vHX0aLvSMwYa~!;9v_OWoBC641QSjgG#Z!8{_%hxS;6xU#1+{`(_A$c43rwi|V@2e8t7 zu2x^CQN*BJiazJ{D_8EHiq@&hDbwtn8PU-Epmj`i`%>bGYsQlakCT3BVamzr&SX4P)3!*uhRUUlC* zn$us!^J$~m_ppIyH=E`soN_81w^MWPe0<%aNyFX6m`Rw(1zbqYKI=Rt zR=uA03424T=gQv^^%=|P43Cx7MTo`GZAfNq3rsC-L6&{)$ob$<#U`xjCc&M_$LPDF zN5NfrMt3C$P2iV;`|mbd6jbAX3q|rZh96lg>RkrSpXst;?rHS0EiRH*6S3BpBH9_Z zS^C!Y!V`nM7GQQmu^w#y+uAt%Ps*9I=>*R(_kzNXQa){lOqw8<1K?C+!=E-7@@$P6 zcd_mZ}A>a%xaed=XC=9`P% zUXjy3&+CE)&(JKnMSx9@&U*q>1{LbmR8Nx&U2_ACkY|$?TQ_Jg7f<2pIxu~dOn#8E zf1?ymR1(rltwH;+*`gTl@&3|6xeYp1V(6OuX-E?=_j)qSn(l;-Uy8Aa;w=FQy&}%r z3_%+(tHfDBIZfw9bM8aocDPbaWvOzf#U$xyLTs>xnpp-1c0;HHLIydMRxamOwii5) z3^QzeNC|c30AUS4T%YN}U)p}*B{>gX7TTUV{x5rFgQi?!&qhUQYeHkTfv^%B{Bg_h z=`tz)B4N2UB^v*)UvYfLx|@Fp2fG+o8SWx`#U z_Y%c0U-eX|@23^=n+^+jwY_8(2QievPhi1!IU;Z_>>ADGKi=$-dZ0G(64%b+JN(=w OKu%g&s`jmM$o~N_^NJk+ diff --git a/src/windows/leash/htmlhelp/Images/Options_Menu_Tiny.png b/src/windows/leash/htmlhelp/Images/Options_Menu_Tiny.png deleted file mode 100644 index 2f4ce68d22f8af9686a8cb53e0754ad114c91bc6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 7332 zcmV;V99!dwP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf963ouK~#8N?OX?V zRK?nUx3_F6NdW0xq!&?91mRMpNKwEFO0irO6!D_qMK0J7sS-g#Ec5^YLPvT}fKWnB z0_h1!Aa%35+48@0b~gz{FWd+3|6G%KIGmGnroQvdH}ie(%*u+aPA4iuB?1o+0a>A? zQm7svo|Rb<0a<~?QL3p_Y8hm=!6H5?c@7L9Oho2Pe_T z<#GL^*2$q|f0&7l!0LYSkUO0+xGsUF4D}l|g+u8Dxz-!S2*%-9JKD8ri4xXU#8ar` zxON}{W5ExTf;(~a_D$hDfldt!;8-bO)+*voaLRJB`&2La;6pEWQ?y8m8HOl z_c~1xrjB?EAO2$^7OdNj{aY?U$+#jchxTE}A8q`mOb0(0Je2S>61AM<659yJT6qnBa$pg}lia$?)uc?dsw6S+|v@ydwF zurvPl$UX3}C1d6OtFSu^_;l&pxNuO9_Xc)Beo+DREa&SHqp&;eD#Cv`ij)H@5L+n2 z&EuQ!UdV3bM*o7LgPy~=BH*{s&#-vYC1_Mah-An-yq@KJiW031N&62VY|%`77P^b| zq)YLd2O|c=_DGv>^j9e$F-+7`F@?4@M92em{8MS>MeU zl5lF(I*c6k76?1ES}PnfJ0fS#!-liz2%GvozFKnv*~fmCa5`O}W*=H4T)%mJB!1i; zPdqF*x-1;8kA53hOq?m?9Ol$eiQzwE&d$Re#K4K4en2WU+>cZKj_Jz|FpV9XzMGHr zXX3E?hei0;swk}e>P_rVbx^6eWQ0N`9$c55Ghy9Y)estf2Fd9rsy`cgbZP)=i5+5+ zl;VjANuvd4Mm*f(pK!!2LrmCctj)Aw%J|Q*@w0!T`GoOk)9z_J)A=>D)MsJxtYdho zy&vA1wh_P1>W0x1w<2QmdR*P}6VkK~!AZTYgbq5r7jw_SvZaS`Y~ffGK0gE9ss|zW z(n_pNtcMN(z({JeGc#Yoi6(>5r|Sr`G!$UctgCpZe`A=efKFk?`(H##<&2!T6X#Y< zMRvRQVf|?a4zvDZiZuqw@$um2F@H-E>LkXX-Qd~i+Cqng-yA`o!Ts^#@Sf6CUmlx3 zVKyQ>j4cNkt9u?m+qEk`QyFn!JuywIu|>Nly0@Uib8ufrhp>cW07 z-oVdG4&m^E(eVEu6p5jqFun<|j$4JLvxZ>I>x-bL_TsV{i{tG$`HmA`oF-O2dI_|q z&1+-*-zOj*MVK+?IEJoBW+Aq#J~qC zxskE$s8_$a$eF^)M1D1qo05g8y=r67ayj06T+I#?+1t4OqExU1B}G2@QW{#c4U{JS z+>}hDJIs8#36r5G_Qj>3hgS})PMr`D9NGCAy1zOfM)4;bU1IZPIkjNT%%Tp8AjucY4=CjT%A7G%Mjtu@=*y(`JVclRNAVH!dE09`ya*@xEJq z4Xkhd28}q1yrH9p5o=F7M`!&e?b$Kmm|yT5o_|b9*KY*eFqygZ;4W=|Q2j_vD1E>}TD>GfzTD_7DTU+#~P zS4Lu9LR*A>@G$y*{XKTP-4k;ouHxj{d5CV>8?6w8hik6I_GBfx^=bwS)R^>YRdnq- z1>gMq3TihE!gWV5I1aclccR$tjn2JVQM7b;?8ycgJbNX!59)>$=ZoSXb z6`S{c3RC+J#2a6(!sZ+~E`$!jqNsFq>DCO-j2(cvpN2rCRsQLk>R$1_v%W9j=ksy! z$v%p{{bu8M(8yy6kGcAKt|_r zXaN;EbbExDtMGK6w(KJyA?gf%I)4y9g@s{Y=US-Vz7qo4_d?KGkzXGKI<)Bcw`Nj5 zJ<+)_sy_M@ye&#}>fM%o=$g%B8F?j=^`}rOaW(EDQW6s+>rX>%A*MeeQRZS3y7zsK zTFeG-ZzYBd8ir~?Rp2PGA~h`y5nDD%Qp!ImzkoqSZBSr?o^eZxsChIp6q{Ie9Va<{ zqmsmg{)6z!vh}FX>Iox2j5Hl5{9=>CbuV_p%P2!hF~2YkXJ9BCj7Sx&p>P!Da{##W zR~uxoo1I+yxokF1Ii^AzWEu*G*+#>|br*v}eAhEi2cwI!#X#YoQaPf@qW%R%!VdlO z!oA|{Y0vHT_0eTw?pHDRaAFVSl(y3WwN7B@gwfk&o}1VY8e_SBaN{b>>_QLL?z@0@ z!-mb+v?`2PXxZNugs)qT+(IYxUY`6sWw`oDSn3Y5=bZ~PSz2zH14>E3lFM)RREbz( zS`^~q3O+uf3(7)XUfH*M>joJN6bNf!iCduVE!AHw*1h6=_jYp-8Wbolx?k-77)7mC zCAoq;;r{!U;*wfUsQzl5R@t8a9|UBnH!YQ}^8X*~|FWgZQf_cD;tom`9TH+yep`^! zVPO@k;L7ko5s)iLfZYXe8Ld!z$^S0ivg8{sO{G$*5EFff3*LfKnnrjM$H{Jg(kSO9~4S8%}%kNazZ9oK+T1>O?YEzecnkk zl%-d&j^)cxk#|rsZ3$fwwm(W(ngwYmS_;CcXEj@;Mf=^t?d9AWM^INP35!3D_s8-l zjG>f-OT;^$5#0ls0w(azy_tg+PxOFISUwD*95`rXl+m>JEZlP9>!d{@IUV?{5Z+$~ zhusbbSLPlF%Ev38`R~2|qY99wq5nl(Y?rCXgl5fKKx^=W&gc)LZx#3j1foH`y0Eba zJaI)M5*N}DL6mB?_Q1Y8rtEO|FRv$;A5KJZgBNQJfS%zGpLgv}M zxR_(-d&VzF#NL=BWSl&WLh_7Cdi6c&)XYbu5qap0YGj>@mdX%$tMzJJJ{XSg=X{5_ z8#3s0YFezKJmKe3)4S`Up33K;)|OyL*pCSLexX!%0k7w~OsQfklH;=w6dG3|uJ~IiMw#cCI22?i z!6M^862h8t0Vhu!$El-7k(!hSE7OTIqRn|^E=-QHyo7Zs1mBZhY&G!YT`Dsk*}3g5 zdfVlN<4BjW;QWF@=nV$=7>%f2H3(jM4F!s}wTbsk1^(pH3&A!acK2KOq#I) z3R@wrUx`MBO@mW0N8#(Q#*W1yh%ZpVM?8lv#e$C};c|%}el@Th{RLm|D8dtuKaLD7&<4D>fcWK=g)%xSS^jg%Sos4yL{EEcRvs$LD^IID)-@l_>i> zeCcD1-B~`3+*Nm}9ik3GGTnF!e-8h)l~4l-ts!-ckOvXL!^Mh0C`W44KICh3$hdS4 z7ZS6Pa_%5*S`;v4XW-hE7+g-urci5O&bfwThoj&m8(c(ZX8hIjIIwyN4#p-y$-dS5 zS4Ymt-(U@F09o-(I*(PbGEH>sRU{tSiW?N7s}~d5M;x%n4uhTq9A3Ey2hXQMivmO) zj7ABCt$Z8q_FSf^#8<)FuyAjK7J&iY@b~e8x6zwwvTTGw!OEXsg}^aU$UZoY{v9t? zLJO7N0B^D^lc#)(&W-Z$>Fne9{+pT5r0>L_DWS;N`6YHGD(Gb=WV%Pt-a8HnbZeYf z*2FUbJ~+XSx$YZ)koQMo(~f*3to;xnCXpL#C<#{}^AEX3mVwNL)9eTpa}e=EjnE3!Y3VG$A#GxP)d9_zPk4 z#1k`~mrpSK{Y}^qaTMuCmLZ4n_U}21`bpvtz%s!Gj^h>SVfEuL2lsY3~_e8=OP#qb^*WlRY z1VnDw1^?h+1W>LiNp&;Y(pMdU|EJ#lL58FU%-3Fdw=7RMq_pwo+O z(CQ&yQa!G%F%KJavE{UbPCkyn%j>bG_-Q;@I~NykXc4loKc>&#jw^@ar95VRK8j_C zPP9Xz^M@njJgV2Pi_<$|rSBo%{2k-}xd89JI|6Z6E^>NxpoHGmMyP~)S+>&mtZ}z0oSSBME%Ms+&iAdeg~H{@t>IHf~)vbVUbJ~7hmd0+X#oK zYio>%1Y}iz0+CdU$F_Zn^}DX3akGcuQ>Ovc1zy}J_AR-ejgk6 zC1Th&pJ8^le%NiUfhsgmiwmvjKYbA{%y}Nq^?nYAG%capIu99v?NHUrj>V*3>NRVC zep5b?^4K1AU0Tpv$?>&(x)a7sT#Wq-{(&A}ej$C|d^8gs>+134FMH9cRUH`XG=k2q zK&|=#Fx0FE75Rty&FfImSpO0&>NN_0v0*sS$4C#Jt zP(x)zo5mI_n6(BSpX&^@H^0+>tl6{y4sPEkl_Lbpt4cMfxYW^C35MM6k9LjC2wAz0 z@9Sg8ke-NGxdm-{_e0|T2wb?9jk?Vm;>fNe$i5PVOdYkBq+vZWbN9RKY9@!U+rqef zJ_dz1uS<(Jk9HCbypfZG?)`^LWU~l5y`EHn2{NS?S~=}Mns35-bCAwaaH^nj1aqO8 zqd*N`y7F^L1Ne|W$SW|xo2>WC!(M=wnrfc{TWqq>ax-CBcsTNNxiFQLkoXiNvxC#A zoPtmSvrQpAi;9}^O)g813seJl_6cLAn3Rf+Q=o`o%D0e~(7-_kz>`koQ7lv>r$4=y ziUx^=X|;SuP3JDdK?8!@f@l#sQ6ja4wI?^?YM1NTR7lRqlLy;p@X^6SRzUB~21{k% znWmT?8&5l2b#Mi-*v?G72AheKP&v1P&{Rc*`DoPYDQXm#^(S!R;tMhwA9i77b7X3` zKb1kOe zcN_B+Whh9`S;^dKNpA`3(?P)%=}R0kX`hx^$bcjf$3DkoK z-rj;nzBS}iSSnf&mYX#1-xh>mc?9Z@Fi}t-gkap0H|4(wt}G!#tnn*DB?1o)0a<*y zYx=7Ul?Xg21Z44PWkMya5aFx3n>rTTASy#80{4P|EY7W|glQXh@eB%cGbKww3T_8o zc6Jt?=`)n;sxrZnixW4(X?I&G(mH{(!2Qhgo-{OjB+IkB>J;CU(&-*2X$s~mOk;PM zzgO1n?^QI5g&8a@JnsdSe-r0FY2yPZ_J1Y|VZ6Fr{(QQblZD4RJW9VrFoJ@rBDiXG z)T&hzwH^wVTnwJL!bz8xnhYB$8KKw2Q7+MG!Xz%v$%KuTlz1;_1*Q9&aPf;1AVM38 z{q4dpqZZ%!UZkB!bdmU5*qnj}DXXvC zU9Rg}DSnmDrC5}D)FrJ%fU|OLNc^1O&;0y+q=HH`pmlZa$A6A{q=00ydt{gvvhf*K|qj*cMSPX4Xk;&NWFF* zmr}B!rEA=tmw}iB`n1ehD733cdt}2w)B8qVKCHQ^tZy`&MlH5Y8jTZXt;AFQJMVHu z{9bnM&pqD>zm%7bG>yME0(`wlR|uNMHED=*VUTloLh5e_d}9}G?)V!1zM1%F@Yb+LhI0)MgMPSN|?eLdpWBD&rG4tC! z^b0v~Ju@2@HY`RO(|<7PIb2~!%jg2G*5*m{c(gqRzug}x>t-W`_3(W6395m!Yv$un zA~*3Ln1QLY7UI)s3nhw8`+aOBIEFq2;O z$wOa6k-rkNC%k}ZZ@-4<1EKhKR{=In?t%>o3Viz{!5+=vvVLmd8G>-ZCnGB~vQqR3dh zGqf4@g#Ctwy#`|VfIeu{q$%_3K<_slh7_#4^b1%Tx)S|gdJOxPig<(Z>fon%q{|

V>yIdKb-lkAr&8B*;5WM)BJ5Xw-f@eqFtZ_3eUlXQHL)Ss>!U zuJV2>7Ppvsg5dP?^(IFo&b+wNo@nLu+WHP>L-5ue&PI%gz#Hlz5OwX{r&;&0M$O=;$c1K@Abw49JttzH{ zvYbS26)yg3;>m_l=sfmY7!5k<=$OXH_~Oh11>Ez!$A^pQ$!?6$nPbrB)#-SC%DXtd zJQQ&})Y$a#YWNpV#AtQGTdYK@Zo~1zj}Zu+@Cmw2eou;*km2N%>CJ-~v@3K5$V!6I zy{8ImmPJEDEv>q?0{*>ULDBgYXwvsd$np}U`qrr84W)rs8H@5ivw;3@Ra6$2=5l_D zeNbmk9)`khaxFRCY`V0WEF}rO2EATN)9AS)!DK3;=Fo9V1YP|)3Z7V#F{O#~pI&Z9 z0Z(lhdALFRC_#RKnHo>yqCbkb#^UxA8>b~{$3nR@7MX(Ii=g!4sWwiz1x11u5nF8x z(tA0#LSC zD&jfmkuIOF+Gvm#@`d?D(EAu*W0?xJ)h^nqF_hNVBDI6(3oAW*ca_spq4Efp5UAUO z;FCPO-+xQmA5=MN?vv4w$MS>%3QT4Aa}l^jsQ%odDs!(W2;AvDuP80AZ0DbbK&4QX zgZ3`RX#X_e|H>J2`YWjL%T00ULB?&u#XJMA*XyL+k+%oeb`&0?r{Pj2e3E0KT-5S^ zS6o;n`>R4KvrfV5$$m)Ky^hW;B{a>Sfo~l5>C37i_gXq$eX}<< zE{R0bPEVsju$T0EUllR9nAi$_+3COHxec*H8I}_MGL71a;Mxykz|ig}xR8Q6b*rIm ztD1BOi*s?=JRVgWgJ0^3j1#fkQmx11oge3+3pG;mG(002z^%}nCdCh(R8U+iyikdA zcaL^`9Q#(SM#LumzNL3P)a3!8+_Xzr60#Aso@l`nDZrjXm+2T4d%3G1*pP&!i?*Ql zlRP%Yp92uvzb*VdBALvLf;`yBOtq!nqM(jllKi(WrBM};Qs(z>Eo3;7DclF0000< KMNUMnLSTYlj~@R3 diff --git a/src/windows/leash/htmlhelp/Images/Ticket_Options.PNG b/src/windows/leash/htmlhelp/Images/Ticket_Options.PNG deleted file mode 100644 index e26fc1e4598a4a9c96d3d84a0b53b623f63b7cfb..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 6267 zcmZXZ2{e>%`^T->$u1NLmEA8fA}WNRwX$c+gt9Z)%`oEEZL zqqn1-TeF^_?Ku;uaV@mGaFqSdjx`2_z31z{pUcg@=aN3LA9gc(5 z3ln9pI+EoyLwZEmY>f{9F^%UL#93MU7^K+f8KmhMexcI5SA(%D1qJrMMnThW6{YQX ze23PTopUPNPdo-Vr?he-*d@(W&T_M|#50b8B+ptRSgch9O%oV9>2bF<=hqa{uB$(1pz;`Sx>{mtO<76$=t=j4Kg0Hx!A`acCcB5D-Ey! zsORll1rUcr=hgML>MQqRE9*|d5>)WU?TOR&q)S;xt41z-4?CpAUMj4=Th->RwJ?lrFi#(BUeGEobSn-gh9cm`JFUCPpca-J>r;4!C3C^l8Em5|+^!=XTQ zA};IXwgd}94oMydv!rNfYmzxaPW_?lP46#mwy;=7rA(X{M1Avffw%w0i)WB6@B?Ke zDciH@*Zf|We}}J5R_MFsxY}0X_op~_)H8S1#7gHl{HZoC8*+$y$<#^{bO@B zAzt^?k!$NPS_a?0ZM{x?cKqs{%TgEyJD7dtK>ksZr&<4_`!a;3Ei?S={3h#{=wDoO zhJj8LtU4+X??J!b*rtp=G(aunY{-4RouSvL{SEJgg|uR9JD@eHqJ?#X2q}V>FH=Ln zwIyBk@q-l=$%{H#ffBrV>L*HeHNP2ur$*t3 zmioJP+iy-JTqs7b@Y^LWY08BSk16u-;*Vsl*Gc$*Ys;z&1okzrJRRM(T*rsvwO_=; ze4=zDDvy;X-(1Hg#l35Q#R*L?IrDNCo$ec@*R6@T)Sd}xi~rPmhBJ~c*nK)l*=1CE zXbUwSdBW#-uB~D{cl}p19jyIW08(|J2MGAWqr}ZAFkjHD-WDdpB9-2jprpX6rgPDs zKk8?_AW_O3q;oD^O=(z^-x+)1tAj}ner)UO;BbRZTa-v*nfTxR#`_?hG7*9G@W^(N z=$has1Yf3?59VU0)6pkG1&paP!e=Vb^FOR*;QajjDw>*Q4i^3{`ay;7K5wkD{D_ep zA==C!O{QQLTq{krZA0stH*?gRYNjhvrpj>R`j*76!YM)&ON@Nc^%s|58prmkPYU&8 zcBtP5HSo&lCIjuz3@+WA?u!{cI^)KVVJdw!m>?u6UA88e{cV@O98HV?W?<^rG zi(9=7gXx(U8^F}XgW*86Ufh!D_Sc*bt?J=NFidOA~0>(r)_GVJVSnasmpLbRjTOCyy2f7sy$kIgZ1!7nKRHS=2!07@d z=vkvRX?ADLGxC>Kr&fI8{^3oB=RFjklgGWkfF{Gycc;j%${Uif7MVNq4IGEl_)KKX0-F* zP$m6{bHAx+2)$Hv?_gm_qXS{0E+6Q$NATP{=o`(N!F$I+zV~$YU)8G52whga&0Fy{ z*bIL=*+r~NzS^aLCv#Oi{KOr1_1kri!h=}mgu+ULJty_dsHQ#b!&vgs>6wOeSrU|X z{0r1OoZNrnmu>*a;x~Ur~pv z&G;}ml8t*g4V)f0dzjeydkJ_B;zd!Z zT)`oq{UfiGU@4ZXRxV*O4;t1{kIF0&w}$LGDnXIAZ#E&W0a?G z<3OL@n6NCi(d$7SiPCA4z`l>EyD)V&~_ zSxN_z-${hhWKc+%vOACkn&R1aLF-Pa0A80MSZ8kuc#}woJ18byG@XBEb#Hw#YFMO~ zoERRq?XC^<_N$Cju2h4F7J!^lM}8&Yi$lZCc~VCMtGq6LQIPMCI)_)E_Shy=zl**> zd>N75Q%VFYiL~x>&b;0qS6g=p9}X)#zii?rpZgey3(CA;IPBs#oTj+_Bz4=rB4DFC zdN^UDeIeeno$a#o447}Gn>qBMVl>Zs?Ip0W52CyKxCVd2)UIP2YYZRV%3 z(11Va@VS6dswxQjf&)o2EiZF3jSpA-LlMyVLtizye}> z|M>cBE26D_^W^ww*j9MtA1B@K-*;s#>8zdn2AyA71O_~Oi$0{?5u?Y3#ANKqR12Ec zsFp1W!~RV$D(RiS)eC8tj72Fc!1gDr4+l3ALv6~F&J$mrP(fOcKxJfuwI;ly?hXYA z_}$S1+n&c-S9uB6*EJV4qYoU@*{6-V5)Zp_i%b9R+7-IC%FwyFtQrL2m4M^teH&>jw-eoq}Ke2O?Vd1Gc~Ne{ad3(GGJ|kj-w7_WjKO2Nefbz|y7F z>Zrwm^|xN+zNnffculYxva=~vcH+1Wp90bPQWvcWGLwgVZ{)VCFSe z?fu)riIO#aZZ*`+6T$DYE{vU$X5V2Gq{`;SK)KTt4t)pl-a>h|N5Osz7a(;WuM8bH z`_d#IJ;g~Qt)kdwCJkztH=K)uiF-9*!ckw>Z9FfhnKnbi3)ih2yArph;=`Tg2P&}M zqg8$IakJ|#_JP-T`j+z9XFm_Lne!|~9v*=Ue}N*_SN1Nhk)B*bI@EIXyd{iGY>HDl zflGSlHM*es8EUgTo;~lu73@F@!dIeD%I(aQ)qC6uZFeXJl%ScJ>k4@<&*?IiUzsOI zZ0_QSQF~y(<;Ltj{_o|lUDO7@OjgqqG}f*1DNGuRBt_YhcbhlZXQt2ZypbRUZjbLh zDY(ast)l0~lOM^1O$qHj2!7ma50Yv-*L-mLBQYb6T0$v35!_5kO*yH=!+;ymhT+PL zX@2il{9Oeqt|y~poR06Qhq;4zwV9Yn!kg@7dqypu$hN-eo-2;R-&hi?%Rk-72;A!7 z#rR-euV0(9(BT$6b$uevlYcjM*`{2&!qKYmW~2uPZIV_;zP~DM67PoSO%mJ9 zPk}}c-XIQ|bXyCYPvoTJ#*@#b=JO*6B2bsxX$AF+`JI6%*Dm*>S;akAz|J@b%`Obbt&4oLrykO^QJa^dR>U=(~5k z)D=?BPMHX*)EDVJ`jo14HRA+UiE(H3yazQ)2YLhLb_8_c47+Zx>)W)26-OGwKlWN? zqgT?fv?$+k;&8gPg1eSttdfjwg2~x!^Yz;{W}&w3;=v(SE_T&h+eclgApudW4xR9; zqG_3&4plYcoCs+!Qf%N7eR41EQmp?^O~tIfaAYB-NN!S1cjk45^41$PJZ4Vcr@GbO z=y|btDuIaU?JdMCW$Z5rWHzX9k6(V%?mdU(om5B3hG&1{P4rfzWkfFxq#cFQo|wsY zMsJvM$xr?0fcHmkxZO>7xX+~#&#BMbn?k?xZDUiEe-x9248PoZB5`xm@a_0#`MzhT zhgfQ*oX%nUn|`;{sOM&vv0n>e(a#X;LAk(>ayR%Z-&Eo=K$|@sU~+!7gtEf+)|L?r zIxQEJ&ufU9{SqRV^OW)|VE@VI1xFP?;vg;hj8AV!mIv*!BQe~Q)@~8q6pQT$V-cMpFh7Q=sNl83kC76h>4$% zomt5=C*&k@VJ33o(sDXtvCzzM2Jv!>LP$yZ_~&zbT8*T-M?_B}PJe@NgKlZ}zJX4zt_qCr}~Ef5`Z2s_Wm|EV_Q_?tuj;Rt$OyGHa^ zW}832!Ox=aN@7A7zdnnY=fr#53u~7u_aOQr!W4)94nghf)frWZ|@3~ z9`^8>(pG--4B-|WJ+j|Xa(&xCWhXmPEs@DSS*0OGl60AL`48Y+sp7E|UwggVUvOE= zLT`I78vT&e9s`vhkAYa*aQKX5?6Aqw&1RH*mInfx2p#T_?18 z*-ZCre@mdueq+a}tLq{?N^vdcCQFjx`(u*dfleyvTSI*ZOibg0A(M_)Qze(P9+}cr z{jqRI(;D{f+#HLoa{RcEa#A>A=r0A&-q2%Jq?clM26C()Lwm@zo6&3)oGwYTC-kV$ zQ+lUaGN1ndeOR>-pxiQrItL*)`>qJ{L_{93 zvn!lBN%LL0q*SCbTps-s)4h0&&jB)+{9fp8`|n}Rx%|i12Mi!FQ3ed>*eiLj%X24f zVrVlGkg-ZpW{t`alNgFyG6+#MbhkL4m;bnHV2SH;b-N>VKwzRjPH!`>A@p-29Ws-#c)X&U}Jx#u4UGdtosbQ=SZmsLJIRlaBRl75oF!A6`gzrbn zHyX01$n~7HerujSnrd-DBUz=@v2&*w8Crr42`+^8>wVblD)f)F&GE6pHLVT|&68i2 z{%x0(m{clL1@}_3e!Cy;dmCzIRd`LNY7fY&xLL3gK1EJJw_Oo4-wJC~5_rQ9N!4db zH=BWSnH?<{n&`w9DoitI?HAl@A2$$O{rdH*8WVO#u5|7%1p9cCuLZBUv!>jzl2jGX z&+UQVs(Nr%534Gh9(W4B?H5x4?^I<(F{IH*u2`CM(^m8O)vEKQHx@b*(hjn`1=Q8o z;&e46x`my19=Qea^aCJ1qAIoo|j_ zFgQgb-pZ%Xu-nFcu+onG5a6mFAZhK|50SWiz3;msbl`C8hu7wFGbsQ&3*j%876z>x z{;UaiJ$9OEs7;{hjV*CRF-EJV%(K7bHNb;M*ueEqqg6GbHv(@l)tjUL7F3Odv)Xgm zrxAN-xr5iP%=wSt_;;^PrF_XjwwD<|B@!UXAkQE_MoU3|#7i<7%Vt+5jQX>&O}WK+w2zyjxT%nPMs%mQpMht1{xSUyHd%m zHsYj^OaUayaXP$O7-rv_k}Qm;V_y}>vVQCOycY_(l3RWy*Ff|B+QHzj@+%e6zk5$v zzd({ZPbrNIEsA0$!{YAwt2u7sXQA0?CK;BEQcFkTHcfx;9E9KSi&eyMo!j-a7BmFn zzPF(n3tI6|k3Pge>pP5~+C zRJ6H?>ppnh=H=b)ESwRr?tlzBXI&!mv0_v7VbSxqsWvywRXTIPf$zhl7Cwec6vUYK zBx&bKA%lvpgcO~H3PRr{($vzu{qnBq15}Wi%_}SV-fWL=my%7P*FiPPm4qJA1tUkba} ztQrh0i)ih~4<)*9e4Xu^k6}gnJkRIKlBu#A@V%pI#(O`Q;q%6jowXM7 zhj@Sf*%e~yhJYRUm|ucdAiq>uRKU>AfFnu&@q<6#G7l)qAZCjkPLoG;j=6nye!@El z-%?Yq+tl<(ZjH$3*B@#9Fft|;d5*xlqga@yTK{{p9xTiO%o*xOOiiZUSjbF9SXFI_ zEcSpoU+w+AjivTDZ8z4|-|zUF`7ez8Sz4rxOv&*bun>TS0W1RG0RRsIcpQL-06Yxf5r6;y1P~zL00IOM zV1R%CBmf|R00{?>Ab zkw6>?ha*8a5{x4uI0V2UAP&Ld5D16BIOHFKf5bruz(D{60q{Q}5C(uSAcVm|7zo0^ z5C(y;0E7i0EDpj#5Eh282!sb9JP6@&5FUc?FoZ`S0ss*}h=79#5JZ3>0s@f$hy+3; z97KX35)6?L2mv4jgb*BrKo9~$$Upl3#0Fsi2Llic!2iU6F#wDKVGIt&KrjY|F$jzW zU@Qn@aWEEwu`rB9U_1chK^TvN@equMVLSp80GI&61RP9&U;+#i5SRqOBoHRyU=jqA zV3>r!2mm7>jNo7df)N--kpCIspBn#={HyC<@Shbh0D=J#3=Y9S2nI$l2!aI=EQnxn z2o^%HFoH!8Jb>Uq1dl`T5Q2vhJc1Aaga9H0972E)0*nw4gajZY5Fz0Z5`>Uog!I2; z|BUue?SIJs_5FX7|9{{An^3>W&jG+6K=OZE|GN_aH3A%ImT|a#lMNte5R~+E6X*%1 zy`*I@6)V^q!6;&rkxI<#j}*8bv9D8`uNxz#NT9zfD>9UT(eA$AB$+1rW;9vq&F!bf zMp>$_4qYWQkSPlfM%0oTtjoXg;^z zt^2MTNX6KVRl4(}zUk@DF_JUK)44YP-(+8Tnxq$c{FoVyV9%PR_pub(3bUTIHbY4w zbnga@vqv*d6E*W6gZrHsSzdwch9^a9-X+)h?H-(XxRC0!Cso@eF{~li5woyD44kkRK_xp(7ZB>2FwyQl|aA z6sZ>DDHQMeyUFgYmMYDXyL&Tbx@8qKnef2= zv$t|63gFCqymo2L(o6ZS;=N+}K+A-Z4BF}0(mXGO;8e00_dTIBqd#rKuYAVRDXRGy zWey=tRePhX>*L8fp@A>*hx>_FQMl|lOFq3!j>Xjq^pJTg{kzXk)GK5cE%gn=W?o)> zA~PA-z5Q;3WzY59a?HK$hBec&?fOld)5?yof%ksaA7!O)zx%lVW4mdV(x9q|{88l3 zt{?ACpY}|S@Km<5@X)*Uoyqc6^`D<~e$v6Y=Ug-JN7Z*+Rr-VE9xONMvNx>sy?k#( z3{WoI^idG!OCQ~dVg{Moy?09MuGnP4G*&w0-y z*TX3@R;l01iFcm-UP+D2+*5nnb)OMtL-oe53B?)3uV2bljoZj&lxz7>*yG=_Svua) zvQ_b#uXVd_?_ulD#`D>&>p749ddF5m-Nn~TaXH!%A5_D|WQC&s*sAf-bbS$d<{C-&tNai-SQzrvDGcyUEscUm>EY1?xn-HIt%QC@fRCTs6N5c);4zKw=Zto&v= z%~d5`>kg(TeFa~nO%BO-QkDZ=TkQ$b7kKuH%hTT4}ter89uS=;|Nmz zX#(HsZP;7naOzyYf<&+7s73kZSpRowOb##!ARMLyk<^zv-&J=_g0D`|lhW}Hwy4c5?`tjTv`MeZ2 z0Q$5Ph6uTw%Sj^Y_@?ea72>^*79p~qpBdV*>|byfT0OCGcxPvBUC3cRtCYZPRBFQ% zS8qOh3uK>2pV$lkyE#mobJFO7lXv|(^ueNL?dIcJLw*W2UYV+o>Y+f~^NaiQ8VA-= zo`;kQ2W^j$`IfN<1N#?GrON?z_lW>i4=!oHPJP7^WkR9rc9A;Ur(cUd=d&~-aDz^J>cbV5PRmKMdFqoXF#vzV_-(fw zkQ+v+M*KB%TBC6BWK^B^#n2ZC>7&L33cTIcm|7OCMp(XXx?CtB?bDncOQrLGNC%Qe5^e!c^G_Z;#nLQ5i%qVAu|5NwLK4-MU;IhX35`o1-G^D;h%ku7MdCpx&_Y;W+rEWZWg=7mohCXdeGGkn$@{LCtHe z=W1B}(d7|a%F)rPsDyj>rLMjlat?Opo%p!cbfussG(-y}@L*k+j-%C6E#pulu5syD1yBXprQ^he}a;1$abo6GeNhbTKvE0hbK)Q!_{&~|*3Hc|jWrP^?!$MT zNAqX;zK2IQ3zXs))1FV0$%$vLdFsWss!s^K+x$^`nEO`lL^Hc>&LMm+mkda3de2)S zX_`PhVE&Zf;Iupnk-_FZSgnL&SiZek}xqA z(D#^1`h(WUynBT4KJ+^ zCXNkvT=J6lG{yDOj?clqw}p$ZM5SiSE^fnI-L$d6X== z>-oxer6adFw~v1eFXFX&HMn1@%CMPL_L@@3xFIV}6j+yM+OIrom?haBBycboCEaJa z$kF_P`Cwj~BF;$Z9rM%AimNr|QYhcARA{C+UvP(6#)L&y$qyV*a=l~!VwJ_2QiWMe z##RWGNHV=ER0=G z*-$|&=QRGism31=ynjB_Y%MqvaS#o%2o+xlxiWQKhWd?ZQ5_))4)8gcC=ACI^=AaYg1; z9p;`jrb`3i6=T;6n_`;pyzb)+VUCMTq>kQiiYzXP`t|*F?(G<^(BK~yEDh8#o@+6$ z%-_yCM12;ElH&}#`29uuak$@NApQ4>JZxLP-^C2Qd2n7WXMcOj3@J3M(el% zPYH(KA`JsE+a*3);_)a{?Ac^EU3hf+t5|HwQ#vTr)=R?RmA68mHOVv7CpAPOHTbeP z>$O4VE>H3QroFpA#4+EE2bJSZ99bA~LT0}c$cRkEi?5$M_;~0hNUz6{#|!Q-Lvw+w zjfv5Z;(6Y#r>yOy+B669hzGsfjrrJ=tQ*cBI~@r$L-ItQR7b%$aqjqV{=OZ)=K%s6 z0nyMi2!e#mn)xrTrU~6mqd6DIuawxRjEC?VkL74mtvpN_*koLr7~T=0!4CiuvjIafE095M0N*U(x?p-lZ1bVwcTJs9WM%)G2-J#ZW>(wNAH%AW9wB7M78h=0H|(|<N>P$w#=F0;QFNF&he1A(I;4d&&mJAjyo`|?Cgs|(XDO!io zG6#DqNI1rx_fp8|*~N={&{itkJIJ}+(f24;{+`?_Ui8BSMrpU<;3pj(FIFnG! zyBaxe^}0h&$8q%8>{Kco@3uV}#6s@>-r&FJE{3@z_szfX1f)OXb}j{&s0KU9imRz7i{70I(DSkZ2_aQ7r}yzZX6~bW zGWVYG^3?S8J)h93VdN~wCR0)Yx7ztkQEYobK)@O;1-xiRLj0PE|S=^Q{%q?*mj%Bs8e3^{E!|l%$r? zzGu8)t;fN=7i#Dp@Yu;T(o7W(rXb5sQt&*Mgj*HB9S1 zS9+BfP|Y;liv!w`AY_bT_|g%|54q7Hn@9h z#r)sf*{8Ox976l9IW9P-$wl+-L6mmX17JERjzI2Wix~ z0S65mVJ+PLC#p67nOt&}UDF1L^Jw+j$+N29Dq>y>+20?>j}JW^?VO0;j1;xobZ zfzji-bQv_4iSS!U$Zdy1Y;59PUS-2H%Cj_mZX<-i!r!R(R8&^D%00r-lA})zCBM`D z;~c^AQeZHrBwrb8Q7&r-Vl99+Z6@m;%a0?xQW94fBP#DSrF)CT5ct`ZB`jz;%=FMV zteGCnNMuuwZK(A)yARL6P+Qz2-KFW30FnFfSaYfPvU|^FEB(n1VcU8%`<#HC-)L0D z6yZT!krUs^&ZY149M}Cgs>i0X;wBvP_%l$GtZNdz>JJTM2}l&r{chHJnY0CGfg@|d zV1vo`s1}_??ZVq)qKrN*Yt3>nKm&Pi{cz+G^$MZEAEbJiQD?>*FJgi zh-Z3>JwI=O$)7|;HlH&*dxIFJdHIXN83vIFnCRjcZC`HT;NAR7{Cag*Gp<;DXjRZ+ zwy&Eb;TjY3?yOf9+CA=@ssGo+vxV(kk!RbYPGs|{{$dRN-_0)b)|kw1ZlRv&d_TB` z9?JYye>VHuU4(BQm&~>o3eHy5b_x^PH(x7@1zO~xm3rJj7DJK?Y8kpf2wWWPU-+hmUAlg4JzvxfDDzJ=J@s|i9z!CKGBqbs4L%rCz~2l^S}H_K(5QTTKn_4Qsa&EmhBEh zoPsYrtG{+Re9R*{4@g^Hi)5wqC-;(G=nJ9zA@#*#XQ9WQ%;eeZv1xAqTe75UycWAF zT^XWgv=c~umF;K@gVg1o`u`GS?WN>bbn2@3(gK+BX?)yR((;sO=@f?VtX#O6!j_E< z7kV+RQh)wajC|Vjue42K(=kb6GWka7j}$Enj%sc60)=kfzO=S$+t(LLb6F*fXx;zj z@`GAmv1vPE$BF+UdD{`XFO=i4y18WH@>(EKZi^wp+p1glR8F2P6-^}*kWikL@j-B+ z!|t}anh-ev#6~!LdJ>TwMGH_lm~}LSD}1BX{TQHgG@>vvt;FM%m)Q2J#48p{GK;Y= zv+v7Fq9Wj;-R*B?Y3uuJev&&T7ox8D;A^QR3yGcR)Ye)FQmba8C5>6bT%1d;B??c6 zHs*vO0eU5VqhjkNeodB?WvO{ImlL*4lWp7t1E) z&FbMy-BosaYlZpjg0N66ODkhxdRriiT8Nvs%V0o3ltE`t#L2MSf%%@8=pg*Y(LjnL ztyF{bazhp+Cf_AqB6sc{F5cmg=*l%0#!PHPqfFy4AweeF{hW#c{mpC&;HNk)sJ1%v@W`$-NvQ|!blsL_|0|} zJ6YW`U)ty!;zzRB_wBUa!ym8HP;_O2N zV4^86uQ>G~b^uEk3bNNM2?U;4brj) zzxA5B4zx}fdNp_TvuQw!gj*Di<4RECD`>0V)K1xZEidKA@$t)6*Hqa`f^Kam;=Qv@9%1#=T(tOyppQ_vPTOJZsGPmNw!3am zYDzc6D-9m`#NOc>EBO7p_b$`ILQqzH4>hyC|5K2)2UlG7x1bbDLHD4`=sc9c?0%yX zgwJJq@Gvi|i;9=ha-OH=mfz98%SD`KZ0zM6&(VEKFBgk72-djkr~AYii5i_T?=Cy^ zbg}Z%zio8pz;wSR^u{hT|NhKHj{RQ}FC%DlM=TYJq}2z6xg=(@i$t=&G54Yy6BhWj z$G9*Hq83xE{0p9%+Rc4TPsnvY1sZ{z9JkSKG%pHgfuh!c3SomrTXr6J-tm=@{MBIrSFBWy)|U^F)J6TXt^H}3hldpFe1`E>l}~L5+(Dz z#4{)2Id%Po^<~Pf4MyvUl`Fqg9G@{?n^QTvz6TS1yUfM%THH+-2JcnZ*>zgSdyg1l9?_F%qaJmsAqEX!{Bj+;8;^eaS zo986+5PQ()w6m5{{hl}8<@|k8`9+~Gv&7n06)P(zoV_dw%yn^$YT_u4J#B#5-Rtn$ zsFIY6&SB^HBfF2*_paL%PhBuVaR$yyQVo=ikk!XIyK?^J{L?Z;wihkADsfvIJ>aSE zvM6(oo?DwtEoiK&cCC%G$4+pteON}n&>;EIfNpH`Z+5~jlL}YXG{qzagLHG1hkLOe z8dU>^qLR5bPEyk%uh7P6@AMu?gl3?W8sU&K$j(1vGxbP?KDu@|6;BzJLo~IBXj~ku z*4Z;wTorj{7?7|_X?o3}(CJl^=3eq{skEqJbxmzx8D9PK2gKIqc9O6N%+FsxXAra~ z-GhH4>)UhVsl*QcP4d=LJV`#xxHhEGTjuY5iMFPqvHsVYqr%g+9aF->3a|GDt_t~> zec)A4Espt$ZSK{dY`&ax&$c#ykQNhe(R<0w3YI<;`Ci^JK_IV*cyFFMjUP!-Yx$hi zzw6AEzETx+C(G0fP0zhI)vuuzw^R4$0q(Zu)vW8yH3c$0ciplQN3UO`?Gl%hrefvb zj-HZkWGTAwE?SqS>ozKCS$AcEZnzwY5Jg8(lh6jc9-!7finzuW%C^l&>U$U62!v&Bf zUpr8aHTYFGJ;|M1_{=vMKcPy$HeiVoyLFRWU5!z`ocAKTgff{~=?AK~qUwYCtCdy_ zbJO2qW@iofA32QZ)E~Mw9=S(58Lw-^M@0`2T<(4Q!}5tnFuQi0A@4-?s&3cxuM`n( zN-;6(tazU@QE1dZJJC9Knf*akrd0N^1>?W3we~NmuC_rc*7Up%PuhuPH0)?Wy*yi+T)OUoY@q{l|s;u3MgP2vHc2~dhNnZUT zX-n62eUPn0P&Oq!dLln`RR5X{Q@eu$715_&T2}0oOTemCnfWHV^&B*PHComt8oDZ@ zx{i{~EsghNn2=SGW3Bp+hAA*XcEcxY$z3$(9=oyW``J3qgJ#Lhrfwn0>k8pni*y3M zElF**u?pv_GITl7&qaEaJEgveW5m-BbJHaS!}redhS%iNIakD3#?3m`SgX_A*HiP< zE9p((i+AeX{hfmK?mCFq40A90>?8BOvs_qM6&SjVV8}{^Cdx{jJ1GmAILj0k+{=Eu z6}2p}fVGuJ({)W;HT&U0?jUmot#p`~RC78jg)Yc^Ur2VhhYpocN96iIEyi-M=zDHa ztBj_%dY)pw=(&VW39m*s1GV!sA6V|k2PH`A@^c!^I4SJ{ zd6F|~S`~-x5g@$oFyVrd6~8h*%HwMT-v8*g{ReA^W$OO)m$M> zjLDl>pQl(-<+`C+jSM+;Kb`cnjKPdis;rFY>qP3T0^I;6p`S!uh+GKT*G-WOlaTqC z`6uBgaWLf~Z@#2n_wTHdKdb?3G+E}F>5^gF?z6ht^!g>{`XA!-W*x$t6Ng#~hFW_W zS|{||mi0Sk_1pjG-`X8&=7l@qq2!XG_i_gB@59{%`T_UgUSEUW7jRFae#>$vJOK|c z!z26fCvw9J_cKO?4M%u~iLk+h%J8tp@YsvtN#Ehm^uwPM4X5gdCngN+@sx9R5d%}h zbIXRk6NcVvhDD>p5+C}BOPa&gI}~u zz6PrnlW{YXxp7`GdR#Hs?26yGa>Mx5LNgW8__YQz)vfUxf5+7h#?>h%RFcfpGtF+; zn`>xJXnIU&dzkC6OjiYByJ<$Tm8dxJ5xSW+R!1U`^THm}-*Du_UZL$+R%y Pb}-3;{9pnP09XGH^Qc7Q diff --git a/src/windows/leash/htmlhelp/Images/View_Menu.PNG b/src/windows/leash/htmlhelp/Images/View_Menu.PNG deleted file mode 100644 index c917f27abfe0d2b08a33ecdeb7746f95466f3dff..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4838 zcmVPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf5_?HRK~#8N?OhFY z71g!=CJFfg(GbvDS0Vo~EK%EPQfOHZ2q7j41VgQ?>S_f9v7|K1zFOqvK~;*hzGAh( zL}O4`gom~T`Ab3we^!?%75f%1V49zsfQtHnBxnLf3wis@&%JYRX6|2Zaxa-Z;jG*_ zbIv~deBaq;@0r}$NEg5A?FAo<03#4I1f&aWgh2zJ2WA8W0#eVH>gpFcFZxU?U7B{ya7#05ZZW{B)ET0wWMa1f5eAls@mX zS`R<^GoSl#hk-+YIUG1_11VWLZ(@WMWQ2!PtI+)$<%VeP?p3`db93B!hkBWhR#CS~3MVT22ouqW(4C4rN`90m@{ft2LcpD4zD z;~UVIq=a~+r6l2IDv@M_o{oKmVTg^PGVOWTJT(sJ^=cHwd=I6q0Tp^x3hOV2fWT7a zQT<)CHyBX3aw^W3U|&E~={v{RL0CUwz4R9fqhd6turLWxk;4!j9f|0uVe;o;5#jcx zX0o#Xum=xe64sP2L!!xeW_|ltuc+2P8OHcr4Kf4Cq4I|;;_!bjqw|7Np34aaHm;oJ z;<*c@$PUQ560*eH)b%RQ^=&Lk8rXS;32cpup1`oMFbX{*WTT6Tra}fNj8J&NNUGBg zGg(@_Y!FmzC6h5~csLbh2Q#j#LDBHZvKLeO8=VUoR0?Z!a}e#c`ZwizZCp?K4Ylh7 z$)N))m6wtwDyQMdDQPv~L-3@uFDj%pkhKIwS>Y(ERXMID8Cfq-wA5Fo(ni$ZgV*pb zR@|zM<7QnLtshf8``UrBZdy_5laBiJYP3H4jzgYMc#6J7BQSzIoiMoJ)C@JlSlsbvCF7gnykumUKe)$w@<)|MP$@o=;^u!9BVBZIX>y=etjCPHS&bUKN^9N zni0lCVt7mxqR99nBO_%4RE#iM=LyZET~T*NaXlHS6U%Y`Ppfnz8`bIih<^I>D(u-n z26k^aMvq9tf7HK=f3%7=qJ9$cbCVR=IkWL2c{j7>PvAM6gw@CXg|j`Plw!J!tKfy| zi|*24-hgHuANFgy_8LbCx%VOC#6QU2G^1u4RPNl#^t3Kq_^*EhHL@=5WV)^o=P`WO z(QJJhufs6ISXB4td*KO1*f}gB0^#A|auMOF_FIIhUd5yKm^B4U>i&fzH?P5%5s#uy zj%$qSbitH9p4DPYLA+QH-AY+ELyc?gr$|I z`66s85N)aKf*M+i_H?a$9eRJ6u3Q^Q9#tOOrQWGe-y7ng?i97nF%TRoPK`LcUFCyt z&wG(JL3I#4mRhhP^Ra&y#%nw+t2S((m^uNQUTwha+!T9YCZ5EOZ=5gl`<-6`Pm3q( zGRJwyBSRB<7>%Fxf^NKm239fzj(gzK8uU1)6;`29V z9#~jt@6R8CkHFQ!VcU!UhKbw0kNP^r&_GW?|NYuENc;O+SezVu9EAo0siX9%i4krg zBlPw7p@|XRc&+2l7&M-*V!6Ga2n-a5dUg88XA54=9*>nrCgCY3gR8+W$OuzI!UzXm zN9oh^#-7km-nknizzFz=fb_}vFAc*{ALVd!Mt~9U69MUT7aO6U*l{;TARq{M^#$&L zjKo410Y<1GfKI&jk$m@U+2qpriM)=0Y7k$?22S5Ia&waSVz#+gK4ji_Dlq`K{;tBsqM(8fv zns}>1yh(BS@?~7Paz#$`bRQdGAi3$cEatG^5Dtm}dY{nb{UddFk!{Vj9B*tv<@S24 z{M}BR{;WebM)?@3?*v_~^I{IKiZ$u+RVKlsK2z7Yv15^vl!)5DwBl&PCunUyYd1pk zSA+Iq`RHhj)s^M+?onvHN+figii$QPz1&^%w!OD9T-%BBr8pq=ICv{V(Mf*{1c!6V zL@pWMbP6rbLt_nke6wCpq{y~5CN36l9kHRKs|Sf=N8`5i8|83R@q}&)CgN8|{)tm( zscc<{%KMk%V5l)7<{+kGq?fyE-nREvhEuz{@XXoun5KU#-AqTbx5ITL28=`Ear-0m zo{?tl-s%);oQHruUVUwCI3;)*Gdh-%J4GUH)V0{Y_n7=v{rxk)MKAbv`yMxE&&C5z zz4qdXG0_+&%41qGOHnr!8_Jd{^;GVqo!4>n?Q`%keH*pEmguyO*| zo2qh58?&GDyPCUsO!V}%8^)mf0`T^GAL7Ov;!ywoNt`*?gRwV_!sLu3e0k|h`~2Of zQ*tC+YAbsNl^N+sP!lj6cq|{iTQB0|*#@lo;2Bg%gZ6b~~H7hOZcA_x@*i|du{-*X-6}TgfvU4E`^Q*;JqP&TlbuwMYtDGmoKus5i z{^t7X5im+HrLQxZTMpKcPCulmVbzg~*tSGXSS35>zIu2{U!@TfI1ZJ~LE99UQ-UDn zN7K(7TY*{Q>IND2b@&r)G+Lh;loj8C*JM6QFjY5GPxBip*FA=#U;o+|RK9r>o437( zQ>VM}=W5{vCCttHrW}Sw>9Vc44@c|qWM&NF$HZVt({h}wDpXS2_3lM2C6C!MPh6XT zC;wKDX0b!cVGb?ErFSWxr_Z9rc^qxR8JhG-pkyU?Y}zGI!8&;>XOv7Q0M$=P7m5~4ksrRS zcy>2F`m_r-j2?+;-%XW`&?(!R+n7KjPrXr;|qg6NqLx=L56B0(m$As ztm$-)Mmn#?ZqT{N#Z& z^@UaqN6nu@2*@v8x`b;+L}B{mG)Uryj4?mwR{GT2H`|(aqf!Zhv@^*ehrJcucG$K30$ZWlwx3I33<&vy13C-w<@On zR|8g_P{)zw-GW#57|GLxbn;vk1Agi|F(?oZqBJYiaL_Evn-!?G9S{y(cSkXnDYh<{ zIpMw+D`eg$;HmM;u|P?wW~m~z|K9~Y&GvX>Tjfhm-Fl9#p4%2f15s_H^klIX)a61{HugAS6MwocRa8pqF6No!NV{D zmPLR(VUOWGp=A-_i8BI&jDTeOl#OtZG3VhJ0Vf1F9OVVU2m~1cHo_niz{4{FlI;@? zM|l}A0>MOpJz+4>=dl?9LO^O|Psj^_5eO;*rbf79>&reXmOpQ?&waQ9BVcs|+!~>; z+1A(yt-hRi{{A39_k?C&Sy#mQlx@vwUw`NM(h9NID-Q!OU#}j_c$=xqY!^86i)&CU z(uL`d1Iv&+YdubyZXLBK{(2T(Ym>JE`n(K>4BP74=^Gf;o3(Wn?AlI0zPB>`*%P^s z6%h#YkapAw6Hl4C%w$c;U4Z|tu60UFdZ>B><`q#=CE7?$(|U@1R=%Etr%%6tDQ0c$ z?ObFT)tj|-mF?8dWqfaCxSJba<21GE8t}>!_B&Ho)=bRXyc>t@CS8ktn-^e4mZ-4d zwb|Do;8C%pBU@MMb_4hP=)V8u$ z=7SLkECL>l(3ebI=Bnjj#)BKMPYX#8?8epyXJU%nAqfxd>_!VEk!m@;4QZ=>uQOI- ziH9FAK+}`Qls>s2gYowuLu;O?$e~T)eR=F0tR_9?Arr;#bmNUhA~6jgjKIJl;L!+u z%GBjXPZ5%Ct*Mn;9Il~IG&jf5n(hx3PbfT41KQkr9N|SXad)NY~poNU6@i$l`hoW={1N{BX*spp*{|$;+W(2NI z1Uwp{FPXaBLy&}Nvw*6ftwqx;CG(m6NLR9-L4>Iuaiq*$cOF4ioqF$R+DC-I6mFI( z-d7wa%hzJ-opUjb(<*pGnHvlq0v?Ufr%YWQ^p4M_WW4Xe5lV{o@fB^<4R7ojEH zLq7i-VAX9N`%L-mG4j5uY?42H)dW=RTU}da`02`qdS?4*26as97Aw>r(V?_km2(8FE&pD(J zU?U7EI#?MiBEUvyMb>%FA%y@NVMx)z%2*KrHo_2O-FB!Fb?q*SwZDVXZ4KzcDb!WG zL-`2!7%B*m5lS={E}?`$QbGcn+dp*T#n#@A)NkL4Sb7H}d*NitN5Gtg5@-FuF)8Kt5eIwe=y4sFKk|8rh#;L^VRZF{>= zoVpctVj~Pm*2f_!xg9nwByB&1=47ff(A9S6EnxbCcy!?`WOf{rjWaGb79Cxx5mMiC zqkxunogJ}ANnj%kCECOI)*?i2i4$){W~cCMWN4kY<4%#1L%R*s zR**QSyTr`7Y8+DHgh7hF@kmajbLl*J$5UvL=$t$w^By`FuqOyS+GXUoB3IF~ezOwH)H4x`A}T25;Be_9*YzT&(KHgTV5Dl24x81jm-5r#0uvGEi} zb^s~yX5r&?xMSMwl(%OWN?)On^p&^m4|8J0ePKrzMyvOK;=H-F-F_az)3%&yQVak8 zgq9Eo`i4D*g!5DT6%BM=k> zr1zW8un`6YdLEP!P!Nz_-S!q6A+H8TAczP^4b3015eAU}9-0yOe{o@X)WR{u4gdfE M07*qoM6N<$f~^}h!TPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf5zR?NK~#8N?OO+Q zRaMsh?&~e@B>__C0fbOR0qJETY7|fr3m}X*6j?eH#if9v&bV|Ol~KSl{x-0Lp+(`R zw;%)}C{<*r2?PS9C$HDM`OdxXB`|~kztA;EV$ND8_vYMt?m2t!b9VX8ev&&74x_%* zY7R&)f4vZEwFEhN$>FULqE3HhazY^>6s+x}l2{d>)n1v7U;wD9s+}}Sc5g^lr#ig~ zo7ZoITBCs!p+!6h1OjN&rY%~wN#ApBq@0FfcQzTdo zfb(bdy_#|U^If%C!r3$V2ze?XX^jX|SYaw5jYbWP6o$iJg?6c_T&Q8FbrLMxwSqhs z=c+98t1E&}X7b7D=kDj#@BhC)qBTe`MTQXkxtcLmf)J&0wW`&~J9{1;UkE{d#cVR6 zsH7BXwMKp}krBbu|Damxg@9gyjRUK=Z)3y+SoNZE^18^?z^iyitCC=p@16L4|7q~D zuS6ErjD0Qcg*sKi;dGIv3Yo^Rq=qC(aJrn_scM-?5w0$TRWWU$hmICokoKFTswi+z9;zDVEwZbu>2UX>Ti#tXaC_i;szGZ z8IIv&#v#{ahEQggj(hFy!?MuydL3e|CM3jLWg0a!Az}_<^^2;~7-2SR5o7C)s z#OjS7Am{ioe3iKu#Yg^*zFpHXXySY>hJ$Du*9{{Ew8xZ;)6jCvKBK4Mxv`JngJrK` z;|JNhc?S#shmHCEh~0OSpO1&9IO$D!mD@u|RyI1oqFxr*n^> zNAFZr1#_`yZ*P3{#d7p8szD9I?BV+3iC|&e1mc6tX>W*#Erl|qc`qjKsRaHqOKvYGY z8Vx!G1;t#kqFT)6YT}@#EzJ8C%d@xR%$XvbIGl|_mmkj4#n|#q4h9bEj9DW`;;DC+ z!5wIYUg>5OoYrwsv_f*jHMr;ZBe3;+IaM$xP(5yR{QvHi>qVwfuh-H%a4ca$ghNNo zV=(BI1sZwBV%6ZQxzq6Y^RMGnMHrPOWhg5yMrEZ5gC1^#;e*EGo0Ao&C@qGmVOJC$ z%0j0hz2J8o!Pxsp;bZ9r^h=1v<|Whlo(q-55+0b-6AyL01D_bXqko(Wg%?ZU^_9Tk z3UFH}_Saoefl3cB?t$i5daf~AvhCpd*D<8~P3Zj6lel$kKjh||KwP|VGR1rqo=F$& zip4b;wOI7--_WU37x)8yGFdUiLY9mrk(NGG{(sBnZCIA^0Y3VCF$|Q3!xe_sOdZbG zDNooUVT#8~2Z6eqa)-+qg26%ug7-pz6%J+M*RrTp8eBMk7KgsgLPAn9wMkIcJQD3w zMR_?|ckG6gHtl3v_tu*WaPI7JxE)SBF?}Yw-P8_tFKAlmpfKDrkq|FwHR*uO@6W~y zJ7V!&#xt0c{vhsNw-nvUvl171VJ7YDM~g%o48%luQ^{u*K6CII!>gVA5Zlp2k5NJw;9DMWa=0$)!as)DZPkC=v{tOj_Ba6va(@9uUsJPZS+_M)QdZ z^25j-9H2k~zlbd=Sgdriyj9d@Dp2F2(*D!q%R($Dr-%DquKfQAU}`mazm3UL zh%{c2qSaDqN8y@F=&z!VjjEd3%ogF9YJLKD3lZQD9&>Fh(z#MaooaPDWM{3X=O$bc zITVMQUWk_#Jf(FzG;NV0hZeQ92nWXFapS;uyBHTLu$!Qf&9c4ka&u2uVr(*!Q`?Gk zwp7`P8lvBacdbM7R;eV)Pwz>OqVg)-(lrIkR<6Z>TZbUv7txG{F0NXEg{X<`!X^EM zMQhSS&E4+x36xz8ORNU&O5eXZAT{l3h6Eb!8jrWe;A_~Xld2$^ga@oAZsz4TqVSan zpU$5<15=ouiiWXoRftZ51?3FP8d<~0yYyf8NTzF&3)$unJ~d38oI104K-W_sI*Gm+=D;7iH{*ydKSb1Me+43ip|#$S=#o zbA$hY^J=|p9il*mP^WgnZiOY~Y?E*@-;SqV{z^6#0+N$?z4OKHiD4<{{fSd1|g{2!Z;Xiy7q0%iFH)J@byq1Zbul)f7?j46tEqmjlQHM2i z$6|2WC~V7k5mW#1BX<00INsjw#_O}k;K;!o%$htDGhWC-qt@|QJa;;J-k65{l^Qfi zXatS(2&UbCFUI`w4M=q3#s0FyTIF4)HO3&Zi4TuOcp&go0lOJwARs0t4zWac z4zBzF58pQot9H3?di%?``__BWCuIPRm*it)pF6Pr;6>;ezEqDF9rqesYXCSA_{t!S zo=C;l_IyQEE5g$u~3b z@iRlPKj##8uo3$+Gm+jZqFKjue70&6`V^i;>d;Ym zV)9Hhv#EKU#$6Qw^`qNEL1YLk#+a~se*q@V7CSJE+xxfU!W7#zB0&MWxq?U=_Y&s6 z@(kkD4oE&Hj+}FVS|0~~+<{FWUceVwUt`k1E>OiJp-ay;&OTg^a1-dt369*VrfJ76!f!{G^Vca`JKsUz^n z{A{G9wLwuqF;WNhMZjLblappdJi@fo$>=e-9Aobqf$8skkF+5jQF5V(J-r;$PDDtL zMeonTsbVjM?t_zU0$+^MCzHoTDv*x*?&yFx!YNNYGC;J#K=l~qy$r?iv>-r}BGXM< z?eSG2XUA@E8Np#UqTdJ`9vLwn8T)dH3s<7}R4(@YcuF=$)%=X|^%`8IydvUe!Vxf- zuwvm`=+L1v3_7tv!#tw#(t9H;}K~sZ#6Dr%rA+WKe+Wu!XidX$TYi!&(P)Juw5 zXW+u6R^m4*1!Dax7b*9mvmSQ)m4)z2hnG%WRMcsGsl6PKa?jTYQJ^+gDni8y17BaR zPYy^YFDOFPYIWG1y-CgrlQUrG*zguUIwQj1CpT@W*vtBI-En}{ljZ$@irckQtj_o`5fMO3<)TAs!#}7{c-F7i%VbWk$oq3d~5K4pl=f zzTb2NyFPjrAFe*ma7Tgs>g!MQfI<|iQ`9TNZaPgQfrvs5`8-IxcMddb-e;h;AD+Z% zh&{g*(uQl?j;f09h#^IbT2&r^@hiWm-icRw}F*S27-WWfW zsRl}n8Swdt>@dqrV@25KC883GX@6OSccC z7R_T*0Eo-1^c7$?Qv`O4z9+;vef%IS_+KZ6wgSG}w+nu^2M#yU52u|+L4K4KmZRUO zzIgebJ28EJ27F9D4l-wC;P}z_Z02Cx)pHnP#*cx~S&Y*13Y3+J%r6^CPyG)*+kOZE zmzxNX&~0FjwU3XJg)@%I=vCAzMPK^9Xk;-RRClM&(MU2TJ8*@_rN<9*lp8# zEL*w+$q82E(|#^mwu))+;5|R>;X18+mM4XLku%2Yh-25`RH}s-737t|2%*{n;y$V;Sbq)c@xe!@`)3V)`i zC43YRiB1}ZI?MzRKavsWqIJD+C(6-b?XD70o$`Ea*q0~&lIx$lx8YE35lZvlBtuQX==44uIdp-UZ#GzylaUa#<3yzv4MHU-@L141$r#Bks@*)OGeQ(87fqWa z;rP+hNNSwGxK;oKT4t_WP+8_<23;%?^+h=9O+Y*2MdXJYAcn~?gpF(cBCbA9tP{qc zHcp&+_(j?_p+2=NBwkg-e3_gj(GK#*drVxX6C{P?B&oVk>Xs1ef<%4>4brK?nrye9 u(Z9aSb-)2>&9?n@Kajc(82#Uz!oL9Us?MDV6f0T)0000Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf6&*=LK~#8N?Oh9a zRMoZqC+`H%Nx%oRkT7|OpMc&1DYRUH5F#iDLM>SNS^-fgDdp2!ihCo>DjxvyJWA(}uyAP^P^I9h~5hJ_)75&{86z|s7bh>&6{2n50ffv9j%MCc(9 z5C~9&Y&tI@q}T`ofp9^S*05l$4_GB9YfIl%49sZ zY89r>5)smpB|3=6pAA_BK2T$0qY)n)gCW@iq(fEMu!D?4VuJp&N6+tnA8PN_vnMiK zy;1Z=HI9~jit5@^l41R|z4=jaCQ={qG-^6-y(DQ5<|Y0ZE2=wGXjlr<+K^wn(o&I? z;lef4$ruJEHfL% z$HgKcAr1-gvEbLSG0`4U|5%a@-@kx{7P&u__if;!x9Mm+)v^M)A=y{Vi`S;?S81(p zVwS6Y))~c*Sgm%gF_V%K(5b%$wSQOWv^HdW#Zn|>2TV+$ zPR_^<$D^OMy-`ObkUp zcD^Kvik<0j?b0a`ostr1ES{W{qh+E+8_JH5LI++7AEwG)0y{|g1R3+KGx3iHp7h*f zd#szjOTPEl(UOgr{)0a2aC+ZL{A%J5tlLhGO5-&ZWf(N^7NjXOTAu4Bu)NV&+Pn+D zpls{+r58{zCtcy^wXKi+xAw(DGs(d%=&84-cdw-*&z6qfeQ2~lwQ?vzTK`ck)cvY% z*!bE}Y}j%Hb)Pih)jb>?9hfxc1}RmIPe{<5u4eo%Dkmo2PeKkUxASlu51??pLdf6^DUBmF>m@X>A}rI zPwvD=pSf{m*De_GqfE&mISsOu?|5>e49qJ2H%hK~9Njw2MzNG58I5TYE;WzR=2g52 zcylz#ed#F4^V;fSH5Ut%t6hrsm9=w(9a4C3&TC*=bqla-&jYJ{i%@?RLXk({CRZl6pxWZ zv*6$#a?J60{peMzWK=e?M|VHzutcM|-}{#@U~zUCs`x#kGVVK;iLC6mQK6)wtwr0h z-orz_w{1_AE(O<(`^<^llvR44NS*(7tU4jvj&1o(Y^d5zZ(HxRv7LPBGcalrP_g4f zVA9R>&`-7#r?skmtCv5H_1U*$RB!d3?_Toq8-tstY4!!%-_pFcd*hqwXtqCn4OE=J%oGcL~J!2%fLPJXJY+Crlr0EO8Uw4bZ_-iwEnh_e6I^dT1mEU+-FYP zH|>{V(6ghndQkGixRWPOp}xKW?#4!(IeV5K#x4-v2O>iRqZr)k0E{U%)VIvLK$uyo#9F1KpD`r<1{qu>4q@ zKb^zBwT=I%eCLdOzdXgwjzvIk!$8u%EgK$x_C^fe@)H~`mYojtH1)qOdmLHszK(m+ z18Lnc_uE59$7ePiauYeE-S#sRhrIeS?_+h+!7f`tA0z_pWkanx-^`v>Se1J%7M2Xb zqdv}8fZvcqW`>1Bwx5oU&l;^q$RPKCm?jVq2v|hG@oD2%mQz-XJO!CRKp+q#0*+7I z!XbmiPD~RBgdBmOKU^MiO$0-MfIt9_k41zO+dv=?HV8OAZV)MJ*jPg-67dL-L!K88 zbs~Nn2mrzb0mnzeA;ZNMLJxre93Rz-2r2e~Kp^cK8e0_WwSZvW616`q>o^>1jvMLa@19k9t332{d_4#I$qucs%ER}&+U;e-2`jmFjy;{) z-;Uw7ugvucs$zgPRtKs&=hwq97!Q|xiMmtNH_yPv$#ZZZ+^oZkRjs&8kk}X7g`RpP)ZFXSM2_7g`_y8eJT@F_SI&{gsozE?vbVLJbKpKLjWS;?1Y1meB;M6nJ4TV! zh9~FfUU?7lx1J4~k-nB!PlRS`h{Jd|TV0E89d^WMXhUv8Lp}Uq>&5K0mCIz? zDz>RzIb5+Z9nwLr?^2u=RFNxNRpH5f-LDrJh|?I<4v>?q=IwG;jBH5iaZ zRm$MPv^^|~`)jyH!&5JB;}lL6Rb9OLo9nABVq{cYOFL$?wmdveI{l2YiA5#nuw|A~ ztV;^oZS@FLx=Y=pp|hcUP^bswd@6_}|ET(zW6PM8FD{dCUyA>sLr0xcfRzib!;6wV zmSMQxJrrogm)8BDQdT=v=lrLvhw(^uB2v30Vpzp|oYVP&?F|m;n6~UmluyZ5 zo*ZT%W6)vj*sHB}?R{2Y9CXa)q$6iMrK$N#P(FSPQmF=P&iG>}T3(J;>004?ZKnL1 z3NUT*2|ivuYM)zzO@m}7R-aqQx|r+h)%7Nf`Z;9;%L_e+zB#|PYt;r)U)i!%tOknq zv!SmJK7rp5TODRP+<85z_dbt>bePsqc4T#ZmpWZgDXX2TbN*9SO)AzqA5T4Y4AaIe z!--ZpA<03ppfA#{NTg1ur1puTkF`}E=5tchufsc(_V!7a(^J0Qw0@1}8ab5uuAd;w z+6`}nR8r(V6?aSbhAjXVE~9ALMi)Q&YIewoKb2wO2Z|ht-*tFlmk~cr+9$15cIHQa zn23q|5KHw)6$jPJtn5aGwq0zfKPg$3DYiPyd~h$sLz3P5;?Zm8W4c^gE+V?4_KOy+ zdHv=eTQ)vtyXxG;JMRrmjwQH+1c7k1;fd#RFl^gI9HQq4oT)@=a~!wfkXy+i?Y7%Y z9J2S7Nv5nwC%a+zYi;#55~g3@5eN`=3~S*$MMgtN63gpNi19- z&_M_U^^~=PbQ59(0uhG*MaX8$?;#@&9kF16KnEk>sQFAdWCvp|#0dmU5fCY>*c<|Z zFhW2$WEdGks3H(>)O;#ZR+o8389BTfDmw0iwG$;f5zCI|!~6#?50>96XX9z_1%cZEYn>edqL4h8{o$R^7l4A{1Lwe;a~u2^Q& z_`f)hjg3ZpYz&5E4}k2DGlS7f%n=AgBmzM{)X`R*zjK;BPu( z0hdkFw*7OFK5jWqm`*Ojg6=tZ@i-Ik>$x~+NUNpO5*Uq}(drrN>9q2#@(6^AxF6{V zMA<1hX#^HmEQ^neMM6Rx65?Z}*Re6t9#S*@!$wcXOM8lZ%EBJpvldh4Q9&t+*`|6C zXZcii)E2G)8j3 z#02W(jO>sc9ph*$V9ObcDI0d;kcY4cdpAtSs2m=s!Hc(cMn(_0|8%ulCQcXadZ^J- ziI@s~#sfP8iZ>>pNXI-^&(+E1@rl@s5-k3)s*ge|MQhOn0--@5D2I%p2*}QtL{YJG zQUbbkN<^omL>h}HC*^3FXhFL?jGDR@d)2gc|4wY4Iu^sEnJ(P5y$MyHaNmNgMSsya zt}*LF4@^YGBc<}3(IDpuwvp3Sj+Ob)0r8F`I}eLVk15E;g14IR%1kcABbq=U^aupy zka4O*CdMHtF&^>ch;eaok~7K}@d+e5XhCA4K%fl*K{+HxNKQ>-V`2~;9W8ZEVb$N9 z%35kU^RS?N2|c7ChbsRAW=iQQHFn0oT!Vc|gbd!fENLN#1Oj1$Ku``Ty-%bbqc|ix zBX|C@hxFc(#;r9MMvMb?|9S~3#>o}nJgtvh1rD6b24qGR%m$WVcd_zb({v7}$&`|= zkfSoU6RVeC^T0_M5#gmH0zxbZIs}2B95Nw34ku5ZLVbM$+>MPmbM`Ennw!zw(t_sZ z7K)Ts9g-@* zwZ&S)9s%KyVQ(U#U?d?R95RH~t~t07#kD$ywQpg?mNK|ehvGGFQ7wdaXe?vRMo)kF zy)zbtuueO1)UA@YqmC9eigYsi=$!bk1VXk6YTv|)+FqDFyqAY%&A|<*Nt=q?w2(>h zVdQ>qCtf=0#7#4XQk?~EjX1hx2TD?I^wGmuIy+z~k|&MD0B8H?C%D=}AbRfozkAr; z6hUo@0B!2VeRaSOdLdaNs>9KJ4!Cmonm7L&XmDkrhg493uXmvE-BKJmJY&(8iHBsyVg5co7_FJvTZ^q_>f#7&WV2FV+lhRS_!QtI3bxifA= zCY;EgG!>I?(D7!Oq~qxUIH}E-XZ_Llm2|ugN2G|&Yg41PWdI|dP&j0W zw}2~+Hat0#>O`4o-t^Tgstz^PAjjB1@B1jdY;c4A!AZ4kQ>y8nJm=!WYtkV}K8_^P(yYb7$xzMCQm^<1V)rpT7U&cbt3k=~oG z9gP$9ukt*-F#D4#~aCF@PfO9m%D1*ia-Ed&}0| z5)sng0cL^va->s^T6Lflr(M0s?Ti{l5puk$6H0pOA<@s}Yd31%BRWG~y)bYfQ1U9L zplYLsItTs_7}!sfDtl$Q-z!CBisIaUSHtPIMn_J+EzOgeI&b(-Wb@(DU;#2g;z2+- zWIJpIXDX$d^*}~y+xKO%IEo@8uBTc;JFwz;N?V`zI+T;&N7lR1Re8V2*Ok?^o@>3j z&Kt(!j)86zN_@EQK$UBp?meLsT^rtz?!QF!i?T=bQw|E*=}KPRfS1|nbTiyI6iiNZMiOMBmpDVDiHWK5cq$CKgPtHRl5fO0000< KMNUMnLSTYfjfy4! diff --git a/src/windows/leash/htmlhelp/Images/allowed_mix_case_realm_name.png b/src/windows/leash/htmlhelp/Images/allowed_mix_case_realm_name.png deleted file mode 100644 index b3589111607bf0facf9956bfdd99561af741030f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1986 zcmV;z2R-Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf2Ukf%K~!i%?O9z+ z6jv1fc7bIV+ox)u)LoY4FZf0<^hv-1fvTXim1si!iIR4=4?<0_A^ucSOca{bwZ$r0 zNuZ{difn^|$i{~zRMS4WW!1t$wGXXSYb|JBx;=M(c4ua1_NQCZV&-mcm^*XsIp6v2 zx#yl43_m^iGYGxu3_L>&81Cvp{R}Oq?h0eTaQD8Rsr68Jwit*A>d()7l(2`dzwuVW zbMy&115b+q!yQGYK1V^lbH|Rj?R|3M1YXmFI&Qvn!KcrF;m)s5WG{;6dOqfYdc^y+ zs&#|GfV8v}q^G6grIm%?g1X_&r;k*(pfeCB14b6n(k`91Z0S-+yWM6*j>C>z>Lv_?rs;+o& z#qeX)Nj3?O&}+LUBXA|>FT*JKEV0uv8V`0gnPk>Qjr(Nu#qWbLf>o8>U^E(#Zc2mM zY=SvGjk``uO$kfJSc&ONUm&lc0G>;ekvr%wA(EIj@jCgH4clRQ&kVvV(>aN;fpH!` zXR{LRv&T^SZ`jrH07O>{55Mger802Q6`F%@J%4 z35Rt_ZA?=(59^d*lG%~oAJp(}5~n(R6lk<@A|&WpmFTO~KY+8(aX>*S!z#$D`l~ST z@;Zs1B5%t1+8Dyxc#ifo@tD{;Fs?X!QE;qneia_4TV>s~Y{qLxYdrueKjc5riB!tO zEPyj8J3p6U#`B9TSd?L*d+8MDENfdr{wj6I##2M^jwxhKk425R-VG@JdVnT)` z9qAOzCX^wnEnUAzJZu8-q3J3WFbSfxHi;E?z$eKzVMy-as4`rt!= zJFXqbF6zb>mIXtyS~wJXF^&T(nLZ0v-D<(ikP9|WN0j-h7?d0d9A{=Dmr9Fl#vykt zVpihd$E6(uKnG=O@sot;kEYF7cB1p3S$?og&B~0l)KsLTq;Q>;BjR6Hmc(un<4cI- z`fh*)W$cOS680*rDIx-=Nbf`)%2v}Dei~oISCk3M?AnS;oriIgHq`XxetwfhX*Ndz z_cYf*8!Oa`vF{toO!xTSzB&OX?6mM~V+v)IY~~dT=#D&G<@63<1 z>+F*rS8LOKv1umiD<1SU3}BiTOzfu{x-mi|D>p6E#p|g=dBZq7mxV6_Oh*wPut8*@ ztcFSs*CF_8s$k{DK8zgmBgl;--@8J3X+yj+aR|F^)uE9BQrkY&YW2Wr3NX~WgfAiv zIEo~gLUt7Q8CDex%%{dS;DC#-EtPyBKbyy{GT+*G5_@SQPtk@5LJLRa`!{bR3tQcX z;g9JD32R^ouM5B0Q4d*#Z&G<{Bb9)y{ancy((#XNM(07Z{4l4RaPQtM?%#ia-yS~1 z?~fkgkGVO_&Cg?QZk{r>BvWfdwU_GLO;vp9A@%?qcU!#= zd)<`H1Rd6_0(?iue_j?}p0IIWPj_e>88L$5AZ5NL%D~wa{L+;XnHR*o&9(3!WMu~h z;z1v_HnZcO=2CD##KbZur$cdn2;oet;KaJqi>vGUv5NU5^bPFgwT#NEo?8B%Z2mCb z<>Xf2y?miu(!`+>O`>0!E_}fJsB&XQYrZCiaAFN*0R>+X_mw4AD6%W@{%36M1f5CQ z)LIXo2gCF)^J3ECtbN&gJmLQ+ZrI!?@m{~w8TfA*Fa#7qeV&3k(YF478q}FDX2j(R zaS)fBF0?QhFa&;Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf2G&VLK~!i%?OI!G z6jd1h_S$YMMk6LZV1(_(wpM*m8X9>jwzegurKE|`1m#j%V#T5f81T)4Q4^3_t#PH$ zCK^LxTUd8nT8Iy5O5hDQZK0P(#c(ZUOF`Q8KW8p`c6PSAYuSmBnaRnXbLPK(=i7hI z%&uknZYTuvFcB~Sf#B?Y1H1s1>AUkLsSSbJbP}AMGXw<7t=TZCziU5~w9~EI-%DD@ zRCqWMn7L~Zsiy=|A0|?7tFKQO@ozmIY%xilFkTP4;2on#ee+JZQg?hKk$T{l-*oY} zSS)ZjY)Et1QC##A7^ycmnw9!tCu^el&)zepQd?sM^z^c25Sx4XGsw+$<5_A>B6Y&Y z#37WqUP1drq8fc@PD(yeyIMJ|A2x2pU|e%d&Wgt(8p|)9ezJKjBp)3^^U1h@8!V7) zz7H-uYlvQcC{53-)oMYS(}DDKC(_d#yzj8vR8di1uRrNOhJww7==P7Reiqh|Ovkgk z`0H9f;cXOS|L?5-D;nML^pnkNA$fL9@lF1F>v6QE0RwSk z53lv&@r!3GI{pVo+l4Jz*{ctwiK14km9`poPGVO&H6k=4HLKE2no|x@Ke|7G{_a9l zw$-4Z+lNWjS3jCFR`cpD=_q6NxfVw;ggwvOP}VjfT({xz4A!FcnwwVhYfOHyNtSEs zmvtx5UZUtKHue1I#iX?r#!AF2G6ylIXnp>L<@wssJP=DZ77mgAC0o?WYVel4AmLcF zzUBPd8f6?se8VwujAiT?mXT{9U_U^1xSSrok(|=wS1Jikm6}yWsVRq@DlsE)236-r zGSaam(}m0o7tN&+(OK1Y36(mmFWTb$aUXgLYOp3$j>>|aXr)`E=u7K6L~;j$K3bq+ z?7J|B{&%vt{9w~s41abB*Mf7n)>DW*^{tpxV;;hAUMH?yI0)>@g|CWasK2tK7lT|T z3k|1fj_H!^f?c1}yuKgl4k0z>vvadg()+SposW)LKPNqX$vz`N3vwyH1EpbK=wb0) z!oJ}aw2$k@7t8l#TMIf@6~HaT9%)ZmUn&-(H8PI%IM1<&6$9YTE5`ZJF)81oVfdWzU}auT41B|U(&JYu3C(O%r4FBpGp9momlGMTG^7!kolYkwv_$H3p;C($ zBKw11>_mRmYuv+{s(N&K{j#@txr!?C;#hml4_`+ys>|JyZrM6)JbMiN6Kup}sfrc*n4&e7uDQY#nU^Pts(4vf$7-r^5`C1J^e10$F(Qq#Bfxx(2rqxd7V@o$nKyw zfa=|KK=;p7o5wIVEUZaF_!{?fh*jNtXeu?^W;pD2*laf5*mgwuWZRPX`;R{OX|cN2 z+p#p0+IkPraRR5b_aeQqc5k!LSiGj!Ke-)CKgq|r+xKzxwwD%CxKAf)H`X32S$!fR z=8G|MXXU~z@Wwf(rs13%kGhH{WwGz7l3OrOc}d$X_&Qteita?=ow_pt{}S+=MSr7NOk zc}!XxZ0@-ntcdF;Om-zc)n|+xMStq{jmt{;Y4zE|UA5;7J{ZkI#aD7ZF=Qj{MQ`!K zzO&KbIe?Mc?Yv+t6nnDqhCCult~w zp60}rD_3#-`VHKin!>H=Y1|G55uBMpFgQaMTOhSiAjCp)%Im?#s)~pkK?!X^y1acf zmyK;7Qoq)YCznw3f>%&UzXBCR;*VamqvC5?c$zC|^&)?Fo+Mivz{j2)AWo~rOf2?M z{ZhKk9;r&mkNlmG;yW$)+`(dwEUro+jVPX~jK02Nzoc~(>wcnqxLuMZQihcLmJm5( z;Gpk|;&Sgm+ou7%zJ{JPV%n3~6f<7k7=RTyg*bn12>ChLT$hczj(F5@C?>x8{tVzW zEPvhlTfNbJf4D8_UliZm(qu%OrjP#t0!ICH&T?5G^$$eqWREvYQYQ=9qUE1@H2g|c zYmC-&(e_hjz@TSE%jKzXrA}EgrePBS0}-(NId#vV?~j35nXdkm2v}e-BreMzH%(F- vg0$%bR(gA8#1ZokO-493eV7QO0)c-3oho7aMnApv00000NkvXXu0mjfd76a> diff --git a/src/windows/leash/htmlhelp/Images/destroy_tickets_on_exit.png b/src/windows/leash/htmlhelp/Images/destroy_tickets_on_exit.png deleted file mode 100644 index 39843614d93f1ae1e028b02fc1de9cbf17d780b3..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1742 zcmV;<1~K`GP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf24hJ?K~!i%?OAJV z6jc=dW?$Xiib2%G9~kL&DMhRPFf?pz{86Cv5kQLsqlpi&wa{7{NFb@iA6iJj1Y)U_ zPytJ#@ex5FrKK&Jh^7txFu}DzY4M+8c$TvDMZ2DRXJ+@#?44zo*w8jJ7D)USKmYUJNKhCQd5 zcj7)aYC2+AE;JRWbADDWnN1l!Mi1&AccQ3iP+M1kx*D=8Y{Uh#FMoj+V-U@SPSka3 z@j9yndt>hUXP`JP-G?DpdeyYy*_`R5x=|iU9M{^k@bXK)} zLZvqPF#9vcn2ntIJvcX@uIZ{N0}hSiN~9l~`$+73z5|UL^6+_t&F{v7Xfd`&=w+Zv zy7}}dI;ykzT9C;5a$9lbL@j1%zWTQH(;8ZLC=c}&B=%@FipoQ1Jwh8tHW&KCm{(rL z?Pa-JVP`m7SGB3WcNS~$nGg2TG$4m?ZC_-SlMKH($3#3VW@0|79m~D`?6X>~75H(( z`{ow!K#<_hlf1#O(2S zxS&;0dxc7E_M+d9Y1Kn~F3uf8+diQ6IVbMV%)#5eB=$jOn~mA?Td?xYV*)y}FLoco zvf_Yd!+Z(%MN9E=?-%GGf3u2LU|!!j4B|XG4nkOCg^SIbafZ-Pw>SaM*OfUqxA7$2 z$ku&X zH`8!wqGp0-gMHHDy*ACqc$6G_`tihVV$a*L?um84R;mtsj#`oY9vp5TNN5Gv`mDA4 z(U2d;0PDYnhF9*p1f{PDzB-TKK>i9W%3^DSShO7IKY9jOUWzOWyhf~XL0jQuFXXb8 zlURQ?7bPF+Iaudp_AkpZeyk_UN5m%QM$VDm;?O>n1D_2a1VVy^D1 zJdF2RYC)Rjwpp|DaA1EJON;f`iN92dMcU|}aGnr+*V5M;A%0=wSuFjEa^Uk;Ihpax zax`K}mX9@7)1hJDU*)d5b_x2ZuoM!f)my`O!IY1T>q%0i`MxNB-1t{KT=B`?rnLW} z_|obc;cT6lKmNMw8O%TUJbJrTq1)HgWk9)T67{Df>U6IcEkym$z46a}GM^MX-B5R6 zKY%?8=i;4HA-wz3cc{$10~hv^NyUJ2amZMyClz`dtj&Og0p<6he+=!1&63T)WM@G6 k?Yb@M$-ap;ej@|_0eCyAUzUCDZ~y=R07*qoM6N<$f(h4E*8l(j diff --git a/src/windows/leash/htmlhelp/Images/encryption_type.png b/src/windows/leash/htmlhelp/Images/encryption_type.png deleted file mode 100644 index 7e4b4b76a60307d6990a5cc309fd5b72e28d6d3c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1660 zcmV-?27~#DP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1`$a_K~!i%?OJP4 zR8<`R-DQz=4dj(lBaJ)_SU`%U74sKce%T=u)CAZy*p>vJ?H$NzyIUh zqnu-UW(N9m-+Ewl;tsF7;l8y%S6t-*&hFGR@_vqqu}L8#xp4-_(TVAR*|gNWC}6yF zM&3Ozt^nzld*rA?KsON2(k0=6V59T6hX=+d?+O_?Hl+YLCN@sGaIC)8ZzsO6<#m}R z%B%zFw*%)vV4o6!9Q6X^aRTJ_%1W=SjYcClj)TkPg4^xJ;kr6h=s?Z`iiMFlL?8|H zs3Q&e3v>SI`1X5vj$ir)(9qO{-5)h$@WwC?DE~0bSibsqm1|UPUZ`)RFi^dI&}JzO zHck>(tbjBgNlZj)auPbev*A+DHQ0W?B?GBV-wMlO1EQH>X;md9DFPyH-nb zMEN8`1-%$~R4>)MFFn=quh?pX)h``2^x*BD&0h;MRgWa`BYz}xmM@EkeF8Xt@h>DS zi$&Luf8gej1BnmEASWvs(@y2xlciVnUeSTE1e91aDQ99|2A%KQh#`jyLrsN)NgAM);=!e`wHFPn^BLUv!CM4vTW2h6GO@T)&3r2m6c$nxQFFgzmdu-#C}H$ zwvcSu+wDTz8z~|`rFT(zy&v|Ax~#&kN)i}z(9^TWDMy7A6!@j1pbOOlO~htLKlb+S zfpx%le`PX~0Z#+!hnB~q;pAs6w4mzw@&##H|mgj_>1sm`(dT_-?f1N_h=Y&RDWA>L8CiA~m7FHmu_cCm_g0@CL znD@n#uF>e0KJ0Hnp2VBirRx~lcwKz)RE4g%SCQerj#Lkzep49YmZam|u1;L$b@2XC z4m7l7Z+w!A zQR+U9j`mYH;jTbIvRH#y9-e%HvF6LBdFdzyy`2O-8T<3+R$Dzv>+Dmj)9J(mOCqp7 zCmkI95I{={R+Dcte4h*_?~|VX;ca7IYecZL$`DNx`SnNMmxlDUojB1t;Db*p^2>q# zlfMGx#YkexphRc;qy|UURv6gN`!qpN_=ty8W1u?2dd5XXciW;BJiFkqgk|lycYF*zlR^ zW`|}Xz0ILVbb6b^zpgM3z1b;y=~a1Vu_^dhbidU;jVBv7qw9TT<0Ns zKPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1foeqK~!i%?OID~ z8&?=TdW|H<{Q(UrZfsfcLS)evL+QfAX@n`p0hhL3Xc5{vPzp|0&PHHNyhy!D3!xCz zAqy|mLJV6tA3AZZ_^BC6C7Pvg-HUJ0p#(ndr(<#}2w5Ts&Og@2N9q z&RF&p|0P&sP%ue(M+(yQBexFy$x6V+TV^|RGfE+=te>w65;>?y<%k2-7ZF-C)&f99_v zo=V_$zG%xuIcst&)Y@!sukrboqSqyuD^vUZev%qN0pe(c76F<;%`9!u-d?RR*@;gx zMdAJ^Gl>ac39@3)ARn+cqn9Y*}-U8=>&oa%Gx!`7GC2hU0LCFY~8nF%<8 zI!H{+0PY}m?(B%*jYCl!>WI=_n1If#9aYRBfh9pVfdY9A%q}24b&0NX$V??LH=8tL z(b)&XlGW!wM>ZwT*V`I4dVj>j#jnwYZk$=Po&;9hBxbf2FlIg_eje|x3sIOH#m4mS zX08Ng&hZUmS#2G^iCP_O^Dgf64PyXFoa#G|jH9%2s;`=-+6V8MeXV{AOdUsli29=I zcjj-o%t7%ZXv1TUpf)T}M-6mD!w3_Y4Z{$CmY|L(j>;}SNJ0p&B*v%L@ddHz#`HJl z9`DoHuS|ds4ihNXu~}hId%Avn^q~!?%NDycJG=SV{d36A+hTC8U$0}Ol1r_Q!Vl*W zACmPB4AD)v+~Ym7Qf)pFTF6qc@H%#s>WZwjC`hk-aRhA{a-|Ebs1+=*jcqeeXcDhPzUN}r_hd|W`=h&mLl5rcLFt_ z-rrJmc0GaCOhErXb!+CRqa2_KXiy)Z4?~yInhE>|(O1V`-;7{}00000NkvXXu0mjf D>DFsy diff --git a/src/windows/leash/htmlhelp/Images/flags.png b/src/windows/leash/htmlhelp/Images/flags.png deleted file mode 100644 index a1b7d4d35ae019725605ec052de9b34e96eae121..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1142 zcmV-+1d02JP)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1Pe(-K~!i%?V4Fg zR8bhm|92d7w1w2s7MfhAk{0U0kPw<|0ij531AC~15~_#r$;2!oD2RHJu$7AJp-o%R z#!|5bM$sN3p@$r`%}P_D8Eq`*cFwsoI>p@aj@HAyo$vB7!#&^GzTf%2d+wPLKJ>Xn za8b1fT&|xG-gA(uhDZlL#6b4)h*Uetp`idEZ(KPO^!&E&*c)^mUSZ-MU?AVgMC45Z za?kGFvc2f_dI*Am;o)Jp-EN#ae;!*n$ca-KM+-j)NF7A7*YT&G25ah{<4+aqa3ev)KQg;wX(#_t0LQh`K77+{Q^4nx=^L`6J;$)GO&mqc$Y9 z`oFyMoe^t=#gJE=ykC9prHxh?;OL}~@C!PAH@2X3KP_n?r7KCTeSQ5nkhhX; zXo^lg!23`Ah>f0#RV&O4WN4`V?>Tskw{N-MDlV^Pjl#}uh5g7obCBzCc}vube_$? z%DXves3NI&qK#>!zS}KAXqN$5K|ls8*)kv#Vk7)EMfz6M1%+ohWb@djp`@`6yJ+-r zVIB|}$j|;GlKV(K9-!G#(Sd+^ru6@gltiSH|3g6K{ONW@uz%tpRnCzOpQlzWP~;#r zLXo~l+PipaRXtAfyFPzLs-B`W0sf5SAT{CvjZA|_q((sg0#2Z7eDO2XvH$=807*qo IM6N<$g2vbv5dZ)H diff --git a/src/windows/leash/htmlhelp/Images/issued.png b/src/windows/leash/htmlhelp/Images/issued.png deleted file mode 100644 index 266f0d1ebf609f06b966c294293041036a1f4d7c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1183 zcmV;Q1YrA#P)Px#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1T;xRK~!i%?OJO{ zR6!K}=I)xN89p|%XagT>LM8R1$XbY=6usyHLP12OR9Fc?g+;%tA4P%{7;O)V4Ej;_ zGEIe`2TEi=q@qNnhnivOTD#I(?rrAo-u3S8T_0Q6?l$*w*t=)WId|rKbIzHWU1IGO zMer-=Js<@A2>1Xb4-kuuM`S3>1@fH(845Up0%_+pG6bL`-+p)ldA_)4*hAaCbMLTq zxWeD_0O?i%@&W}iCp+8cTeMm&2qEa}>x12H$2pS;+c=Pa4;4Qw32dq3NwS^Fhfm>2 zuiiAGq_h@CPToP==S~SwcB$Fnypi+EpxY1qq)CuzvR;qWY(&K;&-ji}{Fx2)F$JPcfh}1*NeN_RWCV2a zF^C8sg}B(UD1A^5K@gC&awaTRi%V3^j*=%il~VH=BVr>ply;!XC$9o|kwz(+95&Rx zGaHn0D-``_ax(vx#FyVYSpR~(eZU$yK0yad5AfvqM&xRfnrLpW{QD1vkoBG!m>|K0`{W;Smvvh*Y!0 zcy?#Ru;&yQ=9rMR`@Z6>YCNTmr;Yn4yGTJ=t3iBJ8V=Rg;B6C=Vf;+2S(fauy>vA; zOVRv)+=5qLRU8j=b(xX3b-uKq$v<%qE$wC`#7ASnT!RE;SeUjy3lEf=WGOKfJF0)- z*_30@MeRhjq@%`DBzM`a%LaSML_z&8e6cvFaEUWVD`k|&9KoJ9htU54Q>)Ep!OHF{2sJpIeTr^B%CRq6i*eEEI6O5UIms;bsqs>gb1)lM)-hR1 zci~KvOrExx3LzdyceF**$d=yi!FSW~UeFC;lB*`GK-D9kzy0(&Yc08O#_eQ>MIt-R zVaslIn!`So7dzS6v@O?-$G?oM2S~dLkk=@X!@V~805WlGn9CG>*Ko~p`5}6Mw0C<) zPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!vFvd!vV){sAK>D1NccqK~!i%?U>6? z6G0ru=Wn7k**`#|sCSd1i=-M84<^P$JW&!FFEwI_&jSIX1k?meJSeEq#%L&y6p}7c zD18aV(uauldGa^&+wRUzmx^)mpfmX%W@dk{`ONI}K{7jaDaQ$r&7HcG;{?d&*SeJB z1ORJI%5ef@<7-XIaROwcSd(&`fQa?Rz`%awcpd*(K=Qd*;{{BA*tKf4TC3H{@)k@tukXx*o zg=a!ixe71D8c(J!`X0jxjYQMuuZ|x-bNBfh4Q|!gdR)h9^=`b}oxfD4f20Hxxa2)JOAa%^MJk?sdJoY^a;@zlKZSq+AGN1-0uB3n{xcC#exNPe+6qYSK)=H^~3Dkc77*t|K+i+yC=Hu1*ezsOKT>RL9Buo8`A1~!z@}j z&_=w&bTZoOCT;#GXV00LF3o22CTVjk=nH+1>eb@_Ry9Zi(ld)0>0vi45jt0oO>m>0 zVU@mHIMnYhVJ&8nww3dfCP|XquJA&vbMp(Ut80mL_WJ#qn?tX6znAlcLN1rjX18^$ zRxcKzk$^o4^(&-35Q08MjLkbNnsF|oStU76-*nG7E06EfM0nMB^^IhyJ*tA&0tGE3 zY7TDJAMI^7t_ZA9Sc_RC-2>Ra{wTLt%c>2MfVIqv|CI&b{Na$oClz$~UtaXITD{~@ zAV3n^WnTOFLjY_9FBqC13S6(*>_3?yiELTQaRL(Sft)J9T9R^{0EvGoNjXkHVm**k pC9xh5)~!-p%4q^bGCc?aKLN>ynes5OLPx#1ZP1_K>z@;j|==^1poj532;bRa{vGi!~g&e!~vBn4jTXf1g1$uK~!i%?OJO{ zR9PJV-RqcA?oujN(iGZQeJClYK9n#x*`SN=vf4u^C<$|( zC@U?ii%8m7rad6U`XB|;L$imyRcJ;UakO*py)$#?&b`j-YFFl-;V^gZ{lCutcYgnK z?osB=uxk=3H`mv3l`ZP#q#2l)^oNb5Kh^Gf+Gjok%y?RH~gVgi5KY}hUXwE2}z3S@r0(Ub0*!yjE z#E*uIUYQEi{~#sd4ZHmF}2fiBnegRl8M${f#pRPFrYa9?5J97 z!Ige0K(8y%AuB7E6AQ@QSCW+)mdc6!hiW5iVyUJ;7%AGe%9v$Y2C2#Oal5MzLnBUP z7*mkFY7tjjc}50yN=$Qp8UAUp`w_OI^hO`9{G0?+I^TEL`ef`87NmRFDKJ!!Hyv#b?q7+?)TXUM;+y&^ zMm@T4YO^OEss9LF&X5`@t-g=P=fbp9I7WfH-LJ4HEgAP84&dWwCyeO}kh38ZW3Dl8 zcw&9eHUH3xt-CLy%~M|6n^C{J5N7UKCiXTt@NAIw2CS$)F9KYCuDixhfJ)8oNp^mkvK}R5mombxLTeWsqycoCtF$#k@b>iBxS-Q^mFT?Qlo6%h@bL= z1XH$0oH7E|0U-{~PB7mQJDO2N+0r^ZJc7zHGq<5RcD5O>-;E$GLV)N!jdHH6l14#1zY;eEMn(=wXko;Hl=vXLMB-|C^TFpqVzow7v`1ZU}3sq7E(R zq;y{5s{m~Swi?v0FF|fbP$#omK(@3R;#iCfeZ;ncY*;oeM_x`A`Od-@hXYRMDB|Ko zjGP)tEXykay5TE}G+o?AsF*LUtq7q^k~Q_W(?E50P#yD`9#RDa+r<8s>ecwG>5%^< zl7&o|1m4Zg?823K@nO_^jNVZ9hu_H#WgmxckK@t@%Xs#YBIZW zF{`6x`b9uC5+K8EzsdmVCO}fQDK)xd)SJ2)VEW(t7^#+Nw_9hVTDc6>j^cqps0MU7 zZDfD|IUNVm+8A6cMZwDb@gmxLv6Miqj8!kKT0tVpICLPROrTcO{SO4xS}wIRx)_Rs zA@6jm|2t$1NX - - - - - - - - -

- diff --git a/src/windows/leash/htmlhelp/html/Button_Menu.htm b/src/windows/leash/htmlhelp/html/Button_Menu.htm deleted file mode 100644 index 7b5b19b..0000000 --- a/src/windows/leash/htmlhelp/html/Button_Menu.htm +++ /dev/null @@ -1,97 +0,0 @@ - - - - - -Button Panel - - -

Using the Button Panel

- -

-Use the main buttons in the riboon menu to work with tickets and passwords. Several button functions can also be reached with keyboard shortcuts. -

-

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ButtonClick to...Details
Get Ticket Get a new Kerberos ticket. Click this button to open the Get Ticket window. Enter or select your Kerberos principal and password. To verify or change ticket settings and flags, click Show Advanced. When you are finished, click Okay.
-More Get Tickets help
Renew TicketRenew tickets.

-If you have multiple principals, renew tickets for the selected principal(s).

- 		All of the renewable tickets for the selected principal(s) will have their useable lifetimes extended. Each ticket will be reset to the length of the original ticket's lifespan. Note that you cannot renew tickets that have already expired.
-How to renew tickets
Destroy TicketDestroy all existing tickets. - - -

-This button is greyed out and not accessible if the Automatically Import option is selected and you have Windows domain tickets imported from your Windows Logon session.
-About importable (Windows domain) tickets -		 -Imported Windows domain tickets are obtained and renewed by the Windows Logon session, so if you destroy them in MIT Kerberos they are not destroyed in the Windows session. Kerberos would immediately import them again.
-How to destroy tickets
Export Ticket Export tickets to use in your Windows Logon session to a Windows domain.Click this button to export a ticket you've obtained with the Get Ticket window into your Windows Logon Session. This allows you to use a computer that is not part of a Kerberos realm (or Windows domain) to access that realm.
-How to export tickets
Make Default Make the selected principal the default principal. -

-You won't need to use this button if you have only one principal. 		Select a principal by clicking it and then click Make Default to make the selected principal the default one. The default principal is the one whose tickets are used when an application or service asks for tickets without specifying which principal is being authenticated. - - How to Make Default Principal -
Change Password Change your Kerberos password. If you have multiple principals, you can enter or select the appropriate one in the Change Password window. Or you can click a principal to select it before using the Change Password button.
-How to change your password
-

Related help

- - - - - - - - - - diff --git a/src/windows/leash/htmlhelp/html/Distroy_Tickets.htm b/src/windows/leash/htmlhelp/html/Distroy_Tickets.htm deleted file mode 100644 index f8936e8..0000000 --- a/src/windows/leash/htmlhelp/html/Distroy_Tickets.htm +++ /dev/null @@ -1,11 +0,0 @@ - - - - -Destroy_Tickets - - -

Distroy Tickets

- - - diff --git a/src/windows/leash/htmlhelp/html/Export_Tickets.htm b/src/windows/leash/htmlhelp/html/Export_Tickets.htm deleted file mode 100644 index b1083bb..0000000 --- a/src/windows/leash/htmlhelp/html/Export_Tickets.htm +++ /dev/null @@ -1,36 +0,0 @@ - - - - - -Export_Tickets - - -

Export Tickets

-

-You can export tickets into your Windows Logon session so they can be used with Windows services. This is useful when you want to you use a computer that is not part of a Kerberos realm (or Windows domain) to access that realm (or domain).

-

-Note: Exporting tickets will destroy any tickets you already have for your Windows Logon session. If you have unexpired tickets when you run the Export Ticket command, MIT Kerberos will warn you and give you the option to cancel the command.

-

-To export tickets you have already obtained with the Get Ticket window into your Windows Logon session:

-
    -
  1. Click the Export Ticket button in the Home tab.
    2. -
  2. Click Okay to confirm that you want to export the tickets and destroy any you already have for your Windows Logon session. -
- - -

Related help

- - - - - - - diff --git a/src/windows/leash/htmlhelp/html/How_Use_Kerberos.htm b/src/windows/leash/htmlhelp/html/How_Use_Kerberos.htm deleted file mode 100644 index 38e54f6..0000000 --- a/src/windows/leash/htmlhelp/html/How_Use_Kerberos.htm +++ /dev/null @@ -1,44 +0,0 @@ - - - - - -How_Use_Kerberos - - -

How Do I Use Kerberos?

-

It is simple to use Kerberos through the MIT Kerberos program. Click the Get Ticket button and log on to get a Kerberos ticket. This ticket is proof of your identity and allows you to access all of the network resources you are pemitted to use. For the most part, your tickets are passed on through the network without needing anything more from you.

-

-Kerberos tickets do expire, usually after about the length of a working day.

- -

Related Help

- - - - -It is helpful to understand three concepts before using Kerberos; realms, principals, and tickets. - - - - - - - - -

Realm

- A Kerberos realm is the group of network resources that that you gain access to when you log on with a Kerberos identity and password. For example, a university might have a Kerberos realm that includes all of the servers that students should be allowed to access. Some companies or universities might maintain more than one realm, potentially overlapping them. If you have access to more than one realm, you must log on to each one separately. By definition, each network resource in a Kerberos realm uses the same Kerberos installation for authentication. - -

Principal

-A Kerberos principal is the identity you use to log on through Kerberos. Some people will have more than one principal. For example, an administrator might have a regular principal and a seperate one with admin rights, like root access. - -

Tickets

- - - - diff --git a/src/windows/leash/htmlhelp/html/Import_Status.htm b/src/windows/leash/htmlhelp/html/Import_Status.htm deleted file mode 100644 index ba7ec79..0000000 --- a/src/windows/leash/htmlhelp/html/Import_Status.htm +++ /dev/null @@ -1,75 +0,0 @@ - - - - -Import Status - - - -

Import Status

-

-The Import Status column in the main window shows whether tickets were -obtained with the Get Ticket function in MIT Kerberos or if they were -obtained by a Windows Logon session when you logged on to a domain, and -whether they have been imported or exported to the other application.

-

-To show or hide this column, open the Options tab and use the Import -Status checkbox in the View Options panel. Note that Import Status is -only available if you have obtained tickets through a Windows Logon -session.
-How to: Use View Options Panel

- -
Tickets
-To keep passwords from being transmitted in the clear and to provide users the convenience of a single log-on to access multiple services and hosts, Kerberos uses the concept of tickets. Once a user provides a valid identity and password, Kerberos issues the user a ticket with a limited lifetime. In most cases the ticket then allows the user to access all of the servers and hosts he or she should be able to access, for the lifetime of the ticket. -When you get tickets through Leash, Kerberos verfies that you are who you say you are by checking your user name and password and then gives you an initial ticket. When you access a service in your Kerberos realm, Leash passes your initial Kerberos ticket to the service. The service verifies the ticket and then issues you a service ticket that allows you access to that service. You don't have to worry about obtaining these new service tickets; they are automatically given to you. You can view service tickets with Leash but cannot directly obtain or destroy them. -
- - - - - - - - - - - - - - - - - - - - - - -
Import Status Meaning
importedThe tickets were obtained when you started a Windows Logon session by logging in to a domain. - -They have been imported into MIT Kerberos.
importableThe tickets were obtained when you started a Windows Logon session by logging in to a domain. -

-They have not been imported into MIT Kerberos because Automatic Import -has been turned off. To import them, select Automatic Import in the -Ticket Options panel of the Options tab, or click the Import button in the Home tab.
- How to: Use Ticket Options Panel
-How to: Import Tickets
protectedThe tickets were obtained when you started a Windows Logon session by logging in to a domain. -

-They have not been imported into Windows for Kerberos because User -Access Control (UAC) in Windows is preventing that action. If you want -to allow the tickets to be imported, turn off your computer's UAC.
exportable You used the Get Ticket window to obtain these tickets. -

-They have not been exported.

-To export these tickets for use with Windows services, click the Export -Ticket button. Note that exporting your tickets replaces rather than -adds to any existing tickets in your Windows Logon session.
exportedYou used the Get Ticket window to obtain these tickets. -

-They have been exported into your Windows Logon session and can be used with Windows services.
- -

Related Help

- - - diff --git a/src/windows/leash/htmlhelp/html/Import_Tickets.htm b/src/windows/leash/htmlhelp/html/Import_Tickets.htm deleted file mode 100644 index 0e71ab4..0000000 --- a/src/windows/leash/htmlhelp/html/Import_Tickets.htm +++ /dev/null @@ -1,82 +0,0 @@ - - - - - -Import_Tickets - - -

Import Tickets

-

-You can import Windows domain tickets that you have already obtained -through a Windows Logon session. Imported tickets can be fully used by -applications that require the MIT Kerberos interface. In most -installations, MIT Kerberos will automatically import these tickets if -possible.

- - - - - - -
On this pageOn other pages
-How to... - - Learn about... - -
- -

Turn Automatic Import on or off

-

-In most installations, MIT Kerberos will automatically import tickets -if possible. Go to the Options tab and click the Automatic Import -Tickets checkbox in the Ticket Options panel to turn the feature on or -off.
-How to: Use Ticket Options Panel -

-In some cases MIT Kerberos tries to automatically import tickets but is -prevented from doing so by the Windows User Access Control (UAC) -feature. If this happens the tickets are still displayed in the main -window, but have the Import Status of protected. You can turn off UAC on your computer to allow the tickets to be imported. -

-

-Back to top

- - -

Use the Import Ticket button

-

-If the Automatic Import option is turned off, you can still import tickets. -

    -
  1. Go to the Home tab.
    2. -
  2. Click the Import Tickets button.
    3. -
  3. Click Okay to confirm that you want to import your tickets and destroy any that are already in MIT Kerberos.
    4. -
- -

-

-Back to top

- - - - -

Related help

- - - diff --git a/src/windows/leash/htmlhelp/html/More_Menu.htm b/src/windows/leash/htmlhelp/html/More_Menu.htm deleted file mode 100644 index 96b9968..0000000 --- a/src/windows/leash/htmlhelp/html/More_Menu.htm +++ /dev/null @@ -1,49 +0,0 @@ - - - - - -More Panel - - -

Using the More Panel

- -

-Use the More panel to reach features not needed by all users. -

-

Find the More panel

-

The More panel is the panel on the far right of the ribbon menu. If your Kerberos window is wide enough, you will see the full More panel. If the window is too small to display it, you will see a More button. Click the More button to reach the full panel options.

-

- - - - - - - - - - - - - - - -
OptionSelect if...Details
Forget Principals You have previously entered a principal in the Get Ticket window and saved it, but you no longer want that principal included in the auto-complete feature or list of saved principals. - Select this to delete all saved principals from the auto-complete list in the Get Ticket and Change Password windows. -
-More Forget Principals help
-Allow Mixed Case Realm NameIf your Kerberos realm name uses any lower case letters. -Kerberos realms are a way of logically grouping resources and identities that use Kerberos. By convention, realm names use all upper case letters. This helps distinguish a realm from the DNS domain it corrosponds to. Realm names are case sensitive. So for convenience, anything you enter in the realm field of the Get Ticket window is converted to upper case, unless you turn this option on.
-

Related help

- - - - - - - diff --git a/src/windows/leash/htmlhelp/html/Options_Menu.htm b/src/windows/leash/htmlhelp/html/Options_Menu.htm deleted file mode 100644 index 5fe4920..0000000 --- a/src/windows/leash/htmlhelp/html/Options_Menu.htm +++ /dev/null @@ -1,62 +0,0 @@ - - - - - -Options Panel - - -

Using the Options Panel

-

-Use the Options panel to manage general MIT Kerberos settings. -

-

Find the Options panel

-

Look to the right of the buttons and View panel. If your Kerberos window is wide enough, you will see the Option checkboxes. If the window is too small to display them, you will see an Options button. Click the Options button to reach the option checkboxes.

- -

Turning Options on and off

-

-A checkmark indicates that the option is currently turned on. Click an Option checkbox to turn the option on or off. -

-

- - - - - - - - - - - - - - - - - - - -
-Option -Turn this on to... -Details
Destroy Tickets on Exit Have MIT Kerberos destroy your tickets when you exit the program. -

-Note: MIT Kerberos cannot permanently destroy tickets you've obtained by logging into a Windows domain, even if you've imported them. Those tickets are destroyed when you log out of the domain.		Turning this option on provides greater security. However, you will need to turn this off if you want to exit MIT Kerberos but leave processes running which require your valid tickets.
Automatic Ticket Renewal -Automatically renew tickets flagged as renewable, without promptings or requiring a password, until the renewal lifetime is reached. -Renewing your tickets allows you to run batch jobs without interruption and to work through a long session without continually reentering your -password. About renewable tickets -

-Note: Automatic ticket renewal will not work if you exit MIT Kerberos or if your machine is in hibernation mode. -
Expiration AlarmHave Kerberos provide an audible alarm 15, 10, and 5 minutes before your tickets expire.Regardless of whether this option is on, Kerberos alerts you to expiring tickets at the same intervals with pop up window. However, the pop up -window will not always be visible on a busy desktop. About ticket expiration
-

Related help

- - - - diff --git a/src/windows/leash/htmlhelp/html/Renew_Tickets2.htm b/src/windows/leash/htmlhelp/html/Renew_Tickets2.htm deleted file mode 100644 index 1233c67..0000000 --- a/src/windows/leash/htmlhelp/html/Renew_Tickets2.htm +++ /dev/null @@ -1,87 +0,0 @@ - - - - -Renew_Tickets - - - -

Renew Tickets

 -

-Renewing your tickets allows you to run batch jobs without interruption and to work through a long session without continually reentering your password. Each time you renew your ticket, Kerberos resets the ticket lifetime to the length of the orginal ticket.

- - - - -

How to...

- -

 -

Get renewable tickets

-

-In most configurations of Kerberos, you can choose to get renewable tickets. In some installations they will even be the default ticket setting. -

    -
  1. Click the Get Ticket button on the top of the window.
    2. -
  2. Enter your user name and password in the Get Ticket window. If the advanced settings are not visible, click Show Advanced Settings.
    3. -
  3. Under "Flag this ticket as, " select Renewable if it is not already checked. -
  4. Use the Renewable Until slider if you want to adjust how many days (or hours) you will be able to renew this ticket.
    5. -
  5. Click OK.
    6. -
-

- -

 -

See which of your tickets are renewable

-

-In the main Kerberos window, click the Flags checkbox. The Flags column is added to your view. Renewable tickets have the word "renewbale" in this column. -

-

 -

Find how long a ticket can be renewed

-

-In the main Kerberos window, click the Renewable Until checkbox. The Renewable Until column will appear. Your can renew your ticket repeatedly until the date and time in this column is reached, as long as you renew it while it is still valid. -

-

 -

Renew ticket once

-

-To renew your existing Kerberos ticket(s) just once, click the Renew Ticket button at the top of the window. Your ticket(s) will be renewed with the same lifespan as the original ticket. The new expiration time is listed in the "Valid Until" column. -

- -

 -

Renew ticket automatically

-

To set your Kerberos tickets to automatically renew for the entire renewable lifetime of the tickets, click the Options drop down button and select Automatic Ticket Renewal. If this option is already checked, selecting it will uncheck it and turn automatic renewal off.

-

-Note: MIT Kerberos can only automatically renew tickets while MIT Kerberos is active and running. This means that if your machine is in hibernation mode or if MIT Kerberos is not running when it is time to renew your tickets, your tickets will not be renewed.

-

- -

Renew Ticket Errors

-If any of the conditions listed below is not met, you will see an error message and then the Get Tickets window will open, allowing you to get a new ticket.

-

-You can renew your existing Kerberos tickets if all of the following are true: -

    -
  • The "Get tickets that can be renewed" box was selected when you obtained the ticket;
    -and
    • -
  • The " renewable by" deadline has not been reached ;
    -and
    • -
  • Your ticket has not already expired.
    • -
- - - -Related help - - - diff --git a/src/windows/leash/htmlhelp/html/View_Menu.htm b/src/windows/leash/htmlhelp/html/View_Menu.htm deleted file mode 100644 index 73aee19..0000000 --- a/src/windows/leash/htmlhelp/html/View_Menu.htm +++ /dev/null @@ -1,99 +0,0 @@ - - - - - -View Panel - - -

Using the View Panel

-

-Use the View panel to choose which information columns are displayed in the main window. The View panel is to the right of the buttons in the top of the Kerberos window.

-

Show or Hide View Columns

-

-A checkmark next to a View option indicates that the View column is currently shown in the main window. For example, "Valid Until" is selected by default, so the main window shows the Valid Until column unless you unselect that checkbox.

- -

Viewing Ticket Information

-

-The columns selected in the View panel show in the main window. -Click and drag the line separating two column headings to make a column wider or narrower. Click the blue triangle next to a principal to see information for all of the principal's tickets. More help about viewing tickets

-

-

-

Column Descriptions

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-Checkbox Name -Select this checkbox to... -Details
Issued See the date and time your ticket was originally obtained. If the ticket is imported, this is the time it was originally obtained when you logged on to a Windows domain with a Windows Logon session.
- Renewable UntilSee the date and time that your renewable tickets cannot be renewed any more. After this time you must get a new ticket to access services authenticated by Kerberos. - If this column shows Not Renewable, the ticket was not flagged as renewable when you obtained it. -

-Related Help: -
Valid Until -See when your ticket will expire. Note that you cannot renew a ticket if you let it expire. - Kerberos alerts you to expiring tickets with a warning in a pop up window. -To add an audible warning, select Expiration Alarm in the Options panel.
Using the Options Panel -
Encryption Type See the encryption type used to encrypt each session key and ticket. This can be useful when troubleshooting. Kerberos supports multiple types of encryption. The type used for a particular ticket or session key is automatically negotiated when you request a ticket or a service.
-More About Encryption Types
FlagsSee how the tickets were flagged (renewable and/or fowardable) when you obtained them. - You cannot change how an existing flag is set. If you need a ticket with different flags, you must get a new ticket.
-About ticket settings and flags -
Import Status See which of your tickets have been imported (or can be imported), from a Windows Logon session, and which have been exported (or can be exported) into a Windows Logon session. - -

-This column is only available when you have Kerberos tickets obtained by logging into Windows Logon session to enter a Windows domain. -

-About importable (Windows domain) tickets -		The import status tells you what application was used to obtain the ticket, and what application can fully use it now. Tickets originally obtained by starting a Windows Logon session in a domain are imported or importable to MIT Kerberos, or they are protected from being imported.

Tickets obtained with the Get Ticket window are eithe exportable or exported to the Windows Logon session. Import Status meanings - -
-

Related help

- - - - diff --git a/src/windows/leash/htmlhelp/html/Windows_Logon_Tickets.htm b/src/windows/leash/htmlhelp/html/Windows_Logon_Tickets.htm deleted file mode 100644 index f3d44a6..0000000 --- a/src/windows/leash/htmlhelp/html/Windows_Logon_Tickets.htm +++ /dev/null @@ -1,45 +0,0 @@ - - - - -Windows Logon Tickets - - -

Windows Logon Session Tickets

-

-MIT Kerberos is not the only interface for managing Kerberos tickets. -When you log on to a Windows domain, you are issued a Kerberos ticket -for your Windows Logon session. This ticket is automatically renewed -until you log out of the session, when it is destroyed.

-

-Sometimes applications that require Kerberos authentication only work -with MIT Kerberos. Others work only with the interface that is part of -the Windows Logon session. For this reason, you can use MIT Kerberos to -import tickets from your Windows domain or export tickets into your -Windows Logon session for use with Windows services, depending on your -needs. -

- - - - - - - - -
Learn about... How to...
- - - -
- - - - - diff --git a/src/windows/leash/htmlhelp/html/afx_hidw_status_bar.htm b/src/windows/leash/htmlhelp/html/afx_hidw_status_bar.htm deleted file mode 100644 index 82cb4d9..0000000 --- a/src/windows/leash/htmlhelp/html/afx_hidw_status_bar.htm +++ /dev/null @@ -1,34 +0,0 @@ - - - - -(status bar) - - - - - - - - - -

Status Bar

- -

The status bar is displayed at the bottom of the <<YourApp>> window. To display or hide the status bar, use the - Status Bar command in the View menu.

- -

The left area of the status bar describes actions of menu items as you use the arrow keys to navigate through menus. This area similarly shows messages that describe the actions of toolbar buttons as you -press them, before releasing them. If after viewing the description of the toolbar button command you wish not to execute the command, then release the mouse button while the pointer is off the toolbar button.

- -

The right areas of the status bar indicate which of the following keys are latched down:

- -

Indicator    Description

- -

CAP           The Caps Lock key is latched down.

- -

NUM         The Num Lock key is latched down.

- -

SCRL         The Scroll Lock key is latched down.

- - - diff --git a/src/windows/leash/htmlhelp/html/afx_hidw_toolbar.htm b/src/windows/leash/htmlhelp/html/afx_hidw_toolbar.htm deleted file mode 100644 index fc47454..0000000 --- a/src/windows/leash/htmlhelp/html/afx_hidw_toolbar.htm +++ /dev/null @@ -1,23 +0,0 @@ - - - - -(toolbar) - - - - - - - - - -

Toolbar

- - -

The toolbar is displayed across the top of the application window, below the menu bar. The toolbar provides quick mouse access to many tools used in <<YourApp>>,

- -

To hide or display the toolbar, click Toolbar from the View menu.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_app_about.htm b/src/windows/leash/htmlhelp/html/hid_app_about.htm deleted file mode 100644 index 538cc9e..0000000 --- a/src/windows/leash/htmlhelp/html/hid_app_about.htm +++ /dev/null @@ -1,16 +0,0 @@ - - - - -(About command (Help menu)) - - - - - -

About command (Help menu)

- -

Use this command to display the copyright notice and version number of your copy of <<YourApp>>.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_app_exit.htm b/src/windows/leash/htmlhelp/html/hid_app_exit.htm deleted file mode 100644 index 805f043..0000000 --- a/src/windows/leash/htmlhelp/html/hid_app_exit.htm +++ /dev/null @@ -1,22 +0,0 @@ - - - - -(File Exit command) - - - - - - - - - -

Exit command (File menu)

- -

Use this command to end your <<YourApp>> session. You can also use the - Close command on the application Control menu. <<YourApp>> prompts you to save documents with unsaved changes.

- - - - diff --git a/src/windows/leash/htmlhelp/html/hid_context_help.htm b/src/windows/leash/htmlhelp/html/hid_context_help.htm deleted file mode 100644 index 34f742e..0000000 --- a/src/windows/leash/htmlhelp/html/hid_context_help.htm +++ /dev/null @@ -1,20 +0,0 @@ - - - - -(Help Using Help Command) - - - - - -

Context Help command

- - -

Use this command to obtain help on some portion of <<YourApp>>. When you choose the -toolbar's Context Help button, the mouse pointer will change to an arrow and question mark. Then click somewhere in the <<YourApp>> window, such as another -toolbar button. The help topic will be shown for the item you clicked.

- - - - diff --git a/src/windows/leash/htmlhelp/html/hid_help_index.htm b/src/windows/leash/htmlhelp/html/hid_help_index.htm deleted file mode 100644 index 9356177..0000000 --- a/src/windows/leash/htmlhelp/html/hid_help_index.htm +++ /dev/null @@ -1,18 +0,0 @@ - - - - -(Index command (Help menu)) - - - - - -

Index command (Help menu)

- -

Use this command to display the opening screen of help. From the opening screen, you can jump to step-by-step instructions for using <<YourApp>> and various types of reference information.

- -

Once you open help, you can click the Contents button whenever you want to return to the opening screen.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_help_using.htm b/src/windows/leash/htmlhelp/html/hid_help_using.htm deleted file mode 100644 index bcf07e8..0000000 --- a/src/windows/leash/htmlhelp/html/hid_help_using.htm +++ /dev/null @@ -1,16 +0,0 @@ - - - - -(Using Help command (Help menu)) - - - - - -

Using Help command (Help menu)

- -

Use this command for instructions about using help.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_sc_close.htm b/src/windows/leash/htmlhelp/html/hid_sc_close.htm deleted file mode 100644 index 775be73..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_close.htm +++ /dev/null @@ -1 +0,0 @@ -(Close command (Control menus))

Close command (Control menus)

Use this command to close the active window or dialog box.

Double-clicking a Control menu box is the same as choosing the Close command.

Note: If you have multiple windows open for a single document, the Close command on the document Control menu closes only one window at a time. You can close all windows at once with the Close command on the File menu.

diff --git a/src/windows/leash/htmlhelp/html/hid_sc_maximize.htm b/src/windows/leash/htmlhelp/html/hid_sc_maximize.htm deleted file mode 100644 index 241292d..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_maximize.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - -(Maximize command (System menu)) - - - - - -

Maximize command (System menu)

- -

Use this command to enlarge the active window to fill the available space.

- - - - diff --git a/src/windows/leash/htmlhelp/html/hid_sc_minimize.htm b/src/windows/leash/htmlhelp/html/hid_sc_minimize.htm deleted file mode 100644 index 118fe1e..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_minimize.htm +++ /dev/null @@ -1,16 +0,0 @@ - - - - -(System Minimize Command) - - - - - -

Minimize command (application Control menu)

- -

Use this command to reduce the <<YourApp>> window to an icon.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_sc_move.htm b/src/windows/leash/htmlhelp/html/hid_sc_move.htm deleted file mode 100644 index f97f855..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_move.htm +++ /dev/null @@ -1,18 +0,0 @@ - - - - -(Move command (Control menu)) - - - - - -

Move command (Control menu)

- -

Use this command to display a four-headed arrow so you can move the active window or dialog box with the arrow keys.

- -

Note: This command is unavailable if you maximize the window.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_sc_restore.htm b/src/windows/leash/htmlhelp/html/hid_sc_restore.htm deleted file mode 100644 index bdef357..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_restore.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - -(Restore command (Control menu)) - - - - - -

Restore command (Control menu)

- -

Use this command to return the active window to its size and position before you chose the - Maximize or Minimize command.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_sc_size.htm b/src/windows/leash/htmlhelp/html/hid_sc_size.htm deleted file mode 100644 index 9332719..0000000 --- a/src/windows/leash/htmlhelp/html/hid_sc_size.htm +++ /dev/null @@ -1,26 +0,0 @@ - - - - -(Size command (System menu)) - - - - - -

Size command (System menu)

- -

Use this command to display a four-headed arrow so you can size the active window with the arrow keys.

- -

After the pointer changes to the four-headed arrow:

- -

1.Press one of the direction keys (left, right, up, or down arrow key) to move the pointer to the border you want to move.

- -

2.Press a direction key to move the border.

- -

3.Press ENTER when the window is the size you want.

- -

Note: This command is unavailable if you maximize the window.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_view_status_bar.htm b/src/windows/leash/htmlhelp/html/hid_view_status_bar.htm deleted file mode 100644 index 6068737..0000000 --- a/src/windows/leash/htmlhelp/html/hid_view_status_bar.htm +++ /dev/null @@ -1,24 +0,0 @@ - - - - -(View Status Bar Command) - - - - - - - - - -

Status Bar command (View menu)

- -

Use this command to display and hide the status bar, which describes the action to be executed by the selected menu item or -pressed toolbar button, and keyboard latch state. A checkmark appears next to the menu item when the -status bar is displayed.

- -

See Status Bar for help on using the status bar.

- - - diff --git a/src/windows/leash/htmlhelp/html/hid_view_toolbar.htm b/src/windows/leash/htmlhelp/html/hid_view_toolbar.htm deleted file mode 100644 index 43dfe35..0000000 --- a/src/windows/leash/htmlhelp/html/hid_view_toolbar.htm +++ /dev/null @@ -1,23 +0,0 @@ - - - - -(View Toolbar command) - - - - - - - - - -

Toolbar command (View menu)

- -

Use this command to display and hide the toolbar, which includes buttons for some of the most common commands in <<YourApp>>, such as - File Open. A checkmark appears next to the menu item when the toolbar is displayed.

- -

See Toolbar for help on using the toolbar.

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_acknowledgements.htm b/src/windows/leash/htmlhelp/html/leash_acknowledgements.htm deleted file mode 100644 index 577ceb5..0000000 --- a/src/windows/leash/htmlhelp/html/leash_acknowledgements.htm +++ /dev/null @@ -1,76 +0,0 @@ - - - - - The MIT Kerberos Team - - - - -

-

The MIT Kerberos Team

-This is by no means a complete list, as we have contributors and -collaborators from all over the net.
-
-MIT Team Members - -The following people are not officially affiliated with MIT, but -contribute to the MIT Kerberos V5 effort: - -
- - diff --git a/src/windows/leash/htmlhelp/html/leash_bug_reports.htm b/src/windows/leash/htmlhelp/html/leash_bug_reports.htm deleted file mode 100644 index d830815..0000000 --- a/src/windows/leash/htmlhelp/html/leash_bug_reports.htm +++ /dev/null @@ -1,30 +0,0 @@ - - - - - Reporting Bugs and Requesting Assistance - - - - -

-

Reporting Bugs and Requesting -Assistance
-

-

-

If you find bugs, please mail -them to kfw-bugs@MIT.EDU.

-

kerberos@MIT.EDU is a mailing list set up for -discussing -Kerberos issues. It is gatewayed to the Usenet newsgroup -'comp.protocols.kerberos'. If you prefer to read it via mail, send a -request to -kerberos-request@MIT.EDU to get added or subscribe via the web page: 

-

http://mailman.mit.edu/mailman/listinfo/kerberos

-

 

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_change_password.htm b/src/windows/leash/htmlhelp/html/leash_command_change_password.htm deleted file mode 100644 index e2e971e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_change_password.htm +++ /dev/null @@ -1,28 +0,0 @@ - - - - - Change Password Command - - - - -

Change Password Command

-

The Change Password command is found on the Action menu; it is also -the fifth button (from the left) in the toolbar.  This command -changes your Kerberos password.
-

-

Change Password Dialog
-

-

Note: This command will not change your local machine password -unless your Windows Logon Session is authenticated using Kerberos.
-

-

How To -Choose a Password.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_destroy_tickets.htm b/src/windows/leash/htmlhelp/html/leash_command_destroy_tickets.htm deleted file mode 100644 index 595ce81..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_destroy_tickets.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - Destroy Tickets Command - - - - -

Destroy Ticket(s)/Token(s) Command, Ctrl+D

-This command is found on the Action menu; it is also the fourth button -(from the left) in the toolbar.  Use this command to destroy all -of the Kerberos tickets (and perhaps AFS tokens) on your local -machine.  Leash confirms your intentions before completing the -request.  Tickets for individual services may not be destroyed by -the Leash Application.
-
-Once tickets are destroyed, you must Get or Import new tickets before -Kerberized applications can once again access network services.
-
- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_get_tickets.htm b/src/windows/leash/htmlhelp/html/leash_command_get_tickets.htm deleted file mode 100644 index a380919..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_get_tickets.htm +++ /dev/null @@ -1,43 +0,0 @@ - - - - - Get Tickets Command - - - - -

Get Ticket(s)/Token(s) Command, Ctrl+T

-This command is found under the Action menu; it is also the first -button (from the left) in the toolbar.  Use this command to obtain -new Kerberos tickets (and perhaps AFS tokens.)
-
-Advanced Initialize Tickets Dialog
-
-Basic Initialize Tickets Dialog
-
-When you select this commmand, Leash displays a dialog requesting your -Username, Kerberos Realm, and Password; if these are correct, Leash -will obtain tickets for you.  You may optionally specify a ticket -lifetime and various Kerberos 5 ticket options:
-
    -
  • ticket forwarding
    • -
  • addressless tickets
    • -
  • renewable ticket times
    -
    • -
-

See Also

-

Kerberos tickets

-

AFS tokens

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_import_tickets.htm b/src/windows/leash/htmlhelp/html/leash_command_import_tickets.htm deleted file mode 100644 index 846bb35..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_import_tickets.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - Import Tickets Command - - - - -

Import Ticket(s)/Token(s) Command, Ctrl+I

-This command is found on the Action menu; it is the third button (from -the left) in the toolbar.  Use this command to import Kerberos -tickets from your Windows Logon Session.  Importing tickets will -result in the destruction of existing tickets.  Leash will confirm -the operation if necessary.
-
-Note:  This command is only available if your Windows Logon -Session is authenticated using Kerberos.
-

See Also

-

Kerberos tickets

-

AFS tokens

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_renew_tickets.htm b/src/windows/leash/htmlhelp/html/leash_command_renew_tickets.htm deleted file mode 100644 index cca2fb8..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_renew_tickets.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - Renew Tickets Command - - - - -

Renew Ticket(s)/Token(s) Command, Ctrl+R

-This command is found on the Action menu; it is also the second button -(from the left) in the toolbar.  Use this command to renew the -Kerberos tickets (and perhaps AFS tokens) on your local machine without -requiring the use of a password.  If your existing tickets cannot -be renewed the ticket initialization dialog will be displayed allowing -you to request new tickets.
-
-Note: This command is only available if your existing Kerberos tickets -are renewable.
-
-
- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_reset_window.htm b/src/windows/leash/htmlhelp/html/leash_command_reset_window.htm deleted file mode 100644 index 3c189e7..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_reset_window.htm +++ /dev/null @@ -1,19 +0,0 @@ - - - - - Reset Window Size/Pos Option - - - - -

Reset Window Size/Pos -Option

-

When you select this from the Options menu, the Leash window moves -to its default size and position, near the upper left corner of the -screen.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_sync_time.htm b/src/windows/leash/htmlhelp/html/leash_command_sync_time.htm deleted file mode 100644 index 8b69f87..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_sync_time.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - Synchronize Time Option - - - - -

Synchronize Time

-

This command is found on the Action menu; it is also the sixth -button (from the left) in the toolbar.  When you select this -command, Leash synchronizes the local machine time with the time server -specified in the Leash Properties dialog.
-

-

Note: Kerberos authentication protocol requires loosely synchronized -time between computers.  The local machine clock and the Kerberos -server clock need to be within five minutes of each other for Kerberos -to function properly.  This function can also be performed with -the clock icon on the toolbar and has no keyboard equivalent.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_command_update_display.htm b/src/windows/leash/htmlhelp/html/leash_command_update_display.htm deleted file mode 100644 index a10718a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_command_update_display.htm +++ /dev/null @@ -1,30 +0,0 @@ - - - - - Update Display Command - - - - -

Update Display Command, F5

-

Use this command (in the Actions menu, or the black rectangular -icon) to update the display of your current Kerberos tickets. You can -also perform this function by clicking in the main Leash window.

-

Why Use It...

-

Although most end users will likely find this Leash feature -irrelevant, application developers and support staff may occasionally -find it to be useful. For example, you may want an immediate status -check of Kerberos tickets if you have just used command-line kinit or kdestroy and want to check that -they have functioned successfully.

-

How It Works...

-

While Leash automatically checks the status of your Kerberos tickets -every 30 seconds, the Update Display command forces an immediate status -check.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_copyright.htm b/src/windows/leash/htmlhelp/html/leash_copyright.htm deleted file mode 100644 index f3bc88e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_copyright.htm +++ /dev/null @@ -1,45 +0,0 @@ - - - - - Leash Copyright - - - - -

-

Leash Copyright

-

-

This software is being provided to you, the LICENSEE, by the -Massachusetts Institute of Technology (M.I.T) under the following -license. By obtaining, using and/or copying this software, you agree -that you have read, understood, and will comply with these terms and -conditions:

-

Permission to use, copy, modify and distribute this software and its -documentation for any purpose and without fee or royalty is hereby -granted, provided that you agree to comply with the following copyright -notice and statements, including the disclaimer, and that the same -appear on ALL copies of the software and documentation, including -modifications that you make for internal use or for distribution:

-

Copyright 1992-2004 by the Massachusetts Institute of Technology. -All rights reserved.

-

THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO -REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, -but not limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF -MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE -OF THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD -PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.

-

The name of the Massachusetts Institute of Technology or M.I.T. may -NOT be used in advertising or publicity pertaining to distribution of -the software. Title to copyright in this software and any associated -documentation shall at all times remain with M.I.T., and USER agrees to -preserve same.

-

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, -Moira, OLC, X Window System, and Zephyr are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_errors.htm b/src/windows/leash/htmlhelp/html/leash_errors.htm deleted file mode 100644 index 9179109..0000000 --- a/src/windows/leash/htmlhelp/html/leash_errors.htm +++ /dev/null @@ -1,18 +0,0 @@ - - - - - Leash Copyright - - - - -

-

Common Leash Error Messages

-

-This section describes error messages commonly displayed by Leash. - - diff --git a/src/windows/leash/htmlhelp/html/leash_export.htm b/src/windows/leash/htmlhelp/html/leash_export.htm deleted file mode 100644 index b7b39a7..0000000 --- a/src/windows/leash/htmlhelp/html/leash_export.htm +++ /dev/null @@ -1,34 +0,0 @@ - - - - - Kerberos Export Restrictions and Source Code Access - - - - -

-

Kerberos Export Restrictions and Source Code Access

-

-

Copyright (C) 1989-2004 by the Massachusetts Institute of Technology

-

Export of this software from the United States of America may -require a specific license from the United States Government. It is the -responsibility of any person or organization contemplating export to -obtain such a license before exporting.

-

WITHIN THAT CONSTRAINT, permission to use, copy, modify, and -distribute this software and its documentation for any purpose and -without fee is hereby granted, provided that the above copyright notice -appear in all copies and that both that copyright notice and this -permission notice appear in supporting documentation, and that the name -of M.I.T. not be used in advertising or publicity pertaining to -distribution of the software without specific, written prior -permission. M.I.T. makes no representations about the suitability of -this software for any purpose. It is provided "as is" without express -or implied warranty.

-

Export of the documentation is not restricted.

-
- - diff --git a/src/windows/leash/htmlhelp/html/leash_external_aklog.htm b/src/windows/leash/htmlhelp/html/leash_external_aklog.htm deleted file mode 100644 index 5b00030..0000000 --- a/src/windows/leash/htmlhelp/html/leash_external_aklog.htm +++ /dev/null @@ -1,20 +0,0 @@ - - - - - aklog.exe - - - - -

aklog.exe program

-

aklog is a program which may be used to obtain AFS tokens for a cell -which may or may not be equivalent to the Kerberos realm whose tickets -are used to obtain the tokens.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_external_kdestroy.htm b/src/windows/leash/htmlhelp/html/leash_external_kdestroy.htm deleted file mode 100644 index a623193..0000000 --- a/src/windows/leash/htmlhelp/html/leash_external_kdestroy.htm +++ /dev/null @@ -1,19 +0,0 @@ - - - - -kdestroy.exe - - - - - - - - -

kdestroy.exe program

- -

This is another way to destroy your tickets. Running this application will immediately destroy all tickets and tokens you might have, no matter how they were obtained.

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_external_kinit.htm b/src/windows/leash/htmlhelp/html/leash_external_kinit.htm deleted file mode 100644 index 97d62c0..0000000 --- a/src/windows/leash/htmlhelp/html/leash_external_kinit.htm +++ /dev/null @@ -1,19 +0,0 @@ - - - - -kinit.exe - - - - - - - - -

kinit.exe program

- -

This is a little program which will run a command-prompt, text-based version of the ticket initialization window. (However, unlike in the graphical version, you do not have the option of changing the ticket lifetime.) This can be useful if you have a slow computer, or if you are having difficulty with the graphical version for some reason.

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_external_klist.htm b/src/windows/leash/htmlhelp/html/leash_external_klist.htm deleted file mode 100644 index a2e7bdb..0000000 --- a/src/windows/leash/htmlhelp/html/leash_external_klist.htm +++ /dev/null @@ -1,19 +0,0 @@ - - - - -Why Use - - - - - - - - -

klist.exe program

- -

This application will quickly list all of the tickets you have.

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_external_ms2mit.htm b/src/windows/leash/htmlhelp/html/leash_external_ms2mit.htm deleted file mode 100644 index a2f301e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_external_ms2mit.htm +++ /dev/null @@ -1,20 +0,0 @@ - - - - - ms2mit.exe - - - - -

ms2mit.exe program

-

This is another way to import Windows Logon Session Kerberos tickets -for use by Leash and other Kerberos for Windows applications.  The -functionality is equivalent to the Import Tickets Command.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_file_exit.htm b/src/windows/leash/htmlhelp/html/leash_file_exit.htm deleted file mode 100644 index 72ecf49..0000000 --- a/src/windows/leash/htmlhelp/html/leash_file_exit.htm +++ /dev/null @@ -1,24 +0,0 @@ - - - - - Exit/End Leash Program - - - - -

Exit Command

-

From the File menu, you can use this command to exit the Leash -program.  If any other means is used to close the Leash window, -the Leash program will continue to execute and remain present in the -Windows System Tray.
-

-

Important Note...

-

Exiting the Leash program will not destroy your current -Kerberos tickets. Unless you have selected this in the options menu, -you need to use the destroy tickets command.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_help_about_leash32.htm b/src/windows/leash/htmlhelp/html/leash_help_about_leash32.htm deleted file mode 100644 index 8eedd89..0000000 --- a/src/windows/leash/htmlhelp/html/leash_help_about_leash32.htm +++ /dev/null @@ -1,42 +0,0 @@ - - - - - About Leash Command - - - - -

About Leash

-

When you access this window from the Help menu, you see a Module -list, three radio buttons, and a Properties button. Modules are -executables and dll files that Leash may require.
-

-

About Leash dialog
-

-

The radio buttons let you choose to view a list of: -

-
    -
  • Leash Modules - displays the modules that Leash currently has -loaded for its own use;
    -
    -
    • -
  • All Modules - displays Leash modules as well as those loaded by -the OS;
    -
    -
    • -
  • Missing Modules - displays modules that Leash needs for -complete functionality but that are not found. (Leash can still -function with some modules missing.). This is useful if part of Leash -is missing; you can find which files are needed to restore full -functionality.
    • -
-

If you select a module and click on the Properties button, Leash -displays the properties of the selected module - both the general -properties and those of this particular version.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_kerberos_copyright.htm b/src/windows/leash/htmlhelp/html/leash_kerberos_copyright.htm deleted file mode 100644 index 68fa98f..0000000 --- a/src/windows/leash/htmlhelp/html/leash_kerberos_copyright.htm +++ /dev/null @@ -1,45 +0,0 @@ - - - - - Kerberos Copyright - - - - -

-

Kerberos Copyright

-

-

This software is being provided to you, the LICENSEE, by the -Massachusetts Institute of Technology (M.I.T.) under the following -license. By obtaining, using and/or copying this software, you agree -that you have read, understood, and will comply with these terms and -conditions:

-

Permission to use, copy, modify and distribute this software and its -documentation for any purpose and without fee or royalty is hereby -granted, provided that you agree to comply with the following copyright -notice and statements, including the disclaimer, and that the same -appear on ALL copies of the software and documentation, including -modifications that you make for internal use or for distribution:

-

Copyright 1992-2004 by the Massachusetts Institute of Technology. -All rights reserved.

-

THIS SOFTWARE IS PROVIDED "AS IS", AND M.I.T. MAKES NO -REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. By way of example, -but not limitation, M.I.T. MAKES NO REPRESENTATIONS OR WARRANTIES OF -MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE -OF THE LICENSED SOFTWARE OR DOCUMENTATION WILL NOT INFRINGE ANY THIRD -PARTY PATENTS, COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS.

-

The name of the Massachusetts Institute of Technology or M.I.T. may -NOT be used in advertising or publicity pertaining to distribution of -the software. Title to copyright in this software and any associated -documentation shall at all times remain with M.I.T., and USER agrees to -preserve same.

-

Project Athena, Athena, Athena MUSE, Discuss, Hesiod, Kerberos, -Moira, OLC, X Window System, and Zephyr are trademarks of the -Massachusetts Institute of Technology (MIT). No commercial use of these -trademarks may be made without prior written permission of MIT.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_manpage_aklog.htm b/src/windows/leash/htmlhelp/html/leash_manpage_aklog.htm deleted file mode 100644 index a9c5f6d..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpage_aklog.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - - AKLOG Command - - - - -

AKLOG Command

-

(from UNIX man page)

-
User Commands                                            AKLOG(1)

NAME
     aklog - Obtain tokens for authentication to AFS

SYNOPSIS
     aklog [ -d ] [ -force ] [ -hosts ] [ -zsubs ] [ -noprdb ]  [
     [ -cell | -c ] cell [ -k kerberos-realm ] ] [ [ -path | -p ]
     pathname ]

DESCRIPTION
     The aklog program is used  to  authenticate  to  a  cell  or
     directory  in  AFS,  the Andrew Filesystem, by obtaining AFS
     tokens. Ordinarily, aklog is not used directly but called by
     attach(1).

     If aklog is invoked with no command line arguments, it  will
     obtain  tokens for the workstation's local cell.  It is pos-
     sible to invoke aklog with arbitrarily many cells and  path-
     names  specified  on  the  command  line. aklog knows how to
     expand cell name abbreviations, so short forms of cell names
     can be use used.  In addition, aklog understands the follow-
     ing command line options:

     -cell | -c cell
         This flag is not ordinarily necessary  since  aklog  can
         usually  figure  out when an argument is a cell.  It can
         be used to introduce a cell name that  would  ordinarily
         be  mistaken for a path name if this should be required.
         If this flag is omitted, an argument will be treated  as
         a cell name if it contains no slashes (/) and is neither
         "." nor ".." .

     -k kerberos-realm
         This flag is valid only when immediately  following  the
         name  of a cell.  It is used to tell aklog what kerberos
         realm should be used while authenticating to the preced-
         ing  cell.  This argument is unnecessary except when the
         workstation is  not  properly  configured.   Ordinarily,
         aklog can determine this information on its own.

     -path | -p pathname
         Like the -cell flag, this flag is  usually  unnecessary.
         When  it  appears,  the  next  command  line argument is
         always treated as a path name.  Ordinarily, an  argument
         is  treated as a path name if it is "." or ".." or if it
         contains a slash (/).

     -hosts
         Prints all the server addresses which may act as a  sin-
         gle  point  of failure in accessing the specified direc-
         tory path.  Each element of the path is examined, and as
         new  volumes  are traversed, if they are not replicated,
         the server's IP address containing the  volume  will  be
         displayed.   Attach(1)  invokes  aklog with this option.
         The output is of the form

         host: IP address

     -zsubs
         Causes the printing of the zephyr subscription  informa-
         tion  that  a  person  using  a given path or cell would
         want. Attach(1) invokes aklog  with  this  option.   The
         output is of the form

         zsub: instance

         where instance is the instance of a class filsrv  zephyr
         subscription.

     -noprdb
         Ordinarily, aklog looks up the AFS ID  corresponding  to
         the name of the person invoking the command.  Specifying
         this flag turns off this  functionality.   This  may  be
         desirable  if the protection database is unavailable for
         some reason and tokens are desired anyway.

     -d  Turns on printing of debugging information.  This option
         is not intended for general users.

     -force
         Forces aklog to obtain  new  tokens  even  if  the  user
         already appears to have tokens identical to the new ones
         they would get.  This option is most often required when
         the user has recently been added to an AFS group.

EXIT CODES
     The exit status of aklog will be one of the following:

     0    Success -- No error occurred.

     1    Usage -- Bad command syntax;  accompanied  by  a  usage
          message.

     2    Something failed -- More than one cell or pathname  was
          given  on  the  command  line  and at least one failure
          occurred.  A more specific  error  status  is  returned
          when only one directive is given.

     3    AFS -- Unable to get AFS configuration or unable to get
          information about a specific cell.

     4    Kerberos -- Unable to get tickets for authentication.

     5    Token -- Unable to get tokens.

     6    Bad pathname -- The path given was not a  directory  or
          lstat(2) failed on some component of the pathname.

     7    Miscellaneous -- An  internal  failure  occurred.   For
          example, aklog returns this if it runs out of memory.

EXAMPLES
     To get tokens for the local cell:
     % aklog

     To get tokens for the athena.mit.edu cell:
     % aklog athena.mit.edu
     or
     % aklog athena

     To       get       tokens       adequate       to       read
     /afs/athena.mit.edu/user/p/potato:
     % aklog /afs/athena.mit.edu/user/p/potato

     To get tokens for a test cell that is  in  a  test  Kerberos
     realm:
     % aklog testcell.mit.edu -k TESTREALM.MIT.EDU

SEE ALSO
     attach(1), tokens(1), unlog(1)


- - diff --git a/src/windows/leash/htmlhelp/html/leash_manpage_kdestroy.htm b/src/windows/leash/htmlhelp/html/leash_manpage_kdestroy.htm deleted file mode 100644 index 9c7aa42..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpage_kdestroy.htm +++ /dev/null @@ -1,86 +0,0 @@ - - - - -KDESTROY Command - - - - - - - - -

KDESTROY Command

- -

(from UNIX man page)

- -
User Commands  KDESTROY ( 1 )
-
-NAME
- kdestroy - destroy Kerberos tickets
-
-SYNOPSIS
- kdestroy [-5] [-4] [-q] [-c cache_name]
-
-DESCRIPTION
-
- The kdestroy utility destroys the user's active Kerberos
- authorization tickets by writing zeros to the specified credentials
- cache that contains them.  If the credentials cache is not specified,
- the default credentials cache is destroyed.  If kdestroy was built with
- Kerberos 4 support, the default behavior is to destroy both Kerberos 5
- and Kerberos 4 credentials.  Otherwise, kdestroy will default to
- destroying only Kerberos 5 credentials.
-
-OPTIONS
-
- -5 destroy Kerberos 5 credentials.  This overrides whatever the
-    default built-in behavior may be.  This option may be used with -4
-
- -4 destroy Kerberos 4 credentials.  This overrides whatever the
-    default built-in behavior may be.  This option is only available
-    if kinit was built with Kerberos 4 compatibility.  This option may
-    be used with -5
-
- -q Run quietly.  Normally kdestroy beeps if it fails to destroy the
-    user's tickets.  The -q flag suppresses this behavior.
-
- -c cache_name
-    use cache_name as the credentials (ticket) cache name and
-    location; if this option is not used, the default cache name and
-    location are used.
-
- The default credentials cache may vary between systems.  If the
- KRB5CCNAME environment variable is set, its value is used to name the
- default ticket cache.
-
- Most installations recommend that you place the kdestroy command in
- your .logout file, so that your tickets are destroyed automatically
- when you log out.
-
-ENVIRONMENT
- Kdestroy uses the following environment variables:
-
- KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache.
-
- KRBTKFILE Filename of the Kerberos 4 credentials (ticket) cache.
-
-FILES
- /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache
- ([uid] is the decimal UID of the user).
-
- /tmp/tkt[uid] default location of Kerberos 4 credentials cache ([uid]
- is the decimal UID of the user).
-
-SEE  ALSO
- kinit(1), klist(1), krb5(3)
-
-BUGS
- Only the tickets in the specified credentials cache are
- destroyed.  Separate ticket caches are used to hold root instance and
- password changing tickets.  These should probably be destroyed too,
- or all of a user's tickets kept in a single credentials cache.
- - - diff --git a/src/windows/leash/htmlhelp/html/leash_manpage_kinit.htm b/src/windows/leash/htmlhelp/html/leash_manpage_kinit.htm deleted file mode 100644 index 88e54f3..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpage_kinit.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - - KINIT Command - - - - -

KINIT Command

-

(from UNIX man page)

-
User Commands                                            KINIT(1)

NAME
     kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
     kinit
          [-5] [-4] [-V] [-l lifetime] [-s start_time] [-r
          renewable_life] [-p | -P] [-f | -F] [-A] [-v] [-R] [-k
          [-t keytab_file]] [-c cache_name] [-S service_name]
          [principal]

DESCRIPTION
     kinit obtains and caches an initial  ticket-granting  ticket
     for  principal.Thetypicaldefaultbehavior Kerberos 5 tickets.
     However, if kinit was built with both Kerberos 4 support and
     with  the  default behavior of acquiring both types of tick-
     ets, it will try to acquire both Kerberos 5 and  Kerberos  4
     by default.  Any documentation particular to Kerberos 4 does
     not apply if Kerberos 4 support was not built into kinit.

OPTIONS
     -5   get Kerberos 5 tickets.  This  overrides  whatever  the
          default  built-in  behavior may be.  This option may be
          used with -4

     -4   get Kerberos 4 tickets.  This  overrides  whatever  the
          default  built-in behavior may be.  This option is only
          available if kinit was built with Kerberos  4  compati-
          bility.  This option may be used with -5

     -V   display verbose output.

     -l lifetime
          requests a ticket  with  the  lifetime  lifetime.   The
          value  for lifetime must be followed immediately by one
          of the following delimiters:

             s  seconds
             m  minutes
             h  hours
             d  days

          as in "kinit -l 90m".  You cannot mix units; a value of
          `3h30m' will result in an error.

          If the -l option is not specified, the  default  ticket
          lifetime (configured by each site) is used.  Specifying
          a ticket lifetime longer than the maximum ticket  life-
          time (configured by each site) results in a ticket with
          the maximum lifetime.

     -s start_time
          requests  a  postdated  ticket,   valid   starting   at
          start_time.   Postdated  tickets  are  issued  with the
          invalid flag set, and need to be fed back  to  the  kdc
          before use.  (Not applicaple to Kerberos 4.)

     -r renewable_life
          requests renewable tickets, with a  total  lifetime  of
          renewable_life.   The duration is in the same format as
          the -l option, with the same delimiters.  (Not applica-
          ple to Kerberos 4.)

     -f   request forwardable tickets.  (Not applicaple  to  Ker-
          beros 4.)

     -F   do not request forwardable tickets.  (Not applicaple to
          Kerberos 4.)

     -p   request proxiable tickets.  (Not applicaple to Kerberos
          4.)

     -P   do not request proxiable tickets.  (Not  applicaple  to
          Kerberos 4.)

     -A   request address-less tickets.  (Not applicaple to  Ker-
          beros 4.)

     -v   requests that the ticket granting ticket in  the  cache
          (with  the  invalid  flag set) be passed to the kdc for
          validation.  If the ticket is within its requested time
          range, the cache is replaced with the validated ticket.
          (Not applicaple to Kerberos 4.)

     -R   requests renewal of the ticket-granting  ticket.   Note
          that  an  expired ticket cannot be renewed, even if the
          ticket is still within its renewable life.  When  using
          this  option with Kerberos 4, the kdc must support Ker-
          beros 5 to Kerberos 4 ticket conversion.

     -k [-t keytab_file]
          requests a host ticket, obtained  from  a  key  in  the
          local host's keytab file.  The name and location of the
          keytab file may be specified with  the  -t  keytab_file
          option; otherwise the default name and location will be
          used.  When using this option with Kerberos 4, the  kdc
          must  support  Kerberos  5 to Kerberos 4 ticket conver-
          sion.

     -c cache_name
          use cache_name as the Kerberos 5  credentials  (ticket)
          cache  name  and  location; if this option is not used,
          the default cache name and location are used.

          The default credentials cache may vary between systems.

          If  the  KRB5CCNAME  environment  variable  is set, its
          value is used to name the default  ticket  cache.   Any
          existing  contents of the cache are destroyed by kinit.
          (Note: The default name for Kerberos 4 comes  from  the
          KRBTKFILE  environment  variable.  This option does not
          apply to Kerberos 4.)

     -S service_name
          specify an alternate service name to use  when  getting
          initial tickets.  (Applicable to Kerberos 5 or if using
          both Kerberos 5 and Kerberos 4 with a kdc that supports
          Kerberos 5 to Kerberos 4 ticket conversion.)

ENVIRONMENT
     Kinit uses the following environment variables:

     KRB5CCNAME      Location  of  the  Kerberos  5   credentials
                     (ticket) cache.

     KRBTKFILE      Filename  of  the  Kerberos   4   credentials
                    (ticket) cache.

FILES
     /tmp/krb5cc_[uid]  default location of  Kerberos  5  creden-
                        tials  cache ([uid] is the decimal UID of
                        the user).

     /tmp/tkt[uid]  default location of  Kerberos  4  credentials
                    cache ([uid] is the decimal UID of the user).

     /etc/krb5.keytab
                    default location for the local host's  keytab
                    file.

SEE ALSO
     klist(1), kdestroy(1), krb5(3)


- - diff --git a/src/windows/leash/htmlhelp/html/leash_manpage_klist.htm b/src/windows/leash/htmlhelp/html/leash_manpage_klist.htm deleted file mode 100644 index 9bc955e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpage_klist.htm +++ /dev/null @@ -1,106 +0,0 @@ - - - - -KLIST Command - - - - - - - - -

KLIST Command

- -

(from UNIX man page)

- -
User Commands  KLIST ( 1 )
-
-NAME
- klist - list cached Kerberos tickets
-
-SYNOPSIS
- klist [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] [-k [-t] [-K]]
- [cache_name | keytab_name]
-
-DESCRIPTION
-
- Klist lists the Kerberos principal and Kerberos tickets held in a
- credentials cache, or the keys held in a keytab file.  If klist was
- built with Kerberos 4 support, the default behavior is to list both
- Kerberos 5 and Kerberos 4 credentials.  Otherwise, klist will default
- to listing only Kerberos 5 credentials.
-
-OPTIONS
- -5 list Kerberos 5 credentials.  This overrides whatever the default
- built-in behavior may be.  This option may be used with -4
-
- -4 list Kerberos 4 credentials.  This overrides whatever the default
- built-in behavior may be.  This option is only available if kinit was
- built with Kerberos 4 compatibility.  This option may be used with -5
-
- -e displays the encryption types of the session key and the ticket
- for each credential in the credential cache, or each key in the
- keytab file.
-
- -c List tickets held in a credentials cache.  This is the default if
- neither -c nor -k is specified.
-
- -f shows the flags present in the credentials, using the following
- abbreviations:
-
- F Forwardable
- f forwarded
- P Proxiable
- p proxy
- D postDateable
- d postdated
- R Renewable
- I Initial
- i invalid
-
- -s causes klist to run silently (produce no output), but to still set
- the exit status according to whether it finds the credentials cache.
- The exit status is `0' if klist finds a credentials cache, and `1' if
- it does not.
-
- -a display list of addresses in credentials.
-
- -n show numeric addresses instead of reverse-resolving addresses.
-
- -k List keys held in a keytab file.
-
- -t display the time entry timestamps for each keytab entry in the
- keytab file.
-
- -K display the value of the encryption key in each keytab entry in
- the keytab file.
-
- If cache_name or keytab_name is not specified, klist will display the
- credentials in the default credentials cache or keytab file as
- appropriate.  If the KRB5CCNAME environment variable is set, its
- value is used to name the default ticket cache.
-
-ENVIRONMENT
- Klist uses the following environment variables:
-
- KRB5CCNAME Location of the Kerberos 5 credentials (ticket) cache.
-
- KRBTKFILE Filename of the Kerberos 4 credentials (ticket) cache.
-
-FILES
- /tmp/krb5cc_[uid] default location of Kerberos 5 credentials cache
- ([uid] is the decimal UID of the user).
-
- /tmp/tkt[uid] default location of Kerberos 4 credentials cache ([uid]
- is the decimal UID of the user).
-
- /etc/krb5.keytab
- default location for the local host's keytab file.
-
-SEE  ALSO
- kinit(1), kdestroy(1), krb5(3)
- - - diff --git a/src/windows/leash/htmlhelp/html/leash_manpage_ms2mit.htm b/src/windows/leash/htmlhelp/html/leash_manpage_ms2mit.htm deleted file mode 100644 index 99184f6..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpage_ms2mit.htm +++ /dev/null @@ -1,16 +0,0 @@ - - - - - MS2MIT Command - - - - -

MS2MIT Command

-
NAME
 ms2mit - import Kerberos credentials from the current Windows Logon 
          Session and insert them into the Kerberos for Windows 
          default Credentials Cache

SYNOPSIS
 ms2mit

DESCRIPTION

  

SEE  ALSO
 klist(1), kdestroy(1), krb5(3)
- - diff --git a/src/windows/leash/htmlhelp/html/leash_manpages.htm b/src/windows/leash/htmlhelp/html/leash_manpages.htm deleted file mode 100644 index 3838622..0000000 --- a/src/windows/leash/htmlhelp/html/leash_manpages.htm +++ /dev/null @@ -1,18 +0,0 @@ - - - - - Leash Copyright - - - - -

-

Kerberos for Windows Command Line Tools Manpages

-

-

This section reproduces the manpages for the Kerberos for Windows command line tools.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_menu_commands.htm b/src/windows/leash/htmlhelp/html/leash_menu_commands.htm deleted file mode 100644 index a3d8a8a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_menu_commands.htm +++ /dev/null @@ -1,58 +0,0 @@ - - - - - Leash Commands - - - - - -

-

Leash Commands

-

-

File:
-File menu
-

-

Exit

-

Action:
-Action Menu
-

-

Get Ticket(s)/Token(s)

-

Renew Ticket(s)/Token(s)

-

Import Ticket(s)/Token(s)

-

Destroy Ticket(s)/Token(s)

-

Change Password

-

Reset Window Size/Pos

-

Synchronize Time

-

Update Display

-

View:
-View menu
-

-

Large Icons

-

Toolbar

-

Status Bar

-

Debug Window

-

Options:
-Options menu
-

-

Upper Case Realm Name

-

Expiration Alarm

-

Destroy Tickets/Tokens on Exit

-

Leash Properties…

-

Kerberos Properties

-

Kerberos v4 Properties…

-

Kerberos v5 Properties…

-

AFS Properties

-

Help:
-Help menu
-

-

About Leash...

- - diff --git a/src/windows/leash/htmlhelp/html/leash_menu_help_why_use.htm b/src/windows/leash/htmlhelp/html/leash_menu_help_why_use.htm deleted file mode 100644 index 9a0f1bd..0000000 --- a/src/windows/leash/htmlhelp/html/leash_menu_help_why_use.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - - Why Use - - - - -

Why Use Leash

-

This command, found under the Help menu, starts Leash help (the -document you are currently viewing).

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_afs_properties.htm b/src/windows/leash/htmlhelp/html/leash_option_afs_properties.htm deleted file mode 100644 index c64aabd..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_afs_properties.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - AFS Properties Command - - - - -

AFS Properties Command, -Ctrl+A

-

The AFS Properties dialog can be found on the Options menu when AFS -is available.

-

AFS Properties Dialog
-

-

There is a radio button pair to enable or disable the retrieval and -display of AFS tokens. There is also an AFS Properties button to bring -up the AFS Client Configuration program in order to alter settings for -Client Properties, Cell Hosts, and Submounts.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_auto_renewal.htm b/src/windows/leash/htmlhelp/html/leash_option_auto_renewal.htm deleted file mode 100644 index 904b9b4..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_auto_renewal.htm +++ /dev/null @@ -1,22 +0,0 @@ - - - - - Automatic Ticket Renewal Option - - - - -

Automatic Ticket -Renewal Option

-When Automatic Ticket Renewal is on, whenever tickets (or tokens) are -near expiration (within 15 minutes) Leash will attempt to extend the -ticket lifetime either via ticket renewal or ticket importation.  -If these attempts fail, Leash will display the ticket initialization -dialog.  In this way, Leash ensures that there are always valid -Kerberos tickets (and AFS tokens).
- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_destroy_tickets_on_exit.htm b/src/windows/leash/htmlhelp/html/leash_option_destroy_tickets_on_exit.htm deleted file mode 100644 index d8da0d9..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_destroy_tickets_on_exit.htm +++ /dev/null @@ -1,19 +0,0 @@ - - - - - Destroy Tickets/Tokens on Exit Option - - - - -

Destroy Tickets/Tokens -on Exit Option

-

If this option is selected under the Options menu, Leash destroys -your tickets and tokens when you Exit Leash; otherwise, the tickets -remain. This option is turned off by default.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_expiration_alarm.htm b/src/windows/leash/htmlhelp/html/leash_option_expiration_alarm.htm deleted file mode 100644 index c253970..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_expiration_alarm.htm +++ /dev/null @@ -1,25 +0,0 @@ - - - - - Low Ticket/Token Time Alarm Option - - - - -

Expiration Alarm Option

-

Leash will always pop up windows with warnings that your tickets are -about to expire, beginning 15 minutes before the time of expiration and -continuing every 5 minutes. However, when this option is selected under -the Options menu, a bell will ring as well.

-

When you view your tickets and tokens, those shown in yellow are due -to expire in less than 15 minutes; those in green have 15 minutes or -greater. (A red ticket is one you have but is expired; gray tickets are -not available to you at the current time, because Leash or your machine -is missing a requisite module or piece of functionality.)
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_kerberos_properties.htm b/src/windows/leash/htmlhelp/html/leash_option_kerberos_properties.htm deleted file mode 100644 index d3ea130..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_kerberos_properties.htm +++ /dev/null @@ -1,133 +0,0 @@ - - - - - Kerberos Properties Command - - - - -

Kerberos Properties Command, Ctrl+K

-

When you select this from the Options menu, Leash will display a -tabbed window. The box within this window has four tabs:
-

-
    -
  • Default Realm Configuration
    • -
  • Ticket Lifetime and Other Initialization Options
    -
    • -
  • Realm/Server Mapping
    -
    • -
  • DNS/Realm Mapping.
    • -
-

Default Realm Configuration:
-Default Realm Configuration
-

-

There are two groups, the Kerberos -Realm/Host Server and the Computer -Host/Domain Name.

-

Kerberos Realm/Host Server: In the Your -Kerberos Realm field, select a Kerberos realm from the dropdown -list. The list is editable using the Realm/Server Mapping tab. Leash -automatically fills in your Kerberos server with the first server in -the "Servers Hosting a KDC" list on the Realm/Server Mappings tab.

-

Computer Host/Domain Name: The field labeled Your Computer's Host Name displays -the name of your local machine.  The Your Computer's Domain Name field -displays the domain to which your local machine currently belongs.
-

-

Ticket Lifetime and Other Initialization Options:
-Ticket Lifetime
-

-

-

-<>There are two expiration times associated with Kerberos -tickets.  The first specifies the length of the time period during -which the tickets are valid for use.  The second specifies the -length of the renewable lifetime.  Valid Kerberos tickets may have -their valid use lifetime repeatedly extended up until the renewable -lifetime expires.  The settings on this page are used to configure -default lifetime values for Leash to use when requesting Kerberos -tickets from the Kerberos server (key distribution center).  The -Kerberos server may issue tickets with shorter lifetimes than were -requested.
-
-The minimum and maximum values are used by the ticket initialization -dialog box when constructing the Lifetime and Renewable Lifetime -sliders.  These sliders can be used to modify the requested ticket -lifetimes when Kerberos tickets are initialized.
-
-When the Request Kerberos 4 -credentials button is checked, Leash will attempt to retrieve -Kerberos 4 -credentials when ticket initialization, renewal, or importation is -performed.  Leash will attempt a Kerberos -5 to Kerberos 4 conversion and if that fails an initial Kerberos 4 -ticket -request will be generated.  Kerberos -realms are increasingly configured to support on Kerberos 5.  If the realms you use do not support Kerberos -4 it is suggested that this button be unchecked. -<> 
-
-When the Preserve Ticket Initialization Options button -is checked, changes -to the Lifetime, Renewable Lifetime, and Kerberos 5 ticket properties -on the -Ticket Initialization Dialog will be saved as the new default values -for the -current user. -

-

-

Realm/Server Mapping:
-Realm / Server Mapping
-

-The Kerberos Realms list box -is used to add, remove or rename realms from the local Kerberos -configuration files. To add a new realm, click on the Insert button -beneath the Kerberos Realms list box.  In the dialog, type the -name of the new realm and click OK.  However, for the realm to be -inserted, it needs one or more servers.  Immediately after you -enter the new realm name, you will be prompted for the names of one -Kerberos server in that realm.  If you do not enter a server name, -Leash will not insert the realm.
-
-To add servers to an existing realm, select the realm from the Kerberos -Realms list box and click the Insert button under Servers Hosting a KDC -list box.  You will be prompted for the name of the new -server.  You can also remove servers, and designate either one or -none as the administrative server.  (The administrative server is -the preferred server for performing password changes.)  
-
-By clicking and dragging on the server that you want to move, you can -change their order; this is important because the server listed at the -top appears in this window under the Default -Realm Configuration tab as the value for Your Kerberos Server.
-
-The Use DNS KDC Lookup -checkbox is used to specify whether or not Kerberos should utilize the -domain name service to attempt to find Kerberos Servers when the -existing listed servers are not available.
-
-

DNS/Realm Mapping:
-DNS / Realm Mapping
-

-

Each entry here consists of two portions: the domain name (such as -.mit.edu) or hostname (such as dialup.athena.mit.edu) followed by a -space and the Kerberos realm (such as ATHENA.MIT.EDU) which is used by -that domain or machine.  You can insert new entries, edit existing -ones, or delete old entries.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_krb4_properties.htm b/src/windows/leash/htmlhelp/html/leash_option_krb4_properties.htm deleted file mode 100644 index a8922c9..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_krb4_properties.htm +++ /dev/null @@ -1,33 +0,0 @@ - - - - - Kerberos Four Properties Command - - - - -

Kerberos v4 Properties… Command, Ctrl+4

-

The Kerberos v4 Properties dialog is accessible from the Options -menu.
-

-

Kerberos Four Properties
-

-

Here, you can specify the name of the in-memory cache used to store -the Kerberos 4 tickets.  The format of the name is “API:” followed -by the cache name.  Disk caches are not supported by Kerberos for -Windows.
-
-The paths to the Kerberos 4 configuration files: krb.con and -krbrealm.con may be changed from this dialog if necessary.  The -default is to store the configuration files in the Windows directory.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_krb5_properties.htm b/src/windows/leash/htmlhelp/html/leash_option_krb5_properties.htm deleted file mode 100644 index d686882..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_krb5_properties.htm +++ /dev/null @@ -1,126 +0,0 @@ - - - - - Kerberos Five Properties Command - - - - -

Kerberos v5 Properties Command, Ctrl+5

-The Kerberos v5 Properties dialog is accessible from the Options menu. -This dialog has two tabs: File -Location and Configuration -Options.
-
-File Location:
-
-Kerberos Five Properties: File Location
-
-

The File -Location -tab allows you to specify the location of the default Kerberos 5 ticket -cache and -configuration file.  The Ticket -File field specifies the name of -the in-memory cache (Ticket File) used to store the Kerberos 5 tickets.  The format of the name is “API:” followed by -the cache name or "MSLSA:".  Disk caches -(type "FILE:") are not -supported by Kerberos for Windows.  The Configuration File field specifies the -path to the Kerberos 5 configuration file, krb5.ini.  -If Confirm -that new configuration file exists is checked when the -configuration file -location is changed, then Leash will not accept values which are not -pre-existing Kerberos 5 configuration files.
-

-


-Configuration Options:
-

-

Kerberos Five Properties: Configuration Options
-

-

-

On the Configuration -Options page, you provide default attribute values to be used when -requesting Kerberos 5 tickets from the Kerberos server.  -

-

When Forwardable tickets -are received from the Kerberos Server, these tickets can be forwarded -to a -remote host when you connect via telnet, ssh, ftp, rlogin, or similar -applications.  When tickets are -forwarded, there is no need to obtain Kerberos tickets again to access -Kerberized -services on the remote host.

-

When Proxiable tickets -are received from the Kerberos Server, these tickets can be passed onto -Kerberized services which can in turn act on your behalf.  

-

When Renewable -tickets are received from the Kerberos Server, the ticket lifetimes may -be -renewed without prompting the user for her password.  -This allows Kerberos tickets to be issued -with short lifetimes allowing compromised accounts to be disabled on -short -notice without requiring the user to enter a password every few hours.  When combined with Automatic -Ticket Renewal (Option menu), Leash can maintain valid -tickets for a week, a month, or longer by automatically renewing -tickets prior -to their expiration.  The ability to -renew tickets without a password is limited by the ticket’s renewable -lifetime as -issued by the Kerberos Server.

-

Traditionally, Kerberos tickets have included a -list of -network addresses within the tickets.  -This address list restricts the use of the tickets to the -computers -which are assigned those addresses.  The -use of address lists has become a headache for many users of Kerberos -on -network connections which use either Network Address Translation -(Cable/DSL -routers) or Network Address Hiding (VPN) capabilities.  -On these networks the address of the client -machine appears to be different to the network service than it does to -the -client.  The result is the Kerberos -ticket is deemed to be invalid by the service even though it has not been -stolen.  When No Addresses is -checked, Kerberos will not insert an address list -into the Kerberos tickets.  For -Kerberized services which do not require address lists, this will -enable -Kerberos to be used across NAT and VPN based connections.  

-

Note 1:  As of -Kerberos 5 release 1.3, the library default is to disable the use of -address -lists.  Leash will detect the setting -from the Kerberos 5 configuration and check the No -Addresses box.  If you -attempt to re-enable address lists while the library is configured to -disable -them , Leash will warn you that the Kerberos 5 configuration file must -be -altered.   

-

Note 2: Distributed Computing Environment (DCE) -servers -require the use of address lists.

-
- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_leash_properties.htm b/src/windows/leash/htmlhelp/html/leash_option_leash_properties.htm deleted file mode 100644 index 2ca9221..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_leash_properties.htm +++ /dev/null @@ -1,79 +0,0 @@ - - - - - Leash Properties Command - - - - -

Leash Properties… Command, Ctrl+L

-

-

-

The Leash Properties dialog, located on the -Options menu, -allows you to configure operational properties specific to the Leash -application which are not accessible directly via the Options menu.

-


-Leash Properties

-

Here you can set a time server from which Leash -will obtain -the correct time.  Leash needs the -correct time because of the time dependencies in Kerberos tickets.  When you specify a time server, Leash tries -to get the time from that server when you next run the Synchronize Time -command.  The default value for the time -server is "time".  If access to -a time server were to fail, Leash would notify you, and revert to the -server -"time".  Whichever server -succeeds, Leash would tell you where it found the time.  -See the Synchronize Time command for more -information.

-

-

-

The Automatic MSLSA -Ticket Importation radio buttons allow you to configure how Leash -interacts -with the Microsoft Kerberos Authentication Provider.  -Leash will automatically import Kerberos -Tickets from the Microsoft LSA at startup depending upon the selected -option -and whether or not the Kerberos Authentication Provider was used for -Windows -Logon authorization.  Never -means do not import tickets from -the MSLSA; Always means do import -tickets from the MSLSA; and When MSLSA -Principal matches Default Realm means import tickets from the MSLSA -only if -the Kerberos principal belongs to the Kerberos Realm specified within -the Kerberos Properties Dialog.

-

-

When Request Kerberos 4 credentials is -checked, Leash -will attempt to retrieve Kerberos 4 credentials when ticket -initialization, -renewal, or importation is performed.  -Leash will attempt a Kerberos 5 to Kerberos 4 conversion and if -that -fails an initial Kerberos 4 ticket request will be generated.  Kerberos realms are increasingly configured -to support on Kerberos 5.  If the realms -you use do not support Kerberos 4 it is suggested that this button be -unchecked.

-

The Restore Leash Defaults button is used -to restore -user configurable Leash settings to the defaults as configured either -by the -local machine system administrator or by the Kerberos for Windows -distribution.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_option_upper_case_realm.htm b/src/windows/leash/htmlhelp/html/leash_option_upper_case_realm.htm deleted file mode 100644 index c4c1abe..0000000 --- a/src/windows/leash/htmlhelp/html/leash_option_upper_case_realm.htm +++ /dev/null @@ -1,24 +0,0 @@ - - - - - Upper Case Realm Name Option - - - - -

Upper Case Realm Name -Option

-

-

-

The default for this (accessible from the Options -menu) is -on; when this option is selected, the Kerberos realm name that you type -(such -as ATHENA.MIT.EDU) is converted to upper case regardless of how you -type it.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_about_kerberos.htm b/src/windows/leash/htmlhelp/html/leash_topic_about_kerberos.htm deleted file mode 100644 index a71181a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_about_kerberos.htm +++ /dev/null @@ -1,52 +0,0 @@ - - - - -KERBEROS - - - - - - - - -

About Kerberos

- -

In Greek myth, the three-headed dog Kerberos guarded the gates of Hades. -These days, Kerberos is an authentication service developed at -MIT for open network computing environments such as MITnet. Kerberos verifies -that you are who you claim to be by matching your username and password, -called a Kerberos principal, to a -private key encryption.

- -

When you start an application that relies on Kerberos authentication, you -must identify yourself by giving your Kerberos principal. The Kerberos service -checks to make sure that your name and password match the encrypted key before -it gives you access to the service you have requested. The security of the -network environment is maintained by never sending your unencrypted Kerberos -password over the network.

- -

To use the Athena system, you must have a Kerberos username and password. -Some Macintosh and Windows applications at MIT that use Kerberos to -authenticate a user's identity are Eudora, Zephyr and AFS.

- -

See Also

- -

An Authentication Service for Open Network -Systems

- -

(This technical description of Kerberos, by Steiner, Neuman, and Schiller, -is available via anonymous ftp from athena-dist.mit.edu, -/pub/kerberos/doc/usenix.txt.)

- -

Kerberos: How Does the Other Guy Know Who I -Am?.

- -

(This basic introduction to Kerberos and definitions of Kerberos-related -terms is available in the SIPB publication An Inessential Guide to -Athena.)

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_error_57.htm b/src/windows/leash/htmlhelp/html/leash_topic_error_57.htm deleted file mode 100644 index f765293..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_error_57.htm +++ /dev/null @@ -1,25 +0,0 @@ - - - - - Kerberos Error 57 - - - - -

Kerberos Error 57: Cannot contact the Kerberos server for the selected realm.

-

This error has three common causes:

-

1.The realm is misspelled, e.g. pbh@AHTENA.MIT.EDU instead of -pbh@ATHENA.MIT.EDU (realms are case sensitive).

-

2.Your krb.con file contains an entry for ATHENA.MIT.EDU but not -athena.mit.edu.

-

3.The realm is missing from your KRB.CON file, which should be -located in your \net\kerb directory. If you suspect the problem is with -your KRB.CON file, either call the Network Help Desk, 3-4101, or copy -the /etc/krb.conf file from a nearby UNIX workstation to your -\net\kerb\krb.con file.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_error_62.htm b/src/windows/leash/htmlhelp/html/leash_topic_error_62.htm deleted file mode 100644 index 41f4540..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_error_62.htm +++ /dev/null @@ -1,20 +0,0 @@ - - - - - Kerberos Error 62 - - - - -

Kerberos Error 62: Password incorrect.

-

This means that either you have misspelled your password or you have -gotten the case wrong. Check the state of your CAPS Lock key.

-

Characters do not echo to the screen or cause a beep when you type -your password so that nearby users won't be able to tell how many -letters are in your password.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_error_8.htm b/src/windows/leash/htmlhelp/html/leash_topic_error_8.htm deleted file mode 100644 index 5fb8846..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_error_8.htm +++ /dev/null @@ -1,21 +0,0 @@ - - - - - Kerberos Error 8 - - - - -

Kerberos Error 8: Unknown username, instance, or realm.

-

This error usually occurs when the username is not known for the -designated realm. For example, at the time of this writing, there is no -user "zzwn" in the Athena realm, so entering zzwn as a username will -generate this error.

-

Check the entered username or realm name for spelling mistakes or -the wrong case.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_error_invalid_principal.htm b/src/windows/leash/htmlhelp/html/leash_topic_error_invalid_principal.htm deleted file mode 100644 index fa7829f..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_error_invalid_principal.htm +++ /dev/null @@ -1,17 +0,0 @@ - - - - - Invalid Principle - - - - -

Invalid principal.

-

This usually means that you just clicked on the OK button or pressed -Enter without typing your username.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_auth_service.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_auth_service.htm deleted file mode 100644 index 6aeb657..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_auth_service.htm +++ /dev/null @@ -1,988 +0,0 @@ - - - - - An Authentication Service for Open Network Systems - - - - -

Kerberos: An Authentication -Service for Open Network Systems

-

Jennifer G. Steiner

-
-
-
Project Athena
-
-
-
-
Massachusetts Institute of Technology
-
-
-
-
Cambridge, MA 02139
-
-
-
-
steiner@ATHENA.MIT.EDU
-
-
-

Clifford Neuman *

-
-
-
Department of Computer Science, FR-35
-
-
-
-
University of Washington
-
-
-
-
Seattle, WA 98195
-
-
-
-
bcn@CS.WASHINGTON.EDU
-
-
-

Jeffrey I. Schiller

-
-
-
Project Athena
-
-
-
-
Massachusetts Institute of Technology
-
-
-
-
Cambridge, MA 02139
-
-
-
-
jis@ATHENA.MIT.EDU
-
-

* Clifford Neuman was a member of the Project Athena staff during -the design and initial implementation phase of Kerberos.

-

-

ABSTRACT

-

In an open network computing -environment, a workstation cannot be trusted to identify its users -correctly to network services. Kerberos provides an alternative -approach whereby a trusted third-party authentication service is used -to verify users' identities. This paper gives an overview of the Kerberos -authentication model as implemented for MIT's Project Athena. It -describes the protocols used by clients, servers, and Kerberos -to achieve authentication. It also describes the management and -replication of the database required. The views of Kerberos as -seen by the user, programmer, and administrator are described. Finally, -the role of Kerberos in the larger Athena picture is given, -along with a list of applications that presently use Kerberos -for user authentication. We describe the addition of Kerberos -authentication to the Sun Network File System as a case study for -integrating Kerberos with an existing application.

-

Introduction

-

This paper gives an overview of Kerberos, an authentication -system designed by Miller and Neumanfor open network computing -environments, and describes our experience using it at MIT's Project -Athena. In the first section of the paper, we explain why a new -authentication model is needed for open networks, and what its -requirements are. The second section lists the components of the Kerberos -software and describes how they interact in providing the -authentication service. In Section 3, we describe the Kerberos -naming scheme.

-

Section 4 presents the building blocks of Kerberos -authentication - the ticket and the authenticator. This -leads to a discussion of the two authentication protocols: the initial -authentication of a user to Kerberos (analogous to logging in), -and the protocol for mutual authentication of a potential consumer and -a potential producer of a network service.

-

Kerberos requires a database of information about its -clients; Section 5 describes the database, its management, and the -protocol for its modification. Section 6 describes the Kerberos -interface to its users, applications programmers, and administrators. -In Section 7, we describe how the Project Athena Kerberos fits -into the rest of the Athena environment. We also describe the -interaction of different Kerberos authentication domains, or realms -; in our case, the relation between the Project Athena Kerberos -and the Kerberos running at MIT's Laboratory for Computer -Science.

-

In Section 8, we mention open issues and problems as yet unsolved. -The last section gives the current status of Kerberos at -Project Athena. In the appendix, we describe in detail how Kerberos -is applied to a network file service to authenticate users who wish to -gain access to remote file systems.

-

Conventions. Throughout this paper we use terms that may be -ambiguous, new to the reader, or used differently elsewhere. Below we -state our use of those terms.

-

User, Client, Server. By user, we mean a human being -who uses a program or service. A client also uses something, -but is not necessarily a person; it can be a program. Often network -applications consist of two parts; one program which runs on one -machine and requests a remote service, and another program which runs -on the remote machine and performs that service. We call those the client -side and server side of the application, respectively. Often, a -client will contact a server on behalf of a user.

-

Each entity that uses the Kerberos system, be it a user or a -network server, is in one sense a client, since it uses the Kerberos -service. So to distinguish Kerberos clients from clients of -other services, we use the term principal to indicate such an -entity. Note that a Kerberos principal can be either a user or -a server. (We describe the naming of Kerberos principals in a -later section.)

-

Service vs. Server. We use service as an abstract -specification of some actions to be performed. A process which performs -those actions is called a server. At a given time, there may be -several servers (usually running on different machines) -performing a given service. For example, at Athena there is one -BSD UNIX rlog-in server running on each of our timesharing -machines.

-

Key, Private Key, Password. Kerberos uses private key -encryption. Each Kerberos principal is assigned a large number, -its private key, known only to that principal and Kerberos. In -the case of a user, the private key is the result of a one-way function -applied to the user's password. We use key as shorthand -for private key.

-

Credentials. Unfortunately, this word has a special meaning -for both the Sun Network File System and the Kerberos system. -We explicitly state whether we mean NFS credentials or Kerberos -credentials, otherwise the term is used in the normal English language -sense.

-

Master and Slave. It is possible to run Kerberos -authentication software on more than one machine. However, there is -always only one definitive copy of the Kerberos database. The -machine which houses this database is called the master -machine, or just the master. Other machines may possess -read-only copies of the Kerberos database, and these are called -slaves.

-

1. Motivation

-

In a non-networked personal computing environment, resources and -information can be protected by physically securing the personal -computer. In a timesharing computing environment, the operating system -protects users from one another and controls resources. In order to -determine what each user is able to read or modify, it is necessary for -the timesharing system to identify each user. This is accomplished when -the user logs in.

-

In a network of users requiring services from many separate -computers, there are three approaches one can take to access control: -One can do nothing, relying on the machine to which the user is logged -in to prevent unauthorized access; one can require the host to prove -its identity, but trust the host's word as to who the user is; or one -can require the user to prove her/his identity for each required -service.

-

In a closed environment where all the machines are under strict -control, one can use the first approach. When the organization controls -all the hosts communicating over the network, this is a reasonable -approach.

-

In a more open environment, one might selectively trust only those -hosts under organizational control. In this case, each host must be -required to prove its identity. The rlog-in and rsh programs use this -approach. In those protocols, authentication is done by checking the -Internet address from which a connection has been established.

-

In the Athena environment, we must be able to honor requests from -hosts that are not under organizational control. Users have complete -control of their workstations: they can reboot them, bring them up -standalone, or even boot off their own tapes. As such, the third -approach must be taken; the user must prove her/his identity for each -desired service. The server must also prove its identity. It is not -sufficient to physically secure the host running a network server; -someone elsewhere on the network may be masquerading as the given -server.

-

Our environment places several requirements on an identification -mechanism. First, it must be secure. Circumventing it must be difficult -enough that a potential attacker does not find the authentication -mechanism to be the weak link. Someone watching the network should not -be able to obtain the information necessary to impersonate another -user. Second, it must be reliable. Access to many services will depend -on the authentication service. If it is not reliable, the system of -services as a whole will not be. Third, it should be transparent. -Ideally, the user should not be aware of authentication taking place. -Finally, it should be scalable. Many systems can communicate with -Athena hosts. Not all of these will support our mechanism, but software -should not break if they did.

-

Kerberos is the result of our work to satisfy the above -requirements. When a user walks up to a workstation s/he "logs in". As -far as the user can tell, this initial identification is sufficient to -prove her/his identity to all the required network servers for the -duration of the log-in session. The security of Kerberos relies on the -security of several authentication servers, but not on the system from -which users log in, nor on the security of the end servers that will be -used. The authentication server provides a properly authenticated user -with a way to prove her/his identity to servers scattered across the -network.

-

Authentication is a fundamental building block for a secure -networked environment. If, for example, a server knows for certain the -identity of a client, it can decide whether to provide the service, -whether the user should be given special privileges, who should receive -the bill for the service, and so forth. In other words, authorization -and accounting schemes can be built on top of the authentication that -Kerberos provides, resulting in equivalent security to the lone -personal computer or the timesharing system.

-

2. What is Kerberos ?

-

Kerberos is a trusted third-party authentication service -based on the model presented by Needham and Schroeder.It is trusted in -the sense that each of its clients believes Kerberos' judgement -as to the identity of each of its other clients to be accurate. Time -stamps (large numbers representing the current date and time) have been -added to the original model to aid in the detection of replay. -Replay occurs when a message is stolen off the network and resent -later. For a more complete description of replay, and other issues of -authentication, see Voydock and Kent.

-

2.1. What Does It Do?

-

Kerberos keeps a database of its clients and their private -keys. The private key is a large number known only to Kerberos -and the client it belongs to. In the case that the client is a user, it -is an encrypted password. Network services requiring authentication -register with Kerberos, as do clients wishing to use those -services. The private keys are negotiated at registration.

-

Because Kerberos knows these private keys, it can create -messages which convince one client that another is really who it claims -to be. Kerberos also generates temporary private keys, called session -keys, which are given to two clients and no one else. A session key -can be used to encrypt messages between two parties.

-

Kerberos provides three distinct levels of protection. The -application programmer determines which is appropriate, according to -the requirements of the application. For example, some applications -require only that authenticity be established at the initiation of a -network connection, and can assume that further messages from a given -network address originate from the authenticated party. Our -authenticated network file system uses this level of security.

-

Other applications require authentication of each message, but do -not care whether the content of the message is disclosed or not. For -these, Kerberos provides safe messages. Yet a higher -level of security is provided by private messages, where each -message is not only authenticated, but also encrypted. Private messages -are used, for example, by the Kerberos server itself for -sending passwords over the network

-

2.2. Software Components

-

The Athena implementation comprises several modules (see Figure 1). -The Kerberos applications library provides an interface for -application clients and application servers. It contains, among others, -routines for creating or reading authentication requests, and the -routines for creating safe or private messages.
-

-
    -
  • Kerberos applications -library
    • -
  • encryption library
    • -
  • database library
    • -
  • database administration programs
    • -
  • administration server
    • -
  • authentication server
    • -
  • propogation software
    • -
  • user programs
    • -
  • applications
    • -
-

Figure 1. Kerberos -Software Components

-

Encryption in Kerberos is based on DES, the Data Encryption -Standard.The encryption library implements those routines. Several -methods of encryption are provided, with tradeoffs between speed and -security. An extension to the DES Cypher Block Chaining (CBC) mode, -called the Propagating CBC mode, is also provided. In CBC, an error is -propagated only through the current block of the cipher, whereas in -PCBC, the error is propagated throughout the message. This renders the -entire message useless if an error occurs, rather than just a portion -of it. The encryption library is an independent module, and may be -replaced with other DES implementations or a different encryption -library.

-

Another replaceable module is the database management system. The -current Athena implementation of the database library uses ndbm, -although INGRES was originally used. Other database management -libraries could be used as well.

-

The Kerberos database needs are straightforward; a record is -held for each principal, containing the name, private key, and -expiration date of the principal, along with some administrative -information. (The expiration date is the date after which an entry is -no longer valid. It is usually set to a few years into the future at -registration.)

-

Other user information, such as real name, phone number, and so -forth, is kept by another server, the Hesiod nameserver. This -way, sensitive information, namely passwords, can be handled by Kerberos, -using fairly high security measures; while the non-sensitive -information kept by Hesiod is dealt with differently; it can, -for example, be sent unencrypted over the network.

-

The Kerberos servers use the database library, as do the -tools for administering the database.

-

The administration server (or KDBM server) provides a -read-write network interface to the database. The client side of the -program may be run on any machine on the network. The server side, -however, must run on the machine housing the Kerberos database -in order to make changes to the database.

-

The authentication server (or Kerberos server), on -the other hand, performs read-only operations on the Kerberos -database, namely, the authentication of principals, and generation of -session keys. Since this server does not modify the Kerberos -database, it may run on a machine housing a read-only copy of the -master Kerberos database.

-

Database propagation software manages replication of the Kerberos -database. It is possible to have copies of the database on several -different machines, with a copy of the authentication server running on -each machine. Each of these slave machines receives an update -of the Kerberos database from the master machine at -given intervals.

-

Finally, there are end-user programs for logging in to Kerberos, -changing a Kerberos password, and displaying or destroying Kerberos -tickets (tickets are explained later on).

-

3. Kerberos Names

-

Part of authenticating an entity is naming it. The process of -authentication is the verification that the client is the one named in -a request. What does a name consist of? In Kerberos, both users -and servers are named. As far as the authentication server is -concerned, they are equivalent. A name consists of a primary name, an -instance, and a realm, expressed as name.instance@realm (see -Figure 2).

-

bcn

-

treese.root

-

jis@LCS.MIT.EDU

-

rlog-in.priam@ATHENA.MIT.EDU

-

Figure 2. Kerberos Names

-

The primary name is the name of the user or the service. The -instance is used to distinguish among variations on the primary -name. For users, an instance may entail special privileges, such as the -"root" or "admin" instances. For services in the Athena environment, -the instance is usually the name of the machine on which the server -runs. For example, the rlog-in service has different instances -on different hosts: rlog-in.priam is the rlog-in server -on the host named priam. A Kerberos ticket is only good for a -single named server. As such, a separate ticket is required to gain -access to different instances of the same service. The realm is -the name of an administrative entity that maintains authentication -data. For example, different institutions may each have their own Kerberos -machine, housing a different database. They have different Kerberos -realms. (Realms are discussed further in section 8.2.).

-

4. How It Works

-

This section describes the Kerberos authentication -protocols. The following abbreviations are used in the figures.
-

-
-
c        ->     client
s        ->     server
addr     ->	client's network address
life	 -> 	lifetime of ticket
tgs, TGS -> 	ticket-granting ticket
Kerberos -> 	authentication server
KDBM	 -> 	administration server
Kx	 -> 	x's private key
Kx,y	  -> 	session key for x and y
{abc}Kx	 ->	abc encrypted in x's key
Tx,y	  ->	x's ticket to use y
Ax	 -> 	authenticator for x
WS	 -> 	workstation
-
-

As mentioned above, the Kerberos authentication model is -based on the Needham and Schroeder key distribution protocol. When a -user requests a service, her/his identity must be established. To do -this, a ticket is presented to the server, along with proof that the -ticket was originally issued to the user, not stolen. There are three -phases to authentication through Kerberos. In the first phase, -the user obtains credentials to be used to request access to other -services. In the second phase, the user requests authentication for a -specific service. In the final phase, the user presents those -credentials to the end server.

-

4.1 Credentials

-

There are two types of credentials used in the Kerberos -authentication model: tickets and authenticators. Both -are based on private key encryption, but they are encrypted using -different keys. A ticket is used to securely pass the identity of the -person to whom the ticket was issued between the authentication server -and the end server. A ticket also passes information that can be used -to make sure that the person using the ticket is the same person to -which it was issued. The authenticator contains the additional -information which, when compared against that in the ticket proves that -the client presenting the ticket is the same one to which the ticket -was issued.

-

A ticket is good for a single server and a single client. It -contains the name of the server, the name of the client, the Internet -address of the client, a time stamp, a lifetime, and a random session -key. This information is encrypted using the key of the server for -which the ticket will be used. Once the ticket has been issued, it may -be used multiple times by the named client to gain access to the named -server, until the ticket expires. Note that because the ticket is -encrypted in the key of the server, it is safe to allow the user to -pass the ticket on to the server without having to worry about the user -modifying the ticket (see Figure 3).
-

-

{s, c, addr, timestamp, life, Ks,c} -Ks
-

-

Figure 3. Kerberos Ticket.

-

Unlike the ticket, the authenticator can only be used once. A new -one must be generated each time a client wants to use a service. This -does not present a problem because the client is able to build the -authenticator itself. An authenticator contains the name of the client, -the workstation's IP address, and the current workstation time. The -authenticator is encrypted in the session key that is part of the -ticket (see Figure 4).

-
{ c, addr, timestamp } Ks,c
-
-

Figure 4. A Kerberos -Authenticator

-

4.2. Getting the Initial Ticket

-

When the user walks up to a workstation, only one piece of -information can prove her/his identity: the user's password. The -initial exchange with the authentication server is designed to minimize -the chance that the password will be compromised, while at the same -time not allowing a user to properly authenticate her/himself without -knowledge of that password. The process of logging in appears to the -user to be the same as logging in to a timesharing system. Behind the -scenes, though, it is quite different (see Figure 5).

-


-Figure 5. Getting the Initial Ticket.

-

The user is prompted for her/his username. Once it has been entered, -a request is sent to the authentication server containing the user's -name and the name of a special service known as the ticket-granting -service.

-

The authentication server checks that it knows about the client. If -so, it generates a random session key which will later be used between -the client and the ticket-granting server. It then creates a ticket for -the ticket-granting server which contains the client's name, the name -of the ticket-granting server, the current time, a lifetime for the -ticket, the client's IP address, and the random session key just -created. This is all encrypted in a key known only to the -ticket-granting server and the authentication server.

-

The authentication server then sends the ticket, along with a copy -of the random session key and some additional information, back to the -client. This response is encrypted in the client's private key, known -only to Kerberos and the client, which is derived from the -user's password.

-

Once the response has been received by the client, the user is asked -for her/his password. The password is converted to a DES key and used -to decrypt the response from the authentication server. The ticket and -the session key, along with some of the other information, are stored -for future use, and the user's password and DES key are erased from -memory.

-

Once the exchange has been completed, the workstation possesses -information that it can use to prove the identity of its user for the -lifetime of the ticket-granting ticket. As long as the software on the -workstation had not been previously tampered with, no information -exists that will allow someone else to impersonate the user beyond the -life of the ticket.

-

4.3. Requesting a Service

-

For the moment, let us pretend that the user already has a ticket -for the desired server. In order to gain access to the server, the -application builds an authenticator containing the client's name and IP -address, and the current time. The authenticator is then encrypted in -the session key that was received with the ticket for the server. The -client then sends the authenticator along with the ticket to the server -in a manner defined by the individual application.

-

Once the authenticator and ticket have been received by the server, -the server decrypts the ticket, uses the session key included in the -ticket to decrypt the authenticator, compares the information in the -ticket with that in the authenticator, the IP address from which the -request was received, and the present time. If everything matches, it -allows the request to proceed (see Figure 6).

-


-Figure 6. Requesting a Service

-

It is assumed that clocks are synchronized to within several -minutes. If the time in the request is too far in the future or the -past, the server treats the request as an attempt to replay a previous -request. The server is also allowed to keep track of all past requests -with time stamps that are still valid. In order to further foil replay -attacks, a request received with the same ticket and time stamp as one -already received can be discarded.

-

Finally, if the client specifies that it wants the server to prove -its identity too, the server adds one to the time stamp the client sent -in the authenticator, encrypts the result in the session key, and sends -the result back to the client (see Figure 7).

-


-Figure 7. Mutual Authentication

-

At the end of this exchange, the server is certain that, according -to Kerberos, the client is who it says it is. If mutual -authentication occurs, the client is also convinced that the server is -authentic. Moreover, the client and server share a key which no one -else knows, and can safely assume that a reasonably recent message -encrypted in that key originated with the other party.

-

4.4 Getting Server Tickets

-

Recall that a ticket is only good for a single server. As such, it -is necessary to obtain a separate ticket for each service the client -wants to use. Tickets for individual servers can be obtained from the -ticket-granting service. Since the ticket-granting service is itself a -service, it makes use of the service access protocol described in the -previous section.

-

When a program requires a ticket that has not already been -requested, it sends a request to the ticket-granting server (see Figure -8). The request contains the name of the server for which a ticket is -requested, along with the ticket-granting ticket and an authenticator -built as described in the previous section.

-


-Figure 8. Getting a Server Ticket

-

The ticket-granting server then checks the authenticator and -ticket-granting ticket as described above. If valid, the -ticket-granting server generates a new random session key to be used -between the client and the new server. It then builds a ticket for the -new server containing the client's name, the server name, the current -time, the client's IP address and the new session key it just -generated. The lifetime of the new ticket is the minimum of the -remaining life for the ticket-granting ticket and the default for the -service.

-

The ticket-granting server then sends the ticket, along with the -session key and other information, back to the client. This time, -however, the reply is encrypted in the session key that was part of the -ticket-granting ticket. This way, there is no need for the user to -enter her/his password again. Figure 9 summarizes the authentication -protocols.

-

-


-Figure 9. Kerberos Authentication Protocols.

-

5. Kerberos Database

-

Up to this point, we have discussed operations requiring read-only -access to the Kerberos database. These operations are performed -by the authentication service, which can run on both master and slave -machines (see Figure 10).

-


-Figure 10. Authentication Requests.

-

In this section, we discuss operations that require write access to -the database. These operations are performed by the administration -service, called the Kerberos Database Management Service (KDBM). -The current implementation stipulates that changes may only be made to -the master Kerberos database; slave copies are read-only. -Therefore, the KDBM server may only run on the master Kerberos -machine (see Figure 11).

-


-Figure 11. Administration Requests

-

Note that, while authentication can still occur (on slaves), -administration requests cannot be serviced if the master machine is -down. In our experience, this has not presented a problem, as -administration requests are infrequent.

-

The KDBM handles requests from users to change their passwords. The -client side of this program, which sends requests to the KDBM over the -network, is the kpasswd program. The KDBM also accepts requests -from Kerberos administrators, who may add principals to the -database, as well as change passwords for existing principals. The -client side of the administration program, which also sends requests to -the KDBM over the network, is the kadmin program.

-

5.1. The KDBM Server

-

The KDBM server accepts requests to add principals to the database -or change the passwords for existing principals. This service is unique -in that the ticket-granting service will not issue tickets for it. -Instead, the authentication service itself must be used (the same -service that is used to get a ticket-granting ticket). The purpose of -this is to require the user to enter a password. If this were not so, -then if a user left her/his workstation unattended, a passerby could -walk up and change her/his password for them, something which should be -prevented. Likewise, if an administrator left her/his workstation -unguarded, a passerby could change any password in the system.

-

When the KDBM server receives a request, it authorizes it by -comparing the authenticated principal name of the requester of the -change to the principal name of the target of the request. If they are -the same, the request is permitted. If they are not the same, the KDBM -server consults an access control list (stored in a file on the master Kerberos -system). If the requester's principal name is found in this file, the -request is permitted, otherwise it is denied.

-

By convention, names with a. NULL instance (the default -instance) do not appear in the access control list file; instead, an admin -instance is used. Therefore, for a user to become an administrator of Kerberos -an admin instance for that username must be created, and added -to the access control list. This convention allows an administrator to -use a different password for Kerberos administration then s/he -would use for normal log-in.

-

All requests to the KDBM program, whether permitted or denied, are -logged.

-

5.2. The kadmin and kpasswd Programs

-

Administrators of Kerberos use the kadmin program to -add principals to the database, or change the passwords of existing -principals. An administrator is required to enter the password for -their admin instance name when they invoke the kadmin -program. This password is used to fetch a ticket for the KDBM server -(see Figure 12).

-

-


-Figure 12. Kerberos Administration Protocol.

-

Users may change their Kerberos passwords using the kpasswd -program. They are required to enter their old password when they invoke -the program. This password is used to fetch a ticket for the KDBM -server.

-

5.3. Database Replication

-

Each Kerberos realm has a master Kerberos -machine, which houses the master copy of the authentication database. -It is possible (although not necessary) to have additional, read-only -copies of the database on slave machines elsewhere in the -system. The advantages of having multiple copies of the database are -those usually cited for replication: higher availability and better -performance. If the master machine is down, authentication can still be -achieved on one of the slave machines. The ability to perform -authentication on any one of several machines reduces the probability -of a bottleneck at the master machine.

-

Keeping multiple copies of the database introduces the problem of -data consistency. We have found that very simple methods suffice for -dealing with inconsistency. The master database is dumped every hour. -The database is sent, in its entirety, to the slave machines, which -then update their own databases. A program on the master host, called kprop, -sends the update to a peer program, called kpropd, running on -each of the slave machines (see Figure 13). First kprop sends a -checksum of the new database it is about to send. The checksum is -encrypted in the Kerberos master database key, which both the -master and slave Kerberos machines possess. The data is then -transferred over the network to the kpropd on the slave -machine. The slave propagation server calculates a checksum of the data -it has received, and if it matches the checksum sent by the master, the -new information is used to update the slave's database.

-


-Figure 13. Database Propagation

-

All passwords in the Kerberos database are encrypted in the -master database key Therefore, the information passed from master to -slave over the network is not useful to an eavesdropper. However, it is -essential that only information from the master host be accepted by the -slaves, and that tampering of data be detected, thus the checksum.

-

6. Kerberos From the Outside Looking In

-

The section will describe Kerberos from the practical point -of view, first as seen by the user, then from the application -programmer's viewpoint, and finally, through the tasks of the Kerberos -administrator.

-

6.1. User's Eye View

-

If all goes well, the user will hardly notice that Kerberos -is present. In our UNIX implementation, the ticket-granting ticket is -obtained from Kerberos as part of the log-in process. -The changing of a user's Kerberos password is part of the passwd -program. And Kerberos tickets are automatically destroyed when -a user logs out.

-

If the user's log-in session lasts longer than the lifetime of the -ticket-granting ticket (currently 8 hours), the user will notice Kerberos' -presence because the next time a Kerberos -authenticated -application is executed, it will fail. The Kerberos ticket for -it will have expired. At that point, the user can run the kinit -program to obtain a new ticket for the ticket-granting server. As when -logging in, a password must be provided in order to get it. A user -executing the klist command out of curiosity may be surprised -at all the tickets which have silently been obtained on her/his behalf -for services which require Kerberos authentication.

-

6.2. From the Programmer's Viewpoint

-

A programmer writing a Kerberos application will often be -adding authentication to an already existing network application -consisting of a client and server side. We call this process -"Kerberizing" a program. Kerberizing usually involves making a call to -the Kerberos library in order to perform authentication at the -initial request for service. It may also involve calls to the DES -library to encrypt messages and data which are subsequently sent -between application client and application server.

-

The most commonly used library functions are krb_mk_req on -the client side, and krb_rd_req on the server side. The krb_mk_req -routine takes as parameters the name, instance, and realm of the target -server, which will be requested, and possibly a checksum of the data to -be sent. The client then sends the message returned by the krb_mk_req -call over the network to the server side of the application. When the -server receives this message, it makes a call to the library routine krb_rd_req. -The routine returns a judgement about the authenticity of the sender's -alleged identity.

-

If the application requires that messages sent between client and -server be secret, then library calls can be made to krb_mk_priv -(krb_rd_priv) to encrypt (decrypt) messages in the session key -which both sides now share.

-

6.3. The Kerberos Administrator's Job

-

The Kerberos administrator's job begins with running a -program to initialize the database. Another program must be run to -register essential principals in the database, such as the Kerberos -administrator's name with an admin instance. The Kerberos -authentication server and the administration server must be started up. -If there are slave databases, the administrator must arrange that the -programs to propagate database updates from master to slaves be kicked -off periodically.

-

After these initial steps have been taken, the administrator -manipulates the database over the network, using the kadmin -program. Through that program, new principals can be added, and -passwords can be changed.

-

In particular, when a new Kerberos application is added to -the system, the Kerberos administrator must take a few steps to -get it working. The server must be registered in the database, and -assigned a private key (usually this is an automatically generated -random key). Then, some data (including the server's key) must be -extracted from the database and installed in a file on the server's -machine. The default file is /etc/srvtab. The krb_rd_req -library routine called by the server (see the previous section) uses -the information in that file to decrypt messages sent encrypted in the -server's private key. The /etc/srvtab file authenticates the -server as a password typed at a terminal authenticates the user.

-

The Kerberos administrator must also ensure that Kerberos -machines are physically secure, and would also be wise to maintain -backups of the Master database.

-

7. The Bigger Picture

-

In this section, we describe how Kerberos fits into the -Athena environment, including its use by other network services and -applications, and how it interacts with remote Kerberos realms. -For a more complete description of the Athena environment, please see -G. W. Treese.

-

7.1. Other Network Services' Use of Kerberos

-

Several network applications have been modified to use Kerberos. -The rlog-in and rsh commands first try to authenticate -using Kerberos. A user with valid Kerberos tickets can -rlog-in to another Athena machine without having to set up.rhosts -files. If the Kerberos authentication fails, the programs fall -back on their usual methods of authorization, in this case, the.rhosts -files.

-

We have modified the Post Office Protocol to use Kerberos -for authenticating users who wish to retrieve their electronic mail -from the "post office". A message delivery program, called Zephyr, -has been recently developed at Athena, and it uses Kerberos for -authentication as well.

-

The program for signing up new users, called register, uses -both the Service Management System (SMS) and Kerberos. From -SMS, it determines whether the information entered by the would-be new -Athena user, such as name and MIT identification number, is valid. It -then checks with Kerberos to see if the requested username is -unique. If all goes well, a new entry is made to the Kerberos -database, containing the username and password.

-

For a detailed discussion of the use of Kerberos to secure -Sun's Network File System, please refer to the appendix..

-

7.2. Interaction with Other Kerberi

-

It is expected that different administrative organizations will want -to use Kerberos for user authentication. It is also expected -that in many cases, users in one organization will want to use services -in another. Kerberos supports multiple administrative domains. -The specification of names in Kerberos includes a field called -the realm. This field contains the name of the administrative -domain within which the user is to be authenticated.

-

Services are usually registered in a single realm and will only -accept credentials issued by an authentication server for that realm. A -user is usually registered in a single realm (the local realm), but it -is possible for her/him to obtain credentials issued by another realm -(the remote realm), on the strength of the authentication provided by -the local realm. Credentials valid in a remote realm indicate the realm -in which the user was originally authenticated. Services in the remote -realm can choose whether to honor those credentials, depending on the -degree of security required and the level of trust in the realm that -initially authenticated the user.

-

In order to perform cross-realm authentication, it is necessary that -the administrators of each pair of realms select a key to be shared -between their realms. A user in the local realm can then request a -ticket-granting ticket from the local authentication server for the -ticket-granting server in the remote realm. When that ticket is used, -the remote ticket-granting server recognizes that the request is not -from its own realm, and it uses the previously exchanged key to decrypt -the ticket-granting ticket. It then issues a ticket as it normally -would, except that the realm field for the client contains the name of -the realm in which the client was originally authenticated.

-

This approach could be extended to allow one to authenticate oneself -through a series of realms until reaching the realm with the desired -service. In order to do this, though, it would be necessary to record -the entire path that was taken, and not just the name of the initial -realm in which the user was authenticated. In such a situation, all -that is known by the server is that A says that B says that C says that -the user is so-and-so. This statement can only be trusted if everyone -along the path is also trusted.

-

8. Issues and Open Problems

-

There are a number of issues and open problems associated with the Kerberos -authentication mechanism. Among the issues are how to decide the -correct lifetime for a ticket, how to allow proxies, and how to -guarantee workstation integrity.

-

The ticket lifetime problem is a matter of choosing the proper -tradeoff between security and convenience. If the life of a ticket is -long, then if a ticket and its associated session key are stolen or -misplaced, they can be used for a longer period of time. Such -information can be stolen if a user forgets to log out of a public -workstation. Alternatively, if a user has been authenticated on a -system that allows multiple users, another user with access to root -might be able to find the information needed to use stolen tickets. The -problem with giving a ticket a short lifetime, however, is that when it -expires, the user will have to obtain a new one which requires the user -to enter the password again.

-

An open problem is the proxy problem. How can an authenticated user -allow a server to acquire other network services on her/his behalf? An -example where this would be important is the use of a service that will -gain access to protected files directly from a fileserver. Another -example of this problem is what we call authentication forwarding. -If a user is logged into a workstation and logs in to a remote host, it -would be nice if the user had access to the same services available -locally, while running a program on the remote host. What makes this -difficult is that the user might not trust the remote host, thus -authentication forwarding is not desirable in all cases. We do not -presently have a solution to this problem.

-

Another problem, and one that is important in the Athena -environment, is how to guarantee the integrity of the software running -on a workstation. This is not so much of a problem on private -workstations since the user that will be using it has control over it. -On public workstations, however, someone might have come along and -modified the log-in program to save the user's password. The -only solution presently available in our environment is to make it -difficult for people to modify software running on the public -workstations. A better solution would require that the user's key never -leave a system that the user knows can be trusted. One way this could -be done would be if the user possessed a smartcard capable of -doing the encryptions required in the authentication protocol.

-

9. Status

-

A prototype version of Kerberos went into production in -September of 1986. Since January of 1987, Kerberos has been -Project Athena's sole means of authenticating its 5,000 users, 650 -workstations, and 65 servers. In addition, Kerberos is now -being used in place of.rhosts files for controlling access in -several of Athena's timesharing systems.

-

10. Acknowledgments

-

Kerberos was initially designed by Steve Miller and Clifford -Neuman with suggestions from Jeff Schiller and Jerry Saltzer. Since -that time, numerous other people have been involved with the project. -Among them are Jim Aspnes, Bob Baldwin, John Barba, Richard Basch, Jim -Bloom, Bill Bryant, Mark Colan, Rob French, Dan Geer, John Kohl, John -Kubiatowicz, Bob Mckie, Brian Murphy, John Ostlund Ken Raeburn, Chris -Reed, Jon Rochlis, Mike Shanzer, Bill Sommerfeld, Ted T'so, Win Treese, -and Stan Zanarotti.

-

We are grateful to Dan Geer, Kathy Lieben, Josh Lubarr, Ken Raeburn, -Jerry Saltzer, Ed Steiner, Robbert van Renesse, and Win Treese whose -suggestions much improved earlier drafts of this paper.

-

The illustration on the title page is by Betsy Bruemmer.

-

Appendix

-

Kerberos Application to Sun's Network File System (NFS)

-

A key component of the Project Athena workstation system is the -interposing of the network between the user's workstation and her/his -private file storage (home directory). All private storage resides on a -set of computers (currently VAX 11/750s) that are dedicated to this -purpose. This allows us to offer services on publicly available UNIX -workstations. When a user logs in to one of these publicly available -workstations, rather then validate her/his name and password against a -locally resident password file, we use Kerberos to determine -her/his authenticity. The log-in program prompts for a username -(as on any UNIX system). This username is used to fetch a Kerberos -ticket-granting ticket. The log-in program uses the password to -generate a DES key for decrypting the ticket. If decryption is -successful, the user's home directory is located by consulting the Hesiod -naming service and mounted through NFS. The log-in program then -turns control over to the user's shell, which then can run the -traditional per-user customization files because the home directory is -now "attached" to the workstation. The Hesiod service is also -used to construct an entry in the local password file. (This is for the -benefit of programs that look up information in /etc/passwd.)

-

From several options for delivery of remote file service, we chose -Sun's Network File System. However this system fails to mesh with our -needs in a crucial way. NFS assumes that all workstations fall into two -categories (as viewed from a file server's point of view): trusted and -untrusted. Untrusted systems cannot access any files at all, trusted -can. Trusted systems are completely trusted. It is assumed that a -trusted system is managed by friendly management. Specifically, it is -possible from a trusted workstation to masquerade as any valid user of -the file service system and thus gain access to just about every file -on the system. (Only files owned by "root" are exempted.).

-

In our environment, the management of a workstation (in the -traditional sense of UNIX system management) is in the hands of the -user currently using it. We make no secret of the root password on our -workstations, as we realize that a truly unfriendly user can break in -by the very fact that s/he is sitting in the same physical location as -the machine and has access to all console functions. Therefore we -cannot truly trust our workstations in the NFS interpretation of trust. -To allow proper access controls in our environment we had to make some -modifications to the base NFS software, and integrate Kerberos -into the scheme.

-

Unmodified NFS

-

In the implementation of NFS that we started with (from the -University of Wisconsin), authentication was provided in the form of a -piece of data included in each NFS request (called a "credential" in -NFS terminology). This credential contains information about the unique -user identifier (UID) of the requester and a list of the group -identifiers (GIDs) of the requester's membership. This information is -then used by the NFS server for access checking. The difference between -a trusted and a non-trusted workstation is whether or not its -credentials are accepted by the NFS server.

-

Modified NFS

-

In our environment, NFS servers must accept credentials from a -workstation if and only if the credentials indicate the UID of the -workstation's user, and no other.

-

One obvious solution would be to change the nature of credentials -from mere indicators of UID and GIDs to full blown Kerberos -authenticated data. However a significant performance penalty would be -paid if this solution were adopted. Credentials are exchanged on every -NFS operation including all disk read and write activities. Including a -Kerberos authentication on each disk transaction would add a -fair number of full-blown encryptions (done in software) per -transaction and, according to our envelope calculations, would have -delivered unacceptable performance. (It would also have required -placing the Kerberos library routines in the kernel address -space.)

-

We needed a hybrid approach, described below. The basic idea is to -have the NFS server map credentials received from client workstations, -to a valid (and possibly different) credential on the server system. -This mapping is performed in the server's kernel on each NFS -transaction and is setup at "mount" time by a user-level process that -engages in Kerberos - moderated authentication prior to -establishing a valid kernel credential mapping.

-

To implement this we added a new system call to the kernel (required -only on server systems, not on client systems) that provides for the -control of the mapping function that maps incoming credentials from -client workstations to credentials valid for use on the server (if -any). The basic mapping function maps the tuple:

-

<CLIENT-IP-ADDRESS, UID-ON-CLIENT>

-

to a valid NFS credential on the server system. The -CLIENT-IP-ADDRESS is extracted from the NFS request packet and the -UID-ON-CLIENT is extracted from the credential supplied by the client -system. Note: all information in the client-generated credential except -the UID-ON-CLIENT is discarded.

-

If no mapping exists, the server reacts in one of two ways, -depending it is configured. In our friendly configuration we default -the unmappable requests into the credentials for the user "nobody" who -has no privileged access and has a unique UID. Unfriendly servers -return an NFS access error when no valid mapping can be found for an -incoming NFS credential.

-

Our new system call is used to add and delete entries from the -kernel resident map. It also provides the ability to flush all entries -that map to a specific UID on the server system, or flush all entries -from a given CLIENT-IP-ADDRESS.

-

We modified the mount daemon (which handles NFS mount requests on -server systems) to accept a new transaction type, the Kerberos -authentication mapping request. Basically, as part of the mounting -process, the client system provides a Kerberos authenticator -along with an indication of her/his UID-ON-CLIENT (encrypted in the Kerberos -authenticator) on the workstation. The server's mount daemon converts -the Kerberos principal name into a local username. This -username is then looked up in a special file to yield the user's UID -and GIDs list. For efficiency, this file is a ndbm database -file with the username as the key. From this information, an NFS -credential is constructed and handed to the kernel as the valid mapping -of the <CLIENT-IP-ADDRESS, CLIENT-UID> tuple for this request.

-

At unmount time a request is sent to the mount daemon to remove the -previously added mapping from the kernel. It is also possible to send a -request at log-out time to invalidate all mapping for the current user -on the server in question, thus cleaning up any remaining mappings that -exist (though they shouldn't) before the workstation is made available -for the next user.

-

Security Implications of the Modified NFS

-

This implementation is not completely secure. For starters, user -data is still sent across the network in an unencrypted, and therefore -interceptable, form. The low-level, per-transaction authentication is -based on a <CLIENT-IP-ADDRESS, CLIENT-UID> pair provided -unencrypted in the request packet. This information could be forged and -thus security compromised. However, it should be noted that only while -a user is actively using her/his files (i.e., while logged in) are -valid mappings in place and therefore this form of attack is limited to -when the user in question is logged in. When a user is not logged in, -no amount of IP address forgery will permit unauthorized access to -her/his files.

-

References

-

1.S. P. Miller, B. C. Neuman, J. I. Schiller, and J. H. Saltzer, Section -E.2.1: Kerberos Authentication and Authorization System, M.I.T. -Project Athena, Cambridge, Massachusetts (December 21, 1987).

-

2.E. Balkovich, S. R. Lerman, and R. P. Parmelee, "Computing in -Higher Education: The Athena Experience," Communications of the ACM. -28(11), pp. 1214-1224, ACM (November, 1985).

-

3.R. M. Needham and M. D. Schroeder, "Using Encryption for -Authentication in Large Networks of Computers," Communications of -the ACM 21(12), pp. 993-999 (December, 1978).

-

4.V. L. Voydock and S. T. Kent, "Security Mechanisms in High-Level -Network Protocols," Computing Surveys 15(2), ACM (June -1983).

-

5.National Bureau of Standards, "Data Encryption Standard," Federal -Information Processing Standards Publication 46, Government Printing -Office, Washington, D.C. (1977).

-

6.S. P. Dyer, "Hesiod," in Usenix Conference Proceedings -(Winter, 1988).

-

7.W. J. Bryant, Kerberos Programmer's Tutorial, M.I.T. -Project Athena (In preparation).

-

8.W. J. Bryant, Kerberos Administrator's Manual, M.I.T. -Project Athena (In preparation).

-

9.G. W. Treese, "Berkeley Unix on 1000 Workstations: Athena Changes -to 4.3BSD," in Usenix Conference Proceedings (Winter, 1988)

-

10.C. A. DellaFera, M. W. Eichin, R. S. French, D. C. Jedlinsky, J. -T. Kohl, and W. E. Sommerfeld, "The Zephyr Notification System," in Usenix -Conference Proceedings (Winter, 1988).

-

11.M. A. Rosenstein, D. E. Geer, and P. J. Levine, in Usenix -Conference Proceedings (Winter, 1988).

-

12.R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B. Lyon, -"Design and Implementation of the Sun Network Filesystem," in Usenix -Conference Proceedings (Summer, 1985).

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_command_prompt.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_command_prompt.htm deleted file mode 100644 index 5d1eed6..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_command_prompt.htm +++ /dev/null @@ -1,29 +0,0 @@ - - - - -Using Kerberos in a Command Prompt Environment - - - - - - - - -

Using Kerberos in a Command Prompt Environment

- -

Command Prompt commands that are available to perform Kerberos functions

- -

KINIT - Kerberos log-in utility

- -

KLIST - list currently held Kerberos tickets

- -

KDESTROY - destroy Kerberos tickets

- -

MS2MIT - import Kerberos tickets from Windows Logon Session

- -

AKLOG - obtain AFS tokens

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_help_topics.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_help_topics.htm deleted file mode 100644 index 6696ffe..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_help_topics.htm +++ /dev/null @@ -1,26 +0,0 @@ - - - - - Leash Program - - - - -

-

Kerberos Help Topics

-

-

About Kerberos

-

Kerberos Names

-

Kerberos Tickets

-

Using Kerberos in -a Command Prompt Environment

-

Kerberos Copyright

-

Kerberos Export Restrictions and Source -Code Access

-

Kerberos Timing Issues

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_names.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_names.htm deleted file mode 100644 index 64a512b..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_names.htm +++ /dev/null @@ -1,29 +0,0 @@ - - - - -Kerberos Names - - - - - - - - -

Kerberos Names

- -

A Kerberos name contains three parts. The first is the principal name, which is usually a user's or service's name. The second is the instance, which in the case of a user is usually null. Some users may have privileged instances, however, such as "root" or "admin." In the case of a service, the instance is the name of the machine on which it runs; i.e. there can be an rlogin service running on the machine ABC, which is different from the rlogin service running on the machine XYZ. The third part of a Kerberos name is the realm. The realm corresponds to the Kerberos service providing authentication for the principal. For example, at MIT there is a Kerberos running at the Laboratory for Computer Science and one running at Project Athena.

- -

When writing a Kerberos name, the principal name is separated from the instance (if not null) by a period, and the realm (if not the local realm) follows, preceded by an "@" sign. The following are examples of valid Kerberos names:

- -

billb

- -

jis.admin

- -

srz@LCS.MIT.EDU

- -

treese.root@ATHENA.MIT.EDU

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_principals.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_principals.htm deleted file mode 100644 index 7b83d8a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_principals.htm +++ /dev/null @@ -1,125 +0,0 @@ - - - - - Kerberos: How does the other guy know who I am? - - - - -

Kerberos: How Does the Other Guy Know -Who I Am?

-

A portion of the text below was copied with permission from An -Inessential Guide to Athena (5th edition) published by the MIT -Student Information Processing Board.

-

MIT's Athena Project developed a system known as Kerberos to provide -for security on a physically insecure network. A complete description -of the mechanisms used by Kerberos to provide this security is beyond -the scope of this document. This section describes why Kerberos is -necessary in a distributed computing environment, the theory behind -Kerberos (with pointers to further information), and the user commands -which interface to Kerberos. It also gives hints for using Kerberos -more effectively.

-

Why Kerberos is needed. -Most moderately-sized to large computer systems use some form of -password protection scheme to authenticate users; that is, -they require a user who wishes to log in to give both his name and a -secret password which only he and the computer system know. Anyone who -happens to know the password can claim to be that user. It is therefore -desirable to prevent people from listening in on the conversation -between the computer and the user's terminal or workstation.

-

This is relatively easy in the case of terminals directly connected -to the machine, since each terminal has its own cable. In a local-area -network, several (typically between 10 and 200) computers share one -cable, and any computer can listen in on any network traffic. With the -advent of network monitoring packages for IBM PC's and similar -machines, it is relatively easy for a determined user to set up a -program to listen in on a network for any and all passwords being sent -over. This would allow an intruder to masquerade as someone else, -violating their privacy and perhaps stealing information (academic or -otherwise). Note that THE ELECTRONIC COMMUNICATIONS PRIVACY ACT of -1986 makes this a Federal crime punishable by lots of nasty stuff -(ask your lawyer for details).

-

In addition, since Athena (like the Internet) uses a -workstation-based model of computation, with most operations taking -place on a single-user workstation with occasional requests (for files, -etc.) going to other "server" machines, Athena needed to set up some -way to allow users to prove their identity to such server -machines.

-

A few definitions. Knowledge of the following terms is not -essential for use of Kerberos but is helpful in understanding what is -going on:

-

user:A human being who wishes to use a computer system. A -user, through his workstation, may make a series of requests to several -servers in the course of a session, and would like to avoid (due to -sheer laziness, among other things) having to type his password to each -machine in question.

-

service:A program or set of programs running on a computer -which is accessible over the network. The service would like to know -with certainty that the workstation to which it is providing the -service is really being used by the user who claims to be -logged in on the workstation. Note that workstations are not services, -and thus one may not use Kerberos to log into them over the network.

-

principal:An entity which can -both prove its identity and verify the identities of other principals -who wish to communicate with it; each user and each service -registered with Kerberos is thus a principal.

-

ticket: A block of data which, when given to a user, enables -her to prove her identity to a service. Tickets are stored in RAM in an -area of memory reserved by the Kerberos cache. They are automatically -erased when the computer is rebooted or when the user issues the -destroy tickets command from Leash. They may also be destroyed from a -Command Prompt by executing the command: kdestroy. Tickets contain -information which must be considered private to the user, and thus -should be protected. As they contain a time stamp, they cease to be -valid after a limited time. One ticket is needed for each service; -tickets are used to build authenticators, which are sent over -the network to the service.

-

authenticator: A block of data which a user's workstation -sends over the network to a specific service to prove that the -workstation really is in use by that user. An authenticator expires -after five minutes. One authenticator is typically built per session of -use of a service; once the service decodes the authenticator, it -generally permits the user to operate for as long as she wants. This -behavior is not in any way mandated by the Kerberos suite of programs -and libraries (it is just a detail of the implementation), but it is -convenient and considered secure enough for most environments.

-

How It Works...

-

Kerberos uses a standard encryption-based authentication technique -with a few variations designed to increase ease of use across -administrative entities and reduce the number of possible "attacks" on -the system. The system uses cryptographically sealed tickets -and authenticators} which may be passed over the network and -decrypted only by a user or machine which knows the appropriate -encryption/decryption key.

-

Using Kerberos...

-

After obtaining your initial ticket getting ticket either by logging -onto your workstation or by utilizing a Kerberos Ticket Manager (e.g., -Leash), Kerberos aware applications will generate authenticators and -obtain service tickets without further end user interaction.  -Examples of programs which utilize Kerberos authentication include -e-mail, distributed file systems, remote login tools, and browsers.
-

-

Registering with Kerberos...

-

To use Kerberos you must have an account registered in a REALM -associated with the service(s) you wish to access.  Contact your -network administrator to determine the registration procedures for your -organization.
-

-

Once registered with Kerberos, tickets are obtained by the login -program every time you log onto a workstation. You can also manually -obtain new tickets (which you usually do only if your old ones have -expired, 10 hours after you log in) by running the program kinit. -It prompts for a username, requests an initial ticket from Kerberos, -and then asks for your password. If you are not registered with -Kerberos, it will print Principal unknown (Kerberos). -Unless you mistype your username, this should not happen. To correct -this, or any other errors, contact the appropriate Help Desk personnel -for your organization.
-
-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_tickets.htm b/src/windows/leash/htmlhelp/html/leash_topic_kerberos_tickets.htm deleted file mode 100644 index 20b8859..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_kerberos_tickets.htm +++ /dev/null @@ -1,23 +0,0 @@ - - - - -Kerberos Tickets - - - - -

Kerberos Tickets

- -

When you authenticate yourself with Kerberos, through either the Leash program or the kinit command, Kerberos gives you an initial Kerberos ticket. (A Kerberos ticket is an encrypted protocol message that provides authentication.) Kerberos uses this ticket for network utilities such as telnet, ftp or email. The ticket transactions are done transparently, so you don't have to worry about their management.

- -

Note, however, that tickets expire. Privileged tickets, such as root instance tickets, expire in a few minutes, while tickets that carry more ordinary privileges may be good for several hours or a day, depending on the installation's policy. On Athena, the default time limit is 10 hours; if your login session extends beyond the time limit, you will have to reauthenticate yourself to Kerberos to get new tickets.

- -

See Also

- -

An Authentication Service

- -

How Does the Other Guy Know Who I Am?

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_leash_help_topics.htm b/src/windows/leash/htmlhelp/html/leash_topic_leash_help_topics.htm deleted file mode 100644 index 57457d9..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_leash_help_topics.htm +++ /dev/null @@ -1,33 +0,0 @@ - - - - -Leash Program - - - - - - - - -

Leash Program

- -

leash \'le-sh\ n [ME lees, leshe, fr. OF laisse, fr. laissier] 1: a line for leading or restraining an animal 2a: a set of three animals (as greyhounds, foxes, bucks, or hares) 2b: a set of three - leash vt 3: a Windows program developed at MIT to manage a user's Kerberos tickets.

- -

Leash Help Topics

- -

Leash Screen Display (Kerberometer and Dash Notification)

- -

Leash Commands

- -

How To Use Leash Online Help

- -

Leash Copyright

- -

Acknowledgments

- -

Reporting Problems with Leash

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_leash_systray.htm b/src/windows/leash/htmlhelp/html/leash_topic_leash_systray.htm deleted file mode 100644 index 1ac822e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_leash_systray.htm +++ /dev/null @@ -1,64 +0,0 @@ - - - - - Leash System Tray Tool - - - - -

-

Leash System Tray Tool

-

While Leash is running one of the following icons -will be -displayed in the system tray based upon the current state of your -Kerberos -tickets.  Clicking on the icon with the -first mouse button will open or close the Leash display window.  Clicking with the second mouse button will -display a menu of commands.

-System Tray Icons
-
-
    -
  • Green:     tickets are -valid and have a lifetime of greater than 20 minutes
    • -
  • Grey:       no -tickets -are present
    • -
  • Orange:  tickets are -valid and about to expire
    • -
  • Red:        tickets -have expired
    -
    • -
-

System Tray Menu
-

-System Tray Menu
-
- -

-
-

-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_leash_window.htm b/src/windows/leash/htmlhelp/html/leash_topic_leash_window.htm deleted file mode 100644 index 8e515da..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_leash_window.htm +++ /dev/null @@ -1,81 +0,0 @@ - - - - - Leash Screen Display (Kerberometer and Dash Notification) - - - - -

-

Leash Screen Display (Kerberometer and Dash Notification)

-

-

The window -title contains -the name “Leash” followed by the current date and time.  -Below the title are a menu bar; a tool bar -(optional); a tree view; and a status bar (optional).

-

Leash Display Window
-

-

-

The root of the Leash tree view shows the active -user -principal name (user@REALM).  This entry -appears with a "+" icon and a Kerberos icon to its left.  -Click on this plus icon of a line to expand -the branch, displaying a "-" icon.  -To retract the branch click on the minus sign.

-

Below user principal, the tree contains ticket -categories.  Below each ticket category -are the current tickets belonging to the group.  -Each ticket entry contains the current ticket status, the time -it was -issued, the time it will expire, and the service principal and flags.  For Kerberos 5 tickets, encryption types and -network address information are listed below each ticket.

-

The tree updates once per minute.  -If you need an immediate update of your -ticket status, you can either click in the window or the press the -Update -Display button on the toolbar.

-

On the right of the status bar is a -display of the remaining -time of your tickets (both Kerberos 4 and Kerberos 5, as some programs -obtain -only Kerberos 4 tickets, these are not necessarily the same) in hours, -minutes, -and seconds.  This used to be known as -the Kerberometer. 

-

Each ticket is described and represented by an -icon of a -little ticket. The color of the ticket changes based on its viability:

-

green = normal

-

yellow = tickets are -within 15 -minutes of expiration

-

red = tickets have -expired, or you -have no tickets

-

gray = these tickets -are not available -to you

-

At 15, 10, and 5 -minutes before your Kerberos tickets expire, a screen pops up to warn -that your Kerberos tickets will expire soon and to give you the -opportunity to renew them.  This used to be known as Dash-style -notification.

-

Andrew File System (AFS) tokens information is -displayed -only on machines that have either OpenAFS for Windows http://www.openafs.org or Transarc -AFS 3.6 -for Windows.

-

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_online_help.htm b/src/windows/leash/htmlhelp/html/leash_topic_online_help.htm deleted file mode 100644 index 1a91f3e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_online_help.htm +++ /dev/null @@ -1,25 +0,0 @@ - - - - - Help on Using Leash Online Help - - - - -

How To Use Leash Online Help

-

In Leash, F1 are the online Help keys. Here's what they do:

-

Pressing F1...gets you...

-

in the Leash main window: Leash -Help Topics -- click the one you need.

-

in Leash Help Topics: Contents for How To Use Help -- list of topics -explaining the features and functions of Windows online help -- click -the one you need.

-

in a Leash dialogue box: context-sensitive help, i.e., the specific -topic that explains where you are and what you're doing.

-

at an error message: explanation for the error message.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_password_choice.htm b/src/windows/leash/htmlhelp/html/leash_topic_password_choice.htm deleted file mode 100644 index 5fd7dfa..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_password_choice.htm +++ /dev/null @@ -1,91 +0,0 @@ - - - - -How to Choose a Password - - - - - - - - -

How To Choose a Password...

- -

Your passwords are the keys to many computers, from a bank machine to a multiuser mainframe to a server on a network. Your password helps to prove that you are who you say you are, and ensures your privacy.

- -

Compromised passwords are the means by which most unauthorized (and unscrupulous) people gain access to a system. Someone logging on under your name has access not only to your computer files, but to most of the facilities of the computer system. Since tampering can have far-reaching and serious consequences, it's important to take to heart the following guidelines for choosing a password.

- -

Do choose:

- -

*Something easy for you to remember with at least six characters.

- -

*Something obscure. For instance, you might deliberately misspell a term or use an odd character in an otherwise familiar term, such as "phnybon" instead of "funnybone." Or use a combination of two unrelated words or a combination of letters and numbers.

- -

*A combination of letters and numbers, or a phrase like "many colors" and then use only the consonants "mnYc0l0rz."

- -

*An acronym for your favorite saying, for example, "L!isn!" (Live! It's Saturday Night!)

- -

Don't choose:

- -

*Your name in any form - first, middle, last, maiden, spelled backwards, nickname or initials.

- -

*Your userid, or your userid spelled backwards.

- -

*Part of your userid or name.

- -

*Any common name, such as Joe.

- -

*The name of a close relative, friend, or pet.

- -

*Your phone or office number, address, birthday, or anniversary.

- -

*Your license-plate number, your social-security number, or any all numeral password.

- -

*Names from popular culture, e.g., spock, sleepy.

- -

*Any word in a dictionary.

- -

*Passwords of fewer than four characters.

- -

Mum's the Word

- -

Never tell anyone your password -- not even your system administrator or account manager -- and don't write it down. Make sure you have chosen a password that you can remember. And, finally, change your password at regular intervals

- -

Reprinted from i/s, Vol. 4, No. 9,

- -

May 1989. Revised March 1993.

- -

Copyright C 1993 MIT Information Systems

- -

Send comments or questions about this publication to

- -

<comment-ispubs@mit.edu> or call x3-5150

- -

Before You Begin...

- -

Remember that passwords are case-sensitive, and note whether your keyboard has Caps Lock on. Leash is not programmed to inform you about the state of your Caps Lock key.

- -

How To Use Change Password...

- -

1.In Leash, click on the Change Password button (the one that says abc and has a green arrow), type your username in the first field of the dialogue box that opens, and press Enter or click OK. You may start over anytime by clicking Restart, stop at any time by clicking Cancel, or get help at any time with the Help button.

- -

2.Type your current password in the second field and press Enter or click OK.

- -

The program checks the username and password you entered and notifies you if either is invalid.

- -

3.Type your new password in the third field and press Enter or click OK.

- -

4.Retype your new password, to verify it, and press Enter or click OK.

- -

Once you have entered the new password twice with consistent spellings, the Leash program replaces your old password with the new, if it is a strong password. If Kerberos determines the password is weak, a message notifies you, and you need to repeat steps 1 through 4 with a strong password, as described by the "How To Choose a Password" guidelines above.

- -

How Change Password Works...

- -

When you type into the password fields of the dialog box, neither characters nor sounds echo back, thus keeping secret even the number of password characters. The program accepts only printable characters for new passwords, i.e., characters between ASCII codes 0x20 and 0x7E.

- -

When you have entered the new password twice consistently, the program attempts to change the password via a dialogue with the Kerberos administrative server. Some Kerberos sites, including MIT's Athena environment, check the password's strength before allowing the change to take place and notifies you if it determines that the password is weak.

- - - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_timing_issues.htm b/src/windows/leash/htmlhelp/html/leash_topic_timing_issues.htm deleted file mode 100644 index 281ee1a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_timing_issues.htm +++ /dev/null @@ -1,27 +0,0 @@ - - - - - Kerberos Timing Issues - - - - -

-

Kerberos Timing Issues

-

-

To resynchronize your computer's clock to the network's clock, -manually set it, or run the leash Synchronize Time Command.  If -you are using Windows XP or Windows 2003, the Date and Time Control -Panel contains an Internet Time page which can be used to automatically -synchronize the clock on a regular basis.
-

-

Why Do It...

-

Kerberos authentication uses time stamps as part of its protocol. -When the clocks of the Kerberos server and your computer are too far -out of synchronization, you cannot authenticate properly.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_topic_why_use.htm b/src/windows/leash/htmlhelp/html/leash_topic_why_use.htm deleted file mode 100644 index 26e1b7e..0000000 --- a/src/windows/leash/htmlhelp/html/leash_topic_why_use.htm +++ /dev/null @@ -1,77 +0,0 @@ - - - - - Why use Leash? - - - - -

Why -Use Leash?

-

Leash is a graphical system-tray tool designed to -manage for -Kerberos tickets on Microsoft Windows.  Leash -is used to obtain Kerberos tickets, -change your Kerberos password, and obtain Andrew File System (AFS) -tokens.

-

Leash combines the functionality of several command line tools a -user would use to manage Kerberos functions: kinit, klist, kdestroy, ms2mit, aklog, and -passwd or kpasswd. Leash combines all of these functions into one user -interface and supports  auto-renewal or user notification when tickets -are approaching expiration.

-

There are many ways to execute Leash. In addition -to -clicking on a Leash shortcut, you can start Leash from the Windows -command -Prompt or Run... option.  Command-line -options may be specified.  If you run Leash -with the options -i or -kinit, it will display the ticket -initialization dialog -and exit; -m or –ms2mit or –import will import tickets from the -Microsoft -Windows logon session (if available) and exit; -d or -destroy will -destroy all -existing tickets and exit; -r or –renew will renew existing Kerberos -tickets -(if possible) and exit; -a or –autoinit will display the ticket -initialization -dialog if you have no Kerberos tickets. 

-

You may create a shortcut to Leash within your -Windows -Startup folder (Start Menu->Programs->Startup).  - A -shortcut to “Leash32.exe –autoinit” ensures that Kerberos tickets are -available -for the use of Kerberized applications throughout your Windows logon -session.

-

If Leash is not executed before using a Kerberized -application, the application may prompt you for your password. Some -applications, like lpr, never prompt you for a password. These -applications -simply terminate with a message indicating that you are not -authenticated. Before -these applications can successfully be used a separate program, such as -Leash -or kinit, must be used to first authenticate you using Kerberos. 

-

Leash does not perform a logon in the sense of the -Windows -Logon Service.  A logon service would do -more than manage Kerberos tickets. A logon service would authenticate -you to -the local machine, validate access to your local file system and -performs -additional set-up tasks. These are beyond the scope of Leash. Leash -simply -allows you to manage Kerberos tickets on behalf of compatible -applications and -to change your Kerberos password.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_view_debug_window.htm b/src/windows/leash/htmlhelp/html/leash_view_debug_window.htm deleted file mode 100644 index 1ed4c3c..0000000 --- a/src/windows/leash/htmlhelp/html/leash_view_debug_window.htm +++ /dev/null @@ -1,32 +0,0 @@ - - - - - Debug Window Option - - - - -

Debug Window

-

When this item (found under the Action menu) is checked, the Leash -Debug Window appears.
-

-

Debug Window

-

-

From this window, commands that -Leash issues to the Kerberos server are visible. Here, you can see -exactly what -Leash is doing. This action is useful if you are having a problem with -Leash -and want to see more exactly what is going on, or if you are writing -Kerberized -applications dependent on Kerberos tickets or the actions of Leash. 

-

Note: Debugging is only -supported by Kerberos 4 and AFS.  -Kerberos 5 protocol operations cannot be debugged using Leash.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_view_large_icons.htm b/src/windows/leash/htmlhelp/html/leash_view_large_icons.htm deleted file mode 100644 index 6e676db..0000000 --- a/src/windows/leash/htmlhelp/html/leash_view_large_icons.htm +++ /dev/null @@ -1,25 +0,0 @@ - - - - - Large Icons Option - - - - -

Large Icons

-

-

-

When this option is checked on the View menu, the -icons and -fonts in the main window (such as the picture of Kerberos) will be -about twice -as big as the minimal icon and font size.  -Naturally, smaller icons allow many more tickets to fit into a -nonscrolling window.  The default setting -of Leash is Large Icons.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_view_status_bar.htm b/src/windows/leash/htmlhelp/html/leash_view_status_bar.htm deleted file mode 100644 index 18d722a..0000000 --- a/src/windows/leash/htmlhelp/html/leash_view_status_bar.htm +++ /dev/null @@ -1,21 +0,0 @@ - - - - - Status Bar Option - - - - -

Status Bar

-

-

-

The Status Bar is on by default; -turning it off causes the bar at the bottom of the Leash window (with -the time -remaining on any tickets that you might have) to disappear.

- - diff --git a/src/windows/leash/htmlhelp/html/leash_view_toolbar.htm b/src/windows/leash/htmlhelp/html/leash_view_toolbar.htm deleted file mode 100644 index 1f6e674..0000000 --- a/src/windows/leash/htmlhelp/html/leash_view_toolbar.htm +++ /dev/null @@ -1,49 +0,0 @@ - - - - - Leash Toolbar - - - - -

Leash Toolbar

-

-

-

By default, this option on the View menu is -selected. When -it is checked, the toolbar containing icons for commonly used commands -is -visible. Otherwise, Leash hides it.
-

-

Leash Toolbar
-

-

-

The Leash Toolbar contains buttons which act as -shortcuts to -the most frequently used Actions found on the Menubar.  -From left to right:

-
    -
  1. Get -Tickets
    2. -
  2. Renew Tickets
    3. -
  3. Import Tickets
    4. -
  4. Destroy Tickets
    5. -
  5. Change Password
    6. -
  6. Update Display
    7. -
  7. Synchronize -Time
    8. -
-
- - diff --git a/src/windows/leash/htmlhelp/leash32.hhk b/src/windows/leash/htmlhelp/leash32.hhk deleted file mode 100644 index 85b6221..0000000 --- a/src/windows/leash/htmlhelp/leash32.hhk +++ /dev/null @@ -1,364 +0,0 @@ - - - - -
    -
  • - - - - -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - - - - -
  • - - - - -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - -
  • - - - - -
      -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    -
  • - - - -
      -
    • - - - -
    -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - -
      -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    • - - - -
    -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
  • - - - - -
diff --git a/src/windows/leash/htmlhelp/leash32.hhp b/src/windows/leash/htmlhelp/leash32.hhp deleted file mode 100644 index 5946eeb..0000000 --- a/src/windows/leash/htmlhelp/leash32.hhp +++ /dev/null @@ -1,228 +0,0 @@ -[OPTIONS] -Auto Index=Yes -Auto TOC=9 -Compatibility=1.1 or later -Compiled file=leash.chm -Contents file=Table_of_Contents.hhc -Default Font=Arial,10,0 -Default Window=Default Leash Help Window -Default topic=html\leash_topic_why_use.htm -Display compile progress=Yes -Error log file=.\leash.log -Full-text search=Yes -Index file=leash32.hhk -Language=0x409 English (United States) -Title=Leash Ticket Manager Help - -[WINDOWS] -Default Leash Help Window="Leash Ticket Manager Help","Table_of_Contents.hhc","leash32.hhk","html\leash_topic_leash_help_topics.htm","html\leash_topic_leash_help_topics.htm",,,,,0x42520,320,0x304e,[0,0,800,560],0x7b0000,,,,,,0 - - -[FILES] -html\leash_topic_why_use.htm -html\leash_topic_leash_help_topics.htm -html\leash_topic_leash_window.htm -html\leash_topic_leash_systray.htm -html\leash_menu_commands.htm -html\leash_file_exit.htm -html\leash_command_get_tickets.htm -html\leash_command_import_tickets.htm -html\leash_command_renew_tickets.htm -html\leash_command_destroy_tickets.htm -html\leash_command_change_password.htm -html\leash_topic_password_choice.htm -html\leash_command_reset_window.htm -html\leash_command_sync_time.htm -html\leash_command_update_display.htm -html\leash_view_large_icons.htm -html\leash_view_toolbar.htm -html\leash_view_status_bar.htm -html\leash_view_debug_window.htm -html\leash_option_auto_renewal.htm -html\leash_option_destroy_tickets_on_exit.htm -html\leash_option_expiration_alarm.htm -html\leash_option_upper_case_realm.htm -html\leash_option_leash_properties.htm -html\leash_option_kerberos_properties.htm -html\leash_option_krb4_properties.htm -html\leash_option_krb5_properties.htm -html\leash_option_afs_properties.htm -html\leash_menu_help_why_use.htm -html\leash_help_about_leash32.htm -html\leash_topic_kerberos_help_topics.htm -html\leash_topic_about_kerberos.htm -html\leash_topic_kerberos_names.htm -html\leash_topic_kerberos_tickets.htm -html\leash_topic_kerberos_command_prompt.htm -html\leash_topic_timing_issues.htm -html\leash_external_kdestroy.htm -html\leash_external_kinit.htm -html\leash_external_klist.htm -html\leash_external_ms2mit.htm -html\leash_external_aklog.htm -html\leash_topic_kerberos_principals.htm -html\leash_topic_kerberos_auth_service.htm -html\leash_manpages.htm -html\leash_manpage_kinit.htm -html\leash_manpage_klist.htm -html\leash_manpage_kdestroy.htm -html\leash_manpage_ms2mit.htm -html\leash_manpage_aklog.htm -html\leash_errors.htm -html\leash_topic_error_8.htm -html\leash_topic_error_57.htm -html\leash_topic_error_62.htm -html\leash_topic_error_invalid_principal.htm -html\leash_topic_online_help.htm -html\leash_copyright.htm -html\leash_kerberos_copyright.htm -html\leash_export.htm -html\leash_bug_reports.htm -html\leash_acknowledgements.htm -html\hid_view_toolbar.htm -html\afx_hidw_toolbar.htm -html\hid_view_status_bar.htm -html\afx_hidw_status_bar.htm -html\hid_app_about.htm -html\hid_app_exit.htm -html\hid_help_index.htm -html\hid_help_using.htm -html\hid_context_help.htm -html\hid_sc_size.htm -html\hid_sc_move.htm -html\hid_sc_minimize.htm -html\hid_sc_maximize.htm -html\hid_sc_close.htm -html\hid_sc_restore.htm - -[ALIAS] -HID_ABOUT_KERBEROS = html\leash_topic_about_kerberos.htm -HID_ABOUT_LEASH32_COMMAND = html\leash_menu_commands.htm -HID_ABOUT_LEASH32_MODULES = html\leash_help_about_leash32.htm -HID_AFS_PROPERTIES_COMMAND = html\leash_option_afs_properties.htm -HID_CHANGE_PASSWORD_COMMAND = html\leash_command_change_password.htm -HID_DEBUG_WINDOW = html\leash_view_debug_window.htm -HID_DEBUG_WINDOW_OPTION = html\leash_view_debug_window.htm -HID_DESTROY_TICKETS_COMMAND = html\leash_command_destroy_tickets.htm -HID_DESTROY_TICKETS_ON_EXIT = html\leash_option_destroy_tickets_on_exit.htm -HID_EXIT_COMMAND = html\leash_file_exit.htm -HID_GET_TICKETS_COMMAND = html\leash_command_get_tickets.htm -HID_RENEW_TICKETS_COMMAND = html\leash_command_renew_tickets.htm -HID_IMPORT_TICKETS_COMMAND = html\leash_command_import_tickets.htm -HID_HELP_CONTENTS = html\leash_topic_leash_help_topics.htm -HID_KERBEROS_PROPERTIES_ADDDOM = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_ADDHOST = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_ADDHOST = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_ADDRLM = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_COMMAND = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_EDIT = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_EDITDOM = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_EDITHOST = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_LISTDOM = html\leash_option_kerberos_properties.htm -HID_KERBEROS_PROPERTIES_LISTRLM = html\leash_option_kerberos_properties.htm -HID_KRB4_PROPERTIES_COMMAND = html\leash_option_krb4_properties.htm -HID_KRB4_PROPERTIES_EDIT = html\leash_option_krb4_properties.htm -HID_KRB5_PROPERTIES_COMMAND = html\leash_option_krb5_properties.htm -HID_KRB5_PROPERTIES_EDIT = html\leash_option_krb5_properties.htm -HID_KRB5_PROPERTIES_FORWARDING = html\leash_option_krb5_properties.htm -HID_LARGE_ICONS_OPTION = html\leash_view_large_icons.htm -HID_LEASH_COMMANDS = html\leash_menu_commands.htm -HID_LEASH_PROGRAM = html\leash_topic_leash_help_topics.htm -HID_LEASH_PROPERTIES_COMMAND = html\leash_option_leash_properties.htm -HID_LEASH_PROPERTIES_EDIT = html\leash_option_leash_properties.htm -HID_LOW_TICKET_ALARM_OPTION = html\leash_option_expiration_alarm.htm -HID_RESET_WINDOW_OPTION = html\leash_command_reset_window.htm -HID_SCNCHRONIZE_TIME_OPTION = html\leash_command_sync_time.htm -HID_STATUS_BAR_OPTION = html\leash_view_status_bar.htm -HID_TOOLBAR_OPTION = html\leash_view_toolbar.htm -HID_UPDATE_DISPLAY_COMMAND = html\leash_command_update_display.htm -HID_UPPERCASE_REALM_OPTION = html\leash_option_upper_case_realm.htm -HID_WHY_USE_LEASH32 = html\leash_topic_why_use.htm -ID_CHANGEPASSWORD = html\leash_command_change_password.htm -ID_COUNTDOWN = html\leash_option_expiration_alarm.htm -ID_DESTROY = html\leash_command_destroy_tickets.htm -ID_EXIT = html\leash_file_exit.htm -ID_HELP_CHOOSE_PASSWORD = html\leash_topic_password_choice.htm -ID_HELP_KERBEROS = html\leash_topic_kerberos_help_topics.htm -ID_HELP_LEASH = html\leash_topic_leash_help_topics.htm -ID_HELP_PURPOSE = html\leash_topic_why_use.htm -ID_INITTICKETS = html\leash_command_get_tickets.htm -hid_view_toolbar = html\hid_view_toolbar.htm -afx_hidw_toolbar = html\afx_hidw_toolbar.htm -hid_view_status_bar = html\hid_view_status_bar.htm -afx_hidw_status_bar = html\afx_hidw_status_bar.htm -hid_app_about = html\hid_app_about.htm -hid_app_exit = html\hid_app_exit.htm -hid_help_index = html\hid_help_index.htm -hid_help_using = html\hid_help_using.htm -hid_context_help = html\hid_context_help.htm -hid_sc_size = html\hid_sc_size.htm -hid_sc_move = html\hid_sc_move.htm -hid_sc_minimize = html\hid_sc_minimize.htm -hid_sc_maximize = html\hid_sc_maximize.htm -hid_sc_close = html\hid_sc_close.htm -hid_sc_restore = html\hid_sc_restore.htm - -[MAP] -#define HID_ABOUT_KERBEROS 98320 -#define HID_ABOUT_LEASH32_COMMAND 123200 -#define HID_ABOUT_LEASH32_MODULES 131225 -#define HID_AFS_PROPERTIES_COMMAND 98327 -#define HID_CHANGE_PASSWORD_COMMAND 98315 -#define HID_DEBUG_WINDOW 131229 -#define HID_DEBUG_WINDOW_OPTION 98317 -#define HID_DESTROY_TICKETS_COMMAND 98313 -#define HID_DESTROY_TICKETS_ON_EXIT 98321 -#define HID_EXIT_COMMAND 123201 -#define HID_GET_TICKETS_COMMAND 98343 -#define HID_RENEW_TICKETS_COMMAND 98312 -#define HID_IMPORT_TICKETS_COMMAND 98342 -#define HID_HELP_CONTENTS 98340 -#define HID_KERBEROS_PROPERTIES_ADDDOM 131255 -#define HID_KERBEROS_PROPERTIES_ADDHOST 131254 -#define HID_KERBEROS_PROPERTIES_ADDHOST 131269 -#define HID_KERBEROS_PROPERTIES_ADDRLM 131253 -#define HID_KERBEROS_PROPERTIES_COMMAND 98337 -#define HID_KERBEROS_PROPERTIES_EDIT 131233 -#define HID_KERBEROS_PROPERTIES_EDITDOM 131256 -#define HID_KERBEROS_PROPERTIES_EDITHOST 131271 -#define HID_KERBEROS_PROPERTIES_LISTDOM 131279 -#define HID_KERBEROS_PROPERTIES_LISTRLM 131250 -#define HID_KRB4_PROPERTIES_COMMAND 98329 -#define HID_KRB4_PROPERTIES_EDIT 131232 -#define HID_KRB5_PROPERTIES_COMMAND 98330 -#define HID_KRB5_PROPERTIES_EDIT 131241 -#define HID_KRB5_PROPERTIES_FORWARDING 131240 -#define HID_KRBCHECK_OPTION 98335 -#define HID_LARGE_ICONS_OPTION 98322 -#define HID_LEASH_COMMANDS 131200 -#define HID_LEASH_PROGRAM 98319 -#define HID_LEASH_PROPERTIES_COMMAND 98331 -#define HID_LEASH_PROPERTIES_EDIT 131239 -#define HID_LOW_TICKET_ALARM_OPTION 98334 -#define HID_RESET_WINDOW_OPTION 98326 -#define HID_SCNCHRONIZE_TIME_OPTION 98314 -#define HID_STATUS_BAR_OPTION 124929 -#define HID_TOOLBAR_OPTION 124928 -#define HID_UPDATE_DISPLAY_COMMAND 98316 -#define HID_UPPERCASE_REALM_OPTION 98323 -#define HID_WHY_USE_LEASH32 98341 -#define ID_CHANGEPASSWORD 112 -#define ID_COUNTDOWN 101 -#define ID_DESTROY 111 -#define ID_EXIT 200 -#define ID_HELP_CHOOSE_PASSWORD 2511841056 -#define ID_HELP_KERBEROS 211 -#define ID_HELP_LEASH 210 -#define ID_HELP_PURPOSE 115 -#define ID_INITTICKETS 113 -#define KRB_BAD_NAME 39525457 -#define KRB_BAD_TIME 39525413 -#DEFINE KRB_ERROR_78 39525454 -#define KRB_INCORR_PASSWD 39525438 -#define KRB_NO_TKT_FILE 39525446 -#define KRB_UNKNOWN_REALM 39525433 -#define KRB_UNKNOWN_USER 39525384 -#define LSH_INVINSTANCE 40591875 - -[INFOTYPES] diff --git a/src/windows/leash/out2con.cpp b/src/windows/leash/out2con.cpp index f7a1d35..877eac1 100644 --- a/src/windows/leash/out2con.cpp +++ b/src/windows/leash/out2con.cpp @@ -96,9 +96,7 @@ ConsoleEcho::ConsoleEcho() FILE* fp = _fdopen(m_pipefd, "w"); // copy to stdout *stdout = *fp; - // now slam the allocated FILE's _flag to zero to mark it as free without - // actually closing the os file handle and pipe - fp->_flag = 0; + // fp leaks, but we can't close it without closing the OS file handle // disable buffering setvbuf(stdout, NULL, _IONBF, 0); diff --git a/src/windows/leash/resource.h b/src/windows/leash/resource.h index 5f606fc..5b4a3e7 100644 --- a/src/windows/leash/resource.h +++ b/src/windows/leash/resource.h @@ -27,35 +27,23 @@ #define IDD_DEBUG_WINDOW 157 #define IDD_LEASH_DEBUG_WINDOW 157 #define IDD_PAGE1 160 -#define IDD_KRB4_PROP_LOCATION 160 #define IDD_PAGE2 161 -#define IDD_KRB4_PROP_CONTENT 161 #define IDD_KRB_PROP_CONTENT 161 #define IDD_LEASH_PROPERTIES 167 #define IDD_KERB5_PAGE_PROP 168 #define IDD_KRB5_PROP_CONTENT 168 #define IDD_KRB5_PROP_LOCATION 169 -#define IDD_KRB4_REALMHOST_MAINT 178 #define IDD_KRB_REALMHOST_MAINT 178 #define IDC_CURSOR1 179 -#define IDD_KRB4_DOMAINREALM_MAINT 180 -#define IDD_KRB4_ADD_REALMHOSTNAMES 181 #define IDD_KRB_ADD_REALM 181 -#define IDD_KRB4_EDIT_REALMHOSTNAMES 182 #define IDD_KRB_EDIT_REALM 182 -#define IDD_KRB4_ADD_DOMAINREALMNAME 183 -#define IDD_KRB4_EDIT_DOMAINREALMNAME 184 #define IDD_DIALOG5 187 #define IDD_KRB_ADD_KDC_HOSTSERVER 197 #define IDD_KRB_EDIT_KDC_HOSTSERVER 199 -#define IDD_KRB4_REALMHOST_MAINT2 203 -#define IDD_KRB4_EDIT_REALM 204 -#define IDD_KRB4_ADD_REALM 205 #define IDD_DIALOG6 207 #define IDD_KRB_DOMAINREALM_MAINT 207 #define IDD_DIALOG7 210 #define IDI_ICON1 221 -#define IDD_AFS_PROPERTIES 224 #define IDD_AUTHENTICATE 229 #define IDI_LEASH_PRINCIPAL_GOOD 230 #define IDI_LEASH_PRINCIPAL_LOW 231 @@ -102,7 +90,6 @@ #define IDC_LABEL_KERB_TICKETS 1011 #define IDC_LIST1 1012 #define IDC_LEASH_MODULE_LB 1012 -#define IDC_LIST_KRB4_REALM_HOST 1012 #define IDC_LIST_UTILITY 1012 #define IDC_LIST_KDC_REALM 1012 #define IDC_LIST_REMOVE_HOST 1012 @@ -173,7 +160,6 @@ #define IDC_STATIC_OPTIONS 1083 #define IDC_STATIC_TICKET_OPTIONS 1085 #define IDC_BUTTON1 1086 -#define IDC_BUTTON_AFS_PROPERTIES 1086 #define IDC_RESET_DEFAULTS 1086 #define IDC_BUTTON_KRB_HELP 1087 #define IDC_STATIC_KRBREALM 1088 @@ -213,9 +199,6 @@ #define IDC_STATIC_NOTE 1129 #define IDC_EDIT_KDC_HOST 1130 #define IDC_EDIT_REALM 1131 -#define IDC_BUTTON_KRB4_REALM_HOST_ADD 1133 -#define ID_BUTTON_KRB4_REALM_HOST_REMOVE 1134 -#define IDC_BUTTON_KRB4_REALM_HOST_EDIT 1135 #define IDC_BUTTON_REALMHOST_MAINT_HELP2 1136 #define IDC_BUTTON_HOST_ADD 1138 #define ID_BUTTON_HOST_REMOVE 1139 @@ -229,8 +212,6 @@ #define IDC_STATIC_KRBREALMS 1149 #define IDC_STATIC_INIFILES 1150 #define IDC_CHECK_CONFIRM_KRB5_EXISTS 1151 -#define IDC_RADIO_AFS_ENABLED 1152 -#define IDC_RADIO_AFS_DISABLED 1153 #define IDC_STATIC_KRB_DEFAULT_LIFETIME 1154 #define IDC_STATIC_TIME_UNITS 1155 #define IDC_STATIC_KRB_DEFAULT_RENEWTILL 1155 @@ -256,7 +237,6 @@ #define IDC_STATIC_KRB5 1171 #define IDC_EDIT_RENEWTILL_H 1171 #define IDC_CHECK1 1172 -#define IDC_CHECK_REQUEST_KRB4 1172 #define IDC_CHECK2 1173 #define IDC_CHECK_PRESERVE_KINIT_OPTIONS 1173 #define IDC_CHECK3 1174 @@ -265,7 +245,6 @@ #define IDC_STATIC_RENEW_TILL_VALUE 1177 #define IDC_PICTURE 1179 #define IDC_DNS_KDC 1180 -#define IDC_KRB4_DNS_KDC 1181 #define IDC_CHECK_CREATE_MISSING_CFG 1182 #define IDC_GROUP_LEASH_MISC 1183 #define IDC_STATIC_LIFETIME_RANGE 1184 @@ -306,9 +285,7 @@ #define ID_UPPERCASE_REALM 32787 #define ID_OPTIONS_RESETWINDOWSIZE 32789 #define ID_RESET_WINDOW_SIZE 32790 -#define ID_AFS_CONTROL_PANEL 32791 #define ID_SYSTEM_CONTROL_PANEL 32792 -#define ID_KRB4_PROPERTIES 32793 #define ID_KRB5_PROPERTIES 32794 #define ID_LEASH_PROPERTIES 32795 #define ID_OPTIONS_LOWTICKETALARMSOUND 32796 diff --git a/src/windows/leashdll/AFSroutines.c b/src/windows/leashdll/AFSroutines.c deleted file mode 100644 index f04ab29..0000000 --- a/src/windows/leashdll/AFSroutines.c +++ /dev/null @@ -1,833 +0,0 @@ -//* Module name: AFSroutines.c - -#include -#include -#include -#include - -/* Private Include files */ -#include -#include -#include "leashdll.h" -#include - -#ifndef NO_AFS -#include -#include -#include -#include -#endif -#include "leash-int.h" - -#define MAXCELLCHARS 64 -#define MAXHOSTCHARS 64 -#define MAXHOSTSPERCELL 8 -#define TRANSARCAFSDAEMON "TransarcAFSDaemon" -typedef struct { - char name[MAXCELLCHARS]; - short numServers; - short flags; - struct sockaddr_in hostAddr[MAXHOSTSPERCELL]; - char hostName[MAXHOSTSPERCELL][MAXHOSTCHARS]; - char *linkedCell; -} afsconf_cell; - -DWORD AfsOnLine = 1; -extern DWORD AfsAvailable; - -int not_an_API_LeashAFSGetToken(TICKETINFO * ticketinfo, TicketList** ticketList, char * kprinc); -DWORD GetServiceStatus(LPSTR lpszMachineName, LPSTR lpszServiceName, DWORD *lpdwCurrentState); -BOOL SetAfsStatus(DWORD AfsStatus); -BOOL GetAfsStatus(DWORD *AfsStatus); -void Leash_afs_error(LONG rc, LPCSTR FailedFunctionName); - -static char *afs_realm_of_cell(afsconf_cell *); -static long get_cellconfig_callback(void *, struct sockaddr_in *, char *); -static int get_cellconfig(char *, afsconf_cell *, char *); - -/**************************************/ -/* LeashAFSdestroyToken(): */ -/**************************************/ -int -Leash_afs_unlog( - void - ) -{ -#ifdef NO_AFS - return(0); -#else - long rc; - char HostName[64]; - DWORD CurrentState; - - if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine) - return(0); - - CurrentState = 0; - memset(HostName, '\0', sizeof(HostName)); - gethostname(HostName, sizeof(HostName)); - if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR) - return(0); - if (CurrentState != SERVICE_RUNNING) - return(0); - - rc = ktc_ForgetAllTokens(); - - return(0); -#endif -} - - -int -not_an_API_LeashAFSGetToken( - TICKETINFO * ticketinfo, - TicketList** ticketList, - char * kerberosPrincipal - ) -{ -#ifdef NO_AFS - return(0); -#else - struct ktc_principal aserver; - struct ktc_principal aclient; - struct ktc_token atoken; - int EndMonth; - int EndDay; - int cellNum; - int BreakAtEnd; - char UserName[64]; - char CellName[64]; - char ServiceName[64]; - char InstanceName[64]; - char EndTime[16]; - char Buffer[256]; - char Months[12][4] = {"Jan\0", "Feb\0", "Mar\0", "Apr\0", "May\0", "Jun\0", "Jul\0", "Aug\0", "Sep\0", "Oct\0", "Nov\0", "Dec\0"}; - char TokenStatus[16]; - time_t CurrentTime; - struct tm *newtime; - DWORD CurrentState; - DWORD rc; - char HostName[64]; - - - TicketList* list = NULL; - if ( ticketinfo ) { - ticketinfo->btickets = NO_TICKETS; - ticketinfo->principal[0] = '\0'; - } - if ( !kerberosPrincipal ) - kerberosPrincipal = ""; - - if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine) - return(0); - - CurrentState = 0; - memset(HostName, '\0', sizeof(HostName)); - gethostname(HostName, sizeof(HostName)); - if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR) - return(0); - if (CurrentState != SERVICE_RUNNING) - return(0); - - BreakAtEnd = 0; - cellNum = 0; - while (1) - { - if (rc = ktc_ListTokens(cellNum, &cellNum, &aserver)) - { - if (rc != KTC_NOENT) - return(0); - - if (BreakAtEnd == 1) - break; - } - BreakAtEnd = 1; - memset(&atoken, '\0', sizeof(atoken)); - if (rc = ktc_GetToken(&aserver, &atoken, sizeof(atoken), &aclient)) - { - if (rc == KTC_ERROR) - return(0); - - continue; - } - - if (!list) - { - list = (TicketList*) calloc(1, sizeof(TicketList)); - (*ticketList) = list; - } - else - { - list->next = (struct TicketList*) calloc(1, sizeof(TicketList)); - list = (TicketList*) list->next; - } - - CurrentTime = time(NULL); - - newtime = localtime(&atoken.endTime); - - memset(UserName, '\0', sizeof(UserName)); - strcpy(UserName, aclient.name); - - memset(CellName, '\0', sizeof(CellName)); - strcpy(CellName, aclient.cell); - - memset(InstanceName, '\0', sizeof(InstanceName)); - strcpy(InstanceName, aclient.instance); - - memset(ServiceName, '\0', sizeof(ServiceName)); - strcpy(ServiceName, aserver.name); - - memset(TokenStatus, '\0', sizeof(TokenStatus)); - - EndDay = newtime->tm_mday; - - EndMonth = newtime->tm_mon + 1;; - - sprintf(EndTime, "%02d:%02d:%02d", newtime->tm_hour, newtime->tm_min, newtime->tm_sec); - - sprintf(Buffer," %s %02d %s %s%s%s@%s %s", - Months[EndMonth - 1], EndDay, EndTime, - UserName, - InstanceName[0] ? "." : "", - InstanceName, - CellName, - TokenStatus); - - list->theTicket = (char*) calloc(1, sizeof(Buffer)); - if (!list->theTicket) - { -#ifdef USE_MESSAGE_BOX - MessageBox(NULL, "Memory Error", "Error", MB_OK); -#endif /* USE_MESSAGE_BOX */ - return ENOMEM; - } - - strcpy(list->theTicket, Buffer); - list->name = strdup(aclient.name); - list->inst = aclient.instance[0] ? strdup(aclient.instance) : NULL; - list->realm = strdup(aclient.cell); - list->encTypes = NULL; - list->addrCount = 0; - list->addrList = NULL; - - if ( ticketinfo ) { - sprintf(Buffer,"%s@%s",UserName,CellName); - if (!ticketinfo->principal[0] || !stricmp(Buffer,kerberosPrincipal)) { - strcpy(ticketinfo->principal, Buffer); - ticketinfo->issue_date = 0; - ticketinfo->lifetime = atoken.endTime; - ticketinfo->renew_till = 0; - - _tzset(); - if ( ticketinfo->lifetime - time(0) <= 0L ) - ticketinfo->btickets = EXPD_TICKETS; - else - ticketinfo->btickets = GOOD_TICKETS; - } - } - } - return(0); -#endif -} - -static char OpenAFSConfigKeyName[] = "SOFTWARE\\OpenAFS\\Client"; - -static int -use_krb524(void) -{ - HKEY parmKey; - DWORD code, len; - DWORD use524 = 0; - - code = RegOpenKeyEx(HKEY_CURRENT_USER, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); - if (code == ERROR_SUCCESS) { - len = sizeof(use524); - code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, - (BYTE *) &use524, &len); - RegCloseKey(parmKey); - } - if (code != ERROR_SUCCESS) { - code = RegOpenKeyEx(HKEY_LOCAL_MACHINE, OpenAFSConfigKeyName, - 0, KEY_QUERY_VALUE, &parmKey); - if (code == ERROR_SUCCESS) { - len = sizeof(use524); - code = RegQueryValueEx(parmKey, "Use524", NULL, NULL, - (BYTE *) &use524, &len); - RegCloseKey (parmKey); - } - } - return use524; -} - - - -int -Leash_afs_klog( - char *service, - char *cell, - char *realm, - int LifeTime - ) -{ -/////#ifdef NO_AFS -#if defined(NO_AFS) || defined(NO_KRB4) - return(0); -#else - long rc; -////This is defined in krb.h: - CREDENTIALS creds; - KTEXT_ST ticket; - struct ktc_principal aserver; - struct ktc_principal aclient; - char realm_of_user[REALM_SZ]; /* Kerberos realm of user */ - char realm_of_cell[REALM_SZ]; /* Kerberos realm of cell */ - char local_cell[MAXCELLCHARS+1]; - char Dmycell[MAXCELLCHARS+1]; - struct ktc_token atoken; - struct ktc_token btoken; - afsconf_cell ak_cellconfig; /* General information about the cell */ - char RealmName[128]; - char CellName[128]; - char ServiceName[128]; - DWORD CurrentState; - char HostName[64]; - BOOL try_krb5 = 0; - int retry = 0; - int len; -#ifndef NO_KRB5 - krb5_context context = 0; - krb5_ccache _krb425_ccache = 0; - krb5_creds increds; - krb5_creds * k5creds = 0; - krb5_error_code r; - krb5_principal client_principal = 0; - krb5_flags flags = 0; -#endif /* NO_KRB5 */ - - if (!AfsAvailable || GetAfsStatus(&AfsOnLine) && !AfsOnLine) - return(0); - - if ( !realm ) realm = ""; - if ( !cell ) cell = ""; - if ( !service ) service = ""; - - CurrentState = 0; - memset(HostName, '\0', sizeof(HostName)); - gethostname(HostName, sizeof(HostName)); - if (GetServiceStatus(HostName, TRANSARCAFSDAEMON, &CurrentState) != NOERROR) - return(0); - if (CurrentState != SERVICE_RUNNING) - return(0); - - memset(RealmName, '\0', sizeof(RealmName)); - memset(CellName, '\0', sizeof(CellName)); - memset(ServiceName, '\0', sizeof(ServiceName)); - memset(realm_of_user, '\0', sizeof(realm_of_user)); - memset(realm_of_cell, '\0', sizeof(realm_of_cell)); - memset(Dmycell, '\0', sizeof(Dmycell)); - - // NULL or empty cell returns information on local cell - if (cell && cell[0]) - strcpy(Dmycell, cell); - rc = get_cellconfig(Dmycell, &ak_cellconfig, local_cell); - if (rc && cell && cell[0]) { - memset(Dmycell, '\0', sizeof(Dmycell)); - rc = get_cellconfig(Dmycell, &ak_cellconfig, local_cell); - } - if (rc) - return(rc); - -#ifndef NO_KRB5 - if (!(r = Leash_krb5_initialize(&context, &_krb425_ccache))) { - int i; - - memset((char *)&increds, 0, sizeof(increds)); - - (*pkrb5_cc_get_principal)(context, _krb425_ccache, &client_principal); - i = krb5_princ_realm(context, client_principal)->length; - if (i > REALM_SZ-1) - i = REALM_SZ-1; - strncpy(realm_of_user,krb5_princ_realm(context, client_principal)->data,i); - realm_of_user[i] = 0; - try_krb5 = 1; - } -#endif /* NO_KRB5 */ - -#ifndef NO_KRB4 - if ( !try_krb5 || !realm_of_user[0] ) { - if ((rc = (*pkrb_get_tf_realm)((*ptkt_string)(), realm_of_user)) != KSUCCESS) - { - return(rc); - } - } -#endif - strcpy(realm_of_cell, afs_realm_of_cell(&ak_cellconfig)); - - if (strlen(service) == 0) - strcpy(ServiceName, "afs"); - else - strcpy(ServiceName, service); - - if (strlen(cell) == 0) - strcpy(CellName, local_cell); - else - strcpy(CellName, cell); - - if (strlen(realm) == 0) - strcpy(RealmName, realm_of_cell); - else - strcpy(RealmName, realm); - - memset(&creds, '\0', sizeof(creds)); - -#ifndef NO_KRB5 - if ( try_krb5 ) { - /* First try Service/Cell@REALM */ - if (r = (*pkrb5_build_principal)(context, &increds.server, - strlen(RealmName), - RealmName, - ServiceName, - CellName, - 0)) - { - try_krb5 = 0; - goto use_krb4; - } - - increds.client = client_principal; - increds.times.endtime = 0; - /* Ask for DES since that is what V4 understands */ - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - -#ifdef KRB5_TC_NOTICKET - flags = 0; - r = pkrb5_cc_set_flags(context, _krb425_ccache, flags); -#endif - if (r == 0) - r = pkrb5_get_credentials(context, 0, _krb425_ccache, &increds, &k5creds); - if (r == KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN || - r == KRB5KRB_ERR_GENERIC /* Heimdal */) { - /* Next try Service@REALM */ - pkrb5_free_principal(context, increds.server); - r = pkrb5_build_principal(context, &increds.server, - strlen(RealmName), - RealmName, - ServiceName, - 0); - if (r == 0) - r = pkrb5_get_credentials(context, 0, _krb425_ccache, &increds, &k5creds); - } - - pkrb5_free_principal(context, increds.server); - pkrb5_free_principal(context, client_principal); -#ifdef KRB5_TC_NOTICKET - flags = KRB5_TC_NOTICKET; - pkrb5_cc_set_flags(context, _krb425_ccache, flags); -#endif - (void) pkrb5_cc_close(context, _krb425_ccache); - _krb425_ccache = 0; - - if (r || k5creds == 0) { - pkrb5_free_context(context); - try_krb5 = 0; - goto use_krb4; - } - - /* This code inserts the entire K5 ticket into the token - * No need to perform a krb524 translation which is - * commented out in the code below - */ - if ( use_krb524() || k5creds->ticket.length > MAXKTCTICKETLEN ) - goto try_krb524d; - - memset(&aserver, '\0', sizeof(aserver)); - strncpy(aserver.name, ServiceName, MAXKTCNAMELEN - 1); - strncpy(aserver.cell, CellName, MAXKTCREALMLEN - 1); - - memset(&atoken, '\0', sizeof(atoken)); - atoken.kvno = RXKAD_TKT_TYPE_KERBEROS_V5; - atoken.startTime = k5creds->times.starttime; - atoken.endTime = k5creds->times.endtime; - memcpy(&atoken.sessionKey, k5creds->keyblock.contents, k5creds->keyblock.length); - atoken.ticketLen = k5creds->ticket.length; - memcpy(atoken.ticket, k5creds->ticket.data, atoken.ticketLen); - - retry_gettoken5: - rc = ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient); - if (rc != 0 && rc != KTC_NOENT && rc != KTC_NOCELL) { - if ( rc == KTC_NOCM && retry < 20 ) { - Sleep(500); - retry++; - goto retry_gettoken5; - } - goto try_krb524d; - } - - if (atoken.kvno == btoken.kvno && - atoken.ticketLen == btoken.ticketLen && - !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) && - !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen)) - { - /* Success */ - pkrb5_free_creds(context, k5creds); - pkrb5_free_context(context); - return(0); - } - - // * Reset the "aclient" structure before we call ktc_SetToken. - // * This structure was first set by the ktc_GetToken call when - // * we were comparing whether identical tokens already existed. - - len = min(k5creds->client->data[0].length,MAXKTCNAMELEN - 1); - strncpy(aclient.name, k5creds->client->data[0].data, len); - aclient.name[len] = '\0'; - - if ( k5creds->client->length > 1 ) { - char * p; - strcat(aclient.name, "."); - p = aclient.name + strlen(aclient.name); - len = min(k5creds->client->data[1].length,MAXKTCNAMELEN - strlen(aclient.name) - 1); - strncpy(p, k5creds->client->data[1].data, len); - p[len] = '\0'; - } - aclient.instance[0] = '\0'; - - strcpy(aclient.cell, realm_of_cell); - - len = min(k5creds->client->realm.length,strlen(realm_of_cell)); - if ( strncmp(realm_of_cell, k5creds->client->realm.data, len) ) { - char * p; - strcat(aclient.name, "@"); - p = aclient.name + strlen(aclient.name); - len = min(k5creds->client->realm.length,MAXKTCNAMELEN - strlen(aclient.name) - 1); - strncpy(p, k5creds->client->realm.data, len); - p[len] = '\0'; - } - - rc = ktc_SetToken(&aserver, &atoken, &aclient, 0); - if (!rc) { - /* Success */ - pkrb5_free_creds(context, k5creds); - pkrb5_free_context(context); - return(0); - } - - try_krb524d: - /* This requires krb524d to be running with the KDC */ - r = pkrb524_convert_creds_kdc(context, k5creds, &creds); - pkrb5_free_creds(context, k5creds); - pkrb5_free_context(context); - if (r) { - try_krb5 = 0; - goto use_krb4; - } - rc = KSUCCESS; - } else -#endif /* NO_KRB5 */ - { - use_krb4: - rc = KFAILURE; - } - if (rc != KSUCCESS) - { - return(rc); - } - - memset(&aserver, '\0', sizeof(aserver)); - strncpy(aserver.name, ServiceName, MAXKTCNAMELEN - 1); - strncpy(aserver.cell, CellName, MAXKTCNAMELEN - 1); - - memset(&atoken, '\0', sizeof(atoken)); - atoken.kvno = creds.kvno; - atoken.startTime = creds.issue_date; - atoken.endTime = (*pkrb_life_to_time)(creds.issue_date,creds.lifetime); - memcpy(&atoken.sessionKey, creds.session, 8); - atoken.ticketLen = creds.ticket_st.length; - memcpy(atoken.ticket, creds.ticket_st.dat, atoken.ticketLen); - - if (!(rc = ktc_GetToken(&aserver, &btoken, sizeof(btoken), &aclient)) && - atoken.kvno == btoken.kvno && - atoken.ticketLen == btoken.ticketLen && - !memcmp(&atoken.sessionKey, &btoken.sessionKey, sizeof(atoken.sessionKey)) && - !memcmp(atoken.ticket, btoken.ticket, atoken.ticketLen)) - { - return(0); - } - - // * Reset the "aclient" structure before we call ktc_SetToken. - // * This structure was first set by the ktc_GetToken call when - // * we were comparing whether identical tokens already existed. - - strncpy(aclient.name, creds.pname, MAXKTCNAMELEN - 1); - aclient.name[MAXKTCNAMELEN - 1] = '\0'; - if (creds.pinst[0]) - { - strncat(aclient.name, ".", MAXKTCNAMELEN - 1 - strlen(aclient.name)); - aclient.name[MAXKTCNAMELEN - 1] = '\0'; - strncat(aclient.name, creds.pinst, MAXKTCNAMELEN - 1 - strlen(aclient.name)); - aclient.name[MAXKTCNAMELEN - 1] = '\0'; - } - strcpy(aclient.instance, ""); - - if ( strcmp(realm_of_cell, creds.realm) ) - { - strncat(aclient.name, "@", MAXKTCNAMELEN - 1 - strlen(aclient.name)); - aclient.name[MAXKTCNAMELEN - 1] = '\0'; - strncat(aclient.name, creds.realm, MAXKTCNAMELEN - 1 - strlen(aclient.name)); - aclient.name[MAXKTCNAMELEN - 1] = '\0'; - } - aclient.name[MAXKTCNAMELEN-1] = '\0'; - - strcpy(aclient.cell, CellName); - - // * NOTE: On WIN32, the order of SetToken params changed... - // * to ktc_SetToken(&aserver, &aclient, &atoken, 0) - // * from ktc_SetToken(&aserver, &atoken, &aclient, 0) on Unix... - // * The afscompat ktc_SetToken provides the Unix order - - if (rc = ktc_SetToken(&aserver, &atoken, &aclient, 0)) - { - Leash_afs_error(rc, "ktc_SetToken()"); - return(rc); - } - - return(0); -#endif -} - -/**************************************/ -/* afs_realm_of_cell(): */ -/**************************************/ -static char *afs_realm_of_cell(afsconf_cell *cellconfig) -{ -#ifdef NO_AFS - return(0); -#else - char krbhst[MAX_HSTNM]=""; - static char krbrlm[REALM_SZ+1]=""; -#ifndef NO_KRB5 - krb5_context ctx = 0; - char ** realmlist=NULL; - krb5_error_code r; -#endif /* NO_KRB5 */ - - if (!cellconfig) - return 0; - -#ifndef NO_KRB5 - if ( pkrb5_init_context ) { - r = pkrb5_init_context(&ctx); - if ( !r ) - r = pkrb5_get_host_realm(ctx, cellconfig->hostName[0], &realmlist); - if ( !r && realmlist && realmlist[0] ) { - strcpy(krbrlm, realmlist[0]); - pkrb5_free_host_realm(ctx, realmlist); - } - if (ctx) - pkrb5_free_context(ctx); - } -#endif /* NO_KRB5 */ - - if ( !krbrlm[0] ) - { - char *s = krbrlm; - char *t = cellconfig->name; - int c; - - while (c = *t++) - { - if (islower(c)) c=toupper(c); - *s++ = c; - } - *s++ = 0; - } - return(krbrlm); -#endif -} - -/**************************************/ -/* get_cellconfig(): */ -/**************************************/ -static int get_cellconfig(char *cell, afsconf_cell *cellconfig, char *local_cell) -{ -#ifdef NO_AFS - return(0); -#else - int rc; - - local_cell[0] = (char)0; - memset(cellconfig, 0, sizeof(*cellconfig)); - - /* WIN32: cm_GetRootCellName(local_cell) - NOTE: no way to get max chars */ - if (rc = cm_GetRootCellName(local_cell)) - { - return(rc); - } - - if (strlen(cell) == 0) - strcpy(cell, local_cell); - - /* WIN32: cm_SearchCellFile(cell, pcallback, pdata) */ - strcpy(cellconfig->name, cell); - - return cm_SearchCell(cell, get_cellconfig_callback, NULL, (void*)cellconfig); -#endif -} - -/**************************************/ -/* get_cellconfig_callback(): */ -/**************************************/ -static long get_cellconfig_callback(void *cellconfig, struct sockaddr_in *addrp, char *namep) -{ -#ifdef NO_AFS - return(0); -#else - afsconf_cell *cc = (afsconf_cell *)cellconfig; - - cc->hostAddr[cc->numServers] = *addrp; - strcpy(cc->hostName[cc->numServers], namep); - cc->numServers++; - return(0); -#endif -} - - -/**************************************/ -/* Leash_afs_error(): */ -/**************************************/ -void -Leash_afs_error(LONG rc, LPCSTR FailedFunctionName) -{ -#ifdef NO_AFS - return; -#else -#ifdef USE_MESSAGE_BOX - char message[256]; - const char *errText; - - // Using AFS defines as error messages for now, until Transarc - // gets back to me with "string" translations of each of these - // const. defines. - if (rc == KTC_ERROR) - errText = "KTC_ERROR"; - else if (rc == KTC_TOOBIG) - errText = "KTC_TOOBIG"; - else if (rc == KTC_INVAL) - errText = "KTC_INVAL"; - else if (rc == KTC_NOENT) - errText = "KTC_NOENT"; - else if (rc == KTC_PIOCTLFAIL) - errText = "KTC_PIOCTLFAIL"; - else if (rc == KTC_NOPIOCTL) - errText = "KTC_NOPIOCTL"; - else if (rc == KTC_NOCELL) - errText = "KTC_NOCELL"; - else if (rc == KTC_NOCM) - errText = "KTC_NOCM: The service, Transarc AFS Daemon, most likely is not started!"; - else - errText = "Unknown error!"; - - sprintf(message, "%s\n(%s failed)", errText, FailedFunctionName); - MessageBox(NULL, message, "AFS", MB_OK | MB_ICONERROR | MB_TASKMODAL | MB_SETFOREGROUND); -#endif /* USE_MESSAGE_BOX */ - return; - -#endif -} - -DWORD GetServiceStatus( - LPSTR lpszMachineName, - LPSTR lpszServiceName, - DWORD *lpdwCurrentState) -{ -#ifdef NO_AFS - return(NOERROR); -#else - DWORD hr = NOERROR; - SC_HANDLE schSCManager = NULL; - SC_HANDLE schService = NULL; - DWORD fdwDesiredAccess = 0; - SERVICE_STATUS ssServiceStatus = {0}; - BOOL fRet = FALSE; - - if ((pOpenSCManagerA == NULL) || - (pOpenServiceA == NULL) || - (pQueryServiceStatus == NULL) || - (pCloseServiceHandle == NULL)) - { - *lpdwCurrentState = SERVICE_RUNNING; - return(NOERROR); - } - - *lpdwCurrentState = 0; - - fdwDesiredAccess = GENERIC_READ; - - schSCManager = (*pOpenSCManagerA)(lpszMachineName, - NULL, - fdwDesiredAccess); - - if(schSCManager == NULL) - { - hr = GetLastError(); - goto cleanup; - } - - schService = (*pOpenServiceA)(schSCManager, - lpszServiceName, - fdwDesiredAccess); - - if(schService == NULL) - { - hr = GetLastError(); - goto cleanup; - } - - fRet = (*pQueryServiceStatus)(schService, - &ssServiceStatus); - - if(fRet == FALSE) - { - hr = GetLastError(); - goto cleanup; - } - - *lpdwCurrentState = ssServiceStatus.dwCurrentState; - -cleanup: - - (*pCloseServiceHandle)(schService); - (*pCloseServiceHandle)(schSCManager); - - return(hr); -#endif -} - -BOOL -SetAfsStatus( - DWORD AfsStatus - ) -{ -#ifdef NO_AFS - return(TRUE); -#else - return write_registry_setting(LEASH_SETTINGS_REGISTRY_VALUE_AFS_STATUS, - REG_DWORD, &AfsStatus, - sizeof(AfsStatus)) ? FALSE : TRUE; -#endif -} - -BOOL -GetAfsStatus( - DWORD *AfsStatus - ) -{ -#ifdef NO_AFS - return(TRUE); -#else - return read_registry_setting(LEASH_SETTINGS_REGISTRY_VALUE_AFS_STATUS, - AfsStatus, sizeof(DWORD)) ? FALSE : TRUE; -#endif -} diff --git a/src/windows/leashdll/Makefile.in b/src/windows/leashdll/Makefile.in index 16e2b6d..76df81b 100644 --- a/src/windows/leashdll/Makefile.in +++ b/src/windows/leashdll/Makefile.in @@ -1,39 +1,17 @@ BUILDTOP=..\.. -##FIX ME: Enable proper compilation with AFS -NO_AFS=1 - -!ifndef NO_AFS -###AFS_BASE= -AFS_INCLUDES=-I$(AFS_BASE)\Include -AFS_LIB=$(AFS_BASE)\lib -AFS_LIBS=$(AFS_LIB)\afsauthent.lib -!else -AFS_INCLUDES= -AFS_LIBS= -!endif - -DLL_NAME=leashw32 - -# Use 64-bit DLL_NAME and DEF_FILE on 64-bit platforms -!if ("$(CPU)" == "IA64") || ("$(CPU)" == "AMD64") || ("$(CPU)" == "ALPHA64") -DLL_NAME=leashw64 -!endif - +DLL_NAME=leashw$(BITS) DEF_FILE=leashw32.def -OBJS= $(OUTPRE)AFSroutines.$(OBJEXT) \ - $(OUTPRE)krb5routines.$(OBJEXT) \ +OBJS= $(OUTPRE)krb5routines.$(OBJEXT) \ $(OUTPRE)leashdll.$(OBJEXT) \ $(OUTPRE)leasherr.$(OBJEXT) \ $(OUTPRE)lsh_pwd.$(OBJEXT) \ - $(OUTPRE)lshcallb.$(OBJEXT) \ $(OUTPRE)lshfunc.$(OBJEXT) \ $(OUTPRE)lshutil.$(OBJEXT) \ $(OUTPRE)timesync.$(OBJEXT) \ $(OUTPRE)winerr.$(OBJEXT) \ - $(OUTPRE)winutil.$(OBJEXT) \ - $(OUTPRE)registry.$(OBJEXT) + $(OUTPRE)winutil.$(OBJEXT) #TODO: Fix resource compilation RESFILE = $(OUTPRE)lsh_pwd.res @@ -48,25 +26,21 @@ RCFLAGS = -I$(BUILDTOP)\include -I$(BUILDTOP) -DLEASHDLL_LIB # Set NODEBUG if building release instead of debug -LOCALINCLUDES = -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include -I.\include\krb4 $(AFS_INCLUDES) +LOCALINCLUDES = -I$(BUILDTOP)\include -I$(BUILDTOP)\windows\include WINLIBS = kernel32.lib advapi32.lib user32.lib gdi32.lib Version.lib \ - ws2_32.lib dnsapi.lib $(BUILDTOP)\ccapi\lib\win\srctmp\$(CCLIB).lib $(AFS_LIBS) + ws2_32.lib dnsapi.lib $(BUILDTOP)\ccapi\lib\win\srctmp\$(CCLIB).lib WINDLLFLAGS = /nologo /dll /incremental:no /release $(LOPTS) -DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -DNO_KRB4 -DUSE_MESSAGE_BOX +DEFINES = -DWINSOCK -DWIN32 -DWINDOWS -DUSE_MESSAGE_BOX !ifdef NODEBUG DEFINES = $(DEFINES) !else DEFINES = $(DEFINES) -DDBG !endif -!ifdef NO_AFS -DEFINES = $(DEFINES) -DNO_AFS -!endif - all-windows: all-windows: $(OUTPRE)$(DLL_NAME).dll @@ -75,7 +49,7 @@ clean-windows:: $(OUTPRE)$(DLL_NAME).dll: $(DEF_FILE) $(OBJS) $(XOBJS) link $(WINDLLFLAGS) -def:$(DEF_FILE) -out:$*.dll \ - $(OBJS) $(XOBJS) $(WINLIBS) ../lib/$(OUTPRE)libwin.lib $(SCLIB) + $(OBJS) $(XOBJS) $(WINLIBS) ../lib/$(OUTPRE)libwin.lib $(_VC_MANIFEST_EMBED_DLL) #TODO: Add dependencies on include files here diff --git a/src/windows/leashdll/include/krb4/conf-pc.h b/src/windows/leashdll/include/krb4/conf-pc.h deleted file mode 100644 index 65a8779..0000000 --- a/src/windows/leashdll/include/krb4/conf-pc.h +++ /dev/null @@ -1,108 +0,0 @@ -/* - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Machine-type definitions: IBM PC 8086 - */ - -#if defined(_WIN32) && !defined(WIN32) -#define WIN32 -#endif - -#if ( defined(WIN16) || defined(WIN32) || defined(_WINDOWS)) && !defined(WINDOWS) -#define WINDOWS -#endif - -#if defined(__OS2__) && !defined(OS2) -#define OS2 -#endif - -#ifdef WIN16 -#define BITS16 -#else -#ifdef MSDOS -#define BITS16 -#else -#define BITS32 -#endif -#endif -#define LSBFIRST - -#define index(s,c) strchr(s,c) /* PC version of index */ -#define rindex(s,c) strrchr(s,c) -#if !defined(OS2) && !defined(LWP) /* utils.h under OS/2 */ -#define bcmp(s1,s2,n) memcmp((s1),(s2),(n)) -#define bcopy(a,b,c) memcpy( (b), (a), (c) ) -#define bzero(a,b) memset( (a), 0, (b) ) -#endif - -typedef unsigned char u_char; -typedef unsigned long u_long; -typedef unsigned short u_short; -typedef unsigned int u_int; -#define NO_UIDGID_T - -#if !defined(WINDOWS) && !defined(DWORD) -typedef long DWORD; -#endif - -#if defined(PC)&&!defined(WINDOWS) -#ifndef LPSTR -typedef char *LPSTR; -typedef char *LPBYTE; -typedef char *CHARPTR; -typedef char *LPINT; -typedef unsigned int WORD; -#endif -#define LONG long -#define FAR -#define PASCAL -#define EXPORT -#endif - -#ifdef OS2 -#include -#define lstrcpy strcpy -#define lstrlen strlen -#define lstrcmp strcmp -#define lstrcpyn strncpy -#endif - -#ifdef WIN32 -#define _export -#endif - -#if defined(BITS32) -#define far -#define near -#endif - -#ifdef WINDOWS -#include -#endif - -#ifdef WIN32 -#include -#endif - -#ifdef WIN16 -#pragma message ( "WIN16 in " __FILE__ ) -#include -#include -#ifndef KRB_INT32 -#define KRB_INT32 long -#endif -#ifndef KRB_UINT32 -#define KRB_UINT32 unsigned KRB_INT32 -#endif -#endif - - -#define RANDOM_KRB_INT32_1 ((KRB_INT32) time(NULL)) -#define RANDOM_KRB_INT32_2 ((KRB_INT32) getpid()) -#define TIME_GMT_UNIXSEC unix_time_gmt_unixsec((unsigned KRB_INT32 *)0); -#ifndef MAXPATHLEN -#define MAXPATHLEN _MAX_PATH -#endif diff --git a/src/windows/leashdll/include/krb4/conf.h b/src/windows/leashdll/include/krb4/conf.h deleted file mode 100644 index 2e2a84c..0000000 --- a/src/windows/leashdll/include/krb4/conf.h +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Configuration info for operating system, hardware description, - * language implementation, C library, etc. - * - * This file should be included in (almost) every file in the Kerberos - * sources, and probably should *not* be needed outside of those - * sources. (How do we deal with /usr/include/des.h and - * /usr/include/krb.h?) - */ - -#ifndef _CONF_H_ -#define _CONF_H_ - -#include "osconf.h" - -#ifdef SHORTNAMES -#include "names.h" -#endif - -/* - * Language implementation-specific definitions - */ - -/* special cases */ -#ifdef __HIGHC__ -/* broken implementation of ANSI C */ -#undef __STDC__ -#endif - -#if !defined(__STDC__) && !defined(PC) -#define const -#define volatile -#define signed -typedef char *pointer; /* pointer to generic data */ -#ifndef PROTOTYPE -#define PROTOTYPE(p) () -#endif -#else -typedef void *pointer; -#ifndef PROTOTYPE -#define PROTOTYPE(p) p -#endif -#endif - -/* Does your compiler understand "void"? */ -#ifdef notdef -#define void int -#endif - -/* - * A few checks to see that necessary definitions are included. - */ - -#ifndef MSBFIRST -#ifndef LSBFIRST -#error byte order not defined -#endif -#endif - -/* machine size */ -#ifndef BITS16 -#ifndef BITS32 -#error number of bits? -#endif -#endif - -/* end of checks */ - -#endif /* _CONF_H_ */ diff --git a/src/windows/leashdll/include/krb4/osconf.h b/src/windows/leashdll/include/krb4/osconf.h deleted file mode 100644 index 340421e..0000000 --- a/src/windows/leashdll/include/krb4/osconf.h +++ /dev/null @@ -1,59 +0,0 @@ -/* - * Copyright 1988 by the Massachusetts Institute of Technology. - * - * For copying and distribution information, please see the file - * . - * - * Athena configuration. - */ - -#ifndef _OSCONF_H_ -#define _OSCONF_H_ - -#ifndef PC -#if defined(IBMPC) || defined(__MSDOS__) || defined(OS2) || defined(_MSDOS) || defined(_WIN32) -#define PC -#endif -#endif - -#ifdef tahoe -#include "conf-bsdtahoe.h" -#else /* !tahoe */ -#ifdef vax -#include "conf-bsdvax.h" -#else /* !vax */ -#if defined(mips) && defined(ultrix) -#include "conf-ultmips2.h" -#else /* !Ultrix MIPS-2 */ -#ifdef ibm032 -#include "conf-bsdibm032.h" -#else /* !ibm032 */ -#ifdef apollo -#include "conf-bsdapollo.h" -#else /* !apollo */ -#ifdef sun -#ifdef sparc -#include "conf-bsdsparc.h" -#else /* sun but not sparc */ -#ifdef i386 -#include "conf-bsd386i.h" -#else /* sun but not (sparc or 386i) */ -#include "conf-bsdm68k.h" -#endif /* i386 */ -#endif /* sparc */ -#else /* !sun */ -#ifdef pyr -#include "conf-pyr.h" -#else -#if defined(PC) || defined(__MSDOS__) || defined(OS2) || defined(_MSDOS) || defined(_WIN32) -#include "conf-pc.h" -#endif /* PC */ -#endif /* pyr */ -#endif /* sun */ -#endif /* apollo */ -#endif /* ibm032 */ -#endif /* mips */ -#endif /* vax */ -#endif /* tahoe */ - -#endif /* _OSCONF_H_ */ diff --git a/src/windows/leashdll/krb5routines.c b/src/windows/leashdll/krb5routines.c index 3911720..ff4f360 100644 --- a/src/windows/leashdll/krb5routines.c +++ b/src/windows/leashdll/krb5routines.c @@ -80,139 +80,9 @@ char *GetTicketFlag(krb5_creds *cred) return buf; } -long -Leash_convert524( - krb5_context alt_ctx - ) -{ -#if defined(NO_KRB5) || defined(NO_KRB4) - return(0); -#else - krb5_context ctx = 0; - krb5_error_code code = 0; - int icode = 0; - krb5_principal me = 0; - krb5_principal server = 0; - krb5_creds *v5creds = 0; - krb5_creds increds; - krb5_ccache cc = 0; - CREDENTIALS * v4creds = NULL; - static int init_ets = 1; - - if (!pkrb5_init_context || - !pkrb_in_tkt || - !pkrb524_init_ets || - !pkrb524_convert_creds_kdc) - return 0; - - v4creds = (CREDENTIALS *) malloc(sizeof(CREDENTIALS)); - memset((char *) v4creds, 0, sizeof(CREDENTIALS)); - - memset((char *) &increds, 0, sizeof(increds)); - /* - From this point on, we can goto cleanup because increds is - initialized. - */ - - if (alt_ctx) - { - ctx = alt_ctx; - } - else - { - code = pkrb5_init_context(&ctx); - if (code) goto cleanup; - } - - code = pkrb5_cc_default(ctx, &cc); - if (code) goto cleanup; - - if ( init_ets ) { - pkrb524_init_ets(ctx); - init_ets = 0; - } - - if (code = pkrb5_cc_get_principal(ctx, cc, &me)) - goto cleanup; - - if ((code = pkrb5_build_principal(ctx, - &server, - krb5_princ_realm(ctx, me)->length, - krb5_princ_realm(ctx, me)->data, - "krbtgt", - krb5_princ_realm(ctx, me)->data, - NULL))) { - goto cleanup; - } - - increds.client = me; - increds.server = server; - increds.times.endtime = 0; - increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC; - if ((code = pkrb5_get_credentials(ctx, 0, - cc, - &increds, - &v5creds))) { - goto cleanup; - } - - if ((icode = pkrb524_convert_creds_kdc(ctx, - v5creds, - v4creds))) { - goto cleanup; - } - - /* initialize ticket cache */ - if ((icode = pkrb_in_tkt(v4creds->pname, v4creds->pinst, v4creds->realm) - != KSUCCESS)) { - goto cleanup; - } - /* stash ticket, session key, etc. for future use */ - if ((icode = pkrb_save_credentials(v4creds->service, - v4creds->instance, - v4creds->realm, - v4creds->session, - v4creds->lifetime, - v4creds->kvno, - &(v4creds->ticket_st), - v4creds->issue_date))) { - goto cleanup; - } - - cleanup: - memset(v4creds, 0, sizeof(v4creds)); - free(v4creds); - - if (v5creds) { - pkrb5_free_creds(ctx, v5creds); - } - if (increds.client == me) - me = 0; - if (increds.server == server) - server = 0; - pkrb5_free_cred_contents(ctx, &increds); - if (server) { - pkrb5_free_principal(ctx, server); - } - if (me) { - pkrb5_free_principal(ctx, me); - } - pkrb5_cc_close(ctx, cc); - - if (ctx && (ctx != alt_ctx)) { - pkrb5_free_context(ctx); - } - return !(code || icode); -#endif /* NO_KRB5 */ -} - - int LeashKRB5_renew(void) { -#ifdef NO_KRB5 - return(0); -#else krb5_error_code code = 0; krb5_context ctx = 0; krb5_ccache cc = 0; @@ -247,13 +117,9 @@ LeashKRB5_renew(void) my_creds.client = me; my_creds.server = server; -#ifdef KRB5_TC_NOTICKET pkrb5_cc_set_flags(ctx, cc, 0); -#endif code = pkrb5_get_renewed_creds(ctx, &my_creds, me, cc, NULL); -#ifdef KRB5_TC_NOTICKET pkrb5_cc_set_flags(ctx, cc, KRB5_TC_NOTICKET); -#endif if (code) { if ( code != KRB5KDC_ERR_ETYPE_NOSUPP || code != KRB5_KDC_UNREACH) @@ -282,10 +148,8 @@ LeashKRB5_renew(void) if (ctx) pkrb5_free_context(ctx); return(code); -#endif /* NO_KRB5 */ } -#ifndef NO_KRB5 static krb5_error_code KRB5_CALLCONV leash_krb5_prompter( krb5_context context, void *data, @@ -293,7 +157,6 @@ leash_krb5_prompter( krb5_context context, const char *banner, int num_prompts, krb5_prompt prompts[]); -#endif /* NO_KRB5 */ int Leash_krb5_kinit( @@ -309,9 +172,6 @@ DWORD addressless, DWORD publicIP ) { -#ifdef NO_KRB5 - return(0); -#else krb5_error_code code = 0; krb5_context ctx = 0; krb5_ccache cc = 0, defcache = 0; @@ -500,7 +360,6 @@ DWORD publicIP if (ctx && (ctx != alt_ctx)) pkrb5_free_context(ctx); return(code); -#endif //!NO_KRB5 } @@ -512,9 +371,6 @@ Leash_krb5_kdestroy( void ) { -#ifdef NO_KRB5 - return(0); -#else krb5_context ctx; krb5_ccache cache; krb5_error_code rc; @@ -535,7 +391,6 @@ Leash_krb5_kdestroy( return(rc); -#endif //!NO_KRB5 } krb5_error_code @@ -552,9 +407,7 @@ Leash_krb5_cc_default(krb5_context *ctx, krb5_ccache *cache) goto on_error; } } -#ifdef KRB5_TC_NOTICKET flags = KRB5_TC_NOTICKET; -#endif rc = pkrb5_cc_set_flags(*ctx, *cache, flags); if (rc) { if (rc == KRB5_FCC_NOFILE || rc == KRB5_CC_NOTFOUND) { @@ -577,10 +430,6 @@ on_error: /**************************************/ int Leash_krb5_initialize(krb5_context *ctx) { -#ifdef NO_KRB5 - return(0); -#else - LPCSTR functionName = NULL; krb5_error_code rc; @@ -594,7 +443,6 @@ int Leash_krb5_initialize(krb5_context *ctx) } } return 0; -#endif //!NO_KRB5 } @@ -606,9 +454,6 @@ Leash_krb5_error(krb5_error_code rc, LPCSTR FailedFunctionName, int FreeContextFlag, krb5_context * ctx, krb5_ccache * cache) { -#ifdef NO_KRB5 - return 0; -#else #ifdef USE_MESSAGE_BOX char message[256]; const char *errText; @@ -639,17 +484,12 @@ Leash_krb5_error(krb5_error_code rc, LPCSTR FailedFunctionName, } return rc; - -#endif //!NO_KRB5 } BOOL Leash_ms2mit(BOOL save_creds) { -#ifdef NO_KRB5 - return(FALSE); -#else /* NO_KRB5 */ krb5_context kcontext = 0; krb5_error_code code; krb5_ccache ccache=0; @@ -709,11 +549,9 @@ Leash_ms2mit(BOOL save_creds) if (kcontext) pkrb5_free_context(kcontext); return(rc); -#endif /* NO_KRB5 */ } -#ifndef NO_KRB5 /* User Query data structures and functions */ struct textField { @@ -1063,4 +901,3 @@ leash_krb5_prompter( krb5_context context, } return errcode; } -#endif /* NO_KRB5 */ diff --git a/src/windows/leashdll/leash-int.h b/src/windows/leashdll/leash-int.h index b5c0b27..cb40c60 100644 --- a/src/windows/leashdll/leash-int.h +++ b/src/windows/leashdll/leash-int.h @@ -27,16 +27,10 @@ Unregister_MITPasswordEditControl( extern char KRB_HelpFile[_MAX_PATH]; // Function Prototypes. -int lsh_com_err_proc (LPSTR whoami, long code, LPSTR fmt, va_list args); int DoNiftyErrorReport(long errnum, LPSTR what); LONG Leash_timesync(int); BOOL Leash_ms2mit(BOOL); -#ifndef NO_AFS -int not_an_API_LeashAFSGetToken(TICKETINFO * ticketinfo, TicketList** ticketList, char * kprinc); -long FAR not_an_API_LeashFreeTicketList(TicketList** ticketList) ; -#endif - // Crap... #include @@ -90,66 +84,9 @@ Leash_krb5_kinit( DWORD publicIP ); -long -Leash_convert524( - krb5_context ctx - ); - -int -Leash_afs_unlog( - void - ); - -int -Leash_afs_klog( - char *, - char *, - char *, - int - ); - int LeashKRB5_renew(void); -LONG -write_registry_setting( - char* setting, - DWORD type, - void* buffer, - size_t size - ); - -LONG -read_registry_setting_user( - char* setting, - void* buffer, - size_t size - ); - -LONG -read_registry_setting( - char* setting, - void* buffer, - size_t size - ); - -BOOL -get_STRING_from_registry( - HKEY hBaseKey, - char * key, - char * value, - char * outbuf, - DWORD outlen - ); - -BOOL -get_DWORD_from_registry( - HKEY hBaseKey, - char * key, - char * value, - DWORD * result - ); - int config_boolean_to_int( const char *s @@ -158,14 +95,12 @@ config_boolean_to_int( BOOL GetSecurityLogonSessionData(PSECURITY_LOGON_SESSION_DATA * ppSessionData); BOOL IsKerberosLogon(VOID); -#ifndef NO_KRB5 int Leash_krb5_error(krb5_error_code rc, LPCSTR FailedFunctionName, int FreeContextFlag, krb5_context *ctx, krb5_ccache *cache); int Leash_krb5_initialize(krb5_context *); krb5_error_code Leash_krb5_cc_default(krb5_context *ctx, krb5_ccache *cache); -#endif /* NO_KRB5 */ LPSTR err_describe(LPSTR buf, long code); @@ -304,22 +239,14 @@ cc_free_NC_info, ); #define CCAPI_DLL "krbcc32.dll" -/* The following definitions are summarized from KRB4, KRB5, Leash32, and +/* The following definitions are summarized from KRB5, Leash32, and * Leashw32 modules. They are current as of KfW 2.6.2. There is no * guarrantee that changes to other modules will be updated in this list. */ /* Must match the values used in Leash32.exe */ #define LEASH_SETTINGS_REGISTRY_KEY_NAME "Software\\MIT\\Leash32\\Settings" -#define LEASH_SETTINGS_REGISTRY_VALUE_AFS_STATUS "AfsStatus" -#define LEASH_SETTINGS_REGISTRY_VALUE_DEBUG_WINDOW "DebugWindow" -#define LEASH_SETTINGS_REGISTRY_VALUE_LARGE_ICONS "LargeIcons" -#define LEASH_SETTINGS_REGISTRY_VALUE_DESTROY_TKTS "DestroyTickets" -#define LEASH_SETTINGS_REGISTRY_VALUE_LOW_TKT_ALARM "LowTicketAlarm" -#define LEASH_SETTINGS_REGISTRY_VALUE_AUTO_RENEW_TKTS "AutoRenewTickets" #define LEASH_SETTINGS_REGISTRY_VALUE_UPPERCASEREALM "UpperCaseRealm" -#define LEASH_SETTINGS_REGISTRY_VALUE_TIMEHOST "TIMEHOST" -#define LEASH_SETTINGS_REGISTRY_VALUE_CREATE_MISSING_CFG "CreateMissingConfig" #define LEASH_SETTINGS_REGISTRY_VALUE_MSLSA_IMPORT "MsLsaImport" /* These values are defined and used within Leashw32.dll */ @@ -331,29 +258,16 @@ cc_free_NC_info, #define LEASH_REGISTRY_VALUE_NOADDRESSES "noaddresses" #define LEASH_REGISTRY_VALUE_PROXIABLE "proxiable" #define LEASH_REGISTRY_VALUE_PUBLICIP "publicip" -#define LEASH_REGISTRY_VALUE_USEKRB4 "usekrb4" #define LEASH_REGISTRY_VALUE_KINIT_OPT "hide_kinit_options" #define LEASH_REGISTRY_VALUE_LIFE_MIN "life_min" #define LEASH_REGISTRY_VALUE_LIFE_MAX "life_max" #define LEASH_REGISTRY_VALUE_RENEW_MIN "renew_min" #define LEASH_REGISTRY_VALUE_RENEW_MAX "renew_max" -#define LEASH_REGISTRY_VALUE_LOCK_LOCATION "lock_file_locations" #define LEASH_REGISTRY_VALUE_PRESERVE_KINIT "preserve_kinit_options" -/* must match values used within krbv4w32.dll */ -#define KRB4_REGISTRY_KEY_NAME "Software\\MIT\\Kerberos4" -#define KRB4_REGISTRY_VALUE_CONFIGFILE "config" -#define KRB4_REGISTRY_VALUE_KRB_CONF "krb.conf" -#define KRB4_REGISTRY_VALUE_KRB_REALMS "krb.realms" -#define KRB4_REGISTRY_VALUE_TICKETFILE "ticketfile" - /* must match values used within krb5_32.dll */ #define KRB5_REGISTRY_KEY_NAME "Software\\MIT\\Kerberos5" #define KRB5_REGISTRY_VALUE_CCNAME "ccname" #define KRB5_REGISTRY_VALUE_CONFIGFILE "config" -/* must match values used within wshelper.dll */ -#define WSHELP_REGISTRY_KEY_NAME "Software\\MIT\\WsHelper" -#define WSHELP_REGISTRY_VALUE_DEBUG "DebugOn" - #endif /* __LEASH_INT_H__ */ diff --git a/src/windows/leashdll/leashdll.c b/src/windows/leashdll/leashdll.c index b6d6318..b1813a0 100644 --- a/src/windows/leashdll/leashdll.c +++ b/src/windows/leashdll/leashdll.c @@ -5,9 +5,6 @@ HINSTANCE hLeashInst; -#ifndef NO_KRB4 -HINSTANCE hKrb4 = 0; -#endif HINSTANCE hKrb5 = 0; HINSTANCE hKrb524 = 0; HINSTANCE hSecur32 = 0; @@ -18,8 +15,6 @@ HINSTANCE hPsapi = 0; HINSTANCE hToolHelp32 = 0; HINSTANCE hCcapi = 0; -DWORD AfsAvailable = 0; - // krb5 functions DECL_FUNC_PTR(krb5_change_password); DECL_FUNC_PTR(krb5_get_init_creds_opt_alloc); @@ -332,23 +327,9 @@ DllMain( Register_MITPasswordEditControl(hLeashInst); -#ifndef NO_AFS - { - DWORD AfsStatus = 0; - GetAfsStatus(&AfsStatus); - - AfsAvailable = afscompat_init(); - - if ( AfsStatus && !AfsAvailable ) - SetAfsStatus(0); - } -#endif return TRUE; } case DLL_PROCESS_DETACH: -#ifndef NO_AFS - afscompat_close(); -#endif if (hKrb5) FreeLibrary(hKrb5); if (hCcapi) diff --git a/src/windows/leashdll/leashdll.h b/src/windows/leashdll/leashdll.h index b990224..c95afe7 100644 --- a/src/windows/leashdll/leashdll.h +++ b/src/windows/leashdll/leashdll.h @@ -5,42 +5,6 @@ #ifdef __cplusplus extern "C" { #endif -#ifndef NO_KRB4 -/* - * This is a hack needed because the real com_err.h does - * not define err_func. We need it in the case where - * we pull in the real com_err instead of the krb4 - * impostor. - */ -#ifndef _DCNS_MIT_COM_ERR_H -typedef LPSTR (*err_func)(int, long); -#endif - -#include -extern void Leash_initialize_krb_error_func(err_func func,struct et_list **); -#undef init_krb_err_func -#define init_krb_err_func(erf) Leash_initialize_krb_error_func(erf,&_et_list) - -#include - -extern void Leash_initialize_kadm_error_table(struct et_list **); -#undef init_kadm_err_tbl -#define init_kadm_err_tbl() Leash_initialize_kadm_error_table(&_et_list) -#define kadm_err_base ERROR_TABLE_BASE_kadm -#endif - -#define krb_err_func Leash_krb_err_func - -#include -int lsh_com_err_proc (LPSTR whoami, long code, - LPSTR fmt, va_list args); -void FAR Leash_load_com_err_callback(FARPROC,FARPROC,FARPROC); - - -#ifndef KRBERR -#define KRBERR(code) (code + krb_err_base) -#endif - /* Internal Stuff */ @@ -63,17 +27,12 @@ void FAR Leash_load_com_err_callback(FARPROC,FARPROC,FARPROC); #include -#ifndef NO_KRB4 -extern HINSTANCE hKrb4; -#endif extern HINSTANCE hKrb5; extern HINSTANCE hProfile; #define TIMEHOST "TIMEHOST" #define LEASH_DEBUG_CLASS_GENERIC 0 -#define LEASH_DEBUG_CLASS_KRB4 1 -#define LEASH_DEBUG_CLASS_KRB4_APP 2 #define LEASH_PRIORITY_LOW 0 #define LEASH_PRIORITY_HIGH 1 @@ -95,19 +54,10 @@ extern HINSTANCE hProfile; #include #include #include -#ifndef NO_KRB4 -#include -#include -#endif #include #include -#ifndef NO_AFS -////Can't find it! -////#include "afscompat.h" -#endif - // service definitions typedef SC_HANDLE (WINAPI *FP_OpenSCManagerA)(char *, char *, DWORD); typedef SC_HANDLE (WINAPI *FP_OpenServiceA)(SC_HANDLE, char *, DWORD); @@ -116,40 +66,6 @@ typedef BOOL (WINAPI *FP_CloseServiceHandle)(SC_HANDLE); ////////////////////////////////////////////////////////////////////////////// -#ifndef NO_KRB4 -// krb4 functions -extern DECL_FUNC_PTR(get_krb_err_txt_entry); -extern DECL_FUNC_PTR(k_isinst); -extern DECL_FUNC_PTR(k_isname); -extern DECL_FUNC_PTR(k_isrealm); -extern DECL_FUNC_PTR(kadm_change_your_password); -extern DECL_FUNC_PTR(kname_parse); -extern DECL_FUNC_PTR(krb_get_cred); -extern DECL_FUNC_PTR(krb_get_krbhst); -extern DECL_FUNC_PTR(krb_get_lrealm); -extern DECL_FUNC_PTR(krb_get_pw_in_tkt); -extern DECL_FUNC_PTR(krb_get_tf_realm); -extern DECL_FUNC_PTR(krb_mk_req); -extern DECL_FUNC_PTR(krb_realmofhost); -extern DECL_FUNC_PTR(tf_init); -extern DECL_FUNC_PTR(tf_close); -extern DECL_FUNC_PTR(tf_get_cred); -extern DECL_FUNC_PTR(tf_get_pname); -extern DECL_FUNC_PTR(tf_get_pinst); -extern DECL_FUNC_PTR(LocalHostAddr); -extern DECL_FUNC_PTR(tkt_string); -extern DECL_FUNC_PTR(krb_set_tkt_string); -extern DECL_FUNC_PTR(initialize_krb_error_func); -extern DECL_FUNC_PTR(initialize_kadm_error_table); -extern DECL_FUNC_PTR(dest_tkt); -extern DECL_FUNC_PTR(lsh_LoadKrb4LeashErrorTables); // XXX -extern DECL_FUNC_PTR(krb_in_tkt); -extern DECL_FUNC_PTR(krb_save_credentials); -extern DECL_FUNC_PTR(krb_get_krbconf2); -extern DECL_FUNC_PTR(krb_get_krbrealm2); -extern DECL_FUNC_PTR(krb_life_to_time); -#endif - // krb5 functions extern DECL_FUNC_PTR(krb5_change_password); extern DECL_FUNC_PTR(krb5_get_init_creds_opt_alloc); @@ -230,12 +146,6 @@ extern DECL_FUNC_PTR(krb5_cc_support_switch); extern DECL_FUNC_PTR(krb5_cc_switch); extern DECL_FUNC_PTR(krb5int_cc_user_set_default_name); -#ifndef NO_KRB4 -// Krb524 functions -extern DECL_FUNC_PTR(krb524_init_ets); -extern DECL_FUNC_PTR(krb524_convert_creds_kdc); -#endif - // ComErr functions extern DECL_FUNC_PTR(com_err); extern DECL_FUNC_PTR(error_message); diff --git a/src/windows/leashdll/leashids.h b/src/windows/leashdll/leashids.h index 94e05b6..ae62383 100644 --- a/src/windows/leashdll/leashids.h +++ b/src/windows/leashdll/leashids.h @@ -72,7 +72,6 @@ #define LSH_DEFAULT_TICKET_NOADDRESS 1974 #define LSH_DEFAULT_TICKET_PROXIABLE 1975 #define LSH_DEFAULT_TICKET_PUBLICIP 1976 -#define LSH_DEFAULT_TICKET_USEKRB4 1977 #define LSH_DEFAULT_DIALOG_KINIT_OPT 1978 #define LSH_DEFAULT_DIALOG_LIFE_MIN 1979 #define LSH_DEFAULT_DIALOG_LIFE_MAX 1980 diff --git a/src/windows/leashdll/leashw32.def b/src/windows/leashdll/leashw32.def index a453924..378090b 100644 --- a/src/windows/leashdll/leashw32.def +++ b/src/windows/leashdll/leashw32.def @@ -6,26 +6,6 @@ HEAPSIZE 8092 STACKSIZE 36864 EXPORTS -; DllMain @1 - ; Leash_kinit_dlg @3 - ; Leash_changepwd_dlg @4 - ; Leash_kinit @48 - ; Leash_kdestroy @49 - ; Leash_klist @50 - ; Leash_checkpwd @51 - ; Leash_changepwd @52 - ; Leash_get_lsh_errno @61 - ; initialize_lsh_error_table @80 - ; lsh_com_err_proc @81 - ; Leash_initialize_krb_error_func @82 - ; Leash_initialize_kadm_error_table @83 - ; Leash_krb_err_func @84 - ; Leash_load_com_err_callback @85 - ; Leash_set_help_file @86 - ; Leash_get_help_file @87 - ; Leash_timesync @88 -; Leash_WhichOS @89 - Leash_kinit_dlg Leash_kinit_dlg_ex Leash_changepwd_dlg @@ -38,11 +18,8 @@ EXPORTS Leash_changepwd Leash_get_lsh_errno initialize_lsh_error_table - lsh_com_err_proc Leash_initialize_krb_error_func Leash_initialize_kadm_error_table - Leash_krb_err_func - Leash_load_com_err_callback Leash_set_help_file Leash_get_help_file Leash_timesync @@ -67,9 +44,6 @@ EXPORTS Leash_get_default_publicip Leash_set_default_publicip Leash_reset_default_publicip - Leash_get_default_use_krb4 - Leash_set_default_use_krb4 - Leash_reset_default_use_krb4 Leash_get_default_life_min Leash_set_default_life_min Leash_reset_default_life_min @@ -82,9 +56,6 @@ EXPORTS Leash_get_default_renew_max Leash_set_default_renew_max Leash_reset_default_renew_max - Leash_get_lock_file_locations - Leash_set_lock_file_locations - Leash_reset_lock_file_locations Leash_get_default_uppercaserealm Leash_set_default_uppercaserealm Leash_reset_default_uppercaserealm @@ -100,8 +71,4 @@ EXPORTS Leash_reset_defaults ; XXX - These have to go... - not_an_API_LeashAFSGetToken - not_an_API_LeashFreeTicketList - not_an_API_LeashKRB4GetTickets - not_an_API_LeashGetTimeServerName not_an_API_Leash_AcquireInitialTicketsIfNeeded diff --git a/src/windows/leashdll/lsh_pwd.c b/src/windows/leashdll/lsh_pwd.c index ac85625..c02b39a 100644 --- a/src/windows/leashdll/lsh_pwd.c +++ b/src/windows/leashdll/lsh_pwd.c @@ -23,19 +23,17 @@ /* Standard Include files */ #include +#include #include #include /* Private Inlclude files */ #include "leashdll.h" -#include #include #include "leash-int.h" #include "leashids.h" #include -#ifndef NO_KRB5 #include -#endif /* NO_KRB5 */ #include extern void * Leash_pec_create(HWND hEditCtl); @@ -47,7 +45,6 @@ extern void Leash_pec_clear_history(void *pec); static long lsh_errno; static char *err_context; /* error context */ extern HINSTANCE hLeashInst; -extern HINSTANCE hKrb4; extern HINSTANCE hKrb5; @@ -985,88 +982,6 @@ GetProfileFile( return FALSE; } -BOOL -GetKrb4ConFile( - LPSTR confname, - UINT szConfname - ) -{ - if (hKrb5 - ) - { // hold krb.con where krb5.ini is located - CHAR krbConFile[MAX_PATH]=""; - LPSTR pFind; - - //strcpy(krbConFile, CLeashApp::m_krbv5_profile->first_file->filename); - if (GetProfileFile(krbConFile, sizeof(krbConFile))) - { - GetWindowsDirectory(krbConFile,sizeof(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - strncat(krbConFile, "\\",sizeof(krbConFile)-strlen(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - strncat(krbConFile, KRB5_FILE,sizeof(krbConFile)-strlen(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - } - - pFind = strrchr(krbConFile, '\\'); - if (pFind) - { - *pFind = 0; - strncat(krbConFile, "\\",sizeof(krbConFile)-strlen(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - strncat(krbConFile, KRB_FILE,sizeof(krbConFile)-strlen(krbConFile)); - krbConFile[MAX_PATH-1] = '\0'; - } - else - krbConFile[0] = 0; - - strncpy(confname, krbConFile, szConfname); - confname[szConfname-1] = '\0'; - } - return FALSE; -} - -BOOL -GetKrb4RealmFile( - LPSTR confname, - UINT szConfname - ) -{ - if (hKrb5 - ) - { // hold krb.con where krb5.ini is located - CHAR krbRealmConFile[MAX_PATH]; - LPSTR pFind; - - //strcpy(krbRealmConFile, CLeashApp::m_krbv5_profile->first_file->filename); - if (GetProfileFile(krbRealmConFile, sizeof(krbRealmConFile))) - { - GetWindowsDirectory(krbRealmConFile,sizeof(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - strncat(krbRealmConFile, "\\",sizeof(krbRealmConFile)-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - strncat(krbRealmConFile, KRB5_FILE,sizeof(krbRealmConFile)-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - } - - pFind = strrchr(krbRealmConFile, '\\'); - if (pFind) - { - *pFind = 0; - strncat(krbRealmConFile, "\\", sizeof(krbRealmConFile)-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - strncat(krbRealmConFile, KRBREALM_FILE, sizeof(krbRealmConFile)-strlen(krbRealmConFile)); - krbRealmConFile[MAX_PATH-1] = '\0'; - } - else - krbRealmConFile[0] = 0; - - strncpy(confname, krbRealmConFile, szConfname); - confname[szConfname-1] = '\0'; - } - return FALSE; -} - int readstring(FILE * file, char * buf, int len) { @@ -1426,11 +1341,6 @@ AuthenticateProc( CSetDlgItemText(hDialog, IDC_EDIT_PRINCIPAL, principal); CSetDlgItemText(hDialog, IDC_EDIT_PASSWORD, ""); -#if 0 /* 20030619 - mjv wishes to return to the default character */ - /* echo spaces */ - CSendDlgItemMessage(hDialog, IDC_EDIT_PASSWORD, EM_SETPASSWORDCHAR, 32, 0); -#endif - /* Set Lifetime Slider * min value = 5 * max value = 1440 @@ -1817,12 +1727,6 @@ NewPasswordProc( if (hEditCtrl) pAutoComplete = Leash_pec_create(hEditCtrl); -#if 0 /* 20030619 - mjv wishes to return to the default character */ - /* echo spaces */ - CSendDlgItemMessage(hDialog, IDC_EDIT_PASSWORD, EM_SETPASSWORDCHAR, 32, 0); - CSendDlgItemMessage(hDialog, IDC_EDIT_PASSWORD2, EM_SETPASSWORDCHAR, 32, 0); - CSendDlgItemMessage(hDialog, IDC_EDIT_PASSWORD3, EM_SETPASSWORDCHAR, 32, 0); -#endif /* setup text of stuff. */ if (Position.x > 0 && Position.y > 0 && diff --git a/src/windows/leashdll/lsh_pwd.rc b/src/windows/leashdll/lsh_pwd.rc index 98b4d5c..d08378d 100644 --- a/src/windows/leashdll/lsh_pwd.rc +++ b/src/windows/leashdll/lsh_pwd.rc @@ -217,7 +217,6 @@ BEGIN LSH_DEFAULT_TICKET_NOADDRESS "1" LSH_DEFAULT_TICKET_PROXIABLE "0" LSH_DEFAULT_TICKET_PUBLICIP "0" - LSH_DEFAULT_TICKET_USEKRB4 "0" LSH_DEFAULT_DIALOG_KINIT_OPT "1" LSH_DEFAULT_DIALOG_LIFE_MIN "30" LSH_DEFAULT_DIALOG_LIFE_MAX "1440" diff --git a/src/windows/leashdll/lshcallb.c b/src/windows/leashdll/lshcallb.c deleted file mode 100644 index 0344b79..0000000 --- a/src/windows/leashdll/lshcallb.c +++ /dev/null @@ -1,14 +0,0 @@ -#include - -int (*Lcom_err)(LPSTR,long,LPSTR,...); -LPSTR (*Lerror_message)(long); -LPSTR (*Lerror_table_name)(long); - -void Leash_load_com_err_callback(FARPROC ce, - FARPROC em, - FARPROC etn) -{ - (FARPROC)Lcom_err=ce; - (FARPROC)Lerror_message=em; - (FARPROC)Lerror_table_name=etn; -} diff --git a/src/windows/leashdll/lshfunc.c b/src/windows/leashdll/lshfunc.c index 0f76cc3..7590956 100644 --- a/src/windows/leashdll/lshfunc.c +++ b/src/windows/leashdll/lshfunc.c @@ -3,14 +3,6 @@ #include #include #include "leashdll.h" -#ifndef NO_KRB4 -#include -#include -#else -/* General definitions */ -#define KSUCCESS 0 -#define KFAILURE 255 -#endif #include #include @@ -18,8 +10,6 @@ #include "leash-int.h" #include "leashids.h" -#include - #include "reminder.h" static char FAR *err_context; @@ -71,8 +61,6 @@ leash_error_message( int size = sizeof(message) - 1; /* -1 to leave room for NULL terminator */ int n; - // XXX: ignore AFS for now. - if (!rc5 && !rcL) return 0; @@ -279,19 +267,11 @@ Leash_changepwd_v5( if ( !pkrb5_init_context ) goto cleanup; - if (rc = pkrb5_init_context(&context)) { -#if 0 - com_err(argv[0], ret, "initializing kerberos library"); -#endif + if (rc = pkrb5_init_context(&context)) goto cleanup; - } - if (rc = pkrb5_parse_name(context, principal, &princ)) { -#if 0 - com_err(argv[0], ret, "parsing client name"); -#endif + if (rc = pkrb5_parse_name(context, principal, &princ)) goto cleanup; - } pkrb5_get_init_creds_opt_init(&opts); pkrb5_get_init_creds_opt_set_tkt_life(&opts, 5*60); @@ -305,29 +285,13 @@ Leash_changepwd_v5( if (rc = pkrb5_get_init_creds_password(context, &creds, princ, password, - 0, 0, 0, "kadmin/changepw", &opts)) { - if (rc == KRB5KRB_AP_ERR_BAD_INTEGRITY) { -#if 0 - com_err(argv[0], 0, - "Password incorrect while getting initial ticket"); -#endif - } - else { -#if 0 - com_err(argv[0], ret, "getting initial ticket"); -#endif - } + 0, 0, 0, "kadmin/changepw", &opts)) goto cleanup; - } if (rc = pkrb5_change_password(context, &creds, newpassword, &result_code, &result_code_string, - &result_string)) { -#if 0 - com_err(argv[0], ret, "changing password"); -#endif + &result_string)) goto cleanup; - } if (result_code) { int len = result_code_string.length + @@ -583,23 +547,6 @@ Leash_int_kinit_ex( addressless, publicip ); -#ifndef NO_AFS - if ( !rc5 ) { - char c; - char *r; - char *t; - for ( r=realm, t=temp; c=*r; r++,t++ ) - *t = isupper(c) ? tolower(c) : c; - *t = '\0'; - - rcA = Leash_afs_klog("afs", temp, "", lifetime); - rcB = Leash_afs_klog("afs", "", "", lifetime); - if (!(rcA && rcB)) - rcA = 0; - else if (!rcA) - rcA = rcB; - } -#endif /* NO_AFS */ custom_msg = (rc5 == KRB5KRB_AP_ERR_BAD_INTEGRITY) ? "Password incorrect" : NULL; return leash_error_message("Ticket initialization failed.", rcL, rc5, rcA, custom_msg, @@ -612,15 +559,6 @@ Leash_renew(void) if ( hKrb5 && !LeashKRB5_renew() ) { int lifetime; lifetime = Leash_get_default_lifetime() / 5; -#ifndef NO_AFS - { - TicketList * list = NULL, * token; - not_an_API_LeashAFSGetToken(NULL,&list,NULL); - for ( token = list ; token ; token = token->next ) - Leash_afs_klog("afs", token->realm, "", lifetime); - not_an_API_LeashFreeTicketList(&list); - } -#endif /* NO_AFS */ return 1; } return 0; @@ -789,57 +727,6 @@ Leash_import(void) if ( Leash_ms2mit(1) ) { int lifetime; lifetime = Leash_get_default_lifetime() / 5; -#ifndef NO_AFS - { - char c; - char *r; - char *t; - char cell[256]; - char realm[256]; - int i = 0; - int rcA = 0; - int rcB = 0; - - krb5_context ctx = 0; - krb5_error_code code = 0; - krb5_ccache cc = 0; - krb5_principal me = 0; - - if ( !pkrb5_init_context ) - goto cleanup; - - code = pkrb5_init_context(&ctx); - if (code) goto cleanup; - - code = pkrb5_cc_default(ctx, &cc); - if (code) goto cleanup; - - if (code = pkrb5_cc_get_principal(ctx, cc, &me)) - goto cleanup; - - for ( r=realm, t=cell, i=0; ilength; r++,t++,i++ ) { - c = krb5_princ_realm(ctx, me)->data[i]; - *r = c; - *t = isupper(c) ? tolower(c) : c; - } - *r = *t = '\0'; - - rcA = Leash_afs_klog("afs", cell, "", lifetime); - rcB = Leash_afs_klog("afs", "", "", lifetime); - if (!(rcA && rcB)) - rcA = 0; - else if (!rcA) - rcA = rcB; - - cleanup: - if (me) - pkrb5_free_principal(ctx, me); - if (cc) - pkrb5_cc_close(ctx, cc); - if (ctx) - pkrb5_free_context(ctx); - } -#endif /* NO_AFS */ return 1; } return 0; @@ -848,45 +735,14 @@ Leash_import(void) long Leash_kdestroy(void) { - Leash_afs_unlog(); Leash_krb5_kdestroy(); return 0; } -long FAR -not_an_API_LeashFreeTicketList(TicketList** ticketList) -{ - TicketList* tempList = *ticketList, *killList; - - //if (tempList == NULL) - //return -1; - - while (tempList) - { - killList = tempList; - - tempList = (TicketList*)tempList->next; - free(killList->service); - if (killList->encTypes) - free(killList->encTypes); - free(killList); - } - - *ticketList = NULL; - return 0; -} - -long -not_an_API_LeashKRB4GetTickets(TICKETINFO FAR* ticketinfo, - TicketList** ticketList) -{ - return(KFAILURE); -} - long FAR Leash_klist(HWND hlist, TICKETINFO FAR *ticketinfo) { - return(KFAILURE); + return(255); } @@ -1018,7 +874,7 @@ config_boolean_to_int(const char *s) * - string resource in the leash DLL */ -BOOL +static BOOL get_DWORD_from_registry( HKEY hBaseKey, char * key, @@ -1041,33 +897,6 @@ get_DWORD_from_registry( return rc?FALSE:TRUE; } -BOOL -get_STRING_from_registry( - HKEY hBaseKey, - char * key, - char * value, - char * outbuf, - DWORD outlen - ) -{ - HKEY hKey; - DWORD dwCount; - LONG rc; - - if (!outbuf || outlen == 0) - return FALSE; - - rc = RegOpenKeyEx(hBaseKey, key, 0, KEY_QUERY_VALUE, &hKey); - if (rc) - return FALSE; - - dwCount = outlen; - rc = RegQueryValueEx(hKey, value, 0, 0, (LPBYTE) outbuf, &dwCount); - RegCloseKey(hKey); - - return rc?FALSE:TRUE; -} - static BOOL get_default_lifetime_from_registry( @@ -1890,63 +1719,6 @@ Leash_get_default_publicip( static BOOL -get_default_use_krb4_from_registry( - HKEY hBaseKey, - DWORD * result - ) -{ - return get_DWORD_from_registry(hBaseKey, - LEASH_REGISTRY_KEY_NAME, - LEASH_REGISTRY_VALUE_USEKRB4, - result); -} - -DWORD -Leash_reset_default_use_krb4( - ) -{ - HKEY hKey; - LONG rc; - - rc = RegOpenKeyEx(HKEY_CURRENT_USER, LEASH_REGISTRY_KEY_NAME, 0, KEY_WRITE, &hKey); - if (rc) - return rc; - - rc = RegDeleteValue(hKey, LEASH_REGISTRY_VALUE_USEKRB4); - RegCloseKey(hKey); - - return rc; -} - -DWORD -Leash_set_default_use_krb4( - DWORD minutes - ) -{ - HKEY hKey; - LONG rc; - - rc = RegCreateKeyEx(HKEY_CURRENT_USER, LEASH_REGISTRY_KEY_NAME, 0, - 0, 0, KEY_WRITE, 0, &hKey, 0); - if (rc) - return rc; - - rc = RegSetValueEx(hKey, LEASH_REGISTRY_VALUE_USEKRB4, 0, REG_DWORD, - (LPBYTE) &minutes, sizeof(DWORD)); - RegCloseKey(hKey); - - return rc; -} - -DWORD -Leash_get_default_use_krb4( - ) -{ - return 0; /* don't use krb4 */ -} - -static -BOOL get_hide_kinit_options_from_registry( HKEY hBaseKey, DWORD * result @@ -2011,12 +1783,12 @@ Leash_get_hide_kinit_options( hmLeash = GetModuleHandle(LEASH_DLL); if (hmLeash) { - char use_krb4[80]; + char hide_kinit_options[80]; if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_KINIT_OPT, - use_krb4, sizeof(use_krb4))) + hide_kinit_options, sizeof(hide_kinit_options))) { - use_krb4[sizeof(use_krb4) - 1] = 0; - return atoi(use_krb4); + hide_kinit_options[sizeof(hide_kinit_options) - 1] = 0; + return atoi(hide_kinit_options); } } return 0; /* hide unless otherwise indicated */ @@ -2090,12 +1862,12 @@ Leash_get_default_life_min( hmLeash = GetModuleHandle(LEASH_DLL); if (hmLeash) { - char use_krb4[80]; + char life_min[80]; if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_LIFE_MIN, - use_krb4, sizeof(use_krb4))) + life_min, sizeof(life_min))) { - use_krb4[sizeof(use_krb4) - 1] = 0; - return atoi(use_krb4); + life_min[sizeof(life_min) - 1] = 0; + return atoi(life_min); } } return 5; /* 5 minutes */ @@ -2167,12 +1939,12 @@ Leash_get_default_life_max( hmLeash = GetModuleHandle(LEASH_DLL); if (hmLeash) { - char use_krb4[80]; + char life_max[80]; if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_LIFE_MAX, - use_krb4, sizeof(use_krb4))) + life_max, sizeof(life_max))) { - use_krb4[sizeof(use_krb4) - 1] = 0; - return atoi(use_krb4); + life_max[sizeof(life_max) - 1] = 0; + return atoi(life_max); } } return 1440; @@ -2244,12 +2016,12 @@ Leash_get_default_renew_min( hmLeash = GetModuleHandle(LEASH_DLL); if (hmLeash) { - char use_krb4[80]; + char renew_min[80]; if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_RENEW_MIN, - use_krb4, sizeof(use_krb4))) + renew_min, sizeof(renew_min))) { - use_krb4[sizeof(use_krb4) - 1] = 0; - return atoi(use_krb4); + renew_min[sizeof(renew_min) - 1] = 0; + return atoi(renew_min); } } return 600; /* 10 hours */ @@ -2321,12 +2093,12 @@ Leash_get_default_renew_max( hmLeash = GetModuleHandle(LEASH_DLL); if (hmLeash) { - char use_krb4[80]; + char renew_max[80]; if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_RENEW_MAX, - use_krb4, sizeof(use_krb4))) + renew_max, sizeof(renew_max))) { - use_krb4[sizeof(use_krb4) - 1] = 0; - return atoi(use_krb4); + renew_max[sizeof(renew_max) - 1] = 0; + return atoi(renew_max); } } return 60 * 24 * 30; @@ -2334,83 +2106,6 @@ Leash_get_default_renew_max( static BOOL -get_lock_file_locations_from_registry( - HKEY hBaseKey, - DWORD * result - ) -{ - return get_DWORD_from_registry(hBaseKey, - LEASH_REGISTRY_KEY_NAME, - LEASH_REGISTRY_VALUE_LOCK_LOCATION, - result); -} - -DWORD -Leash_reset_lock_file_locations( - ) -{ - HKEY hKey; - LONG rc; - - rc = RegOpenKeyEx(HKEY_CURRENT_USER, LEASH_REGISTRY_KEY_NAME, 0, KEY_WRITE, &hKey); - if (rc) - return rc; - - rc = RegDeleteValue(hKey, LEASH_REGISTRY_VALUE_LOCK_LOCATION); - RegCloseKey(hKey); - - return rc; -} - -DWORD -Leash_set_lock_file_locations( - DWORD onoff - ) -{ - HKEY hKey; - LONG rc; - - rc = RegCreateKeyEx(HKEY_CURRENT_USER, LEASH_REGISTRY_KEY_NAME, 0, - 0, 0, KEY_WRITE, 0, &hKey, 0); - if (rc) - return rc; - - rc = RegSetValueEx(hKey, LEASH_REGISTRY_VALUE_LOCK_LOCATION, 0, REG_DWORD, - (LPBYTE) &onoff, sizeof(DWORD)); - RegCloseKey(hKey); - - return rc; -} - -DWORD -Leash_get_lock_file_locations( - ) -{ - HMODULE hmLeash; - DWORD result; - - if (get_lock_file_locations_from_registry(HKEY_CURRENT_USER, &result) || - get_lock_file_locations_from_registry(HKEY_LOCAL_MACHINE, &result)) - { - return result; - } - - hmLeash = GetModuleHandle(LEASH_DLL); - if (hmLeash) - { - char lock_file_locations[80]; - if (LoadString(hmLeash, LSH_DEFAULT_DIALOG_LOCK_LOCATION, - lock_file_locations, sizeof(lock_file_locations))) - { - lock_file_locations[sizeof(lock_file_locations) - 1] = 0; - return atoi(lock_file_locations); - } - } - return 0; -} - -static -BOOL get_default_uppercaserealm_from_registry( HKEY hBaseKey, DWORD * result @@ -2651,7 +2346,6 @@ Leash_reset_defaults(void) Leash_reset_default_noaddresses(); Leash_reset_default_proxiable(); Leash_reset_default_publicip(); - Leash_reset_default_use_krb4(); Leash_reset_hide_kinit_options(); Leash_reset_default_life_min(); Leash_reset_default_life_max(); @@ -2898,7 +2592,7 @@ static BOOL cc_have_tickets(krb5_context ctx, krb5_ccache cache) _tzset(); while (!(code = pkrb5_cc_next_cred(ctx, cache, &cur, &creds))) { if ((!pkrb5_is_config_principal(ctx, creds.server)) && - (creds.times.endtime - time(0) > 0)) + ((time_t)(DWORD)creds.times.endtime - time(0) > 0)) have_tickets = TRUE; pkrb5_free_cred_contents(ctx, &creds); diff --git a/src/windows/leashdll/lshutil.cpp b/src/windows/leashdll/lshutil.cpp index 37c0723..a90e7e9 100644 --- a/src/windows/leashdll/lshutil.cpp +++ b/src/windows/leashdll/lshutil.cpp @@ -531,17 +531,6 @@ protected: IAutoCompleteDropDown* pacdd = NULL; hRes = pac->QueryInterface(IID_IAutoCompleteDropDown, (LPVOID*)&pacdd); pac->Release(); - - // @TODO: auto-suggest; other advanced options? -#if 0 - IAutoComplete2 *pac2; - - if (SUCCEEDED(pac->QueryInterface(IID_IAutoComplete2, - (LPVOID*)&pac2))) { - pac2->SetOptions(ACO_AUTOSUGGEST); - pac2->Release(); - } -#endif m_acdd = pacdd; } } diff --git a/src/windows/leashdll/registry.c b/src/windows/leashdll/registry.c deleted file mode 100644 index 7113d05..0000000 --- a/src/windows/leashdll/registry.c +++ /dev/null @@ -1,105 +0,0 @@ -#include -#include "leash-int.h" - -static -LONG -write_registry_setting_ex( - HKEY hRoot, - char* setting, - DWORD type, - void* buffer, - size_t size - ) -{ - HKEY hKey = 0; - LONG rc = 0; - - if (rc = RegCreateKeyEx(hRoot, LEASH_SETTINGS_REGISTRY_KEY_NAME, 0, 0, 0, - KEY_ALL_ACCESS, 0, &hKey, 0)) - goto cleanup; - - rc = RegSetValueEx(hKey, setting, 0, type, (LPBYTE)buffer, size); - cleanup: - if (hKey) - RegCloseKey(hKey); - return rc; -} - -LONG -write_registry_setting( - char* setting, - DWORD type, - void* buffer, - size_t size - ) -{ - return write_registry_setting_ex(HKEY_CURRENT_USER, - setting, - type, - buffer, - size); -} - -static -LONG -read_registry_setting_ex( - HKEY hRoot, - char* setting, - void* buffer, - size_t size - ) -{ - HKEY hKey = 0; - LONG rc = 0; - DWORD dwType; - DWORD dwCount; - - if (rc = RegOpenKeyEx(hRoot, - LEASH_SETTINGS_REGISTRY_KEY_NAME, - 0, KEY_QUERY_VALUE, &hKey)) - goto cleanup; - - memset(buffer, 0, size); - dwCount = size; - rc = RegQueryValueEx(hKey, setting, NULL, &dwType, (LPBYTE)buffer, - &dwCount); - cleanup: - if (hKey) - RegCloseKey(hKey); - return rc; -} - -LONG -read_registry_setting_user( - char* setting, - void* buffer, - size_t size - ) -{ - return read_registry_setting_ex(HKEY_CURRENT_USER, setting, buffer, size); -} - -static -LONG -read_registry_setting_machine( - char* setting, - void* buffer, - size_t size - ) -{ - return read_registry_setting_ex(HKEY_LOCAL_MACHINE, setting, buffer, size); -} - -LONG -read_registry_setting( - char* setting, - void* buffer, - size_t size - ) -{ - LONG rc; - rc = read_registry_setting_user(setting, buffer, size); - if (!rc) return rc; - rc = read_registry_setting_machine(setting, buffer, size); - return rc; -} diff --git a/src/windows/leashdll/timesync.c b/src/windows/leashdll/timesync.c index 32ab5e6..b6b4481 100644 --- a/src/windows/leashdll/timesync.c +++ b/src/windows/leashdll/timesync.c @@ -8,15 +8,7 @@ #include #include -#ifndef NO_KRB4 -#include -#endif - -#ifdef WSHELPER -#include -#else #include -#endif #include #include "leasherr.h" @@ -80,7 +72,7 @@ gettimeofday( LONG -not_an_API_LeashGetTimeServerName( +get_time_server_name( char *timeServerName, const char *valueName ) @@ -167,11 +159,7 @@ LONG Leash_timesync(int MessageP) WSADATA wsaData; char name[80]; - if ((pkrb5_init_context == NULL) -#ifndef NO_KRB4 - && (ptkt_string == NULL) -#endif - ) + if (pkrb5_init_context == NULL) return(0); wVersionRequested = 0x0101; @@ -192,7 +180,7 @@ LONG Leash_timesync(int MessageP) else Port = sp->s_port; - not_an_API_LeashGetTimeServerName(hostname, TIMEHOST); + get_time_server_name(hostname, TIMEHOST); rc = ProcessTimeSync(hostname, Port, tmpstr); @@ -228,8 +216,8 @@ int ProcessTimeSync(char *hostname, int Port, char *tmpstr) { char buffer[512]; int cc; - register long *nettime; - register int s; + long *nettime; + int s; long hosttime; struct hostent *host; struct timeval tv; diff --git a/src/windows/leashdll/winerr.c b/src/windows/leashdll/winerr.c index e624fc0..a10d485 100644 --- a/src/windows/leashdll/winerr.c +++ b/src/windows/leashdll/winerr.c @@ -11,7 +11,6 @@ */ #include -#include "conf.h" // Private Include files #include "leashdll.h" @@ -77,49 +76,3 @@ LPSTR err_describe(LPSTR buf, long code) return (LPSTR)buf; } - -int _export lsh_com_err_proc (LPSTR whoami, long code, - LPSTR fmt, va_list args) -{ -#ifdef USE_MESSAGE_BOX - int retval; - HWND hOldFocus; - char buf[1024], *cp; /* changed to 512 by jms 8/23/93 */ - WORD mbformat = MB_OK | MB_ICONEXCLAMATION; - - cp = buf; - memset(buf, '\0', sizeof(buf)); - cp[0] = '\0'; - - if (code) - { - err_describe(buf, code); - while (*cp) - cp++; - } - - if (fmt) - { - if (fmt[0] == '%' && fmt[1] == 'b') - { - fmt += 2; - mbformat = va_arg(args, WORD); - /* if the first arg is a %b, we use it for the message - box MB_??? flags. */ - } - if (code) - { - *cp++ = '\n'; - *cp++ = '\n'; - } - wvsprintf((LPSTR)cp, fmt, args); - } - hOldFocus = GetFocus(); - retval = MessageBox(/*GetRootParent(hOldFocus)*/NULL, buf, whoami, - mbformat | MB_ICONHAND | MB_TASKMODAL); - SetFocus(hOldFocus); - return retval; -#else - return IDOK; -#endif /* USE_MESSAGE_BOX */ -} diff --git a/src/windows/lib/Makefile.in b/src/windows/lib/Makefile.in index eaaaecd..50044e2 100644 --- a/src/windows/lib/Makefile.in +++ b/src/windows/lib/Makefile.in @@ -4,11 +4,10 @@ LOCALINCLUDES = -I$(BUILDTOP)\windows\include lib-windows: $(OUTPRE)libwin.lib -SRCS= vardlg.c gic.c registry.c loadfuncs.c +SRCS= loadfuncs.c -OBJS= $(OUTPRE)vardlg.obj $(OUTPRE)gic.obj $(OUTPRE)registry.obj \ - $(OUTPRE)loadfuncs.obj +OBJS= $(OUTPRE)loadfuncs.obj $(OUTPRE)libwin.lib: $(OBJS) diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h index c485080..b308578 100644 --- a/src/windows/lib/cacheapi.h +++ b/src/windows/lib/cacheapi.h @@ -102,21 +102,6 @@ typedef struct opaque_dll_control_block_type* apiCB; typedef struct opaque_ccache_pointer_type* ccache_p; typedef struct opaque_credential_iterator_type* ccache_cit; -#if 0 -enum _cc_data_type { - type_ticket = 0, /* 0 for ticket, second_ticket */ - /* Ted's draft spec says these are to be - "as defined in the Kerberos V5 protocol" - all I can find are typdefs, - can't find an enumerated type or #define - */ - type_address, /* = <"as defined in the Kerberos V5 protocol"> */ - type_authdata, /* = <"as defined in the Kerberos V5 protocol"> */ - type_encryption, /* = <"as defined in the Kerberos V5 protocol"> */ - cc_data_type_max /* for validation */ -}; -#endif - typedef struct _cc_data { cc_uint32 type; // should be one of _cc_data_type diff --git a/src/windows/lib/gic.c b/src/windows/lib/gic.c deleted file mode 100644 index fe586c6..0000000 --- a/src/windows/lib/gic.c +++ /dev/null @@ -1,157 +0,0 @@ -/* - * Copyright (C) 1997 Cygnus Solutions. - * - * Author: Michael Graff - */ - -#include -#include - -#include -#include -#include - -#include "krb5.h" - -#include "vardlg.h" -#include "gic.h" - -/* - * Steps performed: - * - * 1) Create the dialog with all the windows we will need - * later. This is done by calling vardlg_build() from - * gic_prompter(). - * - * 2) Run the dialog from within gic_prompter(). If the return - * value of the dialog is -1 or IDCANCEL, return an error. - * Otherwise, return success. - * - * 3) From within the dialog initialization code, call - * vardlg_config(), which will: - * - * a) Set all the label strings in all the entry labels and - * the banner. - * - * b) Set the maximum input lengths on the entry fields. - * - * c) Calculate the size of the text used within the banner. - * - * d) Calculate the longest string of text used as a label. - * - * e) Resize each label and each entry within the dialog - * to "look nice." - * - * f) Place the OK and perhaps the Cancel buttons at the bottom - * of the dialog. - * - * 4) When the OK button is clicked, copy all the values from the - * input fields and store them in the pointers we are given. - * Also, set the actual lengths to what we collected from the - * entries. Finally, call EndDialog(IDOK) to end the dialog. - */ - -/* - * Yes, a global. It is a PITA to not use them in windows. - */ -gic_data *gd; - - -/* - * initialize the dialog - */ -static BOOL -gic_dialog_init(HWND hwnd, HWND hwndFocus, LPARAM lParam) -{ - vardlg_config(hwnd, gd->width, gd->banner, gd->num_prompts, - gd->prompts, (WORD)(gd->id)); - - return FALSE; -} - -/* - * process dialog "commands" - */ -static void -gic_dialog_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify) -{ - - int n; - WORD id; - - /* - * We are only interested in button clicks, and then only of - * type IDOK or IDCANCEL. - */ - if (codeNotify != BN_CLICKED) - return; - if (cid != IDOK && cid != IDCANCEL) - return; - - /* - * If we are canceled, wipe all the fields and return IDCANCEL. - */ - if (cid == IDCANCEL) { - EndDialog(hwnd, IDCANCEL); - return; - } - - /* - * must be IDOK... - */ - id = (gd->id + 2); - for (n = 0 ; n < gd->num_prompts ; n++) { - Edit_GetText(GetDlgItem(hwnd, id), gd->prompts[n].reply->data, - gd->prompts[n].reply->length); - gd->prompts[n].reply->length = (unsigned)strlen(gd->prompts[n].reply->data); - id += 2; - } - - EndDialog(hwnd, IDOK); -} - -/* - * The dialog callback. - */ -static INT_PTR CALLBACK -gic_dialog(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - switch (message) { - HANDLE_MSG(hwnd, WM_INITDIALOG, gic_dialog_init); - - HANDLE_MSG(hwnd, WM_COMMAND, gic_dialog_command); - } - - return FALSE; -} - - -/* - * All the disgusting code to use the get_init_creds() functions in a - * broken environment - */ -krb5_error_code KRB5_CALLCONV -gic_prompter(krb5_context ctx, void *data, const char *name, - const char *banner, int num_prompts, krb5_prompt prompts[]) -{ - int rc; - void *dlg; - - gd = data; - - gd->banner = banner; - gd->num_prompts = num_prompts; - gd->prompts = prompts; - if (gd->width == 0) - gd->width = 450; - - dlg = vardlg_build((WORD)(gd->width), name, gd->banner, - (WORD)num_prompts, prompts, (WORD)(gd->id)); - - rc = DialogBoxIndirect(gd->hinstance, (LPDLGTEMPLATE)dlg, gd->hwnd, gic_dialog); - - if (rc != IDOK) - return 1; - - return 0; -} diff --git a/src/windows/lib/gic.h b/src/windows/lib/gic.h deleted file mode 100644 index 2321316..0000000 --- a/src/windows/lib/gic.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Copyright (C) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#ifndef _WINDOWS_LIB_GIC_H -#define _WINDOWS_LIB_GIC_H - -#include -#include - -#include "krb5.h" - -typedef struct { - HINSTANCE hinstance; /* application instance */ - HWND hwnd; /* parent window */ - WORD id; /* starting ID */ - WORD width; /* max width of the dialog box */ - const char *banner; /* the banner */ - WORD num_prompts; /* the number of prompts we were passed */ - krb5_prompt *prompts; /* the prompts themselves */ -} gic_data; - -krb5_error_code KRB5_CALLCONV gic_prompter(krb5_context, void *, const char *, - const char *, int, krb5_prompt []); - -#endif /* _WINDOWS_LIB_GIC_H */ diff --git a/src/windows/lib/registry.c b/src/windows/lib/registry.c deleted file mode 100644 index be4ef89..0000000 --- a/src/windows/lib/registry.c +++ /dev/null @@ -1,232 +0,0 @@ -/* - * Copyright (c) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#include -#include -#include - -#include "registry.h" - -HKEY -registry_open(HKEY hkey, char *base, REGSAM sam) -{ - HKEY k = INVALID_HANDLE_VALUE; - DWORD err; - - /* - * if the base path is null, return the already open key in hkey - */ - if (base == NULL) - return hkey; - - err = RegOpenKeyEx(hkey, base, 0, sam, &hkey); - if (err != ERROR_SUCCESS) - return INVALID_HANDLE_VALUE; - - return hkey; -} - -void -registry_close(HKEY hkey) -{ - CloseHandle(hkey); -} - -HKEY -registry_key_create(HKEY hkey, char *sub, REGSAM sam) -{ - HKEY key; - DWORD err; - DWORD disp; - - err = RegCreateKeyEx(hkey, sub, 0, 0, REG_OPTION_NON_VOLATILE, sam, - NULL, &key, &disp); - if (err != ERROR_SUCCESS) - return INVALID_HANDLE_VALUE; - - return key; -} - -int -registry_key_delete(HKEY hkey, char *sub) -{ - DWORD err; - - err = RegDeleteKey(hkey, sub); - if (err != ERROR_SUCCESS) - return -1; - - return 0; -} - -int -registry_string_get(HKEY hkey, char *sub, char **val) -{ - DWORD err; - DWORD type; - DWORD datasize; - - err = RegQueryValueEx(hkey, sub, 0, &type, 0, &datasize); - if (err != ERROR_SUCCESS || type != REG_SZ) { - *val = NULL; - return -1; - } - - *val = malloc(datasize); - if (*val == NULL) - return -1; - - err = RegQueryValueEx(hkey, sub, 0, &type, *val, &datasize); - if (err != ERROR_SUCCESS) { - free(*val); - *val = NULL; - return -1; - } - - return 0; -} - -int -registry_dword_get(HKEY hkey, char *sub, DWORD *val) -{ - DWORD err; - DWORD type; - DWORD datasize; - - err = RegQueryValueEx(hkey, sub, 0, &type, 0, &datasize); - if (err != ERROR_SUCCESS || type != REG_DWORD) { - *val = 0; - return -1; - } - - err = RegQueryValueEx(hkey, sub, 0, &type, (BYTE *)val, &datasize); - if (err != ERROR_SUCCESS) { - *val = 0; - return -1; - } - - return 0; -} - -int -registry_string_set(HKEY hkey, char *sub, char *x) -{ - DWORD err; - - err = RegSetValueEx(hkey, sub, 0, REG_SZ, (BYTE *)x, (DWORD)strlen(x) + 1); - if (err != ERROR_SUCCESS) - return -1; - - return 0; -} - -int -registry_dword_set(HKEY hkey, char *sub, DWORD x) -{ - DWORD err; - - err = RegSetValueEx(hkey, sub, 0, REG_DWORD, (CONST BYTE *)&x, sizeof(DWORD)); - if (err != ERROR_SUCCESS) - return -1; - - return 0; -} - -int -registry_keyval_dword_set(HKEY hkey, char *base, char *sub, DWORD val) -{ - HKEY k; - int err; - - k = registry_open(hkey, base, KEY_WRITE); - if (k == INVALID_HANDLE_VALUE) - return -1; - - err = registry_dword_set(k, sub, val); - - registry_close(k); - - return err; -} - -int -registry_keyval_dword_get(HKEY hkey, char *base, char *sub, DWORD *val) -{ - HKEY k; - int err; - - k = registry_open(hkey, base, KEY_READ); - if (k == INVALID_HANDLE_VALUE) - return -1; - - err = registry_dword_get(k, sub, val); - - registry_close(k); - - return err; -} - -int -registry_keyval_string_get(HKEY hkey, char *base, char *sub, char **val) -{ - HKEY k; - int err; - - k = registry_open(hkey, base, KEY_READ); - if (k == INVALID_HANDLE_VALUE) { - *val = NULL; - return -1; - } - - err = registry_string_get(k, sub, val); - - registry_close(k); - - return err; -} - -int -registry_keyval_string_set(HKEY hkey, char *base, char *sub, char *val) -{ - HKEY k; - int err; - - k = registry_open(hkey, base, KEY_WRITE); - if (k == INVALID_HANDLE_VALUE) - return -1; - - err = registry_string_set(k, sub, val); - - registry_close(k); - - return err; -} - -int -registry_value_delete(HKEY hkey, char *sub) -{ - if (RegDeleteValue(hkey, sub)) - return -1; - - return 0; -} - -int -registry_keyval_delete(HKEY hkey, char *base, char *sub) -{ - HKEY k; - int err; - - k = registry_open(hkey, base, KEY_WRITE); - if (k == INVALID_HANDLE_VALUE) - return -1; - - err = registry_value_delete(k, sub); - - registry_close(k); - - return err; -} diff --git a/src/windows/lib/registry.h b/src/windows/lib/registry.h deleted file mode 100644 index d628d2b..0000000 --- a/src/windows/lib/registry.h +++ /dev/null @@ -1,40 +0,0 @@ -/* - * Copyright (c) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#ifndef LIB_WINDOWS_REGISTRY_H -#define LIB_WINDOWS_REGISTRY_H - -#include -#include - -HKEY registry_open(HKEY, char *, REGSAM); -void registry_close(HKEY); -HKEY registry_key_create(HKEY, char *, REGSAM); -int registry_key_delete(HKEY, char *); -int registry_string_get(HKEY, char *, char **); -int registry_dword_get(HKEY, char *, DWORD *); -int registry_string_set(HKEY, char *, char *); -int registry_dword_set(HKEY, char *, DWORD); -int registry_keyval_dword_set(HKEY, char *, char *, DWORD); -int registry_keyval_dword_get(HKEY, char *, char *, DWORD *); -int registry_keyval_string_get(HKEY, char *, char *, char **); -int registry_keyval_string_set(HKEY, char *, char *, char *); -int registry_value_delete(HKEY, char *); -int registry_keyval_delete(HKEY, char *, char *); - -#define CYGNUS_SOLUTIONS "SOFTWARE\\Cygnus Solutions" - -#define KERBNET_SANS_VERSION CYGNUS_SOLUTIONS "\\Kerbnet" -#define KERBNET_BASE KERBNET_SANS_VERSION "\\1" - -#define KERBNET_TELNET_BASE KERBNET_BASE "\\telnet" -#define KERBNET_TELNET_HOST KERBNET_TELNET_BASE "\\hosts" - -#define KERBNET_CNS_BASE KERBNET_BASE "\\cns" - -#define KERBNET_HOME "KERBNET_HOME" - -#endif /* LIB_WINDOWS_REGISTRY_H */ diff --git a/src/windows/lib/vardlg.c b/src/windows/lib/vardlg.c deleted file mode 100644 index 91a6bf4..0000000 --- a/src/windows/lib/vardlg.c +++ /dev/null @@ -1,454 +0,0 @@ -/* - * Copyright (C) 1997 Cygnus Solutions. - * - * Author: Michael Graff - */ -/* - * Dialog box building for various numbers of (label, entry) fields. - * - * This code is somewhat hardcoded to build boxes for the krb5_get_init_creds() - * function. - */ - -#include -#include - -#include -#include -#include - -#include "krb5.h" -#include "vardlg.h" - -/* - * a hack, I know... No error checking below, either. - */ -static unsigned char dlg[DLG_BUF]; - -/* - * Add a WORD (16-bit int) to the buffer. Return the number of characters - * added. - */ -static int -ADD_WORD(unsigned char *p, WORD w) -{ - *((WORD *)p) = w; - - return 2; -} - -static int -ADD_DWORD(unsigned char *p, DWORD dw) -{ - *((DWORD *)p) = dw; - - return 4; -} - -static size_t -ADD_UNICODE_STRING(unsigned char *p, const char *s) -{ - WORD *w; - size_t i; - size_t len; - - w = (WORD *)p; - - len = strlen(s) + 1; /* copy the null, too */ - - for (i = 0 ; i < len ; i++) - *w++ = *s++; - - return (len * 2); -} - -#define DWORD_ALIGN(p) { while ((DWORD)p % 4) *p++ = 0x00; } - -static size_t -ADD_DLGTEMPLATE(unsigned char *dlg, short x, short y, short cx, short cy, - const char *caption, const char *fontname, WORD fontsize, - WORD n) -{ - unsigned char *p; - DLGTEMPLATE dlt; - - p = dlg; - - dlt.style = (DS_MODALFRAME | WS_POPUP); - if (caption != NULL) - dlt.style |= WS_CAPTION; - if (fontname != NULL) - dlt.style |= DS_SETFONT; - dlt.dwExtendedStyle = 0; - dlt.cdit = n; - dlt.x = x; - dlt.y = y; - dlt.cx = cx; - dlt.cy = cy; - memcpy(p, &dlt, sizeof(dlt)); - p += sizeof(dlt); - - p += ADD_WORD(p, 0x0000); /* menu == none */ - - p += ADD_WORD(p, 0x0000); /* class == default? */ - - if (caption != NULL) - p += ADD_UNICODE_STRING(p, caption); - else - p += ADD_WORD(p, 0x0000); - - if (fontname != NULL) { - p += ADD_WORD(p, fontsize); - p += ADD_UNICODE_STRING(p, fontname); - } - - DWORD_ALIGN(p); - - return (p - dlg); -} - -static size_t -ADD_DLGITEM(unsigned char *dlg, short x, short y, short cx, short cy, - const char *label, WORD id, WORD type, DWORD style) -{ - unsigned char *p; - DLGITEMTEMPLATE dit; - - p = dlg; - - dit.style = style; - dit.dwExtendedStyle = 0; - dit.x = x; - dit.y = y; - dit.cx = cx; - dit.cy = cy; - dit.id = id; - memcpy(p, &dit, sizeof(dit)); - p += sizeof(dit); - - p += ADD_WORD(p, 0xffff); - p += ADD_WORD(p, type); - - p += ADD_UNICODE_STRING(p, label); - - /* - * creation data? For now, just make this empty, like the resource - * compiler does. - */ - p += ADD_WORD(p, 0x0000); - - DWORD_ALIGN(p); - - return (p - dlg); -} - -#define ADD_DLGITEM_defpushbutton(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0080, 0x50010001); - -#define ADD_DLGITEM_pushbutton(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0080, 0x50010000); - -#define ADD_DLGITEM_left_static(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0082, 0x50020000); - -#define ADD_DLGITEM_centered_static(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0082, 0x50020001); - -#define ADD_DLGITEM_right_static(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0082, 0x50020002); - -#define ADD_DLGITEM_entry(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0081, 0x50810080); - -#define ADD_DLGITEM_hidden_entry(a, b, c, d, e, f, g) \ - ADD_DLGITEM((a), (b), (c), (d), (e), (f), (g), 0x0081, 0x508100a0); - - -/* - * "build" the dialog box. In this bit of code, we create the dialog box, - * create the OK button, and a static label for the banner text. - * - * If there are items, we also create a Cancel button and one (label, entry) - * fields for each item. - */ -void * -vardlg_build(WORD cx, const char *name, const char *banner, - WORD n, krb5_prompt prompts[], WORD id) -{ - unsigned char *p; - WORD i; - - p = dlg; /* global */ - - if (cx < MIN_WIDTH) - cx = MIN_WIDTH; - if (cx > MAX_WIDTH) - cx = MAX_WIDTH; - - /* - * Store the dialog template - */ - p += ADD_DLGTEMPLATE(p, 0, 0, cx, 0, name ? - strlen(name) < 30 ? name : "Kerberos V5" : - "Kerberos V5", - "MS Sans Serif", 8, - (WORD)(n * 2 + 3)); - - /* - * Create a label for the banner. This will be ID (id). - */ - p += ADD_DLGITEM_left_static(p, 0, 0, 0, 0, "", id++); - - /* - * Each label field is ID (id + 1) + (item * 2), and each entry field - * is (id + 2) + (item * 2) - */ - for (i = 0 ; i < n ; i++) { - p += ADD_DLGITEM_right_static(p, 0, 0, 0, 0, "", id++); - if (prompts[i].hidden) { - p += ADD_DLGITEM_hidden_entry(p, 0, 0, 0, 0, "", id++); - } else { - p += ADD_DLGITEM_entry(p, 0, 0, 0, 0, "", id++); - } - } - - /* - * Create the OK and Cancel buttons. - */ - p += ADD_DLGITEM_defpushbutton(p, 0, 0, 0, 0, - "OK", IDOK); - if (n != 0) - p += ADD_DLGITEM_pushbutton(p, 0, 0, 0, 0, - "Cancel", IDCANCEL); - - return dlg; -} - -#define SPACE_Y 4 /* logical units */ -#define SPACE_X 4 /* logical units */ -#define ENTRY_PX 120 /* pixels */ -#define BUTTON_PX 70 /* pixels */ -#define BUTTON_PY 30 /* pixels */ - -void -vardlg_config(HWND hwnd, WORD width, const char *banner, WORD num_prompts, - krb5_prompt *prompts, WORD id) -{ - int n; - WORD cid; - HDC hdc; - SIZE csize; - SIZE maxsize; - LONG cx, cy; - LONG ccx, ccy; - LONG space_x, space_y; - LONG max_x, max_y; - LONG banner_y; - RECT rect; - int done; - const char *p; - - /* - * First, set the banner's text. - */ - Static_SetText(GetDlgItem(hwnd, id), banner); - - /* - * Next, run through the items and set their static text. - * Also, set the corresponding edit string and set the - * maximum input length. - */ - cid = (id + 1); - - for (n = 0 ; n < num_prompts ; n++) { - Static_SetText(GetDlgItem(hwnd, cid), prompts[n].prompt); - cid++; - Edit_SetText(GetDlgItem(hwnd, cid), ""); - Edit_LimitText(GetDlgItem(hwnd, cid), prompts[n].reply->length); - cid++; - } - - /* - * Now run through the entry fields and find the longest string. - */ - maxsize.cx = maxsize.cy = 0; - cid = (id + 1); - hdc = GetDC(GetDlgItem(hwnd, cid)); /* assume one label is the same as all the others */ - - for (n = 0 ; n < num_prompts ; n++) { - GetTextExtentPoint32(hdc, prompts[n].prompt, (int)strlen(prompts[n].prompt), &csize); - if (csize.cx > maxsize.cx) - maxsize.cx = csize.cx; - if (csize.cy > maxsize.cy) - maxsize.cy = csize.cy; - } - -#if 0 - /* - * convert the maximum values into pixels. Ugh. - */ - rect.left = 0; - rect.top = 0; - rect.right = maxsize.cx; - rect.bottom = maxsize.cy; - MapDialogRect(hwnd, &rect); - - max_x = rect.right; - max_y = rect.bottom; -#else - max_x = maxsize.cx; - max_y = (long)(((double)maxsize.cy) * 1.5); -#endif - - /* - * convert the spacing values, too. Ugh. Ugh. - */ - rect.left = 0; - rect.top = 0; - rect.right = SPACE_X; - rect.bottom = SPACE_Y; - MapDialogRect(hwnd, &rect); - - space_x = rect.right; - space_y = rect.bottom; - - /* - * Now we know the maximum length of the string for the entry labels. Guestimate - * that the entry fields should be ENTRY_PX pixels long and resize the dialog - * window to fit the longest string plus the entry fields (plus a little for the - * spacing between the edges of the windows and the static and edit fields, and - * between the static and edit fields themselves.) - */ - cx = max_x + ENTRY_PX + (space_x * 3); - cy = (max_y + space_y) * num_prompts; - - /* - * resize the dialog box itself (take 1) - */ - SetWindowPos(hwnd, HWND_TOPMOST, - 0, 0, - cx + 10, cy + 30, - SWP_NOMOVE); - - /* - * position the dialog items. First, the banner. (take 1) - */ - SetWindowPos(GetDlgItem(hwnd, id), HWND_BOTTOM, - space_x, space_y, - (cx - space_x * 2), max_y, - 0); - - /* - * Now that the window for the banner is in place, convert the width into logical units - * and find out how many lines we need to reserve room for. - */ - done = 0; - p = banner; - banner_y = 0; - - do { - int nFit; - int pDx[128]; - - hdc = GetDC(GetDlgItem(hwnd, id)); - - GetTextExtentExPoint(hdc, p, (int)strlen(p), cx, &nFit, - pDx, &csize); - - banner_y += csize.cy; - - p += nFit; - - } while (*p != 0); - - banner_y += space_y; - - /* - * position the banner (take 2) - */ - SetWindowPos(GetDlgItem(hwnd, id), HWND_BOTTOM, - space_x, space_y, - (cx - space_x * 2), banner_y, - 0); - - /* - * Don't forget to include the banner estimate and the buttons, too. Once again, - * assume the buttons are BUTTON_PY pixels high. The extra three space_y's are - * for between the top of the dialog and the banner, between the banner and the - * first label, and between the buttons and the bottom of the screen. - */ - cy += banner_y + BUTTON_PY + (space_y * 3); - - /* - * resize the dialog box itself (Again... ugh!) - */ - SetWindowPos(hwnd, HWND_TOPMOST, - 0, 0, - cx + 10, cy + 30, - SWP_NOMOVE); - - cid = (id + 1); - ccy = banner_y + (space_y * 2); - ccx = max_x + (space_x * 2); /* where the edit fields start */ - - for (n = 0 ; n < num_prompts ; n++) { - SetWindowPos(GetDlgItem(hwnd, cid), HWND_BOTTOM, - space_x, ccy, - max_x, max_y, 0); - cid++; - SetWindowPos(GetDlgItem(hwnd, cid), HWND_BOTTOM, - ccx, ccy, - ENTRY_PX, max_y - 3, 0); - cid++; - ccy += (max_y + space_y); - } - - /* - * Now the buttons. If there are any entries we will have both an OK and a - * Cancel button. If we don't have any entries, we will have only an OK. - */ - if (num_prompts == 0) { - SetWindowPos(GetDlgItem(hwnd, IDOK), HWND_BOTTOM, - (cx / 2), cy - space_y - BUTTON_PY, - BUTTON_PX, BUTTON_PY, 0); - } else { - SetWindowPos(GetDlgItem(hwnd, IDOK), HWND_BOTTOM, - space_x, cy - space_y - BUTTON_PY, - BUTTON_PX, BUTTON_PY, 0); - SetWindowPos(GetDlgItem(hwnd, IDCANCEL), HWND_BOTTOM, - cx - space_x - BUTTON_PX, cy - space_y - BUTTON_PY, - BUTTON_PX, BUTTON_PY, 0); - } - - return; -} - -/* - * To use these functions, first create the dialog box and entries. - * You will always get an OK button. If there are at least one item, - * you will also get a cancel button. The OK button is IDOK, and the cancel - * button is IDCANCEL, as usual. - * - * After calling bld_dlg, the banner will have ID "id", and the labels - * will be "1 + id + i * 2" (i is the entry number, starting with zero) and - * the entries will be "2 + id + i * 2". - * - * unsigned char *dlg = vardlg_build(minwidth, banner, num_prompts, - * krb5_prompt[], id); - * - * Then, "run" the dialog using: - * - * rc = DialogBoxIndirect(hinstance, (LPDLGTEMPLATE)dlg, - * HWND_DESKTOP, myDialogProc); - * - * Note that the vardlg_build function uses a static data area and so cannot - * be used more than once before the DialogBoxIndirect() procedure is called. - * I assume windows won't need that area after that call is complete. - * - * In the dialog's _initialization_ procedure, call - * - * vardlg_config(hwnd, banner, num_prompts, krb5_prompt[], id); - * - * This function will resize the various elements of the dialog and fill in the - * labels. - */ diff --git a/src/windows/lib/vardlg.h b/src/windows/lib/vardlg.h deleted file mode 100644 index e609d4a..0000000 --- a/src/windows/lib/vardlg.h +++ /dev/null @@ -1,32 +0,0 @@ -/* - * Copyright (C) 1997 Cygnus Solutions - * - * Author: Michael Graff - */ - -#ifndef _WINDOWS_LIB_VARDLG_H -#define _WINDOWS_LIB_VARDLG_H - -#include -#include - -#define DLG_BUF 4096 - -/* - * The minimum and maximum dialog box widths we will allow. - */ -#define MIN_WIDTH 350 -#define MAX_WIDTH 600 - -/* - * "build" the dialog box. In this bit of code, we create the dialog box, - * create the OK button, and a static label for the banner text. - * - * If there are items, we also create a Cancel button and one (label, entry) - * fields for each item. - */ -void *vardlg_build(WORD, const char *, const char *, WORD, krb5_prompt *, WORD); - -void vardlg_config(HWND, WORD, const char *, WORD, krb5_prompt *, WORD); - -#endif /* _WINDOWS_LIB_VARDLG_H */ diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c index c332503..2b4373c 100644 --- a/src/windows/ms2mit/ms2mit.c +++ b/src/windows/ms2mit/ms2mit.c @@ -74,7 +74,7 @@ cc_has_tickets(krb5_context kcontext, krb5_ccache ccache, int *has_tickets) break; if (!krb5_is_config_principal(kcontext, creds.server) && - creds.times.endtime > now) + ts_after(creds.times.endtime, now)) *has_tickets = 1; krb5_free_cred_contents(kcontext, &creds); diff --git a/src/windows/version.rc b/src/windows/version.rc index 147d3d1..fc6e83f 100644 --- a/src/windows/version.rc +++ b/src/windows/version.rc @@ -41,7 +41,7 @@ #define K5_PRODUCT_VERSION_STRING MAJOR_MINOR MAYBE_PATCH RELTAIL "\0" #define K5_PRODUCT_VERSION KRB5_MAJOR_RELEASE, KRB5_MINOR_RELEASE, KRB5_PATCHLEVEL, KRB5_BUILDLEVEL -#define K5_COPYRIGHT "Copyright (C) 1997-2017 by the Massachusetts Institute of Technology\0" +#define K5_COPYRIGHT "Copyright (C) 1997-2019 by the Massachusetts Institute of Technology\0" #define K5_COMPANY_NAME "Massachusetts Institute of Technology.\0" /* @@ -144,50 +144,6 @@ #endif #endif /* LEASHDLL_LIB */ -#ifdef WSHELPER_LIB -#define K5_DESCRIPTION "Winsock Helper (wshelper) API - " KRB5_PRODUCTNAME_STR "\0" -#define K5_INTERNAL_NAME "wshelper\0" -#define K5_FILETYPE VFT_DLL -#if defined(_WIN64) -#define K5_ORIGINAL_NAME "wshelper64.dll\0" -#else -#define K5_ORIGINAL_NAME "wshelper32.dll\0" -#endif -#endif /* WSHELPER_LIB */ - -#ifdef KRB4_LIB -#define K5_DESCRIPTION "Kerberos v4 - " KRB5_PRODUCTNAME_STR "\0" -#define K5_INTERNAL_NAME "krb4\0" -#define K5_FILETYPE VFT_DLL -#if !defined(_WIN32) -#define K5_ORIGINAL_NAME "krb4_16.dll\0" -#else -#define K5_ORIGINAL_NAME "krb4_32.dll\0" -#endif -#endif /* KRB4 */ - -#ifdef SAPKRB_LIB -#define K5_DESCRIPTION "Kerberos v5 - " KRB5_PRODUCTNAME_STR " (for SAP)\0" -#define K5_INTERNAL_NAME "sapkrb5\0" -#define K5_FILETYPE VFT_DLL -#if !defined(_WIN32) -#define K5_ORIGINAL_NAME "sapkrb16.dll\0" -#else -#define K5_ORIGINAL_NAME "sapkrb32.dll\0" -#endif -#endif /* SAPKRB */ - -#ifdef SAPGSS_LIB -#define K5_DESCRIPTION "GSSAPI - GSS API implementation for Kerberos 5 mechanism(for SAP)\0" -#define K5_INTERNAL_NAME "sapgss\0" -#define K5_FILETYPE VFT_DLL -#if !defined(_WIN32) -#define K5_ORIGINAL_NAME "sapgss16.dll\0" -#else -#define K5_ORIGINAL_NAME "sapgss32.dll\0" -#endif -#endif /* SAPGSS */ - #ifdef KRB5_APP #define K5_DESCRIPTION "KRB5 Ticket Manager - " KRB5_PRODUCTNAME_STR "\0" #define K5_FILETYPE VFT_APP @@ -202,27 +158,6 @@ #define K5_ORIGINAL_NAME "gss.exe\0" #endif -#ifdef TELNET_APP -#define K5_DESCRIPTION "Telnet - Telnet Application for " KRB5_PRODUCTNAME_STR "\0" -#define K5_FILETYPE VFT_APP -#define K5_INTERNAL_NAME "TELNET\0" -#define K5_ORIGINAL_NAME "telnet.exe\0" -#endif - -#ifdef KRB524_LIB -#define K5_DESCRIPTION "Kerberos v5 to v4 - " KRB5_PRODUCTNAME_STR "\0" -#define K5_INTERNAL_NAME "krb524\0" -#define K5_FILETYPE VFT_DLL -#define K5_ORIGINAL_NAME "krb524.dll\0" -#endif /* KRB524_LIB */ - -#ifdef KRB524_INIT -#define K5_DESCRIPTION "Kerberos v5 to v4 Application - " KRB5_PRODUCTNAME_STR "\0" -#define K5_INTERNAL_NAME "krb524_init\0" -#define K5_FILETYPE VFT_DLL -#define K5_ORIGINAL_NAME "krb524_init.exe\0" -#endif /* KRB524_INIT */ - #ifdef MS2MIT_APP #define K5_DESCRIPTION "Microsoft LSA to MIT Credential Cache Application - " KRB5_PRODUCTNAME_STR "\0" #define K5_INTERNAL_NAME "ms2mit\0" diff --git a/src/windows/winlevel.h b/src/windows/winlevel.h index 13ad8fc..b7ae959 100644 --- a/src/windows/winlevel.h +++ b/src/windows/winlevel.h @@ -24,8 +24,7 @@ */ /* - * This is the slave file for Windows version stamping purposes. -/* This value should be an ever increasing number that is + * This value should be an ever increasing number that is * updated for each alpha, beta, final release. This will ensure * that file identifiers are unique */ diff --git a/src/windows/wintel/Makefile.in b/src/windows/wintel/Makefile.in deleted file mode 100644 index 7a6686e..0000000 --- a/src/windows/wintel/Makefile.in +++ /dev/null @@ -1,46 +0,0 @@ -# Makefile for the Kerberos for Windows telnet client -# Works for both k4 and k5 releases. -# -OBJS = $(OUTPRE)telnet.obj $(OUTPRE)negotiat.obj $(OUTPRE)auth.obj \ - $(OUTPRE)edit.obj $(OUTPRE)emul.obj $(OUTPRE)font.obj \ - $(OUTPRE)intern.obj $(OUTPRE)screen.obj $(OUTPRE)encrypt.obj \ - $(OUTPRE)genget.obj - -##### Options -# Set NODEBUG if building release instead of debug -!IF ! defined(KVERSION) -KRBOPT =-DFORWARD -DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION -KVERSION= 5 -!endif -KRB = KRB$(KVERSION) - -BUILDTOP=..\.. -LOCALINCLUDES= /I$(BUILDTOP) /I$(BUILDTOP)\include /I$(BUILDTOP)\include\krb5 \ - /I$(BUILDTOP)\lib\crypto\des -RESFILE = $(OUTPRE)telnet.res -XOBJS = $(RESFILE) $(OUTPRE)k5stream.obj $(OUTPRE)enc_des.obj - -DEFINES = /D$(KRB)=1 $(KRBOPT) -RFLAGS = $(LOCALINCLUDES) -RCFLAGS = $(RFLAGS) -D_WIN32 -DTELNET_APP - -##### Linker -LINK = link -LIBS = $(KLIB) $(CLIB) $(WLIB) -SYSLIBS = kernel32.lib ws2_32.lib user32.lib gdi32.lib comdlg32.lib -LFLAGS = /nologo $(LOPTS) - -all: Makefile $(OUTPRE)telnet.exe - -$(OUTPRE)telnet.exe: telnet.def $(OBJS) $(XOBJS) $(LIBS) - $(LINK) $(LFLAGS) /map:$*.map /out:$@ $(OBJS) $(XOBJS) \ - $(LIBS) $(SYSLIBS) $(SCLIB) - $(_VC_MANIFEST_EMBED_EXE) - -install: - copy $(OUTPRE)telnet.exe $(DESTDIR) - -clean: - $(RM) $(OUTPRE)*.exe $(OUTPRE)*.res $(OUTPRE)*.map - -$(RESFILE): ..\version.rc diff --git a/src/windows/wintel/auth.c b/src/windows/wintel/auth.c deleted file mode 100644 index 433bce3..0000000 --- a/src/windows/wintel/auth.c +++ /dev/null @@ -1,867 +0,0 @@ -/* - * Implements Kerberos 4 authentication - */ - -#ifdef KRB4 -#include -#include -#include -#include "winsock.h" -#include "kerberos.h" -#endif -#ifdef KRB5 -#include -#include -#include "krb5.h" -#include "com_err.h" -#endif - -#include "telnet.h" -#include "telnet_arpa.h" - -#ifdef ENCRYPTION -#include "encrypt.h" -#endif - -/* - * Constants - */ -#ifdef KRB4 -#define KRB_AUTH 0 -#define KRB_REJECT 1 -#define KRB_ACCEPT 2 -#define KRB_CHALLENGE 3 -#define KRB_RESPONSE 4 -#endif -#ifdef KRB5 -#define KRB_AUTH 0 /* Authentication data follows */ -#define KRB_REJECT 1 /* Rejected (reason might follow) */ -#define KRB_ACCEPT 2 /* Accepted */ -#define KRB_RESPONSE 3 /* Response for mutual auth. */ - -#define KRB_FORWARD 4 /* Forwarded credentials follow */ -#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */ -#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */ -#endif - -#ifndef KSUCCESS /* Let K5 use K4 constants */ -#define KSUCCESS 0 -#define KFAILURE 255 -#endif - -/* - * Globals - */ -#ifdef KRB4 -static CREDENTIALS cred; -static KTEXT_ST auth; - -#define KRB_SERVICE_NAME "rcmd" -#define KERBEROS_VERSION KERBEROS_V4 - -static int auth_how; -static int k4_auth_send(kstream); -static int k4_auth_reply(kstream, unsigned char *, int); -#endif - -#ifdef KRB5 -static krb5_data auth; -static int auth_how; -static krb5_auth_context auth_context; -krb5_keyblock *session_key = NULL; -#ifdef FORWARD -void kerberos5_forward(kstream); -#endif - -#define KRB_SERVICE_NAME "host" -#define KERBEROS_VERSION AUTHTYPE_KERBEROS_V5 - -static int k5_auth_send(kstream, int); -static int k5_auth_reply(kstream, int, unsigned char *, int); -#endif - -static int Data(kstream, int, void *, int); - -#ifdef ENCRYPTION -BOOL encrypt_flag = 1; -#endif -#ifdef FORWARD -BOOL forward_flag = 1; /* forward tickets? */ -BOOL forwardable_flag = 1; /* get forwardable tickets to forward? */ -BOOL forwarded_tickets = 0; /* were tickets forwarded? */ -#endif - -static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0, - AUTHTYPE_KERBEROS_V5, }; - -static int -Data(kstream ks, int type, void *d, int c) -{ - unsigned char *p = str_data + 4; - unsigned char *cd = (unsigned char *)d; - - if (c == -1) - c = strlen((char *)cd); - - *p++ = AUTHTYPE_KERBEROS_V5; - *p = AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL; -#ifdef ENCRYPTION - *p |= AUTH_ENCRYPT_ON; -#endif - p++; - *p++ = type; - while (c-- > 0) { - if ((*p++ = *cd++) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - - return(TelnetSend(ks, (LPSTR)str_data, p - str_data, 0)); -} - -#ifdef ENCRYPTION -/* - * Function: Enable or disable the encryption process. - * - * Parameters: - * enable - TRUE to enable, FALSE to disable. - */ -static void -auth_encrypt_enable(BOOL enable) -{ - encrypt_flag = enable; -} -#endif - -/* - * Function: Abort the authentication process - * - * Parameters: - * ks - kstream to send abort message to. - */ -static void -auth_abort(kstream ks, char *errmsg, long r) -{ - char buf[9]; - - wsprintf(buf, "%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION, - TELQUAL_IS, AUTHTYPE_NULL, - AUTHTYPE_NULL, IAC, SE); - TelnetSend(ks, (LPSTR)buf, 8, 0); - - if (errmsg != NULL) { - strTmp[sizeof(strTmp) - 1] = '\0'; - strncpy(strTmp, errmsg, sizeof(strTmp) - 1); - - if (r != KSUCCESS) { - strncat(strTmp, "\n", sizeof(strTmp) - 1 - strlen(strTmp)); -#ifdef KRB4 - lstrcat(strTmp, krb_get_err_text((int)r)); -#endif -#ifdef KRB5 - lstrcat(strTmp, error_message(r)); -#endif - } - - MessageBox(HWND_DESKTOP, strTmp, "Kerberos authentication failed!", - MB_OK | MB_ICONEXCLAMATION); - } -} - - -/* - * Function: Copy data to buffer, doubling IAC character if present. - * - * Parameters: - * kstream - kstream to send abort message to. - */ -static int -copy_for_net(unsigned char *to, unsigned char *from, int c) -{ - int n; - - n = c; - - while (c-- > 0) { - if ((*to++ = *from++) == IAC) { - n++; - *to++ = IAC; - } - } - - return n; -} - - -/* - * Function: Parse authentication send command - * - * Parameters: - * ks - kstream to send abort message to. - * - * parsedat - the sub-command data. - * - * end_sub - index of the character in the 'parsedat' array which - * is the last byte in a sub-negotiation - * - * Returns: Kerberos error code. - */ -static int -auth_send(kstream ks, unsigned char *parsedat, int end_sub) -{ - char buf[2048]; /* be sure that this is > auth.length+9 */ - char *pname; - int plen; - int r; - int i; - - auth_how = -1; - - for (i = 2; i+1 <= end_sub; i += 2) { - if (parsedat[i] == KERBEROS_VERSION) - if ((parsedat[i+1] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) { - auth_how = parsedat[i+1] & AUTH_HOW_MASK; - break; - } - } - - if (auth_how == -1) { - auth_abort(ks, NULL, 0); - return KFAILURE; - } - -#ifdef KRB4 - r = k4_auth_send(ks); -#endif /* KRB4 */ - -#ifdef KRB5 - r = k5_auth_send(ks, auth_how); -#endif /* KRB5 */ - - if (!r) - return KFAILURE; - - plen = strlen(szUserName); /* Set by k#_send if needed */ - pname = szUserName; - - wsprintf(buf, "%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME); - memcpy(&buf[4], pname, plen); - wsprintf(&buf[plen + 4], "%c%c", IAC, SE); - TelnetSend(ks, (LPSTR)buf, lstrlen(pname)+6, 0); - - wsprintf(buf, "%c%c%c%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_IS, - KERBEROS_VERSION, auth_how | AUTH_WHO_CLIENT, KRB_AUTH); - -#if KRB4 - auth.length = copy_for_net(&buf[7], auth.dat, auth.length); -#endif /* KRB4 */ -#if KRB5 - auth.length = copy_for_net(&buf[7], auth.data, auth.length); -#endif /* KRB5 */ - - wsprintf(&buf[auth.length+7], "%c%c", IAC, SE); - - TelnetSend(ks, (LPSTR)buf, auth.length+9, 0); - - return KSUCCESS; -} - -/* - * Function: Parse authentication reply command - * - * Parameters: - * ks - kstream to send abort message to. - * - * parsedat - the sub-command data. - * - * end_sub - index of the character in the 'parsedat' array which - * is the last byte in a sub-negotiation - * - * Returns: Kerberos error code. - */ -static int -auth_reply(kstream ks, unsigned char *parsedat, int end_sub) -{ - int n; - -#ifdef KRB4 - n = k4_auth_reply(ks, parsedat, end_sub); -#endif - -#ifdef KRB5 - n = k5_auth_reply(ks, auth_how, parsedat, end_sub); -#endif - - return n; -} - -/* - * Function: Parse the athorization sub-options and reply. - * - * Parameters: - * ks - kstream to send abort message to. - * - * parsedat - sub-option string to parse. - * - * end_sub - last charcter position in parsedat. - */ -void -auth_parse(kstream ks, unsigned char *parsedat, int end_sub) -{ - if (parsedat[1] == TELQUAL_SEND) - auth_send(ks, parsedat, end_sub); - - if (parsedat[1] == TELQUAL_REPLY) - auth_reply(ks, parsedat, end_sub); -} - - -/* - * Function: Initialization routine called kstream encryption system. - * - * Parameters: - * str - kstream to send abort message to. - * - * data - user data. - */ -int -auth_init(kstream str, kstream_ptr data) -{ -#ifdef ENCRYPTION - encrypt_init(str, data); -#endif - return 0; -} - - -/* - * Function: Destroy routine called kstream encryption system. - * - * Parameters: - * str - kstream to send abort message to. - * - * data - user data. - */ -void -auth_destroy(kstream str) -{ -} - - -/* - * Function: Callback to encrypt a block of characters - * - * Parameters: - * out - return as pointer to converted buffer. - * - * in - the buffer to convert - * - * str - the stream being encrypted - * - * Returns: number of characters converted. - */ -int -auth_encrypt(struct kstream_data_block *out, - struct kstream_data_block *in, - kstream str) -{ - out->ptr = in->ptr; - - out->length = in->length; - - return(out->length); -} - - -/* - * Function: Callback to decrypt a block of characters - * - * Parameters: - * out - return as pointer to converted buffer. - * - * in - the buffer to convert - * - * str - the stream being encrypted - * - * Returns: number of characters converted. - */ -int -auth_decrypt(struct kstream_data_block *out, - struct kstream_data_block *in, - kstream str) -{ - out->ptr = in->ptr; - - out->length = in->length; - - return(out->length); -} - -#ifdef KRB4 -/* - * - * K4_auth_send - gets authentication bits we need to send to KDC. - * - * Result is left in auth - * - * Returns: 0 on failure, 1 on success - */ -static int -k4_auth_send(kstream ks) -{ - int r; /* Return value */ - char instance[INST_SZ]; - char *realm; - char buf[256]; - - memset(instance, 0, sizeof(instance)); - - if (realm = krb_get_phost(szHostName)) - lstrcpy(instance, realm); - - realm = krb_realmofhost(szHostName); - - if (!realm) { - strcpy(buf, "Can't find realm for host \""); - strncat(buf, szHostName, sizeof(buf) - 1 - strlen(buf)); - strncat(buf, "\"", sizeof(buf) - 1 - strlen(buf)); - auth_abort(ks, buf, 0); - return KFAILURE; - } - - r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0); - - if (r == 0) - r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred); - - if (r) { - strcpy(buf, "Can't get \""); - strncat(buf, KRB_SERVICE_NAME, sizeof(buf) - 1 - strlen(buf)); - if (instance[0] != 0) { - strncat(buf, ".", sizeof(buf) - 1 - strlen(buf)); - lstrcat(buf, instance); - } - strncat(buf, "@", sizeof(buf) - 1 - strlen(buf)); - lstrcat(buf, realm); - strncat(buf, "\" ticket", sizeof(buf) - 1 - strlen(buf)); - auth_abort(ks, buf, r); - - return r; - } - - if (!szUserName[0]) /* Copy if not there */ - strcpy(szUserName, cred.pname); - - return(1); -} - -/* - * Function: K4 parse authentication reply command - * - * Parameters: - * ks - kstream to send abort message to. - * - * parsedat - the sub-command data. - * - * end_sub - index of the character in the 'parsedat' array which - * is the last byte in a sub-negotiation - * - * Returns: Kerberos error code. - */ -static int -k4_auth_reply(kstream ks, unsigned char *parsedat, int end_sub) -{ - time_t t; - int x; - char buf[512]; - int i; - des_cblock session_key; - des_key_schedule sched; - static des_cblock challenge; - - if (end_sub < 4) - return KFAILURE; - - if (parsedat[2] != KERBEROS_V4) - return KFAILURE; - - if (parsedat[4] == KRB_REJECT) { - buf[0] = 0; - - for (i = 5; i <= end_sub; i++) { - if (parsedat[i] == IAC) - break; - buf[i-5] = parsedat[i]; - buf[i-4] = 0; - } - - if (!buf[0]) - strcpy(buf, "Authentication rejected by remote machine!"); - MessageBox(HWND_DESKTOP, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - - return KFAILURE; - } - - if (parsedat[4] == KRB_ACCEPT) { - if ((parsedat[3] & AUTH_HOW_MASK) == AUTH_HOW_ONE_WAY) - return KSUCCESS; - - if ((parsedat[3] & AUTH_HOW_MASK) != AUTH_HOW_MUTUAL) - return KFAILURE; - - des_key_sched(cred.session, sched); - - t = time(NULL); - memcpy(challenge, &t, 4); - memcpy(&challenge[4], &t, 4); - des_ecb_encrypt(&challenge, &session_key, sched, 1); - - /* - * Increment the challenge by 1, and encrypt it for - * later comparison. - */ - for (i = 7; i >= 0; --i) { - x = (unsigned int)challenge[i] + 1; - challenge[i] = x; /* ignore overflow */ - if (x < 256) /* if no overflow, all done */ - break; - } - - des_ecb_encrypt(&challenge, &challenge, sched, 1); - - wsprintf(buf, "%c%c%c%c%c%c%c", IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_IS, - KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL, KRB_CHALLENGE); - memcpy(&buf[7], session_key, 8); - wsprintf(&buf[15], "%c%c", IAC, SE); - TelnetSend(ks, (LPSTR)buf, 17, 0); - - return KSUCCESS; - } - - if (parsedat[4] == KRB_RESPONSE) { - if (end_sub < 12) - return KFAILURE; - - if (memcmp(&parsedat[5], challenge, sizeof(challenge)) != 0) { - MessageBox(HWND_DESKTOP, "Remote machine is being impersonated!", - NULL, MB_OK | MB_ICONEXCLAMATION); - - return KFAILURE; - } - - return KSUCCESS; - } - - return KFAILURE; - -} - -#endif /* KRB4 */ - -#ifdef KRB5 - -/* - * - * K5_auth_send - gets authentication bits we need to send to KDC. - * - * Code lifted from telnet sample code in the appl directory. - * - * Result is left in auth - * - * Returns: 0 on failure, 1 on success - * - */ - -static int -k5_auth_send(kstream ks, int how) -{ - krb5_error_code r; - krb5_ccache ccache; - krb5_creds creds; - krb5_creds * new_creds; - extern krb5_flags krb5_kdc_default_options; - krb5_flags ap_opts; - char type_check[2]; - krb5_data check_data; - int len; -#ifdef ENCRYPTION - krb5_keyblock *newkey = 0; -#endif - - if (r = krb5_cc_default(k5_context, &ccache)) { - com_err(NULL, r, "while authorizing."); - return(0); - } - - memset((char *)&creds, 0, sizeof(creds)); - if (r = krb5_sname_to_principal(k5_context, szHostName, KRB_SERVICE_NAME, - KRB5_NT_SRV_HST, &creds.server)) { - com_err(NULL, r, "while authorizing."); - return(0); - } - - if (r = krb5_cc_get_principal(k5_context, ccache, &creds.client)) { - com_err(NULL, r, "while authorizing."); - krb5_free_cred_contents(k5_context, &creds); - return(0); - } - if (szUserName[0] == '\0') { /* Get user name now */ - len = krb5_princ_component(k5_context, creds.client, 0)->length; - memcpy(szUserName, - krb5_princ_component(k5_context, creds.client, 0)->data, - len); - szUserName[len] = '\0'; - } - - if (r = krb5_get_credentials(k5_context, 0, - ccache, &creds, &new_creds)) { - com_err(NULL, r, "while authorizing."); - krb5_free_cred_contents(k5_context, &creds); - return(0); - } - - ap_opts = 0; - if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) - ap_opts = AP_OPTS_MUTUAL_REQUIRED; - -#ifdef ENCRYPTION - ap_opts |= AP_OPTS_USE_SUBKEY; -#endif - - if (auth_context) { - krb5_auth_con_free(k5_context, auth_context); - auth_context = 0; - } - if ((r = krb5_auth_con_init(k5_context, &auth_context))) { - com_err(NULL, r, "while initializing auth context"); - return(0); - } - - krb5_auth_con_setflags(k5_context, auth_context, - KRB5_AUTH_CONTEXT_RET_TIME); - - type_check[0] = AUTHTYPE_KERBEROS_V5; - type_check[1] = AUTH_WHO_CLIENT| (how & AUTH_HOW_MASK); -#ifdef ENCRYPTION - type_check[1] |= AUTH_ENCRYPT_ON; -#endif - check_data.magic = KV5M_DATA; - check_data.length = 2; - check_data.data = (char *)&type_check; - - r = krb5_mk_req_extended(k5_context, &auth_context, ap_opts, - NULL, new_creds, &auth); - -#ifdef ENCRYPTION - krb5_auth_con_getlocalsubkey(k5_context, auth_context, &newkey); - if (session_key) { - krb5_free_keyblock(k5_context, session_key); - session_key = 0; - } - - if (newkey) { - /* - * keep the key in our private storage, but don't use it - * yet---see kerberos5_reply() below - */ - if ((newkey->enctype != ENCTYPE_DES_CBC_CRC) && - (newkey-> enctype != ENCTYPE_DES_CBC_MD5)) { - if ((new_creds->keyblock.enctype == ENCTYPE_DES_CBC_CRC) || - (new_creds->keyblock.enctype == ENCTYPE_DES_CBC_MD5)) - /* use the session key in credentials instead */ - krb5_copy_keyblock(k5_context, &new_creds->keyblock, &session_key); - else - ; /* What goes here? XXX */ - } else { - krb5_copy_keyblock(k5_context, newkey, &session_key); - } - krb5_free_keyblock(k5_context, newkey); - } -#endif /* ENCRYPTION */ - - krb5_free_cred_contents(k5_context, &creds); - krb5_free_creds(k5_context, new_creds); - - if (r) { - com_err(NULL, r, "while authorizing."); - return(0); - } - - return(1); -} - -/* - * - * K5_auth_reply -- checks the reply for mutual authentication. - * - * Code lifted from telnet sample code in the appl directory. - * - */ -static int -k5_auth_reply(kstream ks, int how, unsigned char *data, int cnt) -{ -#ifdef ENCRYPTION - Session_Key skey; -#endif - static int mutual_complete = 0; - - data += 4; /* Point to status byte */ - - switch (*data++) { - case KRB_REJECT: - if (cnt > 0) { - char *s; - wsprintf(strTmp, "Kerberos V5 refuses authentication because\n\t"); - s = strTmp + strlen(strTmp); - strncpy(s, data, cnt); - s[cnt] = 0; - } else - wsprintf(strTmp, "Kerberos V5 refuses authentication"); - MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION); - - return KFAILURE; - - case KRB_ACCEPT: - if (!mutual_complete) { - if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL && !mutual_complete) { - wsprintf(strTmp, - "Kerberos V5 accepted you, but didn't provide" - " mutual authentication"); - MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION); - return KFAILURE; - } -#ifdef ENCRYPTION - if (session_key) { - skey.type = SK_DES; - skey.length = 8; - skey.data = session_key->contents; - encrypt_session_key(&skey, 0); - } -#endif - } - -#ifdef FORWARD - if (forward_flag) - kerberos5_forward(ks); -#endif - - return KSUCCESS; - break; - - case KRB_RESPONSE: - if ((how & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) { - /* the rest of the reply should contain a krb_ap_rep */ - krb5_ap_rep_enc_part *reply; - krb5_data inbuf; - krb5_error_code r; - - inbuf.length = cnt; - inbuf.data = (char *)data; - - if (r = krb5_rd_rep(k5_context, auth_context, &inbuf, &reply)) { - com_err(NULL, r, "while authorizing."); - return KFAILURE; - } - krb5_free_ap_rep_enc_part(k5_context, reply); - -#ifdef ENCRYPTION - if (encrypt_flag && session_key) { - skey.type = SK_DES; - skey.length = 8; - skey.data = session_key->contents; - encrypt_session_key(&skey, 0); - } -#endif - mutual_complete = 1; - } - return KSUCCESS; - -#ifdef FORWARD - case KRB_FORWARD_ACCEPT: - forwarded_tickets = 1; - return KSUCCESS; - - case KRB_FORWARD_REJECT: - forwarded_tickets = 0; - if (cnt > 0) { - char *s; - - wsprintf(strTmp, - "Kerberos V5 refuses forwarded credentials because\n\t"); - s = strTmp + strlen(strTmp); - strncpy(s, data, cnt); - s[cnt] = 0; - } else - wsprintf(strTmp, "Kerberos V5 refuses forwarded credentials"); - - MessageBox(HWND_DESKTOP, strTmp, "", MB_OK | MB_ICONEXCLAMATION); - return KFAILURE; -#endif /* FORWARD */ - - default: - return KFAILURE; /* Unknown reply type */ - } -} - -#ifdef FORWARD -void -kerberos5_forward(kstream ks) -{ - krb5_error_code r; - krb5_ccache ccache; - krb5_principal client = 0; - krb5_principal server = 0; - krb5_data forw_creds; - - forw_creds.data = 0; - - if ((r = krb5_cc_default(k5_context, &ccache))) { - com_err(NULL, r, "Kerberos V5: could not get default ccache"); - return; - } - - if ((r = krb5_cc_get_principal(k5_context, ccache, &client))) { - com_err(NULL, r, "Kerberos V5: could not get default principal"); - goto cleanup; - } - - if ((r = krb5_sname_to_principal(k5_context, szHostName, KRB_SERVICE_NAME, - KRB5_NT_SRV_HST, &server))) { - com_err(NULL, r, "Kerberos V5: could not make server principal"); - goto cleanup; - } - - if ((r = krb5_auth_con_genaddrs(k5_context, auth_context, ks->fd, - KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))) { - com_err(NULL, r, "Kerberos V5: could not gen local full address"); - goto cleanup; - } - - if (r = krb5_fwd_tgt_creds(k5_context, auth_context, 0, client, server, - ccache, forwardable_flag, &forw_creds)) { - com_err(NULL, r, "Kerberos V5: error getting forwarded creds"); - goto cleanup; - } - - /* Send forwarded credentials */ - if (!Data(ks, KRB_FORWARD, forw_creds.data, forw_creds.length)) { - MessageBox(HWND_DESKTOP, - "Not enough room for authentication data", "", - MB_OK | MB_ICONEXCLAMATION); - } - -cleanup: - if (client) - krb5_free_principal(k5_context, client); - if (server) - krb5_free_principal(k5_context, server); -#if 0 /* XXX */ - if (forw_creds.data) - free(forw_creds.data); -#endif - krb5_cc_close(k5_context, ccache); -} -#endif /* FORWARD */ - -#endif /* KRB5 */ diff --git a/src/windows/wintel/auth.h b/src/windows/wintel/auth.h deleted file mode 100644 index e0f60ec..0000000 --- a/src/windows/wintel/auth.h +++ /dev/null @@ -1,28 +0,0 @@ -/* - * Implements Kerberos 4 authentication and ecryption - */ - -#ifndef WINTEL_AUTH_H -#define WINTEL_AUTH_H - -void auth_parse(kstream, unsigned char *, int); - -int auth_init(kstream, kstream_ptr); - -void auth_destroy(kstream); - -int auth_encrypt(struct kstream_data_block *, struct kstream_data_block *, - kstream); - -int auth_decrypt(struct kstream_data_block *, struct kstream_data_block *, - kstream); - -extern BOOL forward_flag; -extern BOOL forwardable_flag; -extern BOOL forwarded_tickets; - -#ifdef ENCRYPTION -extern BOOL encrypt_flag; -#endif - -#endif /* WINTEL_AUTH_H */ diff --git a/src/windows/wintel/dialog.h b/src/windows/wintel/dialog.h deleted file mode 100644 index c95ec04..0000000 --- a/src/windows/wintel/dialog.h +++ /dev/null @@ -1,42 +0,0 @@ -#define IDM_SHOWCONSOLE 700 - -#define IDM_OPENTELNETDLG 200 -#define TEL_CONNECT_NAME 201 -#define TEL_USEDEFAULTS 202 -#define TEL_MANUALCONFIGURE 203 -#define TEL_OK 204 -#define TEL_CANCEL 206 -#define IDC_FORWARD 207 -#define IDC_FORWARDFORWARD 208 -#define IDC_ENCRYPT 210 -#define TEL_CONNECT_USERID 211 - -#define IDM_SEND_IP 800 -#define IDM_SEND_AYT 801 -#define IDM_SEND_ABORT 802 - -#define CON_SESSIONNAME 302 -#define CON_WINDOWTITLE 304 -#define CON_COLUMNS132 305 -#define CON_COLUMNS80 306 -#define CON_BACKSPACE 307 -#define CON_DELETE 308 -#define CON_CRLF 309 -#define CON_CRNUL 310 -#define CON_BUFFERS 311 -#define CON_SENDS 312 -#define CON_OK 320 -#define CON_USEDEFAULTS 321 -#define CONFIGDLG 300 -#define CON_SCRLBCK 317 -#define CON_NUMLINES 318 - -#define PRINTQUEUE 400 - -#define IDM_PRINTQUEUE 500 - -#define TEL_PUSH1 601 -#define TEL_PUSH2 602 -#define TEL_PUSH3 603 -#define TEL_PUSH4 604 -#define TEL_PUSH5 605 diff --git a/src/windows/wintel/edit.c b/src/windows/wintel/edit.c deleted file mode 100644 index b275850..0000000 --- a/src/windows/wintel/edit.c +++ /dev/null @@ -1,444 +0,0 @@ -/* edit.c */ - -#include -#include -#include -#include -#include "screen.h" - -char *cInvertedArray; -int bMouseDown = FALSE; -int bSelection; - -static int iLocStart; -static int iLocEnd; - -void Edit_LbuttonDown( - HWND hWnd, - LPARAM lParam) -{ - SCREEN *pScr; - HMENU hMenu; - int iTmp; - int iXlocStart; - int iYlocStart; - HDC hDC; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - hDC = GetDC(hWnd); - for (iTmp = 0; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, iTmp % pScr->width * pScr->cxChar, - (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - bSelection = FALSE; - hMenu = GetMenu(hWnd); - EnableMenuItem(hMenu, IDM_COPY, MF_GRAYED); - ReleaseDC(hWnd, hDC); - iXlocStart = (int) LOWORD(lParam) / pScr->cxChar; - if (iXlocStart >= pScr->width) - iXlocStart = pScr->width - 1; - iYlocStart = (int) HIWORD(lParam) / pScr->cyChar; - if (iYlocStart >= pScr->height) - iYlocStart = pScr->height - 1; - iLocStart = iXlocStart + iYlocStart * pScr->width; - bMouseDown = TRUE; - -} /* Edit_LbuttonDown */ - - -void Edit_LbuttonUp( - HWND hWnd, - LPARAM lParam) -{ - SCREEN *pScr; - int iTmp; - int iTmp2; - HMENU hMenu; - - bMouseDown = FALSE; - if (bSelection) - return; - bSelection = TRUE; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - iTmp = (int) LOWORD(lParam) / pScr->cxChar; - if (iTmp >= pScr->width) - iTmp = pScr->width - 1; - iTmp2 = (int) HIWORD(lParam) / pScr->cyChar; - if (iTmp2 >= pScr->height) - iTmp2 = pScr->height - 1; - iLocEnd = iTmp + iTmp2 * pScr->width; - if (iLocEnd == iLocStart) { - bSelection = FALSE; - } - else { - hMenu = GetMenu(hWnd); - EnableMenuItem(hMenu, IDM_COPY, MF_ENABLED); - } - -} /* Edit_LbuttonUp */ - - -void Edit_MouseMove(HWND hWnd, LPARAM lParam){ - SCREEN *pScr; - int iTmp; - int iTmp2; - int iXlocCurr; - int iYlocCurr; - int iLocCurr; - int iX; - int iX2; - int iY; - int iY2; - SCREENLINE *pScrLine; - HDC hDC; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - hDC = GetDC(hWnd); - iXlocCurr = (int) LOWORD(lParam) / pScr->cxChar; - if (iXlocCurr >= pScr->width) - iXlocCurr = pScr->width - 1; - iYlocCurr = (int) HIWORD(lParam) / pScr->cyChar; - if (iYlocCurr >= pScr->height) - iYlocCurr = pScr->height - 1; - iLocCurr = iXlocCurr + (iYlocCurr * pScr->width); - if (iLocCurr > iLocStart) { - for (iTmp=0; iTmp < iLocStart; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, - (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - iX = iLocStart % pScr->width; - iY = (int) (iLocStart / pScr->width); - iX2 = iLocCurr % pScr->width; - iY2 = (int) (iLocCurr / pScr->width); - if (iY == iY2) { - pScrLine = GetScreenLineFromY(pScr, iY); - for (iTmp2 = iX; iTmp2 < iX2; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY)] = pScrLine->text[iTmp2]; - } - } - } - else { - pScrLine = GetScreenLineFromY(pScr, iY); - - for (iTmp2 = iX; iTmp2 < pScr->width; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY)] = pScrLine->text[iTmp2]; - } - } - - for (iTmp = iY + 1; iTmp < iY2; iTmp++) { - pScrLine = GetScreenLineFromY(pScr, iTmp); - for (iTmp2 = 0; iTmp2 < pScr->width; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iTmp)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iTmp * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iTmp)] = pScrLine->text[iTmp2]; - } - } - } - - if (iY2 != iY) { - pScrLine = GetScreenLineFromY(pScr, iY2); - for (iTmp2 = 0; iTmp2 < iX2; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY2)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY2 * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY2)] = pScrLine->text[iTmp2]; - } - } - } - } - - for (iTmp = iLocCurr; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - } - else { /* going backwards */ - for (iTmp = 0; iTmp < iLocCurr; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - iX = iLocCurr % pScr->width; - iY = (int) (iLocCurr / pScr->width); - iX2 = (iLocStart % pScr->width); - iY2 = (int) (iLocStart / pScr->width); - if (iY == iY2) { - pScrLine = GetScreenLineFromY(pScr, iY); - for (iTmp2= iX; iTmp2 < iX2; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY)] = pScrLine->text[iTmp2]; - } - } - } - else { - pScrLine = GetScreenLineFromY(pScr, iY); - for (iTmp2 = iX; iTmp2 < pScr->width; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY)] = pScrLine->text[iTmp2]; - } - } - for (iTmp = iY + 1; iTmp < iY2; iTmp++) { - pScrLine = GetScreenLineFromY(pScr, iTmp); - for (iTmp2 = 0; iTmp2 < pScr->width; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iTmp)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iTmp * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iTmp)] = pScrLine->text[iTmp2]; - } - } - } - if (iY2 != iY) { - pScrLine = GetScreenLineFromY(pScr, iY2); - for (iTmp2 = 0; iTmp2 < iX2; iTmp2++) { - if ((!cInvertedArray[iTmp2 + (pScr->width * iY2)]) && pScrLine->text[iTmp2]) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iY2 * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (pScr->width * iY2)] = pScrLine->text[iTmp2]; - } - } - } - } - for (iTmp = iLocStart; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - } - ReleaseDC(hWnd, hDC); -} /* Edit_MouseMove */ - - -void Edit_ClearSelection( - SCREEN *pScr) -{ - int iTmp; - HDC hDC; - HMENU hMenu; - - hDC = GetDC(pScr->hWnd); - for (iTmp = 0; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, - (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - bSelection = FALSE; - hMenu=GetMenu(pScr->hWnd); - EnableMenuItem(hMenu, IDM_COPY, MF_GRAYED); - ReleaseDC(pScr->hWnd, hDC); -} /* Edit_ClearSelection */ - - -void Edit_Copy( - HWND hWnd) -{ - int iTmp,iIdx; - HGLOBAL hCutBuffer; - LPSTR lpCutBuffer; - SCREEN *pScr; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - hCutBuffer= GlobalAlloc(GHND, (DWORD) (pScr->width * pScr->height + 1)); - lpCutBuffer= GlobalLock(hCutBuffer); - - if (iLocStart > iLocEnd) { /* swap variables */ - iTmp = iLocStart; - iLocStart = iLocEnd; - iLocEnd = iLocStart; - } - iTmp = iLocStart; - iIdx = 0; - while (iTmp < iLocEnd) { - if (!cInvertedArray[iTmp]) { - lpCutBuffer[iIdx++] = '\r'; - lpCutBuffer[iIdx++] = '\n'; - iTmp = (((int) (iTmp / pScr->width)) + 1) * pScr->width; - continue; - } - lpCutBuffer[iIdx++] = cInvertedArray[iTmp++]; - } - lpCutBuffer[iIdx] = 0; - GlobalUnlock(hCutBuffer); - OpenClipboard(hWnd); - EmptyClipboard(); - SetClipboardData(CF_TEXT, hCutBuffer); - CloseClipboard(); - -} /* Edit_Copy */ - - -void Edit_Paste( - HWND hWnd) -{ - HGLOBAL hClipMemory; - static HGLOBAL hMyClipBuffer; - LPSTR lpClipMemory; - LPSTR lpMyClipBuffer; - SCREEN *pScr; - - if (hMyClipBuffer) - GlobalFree(hMyClipBuffer); - OpenClipboard(hWnd); - hClipMemory = GetClipboardData(CF_TEXT); - hMyClipBuffer = GlobalAlloc(GHND, GlobalSize(hClipMemory)); - lpMyClipBuffer = GlobalLock(hMyClipBuffer); - lpClipMemory= GlobalLock(hClipMemory); - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - lstrcpy(lpMyClipBuffer, lpClipMemory); -#if 0 - OutputDebugString(lpMyClipBuffer); -#endif - PostMessage(pScr->hwndTel, WM_MYSCREENBLOCK, (WPARAM) hMyClipBuffer, (LPARAM) pScr); - CloseClipboard(); - GlobalUnlock(hClipMemory); - GlobalUnlock(hMyClipBuffer); - -} /* Edit_Paste */ - - -void Edit_LbuttonDblclk( - HWND hWnd, - LPARAM lParam) -{ - HDC hDC; - SCREEN *pScr; - int iTmp; - int iTmp2; - int iXlocStart; - int iYloc; - SCREENLINE *pScrLine; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - hDC = GetDC(hWnd); - for (iTmp = 0; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, - (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - bSelection = FALSE; - iXlocStart = (int) LOWORD(lParam) / pScr->cxChar; - if (iXlocStart >= pScr->width) - iXlocStart = pScr->width - 1; - iYloc = (int) HIWORD(lParam) / pScr->cyChar; - if (iYloc >= pScr->height) - iYloc = pScr->height - 1; - iLocStart = iXlocStart + (iYloc * pScr->width); - - pScrLine = GetScreenLineFromY(pScr, iYloc); - - iTmp = iXlocStart; - while (isalnum((int) pScrLine->text[iTmp])) { - PatBlt(hDC, iTmp * pScr->cxChar, iYloc * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp + (iYloc * pScr->width)] = pScrLine->text[iTmp]; - iTmp++; - } - iTmp2 = iXlocStart - 1; - while (isalnum((int) pScrLine->text[iTmp2])) { - PatBlt(hDC, iTmp2 * pScr->cxChar, iYloc * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp2 + (iYloc * pScr->width)] = pScrLine->text[iTmp2]; - iTmp2--; - } - iLocStart = (iTmp2 + 1) + (iYloc * pScr->width); - iLocEnd = iTmp + (iYloc * pScr->width); - - bSelection = TRUE; - ReleaseDC(hWnd, hDC); - -} /* Edit_LbuttonDblclk */ - - -void Edit_TripleClick( - HWND hWnd, - LPARAM lParam) -{ - HDC hDC; - SCREEN *pScr; - int iTmp; - int iYloc; - SCREENLINE *pScrLine; - -#if 0 - OutputDebugString("Triple Click \r\n"); -#endif - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - hDC = GetDC(hWnd); - for (iTmp = 0; iTmp < pScr->width * pScr->height; iTmp++) { - if (cInvertedArray[iTmp]) { - PatBlt(hDC, (iTmp % pScr->width) * pScr->cxChar, - (int) (iTmp / pScr->width) * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp] = 0; - } - } - bSelection = FALSE; - iYloc = (int) HIWORD(lParam) / pScr->cyChar; - if (iYloc >= pScr->height) - iYloc = pScr->height - 1; - iLocStart = iYloc * pScr->width; - - pScrLine = GetScreenLineFromY(pScr, iYloc); - - for (iTmp = 0; iTmp < pScr->width; iTmp++) { - if (pScrLine->text[iTmp]) { - PatBlt(hDC, iTmp * pScr->cxChar, iYloc * pScr->cyChar, - pScr->cxChar, pScr->cyChar, DSTINVERT); - cInvertedArray[iTmp + (iYloc * pScr->width)] = pScrLine->text[iTmp]; - } - else - break; - } - iLocEnd = iTmp + (iYloc * pScr->width); - - bSelection = TRUE; - ReleaseDC(hWnd, hDC); - -} /* Edit_TripleClick */ diff --git a/src/windows/wintel/emul.c b/src/windows/wintel/emul.c deleted file mode 100644 index 2a7ef4c..0000000 --- a/src/windows/wintel/emul.c +++ /dev/null @@ -1,766 +0,0 @@ -/* emul.c */ - -#include "windows.h" -#include "screen.h" - - -static int -ScreenEmChars(SCREEN *pScr, char *c, int len) -{ - /* - * Function: Send a string of characters to the screen. Placement - * continues as long as the stream of characters does not contain any - * control chracters or cause wrapping to another line. When a control - * character is encountered or wrapping occurs, display stops and a - * count of the number of characters is returned. - * - * Parameters: - * pScr - the screen to place the characters on. - * c - the string of characters to place on the screen. - * len - the number of characters contained in the string - * - * Returns: The number of characters actually placed on the screen. - */ - - int insert; - int ocount; - int attrib; - int extra; - int nchars; - char *acurrent; /* place to put attributes */ - char *current; /* place to put characters */ - char *start; - SCREENLINE *pScrLine; - - if (len <= 0) - return(0); - - if (pScr->x != pScr->width - 1) - pScr->bWrapPending = FALSE; - else { - if (pScr->bWrapPending) { - pScr->x = 0; - pScr->bWrapPending = FALSE; - ScreenIndex(pScr); - } - } - - pScrLine = GetScreenLineFromY(pScr, pScr->y); - if (pScrLine == NULL) - return(0); - - current = &pScrLine->text[pScr->x]; - acurrent = &pScrLine->attrib[pScr->x]; - start = current; - ocount = pScr->x; - extra = 0; - - attrib = pScr->attrib; - insert = pScr->IRM; - - for (nchars = 0; nchars < len && *c >= 32; nchars++) { - if (insert) - ScreenInsChar(pScr, 1); - - *current = *c; - *acurrent = (char) attrib; - c++; - if (pScr->x < pScr->width - 1) { - acurrent++; - current++; - pScr->x++; - } - else { - extra = 1; - if (pScr->DECAWM) { - pScr->bWrapPending = TRUE; - nchars++; - break; - } - } - } - - ScreenDraw(pScr, ocount, pScr->y, pScr->attrib, - pScr->x - ocount + extra, start); - - return(nchars); -} - - -void -ScreenEm(LPSTR c, int len, SCREEN *pScr) -{ - int escflg; /* vt100 escape level */ - RECT rc; - unsigned int ic; - char stat[20]; - int i; - int nchars; - - if (pScr->screen_bottom != pScr->buffer_bottom) { - ScreenUnscroll(pScr); - InvalidateRect(pScr->hWnd, NULL, TRUE); - SetScrollPos(pScr->hWnd, SB_VERT, pScr->numlines, TRUE); - } - - ScreenCursorOff(pScr); - escflg = pScr->escflg; - -#ifdef UM - if (pScr->localprint && len > 0) { /* see if printer needs anything */ - pcount = send_localprint(c, len); - len -= pcount; - c += pcount; - } -#endif - - while (len > 0) { - /* - * look at first character in the vt100 string, if it is a - * non-printable ascii code - */ - while((*c < 32) && (escflg == 0) && (len > 0)) { - switch(*c) { - - case 0x1b: /* ESC found (begin vt100 control sequence) */ - escflg++; - break; - - case -1: /* IAC from telnet session */ - escflg = 6; - break; - -#ifdef CISB - case 0x05: /* CTRL-E found (answerback) */ - bp_ENQ(); - break; -#endif - - case 0x07: /* CTRL-G found (bell) */ - ScreenBell(pScr); - break; - - case 0x08: /* CTRL-H found (backspace) */ - ScreenBackspace(pScr); - break; - - case 0x09: /* CTRL-I found (tab) */ - ScreenTab(pScr); /* Later change for versatile tabbing */ - break; - - case 0x0a: /* CTRL-J found (line feed) */ - case 0x0b: /* CTRL-K found (treat as line feed) */ - case 0x0c: /* CTRL-L found (treat as line feed) */ - ScreenIndex(pScr); - break; - - case 0x0d: /* CTRL-M found (carriage feed) */ - ScreenCarriageFeed(pScr); - break; - -#if 0 - case 0x0e: /* CTRL-N found (invoke Graphics (G1) character set) */ - if (pScr->G1) - pScr->attrib = VSgraph(pScr->attrib); - else - pScr->attrib = VSnotgraph(pScr->attrib); - pScr->charset = 1; - break; - - case 0x0f: /* CTRL-O found (invoke 'normal' (G0) character set) */ - if(pScr->G0) - pScr->attrib = VSgraph(pScr->attrib); - else - pScr->attrib = VSnotgraph(pScr->attrib); - pScr->charset = 0; - break; -#endif - -#ifdef CISB - case 0x10: /* CTRL-P found (undocumented in vt100) */ - bp_DLE(c, len); - len = 0; - break; -#endif - -#if 0 - case 0x11: /* CTRL-Q found (XON) (unused presently) */ - case 0x13: /* CTRL-S found (XOFF) (unused presently) */ - case 0x18: /* CTRL-X found (CAN) (unused presently) */ - case 0x1a: /* CTRL-Z found (SUB) (unused presently) */ - break; -#endif - } - - c++; /* advance to the next character in the string */ - len--; /* decrement the counter */ - } - - if (escflg == 0) { /* check for normal character to print */ - nchars = ScreenEmChars(pScr, c, len); - c += nchars; - len -= nchars; - } - - while ((len > 0) && (escflg == 1)) { /* ESC character was found */ - switch(*c) { - - case 0x08: /* CTRL-H found (backspace) */ - ScreenBackspace(pScr); - break; - - /* - * mostly cursor movement options, and DEC private stuff following - */ - case '[': - ScreenApClear(pScr); - escflg = 2; - break; - - case '#': /* various screen adjustments */ - escflg = 3; - break; - - case '(': /* G0 character set options */ - escflg = 4; - break; - - case ')': /* G1 character set options */ - escflg = 5; - break; - - case '>': /* keypad numeric mode (DECKPAM) */ - pScr->DECPAM = 0; - escflg = 0; - break; - - case '=': /* keypad application mode (DECKPAM) */ - pScr->DECPAM = 1; - escflg = 0; - break; - - case '7': /* save cursor (DECSC) */ - ScreenSaveCursor(pScr); - escflg = 0; - break; - - case '8': /* restore cursor (DECRC) */ - ScreenRestoreCursor(pScr); - escflg = 0; - break; - -#if 0 - case 'c': /* reset to initial state (RIS) */ - ScreenReset(pScr); - escflg = 0; - break; -#endif - - case 'D': /* index (move down one line) (IND) */ - ScreenIndex(pScr); - escflg = 0; - break; - - case 'E': /* next line (move down one line and to first column) (NEL) */ - pScr->x = 0; - ScreenIndex(pScr); - escflg = 0; - break; - - case 'H': /* horizontal tab set (HTS) */ - pScr->tabs[pScr->x] = 'x'; - escflg = 0; - break; - -#ifdef CISB - case 'I': /* undoumented in vt100 */ - bp_ESC_I(); - break; -#endif - - case 'M': /* reverse index (move up one line) (RI) */ - ScreenRevIndex(pScr); - escflg = 0; - break; - - case 'Z': /* identify terminal (DECID) */ - escflg = 0; - break; - - default: - /* put the ESC character into the Screen */ - ScreenEmChars(pScr, "\033", 1); - /* put the next character into the Screen */ - ScreenEmChars(pScr, c, 1); - escflg = 0; - break; - - } /* end switch */ - - c++; - len--; - } - - while((escflg == 2) && (len > 0)) { /* '[' handling */ - switch(*c) { - - case 0x08: /* backspace */ - ScreenBackspace(pScr); - break; - - case '0': - case '1': - case '2': - case '3': - case '4': - case '5': - case '6': - case '7': - case '8': - case '9': /* numeric parameters */ - if (pScr->parms[pScr->parmptr] < 0) - pScr->parms[pScr->parmptr] = 0; - pScr->parms[pScr->parmptr] *= 10; - pScr->parms[pScr->parmptr] += *c - '0'; - break; - - case '?': /* vt100 mode change */ - pScr->parms[pScr->parmptr++] = -2; - break; - - case ';': /* parameter divider */ - pScr->parmptr++; - break; - - case 'A': /* cursor up (CUU) */ - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - if (pScr->parms[0] < 1) - pScr->y--; - else - pScr->y -= pScr->parms[0]; - if(pScr->y < pScr->top) - pScr->y = pScr->top; - ScreenRange(pScr); - escflg = 0; - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - break; - - case 'B': /* cursor down (CUD) */ - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - if (pScr->parms[0] < 1) - pScr->y++; - else - pScr->y += pScr->parms[0]; - if (pScr->y > pScr->bottom) - pScr->y = pScr->bottom; - ScreenRange(pScr); - escflg = 0; - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - break; - - case 'C': /* cursor forward (right) (CUF) */ - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y +1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - if(pScr->parms[0] < 1) - pScr->x++; - else - pScr->x += pScr->parms[0]; - ScreenRange(pScr); - if (pScr->x > pScr->width) - pScr->x = pScr->width; - escflg = 0; - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - break; - - case 'D': /* cursor backward (left) (CUB) */ - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - if(pScr->parms[0] < 1) - pScr->x--; - else - pScr->x -= pScr->parms[0]; - ScreenRange(pScr); - escflg = 0; - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - break; - - case 'f': /* horizontal & vertical position (HVP) */ - case 'H': /* cursor position (CUP) */ - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - pScr->x = pScr->parms[1] - 1; - pScr->y = pScr->parms[0] - 1; - ScreenRange(pScr); /* make certain the cursor position is valid */ - escflg = 0; - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - break; - - case 'J': /* erase in display (ED) */ - switch(pScr->parms[0]) { - - case -1: - case 0: /* erase from active position to end of screen */ - ScreenEraseToEndOfScreen(pScr); - break; - case 1: /* erase from start of screen to active position */ -#if 0 - ScreenEraseToPosition(pScr); -#endif - break; - - case 2: /* erase whole screen */ - ScreenEraseScreen(pScr); - break; - - default: - break; - } - - escflg = 0; - break; - - case 'K': /* erase in line (EL) */ - switch(pScr->parms[0]) { - case -1: - case 0: /* erase to end of line */ - ScreenEraseToEOL(pScr); - break; - - case 1: /* erase to beginning of line */ - ScreenEraseToBOL(pScr); - break; - - case 2: /* erase whole line */ - ScreenEraseLine(pScr, -1); - break; - - default: - break; - } - - escflg = 0; - break; - - case 'L': /* insert n lines preceding current line (IL) */ - if (pScr->parms[0] < 1) - pScr->parms[0] = 1; - ScreenInsLines(pScr, pScr->parms[0], -1); - escflg = 0; - break; - - case 'M': /* delete n lines from current position downward (DL) */ - if (pScr->parms[0] < 1) - pScr->parms[0] = 1; - ScreenDelLines(pScr, pScr->parms[0], -1); - escflg = 0; - break; - - case 'P': /* delete n chars from cursor to the left (DCH) */ - if (pScr->parms[0] < 1) - pScr->parms[0] = 1; - ScreenDelChars(pScr, pScr->parms[0]); - escflg = 0; - break; - -#if 0 - case 'R': /* receive cursor position status from host */ - break; -#endif - -#if 0 - case 'c': /* device attributes (DA) */ - ScreenSendIdent(); - escflg = 0; - break; -#endif - - case 'g': /* tabulation clear (TBC) */ - if (pScr->parms[0] == 3)/* clear all tabs */ - ScreenTabClear(pScr); - else - if (pScr->parms[0] <= 0) /* clear tab stop at active position */ - pScr->tabs[pScr->x] = ' '; - escflg = 0; - break; - - case 'h': /* set mode (SM) */ - ScreenSetOption(pScr,1); - escflg = 0; - break; - - case 'i': /* toggle printer */ -#if 0 - if(pScr->parms[pScr->parmptr] == 5) - pScr->localprint = 1; - else if (pScr->parms[pScr->parmptr] == 4) - pScr->localprint = 0; -#endif - escflg = 0; - break; - - case 'l': /* reset mode (RM) */ - ScreenSetOption(pScr,0); - escflg = 0; - break; - - case 'm': /* select graphics rendition (SGR) */ - { - int temp = 0; - - while (temp <= pScr->parmptr) { - if (pScr->parms[temp] < 1) - pScr->attrib &= 128; - else - pScr->attrib |= 1 << (pScr->parms[temp] - 1); - temp++; - } - } - escflg = 0; - break; - - case 'n': /* device status report (DSR) */ - switch (pScr->parms[0]) { -#if 0 - case 0: /* response from vt100; ready, no malfunctions */ - case 3: /* response from vt100; malfunction, retry */ -#endif - case 5: /* send status */ - case 6: /* send active position */ - wsprintf(stat, "\033[%d;%dR", pScr->y + 1, pScr->x + 1); - for (i = 0; stat[i]; i++) - SendMessage(pScr->hwndTel, WM_MYSCREENCHAR, - stat[i], (LPARAM) pScr); - break; - } /* end switch */ - escflg = 0; - break; - - case 'q': /* load LEDs (unsupported) (DECLL) */ - escflg = 0; - break; - - case 'r': /* set top & bottom margins (DECSTBM) */ - if (pScr->parms[0] < 0) - pScr->top = 0; - else - pScr->top = pScr->parms[0] - 1; - if (pScr->parms[1] < 0) - pScr->bottom = pScr->height - 1; - else - pScr->bottom = pScr->parms[1] - 1; - if (pScr->top < 0) - pScr->top = 0; - if (pScr->top > pScr->height-1) - pScr->top = pScr->height-1; - if (pScr->bottom < 1) - pScr->bottom = pScr->height; - if (pScr->bottom >= pScr->height) - pScr->bottom = pScr->height - 1; - if (pScr->top >= pScr->bottom) {/* check for valid scrolling region */ - if (pScr->bottom >= 1) /* - * assume the bottom value has - * precedence, unless it is as the - * top of the screen - */ - pScr->top = pScr->bottom - 1; - else /* totally psychotic case, bottom of screen set to the very top line, move the bottom to below the top */ - pScr->bottom = pScr->top + 1; - } - pScr->x = 0; - pScr->y = 0; -#if 0 - if (pScr->DECORG) - pScr->y = pScr->top; /* origin mode relative */ -#endif - escflg = 0; - break; - -#if 0 - case 'x': /* request/report terminal parameters - (DECREQTPARM/DECREPTPARM) */ - case 'y': /* invoke confidence test (DECTST) */ - break; -#endif - - default: - escflg = 0; - break; - - } - - c++; - len--; - -#if 0 - if (pScr->localprint && (len > 0)) { /* see if printer needs anything */ - pcount = send_localprint(c, len); - len -= pcount; - c += pcount; - } -#endif - } - - while ((escflg == 3) && (len > 0)) { /* # Handling */ - switch (*c) { - case 0x08: /* backspace */ - ScreenBackspace(pScr); - break; - -#if 0 - case '3': /* top half of double line (DECDHL) */ - case '4': /* bottom half of double line (DECDHL) */ - case '5': /* single width line (DECSWL) */ - case '6': /* double width line (DECDWL) */ - break; -#endif - - case '8': /* screen alignment display (DECALN) */ - ScreenAlign(pScr); - escflg = 0; - break; - - default: - escflg = 0; - break; - - } - - c++; - len--; - } - - while ((escflg == 4) && (len > 0)) { /* ( Handling (GO character set) */ - switch (*c) { - - case 0x08: /* backspace */ - ScreenBackspace(pScr); - break; - -#if 0 - case 'A': /* united kingdom character set (unsupported) */ - case 'B': /* ASCII character set */ - case '1': /* choose standard graphics (same as ASCII) */ - pScr->G0 = 0; - if (!pScr->charset) - pScr->attrib = ScreenNotGraph(pScr->attrib); - escflg = 0; - break; - - case '0': /* choose special graphics set */ - case '2': /* alternate character set (special graphics) */ - pScr->G0 = 1; - if(!pScr->charset) - pScr->attrib = ScreenGraph(pScr->attrib); - escflg = 0; - break; -#endif - - default: - escflg = 0; - break; - } - - c++; - len--; - - } /* end while */ - - while((escflg == 5) && (len > 0)) { /* ) Handling (G1 handling) */ - switch (*c) { - - case 0x08: /* backspace */ - ScreenBackspace(pScr); - break; - -#if 0 - case 'A': /* united kingdom character set (unsupported) */ - case 'B': /* ASCII character set */ - case '1': /* choose standard graphics (same as ASCII) */ - pScr->G1 = 0; - if (pScr->charset) - pScr->attrib = ScreenNotGraph(pScr->attrib); - escflg = 0; - break; - - case '0': /* choose special graphics set */ - case '2': /* alternate character set (special graphics) */ - pScr->G1 = 1; - if(pScr->charset) - pScr->attrib = ScreenGraph(pScr->attrib); - escflg = 0; - break; -#endif - - default: - escflg = 0; - break; - } /* end switch */ - - c++; - len--; - } /* end while */ - - while ((escflg >= 6) && (escflg <= 10) && (len > 0)) { /* Handling IAC */ - ic = (unsigned char) *c; - switch (escflg) { - - case 6: /* Handling IAC xx */ - if (ic == 255) /* if IAC */ - escflg = 0; - else if (ic == 250) /* if SB */ - escflg = 7; - else - escflg = 9; - break; - - case 7: /* Handling IAC SB xx */ - if (ic == 255) /* if IAC */ - escflg = 8; - break; - - case 8: /* Handling IAC SB IAC xx */ - if (ic == 255) /* if IAC IAC */ - escflg = 7; - else if (ic == 240) /* if IAC SE */ - escflg = 0; - break; - - case 9: /* IAC xx xx */ - escflg = 0; - break; - } - c++; /* advance to the next character in the string */ - len--; /* decrement the counter */ - } - - if (escflg > 2 && escflg < 6 && len > 0) { - escflg = 0; - c++; - len--; - } - } - pScr->escflg = escflg; - ScreenCursorOn(pScr); -} diff --git a/src/windows/wintel/enc_des.c b/src/windows/wintel/enc_des.c deleted file mode 100644 index 33472ec..0000000 --- a/src/windows/wintel/enc_des.c +++ /dev/null @@ -1,725 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* based on @(#)enc_des.c 8.1 (Berkeley) 6/4/93 */ - -#ifdef ENCRYPTION - -#include "telnet_arpa.h" -#include -#include - -#include "telnet.h" - -#include "encrypt.h" - -#define CFB 0 -#define OFB 1 - -#define NO_SEND_IV 1 -#define NO_RECV_IV 2 -#define NO_KEYID 4 -#define IN_PROGRESS (NO_SEND_IV|NO_RECV_IV|NO_KEYID) -#define SUCCESS 0 -#define xFAILED -1 - - -struct fb { - Block krbdes_key; - Schedule krbdes_sched; - Block temp_feed; - unsigned char fb_feed[64]; - int need_start; - int state[2]; - int keyid[2]; - int once; - struct stinfo { - Block str_output; - Block str_feed; - Block str_iv; - Block str_ikey; - Schedule str_sched; - int str_index; - int str_flagshift; - } streams[2]; -}; - -static struct fb fb[2]; - -struct keyidlist { - char *keyid; - int keyidlen; - char *key; - int keylen; - int flags; -} keyidlist [] = { - { "\0", 1, 0, 0, 0 }, /* default key of zero */ - { 0, 0, 0, 0, 0 } -}; - -#define KEYFLAG_MASK 03 - -#define KEYFLAG_NOINIT 00 -#define KEYFLAG_INIT 01 -#define KEYFLAG_OK 02 -#define KEYFLAG_BAD 03 - -#define KEYFLAG_SHIFT 2 - -#define SHIFT_VAL(a,b) (KEYFLAG_SHIFT*((a)+((b)*2))) - -#define FB64_IV 1 -#define FB64_IV_OK 2 -#define FB64_IV_BAD 3 - -extern kstream EncryptKSGlobalHack; - -void fb64_stream_iv (Block, struct stinfo *); -void fb64_init (struct fb *); -static int fb64_start (struct fb *, int, int); -int fb64_is (unsigned char *, int, struct fb *); -int fb64_reply (unsigned char *, int, struct fb *); -static void fb64_session (Session_Key *, int, struct fb *); -void fb64_stream_key (Block, struct stinfo *); -int fb64_keyid (int, unsigned char *, int *, struct fb *); - - void -cfb64_init(server) - int server; -{ - fb64_init(&fb[CFB]); - fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64; - fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB); - fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB); -} - - void -ofb64_init(server) - int server; -{ - fb64_init(&fb[OFB]); - fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64; - fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB); - fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB); -} - - void -fb64_init(fbp) - register struct fb *fbp; -{ - memset((void *)fbp, 0, sizeof(*fbp)); - fbp->state[0] = fbp->state[1] = xFAILED; - fbp->fb_feed[0] = IAC; - fbp->fb_feed[1] = SB; - fbp->fb_feed[2] = TELOPT_ENCRYPT; - fbp->fb_feed[3] = ENCRYPT_IS; -} - -/* - * Returns: - * -1: some error. Negotiation is done, encryption not ready. - * 0: Successful, initial negotiation all done. - * 1: successful, negotiation not done yet. - * 2: Not yet. Other things (like getting the key from - * Kerberos) have to happen before we can continue. - */ - int -cfb64_start(dir, server) - int dir; - int server; -{ - return(fb64_start(&fb[CFB], dir, server)); -} - int -ofb64_start(dir, server) - int dir; - int server; -{ - return(fb64_start(&fb[OFB], dir, server)); -} - - static int -fb64_start(fbp, dir, server) - struct fb *fbp; - int dir; - int server; -{ - int x; - unsigned char *p; - register int state; - - switch (dir) { - case DIR_DECRYPT: - /* - * This is simply a request to have the other side - * start output (our input). He will negotiate an - * IV so we need not look for it. - */ - state = fbp->state[dir-1]; - if (state == xFAILED) - state = IN_PROGRESS; - break; - - case DIR_ENCRYPT: - state = fbp->state[dir-1]; - if (state == xFAILED) - state = IN_PROGRESS; - else if ((state & NO_SEND_IV) == 0) - break; - - if (!VALIDKEY(fbp->krbdes_key)) { - fbp->need_start = 1; - break; - } - state &= ~NO_SEND_IV; - state |= NO_RECV_IV; - /* - * Create a random feed and send it over. - */ - des_new_random_key(fbp->temp_feed); - des_ecb_encrypt(fbp->temp_feed, fbp->temp_feed, - fbp->krbdes_sched, 1); - p = fbp->fb_feed + 3; - *p++ = ENCRYPT_IS; - p++; - *p++ = FB64_IV; - for (x = 0; x < sizeof(Block); ++x) { - if ((*p++ = fbp->temp_feed[x]) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; -#ifdef DEBUG - printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]); -#endif - TelnetSend(EncryptKSGlobalHack, fbp->fb_feed, p - fbp->fb_feed, 0); - break; - default: - return(xFAILED); - } - return(fbp->state[dir-1] = state); -} - -/* - * Returns: - * -1: some error. Negotiation is done, encryption not ready. - * 0: Successful, initial negotiation all done. - * 1: successful, negotiation not done yet. - */ - int -cfb64_is(data, cnt) - unsigned char *data; - int cnt; -{ - return(fb64_is(data, cnt, &fb[CFB])); -} - int -ofb64_is(data, cnt) - unsigned char *data; - int cnt; -{ - return(fb64_is(data, cnt, &fb[OFB])); -} - - int -fb64_is(data, cnt, fbp) - unsigned char *data; - int cnt; - struct fb *fbp; -{ - unsigned char *p; - register int state = fbp->state[DIR_DECRYPT-1]; - - if (cnt-- < 1) - goto failure; - - switch (*data++) { - case FB64_IV: - if (cnt != sizeof(Block)) { -#ifdef DEBUG - if (encrypt_debug_mode) - printf("CFB64: initial vector failed on size\r\n"); -#endif - state = xFAILED; - goto failure; - } - -#ifdef DEBUG - if (encrypt_debug_mode) { - printf("CFB64: initial vector received\r\n"); - printf("Initializing Decrypt stream\r\n"); - } -#endif - fb64_stream_iv((void *)data, &fbp->streams[DIR_DECRYPT-1]); - - p = fbp->fb_feed + 3; - *p++ = ENCRYPT_REPLY; - p++; - *p++ = FB64_IV_OK; - *p++ = IAC; - *p++ = SE; -#ifdef DEBUG - printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]); -#endif - TelnetSend(EncryptKSGlobalHack, fbp->fb_feed, p - fbp->fb_feed, 0); - - state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS; - break; - - default: -#if 0 - if (encrypt_debug_mode) { - printf("Unknown option type: %d\r\n", *(data-1)); - printd(data, cnt); - printf("\r\n"); - } -#endif - /* FALL THROUGH */ - failure: - /* - * We failed. Send an FB64_IV_BAD option - * to the other side so it will know that - * things failed. - */ - p = fbp->fb_feed + 3; - *p++ = ENCRYPT_REPLY; - p++; - *p++ = FB64_IV_BAD; - *p++ = IAC; - *p++ = SE; -#ifdef DEBUG - printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]); -#endif - TelnetSend(EncryptKSGlobalHack, fbp->fb_feed, p - fbp->fb_feed, 0); - - break; - } - return(fbp->state[DIR_DECRYPT-1] = state); -} - -/* - * Returns: - * -1: some error. Negotiation is done, encryption not ready. - * 0: Successful, initial negotiation all done. - * 1: successful, negotiation not done yet. - */ - int -cfb64_reply(data, cnt) - unsigned char *data; - int cnt; -{ - return(fb64_reply(data, cnt, &fb[CFB])); -} - int -ofb64_reply(data, cnt) - unsigned char *data; - int cnt; -{ - return(fb64_reply(data, cnt, &fb[OFB])); -} - - - int -fb64_reply(data, cnt, fbp) - unsigned char *data; - int cnt; - struct fb *fbp; -{ - register int state = fbp->state[DIR_ENCRYPT-1]; - - if (cnt-- < 1) - goto failure; - - switch (*data++) { - case FB64_IV_OK: - fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]); - if (state == xFAILED) - state = IN_PROGRESS; - state &= ~NO_RECV_IV; - encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1); - break; - - case FB64_IV_BAD: - memset(fbp->temp_feed, 0, sizeof(Block)); - fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]); - state = xFAILED; - break; - - default: -#if 0 - if (encrypt_debug_mode) { - printf("Unknown option type: %d\r\n", data[-1]); - printd(data, cnt); - printf("\r\n"); - } -#endif - /* FALL THROUGH */ - failure: - state = xFAILED; - break; - } - return(fbp->state[DIR_ENCRYPT-1] = state); -} - - void -cfb64_session(key, server) - Session_Key *key; - int server; -{ - fb64_session(key, server, &fb[CFB]); -} - - void -ofb64_session(key, server) - Session_Key *key; - int server; -{ - fb64_session(key, server, &fb[OFB]); -} - - static void -fb64_session(key, server, fbp) - Session_Key *key; - int server; - struct fb *fbp; -{ - - if (!key || key->type != SK_DES) { -#ifdef DEBUG - if (encrypt_debug_mode) - printf("Can't set krbdes's session key (%d != %d)\r\n", - key ? key->type : -1, SK_DES); -#endif - return; - } - memcpy((void *)fbp->krbdes_key, (void *)key->data, sizeof(Block)); - - fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]); - fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]); - - if (fbp->once == 0) { - des_init_random_number_generator(fbp->krbdes_key); - fbp->once = 1; - } - des_key_sched(fbp->krbdes_key, fbp->krbdes_sched); - /* - * Now look to see if krbdes_start() was was waiting for - * the key to show up. If so, go ahead an call it now - * that we have the key. - */ - if (fbp->need_start) { - fbp->need_start = 0; - fb64_start(fbp, DIR_ENCRYPT, server); - } -} - -/* - * We only accept a keyid of 0. If we get a keyid of - * 0, then mark the state as SUCCESS. - */ - int -cfb64_keyid(dir, kp, lenp) - int dir, *lenp; - unsigned char *kp; -{ - return(fb64_keyid(dir, kp, lenp, &fb[CFB])); -} - - int -ofb64_keyid(dir, kp, lenp) - int dir, *lenp; - unsigned char *kp; -{ - return(fb64_keyid(dir, kp, lenp, &fb[OFB])); -} - - int -fb64_keyid(dir, kp, lenp, fbp) - int dir, *lenp; - unsigned char *kp; - struct fb *fbp; -{ - register int state = fbp->state[dir-1]; - - if (*lenp != 1 || (*kp != '\0')) { - *lenp = 0; - return(state); - } - - if (state == xFAILED) - state = IN_PROGRESS; - - state &= ~NO_KEYID; - - return(fbp->state[dir-1] = state); -} - -#if 0 - void -fb64_printsub(data, cnt, buf, buflen, type) - unsigned char *data, *buf, *type; - int cnt, buflen; -{ - char lbuf[32]; - register int i; - char *cp; - - buf[buflen-1] = '\0'; /* make sure it's NULL terminated */ - buflen -= 1; - - switch(data[2]) { - case FB64_IV: - sprintf(lbuf, "%s_IV", type); - cp = lbuf; - goto common; - - case FB64_IV_OK: - sprintf(lbuf, "%s_IV_OK", type); - cp = lbuf; - goto common; - - case FB64_IV_BAD: - sprintf(lbuf, "%s_IV_BAD", type); - cp = lbuf; - goto common; - - default: - sprintf(lbuf, " %d (unknown)", data[2]); - cp = lbuf; - common: - for (; (buflen > 0) && (*buf = *cp++); buf++) - buflen--; - for (i = 3; i < cnt; i++) { - sprintf(lbuf, " %d", data[i]); - for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++) - buflen--; - } - break; - } -} - - void -cfb64_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - fb64_printsub(data, cnt, buf, buflen, "CFB64"); -} - - void -ofb64_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - fb64_printsub(data, cnt, buf, buflen, "OFB64"); -} -#endif - - void -fb64_stream_iv(seed, stp) - Block seed; - register struct stinfo *stp; -{ - - memcpy((void *)stp->str_iv, (void *)seed, sizeof(Block)); - memcpy((void *)stp->str_output, (void *)seed, sizeof(Block)); - - des_key_sched(stp->str_ikey, stp->str_sched); - - stp->str_index = sizeof(Block); -} - - void -fb64_stream_key(key, stp) - Block key; - register struct stinfo *stp; -{ - memcpy((void *)stp->str_ikey, (void *)key, sizeof(Block)); - des_key_sched(key, stp->str_sched); - - memcpy((void *)stp->str_output, (void *)stp->str_iv, sizeof(Block)); - - stp->str_index = sizeof(Block); -} - -/* - * DES 64 bit Cipher Feedback - * - * key --->+-----+ - * +->| DES |--+ - * | +-----+ | - * | v - * INPUT --(--------->(+)+---> DATA - * | | - * +-------------+ - * - * - * Given: - * iV: Initial vector, 64 bits (8 bytes) long. - * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt). - * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output. - * - * V0 = DES(iV, key) - * On = Dn ^ Vn - * V(n+1) = DES(On, key) - */ - - void -cfb64_encrypt(s, c) - register unsigned char *s; - int c; -{ - register struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1]; - register int index; - - index = stp->str_index; - while (c-- > 0) { - if (index == sizeof(Block)) { - Block b; - des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1); - memcpy((void *)stp->str_feed,(void *)b,sizeof(Block)); - index = 0; - } - - /* On encryption, we store (feed ^ data) which is cypher */ - *s = stp->str_output[index] = (stp->str_feed[index] ^ *s); - s++; - index++; - } - stp->str_index = index; -} - - int -cfb64_decrypt(data) - int data; -{ - register struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1]; - int index; - - if (data == -1) { - /* - * Back up one byte. It is assumed that we will - * never back up more than one byte. If we do, this - * may or may not work. - */ - if (stp->str_index) - --stp->str_index; - return(0); - } - - index = stp->str_index++; - if (index == sizeof(Block)) { - Block b; - des_ecb_encrypt(stp->str_output, b, stp->str_sched, 1); - memcpy((void *)stp->str_feed, (void *)b, sizeof(Block)); - stp->str_index = 1; /* Next time will be 1 */ - index = 0; /* But now use 0 */ - } - - /* On decryption we store (data) which is cypher. */ - stp->str_output[index] = data; - return(data ^ stp->str_feed[index]); -} - -/* - * DES 64 bit Output Feedback - * - * key --->+-----+ - * +->| DES |--+ - * | +-----+ | - * +-----------+ - * v - * INPUT -------->(+) ----> DATA - * - * Given: - * iV: Initial vector, 64 bits (8 bytes) long. - * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt). - * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output. - * - * V0 = DES(iV, key) - * V(n+1) = DES(Vn, key) - * On = Dn ^ Vn - */ - void -ofb64_encrypt(s, c) - register unsigned char *s; - int c; -{ - register struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1]; - register int index; - - index = stp->str_index; - while (c-- > 0) { - if (index == sizeof(Block)) { - Block b; - des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1); - memcpy((void *)stp->str_feed,(void *)b,sizeof(Block)); - index = 0; - } - *s++ ^= stp->str_feed[index]; - index++; - } - stp->str_index = index; -} - - int -ofb64_decrypt(data) - int data; -{ - register struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1]; - int index; - - if (data == -1) { - /* - * Back up one byte. It is assumed that we will - * never back up more than one byte. If we do, this - * may or may not work. - */ - if (stp->str_index) - --stp->str_index; - return(0); - } - - index = stp->str_index++; - if (index == sizeof(Block)) { - Block b; - des_ecb_encrypt(stp->str_feed, b, stp->str_sched, 1); - memcpy((void *)stp->str_feed, (void *)b, sizeof(Block)); - stp->str_index = 1; /* Next time will be 1 */ - index = 0; /* But now use 0 */ - } - - return(data ^ stp->str_feed[index]); -} - -#endif /* ENCRYPTION */ diff --git a/src/windows/wintel/enc_des.h b/src/windows/wintel/enc_des.h deleted file mode 100644 index b7f0f95..0000000 --- a/src/windows/wintel/enc_des.h +++ /dev/null @@ -1,120 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)enc-proto.h 8.1 (Berkeley) 6/4/93 - */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ -#ifdef ENCRYPTION -void encrypt_init (char *, int); -Encryptions *findencryption (int); -void encrypt_auto (int); -void decrypt_auto (int); -void encrypt_is (unsigned char *, int); -void encrypt_reply (unsigned char *, int); -void encrypt_start_input (int); -void encrypt_session_key (Session_Key *, int); -void encrypt_end_input (void); -void encrypt_start_output (int); -void encrypt_end_output (void); -void encrypt_send_request_start (void); -void encrypt_send_request_end (void); -void encrypt_send_end (void); -void encrypt_wait (void); -int encrypt_is_encrypting (void); -void encrypt_send_support (void); -void encrypt_send_keyid (int, unsigned char *, int, int); -int net_write (unsigned char *, int); - -#ifdef TELENTD -void encrypt_wait (void); -#else -int encrypt_cmd (int, char **); -void encrypt_display (void); -#endif - -void krbdes_encrypt (unsigned char *, int); -int krbdes_decrypt (int); -int krbdes_is (unsigned char *, int); -int krbdes_reply (unsigned char *, int); -void krbdes_init (int); -int krbdes_start (int, int); -void krbdes_session (Session_Key *, int); -void krbdes_printsub (unsigned char *, int, unsigned char *, int); - -void cfb64_encrypt (unsigned char *, int); -int cfb64_decrypt (int); -void cfb64_init (int); -int cfb64_start (int, int); -int cfb64_is (unsigned char *, int); -int cfb64_reply (unsigned char *, int); -void cfb64_session (Session_Key *, int); -int cfb64_keyid (int, unsigned char *, int *); -void cfb64_printsub (unsigned char *, int, unsigned char *, int); - -void ofb64_encrypt (unsigned char *, int); -int ofb64_decrypt (int); -void ofb64_init (int); -int ofb64_start (int, int); -int ofb64_is (unsigned char *, int); -int ofb64_reply (unsigned char *, int); -void ofb64_session (Session_Key *, int); -int ofb64_keyid (int, unsigned char *, int *); -void ofb64_printsub (unsigned char *, int, unsigned char *, int); - -int des_new_random_key (Block); -void des_set_random_generator_seed (Block); -void des_key_sched (Block, Schedule); -void des_ecb_encrypt (Block, Block, Schedule, int); -int des_string_to_key (char *, Block); -#endif /* ENCRYPTION */ diff --git a/src/windows/wintel/encrypt.c b/src/windows/wintel/encrypt.c deleted file mode 100644 index a26674d..0000000 --- a/src/windows/wintel/encrypt.c +++ /dev/null @@ -1,999 +0,0 @@ -/* - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* based on @(#)encrypt.c 8.1 (Berkeley) 6/4/93 */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifdef ENCRYPTION - -#include - -#define isprefix(a, b) (!strncmp((a), (b), strlen(b))) - -#ifdef KRB4 -#include -#include -#include -#include "winsock.h" -#include "kerberos.h" -#endif -#ifdef KRB5 -#include -#include -#include "krb5.h" -#include "com_err.h" -#endif - -#include "telnet.h" -#include "encrypt.h" - -#define ENCRYPT_NAMES -#include "telnet_arpa.h" - -/* - * These function pointers point to the current routines - * for encrypting and decrypting data. - */ -void (*encrypt_output) (unsigned char *, int); -int (*decrypt_input) (int); - -#ifdef DEBUG -int encrypt_debug_mode = 1; -int encrypt_verbose = 1; -#else -int encrypt_verbose = 0; -#endif - -static char dbgbuf [10240]; - -static int decrypt_mode = 0; -static int encrypt_mode = 0; -static int autoencrypt = 1; -static int autodecrypt = 1; -static int havesessionkey = 0; - -kstream EncryptKSGlobalHack = NULL; - -#define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) - -static long i_support_encrypt = - typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64); -static long i_support_decrypt = - typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64); -static long i_wont_support_encrypt = 0; -static long i_wont_support_decrypt = 0; -#define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt) -#define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt) - -static long remote_supports_encrypt = 0; -static long remote_supports_decrypt = 0; - -static Encryptions encryptions[] = { - { "DES_CFB64", - ENCTYPE_DES_CFB64, - cfb64_encrypt, - cfb64_decrypt, - cfb64_init, - cfb64_start, - cfb64_is, - cfb64_reply, - cfb64_session, - cfb64_keyid, - NULL }, - { "DES_OFB64", - ENCTYPE_DES_OFB64, - ofb64_encrypt, - ofb64_decrypt, - ofb64_init, - ofb64_start, - ofb64_is, - ofb64_reply, - ofb64_session, - ofb64_keyid, - NULL }, - { 0, }, -}; - -static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT, - ENCRYPT_SUPPORT }; -static unsigned char str_suplen = 0; -static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT }; -static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE }; - -void encrypt_request_end(void); -void encrypt_request_start(unsigned char *, int); -void encrypt_enc_keyid(unsigned char *, int); -void encrypt_dec_keyid(unsigned char *, int); -void encrypt_support(unsigned char *, int); -void encrypt_start(unsigned char *, int); -void encrypt_end(void); - -int encrypt_ks_stream(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - struct kstream *); - -int decrypt_ks_stream(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - struct kstream *); - -int -encrypt_ks_stream(struct kstream_data_block *i, - struct kstream_data_block *o, - struct kstream *ks) -{ - - /* - * this is really quite bogus, since it does an in-place encryption... - */ - if (encrypt_output) { - encrypt_output(i->ptr, i->length); - return 1; - } - - return 0; -} - - -int -decrypt_ks_stream(struct kstream_data_block *i, - struct kstream_data_block *o, - struct kstream *ks) -{ - unsigned int len; - /* - * this is really quite bogus, since it does an in-place decryption... - */ - if (decrypt_input) { - for (len = 0 ; len < i->length ; len++) - ((unsigned char *)i->ptr)[len] - = decrypt_input(((unsigned char *)i->ptr)[len]); - return 1; - } - - return 0; -} - -int -decrypt_ks_hack(unsigned char *buf, int cnt) -{ - int len; - /* - * this is really quite bogus, since it does an in-place decryption... - */ - for (len = 0 ; len < cnt ; len++) - buf[len] = decrypt_input(buf[len]); - -#ifdef DEBUG - hexdump("hack:", buf, cnt); -#endif - return 1; -} - -#ifdef DEBUG -int -printsub(char c, unsigned char *s, size_t len) -{ - size_t i; - char *p = dbgbuf; - - *p++ = c; - - for (i = 0 ; (i < len) && (p - dbgbuf + 3 < sizeof(dbgbuf)) ; i++) - p += sprintf(p, "%02x ", s[i]); - dbgbuf[sizeof(dbgbuf) - 1] = '\0'; - - strncat(p, "\n", sizeof(dbgbuf) - 1 - (p - dbgbuf)); - - OutputDebugString(dbgbuf); - - return 0; -} -#endif - -/* - * parsedat[0] == the suboption we might be negoating, - */ -void -encrypt_parse(kstream ks, unsigned char *parsedat, int end_sub) -{ - char *p = dbgbuf; - -#ifdef DEBUG - printsub('<', parsedat, end_sub); -#endif - - switch(parsedat[1]) { - case ENCRYPT_START: - encrypt_start(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_END: - encrypt_end(); - break; - case ENCRYPT_SUPPORT: - encrypt_support(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_REQSTART: - encrypt_request_start(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_REQEND: - /* - * We can always send an REQEND so that we cannot - * get stuck encrypting. We should only get this - * if we have been able to get in the correct mode - * anyhow. - */ - encrypt_request_end(); - break; - case ENCRYPT_IS: - encrypt_is(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_REPLY: - encrypt_reply(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_ENC_KEYID: - encrypt_enc_keyid(parsedat + 2, end_sub - 2); - break; - case ENCRYPT_DEC_KEYID: - encrypt_dec_keyid(parsedat + 2, end_sub - 2); - break; - default: - break; - } -} - -/* XXX */ -Encryptions * -findencryption(type) - int type; -{ - Encryptions *ep = encryptions; - - if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type))) - return(0); - while (ep->type && ep->type != type) - ++ep; - return(ep->type ? ep : 0); -} - -Encryptions * -finddecryption(int type) -{ - Encryptions *ep = encryptions; - - if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type))) - return(0); - while (ep->type && ep->type != type) - ++ep; - return(ep->type ? ep : 0); -} - -#define MAXKEYLEN 64 - -static struct key_info { - unsigned char keyid[MAXKEYLEN]; - int keylen; - int dir; - int *modep; - Encryptions *(*getcrypt)(); -} ki[2] = { - { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption }, - { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption }, -}; - -void -encrypt_init(kstream iks, kstream_ptr data) -{ - Encryptions *ep = encryptions; - - i_support_encrypt = i_support_decrypt = 0; - remote_supports_encrypt = remote_supports_decrypt = 0; - encrypt_mode = 0; - decrypt_mode = 0; - encrypt_output = NULL; - decrypt_input = NULL; - - str_suplen = 4; - - EncryptKSGlobalHack = iks; - - while (ep->type) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>I will support %s\n", - ENCTYPE_NAME(ep->type)); - OutputDebugString(dbgbuf); - } -#endif - i_support_encrypt |= typemask(ep->type); - i_support_decrypt |= typemask(ep->type); - if ((i_wont_support_decrypt & typemask(ep->type)) == 0) - if ((str_send[str_suplen++] = ep->type) == IAC) - str_send[str_suplen++] = IAC; - if (ep->init) - (*ep->init)(0); - ++ep; - } - str_send[str_suplen++] = IAC; - str_send[str_suplen++] = SE; -} - -void -encrypt_send_support() -{ - if (str_suplen) { - /* - * If the user has requested that decryption start - * immediatly, then send a "REQUEST START" before - * we negotiate the type. - */ - if (autodecrypt) - encrypt_send_request_start(); - TelnetSend(EncryptKSGlobalHack, str_send, str_suplen, 0); - -#ifdef DEBUG - printsub('>', &str_send[2], str_suplen - 2); -#endif - - str_suplen = 0; - } -} - -/* - * Called when ENCRYPT SUPPORT is received. - */ -void -encrypt_support(typelist, cnt) - unsigned char *typelist; - int cnt; -{ - register int type, use_type = 0; - Encryptions *ep; - - /* - * Forget anything the other side has previously told us. - */ - remote_supports_decrypt = 0; - - while (cnt-- > 0) { - type = *typelist++; -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Remote supports %s (%d)\n", - ENCTYPE_NAME(type), type); - OutputDebugString(dbgbuf); - } -#endif - if ((type < ENCTYPE_CNT) && - (I_SUPPORT_ENCRYPT & typemask(type))) { - remote_supports_decrypt |= typemask(type); - if (use_type == 0) - use_type = type; - } - } - if (use_type) { - ep = findencryption(use_type); - if (!ep) - return; - type = ep->start ? (*ep->start)(DIR_ENCRYPT, 0) : 0; -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>(*ep->start)() %s returned %d (%s)\n", - ENCTYPE_NAME(use_type), type, ENCRYPT_NAME(type)); - OutputDebugString(dbgbuf); - } -#endif - if (type < 0) - return; - encrypt_mode = use_type; - if (type == 0) - encrypt_start_output(use_type); - } -} - -void -encrypt_is(data, cnt) - unsigned char *data; - int cnt; -{ - Encryptions *ep; - register int type, ret; - - if (--cnt < 0) - return; - type = *data++; - if (type < ENCTYPE_CNT) - remote_supports_encrypt |= typemask(type); - if (!(ep = finddecryption(type))) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>encrypt_reply: " - "Can't find type %s (%d) for initial negotiation\n", - ENCTYPE_NAME_OK(type) - ? ENCTYPE_NAME(type) : "(unknown)", - type); - OutputDebugString(dbgbuf); - } -#endif - return; - } - if (!ep->is) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>encrypt_reply: " - "No initial negotiation needed for type %s (%d)\n", - ENCTYPE_NAME_OK(type) - ? ENCTYPE_NAME(type) : "(unknown)", - type); - OutputDebugString(dbgbuf); - } -#endif - ret = 0; - } else { - ret = (*ep->is)(data, cnt); -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, "encrypt_reply: " - "(*ep->is)(%x, %d) returned %s(%d)\n", data, cnt, - (ret < 0) ? "FAIL " : - (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); - OutputDebugString(dbgbuf); - } -#endif - } - if (ret < 0) { - autodecrypt = 0; - } else { - decrypt_mode = type; - if (ret == 0 && autodecrypt) - encrypt_send_request_start(); - } -} - -void -encrypt_reply(data, cnt) - unsigned char *data; - int cnt; -{ - Encryptions *ep; - register int ret, type; - - if (--cnt < 0) - return; - type = *data++; - if (!(ep = findencryption(type))) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Can't find type %s (%d) for initial negotiation\n", - ENCTYPE_NAME_OK(type) - ? ENCTYPE_NAME(type) : "(unknown)", - type); - OutputDebugString(dbgbuf); - } -#endif - return; - } - if (!ep->reply) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>No initial negotiation needed for type %s (%d)\n", - ENCTYPE_NAME_OK(type) - ? ENCTYPE_NAME(type) : "(unknown)", - type); - OutputDebugString(dbgbuf); - } -#endif - ret = 0; - } else { - ret = (*ep->reply)(data, cnt); -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, "(*ep->reply)(%x, %d) returned %s(%d)\n", - data, cnt, - (ret < 0) ? "FAIL " : - (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); - OutputDebugString(dbgbuf); - } -#endif - } -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>encrypt_reply returned %d\n", ret); - OutputDebugString(dbgbuf); - } -#endif - if (ret < 0) { - autoencrypt = 0; - } else { - encrypt_mode = type; - if (ret == 0 && autoencrypt) - encrypt_start_output(type); - } -} - -/* - * Called when a ENCRYPT START command is received. - */ -void -encrypt_start(data, cnt) - unsigned char *data; - int cnt; -{ - Encryptions *ep; - - if (!decrypt_mode) { - /* - * Something is wrong. We should not get a START - * command without having already picked our - * decryption scheme. Send a REQUEST-END to - * attempt to clear the channel... - */ - /* printf("Warning, Cannot decrypt input stream!!!\n"); */ - encrypt_send_request_end(); - MessageBox(NULL, "Warning, Cannot decrypt input stream!!!", NULL, - MB_OK | MB_ICONEXCLAMATION); - return; - } - - if (ep = finddecryption(decrypt_mode)) { - extern BOOL encrypt_flag; - - decrypt_input = ep->input; - EncryptKSGlobalHack->decrypt = decrypt_ks_stream; - encrypt_flag = 2; /* XXX hack */ - - if (encrypt_verbose) { - sprintf(dbgbuf, "[ Input is now decrypted with type %s ]\n", - ENCTYPE_NAME(decrypt_mode)); - OutputDebugString(dbgbuf); - } -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Start to decrypt input with type %s\n", - ENCTYPE_NAME(decrypt_mode)); - OutputDebugString(dbgbuf); - } -#endif - } else { - char buf[1024]; - wsprintf(buf, "Warning, Cannot decrypt type %s (%d)!!!", - ENCTYPE_NAME_OK(decrypt_mode) - ? ENCTYPE_NAME(decrypt_mode) : "(unknown)", - decrypt_mode); - MessageBox(NULL, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - encrypt_send_request_end(); - } -} - -void -encrypt_session_key(key, server) - Session_Key *key; - int server; -{ - Encryptions *ep = encryptions; - - havesessionkey = 1; - - while (ep->type) { - if (ep->session) - (*ep->session)(key, server); -#if defined(notdef) - if (!encrypt_output && autoencrypt && !server) - encrypt_start_output(ep->type); - if (!decrypt_input && autodecrypt && !server) - encrypt_send_request_start(); -#endif - ++ep; - } -} - -/* - * Called when ENCRYPT END is received. - */ -void -encrypt_end() -{ - decrypt_input = NULL; - EncryptKSGlobalHack->decrypt = NULL; -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Input is back to clear text\n"); - OutputDebugString(dbgbuf); - } -#endif - if (encrypt_verbose) { - sprintf(dbgbuf, "[ Input is now clear text ]\n"); - OutputDebugString(dbgbuf); - } -} - -/* - * Called when ENCRYPT REQUEST-END is received. - */ -void -encrypt_request_end() -{ - encrypt_send_end(); -} - -/* - * Called when ENCRYPT REQUEST-START is received. If we receive - * this before a type is picked, then that indicates that the - * other side wants us to start encrypting data as soon as we - * can. - */ -void -encrypt_request_start(data, cnt) - unsigned char *data; - int cnt; -{ - if (encrypt_mode == 0) { - return; - } - encrypt_start_output(encrypt_mode); -} - -static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT }; - -void -encrypt_keyid(); - -void -encrypt_enc_keyid(keyid, len) - unsigned char *keyid; - int len; -{ - encrypt_keyid(&ki[1], keyid, len); -} - -void -encrypt_dec_keyid(keyid, len) - unsigned char *keyid; - int len; -{ - encrypt_keyid(&ki[0], keyid, len); -} - -void -encrypt_keyid(kp, keyid, len) - struct key_info *kp; - unsigned char *keyid; - int len; -{ - Encryptions *ep; - int dir = kp->dir; - register int ret = 0; - - if (!(ep = (*kp->getcrypt)(*kp->modep))) { - if (len == 0) - return; - kp->keylen = 0; - } else if (len == 0) { - /* - * Empty option, indicates a failure. - */ - if (kp->keylen == 0) - return; - kp->keylen = 0; - if (ep->keyid) - (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); - - } else if ((len != kp->keylen) || (memcmp(keyid, kp->keyid, len) != 0)) { - /* - * Length or contents are different - */ - kp->keylen = len; - memcpy(kp->keyid, keyid, len); - if (ep->keyid) - (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); - } else { - if (ep->keyid) - ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen); - if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt) - encrypt_start_output(*kp->modep); - return; - } - - encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0); -} - -void -encrypt_send_keyid(dir, keyid, keylen, saveit) - int dir; - unsigned char *keyid; - int keylen; - int saveit; -{ - unsigned char *strp; - - str_keyid[3] = (dir == DIR_ENCRYPT) - ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID; - if (saveit) { - struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1]; - memcpy(kp->keyid, keyid, keylen); - kp->keylen = keylen; - } - - for (strp = &str_keyid[4]; keylen > 0; --keylen) { - if ((*strp++ = *keyid++) == IAC) - *strp++ = IAC; - } - *strp++ = IAC; - *strp++ = SE; - TelnetSend(EncryptKSGlobalHack, str_keyid, strp - str_keyid, 0); - -#ifdef DEBUG - printsub('>', &str_keyid[2], strp - str_keyid - 2); -#endif - -} - -void -encrypt_auto(on) - int on; -{ - if (on < 0) - autoencrypt ^= 1; - else - autoencrypt = on ? 1 : 0; -} - -void -decrypt_auto(on) - int on; -{ - if (on < 0) - autodecrypt ^= 1; - else - autodecrypt = on ? 1 : 0; -} - -void -encrypt_start_output(type) - int type; -{ - Encryptions *ep; - register unsigned char *p; - register int i; - - if (!(ep = findencryption(type))) { -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Can't encrypt with type %s (%d)\n", - ENCTYPE_NAME_OK(type) - ? ENCTYPE_NAME(type) : "(unknown)", - type); - OutputDebugString(dbgbuf); - } -#endif - return; - } - if (ep->start) { - i = (*ep->start)(DIR_ENCRYPT, 0); -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Encrypt start: %s (%d) %s\n", - (i < 0) ? "failed" : - "initial negotiation in progress", - i, ENCTYPE_NAME(type)); - OutputDebugString(dbgbuf); - } -#endif - if (i) - return; - } - p = str_start + 3; - *p++ = ENCRYPT_START; - for (i = 0; i < ki[0].keylen; ++i) { - if ((*p++ = ki[0].keyid[i]) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - TelnetSend(EncryptKSGlobalHack, str_start, p - str_start, 0); -#ifdef DEBUG - printsub('>', &str_start[2], p - &str_start[2]); -#endif - - /* - * If we are already encrypting in some mode, then - * encrypt the ring (which includes our request) in - * the old mode, mark it all as "clear text" and then - * switch to the new mode. - */ - encrypt_output = ep->output; - EncryptKSGlobalHack->encrypt = encrypt_ks_stream; - encrypt_mode = type; -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Started to encrypt output with type %s\n", - ENCTYPE_NAME(type)); - OutputDebugString(dbgbuf); - } -#endif - if (encrypt_verbose) { - sprintf(dbgbuf, "[ Output is now encrypted with type %s ]\n", - ENCTYPE_NAME(type)); - OutputDebugString(dbgbuf); - } -} - -void -encrypt_send_end() -{ - if (!encrypt_output) - return; - - str_end[3] = ENCRYPT_END; - TelnetSend(EncryptKSGlobalHack, str_end, sizeof(str_end), 0); -#ifdef DEBUG - printsub('>', &str_end[2], sizeof(str_end) - 2); -#endif - - /* - * Encrypt the output buffer now because it will not be done by - * netflush... - */ - encrypt_output = 0; - EncryptKSGlobalHack->encrypt = NULL; -#ifdef DEBUG - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Output is back to clear text\n"); - OutputDebugString(dbgbuf); - } -#endif - if (encrypt_verbose) { - sprintf(dbgbuf, "[ Output is now clear text ]\n"); - OutputDebugString(dbgbuf); - } -} - -void -encrypt_send_request_start() -{ - register unsigned char *p; - register int i; - - p = &str_start[3]; - *p++ = ENCRYPT_REQSTART; - for (i = 0; i < ki[1].keylen; ++i) { - if ((*p++ = ki[1].keyid[i]) == IAC) - *p++ = IAC; - } - *p++ = IAC; - *p++ = SE; - TelnetSend(EncryptKSGlobalHack, str_start, p - str_start, 0); -#ifdef DEBUG - printsub('>', &str_start[2], p - &str_start[2]); - - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Request input to be encrypted\n"); - OutputDebugString(dbgbuf); - } -#endif -} - -void -encrypt_send_request_end() -{ - str_end[3] = ENCRYPT_REQEND; - TelnetSend(EncryptKSGlobalHack, str_end, sizeof(str_end), 0); -#ifdef DEBUG - printsub('>', &str_end[2], sizeof(str_end) - 2); - - if (encrypt_debug_mode) { - sprintf(dbgbuf, ">>>Request input to be clear text\n"); - OutputDebugString(dbgbuf); - } -#endif -} - -int encrypt_is_encrypting() -{ - if (encrypt_output && decrypt_input) - return 1; - return 0; -} - -#ifdef DEBUG -void -encrypt_debug(mode) - int mode; -{ - encrypt_debug_mode = mode; -} -#endif - -#if 0 -void -encrypt_gen_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - char tbuf[16], *cp; - - cnt -= 2; - data += 2; - buf[buflen-1] = '\0'; - buf[buflen-2] = '*'; - buflen -= 2;; - for (; cnt > 0; cnt--, data++) { - sprintf(tbuf, " %d", *data); - for (cp = tbuf; *cp && buflen > 0; --buflen) - *buf++ = *cp++; - if (buflen <= 0) - return; - } - *buf = '\0'; -} - -void -encrypt_printsub(data, cnt, buf, buflen) - unsigned char *data, *buf; - int cnt, buflen; -{ - Encryptions *ep; - register int type = data[1]; - - for (ep = encryptions; ep->type && ep->type != type; ep++) - ; - - if (ep->printsub) - (*ep->printsub)(data, cnt, buf, buflen); - else - encrypt_gen_printsub(data, cnt, buf, buflen); -} -#endif - -#endif /* ENCRYPTION */ diff --git a/src/windows/wintel/encrypt.h b/src/windows/wintel/encrypt.h deleted file mode 100644 index 4d7afb1..0000000 --- a/src/windows/wintel/encrypt.h +++ /dev/null @@ -1,178 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)encrypt.h 8.1 (Berkeley) 6/4/93 - */ - -/* - * Copyright (C) 1990 by the Massachusetts Institute of Technology - * - * Export of this software from the United States of America may - * require a specific license from the United States Government. - * It is the responsibility of any person or organization contemplating - * export to obtain such a license before exporting. - * - * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation, and that - * the name of M.I.T. not be used in advertising or publicity pertaining - * to distribution of the software without specific, written prior - * permission. Furthermore if you modify this software you must label - * your software as modified software and not distribute it in such a - * fashion that it might be confused with the original M.I.T. software. - * M.I.T. makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifdef ENCRYPTION - -#ifndef __ENCRYPTION__ -#define __ENCRYPTION__ - -#define DIR_DECRYPT 1 -#define DIR_ENCRYPT 2 - -typedef unsigned char Block[8]; -typedef unsigned char *BlockT; -typedef struct { Block _; } Schedule[16]; - -#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | key[4] | key[5] | key[6] | key[7]) - -#define SAMEKEY(k1, k2) (!memcmp((void *)k1, (void *)k2, sizeof(Block))) - -typedef struct { - short type; - int length; - unsigned char *data; -} Session_Key; - -#ifdef DEBUG -int printsub(char, unsigned char *, size_t); -#endif - -void encrypt_parse(kstream, unsigned char *, int); - -typedef struct { - char *name; - int type; - void (*output) (unsigned char *, int); - int (*input) (int); - void (*init) (int); - int (*start) (int, int); - int (*is) (unsigned char *, int); - int (*reply) (unsigned char *, int); - void (*session) (Session_Key *, int); - int (*keyid) (int, unsigned char *, int *); - void (*printsub) (unsigned char *, int, unsigned char *, int); -} Encryptions; - -#define SK_DES 1 /* Matched Kerberos v5 ENCTYPE_DES */ - -void encrypt_init (kstream, kstream_ptr); -Encryptions *findencryption (int); -void encrypt_auto (int); -void decrypt_auto (int); -void encrypt_is (unsigned char *, int); -void encrypt_reply (unsigned char *, int); -void encrypt_start_input (int); -void encrypt_session_key (Session_Key *, int); -void encrypt_end_input (void); -void encrypt_start_output (int); -void encrypt_end_output (void); -void encrypt_send_request_start (void); -void encrypt_send_request_end (void); -void encrypt_send_end (void); -void encrypt_wait (void); -int encrypt_is_encrypting (void); -void encrypt_send_support (void); -void encrypt_send_keyid (int, unsigned char *, int, int); -int net_write (unsigned char *, int); - -int encrypt_cmd (int, char **); -void encrypt_display (void); - -void krbdes_encrypt (unsigned char *, int); -int krbdes_decrypt (int); -int krbdes_is (unsigned char *, int); -int krbdes_reply (unsigned char *, int); -void krbdes_init (int); -int krbdes_start (int, int); -void krbdes_session (Session_Key *, int); -void krbdes_printsub (unsigned char *, int, unsigned char *, int); - -void cfb64_encrypt (unsigned char *, int); -int cfb64_decrypt (int); -void cfb64_init (int); -int cfb64_start (int, int); -int cfb64_is (unsigned char *, int); -int cfb64_reply (unsigned char *, int); -void cfb64_session (Session_Key *, int); -int cfb64_keyid (int, unsigned char *, int *); -void cfb64_printsub (unsigned char *, int, unsigned char *, int); - -void ofb64_encrypt (unsigned char *, int); -int ofb64_decrypt (int); -void ofb64_init (int); -int ofb64_start (int, int); -int ofb64_is (unsigned char *, int); -int ofb64_reply (unsigned char *, int); -void ofb64_session (Session_Key *, int); -int ofb64_keyid (int, unsigned char *, int *); -void ofb64_printsub (unsigned char *, int, unsigned char *, int); - -int KRB5_CALLCONV - des_new_random_key (Block); -void KRB5_CALLCONV - des_set_random_generator_seed (Block); -void KRB5_CALLCONV - des_key_sched (Block, Schedule); -void KRB5_CALLCONV - des_ecb_encrypt (Block, Block, Schedule, int); - -/* int des_string_to_key (char *, Block); */ - - -#ifdef DEBUG -extern int encrypt_debug_mode; -#endif - -extern int (*decrypt_input) (int); -extern void (*encrypt_output) (unsigned char *, int); - -int decrypt_ks_hack(unsigned char *, int); - -#endif /* __ENCRYPTION__ */ - -#endif /* ENCRYPTION */ diff --git a/src/windows/wintel/font.c b/src/windows/wintel/font.c deleted file mode 100644 index 9224c41..0000000 --- a/src/windows/wintel/font.c +++ /dev/null @@ -1,100 +0,0 @@ -/* font.c */ - -#include -#include -#include -#include "screen.h" -#include "ini.h" - -void ProcessFontChange( - HWND hWnd) -{ - static DWORD dwFontColor; /* Color of font if one has been selected */ - CHOOSEFONT cf; - HDC hDC; - SCREEN *pScr; - TEXTMETRIC tm; - char buf[16]; - char szStyle[LF_FACESIZE]; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert(pScr != NULL); - - cf.lStructSize = sizeof(cf); - cf.hwndOwner = hWnd; - cf.lpLogFont = (LPLOGFONT) &(pScr->lf); - cf.lpszStyle = szStyle; - cf.Flags = CF_INITTOLOGFONTSTRUCT; /* | CF_USESTYLE; */ - cf.Flags |= CF_SCREENFONTS; -#if 0 - cf.Flags |= CF_ANSIONLY; -#endif - cf.Flags |= CF_FORCEFONTEXIST; - cf.Flags |= CF_FIXEDPITCHONLY; - cf.Flags |= CF_NOSIMULATIONS; - - if (ChooseFont(&cf)) { - if (pScr->hSelectedFont) - DeleteObject(pScr->hSelectedFont); - - pScr->hSelectedFont = CreateFontIndirect(&(pScr->lf)); - pScr->lf.lfUnderline = TRUE; - pScr->hSelectedULFont = CreateFontIndirect(&(pScr->lf)); - pScr->lf.lfUnderline = FALSE; - hDC = GetDC(hWnd); - SelectObject(hDC, pScr->hSelectedFont); - GetTextMetrics(hDC, &tm); - pScr->cxChar = tm.tmAveCharWidth; - pScr->cyChar = tm.tmHeight + tm.tmExternalLeading; - ReleaseDC(hWnd, hDC); - SetWindowPos(hWnd, NULL, 0, 0, pScr->cxChar * pScr->width + - FRAME_WIDTH, pScr->cyChar * pScr->height + - FRAME_HEIGHT, SWP_NOMOVE | SWP_NOZORDER); - - dwFontColor = RGB(255, 255, 255); - InvalidateRect(hWnd, NULL, TRUE); - } - - WritePrivateProfileString(INI_FONT, "FaceName", pScr->lf.lfFaceName, TELNET_INI); - wsprintf(buf, "%d", (int) pScr->lf.lfHeight); - WritePrivateProfileString(INI_FONT, "Height", buf, TELNET_INI); - wsprintf(buf, "%d", (int) pScr->lf.lfWidth); - WritePrivateProfileString(INI_FONT, "Width", buf, TELNET_INI); - wsprintf(buf, "%d", (int) pScr->lf.lfEscapement); - WritePrivateProfileString(INI_FONT, "Escapement", buf, TELNET_INI); - wsprintf(buf, "%d", (int) pScr->lf.lfCharSet); - WritePrivateProfileString(INI_FONT, "CharSet", buf, TELNET_INI); - wsprintf(buf, "%d", (int) pScr->lf.lfPitchAndFamily); - WritePrivateProfileString(INI_FONT, "PitchAndFamily", buf, TELNET_INI); - - return; - -} /* ProcessFontChange */ - - -void InitializeStruct( - WORD wCommDlgType, - LPSTR lpStruct, - HWND hWnd) -{ - LPCHOOSEFONT lpFontChunk; - - if (wCommDlgType == IDC_FONT) { - lpFontChunk = (LPCHOOSEFONT) lpStruct; - - lpFontChunk->lStructSize = sizeof(CHOOSEFONT); - lpFontChunk->hwndOwner = hWnd; - lpFontChunk->Flags = CF_SCREENFONTS | CF_FIXEDPITCHONLY - | CF_INITTOLOGFONTSTRUCT | CF_APPLY; - lpFontChunk->rgbColors = RGB(0, 0, 255); - lpFontChunk->lCustData = 0L; - lpFontChunk->lpfnHook = NULL; - lpFontChunk->lpTemplateName = NULL; - lpFontChunk->hInstance = NULL; - lpFontChunk->lpszStyle = NULL; - lpFontChunk->nFontType = SCREEN_FONTTYPE; - lpFontChunk->nSizeMin = 0; - lpFontChunk->nSizeMax = 0; - } - -} /* InitialiseStruct */ diff --git a/src/windows/wintel/genget.c b/src/windows/wintel/genget.c deleted file mode 100644 index 4e760d7..0000000 --- a/src/windows/wintel/genget.c +++ /dev/null @@ -1,101 +0,0 @@ -/*- - * Copyright (c) 1991, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -/* based on @(#)genget.c 8.1 (Berkeley) 6/4/93 */ - -#include - -#define LOWER(x) (isupper(x) ? tolower(x) : (x)) -/* - * The prefix function returns 0 if *s1 is not a prefix - * of *s2. If *s1 exactly matches *s2, the negative of - * the length is returned. If *s1 is a prefix of *s2, - * the length of *s1 is returned. - */ - int -isprefix(s1, s2) - register char *s1, *s2; -{ - char *os1; - register char c1, c2; - - if (*s1 == '\0') - return(-1); - os1 = s1; - c1 = *s1; - c2 = *s2; - while (LOWER(c1) == LOWER(c2)) { - if (c1 == '\0') - break; - c1 = *++s1; - c2 = *++s2; - } - return(*s1 ? 0 : (*s2 ? (s1 - os1) : (os1 - s1))); -} - -static char *ambiguous; /* special return value for command routines */ - - char ** -genget(name, table, stlen) - char *name; /* name to match */ - char **table; /* name entry in table */ - int stlen; -{ - register char **c, **found; - register int n; - - if (name == 0) - return 0; - - found = 0; - for (c = table; *c != 0; c = (char **)((char *)c + stlen)) { - if ((n = isprefix(name, *c)) == 0) - continue; - if (n < 0) /* exact match */ - return(c); - if (found) - return(&ambiguous); - found = c; - } - return(found); -} - -/* - * Function call version of Ambiguous() - */ - int -Ambiguous(s) - char *s; -{ - return((char **)s == &ambiguous); -} diff --git a/src/windows/wintel/ini.h b/src/windows/wintel/ini.h deleted file mode 100644 index f26c162..0000000 --- a/src/windows/wintel/ini.h +++ /dev/null @@ -1,16 +0,0 @@ -/* Defines INI file vocabulary */ -#define TELNET_INI "kerberos.ini" - -#define INI_TELNET "Telnet" -#define INI_FONT "Font" -#define INI_WIDTH "Width" -#define INI_HEIGHT "Height" -#define INI_POSITION "Position" -#define INI_BACKSPACE "Backspace" -#define INI_BACKSPACE_BS "BS" -#define INI_BACKSPACE_DEL "DEL" - -#define INI_HOSTS "Telnet Hosts" -#define INI_HOST "Host" -#define INI_HOST_BS "BS" -#define INI_HOST_DEL "DEL" diff --git a/src/windows/wintel/intern.c b/src/windows/wintel/intern.c deleted file mode 100644 index 8ff8605..0000000 --- a/src/windows/wintel/intern.c +++ /dev/null @@ -1,815 +0,0 @@ -/* intern.c */ - -#include -#include -#include -#include "screen.h" - -#define ScreenClearAttrib 0 - -SCREENLINE * -GetScreenLineFromY(SCREEN *pScr, int y) -{ - SCREENLINE *pScrLine; - int idx; - - pScrLine = pScr->screen_top; - for (idx = 0; idx < pScr->height; idx++) { - if (idx == y) - return(pScrLine); - if (pScrLine == NULL) - return(NULL); - pScrLine = pScrLine->next; - } - - return(NULL); -} - - -SCREENLINE * -ScreenClearLine(SCREEN *pScr, SCREENLINE *pScrLine) -{ - memset(pScrLine->attrib, ScreenClearAttrib, pScr->width); - memset(pScrLine->text, ' ', pScr->width); - return(pScrLine); -} - - -void -ScreenUnscroll(SCREEN *pScr) -{ - int idx; - SCREENLINE *pScrLine; - - if (pScr->screen_bottom == pScr->buffer_bottom) - return; - - pScr->screen_bottom = pScr->buffer_bottom; - pScrLine = pScr->screen_bottom; - for (idx = 1; idx < pScr->height; idx++) { - if (pScrLine == NULL) - return; - pScrLine = pScrLine->prev; - } - pScr->screen_top = pScrLine; -} - - -void -ScreenCursorOn(SCREEN *pScr) -{ - int y; - int nlines; - - if (pScr->screen_bottom != pScr->buffer_bottom) - nlines = pScr->numlines - GetScrollPos(pScr->hWnd, SB_VERT); - else - nlines = 0; - - y = pScr->y + nlines; - SetCaretPos(pScr->x * pScr->cxChar, (y+1) * pScr->cyChar); - ShowCaret(pScr->hWnd); -} - - -void -ScreenCursorOff(SCREEN *pScr) -{ - HideCaret(pScr->hWnd); -} - - -void -ScreenELO(SCREEN *pScr, int s) -{ - SCREENLINE *pScrLine; - RECT rc; - - if (s < 0) - s = pScr->y; - - pScrLine = GetScreenLineFromY(pScr,s); - memset(pScrLine->attrib, ScreenClearAttrib, pScr->width); - memset(pScrLine->text, ' ', pScr->width); - rc.left = 0; - rc.right = pScr->width * pScr->cxChar; - rc.top = pScr->cyChar * s; - rc.bottom = pScr->cyChar * (s+1); - InvalidateRect(pScr->hWnd, &rc, TRUE); -} - -void -ScreenEraseScreen(SCREEN *pScr) -{ - int i; - int x1 = 0; - int y1 = 0; - int x2 = pScr->width; - int y2 = pScr->height; - int n = -1; - - for(i = 0; i < pScr->height; i++) - ScreenELO(pScr,i); - - InvalidateRect(pScr->hWnd, NULL, TRUE); - UpdateWindow(pScr->hWnd); -} - - -void -ScreenTabClear(SCREEN *pScr) -{ - int x = 0; - - while(x <= pScr->width) { - pScr->tabs[x] = ' '; - x++; - } -} - - -void -ScreenTabInit(SCREEN *pScr) -{ - int x = 0; - - ScreenTabClear(pScr); - - while(x <= pScr->width) { - pScr->tabs[x] = 'x'; - x += 8; - } - pScr->tabs[pScr->width] = 'x'; -} - - -void -ScreenReset(SCREEN *pScr) -{ - pScr->top = 0; - pScr->bottom = pScr->height-1; - pScr->parmptr = 0; - pScr->escflg = 0; - pScr->DECAWM = 1; - pScr->bWrapPending = FALSE; - pScr->DECCKM = 0; - pScr->DECPAM = 0; - /* pScr->DECORG = 0; */ - /* pScr->Pattrib = -1; */ - pScr->IRM = 0; - pScr->attrib = 0; - pScr->x = 0; - pScr->y = 0; - /* pScr->charset = 0; */ - ScreenEraseScreen(pScr); - ScreenTabInit(pScr); -#if 0 - /* - * QAK - 7/27/90: added because resetting the virtual screen's - * wrapping flag doesn't reset telnet window's wrapping - */ - set_vtwrap(pScrn, pScr->DECAWM); -#endif -} - - -void -ScreenListMove(SCREENLINE *TD, SCREENLINE *BD, SCREENLINE *TI, SCREENLINE *BI) -{ - if (TD->prev != NULL) - TD->prev->next = BD->next; /* Maintain circularity */ - - if (BD->next != NULL) - BD->next->prev = TD->prev; - - TD->prev = TI; /* Place the node in its new home */ - BD->next = BI; - - if (TI != NULL) - TI->next = TD; /* Ditto prev->prev */ - - if (BI != NULL) - BI->prev = BD; -} - - -void -ScreenDelLines(SCREEN *pScr, int n, int s) -{ - SCREENLINE *BI; - SCREENLINE *TI; - SCREENLINE *TD; - SCREENLINE *BD; - SCREENLINE *pLine; - int idx; - RECT rc; - HDC hDC; - - pScr->bWrapPending = FALSE; - - if (s < 0) - s = pScr->y; - - if (s + n - 1 > pScr->bottom) - n = pScr->bottom - s + 1; - - TD = GetScreenLineFromY(pScr, s); - BD = GetScreenLineFromY(pScr, s + n - 1); - TI = GetScreenLineFromY(pScr, pScr->bottom); - BI = TI->next; - - /* - * Adjust the top of the screen and buffer if they will move. - */ - if (TD == pScr->screen_top) { - if (pScr->screen_top == pScr->buffer_top) - pScr->buffer_top = BD->next; - pScr->screen_top = BD->next; - } - - /* - * Adjust the bottom of the screen and buffer if they will move. - */ - if (TI == pScr->screen_bottom) { - if (pScr->screen_bottom == pScr->buffer_bottom) - pScr->buffer_bottom = BD; - pScr->screen_bottom = BD; - } - - if (TI != BD) - ScreenListMove(TD, BD, TI, BI); - - /* - * Clear the lines moved from the deleted area to the - * bottom of the scrolling area. - */ - pLine = TI; - - for (idx = 0; idx < n; idx++) { - pLine = pLine->next; - ScreenClearLine(pScr, pLine); - } - - /* CheckScreen(pScr); */ - - /* - * Scroll the affected area on the screen. - */ - rc.left = 0; - rc.right = pScr->width * pScr->cxChar; - rc.top = s * pScr->cyChar; - rc.bottom = (pScr->bottom + 1) * pScr->cyChar; - - hDC = GetDC(pScr->hWnd); - - ScrollDC(hDC, 0, -pScr->cyChar * n, &rc, &rc, NULL, NULL); - - PatBlt(hDC, 0, (pScr->bottom - n + 1) * pScr->cyChar, - pScr->width * pScr->cxChar, n * pScr->cyChar, WHITENESS); - - ReleaseDC(pScr->hWnd, hDC); -} - - -void -ScreenInsertLine(SCREEN *pScr, int s) -{ - ScreenInsLines(pScr, 1, s); -} - - -void -ScreenInsLines(SCREEN *pScr, int n, int s) -{ - SCREENLINE *TI; - SCREENLINE *BI; - SCREENLINE *TD; - SCREENLINE *BD; - SCREENLINE *pLine; - int idx; - RECT rc; - HDC hDC; - - pScr->bWrapPending = FALSE; - - if (s < 0) - s = pScr->y; - - if (s + n - 1 > pScr->bottom) - n = pScr->bottom - s + 1; - - /* - * Determine the top and bottom of the insert area. Also determine - * the top and bottom of the area to be deleted and moved to the - * insert area. - */ - BI = GetScreenLineFromY(pScr, s); - TI = BI->prev; - TD = GetScreenLineFromY(pScr, pScr->bottom - n + 1); - BD = GetScreenLineFromY(pScr, pScr->bottom); - - /* - * Adjust the top of the screen and buffer if they will move. - */ - if (BI == pScr->screen_top) { - if (pScr->screen_top == pScr->buffer_top) - pScr->buffer_top = TD; - pScr->screen_top = TD; - } - - /* - * Adjust the bottom of the screen and buffer if they will move. - */ - if (BD == pScr->screen_bottom) { - if (pScr->screen_bottom == pScr->buffer_bottom) - pScr->buffer_bottom = TD->prev; - pScr->screen_bottom = TD->prev; - } - - /* - * Move lines from the bottom of the scrolling region to the insert area. - */ - if (TD != BI) - ScreenListMove(TD,BD,TI,BI); - - /* - * Clear the inserted lines - */ - pLine = GetScreenLineFromY(pScr, s); - - for (idx = 0; idx < n; idx++) { - ScreenClearLine(pScr, pLine); - pLine = pLine->next; - } - - /* CheckScreen(pScr); */ - - /* - * Scroll the affected area on the screen. - */ - rc.left = 0; - rc.right = pScr->width * pScr->cxChar; - rc.top = s * pScr->cyChar; - rc.bottom = (pScr->bottom + 1) * pScr->cyChar; - - hDC = GetDC(pScr->hWnd); - - ScrollDC(hDC, 0, pScr->cyChar * n, &rc, &rc, NULL, NULL); - - PatBlt(hDC, 0, s * pScr->cyChar, - pScr->width * pScr->cxChar, n * pScr->cyChar, WHITENESS); - - ReleaseDC(pScr->hWnd, hDC); -} - - -void -ScreenIndex(SCREEN * pScr) -{ - if (pScr->y >= pScr->bottom) - ScreenScroll(pScr); - else - pScr->y++; - - pScr->bWrapPending = FALSE; -} - - -void -ScreenWrapNow(SCREEN *pScr, int *xp, int *yp) -{ - if (pScr->bWrapPending && pScr->x >= pScr->width - 1) { - pScr->x = 0; - ScreenIndex(pScr); - } - - pScr->bWrapPending = FALSE; - - *xp = pScr->x; - *yp = pScr->y; -} - - -void -ScreenEraseToEOL(SCREEN *pScr) -{ - int x1 = pScr->x; - int y1 = pScr->y; - int x2 = pScr->width; - int y2 = pScr->y; - int n = -1; - SCREENLINE *pScrLine; - RECT rc; - - ScreenWrapNow(pScr, &x1, &y1); - - y2 = y1; -#if 0 - wsprintf(strTmp,"[EraseEOL:%d]",y2); - OutputDebugString(strTmp); -#endif - pScrLine = GetScreenLineFromY(pScr,y2); - memset(&pScrLine->attrib[x1], ScreenClearAttrib, pScr->width-x1+1); - memset(&pScrLine->text[x1], ' ', pScr->width - x1 + 1); - rc.left = x1 * pScr->cxChar; - rc.right = pScr->width * pScr->cxChar; - rc.top = pScr->cyChar * y1; - rc.bottom = pScr->cyChar * (y1 + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - UpdateWindow(pScr->hWnd); -} - - -void -ScreenDelChars(SCREEN *pScr, int n) -{ - int x = pScr->x; - int y = pScr->y; - int width; - SCREENLINE *pScrLine; - RECT rc; - - pScr->bWrapPending = FALSE; - - pScrLine = GetScreenLineFromY(pScr, y); - - width = pScr->width - x - n; - - if (width > 0) { - memmove(&pScrLine->attrib[x], &pScrLine->attrib[x + n], width); - memmove(&pScrLine->text[x], &pScrLine->text[x + n], width); - } - - memset(&pScrLine->attrib[pScr->width - n], ScreenClearAttrib, n); - memset(&pScrLine->text[pScr->width - n], ' ', n); - - rc.left = x * pScr->cxChar; - rc.right = pScr->width * pScr->cxChar; - rc.top = pScr->cyChar * y; - rc.bottom = pScr->cyChar * (y + 1); - - InvalidateRect(pScr->hWnd, &rc, TRUE); - - UpdateWindow(pScr->hWnd); -} - - -void -ScreenRevIndex(SCREEN *pScr) -{ - SCREENLINE *pScrLine; - SCREENLINE *pTopLine; - - pScr->bWrapPending = FALSE; - pScrLine = GetScreenLineFromY(pScr, pScr->y); - pTopLine = GetScreenLineFromY(pScr, pScr->top); - - if(pScrLine == pTopLine) - ScreenInsertLine(pScr, pScr->y); - else - pScr->y--; -} - - -void -ScreenEraseToBOL(SCREEN *pScr) -{ - int x1 = 0; - int y1 = pScr->y; - int x2 = pScr->x; - int y2 = pScr->y; - int n = -1; - SCREENLINE *pScrLine; - - pScrLine = GetScreenLineFromY(pScr, pScr->y); - - ScreenWrapNow(pScr, &x2, &y1); - y2 = y1; - memset(pScrLine->attrib, ScreenClearAttrib, x2); - memset(pScrLine->text, ' ', x2); -} - - -void -ScreenEraseLine(SCREEN *pScr, int s) -{ - int x1 = 0; - int y1 = s; - int x2 = pScr->width; - int y2 = s; - int n = -1; - SCREENLINE *pScrLine; - RECT rc; - - if (s < 0) { - ScreenWrapNow(pScr, &x1, &y1); - s = y2 = y1; - x1 = 0; - } - - pScrLine = GetScreenLineFromY(pScr,y1); - memset(pScrLine->attrib, ScreenClearAttrib, pScr->width); - memset(pScrLine->text, ' ', pScr->width); - rc.left = 0; - rc.right = pScr->width * pScr->cxChar; - rc.top = pScr->cyChar * y1; - rc.bottom = pScr->cyChar * (y1+1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); -} - - -void -ScreenEraseToEndOfScreen(SCREEN *pScr) -{ - int i; - int x1 = 0; - int y1 = pScr->y+1; - int x2 = pScr->width; - int y2 = pScr->height; - int n = -1; - - ScreenWrapNow(pScr, &x1, &y1); - y1++; - x1 = 0; - i = y1; - ScreenEraseToEOL(pScr); - while (i < pScr->height) { - ScreenELO(pScr, i); - ScreenEraseLine(pScr, i); - i++; - } -} - - -void -ScreenRange(SCREEN *pScr) -{ - if (pScr->x < 0) - pScr->x = 0; - - if (pScr->x >= pScr->width) - pScr->x = pScr->width - 1; - - if (pScr->y < 0) - pScr->y = 0; - - if (pScr->y >= pScr->height) - pScr->y = pScr->height - 1; -} - - -void -ScreenAlign(SCREEN *pScr) /* vt100 alignment, fill screen with 'E's */ -{ - char *tt; - int i; - int j; - SCREENLINE *pScrLine; - - pScrLine = GetScreenLineFromY(pScr, pScr->top); - ScreenEraseScreen(pScr); - - for(j = 0; j < pScr->height; j++) { - tt = &pScrLine->text[0]; - for(i = 0; i <= pScr->width; i++) - *tt++ = 'E'; - pScrLine = pScrLine->next; - } -} - - -void -ScreenApClear(SCREEN *pScr) -{ - /* - * reset all the ANSI parameters back to the default state - */ - for(pScr->parmptr=5; pScr->parmptr>=0; pScr->parmptr--) - pScr->parms[pScr->parmptr] = -1; - - pScr->parmptr = 0; -} - - -void -ScreenSetOption(SCREEN *pScr, int toggle) -{ - if (pScr->parms[0] == -2 && pScr->parms[1] == 1) - pScr->DECCKM = toggle; - -#if 0 - switch(pScr->parms[0]) { - - case -2: /* Set on the '?' char */ - switch(pScr->parms[1]) { - - case 1: /* set/reset cursor key mode */ - pScr->DECCKM = toggle; - break; - -#ifdef NOT_SUPPORTED - case 2: /* set/reset ANSI/vt52 mode */ - break; -#endif - - case 3: /* set/reset column mode */ - pScr->x = pScr->y = 0; /* Clear the screen, mama! */ - ScreenEraseScreen(pScr); -#if 0 /* removed for variable screen size */ - if (toggle) /* 132 column mode */ - pScr->width = pScr->allwidth; - else - pScr->width = 79; -#endif - break; - -#ifdef NOT_SUPPORTED - case 4: /* set/reset scrolling mode */ - case 5: /* set/reset screen mode */ - case 6: /* set/rest origin mode */ - pScr->DECORG = toggle; - break; -#endif - - case 7: /* set/reset wrap mode */ - pScr->DECAWM = toggle; -#if 0 - /* - * QAK - 7/27/90: added because resetting the virtual screen's - * wrapping flag doesn't reset telnet window's wrapping - */ - set_vtwrap(pScrn, fpScr->DECAWM); -#endif - break; - -#ifdef NOT_SUPPORTED - case 8: /* set/reset autorepeat mode */ - case 9: /* set/reset interlace mode */ - break; -#endif - - default: - break; - } /* end switch */ - break; - - case 4: - pScr->IRM=toggle; - break; - - default: - break; - - } /* end switch */ -#endif -} - - -#ifdef NOT_SUPPORTED -void -ScreenTab(SCREEN *pScr) -{ - if (pScr->x> = pScr->width) - pScr->x = pScr->width; - pScr->x++; - while (pScr->tabs[fpScr->x] != 'x' && pScr->x < pScr->width) - pScr->x++; -} -#endif - - -BOOL -ScreenInsChar(SCREEN *pScr, int x) -{ - int i; - SCREENLINE *pScrLine; - RECT rc; - - pScrLine = GetScreenLineFromY(pScr, pScr->y); - if (pScrLine == NULL) - return(FALSE); - - for(i = pScr->width - x; i >= pScr->x; i--) { - pScrLine->text[x+i] = pScrLine->text[i]; - pScrLine->attrib[x+i] = pScrLine->attrib[i]; - } - - memset(&pScrLine->attrib[pScr->x], ScreenClearAttrib, x); - memset(&pScrLine->text[pScr->x], ' ', x); - rc.left = pScr->cxChar * x; - rc.right = pScr->cxChar * (x + pScr->x); - rc.top = pScr->cyChar * (pScr->y - 1); - rc.bottom = pScr->cyChar * pScr->y; - InvalidateRect(pScr->hWnd, &rc, TRUE); - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); - return(TRUE); -} - - -void -ScreenSaveCursor(SCREEN *pScr) -{ - pScr->Px = pScr->x; - pScr->Py = pScr->y; - pScr->Pattrib = pScr->attrib; -} - - -void -ScreenRestoreCursor(SCREEN *pScr) -{ - pScr->x = pScr->Px; - pScr->y = pScr->Py; - ScreenRange(pScr); -} - - -void -ScreenDraw(SCREEN *pScr, int x, int y, int a, int len, char *c) -{ - int idx; - SCREENLINE *pScrLine; - RECT rc; - - pScrLine = GetScreenLineFromY(pScr, y); - assert(pScrLine != NULL); - - for(idx = x; idx < x + len; idx++) { - pScrLine->text[idx] = c[idx - x]; - pScrLine->attrib[idx - x] = a; - } - - rc.left = pScr->cxChar * x; - rc.right = pScr->cxChar * (x + len); - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - SendMessage(pScr->hWnd, WM_PAINT, 0, 0); -} - - -#if ! defined(NDEBUG) - -BOOL -CheckScreen(SCREEN *pScr) -{ - SCREENLINE *pLinePrev; - SCREENLINE *pLine; - int nscreen = 0; - int nbuffer = 0; - int topline = 0; - char buf[512]; - BOOL bBottom; - BOOL bOK; - - pLine = pScr->buffer_top; - - if (pLine == NULL) { - OutputDebugString("CheckScreen: buffer_top invalid"); - MessageBox(NULL, "buffer_top invalid", "CheckScreen", MB_OK); - return(FALSE); - } - - bBottom = FALSE; - while (TRUE) { - pLinePrev = pLine; - if (nscreen > 0 || pLine == pScr->screen_top) - if (!bBottom) - nscreen++; - nbuffer++; - if (pLine == pScr->screen_top) - topline = nbuffer - 1; - if (pLine == pScr->screen_bottom) - bBottom = TRUE; - pLine = pLine->next; - if (pLine == NULL) - break; - if (pLine->prev != pLinePrev) { - wsprintf(buf, - "Previous ptr of line %d does not match next ptr of line %d", - nbuffer, nbuffer - 1); - OutputDebugString(buf); - MessageBox(NULL, buf, "CheckScreen", MB_OK); - } - } - - if (pLinePrev == pScr->buffer_bottom && nscreen == pScr->height) - bOK = TRUE; - else { - OutputDebugString("CheckScreen: Invalid number of lines on screen"); - bOK = FALSE; - } - - wsprintf(buf, "screen.width = %d\nscreen.height = %d\nscreen.maxlines = %d\nscreen.numlines = %d\nscreen.x = %d\nscreen.y = %d\nscreen.top = %d\nscreen.bottom = %d\nActual top line = %d\nActual buffer lines = %d\nActual screen lines = %d\nBottom of buffer is %s", - pScr->width, pScr->height, pScr->maxlines, pScr->numlines, - pScr->x, pScr->y, pScr->top, pScr->bottom, - topline, nbuffer, nscreen, - (pLinePrev == pScr->buffer_bottom) ? "valid" : "invalid"); - - MessageBox(NULL, buf, "CheckScreen", MB_OK); - - return(bOK); -} - -#endif diff --git a/src/windows/wintel/k5stream.c b/src/windows/wintel/k5stream.c deleted file mode 100644 index f39daa8..0000000 --- a/src/windows/wintel/k5stream.c +++ /dev/null @@ -1,118 +0,0 @@ -/* - * - * K5stream - * - * Emulates the kstream package in Kerberos 4 - * - */ - -#include -#include -#include -#include "telnet.h" -#include "k5stream.h" -#include "auth.h" - -int -kstream_destroy(kstream ks) -{ - if (ks != NULL) { - auth_destroy(ks); /* Destroy authorizing */ - - closesocket(ks->fd); /* Close the socket??? */ - free(ks); - } - return 0; -} - -void -kstream_set_buffer_mode(kstream ks, int mode) -{ -} - - -kstream -kstream_create_from_fd(int fd, - const struct kstream_crypt_ctl_block *ctl, - kstream_ptr data) -{ - kstream ks; - int n; - BOOL on = 1; - - ks = malloc(sizeof(struct kstream_int)); - if (ks == NULL) - return NULL; - - ks->fd = fd; - - setsockopt(ks->fd, SOL_SOCKET, SO_OOBINLINE, (const char *)&on, sizeof(on)); - - n = auth_init(ks, data); /* Initialize authorizing */ - if (n) { - free(ks); - return NULL; - } - - ks->encrypt = NULL; - ks->decrypt = NULL; - - return ks; -} - -int -kstream_write(kstream ks, void *p_data, size_t p_len) -{ - int n; - struct kstream_data_block i; - -#ifdef DEBUG - hexdump("plaintext:", p_data, p_len); -#endif - - if (ks->encrypt) { - i.ptr = p_data; - i.length = p_len; - ks->encrypt(&i, NULL, NULL); -#ifdef DEBUG - hexdump("cyphertext:", p_data, p_len); -#endif - } - - n = send(ks->fd, p_data, p_len, 0); /* Write the data */ - - return n; /* higher layer does retries */ -} - - -int -kstream_read(kstream ks, void *p_data, size_t p_len) -{ - int n; - struct kstream_data_block i; - - n = recv(ks->fd, p_data, p_len, 0); /* read the data */ - - if (n < 0) - return n; - -#ifdef DEBUG - hexdump("input data:", p_data, n); -#endif - - if (ks->decrypt) { - extern int encrypt_flag; - - if (encrypt_flag == 2) - encrypt_flag = 1; - - i.ptr = p_data; - i.length = n; - ks->decrypt(&i, NULL, NULL); -#ifdef DEBUG - hexdump("decrypted data:", p_data, n); -#endif - } - - return n; /* higher layer does retries */ -} diff --git a/src/windows/wintel/k5stream.h b/src/windows/wintel/k5stream.h deleted file mode 100644 index 3a63ca1..0000000 --- a/src/windows/wintel/k5stream.h +++ /dev/null @@ -1,57 +0,0 @@ -/* Header file for encrypted-stream library. - * Written by Ken Raeburn (Raeburn@Cygnus.COM). - * Copyright (C) 1991, 1992, 1994 by Cygnus Support. - * - * Permission to use, copy, modify, and - * distribute this software and its documentation for any purpose and - * without fee is hereby granted, provided that the above copyright - * notice appear in all copies and that both that copyright notice and - * this permission notice appear in supporting documentation. - * Cygnus Support makes no representations about the suitability of - * this software for any purpose. It is provided "as is" without express - * or implied warranty. - */ - -#ifndef K5STREAM_H -#define K5STREAM_H - -typedef struct kstream_int { /* Object we pass around */ - int fd; /* Open socket descriptor */ - int (*encrypt)(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - struct kstream *kstream); - int (*decrypt)(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - struct kstream *kstream); -} *kstream; - -typedef void *kstream_ptr; /* Data send on the kstream */ - -struct kstream_data_block { - kstream_ptr ptr; - size_t length; -}; - -struct kstream_crypt_ctl_block { - int (*encrypt)(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - kstream); - int (*decrypt)(struct kstream_data_block *, /* output */ - struct kstream_data_block *, /* input */ - kstream); - int (*init)(kstream, kstream_ptr); - void (*destroy)(kstream); -}; - - -/* Prototypes */ - -int kstream_destroy(kstream); -void kstream_set_buffer_mode(kstream, int); -kstream kstream_create_from_fd(int fd, - const struct kstream_crypt_ctl_block *, - kstream_ptr); -int kstream_write(kstream, void *, size_t); -int kstream_read(kstream, void *, size_t); - -#endif /* K5STREAM_H */ diff --git a/src/windows/wintel/ktelnet.doc b/src/windows/wintel/ktelnet.doc deleted file mode 100644 index 64e4f452697bdd664faa1be51e115c9506bf784a..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 16384 zcmeHOYiu0Xbw0ygzAUXIN*3eFl5)LL6-%NwvSOvS=r)Q-%A_cfj7VE{vKBMk9dbw9 zomtP$ilWn^vYP-Y>H>CRATf}@N?^HpA%N}ts{2q<$8LkBmC+c;LunN_$)6U5W29)} zIAXu=&dly|`3MyYZiVhh-<~^n?mhS1bI&>VF~bZ0+;Qo1&usdU)LnldF}Xa~E-f|r z2GSd%`*kAMBh9?ab8~adUJoGIxUL}$Ts)VP%%%1?$Is$Vbj3s-TrD!1j54b9WUI*9 zrt1BosZNo- z30;NqeJGFa$_GH(Ks(+k!Y*zAAe+N{lfc_kGEABsn_U{G#7tk}HlxMLk z>i>PAoFc8#jux91NM2t%su9tsg?(Fsk`d>KMjEK+6Xi$s>M8kOM5TH@_4m|N?REa) z*IqgI(dUh)Fv4AUZ~^o%=%(=gPw`gZd%JeK{o-*ycIgz*aClWn5*DbM-srucLuS_Sa zMqJO2^2g0_=8q$PocSt&Mkej4vd2n;mN&6$$nw>gm3KfUT~8giovb@kswpeNTL$@Xpt1Bv4qCbh_ zIm=PAZdpy*9{TB(o#mwOQns&V?0jBj?NTvs&O$#~+swODYQjB@hTTGulIkA&&~^?= zN-5Qc0q|6mp&YYdDTtlP+nH$vx%tHOJa(U%ErlV{plP_m2 zEs$p6lnWCO-LX#VCgyda3!)ZH&-AUVnxHC5MKfbT#39!w3lnw|wU{-ng6o8B_Uao| zC`02D7M1Q$X<8Ae#D-I~gSRr%O5BHGWGA2!ZHktf$yt!ti|o+mFu*$eQlQicGc&Da zR?`;bFR5fDC&}?iW-%1Ll{^@g8$VSV@6~zia4=AmT#sK7!(a4ls6%CPuAK>okI#~k z*;`3fu$(e_H-@3hna&hF623`Y>S0eF!fh&*N>)d2L2ad?u7;J^2HAj%KbyDI%~onE z)dic(XKAt~>}+S3cH)x#pfz8&3*1bL2JgerVbH547}^eE2OOF9##Uj%#R(UtRp|h8 zbFT8%>>*S3p+(=z?;dbUmggq} z6&4W&!saT*UJ(h_3@Nqy%#(ekqA=`OOUW{tvnTx;VS-o_7`P6VI@&Jgc*-uRz3+jW z3`12O#@#ywW1$6_hcgVO!F|==g3?(R6538Qg;Zjor>YXr zfvwXyd%}iuBZ|46$EY}A<;+tyj0x2jGlWRxVK}ERCr|VT&VS;47<=D?pTm+fIX*-5 z5A8k}kb;|~Hzl@J=h*GlinHB1D0Ev0Fm>Dmm(dFra19-3g!ySGbq)ZJssYxxKq9eG zp1SbvbC-Vq>9*FtXlwn#+2${vZT^x-zHz;s8o)MR44?^!0db%iXaQP*ZeSFc1`5FA z!1KUg0~df-ff)9AaiAG!0a}4JfV;};h-U1KfStg{fKLEV0_TCR1K$At4tN3hCh#Kg z60jGC4+B6N*o-~r7GNvzPCx-S0ZCvR;9}EO1Rel9;QPQ2fQ!Hnfpojb{lE!e95{I$ z`UI4LQ@|PEA>hw|M}SWOp9Y=`(~4E?*_VnZs1N}5I6#uzyvT0@GRglpdyL<>gsL68l2u{4K$UFVEkbQIO_oR z1N3$JIDPvkz)t}K{@Vm>2mS^=`M1Dpz-Qo-p9MC-_ihAk2mTGX1mxjw1;7FR82B#m zJ>Wlp``~*Y1U>|mfgF6v2I!CUMfxFqkp4&Cqu-cTCCV9KA4m`GUDB+}c2&#nqcqKt^qRNsYo-&jx9HL}eSI%Wx6CWuCiiIB zJHfrRp8M~yeCxdO0rz#_-d4~3c9w3NS32U(^6mBIaV)(CXUOyQ5=gUNlJfooug`rB zw6oWmG|PD(Cx)Jhjc+lhc$`w>21(fh-mjx94h~)4;dXco=Nvo{Uklx5t`||Vayc59?2yaDhU_(VNQXW|)oj#&lg05H){A(X)RAJrq-;iu2Mx3s zSY1t->!srYPvRALb%3*ybz^q%-TM42G&IRpBKnAeFR&!YiePC%CYrH7=91DMft-yb$k%7&W0 zSDKN#vtq^UDOt2hi$>C0U6x<3ZAPKlwJv;z>AGio`b$K>Uk6?WegynCum&=B0Ikww%)tWqi}y14 zjX`H~b8($+*1s+K7fT*oY@cni9r7k$@+7a|!VRwA7E3E!PzNq30T*={T+~FfUU3KS zQ(L7)X-V+gq|=ZD>9|fq5~N#nI*^1T!cm~+scmYSS`IXP6B;oPSt-e8{KoYAv$&4) z&9IY-BoL9i1Frg8=?A#yYJod}cDTeUX*)K2aJawk$jC?W=p*6q)uxBRY#R7;fd2Cj zz^lL}2)7e>1b7lSi27;ZWe9u`xE})B0ADmd0Xze|3cLZdLy|qf9|2DR&jBw2{|+=k zh7Mpea0{>>I0}3ipnR?9@bXyxX;k~7(ScVoGp;wSMlCOc7drmzojv>0#|MUbhmVh@ zd;3NQ$A(AJgMG&i_8l7@Rr~npj(zH`y9d%eL!*jHONXajsovq9tI6)z*r98homHCl z-C~+AzAVozQFpdet2?}stLSdY&ITv&rF1rAH(h0iM_@Nqw$m9LuIB34%^m0;QAbRi zI3LDax!aCPIz2Xk(Hu)fpHKUHXIIWk}$Ze9**#h1e$*LVJ@_xL@%FBlJ zO!wTSf*Lm;AKED!lFU0gszy!N7=na7DQjEE0LDDUg>ngtp1AZFt8chxHP<)6g6RWy zwoMXLZ!nDO!DkDCcPryBYW#^LD!LEEXE+b8?Xi0hoX=oBL@^ym!6Tk~lCJ=!EXNAoQR){`EXWY`RdvU{6j(2eCkt~z5kTI~Y)rUT&jU%v*p5@UL6NSFHz zisc&D|Gox}iHm=}DCxu2#ura!F?zI$LHyLuNAC+_65?fSxOY_KOFKHT_K$kOTGAdA zInT7nA^se={IdQcDEcypd$sd0IMzFk);-KMy`UK>O95Y@QI3^EJWU+`J(2t}Gs*s=jUqms&4~@|UC3 z_3Ef2%N1PVvny?Xg=|+`>{@PrIsa>V<=d}(CUxVwPksvi*Y(S<(*G_3^dSykKR|yN z0qA!{fPQxxpx>PVv_FB;UmgYMSCQXF{_+mwjd^y_pT&6!Ld^`mwC%zPa0Yu1`t_gw zZa`_{yeG()S43B%0opU|`pW!|+=A;ZE~OjQ8yaY6prL_=1{xY@XrQ5ih6WlMXlS6J zf&bGQ*c+ZJaNksS)>HEriFgl$9p8a)pG2}C{hy_8@~=L1ewgOYisvq*e2qoQS6QUI Ycp}u;e@5B}^l_zsi(h;8@Y|&S2Q5ZA#4RR~09!5NpTi7$DRQnAoJT4VYLFLu}$>NZUYDN3~6$fy76JrfRBK5l~GPWam6L zRabQrLfRkGeC6wRKJGp5-rv3VoO9p$J6zB$0L)8r2;ghJ6!Y*{1#jF!@h9#_FIEKMIv=R8_^p9F=Jp@5l*8+uk7TU9iixJXz_8dCNw=`OzZ&XVclv#v1HKC zTp=M+Sf#Zcq6E_Z>j<#R%gl@b0{BpDxO@)42jbhdCi{0L;Xn}JKs>o~+m_x0yfP1& z0n~s&)TSL9lH2?HVM(3C^z|lt;rA5^4{1;>y7Wb@k(y?(zoeE8YpFYMvpnLjeL2-}y*MPp$|&&9qH8Oym^(dggUoRtzj z7Xx|7W#|>I62IfdU5RrQl5%~e3Lg>`as#hZ6A%>*uh`1K3 zxQI|A(eostf;2b{DD*+wa{MEo4PiV@rvTG1ed_q{x-w-97~h!dKlSH#zctueJNoEL zi(g-un4T7PK!L@xMlJ^ihMh6i%^;FA3R>D?5Kv6c;>tKET24vjco^2u8y2&9z*aFo z+ug!o#Zop{lVE!jY$ZE57up+PXSs#71O^PVA7DG{_Ofun1a4W(H*oC=$HD@#LUSCY zsXO?*MHH1$f|eKuA8PQ0h;VD8*P{%>S0z<=Q0S=u)GBnlThG=#QqZvFz0}d^LJLG2 zUiK%;L088sAE?99Yg5E!m%y%ItX{l< zfW8LngR~TDT$NP<@tepxJNO9{(MmacdQBO*!+6TCpN6lYjCL+98{CQV1aarZ5 zgnjofL<37^ZBiFljaBX`AG%R|`(($~J*4wTjfLbypfgl-{sx3D~5vf)0Z@K>Q=Y6Al6 ziKJCSOTSugmKlVAZ4QKl4dYFIMIYmXqJax&c~1)v9O(5zFcyo2qJ`SM&5!vn+r*0<_|E0Zh1J zD3Mn!E8lt7$vq9vN#m>>Ok>*1a(@Xup|S(zkX%!5Ho%-dm#wlu9@ESpa&KcCI&T!b zsx%U*kFNu<(=|EZN(ps-+st`-f}!_!w}uOf^|ZLhKLWLEL%Q>(zcUCYTpj+wa(GzP zvbM+56B)u>(8)u|d!40OevTueDS&tq|Io`-3aK3Wa~kq7Ob+(~+r0vXm}NS1hiFYt zWv(x}7rS5lv~D@HIKg5!>dC6pi}ur1XWY-f^x=bzZ-iMNYxk|}S}Se)acHfzlbhoy zv0uzSE{1D){!#aR?!Z7Y;q}VGEtVTIbW8Ydm_|DnE4~ik1lG#BoFGwUsQ93_k%yk4 z1}eGvy(~(Db#h-CJ$#OTIG9CnUyXdMW5 z`I`<7^!}>Z7rNaw_)J3>LbtCEMOnb!Y?eNBE3UNqPV+$j`Kxa^={7Qa0lB zN$)!l*P9w7Y0;%I|8(G|)7{e@^=uV<5v$zs0sI8VN0{>44tiaRTMkm;D z7oN@guQd6JyP#GZnWy3%k-m6}$q)Toe?iXc%X$ZLYFF|ApP|dSa65E-&?rXO3w)pR zZ4TZ?$%a`MCXZV&xv%0cK62vRl_ph{RS~EnP(`4MKox;10$&n=%hQD`X3>>&fi6-n zGv=fV>hNn*6vXKx4TWm@gh;`jKB-YKKRoiu)ieV7!bk}NeRZU)qFSm5R1v5mP(`4M zKox=iJp^Ju0(j=wk$aBb`@p+T9{b+mdmlP-H+@sRv^;h6k)ywO;rP!km0e1c4evhz DM|puD diff --git a/src/windows/wintel/ktelnet.hpj b/src/windows/wintel/ktelnet.hpj deleted file mode 100644 index d69185c..0000000 --- a/src/windows/wintel/ktelnet.hpj +++ /dev/null @@ -1,92 +0,0 @@ -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; Help Project File for KTELNET -; -; This file is maintained by RoboHELP. Do not modify this file directly. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - -[OPTIONS] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Options section contains the following information: -; -; The optional BMROOT= entry sets the directories in which the Help Compiler -; will look for graphics. -; -; The CONTENTS= tells WinHelp which topic contains the contents. -; -; The TITLE= is displayed in the Title Bar of WINHELP.EXE -; -; The BUILD= setting allows you to create different Help systems from -; the same source file. -; -; The COMPRESS= option tells the Help Compiler how much to compress -; the Help file. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -;BMROOT=C:\WINDOWS\DESKTOP\KERBEROS 5\WIN95 GUI\CNS HELP -TITLE=Kerb*Net Telnet for Windows -BUILD=WINDOWS -NOTES=1 - - -OLDKEYPHRASE=NO -OPTCDROM=0 -REPORT=YES -COMPRESS=12 -ERRORLOG=C:\windows\desktop\kerberos 5\win95 gui\cns help\KTELNET.ERR -[BUILDTAGS] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Build Tags section specifies to the Help Compiler the names -; of all the valid build tags used in this Help project. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -WINDOWS - - -[CONFIG] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Config section defines macros which will run at startup. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - - - -[FILES] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Files section specifies the RTF files for a project. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - -KTELNET.RTF -[ALIAS] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Alias section sets up aliases for Topic IDs in your Help system. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - -[MAP] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Map section specifies the project HH files. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - -[BITMAPS] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Bitmaps section specifies the referenced bitmaps used in -; your help system. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - - -[WINDOWS] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Windows section contains all of the information about the windows -; in a Help project. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -;Gloss = "Glossary",(100,100,350,350),0,(255,255,255),(255,255,255) -main=,,29188,, -(w95sec)=,,20740,(r14745599),(r14745599),f2 - - -[BAGGAGE] -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * -; The Baggage section specifies any additional files. -;* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * - diff --git a/src/windows/wintel/ncsa.ico b/src/windows/wintel/ncsa.ico deleted file mode 100644 index 8a6cb6a564b581cb96115998f13bc864e432c31b..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 766 zcmZvaF?NJ73`B=)-hu=yh;Oi0;wULox(h|#bNSgnYAiu8n9ZV0a z&xtwr!?h>X?@f++@89)ZiqEj=TY|jPW94q{>_!iM{1RsfBS^WSpC#k;xq?C`&@T -#include "telnet.h" -#include "telnet_arpa.h" -#include "auth.h" -#include "encrypt.h" - -#define STNORM 0 -#define NEGOTIATE 1 -#define ESCFOUND 5 -#define IACFOUND 6 - -unsigned char parsedat[256]; - -/* Local functions */ -static void parse_subnegotiat(kstream ks,int end_sub); - -/* Local variables */ -static char *telstates[]={ - "EOF", - "Suspend Process", - "Abort Process", - "Unknown (239)", - "Subnegotiation End", - "NOP", - "Data Mark", - "Break", - "Interrupt Process", - "Abort Output", - "Are You There", - "Erase Character", - "Erase Line", - "Go Ahead", - "Subnegotiate", - "Will", - "Won't", - "Do", - "Don't" -}; - -static char *teloptions[256]={ /* ascii strings for Telnet options */ - "Binary", /* 0 */ - "Echo", - "Reconnection", - "Supress Go Ahead", - "Message Size Negotiation", - "Status", /* 5 */ - "Timing Mark", - "Remote Controlled Trans and Echo", - "Output Line Width", - "Output Page Size", - "Output Carriage-Return Disposition", /* 10 */ - "Output Horizontal Tab Stops", - "Output Horizontal Tab Disposition", - "Output Formfeed Disposition", - "Output Vertical Tabstops", - "Output Vertical Tab Disposition", /* 15 */ - "Output Linefeed Disposition", - "Extended ASCII", - "Logout", - "Byte Macro", - "Data Entry Terminal", /* 20 */ - "SUPDUP", - "SUPDUP Output", - "Send Location", - "Terminal Type", - "End of Record", /* 25 */ - "TACACS User Identification", - "Output Marking", - "Terminal Location Number", - "3270 Regime", - "X.3 PAD", /* 30 */ - "Negotiate About Window Size", - "Terminal Speed", - "Toggle Flow Control", - "Linemode", - "X Display Location", /* 35 */ - "Environment", - "Authentication", - "Data Encryption", - "39", - "40","41","42","43","44","45","46","47","48","49", - "50","51","52","53","54","55","56","57","58","59", - "60","61","62","63","64","65","66","67","68","69", - "70","71","72","73","74","75","76","77","78","79", - "80","81","82","83","84","85","86","87","88","89", - "90","91","92","93","94","95","96","97","98","99", - "100","101","102","103","104","105","106","107","108","109", - "110","111","112","113","114","115","116","117","118","119", - "120","121","122","123","124","125","126","127","128","129", - "130","131","132","133","134","135","136","137","138","139", - "140","141","142","143","144","145","146","147","148","149", - "150","151","152","153","154","155","156","157","158","159", - "160","161","162","163","164","165","166","167","168","169", - "170","171","172","173","174","175","176","177","178","179", - "180","181","182","183","184","185","186","187","188","189", - "190","191","192","193","194","195","196","197","198","199", - "200","201","202","203","204","205","206","207","208","209", - "210","211","212","213","214","215","216","217","218","219", - "220","221","222","223","224","225","226","227","228","229", - "230","231","232","233","234","235","236","237","238","239", - "240","241","242","243","244","245","246","247","248","249", - "250","251","252","253","254", - "Extended Options List" /* 255 */ -}; - -static char *LMoptions[]={ /* ascii strings for Linemode sub-options */ - "None", "MODE", "FORWARDMASK", "SLC" -}; - -static char *ModeOptions[]={ /* ascii strings for Linemode edit options */ - "None", "EDIT", "TRAPSIG", "ACK", "SOFT TAB", "LIT ECHO" -}; - -static char *SLCoptions[]={ /* ascii strings for Linemode SLC characters */ - "None", "SYNCH", "BREAK", "IP", "ABORT OUTPUT", - "AYT", "EOR", "ABORT", "EOF", "SUSP", - "EC", "EL", "EW", "RP", "LNEXT", - "XON", "XOFF", "FORW1", "FORW2", "MCL", - "MCR", "MCWL", "MCWR", "MCBOL", "MCEOL", - "INSRT", "OVER", "ECR", "EWR", "EBOL", - "EEOL" -}; - -static char *SLCflags[]={ /* ascii strings for Linemode SLC flags */ - "SLC_NOSUPPORT", "SLC_CANTCHANGE", "SLC_VALUE", "SLC_DEFAULT" -}; - -/* Linemode default character for each function */ -static unsigned char LMdefaults[NTELOPTS + 1]={ - (unsigned char)-1, /* zero isn't used */ - (unsigned char)-1, /* we don't support SYNCH */ - 3, /* ^C is default for BRK */ - 3, /* ^C is default for IP */ - 15, /* ^O is default for AO */ - 25, /* ^Y is default for AYT */ /* 5 */ - (unsigned char)-1, /* we don't support EOR */ - 3, /* ^C is default for ABORT */ - 4, /* ^D is default for EOF */ - 26, /* ^Z is default for SUSP */ - 8, /* ^H is default for EC */ /* 10 */ - 21, /* ^U is default for EL */ - 23, /* ^W is default for EW */ - 18, /* ^R is default for RP */ - 22, /* ^V is default for LNEXT */ - 17, /* ^Q is default for XON */ /* 15 */ - 19, /* ^S is default for XOFF */ - 22, /* ^V is default for FORW1 */ - 5, /* ^E is default for FORW2 */ - (unsigned char)-1, /* we don't support MCL */ - (unsigned char)-1, /* we don't support MCR */ /* 20 */ - (unsigned char)-1, /* we don't support MCWL */ - (unsigned char)-1, /* we don't support MCWR */ - (unsigned char)-1, /* we don't support MCBOL */ - (unsigned char)-1, /* we don't support MCEOL */ - (unsigned char)-1, /* we don't support INSRT */ /* 25 */ - (unsigned char)-1, /* we don't support OVER */ - (unsigned char)-1, /* we don't support ECR */ - (unsigned char)-1, /* we don't support EWR */ - (unsigned char)-1, /* we don't support EBOL */ - (unsigned char)-1 /* we don't support EEOL */ /* 30 */ -}; - - -/* - * Function : start_negotiation() - * Purpose : Send the initial negotiations on the network and print - * the negotitations to the console screen. - * Parameters : - * dat - the port number to write to - * cvs - the console's virtual screen - * Returns : none - * Calls : tprintf(), netprintf() - * Called by : dosessions() - */ -void -start_negotiation(kstream ks) -{ - char buf[128]; - - /* Send the initial telnet negotiations */ -#ifdef ENCRYPTION /* XXX */ - if (encrypt_flag) - wsprintf(buf,"%c%c%c%c%c%c%c%c%c%c%c%c%c%c%c", - IAC, WILL, TELOPT_AUTHENTICATION, - IAC, WILL, TELOPT_ENCRYPT, - IAC, DO, TELOPT_SGA, - IAC, DO, TELOPT_ECHO, - IAC, WILL, TELOPT_NAWS - ); - else -#endif - wsprintf(buf,"%c%c%c%c%c%c%c%c%c%c%c%c", - IAC, WILL, TELOPT_AUTHENTICATION, - IAC, DO, TELOPT_SGA, - IAC, DO, TELOPT_ECHO, - IAC, WILL, TELOPT_NAWS - ); - TelnetSend(ks,buf,lstrlen(buf),0); - -#ifdef NOT - /* check whether we are going to be output mapping */ - if(tw->mapoutput) { - netprintf(tw->pnum,"%c%c%c",IAC,DO,TELOPT_BINARY); - /* set the flag indicating we wanted server to start transmitting binary */ - tw->uwantbinary=1; - netprintf(tw->pnum,"%c%c%c",IAC,WILL,TELOPT_BINARY); - /* set the flag indicating we want to start transmitting binary */ - tw->iwantbinary=1; - } /* end if */ -#endif - - /* Print to the console what we just did */ -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n",telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_ECHO]); - OutputDebugString(strTmp); - wsprintf(strTmp,"SEND: %s %s\r\n",telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_SGA]); - OutputDebugString(strTmp); - wsprintf(strTmp,"SEND: %s %s\r\n",telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_NAWS]); - OutputDebugString(strTmp); - -#ifdef NOT - tprintf(cvs,"SEND: %s %s\r\n",telstates[DO - TELCMD_FIRST], - teloptions[BINARY]); - tprintf(cvs,"SEND: %s %s\r\n",telstates[WILL - TELCMD_FIRST], - teloptions[BINARY]); -#endif -#endif -} /* end start_negotiation() */ - -/* - * parse - * Do the telnet negotiation parsing. - * - * look at the string which has just come in from outside and - * check for special sequences that we are interested in. - * - * Tries to pass through routine strings immediately, waiting for special - * characters ESC and IAC to change modes. - */ -void -parse(CONNECTION *con,unsigned char *st,int cnt) -{ - static int sub_pos; /* the position we are in the subnegotiation parsing */ - static int end_sub; /* index of last byte in parsedat in a subnegotiation */ - unsigned char *mark, *orig; - char buf[256]; - kstream ks; - - ks = con->ks; - -#ifdef PRINT_EVERYTHING - hexdump("Options to process:", st, cnt); -#endif /* PRINT_EVERYTHING */ - - orig = st; /* remember beginning point */ - mark = st + cnt; /* set to end of input string */ - -#ifdef HUH - netpush(tw->pnum); -#endif - - /* - * traverse string, looking for any special characters which indicate that - * we need to change modes. - */ - while(st < mark) { - - while(con->telstate != STNORM && st < mark) { - switch(con->telstate) { - case IACFOUND: /* telnet option negotiation */ - if(*st == IAC) { /* real data=255 */ - st++; /* real 255 will get sent */ - con->telstate = STNORM; - break; - } /* end if */ - - if(*st > 239) { - con->telstate = *st++; /* by what the option is */ - break; - } /* end if */ - -#ifdef NEGOTIATEDEBUG - wsprintf(buf, "\r\n strange telnet option"); - OutputDebugString(buf); -#endif - orig=++st; - con->telstate=STNORM; - break; - - case EL: /* received a telnet erase line command */ - case EC: /* received a telnet erase character command */ - case AYT: /* received a telnet Are-You-There command */ - case AO: /* received a telnet Abort Output command */ - case IP: /* received a telnet Interrupt Process command */ - case BREAK: /* received a telnet Break command */ - case DM: /* received a telnet Data Mark command */ - case NOP: /* received a telnet No Operation command */ - case SE: /* received a telnet Subnegotiation End command */ - case ABORT: /* received a telnet Abort Process command */ - case SUSP: /* received a telnet Suspend Process command */ - case xEOF: /* received a telnet EOF command */ -#ifdef NEGOTIATEDEBUG - wsprintf(buf,"RECV: %s\r\n", - telstates[con->telstate-TELCMD_FIRST]); - OutputDebugString(buf); -#endif - con->telstate=STNORM; - orig=++st; - break; - - case GA: /* telnet go ahead option*/ -#ifdef NEGOTIATEDEBUG - wsprintf(buf,"RECV: %s\r\n", - telstates[con->telstate-TELCMD_FIRST]); - OutputDebugString(buf); -#endif - con->telstate=STNORM; - orig=++st; - break; - - case DO: /* received a telnet DO negotiation */ -#ifdef NEGOTIATEDEBUG - wsprintf(buf,"RECV: %s %s\r\n", - telstates[con->telstate-TELCMD_FIRST],teloptions[*st]); - OutputDebugString(buf); -#endif - switch(*st) { -#ifdef NOT - case TELOPT_BINARY: /* DO: binary transmission */ - if(!tw->ibinary) { /* binary */ - if(!tw->iwantbinary) { - netprintf(tw->pnum,"%c%c%c", - IAC,WILL,BINARY); - if(tw->condebug>0) - tprintf(cv,"SEND: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[BINARY]); - } /* end if */ - else - tw->iwantbinary=0; /* turn off this now */ - tw->ibinary=1; - } /* end if */ - else { - if(tw->condebug>0) - tprintf(cv,"NO REPLY NEEDED: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[BINARY]); - } /* end else */ - break; -#endif - - case TELOPT_SGA: /* DO: Suppress go-ahead */ - if(!con->igoahead) { /* suppress go-ahead */ - wsprintf(buf,"%c%c%c",IAC,WILL,TELOPT_SGA); - TelnetSend(ks,buf,lstrlen(buf),0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_SGA]); - OutputDebugString(strTmp); - OutputDebugString("igoahead"); -#endif - con->igoahead=1; - } /* end if */ - else { -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp, - "NO REPLY NEEDED: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_SGA]); - OutputDebugString(strTmp); -#endif - } /* end else */ - break; - - case TELOPT_TTYPE: /* DO: terminal type negotiation */ - if(!con->termsent) { - con->termsent=TRUE; - wsprintf(buf,"%c%c%c",IAC,WILL,TELOPT_TTYPE); - TelnetSend(ks,buf,lstrlen(buf),0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_TTYPE]); - OutputDebugString(strTmp); -#endif - } /* end if */ - else { -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"NO REPLY NEEDED: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_TTYPE]); - OutputDebugString(strTmp); -#endif - } /* end else */ - break; - -#ifdef LATER - case TELOPT_LINEMODE: /* DO: linemode negotiation */ - tw->lmflag=1; /* set the linemode flag */ - netprintf(tw->pnum,"%c%c%c",IAC,WILL,TELOPT_LINEMODE); - /* - * Tell the other side to send us - * its default character set - */ - netprintf(tw->pnum,"%c%c%c%c", - IAC,SB,TELOPT_LINEMODE,SLC,0,SLC_DEFAULT,0,IAC,SE); - if(tw->condebug>0) { - tprintf(cv,"SEND: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_LINEMODE]); - tprintf(cv, - "SEND: SB LINEMODE SLC 0 SLC_DEFAULT 0 IAC SE\r\n"); - } /* end if */ - break; -#endif - case TELOPT_NAWS: /* DO: Negotiate About Window Size */ - con->bResizeable=TRUE; - send_naws(con); - break; - - case TELOPT_AUTHENTICATION: /* DO: Authentication requested */ - wsprintf(buf, "%c%c%c", IAC, WILL, TELOPT_AUTHENTICATION); - TelnetSend(ks, buf, lstrlen(buf), 0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[WILL - TELCMD_FIRST], - teloptions[TELOPT_AUTHENTICATION]); - OutputDebugString(strTmp); -#endif - break; - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: /* DO: Remote is willing to receive encrypted */ - wsprintf(buf, "%c%c%c", IAC, - (encrypt_flag ? WILL : WONT), TELOPT_ENCRYPT); - TelnetSend(ks, buf, lstrlen(buf), 0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[(encrypt_flag ? WILL : WONT) - - TELCMD_FIRST], - teloptions[TELOPT_ENCRYPT]); - OutputDebugString(strTmp); -#endif - break; -#endif /* ENCRYPTION */ - - default: /* DO: */ - wsprintf(buf, "%c%c%c", IAC, WONT, *st); - TelnetSend(ks, buf, lstrlen(buf), 0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[WONT - TELCMD_FIRST], teloptions[*st]); - OutputDebugString(strTmp); -#endif - break; - - } /* end switch */ - con->telstate = STNORM; - orig = ++st; - break; - - case DONT: /* Received a telnet DONT option */ - switch (*st) { - case TELOPT_NAWS: - con->bResizeable=FALSE; -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"RECV: %s %s\r\n", - telstates[con->telstate-TELCMD_FIRST],teloptions[*st]); - OutputDebugString(strTmp); -#endif - break; - -#ifdef NOT - case BINARY: /* DONT: check for binary neg. */ - if(tw->ibinary) { /* binary */ - if(!tw->iwantbinary) { - netprintf(tw->pnum,"%c%c%c",IAC,WONT,BINARY); - if(tw->condebug>0) - tprintf(cv,"SEND: %s %s\r\n", - telstates[WONT-TELCMD_FIRST], - teloptions[BINARY]); - } /* end if */ - else - tw->iwantbinary=0; /* turn off this now */ - tw->ibinary=0; - tw->mapoutput=0; /* turn output mapping off */ - } /* end if */ -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"NO REPLY NEEDED: %s %s\r\n", - telstates[WONT-TELCMD_FIRST], - teloptions[BINARY]); - OutputDebugString(strTmp); -#endif - break; -#endif -#ifdef ENCRYPTION - case ENCRYPTION: - break; -#endif - } - - /* all these just fall through to here... */ - - con->telstate=STNORM; - orig=++st; - break; - - case WILL: /* received a telnet WILL option */ -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"RECV: %s %s\r\n", - telstates[con->telstate-TELCMD_FIRST], - teloptions[*st]); - OutputDebugString(strTmp); -#endif - switch(*st) { -#ifdef NOT - case TELOPT_BINARY: /* WILL: binary */ - if(!tw->ubinary) { /* binary */ - if(!tw->uwantbinary) { - netprintf(tw->pnum,"%c%c%c", - IAC,DO,TELOPT_BINARY); - if(tw->condebug>0) - tprintf(cv,"SEND: %s %s\r\n", - telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_BINARY]); - } /* end if */ - else - tw->uwantbinary=0; /* turn off this now */ - tw->ubinary=1; - } /* end if */ - else { - if(tw->condebug>0) - tprintf(cv,"NO REPLY NEEDED: %s %s\r\n", - telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_BINARY]); - } /* end else */ - break; -#endif - - case TELOPT_SGA: /* WILL: suppress go-ahead */ - if(!con->ugoahead) { - con->ugoahead=1; - wsprintf(buf,"%c%c%c",IAC,DO,TELOPT_SGA); /* ack */ - TelnetSend(ks,buf,lstrlen(buf),0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_SGA]); - OutputDebugString(strTmp); -#endif - } /* end if */ - break; - - case TELOPT_ECHO: /* WILL: echo */ - if(!con->echo) { - con->echo = 1; - wsprintf(buf, "%c%c%c", IAC, DO, TELOPT_ECHO); /* ack */ - TelnetSend(ks, buf, lstrlen(buf), 0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[DO - TELCMD_FIRST], - teloptions[TELOPT_ECHO]); - OutputDebugString(strTmp); -#endif - } /* end if */ - break; - - case TELOPT_TM: /* WILL: Timing mark */ - con->timing=0; - break; -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: /* WILL: decrypt our input */ - wsprintf(buf, "%c%c%c", IAC, - (encrypt_flag ? DO : DONT), TELOPT_ENCRYPT); - TelnetSend(ks, buf, lstrlen(buf), 0); - if (encrypt_flag) - encrypt_send_support(); - -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[(encrypt_flag ? DO : DONT) - TELCMD_FIRST], - teloptions[TELOPT_ENCRYPT]); - OutputDebugString(strTmp); -#endif - break; -#endif - - default: - wsprintf(buf,"%c%c%c",IAC,DONT,*st); - TelnetSend(ks,buf,lstrlen(buf),0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[DONT-TELCMD_FIRST],teloptions[*st]); - OutputDebugString(strTmp); -#endif - break; - } /* end switch */ - con->telstate=STNORM; - orig=++st; - break; - - case WONT: /* Received a telnet WONT option */ -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"RECV: %s %s\r\n", - telstates[con->telstate-TELCMD_FIRST],teloptions[*st]); - OutputDebugString((LPSTR)strTmp); -#endif - con->telstate=STNORM; - switch(*st++) { /* which option? */ -#ifdef NOT - case BINARY: /* WONT: binary */ - if(tw->ubinary) { /* binary */ - if(!tw->uwantbinary) { - netprintf(tw->pnum,"%c%c%c", - IAC,DONT,BINARY); - if(tw->condebug>0) - tprintf(cv,"SEND: %s %s\r\n", - telstates[DONT-TELCMD_FIRST], - teloptions[BINARY]); - } /* end if */ - else - tw->uwantbinary=0; /* turn off this now */ - tw->ubinary=0; - tw->mapoutput=0; /* turn output mapping off */ - } /* end if */ - else { - if(tw->condebug>0) - tprintf(cv,"NO REPLY NEEDED: %s %s\r\n", - telstates[DONT-TELCMD_FIRST], - teloptions[BINARY]); - } /* end else */ - break; - -#endif - case TELOPT_ECHO: /* WONT: echo */ - if(con->echo) { - con->echo=0; - wsprintf(buf,"%c%c%c",IAC,DONT,TELOPT_ECHO); - TelnetSend(ks,buf,lstrlen(buf),0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SEND: %s %s\r\n", - telstates[DONT-TELCMD_FIRST], - teloptions[TELOPT_ECHO]); - OutputDebugString(strTmp); - OutputDebugString("Other side won't echo!"); -#endif - } /* end if */ - break; - - case TELOPT_TM: /* WONT: Telnet timing mark option */ - con->timing=0; - break; - -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: /* WONT: don't encrypt our input */ - break; -#endif - - default: - break; - } /* end switch */ - orig=st; - break; - - case SB: /* telnet sub-options negotiation */ - con->telstate=NEGOTIATE; - orig=st; - end_sub=0; - sub_pos=con->substate=0; /* Defined for each */ -#ifdef OLD_WAY - break; -#endif - - case NEGOTIATE: - /* until we change sub-negotiation states, accumulate bytes */ - if(con->substate==0) { - if(*st==IAC) { /* check if we found an IAC byte */ - if(*(st+1)==IAC) { /* skip over double IAC's */ - st++; - parsedat[sub_pos++]=*st++; - } /* end if */ - else { - end_sub=sub_pos; - con->substate=*st++; - } /* end else */ - } /* end if */ - else /* otherwise, just stash the byte */ - parsedat[sub_pos++]=*st++; - } /* end if */ - else { - con->substate=*st++; - /* check if we've really ended the sub-negotiations */ - if(con->substate==SE) - parse_subnegotiat(ks,end_sub); - - orig=st; - /* - * XXX hack to decrypt the rest of the buffer - */ - if (encrypt_flag == 2) { - decrypt_ks_hack(orig, mark - orig); - encrypt_flag = 1; - } - - con->telstate=STNORM; - } /* end else */ - break; - - default: - con->telstate=STNORM; - break; - } /* end switch */ - } /* end while */ - - /* - * quick scan of the remaining string, skip chars while they are - * uninteresting - */ - if(con->telstate==STNORM && stubinary) - *st&=127; /* mask off high bit */ -#endif - st++; - } /* end while */ -#if 0 - if(!tw->timing) - parsewrite(tw,orig,st-orig); -#endif - orig=st; /* forget what we have sent already */ - if(sttelstate=IACFOUND; - st++; - break; - - default: -#ifdef NEGOTIATEDEBUG - wsprintf(buf," strange char>128 0x%x\r\n", *st); - OutputDebugString(buf); -#endif - st++; - break; - } /* end switch */ - } /* end if */ - } /* end while */ -} /* end parse() */ - -/* - * Function : parse_subnegotiat() - * Purpose : Parse the telnet sub-negotiations read into the parsedat - * array. - * Parameters : - * end_sub - index of the character in the 'parsedat' array which - * is the last byte in a sub-negotiation - * Returns : none - * Calls : - * Called by : parse() - */ -static void -parse_subnegotiat(kstream ks, int end_sub) -{ - char buf[128]; - - switch(parsedat[0]) { - case TELOPT_TTYPE: - if(parsedat[1]==1) { - /* QAK!!! */ wsprintf(buf,"%c%c%c%cvt100%c%c",IAC,SB,TELOPT_TTYPE, - 0,IAC,SE); - TelnetSend(ks,(LPSTR)buf,11,0); -#ifdef NEGOTIATEDEBUG - wsprintf(strTmp,"SB TERMINAL-TYPE SEND\r\n" - "SEND: SB TERMINAL-TYPE IS vt100 \r\n len=%d \r\n", - lstrlen((LPSTR)buf)); - OutputDebugString(strTmp); -#endif - } - break; - - case TELOPT_AUTHENTICATION: - auth_parse(ks, parsedat, end_sub); - break; -#ifdef ENCRYPTION - case TELOPT_ENCRYPT: - if (encrypt_flag) - encrypt_parse(ks, parsedat, end_sub); - break; -#endif - default: - break; - } /* end switch */ -} /* parse_subnegotiat */ - - -/* - * Function : send_naws - * Purpose : Send a window size sub-negotiation. - * Parameters : - * ks - the kstream to send to. - * Returns : none - */ -void -send_naws(CONNECTION *con) -{ - unsigned char buf[40]; - int len; - - wsprintf(buf, "%c%c%c", IAC, SB, TELOPT_NAWS); - len = 3; - - buf[len++] = HIBYTE(con->width); - if (buf[len-1] == IAC) buf[len++] = IAC; - - buf[len++] = LOBYTE(con->width); - if (buf[len-1] == IAC) buf[len++] = IAC; - - buf[len++] = HIBYTE(con->height); - if (buf[len-1] == IAC) buf[len++] = IAC; - - buf[len++] = LOBYTE(con->height); - if (buf[len-1] == IAC) buf[len++] = IAC; - - buf[len++] = IAC; - buf[len++] = SE; - - TelnetSend(con->ks, buf, len, 0); - -#ifdef NEGOTIATEDEBUG - wsprintf(buf, "SEND: SB NAWS %d %d %d %d IAC SE\r\n", - HIBYTE(con->width), LOBYTE(con->width), - HIBYTE(con->height), LOBYTE(con->height)); - OutputDebugString(buf); -#endif - -} /* send_naws */ diff --git a/src/windows/wintel/resource.h b/src/windows/wintel/resource.h deleted file mode 100644 index db79dee..0000000 --- a/src/windows/wintel/resource.h +++ /dev/null @@ -1,17 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Developer Studio generated include file. -// Used by telnet.rc -// -#define IDD_DIALOG1 101 -#define IDC_STATIC -1 - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 103 -#define _APS_NEXT_COMMAND_VALUE 40005 -#define _APS_NEXT_CONTROL_VALUE 1002 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/src/windows/wintel/screen.c b/src/windows/wintel/screen.c deleted file mode 100644 index 91de8dd..0000000 --- a/src/windows/wintel/screen.c +++ /dev/null @@ -1,1147 +0,0 @@ -/* screen.c */ - -#include -#include -#include -#include -#include -#include "telnet.h" -#include "ini.h" -#include "auth.h" - -extern char *encrypt_output; /* XXX hack... I wonder if this will work. These are */ -extern char *decrypt_input; /* XXX really functions... */ - -extern char *cInvertedArray; -extern int bMouseDown; -extern int bSelection; - -static SCREEN *ScreenList; -static HINSTANCE hInst; -static char szScreenClass[] = "ScreenWClass"; -static char szScreenMenu[] = "ScreenMenu"; -static char cursor_key[8][4] = { /* Send for cursor keys */ - "\x1B[D", "\x1B[A", "\x1B[C", "\x1B[B", /* Normal mode */ - "\x1BOD", "\x1BOA", "\x1BOC", "\x1BOB", /* Numpad on mode */ -}; - -void -ScreenInit(HINSTANCE hInstance) -{ - BOOL b; - WNDCLASS wc; - - hInst = hInstance; - - ScreenList = NULL; - - wc.style = CS_HREDRAW | CS_VREDRAW | CS_DBLCLKS; /* Class style(s) */ - wc.lpfnWndProc = ScreenWndProc; - wc.cbClsExtra = 0; - wc.cbWndExtra = sizeof(long); - wc.hInstance = hInstance; - wc.hIcon = LoadIcon(hInstance, "TERMINAL"); - wc.hCursor = LoadCursor(NULL, IDC_IBEAM); - wc.hbrBackground = GetStockObject(WHITE_BRUSH); - wc.lpszMenuName = szScreenMenu; - wc.lpszClassName = szScreenClass; - - b = RegisterClass(&wc); - assert(b); -} - - -void -SetScreenInstance(HINSTANCE hInstance) -{ - hInst = hInstance; -} - -int -GetNewScreen(void) -{ - SCREEN *pScr; - static int id = 0; - - pScr = (SCREEN *) calloc(sizeof(SCREEN), 1); - if (pScr == NULL) - return(-1); - - if (ScreenList == NULL) { - pScr->next = NULL; - pScr->prev = NULL; - } - else { - if (ScreenList->next == NULL) { - ScreenList->next = ScreenList; - ScreenList->prev = ScreenList; - } - pScr->next = ScreenList; - pScr->prev = ScreenList->prev; - ScreenList->prev->next = pScr; - ScreenList->prev = pScr; - } - - ScreenList = pScr; - return(id++); -} - -SCREENLINE * -ScreenNewLine(void) -{ - SCREENLINE *pScrLine; - - pScrLine = calloc(sizeof(SCREENLINE) + 2*MAX_LINE_WIDTH, 1); - if (pScrLine == NULL) - return (NULL); - pScrLine->text = &pScrLine->buffer[0]; - pScrLine->attrib = &pScrLine->buffer[MAX_LINE_WIDTH]; - return(pScrLine); -} - -static void -MakeWindowTitle(char *host, int width, int height, char *title, int nchars) -{ - char buf[128]; - int hlen; - - hlen = strlen(host); - - title[0] = 0; - - if (hlen + 1 > nchars) - return; - - strcpy(title, host); - - wsprintf(buf, " (%dh x %dw)", height, width); - - if ((int) strlen(buf) + hlen + 1 > nchars) - return; - - strcat(title, buf); -} - - -SCREEN * -InitNewScreen(CONFIG *Config) -{ - TEXTMETRIC tm; - HMENU hMenu = NULL; - SCREEN *scr = NULL; - SCREENLINE *pScrLine; - SCREENLINE *pScrLineLast; - int id; - int idx = 0; - char title[128]; - HDC hDC; - HFONT hFont; - - id = GetNewScreen(); - if (id == -1) - return(0); - - scr = ScreenList; - assert(scr != NULL); - - hMenu = LoadMenu(hInst, szScreenMenu); - assert(hMenu != NULL); - - scr->title = Config->title; - MakeWindowTitle(Config->title, Config->width, Config->height, - title, sizeof(title)); - - scr->hwndTel = Config->hwndTel; /* save HWND of calling window */ - - if (Config->backspace) { - CheckMenuItem(hMenu, IDM_BACKSPACE, MF_CHECKED); - CheckMenuItem(hMenu, IDM_DELETE, MF_UNCHECKED); - } else { - CheckMenuItem(hMenu, IDM_BACKSPACE, MF_UNCHECKED); - CheckMenuItem(hMenu, IDM_DELETE, MF_CHECKED); - } - - hDC = GetDC(NULL); - assert(hDC != NULL); - - scr->lf.lfPitchAndFamily = FIXED_PITCH; - GetPrivateProfileString(INI_FONT, "FaceName", "Courier", scr->lf. - lfFaceName, LF_FACESIZE, TELNET_INI); - scr->lf.lfHeight = (int) GetPrivateProfileInt(INI_FONT, "Height", 0, TELNET_INI); - scr->lf.lfWidth = (int) GetPrivateProfileInt(INI_FONT, "Width", 0, TELNET_INI); - scr->lf.lfPitchAndFamily = (BYTE) GetPrivateProfileInt(INI_FONT, "PitchAndFamily", 0, TELNET_INI); - scr->lf.lfCharSet = (BYTE) GetPrivateProfileInt(INI_FONT, "CharSet", 0, TELNET_INI); - scr->lf.lfEscapement = (BYTE) GetPrivateProfileInt(INI_FONT, "Escapement", 0, TELNET_INI); - scr->lf.lfQuality = PROOF_QUALITY; - scr->hSelectedFont = CreateFontIndirect((LPLOGFONT) &(scr->lf)); - hFont = SelectObject(hDC, scr->hSelectedFont); - GetTextMetrics(hDC, (LPTEXTMETRIC) &tm); - SelectObject(hDC, hFont); - scr->cxChar = tm.tmAveCharWidth; - scr->cyChar = tm.tmHeight + tm.tmExternalLeading; - - ReleaseDC(NULL, hDC); - - scr->width = Config->width; - scr->height = Config->height; - scr->ID = id; - scr->x = 0; - scr->y = 0; - scr->Oldx = 0; - scr->Oldy = 0; - scr->attrib = 0; - scr->DECAWM = 1; - scr->bWrapPending = FALSE; - scr->top = 0; - scr->bottom = scr->height-1; - scr->parmptr = 0; - scr->escflg = 0; - scr->bAlert = FALSE; - scr->numlines = 0; - scr->maxlines = 150; - - cInvertedArray = calloc(scr->width * scr->height, 1); - - pScrLineLast = ScreenNewLine(); - if (pScrLineLast == NULL) - return(NULL); - scr->screen_top = scr->buffer_top = pScrLineLast; - - for (idx = 0; idx < scr->height - 1; idx++) { - pScrLine = ScreenNewLine(); - if (pScrLine == NULL) - return(NULL); - pScrLine->prev = pScrLineLast; - pScrLineLast->next = pScrLine; - pScrLineLast = pScrLine; - } - - scr->screen_bottom = scr->buffer_bottom = pScrLine; - - scr->hWnd = CreateWindow(szScreenClass, title, WS_OVERLAPPEDWINDOW | WS_VSCROLL, - CW_USEDEFAULT, CW_USEDEFAULT, - scr->cxChar * scr->width + FRAME_WIDTH, - scr->cyChar * scr->height + FRAME_HEIGHT, - NULL, hMenu, hInst, scr); - assert(scr->hWnd != NULL); - - ShowWindow(scr->hWnd, SW_SHOW); - - CreateCaret(scr->hWnd, NULL, scr->cxChar, 2); - SetCaretPos(scr->x*scr->cxChar, (scr->y+1) * scr->cyChar); - ShowCaret(scr->hWnd); - - return(ScreenList); -} - - -void DeleteTopLine( - SCREEN *pScr) -{ - assert(pScr->buffer_top != NULL); - - pScr->buffer_top = pScr->buffer_top->next; - assert(pScr->buffer_top != NULL); - - free(pScr->buffer_top->prev); - pScr->buffer_top->prev = NULL; - - pScr->numlines--; - -} /* DeleteTopLine */ - - -static void SetScreenScrollBar( - SCREEN *pScr) -{ - if (pScr->numlines <= 0) { - SetScrollRange(pScr->hWnd, SB_VERT, 0, 100, FALSE); - SetScrollPos(pScr->hWnd, SB_VERT, 0, TRUE); - EnableScrollBar(pScr->hWnd, SB_VERT, ESB_DISABLE_BOTH); - } - else { - SetScrollRange(pScr->hWnd, SB_VERT, 0, pScr->numlines, FALSE); - SetScrollPos(pScr->hWnd, SB_VERT, pScr->numlines, TRUE); - EnableScrollBar(pScr->hWnd, SB_VERT, ESB_ENABLE_BOTH); - } - -} /* SetScreenScrollBar */ - - -int ScreenScroll( - SCREEN *pScr) -{ - SCREENLINE *pScrLine; - SCREENLINE *pPrev; - SCREENLINE *pNext; - SCREENLINE *pScrollTop; - SCREENLINE *pScrollBottom; - BOOL bFullScreen = TRUE; - HDC hDC; - RECT rc; - - Edit_ClearSelection(pScr); - - pScrollTop = GetScreenLineFromY(pScr, pScr->top); - - pScrollBottom = GetScreenLineFromY(pScr, pScr->bottom); - - if (pScrollTop != pScr->screen_top) { - bFullScreen = FALSE; - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = pScr->cyChar * (pScr->top); - rc.bottom = pScr->cyChar * (pScr->bottom+1); - - pNext = pScrollTop->next; - pPrev = pScrollTop->prev; - - pPrev->next = pNext; - pNext->prev = pPrev; - - pScrLine = pScrollTop; - ScreenClearLine(pScr, pScrLine); - } - else { - pScr->numlines++; - pScrLine = ScreenNewLine(); - if (pScrLine == NULL) - return(0); - pScr->screen_top = pScrollTop->next; - } - - if (pScrLine == NULL) - return(0); - - pNext = pScrollBottom->next; - pScrollBottom->next = pScrLine; - pScrLine->next = pNext; - pScrLine->prev = pScrollBottom; - if (pNext != NULL) - pNext->prev = pScrLine; - - if (pScrollBottom != pScr->screen_bottom) { - bFullScreen = FALSE; - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = pScr->cyChar * pScr->top; - rc.bottom = pScr->cyChar * (pScr->bottom+1); - } - else { - if (pScr->screen_bottom == pScr->buffer_bottom) - pScr->buffer_bottom = pScrLine; - pScr->screen_bottom = pScrLine; - } - -#if 0 - CheckScreen(fpScr); -#endif - - pScr->y++; - - if (pScr->y > pScr->bottom) - pScr->y = pScr->bottom; - - hDC = GetDC(pScr->hWnd); - assert(hDC != NULL); - - if (bFullScreen) - ScrollDC(hDC, 0, -pScr->cyChar, NULL, NULL, NULL, NULL); - else - ScrollDC(hDC, 0, -pScr->cyChar, &rc, &rc, NULL, NULL); - - PatBlt(hDC, 0, pScr->bottom * pScr->cyChar, - pScr->width * pScr->cxChar, pScr->cyChar, WHITENESS); - - ReleaseDC(pScr->hWnd, hDC); - - if (pScr->numlines == pScr->maxlines) - DeleteTopLine(pScr); - else - SetScreenScrollBar(pScr); - - return(1); - -} /* ScreenScroll */ - - -int DrawTextScreen( - RECT rcInvalid, - SCREEN *pScr, - HDC hDC) -{ - SCREENLINE *pScrLineTmp; - SCREENLINE *pScrLine; - int x = 0; - int y = 0; - int left = 0; - int right = 0; - int i; - int len; - char attrib; -#define YPOS (y*pScr->cyChar) - - pScrLine = pScr->screen_top; - - for (y = 0; y < pScr->height; y++) { - if (!pScrLine) - continue; - - if (YPOS >= rcInvalid.top - pScr->cyChar && - YPOS <= rcInvalid.bottom + pScr->cyChar) { - - if (y < 0) - y = 0; - - if (y >= pScr->height) - y = pScr->height - 1; - - left = (rcInvalid.left / pScr->cxChar) - 1; - - right = (rcInvalid.right / pScr->cxChar) + 1; - - if (left < 0) - left = 0; - - if (right > pScr->width - 1) - right = pScr->width - 1; - - x = left; - - while (x <= right) { - if (!pScrLine->text[x]) { - x++; - continue; - } - - if (SCR_isrev(pScrLine->attrib[x])) { - SelectObject(hDC, pScr->hSelectedFont); - SetTextColor(hDC, RGB(255, 255, 255)); - SetBkColor(hDC, RGB(0, 0, 0)); - } - else if (SCR_isblnk(pScrLine->attrib[x])) { - SelectObject(hDC, pScr->hSelectedFont); - SetTextColor(hDC, RGB(255, 0, 0)); - SetBkColor(hDC, RGB(255, 255, 255)); - } - else if (SCR_isundl(pScrLine->attrib[x])) { - SetTextColor(hDC, RGB(255, 0, 0)); - SetBkColor(hDC, RGB(255, 255, 255)); - SelectObject(hDC, pScr->hSelectedULFont); - } - else { - SelectObject(hDC,pScr->hSelectedFont); - SetTextColor(hDC, RGB(0, 0, 0)); - SetBkColor(hDC, RGB(255, 255, 255)); - } - - len = 1; - attrib = pScrLine->attrib[x]; - for (i = x + 1; i <= right; i++) { - if (pScrLine->attrib[i] != attrib || !pScrLine->text[i]) - break; - len++; - } - - TextOut(hDC, x*pScr->cxChar, y*pScr->cyChar, &pScrLine->text[x], len); - x += len; - } - } - pScrLineTmp = pScrLine->next; - pScrLine = pScrLineTmp; - } - - return(0); - -} /* DrawTextScreen */ - - -static BOOL SetInternalScreenSize( - SCREEN *pScr, - int width, - int height) -{ - RECT rc; - char *p; - int idx; - int n; - int newlines; - SCREENLINE *pNewLine; - SCREENLINE *pTopLine; - SCREENLINE *pBottomLine; -#if 0 - int col; - int row; - int dydestbottom; -#endif - - GetClientRect(pScr->hWnd, &rc); - - width = (rc.right - rc.left) / pScr->cxChar; - height = (rc.bottom - rc.top) / pScr->cyChar; - - if (pScr->height == height && pScr->width == width) - return(FALSE); - - pScr->Oldx = 0; - pScr->Oldy = 0; - pScr->attrib = 0; - - /* - Reallocate the inverted array of bytes and copy the values - from the old screen to the new screen. - */ - p = calloc(width * height, 1); - - ScreenCursorOff(pScr); - -#if 0 /* Copy inversion array to desitination */ - for (col = 0; col < width; col++) { - for (row = 0; row < height; row++) { - dydestbottom = height - 1 - row; - if (col < pScr->width && dydestbottom < pScr->height - 1) - p[row * width + col] = - cInvertedArray[(pScr->height - 1 - dydestbottom) * pScr->width + col]; - } - } -#endif - - free(cInvertedArray); - cInvertedArray = p; - - /* - Append any new lines which need to be added to accomodate the new - screen size. - */ - pBottomLine = pScr->buffer_bottom; - newlines = height - (pScr->height + pScr->numlines); - - if (newlines > 0) { - pScr->y += pScr->numlines; - pScr->numlines = 0; - - for (idx = 0; idx < newlines; idx++) { - pNewLine = ScreenNewLine(); - if (pNewLine == NULL) - return(FALSE); - pNewLine->prev = pBottomLine; - if (pBottomLine == NULL) - return(FALSE); - pBottomLine->next = pNewLine; - pBottomLine = pNewLine; - } - } - - /* - If we already have plenty of lines, then we need to get rid of the - scrollback lines, if too many exist. The cursor should end up - the same distance from the bottom of the screen as is started out - in this instance. - */ - if (newlines < 0) { - pScr->y = (height - 1) - (pScr->bottom - pScr->y); - if (pScr->y < 0) - pScr->y = 0; - pScr->numlines = -newlines; - n = pScr->numlines - pScr->maxlines; - for (idx = 0; idx < n; idx++) - DeleteTopLine(pScr); - } - - /* - Calculate the position of the buffer relative to the screen. - */ - pScr->screen_bottom = pBottomLine; - pScr->buffer_bottom = pBottomLine; - - pTopLine = pBottomLine; - - for (idx = 1; idx < height; idx++) { - pTopLine = pTopLine->prev; - } - - pScr->screen_top = pTopLine; - pScr->width = width; - pScr->height = height; - pScr->top = 0; - pScr->bottom = height - 1; - - if (pScr->x >= width) - pScr->x = width - 1; - - if (pScr->y >= height) - pScr->y = height - 1; - - SetScreenScrollBar(pScr); - ScreenCursorOn(pScr); - return(TRUE); - -} /* SetInternalScreenSize */ - - -static int ScreenAdjustUp( - SCREEN *pScr, - int n) -{ - int idx; - SCREENLINE *pLine1; - SCREENLINE *pLine2; - - for (idx = 0; idx < n; idx++) { - if (pScr->screen_top == pScr->buffer_top) - return(-idx); - pLine1 = pScr->screen_top->prev; - if (pLine1 == NULL) - return(-idx); - pLine2 = pScr->screen_bottom->prev; - if (pLine2 == NULL) - return(-idx); - pScr->screen_top = pLine1; - pScr->screen_bottom = pLine2; - } - - return(idx); - -} /* ScreenAdjustUp */ - - -static int ScreenAdjustDown( - SCREEN *pScr, - int n) -{ - int idx; - SCREENLINE *pLine1; - SCREENLINE *pLine2; - - for (idx = 0; idx < n; idx++) { - if (pScr->screen_bottom == pScr->buffer_bottom) - return(-idx); - pLine1 = pScr->screen_top->next; - if (pLine1 == NULL) - return(-idx); - pLine2 = pScr->screen_bottom->next; - if (pLine2 == NULL) - return(-idx); - pScr->screen_top = pLine1; - pScr->screen_bottom = pLine2; - } - - return(idx); - -} /* ScreenAdjustDown */ - - -long PASCAL ScreenWndProc( - HWND hWnd, - UINT message, - WPARAM wParam, - LPARAM lParam) -{ - MINMAXINFO *lpmmi; - SCREEN *pScr; - HMENU hMenu; - PAINTSTRUCT ps; - int x = 0; - int y = 0; - int ScrollPos; - int tmpScroll = 0; - int idx; - HDC hDC; - RECT rc; - char title[128]; - static int bDoubleClick = FALSE; - - switch (message) { - - case WM_COMMAND: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - - switch (wParam) { - - case IDM_EXIT: - if (MessageBox(hWnd, "Terminate this connection?", "Telnet", MB_OKCANCEL) == IDOK) { - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - SendMessage(pScr->hwndTel, WM_MYSCREENCLOSE, 0, (LPARAM) pScr); - } - break; - - case IDM_BACKSPACE: - hMenu = GetMenu(hWnd); - CheckMenuItem(hMenu, IDM_BACKSPACE, MF_CHECKED); - CheckMenuItem(hMenu, IDM_DELETE, MF_UNCHECKED); - SendMessage(pScr->hwndTel, WM_MYSCREENCHANGEBKSP, VK_BACK, (LPARAM) pScr); - break; - - case IDM_DELETE: - hMenu = GetMenu(hWnd); - CheckMenuItem(hMenu, IDM_BACKSPACE, MF_UNCHECKED); - CheckMenuItem(hMenu, IDM_DELETE, MF_CHECKED); - SendMessage(pScr->hwndTel, WM_MYSCREENCHANGEBKSP, 0x7f, (LPARAM) pScr); - break; - - case IDM_FONT: - ScreenCursorOff(pScr); - ProcessFontChange(hWnd); - ScreenCursorOn(pScr); - break; - - case IDM_COPY: - Edit_Copy(hWnd); - hMenu=GetMenu(hWnd); - Edit_ClearSelection(pScr); - break; - - case IDM_PASTE: - Edit_Paste(hWnd); - break; - - case IDM_HELP_INDEX: - WinHelp(hWnd, HELP_FILE, HELP_INDEX, 0); - break; - - case IDM_ABOUT: -#ifdef CYGNUS -#ifdef KRB4 - strcpy(strTmp, " Kerberos 4 for Windows\n"); -#endif -#ifdef KRB5 - strcpy(strTmp, " KerbNet for Windows\n"); -#endif - strcat(strTmp, "\n Version 1.00\n\n"); - strcat(strTmp, " For support, contact:\n"); - strcat(strTmp, " Cygnus Support - (415) 903-1400\n"); -#else /* CYGNUS */ - strcpy(strTmp, " Kerberos 5 Telnet for Windows\n"); - strcat(strTmp, " ALPHA SNAPSHOT 2\n\n"); -#endif /* CYGNUS */ - if (encrypt_flag) { - strcat(strTmp, "\n[Encryption of output requested. State: "); - strcat(strTmp, (encrypt_output ? "encrypting]" : "INACTIVE]")); - strcat(strTmp, "\n[Decryption of input requested. State: "); - strcat(strTmp, (decrypt_input ? "decrypting]\n" : "INACTIVE]\n")); - } - MessageBox(NULL, strTmp, "Kerberos", MB_OK); - break; - -#if defined(DEBUG) - case IDM_DEBUG: - CheckScreen(pScr); - break; -#endif - } - - break; - - case WM_NCCREATE: - pScr = (SCREEN *) ((LPCREATESTRUCT) lParam)->lpCreateParams; - pScr->hWnd = hWnd; - SetWindowLong(hWnd, SCREEN_HANDLE, (LONG) pScr); - SetScrollRange(hWnd, SB_VERT, 0, 100, FALSE); - SetScrollPos(hWnd, SB_VERT, 0, TRUE); - EnableScrollBar(hWnd, SB_VERT, ESB_DISABLE_BOTH); - return(TRUE); - - case WM_VSCROLL: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - - ScreenCursorOff(pScr); - - switch(wParam) { - - case SB_LINEDOWN: - if (ScreenAdjustDown(pScr, 1) <= 0) - break; - hDC = GetDC(hWnd); - assert(hDC != NULL); - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = 0; - rc.bottom = pScr->cyChar * (pScr->bottom + 1); - ScrollDC(hDC, 0, -pScr->cyChar, &rc, &rc, NULL, NULL); - ReleaseDC(hWnd, hDC); - rc.top = pScr->cyChar * pScr->bottom; - InvalidateRect(hWnd, &rc, TRUE); - ScrollPos = GetScrollPos(hWnd, SB_VERT); - SetScrollPos(hWnd, SB_VERT, ScrollPos + 1, TRUE); - UpdateWindow(hWnd); - break; - - case SB_LINEUP: - if (ScreenAdjustUp(pScr, 1) <= 0) - break; - hDC = GetDC(hWnd); - assert(hDC != NULL); - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = 0; - rc.bottom = pScr->cyChar * (pScr->bottom + 1); - ScrollDC(hDC, 0, pScr->cyChar, &rc, &rc, NULL, NULL); - ReleaseDC(hWnd, hDC); - rc.bottom = pScr->cyChar; - InvalidateRect(hWnd, &rc, TRUE); - ScrollPos = GetScrollPos(pScr->hWnd, SB_VERT); - SetScrollPos(hWnd,SB_VERT, ScrollPos - 1, TRUE); - UpdateWindow(hWnd); - break; - - case SB_PAGEDOWN: - idx = abs(ScreenAdjustDown(pScr, pScr->height)); - hDC = GetDC(hWnd); - assert(hDC != NULL); - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = 0; - rc.bottom = pScr->cyChar * (pScr->bottom+1); - ScrollDC(hDC, 0, -idx * pScr->cyChar, &rc, &rc, NULL, NULL); - ReleaseDC(hWnd, hDC); - rc.top = pScr->cyChar * (pScr->bottom - idx + 1); - InvalidateRect(hWnd, &rc, TRUE); - ScrollPos=GetScrollPos(hWnd, SB_VERT); - SetScrollPos(hWnd, SB_VERT, ScrollPos + idx, TRUE); - break; - - case SB_PAGEUP: - idx = abs(ScreenAdjustUp(pScr, pScr->height)); - hDC = GetDC(hWnd); - assert(hDC != NULL); - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = 0; - rc.bottom = pScr->cyChar * (pScr->bottom + 1); - ScrollDC(hDC, 0, idx * pScr->cyChar, &rc, &rc, NULL, NULL); - ReleaseDC(hWnd, hDC); - rc.bottom = idx * pScr->cyChar; - InvalidateRect(hWnd, &rc, TRUE); - ScrollPos=GetScrollPos(hWnd, SB_VERT); - SetScrollPos(hWnd, SB_VERT, ScrollPos - idx, TRUE); - break; - - case SB_THUMBPOSITION: - case SB_THUMBTRACK: - ScrollPos = GetScrollPos(hWnd, SB_VERT); - tmpScroll = ScrollPos - LOWORD(lParam); - if (tmpScroll == 0) - break; - if (tmpScroll > 0) - ScreenAdjustUp(pScr, tmpScroll); - else - ScreenAdjustDown(pScr, -tmpScroll); - if (abs(tmpScroll) < pScr->height) { - hDC = GetDC(hWnd); - assert(hDC != NULL); - rc.left = 0; - rc.right = pScr->cxChar * pScr->width; - rc.top = 0; - rc.bottom = pScr->cyChar * (pScr->bottom + 1); - ScrollDC(hDC, 0, tmpScroll * pScr->cyChar, &rc, &rc, NULL, NULL); - ReleaseDC(hWnd, hDC); - if (tmpScroll > 0) { - rc.bottom = tmpScroll * pScr->cyChar; - InvalidateRect(hWnd, &rc, TRUE); - } - else { - rc.top = (pScr->bottom + tmpScroll + 1) * pScr->cyChar; - InvalidateRect(hWnd, &rc, TRUE); - } - } - else - InvalidateRect(hWnd, NULL, TRUE); - - SetScrollPos(hWnd, SB_VERT, LOWORD(lParam), TRUE); - UpdateWindow(hWnd); - break; - } - - ScreenCursorOn(pScr); - break; - - case WM_KEYDOWN: - if (wParam == VK_INSERT) { - if (GetKeyState(VK_SHIFT) < 0) - PostMessage(hWnd, WM_COMMAND, IDM_PASTE, 0); - else if (GetKeyState(VK_CONTROL) < 0) - PostMessage(hWnd, WM_COMMAND, IDM_COPY, 0); - break; - } - /* - ** Check for cursor keys. With control pressed, we treat as - ** keyboard equivalents to scrolling. Otherwise, we send - ** a WM_MYCURSORKEY message with the appropriate string - ** to be sent. Sending the actual string allows the upper - ** level to be ignorant of keyboard modes, etc. - */ - if (wParam < VK_PRIOR || wParam > VK_DOWN) /* Is it a cursor key? */ - break; - - if (GetKeyState (VK_CONTROL) >= 0) { /* No control key */ - if (wParam >= VK_LEFT && wParam <= VK_DOWN) { - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - wParam = wParam - VK_LEFT + (pScr->DECCKM ? 4 : 0); - SendMessage (pScr->hwndTel, WM_MYCURSORKEY, - strlen(cursor_key[wParam]), - (LPARAM) (char *) cursor_key[wParam]); - } - } else { /* Control is down */ - switch (wParam) { - case VK_PRIOR: /* Page up */ - SendMessage(hWnd, WM_VSCROLL, SB_PAGEUP, 0); - break; - case VK_NEXT: /* Page down */ - SendMessage(hWnd, WM_VSCROLL, SB_PAGEDOWN, 0); - break; - case VK_UP: /* Line up */ - SendMessage(hWnd, WM_VSCROLL, SB_LINEUP, 0); - break; - case VK_DOWN: /* Line down */ - SendMessage(hWnd, WM_VSCROLL, SB_LINEDOWN, 0); - break; - } - } - UpdateWindow(hWnd); - break; - - case WM_CHAR: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - SendMessage(pScr->hwndTel, WM_MYSCREENCHAR, wParam, (LPARAM) pScr); - break; - - case WM_INITMENU: - if (IsClipboardFormatAvailable(CF_TEXT)) - EnableMenuItem((HMENU) wParam, IDM_PASTE, MF_ENABLED); - else - EnableMenuItem((HMENU) wParam, IDM_PASTE, MF_GRAYED); - if (bSelection) - EnableMenuItem((HMENU) wParam, IDM_COPY, MF_ENABLED); - else - EnableMenuItem((HMENU) wParam, IDM_COPY, MF_GRAYED); - break; - - case WM_GETMINMAXINFO: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - if (pScr == NULL) /* Used on creation when window word not set */ - pScr = ScreenList; - lpmmi = (MINMAXINFO *) lParam; - if (FRAME_WIDTH + MAX_LINE_WIDTH * pScr->cxChar < lpmmi->ptMaxSize.x) - lpmmi->ptMaxSize.x = FRAME_WIDTH + MAX_LINE_WIDTH * pScr->cxChar; - lpmmi->ptMaxTrackSize.x = lpmmi->ptMaxSize.x; - lpmmi->ptMinTrackSize.x = FRAME_WIDTH + 20 * pScr->cxChar; - lpmmi->ptMinTrackSize.y = FRAME_HEIGHT + 4 * pScr->cyChar; - break; - - case WM_LBUTTONDOWN: - if (bDoubleClick) - Edit_TripleClick(hWnd, lParam); - else - Edit_LbuttonDown(hWnd, lParam); - break; - - case WM_LBUTTONUP: - Edit_LbuttonUp(hWnd, lParam); - break; - - case WM_LBUTTONDBLCLK: - bDoubleClick = TRUE; - SetTimer(hWnd, TIMER_TRIPLECLICK, GetDoubleClickTime(), NULL); - Edit_LbuttonDblclk(hWnd, lParam); - break; - - case WM_TIMER: - if (wParam == TIMER_TRIPLECLICK) - bDoubleClick = FALSE; - break; - - case WM_RBUTTONUP: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - Edit_Copy(hWnd); - Edit_ClearSelection(pScr); - Edit_Paste(hWnd); - break; - - case WM_MOUSEMOVE: - if (bMouseDown) - Edit_MouseMove(hWnd, lParam); - break; - - case WM_RBUTTONDOWN: -#if 0 - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - wsprintf(strTmp,"fp->x=%d fp->y=%d text=%s \r\n", - pScr->screen_top->x, pScr->screen_top->y, pScr->screen_top->text); - OutputDebugString(strTmp); -#endif - break; - - case WM_PAINT: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - BeginPaint (hWnd, &ps); - SelectObject(ps.hdc, pScr->hSelectedFont); - if (pScr->screen_bottom != NULL) - DrawTextScreen(ps.rcPaint, pScr, ps.hdc); - else - OutputDebugString("screen_bottom is NULL.\r\n"); - EndPaint(hWnd, &ps); - break; - - case WM_CLOSE: - if (MessageBox(hWnd, "Terminate this connection?", "Telnet", MB_OKCANCEL) == IDOK) { - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - SendMessage(pScr->hwndTel, WM_MYSCREENCLOSE, 0, (LPARAM) pScr); - return (DefWindowProc(hWnd, message, wParam, lParam)); - } - break; - - case WM_DESTROY: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - if (pScr != NULL) - DeleteObject(pScr->hSelectedFont); - return (DefWindowProc(hWnd, message, wParam, lParam)); - - case WM_ACTIVATE: - if (wParam != WA_INACTIVE) { - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - if (pScr->bAlert) { - char strTitle[128]; - int idx; - - GetWindowText(hWnd, strTitle, sizeof(strTitle)); - if (strTitle[0] == ALERT) { - idx = lstrlen(strTitle); - strTitle[idx - 2] = 0; - SetWindowText(hWnd, &strTitle[2]); - pScr->bAlert = FALSE; - } - } - } - return (DefWindowProc(hWnd, message, wParam, lParam)); - - case WM_SIZE: - if (wParam == SIZE_MINIMIZED) - break; - - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - - if (SetInternalScreenSize(pScr, LOWORD(lParam), HIWORD(lParam))) { - SendMessage(pScr->hwndTel, WM_MYSCREENSIZE, 0, - MAKELONG(pScr->width, pScr->height)); - } - MakeWindowTitle(pScr->title, pScr->width, pScr->height, - title, sizeof(title)); - SetWindowText(hWnd, title); - break; - - case WM_SETFOCUS: - pScr = (SCREEN *) GetWindowLong(hWnd, SCREEN_HANDLE); - assert (pScr != NULL); - CreateCaret(hWnd, NULL, pScr->cxChar, 2); - ScreenCursorOn(pScr); - break; - - case WM_KILLFOCUS: - DestroyCaret(); - break; - - default: - return(DefWindowProc(hWnd, message, wParam, lParam)); - } - - return(0); - -} /* ScreenWndProc */ - - -void ScreenBell( - SCREEN *pScr) -{ - char strTitle[128]; - int idx; - - MessageBeep(MB_ICONEXCLAMATION); - if (pScr->hWnd != GetActiveWindow()) { - FlashWindow(pScr->hWnd, TRUE); - if (!pScr->bAlert) { - strTitle[0] = ALERT; - strTitle[1] = SPACE; - GetWindowText(pScr->hWnd, &strTitle[2], sizeof(strTitle) - 2); - idx = lstrlen(strTitle); - strTitle[idx] = SPACE; - strTitle[idx+1] = ALERT; - strTitle[idx+2] = 0; - SetWindowText(pScr->hWnd, strTitle); - } - FlashWindow(pScr->hWnd, FALSE); - pScr->bAlert = TRUE; - } - -} /* ScreenBell */ - - -void ScreenBackspace(SCREEN *pScr) -{ - RECT rc; - - pScr->bWrapPending = FALSE; - rc.left = pScr->x * pScr->cxChar; - rc.right = (pScr->x + 1) * pScr->cxChar; - rc.top = pScr->cyChar * pScr->y; - rc.bottom = pScr->cyChar * (pScr->y + 1); - InvalidateRect(pScr->hWnd, &rc, TRUE); - pScr->x--; - if (pScr->x < 0) - pScr->x = 0; - UpdateWindow(pScr->hWnd); - -} /* ScreenBackspace */ - - -void ScreenTab( - SCREEN *pScr) -{ - int num_spaces; - int idx; - SCREENLINE *pScrLine; - int iTest = 0; - HDC hDC; - - num_spaces = TAB_SPACES - (pScr->x % TAB_SPACES); - if (pScr->x + num_spaces >= pScr->width) - num_spaces = pScr->width - pScr->x; - pScrLine = GetScreenLineFromY(pScr, pScr->y); - if (pScrLine == NULL) - return; - for (idx = 0; idx < num_spaces; idx++, pScr->x++) { - if (!pScrLine->text[pScr->x]) - iTest=1; - if (iTest) - pScrLine->text[pScr->x] = SPACE; - } - hDC = GetDC(pScr->hWnd); - assert(hDC != NULL); - SelectObject(hDC, pScr->hSelectedFont); - TextOut(hDC, (pScr->x - num_spaces) * pScr->cxChar, pScr->y * pScr->cyChar, - pScrLine->text + pScr->x - num_spaces, num_spaces); - ReleaseDC(pScr->hWnd, hDC); - if (pScr->x >= pScr->width) - pScr->x = pScr->width - 1; - pScr->bWrapPending = FALSE; - -} /* ScreenTab */ - - -void ScreenCarriageFeed( - SCREEN *pScr) -{ - pScr->bWrapPending = FALSE; - pScr->x = 0; - -} /* ScreenCarriageFeed */ diff --git a/src/windows/wintel/screen.h b/src/windows/wintel/screen.h deleted file mode 100644 index e3e7460..0000000 --- a/src/windows/wintel/screen.h +++ /dev/null @@ -1,325 +0,0 @@ -extern long PASCAL ScreenWndProc(HWND,UINT,WPARAM,LPARAM); - -/* -* Definition of attribute bits in the Virtual Screen -* -* 0 - Bold -* 1 - -* 2 - -* 3 - Underline -* 4 - Blink -* 5 - -* 6 - Reverse -* 7 - Graphics character set -* -*/ -#define SCR_isbold(x) (x & 0x01) -#define SCR_isundl(x) (x & 0x08) -#define SCR_isblnk(x) (x & 0x10) -#define SCR_isrev(x) (x & 0x40) -#define SCR_setrev(x) (x ^= 0x40) -#define SCR_isgrph(x) (x & 0x80) -#define SCR_inattr(x) (x & 0xd9) -#define SCR_graph(x) (x | 0x80) -#define SCR_notgraph(x) (x & 0x7F) - -#define SCREEN_HANDLE 0 /* offset in extra window info */ - -#define WM_MYSCREENCHAR (WM_USER+1) -#define WM_MYSCREENBLOCK (WM_USER+2) -#define WM_MYSYSCHAR (WM_USER+3) -#define WM_MYSCREENCLOSE (WM_USER+4) -#define WM_MYSCREENCHANGEBKSP (WM_USER+5) -#define WM_MYSCREENSIZE (WM_USER+6) -#define WM_NETWORKEVENT (WM_USER+7) -#define WM_HOSTNAMEFOUND (WM_USER+8) -#define WM_MYCURSORKEY (WM_USER+9) - -#define FRAME_HEIGHT ((2* GetSystemMetrics(SM_CYFRAME))+GetSystemMetrics(SM_CYCAPTION)+GetSystemMetrics(SM_CYMENU)+3) -#define FRAME_WIDTH (2*GetSystemMetrics(SM_CXFRAME)+GetSystemMetrics(SM_CXVSCROLL)) -#define TAB_SPACES 8 -#define SPACE 32 -#define ALERT 0x21 -#define MAX_LINE_WIDTH 512 /* not restricted to 1 byte */ - -typedef struct SCREENLINE { - struct SCREENLINE *next; - struct SCREENLINE *prev; - int width; - char *text; - char *attrib; - char buffer[0]; -} SCREENLINE; - -typedef struct SCREEN { - LPSTR title; - HWND hWnd; - HWND hwndTel; - SCREENLINE *screen_top; - SCREENLINE *screen_bottom; - SCREENLINE *buffer_top; - SCREENLINE *buffer_bottom; - int ID; - int type; - int width; - int height; - int maxlines; /* Maximum number of scrollback lines */ - int numlines; /* Current number of scrollback lines */ - int savelines; /* Save lines off top? */ - int ESscroll; /* Scroll screen when ES received */ - int attrib; /* current attribute */ - int x; /* current cursor position */ - int y; /* current cursor position */ - int Oldx; /* internally used to redraw cursor */ - int Oldy; - int Px; /* saved cursor pos and attribute */ - int Py; - int Pattrib; - int VSIDC; /* Insert/Delete character mode 0=draw line */ - int DECAWM; /* AutoWrap mode 0=off */ - BOOL bWrapPending; /* AutoWrap mode is on - wrap on next character */ - int DECCKM; /* Cursor key mode */ - int DECPAM; /* keyPad Application mode */ - int IRM; /* Insert/Replace mode */ - int escflg; /* Current Escape level */ - int top; /* Vertical bounds of screen */ - int bottom; - int parmptr; - int cxChar; /* Width of the current font */ - int cyChar; /* Height of the current font */ - BOOL bAlert; - int parms[6]; /* Ansi Params */ - LOGFONT lf; - HFONT hSelectedFont; - HFONT hSelectedULFont; - char tabs[MAX_LINE_WIDTH]; - struct SCREEN *next; - struct SCREEN *prev; -} SCREEN; - -typedef struct CONFIG { - LPSTR title; - HWND hwndTel; - int ID; - int type; - int height; - int width; - int maxlines; /* Maximum number of scrollback lines */ - int backspace; - int ESscroll; /* Scroll screen when ES received */ - int VSIDC; /* Insert/Delete character mode 0=draw line */ - int DECAWM; /* AutoWrap mode 0=off */ - int IRM; /* Insert/Replace mode */ -} CONFIG; - -#define TELNET_SCREEN 0 -#define CONSOLE_SCREEN 1 - -#define IDM_FONT 100 -#define IDM_BACKSPACE 101 -#define IDM_DELETE 102 -#define IDM_ABOUT 103 -#define IDM_HELP_INDEX 104 -#define IDM_EXIT 105 - -#define HELP_FILE "ktelnet.hlp" - -#define IDM_COPY 200 -#define IDM_PASTE 201 -#define IDM_DEBUG 202 - -#define TIMER_TRIPLECLICK 1000 - -#define IDC_ALLOCFAIL 1 -#define IDC_LOCKFAIL 2 -#define IDC_LOADSTRINGFAIL 3 -#define IDC_FONT 6 - -#define DESIREDPOINTSIZE 12 - -/* -Prototypes -*/ - void NEAR InitializeStruct( - WORD wCommDlgType, - LPSTR lpStruct, - HWND hWnd); - - void ScreenInit( - HINSTANCE hInstance); - - void SetScreenInstance( - HINSTANCE hInstance); - - SCREENLINE *ScreenNewLine(); - - void ScreenBell( - SCREEN *pScr); - - void ScreenBackspace( - SCREEN *pScr); - - void ScreenTab( - SCREEN *pScr); - - void ScreenCarriageFeed( - SCREEN *pScr); - - int ScreenScroll( - SCREEN *pScr); - - void DeleteTopLine( - SCREEN *pScr); - -/* -emul.c -*/ - void ScreenEm( - LPSTR c, - int len, - SCREEN *pScr); - -/* -intern.c -*/ - SCREENLINE *GetScreenLineFromY( - SCREEN *pScr, - int y); - - SCREENLINE *ScreenClearLine( - SCREEN *pScr, - SCREENLINE *pScrLine); - - void ScreenUnscroll( - SCREEN *pScr); - - void ScreenELO( - SCREEN *pScr, - int s); - - void ScreenEraseScreen( - SCREEN *pScr); - - void ScreenTabClear( - SCREEN *pScr); - - void ScreenTabInit( - SCREEN *pScr); - - void ScreenReset( - SCREEN *pScr); - - void ScreenIndex( - SCREEN *pScr); - - void ScreenWrapNow( - SCREEN *pScr, - int *xp, - int *yp); - - void ScreenEraseToEOL( - SCREEN *pScr); - - void ScreenEraseToBOL( - SCREEN *pScr); - - void ScreenEraseLine( - SCREEN *pScr, - int s); - - void ScreenEraseToEndOfScreen( - SCREEN *pScr); - - void ScreenRange( - SCREEN *pScr); - - void ScreenAlign( - SCREEN *pScr); - - void ScreenApClear( - SCREEN *pScr); - - void ScreenSetOption( - SCREEN *pScr, - int toggle); - - BOOL ScreenInsChar( - SCREEN *pScr, - int x); - - void ScreenSaveCursor( - SCREEN *pScr); - - void ScreenRestoreCursor( - SCREEN *pScr); - - void ScreenDraw( - SCREEN *pScr, - int x, - int y, - int a, - int len, - char *c); - - void ScreenCursorOff( - SCREEN *pScr); - - void ScreenCursorOn( - SCREEN *pScr); - - void ScreenDelChars( - SCREEN *pScr, - int n); - - void ScreenRevIndex( - SCREEN *pScr); - - void ScreenDelLines( - SCREEN *pScr, - int n, - int s); - - void ScreenInsLines( - SCREEN *pScr, - int n, - int s); - - #if ! defined(NDEBUG) - BOOL CheckScreen( - SCREEN *pScr); - #endif - - void ProcessFontChange( - HWND hWnd); - - void Edit_LbuttonDown( - HWND hWnd, - LPARAM lParam); - - void Edit_LbuttonDblclk( - HWND hWnd, - LPARAM lParam); - - void Edit_LbuttonUp( - HWND hWnd, - LPARAM lParam); - - void Edit_TripleClick( - HWND hWnd, - LPARAM lParam); - - void Edit_MouseMove( - HWND hWnd, - LPARAM lParam); - - void Edit_ClearSelection( - SCREEN *pScr); - - void Edit_Copy( - HWND hWnd); - - void Edit_Paste( - HWND hWnd); - - SCREEN *InitNewScreen( - CONFIG *Config); diff --git a/src/windows/wintel/struct.h b/src/windows/wintel/struct.h deleted file mode 100644 index bc1cc49..0000000 --- a/src/windows/wintel/struct.h +++ /dev/null @@ -1,29 +0,0 @@ -#include "winsock.h" -#ifdef KRB4 - #include "kstream.h" -#endif -#ifdef KRB5 - #include "k5stream.h" -#endif - -#define HCONNECTION HGLOBAL - -typedef struct CONNECTION { - SCREEN *pScreen; /* handle to screen associated with connection */ - kstream ks; - SOCKET socket; - int pnum; /* port number associated with connection */ - int telstate; /* telnet state for this connection */ - int substate; /* telnet subnegotiation state */ - int termsent; - int echo; - int ugoahead; - int igoahead; - int timing; - int backspace; - int ctrl_backspace; - int termstate; /* terminal type for this connection */ - int width; - int height; - BOOL bResizeable; -} CONNECTION; diff --git a/src/windows/wintel/telnet.c b/src/windows/wintel/telnet.c deleted file mode 100644 index a2f5083..0000000 --- a/src/windows/wintel/telnet.c +++ /dev/null @@ -1,904 +0,0 @@ -/**************************************************************************** - - Program: telnet.c - - PURPOSE: Windows networking kernel - Telnet - - FUNCTIONS: - - WinMain() - calls initialization function, processes message loop - InitApplication() - initializes window data and registers window - InitInstance() - saves instance handle and creates main window - MainWndProc() - processes messages - About() - processes messages for "About" dialog box - - COMMENTS: - - Windows can have several copies of your application running at the - same time. The variable hInst keeps track of which instance this - application is so that processing will be to the correct window. - - ****************************************************************************/ - -#include -#include -#include -#include -#include "telnet.h" -#include "auth.h" - -static HANDLE hInst; -static HWND hWnd; -static CONFIG *tmpConfig; -static CONNECTION *con = NULL; -static char hostdata[MAXGETHOSTSTRUCT]; -static SCREEN *pScr; -static int debug = 1; - -char strTmp[1024]; /* Scratch buffer */ -BOOL bAutoConnection = FALSE; -short port_no = 23; -char szUserName[64]; /* Used in auth.c */ -char szHostName[64]; - -#ifdef KRB4 -#define WINDOW_CLASS "K4_telnetWClass" -#endif - -#ifdef KRB5 -krb5_context k5_context; -#define WINDOW_CLASS "K5_telnetWClass" -#endif - -/* - * - * FUNCTION: WinMain(HINSTANCE, HINSTANCE, LPSTR, int) - * - * PURPOSE: calls initialization function, processes message loop - * - * COMMENTS: - * - * Windows recognizes this function by name as the initial entry point - * for the program. This function calls the application initialization - * routine, if no other instance of the program is running, and always - * calls the instance initialization routine. It then executes a message - * retrieval and dispatch loop that is the top-level control structure - * for the remainder of execution. The loop is terminated when a WM_QUIT - * message is received, at which time this function exits the application - * instance by returning the value passed by PostQuitMessage(). - * - * If this function must abort before entering the message loop, it - * returns the conventional value NULL. - */ - -int PASCAL -WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) -{ - MSG msg; - - if (!hPrevInstance) - if (!InitApplication(hInstance)) - return(FALSE); - - /* - * Perform initializations that apply to a specific instance - */ - bAutoConnection = parse_cmdline(lpCmdLine); - - if (!InitInstance(hInstance, nCmdShow)) - return(FALSE); - -#ifdef _WIN32 - SetDebugErrorLevel(SLE_WARNING); -#endif - - /* - * Acquire and dispatch messages until a WM_QUIT message is received. - */ - while (GetMessage(&msg, NULL, 0, 0)) { - TranslateMessage(&msg); - DispatchMessage(&msg); - - /* Process all non-network messages */ - while (PeekMessage(&msg, NULL, 0, WM_NETWORKEVENT-1, PM_REMOVE) || - PeekMessage(&msg, NULL, WM_NETWORKEVENT+1, (UINT)-1, PM_REMOVE)) - { - if (msg.message == WM_QUIT) // Special case: WM_QUIT -- return - return msg.wParam; // the value from PostQuitMessage - - TranslateMessage(&msg); - DispatchMessage(&msg); - } - } - - return (msg.wParam); /* Returns the value from PostQuitMessage */ -} - -/* - * FUNCTION: InitApplication(HINSTANCE) - * - * PURPOSE: Initializes window data and registers window class - * - * COMMENTS: - * - * This function is called at initialization time only if no other - * instances of the application are running. This function performs - * initialization tasks that can be done once for any number of running - * instances. - * - * In this case, we initialize a window class by filling out a data - * structure of type WNDCLASS and calling the Windows RegisterClass() - * function. Since all instances of this application use the same window - * class, we only need to do this when the first instance is initialized. - */ - -BOOL -InitApplication(HINSTANCE hInstance) -{ - WNDCLASS wc; - - ScreenInit(hInstance); - - /* - * Fill in window class structure with parameters that describe the - * main window. - */ - wc.style = CS_HREDRAW | CS_VREDRAW; /* Class style(s). */ - wc.lpfnWndProc = MainWndProc; /* Function to retrieve messages for - * windows of this class. - */ - wc.cbClsExtra = 0; /* No per-class extra data. */ - wc.cbWndExtra = 0; /* No per-window extra data. */ - wc.hInstance = hInstance; /* Application that owns the class. */ - wc.hIcon = NULL; /* LoadIcon(hInstance, "NCSA"); */ - wc.hCursor = NULL; /* Cursor(NULL, IDC_ARROW); */ - wc.hbrBackground = NULL; /* GetStockObject(WHITE_BRUSH); */ - wc.lpszMenuName = NULL; /* Name of menu resource in .RC file. */ - wc.lpszClassName = WINDOW_CLASS; /* Name used in call to CreateWindow. */ - - return(RegisterClass(&wc)); -} - - -/* - * FUNCTION: InitInstance(HANDLE, int) - * - * PURPOSE: Saves instance handle and creates main window - * - * COMMENTS: - * - * This function is called at initialization time for every instance of - * this application. This function performs initialization tasks that - * cannot be shared by multiple instances. - * - * In this case, we save the instance handle in a static variable and - * create and display the main program window. - */ -BOOL -InitInstance(HINSTANCE hInstance, int nCmdShow) -{ - int xScreen = 0; - int yScreen = 0; - WSADATA wsaData; - - SetScreenInstance(hInstance); - - /* - * Save the instance handle in static variable, which will be used in - * many subsequence calls from this application to Windows. - */ - hInst = hInstance; - - /* - * Create a main window for this application instance. - */ - hWnd = CreateWindow( - WINDOW_CLASS, /* See RegisterClass() call. */ - "TCPWin", /* Text for window title bar. */ - WS_SYSMENU, /* Window style. */ - xScreen / 3, /* Default horizontal position. */ - yScreen / 3, /* Default vertical position. */ - xScreen / 3, /* Default width. */ - yScreen / 3, /* Default height. */ - NULL, /* Overlapped windows have no parent */ - NULL, /* Use the window class menu. */ - hInstance, /* This instance owns this window. */ - NULL); /* Pointer not needed. */ - - if (!hWnd) - return (FALSE); - - if (WSAStartup(0x0101, &wsaData) != 0) { /* Initialize the network */ - MessageBox(NULL, "Couldn't initialize Winsock!", NULL, - MB_OK | MB_ICONEXCLAMATION); - return(FALSE); - } - - if (!OpenTelnetConnection()) { - WSACleanup(); - return(FALSE); - } - -#ifdef KRB5 - krb5_init_context(&k5_context); -#endif - - return (TRUE); -} - -char buf[2048]; - -/* - * FUNCTION: MainWndProc(HWND, UINT, WPARAM, LPARAM) - * - * PURPOSE: Processes messages - * - * MESSAGES: - * - * WM_COMMAND - application menu (About dialog box) - * WM_DESTROY - destroy window - */ -LRESULT CALLBACK -MainWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam) -{ - HGLOBAL hBuffer; - LPSTR lpBuffer; - int iEvent, cnt, ret; - char *tmpCommaLoc; - struct sockaddr_in remote_addr; - struct hostent *remote_host; - - switch (message) { - case WM_MYSCREENCHANGEBKSP: - if (!con) - break; - con->backspace = wParam; - if (con->backspace == VK_BACK) { - con->ctrl_backspace = 0x7f; - WritePrivateProfileString(INI_TELNET, INI_BACKSPACE, - INI_BACKSPACE_BS, TELNET_INI); - } - else { - con->ctrl_backspace = VK_BACK; - WritePrivateProfileString(INI_TELNET, INI_BACKSPACE, - INI_BACKSPACE_DEL, TELNET_INI); - } - GetPrivateProfileString(INI_HOSTS, INI_HOST "0", "", buf, 128, TELNET_INI); - tmpCommaLoc = strchr(buf, ','); - if (tmpCommaLoc == NULL) { - strcat (buf, ","); - tmpCommaLoc = strchr(buf, ','); - } - if (tmpCommaLoc) { - tmpCommaLoc++; - if (con->backspace == VK_BACK) - strcpy(tmpCommaLoc, INI_HOST_BS); - else - strcpy(tmpCommaLoc, INI_HOST_DEL); - } - WritePrivateProfileString(INI_HOSTS, INI_HOST "0", buf, TELNET_INI); - break; - - case WM_MYSCREENCHAR: - { - unsigned char c; - - if (!con) - break; - if (wParam == VK_BACK) - c = con->backspace; - else if (wParam == 0x7f) - c = con->ctrl_backspace; - else if (wParam == VK_SPACE && GetKeyState(VK_CONTROL) < 0) - c = 0; - else - c = wParam; - TelnetSend(con->ks, &c, 1, 0); - } - break; - - case WM_MYCURSORKEY: - /* Acts as a send through: buffer is lParam and length in wParam */ - if (!con) - break; - memcpy(buf, (char *)lParam, wParam); - TelnetSend (con->ks, buf, wParam, 0); - break; - - case WM_MYSCREENBLOCK: - if (!con) - break; - hBuffer = (HGLOBAL) wParam; - lpBuffer = GlobalLock(hBuffer); - TelnetSend(con->ks, lpBuffer, lstrlen(lpBuffer), 0); - GlobalUnlock(hBuffer); - break; - - case WM_MYSCREENCLOSE: -#if 0 - if (con) - { - kstream_destroy(con->ks); - con->ks = NULL; - } -#endif - DestroyWindow(hWnd); - break; - - case WM_QUERYOPEN: - return(0); - break; - - case WM_DESTROY: /* message: window being destroyed */ - if (con) - { - kstream_destroy(con->ks); - free(con); - WSACleanup(); - } - PostQuitMessage(0); - break; - - case WM_NETWORKEVENT: - iEvent = WSAGETSELECTEVENT(lParam); - - switch (iEvent) { - - case FD_READ: - if (con == NULL) - break; - cnt = kstream_read(con->ks, buf, 1500); - buf[cnt] = 0; - parse((CONNECTION *)con, (unsigned char *)buf, cnt); - ScreenEm(buf, cnt, con->pScreen); - break; - - case FD_CLOSE: - kstream_destroy(con->ks); - free(con); - con = NULL; - WSACleanup(); - PostQuitMessage(0); - break; - - case FD_CONNECT: - ret = WSAGETSELECTERROR(lParam); - if (ret) { - wsprintf(buf, "Error %d on Connect", ret); - MessageBox(NULL, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - kstream_destroy(con->ks); - free(con); - WSACleanup(); - PostQuitMessage(0); - break; - } - start_negotiation(con->ks); - break; - } - - break; - - case WM_HOSTNAMEFOUND: - ret = WSAGETASYNCERROR(lParam); - if (ret) { - wsprintf(buf, "Error %d on GetHostbyName", ret); - MessageBox(NULL, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - kstream_destroy(con->ks); - free(con); - WSACleanup(); - PostQuitMessage(0); - break; - } - - remote_host = (struct hostent *)hostdata; - remote_addr.sin_family = AF_INET; - memcpy(&(remote_addr.sin_addr), &(remote_host->h_addr[0]), 4); - remote_addr.sin_port = htons(port_no); - - connect(con->socket, (struct sockaddr *)&remote_addr, sizeof(struct sockaddr)); - break; - - case WM_MYSCREENSIZE: - con->width = LOWORD(lParam); /* width in characters */ - con->height = HIWORD(lParam); /* height in characters */ - if (con->bResizeable && con->ks) - send_naws(con); - wsprintf(buf, "%d", con->height); - WritePrivateProfileString(INI_TELNET, INI_HEIGHT, buf, TELNET_INI); - wsprintf(buf, "%d", con->width); - WritePrivateProfileString(INI_TELNET, INI_WIDTH, buf, TELNET_INI); - break; - - default: /* Passes it on if unproccessed */ - return(DefWindowProc(hWnd, message, wParam, lParam)); - } - return (0); -} - - -/* - * - * FUNCTION: SaveHostName(hostname, port) - * - * PURPOSE: Saves the currently selected host name and port number - * in the KERBEROS.INI file and returns the preferred backspace - * setting if one exists for that host. - * - * RETURNS: VK_BACK or 0x7f depending on the desired backspace setting. - */ -int -SaveHostName(char *host, int port) -{ - char buf[128]; /* Scratch buffer */ - char fullhost[128]; /* Host & port combination */ - char hostName[10][128]; /* Entries from INI files */ - char *comma; /* For parsing del/bs info */ - int len; /* Length of fullhost */ - int n; /* Number of items written */ - int i; /* Index */ - int bs; /* What we return */ - - if (port == 23) /* Default telnet port */ - strcpy(fullhost, host); /* ...then don't add it on */ - else - wsprintf(fullhost, "%s %d", host, port); - len = strlen(fullhost); - - comma = NULL; - for (i = 0; i < 10; i++) { - wsprintf(buf, INI_HOST "%d", i); /* INI item to fetch */ - GetPrivateProfileString(INI_HOSTS, buf, "", hostName[i], - 128, TELNET_INI); - - if (!hostName[i][0]) - break; - - if (strncmp (hostName[i], fullhost, len)) /* A match?? */ - continue; /* Nope, keep going */ - comma = strchr (hostName[i], ','); - } - - if (comma) { - ++comma; /* Past the comma */ - while (*comma == ' ') /* Past leading white space */ - ++comma; - bs = VK_BACK; /* Default for unknown entry */ - if (_stricmp(comma, INI_HOST_DEL) == 0) - bs = 0x7f; - } - else { /* No matching entry */ - GetPrivateProfileString(INI_TELNET, INI_BACKSPACE, INI_BACKSPACE_BS, - buf, sizeof(buf), TELNET_INI); - bs = VK_BACK; /* Default value */ - if (_stricmp(buf, INI_BACKSPACE_DEL) == 0) - bs = 0x7f; - } - - /* - * Build up default host name - */ - strcpy(buf, fullhost); - strcat(buf, ", "); - strcat(buf, (bs == VK_BACK) ? INI_BACKSPACE_BS : INI_BACKSPACE_DEL); - WritePrivateProfileString(INI_HOSTS, INI_HOST "0", buf, TELNET_INI); - - n = 0; - for (i = 0; i < 10; i++) { - if (!hostName[i][0]) /* End of the list? */ - break; - if (strncmp(hostName[i], fullhost, len) != 0) { - wsprintf(buf, INI_HOST "%d", ++n); - WritePrivateProfileString(INI_HOSTS, buf, hostName[i], TELNET_INI); - } - } - return(bs); -} - - -int -OpenTelnetConnection(void) -{ - int nReturn, ret; - struct sockaddr_in sockaddr; - char *p; - static struct kstream_crypt_ctl_block ctl; - char buf[128]; - - tmpConfig = calloc(sizeof(CONFIG), 1); - - if (bAutoConnection) { - tmpConfig->title = calloc(lstrlen(szHostName), 1); - lstrcpy(tmpConfig->title, (char *) szHostName); - } else { - nReturn = DoDialog("OPENTELNETDLG", OpenTelnetDlg); - if (nReturn == FALSE) - return(FALSE); - } - - con = (CONNECTION *) GetNewConnection(); - if (con == NULL) - return(0); - - tmpConfig->width = - GetPrivateProfileInt(INI_TELNET, INI_WIDTH, DEF_WIDTH, TELNET_INI); - - tmpConfig->height = - GetPrivateProfileInt(INI_TELNET, INI_HEIGHT, DEF_HEIGHT, TELNET_INI); - con->width = tmpConfig->width; - con->height = tmpConfig->height; - - con->backspace = SaveHostName(tmpConfig->title, port_no); - - if (con->backspace == VK_BACK) { - tmpConfig->backspace = TRUE; - con->ctrl_backspace = 0x7f; - } else { - tmpConfig->backspace = FALSE; - con->ctrl_backspace = 0x08; - } - - tmpConfig->hwndTel = hWnd; - con->pScreen = InitNewScreen(tmpConfig); - if (!con->pScreen) { - assert(FALSE); - free(con->pScreen); - free(con); - free(tmpConfig); - return(-1); - } - - ret = (SOCKET) socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - - if (ret == SOCKET_ERROR) { - wsprintf(buf, "Socket error on socket = %d!", WSAGetLastError()); - MessageBox(NULL, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - if (con->pScreen != NULL) - DestroyWindow(con->pScreen->hWnd); - free(con); - free(tmpConfig); - return(-1); - } - - con->socket = ret; - - sockaddr.sin_family = AF_INET; - sockaddr.sin_addr.s_addr = htonl(INADDR_ANY); - sockaddr.sin_port = htons(0); - - ret = bind(con->socket, (struct sockaddr *) &sockaddr, - (int) sizeof(struct sockaddr_in)); - - if (ret == SOCKET_ERROR) { - wsprintf(buf, "Socket error on bind!"); - MessageBox(NULL, buf, NULL, MB_OK | MB_ICONEXCLAMATION); - if (con->pScreen != NULL) - DestroyWindow(con->pScreen->hWnd); - free(con); - free(tmpConfig); - return(-1); - } - - WSAAsyncSelect(con->socket, hWnd, WM_NETWORKEVENT, - FD_READ | FD_CLOSE | FD_CONNECT); - - lstrcpy(szHostName, tmpConfig->title); - p = strchr(szHostName, '@'); - if (p != NULL) { - *p = 0; - strcpy (szUserName, szHostName); - strcpy(szHostName, ++p); - } - - WSAAsyncGetHostByName(hWnd, WM_HOSTNAMEFOUND, szHostName, hostdata, - MAXGETHOSTSTRUCT); - - ctl.encrypt = auth_encrypt; - ctl.decrypt = auth_decrypt; - ctl.init = auth_init; - ctl.destroy = auth_destroy; - - con->ks = kstream_create_from_fd(con->socket, &ctl, NULL); - - if (con->ks == NULL) - return(-1); - - kstream_set_buffer_mode(con->ks, 0); - - return(1); -} - - -CONNECTION * -GetNewConnection(void) -{ - CONNECTION *pCon; - - pCon = calloc(sizeof(CONNECTION), 1); - if (pCon == NULL) - return NULL; - pCon->backspace = TRUE; - pCon->bResizeable = TRUE; - return(pCon); -} - - -int -DoDialog(char *szDialog, DLGPROC lpfnDlgProc) -{ - int nReturn; - - nReturn = DialogBox(hInst, szDialog, hWnd, lpfnDlgProc); - return (nReturn); -} - - -/* - * FUNCTION: OpenTelnetDlg(HWND, unsigned, WORD, LONG) - * - * PURPOSE: Processes messages for "Open New Telnet Connection" dialog box - * - * MESSAGES: - * - * WM_INITDIALOG - initialize dialog box - * WM_COMMAND - Input received - */ -INT_PTR CALLBACK -OpenTelnetDlg(HWND hDlg, UINT message, WPARAM wParam, LPARAM lParam) -{ - char szConnectName[256]; - HDC hDC; - int xExt, yExt; - DWORD Ext; - HWND hEdit; - int n; - int iHostNum = 0; - char tmpName[128]; - char tmpBuf[80]; - char *tmpCommaLoc; - - switch (message) { - case WM_INITDIALOG: - hDC = GetDC(hDlg); - Ext = GetDialogBaseUnits(); - xExt = (190 *LOWORD(Ext)) /4 ; - yExt = (72 * HIWORD(Ext)) /8 ; - GetPrivateProfileString(INI_HOSTS, INI_HOST "0", "", tmpName, - 128, TELNET_INI); - if (tmpName[0]) { - tmpCommaLoc = strchr(tmpName, ','); - if (tmpCommaLoc) - *tmpCommaLoc = '\0'; - SetDlgItemText(hDlg, TEL_CONNECT_NAME, tmpName); - } - hEdit = GetWindow(GetDlgItem(hDlg, TEL_CONNECT_NAME), GW_CHILD); - while (TRUE) { - wsprintf(tmpBuf, INI_HOST "%d", iHostNum++); - GetPrivateProfileString(INI_HOSTS, tmpBuf, "", tmpName, - 128, TELNET_INI); - tmpCommaLoc = strchr(tmpName, ','); - if (tmpCommaLoc) - *tmpCommaLoc = '\0'; - if (tmpName[0]) - SendDlgItemMessage(hDlg, TEL_CONNECT_NAME, CB_ADDSTRING, 0, - (LPARAM) ((LPSTR) tmpName)); - else - break; - } -#ifdef FORWARD - EnableWindow(GetDlgItem(hDlg, IDC_FORWARD), 1); - SendDlgItemMessage(hDlg, IDC_FORWARD, BM_SETCHECK, forward_flag, 0); - if (forward_flag) - EnableWindow(GetDlgItem(hDlg, IDC_FORWARDFORWARD), 1); - else - EnableWindow(GetDlgItem(hDlg, IDC_FORWARDFORWARD), 0); - SendDlgItemMessage(hDlg, IDC_FORWARDFORWARD, BM_SETCHECK, - forwardable_flag, 0); -#endif - -#ifdef ENCRYPTION - EnableWindow(GetDlgItem(hDlg, IDC_ENCRYPT), 1); - SendDlgItemMessage(hDlg, IDC_ENCRYPT, - BM_SETCHECK, encrypt_flag, 0); -#endif - - EnableWindow(GetDlgItem(hDlg, TEL_CONNECT_USERID), 1); - - SetWindowPos(hDlg, NULL, - (GetSystemMetrics(SM_CXSCREEN)/2)-(xExt/2), - (GetSystemMetrics(SM_CYSCREEN)/2)-(yExt/2), - 0, 0, SWP_NOSIZE | SWP_NOZORDER | SWP_SHOWWINDOW); - ReleaseDC(hDlg, hDC); - SendMessage(hEdit, WM_USER + 1, 0, 0); - SendMessage(hDlg, WM_SETFOCUS, 0, 0); - return (TRUE); - - case WM_COMMAND: - switch (wParam) { - case TEL_CANCEL: - case IDCANCEL: /* From the menu */ - EndDialog(hDlg, FALSE); - break; - -#ifdef FORWARD - case IDC_FORWARD: - forward_flag = (BOOL)SendDlgItemMessage(hDlg, IDC_FORWARD, - BM_GETCHECK, 0, 0); - if (forward_flag) - EnableWindow(GetDlgItem(hDlg, IDC_FORWARDFORWARD), 1); - else - EnableWindow(GetDlgItem(hDlg, IDC_FORWARDFORWARD), 0); - break; - - case IDC_FORWARDFORWARD: - forwardable_flag = (BOOL)SendDlgItemMessage(hDlg, IDC_FORWARDFORWARD, - BM_GETCHECK, 0, 0); - break; -#endif - -#if ENCRYPTION - case IDC_ENCRYPT: - encrypt_flag = (BOOL)SendDlgItemMessage(hDlg, IDC_ENCRYPT, - BM_GETCHECK, 0, 0); - break; -#endif - case TEL_CONNECT_USERID: - GetDlgItemText(hDlg, TEL_CONNECT_USERID, szUserName, sizeof(szUserName)); - break; - - case TEL_OK: - GetDlgItemText(hDlg, TEL_CONNECT_NAME, szConnectName, 256); - - n = parse_cmdline (szConnectName); - if (! n) { - MessageBox(hDlg, "You must enter a session name!", - NULL, MB_OK); - break; - } - tmpConfig->title = calloc(lstrlen(szHostName) + 1, 1); - lstrcpy(tmpConfig->title, szConnectName); - EndDialog(hDlg, TRUE); - break; - } - return (FALSE); - } - return(FALSE); -} - - -/* - * - * FUNCTION: TelnetSend(kstream ks, char *buf, int len, int flags) - * - * PURPOSE: This is a replacement for the WinSock send() function, to - * send a buffer of characters to an output socket. It differs - * by retrying endlessly if sending the bytes would cause - * the send() to block. observed EWOULDBLOCK - * errors when running using TCP Software's PC/TCP 3.0 stack, - * even when writing as little as 109 bytes into a socket - * that had no more than 9 bytes queued for output. Note also - * that a kstream is used during output rather than a socket - * to facilitate encryption. - * - * Eventually, for cleanliness and responsiveness, this - * routine should not loop; instead, if the send doesn't - * send all the bytes, it should put them into a buffer - * and return. Message handling code would send out the - * buffer whenever it gets an FD_WRITE message. - */ -int -TelnetSend(kstream ks, char *buf, int len, int flags) -{ - int writelen; - int origlen = len; - - while (TRUE) { - writelen = kstream_write(ks, buf, len); - - if (writelen == len) /* Success, first or Nth time */ - return (origlen); - - if (writelen == SOCKET_ERROR) { - if (WSAGetLastError() != WSAEWOULDBLOCK) - return (SOCKET_ERROR); /* Some error */ - /* For WOULDBLOCK, immediately repeat the send. */ - } - else { - /* Partial write; update the pointers and retry. */ - len -= writelen; - buf += writelen; - } - } -} - - -/* - * Function: Trim leading and trailing white space from a string. - * - * Parameters: - * s - the string to trim. - */ -void -trim(char *s) -{ - int l; - int i; - - for (i = 0; s[i]; i++) - if (s[i] != ' ' && s[i] != '\t') - break; - - l = strlen(&s[i]); - memmove(s, &s[i], l + 1); - - for (l--; l >= 0; l--) { - if (s[l] != ' ' && s[l] != '\t') - break; - } - s[l + 1] = 0; -} - - -/* - * - * Parse_cmdline - * - * Reads hostname and port number off the command line. - * - * Formats: telnet - * telnet - * telnet - * telnet -p - * - * Returns: TRUE if we have a hostname - */ -BOOL -parse_cmdline(char *cmdline) -{ - char *ptr; - - *szHostName = '\0'; /* Nothing yet */ - if (*cmdline == '\0') /* Empty command line? */ - return(FALSE); - - trim (cmdline); /* Remove excess spaces */ - ptr = strchr (cmdline, ' '); /* Find 2nd token */ - - if (ptr != NULL) { /* Port number given */ - *ptr++ = '\0'; /* Separate into 2 words */ - port_no = atoi (ptr); - } - - if (*cmdline != '-' && *cmdline != '/') { /* Host name given */ - lstrcpy (szHostName, cmdline); - return(TRUE); - } - - return(FALSE); -} - -#ifdef DEBUG -void -hexdump(char *msg, unsigned char *st, int cnt) -{ - int i; - char strTmp[128]; - - OutputDebugString("\r\n"); - if (msg != NULL) { - OutputDebugString(msg); - OutputDebugString("\r\n"); - } - for(i = 0 ; i < cnt ; i++) { - int j; - - for(j = 0 ; (j < 16) && ((i + j) < cnt) ; j++) { - wsprintf(strTmp,"%02x ", st[i + j]); - if (j == 8) - OutputDebugString("| "); - OutputDebugString(strTmp); - } - i += j - 1; - OutputDebugString("\r\n"); - } /* end for */ -} -#endif diff --git a/src/windows/wintel/telnet.def b/src/windows/wintel/telnet.def deleted file mode 100644 index e2d2ab9..0000000 --- a/src/windows/wintel/telnet.def +++ /dev/null @@ -1,39 +0,0 @@ -; module-definition file for testdll -- used by LINK.EXE -NAME TELNET -DESCRIPTION 'Sample Microsoft Windows Application' -EXETYPE WINDOWS -STUB 'WINSTUB.EXE' -SEGMENTS _TEXT CLASS 'CODE' PRELOAD -CODE DISCARDABLE -DATA PRELOAD MOVEABLE MULTIPLE -HEAPSIZE 10240 - -; All functions that will be called by any Windows routine -; MUST be exported. - -EXPORTS - MainWndProc @1 ; name of window processing function - OpenTelnetDlg @3 ; name of "Open New Telnet Connection" Dialog Function - -IMPORTS - WINSOCK.WSAStartup - WINSOCK.WSACleanup - WINSOCK.WSAAsyncSelect - WINSOCK.WSAGetLastError - WINSOCK.WSAAsyncGetHostByName - WINSOCK.listen - WINSOCK.accept - WINSOCK.__wsafdisset - WINSOCK.socket - WINSOCK.bind - WINSOCK.gethostbyname - WINSOCK.getsockname - WINSOCK.htons - WINSOCK.connect - WINSOCK.recv - WINSOCK.send - WINSOCK.htonl - WINSOCK.closesocket - WINSOCK.select - WINSOCK.ioctlsocket - WINSOCK.getpeername diff --git a/src/windows/wintel/telnet.h b/src/windows/wintel/telnet.h deleted file mode 100644 index cd1904a..0000000 --- a/src/windows/wintel/telnet.h +++ /dev/null @@ -1,41 +0,0 @@ -#ifndef TELNET_H_INC -#define TELNET_H_INC - -#include -#include - -#ifdef KRB5 -#include "krb5.h" -#include "k5stream.h" -#endif - -#include "dialog.h" -#include "screen.h" -#include "struct.h" -#include "wt-proto.h" -#include "winsock.h" -#include "ini.h" - -/* globals */ -extern char szAutoHostName[64]; -extern char szUserName[64]; -extern char szHostName[64]; - -#ifdef KRB5 -extern krb5_context k5_context; -#endif - -extern void parse(CONNECTION *, unsigned char *, int); - -extern void send_naws(CONNECTION *); - -extern char strTmp[1024]; - -#define DEF_WIDTH 80 -#define DEF_HEIGHT 24 - -#ifdef DEBUG -void hexdump(char *, unsigned char *, int); -#endif - -#endif /* TELNET_H_INC */ diff --git a/src/windows/wintel/telnet.rc b/src/windows/wintel/telnet.rc deleted file mode 100644 index 6fd62c2..0000000 --- a/src/windows/wintel/telnet.rc +++ /dev/null @@ -1,247 +0,0 @@ -//Microsoft Developer Studio generated resource script. -// -// XXX since modified by hand... - -#include "resource.h" - -#define APSTUDIO_READONLY_SYMBOLS -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 2 resource. -// -#define APSTUDIO_HIDDEN_SYMBOLS -#include "windows.h" -#undef APSTUDIO_HIDDEN_SYMBOLS -#include "dialog.h" -#include "screen.h" - -///////////////////////////////////////////////////////////////////////////// -#undef APSTUDIO_READONLY_SYMBOLS - -///////////////////////////////////////////////////////////////////////////// -// English (U.S.) resources - -#if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_ENU) -#ifdef _WIN32 -LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_US -#pragma code_page(1252) -#endif //_WIN32 - -///////////////////////////////////////////////////////////////////////////// -// -// Dialog -// - -OPENTELNETDLG DIALOG DISCARDABLE 63, 65, 175, 129 -#ifdef _WIN32 -STYLE DS_ABSALIGN | DS_MODALFRAME | DS_3DLOOK | WS_POPUP | WS_CAPTION | - WS_SYSMENU -#else -STYLE DS_ABSALIGN | DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -#endif -CAPTION "Open New Telnet Connection" -FONT 8, "MS Sans Serif" -BEGIN - LTEXT "To Host:",IDC_STATIC,3,10,33,10,NOT WS_GROUP - COMBOBOX TEL_CONNECT_NAME,37,9,128,76,CBS_DROPDOWN | WS_VSCROLL | - WS_GROUP | WS_TABSTOP - CONTROL "Forward credentials",IDC_FORWARD,"Button", - BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,37,28,77,10 - CONTROL "Forward remote credentials",IDC_FORWARDFORWARD,"Button", - BS_AUTOCHECKBOX | WS_DISABLED | WS_TABSTOP,37,44,101,10 - CONTROL "Enable encryption",IDC_ENCRYPT,"Button",BS_AUTOCHECKBOX | - WS_DISABLED | WS_TABSTOP,37,60,73,10 - CONTROL "Connect as userid",IDC_STATIC,"Static", - SS_LEFTNOWORDWRAP,15,84,58,8 - EDITTEXT TEL_CONNECT_USERID,77,82,80,13,ES_AUTOHSCROLL | - WS_DISABLED - DEFPUSHBUTTON "OK",TEL_OK,20,106,51,14,WS_GROUP - PUSHBUTTON "Cancel",TEL_CANCEL,106,106,51,14 -END - -ABOUTBOX DIALOG DISCARDABLE 69, 33, 175, 148 -STYLE DS_ABSALIGN | DS_MODALFRAME | WS_CAPTION | WS_SYSMENU -CAPTION "About TCPwin" -BEGIN - ICON "NCSA",-1,15,12,16,16 - CTEXT "Microsoft Windows",-1,48,11,93,8 - CTEXT "NCSA TCP/IP Networking Kernel",-1,38,21,120,8 - CTEXT "Version 1.0b2",-1,20,31,144,8 - PUSHBUTTON "OK",IDOK,72,126,39,14,WS_GROUP | NOT WS_TABSTOP - CTEXT "Written By:",606,20,50,144,8 - CTEXT "Jon Mittelhauser (jonm@ncsa.uiuc.edu)",607,20,61,144,8 - CTEXT "Chris Wilson (cwilson@ncsa.uiuc.edu)",608,20,71,144,8 - CTEXT "Special Thanks to:",609,21,97,143,8 - CTEXT "Joe Lepore for DPMI interface code",610,20,107,144,8 - CTEXT "Keberized by: Cygnus Support",611,20,82,144,8 -END - -CONFIG_DLG DIALOG DISCARDABLE 6, 18, 160, 130 -STYLE DS_MODALFRAME | WS_POPUP | WS_VISIBLE | WS_CAPTION | WS_SYSMENU -CAPTION "Configure Session" -FONT 8, "MS Sans Serif" -BEGIN - LTEXT "Session Name:",301,1,5,54,8 - LTEXT "Default Session",CON_SESSIONNAME,55,5,105,8 - LTEXT "Window Title:",303,1,17,49,8 - EDITTEXT CON_WINDOWTITLE,53,15,102,12,ES_AUTOHSCROLL - CONTROL "132",CON_COLUMNS132,"Button",BS_AUTORADIOBUTTON | - WS_GROUP,53,33,39,10 - CONTROL "80",CON_COLUMNS80,"Button",BS_AUTORADIOBUTTON,110,33,39, - 10 - CONTROL "Backspace",CON_BACKSPACE,"Button",BS_AUTORADIOBUTTON | - WS_GROUP,53,46,49,10 - CONTROL "Delete",CON_DELETE,"Button",BS_AUTORADIOBUTTON,110,46, - 39,10 - CONTROL "CRLF",CON_CRLF,"Button",BS_AUTORADIOBUTTON | WS_GROUP, - 53,59,39,10 - CONTROL "CR-NUL",CON_CRNUL,"Button",BS_AUTORADIOBUTTON,110,59,39, - 10 - CONTROL "Buffers",CON_BUFFERS,"Button",BS_AUTORADIOBUTTON | - WS_GROUP,53,72,39,10 - CONTROL "Sends",CON_SENDS,"Button",BS_AUTORADIOBUTTON,110,72,39, - 10 - LTEXT "Columns",313,1,33,49,8 - LTEXT "Backspace is",314,1,46,51,8 - LTEXT "Return Sends",315,1,59,49,8 - LTEXT "Echo Mode",316,1,72,49,8 - CONTROL "Scrollback",CON_SCRLBCK,"Button",BS_AUTOCHECKBOX | - WS_TABSTOP,1,86,50,10 - EDITTEXT CON_NUMLINES,53,85,28,12,ES_AUTOHSCROLL - LTEXT "lines",319,85,86,33,8 - DEFPUSHBUTTON "OK",CON_OK,20,108,50,14,WS_GROUP - PUSHBUTTON "Use Defaults",CON_USEDEFAULTS,90,108,50,14 -END - -IDM_PRINTQUEUE DIALOG DISCARDABLE 69, 25, 160, 80 -STYLE WS_MINIMIZEBOX | WS_MAXIMIZEBOX | WS_POPUP | WS_VISIBLE | WS_CAPTION | - WS_VSCROLL | WS_HSCROLL | WS_SYSMENU -CAPTION "Print Queue" -FONT 8, "MS Sans Serif" -BEGIN -END - -IDD_DIALOG1 DIALOG DISCARDABLE 0, 0, 183, 92 -STYLE DS_MODALFRAME | WS_POPUP | WS_CAPTION | WS_SYSMENU -CAPTION "Dialog" -FONT 8, "MS Sans Serif" -BEGIN - DEFPUSHBUTTON "OK",IDOK,126,7,50,14 - PUSHBUTTON "Cancel",IDCANCEL,126,24,50,14 -END - - -///////////////////////////////////////////////////////////////////////////// -// -// Icon -// - -// Icon with lowest ID value placed first to ensure application icon -// remains consistent on all systems. -NCSA ICON DISCARDABLE "ncsa.ico" -TERMINAL ICON DISCARDABLE "terminal.ico" - -///////////////////////////////////////////////////////////////////////////// -// -// Menu -// - -SCREENMENU MENU DISCARDABLE -BEGIN - POPUP "&File" - BEGIN - MENUITEM "E&xit Alt+F4", IDM_EXIT - END - POPUP "&Edit" - BEGIN - MENUITEM "&Copy Cltr+Ins", IDM_COPY - MENUITEM "&Paste Shift+Ins", IDM_PASTE - END - POPUP "&Options" - BEGIN - MENUITEM "&Backspace", IDM_BACKSPACE - MENUITEM "&Delete", IDM_DELETE, CHECKED - MENUITEM SEPARATOR - MENUITEM "&Font...", IDM_FONT - END -#if 0 - POPUP "&Send", GRAYED - BEGIN - MENUITEM "&Interrupt Process", IDM_SEND_IP - MENUITEM "&Are You There?", IDM_SEND_AYT - MENUITEM "A&bort Process", IDM_SEND_ABORT - END -#endif - POPUP "&Help" - BEGIN - MENUITEM "&Index...", IDM_HELP_INDEX - MENUITEM SEPARATOR - MENUITEM "&About...", IDM_ABOUT - END -END - - -#ifdef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// TEXTINCLUDE -// - -1 TEXTINCLUDE DISCARDABLE -BEGIN - "resource.h\0" -END - -2 TEXTINCLUDE DISCARDABLE -BEGIN - "#define APSTUDIO_HIDDEN_SYMBOLS\r\n" - "#include ""windows.h""\r\n" - "#undef APSTUDIO_HIDDEN_SYMBOLS\r\n" - "#include ""dialog.h""\r\n" - "#include ""screen.h""\r\n" - "\0" -END - -3 TEXTINCLUDE DISCARDABLE -BEGIN - "\r\n" - "\0" -END - -#endif // APSTUDIO_INVOKED - - -///////////////////////////////////////////////////////////////////////////// -// -// DESIGNINFO -// - -#ifdef APSTUDIO_INVOKED -GUIDELINES DESIGNINFO DISCARDABLE -BEGIN - IDD_DIALOG1, DIALOG - BEGIN - LEFTMARGIN, 7 - RIGHTMARGIN, 176 - TOPMARGIN, 7 - BOTTOMMARGIN, 85 - END -END -#endif // APSTUDIO_INVOKED - -#endif // English (U.S.) resources -///////////////////////////////////////////////////////////////////////////// - - - -#ifndef APSTUDIO_INVOKED -///////////////////////////////////////////////////////////////////////////// -// -// Generated from the TEXTINCLUDE 3 resource. -// - - -///////////////////////////////////////////////////////////////////////////// -#endif // not APSTUDIO_INVOKED - -#include "..\version.rc" diff --git a/src/windows/wintel/telnet_arpa.h b/src/windows/wintel/telnet_arpa.h deleted file mode 100644 index f6d0eb5..0000000 --- a/src/windows/wintel/telnet_arpa.h +++ /dev/null @@ -1,327 +0,0 @@ -/* - * Copyright (c) 1983, 1993 - * The Regents of the University of California. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * This product includes software developed by the University of - * California, Berkeley and its contributors. - * 4. Neither the name of the University nor the names of its contributors - * may be used to endorse or promote products derived from this software - * without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * @(#)telnet.h 8.1 (Berkeley) 6/2/93 - */ - -#ifndef _TELNET_H_ -#define _TELNET_H_ - -/* - * Definitions for the TELNET protocol. - */ -#define IAC 255 /* interpret as command: */ -#define DONT 254 /* you are not to use option */ -#define DO 253 /* please, you use option */ -#define WONT 252 /* I won't use option */ -#define WILL 251 /* I will use option */ -#define SB 250 /* interpret as subnegotiation */ -#define GA 249 /* you may reverse the line */ -#define EL 248 /* erase the current line */ -#define EC 247 /* erase the current character */ -#define AYT 246 /* are you there */ -#define AO 245 /* abort output--but let prog finish */ -#define IP 244 /* interrupt process--permanently */ -#define BREAK 243 /* break */ -#define DM 242 /* data mark--for connect. cleaning */ -#define NOP 241 /* nop */ -#define SE 240 /* end sub negotiation */ -#define EOR 239 /* end of record (transparent mode) */ -#define ABORT 238 /* Abort process */ -#define SUSP 237 /* Suspend process */ -#define xEOF 236 /* End of file: EOF is already used... */ - -#define SYNCH 242 /* for telfunc calls */ - -#ifdef TELCMDS -char *telcmds[] = { - "EOF", "SUSP", "ABORT", "EOR", - "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC", - "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0, -}; -#else -extern char *telcmds[]; -#endif - -#define TELCMD_FIRST xEOF -#define TELCMD_LAST IAC -#define TELCMD_OK(x) ((unsigned int)(x) <= TELCMD_LAST && \ - (unsigned int)(x) >= TELCMD_FIRST) -#define TELCMD(x) telcmds[(x)-TELCMD_FIRST] - -/* telnet options */ -#define TELOPT_BINARY 0 /* 8-bit data path */ -#define TELOPT_ECHO 1 /* echo */ -#define TELOPT_RCP 2 /* prepare to reconnect */ -#define TELOPT_SGA 3 /* suppress go ahead */ -#define TELOPT_NAMS 4 /* approximate message size */ -#define TELOPT_STATUS 5 /* give status */ -#define TELOPT_TM 6 /* timing mark */ -#define TELOPT_RCTE 7 /* remote controlled transmission and echo */ -#define TELOPT_NAOL 8 /* negotiate about output line width */ -#define TELOPT_NAOP 9 /* negotiate about output page size */ -#define TELOPT_NAOCRD 10 /* negotiate about CR disposition */ -#define TELOPT_NAOHTS 11 /* negotiate about horizontal tabstops */ -#define TELOPT_NAOHTD 12 /* negotiate about horizontal tab disposition */ -#define TELOPT_NAOFFD 13 /* negotiate about formfeed disposition */ -#define TELOPT_NAOVTS 14 /* negotiate about vertical tab stops */ -#define TELOPT_NAOVTD 15 /* negotiate about vertical tab disposition */ -#define TELOPT_NAOLFD 16 /* negotiate about output LF disposition */ -#define TELOPT_XASCII 17 /* extended ascic character set */ -#define TELOPT_LOGOUT 18 /* force logout */ -#define TELOPT_BM 19 /* byte macro */ -#define TELOPT_DET 20 /* data entry terminal */ -#define TELOPT_SUPDUP 21 /* supdup protocol */ -#define TELOPT_SUPDUPOUTPUT 22 /* supdup output */ -#define TELOPT_SNDLOC 23 /* send location */ -#define TELOPT_TTYPE 24 /* terminal type */ -#define TELOPT_EOR 25 /* end or record */ -#define TELOPT_TUID 26 /* TACACS user identification */ -#define TELOPT_OUTMRK 27 /* output marking */ -#define TELOPT_TTYLOC 28 /* terminal location number */ -#define TELOPT_3270REGIME 29 /* 3270 regime */ -#define TELOPT_X3PAD 30 /* X.3 PAD */ -#define TELOPT_NAWS 31 /* window size */ -#define TELOPT_TSPEED 32 /* terminal speed */ -#define TELOPT_LFLOW 33 /* remote flow control */ -#define TELOPT_LINEMODE 34 /* Linemode option */ -#define TELOPT_XDISPLOC 35 /* X Display Location */ -#define TELOPT_OLD_ENVIRON 36 /* Old - Environment variables */ -#define TELOPT_AUTHENTICATION 37/* Authenticate */ -#define TELOPT_ENCRYPT 38 /* Encryption option */ -#define TELOPT_NEW_ENVIRON 39 /* New - Environment variables */ -#define TELOPT_EXOPL 255 /* extended-options-list */ - - -#define NTELOPTS (1+TELOPT_NEW_ENVIRON) -#ifdef TELOPTS -char *telopts[NTELOPTS+1] = { - "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME", - "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP", - "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS", - "NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO", - "DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT", - "SEND LOCATION", "TERMINAL TYPE", "END OF RECORD", - "TACACS UID", "OUTPUT MARKING", "TTYLOC", - "3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW", - "LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION", - "ENCRYPT", "NEW-ENVIRON", - 0, -}; -#define TELOPT_FIRST TELOPT_BINARY -#define TELOPT_LAST TELOPT_NEW_ENVIRON -#define TELOPT_OK(x) ((unsigned int)(x) <= TELOPT_LAST) -#define TELOPT(x) telopts[(x)-TELOPT_FIRST] -#endif - -/* sub-option qualifiers */ -#define TELQUAL_IS 0 /* option is... */ -#define TELQUAL_SEND 1 /* send option */ -#define TELQUAL_INFO 2 /* ENVIRON: informational version of IS */ -#define TELQUAL_REPLY 2 /* AUTHENTICATION: client version of IS */ -#define TELQUAL_NAME 3 /* AUTHENTICATION: client version of IS */ - -#define LFLOW_OFF 0 /* Disable remote flow control */ -#define LFLOW_ON 1 /* Enable remote flow control */ -#define LFLOW_RESTART_ANY 2 /* Restart output on any char */ -#define LFLOW_RESTART_XON 3 /* Restart output only on XON */ - -/* - * LINEMODE suboptions - */ - -#define LM_MODE 1 -#define LM_FORWARDMASK 2 -#define LM_SLC 3 - -#define MODE_EDIT 0x01 -#define MODE_TRAPSIG 0x02 -#define MODE_ACK 0x04 -#define MODE_SOFT_TAB 0x08 -#define MODE_LIT_ECHO 0x10 - -#define MODE_MASK 0x1f - -/* Not part of protocol, but needed to simplify things... */ -#define MODE_FLOW 0x0100 -#define MODE_ECHO 0x0200 -#define MODE_INBIN 0x0400 -#define MODE_OUTBIN 0x0800 -#define MODE_FORCE 0x1000 - -#define SLC_SYNCH 1 -#define SLC_BRK 2 -#define SLC_IP 3 -#define SLC_AO 4 -#define SLC_AYT 5 -#define SLC_EOR 6 -#define SLC_ABORT 7 -#define SLC_EOF 8 -#define SLC_SUSP 9 -#define SLC_EC 10 -#define SLC_EL 11 -#define SLC_EW 12 -#define SLC_RP 13 -#define SLC_LNEXT 14 -#define SLC_XON 15 -#define SLC_XOFF 16 -#define SLC_FORW1 17 -#define SLC_FORW2 18 - -#define NSLC 18 - -/* - * For backwards compatability, we define SLC_NAMES to be the - * list of names if SLC_NAMES is not defined. - */ -#define SLC_NAMELIST "0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \ - "ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \ - "LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0, -#ifdef SLC_NAMES -char *slc_names[] = { - SLC_NAMELIST -}; -#else -extern char *slc_names[]; -#define SLC_NAMES SLC_NAMELIST -#endif - -#define SLC_NAME_OK(x) ((unsigned int)(x) <= NSLC) -#define SLC_NAME(x) slc_names[x] - -#define SLC_NOSUPPORT 0 -#define SLC_CANTCHANGE 1 -#define SLC_VARIABLE 2 -#define SLC_DEFAULT 3 -#define SLC_LEVELBITS 0x03 - -#define SLC_FUNC 0 -#define SLC_FLAGS 1 -#define SLC_VALUE 2 - -#define SLC_ACK 0x80 -#define SLC_FLUSHIN 0x40 -#define SLC_FLUSHOUT 0x20 - -#define OLD_ENV_VAR 1 -#define OLD_ENV_VALUE 0 -#define NEW_ENV_VAR 0 -#define NEW_ENV_VALUE 1 -#define ENV_ESC 2 -#define ENV_USERVAR 3 - -/* - * AUTHENTICATION suboptions - */ - -/* - * Who is authenticating who ... - */ -#define AUTH_WHO_CLIENT 0 /* Client authenticating server */ -#define AUTH_WHO_SERVER 1 /* Server authenticating client */ -#define AUTH_WHO_MASK 1 - -/* - * amount of authentication done - */ -#define AUTH_HOW_ONE_WAY 0 -#define AUTH_HOW_MUTUAL 2 -#define AUTH_HOW_MASK 2 - -/* - * should we be encrypting? (not yet formally standardized) - */ -#define AUTH_ENCRYPT_OFF 0 -#define AUTH_ENCRYPT_ON 4 -#define AUTH_ENCRYPT_MASK 4 - -#define AUTHTYPE_NULL 0 -#define AUTHTYPE_KERBEROS_V4 1 -#define AUTHTYPE_KERBEROS_V5 2 -#define AUTHTYPE_SPX 3 -#define AUTHTYPE_MINK 4 -#define AUTHTYPE_CNT 5 - -#define AUTHTYPE_TEST 99 - -#ifdef AUTH_NAMES -char *authtype_names[] = { - "NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK", 0, -}; -#else -extern char *authtype_names[]; -#endif - -#define AUTHTYPE_NAME_OK(x) ((unsigned int)(x) < AUTHTYPE_CNT) -#define AUTHTYPE_NAME(x) authtype_names[x] - -/* - * ENCRYPTion suboptions - */ -#define ENCRYPT_IS 0 /* I pick encryption type ... */ -#define ENCRYPT_SUPPORT 1 /* I support encryption types ... */ -#define ENCRYPT_REPLY 2 /* Initial setup response */ -#define ENCRYPT_START 3 /* Am starting to send encrypted */ -#define ENCRYPT_END 4 /* Am ending encrypted */ -#define ENCRYPT_REQSTART 5 /* Request you start encrypting */ -#define ENCRYPT_REQEND 6 /* Request you send encrypting */ -#define ENCRYPT_ENC_KEYID 7 -#define ENCRYPT_DEC_KEYID 8 -#define ENCRYPT_CNT 9 - -#define ENCTYPE_ANY 0 -#define ENCTYPE_DES_CFB64 1 -#define ENCTYPE_DES_OFB64 2 -#define ENCTYPE_CNT 3 - -#ifdef ENCRYPT_NAMES -char *encrypt_names[] = { - "IS", "SUPPORT", "REPLY", "START", "END", - "REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID", - 0, -}; -char *enctype_names[] = { - "ANY", "DES_CFB64", "DES_OFB64", 0, -}; -#else -extern char *encrypt_names[]; -extern char *enctype_names[]; -#endif - - -#define ENCRYPT_NAME_OK(x) ((unsigned int)(x) < ENCRYPT_CNT) -#define ENCRYPT_NAME(x) encrypt_names[x] - -#define ENCTYPE_NAME_OK(x) ((unsigned int)(x) < ENCTYPE_CNT) -#define ENCTYPE_NAME(x) enctype_names[x] - -#endif /* !_TELNET_H_ */ diff --git a/src/windows/wintel/telopts.h b/src/windows/wintel/telopts.h deleted file mode 100644 index d8b6a06..0000000 --- a/src/windows/wintel/telopts.h +++ /dev/null @@ -1,164 +0,0 @@ -/* - * telopts.h - * Used for telnet options - **************************************************************************** - * * - * * - * NCSA Telnet * - * by Tim Krauskopf, VT100 by Gaige Paulsen, Tek by Aaron Contorer * - * Additions by Kurt Mahan, Heeren Pathak, & Quincey Koziol * - * * - * National Center for Supercomputing Applications * - * 152 Computing Applications Building * - * 605 E. Springfield Ave. * - * Champaign, IL 61820 * - * * - **************************************************************************** - * Quincey Koziol - * Defines for telnet options and related things - */ - -#ifndef TELOPTS_H -#define TELOPTS_H - -#define NUMLMODEOPTIONS 30 - -/* Definitions for telnet protocol */ - -#define STNORM 0 - -/* Definition of the lowest telnet byte following an IAC byte */ -#define LOW_TEL_OPT 236 - -#define TEL_EOF 236 -#define SUSP 237 -#define ABORT 238 - -#define SE 240 -#define NOP 241 -#define DM 242 -#define BREAK 243 -#define IP 244 -#define AO 245 -#define AYT 246 -#define EC 247 -#define EL 248 -#define GOAHEAD 249 -#define SB 250 -#define WILLTEL 251 -#define WONTTEL 252 -#define DOTEL 253 -#define DONTTEL 254 -#define IAC 255 - -/* Assigned Telnet Options */ -#define BINARY 0 -#define ECHO 1 -#define RECONNECT 2 -#define SGA 3 -#define AMSN 4 -#define STATUS 5 -#define TIMING 6 -#define RCTAN 7 -#define OLW 8 -#define OPS 9 -#define OCRD 10 -#define OHTS 11 -#define OHTD 12 -#define OFFD 13 -#define OVTS 14 -#define OVTD 15 -#define OLFD 16 -#define XASCII 17 -#define LOGOUT 18 -#define BYTEM 19 -#define DET 20 -#define SUPDUP 21 -#define SUPDUPOUT 22 -#define SENDLOC 23 -#define TERMTYPE 24 -#define EOR 25 -#define TACACSUID 26 -#define OUTPUTMARK 27 -#define TERMLOCNUM 28 -#define REGIME3270 29 -#define X3PAD 30 -#define NAWS 31 -#define TERMSPEED 32 -#define TFLOWCNTRL 33 -#define LINEMODE 34 - -#define MODE 1 -#define MODE_EDIT 1 -#define MODE_TRAPSIG 2 -#define MODE_ACK 4 -#define MODE_SOFT_TAB 8 -#define MODE_LIT_ECHO 16 - -#define FORWARDMASK 2 - -#define SLC 3 -#define SLC_DEFAULT 3 -#define SLC_VALUE 2 -#define SLC_CANTCHANGE 1 -#define SLC_NOSUPPORT 0 -#define SLC_LEVELBITS 3 - -#define SLC_ACK 128 -#define SLC_FLUSHIN 64 -#define SLC_FLUSHOUT 32 - -#define SLC_SYNCH 1 -#define SLC_BRK 2 -#define SLC_IP 3 -#define SLC_AO 4 -#define SLC_AYT 5 -#define SLC_EOR 6 -#define SLC_ABORT 7 -#define SLC_EOF 8 -#define SLC_SUSP 9 -#define SLC_EC 10 -#define SLC_EL 11 -#define SLC_EW 12 -#define SLC_RP 13 -#define SLC_LNEXT 14 -#define SLC_XON 15 -#define SLC_XOFF 16 -#define SLC_FORW1 17 -#define SLC_FORW2 18 -#define SLC_MCL 19 -#define SLC_MCR 20 -#define SLC_MCWL 21 -#define SLC_MCWR 22 -#define SLC_MCBOL 23 -#define SLC_MCEOL 24 -#define SLC_INSRT 25 -#define SLC_OVER 26 -#define SLC_ECR 27 -#define SLC_EWR 28 -#define SLC_EBOL 29 -#define SLC_EEOL 30 - -#define XDISPLOC 35 -#define ENVIRONMENT 36 -#define AUTHENTICATION 37 -#define TELOPT_AUTHENTICATION AUTHENTICATION -#define DATA_ENCRYPTION 38 -#define XOPTIONS 255 - -#define LINEMODE_MODES_SUPPORTED 0x1B -/* - * set this flag for linemode special functions which are supported by - * Telnet, even though they are not currently active. This is to allow - * the other side to negotiate to a "No Support" state for an option - * and then change later to supporting it, so we know it's ok to change - * our "No Support" state to something else ("Can't Change", "Value", - * whatever) - */ -#define SLC_SUPPORTED 0x10 - -#define ESCFOUND 5 -#define IACFOUND 6 -#define NEGOTIATE 1 - -#endif /* telopts.h */ diff --git a/src/windows/wintel/terminal.ico b/src/windows/wintel/terminal.ico deleted file mode 100644 index 7ec59e980f2318ce2d830297ae2bc2813aa3ddb6..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 766 zcmb_aF%rTs3{!zSMl-RJk!SF<{H%EjBV$IkAhlPpbKQayIg#x|aj(F{kDN7S*7OqBK8Zc+C3kC z5gTig_GXTlI`0aqFW_;D1*HCfsOLeBDSsJD0|jaL@|_e|5Z@nc YHID)upTL=o+8elO6<2%&+nv(=0AA{XzyJUM diff --git a/src/windows/wintel/wt-proto.h b/src/windows/wintel/wt-proto.h deleted file mode 100644 index 15b9c1a..0000000 --- a/src/windows/wintel/wt-proto.h +++ /dev/null @@ -1,63 +0,0 @@ -/* wt-proto.h */ -BOOL -InitApplication( - HINSTANCE - ); - -BOOL -InitInstance( - HINSTANCE, - int - ); - -LRESULT -CALLBACK -MainWndProc( - HWND, - UINT, - WPARAM, - LPARAM - ); - -INT_PTR -CALLBACK -OpenTelnetDlg( - HWND, - UINT, - WPARAM, - LPARAM - ); - -int -TelnetSend( - kstream, - char *, - int, - int - ); - -int -OpenTelnetConnection( - void - ); - -int -DoDialog( - char *szDialog, - DLGPROC lpfnDlgProc - ); - -BOOL -parse_cmdline( - char *cmdline - ); - -CONNECTION * -GetNewConnection( - void - ); - -void -start_negotiation( - kstream ks - ); -- 2.7.4

#bE)F_s(M&nY5u zJ~DkFFw?DxWSYaG)Q|V`cthKASIst-wmS zWchPKJzmBDnIT{skr^(li$pqXI%F%^`B^qGVcHGs^|HMfatc(l^hfTJ zbgMu;4d&(#-JX>21!>KH9KJiLSXiQ)B3Xiv%9&tVAY6^LO;UXg78$W2%MDpy2?n;B zyEwk)3Ff0{JLRg&9MmoyXhy8mf-^D9LcFOo`p*-6qY1`0hbR^xdYDF_QApkr;;s%u z1JQ9G8misNJ~bFE;h)amtugVtq?mP$73Ycg+MMPmV6vNNAyJP|e+eq_HwA({Kj1h% z+aZ>YNI8Fbe2on9xEC=@R8!1eX8|J}3XoA__DklkS+1bmGnrYSIaD9_8cC6u%aTBZ z+hL5m{k*&x)N*ZOmxNJ=W8D7M-Gk{Ov{*b}#$N5?R=CS4?oq;}$wK_(I%#q*lS>RsrCz)pHZSo{QC-8d_S4QXoHJk4+x9LzejK6~!!p{Gu;ko{C`Yv}n#v(i z8t{K$>F9@=Mo8OvvO55mZh;h@7n%anEqxgM8hG88?>WOd%THNNw`iIwa0Nx zPS*D<;rHObcn!NE=`e~D4jXaIce6J3F1kaJXg``JV>7Ddwdotn4Gp55-XX6X2WuFO zZuYkrxU-+~or}{nN( z4y%?>Up;CXI%R{Jd=w#0_4~}+qaphNRNr0M5Plnim^7$m?udh4DQg;d|Eqv`*}_^+ z#yf@VBt9~{)K6x=k5FFtaaBRBdT9m7Co5XsamuEP!4YXe6!Xh*vKh%F{Ih=gRH@=_ zvvKR+H*h=m6c3f``__B0Ko-AQ11SY=x7d(RhxmOd2ZT+GHIsAubnU?b;IAYa$+6K@x#c>c3&- zQqV>p2L)q)QbxPjt8Pr1F7-^`W)zBp!bIp%j$!>T+*?Oyb9zPpXo{LJ_>~CslV*7P z4!5tfS_OaYGLY^ulela`@wMq-cJ!r)u@-amlwy)m1f*zr&LOHl4oR0=&0V$?HR#&R z-(VE1YE9NhBUzIgNQ%j?U3cGvCsvrfhtcxPUQ@tugqTcl{~3+N%_-Yv$z#){Qvc>H z{TjVBM`~TZ(Cf&nl%EmXoL_c=9JM8-ieOM;e?{1Gl&pNIDivQqSJe z^xwsCQ!nGph<(M#5q6~)`F+I#`If^AcU?Zeof-?%BrcvRn_zRmXH0WFywk9_q8iC0 zIUevJPK1ifSGzRkV9KA9sVpyk?a+}Re*hoOlsE@^(lGX9HcPo_e12NJmCcdXBinXU0|^u^w3Gk|yOQu}M152!P4vaaK{ z{S;&P5b?>uXek^7azp8v-x(vP_8z8i=$sOVM;#Q|2S76;B{vH@IBzw&JYycD&C=@- zFn^Y{ETz%OfkPhJlIxu3RDea-?AaH6ZBoceqrR4n@_mI-ByEMBvY_aPKQs(v zfqEYdqfL+v4k@7#%Jq`?Dq~NGyM!Ai-(R?cO0C(@{q}BAm!~9%0;#X3&q_81(;pVr zt-h&LJ>{ss(7Rsq!~X`25YKyV%KwV~sXq)6uwum8-b~A2vsByDuK#bHkuX*D%^&x+ zu3nb`BR$!H%0s$P$f2ggX@xwhf=rNex>6^U07mIz4xbZGvUXI!5wTkUa=Be@0{{87 z%Ej6DQ07(<4pjbmMq8urm_OukZgX&^j3HUv+F7Zo+1p<2%e}kx!%eo@8y|=KHqrE` zYytFk@-DKMUDTWF<4uqIfv1<%_qkp^^davy!+@wTYBcdc=w=l};|&)g(UDZD$8V^L z=88|CR541@FwL%50E2qZ7(H$8xW(e)%2s#xRE%F@cSffjS^otTPN9c%Ce(;xk9M~l zLYxG=Zaj+go}9~uC=6x(GDt9#&%MZEOMWfl;|K79z*8Q=K#Ip96egV|g(N_~mS2js zp%$6IPiHX$RLYwrZFIW01wnNdV>!h!V8Y8Lh;Kj8=||Uv-3{YGN0ALxZ)6j7s0HK| z=KZpOc!Qs7q{oLRA{y&0CDWBTf`Tn{Yj$;?rxiNkyL%mkH>?#7YC|5T)2%>dH`J@@Qnt*jS|M$9el5GM;sl9x1z46e6QQjJ%xja~&cC`2!#8XmZKm66 zT~uUn>*4tf?S~17v?ujX9Qkc)r}%JaHlqtbGJP+?&XmkS5SEygH7F{Bj>~aNAKxS# z$dK2y-ypV3dZZK=d_U-#Gb>a!s|?|?|DVIS!KIq_ysBNhFRUnNMy_et#CE$vm;90^ zy!iwTic=r+1w;S+a(=fMX(Zd3+6Z4iwBMhC*~jPd#`*IDvy<8<8wBBrH)qSL*ePhTKZTTN-NBJ#Y9>R-jJ1}_Z3k&Ccb zYb1vWOvU9^qM1hha}DBnp_0OAM)6Tw6`}HR2YSFTs2M%Lwr(`rIA*)A@NvhV`%<>O zhG!{S#jDK&Mc2&+0B!Zh;s|%oX{p?ekePM)`N&^>TIHKgF)i=hZO^g$HHkKV=nkh! zg9tFrIJT2i*?u{MeMET+Yak@-k3pF7OxImOavGt4=eZ2}-7NJpsvU86(C8SYp)wG; zK7E>@7Ag_+ueHjlVV4&>Z)TYXOwms!ytQ{426)tj-9h#*-c zV%WkwPCRrNy;l2q#|-{asd>T%<;E%ArN~+GFpo!LNIQ;-e@i%2PjznktQF+B ziKvl8MIao~H6KK6o_C5DcL!PO?o29ADrz(7x0#V_l0F|yFS2w!Sdy8iU2QE6Yno}9 z0~MdpbCTMjM=^Y$;_D{2OV@6wZvJ-LzZKZT-qGyC%k(JZJLne->hen0g9N*UOl41T zfZXgTW;Fq8{q`Dz6YCg|iTg(hDN>jUeV~|kM6|l$1s0OZz;JnS)o5KQN$l=HD$YEM zghtjm5W+r&F)Ep$sseLFO7kW3WX(yrntU{xa!~XfFIC}RA?3tJ4Fxxak-RH|b8|(f zNLIn*j;_Plx{|VM1!2_~T$wsLFBKJ%ei36*8w!s^NSV#C)8+cjp}x=#p6$DuEmYW8 zBl8*`3UQ?YVN*@f(D*UWFRk^RFwo}|%gjET_UqM5tA6H6oB7k(_PW*ah{wnLUamB>Dleokf-EY;ihnUTtp4ghcREZp}a@A z-|-QodQS0xy=j_>7cdnU2Opvg08QV zDW}&RqV#;^lsAk6Tgt}_c+CZcNqwIJu9dmuW~`8&r0mvByEbjjyC>_HtiQ=7X9pvS zEujU838XJs@$RW9Z__Hf)Q2@>kT92!BU@482eTb9Qr6qqcj|xj+{CWc-b`D0B_lewxmV@n^@eBezM!NKDwV-rpfxL zY5C5(c~)8cjujA#R)eSpmvp}_n?hH}M|jb?fQ1!&Xt1cD(VXUh_pmaP}e! z|Iw$Ganw3WCdyYyB{V4BO2o!mRw?xO4?`3c#!XN_-6MOsA)=$ndSsSkamZpSvq=}L zoT{wQtXAtW<~SEfePbG*jic`sA6iCdAKY3fJahP0SH=tCtsHBM%9&laRWAIKME zVsFJICRR~va~}yunWi0m^FEE5Dn4=U%0KGaz{pWYNx@!y1`1;#Fqk{jFSaisJ-bEq zjL4}Z94vaj_|p29onRNzDLJ*-^!|BJ`HwScq>fDwED3?nJ8&mw**{O<1y^+%wxXsn z#?%9Graxn>_nGn?Xuq$BZX>9js{PqhT&`Cc!@}OcnbOHN;!CP30+6d+GK87GnoJ~|fr^~O+WLV7`Z~L(10DDCd^va;g==^% z>`!IBIr_hiG0-dOKJOUz?zon34Gqy9Qg#hjuyK+Mpy}?)qc#V4b=;R+3 zHP~DL8IrcSN{-M*2$#E0MQvVV-1QYom#`!sz)XIyYG)zyQ~)95e!AVzo(K-jOqnTB zvS;KVkIfq@Zt)-~@9w2DLoA9N%sU)7n1*l3jZEg+9ZV6&d<8ldVqEQ@n)`kw5MuQd z+;#g}XsZZU%Jy$>W}Lc4Fr`2*L*_nulgaEsOOqG`zS#13L6gZf1T!D^i&u-1QS_a% zMTp_q(y^jj!lnS8s@x2zb4uR{LQfA>4RY7@e!=-}qg{Q!2dL{Eh^`8~(F12#H{n2S zlCO_Pn7|78Ry?C^1Ebl77|`M^visyPjS@^Gv#|U8@Y6snt(Wa_u~R2ZW?iWY6i+(V zGr^+Ly*t4#0>JIL#UAHkiMUhwDLKBLyv2a!S5fc|UYeUFOA1XTL@7$M&0*@tW`?Q* z*PoTbWA`1$$yC9>fXS@(KHQy_zDunVbR$NyH#)fv+q?wMr%uE~X<*;Wg21hpLnj(U zpyAZ03!|^JCAo$y6{Ybbx-TWjJd-GH&DdsDq$!NNrkdpZw0H=0G?#p4vr8||z#I3G zo_A;tTbneaAzCIw1}O}CE}GnBL}*=Y7HNUAc4NSd9I505IGg)5LaoNlctU)6Sf07I zQrX;JY{*m@LH$#hM`#%b(ZuXGm-TvBq2pL`$q{hV0kMY}gZq2z@~Uhpbx|-d_{~6Z zcJ1zDP%BIH&r$fTF(-dP9-5;RbFRb~WRaLR*~+=eITaP*-O{vjlGFGG4mRt-P7Ro9_kHl=Ei?mkzL*p;M)DD2zbx|#5|&Iq&Msl|C^kr4 zm_UJeDFkIj-F;zMH=L?Lh%nYMVw957Q7fz5131KG(+@#KGCBOied2$w z{l&%Z4_bm^bTY-OFD2X727^9aOE^}^_3j<2r?4`2xH~HKd=QGe+G!S(%A6zgv!#{kOpqa~mu& z`nUAuSLW3#f3wcC%1Lg|iJ>h7oC z{(J|H8Y#|(*K3a~8R7BgVIS%jw^*)!|N9h=z^p@ZhZrmdvVc`4Qs58Ir96imH=*!d z{-?wXj)^on;$4?GR7Ex;Rl&1~ai$@VvnHcAHAD(9YngLi0-;9!G(RnNwULN`2nNH} z=vl+#M}YbWWiPw3hNr})sZQH$!zcG#M7VU|G-Z5^;Lu<=7K_DsXHHB}KFJD^{1h%? zsMMnVYChJcLfu0UrvA;`&o2GEZ&s7dTXp7PSmz9Mw45OyN6Rvi<7Q4naXqK|h-8~@6HZ6>pcWbHI)4{Q@IvwQMFAKY9+_mz0KQlJJz-t|(q}X6e zl`8qdC%k{c{{X}0DywGT1*IkA!C6*tFgb%PaPpPD`jE7&A+6T!Z1_>@Q8sz@a?b?F zFPpcog=$`~t|B6j*=7+0RV#McSac0N*m{6L%g{9fnx2CT44DudA;rE5K8}RdfESLh zM_?E<`qui_+iKA`q!`K#tg90;D40f_C?UPmKwq~u4`4@*5J%xkvA<|YoRlLkHyW7Z z>^6E5B-t+8O~f(VALC=P^GuUXT09@Imxob=p7oVRa(2S#kXkd1NBye%F<*G7Ux55E zD|?w8j00{3a%ljAt9mysAPYHhBctAKXp_a4fN@FC`XLEEP>i5YMaGGO`1{iiq11(&$eK{9)9e;r_ByFfTaql90$)R zRXQ)BrZasA-!@wFtWygxhO@^6sF;Wl&&`^ph|v|SgNiFe&sPN@lq;Cx zB)u(%pLoU_Q&u`_2SeRw zUr$O?b$!6NwW-y-(jk?fA4mwB5ug_?K$}c0-|EN*LwfF(wtSAZ9k2V`hH>hLS$V7O zQm5<&*?n_9!64_F`e>TR!M8^YZ034D6M1*W^Jc!(X1{a!*zx=1-2R>*D0Pmx3-7cA z>ACtXg)Cp4kKMWAwP{WNIrlY>)BZKSKFslq6gufqSG?ES33-F@D*DcJX?8afWlk94s-Cs8+L~BsO%#xH zis6eX#tZpNUR15-I47_KY)H&I;uZOXnlt_o%b?|qBlRu>%6aXIsV&W*!8+}5->k?z zLgUhh@?3tslk6gnO}T&oJt!aU_%PuEzgL9rIG4~&CJzOgEM1NcKF+;U`N(sMlBHHb zk{1fqcH1oeK&N&8HLT+3>Ixt>p59sLisqwnp@8%QSj&J(jvq1lgVe|=&Vqb!#g$Jy zzyM%xHCQ-dqE@nMf@!zI%hI0NGktF`CO6AoMf5%VKE$}A@}8Q1zR?l*cTvK>yGnnD ze}=Wbh=vtse6mPxwK09`J(AXuT+S!qrZC`L%Q~f-x`op6RF`0P25fyDnxg1pb%KNU ztg=knil*8YKX1UuJEK0hN9)F)k-~mykxCk2D1LBmgZtb1;@OsQOY|lX zlcv#L0ss=OK1RkCm<;y+(pD51*a^_PZucye`^mBdLO+oD%{KV?!9JkTDG`OG#Yp|b z3}cuO{(%d-YV%CYWj;-p*UPsn_YS4B%X|^u>Rt_>uTg%;fh(6}brvN^E|KTN`y?D- zWw+NYe0HPuSZHIFeytr?W{*N`GJ<_*tr2KId}pb=aW_XMN=+F9aNBOxq@Uq>aT)ZM zQdzYssV3MIF5i0EFwfmb095xPsUSHA?dc@@*`J-hnM0h_v%f1GGXV zP$i`~Aih34keD&1CIQr6x=BTSLQ0JQ9Eu>dd*U$}WQS+;eXmL)4gX>XV zXywB2yaZ%e^EuT)OV_Gu)sr7h$_7YS;xQO>yQN-hApMR7E2(#p8aeQGJs0gGO0bJi znlO0%HcB6-E0lBivO_hsN6#vPgWJb~oj_RFh|)=w_sA!UFYV*}e{S5x-2F4*Ltn3_ zga_NKc?0|R?F;}JWc)vapMy#LmSR;LIRZkxjKsD_3sSSv2kY<5!>FT&wU&=^z|&GOYZk%+hrNyR zn@xwB(Uk~{8SMUwyQ!cvRkT=V7}2qB*VU?TLGbhDcUfSB?;*GkxZe#PG-hAR0njyD zA;eV-sAXg$mW)WMJo`$)W7Zib>-(K7#(Dj67bFbct3L_%e@0NuUE>RcAHY5`M0QFv}6B@A(~F6-i7l1qyq_c$kW9tV-Z zgzt^l@{HkDKL>pe#@{a650P0@SE=|UhFeaTUjnFA*6Z3(2}c;ST+&fb50if^c6Tfs zs}*I9)mp&yE85xHwVg%UwG^1!aZby7UBZ}XUkB%d$x<}wtkTQW@VCL}baGp~2*@+;;`}Hj zKZ{(X)(>?OVOV`BXXCpFJ24I+lX*uz?bAnIslPw$%%q)!gdA!ev&C*bf}nRLr0H$~x5OI*;2 z{1k@?Hko_;JL>6k1yjuvU-MKx$3-`&duN>;)ZA}Iatk-L*hc#vJBeKhiKw8vatnk= zZPu17<@F5O4jhlE)_gRVzbpo%bi-o2Fvso+&fg$sRv zL457KN5k-I1N^2B{yQvcf}roxo|gRX5Fjgco_^I&+UN6h(AZ4n@4H6**1O6D%LDN^ z{MwjG%CFIO#Cz3dkahF$l4Up^p`n*Pm@lEDLkdeX1 zPV@Q3Fu}2w6I;omnqRm_X8CvBxQ}Rb#c!^!jX81InspjOT~@|P2AKyXb$ySQz#GS# zUu|uBa(aZyPccqkxZ!M#n;bk+D*1mih@C5IDA|!+_g&n5x&F>SZr2;F*%ts_ASn*p z^_H->tX!F4QqufN)vc1=0I$Y1EHHE0^gfdS>|S9ThGB+9z05`2^-}2L22ui#tmxJD zvf~i6iu1z3yfhGM;!GxbZ%DpaE|_f22o9OcRDOMwlH{6}!ED%~H4MI}ay}o!o<`B% zEE&;&5`hion_UN{Di+0JL#ubovSf70(LZCCxu#FSo-*i^Q{MY@1wpz$C*(U;`adKO0#AcUa{<#wIpFQi0>HUSM9`p92Ec$oq z>Za}slzvz~7P;;nlVNOvVDD}JZj^4r>1SJ1KpbOBd)c?oeQBHmKAj)J_Q$1DqnT)4 zrqqUbfndC;&t0*Of7%FGn2CF{g+DE`t=cQ|H{52A8gm)tk(1h z_M0@66mv$(Vf%lbyK3h?CpV5q-7tfmagQy|H;+BGrhk+5{%Wg~G*t_8f$(Y>+HMthb7CutWV(yjM0diqfuYo5ek^&hEsc#>v7xV?WqBOM_bP2 zObRGtS)z~6G$FG%*=x&xh$8tl>`-*8myz}uLKpucan7e6KwUV$#S7%{UJEHyuw=urm+6RL|x=39XMQq^ok^m2a@e(S%9IGEl@mHkZ_Sb_H|)TJcTSGiY?oOejw zEl&$*q?oKGKjNrS_GB(YfTzoaL{1#yUq-fB-4F~w#spkt9s9N3X}VJa2jNd+LMS-# z(utxB=j|L%XgH5%*>4E5Wk6bZK{AZ+4;1nd%Dy8XVquH9Y9_C*waA$hHEtqnFA(RpAm#ptVQ3e)d~SX)kag|f#_aoh284R!RFpvy zVE&s;vI`8+6G{S}?wOQ7VEU;KzwK<~OhU`jctGzuRVn%j9cbc04tFo~$Jtm@B}-=o z#hv)P^?0416{BNyEWe-;2KlfHs=;qR9Z-$3>-aDBIj7?$O)6J;D{kW79mdcgdAU3W z(>(ah7hDYtu>sDUmWvy|of8#8Wx`^E#+#E8MCQyL75_f#5X z{&mB!c}hfl(SxAaL^z8e=u29EHEZcSGr8Yt&klJcWuB7V;8?`(IDYMix^zEnkSoQ> z+N%Qi$DjOZ(Oqp75_YOGS!#C{BI|OE`;t*DXT4bKIU+-uIuDmwS0&@$%d7KRZ{`>} zh)GnDg|9WNpGkeHJBk|9zatW&HE3dyIluZR!v$lY6jcVje}r<2+IaHehc~s#!#yc5 zV)pL^aq@M!FWD|xNTB7|>ufY4&wN`prV7V#YFtEn_MbiKrlvrto2kD@RoZAQ;j5%* zK17Ss{`sb8Pl=!zH}AFtAovv$qC#83(H@^!!yaK{Oct!rOEAo*7q{9C(59+hqrkJ9 zA3`FK?S=UFjAo3GIimrR{C&XjcC6(9*c+Ym?>E>iG~@Hyt}n-EDZ82o8g?h(>o-d< zK96f3L``n?+>C!i%1{z93iEA$TctM{yGH05md8I1&*pWjdQ!7O74PWactSND_}!xG zC$6O=@lCj?m1vq{*3QfD1QDqIx~uR0JbG3REP4+&B_3aC-$BP9^WjxDe#8qKf@|Sw z7pAlEKk4Cyi-rb+B_;u(1*2IV^}QO0lP4?y@R#05NGfv}8{$WO&@2od-I700O_~`7 zu#E#gleXcnt@Z^^>+spXb7REOMdSYR7VfvSg{qJr`Jv~U~1CD<6Mro zztbLocI8mLdrQo6Xxm~XBGW~f!FwiqBh=kCNqA=oytV#v$ufo@0rURL5j<+iG_pKU zk0McepVQADzC`wzziuR{nyFt5cuMK*d4}~w{DZcl-_@+T7ojckge;*wbvGCWZZtuc zXjv1}Y=L=DHEbGeg5g6Jfo05fp>}z)*Tu9fCHA-D|miM-2rJh)XCxS8{O)oaiYIrqck`I zEWM{Es|_*_&$J#Pu>JE#Z~RHVYp0fs1*YyT>dp{m(v#-tij=E{HB>&rtyTF&)` z?&<*^2*^bHH-8m?i#|bk?jw8|5(MRVZifiGsr|!P?w8!ZYluV$Lx!leAe%swDFBS! z08~Hrr)ykG@^ZeftSnD|hh3*->nFtGVN@8miyJ1hHt|VpU7%gR?sp*TVbzlnJaC2A z8a>>$yvrRoU3j6UJKjzD4# z)Qt6sy4lX>qZ1PYA9#AgGnOeJWaYEYxbk_vH2sac3!D3rUa2cY0cnG~B5Is*WB~}f zO?wdqg?xc}N28Is$=R!?fX?$#-+(42&n_n?pIh0Pmcj4qXdFQou#kGV6B9=*pvQTK zup4QYhy%ks-GXnHs)=hW0spHHY<w#Nd!-iJhhO zUcZV98l=6OgK?#L8$gm!nX-&lE}yGOi&F`Q;kVyRt!wlBQpMb6uARC?^E_$s7qOP3 z($-A@3}yqB=c^yUhElw0A(OP3Vh*Z%f-_L)czo~3PyWkwF*Q<#IK zCW|@0YF*7$sx}U4k(1*7a0+zO%V@F4yyWZ0K#GcVQ`846^=gb^YGkpOdmDuU7ayLH z)pLGkmh#=yYdFu&*^M(_vB?C|64vNWu%`s^=bPuxxLuG+M7mg6HBRl%$H6kiqM=W+ zF$4!medmBHGsSY1dKy1pf(lWJej8W*DFY3SmfEeA_UnwHxmvLmU&yty zJcc72V=+xDEjgaE2?u}ql_f-|q-0W}FP!ab+Id>FI`7iyXK`H&D{xMknY4fXdI`+9 zgL7Nb%4-N%D2Jsh0%7l^vC#zhAY)an`yBhW{b}Yse4EW^#2SC-%4_*E7I5gy>w8H1 z-m80m>|PIskmpBde1u?xLTVM%LsP&d$1sgnYPvZ3eW8^_I8lnsMNOF~`EjXc*n;ol zqx>w)#;Gz0g}gUp0QfzJ-|xi_$`I%_02^ku1OS!>Vk} z!?3#@iNA@5#NOYR1+_$MNXe^{tLgCr3bfbI&FYd}oo8@^`(kVTyO{eHjILvv!W51# zTA{;fLUtW=jt7I%Kn`8tTfWxfd-9ESHW= zt$5awLD3Hi2Jv{Svib>Ez1M*Zq6l_)4(!Q9*0XZ2NQ^KcaYkB?7^oj z$_E$fqa%a$&_--;BL^ZEvEvZ2+OE{6HvKR5?UDE=6qxDjC$G4}ngEo6_ki84zTKNe zoB#aunqCV+4-E!*^^vSC-L`3 zPn(dZp!jfjr&)Zn&&}j)Z_SB~5{mq81KI8(oV}+&;544CwYGZFOijKrU+8u%;8uCf&j5oIfCHtOIFHq*H#wbv{S)~1^4532rQ!{ zgVw!9i=s(H$>Km3!V+fOWTpey<7uyXik}0yLoZ^&b z3OX3wEdTa7WBHd++sEaNhM4H(?}cvXjCVOPHixl`(ENS+krT*v2etfQ+n$rD`klA{%!F<9Ce@4@n7V%W#VLv@NMW8nCiCAKKGB~GsGl6IFh_6ou{u$hvnx$FN7n=vu}z-BBQKaLk8At%%S0-Le@udo@% ze}~Ojf7bp-*o^hRyJr8vpZ))H%?xdSkTPdOI}-*&XO|zY%-Nd3(B(%vGct5yFmf_9 zHnlM|`&s{w%IQAj?J#CAwzsjj`&ruB8Z!J}R+_1!tDy~psfV$R zq3!<-PBV8hHT)U$2T-%{bg(eB`*GB){!>!3F?DwSA2>BbCsVus9N6JMs{b1He>c_~ zY+RjxpfyKVQ)d^;pR;guwRbT!F|zru;=d04Ple6Y*7Cp3)7jMRXT<+d*_>?*oh|-9 z+HC&;u_^tpHXHkYyOREkU;7W6jgj;Jz}T1xnV7g(f26wq!DeITVCVRMXtPzjsH$Xd zC(_;AV6)%c$T_&Tf~|AnP)Il+-rOK`6qaSjQ0)zlMF>bzoj|cVwKRc7 z;BbMy0%-{-{{U)WeIpPC$H&K_d0^q|>z&+M8QPqn7OX1G7U$lU}JLphOU%&t9>#Kl*0MDQc{7x^1M_LXh)7Qd7K?{#jiFWJH2ae&E}JOmt&cwT!#VLANV_&Mka=zHzW zN26Syf91~D&d$i^?WUW*_$LOWv^hmy3>FFq&8D~<%4yuzNh%@ONiT#bgozoXf$3}5 z_R{bdzi*AeXfKY)!|K$WUpymoGw6C7s7!zv)KsL~3;`7|>o<2w`j;>9HxB7nE7XU5 z!pk@LO|RACF8=-Z6Yn=oQ&Ch*OhLl+DA0#-KM)^#G>QQJ-D>RXw^57@o$c0l*qJ~4 z63AE3{x=x$q0Qrb=q%v_B9+D;jW5F{m&7I)&w9ysjHJn1yCWZB;Qw@duRsr<`s zs&4GQ1+Vxo6zW($YX|i)3kuxqfaJy0?A(AzxM5#Ljg1W<@0{+uJ`rEPAdEgwHT%cb z=NI7fUKCkjFL#T-M_*=>`g{8%e#>0Rd}pArnUlnyk6L`D?K8ASL=_%}75Mi)$0dG0 ze7wYi2G|Lp1RsNQqkIWeCO@j2T5VnF8y|ReZ&$_l23|#7EW!Tup}FqxQ4(tPnC$6M z0cTp4zw2&po6TM8y%}G)Msz(~Q*b8(W^jt=8ng8NJGWZC(RTjwnGPQnuPon8%)@Yc z#F6jPuEF}!I;x@q@88phB;QoeJ)p}s_m6*6Ev7z^frZZ^YpKW`D)hWQ z5~My8#Oj+RAF6&hL@<)@{RA;-1nriqUO3QLvjzG98#GO0YNRjLF!ar^ug33?gH7?H zAp#`!)X4b6&EIaJDGY4i%b8?z&r3>34zt`ZU<`7eQMockQsUtjI3X75mIXIi6M9GO z)296DNSq;Dq~`7fdm}|D{2xPg&Rct$zs)XcLk;IOTvJIfGM3^nOU!RNIJ@n=5w?;N ztPWcC95Fk14b7r6rhg8Kl&99#B7&$ zfOBWR`5Jl_5tdB=7t4u6l@34T)l7SiOg`}Ta8KMtk`u*@UAo4gED6*oX(S3#_;O>C z2UFqAWFmd{+pd4c;V8Kg^@cuiD`}B$i|}ti=g27W=ky2!(U<6p+Qz;S(R`}BL)dR) z45L_w`vZ4iuv|^X2h+81Nr(F!^Zb0>wF-mO{b7T4w!#hWx4}Ftv_#YAUW@D`>#bACEJeTY*p zr^ub9|K&Ywm|MzjvoZOWzhqOSA}ZWb^wG|y!8KMc;P-eFMRB0mcwsn}Be+4E6&Io{ z%`+RqoE;a*SSy0Ii6SL76Huc4OgZGOQ|z2oWoMy(Qn4k8mcT10&9Mj<*-$s?A_a9^ zC)pM6mJr6F@N2H_=r?nuis0pMM`OB32N!McY`ZO`~t2kLOFczorrmL?U z2K1qkmkXD3#bfCUyIV`r)u_uFHlorn<1GXsHBHvIULFMSmwt95=9Y>nf-2xNgdm2; zyKE8ui(R0Ib=tz%%zLoy)kfUJ)r-z&m7)5!%>^~MP?%ntY~TrYOSyrXX;b^sc`g8r zV5ZbLamfs;@@m{k25W@FaDkqf^nmN9wQc8ssqq^{szqv1{aadeG<~-;1>eAYdy~ur z7U$tpT{KVH5UGVk%P$~>7PbRG>Wgp<=o1!iNDuUE3sEPL>^9`wQ%-lib-m|oelIke zu)mzn=3S^Cj~oVtWm-IdhNL4Cb5`BqErWD*str_>ZSU6-gv8@LD9#cSyR^IK7)nn< zjX2Zlx+7pyE#VnW71F)O+HF*`d=#c7DYP;qZ%$jtLo}^NZmFr!i1)tOsI^DW_;-4R znCAtqsVNCNLNPlEl1vX_HGsMdlB7Ism$U;TUaRigMmiA+8@HQR!zx=i*!&6W*;q+! zq-y9qe1r>fIcPE@h4rt+1)nazyu0%{G=j8^9&yW`HvrcmD`_M?-Lks`*QElQFpJMJ zq=WyEr-wmO6G+EW+Y_H?44F_L1dRbdmu$ddv>;q*pjZ&gI?!MkMqIaUAAB_k#NUsx z2^gkjk(jWATL+J@bC9HkA15ukR4%jkqIT#0#q@L{t(=&7SkG&&0>K&n9jDkJudT<&tkaXk+O@oqPudxupWQR8?oI4JEadLEhlk_{|n%4UtD zbvQ1Dz&FQ|sFp$KjqiD55wV58Q^JKI5pw1dw3kle)5Q!(^bZz^-46fW<0TfNLYX{L z#DcSazRa%TAKX&yQu2(FRmVnX1ki=r%WI<{{;lNFdFD$9G;JOu`*H&_*_%0d4rwi{ zBXKI`QCH*n-goI@33^*`Nk3N;pv6ZAxZ}5F`#0GQuH&*3}R& zaDG^;!+%9B+|c!~lD?fxe|as!I5`<33NgLa+tmEliivYy!gi9<(%Q_ut1l>ruj|L~ zFCv@uQSQq2#}6!8W|R(V*iyBZRLn>ghZ9!(xTmvhDW{jfd6!d0bk;;<3AzRmLeCSe z@sIeUw78AlMkw6jhPmR+UOrun**CZO+SdsND;Ke!QQhpBP5?C;ux%k|tl<9L#$N=- zXz^*M)(NuzzV~}{cECscoka~Y@$u)UR&NC#Jr#lZ+FFMcKr>Z3mjZS&ZPjTs8Sv;T znp?H1V7!;on(^9CsvI8}2<2xPmL>^P#{^d^n|ozllZROBAH;s4UZM^f{Bk$$2oM7t zTui{v{Ilxc>1ARduK&dCT%eZxT=|*GL{n~_m*pSM+1MYchl@f89Nl;snT34j@IyOh zCFm7ekwd~5({vG^j|(Gdq#cvW&DVRuGUsOx6!TjeC%{g5--gVht*Ha|h4tV_3{zc; z{~5+KlEiqM+lSxmrASO#UJ%pazx?y6%ELwFJ%BqB^PrkvIOv3v(=p{<2LG`&6 ziwX)&BSKZp^XqSA*ko{*Kc>EJO^{7b=BOMrcG_@3eJ@fI8z74?GESM%xSV#@%aR#f zw~~satVd8iV$aPlUZ6$$tvCxRm+hjy1#OEmoCe50Aw9l&4O8tr3Dri#CS=wMk*#;vx4xG7eBIA_3tXk45#!0ge5Q;-D<r=Jj!^0epRC$7_zHYlDnux1WDhp4AoR!$hOoQ33opT4Dil&WA6Njs0P z<80sgDW!Nl=@?E(@38G2@c!=Lkl7YL5HmJN_QL0^|C1j>7WH;K>NpLSkakhH5Z^Tu z1M2VsTR|dNlE?QgB02|PN7X@$Yo!+_g{E$87PyW6Lkd5@_GRWk(s(rUR*g4XaU~gG z_FBY9hugS#--mWopnf6x#nXZ(aMjj-9y6!}5rgZJ#0~ta2TNx(YS<#WIOgeGa^ONa zz4!HG?fqn0%p{G9A=L(A?D zCwCHl2zGB&9P2N6eKCo9J8%86hGB2dFM?%gZ0Z_f%w-u;fKy^Bmg3_A;RDcCr}>;d z1G@5rq3fg89u-{pl|wV$`HK15{8MRN5z%roX;pON1>7;yN)zdL=TgHDn8w#^VVKk+M4_h z^BNVPqqO=!I~~AoFBA*jp|Bbf15;4^c_}c{mPe7YQd691QE>F?53MqaBG~w@FyIm) z>_;bjb)fj|!6Dqr1lBb&A>zI%qe0kBgpU^3w>yHMOrZH2v(!CD8dDCCgWn2g=U5ES35VJrcsa{o zYqqI8Dj7|ntxS!;;0Zv$PnSGP7%F?cGzEDQZOHNZ9om)L5i zUb;J|EWyw&)#7Au2w2M)h`Zi?>ZU~NOpq>SZo*XvjqG*l$tVmvYO~QbT|yQttrn`_ zsnI~lB}j(14Euq9+}^f{K@LsLpV`6BFgT`U++|(D0||u3@jCl34P?($4>0b51nUhi zfs|p0EuwfcVLP$*h<+UhYn&0g&1Q=#WUKO?-pA((G+*53`9-9}f;>e6LA)>=Tn}_= zb>@?10!6=Xzx&Ckh!t58rN2cJ>8i(3J(T>t8p58ZUKx?-(cYy`{|b1Mk5ohBa*`{Q ziM&SK3jp1m9PG?&fs$SAqWdemDZ%f#Hc9D%96FMx$z7RnH2C0IQslLGK~Vck`$q49 zs4|X<%_a;QkFcgk-=P1Gu6J`pVR`R~(dJTm%A6?7+o5oXMtELU*HTV1siQq7fP1FH zdG1w0-&3-VC?qPiCtFjAAZy=ky?)Lzv*xkuuW!j(J^+|R70(z?oyB_^mffyqy;g7R zO$@#Na=VV;mxbQpC$yqP41C_H%U1TIK<|Bdv5%oeD{xSykX5#Ne`MpVY!km7GBcN~ zKxzV9T!Is1K#9IQn2QCJQufgVS=jwXyq3N8VSfS9oryW^k)Ix;kI*Xi%lBDjB@P?`bi7(k(rNF70G=?!~XpFY}lXvDqB1{5E46JxuZYtANF9LUbAb0kC z-bwhpe(CV#vM_9{mt@5W0%8CUP~vV zpO6sT&N$aT+N~G!DI|NCSc;w*UPvI=wC%8v8ye|ZkwN@OUvv#uL~Q}vW;bYt88Ls1 z&;)NTt^AGT^hFB+j0Qb3;jp(~V33J0`7O*&XUFhCXK0vk^_05(ZLG6>9#Q9|=oY&%&W~agM{om|FaJ93ZOpfptH9T} z;t;jj4#NrWK%%et7=k^S7sfg7VuvBe_pBMfj-r^{FWZ8&Yu70ANZaTD(KlSDK@&cC zmgpr@OMuarOhXiV=j0jyNzT-eNaK${-^KO*QSna&r7c!}ODemYmf&}AUo~kT*lBkg zQ#Hni#+Qk`*4ZY{D`9rucXEs`j< zO)=*wWpGXT>{?+3$I{6keygMijg<$=bw0=ge&1R~;>hgKR0}ySTX0p6Nex3N)x=Qrs^!aJ z5fm>#0rQO!!^At+)m5kX_0rBWN)k>LW6kaY!BiI|L)8nSE)c7n&KWOh$X4zBnH%dX zO@x7Er$O#ifUVeLd#P-^T;tmG@F-9r61>N=vY58kZC({Ct)^?EOV!uYlm^?Owz2lp zaOV-u4GLpNWP-!sM5U%FsoJf9I3wvNqs7lgwAQ#-Lp*8O!I2zLfWowH$m{smIzb+! zu^K#^M7g?YgfXXGLc`bE1U=V3RE6zrs<1X*V57z~(Ue?8qVsK#7x2R^*hBN7*}7FD zRK|HDEL#|$wv*ap;$?(|ht~}1F^#*)OwpwWs`&B`q$I$`9ED*a(L56|+7~f0>ywr) za1?+Y^V=?uL4BJgrSz^UibPqP$E{(Nhp8T7eVEZ)6_Tqj6n@wvNs*jeAku zC9}|F7EUMe$#e}3u8R5Hz25Or3Mr=(-eBzPfJ&uRT;Dq2<&!kOdklNz`r)srH_4*| zv?+RV={w?seW3AZQ*J%(2R9auw&l|PMN@BS4bR8HtX?q(8~2}%s}b_oPHCwjDUUL2 zFT<(!oJ>qP5_6DxR|aLt)rmJ7+y_DVtpusW?MKt|un*^Yp<(9W$7m;FnQpL1M;ef$ zCyRzEB*@SmXLZ~J7sq1#GW>IE0^O~-UAfSGr%cO7W%o~`M{h}l`WR~Et@pBF^qPP{ za;~#ip12Fd6DgLKhZuik@4#@Jh0s%=(r>st)8A=b4ZhHri zu8^3&#f8RfwB924a&cPnjb8~{$4_8{YafDD-7}p-hf0{Jn;e4i4eCjGKZS}zn70$M z4E%~ORcy~4a>#kH7onc0o(!MY{Z9sF!M7}*II6uERevU#?|5O2tnv27b}3)Lf-ELd z85vN^B!FQe;O=vF#B6Lf6~^5M^wX!40H-G`RF0cIbgP!`F&1u(2iwr~r; zmXZ9oj8ZboldbdB)K`Z;Twaty)mU1Lj|~V4kM&j z)Sv>Bu&HKb0Cs8@A7TvEE#WyG!<$=8>5*Ae$$aMJx{zAMcRL&mH+B=mUL#E^)V7MO zZXV2%QxT4BjCMrSPN|kkQ{!q< znMi2Ig77pVo%fwDXHV4V!A<1GP;Jhxt2u|Q?N!AHDX@b(>g|AGWW0(koVn2){f#6v z8Uj95Fe30BiM&AwTEzsfX}^?r?jf&to_!VBhMY}4x0J7O73_Wk!NX0MTl{hq+*|!q#i!n>jm8l;=sPLXpNhxA`p^7RL4Qvz(k)CjQ&W4``NL}8L;bt7f)<<8)ZV zy3rP}d(T;wtUm+jdF-cfaS@T#DYaBI*^O%R`PXfTdWnZE1>W#3cD?EZ6_fq_9ZS$Q zSCP-dKscBRRU$8n3>!jLIn>_zOhtNIzy4rBW%4-R!&7O>oc_@{o9nFbR;@hg5x1LP z3%B6O)EQjW{50hR?`@Oauvjl@4|VDFF~Ii3D!nJJl-kaIJ(Zcz_Wnypvuh(UMGQ1lwa zsy5tc4@yz=J0su6+9a;yxG;vSieY?$ms);z(gq%}SmIs|+rV1&} zm&JBFLo1x%9UaTZE&SP9*yZ1a_4{X%={xsFUG!PR+1M!Yxbc|sBK^rf?f6lR6%_~2!<#*c#e^Ru0(eV1qoxcuH zmDe|rz@ox6;rQp8t-f~@c1=nGCAJn)=omxl^Ki$KkK@VQC`LE1t8O?4nlry#Vwe!U zD;5v4(=h>WXR_*Z67KCCRECdr?+4nrtl!ZRxfJ1=AhCi5&~aKsGfrVTKhNqef%7;- z@Nc+AbavI+JeCu{aAx-Y2xi|zsjt&RPf*nnmY)?@)=$#3_YZ7mA~U$Yeyf`$rv}TG zXf-^R-(Z}9_4RIi-ma)F}&-LdvZDuNOJ1Qt3FOF)TDu-Lxk5Y4>cN-CHZ#O5sk#TEdtm#Nz{S|>W`%a zhp}ALwpB|nJS%%uh+o1`XAHAzrF+rsj)C^}m=4XiLdHCjjCdeWob?OPOPV?RJ&R-_ z%7{CbywS$lLF^2;_e4b4My#Lpq$@6eTFRUVpY%pFP720Yv8{~<2!(X+ee~X?hH$3N zR!HD#b3R=YG{ryIjXEw!@ZRmuf2SHfnF#h%59kU4HT<}_v}OFZ3mM7f6(m$BWN z9JGFNSnmRmKm1EZG)0Gh;pb1^ywiw&OtW)~1Z0v`mIlo&PCZK@)$YczGC?dW-!lX9 z@3759Vrl<$e*XHy(;{=68ya(VOG>hjZiG%R)_s)K-@D_k=NSLz2Mx2sXsqZ^U6nV+ z#&G-etH2Dj(4ZC(t+{wNu4<%4`l|=3-phkF>nXGGd$tgch|FwGe zdGO>=>?F!faGxlRJn!Y-B%P`9i-HW4wicb7qc_g$3vksKYJE6jn?joYJ5d7BUQ=Ud zvFad;hvRDo%*Hpf^o}8gsjaq}nd#Fll}d;mu@FUV$9jB|-Oj-Kc;6+w!(4u}~G z_e_M{Fou(gVHhx~SMNL|3KGkbUEI_8UKn;v@@lsvqYO(~o8*{|BD7d7%^svn% z*~IKDbKK3F(Q`V_0=wn-O}XhMGMyY7@!Ix=#P!F(V7ElpafBkj37UihuVKoIx@rJ6 zhqgv8SIp@%p|-`*E)<_zUFm$><2t#z-SpjZ!Au&IDkbj83iwLRPZwg`guj+#pJ-&| zZ1LOy{$>yDfVamHmS=@yD}sdKsir*qf&1~0l(Q(ob$c3M`q)TkYbSogB+`f;kUq2{ zh0x%7T-bIU(wpi9)R(JZ-~!zfTS343MNQVtu}9;eCnhPI_v!*iHhox(Tt`A>;|*kY zPNeHJ_!`SR7G7OVy?H~`E1(Mr1Qw(Z8t0M`*mu-C$Ow%3{Hg?d%7Sv6UC^^% zvm~F#Y{9HAl2!*0vU{18F>5_4Y!m<|s8Ex;DkU@5-zb7L)LEr_%REPd2gQI-I%Dju zu&=}L-AAWusQ!F=RP%AqEa6Nv*~>CR3hx~mfV_Oq^3ez_yPjU!N4F8tCmsV2sB@4s zwjnm>UY4-R9M6BcWm9*gn?zx%X`Xk@md(y6XEzaQX8Nj=d_x3IJFIR)iNwje?vdfB zxw^ZTw_j_OToVStCLIWJK3Nf5;Qc+S^UGWj1eP>x3B6;TQE3A<1Dzj5{! zu#vP~mZrIEmzkNd3~6R&W@ct)W@ct)W@fv}%*<3~W~TAiJ>C0H@AS@SrOcGBB9svs z5mM^B=RWtKHGgK@$u_EOAUBIxY%li)_NSGtY{~GYHTW1aSy`cL@^rhb^~T!d%2^nv zM4PQ0i*YcuY;-ujX-%&nj~9cytYbIaOh1O91JErf-%h2BG>)E9Dl?`RIYNJ9On6~p zMhod)Z=mMrh!VmF4MEy6`aF|Rj?zq~0iF#P#akT;jL#H$|8^$vuBst18IEN<6B;Cz$_rVrzs?SQ`KbFwn02-;6&B@?7kP?LM7;; zWdFd*OZ0#MnLRYUYk4A8Oeb70mSqSgs0zAXS!YCPB4h2b;;|JkLD{Ot64>-i)t>m; zJuKQ&Tl?X19O~P>FHf@xh(Y0}3-C^+ijA!zQCg;9SZ0{lA z9izc3YCJ%h#7wkC(vID^7K`oi<1Q%v^zvX$Pb?<^7k27E7Yon`qKzv8aJyX*&5Ne}P6`FTI z3z8+R3~7`isj0in%q`v7*IfebktBGN0zT6boPa}qj2av}_+$hh)l`B9-i}asG+w63(ekRPjw7JmdFSn<2r)uwN|R2UJ3srYA(MzAKVX#EK0$@53a(pe(Sp& zH*Urv6y0!_*qW4^B}Di5JUnHsn5#k}r=IbYiIVwg;*KGj<~I|FRW5Z>kP__}(OdHv?BcSjPy&W&Wc0GDX4?ptA|po`7Ftp(SS#Eq&ot1c{NCdqlfxXwDqK zZjW%|r^QBuNxKy;9GYRhYL{JmV5G^;f2z-6P#jCLVmb?)yFOHMg(X?TQ=^?XzU10C zx>H@=`G8OQt$eN+!D)w>F^0DtuN?`aiYET~$t}fw(Nu!O3no9~+7y1}V11iD)|@_m zLw6|kC@Vx49(AXoS`)@;>q<6;9n{I+A*O}_$|JEs`<9}Z3$}GoMmFh^VdQC-uVu+K z{PW&6H{4AuZl)G>z77Knzn5|)+xw6T%HAez8BSPXKc&H06*@ps{&9EoxcLtnlVNyk zMEs!0`bx|UXyBw{Bsnb8|RTV(t5CchG4iH85d5mfCPN#Fsun|6qYwNTasKp3CGMC3SBzRUlOG-BrOL znK;QK&5?(r3Df6EDDBpVr6nK>oEA=Gp~WTQnE93)8+=fQjmu<3cv=-BE>Sw$s#QoYmESc6)&znl_lTp>%SymMM|Z;Z8IDWd3fq5h?%hPH33;$p-4h`QsT&}zv53k zEs*nW$)p1{Y}k^Ht&!O{w$hignddTy%WQFQkuyPEv_;MfwAJMsqlDFA@4dP!Qg0LMVUh78wgZMbS|%}xMSZyuUL3jZ55TP1%r*$Igc|=XMpGm+ zCcfTUDTWr)^d}JT?v|2Cr6G^y7ik(`*<|JGPl;WchQYwV|f#=)GUaUZbJds0%1}v#TxF(lVUF zTH?Z0ZUXghrt3o0XY?INeA6y)Ub-Ax&M(1-7 zhNcOMIW$PEct%e6NCmyLJZZR(K7@ho;AqFC%l93QI5Q!vYj-g!Kkx(?`y4{=D z9j*2CXASQ`);~zU0E(zx@bW`jp+l(N7UGqLEepsbixl>bcT4P1E zai_{aPRaPJJynf|lGmD2<#G5{G*xrUy1jqaBQE(WQthYK%Y>ER)-G`?Xoy*iJ6^6{ zE7(v48z0Q|vINlFlxtLs-WGxqu^yX?t>0Ok|6etrihZ;F zTGWhA*}(}zLi^Tb{n+DrQ01aS9#$6!3;-Y8UT5l0STYSiT4s7weD5$Kg_NtQYqo2v zTHwg4lN+OOm>cO+NsC`t3e;cxy}XmV%B@kt80el6`kk?S3YArl!b%F`&=JBQE5JM8 zmb4+(jfhQJ!a z=%O`Se#!cDE~&859u17;9+s-yH{L=bd@yzY`M6hnmsX`+NNfFbO{Jp$@6CZ@!*ee zsKr?<;yKIP=}f@!yKL;s-2)Dt?Jx7sE_ZVvLujp@ZMAs*Xl)gjlylH+R;O!Dq^sp|wb)>PjeuC^rYi!u^`uytgA{>Hz&Kz-o_d>@gAaU6H*5l>E4?n z_;m(x6XAqWt=X^8b+X&Ovq5_&$}}H{N1O6~2cuNZciA@0&3)k?-q}U`ZxJQde*sIB z-0h4B03x}4Wh)# zNI=6#$4Wp?N5@FO&cv<_4d8b)G`4XfU}a$VS4ipK%6|^{&o&wc`u`46qW@P)iJ9@A z?=aJMP&9TTpaAd#1OS2nA%HMI1Rx3!1Be480a5^IfDAwuAP0~KC;$`zN&sbm3P2U0 z22clR0QA3kq<`q5|CK8;0hpM7zg&y~CRP9wTW1G=>HixfvIf`yY|L$p0k#0!?@v3x zzmY@#Cx+-79r{;d=s!3iCxDZggRwEd$<-F%3~;tF`X;9gZ5@mOE&x}68^9gl0q`(( zu%-O>`ygU&W&BNjG5>=D{TD)r?O$%>|3e5deDh%cUNI0b)3JYFw12M{3I3B6B4B1? zXa6@oh~WDm=2qY5`TY=BeM3}2#)h^=#@`?kw4>8ERb>tBwpOibs-|e!0wF9^^dxiK z4TgwP^t8nZLI_2Ofg}bZ28GLCM6BK6cke+#G*^it93hq%ljrBB0M^y-XgbApG*#Pv zXLx1md!~J+{h%p3Fl=l^RszD$F32n|R)ry_r2wY~>FWA8kmeuvYEVG|CiLT{0MK=x zwE_l6$&7^t0LUpGNS3V2rvq{!0eSlG!tIiMv}Xgh!6JRoLbLu_0@8o#`h zd~m*>5kUnv;uxOn#5;O^JUB4I26+NN=qOlz&v!sTg>eYa#uga%T&d6yKp=Wtd3tPH zFs}$O4{bq0z<6>^oH&8~zMwl8KrpZZ1~<%o1weKr7`x!@FhBrT{tvhj(C7inwmo{T zbb9E(LBCl$cxs@lMK$faX}0w&)bx?Um#@VtCF1gro*13EV>t|w#X&oSg{z-k~D z7eY^OwR~^$CnhLPq(70?A8~&Lw_H8yEmoKqlH@iVG~A+}&_GG=if}i#&p!@fg}-Ry zb`B;WcLRa=<-~#jKp@V9$#g>cH?+V3U+SrYU!KyRfTri(xt%Ww&oAG}56{@o1EeqC ztGn%T=57Q?!8lGIpieCZp!bx1pnKp{PYAnqvz?tULlB2hVz000*=^M7JYNWp(FfOa zSqoGWm~BM*yrj1MTmv={`VhnZ8X$B85Z$V6ho2;15h8u@a$btQ%gDB1V4tvz zuEBx$1b|9_;}a{Gu)rrCXU})|LMq)H3ri~l%8P5|Lu(1W4_Mt{51w4#SBQzRU%>mF z-DqJ&ga_m`I_TIK$R8W=EpQdr=;>{tzTPPa0&1*J1U+&}T1qIeo$W8T zPmawm>}Uw2r~oavXiT)Apq-=h+yF_8^I(y^^|!avz4_1Km#061`SAIAbLo^QYCIb> z+*F{Nzth%Pt8A7RfxFhwcjXmqKf4IppcnCy@E%TV+UM1sgWP_XZ3stR?WYXCRMcFr z@%;c5$m2%sNSqGYLp-I<%Q>=5MpgfrY)3&jz0wkKvzNN0Jek|&elM73TGw0K`mx?TrK}R4 z^^EOxOEA=zL{n3$rb~XW&;7h1S|vft$!-wzbAy?W+DBp1voSE$OgdOOebf2Kr(>Xc z(9CXcxDTosHf6d)q42!=?k~g6;tF>r z6B;K^(kbz&Q=&JZUVQkfZ9J?kmSx|o zl%kWAJO{(n1PI(pZNt|BP2u)NXN|PlcW_j9m+zSl=((z3vv&(lhqxhd9$n^(1m|nQ zVp9r_HF!ulMQLFIFA|3vikDS*KGC2GX)}ij=7dfTNj&E4^$a+nj2i(L+gwowUtTav z-LEY)$Fy(B6G>4=N=@n=92%yEf;qp+b?CR(eazH{FWKWC{_xh}(Os&sCLz#C^O&@| zp{v;+VLj>W8PXcXZbe1vqRPl!S84sOR)3KwQbl>|lx>+dYyYsKIigF}Q*L=O*}{K; zK?7Irh$?J6acrvi)6O!caW9}N@q&br!cu9{@6=If>oIB#>zBneX}na_i+hypADT9C zWIyS}PPyFl9DEVvZPgg4sMJB}Z1|MKDQRq!Ofo|G#5~L^8cN{je331JSgsi%z}m(p zFoBdy`?l&Wo?H?w4j;|hq7g478>h@`8&>($dI7nWT37V`E4SVVp|e?lc;K?HrPUHhht9f z(T3}^^or>Vir!_RiRUJ@PNt@gRd`Wpq>W~kpz)(>T`md@sR%sd2Hi9LRVgw!JR5r* zib4mR*_7r|TCnH!tz9mi(;&z#xUA~-lcuOLBNBeIShUZ8?OtB9fDw1u4?{Ha0tD>ni09qd>BHHHpOOOMsZ<&?lA}mo?<8 z&3kjyYsuxs*}lE3-Z=0?U2LZf#jg_e($PK5Afs#&X_!PtXTK*hA8<3#d;?YKqIrGC z_a>a}GOW!M^yn>oTUJ+WmQc>nQZLg4@dZ;;nD#J7vX*AjZp)9xsv zgT!8y$S74U5^8_y*I1^bWI7_{$Ncm-+gQ`&Q>PYhD_2ZIQfE~i>n81X6QAs2>EAa? ztJWMPpa_%b%)ko6I|C%!Tl4NRM`H{k(G`?2vjYiMR4-WgNQUAVqB#-eahmr}5BV-{ zz$Jl-ceOvGWRvbJOH*VajV^zT{1G+u-f+YteHFSM>`ISLI6_(PFFF_g@njt=Ewx$G z`>2qsM;60+ohaWwk2FZF!#pUS3{bX_>y6AmNidcJ~hloMqWj9^J^$_&O zgBfx~saU0lxtylhv$vv{Xy)6KQ*gCjxieOoKs$QuP*ch(cTN(H%Pfg5;V`b52_}E; zxf612=6O4JU#O&sNQ<4fuOLTGABR|=VUE*tsTM2|Fjnh*5?PgVb=Y_PinY)S0&OHi zd|3*9cR?s(7set|lH3QLH&cK_c+WH5kvptFS6zLRsUjd-oo@QfX8&u@O4*)N-xDw9 z*9hgXcJ8iZa>n*cJyY5qF(qnHq8{QjFxYDDu=(SyY~nm}dKo{T#z|gXXb}fqYG3x! zcOk>K3i0j2&(}aVq^F3dRiViyDsCXT@yAv$nS#YoB*TD z?EDeE#RQhXErqu zF)cM}^%A3KKeo_gdg84-5WXogZyvf6iGD{)L{Q|>r702bK>1D*z6nx0cby5+zS-X< zk|d9y&IyxMj^+-6wfdl%ET4XKojKeD`%QMzgB>2vIBuL5PP4oHP0UPjo82hfSmXME z{HWU_LQwuO*Q&fKg8XQy-_D_tP_wQ|_R5)jxu&U{i*X7V2N2(CHj!#O{k;nh{y{L) zk;ImyQ*n57%IzpkdC6xZ)F=&aO%dCf7?!e$V82AfeLj^0d)_VxMPbg2LW<=)Ab5bt z$)bxc`EY~a-gnlA#Yvi2OTV>!m(b4}X`KItF5@cL36wqE(<%Jdb9VuYVRi6vt>WCX z(=@3KDV-NX-vS!CrUD{3{d&9UMZ_3uFu-hlm7Itg%~4NIlW=C^9tX~{68p8dtuTMx z3Xv5^Tg_{v<_+abvKas9rp3+S-An?_>N$4vT^Ly7JgzTDz^_&$G`m zXdrqwjrlZktRzx9LfM=_y(T{~)9eJl0tDXhr4Zh-=o+stE0OT?58v{x5&Z_6r}D!G z1=x1EU&yA+*(KKGc4p({DF%pJM}mj_QiS42=_hBrop^Pb&DqlXx;T+@-St@2zk_^m zvk=F8`}(;?G7amd=|@U`r)W=2yeO-OSWE7CNR>RlohQ1=qL`j%EPxD*^B~!QmR2Tf zSTRbpv-yZ`?@F8I%`on15)H8%W)ZID3vUXy=@6-)tvU98`Zl_zm?Qv->c&#;M}G`- zsl36XrK+}vY-22^ZS(Zx+douL%3DZaEk&$GLPB96u%b9lGWPmB$*Y1pc9;5&R?<{3 zu8 zeI&oda2y7!lyV*a-1}7sGcg(EFA04lRd2$;u4KI--=P`bR~kX`eXuOH_{c1u$$o!g z99T`P^8Uy2rbU-Vcj%)q;&Ouxm@X!JBD4)uG&6%U;scb^O-uH^_btj_t5a%$@<7De z^~BwBTDbiCZXG$S=~RlptgS|K+bZpuvDEC-X^zsL1)zyuKGr!_PeYdR?}t<$;D1Y! zYlUzZ1gQ^OezR~gbLmnuaCzvibR>`%WB6SBW@D_)GJR+#I)Gu>v>48?%hiexte75XDnHnX zn)u2_>|s$oScT(ESOaQ~P6w^ely?wnT4f8|gA(#oEEDIaCRN8D&%Nfpnv%9csE1N$ zeTI$gQt7sikhPsh^_yD;j_FFJ>;ehwD*BZxrPYTS6PLh$?zuc>+OXeO} z<+iY>V^cRbAI(sQh8$6~6Zvoe&@r7f&-J@Wi#k=cCGJ;#goUWDL^FGzN#icsS7S2{ zVRd|(##_{V?#rg)rrcN;rJhp<(ap2=?5|e(poN4(_3~M&6e5%7>vJ2T6)P5nkZg)0$Y| zx`;emeEwKXu>D?h!tC6{opn7x5b>ZHumw0|XpBh~n5LERBQwDn_P-=%HeX0Hcpg0t zwHtM7>n)FHU~F2wqCy zjqdikQp``xtk-?+;FPI}@;2D2s}bbI<@3^$hW*uKf|wS&{c}ZsRh>~JtQ!)rbEaY7 zlq_LeuSHE!^HX1)cGFNxt?^_)8JeOX+J=7Rqu_a`*T1DKe|Meha*w+@SM#A@WSc$F z|EXk{j5Gv75kf9Tu)!3UGm$ za7jstq47!}bI3acf%aAG(}QGxzxDwqI^6Y}{xJBxe-;+xddgmGYMwcpbciAR?UeXs(v% z=Q!#E33KBqi;^!>_Q)|UbWCzD&ER4yXu7Rh{Ca>owDJ!9CAG`efG&DxE8B` zXNAP=oZNaFFZq2r+-UL1yz2c-)zJL4pk65ij1KXPjV$%AobOyR8>nTKN>}?=sI2yf zh~es}?dhMYs}{b9CG%&;m8pNJJ&^3Lxe{z>f4!HGN5Xfzke{t`P7c~y*6$f$M|rr9 z_ZV#W-{l|NHO&Svp~4B^83B8FI$<$GLX(UKOOueJ3-Gc-(W%O=1$W11x{x^ z(61v}oT31TvHPs4;J3b$Z-mVX@5`qDTf2G!9;iyx_Qnj@8M4jW3x$nM! zq?-4{XxT>?7MtH7y49Iy|Ew}E(i2W0)!!5{X2%#=HAAa2aoy$?Q!RnVv1utuG7(Q? z*PE9HZVzK-?b!=8-|9ZJ4_=CN_FLaG*Su>4%8PxU@PBPF%1-H1s`~Ao>;Gm~0*uMN zkJAY7_7V(M-n1nR{(WQ4XgbB1>niA2*j>kr={Keox;bl%W#*lb#~SLv+HRIFL5JLZ1{%Oyd&Oc}CnN>S#w&viveo!Fr zsFd0=6j!HP>y=}rbwSis!U6~DRHLQ*82<_Q2j)fQD(iwN6$p~Usxd6KM)V8-W}r@|dP!Kkh0A^8&hTI|9Gf|Bl7gp#aE$&ca=Fr`w?G+j>ZY9rH}e)qmBpebg#>fy*T zIcIf}=eOa`faxLoVCww0r_|ZA#7Zax26-wfvpA71J&`21>IMp%FxGN7!ry058hTS! z+$UhyI)a+)qgygvc%6mk&HENwyG&~4ZssA=<{|bw*%4~s9wBP31WMTD1IqJMXBc27 z{0n!l=QA$r=AlpxDFXwT`Z!5jX(el1=sXbd_4AFiRL8ShpV1 z%GQACt(wBUb4a=kl`B-?Zmaz?V{_4K2{)D-fVqTCy8gb4v9EiNQc1jAvp_mTcRKCz zy|m*^(fUTPGm0HJzw(Sew|Rc6{wi9B@88}zHH4;g#?I(+F`W`QG%}Xky}XN}?LDkV zIhjN|*D$RM7 z+YDB#qTrh{b|~U?5aYS~UY{VKfKlJpFdF1(9iz2W(xbitik`E%oJHMIVDw@|7xcEGoJ0gGgMgrF;v*U2Yr3J zD(uXR|9=e?8v1V+K+(zAT7`g~>DwMq6Eps22phqFu~ZbkEs}2=fe2iZ~wy9 z2;lgSRqu7#P|Ab9~vq+7XQOjBNk6c7(H{ zJ6Dn>eyg_8bOPmi;CTq96g`DxN&|qDB*fiBAI&6OUO-(DMRje)AaYq@q$enoJAu@) zSb(rVZh+IN@@dJNcN%}1ef#R_J>}{J4_w`oyo^5M95y3SoQXmUGz84*M#z?95lXlr zgd;$WqYn&`0uLPAlq(wOQ-l#p5jw13ceDtU0xQvVXcib71$-s|*bW1!BvPm^-7@X* ziH`vsYDMu{$bn7|evS_sSk^${#|V!Tkyruy?8gU`8^Q&o!l+XOyqGWuhKXsfD!A0> zCk!-RWFhcaD6Y2B!oq?tksUWTcVFgBHZYu@5?2Zs1p_)cAIPe2BNAgUxEKiK#5ej< z|A>)YG{5$SMkeiQzS{wv{o(3Iv8X6D;kX{_T zjALUF<8S;8qTNioh#)xj6WPZfbQB<{F#X@sCH9B})foiL421*3;np|Y_tI_04k-F5 zA9#x(#T}Nnkx?Jv&e}GxK>nKFk5dX1A`rB0@@jZ2&^_ObA-wMy(l-&U)A z8ix=537A+uLpKzK?W!91v#F0J1MC$j$QW<6BTR@Nz4q_-{;x%aubr<&wcaJVQe;TY z3JTvuP`y)r@G5_4VMvNG+g%ExoWAE&&|ZiRzwM1L-&>rbd`LHZL!^{zK{BpI9DJ~X ziyJ2V4c1OCRm|=OIDStC)ZUi_Ug5q38+QQ$C{(Y|!fz|zJe_d4tj+V$b_ZL7PFWS7pFV9)dtK`v1Cuq-M@8=oIXLpd$ z!cj~bqc)if<*oE0_cM=FE>uG`=zL zax3l~OzXks4+LyAt8 z&8{!zbA7qMPd**$T60-1R<>}n$T&rpMsb2YU7ytCp zT~eC-hfDWsMz3hBRkl2LiI?T?IfK5G1>IYGORsaeZYZT8GMNl{{_9Jz!r$cCJkyKE zzk;`QBdm4^Y1$<(OIQyndUCl%Mw#twKhD#T^TSjU&(4x?_E_kXw#q_;IiPij#i-iz z3;{-U@Y_vIZtJXgtqoXbOlXQ&r&*h<5#R$hIkEajoz+I;3G!)Rv*}uZm1TsE(72=9 zQUL)e~D{Y4#Pc`A{-W-HlMHkM;hITPesDkTonvcX1Pe{u-%X5*b;co>W zi=rJHdW?~n_`_NoO@S>|aVxu%!q2Gxlbf>#vTm@t{MSZ6#0zsMJ=4*I0 zI9QC+Ltd-=*;u7f$C3gl-GmtaQ98^59sWl5;NiIMkb8&≷=oHrKS8U zu4Dz9iT|a}=x%Szk|U>PPcO07OODG!#73ntoa(-w;U|y9=Ac6R6DLI8Gcm@9q01+{ZkYzh<5RELV?UxJ`-zMT240ry35iN(i#`bVO z`FQVF?H)DKDg3>E$Cc8WuSlT23Dcid}s`n49=;So?xe@%E zL7X5r?b;6-K2>f2pEkVf*dL#@x>(J2fg9=lwtoHW>_bZTn@y2x!t?G!Y{ux@ab#0d zrzef=7^d2}u#yp7{)NZCk&>VqqCtfNLT^$BdVA9LsmsG$TUO(??P;ZEf7%(1;;YjT zrnuw&{@8TvOw;@{Y_yAqdc7&lmd1uX3;p}W!D`Nd5o&>0VWH5v!u%uuk$+$g{G!CQ zXlP_8D|?MQ2-~i=jBD{jtM5c=_CEW>nibE~-KAf39*rBbh5G$Lqj(abn#bv?_(BvPZ=0;(s)tIhF<{>K?H`eY5vS!)oFk(zb zNvbN=S>=2y+P$U8l0!2z;Gg`pHcO}=F02_5g6qKh7J6D5?_lw14eZg_lW=hCZ3RJn z@EeknB|f-~F@LZ?Pi>%p|1@M{KQbn+#$rHHMd&*vvC*TQU|z5^Ia9JJk)Z;hV+ez} z_lTN!N>*S2eP+`N>oA(qwai)?(QL*h2<^G@7}5wMa=%N*dWQl7#*8X4xGYc+L8Eqr zzLeX1fbzz|d6wqC#)iCy%nhIwU0#e%b6s(8UHI;h+8m)$09Gl2R-uQFE&e$YQ9d1E z-cyBZyBvM-xb5DJfqSzuB?L}(p9YU3*+Oigy3JXnmxN>8&4Y3;!oXUq^mX$`EC%Qd zTuJz_%x!*I5xnz9aF=I>WF4k9aRI|wIPHje#P+WK z$28Onp{4ne@fKLnf?%+9BK_Oik1mJ&SXRREAMV^8cF4YVJL5=dusH75QS|jB+2|r8;K5Kh8}(a!ieskkuYBvTU-P zv1Etf>|9H9X{n1ii5RCXVr9BINBaGicNscEMJ84cU|N?KDK-sWd~EqCer41VDJ;ZA zyn(jawU=_2Skv!;m-UiF%cATsx<(QuTt_Em!p!slOxT^_)#~nFoReg$$ZPCeL;qOk z1P!oJ32L?GOJHPtGuNA@oVFTHjvb#BP%RBf3QHk%+D`hx$A5=ld4k-Wvfna;JkEYC zHdqXk5q>kgY|>*{;qClhGqOaCKZ>*$@_THZV8}IV3zpY6;t}Ecz|)RXBX^nb@yrL( ziR~=kGLLHw=t!ZDV$b76iTK@N5M23%;ROKVh40P%X)r-tP}4SGAxUP{jLXf}o<5`wFR|`4RbgAEtnQY`8Lt~Qy?|3m z^m~1e1KbtL20lLNp4OJ~rpZ9OC&xnK`fRl~^0?s@$%S$`?#z4VApf_Bze&$9%H|l@ zStQIdvSM*I@gX4<CcfeSPQ|g%|BH0_KdCqw86ink@qblu{~uGkS((23+t`@@ zX^Er%FADA-O(v*s_dlf=>p$hcw8Sy~H*>q${#Cv)eDC$I9dUx+-EjZj1t<4E``=Xl zSK0P&8tuQxHim!s?f)s;SpFFa{vWc9o|%<_{Xfco)ot`F%&aW`w{xaj4daS8mq;^O zs3x;pswLK2tk+wpzTeRjnaM5Hnpfnm~qJ zLdXhSTBe$!oM5zo)PG_NqLT}AVykn?m}_7n8~*Im<)nh4ERQP;_iqf&uCDWMghJ<= z{DVPYWdNpU07B>B;4lye5_EpfjYBgrkqwOUE5agaVS(w(_=Oxy@A!t7+m|t$dcq3W z$d^}3y6WQGTFNT>OW<9X{8xG!P}Zb0Pzl-+84w}6J1mqsJy3936*S+(pQS&ueOLrn z24>d!U~w&U4E4?o`Cw^l>>yQN-ar_ut5}-v^BKsSy41kre!zXBTYpCW+Gd1z#)p6K z(qj2_hZjZ%C(du%`UNBRP0aQ!yzoAh%C_#eIYzsvNpe=6MBkv_9C+Qdi(b8 zUu0!vN8!+%X9N3Ij{S`M%q(qe_rK$9&ZhqC0Cp+yC62y`()u(%(e3G_^X;C3Kx>f! zGDUVh^0mOs0E(i?Iw(D1Hht{L2EJj8uWwMF*7jPF|)G%yMK><2zcb3 zf2rjG{?dGcczj&K`xP=3*G(Kc|=fkIj&#) z?zW2|`rFruBeVVcvLD6gD&|-(2~5<5)wiG+A}gW0Z*ZCNl?0*qyizK8yFz~H<^TJI z=KrO+|M5kB>1%P{tNr(@_vwW4Sqbf^#Q`Y9V&4D{38Ov~z1 zmlA>n?fa~B#lJACO>S*l0$i4czD^SDSe`kNfHfO?8|Y@}-`CA{Ni24445)2)t&HI4 znCm_{YkgOht)iuIs%fmGKTlt4<3Y?YF)==Wms;8A8yUaF0#$vvq_1Fok$?0md_;0} zHqS@}1dk!$f_Ze)_(Do)z8U(-F0ZxD0(&MJF`+SKn+) zzv+hfZivvv#Q1`LE+2fYKYVe0SsqDCZAeGyEu~yUwFT15Gt6h7(K(2g1T{mvV(^O! zoJ(RSM?$|_o_l=E4Y;yXJ@8rx9%q=e^{jEHOr7(>la#{^zs^*TdMZlQ+}eAGQNI0* zYaQWOEr$m^ahBYjpI$8Ju0bz$?PFTSP=bFdK|yhrF?i6}@YBWJ6CwC-tNK`b$)3*N&-mdI>{Ev7$ES*>4G^8)P=P@S_ z6PCAsZ+pW!Xn9oUilsyi)GR3mtEHC?~@QQZxx7|HwYY@P;^GH2u(k}x)Dp?7Mugx zWy-I@mXVR-nx5ej(JQtbOSZ&!@J{=i$h1BxAb8&*sDhPB;3WZ0)!Rk{jN3oMS0{dZTp&yR z2}#41if7W}(NjirqtLmGHjH!2VOM-X4I`5?q((tmKvvgti=Xrb@$W@BuUTMBA+*GQ`xu8I!tBTh}3}q)q)z`iaX}8@hovz^FiFFdY za@ba?`4vXDx5Z+Rw8*I7UZKF<#S$uVHPYjq(2w*@&Pe%Y)+qtH-4320ec}Y{X6#ap zEubN4jZjVlfvHoyFn+FL9-T2`%tp-uQaAvE;y6g)TmAnu);V`tj(j`sMV~4q;r%xc0TH05c`0we-)t?_Qu`w3E zK#yH3+8g(!PV#ZBUZ#0Ql)tcDuXD;2lZNXUelu&m1il_lX}H#7<~^EW(i$)}qFFFy z_}mRWy3yqs+V!Cd#3X**j*yFoYwB!?>dgJ%RUG$3 zNwM3i0NG(|1VI_6fI1`}W3;>NTJAm5l$|CMa>ZTZCkdWIEPSG)Oq7xc(mnt;c~#G? zr82{rs1Z%~Cn+nXrEVHQitAwAbDVFr6n-nf7@VB`g8^mvFgUCXYxm)&B{c(%OdChQ z_496Eeb!)eNwfKah`;7&7Ljqa%9a>OR4|e$>fzfM=}dYACeBGiaQqff_p+*DB2B?+ z-p!x}(kfJ2b8Uajte15kmL$d4kICvZjlbn@d(-a>hD@SHjXx@l(I}si-w{gXx-03^nnT!yK0^e5+;Q0Q5sA;w*h@5fgA$^&K8 zI)m4;RoucEcQ~2MFxfG|k@;0TN;cgYHnI0o$$gcLUg4@qA_j=u82x}=Mi-M-lPH)? zc7?}xMD4z_v_1t#81;M&3viTP%tR2w_W&S`GqD+0C)!_;e7x*+m3IomF^et$ z0A;+0)%luWu1*&T30CG43zRo8R0ktyp@DNtymq1Q&KUJUAQG7C&!L5AR*@2P!?4hI zbz7reXQ%qWvXZ2=aB^|v>=uiQ*_tyl==FTR{9jOUXm7L65Ur3WxlhBe60MTwa@5(V z6{h%D_pUJVGRD?dP+N)$M-#TU4n<3uJ-i!d(+L(%wy%U~9W<$)%|)w$rqjap8d@sq@bL*gNL% z!YjoBqr!@}3|2tcj~>buIJAy72)6K{79G;pNmJs->?K+&ob6JOB!&f*{D#^x{ zyAX#Hg+GC-!M9)t0~EW>`mpdxc<2xzUo6E(o`)!sGj)A98kHBz1gLZGu5#arFe zeqLV=Oo-^1zMX^T!t1>GYgsK37~uF?6F#(7Y{gt{5PyhO zS(=CkeG?}b8sQrFsBSb#$<6+D%e8PkRh?~d42iI@!e0h9!ABXm=5|)QmV~inBdv4j zTTi^FTGC;M5w+&e`%d|*u>>+%Xjymy;~E#FI1dg`ZF?P3AdMQ!A0$cLDpb-xfRjI^ zrx&Ex^VpCXeMI@MIj)vZuJEsji`~1^iqRkTb-BlGSESljvX)x6N`;niu@?RqX@0!L zrToH{d0j5*2F`n##c;(wJ8ORN?zoA+IPsd7kpv=rhJ&K0XO~U0bJWF@Ok5Zt z?^O6ux(@QuY;Ovo2)FgGi7O+}9=<(!fCoDx(z+|^$wI5@wwUu-f60(|Aex-$`Lasm zTRyT|w+x|iUlW7_^xQ`R3Am#hb~T|*bTU)u>7h&zc)po6Q1DzfwwCWi1}z>bCVH|` z=hdAt6b>&wn^QiFa;J7g@2q<)vTtDUN^8yxTMR|-5?;b%)OW-)e%D^n&VP2CL1?>a zPl0(MM^eTn`x6)|pg&|Fx^1_$)LbCgZvy2TT93=A4dxP%Q9(4oT)|F`hk{Khv$D>O zqLr48S|A%RL%aoY1{Pl@@-gO01pW-MP!-ZD5~elFKTm;jw18>bC%rC{!Sf-D0O!Sekuuc}_Mh zGE3G(Fp`$breK~bv=*SBlpk%Fs55v~}WVEwox$r3? zMf7c*J0&zoca}4d0lp4UL#-O%@{q$LwQ_s%^kF%3@<(gS!oZ3gIhKAV^DGR^w>|{@>)STCg%w$ncrWPElwG8noIvbSi7ef zQKCRm({0(wx-WHbLQSrZYG(xTB%AZsd^}_`u-DWG;De^ zpdZyu^4E=^ZE#CQuKZ~CB}7hj<59~1G%$_3z(JGB`64wwIoEw6z0= z5M0e6ndK`o2)IB+EgV>RRrfipvvQC@BLgp11@1X!Jf11VgB^6=IPCk(tq407k3gnB zg5BY7dP~DvUA~`Yc5CtEDAloI*dqN-D9T$3XQO%cYg?Lw;q;zN4de@OvM9Z01tw4F6{lK^ zj|OJ%o=nu$=#0bFobjIz0E_vkQ(8AGg}~kN5+jzR97>Xr(5#YFE~iYTmy2)@YIQoT zo)0(cRif5OW^B}JcHy)Y0xZ9RZv$pY?~1Sm9J6iX!UokcFOx>V)Cla3i|5u8JE;pGV8uqRPp=BKxs(!o?Kg?iG{!_sLedI$10h>3lGH*mADDTZ z{nURc6ye4=fq;$0;sVWk@u`;C1RL4PU%lSKOmKEA3yi8AoY-qH07L<{% z*4_lgA=MDS&k3?wCu#?;j8N~PJ9U7 zB${V*qdnoPfJ<#~B}mfEYo{m4GA-QbPYil1zPGAsO6m7&4UfWeTG(VJM6nt|*(U`t z%|4q}_4zE~w4eF$ZppR0kV^4d*7v>1=g zBxM^=xTfKNEXBL39CMsen4-eO5x9V-pQA0hYwnAqeDFD z_RI6ymHVa7y9^>i`v7~KcKCFQ_{`kK)D$CIAvt^vF+^DS$pyIrtVA8W*6pLFb~qtb z#{sjV?0^NZ%fMfmhVJL(hEfmmD8Y3agqF5tH|+DD$7vw*2^0YD$oiSzBR{U*_rImT zZ0|Y&BmEQc6}Hvu>$#z8?vumH44Sf<0*9haSDUeSvOobUA9ZSzaNk2(*p?LYwuL7X z^%|<3qZh!Ew155-9iN?_Tb>fEF7Dt?qOR-_i;P4Diif`^{3-I~-3K#oFq->T_5RqR zq~(1B2_AReK)Bx;izg;~H2u47phQJS*-F-?0)%G#o3HJSXDZim?J3j2iJL1Wur_cc z5U=B<>?!3WMsstB0jnAOv<2FF zy#rp{9KbI=>Asm@o%S>9K^hhw1}1E+SpkGIcX6YR4!r~LDQ?frFy(Ygaj(mo z8MQyF3A+`)xr|I7xDGXMOvLA92oB5d5_p{cX*J%s6cS^I*ep3P-yp~C6K4Limb{CC zY4X%IV0J>;mkS3`EXSZnN=GQgk+PB10wI6;F}_}A?M8dFJRUE@Ut<;3K@+C0tq-Nu zXaa(`~DxtL2QgPq|a;cH>n({ zP#JP*vH<^7ou--aE<_gK)L5&?vJ0@T1H~kz0Si4c?sKq&?4!=nHCDe1=Ic~5l+NB~ zkwM1gxh+EWsPy0*2KfPO(+V3rK35Oc~qowM}su3e7Ekn4F{n&EPPLbWuAOC zn6^rPEUh`Tt-hDJI&8S{Coh6e%TOufHwl|xm(fwg^!{m(Rty`Ny&yABV8Gz+8S8rnqKt?LQSfM`epDU98(}n5GCxeQ;NM{_2*&b})G(o0wBz^FqA-y1+uCs=tD4VC zbN7b~xT)Wvv#7j|q{4#tiAVlAqi;%Cf}KcqGixiS{wXxH>iSbYToC4rtE-L~&=Bm} z!gYiReN>-d3>T(~9@H&-vi~sbn+HOY1*&wYOd%sxPMt^vy9yCv96en*3|tMyG=@q5 z6&EKAb&Af==0JR6Dd;ApZ$hK$b>o=;p?GW-wbKWpN5CZl5YEY{;XTi))GOFpReSIQ zyl`uI8tER-o06W_JH@p@s-z?*(;L)bOAO11>)ag>}s#A3epx#J^!tdoOwGK@6w<_Tj)z;hzhbr&k zAs2ZMUboGoW=N36ZyzkIm68WwUU8n!n+(`+X6U|vZ??6_+6y6en&MTn##!EvA0XWl z8rG6_vfVYHqpLyo?@8q!8-@&CJtWV{IE!X| z&%-DsNCEX|Av#95m1d%MiADBkm90`qpnya3kwrnO?4$7_WDVj!7K5|W@>qXBV`4sUejE9^uCPc*i>^>F z))6-BfPTB_P^G|5?)Q0+KVuBfy}gi0E9wlFiD=(;&^;@HVbbve+51~%{{SzcUv>R9DA6xPQeO}8E^zQRm{&) zamOINnxVy|x54L#?2u8bXhc8C`^vF_J}&rLq}w}{$}5OXENHG_m+#{pG2HjU0C-U7 zb)*aT;&(fRTo28jS8ymK$ubHqI|-hXMiy%9>L~4SzOiaOl3kJBv1;&FP@hSBw8aeT z?bL7-9xAB^L(wh)FoURf0CfUIqqYz%apIuu9XW60pn;hoGSY-wF(JWZw>C(g+@I5H zlRdf|@058o5QNIG-^PfvZvInF(&ox143J!AsQ5uZ8^n=_XjHm=TnXh z^U>uq%Y#jiNx>1UxuJn0IYM2VhOM%Ikmv|K@c_D?`ps@KrhhK~fNltfG52T9_%sz6 z0!_W#0#iB3zlCye9%X^E{0%_;lRLGbr5Rx&JBqMD#D1>_{yx`^OUMx54wAM7CGPzc zisM{GcVi|OCF0#VwUq;)4VfSJr*l~#urd#Q8zP1Zx+k87Ir#IQ-FeqU;~LO8mjhWMGmf!!r60L?9E_cYk!g-PnyzdP>;0GZwY^3q*C>T7T1PE=TV5rbC>P$%`r@@}7u zeGP~ATz)q*TRkuL$wFn10B;jLrq5O_uB_R0@OutVPJ?qc^je>d`{$$a1|w#oDK#zi zVTLINe!Gjp`7aIt6S(4%Nyu5{*2Lw?*-q zUO5u?%;ViAbWvf@D*nX#rM;VgE`m89p-|7A*c$yskf#_TColoP6GZ`}3hPrCU zoxL+BL7HIrpbiqO@rss0?W}<-VJrr0$`}C=KUVigD{q%#*bqZrjNFnzx1QP@uqzPKEFV-OAC=SUx5{+e$EgC9C) zxdY3ovNEyw^#r9%5)&3)10U@(Vbwzrea8Uxh9Uq=$yy03~f zg%(Ke&W6DYZ}Z*ilu|%oBjIo~2VSNH-rV`yNFpC(I=*XC9p|V!b6t}p?aX^ro%YET zh&f1A-c34lBa+hD^aUK$xq1vQ%g`d)Z5xbJKaQ#T4WpmMr7`~@!{l1U1Qf%-{UCPZ z2ObMlt_uudt`IH#r1*i9pQI-3vqb|^VCt+n5?H6t{E;sUZoREr=_@IhK+%NKB7FX1 zVMFR{Ca(}3J`TZtx7^n!MD&jfRp3>9R!3_2#RQ!!4AGe*(hZ1}rwqwJcZ6aBO9k5H zq2n~79rLvkgPPy?X-~ALb4hzfSFaTmgUy-L8L7>+*Q`<^p7cO2cd;=d0%@E< znLZpU0ZRg0GPEJ{-+0aLYQIp*y4Wu>wt~Q9L6W$F#hJ zI>GSO6xhdiWmYr(&|@8ICmW&tynh~eXfqd)oxH{SMgs4K)=7m8M6l1oQ*N1zmFqC#M1IFW*|o{t5%<{%BK5QnmF6dep3d=5 zmEty!?RjQ|LQ2TRE+KV?{NZ##Pj5B$+9Id)qtg&geoUqSFo{T{$X9Kt{Mr3z{@GDj zD{2p=e`k@)n+4RP7_Jc;z|U-I?#m-ez`L8F^z)ew?_W?7W^+pN<#d{&f057b^p_WR z3ygy<;plKGJeS@ob4Y%pA*5K|mNMfqqSJks2Jfyvu8q9Qjq|Q49iPd4!qDu9;h@Ne zbb4S92kHT&)fZ*51FC=FvOdlW)U##YNcEr7l!p8(k3vyt<=0YG6D3>_A-~QZoJQm< z2|HLWffM;byL>E*X6m9&Z_L=^rnod*^{<$7UxH46RbBBV2mV>s7U0*pM@F$YA68yY z9Hljl8dFiRRJHjg@t<5Fl-4!*%DyFObMrjeUBco(q*a0`HZZ( z_ zhvkNCBJ9s7KvN;(c?exi-X1HIp+*|xP3*5+xLvWa7*9QYnHQNsL}N^XUEWdr65b=^ zdaQtfqzR!4k;i?u874@2Vs7+9t%0nC(xd_-1Rh2rU4#;d{D0H@TCt|?3Np`S(va5O zZ=sLJrTBB1?nHcPybYS)$GyA}0|JwF;iH~2zeZ~538VOP7)^UnmY=a=$2NxHVgOmz z-0?o#v(h7_(1(h}y_51L`1?P^rc-VkZJc4-h)`nVy9(Eti`}Lr_s!^~^V+W$UFiy> z-}0$3?=HnOEOr6;g-lCG6@pTz`@Q<=$vjLfLM(MU=Zp`%$t~vhwh)hsVg-48VZkW! z(gfmH-wt~3#n9^AkWu6@EhAF-1k1vmj2SU9RKR2)@xAih9D3I^H7)@O_jp zgwv@^eS(wIFxc#n9rasAE?(D~U(Y+n9657oqTKIH&0fJqR9jwaQeYhw_fNKBXy_Wg zK|NT;!g66pQbq_c7^*9=94{}@alSUktQ2r!jRji7mc(aT65Fq(3uso70ibfM-fnK) zRU?Auhtrsjr&tO(9GE~s#2#a1zA@;W>C2#apGKdA4;imwqu#}gxTy_+2-I-z@`tPw z!eI;H*1EU}qG}pao79XKr(6FQo+(3QXF-Z zmm1kj8ffh-96D+#zlDr#MXI+e<4iH}Q)CXr+>%f;#SXHJdUjxU4^zEDS0!eLZ?orV zl1qsxS51CaYxJ6agxNpZ4a9#g-)k~V{RoINzO1pWBrK7^O4|Wlysu>=st&=+2GsEH z<{BG>opUpQ7S_U&L#^vTBy#kR(nGK#RV1z(GfwY)PGMc-M@UZx7&1enV#NZ@QSBcY z4yKJeLyWrtuRJTApp_!4E+x7GSSTRd&mmV9aIu=sp%<=Vcgb%Uxf?9QP zdT(tdm@`6%;Ux_04gVQ;+hrUfMCW#cVg1I4PL=(&197U+R9& zCoFR>3&SemJcrY*x;chua)sIx?^F;Tf!ivBeu@K7qKgd6s@s`FG+w)@EgoWTYN!ps z=DVxk!d2pUR^_9x+9Djf7~Tkbc%xd zn$*dySl-Wv4*79*3jyr=%hW71^Mb za4`>nhUbLg!;q2hW}Iob*JMXjVn_7txg~s4`#F26Lu2Xi z(g~z{JRd$DHwa!I0F)?C_-Uj1I+OyO2pTVBQD#%B_Ync=V)|eU3~xAVJHw=Z2 zp@oYS)lIgN^|eDsy4XwAte83gSJQeS^Xz!3w?@^bd~kCd&9rGPTlg=Dk5O~8DbQ1rC1N9hC$q|HdGUmRDcwR z&D)(%M%^@D_98o6=}y_JBYaYkPh~-pR$ui%jSDNE(x|sFL8P2aM(8oEnE3f=wHoEQ zm!-l_yDXXU7p^5%!s&V^%%iBJg@+uZH+d^dyDJ&xzzEAmY=D=kK5)i2Wz zScW36tz>$R93EBVUbjl4p(x;JzCDDo`-dYG9jDweiDR~6gk5VA4}H#^*8ICJ6hZf! ziIl9#>$rCMqyId*-G~^9i)f_kQl2i}&Ylx(!UF@P(4%E6cYQ{3wVoDn&GUo48`io= zg5u2eyFhjCw)<(?Xr4#7fuf4t`DCRT3Ab;}ZSPyk8aSDG*KV@Y%co}du>CLCw>yc> zQ7vRTeM<4xV)7M2LKybW>344&my3n}-ro+iFY*+HY3M!-9qX+^MO7xXpZ#jqEQA>5 za9WhJ;;J4HLkdn4al{qLmYeEDWG2(yAf7C`DST@`V6CPa0NO0sY%kkUr=oQ|@Yfu( zY|sQY=ikd%lo58YRye(*&*+2O7X)K5a7XmYj!f@5st3sb{-810`I<6Twd0d2Eo=nZ z=QO+D=P0xDD_zC<3jyVcIz1SsHc4M+pUzL8B#yJw7&>5XCw|hXQQ)GoC;PiLu&tz{ zkoh)!G(Fa*ix0u|9Ians4m0I@Olc|??&}Gh&Uucg`H3w_;4j*?e-C{G5~w{L9hYhi z%SilmgXI6wyW3k9GH}d!B=`{vIv5ItZ{?f%O0C87H9CK#j)Rk<@W?z%Iv>WuvSDut za?69*3faQ@e4NRlSQy3NMq2AE$h2ev(A0-!MUY^tVN*~$H*)3 zjP4lfunqJ<0U^V%t=b$RP06~WTOs3$Gt+s)+l8M60|@1lW(5^`D&j41fZ6K_*r#XP zKstf~OdxGd1|Hn|_uLHp;GOOo#?$suWM2II?0xN0Db&MQuKgH&JKeoho*10=D0L@N z4?poP+`-M8nguwX|1Ra`ne#c-P5!{#>o57b_9nYV%UedgjA|$JDVP_eJjWR`SyNK4 zAd!%J20{G8Fq^zhF7^ZcKv4JM(~p#BJZYz9q(OW zb>TBkIhZH&Ql!^zNvKVM<#NkSNW}~*U+O^h-L7$O@Xif?j8UeCNAn&)f?^vu-~vy& zaTv9I7tHHbsgje9m33KJT?Dvji(mX|k(ld+E8n+);juqndCVwL{N61swjQoI?DCzq zj2gw-b%2ia@|02VVJSh|hIj*7@hAs`dYmRqIBKi^Ma|h^?L4FSECP=`s^z{lp?Lm$ zrKW?N8l3CgIQ}cKFJEja@Xb!kJAQclHH%25cQV>oNnR34q#3H=XJvau-g?F|4DCPRBK}B9}R3>FkAmGFO0pADU_{YVbinYhC7RPdcvj&uJLT7dBR{?D0pW9PvPf$loJ@gKH|fdo4-bU zd7gRIm)6J&1x9ZhW5z!6TWX|_Va6C-bc2x2$lWiXZ&QkVPoC3BCnL|)P^&8fK6~O z4Qs~bMWKAHI{m15rPXR*VpjwIBWl5-edz*{CH^;zjuR68!}AFo-b~@X-Y{3FNLd(t zBgB%qtJIktQ(>QisrC;{#wI=%FWNaY)p!gdkbqXXt_WB*b4U&R^T^+Nu_yNs9LDir zUb-bazhQa5-`sP~RR1e%oMnGB`E14u4J2l@@3#uy2}+hJV<&^?JvgSfW3Y#AyU!fE+qCc}h_K|W!ge4&>ie9VgX%sqFHM-Qe*-A0stt3b!5CZ@eDsGQSHkyJ zaT|y%$r~M3T0G`Q&2?&dV>ccPL=r`%JbXX2;3Uwaw04nw41(FT}j=&Q#l$A1o~a_EWtQJZdvg~tc= z2Ay1@s=q@2ysm?QONx_Z$I_K{soIfuSwRh}JhG!sqI0qmgOzEyc>B8OTddbnzb@CM zDGzUis?|_kcU_gK9lUIF<7Q;Y9$km!Cu2J>9@;=7a_7guVi`OmHSLP8B5xr!SdCQP zHf3#eJacX~!?wpk8fsPeYVogWkS4+*e5jLGrH;JUo+_)k2D~rwUG4Zg*98FbMFX*` zF9%iY&_SUA*-)fw8+@GIqs^)oZ}JF94Uf))nu5g}Oi z7;0p@5_oFdbUavSK2D^dp-bUmamo8C!#|mbxGit&-fQc!xxObjYqxrsRkR&@BzN_Aa3G-QJ6u!C|OM-w={@k`o~A>rJMqHy=XUA?Jr8 z;va(@_2i5~p3j!>=_K$6Anq3-vUGfjs*22tUr)gVrm3~;Qsfgdrv5Z6*1a94A7mTq z5nKU*S%d(fSOei)VNGdfsnlhp5sU)A?j}tl(1AvFu=)I0VZ6tOkFi zy@nx?J*@LP5ik@Gk4Xnr&6vb7_S4yRwnMc5#cq#m?IA8Duy@`;c~k)>7efBE%@!1L z9?<}KW;EtWed(o-;VwnK_Jk+FJWwG26p7*Lg5z2SMv7X}wA%=NIJ^GCM&zkD^b>(W zI1H&)FNfg)4b5oT?;#-`o?SYsNQNf=XwX3|oeR42O^5GiPulB!(S97IJ^@gmkk>(? zalxRn8j*TAvhDg$Zm&x?_+o>6sDuZag(m`oj20uj$KV8=#3CP>mORpfKn#2TA1Ge; zlEEOFs4^Bmx>{>ms{j&o^&(D&iZS88U4W32;Dv@0YRv2Mb-03_!$X0Q18lrc^TfvV zt{0M0S|1ghQ5PxQ8**mRp$;9v0?@wo5)pAu1yhl~ve*&Tdsh zy!|WKNsC)TYIJvn$y|dFK1C735iK|*tyww*3S@5T@kPtxWT$8$%6=A&d17RQ-p)I?A9rSeUHZimIPk zJ6yMxK?@Cz3!ZMx@2SNziS~~|722q#c@ngtao7gOJXu0$#e|$YZHqLu1T}W}UuuH+ z$!ck{M*!~WAmcRc1d)+hp7T}tr=DS$3yj~|Xs=JOpr3iSM2bhQ&~ChM2Z?Qz{L}U4 zU-c?d_X`z%x4RGQUw#nSlj!;P?7^#_I%RA7Ebh76Z_eRqq}mEu?u9d#$!}ysLvjc> z9EvY22&HLKqC9@bH=okZ^1k8ZhDQehhl8axnJPEdemD-|yX)BqD(CrI@NIVP-Nt=iU9i8op>Gy|sYfa!T)dg(E*xTW@FfK|HJw(sUidd33t)g(c zlFE*eW|Vv>fXp=OQ|r5@OC!kB*b-SPz0O_V1Z@9;V04UhLB#z+t9Y<}Fnr=Zn+Orn z{1WRT_<^$F)n#DP8;(_E({{DMuR;TLeB&BEPT(AVNkWNn8l9dsEx`7zrYf-bVj%eZ z=Ox+T%bJ+jdlG3WD>a%23Xk3p1v)NSl}=rxf87J7YvlOIaoE)WT_gW-(wXH@y!&ePX2RBkTxlDXCp^mcvh>hHH>04nI;TF&|Z9D!1HAd@r>r||v33{~Cpr#u6y)9@p zA;qq|%nlU4Wj;{wIV(yXzo}$uZGlRI436_;lrG*Xjk}DiT}G{->|U;O44}XoCky%@ zS=2r&jj}zQ1Yjzzg`B`x^}5|v8?kPBT2|y@;wS3UZ>!D%uBnC0dJ0C7ax9zuSgein zyEcaYKl2COheK3w!E2?-g{l3>(KWR+n1AB)1W^Rd--OV27dRk^Ik*BMNu3m-?8oly z9q$$lR!t9%;BmbdNy*a?NihMv_1ud;2AayC0m&saEm!Nyu-bcER77qK;`!>^XhwJ7 zsWbdJ13@a`&-#i)y@*F_S`$(sn7mIXly&tzYMo+t{fk&tDbIEa=}d>bFH z`@hYsv!-TIxkLMkk{#=PLrSmXlyDWeeT4hnkSB4HCmd}w_f!{}Zh?YfaCEn(Y2JyY zaQKsieF>Oi1J=5PqP)|cx(T5?tMJq7LL(O+^X1v1lOC}uL?>|t&d8vf*^`2sQD@b> z1LVdrrYsRuVd7$E;^eyjXgwHzWhr^;%=$0SXZsR^gMaP)l_0ikbreT%G?Yv-+e7Y`r?AQxxL=nIdK4;9 z+rbf{d9=$5A6uwejD#)nINIn$ag~J8mwy7hwha4{dGr_}D2X;-1{`Xy672m8oKZKl zf_@Lt-r3-vmFNGlTK`J*CJKmhVrkUz_YzjGmC;9g<#hZUac2_Idh06VZ++gJ$*L0P zEctm=&vqlV57a2(f_Nsy*p5as>yFiK%Q2A2fWv?wYw<2y#z}8 zL=tb6-wV#?Ny;-Xv~Vj1p3Eoo5ivBQup6-@^;6MQDC6M8**SVpQDb<#yg7e8H%Aqd z+CU80mB?Cfmie@8_H)BhV$(F8o9~L+@GUM_%^h8M7da@T^^@SRWP1{pelmYJqI#+{ z8D^IO2Fa|)l9S{Hbp#2x0wk}5ymL{jl8@*#^OVdn&0}9q+$C`H2elmu1FF3tzGcNt;Ku?gvo%2|)Fq(4TZ6yLnWu zgspia(vV{d=gC=`H}${>%x$0<7!SRBZFxA-)71uuR`1lypr=ZV@A)E)P7=atj{}tU zH5YgPxhj-GdWojuQVoY7LxP<@2M(OmA5I;Kws}mBW?O^Bn;8ZHK5C|x0J7{YG0OxL z8o-q_9C1)bG7!O@I(p?rTwzibhflPqh%;G`6v|dV$=bGQdwn2*i3a>&%#;`_)^oN& z0Ju@y@s36>6kUbPqB6%hw4A^W3jJ1DMh^m^q#7=*GTF}YVPO#|v2+MYJPsI$g;!;v zWT3#<=W@)mgCcpM(2+-dCOKS|OP+2n9d&L|@52rm_z33{0qMi57%UoW;l!r}zU|AN zOrLO}Fn?uVg#NlD*9$j*1Km-2#^(Rfno^ati)CH_)VVo4&MIa1g}ZUIZQ9<;oFy4D zh-)C6LapL!xP{nlGGFuErYR}q2;$C34;!WM$qJ*eZ z;CW`l#_gr}0)@DsG*;h`3z@qDVbj!bn&rEs@N{jNOhMSVvdj_CTX(nRgmj?VdaW$9 zjl_3mq@I*xLdmz=Fg3h*^!h3!EpoJeGp^37G9jQ7Se(hU>C5cI&cx25L__xtV(qIpegwU{8%lK_qcNV)s(zZe@kfDJ0WLU?Z2VG%reU?-5 zEk}-7YnF(L+Mr*MHpy>3oC{&S2<9}d-S7xL1|A1JSTde5y^trE7t}q39rHwlZyx2!Hza~Q< z^W9gA^?5+@k`!yG1~Xn^Va(A3UX5>d@~Q$5%EAGKN(UG5m74}@kShaCb}U%0w;={` z8~k&1m(zqfjiV6-TcfSd(#UhG`t`xFkJ9nw z`VWroC#({ELC_s4n2O1Cmdj--^l3-R9W3ox>PJ&3;{$NR0y2--5nC3osmm{z{V(1rha@d3L~ zy{Eo{G~)jCiL4DigqpGPB3`q8xd;Uo&ei-hK~vro`r#Lz{A&$gt=*P{LXj+Gz9q!t zZ-h#XxFB&}6R-+Uc7X~|Y^eMZ5zG*Tu9TvW8Uv2Mvw)+jC7u(a&W$I6jnf4G01f0> zMZ4A~y4w|{PFXq3p5#H{b$5l|z9%Kuu_D8Q!EIG?w3ic4J#HO*T3-mL4CVTDZ|b^` za8F7y>R~0Iy$OdnHgch&!3~a0LQ&<9gKx#u;-<*1O*9X2`B@MKFh- zfT)Okz@Gs`R#lBw31=p^bGVaXa zb)AEbQJKK#^+?P6g!z_x`mdlP5S(CtsJJMTR}Q&Yi>*txT3D|r3{y-46+S7biKOuX zMyg4gB8sM~SAx1qEFs2u-eGCR;WXL0@rbGKS)QcBQcz3S$6RXHmQj=b)J@-i-}N=v z&36F8@0JY`rlgTq-!`eiP@cTAtZ{Oo(8YFbQRbnl79pF;^foqG2Z6L%??#SGEW{&S zZPogEaVP{~-G=#ww~JdVC@5$ok(e;g13gmWF)LRn_U&qx`YWT?00?kKy%C2O$3KDH zJY$3ol=~9Ap;nSsZ;|%Gv5e)M$>$^RQA;d=ChkZrREnaehoC(!PUWIu&=OgvkY=qY zA8po2hfQeQhE-#c_yA>M7diyfic2e+yJ~biEnV6Nm^nkrIqjzB=Ec)8K(3jK6?8yn zWZvtii-`Nvoj!aRT7q15mtiP*3(5mQlJ3a$kuj~GELK9(tTo<>Y zny(ONd?s;0C^m1q~qCW|P?$osVK4jbaTvHmZ@W z1tvpHRT)6U6`=1xoDqVWT@5zL187CWG5cpKZm;NYiUvY?``_^2@8W;Me=KZ_|7SVk|65Dx zKT1jl4*G_c#!mm)K>FX8|0{O%ABiO^TN`?#UrX>mnL+yhMPkYFR~!7l1(xjT?VW%7 zNk#@%|G9_%9{m5-Q)2rM_Tv8{VX*v9=ktF^7|j1iHi?OVk(2R10FM7!`9Dh-Ouxyi z|0*i|p3nb9P^qfb(5YCvl?;cwe08-v;+Mdv&NeDF_?0jstg%s*tW>NrQN5qKY;*Z| zr&qp8KR(+=+E)It+E1~Ls2vvlsdyYPaUm0c8!G%eO2qZy+E zYPJXTN^L4mK#uMVg2f$pX*Cp;?au=slZPn)V+N(C56Ix?=tvv~EOPa$VF;q7Oao9k zqsmxlXmtD}eHsEW+`Yn2>B^DE1=ITN-^5bSu1{}+nO%IM@BgeTphAFfXaWHq6Ic=m zC@Dy4Y6v0;ke27c#eu8?;YL>j{-GmVCQ$Ul8AUO>04V}X+xRaFBW-;x!~dIdDtwPV zr4G3dW7i0t1@y}qxFZwj>PKM?@X|kqjexwg_Xi*jxo==@b@|N}{+Gfa&{VWUZ}dfa zrDkvaP!)QPaq*?K`ab^-pj_kR zTKk*wOt<5g!f2izCeS4JWBvuNbJfTM{4htyw%1n=Y%hEDo@4TSi}&_H8k%2cU`_#I z1fUJYnJx1Y7j)BlSAU#N_%A>{>6frKHZ(myCpNBiReqSk;~J4?*Rufq(~oSW6;FEW zX$4v!qJAbLnyTAz{nF2N9GHJ4jM;V|+@B?a3SX0ucUz=k6PK1{JOJiAPN2eo?1!B= zfQldP6wL1riErDy*WTdWA2g4jozbsaoG<#+*Pkc8A5}9*bW2N6!^~db+Z$Zq*G{7- zYe3%@7y-E3nSy#Ym(QO!j19jk-fuabpCt|C*BhrFc)j`QVc!iRE6cl7EHbbXUuZ#D zBm&pGbfnR>MI=2NtFKnmpM=Vd3_#p!!Ir+>&F{);01p$glAi*_Mv!!$)~`^IXWvS{ zUlpV|px5b(+E>h))83sCbNy#3;43wMen-$w<)Q8;bK|E>Y)O+OhD=5BgIkqm6_6lkiy!dfR&b!|`Kz?JwY(M>%kwkWFb@r|h8;;)pA| zeH)Z^Er8E_Xcy*fUZ|nq?;EXMtLyQ~=2|?bX$>K~fHEWAIkI2=_0a<})nChJWjVgB zv}??lKf`|h4b%i1AuGEcC?FR2_b`fi%B;2$w4Ig$7mh4CFdNbsH86o4qo7=|Iw2A|PXu!5Emno(1_E^i!-?wyVesz7 zPr0)Ar)q{%u>k)VTyTDb0l!0ZoBNg#64G2Vcs@&%f8bkz(liov^Jp+sV#{m*tvs!% zA_H3|I0RMNHs(sK(mAnvli2ht5IuyfS${!f0GT#h+~;?mk-_YG<;GSb-85bp54{~dZD#^Or!Wa?C3}J) zdwMDb^sU=aNVn7;Ras6hR|w8I-W#qlpGz5>wh78-f81Qa*tvC(i&Hm7f zUTTj?Es7n^)tUkC$1u#tleucz~Rdq<`B zj#tuz3SKMlc)X?9!??%7vx-!PcjY41eWC?L$^>GiNvmKpBm^xpjD4-^ynwfpGkn8{ zkq?Eu0V&KP$}imNHs^Kf_0U-7)l%isxNg znZ!@wyQtMq!c@xA*z7WH&{PXD?WH~T%Z55!=+0rk1eT^sbGG#28uCXBmI_uSZpL9}%2X(^@vdaxi zjay~^ylAr?gGeu2FJ;1_qdE|5BOm8C#2)A~Vni5ldgSVT#~J*K_=j^9vKj)r+m&~8 zSzT&Fc*990mgAF(pLx*A8OQ!P?cbmIGSXwDpYWKvJJhcoi`op&*a+F|k0%&qlY=G$ zor5&pZK(sf2H#{U z?OqH*#D@NKqLE*Sh@F1;f|j4R@^C&>|Fq(Nq3CXLf&oI8|DgOaS086D!GVAtG)rP) z@h2wNEjxtdW3g4KSBAL?Y#Eb|BKe*eZC7e%y5*cr;287%k|3K1QQK#jtyw>Hrp1I31$ zkFfk_%q3QxRbTEcV9_lZ(Y?C&on_PEfjyOVKYtcD_>g?PtR7gfIhA@(B_&FmA#AL6 zPK=K=G5@V~CF1+m_hGs|mI8tNYt;N#rTA{&{Imru8g}uEd_B}T+ya4HNSd48YqSR> zXON;?GaXdRBh_wvQqR8%LuMR`k58-%>ws>zwTb(0us^?3fx71aXu~FF{y`#u$c|=D z^(!kp@;77bj2Pllw|{%lzOdDsMD5VtF%n=bdX1iY!*}p|J-Nult}ttU-a>0I!TI?(o2wioNXgBqzzQ6rk-LC_G5$Nv1LI zJZ-(s#)GbPC}S>T;^O>WIcj6opC$}q55Kp_NHU6|Z>jNF+%%DAp5r4cA~! zwNeDzS~VSEAXgntlR84i_47E2QR|hvxxti;zqYJ&rZ%CEwuxi%ASJ=qR+P))S65+x zdnf9^2dCi@V)>??(saOtpP-VKnOfmf{vxcBQn-WW)Qe^=V7eI0;u;-=l7wj z8v5Bp6jf<^JBA@Z9@JwY9mC7f)q3azND#%CSxzWw8| ziBX8{q;4kVmQfaU`iZt!U2kH7PMTxyE|}cLO2JWgnPcw;vw5`Q)7|iqCwA?ch672w z`*sp;foz)(+;g=_p(H2;lH9JQ35G0(I?<6Eo5o>ZaYiVc2Go>hqNAZGN*sYquN32D zQ|g4Ua^aAcIt#q{fowy@avcr~*tod0FKkQP{ov(2!P4uKW7yMHQbMBER#b4FTRZEb zMBmO$^BwaD`Kta5ugf`@PXj2r+~NVD;qy{du(3LR&Pxs{mU*+h(Ae9T|&X} z>+VgBtumUz4A)NinkcQC6_ZA@_Q4;Oh8H)6t7f63XP%CX%)JfcBDz_vJ4NB4IOn_tj0Y!Ea};xz3OKsK1{ag39{R&yb6HIcG=lc)-PK*H=1WP-@K$5?a!0 ze}qCBc}@~_J<2TL5hQ`KZweArckVbzsl2D=%}YbH#yYOw07v2;s`Zu=D6bA1+tAC^ z+YMmrR+fs^=?kDzsdyB(%7_%KoimzU7Tn^fIjEM>vWVs@}s z9O$Zi1y=p@l3z6Nix}@g+cSgu858envKo|L;OHrm8{&e;(HQv_CL+7c2Rcn?X>um= z@~<&{)YSHEBnP1US?KaYo@yCT-9@vh)i`q3iZc?gm)V-p`^pp4#>koQqVKpt@yR(4 zIQR>Z{KK#kw-AFg&(>!_32vSRN(I&Q4D!r9-dA%zh7XbxT9fcU>&c}KWV;FDl)b3? zSA#h3^|cjtso5qF~usKE;d?5)_B10rvc zl7?*5IIUr)jogTrOLW_r`K;QJ2 zBJ1EFgzO>QBP>f>|Z{DT?*;nfMcM~qG5$cZ!kFcRKY#UlA*H{-uFi$`1WQ>^c zNE+YP)9v(iw;}q02=eJ@o3rf*c#7vNKxdGu)I-ih_d?vpiQ&TM%%N zMqU_i;XcMyJWKY!m&O7oecM>@Uf%6i(tP-S%*ni7ND2~4uYZK>D-pnOSy}3#h|d4Y z(_r3+gAOU8wO44wHBQ88RNqwCQjyGZa5Q=pDQi--dh`Bc0j^y%|9Ej+VfPq(*EKjb%~G&KGP8N3 z=|c?-6E;fkb&X^fKy8`}E%6&p`pRjb2}9yhgwb_*EH%g4xdpdLa~XA@t-^{+b(~le z4?(S`K~@;5OL5G!o|4d`LC|V_=n2WkhF(6c7A`}Qlv$QLd8R(p(ct|=tRI3wF7~h{ z#FLT}LgPTe297Mxl$RsQ7iHq&H4do@Hw*m1rq+hX-WG(2>)UqhkG&Swm+kiFX1AeXNKKZ_f$lAFJ;6%a!t&znv5S>z0~>CfZPcGuM%*tCeQ(9n?E#(u@LdMkj3bv3yhd*nCkBWKL7bE$k-J-=2yyr)61^_;-LwGt1~Wrb3h*=65w_nviz(ZH4fS9gWV&OE+B7@SY)43CzOzK?B4l43aRGBI=Pfb5NigrxWpBWvfmKI9WlcopufI3FJRdbcV z^98U6plv+u8`p*mw>n0~qTTd4oPF!vq*mkJ&C`OX#P}1drR84V)y62{6Zz$}jUly~ zZYfa!fL=HoB@e$*tUG$p{Cx=M`^ISx!=nuQY>BMV_SjWj`7rL>1F%5Z`YD8S74N;QAZO)AoK}%y`&^ZE~L*=ICEil`Va?! z`B&TGV-_*Ri6gA6HRonWh6W08g*g-a)H`AMDBE|qU!DV=Z^e*=`(3JZaB_`}P5qep z>DBQE*b~#DwM;6<*CKI^<1!q-waLe+)=X+UNGBvZSzs-`r-JkoNZPYHMgjsRjHm9& ziWN*y->)#nf>*IODAZ`(d2Z9wa2$;w^9)5ci1N7yVfA@n?ZR!aHZgZ53C>a*EXK9)gCnisMH9Hy*^TdAOSVhe-l} z+*i9M6yk?2Lo1ALRZ)mN_MX7EA8c-cLV@M(t<3C~?;Z(~2CADbLQ2a=ytAuGLjXEM znWF+TPL3vD=;|w}EfkTwy)22z@2x$0b=`N{Bs4~;QP^6i`_qJt!udkxNWhG4nzLB5 z`O}m?UyZ#Z*gG}oc7t4a*PFn)pNATf4H9(Pd5N7si6<#-49w+1KbG0$h)Csd;|h`L z!r^DN)|2<21XIMJ$49;=Xlx1?vZGcdM1JV&ySswv6^dP2pyS-DaAiDNdW76y$=^9} z)&FSA{lwg#QLaYj_%ipaLMb>qHF&*+6X?v7mX)3uU$<%4#AzV5hv`LUa09CGV2w`A zYvVCjpEA@CVlZ`(I{Eh8qC5U|MGC9kPPGS?@sFCOdGf)j{;@xFq+1qY~BBN!&`C!UvgG z9Q*lCj@is+P&FKI*E$bOsvZ^W;&z|lC6cL*kj2gHFuqvbujz!RsXQkvH+cSnAqt=_ zjHgWfgXmt#7v@g#&L&A3M?oL)-gLYvU&9!8aC_o|i{25Lm#nGB_*bk*Iu;eZ={NH) zcC9?Fe96|rUsKbFnGQ|(K8h0D6w$ujuF?dSn+47UVsEKlzyu6QQESO{RTjhCk7Ke4 z@%Nmji^B*?lwaYLOBZf#8bRkNB;@$h58u1sX8H9@# zM*9HYF#Uz>+d#ZLGxs%8)e@Oq32cO?MRxx~?VdQ#02cc8tGC&h*67D{PhWLWg1?J{ zZd#G)w19an{rpU4oaM^V4|t(E69tu9TzGp)>Bkjf-oPAe{!F|_r6-GGp1_wCPNyqe4QE_l7VNkB3&-nA55gdi~=K|7JB-p4vUu0w~iT{)3yB0WOl%Q=ue_ZXEm)=NrvO%U5rP*qqpx{u!!gMlm3 zj_sUI1^x0uL)WW%KQnSHCXMgsme&OdufDea)1|2RQ*#L$gWsG0!ACBfD!~Ztu$Nx_ z4uiO||Lq~#E6Wc=nzRd(QC(#tW>EwD8k{3p#G2B!-4(yzJtiZ+`oek!vaSbtH;l|{ zn8J;IP(jyDG!JL8dQv~<_*n6r-2$PfKsDbO0LHDL30RY`B1#Hl87RmAu6wW-P5MS@ z9z4}?jdDcz-|j?!(eImH41}4k>82i>VydHdeN@dPJl~^85}nWc+cWAmo22<^FW2^k z_({UR>f}yOjd2l)Sw&4P9 z>ZOUuK--|&wT2kcu`lc;U>_6jsmNYB6fA_o%F;d0edMiFMm#&O&!r7qwcoUlAxPj9vk!a$K8V%Fa$xgiGwj^6s2 zQ#=jli)|}Wbw93SVsMg)bj^}O4{Mw~XT#Y^x0>jrQ0G3pZrvNOerFno>x8dF{vK{?K%5?%@HMILSpTh;@@5HxZ}{Dm39Q*f;t7R7q*vZwltok|ypD6hnho{} z?H5Dv5eLn_Pwe@*SPeBW-?q-OTsGTcvTN@lq9HcQS>|KJja$@HMXBb}#d}PUQi^DL zqX0ITJwQOp+hFhb;81M}T!&(Wf@9*D8_3=nWjb|aeHm}vUyN;>bH^BEWs3;s2Z zg>1!oyb(N78x*0T)`wtNhkb@+iA=ti&yO0Wyb^hRFdfeJJNkLO#jOi}zjH>EDlK|< z;e|a}!+*}WFmFp#2(z*R{m;Od+@J*PSaZR$RM*NZI(%4a0-gHDyYGC#1S;#hMU0+u zp*Y0Piw$oogKdkNqbQz>kQLZ$hK)$_IjgVqr2a-d3@F;84qs+!%28u%Kc4PuuIyzD z;%q@dRmL728Z1GaqRGwX##_N}D>Xq2@58kylWe{?I2HQCa8zJ*=yzNro9m@NhdQA@ zha!ki^I%ojT~eFRs@iT4D0kcMhAOC!a~JxYih(P)iIEL1-mDlFB8D;CzF7+$6uWJN zY#UFO7@EW_kSi;eowVZ^3|ocA)D4^|-86}*h%cPp2`}5oodN1qtukl_=?~kVf4I%< zJ0283O#(P8?bIa$)7j-^SWe(_|sMDc`!Mi(`FLH)K-Wg|^C1IUN0HKR6! ze)B^Yt>@!RzxXbaHT$B@#+FRw*wdqahp_D212_V5T~I6hCOe{$F0Gd*5q$MSmrduT zBqxmxO%un%#C{5%9SE;6VVN#gGR9*^wI8NA-}B}I+KyuRGaNWYGo)uj-J2C`c~JSo z6FI8~cyD)kBmj6Nzh+z@VaD>^M=(2@7cYWPM|C1nGk6Mji9_MGKTm7+75 zRsY~`a3HEX79GXhRZE7CZZUv@_wQ6nPqwl$tWLtOE-D(uT-lM_Dw&ghDXvPWzu-!} z9S)PXW~lTiRZXE~Z8Fc(0HhV1bC*t$Z6INFb11Z5^cxJHciN+M_2}!t{ZcV2uFFAN zszF`&Jg^Ea&U+h006R>$>=Ll_&j%tVZI4%@M%!{%!R`hz#*USfC*8DT@mOyhVSn@W zb*5>%$)RO~0yB2Z9Mn$*eH8;_OG<$R(_S|3_x(U5xsj~EKbt$-xzcDuNF;TGBxi!) z30ogPxnt6BsEzglSsCdk^*YA0wSb0f0x18U)%57hLU-EVUn47ll7r`L#do9-VLjXs z)nGJ=q$!QuwJxzxT0<3GoN0+mhIYLZR0Q8V9oL)*p{x1u8^rnoRMjoU;K-88sSr~_aZ28^OqJmdT5h}8%1HAuzZl zcFX;#%+T=BLYB3L6lWngk7viXLRgch%?+LL%ns>$I7ZqPi-6HMIT49h5Y?6qX|&K78$Dc(#h$h_ceD$?m5a&#ECU) z#_Uslypch@xi;aX*s>FHC^H0HvB(t5I;e$C0uYfbo^nE=x{JDL)DJ-WlPIV)Vfd{Q6|i0~hx?E#UJV zGB$a4ybBJxDZTaYn(8T4x$G{hy=(2}3R&EJ=|_O5BVyq?WirdTF6}rP)o2bEe5y#% zP(acjNx7L~3KFoS%X}kYlq3=;Xr)hlg`@^4QS7A`T|bW_ud`##OK$JK;Mos4Kzly^ z&6k2`HDvtq6U5a6~it`cVGKlU>82~q_s3e zNC8JGFuyfMz825mWr9)`uRm^DM!=Ep>$|puFZy8} zoZBY$k&fjCS1?P|-&A~7!83vgIgJAKB1$!`nLd2t?#@jqxp#_4zmEPAALY|y{gARL zKS-#AXxg5}Bo+Cw+kA6|za7;v3cvrSXSZa6bjMtiJ4S!dx5XcwThaF{iVJ@TjeX-M zUexA?hV=#Rv$`*NuZ0nO0@K0m9fs6GtkfENck!?Is`CJxFG2&=cVmG!)?QWO>C66o zZ%3;|Yy1*q4XjhC1vET8T8xBJ!3-DzK+0DKp9r{bW;&T^o1*T4`P!{cS0oYddJaP? z+itnuR&cTDAeHTN-FXfz8c(_}NbeF){Im_o1TINx`!99Jz^j4iostE3-uZN?F{MfU zV6ERdCXtY6H8L9p-235z-sO`T{a!^d_iv;NDx7c+l$6 zi;u=oF;izc2NSW0c8gXcNXskE(HtI{ub(XmF*IiNjidA{nO`BENrGy?tg)TEIwvTQ zcPF+vu9`Xsv#k!Qj%x*@qk^35X`X-g=Pg9LRoze~*p?Vo285nXnaM*781 z12!SWDZHL0Hn-S=Gd(-06SUbx)xx|C9_}YBilmx~eyX@GFp0{;O<-W@ne85att4g~ zXeU}~(mUUjQ)~C-`b;E&p=piW-2D<(U@yW{Qt)v%|3@ddjJsMI)dK3=cqmCnywp1UDbsZm_-MOM4Dx3S6#Hndl^c4pa{E5?}SB5TYp;{}~>!`+V z*SGxnh|XR{fm;#NOW>t3E8)k6kT9D{uY)P%ZBVy6DpzxsyJ$}M5MC)c&Js6Gq~_H0 z(Y>hT;Or2vRXa74hojLou)cFQMp*tK0UE`_aL~WX80iX?7}HEsk3F+dtjIYAs9VH< zP4M#@kzkT;ab&C(bE}l8ON=WRlCZlypMC^l!f0Kkew1^~KN)NdFM94bPdMs`Z6bdT zxLlUYw?6j2D?2}&yU#XoX5jvUl!eoZ;AknUi2D5}usaih*yzpBPv8$xPt%$n6t@v0 zBFUG_Q{P=z;TXz?v6Ta-q)MOT%HaUw%1MXOpbNt4Tgx^bKpgR&lo#24Fa*E*$!{Gp ziBCX|Bz0F}X39yz`faS%p6l*3E^6t;98tub;L|P&wZy~aRnfQ3nmy>+!dFsI(3UZE z?vWM;#pgN$lU+(uQt)+#&ns2Jurj5cBml+4Rj=81jMSu?`uc<-ABq;e3Z=GpP?3nz zq8mB5s%LBct}A}L3^yF_@ms=)pKBi^C8ny&r_^B;F9U0BPpGmhcymU(70?ZkYqSqm zO+!BTnw>e*k+?n%1TWGYR*STZR&>`kQ~&PxK-9-kRO{=p3SM25?5xmWeF#b7>Be}P zEfxASt39ZTPG$9bugwhehTf6zado--p zWjxUypac*?cuRdZzS~Sm`PBJ4+mTq>z>gw5>yafCwPra6;a7=@ZN5-O4?Bp)ggvH5 z^;{k~M98`Ux{fE)ogV7|qYZ>d=wt_-lffYDE?a{r+{Ygr zvKNjY?Jd(-Ic}%Wf{(mB;QtU4O{Zi9plMzi?BrCtSBs5|=ByGqOwb6RJPDzr)NVBH zU70*R?YSdelSd}rv#t~#O*Sq_WeN2$&fZ7w#&MLRKI9+7`loFgBgJ}@e?66KH+!GP zm{?(6z=~|`VwiF$QLj70Y@Nvm7xXYCMzudjZm@kXEXi?M3bkuQLj<4V-miJ9q<9y0 z1LuWDfuUEQ*$zq2bDb!OCuHiXEF3OlnGBVInG@8;n z`@`@0>6bjmh*D|E4;;I1QQ1n@YXX9qwAk!wa6X5ESP|}(KeeF61%oFH&NJ}!)}vWh zNq8c`cm9y`!zGG37?Pf)f|L5VotmD}ie%S*VgWbBbt~NX^*%-X9kC^*gt8wUJ%4tf z9j6dx63K<#%06AF$?QlCQ&RO!YLA#?2TP~KIF725-wevJr*Q_mKN^sRmc14>{vxms za2M^Z2nqBNll)k<)|iN|*68@Io1j;q-*Mw3xPVf3268&?pdZtcLLw`Qt6Z{$sS$S> ze0k&(Q5{ZidSkyO52t}-Gm9`_tdz<}uJLhHUy+=50Dr9715;i)T0+Pc!Hs~i`dSGw zV=p!({1dSWVohFf{te-Qku?6%qge-I?{UfV)89h713|Dr!^oMs^iIet1gB3W0_T{; zudSsX!a3eMHj^q@&uOgVZYPb=<&Uq?dyq^Q`tgAxKRpHJ7rO=spafBkt!DG6R-*A|)qE3J7#b?H&O`O75kqYB?s3ws4sh-j?9+wBKxCez9zcbzoc z6vwu}@iYqHXqGUH@Gfkc-vFJogC2oNdC_&jJ4uGC{Z8WGb%;#NgP2r!4F6RKGG`#*~;<}QwFQcAg8D+j&xctTPbhVm$B}i zgwJuU6Mb5$pXWY6=zZ4!gEeiatrjlZ+0-Y|Pt8l83C8WzA*GVLrl_UDzEit#7{(CX zK&AE*awjN)?&691^0iuY1CPaOpGxSIT#%4Z3yc1hZ)UWOxR8M>6{sa zmRKe?gZHRdVHgJZXO@lSikvK}GJ4;;DN;s2Pt^I#nDP@Ry&%swdaDNtVq7-|vY4JZ za<4#yMl1QweLu$z1pltmBY%dvr80A|F0aENen~&gQt)ODY{xHc(NvdeP>h^Pvo}6d zrG7_~UE|T`64M7H(z17P{Z`>awh{EeyzKyE#Qdb!--+ae+1^8vtrR-@M)2nXkrX&e zkTj5-2W0N}!b%b~n1><+(xP+vdu&FTuoGBHyg!K_jiwyGL3DI6vtVB%H>SKS8X?MFy(IRHGCH%gw_Ll?PyT>C|y_Pz7q0Gb;-BBBgQ%JvW|Hd-Dj$ zD#yh9LG&URblv=|lNDCM#kYRCDIZl95_BQj#8Rab_>h#)>Z1p$kcfST-af2IR)#Kt zp_yF0EsPZAj{9!i!Ks!+cd}4s?=J8ddwHU{8ebUX0Iw{#kDoG|`v(K_>8+3pT!hKetCQ1Q*v0rkr~YC!HcW}oE9XDyke5D{;*W< zxxRHFOd(P4QEMJ+b#x@ny@Sb%*rnsKgZ1#x@eoY9$-pLy{p*V=$xq6I-In*nxTga` z+Ker=0?yHZI$De6iwm*xryu@Z)#?f*(Q}k`-=O9t`n^>yy={Z@-9=2F@*_86IQ|hUr zxT_;)_F}+w39|di$v+<%Z;p{o>NUBDyZ3lr?goxgNl5xGVTo07C%|v)DRHTALMb?ragg29=@bGR6JY5!%7W$eogy^#h zluF-5H9qYkDR&l$FT(i|2-j`O)`za|GZ`c&7 ze~gMUcnlFu^SD8M(5*1U*6K-?je~I3>&A)Fjv9DbspWa{kd?%`*Rykq)#%V#mWIG^ zJNXsP%ds=bqKcY8UCk4Y^Ri5Aj?d{;narww=okD&b7mrJFV)H)*w6;Fd=xLW+btc4 zjOH&=ZlsdN%F*N}e&WBx1YWoxu4d`rdq44TyRO4%%M^F(swem?kKWk)+MHIKl9VXw znXs%Bb$a!KQ3ht2-f4Y_hfw*-l8_;G)|nmxm<9#p7&x=FT@gvzbnP!1s^FJ-Cf3p* zBqOg;Oc=lia2O)gK73_7?dLi|v9IVLNibcvmT%h!o37qFsMKt_4b_I>mHqUH+6;T1y_Zuh?EW_B}xP4Lc^T(Ylrk*M(g% zf7TA!W6p)^6Wb@wwLNak9DXeuH0ZhwXC=A7Qf1hmQ<+WWnFQ#Aby4dj)^~9S;hy}8 zq}52KCcziH?P>;Pz^03Jta4o(TvPn1v>?U%;8tWji6OwjUp1|ZWE&+|u`o=5{5ivX z!LJ$AlX5l6GU?q7)=5hg7(F?vqI0OCkhR3!iQ0cZE6p@TmzBMx0t`Ohe5~r@amWc{ z>Y-?>db9ziE=BeumWq*lWwsOVT6yT|-PQQyf*WuX%fxk#{Vi%zl)l{$)Lt7kGxn9Z zE&0G0bd0lZ!u(*4#TaL%I^j9=4Qwgcq`d;vZxViEM;++(GZ3Sb*gXHZdPcAmPc;S>OvAE^Sz?`5&R;?OP&U&&d15z;~x5D~`-E_A9 z1EM(4MyFgTZT}IQ)sbGXVih$?mXYiT0>StA*8jgKcea zzqq_Rct^p|z(`KWm2U47jdA;#>GGWi&-lbkQf2|AE<&h*qr6}@D)hTndfj%-%}DL* zDid%YA?gHGC2SXG>dxPa8xu){Gdig7CcF`TwdF=>VXx%$UVxs+p)Clq!ad70fG2a= zae}-r>;TuX-cgr)(D!x2ou(~lMd|+O;I6Py1nv{XtQ5CgE8`Xe*ED_JrW<_pXtpVU zOi6E@FSKeLb9K7k1X*)^o9k%z%MowV(2ysuJ|vQsUdX^%3FhYEwLZK z5jVRZ*AavyeKzi_PzNiTh@Io#PfQ6t?7HMmeiKNRA+*@Q5{ptZPqG+YBJ6n%^O`Hj zNCGEJPhdn3NhqE_vF7PEF-~av67GXQVk#>F-pNe4flx*W@GPkO8#o<9J`YnbLmuJT zbA-nCDy^qt5TiS9#m?PU+$Y>N@_({8vGm4(Gm}oFFt7p)t_m{B~_twz7A|G7p`5E(X7|-U62smmj`lRn^6Lel=i~)eM3Q1tme~ znxU0#xxy%A`FK^K=kQxE>6Tf2du&LrA$OP`zngxLyy|jJ2}LDq^X%J)_Fy}HfEKs> zyOgT4Tj+^>0T-vZvIHZSJG;x>7m(6YMR1+ji}>ojAre&mr&e~9u?L){n)eU~NzXGn zq0atCV9uIgt|wVD(T>YzrhB{X%a+j!>xO4URcKwpgN&qjd&bJx$NlPlULbNSu{%SvzM)FL8 z%FS?$r7p0K4fnad zXw}R$W939^VSh0$__OALS8gHisEY&l4ihrua`HVtIUgk#@~~iAW7$RUJAYcl(bqI| z9!fj5pvri60kd*7Q-XC-sfVc43v-YKE}l~NG)9r~>v*%Lu|bIoY*dQ2clg5WP#@&Le8jdQ zuYh{539yrQvb`C%GoJCuJcidIyNIET%x|V2ZoV(5hN`lrCgfeh=w)2RK^K{I2@PS> zF#b@rye3-FCG(0wPEl0%&Qs9Otes7DLo6TgkuqfdhsMHmM((h=juce;-!qdhuaZF zr=ICptHf=~Olq^zcWDhVn&2Y_HE_-N)>k2cZA~)DCiTAQyp^lZ;jy-qU$Fs$L`h)< z2@ZPEkY8toMc=vjzh|Ddt+scLN;FJ`J__hw#dsx?i9ujx4_W@9A~Ehd;5}G-)?1eS z8s<`)V;o<(Gu{$chFn?1<-lU;Ph-00#CwIkiFcqYN=@COdqSUY)!LLkRt6|TbEmDx z$;8FobqMw+es-sNM)cykU9eKy;A3FXR`>n!J=L$aK`YhV8;R_GBfP!p^yh8|ViepT zD2fGpY#N7LFLRt`Ts;e;g|c@V?84`Y&&Y4Rv@P)lYracF^fpy5>GxB-t!0 zW3Ta58lPBn&|fO6W#E$Z65Oq?OsI^l*j8#$T?MNcdrWr`lsmSOt+9mGIg#D`+@I^d zS%9bgAfluz&wl@1V{sl0>JlExd2AIXiTJ4HgeV;}kj>xJ?;yN5G(cFUK8Z{JnP(b# zU=9i#nc8TnC-F;nT``M(xFhXayE}yQYzSrmf+96vZ7OA~=Qd;+dHsbK)}~fPm^k;q z=TL71WDIp1-0u711YuOLCO{G;7aGwr2u;@8hOYhm+nU z6oA1v9w#UG%6V|n&4-1QsTNDqr|vwK4N)POpO zNnt_5HB|RV_g^x;7VDZQD&5*Dnfr;nU5&VF`4C$?wHW^ti@8yn$KVO)4YZt zc`HjyB&EiFz2f&QoCjwn28>wa6nha3dpgKqM;s@U!+qT)CwoVNPwqD4hsV2I>ZaoF zqU)TUoS&P;C{;k_(7?3#Bv4-crhSTL^E`NiX=>|2VtnR`fq-k>DYFnC7~f*-g)jB- zBTSUShtP6hh`_%yoReDz&XE3b#`oc#`!Vmv_k1v&F%S{5*S>6`gK`_sz zi7X^0ns=P*{=|xoZM5)G8UN9eGD62#7-Rdy`6UcIruJO1b#zU?{Q{ffL9Qo>9+?_K z0|9BI?sJG%LC;TorF;pHR*jNP{)?NZtXuXl2*-mC4Voe!w)qh7;W_-qXDoq2*&wDQ zN+fzll*Gsy?-`sD`Dg$>COSWrWn2f#iV_9ir+B3|rJiBxhN^|KW>t=9v^s;Ze#wj1 zr)uZQq&H8rRxjnuscKo47_ZB6y%XWTLAdKVaRwE7!GsVfZYuUiAtyapaD8IbN}H#F z<7NaIgI2p_M6AvwSc-x6`yc(Zfwfc9RQr#UYAH0{)0cfV`~jJ}H~sXWOMTBXXUX;# z;#joYw&ARGlF2C2;WMw&hT&l+59eK~MeipPrh$jZfz!4ia{7`OCcO?q&j>f!YK;KB zsiisu&#jh`?@mE5)TC}7rW@t>PBkrz{-of;5bq6a%td+QE_@HvnPcekB)}dtJB740RbYYB~v-O5dvG-=~ zVM~418d)3h^{?-${vo9?T3C2RFzvl!3)L*O_1RHJd9t46ke7{=zn&jUigg!A*A-Ff zUB}sOZ!xmIRNLZ277g&!RFIvnsX9goRX{*C6=W7T@|ty(ww!h5o&I8@Ot8N+v_9Ob z)!QsF@tX`LG7tLqZ^Yo<<<0qTf!nQ~Z|6&-v@MWPu!O33d_y3ZcAFJDTNUdnUQ?ph z7K=o%G8i;%881!^r!y%WkzBQ9>5yF`K~IhEAMQd*PxVH-K#Zq+wPInV!Cl=3XNrYL^-k)bs-*FU^+>*aV=*eGEXgc*T>= zwwXrU@e6(5>67=iV2z(oT?KlTiEl+lcJyY{D^kyRJZ}i#G7{B|zg)BsocdtW3T=OF zy*4K7b|mDpR+v6T6Zs6**aX+_v5iE*T2ZS{P(>?>!?ONK*&fV+(~7?FJ;@PC{QR;VZuBgUqK1jN%p$Nv*=a@PDPW62Sy1lFwu-dL3#6ogrq;?eauri z3x_={Q^$gZQeIL1)fg5@0r)*r4AMEKW<-&3f$!R$bMOO7o>GqnI4i|T9+b~Fkg3;J zz(M$DFR5;(!5|{SfE2u5yQT56w!sVNOY{x2W8Ud}223GXRh5S9-VYY@ASoqr)vj&cnV0M?#!jT}Ik=me%x78&? z#1vmMO`SJNoEvPH%Ge3)Ei%c+_-mhkvN0`>UlV+*yfg9o<3%QL{lNEc)nl5{Mgbk}o82wjfZpw5NvxihFhOb?s@@JjPhhhR^ zBEhdY(2+yv5}~-$Zcl8p2&&N5D-X|4(w~j6mR@ECA5%y{lf(eQ0xGSI^yd^3QkoQe zL0j-uM?QN}L_54k&=kTWgItkvwZE0*BJW$)J2N@eJLVU#74_SGe`#*6?|dA=evr7@ zl)Y`H162Cn)S&>72}t@NSfkTudj|=2Hy<$*(yWDa2}tXsy7f6hQJXVH!p)wCjT z%5IT=Cf`u<4wGVJt27A4yXdv~az*XR7pT0YC%tFc7tXjwjH_XIm23Bu4=LJl*S*&K z+9^S^d3joS5x&oA34c+st``s$e~*X+_gzr9gMtqICk zq-K1;GBKvMc?wSA!|PRZGV8?oI5kN%96tP<%V(pN<-woeB+rnDy6X?G=h%^+8 z-*G?L004^FJ0IV7uv$3*N-!h)ZP&(OlE&Ps-xg!(V@uW5xa+Sk`39Aa&xx0FJoQ7G z%E$07QX6>daYBV%=GrHCNgdff$Kg&n;#hjn)6=Af6c(>eBi6`JziI!OK&y;u7NC}q zpc+4bruGDPezPoP7%#zT=Y1nRc0exnIb*&@*$aGhcUstmKR5ErdtitHJ=1MVm6#=P zc@v7B!dQ9WwpBCPp7e;F%)V(1+oa`B207}Rx0PJ~30;_U{@w-4dkSo8ZFpk{p~I#z zxQ%U9Q%$M68iP`=6AML{If(gP$@sNmO3ksQdim=kAJZ@NP<7?DShqP*05rFFC9rT( z4yLz2)*uNuF1xAv$0|3VN6HOq)(w<45Qo z1hec@-ikNV5RNA9+QH4doVttiSX3_Thsh>pONTvQ7GP^lESMe~=y4WeVNp46r1 z1DH}iF5UE+DU-ihAu5E%k0fIwRC`KtbLS^vPeB#`UGf(G(R7@k+4T~EVG zfUr%}(Zri~WYuX&7Pd85x$`KiAB&eHfYu^qKqRb7TiJ{);VotTm>SZB*RSWpe1Gn|H@fd_@6#lQncAU&ae_+i(C z6xde(wn*5g#dv~%SPyUnQ9kKWtgPPNvjS}eZ@O0^)pgF+6~YmL0JmD3D7o2P!(}bA zusQthsoCDfq~bRBcdRnyI-g5k%!u`yUsC|0T-z&9sp16IVKqxgg$rEC+Dv0Tt*5xF z*Tde2v;c;kL+qS#j%pgF-@x z*A=IwHljOot!~j?*MZ|o^t`J4a-T$<8?<`HD!}I*m%4prn~aCkT;Ulh=%F8V;!Nv4 zE$7;_R}A<~tTA2Q77iDm%^|ybc-z_0{;O>Ezawsp#mlq_^80Hp>Sa{lAp-f?MS1xH zm41t@Ir2s2+W#}PZWT@r8=M|ds?;!9&||`Afw`-xjp3*d{|KA$?33#fh=?RP&bx0D zF9>xb`DH@%kB%BcTwCSxwu4!K;r%@_46SNZg`R^e-{hV|U{#Hd@47Fl-I*<>Bp8-=B1y+*gJOnT$tnnu&NK2-;A@*0t!s{}KhRTP3wlagm5nlzIVaZ`G;)18Bvh*T;RG`a+T($rfD`(UQ% zR6MK(y?EyGLh*PvrH>@u&VkI=LR*QnR}S7?aYBs#b>M*v^#2UP1N!QDpS?S&ZHG)< zX02Rn{)I#l3YvF!BLa~@xg%*xs=Z+y&54<>=`l7jUiMkvKnj@A>@*_2HnkuG81hh2zRg1p&953L~cD<~=a7_Dk^6cP^>35S? zIr}h|Y2Ij4*=`-9-FfK^953ZxhM5cUHX$|H z_X!7fB|MNeMUBe;uyf2WjNM~!X2HHL@E8*(6Wh)kOl;e>ZQHi3iEZ1qJ+UUXlbd~R z?S1ySb?&+MTle~~x~tY&wYsYN|9f`b@04XWo5aYblCKHVue_A~sK>fQgX*oB{L<-C zx1Zpw{OupKz~oi&|JKtrT2yl#@oX-L|Apq+X3IVo)uBA=HA_*(-c^%pE2ESU@iytq zIMb$uP7OX4}CG!kh27G#7IoN+A5}ECAnDCGw8ns37P*5u={_3gz8el z(n1o{GUnC>&W`^C2^EY@o&N`rkdf`5AR*(ge*+0w+5QVi$oy>!{wGMt!18|q3I74< z{mUa{{zmo$&Ga1I)cRMp<8-O{$0`L#L(8}1+@jnSe8)s_+V+TibQyYLSz}ChXUl8_nN1B8Le1>2Jf0wD&)*(^+lPPgA^1$FW^Crb}IatIM5N%Fos^v()(0b!IWl z%!nWwo%2mi^!7kT)mJe%IH`cG5B#zi?Wtgof5a(K(X>vB?MrU7M5N&^+6Et3K1yMs%Mv)cnDw`NiCZ4NFE?p8p7 zn+jUO5c@?1$A?!HKr{FLJOQfxd;-w}Yh-SIF8L)I0-)m;^#ksmn;sn9o0uA$8XdgE z4};e;-P1GNJ$ZhBt+fM7W5@U&F54dkQBU8}=)&q<7DU%Yai<5l-Vw;>qV}b~d-SJY zj7*FOJerG)Urp%`B7?8#g|W@v)7;e2CVh)dnNp3!q0n$P5rhJxU#HD41xNIQB4COi6O7JH}n{FlAYW2ess zncgpzF8}Q8rnjC>|F89j9*0^xhhKFp#(st-FA?Sk_oy3_{b(^axjylY%-|qt>7UlD zF3oQUlS6~Mx{yK-vNLkNr22ZWjZH3)7@2AP4CBDr-2xz`pI1sI&sQifJ^XuLX#QWC z2OqvDPdyg*J=%L;D{t?*WkXq2Rfn)v-B>%@ju6+(X0TSkx(yHnpwFhOYS?T*pO|cD zB47Bbpx7{$PhW|5zFSo`w^x;4Qcw~rW5mZpiJzV=xFan?hKqPhR2F_3EWRqiLR zp(W2R82tD}Z~fJzzFR?^rL=h=1@y&~&`vY^>`VKZhl~u;4$O6$zQzW8PjfD%n|gD` z;ZXm6{rLs`1|T~6(we|xV^?bhZcN8WOG^XR-Tu0HnMuC%%|mKp2EqDT5FM9+Xdc$B zdg_7w>J^!Whu4kxvc&RI{=`4?)doR9VMQTsZ8H9ivB1o6!!QHBtDDP zYMU2G$ouPllRK=mR+$Y7UsWt=dFCN!1zX;ygO}d25hlKs2oo9gtV0JxxxJZ5?L9!w ziTR1yF1&v7H9r|Xl(@(59OO-41R|rwt$j@;ayy4~d)b%Ow5rA=UzM z6Jq5p1ZhmrB~YL=w0FlSh4<$6K@Vr2Pe$#on2o;hc&ue;XxLkTn`LjI?Gq9^x(Boi z<{%FuVLF&Psq@J_UOSk|dT7P5>AO4xsEA@2{&a8*u4nD_j-3>WdkjEev3IhM($F<0)C4#G5k1tLpL8Qy11$%> zuc=loicG3gUqH1$zb#)CI6B9*=cpSajyH`Hlw^@4jrk(;cLgR*f{Jz}--hcC*5n$g zmq`-6$L!tQao0l#Nd;e*NDU^wX1b=u4_M-VRev`LC=WgsXt>%g?GuF40^dxEjO4dECzowntr;W z3zi3lVI-8USc3)CUHS+XVReboqcHIJ@rsIQA`bEG>o;ptr9v~zcGTkOw{YYrz>%TS zHHwHN=W3Fkcn5wiWiMitZ`HZTzXXbYISiX98I|@FBMiSy+XVAR_0D{}mSRk4FQdkz zAXvr!wayptF$=l6Mb~J!{hL`VVg%AAZp`1~Dfl=k#n5*CgICn3BT06yiCF>9_+Fd` z>7rZOSuxwL23wwqEQdzj%eIe*99D4AFh@oekzAFXn9%BiHPRBsZ%jpS??j@6DqUE% z=~sv+bN5}hLKQ3;H)q<@)h}Z1{EFhfm`dlqeg7asIV5a70Zd_N+X;Es&Ax&qHeaJ2*Z$n%#buo}l~1nK1tb7{ z3;$OLe-2JtT{5n!e(6H>ZTtphE#~*-W+^9twjAvEGN1L0e6^D|3llHJ4p2guhwW=h z6NL*(RmLUiaxz8nJVeev8R?HJEyoO)m(EKpZghin4eR$(3CWNSTC-zei7Eklxf5;IOHD>Vq!TEfDIj(GlMXVn8Kp4F9XzM1CZzHJ9D?JbCjjdp zAB_dEm>RyQNM%WuyAo2@I3IIls}AKo1d-E2MOV=gc$6j_?cC{~?lA3_bxh~z%*fkz zZxu){-+*@Za5*^$!=A)#M?}1yN}0^?Qq~r-OLNM*WJVbMAsqDP zo`9)D72M{*$~m)_On5)PssfefOo4oKmr7_?s;q;>y24aMxH3gdX)W5NLpfCiGnYu| z-%S^J!vt78n|e&vrR*OKpXaA$#1uhi>zSA+mgsj^qhL~&THpC;))sDD5?(UH@aB@g zjJIsTLJWWFsfTi5+^_Xg##dOJe$AmE+m8{%%F`-4ib`v(PazY)C3C@t>+zSc9qyj* z!aaD4qvtg%^YIl7E?c>8*ZO0U&dlK|j|B>~Vs7PAM6ozyQ zT3QtBw3HVz+eC|D@~EZHnX>Q`5S?E4X2$69^%OhEar3I1JjA~Ia7XJh;~h>azP9B= zhEF>Gj-+t7QD;jx3X5gUx}L3jIB)Z;2E7o)z=nb3BQbxD1G~GP6EX#O7Rnnk52wp} z3Zw6tLcfjB=-U`{B)nF2&J{vtR>fQoJI-&)WclC8iW*oO!{c3bF}`#W&p><$;jXYq z=#^!apeSbOR)-|>2VCe><_k;SZB_+pr<#<2M38DcZYb8=X@6&{gGpfGC8o*Ga7mL! zaY{-edjq%pXL?>XEmSt(HPl7f7{RM>^J=8>pftL8T+1J(jUO$e)aMbxAEBgL9Yv$N z_{7%`E7B*v3**=*+8&11Bhb|z=9L-;kYM43q2Do|d}aYLQO8-98Q7s2h$@~0OP1;u%jHTjFmtcgEWh-WXiKmACX$eAMm=Zs ze2}xyBBIoksXmsYpm|2~{qAZPb@;~O8%MmWpN&*mJwI4vw&h>!KVC<^*3}J7>0X`f zs*OEVu1tcq_RdFPu1nL=3rYl!5T_R;6w10D_g?CnM-{ z>%gf6g%^kAvs%!(kt91(H60zntpnsEGhcBTBvNBijGMeOyw3Z;D*+Fukx?jZ{Blww zFrgE&Q9wT@N3D@ylyCtt1=Mt{Kbw5@f{~8jI-_G$*#=Gfk2iZ`hkQ}y`omc|VPqO=CKYEi*?k;5JynQ2Ns1`3lk~l+?l3*Za$GgEEH>JP zttd+!dFK0Dq4`Y(L#zZ89BQYNL zg`*Ned~M_Yn!IoUhgRW1AhiVWk`Ngd)BX`S4wzaYVRYLSYq;ca9UN?DRD-aZ&@~(o z-U;e@#%ue$vMW=#T5{9S76pU{gG>On2b>t0JQmk&)~}m4I=JC!r(@go(^VX0<6ewc zA=1JfM{qltg_s!q@+l+AODdtGQbUc4cvsjVIZ|C3e~2K_Zi@-~-mcIn=i&U8LYI#s09<|6yHLhkxInzy!qocITff8?k(Y^Jx3h89TZ3lI)6+jQK?2p zOR%$=TDT@O$)hFfp}L{5&V;m5{Fcpd_`?Ky#F6KoBhZZ;#PorV4px+B@5$Jy<&$qv zA911MYJ*&ki``%rGGzPl9x|qee0`9GilPVnG@<4@+#4E&l`WXv*EB~Byp17dH>8t# zaCb>`@QLuN(Rh!8m~Kr?sbkpr*@y_XC~`cIdxl_z15J6$_HpSPJgshq8E=FX%oPu$ z&+{4D7CNQqsIDJNr?usN)dvoe+)+1@A4znpR(|}d1zZQLYdfz_`3@2I^lu19#FS6W z-Q}65f?C(cul;fJd^m{fs;Mq-4N9F98uklQSJjtYuHFiorj=SL6ezh(^=z&fC(R)d zfMHE(1TSLx9|plgeU^uJ35oml6)s;o3773om<Hl4`O`}n0T~u8 z?TZYaMAk|2PHNcZE=7*hzqqe3N~g8UT)w(ZfZCjs3Y7sdCp? zedGe`?T)8IRwS#;a>L+OEkkl;NN!z2GUAfP3&nfoXa1g%rB*R1P3RnI#fI&LdOrQG zs>R5?L3CzBkk|W#m(+oUbrf<>Bc=M=Qg<#>FavV`HZnf+9LeheZuEhYbC2a99}hodT1WxC7cI93ZcFgze9%7(Yn zvIK0BieCrTmUd|HI2;bfBhUUgWju2M=sAoi9rJ1DUOR>Zojq76H-r&cEzl_D=-00l zG2ydF3trhl=w4Ccf^Y?;o!~h>Sj-6hkQ-KmA;RxZckYMH!MU{MVZbP@F(M4I(*P%B z_toEXCR_N;P5C($?;fw|*|_i#W8YnsHDnhBoV1VRyJE_CFADd@E587@>T+DP8W6H> z_2RDJBUt!aHCRgZD+@=v4&MVcQkK~n?7YT;>9`7efo-WdMHmOHz8JyQcjhrPJ!x~Z-AY3YII_8*9=Bht-NEu2;4_phI#d08I zu@@E9P{~K%BSAtUkTPz`NyVL23)vEHLnQkdsB4d14M*L$zuelz-_>KG6L9)sQxnNK zWeBBsuRr2|PbZvdJ`$WKVYJ9MOoLsrU_(=_d>uGK{Xc@D(`1JepYv|Y(f9hovxbi; z4dn1zUBkPNMqXvl<;vzM1=XfEV#4;u_4P9%20it2bN0CQYv;u|$yF!#sdqb;Gu1wf zUI%-U^N2-5KycVp=+5v@?fFYS)4H5};5eo1p-*inEMlkpwX~-z}#SPd4lZ{-Lfx^&kY{yOrCV0zlEb}u)0_#%tBmQD~1u@h<8|6{OZjy-|CSY#u?n3@93RfOze_NNb7UU27OITimR%YQS5seGauL( zyl-ZAp;?Y90QOAh3WcAcFEW-D>4qjBrULWi&zaH17?Ofz-<1Rw;2P=$(za|f3atu&JXz>8edV_S@nnhGg>or*zL;?%?M6_PU#Or|)sbt} zJ&GP7ty7H2HLT(AG6=4Y3!rkz!Krj(<4}bz zJD&Sq(E8}fDr+p?RDs89C9i6Pxbwukq|`*l8}EtThMZ_e<$fjXGs8>=_%g?0Rbs96 zKqsP%wJ3RAh?*qja63DEW-=CsDFdm-_2B5^aX9AL5VsCQHKSUz!tUwv|6n%HIOayO z!Hca|ng*#J$%|>%(JM%)dHv-Qc%E>98mM|qWyOA8ac)Oro0!k>^>nzFpL|1Sax8cB zYC{z+&ynmMuNl^qA<1o3t4_52xpII2U;d}`**=}8hTPf1xGi2@DpzMpsGH0p)vnQg z`OK4=C{t}$;m6B|E3zeo;45#Q;10rxUNBM3vU-&bElJQr0|K|=7Fj#*15N_|Z!38c z9#xw<5TD4AGaT6)8O%|MquSqd3QLlu@BVyM3i-7snwf6|aPs<=;v*I3Y0i-8de+0k zIgng)r@wdxk64^YE^`Pcxba)I;q~`=ww4)@g6dcG6#uA>h1^B1R)!cgyNCYb5i$8* z%c@DvpKrX&2?Nzkn7So1DB)5fPZXtZWrih^=`$6GI8#A~?mB4LjTbCxAC~T*&Li+% zo@6K8U%n*Dff$6BPxz2uv^$b?8~}VqPoWbH4HX*#%on7lfLlNwZ1PvwVc2%|nkc3o z#yfAmKz)}<0|Gk;0-P~0hpqw(d!0*v59r!hOvi1mh|b2x0`)sMjS}`Pdn*|3ggHVm0g!P{qMT@A!MN6io#~mh>*xw@850|Drv4_NC6Se~3!2n$sk(r@fA?i_JMmkJ5~+f#XI& zGAp{M;yKE`oO&Td-=@v*r{HtRii@kk3ua$CZ5F(cO-2o6`J&QV>rf4n5nOWPD?hHU zU)4eh3LQi(t#8`BNZ2F!MGZRaJ%7_@+E`8_yMh-NjV58*5}h$Tf(Z8E!wbiS66QRl zk{-t#Qihcpexu!U;AO{Ug8Bz1-93yGN43dV1jUc2*BTm5;FB_TpWtjDE&)!_4B`P^ zzl?3$T^yX9$OY{aeX{QT`Sq~cxE(UT=J z+Q(t++)LY!CG=-Ks6;@B#DWMWU7vr^WnVscR)$PcO|!Z33})ov;)x1vO_~%lOKCW_ zsczvTDuG`REb~Afvoh<_IuTXgA8v77zPV0!VrZ2tv14FuVLr?5yscGv-7yaO$AvY( z((^qWVcp!(RtV6|^CaY5>buAMp}hO~U@cO}J$f-Vf~QfX7W}98ujuk?tnVS$@{rs1 zc~JO;%arxD4koDU*x=z!OU-DIzrxlwdmPj6|JQtWdqb_XbIOnZmKt4Z{%Rweno2_75r6;sH zTp=g49$q|{rgw4~Oth*ku&@JmpY%2&UTP2on8oeAmJq2qisqB(AsW_SB0T+!q1?=U zq8EQlEnW$y&%VApoTpOfP+(Jt-%Ijv)xX{{^>qH;+hje=4W<0E_2&_NHR1qRa^3f3 zbP`LgSz0yE{vM*n!4l3$n1>vKn}DqUFIyUkJ=CugF7E7OIkBA{=#-ZEI9R#ctzas1 zu(_|jrVW(&DJB6JpxnTWMQ!z0G3*YlVM{aR0yC9VtDAE@*x&QV;^aR@%$@A}>69*! zSC)mEc2BwwG%nV(_}HQd>c?Ekah6e><3O0FHw;lJ9(TIxVas*r_g{NcW@QQdyF|+E zfTh%%x)V=S7w{ylqKGRUdMmi&pYR0-MBUA;72d8d$rnlNTfog4sK1w}s{}5Rsg{cv zosc=u9fi=8;T3tp6VN%?eGD)Mr8*oP;${3?MY%4`Ih4}Fz{gP zz_EiOI7s-D#^`@c@1dn;Lci>bm3R+d_=n`Q{)Hvv50vAeP0!F8!F_ZdIe^99a-lh_ zp6wEiIVf8NNN1G%#ZeD~f&xEPm9GoEZvw~FHlGmkgixPt#bFU1gw!dz4Q&Ab5lNzf zAToLeU61>~obtJgiuh&Rv5fAa8d*`Duo5uiLrhNKL%B1$q;|vF|5Q)Fv3Ol($K;3^ zNYo)}J7zo>n)p%z54^NfYyjPdr{458aWxZkm%_-G_oGr`9Pj))4|alfL(iS*9ZlY@ zgA7w0j5jyY21!CH*Sm;k@ZwM+A{hnRq94yZirWBkfgQ3oET`REI@se^aAS2WOh^jE z_};TV>2hkM^pJ^4I1r=5!P!}ZA zPplVDZ6o|inqp#&Q!bcqTJJ3KQpOsT5T6Q|Ap8aMeF9{PT?rGx2 zj|JNESPBdal8QApIQ(k%YFzL$5|F(q0<(3g1nvJ+n@W?HW9INqWTS+K=xFjMWUGD} ziK!|Nhhk#Y5M-_XxX8&SKAJlNw0z>x3XD=qh{3gTry=$Fq;atX7**cNvwCgbN5ot* zEz zp=(_f|H&7eD7Z{!TCz4_Z!$LmIYF1I9>)4+Nr7_>7NO0+{=X)>r zt;8j^Db1SH8g=U@ZIWHV=s~^6?KH8$?gLYp$Yo8Zx0UZyLyzGCLcGD(*@hE)XLHIA zGz{>R=8-Nx))P;D`GnRN>1oC&R%$>_fkD6AZJ+S8?@(}G_vwJgi~CELL#+>I?1Pn9 z<&_gw7cJ$Y>}1~>XFu_LW}O`*@)Goq`o3w`tJ!`{c}0;SOEfhaawE3lz+fa)jJ_;w zUh#g`Zf#fVUYn-f?B!4peHv*-XXzY@3;3Ihq z-bnl*9os4aNA8T}I_A=5sb%;3LH{sUGEO1^a}YpL!59`#OS1OUnbd_suTsyTnyGYd$Kj`xo&<+J zcZAE8LA0~4x9W@EF$i;Lb6*qe*wj-g+^SPW?+1x@gx3z#-h+Q(T3>FxWO-PGaj^Bt z@wGptUiF-0T{turyY@=4WbnPX;vibgXUwVy-QPr>jraHvLxk*EGqLK(iMCLw(zgc~ zlW0zRdExIG3c=yVQ6Q>Uqan@EjDya$oFnA6f)Gi3BKYx3NIKT~=(HG_zWf;X!Jt2y ze2HWQ_;oWIjm5!O&DDKna4QNAtd2`(_#c4T*5nZCb*w+-){uzHk7O2Z+8h8%E5&1@ zF(mF&4rCE*a!K;boCF&NfHr5a(5v0xXd=u5XqD*iT;lT;_-VdU3oO82v7uc?FkHx( zae5w%?med|0YoFFZsvU=$&~he@BVPGc35M(1U1L`q8y@RjA*L3A3^4mAw6Tr2U(u% zH*K4x2GnobkdaNWlXXDRnT75w52Z7BcM15#93JNBtHDJi$S*j-D1;<3>eR?;-I9PC zoKRxV2R6lG-XcM$HE9?y@ZX{Z&5G7Ow_v5Sryp@ohNvSD43=a;dxkEm72{ty`+s3~ z%P(7N3?$&txce$mdxjc$kqwqx)Xz6b@ST5|FCV@_w;O{0z5O-n8-j7akVmcqGTsnO zJ%oxah(jY_P2pmmT|FJ;WqO0*X_dJ`ef`d%+uNWY0B}_&;z`*VP3>mZ0sjf!Cim_T z5u_pGHX5B5GWG}JfFng$L72pHI)g{{P*fpgOo{7EaPLnjl`GtDI?$86kt@fIyns3k z4AjL<`j{lB6C(QqRCvJ@@C#HAn${!x_6o7;p!}a~3gxD%exUVMkHmHN(XggL1gsba zLrzB_Q`aA4v43|wIf_O+k?Ts@JcQmqK8Jy1IZCUubMF7iAoCk^KiO@BHN0%Do8sRfLH-SsGKl^pk7+wWsS>Api=- zd(rN5Th7JZ26T*SUM+X(Q5+7yy#jHOv{rGo{@7S|!-y2Y z0Iku(kr%OStrvghexQ1<3U zngR4q(QLtA+T|&1{uKllMa*NnraS>G`RQ13@tGP1DlmT(INgh7V|+$?6t{ziwuhg% zxl{g19W9Z(nUmo;+{lIsQz+75>K~&mgF3S8FIrekTljOHCfqS5>0u21kbU?dj;Tk` z81RX4Yx4c?NTSi1x57xUv;@uyL_t`+DN0sS>oHcro&ORMdE3-5A= z{fzjuy-2*6s|7^^i?3&24@_%5INPoQ{=5e+ICm8axw(%m%Ra<;^3XG}vGKRts;dBO=K_3U>6jCXF{h51r^sUHkW`~ubg@WEMPxI4M zJxZ(plfcm5qB*AEH}lTq0R*CuvGVq$G*Nv}5Blg_XluZZ;m2t*I#Lk=jh4?@~&* z3#$STciSjiI1}M$dfde2`b9({9+#eR?WMknc$4uf#I;H9G9y`$l1RukCKwwJTB40g zi^j@FkSXm#*1)fvfQwafg%%mSIcypklXbBjyXjM8TZv6x96yEuK7_j!{2ho6hIT6^ zDw*9wtjlxXsC7ukOJgkb8*kt6`a8jxn!qIex*sJ0Wzq@f!{%B1TQ?PuH|s0UtC2#{ z2K0r@48q(JXR%_4;G8^_wen)e2w@t(C$HmUo5+p5QNXXlf=I#`b&)BfgFBIxg8hMd z;{BCHz+5mo5k0DYFsTVaKyu#0o1N<3RB7&NFb#a=w= zc_*~w2>kAjSzTO=L=KmxKrA$fo~qTP9_p?+{*HscM6R;G9oT;vnCgq9*5vArY1*v! z?W@RM0+zbcB5PMQ3z%D9en9RX6!F>E&0kxSVsIOdMB=h2@d@p#MT(GwzZHGd#@=!Y zeU>@xFe!09B-Lg$@PlrD{E8~QkGXe<_EnhINtvbqd zf??xQ4UR%Oep_&1hC``{asYV~xNh7cZyR8?pRoH?=!+9nEEcD`$&D&A?(w^VpnVrB zK&Ed^j2w;j^M%KHeA7^|7KH5T9Sl; z2R0)S1!emIMO3A>rm&W?a!8y^a2ov89%$Ne2e~DYvG-oP$JIy}E~2HmLYg9P(=tpF?(V)2D4XUV#a#9#M-gFugkEpPK|hu- z(|ZrvyB3@Z_eN7CWHr=2I@(YLX{Du?Yu|$=Av5A~YsKefZwYZ$Zr2Ux?8`;#D&+)#< zFYNFH_4okHL&Dgx*b-RkMObtaGEtTDlH-Yft&ekTvE--W9U`&tdhurm#!sisKFEbbp0L9+U`31pD8A`u6F)s_0I5! zUUKJAI#V^uGAZG)&RqA3@o2Twah^+kR|eug<uc# zJU=c=Bi!F-98}j6;}OiQC#P9on}ed^*QR_0;aVls)Oms>GeU9}hat#5PUjArW+{S1TjC*SSB^$+Xq&2jLTz4?h@MPE^a38_Zjp=Bbt zCMX3~om}_Z9E>c%*+KcZb+O^IQG~m=Ccj{;?yI?jpxC^eBgK#nKD2%>4Q^?p6w_6!>qhp~1O)>V zC~>i-4M~lj@!2_MSw1)0LO#PzHyLM>o>u^Wtoq$8Gzg6P?kdcyB78J%>uDt}hdJKQ zOna!o#*}hQdj_+SKC%l5JKApRj@yWqDqD`cUqZ>x%jJ8ZHkqp6F?lTJGtABnk6Z7i zigZZMn_?wt(Xe;j;-Z-}P#e_4Xbx5!O}TafqP}3p?qTCA!-??q%~ML>K?x~fcqcMf z=tQ{>?D2G@{HE45;BP1zHYqz=S9&m_Bo=kUe)o{eew~M-!n!YG_>hvNS6+$ltl&@3 zBP>i2qdxn43icADyW0}VbuGSFjUO33(rD?{GP5`2LsB%ybOfuZ1hOd(#99XN4wQ{C zs0e2sAvf+*LGK4DAc{=y1Ss7lf#YgkmK2I1F{mOx>Z#TEpYlc?L-!u50$KFB#1Hy} zq@MlLqjN8wTK`CqTS1!TR7O@p2X)N-{f?5r;yn2RM?=Y24}g}R9VSomOE&Jh$xB}q z-q%S4kBT#~YqpI`ql0BrRW?fvq}*4>#$cwq2WWJ-hW1VJV% zsR@MS2f19o#x|ULP%I;CXVvq#PC+OLQp`Sl7;l& zrDtYcch|=W2reZY+sl&I@m_}q{Fqsoj{OPdkfbMAwuxPVyIT83NU zCYt{?;Q%uY+6K-zFX<*>L z3_6{J;?v4!Xc#djG=neqdqg?#Y&q<`>~l4(Lro46`Y~!DsyqKnEyo5~V=0+zo~{CA z$)(oSJUKeUwO!)9w8?wJQXzGG)b(s>A{=f+W-2147R2;i{^qCk)0KV)zB32~V%-Y` zhOoSnW&PhZJy_65R40vsqNvGKX&v2~>k0oPQIIkLhp+;LTR1f@uq_npu|-3V2)aQ! zb1~#iKiIt_wnH0ro163IaB1e}b;OiSn4*ua`n7|$fcHA7YZ*z?JZ6aubCJjB*2sbt>qA;KN6C(H@Ox{XJg03JT(?!FU^w>Y)ezNZfGSXj3qZKHvRK6_Mtru*C zwFsDSr}pqqoX0`UL*N0>iL}BBg6xiT6z^WtUdc~rs*0}qXQBiGW0&Qs4t#ZQjjoO- zsP3ewmb%h%p6DJ?)x(g>`8oy|`(&38y%Lf~rQ%GMb}2S>^M~R#SM9j;r6#jw!^r z!O4#|JkR|Byxn`MEgu;Q4QAnwCGo2(Br*<;+y^@?C)P+5p)LtN37U55fNHgzon-|& zKf1gN4{%Zi;wceTcKX|_o=Er-*-r{&Wl)m*3AKjo5rQc0{QwI_Qft;x!SCuZPw2jE z8iYQJ2BC^N$ERFPG-?eKi=L$)6AM2*R0xJnw?PA^AF)JKH%Z`!$E{8ycBO9=a-*|g zu7Y00@$ zv<}uks%@(tliR7RpHmQGXc`P7Ygqw z?2egtbEb5%I$((@?@VDRAV-*&VRcx6zve~K-o8`2^<_8t!cHL#YwJG%n!qy;K4e_C zGh_iTHgIG#k+7f9SBV{!=+H}3Dz(xY+h&6qh3Y2SghZt8bCIF4{T=KyNQ?=aM=uz& zqpJYK*uKTIH~U^g-V{+(VRYlI-a6(@%fW84y~E_{2|=8JA zX&5yr8R)J4_i>r!w8xZonyn0R!Pq-WHUfKvBkPpficT3M{mA63=2o50dj(!I+WJGE zwTjqBM4LI00qEv08}hgYV|>Z?2dvR%4%exY;NEL)1S5}jU$iWNlSEnKbgXn& zlH}LetA)7xVSb$s;KnjjG9aa)WViWfLQu*Y_aXxMN}ADMY^fAhGa%zLgQ_9o79RS! zY?S9<%3v%hB<7CATc_=5OKZf=8Ix4C7j^dInBbsxiCsl-#eB;#oFqc-#%g35kfZT= z`a1y!=j6icte}YJ5R-qNKLlg#&#ODg41{xxz5kJd2oc0XF=?`JOWQ$(bVN=<6@VqMXBGGu&vGFpwFbwpvONc zr3(6tzaiTJHUD5<72U}pgfW2uuMYG*J35k!P+kJMM1AW<<_uH`XEZaa`aJt_;B{Es zRt(D^>S}3zTCYIH8j0h1*)tQK;)*HRbL+@bCLg3UpMmRGT3B$Dgmnu z{W&=dZxH5u(DQU}p|3Mo_?!uRE|PUFo#jf_>mt*GtsB^=I~`wqB{zdkWj_Luy<`{u zGJcN;8SeF_t65ItZv_XPKmtvjC3*X(jyX{&qyx6m>wI~B(!J6MRz>D`MM_(@=HbLM zi%Si}HZy(V73@CMhAe3=0{_j2az2#;A^M-!ft`VuhgJP+*)*;DH861B28N&B#QDw> zIEdytgx?R(r{m!`-BDAUu)gQ&Jf*bB4SFpt4@Zo{&hcvM!2N+iHJ`E}HMbU#Rj){R zZvTf+G6Ps#9b9LC3mvIx#go0b<*}A-J__(pwxERfi}IffZg{0r7Uw4%v^n-ltki=k zO4U56}IsH|eju;r@( z=gC>+_JqZyP`q32IUIPEOOq?RPH#rbj(WXv3y=3J)eT|{RoTqT z*G5a92)?I}ehR77o5 z_0PFzG_E(l+@Isb^yq=T47_ykZJ=Hak}x)hc5Nm26KdOBvIktmOo&`8q;yvp-JA(g zCHW95<$uO$JB7Anhbb0IsV?TEyh1JOIxxF5O?kR6gXR|;WDFd~s>;Py4wX}+vnC|T zcirZuA)dG1nquDFRooyNaJ=>z#wH5J^bc7%eV-@^!l~kTU$e&GFFwm2zBlXyydkKu zR%4z*nk0P5K5tb^0ZJKPJLy&*xWQn+2owHGJyI43G}yUd+tSli>$X2WS?^}nULoI) ziOOyqE*LfDUcxXB5>m&4p{@$a8VA=`HrkI)&&e;<^vCLdUzl9oF}dF8l!-zpZq=)h zZbit-au#m?Dl0q!d2M+At90*^x{iD+fhNBBxe^|ad+Pj<>EQ0&{|H72S1zqg+FzbE zXDQQ?c3gfwI-VVzAKDY}JNNP_^=8@EQ*|V!bM;48G#!1~3C;w6<~A;8Yq#|@rkx+y zfpv)F-_M-RLF8A8(VQn&@?^udtK=us@XyKK7&%#Z89uGdd{r;1kp1QRjH#3%?!gl8 zFdKTjSxL#yoU7iKM;>0zR*@z1KZ(OiI;EZGIQ|uO1fe)#*e+YMRw+-RBaO`a5>0~? zKFRo;_=*qJ?vMJ-ie;M(%`+B-4O9%u;&UztF#JW2vUrq%LKn@LjTf%O%!u$I+L<ZhT;~*&&W%-qh75f$ zj8byZ@%O~^!!*6a^L16)HRKhv*6u|Z_z=H7;d^~&b5i2LX6-f0~tUmp7F2 z5ZOb?Jp@f<<8ITy4<$vR+H*^3GZeaLxvOHpna|DA7q;(&GIhrhG@8E`Y&_mFk!^(g`vD$vJu>FvyIC$r4N08D@Wh)&n z&Xlk1hUI>#%+pB3u5%-n?$-O<^U>6-V$~1|_;uS=*cev28cp-3!%S~2 zA|*wH!DvdJ`%vUnE_x<&Ve>!(nxZ;Xz@%yIg-wu&`Fx}DK6@HnqP7vwa;Svh>g$to z2<1Fk3N%hh^R+wMv{~g%o2~EiSPNCLMPRaBktwd{2^VClY2RmRlLAFw* zZBM(j433#}9_23T_oIjHB#0@o;t8P5=CVDBVCGKH155bSB_k{|Cu+Qr4PrpJRiA@KKFr%vsy>v>oZ_E7*YtT#cb?U8o4BABB^=dNgyLM8g!nP4#8yUD zSH%>O{?wm7h58gtwx|KYYZM&oKDJ+=R3Y0>|E-6>`ftVS|1S?gQdC|}P3gb!5X7DI zt^RK&0y_aMBP%@t13d#h0sDV35m?y&i;3`$?!Qa~2KMiI`G4Hj+>qbK^t<$)mf_n% zP;@f3Rw4L@rSLBm;n%mM@ZYNl;{Wmx*6>h_+>W+O3w`YT4}>hc8NGNh+I7 z(nYdu|ND8~cL8ewnZVjdrBDP<0UHbXg+wAVkytu%34}ks`{PIc|IZ)Z{qfs(fBgRE zPw)QpZcz20t9kI28V9@O4L-g5ajRM|tyd6A6{s#jU#j3t?SYr?|M1^m{_3y3c(-u- z-+cG=_uqW{?oZJE;~)R{ff@{7fB5m`zaEX{w=bvDyAS{S>u=xx(>qsK_~sAazT0Xy zyqxau-v1Ld8h(8L-8ah*O4)`{Er+%CgsV9$H6==sh*IWZsmq|E3$6*F!VF7^29wz| zclibva`<4zefN>#5w*TUt@Pkp6CeKP&+oroIrBe%{_x{ZAHV-jGVnR2Ga3PTd7P@e z7~7Y}rL7*ZRib!LiH)yaHsg=T$e-6z7$mDx_2LH#T8OPbQG8;nIANJw#PIzmPqRqq z%i(-mS+Lc)fFDJGU9p2g6Nh(8b&mh`#jk$#^5MI0;Pw}%$7|xdYFewowCcfa}Nzxw{$ZTEL};wg9j}ds1PJ4O+C!2CbCiGiYD`a@zjpAOHQ|{O5lt z(Eh{w9oiNEHfSMc18hs$%i%4+>PLSWY5&9j^Y_31$KOU^i^fmneJnt10QbTmCBBmP zBFa4>@8$gX%R&C_Z-4!_|M)j8$P;O}7Mg9~UIB0=@Et*3p*=5^U-m`!G%hc+x6pp` z|NY&+`%M*wT4d<&K78|Wu-2|=t#$HnW@Fsoy+5b!;UuK~GI`i5iWJ4+npRr}uc{zz z@D|b8R}FtTyw8l51oQry>uJ1fvHLRddQ3F_`}cqP@FRB1_dla*5wgG6e#u{#Yhl{o ze*A__*rNYCOec%p%i-h&!+#ATTY^dUa#+aRYW%}ZT|HypIO*YLro9~Q^}l77hlTIu z@Gy)oN8|OocGlzTXU}?kH7Q??2QSH&kZTW?G*NBzj(KZ@a=V>;O)44{kCjV*zk)q z-4`i(xgXQ4cZ>I1Ww@L5UZm!JU2wkJ0Q%j_?^w1Te-(GRb;vUXoRPe`&-&FJ@Yb zjyWEVW=%W!@oeAeWQEi)Xf{F(e%Hp%0$thr;^D(G5Pe>eHbuzud;r^49dsZjfP zs!*KE%0Hf$W6{g;eD{jzCck(ce%|DlxSG^twp$%c-h#Y=%YWolw2jvse#Fy`C09{jAAPhg+H9__}Dg z)3I!)C%C`Nc`Rf{u+6iU?5ETDFHoU%+>SjVnMc(pI>cd ze%9pYs=&|1N_jaSiol(zSZaYgABqKcE~a}o`O(_o^Cmwo_QA{fSg3tgOaO@66F zu6E10)SG3hO6_YgsL$60z>e%3ApZi)y?&~+pRbEei1+TYtg!R7EVc8sSas*yVOa<) zbN|szezW3uE9U*=w{pBY-xdY(a=sOl{alTl^SxMg=lik{y2sAv*f@liv(%-m{Fdw(GQ#Gwc+Tl|*}C}1va4OH6X0?@E(`ur z4k|B~wq4Q&%@RTfk>e zekwZja=I@@(*;$&On$DIBZEuJB^!{qiT;vx-eZ0(n&fhO6#73Z!jD3N>#}$J?&ZpP zDPn$os@rj)t`04;2p{j_4Zzp1%y~VP&Fp$UF6#AKl&K;DdCtW#w!`XE>qT3+ zdLUa?+Tx|+$WV5b#ghZ$?OW-%j6T(v&zpDgn*8o%@nhg@DBDIk=HnGuj@q z&otT|%FB_KFE7VS{;1B0a_j>A7sD*vc*W*h$slwumnF!(t-v$Ff~V+@C159m=zN)-AFe%h*+xwOzIe z1Z`2-a_}u`w^c0Q{zR)C30Q6G%d=HcN1H7uV=fo%6wcOUr$^!NURsL9%Y2hT(U-HR-wkK+=M>Wj8pc?SeZ}#vxkz`PG(WN+l3m8!b zvU>jyKmYVC;bt87ju*WYy{d50%c89}m;M&cbk7RXM{*2amSgJ|@BaE_(d{jX%{Cf7 zefZ~>#T;n@x%W;qmT!6Q^ta0CrLe0EUcR*KGwqker~s8&rY|kBvqIH)v|FO5dkvED;hux_OO}OYBW^*= z9IWBYzkXRv_!Y$NON)Xk04{El=Cl0?!k8~E24TJ&$R?jHz?$pzrz3RnS*tSJm%KFlgHEFn)`P;9Wu++18)!s=AzYY7w9Wh51`oWmLb-OvNLxK8|`I&|=%mVJu_)_zsJ z;j8OvT-?4Z+I0?rw;X5-(g{}g_FrAR)q-{Lxs1Qs@^SG5G_cw!6~4N%Xt6fOUoBE- z1{J_J2KAvCuZzW07p%+4bokZf#9Sz__{$nt-P^;u1pWNgO3BQv#ot-Kx&Xex>fZ3x zm0OF$Y6xo)GZUb|y?s=j{Wrbo3(#VN6usUur@*;=MVz3#by@zc`TpDY|D@EmU;O&}uYdUuKfV9-)0f!fn)KxtU;p|24?J7+FTXl` zNqF6~S{v0CT8>}hg6c+ob)soG+tiPJb^h|D#*N?o=Howo{3%S{{IIuTyjxc)Rj3Py zUtPX@DaO?=ejts&5ElnVX?XpTFnR%R`N^xAE{oE6slNg(yvP0TK#VYg@!;{Q73gN} zI{Nr!fVn*{RG7=`(1w`AVi(u(5QnH?KRc)qVkj&rW3Or}e*QZ4M%!&!Co490wJln_ zg?xjc4!%dgTh$f-f9RvdM^eU%YCYHo5%*pW@by>v*}a4cYMY3AFUN!0CeqxOWA^}T z=HGr8=q=Jk8CkGBh_;UsjHu&9+ea1J@;lM?Q9|VPccSg1cm`@4v?cCQq`Qm-G(sR= z>ltuCPzOIEy;~K~(^~{8uC6lr2yF?lc)iyz9r*fYdfownjK>n<#rON2=N;%3PM1 zRfby-Y(EUrEe?&zeG+Le#aUg)i?o;GOsj1o?X`p_Ynw=06J1K17E8$>s4XJRb@2`j zz-IpKhXHH}+ZgP#Xj^jw>Uhz%X2#Su(e~DBiL+>XTMk?6+@kHh#69a+k>CLqKH4XjMR68w?_qM$HfWf$X!|H(x-t(i*0^MC5p5sKv8Y0G0kE^K2iV8D?K<21 zb?_m`w_WCAdS9R|aj|aoU!X0qEnB+lj8(h=bG41z6m_X;yAA@(3YTChsss7#ShnleHCfYpksP# z{`$eV$#*$#y*{~$ws`fri9}o0W!EO!1|4%1ZL8kjR(7Zu#O(w7vA3&P}u>T+o7e6KzYHdxhpE(p;8(HjBxX`RgQ6e|NcP zJ=izV_EH?1b-ZYME#CavCfZ(0RH3$swl#C9wu!dalDJdbM4IcORx{v&VEbXOPb`?@ zg~>dpo{o3X_FB@z$`|jV?X5)oYMW?#>zDLhw5?(J`a6;4wroWi>`lDyag(z?RGXS zWVLm+DqE7;x}yQ1G}`*j%I0}V4=d2QP6e%VS1wK~Mn?2GzC8wCZ+BQswl~p0P)0 zOO(4?T+(;l=E9kdUmZGok$VZW9T$&th2{ic_%i&pOmEF!z~+a6-qT|xP6j?&GwkYk zXiK2HweYYC)mD;}%J29Y**h&)_z}vyZSku20X2iHxyz@LU{8;fW?tuGGUdD7XQ6wm z=a{J`f-Ezd=-qkKBwu0#8Prvn`Bk8;2ryiN=2v$H5yH35a5_Q5TW8ye(6>&v=qP&Y zr1}In_a*F{K-H`T#U#Dco$!S4+)Ii?8I0)OJ1+^49y(DzBe(aGt+ou(+3((Mr)Qvf z)C(rTl-8tWToTyn26%>qkHy7b2Lsrn+Yrx?u;w|H2_PZ&C0dErf%EX%nM-E?;ts{w z+oXxh$AZ~^wGBTM0i9O4jA8jNqk-*E5@43kT_7X*P%UgasEsoT|;r*8z`<8ttjB7M_ZjmF=tze(^2$rEBP+vdm`nnb3yAM%Jsf(ph(%fmTn?OIo2fVYVPv= zXkyycHYD#&w7hq|ftzS~FB#?KgQDfVvoCL=Wq$_YNA;@5GEApOL~Xp-H1qnietWRa z8G@^`Cw6YD8}1Mj7Pg)vojftzyC#T$qjytcl&KO_` z81marB0AL+?eam0iMiOSGqrTWtK%AmdaK_aK*U`de>{o9otc-f^RqzT>7MowF^}DD z^bj#|m^To(Z5$N{(qI>ExYoO8=$f$J%wq2TwOu)e?yG2nd>Y5@fSbKyS z77*5+w2QEvt&O?Uz^7e;gXxGCb}iN<@*W1fe~jABP0a`Irp2~}H(k;nj2f)j=0}3H zpNwGvVc9dg2-~lA+??ml_oW*M$qhKnPUEfthp8gquGNs*K6rRF!dr}|>5}{8Tyo>5 z92Tq{!Uu*0ge6&f2xCKgrV;2m`2)m2$8eRIF7k^dfdK}c8;NtQ=1zl^&SG?pXraRo zUAr7MtUbaE3kYky>>{i~*|~89HSj6oN7o2GouLS{3>GT!Z*?sRF@Y8`;^`U@*HNrf zy}s7&mn}eix<{B{0byz1U4$LlB5*w5)e=4$inOeKN+b+6vx9>mL{$eLlofj>7ktzu zeL;*>T{DqBlrUIB0@O@ESQ=*+VXL3hl5`r#XB~6ej!4Z!jw_tDb7#{fqlo17kw{x# zoVO#uHtJ}lP%c_b5f-c+hczr9tVOYhu$|jP@&@qPRZQ1l4YOAXtIgTcfG%exU4y;H zo=*aVgFT;ZLZcR6)C^(6+9S-c9$|yDi?Cc=X99j%%b8VbZTO(_q`ArU4<@Te%Y1&O=EL^$b{l)5dXXJjW{!Z}NB1 zla=F5b~!z!(2ThTvx9+A0o5lq)=jwvr`r}Y+hCI@)05dp99=yFU3HTn)00&J{v`Em znT6XtVi-MEiW5u?Wrrw(0-{fBD+2YJW^>JN0BD<}Cu`-KTnY4KMRZp*^i;}ObmGSC ze|qX2yB6lVf`jzzvD8q;K><<0xg)&XiPkim=W<2#zQkb%TQT7TkIC!t?xeu`U`xHr zmL|1qKpff2RJ7W&rVM3=XtI`ldfP+vB++fMXE#Khcy=G~`tId>9~}Mf@Jha*-Q%cN;-eJrXo>bviUg){R+QXSR?p`8Ugsy2rJljM zet3!0>#yBBibj%nxVJ`;k)ERz0*Ht{v6&uPRZNrlMz~BpgVpY-6y?DpnV@*BLx`wi&4ub+m1Y8?h_(cIYCJcy}TGjGuMxdL@9^Hy-^8 z606J72A_`A$JzYe>iJMl+--+Np`N$f4vRv)(7vs|<|n?C(fpeee^`DprFQtIj1(do z#Yk(vWZKq?7HtO(wE+6CRk>eQ6Sf>az|7J))aAfGT z1FRHk6tL~EQmDyFO$R{TY92t_tnKwsifgnYrOXV@Xjy|PzyDAYyeIla87JMhB6?kc zs~UuBq2dFOux$EG$8rj+$N#oNj6GJLblag7d#p((ZHFjTi+Z-uGT@dkl{F*n-E96H zeYxJlccjy4?xX}JjqY6clIqzJ(5~8J^=P+KYaNpzm_H>AM&vnnNODS$dcr=z*AXOo z=ezsp1NJ%p{5aT|WMRP9tafY@;2ulhDn?GoC?jZZ%CQ>24N06FUP|Rm5OkhEKcruN zww`x5D4nnz+B!ll(f+|Mr$fPUy))3vEEf(HUy{1j@gi?O#HO{1t#T%)0a?R34G5U+ z8!n`dY34+3V)5cbJtuA$kOtDum)4y|@8M_4 z=H*50Vo19rfp+3yQ=`